diff --git a/.backportrc.json b/.backportrc.json index a3f2ff8fbb8..3dce189d671 100644 --- a/.backportrc.json +++ b/.backportrc.json @@ -1,6 +1,6 @@ { "upstream": "elastic/beats", - "branches": [{ "name": "7.8"}, { "name": "7.7"}, { "name": "7.x"}], + "branches": [{ "name": "7.9"}, { "name": "7.8"}, { "name": "7.7"}, { "name": "7.x"}], "labels": ["backport"], "autoAssign": true, "prTitle": "Cherry-pick to {targetBranch}: {commitMessages}" diff --git a/.ci/apm-beats-update.groovy b/.ci/apm-beats-update.groovy index 4a923a0adad..f8da89d6fa6 100644 --- a/.ci/apm-beats-update.groovy +++ b/.ci/apm-beats-update.groovy @@ -2,7 +2,7 @@ @Library('apm@current') _ pipeline { - agent none + agent { label 'master' } environment { REPO = 'apm-server' BASE_DIR = "src/github.com/elastic/${env.REPO}" @@ -27,11 +27,11 @@ pipeline { } triggers { issueCommentTrigger('(?i).*/run\\s+(?:apm-beats-update\\W+)?.*') - upstream("Beats/beats-beats-mbp/${ env.JOB_BASE_NAME.startsWith('PR-') ? 'none' : env.JOB_BASE_NAME }") + upstream("Beats/beats/${ env.JOB_BASE_NAME.startsWith('PR-') ? 'none' : env.JOB_BASE_NAME }") } stages { stage('Filter build') { - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } when { beforeAgent true anyOf { @@ -48,51 +48,54 @@ pipeline { } } } - /** - Checkout the code and stash it, to use it on other stages. - */ - stage('Checkout') { - steps { - deleteDir() - gitCheckout(basedir: "${BEATS_DIR}", githubNotifyFirstTimeContributor: false) - script { - dir("${BEATS_DIR}"){ - env.GO_VERSION = readFile(".go-version").trim() - def regexps =[ - "^devtools/mage.*", - "^libbeat/scripts/Makefile", - ] - env.BEATS_UPDATED = isGitRegionMatch(patterns: regexps) - // Skip all the stages except docs for PR's with asciidoc changes only - env.ONLY_DOCS = isGitRegionMatch(patterns: [ '.*\\.asciidoc' ], comparator: 'regexp', shouldMatchAll: true) + stages { + /** + Checkout the code and stash it, to use it on other stages. + */ + stage('Checkout') { + options { skipDefaultCheckout() } + steps { + deleteDir() + gitCheckout(basedir: "${BEATS_DIR}", githubNotifyFirstTimeContributor: false) + script { + dir("${BEATS_DIR}"){ + env.GO_VERSION = readFile(".go-version").trim() + def regexps =[ + "^devtools/mage.*", + "^libbeat/scripts/Makefile", + ] + env.BEATS_UPDATED = isGitRegionMatch(patterns: regexps) + // Skip all the stages except docs for PR's with asciidoc changes only + env.ONLY_DOCS = isGitRegionMatch(patterns: [ '.*\\.asciidoc' ], comparator: 'regexp', shouldMatchAll: true) + } } } } - } - /** - updates beats updates the framework part and go parts of beats. - Then build and test. - Finally archive the results. - */ - stage('Update Beats') { - options { skipDefaultCheckout() } - when { - beforeAgent true - anyOf { - branch 'master' - branch "\\d+\\.\\d+" - branch "v\\d?" - tag "v\\d+\\.\\d+\\.\\d+*" - allOf { - expression { return env.BEATS_UPDATED != "false" || isCommentTrigger() } - changeRequest() - } + /** + updates beats updates the framework part and go parts of beats. + Then build and test. + Finally archive the results. + */ + stage('Update Beats') { + options { skipDefaultCheckout() } + when { + beforeAgent true + anyOf { + branch 'master' + branch "\\d+\\.\\d+" + branch "v\\d?" + tag "v\\d+\\.\\d+\\.\\d+*" + allOf { + expression { return env.BEATS_UPDATED != "false" || isCommentTrigger() } + changeRequest() + } + } } - } - steps { - withGithubNotify(context: 'Check Apm Server Beats Update') { - beatsUpdate() + steps { + withGithubNotify(context: 'Check Apm Server Beats Update') { + beatsUpdate() + } } } } diff --git a/.ci/beats-tester.groovy b/.ci/beats-tester.groovy new file mode 100644 index 00000000000..eb1357700b6 --- /dev/null +++ b/.ci/beats-tester.groovy @@ -0,0 +1,106 @@ +#!/usr/bin/env groovy + +@Library('apm@current') _ + +pipeline { + agent none + environment { + BASE_DIR = 'src/github.com/elastic/beats' + PIPELINE_LOG_LEVEL = "INFO" + BEATS_TESTER_JOB = 'Beats/beats-tester-mbp/master' + } + options { + timeout(time: 1, unit: 'HOURS') + buildDiscarder(logRotator(numToKeepStr: '20', artifactNumToKeepStr: '20', daysToKeepStr: '30')) + timestamps() + ansiColor('xterm') + disableResume() + durabilityHint('PERFORMANCE_OPTIMIZED') + disableConcurrentBuilds() + } + triggers { + issueCommentTrigger('(?i)^\\/beats-tester$') + upstream("Beats/packaging/${env.JOB_BASE_NAME}") + } + stages { + stage('Filter build') { + agent { label 'ubuntu && immutable' } + when { + beforeAgent true + anyOf { + triggeredBy cause: "IssueCommentCause" + expression { + def ret = isUserTrigger() || isUpstreamTrigger() + if(!ret){ + currentBuild.result = 'NOT_BUILT' + currentBuild.description = "The build has been skipped" + currentBuild.displayName = "#${BUILD_NUMBER}-(Skipped)" + echo("the build has been skipped due the trigger is a branch scan and the allow ones are manual, GitHub comment, and upstream job") + } + return ret + } + } + } + stages { + stage('Checkout') { + options { skipDefaultCheckout() } + steps { + deleteDir() + gitCheckout(basedir: "${BASE_DIR}") + setEnvVar('VERSION', sh(script: "grep ':stack-version:' ${BASE_DIR}/libbeat/docs/version.asciidoc | cut -d' ' -f2", returnStdout: true).trim()) + } + } + stage('Build master') { + options { skipDefaultCheckout() } + when { branch 'master' } + steps { + runBeatsTesterJob(version: "${env.VERSION}-SNAPSHOT") + } + } + stage('Build *.x branch') { + options { skipDefaultCheckout() } + when { branch '*.x' } + steps { + runBeatsTesterJob(version: "${env.VERSION}-SNAPSHOT") + } + } + stage('Build PullRequest') { + options { skipDefaultCheckout() } + when { changeRequest() } + steps { + runBeatsTesterJob(version: "${env.VERSION}-SNAPSHOT", + apm: "https://storage.googleapis.com/apm-ci-artifacts/jobs/pull-requests/pr-${env.CHANGE_ID}", + beats: "https://storage.googleapis.com/beats-ci-artifacts/pull-requests/pr-${env.CHANGE_ID}") + } + } + stage('Build release branch') { + options { skipDefaultCheckout() } + when { + not { + allOf { + branch comparator: 'REGEXP', pattern: '(master|.*x)' + changeRequest() + } + } + } + steps { + runBeatsTesterJob(version: "${env.VERSION}-SNAPSHOT") + } + } + } + } + } +} + +def runBeatsTesterJob(Map args = [:]) { + if (args.apm && args.beats) { + build(job: env.BEATS_TESTER_JOB, propagate: false, wait: false, + parameters: [ + string(name: 'APM_URL_BASE', value: args.apm), + string(name: 'BEATS_URL_BASE', value: args.beats), + string(name: 'VERSION', value: args.version) + ]) + } else { + build(job: env.BEATS_TESTER_JOB, propagate: false, wait: false, parameters: [ string(name: 'VERSION', value: args.version) ]) + } +} \ No newline at end of file diff --git a/.ci/jobs/apm-beats-update.yml b/.ci/jobs/apm-beats-update.yml index ec583545eca..8bdc322f65a 100644 --- a/.ci/jobs/apm-beats-update.yml +++ b/.ci/jobs/apm-beats-update.yml @@ -23,7 +23,7 @@ notification-context: 'apm-beats-update' repo: 'beats' repo-owner: 'elastic' - credentials-id: 2a9602aa-ab9f-4e52-baf3-b71ca88469c7-UserAndToken + credentials-id: github-app-beats-ci ssh-checkout: credentials: f6c7695a-671e-4f4f-a331-acdce44ff9ba build-strategies: diff --git a/.ci/jobs/beats-tester.yml b/.ci/jobs/beats-tester.yml new file mode 100644 index 00000000000..522abfa5e5c --- /dev/null +++ b/.ci/jobs/beats-tester.yml @@ -0,0 +1,56 @@ +--- +- job: + name: Beats/beats-tester + display-name: Beats Tester + description: Run the beats-tester + view: Beats + disabled: false + project-type: multibranch + script-path: .ci/beats-tester.groovy + scm: + - github: + branch-discovery: 'no-pr' + discover-pr-forks-strategy: 'merge-current' + discover-pr-forks-trust: 'permission' + discover-pr-origin: 'merge-current' + discover-tags: true + head-filter-regex: '(master|7\.([x9]|1\d+)|8\.\d+|PR-.*|v\d+\.\d+\.\d+)' + disable-pr-notifications: true + notification-context: 'beats-tester' + repo: 'beats' + repo-owner: 'elastic' + credentials-id: github-app-beats-ci + ssh-checkout: + credentials: f6c7695a-671e-4f4f-a331-acdce44ff9ba + build-strategies: + - skip-initial-build: true + - tags: + ignore-tags-older-than: -1 + ignore-tags-newer-than: 30 + - named-branches: + - exact-name: + name: 'master' + case-sensitive: true + - regex-name: + regex: '7\.([x9]|1\d+)' + case-sensitive: true + - regex-name: + regex: '8\.\d+' + case-sensitive: true + - change-request: + ignore-target-only-changes: true + clean: + after: true + before: true + prune: true + shallow-clone: true + depth: 3 + do-not-fetch-tags: true + submodule: + disable: false + recursive: true + parent-credentials: true + timeout: 100 + timeout: '15' + use-author: true + wipe-workspace: true diff --git a/.ci/jobs/beats-windows-mbp.yml b/.ci/jobs/beats-windows-mbp.yml index 256cde11f6e..64efa009979 100644 --- a/.ci/jobs/beats-windows-mbp.yml +++ b/.ci/jobs/beats-windows-mbp.yml @@ -15,10 +15,10 @@ discover-tags: false # Run MBP for the master branch and PRs head-filter-regex: '(master|PR-.*)' - notification-context: 'beats-ci' + notification-context: 'beats-ci/windows' repo: beats repo-owner: elastic - credentials-id: 2a9602aa-ab9f-4e52-baf3-b71ca88469c7-UserAndToken + credentials-id: github-app-beats-ci ssh-checkout: credentials: f6c7695a-671e-4f4f-a331-acdce44ff9ba build-strategies: diff --git a/.ci/jobs/beats.yml b/.ci/jobs/beats.yml index 858b078a842..1e393bab6b9 100644 --- a/.ci/jobs/beats.yml +++ b/.ci/jobs/beats.yml @@ -1,7 +1,7 @@ --- - job: name: Beats/beats - display-name: 'Beats (replacement)' + display-name: 'Beats' description: 'Beats Main Pipeline' view: Beats concurrent: true @@ -22,7 +22,7 @@ notification-context: "beats-ci" repo: 'beats' repo-owner: 'elastic' - credentials-id: 2a9602aa-ab9f-4e52-baf3-b71ca88469c7-UserAndToken + credentials-id: github-app-beats-ci ssh-checkout: credentials: f6c7695a-671e-4f4f-a331-acdce44ff9ba build-strategies: diff --git a/.ci/jobs/packaging.yml b/.ci/jobs/packaging.yml index 988906ede9e..0dce4d4672b 100644 --- a/.ci/jobs/packaging.yml +++ b/.ci/jobs/packaging.yml @@ -19,7 +19,7 @@ notification-context: 'beats-packaging' repo: 'beats' repo-owner: 'elastic' - credentials-id: 2a9602aa-ab9f-4e52-baf3-b71ca88469c7-UserAndToken + credentials-id: github-app-beats-ci ssh-checkout: credentials: f6c7695a-671e-4f4f-a331-acdce44ff9ba build-strategies: diff --git a/.ci/packaging.groovy b/.ci/packaging.groovy index 38effd7d23e..2be78aac68f 100644 --- a/.ci/packaging.groovy +++ b/.ci/packaging.groovy @@ -26,7 +26,7 @@ pipeline { triggers { issueCommentTrigger('(?i)^\\/packag[ing|e]$') // disable upstream trigger on a PR basis - upstream("Beats/beats-beats-mbp/${ env.JOB_BASE_NAME.startsWith('PR-') ? 'none' : env.JOB_BASE_NAME }") + upstream("Beats/beats/${ env.JOB_BASE_NAME.startsWith('PR-') ? 'none' : env.JOB_BASE_NAME }") } parameters { booleanParam(name: 'macos', defaultValue: false, description: 'Allow macOS stages.') @@ -79,7 +79,7 @@ pipeline { 'x-pack/dockerlogbeat', 'x-pack/filebeat', 'x-pack/functionbeat', - // 'x-pack/heartbeat', + 'x-pack/heartbeat', // 'x-pack/journalbeat', 'x-pack/metricbeat', // 'x-pack/packetbeat', @@ -161,7 +161,6 @@ def pushCIDockerImages(){ } else if ("${env.BEATS_FOLDER}" == "filebeat") { tagAndPush('filebeat-oss') } else if ("${env.BEATS_FOLDER}" == "heartbeat"){ - tagAndPush('heartbeat') tagAndPush('heartbeat-oss') } else if ("${env.BEATS_FOLDER}" == "journalbeat"){ tagAndPush('journalbeat') @@ -177,6 +176,8 @@ def pushCIDockerImages(){ tagAndPush('elastic-agent') } else if ("${env.BEATS_FOLDER}" == "x-pack/filebeat"){ tagAndPush('filebeat') + } else if ("${env.BEATS_FOLDER}" == "x-pack/heartbeat"){ + tagAndPush('heartbeat') } else if ("${env.BEATS_FOLDER}" == "x-pack/metricbeat"){ tagAndPush('metricbeat') } @@ -188,8 +189,14 @@ def tagAndPush(name){ if("${env.SNAPSHOT}" == "true"){ libbetaVer += "-SNAPSHOT" } + + def tagName = "${libbetaVer}" + if (isPR()) { + tagName = "pr-${env.CHANGE_ID}" + } + def oldName = "${DOCKER_REGISTRY}/beats/${name}:${libbetaVer}" - def newName = "${DOCKER_REGISTRY}/observability-ci/${name}:${libbetaVer}" + def newName = "${DOCKER_REGISTRY}/observability-ci/${name}:${tagName}" def commitName = "${DOCKER_REGISTRY}/observability-ci/${name}:${env.GIT_BASE_COMMIT}" dockerLogin(secret: "${DOCKERELASTIC_SECRET}", registry: "${DOCKER_REGISTRY}") retry(3){ @@ -222,7 +229,12 @@ def withMacOSEnv(Closure body){ } def publishPackages(baseDir){ - googleStorageUpload(bucket: "gs://${JOB_GCS_BUCKET}/snapshots", + def bucketUri = "gs://${JOB_GCS_BUCKET}/snapshots" + if (isPR()) { + bucketUri = "gs://${JOB_GCS_BUCKET}/pull-requests/pr-${env.CHANGE_ID}" + } + def beatsFolderName = getBeatsName(baseDir) + googleStorageUpload(bucket: "${bucketUri}/${beatsFolderName}", credentialsId: "${JOB_GCS_CREDENTIALS}", pathPrefix: "${baseDir}/build/distributions/", pattern: "${baseDir}/build/distributions/**/*", @@ -231,6 +243,18 @@ def publishPackages(baseDir){ ) } +/** +* There is a specific folder structure in https://staging.elastic.co/ and https://artifacts.elastic.co/downloads/ +* therefore the storage bucket in GCP should follow the same folder structure. +* This is required by https://github.com/elastic/beats-tester +* e.g. +* baseDir=name -> return name +* baseDir=name1/name2/name3-> return name2 +*/ +def getBeatsName(baseDir) { + return baseDir.replace('x-pack/', '') +} + def withBeatsEnv(Closure body) { withMageEnv(){ withEnv([ diff --git a/.ci/scripts/generate_build_table.py b/.ci/scripts/generate_build_table.py new file mode 100755 index 00000000000..21fe5d67107 --- /dev/null +++ b/.ci/scripts/generate_build_table.py @@ -0,0 +1,52 @@ +#!/usr/bin/env python3 + +import os +import yaml + +if __name__ == "__main__": + + print("| Beat | Stage | Command | MODULE | Platforms | When |") + print("|-------|--------|----------|---------|------------|------|") + for root, dirs, files in os.walk("."): + dirs.sort() + for file in files: + if file.endswith("Jenkinsfile.yml") and root != ".": + with open(os.path.join(root, file), 'r') as f: + doc = yaml.load(f, Loader=yaml.FullLoader) + module = root.replace(".{}".format(os.sep), '') + platforms = [doc["platform"]] + when = "" + if "branches" in doc["when"]: + when = f"{when}/:palm_tree:" + if "changeset" in doc["when"]: + when = f"{when}/:file_folder:" + if "comments" in doc["when"]: + when = f"{when}/:speech_balloon:" + if "labels" in doc["when"]: + when = f"{when}/:label:" + if "parameters" in doc["when"]: + when = f"{when}/:smiley:" + if "tags" in doc["when"]: + when = f"{when}/:taco:" + for stage in doc["stages"]: + withModule = False + if "make" in doc["stages"][stage]: + command = doc["stages"][stage]["make"] + if "mage" in doc["stages"][stage]: + command = doc["stages"][stage]["mage"] + if "platforms" in doc["stages"][stage]: + platforms = doc["stages"][stage]["platforms"] + if "withModule" in doc["stages"][stage]: + withModule = doc["stages"][stage]["withModule"] + if "when" in doc["stages"][stage]: + when = f"{when}/:star:" + print("| {} | {} | `{}` | {} | `{}` | {} |".format( + module, stage, command, withModule, platforms, when)) + +print("> :palm_tree: -> Git Branch based") +print("> :label: -> GitHub Pull Request Label based") +print("> :file_folder: -> Changeset based") +print("> :speech_balloon: -> GitHub Pull Request comment based") +print("> :taco: -> Git tag based") +print("> :smiley: -> Manual UI interaction based") +print("> :star: -> More specific cases based") diff --git a/.ci/scripts/get-vendor-dependencies.sh b/.ci/scripts/get-vendor-dependencies.sh new file mode 100755 index 00000000000..e002a208b76 --- /dev/null +++ b/.ci/scripts/get-vendor-dependencies.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash +# +# Given the go module it will list all the dependencies that will be later on +# used by the CI to enable/disable specific stages as long as the changeset +# matches any of those patterns. +# + +GO_VERSION=${GO_VERSION:?"GO_VERSION environment variable is not set"} +BEATS=${1:?"parameter missing."} +eval "$(gvm "${GO_VERSION}")" + +go list -deps ./"${BEATS}" \ +| grep 'elastic/beats' \ +| sort \ +| sed -e "s#github.com/elastic/beats/v7/##g" \ +| awk '{print "^" $1 "/.*"}' diff --git a/.ci/scripts/install-docker-compose.sh b/.ci/scripts/install-docker-compose.sh index a430eb1873f..72d889f216a 100755 --- a/.ci/scripts/install-docker-compose.sh +++ b/.ci/scripts/install-docker-compose.sh @@ -2,9 +2,23 @@ set -exuo pipefail -MSG="parameter missing." +MSG="environment variable missing: DOCKER_COMPOSE_VERSION." DOCKER_COMPOSE_VERSION=${DOCKER_COMPOSE_VERSION:?$MSG} HOME=${HOME:?$MSG} + +if command -v docker-compose +then + echo "Found docker-compose. Checking version.." + FOUND_DOCKER_COMPOSE_VERSION=$(docker-compose --version|awk '{print $3}'|sed s/\,//) + if [ $FOUND_DOCKER_COMPOSE_VERSION == $DOCKER_COMPOSE_VERSION ] + then + echo "Versions match. No need to install docker-compose. Exiting." + exit 0 + fi +fi + +echo "UNMET DEP: Installing docker-compose" + DC_CMD="${HOME}/bin/docker-compose" mkdir -p "${HOME}/bin" diff --git a/.ci/scripts/install-go.sh b/.ci/scripts/install-go.sh index 5af9f338ca1..49e12c7a18d 100755 --- a/.ci/scripts/install-go.sh +++ b/.ci/scripts/install-go.sh @@ -1,13 +1,25 @@ #!/usr/bin/env bash set -exuo pipefail -MSG="parameter missing." +MSG="environment variable missing" GO_VERSION=${GO_VERSION:?$MSG} PROPERTIES_FILE=${PROPERTIES_FILE:-"go_env.properties"} HOME=${HOME:?$MSG} ARCH=$(uname -s| tr '[:upper:]' '[:lower:]') GVM_CMD="${HOME}/bin/gvm" +if command -v go +then + echo "Found Go. Checking version.." + FOUND_GO_VERSION=$(go version|awk '{print $3}'|sed s/go//) + if [ $FOUND_GO_VERSION == $GO_VERSION ] + then + echo "Versions match. No need to install Go. Exiting." + exit 0 + fi +fi + +echo "UNMET DEP: Installing Go" mkdir -p "${HOME}/bin" curl -sSLo "${GVM_CMD}" "https://github.com/andrewkroh/gvm/releases/download/v0.2.2/gvm-${ARCH}-amd64" diff --git a/.ci/scripts/install-kind.sh b/.ci/scripts/install-kind.sh index dc83bb4cd2a..a53c4b3708a 100755 --- a/.ci/scripts/install-kind.sh +++ b/.ci/scripts/install-kind.sh @@ -1,12 +1,25 @@ #!/usr/bin/env bash set -exuo pipefail -MSG="parameter missing." +MSG="environment variable missing." DEFAULT_HOME="/usr/local" KIND_VERSION=${KIND_VERSION:?$MSG} HOME=${HOME:?$DEFAULT_HOME} KIND_CMD="${HOME}/bin/kind" +if command -v kind +then + echo "Found Kind. Checking version.." + FOUND_KIND_VERSION=$(kind --version 2>&1 >/dev/null | awk '{print $3}') + if [ $FOUND_KIND_VERSION == $KIND_VERSION ] + then + echo "Versions match. No need to install Kind. Exiting." + exit 0 + fi +fi + +echo "UNMET DEP: Installing Kind" + mkdir -p "${HOME}/bin" curl -sSLo "${KIND_CMD}" "https://github.com/kubernetes-sigs/kind/releases/download/${KIND_VERSION}/kind-linux-amd64" diff --git a/.ci/scripts/install-terraform.sh b/.ci/scripts/install-terraform.sh index 39aa684d0aa..4af2e91baab 100755 --- a/.ci/scripts/install-terraform.sh +++ b/.ci/scripts/install-terraform.sh @@ -2,13 +2,26 @@ set -exuo pipefail -MSG="parameter missing." +MSG="environment variable missing." TERRAFORM_VERSION=${TERRAFORM_VERSION:?$MSG} HOME=${HOME:?$MSG} TERRAFORM_CMD="${HOME}/bin/terraform" OS=$(uname -s | tr '[:upper:]' '[:lower:]') +if command -v terraform +then + echo "Found Terraform. Checking version.." + FOUND_TERRAFORM_VERSION=$(terraform --version | awk '{print $2}' | sed s/v//) + if [ $FOUND_TERRAFORM_VERSION == $TERRAFORM_VERSION ] + then + echo "Versions match. No need to install Terraform. Exiting." + exit 0 + fi +fi + +echo "UNMET DEP: Installing Terraform" + mkdir -p "${HOME}/bin" curl -sSLo - "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_${OS}_amd64.zip" > ${TERRAFORM_CMD}.zip diff --git a/.ci/scripts/install-tools.bat b/.ci/scripts/install-tools.bat index cce12820425..807f9267778 100644 --- a/.ci/scripts/install-tools.bat +++ b/.ci/scripts/install-tools.bat @@ -10,7 +10,7 @@ set PATH=%WORKSPACE%\bin;C:\ProgramData\chocolatey\bin;C:\tools\mingw%MINGW_ARCH where /q curl IF ERRORLEVEL 1 ( - choco install curl -y --no-progress --skipdownloadcache + choco install curl -y --no-progress --skipdownloadcache ) mkdir %WORKSPACE%\bin @@ -35,8 +35,11 @@ mage -version where mage IF NOT EXIST C:\Python38\python.exe ( - REM Install python 3.8. - choco install python -y -r --no-progress --version 3.8.2 || echo ERROR && exit /b + REM Install python 3.8 + choco install python -y -r --no-progress --version 3.8.5 + IF NOT ERRORLEVEL 0 ( + exit /b 1 + ) ) python --version where python @@ -44,7 +47,10 @@ where python where /q gcc IF ERRORLEVEL 1 ( REM Install mingw 5.3.0 - choco install mingw -y -r --no-progress --version 5.3.0 || echo ERROR && exit /b + choco install mingw -y -r --no-progress --version 5.3.0 + IF NOT ERRORLEVEL 0 ( + exit /b 1 + ) ) gcc --version where gcc diff --git a/.ci/scripts/install-tools.sh b/.ci/scripts/install-tools.sh new file mode 100755 index 00000000000..297a7820cad --- /dev/null +++ b/.ci/scripts/install-tools.sh @@ -0,0 +1,7 @@ +#!/usr/bin/env bash +set -exuo pipefail + +.ci/scripts/install-go.sh +.ci/scripts/install-docker-compose.sh +.ci/scripts/install-terraform.sh +make mage diff --git a/.ci/scripts/pre_archive_test.py b/.ci/scripts/pre_archive_test.py new file mode 100755 index 00000000000..8fd8cb75ea1 --- /dev/null +++ b/.ci/scripts/pre_archive_test.py @@ -0,0 +1,20 @@ +#!/usr/bin/env python3 + +import os +import distutils +from distutils import dir_util + + +if __name__ == "__main__": + + if not os.path.exists('build'): + os.makedirs('build') + + # Top level folders to be excluded + EXCLUDE = set(['.ci', '.git', '.github', 'vendor', 'dev-tools']) + for root, dirs, files in os.walk('.'): + dirs[:] = [d for d in dirs if d not in EXCLUDE] + if root.endswith(('build')) and not root.startswith((".{}build".format(os.sep))): + dest = os.path.join('build', root.replace(".{}".format(os.sep), '')) + print("Copy {} into {}".format(root, dest)) + distutils.dir_util.copy_tree(root, dest, preserve_symlinks=1) diff --git a/.ci/scripts/search_system_tests.py b/.ci/scripts/search_system_tests.py new file mode 100755 index 00000000000..0e3896d9ff4 --- /dev/null +++ b/.ci/scripts/search_system_tests.py @@ -0,0 +1,10 @@ +#!/usr/bin/env python3 + +import os + + +if __name__ == "__main__": + + for root, dirs, files in os.walk('build'): + if root.endswith(('system-tests')): + print(root.replace(".{}".format(os.sep), '')) diff --git a/.ci/windows.groovy b/.ci/windows.groovy index 87fa630d185..649f7390cfa 100644 --- a/.ci/windows.groovy +++ b/.ci/windows.groovy @@ -529,7 +529,8 @@ def dumpFilteredEnvironment(){ echo "PROCESSES: ${env.PROCESSES}" echo "TIMEOUT: ${env.TIMEOUT}" echo "PYTHON_TEST_FILES: ${env.PYTHON_TEST_FILES}" - echo "NOSETESTS_OPTIONS: ${env.NOSETESTS_OPTIONS}" + echo "PYTEST_ADDOPTS: ${env.PYTEST_ADDOPTS}" + echo "PYTEST_OPTIONS: ${env.PYTEST_OPTIONS}" echo "TEST_ENVIRONMENT: ${env.TEST_ENVIRONMENT}" echo "SYSTEM_TESTS: ${env.SYSTEM_TESTS}" echo "STRESS_TESTS: ${env.STRESS_TESTS}" diff --git a/.github/stale.yml b/.github/stale.yml index 2f6bc438b5f..c0fadc07678 100644 --- a/.github/stale.yml +++ b/.github/stale.yml @@ -46,12 +46,36 @@ limitPerRun: 30 # only: issues # Optionally, specify configuration settings that are specific to just 'issues' or 'pulls': -# pulls: -# daysUntilStale: 30 -# markComment: > -# This pull request has been automatically marked as stale because it has not had -# recent activity. It will be closed if no further activity occurs. Thank you -# for your contributions. +pulls: + daysUntilStale: 30 + daysUntilClose: 30 + markComment: > + Hi! + + We just realized that we haven't looked into this PR in a while. We're + sorry! + + + We're labeling this issue as `Stale` to make it hit our filters and + make sure we get back to it in as soon as possible. In the meantime, it'd + be extremely helpful if you could take a look at it as well and confirm its + relevance. A simple comment with a nice emoji will be enough `:+1`. + + Thank you for your contribution! + + closeComment: > + Hi! + + This PR has been stale for a while and we're going to close it as part of + our cleanup procedure. + + We appreciate your contribution and would like to apologize if we have not + been able to review it, due to the current heavy load of the team. + + Feel free to re-open this PR if you think it should stay open and is worth rebasing. + + Thank you for your contribution! + # issues: # exemptLabels: diff --git a/.gitignore b/.gitignore index 78e09df9348..4f2f4f719b9 100644 --- a/.gitignore +++ b/.gitignore @@ -30,6 +30,7 @@ x-pack/dockerlogbeat/temproot.tar x-pack/elastic-agent/elastic_agent x-pack/elastic-agent/fleet.yml x-pack/elastic-agent/pkg/agent/operation/tests/scripts/configurable-1.0-darwin-x86_64/configurable +x-pack/elastic-agent/pkg/agent/operation/tests/scripts/serviceable-1.0-darwin-x86_64/serviceable # Editor swap files *.swp diff --git a/.go-version b/.go-version index 4e00d0ac079..52e779f28fa 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.14.4 +1.14.7 diff --git a/.travis.yml b/.travis.yml index b9f903b023b..7809fe380b7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -38,41 +38,55 @@ jobs: # Filebeat - os: linux before_install: .ci/scripts/travis_has_changes.sh filebeat libbeat || travis_terminate 0 - env: TARGETS="-C filebeat testsuite" + env: + - PROJECT=filebeat + - MAGE='build test' go: $TRAVIS_GO_VERSION stage: test - os: osx before_install: .ci/scripts/travis_has_changes.sh filebeat libbeat || travis_terminate 0 - env: TARGETS="TEST_ENVIRONMENT=0 -C filebeat testsuite" + env: + - PROJECT=filebeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/filebeat filebeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/filebeat testsuite" + env: + - PROJECT=x-pack/filebeat + - MAGE='build test' go: $(GO_VERSION) stage: test # Heartbeat - os: linux before_install: .ci/scripts/travis_has_changes.sh heartbeat libbeat || travis_terminate 0 - env: TARGETS="-C heartbeat testsuite" + env: + - PROJECT=heartbeat + - MAGE='build test' go: $TRAVIS_GO_VERSION stage: test - os: osx before_install: .ci/scripts/travis_has_changes.sh heartbeat libbeat || travis_terminate 0 - env: TARGETS="TEST_ENVIRONMENT=0 -C heartbeat testsuite" + env: + - PROJECT=heartbeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test # Auditbeat - os: linux before_install: .ci/scripts/travis_has_changes.sh auditbeat libbeat || travis_terminate 0 - env: TARGETS="-C auditbeat testsuite" + env: + - PROJECT=auditbeat + - MAGE='build test' go: $TRAVIS_GO_VERSION stage: test - os: osx before_install: .ci/scripts/travis_has_changes.sh auditbeat libbeat || travis_terminate 0 - env: TARGETS="TEST_ENVIRONMENT=0 -C auditbeat testsuite" + env: + - PROJECT=auditbeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test - os: linux @@ -82,14 +96,27 @@ jobs: stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/auditbeat auditbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/auditbeat testsuite" + env: + - PROJECT=x-pack/auditbeat + - MAGE='build test' + go: $TRAVIS_GO_VERSION + stage: test + - os: osx + before_install: .ci/scripts/travis_has_changes.sh x-pack/auditbeat auditbeat libbeat || travis_terminate 0 + env: + - PROJECT=x-pack/auditbeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test # Libbeat - os: linux before_install: .ci/scripts/travis_has_changes.sh libbeat || travis_terminate 0 - env: TARGETS="-C libbeat testsuite" + env: + - PROJECT=libbeat + - MAGE='build test' + # The libbeat tests are so verbose that they exceed the maximum allowed log length of Travis CI. + - MAGEFILE_VERBOSE=false go: $TRAVIS_GO_VERSION stage: test - os: linux @@ -104,35 +131,44 @@ jobs: stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/libbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/libbeat testsuite" + env: + - PROJECT=x-pack/libbeat + - MAGE='build test' go: $TRAVIS_GO_VERSION stage: test # Metricbeat - os: linux before_install: .ci/scripts/travis_has_changes.sh metricbeat libbeat || travis_terminate 0 - env: TARGETS="-C metricbeat unit-tests" + env: + - PROJECT=metricbeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh metricbeat libbeat || travis_terminate 0 - install: + install: - .ci/scripts/install-kind.sh - .ci/scripts/install-kubectl.sh env: - - TARGETS="-C metricbeat integration-tests" - K8S_VERSION=v1.17.2 - KIND_VERSION=v0.7.0 + - PROJECT=metricbeat + - MAGE='goIntegTest' go: $TRAVIS_GO_VERSION stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh metricbeat libbeat || travis_terminate 0 - env: TARGETS="-C metricbeat system-tests" + env: + - PROJECT=metricbeat + - MAGE='pythonIntegTest' go: $TRAVIS_GO_VERSION stage: test - os: osx before_install: .ci/scripts/travis_has_changes.sh metricbeat libbeat || travis_terminate 0 - env: TARGETS="-C metricbeat testsuite" + env: + - PROJECT=metricbeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test - os: linux @@ -142,29 +178,39 @@ jobs: stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/metricbeat metricbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/metricbeat unit-tests" + env: + - PROJECT=x-pack/metricbeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/metricbeat metricbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/metricbeat integration-tests" + env: + - PROJECT=x-pack/metricbeat + - MAGE='goIntegTest' go: $TRAVIS_GO_VERSION stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/metricbeat metricbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/metricbeat system-tests" + env: + - PROJECT=x-pack/metricbeat + - MAGE='pythonIntegTest' go: $TRAVIS_GO_VERSION stage: test - os: osx before_install: .ci/scripts/travis_has_changes.sh metricbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/metricbeat testsuite" + env: + - PROJECT=x-pack/metricbeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test # Packetbeat - os: linux before_install: .ci/scripts/travis_has_changes.sh packetbeat libbeat || travis_terminate 0 - env: TARGETS="-C packetbeat testsuite" + env: + - PROJECT=packetbeat + - MAGE='build test' go: $TRAVIS_GO_VERSION stage: test @@ -178,43 +224,57 @@ jobs: # Functionbeat - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/functionbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/functionbeat testsuite" + env: + - PROJECT=x-pack/functionbeat + - MAGE='build test' go: $TRAVIS_GO_VERSION stage: test - os: osx before_install: .ci/scripts/travis_has_changes.sh x-pack/functionbeat libbeat || travis_terminate 0 - env: TARGETS="TEST_ENVIRONMENT=0 -C x-pack/functionbeat testsuite" + env: + - PROJECT=x-pack/functionbeat + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/functionbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/functionbeat test-gcp-functions" + env: + - PROJECT=x-pack/functionbeat + - MAGE='testGCPFunctions' go: 1.13.1 stage: test # Docker Log Driver - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/dockerlogbeat libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/dockerlogbeat testsuite" + env: + - PROJECT=x-pack/dockerlogbeat + - MAGE='build test' go: $TRAVIS_GO_VERSION stage: test # Journalbeat - os: linux before_install: .ci/scripts/travis_has_changes.sh journalbeat libbeat || travis_terminate 0 - env: TARGETS="-C journalbeat testsuite" + env: + - PROJECT=journalbeat + - MAGE='build goUnitTest' go: $TRAVIS_GO_VERSION stage: test # Agent - os: linux before_install: .ci/scripts/travis_has_changes.sh x-pack/elastic-agent libbeat || travis_terminate 0 - env: TARGETS="-C x-pack/elastic-agent testsuite" + env: + - PROJECT=x-pack/elastic-agent + - MAGE='build test' go: $TRAVIS_GO_VERSION stage: test - os: osx before_install: .ci/scripts/travis_has_changes.sh x-pack/elastic-agent libbeat || travis_terminate 0 - env: TARGETS="TEST_ENVIRONMENT=0 -C x-pack/elastic-agent testsuite" + env: + - PROJECT=x-pack/elastic-agent + - MAGE='build unitTest' go: $TRAVIS_GO_VERSION stage: test @@ -318,13 +378,21 @@ before_script: - chmod +x docker-compose - sudo mv docker-compose /usr/local/bin - if [ $TRAVIS_OS_NAME = osx ]; then pip install virtualenv==16.7.9; fi + - make mage script: # Replacement for travis_wait which doesn't print output in real time. # Default Travis timeout is 10min, so this workaround prints timestamps every 9min to reset the counter. # Using seconds (540s = 9min) instead of minutes for shell compatibility reasons. - while sleep 540; do echo "=====[ ${SECONDS} seconds still running ]====="; done & - - make $TARGETS + - if [[ -n "$MAGE" ]]; then + echo ">> mage $MAGE from $PROJECT"; + cd "$PROJECT"; + mage $MAGE; + else + echo ">> make $TARGETS"; + make $TARGETS; + fi - kill %1 notifications: @@ -333,13 +401,4 @@ notifications: on_failure: always on_pull_requests: false rooms: - secure: "e25J5puEA31dOooTI4T+K+zrTs8XeWIGq2cgmiPt9u/g7eqWeQj1UJnVsr8GOu1RPDyuJZJHXqfrvuOYJTdHzXbwjD0JTbwwVVZMkkZW2SWZHG46HCXPiucjWXEr3hXJKBJDDpIx6VxrN7r17dejv1biQ8QuEFZfiB1H8kbH/ho=" - -after_success: - # Copy full.cov to coverage.txt because codecov.io requires this file - - test -f auditbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f auditbeat/build/coverage/full.cov - - test -f filebeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f filebeat/build/coverage/full.cov - - test -f heartbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f heartbeat/build/coverage/full.cov - - test -f libbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f libbeat/build/coverage/full.cov - - test -f metricbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f metricbeat/build/coverage/full.cov - - test -f packetbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f packetbeat/build/coverage/full.cov + secure: "e25J5puEA31dOooTI4T+K+zrTs8XeWIGq2cgmiPt9u/g7eqWeQj1UJnVsr8GOu1RPDyuJZJHXqfrvuOYJTdHzXbwjD0JTbwwVVZMkkZW2SWZHG46HCXPiucjWXEr3hXJKBJDDpIx6VxrN7r17dejv1biQ8QuEFZfiB1H8kbH/ho=" \ No newline at end of file diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc index 8f2a8b4fbf5..cf02bc84960 100644 --- a/CHANGELOG-developer.next.asciidoc +++ b/CHANGELOG-developer.next.asciidoc @@ -51,10 +51,12 @@ The list below covers the major changes between 7.0.0-rc2 and master only. - Remove `common.MapStrPointer` parameter from `cfgfile.Runnerfactory` interface. {pull}19135[19135] - Replace `ACKCount`, `ACKEvents`, and `ACKLastEvent` callbacks with `ACKHandler` and interface in `beat.ClientConfig`. {pull}19632[19632] - Remove global ACK handler support via `SetACKHandler` from publisher pipeline. {pull}19632[19632] +- Make implementing `Close` required for `reader.Reader` interfaces. {pull}20455[20455] ==== Bugfixes - Stop using `mage:import` in community beats. This was ignoring the vendorized beats directory for some mage targets, using the code available in GOPATH, this causes inconsistencies and compilation problems if the version of the code in the GOPATH is different to the vendored one. Use of `mage:import` will continue to be unsupported in custom beats till beats is migrated to go modules, or mage supports vendored dependencies. {issue}13998[13998] {pull}14162[14162] +- Metricbeat module builders call host parser only once when instantiating light modules. {pull}20149[20149] ==== Added @@ -97,3 +99,6 @@ The list below covers the major changes between 7.0.0-rc2 and master only. - Remove vendor folder from repository. {pull}18655[18655] - Added SQL helper that can be used from any Metricbeat module {pull}18955[18955] - Update Go version to 1.14.4. {pull}19753[19753] +- Update Go version to 1.14.7. {pull}20508[20508] +- Add packaging for docker image based on UBI minimal 8. {pull}20576[20576] +- Make the mage binary used by the build process in the docker container to be statically compiled. {pull}20827[20827] diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index d1ab5687dc9..b0b31734005 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc @@ -3,6 +3,871 @@ :issue: https://github.com/elastic/beats/issues/ :pull: https://github.com/elastic/beats/pull/ +[[release-notes-7.9.1]] +=== Beats version 7.9.1 +https://github.com/elastic/beats/compare/v7.9.0...v7.9.1[View commits] + +==== Breaking changes + +*Affecting all Beats* + +- Removed experimental modules `citrix`, `kaspersky`, `rapid7` and `tenable`. {pull}20706[20706] + +==== Bugfixes + +*Affecting all Beats* + +- Update replicaset group to apps/v1 {pull}15854[15854] +- Rename cloud.provider `az` value to `azure` inside the add_cloud_metadata processor. {pull}20689[20689] +- Add missing country_name geo field in `add_host_metadata` and `add_observer_metadata` processors. {issue}20796[20796] {pull}20811[20811] + +*Filebeat* + +- Fix long registry migration times. {pull}20717[20717] {issue}20705[20705] +- Fix event types and categories in auditd module to comply with ECS {pull}20652[20652] +- Update documentation in the azure module filebeat. {pull}20815[20815] + +*Heartbeat* + +- Stop rescheduling tasks of stopped monitors. {pull}20570[20570] + +*Metricbeat* + +- Updates vm_compute metricset with more info on guest metrics. {pull}20448[20448] +- Add fallback for PdhExpandWildCardPathW failing in perfmon metricset. {issue}20139[20139] {pull}20630[20630] +- Fix resource tags in aws cloudwatch metricset {issue}20326[20326] {pull}20385[20385] +- Fill cloud.account.name with accountID if account alias doesn't exist. {pull}20736[20736] + +*Winlogbeat* + +- Fix duplicated field error when exporting index-pattern with migration.6_to_7.enabled. {issue}20521[20521] {pull}20540[20540] +- Fix `event.outcome` in the security module for non-English languages. {issue}20079[20079] {pull}20564[20564] + +==== Added + +*Affecting all Beats* + +- Added support for more message types for Cisco ASA and FTD. {pull}20565[20565] + +[[release-notes-7.9.0]] +=== Beats version 7.9.0 +https://github.com/elastic/beats/compare/v7.8.1...v7.9.0[View commits] + +==== Breaking changes + +*Affecting all Beats* + +- Ensure dynamic template names are unique for the same field. {pull}18849[18849] + +*Filebeat* + +- With the default configuration the cloud modules (AWS, Azure, Googlecloud, o365, Okta) +will no longer send the `host` field that contains information about the host Filebeat is +running on. This is because the `host` field specifies the host on which the event +happened. {issue}13920[13920] {pull}18223[18223] +- With the default configuration the following modules will no longer send the `host` +field. You can revert this change by configuring tags for the module and omitting +`forwarded` from the list. +* Cisco {pull}18753[18753] +* CrowdStrike {pull}19132[19132] +* Fortinet {pull}19133[19133] +* Iptables {pull}18756[18756] +* Checkpoint {pull}18754[18754] +* Netflow {pull}19087[19087] +* Zeek {pull}19113[19113] (`forwarded` tag is not included by default) +* Suricata {pull}19107[19107] (`forwarded` tag is not included by default) +* CoreDNS {pull}19134[19134] (`forwarded` tag is not included by default) +* Envoy Proxy {pull}19134[19134] (`forwarded` tag is not included by default) +* CEF module {issue}13920[13920] {pull}18223[18223] +* Palo Alto Networks module {issue}13920[13920] {pull}18223[18223] +- Okta module now requires objects instead of JSON strings for the `http_headers`, `http_request_body`, `pagination`, `rate_limit`, and `ssl` variables. {pull}18953[18953] +- Add oauth support for httpjson input. {issue}18415[18415] {pull}18892[18892] +- Add `split_events_by` option to httpjson input. {pull}19246[19246] +- Add `date_cursor` option to httpjson input. {pull}19483[19483] +- Add Gsuite module with SAML support. {pull}19329[19329] +- Add Gsuite User Accounts support. {pull}19329[19329] +- Add Gsuite Login audit support. {pull}19702[19702] +- Add Gsuite Admin support. {pull}19769[19769] +- Add Gsuite Drive support. {pull}19704[19704] +- Add Gsuite Groups support. {pull}19725[19725] + +*Metricbeat* + +- Move service config under metrics and simplify metric types. {pull}18691[18691] +- Fix ECS compliance of `user.id` field in system/users metricset. {pull}19019[19019] +- Rename googlecloud stackdriver metricset to metrics. {pull}19718[19718] + +*Winlogbeat* + +- Add PowerShell module. Support for event ID's: `400`, `403`, `600`, `800`, `4103`, `4014`, `4105`, `4106`. {issue}16262[16262] {pull}18526[18526] +- Fix PowerShell processing of downgraded engine events. {pull}18966[18966] +- Fix unprefixed fields in `fields.yml` for PowerShell module. {issue}18984[18984] + +==== Bugfixes + +*Affecting all Beats* + +- Fix potential race condition in fingerprint processor. {pull}18738[18738] +- Add better handling for Kubernetes Update and Delete watcher events. {pull}18882[18882] +- Fix config reload metrics (`libbeat.config.module.start/stops/running`). {pull}19168[19168] +- Fix metrics hints builder to avoid wrong container metadata usage when port is not exposed. {pull}18979[18979] +- Server-side TLS config now validates that certificate and key settings are both specified. {pull}19584[19584] + +*Auditbeat* + +- system/socket: Fix issue with dataset using 100% CPU and becoming unresponsive in some scenarios. {pull}19033[19033] {pull}19764[19764] + +*Filebeat* + +- Fix Kubernetes Watcher goroutine leaks when input config is invalid and `input.reload` is enabled. {issue}18629[18629] {pull}18630[18630] +- Okta module now sets the Elasticsearch `_id` field to the Okta UUID value contained in each system log to minimize the possibility of duplicating events. {pull}18953[18953] +- Fix `netflow` module to support 7 bytepad for IPFIX template. {issue}18098[18098] +- Fix improper nesting of session_issuer object in AWS cloudtrail fileset. {issue}18894[18894] {pull}18915[18915] +- Fix Cisco ASA 3020** and 106023 messages. {pull}17964[17964] +- Add missing `default_field: false` to AWS filesets fields.yml. {pull}19568[19568] +- Fix memory leak in tcp and unix input sources. {pull}19459[19459] +- Fix Cisco ASA dissect pattern for 313008 & 313009 messages. {pull}19149[19149] +- Fix bug with empty filter values in system/service. {pull}19812[19812] + +*Metricbeat* + +- Fix incorrect usage of hints builder when exposed port is a substring of the hint. {pull}19052[19052] +- Stop counterCache only when already started. {pull}19103[19103] +- Remove dedot for tag values in AWS module. {issue}19112[19112] {pull}19221[19221] +- Fix empty field name errors in the application pool metricset. {pull}19537[19537] +- Fix mapping of service start type in the service metricset of the Windows module. {pull}19551[19551] +- Fix config example in the perfmon configuration files. {pull}19539[19539] +- Fix k8s scheduler compatibility issue. {pull}19699[19699] +- Fix SQL module mapping NULL values as string. {pull}18955[18955] {issue}18898[18898] + +*Packetbeat* + +- Fix process monitoring when ipv6 is disabled under Linux. {issue}19941[19941] {pull}19945[19945] + +==== Added + +*Affecting all Beats* + +- Add initial instrument of Beats with APM GO Agent. {pull}17938[17938] +- Add optional regex based cid extractor to `add_kubernetes_metadata` processor. {pull}17360[17360] +- Add k8s keystore backend. {pull}18096[18096] +- Change ownership of files in docker images so they can be used in secured environments. {pull}12905[12905] +- Upgrade k8s.io/client-go and k8s keystore tests. {pull}18817[18817] +- Add support for multiple sets of hints on autodiscover. {pull}18883[18883] +- Add a configurable delay between retries when app metadata cannot be retrieved by `add_cloudfoundry_metadata`. {pull}19181[19181] +- Add data type conversion in `dissect` processor for converting string values to other basic data types. {pull}18683[18683] +- Add the `ignore_failure` configuration option to the dissect processor. {pull}19464[19464] +- Add the `overwrite_keys` configuration option to the dissect processor. {pull}19464[19464] +- Add support to trim captured values in the dissect processor. {pull}19464[19464] +- Add the `max_cached_sessions` option to the script processor. {pull}19562[19562] + +*Auditbeat* + +- Add ECS categorization info for Auditd module. {pull}18596[18596] + +*Filebeat* + + +- Add http_endpoint input. {pull}18298[18298] +- Add `observer.vendor`, `observer.product`, and `observer.type` to Palo Alto Networks module events. {pull}18223[18223] +- The `logstash` module can now automatically detect the log file format (JSON or plaintext) and process it accordingly. {issue}9964[9964] {pull}18095[18095] +- Improve ECS categorization field mappings in CoreDNS module. {issue}16159[16159] {pull}18424[18424] +- Improve ECS categorization field mappings in Envoyproxy module. {issue}16161[16161] {pull}18395[18395] +- Improve ECS categorization field mappings in Cisco module. {issue}16028[16028] {pull}18537[18537] +- The s3 input can now automatically detect gzipped objects. {issue}18283[18283] {pull}18764[18764] +- Add geoip AS lookup and improve ECS categorization in AWS cloudtrail fileset. {issue}18644[18644] {pull}18958[18958] +- Add support for v1 consumer API in Cloud Foundry input and use it by default. {pull}19125[19125] +- Add new mode to multiline reader to aggregate constant number of lines. {pull}18352[18352] +- Explicitly set ECS version in all Filebeat modules. {pull}19198[19198] +- Add awscloudwatch input. {pull}19025[19025] +- Add automatic retries and exponential backoff to httpjson input. {pull}18956[18956] +- Change the Palo Alto Networks module to pass through (rather than drop) message types other than threat and traffic. {issue}16815[16815] {pull}19375[19375] +- Improve ECS categorization field mappings in Traefik module. {issue}16183[16183] {pull}19379[19379] +- Improve ECS categorization field mappings in Azure module. {issue}16155[16155] {pull}19376[19376] +- Add automatic retries and exponential backoff to httpjson input. {pull}18956[18956] +- Add text and flattened versions of fields with unknown subfields in AWS cloudtrail fileset. {issue}18866[18866] {pull}19121[19121] +- Add Microsoft Defender ATP Module. {issue}17997[17997] {pull}19197[19197] +- Add initial support for configurable file identity tracking. {pull}18748[18748] +- Add experimental dataset tomcat/log for Apache Tomcat logs. {pull}19713[19713] +- Add experimental dataset netscout/sightline for Netscout Arbor Sightline logs. {pull}19713[19713] +- Add experimental dataset barracuda/waf for Barracuda Web Application Firewall logs. {pull}19713[19713] +- Add experimental dataset f5/bigipapm for F5 Big-IP Access Policy Manager logs. {pull}19713[19713] +- Add experimental dataset bluecoat/director for Bluecoat Director logs. {pull}19713[19713] +- Add experimental dataset cisco/nexus for Cisco Nexus logs. {pull}19713[19713] +- Add experimental dataset citrix/virtualapps for Citrix Virtual Apps logs. {pull}19713[19713] +- Add experimental dataset cylance/protect for Cylance Protect logs. {pull}19713[19713] +- Add experimental dataset fortinet/clientendpoint for Fortinet FortiClient Endpoint Protection logs. {pull}19713[19713] +- Add experimental dataset imperva/securesphere for Imperva Secure Sphere logs. {pull}19713[19713] +- Add experimental dataset infoblox/nios for Infoblox Network Identity Operating System logs. {pull}19713[19713] +- Add experimental dataset juniper/junos for Juniper Junos OS logs. {pull}19713[19713] +- Add experimental dataset kaspersky/av for Kaspersky Anti-Virus logs. {pull}19713[19713] +- Add experimental dataset microsoft/dhcp for Microsoft DHCP Server logs. {pull}19713[19713] +- Add experimental dataset tenable/nessus_security for Tenable Nessus Security Scanner logs. {pull}19713[19713] +- Add experimental dataset rapid7/nexpose for Rapid7 Nexpose logs. {pull}19713[19713] +- Add experimental dataset radware/defensepro for Radware DefensePro logs. {pull}19713[19713] +- Add experimental dataset sonicwall/firewall for Sonicwall Firewalls logs. {pull}19713[19713] +- Add experimental dataset squid/log for Squid Proxy Server logs. {pull}19713[19713] +- Add experimental dataset zscaler/zia for Zscaler Internet Access logs. {pull}19713[19713] + +*Heartbeat* + +- Record HTTP response headers. {pull}18327[18327] + +*Journalbeat* + +- Added an `id` config option to inputs to allow running multiple inputs on the same journal. {pull}18467[18467] +- Add basic ECS categorization and `log.syslog` fields. {pull}19176[19176] + +*Metricbeat* + +- Add client address to events from http server module. {pull}18336[18336] +- Add new fields to HAProxy module. {issue}18523[18523] +- Add Tomcat overview dashboard. {pull}14026[14026] +- Accept prefix as metric_types config parameter in googlecloud stackdriver metricset. {pull}19345[19345] +- Add dashboards for googlecloud load balancing metricset. {pull}18369[18369] +- Add support for v1 consumer API in Cloud Foundry module and use it by default. {pull}19268[19268] +- Add support for named ports in autodiscover. {pull}19398[19398] +- Add param `aws_partition` to support aws-cn, aws-us-gov regions. {issue}18850[18850] {pull}19423[19423] +- Add support for wildcard `*` in dimension value of AWS CloudWatch metrics config. {issue}18050[18050] {pull}19660[19660] +- The `elasticsearch/index` metricset now collects metrics for hidden indices. {issue}18639[18639] {pull}18703[18703] +- Added `performance` and `query` metricsets to `mysql` module. {pull}18955[18955] +- The `elasticsearch-xpack/index` metricset now reports hidden indices as such. {issue}18639[18639] {pull}18706[18706] +- Adds support for app insights metrics in the Azure module. {issue}18570[18570] {pull}18940[18940] +- Added cache and connection_errors metrics to status metricset of MySQL module. {issue}16955[16955] {pull}19844[19844] +- Update MySQL dashboard with connection errors and cache metrics. {pull}19913[19913] {issue}16955[16955] + +*Packetbeat* + +- Add ECS fields for x509 certs, event categorization, and related IP info. {pull}19167[19167] + +*Functionbeat* + +- Add basic ECS categorization and `cloud` fields. {pull}19174[19174] + +*Elastic Log Driver* + +- Add support for `docker logs` command. {pull}19531[19531] + +==== Deprecated + +*Metricbeat* + +- Deprecate tags config parameter in cloudwatch metricset. {pull}16733[16733] +- Deprecate tags.resource_type_filter config parameter and replace with resource_type. {pull}19688[19688] + +[[release-notes-7.8.1]] +=== Beats version 7.8.1 +https://github.com/elastic/beats/compare/v7.8.0...v7.8.1[View commits] + +==== Breaking changes + +*Filebeat* + +- Adds check on `` config option value for the azure input `resource_manager_endpoint`. {pull}18890[18890] + +==== Bugfixes + +*Affecting all Beats* + +- The `monitoring.elasticsearch.api_key` value is correctly base64-encoded before being sent to the monitoring Elasticsearch cluster. {issue}18939[18939] {pull}18945[18945] +- Fix kafka topic setting not allowing upper case characters. {pull}18854[18854] {issue}18640[18640] +- Fix redis key setting not allowing upper case characters. {pull}18854[18854] {issue}18640[18640] + +*Auditbeat* + +- system/package: Fix librpm loading on Fedora 31/32. {pull}NNNN[NNNN] + +*Filebeat* + +- Fix date and timestamp formats for fortigate module {pull}19316[19316] +- Fix `googlecloud.audit` pipeline to only take in fields that are explicitly defined by the dataset. {issue}18465[18465] {pull}18472[18472] +- Fix a rate limit related issue in httpjson input for Okta module. {issue}18530[18530] {pull}18534[18534] +- Fix tls mapping in suricata module {issue}19492[19492] {pull}19494[19494] + +*Metricbeat* + +- Set tags correctly if the dimension value is ARN {issue}19111[19111] {pull}19433[19433] +- Fix bug incorrect parsing of float numbers as integers in Couchbase module {issue}18949[18949] {pull}19055[19055] +- Add missing info about the rest of the azure metricsets in the documentation. {pull}19601[19601] + +==== Added + +*Filebeat* + +- Add support for timezone offsets and `Z` to decode_cef timestamp parser. {pull}19346[19346] + +*Metricbeat* + +- Update Couchbase to version 6.5 {issue}18595[18595] {pull}19055[19055] + +[[release-notes-7.8.0]] +=== Beats version 7.8.0 +https://github.com/elastic/beats/compare/v7.7.0...v7.8.0[View commits] + +==== Breaking changes + +*Affecting all Beats* + +- Introduce APM instrumentation, which is active when running the beat with `ELASTIC_APM_ACTIVE=true`. {pull}17938[17938] + +*Filebeat* + +- Improve ECS field mappings in panw module. `event.outcome` now only contains success or failure, as recommended by the {ecs-ref}/ecs-event.html[ECS specification]. {issue}16025[16025] {pull}17910[17910] +- Improve ECS categorization field mappings for nginx module. `http.request.referrer` is now lowercase, and it is only populated when nginx sets a value. {issue}16174[16174] {pull}17844[17844] +- Improve ECS field mappings in santa module. `hash.sha256` is moved to `process.hash.sha256`, and certificate fields are now under `santa.certificate`. {issue}16180[16180] {pull}17982[17982] + +==== Bugfixes + +*Affecting all Beats* + +- Fix a bug in config reloading that could result in memory leaks or lost events when an output was rapidly reloaded multiple times. {issue}10491[10491] {pull}17381[17381] +- Fix panic when assigning a key to a `nil` value in an event. {pull}18143[18143] + +*Heartbeat* + +- Fix TCP TLS checks to properly validate hostnames. In previous 7.x versions, this only worked for IP SANs. {pull}17549[17549] + +*Metricbeat* + +- No longer send NaNs for memory metrics that don't exist on the platform being monitored. {pull}17400[17400] +- Add a switch to the driver definition on SQL module to use pretty names. {pull}17378[17378] + +==== Added + +*Affecting all Beats* + +- Update supported versions of `redis` output. {pull}17198[17198] +- Add `replace` processor for replacing string values of fields. {pull}17342[17342] +- Add `urldecode` processor for decoding URL-encoded fields. {pull}17505[17505] +- Add support for AWS IAM `role_arn` in credentials config. {pull}17658[17658] {issue}12464[12464] +- Add Kerberos support to Elasticsearch output. {pull}17927[17927] +- Set `agent.name` to the hostname by default. {issue}16377[16377] {pull}18000[18000] +- Add keystore support for autodiscover static configurations. {pull}16306[16306] +- Add support for basic ECS logging. {pull}17974[17974] +- Add config example of how to skip the `add_host_metadata` processor when forwarding logs. {issue}13920[13920] {pull}18153[18153] +- Add backoff configuration options for the Kafka output. {issue}16777[16777] {pull}17808[17808] +- Add keystore support for autodiscover static configurations. {pull}16306[16306] +- Add Kerberos support to Elasticsearch output. {pull}17927[17927] +- Add support for fixed length extraction in `dissect` processor. {pull}17191[17191] + +*Auditbeat* + +- Add system module process dataset ECS categorization fields. {pull}18032[18032] +- Add system module user dataset ECS categorization fields. {pull}18035[18035] +- Add system module login dataset ECS categorization fields. {pull}18034[18034] +- Add system module package dataset ECS categorization fields. {pull}18033[18033] +- Add ECS categories for system module host dataset. {pull}18031[18031] +- Add system module socket dataset ECS categorization fields. {pull}18036[18036] +- Add file integrity module ECS categorization fields. {pull}18012[18012] +- Add `file.mime_type`, `file.extension`, and `file.drive_letter` for file integrity module. {pull}18012[18012] + +*Filebeat* + +- Add source field in k8s events. {pull}17209[17209] +- Add new `crowdstrike` module for ingesting Crowdstrike Falcon streaming API endpoint event data. {pull}16988[16988] +- Improve ECS categorization field mappings in mongodb module. {issue}16170[16170] {pull}17371[17371] +- Improve ECS categorization field mappings for mssql module. {issue}16171[16171] {pull}17376[17376] +- Improve ECS categorization field mappings for mysql module. {issue}16172[16172] {pull}17491[17491] +- Add new Checkpoint Syslog filebeat module. {pull}17682[17682] +- Add config option to select a different azure cloud env in the azure-eventhub input and azure module. {issue}17649[17649] {pull}17659[17659] +- Enhance `elasticsearch/server` fileset to handle ECS-compatible logs emitted by Elasticsearch. {issue}17715[17715] {pull}17714[17714] +- Add Unix stream socket support as an input source and a syslog input source. {pull}17492[17492] +- Improve ECS categorization field mappings in misp module. {issue}16026[16026] {pull}17344[17344] +- Enhance `elasticsearch/deprecation` fileset to handle ECS-compatible logs emitted by Elasticsearch. {issue}17715[17715] {pull}17728[17728] +- Make `decode_cef` processor GA. {pull}17944[17944] +- Add new Fortigate Syslog filebeat module. {pull}17890[17890] +- Improve ECS categorization field mappings in redis module. {issue}16179[16179] {pull}17918[17918] +- Improve ECS categorization field mappings in rabbitmq module. {issue}16178[16178] {pull}17916[17916] +- Improve ECS categorization field mappings in postgresql module. {issue}16177[16177] {pull}17914[17914] +- Improve ECS categorization field mappings for nginx module. {issue}16174[16174] {pull}17844[17844] +- Add support for Google Application Default Credentials to the Google Pub/Sub input and Google Cloud modules. {pull}15668[15668] +- Improve ECS categorization field mappings for zeek module. {issue}16029[16029] {pull}17738[17738] +- Improve ECS categorization field mappings for netflow module. {issue}16135[16135] {pull}18108[18108] +- Add an input option `publisher_pipeline.disable_host` to disable `host.name`. {pull}18456[18456] +- Improve ECS categorization field mappings in system module. {issue}16031[16031] {pull}18065[18065] +- Improve ECS categorization field mappings in osquery module. {issue}16176[16176] {pull}17881[17881] +- Add support for v10, v11 and v12 logs on Postgres {issue}13810[13810] {pull}17732[17732] +- Add dashboard for Google Cloud Audit and AWS CloudTrail. {pull}17379[17379] + +*Heartbeat* + +- Add additional ECS compatible fields for TLS information. {pull}17687[17687] + +*Metricbeat* + +- Refactor windows/perfmon metricset configuration options and event output. {pull}17596[17596] +- Add more detailed error messages, system tests and small refactoring to the service metricset in windows. {pull}17725[17725] +- Stack Monitoring modules now auto-configure required metricsets when `xpack.enabled: true` is set. {issue}16471[16471] {pull}17609[17609] +- Add Metricbeat IIS module dashboards. {pull}17966[17966] +- Add dashboard for the azure database account metricset. {pull}17901[17901] +- Allow partial region and zone name in googlecloud module config. {pull}17913[17913] +- Add aggregation aligner as a config parameter for googlecloud stackdriver metricset. {issue}17141[17141] {pull}17719[17719] +- Move the perfmon metricset to GA. {issue}16608[16608] {pull}17879[17879] +- Stack Monitoring modules now auto-configure required metricsets when `xpack.enabled: true` is set. {issue}16471[16471] {pull}17609[17609] +- Add static mapping for metricsets under aws module. {pull}17614[17614] {pull}17650[17650] +- Add dashboard for googlecloud storage metricset. {pull}18172[18172] +- Collect new `bulk` indexing metrics from Elasticsearch when `xpack.enabled:true` is set. {issue}17977[17977] {pull}17992[17992] +- Remove requirement to connect as sysdba in Oracle module. {issue}15846[15846] {pull}18182[18182] +- Update MSSQL module to fix some SSPI authentication and add brackets to USE statements. {pull}17862[17862] + +*Winlogbeat* + +- Set `process.command_line` and `process.parent.command_line` from Sysmon Event ID 1. {pull}17327[17327] +- Add support for event IDs 4673,4674,4697,4698,4699,4700,4701,4702,4768,4769,4770,4771,4776,4778,4779,4964 to the Security module. {pull}17517[17517] +- Add registry and code signature information and ECS categorization fields for sysmon module. {pull}18058[18058] + +[[release-notes-7.7.0]] +=== Beats version 7.7.0 +https://github.com/elastic/beats/compare/v7.6.2...v7.7.0[View commits] + +==== Breaking changes + +*Affecting all Beats* + +- Environment variables can no longer reference other environment variables or objects. {pull}15937[15937] +- Change `aws_elb` autodiscovery provider field name from `elb_listener.*` to `aws.elb.*`. {issue}16219[16219] {pull}16402[16402] +- Remove support for using `add_docker_metadata` and `add_kubernetes_metadata` processors from the `script` processor. They can still be used as normal processors in the configuration. {issue}16349[16349] {pull}16514[16514] + +==== Bugfixes + +*Affecting all Beats* + +- Fix Kubernetes autodiscovery provider to correctly handle pod states and avoid missing event data. {pull}17223[17223] +- Fix `add_cloud_metadata` processor to better support modifying sub-fields with other processors. {pull}13808[13808] +- Fix panic in the Logstash output when trying to send events to closed connection. {pull}15568[15568] +- Fix logging target settings being ignored when Beats are started via systemd or docker. {issue}12024[12024] {pull}15422[15442] +- Fix issue where default go logger is not discarded when either * or stdout is selected. {issue}10251[10251] {pull}15708[15708] +- Remove superfluous use of `number_of_routing_shards` setting from the default template. {pull}16038[16038] +- Automatically convert index names to lowercase. {pull}16081[16081] +- Fix loading processor annotation hints, allowing the value to be a full configuration section. {pull}16348[16348] +- Add `ssl.ca_sha256` to the list of supported TLS options. This option allows you to check that a specific certificate is used as part of the verified chain. {issue}15717[15717] +- Fix `NewContainerMetadataEnricher` to use default config for kubernetes module. No longer requires the user to have `labels.dedot: true` in the configuration as it is now properly the default. {pull}16857[16857] +- Improve logging messages for the `add_kubernetes_metadata` processor. {pull}16866[16866] +- Fail to start if httpprof is used and it cannot be initialized. {pull}17028[17028] +- Fix concurrency issues in convert processor when used in the global context. {pull}17032[17032] +- Fix bug with `monitoring.cluster_uuid` setting not always being exposed via GET /state Beats API. {issue}16732[16732] {pull}17420[17420] +- Fix building on FreeBSD by removing build flags from `add_cloudfoundry_metadata` processor. {pull}17486[17486] + +*Filebeat* + +- Fix mapping error when zeek weird logs do not contain IP addresses. {pull}15906[15906] +- Fix merging of fileset inputs to replace paths and append processors. {pull}16450[16450] +- Fix Elasticsearch `_id` field set by S3 and Google Pub/Sub inputs. {pull}17026[17026] +- Fix various Cisco FTD parsing issues. {issue}16863[16863] {pull}16889[16889] +- Fix default index pattern in IBM MQ Filebeat dashboard. {pull}17146[17146] +- Fix a mapping exception when ingesting Logstash plain logs (7.4+) with pipeline ids containing non alphanumeric chars. {issue}17242[17242] {pull}17243[17243] +- Fix MySQL slowlog module causing "regular expression has redundant nested repeat operator" warning in Elasticsearch. {issue}17086[17086] {pull}17156[17156] +- Fix `elasticsearch.audit` data ingest pipeline to be more forgiving with date formats found in Elasticsearch audit logs. {pull}17406[17406] +- Fix decoding errors caused by trailing spaces in CEF messages. {pull}17253[17253] +- Fix activemq module causing "regular expression has redundant nested repeat operator" warning in Elasticsearch. {pull}17428[17428] + +*Metricbeat* + +- Change `lookup_fields` setting from `metricset.host` to `service.address`. {pull}15883[15883] +- Make `logstash-xpack` module once again have parity with internally-collected Logstash monitoring data. {pull}16198[16198] +- Improve metrics collection in the `system/service` metricset on older linux distributions. {pull}16902[16902] +- Use max in k8s apiserver dashboard aggregations. {pull}17018[17018] +- Check if CCR feature is available on Elasticsearch cluster before attempting to call CCR APIs from `elasticsearch/ccr` metricset. {issue}16511[16511] {pull}17073[17073] +- Use max in k8s overview dashboard aggregations. {pull}17015[17015] +- Fix Disk Used and Disk Usage visualizations in the Metricbeat System dashboards. {issue}12435[12435] {pull}17272[17272] +- Fix missing Accept header for Prometheus and OpenMetrics module. {issue}16870[16870] {pull}17291[17291] +- Combine cloudwatch aggregated metrics into single event. {pull}17345[17345] +- Fix how we filter services by name in system/service. {pull}17400[17400] +- Fix problem where `cloudwatch` metricset was not collecting tags correctly. {issue}17419[17419] {pull}17424[17424] +- Check if cpuOptions field is nil in DescribeInstances output in ec2 metricset. {pull}17418[17418] +- Fix `aws.s3.bucket.name` terms_field in s3 overview dashboard. {pull}17542[17542] +- Fix Unix socket path in memcached module. {pull}17512[17512] +- Fix vsphere VM dashboard host aggregation visualizations. {pull}17555[17555] + +==== Added + +*Affecting all Beats* + +- Include network information by default when using the `add_host_metadata` or `add_observer_metadata` processor. {issue}15347[15347] {pull}16077[16077] +- Add `aws_ec2` provider for autodiscovery. {issue}12518[12518] {pull}14823[14823] +- Add support for multiple passwords in redis output. {issue}16058[16058] {pull}16206[16206] +- Add support for Histogram type in fields.yml. {pull}16570[16570] +- Windows .exe files now have embedded file version info. {issue}15232[15232]t +- Remove experimental flag from `setup.template.append_fields`. {pull}16576[16576] +- Add `add_cloudfoundry_metadata` processor to annotate events with Cloud Foundry application data. {pull}16621[16621] +- Add `translate_sid` processor on Windows for converting Windows security identifier (SID) values to names. {issue}7451[7451] {pull}16013[16013] +- Add support for Kubernetes provider to recognize namespace level defaults. {pull}16321[16321] +- Add ability to enrich the `container.id` with the process id by using the `add_process_metadata` processor. {pull}15947[15947] +- Update RPM packages contained in Beat Docker images. {issue}17035[17035] +- Add Kerberos support to Kafka input and output. {pull}16781[16781] + +*Auditbeat* + +- Add examples to the kubernetes manifests to show how to +configure the auditd module and use processors to enrich events with metadata. +- In the kubernetes manifests, mount the data directory from the host, so data persist between executions in the same node. {pull}17429[17429] +- Log to stderr when using kubernetes manifests. {pull}17443[174443] +- Fix memory leak on when we miss socket close kprobe events. {pull}17500[17500] + +*Filebeat* + +- Add ECS tls fields to the smtp, rdp, and ssl filesets in the zeek module, and the s3access and elb filesets in the aws module. {issue}15757[15757] {pull}15935[15936] +- Add Nginx `ingress_controller` fileset. {pull}16197[16197] +- Add ECS tls and categorization fields to apache module. {issue}16032[16032] {pull}16121[16121] +- Add MQTT input. {issue}15602[15602] {pull}16204[16204] +- Improve ECS categorization, container, and process field mappings in auditd module. {issue}16153[16153] {pull}16280[16280] +- Add ECS categorization fields to activemq module. {issue}16151[16151] {pull}16201[16201] +- Improve ECS field mappings in aws module. {issue}16154[16154] {pull}16307[16307] +- Improve ECS categorization field mappings in googlecloud module. {issue}16030[16030] {pull}16500[16500] +- Add `cloudwatch` and `ec2` filesets to aws module. {issue}13716[13716] {pull}16579[16579] +- Improve ECS categorization field mappings in kibana module. {issue}16168[16168] {pull}16652[16652] +- Add `cloudfoundry` input to send events from Cloud Foundry. {pull}16586[16586] +- Improve ECS field mappings in haproxy module. {issue}16162[16162] {pull}16529[16529] +- Allow users to override pipeline ID in fileset input config. {issue}9531[9531] {pull}16561[16561] +- Improve ECS categorization field mappings in logstash module. {issue}16169[16169] {pull}16668[16668] +- Improve ECS categorization field mappings in iis module. {issue}16165[16165] {pull}16618[16618] +- Improve the `decode_cef` processor by reducing the number of memory allocations. {pull}16587[16587] +- Improve ECS categorization field mapping in kafka module. {issue}16167[16167] {pull}16645[16645] +- Improve ECS categorization field mapping in icinga module. {issue}16164[16164] {pull}16533[16533] +- Improve ECS categorization field mappings in ibmmq module. {issue}16163[16163] {pull}16532[16532] +- Add custom string mapping to CEF module to support Forcepoint NGFW. {issue}14663[14663] {pull}15910[15910] +- Add ECS fields to CEF module. {issue}16157[16157] {pull}16338[16338] +- Improve ECS categorization and host field mappings in elasticsearch module. {issue}16160[16160] {pull}16469[16469] +- Improve ECS categorization field mappings in suricata module. {issue}16181[16181] {pull}16843[16843] +- Release ActiveMQ module as GA. {issue}17047[17047] {pull}17049[17049] +- Improve ECS categorization field mappings in iptables module. {issue}16166[16166] {pull}16637[16637] +- Add pattern for Cisco ASA / FTD Message 734001. {issue}16212[16212] {pull}16612[16612] +- Add `o365audit` input type for consuming events from Office 365 Management Activity API. {issue}16196[16196] {pull}16244[16244] +- Add custom string mapping to CEF module to support Check Point devices. {issue}16041[16041] {pull}16907[16907] +- Add `o365` module for ingesting Office 365 management activity API events. {issue}16196[16196] {pull}16386[16386] +- Add Okta module. {pull}16362[16362] +- Improve AWS cloudtrail field mappings. {issue}16086[16086] {issue}16110[16110] {pull}17155[17155] +- Make the `azure-eventhub` input GA. {issue}15671[15671] {pull}17313[17313] +- Add `access_key_id`, `secret_access_key`, and `session_token` to the aws module config. {pull}17456[17456] + +*Heartbeat* + +- Allow a list of status codes for HTTP checks. {pull}15587[15587] + +*Journalbeat* + +- Improve parsing of `syslog.pid` in Journalbeat to strip the username when +present. {pull}16116[16116] + +*Metricbeat* + +- Add lambda metricset in aws module. {pull}15260[15260] +- Add DynamoDB AWS light module. {pull}15097[15097] +- Add IBM MQ light-weight module. {pull}15301[15301] +- Add mixer metricset for Istio Metricbeat module. {pull}15696[15696] +- Add mesh metricset for Istio Metricbeat module. {pull}15535[15535] +- Add pilot metricset for Istio Metricbeat module. {pull}15761[15761] +- Add galley metricset for Istio Metricbeat module. {pull}15857[15857] +- Add `key/value` mode for SQL module. {issue}15770[15770] {pull}15845[15845] +- Add support for Unix socket in Memcached module. {issue}13685[13685] {pull}15822[15822] +- Make the `system/cpu` metricset collect normalized CPU metrics by default. {issue}15618[15618] {pull}15729[15729] +- Add kubernetes storage class support via kube-state-metrics. {pull}16145[16145] +- Add `up` metric to prometheus metrics collected from host. {pull}15948[15948] +- Add citadel metricset for Istio Metricbeat module. {pull}15990[15990] +- Add support for processors in light modules. {issue}14740[14740] {pull}15923[15923] +- Add ability to collect AuroraDB metrics in rds metricset. {issue}14142[14142] {pull}16004[16004] +- Reuse connections in SQL module. {pull}16001[16001] +- Improve the `logstash` module (when `xpack.enabled` is set to `true`) to use the override `cluster_uuid` returned by Logstash APIs. {issue}15772[15772] {pull}15795[15795] +- Add region parameter in googlecloud module. {issue}15780[15780] {pull}16203[16203] +- Add `database_account` azure metricset. {issue}15758[15758] +- Add support for Dropwizard metrics 4.1. {pull}16332[16332] +- Add support for NATS 2.1. {pull}16317[16317] +- Add azure container metricset in order to monitor containers. {issue}15751[15751] {pull}16421[16421] +- Improve the `haproxy` module to support metrics exposed via HTTPS. {issue}14579[14579] {pull}16333[16333] +- Add filtering option for prometheus collector. {pull}16420[16420] +- Add metricsets based on Ceph Manager Daemon to the `ceph` module. {issue}7723[7723] {pull}16254[16254] +- Add Load Balancing metricset to GCP. {pull}15559[15559] +- Release `statsd` module as GA. {pull}16447[16447] {issue}14280[14280] +- Add collecting tags and tags_filter for rds metricset in aws module. {pull}16605[16605] {issue}16358[16358] +- Add OpenMetrics module. {pull}16596[16596] +- Add `redisenterprise` module. {pull}16482[16482] {issue}15269[15269] +- Add `cloudfoundry` module to send events from Cloud Foundry. {pull}16671[16671] +- Add system/users metricset as beta. {pull}16569[16569] +- Align fields to ECS and add more tests for the azure module. {issue}16024[16024] {pull}16754[16754] +- Add additional cgroup fields to docker/diskio. {pull}16638[16638] +- Add overview dashboard for googlecloud compute metricset. {issue}16534[16534] {pull}16819[16819] +- Add Prometheus remote write endpoint. {pull}16609[16609] +- Release STAN module as GA. {pull}16980[16980] +- Add query metricset for prometheus module. {pull}17104[17104] +- Release ActiveMQ module as GA. {issue}17047[17047] {pull}17049[17049] +- Add support for CouchDB v2. {issue}16352[16352] {pull}16455[16455] +- Add dashboards for the azure container metricsets. {pull}17194[17194] +- Separate the `vpc` metricset into three smaller metricsets: `vpn`, `transitgateway`, and `natgateway`. {pull}16892[16892] +- Use Elasticsearch histogram type to store Prometheus histograms. {pull}17061[17061] +- Allow to rate Prometheus counters when scraping them. {pull}17061[17061] +- Release the Oracle module as GA. {issue}14279[14279] {pull}16833[16833] +- Add Storage metricsets to GCP module. {pull}15598[15598] +- Release the vsphere module as GA. {issue}15798[15798] {pull}17119[17119] +- Add PubSub metricset to Google Cloud Platform module. {pull}15536[15536] +- Add dashboard for `redisenterprise` module. {pull}16752[16752] +- Add dashboard for VSphere host cluster and virtual machine. {pull}14135[14135] +- Add test for documented fields check for metricsets without a http input. {issue}17315[17315] {pull}17334[17334] +- Release the azure module as GA. {pull}17319[17319] +- In the kubernetes manifests, mount the data directory from the host, so data persist between executions in the same node. {pull}17429[17429] + +*Packetbeat* + +- Add `dns.question.subdomain` and `dns.question.top_level_domain` fields. {pull}14578[14578] +- Add `redact_headers` configuration option to allow HTTP request headers to be redacted whilst keeping the header field included in the Beat. {pull}15353[15353] +- Enable setting promiscuous mode automatically. {pull}11366[11366] + +*Winlogbeat* + +- Add Audit and Log Management, Computer Object Management, and Distribution Group related events to the Security module. {pull}15217[15217] +- Add experimental event log reader implementation that should be faster in most cases. {issue}6585[6585] {pull}16849[16849] + +[[release-notes-7.6.2]] +=== Beats version 7.6.2 +https://github.com/elastic/beats/compare/v7.6.1...v7.6.2[View commits] + +==== Breaking changes + +*Affecting all Beats* + +- Fix an issue that could cause redundant configuration reloads. {pull}16440[16440] +- Fix metadata enrichers to use default config for kubernetes module. {pull}17020[17020] + +*Metricbeat* + +- Make use of secure port when accessing Kubelet API {pull}16063[16063] + +==== Bugfixes + +*Affecting all Beats* + +- Fix k8s metadata issue regarding node labels not shown up on root level of metadata. {pull}16834[16834] + +*Filebeat* + +- Ensure all zeek timestamps include millisecond precision. {issue}14599[14599] {pull}16766[16766] +- Fix issue where autodiscover hints default configuration was not being copied. {pull}16987[16987] + +*Metricbeat* + +- Convert increments of 100 nanoseconds/ticks to milliseconds for WriteTime and ReadTime in diskio metricset (Windows) for consistency. {issue}14233[14233] +- Fix diskio issue for windows 32 bit on disk_performance struct alignment. {issue}16680[16680] + +==== Added + +*Affecting all Beats* + +- Add monitoring variable `libbeat.config.scans` to distinguish scans of the configuration directory from actual reloads of its contents. {pull}16440[16440] + +*Winlogbeat* + +- Add more DNS error codes to the Sysmon module. {issue}15685[15685] + +[[release-notes-7.6.1]] +=== Beats version 7.6.1 +https://github.com/elastic/beats/compare/v7.6.0...v7.6.1[View commits] + +==== Bugfixes + +*Affecting all Beats* + +- Fix k8s pods labels broken schema. {pull}16480[16480] +- Fix k8s pods annotations broken schema. {pull}16554[16554] + +*Filebeat* + +- Fix a connection error in httpjson input. {pull}16123[16123] +- Fix mapping error for cloudtrail additionalEventData field {pull}16088[16088] +- Rewrite azure filebeat dashboards, due to changes in kibana. {pull}16466[16466] +- Adding the var definitions in azure manifest files, fix for errors when executing command setup. {issue}16270[16270] {pull}16468[16468] + +*Heartbeat* + +- Fix scheduler shutdown issues which would in rare situations cause a panic due to semaphore misuse. {pull}16397[16397] + +*Metricbeat* + +- Avoid parsing errors returned from prometheus endpoints. {pull}15712[15712] +- Change sqs metricset to use average as statistic method. {pull}16438[16438] + +*Functionbeat* + +- Fix timeout option of GCP functions. {issue}16282[16282] {pull}16287[16287] + +[[release-notes-7.6.0]] +=== Beats version 7.6.0 +https://github.com/elastic/beats/compare/v7.5.1...v7.6.0[View commits] + +==== Breaking changes + +*Affecting all Beats* + +- Remove version information from default ILM policy for improved upgrade experience on custom policies. {pull}14745[14745] +- Running `setup` cmd respects `setup.ilm.overwrite` setting for improved support of custom policies. {pull}14741[14741] +- Cleanup the x-pack licenser code to use the new license endpoint and the new format. Replaces the url /_xpack/license with /_license. {pull}15091[15091] +- The document id fields has been renamed from @metadata.id to @metadata._id {pull}15859[15859] +- Two Beat instances with the same data path cannot be run concurrently. {pull}14069[14069] + +*Filebeat* + +- CEF extensions are now mapped to the data types defined in the CEF guide. {pull}14342[14342] + +*Journalbeat* + +- Remove broken dashboard. {pull}15288[15288] + +*Metricbeat* + +- Update cloudwatch metricset mapping for both metrics and dimensions. {pull}15245[15245] + +*Packetbeat* + +- TLS: Fields have been changed to adapt to ECS. {pull}15497[15497] +- TLS: The behavior of send_certificates and include_raw_certificates options has changed. {pull}15497[15497] + +==== Bugfixes + +*Affecting all Beats* + +- Fix spooling to disk blocking infinitely if the lock file can not be acquired. {pull}15338[15338] +- Fix `metricbeat test output` with an ipv6 ES host in the output.hosts. {pull}15368[15368] +- Fix `convert` processor conversion of string to integer with leading zeros. {issue}15513[15513] {pull}15557[15557] +- Fix existing agent.*, ecs.version, and host.name fields getting overwritten by Beats if they are already present in the original event. {pull}14407[14407] +- Fix issue where TLS settings would be ignored when a forward proxy was in use. {pull}15516[$15516] +- Beats no longer attempts to load dashboards if they are unavailable. {pull}15802[15802] + +*Auditbeat* + +- system/socket: Fix compatibility issue with kernel 5.x. {pull}15771[15771] + +*Filebeat* + +- Fix a problem in Filebeat input httpjson where interval is not used as time.Duration. {pull}14728[14728] +- Fix SSL config in input.yml for Filebeat httpjson input in the MISP module. {pull}14767[14767] +- Check content-type when creating new reader in s3 input. {pull}15252[15252] {issue}15225[15225] +- Fix session reset detection and a crash in Netflow input. {pull}14904[14904] +- Handle errors in handleS3Objects function and add more debug messages for s3 input. {pull}15545[15545] +- netflow: Allow for options templates without scope fields. {pull}15449[15449] +- netflow: Fix bytes/packets counters on some devices (NSEL and Netstream). {pull}15449[15449] +- netflow: Fix compatibility with some Cisco devices by changing the field `class_id` from short to long. {pull}15449[15449] +- Fix dashboard for Cisco ASA Firewall. {issue}15420[15420] {pull}15553[15553] +- Fix s3 input hanging with GetObjectRequest API call by adding context_timeout config. {issue}15502[15502] {pull}15590[15590] +- Add shared_credential_file to cloudtrail config. {issue}15652[15652] {pull}15656[15656] +- Fix typos in zeek notice fileset config file. {issue}15764[15764] {pull}15765[15765] +- Prevent Elasticsearch from spewing log warnings about redundant wildcards when setting up ingest pipelines for the `elasticsearch` module. {issue}15840[15840] {pull}15900[15900] +- Improve `elasticsearch/audit` fileset to handle timestamps correctly. {pull}15942[15942] + +*Heartbeat* + +- Fix excessive memory usage introduced in 7.5 due to over-allocating memory for HTTP checks. {pull}15639[15639] + +*Metricbeat* + +- Fix regular expression to detect instance name in perfmon metricset. {issue}14273[14273] {pull}14666[14666] +- Fix `docker.container.size` fields values {issue}14979[14979] {pull}15224[15224] +- Make `kibana` module more resilient to Kibana unavailability. {issue}15258[15258] {pull}15270[15270] +- Fix panic exception with some unicode strings in perfmon metricset. {issue}15264[15264] +- Make `logstash` module more resilient to Logstash unavailability. {issue}15276[15276] {pull}15306[15306] +- Add username/password in Metricbeat autodiscover hints {pull}15349[15349] +- Add dedot for tags in ec2 metricset and cloudwatch metricset. {issue}15843[15843] {pull}15844[15844] +- Use RFC3339 format for timestamps collected using the SQL module. {pull}15847[15847] +- Add dedot for cloudwatch metric name. {issue}15916[15916] {pull}15917[15917] +- Fixed issue `logstash-xpack` module suddenly ceasing to monitor Logstash. {issue}15974[15974] {pull}16044[16044] + +==== Added + +*Affecting all Beats* + +- Add a friendly log message when a request to docker has exceeded the deadline. {pull}15336[15336] +- GA the `script` processor. {pull}14325[14325] +- Add `fingerprint` processor. {issue}11173[11173] {pull}14205[14205] +- Add support for API keys in Elasticsearch outputs. {pull}14324[14324] +- Add consumer_lag in Kafka consumergroup metricset {pull}14822[14822] +- Make use of consumer_lag in Kafka dashboard {pull}14863[14863] +- Refactor kubernetes autodiscover to enable different resource based discovery {pull}14738[14738] +- Add `add_id` processor. {pull}14524[14524] +- Enable TLS 1.3 in all beats. {pull}12973[12973] +- Spooling to disk creates a lockfile on each platform. {pull}15338[15338] +- Enable DEP (Data Execution Protection) for Windows packages. {pull}15149[15149] +- Users can now specify `monitoring.cloud.*` to override `monitoring.elasticsearch.*` settings. {issue}14399[14399] {pull}15254[15254] +- Add support to kubernetes autodiscovery to add additional metadata from other source to events. {pull}14875[14875] +- Update to ECS 1.4.0. {pull}14844[14844] +- Add document_id setting to decode_json_fields processor. {pull}15859[15859] + +*Filebeat* + +- Add new fileset googlecloud/audit for ingesting Google Cloud Audit logs. {pull}15200[15200] +- Add dashboards to the CEF module (ported from the Logstash ArcSight module). {pull}14342[14342] +- Add expand_event_list_from_field support in s3 input for reading json format AWS logs. {issue}15357[15357] {pull}15370[15370] +- Add azure-eventhub input which will use the azure eventhub go sdk. {issue}14092[14092] {pull}14882[14882] +- Expose more metrics of harvesters (e.g. `read_offset`, `start_time`). {pull}13395[13395] +- Include log.source.address for unparseable syslog messages. {issue}13268[13268] {pull}15453[15453] +- Release aws elb fileset as GA. {pull}15426[15426] {issue}15380[15380] +- Integrate the azure-eventhub with filebeat azure module (replace the kafka input). {pull}15480[15480] +- Release aws s3access fileset to GA. {pull}15431[15431] {issue}15430[15430] +- Add cloudtrail fileset to AWS module. {issue}14657[14657] {pull}15227[15227] +- New fileset googlecloud/firewall for ingesting Google Cloud Firewall logs. {pull}14553[14553] +- google-pubsub input: ACK pub/sub message when acknowledged by publisher. {issue}13346[13346] {pull}14715[14715] +- Remove Beta label from google-pubsub input. {issue}13346[13346] {pull}14715[14715] +- Add dashboard for AWS ELB fileset. {pull}15804[15804] +- Set event.outcome field based on googlecloud audit log output. {pull}15731[15731] +- Add dashboard for AWS vpcflow fileset. {pull}16007[16007] + +*Heartbeat* + +*Metricbeat* + +- Expand data for the `system/memory` metricset {pull}15492[15492] +- Add azure `storage` metricset in order to retrieve metric values for storage accounts. {issue}14548[14548] {pull}15342[15342] +- Add cost warnings for the azure module. {pull}15356[15356] +- Release elb module as GA. {pull}15485[15485] +- Add a `system/network_summary` metricset {pull}15196[15196] +- Allow Metricbeat's beat module to read monitoring information over a named pipe or unix domain socket. {pull}14558[14558] +- Enable script processor. {pull}14711[14711] +- Add STAN dashboard {pull}15654[15654] + +*Functionbeat* + +- Add monitoring info about triggered functions. {pull}14876[14876] +- Add Google Cloud Platform support. {pull}13598[13598] + +[[release-notes-7.5.2]] +=== Beats version 7.5.2 +https://github.com/elastic/beats/compare/v7.5.1...v7.5.2[View commits] + +==== Breaking changes + +*Journalbeat* + +- Remove broken dashboard. {pull}15288[15288] + +==== Bugfixes + +*Affecting all Beats* + +- Fix `convert` processor conversion of string to integer with leading zeros. {issue}15513[15513] {pull}15557[15557] + +*Filebeat* + +- Check content-type when creating new reader in s3 input. {pull}15252[15252] {issue}15225[15225] +- Fix session reset detection and a crash in Netflow input. {pull}14904[14904] +- netflow: Allow for options templates without scope fields. {pull}15449[15449] +- netflow: Fix bytes/packets counters on some devices (NSEL and Netstream). {pull}15449[15449] +- netflow: Fix compatibility with some Cisco devices by changing the field `class_id` from short to long. {pull}15449[15449] +- Fix dashboard for Cisco ASA Firewall. {issue}15420[15420] {pull}15553[15553] + +*Metricbeat* + +- Fix regular expression to detect instance name in perfmon metricset. {issue}14273[14273] {pull}14666[14666] +- Fix `docker.container.size` fields values {issue}14979[14979] {pull}15224[15224] +- Make `kibana` module more resilient to Kibana unavailability. {issue}15258[15258] {pull}15270[15270] +- Fix panic exception with some unicode strings in perfmon metricset. {issue}15264[15264] +- Make `logstash` module more resilient to Logstash unavailability. {issue}15276[15276] {pull}15306[15306] + +==== Added + +*Affecting all Beats* + +- Add a friendly log message when a request to docker has exceeded the deadline. {pull}15336[15336] + +*Filebeat* + +- Include log.source.address for unparseable syslog messages. {issue}13268[13268] {pull}15453[15453] + [[release-notes-7.5.1]] === Beats version 7.5.1 https://github.com/elastic/beats/compare/v7.5.0...v7.5.1[View commits] @@ -33,6 +898,7 @@ https://github.com/elastic/beats/compare/v7.5.0...v7.5.1[View commits] - Fix ListMetrics pagination in aws module. {issue}14926[14926] {pull}14942[14942] - Fix CPU count in docker/cpu in cases where no `online_cpus` are reported {pull}15070[15070] - Add domain state to kvm module {pull}17673[17673] +- Fix Kubernetes Overview Dashboard to correctly display non 10s intervals for node usage {pull}19675[19675] [[release-notes-7.5.0]] === Beats version 7.5.0 @@ -156,10 +1022,11 @@ processing events. (CVE-2019-17596) See https://www.elastic.co/community/securit - Add Kibana Dashboard for MISP module. {pull}14147[14147] - Add support for gzipped files in S3 input {pull}13980[13980] - Add Filebeat Azure Dashboards {pull}14127[14127] +- Add support for space or time sync character before timestamp in syslog input. {pull}13278[13278] {issue}13269[13269] - Add support for thread ID in Filebeat Kafka module. {pull}19463[19463] - *Heartbeat* + - Add non-privileged icmp on linux and darwin(mac). {pull}13795[13795] {issue}11498[11498] - Allow `hosts` to be used to configure http monitors {pull}13703[13703] @@ -201,29 +1068,19 @@ processing events. (CVE-2019-17596) See https://www.elastic.co/community/securit - `kubernetes.container.id` field for `state_container` is deprecated in favour of ECS `container.id` and `container.runtime`. {pull}13884[13884] -[[release-notes-7.4.1]] -=== Beats version 7.4.1 -https://github.com/elastic/beats/compare/v7.4.0...v7.4.1[View commits] +[[release-notes-7.4.2]] +=== Beats version 7.4.2 +https://github.com/elastic/beats/compare/v7.4.1...v7.4.2[View commits] -==== Breaking changes - -*Affecting all Beats* - -*Auditbeat* +==== Bugfixes *Filebeat* -*Heartbeat* - -*Journalbeat* - -*Metricbeat* - -*Packetbeat* - -*Winlogbeat* +- panw module: Use geo.name instead of geo.country_iso_code for free-form location. {issue}13272[13272] -*Functionbeat* +[[release-notes-7.4.1]] +=== Beats version 7.4.1 +https://github.com/elastic/beats/compare/v7.4.0...v7.4.1[View commits] ==== Bugfixes @@ -232,8 +1089,6 @@ https://github.com/elastic/beats/compare/v7.4.0...v7.4.1[View commits] - Recover from panics in the javascript process and log details about the failure to aid in future debugging. {pull}13690[13690] - Make the script processor concurrency-safe. {issue}13690[13690] {pull}13857[13857] -*Auditbeat* - *Filebeat* - Fixed early expiration of templates (Netflow v9 and IPFIX). {pull}13821[13821] @@ -244,62 +1099,10 @@ https://github.com/elastic/beats/compare/v7.4.0...v7.4.1[View commits] - Fix missing netflow fields in index template. {issue}13768[13768] {pull}13914[13914] - Fix cisco module's asa and ftd filesets parsing of domain names where an IP address is expected. {issue}14034[14034] -*Heartbeat* - -*Journalbeat* - *Metricbeat* - Mark Kibana usage stats as collected only if API call succeeds. {pull}13881[13881] -*Packetbeat* - -*Winlogbeat* - -*Functionbeat* - -==== Added - -*Affecting all Beats* - -*Auditbeat* - -*Filebeat* - -*Heartbeat* - -*Journalbeat* - -*Metricbeat* - -*Packetbeat* - -*Functionbeat* - -*Winlogbeat* - -==== Deprecated - -*Affecting all Beats* - -*Filebeat* - -*Heartbeat* - -*Journalbeat* - -*Metricbeat* - -*Packetbeat* - -*Winlogbeat* - -*Functionbeat* - -==== Known Issue - -*Journalbeat* - [[release-notes-7.4.0]] === Beats version 7.4.0 https://github.com/elastic/beats/compare/v7.3.1...v7.4.0[View commits] @@ -841,8 +1644,6 @@ https://github.com/elastic/beats/compare/v7.1.1...v7.2.0[View commits] - Enable `add_observer_metadata` processor in default config. {pull}11394[11394] -*Journalbeat* - *Metricbeat* - Add AWS SQS metricset. {pull}10684[10684] {issue}10053[10053] @@ -859,35 +1660,21 @@ https://github.com/elastic/beats/compare/v7.1.1...v7.2.0[View commits] - Add AWS cloudwatch metricset. {pull}11798[11798] {issue}11734[11734] - Add `regions` in aws module config to specify target regions for querying cloudwatch metrics. {issue}11932[11932] {pull}11956[11956] - Keep `etcd` followers members from reporting `leader` metricset events {pull}12004[12004] -- Add validation for elasticsearch and kibana modules' metricsets when xpack.enabled is set to true. {pull}12386[12386] - -*Packetbeat* +- Add validation for elasticsearch and kibana modules' metricsets when `xpack.enabled` is set to `true`. {pull}12386[12386] *Functionbeat* -- New options to configure roles and VPC. {pull}11779[11779] +- Add new options to configure roles and VPC. {pull}11779[11779] *Winlogbeat* -- Add support for reading from .evtx files. {issue}4450[4450] +- Add support for reading from `.evtx` files. {issue}4450[4450] ==== Deprecated -*Affecting all Beats* - *Filebeat* -- `docker` input is deprecated in favour `container`. {pull}12162[12162] - -*Heartbeat* - -*Journalbeat* - -*Metricbeat* - -*Packetbeat* - -*Winlogbeat* +- Deprecate `docker` input in favor of `container`. {pull}12162[12162] *Functionbeat* @@ -1710,6 +2497,85 @@ https://github.com/elastic/beats/compare/v6.5.0...v7.0.0-alpha1[View commits] - Added support to calculate certificates' fingerprints (MD5, SHA-1, SHA-256). {issue}8180[8180] - Support new TLS version negotiation introduced in TLS 1.3. {issue}8647[8647]. +[[release-notes-6.8.9]] +=== Beats version 6.8.9 +https://github.com/elastic/beats/compare/v6.8.8...v6.8.9[View commits] + +==== Bugfixes + +*Heartbeat* + +- Fix crashes when multiple TCP ports are specified. {pull}17262[17262] + +[[release-notes-6.8.8]] +=== Beats version 6.8.8 +https://github.com/elastic/beats/compare/v6.8.7...v6.8.8[View commits] + +==== Bugfixes + +*Filebeat* + +- Add support for Cisco syslog format used by their switch. {pull}10760[10760] + +[[release-notes-6.8.7]] +=== Beats version 6.8.7 +https://github.com/elastic/beats/compare/v6.8.6...v6.8.7[View commits] + +==== Bugfixes + +*Metricbeat* + +- Fix bug with `elasticsearch/cluster_stats` metricset not recording license expiration date correctly. {issue}14541[14541] {pull}14591[14591] +- Make `kibana` module more resilient to Kibana unavailability. {issue}15258[15258] {pull}15270[15270] + +[[release-notes-6.8.6]] +=== Beats version 6.8.6 +https://github.com/elastic/beats/compare/v6.8.5...v6.8.6[View commits] + +==== Bugfixes + +*Heartbeat* + +- Fix recording of SSL cert metadata for Expired/Unvalidated x509 certs. {pull}13687[13687] + +*Metricbeat* + +- Fix marshaling of ms-since-epoch values in `elasticsearch/cluster_stats` metricset. {pull}14378[14378] +- Fix bug with `elasticsearch/cluster_stats` metricset not recording license ID in the correct field. {pull}14592[14592] + +[[release-notes-6.8.5]] +=== Beats version 6.8.5 +https://github.com/elastic/beats/compare/v6.8.4...v6.8.5[View commits] + +==== Bugfixes + +*Metricbeat* + +- Convert indexed ms-since-epoch timestamp fields in `elasticsearch/ml_job` metricset to ints from float64s. {issue}14220[14220] {pull}14222[14222] + +[[release-notes-6.8.4]] +=== Beats version 6.8.4 +https://github.com/elastic/beats/compare/v6.8.3...v6.8.4[View commits] + +==== Breaking changes + +*Filebeat* + +- Fix delay in enforcing close_renamed and close_removed options. {issue}13488[13488] {pull}13907[13907] + +==== Bugfixes + +*Filebeat* + +- Fix merging of fields specified in global scope with fields specified under an input's scope. {issue}3628[3628] {pull}13909[13909] +- Fix early expiration of templates (Netflow v9 and IPFIX). {pull}13821[13821] +- Fix bad handling of sequence numbers when multiple observation domains were exported by a single device (Netflow V9 and IPFIX). {pull}13821[13821] +- Fix increased memory usage with large files when multiline pattern does not match. {issue}14068[14068] + +*Metricbeat* + +- Mark Kibana usage stats as collected only if API call succeeds. {pull}13881[13881] + [[release-notes-6.8.3]] === Beats version 6.8.3 https://github.com/elastic/beats/compare/v6.8.2...v6.8.3[View commits diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 105e48ee125..67cac68940c 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -18,10 +18,17 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Remove the non-ECS `agent.hostname` field. Use the `agent.name` or `agent.id` fields for an identifier. {issue}16377[16377] {pull}18328[18328] - Make error message about locked data path actionable. {pull}18667[18667] - Ensure dynamic template names are unique for the same field. {pull}18849[18849] +- Remove the deprecated `xpack.monitoring.*` settings. Going forward only `monitoring.*` settings may be used. {issue}9424[9424] {pull}18608[18608] +- Added `certificate` TLS verification mode to ignore server name mismatch. {issue}12283[12283] {pull}20293[20293] +- Autodiscover doesn't generate any configuration when a variable is missing. Previously it generated an incomplete configuration. {pull}20898[20898] +- Remove redundant `cloudfoundry.*.timestamp` fields. This value is set in `@timestamp`. {pull}21175[21175] *Auditbeat* - File integrity dataset (macOS): Replace unnecessary `file.origin.raw` (type keyword) with `file.origin.text` (type `text`). {issue}12423[12423] {pull}15630[15630] +- Change event.kind=error to event.kind=event to comply with ECS. {issue}18870[18870] {pull}20685[20685] +- Change network.direction values to ECS recommended values (inbound, outbound). {issue}12445[12445] {pull}20695[20695] +- Docker container needs to be explicitly run as user root for auditing. {pull}21202[21202] *Filebeat* @@ -56,6 +63,16 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Adds `date_cursor` option to httpjson input. {pull}19483[19483] - Adds Gsuite module with SAML support. {pull}19329[19329] - Adds Gsuite User Accounts support. {pull}19329[19329] +- Adds Gsuite Login audit support. {pull}19702[19702] +- Adds Gsuite Admin support. {pull}19769[19769] +- Adds Gsuite Drive support. {pull}19704[19704] +- Adds Gsuite Groups support. {pull}19725[19725] +- Move file metrics to dataset endpoint {pull}19977[19977] +- Add `while_pattern` type to multiline reader. {pull}19662[19662] +- Tracking session end reason in panw module. {pull}18705[18705] +- Fix PANW field spelling "veredict" to "verdict" on event.action {pull}18808[18808] +- Removed experimental modules `citrix`, `kaspersky`, `rapid7` and `tenable`. {pull}20706[20706] +- Add support for GMT timezone offsets in `decode_cef`. {pull}20993[20993] *Heartbeat* @@ -71,10 +88,12 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add Tomcat overview dashboard {pull}14026[14026] - Move service config under metrics and simplify metric types. {pull}18691[18691] - Fix ECS compliance of user.id field in system/users metricset {pull}19019[19019] +- Rename googlecloud stackdriver metricset to metrics. {pull}19718[19718] *Packetbeat* - Redis: fix incorrectly handle with two-words redis command. {issue}14872[14872] {pull}14873[14873] +- `event.category` no longer contains the value `network_traffic` because this is not a valid ECS event category value. {pull}20556[20556] *Winlogbeat* @@ -86,6 +105,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add Powershell module. Support for event ID's: `400`, `403`, `600`, `800`, `4103`, `4014`, `4105`, `4106`. {issue}16262[16262] {pull}18526[18526] - Fix Powershell processing of downgraded engine events. {pull}18966[18966] - Fix unprefixed fields in `fields.yml` for Powershell module {issue}18984[18984] +- Remove top level `hash` property from sysmon events {pull}20653[20653] *Functionbeat* @@ -141,6 +161,19 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix config reload metrics (`libbeat.config.module.start/stops/running`). {pull}19168[19168] - Fix metrics hints builder to avoid wrong container metadata usage when port is not exposed {pull}18979[18979] - Server-side TLS config now validates certificate and key are both specified {pull}19584[19584] +- Fix terminating pod autodiscover issue. {pull}20084[20084] +- Fix seccomp policy for calls to `chmod` and `chown`. {pull}20054[20054] +- Remove unnecessary restarts of metricsets while using Node autodiscover {pull}19974[19974] +- Output errors when Kibana index pattern setup fails. {pull}20121[20121] +- Fix issue in autodiscover that kept inputs stopped after config updates. {pull}20305[20305] +- Log debug message if the Kibana dashboard can not be imported from the archive because of the invalid archive directory structure {issue}12211[12211], {pull}13387[13387] +- Add service resource in k8s cluster role. {pull}20546[20546] +- [Metricbeat][Kubernetes] Change cluster_ip field from ip to keyword. {pull}20571[20571] +- Rename cloud.provider `az` value to `azure` inside the add_cloud_metadata processor. {pull}20689[20689] +- Add missing country_name geo field in `add_host_metadata` and `add_observer_metadata` processors. {issue}20796[20796] {pull}20811[20811] +- [Autodiscover] Handle input-not-finished errors in config reload. {pull}20915[20915] +- Explicitly detect missing variables in autodiscover configuration, log them at the debug level. {issue}20568[20568] {pull}20898[20898] +- Fix `libbeat.output.write.bytes` and `libbeat.output.read.bytes` metrics of the Elasticsearch output. {issue}20752[20752] {pull}21197[21197] *Auditbeat* @@ -152,9 +185,14 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - system/socket: Fixed tracking of long-running connections. {pull}19033[19033] - system/package: Fix librpm loading on Fedora 31/32. {pull}NNNN[NNNN] - file_integrity: Create fsnotify watcher only when starting file_integrity module {pull}19505[19505] +- auditd: Fix spelling of anomaly in `event.category`. +- auditd: Fix typo in `event.action` of `removed-user-role-from`. {pull}19300[19300] +- auditd: Fix typo in `event.action` of `used-suspicious-link`. {pull}19300[19300] +- system/socket: Fix kprobe grouping to allow running more than one instance. {pull}20325[20325] *Filebeat* +- Fix mapping of fortinet.firewall.mem as integer. {pull}19335[19335] - Ensure all zeek timestamps include millisecond precision. {issue}14599[14599] {pull}16766[16766] - Fix s3 input hanging with GetObjectRequest API call by adding context_timeout config. {issue}15502[15502] {pull}15590[15590] - Add shared_credential_file to cloudtrail config {issue}15652[15652] {pull}15656[15656] @@ -204,11 +242,42 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix memory leak in tcp and unix input sources. {pull}19459[19459] - Add missing `default_field: false` to aws filesets fields.yml. {pull}19568[19568] - Fix tls mapping in suricata module {issue}19492[19492] {pull}19494[19494] +- Update container name for the azure filesets. {pull}19899[19899] +- Fix bug with empty filter values in system/service {pull}19812[19812] +- Fix S3 input to trim delimiter /n from each log line. {pull}19972[19972] +- Ignore missing in Zeek module when dropping unecessary fields. {pull}19984[19984] +- Fix auditd module syscall table for ppc64 and ppc64le. {pull}20052[20052] +- Fix Filebeat OOMs on very long lines {issue}19500[19500], {pull}19552[19552] +- Fix s3 input parsing json file without expand_event_list_from_field. {issue}19902[19902] {pull}19962[19962] {pull}20370[20370] +- Fix millisecond timestamp normalization issues in CrowdStrike module {issue}20035[20035], {pull}20138[20138] +- Fix support for message code 106100 in Cisco ASA and FTD. {issue}19350[19350] {pull}20245[20245] +- Fix event.outcome logic for azure/siginlogs fileset {pull}20254[20254] +- Fix `fortinet` setting `event.timezone` to the system one when no `tz` field present {pull}20273[20273] +- Fix `okta` geoip lookup in pipeline for `destination.ip` {pull}20454[20454] +- Fix mapping exception in the `googlecloud/audit` dataset pipeline. {issue}18465[18465] {pull}20465[20465] +- Fix `cisco` asa and ftd parsing of messages 106102 and 106103. {pull}20469[20469] +- Improve validation checks for Azure configuration {issue}20369[20369] {pull}20389[20389] +- Fix event.kind for system/syslog pipeline {issue}20365[20365] {pull}20390[20390] +- Clone value when copy fields in processors to avoid crash. {issue}19206[19206] {pull}20500[20500] +- Fix event.type for zeek/ssl and duplicate event.category for zeek/connection {pull}20696[20696] +- Fix long registry migration times. {pull}20717[20717] {issue}20705[20705] +- Fix event types and categories in auditd module to comply with ECS {pull}20652[20652] +- Update documentation in the azure module filebeat. {pull}20815[20815] +- Provide backwards compatibility for the `set` processor when Elasticsearch is less than 7.9.0. {pull}20908[20908] +- Remove wrongly mapped `tls.client.server_name` from `fortinet/firewall` fileset. {pull}20983[20983] +- Fix an error updating file size being logged when EOF is reached. {pull}21048[21048] +- Fix error when processing AWS Cloudtrail Digest logs. {pull}21086[21086] {issue}20943[20943] +- Provide backwards compatibility for the `append` processor when Elasticsearch is less than 7.10.0. {pull}21159[21159] *Heartbeat* - Fixed excessive memory usage introduced in 7.5 due to over-allocating memory for HTTP checks. {pull}15639[15639] - Fixed TCP TLS checks to properly validate hostnames, this broke in 7.x and only worked for IP SANs. {pull}17549[17549] +- Add support for new `service_name` option to all monitors. {pull}19932[19932]. +- Stop rescheduling tasks of stopped monitors. {pull}20570[20570] + +*Heartbeat* + *Journalbeat* @@ -252,7 +321,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix "ID" event generator of Google Cloud module {issue}17160[17160] {pull}17608[17608] - Add privileged option for Auditbeat in Openshift {pull}17637[17637] - Fix storage metricset to allow config without region/zone. {issue}17623[17623] {pull}17624[17624] -- Add a switch to the driver definition on SQL module to use pretty names. {pull}17378[17378] - Fix overflow on Prometheus rates when new buckets are added on the go. {pull}17753[17753] - Remove specific win32 api errors from events in perfmon. {issue}18292[18292] {pull}18361[18361] - Fix application_pool metricset after pdh changes. {pull}18477[18477] @@ -265,6 +333,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix incorrect usage of hints builder when exposed port is a substring of the hint {pull}19052[19052] - Remove dedot for tag values in aws module. {issue}19112[19112] {pull}19221[19221] - Stop counterCache only when already started {pull}19103[19103] +- Fix empty field name errors in the application pool metricset. {pull}19537[19537] - Set tags correctly if the dimension value is ARN {issue}19111[19111] {pull}19433[19433] - Fix bug incorrect parsing of float numbers as integers in Couchbase module {issue}18949[18949] {pull}19055[19055] - Fix mapping of service start type in the service metricset, windows module. {pull}19551[19551] @@ -272,10 +341,23 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add missing info about the rest of the azure metricsets in the documentation. {pull}19601[19601] - Fix k8s scheduler compatibility issue. {pull}19699[19699] - Fix SQL module mapping NULL values as string {pull}18955[18955] {issue}18898[18898 +- Fix ec2 disk and network metrics to use Sum statistic method. {pull}20680[20680] +- Fill cloud.account.name with accountID if account alias doesn't exist. {pull}20736[20736] +- The Kibana collector applies backoff when errored at getting usage stats {pull}20772[20772] +- Update fields.yml in the azure module, missing metrics field. {pull}20918[20918] +- The `elasticsearch/index` metricset only requests wildcard expansion for hidden indices if the monitored Elasticsearch cluster supports it. {pull}20938[20938] +- Disable Kafka metricsets based on Jolokia by default. They require a different configuration. {pull}20989[20989] +- Fix panic index out of range error when getting AWS account name. {pull}21101[21101] {issue}21095[21095] +- Handle missing counters in the application_pool metricset. {pull}21071[21071] +- Fix timestamp handling in remote_write. {pull}21166[21166] +- Fix remote_write flaky test. {pull}21173[21173] +- Visualization title fixes in aws, azure and googlecloud compute dashboards. {pull}21098[21098] *Packetbeat* - Enable setting promiscuous mode automatically. {pull}11366[11366] +- Fix process monitoring when ipv6 is disabled under Linux. {issue}19941[19941] {pull}19945[19945] +- Add "network" to event.category {issue}20364[20364] {pull}20392[20392] *Winlogbeat* @@ -285,6 +367,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Functionbeat* - Fix timeout option of GCP functions. {issue}16282[16282] {pull}16287[16287] +- Do not need Google credentials if not required for the operation. {issue}17329[17329] {pull}21072[21072] +- Fix dependency issues of GCP functions. {issue}20830[20830] {pull}21070[21070] +- Fix catchall bucket config errors by adding more validation. {issue}17572[16282] {pull}20887[16287] ==== Added @@ -331,6 +416,28 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add the `overwrite_keys` configuration option to the dissect processor. {pull}19464[19464] - Add support to trim captured values in the dissect processor. {pull}19464[19464] - Added the `max_cached_sessions` option to the script processor. {pull}19562[19562] +- Add support for DNS over TLS for the dns_processor. {pull}19321[19321] +- Add minimum cache TTL for successful DNS responses. {pull}18986[18986] +- Set index.max_docvalue_fields_search in index template to increase value to 200 fields. {issue}20215[20215] +- Add leader election for Kubernetes autodiscover. {pull}20281[20281] +- Add capability of enriching process metadata with contianer id also for non-privileged containers in `add_process_metadata` processor. {pull}19767[19767] +- Add replace_fields config option in add_host_metadata for replacing host fields. {pull}20490[20490] {issue}20464[20464] +- Add container ECS fields in kubernetes metadata. {pull}20984[20984] +- Add ingress controller dashboards. {pull}21052[21052] +- Added experimental `citrix` module. {pull}20820[20820] +- Added experimental `cyberark` module. {pull}20820[20820] +- Added experimental `proofpoint` module. {pull}20820[20820] +- Added experimental `snort` module. {pull}20820[20820] +- Added experimental `symantec` module. {pull}20820[20820] +- Added experimental dataset `barracuda/spamfirewall`. {pull}20820[20820] +- Added experimental dataset `cisco/meraki`. {pull}20820[20820] +- Added experimental dataset `f5/bigipafm`. {pull}20820[20820] +- Added experimental dataset `fortinet/fortimail`. {pull}20820[20820] +- Added experimental dataset `fortinet/fortimanager`. {pull}20820[20820] +- Added experimental dataset `juniper/netscreen`. {pull}20820[20820] +- Added experimental dataset `sophos/utm`. {pull}20820[20820] +- Add Cloud Foundry tags in related events. {pull}21177[21177] +- Add option to select the type of index template to load: legacy, component, index. {pull}21212[21212] *Auditbeat* @@ -348,6 +455,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add file integrity module ECS categorization fields. {pull}18012[18012] - Add `file.mime_type`, `file.extension`, and `file.drive_letter` for file integrity module. {pull}18012[18012] - Add ECS categorization info for auditd module {pull}18596[18596] +- Add enrichment of auditd seccomp events with name of the architecture, syscall, and signal. {issue}14055[14055] {pull}19300[19300] *Filebeat* @@ -422,7 +530,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve ECS categorization field mappings in system module. {issue}16031[16031] {pull}18065[18065] - Change the `json.*` input settings implementation to merge parsed json objects with existing objects in the event instead of fully replacing them. {pull}17958[17958] - Improve ECS categorization field mappings in osquery module. {issue}16176[16176] {pull}17881[17881] -- Added http_endpoint input{pull}18298[18298] +- Add http_endpoint input. {pull}18298[18298] - Add support for array parsing in azure-eventhub input. {pull}18585[18585] - Added `observer.vendor`, `observer.product`, and `observer.type` to PANW module events. {pull}18223[18223] - The `logstash` module can now automatically detect the log file format (JSON or plaintext) and process it accordingly. {issue}9964[9964] {pull}18095[18095] @@ -442,6 +550,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve ECS categorization field mappings in traefik module. {issue}16183[16183] {pull}19379[19379] - Improve ECS categorization field mappings in azure module. {issue}16155[16155] {pull}19376[19376] - Add text & flattened versions of fields with unknown subfields in aws cloudtrail fileset. {issue}18866[18866] {pull}19121[19121] +- Added Microsoft Defender ATP Module. {issue}17997[17997] {pull}19197[19197] - Add experimental dataset tomcat/log for Apache TomCat logs {pull}19713[19713] - Add experimental dataset netscout/sightline for Netscout Arbor Sightline logs {pull}19713[19713] - Add experimental dataset barracuda/waf for Barracuda Web Application Firewall logs {pull}19713[19713] @@ -450,7 +559,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add experimental dataset cisco/nexus for Cisco Nexus logs {pull}19713[19713] - Add experimental dataset citrix/virtualapps for Citrix Virtual Apps logs {pull}19713[19713] - Add experimental dataset cylance/protect for Cylance Protect logs {pull}19713[19713] -- Add experimental dataset f5/firepass for F5 FirePass SSL VPN logs {pull}19713[19713] - Add experimental dataset fortinet/clientendpoint for Fortinet FortiClient Endpoint Protection logs {pull}19713[19713] - Add experimental dataset imperva/securesphere for Imperva Secure Sphere logs {pull}19713[19713] - Add experimental dataset infoblox/nios for Infoblox Network Identity Operating System logs {pull}19713[19713] @@ -463,17 +571,39 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add experimental dataset sonicwall/firewall for Sonicwall Firewalls logs {pull}19713[19713] - Add experimental dataset squid/log for Squid Proxy Server logs {pull}19713[19713] - Add experimental dataset zscaler/zia for Zscaler Internet Access logs {pull}19713[19713] +- Add initial support for configurable file identity tracking. {pull}18748[18748] +- Add support for reading auditd logs that are prefixed with `node=`. {pull}19659[19659] +- Add event.ingested for CrowdStrike module {pull}20138[20138] +- Add support for additional fields and FirewallMatchEvent type events in CrowdStrike module {pull}20138[20138] +- Add event.ingested for Suricata module {pull}20220[20220] +- Add support for custom header and headersecret for filebeat http_endpoint input {pull}20435[20435] +- Add event.ingested to all Filebeat modules. {pull}20386[20386] +- Return error when log harvester tries to open a named pipe. {issue}18682[18682] {pull}20450[20450] +- Avoid goroutine leaks in Filebeat readers. {issue}19193[19193] {pull}20455[20455] +- Convert httpjson to v2 input {pull}20226[20226] +- Improve Zeek x509 module with `x509` ECS mappings {pull}20867[20867] +- Improve Zeek SSL module with `x509` ECS mappings {pull}20927[20927] +- Added new properties field support for event.outcome in azure module {pull}20998[20998] +- Improve Zeek Kerberos module with `x509` ECS mappings {pull}20958[20958] +- Improve Fortinet firewall module with `x509` ECS mappings {pull}20983[20983] +- Improve Santa module with `x509` ECS mappings {pull}20976[20976] +- Improve Suricata Eve module with `x509` ECS mappings {pull}20973[20973] +- Added new module for Zoom webhooks {pull}20414[20414] +- Add type and sub_type to panw panos fileset {pull}20912[20912] +- Always attempt community_id processor on zeek module {pull}21155[21155] +- Add related.hosts ecs field to all modules {pull}21160[21160] *Heartbeat* - Allow a list of status codes for HTTP checks. {pull}15587[15587] - Add additional ECS compatible fields for TLS information. {pull}17687[17687] - Record HTTP response headers. {pull}18327[18327] +- Add index and pipeline settings to monitor configurations. {pull}20610[20610] *Journalbeat* - Added an `id` config option to inputs to allow running multiple inputs on the - same journal. {pull}18467{18467} + same journal. {pull}18467[18467] - Add basic ECS categorization and `log.syslog` fields. {pull}19176[19176] *Metricbeat* @@ -539,6 +669,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add final tests and move label to GA for the azure module in metricbeat. {pull}17319[17319] - Refactor windows/perfmon metricset configuration options and event output. {pull}17596[17596] - Reference kubernetes manifests mount data directory from the host when running metricbeat as daemonset, so data persist between executions in the same node. {pull}17429[17429] +- Add `state_statefulset` metricset to Metricbeat recommended configuration for k8s. {pull}17627[17627] - Add more detailed error messages, system tests and small refactoring to the service metricset in windows. {pull}17725[17725] - Stack Monitoring modules now auto-configure required metricsets when `xpack.enabled: true` is set. {issue}16471[[16471] {pull}17609[17609] - Add Metricbeat IIS module dashboards. {pull}17966[17966] @@ -567,6 +698,25 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added `performance` and `query` metricsets to `mysql` module. {pull}18955[18955] - The `elasticsearch-xpack/index` metricset now reports hidden indices as such. {issue}18639[18639] {pull}18706[18706] - Adds support for app insights metrics in the azure module. {issue}18570[18570] {pull}18940[18940] +- Infer types in Prometheus remote_write. {pull}19944[19944] +- Added cache and connection_errors metrics to status metricset of MySQL module {issue}16955[16955] {pull}19844[19844] +- Update MySQL dashboard with connection errors and cache metrics {pull}19913[19913] {issue}16955[16955] +- Add cloud.instance.name into aws ec2 metricset. {pull}20077[20077] +- Add host inventory metrics into aws ec2 metricset. {pull}20171[20171] +- Add `scope` setting for elasticsearch module, allowing it to monitor an Elasticsearch cluster behind a load-balancing proxy. {issue}18539[18539] {pull}18547[18547] +- Add state_daemonset metricset for Kubernetes Metricbeat module {pull}20649[20649] +- Add host inventory metrics to azure compute_vm metricset. {pull}20641[20641] +- Add host inventory metrics to googlecloud compute metricset. {pull}20391[20391] +- Add host inventory metrics to system module. {pull}20415[20415] +- Add billing data collection from Cost Explorer into aws billing metricset. {pull}20527[20527] {issue}20103[20103] +- Migrate `compute_vm` metricset to a light one, map `cloud.instance.id` field. {pull}20889[20889] +- Request prometheus endpoints to be gzipped by default {pull}20766[20766] +- Release all kubernetes `state` metricsets as GA {pull}20901[20901] +- Add billing metricset into googlecloud module. {pull}20812[20812] {issue}20738[20738] +- Move `compute_vm_scaleset` to light metricset. {pull}21038[21038] {issue}20985[20985] +- Sanitize `event.host`. {pull}21022[21022] +- Add overview and platform health dashboards to Cloud Foundry module. {pull}21124[21124] +- Release lambda metricset in aws module as GA. {issue}21251[21251] {pull}21255[21255] *Packetbeat* @@ -574,9 +724,12 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d `host` metadata fields when processing network data from network tap or mirror port. {pull}19209[19209] - Add ECS fields for x509 certs, event categorization, and related IP info. {pull}19167[19167] +- Add 100-continue support {issue}15830[15830] {pull}19349[19349] + *Functionbeat* - Add basic ECS categorization and `cloud` fields. {pull}19174[19174] +- Add support for parallelization factor for kinesis. {pull}20727[20727] *Winlogbeat* @@ -586,9 +739,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add support for event IDs 4673,4674,4697,4698,4699,4700,4701,4702,4768,4769,4770,4771,4776,4778,4779,4964 to the Security module {pull}17517[17517] - Add registry and code signature information and ECS categorization fields for sysmon module {pull}18058[18058] - Add new winlogbeat security dashboard {pull}18775[18775] +- Add `event.outcome` to events based on the audit success and audit failure keywords. {pull}20564[20564] *Elastic Log Driver* - Add support for `docker logs` command {pull}19531[19531] +- Add support to change beat name, and support for Kibana Logs. {pull}20522[20522] ==== Deprecated @@ -602,6 +757,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Journalbeat* *Metricbeat* + - Deprecate tags config parameter in cloudwatch metricset. {pull}16733[16733] - Deprecate tags.resource_type_filter config parameter and replace with resource_type. {pull}19688[19688] diff --git a/Jenkinsfile b/Jenkinsfile index e0f12058de4..e7f91ef95e5 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -3,41 +3,27 @@ @Library('apm@current') _ import groovy.transform.Field - - -/** - NOTE: Important note regarding the agents and labels. - agent labels are defined in the gobld service, that's managed by infra. The required format - is: - - ' && immutable' for linux OS. - - 'macosx' for the MacOS. - - 'windows-immutable && windows-' for Windows. NOTE: version might differ in some cases - - The above labels will help to set what OS family and specific version of the agent is - required to used in the stage. -*/ - /** This is required to store the stashed id with the test results to be digested with runbld */ @Field def stashedTestReports = [:] pipeline { - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } environment { + AWS_ACCOUNT_SECRET = 'secret/observability-team/ci/elastic-observability-aws-account-auth' BASE_DIR = 'src/github.com/elastic/beats' - GOX_FLAGS = "-arch amd64" - DOCKER_COMPOSE_VERSION = "1.21.0" - TERRAFORM_VERSION = "0.12.24" - PIPELINE_LOG_LEVEL = "INFO" DOCKERELASTIC_SECRET = 'secret/observability-team/ci/docker-registry/prod' + DOCKER_COMPOSE_VERSION = "1.21.0" DOCKER_REGISTRY = 'docker.elastic.co' - AWS_ACCOUNT_SECRET = 'secret/observability-team/ci/elastic-observability-aws-account-auth' - RUNBLD_DISABLE_NOTIFICATIONS = 'true' + GOX_FLAGS = "-arch amd64" JOB_GCS_BUCKET = 'beats-ci-temp' JOB_GCS_CREDENTIALS = 'beats-ci-gcs-plugin' - XPACK_MODULE_PATTERN = '^x-pack\\/[a-z0-9]+beat\\/module\\/([^\\/]+)\\/.*' OSS_MODULE_PATTERN = '^[a-z0-9]+beat\\/module\\/([^\\/]+)\\/.*' + PIPELINE_LOG_LEVEL = 'INFO' + RUNBLD_DISABLE_NOTIFICATIONS = 'true' + TERRAFORM_VERSION = "0.12.24" + XPACK_MODULE_PATTERN = '^x-pack\\/[a-z0-9]+beat\\/module\\/([^\\/]+)\\/.*' } options { timeout(time: 2, unit: 'HOURS') @@ -50,24 +36,16 @@ pipeline { rateLimitBuilds(throttle: [count: 60, durationName: 'hour', userBoost: true]) } triggers { - issueCommentTrigger('(?i).*(?:jenkins\\W+)?run\\W+(?:the\\W+)?tests(?:\\W+please)?.*') + issueCommentTrigger('(?i)(.*(?:jenkins\\W+)?run\\W+(?:the\\W+)?tests(?:\\W+please)?.*|^/test\\W+.*$)') } parameters { - booleanParam(name: 'runAllStages', defaultValue: false, description: 'Allow to run all stages.') - booleanParam(name: 'windowsTest', defaultValue: true, description: 'Allow Windows stages.') - booleanParam(name: 'macosTest', defaultValue: true, description: 'Allow macOS stages.') - booleanParam(name: 'allCloudTests', defaultValue: false, description: 'Run all cloud integration tests.') - booleanParam(name: 'awsCloudTests', defaultValue: false, description: 'Run AWS cloud integration tests.') + booleanParam(name: 'awsCloudTests', defaultValue: true, description: 'Run AWS cloud integration tests.') string(name: 'awsRegion', defaultValue: 'eu-central-1', description: 'Default AWS region to use for testing.') - - booleanParam(name: 'debug', defaultValue: false, description: 'Allow debug logging for Jenkins steps') - booleanParam(name: 'dry_run', defaultValue: false, description: 'Skip build steps, it is for testing pipeline flow') + booleanParam(name: 'runAllStages', defaultValue: false, description: 'Allow to run all stages.') + booleanParam(name: 'macosTest', defaultValue: false, description: 'Allow macOS stages.') } stages { - /** - Checkout the code and stash it, to use it on other stages. - */ stage('Checkout') { options { skipDefaultCheckout() } steps { @@ -76,705 +54,65 @@ pipeline { gitCheckout(basedir: "${BASE_DIR}", githubNotifyFirstTimeContributor: true) stashV2(name: 'source', bucket: "${JOB_GCS_BUCKET}", credentialsId: "${JOB_GCS_CREDENTIALS}") dir("${BASE_DIR}"){ - loadConfigEnvVars() - } - whenTrue(params.debug){ - dumpFilteredEnvironment() + // Skip all the stages except docs for PR's with asciidoc and md changes only + setEnvVar('ONLY_DOCS', isGitRegionMatch(patterns: [ '.*\\.(asciidoc|md)' ], shouldMatchAll: true).toString()) + setEnvVar('GO_VERSION', readFile(".go-version").trim()) + withEnv(["HOME=${env.WORKSPACE}"]) { + retryWithSleep(retries: 2, seconds: 5){ sh(label: "Install Go ${env.GO_VERSION}", script: '.ci/scripts/install-go.sh') } + } } } } stage('Lint'){ options { skipDefaultCheckout() } + environment { + GOFLAGS = '-mod=readonly' + } steps { - makeTarget(context: "Lint", target: "check") + withGithubNotify(context: 'Lint') { + withBeatsEnv(archive: true) { + dumpVariables() + cmd(label: 'make check', script: 'make check') + } + } } } - stage('Build and Test'){ + stage('Build&Test') { + options { skipDefaultCheckout() } when { - beforeAgent true - expression { return env.ONLY_DOCS == "false" } - } - failFast false - parallel { - stage('Elastic Agent x-pack'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_ELASTIC_AGENT_XPACK != "false" - } - } - steps { - mageTarget(context: "Elastic Agent x-pack Linux", directory: "x-pack/elastic-agent", target: "build test") - } - } - - stage('Elastic Agent x-pack Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_ELASTIC_AGENT_XPACK != "false" && params.windowsTest - } - } - steps { - mageTargetWin(context: "Elastic Agent x-pack Windows Unit test", directory: "x-pack/elastic-agent", target: "build unitTest") - } - } - - stage('Elastic Agent Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_ELASTIC_AGENT_XPACK != "false" && params.macosTest - } - } - steps { - mageTarget(context: "Elastic Agent x-pack Mac OS X", directory: "x-pack/elastic-agent", target: "build unitTest") - } - post { - always { - delete() - } - } - } - - stage('Filebeat oss'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_FILEBEAT != "false" - } - } - steps { - makeTarget(context: "Filebeat oss Linux", target: "-C filebeat testsuite", withModule: true) - } - } - stage('Filebeat x-pack'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_FILEBEAT_XPACK != "false" - } - } - steps { - mageTarget(context: "Filebeat x-pack Linux", directory: "x-pack/filebeat", target: "update build test", withModule: true) - } - } - stage('Filebeat Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_FILEBEAT != "false" && params.macosTest - } - } - steps { - mageTarget(context: "Filebeat oss Mac OS X", directory: "filebeat", target: "build unitTest") - } - post { - always { - delete() - } - } - } - stage('Filebeat x-pack Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_FILEBEAT_XPACK != "false" && params.macosTest - } - } - steps { - mageTarget(context: "Filebeat x-pack Mac OS X", directory: "x-pack/filebeat", target: "build unitTest") - } - post { - always { - delete() - } - } - } - stage('Filebeat Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_FILEBEAT != "false" && params.windowsTest - } - } - steps { - mageTargetWin(context: "Filebeat oss Windows Unit test", directory: "filebeat", target: "build unitTest") - } - } - stage('Filebeat x-pack Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_FILEBEAT_XPACK != "false" && params.windowsTest - } - } - steps { - mageTargetWin(context: "Filebeat x-pack Windows", directory: "x-pack/filebeat", target: "build unitTest") - } - } - stage('Heartbeat'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_HEARTBEAT != "false" - } - } - stages { - stage('Heartbeat oss'){ - steps { - makeTarget(context: "Heartbeat oss Linux", target: "-C heartbeat testsuite") - } - } - stage('Heartbeat Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.macosTest - } - } - steps { - mageTarget(context: "Heartbeat oss Mac OS X", directory: "heartbeat", target: "build unitTest") - } - post { - always { - delete() - } - } - } - stage('Heartbeat Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.windowsTest - } - } - steps { - mageTargetWin(context: "Heartbeat oss Windows Unit test", directory: "heartbeat", target: "build unitTest") - } - } - } - } - stage('Auditbeat oss Linux'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_AUDITBEAT != "false" - } - } - steps { - makeTarget(context: "Auditbeat oss Linux", target: "-C auditbeat testsuite", withModule: true) - } - } - stage('Auditbeat crosscompile'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_AUDITBEAT != "false" - } - } - steps { - makeTarget(context: "Auditbeat oss crosscompile", target: "-C auditbeat crosscompile") - } - } - stage('Auditbeat oss Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_AUDITBEAT != "false" && params.macosTest - } - } - steps { - mageTarget(context: "Auditbeat oss Mac OS X", directory: "auditbeat", target: "build unitTest") - } - post { - always { - delete() - } - } - } - stage('Auditbeat oss Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_AUDITBEAT != "false" && params.windowsTest - } - } - steps { - mageTargetWin(context: "Auditbeat oss Windows Unit test", directory: "auditbeat", target: "build unitTest") - } - } - stage('Auditbeat x-pack'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_AUDITBEAT_XPACK != "false" - } - } - steps { - mageTarget(context: "Auditbeat x-pack Linux", directory: "x-pack/auditbeat", target: "update build test", withModule: true) + // Always when running builds on branches/tags + // On a PR basis, skip if changes are only related to docs. + // Always when forcing the input parameter + anyOf { + not { changeRequest() } // If no PR + allOf { // If PR and no docs changes + expression { return env.ONLY_DOCS == "false" } + changeRequest() } + expression { return params.runAllStages } // If UI forced } - stage('Auditbeat x-pack Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_AUDITBEAT_XPACK != "false" && params.macosTest - } - } - steps { - mageTarget(context: "Auditbeat x-pack Mac OS X", directory: "x-pack/auditbeat", target: "build unitTest") - } - } - stage('Auditbeat x-pack Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_AUDITBEAT_XPACK != "false" && params.windowsTest - } - } - steps { - mageTargetWin(context: "Auditbeat x-pack Windows", directory: "x-pack/auditbeat", target: "build unitTest") - } - } - stage('Libbeat'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_LIBBEAT != "false" - } - } - stages { - stage('Libbeat oss'){ - steps { - makeTarget(context: "Libbeat oss Linux", target: "-C libbeat testsuite") - } - } - stage('Libbeat crosscompile'){ - steps { - makeTarget(context: "Libbeat oss crosscompile", target: "-C libbeat crosscompile") - } - } - stage('Libbeat stress-tests'){ - steps { - makeTarget(context: "Libbeat stress-tests", target: "STRESS_TEST_OPTIONS='-timeout=20m -race -v -parallel 1' -C libbeat stress-tests") - } - } - } - } - stage('Libbeat x-pack'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_LIBBEAT_XPACK != "false" - } - } - steps { - makeTarget(context: "Libbeat x-pack Linux", target: "-C x-pack/libbeat testsuite") - } - } - stage('Metricbeat OSS Unit tests'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT != "false" - } - } - steps { - mageTarget(context: "Metricbeat OSS linux/amd64 (unitTest)", directory: "metricbeat", target: "build unitTest") - } - } - stage('Metricbeat OSS Integration tests'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT != "false" - } - } - steps { - mageTarget(context: "Metricbeat OSS linux/amd64 (goIntegTest)", directory: "metricbeat", target: "goIntegTest", withModule: true) - } - } - stage('Metricbeat Python integration tests'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT != "false" - } - } - steps { - mageTarget(context: "Metricbeat OSS linux/amd64 (pythonIntegTest)", directory: "metricbeat", target: "pythonIntegTest", withModule: true) - } - } - stage('Metricbeat x-pack'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT_XPACK != "false" - } - } - stages { - stage('Prepare cloud integration tests environments'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - steps { - startCloudTestEnv('x-pack-metricbeat', [ - [cond: params.awsCloudTests, dir: 'x-pack/metricbeat/module/aws'], - ]) - } - } - stage('Metricbeat x-pack'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - steps { - withCloudTestEnv() { - mageTarget(context: "Metricbeat x-pack Linux", directory: "x-pack/metricbeat", target: "build test", withModule: true) - } - } - } - } - post { - cleanup { - terraformCleanup('x-pack-metricbeat', 'x-pack/metricbeat') - } - } - } - stage('Metricbeat crosscompile'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT != "false" - } - } - steps { - makeTarget(context: "Metricbeat OSS crosscompile", target: "-C metricbeat crosscompile") - } - } - stage('Metricbeat Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT != "false" && params.macosTest - } - } - steps { - mageTarget(context: "Metricbeat OSS Mac OS X", directory: "metricbeat", target: "build unitTest") - } - } - stage('Metricbeat x-pack Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT_XPACK != "false" && params.macosTest - } - } - steps { - mageTarget(context: "Metricbeat x-pack Mac OS X", directory: "x-pack/metricbeat", target: "build unitTest") - } - post { - always { - delete() - } - } - } - stage('Metricbeat Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT != "false" && params.windowsTest - } - } - steps { - mageTargetWin(context: "Metricbeat Windows Unit test", directory: "metricbeat", target: "build unitTest") - } - } - stage('Metricbeat x-pack Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_METRICBEAT_XPACK != "false" && params.windowsTest - } - } - steps { - mageTargetWin(context: "Metricbeat x-pack Windows", directory: "x-pack/metricbeat", target: "build unitTest") - } - } - stage('Packetbeat'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_PACKETBEAT != "false" - } - } - stages { - stage('Packetbeat oss'){ - steps { - makeTarget(context: "Packetbeat oss Linux", target: "-C packetbeat testsuite") - } - } - } - } - stage('dockerlogbeat'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_DOCKERLOGBEAT_XPACK != "false" - } - } - stages { - stage('Dockerlogbeat'){ - steps { - mageTarget(context: "Elastic Docker Logging Driver Plugin unit tests", directory: "x-pack/dockerlogbeat", target: "update build test") - } - } - } - } - stage('Winlogbeat'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_WINLOGBEAT != "false" - } - } - stages { - stage('Winlogbeat oss'){ - steps { - makeTarget(context: "Winlogbeat oss crosscompile", target: "-C winlogbeat crosscompile") - } - } - stage('Winlogbeat Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.windowsTest - } - } - steps { - mageTargetWin(context: "Winlogbeat Windows Unit test", directory: "winlogbeat", target: "build unitTest") - } - } - } - } - stage('Winlogbeat Windows x-pack'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.windowsTest && env.BUILD_WINLOGBEAT_XPACK != "false" - } - } - steps { - mageTargetWin(context: "Winlogbeat Windows Unit test", directory: "x-pack/winlogbeat", target: "build unitTest", withModule: true) - } - } - stage('Functionbeat'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_FUNCTIONBEAT_XPACK != "false" - } - } - stages { - stage('Functionbeat x-pack'){ - steps { - mageTarget(context: "Functionbeat x-pack Linux", directory: "x-pack/functionbeat", target: "update build test") - withEnv(["GO_VERSION=1.13.1"]){ - makeTarget(context: "Functionbeat x-pack Linux", target: "-C x-pack/functionbeat test-gcp-functions") - } - } - } - stage('Functionbeat Mac OS X x-pack'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.macosTest - } - } - steps { - mageTarget(context: "Functionbeat x-pack Mac OS X", directory: "x-pack/functionbeat", target: "build unitTest") - } - post { - always { - delete() - } - } - } - stage('Functionbeat Windows'){ - agent { label 'windows-immutable && windows-2019' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.windowsTest - } - } - steps { - mageTargetWin(context: "Functionbeat Windows Unit test", directory: "x-pack/functionbeat", target: "build unitTest") - } - } - } - } - stage('Journalbeat'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_JOURNALBEAT != "false" - } - } - stages { - stage('Journalbeat oss'){ - steps { - makeTarget(context: "Journalbeat Linux", target: "-C journalbeat testsuite") - } - } - } - } - stage('Generators'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_GENERATOR != "false" - } - } - stages { - stage('Generators Metricbeat Linux'){ - steps { - makeTarget(context: "Generators Metricbeat Linux", target: "-C generator/_templates/metricbeat test") - makeTarget(context: "Generators Metricbeat Linux", target: "-C generator/_templates/metricbeat test-package") - } - } - stage('Generators Beat Linux'){ - steps { - makeTarget(context: "Generators Beat Linux", target: "-C generator/_templates/beat test") - makeTarget(context: "Generators Beat Linux", target: "-C generator/_templates/beat test-package") - } - } - stage('Generators Metricbeat Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.macosTest - } - } - steps { - makeTarget(context: "Generators Metricbeat Mac OS X", target: "-C generator/_templates/metricbeat test") - } - post { - always { - delete() - } - } - } - stage('Generators Beat Mac OS X'){ - agent { label 'macosx' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return params.macosTest - } - } - steps { - makeTarget(context: "Generators Beat Mac OS X", target: "-C generator/_templates/beat test") - } - post { - always { - delete() - } + } + steps { + deleteDir() + unstashV2(name: 'source', bucket: "${JOB_GCS_BUCKET}", credentialsId: "${JOB_GCS_CREDENTIALS}") + dir("${BASE_DIR}"){ + script { + def mapParallelTasks = [:] + def content = readYaml(file: 'Jenkinsfile.yml') + content['projects'].each { projectName -> + generateStages(project: projectName, changeset: content['changeset']).each { k,v -> + mapParallelTasks["${k}"] = v } } + parallel(mapParallelTasks) } } - stage('Kubernetes'){ - agent { label 'ubuntu && immutable' } - options { skipDefaultCheckout() } - when { - beforeAgent true - expression { - return env.BUILD_KUBERNETES != "false" - } - } - steps { - k8sTest(["v1.18.2","v1.17.2","v1.16.4","v1.15.7","v1.14.10"]) + } + post { + always { + dir("${BASE_DIR}"){ + // Archive the markdown files that contain the build reasons + archiveArtifacts(allowEmptyArchive: false, artifacts: 'build-reasons/*.md') } } } @@ -790,346 +128,286 @@ pipeline { } } -def delete() { - dir("${env.BASE_DIR}") { - fixPermissions("${WORKSPACE}") +/** +* This method is the one used for running the parallel stages, therefore +* its arguments are passed by the beatsStages step. +*/ +def generateStages(Map args = [:]) { + def projectName = args.project + def changeset = args.changeset + def mapParallelStages = [:] + def fileName = "${projectName}/Jenkinsfile.yml" + if (fileExists(fileName)) { + def content = readYaml(file: fileName) + // changesetFunction argument is only required for the top-level when, stage specific when don't need it since it's an aggregation. + if (beatsWhen(project: projectName, content: content?.when, changeset: changeset, changesetFunction: new GetProjectDependencies(steps: this))) { + mapParallelStages = beatsStages(project: projectName, content: content, changeset: changeset, function: new RunCommand(steps: this)) + } + } else { + log(level: 'WARN', text: "${fileName} file does not exist. Please review the top-level Jenkinsfile.yml") } - deleteDir() -} - -def fixPermissions(location) { - sh(label: 'Fix permissions', script: """#!/usr/bin/env bash - source ./dev-tools/common.bash - docker_setup - script/fix_permissions.sh ${location}""", returnStatus: true) + return mapParallelStages } -def makeTarget(Map args = [:]) { - def context = args.context - def target = args.target - def clean = args.get('clean', true) - def withModule = args.get('withModule', false) - withGithubNotify(context: "${context}") { - withBeatsEnv(archive: true, withModule: withModule, modulePattern: getModulePattern(target)) { - whenTrue(params.debug) { - dumpFilteredEnvironment() - dumpMage() - } - sh(label: "Make ${target}", script: "make ${target}") - whenTrue(clean) { - fixPermissions("${HOME}") - } +def cloud(Map args = [:]) { + node(args.label) { + startCloudTestEnv(name: args.directory, dirs: args.dirs) + } + withCloudTestEnv() { + try { + target(context: args.context, command: args.command, directory: args.directory, label: args.label, withModule: args.withModule, isMage: true, id: args.id) + } finally { + terraformCleanup(name: args.directory, dir: args.directory) } } } -def mageTarget(Map args = [:]) { - def context = args.context - def directory = args.directory - def target = args.target - def withModule = args.get('withModule', false) - withGithubNotify(context: "${context}") { - withBeatsEnv(archive: true, withModule: withModule, modulePattern: getModulePattern(directory)) { - whenTrue(params.debug) { - dumpFilteredEnvironment() - dumpMage() - } - - def verboseFlag = params.debug ? "-v" : "" - dir(directory) { - sh(label: "Mage ${target}", script: "mage ${verboseFlag} ${target}") +def k8sTest(Map args = [:]) { + def versions = args.versions + node(args.label) { + versions.each{ v -> + stage("${args.context} ${v}"){ + withEnv(["K8S_VERSION=${v}", "KIND_VERSION=v0.7.0", "KUBECONFIG=${env.WORKSPACE}/kubecfg"]){ + withGithubNotify(context: "${args.context} ${v}") { + withBeatsEnv(archive: false, withModule: false) { + retryWithSleep(retries: 2, seconds: 5, backoff: true){ sh(label: "Install kind", script: ".ci/scripts/install-kind.sh") } + retryWithSleep(retries: 2, seconds: 5, backoff: true){ sh(label: "Install kubectl", script: ".ci/scripts/install-kubectl.sh") } + try { + sh(label: "Setup kind", script: ".ci/scripts/kind-setup.sh") + sh(label: "Integration tests", script: "MODULE=kubernetes make -C metricbeat integration-tests") + sh(label: "Deploy to kubernetes",script: "make -C deploy/kubernetes test") + } finally { + sh(label: 'Delete cluster', script: 'kind delete cluster') + } + } + } + } } } } } -def mageTargetWin(Map args = [:]) { +/** +* This method runs the given command supporting two kind of scenarios: +* - make -C then the dir(location) is not required, aka by disaling isMage: false +* - mage then the dir(location) is required, aka by enabling isMage: true. +*/ +def target(Map args = [:]) { def context = args.context - def directory = args.directory - def target = args.target + def command = args.command + def directory = args.get('directory', '') def withModule = args.get('withModule', false) - withGithubNotify(context: "${context}") { - withBeatsEnvWin(withModule: withModule, modulePattern: getModulePattern(directory)) { - whenTrue(params.debug) { - dumpFilteredEnvironment() - dumpMageWin() - } - - def verboseFlag = params.debug ? "-v" : "" - dir(directory) { - bat(label: "Mage ${target}", script: "mage ${verboseFlag} ${target}") + def isMage = args.get('isMage', false) + node(args.label) { + withGithubNotify(context: "${context}") { + withBeatsEnv(archive: true, withModule: withModule, directory: directory, id: args.id) { + dumpVariables() + // make commands use -C while mage commands require the dir(folder) + // let's support this scenario with the location variable. + dir(isMage ? directory : '') { + cmd(label: "${command}", script: "${command}") + } } } } } -def getModulePattern(String toCompare) { - // Use contains to support the makeTarget(target: '-C ') while mageTarget(directory: '') - return (toCompare.contains('x-pack') ? env.XPACK_MODULE_PATTERN : env.OSS_MODULE_PATTERN) -} - +/** +* This method wraps all the environment setup and pre-requirements to run any commands. +*/ def withBeatsEnv(Map args = [:], Closure body) { def archive = args.get('archive', true) def withModule = args.get('withModule', false) - def modulePattern - if (withModule) { - modulePattern = args.containsKey('modulePattern') ? args.modulePattern : error('withBeatsEnv: modulePattern parameter is required.') + def directory = args.get('directory', '') + + def goRoot, path, magefile, pythonEnv, testResults, artifacts + + if(isUnix()) { + goRoot = "${env.WORKSPACE}/.gvm/versions/go${GO_VERSION}.${nodeOS()}.amd64" + path = "${env.WORKSPACE}/bin:${goRoot}/bin:${env.PATH}" + magefile = "${WORKSPACE}/.magefile" + pythonEnv = "${WORKSPACE}/python-env" + testResults = '**/build/TEST*.xml' + artifacts = '**/build/TEST*.out' + } else { + def chocoPath = 'C:\\ProgramData\\chocolatey\\bin' + def chocoPython3Path = 'C:\\Python38;C:\\Python38\\Scripts' + goRoot = "${env.USERPROFILE}\\.gvm\\versions\\go${GO_VERSION}.windows.amd64" + path = "${env.WORKSPACE}\\bin;${goRoot}\\bin;${chocoPath};${chocoPython3Path};${env.PATH}" + magefile = "${env.WORKSPACE}\\.magefile" + testResults = "**\\build\\TEST*.xml" + artifacts = "**\\build\\TEST*.out" } - def os = goos() - def goRoot = "${env.WORKSPACE}/.gvm/versions/go${GO_VERSION}.${os}.amd64" deleteDir() unstashV2(name: 'source', bucket: "${JOB_GCS_BUCKET}", credentialsId: "${JOB_GCS_CREDENTIALS}") - // NOTE: This is required to run after the unstash - def module = withModule ? getCommonModuleInTheChangeSet(modulePattern) : '' - + def module = withModule ? getCommonModuleInTheChangeSet(directory) : '' withEnv([ - "HOME=${env.WORKSPACE}", + "DOCKER_PULL=0", "GOPATH=${env.WORKSPACE}", "GOROOT=${goRoot}", - "PATH=${env.WORKSPACE}/bin:${goRoot}/bin:${env.PATH}", - "MAGEFILE_CACHE=${WORKSPACE}/.magefile", - "TEST_COVERAGE=true", + "HOME=${env.WORKSPACE}", + "MAGEFILE_CACHE=${magefile}", + "MODULE=${module}", + "PATH=${path}", + "PYTHON_ENV=${pythonEnv}", "RACE_DETECTOR=true", - "PYTHON_ENV=${WORKSPACE}/python-env", - "TEST_TAGS=${env.TEST_TAGS},oracle", - "DOCKER_PULL=0", - "MODULE=${module}" + "TEST_COVERAGE=true", + "TEST_TAGS=${env.TEST_TAGS},oracle" ]) { - if(isDockerInstalled()){ + if(isDockerInstalled()) { dockerLogin(secret: "${DOCKERELASTIC_SECRET}", registry: "${DOCKER_REGISTRY}") } dir("${env.BASE_DIR}") { installTools() - // TODO (2020-04-07): This is a work-around to fix the Beat generator tests. - // See https://github.com/elastic/beats/issues/17787. - setGitConfig() + if(isUnix()) { + // TODO (2020-04-07): This is a work-around to fix the Beat generator tests. + // See https://github.com/elastic/beats/issues/17787. + sh(label: 'check git config', script: ''' + if [ -z "$(git config --get user.email)" ]; then + git config user.email "beatsmachine@users.noreply.github.com" + git config user.name "beatsmachine" + fi''') + } try { - if(!params.dry_run){ - body() - } + body() } finally { if (archive) { - catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') { - junitAndStore(allowEmptyResults: true, keepLongStdio: true, testResults: "**/build/TEST*.xml") - archiveArtifacts(allowEmptyArchive: true, artifacts: '**/build/TEST*.out') - } + archiveTestOutput(testResults: testResults, artifacts: artifacts, id: args.id) + } + // Tear down the setup for the permamnent workers. + catchError(buildResult: 'SUCCESS', stageResult: 'SUCCESS') { + fixPermissions("${WORKSPACE}") + deleteDir() } - reportCoverage() } } } } -def withBeatsEnvWin(Map args = [:], Closure body) { - def withModule = args.get('withModule', false) - def modulePattern - if (withModule) { - modulePattern = args.containsKey('modulePattern') ? args.modulePattern : error('withBeatsEnvWin: modulePattern parameter is required.') - } - final String chocoPath = 'C:\\ProgramData\\chocolatey\\bin' - final String chocoPython3Path = 'C:\\Python38;C:\\Python38\\Scripts' - def goRoot = "${env.USERPROFILE}\\.gvm\\versions\\go${GO_VERSION}.windows.amd64" - - deleteDir() - unstashV2(name: 'source', bucket: "${JOB_GCS_BUCKET}", credentialsId: "${JOB_GCS_CREDENTIALS}") - - // NOTE: This is required to run after the unstash - def module = withModule ? getCommonModuleInTheChangeSet(modulePattern) : '' - - withEnv([ - "HOME=${env.WORKSPACE}", - "GOPATH=${env.WORKSPACE}", - "GOROOT=${goRoot}", - "PATH=${env.WORKSPACE}\\bin;${goRoot}\\bin;${chocoPath};${chocoPython3Path};${env.PATH}", - "MAGEFILE_CACHE=${env.WORKSPACE}\\.magefile", - "TEST_COVERAGE=true", - "RACE_DETECTOR=true", - "MODULE=${module}" - ]){ - dir("${env.BASE_DIR}"){ - installTools() - try { - if(!params.dry_run){ - body() - } - } finally { - catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') { - junitAndStore(allowEmptyResults: true, keepLongStdio: true, testResults: "**\\build\\TEST*.xml") - archiveArtifacts(allowEmptyArchive: true, artifacts: '**\\build\\TEST*.out') - } - } - } +/** +* This method fixes the filesystem permissions after the build has happenend. The reason is to +* ensure any non-ephemeral workers don't have any leftovers that could cause some environmental +* issues. +*/ +def fixPermissions(location) { + if(isUnix()) { + sh(label: 'Fix permissions', script: """#!/usr/bin/env bash + set +x + source ./dev-tools/common.bash + docker_setup + script/fix_permissions.sh ${location}""", returnStatus: true) } } +/** +* This method installs the required dependencies that are for some reason not available in the +* CI Workers. +*/ def installTools() { - def i = 2 // Number of retries if(isUnix()) { - retry(i) { sh(label: "Install Go ${GO_VERSION}", script: ".ci/scripts/install-go.sh") } - retry(i) { sh(label: "Install docker-compose ${DOCKER_COMPOSE_VERSION}", script: ".ci/scripts/install-docker-compose.sh") } - retry(i) { sh(label: "Install Terraform ${TERRAFORM_VERSION}", script: ".ci/scripts/install-terraform.sh") } - retry(i) { sh(label: "Install Mage", script: "make mage") } + retryWithSleep(retries: 2, seconds: 5, backoff: true){ sh(label: "Install Go/Mage/Python/Docker/Terraform ${GO_VERSION}", script: '.ci/scripts/install-tools.sh') } } else { - retry(i) { bat(label: "Install Go/Mage/Python ${GO_VERSION}", script: ".ci/scripts/install-tools.bat") } + retryWithSleep(retries: 2, seconds: 5, backoff: true){ bat(label: "Install Go/Mage/Python ${GO_VERSION}", script: ".ci/scripts/install-tools.bat") } } } -def goos(){ - def labels = env.NODE_LABELS +/** +* This method gathers the module name, if required, in order to run the ITs only if +* the changeset affects a specific module. +* +* For such, it's required to look for changes under the module folder and exclude anything else +* such as asciidoc and png files. +*/ +def getCommonModuleInTheChangeSet(String directory) { + // Use contains to support the target(target: 'make -C ') while target(directory: '', target: '...') + def pattern = (directory.contains('x-pack') ? env.XPACK_MODULE_PATTERN : env.OSS_MODULE_PATTERN) + def module = '' - if (labels.contains('linux')) { - return 'linux' - } else if (labels.contains('windows')) { - return 'windows' - } else if (labels.contains('darwin')) { - return 'darwin' + // Transform folder structure in regex format since path separator is required to be escaped + def transformedDirectory = directory.replaceAll('/', '\\/') + def directoryExclussion = "((?!^${transformedDirectory}\\/).)*\$" + def exclude = "^(${directoryExclussion}|((?!\\/module\\/).)*\$|.*\\.asciidoc|.*\\.png)" + dir("${env.BASE_DIR}") { + module = getGitMatchingGroup(pattern: pattern, exclude: exclude) } - - error("Unhandled OS name in NODE_LABELS: " + labels) -} - -def dumpMage(){ - echo "### MAGE DUMP ###" - sh(label: "Dump mage variables", script: "mage dumpVariables") - echo "### END MAGE DUMP ###" + return module } -def dumpMageWin(){ - echo "### MAGE DUMP ###" - bat(label: "Dump mage variables", script: "mage dumpVariables") - echo "### END MAGE DUMP ###" +/** +* This method archives and report the tests output, for such, it searches in certain folders +* to bypass some issues when working with big repositories. +*/ +def archiveTestOutput(Map args = [:]) { + catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') { + if (isUnix()) { + fixPermissions("${WORKSPACE}") + } + cmd(label: 'Prepare test output', script: 'python .ci/scripts/pre_archive_test.py') + dir('build') { + junitAndStore(allowEmptyResults: true, keepLongStdio: true, testResults: args.testResults, id: args.id) + archiveArtifacts(allowEmptyArchive: true, artifacts: args.artifacts) + } + catchError(buildResult: 'SUCCESS', message: 'Failed to archive the build test results', stageResult: 'SUCCESS') { + def folder = cmd(label: 'Find system-tests', returnStdout: true, script: 'python .ci/scripts/search_system_tests.py').trim() + log(level: 'INFO', text: "system-tests='${folder}'. If no empty then let's create a tarball") + if (folder.trim()) { + def name = folder.replaceAll('/', '-').replaceAll('\\\\', '-').replaceAll('build', '').replaceAll('^-', '') + '-' + nodeOS() + tar(file: "${name}.tgz", archive: true, dir: folder) + } + } + } } -def dumpFilteredEnvironment(){ - echo "### ENV DUMP ###" - echo "PATH: ${env.PATH}" - echo "HOME: ${env.HOME}" - echo "USERPROFILE: ${env.USERPROFILE}" - echo "BUILD_DIR: ${env.BUILD_DIR}" - echo "COVERAGE_DIR: ${env.COVERAGE_DIR}" - echo "BEATS: ${env.BEATS}" - echo "PROJECTS: ${env.PROJECTS}" - echo "PROJECTS_ENV: ${env.PROJECTS_ENV}" - echo "PYTHON_ENV: ${env.PYTHON_ENV}" - echo "PYTHON_EXE: ${env.PYTHON_EXE}" - echo "PYTHON_ENV_EXE: ${env.PYTHON_ENV_EXE}" - echo "VENV_PARAMS: ${env.VENV_PARAMS}" - echo "FIND: ${env.FIND}" - echo "GOLINT: ${env.GOLINT}" - echo "GOLINT_REPO: ${env.GOLINT_REPO}" - echo "REVIEWDOG: ${env.REVIEWDOG}" - echo "REVIEWDOG_OPTIONS: ${env.REVIEWDOG_OPTIONS}" - echo "REVIEWDOG_REPO: ${env.REVIEWDOG_REPO}" - echo "XPACK_SUFFIX: ${env.XPACK_SUFFIX}" - echo "PKG_BUILD_DIR: ${env.PKG_BUILD_DIR}" - echo "PKG_UPLOAD_DIR: ${env.PKG_UPLOAD_DIR}" - echo "COVERAGE_TOOL: ${env.COVERAGE_TOOL}" - echo "COVERAGE_TOOL_REPO: ${env.COVERAGE_TOOL_REPO}" - echo "TESTIFY_TOOL_REPO: ${env.TESTIFY_TOOL_REPO}" - echo "NOW: ${env.NOW}" - echo "GOBUILD_FLAGS: ${env.GOBUILD_FLAGS}" - echo "GOIMPORTS: ${env.GOIMPORTS}" - echo "GOIMPORTS_REPO: ${env.GOIMPORTS_REPO}" - echo "GOIMPORTS_LOCAL_PREFIX: ${env.GOIMPORTS_LOCAL_PREFIX}" - echo "PROCESSES: ${env.PROCESSES}" - echo "TIMEOUT: ${env.TIMEOUT}" - echo "PYTHON_TEST_FILES: ${env.PYTHON_TEST_FILES}" - echo "NOSETESTS_OPTIONS: ${env.NOSETESTS_OPTIONS}" - echo "TEST_ENVIRONMENT: ${env.TEST_ENVIRONMENT}" - echo "SYSTEM_TESTS: ${env.SYSTEM_TESTS}" - echo "STRESS_TESTS: ${env.STRESS_TESTS}" - echo "STRESS_TEST_OPTIONS: ${env.STRESS_TEST_OPTIONS}" - echo "TEST_TAGS: ${env.TEST_TAGS}" - echo "GOX_OS: ${env.GOX_OS}" - echo "GOX_OSARCH: ${env.GOX_OSARCH}" - echo "GOX_FLAGS: ${env.GOX_FLAGS}" - echo "TESTING_ENVIRONMENT: ${env.TESTING_ENVIRONMENT}" - echo "BEAT_VERSION: ${env.BEAT_VERSION}" - echo "COMMIT_ID: ${env.COMMIT_ID}" - echo "DOCKER_COMPOSE_PROJECT_NAME: ${env.DOCKER_COMPOSE_PROJECT_NAME}" - echo "DOCKER_COMPOSE: ${env.DOCKER_COMPOSE}" - echo "DOCKER_CACHE: ${env.DOCKER_CACHE}" - echo "GOPACKAGES_COMMA_SEP: ${env.GOPACKAGES_COMMA_SEP}" - echo "PIP_INSTALL_PARAMS: ${env.PIP_INSTALL_PARAMS}" - echo "### END ENV DUMP ###" +/** +* This method wraps the junit built-in step to archive the test reports that gonna be populated later on +* with the runbld post build step. +*/ +def junitAndStore(Map args = [:]) { + junit(args) + // args.id could be null in some cases, so let's use the currentmilliseconds + def stageName = args.id ? args.id?.replaceAll("[\\W]|_",'-') : "uncategorized-${new java.util.Date().getTime()}" + stash(includes: args.testResults, allowEmpty: true, name: stageName, useDefaultExcludes: true) + stashedTestReports[stageName] = stageName } -def k8sTest(versions){ - versions.each{ v -> - stage("k8s ${v}"){ - withEnv(["K8S_VERSION=${v}", "KIND_VERSION=v0.7.0", "KUBECONFIG=${env.WORKSPACE}/kubecfg"]){ - withGithubNotify(context: "K8s ${v}") { - withBeatsEnv(archive: false, withModule: false) { - sh(label: "Install kind", script: ".ci/scripts/install-kind.sh") - sh(label: "Install kubectl", script: ".ci/scripts/install-kubectl.sh") - sh(label: "Setup kind", script: ".ci/scripts/kind-setup.sh") - sh(label: "Integration tests", script: "MODULE=kubernetes make -C metricbeat integration-tests") - sh(label: "Deploy to kubernetes",script: "make -C deploy/kubernetes test") - sh(label: 'Delete cluster', script: 'kind delete cluster') +/** +* This method populates the test output using the runbld approach. For such it requires the +* global variable stashedTestReports. +* TODO: should be moved to the shared library +*/ +def runbld() { + catchError(buildResult: 'SUCCESS', message: 'runbld post build action failed.') { + if (stashedTestReports) { + def jobName = isPR() ? 'elastic+beats+pull-request' : 'elastic+beats' + deleteDir() + unstashV2(name: 'source', bucket: "${JOB_GCS_BUCKET}", credentialsId: "${JOB_GCS_CREDENTIALS}") + dir("${env.BASE_DIR}") { + // Unstash the test reports + stashedTestReports.each { k, v -> + dir(k) { + unstash(v) } } } + sh(label: 'Process JUnit reports with runbld', + script: """\ + ## for debugging purposes + find . -name "TEST-*.xml" + cat >./runbld-script </.*`. -def isChanged(patterns){ - return ( - params.runAllStages - || isGitRegionMatch(patterns: patterns, comparator: 'regexp') - ) -} - -def isChangedOSSCode(patterns) { - def allPatterns = [ - "^Jenkinsfile", - "^go.mod", - "^libbeat/.*", - "^testing/.*", - "^dev-tools/.*", - "^\\.ci/scripts/.*", - ] - allPatterns.addAll(patterns) - return isChanged(allPatterns) -} - -def isChangedXPackCode(patterns) { - def allPatterns = [ - "^Jenkinsfile", - "^go.mod", - "^libbeat/.*", - "^dev-tools/.*", - "^testing/.*", - "^x-pack/libbeat/.*", - "^\\.ci/scripts/.*", - ] - allPatterns.addAll(patterns) - return isChanged(allPatterns) -} - -// withCloudTestEnv executes a closure with credentials for cloud test -// environments. +/** +* This method executes a closure with credentials for cloud test +* environments. +*/ def withCloudTestEnv(Closure body) { def maskedVars = [] def testTags = "${env.TEST_TAGS}" @@ -1160,12 +438,41 @@ def withCloudTestEnv(Closure body) { } } -def terraformInit(String directory) { - dir(directory) { - sh(label: "Terraform Init on ${directory}", script: "terraform init") +/** +* Start testing environment on cloud using terraform. Terraform files are +* stashed so they can be used by other stages. They are also archived in +* case manual cleanup is needed. +* +* Example: +* startCloudTestEnv(name: 'x-pack-metricbeat', dirs: ['x-pack/metricbeat/module/aws']) +* ... +* terraformCleanup(name: 'x-pack-metricbeat', dir: 'x-pack/metricbeat') +*/ +def startCloudTestEnv(Map args = [:]) { + String name = normalise(args.name) + def dirs = args.get('dirs',[]) + stage("${name}-prepare-cloud-env"){ + withCloudTestEnv() { + withBeatsEnv(archive: false, withModule: false) { + try { + for (folder in dirs) { + retryWithSleep(retries: 2, seconds: 5, backoff: true){ + terraformApply(folder) + } + } + } finally { + // Archive terraform states in case manual cleanup is needed. + archiveArtifacts(allowEmptyArchive: true, artifacts: '**/terraform.tfstate') + } + stash(name: "terraform-${name}", allowEmpty: true, includes: '**/terraform.tfstate,**/.terraform/**') + } + } } } +/** +* Run terraform in the given directory +*/ def terraformApply(String directory) { terraformInit(directory) dir(directory) { @@ -1173,46 +480,19 @@ def terraformApply(String directory) { } } -// Start testing environment on cloud using terraform. Terraform files are -// stashed so they can be used by other stages. They are also archived in -// case manual cleanup is needed. -// -// Example: -// startCloudTestEnv('x-pack-metricbeat', [ -// [cond: params.awsCloudTests, dir: 'x-pack/metricbeat/module/aws'], -// ]) -// ... -// terraformCleanup('x-pack-metricbeat', 'x-pack/metricbeat') -def startCloudTestEnv(String name, environments = []) { - withCloudTestEnv() { - withBeatsEnv(archive: false, withModule: false) { - def runAll = params.runAllCloudTests - try { - for (environment in environments) { - if (environment.cond || runAll) { - retry(2) { - terraformApply(environment.dir) - } - } - } - } finally { - // Archive terraform states in case manual cleanup is needed. - archiveArtifacts(allowEmptyArchive: true, artifacts: '**/terraform.tfstate') - } - stash(name: "terraform-${name}", allowEmpty: true, includes: '**/terraform.tfstate,**/.terraform/**') - } - } -} - - -// Looks for all terraform states in directory and runs terraform destroy for them, -// it uses terraform states previously stashed by startCloudTestEnv. -def terraformCleanup(String stashName, String directory) { - stage("Remove cloud scenarios in ${directory}"){ +/** +* Tear down the terraform environments, by looking for all terraform states in directory +* then it runs terraform destroy for each one. +* It uses terraform states previously stashed by startCloudTestEnv. +*/ +def terraformCleanup(Map args = [:]) { + String name = normalise(args.name) + String directory = args.dir + stage("${name}-tear-down-cloud-env"){ withCloudTestEnv() { withBeatsEnv(archive: false, withModule: false) { - unstash("terraform-${stashName}") - retry(2) { + unstash("terraform-${name}") + retryWithSleep(retries: 2, seconds: 5, backoff: true) { sh(label: "Terraform Cleanup", script: ".ci/scripts/terraform-cleanup.sh ${directory}") } } @@ -1220,173 +500,138 @@ def terraformCleanup(String stashName, String directory) { } } -def loadConfigEnvVars(){ - def empty = [] - env.GO_VERSION = readFile(".go-version").trim() - - withEnv(["HOME=${env.WORKSPACE}"]) { - retry(2) { sh(label: "Install Go ${env.GO_VERSION}", script: ".ci/scripts/install-go.sh") } - } - - // Libbeat is the core framework of Beats. It has no additional dependencies - // on other projects in the Beats repository. - env.BUILD_LIBBEAT = isChangedOSSCode(empty) - env.BUILD_LIBBEAT_XPACK = isChangedXPackCode(empty) - - // Auditbeat depends on metricbeat as framework, but does not include any of - // the modules from Metricbeat. - // The Auditbeat x-pack build contains all functionality from OSS Auditbeat. - env.BUILD_AUDITBEAT = isChangedOSSCode(getProjectDependencies('auditbeat')) - env.BUILD_AUDITBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/auditbeat')) - - // Dockerlogbeat is a standalone Beat that only relies on libbeat. - env.BUILD_DOCKERLOGBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/dockerlogbeat')) - - // Filebeat depends on libbeat only. - // The Filebeat x-pack build contains all functionality from OSS Filebeat. - env.BUILD_FILEBEAT = isChangedOSSCode(getProjectDependencies('filebeat')) - env.BUILD_FILEBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/filebeat')) - - // Metricbeat depends on libbeat only. - // The Metricbeat x-pack build contains all functionality from OSS Metricbeat. - env.BUILD_METRICBEAT = isChangedOSSCode(getProjectDependencies('metricbeat')) - env.BUILD_METRICBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/metricbeat')) - - // Functionbeat is a standalone beat that depends on libbeat only. - // Functionbeat is available as x-pack build only. - env.BUILD_FUNCTIONBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/functionbeat')) - - // Heartbeat depends on libbeat only. - // The Heartbeat x-pack build contains all functionality from OSS Heartbeat. - env.BUILD_HEARTBEAT = isChangedOSSCode(getProjectDependencies('heartbeat')) - env.BUILD_HEARTBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/heartbeat')) - - // Journalbeat depends on libbeat only. - // The Journalbeat x-pack build contains all functionality from OSS Journalbeat. - env.BUILD_JOURNALBEAT = isChangedOSSCode(getProjectDependencies('journalbeat')) - env.BUILD_JOURNALBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/journalbeat')) - - // Packetbeat depends on libbeat only. - // The Packetbeat x-pack build contains all functionality from OSS Packetbeat. - env.BUILD_PACKETBEAT = isChangedOSSCode(getProjectDependencies('packetbeat')) - env.BUILD_PACKETBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/packetbeat')) - - // Winlogbeat depends on libbeat only. - // The Winlogbeat x-pack build contains all functionality from OSS Winlogbeat. - env.BUILD_WINLOGBEAT = isChangedOSSCode(getProjectDependencies('winlogbeat')) - env.BUILD_WINLOGBEAT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/winlogbeat')) - - // Elastic-agent is a self-contained product, that depends on libbeat only. - // The agent acts as a supervisor for other Beats like Filebeat or Metricbeat. - // The agent is available as x-pack build only. - env.BUILD_ELASTIC_AGENT_XPACK = isChangedXPackCode(getProjectDependencies('x-pack/elastic-agent')) - - // The Kubernetes test use Filebeat and Metricbeat, but only need to be run - // if the deployment scripts have been updated. No Beats specific testing is - // involved. - env.BUILD_KUBERNETES = isChanged(["^deploy/kubernetes/.*"]) - - def generatorPatterns = ['^generator/.*'] - generatorPatterns.addAll(getProjectDependencies('generator/common/beatgen')) - generatorPatterns.addAll(getProjectDependencies('metricbeat/beater')) - env.BUILD_GENERATOR = isChangedOSSCode(generatorPatterns) - - // Skip all the stages for changes only related to the documentation - env.ONLY_DOCS = isDocChangedOnly() -} - /** - This method gathers the module name, if required, in order to run the ITs only if - the changeset affects a specific module. - - For such, it's required to look for changes under the module folder and exclude anything else - such as ascidoc and png files. +* Prepare the terraform context in the given directory */ -def getCommonModuleInTheChangeSet(String pattern) { - def module = '' - dir("${env.BASE_DIR}") { - module = getGitMatchingGroup(pattern: pattern , exclude: '^(((?!\\/module\\/).)*$|.*\\.asciidoc|.*\\.png)') +def terraformInit(String directory) { + dir(directory) { + sh(label: "Terraform Init on ${directory}", script: "terraform init") } - return module } /** - This method verifies if the changeset for the current pull request affect only changes related - to documentation, such as asciidoc and png files. +* Replace the slashes in the directory in case there are nested folders. */ -def isDocChangedOnly(){ - if (params.runAllStages || !env.CHANGE_ID?.trim()) { - log(level: 'INFO', text: 'Speed build for docs only is disabled for branches/tags or when forcing with the runAllStages parameter.') - return 'false' - } else { - log(level: "INFO", text: 'Check if the speed build for docs is enabled.') - return isGitRegionMatch(patterns: ['.*\\.(asciidoc|png)'], shouldMatchAll: true) - } +def normalise(String directory) { + return directory.replaceAll("[\\W]|_",'-') } /** - This method grab the dependencies of a Go module and transform them on regexp +* For debugging purposes. */ -def getProjectDependencies(beatName){ - def os = goos() - def goRoot = "${env.WORKSPACE}/.gvm/versions/go${GO_VERSION}.${os}.amd64" - def output = "" - - withEnv([ - "HOME=${env.WORKSPACE}/${env.BASE_DIR}", - "PATH=${env.WORKSPACE}/bin:${goRoot}/bin:${env.PATH}", - ]) { - output = sh(label: 'Get vendor dependency patterns', returnStdout: true, script: """ - go list -deps ./${beatName} \ - | grep 'elastic/beats' \ - | sed -e "s#github.com/elastic/beats/v7/##g" \ - | awk '{print "^" \$1 "/.*"}' - """) - } - return output?.split('\n').collect{ item -> item as String } -} - -def setGitConfig(){ - sh(label: 'check git config', script: ''' - if [ -z "$(git config --get user.email)" ]; then - git config user.email "beatsmachine@users.noreply.github.com" - git config user.name "beatsmachine" - fi - ''') +def dumpVariables(){ + echo "### MAGE DUMP ###" + cmd(label: 'Dump mage variables', script: 'mage dumpVariables') + echo "### END MAGE DUMP ###" + echo """ + ### ENV DUMP ### + BEAT_VERSION: ${env.BEAT_VERSION} + BEATS: ${env.BEATS} + BUILD_DIR: ${env.BUILD_DIR} + COMMIT_ID: ${env.COMMIT_ID} + COVERAGE_DIR: ${env.COVERAGE_DIR} + COVERAGE_TOOL: ${env.COVERAGE_TOOL} + COVERAGE_TOOL_REPO: ${env.COVERAGE_TOOL_REPO} + DOCKER_CACHE: ${env.DOCKER_CACHE} + DOCKER_COMPOSE_PROJECT_NAME: ${env.DOCKER_COMPOSE_PROJECT_NAME} + DOCKER_COMPOSE: ${env.DOCKER_COMPOSE} + FIND: ${env.FIND} + GOBUILD_FLAGS: ${env.GOBUILD_FLAGS} + GOIMPORTS: ${env.GOIMPORTS} + GOIMPORTS_REPO: ${env.GOIMPORTS_REPO} + GOIMPORTS_LOCAL_PREFIX: ${env.GOIMPORTS_LOCAL_PREFIX} + GOLINT: ${env.GOLINT} + GOLINT_REPO: ${env.GOLINT_REPO} + GOPACKAGES_COMMA_SEP: ${env.GOPACKAGES_COMMA_SEP} + GOX_FLAGS: ${env.GOX_FLAGS} + GOX_OS: ${env.GOX_OS} + GOX_OSARCH: ${env.GOX_OSARCH} + HOME: ${env.HOME} + NOSETESTS_OPTIONS: ${env.NOSETESTS_OPTIONS} + NOW: ${env.NOW} + PATH: ${env.PATH} + PKG_BUILD_DIR: ${env.PKG_BUILD_DIR} + PKG_UPLOAD_DIR: ${env.PKG_UPLOAD_DIR} + PIP_INSTALL_PARAMS: ${env.PIP_INSTALL_PARAMS} + PROJECTS: ${env.PROJECTS} + PROJECTS_ENV: ${env.PROJECTS_ENV} + PYTHON_ENV: ${env.PYTHON_ENV} + PYTHON_ENV_EXE: ${env.PYTHON_ENV_EXE} + PYTHON_EXE: ${env.PYTHON_EXE} + PYTHON_TEST_FILES: ${env.PYTHON_TEST_FILES} + PROCESSES: ${env.PROCESSES} + REVIEWDOG: ${env.REVIEWDOG} + REVIEWDOG_OPTIONS: ${env.REVIEWDOG_OPTIONS} + REVIEWDOG_REPO: ${env.REVIEWDOG_REPO} + STRESS_TESTS: ${env.STRESS_TESTS} + STRESS_TEST_OPTIONS: ${env.STRESS_TEST_OPTIONS} + SYSTEM_TESTS: ${env.SYSTEM_TESTS} + TESTIFY_TOOL_REPO: ${env.TESTIFY_TOOL_REPO} + TEST_ENVIRONMENT: ${env.TEST_ENVIRONMENT} + TEST_TAGS: ${env.TEST_TAGS} + TESTING_ENVIRONMENT: ${env.TESTING_ENVIRONMENT} + TIMEOUT: ${env.TIMEOUT} + USERPROFILE: ${env.USERPROFILE} + VENV_PARAMS: ${env.VENV_PARAMS} + XPACK_SUFFIX: ${env.XPACK_SUFFIX} + ### END ENV DUMP ### + """ } def isDockerInstalled(){ - return sh(label: 'check for Docker', script: 'command -v docker', returnStatus: true) + if (isUnix()) { + // TODO: some issues with macosx if(isInstalled(tool: 'docker', flag: '--version')) { + return sh(label: 'check for Docker', script: 'command -v docker', returnStatus: true) + } else { + return false + } } -def junitAndStore(Map params = [:]){ - junit(params) - // STAGE_NAME env variable could be null in some cases, so let's use the currentmilliseconds - def stageName = env.STAGE_NAME ? env.STAGE_NAME.replaceAll("[\\W]|_",'-') : "uncategorized-${new java.util.Date().getTime()}" - stash(includes: params.testResults, allowEmpty: true, name: stageName, useDefaultExcludes: true) - stashedTestReports[stageName] = stageName +/** +* This class is the one used for running the parallel stages, therefore +* its arguments are passed by the beatsStages step. +* +* What parameters/arguments are supported: +* - label -> the worker labels +* - project -> the name of the project that should match with the folder name. +* - content -> the specific stage data in the /Jenkinsfile.yml +* - context -> the name of the stage, normally -(-)? +*/ +class RunCommand extends co.elastic.beats.BeatsFunction { + public RunCommand(Map args = [:]){ + super(args) + } + public run(Map args = [:]){ + def withModule = args.content.get('withModule', false) + if(args?.content?.containsKey('make')) { + steps.target(context: args.context, command: args.content.make, directory: args.project, label: args.label, withModule: withModule, isMage: false, id: args.id) + } + if(args?.content?.containsKey('mage')) { + steps.target(context: args.context, command: args.content.mage, directory: args.project, label: args.label, withModule: withModule, isMage: true, id: args.id) + } + if(args?.content?.containsKey('k8sTest')) { + steps.k8sTest(context: args.context, versions: args.content.k8sTest.split(','), label: args.label, id: args.id) + } + if(args?.content?.containsKey('cloud')) { + steps.cloud(context: args.context, command: args.content.cloud, directory: args.project, label: args.label, withModule: withModule, dirs: args.content.dirs, id: args.id) + } + } } -def runbld() { - catchError(buildResult: 'SUCCESS', message: 'runbld post build action failed.') { - if (stashedTestReports) { - dir("${env.BASE_DIR}") { - sh(label: 'Prepare workspace context', - script: 'find . -type f -name "TEST*.xml" -path "*/build/*" -delete') - // Unstash the test reports - stashedTestReports.each { k, v -> - dir(k) { - unstash(v) - } - } - sh(label: 'Process JUnit reports with runbld', - script: '''\ - cat >./runbld-script < item as String } } } diff --git a/Jenkinsfile.yml b/Jenkinsfile.yml new file mode 100644 index 00000000000..2f720bf055b --- /dev/null +++ b/Jenkinsfile.yml @@ -0,0 +1,47 @@ +projects: + - "auditbeat" + - "deploy/kubernetes" + - "filebeat" + - "generator" + - "heartbeat" + - "journalbeat" + - "libbeat" + - "metricbeat" + - "packetbeat" + - "winlogbeat" + - "x-pack/auditbeat" + - "x-pack/dockerlogbeat" + - "x-pack/elastic-agent" + - "x-pack/filebeat" + - "x-pack/functionbeat" + - "x-pack/libbeat" + - "x-pack/metricbeat" + - "x-pack/winlogbeat" + ##- "x-pack/heartbeat" It's not yet in the 1.0 pipeline. + ##- "x-pack/journalbeat" It's not yet in the 1.0 pipeline. + ##- "x-pack/packetbeat" It's not yet in the 1.0 pipeline. + +## Changeset macros that are defined here and used in each specific 2.0 pipeline. +changeset: + ci: + - "^Jenkinsfile" + - "^\\.ci/scripts/.*" + oss: + - "^go.mod" + - "^dev-tools/.*" + - "^libbeat/.*" + - "^testing/.*" + xpack: + - "^go.mod" + - "^dev-tools/.*" + - "^libbeat/.*" + - "^testing/.*" + - "^x-pack/libbeat/.*" + +## Proposal +## TBC: This will allow to configure what to do based on the PR configuration +disabled: + when: + labels: ## Skip the GitHub Pull Request builds if there is a GitHub label match + - "skip-ci" + draft: true ## Skip the GitHub Pull Request builds with Draft PRs. diff --git a/Makefile b/Makefile index 11e9c72f72d..c21c0a7346e 100644 --- a/Makefile +++ b/Makefile @@ -18,7 +18,7 @@ XPACK_SUFFIX=x-pack/ # PROJECTS_XPACK_PKG is a list of Beats that have independent packaging support # in the x-pack directory (rather than having the OSS build produce both sets # of artifacts). This will be removed once we complete the transition. -PROJECTS_XPACK_PKG=x-pack/auditbeat x-pack/dockerlogbeat x-pack/filebeat x-pack/metricbeat x-pack/winlogbeat +PROJECTS_XPACK_PKG=x-pack/auditbeat x-pack/dockerlogbeat x-pack/filebeat x-pack/heartbeat x-pack/metricbeat x-pack/winlogbeat # PROJECTS_XPACK_MAGE is a list of Beats whose primary build logic is based in # Mage. For compatibility with CI testing these projects support a subset of the # makefile targets. After all Beats converge to primarily using Mage we can @@ -167,7 +167,7 @@ notice: .PHONY: python-env python-env: @test -d $(PYTHON_ENV) || ${PYTHON_EXE} -m venv $(VENV_PARAMS) $(PYTHON_ENV) - @$(PYTHON_ENV)/bin/pip install -q --upgrade pip autopep8==1.3.5 pylint==2.4.4 + @$(PYTHON_ENV)/bin/pip install -q --upgrade pip autopep8==1.5.4 pylint==2.4.4 @# Work around pip bug. See: https://github.com/pypa/pip/issues/4464 @find $(PYTHON_ENV) -type d -name dist-packages -exec sh -c "echo dist-packages > {}.pth" ';' diff --git a/NOTICE.txt b/NOTICE.txt index 4c0b57c2a00..748fe0f5e98 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -285,12 +285,12 @@ Contents of probable licence file $GOMODCACHE/cloud.google.com/go@v0.51.0/LICENS -------------------------------------------------------------------------------- -Dependency : cloud.google.com/go/pubsub +Dependency : cloud.google.com/go/bigquery Version: v1.0.1 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/cloud.google.com/go/pubsub@v1.0.1/LICENSE: +Contents of probable licence file $GOMODCACHE/cloud.google.com/go/bigquery@v1.0.1/LICENSE: Apache License @@ -497,12 +497,12 @@ Contents of probable licence file $GOMODCACHE/cloud.google.com/go/pubsub@v1.0.1/ -------------------------------------------------------------------------------- -Dependency : cloud.google.com/go/storage -Version: v1.0.0 +Dependency : cloud.google.com/go/pubsub +Version: v1.0.1 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/cloud.google.com/go/storage@v1.0.0/LICENSE: +Contents of probable licence file $GOMODCACHE/cloud.google.com/go/pubsub@v1.0.1/LICENSE: Apache License @@ -709,228 +709,12 @@ Contents of probable licence file $GOMODCACHE/cloud.google.com/go/storage@v1.0.0 -------------------------------------------------------------------------------- -Dependency : code.cloudfoundry.org/go-loggregator -Version: v7.4.0+incompatible -Licence type (autodetected): Apache-2.0 --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/code.cloudfoundry.org/go-loggregator@v7.4.0+incompatible/LICENSE: - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - --------------------------------------------------------------------------------- -Dependency : github.com/Azure/azure-event-hubs-go/v3 -Version: v3.1.2 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-event-hubs-go/v3@v3.1.2/LICENSE: - - MIT License - - Copyright (c) Microsoft Corporation. All rights reserved. - - Permission is hereby granted, free of charge, to any person obtaining a copy - of this software and associated documentation files (the "Software"), to deal - in the Software without restriction, including without limitation the rights - to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - copies of the Software, and to permit persons to whom the Software is - furnished to do so, subject to the following conditions: - - The above copyright notice and this permission notice shall be included in all - copies or substantial portions of the Software. - - THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - SOFTWARE - - --------------------------------------------------------------------------------- -Dependency : github.com/Azure/azure-sdk-for-go -Version: v37.1.0+incompatible +Dependency : cloud.google.com/go/storage +Version: v1.0.0 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-sdk-for-go@v37.1.0+incompatible/LICENSE: +Contents of probable licence file $GOMODCACHE/cloud.google.com/go/storage@v1.0.0/LICENSE: Apache License @@ -1121,7 +905,7 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-sdk-for-go same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright 2016 Microsoft Corporation + Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -1137,45 +921,14 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-sdk-for-go -------------------------------------------------------------------------------- -Dependency : github.com/Azure/azure-storage-blob-go -Version: v0.8.0 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-storage-blob-go@v0.8.0/LICENSE: - - MIT License - - Copyright (c) Microsoft Corporation. All rights reserved. - - Permission is hereby granted, free of charge, to any person obtaining a copy - of this software and associated documentation files (the "Software"), to deal - in the Software without restriction, including without limitation the rights - to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - copies of the Software, and to permit persons to whom the Software is - furnished to do so, subject to the following conditions: - - The above copyright notice and this permission notice shall be included in all - copies or substantial portions of the Software. - - THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - SOFTWARE - --------------------------------------------------------------------------------- -Dependency : github.com/Azure/go-autorest/autorest -Version: v0.9.4 +Dependency : code.cloudfoundry.org/go-loggregator +Version: v7.4.0+incompatible Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/autorest@v0.9.4/LICENSE: - +Contents of probable licence file $GOMODCACHE/code.cloudfoundry.org/go-loggregator@v7.4.0+incompatible/LICENSE: - Apache License + Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ @@ -1352,7 +1105,235 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/auto END OF TERMS AND CONDITIONS - Copyright 2015 Microsoft Corporation +-------------------------------------------------------------------------------- +Dependency : github.com/Azure/azure-event-hubs-go/v3 +Version: v3.1.2 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-event-hubs-go/v3@v3.1.2/LICENSE: + + MIT License + + Copyright (c) Microsoft Corporation. All rights reserved. + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in all + copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE + + +-------------------------------------------------------------------------------- +Dependency : github.com/Azure/azure-sdk-for-go +Version: v37.1.0+incompatible +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-sdk-for-go@v37.1.0+incompatible/LICENSE: + + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2016 Microsoft Corporation Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -1368,12 +1349,42 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/auto -------------------------------------------------------------------------------- -Dependency : github.com/Azure/go-autorest/autorest/adal -Version: v0.8.1 +Dependency : github.com/Azure/azure-storage-blob-go +Version: v0.8.0 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/!azure/azure-storage-blob-go@v0.8.0/LICENSE: + + MIT License + + Copyright (c) Microsoft Corporation. All rights reserved. + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in all + copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE + +-------------------------------------------------------------------------------- +Dependency : github.com/Azure/go-autorest/autorest +Version: v0.9.4 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/autorest/adal@v0.8.1/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/autorest@v0.9.4/LICENSE: Apache License @@ -1569,12 +1580,12 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/auto -------------------------------------------------------------------------------- -Dependency : github.com/Azure/go-autorest/autorest/azure/auth -Version: v0.4.2 +Dependency : github.com/Azure/go-autorest/autorest/adal +Version: v0.8.1 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/autorest/azure/auth@v0.4.2/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/autorest/adal@v0.8.1/LICENSE: Apache License @@ -1770,12 +1781,12 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/auto -------------------------------------------------------------------------------- -Dependency : github.com/Azure/go-autorest/autorest/date -Version: v0.2.0 +Dependency : github.com/Azure/go-autorest/autorest/azure/auth +Version: v0.4.2 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/autorest/date@v0.2.0/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/autorest/azure/auth@v0.4.2/LICENSE: Apache License @@ -1971,33 +1982,204 @@ Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/auto -------------------------------------------------------------------------------- -Dependency : github.com/Masterminds/semver -Version: v1.4.2 -Licence type (autodetected): MIT +Dependency : github.com/Azure/go-autorest/autorest/date +Version: v0.2.0 +Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/!masterminds/semver@v1.4.2/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/!azure/go-autorest/autorest/date@v0.2.0/LICENSE: -The Masterminds -Copyright (C) 2014-2015, Matt Butcher and Matt Farina -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright 2015 Microsoft Corporation + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. -------------------------------------------------------------------------------- @@ -2343,11 +2525,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- Dependency : github.com/antlr/antlr4 -Version: v0.0.0-20200225173536-225249fdaef5 +Version: v0.0.0-20200820155224-be881fa6b91d Licence type (autodetected): MIT -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/antlr/antlr4@v0.0.0-20200225173536-225249fdaef5/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/antlr/antlr4@v0.0.0-20200820155224-be881fa6b91d/LICENSE.txt: [The "BSD 3-clause license"] Copyright (c) 2012-2017 The ANTLR Project. All rights reserved. @@ -5491,11 +5673,11 @@ This Agreement is governed by the laws of the State of New York and the intellec -------------------------------------------------------------------------------- Dependency : github.com/elastic/ecs -Version: v1.5.0 +Version: v1.6.0 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/ecs@v1.5.0/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/elastic/ecs@v1.6.0/LICENSE.txt: Apache License @@ -5936,11 +6118,11 @@ SOFTWARE -------------------------------------------------------------------------------- Dependency : github.com/elastic/go-concert -Version: v0.0.3 +Version: v0.0.4 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/go-concert@v0.0.3/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/elastic/go-concert@v0.0.4/LICENSE: Apache License Version 2.0, January 2004 @@ -6147,11 +6329,11 @@ Contents of probable licence file $GOMODCACHE/github.com/elastic/go-concert@v0.0 -------------------------------------------------------------------------------- Dependency : github.com/elastic/go-libaudit/v2 -Version: v2.0.0-20200515221334-92371bef3fb8 +Version: v2.0.2 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/go-libaudit/v2@v2.0.0-20200515221334-92371bef3fb8/LICENSE.txt: +Contents of probable licence file $GOMODCACHE/github.com/elastic/go-libaudit/v2@v2.0.2/LICENSE.txt: Apache License @@ -7899,11 +8081,11 @@ Contents of probable licence file $GOMODCACHE/github.com/elastic/go-ucfg@v0.8.3/ -------------------------------------------------------------------------------- Dependency : github.com/elastic/gosigar -Version: v0.10.5 +Version: v0.10.6-0.20200715000138-f115143bb233 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/gosigar@v0.10.5/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/elastic/gosigar@v0.10.6-0.20200715000138-f115143bb233/LICENSE: Apache License Version 2.0, January 2004 @@ -9563,685 +9745,213 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- Dependency : github.com/gorhill/cronexpr Version: v0.0.0-20161205141322-d520615e531a -Licence type (autodetected): GPL-3.0 --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/gorhill/cronexpr@v0.0.0-20161205141322-d520615e531a/GPLv3: - -GNU GENERAL PUBLIC LICENSE - Version 3, 29 June 2007 - - Copyright (C) 2007 Free Software Foundation, Inc. {http://fsf.org/} - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The GNU General Public License is a free, copyleft license for -software and other kinds of works. - - The licenses for most software and other practical works are designed -to take away your freedom to share and change the works. By contrast, -the GNU General Public License is intended to guarantee your freedom to -share and change all versions of a program--to make sure it remains free -software for all its users. We, the Free Software Foundation, use the -GNU General Public License for most of our software; it applies also to -any other work released this way by its authors. You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -them if you wish), that you receive source code or can get it if you -want it, that you can change the software or use pieces of it in new -free programs, and that you know you can do these things. - - To protect your rights, we need to prevent others from denying you -these rights or asking you to surrender the rights. Therefore, you have -certain responsibilities if you distribute copies of the software, or if -you modify it: responsibilities to respect the freedom of others. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must pass on to the recipients the same -freedoms that you received. You must make sure that they, too, receive -or can get the source code. And you must show them these terms so they -know their rights. - - Developers that use the GNU GPL protect your rights with two steps: -(1) assert copyright on the software, and (2) offer you this License -giving you legal permission to copy, distribute and/or modify it. - - For the developers' and authors' protection, the GPL clearly explains -that there is no warranty for this free software. For both users' and -authors' sake, the GPL requires that modified versions be marked as -changed, so that their problems will not be attributed erroneously to -authors of previous versions. - - Some devices are designed to deny users access to install or run -modified versions of the software inside them, although the manufacturer -can do so. This is fundamentally incompatible with the aim of -protecting users' freedom to change the software. The systematic -pattern of such abuse occurs in the area of products for individuals to -use, which is precisely where it is most unacceptable. Therefore, we -have designed this version of the GPL to prohibit the practice for those -products. If such problems arise substantially in other domains, we -stand ready to extend this provision to those domains in future versions -of the GPL, as needed to protect the freedom of users. - - Finally, every program is threatened constantly by software patents. -States should not allow patents to restrict development and use of -software on general-purpose computers, but in those that do, we wish to -avoid the special danger that patents applied to a free program could -make it effectively proprietary. To prevent this, the GPL assures that -patents cannot be used to render the program non-free. - - The precise terms and conditions for copying, distribution and -modification follow. - - TERMS AND CONDITIONS - - 0. Definitions. - - "This License" refers to version 3 of the GNU General Public License. - - "Copyright" also means copyright-like laws that apply to other kinds of -works, such as semiconductor masks. - - "The Program" refers to any copyrightable work licensed under this -License. Each licensee is addressed as "you". "Licensees" and -"recipients" may be individuals or organizations. - - To "modify" a work means to copy from or adapt all or part of the work -in a fashion requiring copyright permission, other than the making of an -exact copy. The resulting work is called a "modified version" of the -earlier work or a work "based on" the earlier work. - - A "covered work" means either the unmodified Program or a work based -on the Program. - - To "propagate" a work means to do anything with it that, without -permission, would make you directly or secondarily liable for -infringement under applicable copyright law, except executing it on a -computer or modifying a private copy. Propagation includes copying, -distribution (with or without modification), making available to the -public, and in some countries other activities as well. - - To "convey" a work means any kind of propagation that enables other -parties to make or receive copies. Mere interaction with a user through -a computer network, with no transfer of a copy, is not conveying. - - An interactive user interface displays "Appropriate Legal Notices" -to the extent that it includes a convenient and prominently visible -feature that (1) displays an appropriate copyright notice, and (2) -tells the user that there is no warranty for the work (except to the -extent that warranties are provided), that licensees may convey the -work under this License, and how to view a copy of this License. If -the interface presents a list of user commands or options, such as a -menu, a prominent item in the list meets this criterion. - - 1. Source Code. - - The "source code" for a work means the preferred form of the work -for making modifications to it. "Object code" means any non-source -form of a work. - - A "Standard Interface" means an interface that either is an official -standard defined by a recognized standards body, or, in the case of -interfaces specified for a particular programming language, one that -is widely used among developers working in that language. - - The "System Libraries" of an executable work include anything, other -than the work as a whole, that (a) is included in the normal form of -packaging a Major Component, but which is not part of that Major -Component, and (b) serves only to enable use of the work with that -Major Component, or to implement a Standard Interface for which an -implementation is available to the public in source code form. A -"Major Component", in this context, means a major essential component -(kernel, window system, and so on) of the specific operating system -(if any) on which the executable work runs, or a compiler used to -produce the work, or an object code interpreter used to run it. - - The "Corresponding Source" for a work in object code form means all -the source code needed to generate, install, and (for an executable -work) run the object code and to modify the work, including scripts to -control those activities. However, it does not include the work's -System Libraries, or general-purpose tools or generally available free -programs which are used unmodified in performing those activities but -which are not part of the work. For example, Corresponding Source -includes interface definition files associated with source files for -the work, and the source code for shared libraries and dynamically -linked subprograms that the work is specifically designed to require, -such as by intimate data communication or control flow between those -subprograms and other parts of the work. - - The Corresponding Source need not include anything that users -can regenerate automatically from other parts of the Corresponding -Source. - - The Corresponding Source for a work in source code form is that -same work. - - 2. Basic Permissions. - - All rights granted under this License are granted for the term of -copyright on the Program, and are irrevocable provided the stated -conditions are met. This License explicitly affirms your unlimited -permission to run the unmodified Program. The output from running a -covered work is covered by this License only if the output, given its -content, constitutes a covered work. This License acknowledges your -rights of fair use or other equivalent, as provided by copyright law. - - You may make, run and propagate covered works that you do not -convey, without conditions so long as your license otherwise remains -in force. You may convey covered works to others for the sole purpose -of having them make modifications exclusively for you, or provide you -with facilities for running those works, provided that you comply with -the terms of this License in conveying all material for which you do -not control copyright. Those thus making or running the covered works -for you must do so exclusively on your behalf, under your direction -and control, on terms that prohibit them from making any copies of -your copyrighted material outside their relationship with you. - - Conveying under any other circumstances is permitted solely under -the conditions stated below. Sublicensing is not allowed; section 10 -makes it unnecessary. - - 3. Protecting Users' Legal Rights From Anti-Circumvention Law. - - No covered work shall be deemed part of an effective technological -measure under any applicable law fulfilling obligations under article -11 of the WIPO copyright treaty adopted on 20 December 1996, or -similar laws prohibiting or restricting circumvention of such -measures. - - When you convey a covered work, you waive any legal power to forbid -circumvention of technological measures to the extent such circumvention -is effected by exercising rights under this License with respect to -the covered work, and you disclaim any intention to limit operation or -modification of the work as a means of enforcing, against the work's -users, your or third parties' legal rights to forbid circumvention of -technological measures. - - 4. Conveying Verbatim Copies. - - You may convey verbatim copies of the Program's source code as you -receive it, in any medium, provided that you conspicuously and -appropriately publish on each copy an appropriate copyright notice; -keep intact all notices stating that this License and any -non-permissive terms added in accord with section 7 apply to the code; -keep intact all notices of the absence of any warranty; and give all -recipients a copy of this License along with the Program. - - You may charge any price or no price for each copy that you convey, -and you may offer support or warranty protection for a fee. - - 5. Conveying Modified Source Versions. - - You may convey a work based on the Program, or the modifications to -produce it from the Program, in the form of source code under the -terms of section 4, provided that you also meet all of these conditions: - - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. - - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. This requirement modifies the requirement in section 4 to - "keep intact all notices". - - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. - - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. - - A compilation of a covered work with other separate and independent -works, which are not by their nature extensions of the covered work, -and which are not combined with it such as to form a larger program, -in or on a volume of a storage or distribution medium, is called an -"aggregate" if the compilation and its resulting copyright are not -used to limit the access or legal rights of the compilation's users -beyond what the individual works permit. Inclusion of a covered work -in an aggregate does not cause this License to apply to the other -parts of the aggregate. - - 6. Conveying Non-Source Forms. - - You may convey a covered work in object code form under the terms -of sections 4 and 5, provided that you also convey the -machine-readable Corresponding Source under the terms of this License, -in one of these ways: - - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. - - b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. - - e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. - - A separable portion of the object code, whose source code is excluded -from the Corresponding Source as a System Library, need not be -included in conveying the object code work. - - A "User Product" is either (1) a "consumer product", which means any -tangible personal property which is normally used for personal, family, -or household purposes, or (2) anything designed or sold for incorporation -into a dwelling. In determining whether a product is a consumer product, -doubtful cases shall be resolved in favor of coverage. For a particular -product received by a particular user, "normally used" refers to a -typical or common use of that class of product, regardless of the status -of the particular user or of the way in which the particular user -actually uses, or expects or is expected to use, the product. A product -is a consumer product regardless of whether the product has substantial -commercial, industrial or non-consumer uses, unless such uses represent -the only significant mode of use of the product. - - "Installation Information" for a User Product means any methods, -procedures, authorization keys, or other information required to install -and execute modified versions of a covered work in that User Product from -a modified version of its Corresponding Source. The information must -suffice to ensure that the continued functioning of the modified object -code is in no case prevented or interfered with solely because -modification has been made. - - If you convey an object code work under this section in, or with, or -specifically for use in, a User Product, and the conveying occurs as -part of a transaction in which the right of possession and use of the -User Product is transferred to the recipient in perpetuity or for a -fixed term (regardless of how the transaction is characterized), the -Corresponding Source conveyed under this section must be accompanied -by the Installation Information. But this requirement does not apply -if neither you nor any third party retains the ability to install -modified object code on the User Product (for example, the work has -been installed in ROM). - - The requirement to provide Installation Information does not include a -requirement to continue to provide support service, warranty, or updates -for a work that has been modified or installed by the recipient, or for -the User Product in which it has been modified or installed. Access to a -network may be denied when the modification itself materially and -adversely affects the operation of the network or violates the rules and -protocols for communication across the network. - - Corresponding Source conveyed, and Installation Information provided, -in accord with this section must be in a format that is publicly -documented (and with an implementation available to the public in -source code form), and must require no special password or key for -unpacking, reading or copying. - - 7. Additional Terms. - - "Additional permissions" are terms that supplement the terms of this -License by making exceptions from one or more of its conditions. -Additional permissions that are applicable to the entire Program shall -be treated as though they were included in this License, to the extent -that they are valid under applicable law. If additional permissions -apply only to part of the Program, that part may be used separately -under those permissions, but the entire Program remains governed by -this License without regard to the additional permissions. - - When you convey a copy of a covered work, you may at your option -remove any additional permissions from that copy, or from any part of -it. (Additional permissions may be written to require their own -removal in certain cases when you modify the work.) You may place -additional permissions on material, added by you to a covered work, -for which you have or can give appropriate copyright permission. - - Notwithstanding any other provision of this License, for material you -add to a covered work, you may (if authorized by the copyright holders of -that material) supplement the terms of this License with terms: - - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or - - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or - - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or - - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or - - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or - - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. - - All other non-permissive additional terms are considered "further -restrictions" within the meaning of section 10. If the Program as you -received it, or any part of it, contains a notice stating that it is -governed by this License along with a term that is a further -restriction, you may remove that term. If a license document contains -a further restriction but permits relicensing or conveying under this -License, you may add to a covered work material governed by the terms -of that license document, provided that the further restriction does -not survive such relicensing or conveying. - - If you add terms to a covered work in accord with this section, you -must place, in the relevant source files, a statement of the -additional terms that apply to those files, or a notice indicating -where to find the applicable terms. - - Additional terms, permissive or non-permissive, may be stated in the -form of a separately written license, or stated as exceptions; -the above requirements apply either way. - - 8. Termination. - - You may not propagate or modify a covered work except as expressly -provided under this License. Any attempt otherwise to propagate or -modify it is void, and will automatically terminate your rights under -this License (including any patent licenses granted under the third -paragraph of section 11). - - However, if you cease all violation of this License, then your -license from a particular copyright holder is reinstated (a) -provisionally, unless and until the copyright holder explicitly and -finally terminates your license, and (b) permanently, if the copyright -holder fails to notify you of the violation by some reasonable means -prior to 60 days after the cessation. - - Moreover, your license from a particular copyright holder is -reinstated permanently if the copyright holder notifies you of the -violation by some reasonable means, this is the first time you have -received notice of violation of this License (for any work) from that -copyright holder, and you cure the violation prior to 30 days after -your receipt of the notice. - - Termination of your rights under this section does not terminate the -licenses of parties who have received copies or rights from you under -this License. If your rights have been terminated and not permanently -reinstated, you do not qualify to receive new licenses for the same -material under section 10. - - 9. Acceptance Not Required for Having Copies. - - You are not required to accept this License in order to receive or -run a copy of the Program. Ancillary propagation of a covered work -occurring solely as a consequence of using peer-to-peer transmission -to receive a copy likewise does not require acceptance. However, -nothing other than this License grants you permission to propagate or -modify any covered work. These actions infringe copyright if you do -not accept this License. Therefore, by modifying or propagating a -covered work, you indicate your acceptance of this License to do so. - - 10. Automatic Licensing of Downstream Recipients. - - Each time you convey a covered work, the recipient automatically -receives a license from the original licensors, to run, modify and -propagate that work, subject to this License. You are not responsible -for enforcing compliance by third parties with this License. - - An "entity transaction" is a transaction transferring control of an -organization, or substantially all assets of one, or subdividing an -organization, or merging organizations. If propagation of a covered -work results from an entity transaction, each party to that -transaction who receives a copy of the work also receives whatever -licenses to the work the party's predecessor in interest had or could -give under the previous paragraph, plus a right to possession of the -Corresponding Source of the work from the predecessor in interest, if -the predecessor has it or can get it with reasonable efforts. - - You may not impose any further restrictions on the exercise of the -rights granted or affirmed under this License. For example, you may -not impose a license fee, royalty, or other charge for exercise of -rights granted under this License, and you may not initiate litigation -(including a cross-claim or counterclaim in a lawsuit) alleging that -any patent claim is infringed by making, using, selling, offering for -sale, or importing the Program or any portion of it. - - 11. Patents. - - A "contributor" is a copyright holder who authorizes use under this -License of the Program or a work on which the Program is based. The -work thus licensed is called the contributor's "contributor version". - - A contributor's "essential patent claims" are all patent claims -owned or controlled by the contributor, whether already acquired or -hereafter acquired, that would be infringed by some manner, permitted -by this License, of making, using, or selling its contributor version, -but do not include claims that would be infringed only as a -consequence of further modification of the contributor version. For -purposes of this definition, "control" includes the right to grant -patent sublicenses in a manner consistent with the requirements of -this License. - - Each contributor grants you a non-exclusive, worldwide, royalty-free -patent license under the contributor's essential patent claims, to -make, use, sell, offer for sale, import and otherwise run, modify and -propagate the contents of its contributor version. - - In the following three paragraphs, a "patent license" is any express -agreement or commitment, however denominated, not to enforce a patent -(such as an express permission to practice a patent or covenant not to -sue for patent infringement). To "grant" such a patent license to a -party means to make such an agreement or commitment not to enforce a -patent against the party. - - If you convey a covered work, knowingly relying on a patent license, -and the Corresponding Source of the work is not available for anyone -to copy, free of charge and under the terms of this License, through a -publicly available network server or other readily accessible means, -then you must either (1) cause the Corresponding Source to be so -available, or (2) arrange to deprive yourself of the benefit of the -patent license for this particular work, or (3) arrange, in a manner -consistent with the requirements of this License, to extend the patent -license to downstream recipients. "Knowingly relying" means you have -actual knowledge that, but for the patent license, your conveying the -covered work in a country, or your recipient's use of the covered work -in a country, would infringe one or more identifiable patents in that -country that you have reason to believe are valid. - - If, pursuant to or in connection with a single transaction or -arrangement, you convey, or propagate by procuring conveyance of, a -covered work, and grant a patent license to some of the parties -receiving the covered work authorizing them to use, propagate, modify -or convey a specific copy of the covered work, then the patent license -you grant is automatically extended to all recipients of the covered -work and works based on it. - - A patent license is "discriminatory" if it does not include within -the scope of its coverage, prohibits the exercise of, or is -conditioned on the non-exercise of one or more of the rights that are -specifically granted under this License. You may not convey a covered -work if you are a party to an arrangement with a third party that is -in the business of distributing software, under which you make payment -to the third party based on the extent of your activity of conveying -the work, and under which the third party grants, to any of the -parties who would receive the covered work from you, a discriminatory -patent license (a) in connection with copies of the covered work -conveyed by you (or copies made from those copies), or (b) primarily -for and in connection with specific products or compilations that -contain the covered work, unless you entered into that arrangement, -or that patent license was granted, prior to 28 March 2007. - - Nothing in this License shall be construed as excluding or limiting -any implied license or other defenses to infringement that may -otherwise be available to you under applicable patent law. - - 12. No Surrender of Others' Freedom. - - If conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot convey a -covered work so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you may -not convey it at all. For example, if you agree to terms that obligate you -to collect a royalty for further conveying from those to whom you convey -the Program, the only way you could satisfy both those terms and this -License would be to refrain entirely from conveying the Program. - - 13. Use with the GNU Affero General Public License. - - Notwithstanding any other provision of this License, you have -permission to link or combine any covered work with a work licensed -under version 3 of the GNU Affero General Public License into a single -combined work, and to convey the resulting work. The terms of this -License will continue to apply to the part which is the covered work, -but the special requirements of the GNU Affero General Public License, -section 13, concerning interaction through a network will apply to the -combination as such. - - 14. Revised Versions of this License. - - The Free Software Foundation may publish revised and/or new versions of -the GNU General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - - Each version is given a distinguishing version number. If the -Program specifies that a certain numbered version of the GNU General -Public License "or any later version" applies to it, you have the -option of following the terms and conditions either of that numbered -version or of any later version published by the Free Software -Foundation. If the Program does not specify a version number of the -GNU General Public License, you may choose any version ever published -by the Free Software Foundation. - - If the Program specifies that a proxy can decide which future -versions of the GNU General Public License can be used, that proxy's -public statement of acceptance of a version permanently authorizes you -to choose that version for the Program. - - Later license versions may give you additional or different -permissions. However, no additional obligations are imposed on any -author or copyright holder as a result of your choosing to follow a -later version. - - 15. Disclaimer of Warranty. - - THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY -APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT -HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY -OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, -THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM -IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF -ALL NECESSARY SERVICING, REPAIR OR CORRECTION. - - 16. Limitation of Liability. - - IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS -THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY -GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE -USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF -DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD -PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), -EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF -SUCH DAMAGES. - - 17. Interpretation of Sections 15 and 16. - - If the disclaimer of warranty and limitation of liability provided -above cannot be given local legal effect according to their terms, -reviewing courts shall apply local law that most closely approximates -an absolute waiver of all civil liability in connection with the -Program, unless a warranty or assumption of liability accompanies a -copy of the Program in return for a fee. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -state the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - {one line to give the program's name and a brief idea of what it does.} - Copyright (C) {year} {name of author} - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see {http://www.gnu.org/licenses/}. - -Also add information on how to contact you by electronic and paper mail. - - If the program does terminal interaction, make it output a short -notice like this when it starts in an interactive mode: - - cronexpr Copyright (C) 2013 Raymond Hill - This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, your program's commands -might be different; for a GUI interface, you would use an "about box". - - You should also get your employer (if you work as a programmer) or school, -if any, to sign a "copyright disclaimer" for the program, if necessary. -For more information on this, and how to apply and follow the GNU GPL, see -{http://www.gnu.org/licenses/}. - - The GNU General Public License does not permit incorporating your program -into proprietary programs. If your program is a subroutine library, you -may consider it more useful to permit linking proprietary applications with -the library. If this is what you want to do, use the GNU Lesser General -Public License instead of this License. But first, please read -{http://www.gnu.org/philosophy/why-not-lgpl.html}. +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/gorhill/cronexpr@v0.0.0-20161205141322-d520615e531a/APLv2: + + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. -------------------------------------------------------------------------------- @@ -12135,11 +11845,11 @@ Contents of probable licence file $GOMODCACHE/github.com/oklog/ulid@v1.3.1/LICEN -------------------------------------------------------------------------------- Dependency : github.com/pierrre/gotestcover -Version: v0.0.0-20160113212533-7b94f124d338 +Version: v0.0.0-20160517101806-924dca7d15f0 Licence type (autodetected): MIT -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/pierrre/gotestcover@v0.0.0-20160113212533-7b94f124d338/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/pierrre/gotestcover@v0.0.0-20160517101806-924dca7d15f0/LICENSE: Copyright (C) 2015 Pierre Durand @@ -14231,11 +13941,11 @@ Contents of probable licence file $GOMODCACHE/github.com/xdg/scram@v0.0.0-201808 -------------------------------------------------------------------------------- Dependency : go.elastic.co/apm -Version: v1.7.2 +Version: v1.8.1-0.20200909061013-2aef45b9cf4b Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/go.elastic.co/apm@v1.7.2/LICENSE: +Contents of probable licence file $GOMODCACHE/go.elastic.co/apm@v1.8.1-0.20200909061013-2aef45b9cf4b/LICENSE: Apache License Version 2.0, January 2004 @@ -15589,11 +15299,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- Dependency : golang.org/x/sys -Version: v0.0.0-20200202164722-d101bd2416d5 +Version: v0.0.0-20200625212154-ddb9806d33ae Licence type (autodetected): BSD-3-Clause -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/golang.org/x/sys@v0.0.0-20200202164722-d101bd2416d5/LICENSE: +Contents of probable licence file $GOMODCACHE/golang.org/x/sys@v0.0.0-20200625212154-ddb9806d33ae/LICENSE: Copyright (c) 2009 The Go Authors. All rights reserved. @@ -16197,15 +15907,14 @@ Contents of probable licence file $GOMODCACHE/google.golang.org/grpc@v1.29.1/LIC -------------------------------------------------------------------------------- -Dependency : gopkg.in/inf.v0 -Version: v0.9.1 +Dependency : google.golang.org/protobuf +Version: v1.23.0 Licence type (autodetected): BSD-3-Clause -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/gopkg.in/inf.v0@v0.9.1/LICENSE: +Contents of probable licence file $GOMODCACHE/google.golang.org/protobuf@v1.23.0/LICENSE: -Copyright (c) 2012 Péter Surányi. Portions Copyright (c) 2009 The Go -Authors. All rights reserved. +Copyright (c) 2018 The Go Authors. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are @@ -16235,258 +15944,50 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- -Dependency : gopkg.in/jcmturner/gokrb5.v7 -Version: v7.5.0 -Licence type (autodetected): Apache-2.0 --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/gopkg.in/jcmturner/gokrb5.v7@v7.5.0/LICENSE: - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - --------------------------------------------------------------------------------- -Dependency : gopkg.in/mgo.v2 -Version: v2.0.0-20160818020120-3f83fa500528 -Licence type (autodetected): BSD-2-Clause +Dependency : gopkg.in/inf.v0 +Version: v0.9.1 +Licence type (autodetected): BSD-3-Clause -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/gopkg.in/mgo.v2@v2.0.0-20160818020120-3f83fa500528/LICENSE: - -mgo - MongoDB driver for Go - -Copyright (c) 2010-2013 - Gustavo Niemeyer +Contents of probable licence file $GOMODCACHE/gopkg.in/inf.v0@v0.9.1/LICENSE: -All rights reserved. +Copyright (c) 2012 Péter Surányi. Portions Copyright (c) 2009 The Go +Authors. All rights reserved. Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: +modification, are permitted provided that the following conditions are +met: -1. Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. -2. Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR -ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- -Dependency : gopkg.in/yaml.v2 -Version: v2.3.0 +Dependency : gopkg.in/jcmturner/gokrb5.v7 +Version: v7.5.0 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/gopkg.in/yaml.v2@v2.3.0/LICENSE: +Contents of probable licence file $GOMODCACHE/gopkg.in/jcmturner/gokrb5.v7@v7.5.0/LICENSE: Apache License Version 2.0, January 2004 @@ -16692,14 +16193,18 @@ Contents of probable licence file $GOMODCACHE/gopkg.in/yaml.v2@v2.3.0/LICENSE: -------------------------------------------------------------------------------- -Dependency : howett.net/plist -Version: v0.0.0-20181124034731-591f970eefbb +Dependency : gopkg.in/mgo.v2 +Version: v2.0.0-20160818020120-3f83fa500528 Licence type (autodetected): BSD-2-Clause -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/howett.net/plist@v0.0.0-20181124034731-591f970eefbb/LICENSE: +Contents of probable licence file $GOMODCACHE/gopkg.in/mgo.v2@v2.0.0-20160818020120-3f83fa500528/LICENSE: -Copyright (c) 2013, Dustin L. Howett. All rights reserved. +mgo - MongoDB driver for Go + +Copyright (c) 2010-2013 - Gustavo Niemeyer + +All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -16721,52 +16226,14 @@ ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -The views and conclusions contained in the software and documentation are those -of the authors and should not be interpreted as representing official policies, -either expressed or implied, of the FreeBSD Project. - --------------------------------------------------------------------------------- -Parts of this package were made available under the license covering -the Go language and all attended core libraries. That license follows. --------------------------------------------------------------------------------- - -Copyright (c) 2012 The Go Authors. All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met: - - * Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above -copyright notice, this list of conditions and the following disclaimer -in the documentation and/or other materials provided with the -distribution. - * Neither the name of Google Inc. nor the names of its -contributors may be used to endorse or promote products derived from -this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -------------------------------------------------------------------------------- -Dependency : k8s.io/api -Version: v0.18.3 +Dependency : gopkg.in/yaml.v2 +Version: v2.3.0 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/k8s.io/api@v0.18.3/LICENSE: - +Contents of probable licence file $GOMODCACHE/gopkg.in/yaml.v2@v2.3.0/LICENSE: Apache License Version 2.0, January 2004 @@ -16948,7 +16415,7 @@ Contents of probable licence file $GOMODCACHE/k8s.io/api@v0.18.3/LICENSE: APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" + boilerplate notice, with the fields enclosed by brackets "{}" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a @@ -16956,7 +16423,7 @@ Contents of probable licence file $GOMODCACHE/k8s.io/api@v0.18.3/LICENSE: same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright [yyyy] [name of copyright owner] + Copyright {yyyy} {name of copyright owner} Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -16972,12 +16439,103 @@ Contents of probable licence file $GOMODCACHE/k8s.io/api@v0.18.3/LICENSE: -------------------------------------------------------------------------------- -Dependency : k8s.io/apimachinery +Dependency : gotest.tools +Version: v2.2.0+incompatible +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/gotest.tools@v2.2.0+incompatible/LICENSE: + +Copyright 2018 gotest.tools authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + + +-------------------------------------------------------------------------------- +Dependency : howett.net/plist +Version: v0.0.0-20181124034731-591f970eefbb +Licence type (autodetected): BSD-2-Clause +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/howett.net/plist@v0.0.0-20181124034731-591f970eefbb/LICENSE: + +Copyright (c) 2013, Dustin L. Howett. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +1. Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR +ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +The views and conclusions contained in the software and documentation are those +of the authors and should not be interpreted as representing official policies, +either expressed or implied, of the FreeBSD Project. + +-------------------------------------------------------------------------------- +Parts of this package were made available under the license covering +the Go language and all attended core libraries. That license follows. +-------------------------------------------------------------------------------- + +Copyright (c) 2012 The Go Authors. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +-------------------------------------------------------------------------------- +Dependency : k8s.io/api Version: v0.18.3 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/k8s.io/apimachinery@v0.18.3/LICENSE: +Contents of probable licence file $GOMODCACHE/k8s.io/api@v0.18.3/LICENSE: Apache License @@ -17184,12 +16742,12 @@ Contents of probable licence file $GOMODCACHE/k8s.io/apimachinery@v0.18.3/LICENS -------------------------------------------------------------------------------- -Dependency : k8s.io/client-go +Dependency : k8s.io/apimachinery Version: v0.18.3 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/k8s.io/client-go@v0.18.3/LICENSE: +Contents of probable licence file $GOMODCACHE/k8s.io/apimachinery@v0.18.3/LICENSE: Apache License @@ -17395,151 +16953,13 @@ Contents of probable licence file $GOMODCACHE/k8s.io/client-go@v0.18.3/LICENSE: limitations under the License. - - -================================================================================ -Indirect dependencies - - --------------------------------------------------------------------------------- -Dependency : 4d63.com/embedfiles -Version: v0.0.0-20190311033909-995e0740726f -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/4d63.com/embedfiles@v0.0.0-20190311033909-995e0740726f/LICENSE: - -Copyright (c) 2017, Leigh McCulloch - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. - - --------------------------------------------------------------------------------- -Dependency : bazil.org/fuse -Version: v0.0.0-20160811212531-371fbbdaa898 -Licence type (autodetected): BSD-3-Clause -------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/bazil.org/fuse@v0.0.0-20160811212531-371fbbdaa898/LICENSE: - -Copyright (c) 2013-2015 Tommi Virtanen. -Copyright (c) 2009, 2011, 2012 The Go Authors. -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met: - - * Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above -copyright notice, this list of conditions and the following disclaimer -in the documentation and/or other materials provided with the -distribution. - * Neither the name of Google Inc. nor the names of its -contributors may be used to endorse or promote products derived from -this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - - -The following included software components have additional copyright -notices and license terms that may differ from the above. - - -File fuse.go: - -// Adapted from Plan 9 from User Space's src/cmd/9pfuse/fuse.c, -// which carries this notice: -// -// The files in this directory are subject to the following license. -// -// The author of this software is Russ Cox. -// -// Copyright (c) 2006 Russ Cox -// -// Permission to use, copy, modify, and distribute this software for any -// purpose without fee is hereby granted, provided that this entire notice -// is included in all copies of any software which is or includes a copy -// or modification of this software and in all copies of the supporting -// documentation for such software. -// -// THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED -// WARRANTY. IN PARTICULAR, THE AUTHOR MAKES NO REPRESENTATION OR WARRANTY -// OF ANY KIND CONCERNING THE MERCHANTABILITY OF THIS SOFTWARE OR ITS -// FITNESS FOR ANY PARTICULAR PURPOSE. - - -File fuse_kernel.go: - -// Derived from FUSE's fuse_kernel.h -/* - This file defines the kernel interface of FUSE - Copyright (C) 2001-2007 Miklos Szeredi - - - This -- and only this -- header file may also be distributed under - the terms of the BSD Licence as follows: - - Copyright (C) 2001-2007 Miklos Szeredi. All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions - are met: - 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE - FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - SUCH DAMAGE. -*/ - - --------------------------------------------------------------------------------- -Dependency : cloud.google.com/go/bigquery -Version: v1.0.1 +Dependency : k8s.io/client-go +Version: v0.18.3 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/cloud.google.com/go/bigquery@v1.0.1/LICENSE: +Contents of probable licence file $GOMODCACHE/k8s.io/client-go@v0.18.3/LICENSE: Apache License @@ -17745,6 +17165,144 @@ Contents of probable licence file $GOMODCACHE/cloud.google.com/go/bigquery@v1.0. limitations under the License. + + +================================================================================ +Indirect dependencies + + +-------------------------------------------------------------------------------- +Dependency : 4d63.com/embedfiles +Version: v0.0.0-20190311033909-995e0740726f +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/4d63.com/embedfiles@v0.0.0-20190311033909-995e0740726f/LICENSE: + +Copyright (c) 2017, Leigh McCulloch + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + + +-------------------------------------------------------------------------------- +Dependency : bazil.org/fuse +Version: v0.0.0-20160811212531-371fbbdaa898 +Licence type (autodetected): BSD-3-Clause +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/bazil.org/fuse@v0.0.0-20160811212531-371fbbdaa898/LICENSE: + +Copyright (c) 2013-2015 Tommi Virtanen. +Copyright (c) 2009, 2011, 2012 The Go Authors. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + + +The following included software components have additional copyright +notices and license terms that may differ from the above. + + +File fuse.go: + +// Adapted from Plan 9 from User Space's src/cmd/9pfuse/fuse.c, +// which carries this notice: +// +// The files in this directory are subject to the following license. +// +// The author of this software is Russ Cox. +// +// Copyright (c) 2006 Russ Cox +// +// Permission to use, copy, modify, and distribute this software for any +// purpose without fee is hereby granted, provided that this entire notice +// is included in all copies of any software which is or includes a copy +// or modification of this software and in all copies of the supporting +// documentation for such software. +// +// THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED +// WARRANTY. IN PARTICULAR, THE AUTHOR MAKES NO REPRESENTATION OR WARRANTY +// OF ANY KIND CONCERNING THE MERCHANTABILITY OF THIS SOFTWARE OR ITS +// FITNESS FOR ANY PARTICULAR PURPOSE. + + +File fuse_kernel.go: + +// Derived from FUSE's fuse_kernel.h +/* + This file defines the kernel interface of FUSE + Copyright (C) 2001-2007 Miklos Szeredi + + + This -- and only this -- header file may also be distributed under + the terms of the BSD Licence as follows: + + Copyright (C) 2001-2007 Miklos Szeredi. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. +*/ + + -------------------------------------------------------------------------------- Dependency : cloud.google.com/go/datastore Version: v1.0.0 @@ -19863,6 +19421,36 @@ Contents of probable licence file $GOMODCACHE/github.com/!burnt!sushi/xgb@v0.0.0 // such litigation is filed. +-------------------------------------------------------------------------------- +Dependency : github.com/Masterminds/semver +Version: v1.4.2 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/!masterminds/semver@v1.4.2/LICENSE.txt: + +The Masterminds +Copyright (C) 2014-2015, Matt Butcher and Matt Farina + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + + -------------------------------------------------------------------------------- Dependency : github.com/Microsoft/hcsshim Version: v0.8.7 @@ -20007,37 +19595,6 @@ SOFTWARE. --------------------------------------------------------------------------------- -Dependency : github.com/Sirupsen/logrus -Version: v1.0.1-0.20170608221441-85b1699d5056 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/!sirupsen/logrus@v1.0.1-0.20170608221441-85b1699d5056/LICENSE: - -The MIT License (MIT) - -Copyright (c) 2014 Simon Eskildsen - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. - - -------------------------------------------------------------------------------- Dependency : github.com/akavel/rsrc Version: v0.8.0 @@ -37787,11 +37344,11 @@ SOFTWARE. -------------------------------------------------------------------------------- Dependency : go.elastic.co/fastjson -Version: v1.0.0 +Version: v1.1.0 Licence type (autodetected): MIT -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/go.elastic.co/fastjson@v1.0.0/LICENSE: +Contents of probable licence file $GOMODCACHE/go.elastic.co/fastjson@v1.1.0/LICENSE: Copyright 2018 Elasticsearch BV @@ -38486,43 +38043,6 @@ Contents of probable licence file $GOMODCACHE/google.golang.org/appengine@v1.6.5 limitations under the License. --------------------------------------------------------------------------------- -Dependency : google.golang.org/protobuf -Version: v1.23.0 -Licence type (autodetected): BSD-3-Clause --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/google.golang.org/protobuf@v1.23.0/LICENSE: - -Copyright (c) 2018 The Go Authors. All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met: - - * Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above -copyright notice, this list of conditions and the following disclaimer -in the documentation and/or other materials provided with the -distribution. - * Neither the name of Google Inc. nor the names of its -contributors may be used to endorse or promote products derived from -this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - -------------------------------------------------------------------------------- Dependency : gopkg.in/airbrake/gobrake.v2 Version: v2.0.9 @@ -39672,29 +39192,6 @@ See the License for the specific language governing permissions and limitations under the License. --------------------------------------------------------------------------------- -Dependency : gotest.tools -Version: v2.2.0+incompatible -Licence type (autodetected): Apache-2.0 --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/gotest.tools@v2.2.0+incompatible/LICENSE: - -Copyright 2018 gotest.tools authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - - -------------------------------------------------------------------------------- Dependency : honnef.co/go/tools Version: v0.0.1-2019.2.3 diff --git a/README.md b/README.md index 1b383c288de..28fbe081d04 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,6 @@ -[![Build Status](https://beats-ci.elastic.co/job/Beats/job/beats-beats-mbp/job/master/badge/icon)](https://beats-ci.elastic.co/job/Beats/job/beats-beats-mbp/job/master/) +[![Build Status](https://beats-ci.elastic.co/job/Beats/job/beats/job/master/badge/icon)](https://beats-ci.elastic.co/job/Beats/job/beats/job/master/) [![Travis](https://travis-ci.org/elastic/beats.svg?branch=master)](https://travis-ci.org/elastic/beats) [![GoReportCard](http://goreportcard.com/badge/elastic/beats)](http://goreportcard.com/report/elastic/beats) -[![codecov.io](https://codecov.io/github/elastic/beats/coverage.svg?branch=master)](https://codecov.io/github/elastic/beats?branch=master) [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com) # Beats - The Lightweight Shippers of the Elastic Stack @@ -51,6 +50,10 @@ on the [elastic.co site](https://www.elastic.co/guide/): * [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/index.html) * [Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/index.html) +## Documentation and Getting Started information for the Elastic Agent + +You can find the documentation and getting started guides for the Elastic Agent +on the [elastic.co site](https://www.elastic.co/downloads/elastic-agent) ## Getting Help @@ -90,15 +93,31 @@ For testing purposes, we generate snapshot builds that you can find [here](https ## CI +### PR Comments + It is possible to trigger some jobs by putting a comment on a GitHub PR. (This service is only available for users affiliated with Elastic and not for open-source contributors.) * [beats][] - * `jenkins run the tests please` - * `jenkins run tests` + * `jenkins run the tests please` or `jenkins run tests` or `/test` will kick off a default build. + * `/test macos` will kick off a default build with also the `macos` stages. + * `/test ` will kick off the default build for the given PR in addition to the `` build itself. + * `/test for macos` will kick off a default build with also the `macos` stage for the ``. * [apm-beats-update][] * `/run apm-beats-update` +* [apm-beats-packaging][] + * `/package` or `/packaging` will kick of a build to generate the packages for beats. +* [apm-beats-tester][] + * `/beats-tester` will kick of a build to validate the generated packages. + +### PR Labels + +It's possible to configure the build on a GitHub PR by labelling the PR with the below labels +* `` to force the following builds to run the stages for the `` +* `macOS` to force the following builds to run the `macos` stages. -[beats]: https://beats-ci.elastic.co/job/Beats/job/beats-beats-mbp/ +[beats]: https://beats-ci.elastic.co/job/Beats/job/beats/ [apm-beats-update]: https://beats-ci.elastic.co/job/Beats/job/apm-beats-update/ +[apm-beats-packaging]: https://beats-ci.elastic.co/job/Beats/job/packaging/ +[apm-beats-tester]: https://beats-ci.elastic.co/job/Beats/job/beats-tester/ diff --git a/auditbeat/Dockerfile b/auditbeat/Dockerfile index 194289595e2..0db572a2d1f 100644 --- a/auditbeat/Dockerfile +++ b/auditbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 RUN \ apt-get update \ @@ -9,8 +9,6 @@ RUN \ librpm-dev \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/auditbeat/Jenkinsfile.yml b/auditbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..873e2c319f3 --- /dev/null +++ b/auditbeat/Jenkinsfile.yml @@ -0,0 +1,34 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^auditbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@oss" ## special token regarding the changeset for the oss + comments: ## when PR comment contains any of those entries + - "/test auditbeat" + labels: ## when PR labels matches any of those entries + - "auditbeat" + parameters: ## when parameter was selected in the UI. + - "auditbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage build test" + crosscompile: + make: "make -C auditbeat crosscompile" + macos: + mage: "mage build unitTest" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test auditbeat for macos" + labels: + - "macOS" + parameters: + - "macosTest" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml index f075f27639b..f0dafa75662 100644 --- a/auditbeat/auditbeat.reference.yml +++ b/auditbeat/auditbeat.reference.yml @@ -489,10 +489,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 @@ -605,20 +613,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -628,7 +643,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -791,30 +806,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -827,6 +849,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -934,42 +962,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. @@ -1102,6 +1144,11 @@ output.elasticsearch: # Set to false to disable template loading. #setup.template.enabled: true +# Select the kind of index template. From Elasticsearch 7.8, it is possible to +# use component templates. Available options: legacy, component, index. +# By default auditbeat uses the legacy index templates. +#setup.template.type: legacy + # Template name. By default the template name is "auditbeat-%{[agent.version]}" # The template name and pattern has to be set in case the Elasticsearch index pattern is modified. #setup.template.name: "auditbeat-%{[agent.version]}" @@ -1205,20 +1252,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1237,6 +1295,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog @@ -1387,17 +1456,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1420,6 +1496,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/auditbeat/conftest.py b/auditbeat/conftest.py new file mode 100644 index 00000000000..060b8f8073f --- /dev/null +++ b/auditbeat/conftest.py @@ -0,0 +1,5 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../libbeat/tests/system')) +sys.path.append(os.path.join(os.path.dirname(__file__), '../metricbeat/tests/system')) diff --git a/auditbeat/docs/configuring-howto.asciidoc b/auditbeat/docs/configuring-howto.asciidoc index f52e7abb0d6..745c58c7997 100644 --- a/auditbeat/docs/configuring-howto.asciidoc +++ b/auditbeat/docs/configuring-howto.asciidoc @@ -24,6 +24,7 @@ include::{libbeat-dir}/shared/configuring-intro.asciidoc[] * <> * <> * <> +* <> * <<{beatname_lc}-reference-yml>> After changing configuration settings, you need to restart {beatname_uc} to @@ -57,4 +58,6 @@ include::{libbeat-dir}/http-endpoint.asciidoc[] include::{libbeat-dir}/regexp.asciidoc[] +include::{libbeat-dir}/shared-instrumentation.asciidoc[] + include::{libbeat-dir}/reference-yml.asciidoc[] diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index 558c5559028..7ba194357ee 100644 --- a/auditbeat/docs/fields.asciidoc +++ b/auditbeat/docs/fields.asciidoc @@ -2520,16 +2520,6 @@ Metadata from cloud providers added by the add_cloud_metadata processor. -*`cloud.project.id`*:: -+ --- -Name of the project in Google Cloud. - - -example: project-x - --- - *`cloud.image.id`*:: + -- @@ -2987,6 +2977,18 @@ The agent fields contain the data about the software entity, if any, that collec Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`agent.build.original`*:: ++ +-- +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. + +type: keyword + +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] + +-- + *`agent.ephemeral_id`*:: + -- @@ -3028,7 +3030,7 @@ example: foo + -- Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: keyword @@ -3244,8 +3246,7 @@ example: Quebec *`client.ip`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the client (IPv4 or IPv6). type: ip @@ -3308,19 +3309,19 @@ format: string + -- The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`client.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -3407,7 +3408,7 @@ type: keyword *`client.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -3431,6 +3432,17 @@ type: text -- +*`client.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === cloud @@ -3449,6 +3461,18 @@ example: 666777888999 -- +*`cloud.account.name`*:: ++ +-- +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. + +type: keyword + +example: elastic-dev + +-- + *`cloud.availability_zone`*:: + -- @@ -3491,6 +3515,30 @@ example: t2.medium -- +*`cloud.project.id`*:: ++ +-- +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. + +type: keyword + +example: my-project + +-- + +*`cloud.project.name`*:: ++ +-- +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. + +type: keyword + +example: my project + +-- + *`cloud.provider`*:: + -- @@ -3801,8 +3849,7 @@ example: Quebec *`destination.ip`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the destination (IPv4 or IPv6). type: ip @@ -3865,19 +3912,19 @@ format: string + -- The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`destination.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -3964,7 +4011,7 @@ type: keyword *`destination.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -3988,6 +4035,17 @@ type: text -- +*`destination.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === dll @@ -4116,6 +4174,17 @@ example: C:\Windows\System32\kernel32.dll -- +*`dll.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`dll.pe.company`*:: + -- @@ -4149,6 +4218,18 @@ example: 6.3.9600.17415 -- +*`dll.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`dll.pe.original_file_name`*:: + -- @@ -4220,7 +4301,7 @@ If a chain of CNAME is being resolved, each answer's `name` should be the one th type: keyword -example: www.google.com +example: www.example.com -- @@ -4299,7 +4380,7 @@ If the name field contains non-printable characters (below 32 or above 126), tho type: keyword -example: www.google.com +example: www.example.com -- @@ -4307,12 +4388,12 @@ example: www.google.com + -- The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- @@ -4331,7 +4412,7 @@ example: www *`dns.question.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -4448,6 +4529,8 @@ The stack trace of this error in plain text. type: keyword +Field is not indexed. + -- *`error.stack_trace.text`*:: @@ -4630,6 +4713,8 @@ type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +Field is not indexed. + -- *`event.outcome`*:: @@ -4659,6 +4744,18 @@ example: kernel -- +*`event.reason`*:: ++ +-- +Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + +type: keyword + +example: Terminated an unexpected process + +-- + *`event.reference`*:: + -- @@ -4667,7 +4764,7 @@ This URL links to a static definition of the this event. Alert events, indicated type: keyword -example: https://system.vendor.com/event/#0001234 +example: https://system.example.com/event/#0001234 -- @@ -4751,11 +4848,11 @@ type: keyword + -- URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe -- @@ -5049,6 +5146,17 @@ type: text -- +*`file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`file.pe.company`*:: + -- @@ -5082,6 +5190,18 @@ example: 6.3.9600.17415 -- +*`file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`file.pe.original_file_name`*:: + -- @@ -5154,211 +5274,278 @@ example: 1001 -- -[float] -=== geo +*`file.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +type: keyword +example: *.elastic.co -*`geo.city_name`*:: +-- + +*`file.x509.issuer.common_name`*:: + -- -City name. +List of common name (CN) of issuing certificate authority. type: keyword -example: Montreal +example: Example SHA2 High Assurance Server CA -- -*`geo.continent_name`*:: +*`file.x509.issuer.country`*:: + -- -Name of the continent. +List of country (C) codes type: keyword -example: North America +example: US -- -*`geo.country_iso_code`*:: +*`file.x509.issuer.distinguished_name`*:: + -- -Country ISO code. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: CA +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`geo.country_name`*:: +*`file.x509.issuer.locality`*:: + -- -Country name. +List of locality names (L) type: keyword -example: Canada +example: Mountain View -- -*`geo.location`*:: +*`file.x509.issuer.organization`*:: + -- -Longitude and latitude. +List of organizations (O) of issuing certificate authority. -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Example Inc -- -*`geo.name`*:: +*`file.x509.issuer.organizational_unit`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: boston-dc +example: www.example.com -- -*`geo.region_iso_code`*:: +*`file.x509.issuer.state_or_province`*:: + -- -Region ISO code. +List of state or province names (ST, S, or P) type: keyword -example: CA-QC +example: California -- -*`geo.region_name`*:: +*`file.x509.not_after`*:: + -- -Region name. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: Quebec +example: 2020-07-16 03:15:39+00:00 -- -[float] -=== group +*`file.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. -The group fields are meant to represent groups that are relevant to the event. +type: date +example: 2019-08-16 01:40:25+00:00 -*`group.domain`*:: +-- + +*`file.x509.public_key_algorithm`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`group.id`*:: +*`file.x509.public_key_curve`*:: + -- -Unique identifier for the group on the system/platform. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`group.name`*:: +*`file.x509.public_key_exponent`*:: + -- -Name of the group. +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`file.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`file.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -[float] -=== hash +*`file.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. -The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +type: keyword +example: SHA256-RSA -*`hash.md5`*:: +-- + +*`file.x509.subject.common_name`*:: + -- -MD5 hash. +List of common names (CN) of subject. type: keyword +example: shared.global.example.net + -- -*`hash.sha1`*:: +*`file.x509.subject.country`*:: + -- -SHA1 hash. +List of country (C) code type: keyword +example: US + -- -*`hash.sha256`*:: +*`file.x509.subject.distinguished_name`*:: + -- -SHA256 hash. +Distinguished name (DN) of the certificate subject entity. type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`hash.sha512`*:: +*`file.x509.subject.locality`*:: + -- -SHA512 hash. +List of locality names (L) type: keyword +example: San Francisco + -- -[float] -=== host +*`file.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +type: keyword +example: Example, Inc. -*`host.architecture`*:: +-- + +*`file.x509.subject.organizational_unit`*:: + -- -Operating system architecture. +List of organizational units (OU) of subject. type: keyword -example: x86_64 +-- + +*`file.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California -- -*`host.domain`*:: +*`file.x509.version_number`*:: + -- -Name of the domain of which the host is a member. -For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. +Version of x509 format. type: keyword -example: CONTOSO +example: 3 -- -*`host.geo.city_name`*:: +[float] +=== geo + +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. + + +*`geo.city_name`*:: + -- City name. @@ -5369,7 +5556,7 @@ example: Montreal -- -*`host.geo.continent_name`*:: +*`geo.continent_name`*:: + -- Name of the continent. @@ -5380,7 +5567,7 @@ example: North America -- -*`host.geo.country_iso_code`*:: +*`geo.country_iso_code`*:: + -- Country ISO code. @@ -5391,7 +5578,7 @@ example: CA -- -*`host.geo.country_name`*:: +*`geo.country_name`*:: + -- Country name. @@ -5402,7 +5589,7 @@ example: Canada -- -*`host.geo.location`*:: +*`geo.location`*:: + -- Longitude and latitude. @@ -5413,7 +5600,7 @@ example: { "lon": -73.614830, "lat": 45.505918 } -- -*`host.geo.name`*:: +*`geo.name`*:: + -- User-defined description of a location, at the level of granularity they care about. @@ -5426,7 +5613,7 @@ example: boston-dc -- -*`host.geo.region_iso_code`*:: +*`geo.region_iso_code`*:: + -- Region ISO code. @@ -5437,7 +5624,7 @@ example: CA-QC -- -*`host.geo.region_name`*:: +*`geo.region_name`*:: + -- Region name. @@ -5448,20 +5635,217 @@ example: Quebec -- -*`host.hostname`*:: +[float] +=== group + +The group fields are meant to represent groups that are relevant to the event. + + +*`group.domain`*:: + -- -Hostname of the host. -It normally contains what the `hostname` command returns on the host machine. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`host.id`*:: +*`group.id`*:: + -- -Unique host id. +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +[float] +=== host + +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + + +*`host.architecture`*:: ++ +-- +Operating system architecture. + +type: keyword + +example: x86_64 + +-- + +*`host.domain`*:: ++ +-- +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + +type: keyword + +example: CONTOSO + +-- + +*`host.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`host.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`host.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`host.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`host.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`host.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`host.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`host.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`host.hostname`*:: ++ +-- +Hostname of the host. +It normally contains what the `hostname` command returns on the host machine. + +type: keyword + +-- + +*`host.id`*:: ++ +-- +Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. @@ -5676,7 +6060,7 @@ type: keyword *`host.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -5700,6 +6084,17 @@ type: text -- +*`host.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === http @@ -5754,11 +6149,13 @@ format: bytes + -- HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 type: keyword -example: get, post, put +example: GET, POST, PUT, PoST -- @@ -5888,6 +6285,18 @@ The log.* fields are typically populated with details about the logging mechanis The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +*`log.file.path`*:: ++ +-- +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. + +type: keyword + +example: /var/log/fun-times.log + +-- + *`log.level`*:: + -- @@ -5926,7 +6335,8 @@ example: 42 *`log.origin.file.name`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. type: keyword @@ -5956,6 +6366,8 @@ type: keyword example: Sep 19 08:26:10 localhost My log +Field is not indexed. + -- *`log.syslog`*:: @@ -6924,6 +7336,17 @@ example: 1.12.9 These fields contain Windows Portable Executable (PE) metadata. +*`pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`pe.company`*:: + -- @@ -6957,6 +7380,18 @@ example: 6.3.9600.17415 -- +*`pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`pe.original_file_name`*:: + -- @@ -7188,12 +7623,12 @@ type: text *`process.parent.args`*:: + -- -Array of process arguments. +Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: keyword -example: ['ssh', '-l', 'user', '10.0.0.16'] +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- @@ -7384,49 +7819,127 @@ type: text -- -*`process.parent.pgid`*:: +*`process.parent.pe.architecture`*:: + -- -Identifier of the group of processes the process belongs to. +CPU architecture target for the file. -type: long +type: keyword -format: string +example: x64 -- -*`process.parent.pid`*:: +*`process.parent.pe.company`*:: + -- -Process id. - -type: long +Internal company name of the file, provided at compile-time. -example: 4242 +type: keyword -format: string +example: Microsoft Corporation -- -*`process.parent.ppid`*:: +*`process.parent.pe.description`*:: + -- -Parent process' pid. - -type: long +Internal description of the file, provided at compile-time. -example: 4241 +type: keyword -format: string +example: Paint -- -*`process.parent.start`*:: +*`process.parent.pe.file_version`*:: + -- -The time the process started. +Internal version of the file, provided at compile-time. -type: date +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.parent.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.parent.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.parent.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`process.parent.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + +*`process.parent.pid`*:: ++ +-- +Process id. + +type: long + +example: 4242 + +format: string + +-- + +*`process.parent.ppid`*:: ++ +-- +Parent process' pid. + +type: long + +example: 4241 + +format: string + +-- + +*`process.parent.start`*:: ++ +-- +The time the process started. + +type: date example: 2016-05-23T08:05:34.853Z @@ -7502,6 +8015,17 @@ type: text -- +*`process.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`process.pe.company`*:: + -- @@ -7535,6 +8059,18 @@ example: 6.3.9600.17415 -- +*`process.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`process.pe.original_file_name`*:: + -- @@ -7777,6 +8313,15 @@ type: keyword -- +*`related.hosts`*:: ++ +-- +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + +type: keyword + +-- + *`related.ip`*:: + -- @@ -8075,8 +8620,7 @@ example: Quebec *`server.ip`*:: + -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the server (IPv4 or IPv6). type: ip @@ -8139,19 +8683,19 @@ format: string + -- The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`server.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -8238,7 +8782,7 @@ type: keyword *`server.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -8262,6 +8806,17 @@ type: text -- +*`server.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === service @@ -8515,8 +9070,7 @@ example: Quebec *`source.ip`*:: + -- -IP address of the source. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the source (IPv4 or IPv6). type: ip @@ -8579,19 +9133,19 @@ format: string + -- The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`source.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -8678,7 +9232,7 @@ type: keyword *`source.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -8702,10 +9256,21 @@ type: text -- +*`source.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === threat -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). @@ -8723,7 +9288,7 @@ example: MITRE ATT&CK *`threat.tactic.id`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -8734,7 +9299,7 @@ example: TA0040 *`threat.tactic.name`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/) type: keyword @@ -8745,7 +9310,7 @@ example: impact *`threat.tactic.reference`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -8756,7 +9321,7 @@ example: https://attack.mitre.org/tactics/TA0040/ *`threat.technique.id`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword @@ -8767,11 +9332,11 @@ example: T1499 *`threat.technique.name`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword -example: endpoint denial of service +example: Endpoint Denial of Service -- @@ -8785,7 +9350,7 @@ type: text *`threat.technique.reference`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) type: keyword @@ -8872,7 +9437,7 @@ Distinguished name of subject of the issuer of the x.509 certificate presented b type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- @@ -8912,7 +9477,7 @@ example: 1970-01-01T00:00:00.000Z *`tls.client.server_name`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. type: keyword @@ -8927,7 +9492,7 @@ Distinguished name of subject of the x.509 certificate presented by the client. type: keyword -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com +example: CN=myclient, OU=Documentation Team, DC=example, DC=com -- @@ -8942,319 +9507,859 @@ example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256 -- -*`tls.curve`*:: +*`tls.client.x509.alternative_names`*:: + -- -String indicating the curve used for the given cipher, when applicable. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: secp256r1 +example: *.elastic.co -- -*`tls.established`*:: +*`tls.client.x509.issuer.common_name`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +List of common name (CN) of issuing certificate authority. -type: boolean +type: keyword + +example: Example SHA2 High Assurance Server CA -- -*`tls.next_protocol`*:: +*`tls.client.x509.issuer.country`*:: + -- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. +List of country (C) codes type: keyword -example: http/1.1 +example: US -- -*`tls.resumed`*:: +*`tls.client.x509.issuer.distinguished_name`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +Distinguished name (DN) of issuing certificate authority. -type: boolean +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`tls.server.certificate`*:: +*`tls.client.x509.issuer.locality`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +List of locality names (L) type: keyword -example: MII... +example: Mountain View -- -*`tls.server.certificate_chain`*:: +*`tls.client.x509.issuer.organization`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +List of organizations (O) of issuing certificate authority. type: keyword -example: ['MII...', 'MII...'] +example: Example Inc -- -*`tls.server.hash.md5`*:: +*`tls.client.x509.issuer.organizational_unit`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +example: www.example.com -- -*`tls.server.hash.sha1`*:: +*`tls.client.x509.issuer.state_or_province`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of state or province names (ST, S, or P) type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +example: California -- -*`tls.server.hash.sha256`*:: +*`tls.client.x509.not_after`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +example: 2020-07-16 03:15:39+00:00 -- -*`tls.server.issuer`*:: +*`tls.client.x509.not_before`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. +Time at which the certificate is first considered valid. -type: keyword +type: date -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2019-08-16 01:40:25+00:00 -- -*`tls.server.ja3s`*:: +*`tls.client.x509.public_key_algorithm`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. +Algorithm used to generate the public key. type: keyword -example: 394441ab65754e2207b1e1b457b3641d +example: RSA -- -*`tls.server.not_after`*:: +*`tls.client.x509.public_key_curve`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. -type: date +type: keyword -example: 2021-01-01T00:00:00.000Z +example: nistp521 -- -*`tls.server.not_before`*:: +*`tls.client.x509.public_key_exponent`*:: + -- -Timestamp indicating when server certificate is first considered valid. +Exponent used to derive the public key. This is algorithm specific. -type: date +type: long -example: 1970-01-01T00:00:00.000Z +example: 65537 + +Field is not indexed. -- -*`tls.server.subject`*:: +*`tls.client.x509.public_key_size`*:: + -- -Subject of the x.509 certificate presented by the server. +The size of the public key space in bits. -type: keyword +type: long -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2048 -- -*`tls.version`*:: +*`tls.client.x509.serial_number`*:: + -- -Numeric part of the version parsed from the original string. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: 1.2 +example: 55FBB9C7DEBF09809D12CCAA -- -*`tls.version_protocol`*:: +*`tls.client.x509.signature_algorithm`*:: + -- -Normalized lowercase protocol name parsed from original string. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: tls +example: SHA256-RSA -- -[float] -=== tracing - -Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. - - -*`tracing.trace.id`*:: +*`tls.client.x509.subject.common_name`*:: + -- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. +List of common names (CN) of subject. type: keyword -example: 4bf92f3577b34da6a3ce929d0e0e4736 +example: shared.global.example.net -- -*`tracing.transaction.id`*:: +*`tls.client.x509.subject.country`*:: + -- -Unique identifier of the transaction. -A transaction is the highest level of work measured within a service, such as a request to a server. +List of country (C) code type: keyword -example: 00f067aa0ba902b7 +example: US -- -[float] -=== url +*`tls.client.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. +type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -*`url.domain`*:: +-- + +*`tls.client.x509.subject.locality`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +List of locality names (L) type: keyword -example: www.elastic.co +example: San Francisco -- -*`url.extension`*:: +*`tls.client.x509.subject.organization`*:: + -- -The field contains the file extension from the original request url. -The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". +List of organizations (O) of subject. type: keyword -example: png +example: Example, Inc. -- -*`url.fragment`*:: +*`tls.client.x509.subject.organizational_unit`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +List of organizational units (OU) of subject. type: keyword -- -*`url.full`*:: +*`tls.client.x509.subject.state_or_province`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +List of state or province names (ST, S, or P) type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top +example: California -- -*`url.full.text`*:: +*`tls.client.x509.version_number`*:: + -- -type: text +Version of x509 format. + +type: keyword + +example: 3 -- -*`url.original`*:: +*`tls.curve`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +String indicating the curve used for the given cipher, when applicable. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch +example: secp256r1 -- -*`url.original.text`*:: +*`tls.established`*:: + -- -type: text +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + +type: boolean -- -*`url.password`*:: +*`tls.next_protocol`*:: + -- -Password of the request. +String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword +example: http/1.1 + -- -*`url.path`*:: +*`tls.resumed`*:: + -- -Path of the request, such as "/search". +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -type: keyword +type: boolean -- -*`url.port`*:: +*`tls.server.certificate`*:: + -- -Port of the request, such as 443. - -type: long +PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. -example: 443 +type: keyword -format: string +example: MII... -- -*`url.query`*:: +*`tls.server.certificate_chain`*:: ++ +-- +Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: ['MII...', 'MII...'] + +-- + +*`tls.server.hash.md5`*:: ++ +-- +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + +-- + +*`tls.server.hash.sha1`*:: ++ +-- +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 9E393D93138888D288266C2D915214D1D1CCEB2A + +-- + +*`tls.server.hash.sha256`*:: ++ +-- +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + +-- + +*`tls.server.issuer`*:: ++ +-- +Subject of the issuer of the x.509 certificate presented by the server. + +type: keyword + +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.ja3s`*:: ++ +-- +A hash that identifies servers based on how they perform an SSL/TLS handshake. + +type: keyword + +example: 394441ab65754e2207b1e1b457b3641d + +-- + +*`tls.server.not_after`*:: ++ +-- +Timestamp indicating when server certificate is no longer considered valid. + +type: date + +example: 2021-01-01T00:00:00.000Z + +-- + +*`tls.server.not_before`*:: ++ +-- +Timestamp indicating when server certificate is first considered valid. + +type: date + +example: 1970-01-01T00:00:00.000Z + +-- + +*`tls.server.subject`*:: ++ +-- +Subject of the x.509 certificate presented by the server. + +type: keyword + +example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`tls.server.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`tls.server.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`tls.server.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`tls.server.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`tls.server.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`tls.server.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`tls.server.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`tls.server.x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`tls.server.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`tls.server.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`tls.server.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`tls.server.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`tls.server.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`tls.server.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`tls.server.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`tls.server.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`tls.server.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`tls.server.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`tls.server.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`tls.version`*:: ++ +-- +Numeric part of the version parsed from the original string. + +type: keyword + +example: 1.2 + +-- + +*`tls.version_protocol`*:: ++ +-- +Normalized lowercase protocol name parsed from original string. + +type: keyword + +example: tls + +-- + +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.span.id`*:: ++ +-- +Unique identifier of the span within the scope of its trace. +A span represents an operation within a transaction, such as a request to another service, or a database query. + +type: keyword + +example: 3ff9a8981b7ccd5a + +-- + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction within the scope of its trace. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + +[float] +=== url + +URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. + + +*`url.domain`*:: ++ +-- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + +type: keyword + +example: www.elastic.co + +-- + +*`url.extension`*:: ++ +-- +The field contains the file extension from the original request url. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". + +type: keyword + +example: png + +-- + +*`url.fragment`*:: ++ +-- +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. + +type: keyword + +-- + +*`url.full`*:: ++ +-- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top + +-- + +*`url.full.text`*:: ++ +-- +type: text + +-- + +*`url.original`*:: ++ +-- +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + +-- + +*`url.original.text`*:: ++ +-- +type: text + +-- + +*`url.password`*:: ++ +-- +Password of the request. + +type: keyword + +-- + +*`url.path`*:: ++ +-- +Path of the request, such as "/search". + +type: keyword + +-- + +*`url.port`*:: ++ +-- +Port of the request, such as 443. + +type: long + +example: 443 + +format: string + +-- + +*`url.query`*:: + -- The query field describes the query string of the request, such as "q=elasticsearch". @@ -9268,12 +10373,12 @@ type: keyword + -- The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- @@ -9292,7 +10397,7 @@ example: https *`url.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -9395,7 +10500,7 @@ type: keyword *`user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -9419,6 +10524,17 @@ type: text -- +*`user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent @@ -9747,6 +10863,276 @@ example: Critical -- +[float] +=== x509 + +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + + +*`x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + [[exported-fields-file_integrity]] == File Integrity fields diff --git a/auditbeat/docs/index.asciidoc b/auditbeat/docs/index.asciidoc index b236e1a6eee..56f3d7cc756 100644 --- a/auditbeat/docs/index.asciidoc +++ b/auditbeat/docs/index.asciidoc @@ -53,4 +53,4 @@ include::./faq.asciidoc[] include::{libbeat-dir}/contributing-to-beats.asciidoc[] -include::{libbeat-dir}/shared/redirects.asciidoc[] + diff --git a/auditbeat/docs/running-on-docker.asciidoc b/auditbeat/docs/running-on-docker.asciidoc index 74007cdeb35..dee50fa254a 100644 --- a/auditbeat/docs/running-on-docker.asciidoc +++ b/auditbeat/docs/running-on-docker.asciidoc @@ -10,5 +10,5 @@ It is also essential to run {beatname_uc} in the host PID namespace. ["source","sh",subs="attributes"] ---- -docker run --cap-add=AUDIT_CONTROL,AUDIT_READ --pid=host {dockerimage} +docker run --cap-add=AUDIT_CONTROL --cap-add=AUDIT_READ --user=root --pid=host {dockerimage} ---- diff --git a/auditbeat/docs/running-on-kubernetes.asciidoc b/auditbeat/docs/running-on-kubernetes.asciidoc index d98bcaca1d6..73ac5cdd70f 100644 --- a/auditbeat/docs/running-on-kubernetes.asciidoc +++ b/auditbeat/docs/running-on-kubernetes.asciidoc @@ -4,6 +4,8 @@ {beatname_uc} <> can be used on Kubernetes to check files integrity. +TIP: Running {ecloud} on Kubernetes? See {eck-ref}/k8s-beat.html[Run {beats} on ECK]. + ifeval::["{release-state}"=="unreleased"] However, version {version} of {beatname_uc} has not yet been diff --git a/auditbeat/include/fields.go b/auditbeat/include/fields.go index dae74f1c134..6d1f27aa2df 100644 --- a/auditbeat/include/fields.go +++ b/auditbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "eJzsvXtTHLmSOPr/fApdNuKHOdsUD4ONuXcjfgwwM8TamDH4zJ5Zb9DqKnW3DlVSjaQC92zsd7+hTEmlegCNTfkxy5zdGbq7SkqlUql857+Q3w7enZ6c/vz/kCNJhDSEZdwQM+eaTHnOSMYVS02+GBFuyA3VZMYEU9SwjEwWxMwZOT48J6WS/2SpGf3wL2RCNcuIFPD9NVOaS0G2kt1kM/nhX8hZzqhm5JprbsjcmFLvb2zMuJlXkySVxQbLqTY83WCpJkYSXc1mTBuSzqmYMfjKDjvlLM908sMP6+SKLfYJS/UPhBhucrZvH/iBkIzpVPHScCngK/KTe4e4t/d/IGSdCFqwfbL6fw0vmDa0KFd/IISQnF2zfJ+kUjH4rNgfFVcs2ydGVfiVWZRsn2TU4MfGfKtH1LANOya5mTMBaGLXTBgiFZ9xYdGX/ADvEXJhcc01PJSF99hHo2hq0TxVsqhHGNmJeUrzfEEUKxXTTBguZjCRG7GernfDtKxUysL8J9PoBfyNzKkmQnpocxLQM0LSuKZ5xQDoAEwpyyq307hh3WRTrrSB91tgKZYyfl1DVfKS5VzUcL1zOMf9IlOpCM1zHEEnuE/sIy1Ku+mr25tbL9Y3d9e3n19s7u1v7u4/30n2dp//vhptc04nLNe9G4y7KSeWiuEL/PMSv79iixupsp6NPqy0kYV9YANxUlKudFjDIRVkwkhlj4SRhGYZKZihhIupVAW1g9jv3ZrI+VxWeQbHMJXCUC6IYNpuHYID5Gv/Ochz3ANNqGJEG2kRRbWHNABw7BE0zmR6xdSYUJGR8dWeHjt0dDD53yu0LHOeAnQr+2RlKuX6hKqVEVlh4tp+UyqZVSn8/j8xggumNZ2xOzBs2EfTg8afpCK5nDlEAD24sdzuO3TgT/ZJ9/OIyNLwgv8Z6M7SyTVnN/ZMcEEoPG2/YCpgxU6njapSU1m85XKmyQ03c1kZQkVN9g0YRkSaOVOOfZAUtzaVIqWGiYjyjbRAFISSeVVQsa4YzegkZ0RXRUHVgsjoxMXHsKhyw8s8rF0T9pFre+TnbFFPWEy4YBnhwkgiRXi6vZG/sDyX5Dep8izaIkNnd52AmNL5TEjFLulEXrN9srW5vdPduddcG7se954OpG7ojDCazv0qmzT2nzEJIV1tr/xXTEp0xgRSimPrB+GLmZJVuU+2e+joYs7wzbBL7hg55koJndhNRjY4NTf29FgGauwFN3VbQcXC4pzaU5jn9tyNSMYM/iEVkRPN1LXdHiRXaclsLu1OSUUMvWKaFIzqSrHCPuCGDY+1T6cmXKR5lTHyI6OWD8BaNSnogtBcS6IqYd928yqdwI0GC03+5pbqhtRzyyQnrObHQNkWfspz7WkPkaQqIew5kYggC1u0PuWGvJkzFXPvOS1LZinQLhZOalgqcHaLAOGocSqlEdLYPfeL3ScnOF1qJQE5xUXDubUHcVTDl1hSIE4SmTBqkuj8Hpy9AZnE3ZzNBbkdp2W5YZfCU5aQmjZi7ptJ5lEHbBcEDcKnSC1cE3u/EjNXsprNyR8Vq+z4eqENKzTJ+RUj/06nV3RE3rGMI32USqZMay5mflPc47pK55ZLv5YzbaieE1wHOQd0O5ThQQQiRxQGcaU+Haycs4Ipml9yz3XceWYfDRNZzYs6p/rWc90+S8d+DsIze0SmnCkkH64dIp/xKXAgYFN6LdC1F2rsVaYKEA+8BEdTJbW9/bWhyp6nSWXIGLebZ2PYD7sTDhkR09ijO9Pdzc1pAxHt5Qd29llLfy/4H1a+efi6w31rSRQJG967gYt9wgiQMc9uXV7WWJ799xALdGILnK+YI3R2UBOKTyE7xCtoxq8ZyC1UuNfwaffznOXltMrtIbKH2q0wDGxuJPnJHWjChTZUpE6OafEjbScGpmSJxF2npL5OWUkVnOIwNtdEMJahAnIz5+m8O1U42aks7GRWvo7WfTK1kq/nPLBUZEn+Kzk1TJCcTQ1hRWkW3a2cStnYRbtRQ+zixaK8Y/s8t7MTEG3oQhOa39j/BNxaWVDPPWnitjpxHN+1t3lSo0YEnh2wWj+LJO6mmLD6EbjC+LSx8fWOtQmgsfkFTedWJ+iiOB7H49lpmwOg+u9Oj20iuwXTi2Qz2VxX6XYsxuiGDFMZKWQhK03O4Uq4R545EITWr+AtQp4dnK/hwXTSiQMslUIw0BhPhGFKMEPOlDQylbmD9NnJ2RpRsgJ9sVRsyj8yTSqRMbzIrbCkZG4Hs9xNKlJIxYhg5kaqKyJLq0dKZQUer+SxOc2n9gVK7H2XM0KzgguujT2Z1164smNlskBJjBri9FZcRFFIMSJpzqjKFwH7UxByA7Qy5+kCBMs5s6IvLDBZ+sIUVTEJAs1dV2Uuw63d2Ap3JeA4VhGVKQhXDqLONjl5I3wdCN7tohvo2cH56RqpYPB8Ud84GoXngHo8EyeNdUekt7W79eJVY8FSzajgfwJ7TLrXyOeICaCmXMZYjlid1+9IV+UjIGOpQu+TKc11fSNkbEqr3OCQzR8be/A2WhPM18HDz1JaGnz9+jA6g2nOW7rEYf3NHcrEgXvTHjZPj1Q7AuSG27OApO+3yR1BC95UempzSoJiM6oyEB6tbCiFHkXPo+A44Whu49Jqn9Nc3hDFUqtXNVTXi8MzNyreTDWYHdjsF/bxCDI4gJqJoDLYZ87/cUpKml4x80yvJTALarulYyGdqdCsZEW7xqRe11FgM2PawuGkcY8lo6jQFIBJyLksWJCPK416hmGqICveVibVSq1ZKzb13MqBIloL1Hj03M9OD8SdnbCgB4EeGCHAHUsLlpj5ba6niOFHjdYRkZ/A3l6VrixC3Ki1AsaFBe+flcANAH0MNSxvyewZrMavkKYzpBWscL/W4UR7E1IwPOF4G36eYCqEw4OiGs0yollBheEp8H720Tipjn1EeX2EQpTnCDrIdkaSa26Xy/9ktXJtF8oUKNyam4q67TiZkoWsVJhjSvPcE5+/ESw3nUm1GNlHvVCiDc9zwoRVLx3don3SCi4Z08aSh0WpRdiU53lgaLQslSwVp4bliwcoVjTLFNN6KJ0KqB21aEdbbkIn/wQ2U0z4rJKVzhdIzfBOYJg3Fi1aFgzssiTnGuxWJ2cjQv09KxWh9mL5SLS0dJIQ8o8as05MA8Nhza/njCh642HydD9O3BdjRFlTyhRWCa+FyKxC2yFejeOEl2MLyjhBsMYjkrGSicyJ+SijS1EDASq927Faikr+113gVCdPd3gE1WRhmL5HtI/2Hi08zdcagPxof0DrTvCwuDPpSAJZZ3er9nYagCFhD6B0OB6O4yeNOWdMJik3i8uBDASHVmbv3Z03VkdgNO+CI4XhggkzFEynkbEiTNaB71QqMycHBVM8pT1AVsKoxSXX8jKV2SCowynIyflbYqfoQHh4cCtYQ+2mA6l3Qw+poFkXU8Ae71emZ0xelpKHu6npHJBixk2V4X2dUwMfOhCs/jdZycHVtP7yefJia2fv+eaIrOTUrOyTnd1kd3P31dYe+Z/VDpCPyxNbNkDN1Lq/j6OfUOL36BkRZwNBKUxOyUxRUeVUcbOIL9YFSe0FD2JndIEe+nszWJiQwrlCiSpl9sZwwvc0l1K5i2cEFpU5r0Xb+oZC8HJSzhea2z+8hyP1x1pHIJxKE7lxwX/D0e5QwAU5Y9KvtmuHmUhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzCmoji5T0whAeaxHlyFoQ0zxHhsogpC42x3pDjXYsnZ9c79ouTs+sXtfDZkrcKmg6AmzcHh7dBTRo2b5O08dJ7rG/BzYVVL1FLOjmzEzmdAQNTTg8uggJOnrFkljhrEs1jQwFBbdMbmhqujXBWIp3TKrVgfhQzkkuakQnNqUjh6E65YjdW5QEdX8nKnugWxu2iS6nMwwRcL+Roo3i/1Btjw47/veADddsHyHuNVZ/h258k3W034ejsyTJC5+37ceb24Dbit9xJG6ZYdtknVz7e9WaVmzmfzZk20aQeRzj3CBZSlizzIOtq4sXRsP8/1T4evKai4ZwuOpUKwkiSGcj2SSqLFcI1WYk+t11PGE7jXEoZM0wVcBWXiqVcW10L7CgUtV9wxEIYUTXJeUp0NZ3yj2FEeObZ3Jhyf2MDH8EnrI61lpALtbCUaiQaDj5ye/Xh9TpZEM2LMl8QQ6/qXUVtOafagF8DY2lQMRfSEFD6bliew9ovXh/Vzt+VVCbV1Ur3Lq2R0SAJI8tL2P4vQBFsOrUH+JrZWZ1M4/bwGbt4fbQ2Qm/OlZA3wlvJGmARh/qRN0cCikpak70bD67ILvG05w3DWjzWGALq+b7JBkjmNoqpN2I52oHvG2RTaaaSYSkm1sjQcC0VmoPt5OijKhiYSeT0No5BBXl9dHAGoRC44qMwVEwqq93VsYLyfKDFWfGfwAReZkm6AEyrPO+RJL9Lw4xd8KomdkkwHSgY9JrynE7yrjB7kE+YMuSYC22YI7EGbsDO+tUIEGYfngJxkYPF4HTjUKYu5grX513lYJHcKHNqrATSQ6gI54DqcrwTOFkXiDnV88G0dcQU8B07j+XJqVSKWdG3EfA1RcM4MChBqJBiEYePohAXkcp7zVwwyxhWwTM0aMMHu7pxCDJMpZjiXtG8MScVmb2SakcO8VHBfUQ1SExTh5SCDgZzdqF4PAX5q7G087mVttGqAsGFXHQXHfE0Cjyt4TmWFS4vOI79F7f7jTHRgCDpBf8CDEXAGTpVNAQf12GV6ADCmCSvTkBkErk1jHJK3jCjeIrhTToOn6KCHB9uY/CUpb4pM+mcaTAqRaMTbrSLXK2BtJTbDLhuRM5yHcJymiC4cVUlXEisYoU0IYiHyMponrFopjZkCBMlLmbTL8gTmKhfdQaxZmw4DloPBMGpbnKv8tlhua5BdQh7iIswBXPtcFx/9aJGEM4FQbmx44RnIdDanegFyfh0ylSssIPZj0N4sb0H7TFcN0xQYQgT11xJUTRtRjVtHfx2Hibn2cg7ZYD+ydt3P5OTDEOhIUigajOXroD64sWLly9f7u3tvXrV8nOhiMFzbhaXf9aewMfG6kE0D7HzWKyg+xFoGo5KfYg6zKHS64xqs77VsuC5+LXhyOHExy2eHHnuBbD6Q9gGlK9vbT/f2X3xcu/VJp2kGZtu9kM8oDgQYI4jTLtQR/ZG+LIbKPloEL3xfCCKmbwTjWY7KVjGq6YyXip5zbOlHNGf7eOCs+YnTPzhjPN+6I0eEfpnpdiIzNJyFA6yVCTjM25oLlNGRfemu9GNZaFRfKBFOZv4Jx63+DqWGbvUfCaovTob97LMGDlv/HL7BX0xZ5q1E0Qa4hrcdBMuqFrApCRMqpcPOcTg8HtEqImUOaOiD20/4k8gydIShAWOcZYOFos+F9XT9akZVbHVMOwt8pIHVRtqqsGCXg6yjLuQti6WgdKZstdGakV1BKUnDr1COdyliczstZ2qRWnkTNFyzlPClJIK87g6o17TnGexR86qUarSxs9HXjN6zUgloqgtPIb+1foVfz7r8cOwN1STSqRzll6xnhj/43fv3r67fH968e79+cXx0eW7t28vlt6jCjMSB3JcnePwDYYdSD/wuzoMgKdKajk15FCqUjbC8O9dCqCRLXNf3nE8Vs+NVAzl03gre7aHpPOmyfrvdk8pRPrVr9/2HqRhYeKdD20ageRq+VitNYIo6uKgpMgXzRysyYIYKXONUWwUzAyQFcPSK5RNkQ47JPOwgwzE+pl47ec7aGKBK6XJga6ZsiJfRujMCuGRNjdnNQ8Vpilp9h432kD+PWdpGcTUFwcweUfG4c6Iv7wjDjg82Iz1dFGYnXzeKMOwZKldjQMyQIFE4Ozjzhsnp/EgUXJ4dFfNWV5GVg1QdNCLF4bWToUSC3uzGh7MVsvcWEMaHurF86wp/PGCzgYVRmOhCiYLIUQIkCW0ScVzY/XAHtAMnQ0EWU1ZDi46a5mZo5T1u6ePUtfvSF5vi+kwq8sDb8w74HbUi66jJIIcijQ7lCCKo5OCCjpD5s91TQgdIQpT5iM+EoUcx5zkqPX1HbwkevTu0HRkuNHTEHaEbvGNZuZ4z5hRNPp9cejIflwc+rcYKN2I814qWjrcMq7axCNFS4dhIWr6KVr6KVr6f3e0dHwwfVCNKy3T3q8vFTIds8KnuOmnuOnHAekpbnp5nD3FTT/FTX9PcdPRJfa9BU83QCfDRFDz0s4W3/T3hA2zRrxwqfg1NYwcvfl9rS9iGE4N6CHfVNA0ROlGxhm3UjDZ1LgxkkwWgIkjBiWGHn+FQ4RBP0Bs+3Kx0LfS8tcOiM46EuVTVPRTVPRTVPRTVPRTVPRTVHSb4J6iop+iop+iop+ior9llvbZUdFZjteL9369fg0f7y7Lu0zEFcSb5HyiqOJMk2whaIFqlEe5pJmvfOyKrIJJxv38hoqFq1IXF2l1JaMkWdFzCkmOjXlWXIFcHz6Lhh4fSzepQjV8CPBgBseDWvQ0zz3qpjLP5Q0Xs30Pzd/IES5gPefiys23IM/GSZbn4zVX+M6riFKQ37jI5I2u3z9HcN9iZM6zcaJl33vvBf+4DjJbZ+0dWBpgLHI+6RuwoOnb8+Vdgc2wvOQ7intrQf4UBvfth8G1t+yvExXXWtlTkNxQQXItRD/FzN2CJysxJkW2OxBDfHO0i1M8CB49p1sDAXT+y8HWp0G0vftiOJi2d198GlS7zn47CFS7W9sPg2ogDt3Qdp1w074261KaBS21N3rHPB1aHUlBMq6vusfmiinB8ufbiZd8l1huSc1Qat1PVZ4jxHaSztpbwB/uf3CC5QesOf18+8MnLQgsjCUVi4GWdRLKzuA0nQ0a+WSYjEBrjqLkOVuHGNdHvYhLlkSADb3alov8ExZ7RuM4gvsXZ4e/7K2V/viru24WTn/gyl4kz5NXLzY3k62XO1u7D1ii7+BzCWsdNNHNLfRziPX87ODk9CI5/o/jByzRNdAZel1ums9Z30o4jR8+Hhx7NRf+fhsUVuRNK3cjIFggRKOs/tHp+X0WiJ8asbZ2wqPTc/JHxcDSYAVVKvQNi1p32d9dYrYTWBmHZNdQSrmuee/HWpBScQm2hhkzWEkah3WDPhtnQkOa4z48P15zTXQWfpJ4dLA6+1LMaC6r2xm5EXHaEDqs0VlCdWybcDCgWH3DFKv3Di2nXOM4XSjx1fHaQyKDGyt+9Jj11QNBqFJ04ZGBWHbvo5uIpnMHBtGu6rliplIiMmj6ZniuDFgkMTAC1u0rtnAoq+N1/d7gFmjm+7I1wpEnC3J8eF63zXiHJdxxrLmV4aGtQmwEKOrl4I9+ckFu7FvHh+du+HYEkt1mS34Q9YR+fOxaAr80Q8rtc57MyYEhBRe8qIqR+7K2CrhFFVbjiztoje0sYwscpP53lsF17RsZWWErDEntaCkIK9z4No5Uk1JqzSfob8igIrm9+WltKnFGQx933A8o1STFjjaNOPYWRSZpTgeLWMecfYrROWFDfG5BhhTDofERxpRgYf8Oszw57QU9qtswiIsboI24I0YstDpFusPBKBZN8HF0+GrJRKa97wWyrIFheZTEA/q1dwTtrc3E/18vFoaMW7xoOuEtxUXpyi3QSYll7nWzcRB1xhA5JYenB2+O7YGYMIss+35+zbJRzJxWVzUZo7OkZjEmyl+QwjdekkoxXUqL4mDZiwaBc5mQk8CrhDTe094e0zc3HEN7Bh8sP7Y3D4PGpJ1tubm5SW4Jw/A7Y8wyLufbApUs7iEzB2LIrsFCajk3rBcQ0LsJ3uZE03nM2NkU+FIjz4LrlKqMZQn5nSnpc+gLsNnMXSgqstAaf5MaaThFT1x7P50OWMfgYl7XMPhEFgOk2bQYMJoxdTnNfXPIIczfcGfLKdkmOTOGKeCSODOBmRuFSEpsZVQXO9gnBwcjcnE4Iu+ORuTdwYgcHI3I4dGIHL3tkKz7uE7eHdV/NuPHB3NP2x2yS8PYvdhNTTWYjeuWt0rOFC2QAkOb3oAE+wiIZZhcEw0EWWslr/NxkDnoHg1qe2trq7FuWfbEFT/64p0nSgo0l6MYhemwzhx9xQUE0KEA25BpSWhpGkcvQS9G43FXN4fBwHIcBmVkwAw4CeMxb8XRr++P3/2jgaPAGb+YxODa/LjbAvWSe4WDBgMf8l6EC7EFWnzvBXNaqyCTkGK9VFwY6NeXzim0tFaaPJuwXN6Q59uQeGchIFvbL9ZGEe1L3Xij5uVBQ8J2TEyntLRnimpGtjbhCpnBHB+Ojo7WajH8R5peEZ1TPXca3x+VhKSmMLIbKiEXdKJHJKVKcTpjTnfQKKPmPEq/mzKWxSOkUlwz5YKDP5gR+aDwrQ8C6I85n8aD7tiwzV89FvYp/vWbiX8NRBGQPyQxhElAxastC26BdQvBDol2GYUbaA4qoUusAKCBEYaZRjVqdDXZtuvcShxWgDRGDZzXEDacjF57rcdYGSGJCEmMojyH7oJMcdkv+PYj/Sn6GNnfU/Txg6KPa/r5MgqC05PuFioODg6akrHXVS8/J4fooGOiy3NycmZlOAa1wMaxaWPcsjH4H8fe1Odoh0+nPK1ysCBVmo3IhKW00sEyfU0VZ2bhlaOYUAtqtFUK7VAOrIQcfzTKt/wD+KIKAx5Qg+3PJQGraISccS2uQst3boI5C3slZOyjfbuwVBIPjSIBvgS/M6o5hKiFEevmeiipWOF2Krt1FYN20zadNL/bam8wSMJfQhHwc/WnGp6+hVigBnQDno3V+HAEA78P2chGDtFWJgX6a15e0MOwLtcTOQgglGXGr5mG7oWRa6HRzhAeSxWLQ6UyocMoU4St7SNYFooaAG/wd+6ABhCt+aGNOWChZMqt/5ks0fqaL+wQWspwrzhtDU/HWkIORAb1WlMpasXVYbV59m93VHh7vtXjHE/o8NJg+A3V9dKGC+j48D4X0Btm6HpsrPbVmZw1evnCfve1mVbsj4orlkGhs0eIcDg+PA9+VLjHAn7tYjQxMiFjlurEPTTGCH8PRs0EQTAC1lNpg/UJIdo777QPJeS3ORO4Z7CB2LU/yGtcZDxlmqyvOyOpc2BYgCw+dc5nc5P3FaWNVgPvR8G1ObMs2upvyrUppdk/Lag+TTGds4K28E8873dL6BqVk81kM6YcpWSjENhx+GLpEGZoQ++dQS7iEsh3AXaNgMf32NC2QPkBn3NuoLJkUNAlZ1gC2aLZMwIIwk+pvYVu8PYJdgzce240y6e1ok0Fjv4AN91AyeWATDT6tNwJCOCdNrhhYvpDekgPBM7QdA8YUfB9z2K9saoxsDY0vbq00sVfIQ3qAoMvU2jenLLg+wGMWmItc/ARso+tfkZfSNANuzvCk+ZK5ZpgYovDF9jHlJV1pnHEKv5Jr2mSUzFLTqs8P5Pgjjj2j8c85LrVUfz4eomG4qGRb28hQd8duT84PJdeXcGag4qnDV4QWM6BfbTVstyyh/ad7G9iaAhWMDPHcxp4U60pvJaBM8HFwUWaV66OO3htqAmuMtC0xKweI9QUtxPVi3Dj+aGoT+ewVKaML2LvStPXDdadTR0VmpDW7sb0/m/Q/eLE7RGW9+rp0j5h5saK+TS0Y3byjLoObmaczDU4Z1DDP82ltms78DtxP7qxlIQ/x1JBbS0otpOTglFdKVZgFwAImu7DbPQYBPoaesUCDcdojsmjxnHBCgkRKkxDP203XFZj2rXVvuaBZxlWgCG/Uiwh5wz3fIzl5+xFN8Zlc+MKPANT0HUL/MiTH45wHJHgILXzamP19MYlvlw1/iWq7XyyroCjBwXBOx+a9feclSPUk8FCk3FYhIjeIidQ+hNIoBZB51R4vPpO6OPadB021zKMMSBknWbZeETG7tysw7lh8NWU52wdxfxsjL4j70Fp3AYg30dBK1gfs8yBwvpq+FeaqfWSam2RuY5hSU2ZwoE+zHZgAgwcpCmZWjXIypKHOKcvkoaBXqhhg5RKDe5IbQsDZcUZtNzW2IE88GTOmaIqncdxxO29qcU/3O6VCZ+RSQX1NlYsfNGInOmmUS2SyHPDlON2rSn23c6OycJdFkFMx94izsrlHgtjQtoENwvnO0PJmmvkWfki7kviZrSbMnad/l2KkWVj9YhEVxMPVpvqw/hejXPzgg2N5rm8sRBa3TJtbpS7d9ySIlMcNVYOga0J+kaEya5qWJm5FfWiulu3y7iPZ0o4cfJlGrk5QzQdLApyxUG/hoy4CHNRdUsfslVpFi6NjOlGZw8nYGpSiajU5YgoNqMqy+PdB+4PTxMrx1T2D6mIXR7ocaBP4UUjr5mCW8Zq8UFk8pIdj7eE+aBNlHPIyVF3G3Ze7Ow1kY8c6B5ekNXGiCZ+3WnAQTrtaNgG3I83VksNvBVuxSlXUUKNYhR4m6XOGeyJVPYzWFFKXrIcej/cQtMZtzJE6orn/F+oH2poUSLboCb+ysRtUE1sJQ+3OUNro5X3fDGeEI3TvlJOBCnslay5qVAZHrmQQ3MjSZjWHbQJ61G5kfX7j2kczSJ8pjVmLOUpJBS5Sjw5hNWgYBRbm1yEgou3RBKvmUQstsC2wKuAdNyTkLGbEW4cl2hBUkjBjazj++ohVldBLfY7Zj/6Xi5GkivGSlKV6EaAl+LD1cSqVasR0iYe7dWKJy6l+Sje2dq9G+Wmx1lV25tbL9Y3d9e3n19s7u1v7u4/30n2dl/+3oxCzKihmt1XQenzKz7gNK3ANNHACLpWwBFeYClbKjDYzOlTVoWQyl83WN+Lpo17JpezkdP/cjlbG8WTh1vESCfjLOratdF5TWURld/Ddlc12LDpiqWyKIBnQy62kCZYtmB4K/c05gZVLwTJFTKr8pr0sYYHJmuj1ENJJrH9legM03PZlDSdsyTCRdjeSi1T+LGnQlbrTS7Kylz6HwUV0kXCef2vMvEDVL/hec57n0EHG9DIVi/hHLmpGzY0Ap7AMG2TkpBPIdbtmcfPzKpNijkfpKmdfo24xj5e5BkNzC4yrwrYPeWd6iJMLBO0dduVUoPauU3aFwnSm704/fderAqA27sGfIZyAupiq6r9gGU9fqF6Tp6VTM1pqe3h08Z+M+VixhSE26yB84/euJvMSLsBFP1Ske2nkEIbZZcPJgMwvFrJsU30dT+pvr8Ofjw8+mJWvZMju5pQMj1Sxlow79Gd6e7mZtaETMxYN6l6eZnkItwJQBeBq1Kl+LWPwGRQfFTR3AWUGqk6EgbIFr7eBAgD4/rCiWXxFl16cSFfEJmmlVIsSxynrG/iXMvO6A1pKp6gYBR7ovu8ZUzwsfd1VImfBAGKaHrTqwOfCKdU2tOFSr9Vw7SuCisxCEns2kDbGQVJwd293jU1V1LIXM4aRT/sVSOvfFgA1/sNXJH/r724+hu/3eOl7uzdZGtz6/els6OveJsZfWN6rg/g+iRFF4076FG0A637Udq2SUhP8WJD/LPp1OH3XBcDcKDFFtrxIkecL1IdHKK13aRXg3bxwV5rQX6HYvus4npOaM6U8YIMnIWGdawVd4CXVnO0loyKayRzeePkcYsqgKCRLRZdcGRORZZDXOGcLcBVdmNVZWGiY6qYXTMYK+svUcwAhCiZ16vmBkaBkw5NYSAASxtLDDdzBmlqIaIdW4qCo8+AW3BW5VSFUPtadVRWuOoReXLm6n4Gp0ksUw0myOIsUY4JRD3DWtqSovOKO/UBFBTkVVVZSuVMNKkUKSsh5AmHRo0ir2YgCXQtKbVbnsJJEF56Rnn4AERBuH/XRv7c4MjjVvhZQxWsXRFgBrTP3yZnNrDuef8QeH9nmTr7aILxwJKzMFyF0/fekf8dUsMtSrSV2CEWhqF0l8n0MuphmHFtJZMMDKNYDgzUWWY5E8tqorfSv4vfgShgozi79rr0+BL3pofVn7OSbL0im3v72y/2tzbR0n14/NP+5v/5l63tnf/3nKWVXQB+ImZu7xFoEcMUfreVuEe3Nt0ftRRoeYGu4JxOK3svayPLkmX+BfyvVum/bW0m9n9bJNPm37aTrWQ72dal+bet7efNOruyMlYx+qYvF6s+ferd4tY39sF4GRMQiB1zLrwxIiMr9VgGX06tM1KeW6klGFRKpnyYdbg/oIo7GmwwnZllvSLMqTQuVQHFO5/eCzWfnSsgMvRnDRMlcgvM72pdfJZX+6ItEXev764WYkbQehctdngn8tomEi0wAv3AXgUiwO8FUYqhcXAJlLLy+hp5FtaGn12SGd7PYdA6PBdFMrdG0PXrimh1cmyoSxO0b7xP7ejRfahDxBUyZnkN1TniDV5qW6/jsBK3sXHI1k+VAnqq0SJcwqzj7GA6g4RcK91qLVPn4cN9uEXkMA3uVtcWsYPXKJi23LSWMvysZh6b3vetRDFu9G6lYhFEFlBCOeQMesBIJhny1YJe1bujmdA9V4lDa4PFDNzGdvU8xKf1nTM0IsOpwuvZh9KeL7SzPHVtzq/lLLKxFigsNS7WOijOK2b+TulpFEG0nJobqthd2VfusMB1f77QhZXO5saU2Ro2v56ib8T1OHIDt4vwhRGfYdmVUV2dZN0tcd3fQesHlVWdxGzttio0jW2ESoSROeXR9/Gdn4C8f/ea5Fxc+djqu4vZeRdIWyjwo2D1RPD58jT2ITscRiOQg0iCH4XrqJHIHykt+yCuWhaqGPK9QgrwrgAzDB4a7M3VQbLdXb2/seG6Wl0zkUmVpLLAnmsb/7K5CaaPZbVExfXVpY4u79uu82kuaW+M0TuurwiMAOKq4lJxjHBuU6h2RES0zCvQv6Psp/eaOWM+rAzM6c71gEx6zlS7GV+A/dJq9kvQ2K2LWD0F0wD/k2Uw7D0LGmFMgk4peKTCIjYt2WxtbvaYUwrKXQlLV5d2ISvY9qaB2x1VLDAH6Zg6Akg3/Rl2iBtnHtHMkpOol4FYc4GRcH1hyc2WyVKzP6olT+jDelScu4F9a7VbeC1EbrUehfBQhN87AsAUrjtuyRF4ZehVM4WcfaSpIVJlzncdVN/IPxl7J8OpDuazYJjuYOuaRR2AHqXNBGYwYrBNmKB5fhri1l3+o99CrniQ4sKIcU55lK+AT3kzt3f30ihc2jMnnTifR1V6U0gUjhF2AoJ33KzcKVGpFJprEwtEjjJjywdce/YK7K3r4C7fsJ4Js2iGvobjXM4SDb8n/vcklRkbJ573+q/rpIjYuFgHy2LNFTdFW8xtOqmQq/k2KfXRPDk6X0t8NlnjjSAXObIm3OrvNyLMiJHwVh6vQ9zDuKksMQjm9uVGURNhwd1L5GWTpg1dqkXN3W4L9Inc67hwYUCx6yKiCHRh1G7yW3wX9pz+WXeZHCAL427tobEkeyBqxmF3OCwILQsuGNHB3BRHcsVotnCU5C5rT+i1/Tm6JvEAeuIg0ioQN1w3VK00ZSVmNIdJfX4R1Cmg9vhLATL5yZGbfOW4UrJkGweFNkxltFiJsp3pZKLYNSof/vHzi5U11AXIL7/sF0XNTDjN/VPrm7v7m5sray022o26/cbMB2bO1SeGYEG0UtMy0IosWtHVZB1jsVbgph8hSWFcU3R3kFpR7cR3IXkiTx8RJux+6yhgy/HVDPydMrJI4KIg97BUdktB5nTatk/ravcb+4KhVE7hX5SdxmWVGqptyGpbexAwNhSY8xKZdM0pK3uEr5k2fOZX11S9l1AsBJxbPzSmUHCxnrHSzDuj45XUbNVO0L0GQlOIdXe5YgICb0mZ05Tdqp3copXUJ/6ztJNi4fSTYuGyrK2GAnNs7G6/3MpYNlmf7k4213e2t/bW915ON9d3aLqz93KTPt+bsru1F08PU+6M/C7G/Sf/+Y4Q9wMsTNqKh4bCHR3/EISaazKxclEzWMyFbNtfIXbOBynbsd3K/f7/BJVbXR0wJ3ZFphw44GDx9Vvko8D9ZyqyDanqxZJG1MvIVaIIdsPJAqc88XZv8qb2OvznTydv/suXTNR1vLe9ZHnK9FqCL7vwf2eF6Wn8TSHVmGWIzdZ6/HGMvMLO1PSguGmMxfoMwWT1NXVeYhJq6FrRwg/da1n1Jrh6KzWGbxlF0yswqaAVsCf8gxqj+KTqdDYeoEgR4j3MF1//4UtsFIHs+ZqqhaWN0G2G/MIUhqlBFRT2cU4rDeZLSGCXU3e3NLm1ZQvM1z7y8fTueNr7kF+zEdhyIZE4G9X9fewdBY0AYpcJ+8jSyrARmfMsY2IE4ZD4bynyxchxyBG5Udz0mA5X/3PFP7syIiv49Mp/fWql9afOEE+dIZ46Qzx1hnjqDGG+784QvaH9D5MdQA6CcUAYhLrRS4oLEFGHxNZ4vykspFH42mNJN7VA4GQuihE2kAnVL+/gb6GALQzjNhAlh6oEO864sFONncrH7VlhmoxhFeNIX8Vgf8zjwNrbwapnHx1ZTTMNw3lt0sMdV/Bu4auR9/fYVxw2SHa+ad3y1gWA2kSpW/31g7AzFJShwWHIug/qDLRyd1Eqjk3FebCZ4tdRdAQUuHRmh8gU0FnhxlwWbIPmHvNhpXa4SxzmcxfbS9xHCkRRLMR5x2qbhglgzIrl7JpGlua6dVlvNF2UPlGWTFlFFy+AhvkOrs+8r1X+4bJcCVAzYFMDYFlhks5els6uFJrmD1Zh9Ezxwl4E2O7y5Ig8+/nkaO3Oo7S6tbm51TzwtX44NITt3gE9LQbbB+CL9h76Sg2GvmIXoa/YKqiOxR8uOfPEjl3biL2gitxNhL+9Kal9VrZ3Xzzfe948LQUv2OWA1SzenLw5xjhqf7v47E+AFpTCZrciRbRRjELcyWRhIlNCpaEEgzMW3tzcJJwKmkg120CfNySAbhQs43QdLMHx38nHuSny/zw5OD2oWfx0ylNOc7Qb/9fIXRm+3FmC5YJ6csms/FGC3D9x1QTDmJjeGGK/o6X7TLtlGX8xHCW9sYQUo50LIlMrtgfqor2lRFY3X+xstkjoMyXSHoE0SJIUQolBdWgeswFLA5+2G2jhZR7q/fibso73N3FH6g7KfHHP9kUqb8RgkWpoPrYTrIIFRUHa3/330+O29/pqdX2glRh0EYv0k1FrI2FvsTRoR/ht6KdZJFQ+TPjduG3vn7qOPXUde+o69tR17Gt2HYtCefifDwzk6zF62UGsGAEyW6Qxv42Va+SeUMrHRTxwTVbsx55Cw1svnu/tNAA1VM2YufyL3FIXsBq8pyCYYlGAr/+LlZqDfQMJ9RlSYcYVeKgdJGsd6gvu5BBcMWi/ESu5gCHgPRgCVB0LHJVBfHbeshKg4HO7rSBYChhmjbs4gJ/dxzvCAH5mMq6VmVKlFpjEh04tWgv+YGrCDm2hMFGwpTdjPVwzVxleib1lobw4pmJjwCNL55A3XqcYWMhOzryLVCqnbKh1XVk9JdjGlyqhyc1iKP/Sod28XmH0jRRW72tmAmDsDBOD+btOG34uN1m3nrNUZk4OsLBdC8BKGLW45Fr2lJ1+HJThFOTk/G1/tenDg16QhtpBB07vJh5SQVvWbU/V94AyY/KylLHsFauIUsy4gYqKIiM5NfChe8L/m6zkUqzsk/WXz5MXWzt7zzdHZCWnZmWf7Owmu5u7r7b2yP+sfilVcvW9PYI+ZKglnNKAmpH3d2CQnZySmaKiyqmKXdfQTjOFCCvLbKIr9jAuRhLJFly5VGmItMZKS2SaS6lcyPwInXZxlb8wKIKXk3K+0JglB/mGI2APGCPS6tlYpzFBSCIXhFZGFsD9IvbWvegnUhsp1rO0sS+KzbgUQ56sdzDDXQdr/dfDPpgGOloOnt6T9WvFJiz9oc/O7e+v8MXtN5i9VNF4HZVq7Qlnh2d0HbzTco7EYe3LFxgftqdIo1hU8HiZsGDIDimYSyq5raUPFeT10cGZvUEPMC2z9p7F3USaLGQwIej2os+4KNeXEi2+GyFK60vxtxjnAFDyQ0+pIEefv/jP95QSnmPVHyDPmiLrnBP4neYzqbiZF6GyLFcu9CyKoWR55qLZsBIxhKXOsVUWhpq/OdodgQNjDei8VMxx64QcZJkHYxpCHjEC1w0xWUDCuEqp9kalJnDIjC2AaLvGehaQI6ZZSRU1MnQUproRXf1MC3qF8bMjgnlwc/r8cndr+yFNi7+0q+nLe5m+joPpS/qWwnmSulGb+xf/+c64ZQgSbsctu+xusDRUBsuoaENFlDx1fHgO7yZ/84fg1oz4bpwvTCpFXeQ51ntCEW1QNUGhua8YNKwVnTQtC+2cquyGKjYi11yZiuakoOmcC6ZH5EimV0yFTqLKpW78ezVhSjCIdJUZe1BVZpXOuWGpqe5NfP2UjX/bSrFuzNeRCD7uvbh8sfO1bli8C+U02jtPav6ave2OrQMrUPZMY/HVDrK6qm+7fcOIUpFTZn48eXve7fL1movqY8/YNdDRTGFEuPd9BYGeeI23pxdvz98GzNxjU5sxmXxDijSA860r0wjkN6dQx2B9I0q1BembV6wtkE/K9bepXNu9+RYV7Aiur6lkN6WugSBZ/cWNHd9IjUrBdT+DkCF941P1xx6yMSg29vy6hr5eK4T72IlD9yisj7Mep62iHBDHDR/ogEdfOo3mN3ShSQWvjCBX0FUaCEaHglHBxQwKX7i620xccyUh0KfRVt3tH/SerhSoiZUv+DaeMGqAEY3bWCjvwUJ/E0gQRnlZNz5s9V6i6QDI/cVt5m2zDkWjp3fSZ9R1EikzosqIGt8L/tEXEnGMEorK/VHRHIJ7wpiRLOfb20BlB9djPTT0qDRTiasCAl16M5byDKqtWXEUSKlm7tBVs7X5UidTWvB8qAiMt+cExyfPvJNGsQzStjM24VSMyFQxNtHZiNygONz1t+GTHbir/BFTmr+a/7Oj7uCuN6N0QsyD677WL/LS1OL7jfwnvWZtbEUFpgbY5fYacLYANqjbit64Qi4dyHeSnWRzfWtrex10cp62oX9cAepb2+s4gs6h7LbN/Y82Zry180vtrJ/PnWcr90k9ItWkEqa66wxTdcM7Z3jYkKEO8MvS49ZmsrWTNPvqDlZ2w5VXbl0rVoM/zGWVBWXc2wnqindOqsHgBSihPTbbScEyXhVjKKJzXbRKGzYsAcEm1Gish9XvwMIbu+BrOSSM2CePtKpOlEuGxd4WVXOObQpqSS4UFUAze3Pbnm/vNqe39+PXcrhA2MaQ/hZYHSsoH4qtW9WSwARe3kq6ANhr+JHD4b4af7YLXtUglvlreEroNeU5nfRkthzkE6YMOeZCG9ZiboAb9Ab9dT1+0SK/aedfBOeX9gO2gBiwc4hXPIHvgAcOyu4oDL1q8HJo3ugYlCBUSLEo+J9xN2lAYfj4PhReHMMqeDa2lIIfvPaN+k8qxRT3ql3wQGSuAngYttl0qYGnL9M8OCTEw5xdKB5PnfxqLO18LpUPtYXaEbXpv150Ixtigh0BgunHmEaAxS8XF2fw+XaH20/ebR1i/uxLUfNC1zmbjCuV+2pcmmEpThNh2AKpcg+vYn9UTD8g1MK/MJHZIomzqB5YqDN+tYncONq3BSaBWdvo3dt7eTuILuHnL3CRXjjjBm78nRj5heW5JDdSubYaHcwMsG8XEmsz3LF7zyywwLTmjFrpu6vSbO0879/Mgpm5HOo+XG2gFKdqpWZH5e2wqfOExcVtjQwBG1iV7I+KqYXVg0IX4EymVeHT38LYvvfvyomvXGp1q+PD856w9RkzI1JCh+eyMr1oggLXarDsr3du+LrwWoy5zm76jMpJLmeJz1hKZbHRgl2XUmj2xXkKTrssU4mB/Otylbtwcjtb8bj50nzFQftpjMUBjZVwehxVn19zuolTVy+o11+1s9mMtxjWiANw3WYV2wIjTZ11bpia0rRR2PCk8eXdQaFhgE4Pf4gLTaXKCBczqwljf0T8szkvaYi9kOqjWCmVK3VEhS/Mq9pFkImSFWRX5pJmZEJzKlKm1sKowWjDPoZ08TAW9KGC7kg9vfATaOFm6q4hbszQKSQMU6MAgfNjaSa0VK50e0kFsStaw6IhMRyJw08PKnpCp5aX5WjO6VA12gKJ4CzopKh3rFYvRz0OaL97gZuFst7Y2RdNaxaVXGiesRGRlXF/KJIVf4YWHzXqBS36zJLuxR/u4ZqDx+PW+Do5aiOrQd41ts5P35x1zgkhJ0c93G9z2QUOnYTp94LdThHdPHczvwf+OiVkFvOp1+7jHXGMR50Qw1BE2xcFLFg6p4LrgkSVAkMzlijZCjrL1GGN0Csl7Na9oY2d6dy4oes01BDz5VfD/FG8fNP8hPXYw0RYnd6PCZ7NuGz738aNhfi34laDnTr/rRUKaWARLIvH/1so4jupDFHUGcF9sd+/gdXDKtDww/HhuUPfA4IngVCbRPs4foS3vuOHRWSI8nGb1W3oOe2p04X4cv4GDeE5YSgFclwFnYh8uf1GkT9X+Qt7QFNDZpLV7QVgEHRJxE3HM8m0WF01oY+0FFEvJl/Nv6xMvJ+Bmizdh24DULIkNPOJex2sdXrzI9Uh0Y9vqBLjERkzpex/OPyrvrVo3tMDAIptNrfV0pIaYF8vWp2NcCJ3l0D5N6zAgrd8XS60AjKPS7LEo6Q51T5KALrzeNUwzAC3ky+5TNJKG1n0u52lmiUsp9rwFPv6JRMpjTaKlsmP/q8GsjCVHooGJDlfqhUBdCIMCO5gyI7S6pUSSqhQLrwb3ZEduNBdy3I8Ne3eUNGRaa12Z/vWpQx4HbWp4JEWF5UyNI5yLGM0XZrrL+0Vtjf5J72mvYipRDpgyYsOXtx0roLjXGYdVNyzv/Y09CxkmM6c/rgC44z5t+/USdv9zEH9jZ4IGzthU0ioKXNuMJfBkKpsNAcoqWr0xD3BqCUFlYcwl23shvVGWUReHN+E1f0VhSLWdsRmCX8WA9doJdhYhl/sqLMg39UtjIkt/FyvD+iEgLWQUideU8zsRv83E6mEoBmpiGA3wBes6FbI6/gQSJJC3daqbIP8uY1OiZauj6m91iYMbGtxaNfEx3mAde6z+51CAC04xt8sgkQZ8nPgIlzi6GGJffcVfrjsI+vO2XNXbSiW2uzzxWOxAvJY7NVdcBNzpGtO3TAJOcuZVU81Y+TdT4ea7O5s79itfL71YifpWVoypSnPfQOfx7aIrEYr9C2m/IQd2artKg7rO4jbINWrsjRkl+XOSLuaJhX+ygvdpTbDkPbd7edd4th+fieOBr6ffOcd9tGsT6hVBJZGVmsdQNQv+9biG8o9+la3tvmWxnWfvsWsHpJrskf+ViPnX4OkmjR5T93QzaobyN9D/wDXUgVYsqOeQCgw89arrZ5iMs93+9Da6IP1MNzee2LaTdnuPzF9zb9czy+L45phxKpKnRnbnrjmNIClts3t5Oh8bRRrJVat6ADvTuZM9jYJuxP00LfMKznU9bBPTat1mb0N7mpd1m7itlS/sl6eEDZ8yMyUb4EYmg38wqhLEQGYWW+hgEip/YqbH0HR7bbgdNRgLENDbmxyOo2+uicd3ZuBmzm0aI8uiko4cQzLOMlrFvoa1wm7BIWyqEGPy4HVDWuOe+KTMm796D7SwA3bbhkUOgg/IOe11rKHOi4HqMnM+DUTro9WNKuzw5RKGpnK3Kn6XkFXE24UVTwiHCwG65pVG3tYNMrIBZROc02LRiCQ0lxLmGyBikD9sL5alJFJhqd/jOzNxSZSXo2IubGynPKtzOL6rlbz0NxUTkqvq5Bj190wIpSzAljqIk/2FspCUae6uyUcqY2MaUNOzrC+lR6BI0KPSDTmDVe+qu436BmnvGiQVo8jcpmeqLc6IVfRC4neR5C4wQ8OOzKR9txAZJ/dliafHbvOofDmGISIsUW21Zu5FOF7xciVkDdiRMb+sLqfUFSJ+tnrqui5kV7sNRDgOIhZXA7msVg9wIg4aKaH5mAB2ZJ+ceTkDF16jpqoJjcszx2TC+vxx69OP2zyv9oCR6GnyTqdCamNvfkMFRlVQGO++nMYdpo36+u/ZlS5isvUhMiEGTfzagIxCZZAcj6bm42AvHWerdtLpkfo25+//Vd9uvPLv775effNPzb25ifqP87+SHd+//XPzX9rbEUgjQGsHStHfnB/+3t2bRSdTnmafBDvmF0P7Dmptev9D4J8CMj5QP5GuJjISmQfBCF/I7Iy0SfuykziJ9+JED9VAgj3g/ggfpszEY9Z0LKMWj8C08HLyykzRd0JzrlgR+FCiuwc8ZiBc0GSvSaQgAzdwTi7SRCGWyb2qJGKlEzxghmmEJAG0MvBVAPSgMD+F0QeN1k8cpg0WelayADbDbqZSnVDVcayy8/JJjw583HmdZtYd1yjn5y9rFTyYzfsY+vVdrKVbCVNKy2ngl6iOjUQgzk5OD0gZ547nKLm9uzeKu2en6wjcN0vsF571MP23PERuK98tzn/lnb8h+bQ+xw4GEg8p8z8lMsb4HAa/nLBmWHcXM68Q6By0Zl9a+rW020iWixXzfuTDE5OXE1gkthxSbPMcWPXa80yWX81XedUuIdjA6DPRkejJQwJNev//vrgFKnvj3Uu1v/ALwxFf2fUgo4c5FZWiGKmESDf9ITYiROO1kL4G0tznAD0EVQtz2SlozEBEM1E5ty4lk3ijgar7t7mdrL1B2EipaW2Jx/kLSs/tmI3WsrP74xdjchvXDE9p+oqWQsovy+swC4gcasb6DgB0rvBBY1Ak87RXzpuIFrBgPrvW6fM4WJuCyO4dTkPDPYYOq8B1ZLJgkhIqpMKaMzJvbquBuGPXXs5P0O46m98yhtglzS9Yve2jbzd3gSirhvkk4Rd926PuFv/0iPw+h9rzciJvv0i73YzYs7z6wGkrNXXLz2jrKVV5DzsYwKy5IjkwMv/SVOrw4XgjKBbfns6U0hCCHGmHuohUHjuzqrf7Eh8QH0ZEr6or2dnl/jvOE98DIkXc2sM53RhxYIqK0fEpOWI8PL6xTpPi3JEmEmTtW8P8yZtIX6gNFgXnvj2/ATasuQovt7E6aqerF9bLCYWdzuIwcg+UWqWjkjJC0Dot4dOC3QDn9/zPfpXuEGDm9+NAk87++jb+Lu76gtGMY+d5uglg95KjpeMQvF2LOzRMStip8YQSJcxw1Iz8uNjVA4G19074npTxncKpr3nsKG4btZeD6nhIdzHlxXEQSn0y1fQ8B2W2mryLsWUzypV77skqhLLI4BoOTV2usSXsmmXOfT2ej0iN2wCGiBn0JjfqAoS+xFdXIqNUsF6YVxfcsXLw7Xa/IM/wVZAdsPGIEUzgn87lxo0gM7QFqsHZ28canTyQ812An1GFm2KnT5vMWi7e8PHHPMpoWLhmRxgHdepA11oH2qJtKFr4f8OfMMqvA4WusyTNy725I+KVTgwOb54DVUypQAS8savUsmUaR1ZL8IwoZ6rYuD+SCUErFnJzOMDogOPD88fYIVncWj5o+uX/rgnLqx/LlGfqyPYwSQehWmjmg/tLmkRmcktY0Sa+FOKZuqtkQSj7/h04fMHvP2LkHOMxqeqaFic6qvG2cTbul0rLt/7TDA83+rzt4TnYywMNWwmFf+TBUiWvQFwAUlASfIUpv9gza2Dw7983H5nxd9nIH9nQd+zLBcv4TsX6TqLskx4KNuIY8PA5+U0+CKCse6O1REjw4GKeTCkNNSeKaoYBNa5y8KP7Oqh+65aI3LsXB31NXT05vcR+eXdiLxmM/uEVTHbGD2rJjlPL3EYtnTPt6fCvk+FfR8OUu+GPhX2fSrs+1TY969X2Ldd17d5qde+mC+j0/m07eGVOj/T96vVudGe1DryOdnXHST+5fW67pK/d8XOr+h71uwaa/jLqHZ+VV9Qt+MilUUciPFpul2dj05x1KZel3h21dHrQJ8Lo96j1x29+X1pVH5ayFYdklVXuem/44epBf/m4PB2ABrzDymlH9aZ0V0khM2qo0LhQbDhu3DnON47vNmI7p6zvJxWeVyjt77upnUkUHBWBAcCxWxJlteFbDCFU6oZFfxPlKkbcRFCxsnekPnIWMYypwBgKifClbOpIawozaIn5vQS4vPOf25sxFO1effDt1aB/Kna/FO1+adq848M/OdUmy+VzKr0EYv2ddJ13Qy33FwtEPX25mYDPs0Up/mwMdVed3eTOc28KVoMVpV/7srqt8usgXWeGkogYgLEwamSRTNmTrkGP1En1RCrXY+0KJlO+krS+Gh6Na7FvbG/3aE+TabhPyX8B25a+EPmOYMqNmg/sH/VQQk9OYIN7bku5xclaD0mUv8OAy9HcOeLggrTMlb1nt/H6TnpNyViiHUBkFpWgnd9dFD7+3tSKONxfCQIE4qncyQoCAFpVMwOeY2pLEoqvNRkxUCwpzaIsZXkGOdU6lDP0IqSkG1KlaJiBvE8U54b5qy9UH3ZC4lQ7gJCfgU86AXNAEa9nodUwPoKleKb4i4ZTDX4eld9TFteXKtvvgbZhmvqHK6pe0j3AoIyPf34kgP9ZCpbN+Dy1R2/S63gSSVo4eh2leA71gf+KhzikZWB71gT+ObVgDg5xtf4ctz7LPrqTqZd3/m382y447WhORauwuhbP6uH78TUpbt8x/Seofxro+DNQgKLGIfmf8ajQtGBMLQDBMd0gbD1WIb7/hVpdIkvVbjh1mblj7bjbk8e3Kd8UvE8uxyWGlcPXEpk767ZUw9Q1Ns0dfmQjiwCnwlUEb6JCriGlNFUFgU35PyXA4xSEBiFziCD2g/RUxBgujN9yfZeZdmLrcnmq729ydY2Y5ubm5NXe69evNh78fLl1mZaO3jvMWinc5Ze6Woo3nTohu8gy68Q5M5rpkKVum7W7N7k+farjL7ae/WcPd/ZfPUqfZnt0Ww3nbxKX+00de1o8oFWdNSMLoH06iYXCJC/LZkIdXiUnClagBKcUzGr7NqNdCSlwRW7oVjO6SRnG2w65SmvQ85JHfDf1A8QnZc6lW3d/hGdhxlsjZiRubyJFwx16sKOuiC7SjO1DiEtIzLL5YTmHbzg130LYcvoOxk1/S0PLOODLOBe+JqYy3nKhB7M1fEah3cFkzFXvI05f9ibzaMIJTr0IXI4hZglN2KssilZkPOzo/8gfrrXXBusH1MzI6k1n+SszrDXZfYRsuvdkHpjrctnDkqazlkYeDvZHFDS670ioilqypFNwYqaoTqEnVEzjyrx+H3jHYKKoNuotNoA0t84ZHlO1cZMbmwlW9vJq3ZnFCi5lQ6Fwl9kYUFGm0WYjLx/9zq4u7wEA50SuK5FEl6XKL296mAosyItL7PEtOx9YwWbJVb9oIqEnmIazUS698j29vP72pQ+YkE3ZxDtygLgrnThSV7ejEkM6hXbmUe+qrqZ0+YjBRW0rvBMXM6yzwTbJ6osRiQrr2YjMlHsZkSE/WLGihERFXz9T6q6Z16VxbLbOKwk5je0OUvcyWQ7eRUL/025/5j8Au1iPkXy/w2VI3ImlbGkT44/srTCP5+dHa+F+q3Li9VNi+QgsT1WZHXTNGzGlpZGvtpfRqiBp3jO1q2W0NVeodyZnBpyKFUpVTPZ8h6SGF70CkvNujLYA1d6RuMw6HtWZsceWPcIS2spFw9c1ovkefLqxeZmsvVyZ2t32fX5CtOXsNCh49DsKj+HRs/PDk5OL5Lj/zhedn3DOgjDovq8hA9c3Eo4gR8+Hhx7ZgR/t23RK3evPlp76qNdPX+MvrrbD7OUYcRP0e9FSamoPSl1h1WX+dps/wT1Jv1whGcbESm6Wl+N6udgcB/76UvotDo1VucydKF9EyicinCjWT4lVITdtasqOeaO2wdRLfFlwMB6i+DWwfTLWVFmQ4X/rh4oRReuihUgiaoZVFnQI7toBfQBeLQLohMt88owrDQaRdlB6dVwr0WyyRu6IBPm3FyImVJJw6ACq9Acuh1He9aRIdzHdZSFJ1xs6NDEd52s5+FPqyaGD1ubif3f1osOIi8h2+ZhAmNLE2NiZuZBVXfEYscGx96iv4q9C9uqsJlvXOHClZmzKLCfJlV6xQyhguYLzTWRwmrJYcjC3shhk8iN1ScCN4AWrlTFZ4i8gUKG4YUCNySq8c+dOo53hK50yVMuK123jO3IdTvLMspUZuxS85mgYJdjH7m+t97QRMqcUdGH+x/xJ4ywL+2QkJ9PwgxxjbA20KtGVWz1EyHHlnyDncL77IQpUwYNWr47YE98Y0RbvkVUqhalkTNFyzlPsXOOro9zPOo1zXkWZy1B66hKGz8fec3oNSOVqOsmuBYD/tX6FZ+nV48fhr2hmlQCjISh+XRcOPndu7fvLt+fXrx7f35xfHT57u3bi0/dsgrTVAbKsDnH4RuXM3jnoPKvelRJuLUyQPJSlq07ztLquZGKaVckqd7ons0j6ZzyOFT173bHUXaoX7/tPc9yrJwC5S9Yhpk8jQ5Wrg81arGQY9Mo0TFZQElXjdG7wJlYvkBjM9ofkEo7BPVZpx4o+zPR3M+zIHiEzzi2LI24F1qurWQ3o1xo07hiJ1xQtSCuqWyzZm33bNLGXtxz8B6Kp6KgIrtcsoHU1/HPNvfhpyrPPdzYsgpICe5L15jI3Zlt97uXesJcTvppST1I1DTP69u23fyscw1/ulzUkIfIOhRFVi25Z5kkfYhlGrD28+1xQW0pH6XvZgoZMhW83lyHwTrdA4OmwBuCleF0HM1XX2RTcgMh/40K6WCIhZxcDwgGIMDhef/+5Ghk1aJCCq/dkJ/fnxzpUXw/0qiudWGPn11qvgglprE0cKjcA0657qoPpdBGVanB/rGoNOQLN1yMOchhsCQsBSmVZYIpuHwKbvgsvmTPTo6IYpVmjVLade1rXxprCt1WcHnQN8DqkCNC7VWl2yFnxGdPWuxJbXqYbbqd7uzuZq+mr149f7m7tMuwPkPfLC9ZPtbjoKUjxbTe0JHuOM8t7HDzCU2nuzGQdiAUUZq6S51MjqXTmVVEoipVvSUpo25JEytuu0stBN/Wk/nzjl0nsP5tbESw/wAX7nEabble3EsQkT2KSZHtDsTI3hzt4hTdSfWcbg006/kvB1t3TLu9+2K4ibd3X9wx9e7W9nBT725t90z9FwkGW/UXCobxNSQEy381SV1AA3r4nYahiOYFz/vcLG2OUVJlj+3XsRsNYvx5uM1nGStujaYnq9CXtAo5xH+/xqH+BTzZiL59G9EtO/fXMRX1L/DJYjSUxagf30+Go/vQ9WQ/+kvYj9x+PpmRnsxIX92M5Gnx27cmDWMwegiKnkxKy2Pri1qWHgjWl7M9PRywL2idejhwX9B+tTxw37SF6wsZsZbHVjlbSt54UOT3SX1NOo4GsVmRpYvpBoOeMDu+vRYfutllG/plGs/eEbMeoty6ObbbO9sPBa4D3WNE1UNXcIe5VVL2g7r1QFCB0S8B661ZPlYf5QVrbKsT67t2ou3NrRfrm7vr288vNvf2N3f3n+8ke7vPf3+oBmTmitFsubKGD8LyBQxMTo4egwwclANG8Dpwe1Pacfb1pYsteqC5+V5kv8BGAeaWVGRpEb4foWKAfDXUlqM6UCumaxxSgXm9E1Y34d8PQ0YV7AglEyVvNJT3MaAxcOOA8BIoNPmhM0bSStmBcug+KCITwLL7UZUW8s8QNc9ZKkXW5Luh9VFVdpO5n28vHaruYLyR6oqL2SV2LJTqEZMrhqQfSyYOdBJAbzshOorDXBZsg+Y8XbrgZ8mS/yVJJyVL/rp5JyVL/uqpJyVL/vLZJyz535iAEiHgWxT8A3BfXqwPU39toT3k5H5DInm4ar+iwN2C4VsQpwNI37Sw/AlRNd+fJO3x8/XkZA/B9yMFL08YjyAi11UWZlwbhxWX+/gu/u725MefMHnRNYW1lOHzwv0AvoAfNEsnS6YGQt44VCcYiJ+svnXCFNZAIDeKG8NcauWEavZihzCRygyKaoXN+UmqsEDVXWBdW+qcmb/TvGLHH8H7+Y7Nfq2YWrjvRk2PP6RP6hJpXNbOO2hBhQ69cV5e2u/GSQh5kb41wqQyXm6px5wwY5giiqXymik64Tk3C4CldkfUznF78t8d/3z548npwbt/4MqZa2vd48j6/dcfq4PDzYO///rjxcHBwQF8xn/+bVlhB7YYb5/7gqM+rYY+xgRgnRu7vVA9DeZzVXLrbT0LiKCaWB4JUYB9b8K+uD3yBJAAWWjoxxOGdM8HIoEpyTOL5PPfR4Ds4/84Ozg9ujz/fQ3pIXYUBRh4KNxCoGSqq/OGU7I/KiZSbFTgJgQCtqO/ef/64gTmgrH9cNAjOIx4TRXUUSI5hPnhsKKCPnOw1pqi7ZhHv719d4QEffzz5a/2UwP0iPrabYixAWHKC5oTxVy4GnrOnrFkRsYrWyvjHrfW6n+uHO5/UIZ+UCy7NKb8MOHiQ7GgZZmwj2zlv5a22gDBDVTa+dxQkVGVNfcbL1THRXyQim6vEEli2VXM+fUQCziYTBS7xkq/oBV5V6Sdr3ON/PLvr98sC/AVWwwA7y/8mmErcn7tPMxyakfq3nnnb3+6+O3g3fGHWmPzLPz04sMhyi5/R5X+w0lhBZqfeKhnYgkUm9DoDzdcWEAt3S2t0nUKLz3K8iFox44dx+TYrRrZ4eCEAu/u27gPn42QcMx7EPPhiE2qWV1z5/4CORGcQzXWhDn8Hd/tarMUxLWwVPe/D7JS/dWddSJCfLRmxl7hBaPC2OtkSlN7QVPDSMmvJca6KOj5SknJWWqX4uGDmjruA4RPwQMa+/7UEbQuBltbIRliD8WClDlNoQO+vWGOD89d1AK5iEFwQ2sGtSfFzPOCYoSlvOvbSU4hrgumQFnB3Y1cRUJNrV/i4rkgY4fFZBxWcmAZZKqYCTFKFkNxP6CRKw/ng8uhYtxcahM61quRD3iqKcK3vB2RNOdMmBHxj0I3PmzHlPjq+NklLxNyMsV65mXJXOjayZnn20bW0PNyPMJ6HVh3SjikAcao68JzckaM4tec5vliRIQkBQXRLK4+xw1MRhXLRlbcC9Hy0VT7W6+2k81kO9naHT+gysac6qFKvx3kOd4RVM+ZRjKQwiJEecJykhWGDHryh7Y/NRepNKqXENBf48+NGuqicEE0N5VrwYcV5xayWlWWFHSlGMSx1fqWA4zQfCYVN/PC0tMzDLdlik0lvGEJyrJMuPQCAGvLtzUsl0Buf68riz7HoE7OetHXVKP1YE0x/EZCrKSd7XZo7uePVd4oMvbOf76DM9pnfB2c0FQqig8Gi4aLyMNAQbGoe16EvhJ0ZgV+C4CLjvYhi4TmTBlNpCISCsUJiYXKYGG1JuALw9kpovBJN9oNSOderkUVIAIcL2K273mKByoruAZ3gRUAlcxD1Wk9Cq05JTIycnJ0vnFydl7/ENpvjcgNm/ghSwwfx54P4YFK5S5wVo8IExmojyRjhqWYUiGsfGpZsmbk2fHRuzVXTTqEbTKTPqR+T2Xm7Z4ej9cnD4p6xj0WoLlmqVmVSbEIdXIRCAg3hb8sZ5AkVYyaqNBw2CtPWYEygCs16LuTpHVuqFp/HfeCva+KAPbmG8qneFA3/0MaQPHGDYVLdDHArqUHcliPhIAVy2Vr8vCxxL3IIAfGsKK06sFJJGO8ZvRqaf1rcPfjBTa5b3seYePdhns89C/yx1ymV0RZtVobkGVK6GRPjk7PMQL4l4uLs3OyQS5en0Ngukxlrpe+K4YKIz/ANZ4cIaPi2kdHW9XbVfeCysfIO5FRRlJTbWHwDLKXcB5EMFubSwc8DVtiOFYE8luqDd/OGwJqMCbXCu00Y3dUfHX1gH0d4CWWP6jbpNF/HdcJxiqfYbPcuXj99vDfL49Ozy/tIbi8eH2+7NqGLuC7+q5RtNdIqy7cnU8Y73XY3d77IPxq0WiHT6FpNkedDbtbiEyq1VVNMplWdV5GczZQKOzJXF2t6UlIU1PRyIq/aeSdoSTn4grWQwoZ9ilHhwuiYOKl6vqac7V0Qdzp2tJ8MWImkht+xUuWcQr1re2njU/aXitrsaH89actytXMjEgpc54uRiiboEyArlx/61pFAU72g25/DOgvWN0NLjYhOfPe5Zlj+Zc/oZy1LJ6q6hvh/WB5kCoEAQQcwZWg6ztBj1qXAWd6qeugyTC718LW5ib+/9IGokGDei6iPkQbRLFrrtuiw4TZVQPtgF7vctW7S0vuWVPU59B3E3ZK0nn9zR1q0oF7zm6y7wBItfNFgKnF/iailv+pFMJtzzSI6qj0EMVmVIHhUDNQUPQoeh73f8LRtYj8dJrLG/AoqazWmX6SilwcnrlRsaOvDmAibCnj13UAChfccJqT83+cQqFuZp7pNfejG9QOWMOCbgmkxSB0tWdyDDJfdPDxQ80FPF6MokJTNzjY0JwmRGhqKswvc91HDFMFWQnjrVj+AbdaNKyHQrQA1wnQl/vZ6YmOeTPfkKa+LLzhDVv8UJfypltTxOtwVpbzxgSoQcMq3IhRFiyoof+sBBIFuGbQLube7husRq2QpjPkFFiw3cZ1OJxtpfoQh9/wS2h6f9DAQ7OMaFZQYXiKjpKPxrWvZh/TORUzNmowda5DB2sjyTW3y/W90LF5oYBkX9qwGnnLngpzTK3q7McUvoc2XiRo2nNOOW14nhOGhibMkHUt10UWmxkBYVMedeigZalkqTg1LF88RL1Gu+dQghO2CIWrz21M3ffcriEwmGLCZ5WsdL5AaoZ3ApcHj6IO2THQkJQKcnI2IpRksrAbAMbQSvCPREtLJwkh/6gxS/MbutBoWm5e2fTGw+Tpfpy4L8aIsqaMJqwUVTtRs8pn2YPRNuHl2IIyThCs8YhkrGRgnybSyQyk7vwPVlmuW8EsVCdL96e9LZ7FJf3iOITm0ICqLq9MKyOFLGSlfctDwHv9dQDQd13DgZ4dnJ+uddJs7b3NaDqvbU2ISgyGZD039O7Wi1ftNTeaXX7T6VzLR9D09rdsoOJnKWc5I69fHzbw0ROYskwwZPxas8ILhKBAaihU7474vSMJZNHdrdprNv9Cwr4Hsk/ybyM0OH7TLD1jMkm5WQxVZOSQm0X/7ryRwijW6o8E4EhhuGBisMInp42CJ26yDnynUpk5OYBgCtoDZCWMWlxyLXtSlh8HdTgFOTl/C/nFHQgPD24Fa6jddCD1bughFTTrYsr357sHnBmTl6Cc9837WooZN1WG93VODXzoxtz+N1nJpVjZJ+svnycvtnb2nm+OyEpOzco+2dlNdjd3X23tkf9Z7QA5oBFn9b1mat3fxy0DJw3tC0eEoskBpTA5JTNFRZVTFZc2MnO2IClUdrBiZ6PQgrs3TdNoxF0b55QJdC1AtHwuMVJowlSdFO9F2/qGQvByUs4Xmts/0LA4Iqk/1nEc1qk0Fk/2QZTAsWt0ZWQBF+SMydCssWPdmEhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzS6oPedmR2YOh3Yq7WHvrQMst1X68pCx32rY7f5OTsesd+cXJ2/aIWPlvyVkHTAXDz5uDwNqhJwzJrks9w8K5eWDXTKV6QchErChPoX3l6cBH0b1fxgTvJrD6zkpSKX1PDyNGb39cimbd5VkCbyyXNyITmVKRwWiMHoVREycoe4haS7TpLuVRqw4NSCGIE2PG/YRSgBvsAqa7Th4uZT5PhWrkunW34zDwbh/bbSBwDFpli2WWf9PiIfd4gmHA2Z9pEk3oc4dwjWEhZsiyAXE280Bm2POoRO4oCcWE4p3FOpSIrUymTGUjwSSqLFcI1WYk+t6sIohfVBRdlDGu7QKUHlnJtNSrXdwd03JxfuTQe9BDqajrlH8OI8Aw0ktzf2MBH8AmrSa0l5ALDe4xE88BHXgRz9GSBXU4XxNCreldRJ86pNsTcSJLTCcs1qt9CGkgFwFpGdu0Xr490iNxdSWVSXa10b8waGQ2SMLK8hO3/AhTBplMGJezsrE5ycXv4jF28PloboUvkSsgb4W1hDbCIQ/3ImxsBRSWtyd6NhykwHeJpzxuGtXisMQTU832TDZDMbRRTb8RytAPfN8im0kwlw1JMrHfVOS8hcily4RA5vY1jUEFeHx2c2avgAFd8FIaKSWW1uzpWUJ4PtDgr5BOYwEsm3fCvZFrl+SNn/n4184td8KomdkkwHagRd/jV8wlThhxzoQ1rNd8H3IA19asRIDrUBqdAXORgzsTbyxE6h6HzJ4LdccMHsvUQKsI5oFIc7wRO1gViwNBXX7gR+A6EmRoZde2LIw8wFhgZlCBUSLEo+J9RcBqiMHx8j6WM+ZSMYRXQrU+5D3Z149BkMJViinvVjnYQUIO7dtcQX9mxj6juzex+FFIKmhbM2YXi8dTgr8bSzkM/coKFqLnoLjriaRR4Wssz7MuXRK5h/9XdTSj92x1Ho4l/w2BJ0FHq+KeMGuqAu6GapDLPWWqijuuNVpWhTeWUiwxpLVB+LmfakXyooennhrQU9LU/wA/GyjkrmKL5gGVYj/0cMevz8W0e/Gd8CjYMLOi+1qlCngHxgC6KLkvtS4UqBkn+Guuwjt2AcLIzybQVx7oS1h7dme5ubk4byBjkqPZUoQ3xD0JghABCjIFMNTVBa9CiVFxH/ExOMdlEyIw5c2FjybWHLmSqA8GAXJqxbnn3kLPaKSEbA+MyYwt6xTThpu7nH3PmWtK2dGoJ0jdYhYMhWIdqmykb9sBY3YKnVU4VwBuGZAU3vmRyO4LsVBrnNuaYWyKY62DAWP2CxnPZAAPiwmUD7XW8ZuSgxshvvKGpIWP7nrsu7O0BHy32QX6iPQWvs+cv2S6bTNkmZS/SnVcvt7MJezXd3Hq5Q7dePH85mext77ycvmhZjgaxXTYELU9s6NePuBNgqxWmJ3pehDKr7mTCPQyJOY5eaJ7LG9z+jGuj+KSKI8fdGC4FQFWQFBFMmFDot3n1o0HCR1toQyFBFyxd9QkRwcgegX+C36ZUwwqOrdLGU5cR0zhFXgpod8ZP80qbTrt7K3v+yKjRfYOg5uguOKifXIYqAuFRu5HjWl7BLK6pPRiA7rj6dJeuWLyOdXfcmkQkMzaoA8VTEw0kAVO2+ExECeZGIi8KpGRH8C97ruilYfsbHNMooDSusAFpteDEx7SjUbQJfumBLdb+j4mvmR0GdddJgMynmPnRlqOlFkuOQOhSVAsA+yzueRRd2CRUR4OJBcFO71O1GidZMi1WV2upa06vmfempqw0uLgwG0IMKPbClQPS5StFDWeipA8JJ5qLWcX1POxafSjhSNv7glRl46p395zUFlQSS9GuzoLDi2DaW6wDS6iHb3GhJtXUDMZTzxpZR64QcOwWVVCBIWma9YgJfr71TfdPqzm0jlI6H9WTi3nCOH5rrU3pfqCcexB5fcTzg+8JeDGiGggLBh23R55tyAnhho4Ec7+SaJJjv0EnUxxEqjAGVawFXfuE3sJ6b7zkNG5w1fE9XLexHb3xtI+zI39vFsbzGxKC8hq6RXdXah5sJMmlvCLUXkmYiccMNkNp6RZRLb7A3bvYeJ5sJzuxngWxew01q/7mDi0Ln7o/ktMHB2JPA3AObTRFwuZIUcjmPcGasfvMRWx+kyGFLjjyKaTwKaTwKaTwGwkpxDPpK0zVjOQrxhUiSE9xhU9xhY8D0lNc4fI4e4orfIor/K7iCuGy+O7iCh3UZMi4Qne13xNPR3MXhFafWhlC7Xpj6qJUNmIUBWVLzL75GMNb0ZF8Jj6+wRjD5YW6Lxho2EPzXz3QMBY1nwINnwINnwINnwINnwINnwIN2wT3FGj4FGj4FGj4FGj4LbO0zw40hJ4pCIxzgF3U39zhAHP9HiwN5lRrPl34yCVs8g5lNmmaSqwsA/WrcC5i6EcpZOFNRv7itzC/4UYxcnBx8X8O/51MFS0YFOXtDT6E+hpSwTqbgLjZQTWiobYqV6GKJ+h+bsyTo/MROf35p99GUPVyzQc0hA7iHlz0lOAaEgNdxZO/ARS+erMbMS5WavUPJ+yFslRufxw2UA9d4UVJU7Oy1pyFpXMg6uRvXv2q1x5qRvv5XA1bLkCXAXGNpnMoBBUqQYINzYDb1dM5TDWCHUpTWZQ51xhlNJM09+BFVUSFPfpWt0Yf68raA/yOYUu/AI92+A1TBu/+tFJQQSgUz0SbrSefhhiL+wy/h80IMZHMqs4Q5we7RX4KU7mxeMOuTLzMHnqLQcAVlM0Ss1CClTAr4GMTCkO4mFn9FRvOS0UUM0rqEiXnPAKWzma4PF91p3Xy35xcvDt2R6upfCEpD3bDW3rmqF4jMhvU6HH3D1c821dbijlBWOQbahT/SC5wnGbx01HctSghz9jHJNS5o8bQ9Cop7JhQ5w4h0RsXB5ubO5sbYYK1NtbwgT58fSFJI8S1LI+7Gl0xN/3yuEOW1oe7oYtBXsDp9PUgK5V/pxh80Ai1vOEvjS9xpANTbOIV97n/VIf1PjpePTB642Jr59Wru861/f0WtP1FtN1GEPR3uk23ix237N3X4SxLY7chWwzEXJbH7oPGCLh2ZfK8tuBqxD6kMxz9/9m79uY0cmX//34KlfNH7FMwBgzYzq3cLRvwxnfjODfEm1NnawuLGQFKZkZEmjHxfvpTaj1G88AeHBNnU9lKbRmY0aPVanW3un8NqNkurGNOsZ8xPxXG8M8waA3gI6KJIOEMdDIKlZQAlDK8RfiGUcDfbwZkmSwsQGemsKkhfPF6rWOjrBOeKEVNVX7doDadT5eLrVViGKsqXjQOQInUaKuqS8VmQcrt1zoE1yFpSeC9Hk9Gg+Gr0eTd+GTy4fz9q8nJaDxpd44mg9PBZPzqpNPr/3KPhLEzVwgWDu22RIW3o4umqUEnEhwHTRyymORWjUFwvUW612MDV7llfbCBVFRllCpczyb54oepoDcgIK/LU5r4C0zjayRo7GuPt1uiCKlrApUDZiEjQyrKcToX5+eeV7uQyLqRbInEJ6aAj0trp/NSdHyO+plps4BozPVr8aA1yAKezSrgRN9/5JPHZpSLJMcWJhNmYQPKKio65Fam+bCFWmCx8KKgt6X1GeQEVDwnfMnliZhBMF8MeyigYCayGRqO3tllzEd4Q0JejZ1zprIqBBUJiX19m6RAd8HvqAo8NZyzzF5KZYuiPINZJcV0uSQcslCAXsUt0jo77A8OzzqDXu/0bHg4PBodnR6ddU/PTs9ag+PR4CFrIha4/WSLMn510v7Hr8rx6OD4YHh80D44Ojo6GnaOjjr9/qAzPG73Ou3usD1sDwaj087JA1cnO3GeZH06vX71ClkaOjkFX79CWatqpR5n3/SPDs/6/f5Jq9cdnbUPT1pHo85Zp93vjE5Ou4PTQWvY6fdG7eHh0WHvdHTYPT07GBy2O4OT487w5Kx2aQo9RypEujWVZ5jlaJnik1LfT6cfiW+v1tUIzCfQ5CrPIw0tXVqlIgEHb15e3A7VFdg7xhI0OGmgy6uX5/GMY5Hw1Aff6nuCowYaDl5GtyZwZDh4aeIY6hPwIz7Y1jmuL4UgtTgLz1f96rxTqVQv2ErFaC4Jl8wmmWw8fr2fKdoILXAciAX+VL4TDbqkN20fBf1pr+cftjuHnaPjg06n7R/3p7jT3ZSfYpZM8CypxVLraukPcUL239OIuMoylOzVeOY5rUCgmEE8E9GbNZBb2d2bFfX/n3danXazJf+9b7VewD+v1Wr9p3bNWWe+U0j9/IYT1rpR7cm2jw9bjzFZhej2yMEDhXJ1giEfh6EUlzEavznXUjUhYZiDy1d3IwsmkljX9ytXBtHUowJhVeNKX1xpq8pDHySNHaktn8wVbikUP54TSfYl1UlCbkyeThMqEX+1Wnk6Y8/z2aYEV6LyKcVzSSBngtiS5V6BHN2aCp2XVy+HuXo6jyWHRbpUlzcTZVJvKxXOWle6m2rdIWfLq28WJAzZWrtljTXf6fUnvw0upDV/cNSteHo0GNZ4/rnnefU3e8qLhai37QSRPWZlWOCqErLfFY0bShbq2ohVgT2C+MtOr89rV54hIsHTEBi/xkynjIUEx1UTOlU/oVmIc9OiM+PsQjGZs4Qqbl9hiIvziRCzNEQ4dnLaOY4F1LfSPrUYkdjnt1CZL0njmIS1DdmYfEkmxr32TZfS+vRUaR01bhJ46C1RC6uLCTtBkpBfePLmJKuwvmv8mFJ4UhyrUlZYCDqPpeQQ+0komjATqc3LOTRVu2t/8L4skih8hsNl3DRjbNJA7BXsK11rP1PfQ7aCm2VR5jo5yv17SwO5cdIijbbKcFQUHLHAcLpfCJ/IfF2x8nTJdwtcWpvNNOrsd+k11GPb1GtYntJTeQ3XjWTb59oWvIbuWjxoDb5rr6Ee7g/jNTSr9U/2Grpr8mN4DZ9yVR7ba1hYnR/Ea1hzhVxj/R/nNdRz3KrXcLyRf7DkF8yOCgcT/wn8g7r7j/hga6ZotYNQV/l8LAfhwXG3223jab932OuSTqd1OG2T9rTbO5we9LvtYEN6PIaD8D2NpAEXLUv+Mu0c+h4chM58v9pBuOmEv7mDUE92u/6qcW3PVEEkV4gAaVmane35LNqKCNhufds3KeCE5PIUzUm1xFwY/DH5PeN0TmMcavu2ggO8Tu3F1p1s28HwBoA96d8kUEY4nH7WvwDuSnea900xua+av42H4tg3yY8mJsr5an1c1DADGTWNVGPWQhjT38TIY6xMGs7S+YKlZvdgFFGfM4uwzP0FTYjiTByG0rCRJvANJavMssoC/vUmcAaOnNQJxMnnlEiLtZkxianeuyJT87sxn2acxUmTxEEBG68pp/M5JVwePFA+X88jw2yYYv+T++YG8Vhy9FsMel0Pjqw6zvKpTtQ3argim5tOkFEZuVnhYW0rT4k8dVDC5kRqf6AZ2iazTD6V12UILg/iUC2eAzyZEN7UXh3iULKUUtudzo47s4Pe4eH0oBvgPj7wyXHnOGiRFukeHvSL5LWlkp+GyLb7AqnN9yYf2yT9W5wayMmICBYp17ANkOBjgZ1F6lwFSQ3a0heiFfW5UCJfqzVr9Q8xbk3xcaszPXSkQspDVyJcvXt9jzS4evfaxD8aaFF9RwFObtinJCG6zD1svKt3r0UDwiD1k0ZiSRpMOYGkbBSwVSxZgiHhL0hEGhb5YImThX6fIePHq7PRtpvxqpVtk8XGw0aWG56/HtvJ49wKFhGNNIuBnhG+VcG62kF+/lbOdl+SUNJVpdOGtw3gCJYmFlXQtqoy+M/1rZ9sW6XwO5g0ColzzgzyxrW+2tMggiWmqbjhs9cMxhO9LdK+X+ggW5PPKbQbTAon03mFGqB3gyVLysMCimqhCSoURqcggHNOE+3xbMhVjFkiRSG/hfjpBey3/PuFxkOCIYlwSThlAYpSkUAjUynr/DANSFABs6BsZHh4StDOMp7vZH4O+fqOJ78rr9BSn4BO0to8ysBhHn1V3jKeOGCpkihg8ih2enbt8H/CljsF4lw/u1ZGSx6Cwgy6kH07S8NHVMCeLLfhfKay+KUIhGRIGsktrRMiobB7Kki2YW8dXwmAgWY2Do3RteRn2d413B2C7wU2vAY4F4gTaR2Bqi+NZG5sB6Pw5HFLXdSbinD7vAR40e0e7Ct03l8/v8yh9T5L2DK3emZD/gAr+PwqjlgASPGZnAHWF0gQEucoW0b8csooxBZ9NGIxTZhU55UEYFM4uQN7GEyJFDWacRoKjxwLlxUwXLYCTrNqQ74KGQQJidHHFKCEMsMRZJc8R4sYLZZzbJaufc02i0HTX2FhB9rInfOVxUAexESytTU/5/hriYVwuObR7+V08wWrwiuMIdkWhMJbnCwKfTuyVRNopzCcLSCVuQhZpXF0uwclydHtHuQGJU2o220qCdCBZmKLuQjjVb/oe++qObh69E6B2Upn169wdsF9XuA6INxeAINfKXRWa4mZfBd2qJOopnx3zthNmRquYrWgv2ma2KcaTmdqskpNsS0qIKUYkWiZZOOBoasnr/XbBQD5XMUHNCXJipB8CEOyYkpXLRzQT42OJkXwT2i07wcaTRlt22KCMbS+XibCabNTOHdVFuT1i0q9U413zbmV9yf8BH1DP0HfHgT6tsWQ4ivdfIWO4o4g59wxn++pygeOu2LFiByGkq0aAY8q9RYyZ8kNtvaF9jPkq0joJFvJH1BCB8rTARC2C4grv6FE6BPVIEmhiAFaDVYuYhoYM9k4onCMMMT7aIUbTmvh+IejDSBgfli8vqeE6vuJ0leJ0vejA/T9A7D5nhqW7yci372IfE8OxvcTh08pFRM8N25ER7VA2bc1FAzVhlEzsjq0LCIaEA9NOVs5d4guut6tdnSJBVshKbxiuN41t8pQvsxnkVQOra2ub9VTO1RjJ2+gExBbiPIbSAndW3FJ6NuFKdC0njG3MqCMdKVBjfEMc5ob1HfvBC7IAYc/Jjn+KM71gv1NwxDv97wW2lWr8T9o8PZKrwy6HKN2Z9JWxs0F9uUX/95DJ8tlSD6Q6e802e+3el7ba/fs8HZ/f/X+4nVDvfMb8T+xPaSL0+23O14LXbApDcl+uzdqd480uff7ra7O07BEF94MRzTcltftcoxU+2jX2EScBAucNFBAphTHDTTjhExF0EArGgdsJfbKybnwZGncP8aVz+WScOwAJRrdEKwRE59rQ285lElZU9ZJsc4F+4hvSJFanwiPybbU+NIcVG922Cr0AK/W7ZCu1/VazXa705yTmHDqF0f/g5gAa9baXNM7K71ucf9dpIzRTr/Vypr+9H72SZww0UDpNI2T9K49jPmKlvbwdkMDS4Ovy4/tltcuSsrtDrVQWPSOk1NKd0e/ugm1ZNSa1R+vT97U0ankc/ninMrDbwvPH7U6XvszSvB8V+y5dT6NFwUL5f7CAtF4DjEjUjUn6k9oHwvBfJVNp8o5x+ZKEOwFMCjkrC3EsFP3VHWmKyFb9C/93Bt1M+rJ2VfNghOf8UA2R+N5qGeb4DlAzcIVagqBCJA8aBbPKSf9uUnj5mdEYh8vRapGKRra3KkaGcrddtpSXLppFxgX22tdQWLBuEYi/g8hnxroA+VELDD/tAd3lgCFq/F4TWVljmcz6pcoQeOY8LWrqppA6iE9uWyBBdo1rjTdqv4tP/+9NZO8e3o5UOpNZ3nH9HKYBBCUY+6ppCUaBFRzlhlPjlegDFKgwqU1ORI8n4Ms0E1eTk2Wh8Pchns9l8t1Lm8F/5nHdZOWt11zFuLX7a7QoZTGCA6o8DkBo7u4w3SbMAKnvXXr4pRv0rWbGsqic6s8bWDabM05AxM6HypNUQNR6zh2S/2yvP7lnoP4G1g+l0sF2KhmACbzJnNgaSJoQO6eiJX6aRgTjqc0NCUKjfgv/bD+HJDHQK6hGk58XNE1Knn0TeL+jT3AauFOaiD5La1Prpy6VgikPHcjymEiSYkuGG53LPa4AezXoTdGJWra/b07c32gQzBfZF/jq/FoT/4Bai4O4UHbaPYCTvAUTiKOzvS+3cvdvWXYAJ9THN6KeYp54Km/PZ9F+59XZLog4XJ/xiYQQRbuf4rZKiTBnMim93MTnBhcViK8RRL9+f/QkB1YnhjZs3/tVUYHmdBEc71Svv16/ueOmdfOXxvA71SAz28DCDffkU0qyVFB+IxnmmVucTIj3Q1qgmQkQHDwb4TYL4HWDv4Yj+tSwhnxd2sVlahaqL9aJilsPn1mCXuE4xBOQ7e3qrfXbA//hjj4vyDD9mf4M7B5+My/IRO4TZw4gxMTnxOckODPARTKsN26spUSdRaPviyZkJJj8MfIneFfpfU9j1GE/csxUmlwqOO1O16/4Ybx5MmhAwXfvR1skIVP4jQCo2erG8RIUecGxYGtoeKOpSlvjqolqtgdo7ok2DI6vJqxFg2758M9EzihK8ovs6jn6sMSqQtsD527d866Bn2xA92ouZ8q07V4etRl/dUCJxMqJnIL0GBP83qRx23rJV4/H/5VsUbNTqt93Gy1Wq0N4GC2i2x+gjgxNUTXCZic/qyljcogiWhC58r8sbQwi2G5PyisS5Ew1Sviz2lzSmP5Lbjz/Dn9Vf7x0tKx325vQEbJeJOtMr+2IhlHwsdxNauWJi9n0m61j7xNmEK2HxPu3ZA4YNvKsH+fL9ddOuBhCEgNoYw7TmI8De9R190JMU48qXnVmMwsZLiyGPvzsWxGhcNwHM/11VfLa0mNu93yWsqZCH8a7KkFQRETCRLkhnA31vxUqphCt8ik9Sk1NiGIEBHctYHUXoaMJoYoEUk49QXaVdD66Aau8rP0ExXm/QUKlS85vaEhmROdzKVviRPCVVbbXkNXUslade98ZRu2XfnanEOzUIZLRU3AmPZ0qpfPlmSNElChfhlVHVi3GWgsvr2SptrzepstMYlvKGeAz1XrKusbrfXIHdZ9i47jW2STGIBL9Ao10ENWCC5kKSeAWfYdLFFCoiXj39PqvNcjum9h4O4nwkmqCC1JGmhIPZhFI3dem7XyH29f1KTwdn3lYMi/wcbbkpPa1nTeffPHcC877KVpTBOc0BsXGeWGcOBPHH+i8Rxc1Duv2WqngXYuSEDTaEdx884rOl/swBJIMw3ddOSiWvFpWwROEEUHpIJgsH0l0FXW1oHX0pG5t+BDDMiMxvlELtlC9nBujRwugieoQGwVA25sgCIc47nyPZ2dvxu/9y75vIHOY99Du/CFFJ7oatxUICkxA1TAGXVMLT7HsS3XslowKQyoMMmQCUMLEi5B7oNHXRAfmFNqtiAnpPa1ZLFbIobgSCDscyaU4rxiPAzWsGh8E3gxFYk3Zzfgs2hqUQTsWhYG6nKkHqvqJdmidmFXvVLDgKBWST0QFOYQNOVfeBYKgeRZyjhN9EIgTuZY1Z90RMDDKFhS4mU3vu26kopNSZAXaKrKaeLYXzCuPjZ9YzJrf+SpeiZHmf+Ftgcm50WXo5xCUUN9dWGiImErhaHOlpOLAU64Ku+hui0zSMi55cMhtdlwS5wszMPOgxUDlP8NyZITH4rrNCHzMnsRfIfwieYvzqTYnmcxzGZ8Uyh8SSPyt4nGWT885TgtPBzRuTLsX6CEpyTfuqJIrlnmgtCoD5Mqdl4zdbs+oLfBWTJPOSyK6qxqfjVIL1fIfe7OaUGjD13TO1uWxBUA2OHRWCQ4M0DvpRFAlKt3kXkX0cBsCz9kaZDtgIH8aA4iLrc5DnCCqzfFhf5VaRN+7lWwWLOLBBwEE3hgYpqUT/pECGWtmD2SmzW84C05k9yQBdhmKeLql+aXu3nDDfLSr8id+huke6gZK4OponMa4Tmp6BpHtImnftDuHFTK06z3c9kCOh9aQ1zRySyF5stn6ESyCDzEwsDdIWZAknCeJQkQ+R4eq3z4Tj5z+jADzIz0u7uxE7LPb9xTjW1T6Kvu/nF6i7C/oDEB4VKrM/2C57xQty/XrpjUkKR3v1W3V83jdReutL/q9sPJPFOb7+4j92hl+0YeBcz/BLyqBdLQfK7YXuo3JBIMl9BhqJB2QBqp3+S+FgvGk4k6EjLNyugBqr+mFUZrzms7LFRxPZh/JSdE1LHk1lqvJpZDsOpXKom2pispcTbvDSSds6E27LXwZr1OH96dTvZEz9D7y+HlC/SKraReE2GAORbk19JYchoGulvLQOvlObIyXQ3BM5wrD/6Mb1+pTxWNnMcz5nKrPhbk68jIGodB5feV7KnPjdFg7MbQUBM14hFfeLeRxp9/pi+Bsa6ILo2n7M1CsgazIDPrOX390uQyKqrB0e8j7yyjCFw1Zcte7pcJb5rSsNxleUXt6b3TPhq2W8c79YZzOUbQg+t4rx6IzwJSuQ/uGotIOEn8Rf3BmF5USlZ8aznwUzolPCYJ3IRoPvzd/a6i3ex3q+zlNbesUeRy4d1SNXvpXsmaG/TdPFek+JIF1WJno83sUGDJVEmV8uLKrtIKGf7Qnt6yAF2dD8sdyf+LJfYfb1JZi+XOWFAS+V/ZmYn3LnemxeW/vlowOz9PIrxc0niun935V81d5IxYHyQRXpaHDHlb6j7tuxu3M7bqwXMCpVcESR53ibN21yx0QJYhu40K9u3Xd5y1u6ZjqQiSWRo++pSdhtd0fY8e9NCObbP3dlut9H19v6pdfcBoWZ6dLm/tFxXt6h+zc8UatVXnQNY22ugQIF/qqp26B498IX6aOPehqEL11DP+yEL2ieImThMWUAFXHdn0/0/9iob6l1vkPoccy/te70lFU+4prMdhm1znV9TPecq9lL/Z2MCdZgL8dUAHm9kBOGH+1X3Su5zRa7obYX+hsxYVEKENL9El4zTiBqGACmcjhXXBLpFgnqRL4+NRDSnIm0hFtliHYKKBlnFEEjkxrm+7YN1IAiq5AmaAL+THhg6fgKGBjxyHADkilNv8/G3DuJaA3WnQgDxkuP7KDQmc5YkAylSTUEfbLjkLUj/ZnJAQD2j3rm5Gqol2bnd1+2B2yXX7XNjMlV2n5717unZCJzbsWb1rSJ1N3+EFgXgax6r0VfU4DFTsxr1fvXutwfqlqQLdaW6FkdxFdD/l9WtIZb1+sOCIZn4rLCyLa5MSp8mCxImNClVAdtbrW7j4sLGDNa4+Nrz1+MV1+2uRW5TuuV7PaEgQTjQqt7ZNq2SdIElK76JfBiPO0+p8cQWMatFXFxpz6Fo1fY2mNJHdeOgyolDYA0qCrKgghfsEQZL59sYy32gsKjV5c25G6MRAzLCZTjaz4fUgJDNAdPJF3fnpzpAbGY4MbGdYBcEEUI6KZQO2ikOGDeachy7j8NZpxpaHlCwG4agNdEOxMksvhucJiT4sCCdnnEUiYxnPacLQis7MSN0sAY2cVYI1+Zrg4rXEtXDvscGS125+m5CQKrwJuX0Bd0W2ixyASPWfxvvQ05EaRIkXQxqnX9ZqUqWL3/HotXxBXwpmF8CwgpXqVwmEaR2rVfTGVnGGJ65sIq/QLGeObla3WWjpubCzkY0UGy6gfj20aY0Fw7hzlDuGLrkh4T19ZFUwWxv0Cy17v1SiYN0lUq9UMJvjvUJFV541edOArvf+5WNV5aMmUK7Q9jqGcVwoNYjv9HA+LJI5Z2ht1phKSM/N20Ki1Zv7yCKobXP+hV6+ngaFBt3E/BxUUKHN/HdrWtRAS2VKrLfdNneoFbvLSLKGKA9st4JDpDRU+TP1WOTMPr9VHil28/VMUmzxEbjEafKbsEmpv8fik1LDFYwi8E1BrV/LI2P56FbZw+nh6znDaewRmEK19k34we3qsVjBbVNR478BAAD//xGFF30=" + return "eJzs/XtTHDmWMIz/359CPzbih5ktkipuxrzvRDw00N3E2pgxeHqnxxugylRVaciUsiUluPqJ/e5v6BxJqbwAhU3Zbg+zz+OmqjKlo6Ojc9O5/Af59eDd6cnpz/8/ciSJkIawjBtiZlyTCc8ZybhiqcnnA8INuaWaTJlgihqWkfGcmBkjx4fnpFTyXyw1gx/+g4ypZhmRAr6/YUpzKcgo2U2GyQ//Qc5yRjUjN1xzQ2bGlHp/Y2PKzawaJ6ksNlhOteHpBks1MZLoajpl2pB0RsWUwVd22AlneaaTH35YJ9dsvk9Yqn8gxHCTs337wA+EZEynipeGSwFfkZ/cO8S9vf8DIetE0ILtk9X/Y3jBtKFFufoDIYTk7Ibl+ySVisFnxX6vuGLZPjGqwq/MvGT7JKMGPzbmWz2ihm3YMcntjAlAE7thwhCp+JQLi77kB3iPkAuLa67hoSy8xz4aRVOL5omSRT3CwE7MU5rnc6JYqZhmwnAxhYnciPV0vRumZaVSFuY/mUQv4G9kRjUR0kObk4CeAZLGDc0rBkAHYEpZVrmdxg3rJptwpQ283wJLsZTxmxqqkpcs56KG653DOe4XmUhFaJ7jCDrBfWIfaVHaTV/dHI5214c765tbF8O9/eHO/tZ2srez9dtqtM05HbNc924w7qYcWyqGL/DPS/z+ms1vpcp6Nvqw0kYW9oENxElJudJhDYdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9BnuMeaEIVI9pIiyiqPaQBgGOPoKtMptdMXREqMnJ1vaevHDo6mPy/K7Qsc54CdCv7ZGUi5fqYqpUBWWHixn5TKplVKfz+vzGCC6Y1nbJ7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWe39kxwQSg8bb9gKmDFTqeNqlJTWbzlcqrJLTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxrhjN6DhnRFdFQdWcyOjExcewqHLDyzysXRP2kWt75GdsXk9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6f3nYCY0vlUSMUu6VjesH0yGm5ud3fuNdfGrse9pwOpGzoljKYzv8omjf0zJiGkq82V/4lJiU6ZQEpxbP0gfDFVsir3yWYPHV3MGL4ZdskdI8dcKaFju8nIBifm1p4ey0CNFXATtxVUzC3OqT2FeW7P3YBkzOAfUhE51kzd2O1BcpWWzGbS7pRUxNBrpknBqK4UK+wDbtjwWPt0asJFmlcZIz8yavkArFWTgs4JzbUkqhL2bTev0glINFho8he3VDeknlkmOWY1PwbKtvBTnmtPe4gkVQlhz4lEBFnYovUpN+TtjKmYe89oWTJLgXaxcFLDUoGzWwQIR40TKY2Qxu65X+w+OcHpUqsJyAkuGs6tPYiDGr7EkgJxmsiYUZNE5/fg7A3oJE5yNhfkdpyW5YZdCk9ZQmraiLlvJplHHbBdUDQInyC1cE2sfCVmpmQ1nZHfK1bZ8fVcG1ZokvNrRv6LTq7pgLxjGUf6KJVMmdZcTP2muMd1lc4sl34tp9pQPSO4DnIO6HYow4MIRI4oDOpKfTrGFc+zxPMpN0v7RPed6TtPdfskHX80TGRWPNupGiibuH3HPfK07BQZZNdWoxFuACPDKaRi3jMenDSKCEf9IwxpT0Cp5A3P2MAqJLpkKZ/wlODboPhwHdQzh8GI0xTMKJ5a2gm66Euri5IXtMh2t9cGJOdj+Bm//ucu3dxie5O9ydZwsjMcjsZ0a3ubbbOd7Wwve5WO9zbT8Wj4Mg0g2vUYsjncHK4PN9eHO2Rza3803B8NyX8Oh8MheX9x+D8BwxNa5eYScLRPJjTXrLGtrJyxgimaX/KsuanMbccTbKyfg/DMcr4JZwq5AtfufLzgExAsIH30WnuLudVQVAFan1fMaaqkthuhDVWWTY4rQ66QQnh2BcfMHrDuDu3RbYvoSQMR7eU/DU2/F/x3q7Y+ft1BjbKcB/kVvHcL+tqYEeBOvIcA3fKyxvLsv8tYoNNGgW3GjL6zg5pQfAqlHGoWU37DQB2lwr2GT7ufZywvJ1VueaPlAG6FYWBzK8lPjk8TLrShInXqaUvMaDsxyBpLJE5LIrWWxEqqgDOEsbkmgrEM7crbGU9n3akCw05lYSezZlO07pOJ5R9eoMBSUdL4r+TEMEFyNjGEFaWZd7dyImVjF+1GLWMXL+blPdvnhZidgND8ls410cb+G3BrVXw986SJ2+qsLHzXKmlJjRoRRHHAav0skribaMzqR0Az4ZPGxtc71iaAxuYXNJ1ZU6+L4ngcj2fHuJeA6r87kdBEdgum3WSYDNdVuhlrp7qhmlZGClnISpNzkPQPqKkHgtD6FVQOyIuD8zU8mE7pdIClUggGjoATYZgSzJAzJY1MpZf7L07O1oiSFUjDUrEJ/8g0qUTGUE5b6atkbgez3E0qUkjFiGDmVqprIkumqJHK6rHedmczmk/sC5RYNSZnhGYFF1wbezJvvM5sx8pkgQo2NcS5I3ARRSHFgKQ5oyqf1xIQbJcArcx5Ogd7YcZAZbALTBbWg0RVjIOeep+ozGVQxhpb4UQCjkNonssUdGYHUWebnBoZvg4E73bRDfTi4Px0jVQweD6vJY5GmyigHs/ESWPdEemNdka7rxoLlmpKBf8D2GPSFSOfoyaA9XkZYzlidd5sJ11LnoDqrAodazTkPnWntQdvozXBfB08/CylpcHXrw+jM5jmvGUiHtbf3GMjHrg37WHz9Ei1I0BuuD0LSPp+m9wRdLqvBw5tP8WmVGVgE1iVXwo9iJ5He2DM0YvKpaA5meTyliiWWnO54ZG4ODxzo6JkqsHswGa/sI9HkMEB1EwES9A+c/6PU1LS9JqZF3otgVnQiVE6FtKZCr2FVrVrTOpNWAW6NtMWDmdkeSwZRYWmAExCzmXBgtlTaTQfDVMFWfEuUKlWaoeJYhPPrRwoorVAjUfP/ezMe9zZMQvmLZj3EQLcsbRgianf5nqKGH50VDgi8hNY6VXpyiLEjVrb1VxY8P5VCdwAMLPRcPYO6p7BavwKaTpDWsUK92sdTrT3DAZ/Io634ecJHmA4PKiq0SwjmhVUGJ4C72cfjdPq2EfU1weoRHmOoINuZyS54Xa5/A9W+0zsQpkCC05zU1G3HScTMpeVCnNMaJ574vMSwXLTqVTzgX3UKyXa8DwnTOhKOQ3UuZ2t4pIxbSx5WJRahE14ngeGRstSyVJxalg+f4S9TLNMMa2XZVMBtaNzxNGWm9DpP4HNFGM+rWSl8zlSM7wTGOatRYuWBQN3O8m5BnfkydnAmscoZ6Ui1AqWj0RLSycJIf+oMRv0wVo7wnOg6K2HydP9VeK+uEKUNbVMQbiJlMisQpcwisarhJdXFpSrBMG6GpCMlUxkTs1HHV2KGgjw1Lgdq7Wo5N9OgFOdPMvw2JM1N0w/oNpHe49+n+ZrDUB+tD+g0y5cnLkz6UgCWWd3q/a2G4AhYS/B6HA8HMdPGnNOmUxSbuaXS3IQHFqdvXd33lgbgTlXYgMcKQwXTJhlwXQaOSvCZB34TqUyM3JQMMVT2gNkJYyaX3ItL1OZLQV1OAU5OX9L7BQdCA8P7gRrWbvpQOrd0EMqaNbFFLDHh43pKZOXpeRBNjXvfKSYclNlKK9zauBDB4LV/0tWcrhBXH+5leyOtve2hgOyklOzsk+2d5Kd4c6r0R7539UOkE/LE1s+QM3UupfH0U+o8Xv0DIjzgaAWJidkqqiocqq4mceCdU5SK+BB7YwE6KGXm8HDhBTOFWpUKbMSwynfk1xK5QTPADwqM16rtrWEQvByUs7mmts//MVV6o+1jkA4lSa6nYdrOY5+hwIE5JRJv9quH2YstZFiPUs7e6PYlEuxzJP2Dma476Ct/+3wLriWdNQcTL0n7W8VG7Mmonj5AAzhgcYsJ2dBR/MMEWXFi5Ozm22rb52c3eyuNWVGQdMlLPjNwWE/LM3JBTVJe7G9Z7V/wasX1mZE0+fkzE7kDAEMIjo9uAhWNXnBkmniXEQ0j61/giak9x417ivCAYgMSWupgk9RTEkuaUbGNKcihfM44YrdWjsGDHclK3tMW2qrXXQplXmc1uo1F20U71dlY2zY8f8s+ECD9RFKXGPVZ/j2J6lsm004OnuyiCZ5936cuT24i/gty9GGKZZd9imLTyezrMUy49MZ0yaa1OMI5x7AQsqSZR5kXY29jhn2/6f64gZlTzScMzAnUkHIT+KeS1JZrBCuyUr8RftGCYOf3E1RxgxTBUjYUrGUa2tCgXuEolEL1+YQ9FWNc54SXU0m/GMYEZ55MTOm3N/YwEfwCWs6rSXkQs0trRqJ/oCP3Eo0lJrjOdG8KPM5MfS63lc0gnOqDVxXYOQT2ttCGgK23C3Lc1j9xeuj+qp+JZVJdb3SFZERNhpUYWR5CRTwBYiCTSb2DN8wO6vTVdw2vmAXr4/WBnhLcy3krfDerwZYxOF+4N2MgKOS1pTvxgPR16Wf9rxh2OiK0KIICOjPTThANHfRTL0Ti1EPfN+gm0ozlSyXZGJTCz3SUqGf106Ol08FA/+HnNzFNaggr48OziB0BVd8FIaKaWW1uzpWUJ4vaXFWrycwgddbki4AkyrPe1TEP6XHxS54VRO7JJgOLAd6Q3lOx3lXSz3Ix0wZcsyFNsyRWAM34ED9agQIsy+fAnGRSwuu6QaY+FgpXJ+/AwdX40aZU2O1kB5CRTiXaAfHO4GTdYGYUT1bmhmOmAK+Y+fBKDGlmFV/O9Fm1DEoQaiQYh6H+6IiF5HKe81clMoVrIJn6KmGD3Z1VyEcLZVigntF88acVGRWJNU3NMRHcfcR1VKCle6IVUKU9WzW0xm+X42jnc+swo3eEogF5aK76IilUWBpXVQombddyk9GuAdKUQjgBoKEmbyrCHIcmqHdLYBX/7lyzcdU0EuIplgZkBXFrNXCxfTSDogh0PfgrL77lhUCHq6+/Rd333xjBgzBMxZuSGAoAte5E0VDVHy9DLzCwqgqbztBbBW5M753Qt7UcZdcxwFgVJDjw00M/7LHbMJMOmMa3GLR6IQb7UKqayDtEW1mAjRCurkOgUVNENy4qhIuVluxQpoQhkRkZTTPWDRTGzKEiRIXTOwX5ElH1K86l14zaQEHrQeCqGk3ubdv7bBc16A6hD3mkjMFh/PyxNvqRY0gnAuixeOrH56FDADHuuYk45MJU7F3AhyXHOLercC3DGfdMEGFIUzccCVF0Qx7q2nr4NfzMDnPBv5aCeifvH33MznJMEYfwhyqNhftauK7u7svX77c29t79epVLzqX6Y3uItSzP5pzqu/BZcBhwNHn4RJVyA42M67LnM5jhSq2gTFbbz1jN/fzrQirqKHynJv55R/1DfGTM+poHmLnsfjBa2ngFMCAatbU4dWVXmdUm/VRy7Pr4hqXd8hOfDzryZGXJgCrZ21tQPn6aHNre2f35d6rIR2nGZsM+yFeIh0HmOPI4y7UkcsavuwG0D4ZRG88d41iae9Fo9lMCpbxqunMcXmtX4SlurliZtV3aBtH9Cy8MyAHf1ixXX/TkwwxX3eTLHpa/fq/DA/0GMBrlkXXjpyrufp+dlXMyePXf8OzhQJUPvvu26MAJkz8quM0T3qrB4TahQ7INC0HAUNSkYxPuaG5TBkVXU35VjeWhZdlS1qUuyv7RHYbK7kyY5eaTwW1CmlD25UZI+eNX+5Wey9mTLN2PmDD2gP9ccwFVXOYlIRJ9eKhyJg08oAJNpYyZ1T0oe1H/AkMYVqCCs4x/trBYtHnov26loVRFXvAdqhB1YaaamnBcAdZxl2oaxfLQOlMWf6WWksfQenJT6nQjHdZgVOrDKdqXho5VbSc8ZQwpaTCtN3OqDc051l8Uy8VMarSxs9HXjN6w0glomhOPIb+1foVfz7r8cOwt1ZFE+mMpdd9yWfH7969fXf5/vTi3fvzi+Ojy3dv314svEcVJqAv6UL7HIdvCOxA+oHf1eFBPFVSy4khh1KVspGe8+BSAI1sEQl6z/FYPTdSMbT64q3s2R6Szpq3Xn+3e0ohArh+/a73IOcQ86x9yOMA7EHLx8KQaOC5+Egp8nkz5XY8J0bKXLvcRvBSQrYcS6/R4kM67JDM4w4yEOtn4rWf76CHFkRKkwPdMGV1k4zQqTVtI2/QjNU8VJimzdF73GgD+Q+cpUUQUwsOYPKOjIPMiL+8Jz8gPNiMAXfR2Z3yDVFCuUtOdUAGKJAI3P2au9CXk3iQqBZIJKtmLC8jpyi4DzAQIAytnWNCzK1kNTxoPYtIrGX6LevF86yp/POCTpdqjMRKFUwWQgsRIEtomLQrRR9ohk6XBFlNWQ4uOm3dUkUVSu6fPqpUck+tkraZBrO6sh+NeZe4HfWi6+ipoIcizS5LEcXRSUEFnSLz57omhI4ShRVSIj4SpSLEnOSo9fU9vCR69P6UFWS40dMQjoiRNRvNQiE9Y0ZZKg/lpyD7cfkp32ICRSP/Y6EsiiBlXHGhJ8qiCMNCNsVzFsVzFsW/dxZFfDB9XJ6rJNbery+VShGzwud8iud8iqcB6TmfYnGcPedTPOdT/InyKWIZ9k0kVUQALS2zgpd2tnjpD6QTsEYeQan4DTWMHL35ba0vkwCOAhgX31QyBUTvRx4Xt1Lww9S4MZKM54CJIwZl4p5+hctIj3iELvblciTupOWvnSiRddTE52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ7zVbIstRjvr7u9ev4eP9deQXiRmDiJmcjxVVnGmSzQUt0Gb0CJU086X6XVVwcCq5n99QMXf1N+Oq4q4YniQrekYh07sxz4qr6B5CwcFV5aMBx1Vo3wIhKszgeNA8hea5R/pE5rm85WK676H5CznCBaznXFy7+ebkxVWS5fnVmivp6e1hKcivXGTyVtfvnyO4bzG26MVVomXfe+8F/7gOymln7R1YGmDMcz7uG7Cg6dvzxS8zm4GFyZ8ocq8F+XMg37cfyNfesu8nrq+1sucwv2WF+bUQ/Rz1dweerGqcFNnOkhjim6MdnOJR8OgZHS0JoPNfDkafBtHmzu7yYNrc2f00qHacs3opUO2MNh8H1ZI4dMOsd8pNW2zWRYILWmrv4Y95OvTmk4JkXF93j801U4LlW5uJ13wXSXWhZln2609VniPEdpLO2lvAH+5/cIrlB6ymv7X54ZMWxBKq0hk3LA1ZIksIbzx7T+JpiKFqykxwZdhld5b4cXf7EauwIoqK+ZIWcBIqiOE0HTIb+KSkjEBHrKLkOVuHWOMnVSdKlkSALXu1rVCFT1jsGY3jOR5enB3+sreXxdOv7qbZ2OKRK9tNtpJXu8NhMnq5Pdp5xBJ5US7TDXaAzq8Q211KZVwO+dkxnjRyIIiDgqyvQ1kDeIxEcBH7S9rszDjhYspUqbhwmWDctXcjdGKg0DpizAXn+vxyq5lhpfZaI1JU6GAtaTKzOpBM00opq2JiTCc2VXHNxqAbh1E0WFsAPeb9NbUpJfBhWvdOvb29TSZcMTYHRrExzuV0w8wUo2bdmpyWN21sDkfbG8PRhlE0veZiul7Q/JYqto7IWbcTcjFNZqbIu9JkmO7uDbfSbfZqc3Nk/8hSuvNqd4vSbGs3yyaPIBDfsewSDsNSM5LdSfgcbnZ+dnByepEc//fxI5boGhsue11ums9Z30pg1x8+Hhx7bw78/Tb4ZVAEr9yPgOBoE42+OEen5/DxHkfbT42geDvh0ek5+b1icACtPUaFvmVRS1X7u6tL4uwyxuEshl4IddMaP9aclIpLcKlNGXaNc8O6QV9cZUJDPvo+PH+15pobzv0k8ehwi+R7KaD7u24z6UbEaUOMv8bLT6pjF5yDAa3HW6ZYvXeoPnCN43ShxFev1h4Twt9Y8cLJJS0WLAgFp65bMaLSvYF3uzSdubmIdr1JFDOVEtEthO9E7Op6RtovI3Aldc3mDi919LzfAMSzZr4pbiM5YDwnx4fndXOrd9hoBccCXgwcNHZoFfVy8Ec/uSC39q3jw3M3fDse0O6lpbGodSH2FoNfmgke9jlPy+TAkIILXlTFwH0ZxvWLKiptGu1Lr+wsVxY4KG/TWQbX9YXmwBoOYUhqR0tBcHLje2hTTUqpNR/jJWEGfUOs/kdrt59zgPssgH5AqSYp9p1rZJW0yC5Jc7q0/BEsIUAxrC5siM/0yZBioE+kCwbD9jsdjnhy2gt6VJtoKYEpAG3EAjHUqNWm2x0ORrEwkI9qxVdLJjLtL0yxM5zlSh4l8YB+7R0xPxom/v/1YmHZNSCiy2hLcVHxgBbopMRmNLrZ3o86x56ckMPTgzfH9kCMmUWWfT+/sdpXxJxWVzW5whvOmsWYKJtICt8eUSrFdCktioOXOhoEzmVCTgKvEtL48Jj2mL6z9BU0UfKpK1dWvDDoCt/ZFqvg3RU95bfGmEUCRe4KMbzw13EQ/XkD7n7LumHBgIHeXfAOVJrOYs7OJsCYGmlPXKdUZSxLyG9MSV/SogAH5MxdCCIPrRE4rrGGU/SkmfQT6hLLylzM6pIyn8hjgDab7i9GM6YuJ7lvzb0M08nfxG6SnBlr0Vg2iTMTmLlRcKXEjoN17ZF9cnAwIBeHA/LuaEDeHQzIwdGAHB4NyNHbDs26j+vk3VH9ZzOdY2lBJXaH7NIw6jaOCKAa7kAyr3yUSk4VLZAC0eNmIkK2j4Dyhblu0UCQRFryOj0OuYPuMaQ3R6NRY92y7Anzf/LFu2tVKfDuB/UozE53dyvXXEDoK6qpDc2VhIbyccwhdMI2Hnd1DzfM88BhUBMGzMCNdzzmnTj62/vjd/9o4Ciwxi+mMrhufE5coPXxoHbQ4ODLFIwgEVugxYIv+IZbVQeFFOvg0YC2uumMKpoaa2+8GLNc3pKtTciDtRCQ0ebu2iCifakbb9S8PNhB2DWR6ZSW9kxRzchoCCJkCnN8ODo6Wqv18B9pek10TvXM2XW/VxJyDMPIbqiEXNCxHpCUKsXplDnjQaOSmvMoG3bCWBaPkEpxw5QL6/9gBuSDwrc+CKA/5i7oHidkwz5/9TD259D1byl0PdBFwP8y6SFMAnZe7UNwK6y7/XaotMss3EAzsAtzw8vcJeYBMwwzDWrc6Gq8adc5ahDLoIH0GsLGrbk3YesxVgZII0ISoyjPoREwU1z2a7/9SH9OHEAW+Jw48LjEgZqAvoyV4Iyl+zWLg4ODpnrsLdbLz0kBPOg46vKcnJxZRY5Bfb6r2MFx1fI0+B+vvMPP0Q6fTHha5eBHqjQbkDFLaaWDE/qGKs7M3FtIMaUW1GhrGdqhHFgJOf5olG/PC/BFVT88oGbGFDgFwAEaIeeq1lnpNYPBvVMLWyBl7KN9u7BUEg+NegG+BL8zqjkEXYYR60a4qK5YDXciuxWEg4nTdqA0vxu1NxjU4S9hDfi5+tN/T99CdFsDuiWejdX4cARfvg9CygYO0VYxBfprSi/oN1yX0IruAiA4a8pvmIZOw9EtQqP1MDyWKhYH/2VCh1EmCFv7OmBRKGoAvG/fef4bQLTml8LXvimZcut/IUv0weZzO4SWMggWZ7Lh6VhLyIHIoDJ5KkVtvTqsNs/+3XcS3qtvjTnHEzq8NLh/Q8XLtHHbc3z40G3PG2boeuyy9hXTnE968WKbvdfoUXiOYr9XXLEMig8+QczO8eF5uFMHORbwaxejiZEJuWKpTtxDV5ic48GomSBoRsB6Km2wZihcYOedVt+E/DpjAvcMNjBVUkcKGxcZT5km6+vOVequMSxAFp8659OZyfvKr0ergfejcPGcwY26YVPl7q9p9i8Lqs8yTmesoC38k0Ygfw/pjJJhMowpRynZKM53HL5YOCifiuhOzsUQA/nOwbkR8Pgem88XqD/gc+4yqCwZFFnKGRb7t2j2jADyZ1JqpdAtSp/gzMC950azfFJb21Tg6I+4kVtSwQdAJnp+WpcKCOC9jrglpeP4cKgeCJy36QEwosSZnsV6j1VjYG1oen1ptYvvIYPxAsOJ02sCKwo3QIBRS6xlDjeF7GNIMgD1p7ci65fRfcOGD2I7BeOxwfUWBy+wjykr69oBEff4F72hSU7FNDmt8vxMwjXFsX88Ziuhm75nK+GL+9mKO9J99T4hqvmjuSMDIpfegsHSoIqnDfYQuNCBfZRAGRpXxA45RltMe+EMrT8LZmZ4dAO7qo2H1zIwK5AlXKR55ZqYwG0ONeEODYwvMa3HCDXV7UT1Itx4fijqc5Ys4UHeFbZPwb4sNNRvc752tHFCoQo3pr8YB3MwLsUwwCp8fpC6ISkZM3NrNX/qW1xSp+Kom3D/jJNxwQ2HyHK7VbnUdm0HficeRrdVvaQfEm7URYU1sXJSMKorxQpsgQOZAX2YjR6DaHZDr1mg4RjNMXnUOC5YISE+hWk7jB8uqzENc2dQncSfTlaAg79SLCHnDPf8CrPorOy7wmVz4+qwA5/wsRiQIRqu+MMRjkMVHKR2Xm2s6d6Q64u1olmgKNYnmw84erAZ/KVEs0ymc3yEsk8YMxjHS4joLXICFXqBBGqtdEaFx2tKDZtKMAX8+GFzLcO4AoSs0yy7GpArd27W4dww+GrCc7aOmn92hXdK/malISBA5Y+iWVyoYw4U1tfAptJMrZdUa4vMdQxKaqoZDvTlbAdmecFBmpCJtYysenmIc/pahhjmhUY3KK7U4I7U/jGwX5yTy22NHcgDT2acKarSWRws396bWiPE7V4Z8ykZV1BBZ8XCF43ImW462iIlPTdMOW7XmmLf7ewVmTthETR3bKzlHF/usTAm5AZxM3d3aqhsc408K5/HTbncjHZTrny8KHetgGhcvUxXYw9Wm+rD+N6yc/OCW43muby1EFpzM21ulJM7bkmRd44aq0fA1gQTJMJk11qszMxqf1F5vLvV3qfzLpw4lTONrj9DLB0sCio/gMkNaZ8R5qIitD6Wq9IsCI2M6UYrJqdzalKJqCLtgCg2pSrL490H7g9PE6vHVPYPqYhdHph2YGKhoJE3TIGUgVBmrzJ5ZY/HW8J8yCbqOeTkqLsN27vbe03kIwd6gBdktX+iiV93GnCQTi82tgHy8dYaroG3glSccBVljSlGgbdZ6pzCnkhlP4NjpeQly6FFzx00nXGrQ6SuHNb/gTK/hhYlsg1q4q9M3PDcxJ7zIM0ZOiCtvufLa4UwnbZIORGksCJZc1OhfTxwsYjmVpIwrTtoY9ZjhSPr9x/TOMqlEZGe0jyFrDlXWyuHcBtUjGIHlItccIGYSOI1k4jVFtgWeBWQjnsS0tIzwo3jEi1ICim4kXXgXz3E6ipYyn7H7EffcstIcs1YSaoSbxbgpfhwNbFqLW2EtIlHK1rxxKU0H8Q7W1/7RpUm4tTBzeFod324s765dTHc2x/u7G9tJ3s7L39rhidm1FDNHqqJ9vn1W3CaVsSaaGAEb1vgghxTAqz6IaMmVtaEkMqLG6zYR9OGnMnldOBMwlxO1wbx5EGKGOl0nHldYjo6r6ksoiqZ2OuxBhs2HdIhCuDZUHBASBOcXTC81Xsac4OpF6LnCplVeU36WJEHKxKg1kNJJrH3o+gM0yNsSprOWBLhImxvpRapz9pT8671JhdlZS79j4IK6SLkvP1XmfgBqt/wPOe9z+CdG9DIqJdwjtzUDbcagdvBMG2TkpBPIdbtmcfPzJpNirl7SVPfAzYCHvt4kWc0MLvIvClg95R3agUxsUgw110ipQa1I03aggTpzQpO/71XqwLgVtbANaIcg7nYaj6xxOykX6iekRclUzNaanv4tLHfRIlFa3AfSG+dJDPSbgDFq6rIHVRIoY2yyweXAfhirebYJvq67V/fXwc/Hh59MUffyZFdTehscHdNlz26PdkZDrMmZGLKupUDFtdJLoJMALoIXJUqxW98ZCaDGsGK5i7Q1EjV0TBAt/BFVUAZuKoFTqyLt+jSqwv5PCR6JY5T1pI417IzekObiicoGBUmTs7H9B4rr6OGGSQoUETT214b+EQ4o9KeLjT6rRmmdVVYjUFIYtcG1s4gaApO9vrbqpmSQuZy2qhsY0WNvPaRAlzvN3BF/t/24upv/HZfLSSzd5LRcPTbwiUArnmbGX1jdq6P6/okQxedO3jJaAda96O0fZOQt+LVhvhn02mX4bkuBuVAJzz040V3c8bVkg93pLXfpNeCdnHD3mpBfodq+7TiekZozpTxigychYZ3rBWKgEKrOVpLR8U1kpm8dfq4RRVA0MgViwQcmVGR5RBvOGNzuD27taayMNExVcyuGZyV9ZeoZgBClMzrVXMDo8BJh95NEJSljSWG2xmDJLUQ6Y79tOHuz8BN4bTKqQoh+LXpqKxy1aPy5O1qXg2dammKLM4SJZ9ANDSspa0puotyZz6AgYK8qioxc9eRVcpKCIPCodGiyKspaAJdT0p9U0/hJAivPaM+fACqIMjftYE/NzjyVSskrWEK1lcR4Aa0z9+lZzaw7nn/MvD+zjJ19tEE54ElZ2G4CqfvvSP/e7SGO4xoq7HD/RBD7S6T6WXUajTj2momGThGsbgfmLOQT8yymuit9u9CeiA62CjObrwtfXWJe9PD6s9ZSUavyHBvf3N3fzRET/fh8U/7w///f4w2t/+fc5ZWdgH4iWBGM3RyYgq/GyXu0dHQ/VFrgZYX6ArO6aSyclkbWZYs8y/gf7VK/zoaJvb/RiTT5q+bySjZTDZ1af462tzaDKr/HddosjLWVvqm5Y21qD5V3Lj1XfmQvYwJiNmOmRkKkcjvSj3i4XqnNiMpz60iE3wsJVM+IjuIFOi/gD4czG9mWa9WcyqNy2pAjc/n+0LuvbsdiHz/WcNriQwEc8FastCyb1+sKGL4tThrIWYA7dPRiYdiktdukmiBEegHVjqIAL/XTSkG0IFcKGXlTTjyIqwNP7uENBTZYdA6ihe1NLdGMP/rSoB1Im2oxxQMchSxdvRIROoQl4W8Wt5AVZp4gxfa1ps4+MRtbBzY9VOlgJ5qtAiXXOuYPXjTIHnXKrxay9Rd+uE+3KGFmAbDq2vq2MFrFExaN7eWMvysZhZ74/etknHV6LpMxTxoMWCXcsgv9ICRTDJktQW9rndHM6F7pItDa4PFLLkB9ep5iGLrO2foV4ZThRLbB9yez7VzRnXd0K/lNHK7Fqg/NWRtHTrnbTUvZnpavBAtJ+aWKnZfopY7LKABnM91YRW2mTFltgauZThZuhq77mRu4HbxyTDiCyw3NKjr2ay7Ja57sbR+UFlrSkzX7qq+1NhGxaheWtWX1XcwOrmdzePgNH/Z32VSXQ9sz1WpHc01IVSGp6CdOtZqMeoIPNzBNm5Tw7i/QuiUO0P49lWTp7ghA/9wdzTuFcTbVU/zHlysq7pnFx+u3lvlr8ktG9tj9NGHuIsWPNGQ9vRmTHAndhSDaPFaqw+yoQVeYKONfUYgkSivxrlMr1lGNDfsqodoLiAiHzgSFaQSzOdgNvXfBw1gqPUa+fKWQGxuAvL+3WuSc3HtY/3vLxfq6bJNdX4UrE8LAQc8jQMY3GmNRiAHkfk4CIpPo7xEZDHvg61khbViKGELKeBqD8RuuB7E/o2dnfGVdlznwyjbAhtzbvzHcAiOt4W3iOvrSx3piXdpjpNc0t6gt3dcXxMYAYwlxaXiGHLfZoba8SuiZV6B9yfKyXuvmbtKgqXBZY67+EJ9wJ7e5A7YL4VUxQJEduciVk/BMcX/YBkM+8CCBhgRo1MK96FhEUNLN6PhsMeZV1DuqgS7GudzWcG+N69XnFRAbgJJwjoCSDdv0+wQt845p5mlJ1EvA7HmInVBU8Kqxi2HubZ8ZbEj+rieR+duYN9/8w6xDqGErUchXhnh99dQcBGjO5fiA7gTpNfNygbsI00NkSpzkRPB8RLdjsd34+FYB+dtuBbpYOuGRW3inqRtEebVYqhXmKB5fhpC877by19DBYNgMIQR40oHUQINPuUvWXywAY3i9z130om7catKL7yjYKCwExA65mblzoRPpdBcm1j3dpQZ+91AHbDaVm+5EafnhfWMmUUz1Fy7yuU00fB74n9PUpmxq8QzX/91LWJj13YdvY2lgNwUHWWlcUWKXM233aqP5snR+Vri8xsbbwQV3JE14UYTeSvCjJiaYWV8nXMRxk1liSFYdy83itkJC+5KkZdNmjZ0oZZn91+a4Y3cg9dmLggtvjiLKAIv0OogjTtuzuw5/aNuRbyEtKD7DdXGkuyBqBmH3eGwIPRruVBYB3NTH8kVo5nXy5yw9oRe335EYhIPoCcOrPx3y3XDqk9TVmKefZjUJ7xB9Qxqj78UYP6dHLnJV44rJUu2cVBow1RGi5UoB5+Ox4rdoJ3rHz+/WFlDs5P88st+UdTMhNPcP7U+3NkfDlfWWmy0G/P9jXmqzIyrTwwAhFi5phOqFde2oqvxOkYCroCkHyBJYVRdJDtIrcx3oguRPJGnDwgTdr91FC7o+GoGt+0ycn7hoiAZtlR2S0HpdI4dn2foGufd4a9daiCf8y3NS9ZWVSq1rBZUq23zQcDYUNzQa2TSdTCu7BG+YdrwqV9d08uzgGUhsGKnGxpzerhYz1hpZp3RUSS5G7Da4YOXuyLOvnDZiwKMT1LmNGV32id32CX1kf8s+6SY91goMMXGzubLUcay8fpkZzxc394c7a3vvZwM17dpur33cki39ibsfuvF08OEuysml2Hxk/98T4LFAdZ+bkXjQzmZzu0kJDpoMrZ6UTNU0SUM2F8hctOHyNux3cL9/v8ExbFdeTqndkVeQzjgcN/gd8jnIPjPVGQbUtWLJY2Yq4GrjxJc1OM5Tnnib13Im/rO658/nbz5H1+uU9fZBlbI8pTptQRfdsknzuHXisgHTwnkvrMMsdlajz+OUUyC82o+KmofIwE/QzFZfU1djIILWcixxr8futeJ77299VZqDB6EerXghUKHc0/wETVG8XHVaX+/hNJZiPcwXyz+w5fYiwfZ8w1Vc0sboXMZ+YUpDJKE2jzs44xWGjzlUFFBTpxsaXJryxWCN8hnc7jjCZXHb9gArg0gsz0b1L3irIyCXivxhR37yNLKsAGZ8SxjYgDBuPivFPl84DjkgNwqbnq81Kv/XPHPrgzICj79YCum5+Y7z813zHPzHfLcfOe5+c732XynN7HkcboD6EEwDiiDULN8QXUB4jmR2BrvN5WFNAqefCrtplYInM5FMb4L8vD69R38LdRVhmHcBqLmUJXgx7kq7FRXzuTj9qwwTa5gFdG1lUs1wSwirPsevHr20YG1NNMwnLcmPdxx9fgWvhpZp08t4rDhvguD0K2LYXNX6xSd0SaIXtlZFpShWW4oAxHMmVwC64pL/8ZZ2JniN1EgDpRddW6HyBXQWeHGTBZsg+Ye82GldrhLHOZzF9tL3EcKVFEsD3vPapuOCWDMiuXshkae5ro7ZG8sZ5S8U5ZMWTsXBUDDfQfiMw8XAnER3UW5EqBmiR1XgGWFSTp7WTq/kgdnurS6t2eKF1YQYOvkkyPy4ueTo7V7j9LqaDgcNQ98bR8uG8J234qefrXtA/BF27t9pR5uX7FR21fsxlZngiwvNfjEjl37iL2iitxNhL+9K6l9VjZ3drf2tpqnpeAFu1xiLZU3J2+OMYrfSxefewzQglHYbAiniDaKUQhxGs9N5EqoNBQAiboGcSpoItV0A++8If14o2AZp+vgCY7/Tj7OTJH/8+Tg9KBm8ZMJTznN0W/8PwMnMnz9vQTrV/VkMlr9owS9f+zqW4YxMbk2ZB5ES/d5nosy/mJ5lPTGElKMdi6ITK3aHqiL9hayWR3ubg9bJPSZGmmPQho0SQqB7GA6NI/ZEgtWn7Z7FKIwDwWovKSss03Q7HFKVgdl3pfdFqTyViwtKBLdx3aCVfCgKEg6fVg+PW0Hxa9WaAq6NUKjxsg+GbQ2EvYWi9V2lN+GfZpFSuXjlN+Nu/b+ubHjc2PHu1f73NjxubHjc2PH58aOz40dn6CxYxSxxv94ZLxqj2/XDmKPNZgm0Ql4G/uQUEmAemkusIdrsmI/9hR4H+1u7W03AEUxffmdKGMXqHSAOgYxQ/MCQlpawXnLs0Fh38AQe4FUmHEFgRgOkrUO9YWoiRBDtNRmT1ZBB3/Xe/B3qTrkPSo/++K85QxD/X4Rl9jHneGrhOZwOg2/Qea2rGvf1y4OwF1UkmheF1nw4vzgdC1BOwsM7xBm0He1Siszw1B66M0U3f3Alo4r48KN6gJZrTL5R6fnJF4xIS8gn53nWUpVptfQb8sKyvP6vS5i/5KwnGrD0ySVC98pAe651hVTCcK5TNHike8CsIABvzg8BbqxQMDteYTCgNzOal1lSPCxkV/4dEYOtK4UFSkj51DFlBwefBoSKmGWdtdRIwBmIS8O17DuXXt9788/BfioAATLlrmRR/FEbh+PPmUfD//6/nxA3v7V7+eJSAfk7fu/ttpFDcjh6V/v2fNwdD5r73OZ0ryTB/Hkm++n8fzm9VpHfbLkYTnF3zm7/ZSVSDWlwgWqLnk18VSavHj7GYf5RKSfu1iaX1aCL0uF7FszzYmd0S79/Sesva8v2iPXDxWEL6W6BPV1eYmJQXRCxWLIIsP5guC8GJBzUF3OOiR9SHM+kUpw+qglCmkuwYxcYE13eXAvOhWl462BSh2gVYNRKjTPoIcbhKF0tmtzuDlcH75cH+2S4db+aGd/69V/Dof7w+GjV4VtXJe5LEw2WWBJo1frwz1Y0mh/e7i/ufMJS8ImVZfXbH5J86ml9dkiuYufQocHfvzggvAp61gfATtqXbPuYXt3/ji5EC0qrdTNMiv6w/i4IF9sO8/tA6n7qV4WCQjGSIEg/KBvnceNv+PpIEFwbcqdzdGnYoJ9LKWoc94+xVY9dkOEDcwYOLFb2xeCLBdY1e7OztZLj/V2OZlPWOVnWuOQAGptcWcRRbunS5qijc5NV43fHLpywovCrJniNL/EJNMlEagrQohT1fmsuqqptV/aQaWAkCaZzqNSXpO4XCbscTmjLmF00OxujS5BH4gvwaTKoXOOyOrwljB03VW1g92dnZ9+/PHV4cuj4x9/Gr7aG746Gm0eHh48jiuE0MGlc7qTZnuXRkByiF+MuMGvrK4bi/fRtY8ERPQECt9wQX6W5DUVU3IIscok52NF1Rx7HXj/6JSbWTUG1+hU5lRMN6ZyY5zL8cZUjpLR9oZW6QYGO29YxMA/yVT+x+utrZfrr7d2tjr4x5CI9cfyYWesfx0LVQcT1YPRXpWeUcWyZJrLMc2DNifYwlccrUV+DQv0Mw1QD/y3YIF2YvedqweLX91hgp5f/LVWUQfk9V/PqSA/WeOS61RGJurAmikJGKRPu+/fjPXZWPknLeVrm593HdTGFn72yr4BW7O10Met5Xu2G90t7nLVor/XV8V2UqendKhu637IQ2Qow8Pm8j5/dh/vSfv8mcm4WV9KlZpjyVBMYqJ1oBeEFltYozYoIXeimdsLSveUyfBKnB0V+htj4WcscMHSGSiIdfUyC9nJmdf2pHL3xWpdV2WZ85ALsVAPP27my8onOvSMsHuDKYVRjDaLjGGuNBNLy286beQ1ucm6DWWlMjNygG20WgCCVL/kWvb0vX0alDnF4eT8bX+728ODXpCWtYMOnN5NPKSCtrIZPFU/AMqUyctSxlEqMUOTYsoN9G8TGcmpgQ/dG5n/S1ZyKVb2yfrLrWR3tL23NRyQlZyalX2yvZPsDHdejfbI/zZvw5aoM62+t0fQp4i3wnhoQM3A57dgUQU5IVNFRZVTFacqmhmbW5bDkNlEd82HceuD6JKdK1eYGSrrYF8XMsmlVM6kHASrsFuNDsHLSTmbayzACdrcANgDCpJmJlBUIRG8DFxYu1QWwP0i9ta98R5LbaRYz9LGvig2tQJliSfrHcxw38Fa/9thH0xLOloOnt6T9beKjVn6Q19eg5df4Yu7JdjFjLlkhagxZE/5InhG18narWSYuIzR4h2OG33+n/yoNVrThAwnExYM1cAK5oqIxaVaG7UVBXl9dHBmJegBVnyts6UQ/rhfy12NKJ7aD9TTdRYXheXvXX77RsjK/1L8LcY5AJT80NOYxNHnL/7zA41LZ9hjBMizpsi6xhj8HnwwoY8lV+0wNKjPE/wwyrsY7PvM9xp6c7QzgISVNaDzUjHHrRNykGUejEkocYGhdG6I8RxqUauUah9E3AQOmTH1viFXPR9qAmpWUkWNVJ7jUt2opvNCC3qN5VIGBOsezujW5c5oc+0RqtyXTi368llFXyeh6EvmEoXzJHWjE/Av/vO9dWqgKEy7To0rHA0hd5XBpg3aUBEVyzs+PId3k7/4Q3Bnse1uXReYFMr3upuy2O6JqvhKhQbNQ61nYa0uNqgZkT+jKrulig3IDVemojkpaDrjAuJ8ZHqNV4yGcgEKkD2K/1WNmRIMKpvIjD2qB+ydMfpPIv/ftqo3N+brBubv7V7ubn8tCYuyUE6ivfOk5sXsXTK2TqRF3TON1Vc7yOqqvkv6hhGlIqfM/Hjy9rwhl2Gm11xUH3vGroGOZgojgtz3xcl78nPfnl68PX8bMPOAU2TKZPINGdIAzrduTCOQ35xBHYP1jRjVFqRv3rC2QD4b19+mcW335ls0sCO4vqaR3dS6lgTJ6i9u7FgiNfqS1t3TQ0XcW1+a+cpDdgWGjT2/iplKCe2tQpDHTh16wGB9mvU4axX1gLhOzIEOePSNmmh+S+eaVPDKAEpDusrSwelQMCq4mEKhc9fll4kbriQkdsc9PULHAYzrURjp4tpLXY0ZNcCIrtpYKB/AQnig2RYT1le2Q8ODzUXTJSD3F7eZd826LBo9vZc+4RbEBdkDZUZUGVHje8E/+sLxjlFCC6vfK5pDMncYM9LlwDygyHLdtUod/VJpphJX9d0a1SRjKc+gkZNVR4GUauYu7fOtzZc6mdCC58u6/n17TnB88sJf0iiWQZnejI05FQMyUYyNdTYgt6gOdxNP8MkO3FX+hCVsv1oiUMfcwV1vZmWH7FBMYLxD5aWpxfcb+S96w9rYinrXLGGX22vA2QLYYG4reusK93cg3062k+H6aLS5DjY5T9vQP60C9a3tdVwxwaHsrs397zZmvLfzS+2sn8+dZ6v3ST0g1bgSprrvDFN1yztneLnJ1R3gF6XH0TAZbSejBrRLK7Pumrm2xIq14A9zWWXBGPd+grqZltNqMOULGvZemc2kYBmviitomnBTtLqmNTwBwSc0AM9w7ZrwydLxFXyth4QR+/SRVpXxcsEyKHcFtJ5jU/RakwtFpNHN3ty2rc2d5vRWPn6tCxfIX1zmfQusDvLzlrQ4a1o2EwCTLgBWDD9xxN1X4892wasa1DIvhieE3lCe03FPUZCDfMyUIcdcaMNazA1wg7dB3++NX7TIb/ryL4LzS98DtoBYZrENhyngO3ADB20WFIZeNXj5BGwKZFCCUCHFvOB/RAYIojB8fB8abV3BKnh2ZSkFP3jrG+2fVIoJ7lW7wLXIXL/hMKwv/dVDVEsxzbuk5HYLpuwC8XTW5FfjaOczqXzJCSgVXnv+60U3il+N2+3H4Tkl86Xlxoc6/ECQMJP3VkIBtGazsxbAq/9cueZjKuglzQouVgZkRbFSKqv2XdoBH6xgH3xcxjQiSX65uDiDz3ffLP7k7+dDcKN9KfRegjbe6KaqVO7bzGiGPeZMREt2O1TuV+raUy4eU+JfGMtsnsTlAR/ZgS5+tUlGcX2PFpgEZm3vy97ey7tBdJXsvgON4cJ5cXDj78XILyzPJbmVKs/6MbOEfbuQWHT8nt17YYEF7jxj1JoZXdtttL3Vv5kFMzO5LMG/2kApThXJpDPFJfTJOz48J6NkNxm64pl5Lm+tzTeteAaFGW5p6L6S7dcDrMDe1Z2fSFFp6IUf9X00MsS2YL+e3yum5tZkXGn4deWkBgNde2F2uPkoFXONglhKK8cUQk9O3yS8UTAT1uvr6ftOlyCsCwot2w2DNrcJIW8bA/my4QUVWaN5KhcA5GYyTIadC5Kfjy8G5Oztuf33vf1Hnl/07jn0oVVLC25/54avuyPFZNAhTZ80Ns7ltNEfqQW7LqXQ7IszSJx2UQ4ZA/n9ssj7cHI3j/S4+dJM0kH7aVzSAY39KnquFz+/M2wTp66rR+8t4/awGSWzXNcbwHWXL3MErrW6NrRhakJdHpBTvk4aX94fyhsGiMN5fYq3YqlUGeFiqpjGMEmGfzbnJQ1jBSqVoR6Jty1U+PaZqt2qlChZQQ3UXNKMjGlu2b5aC6MGVxv7GIo6h7FmVGS5lVY09CpLpRCBtZ+411FCuDGp7zAYhqlRgMD5sTQTWirXYLmkgtgVrWFp/xiOxOGnBxU9AW+LK6Y053RZZkMgEZwFr5bqHaudAoOesAG/e7Vw9M13XUofOEQtKjnUsRgQWRn3hyJZ8QfYUinYuB4MQYs+Z7J78X4j5AtEUdf4OjlqI6tB3jW2zk/fnHXOCSEnRz3cb+G6HUv0wJzEe8HupohuNWozewD+OpFnGvOp1+7jPdGnR53A0NDq1rfuKlg6o4LrgkT9vKAsqYU+SpFj9tc6GNUyunq3HgxI7UznxvW8Ejv9+CaJYf7I+m46DbFrcpgIe0j7MeE+Om6u/JerxkL8W3VR+J5u3K0VCmlgESyLx/9L6LQ5rgxR1F1d+I6cfwFfFRfuTsOqwIi+R4S8Qs3Kp6082aqi2a7NbREL9Qwb3UgLBqHCrevhcDDvK969UNHu+ojHDbdvqRarqwZaCWKoMg3wDUgmsQu3o757W5pu3FC1kcvpxqQSUOJUJ/5ALcA54rK9T3oHFwwou6oQIee3od2D1uGm2dMIMeXMTO0Q5IZSoE1XVskMrclNq4IOSGPhuiZNJatbscMgeJ0H5yNqfw67ggdobt+uL/t85/OyMvGpCmfacp/QmR3aO6Di0OoLvxYt+xy6DuNOIuu5uqVKXA3IFVPK/ofDP7XuQPOefunQmLC5rfZEqyXs60UzVtFN5CQ6tMrCbhWoa9WtFStgNvHBikdJc6p9hA0X3HDvKwgzgI7g29OStNJGFv0hG1JNfflMLPycjKU02ihaJj/6vxrIQqcBlCZPcr5Q23YrwGsEdzBkR/HFdeJCqs6j70NQHNlB+Aku3vkvYhdD68i0Vru9eedSlhkh2yaDp1pd+L5uAGcaHbQsWwxphb4hYMzcMXYL7mhSg+/Vk/W/YscFthBEUs8ZC6ST/Ive0F6kVyJdYpmMDsrddK6T3kxmHSw/QDvcl7xoLoQuRR54VtDw0lnYCqYhoBIus3wwqo/ki58I24j19oguc24wx8iQqmw0aS+pMnGg8wlGEyroAIPawJUb1t8hIPLiuEPssg4FqDIYsdlKncXADWI6bSzDL3bQWVDiAh3DmFAln+ZWJ5hjR3rsSZM6A4pixQWMS2EilaCtSEUEuwWeY5XzQt6wJslD/8yqbIN8Z/t87CuXsY8sg13JZHrpQmitiMq4puOcZURLi/mUgsgcM3DkxiGXYx9/Ba5gx7wVM4qzUHHi6hLZRM+JO2clGb0iw739zd390RAD2yFg5c2c1CpOp0RcSKUDubvAacTu53edOSe+Q7PKWDkZ+F6kQalDdaDgJmZyN5y6YRJyljOqGdGMkXc/HWqys725bbdwa7S7nfTAn0xoynNu5skyfF2r0QpdxTbiJ+zoa+3QjbC+gzSVCjVnGa3K0o5d1iCuD1f7PqjwYpSMmbllTJBhGNK+u7nVJYrNrXtxtESZF2HKqp7rY2pNvIWR1VoHEPPLvrWUiku1WPGox211a5v9PF2C/sQtZvWQXJM98pcaOf8ZtN+kyXNCAUL7vkK+Hvq3Q6yFY8WOegKhwMyjV6OeLgdbO31oDQA8/hg9eGKC1r/wiWnYgk5RgsKS0IIkYhix+VNnqrcnrjkNYKntTT05Ol8bxJaONVU6wLuTOZUW8c7Q9z9eJfeCbg0nEBvecLLAasNFaiL7zBpQVgrIEi2ZvIY7lSU6k1rGUi8onS3v5Qlhw5etB39tYggTNnMTFiICcKDfQQGRofwVNz+Cotvt3tm9wQ2KLvrYmXgaffVAeQjv4G/mtONNQ1FUwqlh6FKSN9D316qMtE6gJ6iM4ThxTrpu+OncE5+UAe9H9wExbliqtUx5/aLVXW/q4OGFLhZqy31Zx+UALZgpv2EC65bFszrfTqmkkanMnfvAG/1qzI2iikeEg804rRTGi20x1agbF9DTh6kbnjI9AEWU5lrCZHM0AOqH9fW8jNw8PP19YCUXG0t5PSDm1upyygFzG/fXtBaH5qZy2nndBfqGiSwU9iDYZwVgqYuuWSmUhSJrWHwt2MwbGdOGnJxh4xU9gCsmPSDRmLdcsVClLpKpnxF+ARVjMZs9rcK1TRhb4wUaWTnx1zqWOR0fnvd0GqK8aJBWzxVzx6p8zPXyKt4v470y9hpjSuGOjKU9NxBpa7elyWevEMF4530FSsSVRba1l7kU4XvFyLWQt2JArvxhdT+hqsLrndBV0SORdvcaCHAcxMwvl3YXFTWG845+AdnLfnHk5Awvax01UU1uWZ47JhfW449fnQ7c5H9RLW9ipMzX6VRIbazkM1RkVAGN+e67YdhJ3uxv3t/ILSpUbAkk59OZ2QjIW+fZuhUyPUrf/uztf+rT7V/+883PO2/+sbE3O1H/ffZ7uv3b3/4Y/rWxFYE0luDlWDnyg3vp79m1UXQy4WnyQbzzZZ1ZRmqrev+DIB8Ccj6QvxAuxrIS2QdByF+IrEz0ibv+Z/jJUlD9qRJAuB/EB/HrjIl4zIKWpT2zIBi0v3WwwssZM4UU3EgFLS/wcn3QdwcRjxk4FxS90AQKAtjF33B2myAMd0zsUSMVKZniBTNMISANoBeDqQakAYH9L6g8brJ45DBpstL1jAG2G3QzkeqWqoxll5+T3Vs3jMKroshRGv3k/GSlkh+7AT2jV5vJKBklTc8vp4Iut0bqycHpATnz3OEULbcXD3bJ9vxkHYHrfoH9stdqJfPc8RGQV7krOevf0o7/0JxPheNgoPGcMvNTLm+Bw2n4y8UQh3FzOfWXDD5esG9N3YYETUSLxbop3+1VcjppAiPF9840yxzLzbANpuWkXv7c5FS4h2Pvni8BgR5JGBIag//99cEpktjv61ys/45fGIrX1VwTV/8sIQe5VQiiRAUEyN9xEjtxwtEVCH+721CAPoKqdbFsxUetrlhANBOZu4W3vBC3Lbhs94abyeh3wkRKS13lTqmySmIr9KZl4fzG2PWA/MoV0zOqrpO1gPKHokLsAhK3uiWdGUB6NzakESfUOd8Lh31EK1iikfvWWWy4mLuiQO5cziNjdZadTIS2x3hOJGSySgU05pRbXZdg8ceuvZyfIXT6Vz7hDbBLml4z8wgdt0+fdYN8kkbr3u3RaetferRa/2Nt/jj9tl+v3WwGPHqmvARVavX1S88oa5UUOQ/7mIDCOCA5MOx/0dQaaiG2JhiQ355hFBJiQpiwh3oZKDx3Z9VvdqQjoFEMWZbUF5G0S/wvnCc+hsTrsjWGczq3sr/KygExaTkgvLzZXedpUQ4IM2my9u1h3qQtxC8p99xFl749PyFvZMZy1FFv4xxxT9avLRYTi7ttxGDkhCg1Swek5AUg9NtDpwW6gc8/sxz9HiRouMN3o8DTzgn6Nv7uvqKeUchqu7InOHdp7nnJILQOxmo6Hd9hxsDhVbcFMyw1Az8+hvNgbOSDI643FXlnRVo5VzCjeKqbDQ9CPYYQJ+RreeKgkEIE2bpuqRBmEoogQLbttFL1vkuiKrE4AoiWE2OnS3z9qHZtUe+U1wNyy8Zg5nGmB9auVxVU0wipSBulgvXCuL7OkdeHa9v4B3+CrYLsho1BimaES+xcarAAOkNbrB6cvXGoCW23LmL6jNzWFPOi7vBaO7nhQ8b5hFARGocB1nGdOtCF9pGySBu6Vv7vwTeswo2KwTCKpwl54wJLfq9YhQOT44vXUJoWWtbp4OEqlUyZ1pGLIgwTiigrBnccUQ9Gjw/tssAe4WpncWbApxmR/kwnLvViJtFoq7MMwLkdhdKjwW7RAHUYAtu33A83/g8pmkntRhKMzeOTuc/x8J4sQs4xY4KqouE7quWJ8263DbhW7oS//cAUCmuZ35FC4QK4DJtKxf9gAZJF2TwuIAkoSZ5TKR5tnnVw+N3nVnRW/OdMtugs6M+ssMVL+JPrbZ1FWSa8LAeIY8PA5+Uk3CoEj9w9qyNGhgMV82BIO6nvmKhiECLnhIUf2XUaOHEXFwNy7C4tajF09Oa3Afnl3YC8ZlP7hLUj2xg9w66uOMzizfmeS2Y/l8x+PEi9G/pcMvu5ZPZzyezvr2R2u2J2U6jXFy5PaLj5/PnlW25+pj+v6eZGe7bdyOekwXeQ+N0bb90l/9mtN7+iP7P51ljDd2O/+VV9QQOOi1QWcUjFpxlwdWEAiqM2jbfEs6uO8QZGWxj1AePt6M1vC6Py0yKs6giqutxQvyBfTiuFNweHdwPQmH+ZqvhhnRzdRULYrDqIEx4Eb7yLTo7Ds8ObjWDsGcvLSZXHJa5rcTepY3rCtUO4CqCY1MjyuqIQZlrGzdGbEQ5CxvnekKDIWMYyp+VjxiXClbOJIawozbwnRPQSwunOf25sxHOzBvfDt1bA/7lZw3OzhudmDU8M/Oc0ayiVzKr0CasndrJr3Qx3SK4WiHpzOGzAp5niNF9uCLS33d1kzjJvqhZLa2oxc10p2vXuwAVPDSUQ+wDq4ETJohn9plx/rKgRcQitrkeal0wnfVVpfPC7uqrVvSsv3aFETabhPyX8ByQt/CHznEEhG/Qf2L/q8IKelL6G9VzXVYzyqZ4SqX+HgRcjuPN5QYVpeaR6z+/TtGz1mxIxxLpOR60rwbs+zqf9/QMZj/E4PqaDCcXTGRIUBHM0Cs6HNMRUFiUVXmuyaiA4TRvE2MpJjFMgdSgsaVVJSA6lSlExhcicCc8Ncy5dqOntlUSo9QDBuwIe9IpmAKNez2NKkX2FRgtNdZcszTT4eqI+pi2vrtWSr0G2QUydg5h6gHQvILzS04+vENBPprIlARcvs/mntAqeTYIWju42Cf7E9sD3wiGe2Bj4E1sC37wZEKe5+FJcjnufRV/dy7RrmX83zwYZrw3Nsb4UxtH6WT18J6ausAXno90WB4fyrw3CbRYSWMQ4NP8jHhVqBIShHSA4pgtprcfCNioqXG0/ooDznb3+n2zH3Z48us3/uOJ5drlcalw9cMmNvbtmTz1AUW/TxGU2OrIIfCZQRfgmqqQbMjxTWRTckPNfDjAUQWA8OYOEZz9ET/7+ZHvyku29yrLd0Xj4am9vPNpkbDgcjl/tvdrd3dt9+XI0TLMfHmB5If9/xtJrXS2LNx264TvI8isEvfOGqVBMrpvkujfe2nyV0Vd7r7bY1vbw1av0ZbZHs510/Cp9td20taPJl7Sio2YICWRDN7lAgPxtyUQom6PkVNECjOCcimll126kIykNV7EbiuWcjnO2wSYTnvI6eJzUoftN+wDRealT2bbtn/DyMIOtEVMyk7fxgqGsXNhRF0lXaabWIW5lQKa5HNO8gxf8um8hbBF7J6Omv/eEZXyQz9sLXxNzOU+Z0Eu76niNw7vK1Zja3cacP+zN3muEEh36eDmcQmCSGzE22ZQsyPnZ0X8TP91rrg2We6mZkdSaj3NWJ8TrMvsIyfBuSL2x1uUzByVNZywMvJkMl6jp9YqIaIqacmRTsVpeke4zamZR4Ry/b7xDUHHB60qrDSD9jUOW51RtTOXGKBltJq/aLWqgQla6LBT+IgsLMvoswmTk/bvX4brLazDQsoLrWiXhdSXRu4sEhqoo0vIyS0yLyhur2Cyw6kcVEPQU0+jq0pUjm5tbD3X5fcL6a84h2tUF4LrShSd5fTMmMSwEPy/ZwJe3NzPafKSggtZFnonLPvY5XftElcWAZOX1dEDGit0OiLBfTFkxIKKCr/9FVffMq7JYdBuXq4n5DW3OEreU2Uxexcp/U+8/Jr9A355P0fx/ReOInEllLOmT448srfDPF2fHa6Hc6jelVh+evW9MQwxVU2aCUw/qR3fU7N3thbXEhlN1KeFJ0NIMp2m4vbHvgG/pRqiBp3jOoKVA1wCHAmtyYsihVKVUzczPB5a5fO0xLDXrqpGPXOkZjcO1H1iZHXvJ5lNYWss+euSydpOt5NXucJiMXm6PdhZdHy/KZXbbrSuYgRFTQKEyLEF2duyqux8IDwVZX4cuJPAYieAi9hcXEeLzjydcTJkqFReGjLmgijNsAULoxDAFPa0sutAWDd3aU5mx9bhHBnHFObzZqrFot0zTSimrnaMSivn+6QxuNKDImVE0mL0APdb+erAi2u3tbTLhirE5NuEb53K6YWaKUbOuGHY42NgcjrY3hqMNo2h6zcV0vaC51TvWETnrdkIupsnMFHlXIA3T3b3hVrrNXm1ujuwfWUp3Xu1uUZpt7WbZZFHq8JXOL+EYLDvQ0iLyczjY+dnByelFcvzfx4uub7k34GFRfdfgj1zcSuDPHz4eHHtpC3+3L1tW7l99tPbUh3N7BSD66v6LxoU8f36K/mtCe5zDVWHdgdslaTcbzUH9Uz8c4dlGRIpRq51QhR9ulK789CV04p4YJog2dK59uzmcinCjWT4hVITdtasqObIZ+yDa3b4sHVxPILh1Sshi+sx0WfHtq6E9tEcSVVMoCKIHdtHQ6RnxaBdEx1rmlWG+mVLNCmeMsKC4RazsDbZYxXtcxEyppNWaII+AQzf8aM86PMl9XEdjb8zFhg7sfZ2s5+HPSgcFfZ2Mhon9v9FuB5GXkDP2OIuo5WpgYmqCbPLEYseGm+t5fzeFWgr5cElfjMWVPbQosJ/GVXrNDKGC5nPNNZGCzORtGLKw+lrYJHJrDebADaDzNVXxGSJvQIyEF1zP26jXBHf+JtQgdKVLnnJZ6brTdkdOPEKPzdil5lNBwfHMPnL9YGmssZQ5o6IP9z/iT3H7Fj6Bjo1uhricXRvoVaMq9kC78jshx+afSzuFDznCU6YMemx9H9KeAN6ItnwzulTNSyOnipYznmJ3KF0f53jUG5rzLM69gyZ1lTZ+PquV3DBSibrEh2t54V+tX/HZpvX4YdhbqkklwAvOenqYHb979/bd5fvTi3fvzy+Ojy7fvX178albVkHm1bIy1s5x+IZwhutnqEStntROaq0MkLyQ6/aes7R6bqRi2tXzqje6Z/Os+srjWOy/2x1H3aF+/a73PMuxegpUarHKMRVZs0uba9+PbhpIImtUkxnPocSwxvB04Ewsn+NtCjrYkEo7BPVZpx4o+zPR3M+zIDqKTzk2R464F17NWM1uSrnQpiFiwV6ZE9e+umkxdM8mbezFAwfvsXgqCiqyywWbpH2dAISeJpAObmzLBqQE8tI1yHIysx1f4rWeMFfcSrLWepCoaZ7X0rbd4K8jhj9dL2roQ2QdinSrlt6zSKkJCNZbYi3yuwPf2lo+at/NHElkKijeXC/TOp8JowLhug+LGOo4XLUWZBNyCzktjYr9cNMAmeUeEIywgcPz/v3J0cCaRYUU3rohP78/OdKDWD7SqM56YY+fXWo+DyXPsVR1KDIFt87dVR9KoY2qUoOdqtFoyOduuBhzkKRjSVgKUirLBFO40yy44dNYyJ6dHBHFKs0apd3rWuy+itsEuv/g8qCPhbUhB4RaUaXbMZXEpwdb7Eltephtuplu7+xkryavXm293Fn4Trw+Q98sL1k8mOmgZSPFtN6wke45zy3scPMJ7e27Qb52IFRRmrZLXRIBS/kza4hEBdV6q6dG3bvGVt12Qi1El9eT+fOOXVCwVHPsRLD/Ay7ccys6cl3/FyAiexSTIttZEiN7c7SDU3Qn1TM6WtKs578cjO6ZdnNnd3kTb+7s3jP1zmhzeVPvjDZ7pv5Ooh1XvUDBONWGhgBdm0nqInYwhMVZGIpoXvC87x6xzTFKquyxffYbfabfaBFPcI3qZ8/Sl/QsOcT/eR1M/Qt49jN9+36mO3bu+3E39S/w2eu0LK9TP76fnU8PoevZB/Vd+KDcfj67op5dUV/dFeVp8dv3SC3H6fQYFD27pRbH1hf1Tj0SrC/nv3o8YF/Qw/V44L6gD2xx4L5pL9kXcoQtjq2SJd9BuHi9mH+TwPF6wd9vCHm9xu89mLxe6XNY+XNY+SJ08t0HmIeV/juGmnfxMF3IK/CoJMaT2ph164Uo7OhOi+mGGTVmdnxrvD5WJSvb0N/XDnaB9MsQz94tF7O5vflY4DrQPUWCqB3aY26VlP2gjh4JKphjC8B6Z8L6jGG1jnhbnfOte5uzORztrg931je3LoZ7+8Od/a3tZG9n67fH+imBl2aLVeh+FJYvYGBycvQUZOCgXCIrdeD2VmfC2dcXrhvugebmz+KhCcYOwNzyXVhahO8H6L5D6yeUSaY6UCtmHh9SgSVqxoxkfAL55mY/DBkVYyaUjJW81VCp0gAL5sYB4f1E0HmSThkBFUOYHFpii8hRv+h+VKWF/HF03rR7WSpF1uS7oR9nVXbrEm1tPlbLvJXKajCX2EZbqie0lZZJP5ZMHOgkgN4OFWijZ2MmC7ZBc56yhbH0fRjE/z6W8HdtAv8b2L7PRi95NnrvJ5Dv3tr9tzdzv0X7NgD35a3XMPXXtk1DFaVvyPIMGuVXtCtbMHwLVmMA6Zu2CT8hTPzPZzB6/Hw9c9BD8Ocx9hYnjCewBOu6eFOujcOKK+bxLv7u7moeP2E1Dqy+Acqgr+TlB/Al16XQi9fugkpfUE9uWerwW6dMYdU6cqu4MczVChlTzXa3CROpzKAMcticn6QKC1TdBdbVgM+Z+bvVQY8/QijeOzb9W8XU3H03aIafQj0QXSKNyzqSDDoDY3TZVV5e2u+ukhB/LX0zu3FlvN5SjzlmxqveN0zRMc+5mQMsdWxMHalpT/67458vfzw5PXj3D1w5y7wa3VFqf/vbj9XB4fDg73/78eLg4OAAPuP//rqosgNbjNLnoUj9T+t6hgGqWJnUbi/Uu4b5XF+TelvPAiKoJpZHQlpL35uwL26PPAEkQBYaOqiGId3zgUhgSvLCIvn8twEg+/i/zw5Ojy7Pf1tDeoijlgIM3NSWlxTMV+bGKdnvFRMptpZzEwIB29HfvH99cQJzwdh+uDwn4xrKG6qg8i3JIecEhxUVtP+GtdYUbcc8+vXtuyMk6OOfL/9mPzVAj6gvIq6QAJCxlBc0J4q53Ak0CF+wZEquVkYrVz0xVqv/XDnc/6AM/aBYdmlM+WHMxYdiTssyYR/Zyv8s7JwEgltSM55zQ0VGVdbcbxSojov4iGndXiGSxKKrmPGbZSzgYDxW7AZ7s4BV5F1wdr6OGPnlv16/WRTgazZfAry/8Bu2jkWUbly4o5zYkboy7/ztTxe/Hrw7/lBbbJ6Fn158OETd5e/o8/lwUliF5iceKlBaAsW2ofrDLRcWUEt3C5t0nVK5T7J8iCC3Y8cB4narBnY4OKHAu/s27sNnIyQc8x7EfDhi42paV0l9uKRpBOdToug0su1hDi/ju31IF4K4VpaAqzV1pfqrewufhWQ9zYwV4QWjwoAHjaZWQFPDSMlvJAZeK1mJjFBScpbapXj4oAqq+wCx/PCAxk6tdTqXc9JpqyRDIoyYkzKn9klsnnR8eO5CaMlFDIIbGt1f0D0MeUExwOZLtXSSE0gygClQV3CykatIqantS1w8F+TKYTG5Cis5sAwyVcyEgHmLobiDq/f/ee8j1PieSW0GoUnXwEff1xRhXLTwgKQ5Z8IMiH8U+qdjA93E9zPLLnmZkJMJdqAqS+byKE7OPN82soael1cDLECHlYKFQxpgjLq+qSdnxCh+w2mezwdESFJQUM3ieuHcwGQUvJzjeZ26GU21P3q1mQyTzWS0c/WIsnFL9Ckf5DnKCKpnTCMZSGERojxhOc0K81c8+UOj1pqLVBrNS8gurfHnRg2F/rggmpvKeYaxRvhcVqvKkoKuFIOkitrecoARmk+l4mZWWHp6gblfTLGJhDcsQVmWCUIvALC2cGwH5B0sEb92fDuTrv3m9qsoCaMf8cftLrzR8ygyGPnpb0enekAyWVCOPbnsGZPqWpu6TZeGNvTQ976u7v3ohs29OOlv2mxX7fj2yVnv4preBb207o6eviGfCTfhLmgeFhuV2wwvM/znewSGfcbXuwzdkaMcPnD0uKwZTOYR87p5Y2iQSKfWDrIAuAxGn1ZEaM6UiShLSKy4DQurDSRf4dxOEaU4udHwOsar+2gZRYA7Ytv3rNYDlRVcwzWb1YuVzEP7JD3wj1rAgNhPjs43Ts7O6x9CH+kBuWVjP2SJKZ7YvDA8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjLw4Pnq35toihdQqZtLH1OmszKzdnPLpGr5Dd4q4WSAcz1KzKpNiHhq+IBBwcuEvyzAlSRWjJuqYE/bKU1agDGDWDfruVFQ4N1Stv64X8HC1MGwyv6y7+IO6iz3SAGp9bihcosvTc70pUfB4JASsWOFTk4fP9+tFBjkwhhWltZpOItXrNaPXC5ulS7+2vwDTu3NjDxvvNtzjoX+RP+YyvSaK/V4xbUDFK6txzlNydHqOWXq/XFycnZMNcvH6HJJHZSpzvbCsWFaq5wGu8eQIGRXXPoPxlpuZq+ILLXyQdyKjjJTJ2vHiGWQv4TyKYEbDhcMdl9srJ7aP8jva5tzNGwJqMG/O2jI0Y/e0LnGNbXxDmwWWv9TbJNa4+4V1gg/PZ8Evdi5evz38r8uj0/NLewguL16fL7q2ZXeiWX3X6D5jpLWi7q/5Ee912N1eeRB+tWi0w1sVHaWq84xif+bVVU0ymVZ17nRzNrCz7MlcXa3pSUhTU9HAWgVpdGlFSc7FNawHgzl8uz+4h0IUjL2xUYs51xQG1J2ui9FHgzCR3PJrXrKMU2jUZD9tfNL2Wl2LLSuM4bRFuZqZASllztP5AHUT1AnwhttLXWs/wcl+lPTHpNuC1W3NY8+a83penjmWf/kT6lmL4qmqvhHeDw4ZqUJsRMARiARdywS0hiJhwJleSBw0GWZXLIyGQ/z/i+JuucFwF1FD3Q2i2A3XbdVhzOyqgXbA3eHqSXWXljywphBdARiOjaTz+pt7zKQD95zdZN/Knmp3RQMeKPubIDSYD6kUwm3PJKjqaPQQxaZUgT9VMzBQ9CB6Hvd/zPHGFfnpJJe3cNGmstpm+kkqcnF45kYdIL0FMBG2lPGbOi6HC244zcn5P06h4xQzL/Sa+9ENagesYcHbGqTFoHS1Z3IMMp938PFDzQU8XiD8jrrBwbXoLCFCU1NhDQjXRtMwVZCVMN6K5R8g1aJhPRSiBbhOgL7cz85OdMyb+c6qtbBwI7petdSVpdCtKeJ1OB/IeWMCtKBhFW7EqFINmKH/qgQSBdxYobvQvd03WI1aIU1nyAmwYLuNGOPYNqoPcfgNv4TmpRj6vWiWEc0KKgxP8f7oI8hYKgj7iAGQgwZT59g/f1Ll9rEbbpfL/2D1lbJdKFPQcqN2pnmHpwpzTKzp7McUyEK9IEGPp7ur1IbnOWHof8MqNth401rVkfcVEDbhUatJWpZKlopTw/L5Y8xrdAcvS3ECqkfR5zYm+J9hDYHBFGM+rWSl8zlSM7wTuDxctOqQwZ5zDb2MT84GhHqHG/iIK8E/Ei0tnSSE/KPGLM1v6Vyjx70psumth8nT/VXivrhClDV1NGG1qPpuOat8JSzwZSe8vLKgXCUI1tWAZKxk4LYn0ukMRIrIlWjFaSvGh+pEVFZJWGBf7grzcYV5cBxCc+ikXLdRoZWRQhay0r53P+C9/joA6NuH40AvDs5P1zqlcCBEmaaz2teEqMQYUdYjoXdGu6/aa44dMd92yYXFA4veRmvqD7j7Wcppzsjr14cNfPTE6ywSIxq/1qzCCJE5UL4FuvRE/N6RBLLo7lbtNbtYI2E/ANknXfsjNDh+0y09ZTJJuZkvqxDgITfz/t15I4VRrNXoF8CRwnDBxNKKE542ihK6yTrwnUplZuQAYkxoD5CVMGp+ybXsKSv0NKjDKcjJ+VvIQfj/2Hv3pkZypU/4/+dTKDwRb8N57cI2NpfemD1B23CGPfTlNPTMs2fmhJGrZFtDWfKUVLiZjf3uG0pdSnUx2EA1NEPHxAS2qyRlKpXKlH6ZWRrh4GjlsOqaTTOkygkdYIajMqdsofk7hjMlfATOeVW/Z5xNqUwjvV/HWMKHMhT5/6BGzFnjLWrt7wZ7nd7BbruJGjGWjbeo1w/67f5h5wD93zelQdZ4iPPmiyBJy+7HhQNO7OrwNxHWRw7aCuMTNE0wS2Oc+OlH5YzcoBCyrymzM5cMzeybMn9oRBNtUYWE6asFCCKIuQZQjUmSJa6ypm22Q+nhxWgxuxFU/aEPFpsotMvah6d94FLxST2oLXAwWNXGN4cNckq4pbZ8ujHmQnLWisLS3CRkSjmrc6V9hh5uW2itfw1WjaumpWbGVLnS/pWSMckzqniRWRpD9SVmhltwpZ/1XrF1+um6p+yt00/Xe9v5PWOOwxoIfn80qB5LMa26DB5wa/vmQvmOxpuC8BLf+h9jJbQfji6cU21SrVFjbmULkaNFQq+xJGj4/t/bniGbXwDgosUcR2iMY8xCWILerR9PUMJTtTILlqqic8HXCuPYKFzCZwAEzT1fFmi3dANTrVQlmsj7GWaFuJ7SNDwwpsiwfZWIa3AmSUg0qjIJH7EKOQAnpzMipNep5ZHuuwmELBYkckNOx9aSdFN+koVkND3QMTRn3MgJT1BjwnlgngtCPm8gKlDD/6KYwFtfjhooVUR0WkVIskZCKpSjZMpmgusa0ysTtKQv/kQ6mdCvrkV4Zmsm5eLtzo5+RD+hHKTtAF1oMJPk2uv/SufulHl8gwSdL+IbJPFVNq/a1Y2xkEguOYrxmMRCe9WMSwCp6DSiivqLs6FwOOVGyIP0qlHeCD1u5KRC8sUIJOAbCAWZTAikj1a9GovETOMWuTgbbjf1VccV40tmz7hyw0KG9017jAg8WuBM8j04T1CWn2K/rlkv+EexCATo+xYcEJpVMpPNxHrSA9/n5CYVJAnqFRnfocpifBwkybubQXyySmtghs6GR5/UdnCkKR66pnxZeVOmjswxjWsiTlnvCDqw1kkZ1xVM0jh+5EjnJztXUQS/EUiRBN2Bf3DLhXk8JolEx5QJSYyI5XgDx6RPJoD6pqx2CdRE1nZLuDoXuLkJNBeFcKC4YxFqFYKqx1mjt+vPhO6sPIg600cYToHeAVit5F7ZbR9SoLHPWkExhBlnN3P6p4c60yx0H7/oOiJ0gi6BCii3nZgPirpLVyU85Gyi56oIY2BQACe7h0E2P0WVUN0Zyf44omRmC7osD+Lx3Nsn02jnM2VwM5OON+ZTyspEeyoNg0orsyLhcW2Bnq5CFQgk9GQPhCAS34y3+lb+za+NKzrGDI9wNKes0USNhCivhbLpSDV4Z/iZf7dt0y95l9v2q9vL5du3S1el0v9Nwz3BIcsQXBGW2IxwiQUKeRyTELINmG9zRfVdQf0JZZFeVG6Jx3wqzNp2mfpt3xBvpNECG9zkkcWMzEmC4xqLPRzbPkoLkwo3/C06gdhKXTZqu1TrKIJlAo63vnQVtiBBQiB7g9DVHi5Ng6DCIk6EsjvLpuQB7k367fYkx4xadFJFrQuH4GBMYxz0iDUUK5MmKiD9SUKFp7j5REcRMR4Rc+CZIzm7Y3QpCEBgwACPSLmIlAtGLhWq8AdjQp7n+IoIRCVacCHoWOchcPKZuRRKTpVAzolMaKhlFiJnC1Kbj8VRC0Z5UTRMY5zAeF2TZE6lLcxSxMB94NJcfFMdNMSIqZNGSPaC0OsyNwxAtvMc2zPEqXfFrrHr2hTBEl2q98y+qLZJ+Ki4D4YiriirE+3ukz4ZT0gbk72wd7jfjcbkcNLu7PdwZ293fzw+6Pb2J3s5eazp9DVnUVph08gETzsBtwpAQ1bxIhRzMCsT9DtEXBl5wXHMl3r6IypkQsepj303bZgghiSFsA5bYESH9eRtHH36YvEiQmKIvIZjvWyFMHdN4A3/VH8bYgEUHCvvlIYm1Cm3iqy5AwmujNGjz9NSId3lOvKc+3cES1HViHaRzbYEVVoWLj2Ee1RN5GVmmOnwvIlaGMBuv8ZNxYGKT0fLLLe8EPGI1HoFZKUJO5GALgt6xpMEueRaFzlRUi3Yl61WtGa/+g2WqQeJ9VOnQLw0wBB0PFnTmwRLulOL2Q3O2FbmcY2a7cSNzMYO2tbWk6WCSvaGUJaowgDUs3rOPXxkXlCNDAZqCKp7G4OXW8mcCPbmTWZfQgI3cx8ckoXUxLne9IiBxdaMNIM0EVd+qrnMjuWwoimbplTM3KxlixKWtNovULrIbfVmn+NCDRX57oJJoGH4woiwx/NOJWTNF7RQXmoyBWOlZxu1tFZwPDZEzTHToDpBKswE21+rbf518hpaeLG6j3oXrQPAdfsFWvN+TE3JFMDktZjtjfcJeLGQoFA78xX2bM5OcDu0Z5hbSrxOju0EnU50IzxxbeCEFEZXXKErVO/SWk6XOa16eYfWzU1HJSL4cWbk53xKTDshDlaY8y3Ks5LpYMlRzPmVcsGwiSUkUpdcLPgWXhZOp93L3NgNukHP97MAfZhzs7JvbvGy9FN3Y1EtvFFXToObsJ28SZhvyQOd3gE39e8KDeb0WYIiDbzzFRT5Cop8BUU+E1CkXpM2dVimSJ4QGamH9IqMfEVGPs6QXpGR6/PsFRn5ioz8npCReq94HshIGEvNyEhD8B2IQBwbGF22FLkDC1aiAr0IOyQTDB4Umz57lORKdgQP5MczREmub6l9Q6hkhcw/OVTStx9foZKvUMlXqOQrVPIVKvkKlXyFSr5CJV+hkq9QyVeo5EuFSur6a/CsucK7yL5ZfYXXMKVI1GKLsRB0cmOxVxiSOEOqUxyGXGf3gRxiui8k8VfO+PzmNzPC35yRowh+f3rx+RgdXVz8f4N/QoGvSYLnBNJG/8Zy+ElIcsITYGBuJFnDZhzgEWKX6ZYmLqeqdnlPh+dN9OEfJ780IfvotoVlYBTy+VzpWjPkIGsabr+BoEDiUNIw+BuMyGUZ9/PGKp/LWLcuQ5iZYN1G1q4e0W8NOl/gUP7W2A5yXZFwBus5+JvPhlKncGWWNXpFGXhzYKzicAYZulyKTjgalPo2WffThAkLQz5fxFRo2NSU41iPLmv3t4aX4pUp5ccn9vpYDV0XY1vnTtXN8jfYpowcui6z0oppomsl2tSm+jzaylXOkteTDr+7SXF4T1iLjpsBOnFdmbZo7swcWbfFFcQDMBkkNWNTlyAXEeXj6MopElE2VW68Uhb6XIXIhIuFdh5ib7B4OtXk2ZxIBWXir7i8A6rlujYjp6EEm+pjBs3NnExa5v1vk/I9FQThkn74zRH6m2mlmXMZ0Rb5Grisg1hKHF4FcyoTAlkH9Sti5+Ko3e61d9B2o8ge/UsVY2q0qho5ebXonHWZ5POkpE8fzqQyj7SyquJR3bk3QYZcJ5B++hlxym++zLV1W8nz1e0A32RdOtX20KVpG9qMnfYtsXPR6R0eVogefL+CQy/EQW/kENkbz4g/Db501zUjx9YkGDqTwI++KU/TE+mItRnpM7As5Y/FyPvqimI7vnFv0gpay97k1N2kwCCGLON+GsycDT7hYSrsaUSWs9cmyERUChJPwEqiUJALknjGNwhfcwr1CloRWciZS2iamVB6CF+DfvvQtBqSRGrTSRcQ3qDEYUgXs9oqV5zrYnCURWDWmey0ukstXFGauK8N4NdjaUmlnZ2PjgfDn45Hn8+PRr+cXvw0Ojo+H3W6B6PBu8Ho/Kejbn/vdvfOo1wnB/F4VxMXPh2/b9lShkJiFrVwzBnJzRoHKL+rDGDGBuf3TvrBNdEYznmq86C2yNcwTgW9Bg14WSZpFM4wZZdIUBaaY3i/0hXSlxc64syl2IypKHvW709Pg2DtwiurRlL3mYHPa6/zEhY/x/3M2ZgB9nP1XNxrDjJ4tZ0FLM2lTD5UbUITIXNiYeNuZg6+VlEBIzczrftN1AyLWTCP+jXNzyCnoLIy/VnK6vfDPoooOG58gobHn9005vHkEP63xso50TEcggpJWGiuuEzhoqw0f9PzXN1NWTYp+rgyK8iZLhYkgZgX4FdxibRP9vcG+yfdQb//7mS4Pzw4Pnh3cNJ7d/LupD04PB7cZ07EDHeebFLOfzrqfPezcni8e7g7PNzt7B4cHBwMuwcH3b29QXd42Ol3O71hZ9gZDI7fdY/uOTvZjvMk89Pt71XPkOOhF8Hw8BnKWtUz9TjrZu9g/2Rvb++o3e8dn3T2j9oHx92Tbmeve3z0rjd4N2gPu3v9485w/2C//+54v/fuZHew3+kOjg67w6OTtUt5GBqpEGltJs8wiwizNUz5BIl0/DsJ3YW/HoH9BJZc5X5kUnGXZqnIwMGHH004EPrMuUSDoyb6+OXHUzZJsJBJGsLR5wXB8yYaDn5013zDwY8WW7E++37Hu3Xt4uaeCsKYs1AA3a+JcVUm9YwvNR50QRIlakrEzs/PdjIzG6EZZpGY4avyNW3UI/1x5yDaG/f74X6nu989ONztdjvh4d4Yd3ubShPjcoQnci2BirLJzQsNlmTngs6JbypD3WeT/T1nEwjEOMCsiFmqkVrI/sqkUflipNvudlpt9d9Fu/0W/gva7fa/1y5c7NE7hjDTb0iwsYzWJrZzuN9+DGJ1qrxHxjMUivsJjkIcx0pZMnT+4dToVEniOFdcQAf72EKMygUt11Ex3KMCYV0RzFwxGZ8KSR6gXxSbPbWtHs5VuikU0Z4SxfkFNTFJPlrQRCWV+L9cLgMTIBiEfFOea135lPq5pJEzTezYcqdGnt/YSq8fv/w4zBUgeiRNLNKFvk4ZaZe69htZ00217ZDz5fU3MxLHfKXfssKb7/b3Rv8YvFfe/O5Br+Lp48FwjeffBEGw6XL/2m8fBjgGmK+k1wQWfl1cPaPaZrOy5/WrAwzQ1vnRh+1A39BJKNx/jZMbxfUqY0FXWKRS1932hReuScapNJe2GqIN8Ix8XePhh3PkU4x0ndoljaMQJ5HY1sWKcxAwUr42e/M3b/Hfawq0fRTo4dapfe0cmNtsUAdbgw9Q70YNAgrme5x0PC4Rbe0vZZKjn+h0ho6ESBOsHH6Tn3+wqYuR5wUEINXOBx3mtDXYhoAQUSTzy9rFxypoiHzdW+e0Vij5reF9ZnXw45fzJvrorOtTFoI6hw0ug942fQu8QgLcenoMSYDApCw0qi5RsN1YXXS2XWTOeyUsSov8TMnyAQT5gbo1E+V3JdDWxwcs9FMWPhLNOB6ljNZl8FSRjmOkelQc+HIPFhSk/wFsgOQeI56MAN9R30WX22t1MpEE2f7cTnvRROeAFvlUkvMBjumEJ4zi+1D6GP4heEpYegn11nAIV/hG3Xa33Wrvtzp7qL37ttN/u3v4/4ODdF/iHuwM3kld0ftbSVnnsNU+AMo6b3vtt93+/SnToQ2jK3IzcpX7a3MBTftVFTBdHMYVKS/Ez+f32kg82sI0ua5r0V3oS71rki96HcfqgdD8lFGHHJ/L917uJ5eYpcQLRoVc9LtrF65cwRDydcFZFt13n1wZx6YJN50RSeh1aTLdhdIaxO31+7v7lvksIl+LoIj7ESvon+tM/ipCISco/dPBsby5FAscwvXVmFYA67rt3sF9hi5IQnE8WjubyQNQ4borm6cEtqvM363cJYtH59kthg0zz85b4sUMsxQyLDTzGWCyo/MllTMOTlusjBXleblzdNd0OMMJDiFstMjkfv/k3bvDwf7w+N1J+/CgfTjsdAeDo3tpDFeRunZleJoP7PBZnZXF9jTFL1DBlM/nRPFH+GFlemuf8BQwFugfHJ1hNkWD5GYhOYrpOMHJTYDOCXEgkimVs3SsjJqdKY8xm+5M+c445uOdKe8End6OSMKdEBrYUYyB/wVT/sPZ7u5+62y3v1uuTgx3NK17qmpzOPA0rrBwvrAdRpE4McMJiYJpzMc4djZhVkXmnrQ+hav7OJ6upeE5uLpFVWUPmnQqixW+7vnFj5m920RnP55jhk6UF0tFyD1fuKk8oAA831qk4Nm4uTkGPISip/ZzVy3i3IQ+FoHPwKkt0Hsvkv4CDqrBB9RrVXmZG1WnxswpieLu2gTU6LesQC1mnoyLOIXkuPpSpKmvL/ECEvhVhQcLEi66/b1kbQ+FCInHMSj2NSgdcx4TzKoIeqd/QpMY58iiE4tORYxMuaT6dmqJIbo+JEJM0lgZns6kgsrsVD1lQLAMEQb2kPqcMkbitZcbI1/lyOJhv+lUOhDumMBXMG4SBegT0ROrwS3Iy7UA6QePPhyZbB7KbrA243K5DChmGEDHWCgrdU6YFDsyFi2gREm+oqGl2135Q/B1JufxDzhesJYdY4tGYrsAiNL5VDynIeZLCM4SZalTo9zpBGsLXUJEOq9V4KgoIKdB4Ey/EJHoqIUC89rAKUrp2mJmKvA9S5ivGdumMN8ySU8F8101kppYXCfM15+Le83Bs4b5muG+GJivna3vGebrz8nLgPk+5aw8Nsy3MDsvBOa75gxlrX6HMF9DY60w3/ONAL0lIG+2VXj1gb85oNd0/jverQ05Vo3o1R0/GqJ397DX63XweK+/3++Rbre9P+6QzrjX3x/v7vU60Yb8eKwbWyHxfFECuBo053NA9Hr0Psol7iYEf3NEryG2XnTp+do40oJCrlAAJYxRbQrgFfb4dLBHfwr+6rDHSl58Z7DHChqew13QdwZ7rODis7kPuhfssYKgp74Oqh32eAfNz+CG6JvAHivY8EJvlXxKXxzssUjcy4E9+pS9NNjjCtr+urDHFQx5mbDHFcR+D7BHf+ivsMdvCHvMMf4V9vjtYI85xr9w2GM1rd8X7LGKhufg6n4/sMcqDj4bN/desMcqip7az31U2ONdBD4Dp3ZT2GMVSX8BB/W7hD1W1tZ+vFTg2jTL1Say18oLnAhbS1x9zxM6pUr4NBit4sIm6K59CG7nomY04AfF/Zj+SSKNmIOragcGhE3EJ/MuEm0S0ZUEumyjCQ6thWYzjnpfrc46qna5hI5TQFfqNwDcJJTxvOBC0HFMNA4Txzd/Ent9ijX+KOHpVNnSZpQYzWmYcFs1HSfhjEoSGtMyVsYiZwRdU7L0vDSX6944At7AkVc6ACXkj5QIKVArExLKKBT+WJKx/d1inSYJZ7KlrNd8nfuWIuePlCSUCDTHkaNDZxlexASNcXjlv7lBtlOxwKy+9NBvVlYUUf3a2gnwOeQ6c7lS3IqlfmX/I/14QsxlIWAr+IIkBp5rSzAAGBcDhLLpKkVgx2jJXYuYaWiHYVhTlzePsMRjtQQUu28qitpPJof44PCgM94Pw6i/tpbV9DwBl8uMhG+0TIhMgEw9Dl3pLGOiQQ+OiXL8keRTopgGDq5rMquQZMqTGGbPMItivUJcN1AUsmVwrsQT1xKne+PJYXey29/fH+/2IryHd0Ny2D2M2qRNevu7e0X22hE/EZNt9xtItP+WKYNnyy26sr9QBmJOsEgTcw4AYu6EVol4JtJ5UTfPkaTM3HZ70t7bx7g9xoft7njfU8xpEvtK+cvnszsU8pfPZzbBs6lIgUwSJu22K1VJjCWDE9B9Xz6fCX2BbJ60m4biwTghUAoPRXzJlMBwJMIZmZOmqzm5wHJm3ufI4p7X0XX11hkb6ipgtnhQEmcqqJFP/+XXIzxlSPA5Aai6mkDFzzm+0TnITUDB6SdF7Y5ioeKrLmIW3zTdyRAuFkJkUDjx1GQ1U23ryolejd8lHDRNua15emlSl2nOlYWmIoOZC8uwyP26WHsxM1nELV5BGNiwUl228wpLzKwGx5Y0iXOlIEtNUIEAFiGIRFStXIMQb6pZZFwqRZncQFr4Gay3/PuFxmOCoaLRgiSUR2ieCgmNjJUmDOM0IlFFdUt9OAgPjwlqLNi0kZ0gqtcbgfquPEMLY4R4dXKm8/VOsO81K594Io0pbyQewf2WFqcfLj35l3zRKDDn8odLfWGVr/xpB12oeTZJ40e0gZ+sPMPpRNdOVCoQqjHRuVrSpiLTDU8hCXy2YG+8A2EhuY8KowxdKnlW7V1CrBUYNLDg9VqhAk5EmUZHkUh7k2BAWZsT9n3XpF9vuKKeQF4DvO31dncEUTbz3//40XyvP/8g+SI3e3ZBvoAZfPOFzXmk9v8o0zMg+gIJQliOs46jrpsPXJo4CMoQI1Lv8JxRyZVHpTUAH8POHbnNYEyUqjGCA3OdECx8UcAQnIZiPjVl/dWrUCJBEoZ+T6GIcwa1A92l9tFiZVwnOa5MmHvNNYvB2Vpi4QbazO3zjMuycrqXEKnWVvyck68FFsKTmkePYzLNFxy7oDAGWVfhyk9Yzgp9e7rVMKhRGE4NNeL92uSlcfR65SuPXm83Nyhwq+o0EqADI8T61zHRtoL+xcQJVtHg29GNgrCV9q6/w94F8U+Rfwbk9xIoba8NOme1MK7ehRWaZLpH4za8scOr8IyuTqv6G6fSPdX0OtPEajPFtajLVzNE5guZjQeGrp+8NG+bYnLugppCcASTFEuCxkQuCcmHfMol17ZqYYN+6rr0SgW/FqV/VkXptd9WlxycQ+ur1SJsOI3C1quhCpdvK01PPd4VW1f+wOG13D56Lbd/v3L7NV4BfzHNV9gp/ghyBzz28+oTHpBCONoz5zx2Y81Xrx7zVLqyycbEhfJg5Bo7H8OcNZhKxeZLU0lMyccMXxM4cidwJc8T74iSyYQSYXZVW8MbzTnUzcX6pJ5G1lW2h1GYIQwx0sbohh1beMf0czNxT3+AtLpQvS5EXmOdeojkqFEq86EiQcm1f2RgxJN5h4rWN0K7aqq7JqKTrJZAyT4+gmLi6JgyIYkRLDtOXSD/qSQOeq9V5DR9tR3Xl0/rXY4aIM3UIdT1kncWMZa6pH95iDUqbJ//urNc/17ccV23GVaPznRNjETXUsxp9glcjWkVxBBmnN3M6Z/eSZRmnPv4RZBJGivBv4TK+DS6VKKhPyjCLl3UWcjZRM8QjvO7CYvUfsB4ti6Nl1KQoqL8hBkC/TFlxx5xChuY6FL2lITjviN4Mp11PlNuvbYbEhTzqXeJISoCMTEorbzzx+PaoiNdhhN9u6h6QlhbGpJmy8eYFIWxvvm1cUXHmOERjuaUNZqooQuuUzYdqQYb/7kDkuEbTiM8tcelnvmEsm/XMKJ0G9aUYoC/gDjMOdHHCBiNE770blLd0rqYkRtzoCdmfImUgmaAJLAAhphPhWpKGcDuTMIAOFI3VHsesIHdQ1Tz30oTmt6Kc0k/zTgjd6y+WgaUsa4M6sUTnNDcoJ79YXdB13nyMcrJR5HW9/xPGsd4px+00Zaejf+BBp++mJlBH89RpzvqaAfuPQ7VF/+9jY4Wi5j8Qsb/pHJnr90POkGn74a39c+fLt6fNfU7/yDhFd+2ELGdTjdoo/d8TGOy0+kfd3oHht07e+2eyd/lmC6CCZ7TuK7TxY/nSLePtqzfl5BohmUTRWRMMWuiSULIWERNtKQs4kuxXa6zBk+Wxv0yrrY+ajgOmxqbytq/4HHZvC0uJUsCUGttF5bkTIvOe/47viZFbl2RhJG6XJUSDbo3N2wNscDLVSukF/SCdqvT6bYgcIuGxdG/EDdnxVxbOII306sm97+LnLEW+LeaWdufWc8hYZKLJkrHKZPpbWsYJ0taWsP1olBLg19XHjvtoFPUlPUO1YP33rFzKu3u2VfXsdGMxrL6+ezowzo2lXrOWlM4yW4yjPF+gw7a3aDzB5J4uiUADY7RAodXRNqTIiz0ER8WiLIpYGMguYX+E9rHQvCQGhC9aoLZq0/wicBpUlQ7gCF2EXymM63xsjLu5rkP+gY4UNRXUZGQkCeRao6yaWyolXgKeEW4Kk4BcAFJJe3kzTSAQA30jxZlrT8QYSFeiFSPUjSNS1c1MpS71ZU3Cxoq+9Q0bQ7VANSH3fW1IEzwBG2RYBqgfxNy1US/0ISIGU6utuFull6T+AY5yxuc7wRPIMCxwAnKGElWzqpuAumHDHHZBAu0ZY8LTavmtzz92yuIvJ08TZ9pd1MqbyEvV1sSwEf2Pk5521FEjWTZ8eRkRQm6Ti5ELDsknk5BF5gmP45t9i9PuK30Br6UmxyvFfJnHzdNOtn2XXbIbORWhQGUWkc/oiJMCBwsFFeYaRNG4LW3al4mNCFLHMeiiRIQftHUbiuO0BjHmIUkERu4NrUdQAFBp0NtKeqilDZs1HG/rK9vd0a/iefzcWGCaIACOBfYhAaeSkGjOwKSndZPY0YSPKYuwMuq/9IPq/cBtQ3kGlrjogJXdI1KtxY2oXN2trCOSKnVOOX1Ah0gkxOfWINA6XM/eAEIkSW+YLjBchHCcKQgiIUYWZOo5db31sQ/5x2C+6L6Ov9yfryt/tD5CWJ40DWavWDh9DxBJ2bdbucuGLOc0X+kOL4R0xQnUaD/huDbP5ZkPCPxYmfCR4CUi3euGF/GJJoS1fROjsCRYT0lIpjJ+a//gobcwPLMyJ79z3YlCspCMO0VUvmG782vDUvXnQdJfqp5tVlALGZ9hhjkXMh15OKXclwQIU8yyzI3OZmT7oO3IAcHZPYOr4XYKceg/Xy+dsCsN+Jn6xWVuOp9Uc1SWHxmzxJuC8cx7IZ+b1Vvr1ge4TUJ5lQmROdUVzpsZ4L/ADGPfwivyQhuTEfe4MQoTAiWJPp1AJHcrltft1Ki9+LjrwsulOYY/HzsU/if0vyeMjTH4cdzpNO9oG7Q6QZ7TR+ulGeHAUR+/jTYIDszgaQIdS8Qq0W9k36vnAEVt0xNeXFUTVHF6jhelwW1WSaKckuxUQ1bp8Ntiw4xmS4WGbq7erNE+pI+QKf+vTpK85cnpgPTqL2DK/O1uHusK/rLGZYjKkZqCdBo28h6UcZd6yVZPx3+p2KOWjqFULvd3qBMACDnagsMPkIJ0XDi1QomZz8bbaMjZeZU0ql2fxwv7GQ46Y8K81JkTPWMhFPaGlOmvoXjvHBK/67++NHxca/T2YCNSvBGtQq/8SJ5gkSIWbWoViaV6rQ7B8EmQqHaZyQJrgmLeF0h1YokH/ZT3OBhCEgPoUTWBWF4HK+fPyjkCQnGWeaZ24iZxBzLShP2XDWjIT8JZlNz9dUO2sri7rSDtj5MhD9tTZIZQXMuJBLkmiQ+pv6dMjGFaZEr71NZbEIQIeZw1wZaexFzKi1T5kQmNBRoC0uJwyt0DXCFLMxGw9m/UnnTRIuEXtOYTIkJWjM34ZIkOnpvu4nofIFDmbXq32urNly76rVpAs2qpgwyBMZkcqpC1OAKI6DC/LKmOohuK+JhqkjeLlmq/aC/2RQTdk0TDnVb1rrK+kZzfewP665Jx+wGuWANkBIzQ010nxmCC1maEKhl8wymSJL5gifPaXYuzIjumhi4+5ljmWpGK5ZGptQSUNHM7dd2rsLHWxdrcrjes3Jw5D/YlCW5E4/Mdd768PNwO9vslWtMJeSGdjyCaQD5xOyKsikcUTfO+LLRRI33JKLpvKGlufETnc4aMAXKTUPXXTWpTn26FkESRPEAUifndn1J6CprazdoG/jxDZwhRmRCWT5gTbWQPZybI0+K4AkqEF8yEmnrBTM81WdPJ6efzy+Cj8lUZ6lBW/CFUp7oy3lLp89nHKpFTajnann5YZpoOeNKGVBhgz4lRzMSL0Dvw4m6ICEIp7JsQU8o62vBmXdZJgmeC4TDhAttOC95EkcrRJRdRwGjQgZTfg1nFi2jikBcy8pAX46sJ6pmSmq0LtysV1oYANxV3ANFYTdBDMnWIJN57Hi2SChPqDQTgRIyxQlcDnsq4H4cLBnxqpvQdX3HOeTXfvvQP36E1DSDQm71204gqVBGQKz3Bn0Fox0Rta7seaRaK18L+e9FLself1BJdT6G+AbFfDo18f9Q9EvpUn2RE9EphY3QZsTL0tw5hpAwlcrEQ2PKcEKVGXO+8/70/XG+N2YwumMewTOwf+L4RkAUIQQ621FyONC/CtAvcObP4pvshqqQsdUMHYCD+hw1n+bQtMiIkCRCKYtIgi5VX5em9RkWMyKs4PmFeHLJFxOSwWyb7jSXoEv1/iUk9oCg7iycdsEXaYxNMCRcAOoLLOjdL3Jzue07qOZiA1wwB2PMFa7KIyfHXM6QAN1tM7G5yzZ/oCAXXOdlC+0Yc2zRiH6lNAFjq9osN1khR4YsGYvAy/Z0ub3+gfZrIYQnKYTwVy9+8L0WPHgtcmD+3XfGn03Gx3sVNvirFDP4CxcweNlFC15coYKXVZzgpRUkeC1CkGfCyyw88P0VG3gtMPDNCgy8FhX4hkUFXnohge+1eMBrwYAHzPazcRnvVyTgRRYGeCHFAF52AYDvJul/S/X8Fo0JXGRjFs54oj+2QotvNLc37/QzuSH8T2h7YBOxmT1Jve7iTOz9AdxWxLFJ4QjHzGqolSfjENo040J6ilrzCcfUpWhcYDmzD3sPVgxQ/RuSRUJCuJpoQTrQ7EW4lYFPNB/lhJkNs8qNT9EXSDonf9rQ6dXD0yj3wsNzOtUozLdIJinJt645kmuW+7Wk9YdRldysIN3ND4Bs4OJ/miYwKbqzKvrWYL2aIf+5W8mCRu87p7e2rJgrIJF/QJmQ3mHpnTyC4wf9LrLvIhrZZRHGPI2yFTBQHy1qIEFzInGEJa5eFO/Nrxr6EeZeBXhh5o/gKBrBAyPbpHoyJEJoaJm/RnKUw0sBneOplwc/Sykxpy08DqNOd7dSf2QCcqpaQKdDB17Uw7UcMeLxAzpSMwUP8TjyBdUOSI0/0KOytN4x1ZUP3zrdXh92gBmw8fZuHEHu+Y17WkN6C32tK8Zeb3MczigjsMbX6sy8EHgvrNuXj8UaraHQbn9r3V4XCQcttubEmcc3n7eETDOr7/Y+co9Wtm/VQsTDK5BVoxeG9nPF8tK/gd2h9sc41jUaQCno39QKFzOeyJHWzJk9Ybdj3V/L6YQV26YbFqq4gc6/klMieneAnELuxypmeQyrfqWSaSu6Uhpn895A03kLasNeC2+u1+n9uzNpQNEP6OLj8ONb9BNfKvNijhdKyQry99JYchs9un2zR6v1OXI6XQ8hsJKr9t9Mbn/SnyoaOWUT7kur2RbU68jqGk9A1feV4mn2jePBuR93TG2kbUBCEdzM48A8pwPncKLPVBlnrezNQhIv7goQrJb01VOTy7RlmxhzHhPM1mTvJOMIhOdk017ul4tgnNK43GV5Rt3u3egcDDvtw8Z6w/l4jqAHH6NSPZCQR6RyHdw2FiETIsPZ+oOxvehUfezGSeBVOiYJIxKgAEYO/+l/V9Fu9ruzufIGVNYo8qXwdq2avXSnZs0N+naZK3J8waNqtbPRYvY4sOD6WKk8uaqrtEKH37enTzxCX06H5Y7AZV7g8PGIylosd8ajksp/YGc2R065M6Mu//Zgxez9PJrjxYKyqXm28bc1V5E3YrORzPGiPGTI56cPnJ7duL2xVQ8+IYuYhlgQ+bhTnLW7YqIjsoj5zbzgZj6846zdFR3DAdQkjR+dZK/hFV3fYQfdt2PX7J3dVht9D+9Xt2s2GKPLs93lk/uiol3zY7avOKe2ah/I2kYbbQLk67pmp+khyADGt5iehuLfecyvKG7hVPKICggPycj/X/pXNDS/3CD/OeR53nceYlQ05e/CZhyuyVXHe+a5QJ/y5KNBNjjVssef5oqXT9wAvNRI1X3S2w5fV3R3jMOZyfSoi1S5kFwDXjGZ2AmFikEuu0qU6kwAEicyXdh7IN2QLocw19HA7lxOmjqoeE6kIiwxEUIwb0SCSa4TdsMX6mPThJzC0CCuAMeQi17om/3TT/oJI16IRk3AgEPIUG5IEGAgBXCmmoUG7rxIeJSGcnNGXmhotVm7phllJjrabuv23uKS6/aNcNm+tryet+/o2gs33bBn/a6HLDfke7IgUJIypiaasupx2DKCG/f+5fMZminnc6ZcFejOSCuM5Damh2lSuKrIu0krev3FFc6y9C2xcCJuXEqcyhlh0mXS0EWO3OFr4f7B5VtY4wZiw8uH//JP343KLWr3XK8nNCYIS1M01/imlYVgiUzpbfzLqvwqjV7B03NdNM9V5puZYhSXuulLNKZSdROgj3MKwBOowbqkghSO9QWR0/rGMt1oLDqd6+bSjNCRLT0At3kJhMuZlESgJLN6xeSrjpMynSE/mw6yJd3iqtocUOZLi2zElyzm2NYjCtBHFt94zZhimzoaB1J4NNE1xdotfT88lWT+y4wk5CThc5GJTOA1YXlFJ3akhYAlxmU53f1DErKsZK6DrjFb6tkc87skTqnOQ66WL+TjV+0ir3iY/mfywBtylAVRksWYsvTrSkuqhE07Pz5TL5i7uSxoDmaw0vwqFedYJWoVvfEly/KT89zVtp+de+NmoaU3wlGjGik2XCgHc9+mTY0AnnhbuefokmsS39FHhh5qb9AvtBz8V2V1lNtU6hedAMA7vULFozzn8qYRXX36l8faqkdtcoFC26sExjtCWYP5Xg+nwyKbc47WZo0xSOKbo9uVylmP9mNXWadO+gu9PJwHhQaZl8w4V0Ki0Gb+uxUtmgIcZU6s9t02P1ArdpexZAVT7tluhYRAPCnkHFtPRE7c87XKSLGbhwtJscVHkBKvyW8iJqX+HktOSg1XCIrA1wWzfqWMnKtHaxUPr4eHS4bX2CMIhW7tm8iD39VjiYLfpubG/wsAAP//W83Fpw==" } diff --git a/auditbeat/magefile.go b/auditbeat/magefile.go index 11554761940..bc99856a890 100644 --- a/auditbeat/magefile.go +++ b/auditbeat/magefile.go @@ -31,16 +31,18 @@ import ( // mage:import "github.com/elastic/beats/v7/dev-tools/mage/target/common" // mage:import - _ "github.com/elastic/beats/v7/dev-tools/mage/target/integtest" - // mage:import "github.com/elastic/beats/v7/dev-tools/mage/target/unittest" // mage:import + "github.com/elastic/beats/v7/dev-tools/mage/target/integtest" + // mage:import _ "github.com/elastic/beats/v7/dev-tools/mage/target/test" ) func init() { common.RegisterCheckDeps(Update) unittest.RegisterGoTestDeps(fieldsYML) + integtest.RegisterGoTestDeps(fieldsYML) + integtest.RegisterPythonTestDeps(Dashboards) devtools.BeatDescription = "Audit the activities of users and processes on your system." } @@ -90,7 +92,7 @@ func Package() { // TestPackages tests the generated packages (i.e. file modes, owners, groups). func TestPackages() error { - return devtools.TestPackages(devtools.WithRootUserContainer()) + return devtools.TestPackages() } // Update is an alias for running fields, dashboards, config, includes. diff --git a/auditbeat/module/auditd/_meta/accept.json b/auditbeat/module/auditd/_meta/accept.json index 7d300556af3..2ec04e0226c 100644 --- a/auditbeat/module/auditd/_meta/accept.json +++ b/auditbeat/module/auditd/_meta/accept.json @@ -38,7 +38,7 @@ "module": "auditd" }, "network": { - "direction": "incoming" + "direction": "inbound" }, "process": { "executable": "/usr/sbin/sshd", @@ -92,4 +92,4 @@ "name": "root" } } -} \ No newline at end of file +} diff --git a/auditbeat/module/auditd/_meta/data.json b/auditbeat/module/auditd/_meta/data.json index 7dccb3a6e1b..906fef698ed 100644 --- a/auditbeat/module/auditd/_meta/data.json +++ b/auditbeat/module/auditd/_meta/data.json @@ -36,7 +36,7 @@ ] }, "network": { - "direction": "incoming" + "direction": "inbound" }, "process": { "executable": "/usr/sbin/sshd", @@ -55,4 +55,4 @@ "id": "0", "name": "root" } -} \ No newline at end of file +} diff --git a/auditbeat/module/auditd/audit.go b/auditbeat/module/auditd/audit.go new file mode 100644 index 00000000000..9812f2fbefe --- /dev/null +++ b/auditbeat/module/auditd/audit.go @@ -0,0 +1,23 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package auditd + +const ( + moduleName = "auditd" + metricsetName = "auditd" +) diff --git a/auditbeat/module/auditd/config.go b/auditbeat/module/auditd/config_linux.go similarity index 98% rename from auditbeat/module/auditd/config.go rename to auditbeat/module/auditd/config_linux.go index 149af7a08a0..d0d90e86c44 100644 --- a/auditbeat/module/auditd/config.go +++ b/auditbeat/module/auditd/config_linux.go @@ -35,12 +35,6 @@ import ( "github.com/elastic/go-libaudit/v2/rule/flags" ) -const ( - moduleName = "auditd" - metricsetName = "auditd" - recursiveGlobDepth = 8 -) - // Config defines the kernel metricset's possible configuration options. type Config struct { ResolveIDs bool `config:"resolve_ids"` // Resolve UID/GIDs to names. diff --git a/auditbeat/scripts/docs_collector.py b/auditbeat/scripts/docs_collector.py index 5e897bde3ed..7b7bc6a3299 100644 --- a/auditbeat/scripts/docs_collector.py +++ b/auditbeat/scripts/docs_collector.py @@ -56,7 +56,7 @@ def collect(base_paths): # Load title from fields.yml with open(beat_path + "/fields.yml") as f: - fields = yaml.load(f.read()) + fields = yaml.load(f.read(), Loader=yaml.FullLoader) title = fields[0]["title"] modules_list[module] = title diff --git a/auditbeat/scripts/mage/package.go b/auditbeat/scripts/mage/package.go index fbda2077f4f..09591705121 100644 --- a/auditbeat/scripts/mage/package.go +++ b/auditbeat/scripts/mage/package.go @@ -95,7 +95,6 @@ func CustomizePackaging(pkgFlavor PackagingFlavor) { args.Spec.ReplaceFile("/etc/{{.BeatName}}/{{.BeatName}}.reference.yml", referenceConfig) sampleRulesTarget = "/etc/{{.BeatName}}/" + defaultSampleRulesTarget case devtools.Docker: - args.Spec.ExtraVar("user", "root") default: panic(errors.Errorf("unhandled package type: %v", pkgType)) } diff --git a/auditbeat/tests/system/auditbeat.py b/auditbeat/tests/system/auditbeat.py index 417b60fe894..320e7da9ea6 100644 --- a/auditbeat/tests/system/auditbeat.py +++ b/auditbeat/tests/system/auditbeat.py @@ -3,8 +3,6 @@ import sys import tempfile -sys.path.append(os.path.join(os.path.dirname(__file__), '../../../metricbeat/tests/system')) - if os.name == "nt": import win32file diff --git a/auditbeat/tests/system/test_base.py b/auditbeat/tests/system/test_base.py index 8a15d004df9..8dfa64f8ac3 100644 --- a/auditbeat/tests/system/test_base.py +++ b/auditbeat/tests/system/test_base.py @@ -6,9 +6,10 @@ from auditbeat import * from elasticsearch import Elasticsearch from beat.beat import INTEGRATION_TESTS +from beat import common_tests -class Test(BaseTest): +class Test(BaseTest, common_tests.TestExportsMixin): def test_start_stop(self): """ Auditbeat starts and stops without error. diff --git a/auditbeat/tests/system/test_file_integrity.py b/auditbeat/tests/system/test_file_integrity.py index 813ae8177c5..bf90a9ee38e 100644 --- a/auditbeat/tests/system/test_file_integrity.py +++ b/auditbeat/tests/system/test_file_integrity.py @@ -31,7 +31,7 @@ def file_events(objs, path, expected): evts = set() for obj in objs: if 'file.path' in obj and 'event.action' in obj and obj['file.path'].lower() == path.lower(): - if type(obj['event.action']) == list: + if isinstance(obj['event.action'], list): evts = evts.union(set(obj['event.action'])) else: evts.add(obj['event.action']) diff --git a/deploy/kubernetes/Jenkinsfile.yml b/deploy/kubernetes/Jenkinsfile.yml new file mode 100644 index 00000000000..452771edfb5 --- /dev/null +++ b/deploy/kubernetes/Jenkinsfile.yml @@ -0,0 +1,15 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^deploy/kubernetes/.*" + comments: ## when PR comment contains any of those entries + - "/test deploy/kubernetes" + labels: ## when PR labels matches any of those entries + - "kubernetes" + parameters: ## when parameter was selected in the UI. + - "kubernetes" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + k8sTest: + k8sTest: "v1.18.2,v1.17.2,v1.16.4,v1.15.7,v1.14.10" diff --git a/deploy/kubernetes/Makefile b/deploy/kubernetes/Makefile index 722cac158d1..a97e9a986f4 100644 --- a/deploy/kubernetes/Makefile +++ b/deploy/kubernetes/Makefile @@ -1,4 +1,4 @@ -ALL=filebeat metricbeat auditbeat +ALL=filebeat metricbeat auditbeat heartbeat BEAT_VERSION=$(shell head -n 1 ../../libbeat/docs/version.asciidoc | cut -c 17- ) .PHONY: all $(ALL) diff --git a/deploy/kubernetes/README.md b/deploy/kubernetes/README.md index 65275dc4e45..b1ee4207d3e 100644 --- a/deploy/kubernetes/README.md +++ b/deploy/kubernetes/README.md @@ -9,3 +9,5 @@ Beat | Description ---- | ---- [filebeat](filebeat) | Tails and ships logs [metricbeat](metricbeat) | Fetches sets of metrics from the operating system and services +[auditbeat](auditbeat) | Collect Linux audit framework data and monitor files integrity +[heartbeat](heartbeat) | Monitor services for their availability with active probing diff --git a/deploy/kubernetes/elastic-agent-kubernetes.yaml b/deploy/kubernetes/elastic-agent-kubernetes.yaml new file mode 100644 index 00000000000..f20ca2796e9 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-kubernetes.yaml @@ -0,0 +1,147 @@ +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: agent-ingest-management-nodescope + namespace: kube-system + labels: + app: agent-ingest-management-nodescope + group: ingest-management +spec: + selector: + matchLabels: + app: agent-ingest-management-nodescope + template: + metadata: + labels: + app: agent-ingest-management-nodescope + group: ingest-management + spec: + serviceAccountName: agent-ingest-management + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + containers: + - name: agent-ingest-management-nodescope + image: docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT + env: + - name: FLEET_ENROLL + value: "1" + # Use enrollment key of node scope configuration to distinguish node scope datasets + - name: FLEET_ENROLLMENT_TOKEN + value: + - name: KIBANA_HOST + value: "http://kibana:5601" + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + runAsUser: 0 + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 100Mi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: agent-ingest-management-clusterscope + namespace: kube-system + labels: + app: agent-ingest-management-clusterscope + group: ingest-management +spec: + selector: + matchLabels: + app: agent-ingest-management-clusterscope + template: + metadata: + labels: + app: agent-ingest-management-clusterscope + group: ingest-management + spec: + serviceAccountName: agent-ingest-management + containers: + - name: agent-ingest-management-clusterscope + image: docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT + env: + - name: FLEET_ENROLL + value: "1" + # Use enrollment key of cluster scope configuration to distinguish node scope datasets + - name: FLEET_ENROLLMENT_TOKEN + value: + - name: KIBANA_HOST + value: "http://kibana:5601" + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + runAsUser: 0 + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 100Mi +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: agent-ingest-management +subjects: + - kind: ServiceAccount + name: agent-ingest-management + namespace: kube-system +roleRef: + kind: ClusterRole + name: agent-ingest-management + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: agent-ingest-management + labels: + k8s-app: agent-ingest-management +rules: + - apiGroups: [""] + resources: + - nodes + - namespaces + - events + - pods + - secrets + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions"] + resources: + - replicasets + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: + - statefulsets + - deployments + - replicasets + verbs: ["get", "list", "watch"] + - apiGroups: + - "" + resources: + - nodes/stats + verbs: + - get + # required for apiserver + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: agent-ingest-management + namespace: kube-system + labels: + k8s-app: agent-ingest-management +--- diff --git a/deploy/kubernetes/elastic-agent/elastic-agent-daemonset.yaml b/deploy/kubernetes/elastic-agent/elastic-agent-daemonset.yaml new file mode 100644 index 00000000000..9dd5727d1f7 --- /dev/null +++ b/deploy/kubernetes/elastic-agent/elastic-agent-daemonset.yaml @@ -0,0 +1,44 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: agent-ingest-management-nodescope + namespace: kube-system + labels: + app: agent-ingest-management-nodescope + group: ingest-management +spec: + selector: + matchLabels: + app: agent-ingest-management-nodescope + template: + metadata: + labels: + app: agent-ingest-management-nodescope + group: ingest-management + spec: + serviceAccountName: agent-ingest-management + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + containers: + - name: agent-ingest-management-nodescope + image: docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT + env: + - name: FLEET_ENROLL + value: "1" + # Use enrollment key of node scope configuration to distinguish node scope datasets + - name: FLEET_ENROLLMENT_TOKEN + value: + - name: KIBANA_HOST + value: "http://kibana:5601" + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + runAsUser: 0 + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 100Mi diff --git a/deploy/kubernetes/elastic-agent/elastic-agent-deployment.yaml b/deploy/kubernetes/elastic-agent/elastic-agent-deployment.yaml new file mode 100644 index 00000000000..a1f026442db --- /dev/null +++ b/deploy/kubernetes/elastic-agent/elastic-agent-deployment.yaml @@ -0,0 +1,42 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: agent-ingest-management-clusterscope + namespace: kube-system + labels: + app: agent-ingest-management-clusterscope + group: ingest-management +spec: + selector: + matchLabels: + app: agent-ingest-management-clusterscope + template: + metadata: + labels: + app: agent-ingest-management-clusterscope + group: ingest-management + spec: + serviceAccountName: agent-ingest-management + containers: + - name: agent-ingest-management-clusterscope + image: docker.elastic.co/beats/elastic-agent:8.0.0-SNAPSHOT + env: + - name: FLEET_ENROLL + value: "1" + # Use enrollment key of cluster scope configuration to distinguish node scope datasets + - name: FLEET_ENROLLMENT_TOKEN + value: + - name: KIBANA_HOST + value: "http://kibana:5601" + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + runAsUser: 0 + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 100Mi diff --git a/deploy/kubernetes/elastic-agent/elastic-agent-role-binding.yaml b/deploy/kubernetes/elastic-agent/elastic-agent-role-binding.yaml new file mode 100644 index 00000000000..bc451c6adf3 --- /dev/null +++ b/deploy/kubernetes/elastic-agent/elastic-agent-role-binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: agent-ingest-management +subjects: + - kind: ServiceAccount + name: agent-ingest-management + namespace: kube-system +roleRef: + kind: ClusterRole + name: agent-ingest-management + apiGroup: rbac.authorization.k8s.io diff --git a/deploy/kubernetes/elastic-agent/elastic-agent-role.yaml b/deploy/kubernetes/elastic-agent/elastic-agent-role.yaml new file mode 100644 index 00000000000..66b1bdc0437 --- /dev/null +++ b/deploy/kubernetes/elastic-agent/elastic-agent-role.yaml @@ -0,0 +1,36 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: agent-ingest-management + labels: + k8s-app: agent-ingest-management +rules: + - apiGroups: [""] + resources: + - nodes + - namespaces + - events + - pods + - secrets + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions"] + resources: + - replicasets + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: + - statefulsets + - deployments + - replicasets + verbs: ["get", "list", "watch"] + - apiGroups: + - "" + resources: + - nodes/stats + verbs: + - get + # required for apiserver + - nonResourceURLs: + - "/metrics" + verbs: + - get diff --git a/deploy/kubernetes/elastic-agent/elastic-agent-service-account.yaml b/deploy/kubernetes/elastic-agent/elastic-agent-service-account.yaml new file mode 100644 index 00000000000..107e4210814 --- /dev/null +++ b/deploy/kubernetes/elastic-agent/elastic-agent-service-account.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: agent-ingest-management + namespace: kube-system + labels: + k8s-app: agent-ingest-management diff --git a/deploy/kubernetes/heartbeat-kubernetes.yaml b/deploy/kubernetes/heartbeat-kubernetes.yaml new file mode 100644 index 00000000000..cfb7622fd33 --- /dev/null +++ b/deploy/kubernetes/heartbeat-kubernetes.yaml @@ -0,0 +1,159 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: heartbeat-deployment-config + namespace: kube-system + labels: + k8s-app: heartbeat +data: + heartbeat.yml: |- + #heartbeat.autodiscover: + # # Autodiscover pods + # providers: + # - type: kubernetes + # resource: pod + # scope: cluster + # node: ${NODE_NAME} + # hints.enabled: true + # + # # Autodiscover services + # providers: + # - type: kubernetes + # resource: service + # scope: cluster + # node: ${NODE_NAME} + # hints.enabled: true + # + # # Autodiscover nodes + # providers: + # - type: kubernetes + # resource: node + # node: ${NODE_NAME} + # scope: cluster + # templates: + # # Example, check SSH port of all cluster nodes: + # - condition: ~ + # config: + # - hosts: + # - ${data.host}:22 + # name: ${data.kubernetes.node.name} + # schedule: '@every 10s' + # timeout: 5s + # type: tcp + + processors: + - add_cloud_metadata: + + cloud.id: ${ELASTIC_CLOUD_ID} + cloud.auth: ${ELASTIC_CLOUD_AUTH} + + output.elasticsearch: + hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}'] + username: ${ELASTICSEARCH_USERNAME} + password: ${ELASTICSEARCH_PASSWORD} +--- +# Deploy singleton instance in the whole cluster for some unique data sources, like kube-state-metrics +apiVersion: apps/v1 +kind: Deployment +metadata: + name: heartbeat + namespace: kube-system + labels: + k8s-app: heartbeat +spec: + selector: + matchLabels: + k8s-app: heartbeat + template: + metadata: + labels: + k8s-app: heartbeat + spec: + serviceAccountName: heartbeat + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + containers: + - name: heartbeat + image: docker.elastic.co/beats/heartbeat:8.0.0 + args: [ + "-c", "/etc/heartbeat.yml", + "-e", + ] + env: + - name: ELASTICSEARCH_HOST + value: elasticsearch + - name: ELASTICSEARCH_PORT + value: "9200" + - name: ELASTICSEARCH_USERNAME + value: elastic + - name: ELASTICSEARCH_PASSWORD + value: changeme + - name: ELASTIC_CLOUD_ID + value: + - name: ELASTIC_CLOUD_AUTH + value: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + runAsUser: 0 + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 100Mi + volumeMounts: + - name: config + mountPath: /etc/heartbeat.yml + readOnly: true + subPath: heartbeat.yml + - name: data + mountPath: /usr/share/heartbeat/data + volumes: + - name: config + configMap: + defaultMode: 0600 + name: heartbeat-deployment-config + - name: data + hostPath: + path: /var/lib/heartbeat-data + type: DirectoryOrCreate + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: heartbeat +subjects: +- kind: ServiceAccount + name: heartbeat + namespace: kube-system +roleRef: + kind: ClusterRole + name: heartbeat + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: heartbeat + labels: + k8s-app: heartbeat +rules: +- apiGroups: [""] + resources: + - nodes + - namespaces + - pods + verbs: ["get", "list", "watch"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: heartbeat + namespace: kube-system + labels: + k8s-app: heartbeat +--- diff --git a/deploy/kubernetes/heartbeat/README.md b/deploy/kubernetes/heartbeat/README.md new file mode 100644 index 00000000000..a42be6a4a50 --- /dev/null +++ b/deploy/kubernetes/heartbeat/README.md @@ -0,0 +1,30 @@ +# Heartbeat + +## Monitor Kubernetes services uptime + +### Kubernetes Deployment + +Heartbeat can be deployed to monitor the whole cluster from a single pod. + +Everything is deployed under `kube-system` namespace, you can change that by +updating YAML manifests under this folder. + +### Settings + +We use official [Beats Docker images](https://github.com/elastic/beats-docker), +as they allow external files configuration, a [ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/) +is used for kubernetes specific settings. Check [heartbeat-configmap.yaml](heartbeat-configmap.yaml) +for details. + +Also, [heartbeat-deployment.yaml](heartbeat-deployment.yaml) uses a set of environment +variables to configure Elasticsearch output: + +Variable | Default | Description +-------- | ------- | ----------- +ELASTICSEARCH_HOST | elasticsearch | Elasticsearch host +ELASTICSEARCH_PORT | 9200 | Elasticsearch port +ELASTICSEARCH_USERNAME | elastic | Elasticsearch username for HTTP auth +ELASTICSEARCH_PASSWORD | changeme | Elasticsearch password + +If there is an existing `elasticsearch` service in the kubernetes cluster these +defaults will use it. diff --git a/deploy/kubernetes/heartbeat/heartbeat-configmap.yaml b/deploy/kubernetes/heartbeat/heartbeat-configmap.yaml new file mode 100644 index 00000000000..639ad28ae2b --- /dev/null +++ b/deploy/kubernetes/heartbeat/heartbeat-configmap.yaml @@ -0,0 +1,53 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: heartbeat-deployment-config + namespace: kube-system + labels: + k8s-app: heartbeat +data: + heartbeat.yml: |- + #heartbeat.autodiscover: + # # Autodiscover pods + # providers: + # - type: kubernetes + # resource: pod + # scope: cluster + # node: ${NODE_NAME} + # hints.enabled: true + # + # # Autodiscover services + # providers: + # - type: kubernetes + # resource: service + # scope: cluster + # node: ${NODE_NAME} + # hints.enabled: true + # + # # Autodiscover nodes + # providers: + # - type: kubernetes + # resource: node + # node: ${NODE_NAME} + # scope: cluster + # templates: + # # Example, check SSH port of all cluster nodes: + # - condition: ~ + # config: + # - hosts: + # - ${data.host}:22 + # name: ${data.kubernetes.node.name} + # schedule: '@every 10s' + # timeout: 5s + # type: tcp + + processors: + - add_cloud_metadata: + + cloud.id: ${ELASTIC_CLOUD_ID} + cloud.auth: ${ELASTIC_CLOUD_AUTH} + + output.elasticsearch: + hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}'] + username: ${ELASTICSEARCH_USERNAME} + password: ${ELASTICSEARCH_PASSWORD} diff --git a/deploy/kubernetes/metricbeat/metricbeat-deployment.yaml b/deploy/kubernetes/heartbeat/heartbeat-deployment.yaml similarity index 65% rename from deploy/kubernetes/metricbeat/metricbeat-deployment.yaml rename to deploy/kubernetes/heartbeat/heartbeat-deployment.yaml index 0e11187cac3..3f7a471b457 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-deployment.yaml +++ b/deploy/kubernetes/heartbeat/heartbeat-deployment.yaml @@ -2,27 +2,27 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: metricbeat + name: heartbeat namespace: kube-system labels: - k8s-app: metricbeat + k8s-app: heartbeat spec: selector: matchLabels: - k8s-app: metricbeat + k8s-app: heartbeat template: metadata: labels: - k8s-app: metricbeat + k8s-app: heartbeat spec: - serviceAccountName: metricbeat + serviceAccountName: heartbeat hostNetwork: true dnsPolicy: ClusterFirstWithHostNet containers: - - name: metricbeat - image: docker.elastic.co/beats/metricbeat:%VERSION% + - name: heartbeat + image: docker.elastic.co/beats/heartbeat:%VERSION% args: [ - "-c", "/etc/metricbeat.yml", + "-c", "/etc/heartbeat.yml", "-e", ] env: @@ -52,18 +52,18 @@ spec: memory: 100Mi volumeMounts: - name: config - mountPath: /etc/metricbeat.yml - readOnly: true - subPath: metricbeat.yml - - name: modules - mountPath: /usr/share/metricbeat/modules.d + mountPath: /etc/heartbeat.yml readOnly: true + subPath: heartbeat.yml + - name: data + mountPath: /usr/share/heartbeat/data volumes: - name: config configMap: - defaultMode: 0640 - name: metricbeat-deployment-config - - name: modules - configMap: - defaultMode: 0640 - name: metricbeat-deployment-modules + defaultMode: 0600 + name: heartbeat-deployment-config + - name: data + hostPath: + path: /var/lib/heartbeat-data + type: DirectoryOrCreate + diff --git a/deploy/kubernetes/heartbeat/heartbeat-role-binding.yaml b/deploy/kubernetes/heartbeat/heartbeat-role-binding.yaml new file mode 100644 index 00000000000..5fe59dd56b8 --- /dev/null +++ b/deploy/kubernetes/heartbeat/heartbeat-role-binding.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: heartbeat +subjects: +- kind: ServiceAccount + name: heartbeat + namespace: kube-system +roleRef: + kind: ClusterRole + name: heartbeat + apiGroup: rbac.authorization.k8s.io diff --git a/deploy/kubernetes/heartbeat/heartbeat-role.yaml b/deploy/kubernetes/heartbeat/heartbeat-role.yaml new file mode 100644 index 00000000000..50782d99aed --- /dev/null +++ b/deploy/kubernetes/heartbeat/heartbeat-role.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: heartbeat + labels: + k8s-app: heartbeat +rules: +- apiGroups: [""] + resources: + - nodes + - namespaces + - pods + verbs: ["get", "list", "watch"] diff --git a/deploy/kubernetes/heartbeat/heartbeat-service-account.yaml b/deploy/kubernetes/heartbeat/heartbeat-service-account.yaml new file mode 100644 index 00000000000..461c335e176 --- /dev/null +++ b/deploy/kubernetes/heartbeat/heartbeat-service-account.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: heartbeat + namespace: kube-system + labels: + k8s-app: heartbeat diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml index e0dc4064c63..4bc1976e40e 100644 --- a/deploy/kubernetes/metricbeat-kubernetes.yaml +++ b/deploy/kubernetes/metricbeat-kubernetes.yaml @@ -14,12 +14,42 @@ data: # Reload module configs as they change: reload.enabled: false - # To enable hints based autodiscover uncomment this: - #metricbeat.autodiscover: - # providers: - # - type: kubernetes - # node: ${NODE_NAME} - # hints.enabled: true + metricbeat.autodiscover: + providers: + - type: kubernetes + scope: cluster + node: ${NODE_NAME} + unique: true + templates: + - config: + - module: kubernetes + hosts: ["kube-state-metrics:8080"] + period: 10s + add_metadata: true + metricsets: + - state_node + - state_deployment + - state_daemonset + - state_replicaset + - state_pod + - state_container + - state_cronjob + - state_resourcequota + - state_statefulset + # Uncomment this to get k8s events: + #- event + - module: kubernetes + metricsets: + - apiserver + hosts: ["https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"] + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + ssl.certificate_authorities: + - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + period: 30s + # To enable hints based autodiscover uncomment this: + #- type: kubernetes + # node: ${NODE_NAME} + # hints.enabled: true processors: - add_cloud_metadata: @@ -189,135 +219,6 @@ spec: path: /var/lib/metricbeat-data type: DirectoryOrCreate --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: metricbeat-deployment-config - namespace: kube-system - labels: - k8s-app: metricbeat -data: - metricbeat.yml: |- - metricbeat.config.modules: - # Mounted `metricbeat-daemonset-modules` configmap: - path: ${path.config}/modules.d/*.yml - # Reload module configs as they change: - reload.enabled: false - - processors: - - add_cloud_metadata: - - cloud.id: ${ELASTIC_CLOUD_ID} - cloud.auth: ${ELASTIC_CLOUD_AUTH} - - output.elasticsearch: - hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}'] - username: ${ELASTICSEARCH_USERNAME} - password: ${ELASTICSEARCH_PASSWORD} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: metricbeat-deployment-modules - namespace: kube-system - labels: - k8s-app: metricbeat -data: - # This module requires `kube-state-metrics` up and running under `kube-system` namespace - kubernetes.yml: |- - - module: kubernetes - metricsets: - - state_node - - state_deployment - - state_replicaset - - state_pod - - state_container - - state_cronjob - - state_resourcequota - # Uncomment this to get k8s events: - #- event - period: 10s - host: ${NODE_NAME} - hosts: ["kube-state-metrics:8080"] - #- module: kubernetes - # metricsets: - # - apiserver - # hosts: ["https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"] - # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - # ssl.certificate_authorities: - # - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - # period: 30s ---- -# Deploy singleton instance in the whole cluster for some unique data sources, like kube-state-metrics -apiVersion: apps/v1 -kind: Deployment -metadata: - name: metricbeat - namespace: kube-system - labels: - k8s-app: metricbeat -spec: - selector: - matchLabels: - k8s-app: metricbeat - template: - metadata: - labels: - k8s-app: metricbeat - spec: - serviceAccountName: metricbeat - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - containers: - - name: metricbeat - image: docker.elastic.co/beats/metricbeat:8.0.0 - args: [ - "-c", "/etc/metricbeat.yml", - "-e", - ] - env: - - name: ELASTICSEARCH_HOST - value: elasticsearch - - name: ELASTICSEARCH_PORT - value: "9200" - - name: ELASTICSEARCH_USERNAME - value: elastic - - name: ELASTICSEARCH_PASSWORD - value: changeme - - name: ELASTIC_CLOUD_ID - value: - - name: ELASTIC_CLOUD_AUTH - value: - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - securityContext: - runAsUser: 0 - resources: - limits: - memory: 200Mi - requests: - cpu: 100m - memory: 100Mi - volumeMounts: - - name: config - mountPath: /etc/metricbeat.yml - readOnly: true - subPath: metricbeat.yml - - name: modules - mountPath: /usr/share/metricbeat/modules.d - readOnly: true - volumes: - - name: config - configMap: - defaultMode: 0640 - name: metricbeat-deployment-config - - name: modules - configMap: - defaultMode: 0640 - name: metricbeat-deployment-modules ---- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -345,6 +246,7 @@ rules: - events - pods - secrets + - services verbs: ["get", "list", "watch"] - apiGroups: ["extensions"] resources: @@ -366,6 +268,12 @@ rules: - "/metrics" verbs: - get +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - '*' --- apiVersion: v1 kind: ServiceAccount diff --git a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml index a244dda551a..98fffb86ad0 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml +++ b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml @@ -14,12 +14,42 @@ data: # Reload module configs as they change: reload.enabled: false - # To enable hints based autodiscover uncomment this: - #metricbeat.autodiscover: - # providers: - # - type: kubernetes - # node: ${NODE_NAME} - # hints.enabled: true + metricbeat.autodiscover: + providers: + - type: kubernetes + scope: cluster + node: ${NODE_NAME} + unique: true + templates: + - config: + - module: kubernetes + hosts: ["kube-state-metrics:8080"] + period: 10s + add_metadata: true + metricsets: + - state_node + - state_deployment + - state_daemonset + - state_replicaset + - state_pod + - state_container + - state_cronjob + - state_resourcequota + - state_statefulset + # Uncomment this to get k8s events: + #- event + - module: kubernetes + metricsets: + - apiserver + hosts: ["https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"] + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + ssl.certificate_authorities: + - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + period: 30s + # To enable hints based autodiscover uncomment this: + #- type: kubernetes + # node: ${NODE_NAME} + # hints.enabled: true processors: - add_cloud_metadata: diff --git a/deploy/kubernetes/metricbeat/metricbeat-deployment-configmap.yaml b/deploy/kubernetes/metricbeat/metricbeat-deployment-configmap.yaml deleted file mode 100644 index b7760db7169..00000000000 --- a/deploy/kubernetes/metricbeat/metricbeat-deployment-configmap.yaml +++ /dev/null @@ -1,58 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: metricbeat-deployment-config - namespace: kube-system - labels: - k8s-app: metricbeat -data: - metricbeat.yml: |- - metricbeat.config.modules: - # Mounted `metricbeat-daemonset-modules` configmap: - path: ${path.config}/modules.d/*.yml - # Reload module configs as they change: - reload.enabled: false - - processors: - - add_cloud_metadata: - - cloud.id: ${ELASTIC_CLOUD_ID} - cloud.auth: ${ELASTIC_CLOUD_AUTH} - - output.elasticsearch: - hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}'] - username: ${ELASTICSEARCH_USERNAME} - password: ${ELASTICSEARCH_PASSWORD} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: metricbeat-deployment-modules - namespace: kube-system - labels: - k8s-app: metricbeat -data: - # This module requires `kube-state-metrics` up and running under `kube-system` namespace - kubernetes.yml: |- - - module: kubernetes - metricsets: - - state_node - - state_deployment - - state_replicaset - - state_pod - - state_container - - state_cronjob - - state_resourcequota - # Uncomment this to get k8s events: - #- event - period: 10s - host: ${NODE_NAME} - hosts: ["kube-state-metrics:8080"] - #- module: kubernetes - # metricsets: - # - apiserver - # hosts: ["https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"] - # bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - # ssl.certificate_authorities: - # - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - # period: 30s diff --git a/deploy/kubernetes/metricbeat/metricbeat-role.yaml b/deploy/kubernetes/metricbeat/metricbeat-role.yaml index 152f9c4e9de..f6253ad6d1a 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-role.yaml +++ b/deploy/kubernetes/metricbeat/metricbeat-role.yaml @@ -12,6 +12,7 @@ rules: - events - pods - secrets + - services verbs: ["get", "list", "watch"] - apiGroups: ["extensions"] resources: @@ -33,3 +34,9 @@ rules: - "/metrics" verbs: - get +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - '*' diff --git a/dev-tools/cmd/dashboards/export_5x_dashboards.py b/dev-tools/cmd/dashboards/export_5x_dashboards.py index 31e4cd9670d..2e657d26894 100644 --- a/dev-tools/cmd/dashboards/export_5x_dashboards.py +++ b/dev-tools/cmd/dashboards/export_5x_dashboards.py @@ -13,7 +13,7 @@ def ExportDashboards(es, regex, kibana_index, output_directory): try: reg_exp = re.compile(regex, re.IGNORECASE) - except: + except BaseException: print("Wrong regex {}".format(regex)) return diff --git a/dev-tools/mage/check.go b/dev-tools/mage/check.go index 196eba36d48..2a195a41c7d 100644 --- a/dev-tools/mage/check.go +++ b/dev-tools/mage/check.go @@ -43,12 +43,12 @@ import ( // if it finds any modifications. If executed in in verbose mode it will write // the results of 'git diff' to stdout to indicate what changes have been made. // -// It checks the file permissions of nosetests test cases and YAML files. +// It checks the file permissions of python test cases and YAML files. // It checks .go source files using 'go vet'. func Check() error { fmt.Println(">> check: Checking source code for common problems") - mg.Deps(GoVet, CheckNosetestsNotExecutable, CheckYAMLNotExecutable, CheckDashboardsFormat) + mg.Deps(GoVet, CheckPythonTestNotExecutable, CheckYAMLNotExecutable, CheckDashboardsFormat) changes, err := GitDiffIndex() if err != nil { @@ -124,16 +124,15 @@ func GitDiff() error { return err } -// CheckNosetestsNotExecutable checks that none of the nosetests files are -// executable. Nosetests silently skips executable .py files and we don't want -// this to happen. -func CheckNosetestsNotExecutable() error { +// CheckPythonTestNotExecutable checks that none of the python test files are +// executable. They are silently skipped and we don't want this to happen. +func CheckPythonTestNotExecutable() error { if runtime.GOOS == "windows" { // Skip windows because it doesn't have POSIX permissions. return nil } - tests, err := FindFiles(nosetestsTestFiles...) + tests, err := FindFiles(pythonTestFiles...) if err != nil { return err } @@ -151,7 +150,7 @@ func CheckNosetestsNotExecutable() error { } if len(executableTestFiles) > 0 { - return errors.Errorf("nosetests files cannot be executable because "+ + return errors.Errorf("python test files cannot be executable because "+ "they will be skipped. Fix permissions of %v", executableTestFiles) } return nil diff --git a/dev-tools/mage/config.go b/dev-tools/mage/config.go index 677b307926f..da54123e916 100644 --- a/dev-tools/mage/config.go +++ b/dev-tools/mage/config.go @@ -18,10 +18,12 @@ package mage import ( + "bytes" "fmt" "io/ioutil" "os" "path/filepath" + "regexp" "sort" "strings" "text/template" @@ -160,14 +162,26 @@ func makeConfigTemplate(destination string, mode os.FileMode, confParams ConfigF "ExcludeDashboards": false, } params = joinMaps(params, confParams.ExtraVars, tmplParams) + tmpl := template.New("config").Option("missingkey=error") funcs := joinMaps(FuncMap, template.FuncMap{ "header": header, "subheader": subheader, + "indent": indent, + // include is necessary because you cannot pipe 'template' to a function + // since 'template' is an action. This allows you to include a + // template and indent it (e.g. {{ include "x.tmpl" . | indent 4 }}). + "include": func(name string, data interface{}) (string, error) { + buf := bytes.NewBuffer(nil) + if err := tmpl.ExecuteTemplate(buf, name, data); err != nil { + return "", err + } + return buf.String(), nil + }, }) + tmpl = tmpl.Funcs(funcs) fmt.Printf(">> Building %v for %v/%v\n", destination, params["GOOS"], params["GOARCH"]) var err error - tmpl := template.New("config").Option("missingkey=error").Funcs(funcs) for _, templateGlob := range confParams.Templates { if tmpl, err = tmpl.ParseGlob(templateGlob); err != nil { return errors.Wrapf(err, "failed to parse config templates in %q", templateGlob) @@ -205,6 +219,14 @@ func subheader(title string) string { return makeHeading(title, "-") } +var nonWhitespaceRegex = regexp.MustCompile(`(?m)(^.*\S.*$)`) + +// indent pads all non-whitespace lines with the number of spaces specified. +func indent(spaces int, content string) string { + pad := strings.Repeat(" ", spaces) + return nonWhitespaceRegex.ReplaceAllString(content, pad+"$1") +} + func makeHeading(title, separator string) string { const line = 80 leftEquals := (line - len("# ") - len(title) - 2*len(" ")) / 2 diff --git a/dev-tools/mage/crossbuild.go b/dev-tools/mage/crossbuild.go index 6a11f7666cd..4340c7fdb4e 100644 --- a/dev-tools/mage/crossbuild.go +++ b/dev-tools/mage/crossbuild.go @@ -173,7 +173,7 @@ func CrossBuildXPack(options ...CrossBuildOption) error { // values for Docker. It has the benefit of speeding up the build because the // mage -compile is done only once rather than in each Docker container. func buildMage() error { - return sh.Run("mage", "-f", "-goos=linux", "-goarch=amd64", + return sh.RunWith(map[string]string{"CGO_ENABLED": "0"}, "mage", "-f", "-goos=linux", "-goarch=amd64", "-compile", CreateDir(filepath.Join("build", "mage-linux-amd64"))) } @@ -267,6 +267,7 @@ func (b GolangCrossBuilder) Build() error { "--env", "MAGEFILE_VERBOSE="+verbose, "--env", "MAGEFILE_TIMEOUT="+EnvOr("MAGEFILE_TIMEOUT", ""), "--env", fmt.Sprintf("SNAPSHOT=%v", Snapshot), + "--env", fmt.Sprintf("DEV=%v", DevBuild), "-v", repoInfo.RootDir+":"+mountPoint, "-w", workDir, image, diff --git a/dev-tools/mage/dmgbuilder.go b/dev-tools/mage/dmgbuilder.go index c04a5eea6f7..47a1125a5a6 100644 --- a/dev-tools/mage/dmgbuilder.go +++ b/dev-tools/mage/dmgbuilder.go @@ -109,8 +109,16 @@ func (b *dmgBuilder) buildBeatPkg() error { // Copy files into the packaging root and set their mode. for _, f := range b.Files { + if f.Symlink { + // not supported, handling symlink in post/pre install scripts + continue + } + target := filepath.Join(beatPkgRoot, f.Target) if err := Copy(f.Source, target); err != nil { + if f.SkipOnMissing && errors.Is(err, os.ErrNotExist) { + continue + } return err } diff --git a/dev-tools/mage/dockerbuilder.go b/dev-tools/mage/dockerbuilder.go index adc30aabfd7..90a99434884 100644 --- a/dev-tools/mage/dockerbuilder.go +++ b/dev-tools/mage/dockerbuilder.go @@ -102,6 +102,9 @@ func (b *dockerBuilder) copyFiles() error { for _, f := range b.Files { target := filepath.Join(b.beatDir, f.Target) if err := Copy(f.Source, target); err != nil { + if f.SkipOnMissing && errors.Is(err, os.ErrNotExist) { + continue + } return errors.Wrapf(err, "failed to copy from %s to %s", f.Source, target) } } @@ -148,19 +151,14 @@ func isDockerFile(path string) bool { } func (b *dockerBuilder) expandDockerfile(templatesDir string, data map[string]interface{}) error { - // has specific dockerfile - dockerfile := fmt.Sprintf("Dockerfile.%s.tmpl", b.imageName) - _, err := os.Stat(filepath.Join(templatesDir, dockerfile)) - if err != nil { - // specific missing fallback to generic - dockerfile = "Dockerfile.tmpl" + dockerfile := "Dockerfile.tmpl" + if f, found := b.ExtraVars["dockerfile"]; found { + dockerfile = f } - entrypoint := fmt.Sprintf("docker-entrypoint.%s.tmpl", b.imageName) - _, err = os.Stat(filepath.Join(templatesDir, entrypoint)) - if err != nil { - // specific missing fallback to generic - entrypoint = "docker-entrypoint.tmpl" + entrypoint := "docker-entrypoint.tmpl" + if e, found := b.ExtraVars["docker_entrypoint"]; found { + entrypoint = e } type fileExpansion struct { @@ -173,7 +171,7 @@ func (b *dockerBuilder) expandDockerfile(templatesDir string, data map[string]in ".tmpl", ) path := filepath.Join(templatesDir, file.source) - err = b.ExpandFile(path, target, data) + err := b.ExpandFile(path, target, data) if err != nil { return errors.Wrapf(err, "expanding template '%s' to '%s'", path, target) } diff --git a/dev-tools/mage/gotool/go.go b/dev-tools/mage/gotool/go.go index 9022e0c0137..bb7066a4f3e 100644 --- a/dev-tools/mage/gotool/go.go +++ b/dev-tools/mage/gotool/go.go @@ -85,6 +85,25 @@ func ListDeps(pkg string) ([]string, error) { return getLines(callGo(nil, "list", "-deps", "-f", tmpl, pkg)) } +// ListDepsLocation calls `go list -dep` for every package spec given. +func ListDepsLocation(pkg string) (map[string]string, error) { + const tmpl = `{{if not .Standard}}{{.ImportPath}};{{.Dir}}{{end}}` + + lines, err := getLines(callGo(nil, "list", "-deps", "-f", tmpl, pkg)) + if err != nil { + return nil, err + } + deps := make(map[string]string, len(lines)) + for _, l := range lines { + parts := strings.Split(l, ";") + if len(parts) != 2 { + return nil, fmt.Errorf("invalid number of parts") + } + deps[parts[0]] = parts[1] + } + return deps, nil +} + // ListTestFiles lists all go and cgo test files available in a package. func ListTestFiles(pkg string) ([]string, error) { const tmpl = `{{ range .TestGoFiles }}{{ printf "%s\n" . }}{{ end }}` + diff --git a/dev-tools/mage/install.go b/dev-tools/mage/install.go index 5220eb25be3..ec3607f0ec0 100644 --- a/dev-tools/mage/install.go +++ b/dev-tools/mage/install.go @@ -37,7 +37,7 @@ func InstallVendored(importPath string) error { // InstallGoLicenser target installs go-licenser func InstallGoLicenser() error { - return gotool.Get( - gotool.Get.Package(GoLicenserImportPath), + return gotool.Install( + gotool.Install.Package(GoLicenserImportPath), ) } diff --git a/dev-tools/mage/integtest.go b/dev-tools/mage/integtest.go index 396c010dbc2..16321fa9032 100644 --- a/dev-tools/mage/integtest.go +++ b/dev-tools/mage/integtest.go @@ -213,7 +213,7 @@ func NewIntegrationRunners(path string, passInEnv map[string]string) (Integratio return runners, nil } -// NewDockerIntegrationRunner returns an intergration runner configured only for docker. +// NewDockerIntegrationRunner returns an integration runner configured only for docker. func NewDockerIntegrationRunner(passThroughEnvVars ...string) (*IntegrationRunner, error) { cwd, err := os.Getwd() if err != nil { diff --git a/dev-tools/mage/integtest_docker.go b/dev-tools/mage/integtest_docker.go index afc05a16dc1..2ed09db711e 100644 --- a/dev-tools/mage/integtest_docker.go +++ b/dev-tools/mage/integtest_docker.go @@ -19,8 +19,10 @@ package mage import ( "fmt" + "go/build" "io/ioutil" "os" + "path" "path/filepath" "runtime" "strings" @@ -93,6 +95,8 @@ func (d *DockerIntegrationTester) Test(_ string, mageTarget string, env map[stri dockerRepoRoot := filepath.Join("/go/src", repo.CanonicalRootImportPath) dockerGoCache := filepath.Join(dockerRepoRoot, "build/docker-gocache") magePath := filepath.Join("/go/src", repo.CanonicalRootImportPath, repo.SubDir, "build/mage-linux-amd64") + goPkgCache := filepath.Join(filepath.SplitList(build.Default.GOPATH)[0], "pkg/mod/cache/download") + dockerGoPkgCache := "/gocache" // Execute the inside of docker-compose. args := []string{"-p", dockerComposeProjectName(), "run", @@ -104,6 +108,9 @@ func (d *DockerIntegrationTester) Test(_ string, mageTarget string, env map[stri "-e", "STACK_ENVIRONMENT=" + StackEnvironment, "-e", "TESTING_ENVIRONMENT=" + StackEnvironment, "-e", "GOCACHE=" + dockerGoCache, + // Use the host machine's pkg cache to minimize external downloads. + "-v", goPkgCache + ":" + dockerGoPkgCache + ":ro", + "-e", "GOPROXY=file://" + dockerGoPkgCache + ",direct", } args, err = addUidGidEnvArgs(args) if err != nil { @@ -156,6 +163,13 @@ func (d *DockerIntegrationTester) Test(_ string, mageTarget string, env map[stri func (d *DockerIntegrationTester) InsideTest(test func() error) error { // Fix file permissions after test is done writing files as root. if runtime.GOOS != "windows" { + repo, err := GetProjectRepoInfo() + if err != nil { + return err + } + + // Handle virtualenv and the current project dir. + defer DockerChown(path.Join(repo.RootDir, "build")) defer DockerChown(".") } return test() diff --git a/dev-tools/mage/kubernetes/kind.go b/dev-tools/mage/kubernetes/kind.go index d74191e88cd..c61c302b39b 100644 --- a/dev-tools/mage/kubernetes/kind.go +++ b/dev-tools/mage/kubernetes/kind.go @@ -65,7 +65,7 @@ func (m *KindIntegrationTestStep) Setup(env map[string]string) error { return nil } - clusterName := kubernetesPodName() + clusterName := kubernetesClusterName() stdOut := ioutil.Discard stdErr := ioutil.Discard if mg.Verbose() { diff --git a/dev-tools/mage/kubernetes/kubernetes.go b/dev-tools/mage/kubernetes/kubernetes.go index e63166dabe9..9b25f316b2c 100644 --- a/dev-tools/mage/kubernetes/kubernetes.go +++ b/dev-tools/mage/kubernetes/kubernetes.go @@ -24,6 +24,7 @@ import ( "log" "os" "path/filepath" + "regexp" "strings" "time" @@ -132,7 +133,7 @@ func (d *KubernetesIntegrationTester) Test(dir string, mageTarget string, env ma destDir := filepath.Join("/go/src", repo.CanonicalRootImportPath) workDir := filepath.Join(destDir, repo.SubDir) - remote, err := NewKubeRemote(kubeConfig, "default", kubernetesPodName(), workDir, destDir, repo.RootDir) + remote, err := NewKubeRemote(kubeConfig, "default", kubernetesClusterName(), workDir, destDir, repo.RootDir) if err != nil { return err } @@ -172,8 +173,8 @@ func waitKubeStateMetricsReadiness(env map[string]string, stdOut, stdErr io.Writ return nil } -// kubernetesPodName returns the pod name to use with kubernetes. -func kubernetesPodName() string { +// kubernetesClusterName generates a name for the Kubernetes cluster. +func kubernetesClusterName() string { commit, err := mage.CommitHash() if err != nil { panic(errors.Wrap(err, "failed to construct kind cluster name")) @@ -183,13 +184,29 @@ func kubernetesPodName() string { if err != nil { panic(errors.Wrap(err, "failed to construct kind cluster name")) } - version = strings.NewReplacer(".", "_").Replace(version) + version = strings.NewReplacer(".", "-").Replace(version) - clusterName := "{{.BeatName}}_{{.Version}}_{{.ShortCommit}}-{{.StackEnvironment}}" + clusterName := "{{.BeatName}}-{{.Version}}-{{.ShortCommit}}-{{.StackEnvironment}}" clusterName = mage.MustExpand(clusterName, map[string]interface{}{ "StackEnvironment": mage.StackEnvironment, "ShortCommit": commit[:10], "Version": version, }) + + // The cluster name may be used as a component of Kubernetes resource names. + // kind does this, for example. + // + // Since Kubernetes resources are required to have names that are valid DNS + // names, we should ensure that the cluster name also meets this criterion. + subDomainPattern := `^[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?$` + // Note that underscores, in particular, are not permitted. + matched, err := regexp.MatchString(subDomainPattern, clusterName) + if err != nil { + panic(errors.Wrap(err, "error while validating kind cluster name")) + } + if !matched { + panic("constructed invalid kind cluster name") + } + return clusterName } diff --git a/dev-tools/mage/pkg.go b/dev-tools/mage/pkg.go index 7a9f4926bb4..4ecdec89d39 100644 --- a/dev-tools/mage/pkg.go +++ b/dev-tools/mage/pkg.go @@ -20,6 +20,7 @@ package mage import ( "fmt" "log" + "os" "runtime" "strconv" @@ -71,6 +72,8 @@ func Package() error { continue } + agentPackageDrop, _ := os.LookupEnv("AGENT_DROP_PATH") + spec := pkg.Spec.Clone() spec.OS = target.GOOS() spec.Arch = packageArch @@ -83,6 +86,7 @@ func Package() error { "AgentArchName": agentPackageArch, "PackageType": pkgType.String(), "BinaryExt": binaryExtension(target.GOOS()), + "AgentDropPath": agentPackageDrop, } spec.packageDir, err = pkgType.PackagingDir(packageStagingDir, target, spec) diff --git a/dev-tools/mage/pkgtypes.go b/dev-tools/mage/pkgtypes.go index 82fea52376c..b7f7c7bbbee 100644 --- a/dev-tools/mage/pkgtypes.go +++ b/dev-tools/mage/pkgtypes.go @@ -98,15 +98,17 @@ type PackageSpec struct { // PackageFile represents a file or directory within a package. type PackageFile struct { - Source string `yaml:"source,omitempty"` // Regular source file or directory. - Content string `yaml:"content,omitempty"` // Inline template string. - Template string `yaml:"template,omitempty"` // Input template file. - Target string `yaml:"target,omitempty"` // Target location in package. Relative paths are added to a package specific directory (e.g. metricbeat-7.0.0-linux-x86_64). - Mode os.FileMode `yaml:"mode,omitempty"` // Target mode for file. Does not apply when source is a directory. - Config bool `yaml:"config"` // Mark file as config in the package (deb and rpm only). - Modules bool `yaml:"modules"` // Mark directory as directory with modules. - Dep func(PackageSpec) error `yaml:"-" hash:"-" json:"-"` // Dependency to invoke during Evaluate. - Owner string `yaml:"owner,omitempty"` // File Owner, for user and group name (rpm only). + Source string `yaml:"source,omitempty"` // Regular source file or directory. + Content string `yaml:"content,omitempty"` // Inline template string. + Template string `yaml:"template,omitempty"` // Input template file. + Target string `yaml:"target,omitempty"` // Target location in package. Relative paths are added to a package specific directory (e.g. metricbeat-7.0.0-linux-x86_64). + Mode os.FileMode `yaml:"mode,omitempty"` // Target mode for file. Does not apply when source is a directory. + Config bool `yaml:"config"` // Mark file as config in the package (deb and rpm only). + Modules bool `yaml:"modules"` // Mark directory as directory with modules. + Dep func(PackageSpec) error `yaml:"-" hash:"-" json:"-"` // Dependency to invoke during Evaluate. + Owner string `yaml:"owner,omitempty"` // File Owner, for user and group name (rpm only). + SkipOnMissing bool `yaml:"skip_on_missing,omitempty"` // Prevents build failure if the file is missing. + Symlink bool `yaml:"symlink"` // Symlink marks file as a symlink pointing from target to source. } // OSArchNames defines the names of architectures for use in packages. @@ -475,6 +477,10 @@ func copyInstallScript(spec PackageSpec, script string, local *string) error { *local = strings.TrimSuffix(*local, ".tmpl") } + if strings.HasSuffix(*local, "."+spec.Name) { + *local = strings.TrimSuffix(*local, "."+spec.Name) + } + if err := spec.ExpandFile(script, createDir(*local)); err != nil { return errors.Wrap(err, "failed to copy install script to package dir") } @@ -538,6 +544,11 @@ func PackageZip(spec PackageSpec) error { // Add files to zip. for _, pkgFile := range spec.Files { + if pkgFile.Symlink { + // not supported on zip archives + continue + } + if err := addFileToZip(w, baseDir, pkgFile); err != nil { p, _ := filepath.Abs(pkgFile.Source) return errors.Wrapf(err, "failed adding file=%+v to zip", p) @@ -583,11 +594,32 @@ func PackageTarGz(spec PackageSpec) error { // Add files to tar. for _, pkgFile := range spec.Files { + if pkgFile.Symlink { + continue + } + if err := addFileToTar(w, baseDir, pkgFile); err != nil { return errors.Wrapf(err, "failed adding file=%+v to tar", pkgFile) } } + // same for symlinks so they can point to files in tar + for _, pkgFile := range spec.Files { + if !pkgFile.Symlink { + continue + } + + tmpdir, err := ioutil.TempDir("", "TmpSymlinkDropPath") + if err != nil { + return err + } + defer os.RemoveAll(tmpdir) + + if err := addSymlinkToTar(tmpdir, w, baseDir, pkgFile); err != nil { + return errors.Wrapf(err, "failed adding file=%+v to tar", pkgFile) + } + } + if err := w.Close(); err != nil { return err } @@ -758,6 +790,10 @@ func addUidGidEnvArgs(args []string) ([]string, error) { func addFileToZip(ar *zip.Writer, baseDir string, pkgFile PackageFile) error { return filepath.Walk(pkgFile.Source, func(path string, info os.FileInfo, err error) error { if err != nil { + if pkgFile.SkipOnMissing && os.IsNotExist(err) { + return nil + } + return err } @@ -819,6 +855,10 @@ func addFileToZip(ar *zip.Writer, baseDir string, pkgFile PackageFile) error { func addFileToTar(ar *tar.Writer, baseDir string, pkgFile PackageFile) error { return filepath.Walk(pkgFile.Source, func(path string, info os.FileInfo, err error) error { if err != nil { + if pkgFile.SkipOnMissing && os.IsNotExist(err) { + return nil + } + return err } @@ -873,6 +913,56 @@ func addFileToTar(ar *tar.Writer, baseDir string, pkgFile PackageFile) error { }) } +// addSymlinkToTar adds a symlink file to a tar archive. +func addSymlinkToTar(tmpdir string, ar *tar.Writer, baseDir string, pkgFile PackageFile) error { + // create symlink we can work with later, header will be updated later + link := filepath.Join(tmpdir, "link") + target := tmpdir + if err := os.Symlink(target, link); err != nil { + return err + } + + return filepath.Walk(link, func(path string, info os.FileInfo, err error) error { + if err != nil { + if pkgFile.SkipOnMissing && os.IsNotExist(err) { + return nil + } + + return err + } + + header, err := tar.FileInfoHeader(info, info.Name()) + if err != nil { + return err + } + header.Uname, header.Gname = "root", "root" + header.Uid, header.Gid = 0, 0 + + if info.Mode().IsRegular() && pkgFile.Mode > 0 { + header.Mode = int64(pkgFile.Mode & os.ModePerm) + } else if info.IsDir() { + header.Mode = int64(0755) + } + + header.Name = filepath.Join(baseDir, pkgFile.Target) + if filepath.IsAbs(pkgFile.Target) { + header.Name = pkgFile.Target + } + + header.Linkname = pkgFile.Source + header.Typeflag = tar.TypeSymlink + + if mg.Verbose() { + log.Println("Adding", os.FileMode(header.Mode), header.Name) + } + if err := ar.WriteHeader(header); err != nil { + return err + } + + return nil + }) +} + // PackageDMG packages the Beat into a .dmg file containing an installer pkg // and uninstaller app. func PackageDMG(spec PackageSpec) error { diff --git a/dev-tools/mage/pytest.go b/dev-tools/mage/pytest.go index 9c15e1f7e5f..e562fdef95b 100644 --- a/dev-tools/mage/pytest.go +++ b/dev-tools/mage/pytest.go @@ -56,7 +56,7 @@ var ( pythonVirtualenvLock sync.Mutex // More globs may be needed in the future if tests are added in more places. - nosetestsTestFiles = []string{ + pythonTestFiles = []string{ "tests/system/test_*.py", "module/*/test_*.py", "module/*/*/test_*.py", @@ -77,11 +77,11 @@ func init() { } // PythonTestArgs are the arguments used for the "python*Test" targets and they -// define how "nosetests" is invoked. +// define how python tests are invoked. type PythonTestArgs struct { TestName string // Test name used in logging. Env map[string]string // Env vars to add to the current env. - Files []string // Globs used by nosetests to find tests. + Files []string // Globs used to find tests. XUnitReportFile string // File to write the XUnit XML test report to. CoverageProfileFile string // Test coverage profile file. } @@ -109,8 +109,8 @@ func DefaultPythonTestUnitArgs() PythonTestArgs { return makePythonTestArgs("Uni // checking for INTEGRATION_TEST=1 in the test code. func DefaultPythonTestIntegrationArgs() PythonTestArgs { return makePythonTestArgs("Integration") } -// PythonNoseTest invokes "nosetests" via a Python virtualenv. -func PythonNoseTest(params PythonTestArgs) error { +// PythonTest executes python tests via a Python virtualenv. +func PythonTest(params PythonTestArgs) error { fmt.Println(">> python test:", params.TestName, "Testing") ve, err := PythonVirtualenv() @@ -118,32 +118,31 @@ func PythonNoseTest(params PythonTestArgs) error { return err } - nosetestsEnv := map[string]string{ + pytestEnv := map[string]string{ // activate sets this. Not sure if it's ever needed. "VIRTUAL_ENV": ve, } if IsInIntegTestEnv() { - nosetestsEnv["INTEGRATION_TESTS"] = "1" + pytestEnv["INTEGRATION_TESTS"] = "1" } for k, v := range params.Env { - nosetestsEnv[k] = v + pytestEnv[k] = v } - nosetestsOptions := []string{ - "--process-timeout=90", - "--with-timer", + pytestOptions := []string{ + "--timeout=90", + "--durations=20", } if mg.Verbose() { - nosetestsOptions = append(nosetestsOptions, "-v") + pytestOptions = append(pytestOptions, "-v") } if params.XUnitReportFile != "" { - nosetestsOptions = append(nosetestsOptions, - "--with-xunit", - "--xunit-file="+createDir(params.XUnitReportFile), + pytestOptions = append(pytestOptions, + "--junit-xml="+createDir(params.XUnitReportFile), ) } - files := nosetestsTestFiles + files := pythonTestFiles if len(params.Files) > 0 { files = params.Files } @@ -159,23 +158,23 @@ func PythonNoseTest(params PythonTestArgs) error { // We check both the VE and the normal PATH because on Windows if the // requirements are met by the globally installed package they are not // installed to the VE. - nosetestsPath, err := LookVirtualenvPath(ve, "nosetests") + pytestPath, err := LookVirtualenvPath(ve, "pytest") if err != nil { return err } defer fmt.Println(">> python test:", params.TestName, "Testing Complete") - _, err = sh.Exec(nosetestsEnv, os.Stdout, os.Stderr, nosetestsPath, append(nosetestsOptions, testFiles...)...) + _, err = sh.Exec(pytestEnv, os.Stdout, os.Stderr, pytestPath, append(pytestOptions, testFiles...)...) return err // TODO: Aggregate all the individual code coverage reports and generate // and HTML report. } -// PythonNoseTestForModule executes python system tests for modules. +// PythonTestForModule executes python system tests for modules. // // Use `MODULE=module` to run only tests for `module`. -func PythonNoseTestForModule(params PythonTestArgs) error { +func PythonTestForModule(params PythonTestArgs) error { if module := EnvOr("MODULE", ""); module != "" { params.Files = []string{ fmt.Sprintf("module/%s/test_*.py", module), @@ -183,12 +182,12 @@ func PythonNoseTestForModule(params PythonTestArgs) error { } params.TestName += "-" + module } - return PythonNoseTest(params) + return PythonTest(params) } // PythonVirtualenv constructs a virtualenv that contains the given modules as // defined in the requirements file pointed to by requirementsTxt. It returns -// the path to the virutalenv. +// the path to the virtualenv. func PythonVirtualenv() (string, error) { pythonVirtualenvLock.Lock() defer pythonVirtualenvLock.Unlock() @@ -221,20 +220,28 @@ func PythonVirtualenv() (string, error) { } pip := virtualenvPath(ve, "pip") - args := []string{"install"} - if !mg.Verbose() { - args = append(args, "--quiet") + pipUpgrade := func(pkg string) error { + return sh.RunWith(env, pip, "install", "-U", pkg) } - for _, req := range reqs { - args = append(args, "-Ur", req) + + // Ensure we are using the latest pip version. + if err = pipUpgrade("pip"); err != nil { + fmt.Printf("warn: failed to upgrade pip (ignoring): %v", err) } // First ensure that wheel is installed so that bdists build cleanly. - if err = sh.RunWith(env, pip, "install", "-U", "wheel"); err != nil { + if err = pipUpgrade("wheel"); err != nil { return "", err } // Execute pip to install the dependencies. + args := []string{"install"} + if !mg.Verbose() { + args = append(args, "--quiet") + } + for _, req := range reqs { + args = append(args, "-Ur", req) + } if err := sh.RunWith(env, pip, args...); err != nil { return "", err } diff --git a/dev-tools/mage/settings.go b/dev-tools/mage/settings.go index 2473202648e..037d4838d03 100644 --- a/dev-tools/mage/settings.go +++ b/dev-tools/mage/settings.go @@ -77,6 +77,7 @@ var ( BeatProjectType ProjectType Snapshot bool + DevBuild bool versionQualified bool versionQualifier string @@ -85,12 +86,14 @@ var ( "beat_doc_branch": BeatDocBranch, "beat_version": BeatQualifiedVersion, "commit": CommitHash, + "commit_short": CommitHashShort, "date": BuildDate, "elastic_beats_dir": ElasticBeatsDir, "go_version": GoVersion, "repo": GetProjectRepoInfo, "title": strings.Title, "tolower": strings.ToLower, + "contains": strings.Contains, } ) @@ -115,6 +118,11 @@ func init() { panic(errors.Wrap(err, "failed to parse SNAPSHOT env value")) } + DevBuild, err = strconv.ParseBool(EnvOr("DEV", "false")) + if err != nil { + panic(errors.Wrap(err, "failed to parse DEV env value")) + } + versionQualifier, versionQualified = os.LookupEnv("VERSION_QUALIFIER") } @@ -163,6 +171,7 @@ func varMap(args ...map[string]interface{}) map[string]interface{} { "BeatURL": BeatURL, "BeatUser": BeatUser, "Snapshot": Snapshot, + "DEV": DevBuild, "Qualifier": versionQualifier, } @@ -238,6 +247,15 @@ func CommitHash() (string, error) { return commitHash, err } +// CommitHashShort returns the short length git commit hash. +func CommitHashShort() (string, error) { + shortHash, err := CommitHash() + if len(shortHash) > 6 { + shortHash = shortHash[:6] + } + return shortHash, err +} + var ( elasticBeatsDirValue string elasticBeatsDirErr error diff --git a/dev-tools/mage/target/integtest/integtest.go b/dev-tools/mage/target/integtest/integtest.go index 62d601cea6d..7b7cae52819 100644 --- a/dev-tools/mage/target/integtest/integtest.go +++ b/dev-tools/mage/target/integtest/integtest.go @@ -74,19 +74,18 @@ func GoIntegTest(ctx context.Context) error { // PythonIntegTest executes the python system tests in the integration // environment (Docker). -// Use NOSE_TESTMATCH=pattern to only run tests matching the specified pattern. -// Use any other NOSE_* environment variable to influence the behavior of -// nosetests. +// Use PYTEST_ADDOPTS="-k pattern" to only run tests matching the specified pattern. +// Use any other PYTEST_* environment variable to influence the behavior of pytest. func PythonIntegTest(ctx context.Context) error { if !devtools.IsInIntegTestEnv() { mg.SerialDeps(pythonTestDeps...) } - runner, err := devtools.NewDockerIntegrationRunner(append(whitelistedEnvVars, devtools.ListMatchingEnvVars("NOSE_")...)...) + runner, err := devtools.NewDockerIntegrationRunner(append(whitelistedEnvVars, devtools.ListMatchingEnvVars("PYTEST_")...)...) if err != nil { return err } return runner.Test("pythonIntegTest", func() error { mg.Deps(devtools.BuildSystemTestBinary) - return devtools.PythonNoseTest(devtools.DefaultPythonTestIntegrationArgs()) + return devtools.PythonTest(devtools.DefaultPythonTestIntegrationArgs()) }) } diff --git a/dev-tools/mage/target/unittest/unittest.go b/dev-tools/mage/target/unittest/unittest.go index 859849bac1e..891b5c23309 100644 --- a/dev-tools/mage/target/unittest/unittest.go +++ b/dev-tools/mage/target/unittest/unittest.go @@ -61,5 +61,5 @@ func GoUnitTest(ctx context.Context) error { func PythonUnitTest() error { mg.SerialDeps(pythonTestDeps...) mg.Deps(devtools.BuildSystemTestBinary) - return devtools.PythonNoseTest(devtools.DefaultPythonTestUnitArgs()) + return devtools.PythonTest(devtools.DefaultPythonTestUnitArgs()) } diff --git a/dev-tools/notice/overrides.json b/dev-tools/notice/overrides.json index 16c8447a13d..3ff25e285af 100644 --- a/dev-tools/notice/overrides.json +++ b/dev-tools/notice/overrides.json @@ -1,5 +1,5 @@ {"name": "github.com/elastic/elastic-agent-client/v7", "licenceType": "Elastic"} -{"name": "github.com/gorhill/cronexpr", "licenceType": "GPL-3.0", "licenceFile":"GPLv3"} +{"name": "github.com/gorhill/cronexpr", "licenceType": "Apache-2.0", "licenceFile":"APLv2"} {"name": "github.com/miekg/dns", "licenceType": "BSD"} {"name": "github.com/kr/logfmt", "licenceFile": "Readme", "licenceType": "MIT"} {"name": "github.com/samuel/go-parser", "licenceType": "BSD-3-Clause"} diff --git a/dev-tools/packaging/package_test.go b/dev-tools/packaging/package_test.go index 96173cde880..2a74e80b7f4 100644 --- a/dev-tools/packaging/package_test.go +++ b/dev-tools/packaging/package_test.go @@ -48,13 +48,15 @@ const ( ) var ( - configFilePattern = regexp.MustCompile(`.*beat\.yml$|apm-server\.yml$`) + configFilePattern = regexp.MustCompile(`.*beat\.yml$|apm-server\.yml|elastic-agent\.yml$`) manifestFilePattern = regexp.MustCompile(`manifest.yml`) modulesDirPattern = regexp.MustCompile(`module/.+`) modulesDDirPattern = regexp.MustCompile(`modules.d/$`) modulesDFilePattern = regexp.MustCompile(`modules.d/.+`) monitorsDFilePattern = regexp.MustCompile(`monitors.d/.+`) systemdUnitFilePattern = regexp.MustCompile(`/lib/systemd/system/.*\.service`) + + licenseFiles = []string{"LICENSE.txt", "NOTICE.txt"} ) var ( @@ -122,6 +124,7 @@ func checkRPM(t *testing.T, file string) { checkModulesPresent(t, "/usr/share", p) checkModulesDPresent(t, "/etc/", p) checkMonitorsDPresent(t, "/etc", p) + checkLicensesPresent(t, "/usr/share", p) checkSystemdUnitPermissions(t, p) ensureNoBuildIDLinks(t, p) } @@ -141,6 +144,7 @@ func checkDeb(t *testing.T, file string, buf *bytes.Buffer) { checkModulesPresent(t, "./usr/share", p) checkModulesDPresent(t, "./etc/", p) checkMonitorsDPresent(t, "./etc/", p) + checkLicensesPresent(t, "./usr/share", p) checkModulesOwner(t, p, true) checkModulesPermissions(t, p) checkSystemdUnitPermissions(t, p) @@ -160,6 +164,7 @@ func checkTar(t *testing.T, file string) { checkModulesDPresent(t, "", p) checkModulesPermissions(t, p) checkModulesOwner(t, p, true) + checkLicensesPresent(t, "", p) } func checkZip(t *testing.T, file string) { @@ -174,6 +179,7 @@ func checkZip(t *testing.T, file string) { checkModulesPresent(t, "", p) checkModulesDPresent(t, "", p) checkModulesPermissions(t, p) + checkLicensesPresent(t, "", p) } func checkDocker(t *testing.T, file string) { @@ -190,6 +196,7 @@ func checkDocker(t *testing.T, file string) { checkManifestPermissionsWithMode(t, p, os.FileMode(0640)) checkModulesPresent(t, "", p) checkModulesDPresent(t, "", p) + checkLicensesPresent(t, "licenses/", p) } // Verify that the main configuration file is installed with a 0600 file mode. @@ -373,6 +380,22 @@ func checkMonitors(t *testing.T, name, prefix string, r *regexp.Regexp, p *packa }) } +func checkLicensesPresent(t *testing.T, prefix string, p *packageFile) { + for _, licenseFile := range licenseFiles { + t.Run("License file "+licenseFile, func(t *testing.T) { + for _, entry := range p.Contents { + if strings.HasPrefix(entry.File, prefix) && strings.HasSuffix(entry.File, "/"+licenseFile) { + return + } + } + if prefix != "" { + t.Fatalf("not found under %s", prefix) + } + t.Fatal("not found") + }) + } +} + func checkDockerEntryPoint(t *testing.T, p *packageFile, info *dockerInfo) { expectedMode := os.FileMode(0755) @@ -402,7 +425,8 @@ func checkDockerLabels(t *testing.T, p *packageFile, info *dockerInfo, file stri if vendor != "Elastic" { return } - t.Run(fmt.Sprintf("%s labels", p.Name), func(t *testing.T) { + + t.Run(fmt.Sprintf("%s license labels", p.Name), func(t *testing.T) { expectedLicense := "Elastic License" ossPrefix := strings.Join([]string{ info.Config.Labels["org.label-schema.name"], @@ -412,8 +436,24 @@ func checkDockerLabels(t *testing.T, p *packageFile, info *dockerInfo, file stri if strings.HasPrefix(filepath.Base(file), ossPrefix) { expectedLicense = "ASL 2.0" } - if license, present := info.Config.Labels["license"]; !present || license != expectedLicense { - t.Errorf("unexpected license label: %s", license) + licenseLabels := []string{ + "license", + "org.label-schema.license", + } + for _, licenseLabel := range licenseLabels { + if license, present := info.Config.Labels[licenseLabel]; !present || license != expectedLicense { + t.Errorf("unexpected license label %s: %s", licenseLabel, license) + } + } + }) + + t.Run(fmt.Sprintf("%s required labels", p.Name), func(t *testing.T) { + // From https://redhat-connect.gitbook.io/partner-guide-for-red-hat-openshift-and-container/program-on-boarding/technical-prerequisites + requiredLabels := []string{"name", "vendor", "version", "release", "summary", "description"} + for _, label := range requiredLabels { + if value, present := info.Config.Labels[label]; !present || value == "" { + t.Errorf("missing required label %s", label) + } } }) } @@ -657,6 +697,12 @@ func readDocker(dockerFile string) (*packageFile, *dockerInfo, error) { if strings.HasPrefix("/"+name, workingDir) || "/"+name == entrypoint { p.Contents[name] = entry } + // Add also licenses + for _, licenseFile := range licenseFiles { + if strings.Contains(name, licenseFile) { + p.Contents[name] = entry + } + } } } diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml index a81b683f6e8..dbfbc9f4b7a 100644 --- a/dev-tools/packaging/packages.yml +++ b/dev-tools/packaging/packages.yml @@ -28,6 +28,9 @@ shared: /usr/share/{{.BeatName}}/LICENSE.txt: source: '{{ repo.RootDir }}/LICENSE.txt' mode: 0644 + /usr/share/{{.BeatName}}/NOTICE.txt: + source: '{{ repo.RootDir }}/NOTICE.txt' + mode: 0644 /usr/share/{{.BeatName}}/README.md: template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/common/README.md.tmpl' mode: 0644 @@ -42,30 +45,68 @@ shared: source: 'elastic-agent.yml' mode: 0600 config: true + /etc/{{.BeatName}}/.elastic-agent.active.commit: + content: > + {{ commit }} + mode: 0644 /usr/share/{{.BeatName}}/bin/{{.BeatName}}-god: source: build/golang-crossbuild/god-{{.GOOS}}-{{.Platform.Arch}} mode: 0755 /usr/bin/{{.BeatName}}: - template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/linux/beatname.sh.tmpl' + template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/linux/elastic-agent.sh.tmpl' mode: 0755 /lib/systemd/system/{{.BeatServiceName}}.service: - template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/linux/systemd.unit.tmpl' + template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl' mode: 0644 /etc/init.d/{{.BeatServiceName}}: template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/{{.PackageType}}/init.sh.tmpl' mode: 0755 - /etc/{{.BeatName}}/data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: - source: '{{ elastic_beats_dir }}/x-pack/filebeat/build/distributions/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}}: + source: build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + mode: 0755 + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' mode: 0644 - /etc/{{.BeatName}}/data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: - source: '{{ elastic_beats_dir }}/x-pack/metricbeat/build/distributions/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' mode: 0644 - /etc/{{.BeatName}}/data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: - source: '{{ elastic_beats_dir }}/x-pack/filebeat/build/distributions/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' mode: 0644 - /etc/{{.BeatName}}/data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: - source: '{{ elastic_beats_dir }}/x-pack/metricbeat/build/distributions/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + skip_on_missing: true + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' mode: 0644 + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + skip_on_missing: true + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + skip_on_missing: true + /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + # MacOS pkg spec for community beats. @@ -78,7 +119,7 @@ shared: identifier: 'co.{{.BeatVendor | tolower}}.beats.{{.BeatName}}' install_path: /Library/Application Support pre_install_script: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/darwin/scripts/preinstall.tmpl' - post_install_script: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/darwin/scripts/postinstall.tmpl' + post_install_script: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/darwin/scripts/postinstall.elastic-agent.tmpl' files: /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/bin/{{.BeatName}}{{.BinaryExt}}: source: build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} @@ -86,6 +127,9 @@ shared: /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/LICENSE.txt: source: '{{ repo.RootDir }}/LICENSE.txt' mode: 0644 + /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/NOTICE.txt: + source: '{{ repo.RootDir }}/NOTICE.txt' + mode: 0644 /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/README.md: template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/common/README.md.tmpl' mode: 0644 @@ -103,26 +147,71 @@ shared: source: 'elastic-agent.yml' mode: 0600 config: true - /etc/{{.BeatName}}/data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: - source: '{{ elastic_beats_dir }}/x-pack/filebeat/build/distributions/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + /etc/{{.BeatName}}/.elastic-agent.active.commit: + content: > + {{ commit }} mode: 0644 - /etc/{{.BeatName}}/data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: - source: '{{ elastic_beats_dir }}/x-pack/metricbeat/build/distributions/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}}: + source: build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + mode: 0755 + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + skip_on_missing: true + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + skip_on_missing: true + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' mode: 0644 - /etc/{{.BeatName}}/data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: - source: '{{ elastic_beats_dir }}/x-pack/filebeat/build/distributions/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + skip_on_missing: true + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' mode: 0644 - /etc/{{.BeatName}}/data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: - source: '{{ elastic_beats_dir }}/x-pack/metricbeat/build/distributions/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' mode: 0644 + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + skip_on_missing: true + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + skip_on_missing: true + /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true - &agent_binary_files '{{.BeatName}}{{.BinaryExt}}': source: build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} mode: 0755 + 'data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}}': + source: build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + mode: 0755 LICENSE.txt: source: '{{ repo.RootDir }}/LICENSE.txt' mode: 0644 + NOTICE.txt: + source: '{{ repo.RootDir }}/NOTICE.txt' + mode: 0644 README.md: template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/common/README.md.tmpl' mode: 0644 @@ -137,25 +226,58 @@ shared: source: 'elastic-agent.yml' mode: 0600 config: true + '.elastic-agent.active.commit': + content: > + {{ commit }} + mode: 0644 # Binary package spec (tar.gz for linux/darwin) for community beats. - &agent_binary_spec <<: *common files: <<: *agent_binary_files - 'data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': - source: '{{ elastic_beats_dir }}/x-pack/filebeat/build/distributions/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + 'data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' mode: 0644 - 'data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': - source: '{{ elastic_beats_dir }}/x-pack/metricbeat/build/distributions/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + 'data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512': + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' mode: 0644 - <<: *agent_binary_files - 'data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512': - source: '{{ elastic_beats_dir }}/x-pack/filebeat/build/distributions/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + 'data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc': + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512': + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' mode: 0644 - 'data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512': - source: '{{ elastic_beats_dir }}/x-pack/metricbeat/build/distributions/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + 'data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc': + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512': + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc': + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true # Binary package spec (zip for windows) for community beats. - &agent_windows_binary_spec @@ -168,30 +290,67 @@ shared: uninstall-service-{{.BeatName}}.ps1: template: '{{ elastic_beats_dir }}/dev-tools/packaging/templates/windows/uninstall-service.ps1.tmpl' mode: 0755 - 'data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': - source: '{{ elastic_beats_dir }}/x-pack/filebeat/build/distributions/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' + 'data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' + mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512': + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512' + mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc': + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc' + mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' + mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512' mode: 0644 - 'data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': - source: '{{ elastic_beats_dir }}/x-pack/metricbeat/build/distributions/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' + 'data/{{.BeatName}}-{{ commit_short }}/downloads/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc': + source: '{{.AgentDropPath}}/heartbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc' mode: 0644 - 'data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512': - source: '{{ elastic_beats_dir }}/x-pack/filebeat/build/distributions/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512' + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' mode: 0644 - 'data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512': - source: '{{ elastic_beats_dir }}/x-pack/metricbeat/build/distributions/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512' + 'data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512': + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512' mode: 0644 + 'data/{{.BeatName}}-{{ commit_short }}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc': + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc' + mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' + mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512': + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512' + mode: 0644 + skip_on_missing: true + 'data/{{.BeatName}}-{{ commit_short }}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc': + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc' + mode: 0644 + skip_on_missing: true - &agent_docker_spec <<: *agent_binary_spec extra_vars: from: 'centos:7' - user: 'root' + buildFrom: 'centos:7' + dockerfile: 'Dockerfile.elastic-agent.tmpl' + docker_entrypoint: 'docker-entrypoint.elastic-agent.tmpl' + user: '{{ .BeatName }}' linux_capabilities: '' files: 'elastic-agent.yml': source: 'elastic-agent.docker.yml' mode: 0600 config: true + '.elastic-agent.active.commit': + content: > + {{ commit }} + mode: 0644 # Deb/RPM spec for community beats. - &deb_rpm_spec @@ -338,6 +497,7 @@ shared: <<: *binary_spec extra_vars: from: 'centos:7' + buildFrom: 'centos:7' user: '{{ .BeatName }}' linux_capabilities: '' files: @@ -346,6 +506,11 @@ shared: mode: 0600 config: true + - &docker_ubi_spec + extra_vars: + image_name: '{{.BeatName}}-ubi8' + from: 'docker.elastic.co/ubi8/ubi-minimal' + - &elastic_docker_spec extra_vars: repository: 'docker.elastic.co/beats' @@ -515,6 +680,14 @@ specs: <<: *elastic_docker_spec <<: *elastic_license_for_binaries + - os: linux + types: [docker] + spec: + <<: *docker_spec + <<: *docker_ubi_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + # Elastic Beat with Elastic License and binary taken the current directory. elastic_beat_xpack_reduced: ### @@ -599,6 +772,17 @@ specs: '{{.BeatName}}{{.BinaryExt}}': source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + - os: linux + types: [docker] + spec: + <<: *docker_spec + <<: *docker_ubi_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + files: + '{{.BeatName}}{{.BinaryExt}}': + source: ./{{.XPackDir}}/{{.BeatName}}/build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + # Elastic Beat with Elastic License and binary taken from the x-pack dir. elastic_beat_agent_binaries: ### @@ -620,7 +804,9 @@ specs: <<: *elastic_license_for_binaries files: '{{.BeatName}}{{.BinaryExt}}': - source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + source: data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}} + symlink: true + mode: 0755 - os: darwin types: [dmg] @@ -630,7 +816,8 @@ specs: files: /Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/bin/{{.BeatName}}{{.BinaryExt}}: mode: 0755 - source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + source: /etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}} + symlink: true - os: linux types: [tgz] @@ -639,7 +826,9 @@ specs: <<: *elastic_license_for_binaries files: '{{.BeatName}}{{.BinaryExt}}': - source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} + source: data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}} + symlink: true + mode: 0755 - os: linux types: [deb, rpm] @@ -648,12 +837,25 @@ specs: <<: *elastic_license_for_deb_rpm files: /usr/share/{{.BeatName}}/bin/{{.BeatName}}{{.BinaryExt}}: + source: /var/lib/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}} + symlink: true + mode: 0755 + + - os: linux + types: [docker] + spec: + <<: *agent_docker_spec + <<: *elastic_docker_spec + <<: *elastic_license_for_binaries + files: + '{{.BeatName}}{{.BinaryExt}}': source: ./build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}} - os: linux types: [docker] spec: <<: *agent_docker_spec + <<: *docker_ubi_spec <<: *elastic_docker_spec <<: *elastic_license_for_binaries files: diff --git a/dev-tools/packaging/templates/darwin/scripts/postinstall.elastic-agent.tmpl b/dev-tools/packaging/templates/darwin/scripts/postinstall.elastic-agent.tmpl new file mode 100644 index 00000000000..2a9549b1d3e --- /dev/null +++ b/dev-tools/packaging/templates/darwin/scripts/postinstall.elastic-agent.tmpl @@ -0,0 +1,32 @@ +#!/usr/bin/env bash + +BEAT_NAME="{{.BeatName}}" +VERSION="{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}" +SCRIPT="postinstall" +INSTALL_DIR="{{.install_path}}/{{.BeatVendor}}/{{.BeatName}}" +IDENTIFIER="{{.identifier}}" +VERSIONED_EXECUTABLE="/etc/{{.BeatName}}/data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}}" +EXE_ROOT="/Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/bin" +EXE_NAME="{{.BeatName}}{{.BinaryExt}}" + +log() { + LEVEL="$1"; shift + syslog -s -l "$LEVEL" "$BEAT_NAME $SCRIPT: $@" +} + +die() { + log ERROR "Failed: $@" +} + +log WARN "identifier: $IDENTIFIER" +log WARN "version: $VERSION" +log WARN "install_dir: $INSTALL_DIR" + +mkdir -p "$EXE_ROOT" || die "Unable to create $BEAT_NAME bin directory" +ln -s "$VERSIONED_EXECUTABLE" "$EXE_ROOT/$EXE_NAME" || die "Unable to create $BEAT_NAME symlink" + +DAEMON_PLIST="/Library/LaunchDaemons/$IDENTIFIER.plist" +launchctl unload -w "$DAEMON_PLIST" +rm -f "$DAEMON_PLIST" +ln -s "$INSTALL_DIR/$IDENTIFIER.plist" "$DAEMON_PLIST" || die "Unable to create $DAEMON_PLIST symlink" +launchctl load -w "$DAEMON_PLIST" || die "Unable to install launchctl daemon $DAEMON_PLIST" diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl index a38ea8701a3..7ab87f6f3ec 100644 --- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl +++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl @@ -2,11 +2,40 @@ {{- $beatBinary := printf "%s/%s" $beatHome .BeatName }} {{- $repoInfo := repo }} +# Prepare home in a different stage to avoid creating additional layers on +# the final image because of permission changes. +FROM {{ .buildFrom }} AS home + +COPY beat {{ $beatHome }} + +RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/logs && \ + chown -R root:root {{ $beatHome }} && \ + find {{ $beatHome }} -type d -exec chmod 0750 {} \; && \ + find {{ $beatHome }} -type f -exec chmod 0640 {} \; && \ + find {{ $beatHome }}/data -type d -exec chmod 0770 {} \; && \ + find {{ $beatHome }}/data -type f -exec chmod 0660 {} \; && \ + rm {{ $beatBinary }} && \ + ln -s {{ $beatHome }}/data/elastic-agent-{{ commit_short }}/elastic-agent {{ $beatBinary }} && \ + chmod 0750 {{ $beatHome }}/data/elastic-agent-*/elastic-agent && \ +{{- if .linux_capabilities }} + setcap {{ .linux_capabilities }} {{ $beatBinary }} && \ +{{- end }} +{{- range $i, $modulesd := .ModulesDirs }} + chmod 0770 {{ $beatHome}}/{{ $modulesd }} && \ +{{- end }} + true + FROM {{ .from }} +{{- if contains .from "ubi-minimal" }} +RUN for iter in {1..10}; do microdnf update -y && microdnf install -y shadow-utils && microdnf clean all && exit_code=0 && break || exit_code=$? && echo "microdnf error: retry $iter in 10s" && sleep 10; done; (exit $exit_code) +RUN curl -L https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 -o /usr/local/bin/jq && \ + chmod +x /usr/local/bin/jq +{{- else }} # Installing jq needs to be installed after epel-release and cannot be in the same yum install command. RUN for iter in {1..10}; do yum update --setopt=tsflags=nodocs -y && yum install --setopt=tsflags=nodocs -y epel-release && yum clean all && exit_code=0 && break || exit_code=$? && echo "yum error: retry $iter in 10s" && sleep 10; done; (exit $exit_code) RUN for iter in {1..10}; do yum update -y && yum install -y jq && yum clean all && exit_code=0 && break || exit_code=$? && echo "yum error: retry $iter in 10s" && sleep 10; done; (exit $exit_code) +{{- end }} LABEL \ org.label-schema.build-date="{{ date }}" \ @@ -18,33 +47,41 @@ LABEL \ org.label-schema.url="{{ .BeatURL }}" \ org.label-schema.vcs-url="{{ $repoInfo.RootImportPath }}" \ org.label-schema.vcs-ref="{{ commit }}" \ + io.k8s.description="{{ .BeatDescription }}" \ + io.k8s.display-name="{{ .BeatName | title }} image" \ + org.opencontainers.image.created="{{ date }}" \ + org.opencontainers.image.licenses="{{ .License }}" \ + org.opencontainers.image.title="{{ .BeatName | title }}" \ + org.opencontainers.image.vendor="{{ .BeatVendor }}" \ + name="{{ .BeatName }}" \ + maintainer="infra@elastic.co" \ + vendor="{{ .BeatVendor }}" \ + version="{{ beat_version }}" \ + release="1" \ + url="{{ .BeatURL }}" \ + summary="{{ .BeatName }}" \ license="{{ .License }}" \ description="{{ .BeatDescription }}" ENV ELASTIC_CONTAINER "true" ENV PATH={{ $beatHome }}:$PATH -COPY beat {{ $beatHome }} COPY docker-entrypoint /usr/local/bin/docker-entrypoint RUN chmod 755 /usr/local/bin/docker-entrypoint -RUN groupadd --gid 1000 {{ .BeatName }} +COPY --from=home {{ $beatHome }} {{ $beatHome }} -RUN mkdir -p {{ $beatHome }}/data {{ $beatHome }}/logs && \ - chown -R root:{{ .BeatName }} {{ $beatHome }} && \ - find {{ $beatHome }} -type d -exec chmod 0750 {} \; && \ - find {{ $beatHome }} -type f -exec chmod 0640 {} \; && \ - chmod 0750 {{ $beatBinary }} && \ -{{- if .linux_capabilities }} - setcap {{ .linux_capabilities }} {{ $beatBinary }} && \ -{{- end }} -{{- range $i, $modulesd := .ModulesDirs }} - chmod 0770 {{ $beatHome}}/{{ $modulesd }} && \ -{{- end }} - chmod 0770 {{ $beatHome }}/data {{ $beatHome }}/logs +# Elastic Agent needs group permissions in the home itself to be able to +# create fleet.yml when running as non-root. +RUN chmod 0770 {{ $beatHome }} + +RUN mkdir /licenses +COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses +COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses {{- if ne .user "root" }} -RUN useradd -M --uid 1000 --gid 1000 --home {{ $beatHome }} {{ .user }} +RUN groupadd --gid 1000 {{ .BeatName }} +RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }} {{- end }} USER {{ .user }} diff --git a/dev-tools/packaging/templates/docker/Dockerfile.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.tmpl index 9080b7c534d..8b7eb80745c 100644 --- a/dev-tools/packaging/templates/docker/Dockerfile.tmpl +++ b/dev-tools/packaging/templates/docker/Dockerfile.tmpl @@ -2,10 +2,34 @@ {{- $beatBinary := printf "%s/%s" $beatHome .BeatName }} {{- $repoInfo := repo }} +# Prepare home in a different stage to avoid creating additional layers on +# the final image because of permission changes. +FROM {{ .buildFrom }} AS home + +COPY beat {{ $beatHome }} + +RUN mkdir {{ $beatHome }}/data {{ $beatHome }}/logs && \ + chown -R root:root {{ $beatHome }} && \ + find {{ $beatHome }} -type d -exec chmod 0750 {} \; && \ + find {{ $beatHome }} -type f -exec chmod 0640 {} \; && \ + chmod 0750 {{ $beatBinary }} && \ +{{- if .linux_capabilities }} + setcap {{ .linux_capabilities }} {{ $beatBinary }} && \ +{{- end }} +{{- range $i, $modulesd := .ModulesDirs }} + chmod 0770 {{ $beatHome}}/{{ $modulesd }} && \ +{{- end }} + chmod 0770 {{ $beatHome }}/data {{ $beatHome }}/logs + FROM {{ .from }} -RUN yum -y --setopt=tsflags=nodocs update && \ - yum clean all +{{- if contains .from "ubi-minimal" }} +RUN microdnf -y --setopt=tsflags=nodocs update && \ + microdnf install shadow-utils && \ + microdnf clean all +{{- else }} +RUN yum -y --setopt=tsflags=nodocs update && yum clean all +{{- end }} LABEL \ org.label-schema.build-date="{{ date }}" \ @@ -17,32 +41,36 @@ LABEL \ org.label-schema.url="{{ .BeatURL }}" \ org.label-schema.vcs-url="{{ $repoInfo.RootImportPath }}" \ org.label-schema.vcs-ref="{{ commit }}" \ + io.k8s.description="{{ .BeatDescription }}" \ + io.k8s.display-name="{{ .BeatName | title }} image" \ + org.opencontainers.image.created="{{ date }}" \ + org.opencontainers.image.licenses="{{ .License }}" \ + org.opencontainers.image.title="{{ .BeatName | title }}" \ + org.opencontainers.image.vendor="{{ .BeatVendor }}" \ + name="{{ .BeatName }}" \ + maintainer="infra@elastic.co" \ + vendor="{{ .BeatVendor }}" \ + version="{{ beat_version }}" \ + release="1" \ + url="{{ .BeatURL }}" \ + summary="{{ .BeatName }}" \ license="{{ .License }}" \ description="{{ .BeatDescription }}" ENV ELASTIC_CONTAINER "true" ENV PATH={{ $beatHome }}:$PATH -COPY beat {{ $beatHome }} COPY docker-entrypoint /usr/local/bin/docker-entrypoint RUN chmod 755 /usr/local/bin/docker-entrypoint -RUN groupadd --gid 1000 {{ .BeatName }} +COPY --from=home {{ $beatHome }} {{ $beatHome }} -RUN mkdir {{ $beatHome }}/data {{ $beatHome }}/logs && \ - chown -R root:root {{ $beatHome }} && \ - find {{ $beatHome }} -type d -exec chmod 0750 {} \; && \ - find {{ $beatHome }} -type f -exec chmod 0640 {} \; && \ - chmod 0750 {{ $beatBinary }} && \ -{{- if .linux_capabilities }} - setcap {{ .linux_capabilities }} {{ $beatBinary }} && \ -{{- end }} -{{- range $i, $modulesd := .ModulesDirs }} - chmod 0770 {{ $beatHome}}/{{ $modulesd }} && \ -{{- end }} - chmod 0770 {{ $beatHome }}/data {{ $beatHome }}/logs +RUN mkdir /licenses +COPY --from=home {{ $beatHome }}/LICENSE.txt /licenses +COPY --from=home {{ $beatHome }}/NOTICE.txt /licenses {{- if ne .user "root" }} +RUN groupadd --gid 1000 {{ .BeatName }} RUN useradd -M --uid 1000 --gid 1000 --groups 0 --home {{ $beatHome }} {{ .user }} {{- end }} USER {{ .user }} diff --git a/dev-tools/packaging/templates/docker/docker-entrypoint.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/docker-entrypoint.elastic-agent.tmpl index 8e6149e351f..91f043d2799 100644 --- a/dev-tools/packaging/templates/docker/docker-entrypoint.elastic-agent.tmpl +++ b/dev-tools/packaging/templates/docker/docker-entrypoint.elastic-agent.tmpl @@ -5,6 +5,7 @@ set -eo pipefail # Environment variables used # FLEET_ENROLLMENT_TOKEN - existing enrollment token to be used for enroll # FLEET_ENROLL - if set to 1 enroll will be performed +# FLEET_ENROLL_INSECURE - if set to 1, agent will enroll with fleet using --insecure flag # FLEET_SETUP - if set to 1 fleet setup will be performed # FLEET_TOKEN_NAME - token name for a token to be created # KIBANA_HOST - actual kibana host [http://localhost:5601] @@ -53,7 +54,11 @@ function enroll(){ fi echo $apikey - ./{{ .BeatName }} enroll ${KIBANA_HOST:-http://localhost:5601} $apikey -f + if [[ -n "${FLEET_ENROLL_INSECURE}" ]] && [[ ${FLEET_ENROLL_INSECURE} == 1 ]]; then + insecure_flag="--insecure" + fi + + ./{{ .BeatName }} enroll ${insecure_flag} ${KIBANA_HOST:-http://localhost:5601} $apikey -f } if [[ -n "${FLEET_SETUP}" ]] && [[ ${FLEET_SETUP} == 1 ]]; then setup; fi diff --git a/dev-tools/packaging/templates/linux/elastic-agent.sh.tmpl b/dev-tools/packaging/templates/linux/elastic-agent.sh.tmpl new file mode 100644 index 00000000000..744abc05702 --- /dev/null +++ b/dev-tools/packaging/templates/linux/elastic-agent.sh.tmpl @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +# Script to run {{.BeatName | title}} in foreground with the same path settings that +# the init script / systemd unit file would do. + +exec /usr/share/{{.BeatName}}/bin/{{.BeatName}} \ + --path.home /var/lib/{{.BeatName}} \ + --path.config /etc/{{.BeatName}} \ + --path.data /var/lib/{{.BeatName}}/data \ + --path.logs /var/log/{{.BeatName}} \ + "$@" diff --git a/dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl b/dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl new file mode 100644 index 00000000000..f7ffb886884 --- /dev/null +++ b/dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl @@ -0,0 +1,19 @@ +[Unit] +Description={{.Description}} +Documentation={{.URL}} +Wants=network-online.target +After=network-online.target + +[Service] +{{ if ne .BeatUser "root" -}} +User={{ .BeatUser }} +Group={{ .BeatUser }} +{{- end }} +Environment="BEAT_LOG_OPTS=" +Environment="BEAT_CONFIG_OPTS=-c /etc/{{.BeatName}}/{{.BeatName}}.yml" +Environment="BEAT_PATH_OPTS=--path.home /var/lib/{{.BeatName}} --path.config /etc/{{.BeatName}} --path.data /var/lib/{{.BeatName}}/data --path.logs /var/log/{{.BeatName}}" +ExecStart=/usr/share/{{.BeatName}}/bin/{{.BeatName}} --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/dev-tools/packaging/templates/linux/systemd.unit.tmpl b/dev-tools/packaging/templates/linux/systemd.unit.tmpl index 4199e856591..ab0d1bcab5f 100644 --- a/dev-tools/packaging/templates/linux/systemd.unit.tmpl +++ b/dev-tools/packaging/templates/linux/systemd.unit.tmpl @@ -12,7 +12,7 @@ Group={{ .BeatUser }} Environment="BEAT_LOG_OPTS=" Environment="BEAT_CONFIG_OPTS=-c /etc/{{.BeatName}}/{{.BeatName}}.yml" Environment="BEAT_PATH_OPTS=--path.home /usr/share/{{.BeatName}} --path.config /etc/{{.BeatName}} --path.data /var/lib/{{.BeatName}} --path.logs /var/log/{{.BeatName}}" -ExecStart=/usr/share/{{.BeatName}}/bin/{{.BeatName}} -environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS +ExecStart=/usr/share/{{.BeatName}}/bin/{{.BeatName}} --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS Restart=always [Install] diff --git a/dev-tools/packaging/templates/windows/install-service-elastic-agent.ps1.tmpl b/dev-tools/packaging/templates/windows/install-service-elastic-agent.ps1.tmpl index 58fd5b63b9f..fe037e3b425 100644 --- a/dev-tools/packaging/templates/windows/install-service-elastic-agent.ps1.tmpl +++ b/dev-tools/packaging/templates/windows/install-service-elastic-agent.ps1.tmpl @@ -1,3 +1,5 @@ +$ErrorActionPreference = "Stop" + # Delete and stop the service if it already exists. if (Get-Service {{.BeatName}} -ErrorAction SilentlyContinue) { $service = Get-WmiObject -Class Win32_Service -Filter "name='{{.BeatName}}'" @@ -13,8 +15,5 @@ New-Service -name {{.BeatName}} ` -displayName {{.BeatName | title}} ` -binaryPathName "`"$workdir\{{.BeatName}}.exe`" --path.home `"$workdir`" --path.data `"$workdir\data`" run" -# Attempt to set the service to delayed start using sc config. -Try { - Start-Process -FilePath sc.exe -ArgumentList 'config {{.BeatName}} start= delayed-auto' -} -Catch { Write-Host -f red "An error occured setting the service to delayed start." } +# Start the new service. +Start-Service -name {{.BeatName}} diff --git a/dev-tools/packaging/templates/windows/install-service.ps1.tmpl b/dev-tools/packaging/templates/windows/install-service.ps1.tmpl index 3ca9069db88..3e8fde69257 100644 --- a/dev-tools/packaging/templates/windows/install-service.ps1.tmpl +++ b/dev-tools/packaging/templates/windows/install-service.ps1.tmpl @@ -11,7 +11,7 @@ $workdir = Split-Path $MyInvocation.MyCommand.Path # Create the new service. New-Service -name {{.BeatName}} ` -displayName {{.BeatName | title}} ` - -binaryPathName "`"$workdir\{{.BeatName}}.exe`" -environment=windows_service -c `"$workdir\{{.BeatName}}.yml`" --path.home `"$workdir`" --path.data `"C:\ProgramData\{{.BeatName}}`" --path.logs `"C:\ProgramData\{{.BeatName}}\logs`" -E logging.files.redirect_stderr=true" + -binaryPathName "`"$workdir\{{.BeatName}}.exe`" --environment=windows_service -c `"$workdir\{{.BeatName}}.yml`" --path.home `"$workdir`" --path.data `"C:\ProgramData\{{.BeatName}}`" --path.logs `"C:\ProgramData\{{.BeatName}}\logs`" -E logging.files.redirect_stderr=true" # Attempt to set the service to delayed start using sc config. Try { diff --git a/docs/devguide/index.asciidoc b/docs/devguide/index.asciidoc index 213dc7cccaf..6cc701592f0 100644 --- a/docs/devguide/index.asciidoc +++ b/docs/devguide/index.asciidoc @@ -27,6 +27,8 @@ include::./fields-yml.asciidoc[] include::./event-conventions.asciidoc[] +include::./python.asciidoc[] + include::./newdashboards.asciidoc[] include::./new_protocol.asciidoc[] diff --git a/docs/devguide/modules-dev-guide.asciidoc b/docs/devguide/modules-dev-guide.asciidoc index d25161a079c..b3a8cb22592 100644 --- a/docs/devguide/modules-dev-guide.asciidoc +++ b/docs/devguide/modules-dev-guide.asciidoc @@ -486,6 +486,6 @@ locally for a specific module, using the following procedure under Filebeat dire . Run an Elasticsearch instance locally using docker: `docker run -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:8.0.0-SNAPSHOT` . Create python env: `make python-env` -. Source python env: `./build/python-env/bin/activate` +. Source python env: `source ./build/python-env/bin/activate` . Create the testing binary: `make filebeat.test` -. Run the test, ie: `GENERATE=1 INTEGRATION_TESTS=1 BEAT_STRICT_PERMS=false TESTING_FILEBEAT_MODULES=nginx nosetests tests/system/test_modules.py` +. Run the test, ie: `GENERATE=1 INTEGRATION_TESTS=1 BEAT_STRICT_PERMS=false TESTING_FILEBEAT_MODULES=nginx pytest tests/system/test_modules.py` diff --git a/docs/devguide/python.asciidoc b/docs/devguide/python.asciidoc index 4f9902af205..8f86e81fcc3 100644 --- a/docs/devguide/python.asciidoc +++ b/docs/devguide/python.asciidoc @@ -1,5 +1,5 @@ [[python-beats]] -== Python in Beats +=== Python in Beats Python is used for Beats development, it is the language used to implement system tests and some other tools. Python dependencies are managed by the use of @@ -9,7 +9,7 @@ https://docs.python.org/3/library/venv.html[venv]. Beats development requires Python >= {python}. [[installing-python]] -=== Installing Python and venv +==== Installing Python and venv Python uses to be installed in many operating systems. If it is not installed in your system you can follow the instructions available in https://www.python.org/downloads/ @@ -32,7 +32,7 @@ sudo apt-get install python3.7 python3.7-venv It is recommended to use Python >= {python}. [[python-virtual-environments]] -=== Working with virtual environments +==== Working with virtual environments All `make` and `mage` targets manage their own virtual environments in a transparent way, so for the most common operations required when contributing to beats, @@ -52,20 +52,20 @@ of these virtual environments: is created by `make` or `mage` targets when needed. Virtual environments can also be used without `make` or `mage`, this is usual -for example when running individual system tests with `nosetests`. There are two +for example when running individual system tests with `pytest`. There are two ways to run commands from the virtual environment: * "Activating" the virtual environment in your current terminal running `source ./build/python-env/bin/activate`. Virtual environment can be deactivated by running `deactivate`. * Directly running commands from the virtual environment path. For example - `nosetests` can be executed as `./build/python-env/bin/nosetests`. + `pytest` can be executed as `./build/python-env/bin/pytest`. To recreate a virtual environment, remove its directory. All virtual environments are also removed with `make clean`. [[python-older-versions]] -=== Working with older versions +==== Working with older versions Older versions of Beats were not compatible with Python 3, if you need to temporary work on one of these versions of Beats, and you don't want to remove diff --git a/docs/devguide/testing.asciidoc b/docs/devguide/testing.asciidoc index a21a8d65ce0..75a476d5c5a 100644 --- a/docs/devguide/testing.asciidoc +++ b/docs/devguide/testing.asciidoc @@ -8,7 +8,8 @@ In general there are two major test suites: * Tests written in Go * Tests written in Python -The tests written in Go use the https://golang.org/pkg/testing/[Go Testing package]. The tests written in Python depend on http://nose.readthedocs.io/en/latest/[nosetests] and require a compiled and executable binary from the Go code. The python test run a beat with a specific config and params and either check if the output is as expected or if the correct things show up in the logs. +The tests written in Go use the https://golang.org/pkg/testing/[Go Testing +package]. The tests written in Python depend on https://docs.pytest.org/en/latest/[pytest] and require a compiled and executable binary from the Go code. The python test run a beat with a specific config and params and either check if the output is as expected or if the correct things show up in the logs. For both of the above test suites so called integration tests exists. Integration tests in Beats are tests which require an external system like Elasticsearch to test if the integration with this service works as expected. Beats provides in its testsuite docker containers and docker-compose files to start these environments but a developer can run the required services also locally. @@ -23,7 +24,7 @@ All Go tests are in the same package as the tested code itself and have the post ==== Running Python Tests -The system tests require a testing binary to be available and the python environment to be set up. To create the testing binary run `make {beatname}.test`. This will create the test binary in the beat directory. To setup the testing environment `make python-env` can be run which will use `venv` to load the dependencies. Then `nosetests` has to be run inside `tests/system`. +The system tests require a testing binary to be available and the python environment to be set up. To create the testing binary run `make {beatname}.test`. This will create the test binary in the beat directory. To setup the testing environment `make python-env` can be run which will use `venv` to load the dependencies. Then `pytest` has to be run inside `tests/system`. To automate all these steps into one `make system-tests` can be run. This creates the binary, the environment and runs all tests which do not require and external service. diff --git a/filebeat/Dockerfile b/filebeat/Dockerfile index e4aec49417d..7a25b9906af 100644 --- a/filebeat/Dockerfile +++ b/filebeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 RUN \ apt-get update \ @@ -12,8 +12,6 @@ RUN \ libpcap-dev \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/filebeat/Jenkinsfile.yml b/filebeat/Jenkinsfile.yml new file mode 100644 index 00000000000..45b032accfb --- /dev/null +++ b/filebeat/Jenkinsfile.yml @@ -0,0 +1,33 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^filebeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@oss" ## special token regarding the changeset for the oss + comments: ## when PR comment contains any of those entries + - "/test filebeat" + labels: ## when PR labels matches any of those entries + - "filebeat" + parameters: ## when parameter was selected in the UI. + - "filebeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage build test" + withModule: true ## run the ITs only if the changeset affects a specific module. + macos: + mage: "mage build unitTest" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test filebeat for macos" + labels: + - "macOS" + parameters: + - "macosTest" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl index ae4816f4f82..c920b7dbec8 100644 --- a/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl +++ b/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl @@ -50,6 +50,10 @@ filebeat.inputs: # are matching any regular expression from the list. By default, no files are dropped. #exclude_files: ['.gz$'] + # Method to determine if two files are the same or not. By default + # the Beat considers two files the same if their inode and device id are the same. + #file_identity.native: ~ + # Optional additional fields. These fields can be freely picked # to add additional information to the crawled log files for filtering #fields: diff --git a/filebeat/_meta/fields.common.yml b/filebeat/_meta/fields.common.yml index 03ef3f75ce8..3de0956c7d1 100644 --- a/filebeat/_meta/fields.common.yml +++ b/filebeat/_meta/fields.common.yml @@ -4,13 +4,6 @@ Contains log file lines. fields: - - name: log.file.path - type: keyword - required: false - description: > - The file from which the line was read. This field contains the absolute path to the file. - For example: `/var/log/system.log`. - - name: log.source.address type: keyword required: false diff --git a/filebeat/config/config_test.go b/filebeat/config/config_test.go index 15f9f624b28..7d148a272f8 100644 --- a/filebeat/config/config_test.go +++ b/filebeat/config/config_test.go @@ -34,24 +34,24 @@ func TestReadConfig2(t *testing.T) { absPath, err := filepath.Abs("../tests/files/") assert.NotNil(t, absPath) - assert.Nil(t, err) + assert.NoError(t, err) config := &Config{} // Reads second config file err = cfgfile.Read(config, absPath+"/config2.yml") - assert.Nil(t, err) + assert.NoError(t, err) } func TestGetConfigFiles_File(t *testing.T) { absPath, err := filepath.Abs("../tests/files/") assert.NotNil(t, absPath) - assert.Nil(t, err) + assert.NoError(t, err) files, err := getConfigFiles(absPath + "/config.yml") - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 1, len(files)) assert.Equal(t, absPath+"/config.yml", files[0]) @@ -61,11 +61,11 @@ func TestGetConfigFiles_Dir(t *testing.T) { absPath, err := filepath.Abs("../tests/files/") assert.NotNil(t, absPath) - assert.Nil(t, err) + assert.NoError(t, err) files, err := getConfigFiles(absPath) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 2, len(files)) assert.Equal(t, filepath.Join(absPath, "/config.yml"), files[0]) @@ -76,11 +76,11 @@ func TestGetConfigFiles_EmptyDir(t *testing.T) { absPath, err := filepath.Abs("../tests/files/") assert.NotNil(t, absPath) - assert.Nil(t, err) + assert.NoError(t, err) files, err := getConfigFiles(absPath + "/logs") - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 0, len(files)) } @@ -88,12 +88,12 @@ func TestGetConfigFiles_Invalid(t *testing.T) { absPath, err := filepath.Abs("../tests/files/") assert.NotNil(t, absPath) - assert.Nil(t, err) + assert.NoError(t, err) // Invalid directory files, err := getConfigFiles(absPath + "/qwerwer") - assert.NotNil(t, err) + assert.Error(t, err) assert.Nil(t, files) } @@ -101,11 +101,11 @@ func TestMergeConfigFiles(t *testing.T) { absPath, err := filepath.Abs("../tests/files/") assert.NotNil(t, absPath) - assert.Nil(t, err) + assert.NoError(t, err) files, err := getConfigFiles(absPath) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 2, len(files)) config := &Config{} diff --git a/filebeat/conftest.py b/filebeat/conftest.py new file mode 100644 index 00000000000..2f3f8199559 --- /dev/null +++ b/filebeat/conftest.py @@ -0,0 +1,4 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../libbeat/tests/system')) diff --git a/filebeat/docker-compose.yml b/filebeat/docker-compose.yml index 5a447d6cd66..19302ae1e6f 100644 --- a/filebeat/docker-compose.yml +++ b/filebeat/docker-compose.yml @@ -40,8 +40,6 @@ services: extends: file: ${ES_BEATS}/testing/environments/${TESTING_ENVIRONMENT}.yml service: elasticsearch - environment: - script.cache.max_size: "500" kafka: build: ${ES_BEATS}/testing/environments/docker/kafka diff --git a/filebeat/docs/autodiscover-hints.asciidoc b/filebeat/docs/autodiscover-hints.asciidoc index 9c1893c8367..de678011763 100644 --- a/filebeat/docs/autodiscover-hints.asciidoc +++ b/filebeat/docs/autodiscover-hints.asciidoc @@ -112,7 +112,7 @@ filebeat.autodiscover: hints.default_config: type: container paths: - - /var/log/container/*-${container.id}.log # CRI path + - /var/log/containers/*-${data.container.id}.log # CRI path ----- You can also disable default settings entirely, so only Pods annotated like `co.elastic.logs/enabled: true` @@ -215,7 +215,7 @@ filebeat.autodiscover: hints.default_config: type: container paths: - - /var/log/container/*-${container.id}.log # CRI path + - /var/log/containers/*-${data.container.id}.log # CRI path ----- You can also disable default settings entirely, so only containers labeled with `co.elastic.logs/enabled: true` diff --git a/filebeat/docs/configuring-howto.asciidoc b/filebeat/docs/configuring-howto.asciidoc index 89a8f4b4f2d..ec70fe23942 100644 --- a/filebeat/docs/configuring-howto.asciidoc +++ b/filebeat/docs/configuring-howto.asciidoc @@ -27,6 +27,7 @@ include::{libbeat-dir}/shared/configuring-intro.asciidoc[] * <> * <> * <> +* <> * <<{beatname_lc}-reference-yml>> -- @@ -65,4 +66,6 @@ include::{libbeat-dir}/http-endpoint.asciidoc[] include::{libbeat-dir}/regexp.asciidoc[] +include::{libbeat-dir}/shared-instrumentation.asciidoc[] + include::{libbeat-dir}/reference-yml.asciidoc[] diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 2e97c5c150e..b4888ec8c5e 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -29,6 +29,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> @@ -49,7 +50,6 @@ grouped in the following categories: * <> * <> * <> -* <> * <> * <> * <> @@ -69,20 +69,23 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> -* <> * <> * <> * <> +* <> * <> +* <> * <> * <> +* <> * <> -* <> * <> * <> * <> +* <> * <> -- @@ -1490,6 +1493,120 @@ type: flattened -- +[float] +=== digest + +Fields from Cloudtrail Digest Logs + + +*`aws.cloudtrail.digest.log_files`*:: ++ +-- +A list of Logfiles contained in the digest. + +type: nested + +-- + +*`aws.cloudtrail.digest.start_time`*:: ++ +-- +The starting UTC time range that the digest file covers, taking as a reference the time in which log files have been delivered by CloudTrail. + +type: date + +-- + +*`aws.cloudtrail.digest.end_time`*:: ++ +-- +The ending UTC time range that the digest file covers, taking as a reference the time in which log files have been delivered by CloudTrail. + +type: date + +-- + +*`aws.cloudtrail.digest.s3_bucket`*:: ++ +-- +The name of the Amazon S3 bucket to which the current digest file has been delivered. + +type: keyword + +-- + +*`aws.cloudtrail.digest.s3_object`*:: ++ +-- +The Amazon S3 object key (that is, the Amazon S3 bucket location) of the current digest file. + +type: keyword + +-- + +*`aws.cloudtrail.digest.newest_event_time`*:: ++ +-- +The UTC time of the most recent event among all of the events in the log files in the digest. + +type: date + +-- + +*`aws.cloudtrail.digest.oldest_event_time`*:: ++ +-- +The UTC time of the oldest event among all of the events in the log files in the digest. + +type: date + +-- + +*`aws.cloudtrail.digest.previous_s3_bucket`*:: ++ +-- +The Amazon S3 bucket to which the previous digest file was delivered. + +type: keyword + +-- + +*`aws.cloudtrail.digest.previous_hash_algorithm`*:: ++ +-- +The name of the hash algorithm that was used to hash the previous digest file. + +type: keyword + +-- + +*`aws.cloudtrail.digest.public_key_fingerprint`*:: ++ +-- +The hexadecimal encoded fingerprint of the public key that matches the private key used to sign this digest file. + +type: keyword + +-- + +*`aws.cloudtrail.digest.signature_algorithm`*:: ++ +-- +The algorithm used to sign the digest file. + +type: keyword + +-- + +*`aws.cloudtrail.insight_details`*:: ++ +-- +Shows information about the underlying triggers of an Insights event, such as event source, user agent, statistics, API name, and whether the event is the start or end of the Insights event. + +type: flattened + +-- + [float] === cloudwatch @@ -20476,14 +20593,7 @@ Module for handling Cisco network device logs. [float] -=== cisco - -Fields from Cisco logs. - - - -[float] -=== asa +=== cisco.asa Fields for Cisco ASA Firewall. @@ -20687,12 +20797,122 @@ type: keyword The assigned DAP records +type: keyword + +-- + +*`cisco.asa.command_line_arguments`*:: ++ +-- +The command line arguments logged by the local audit log + + +type: keyword + +-- + +*`cisco.asa.assigned_ip`*:: ++ +-- +The IP address assigned to a VPN client successfully connecting + + +type: ip + +-- + +*`cisco.asa.privilege.old`*:: ++ +-- +When a users privilege is changed this is the old value + + +type: keyword + +-- + +*`cisco.asa.privilege.new`*:: ++ +-- +When a users privilege is changed this is the new value + + +type: keyword + +-- + +*`cisco.asa.burst.object`*:: ++ +-- +The related object for burst warnings + + +type: keyword + +-- + +*`cisco.asa.burst.id`*:: ++ +-- +The related rate ID for burst warnings + + +type: keyword + +-- + +*`cisco.asa.burst.current_rate`*:: ++ +-- +The current burst rate seen + + +type: keyword + +-- + +*`cisco.asa.burst.configured_rate`*:: ++ +-- +The current configured burst rate + + +type: keyword + +-- + +*`cisco.asa.burst.avg_rate`*:: ++ +-- +The current average burst rate seen + + +type: keyword + +-- + +*`cisco.asa.burst.configured_avg_rate`*:: ++ +-- +The current configured average burst rate allowed + + +type: keyword + +-- + +*`cisco.asa.burst.cumulative_count`*:: ++ +-- +The total count of burst rate hits since the object was created or cleared + + type: keyword -- [float] -=== ftd +=== cisco.ftd Fields for Cisco Firepower Threat Defense Firewall. @@ -20910,7 +21130,7 @@ type: keyword -- [float] -=== ios +=== cisco.ios Fields for Cisco IOS logs. @@ -20938,7 +21158,7 @@ example: SEC -- -*`cisco.network.interface.name`*:: +*`network.interface.name`*:: + -- Name of the network interface where the traffic has been observed. @@ -20950,7 +21170,7 @@ type: keyword -*`cisco.rsa.internal.msg`*:: +*`rsa.internal.msg`*:: + -- This key is used to capture the raw message that comes into the Log Decoder @@ -20959,21 +21179,21 @@ type: keyword -- -*`cisco.rsa.internal.messageid`*:: +*`rsa.internal.messageid`*:: + -- type: keyword -- -*`cisco.rsa.internal.event_desc`*:: +*`rsa.internal.event_desc`*:: + -- type: keyword -- -*`cisco.rsa.internal.message`*:: +*`rsa.internal.message`*:: + -- This key captures the contents of instant messages @@ -20982,7 +21202,7 @@ type: keyword -- -*`cisco.rsa.internal.time`*:: +*`rsa.internal.time`*:: + -- This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. @@ -20991,7 +21211,7 @@ type: date -- -*`cisco.rsa.internal.level`*:: +*`rsa.internal.level`*:: + -- Deprecated key defined only in table map. @@ -21000,7 +21220,7 @@ type: long -- -*`cisco.rsa.internal.msg_id`*:: +*`rsa.internal.msg_id`*:: + -- This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21009,7 +21229,7 @@ type: keyword -- -*`cisco.rsa.internal.msg_vid`*:: +*`rsa.internal.msg_vid`*:: + -- This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21018,7 +21238,7 @@ type: keyword -- -*`cisco.rsa.internal.data`*:: +*`rsa.internal.data`*:: + -- Deprecated key defined only in table map. @@ -21027,7 +21247,7 @@ type: keyword -- -*`cisco.rsa.internal.obj_server`*:: +*`rsa.internal.obj_server`*:: + -- Deprecated key defined only in table map. @@ -21036,7 +21256,7 @@ type: keyword -- -*`cisco.rsa.internal.obj_val`*:: +*`rsa.internal.obj_val`*:: + -- Deprecated key defined only in table map. @@ -21045,7 +21265,7 @@ type: keyword -- -*`cisco.rsa.internal.resource`*:: +*`rsa.internal.resource`*:: + -- Deprecated key defined only in table map. @@ -21054,7 +21274,7 @@ type: keyword -- -*`cisco.rsa.internal.obj_id`*:: +*`rsa.internal.obj_id`*:: + -- Deprecated key defined only in table map. @@ -21063,7 +21283,7 @@ type: keyword -- -*`cisco.rsa.internal.statement`*:: +*`rsa.internal.statement`*:: + -- Deprecated key defined only in table map. @@ -21072,7 +21292,7 @@ type: keyword -- -*`cisco.rsa.internal.audit_class`*:: +*`rsa.internal.audit_class`*:: + -- Deprecated key defined only in table map. @@ -21081,7 +21301,7 @@ type: keyword -- -*`cisco.rsa.internal.entry`*:: +*`rsa.internal.entry`*:: + -- Deprecated key defined only in table map. @@ -21090,7 +21310,7 @@ type: keyword -- -*`cisco.rsa.internal.hcode`*:: +*`rsa.internal.hcode`*:: + -- Deprecated key defined only in table map. @@ -21099,7 +21319,7 @@ type: keyword -- -*`cisco.rsa.internal.inode`*:: +*`rsa.internal.inode`*:: + -- Deprecated key defined only in table map. @@ -21108,7 +21328,7 @@ type: long -- -*`cisco.rsa.internal.resource_class`*:: +*`rsa.internal.resource_class`*:: + -- Deprecated key defined only in table map. @@ -21117,7 +21337,7 @@ type: keyword -- -*`cisco.rsa.internal.dead`*:: +*`rsa.internal.dead`*:: + -- Deprecated key defined only in table map. @@ -21126,7 +21346,7 @@ type: long -- -*`cisco.rsa.internal.feed_desc`*:: +*`rsa.internal.feed_desc`*:: + -- This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21135,7 +21355,7 @@ type: keyword -- -*`cisco.rsa.internal.feed_name`*:: +*`rsa.internal.feed_name`*:: + -- This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21144,7 +21364,7 @@ type: keyword -- -*`cisco.rsa.internal.cid`*:: +*`rsa.internal.cid`*:: + -- This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21153,7 +21373,7 @@ type: keyword -- -*`cisco.rsa.internal.device_class`*:: +*`rsa.internal.device_class`*:: + -- This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21162,7 +21382,7 @@ type: keyword -- -*`cisco.rsa.internal.device_group`*:: +*`rsa.internal.device_group`*:: + -- This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21171,7 +21391,7 @@ type: keyword -- -*`cisco.rsa.internal.device_host`*:: +*`rsa.internal.device_host`*:: + -- This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21180,7 +21400,7 @@ type: keyword -- -*`cisco.rsa.internal.device_ip`*:: +*`rsa.internal.device_ip`*:: + -- This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21189,7 +21409,7 @@ type: ip -- -*`cisco.rsa.internal.device_ipv6`*:: +*`rsa.internal.device_ipv6`*:: + -- This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21198,7 +21418,7 @@ type: ip -- -*`cisco.rsa.internal.device_type`*:: +*`rsa.internal.device_type`*:: + -- This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21207,7 +21427,7 @@ type: keyword -- -*`cisco.rsa.internal.device_type_id`*:: +*`rsa.internal.device_type_id`*:: + -- Deprecated key defined only in table map. @@ -21216,7 +21436,7 @@ type: long -- -*`cisco.rsa.internal.did`*:: +*`rsa.internal.did`*:: + -- This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21225,7 +21445,7 @@ type: keyword -- -*`cisco.rsa.internal.entropy_req`*:: +*`rsa.internal.entropy_req`*:: + -- This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration @@ -21234,7 +21454,7 @@ type: long -- -*`cisco.rsa.internal.entropy_res`*:: +*`rsa.internal.entropy_res`*:: + -- This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration @@ -21243,7 +21463,7 @@ type: long -- -*`cisco.rsa.internal.event_name`*:: +*`rsa.internal.event_name`*:: + -- Deprecated key defined only in table map. @@ -21252,7 +21472,7 @@ type: keyword -- -*`cisco.rsa.internal.feed_category`*:: +*`rsa.internal.feed_category`*:: + -- This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21261,7 +21481,7 @@ type: keyword -- -*`cisco.rsa.internal.forward_ip`*:: +*`rsa.internal.forward_ip`*:: + -- This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. @@ -21270,7 +21490,7 @@ type: ip -- -*`cisco.rsa.internal.forward_ipv6`*:: +*`rsa.internal.forward_ipv6`*:: + -- This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21279,7 +21499,7 @@ type: ip -- -*`cisco.rsa.internal.header_id`*:: +*`rsa.internal.header_id`*:: + -- This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21288,7 +21508,7 @@ type: keyword -- -*`cisco.rsa.internal.lc_cid`*:: +*`rsa.internal.lc_cid`*:: + -- This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21297,7 +21517,7 @@ type: keyword -- -*`cisco.rsa.internal.lc_ctime`*:: +*`rsa.internal.lc_ctime`*:: + -- This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21306,7 +21526,7 @@ type: date -- -*`cisco.rsa.internal.mcb_req`*:: +*`rsa.internal.mcb_req`*:: + -- This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most @@ -21315,7 +21535,7 @@ type: long -- -*`cisco.rsa.internal.mcb_res`*:: +*`rsa.internal.mcb_res`*:: + -- This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most @@ -21324,7 +21544,7 @@ type: long -- -*`cisco.rsa.internal.mcbc_req`*:: +*`rsa.internal.mcbc_req`*:: + -- This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams @@ -21333,7 +21553,7 @@ type: long -- -*`cisco.rsa.internal.mcbc_res`*:: +*`rsa.internal.mcbc_res`*:: + -- This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams @@ -21342,7 +21562,7 @@ type: long -- -*`cisco.rsa.internal.medium`*:: +*`rsa.internal.medium`*:: + -- This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session @@ -21351,7 +21571,7 @@ type: long -- -*`cisco.rsa.internal.node_name`*:: +*`rsa.internal.node_name`*:: + -- Deprecated key defined only in table map. @@ -21360,7 +21580,7 @@ type: keyword -- -*`cisco.rsa.internal.nwe_callback_id`*:: +*`rsa.internal.nwe_callback_id`*:: + -- This key denotes that event is endpoint related @@ -21369,7 +21589,7 @@ type: keyword -- -*`cisco.rsa.internal.parse_error`*:: +*`rsa.internal.parse_error`*:: + -- This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21378,7 +21598,7 @@ type: keyword -- -*`cisco.rsa.internal.payload_req`*:: +*`rsa.internal.payload_req`*:: + -- This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep @@ -21387,7 +21607,7 @@ type: long -- -*`cisco.rsa.internal.payload_res`*:: +*`rsa.internal.payload_res`*:: + -- This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep @@ -21396,7 +21616,7 @@ type: long -- -*`cisco.rsa.internal.process_vid_dst`*:: +*`rsa.internal.process_vid_dst`*:: + -- Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. @@ -21405,7 +21625,7 @@ type: keyword -- -*`cisco.rsa.internal.process_vid_src`*:: +*`rsa.internal.process_vid_src`*:: + -- Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. @@ -21414,7 +21634,7 @@ type: keyword -- -*`cisco.rsa.internal.rid`*:: +*`rsa.internal.rid`*:: + -- This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21423,7 +21643,7 @@ type: long -- -*`cisco.rsa.internal.session_split`*:: +*`rsa.internal.session_split`*:: + -- This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21432,7 +21652,7 @@ type: keyword -- -*`cisco.rsa.internal.site`*:: +*`rsa.internal.site`*:: + -- Deprecated key defined only in table map. @@ -21441,7 +21661,7 @@ type: keyword -- -*`cisco.rsa.internal.size`*:: +*`rsa.internal.size`*:: + -- This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21450,7 +21670,7 @@ type: long -- -*`cisco.rsa.internal.sourcefile`*:: +*`rsa.internal.sourcefile`*:: + -- This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21459,7 +21679,7 @@ type: keyword -- -*`cisco.rsa.internal.ubc_req`*:: +*`rsa.internal.ubc_req`*:: + -- This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once @@ -21468,7 +21688,7 @@ type: long -- -*`cisco.rsa.internal.ubc_res`*:: +*`rsa.internal.ubc_res`*:: + -- This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once @@ -21477,7 +21697,7 @@ type: long -- -*`cisco.rsa.internal.word`*:: +*`rsa.internal.word`*:: + -- This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log @@ -21487,7 +21707,7 @@ type: keyword -- -*`cisco.rsa.time.event_time`*:: +*`rsa.time.event_time`*:: + -- This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form @@ -21496,7 +21716,7 @@ type: date -- -*`cisco.rsa.time.duration_time`*:: +*`rsa.time.duration_time`*:: + -- This key is used to capture the normalized duration/lifetime in seconds. @@ -21505,7 +21725,7 @@ type: double -- -*`cisco.rsa.time.event_time_str`*:: +*`rsa.time.event_time_str`*:: + -- This key is used to capture the incomplete time mentioned in a session as a string @@ -21514,7 +21734,7 @@ type: keyword -- -*`cisco.rsa.time.starttime`*:: +*`rsa.time.starttime`*:: + -- This key is used to capture the Start time mentioned in a session in a standard form @@ -21523,21 +21743,21 @@ type: date -- -*`cisco.rsa.time.month`*:: +*`rsa.time.month`*:: + -- type: keyword -- -*`cisco.rsa.time.day`*:: +*`rsa.time.day`*:: + -- type: keyword -- -*`cisco.rsa.time.endtime`*:: +*`rsa.time.endtime`*:: + -- This key is used to capture the End time mentioned in a session in a standard form @@ -21546,7 +21766,7 @@ type: date -- -*`cisco.rsa.time.timezone`*:: +*`rsa.time.timezone`*:: + -- This key is used to capture the timezone of the Event Time @@ -21555,7 +21775,7 @@ type: keyword -- -*`cisco.rsa.time.duration_str`*:: +*`rsa.time.duration_str`*:: + -- A text string version of the duration @@ -21564,21 +21784,21 @@ type: keyword -- -*`cisco.rsa.time.date`*:: +*`rsa.time.date`*:: + -- type: keyword -- -*`cisco.rsa.time.year`*:: +*`rsa.time.year`*:: + -- type: keyword -- -*`cisco.rsa.time.recorded_time`*:: +*`rsa.time.recorded_time`*:: + -- The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. @@ -21587,14 +21807,14 @@ type: date -- -*`cisco.rsa.time.datetime`*:: +*`rsa.time.datetime`*:: + -- type: keyword -- -*`cisco.rsa.time.effective_time`*:: +*`rsa.time.effective_time`*:: + -- This key is the effective time referenced by an individual event in a Standard Timestamp format @@ -21603,7 +21823,7 @@ type: date -- -*`cisco.rsa.time.expire_time`*:: +*`rsa.time.expire_time`*:: + -- This key is the timestamp that explicitly refers to an expiration. @@ -21612,7 +21832,7 @@ type: date -- -*`cisco.rsa.time.process_time`*:: +*`rsa.time.process_time`*:: + -- Deprecated, use duration.time @@ -21621,28 +21841,28 @@ type: keyword -- -*`cisco.rsa.time.hour`*:: +*`rsa.time.hour`*:: + -- type: keyword -- -*`cisco.rsa.time.min`*:: +*`rsa.time.min`*:: + -- type: keyword -- -*`cisco.rsa.time.timestamp`*:: +*`rsa.time.timestamp`*:: + -- type: keyword -- -*`cisco.rsa.time.event_queue_time`*:: +*`rsa.time.event_queue_time`*:: + -- This key is the Time that the event was queued. @@ -21651,77 +21871,77 @@ type: date -- -*`cisco.rsa.time.p_time1`*:: +*`rsa.time.p_time1`*:: + -- type: keyword -- -*`cisco.rsa.time.tzone`*:: +*`rsa.time.tzone`*:: + -- type: keyword -- -*`cisco.rsa.time.eventtime`*:: +*`rsa.time.eventtime`*:: + -- type: keyword -- -*`cisco.rsa.time.gmtdate`*:: +*`rsa.time.gmtdate`*:: + -- type: keyword -- -*`cisco.rsa.time.gmttime`*:: +*`rsa.time.gmttime`*:: + -- type: keyword -- -*`cisco.rsa.time.p_date`*:: +*`rsa.time.p_date`*:: + -- type: keyword -- -*`cisco.rsa.time.p_month`*:: +*`rsa.time.p_month`*:: + -- type: keyword -- -*`cisco.rsa.time.p_time`*:: +*`rsa.time.p_time`*:: + -- type: keyword -- -*`cisco.rsa.time.p_time2`*:: +*`rsa.time.p_time2`*:: + -- type: keyword -- -*`cisco.rsa.time.p_year`*:: +*`rsa.time.p_year`*:: + -- type: keyword -- -*`cisco.rsa.time.expire_time_str`*:: +*`rsa.time.expire_time_str`*:: + -- This key is used to capture incomplete timestamp that explicitly refers to an expiration. @@ -21730,7 +21950,7 @@ type: keyword -- -*`cisco.rsa.time.stamp`*:: +*`rsa.time.stamp`*:: + -- Deprecated key defined only in table map. @@ -21740,14 +21960,14 @@ type: date -- -*`cisco.rsa.misc.action`*:: +*`rsa.misc.action`*:: + -- type: keyword -- -*`cisco.rsa.misc.result`*:: +*`rsa.misc.result`*:: + -- This key is used to capture the outcome/result string value of an action in a session. @@ -21756,7 +21976,7 @@ type: keyword -- -*`cisco.rsa.misc.severity`*:: +*`rsa.misc.severity`*:: + -- This key is used to capture the severity given the session @@ -21765,7 +21985,7 @@ type: keyword -- -*`cisco.rsa.misc.event_type`*:: +*`rsa.misc.event_type`*:: + -- This key captures the event category type as specified by the event source. @@ -21774,7 +21994,7 @@ type: keyword -- -*`cisco.rsa.misc.reference_id`*:: +*`rsa.misc.reference_id`*:: + -- This key is used to capture an event id from the session directly @@ -21783,7 +22003,7 @@ type: keyword -- -*`cisco.rsa.misc.version`*:: +*`rsa.misc.version`*:: + -- This key captures Version of the application or OS which is generating the event. @@ -21792,7 +22012,7 @@ type: keyword -- -*`cisco.rsa.misc.disposition`*:: +*`rsa.misc.disposition`*:: + -- This key captures the The end state of an action. @@ -21801,7 +22021,7 @@ type: keyword -- -*`cisco.rsa.misc.result_code`*:: +*`rsa.misc.result_code`*:: + -- This key is used to capture the outcome/result numeric value of an action in a session @@ -21810,7 +22030,7 @@ type: keyword -- -*`cisco.rsa.misc.category`*:: +*`rsa.misc.category`*:: + -- This key is used to capture the category of an event given by the vendor in the session @@ -21819,7 +22039,7 @@ type: keyword -- -*`cisco.rsa.misc.obj_name`*:: +*`rsa.misc.obj_name`*:: + -- This is used to capture name of object @@ -21828,7 +22048,7 @@ type: keyword -- -*`cisco.rsa.misc.obj_type`*:: +*`rsa.misc.obj_type`*:: + -- This is used to capture type of object @@ -21837,7 +22057,7 @@ type: keyword -- -*`cisco.rsa.misc.event_source`*:: +*`rsa.misc.event_source`*:: + -- This key captures Source of the event that’s not a hostname @@ -21846,7 +22066,7 @@ type: keyword -- -*`cisco.rsa.misc.log_session_id`*:: +*`rsa.misc.log_session_id`*:: + -- This key is used to capture a sessionid from the session directly @@ -21855,7 +22075,7 @@ type: keyword -- -*`cisco.rsa.misc.group`*:: +*`rsa.misc.group`*:: + -- This key captures the Group Name value @@ -21864,7 +22084,7 @@ type: keyword -- -*`cisco.rsa.misc.policy_name`*:: +*`rsa.misc.policy_name`*:: + -- This key is used to capture the Policy Name only. @@ -21873,7 +22093,7 @@ type: keyword -- -*`cisco.rsa.misc.rule_name`*:: +*`rsa.misc.rule_name`*:: + -- This key captures the Rule Name @@ -21882,7 +22102,7 @@ type: keyword -- -*`cisco.rsa.misc.context`*:: +*`rsa.misc.context`*:: + -- This key captures Information which adds additional context to the event. @@ -21891,7 +22111,7 @@ type: keyword -- -*`cisco.rsa.misc.change_new`*:: +*`rsa.misc.change_new`*:: + -- This key is used to capture the new values of the attribute that’s changing in a session @@ -21900,14 +22120,14 @@ type: keyword -- -*`cisco.rsa.misc.space`*:: +*`rsa.misc.space`*:: + -- type: keyword -- -*`cisco.rsa.misc.client`*:: +*`rsa.misc.client`*:: + -- This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. @@ -21916,21 +22136,21 @@ type: keyword -- -*`cisco.rsa.misc.msgIdPart1`*:: +*`rsa.misc.msgIdPart1`*:: + -- type: keyword -- -*`cisco.rsa.misc.msgIdPart2`*:: +*`rsa.misc.msgIdPart2`*:: + -- type: keyword -- -*`cisco.rsa.misc.change_old`*:: +*`rsa.misc.change_old`*:: + -- This key is used to capture the old value of the attribute that’s changing in a session @@ -21939,7 +22159,7 @@ type: keyword -- -*`cisco.rsa.misc.operation_id`*:: +*`rsa.misc.operation_id`*:: + -- An alert number or operation number. The values should be unique and non-repeating. @@ -21948,7 +22168,7 @@ type: keyword -- -*`cisco.rsa.misc.event_state`*:: +*`rsa.misc.event_state`*:: + -- This key captures the current state of the object/item referenced within the event. Describing an on-going event. @@ -21957,7 +22177,7 @@ type: keyword -- -*`cisco.rsa.misc.group_object`*:: +*`rsa.misc.group_object`*:: + -- This key captures a collection/grouping of entities. Specific usage @@ -21966,7 +22186,7 @@ type: keyword -- -*`cisco.rsa.misc.node`*:: +*`rsa.misc.node`*:: + -- Common use case is the node name within a cluster. The cluster name is reflected by the host name. @@ -21975,7 +22195,7 @@ type: keyword -- -*`cisco.rsa.misc.rule`*:: +*`rsa.misc.rule`*:: + -- This key captures the Rule number @@ -21984,7 +22204,7 @@ type: keyword -- -*`cisco.rsa.misc.device_name`*:: +*`rsa.misc.device_name`*:: + -- This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc @@ -21993,7 +22213,7 @@ type: keyword -- -*`cisco.rsa.misc.param`*:: +*`rsa.misc.param`*:: + -- This key is the parameters passed as part of a command or application, etc. @@ -22002,7 +22222,7 @@ type: keyword -- -*`cisco.rsa.misc.change_attrib`*:: +*`rsa.misc.change_attrib`*:: + -- This key is used to capture the name of the attribute that’s changing in a session @@ -22011,7 +22231,7 @@ type: keyword -- -*`cisco.rsa.misc.event_computer`*:: +*`rsa.misc.event_computer`*:: + -- This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. @@ -22020,7 +22240,7 @@ type: keyword -- -*`cisco.rsa.misc.reference_id1`*:: +*`rsa.misc.reference_id1`*:: + -- This key is for Linked ID to be used as an addition to "reference.id" @@ -22029,7 +22249,7 @@ type: keyword -- -*`cisco.rsa.misc.event_log`*:: +*`rsa.misc.event_log`*:: + -- This key captures the Name of the event log @@ -22038,7 +22258,7 @@ type: keyword -- -*`cisco.rsa.misc.OS`*:: +*`rsa.misc.OS`*:: + -- This key captures the Name of the Operating System @@ -22047,7 +22267,7 @@ type: keyword -- -*`cisco.rsa.misc.terminal`*:: +*`rsa.misc.terminal`*:: + -- This key captures the Terminal Names only @@ -22056,14 +22276,14 @@ type: keyword -- -*`cisco.rsa.misc.msgIdPart3`*:: +*`rsa.misc.msgIdPart3`*:: + -- type: keyword -- -*`cisco.rsa.misc.filter`*:: +*`rsa.misc.filter`*:: + -- This key captures Filter used to reduce result set @@ -22072,7 +22292,7 @@ type: keyword -- -*`cisco.rsa.misc.serial_number`*:: +*`rsa.misc.serial_number`*:: + -- This key is the Serial number associated with a physical asset. @@ -22081,7 +22301,7 @@ type: keyword -- -*`cisco.rsa.misc.checksum`*:: +*`rsa.misc.checksum`*:: + -- This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. @@ -22090,7 +22310,7 @@ type: keyword -- -*`cisco.rsa.misc.event_user`*:: +*`rsa.misc.event_user`*:: + -- This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. @@ -22099,7 +22319,7 @@ type: keyword -- -*`cisco.rsa.misc.virusname`*:: +*`rsa.misc.virusname`*:: + -- This key captures the name of the virus @@ -22108,7 +22328,7 @@ type: keyword -- -*`cisco.rsa.misc.content_type`*:: +*`rsa.misc.content_type`*:: + -- This key is used to capture Content Type only. @@ -22117,7 +22337,7 @@ type: keyword -- -*`cisco.rsa.misc.group_id`*:: +*`rsa.misc.group_id`*:: + -- This key captures Group ID Number (related to the group name) @@ -22126,7 +22346,7 @@ type: keyword -- -*`cisco.rsa.misc.policy_id`*:: +*`rsa.misc.policy_id`*:: + -- This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise @@ -22135,7 +22355,7 @@ type: keyword -- -*`cisco.rsa.misc.vsys`*:: +*`rsa.misc.vsys`*:: + -- This key captures Virtual System Name @@ -22144,7 +22364,7 @@ type: keyword -- -*`cisco.rsa.misc.connection_id`*:: +*`rsa.misc.connection_id`*:: + -- This key captures the Connection ID @@ -22153,7 +22373,7 @@ type: keyword -- -*`cisco.rsa.misc.reference_id2`*:: +*`rsa.misc.reference_id2`*:: + -- This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. @@ -22162,7 +22382,7 @@ type: keyword -- -*`cisco.rsa.misc.sensor`*:: +*`rsa.misc.sensor`*:: + -- This key captures Name of the sensor. Typically used in IDS/IPS based devices @@ -22171,7 +22391,7 @@ type: keyword -- -*`cisco.rsa.misc.sig_id`*:: +*`rsa.misc.sig_id`*:: + -- This key captures IDS/IPS Int Signature ID @@ -22180,7 +22400,7 @@ type: long -- -*`cisco.rsa.misc.port_name`*:: +*`rsa.misc.port_name`*:: + -- This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). @@ -22189,7 +22409,7 @@ type: keyword -- -*`cisco.rsa.misc.rule_group`*:: +*`rsa.misc.rule_group`*:: + -- This key captures the Rule group name @@ -22198,7 +22418,7 @@ type: keyword -- -*`cisco.rsa.misc.risk_num`*:: +*`rsa.misc.risk_num`*:: + -- This key captures a Numeric Risk value @@ -22207,7 +22427,7 @@ type: double -- -*`cisco.rsa.misc.trigger_val`*:: +*`rsa.misc.trigger_val`*:: + -- This key captures the Value of the trigger or threshold condition. @@ -22216,7 +22436,7 @@ type: keyword -- -*`cisco.rsa.misc.log_session_id1`*:: +*`rsa.misc.log_session_id1`*:: + -- This key is used to capture a Linked (Related) Session ID from the session directly @@ -22225,7 +22445,7 @@ type: keyword -- -*`cisco.rsa.misc.comp_version`*:: +*`rsa.misc.comp_version`*:: + -- This key captures the Version level of a sub-component of a product. @@ -22234,7 +22454,7 @@ type: keyword -- -*`cisco.rsa.misc.content_version`*:: +*`rsa.misc.content_version`*:: + -- This key captures Version level of a signature or database content. @@ -22243,7 +22463,7 @@ type: keyword -- -*`cisco.rsa.misc.hardware_id`*:: +*`rsa.misc.hardware_id`*:: + -- This key is used to capture unique identifier for a device or system (NOT a Mac address) @@ -22252,7 +22472,7 @@ type: keyword -- -*`cisco.rsa.misc.risk`*:: +*`rsa.misc.risk`*:: + -- This key captures the non-numeric risk value @@ -22261,28 +22481,28 @@ type: keyword -- -*`cisco.rsa.misc.event_id`*:: +*`rsa.misc.event_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.reason`*:: +*`rsa.misc.reason`*:: + -- type: keyword -- -*`cisco.rsa.misc.status`*:: +*`rsa.misc.status`*:: + -- type: keyword -- -*`cisco.rsa.misc.mail_id`*:: +*`rsa.misc.mail_id`*:: + -- This key is used to capture the mailbox id/name @@ -22291,7 +22511,7 @@ type: keyword -- -*`cisco.rsa.misc.rule_uid`*:: +*`rsa.misc.rule_uid`*:: + -- This key is the Unique Identifier for a rule. @@ -22300,7 +22520,7 @@ type: keyword -- -*`cisco.rsa.misc.trigger_desc`*:: +*`rsa.misc.trigger_desc`*:: + -- This key captures the Description of the trigger or threshold condition. @@ -22309,35 +22529,35 @@ type: keyword -- -*`cisco.rsa.misc.inout`*:: +*`rsa.misc.inout`*:: + -- type: keyword -- -*`cisco.rsa.misc.p_msgid`*:: +*`rsa.misc.p_msgid`*:: + -- type: keyword -- -*`cisco.rsa.misc.data_type`*:: +*`rsa.misc.data_type`*:: + -- type: keyword -- -*`cisco.rsa.misc.msgIdPart4`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- -*`cisco.rsa.misc.error`*:: +*`rsa.misc.error`*:: + -- This key captures All non successful Error codes or responses @@ -22346,14 +22566,14 @@ type: keyword -- -*`cisco.rsa.misc.index`*:: +*`rsa.misc.index`*:: + -- type: keyword -- -*`cisco.rsa.misc.listnum`*:: +*`rsa.misc.listnum`*:: + -- This key is used to capture listname or listnumber, primarily for collecting access-list @@ -22362,14 +22582,14 @@ type: keyword -- -*`cisco.rsa.misc.ntype`*:: +*`rsa.misc.ntype`*:: + -- type: keyword -- -*`cisco.rsa.misc.observed_val`*:: +*`rsa.misc.observed_val`*:: + -- This key captures the Value observed (from the perspective of the device generating the log). @@ -22378,7 +22598,7 @@ type: keyword -- -*`cisco.rsa.misc.policy_value`*:: +*`rsa.misc.policy_value`*:: + -- This key captures the contents of the policy. This contains details about the policy @@ -22387,7 +22607,7 @@ type: keyword -- -*`cisco.rsa.misc.pool_name`*:: +*`rsa.misc.pool_name`*:: + -- This key captures the name of a resource pool @@ -22396,7 +22616,7 @@ type: keyword -- -*`cisco.rsa.misc.rule_template`*:: +*`rsa.misc.rule_template`*:: + -- A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template @@ -22405,35 +22625,35 @@ type: keyword -- -*`cisco.rsa.misc.count`*:: +*`rsa.misc.count`*:: + -- type: keyword -- -*`cisco.rsa.misc.number`*:: +*`rsa.misc.number`*:: + -- type: keyword -- -*`cisco.rsa.misc.sigcat`*:: +*`rsa.misc.sigcat`*:: + -- type: keyword -- -*`cisco.rsa.misc.type`*:: +*`rsa.misc.type`*:: + -- type: keyword -- -*`cisco.rsa.misc.comments`*:: +*`rsa.misc.comments`*:: + -- Comment information provided in the log message @@ -22442,7 +22662,7 @@ type: keyword -- -*`cisco.rsa.misc.doc_number`*:: +*`rsa.misc.doc_number`*:: + -- This key captures File Identification number @@ -22451,7 +22671,7 @@ type: long -- -*`cisco.rsa.misc.expected_val`*:: +*`rsa.misc.expected_val`*:: + -- This key captures the Value expected (from the perspective of the device generating the log). @@ -22460,7 +22680,7 @@ type: keyword -- -*`cisco.rsa.misc.job_num`*:: +*`rsa.misc.job_num`*:: + -- This key captures the Job Number @@ -22469,7 +22689,7 @@ type: keyword -- -*`cisco.rsa.misc.spi_dst`*:: +*`rsa.misc.spi_dst`*:: + -- Destination SPI Index @@ -22478,7 +22698,7 @@ type: keyword -- -*`cisco.rsa.misc.spi_src`*:: +*`rsa.misc.spi_src`*:: + -- Source SPI Index @@ -22487,14 +22707,14 @@ type: keyword -- -*`cisco.rsa.misc.code`*:: +*`rsa.misc.code`*:: + -- type: keyword -- -*`cisco.rsa.misc.agent_id`*:: +*`rsa.misc.agent_id`*:: + -- This key is used to capture agent id @@ -22503,7 +22723,7 @@ type: keyword -- -*`cisco.rsa.misc.message_body`*:: +*`rsa.misc.message_body`*:: + -- This key captures the The contents of the message body. @@ -22512,14 +22732,14 @@ type: keyword -- -*`cisco.rsa.misc.phone`*:: +*`rsa.misc.phone`*:: + -- type: keyword -- -*`cisco.rsa.misc.sig_id_str`*:: +*`rsa.misc.sig_id_str`*:: + -- This key captures a string object of the sigid variable. @@ -22528,28 +22748,28 @@ type: keyword -- -*`cisco.rsa.misc.cmd`*:: +*`rsa.misc.cmd`*:: + -- type: keyword -- -*`cisco.rsa.misc.misc`*:: +*`rsa.misc.misc`*:: + -- type: keyword -- -*`cisco.rsa.misc.name`*:: +*`rsa.misc.name`*:: + -- type: keyword -- -*`cisco.rsa.misc.cpu`*:: +*`rsa.misc.cpu`*:: + -- This key is the CPU time used in the execution of the event being recorded. @@ -22558,7 +22778,7 @@ type: long -- -*`cisco.rsa.misc.event_desc`*:: +*`rsa.misc.event_desc`*:: + -- This key is used to capture a description of an event available directly or inferred @@ -22567,7 +22787,7 @@ type: keyword -- -*`cisco.rsa.misc.sig_id1`*:: +*`rsa.misc.sig_id1`*:: + -- This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id @@ -22576,42 +22796,42 @@ type: long -- -*`cisco.rsa.misc.im_buddyid`*:: +*`rsa.misc.im_buddyid`*:: + -- type: keyword -- -*`cisco.rsa.misc.im_client`*:: +*`rsa.misc.im_client`*:: + -- type: keyword -- -*`cisco.rsa.misc.im_userid`*:: +*`rsa.misc.im_userid`*:: + -- type: keyword -- -*`cisco.rsa.misc.pid`*:: +*`rsa.misc.pid`*:: + -- type: keyword -- -*`cisco.rsa.misc.priority`*:: +*`rsa.misc.priority`*:: + -- type: keyword -- -*`cisco.rsa.misc.context_subject`*:: +*`rsa.misc.context_subject`*:: + -- This key is to be used in an audit context where the subject is the object being identified @@ -22620,14 +22840,14 @@ type: keyword -- -*`cisco.rsa.misc.context_target`*:: +*`rsa.misc.context_target`*:: + -- type: keyword -- -*`cisco.rsa.misc.cve`*:: +*`rsa.misc.cve`*:: + -- This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. @@ -22636,7 +22856,7 @@ type: keyword -- -*`cisco.rsa.misc.fcatnum`*:: +*`rsa.misc.fcatnum`*:: + -- This key captures Filter Category Number. Legacy Usage @@ -22645,7 +22865,7 @@ type: keyword -- -*`cisco.rsa.misc.library`*:: +*`rsa.misc.library`*:: + -- This key is used to capture library information in mainframe devices @@ -22654,7 +22874,7 @@ type: keyword -- -*`cisco.rsa.misc.parent_node`*:: +*`rsa.misc.parent_node`*:: + -- This key captures the Parent Node Name. Must be related to node variable. @@ -22663,7 +22883,7 @@ type: keyword -- -*`cisco.rsa.misc.risk_info`*:: +*`rsa.misc.risk_info`*:: + -- Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -22672,7 +22892,7 @@ type: keyword -- -*`cisco.rsa.misc.tcp_flags`*:: +*`rsa.misc.tcp_flags`*:: + -- This key is captures the TCP flags set in any packet of session @@ -22681,7 +22901,7 @@ type: long -- -*`cisco.rsa.misc.tos`*:: +*`rsa.misc.tos`*:: + -- This key describes the type of service @@ -22690,7 +22910,7 @@ type: long -- -*`cisco.rsa.misc.vm_target`*:: +*`rsa.misc.vm_target`*:: + -- VMWare Target **VMWARE** only varaible. @@ -22699,7 +22919,7 @@ type: keyword -- -*`cisco.rsa.misc.workspace`*:: +*`rsa.misc.workspace`*:: + -- This key captures Workspace Description @@ -22708,91 +22928,91 @@ type: keyword -- -*`cisco.rsa.misc.command`*:: +*`rsa.misc.command`*:: + -- type: keyword -- -*`cisco.rsa.misc.event_category`*:: +*`rsa.misc.event_category`*:: + -- type: keyword -- -*`cisco.rsa.misc.facilityname`*:: +*`rsa.misc.facilityname`*:: + -- type: keyword -- -*`cisco.rsa.misc.forensic_info`*:: +*`rsa.misc.forensic_info`*:: + -- type: keyword -- -*`cisco.rsa.misc.jobname`*:: +*`rsa.misc.jobname`*:: + -- type: keyword -- -*`cisco.rsa.misc.mode`*:: +*`rsa.misc.mode`*:: + -- type: keyword -- -*`cisco.rsa.misc.policy`*:: +*`rsa.misc.policy`*:: + -- type: keyword -- -*`cisco.rsa.misc.policy_waiver`*:: +*`rsa.misc.policy_waiver`*:: + -- type: keyword -- -*`cisco.rsa.misc.second`*:: +*`rsa.misc.second`*:: + -- type: keyword -- -*`cisco.rsa.misc.space1`*:: +*`rsa.misc.space1`*:: + -- type: keyword -- -*`cisco.rsa.misc.subcategory`*:: +*`rsa.misc.subcategory`*:: + -- type: keyword -- -*`cisco.rsa.misc.tbdstr2`*:: +*`rsa.misc.tbdstr2`*:: + -- type: keyword -- -*`cisco.rsa.misc.alert_id`*:: +*`rsa.misc.alert_id`*:: + -- Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -22801,7 +23021,7 @@ type: keyword -- -*`cisco.rsa.misc.checksum_dst`*:: +*`rsa.misc.checksum_dst`*:: + -- This key is used to capture the checksum or hash of the the target entity such as a process or file. @@ -22810,7 +23030,7 @@ type: keyword -- -*`cisco.rsa.misc.checksum_src`*:: +*`rsa.misc.checksum_src`*:: + -- This key is used to capture the checksum or hash of the source entity such as a file or process. @@ -22819,7 +23039,7 @@ type: keyword -- -*`cisco.rsa.misc.fresult`*:: +*`rsa.misc.fresult`*:: + -- This key captures the Filter Result @@ -22828,7 +23048,7 @@ type: long -- -*`cisco.rsa.misc.payload_dst`*:: +*`rsa.misc.payload_dst`*:: + -- This key is used to capture destination payload @@ -22837,7 +23057,7 @@ type: keyword -- -*`cisco.rsa.misc.payload_src`*:: +*`rsa.misc.payload_src`*:: + -- This key is used to capture source payload @@ -22846,7 +23066,7 @@ type: keyword -- -*`cisco.rsa.misc.pool_id`*:: +*`rsa.misc.pool_id`*:: + -- This key captures the identifier (typically numeric field) of a resource pool @@ -22855,7 +23075,7 @@ type: keyword -- -*`cisco.rsa.misc.process_id_val`*:: +*`rsa.misc.process_id_val`*:: + -- This key is a failure key for Process ID when it is not an integer value @@ -22864,7 +23084,7 @@ type: keyword -- -*`cisco.rsa.misc.risk_num_comm`*:: +*`rsa.misc.risk_num_comm`*:: + -- This key captures Risk Number Community @@ -22873,7 +23093,7 @@ type: double -- -*`cisco.rsa.misc.risk_num_next`*:: +*`rsa.misc.risk_num_next`*:: + -- This key captures Risk Number NextGen @@ -22882,7 +23102,7 @@ type: double -- -*`cisco.rsa.misc.risk_num_sand`*:: +*`rsa.misc.risk_num_sand`*:: + -- This key captures Risk Number SandBox @@ -22891,7 +23111,7 @@ type: double -- -*`cisco.rsa.misc.risk_num_static`*:: +*`rsa.misc.risk_num_static`*:: + -- This key captures Risk Number Static @@ -22900,7 +23120,7 @@ type: double -- -*`cisco.rsa.misc.risk_suspicious`*:: +*`rsa.misc.risk_suspicious`*:: + -- Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -22909,7 +23129,7 @@ type: keyword -- -*`cisco.rsa.misc.risk_warning`*:: +*`rsa.misc.risk_warning`*:: + -- Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -22918,7 +23138,7 @@ type: keyword -- -*`cisco.rsa.misc.snmp_oid`*:: +*`rsa.misc.snmp_oid`*:: + -- SNMP Object Identifier @@ -22927,7 +23147,7 @@ type: keyword -- -*`cisco.rsa.misc.sql`*:: +*`rsa.misc.sql`*:: + -- This key captures the SQL query @@ -22936,7 +23156,7 @@ type: keyword -- -*`cisco.rsa.misc.vuln_ref`*:: +*`rsa.misc.vuln_ref`*:: + -- This key captures the Vulnerability Reference details @@ -22945,1547 +23165,1547 @@ type: keyword -- -*`cisco.rsa.misc.acl_id`*:: +*`rsa.misc.acl_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.acl_op`*:: +*`rsa.misc.acl_op`*:: + -- type: keyword -- -*`cisco.rsa.misc.acl_pos`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`cisco.rsa.misc.acl_table`*:: +*`rsa.misc.acl_table`*:: + -- type: keyword -- -*`cisco.rsa.misc.admin`*:: +*`rsa.misc.admin`*:: + -- type: keyword -- -*`cisco.rsa.misc.alarm_id`*:: +*`rsa.misc.alarm_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.alarmname`*:: +*`rsa.misc.alarmname`*:: + -- type: keyword -- -*`cisco.rsa.misc.app_id`*:: +*`rsa.misc.app_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.audit`*:: +*`rsa.misc.audit`*:: + -- type: keyword -- -*`cisco.rsa.misc.audit_object`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`cisco.rsa.misc.auditdata`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`cisco.rsa.misc.benchmark`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`cisco.rsa.misc.bypass`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`cisco.rsa.misc.cache`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`cisco.rsa.misc.cache_hit`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- -*`cisco.rsa.misc.cefversion`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- -*`cisco.rsa.misc.cfg_attr`*:: +*`rsa.misc.cfg_attr`*:: + -- type: keyword -- -*`cisco.rsa.misc.cfg_obj`*:: +*`rsa.misc.cfg_obj`*:: + -- type: keyword -- -*`cisco.rsa.misc.cfg_path`*:: +*`rsa.misc.cfg_path`*:: + -- type: keyword -- -*`cisco.rsa.misc.changes`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- -*`cisco.rsa.misc.client_ip`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -*`cisco.rsa.misc.clustermembers`*:: +*`rsa.misc.clustermembers`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_acttimeout`*:: +*`rsa.misc.cn_acttimeout`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_asn_src`*:: +*`rsa.misc.cn_asn_src`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_dst_tos`*:: +*`rsa.misc.cn_dst_tos`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_engine_id`*:: +*`rsa.misc.cn_engine_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_engine_type`*:: +*`rsa.misc.cn_engine_type`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_f_switch`*:: +*`rsa.misc.cn_f_switch`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_flowsampid`*:: +*`rsa.misc.cn_flowsampid`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_invalid`*:: +*`rsa.misc.cn_invalid`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_l_switch`*:: +*`rsa.misc.cn_l_switch`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_log_did`*:: +*`rsa.misc.cn_log_did`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_log_rid`*:: +*`rsa.misc.cn_log_rid`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_max_ttl`*:: +*`rsa.misc.cn_max_ttl`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_maxpcktlen`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_min_ttl`*:: +*`rsa.misc.cn_min_ttl`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_minpcktlen`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mplstoplabel`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mplstoplabip`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mul_dst_byt`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mul_dst_pks`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_muligmptype`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_sampalgo`*:: +*`rsa.misc.cn_sampalgo`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_sampint`*:: +*`rsa.misc.cn_sampint`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_seqctr`*:: +*`rsa.misc.cn_seqctr`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_spackets`*:: +*`rsa.misc.cn_spackets`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_src_tos`*:: +*`rsa.misc.cn_src_tos`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_src_vlan`*:: +*`rsa.misc.cn_src_vlan`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_sysuptime`*:: +*`rsa.misc.cn_sysuptime`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_template_id`*:: +*`rsa.misc.cn_template_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_totbytsexp`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_totflowexp`*:: +*`rsa.misc.cn_totflowexp`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_totpcktsexp`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_unixnanosecs`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_v6flowlabel`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_v6optheaders`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- type: keyword -- -*`cisco.rsa.misc.comp_class`*:: +*`rsa.misc.comp_class`*:: + -- type: keyword -- -*`cisco.rsa.misc.comp_name`*:: +*`rsa.misc.comp_name`*:: + -- type: keyword -- -*`cisco.rsa.misc.comp_rbytes`*:: +*`rsa.misc.comp_rbytes`*:: + -- type: keyword -- -*`cisco.rsa.misc.comp_sbytes`*:: +*`rsa.misc.comp_sbytes`*:: + -- type: keyword -- -*`cisco.rsa.misc.cpu_data`*:: +*`rsa.misc.cpu_data`*:: + -- type: keyword -- -*`cisco.rsa.misc.criticality`*:: +*`rsa.misc.criticality`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_agency_dst`*:: +*`rsa.misc.cs_agency_dst`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_analyzedby`*:: +*`rsa.misc.cs_analyzedby`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_av_other`*:: +*`rsa.misc.cs_av_other`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_av_primary`*:: +*`rsa.misc.cs_av_primary`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_av_secondary`*:: +*`rsa.misc.cs_av_secondary`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_bit9status`*:: +*`rsa.misc.cs_bit9status`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_context`*:: +*`rsa.misc.cs_context`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_control`*:: +*`rsa.misc.cs_control`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_data`*:: +*`rsa.misc.cs_data`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_datecret`*:: +*`rsa.misc.cs_datecret`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_dst_tld`*:: +*`rsa.misc.cs_dst_tld`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_eth_dst_ven`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_eth_src_ven`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_event_uuid`*:: +*`rsa.misc.cs_event_uuid`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_filetype`*:: +*`rsa.misc.cs_filetype`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_fld`*:: +*`rsa.misc.cs_fld`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_if_desc`*:: +*`rsa.misc.cs_if_desc`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_if_name`*:: +*`rsa.misc.cs_if_name`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_ip_next_hop`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_ipv4dstpre`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_ipv4srcpre`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_lifetime`*:: +*`rsa.misc.cs_lifetime`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_log_medium`*:: +*`rsa.misc.cs_log_medium`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_loginname`*:: +*`rsa.misc.cs_loginname`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_modulescore`*:: +*`rsa.misc.cs_modulescore`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_modulesign`*:: +*`rsa.misc.cs_modulesign`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_opswatresult`*:: +*`rsa.misc.cs_opswatresult`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_payload`*:: +*`rsa.misc.cs_payload`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_registrant`*:: +*`rsa.misc.cs_registrant`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_registrar`*:: +*`rsa.misc.cs_registrar`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_represult`*:: +*`rsa.misc.cs_represult`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_rpayload`*:: +*`rsa.misc.cs_rpayload`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_sampler_name`*:: +*`rsa.misc.cs_sampler_name`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_sourcemodule`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_streams`*:: +*`rsa.misc.cs_streams`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_targetmodule`*:: +*`rsa.misc.cs_targetmodule`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_v6nxthop`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_whois_server`*:: +*`rsa.misc.cs_whois_server`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_yararesult`*:: +*`rsa.misc.cs_yararesult`*:: + -- type: keyword -- -*`cisco.rsa.misc.description`*:: +*`rsa.misc.description`*:: + -- type: keyword -- -*`cisco.rsa.misc.devvendor`*:: +*`rsa.misc.devvendor`*:: + -- type: keyword -- -*`cisco.rsa.misc.distance`*:: +*`rsa.misc.distance`*:: + -- type: keyword -- -*`cisco.rsa.misc.dstburb`*:: +*`rsa.misc.dstburb`*:: + -- type: keyword -- -*`cisco.rsa.misc.edomain`*:: +*`rsa.misc.edomain`*:: + -- type: keyword -- -*`cisco.rsa.misc.edomaub`*:: +*`rsa.misc.edomaub`*:: + -- type: keyword -- -*`cisco.rsa.misc.euid`*:: +*`rsa.misc.euid`*:: + -- type: keyword -- -*`cisco.rsa.misc.facility`*:: +*`rsa.misc.facility`*:: + -- type: keyword -- -*`cisco.rsa.misc.finterface`*:: +*`rsa.misc.finterface`*:: + -- type: keyword -- -*`cisco.rsa.misc.flags`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`cisco.rsa.misc.gaddr`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`cisco.rsa.misc.id3`*:: +*`rsa.misc.id3`*:: + -- type: keyword -- -*`cisco.rsa.misc.im_buddyname`*:: +*`rsa.misc.im_buddyname`*:: + -- type: keyword -- -*`cisco.rsa.misc.im_croomid`*:: +*`rsa.misc.im_croomid`*:: + -- type: keyword -- -*`cisco.rsa.misc.im_croomtype`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`cisco.rsa.misc.im_members`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`cisco.rsa.misc.im_username`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`cisco.rsa.misc.ipkt`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`cisco.rsa.misc.ipscat`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`cisco.rsa.misc.ipspri`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`cisco.rsa.misc.latitude`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`cisco.rsa.misc.linenum`*:: +*`rsa.misc.linenum`*:: + -- type: keyword -- -*`cisco.rsa.misc.list_name`*:: +*`rsa.misc.list_name`*:: + -- type: keyword -- -*`cisco.rsa.misc.load_data`*:: +*`rsa.misc.load_data`*:: + -- type: keyword -- -*`cisco.rsa.misc.location_floor`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`cisco.rsa.misc.location_mark`*:: +*`rsa.misc.location_mark`*:: + -- type: keyword -- -*`cisco.rsa.misc.log_id`*:: +*`rsa.misc.log_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.log_type`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`cisco.rsa.misc.logid`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`cisco.rsa.misc.logip`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`cisco.rsa.misc.logname`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`cisco.rsa.misc.longitude`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`cisco.rsa.misc.lport`*:: +*`rsa.misc.lport`*:: + -- type: keyword -- -*`cisco.rsa.misc.mbug_data`*:: +*`rsa.misc.mbug_data`*:: + -- type: keyword -- -*`cisco.rsa.misc.misc_name`*:: +*`rsa.misc.misc_name`*:: + -- type: keyword -- -*`cisco.rsa.misc.msg_type`*:: +*`rsa.misc.msg_type`*:: + -- type: keyword -- -*`cisco.rsa.misc.msgid`*:: +*`rsa.misc.msgid`*:: + -- type: keyword -- -*`cisco.rsa.misc.netsessid`*:: +*`rsa.misc.netsessid`*:: + -- type: keyword -- -*`cisco.rsa.misc.num`*:: +*`rsa.misc.num`*:: + -- type: keyword -- -*`cisco.rsa.misc.number1`*:: +*`rsa.misc.number1`*:: + -- type: keyword -- -*`cisco.rsa.misc.number2`*:: +*`rsa.misc.number2`*:: + -- type: keyword -- -*`cisco.rsa.misc.nwwn`*:: +*`rsa.misc.nwwn`*:: + -- type: keyword -- -*`cisco.rsa.misc.object`*:: +*`rsa.misc.object`*:: + -- type: keyword -- -*`cisco.rsa.misc.operation`*:: +*`rsa.misc.operation`*:: + -- type: keyword -- -*`cisco.rsa.misc.opkt`*:: +*`rsa.misc.opkt`*:: + -- type: keyword -- -*`cisco.rsa.misc.orig_from`*:: +*`rsa.misc.orig_from`*:: + -- type: keyword -- -*`cisco.rsa.misc.owner_id`*:: +*`rsa.misc.owner_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.p_action`*:: +*`rsa.misc.p_action`*:: + -- type: keyword -- -*`cisco.rsa.misc.p_filter`*:: +*`rsa.misc.p_filter`*:: + -- type: keyword -- -*`cisco.rsa.misc.p_group_object`*:: +*`rsa.misc.p_group_object`*:: + -- type: keyword -- -*`cisco.rsa.misc.p_id`*:: +*`rsa.misc.p_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.p_msgid1`*:: +*`rsa.misc.p_msgid1`*:: + -- type: keyword -- -*`cisco.rsa.misc.p_msgid2`*:: +*`rsa.misc.p_msgid2`*:: + -- type: keyword -- -*`cisco.rsa.misc.p_result1`*:: +*`rsa.misc.p_result1`*:: + -- type: keyword -- -*`cisco.rsa.misc.password_chg`*:: +*`rsa.misc.password_chg`*:: + -- type: keyword -- -*`cisco.rsa.misc.password_expire`*:: +*`rsa.misc.password_expire`*:: + -- type: keyword -- -*`cisco.rsa.misc.permgranted`*:: +*`rsa.misc.permgranted`*:: + -- type: keyword -- -*`cisco.rsa.misc.permwanted`*:: +*`rsa.misc.permwanted`*:: + -- type: keyword -- -*`cisco.rsa.misc.pgid`*:: +*`rsa.misc.pgid`*:: + -- type: keyword -- -*`cisco.rsa.misc.policyUUID`*:: +*`rsa.misc.policyUUID`*:: + -- type: keyword -- -*`cisco.rsa.misc.prog_asp_num`*:: +*`rsa.misc.prog_asp_num`*:: + -- type: keyword -- -*`cisco.rsa.misc.program`*:: +*`rsa.misc.program`*:: + -- type: keyword -- -*`cisco.rsa.misc.real_data`*:: +*`rsa.misc.real_data`*:: + -- type: keyword -- -*`cisco.rsa.misc.rec_asp_device`*:: +*`rsa.misc.rec_asp_device`*:: + -- type: keyword -- -*`cisco.rsa.misc.rec_asp_num`*:: +*`rsa.misc.rec_asp_num`*:: + -- type: keyword -- -*`cisco.rsa.misc.rec_library`*:: +*`rsa.misc.rec_library`*:: + -- type: keyword -- -*`cisco.rsa.misc.recordnum`*:: +*`rsa.misc.recordnum`*:: + -- type: keyword -- -*`cisco.rsa.misc.ruid`*:: +*`rsa.misc.ruid`*:: + -- type: keyword -- -*`cisco.rsa.misc.sburb`*:: +*`rsa.misc.sburb`*:: + -- type: keyword -- -*`cisco.rsa.misc.sdomain_fld`*:: +*`rsa.misc.sdomain_fld`*:: + -- type: keyword -- -*`cisco.rsa.misc.sec`*:: +*`rsa.misc.sec`*:: + -- type: keyword -- -*`cisco.rsa.misc.sensorname`*:: +*`rsa.misc.sensorname`*:: + -- type: keyword -- -*`cisco.rsa.misc.seqnum`*:: +*`rsa.misc.seqnum`*:: + -- type: keyword -- -*`cisco.rsa.misc.session`*:: +*`rsa.misc.session`*:: + -- type: keyword -- -*`cisco.rsa.misc.sessiontype`*:: +*`rsa.misc.sessiontype`*:: + -- type: keyword -- -*`cisco.rsa.misc.sigUUID`*:: +*`rsa.misc.sigUUID`*:: + -- type: keyword -- -*`cisco.rsa.misc.spi`*:: +*`rsa.misc.spi`*:: + -- type: keyword -- -*`cisco.rsa.misc.srcburb`*:: +*`rsa.misc.srcburb`*:: + -- type: keyword -- -*`cisco.rsa.misc.srcdom`*:: +*`rsa.misc.srcdom`*:: + -- type: keyword -- -*`cisco.rsa.misc.srcservice`*:: +*`rsa.misc.srcservice`*:: + -- type: keyword -- -*`cisco.rsa.misc.state`*:: +*`rsa.misc.state`*:: + -- type: keyword -- -*`cisco.rsa.misc.status1`*:: +*`rsa.misc.status1`*:: + -- type: keyword -- -*`cisco.rsa.misc.svcno`*:: +*`rsa.misc.svcno`*:: + -- type: keyword -- -*`cisco.rsa.misc.system`*:: +*`rsa.misc.system`*:: + -- type: keyword -- -*`cisco.rsa.misc.tbdstr1`*:: +*`rsa.misc.tbdstr1`*:: + -- type: keyword -- -*`cisco.rsa.misc.tgtdom`*:: +*`rsa.misc.tgtdom`*:: + -- type: keyword -- -*`cisco.rsa.misc.tgtdomain`*:: +*`rsa.misc.tgtdomain`*:: + -- type: keyword -- -*`cisco.rsa.misc.threshold`*:: +*`rsa.misc.threshold`*:: + -- type: keyword -- -*`cisco.rsa.misc.type1`*:: +*`rsa.misc.type1`*:: + -- type: keyword -- -*`cisco.rsa.misc.udb_class`*:: +*`rsa.misc.udb_class`*:: + -- type: keyword -- -*`cisco.rsa.misc.url_fld`*:: +*`rsa.misc.url_fld`*:: + -- type: keyword -- -*`cisco.rsa.misc.user_div`*:: +*`rsa.misc.user_div`*:: + -- type: keyword -- -*`cisco.rsa.misc.userid`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- -*`cisco.rsa.misc.username_fld`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`cisco.rsa.misc.utcstamp`*:: +*`rsa.misc.utcstamp`*:: + -- type: keyword -- -*`cisco.rsa.misc.v_instafname`*:: +*`rsa.misc.v_instafname`*:: + -- type: keyword -- -*`cisco.rsa.misc.virt_data`*:: +*`rsa.misc.virt_data`*:: + -- type: keyword -- -*`cisco.rsa.misc.vpnid`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`cisco.rsa.misc.autorun_type`*:: +*`rsa.misc.autorun_type`*:: + -- This is used to capture Auto Run type @@ -24494,7 +24714,7 @@ type: keyword -- -*`cisco.rsa.misc.cc_number`*:: +*`rsa.misc.cc_number`*:: + -- Valid Credit Card Numbers only @@ -24503,7 +24723,7 @@ type: long -- -*`cisco.rsa.misc.content`*:: +*`rsa.misc.content`*:: + -- This key captures the content type from protocol headers @@ -24512,7 +24732,7 @@ type: keyword -- -*`cisco.rsa.misc.ein_number`*:: +*`rsa.misc.ein_number`*:: + -- Employee Identification Numbers only @@ -24521,7 +24741,7 @@ type: long -- -*`cisco.rsa.misc.found`*:: +*`rsa.misc.found`*:: + -- This is used to capture the results of regex match @@ -24530,7 +24750,7 @@ type: keyword -- -*`cisco.rsa.misc.language`*:: +*`rsa.misc.language`*:: + -- This is used to capture list of languages the client support and what it prefers @@ -24539,7 +24759,7 @@ type: keyword -- -*`cisco.rsa.misc.lifetime`*:: +*`rsa.misc.lifetime`*:: + -- This key is used to capture the session lifetime in seconds. @@ -24548,7 +24768,7 @@ type: long -- -*`cisco.rsa.misc.link`*:: +*`rsa.misc.link`*:: + -- This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -24557,7 +24777,7 @@ type: keyword -- -*`cisco.rsa.misc.match`*:: +*`rsa.misc.match`*:: + -- This key is for regex match name from search.ini @@ -24566,7 +24786,7 @@ type: keyword -- -*`cisco.rsa.misc.param_dst`*:: +*`rsa.misc.param_dst`*:: + -- This key captures the command line/launch argument of the target process or file @@ -24575,7 +24795,7 @@ type: keyword -- -*`cisco.rsa.misc.param_src`*:: +*`rsa.misc.param_src`*:: + -- This key captures source parameter @@ -24584,7 +24804,7 @@ type: keyword -- -*`cisco.rsa.misc.search_text`*:: +*`rsa.misc.search_text`*:: + -- This key captures the Search Text used @@ -24593,7 +24813,7 @@ type: keyword -- -*`cisco.rsa.misc.sig_name`*:: +*`rsa.misc.sig_name`*:: + -- This key is used to capture the Signature Name only. @@ -24602,7 +24822,7 @@ type: keyword -- -*`cisco.rsa.misc.snmp_value`*:: +*`rsa.misc.snmp_value`*:: + -- SNMP set request value @@ -24611,7 +24831,7 @@ type: keyword -- -*`cisco.rsa.misc.streams`*:: +*`rsa.misc.streams`*:: + -- This key captures number of streams in session @@ -24621,7 +24841,7 @@ type: long -- -*`cisco.rsa.db.index`*:: +*`rsa.db.index`*:: + -- This key captures IndexID of the index. @@ -24630,7 +24850,7 @@ type: keyword -- -*`cisco.rsa.db.instance`*:: +*`rsa.db.instance`*:: + -- This key is used to capture the database server instance name @@ -24639,7 +24859,7 @@ type: keyword -- -*`cisco.rsa.db.database`*:: +*`rsa.db.database`*:: + -- This key is used to capture the name of a database or an instance as seen in a session @@ -24648,7 +24868,7 @@ type: keyword -- -*`cisco.rsa.db.transact_id`*:: +*`rsa.db.transact_id`*:: + -- This key captures the SQL transantion ID of the current session @@ -24657,7 +24877,7 @@ type: keyword -- -*`cisco.rsa.db.permissions`*:: +*`rsa.db.permissions`*:: + -- This key captures permission or privilege level assigned to a resource. @@ -24666,7 +24886,7 @@ type: keyword -- -*`cisco.rsa.db.table_name`*:: +*`rsa.db.table_name`*:: + -- This key is used to capture the table name @@ -24675,7 +24895,7 @@ type: keyword -- -*`cisco.rsa.db.db_id`*:: +*`rsa.db.db_id`*:: + -- This key is used to capture the unique identifier for a database @@ -24684,7 +24904,7 @@ type: keyword -- -*`cisco.rsa.db.db_pid`*:: +*`rsa.db.db_pid`*:: + -- This key captures the process id of a connection with database server @@ -24693,7 +24913,7 @@ type: long -- -*`cisco.rsa.db.lread`*:: +*`rsa.db.lread`*:: + -- This key is used for the number of logical reads @@ -24702,7 +24922,7 @@ type: long -- -*`cisco.rsa.db.lwrite`*:: +*`rsa.db.lwrite`*:: + -- This key is used for the number of logical writes @@ -24711,7 +24931,7 @@ type: long -- -*`cisco.rsa.db.pread`*:: +*`rsa.db.pread`*:: + -- This key is used for the number of physical writes @@ -24721,7 +24941,7 @@ type: long -- -*`cisco.rsa.network.alias_host`*:: +*`rsa.network.alias_host`*:: + -- This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. @@ -24730,14 +24950,14 @@ type: keyword -- -*`cisco.rsa.network.domain`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`cisco.rsa.network.host_dst`*:: +*`rsa.network.host_dst`*:: + -- This key should only be used when it’s a Destination Hostname @@ -24746,7 +24966,7 @@ type: keyword -- -*`cisco.rsa.network.network_service`*:: +*`rsa.network.network_service`*:: + -- This is used to capture layer 7 protocols/service names @@ -24755,7 +24975,7 @@ type: keyword -- -*`cisco.rsa.network.interface`*:: +*`rsa.network.interface`*:: + -- This key should be used when the source or destination context of an interface is not clear @@ -24764,7 +24984,7 @@ type: keyword -- -*`cisco.rsa.network.network_port`*:: +*`rsa.network.network_port`*:: + -- Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) @@ -24773,7 +24993,7 @@ type: long -- -*`cisco.rsa.network.eth_host`*:: +*`rsa.network.eth_host`*:: + -- Deprecated, use alias.mac @@ -24782,7 +25002,7 @@ type: keyword -- -*`cisco.rsa.network.sinterface`*:: +*`rsa.network.sinterface`*:: + -- This key should only be used when it’s a Source Interface @@ -24791,7 +25011,7 @@ type: keyword -- -*`cisco.rsa.network.dinterface`*:: +*`rsa.network.dinterface`*:: + -- This key should only be used when it’s a Destination Interface @@ -24800,7 +25020,7 @@ type: keyword -- -*`cisco.rsa.network.vlan`*:: +*`rsa.network.vlan`*:: + -- This key should only be used to capture the ID of the Virtual LAN @@ -24809,7 +25029,7 @@ type: long -- -*`cisco.rsa.network.zone_src`*:: +*`rsa.network.zone_src`*:: + -- This key should only be used when it’s a Source Zone. @@ -24818,7 +25038,7 @@ type: keyword -- -*`cisco.rsa.network.zone`*:: +*`rsa.network.zone`*:: + -- This key should be used when the source or destination context of a Zone is not clear @@ -24827,7 +25047,7 @@ type: keyword -- -*`cisco.rsa.network.zone_dst`*:: +*`rsa.network.zone_dst`*:: + -- This key should only be used when it’s a Destination Zone. @@ -24836,7 +25056,7 @@ type: keyword -- -*`cisco.rsa.network.gateway`*:: +*`rsa.network.gateway`*:: + -- This key is used to capture the IP Address of the gateway @@ -24845,7 +25065,7 @@ type: keyword -- -*`cisco.rsa.network.icmp_type`*:: +*`rsa.network.icmp_type`*:: + -- This key is used to capture the ICMP type only @@ -24854,7 +25074,7 @@ type: long -- -*`cisco.rsa.network.mask`*:: +*`rsa.network.mask`*:: + -- This key is used to capture the device network IPmask. @@ -24863,7 +25083,7 @@ type: keyword -- -*`cisco.rsa.network.icmp_code`*:: +*`rsa.network.icmp_code`*:: + -- This key is used to capture the ICMP code only @@ -24872,7 +25092,7 @@ type: long -- -*`cisco.rsa.network.protocol_detail`*:: +*`rsa.network.protocol_detail`*:: + -- This key should be used to capture additional protocol information @@ -24881,7 +25101,7 @@ type: keyword -- -*`cisco.rsa.network.dmask`*:: +*`rsa.network.dmask`*:: + -- This key is used for Destionation Device network mask @@ -24890,7 +25110,7 @@ type: keyword -- -*`cisco.rsa.network.port`*:: +*`rsa.network.port`*:: + -- This key should only be used to capture a Network Port when the directionality is not clear @@ -24899,7 +25119,7 @@ type: long -- -*`cisco.rsa.network.smask`*:: +*`rsa.network.smask`*:: + -- This key is used for capturing source Network Mask @@ -24908,7 +25128,7 @@ type: keyword -- -*`cisco.rsa.network.netname`*:: +*`rsa.network.netname`*:: + -- This key is used to capture the network name associated with an IP range. This is configured by the end user. @@ -24917,7 +25137,7 @@ type: keyword -- -*`cisco.rsa.network.paddr`*:: +*`rsa.network.paddr`*:: + -- Deprecated @@ -24926,91 +25146,91 @@ type: ip -- -*`cisco.rsa.network.faddr`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`cisco.rsa.network.lhost`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`cisco.rsa.network.origin`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`cisco.rsa.network.remote_domain_id`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`cisco.rsa.network.addr`*:: +*`rsa.network.addr`*:: + -- type: keyword -- -*`cisco.rsa.network.dns_a_record`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`cisco.rsa.network.dns_ptr_record`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`cisco.rsa.network.fhost`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`cisco.rsa.network.fport`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`cisco.rsa.network.laddr`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`cisco.rsa.network.linterface`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`cisco.rsa.network.phost`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`cisco.rsa.network.ad_computer_dst`*:: +*`rsa.network.ad_computer_dst`*:: + -- Deprecated, use host.dst @@ -25019,7 +25239,7 @@ type: keyword -- -*`cisco.rsa.network.eth_type`*:: +*`rsa.network.eth_type`*:: + -- This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only @@ -25028,7 +25248,7 @@ type: long -- -*`cisco.rsa.network.ip_proto`*:: +*`rsa.network.ip_proto`*:: + -- This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI @@ -25037,63 +25257,63 @@ type: long -- -*`cisco.rsa.network.dns_cname_record`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`cisco.rsa.network.dns_id`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`cisco.rsa.network.dns_opcode`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`cisco.rsa.network.dns_resp`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`cisco.rsa.network.dns_type`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`cisco.rsa.network.domain1`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`cisco.rsa.network.host_type`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`cisco.rsa.network.packet_length`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`cisco.rsa.network.host_orig`*:: +*`rsa.network.host_orig`*:: + -- This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. @@ -25102,7 +25322,7 @@ type: keyword -- -*`cisco.rsa.network.rpayload`*:: +*`rsa.network.rpayload`*:: + -- This key is used to capture the total number of payload bytes seen in the retransmitted packets. @@ -25111,7 +25331,7 @@ type: keyword -- -*`cisco.rsa.network.vlan_name`*:: +*`rsa.network.vlan_name`*:: + -- This key should only be used to capture the name of the Virtual LAN @@ -25121,7 +25341,7 @@ type: keyword -- -*`cisco.rsa.investigations.ec_activity`*:: +*`rsa.investigations.ec_activity`*:: + -- This key captures the particular event activity(Ex:Logoff) @@ -25130,7 +25350,7 @@ type: keyword -- -*`cisco.rsa.investigations.ec_theme`*:: +*`rsa.investigations.ec_theme`*:: + -- This key captures the Theme of a particular Event(Ex:Authentication) @@ -25139,7 +25359,7 @@ type: keyword -- -*`cisco.rsa.investigations.ec_subject`*:: +*`rsa.investigations.ec_subject`*:: + -- This key captures the Subject of a particular Event(Ex:User) @@ -25148,7 +25368,7 @@ type: keyword -- -*`cisco.rsa.investigations.ec_outcome`*:: +*`rsa.investigations.ec_outcome`*:: + -- This key captures the outcome of a particular Event(Ex:Success) @@ -25157,7 +25377,7 @@ type: keyword -- -*`cisco.rsa.investigations.event_cat`*:: +*`rsa.investigations.event_cat`*:: + -- This key captures the Event category number @@ -25166,7 +25386,7 @@ type: long -- -*`cisco.rsa.investigations.event_cat_name`*:: +*`rsa.investigations.event_cat_name`*:: + -- This key captures the event category name corresponding to the event cat code @@ -25175,7 +25395,7 @@ type: keyword -- -*`cisco.rsa.investigations.event_vcat`*:: +*`rsa.investigations.event_vcat`*:: + -- This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. @@ -25184,7 +25404,7 @@ type: keyword -- -*`cisco.rsa.investigations.analysis_file`*:: +*`rsa.investigations.analysis_file`*:: + -- This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file @@ -25193,7 +25413,7 @@ type: keyword -- -*`cisco.rsa.investigations.analysis_service`*:: +*`rsa.investigations.analysis_service`*:: + -- This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service @@ -25202,7 +25422,7 @@ type: keyword -- -*`cisco.rsa.investigations.analysis_session`*:: +*`rsa.investigations.analysis_session`*:: + -- This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session @@ -25211,7 +25431,7 @@ type: keyword -- -*`cisco.rsa.investigations.boc`*:: +*`rsa.investigations.boc`*:: + -- This is used to capture behaviour of compromise @@ -25220,7 +25440,7 @@ type: keyword -- -*`cisco.rsa.investigations.eoc`*:: +*`rsa.investigations.eoc`*:: + -- This is used to capture Enablers of Compromise @@ -25229,7 +25449,7 @@ type: keyword -- -*`cisco.rsa.investigations.inv_category`*:: +*`rsa.investigations.inv_category`*:: + -- This used to capture investigation category @@ -25238,7 +25458,7 @@ type: keyword -- -*`cisco.rsa.investigations.inv_context`*:: +*`rsa.investigations.inv_context`*:: + -- This used to capture investigation context @@ -25247,7 +25467,7 @@ type: keyword -- -*`cisco.rsa.investigations.ioc`*:: +*`rsa.investigations.ioc`*:: + -- This is key capture indicator of compromise @@ -25257,7 +25477,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_c1`*:: +*`rsa.counters.dclass_c1`*:: + -- This is a generic counter key that should be used with the label dclass.c1.str only @@ -25266,7 +25486,7 @@ type: long -- -*`cisco.rsa.counters.dclass_c2`*:: +*`rsa.counters.dclass_c2`*:: + -- This is a generic counter key that should be used with the label dclass.c2.str only @@ -25275,7 +25495,7 @@ type: long -- -*`cisco.rsa.counters.event_counter`*:: +*`rsa.counters.event_counter`*:: + -- This is used to capture the number of times an event repeated @@ -25284,7 +25504,7 @@ type: long -- -*`cisco.rsa.counters.dclass_r1`*:: +*`rsa.counters.dclass_r1`*:: + -- This is a generic ratio key that should be used with the label dclass.r1.str only @@ -25293,7 +25513,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_c3`*:: +*`rsa.counters.dclass_c3`*:: + -- This is a generic counter key that should be used with the label dclass.c3.str only @@ -25302,7 +25522,7 @@ type: long -- -*`cisco.rsa.counters.dclass_c1_str`*:: +*`rsa.counters.dclass_c1_str`*:: + -- This is a generic counter string key that should be used with the label dclass.c1 only @@ -25311,7 +25531,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_c2_str`*:: +*`rsa.counters.dclass_c2_str`*:: + -- This is a generic counter string key that should be used with the label dclass.c2 only @@ -25320,7 +25540,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_r1_str`*:: +*`rsa.counters.dclass_r1_str`*:: + -- This is a generic ratio string key that should be used with the label dclass.r1 only @@ -25329,7 +25549,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_r2`*:: +*`rsa.counters.dclass_r2`*:: + -- This is a generic ratio key that should be used with the label dclass.r2.str only @@ -25338,7 +25558,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_c3_str`*:: +*`rsa.counters.dclass_c3_str`*:: + -- This is a generic counter string key that should be used with the label dclass.c3 only @@ -25347,7 +25567,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_r3`*:: +*`rsa.counters.dclass_r3`*:: + -- This is a generic ratio key that should be used with the label dclass.r3.str only @@ -25356,7 +25576,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_r2_str`*:: +*`rsa.counters.dclass_r2_str`*:: + -- This is a generic ratio string key that should be used with the label dclass.r2 only @@ -25365,7 +25585,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_r3_str`*:: +*`rsa.counters.dclass_r3_str`*:: + -- This is a generic ratio string key that should be used with the label dclass.r3 only @@ -25375,7 +25595,7 @@ type: keyword -- -*`cisco.rsa.identity.auth_method`*:: +*`rsa.identity.auth_method`*:: + -- This key is used to capture authentication methods used only @@ -25384,7 +25604,7 @@ type: keyword -- -*`cisco.rsa.identity.user_role`*:: +*`rsa.identity.user_role`*:: + -- This key is used to capture the Role of a user only @@ -25393,7 +25613,7 @@ type: keyword -- -*`cisco.rsa.identity.dn`*:: +*`rsa.identity.dn`*:: + -- X.500 (LDAP) Distinguished Name @@ -25402,7 +25622,7 @@ type: keyword -- -*`cisco.rsa.identity.logon_type`*:: +*`rsa.identity.logon_type`*:: + -- This key is used to capture the type of logon method used. @@ -25411,7 +25631,7 @@ type: keyword -- -*`cisco.rsa.identity.profile`*:: +*`rsa.identity.profile`*:: + -- This key is used to capture the user profile @@ -25420,7 +25640,7 @@ type: keyword -- -*`cisco.rsa.identity.accesses`*:: +*`rsa.identity.accesses`*:: + -- This key is used to capture actual privileges used in accessing an object @@ -25429,7 +25649,7 @@ type: keyword -- -*`cisco.rsa.identity.realm`*:: +*`rsa.identity.realm`*:: + -- Radius realm or similar grouping of accounts @@ -25438,7 +25658,7 @@ type: keyword -- -*`cisco.rsa.identity.user_sid_dst`*:: +*`rsa.identity.user_sid_dst`*:: + -- This key captures Destination User Session ID @@ -25447,7 +25667,7 @@ type: keyword -- -*`cisco.rsa.identity.dn_src`*:: +*`rsa.identity.dn_src`*:: + -- An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn @@ -25456,7 +25676,7 @@ type: keyword -- -*`cisco.rsa.identity.org`*:: +*`rsa.identity.org`*:: + -- This key captures the User organization @@ -25465,7 +25685,7 @@ type: keyword -- -*`cisco.rsa.identity.dn_dst`*:: +*`rsa.identity.dn_dst`*:: + -- An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn @@ -25474,7 +25694,7 @@ type: keyword -- -*`cisco.rsa.identity.firstname`*:: +*`rsa.identity.firstname`*:: + -- This key is for First Names only, this is used for Healthcare predominantly to capture Patients information @@ -25483,7 +25703,7 @@ type: keyword -- -*`cisco.rsa.identity.lastname`*:: +*`rsa.identity.lastname`*:: + -- This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information @@ -25492,7 +25712,7 @@ type: keyword -- -*`cisco.rsa.identity.user_dept`*:: +*`rsa.identity.user_dept`*:: + -- User's Department Names only @@ -25501,7 +25721,7 @@ type: keyword -- -*`cisco.rsa.identity.user_sid_src`*:: +*`rsa.identity.user_sid_src`*:: + -- This key captures Source User Session ID @@ -25510,7 +25730,7 @@ type: keyword -- -*`cisco.rsa.identity.federated_sp`*:: +*`rsa.identity.federated_sp`*:: + -- This key is the Federated Service Provider. This is the application requesting authentication. @@ -25519,7 +25739,7 @@ type: keyword -- -*`cisco.rsa.identity.federated_idp`*:: +*`rsa.identity.federated_idp`*:: + -- This key is the federated Identity Provider. This is the server providing the authentication. @@ -25528,7 +25748,7 @@ type: keyword -- -*`cisco.rsa.identity.logon_type_desc`*:: +*`rsa.identity.logon_type_desc`*:: + -- This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. @@ -25537,7 +25757,7 @@ type: keyword -- -*`cisco.rsa.identity.middlename`*:: +*`rsa.identity.middlename`*:: + -- This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information @@ -25546,7 +25766,7 @@ type: keyword -- -*`cisco.rsa.identity.password`*:: +*`rsa.identity.password`*:: + -- This key is for Passwords seen in any session, plain text or encrypted @@ -25555,7 +25775,7 @@ type: keyword -- -*`cisco.rsa.identity.host_role`*:: +*`rsa.identity.host_role`*:: + -- This key should only be used to capture the role of a Host Machine @@ -25564,7 +25784,7 @@ type: keyword -- -*`cisco.rsa.identity.ldap`*:: +*`rsa.identity.ldap`*:: + -- This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context @@ -25573,7 +25793,7 @@ type: keyword -- -*`cisco.rsa.identity.ldap_query`*:: +*`rsa.identity.ldap_query`*:: + -- This key is the Search criteria from an LDAP search @@ -25582,7 +25802,7 @@ type: keyword -- -*`cisco.rsa.identity.ldap_response`*:: +*`rsa.identity.ldap_response`*:: + -- This key is to capture Results from an LDAP search @@ -25591,7 +25811,7 @@ type: keyword -- -*`cisco.rsa.identity.owner`*:: +*`rsa.identity.owner`*:: + -- This is used to capture username the process or service is running as, the author of the task @@ -25600,7 +25820,7 @@ type: keyword -- -*`cisco.rsa.identity.service_account`*:: +*`rsa.identity.service_account`*:: + -- This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage @@ -25610,7 +25830,7 @@ type: keyword -- -*`cisco.rsa.email.email_dst`*:: +*`rsa.email.email_dst`*:: + -- This key is used to capture the Destination email address only, when the destination context is not clear use email @@ -25619,7 +25839,7 @@ type: keyword -- -*`cisco.rsa.email.email_src`*:: +*`rsa.email.email_src`*:: + -- This key is used to capture the source email address only, when the source context is not clear use email @@ -25628,7 +25848,7 @@ type: keyword -- -*`cisco.rsa.email.subject`*:: +*`rsa.email.subject`*:: + -- This key is used to capture the subject string from an Email only. @@ -25637,7 +25857,7 @@ type: keyword -- -*`cisco.rsa.email.email`*:: +*`rsa.email.email`*:: + -- This key is used to capture a generic email address where the source or destination context is not clear @@ -25646,7 +25866,7 @@ type: keyword -- -*`cisco.rsa.email.trans_from`*:: +*`rsa.email.trans_from`*:: + -- Deprecated key defined only in table map. @@ -25655,7 +25875,7 @@ type: keyword -- -*`cisco.rsa.email.trans_to`*:: +*`rsa.email.trans_to`*:: + -- Deprecated key defined only in table map. @@ -25665,7 +25885,7 @@ type: keyword -- -*`cisco.rsa.file.privilege`*:: +*`rsa.file.privilege`*:: + -- Deprecated, use permissions @@ -25674,7 +25894,7 @@ type: keyword -- -*`cisco.rsa.file.attachment`*:: +*`rsa.file.attachment`*:: + -- This key captures the attachment file name @@ -25683,14 +25903,14 @@ type: keyword -- -*`cisco.rsa.file.filesystem`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`cisco.rsa.file.binary`*:: +*`rsa.file.binary`*:: + -- Deprecated key defined only in table map. @@ -25699,7 +25919,7 @@ type: keyword -- -*`cisco.rsa.file.filename_dst`*:: +*`rsa.file.filename_dst`*:: + -- This is used to capture name of the file targeted by the action @@ -25708,7 +25928,7 @@ type: keyword -- -*`cisco.rsa.file.filename_src`*:: +*`rsa.file.filename_src`*:: + -- This is used to capture name of the parent filename, the file which performed the action @@ -25717,14 +25937,14 @@ type: keyword -- -*`cisco.rsa.file.filename_tmp`*:: +*`rsa.file.filename_tmp`*:: + -- type: keyword -- -*`cisco.rsa.file.directory_dst`*:: +*`rsa.file.directory_dst`*:: + -- This key is used to capture the directory of the target process or file @@ -25733,7 +25953,7 @@ type: keyword -- -*`cisco.rsa.file.directory_src`*:: +*`rsa.file.directory_src`*:: + -- This key is used to capture the directory of the source process or file @@ -25742,7 +25962,7 @@ type: keyword -- -*`cisco.rsa.file.file_entropy`*:: +*`rsa.file.file_entropy`*:: + -- This is used to capture entropy vale of a file @@ -25751,7 +25971,7 @@ type: double -- -*`cisco.rsa.file.file_vendor`*:: +*`rsa.file.file_vendor`*:: + -- This is used to capture Company name of file located in version_info @@ -25760,7 +25980,7 @@ type: keyword -- -*`cisco.rsa.file.task_name`*:: +*`rsa.file.task_name`*:: + -- This is used to capture name of the task @@ -25770,7 +25990,7 @@ type: keyword -- -*`cisco.rsa.web.fqdn`*:: +*`rsa.web.fqdn`*:: + -- Fully Qualified Domain Names @@ -25779,7 +25999,7 @@ type: keyword -- -*`cisco.rsa.web.web_cookie`*:: +*`rsa.web.web_cookie`*:: + -- This key is used to capture the Web cookies specifically. @@ -25788,14 +26008,14 @@ type: keyword -- -*`cisco.rsa.web.alias_host`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`cisco.rsa.web.reputation_num`*:: +*`rsa.web.reputation_num`*:: + -- Reputation Number of an entity. Typically used for Web Domains @@ -25804,7 +26024,7 @@ type: double -- -*`cisco.rsa.web.web_ref_domain`*:: +*`rsa.web.web_ref_domain`*:: + -- Web referer's domain @@ -25813,7 +26033,7 @@ type: keyword -- -*`cisco.rsa.web.web_ref_query`*:: +*`rsa.web.web_ref_query`*:: + -- This key captures Web referer's query portion of the URL @@ -25822,14 +26042,14 @@ type: keyword -- -*`cisco.rsa.web.remote_domain`*:: +*`rsa.web.remote_domain`*:: + -- type: keyword -- -*`cisco.rsa.web.web_ref_page`*:: +*`rsa.web.web_ref_page`*:: + -- This key captures Web referer's page information @@ -25838,7 +26058,7 @@ type: keyword -- -*`cisco.rsa.web.web_ref_root`*:: +*`rsa.web.web_ref_root`*:: + -- Web referer's root URL path @@ -25847,77 +26067,77 @@ type: keyword -- -*`cisco.rsa.web.cn_asn_dst`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`cisco.rsa.web.cn_rpackets`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`cisco.rsa.web.urlpage`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`cisco.rsa.web.urlroot`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`cisco.rsa.web.p_url`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`cisco.rsa.web.p_user_agent`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`cisco.rsa.web.p_web_cookie`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`cisco.rsa.web.p_web_method`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`cisco.rsa.web.p_web_referer`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`cisco.rsa.web.web_extension_tmp`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`cisco.rsa.web.web_page`*:: +*`rsa.web.web_page`*:: + -- type: keyword @@ -25925,7 +26145,7 @@ type: keyword -- -*`cisco.rsa.threat.threat_category`*:: +*`rsa.threat.threat_category`*:: + -- This key captures Threat Name/Threat Category/Categorization of alert @@ -25934,7 +26154,7 @@ type: keyword -- -*`cisco.rsa.threat.threat_desc`*:: +*`rsa.threat.threat_desc`*:: + -- This key is used to capture the threat description from the session directly or inferred @@ -25943,7 +26163,7 @@ type: keyword -- -*`cisco.rsa.threat.alert`*:: +*`rsa.threat.alert`*:: + -- This key is used to capture name of the alert @@ -25952,7 +26172,7 @@ type: keyword -- -*`cisco.rsa.threat.threat_source`*:: +*`rsa.threat.threat_source`*:: + -- This key is used to capture source of the threat @@ -25962,7 +26182,7 @@ type: keyword -- -*`cisco.rsa.crypto.crypto`*:: +*`rsa.crypto.crypto`*:: + -- This key is used to capture the Encryption Type or Encryption Key only @@ -25971,7 +26191,7 @@ type: keyword -- -*`cisco.rsa.crypto.cipher_src`*:: +*`rsa.crypto.cipher_src`*:: + -- This key is for Source (Client) Cipher @@ -25980,7 +26200,7 @@ type: keyword -- -*`cisco.rsa.crypto.cert_subject`*:: +*`rsa.crypto.cert_subject`*:: + -- This key is used to capture the Certificate organization only @@ -25989,7 +26209,7 @@ type: keyword -- -*`cisco.rsa.crypto.peer`*:: +*`rsa.crypto.peer`*:: + -- This key is for Encryption peer's IP Address @@ -25998,7 +26218,7 @@ type: keyword -- -*`cisco.rsa.crypto.cipher_size_src`*:: +*`rsa.crypto.cipher_size_src`*:: + -- This key captures Source (Client) Cipher Size @@ -26007,7 +26227,7 @@ type: long -- -*`cisco.rsa.crypto.ike`*:: +*`rsa.crypto.ike`*:: + -- IKE negotiation phase. @@ -26016,7 +26236,7 @@ type: keyword -- -*`cisco.rsa.crypto.scheme`*:: +*`rsa.crypto.scheme`*:: + -- This key captures the Encryption scheme used @@ -26025,7 +26245,7 @@ type: keyword -- -*`cisco.rsa.crypto.peer_id`*:: +*`rsa.crypto.peer_id`*:: + -- This key is for Encryption peer’s identity @@ -26034,7 +26254,7 @@ type: keyword -- -*`cisco.rsa.crypto.sig_type`*:: +*`rsa.crypto.sig_type`*:: + -- This key captures the Signature Type @@ -26043,14 +26263,14 @@ type: keyword -- -*`cisco.rsa.crypto.cert_issuer`*:: +*`rsa.crypto.cert_issuer`*:: + -- type: keyword -- -*`cisco.rsa.crypto.cert_host_name`*:: +*`rsa.crypto.cert_host_name`*:: + -- Deprecated key defined only in table map. @@ -26059,7 +26279,7 @@ type: keyword -- -*`cisco.rsa.crypto.cert_error`*:: +*`rsa.crypto.cert_error`*:: + -- This key captures the Certificate Error String @@ -26068,7 +26288,7 @@ type: keyword -- -*`cisco.rsa.crypto.cipher_dst`*:: +*`rsa.crypto.cipher_dst`*:: + -- This key is for Destination (Server) Cipher @@ -26077,7 +26297,7 @@ type: keyword -- -*`cisco.rsa.crypto.cipher_size_dst`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- This key captures Destination (Server) Cipher Size @@ -26086,7 +26306,7 @@ type: long -- -*`cisco.rsa.crypto.ssl_ver_src`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- Deprecated, use version @@ -26095,21 +26315,21 @@ type: keyword -- -*`cisco.rsa.crypto.d_certauth`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- -*`cisco.rsa.crypto.s_certauth`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`cisco.rsa.crypto.ike_cookie1`*:: +*`rsa.crypto.ike_cookie1`*:: + -- ID of the negotiation — sent for ISAKMP Phase One @@ -26118,7 +26338,7 @@ type: keyword -- -*`cisco.rsa.crypto.ike_cookie2`*:: +*`rsa.crypto.ike_cookie2`*:: + -- ID of the negotiation — sent for ISAKMP Phase Two @@ -26127,14 +26347,14 @@ type: keyword -- -*`cisco.rsa.crypto.cert_checksum`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`cisco.rsa.crypto.cert_host_cat`*:: +*`rsa.crypto.cert_host_cat`*:: + -- This key is used for the hostname category value of a certificate @@ -26143,7 +26363,7 @@ type: keyword -- -*`cisco.rsa.crypto.cert_serial`*:: +*`rsa.crypto.cert_serial`*:: + -- This key is used to capture the Certificate serial number only @@ -26152,7 +26372,7 @@ type: keyword -- -*`cisco.rsa.crypto.cert_status`*:: +*`rsa.crypto.cert_status`*:: + -- This key captures Certificate validation status @@ -26161,7 +26381,7 @@ type: keyword -- -*`cisco.rsa.crypto.ssl_ver_dst`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- Deprecated, use version @@ -26170,35 +26390,35 @@ type: keyword -- -*`cisco.rsa.crypto.cert_keysize`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`cisco.rsa.crypto.cert_username`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`cisco.rsa.crypto.https_insact`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`cisco.rsa.crypto.https_valid`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`cisco.rsa.crypto.cert_ca`*:: +*`rsa.crypto.cert_ca`*:: + -- This key is used to capture the Certificate signing authority only @@ -26207,7 +26427,7 @@ type: keyword -- -*`cisco.rsa.crypto.cert_common`*:: +*`rsa.crypto.cert_common`*:: + -- This key is used to capture the Certificate common name only @@ -26217,7 +26437,7 @@ type: keyword -- -*`cisco.rsa.wireless.wlan_ssid`*:: +*`rsa.wireless.wlan_ssid`*:: + -- This key is used to capture the ssid of a Wireless Session @@ -26226,7 +26446,7 @@ type: keyword -- -*`cisco.rsa.wireless.access_point`*:: +*`rsa.wireless.access_point`*:: + -- This key is used to capture the access point name. @@ -26235,7 +26455,7 @@ type: keyword -- -*`cisco.rsa.wireless.wlan_channel`*:: +*`rsa.wireless.wlan_channel`*:: + -- This is used to capture the channel names @@ -26244,7 +26464,7 @@ type: long -- -*`cisco.rsa.wireless.wlan_name`*:: +*`rsa.wireless.wlan_name`*:: + -- This key captures either WLAN number/name @@ -26254,7 +26474,7 @@ type: keyword -- -*`cisco.rsa.storage.disk_volume`*:: +*`rsa.storage.disk_volume`*:: + -- A unique name assigned to logical units (volumes) within a physical disk @@ -26263,7 +26483,7 @@ type: keyword -- -*`cisco.rsa.storage.lun`*:: +*`rsa.storage.lun`*:: + -- Logical Unit Number.This key is a very useful concept in Storage. @@ -26272,7 +26492,7 @@ type: keyword -- -*`cisco.rsa.storage.pwwn`*:: +*`rsa.storage.pwwn`*:: + -- This uniquely identifies a port on a HBA. @@ -26282,7 +26502,7 @@ type: keyword -- -*`cisco.rsa.physical.org_dst`*:: +*`rsa.physical.org_dst`*:: + -- This is used to capture the destination organization based on the GEOPIP Maxmind database. @@ -26291,7 +26511,7 @@ type: keyword -- -*`cisco.rsa.physical.org_src`*:: +*`rsa.physical.org_src`*:: + -- This is used to capture the source organization based on the GEOPIP Maxmind database. @@ -26301,7 +26521,7 @@ type: keyword -- -*`cisco.rsa.healthcare.patient_fname`*:: +*`rsa.healthcare.patient_fname`*:: + -- This key is for First Names only, this is used for Healthcare predominantly to capture Patients information @@ -26310,7 +26530,7 @@ type: keyword -- -*`cisco.rsa.healthcare.patient_id`*:: +*`rsa.healthcare.patient_id`*:: + -- This key captures the unique ID for a patient @@ -26319,7 +26539,7 @@ type: keyword -- -*`cisco.rsa.healthcare.patient_lname`*:: +*`rsa.healthcare.patient_lname`*:: + -- This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information @@ -26328,7 +26548,7 @@ type: keyword -- -*`cisco.rsa.healthcare.patient_mname`*:: +*`rsa.healthcare.patient_mname`*:: + -- This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information @@ -26338,7 +26558,7 @@ type: keyword -- -*`cisco.rsa.endpoint.host_state`*:: +*`rsa.endpoint.host_state`*:: + -- This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on @@ -26347,7 +26567,7 @@ type: keyword -- -*`cisco.rsa.endpoint.registry_key`*:: +*`rsa.endpoint.registry_key`*:: + -- This key captures the path to the registry key @@ -26356,7 +26576,7 @@ type: keyword -- -*`cisco.rsa.endpoint.registry_value`*:: +*`rsa.endpoint.registry_value`*:: + -- This key captures values or decorators used within a registry entry @@ -26366,7 +26586,7 @@ type: keyword -- [[exported-fields-citrix]] -== Citrix XenApp fields +== Citrix NetScaler fields citrix fields. @@ -31806,16 +32026,6 @@ Metadata from cloud providers added by the add_cloud_metadata processor. -*`cloud.project.id`*:: -+ --- -Name of the project in Google Cloud. - - -example: project-x - --- - *`cloud.image.id`*:: + -- @@ -32021,7 +32231,7 @@ Meta data fields for each event that include type and timestamp. *`crowdstrike.metadata.eventType`*:: + -- -DetectionSummaryEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent +DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent type: keyword @@ -32201,6 +32411,16 @@ type: keyword Executable path with command line arguments. +type: keyword + +-- + +*`crowdstrike.event.SHA1String`*:: ++ +-- +SHA1 sum of the executable associated with the detection. + + type: keyword -- @@ -32451,6 +32671,16 @@ type: date Fields that were changed in this event. +type: nested + +-- + +*`crowdstrike.event.ExecutablesWritten`*:: ++ +-- +Detected executables written to disk by a process. + + type: nested -- @@ -32495,10 +32725,410 @@ type: date -- -[[exported-fields-cylance]] -== CylanceProtect fields +*`crowdstrike.event.LateralMovement`*:: ++ +-- +Lateral movement field for incident. -cylance fields. + +type: long + +-- + +*`crowdstrike.event.ParentImageFileName`*:: ++ +-- +Path to the parent process. + + +type: keyword + +-- + +*`crowdstrike.event.ParentCommandLine`*:: ++ +-- +Parent process command line arguments. + + +type: keyword + +-- + +*`crowdstrike.event.GrandparentImageFileName`*:: ++ +-- +Path to the grandparent process. + + +type: keyword + +-- + +*`crowdstrike.event.GrandparentCommandLine`*:: ++ +-- +Grandparent process command line arguments. + + +type: keyword + +-- + +*`crowdstrike.event.IOCType`*:: ++ +-- +CrowdStrike type for indicator of compromise. + + +type: keyword + +-- + +*`crowdstrike.event.IOCValue`*:: ++ +-- +CrowdStrike value for indicator of compromise. + + +type: keyword + +-- + +*`crowdstrike.event.CustomerId`*:: ++ +-- +Customer identifier. + + +type: keyword + +-- + +*`crowdstrike.event.DeviceId`*:: ++ +-- +Device on which the event occurred. + + +type: keyword + +-- + +*`crowdstrike.event.Ipv`*:: ++ +-- +Protocol for network request. + + +type: keyword + +-- + +*`crowdstrike.event.ConnectionDirection`*:: ++ +-- +Direction for network connection. + + +type: keyword + +-- + +*`crowdstrike.event.EventType`*:: ++ +-- +CrowdStrike provided event type. + + +type: keyword + +-- + +*`crowdstrike.event.HostName`*:: ++ +-- +Host name of the local machine. + + +type: keyword + +-- + +*`crowdstrike.event.ICMPCode`*:: ++ +-- +RFC2780 ICMP Code field. + + +type: keyword + +-- + +*`crowdstrike.event.ICMPType`*:: ++ +-- +RFC2780 ICMP Type field. + + +type: keyword + +-- + +*`crowdstrike.event.ImageFileName`*:: ++ +-- +File name of the associated process for the detection. + + +type: keyword + +-- + +*`crowdstrike.event.PID`*:: ++ +-- +Associated process id for the detection. + + +type: long + +-- + +*`crowdstrike.event.LocalAddress`*:: ++ +-- +IP address of local machine. + + +type: ip + +-- + +*`crowdstrike.event.LocalPort`*:: ++ +-- +Port of local machine. + + +type: long + +-- + +*`crowdstrike.event.RemoteAddress`*:: ++ +-- +IP address of remote machine. + + +type: ip + +-- + +*`crowdstrike.event.RemotePort`*:: ++ +-- +Port of remote machine. + + +type: long + +-- + +*`crowdstrike.event.RuleAction`*:: ++ +-- +Firewall rule action. + + +type: keyword + +-- + +*`crowdstrike.event.RuleDescription`*:: ++ +-- +Firewall rule description. + + +type: keyword + +-- + +*`crowdstrike.event.RuleFamilyID`*:: ++ +-- +Firewall rule family id. + + +type: keyword + +-- + +*`crowdstrike.event.RuleGroupName`*:: ++ +-- +Firewall rule group name. + + +type: keyword + +-- + +*`crowdstrike.event.RuleName`*:: ++ +-- +Firewall rule name. + + +type: keyword + +-- + +*`crowdstrike.event.RuleId`*:: ++ +-- +Firewall rule id. + + +type: keyword + +-- + +*`crowdstrike.event.MatchCount`*:: ++ +-- +Number of firewall rule matches. + + +type: long + +-- + +*`crowdstrike.event.MatchCountSinceLastReport`*:: ++ +-- +Number of firewall rule matches since the last report. + + +type: long + +-- + +*`crowdstrike.event.Timestamp`*:: ++ +-- +Firewall rule triggered timestamp. + + +type: date + +-- + +*`crowdstrike.event.Flags.Audit`*:: ++ +-- +CrowdStrike audit flag. + + +type: boolean + +-- + +*`crowdstrike.event.Flags.Log`*:: ++ +-- +CrowdStrike log flag. + + +type: boolean + +-- + +*`crowdstrike.event.Flags.Monitor`*:: ++ +-- +CrowdStrike monitor flag. + + +type: boolean + +-- + +*`crowdstrike.event.Protocol`*:: ++ +-- +CrowdStrike provided protocol. + + +type: keyword + +-- + +*`crowdstrike.event.NetworkProfile`*:: ++ +-- +CrowdStrike network profile. + + +type: keyword + +-- + +*`crowdstrike.event.PolicyName`*:: ++ +-- +CrowdStrike policy name. + + +type: keyword + +-- + +*`crowdstrike.event.PolicyID`*:: ++ +-- +CrowdStrike policy id. + + +type: keyword + +-- + +*`crowdstrike.event.Status`*:: ++ +-- +CrowdStrike status. + + +type: keyword + +-- + +*`crowdstrike.event.TreeID`*:: ++ +-- +CrowdStrike tree id. + + +type: keyword + +-- + +*`crowdstrike.event.Commands`*:: ++ +-- +Commands run in a remote session. + + +type: keyword + +-- + +[[exported-fields-cyberark]] +== Cyber-Ark fields + +cyberark fields. @@ -37929,13249 +38559,14628 @@ type: keyword -- -[[exported-fields-docker-processor]] -== Docker fields - -Docker stats collected from Docker. +[[exported-fields-cylance]] +== CylanceProtect fields +cylance fields. -*`docker.container.id`*:: +*`network.interface.name`*:: + -- -type: alias +Name of the network interface where the traffic has been observed. -alias to: container.id --- +type: keyword -*`docker.container.image`*:: -+ -- -type: alias -alias to: container.image.name --- -*`docker.container.name`*:: +*`rsa.internal.msg`*:: + -- -type: alias +This key is used to capture the raw message that comes into the Log Decoder -alias to: container.name +type: keyword -- -*`docker.container.labels`*:: +*`rsa.internal.messageid`*:: + -- -Image labels. +type: keyword +-- -type: object +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword -- -[[exported-fields-ecs]] -== ECS fields +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages -ECS Fields. +type: keyword +-- -*`@timestamp`*:: +*`rsa.internal.time`*:: + -- -Date/time when the event originated. -This is the date/time extracted from the event, typically representing when the event was generated by the source. -If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. -Required field for all events. +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. type: date -example: 2016-05-23T08:05:34.853Z - -required: True - -- -*`labels`*:: +*`rsa.internal.level`*:: + -- -Custom key/value pairs. -Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. -Example: `docker` and `k8s` labels. - -type: object +Deprecated key defined only in table map. -example: {"application": "foo-bar", "env": "production"} +type: long -- -*`message`*:: +*`rsa.internal.msg_id`*:: + -- -For log events the message field contains the log message, optimized for viewing in a log viewer. -For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. -If multiple messages exist, they can be combined into one message. - -type: text +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -example: Hello World +type: keyword -- -*`tags`*:: +*`rsa.internal.msg_vid`*:: + -- -List of keywords used to tag each event. +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: ["production", "env2"] - -- -[float] -=== agent - -The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. -Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. - - -*`agent.ephemeral_id`*:: +*`rsa.internal.data`*:: + -- -Ephemeral identifier of this agent (if one exists). -This id normally changes across restarts, but `agent.id` does not. +Deprecated key defined only in table map. type: keyword -example: 8a4f500f - -- -*`agent.id`*:: +*`rsa.internal.obj_server`*:: + -- -Unique identifier of this agent (if one exists). -Example: For Beats this would be beat.id. +Deprecated key defined only in table map. type: keyword -example: 8a4f500d - -- -*`agent.name`*:: +*`rsa.internal.obj_val`*:: + -- -Custom name of the agent. -This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. -If no name is given, the name is often left empty. +Deprecated key defined only in table map. type: keyword -example: foo - -- -*`agent.type`*:: +*`rsa.internal.resource`*:: + -- -Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +Deprecated key defined only in table map. type: keyword -example: filebeat - -- -*`agent.version`*:: +*`rsa.internal.obj_id`*:: + -- -Version of the agent. +Deprecated key defined only in table map. type: keyword -example: 6.0.0-rc2 - -- -[float] -=== as - -An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. - - -*`as.number`*:: +*`rsa.internal.statement`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long +Deprecated key defined only in table map. -example: 15169 +type: keyword -- -*`as.organization.name`*:: +*`rsa.internal.audit_class`*:: + -- -Organization name. +Deprecated key defined only in table map. type: keyword -example: Google LLC - -- -*`as.organization.name.text`*:: +*`rsa.internal.entry`*:: + -- -type: text - --- - -[float] -=== client +Deprecated key defined only in table map. -A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. -For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. -Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +type: keyword +-- -*`client.address`*:: +*`rsa.internal.hcode`*:: + -- -Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +Deprecated key defined only in table map. type: keyword -- -*`client.as.number`*:: +*`rsa.internal.inode`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +Deprecated key defined only in table map. type: long -example: 15169 - -- -*`client.as.organization.name`*:: +*`rsa.internal.resource_class`*:: + -- -Organization name. +Deprecated key defined only in table map. type: keyword -example: Google LLC - -- -*`client.as.organization.name.text`*:: +*`rsa.internal.dead`*:: + -- -type: text +Deprecated key defined only in table map. + +type: long -- -*`client.bytes`*:: +*`rsa.internal.feed_desc`*:: + -- -Bytes sent from the client to the server. - -type: long - -example: 184 +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -format: bytes +type: keyword -- -*`client.domain`*:: +*`rsa.internal.feed_name`*:: + -- -Client domain. +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`client.geo.city_name`*:: +*`rsa.internal.cid`*:: + -- -City name. +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: Montreal - -- -*`client.geo.continent_name`*:: +*`rsa.internal.device_class`*:: + -- -Name of the continent. +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: North America - -- -*`client.geo.country_iso_code`*:: +*`rsa.internal.device_group`*:: + -- -Country ISO code. +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: CA - -- -*`client.geo.country_name`*:: +*`rsa.internal.device_host`*:: + -- -Country name. +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: Canada - -- -*`client.geo.location`*:: +*`rsa.internal.device_ip`*:: + -- -Longitude and latitude. - -type: geo_point +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -example: { "lon": -73.614830, "lat": 45.505918 } +type: ip -- -*`client.geo.name`*:: +*`rsa.internal.device_ipv6`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - -type: keyword +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -example: boston-dc +type: ip -- -*`client.geo.region_iso_code`*:: +*`rsa.internal.device_type`*:: + -- -Region ISO code. +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: CA-QC - -- -*`client.geo.region_name`*:: +*`rsa.internal.device_type_id`*:: + -- -Region name. - -type: keyword +Deprecated key defined only in table map. -example: Quebec +type: long -- -*`client.ip`*:: +*`rsa.internal.did`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: ip +type: keyword -- -*`client.mac`*:: +*`rsa.internal.entropy_req`*:: + -- -MAC address of the client. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`client.nat.ip`*:: +*`rsa.internal.entropy_res`*:: + -- -Translated IP of source based NAT sessions (e.g. internal client to internet). -Typically connections traversing load balancers, firewalls, or routers. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: ip +type: long -- -*`client.nat.port`*:: +*`rsa.internal.event_name`*:: + -- -Translated port of source based NAT sessions (e.g. internal client to internet). -Typically connections traversing load balancers, firewalls, or routers. - -type: long +Deprecated key defined only in table map. -format: string +type: keyword -- -*`client.packets`*:: +*`rsa.internal.feed_category`*:: + -- -Packets sent from the client to the server. - -type: long +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -example: 12 +type: keyword -- -*`client.port`*:: +*`rsa.internal.forward_ip`*:: + -- -Port of the client. - -type: long +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -format: string +type: ip -- -*`client.registered_domain`*:: +*`rsa.internal.forward_ipv6`*:: + -- -The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - -type: keyword +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -example: google.com +type: ip -- -*`client.top_level_domain`*:: +*`rsa.internal.header_id`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: co.uk - -- -*`client.user.domain`*:: +*`rsa.internal.lc_cid`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`client.user.email`*:: +*`rsa.internal.lc_ctime`*:: + -- -User email address. +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`client.user.full_name`*:: +*`rsa.internal.mcb_req`*:: + -- -User's full name, if available. - -type: keyword +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -example: Albert Einstein +type: long -- -*`client.user.full_name.text`*:: +*`rsa.internal.mcb_res`*:: + -- -type: text +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`client.user.group.domain`*:: +*`rsa.internal.mcbc_req`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`client.user.group.id`*:: +*`rsa.internal.mcbc_res`*:: + -- -Unique identifier for the group on the system/platform. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`client.user.group.name`*:: +*`rsa.internal.medium`*:: + -- -Name of the group. +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session -type: keyword +type: long -- -*`client.user.hash`*:: +*`rsa.internal.node_name`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +Deprecated key defined only in table map. type: keyword -- -*`client.user.id`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -Unique identifiers of the user. +This key denotes that event is endpoint related type: keyword -- -*`client.user.name`*:: +*`rsa.internal.parse_error`*:: + -- -Short name or login of the user. +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: albert - -- -*`client.user.name.text`*:: +*`rsa.internal.payload_req`*:: + -- -type: text +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -[float] -=== cloud +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -Fields related to the cloud or infrastructure the events are coming from. +type: long +-- -*`cloud.account.id`*:: +*`rsa.internal.process_vid_dst`*:: + -- -The cloud account or organization id used to identify different entities in a multi-tenant environment. -Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -example: 666777888999 - -- -*`cloud.availability_zone`*:: +*`rsa.internal.process_vid_src`*:: + -- -Availability zone in which this host is running. +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -example: us-east-1c - -- -*`cloud.instance.id`*:: +*`rsa.internal.rid`*:: + -- -Instance ID of the host machine. - -type: keyword +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -example: i-1234567890abcdef0 +type: long -- -*`cloud.instance.name`*:: +*`rsa.internal.session_split`*:: + -- -Instance name of the host machine. +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`cloud.machine.type`*:: +*`rsa.internal.site`*:: + -- -Machine type of the host machine. +Deprecated key defined only in table map. type: keyword -example: t2.medium - -- -*`cloud.provider`*:: +*`rsa.internal.size`*:: + -- -Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - -type: keyword +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -example: aws +type: long -- -*`cloud.region`*:: +*`rsa.internal.sourcefile`*:: + -- -Region in which this host is running. +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -example: us-east-1 - -- -[float] -=== code_signature - -These fields contain information about binary code signatures. - - -*`code_signature.exists`*:: +*`rsa.internal.ubc_req`*:: + -- -Boolean to capture if a signature is present. - -type: boolean +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -example: true +type: long -- -*`code_signature.status`*:: +*`rsa.internal.ubc_res`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - -type: keyword +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -example: ERROR_UNTRUSTED_ROOT +type: long -- -*`code_signature.subject_name`*:: +*`rsa.internal.word`*:: + -- -Subject name of the code signer +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -example: Microsoft Corporation - -- -*`code_signature.trusted`*:: + +*`rsa.time.event_time`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -example: true +type: date -- -*`code_signature.valid`*:: +*`rsa.time.duration_time`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean +This key is used to capture the normalized duration/lifetime in seconds. -example: true +type: double -- -[float] -=== container +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string -Container fields are used for meta information about the specific container that is the source of information. -These fields help correlate data based containers from any runtime. +type: keyword +-- -*`container.id`*:: +*`rsa.time.starttime`*:: + -- -Unique container id. +This key is used to capture the Start time mentioned in a session in a standard form -type: keyword +type: date -- -*`container.image.name`*:: +*`rsa.time.month`*:: + -- -Name of the image the container was built on. - type: keyword -- -*`container.image.tag`*:: +*`rsa.time.day`*:: + -- -Container image tags. - type: keyword -- -*`container.labels`*:: +*`rsa.time.endtime`*:: + -- -Image labels. +This key is used to capture the End time mentioned in a session in a standard form -type: object +type: date -- -*`container.name`*:: +*`rsa.time.timezone`*:: + -- -Container name. +This key is used to capture the timezone of the Event Time type: keyword -- -*`container.runtime`*:: +*`rsa.time.duration_str`*:: + -- -Runtime managing this container. +A text string version of the duration type: keyword -example: docker - -- -[float] -=== destination - -Destination fields describe details about the destination of a packet/event. -Destination fields are usually populated in conjunction with source fields. +*`rsa.time.date`*:: ++ +-- +type: keyword +-- -*`destination.address`*:: +*`rsa.time.year`*:: + -- -Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - type: keyword -- -*`destination.as.number`*:: +*`rsa.time.recorded_time`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -example: 15169 +type: date -- -*`destination.as.organization.name`*:: +*`rsa.time.datetime`*:: + -- -Organization name. - type: keyword -example: Google LLC - -- -*`destination.as.organization.name.text`*:: +*`rsa.time.effective_time`*:: + -- -type: text +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date -- -*`destination.bytes`*:: +*`rsa.time.expire_time`*:: + -- -Bytes sent from the destination to the source. - -type: long - -example: 184 +This key is the timestamp that explicitly refers to an expiration. -format: bytes +type: date -- -*`destination.domain`*:: +*`rsa.time.process_time`*:: + -- -Destination domain. +Deprecated, use duration.time type: keyword -- -*`destination.geo.city_name`*:: +*`rsa.time.hour`*:: + -- -City name. - type: keyword -example: Montreal - -- -*`destination.geo.continent_name`*:: +*`rsa.time.min`*:: + -- -Name of the continent. - type: keyword -example: North America - -- -*`destination.geo.country_iso_code`*:: +*`rsa.time.timestamp`*:: + -- -Country ISO code. - type: keyword -example: CA - -- -*`destination.geo.country_name`*:: +*`rsa.time.event_queue_time`*:: + -- -Country name. - -type: keyword +This key is the Time that the event was queued. -example: Canada +type: date -- -*`destination.geo.location`*:: +*`rsa.time.p_time1`*:: + -- -Longitude and latitude. +type: keyword -type: geo_point +-- -example: { "lon": -73.614830, "lat": 45.505918 } +*`rsa.time.tzone`*:: ++ +-- +type: keyword -- -*`destination.geo.name`*:: +*`rsa.time.eventtime`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - type: keyword -example: boston-dc - -- -*`destination.geo.region_iso_code`*:: +*`rsa.time.gmtdate`*:: + -- -Region ISO code. - type: keyword -example: CA-QC - -- -*`destination.geo.region_name`*:: +*`rsa.time.gmttime`*:: + -- -Region name. - type: keyword -example: Quebec - -- -*`destination.ip`*:: +*`rsa.time.p_date`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. - -type: ip +type: keyword -- -*`destination.mac`*:: +*`rsa.time.p_month`*:: + -- -MAC address of the destination. - type: keyword -- -*`destination.nat.ip`*:: +*`rsa.time.p_time`*:: + -- -Translated ip of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. - -type: ip +type: keyword -- -*`destination.nat.port`*:: +*`rsa.time.p_time2`*:: + -- -Port the source session is translated to by NAT Device. -Typically used with load balancers, firewalls, or routers. +type: keyword -type: long +-- -format: string +*`rsa.time.p_year`*:: ++ +-- +type: keyword -- -*`destination.packets`*:: +*`rsa.time.expire_time_str`*:: + -- -Packets sent from the destination to the source. - -type: long +This key is used to capture incomplete timestamp that explicitly refers to an expiration. -example: 12 +type: keyword -- -*`destination.port`*:: +*`rsa.time.stamp`*:: + -- -Port of the destination. - -type: long +Deprecated key defined only in table map. -format: string +type: date -- -*`destination.registered_domain`*:: + +*`rsa.misc.action`*:: + -- -The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - type: keyword -example: google.com - -- -*`destination.top_level_domain`*:: +*`rsa.misc.result`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +This key is used to capture the outcome/result string value of an action in a session. type: keyword -example: co.uk - -- -*`destination.user.domain`*:: +*`rsa.misc.severity`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +This key is used to capture the severity given the session type: keyword -- -*`destination.user.email`*:: +*`rsa.misc.event_type`*:: + -- -User email address. +This key captures the event category type as specified by the event source. type: keyword -- -*`destination.user.full_name`*:: +*`rsa.misc.reference_id`*:: + -- -User's full name, if available. +This key is used to capture an event id from the session directly type: keyword -example: Albert Einstein - -- -*`destination.user.full_name.text`*:: +*`rsa.misc.version`*:: + -- -type: text +This key captures Version of the application or OS which is generating the event. + +type: keyword -- -*`destination.user.group.domain`*:: +*`rsa.misc.disposition`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +This key captures the The end state of an action. type: keyword -- -*`destination.user.group.id`*:: +*`rsa.misc.result_code`*:: + -- -Unique identifier for the group on the system/platform. +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`destination.user.group.name`*:: +*`rsa.misc.category`*:: + -- -Name of the group. +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`destination.user.hash`*:: +*`rsa.misc.obj_name`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +This is used to capture name of object type: keyword -- -*`destination.user.id`*:: +*`rsa.misc.obj_type`*:: + -- -Unique identifiers of the user. +This is used to capture type of object type: keyword -- -*`destination.user.name`*:: +*`rsa.misc.event_source`*:: + -- -Short name or login of the user. +This key captures Source of the event that’s not a hostname type: keyword -example: albert - -- -*`destination.user.name.text`*:: +*`rsa.misc.log_session_id`*:: + -- -type: text - --- - -[float] -=== dll - -These fields contain information about code libraries dynamically loaded into processes. +This key is used to capture a sessionid from the session directly -Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: -* Dynamic-link library (`.dll`) commonly used on Windows -* Shared Object (`.so`) commonly used on Unix-like operating systems -* Dynamic library (`.dylib`) commonly used on macOS +type: keyword +-- -*`dll.code_signature.exists`*:: +*`rsa.misc.group`*:: + -- -Boolean to capture if a signature is present. - -type: boolean +This key captures the Group Name value -example: true +type: keyword -- -*`dll.code_signature.status`*:: +*`rsa.misc.policy_name`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +This key is used to capture the Policy Name only. type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`dll.code_signature.subject_name`*:: +*`rsa.misc.rule_name`*:: + -- -Subject name of the code signer +This key captures the Rule Name type: keyword -example: Microsoft Corporation - -- -*`dll.code_signature.trusted`*:: +*`rsa.misc.context`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean +This key captures Information which adds additional context to the event. -example: true +type: keyword -- -*`dll.code_signature.valid`*:: +*`rsa.misc.change_new`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. - -type: boolean +This key is used to capture the new values of the attribute that’s changing in a session -example: true +type: keyword -- -*`dll.hash.md5`*:: +*`rsa.misc.space`*:: + -- -MD5 hash. - type: keyword -- -*`dll.hash.sha1`*:: +*`rsa.misc.client`*:: + -- -SHA1 hash. +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. type: keyword -- -*`dll.hash.sha256`*:: +*`rsa.misc.msgIdPart1`*:: + -- -SHA256 hash. - type: keyword -- -*`dll.hash.sha512`*:: +*`rsa.misc.msgIdPart2`*:: + -- -SHA512 hash. - type: keyword -- -*`dll.name`*:: +*`rsa.misc.change_old`*:: + -- -Name of the library. -This generally maps to the name of the file on disk. +This key is used to capture the old value of the attribute that’s changing in a session type: keyword -example: kernel32.dll - -- -*`dll.path`*:: +*`rsa.misc.operation_id`*:: + -- -Full file path of the library. +An alert number or operation number. The values should be unique and non-repeating. type: keyword -example: C:\Windows\System32\kernel32.dll - -- -*`dll.pe.company`*:: +*`rsa.misc.event_state`*:: + -- -Internal company name of the file, provided at compile-time. +This key captures the current state of the object/item referenced within the event. Describing an on-going event. type: keyword -example: Microsoft Corporation - -- -*`dll.pe.description`*:: +*`rsa.misc.group_object`*:: + -- -Internal description of the file, provided at compile-time. +This key captures a collection/grouping of entities. Specific usage type: keyword -example: Paint - -- -*`dll.pe.file_version`*:: +*`rsa.misc.node`*:: + -- -Internal version of the file, provided at compile-time. +Common use case is the node name within a cluster. The cluster name is reflected by the host name. type: keyword -example: 6.3.9600.17415 - -- -*`dll.pe.original_file_name`*:: +*`rsa.misc.rule`*:: + -- -Internal name of the file, provided at compile-time. +This key captures the Rule number type: keyword -example: MSPAINT.EXE - -- -*`dll.pe.product`*:: +*`rsa.misc.device_name`*:: + -- -Internal product name of the file, provided at compile-time. +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -example: Microsoft® Windows® Operating System - -- -[float] -=== dns - -Fields describing DNS queries and answers. -DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). - - -*`dns.answers`*:: +*`rsa.misc.param`*:: + -- -An array containing an object for each answer section returned by the server. -The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. -Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. +This key is the parameters passed as part of a command or application, etc. -type: object +type: keyword -- -*`dns.answers.class`*:: +*`rsa.misc.change_attrib`*:: + -- -The class of DNS data contained in this resource record. +This key is used to capture the name of the attribute that’s changing in a session type: keyword -example: IN - -- -*`dns.answers.data`*:: +*`rsa.misc.event_computer`*:: + -- -The data describing the resource. -The meaning of this data depends on the type and class of the resource record. +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -example: 10.10.10.10 - -- -*`dns.answers.name`*:: +*`rsa.misc.reference_id1`*:: + -- -The domain name to which this resource record pertains. -If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -example: www.google.com - -- -*`dns.answers.ttl`*:: +*`rsa.misc.event_log`*:: + -- -The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. - -type: long +This key captures the Name of the event log -example: 180 +type: keyword -- -*`dns.answers.type`*:: +*`rsa.misc.OS`*:: + -- -The type of data contained in this resource record. +This key captures the Name of the Operating System type: keyword -example: CNAME - -- -*`dns.header_flags`*:: +*`rsa.misc.terminal`*:: + -- -Array of 2 letter DNS header flags. -Expected values are: AA, TC, RD, RA, AD, CD, DO. +This key captures the Terminal Names only type: keyword -example: ['RD', 'RA'] - -- -*`dns.id`*:: +*`rsa.misc.msgIdPart3`*:: + -- -The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. - type: keyword -example: 62111 - -- -*`dns.op_code`*:: +*`rsa.misc.filter`*:: + -- -The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. +This key captures Filter used to reduce result set type: keyword -example: QUERY - -- -*`dns.question.class`*:: +*`rsa.misc.serial_number`*:: + -- -The class of records being queried. +This key is the Serial number associated with a physical asset. type: keyword -example: IN - -- -*`dns.question.name`*:: +*`rsa.misc.checksum`*:: + -- -The name being queried. -If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. type: keyword -example: www.google.com - -- -*`dns.question.registered_domain`*:: +*`rsa.misc.event_user`*:: + -- -The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. type: keyword -example: google.com - -- -*`dns.question.subdomain`*:: +*`rsa.misc.virusname`*:: + -- -The subdomain is all of the labels under the registered_domain. -If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. +This key captures the name of the virus type: keyword -example: www - -- -*`dns.question.top_level_domain`*:: +*`rsa.misc.content_type`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +This key is used to capture Content Type only. type: keyword -example: co.uk - -- -*`dns.question.type`*:: +*`rsa.misc.group_id`*:: + -- -The type of record being queried. +This key captures Group ID Number (related to the group name) type: keyword -example: AAAA - -- -*`dns.resolved_ip`*:: +*`rsa.misc.policy_id`*:: + -- -Array containing all IPs seen in `answers.data`. -The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. - -type: ip +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise -example: ['10.10.10.10', '10.10.10.11'] +type: keyword -- -*`dns.response_code`*:: +*`rsa.misc.vsys`*:: + -- -The DNS response code. +This key captures Virtual System Name type: keyword -example: NOERROR - -- -*`dns.type`*:: +*`rsa.misc.connection_id`*:: + -- -The type of DNS event captured, query or answer. -If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. -If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. +This key captures the Connection ID type: keyword -example: answer - -- -[float] -=== ecs +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. -Meta-information specific to ECS. +type: keyword +-- -*`ecs.version`*:: +*`rsa.misc.sensor`*:: + -- -ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. -When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. +This key captures Name of the sensor. Typically used in IDS/IPS based devices type: keyword -example: 1.0.0 - -required: True - -- -[float] -=== error +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID -These fields can represent errors of any kind. -Use them for errors that happen while fetching events or in cases where the event itself contains an error. +type: long +-- -*`error.code`*:: +*`rsa.misc.port_name`*:: + -- -Error code describing the error. +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`error.id`*:: +*`rsa.misc.rule_group`*:: + -- -Unique identifier for the error. +This key captures the Rule group name type: keyword -- -*`error.message`*:: +*`rsa.misc.risk_num`*:: + -- -Error message. +This key captures a Numeric Risk value -type: text +type: double -- -*`error.stack_trace`*:: +*`rsa.misc.trigger_val`*:: + -- -The stack trace of this error in plain text. +This key captures the Value of the trigger or threshold condition. type: keyword -- -*`error.stack_trace.text`*:: +*`rsa.misc.log_session_id1`*:: + -- -type: text +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword -- -*`error.type`*:: +*`rsa.misc.comp_version`*:: + -- -The type of the error, for example the class name of the exception. +This key captures the Version level of a sub-component of a product. type: keyword -example: java.lang.NullPointerException - -- -[float] -=== event +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. -The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. +type: keyword +-- -*`event.action`*:: +*`rsa.misc.hardware_id`*:: + -- -The action captured by the event. -This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. +This key is used to capture unique identifier for a device or system (NOT a Mac address) type: keyword -example: user-password-change - -- -*`event.category`*:: +*`rsa.misc.risk`*:: + -- -This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. -`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. -This field is an array. This will allow proper categorization of some events that fall in multiple categories. +This key captures the non-numeric risk value type: keyword -example: authentication - -- -*`event.code`*:: +*`rsa.misc.event_id`*:: + -- -Identification code for this event, if one exists. -Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. - type: keyword -example: 4648 - -- -*`event.created`*:: +*`rsa.misc.reason`*:: + -- -event.created contains the date/time when the event was first read by an agent, or by your pipeline. -This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. -In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. -In case the two timestamps are identical, @timestamp should be used. +type: keyword -type: date +-- -example: 2016-05-23T08:05:34.857Z +*`rsa.misc.status`*:: ++ +-- +type: keyword -- -*`event.dataset`*:: +*`rsa.misc.mail_id`*:: + -- -Name of the dataset. -If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. -It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. +This key is used to capture the mailbox id/name type: keyword -example: apache.access - -- -*`event.duration`*:: +*`rsa.misc.rule_uid`*:: + -- -Duration of the event in nanoseconds. -If event.start and event.end are known this value should be the difference between the end and start time. - -type: long +This key is the Unique Identifier for a rule. -format: duration +type: keyword -- -*`event.end`*:: +*`rsa.misc.trigger_desc`*:: + -- -event.end contains the date when the event ended or when the activity was last observed. +This key captures the Description of the trigger or threshold condition. -type: date +type: keyword -- -*`event.hash`*:: +*`rsa.misc.inout`*:: + -- -Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - type: keyword -example: 123456789012345678901234567890ABCD - -- -*`event.id`*:: +*`rsa.misc.p_msgid`*:: + -- -Unique ID to describe the event. - type: keyword -example: 8a4f500d - -- -*`event.ingested`*:: +*`rsa.misc.data_type`*:: + -- -Timestamp when an event arrived in the central data store. -This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. -In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. +type: keyword -type: date +-- -example: 2016-05-23T08:05:35.101Z +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword -- -*`event.kind`*:: +*`rsa.misc.error`*:: + -- -This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. -`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. -The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. +This key captures All non successful Error codes or responses type: keyword -example: alert - -- -*`event.module`*:: +*`rsa.misc.index`*:: + -- -Name of the module this data is coming from. -If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. - type: keyword -example: apache - -- -*`event.original`*:: +*`rsa.misc.listnum`*:: + -- -Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +-- +*`rsa.misc.ntype`*:: ++ -- +type: keyword -*`event.outcome`*:: +-- + +*`rsa.misc.observed_val`*:: + -- -This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. -Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. -Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. -Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. +This key captures the Value observed (from the perspective of the device generating the log). type: keyword -example: success - -- -*`event.provider`*:: +*`rsa.misc.policy_value`*:: + -- -Source of the event. -Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). +This key captures the contents of the policy. This contains details about the policy type: keyword -example: kernel - -- -*`event.reference`*:: +*`rsa.misc.pool_name`*:: + -- -Reference URL linking to additional information about this event. -This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This key captures the name of a resource pool type: keyword -example: https://system.vendor.com/event/#0001234 - -- -*`event.risk_score`*:: +*`rsa.misc.rule_template`*:: + -- -Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template -type: float +type: keyword -- -*`event.risk_score_norm`*:: +*`rsa.misc.count`*:: + -- -Normalized risk score or priority of the event, on a scale of 0 to 100. -This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. - -type: float +type: keyword -- -*`event.sequence`*:: +*`rsa.misc.number`*:: + -- -Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. +type: keyword -type: long +-- -format: string +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword -- -*`event.severity`*:: +*`rsa.misc.type`*:: + -- -The numeric severity of the event according to your event source. -What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. -The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. +type: keyword -type: long +-- -example: 7 +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message -format: string +type: keyword -- -*`event.start`*:: +*`rsa.misc.doc_number`*:: + -- -event.start contains the date when the event started or when the activity was first observed. +This key captures File Identification number -type: date +type: long -- -*`event.timezone`*:: +*`rsa.misc.expected_val`*:: + -- -This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. -Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -- -*`event.type`*:: +*`rsa.misc.job_num`*:: + -- -This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. -`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. -This field is an array. This will allow proper categorization of some events that fall in multiple event types. +This key captures the Job Number type: keyword -- -*`event.url`*:: +*`rsa.misc.spi_dst`*:: + -- -URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +Destination SPI Index type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe - -- -[float] -=== file +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index -A file is defined as a set of information that has been created on, or has existed on a filesystem. -File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. +type: keyword +-- -*`file.accessed`*:: +*`rsa.misc.code`*:: + -- -Last time the file was accessed. -Note that not all filesystems keep track of access time. - -type: date +type: keyword -- -*`file.attributes`*:: +*`rsa.misc.agent_id`*:: + -- -Array of file attributes. -Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. +This key is used to capture agent id type: keyword -example: ["readonly", "system"] - -- -*`file.code_signature.exists`*:: +*`rsa.misc.message_body`*:: + -- -Boolean to capture if a signature is present. - -type: boolean +This key captures the The contents of the message body. -example: true +type: keyword -- -*`file.code_signature.status`*:: +*`rsa.misc.phone`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`file.code_signature.subject_name`*:: +*`rsa.misc.sig_id_str`*:: + -- -Subject name of the code signer +This key captures a string object of the sigid variable. type: keyword -example: Microsoft Corporation - -- -*`file.code_signature.trusted`*:: +*`rsa.misc.cmd`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. - -type: boolean - -example: true +type: keyword -- -*`file.code_signature.valid`*:: +*`rsa.misc.misc`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.name`*:: ++ +-- +type: keyword -- -*`file.created`*:: +*`rsa.misc.cpu`*:: + -- -File creation time. -Note that not all filesystems store the creation time. +This key is the CPU time used in the execution of the event being recorded. -type: date +type: long -- -*`file.ctime`*:: +*`rsa.misc.event_desc`*:: + -- -Last time the file attributes or metadata changed. -Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. +This key is used to capture a description of an event available directly or inferred -type: date +type: keyword -- -*`file.device`*:: +*`rsa.misc.sig_id1`*:: + -- -Device that is the source of the file. - -type: keyword +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id -example: sda +type: long -- -*`file.directory`*:: +*`rsa.misc.im_buddyid`*:: + -- -Directory where the file is located. It should include the drive letter, when appropriate. - type: keyword -example: /home/alice - -- -*`file.drive_letter`*:: +*`rsa.misc.im_client`*:: + -- -Drive letter where the file is located. This field is only relevant on Windows. -The value should be uppercase, and not include the colon. - type: keyword -example: C - -- -*`file.extension`*:: +*`rsa.misc.im_userid`*:: + -- -File extension. - type: keyword -example: png - -- -*`file.gid`*:: +*`rsa.misc.pid`*:: + -- -Primary group ID (GID) of the file. - type: keyword -example: 1001 - -- -*`file.group`*:: +*`rsa.misc.priority`*:: + -- -Primary group name of the file. - type: keyword -example: alice - -- -*`file.hash.md5`*:: +*`rsa.misc.context_subject`*:: + -- -MD5 hash. +This key is to be used in an audit context where the subject is the object being identified type: keyword -- -*`file.hash.sha1`*:: +*`rsa.misc.context_target`*:: + -- -SHA1 hash. - type: keyword -- -*`file.hash.sha256`*:: +*`rsa.misc.cve`*:: + -- -SHA256 hash. +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. type: keyword -- -*`file.hash.sha512`*:: +*`rsa.misc.fcatnum`*:: + -- -SHA512 hash. +This key captures Filter Category Number. Legacy Usage type: keyword -- -*`file.inode`*:: +*`rsa.misc.library`*:: + -- -Inode representing the file in the filesystem. +This key is used to capture library information in mainframe devices type: keyword -example: 256383 - -- -*`file.mime_type`*:: +*`rsa.misc.parent_node`*:: + -- -MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. +This key captures the Parent Node Name. Must be related to node variable. type: keyword -- -*`file.mode`*:: +*`rsa.misc.risk_info`*:: + -- -Mode of the file in octal representation. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -example: 0640 - -- -*`file.mtime`*:: +*`rsa.misc.tcp_flags`*:: + -- -Last time the file content was modified. +This key is captures the TCP flags set in any packet of session -type: date +type: long -- -*`file.name`*:: +*`rsa.misc.tos`*:: + -- -Name of the file including the extension, without the directory. - -type: keyword +This key describes the type of service -example: example.png +type: long -- -*`file.owner`*:: +*`rsa.misc.vm_target`*:: + -- -File owner's username. +VMWare Target **VMWARE** only varaible. type: keyword -example: alice - -- -*`file.path`*:: +*`rsa.misc.workspace`*:: + -- -Full path to the file, including the file name. It should include the drive letter, when appropriate. +This key captures Workspace Description type: keyword -example: /home/alice/example.png - -- -*`file.path.text`*:: +*`rsa.misc.command`*:: + -- -type: text +type: keyword -- -*`file.pe.company`*:: +*`rsa.misc.event_category`*:: + -- -Internal company name of the file, provided at compile-time. - type: keyword -example: Microsoft Corporation - -- -*`file.pe.description`*:: +*`rsa.misc.facilityname`*:: + -- -Internal description of the file, provided at compile-time. - type: keyword -example: Paint - -- -*`file.pe.file_version`*:: +*`rsa.misc.forensic_info`*:: + -- -Internal version of the file, provided at compile-time. - type: keyword -example: 6.3.9600.17415 - -- -*`file.pe.original_file_name`*:: +*`rsa.misc.jobname`*:: + -- -Internal name of the file, provided at compile-time. - type: keyword -example: MSPAINT.EXE - -- -*`file.pe.product`*:: +*`rsa.misc.mode`*:: + -- -Internal product name of the file, provided at compile-time. - type: keyword -example: Microsoft® Windows® Operating System - -- -*`file.size`*:: +*`rsa.misc.policy`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". - -type: long - -example: 16384 +type: keyword -- -*`file.target_path`*:: +*`rsa.misc.policy_waiver`*:: + -- -Target path for symlinks. - type: keyword -- -*`file.target_path.text`*:: +*`rsa.misc.second`*:: + -- -type: text +type: keyword -- -*`file.type`*:: +*`rsa.misc.space1`*:: + -- -File type (file, dir, or symlink). - type: keyword -example: file - -- -*`file.uid`*:: +*`rsa.misc.subcategory`*:: + -- -The user ID (UID) or security identifier (SID) of the file owner. - type: keyword -example: 1001 - -- -[float] -=== geo - -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. - - -*`geo.city_name`*:: +*`rsa.misc.tbdstr2`*:: + -- -City name. - type: keyword -example: Montreal - -- -*`geo.continent_name`*:: +*`rsa.misc.alert_id`*:: + -- -Name of the continent. +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -example: North America - -- -*`geo.country_iso_code`*:: +*`rsa.misc.checksum_dst`*:: + -- -Country ISO code. +This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -example: CA - -- -*`geo.country_name`*:: +*`rsa.misc.checksum_src`*:: + -- -Country name. +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -example: Canada - -- -*`geo.location`*:: +*`rsa.misc.fresult`*:: + -- -Longitude and latitude. - -type: geo_point +This key captures the Filter Result -example: { "lon": -73.614830, "lat": 45.505918 } +type: long -- -*`geo.name`*:: +*`rsa.misc.payload_dst`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +This key is used to capture destination payload type: keyword -example: boston-dc - -- -*`geo.region_iso_code`*:: +*`rsa.misc.payload_src`*:: + -- -Region ISO code. +This key is used to capture source payload type: keyword -example: CA-QC - -- -*`geo.region_name`*:: +*`rsa.misc.pool_id`*:: + -- -Region name. +This key captures the identifier (typically numeric field) of a resource pool type: keyword -example: Quebec - -- -[float] -=== group - -The group fields are meant to represent groups that are relevant to the event. - - -*`group.domain`*:: +*`rsa.misc.process_id_val`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +This key is a failure key for Process ID when it is not an integer value type: keyword -- -*`group.id`*:: +*`rsa.misc.risk_num_comm`*:: + -- -Unique identifier for the group on the system/platform. +This key captures Risk Number Community -type: keyword +type: double -- -*`group.name`*:: +*`rsa.misc.risk_num_next`*:: + -- -Name of the group. +This key captures Risk Number NextGen -type: keyword +type: double -- -[float] -=== hash +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox -The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +type: double +-- -*`hash.md5`*:: +*`rsa.misc.risk_num_static`*:: + -- -MD5 hash. +This key captures Risk Number Static -type: keyword +type: double -- -*`hash.sha1`*:: +*`rsa.misc.risk_suspicious`*:: + -- -SHA1 hash. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`hash.sha256`*:: +*`rsa.misc.risk_warning`*:: + -- -SHA256 hash. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`hash.sha512`*:: +*`rsa.misc.snmp_oid`*:: + -- -SHA512 hash. +SNMP Object Identifier type: keyword -- -[float] -=== host - -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. - - -*`host.architecture`*:: +*`rsa.misc.sql`*:: + -- -Operating system architecture. +This key captures the SQL query type: keyword -example: x86_64 - -- -*`host.domain`*:: +*`rsa.misc.vuln_ref`*:: + -- -Name of the domain of which the host is a member. -For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. +This key captures the Vulnerability Reference details type: keyword -example: CONTOSO - -- -*`host.geo.city_name`*:: +*`rsa.misc.acl_id`*:: + -- -City name. - type: keyword -example: Montreal - -- -*`host.geo.continent_name`*:: +*`rsa.misc.acl_op`*:: + -- -Name of the continent. - type: keyword -example: North America - -- -*`host.geo.country_iso_code`*:: +*`rsa.misc.acl_pos`*:: + -- -Country ISO code. - type: keyword -example: CA - -- -*`host.geo.country_name`*:: +*`rsa.misc.acl_table`*:: + -- -Country name. - type: keyword -example: Canada - -- -*`host.geo.location`*:: +*`rsa.misc.admin`*:: + -- -Longitude and latitude. - -type: geo_point - -example: { "lon": -73.614830, "lat": 45.505918 } +type: keyword -- -*`host.geo.name`*:: +*`rsa.misc.alarm_id`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - type: keyword -example: boston-dc - -- -*`host.geo.region_iso_code`*:: +*`rsa.misc.alarmname`*:: + -- -Region ISO code. - type: keyword -example: CA-QC - -- -*`host.geo.region_name`*:: +*`rsa.misc.app_id`*:: + -- -Region name. - type: keyword -example: Quebec - -- -*`host.hostname`*:: +*`rsa.misc.audit`*:: + -- -Hostname of the host. -It normally contains what the `hostname` command returns on the host machine. - type: keyword -- -*`host.id`*:: +*`rsa.misc.audit_object`*:: + -- -Unique host id. -As hostname is not always unique, use values that are meaningful in your environment. -Example: The current usage of `beat.name`. - type: keyword -- -*`host.ip`*:: +*`rsa.misc.auditdata`*:: + -- -Host ip addresses. - -type: ip +type: keyword -- -*`host.mac`*:: +*`rsa.misc.benchmark`*:: + -- -Host mac addresses. - type: keyword -- -*`host.name`*:: +*`rsa.misc.bypass`*:: + -- -Name of the host. -It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. - type: keyword -- -*`host.os.family`*:: +*`rsa.misc.cache`*:: + -- -OS family (such as redhat, debian, freebsd, windows). - type: keyword -example: debian - -- -*`host.os.full`*:: +*`rsa.misc.cache_hit`*:: + -- -Operating system name, including the version or code name. - type: keyword -example: Mac OS Mojave - -- -*`host.os.full.text`*:: +*`rsa.misc.cefversion`*:: + -- -type: text +type: keyword -- -*`host.os.kernel`*:: +*`rsa.misc.cfg_attr`*:: + -- -Operating system kernel version as a raw string. - type: keyword -example: 4.4.0-112-generic - -- -*`host.os.name`*:: +*`rsa.misc.cfg_obj`*:: + -- -Operating system name, without the version. - type: keyword -example: Mac OS X - -- -*`host.os.name.text`*:: +*`rsa.misc.cfg_path`*:: + -- -type: text +type: keyword -- -*`host.os.platform`*:: +*`rsa.misc.changes`*:: + -- -Operating system platform (such centos, ubuntu, windows). - type: keyword -example: darwin - -- -*`host.os.version`*:: +*`rsa.misc.client_ip`*:: + -- -Operating system version as a raw string. - type: keyword -example: 10.14.1 - -- -*`host.type`*:: +*`rsa.misc.clustermembers`*:: + -- -Type of host. -For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. - type: keyword -- -*`host.uptime`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -Seconds the host has been up. +type: keyword -type: long +-- -example: 1325 +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword -- -*`host.user.domain`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`host.user.email`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -User email address. - type: keyword -- -*`host.user.full_name`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -User's full name, if available. - type: keyword -example: Albert Einstein - -- -*`host.user.full_name.text`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -type: text +type: keyword -- -*`host.user.group.domain`*:: +*`rsa.misc.cn_engine_id`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`host.user.group.id`*:: +*`rsa.misc.cn_engine_type`*:: + -- -Unique identifier for the group on the system/platform. - type: keyword -- -*`host.user.group.name`*:: +*`rsa.misc.cn_f_switch`*:: + -- -Name of the group. - type: keyword -- -*`host.user.hash`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - type: keyword -- -*`host.user.id`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -Unique identifiers of the user. - type: keyword -- -*`host.user.name`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -Short name or login of the user. - type: keyword -example: albert - -- -*`host.user.name.text`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -type: text +type: keyword -- -[float] -=== http - -Fields related to HTTP activity. Use the `url` field set to store the url of the request. +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword +-- -*`http.request.body.bytes`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -Size in bytes of the request body. - -type: long +type: keyword -example: 887 +-- -format: bytes +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword -- -*`http.request.body.content`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -The full HTTP request body. - type: keyword -example: Hello world - -- -*`http.request.body.content.text`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -type: text +type: keyword -- -*`http.request.bytes`*:: +*`rsa.misc.cn_l_switch`*:: + -- -Total size in bytes of the request (body and headers). - -type: long +type: keyword -example: 1437 +-- -format: bytes +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword -- -*`http.request.method`*:: +*`rsa.misc.cn_log_rid`*:: + -- -HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - type: keyword -example: get, post, put - -- -*`http.request.referrer`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -Referrer for this HTTP request. - type: keyword -example: https://blog.example.com/ - -- -*`http.response.body.bytes`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -Size in bytes of the response body. - -type: long +type: keyword -example: 887 +-- -format: bytes +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword -- -*`http.response.body.content`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -The full HTTP response body. - type: keyword -example: Hello world - -- -*`http.response.body.content.text`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -type: text +type: keyword -- -*`http.response.bytes`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -Total size in bytes of the response (body and headers). - -type: long +type: keyword -example: 1437 +-- -format: bytes +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword -- -*`http.response.status_code`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -HTTP response status code. - -type: long +type: keyword -example: 404 +-- -format: string +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword -- -*`http.version`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -HTTP version. - type: keyword -example: 1.1 +-- +*`rsa.misc.cn_mpls_lbl_6`*:: ++ -- +type: keyword -[float] -=== interface +-- -The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword +-- -*`interface.alias`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. - type: keyword -example: outside - -- -*`interface.id`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). - type: keyword -example: 10 - -- -*`interface.name`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -Interface name as reported by the system. - type: keyword -example: eth0 +-- +*`rsa.misc.cn_mplstoplabip`*:: ++ -- +type: keyword -[float] -=== log +-- -Details about the event's logging mechanism or logging transport. -The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. -The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword +-- -*`log.level`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -Original log level of the log event. -If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). -Some examples are `warn`, `err`, `i`, `informational`. - type: keyword -example: error - -- -*`log.logger`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. - type: keyword -example: org.elasticsearch.bootstrap.Bootstrap - -- -*`log.origin.file.line`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -The line number of the file containing the source code which originated the log event. +type: keyword -type: integer +-- -example: 42 +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword -- -*`log.origin.file.name`*:: +*`rsa.misc.cn_seqctr`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. - type: keyword -example: Bootstrap.java - -- -*`log.origin.function`*:: +*`rsa.misc.cn_spackets`*:: + -- -The name of the function or method which originated the log event. - type: keyword -example: init - -- -*`log.original`*:: +*`rsa.misc.cn_src_tos`*:: + -- -This is the original log message and contains the full log message before splitting it up in multiple parts. -In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. -This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. - type: keyword -example: Sep 19 08:26:10 localhost My log - -- -*`log.syslog`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. - -type: object +type: keyword -- -*`log.syslog.facility.code`*:: +*`rsa.misc.cn_sysuptime`*:: + -- -The Syslog numeric facility of the log event, if available. -According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - -type: long +type: keyword -example: 23 +-- -format: string +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword -- -*`log.syslog.facility.name`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -The Syslog text-based facility of the log event, if available. - type: keyword -example: local7 - -- -*`log.syslog.priority`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -Syslog numeric priority of the event, if available. -According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - -type: long +type: keyword -example: 135 +-- -format: string +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword -- -*`log.syslog.severity.code`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. +type: keyword -type: long +-- -example: 3 +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword -- -*`log.syslog.severity.name`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. - type: keyword -example: Error - -- -[float] -=== network - -The network is defined as the communication path over which a host or network event happens. -The network.* fields should be populated with details about the network activity associated with an event. - - -*`network.application`*:: +*`rsa.misc.comp_class`*:: + -- -A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - type: keyword -example: aim - -- -*`network.bytes`*:: +*`rsa.misc.comp_name`*:: + -- -Total bytes transferred in both directions. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - -type: long - -example: 368 - -format: bytes +type: keyword -- -*`network.community_id`*:: +*`rsa.misc.comp_rbytes`*:: + -- -A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -Learn more at https://github.com/corelight/community-id-spec. - type: keyword -example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= - -- -*`network.direction`*:: +*`rsa.misc.comp_sbytes`*:: + -- -Direction of the network traffic. -Recommended values are: - * inbound - * outbound - * internal - * external - * unknown +type: keyword -When mapping events from a host-based monitoring context, populate this field from the host's point of view. -When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. +-- +*`rsa.misc.cpu_data`*:: ++ +-- type: keyword -example: inbound - -- -*`network.forwarded_ip`*:: +*`rsa.misc.criticality`*:: + -- -Host IP address when the source IP address is the proxy. +type: keyword -type: ip +-- -example: 192.1.1.2 +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword -- -*`network.iana_number`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - type: keyword -example: 6 - -- -*`network.inner`*:: +*`rsa.misc.cs_av_other`*:: + -- -Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) - -type: object +type: keyword -- -*`network.inner.vlan.id`*:: +*`rsa.misc.cs_av_primary`*:: + -- -VLAN ID as reported by the observer. - type: keyword -example: 10 - -- -*`network.inner.vlan.name`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -Optional VLAN name as reported by the observer. - type: keyword -example: outside - -- -*`network.name`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -Name given by operators to sections of their network. - type: keyword -example: Guest Wifi - -- -*`network.packets`*:: +*`rsa.misc.cs_bit9status`*:: + -- -Total packets transferred in both directions. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. +type: keyword -type: long +-- -example: 24 +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword -- -*`network.protocol`*:: +*`rsa.misc.cs_control`*:: + -- -L7 Network protocol name. ex. http, lumberjack, transport protocol. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - type: keyword -example: http - -- -*`network.transport`*:: +*`rsa.misc.cs_data`*:: + -- -Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - type: keyword -example: tcp - -- -*`network.type`*:: +*`rsa.misc.cs_datecret`*:: + -- -In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - type: keyword -example: ipv4 - -- -*`network.vlan.id`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -VLAN ID as reported by the observer. - type: keyword -example: 10 - -- -*`network.vlan.name`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -Optional VLAN name as reported by the observer. - type: keyword -example: outside +-- +*`rsa.misc.cs_eth_src_ven`*:: ++ -- +type: keyword -[float] -=== observer +-- -An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. -This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword +-- -*`observer.egress`*:: +*`rsa.misc.cs_filetype`*:: + -- -Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. - -type: object +type: keyword -- -*`observer.egress.interface.alias`*:: +*`rsa.misc.cs_fld`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. - type: keyword -example: outside - -- -*`observer.egress.interface.id`*:: +*`rsa.misc.cs_if_desc`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). - type: keyword -example: 10 - -- -*`observer.egress.interface.name`*:: +*`rsa.misc.cs_if_name`*:: + -- -Interface name as reported by the system. - type: keyword -example: eth0 - -- -*`observer.egress.vlan.id`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -VLAN ID as reported by the observer. - type: keyword -example: 10 - -- -*`observer.egress.vlan.name`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -Optional VLAN name as reported by the observer. - type: keyword -example: outside - -- -*`observer.egress.zone`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. - type: keyword -example: Public_Internet - -- -*`observer.geo.city_name`*:: +*`rsa.misc.cs_lifetime`*:: + -- -City name. - type: keyword -example: Montreal - -- -*`observer.geo.continent_name`*:: +*`rsa.misc.cs_log_medium`*:: + -- -Name of the continent. - type: keyword -example: North America - -- -*`observer.geo.country_iso_code`*:: +*`rsa.misc.cs_loginname`*:: + -- -Country ISO code. - type: keyword -example: CA - -- -*`observer.geo.country_name`*:: +*`rsa.misc.cs_modulescore`*:: + -- -Country name. - type: keyword -example: Canada - -- -*`observer.geo.location`*:: +*`rsa.misc.cs_modulesign`*:: + -- -Longitude and latitude. +type: keyword -type: geo_point +-- -example: { "lon": -73.614830, "lat": 45.505918 } +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword -- -*`observer.geo.name`*:: +*`rsa.misc.cs_payload`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - type: keyword -example: boston-dc - -- -*`observer.geo.region_iso_code`*:: +*`rsa.misc.cs_registrant`*:: + -- -Region ISO code. - type: keyword -example: CA-QC - -- -*`observer.geo.region_name`*:: +*`rsa.misc.cs_registrar`*:: + -- -Region name. - type: keyword -example: Quebec - -- -*`observer.hostname`*:: +*`rsa.misc.cs_represult`*:: + -- -Hostname of the observer. - type: keyword -- -*`observer.ingress`*:: +*`rsa.misc.cs_rpayload`*:: + -- -Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. - -type: object +type: keyword -- -*`observer.ingress.interface.alias`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. - type: keyword -example: outside - -- -*`observer.ingress.interface.id`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). - type: keyword -example: 10 - -- -*`observer.ingress.interface.name`*:: +*`rsa.misc.cs_streams`*:: + -- -Interface name as reported by the system. - type: keyword -example: eth0 - -- -*`observer.ingress.vlan.id`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -VLAN ID as reported by the observer. - type: keyword -example: 10 - -- -*`observer.ingress.vlan.name`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -Optional VLAN name as reported by the observer. - type: keyword -example: outside - -- -*`observer.ingress.zone`*:: +*`rsa.misc.cs_whois_server`*:: + -- -Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. - type: keyword -example: DMZ - -- -*`observer.ip`*:: +*`rsa.misc.cs_yararesult`*:: + -- -IP addresses of the observer. - -type: ip +type: keyword -- -*`observer.mac`*:: +*`rsa.misc.description`*:: + -- -MAC addresses of the observer - type: keyword -- -*`observer.name`*:: +*`rsa.misc.devvendor`*:: + -- -Custom name of the observer. -This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. -If no custom name is needed, the field can be left empty. - type: keyword -example: 1_proxySG - -- -*`observer.os.family`*:: +*`rsa.misc.distance`*:: + -- -OS family (such as redhat, debian, freebsd, windows). - type: keyword -example: debian - -- -*`observer.os.full`*:: +*`rsa.misc.dstburb`*:: + -- -Operating system name, including the version or code name. - type: keyword -example: Mac OS Mojave - -- -*`observer.os.full.text`*:: +*`rsa.misc.edomain`*:: + -- -type: text +type: keyword -- -*`observer.os.kernel`*:: +*`rsa.misc.edomaub`*:: + -- -Operating system kernel version as a raw string. - type: keyword -example: 4.4.0-112-generic - -- -*`observer.os.name`*:: +*`rsa.misc.euid`*:: + -- -Operating system name, without the version. - type: keyword -example: Mac OS X - -- -*`observer.os.name.text`*:: +*`rsa.misc.facility`*:: + -- -type: text +type: keyword -- -*`observer.os.platform`*:: +*`rsa.misc.finterface`*:: + -- -Operating system platform (such centos, ubuntu, windows). - type: keyword -example: darwin - -- -*`observer.os.version`*:: +*`rsa.misc.flags`*:: + -- -Operating system version as a raw string. - type: keyword -example: 10.14.1 - -- -*`observer.product`*:: +*`rsa.misc.gaddr`*:: + -- -The product name of the observer. - type: keyword -example: s200 - -- -*`observer.serial_number`*:: +*`rsa.misc.id3`*:: + -- -Observer serial number. - type: keyword -- -*`observer.type`*:: +*`rsa.misc.im_buddyname`*:: + -- -The type of the observer the data is coming from. -There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - type: keyword -example: firewall - -- -*`observer.vendor`*:: +*`rsa.misc.im_croomid`*:: + -- -Vendor name of the observer. - type: keyword -example: Symantec - -- -*`observer.version`*:: +*`rsa.misc.im_croomtype`*:: + -- -Observer version. - type: keyword -- -[float] -=== organization - -The organization fields enrich data with information about the company or entity the data is associated with. -These fields help you arrange or filter data stored in an index by one or multiple organizations. +*`rsa.misc.im_members`*:: ++ +-- +type: keyword +-- -*`organization.id`*:: +*`rsa.misc.im_username`*:: + -- -Unique identifier for the organization. - type: keyword -- -*`organization.name`*:: +*`rsa.misc.ipkt`*:: + -- -Organization name. - type: keyword -- -*`organization.name.text`*:: +*`rsa.misc.ipscat`*:: + -- -type: text +type: keyword -- -[float] -=== os - -The OS fields contain information about the operating system. +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword +-- -*`os.family`*:: +*`rsa.misc.latitude`*:: + -- -OS family (such as redhat, debian, freebsd, windows). - type: keyword -example: debian - -- -*`os.full`*:: +*`rsa.misc.linenum`*:: + -- -Operating system name, including the version or code name. - type: keyword -example: Mac OS Mojave - -- -*`os.full.text`*:: +*`rsa.misc.list_name`*:: + -- -type: text +type: keyword -- -*`os.kernel`*:: +*`rsa.misc.load_data`*:: + -- -Operating system kernel version as a raw string. - type: keyword -example: 4.4.0-112-generic - -- -*`os.name`*:: +*`rsa.misc.location_floor`*:: + -- -Operating system name, without the version. - type: keyword -example: Mac OS X - -- -*`os.name.text`*:: +*`rsa.misc.location_mark`*:: + -- -type: text +type: keyword -- -*`os.platform`*:: +*`rsa.misc.log_id`*:: + -- -Operating system platform (such centos, ubuntu, windows). - type: keyword -example: darwin - -- -*`os.version`*:: +*`rsa.misc.log_type`*:: + -- -Operating system version as a raw string. - type: keyword -example: 10.14.1 +-- +*`rsa.misc.logid`*:: ++ -- +type: keyword -[float] -=== package +-- -These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. +*`rsa.misc.logip`*:: ++ +-- +type: keyword +-- -*`package.architecture`*:: +*`rsa.misc.logname`*:: + -- -Package architecture. - type: keyword -example: x86_64 - -- -*`package.build_version`*:: +*`rsa.misc.longitude`*:: + -- -Additional information about the build version of the installed package. -For example use the commit SHA of a non-released package. - type: keyword -example: 36f4f7e89dd61b0988b12ee000b98966867710cd - -- -*`package.checksum`*:: +*`rsa.misc.lport`*:: + -- -Checksum of the installed package for verification. - type: keyword -example: 68b329da9893e34099c7d8ad5cb9c940 - -- -*`package.description`*:: +*`rsa.misc.mbug_data`*:: + -- -Description of the package. - type: keyword -example: Open source programming language to build simple/reliable/efficient software. - -- -*`package.install_scope`*:: +*`rsa.misc.misc_name`*:: + -- -Indicating how the package was installed, e.g. user-local, global. - type: keyword -example: global - -- -*`package.installed`*:: +*`rsa.misc.msg_type`*:: + -- -Time when package was installed. - -type: date +type: keyword -- -*`package.license`*:: +*`rsa.misc.msgid`*:: + -- -License under which the package was released. -Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). - type: keyword -example: Apache License 2.0 - -- -*`package.name`*:: +*`rsa.misc.netsessid`*:: + -- -Package name - type: keyword -example: go - -- -*`package.path`*:: +*`rsa.misc.num`*:: + -- -Path where the package is installed. - type: keyword -example: /usr/local/Cellar/go/1.12.9/ - -- -*`package.reference`*:: +*`rsa.misc.number1`*:: + -- -Home page or reference URL of the software in this package, if available. - type: keyword -example: https://golang.org - -- -*`package.size`*:: +*`rsa.misc.number2`*:: + -- -Package size in bytes. - -type: long +type: keyword -example: 62231 +-- -format: string +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword -- -*`package.type`*:: +*`rsa.misc.object`*:: + -- -Type of package. -This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. - type: keyword -example: rpm - -- -*`package.version`*:: +*`rsa.misc.operation`*:: + -- -Package version - type: keyword -example: 1.12.9 +-- +*`rsa.misc.opkt`*:: ++ -- +type: keyword -[float] -=== pe +-- -These fields contain Windows Portable Executable (PE) metadata. +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword +-- -*`pe.company`*:: +*`rsa.misc.owner_id`*:: + -- -Internal company name of the file, provided at compile-time. - type: keyword -example: Microsoft Corporation - -- -*`pe.description`*:: +*`rsa.misc.p_action`*:: + -- -Internal description of the file, provided at compile-time. - type: keyword -example: Paint - -- -*`pe.file_version`*:: +*`rsa.misc.p_filter`*:: + -- -Internal version of the file, provided at compile-time. - type: keyword -example: 6.3.9600.17415 - -- -*`pe.original_file_name`*:: +*`rsa.misc.p_group_object`*:: + -- -Internal name of the file, provided at compile-time. - type: keyword -example: MSPAINT.EXE - -- -*`pe.product`*:: +*`rsa.misc.p_id`*:: + -- -Internal product name of the file, provided at compile-time. - type: keyword -example: Microsoft® Windows® Operating System +-- +*`rsa.misc.p_msgid1`*:: ++ -- +type: keyword -[float] -=== process +-- -These fields contain information about a process. -These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword +-- -*`process.args`*:: +*`rsa.misc.p_result1`*:: + -- -Array of process arguments, starting with the absolute path to the executable. -May be filtered to protect sensitive information. - type: keyword -example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] - -- -*`process.args_count`*:: +*`rsa.misc.password_chg`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. +type: keyword -type: long +-- -example: 4 +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword -- -*`process.code_signature.exists`*:: +*`rsa.misc.permgranted`*:: + -- -Boolean to capture if a signature is present. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword -- -*`process.code_signature.status`*:: +*`rsa.misc.pgid`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`process.code_signature.subject_name`*:: +*`rsa.misc.policyUUID`*:: + -- -Subject name of the code signer - type: keyword -example: Microsoft Corporation - -- -*`process.code_signature.trusted`*:: +*`rsa.misc.prog_asp_num`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.program`*:: ++ +-- +type: keyword -- -*`process.code_signature.valid`*:: +*`rsa.misc.real_data`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword -- -*`process.command_line`*:: +*`rsa.misc.rec_asp_num`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. -Some arguments may be filtered to protect sensitive information. - type: keyword -example: /usr/bin/ssh -l user 10.0.0.16 - -- -*`process.command_line.text`*:: +*`rsa.misc.rec_library`*:: + -- -type: text +type: keyword -- -*`process.entity_id`*:: +*`rsa.misc.recordnum`*:: + -- -Unique identifier for the process. -The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. -Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - type: keyword -example: c2c455d9f99375d - -- -*`process.executable`*:: +*`rsa.misc.ruid`*:: + -- -Absolute path to the process executable. - type: keyword -example: /usr/bin/ssh - -- -*`process.executable.text`*:: +*`rsa.misc.sburb`*:: + -- -type: text +type: keyword -- -*`process.exit_code`*:: +*`rsa.misc.sdomain_fld`*:: + -- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. process start). +type: keyword -type: long +-- -example: 137 +*`rsa.misc.sec`*:: ++ +-- +type: keyword -- -*`process.hash.md5`*:: +*`rsa.misc.sensorname`*:: + -- -MD5 hash. - type: keyword -- -*`process.hash.sha1`*:: +*`rsa.misc.seqnum`*:: + -- -SHA1 hash. - type: keyword -- -*`process.hash.sha256`*:: +*`rsa.misc.session`*:: + -- -SHA256 hash. - type: keyword -- -*`process.hash.sha512`*:: +*`rsa.misc.sessiontype`*:: + -- -SHA512 hash. - type: keyword -- -*`process.name`*:: +*`rsa.misc.sigUUID`*:: + -- -Process name. -Sometimes called program name or similar. - type: keyword -example: ssh - -- -*`process.name.text`*:: +*`rsa.misc.spi`*:: + -- -type: text +type: keyword -- -*`process.parent.args`*:: +*`rsa.misc.srcburb`*:: + -- -Array of process arguments. -May be filtered to protect sensitive information. - type: keyword -example: ['ssh', '-l', 'user', '10.0.0.16'] - -- -*`process.parent.args_count`*:: +*`rsa.misc.srcdom`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. +type: keyword -type: long +-- -example: 4 +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword -- -*`process.parent.code_signature.exists`*:: +*`rsa.misc.state`*:: + -- -Boolean to capture if a signature is present. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.status1`*:: ++ +-- +type: keyword -- -*`process.parent.code_signature.status`*:: +*`rsa.misc.svcno`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. - type: keyword -example: ERROR_UNTRUSTED_ROOT - -- -*`process.parent.code_signature.subject_name`*:: +*`rsa.misc.system`*:: + -- -Subject name of the code signer - type: keyword -example: Microsoft Corporation - -- -*`process.parent.code_signature.trusted`*:: +*`rsa.misc.tbdstr1`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword -- -*`process.parent.code_signature.valid`*:: +*`rsa.misc.tgtdomain`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +type: keyword -type: boolean +-- -example: true +*`rsa.misc.threshold`*:: ++ +-- +type: keyword -- -*`process.parent.command_line`*:: +*`rsa.misc.type1`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. -Some arguments may be filtered to protect sensitive information. - type: keyword -example: /usr/bin/ssh -l user 10.0.0.16 - -- -*`process.parent.command_line.text`*:: +*`rsa.misc.udb_class`*:: + -- -type: text +type: keyword -- -*`process.parent.entity_id`*:: +*`rsa.misc.url_fld`*:: + -- -Unique identifier for the process. -The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. -Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. - type: keyword -example: c2c455d9f99375d - -- -*`process.parent.executable`*:: +*`rsa.misc.user_div`*:: + -- -Absolute path to the process executable. - type: keyword -example: /usr/bin/ssh - -- -*`process.parent.executable.text`*:: +*`rsa.misc.userid`*:: + -- -type: text +type: keyword -- -*`process.parent.exit_code`*:: +*`rsa.misc.username_fld`*:: + -- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. process start). +type: keyword -type: long +-- -example: 137 +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword -- -*`process.parent.hash.md5`*:: +*`rsa.misc.v_instafname`*:: + -- -MD5 hash. - type: keyword -- -*`process.parent.hash.sha1`*:: +*`rsa.misc.virt_data`*:: + -- -SHA1 hash. - type: keyword -- -*`process.parent.hash.sha256`*:: +*`rsa.misc.vpnid`*:: + -- -SHA256 hash. - type: keyword -- -*`process.parent.hash.sha512`*:: +*`rsa.misc.autorun_type`*:: + -- -SHA512 hash. +This is used to capture Auto Run type type: keyword -- -*`process.parent.name`*:: +*`rsa.misc.cc_number`*:: + -- -Process name. -Sometimes called program name or similar. - -type: keyword +Valid Credit Card Numbers only -example: ssh +type: long -- -*`process.parent.name.text`*:: +*`rsa.misc.content`*:: + -- -type: text +This key captures the content type from protocol headers + +type: keyword -- -*`process.parent.pgid`*:: +*`rsa.misc.ein_number`*:: + -- -Identifier of the group of processes the process belongs to. +Employee Identification Numbers only type: long -format: string - -- -*`process.parent.pid`*:: +*`rsa.misc.found`*:: + -- -Process id. +This is used to capture the results of regex match -type: long +type: keyword -example: 4242 +-- -format: string +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword -- -*`process.parent.ppid`*:: +*`rsa.misc.lifetime`*:: + -- -Parent process' pid. +This key is used to capture the session lifetime in seconds. type: long -example: 4241 +-- -format: string +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`process.parent.start`*:: +*`rsa.misc.match`*:: + -- -The time the process started. - -type: date +This key is for regex match name from search.ini -example: 2016-05-23T08:05:34.853Z +type: keyword -- -*`process.parent.thread.id`*:: +*`rsa.misc.param_dst`*:: + -- -Thread ID. +This key captures the command line/launch argument of the target process or file -type: long +type: keyword -example: 4242 +-- -format: string +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword -- -*`process.parent.thread.name`*:: +*`rsa.misc.search_text`*:: + -- -Thread name. +This key captures the Search Text used type: keyword -example: thread-0 - -- -*`process.parent.title`*:: +*`rsa.misc.sig_name`*:: + -- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +This key is used to capture the Signature Name only. type: keyword -- -*`process.parent.title.text`*:: +*`rsa.misc.snmp_value`*:: + -- -type: text +SNMP set request value + +type: keyword -- -*`process.parent.uptime`*:: +*`rsa.misc.streams`*:: + -- -Seconds the process has been up. +This key captures number of streams in session type: long -example: 1325 - -- -*`process.parent.working_directory`*:: + +*`rsa.db.index`*:: + -- -The working directory of the process. +This key captures IndexID of the index. type: keyword -example: /home/alice - -- -*`process.parent.working_directory.text`*:: +*`rsa.db.instance`*:: + -- -type: text +This key is used to capture the database server instance name + +type: keyword -- -*`process.pe.company`*:: +*`rsa.db.database`*:: + -- -Internal company name of the file, provided at compile-time. +This key is used to capture the name of a database or an instance as seen in a session type: keyword -example: Microsoft Corporation - -- -*`process.pe.description`*:: +*`rsa.db.transact_id`*:: + -- -Internal description of the file, provided at compile-time. +This key captures the SQL transantion ID of the current session type: keyword -example: Paint - -- -*`process.pe.file_version`*:: +*`rsa.db.permissions`*:: + -- -Internal version of the file, provided at compile-time. +This key captures permission or privilege level assigned to a resource. type: keyword -example: 6.3.9600.17415 - -- -*`process.pe.original_file_name`*:: +*`rsa.db.table_name`*:: + -- -Internal name of the file, provided at compile-time. +This key is used to capture the table name type: keyword -example: MSPAINT.EXE - -- -*`process.pe.product`*:: +*`rsa.db.db_id`*:: + -- -Internal product name of the file, provided at compile-time. +This key is used to capture the unique identifier for a database type: keyword -example: Microsoft® Windows® Operating System - -- -*`process.pgid`*:: +*`rsa.db.db_pid`*:: + -- -Identifier of the group of processes the process belongs to. +This key captures the process id of a connection with database server type: long -format: string - -- -*`process.pid`*:: +*`rsa.db.lread`*:: + -- -Process id. +This key is used for the number of logical reads type: long -example: 4242 - -format: string - -- -*`process.ppid`*:: +*`rsa.db.lwrite`*:: + -- -Parent process' pid. +This key is used for the number of logical writes type: long -example: 4241 +-- -format: string - --- - -*`process.start`*:: +*`rsa.db.pread`*:: + -- -The time the process started. - -type: date +This key is used for the number of physical writes -example: 2016-05-23T08:05:34.853Z +type: long -- -*`process.thread.id`*:: + +*`rsa.network.alias_host`*:: + -- -Thread ID. +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. -type: long +type: keyword -example: 4242 +-- -format: string +*`rsa.network.domain`*:: ++ +-- +type: keyword -- -*`process.thread.name`*:: +*`rsa.network.host_dst`*:: + -- -Thread name. +This key should only be used when it’s a Destination Hostname type: keyword -example: thread-0 - -- -*`process.title`*:: +*`rsa.network.network_service`*:: + -- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +This is used to capture layer 7 protocols/service names type: keyword -- -*`process.title.text`*:: +*`rsa.network.interface`*:: + -- -type: text +This key should be used when the source or destination context of an interface is not clear + +type: keyword -- -*`process.uptime`*:: +*`rsa.network.network_port`*:: + -- -Seconds the process has been up. +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) type: long -example: 1325 - -- -*`process.working_directory`*:: +*`rsa.network.eth_host`*:: + -- -The working directory of the process. +Deprecated, use alias.mac type: keyword -example: /home/alice - -- -*`process.working_directory.text`*:: +*`rsa.network.sinterface`*:: + -- -type: text - --- - -[float] -=== registry +This key should only be used when it’s a Source Interface -Fields related to Windows Registry operations. +type: keyword +-- -*`registry.data.bytes`*:: +*`rsa.network.dinterface`*:: + -- -Original bytes written with base64 encoding. -For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. +This key should only be used when it’s a Destination Interface type: keyword -example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= - -- -*`registry.data.strings`*:: +*`rsa.network.vlan`*:: + -- -Content when writing string types. -Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). - -type: keyword +This key should only be used to capture the ID of the Virtual LAN -example: ["C:\rta\red_ttp\bin\myapp.exe"] +type: long -- -*`registry.data.type`*:: +*`rsa.network.zone_src`*:: + -- -Standard registry type for encoding contents +This key should only be used when it’s a Source Zone. type: keyword -example: REG_SZ - -- -*`registry.hive`*:: +*`rsa.network.zone`*:: + -- -Abbreviated name for the hive. +This key should be used when the source or destination context of a Zone is not clear type: keyword -example: HKLM - -- -*`registry.key`*:: +*`rsa.network.zone_dst`*:: + -- -Hive-relative path of keys. +This key should only be used when it’s a Destination Zone. type: keyword -example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe - -- -*`registry.path`*:: +*`rsa.network.gateway`*:: + -- -Full path, including hive, key and value +This key is used to capture the IP Address of the gateway type: keyword -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger - -- -*`registry.value`*:: +*`rsa.network.icmp_type`*:: + -- -Name of the value written. - -type: keyword +This key is used to capture the ICMP type only -example: Debugger +type: long -- -[float] -=== related +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. -This field set is meant to facilitate pivoting around a piece of data. -Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. +type: keyword +-- -*`related.hash`*:: +*`rsa.network.icmp_code`*:: + -- -All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). +This key is used to capture the ICMP code only -type: keyword +type: long -- -*`related.ip`*:: +*`rsa.network.protocol_detail`*:: + -- -All of the IPs seen on your event. +This key should be used to capture additional protocol information -type: ip +type: keyword -- -*`related.user`*:: +*`rsa.network.dmask`*:: + -- -All the user names seen on your event. +This key is used for Destionation Device network mask type: keyword -- -[float] -=== rule +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear -Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. -Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +type: long +-- -*`rule.author`*:: +*`rsa.network.smask`*:: + -- -Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. +This key is used for capturing source Network Mask type: keyword -example: ['Star-Lord'] - -- -*`rule.category`*:: +*`rsa.network.netname`*:: + -- -A categorization value keyword used by the entity using the rule for detection of this event. +This key is used to capture the network name associated with an IP range. This is configured by the end user. type: keyword -example: Attempted Information Leak - -- -*`rule.description`*:: +*`rsa.network.paddr`*:: + -- -The description of the rule generating the event. - -type: keyword +Deprecated -example: Block requests to public DNS over HTTPS / TLS protocols +type: ip -- -*`rule.id`*:: +*`rsa.network.faddr`*:: + -- -A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. - type: keyword -example: 101 - -- -*`rule.license`*:: +*`rsa.network.lhost`*:: + -- -Name of the license under which the rule used to generate this event is made available. - type: keyword -example: Apache 2.0 - -- -*`rule.name`*:: +*`rsa.network.origin`*:: + -- -The name of the rule or signature generating the event. - type: keyword -example: BLOCK_DNS_over_TLS - -- -*`rule.reference`*:: +*`rsa.network.remote_domain_id`*:: + -- -Reference URL to additional information about the rule used to generate this event. -The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. - type: keyword -example: https://en.wikipedia.org/wiki/DNS_over_TLS - -- -*`rule.ruleset`*:: +*`rsa.network.addr`*:: + -- -Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. - type: keyword -example: Standard_Protocol_Filters - -- -*`rule.uuid`*:: +*`rsa.network.dns_a_record`*:: + -- -A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. - type: keyword -example: 1100110011 - -- -*`rule.version`*:: +*`rsa.network.dns_ptr_record`*:: + -- -The version / revision of the rule being used for analysis. - type: keyword -example: 1.1 +-- +*`rsa.network.fhost`*:: ++ -- +type: keyword -[float] -=== server +-- -A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. -For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. -Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +*`rsa.network.fport`*:: ++ +-- +type: keyword +-- -*`server.address`*:: +*`rsa.network.laddr`*:: + -- -Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. - type: keyword -- -*`server.as.number`*:: +*`rsa.network.linterface`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +type: keyword -type: long +-- -example: 15169 +*`rsa.network.phost`*:: ++ +-- +type: keyword -- -*`server.as.organization.name`*:: +*`rsa.network.ad_computer_dst`*:: + -- -Organization name. +Deprecated, use host.dst type: keyword -example: Google LLC - -- -*`server.as.organization.name.text`*:: +*`rsa.network.eth_type`*:: + -- -type: text +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long -- -*`server.bytes`*:: +*`rsa.network.ip_proto`*:: + -- -Bytes sent from the server to the client. +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI type: long -example: 184 - -format: bytes - -- -*`server.domain`*:: +*`rsa.network.dns_cname_record`*:: + -- -Server domain. - type: keyword -- -*`server.geo.city_name`*:: +*`rsa.network.dns_id`*:: + -- -City name. - type: keyword -example: Montreal - -- -*`server.geo.continent_name`*:: +*`rsa.network.dns_opcode`*:: + -- -Name of the continent. - type: keyword -example: North America - -- -*`server.geo.country_iso_code`*:: +*`rsa.network.dns_resp`*:: + -- -Country ISO code. - type: keyword -example: CA - -- -*`server.geo.country_name`*:: +*`rsa.network.dns_type`*:: + -- -Country name. - type: keyword -example: Canada - -- -*`server.geo.location`*:: +*`rsa.network.domain1`*:: + -- -Longitude and latitude. +type: keyword -type: geo_point +-- -example: { "lon": -73.614830, "lat": 45.505918 } +*`rsa.network.host_type`*:: ++ +-- +type: keyword -- -*`server.geo.name`*:: +*`rsa.network.packet_length`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. - type: keyword -example: boston-dc - -- -*`server.geo.region_iso_code`*:: +*`rsa.network.host_orig`*:: + -- -Region ISO code. +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -example: CA-QC - -- -*`server.geo.region_name`*:: +*`rsa.network.rpayload`*:: + -- -Region name. +This key is used to capture the total number of payload bytes seen in the retransmitted packets. type: keyword -example: Quebec - -- -*`server.ip`*:: +*`rsa.network.vlan_name`*:: + -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. +This key should only be used to capture the name of the Virtual LAN -type: ip +type: keyword -- -*`server.mac`*:: + +*`rsa.investigations.ec_activity`*:: + -- -MAC address of the server. +This key captures the particular event activity(Ex:Logoff) type: keyword -- -*`server.nat.ip`*:: +*`rsa.investigations.ec_theme`*:: + -- -Translated ip of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. +This key captures the Theme of a particular Event(Ex:Authentication) -type: ip +type: keyword -- -*`server.nat.port`*:: +*`rsa.investigations.ec_subject`*:: + -- -Translated port of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. - -type: long +This key captures the Subject of a particular Event(Ex:User) -format: string +type: keyword -- -*`server.packets`*:: +*`rsa.investigations.ec_outcome`*:: + -- -Packets sent from the server to the client. - -type: long +This key captures the outcome of a particular Event(Ex:Success) -example: 12 +type: keyword -- -*`server.port`*:: +*`rsa.investigations.event_cat`*:: + -- -Port of the server. +This key captures the Event category number type: long -format: string - -- -*`server.registered_domain`*:: +*`rsa.investigations.event_cat_name`*:: + -- -The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +This key captures the event category name corresponding to the event cat code type: keyword -example: google.com - -- -*`server.top_level_domain`*:: +*`rsa.investigations.event_vcat`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. type: keyword -example: co.uk - -- -*`server.user.domain`*:: +*`rsa.investigations.analysis_file`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file type: keyword -- -*`server.user.email`*:: +*`rsa.investigations.analysis_service`*:: + -- -User email address. +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service type: keyword -- -*`server.user.full_name`*:: +*`rsa.investigations.analysis_session`*:: + -- -User's full name, if available. +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session type: keyword -example: Albert Einstein - -- -*`server.user.full_name.text`*:: +*`rsa.investigations.boc`*:: + -- -type: text +This is used to capture behaviour of compromise + +type: keyword -- -*`server.user.group.domain`*:: +*`rsa.investigations.eoc`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +This is used to capture Enablers of Compromise type: keyword -- -*`server.user.group.id`*:: +*`rsa.investigations.inv_category`*:: + -- -Unique identifier for the group on the system/platform. +This used to capture investigation category type: keyword -- -*`server.user.group.name`*:: +*`rsa.investigations.inv_context`*:: + -- -Name of the group. +This used to capture investigation context type: keyword -- -*`server.user.hash`*:: +*`rsa.investigations.ioc`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +This is key capture indicator of compromise type: keyword -- -*`server.user.id`*:: + +*`rsa.counters.dclass_c1`*:: + -- -Unique identifiers of the user. +This is a generic counter key that should be used with the label dclass.c1.str only -type: keyword +type: long -- -*`server.user.name`*:: +*`rsa.counters.dclass_c2`*:: + -- -Short name or login of the user. - -type: keyword +This is a generic counter key that should be used with the label dclass.c2.str only -example: albert +type: long -- -*`server.user.name.text`*:: +*`rsa.counters.event_counter`*:: + -- -type: text - --- - -[float] -=== service +This is used to capture the number of times an event repeated -The service fields describe the service for or from which the data was collected. -These fields help you find and correlate logs for a specific service and version. +type: long +-- -*`service.ephemeral_id`*:: +*`rsa.counters.dclass_r1`*:: + -- -Ephemeral identifier of this service (if one exists). -This id normally changes across restarts, but `service.id` does not. +This is a generic ratio key that should be used with the label dclass.r1.str only type: keyword -example: 8a4f500f - -- -*`service.id`*:: +*`rsa.counters.dclass_c3`*:: + -- -Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. -This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. -Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. - -type: keyword +This is a generic counter key that should be used with the label dclass.c3.str only -example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 +type: long -- -*`service.name`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -Name of the service data is collected from. -The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. -In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -example: elasticsearch-metrics - -- -*`service.node.name`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -Name of a service node. -This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. -In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +This is a generic counter string key that should be used with the label dclass.c2 only type: keyword -example: instance-0000000016 - -- -*`service.state`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -Current state of the service. +This is a generic ratio string key that should be used with the label dclass.r1 only type: keyword -- -*`service.type`*:: +*`rsa.counters.dclass_r2`*:: + -- -The type of the service data is collected from. -The type can be used to group and correlate logs and metrics from one service type. -Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. +This is a generic ratio key that should be used with the label dclass.r2.str only type: keyword -example: elasticsearch - -- -*`service.version`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -Version of the service the data was collected from. -This allows to look at a data set only for a specific version of a service. +This is a generic counter string key that should be used with the label dclass.c3 only type: keyword -example: 3.2.4 - -- -[float] -=== source - -Source fields describe details about the source of a packet/event. -Source fields are usually populated in conjunction with destination fields. - - -*`source.address`*:: +*`rsa.counters.dclass_r3`*:: + -- -Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -- -*`source.as.number`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. - -type: long +This is a generic ratio string key that should be used with the label dclass.r2 only -example: 15169 +type: keyword -- -*`source.as.organization.name`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -Organization name. +This is a generic ratio string key that should be used with the label dclass.r3 only type: keyword -example: Google LLC - -- -*`source.as.organization.name.text`*:: + +*`rsa.identity.auth_method`*:: + -- -type: text +This key is used to capture authentication methods used only + +type: keyword -- -*`source.bytes`*:: +*`rsa.identity.user_role`*:: + -- -Bytes sent from the source to the destination. - -type: long - -example: 184 +This key is used to capture the Role of a user only -format: bytes +type: keyword -- -*`source.domain`*:: +*`rsa.identity.dn`*:: + -- -Source domain. +X.500 (LDAP) Distinguished Name type: keyword -- -*`source.geo.city_name`*:: +*`rsa.identity.logon_type`*:: + -- -City name. +This key is used to capture the type of logon method used. type: keyword -example: Montreal - -- -*`source.geo.continent_name`*:: +*`rsa.identity.profile`*:: + -- -Name of the continent. +This key is used to capture the user profile type: keyword -example: North America - -- -*`source.geo.country_iso_code`*:: +*`rsa.identity.accesses`*:: + -- -Country ISO code. +This key is used to capture actual privileges used in accessing an object type: keyword -example: CA - -- -*`source.geo.country_name`*:: +*`rsa.identity.realm`*:: + -- -Country name. +Radius realm or similar grouping of accounts type: keyword -example: Canada - -- -*`source.geo.location`*:: +*`rsa.identity.user_sid_dst`*:: + -- -Longitude and latitude. - -type: geo_point +This key captures Destination User Session ID -example: { "lon": -73.614830, "lat": 45.505918 } +type: keyword -- -*`source.geo.name`*:: +*`rsa.identity.dn_src`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn type: keyword -example: boston-dc - -- -*`source.geo.region_iso_code`*:: +*`rsa.identity.org`*:: + -- -Region ISO code. +This key captures the User organization type: keyword -example: CA-QC - -- -*`source.geo.region_name`*:: +*`rsa.identity.dn_dst`*:: + -- -Region name. +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -example: Quebec - -- -*`source.ip`*:: +*`rsa.identity.firstname`*:: + -- -IP address of the source. -Can be one or multiple IPv4 or IPv6 addresses. +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information -type: ip +type: keyword -- -*`source.mac`*:: +*`rsa.identity.lastname`*:: + -- -MAC address of the source. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`source.nat.ip`*:: +*`rsa.identity.user_dept`*:: + -- -Translated ip of source based NAT sessions (e.g. internal client to internet) -Typically connections traversing load balancers, firewalls, or routers. +User's Department Names only -type: ip +type: keyword -- -*`source.nat.port`*:: +*`rsa.identity.user_sid_src`*:: + -- -Translated port of source based NAT sessions. (e.g. internal client to internet) -Typically used with load balancers, firewalls, or routers. - -type: long +This key captures Source User Session ID -format: string +type: keyword -- -*`source.packets`*:: +*`rsa.identity.federated_sp`*:: + -- -Packets sent from the source to the destination. - -type: long +This key is the Federated Service Provider. This is the application requesting authentication. -example: 12 +type: keyword -- -*`source.port`*:: +*`rsa.identity.federated_idp`*:: + -- -Port of the source. - -type: long +This key is the federated Identity Provider. This is the server providing the authentication. -format: string +type: keyword -- -*`source.registered_domain`*:: +*`rsa.identity.logon_type_desc`*:: + -- -The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. type: keyword -example: google.com - -- -*`source.top_level_domain`*:: +*`rsa.identity.middlename`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: co.uk - -- -*`source.user.domain`*:: +*`rsa.identity.password`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +This key is for Passwords seen in any session, plain text or encrypted type: keyword -- -*`source.user.email`*:: +*`rsa.identity.host_role`*:: + -- -User email address. +This key should only be used to capture the role of a Host Machine type: keyword -- -*`source.user.full_name`*:: +*`rsa.identity.ldap`*:: + -- -User's full name, if available. +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context type: keyword -example: Albert Einstein - -- -*`source.user.full_name.text`*:: +*`rsa.identity.ldap_query`*:: + -- -type: text +This key is the Search criteria from an LDAP search + +type: keyword -- -*`source.user.group.domain`*:: +*`rsa.identity.ldap_response`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +This key is to capture Results from an LDAP search type: keyword -- -*`source.user.group.id`*:: +*`rsa.identity.owner`*:: + -- -Unique identifier for the group on the system/platform. +This is used to capture username the process or service is running as, the author of the task type: keyword -- -*`source.user.group.name`*:: +*`rsa.identity.service_account`*:: + -- -Name of the group. +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage type: keyword -- -*`source.user.hash`*:: + +*`rsa.email.email_dst`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -- -*`source.user.id`*:: +*`rsa.email.email_src`*:: + -- -Unique identifiers of the user. +This key is used to capture the source email address only, when the source context is not clear use email type: keyword -- -*`source.user.name`*:: +*`rsa.email.subject`*:: + -- -Short name or login of the user. +This key is used to capture the subject string from an Email only. type: keyword -example: albert - -- -*`source.user.name.text`*:: +*`rsa.email.email`*:: + -- -type: text - --- - -[float] -=== threat +This key is used to capture a generic email address where the source or destination context is not clear -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. -These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). +type: keyword +-- -*`threat.framework`*:: +*`rsa.email.trans_from`*:: + -- -Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. +Deprecated key defined only in table map. type: keyword -example: MITRE ATT&CK - -- -*`threat.tactic.id`*:: +*`rsa.email.trans_to`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Deprecated key defined only in table map. type: keyword -example: TA0040 - -- -*`threat.tactic.name`*:: + +*`rsa.file.privilege`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Deprecated, use permissions type: keyword -example: impact - -- -*`threat.tactic.reference`*:: +*`rsa.file.attachment`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +This key captures the attachment file name type: keyword -example: https://attack.mitre.org/tactics/TA0040/ - -- -*`threat.technique.id`*:: +*`rsa.file.filesystem`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) - type: keyword -example: T1499 - -- -*`threat.technique.name`*:: +*`rsa.file.binary`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +Deprecated key defined only in table map. type: keyword -example: endpoint denial of service - -- -*`threat.technique.name.text`*:: +*`rsa.file.filename_dst`*:: + -- -type: text +This is used to capture name of the file targeted by the action + +type: keyword -- -*`threat.technique.reference`*:: +*`rsa.file.filename_src`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +This is used to capture name of the parent filename, the file which performed the action type: keyword -example: https://attack.mitre.org/techniques/T1499/ - -- -[float] -=== tls - -Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. - - -*`tls.cipher`*:: +*`rsa.file.filename_tmp`*:: + -- -String indicating the cipher used during the current connection. - type: keyword -example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - -- -*`tls.client.certificate`*:: +*`rsa.file.directory_dst`*:: + -- -PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. +This key is used to capture the directory of the target process or file type: keyword -example: MII... - -- -*`tls.client.certificate_chain`*:: +*`rsa.file.directory_src`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. +This key is used to capture the directory of the source process or file type: keyword -example: ['MII...', 'MII...'] - -- -*`tls.client.hash.md5`*:: +*`rsa.file.file_entropy`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. - -type: keyword +This is used to capture entropy vale of a file -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +type: double -- -*`tls.client.hash.sha1`*:: +*`rsa.file.file_vendor`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. +This is used to capture Company name of file located in version_info type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A - -- -*`tls.client.hash.sha256`*:: +*`rsa.file.task_name`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. +This is used to capture name of the task type: keyword -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 - -- -*`tls.client.issuer`*:: + +*`rsa.web.fqdn`*:: + -- -Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +Fully Qualified Domain Names type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com - -- -*`tls.client.ja3`*:: +*`rsa.web.web_cookie`*:: + -- -A hash that identifies clients based on how they perform an SSL/TLS handshake. +This key is used to capture the Web cookies specifically. type: keyword -example: d4e5b18d6b55c71272893221c96ba240 - -- -*`tls.client.not_after`*:: +*`rsa.web.alias_host`*:: + -- -Date/Time indicating when client certificate is no longer considered valid. - -type: date - -example: 2021-01-01T00:00:00.000Z +type: keyword -- -*`tls.client.not_before`*:: +*`rsa.web.reputation_num`*:: + -- -Date/Time indicating when client certificate is first considered valid. - -type: date +Reputation Number of an entity. Typically used for Web Domains -example: 1970-01-01T00:00:00.000Z +type: double -- -*`tls.client.server_name`*:: +*`rsa.web.web_ref_domain`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. +Web referer's domain type: keyword -example: www.elastic.co - -- -*`tls.client.subject`*:: +*`rsa.web.web_ref_query`*:: + -- -Distinguished name of subject of the x.509 certificate presented by the client. +This key captures Web referer's query portion of the URL type: keyword -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com - -- -*`tls.client.supported_ciphers`*:: +*`rsa.web.remote_domain`*:: + -- -Array of ciphers offered by the client during the client hello. - type: keyword -example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...'] - -- -*`tls.curve`*:: +*`rsa.web.web_ref_page`*:: + -- -String indicating the curve used for the given cipher, when applicable. +This key captures Web referer's page information type: keyword -example: secp256r1 - -- -*`tls.established`*:: +*`rsa.web.web_ref_root`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +Web referer's root URL path -type: boolean +type: keyword -- -*`tls.next_protocol`*:: +*`rsa.web.cn_asn_dst`*:: + -- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. - type: keyword -example: http/1.1 - -- -*`tls.resumed`*:: +*`rsa.web.cn_rpackets`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. - -type: boolean +type: keyword -- -*`tls.server.certificate`*:: +*`rsa.web.urlpage`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. - type: keyword -example: MII... - -- -*`tls.server.certificate_chain`*:: +*`rsa.web.urlroot`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. - type: keyword -example: ['MII...', 'MII...'] - -- -*`tls.server.hash.md5`*:: +*`rsa.web.p_url`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC - -- -*`tls.server.hash.sha1`*:: +*`rsa.web.p_user_agent`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A - -- -*`tls.server.hash.sha256`*:: +*`rsa.web.p_web_cookie`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. - type: keyword -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 - -- -*`tls.server.issuer`*:: +*`rsa.web.p_web_method`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. - type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com - -- -*`tls.server.ja3s`*:: +*`rsa.web.p_web_referer`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. - type: keyword -example: 394441ab65754e2207b1e1b457b3641d - -- -*`tls.server.not_after`*:: +*`rsa.web.web_extension_tmp`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. - -type: date - -example: 2021-01-01T00:00:00.000Z +type: keyword -- -*`tls.server.not_before`*:: +*`rsa.web.web_page`*:: + -- -Timestamp indicating when server certificate is first considered valid. - -type: date - -example: 1970-01-01T00:00:00.000Z +type: keyword -- -*`tls.server.subject`*:: + +*`rsa.threat.threat_category`*:: + -- -Subject of the x.509 certificate presented by the server. +This key captures Threat Name/Threat Category/Categorization of alert type: keyword -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com - -- -*`tls.version`*:: +*`rsa.threat.threat_desc`*:: + -- -Numeric part of the version parsed from the original string. +This key is used to capture the threat description from the session directly or inferred type: keyword -example: 1.2 - -- -*`tls.version_protocol`*:: +*`rsa.threat.alert`*:: + -- -Normalized lowercase protocol name parsed from original string. +This key is used to capture name of the alert type: keyword -example: tls +-- +*`rsa.threat.threat_source`*:: ++ -- +This key is used to capture source of the threat -[float] -=== tracing +type: keyword -Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. +-- -*`tracing.trace.id`*:: +*`rsa.crypto.crypto`*:: + -- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. +This key is used to capture the Encryption Type or Encryption Key only type: keyword -example: 4bf92f3577b34da6a3ce929d0e0e4736 - -- -*`tracing.transaction.id`*:: +*`rsa.crypto.cipher_src`*:: + -- -Unique identifier of the transaction. -A transaction is the highest level of work measured within a service, such as a request to a server. +This key is for Source (Client) Cipher type: keyword -example: 00f067aa0ba902b7 - -- -[float] -=== url +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. +type: keyword +-- -*`url.domain`*:: +*`rsa.crypto.peer`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +This key is for Encryption peer's IP Address type: keyword -example: www.elastic.co - -- -*`url.extension`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -The field contains the file extension from the original request url. -The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". - -type: keyword +This key captures Source (Client) Cipher Size -example: png +type: long -- -*`url.fragment`*:: +*`rsa.crypto.ike`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +IKE negotiation phase. type: keyword -- -*`url.full`*:: +*`rsa.crypto.scheme`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +This key captures the Encryption scheme used type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top - -- -*`url.full.text`*:: +*`rsa.crypto.peer_id`*:: + -- -type: text +This key is for Encryption peer’s identity + +type: keyword -- -*`url.original`*:: +*`rsa.crypto.sig_type`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +This key captures the Signature Type type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - -- -*`url.original.text`*:: +*`rsa.crypto.cert_issuer`*:: + -- -type: text +type: keyword -- -*`url.password`*:: +*`rsa.crypto.cert_host_name`*:: + -- -Password of the request. +Deprecated key defined only in table map. type: keyword -- -*`url.path`*:: +*`rsa.crypto.cert_error`*:: + -- -Path of the request, such as "/search". +This key captures the Certificate Error String type: keyword -- -*`url.port`*:: +*`rsa.crypto.cipher_dst`*:: + -- -Port of the request, such as 443. +This key is for Destination (Server) Cipher -type: long +type: keyword -example: 443 +-- -format: string +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long -- -*`url.query`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -The query field describes the query string of the request, such as "q=elasticsearch". -The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. +Deprecated, use version type: keyword -- -*`url.registered_domain`*:: +*`rsa.crypto.d_certauth`*:: + -- -The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". - type: keyword -example: google.com +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword -- -*`url.scheme`*:: +*`rsa.crypto.ike_cookie1`*:: + -- -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. +ID of the negotiation — sent for ISAKMP Phase One type: keyword -example: https - -- -*`url.top_level_domain`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +ID of the negotiation — sent for ISAKMP Phase Two type: keyword -example: co.uk - -- -*`url.username`*:: +*`rsa.crypto.cert_checksum`*:: + -- -Username of the request. - type: keyword -- -[float] -=== user +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate -The user fields describe information about the user that is relevant to the event. -Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +type: keyword +-- -*`user.domain`*:: +*`rsa.crypto.cert_serial`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +This key is used to capture the Certificate serial number only type: keyword -- -*`user.email`*:: +*`rsa.crypto.cert_status`*:: + -- -User email address. +This key captures Certificate validation status type: keyword -- -*`user.full_name`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -User's full name, if available. +Deprecated, use version type: keyword -example: Albert Einstein - -- -*`user.full_name.text`*:: +*`rsa.crypto.cert_keysize`*:: + -- -type: text +type: keyword -- -*`user.group.domain`*:: +*`rsa.crypto.cert_username`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - type: keyword -- -*`user.group.id`*:: +*`rsa.crypto.https_insact`*:: + -- -Unique identifier for the group on the system/platform. - type: keyword -- -*`user.group.name`*:: +*`rsa.crypto.https_valid`*:: + -- -Name of the group. - type: keyword -- -*`user.hash`*:: +*`rsa.crypto.cert_ca`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +This key is used to capture the Certificate signing authority only type: keyword -- -*`user.id`*:: +*`rsa.crypto.cert_common`*:: + -- -Unique identifiers of the user. +This key is used to capture the Certificate common name only type: keyword -- -*`user.name`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -Short name or login of the user. +This key is used to capture the ssid of a Wireless Session type: keyword -example: albert - -- -*`user.name.text`*:: +*`rsa.wireless.access_point`*:: + -- -type: text +This key is used to capture the access point name. + +type: keyword -- -[float] -=== user_agent +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names -The user_agent fields normally come from a browser request. -They often show up in web service logs coming from the parsed user agent string. +type: long +-- -*`user_agent.device.name`*:: +*`rsa.wireless.wlan_name`*:: + -- -Name of the device. +This key captures either WLAN number/name type: keyword -example: iPhone - -- -*`user_agent.name`*:: + +*`rsa.storage.disk_volume`*:: + -- -Name of the user agent. +A unique name assigned to logical units (volumes) within a physical disk type: keyword -example: Safari - -- -*`user_agent.original`*:: +*`rsa.storage.lun`*:: + -- -Unparsed user_agent string. +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 - -- -*`user_agent.original.text`*:: +*`rsa.storage.pwwn`*:: + -- -type: text +This uniquely identifies a port on a HBA. + +type: keyword -- -*`user_agent.os.family`*:: + +*`rsa.physical.org_dst`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -example: debian - -- -*`user_agent.os.full`*:: +*`rsa.physical.org_src`*:: + -- -Operating system name, including the version or code name. +This is used to capture the source organization based on the GEOPIP Maxmind database. type: keyword -example: Mac OS Mojave - -- -*`user_agent.os.full.text`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -type: text +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`user_agent.os.kernel`*:: +*`rsa.healthcare.patient_id`*:: + -- -Operating system kernel version as a raw string. +This key captures the unique ID for a patient type: keyword -example: 4.4.0-112-generic - -- -*`user_agent.os.name`*:: +*`rsa.healthcare.patient_lname`*:: + -- -Operating system name, without the version. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -example: Mac OS X - -- -*`user_agent.os.name.text`*:: +*`rsa.healthcare.patient_mname`*:: + -- -type: text +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`user_agent.os.platform`*:: + +*`rsa.endpoint.host_state`*:: + -- -Operating system platform (such centos, ubuntu, windows). +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -example: darwin - -- -*`user_agent.os.version`*:: +*`rsa.endpoint.registry_key`*:: + -- -Operating system version as a raw string. +This key captures the path to the registry key type: keyword -example: 10.14.1 - -- -*`user_agent.version`*:: +*`rsa.endpoint.registry_value`*:: + -- -Version of the user agent. +This key captures values or decorators used within a registry entry type: keyword -example: 12.0 - -- -[float] -=== vlan +[[exported-fields-docker-processor]] +== Docker fields -The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. -Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. -Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. -Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. +Docker stats collected from Docker. -*`vlan.id`*:: + + +*`docker.container.id`*:: + -- -VLAN ID as reported by the observer. - -type: keyword +type: alias -example: 10 +alias to: container.id -- -*`vlan.name`*:: +*`docker.container.image`*:: + -- -Optional VLAN name as reported by the observer. - -type: keyword +type: alias -example: outside +alias to: container.image.name -- -[float] -=== vulnerability +*`docker.container.name`*:: ++ +-- +type: alias -The vulnerability fields describe information about a vulnerability that is relevant to an event. +alias to: container.name +-- -*`vulnerability.category`*:: +*`docker.container.labels`*:: + -- -The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) -This field must be an array. +Image labels. -type: keyword -example: ["Firewall"] +type: object -- -*`vulnerability.classification`*:: +[[exported-fields-ecs]] +== ECS fields + +ECS Fields. + + +*`@timestamp`*:: + -- -The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) +Date/time when the event originated. +This is the date/time extracted from the event, typically representing when the event was generated by the source. +If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. +Required field for all events. -type: keyword +type: date -example: CVSS +example: 2016-05-23T08:05:34.853Z + +required: True -- -*`vulnerability.description`*:: +*`labels`*:: + -- -The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) +Custom key/value pairs. +Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. +Example: `docker` and `k8s` labels. -type: keyword +type: object -example: In macOS before 2.12.6, there is a vulnerability in the RPC... +example: {"application": "foo-bar", "env": "production"} -- -*`vulnerability.description.text`*:: +*`message`*:: + -- +For log events the message field contains the log message, optimized for viewing in a log viewer. +For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. +If multiple messages exist, they can be combined into one message. + type: text +example: Hello World + -- -*`vulnerability.enumeration`*:: +*`tags`*:: + -- -The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) +List of keywords used to tag each event. type: keyword -example: CVE +example: ["production", "env2"] -- -*`vulnerability.id`*:: +[float] +=== agent + +The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. +Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. + + +*`agent.build.original`*:: + -- -The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. type: keyword -example: CVE-2019-00001 +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] -- -*`vulnerability.reference`*:: +*`agent.ephemeral_id`*:: + -- -A resource that provides additional information, context, and mitigations for the identified vulnerability. +Ephemeral identifier of this agent (if one exists). +This id normally changes across restarts, but `agent.id` does not. type: keyword -example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 +example: 8a4f500f -- -*`vulnerability.report_id`*:: +*`agent.id`*:: + -- -The report or scan identification number. +Unique identifier of this agent (if one exists). +Example: For Beats this would be beat.id. type: keyword -example: 20191018.0001 +example: 8a4f500d -- -*`vulnerability.scanner.vendor`*:: +*`agent.name`*:: + -- -The name of the vulnerability scanner vendor. +Custom name of the agent. +This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. +If no name is given, the name is often left empty. type: keyword -example: Tenable +example: foo -- -*`vulnerability.score.base`*:: +*`agent.type`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) +Type of the agent. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. -type: float +type: keyword -example: 5.5 +example: filebeat -- -*`vulnerability.score.environmental`*:: +*`agent.version`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) +Version of the agent. -type: float +type: keyword -example: 5.5 +example: 6.0.0-rc2 -- -*`vulnerability.score.temporal`*:: -+ --- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) +[float] +=== as -type: float +An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet. --- -*`vulnerability.score.version`*:: +*`as.number`*:: + -- -The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. -CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -type: keyword +type: long -example: 2.0 +example: 15169 -- -*`vulnerability.severity`*:: +*`as.organization.name`*:: + -- -The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) +Organization name. type: keyword -example: Critical +example: Google LLC -- -[[exported-fields-elasticsearch]] -== Elasticsearch fields - -elasticsearch Module - +*`as.organization.name.text`*:: ++ +-- +type: text +-- [float] -=== elasticsearch - +=== client +A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. -*`elasticsearch.component`*:: +*`client.address`*:: + -- -Elasticsearch component from where the log event originated +Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. type: keyword -example: o.e.c.m.MetaDataCreateIndexService - -- -*`elasticsearch.cluster.uuid`*:: +*`client.as.number`*:: + -- -UUID of the cluster +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -type: keyword +type: long -example: GmvrbHlNTiSVYiPf8kxg9g +example: 15169 -- -*`elasticsearch.cluster.name`*:: +*`client.as.organization.name`*:: + -- -Name of the cluster +Organization name. type: keyword -example: docker-cluster +example: Google LLC -- -*`elasticsearch.node.id`*:: +*`client.as.organization.name.text`*:: + -- -ID of the node +type: text -type: keyword +-- -example: DSiWcTyeThWtUXLB9J0BMw +*`client.bytes`*:: ++ +-- +Bytes sent from the client to the server. + +type: long + +example: 184 + +format: bytes -- -*`elasticsearch.node.name`*:: +*`client.domain`*:: + -- -Name of the node +Client domain. type: keyword -example: vWNJsZ3 - -- -*`elasticsearch.index.name`*:: +*`client.geo.city_name`*:: + -- -Index name +City name. type: keyword -example: filebeat-test-input +example: Montreal -- -*`elasticsearch.index.id`*:: +*`client.geo.continent_name`*:: + -- -Index id +Name of the continent. type: keyword -example: aOGgDwbURfCV57AScqbCgw +example: North America -- -*`elasticsearch.shard.id`*:: +*`client.geo.country_iso_code`*:: + -- -Id of the shard +Country ISO code. type: keyword -example: 0 +example: CA -- -[float] -=== audit +*`client.geo.country_name`*:: ++ +-- +Country name. +type: keyword +example: Canada +-- -*`elasticsearch.audit.layer`*:: +*`client.geo.location`*:: + -- -The layer from which this event originated: rest, transport or ip_filter +Longitude and latitude. -type: keyword +type: geo_point -example: rest +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`elasticsearch.audit.event_type`*:: +*`client.geo.name`*:: + -- -The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword -example: access_granted +example: boston-dc -- -*`elasticsearch.audit.origin.type`*:: +*`client.geo.region_iso_code`*:: + -- -Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request) +Region ISO code. type: keyword -example: local_node +example: CA-QC -- -*`elasticsearch.audit.realm`*:: +*`client.geo.region_name`*:: + -- -The authentication realm the authentication was validated against +Region name. type: keyword +example: Quebec + -- -*`elasticsearch.audit.user.realm`*:: +*`client.ip`*:: + -- -The user's authentication realm, if authenticated +IP address of the client (IPv4 or IPv6). -type: keyword +type: ip -- -*`elasticsearch.audit.user.roles`*:: +*`client.mac`*:: + -- -Roles to which the principal belongs +MAC address of the client. type: keyword -example: ['kibana_user', 'beats_admin'] - -- -*`elasticsearch.audit.action`*:: +*`client.nat.ip`*:: + -- -The name of the action that was executed - -type: keyword +Translated IP of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. -example: cluster:monitor/main +type: ip -- -*`elasticsearch.audit.url.params`*:: +*`client.nat.port`*:: + -- -REST URI parameters +Translated port of source based NAT sessions (e.g. internal client to internet). +Typically connections traversing load balancers, firewalls, or routers. -example: {username=jacknich2} +type: long + +format: string -- -*`elasticsearch.audit.indices`*:: +*`client.packets`*:: + -- -Indices accessed by action +Packets sent from the client to the server. -type: keyword +type: long -example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'] +example: 12 -- -*`elasticsearch.audit.request.id`*:: +*`client.port`*:: + -- -Unique ID of request +Port of the client. -type: keyword +type: long -example: WzL_kb6VSvOhAq0twPvHOQ +format: string -- -*`elasticsearch.audit.request.name`*:: +*`client.registered_domain`*:: + -- -The type of request that was executed +The highest registered client domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: ClearScrollRequest +example: example.com -- -*`elasticsearch.audit.request_body`*:: +*`client.top_level_domain`*:: + -- -type: alias +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". -alias to: http.request.body.content +type: keyword + +example: co.uk -- -*`elasticsearch.audit.origin_address`*:: +*`client.user.domain`*:: + -- -type: alias +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. -alias to: source.ip +type: keyword -- -*`elasticsearch.audit.uri`*:: +*`client.user.email`*:: + -- -type: alias +User email address. -alias to: url.original +type: keyword -- -*`elasticsearch.audit.principal`*:: +*`client.user.full_name`*:: + -- -type: alias +User's full name, if available. -alias to: user.name +type: keyword + +example: Albert Einstein -- -*`elasticsearch.audit.message`*:: +*`client.user.full_name.text`*:: + -- type: text -- -[float] -=== deprecation - - - -[float] -=== gc - -GC fileset fields. - - - -[float] -=== phase - -Fields specific to GC phase. +*`client.user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. +type: keyword +-- -*`elasticsearch.gc.phase.name`*:: +*`client.user.group.id`*:: + -- -Name of the GC collection phase. - +Unique identifier for the group on the system/platform. type: keyword -- -*`elasticsearch.gc.phase.duration_sec`*:: +*`client.user.group.name`*:: + -- -Collection phase duration according to the Java virtual machine. - +Name of the group. -type: float +type: keyword -- -*`elasticsearch.gc.phase.scrub_symbol_table_time_sec`*:: +*`client.user.hash`*:: + -- -Pause time in seconds cleaning up symbol tables. - +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. -type: float +type: keyword -- -*`elasticsearch.gc.phase.scrub_string_table_time_sec`*:: +*`client.user.id`*:: + -- -Pause time in seconds cleaning up string tables. - +Unique identifier of the user. -type: float +type: keyword -- -*`elasticsearch.gc.phase.weak_refs_processing_time_sec`*:: +*`client.user.name`*:: + -- -Time spent processing weak references in seconds. +Short name or login of the user. +type: keyword -type: float +example: albert -- -*`elasticsearch.gc.phase.parallel_rescan_time_sec`*:: +*`client.user.name.text`*:: + -- -Time spent in seconds marking live objects while application is stopped. - - -type: float +type: text -- -*`elasticsearch.gc.phase.class_unload_time_sec`*:: +*`client.user.roles`*:: + -- -Time spent unloading unused classes in seconds. +Array of user roles at the time of the event. +type: keyword -type: float +example: ["kibana_admin", "reporting_user"] -- [float] -=== cpu_time - -Process CPU time spent performing collections. +=== cloud +Fields related to the cloud or infrastructure the events are coming from. -*`elasticsearch.gc.phase.cpu_time.user_sec`*:: +*`cloud.account.id`*:: + -- -CPU time spent outside the kernel. +The cloud account or organization id used to identify different entities in a multi-tenant environment. +Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. +type: keyword -type: float +example: 666777888999 -- -*`elasticsearch.gc.phase.cpu_time.sys_sec`*:: +*`cloud.account.name`*:: + -- -CPU time spent inside the kernel. +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. +type: keyword -type: float +example: elastic-dev -- -*`elasticsearch.gc.phase.cpu_time.real_sec`*:: +*`cloud.availability_zone`*:: + -- -Total elapsed CPU time spent to complete the collection from start to finish. +Availability zone in which this host is running. +type: keyword -type: float +example: us-east-1c -- -*`elasticsearch.gc.jvm_runtime_sec`*:: +*`cloud.instance.id`*:: + -- -The time from JVM start up in seconds, as a floating point number. +Instance ID of the host machine. +type: keyword -type: float +example: i-1234567890abcdef0 -- -*`elasticsearch.gc.threads_total_stop_time_sec`*:: +*`cloud.instance.name`*:: + -- -Garbage collection threads total stop time seconds. - +Instance name of the host machine. -type: float +type: keyword -- -*`elasticsearch.gc.stopping_threads_time_sec`*:: +*`cloud.machine.type`*:: + -- -Time took to stop threads seconds. +Machine type of the host machine. +type: keyword -type: float +example: t2.medium -- -*`elasticsearch.gc.tags`*:: +*`cloud.project.id`*:: + -- -GC logging tags. - +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. type: keyword +example: my-project + -- -[float] -=== heap +*`cloud.project.name`*:: ++ +-- +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. -Heap allocation and total size. +type: keyword +example: my project +-- -*`elasticsearch.gc.heap.size_kb`*:: +*`cloud.provider`*:: + -- -Total heap size in kilobytes. +Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. +type: keyword -type: integer +example: aws -- -*`elasticsearch.gc.heap.used_kb`*:: +*`cloud.region`*:: + -- -Used heap in kilobytes. +Region in which this host is running. +type: keyword -type: integer +example: us-east-1 -- [float] -=== old_gen - -Old generation occupancy and total size. +=== code_signature +These fields contain information about binary code signatures. -*`elasticsearch.gc.old_gen.size_kb`*:: +*`code_signature.exists`*:: + -- -Total size of old generation in kilobytes. +Boolean to capture if a signature is present. +type: boolean -type: integer +example: true -- -*`elasticsearch.gc.old_gen.used_kb`*:: +*`code_signature.status`*:: + -- -Old generation occupancy in kilobytes. +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +type: keyword -type: integer +example: ERROR_UNTRUSTED_ROOT -- -[float] -=== young_gen +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer -Young generation occupancy and total size. +type: keyword +example: Microsoft Corporation +-- -*`elasticsearch.gc.young_gen.size_kb`*:: +*`code_signature.trusted`*:: + -- -Total size of young generation in kilobytes. +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +type: boolean -type: integer +example: true -- -*`elasticsearch.gc.young_gen.used_kb`*:: +*`code_signature.valid`*:: + -- -Young generation occupancy in kilobytes. +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. +type: boolean -type: integer +example: true -- [float] -=== server +=== container -Server log file +Container fields are used for meta information about the specific container that is the source of information. +These fields help correlate data based containers from any runtime. -*`elasticsearch.server.stacktrace`*:: +*`container.id`*:: + -- -Field is not indexed. - --- - -[float] -=== gc - -GC log - - -[float] -=== young +Unique container id. -Young GC +type: keyword +-- -*`elasticsearch.server.gc.young.one`*:: +*`container.image.name`*:: + -- +Name of the image the container was built on. - -type: long - -example: +type: keyword -- -*`elasticsearch.server.gc.young.two`*:: +*`container.image.tag`*:: + -- +Container image tags. - -type: long - -example: +type: keyword -- -*`elasticsearch.server.gc.overhead_seq`*:: +*`container.labels`*:: + -- -Sequence number - -type: long +Image labels. -example: 3449992 +type: object -- -*`elasticsearch.server.gc.collection_duration.ms`*:: +*`container.name`*:: + -- -Time spent in GC, in milliseconds - -type: float +Container name. -example: 1600 +type: keyword -- -*`elasticsearch.server.gc.observation_duration.ms`*:: +*`container.runtime`*:: + -- -Total time over which collection was observed, in milliseconds +Runtime managing this container. -type: float +type: keyword -example: 1800 +example: docker -- [float] -=== slowlog +=== destination -Slowlog events from Elasticsearch +Destination fields describe details about the destination of a packet/event. +Destination fields are usually populated in conjunction with source fields. -*`elasticsearch.slowlog.logger`*:: +*`destination.address`*:: + -- -Logger name +Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. type: keyword -example: index.search.slowlog.fetch - -- -*`elasticsearch.slowlog.took`*:: +*`destination.as.number`*:: + -- -Time it took to execute the query +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. -type: keyword +type: long -example: 300ms +example: 15169 -- -*`elasticsearch.slowlog.types`*:: +*`destination.as.organization.name`*:: + -- -Types +Organization name. type: keyword -example: +example: Google LLC -- -*`elasticsearch.slowlog.stats`*:: +*`destination.as.organization.name.text`*:: + -- -Stats groups - -type: keyword - -example: group1 +type: text -- -*`elasticsearch.slowlog.search_type`*:: +*`destination.bytes`*:: + -- -Search type +Bytes sent from the destination to the source. -type: keyword +type: long -example: QUERY_THEN_FETCH +example: 184 + +format: bytes -- -*`elasticsearch.slowlog.source_query`*:: +*`destination.domain`*:: + -- -Slow query +Destination domain. type: keyword -example: {"query":{"match_all":{"boost":1.0}}} - -- -*`elasticsearch.slowlog.extra_source`*:: +*`destination.geo.city_name`*:: + -- -Extra source information +City name. type: keyword -example: +example: Montreal -- -*`elasticsearch.slowlog.total_hits`*:: +*`destination.geo.continent_name`*:: + -- -Total hits +Name of the continent. type: keyword -example: 42 +example: North America -- -*`elasticsearch.slowlog.total_shards`*:: +*`destination.geo.country_iso_code`*:: + -- -Total queried shards +Country ISO code. type: keyword -example: 22 +example: CA -- -*`elasticsearch.slowlog.routing`*:: +*`destination.geo.country_name`*:: + -- -Routing +Country name. type: keyword -example: s01HZ2QBk9jw4gtgaFtn +example: Canada -- -*`elasticsearch.slowlog.id`*:: +*`destination.geo.location`*:: + -- -Id +Longitude and latitude. -type: keyword +type: geo_point -example: +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`elasticsearch.slowlog.type`*:: +*`destination.geo.name`*:: + -- -Type +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword -example: doc +example: boston-dc -- -*`elasticsearch.slowlog.source`*:: +*`destination.geo.region_iso_code`*:: + -- -Source of document that was indexed +Region ISO code. type: keyword --- +example: CA-QC -[[exported-fields-envoyproxy]] -== Envoyproxy fields +-- -Module for handling logs produced by envoy +*`destination.geo.region_name`*:: ++ +-- +Region name. +type: keyword +example: Quebec -[float] -=== envoyproxy +-- -Fields from envoy proxy logs after normalization +*`destination.ip`*:: ++ +-- +IP address of the destination (IPv4 or IPv6). +type: ip +-- -*`envoyproxy.log_type`*:: +*`destination.mac`*:: + -- -Envoy log type, normally ACCESS - +MAC address of the destination. type: keyword -- -*`envoyproxy.response_flags`*:: +*`destination.nat.ip`*:: + -- -Response flags - +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. -type: keyword +type: ip -- -*`envoyproxy.upstream_service_time`*:: +*`destination.nat.port`*:: + -- -Upstream service time in nanoseconds - +Port the source session is translated to by NAT Device. +Typically used with load balancers, firewalls, or routers. type: long -format: duration +format: string -- -*`envoyproxy.request_id`*:: +*`destination.packets`*:: + -- -ID of the request +Packets sent from the destination to the source. +type: long -type: keyword +example: 12 -- -*`envoyproxy.authority`*:: +*`destination.port`*:: + -- -Envoy proxy authority field +Port of the destination. +type: long -type: keyword +format: string -- -*`envoyproxy.proxy_type`*:: +*`destination.registered_domain`*:: + -- -Envoy proxy type, tcp or http - +The highest registered destination domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword +example: example.com + -- -[[exported-fields-f5]] -== Big-IP Access Policy Manager fields +*`destination.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". -f5 fields. +type: keyword +example: co.uk +-- -*`network.interface.name`*:: +*`destination.user.domain`*:: + -- -Name of the network interface where the traffic has been observed. - +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- - - -*`rsa.internal.msg`*:: +*`destination.user.email`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder +User email address. type: keyword -- -*`rsa.internal.messageid`*:: +*`destination.user.full_name`*:: + -- +User's full name, if available. + type: keyword +example: Albert Einstein + -- -*`rsa.internal.event_desc`*:: +*`destination.user.full_name.text`*:: + -- -type: keyword +type: text -- -*`rsa.internal.message`*:: +*`destination.user.group.domain`*:: + -- -This key captures the contents of instant messages +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`rsa.internal.time`*:: +*`destination.user.group.id`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. +Unique identifier for the group on the system/platform. -type: date +type: keyword -- -*`rsa.internal.level`*:: +*`destination.user.group.name`*:: + -- -Deprecated key defined only in table map. +Name of the group. -type: long +type: keyword -- -*`rsa.internal.msg_id`*:: +*`destination.user.hash`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. type: keyword -- -*`rsa.internal.msg_vid`*:: +*`destination.user.id`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Unique identifier of the user. type: keyword -- -*`rsa.internal.data`*:: +*`destination.user.name`*:: + -- -Deprecated key defined only in table map. +Short name or login of the user. type: keyword +example: albert + -- -*`rsa.internal.obj_server`*:: +*`destination.user.name.text`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: text -- -*`rsa.internal.obj_val`*:: +*`destination.user.roles`*:: + -- -Deprecated key defined only in table map. +Array of user roles at the time of the event. type: keyword --- +example: ["kibana_admin", "reporting_user"] -*`rsa.internal.resource`*:: -+ -- -Deprecated key defined only in table map. -type: keyword - --- +[float] +=== dll -*`rsa.internal.obj_id`*:: -+ --- -Deprecated key defined only in table map. +These fields contain information about code libraries dynamically loaded into processes. -type: keyword +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS --- -*`rsa.internal.statement`*:: +*`dll.code_signature.exists`*:: + -- -Deprecated key defined only in table map. +Boolean to capture if a signature is present. -type: keyword +type: boolean + +example: true -- -*`rsa.internal.audit_class`*:: +*`dll.code_signature.status`*:: + -- -Deprecated key defined only in table map. +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword +example: ERROR_UNTRUSTED_ROOT + -- -*`rsa.internal.entry`*:: +*`dll.code_signature.subject_name`*:: + -- -Deprecated key defined only in table map. +Subject name of the code signer type: keyword +example: Microsoft Corporation + -- -*`rsa.internal.hcode`*:: +*`dll.code_signature.trusted`*:: + -- -Deprecated key defined only in table map. +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: keyword +type: boolean + +example: true -- -*`rsa.internal.inode`*:: +*`dll.code_signature.valid`*:: + -- -Deprecated key defined only in table map. +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -type: long +type: boolean + +example: true -- -*`rsa.internal.resource_class`*:: +*`dll.hash.md5`*:: + -- -Deprecated key defined only in table map. +MD5 hash. type: keyword -- -*`rsa.internal.dead`*:: +*`dll.hash.sha1`*:: + -- -Deprecated key defined only in table map. +SHA1 hash. -type: long +type: keyword -- -*`rsa.internal.feed_desc`*:: +*`dll.hash.sha256`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +SHA256 hash. type: keyword -- -*`rsa.internal.feed_name`*:: +*`dll.hash.sha512`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +SHA512 hash. type: keyword -- -*`rsa.internal.cid`*:: +*`dll.name`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Name of the library. +This generally maps to the name of the file on disk. type: keyword +example: kernel32.dll + -- -*`rsa.internal.device_class`*:: +*`dll.path`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Full file path of the library. type: keyword +example: C:\Windows\System32\kernel32.dll + -- -*`rsa.internal.device_group`*:: +*`dll.pe.architecture`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +CPU architecture target for the file. type: keyword +example: x64 + -- -*`rsa.internal.device_host`*:: +*`dll.pe.company`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Internal company name of the file, provided at compile-time. type: keyword +example: Microsoft Corporation + -- -*`rsa.internal.device_ip`*:: +*`dll.pe.description`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Internal description of the file, provided at compile-time. -type: ip +type: keyword + +example: Paint -- -*`rsa.internal.device_ipv6`*:: +*`dll.pe.file_version`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Internal version of the file, provided at compile-time. -type: ip +type: keyword + +example: 6.3.9600.17415 -- -*`rsa.internal.device_type`*:: +*`dll.pe.imphash`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`rsa.internal.device_type_id`*:: +*`dll.pe.original_file_name`*:: + -- -Deprecated key defined only in table map. +Internal name of the file, provided at compile-time. -type: long +type: keyword + +example: MSPAINT.EXE -- -*`rsa.internal.did`*:: +*`dll.pe.product`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Internal product name of the file, provided at compile-time. type: keyword --- +example: Microsoft® Windows® Operating System -*`rsa.internal.entropy_req`*:: -+ -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: long +[float] +=== dns --- +Fields describing DNS queries and answers. +DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`). -*`rsa.internal.entropy_res`*:: + +*`dns.answers`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +An array containing an object for each answer section returned by the server. +The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. +Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. -type: long +type: object -- -*`rsa.internal.event_name`*:: +*`dns.answers.class`*:: + -- -Deprecated key defined only in table map. +The class of DNS data contained in this resource record. type: keyword +example: IN + -- -*`rsa.internal.feed_category`*:: +*`dns.answers.data`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The data describing the resource. +The meaning of this data depends on the type and class of the resource record. type: keyword +example: 10.10.10.10 + -- -*`rsa.internal.forward_ip`*:: +*`dns.answers.name`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. +The domain name to which this resource record pertains. +If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. -type: ip +type: keyword + +example: www.example.com -- -*`rsa.internal.forward_ipv6`*:: +*`dns.answers.ttl`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. -type: ip +type: long + +example: 180 -- -*`rsa.internal.header_id`*:: +*`dns.answers.type`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The type of data contained in this resource record. type: keyword +example: CNAME + -- -*`rsa.internal.lc_cid`*:: +*`dns.header_flags`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Array of 2 letter DNS header flags. +Expected values are: AA, TC, RD, RA, AD, CD, DO. type: keyword +example: ['RD', 'RA'] + -- -*`rsa.internal.lc_ctime`*:: +*`dns.id`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -type: date +type: keyword + +example: 62111 -- -*`rsa.internal.mcb_req`*:: +*`dns.op_code`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most +The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. -type: long +type: keyword + +example: QUERY -- -*`rsa.internal.mcb_res`*:: +*`dns.question.class`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most +The class of records being queried. -type: long +type: keyword + +example: IN -- -*`rsa.internal.mcbc_req`*:: +*`dns.question.name`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +The name being queried. +If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. -type: long +type: keyword + +example: www.example.com -- -*`rsa.internal.mcbc_res`*:: +*`dns.question.registered_domain`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +The highest registered domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: long +type: keyword + +example: example.com -- -*`rsa.internal.medium`*:: +*`dns.question.subdomain`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session +The subdomain is all of the labels under the registered_domain. +If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. -type: long +type: keyword + +example: www -- -*`rsa.internal.node_name`*:: +*`dns.question.top_level_domain`*:: + -- -Deprecated key defined only in table map. +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword +example: co.uk + -- -*`rsa.internal.nwe_callback_id`*:: +*`dns.question.type`*:: + -- -This key denotes that event is endpoint related +The type of record being queried. type: keyword +example: AAAA + -- -*`rsa.internal.parse_error`*:: +*`dns.resolved_ip`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Array containing all IPs seen in `answers.data`. +The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for. -type: keyword +type: ip + +example: ['10.10.10.10', '10.10.10.11'] -- -*`rsa.internal.payload_req`*:: +*`dns.response_code`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +The DNS response code. -type: long +type: keyword + +example: NOERROR -- -*`rsa.internal.payload_res`*:: +*`dns.type`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +The type of DNS event captured, query or answer. +If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`. +If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers. -type: long +type: keyword + +example: answer -- -*`rsa.internal.process_vid_dst`*:: +[float] +=== ecs + +Meta-information specific to ECS. + + +*`ecs.version`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. +ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. +When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. type: keyword +example: 1.0.0 + +required: True + -- -*`rsa.internal.process_vid_src`*:: +[float] +=== error + +These fields can represent errors of any kind. +Use them for errors that happen while fetching events or in cases where the event itself contains an error. + + +*`error.code`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. +Error code describing the error. type: keyword -- -*`rsa.internal.rid`*:: +*`error.id`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Unique identifier for the error. -type: long +type: keyword -- -*`rsa.internal.session_split`*:: +*`error.message`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Error message. -type: keyword +type: text -- -*`rsa.internal.site`*:: +*`error.stack_trace`*:: + -- -Deprecated key defined only in table map. +The stack trace of this error in plain text. type: keyword +Field is not indexed. + -- -*`rsa.internal.size`*:: +*`error.stack_trace.text`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: text -- -*`rsa.internal.sourcefile`*:: +*`error.type`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The type of the error, for example the class name of the exception. type: keyword +example: java.lang.NullPointerException + -- -*`rsa.internal.ubc_req`*:: +[float] +=== event + +The event fields are used for context information about the log or metric event itself. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. + + +*`event.action`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +The action captured by the event. +This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. -type: long +type: keyword + +example: user-password-change -- -*`rsa.internal.ubc_res`*:: +*`event.category`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. +`event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. +This field is an array. This will allow proper categorization of some events that fall in multiple categories. -type: long +type: keyword + +example: authentication -- -*`rsa.internal.word`*:: +*`event.code`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log +Identification code for this event, if one exists. +Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. type: keyword --- +example: 4648 +-- -*`rsa.time.event_time`*:: +*`event.created`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +event.created contains the date/time when the event was first read by an agent, or by your pipeline. +This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. +In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. +In case the two timestamps are identical, @timestamp should be used. type: date +example: 2016-05-23T08:05:34.857Z + -- -*`rsa.time.duration_time`*:: +*`event.dataset`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. +Name of the dataset. +If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. +It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. -type: double +type: keyword + +example: apache.access -- -*`rsa.time.event_time_str`*:: +*`event.duration`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string +Duration of the event in nanoseconds. +If event.start and event.end are known this value should be the difference between the end and start time. -type: keyword +type: long + +format: duration -- -*`rsa.time.starttime`*:: +*`event.end`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form +event.end contains the date when the event ended or when the activity was last observed. type: date -- -*`rsa.time.month`*:: +*`event.hash`*:: + -- +Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. + type: keyword +example: 123456789012345678901234567890ABCD + -- -*`rsa.time.day`*:: +*`event.id`*:: + -- +Unique ID to describe the event. + type: keyword +example: 8a4f500d + -- -*`rsa.time.endtime`*:: +*`event.ingested`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form +Timestamp when an event arrived in the central data store. +This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. +In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`. type: date +example: 2016-05-23T08:05:35.101Z + -- -*`rsa.time.timezone`*:: +*`event.kind`*:: + -- -This key is used to capture the timezone of the Event Time +This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. +`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. +The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. type: keyword +example: alert + -- -*`rsa.time.duration_str`*:: +*`event.module`*:: + -- -A text string version of the duration +Name of the module this data is coming from. +If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. type: keyword +example: apache + -- -*`rsa.time.date`*:: +*`event.original`*:: + -- +Raw text message of entire event. Used to demonstrate log integrity. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. + type: keyword +example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + +Field is not indexed. + -- -*`rsa.time.year`*:: +*`event.outcome`*:: + -- +This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. + type: keyword +example: success + -- -*`rsa.time.recorded_time`*:: +*`event.provider`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. +Source of the event. +Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). -type: date +type: keyword + +example: kernel -- -*`rsa.time.datetime`*:: +*`event.reason`*:: + -- +Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + type: keyword +example: Terminated an unexpected process + -- -*`rsa.time.effective_time`*:: +*`event.reference`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. -type: date +type: keyword + +example: https://system.example.com/event/#0001234 -- -*`rsa.time.expire_time`*:: +*`event.risk_score`*:: + -- -This key is the timestamp that explicitly refers to an expiration. +Risk score or priority of the event (e.g. security solutions). Use your system's original value here. -type: date +type: float -- -*`rsa.time.process_time`*:: +*`event.risk_score_norm`*:: + -- -Deprecated, use duration.time +Normalized risk score or priority of the event, on a scale of 0 to 100. +This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. -type: keyword +type: float -- -*`rsa.time.hour`*:: +*`event.sequence`*:: + -- -type: keyword +Sequence number of the event. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. --- +type: long -*`rsa.time.min`*:: -+ --- -type: keyword +format: string -- -*`rsa.time.timestamp`*:: +*`event.severity`*:: + -- -type: keyword +The numeric severity of the event according to your event source. +What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. +The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. + +type: long + +example: 7 + +format: string -- -*`rsa.time.event_queue_time`*:: +*`event.start`*:: + -- -This key is the Time that the event was queued. +event.start contains the date when the event started or when the activity was first observed. type: date -- -*`rsa.time.p_time1`*:: +*`event.timezone`*:: + -- +This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. +Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). + type: keyword -- -*`rsa.time.tzone`*:: +*`event.type`*:: + -- +This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. +`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. +This field is an array. This will allow proper categorization of some events that fall in multiple event types. + type: keyword -- -*`rsa.time.eventtime`*:: +*`event.url`*:: + -- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + type: keyword --- +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe -*`rsa.time.gmtdate`*:: -+ -- -type: keyword --- +[float] +=== file -*`rsa.time.gmttime`*:: +A file is defined as a set of information that has been created on, or has existed on a filesystem. +File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. + + +*`file.accessed`*:: + -- -type: keyword +Last time the file was accessed. +Note that not all filesystems keep track of access time. + +type: date -- -*`rsa.time.p_date`*:: +*`file.attributes`*:: + -- +Array of file attributes. +Attributes names will vary by platform. Here's a non-exhaustive list of values that are expected in this field: archive, compressed, directory, encrypted, execute, hidden, read, readonly, system, write. + type: keyword +example: ["readonly", "system"] + -- -*`rsa.time.p_month`*:: +*`file.code_signature.exists`*:: + -- -type: keyword +Boolean to capture if a signature is present. + +type: boolean + +example: true -- -*`rsa.time.p_time`*:: +*`file.code_signature.status`*:: + -- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + type: keyword +example: ERROR_UNTRUSTED_ROOT + -- -*`rsa.time.p_time2`*:: +*`file.code_signature.subject_name`*:: + -- +Subject name of the code signer + type: keyword +example: Microsoft Corporation + -- -*`rsa.time.p_year`*:: +*`file.code_signature.trusted`*:: + -- -type: keyword +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true -- -*`rsa.time.expire_time_str`*:: +*`file.code_signature.valid`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -type: keyword +type: boolean + +example: true -- -*`rsa.time.stamp`*:: +*`file.created`*:: + -- -Deprecated key defined only in table map. +File creation time. +Note that not all filesystems store the creation time. type: date -- - -*`rsa.misc.action`*:: +*`file.ctime`*:: + -- -type: keyword +Last time the file attributes or metadata changed. +Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file. + +type: date -- -*`rsa.misc.result`*:: +*`file.device`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. +Device that is the source of the file. type: keyword +example: sda + -- -*`rsa.misc.severity`*:: +*`file.directory`*:: + -- -This key is used to capture the severity given the session +Directory where the file is located. It should include the drive letter, when appropriate. type: keyword +example: /home/alice + -- -*`rsa.misc.event_type`*:: +*`file.drive_letter`*:: + -- -This key captures the event category type as specified by the event source. +Drive letter where the file is located. This field is only relevant on Windows. +The value should be uppercase, and not include the colon. type: keyword +example: C + -- -*`rsa.misc.reference_id`*:: +*`file.extension`*:: + -- -This key is used to capture an event id from the session directly +File extension. type: keyword +example: png + -- -*`rsa.misc.version`*:: +*`file.gid`*:: + -- -This key captures Version of the application or OS which is generating the event. +Primary group ID (GID) of the file. type: keyword +example: 1001 + -- -*`rsa.misc.disposition`*:: +*`file.group`*:: + -- -This key captures the The end state of an action. +Primary group name of the file. type: keyword +example: alice + -- -*`rsa.misc.result_code`*:: +*`file.hash.md5`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session +MD5 hash. type: keyword -- -*`rsa.misc.category`*:: +*`file.hash.sha1`*:: + -- -This key is used to capture the category of an event given by the vendor in the session +SHA1 hash. type: keyword -- -*`rsa.misc.obj_name`*:: +*`file.hash.sha256`*:: + -- -This is used to capture name of object +SHA256 hash. type: keyword -- -*`rsa.misc.obj_type`*:: +*`file.hash.sha512`*:: + -- -This is used to capture type of object +SHA512 hash. type: keyword -- -*`rsa.misc.event_source`*:: +*`file.inode`*:: + -- -This key captures Source of the event that’s not a hostname +Inode representing the file in the filesystem. type: keyword +example: 256383 + -- -*`rsa.misc.log_session_id`*:: +*`file.mime_type`*:: + -- -This key is used to capture a sessionid from the session directly +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. type: keyword -- -*`rsa.misc.group`*:: +*`file.mode`*:: + -- -This key captures the Group Name value +Mode of the file in octal representation. type: keyword +example: 0640 + -- -*`rsa.misc.policy_name`*:: +*`file.mtime`*:: + -- -This key is used to capture the Policy Name only. +Last time the file content was modified. -type: keyword +type: date -- -*`rsa.misc.rule_name`*:: +*`file.name`*:: + -- -This key captures the Rule Name +Name of the file including the extension, without the directory. type: keyword +example: example.png + -- -*`rsa.misc.context`*:: +*`file.owner`*:: + -- -This key captures Information which adds additional context to the event. +File owner's username. type: keyword +example: alice + -- -*`rsa.misc.change_new`*:: +*`file.path`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session +Full path to the file, including the file name. It should include the drive letter, when appropriate. type: keyword +example: /home/alice/example.png + -- -*`rsa.misc.space`*:: +*`file.path.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.client`*:: +*`file.pe.architecture`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. +CPU architecture target for the file. type: keyword +example: x64 + -- -*`rsa.misc.msgIdPart1`*:: +*`file.pe.company`*:: + -- +Internal company name of the file, provided at compile-time. + type: keyword +example: Microsoft Corporation + -- -*`rsa.misc.msgIdPart2`*:: +*`file.pe.description`*:: + -- +Internal description of the file, provided at compile-time. + type: keyword +example: Paint + -- -*`rsa.misc.change_old`*:: +*`file.pe.file_version`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session +Internal version of the file, provided at compile-time. type: keyword +example: 6.3.9600.17415 + -- -*`rsa.misc.operation_id`*:: +*`file.pe.imphash`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`rsa.misc.event_state`*:: +*`file.pe.original_file_name`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. +Internal name of the file, provided at compile-time. type: keyword +example: MSPAINT.EXE + -- -*`rsa.misc.group_object`*:: +*`file.pe.product`*:: + -- -This key captures a collection/grouping of entities. Specific usage +Internal product name of the file, provided at compile-time. type: keyword +example: Microsoft® Windows® Operating System + -- -*`rsa.misc.node`*:: +*`file.size`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. +File size in bytes. +Only relevant when `file.type` is "file". -type: keyword +type: long + +example: 16384 -- -*`rsa.misc.rule`*:: +*`file.target_path`*:: + -- -This key captures the Rule number +Target path for symlinks. type: keyword -- -*`rsa.misc.device_name`*:: +*`file.target_path.text`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - -type: keyword +type: text -- -*`rsa.misc.param`*:: +*`file.type`*:: + -- -This key is the parameters passed as part of a command or application, etc. +File type (file, dir, or symlink). type: keyword +example: file + -- -*`rsa.misc.change_attrib`*:: +*`file.uid`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session +The user ID (UID) or security identifier (SID) of the file owner. type: keyword +example: 1001 + -- -*`rsa.misc.event_computer`*:: +*`file.x509.alternative_names`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword +example: *.elastic.co + -- -*`rsa.misc.reference_id1`*:: +*`file.x509.issuer.common_name`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" +List of common name (CN) of issuing certificate authority. type: keyword +example: Example SHA2 High Assurance Server CA + -- -*`rsa.misc.event_log`*:: +*`file.x509.issuer.country`*:: + -- -This key captures the Name of the event log +List of country (C) codes type: keyword +example: US + -- -*`rsa.misc.OS`*:: +*`file.x509.issuer.distinguished_name`*:: + -- -This key captures the Name of the Operating System +Distinguished name (DN) of issuing certificate authority. type: keyword +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + -- -*`rsa.misc.terminal`*:: +*`file.x509.issuer.locality`*:: + -- -This key captures the Terminal Names only +List of locality names (L) type: keyword +example: Mountain View + -- -*`rsa.misc.msgIdPart3`*:: +*`file.x509.issuer.organization`*:: + -- +List of organizations (O) of issuing certificate authority. + type: keyword +example: Example Inc + -- -*`rsa.misc.filter`*:: +*`file.x509.issuer.organizational_unit`*:: + -- -This key captures Filter used to reduce result set +List of organizational units (OU) of issuing certificate authority. type: keyword +example: www.example.com + -- -*`rsa.misc.serial_number`*:: +*`file.x509.issuer.state_or_province`*:: + -- -This key is the Serial number associated with a physical asset. +List of state or province names (ST, S, or P) type: keyword +example: California + -- -*`rsa.misc.checksum`*:: +*`file.x509.not_after`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. +Time at which the certificate is no longer considered valid. -type: keyword +type: date + +example: 2020-07-16 03:15:39+00:00 -- -*`rsa.misc.event_user`*:: +*`file.x509.not_before`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. +Time at which the certificate is first considered valid. -type: keyword +type: date + +example: 2019-08-16 01:40:25+00:00 -- -*`rsa.misc.virusname`*:: +*`file.x509.public_key_algorithm`*:: + -- -This key captures the name of the virus +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`rsa.misc.content_type`*:: +*`file.x509.public_key_curve`*:: + -- -This key is used to capture Content Type only. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`rsa.misc.group_id`*:: +*`file.x509.public_key_exponent`*:: + -- -This key captures Group ID Number (related to the group name) +Exponent used to derive the public key. This is algorithm specific. -type: keyword +type: long + +example: 65537 + +Field is not indexed. -- -*`rsa.misc.policy_id`*:: +*`file.x509.public_key_size`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise +The size of the public key space in bits. -type: keyword +type: long + +example: 2048 -- -*`rsa.misc.vsys`*:: +*`file.x509.serial_number`*:: + -- -This key captures Virtual System Name +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -*`rsa.misc.connection_id`*:: +*`file.x509.signature_algorithm`*:: + -- -This key captures the Connection ID +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword +example: SHA256-RSA + -- -*`rsa.misc.reference_id2`*:: +*`file.x509.subject.common_name`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. +List of common names (CN) of subject. type: keyword +example: shared.global.example.net + -- -*`rsa.misc.sensor`*:: +*`file.x509.subject.country`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices +List of country (C) code type: keyword +example: US + -- -*`rsa.misc.sig_id`*:: +*`file.x509.subject.distinguished_name`*:: + -- -This key captures IDS/IPS Int Signature ID +Distinguished name (DN) of the certificate subject entity. -type: long +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`rsa.misc.port_name`*:: +*`file.x509.subject.locality`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). +List of locality names (L) type: keyword +example: San Francisco + -- -*`rsa.misc.rule_group`*:: +*`file.x509.subject.organization`*:: + -- -This key captures the Rule group name +List of organizations (O) of subject. type: keyword +example: Example, Inc. + -- -*`rsa.misc.risk_num`*:: +*`file.x509.subject.organizational_unit`*:: + -- -This key captures a Numeric Risk value +List of organizational units (OU) of subject. -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`file.x509.subject.state_or_province`*:: + -- -This key captures the Value of the trigger or threshold condition. +List of state or province names (ST, S, or P) type: keyword +example: California + -- -*`rsa.misc.log_session_id1`*:: +*`file.x509.version_number`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly +Version of x509 format. type: keyword --- +example: 3 -*`rsa.misc.comp_version`*:: -+ -- -This key captures the Version level of a sub-component of a product. -type: keyword +[float] +=== geo --- +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. -*`rsa.misc.content_version`*:: + +*`geo.city_name`*:: + -- -This key captures Version level of a signature or database content. +City name. type: keyword +example: Montreal + -- -*`rsa.misc.hardware_id`*:: +*`geo.continent_name`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) +Name of the continent. type: keyword +example: North America + -- -*`rsa.misc.risk`*:: +*`geo.country_iso_code`*:: + -- -This key captures the non-numeric risk value +Country ISO code. type: keyword +example: CA + -- -*`rsa.misc.event_id`*:: +*`geo.country_name`*:: + -- +Country name. + type: keyword +example: Canada + -- -*`rsa.misc.reason`*:: +*`geo.location`*:: + -- -type: keyword +Longitude and latitude. --- +type: geo_point -*`rsa.misc.status`*:: -+ --- -type: keyword +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`rsa.misc.mail_id`*:: +*`geo.name`*:: + -- -This key is used to capture the mailbox id/name +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword +example: boston-dc + -- -*`rsa.misc.rule_uid`*:: +*`geo.region_iso_code`*:: + -- -This key is the Unique Identifier for a rule. +Region ISO code. type: keyword +example: CA-QC + -- -*`rsa.misc.trigger_desc`*:: +*`geo.region_name`*:: + -- -This key captures the Description of the trigger or threshold condition. +Region name. type: keyword --- +example: Quebec -*`rsa.misc.inout`*:: -+ -- -type: keyword --- +[float] +=== group -*`rsa.misc.p_msgid`*:: -+ --- -type: keyword +The group fields are meant to represent groups that are relevant to the event. --- -*`rsa.misc.data_type`*:: +*`group.domain`*:: + -- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`group.id`*:: + -- +Unique identifier for the group on the system/platform. + type: keyword -- -*`rsa.misc.error`*:: +*`group.name`*:: + -- -This key captures All non successful Error codes or responses +Name of the group. type: keyword -- -*`rsa.misc.index`*:: +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: + -- +MD5 hash. + type: keyword -- -*`rsa.misc.listnum`*:: +*`hash.sha1`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list +SHA1 hash. type: keyword -- -*`rsa.misc.ntype`*:: +*`hash.sha256`*:: + -- +SHA256 hash. + type: keyword -- -*`rsa.misc.observed_val`*:: +*`hash.sha512`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). +SHA512 hash. type: keyword -- -*`rsa.misc.policy_value`*:: +[float] +=== host + +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + + +*`host.architecture`*:: + -- -This key captures the contents of the policy. This contains details about the policy +Operating system architecture. type: keyword +example: x86_64 + -- -*`rsa.misc.pool_name`*:: +*`host.domain`*:: + -- -This key captures the name of a resource pool +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. type: keyword +example: CONTOSO + -- -*`rsa.misc.rule_template`*:: +*`host.geo.city_name`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template +City name. type: keyword +example: Montreal + -- -*`rsa.misc.count`*:: +*`host.geo.continent_name`*:: + -- +Name of the continent. + type: keyword +example: North America + -- -*`rsa.misc.number`*:: +*`host.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword +example: CA + -- -*`rsa.misc.sigcat`*:: +*`host.geo.country_name`*:: + -- +Country name. + type: keyword +example: Canada + -- -*`rsa.misc.type`*:: +*`host.geo.location`*:: + -- -type: keyword +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`rsa.misc.comments`*:: +*`host.geo.name`*:: + -- -Comment information provided in the log message +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword +example: boston-dc + -- -*`rsa.misc.doc_number`*:: +*`host.geo.region_iso_code`*:: + -- -This key captures File Identification number +Region ISO code. -type: long +type: keyword + +example: CA-QC -- -*`rsa.misc.expected_val`*:: +*`host.geo.region_name`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). +Region name. type: keyword +example: Quebec + -- -*`rsa.misc.job_num`*:: +*`host.hostname`*:: + -- -This key captures the Job Number +Hostname of the host. +It normally contains what the `hostname` command returns on the host machine. type: keyword -- -*`rsa.misc.spi_dst`*:: +*`host.id`*:: + -- -Destination SPI Index +Unique host id. +As hostname is not always unique, use values that are meaningful in your environment. +Example: The current usage of `beat.name`. type: keyword -- -*`rsa.misc.spi_src`*:: +*`host.ip`*:: + -- -Source SPI Index +Host ip addresses. -type: keyword +type: ip -- -*`rsa.misc.code`*:: +*`host.mac`*:: + -- +Host mac addresses. + type: keyword -- -*`rsa.misc.agent_id`*:: +*`host.name`*:: + -- -This key is used to capture agent id +Name of the host. +It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. type: keyword -- -*`rsa.misc.message_body`*:: +*`host.os.family`*:: + -- -This key captures the The contents of the message body. +OS family (such as redhat, debian, freebsd, windows). type: keyword +example: debian + -- -*`rsa.misc.phone`*:: +*`host.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword +example: Mac OS Mojave + -- -*`rsa.misc.sig_id_str`*:: +*`host.os.full.text`*:: + -- -This key captures a string object of the sigid variable. +type: text + +-- + +*`host.os.kernel`*:: ++ +-- +Operating system kernel version as a raw string. type: keyword +example: 4.4.0-112-generic + -- -*`rsa.misc.cmd`*:: +*`host.os.name`*:: + -- +Operating system name, without the version. + type: keyword +example: Mac OS X + -- -*`rsa.misc.misc`*:: +*`host.os.name.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.name`*:: +*`host.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword +example: darwin + -- -*`rsa.misc.cpu`*:: +*`host.os.version`*:: + -- -This key is the CPU time used in the execution of the event being recorded. +Operating system version as a raw string. -type: long +type: keyword + +example: 10.14.1 -- -*`rsa.misc.event_desc`*:: +*`host.type`*:: + -- -This key is used to capture a description of an event available directly or inferred +Type of host. +For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. type: keyword -- -*`rsa.misc.sig_id1`*:: +*`host.uptime`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id +Seconds the host has been up. type: long +example: 1325 + -- -*`rsa.misc.im_buddyid`*:: +*`host.user.domain`*:: + -- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + type: keyword -- -*`rsa.misc.im_client`*:: +*`host.user.email`*:: + -- +User email address. + type: keyword -- -*`rsa.misc.im_userid`*:: +*`host.user.full_name`*:: + -- +User's full name, if available. + type: keyword +example: Albert Einstein + -- -*`rsa.misc.pid`*:: +*`host.user.full_name.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.priority`*:: +*`host.user.group.domain`*:: + -- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + type: keyword -- -*`rsa.misc.context_subject`*:: +*`host.user.group.id`*:: + -- -This key is to be used in an audit context where the subject is the object being identified +Unique identifier for the group on the system/platform. type: keyword -- -*`rsa.misc.context_target`*:: +*`host.user.group.name`*:: + -- +Name of the group. + type: keyword -- -*`rsa.misc.cve`*:: +*`host.user.hash`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. type: keyword -- -*`rsa.misc.fcatnum`*:: +*`host.user.id`*:: + -- -This key captures Filter Category Number. Legacy Usage +Unique identifier of the user. type: keyword -- -*`rsa.misc.library`*:: +*`host.user.name`*:: + -- -This key is used to capture library information in mainframe devices +Short name or login of the user. type: keyword +example: albert + -- -*`rsa.misc.parent_node`*:: +*`host.user.name.text`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. - -type: keyword +type: text -- -*`rsa.misc.risk_info`*:: +*`host.user.roles`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +Array of user roles at the time of the event. type: keyword --- +example: ["kibana_admin", "reporting_user"] -*`rsa.misc.tcp_flags`*:: -+ -- -This key is captures the TCP flags set in any packet of session -type: long +[float] +=== http --- +Fields related to HTTP activity. Use the `url` field set to store the url of the request. -*`rsa.misc.tos`*:: + +*`http.request.body.bytes`*:: + -- -This key describes the type of service +Size in bytes of the request body. type: long +example: 887 + +format: bytes + -- -*`rsa.misc.vm_target`*:: +*`http.request.body.content`*:: + -- -VMWare Target **VMWARE** only varaible. +The full HTTP request body. type: keyword +example: Hello world + -- -*`rsa.misc.workspace`*:: +*`http.request.body.content.text`*:: + -- -This key captures Workspace Description - -type: keyword +type: text -- -*`rsa.misc.command`*:: +*`http.request.bytes`*:: + -- -type: keyword +Total size in bytes of the request (body and headers). + +type: long + +example: 1437 + +format: bytes -- -*`rsa.misc.event_category`*:: +*`http.request.method`*:: + -- +HTTP request method. +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 + type: keyword +example: GET, POST, PUT, PoST + -- -*`rsa.misc.facilityname`*:: +*`http.request.referrer`*:: + -- +Referrer for this HTTP request. + type: keyword +example: https://blog.example.com/ + -- -*`rsa.misc.forensic_info`*:: +*`http.response.body.bytes`*:: + -- -type: keyword +Size in bytes of the response body. + +type: long + +example: 887 + +format: bytes -- -*`rsa.misc.jobname`*:: +*`http.response.body.content`*:: + -- +The full HTTP response body. + type: keyword +example: Hello world + -- -*`rsa.misc.mode`*:: +*`http.response.body.content.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.policy`*:: +*`http.response.bytes`*:: + -- -type: keyword +Total size in bytes of the response (body and headers). + +type: long + +example: 1437 + +format: bytes -- -*`rsa.misc.policy_waiver`*:: +*`http.response.status_code`*:: + -- -type: keyword +HTTP response status code. + +type: long + +example: 404 + +format: string -- -*`rsa.misc.second`*:: +*`http.version`*:: + -- +HTTP version. + type: keyword +example: 1.1 + -- -*`rsa.misc.space1`*:: +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: + -- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + type: keyword +example: outside + -- -*`rsa.misc.subcategory`*:: +*`interface.id`*:: + -- +Interface ID as reported by an observer (typically SNMP interface ID). + type: keyword +example: 10 + -- -*`rsa.misc.tbdstr2`*:: +*`interface.name`*:: + -- +Interface name as reported by the system. + type: keyword +example: eth0 + -- -*`rsa.misc.alert_id`*:: +[float] +=== log + +Details about the event's logging mechanism or logging transport. +The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. +The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. + + +*`log.file.path`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. type: keyword +example: /var/log/fun-times.log + -- -*`rsa.misc.checksum_dst`*:: +*`log.level`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. +Original log level of the log event. +If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). +Some examples are `warn`, `err`, `i`, `informational`. type: keyword +example: error + -- -*`rsa.misc.checksum_src`*:: +*`log.logger`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. type: keyword +example: org.elasticsearch.bootstrap.Bootstrap + -- -*`rsa.misc.fresult`*:: +*`log.origin.file.line`*:: + -- -This key captures the Filter Result +The line number of the file containing the source code which originated the log event. -type: long +type: integer + +example: 42 -- -*`rsa.misc.payload_dst`*:: +*`log.origin.file.name`*:: + -- -This key is used to capture destination payload +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. type: keyword +example: Bootstrap.java + -- -*`rsa.misc.payload_src`*:: +*`log.origin.function`*:: + -- -This key is used to capture source payload +The name of the function or method which originated the log event. type: keyword +example: init + -- -*`rsa.misc.pool_id`*:: +*`log.original`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool +This is the original log message and contains the full log message before splitting it up in multiple parts. +In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. +This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. type: keyword +example: Sep 19 08:26:10 localhost My log + +Field is not indexed. + -- -*`rsa.misc.process_id_val`*:: +*`log.syslog`*:: + -- -This key is a failure key for Process ID when it is not an integer value +The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. -type: keyword +type: object -- -*`rsa.misc.risk_num_comm`*:: +*`log.syslog.facility.code`*:: + -- -This key captures Risk Number Community +The Syslog numeric facility of the log event, if available. +According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. -type: double +type: long + +example: 23 + +format: string -- -*`rsa.misc.risk_num_next`*:: +*`log.syslog.facility.name`*:: + -- -This key captures Risk Number NextGen +The Syslog text-based facility of the log event, if available. -type: double +type: keyword + +example: local7 -- -*`rsa.misc.risk_num_sand`*:: +*`log.syslog.priority`*:: + -- -This key captures Risk Number SandBox +Syslog numeric priority of the event, if available. +According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. -type: double +type: long + +example: 135 + +format: string -- -*`rsa.misc.risk_num_static`*:: +*`log.syslog.severity.code`*:: + -- -This key captures Risk Number Static +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. -type: double +type: long + +example: 3 -- -*`rsa.misc.risk_suspicious`*:: +*`log.syslog.severity.name`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. type: keyword --- +example: Error -*`rsa.misc.risk_warning`*:: -+ -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -type: keyword +[float] +=== network --- +The network is defined as the communication path over which a host or network event happens. +The network.* fields should be populated with details about the network activity associated with an event. -*`rsa.misc.snmp_oid`*:: + +*`network.application`*:: + -- -SNMP Object Identifier +A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". type: keyword +example: aim + -- -*`rsa.misc.sql`*:: +*`network.bytes`*:: + -- -This key captures the SQL query +Total bytes transferred in both directions. +If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. -type: keyword +type: long + +example: 368 + +format: bytes -- -*`rsa.misc.vuln_ref`*:: +*`network.community_id`*:: + -- -This key captures the Vulnerability Reference details +A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +Learn more at https://github.com/corelight/community-id-spec. type: keyword +example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= + -- -*`rsa.misc.acl_id`*:: +*`network.direction`*:: + -- -type: keyword +Direction of the network traffic. +Recommended values are: + * inbound + * outbound + * internal + * external + * unknown --- +When mapping events from a host-based monitoring context, populate this field from the host's point of view. +When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. -*`rsa.misc.acl_op`*:: -+ --- type: keyword +example: inbound + -- -*`rsa.misc.acl_pos`*:: +*`network.forwarded_ip`*:: + -- -type: keyword +Host IP address when the source IP address is the proxy. --- +type: ip -*`rsa.misc.acl_table`*:: -+ --- -type: keyword +example: 192.1.1.2 -- -*`rsa.misc.admin`*:: +*`network.iana_number`*:: + -- +IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + type: keyword +example: 6 + -- -*`rsa.misc.alarm_id`*:: +*`network.inner`*:: + -- -type: keyword +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object -- -*`rsa.misc.alarmname`*:: +*`network.inner.vlan.id`*:: + -- +VLAN ID as reported by the observer. + type: keyword +example: 10 + -- -*`rsa.misc.app_id`*:: +*`network.inner.vlan.name`*:: + -- +Optional VLAN name as reported by the observer. + type: keyword +example: outside + -- -*`rsa.misc.audit`*:: +*`network.name`*:: + -- +Name given by operators to sections of their network. + type: keyword +example: Guest Wifi + -- -*`rsa.misc.audit_object`*:: +*`network.packets`*:: + -- -type: keyword +Total packets transferred in both directions. +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. --- +type: long -*`rsa.misc.auditdata`*:: -+ --- -type: keyword +example: 24 -- -*`rsa.misc.benchmark`*:: +*`network.protocol`*:: + -- +L7 Network protocol name. ex. http, lumberjack, transport protocol. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword +example: http + -- -*`rsa.misc.bypass`*:: +*`network.transport`*:: + -- +Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword +example: tcp + -- -*`rsa.misc.cache`*:: +*`network.type`*:: + -- +In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword +example: ipv4 + -- -*`rsa.misc.cache_hit`*:: +*`network.vlan.id`*:: + -- +VLAN ID as reported by the observer. + type: keyword +example: 10 + -- -*`rsa.misc.cefversion`*:: +*`network.vlan.name`*:: + -- +Optional VLAN name as reported by the observer. + type: keyword --- +example: outside -*`rsa.misc.cfg_attr`*:: -+ -- -type: keyword --- +[float] +=== observer -*`rsa.misc.cfg_obj`*:: +An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. +This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. + + +*`observer.egress`*:: + -- -type: keyword +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object -- -*`rsa.misc.cfg_path`*:: +*`observer.egress.interface.alias`*:: + -- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + type: keyword +example: outside + -- -*`rsa.misc.changes`*:: +*`observer.egress.interface.id`*:: + -- +Interface ID as reported by an observer (typically SNMP interface ID). + type: keyword +example: 10 + -- -*`rsa.misc.client_ip`*:: +*`observer.egress.interface.name`*:: + -- +Interface name as reported by the system. + type: keyword +example: eth0 + -- -*`rsa.misc.clustermembers`*:: +*`observer.egress.vlan.id`*:: + -- +VLAN ID as reported by the observer. + type: keyword +example: 10 + -- -*`rsa.misc.cn_acttimeout`*:: +*`observer.egress.vlan.name`*:: + -- +Optional VLAN name as reported by the observer. + type: keyword +example: outside + -- -*`rsa.misc.cn_asn_src`*:: +*`observer.egress.zone`*:: + -- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + type: keyword +example: Public_Internet + -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`observer.geo.city_name`*:: + -- +City name. + type: keyword +example: Montreal + -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`observer.geo.continent_name`*:: + -- +Name of the continent. + type: keyword +example: North America + -- -*`rsa.misc.cn_dst_tos`*:: +*`observer.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword +example: CA + -- -*`rsa.misc.cn_dst_vlan`*:: +*`observer.geo.country_name`*:: + -- +Country name. + type: keyword +example: Canada + -- -*`rsa.misc.cn_engine_id`*:: +*`observer.geo.location`*:: + -- -type: keyword +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`rsa.misc.cn_engine_type`*:: +*`observer.geo.name`*:: + -- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + type: keyword +example: boston-dc + -- -*`rsa.misc.cn_f_switch`*:: +*`observer.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword +example: CA-QC + -- -*`rsa.misc.cn_flowsampid`*:: +*`observer.geo.region_name`*:: + -- +Region name. + type: keyword +example: Quebec + -- -*`rsa.misc.cn_flowsampintv`*:: +*`observer.hostname`*:: + -- +Hostname of the observer. + type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`observer.ingress`*:: + -- -type: keyword +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object -- -*`rsa.misc.cn_inacttimeout`*:: +*`observer.ingress.interface.alias`*:: + -- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + type: keyword +example: outside + -- -*`rsa.misc.cn_inpermbyts`*:: +*`observer.ingress.interface.id`*:: + -- +Interface ID as reported by an observer (typically SNMP interface ID). + type: keyword +example: 10 + -- -*`rsa.misc.cn_inpermpckts`*:: +*`observer.ingress.interface.name`*:: + -- +Interface name as reported by the system. + type: keyword +example: eth0 + -- -*`rsa.misc.cn_invalid`*:: +*`observer.ingress.vlan.id`*:: + -- +VLAN ID as reported by the observer. + type: keyword +example: 10 + -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`observer.ingress.vlan.name`*:: + -- +Optional VLAN name as reported by the observer. + type: keyword +example: outside + -- -*`rsa.misc.cn_ipv4_ident`*:: +*`observer.ingress.zone`*:: + -- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + type: keyword +example: DMZ + -- -*`rsa.misc.cn_l_switch`*:: +*`observer.ip`*:: + -- -type: keyword +IP addresses of the observer. + +type: ip -- -*`rsa.misc.cn_log_did`*:: +*`observer.mac`*:: + -- +MAC addresses of the observer + type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`observer.name`*:: + -- +Custom name of the observer. +This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. +If no custom name is needed, the field can be left empty. + type: keyword +example: 1_proxySG + -- -*`rsa.misc.cn_max_ttl`*:: +*`observer.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword +example: debian + -- -*`rsa.misc.cn_maxpcktlen`*:: +*`observer.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword +example: Mac OS Mojave + -- -*`rsa.misc.cn_min_ttl`*:: +*`observer.os.full.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.cn_minpcktlen`*:: +*`observer.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword +example: 4.4.0-112-generic + -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`observer.os.name`*:: + -- +Operating system name, without the version. + type: keyword +example: Mac OS X + -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`observer.os.name.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`observer.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword +example: darwin + -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`observer.os.version`*:: + -- +Operating system version as a raw string. + type: keyword +example: 10.14.1 + -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`observer.product`*:: + -- +The product name of the observer. + type: keyword +example: s200 + -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`observer.serial_number`*:: + -- +Observer serial number. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`observer.type`*:: + -- +The type of the observer the data is coming from. +There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + type: keyword +example: firewall + -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`observer.vendor`*:: + -- +Vendor name of the observer. + type: keyword +example: Symantec + -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`observer.version`*:: + -- +Observer version. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +[float] +=== organization + +The organization fields enrich data with information about the company or entity the data is associated with. +These fields help you arrange or filter data stored in an index by one or multiple organizations. + + +*`organization.id`*:: + -- +Unique identifier for the organization. + type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`organization.name`*:: + -- +Organization name. + type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`organization.name.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.cn_mul_dst_byt`*:: +[float] +=== os + +The OS fields contain information about the operating system. + + +*`os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword +example: debian + -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword +example: Mac OS Mojave + -- -*`rsa.misc.cn_muligmptype`*:: +*`os.full.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.cn_sampalgo`*:: +*`os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword +example: 4.4.0-112-generic + -- -*`rsa.misc.cn_sampint`*:: +*`os.name`*:: + -- +Operating system name, without the version. + type: keyword +example: Mac OS X + -- -*`rsa.misc.cn_seqctr`*:: +*`os.name.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.cn_spackets`*:: +*`os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword +example: darwin + -- -*`rsa.misc.cn_src_tos`*:: +*`os.version`*:: + -- +Operating system version as a raw string. + type: keyword +example: 10.14.1 + -- -*`rsa.misc.cn_src_vlan`*:: +[float] +=== package + +These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. + + +*`package.architecture`*:: + -- +Package architecture. + type: keyword +example: x86_64 + -- -*`rsa.misc.cn_sysuptime`*:: +*`package.build_version`*:: + -- +Additional information about the build version of the installed package. +For example use the commit SHA of a non-released package. + type: keyword +example: 36f4f7e89dd61b0988b12ee000b98966867710cd + -- -*`rsa.misc.cn_template_id`*:: +*`package.checksum`*:: + -- +Checksum of the installed package for verification. + type: keyword +example: 68b329da9893e34099c7d8ad5cb9c940 + -- -*`rsa.misc.cn_totbytsexp`*:: +*`package.description`*:: + -- +Description of the package. + type: keyword +example: Open source programming language to build simple/reliable/efficient software. + -- -*`rsa.misc.cn_totflowexp`*:: +*`package.install_scope`*:: + -- +Indicating how the package was installed, e.g. user-local, global. + type: keyword +example: global + -- -*`rsa.misc.cn_totpcktsexp`*:: +*`package.installed`*:: + -- -type: keyword +Time when package was installed. + +type: date -- -*`rsa.misc.cn_unixnanosecs`*:: +*`package.license`*:: + -- +License under which the package was released. +Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). + type: keyword +example: Apache License 2.0 + -- -*`rsa.misc.cn_v6flowlabel`*:: +*`package.name`*:: + -- +Package name + type: keyword +example: go + -- -*`rsa.misc.cn_v6optheaders`*:: +*`package.path`*:: + -- +Path where the package is installed. + type: keyword +example: /usr/local/Cellar/go/1.12.9/ + -- -*`rsa.misc.comp_class`*:: +*`package.reference`*:: + -- +Home page or reference URL of the software in this package, if available. + type: keyword +example: https://golang.org + -- -*`rsa.misc.comp_name`*:: +*`package.size`*:: + -- -type: keyword +Package size in bytes. + +type: long + +example: 62231 + +format: string -- -*`rsa.misc.comp_rbytes`*:: +*`package.type`*:: + -- +Type of package. +This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. + type: keyword +example: rpm + -- -*`rsa.misc.comp_sbytes`*:: +*`package.version`*:: + -- +Package version + type: keyword +example: 1.12.9 + -- -*`rsa.misc.cpu_data`*:: +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.architecture`*:: + -- +CPU architecture target for the file. + type: keyword +example: x64 + -- -*`rsa.misc.criticality`*:: +*`pe.company`*:: + -- +Internal company name of the file, provided at compile-time. + type: keyword +example: Microsoft Corporation + -- -*`rsa.misc.cs_agency_dst`*:: +*`pe.description`*:: + -- +Internal description of the file, provided at compile-time. + type: keyword +example: Paint + -- -*`rsa.misc.cs_analyzedby`*:: +*`pe.file_version`*:: + -- +Internal version of the file, provided at compile-time. + type: keyword +example: 6.3.9600.17415 + -- -*`rsa.misc.cs_av_other`*:: +*`pe.imphash`*:: + -- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`rsa.misc.cs_av_primary`*:: +*`pe.original_file_name`*:: + -- +Internal name of the file, provided at compile-time. + type: keyword +example: MSPAINT.EXE + -- -*`rsa.misc.cs_av_secondary`*:: +*`pe.product`*:: + -- +Internal product name of the file, provided at compile-time. + type: keyword +example: Microsoft® Windows® Operating System + -- -*`rsa.misc.cs_bgpv6nxthop`*:: +[float] +=== process + +These fields contain information about a process. +These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. + + +*`process.args`*:: + -- +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. + type: keyword +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] + -- -*`rsa.misc.cs_bit9status`*:: +*`process.args_count`*:: + -- -type: keyword +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + +type: long + +example: 4 -- -*`rsa.misc.cs_context`*:: +*`process.code_signature.exists`*:: + -- -type: keyword +Boolean to capture if a signature is present. + +type: boolean + +example: true -- -*`rsa.misc.cs_control`*:: +*`process.code_signature.status`*:: + -- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + type: keyword +example: ERROR_UNTRUSTED_ROOT + -- -*`rsa.misc.cs_data`*:: +*`process.code_signature.subject_name`*:: + -- +Subject name of the code signer + type: keyword +example: Microsoft Corporation + -- -*`rsa.misc.cs_datecret`*:: +*`process.code_signature.trusted`*:: + -- -type: keyword +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. --- +type: boolean -*`rsa.misc.cs_dst_tld`*:: -+ --- -type: keyword +example: true -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`process.code_signature.valid`*:: + -- -type: keyword +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. --- +type: boolean -*`rsa.misc.cs_eth_src_ven`*:: -+ --- -type: keyword +example: true -- -*`rsa.misc.cs_event_uuid`*:: +*`process.command_line`*:: + -- +Full command line that started the process, including the absolute path to the executable, and all arguments. +Some arguments may be filtered to protect sensitive information. + type: keyword +example: /usr/bin/ssh -l user 10.0.0.16 + -- -*`rsa.misc.cs_filetype`*:: +*`process.command_line.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.cs_fld`*:: +*`process.entity_id`*:: + -- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + type: keyword +example: c2c455d9f99375d + -- -*`rsa.misc.cs_if_desc`*:: +*`process.executable`*:: + -- +Absolute path to the process executable. + type: keyword +example: /usr/bin/ssh + -- -*`rsa.misc.cs_if_name`*:: +*`process.executable.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.cs_ip_next_hop`*:: +*`process.exit_code`*:: + -- -type: keyword +The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). + +type: long + +example: 137 -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`process.hash.md5`*:: + -- +MD5 hash. + type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`process.hash.sha1`*:: + -- +SHA1 hash. + type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`process.hash.sha256`*:: + -- +SHA256 hash. + type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`process.hash.sha512`*:: + -- +SHA512 hash. + type: keyword -- -*`rsa.misc.cs_loginname`*:: +*`process.name`*:: + -- +Process name. +Sometimes called program name or similar. + type: keyword +example: ssh + -- -*`rsa.misc.cs_modulescore`*:: +*`process.name.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.cs_modulesign`*:: +*`process.parent.args`*:: + -- +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. + type: keyword +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] + -- -*`rsa.misc.cs_opswatresult`*:: +*`process.parent.args_count`*:: + -- -type: keyword +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + +type: long + +example: 4 -- -*`rsa.misc.cs_payload`*:: +*`process.parent.code_signature.exists`*:: + -- -type: keyword +Boolean to capture if a signature is present. + +type: boolean + +example: true -- -*`rsa.misc.cs_registrant`*:: +*`process.parent.code_signature.status`*:: + -- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + type: keyword +example: ERROR_UNTRUSTED_ROOT + -- -*`rsa.misc.cs_registrar`*:: +*`process.parent.code_signature.subject_name`*:: + -- +Subject name of the code signer + type: keyword +example: Microsoft Corporation + -- -*`rsa.misc.cs_represult`*:: +*`process.parent.code_signature.trusted`*:: + -- -type: keyword +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true -- -*`rsa.misc.cs_rpayload`*:: +*`process.parent.code_signature.valid`*:: + -- -type: keyword +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true -- -*`rsa.misc.cs_sampler_name`*:: +*`process.parent.command_line`*:: + -- +Full command line that started the process, including the absolute path to the executable, and all arguments. +Some arguments may be filtered to protect sensitive information. + type: keyword +example: /usr/bin/ssh -l user 10.0.0.16 + -- -*`rsa.misc.cs_sourcemodule`*:: +*`process.parent.command_line.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.cs_streams`*:: +*`process.parent.entity_id`*:: + -- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + type: keyword +example: c2c455d9f99375d + -- -*`rsa.misc.cs_targetmodule`*:: +*`process.parent.executable`*:: + -- +Absolute path to the process executable. + type: keyword +example: /usr/bin/ssh + -- -*`rsa.misc.cs_v6nxthop`*:: +*`process.parent.executable.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.cs_whois_server`*:: +*`process.parent.exit_code`*:: + -- -type: keyword +The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). + +type: long + +example: 137 -- -*`rsa.misc.cs_yararesult`*:: +*`process.parent.hash.md5`*:: + -- +MD5 hash. + type: keyword -- -*`rsa.misc.description`*:: +*`process.parent.hash.sha1`*:: + -- +SHA1 hash. + type: keyword -- -*`rsa.misc.devvendor`*:: +*`process.parent.hash.sha256`*:: + -- +SHA256 hash. + type: keyword -- -*`rsa.misc.distance`*:: +*`process.parent.hash.sha512`*:: + -- +SHA512 hash. + type: keyword -- -*`rsa.misc.dstburb`*:: +*`process.parent.name`*:: + -- +Process name. +Sometimes called program name or similar. + type: keyword +example: ssh + -- -*`rsa.misc.edomain`*:: +*`process.parent.name.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.edomaub`*:: +*`process.parent.pe.architecture`*:: + -- +CPU architecture target for the file. + type: keyword +example: x64 + -- -*`rsa.misc.euid`*:: +*`process.parent.pe.company`*:: + -- +Internal company name of the file, provided at compile-time. + type: keyword +example: Microsoft Corporation + -- -*`rsa.misc.facility`*:: +*`process.parent.pe.description`*:: + -- +Internal description of the file, provided at compile-time. + type: keyword +example: Paint + -- -*`rsa.misc.finterface`*:: +*`process.parent.pe.file_version`*:: + -- +Internal version of the file, provided at compile-time. + type: keyword +example: 6.3.9600.17415 + -- -*`rsa.misc.flags`*:: +*`process.parent.pe.imphash`*:: + -- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`rsa.misc.gaddr`*:: +*`process.parent.pe.original_file_name`*:: + -- +Internal name of the file, provided at compile-time. + type: keyword +example: MSPAINT.EXE + -- -*`rsa.misc.id3`*:: +*`process.parent.pe.product`*:: + -- +Internal product name of the file, provided at compile-time. + type: keyword +example: Microsoft® Windows® Operating System + -- -*`rsa.misc.im_buddyname`*:: +*`process.parent.pgid`*:: + -- -type: keyword +Identifier of the group of processes the process belongs to. + +type: long + +format: string -- -*`rsa.misc.im_croomid`*:: +*`process.parent.pid`*:: + -- -type: keyword +Process id. + +type: long + +example: 4242 + +format: string -- -*`rsa.misc.im_croomtype`*:: +*`process.parent.ppid`*:: + -- -type: keyword +Parent process' pid. + +type: long + +example: 4241 + +format: string -- -*`rsa.misc.im_members`*:: +*`process.parent.start`*:: + -- -type: keyword +The time the process started. + +type: date + +example: 2016-05-23T08:05:34.853Z -- -*`rsa.misc.im_username`*:: +*`process.parent.thread.id`*:: + -- -type: keyword +Thread ID. + +type: long + +example: 4242 + +format: string -- -*`rsa.misc.ipkt`*:: +*`process.parent.thread.name`*:: + -- +Thread name. + type: keyword +example: thread-0 + -- -*`rsa.misc.ipscat`*:: +*`process.parent.title`*:: + -- +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + type: keyword -- -*`rsa.misc.ipspri`*:: +*`process.parent.title.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.latitude`*:: +*`process.parent.uptime`*:: + -- -type: keyword +Seconds the process has been up. + +type: long + +example: 1325 -- -*`rsa.misc.linenum`*:: +*`process.parent.working_directory`*:: + -- +The working directory of the process. + type: keyword +example: /home/alice + -- -*`rsa.misc.list_name`*:: +*`process.parent.working_directory.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.load_data`*:: +*`process.pe.architecture`*:: + -- +CPU architecture target for the file. + type: keyword +example: x64 + -- -*`rsa.misc.location_floor`*:: +*`process.pe.company`*:: + -- +Internal company name of the file, provided at compile-time. + type: keyword +example: Microsoft Corporation + -- -*`rsa.misc.location_mark`*:: +*`process.pe.description`*:: + -- +Internal description of the file, provided at compile-time. + type: keyword +example: Paint + -- -*`rsa.misc.log_id`*:: +*`process.pe.file_version`*:: + -- +Internal version of the file, provided at compile-time. + type: keyword +example: 6.3.9600.17415 + -- -*`rsa.misc.log_type`*:: +*`process.pe.imphash`*:: + -- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`rsa.misc.logid`*:: +*`process.pe.original_file_name`*:: + -- +Internal name of the file, provided at compile-time. + type: keyword +example: MSPAINT.EXE + -- -*`rsa.misc.logip`*:: +*`process.pe.product`*:: + -- +Internal product name of the file, provided at compile-time. + type: keyword +example: Microsoft® Windows® Operating System + -- -*`rsa.misc.logname`*:: +*`process.pgid`*:: + -- -type: keyword +Identifier of the group of processes the process belongs to. + +type: long + +format: string -- -*`rsa.misc.longitude`*:: +*`process.pid`*:: + -- -type: keyword +Process id. + +type: long + +example: 4242 + +format: string -- -*`rsa.misc.lport`*:: +*`process.ppid`*:: + -- -type: keyword +Parent process' pid. + +type: long + +example: 4241 + +format: string -- -*`rsa.misc.mbug_data`*:: +*`process.start`*:: + -- -type: keyword +The time the process started. + +type: date + +example: 2016-05-23T08:05:34.853Z -- -*`rsa.misc.misc_name`*:: +*`process.thread.id`*:: + -- -type: keyword +Thread ID. + +type: long + +example: 4242 + +format: string -- -*`rsa.misc.msg_type`*:: +*`process.thread.name`*:: + -- +Thread name. + type: keyword +example: thread-0 + -- -*`rsa.misc.msgid`*:: +*`process.title`*:: + -- +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + type: keyword -- -*`rsa.misc.netsessid`*:: +*`process.title.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.num`*:: +*`process.uptime`*:: + -- -type: keyword +Seconds the process has been up. + +type: long + +example: 1325 -- -*`rsa.misc.number1`*:: +*`process.working_directory`*:: + -- +The working directory of the process. + type: keyword +example: /home/alice + -- -*`rsa.misc.number2`*:: +*`process.working_directory.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.nwwn`*:: +[float] +=== registry + +Fields related to Windows Registry operations. + + +*`registry.data.bytes`*:: + -- +Original bytes written with base64 encoding. +For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. + type: keyword +example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= + -- -*`rsa.misc.object`*:: +*`registry.data.strings`*:: + -- +Content when writing string types. +Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). + type: keyword +example: ["C:\rta\red_ttp\bin\myapp.exe"] + -- -*`rsa.misc.operation`*:: +*`registry.data.type`*:: + -- +Standard registry type for encoding contents + type: keyword +example: REG_SZ + -- -*`rsa.misc.opkt`*:: +*`registry.hive`*:: + -- +Abbreviated name for the hive. + type: keyword +example: HKLM + -- -*`rsa.misc.orig_from`*:: +*`registry.key`*:: + -- +Hive-relative path of keys. + type: keyword +example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe + -- -*`rsa.misc.owner_id`*:: +*`registry.path`*:: + -- +Full path, including hive, key and value + type: keyword +example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger + -- -*`rsa.misc.p_action`*:: +*`registry.value`*:: + -- +Name of the value written. + type: keyword +example: Debugger + -- -*`rsa.misc.p_filter`*:: +[float] +=== related + +This field set is meant to facilitate pivoting around a piece of data. +Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: + -- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + type: keyword -- -*`rsa.misc.p_group_object`*:: +*`related.hosts`*:: + -- +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + type: keyword -- -*`rsa.misc.p_id`*:: +*`related.ip`*:: + -- -type: keyword +All of the IPs seen on your event. + +type: ip -- -*`rsa.misc.p_msgid1`*:: +*`related.user`*:: + -- +All the user names seen on your event. + type: keyword -- -*`rsa.misc.p_msgid2`*:: +[float] +=== rule + +Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. +Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. + + +*`rule.author`*:: + -- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + type: keyword +example: ['Star-Lord'] + -- -*`rsa.misc.p_result1`*:: +*`rule.category`*:: + -- +A categorization value keyword used by the entity using the rule for detection of this event. + type: keyword +example: Attempted Information Leak + -- -*`rsa.misc.password_chg`*:: +*`rule.description`*:: + -- +The description of the rule generating the event. + type: keyword +example: Block requests to public DNS over HTTPS / TLS protocols + -- -*`rsa.misc.password_expire`*:: +*`rule.id`*:: + -- +A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. + type: keyword +example: 101 + -- -*`rsa.misc.permgranted`*:: +*`rule.license`*:: + -- +Name of the license under which the rule used to generate this event is made available. + type: keyword +example: Apache 2.0 + -- -*`rsa.misc.permwanted`*:: +*`rule.name`*:: + -- +The name of the rule or signature generating the event. + type: keyword +example: BLOCK_DNS_over_TLS + -- -*`rsa.misc.pgid`*:: +*`rule.reference`*:: + -- +Reference URL to additional information about the rule used to generate this event. +The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. + type: keyword +example: https://en.wikipedia.org/wiki/DNS_over_TLS + -- -*`rsa.misc.policyUUID`*:: +*`rule.ruleset`*:: + -- +Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. + type: keyword +example: Standard_Protocol_Filters + -- -*`rsa.misc.prog_asp_num`*:: +*`rule.uuid`*:: + -- +A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. + type: keyword +example: 1100110011 + -- -*`rsa.misc.program`*:: +*`rule.version`*:: + -- +The version / revision of the rule being used for analysis. + type: keyword +example: 1.1 + -- -*`rsa.misc.real_data`*:: +[float] +=== server + +A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. + + +*`server.address`*:: + -- +Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + type: keyword -- -*`rsa.misc.rec_asp_device`*:: +*`server.as.number`*:: + -- -type: keyword +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. + +type: long + +example: 15169 -- -*`rsa.misc.rec_asp_num`*:: +*`server.as.organization.name`*:: + -- +Organization name. + type: keyword +example: Google LLC + -- -*`rsa.misc.rec_library`*:: +*`server.as.organization.name.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.recordnum`*:: +*`server.bytes`*:: + -- -type: keyword +Bytes sent from the server to the client. + +type: long + +example: 184 + +format: bytes -- -*`rsa.misc.ruid`*:: +*`server.domain`*:: + -- +Server domain. + type: keyword -- -*`rsa.misc.sburb`*:: +*`server.geo.city_name`*:: + -- +City name. + type: keyword +example: Montreal + -- -*`rsa.misc.sdomain_fld`*:: +*`server.geo.continent_name`*:: + -- +Name of the continent. + type: keyword +example: North America + -- -*`rsa.misc.sec`*:: +*`server.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword +example: CA + -- -*`rsa.misc.sensorname`*:: +*`server.geo.country_name`*:: + -- +Country name. + type: keyword +example: Canada + -- -*`rsa.misc.seqnum`*:: +*`server.geo.location`*:: + -- -type: keyword +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`rsa.misc.session`*:: +*`server.geo.name`*:: + -- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + type: keyword +example: boston-dc + -- -*`rsa.misc.sessiontype`*:: +*`server.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword +example: CA-QC + -- -*`rsa.misc.sigUUID`*:: +*`server.geo.region_name`*:: + -- +Region name. + type: keyword +example: Quebec + -- -*`rsa.misc.spi`*:: +*`server.ip`*:: + -- -type: keyword +IP address of the server (IPv4 or IPv6). + +type: ip -- -*`rsa.misc.srcburb`*:: +*`server.mac`*:: + -- +MAC address of the server. + type: keyword -- -*`rsa.misc.srcdom`*:: +*`server.nat.ip`*:: + -- -type: keyword +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip -- -*`rsa.misc.srcservice`*:: +*`server.nat.port`*:: + -- -type: keyword +Translated port of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: long + +format: string -- -*`rsa.misc.state`*:: +*`server.packets`*:: + -- -type: keyword +Packets sent from the server to the client. + +type: long + +example: 12 -- -*`rsa.misc.status1`*:: +*`server.port`*:: + -- -type: keyword +Port of the server. + +type: long + +format: string -- -*`rsa.misc.svcno`*:: +*`server.registered_domain`*:: + -- +The highest registered server domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + type: keyword +example: example.com + -- -*`rsa.misc.system`*:: +*`server.top_level_domain`*:: + -- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + type: keyword +example: co.uk + -- -*`rsa.misc.tbdstr1`*:: +*`server.user.domain`*:: + -- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + type: keyword -- -*`rsa.misc.tgtdom`*:: +*`server.user.email`*:: + -- +User email address. + type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`server.user.full_name`*:: + -- +User's full name, if available. + type: keyword +example: Albert Einstein + -- -*`rsa.misc.threshold`*:: +*`server.user.full_name.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.type1`*:: +*`server.user.group.domain`*:: + -- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + type: keyword -- -*`rsa.misc.udb_class`*:: +*`server.user.group.id`*:: + -- +Unique identifier for the group on the system/platform. + type: keyword -- -*`rsa.misc.url_fld`*:: +*`server.user.group.name`*:: + -- +Name of the group. + type: keyword -- -*`rsa.misc.user_div`*:: +*`server.user.hash`*:: + -- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + type: keyword -- -*`rsa.misc.userid`*:: +*`server.user.id`*:: + -- +Unique identifier of the user. + type: keyword -- -*`rsa.misc.username_fld`*:: +*`server.user.name`*:: + -- +Short name or login of the user. + type: keyword +example: albert + -- -*`rsa.misc.utcstamp`*:: +*`server.user.name.text`*:: + -- -type: keyword +type: text -- -*`rsa.misc.v_instafname`*:: +*`server.user.roles`*:: + -- +Array of user roles at the time of the event. + type: keyword +example: ["kibana_admin", "reporting_user"] + -- -*`rsa.misc.virt_data`*:: +[float] +=== service + +The service fields describe the service for or from which the data was collected. +These fields help you find and correlate logs for a specific service and version. + + +*`service.ephemeral_id`*:: + -- +Ephemeral identifier of this service (if one exists). +This id normally changes across restarts, but `service.id` does not. + type: keyword +example: 8a4f500f + -- -*`rsa.misc.vpnid`*:: +*`service.id`*:: + -- +Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. +This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. +Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. + type: keyword +example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + -- -*`rsa.misc.autorun_type`*:: +*`service.name`*:: + -- -This is used to capture Auto Run type +Name of the service data is collected from. +The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. +In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. type: keyword +example: elasticsearch-metrics + -- -*`rsa.misc.cc_number`*:: +*`service.node.name`*:: + -- -Valid Credit Card Numbers only +Name of a service node. +This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. +In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. -type: long +type: keyword + +example: instance-0000000016 -- -*`rsa.misc.content`*:: +*`service.state`*:: + -- -This key captures the content type from protocol headers +Current state of the service. type: keyword -- -*`rsa.misc.ein_number`*:: +*`service.type`*:: + -- -Employee Identification Numbers only +The type of the service data is collected from. +The type can be used to group and correlate logs and metrics from one service type. +Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. -type: long +type: keyword + +example: elasticsearch -- -*`rsa.misc.found`*:: +*`service.version`*:: + -- -This is used to capture the results of regex match +Version of the service the data was collected from. +This allows to look at a data set only for a specific version of a service. type: keyword +example: 3.2.4 + -- -*`rsa.misc.language`*:: +[float] +=== source + +Source fields describe details about the source of a packet/event. +Source fields are usually populated in conjunction with destination fields. + + +*`source.address`*:: + -- -This is used to capture list of languages the client support and what it prefers +Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. type: keyword -- -*`rsa.misc.lifetime`*:: +*`source.as.number`*:: + -- -This key is used to capture the session lifetime in seconds. +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. type: long +example: 15169 + -- -*`rsa.misc.link`*:: +*`source.as.organization.name`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Organization name. type: keyword +example: Google LLC + -- -*`rsa.misc.match`*:: +*`source.as.organization.name.text`*:: + -- -This key is for regex match name from search.ini - -type: keyword +type: text -- -*`rsa.misc.param_dst`*:: +*`source.bytes`*:: + -- -This key captures the command line/launch argument of the target process or file - -type: keyword +Bytes sent from the source to the destination. --- +type: long -*`rsa.misc.param_src`*:: -+ --- -This key captures source parameter +example: 184 -type: keyword +format: bytes -- -*`rsa.misc.search_text`*:: +*`source.domain`*:: + -- -This key captures the Search Text used +Source domain. type: keyword -- -*`rsa.misc.sig_name`*:: +*`source.geo.city_name`*:: + -- -This key is used to capture the Signature Name only. +City name. type: keyword +example: Montreal + -- -*`rsa.misc.snmp_value`*:: +*`source.geo.continent_name`*:: + -- -SNMP set request value +Name of the continent. type: keyword +example: North America + -- -*`rsa.misc.streams`*:: +*`source.geo.country_iso_code`*:: + -- -This key captures number of streams in session +Country ISO code. -type: long +type: keyword --- +example: CA +-- -*`rsa.db.index`*:: +*`source.geo.country_name`*:: + -- -This key captures IndexID of the index. +Country name. type: keyword +example: Canada + -- -*`rsa.db.instance`*:: +*`source.geo.location`*:: + -- -This key is used to capture the database server instance name +Longitude and latitude. -type: keyword +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`rsa.db.database`*:: +*`source.geo.name`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword +example: boston-dc + -- -*`rsa.db.transact_id`*:: +*`source.geo.region_iso_code`*:: + -- -This key captures the SQL transantion ID of the current session +Region ISO code. type: keyword +example: CA-QC + -- -*`rsa.db.permissions`*:: +*`source.geo.region_name`*:: + -- -This key captures permission or privilege level assigned to a resource. +Region name. type: keyword +example: Quebec + -- -*`rsa.db.table_name`*:: +*`source.ip`*:: + -- -This key is used to capture the table name +IP address of the source (IPv4 or IPv6). -type: keyword +type: ip -- -*`rsa.db.db_id`*:: +*`source.mac`*:: + -- -This key is used to capture the unique identifier for a database +MAC address of the source. type: keyword -- -*`rsa.db.db_pid`*:: +*`source.nat.ip`*:: + -- -This key captures the process id of a connection with database server +Translated ip of source based NAT sessions (e.g. internal client to internet) +Typically connections traversing load balancers, firewalls, or routers. -type: long +type: ip -- -*`rsa.db.lread`*:: +*`source.nat.port`*:: + -- -This key is used for the number of logical reads +Translated port of source based NAT sessions. (e.g. internal client to internet) +Typically used with load balancers, firewalls, or routers. type: long +format: string + -- -*`rsa.db.lwrite`*:: +*`source.packets`*:: + -- -This key is used for the number of logical writes +Packets sent from the source to the destination. type: long +example: 12 + -- -*`rsa.db.pread`*:: +*`source.port`*:: + -- -This key is used for the number of physical writes +Port of the source. type: long --- +format: string +-- -*`rsa.network.alias_host`*:: +*`source.registered_domain`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. +The highest registered source domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword +example: example.com + -- -*`rsa.network.domain`*:: +*`source.top_level_domain`*:: + -- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + type: keyword +example: co.uk + -- -*`rsa.network.host_dst`*:: +*`source.user.domain`*:: + -- -This key should only be used when it’s a Destination Hostname +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`rsa.network.network_service`*:: +*`source.user.email`*:: + -- -This is used to capture layer 7 protocols/service names +User email address. type: keyword -- -*`rsa.network.interface`*:: +*`source.user.full_name`*:: + -- -This key should be used when the source or destination context of an interface is not clear +User's full name, if available. type: keyword +example: Albert Einstein + -- -*`rsa.network.network_port`*:: +*`source.user.full_name.text`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) - -type: long +type: text -- -*`rsa.network.eth_host`*:: +*`source.user.group.domain`*:: + -- -Deprecated, use alias.mac +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`rsa.network.sinterface`*:: +*`source.user.group.id`*:: + -- -This key should only be used when it’s a Source Interface +Unique identifier for the group on the system/platform. type: keyword -- -*`rsa.network.dinterface`*:: +*`source.user.group.name`*:: + -- -This key should only be used when it’s a Destination Interface +Name of the group. type: keyword -- -*`rsa.network.vlan`*:: +*`source.user.hash`*:: + -- -This key should only be used to capture the ID of the Virtual LAN +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. -type: long +type: keyword -- -*`rsa.network.zone_src`*:: +*`source.user.id`*:: + -- -This key should only be used when it’s a Source Zone. +Unique identifier of the user. type: keyword -- -*`rsa.network.zone`*:: +*`source.user.name`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +Short name or login of the user. type: keyword +example: albert + -- -*`rsa.network.zone_dst`*:: +*`source.user.name.text`*:: + -- -This key should only be used when it’s a Destination Zone. - -type: keyword +type: text -- -*`rsa.network.gateway`*:: +*`source.user.roles`*:: + -- -This key is used to capture the IP Address of the gateway +Array of user roles at the time of the event. type: keyword --- +example: ["kibana_admin", "reporting_user"] -*`rsa.network.icmp_type`*:: -+ -- -This key is used to capture the ICMP type only -type: long +[float] +=== threat --- +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. +These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). -*`rsa.network.mask`*:: + +*`threat.framework`*:: + -- -This key is used to capture the device network IPmask. +Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. type: keyword --- - -*`rsa.network.icmp_code`*:: -+ --- -This key is used to capture the ICMP code only - -type: long +example: MITRE ATT&CK -- -*`rsa.network.protocol_detail`*:: +*`threat.tactic.id`*:: + -- -This key should be used to capture additional protocol information +The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword +example: TA0040 + -- -*`rsa.network.dmask`*:: +*`threat.tactic.name`*:: + -- -This key is used for Destionation Device network mask +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/) type: keyword --- - -*`rsa.network.port`*:: -+ --- -This key should only be used to capture a Network Port when the directionality is not clear - -type: long +example: impact -- -*`rsa.network.smask`*:: +*`threat.tactic.reference`*:: + -- -This key is used for capturing source Network Mask +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword +example: https://attack.mitre.org/tactics/TA0040/ + -- -*`rsa.network.netname`*:: +*`threat.technique.id`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword --- - -*`rsa.network.paddr`*:: -+ --- -Deprecated - -type: ip +example: T1499 -- -*`rsa.network.faddr`*:: +*`threat.technique.name`*:: + -- +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) + type: keyword +example: Endpoint Denial of Service + -- -*`rsa.network.lhost`*:: +*`threat.technique.name.text`*:: + -- -type: keyword +type: text -- -*`rsa.network.origin`*:: +*`threat.technique.reference`*:: + -- +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) + type: keyword --- +example: https://attack.mitre.org/techniques/T1499/ -*`rsa.network.remote_domain_id`*:: -+ -- -type: keyword --- +[float] +=== tls -*`rsa.network.addr`*:: -+ --- -type: keyword +Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. --- -*`rsa.network.dns_a_record`*:: +*`tls.cipher`*:: + -- +String indicating the cipher used during the current connection. + type: keyword +example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + -- -*`rsa.network.dns_ptr_record`*:: +*`tls.client.certificate`*:: + -- +PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. + type: keyword +example: MII... + -- -*`rsa.network.fhost`*:: +*`tls.client.certificate_chain`*:: + -- +Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. + type: keyword +example: ['MII...', 'MII...'] + -- -*`rsa.network.fport`*:: +*`tls.client.hash.md5`*:: + -- +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + type: keyword +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + -- -*`rsa.network.laddr`*:: +*`tls.client.hash.sha1`*:: + -- +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + type: keyword +example: 9E393D93138888D288266C2D915214D1D1CCEB2A + -- -*`rsa.network.linterface`*:: +*`tls.client.hash.sha256`*:: + -- +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + type: keyword +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + -- -*`rsa.network.phost`*:: +*`tls.client.issuer`*:: + -- +Distinguished name of subject of the issuer of the x.509 certificate presented by the client. + type: keyword +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + -- -*`rsa.network.ad_computer_dst`*:: +*`tls.client.ja3`*:: + -- -Deprecated, use host.dst +A hash that identifies clients based on how they perform an SSL/TLS handshake. type: keyword +example: d4e5b18d6b55c71272893221c96ba240 + -- -*`rsa.network.eth_type`*:: +*`tls.client.not_after`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only +Date/Time indicating when client certificate is no longer considered valid. -type: long +type: date + +example: 2021-01-01T00:00:00.000Z -- -*`rsa.network.ip_proto`*:: +*`tls.client.not_before`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +Date/Time indicating when client certificate is first considered valid. -type: long +type: date + +example: 1970-01-01T00:00:00.000Z -- -*`rsa.network.dns_cname_record`*:: +*`tls.client.server_name`*:: + -- +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. + type: keyword +example: www.elastic.co + -- -*`rsa.network.dns_id`*:: +*`tls.client.subject`*:: + -- +Distinguished name of subject of the x.509 certificate presented by the client. + type: keyword +example: CN=myclient, OU=Documentation Team, DC=example, DC=com + -- -*`rsa.network.dns_opcode`*:: +*`tls.client.supported_ciphers`*:: + -- +Array of ciphers offered by the client during the client hello. + type: keyword +example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...'] + -- -*`rsa.network.dns_resp`*:: +*`tls.client.x509.alternative_names`*:: + -- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + type: keyword +example: *.elastic.co + -- -*`rsa.network.dns_type`*:: +*`tls.client.x509.issuer.common_name`*:: + -- +List of common name (CN) of issuing certificate authority. + type: keyword +example: Example SHA2 High Assurance Server CA + -- -*`rsa.network.domain1`*:: +*`tls.client.x509.issuer.country`*:: + -- +List of country (C) codes + type: keyword +example: US + -- -*`rsa.network.host_type`*:: +*`tls.client.x509.issuer.distinguished_name`*:: + -- +Distinguished name (DN) of issuing certificate authority. + type: keyword +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + -- -*`rsa.network.packet_length`*:: +*`tls.client.x509.issuer.locality`*:: + -- +List of locality names (L) + type: keyword +example: Mountain View + -- -*`rsa.network.host_orig`*:: +*`tls.client.x509.issuer.organization`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. +List of organizations (O) of issuing certificate authority. type: keyword +example: Example Inc + -- -*`rsa.network.rpayload`*:: +*`tls.client.x509.issuer.organizational_unit`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. +List of organizational units (OU) of issuing certificate authority. type: keyword +example: www.example.com + -- -*`rsa.network.vlan_name`*:: +*`tls.client.x509.issuer.state_or_province`*:: + -- -This key should only be used to capture the name of the Virtual LAN +List of state or province names (ST, S, or P) type: keyword --- +example: California +-- -*`rsa.investigations.ec_activity`*:: +*`tls.client.x509.not_after`*:: + -- -This key captures the particular event activity(Ex:Logoff) +Time at which the certificate is no longer considered valid. -type: keyword +type: date + +example: 2020-07-16 03:15:39+00:00 -- -*`rsa.investigations.ec_theme`*:: +*`tls.client.x509.not_before`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) +Time at which the certificate is first considered valid. -type: keyword +type: date + +example: 2019-08-16 01:40:25+00:00 -- -*`rsa.investigations.ec_subject`*:: +*`tls.client.x509.public_key_algorithm`*:: + -- -This key captures the Subject of a particular Event(Ex:User) +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`rsa.investigations.ec_outcome`*:: +*`tls.client.x509.public_key_curve`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`rsa.investigations.event_cat`*:: +*`tls.client.x509.public_key_exponent`*:: + -- -This key captures the Event category number +Exponent used to derive the public key. This is algorithm specific. type: long +example: 65537 + +Field is not indexed. + -- -*`rsa.investigations.event_cat_name`*:: +*`tls.client.x509.public_key_size`*:: + -- -This key captures the event category name corresponding to the event cat code +The size of the public key space in bits. -type: keyword +type: long + +example: 2048 -- -*`rsa.investigations.event_vcat`*:: +*`tls.client.x509.serial_number`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -*`rsa.investigations.analysis_file`*:: +*`tls.client.x509.signature_algorithm`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword +example: SHA256-RSA + -- -*`rsa.investigations.analysis_service`*:: +*`tls.client.x509.subject.common_name`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +List of common names (CN) of subject. type: keyword +example: shared.global.example.net + -- -*`rsa.investigations.analysis_session`*:: +*`tls.client.x509.subject.country`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session +List of country (C) code type: keyword +example: US + -- -*`rsa.investigations.boc`*:: +*`tls.client.x509.subject.distinguished_name`*:: + -- -This is used to capture behaviour of compromise +Distinguished name (DN) of the certificate subject entity. type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`rsa.investigations.eoc`*:: +*`tls.client.x509.subject.locality`*:: + -- -This is used to capture Enablers of Compromise +List of locality names (L) type: keyword +example: San Francisco + -- -*`rsa.investigations.inv_category`*:: +*`tls.client.x509.subject.organization`*:: + -- -This used to capture investigation category +List of organizations (O) of subject. type: keyword +example: Example, Inc. + -- -*`rsa.investigations.inv_context`*:: +*`tls.client.x509.subject.organizational_unit`*:: + -- -This used to capture investigation context +List of organizational units (OU) of subject. type: keyword -- -*`rsa.investigations.ioc`*:: +*`tls.client.x509.subject.state_or_province`*:: + -- -This is key capture indicator of compromise +List of state or province names (ST, S, or P) type: keyword --- +example: California +-- -*`rsa.counters.dclass_c1`*:: +*`tls.client.x509.version_number`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only +Version of x509 format. -type: long +type: keyword + +example: 3 -- -*`rsa.counters.dclass_c2`*:: +*`tls.curve`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only +String indicating the curve used for the given cipher, when applicable. -type: long +type: keyword + +example: secp256r1 -- -*`rsa.counters.event_counter`*:: +*`tls.established`*:: + -- -This is used to capture the number of times an event repeated +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -type: long +type: boolean -- -*`rsa.counters.dclass_r1`*:: +*`tls.next_protocol`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword +example: http/1.1 + -- -*`rsa.counters.dclass_c3`*:: +*`tls.resumed`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -type: long +type: boolean -- -*`rsa.counters.dclass_c1_str`*:: +*`tls.server.certificate`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. type: keyword +example: MII... + -- -*`rsa.counters.dclass_c2_str`*:: +*`tls.server.certificate_chain`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only +Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. type: keyword +example: ['MII...', 'MII...'] + -- -*`rsa.counters.dclass_r1_str`*:: +*`tls.server.hash.md5`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + -- -*`rsa.counters.dclass_r2`*:: +*`tls.server.hash.sha1`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword +example: 9E393D93138888D288266C2D915214D1D1CCEB2A + -- -*`rsa.counters.dclass_c3_str`*:: +*`tls.server.hash.sha256`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + -- -*`rsa.counters.dclass_r3`*:: +*`tls.server.issuer`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only +Subject of the issuer of the x.509 certificate presented by the server. type: keyword +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + -- -*`rsa.counters.dclass_r2_str`*:: +*`tls.server.ja3s`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only +A hash that identifies servers based on how they perform an SSL/TLS handshake. type: keyword +example: 394441ab65754e2207b1e1b457b3641d + -- -*`rsa.counters.dclass_r3_str`*:: +*`tls.server.not_after`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only +Timestamp indicating when server certificate is no longer considered valid. -type: keyword +type: date --- +example: 2021-01-01T00:00:00.000Z +-- -*`rsa.identity.auth_method`*:: +*`tls.server.not_before`*:: + -- -This key is used to capture authentication methods used only +Timestamp indicating when server certificate is first considered valid. -type: keyword +type: date + +example: 1970-01-01T00:00:00.000Z -- -*`rsa.identity.user_role`*:: +*`tls.server.subject`*:: + -- -This key is used to capture the Role of a user only +Subject of the x.509 certificate presented by the server. type: keyword +example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + -- -*`rsa.identity.dn`*:: +*`tls.server.x509.alternative_names`*:: + -- -X.500 (LDAP) Distinguished Name +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword +example: *.elastic.co + -- -*`rsa.identity.logon_type`*:: +*`tls.server.x509.issuer.common_name`*:: + -- -This key is used to capture the type of logon method used. +List of common name (CN) of issuing certificate authority. type: keyword +example: Example SHA2 High Assurance Server CA + -- -*`rsa.identity.profile`*:: +*`tls.server.x509.issuer.country`*:: + -- -This key is used to capture the user profile +List of country (C) codes type: keyword +example: US + -- -*`rsa.identity.accesses`*:: +*`tls.server.x509.issuer.distinguished_name`*:: + -- -This key is used to capture actual privileges used in accessing an object +Distinguished name (DN) of issuing certificate authority. type: keyword +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + -- -*`rsa.identity.realm`*:: +*`tls.server.x509.issuer.locality`*:: + -- -Radius realm or similar grouping of accounts +List of locality names (L) type: keyword +example: Mountain View + -- -*`rsa.identity.user_sid_dst`*:: +*`tls.server.x509.issuer.organization`*:: + -- -This key captures Destination User Session ID +List of organizations (O) of issuing certificate authority. type: keyword +example: Example Inc + -- -*`rsa.identity.dn_src`*:: +*`tls.server.x509.issuer.organizational_unit`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn +List of organizational units (OU) of issuing certificate authority. type: keyword +example: www.example.com + -- -*`rsa.identity.org`*:: +*`tls.server.x509.issuer.state_or_province`*:: + -- -This key captures the User organization +List of state or province names (ST, S, or P) type: keyword +example: California + -- -*`rsa.identity.dn_dst`*:: +*`tls.server.x509.not_after`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn +Time at which the certificate is no longer considered valid. -type: keyword +type: date + +example: 2020-07-16 03:15:39+00:00 -- -*`rsa.identity.firstname`*:: +*`tls.server.x509.not_before`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +Time at which the certificate is first considered valid. -type: keyword +type: date + +example: 2019-08-16 01:40:25+00:00 -- -*`rsa.identity.lastname`*:: +*`tls.server.x509.public_key_algorithm`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`rsa.identity.user_dept`*:: +*`tls.server.x509.public_key_curve`*:: + -- -User's Department Names only +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`rsa.identity.user_sid_src`*:: +*`tls.server.x509.public_key_exponent`*:: + -- -This key captures Source User Session ID +Exponent used to derive the public key. This is algorithm specific. -type: keyword +type: long + +example: 65537 + +Field is not indexed. -- -*`rsa.identity.federated_sp`*:: +*`tls.server.x509.public_key_size`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. +The size of the public key space in bits. -type: keyword +type: long + +example: 2048 -- -*`rsa.identity.federated_idp`*:: +*`tls.server.x509.serial_number`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -*`rsa.identity.logon_type_desc`*:: +*`tls.server.x509.signature_algorithm`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword +example: SHA256-RSA + -- -*`rsa.identity.middlename`*:: +*`tls.server.x509.subject.common_name`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +List of common names (CN) of subject. type: keyword +example: shared.global.example.net + -- -*`rsa.identity.password`*:: +*`tls.server.x509.subject.country`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted +List of country (C) code type: keyword +example: US + -- -*`rsa.identity.host_role`*:: +*`tls.server.x509.subject.distinguished_name`*:: + -- -This key should only be used to capture the role of a Host Machine +Distinguished name (DN) of the certificate subject entity. type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`rsa.identity.ldap`*:: +*`tls.server.x509.subject.locality`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context +List of locality names (L) type: keyword +example: San Francisco + -- -*`rsa.identity.ldap_query`*:: +*`tls.server.x509.subject.organization`*:: + -- -This key is the Search criteria from an LDAP search +List of organizations (O) of subject. type: keyword +example: Example, Inc. + -- -*`rsa.identity.ldap_response`*:: +*`tls.server.x509.subject.organizational_unit`*:: + -- -This key is to capture Results from an LDAP search +List of organizational units (OU) of subject. type: keyword -- -*`rsa.identity.owner`*:: +*`tls.server.x509.subject.state_or_province`*:: + -- -This is used to capture username the process or service is running as, the author of the task +List of state or province names (ST, S, or P) type: keyword +example: California + -- -*`rsa.identity.service_account`*:: +*`tls.server.x509.version_number`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage +Version of x509 format. type: keyword --- +example: 3 +-- -*`rsa.email.email_dst`*:: +*`tls.version`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email +Numeric part of the version parsed from the original string. type: keyword +example: 1.2 + -- -*`rsa.email.email_src`*:: +*`tls.version_protocol`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email +Normalized lowercase protocol name parsed from original string. type: keyword --- +example: tls -*`rsa.email.subject`*:: -+ -- -This key is used to capture the subject string from an Email only. -type: keyword +[float] +=== tracing --- +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. -*`rsa.email.email`*:: + +*`tracing.span.id`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear +Unique identifier of the span within the scope of its trace. +A span represents an operation within a transaction, such as a request to another service, or a database query. type: keyword +example: 3ff9a8981b7ccd5a + -- -*`rsa.email.trans_from`*:: +*`tracing.trace.id`*:: + -- -Deprecated key defined only in table map. +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. type: keyword +example: 4bf92f3577b34da6a3ce929d0e0e4736 + -- -*`rsa.email.trans_to`*:: +*`tracing.transaction.id`*:: + -- -Deprecated key defined only in table map. +Unique identifier of the transaction within the scope of its trace. +A transaction is the highest level of work measured within a service, such as a request to a server. type: keyword +example: 00f067aa0ba902b7 + -- +[float] +=== url + +URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. + -*`rsa.file.privilege`*:: +*`url.domain`*:: + -- -Deprecated, use permissions +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. type: keyword +example: www.elastic.co + -- -*`rsa.file.attachment`*:: +*`url.extension`*:: + -- -This key captures the attachment file name +The field contains the file extension from the original request url. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". type: keyword +example: png + -- -*`rsa.file.filesystem`*:: +*`url.fragment`*:: + -- +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. + type: keyword -- -*`rsa.file.binary`*:: +*`url.full`*:: + -- -Deprecated key defined only in table map. +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. type: keyword +example: https://www.elastic.co:443/search?q=elasticsearch#top + -- -*`rsa.file.filename_dst`*:: +*`url.full.text`*:: + -- -This is used to capture name of the file targeted by the action - -type: keyword +type: text -- -*`rsa.file.filename_src`*:: +*`url.original`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. type: keyword +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + -- -*`rsa.file.filename_tmp`*:: +*`url.original.text`*:: + -- -type: keyword +type: text -- -*`rsa.file.directory_dst`*:: +*`url.password`*:: + -- -This key is used to capture the directory of the target process or file +Password of the request. type: keyword -- -*`rsa.file.directory_src`*:: +*`url.path`*:: + -- -This key is used to capture the directory of the source process or file +Path of the request, such as "/search". type: keyword -- -*`rsa.file.file_entropy`*:: +*`url.port`*:: + -- -This is used to capture entropy vale of a file +Port of the request, such as 443. -type: double +type: long + +example: 443 + +format: string -- -*`rsa.file.file_vendor`*:: +*`url.query`*:: + -- -This is used to capture Company name of file located in version_info +The query field describes the query string of the request, such as "q=elasticsearch". +The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. type: keyword -- -*`rsa.file.task_name`*:: +*`url.registered_domain`*:: + -- -This is used to capture name of the task +The highest registered url domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword --- +example: example.com +-- -*`rsa.web.fqdn`*:: +*`url.scheme`*:: + -- -Fully Qualified Domain Names +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. type: keyword +example: https + -- -*`rsa.web.web_cookie`*:: +*`url.top_level_domain`*:: + -- -This key is used to capture the Web cookies specifically. +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword +example: co.uk + -- -*`rsa.web.alias_host`*:: +*`url.username`*:: + -- +Username of the request. + type: keyword -- -*`rsa.web.reputation_num`*:: +[float] +=== user + +The user fields describe information about the user that is relevant to the event. +Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. + + +*`user.domain`*:: + -- -Reputation Number of an entity. Typically used for Web Domains +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. -type: double +type: keyword -- -*`rsa.web.web_ref_domain`*:: +*`user.email`*:: + -- -Web referer's domain +User email address. type: keyword -- -*`rsa.web.web_ref_query`*:: +*`user.full_name`*:: + -- -This key captures Web referer's query portion of the URL +User's full name, if available. type: keyword +example: Albert Einstein + -- -*`rsa.web.remote_domain`*:: +*`user.full_name.text`*:: + -- -type: keyword +type: text -- -*`rsa.web.web_ref_page`*:: +*`user.group.domain`*:: + -- -This key captures Web referer's page information +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`rsa.web.web_ref_root`*:: +*`user.group.id`*:: + -- -Web referer's root URL path +Unique identifier for the group on the system/platform. type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`user.group.name`*:: + -- +Name of the group. + type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`user.hash`*:: + -- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + type: keyword -- -*`rsa.web.urlpage`*:: +*`user.id`*:: + -- +Unique identifier of the user. + type: keyword -- -*`rsa.web.urlroot`*:: +*`user.name`*:: + -- +Short name or login of the user. + type: keyword +example: albert + -- -*`rsa.web.p_url`*:: +*`user.name.text`*:: + -- -type: keyword +type: text -- -*`rsa.web.p_user_agent`*:: +*`user.roles`*:: + -- +Array of user roles at the time of the event. + type: keyword +example: ["kibana_admin", "reporting_user"] + -- -*`rsa.web.p_web_cookie`*:: +[float] +=== user_agent + +The user_agent fields normally come from a browser request. +They often show up in web service logs coming from the parsed user agent string. + + +*`user_agent.device.name`*:: + -- +Name of the device. + type: keyword +example: iPhone + -- -*`rsa.web.p_web_method`*:: +*`user_agent.name`*:: + -- +Name of the user agent. + type: keyword +example: Safari + -- -*`rsa.web.p_web_referer`*:: +*`user_agent.original`*:: + -- +Unparsed user_agent string. + type: keyword +example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 + -- -*`rsa.web.web_extension_tmp`*:: +*`user_agent.original.text`*:: + -- -type: keyword +type: text -- -*`rsa.web.web_page`*:: +*`user_agent.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword --- +example: debian +-- -*`rsa.threat.threat_category`*:: +*`user_agent.os.full`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert +Operating system name, including the version or code name. type: keyword +example: Mac OS Mojave + -- -*`rsa.threat.threat_desc`*:: +*`user_agent.os.full.text`*:: + -- -This key is used to capture the threat description from the session directly or inferred - -type: keyword +type: text -- -*`rsa.threat.alert`*:: +*`user_agent.os.kernel`*:: + -- -This key is used to capture name of the alert +Operating system kernel version as a raw string. type: keyword +example: 4.4.0-112-generic + -- -*`rsa.threat.threat_source`*:: +*`user_agent.os.name`*:: + -- -This key is used to capture source of the threat +Operating system name, without the version. type: keyword --- +example: Mac OS X +-- -*`rsa.crypto.crypto`*:: +*`user_agent.os.name.text`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword +type: text -- -*`rsa.crypto.cipher_src`*:: +*`user_agent.os.platform`*:: + -- -This key is for Source (Client) Cipher +Operating system platform (such centos, ubuntu, windows). type: keyword +example: darwin + -- -*`rsa.crypto.cert_subject`*:: +*`user_agent.os.version`*:: + -- -This key is used to capture the Certificate organization only +Operating system version as a raw string. type: keyword +example: 10.14.1 + -- -*`rsa.crypto.peer`*:: +*`user_agent.version`*:: + -- -This key is for Encryption peer's IP Address +Version of the user agent. type: keyword --- +example: 12.0 -*`rsa.crypto.cipher_size_src`*:: -+ -- -This key captures Source (Client) Cipher Size -type: long +[float] +=== vlan --- +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. -*`rsa.crypto.ike`*:: + +*`vlan.id`*:: + -- -IKE negotiation phase. +VLAN ID as reported by the observer. type: keyword +example: 10 + -- -*`rsa.crypto.scheme`*:: +*`vlan.name`*:: + -- -This key captures the Encryption scheme used +Optional VLAN name as reported by the observer. type: keyword --- +example: outside -*`rsa.crypto.peer_id`*:: -+ -- -This key is for Encryption peer’s identity -type: keyword +[float] +=== vulnerability --- +The vulnerability fields describe information about a vulnerability that is relevant to an event. -*`rsa.crypto.sig_type`*:: + +*`vulnerability.category`*:: + -- -This key captures the Signature Type +The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) +This field must be an array. type: keyword +example: ["Firewall"] + -- -*`rsa.crypto.cert_issuer`*:: +*`vulnerability.classification`*:: + -- +The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) + type: keyword +example: CVSS + -- -*`rsa.crypto.cert_host_name`*:: +*`vulnerability.description`*:: + -- -Deprecated key defined only in table map. +The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) type: keyword +example: In macOS before 2.12.6, there is a vulnerability in the RPC... + -- -*`rsa.crypto.cert_error`*:: +*`vulnerability.description.text`*:: + -- -This key captures the Certificate Error String - -type: keyword +type: text -- -*`rsa.crypto.cipher_dst`*:: +*`vulnerability.enumeration`*:: + -- -This key is for Destination (Server) Cipher +The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) type: keyword +example: CVE + -- -*`rsa.crypto.cipher_size_dst`*:: +*`vulnerability.id`*:: + -- -This key captures Destination (Server) Cipher Size +The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] -type: long +type: keyword + +example: CVE-2019-00001 -- -*`rsa.crypto.ssl_ver_src`*:: +*`vulnerability.reference`*:: + -- -Deprecated, use version +A resource that provides additional information, context, and mitigations for the identified vulnerability. type: keyword +example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 + -- -*`rsa.crypto.d_certauth`*:: +*`vulnerability.report_id`*:: + -- +The report or scan identification number. + type: keyword +example: 20191018.0001 + -- -*`rsa.crypto.s_certauth`*:: +*`vulnerability.scanner.vendor`*:: + -- +The name of the vulnerability scanner vendor. + type: keyword +example: Tenable + -- -*`rsa.crypto.ike_cookie1`*:: +*`vulnerability.score.base`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) -type: keyword +type: float + +example: 5.5 -- -*`rsa.crypto.ike_cookie2`*:: +*`vulnerability.score.environmental`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) -type: keyword +type: float + +example: 5.5 -- -*`rsa.crypto.cert_checksum`*:: +*`vulnerability.score.temporal`*:: + -- -type: keyword +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) + +type: float -- -*`rsa.crypto.cert_host_cat`*:: +*`vulnerability.score.version`*:: + -- -This key is used for the hostname category value of a certificate +The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. +CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword +example: 2.0 + -- -*`rsa.crypto.cert_serial`*:: +*`vulnerability.severity`*:: + -- -This key is used to capture the Certificate serial number only +The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) type: keyword +example: Critical + -- -*`rsa.crypto.cert_status`*:: +[float] +=== x509 + +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + + +*`x509.alternative_names`*:: + -- -This key captures Certificate validation status +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword +example: *.elastic.co + -- -*`rsa.crypto.ssl_ver_dst`*:: +*`x509.issuer.common_name`*:: + -- -Deprecated, use version +List of common name (CN) of issuing certificate authority. type: keyword +example: Example SHA2 High Assurance Server CA + -- -*`rsa.crypto.cert_keysize`*:: +*`x509.issuer.country`*:: + -- +List of country (C) codes + type: keyword +example: US + -- -*`rsa.crypto.cert_username`*:: +*`x509.issuer.distinguished_name`*:: + -- +Distinguished name (DN) of issuing certificate authority. + type: keyword +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + -- -*`rsa.crypto.https_insact`*:: +*`x509.issuer.locality`*:: + -- +List of locality names (L) + type: keyword +example: Mountain View + -- -*`rsa.crypto.https_valid`*:: +*`x509.issuer.organization`*:: + -- +List of organizations (O) of issuing certificate authority. + type: keyword +example: Example Inc + -- -*`rsa.crypto.cert_ca`*:: +*`x509.issuer.organizational_unit`*:: + -- -This key is used to capture the Certificate signing authority only +List of organizational units (OU) of issuing certificate authority. type: keyword +example: www.example.com + -- -*`rsa.crypto.cert_common`*:: +*`x509.issuer.state_or_province`*:: + -- -This key is used to capture the Certificate common name only +List of state or province names (ST, S, or P) type: keyword --- +example: California +-- -*`rsa.wireless.wlan_ssid`*:: +*`x509.not_after`*:: + -- -This key is used to capture the ssid of a Wireless Session +Time at which the certificate is no longer considered valid. -type: keyword +type: date + +example: 2020-07-16 03:15:39+00:00 -- -*`rsa.wireless.access_point`*:: +*`x509.not_before`*:: + -- -This key is used to capture the access point name. +Time at which the certificate is first considered valid. -type: keyword +type: date + +example: 2019-08-16 01:40:25+00:00 -- -*`rsa.wireless.wlan_channel`*:: +*`x509.public_key_algorithm`*:: + -- -This is used to capture the channel names +Algorithm used to generate the public key. -type: long +type: keyword + +example: RSA -- -*`rsa.wireless.wlan_name`*:: +*`x509.public_key_curve`*:: + -- -This key captures either WLAN number/name +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword --- +example: nistp521 +-- -*`rsa.storage.disk_volume`*:: +*`x509.public_key_exponent`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk +Exponent used to derive the public key. This is algorithm specific. -type: keyword +type: long + +example: 65537 + +Field is not indexed. -- -*`rsa.storage.lun`*:: +*`x509.public_key_size`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. +The size of the public key space in bits. -type: keyword +type: long + +example: 2048 -- -*`rsa.storage.pwwn`*:: +*`x509.serial_number`*:: + -- -This uniquely identifies a port on a HBA. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword --- +example: 55FBB9C7DEBF09809D12CCAA +-- -*`rsa.physical.org_dst`*:: +*`x509.signature_algorithm`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword +example: SHA256-RSA + -- -*`rsa.physical.org_src`*:: +*`x509.subject.common_name`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. +List of common names (CN) of subject. type: keyword --- +example: shared.global.example.net +-- -*`rsa.healthcare.patient_fname`*:: +*`x509.subject.country`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +List of country (C) code type: keyword +example: US + -- -*`rsa.healthcare.patient_id`*:: +*`x509.subject.distinguished_name`*:: + -- -This key captures the unique ID for a patient +Distinguished name (DN) of the certificate subject entity. type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`rsa.healthcare.patient_lname`*:: +*`x509.subject.locality`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +List of locality names (L) type: keyword +example: San Francisco + -- -*`rsa.healthcare.patient_mname`*:: +*`x509.subject.organization`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +List of organizations (O) of subject. type: keyword --- +example: Example, Inc. +-- -*`rsa.endpoint.host_state`*:: +*`x509.subject.organizational_unit`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +List of organizational units (OU) of subject. type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`x509.subject.state_or_province`*:: + -- -This key captures the path to the registry key +List of state or province names (ST, S, or P) type: keyword +example: California + -- -*`rsa.endpoint.registry_value`*:: +*`x509.version_number`*:: + -- -This key captures values or decorators used within a registry entry +Version of x509 format. type: keyword +example: 3 + -- -[[exported-fields-fortinet]] -== Fortinet fields +[[exported-fields-elasticsearch]] +== Elasticsearch fields -fortinet Module +elasticsearch Module [float] -=== fortinet +=== elasticsearch -Fields from fortinet FortiOS -*`fortinet.file.hash.crc32`*:: +*`elasticsearch.component`*:: + -- -CRC32 Hash of file - +Elasticsearch component from where the log event originated type: keyword +example: o.e.c.m.MetaDataCreateIndexService + -- -*`fortinet.network.interface.name`*:: +*`elasticsearch.cluster.uuid`*:: + -- -Name of the network interface where the traffic has been observed. - +UUID of the cluster type: keyword --- - +example: GmvrbHlNTiSVYiPf8kxg9g +-- -*`fortinet.rsa.internal.msg`*:: +*`elasticsearch.cluster.name`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder +Name of the cluster type: keyword +example: docker-cluster + -- -*`fortinet.rsa.internal.messageid`*:: +*`elasticsearch.node.id`*:: + -- +ID of the node + type: keyword +example: DSiWcTyeThWtUXLB9J0BMw + -- -*`fortinet.rsa.internal.event_desc`*:: +*`elasticsearch.node.name`*:: + -- +Name of the node + type: keyword +example: vWNJsZ3 + -- -*`fortinet.rsa.internal.message`*:: +*`elasticsearch.index.name`*:: + -- -This key captures the contents of instant messages +Index name type: keyword +example: filebeat-test-input + -- -*`fortinet.rsa.internal.time`*:: +*`elasticsearch.index.id`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. +Index id -type: date +type: keyword + +example: aOGgDwbURfCV57AScqbCgw -- -*`fortinet.rsa.internal.level`*:: +*`elasticsearch.shard.id`*:: + -- -Deprecated key defined only in table map. +Id of the shard -type: long +type: keyword --- +example: 0 -*`fortinet.rsa.internal.msg_id`*:: -+ -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +[float] +=== audit + --- -*`fortinet.rsa.internal.msg_vid`*:: + +*`elasticsearch.audit.layer`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The layer from which this event originated: rest, transport or ip_filter type: keyword +example: rest + -- -*`fortinet.rsa.internal.data`*:: +*`elasticsearch.audit.event_type`*:: + -- -Deprecated key defined only in table map. +The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied type: keyword +example: access_granted + -- -*`fortinet.rsa.internal.obj_server`*:: +*`elasticsearch.audit.origin.type`*:: + -- -Deprecated key defined only in table map. +Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request) type: keyword +example: local_node + -- -*`fortinet.rsa.internal.obj_val`*:: +*`elasticsearch.audit.realm`*:: ++ +-- +The authentication realm the authentication was validated against + +type: keyword + +-- + +*`elasticsearch.audit.user.realm`*:: ++ +-- +The user's authentication realm, if authenticated + +type: keyword + +-- + +*`elasticsearch.audit.user.roles`*:: ++ +-- +Roles to which the principal belongs + +type: keyword + +example: ['kibana_admin', 'beats_admin'] + +-- + +*`elasticsearch.audit.action`*:: ++ +-- +The name of the action that was executed + +type: keyword + +example: cluster:monitor/main + +-- + +*`elasticsearch.audit.url.params`*:: ++ +-- +REST URI parameters + +example: {username=jacknich2} + +-- + +*`elasticsearch.audit.indices`*:: ++ +-- +Indices accessed by action + +type: keyword + +example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'] + +-- + +*`elasticsearch.audit.request.id`*:: ++ +-- +Unique ID of request + +type: keyword + +example: WzL_kb6VSvOhAq0twPvHOQ + +-- + +*`elasticsearch.audit.request.name`*:: ++ +-- +The type of request that was executed + +type: keyword + +example: ClearScrollRequest + +-- + +*`elasticsearch.audit.request_body`*:: ++ +-- +type: alias + +alias to: http.request.body.content + +-- + +*`elasticsearch.audit.origin_address`*:: ++ +-- +type: alias + +alias to: source.ip + +-- + +*`elasticsearch.audit.uri`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`elasticsearch.audit.principal`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`elasticsearch.audit.message`*:: ++ +-- +type: text + +-- + +[float] +=== deprecation + + + +[float] +=== gc + +GC fileset fields. + + + +[float] +=== phase + +Fields specific to GC phase. + + + +*`elasticsearch.gc.phase.name`*:: ++ +-- +Name of the GC collection phase. + + +type: keyword + +-- + +*`elasticsearch.gc.phase.duration_sec`*:: ++ +-- +Collection phase duration according to the Java virtual machine. + + +type: float + +-- + +*`elasticsearch.gc.phase.scrub_symbol_table_time_sec`*:: ++ +-- +Pause time in seconds cleaning up symbol tables. + + +type: float + +-- + +*`elasticsearch.gc.phase.scrub_string_table_time_sec`*:: ++ +-- +Pause time in seconds cleaning up string tables. + + +type: float + +-- + +*`elasticsearch.gc.phase.weak_refs_processing_time_sec`*:: ++ +-- +Time spent processing weak references in seconds. + + +type: float + +-- + +*`elasticsearch.gc.phase.parallel_rescan_time_sec`*:: ++ +-- +Time spent in seconds marking live objects while application is stopped. + + +type: float + +-- + +*`elasticsearch.gc.phase.class_unload_time_sec`*:: ++ +-- +Time spent unloading unused classes in seconds. + + +type: float + +-- + +[float] +=== cpu_time + +Process CPU time spent performing collections. + + + +*`elasticsearch.gc.phase.cpu_time.user_sec`*:: ++ +-- +CPU time spent outside the kernel. + + +type: float + +-- + +*`elasticsearch.gc.phase.cpu_time.sys_sec`*:: ++ +-- +CPU time spent inside the kernel. + + +type: float + +-- + +*`elasticsearch.gc.phase.cpu_time.real_sec`*:: ++ +-- +Total elapsed CPU time spent to complete the collection from start to finish. + + +type: float + +-- + +*`elasticsearch.gc.jvm_runtime_sec`*:: ++ +-- +The time from JVM start up in seconds, as a floating point number. + + +type: float + +-- + +*`elasticsearch.gc.threads_total_stop_time_sec`*:: ++ +-- +Garbage collection threads total stop time seconds. + + +type: float + +-- + +*`elasticsearch.gc.stopping_threads_time_sec`*:: ++ +-- +Time took to stop threads seconds. + + +type: float + +-- + +*`elasticsearch.gc.tags`*:: ++ +-- +GC logging tags. + + +type: keyword + +-- + +[float] +=== heap + +Heap allocation and total size. + + + +*`elasticsearch.gc.heap.size_kb`*:: ++ +-- +Total heap size in kilobytes. + + +type: integer + +-- + +*`elasticsearch.gc.heap.used_kb`*:: ++ +-- +Used heap in kilobytes. + + +type: integer + +-- + +[float] +=== old_gen + +Old generation occupancy and total size. + + + +*`elasticsearch.gc.old_gen.size_kb`*:: ++ +-- +Total size of old generation in kilobytes. + + +type: integer + +-- + +*`elasticsearch.gc.old_gen.used_kb`*:: ++ +-- +Old generation occupancy in kilobytes. + + +type: integer + +-- + +[float] +=== young_gen + +Young generation occupancy and total size. + + + +*`elasticsearch.gc.young_gen.size_kb`*:: ++ +-- +Total size of young generation in kilobytes. + + +type: integer + +-- + +*`elasticsearch.gc.young_gen.used_kb`*:: ++ +-- +Young generation occupancy in kilobytes. + + +type: integer + +-- + +[float] +=== server + +Server log file + + +*`elasticsearch.server.stacktrace`*:: ++ +-- +Field is not indexed. + +-- + +[float] +=== gc + +GC log + + +[float] +=== young + +Young GC + + +*`elasticsearch.server.gc.young.one`*:: ++ +-- + + +type: long + +example: + +-- + +*`elasticsearch.server.gc.young.two`*:: ++ +-- + + +type: long + +example: + +-- + +*`elasticsearch.server.gc.overhead_seq`*:: ++ +-- +Sequence number + +type: long + +example: 3449992 + +-- + +*`elasticsearch.server.gc.collection_duration.ms`*:: ++ +-- +Time spent in GC, in milliseconds + +type: float + +example: 1600 + +-- + +*`elasticsearch.server.gc.observation_duration.ms`*:: ++ +-- +Total time over which collection was observed, in milliseconds + +type: float + +example: 1800 + +-- + +[float] +=== slowlog + +Slowlog events from Elasticsearch + + +*`elasticsearch.slowlog.logger`*:: ++ +-- +Logger name + +type: keyword + +example: index.search.slowlog.fetch + +-- + +*`elasticsearch.slowlog.took`*:: ++ +-- +Time it took to execute the query + +type: keyword + +example: 300ms + +-- + +*`elasticsearch.slowlog.types`*:: ++ +-- +Types + +type: keyword + +example: + +-- + +*`elasticsearch.slowlog.stats`*:: ++ +-- +Stats groups + +type: keyword + +example: group1 + +-- + +*`elasticsearch.slowlog.search_type`*:: ++ +-- +Search type + +type: keyword + +example: QUERY_THEN_FETCH + +-- + +*`elasticsearch.slowlog.source_query`*:: ++ +-- +Slow query + +type: keyword + +example: {"query":{"match_all":{"boost":1.0}}} + +-- + +*`elasticsearch.slowlog.extra_source`*:: ++ +-- +Extra source information + +type: keyword + +example: + +-- + +*`elasticsearch.slowlog.total_hits`*:: ++ +-- +Total hits + +type: keyword + +example: 42 + +-- + +*`elasticsearch.slowlog.total_shards`*:: ++ +-- +Total queried shards + +type: keyword + +example: 22 + +-- + +*`elasticsearch.slowlog.routing`*:: ++ +-- +Routing + +type: keyword + +example: s01HZ2QBk9jw4gtgaFtn + +-- + +*`elasticsearch.slowlog.id`*:: ++ +-- +Id + +type: keyword + +example: + +-- + +*`elasticsearch.slowlog.type`*:: ++ +-- +Type + +type: keyword + +example: doc + +-- + +*`elasticsearch.slowlog.source`*:: ++ +-- +Source of document that was indexed + +type: keyword + +-- + +[[exported-fields-envoyproxy]] +== Envoyproxy fields + +Module for handling logs produced by envoy + + + +[float] +=== envoyproxy + +Fields from envoy proxy logs after normalization + + + +*`envoyproxy.log_type`*:: ++ +-- +Envoy log type, normally ACCESS + + +type: keyword + +-- + +*`envoyproxy.response_flags`*:: ++ +-- +Response flags + + +type: keyword + +-- + +*`envoyproxy.upstream_service_time`*:: ++ +-- +Upstream service time in nanoseconds + + +type: long + +format: duration + +-- + +*`envoyproxy.request_id`*:: ++ +-- +ID of the request + + +type: keyword + +-- + +*`envoyproxy.authority`*:: ++ +-- +Envoy proxy authority field + + +type: keyword + +-- + +*`envoyproxy.proxy_type`*:: ++ +-- +Envoy proxy type, tcp or http + + +type: keyword + +-- + +[[exported-fields-f5]] +== Big-IP Access Policy Manager fields + +f5 fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: + -- Deprecated key defined only in table map. @@ -51180,7 +53189,7 @@ type: keyword -- -*`fortinet.rsa.internal.resource`*:: +*`rsa.internal.resource`*:: + -- Deprecated key defined only in table map. @@ -51189,7 +53198,7 @@ type: keyword -- -*`fortinet.rsa.internal.obj_id`*:: +*`rsa.internal.obj_id`*:: + -- Deprecated key defined only in table map. @@ -51198,7 +53207,7 @@ type: keyword -- -*`fortinet.rsa.internal.statement`*:: +*`rsa.internal.statement`*:: + -- Deprecated key defined only in table map. @@ -51207,7 +53216,7 @@ type: keyword -- -*`fortinet.rsa.internal.audit_class`*:: +*`rsa.internal.audit_class`*:: + -- Deprecated key defined only in table map. @@ -51216,7 +53225,7 @@ type: keyword -- -*`fortinet.rsa.internal.entry`*:: +*`rsa.internal.entry`*:: + -- Deprecated key defined only in table map. @@ -51225,7 +53234,7 @@ type: keyword -- -*`fortinet.rsa.internal.hcode`*:: +*`rsa.internal.hcode`*:: + -- Deprecated key defined only in table map. @@ -51234,7 +53243,7 @@ type: keyword -- -*`fortinet.rsa.internal.inode`*:: +*`rsa.internal.inode`*:: + -- Deprecated key defined only in table map. @@ -51243,7 +53252,7 @@ type: long -- -*`fortinet.rsa.internal.resource_class`*:: +*`rsa.internal.resource_class`*:: + -- Deprecated key defined only in table map. @@ -51252,7 +53261,7 @@ type: keyword -- -*`fortinet.rsa.internal.dead`*:: +*`rsa.internal.dead`*:: + -- Deprecated key defined only in table map. @@ -51261,7 +53270,7 @@ type: long -- -*`fortinet.rsa.internal.feed_desc`*:: +*`rsa.internal.feed_desc`*:: + -- This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51270,7 +53279,7 @@ type: keyword -- -*`fortinet.rsa.internal.feed_name`*:: +*`rsa.internal.feed_name`*:: + -- This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51279,7 +53288,7 @@ type: keyword -- -*`fortinet.rsa.internal.cid`*:: +*`rsa.internal.cid`*:: + -- This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51288,7 +53297,7 @@ type: keyword -- -*`fortinet.rsa.internal.device_class`*:: +*`rsa.internal.device_class`*:: + -- This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51297,7 +53306,7 @@ type: keyword -- -*`fortinet.rsa.internal.device_group`*:: +*`rsa.internal.device_group`*:: + -- This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51306,7 +53315,7 @@ type: keyword -- -*`fortinet.rsa.internal.device_host`*:: +*`rsa.internal.device_host`*:: + -- This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51315,7 +53324,7 @@ type: keyword -- -*`fortinet.rsa.internal.device_ip`*:: +*`rsa.internal.device_ip`*:: + -- This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51324,7 +53333,7 @@ type: ip -- -*`fortinet.rsa.internal.device_ipv6`*:: +*`rsa.internal.device_ipv6`*:: + -- This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51333,7 +53342,7 @@ type: ip -- -*`fortinet.rsa.internal.device_type`*:: +*`rsa.internal.device_type`*:: + -- This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51342,7 +53351,7 @@ type: keyword -- -*`fortinet.rsa.internal.device_type_id`*:: +*`rsa.internal.device_type_id`*:: + -- Deprecated key defined only in table map. @@ -51351,7 +53360,7 @@ type: long -- -*`fortinet.rsa.internal.did`*:: +*`rsa.internal.did`*:: + -- This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51360,7 +53369,7 @@ type: keyword -- -*`fortinet.rsa.internal.entropy_req`*:: +*`rsa.internal.entropy_req`*:: + -- This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration @@ -51369,7 +53378,7 @@ type: long -- -*`fortinet.rsa.internal.entropy_res`*:: +*`rsa.internal.entropy_res`*:: + -- This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration @@ -51378,7 +53387,7 @@ type: long -- -*`fortinet.rsa.internal.event_name`*:: +*`rsa.internal.event_name`*:: + -- Deprecated key defined only in table map. @@ -51387,7 +53396,7 @@ type: keyword -- -*`fortinet.rsa.internal.feed_category`*:: +*`rsa.internal.feed_category`*:: + -- This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51396,7 +53405,7 @@ type: keyword -- -*`fortinet.rsa.internal.forward_ip`*:: +*`rsa.internal.forward_ip`*:: + -- This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. @@ -51405,7 +53414,7 @@ type: ip -- -*`fortinet.rsa.internal.forward_ipv6`*:: +*`rsa.internal.forward_ipv6`*:: + -- This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51414,7 +53423,7 @@ type: ip -- -*`fortinet.rsa.internal.header_id`*:: +*`rsa.internal.header_id`*:: + -- This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51423,7 +53432,7 @@ type: keyword -- -*`fortinet.rsa.internal.lc_cid`*:: +*`rsa.internal.lc_cid`*:: + -- This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51432,7 +53441,7 @@ type: keyword -- -*`fortinet.rsa.internal.lc_ctime`*:: +*`rsa.internal.lc_ctime`*:: + -- This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51441,7 +53450,7 @@ type: date -- -*`fortinet.rsa.internal.mcb_req`*:: +*`rsa.internal.mcb_req`*:: + -- This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most @@ -51450,7 +53459,7 @@ type: long -- -*`fortinet.rsa.internal.mcb_res`*:: +*`rsa.internal.mcb_res`*:: + -- This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most @@ -51459,7 +53468,7 @@ type: long -- -*`fortinet.rsa.internal.mcbc_req`*:: +*`rsa.internal.mcbc_req`*:: + -- This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams @@ -51468,7 +53477,7 @@ type: long -- -*`fortinet.rsa.internal.mcbc_res`*:: +*`rsa.internal.mcbc_res`*:: + -- This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams @@ -51477,7 +53486,7 @@ type: long -- -*`fortinet.rsa.internal.medium`*:: +*`rsa.internal.medium`*:: + -- This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session @@ -51486,7 +53495,7 @@ type: long -- -*`fortinet.rsa.internal.node_name`*:: +*`rsa.internal.node_name`*:: + -- Deprecated key defined only in table map. @@ -51495,7 +53504,7 @@ type: keyword -- -*`fortinet.rsa.internal.nwe_callback_id`*:: +*`rsa.internal.nwe_callback_id`*:: + -- This key denotes that event is endpoint related @@ -51504,7 +53513,7 @@ type: keyword -- -*`fortinet.rsa.internal.parse_error`*:: +*`rsa.internal.parse_error`*:: + -- This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51513,7 +53522,7 @@ type: keyword -- -*`fortinet.rsa.internal.payload_req`*:: +*`rsa.internal.payload_req`*:: + -- This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep @@ -51522,7 +53531,7 @@ type: long -- -*`fortinet.rsa.internal.payload_res`*:: +*`rsa.internal.payload_res`*:: + -- This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep @@ -51531,7 +53540,7 @@ type: long -- -*`fortinet.rsa.internal.process_vid_dst`*:: +*`rsa.internal.process_vid_dst`*:: + -- Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. @@ -51540,7 +53549,7 @@ type: keyword -- -*`fortinet.rsa.internal.process_vid_src`*:: +*`rsa.internal.process_vid_src`*:: + -- Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. @@ -51549,7 +53558,7 @@ type: keyword -- -*`fortinet.rsa.internal.rid`*:: +*`rsa.internal.rid`*:: + -- This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51558,7 +53567,7 @@ type: long -- -*`fortinet.rsa.internal.session_split`*:: +*`rsa.internal.session_split`*:: + -- This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51567,7 +53576,7 @@ type: keyword -- -*`fortinet.rsa.internal.site`*:: +*`rsa.internal.site`*:: + -- Deprecated key defined only in table map. @@ -51576,7 +53585,7 @@ type: keyword -- -*`fortinet.rsa.internal.size`*:: +*`rsa.internal.size`*:: + -- This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51585,7 +53594,7 @@ type: long -- -*`fortinet.rsa.internal.sourcefile`*:: +*`rsa.internal.sourcefile`*:: + -- This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51594,7 +53603,7 @@ type: keyword -- -*`fortinet.rsa.internal.ubc_req`*:: +*`rsa.internal.ubc_req`*:: + -- This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once @@ -51603,7 +53612,7 @@ type: long -- -*`fortinet.rsa.internal.ubc_res`*:: +*`rsa.internal.ubc_res`*:: + -- This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once @@ -51612,7 +53621,7 @@ type: long -- -*`fortinet.rsa.internal.word`*:: +*`rsa.internal.word`*:: + -- This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log @@ -51622,7 +53631,7 @@ type: keyword -- -*`fortinet.rsa.time.event_time`*:: +*`rsa.time.event_time`*:: + -- This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form @@ -51631,7 +53640,7 @@ type: date -- -*`fortinet.rsa.time.duration_time`*:: +*`rsa.time.duration_time`*:: + -- This key is used to capture the normalized duration/lifetime in seconds. @@ -51640,7 +53649,7 @@ type: double -- -*`fortinet.rsa.time.event_time_str`*:: +*`rsa.time.event_time_str`*:: + -- This key is used to capture the incomplete time mentioned in a session as a string @@ -51649,7 +53658,7 @@ type: keyword -- -*`fortinet.rsa.time.starttime`*:: +*`rsa.time.starttime`*:: + -- This key is used to capture the Start time mentioned in a session in a standard form @@ -51658,21 +53667,21 @@ type: date -- -*`fortinet.rsa.time.month`*:: +*`rsa.time.month`*:: + -- type: keyword -- -*`fortinet.rsa.time.day`*:: +*`rsa.time.day`*:: + -- type: keyword -- -*`fortinet.rsa.time.endtime`*:: +*`rsa.time.endtime`*:: + -- This key is used to capture the End time mentioned in a session in a standard form @@ -51681,7 +53690,7 @@ type: date -- -*`fortinet.rsa.time.timezone`*:: +*`rsa.time.timezone`*:: + -- This key is used to capture the timezone of the Event Time @@ -51690,7 +53699,7 @@ type: keyword -- -*`fortinet.rsa.time.duration_str`*:: +*`rsa.time.duration_str`*:: + -- A text string version of the duration @@ -51699,21 +53708,21 @@ type: keyword -- -*`fortinet.rsa.time.date`*:: +*`rsa.time.date`*:: + -- type: keyword -- -*`fortinet.rsa.time.year`*:: +*`rsa.time.year`*:: + -- type: keyword -- -*`fortinet.rsa.time.recorded_time`*:: +*`rsa.time.recorded_time`*:: + -- The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. @@ -51722,14 +53731,14 @@ type: date -- -*`fortinet.rsa.time.datetime`*:: +*`rsa.time.datetime`*:: + -- type: keyword -- -*`fortinet.rsa.time.effective_time`*:: +*`rsa.time.effective_time`*:: + -- This key is the effective time referenced by an individual event in a Standard Timestamp format @@ -51738,7 +53747,7 @@ type: date -- -*`fortinet.rsa.time.expire_time`*:: +*`rsa.time.expire_time`*:: + -- This key is the timestamp that explicitly refers to an expiration. @@ -51747,7 +53756,7 @@ type: date -- -*`fortinet.rsa.time.process_time`*:: +*`rsa.time.process_time`*:: + -- Deprecated, use duration.time @@ -51756,28 +53765,28 @@ type: keyword -- -*`fortinet.rsa.time.hour`*:: +*`rsa.time.hour`*:: + -- type: keyword -- -*`fortinet.rsa.time.min`*:: +*`rsa.time.min`*:: + -- type: keyword -- -*`fortinet.rsa.time.timestamp`*:: +*`rsa.time.timestamp`*:: + -- type: keyword -- -*`fortinet.rsa.time.event_queue_time`*:: +*`rsa.time.event_queue_time`*:: + -- This key is the Time that the event was queued. @@ -51786,77 +53795,77 @@ type: date -- -*`fortinet.rsa.time.p_time1`*:: +*`rsa.time.p_time1`*:: + -- type: keyword -- -*`fortinet.rsa.time.tzone`*:: +*`rsa.time.tzone`*:: + -- type: keyword -- -*`fortinet.rsa.time.eventtime`*:: +*`rsa.time.eventtime`*:: + -- type: keyword -- -*`fortinet.rsa.time.gmtdate`*:: +*`rsa.time.gmtdate`*:: + -- type: keyword -- -*`fortinet.rsa.time.gmttime`*:: +*`rsa.time.gmttime`*:: + -- type: keyword -- -*`fortinet.rsa.time.p_date`*:: +*`rsa.time.p_date`*:: + -- type: keyword -- -*`fortinet.rsa.time.p_month`*:: +*`rsa.time.p_month`*:: + -- type: keyword -- -*`fortinet.rsa.time.p_time`*:: +*`rsa.time.p_time`*:: + -- type: keyword -- -*`fortinet.rsa.time.p_time2`*:: +*`rsa.time.p_time2`*:: + -- type: keyword -- -*`fortinet.rsa.time.p_year`*:: +*`rsa.time.p_year`*:: + -- type: keyword -- -*`fortinet.rsa.time.expire_time_str`*:: +*`rsa.time.expire_time_str`*:: + -- This key is used to capture incomplete timestamp that explicitly refers to an expiration. @@ -51865,7 +53874,7 @@ type: keyword -- -*`fortinet.rsa.time.stamp`*:: +*`rsa.time.stamp`*:: + -- Deprecated key defined only in table map. @@ -51875,14 +53884,14 @@ type: date -- -*`fortinet.rsa.misc.action`*:: +*`rsa.misc.action`*:: + -- type: keyword -- -*`fortinet.rsa.misc.result`*:: +*`rsa.misc.result`*:: + -- This key is used to capture the outcome/result string value of an action in a session. @@ -51891,7 +53900,7 @@ type: keyword -- -*`fortinet.rsa.misc.severity`*:: +*`rsa.misc.severity`*:: + -- This key is used to capture the severity given the session @@ -51900,7 +53909,7 @@ type: keyword -- -*`fortinet.rsa.misc.event_type`*:: +*`rsa.misc.event_type`*:: + -- This key captures the event category type as specified by the event source. @@ -51909,7 +53918,7 @@ type: keyword -- -*`fortinet.rsa.misc.reference_id`*:: +*`rsa.misc.reference_id`*:: + -- This key is used to capture an event id from the session directly @@ -51918,7 +53927,7 @@ type: keyword -- -*`fortinet.rsa.misc.version`*:: +*`rsa.misc.version`*:: + -- This key captures Version of the application or OS which is generating the event. @@ -51927,7 +53936,7 @@ type: keyword -- -*`fortinet.rsa.misc.disposition`*:: +*`rsa.misc.disposition`*:: + -- This key captures the The end state of an action. @@ -51936,7 +53945,7 @@ type: keyword -- -*`fortinet.rsa.misc.result_code`*:: +*`rsa.misc.result_code`*:: + -- This key is used to capture the outcome/result numeric value of an action in a session @@ -51945,7 +53954,7 @@ type: keyword -- -*`fortinet.rsa.misc.category`*:: +*`rsa.misc.category`*:: + -- This key is used to capture the category of an event given by the vendor in the session @@ -51954,7 +53963,7 @@ type: keyword -- -*`fortinet.rsa.misc.obj_name`*:: +*`rsa.misc.obj_name`*:: + -- This is used to capture name of object @@ -51963,7 +53972,7 @@ type: keyword -- -*`fortinet.rsa.misc.obj_type`*:: +*`rsa.misc.obj_type`*:: + -- This is used to capture type of object @@ -51972,7 +53981,7 @@ type: keyword -- -*`fortinet.rsa.misc.event_source`*:: +*`rsa.misc.event_source`*:: + -- This key captures Source of the event that’s not a hostname @@ -51981,7 +53990,7 @@ type: keyword -- -*`fortinet.rsa.misc.log_session_id`*:: +*`rsa.misc.log_session_id`*:: + -- This key is used to capture a sessionid from the session directly @@ -51990,7 +53999,7 @@ type: keyword -- -*`fortinet.rsa.misc.group`*:: +*`rsa.misc.group`*:: + -- This key captures the Group Name value @@ -51999,7 +54008,7 @@ type: keyword -- -*`fortinet.rsa.misc.policy_name`*:: +*`rsa.misc.policy_name`*:: + -- This key is used to capture the Policy Name only. @@ -52008,7 +54017,7 @@ type: keyword -- -*`fortinet.rsa.misc.rule_name`*:: +*`rsa.misc.rule_name`*:: + -- This key captures the Rule Name @@ -52017,7 +54026,7 @@ type: keyword -- -*`fortinet.rsa.misc.context`*:: +*`rsa.misc.context`*:: + -- This key captures Information which adds additional context to the event. @@ -52026,7 +54035,7 @@ type: keyword -- -*`fortinet.rsa.misc.change_new`*:: +*`rsa.misc.change_new`*:: + -- This key is used to capture the new values of the attribute that’s changing in a session @@ -52035,14 +54044,14 @@ type: keyword -- -*`fortinet.rsa.misc.space`*:: +*`rsa.misc.space`*:: + -- type: keyword -- -*`fortinet.rsa.misc.client`*:: +*`rsa.misc.client`*:: + -- This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. @@ -52051,21 +54060,21 @@ type: keyword -- -*`fortinet.rsa.misc.msgIdPart1`*:: +*`rsa.misc.msgIdPart1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.msgIdPart2`*:: +*`rsa.misc.msgIdPart2`*:: + -- type: keyword -- -*`fortinet.rsa.misc.change_old`*:: +*`rsa.misc.change_old`*:: + -- This key is used to capture the old value of the attribute that’s changing in a session @@ -52074,7 +54083,7 @@ type: keyword -- -*`fortinet.rsa.misc.operation_id`*:: +*`rsa.misc.operation_id`*:: + -- An alert number or operation number. The values should be unique and non-repeating. @@ -52083,7 +54092,7 @@ type: keyword -- -*`fortinet.rsa.misc.event_state`*:: +*`rsa.misc.event_state`*:: + -- This key captures the current state of the object/item referenced within the event. Describing an on-going event. @@ -52092,7 +54101,7 @@ type: keyword -- -*`fortinet.rsa.misc.group_object`*:: +*`rsa.misc.group_object`*:: + -- This key captures a collection/grouping of entities. Specific usage @@ -52101,7 +54110,7 @@ type: keyword -- -*`fortinet.rsa.misc.node`*:: +*`rsa.misc.node`*:: + -- Common use case is the node name within a cluster. The cluster name is reflected by the host name. @@ -52110,7 +54119,7 @@ type: keyword -- -*`fortinet.rsa.misc.rule`*:: +*`rsa.misc.rule`*:: + -- This key captures the Rule number @@ -52119,7 +54128,7 @@ type: keyword -- -*`fortinet.rsa.misc.device_name`*:: +*`rsa.misc.device_name`*:: + -- This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc @@ -52128,7 +54137,7 @@ type: keyword -- -*`fortinet.rsa.misc.param`*:: +*`rsa.misc.param`*:: + -- This key is the parameters passed as part of a command or application, etc. @@ -52137,7 +54146,7 @@ type: keyword -- -*`fortinet.rsa.misc.change_attrib`*:: +*`rsa.misc.change_attrib`*:: + -- This key is used to capture the name of the attribute that’s changing in a session @@ -52146,7 +54155,7 @@ type: keyword -- -*`fortinet.rsa.misc.event_computer`*:: +*`rsa.misc.event_computer`*:: + -- This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. @@ -52155,7 +54164,7 @@ type: keyword -- -*`fortinet.rsa.misc.reference_id1`*:: +*`rsa.misc.reference_id1`*:: + -- This key is for Linked ID to be used as an addition to "reference.id" @@ -52164,7 +54173,7 @@ type: keyword -- -*`fortinet.rsa.misc.event_log`*:: +*`rsa.misc.event_log`*:: + -- This key captures the Name of the event log @@ -52173,7 +54182,7 @@ type: keyword -- -*`fortinet.rsa.misc.OS`*:: +*`rsa.misc.OS`*:: + -- This key captures the Name of the Operating System @@ -52182,7 +54191,7 @@ type: keyword -- -*`fortinet.rsa.misc.terminal`*:: +*`rsa.misc.terminal`*:: + -- This key captures the Terminal Names only @@ -52191,14 +54200,14 @@ type: keyword -- -*`fortinet.rsa.misc.msgIdPart3`*:: +*`rsa.misc.msgIdPart3`*:: + -- type: keyword -- -*`fortinet.rsa.misc.filter`*:: +*`rsa.misc.filter`*:: + -- This key captures Filter used to reduce result set @@ -52207,7 +54216,7 @@ type: keyword -- -*`fortinet.rsa.misc.serial_number`*:: +*`rsa.misc.serial_number`*:: + -- This key is the Serial number associated with a physical asset. @@ -52216,7 +54225,7 @@ type: keyword -- -*`fortinet.rsa.misc.checksum`*:: +*`rsa.misc.checksum`*:: + -- This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. @@ -52225,7 +54234,7 @@ type: keyword -- -*`fortinet.rsa.misc.event_user`*:: +*`rsa.misc.event_user`*:: + -- This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. @@ -52234,7 +54243,7 @@ type: keyword -- -*`fortinet.rsa.misc.virusname`*:: +*`rsa.misc.virusname`*:: + -- This key captures the name of the virus @@ -52243,7 +54252,7 @@ type: keyword -- -*`fortinet.rsa.misc.content_type`*:: +*`rsa.misc.content_type`*:: + -- This key is used to capture Content Type only. @@ -52252,7 +54261,7 @@ type: keyword -- -*`fortinet.rsa.misc.group_id`*:: +*`rsa.misc.group_id`*:: + -- This key captures Group ID Number (related to the group name) @@ -52261,7 +54270,7 @@ type: keyword -- -*`fortinet.rsa.misc.policy_id`*:: +*`rsa.misc.policy_id`*:: + -- This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise @@ -52270,7 +54279,7 @@ type: keyword -- -*`fortinet.rsa.misc.vsys`*:: +*`rsa.misc.vsys`*:: + -- This key captures Virtual System Name @@ -52279,7 +54288,7 @@ type: keyword -- -*`fortinet.rsa.misc.connection_id`*:: +*`rsa.misc.connection_id`*:: + -- This key captures the Connection ID @@ -52288,7 +54297,7 @@ type: keyword -- -*`fortinet.rsa.misc.reference_id2`*:: +*`rsa.misc.reference_id2`*:: + -- This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. @@ -52297,7 +54306,7 @@ type: keyword -- -*`fortinet.rsa.misc.sensor`*:: +*`rsa.misc.sensor`*:: + -- This key captures Name of the sensor. Typically used in IDS/IPS based devices @@ -52306,7 +54315,7 @@ type: keyword -- -*`fortinet.rsa.misc.sig_id`*:: +*`rsa.misc.sig_id`*:: + -- This key captures IDS/IPS Int Signature ID @@ -52315,7 +54324,7 @@ type: long -- -*`fortinet.rsa.misc.port_name`*:: +*`rsa.misc.port_name`*:: + -- This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). @@ -52324,7 +54333,7 @@ type: keyword -- -*`fortinet.rsa.misc.rule_group`*:: +*`rsa.misc.rule_group`*:: + -- This key captures the Rule group name @@ -52333,7 +54342,7 @@ type: keyword -- -*`fortinet.rsa.misc.risk_num`*:: +*`rsa.misc.risk_num`*:: + -- This key captures a Numeric Risk value @@ -52342,7 +54351,7 @@ type: double -- -*`fortinet.rsa.misc.trigger_val`*:: +*`rsa.misc.trigger_val`*:: + -- This key captures the Value of the trigger or threshold condition. @@ -52351,7 +54360,7 @@ type: keyword -- -*`fortinet.rsa.misc.log_session_id1`*:: +*`rsa.misc.log_session_id1`*:: + -- This key is used to capture a Linked (Related) Session ID from the session directly @@ -52360,7 +54369,7 @@ type: keyword -- -*`fortinet.rsa.misc.comp_version`*:: +*`rsa.misc.comp_version`*:: + -- This key captures the Version level of a sub-component of a product. @@ -52369,7 +54378,7 @@ type: keyword -- -*`fortinet.rsa.misc.content_version`*:: +*`rsa.misc.content_version`*:: + -- This key captures Version level of a signature or database content. @@ -52378,7 +54387,7 @@ type: keyword -- -*`fortinet.rsa.misc.hardware_id`*:: +*`rsa.misc.hardware_id`*:: + -- This key is used to capture unique identifier for a device or system (NOT a Mac address) @@ -52387,7 +54396,7 @@ type: keyword -- -*`fortinet.rsa.misc.risk`*:: +*`rsa.misc.risk`*:: + -- This key captures the non-numeric risk value @@ -52396,28 +54405,28 @@ type: keyword -- -*`fortinet.rsa.misc.event_id`*:: +*`rsa.misc.event_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.reason`*:: +*`rsa.misc.reason`*:: + -- type: keyword -- -*`fortinet.rsa.misc.status`*:: +*`rsa.misc.status`*:: + -- type: keyword -- -*`fortinet.rsa.misc.mail_id`*:: +*`rsa.misc.mail_id`*:: + -- This key is used to capture the mailbox id/name @@ -52426,7 +54435,7 @@ type: keyword -- -*`fortinet.rsa.misc.rule_uid`*:: +*`rsa.misc.rule_uid`*:: + -- This key is the Unique Identifier for a rule. @@ -52435,7 +54444,7 @@ type: keyword -- -*`fortinet.rsa.misc.trigger_desc`*:: +*`rsa.misc.trigger_desc`*:: + -- This key captures the Description of the trigger or threshold condition. @@ -52444,35 +54453,35 @@ type: keyword -- -*`fortinet.rsa.misc.inout`*:: +*`rsa.misc.inout`*:: + -- type: keyword -- -*`fortinet.rsa.misc.p_msgid`*:: +*`rsa.misc.p_msgid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.data_type`*:: +*`rsa.misc.data_type`*:: + -- type: keyword -- -*`fortinet.rsa.misc.msgIdPart4`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- -*`fortinet.rsa.misc.error`*:: +*`rsa.misc.error`*:: + -- This key captures All non successful Error codes or responses @@ -52481,14 +54490,14 @@ type: keyword -- -*`fortinet.rsa.misc.index`*:: +*`rsa.misc.index`*:: + -- type: keyword -- -*`fortinet.rsa.misc.listnum`*:: +*`rsa.misc.listnum`*:: + -- This key is used to capture listname or listnumber, primarily for collecting access-list @@ -52497,14 +54506,14 @@ type: keyword -- -*`fortinet.rsa.misc.ntype`*:: +*`rsa.misc.ntype`*:: + -- type: keyword -- -*`fortinet.rsa.misc.observed_val`*:: +*`rsa.misc.observed_val`*:: + -- This key captures the Value observed (from the perspective of the device generating the log). @@ -52513,7 +54522,7 @@ type: keyword -- -*`fortinet.rsa.misc.policy_value`*:: +*`rsa.misc.policy_value`*:: + -- This key captures the contents of the policy. This contains details about the policy @@ -52522,7 +54531,7 @@ type: keyword -- -*`fortinet.rsa.misc.pool_name`*:: +*`rsa.misc.pool_name`*:: + -- This key captures the name of a resource pool @@ -52531,7 +54540,7 @@ type: keyword -- -*`fortinet.rsa.misc.rule_template`*:: +*`rsa.misc.rule_template`*:: + -- A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template @@ -52540,35 +54549,35 @@ type: keyword -- -*`fortinet.rsa.misc.count`*:: +*`rsa.misc.count`*:: + -- type: keyword -- -*`fortinet.rsa.misc.number`*:: +*`rsa.misc.number`*:: + -- type: keyword -- -*`fortinet.rsa.misc.sigcat`*:: +*`rsa.misc.sigcat`*:: + -- type: keyword -- -*`fortinet.rsa.misc.type`*:: +*`rsa.misc.type`*:: + -- type: keyword -- -*`fortinet.rsa.misc.comments`*:: +*`rsa.misc.comments`*:: + -- Comment information provided in the log message @@ -52577,7 +54586,7 @@ type: keyword -- -*`fortinet.rsa.misc.doc_number`*:: +*`rsa.misc.doc_number`*:: + -- This key captures File Identification number @@ -52586,7 +54595,7 @@ type: long -- -*`fortinet.rsa.misc.expected_val`*:: +*`rsa.misc.expected_val`*:: + -- This key captures the Value expected (from the perspective of the device generating the log). @@ -52595,7 +54604,7 @@ type: keyword -- -*`fortinet.rsa.misc.job_num`*:: +*`rsa.misc.job_num`*:: + -- This key captures the Job Number @@ -52604,7 +54613,7 @@ type: keyword -- -*`fortinet.rsa.misc.spi_dst`*:: +*`rsa.misc.spi_dst`*:: + -- Destination SPI Index @@ -52613,7 +54622,7 @@ type: keyword -- -*`fortinet.rsa.misc.spi_src`*:: +*`rsa.misc.spi_src`*:: + -- Source SPI Index @@ -52622,14 +54631,14 @@ type: keyword -- -*`fortinet.rsa.misc.code`*:: +*`rsa.misc.code`*:: + -- type: keyword -- -*`fortinet.rsa.misc.agent_id`*:: +*`rsa.misc.agent_id`*:: + -- This key is used to capture agent id @@ -52638,7 +54647,7 @@ type: keyword -- -*`fortinet.rsa.misc.message_body`*:: +*`rsa.misc.message_body`*:: + -- This key captures the The contents of the message body. @@ -52647,14 +54656,14 @@ type: keyword -- -*`fortinet.rsa.misc.phone`*:: +*`rsa.misc.phone`*:: + -- type: keyword -- -*`fortinet.rsa.misc.sig_id_str`*:: +*`rsa.misc.sig_id_str`*:: + -- This key captures a string object of the sigid variable. @@ -52663,28 +54672,28 @@ type: keyword -- -*`fortinet.rsa.misc.cmd`*:: +*`rsa.misc.cmd`*:: + -- type: keyword -- -*`fortinet.rsa.misc.misc`*:: +*`rsa.misc.misc`*:: + -- type: keyword -- -*`fortinet.rsa.misc.name`*:: +*`rsa.misc.name`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cpu`*:: +*`rsa.misc.cpu`*:: + -- This key is the CPU time used in the execution of the event being recorded. @@ -52693,7 +54702,7 @@ type: long -- -*`fortinet.rsa.misc.event_desc`*:: +*`rsa.misc.event_desc`*:: + -- This key is used to capture a description of an event available directly or inferred @@ -52702,7 +54711,7 @@ type: keyword -- -*`fortinet.rsa.misc.sig_id1`*:: +*`rsa.misc.sig_id1`*:: + -- This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id @@ -52711,42 +54720,42 @@ type: long -- -*`fortinet.rsa.misc.im_buddyid`*:: +*`rsa.misc.im_buddyid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.im_client`*:: +*`rsa.misc.im_client`*:: + -- type: keyword -- -*`fortinet.rsa.misc.im_userid`*:: +*`rsa.misc.im_userid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.pid`*:: +*`rsa.misc.pid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.priority`*:: +*`rsa.misc.priority`*:: + -- type: keyword -- -*`fortinet.rsa.misc.context_subject`*:: +*`rsa.misc.context_subject`*:: + -- This key is to be used in an audit context where the subject is the object being identified @@ -52755,14 +54764,14 @@ type: keyword -- -*`fortinet.rsa.misc.context_target`*:: +*`rsa.misc.context_target`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cve`*:: +*`rsa.misc.cve`*:: + -- This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. @@ -52771,7 +54780,7 @@ type: keyword -- -*`fortinet.rsa.misc.fcatnum`*:: +*`rsa.misc.fcatnum`*:: + -- This key captures Filter Category Number. Legacy Usage @@ -52780,7 +54789,7 @@ type: keyword -- -*`fortinet.rsa.misc.library`*:: +*`rsa.misc.library`*:: + -- This key is used to capture library information in mainframe devices @@ -52789,7 +54798,7 @@ type: keyword -- -*`fortinet.rsa.misc.parent_node`*:: +*`rsa.misc.parent_node`*:: + -- This key captures the Parent Node Name. Must be related to node variable. @@ -52798,7 +54807,7 @@ type: keyword -- -*`fortinet.rsa.misc.risk_info`*:: +*`rsa.misc.risk_info`*:: + -- Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -52807,7 +54816,7 @@ type: keyword -- -*`fortinet.rsa.misc.tcp_flags`*:: +*`rsa.misc.tcp_flags`*:: + -- This key is captures the TCP flags set in any packet of session @@ -52816,7 +54825,7 @@ type: long -- -*`fortinet.rsa.misc.tos`*:: +*`rsa.misc.tos`*:: + -- This key describes the type of service @@ -52825,7 +54834,7 @@ type: long -- -*`fortinet.rsa.misc.vm_target`*:: +*`rsa.misc.vm_target`*:: + -- VMWare Target **VMWARE** only varaible. @@ -52834,7 +54843,7 @@ type: keyword -- -*`fortinet.rsa.misc.workspace`*:: +*`rsa.misc.workspace`*:: + -- This key captures Workspace Description @@ -52843,91 +54852,91 @@ type: keyword -- -*`fortinet.rsa.misc.command`*:: +*`rsa.misc.command`*:: + -- type: keyword -- -*`fortinet.rsa.misc.event_category`*:: +*`rsa.misc.event_category`*:: + -- type: keyword -- -*`fortinet.rsa.misc.facilityname`*:: +*`rsa.misc.facilityname`*:: + -- type: keyword -- -*`fortinet.rsa.misc.forensic_info`*:: +*`rsa.misc.forensic_info`*:: + -- type: keyword -- -*`fortinet.rsa.misc.jobname`*:: +*`rsa.misc.jobname`*:: + -- type: keyword -- -*`fortinet.rsa.misc.mode`*:: +*`rsa.misc.mode`*:: + -- type: keyword -- -*`fortinet.rsa.misc.policy`*:: +*`rsa.misc.policy`*:: + -- type: keyword -- -*`fortinet.rsa.misc.policy_waiver`*:: +*`rsa.misc.policy_waiver`*:: + -- type: keyword -- -*`fortinet.rsa.misc.second`*:: +*`rsa.misc.second`*:: + -- type: keyword -- -*`fortinet.rsa.misc.space1`*:: +*`rsa.misc.space1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.subcategory`*:: +*`rsa.misc.subcategory`*:: + -- type: keyword -- -*`fortinet.rsa.misc.tbdstr2`*:: +*`rsa.misc.tbdstr2`*:: + -- type: keyword -- -*`fortinet.rsa.misc.alert_id`*:: +*`rsa.misc.alert_id`*:: + -- Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -52936,7 +54945,7 @@ type: keyword -- -*`fortinet.rsa.misc.checksum_dst`*:: +*`rsa.misc.checksum_dst`*:: + -- This key is used to capture the checksum or hash of the the target entity such as a process or file. @@ -52945,7 +54954,7 @@ type: keyword -- -*`fortinet.rsa.misc.checksum_src`*:: +*`rsa.misc.checksum_src`*:: + -- This key is used to capture the checksum or hash of the source entity such as a file or process. @@ -52954,7 +54963,7 @@ type: keyword -- -*`fortinet.rsa.misc.fresult`*:: +*`rsa.misc.fresult`*:: + -- This key captures the Filter Result @@ -52963,7 +54972,7 @@ type: long -- -*`fortinet.rsa.misc.payload_dst`*:: +*`rsa.misc.payload_dst`*:: + -- This key is used to capture destination payload @@ -52972,7 +54981,7 @@ type: keyword -- -*`fortinet.rsa.misc.payload_src`*:: +*`rsa.misc.payload_src`*:: + -- This key is used to capture source payload @@ -52981,7 +54990,7 @@ type: keyword -- -*`fortinet.rsa.misc.pool_id`*:: +*`rsa.misc.pool_id`*:: + -- This key captures the identifier (typically numeric field) of a resource pool @@ -52990,7 +54999,7 @@ type: keyword -- -*`fortinet.rsa.misc.process_id_val`*:: +*`rsa.misc.process_id_val`*:: + -- This key is a failure key for Process ID when it is not an integer value @@ -52999,7 +55008,7 @@ type: keyword -- -*`fortinet.rsa.misc.risk_num_comm`*:: +*`rsa.misc.risk_num_comm`*:: + -- This key captures Risk Number Community @@ -53008,7 +55017,7 @@ type: double -- -*`fortinet.rsa.misc.risk_num_next`*:: +*`rsa.misc.risk_num_next`*:: + -- This key captures Risk Number NextGen @@ -53017,7 +55026,7 @@ type: double -- -*`fortinet.rsa.misc.risk_num_sand`*:: +*`rsa.misc.risk_num_sand`*:: + -- This key captures Risk Number SandBox @@ -53026,7 +55035,7 @@ type: double -- -*`fortinet.rsa.misc.risk_num_static`*:: +*`rsa.misc.risk_num_static`*:: + -- This key captures Risk Number Static @@ -53035,7 +55044,7 @@ type: double -- -*`fortinet.rsa.misc.risk_suspicious`*:: +*`rsa.misc.risk_suspicious`*:: + -- Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -53044,7 +55053,7 @@ type: keyword -- -*`fortinet.rsa.misc.risk_warning`*:: +*`rsa.misc.risk_warning`*:: + -- Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -53053,7 +55062,7 @@ type: keyword -- -*`fortinet.rsa.misc.snmp_oid`*:: +*`rsa.misc.snmp_oid`*:: + -- SNMP Object Identifier @@ -53062,7 +55071,7 @@ type: keyword -- -*`fortinet.rsa.misc.sql`*:: +*`rsa.misc.sql`*:: + -- This key captures the SQL query @@ -53071,7 +55080,7 @@ type: keyword -- -*`fortinet.rsa.misc.vuln_ref`*:: +*`rsa.misc.vuln_ref`*:: + -- This key captures the Vulnerability Reference details @@ -53080,1547 +55089,1547 @@ type: keyword -- -*`fortinet.rsa.misc.acl_id`*:: +*`rsa.misc.acl_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.acl_op`*:: +*`rsa.misc.acl_op`*:: + -- type: keyword -- -*`fortinet.rsa.misc.acl_pos`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`fortinet.rsa.misc.acl_table`*:: +*`rsa.misc.acl_table`*:: + -- type: keyword -- -*`fortinet.rsa.misc.admin`*:: +*`rsa.misc.admin`*:: + -- type: keyword -- -*`fortinet.rsa.misc.alarm_id`*:: +*`rsa.misc.alarm_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.alarmname`*:: +*`rsa.misc.alarmname`*:: + -- type: keyword -- -*`fortinet.rsa.misc.app_id`*:: +*`rsa.misc.app_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.audit`*:: +*`rsa.misc.audit`*:: + -- type: keyword -- -*`fortinet.rsa.misc.audit_object`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`fortinet.rsa.misc.auditdata`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`fortinet.rsa.misc.benchmark`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`fortinet.rsa.misc.bypass`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cache`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cache_hit`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cefversion`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cfg_attr`*:: +*`rsa.misc.cfg_attr`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cfg_obj`*:: +*`rsa.misc.cfg_obj`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cfg_path`*:: +*`rsa.misc.cfg_path`*:: + -- type: keyword -- -*`fortinet.rsa.misc.changes`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- -*`fortinet.rsa.misc.client_ip`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -*`fortinet.rsa.misc.clustermembers`*:: +*`rsa.misc.clustermembers`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_acttimeout`*:: +*`rsa.misc.cn_acttimeout`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_asn_src`*:: +*`rsa.misc.cn_asn_src`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_dst_tos`*:: +*`rsa.misc.cn_dst_tos`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_engine_id`*:: +*`rsa.misc.cn_engine_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_engine_type`*:: +*`rsa.misc.cn_engine_type`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_f_switch`*:: +*`rsa.misc.cn_f_switch`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_flowsampid`*:: +*`rsa.misc.cn_flowsampid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_invalid`*:: +*`rsa.misc.cn_invalid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_l_switch`*:: +*`rsa.misc.cn_l_switch`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_log_did`*:: +*`rsa.misc.cn_log_did`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_log_rid`*:: +*`rsa.misc.cn_log_rid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_max_ttl`*:: +*`rsa.misc.cn_max_ttl`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_maxpcktlen`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_min_ttl`*:: +*`rsa.misc.cn_min_ttl`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_minpcktlen`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mplstoplabel`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mplstoplabip`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mul_dst_byt`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mul_dst_pks`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_muligmptype`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_sampalgo`*:: +*`rsa.misc.cn_sampalgo`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_sampint`*:: +*`rsa.misc.cn_sampint`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_seqctr`*:: +*`rsa.misc.cn_seqctr`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_spackets`*:: +*`rsa.misc.cn_spackets`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_src_tos`*:: +*`rsa.misc.cn_src_tos`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_src_vlan`*:: +*`rsa.misc.cn_src_vlan`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_sysuptime`*:: +*`rsa.misc.cn_sysuptime`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_template_id`*:: +*`rsa.misc.cn_template_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_totbytsexp`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_totflowexp`*:: +*`rsa.misc.cn_totflowexp`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_totpcktsexp`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_unixnanosecs`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_v6flowlabel`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_v6optheaders`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- type: keyword -- -*`fortinet.rsa.misc.comp_class`*:: +*`rsa.misc.comp_class`*:: + -- type: keyword -- -*`fortinet.rsa.misc.comp_name`*:: +*`rsa.misc.comp_name`*:: + -- type: keyword -- -*`fortinet.rsa.misc.comp_rbytes`*:: +*`rsa.misc.comp_rbytes`*:: + -- type: keyword -- -*`fortinet.rsa.misc.comp_sbytes`*:: +*`rsa.misc.comp_sbytes`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cpu_data`*:: +*`rsa.misc.cpu_data`*:: + -- type: keyword -- -*`fortinet.rsa.misc.criticality`*:: +*`rsa.misc.criticality`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_agency_dst`*:: +*`rsa.misc.cs_agency_dst`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_analyzedby`*:: +*`rsa.misc.cs_analyzedby`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_av_other`*:: +*`rsa.misc.cs_av_other`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_av_primary`*:: +*`rsa.misc.cs_av_primary`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_av_secondary`*:: +*`rsa.misc.cs_av_secondary`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_bit9status`*:: +*`rsa.misc.cs_bit9status`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_context`*:: +*`rsa.misc.cs_context`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_control`*:: +*`rsa.misc.cs_control`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_data`*:: +*`rsa.misc.cs_data`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_datecret`*:: +*`rsa.misc.cs_datecret`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_dst_tld`*:: +*`rsa.misc.cs_dst_tld`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_eth_dst_ven`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_eth_src_ven`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_event_uuid`*:: +*`rsa.misc.cs_event_uuid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_filetype`*:: +*`rsa.misc.cs_filetype`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_fld`*:: +*`rsa.misc.cs_fld`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_if_desc`*:: +*`rsa.misc.cs_if_desc`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_if_name`*:: +*`rsa.misc.cs_if_name`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_ip_next_hop`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_ipv4dstpre`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_ipv4srcpre`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_lifetime`*:: +*`rsa.misc.cs_lifetime`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_log_medium`*:: +*`rsa.misc.cs_log_medium`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_loginname`*:: +*`rsa.misc.cs_loginname`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_modulescore`*:: +*`rsa.misc.cs_modulescore`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_modulesign`*:: +*`rsa.misc.cs_modulesign`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_opswatresult`*:: +*`rsa.misc.cs_opswatresult`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_payload`*:: +*`rsa.misc.cs_payload`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_registrant`*:: +*`rsa.misc.cs_registrant`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_registrar`*:: +*`rsa.misc.cs_registrar`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_represult`*:: +*`rsa.misc.cs_represult`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_rpayload`*:: +*`rsa.misc.cs_rpayload`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_sampler_name`*:: +*`rsa.misc.cs_sampler_name`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_sourcemodule`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_streams`*:: +*`rsa.misc.cs_streams`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_targetmodule`*:: +*`rsa.misc.cs_targetmodule`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_v6nxthop`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_whois_server`*:: +*`rsa.misc.cs_whois_server`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_yararesult`*:: +*`rsa.misc.cs_yararesult`*:: + -- type: keyword -- -*`fortinet.rsa.misc.description`*:: +*`rsa.misc.description`*:: + -- type: keyword -- -*`fortinet.rsa.misc.devvendor`*:: +*`rsa.misc.devvendor`*:: + -- type: keyword -- -*`fortinet.rsa.misc.distance`*:: +*`rsa.misc.distance`*:: + -- type: keyword -- -*`fortinet.rsa.misc.dstburb`*:: +*`rsa.misc.dstburb`*:: + -- type: keyword -- -*`fortinet.rsa.misc.edomain`*:: +*`rsa.misc.edomain`*:: + -- type: keyword -- -*`fortinet.rsa.misc.edomaub`*:: +*`rsa.misc.edomaub`*:: + -- type: keyword -- -*`fortinet.rsa.misc.euid`*:: +*`rsa.misc.euid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.facility`*:: +*`rsa.misc.facility`*:: + -- type: keyword -- -*`fortinet.rsa.misc.finterface`*:: +*`rsa.misc.finterface`*:: + -- type: keyword -- -*`fortinet.rsa.misc.flags`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`fortinet.rsa.misc.gaddr`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`fortinet.rsa.misc.id3`*:: +*`rsa.misc.id3`*:: + -- type: keyword -- -*`fortinet.rsa.misc.im_buddyname`*:: +*`rsa.misc.im_buddyname`*:: + -- type: keyword -- -*`fortinet.rsa.misc.im_croomid`*:: +*`rsa.misc.im_croomid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.im_croomtype`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`fortinet.rsa.misc.im_members`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`fortinet.rsa.misc.im_username`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`fortinet.rsa.misc.ipkt`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`fortinet.rsa.misc.ipscat`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`fortinet.rsa.misc.ipspri`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`fortinet.rsa.misc.latitude`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`fortinet.rsa.misc.linenum`*:: +*`rsa.misc.linenum`*:: + -- type: keyword -- -*`fortinet.rsa.misc.list_name`*:: +*`rsa.misc.list_name`*:: + -- type: keyword -- -*`fortinet.rsa.misc.load_data`*:: +*`rsa.misc.load_data`*:: + -- type: keyword -- -*`fortinet.rsa.misc.location_floor`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`fortinet.rsa.misc.location_mark`*:: +*`rsa.misc.location_mark`*:: + -- type: keyword -- -*`fortinet.rsa.misc.log_id`*:: +*`rsa.misc.log_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.log_type`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`fortinet.rsa.misc.logid`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.logip`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`fortinet.rsa.misc.logname`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`fortinet.rsa.misc.longitude`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`fortinet.rsa.misc.lport`*:: +*`rsa.misc.lport`*:: + -- type: keyword -- -*`fortinet.rsa.misc.mbug_data`*:: +*`rsa.misc.mbug_data`*:: + -- type: keyword -- -*`fortinet.rsa.misc.misc_name`*:: +*`rsa.misc.misc_name`*:: + -- type: keyword -- -*`fortinet.rsa.misc.msg_type`*:: +*`rsa.misc.msg_type`*:: + -- type: keyword -- -*`fortinet.rsa.misc.msgid`*:: +*`rsa.misc.msgid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.netsessid`*:: +*`rsa.misc.netsessid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.num`*:: +*`rsa.misc.num`*:: + -- type: keyword -- -*`fortinet.rsa.misc.number1`*:: +*`rsa.misc.number1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.number2`*:: +*`rsa.misc.number2`*:: + -- type: keyword -- -*`fortinet.rsa.misc.nwwn`*:: +*`rsa.misc.nwwn`*:: + -- type: keyword -- -*`fortinet.rsa.misc.object`*:: +*`rsa.misc.object`*:: + -- type: keyword -- -*`fortinet.rsa.misc.operation`*:: +*`rsa.misc.operation`*:: + -- type: keyword -- -*`fortinet.rsa.misc.opkt`*:: +*`rsa.misc.opkt`*:: + -- type: keyword -- -*`fortinet.rsa.misc.orig_from`*:: +*`rsa.misc.orig_from`*:: + -- type: keyword -- -*`fortinet.rsa.misc.owner_id`*:: +*`rsa.misc.owner_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.p_action`*:: +*`rsa.misc.p_action`*:: + -- type: keyword -- -*`fortinet.rsa.misc.p_filter`*:: +*`rsa.misc.p_filter`*:: + -- type: keyword -- -*`fortinet.rsa.misc.p_group_object`*:: +*`rsa.misc.p_group_object`*:: + -- type: keyword -- -*`fortinet.rsa.misc.p_id`*:: +*`rsa.misc.p_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.p_msgid1`*:: +*`rsa.misc.p_msgid1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.p_msgid2`*:: +*`rsa.misc.p_msgid2`*:: + -- type: keyword -- -*`fortinet.rsa.misc.p_result1`*:: +*`rsa.misc.p_result1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.password_chg`*:: +*`rsa.misc.password_chg`*:: + -- type: keyword -- -*`fortinet.rsa.misc.password_expire`*:: +*`rsa.misc.password_expire`*:: + -- type: keyword -- -*`fortinet.rsa.misc.permgranted`*:: +*`rsa.misc.permgranted`*:: + -- type: keyword -- -*`fortinet.rsa.misc.permwanted`*:: +*`rsa.misc.permwanted`*:: + -- type: keyword -- -*`fortinet.rsa.misc.pgid`*:: +*`rsa.misc.pgid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.policyUUID`*:: +*`rsa.misc.policyUUID`*:: + -- type: keyword -- -*`fortinet.rsa.misc.prog_asp_num`*:: +*`rsa.misc.prog_asp_num`*:: + -- type: keyword -- -*`fortinet.rsa.misc.program`*:: +*`rsa.misc.program`*:: + -- type: keyword -- -*`fortinet.rsa.misc.real_data`*:: +*`rsa.misc.real_data`*:: + -- type: keyword -- -*`fortinet.rsa.misc.rec_asp_device`*:: +*`rsa.misc.rec_asp_device`*:: + -- type: keyword -- -*`fortinet.rsa.misc.rec_asp_num`*:: +*`rsa.misc.rec_asp_num`*:: + -- type: keyword -- -*`fortinet.rsa.misc.rec_library`*:: +*`rsa.misc.rec_library`*:: + -- type: keyword -- -*`fortinet.rsa.misc.recordnum`*:: +*`rsa.misc.recordnum`*:: + -- type: keyword -- -*`fortinet.rsa.misc.ruid`*:: +*`rsa.misc.ruid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.sburb`*:: +*`rsa.misc.sburb`*:: + -- type: keyword -- -*`fortinet.rsa.misc.sdomain_fld`*:: +*`rsa.misc.sdomain_fld`*:: + -- type: keyword -- -*`fortinet.rsa.misc.sec`*:: +*`rsa.misc.sec`*:: + -- type: keyword -- -*`fortinet.rsa.misc.sensorname`*:: +*`rsa.misc.sensorname`*:: + -- type: keyword -- -*`fortinet.rsa.misc.seqnum`*:: +*`rsa.misc.seqnum`*:: + -- type: keyword -- -*`fortinet.rsa.misc.session`*:: +*`rsa.misc.session`*:: + -- type: keyword -- -*`fortinet.rsa.misc.sessiontype`*:: +*`rsa.misc.sessiontype`*:: + -- type: keyword -- -*`fortinet.rsa.misc.sigUUID`*:: +*`rsa.misc.sigUUID`*:: + -- type: keyword -- -*`fortinet.rsa.misc.spi`*:: +*`rsa.misc.spi`*:: + -- type: keyword -- -*`fortinet.rsa.misc.srcburb`*:: +*`rsa.misc.srcburb`*:: + -- type: keyword -- -*`fortinet.rsa.misc.srcdom`*:: +*`rsa.misc.srcdom`*:: + -- type: keyword -- -*`fortinet.rsa.misc.srcservice`*:: +*`rsa.misc.srcservice`*:: + -- type: keyword -- -*`fortinet.rsa.misc.state`*:: +*`rsa.misc.state`*:: + -- type: keyword -- -*`fortinet.rsa.misc.status1`*:: +*`rsa.misc.status1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.svcno`*:: +*`rsa.misc.svcno`*:: + -- type: keyword -- -*`fortinet.rsa.misc.system`*:: +*`rsa.misc.system`*:: + -- type: keyword -- -*`fortinet.rsa.misc.tbdstr1`*:: +*`rsa.misc.tbdstr1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.tgtdom`*:: +*`rsa.misc.tgtdom`*:: + -- type: keyword -- -*`fortinet.rsa.misc.tgtdomain`*:: +*`rsa.misc.tgtdomain`*:: + -- type: keyword -- -*`fortinet.rsa.misc.threshold`*:: +*`rsa.misc.threshold`*:: + -- type: keyword -- -*`fortinet.rsa.misc.type1`*:: +*`rsa.misc.type1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.udb_class`*:: +*`rsa.misc.udb_class`*:: + -- type: keyword -- -*`fortinet.rsa.misc.url_fld`*:: +*`rsa.misc.url_fld`*:: + -- type: keyword -- -*`fortinet.rsa.misc.user_div`*:: +*`rsa.misc.user_div`*:: + -- type: keyword -- -*`fortinet.rsa.misc.userid`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.username_fld`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`fortinet.rsa.misc.utcstamp`*:: +*`rsa.misc.utcstamp`*:: + -- type: keyword -- -*`fortinet.rsa.misc.v_instafname`*:: +*`rsa.misc.v_instafname`*:: + -- type: keyword -- -*`fortinet.rsa.misc.virt_data`*:: +*`rsa.misc.virt_data`*:: + -- type: keyword -- -*`fortinet.rsa.misc.vpnid`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.autorun_type`*:: +*`rsa.misc.autorun_type`*:: + -- This is used to capture Auto Run type @@ -54629,7 +56638,7 @@ type: keyword -- -*`fortinet.rsa.misc.cc_number`*:: +*`rsa.misc.cc_number`*:: + -- Valid Credit Card Numbers only @@ -54638,7 +56647,7 @@ type: long -- -*`fortinet.rsa.misc.content`*:: +*`rsa.misc.content`*:: + -- This key captures the content type from protocol headers @@ -54647,7 +56656,7 @@ type: keyword -- -*`fortinet.rsa.misc.ein_number`*:: +*`rsa.misc.ein_number`*:: + -- Employee Identification Numbers only @@ -54656,7 +56665,7 @@ type: long -- -*`fortinet.rsa.misc.found`*:: +*`rsa.misc.found`*:: + -- This is used to capture the results of regex match @@ -54665,7 +56674,7 @@ type: keyword -- -*`fortinet.rsa.misc.language`*:: +*`rsa.misc.language`*:: + -- This is used to capture list of languages the client support and what it prefers @@ -54674,7 +56683,7 @@ type: keyword -- -*`fortinet.rsa.misc.lifetime`*:: +*`rsa.misc.lifetime`*:: + -- This key is used to capture the session lifetime in seconds. @@ -54683,7 +56692,7 @@ type: long -- -*`fortinet.rsa.misc.link`*:: +*`rsa.misc.link`*:: + -- This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -54692,7 +56701,7 @@ type: keyword -- -*`fortinet.rsa.misc.match`*:: +*`rsa.misc.match`*:: + -- This key is for regex match name from search.ini @@ -54701,7 +56710,7 @@ type: keyword -- -*`fortinet.rsa.misc.param_dst`*:: +*`rsa.misc.param_dst`*:: + -- This key captures the command line/launch argument of the target process or file @@ -54710,7 +56719,7 @@ type: keyword -- -*`fortinet.rsa.misc.param_src`*:: +*`rsa.misc.param_src`*:: + -- This key captures source parameter @@ -54719,7 +56728,7 @@ type: keyword -- -*`fortinet.rsa.misc.search_text`*:: +*`rsa.misc.search_text`*:: + -- This key captures the Search Text used @@ -54728,7 +56737,7 @@ type: keyword -- -*`fortinet.rsa.misc.sig_name`*:: +*`rsa.misc.sig_name`*:: + -- This key is used to capture the Signature Name only. @@ -54737,7 +56746,7 @@ type: keyword -- -*`fortinet.rsa.misc.snmp_value`*:: +*`rsa.misc.snmp_value`*:: + -- SNMP set request value @@ -54746,7 +56755,7 @@ type: keyword -- -*`fortinet.rsa.misc.streams`*:: +*`rsa.misc.streams`*:: + -- This key captures number of streams in session @@ -54756,7 +56765,7 @@ type: long -- -*`fortinet.rsa.db.index`*:: +*`rsa.db.index`*:: + -- This key captures IndexID of the index. @@ -54765,7 +56774,7 @@ type: keyword -- -*`fortinet.rsa.db.instance`*:: +*`rsa.db.instance`*:: + -- This key is used to capture the database server instance name @@ -54774,7 +56783,7 @@ type: keyword -- -*`fortinet.rsa.db.database`*:: +*`rsa.db.database`*:: + -- This key is used to capture the name of a database or an instance as seen in a session @@ -54783,7 +56792,7 @@ type: keyword -- -*`fortinet.rsa.db.transact_id`*:: +*`rsa.db.transact_id`*:: + -- This key captures the SQL transantion ID of the current session @@ -54792,7 +56801,7 @@ type: keyword -- -*`fortinet.rsa.db.permissions`*:: +*`rsa.db.permissions`*:: + -- This key captures permission or privilege level assigned to a resource. @@ -54801,7 +56810,7 @@ type: keyword -- -*`fortinet.rsa.db.table_name`*:: +*`rsa.db.table_name`*:: + -- This key is used to capture the table name @@ -54810,7 +56819,7 @@ type: keyword -- -*`fortinet.rsa.db.db_id`*:: +*`rsa.db.db_id`*:: + -- This key is used to capture the unique identifier for a database @@ -54819,7 +56828,7 @@ type: keyword -- -*`fortinet.rsa.db.db_pid`*:: +*`rsa.db.db_pid`*:: + -- This key captures the process id of a connection with database server @@ -54828,7 +56837,7 @@ type: long -- -*`fortinet.rsa.db.lread`*:: +*`rsa.db.lread`*:: + -- This key is used for the number of logical reads @@ -54837,7 +56846,7 @@ type: long -- -*`fortinet.rsa.db.lwrite`*:: +*`rsa.db.lwrite`*:: + -- This key is used for the number of logical writes @@ -54846,7 +56855,7 @@ type: long -- -*`fortinet.rsa.db.pread`*:: +*`rsa.db.pread`*:: + -- This key is used for the number of physical writes @@ -54856,7 +56865,7 @@ type: long -- -*`fortinet.rsa.network.alias_host`*:: +*`rsa.network.alias_host`*:: + -- This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. @@ -54865,14 +56874,14 @@ type: keyword -- -*`fortinet.rsa.network.domain`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`fortinet.rsa.network.host_dst`*:: +*`rsa.network.host_dst`*:: + -- This key should only be used when it’s a Destination Hostname @@ -54881,7 +56890,7 @@ type: keyword -- -*`fortinet.rsa.network.network_service`*:: +*`rsa.network.network_service`*:: + -- This is used to capture layer 7 protocols/service names @@ -54890,7 +56899,7 @@ type: keyword -- -*`fortinet.rsa.network.interface`*:: +*`rsa.network.interface`*:: + -- This key should be used when the source or destination context of an interface is not clear @@ -54899,7 +56908,7 @@ type: keyword -- -*`fortinet.rsa.network.network_port`*:: +*`rsa.network.network_port`*:: + -- Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) @@ -54908,7 +56917,7 @@ type: long -- -*`fortinet.rsa.network.eth_host`*:: +*`rsa.network.eth_host`*:: + -- Deprecated, use alias.mac @@ -54917,7 +56926,7 @@ type: keyword -- -*`fortinet.rsa.network.sinterface`*:: +*`rsa.network.sinterface`*:: + -- This key should only be used when it’s a Source Interface @@ -54926,7 +56935,7 @@ type: keyword -- -*`fortinet.rsa.network.dinterface`*:: +*`rsa.network.dinterface`*:: + -- This key should only be used when it’s a Destination Interface @@ -54935,7 +56944,7 @@ type: keyword -- -*`fortinet.rsa.network.vlan`*:: +*`rsa.network.vlan`*:: + -- This key should only be used to capture the ID of the Virtual LAN @@ -54944,7 +56953,7 @@ type: long -- -*`fortinet.rsa.network.zone_src`*:: +*`rsa.network.zone_src`*:: + -- This key should only be used when it’s a Source Zone. @@ -54953,7 +56962,7 @@ type: keyword -- -*`fortinet.rsa.network.zone`*:: +*`rsa.network.zone`*:: + -- This key should be used when the source or destination context of a Zone is not clear @@ -54962,7 +56971,7 @@ type: keyword -- -*`fortinet.rsa.network.zone_dst`*:: +*`rsa.network.zone_dst`*:: + -- This key should only be used when it’s a Destination Zone. @@ -54971,7 +56980,7 @@ type: keyword -- -*`fortinet.rsa.network.gateway`*:: +*`rsa.network.gateway`*:: + -- This key is used to capture the IP Address of the gateway @@ -54980,7 +56989,7 @@ type: keyword -- -*`fortinet.rsa.network.icmp_type`*:: +*`rsa.network.icmp_type`*:: + -- This key is used to capture the ICMP type only @@ -54989,7 +56998,7 @@ type: long -- -*`fortinet.rsa.network.mask`*:: +*`rsa.network.mask`*:: + -- This key is used to capture the device network IPmask. @@ -54998,7 +57007,7 @@ type: keyword -- -*`fortinet.rsa.network.icmp_code`*:: +*`rsa.network.icmp_code`*:: + -- This key is used to capture the ICMP code only @@ -55007,7 +57016,7 @@ type: long -- -*`fortinet.rsa.network.protocol_detail`*:: +*`rsa.network.protocol_detail`*:: + -- This key should be used to capture additional protocol information @@ -55016,7 +57025,7 @@ type: keyword -- -*`fortinet.rsa.network.dmask`*:: +*`rsa.network.dmask`*:: + -- This key is used for Destionation Device network mask @@ -55025,7 +57034,7 @@ type: keyword -- -*`fortinet.rsa.network.port`*:: +*`rsa.network.port`*:: + -- This key should only be used to capture a Network Port when the directionality is not clear @@ -55034,7 +57043,7 @@ type: long -- -*`fortinet.rsa.network.smask`*:: +*`rsa.network.smask`*:: + -- This key is used for capturing source Network Mask @@ -55043,7 +57052,7 @@ type: keyword -- -*`fortinet.rsa.network.netname`*:: +*`rsa.network.netname`*:: + -- This key is used to capture the network name associated with an IP range. This is configured by the end user. @@ -55052,7 +57061,7 @@ type: keyword -- -*`fortinet.rsa.network.paddr`*:: +*`rsa.network.paddr`*:: + -- Deprecated @@ -55061,91 +57070,91 @@ type: ip -- -*`fortinet.rsa.network.faddr`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`fortinet.rsa.network.lhost`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`fortinet.rsa.network.origin`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`fortinet.rsa.network.remote_domain_id`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`fortinet.rsa.network.addr`*:: +*`rsa.network.addr`*:: + -- type: keyword -- -*`fortinet.rsa.network.dns_a_record`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`fortinet.rsa.network.dns_ptr_record`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`fortinet.rsa.network.fhost`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`fortinet.rsa.network.fport`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`fortinet.rsa.network.laddr`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`fortinet.rsa.network.linterface`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`fortinet.rsa.network.phost`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`fortinet.rsa.network.ad_computer_dst`*:: +*`rsa.network.ad_computer_dst`*:: + -- Deprecated, use host.dst @@ -55154,7 +57163,7 @@ type: keyword -- -*`fortinet.rsa.network.eth_type`*:: +*`rsa.network.eth_type`*:: + -- This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only @@ -55163,7 +57172,7 @@ type: long -- -*`fortinet.rsa.network.ip_proto`*:: +*`rsa.network.ip_proto`*:: + -- This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI @@ -55172,63 +57181,63 @@ type: long -- -*`fortinet.rsa.network.dns_cname_record`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`fortinet.rsa.network.dns_id`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`fortinet.rsa.network.dns_opcode`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`fortinet.rsa.network.dns_resp`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`fortinet.rsa.network.dns_type`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`fortinet.rsa.network.domain1`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`fortinet.rsa.network.host_type`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`fortinet.rsa.network.packet_length`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`fortinet.rsa.network.host_orig`*:: +*`rsa.network.host_orig`*:: + -- This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. @@ -55237,7 +57246,7 @@ type: keyword -- -*`fortinet.rsa.network.rpayload`*:: +*`rsa.network.rpayload`*:: + -- This key is used to capture the total number of payload bytes seen in the retransmitted packets. @@ -55246,7 +57255,7 @@ type: keyword -- -*`fortinet.rsa.network.vlan_name`*:: +*`rsa.network.vlan_name`*:: + -- This key should only be used to capture the name of the Virtual LAN @@ -55256,7 +57265,7 @@ type: keyword -- -*`fortinet.rsa.investigations.ec_activity`*:: +*`rsa.investigations.ec_activity`*:: + -- This key captures the particular event activity(Ex:Logoff) @@ -55265,7 +57274,7 @@ type: keyword -- -*`fortinet.rsa.investigations.ec_theme`*:: +*`rsa.investigations.ec_theme`*:: + -- This key captures the Theme of a particular Event(Ex:Authentication) @@ -55274,7 +57283,7 @@ type: keyword -- -*`fortinet.rsa.investigations.ec_subject`*:: +*`rsa.investigations.ec_subject`*:: + -- This key captures the Subject of a particular Event(Ex:User) @@ -55283,7 +57292,7 @@ type: keyword -- -*`fortinet.rsa.investigations.ec_outcome`*:: +*`rsa.investigations.ec_outcome`*:: + -- This key captures the outcome of a particular Event(Ex:Success) @@ -55292,7 +57301,7 @@ type: keyword -- -*`fortinet.rsa.investigations.event_cat`*:: +*`rsa.investigations.event_cat`*:: + -- This key captures the Event category number @@ -55301,7 +57310,7 @@ type: long -- -*`fortinet.rsa.investigations.event_cat_name`*:: +*`rsa.investigations.event_cat_name`*:: + -- This key captures the event category name corresponding to the event cat code @@ -55310,7 +57319,7 @@ type: keyword -- -*`fortinet.rsa.investigations.event_vcat`*:: +*`rsa.investigations.event_vcat`*:: + -- This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. @@ -55319,7 +57328,7 @@ type: keyword -- -*`fortinet.rsa.investigations.analysis_file`*:: +*`rsa.investigations.analysis_file`*:: + -- This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file @@ -55328,7 +57337,7 @@ type: keyword -- -*`fortinet.rsa.investigations.analysis_service`*:: +*`rsa.investigations.analysis_service`*:: + -- This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service @@ -55337,7 +57346,7 @@ type: keyword -- -*`fortinet.rsa.investigations.analysis_session`*:: +*`rsa.investigations.analysis_session`*:: + -- This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session @@ -55346,7 +57355,7 @@ type: keyword -- -*`fortinet.rsa.investigations.boc`*:: +*`rsa.investigations.boc`*:: + -- This is used to capture behaviour of compromise @@ -55355,7 +57364,7 @@ type: keyword -- -*`fortinet.rsa.investigations.eoc`*:: +*`rsa.investigations.eoc`*:: + -- This is used to capture Enablers of Compromise @@ -55364,7 +57373,7 @@ type: keyword -- -*`fortinet.rsa.investigations.inv_category`*:: +*`rsa.investigations.inv_category`*:: + -- This used to capture investigation category @@ -55373,7 +57382,7 @@ type: keyword -- -*`fortinet.rsa.investigations.inv_context`*:: +*`rsa.investigations.inv_context`*:: + -- This used to capture investigation context @@ -55382,7 +57391,7 @@ type: keyword -- -*`fortinet.rsa.investigations.ioc`*:: +*`rsa.investigations.ioc`*:: + -- This is key capture indicator of compromise @@ -55392,7 +57401,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_c1`*:: +*`rsa.counters.dclass_c1`*:: + -- This is a generic counter key that should be used with the label dclass.c1.str only @@ -55401,7 +57410,7 @@ type: long -- -*`fortinet.rsa.counters.dclass_c2`*:: +*`rsa.counters.dclass_c2`*:: + -- This is a generic counter key that should be used with the label dclass.c2.str only @@ -55410,7 +57419,7 @@ type: long -- -*`fortinet.rsa.counters.event_counter`*:: +*`rsa.counters.event_counter`*:: + -- This is used to capture the number of times an event repeated @@ -55419,7 +57428,7 @@ type: long -- -*`fortinet.rsa.counters.dclass_r1`*:: +*`rsa.counters.dclass_r1`*:: + -- This is a generic ratio key that should be used with the label dclass.r1.str only @@ -55428,7 +57437,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_c3`*:: +*`rsa.counters.dclass_c3`*:: + -- This is a generic counter key that should be used with the label dclass.c3.str only @@ -55437,7 +57446,7 @@ type: long -- -*`fortinet.rsa.counters.dclass_c1_str`*:: +*`rsa.counters.dclass_c1_str`*:: + -- This is a generic counter string key that should be used with the label dclass.c1 only @@ -55446,7 +57455,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_c2_str`*:: +*`rsa.counters.dclass_c2_str`*:: + -- This is a generic counter string key that should be used with the label dclass.c2 only @@ -55455,7 +57464,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_r1_str`*:: +*`rsa.counters.dclass_r1_str`*:: + -- This is a generic ratio string key that should be used with the label dclass.r1 only @@ -55464,7 +57473,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_r2`*:: +*`rsa.counters.dclass_r2`*:: + -- This is a generic ratio key that should be used with the label dclass.r2.str only @@ -55473,7 +57482,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_c3_str`*:: +*`rsa.counters.dclass_c3_str`*:: + -- This is a generic counter string key that should be used with the label dclass.c3 only @@ -55482,7 +57491,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_r3`*:: +*`rsa.counters.dclass_r3`*:: + -- This is a generic ratio key that should be used with the label dclass.r3.str only @@ -55491,7 +57500,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_r2_str`*:: +*`rsa.counters.dclass_r2_str`*:: + -- This is a generic ratio string key that should be used with the label dclass.r2 only @@ -55500,7 +57509,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_r3_str`*:: +*`rsa.counters.dclass_r3_str`*:: + -- This is a generic ratio string key that should be used with the label dclass.r3 only @@ -55510,7 +57519,7 @@ type: keyword -- -*`fortinet.rsa.identity.auth_method`*:: +*`rsa.identity.auth_method`*:: + -- This key is used to capture authentication methods used only @@ -55519,7 +57528,7 @@ type: keyword -- -*`fortinet.rsa.identity.user_role`*:: +*`rsa.identity.user_role`*:: + -- This key is used to capture the Role of a user only @@ -55528,7 +57537,7 @@ type: keyword -- -*`fortinet.rsa.identity.dn`*:: +*`rsa.identity.dn`*:: + -- X.500 (LDAP) Distinguished Name @@ -55537,7 +57546,7 @@ type: keyword -- -*`fortinet.rsa.identity.logon_type`*:: +*`rsa.identity.logon_type`*:: + -- This key is used to capture the type of logon method used. @@ -55546,7 +57555,7 @@ type: keyword -- -*`fortinet.rsa.identity.profile`*:: +*`rsa.identity.profile`*:: + -- This key is used to capture the user profile @@ -55555,7 +57564,7 @@ type: keyword -- -*`fortinet.rsa.identity.accesses`*:: +*`rsa.identity.accesses`*:: + -- This key is used to capture actual privileges used in accessing an object @@ -55564,7 +57573,7 @@ type: keyword -- -*`fortinet.rsa.identity.realm`*:: +*`rsa.identity.realm`*:: + -- Radius realm or similar grouping of accounts @@ -55573,7 +57582,7 @@ type: keyword -- -*`fortinet.rsa.identity.user_sid_dst`*:: +*`rsa.identity.user_sid_dst`*:: + -- This key captures Destination User Session ID @@ -55582,7 +57591,7 @@ type: keyword -- -*`fortinet.rsa.identity.dn_src`*:: +*`rsa.identity.dn_src`*:: + -- An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn @@ -55591,7 +57600,7 @@ type: keyword -- -*`fortinet.rsa.identity.org`*:: +*`rsa.identity.org`*:: + -- This key captures the User organization @@ -55600,7 +57609,7 @@ type: keyword -- -*`fortinet.rsa.identity.dn_dst`*:: +*`rsa.identity.dn_dst`*:: + -- An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn @@ -55609,7 +57618,7 @@ type: keyword -- -*`fortinet.rsa.identity.firstname`*:: +*`rsa.identity.firstname`*:: + -- This key is for First Names only, this is used for Healthcare predominantly to capture Patients information @@ -55618,7 +57627,7 @@ type: keyword -- -*`fortinet.rsa.identity.lastname`*:: +*`rsa.identity.lastname`*:: + -- This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information @@ -55627,7 +57636,7 @@ type: keyword -- -*`fortinet.rsa.identity.user_dept`*:: +*`rsa.identity.user_dept`*:: + -- User's Department Names only @@ -55636,7 +57645,7 @@ type: keyword -- -*`fortinet.rsa.identity.user_sid_src`*:: +*`rsa.identity.user_sid_src`*:: + -- This key captures Source User Session ID @@ -55645,7 +57654,7 @@ type: keyword -- -*`fortinet.rsa.identity.federated_sp`*:: +*`rsa.identity.federated_sp`*:: + -- This key is the Federated Service Provider. This is the application requesting authentication. @@ -55654,7 +57663,7 @@ type: keyword -- -*`fortinet.rsa.identity.federated_idp`*:: +*`rsa.identity.federated_idp`*:: + -- This key is the federated Identity Provider. This is the server providing the authentication. @@ -55663,7 +57672,7 @@ type: keyword -- -*`fortinet.rsa.identity.logon_type_desc`*:: +*`rsa.identity.logon_type_desc`*:: + -- This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. @@ -55672,7 +57681,7 @@ type: keyword -- -*`fortinet.rsa.identity.middlename`*:: +*`rsa.identity.middlename`*:: + -- This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information @@ -55681,7 +57690,7 @@ type: keyword -- -*`fortinet.rsa.identity.password`*:: +*`rsa.identity.password`*:: + -- This key is for Passwords seen in any session, plain text or encrypted @@ -55690,7 +57699,7 @@ type: keyword -- -*`fortinet.rsa.identity.host_role`*:: +*`rsa.identity.host_role`*:: + -- This key should only be used to capture the role of a Host Machine @@ -55699,7 +57708,7 @@ type: keyword -- -*`fortinet.rsa.identity.ldap`*:: +*`rsa.identity.ldap`*:: + -- This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context @@ -55708,7 +57717,7 @@ type: keyword -- -*`fortinet.rsa.identity.ldap_query`*:: +*`rsa.identity.ldap_query`*:: + -- This key is the Search criteria from an LDAP search @@ -55717,7 +57726,7 @@ type: keyword -- -*`fortinet.rsa.identity.ldap_response`*:: +*`rsa.identity.ldap_response`*:: + -- This key is to capture Results from an LDAP search @@ -55726,7 +57735,7 @@ type: keyword -- -*`fortinet.rsa.identity.owner`*:: +*`rsa.identity.owner`*:: + -- This is used to capture username the process or service is running as, the author of the task @@ -55735,7 +57744,7 @@ type: keyword -- -*`fortinet.rsa.identity.service_account`*:: +*`rsa.identity.service_account`*:: + -- This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage @@ -55745,7 +57754,7 @@ type: keyword -- -*`fortinet.rsa.email.email_dst`*:: +*`rsa.email.email_dst`*:: + -- This key is used to capture the Destination email address only, when the destination context is not clear use email @@ -55754,7 +57763,7 @@ type: keyword -- -*`fortinet.rsa.email.email_src`*:: +*`rsa.email.email_src`*:: + -- This key is used to capture the source email address only, when the source context is not clear use email @@ -55763,7 +57772,7 @@ type: keyword -- -*`fortinet.rsa.email.subject`*:: +*`rsa.email.subject`*:: + -- This key is used to capture the subject string from an Email only. @@ -55772,7 +57781,7 @@ type: keyword -- -*`fortinet.rsa.email.email`*:: +*`rsa.email.email`*:: + -- This key is used to capture a generic email address where the source or destination context is not clear @@ -55781,7 +57790,7 @@ type: keyword -- -*`fortinet.rsa.email.trans_from`*:: +*`rsa.email.trans_from`*:: + -- Deprecated key defined only in table map. @@ -55790,7 +57799,7 @@ type: keyword -- -*`fortinet.rsa.email.trans_to`*:: +*`rsa.email.trans_to`*:: + -- Deprecated key defined only in table map. @@ -55800,7 +57809,7 @@ type: keyword -- -*`fortinet.rsa.file.privilege`*:: +*`rsa.file.privilege`*:: + -- Deprecated, use permissions @@ -55809,7 +57818,7 @@ type: keyword -- -*`fortinet.rsa.file.attachment`*:: +*`rsa.file.attachment`*:: + -- This key captures the attachment file name @@ -55818,14 +57827,14 @@ type: keyword -- -*`fortinet.rsa.file.filesystem`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`fortinet.rsa.file.binary`*:: +*`rsa.file.binary`*:: + -- Deprecated key defined only in table map. @@ -55834,7 +57843,7 @@ type: keyword -- -*`fortinet.rsa.file.filename_dst`*:: +*`rsa.file.filename_dst`*:: + -- This is used to capture name of the file targeted by the action @@ -55843,7 +57852,7 @@ type: keyword -- -*`fortinet.rsa.file.filename_src`*:: +*`rsa.file.filename_src`*:: + -- This is used to capture name of the parent filename, the file which performed the action @@ -55852,14 +57861,14 @@ type: keyword -- -*`fortinet.rsa.file.filename_tmp`*:: +*`rsa.file.filename_tmp`*:: + -- type: keyword -- -*`fortinet.rsa.file.directory_dst`*:: +*`rsa.file.directory_dst`*:: + -- This key is used to capture the directory of the target process or file @@ -55868,7 +57877,7 @@ type: keyword -- -*`fortinet.rsa.file.directory_src`*:: +*`rsa.file.directory_src`*:: + -- This key is used to capture the directory of the source process or file @@ -55877,7 +57886,7 @@ type: keyword -- -*`fortinet.rsa.file.file_entropy`*:: +*`rsa.file.file_entropy`*:: + -- This is used to capture entropy vale of a file @@ -55886,7 +57895,7 @@ type: double -- -*`fortinet.rsa.file.file_vendor`*:: +*`rsa.file.file_vendor`*:: + -- This is used to capture Company name of file located in version_info @@ -55895,7 +57904,7 @@ type: keyword -- -*`fortinet.rsa.file.task_name`*:: +*`rsa.file.task_name`*:: + -- This is used to capture name of the task @@ -55905,7 +57914,7 @@ type: keyword -- -*`fortinet.rsa.web.fqdn`*:: +*`rsa.web.fqdn`*:: + -- Fully Qualified Domain Names @@ -55914,7 +57923,7 @@ type: keyword -- -*`fortinet.rsa.web.web_cookie`*:: +*`rsa.web.web_cookie`*:: + -- This key is used to capture the Web cookies specifically. @@ -55923,14 +57932,14 @@ type: keyword -- -*`fortinet.rsa.web.alias_host`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`fortinet.rsa.web.reputation_num`*:: +*`rsa.web.reputation_num`*:: + -- Reputation Number of an entity. Typically used for Web Domains @@ -55939,7 +57948,7 @@ type: double -- -*`fortinet.rsa.web.web_ref_domain`*:: +*`rsa.web.web_ref_domain`*:: + -- Web referer's domain @@ -55948,7 +57957,7 @@ type: keyword -- -*`fortinet.rsa.web.web_ref_query`*:: +*`rsa.web.web_ref_query`*:: + -- This key captures Web referer's query portion of the URL @@ -55957,14 +57966,14 @@ type: keyword -- -*`fortinet.rsa.web.remote_domain`*:: +*`rsa.web.remote_domain`*:: + -- type: keyword -- -*`fortinet.rsa.web.web_ref_page`*:: +*`rsa.web.web_ref_page`*:: + -- This key captures Web referer's page information @@ -55973,7 +57982,7 @@ type: keyword -- -*`fortinet.rsa.web.web_ref_root`*:: +*`rsa.web.web_ref_root`*:: + -- Web referer's root URL path @@ -55982,77 +57991,77 @@ type: keyword -- -*`fortinet.rsa.web.cn_asn_dst`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`fortinet.rsa.web.cn_rpackets`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`fortinet.rsa.web.urlpage`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`fortinet.rsa.web.urlroot`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`fortinet.rsa.web.p_url`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`fortinet.rsa.web.p_user_agent`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`fortinet.rsa.web.p_web_cookie`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`fortinet.rsa.web.p_web_method`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`fortinet.rsa.web.p_web_referer`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`fortinet.rsa.web.web_extension_tmp`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`fortinet.rsa.web.web_page`*:: +*`rsa.web.web_page`*:: + -- type: keyword @@ -56060,7 +58069,7 @@ type: keyword -- -*`fortinet.rsa.threat.threat_category`*:: +*`rsa.threat.threat_category`*:: + -- This key captures Threat Name/Threat Category/Categorization of alert @@ -56069,7 +58078,7 @@ type: keyword -- -*`fortinet.rsa.threat.threat_desc`*:: +*`rsa.threat.threat_desc`*:: + -- This key is used to capture the threat description from the session directly or inferred @@ -56078,7 +58087,7 @@ type: keyword -- -*`fortinet.rsa.threat.alert`*:: +*`rsa.threat.alert`*:: + -- This key is used to capture name of the alert @@ -56087,7 +58096,7 @@ type: keyword -- -*`fortinet.rsa.threat.threat_source`*:: +*`rsa.threat.threat_source`*:: + -- This key is used to capture source of the threat @@ -56097,7 +58106,7 @@ type: keyword -- -*`fortinet.rsa.crypto.crypto`*:: +*`rsa.crypto.crypto`*:: + -- This key is used to capture the Encryption Type or Encryption Key only @@ -56106,7 +58115,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cipher_src`*:: +*`rsa.crypto.cipher_src`*:: + -- This key is for Source (Client) Cipher @@ -56115,7 +58124,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cert_subject`*:: +*`rsa.crypto.cert_subject`*:: + -- This key is used to capture the Certificate organization only @@ -56124,7 +58133,7 @@ type: keyword -- -*`fortinet.rsa.crypto.peer`*:: +*`rsa.crypto.peer`*:: + -- This key is for Encryption peer's IP Address @@ -56133,7 +58142,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cipher_size_src`*:: +*`rsa.crypto.cipher_size_src`*:: + -- This key captures Source (Client) Cipher Size @@ -56142,7 +58151,7 @@ type: long -- -*`fortinet.rsa.crypto.ike`*:: +*`rsa.crypto.ike`*:: + -- IKE negotiation phase. @@ -56151,7 +58160,7 @@ type: keyword -- -*`fortinet.rsa.crypto.scheme`*:: +*`rsa.crypto.scheme`*:: + -- This key captures the Encryption scheme used @@ -56160,7 +58169,7 @@ type: keyword -- -*`fortinet.rsa.crypto.peer_id`*:: +*`rsa.crypto.peer_id`*:: + -- This key is for Encryption peer’s identity @@ -56169,7 +58178,7 @@ type: keyword -- -*`fortinet.rsa.crypto.sig_type`*:: +*`rsa.crypto.sig_type`*:: + -- This key captures the Signature Type @@ -56178,14 +58187,14 @@ type: keyword -- -*`fortinet.rsa.crypto.cert_issuer`*:: +*`rsa.crypto.cert_issuer`*:: + -- type: keyword -- -*`fortinet.rsa.crypto.cert_host_name`*:: +*`rsa.crypto.cert_host_name`*:: + -- Deprecated key defined only in table map. @@ -56194,7 +58203,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cert_error`*:: +*`rsa.crypto.cert_error`*:: + -- This key captures the Certificate Error String @@ -56203,7 +58212,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cipher_dst`*:: +*`rsa.crypto.cipher_dst`*:: + -- This key is for Destination (Server) Cipher @@ -56212,7 +58221,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cipher_size_dst`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- This key captures Destination (Server) Cipher Size @@ -56221,7 +58230,7 @@ type: long -- -*`fortinet.rsa.crypto.ssl_ver_src`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- Deprecated, use version @@ -56230,21 +58239,21 @@ type: keyword -- -*`fortinet.rsa.crypto.d_certauth`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- -*`fortinet.rsa.crypto.s_certauth`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`fortinet.rsa.crypto.ike_cookie1`*:: +*`rsa.crypto.ike_cookie1`*:: + -- ID of the negotiation — sent for ISAKMP Phase One @@ -56253,7 +58262,7 @@ type: keyword -- -*`fortinet.rsa.crypto.ike_cookie2`*:: +*`rsa.crypto.ike_cookie2`*:: + -- ID of the negotiation — sent for ISAKMP Phase Two @@ -56262,14 +58271,14 @@ type: keyword -- -*`fortinet.rsa.crypto.cert_checksum`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`fortinet.rsa.crypto.cert_host_cat`*:: +*`rsa.crypto.cert_host_cat`*:: + -- This key is used for the hostname category value of a certificate @@ -56278,7 +58287,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cert_serial`*:: +*`rsa.crypto.cert_serial`*:: + -- This key is used to capture the Certificate serial number only @@ -56287,7 +58296,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cert_status`*:: +*`rsa.crypto.cert_status`*:: + -- This key captures Certificate validation status @@ -56296,7 +58305,7 @@ type: keyword -- -*`fortinet.rsa.crypto.ssl_ver_dst`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- Deprecated, use version @@ -56305,35 +58314,35 @@ type: keyword -- -*`fortinet.rsa.crypto.cert_keysize`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`fortinet.rsa.crypto.cert_username`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`fortinet.rsa.crypto.https_insact`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`fortinet.rsa.crypto.https_valid`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`fortinet.rsa.crypto.cert_ca`*:: +*`rsa.crypto.cert_ca`*:: + -- This key is used to capture the Certificate signing authority only @@ -56342,7 +58351,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cert_common`*:: +*`rsa.crypto.cert_common`*:: + -- This key is used to capture the Certificate common name only @@ -56352,7 +58361,7 @@ type: keyword -- -*`fortinet.rsa.wireless.wlan_ssid`*:: +*`rsa.wireless.wlan_ssid`*:: + -- This key is used to capture the ssid of a Wireless Session @@ -56361,7 +58370,7 @@ type: keyword -- -*`fortinet.rsa.wireless.access_point`*:: +*`rsa.wireless.access_point`*:: + -- This key is used to capture the access point name. @@ -56370,7 +58379,7 @@ type: keyword -- -*`fortinet.rsa.wireless.wlan_channel`*:: +*`rsa.wireless.wlan_channel`*:: + -- This is used to capture the channel names @@ -56379,7 +58388,7 @@ type: long -- -*`fortinet.rsa.wireless.wlan_name`*:: +*`rsa.wireless.wlan_name`*:: + -- This key captures either WLAN number/name @@ -56389,7 +58398,7 @@ type: keyword -- -*`fortinet.rsa.storage.disk_volume`*:: +*`rsa.storage.disk_volume`*:: + -- A unique name assigned to logical units (volumes) within a physical disk @@ -56398,7 +58407,7 @@ type: keyword -- -*`fortinet.rsa.storage.lun`*:: +*`rsa.storage.lun`*:: + -- Logical Unit Number.This key is a very useful concept in Storage. @@ -56407,7 +58416,7 @@ type: keyword -- -*`fortinet.rsa.storage.pwwn`*:: +*`rsa.storage.pwwn`*:: + -- This uniquely identifies a port on a HBA. @@ -56417,7 +58426,7 @@ type: keyword -- -*`fortinet.rsa.physical.org_dst`*:: +*`rsa.physical.org_dst`*:: + -- This is used to capture the destination organization based on the GEOPIP Maxmind database. @@ -56426,7 +58435,7 @@ type: keyword -- -*`fortinet.rsa.physical.org_src`*:: +*`rsa.physical.org_src`*:: + -- This is used to capture the source organization based on the GEOPIP Maxmind database. @@ -56436,7 +58445,7 @@ type: keyword -- -*`fortinet.rsa.healthcare.patient_fname`*:: +*`rsa.healthcare.patient_fname`*:: + -- This key is for First Names only, this is used for Healthcare predominantly to capture Patients information @@ -56445,7 +58454,7 @@ type: keyword -- -*`fortinet.rsa.healthcare.patient_id`*:: +*`rsa.healthcare.patient_id`*:: + -- This key captures the unique ID for a patient @@ -56454,7 +58463,7 @@ type: keyword -- -*`fortinet.rsa.healthcare.patient_lname`*:: +*`rsa.healthcare.patient_lname`*:: + -- This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information @@ -56463,7 +58472,7 @@ type: keyword -- -*`fortinet.rsa.healthcare.patient_mname`*:: +*`rsa.healthcare.patient_mname`*:: + -- This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information @@ -56473,7 +58482,7 @@ type: keyword -- -*`fortinet.rsa.endpoint.host_state`*:: +*`rsa.endpoint.host_state`*:: + -- This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on @@ -56482,7 +58491,7 @@ type: keyword -- -*`fortinet.rsa.endpoint.registry_key`*:: +*`rsa.endpoint.registry_key`*:: + -- This key captures the path to the registry key @@ -56491,7 +58500,7 @@ type: keyword -- -*`fortinet.rsa.endpoint.registry_value`*:: +*`rsa.endpoint.registry_value`*:: + -- This key captures values or decorators used within a registry entry @@ -56500,11595 +58509,11492 @@ type: keyword -- -[float] -=== firewall +[[exported-fields-fortinet]] +== Fortinet fields -Module for parsing Fortinet syslog. +fortinet Module -*`fortinet.firewall.acct_stat`*:: +*`network.interface.name`*:: + -- -Accounting state (RADIUS) +Name of the network interface where the traffic has been observed. type: keyword -- -*`fortinet.firewall.acktime`*:: + + +*`rsa.internal.msg`*:: + -- -Alarm Acknowledge Time - +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`fortinet.firewall.act`*:: +*`rsa.internal.messageid`*:: + -- -Action - - type: keyword -- -*`fortinet.firewall.action`*:: +*`rsa.internal.event_desc`*:: + -- -Status of the session - - type: keyword -- -*`fortinet.firewall.activity`*:: +*`rsa.internal.message`*:: + -- -HA activity message - +This key captures the contents of instant messages type: keyword -- -*`fortinet.firewall.addr`*:: +*`rsa.internal.time`*:: + -- -IP Address - +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -type: ip +type: date -- -*`fortinet.firewall.addr_type`*:: +*`rsa.internal.level`*:: + -- -Address Type - +Deprecated key defined only in table map. -type: keyword +type: long -- -*`fortinet.firewall.addrgrp`*:: +*`rsa.internal.msg_id`*:: + -- -Address Group - +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`fortinet.firewall.adgroup`*:: +*`rsa.internal.msg_vid`*:: + -- -AD Group Name - +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`fortinet.firewall.admin`*:: +*`rsa.internal.data`*:: + -- -Admin User - +Deprecated key defined only in table map. type: keyword -- -*`fortinet.firewall.age`*:: +*`rsa.internal.obj_server`*:: + -- -Time in seconds - time passed since last seen - +Deprecated key defined only in table map. -type: integer +type: keyword -- -*`fortinet.firewall.agent`*:: +*`rsa.internal.obj_val`*:: + -- -User agent - eg. agent="Mozilla/5.0" - +Deprecated key defined only in table map. type: keyword -- -*`fortinet.firewall.alarmid`*:: +*`rsa.internal.resource`*:: + -- -Alarm ID - +Deprecated key defined only in table map. -type: integer +type: keyword -- -*`fortinet.firewall.alert`*:: +*`rsa.internal.obj_id`*:: + -- -Alert - +Deprecated key defined only in table map. type: keyword -- -*`fortinet.firewall.analyticscksum`*:: +*`rsa.internal.statement`*:: + -- -The checksum of the file submitted for analytics - +Deprecated key defined only in table map. type: keyword -- -*`fortinet.firewall.analyticssubmit`*:: +*`rsa.internal.audit_class`*:: + -- -The flag for analytics submission - +Deprecated key defined only in table map. type: keyword -- -*`fortinet.firewall.ap`*:: +*`rsa.internal.entry`*:: + -- -Access Point - +Deprecated key defined only in table map. type: keyword -- -*`fortinet.firewall.app-type`*:: +*`rsa.internal.hcode`*:: + -- -Address Type - +Deprecated key defined only in table map. type: keyword -- -*`fortinet.firewall.appact`*:: +*`rsa.internal.inode`*:: + -- -The security action from app control - +Deprecated key defined only in table map. -type: keyword +type: long -- -*`fortinet.firewall.appid`*:: +*`rsa.internal.resource_class`*:: + -- -Application ID - +Deprecated key defined only in table map. -type: integer +type: keyword -- -*`fortinet.firewall.applist`*:: +*`rsa.internal.dead`*:: + -- -Application Control profile - +Deprecated key defined only in table map. -type: keyword +type: long -- -*`fortinet.firewall.apprisk`*:: +*`rsa.internal.feed_desc`*:: + -- -Application Risk Level - +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`fortinet.firewall.apscan`*:: +*`rsa.internal.feed_name`*:: + -- -The name of the AP, which scanned and detected the rogue AP - +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`fortinet.firewall.apsn`*:: +*`rsa.internal.cid`*:: + -- -Access Point - +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`fortinet.firewall.apstatus`*:: +*`rsa.internal.device_class`*:: + -- -Access Point status - +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`fortinet.firewall.aptype`*:: +*`rsa.internal.device_group`*:: + -- -Access Point type - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`fortinet.firewall.assigned`*:: +*`rsa.internal.device_host`*:: + -- -Assigned IP Address - +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: ip +type: keyword -- -*`fortinet.firewall.assignip`*:: +*`rsa.internal.device_ip`*:: + -- -Assigned IP Address - +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: ip -- -*`fortinet.firewall.attachment`*:: +*`rsa.internal.device_ipv6`*:: + -- -The flag for email attachement - +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`fortinet.firewall.attack`*:: +*`rsa.internal.device_type`*:: + -- -Attack Name - +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`fortinet.firewall.attackcontext`*:: +*`rsa.internal.device_type_id`*:: + -- -The trigger patterns and the packetdata with base64 encoding - +Deprecated key defined only in table map. -type: keyword +type: long -- -*`fortinet.firewall.attackcontextid`*:: +*`rsa.internal.did`*:: + -- -Attack context id / total - +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`fortinet.firewall.attackid`*:: +*`rsa.internal.entropy_req`*:: + -- -Attack ID - +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: integer +type: long -- -*`fortinet.firewall.auditid`*:: +*`rsa.internal.entropy_res`*:: + -- -Audit ID - +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration type: long -- -*`fortinet.firewall.auditscore`*:: +*`rsa.internal.event_name`*:: + -- -The Audit Score - +Deprecated key defined only in table map. type: keyword -- -*`fortinet.firewall.audittime`*:: +*`rsa.internal.feed_category`*:: + -- -The time of the audit - +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: keyword -- -*`fortinet.firewall.authgrp`*:: +*`rsa.internal.forward_ip`*:: + -- -Authorization Group - +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: keyword +type: ip -- -*`fortinet.firewall.authid`*:: +*`rsa.internal.forward_ipv6`*:: + -- -Authentication ID - +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`fortinet.firewall.authproto`*:: +*`rsa.internal.header_id`*:: + -- -The protocol that initiated the authentication - +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`fortinet.firewall.authserver`*:: +*`rsa.internal.lc_cid`*:: + -- -Authentication server - +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`fortinet.firewall.bandwidth`*:: +*`rsa.internal.lc_ctime`*:: + -- -Bandwidth - +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`fortinet.firewall.banned_rule`*:: +*`rsa.internal.mcb_req`*:: + -- -NAC quarantine Banned Rule Name - +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`fortinet.firewall.banned_src`*:: +*`rsa.internal.mcb_res`*:: + -- -NAC quarantine Banned Source IP - +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`fortinet.firewall.banword`*:: +*`rsa.internal.mcbc_req`*:: + -- -Banned word - +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`fortinet.firewall.botnetdomain`*:: +*`rsa.internal.mcbc_res`*:: + -- -Botnet Domain Name - +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`fortinet.firewall.botnetip`*:: +*`rsa.internal.medium`*:: + -- -Botnet IP Address - +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session -type: ip +type: long -- -*`fortinet.firewall.bssid`*:: +*`rsa.internal.node_name`*:: + -- -Service Set ID - +Deprecated key defined only in table map. type: keyword -- -*`fortinet.firewall.call_id`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -Caller ID - +This key denotes that event is endpoint related type: keyword -- -*`fortinet.firewall.carrier_ep`*:: +*`rsa.internal.parse_error`*:: + -- -The FortiOS Carrier end-point identification - +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`fortinet.firewall.cat`*:: +*`rsa.internal.payload_req`*:: + -- -DNS category ID - +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: integer +type: long -- -*`fortinet.firewall.category`*:: +*`rsa.internal.payload_res`*:: + -- -Authentication category - +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`fortinet.firewall.cc`*:: +*`rsa.internal.process_vid_dst`*:: + -- -CC Email Address - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`fortinet.firewall.cdrcontent`*:: +*`rsa.internal.process_vid_src`*:: + -- -Cdrcontent - +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- -*`fortinet.firewall.centralnatid`*:: +*`rsa.internal.rid`*:: + -- -Central NAT ID - +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: integer +type: long -- -*`fortinet.firewall.cert`*:: +*`rsa.internal.session_split`*:: + -- -Certificate - +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`fortinet.firewall.cert-type`*:: +*`rsa.internal.site`*:: + -- -Certificate type - +Deprecated key defined only in table map. type: keyword -- -*`fortinet.firewall.certhash`*:: +*`rsa.internal.size`*:: + -- -Certificate hash - +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`fortinet.firewall.cfgattr`*:: +*`rsa.internal.sourcefile`*:: + -- -Configuration attribute - +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`fortinet.firewall.cfgobj`*:: +*`rsa.internal.ubc_req`*:: + -- -Configuration object - +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`fortinet.firewall.cfgpath`*:: +*`rsa.internal.ubc_res`*:: + -- -Configuration path - +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`fortinet.firewall.cfgtid`*:: +*`rsa.internal.word`*:: + -- -Configuration transaction ID - +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -*`fortinet.firewall.cfgtxpower`*:: + +*`rsa.time.event_time`*:: + -- -Configuration TX power - +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: integer +type: date -- -*`fortinet.firewall.channel`*:: +*`rsa.time.duration_time`*:: + -- -Wireless Channel - +This key is used to capture the normalized duration/lifetime in seconds. -type: integer +type: double -- -*`fortinet.firewall.channeltype`*:: +*`rsa.time.event_time_str`*:: + -- -SSH channel type - +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`fortinet.firewall.chassisid`*:: +*`rsa.time.starttime`*:: + -- -Chassis ID - +This key is used to capture the Start time mentioned in a session in a standard form -type: integer +type: date -- -*`fortinet.firewall.checksum`*:: +*`rsa.time.month`*:: + -- -The checksum of the scanned file - - type: keyword -- -*`fortinet.firewall.chgheaders`*:: +*`rsa.time.day`*:: + -- -HTTP Headers - - type: keyword -- -*`fortinet.firewall.cldobjid`*:: +*`rsa.time.endtime`*:: + -- -Connector object ID - +This key is used to capture the End time mentioned in a session in a standard form -type: keyword +type: date -- -*`fortinet.firewall.client_addr`*:: +*`rsa.time.timezone`*:: + -- -Wifi client address - +This key is used to capture the timezone of the Event Time type: keyword -- -*`fortinet.firewall.cloudaction`*:: +*`rsa.time.duration_str`*:: + -- -Cloud Action - +A text string version of the duration type: keyword -- -*`fortinet.firewall.clouduser`*:: +*`rsa.time.date`*:: + -- -Cloud User +type: keyword +-- +*`rsa.time.year`*:: ++ +-- type: keyword -- -*`fortinet.firewall.column`*:: +*`rsa.time.recorded_time`*:: + -- -VOIP Column - +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: integer +type: date -- -*`fortinet.firewall.command`*:: +*`rsa.time.datetime`*:: + -- -CLI Command - - type: keyword -- -*`fortinet.firewall.community`*:: +*`rsa.time.effective_time`*:: + -- -SNMP Community - +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: keyword +type: date -- -*`fortinet.firewall.configcountry`*:: +*`rsa.time.expire_time`*:: + -- -Configuration country - +This key is the timestamp that explicitly refers to an expiration. -type: keyword +type: date -- -*`fortinet.firewall.connection_type`*:: +*`rsa.time.process_time`*:: + -- -FortiClient Connection Type - +Deprecated, use duration.time type: keyword -- -*`fortinet.firewall.conserve`*:: +*`rsa.time.hour`*:: + -- -Flag for conserve mode - - type: keyword -- -*`fortinet.firewall.constraint`*:: +*`rsa.time.min`*:: + -- -WAF http protocol restrictions - - type: keyword -- -*`fortinet.firewall.contentdisarmed`*:: +*`rsa.time.timestamp`*:: + -- -Email scanned content - - type: keyword -- -*`fortinet.firewall.contenttype`*:: +*`rsa.time.event_queue_time`*:: + -- -Content Type from HTTP header - +This key is the Time that the event was queued. -type: keyword +type: date -- -*`fortinet.firewall.cookies`*:: +*`rsa.time.p_time1`*:: + -- -VPN Cookie - - type: keyword -- -*`fortinet.firewall.count`*:: +*`rsa.time.tzone`*:: + -- -Counts of action type - - -type: integer +type: keyword -- -*`fortinet.firewall.countapp`*:: +*`rsa.time.eventtime`*:: + -- -Number of App Ctrl logs associated with the session - - -type: integer +type: keyword -- -*`fortinet.firewall.countav`*:: +*`rsa.time.gmtdate`*:: + -- -Number of AV logs associated with the session - - -type: integer +type: keyword -- -*`fortinet.firewall.countcifs`*:: +*`rsa.time.gmttime`*:: + -- -Number of CIFS logs associated with the session - - -type: integer +type: keyword -- -*`fortinet.firewall.countdlp`*:: +*`rsa.time.p_date`*:: + -- -Number of DLP logs associated with the session - - -type: integer +type: keyword -- -*`fortinet.firewall.countdns`*:: +*`rsa.time.p_month`*:: + -- -Number of DNS logs associated with the session - - -type: integer +type: keyword -- -*`fortinet.firewall.countemail`*:: +*`rsa.time.p_time`*:: + -- -Number of email logs associated with the session - - -type: integer +type: keyword -- -*`fortinet.firewall.countff`*:: +*`rsa.time.p_time2`*:: + -- -Number of ff logs associated with the session - - -type: integer +type: keyword -- -*`fortinet.firewall.countips`*:: +*`rsa.time.p_year`*:: + -- -Number of IPS logs associated with the session - - -type: integer +type: keyword -- -*`fortinet.firewall.countssh`*:: +*`rsa.time.expire_time_str`*:: + -- -Number of SSH logs associated with the session - +This key is used to capture incomplete timestamp that explicitly refers to an expiration. -type: integer +type: keyword -- -*`fortinet.firewall.countssl`*:: +*`rsa.time.stamp`*:: + -- -Number of SSL logs associated with the session - +Deprecated key defined only in table map. -type: integer +type: date -- -*`fortinet.firewall.countwaf`*:: + +*`rsa.misc.action`*:: + -- -Number of WAF logs associated with the session - - -type: integer +type: keyword -- -*`fortinet.firewall.countweb`*:: +*`rsa.misc.result`*:: + -- -Number of Web filter logs associated with the session - +This key is used to capture the outcome/result string value of an action in a session. -type: integer +type: keyword -- -*`fortinet.firewall.cpu`*:: +*`rsa.misc.severity`*:: + -- -CPU Usage - +This key is used to capture the severity given the session -type: integer +type: keyword -- -*`fortinet.firewall.craction`*:: +*`rsa.misc.event_type`*:: + -- -Client Reputation Action - +This key captures the event category type as specified by the event source. -type: integer +type: keyword -- -*`fortinet.firewall.criticalcount`*:: +*`rsa.misc.reference_id`*:: + -- -Number of critical ratings - +This key is used to capture an event id from the session directly -type: integer +type: keyword -- -*`fortinet.firewall.crl`*:: +*`rsa.misc.version`*:: + -- -Client Reputation Level - +This key captures Version of the application or OS which is generating the event. type: keyword -- -*`fortinet.firewall.crlevel`*:: +*`rsa.misc.disposition`*:: + -- -Client Reputation Level - +This key captures the The end state of an action. type: keyword -- -*`fortinet.firewall.crscore`*:: -+ --- -Some description - - -type: integer - --- - -*`fortinet.firewall.cveid`*:: +*`rsa.misc.result_code`*:: + -- -CVE ID - +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`fortinet.firewall.daemon`*:: +*`rsa.misc.category`*:: + -- -Daemon name - +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`fortinet.firewall.datarange`*:: +*`rsa.misc.obj_name`*:: + -- -Data range for reports - +This is used to capture name of object type: keyword -- -*`fortinet.firewall.date`*:: +*`rsa.misc.obj_type`*:: + -- -Date - +This is used to capture type of object type: keyword -- -*`fortinet.firewall.ddnsserver`*:: -+ --- -DDNS server - - -type: ip - --- - -*`fortinet.firewall.desc`*:: +*`rsa.misc.event_source`*:: + -- -Description - +This key captures Source of the event that’s not a hostname type: keyword -- -*`fortinet.firewall.detectionmethod`*:: +*`rsa.misc.log_session_id`*:: + -- -Detection method - +This key is used to capture a sessionid from the session directly type: keyword -- -*`fortinet.firewall.devcategory`*:: +*`rsa.misc.group`*:: + -- -Device category - +This key captures the Group Name value type: keyword -- -*`fortinet.firewall.devintfname`*:: +*`rsa.misc.policy_name`*:: + -- -HA device Interface Name - +This key is used to capture the Policy Name only. type: keyword -- -*`fortinet.firewall.devtype`*:: +*`rsa.misc.rule_name`*:: + -- -Device type - +This key captures the Rule Name type: keyword -- -*`fortinet.firewall.dhcp_msg`*:: +*`rsa.misc.context`*:: + -- -DHCP Message - +This key captures Information which adds additional context to the event. type: keyword -- -*`fortinet.firewall.dintf`*:: +*`rsa.misc.change_new`*:: + -- -Destination interface - +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- -*`fortinet.firewall.disk`*:: +*`rsa.misc.space`*:: + -- -Assosciated disk - - type: keyword -- -*`fortinet.firewall.disklograte`*:: +*`rsa.misc.client`*:: + -- -Disk logging rate - +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. -type: long +type: keyword -- -*`fortinet.firewall.dlpextra`*:: +*`rsa.misc.msgIdPart1`*:: + -- -DLP extra information - - type: keyword -- -*`fortinet.firewall.docsource`*:: +*`rsa.misc.msgIdPart2`*:: + -- -DLP fingerprint document source - - type: keyword -- -*`fortinet.firewall.domainctrlauthstate`*:: +*`rsa.misc.change_old`*:: + -- -CIFS domain auth state - +This key is used to capture the old value of the attribute that’s changing in a session -type: integer +type: keyword -- -*`fortinet.firewall.domainctrlauthtype`*:: +*`rsa.misc.operation_id`*:: + -- -CIFS domain auth type - +An alert number or operation number. The values should be unique and non-repeating. -type: integer +type: keyword -- -*`fortinet.firewall.domainctrldomain`*:: +*`rsa.misc.event_state`*:: + -- -CIFS domain auth domain - +This key captures the current state of the object/item referenced within the event. Describing an on-going event. type: keyword -- -*`fortinet.firewall.domainctrlip`*:: +*`rsa.misc.group_object`*:: + -- -CIFS Domain IP - +This key captures a collection/grouping of entities. Specific usage -type: ip +type: keyword -- -*`fortinet.firewall.domainctrlname`*:: +*`rsa.misc.node`*:: + -- -CIFS Domain name - +Common use case is the node name within a cluster. The cluster name is reflected by the host name. type: keyword -- -*`fortinet.firewall.domainctrlprotocoltype`*:: +*`rsa.misc.rule`*:: + -- -CIFS Domain connection protocol - +This key captures the Rule number -type: integer +type: keyword -- -*`fortinet.firewall.domainctrlusername`*:: +*`rsa.misc.device_name`*:: + -- -CIFS Domain username - +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`fortinet.firewall.domainfilteridx`*:: +*`rsa.misc.param`*:: + -- -Domain filter ID - +This key is the parameters passed as part of a command or application, etc. -type: integer +type: keyword -- -*`fortinet.firewall.domainfilterlist`*:: +*`rsa.misc.change_attrib`*:: + -- -Domain filter name - +This key is used to capture the name of the attribute that’s changing in a session type: keyword -- -*`fortinet.firewall.ds`*:: +*`rsa.misc.event_computer`*:: + -- -Direction with distribution system - +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- -*`fortinet.firewall.dst_int`*:: +*`rsa.misc.reference_id1`*:: + -- -Destination interface - +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- -*`fortinet.firewall.dstintfrole`*:: +*`rsa.misc.event_log`*:: + -- -Destination interface role - +This key captures the Name of the event log type: keyword -- -*`fortinet.firewall.dstcountry`*:: +*`rsa.misc.OS`*:: + -- -Destination country - +This key captures the Name of the Operating System type: keyword -- -*`fortinet.firewall.dstdevcategory`*:: +*`rsa.misc.terminal`*:: + -- -Destination device category - +This key captures the Terminal Names only type: keyword -- -*`fortinet.firewall.dstdevtype`*:: +*`rsa.misc.msgIdPart3`*:: + -- -Destination device type - - type: keyword -- -*`fortinet.firewall.dstfamily`*:: +*`rsa.misc.filter`*:: + -- -Destination OS family - +This key captures Filter used to reduce result set type: keyword -- -*`fortinet.firewall.dsthwvendor`*:: +*`rsa.misc.serial_number`*:: + -- -Destination HW vendor - +This key is the Serial number associated with a physical asset. type: keyword -- -*`fortinet.firewall.dsthwversion`*:: +*`rsa.misc.checksum`*:: + -- -Destination HW version - +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. type: keyword -- -*`fortinet.firewall.dstinetsvc`*:: +*`rsa.misc.event_user`*:: + -- -Destination interface service - +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. type: keyword -- -*`fortinet.firewall.dstosname`*:: +*`rsa.misc.virusname`*:: + -- -Destination OS name - +This key captures the name of the virus type: keyword -- -*`fortinet.firewall.dstosversion`*:: +*`rsa.misc.content_type`*:: + -- -Destination OS version - +This key is used to capture Content Type only. type: keyword -- -*`fortinet.firewall.dstserver`*:: +*`rsa.misc.group_id`*:: + -- -Destination server - +This key captures Group ID Number (related to the group name) -type: integer +type: keyword -- -*`fortinet.firewall.dstssid`*:: +*`rsa.misc.policy_id`*:: + -- -Destination SSID - +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise type: keyword -- -*`fortinet.firewall.dstswversion`*:: +*`rsa.misc.vsys`*:: + -- -Destination software version - +This key captures Virtual System Name type: keyword -- -*`fortinet.firewall.dstunauthusersource`*:: +*`rsa.misc.connection_id`*:: + -- -Destination unauthenticated source - +This key captures the Connection ID type: keyword -- -*`fortinet.firewall.dstuuid`*:: +*`rsa.misc.reference_id2`*:: + -- -UUID of the Destination IP address - +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. type: keyword -- -*`fortinet.firewall.duid`*:: +*`rsa.misc.sensor`*:: + -- -DHCP UID - +This key captures Name of the sensor. Typically used in IDS/IPS based devices type: keyword -- -*`fortinet.firewall.eapolcnt`*:: +*`rsa.misc.sig_id`*:: + -- -EAPOL packet count - +This key captures IDS/IPS Int Signature ID -type: integer +type: long -- -*`fortinet.firewall.eapoltype`*:: +*`rsa.misc.port_name`*:: + -- -EAPOL packet type - +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`fortinet.firewall.encrypt`*:: +*`rsa.misc.rule_group`*:: + -- -Whether the packet is encrypted or not - +This key captures the Rule group name -type: integer +type: keyword -- -*`fortinet.firewall.encryption`*:: +*`rsa.misc.risk_num`*:: + -- -Encryption method - +This key captures a Numeric Risk value -type: keyword +type: double -- -*`fortinet.firewall.epoch`*:: +*`rsa.misc.trigger_val`*:: + -- -Epoch used for locating file - +This key captures the Value of the trigger or threshold condition. -type: integer +type: keyword -- -*`fortinet.firewall.espauth`*:: +*`rsa.misc.log_session_id1`*:: + -- -ESP Authentication - +This key is used to capture a Linked (Related) Session ID from the session directly type: keyword -- -*`fortinet.firewall.esptransform`*:: +*`rsa.misc.comp_version`*:: + -- -ESP Transform - +This key captures the Version level of a sub-component of a product. type: keyword -- -*`fortinet.firewall.exch`*:: +*`rsa.misc.content_version`*:: + -- -Mail Exchanges from DNS response answer section - +This key captures Version level of a signature or database content. type: keyword -- -*`fortinet.firewall.exchange`*:: +*`rsa.misc.hardware_id`*:: + -- -Mail Exchanges from DNS response answer section - +This key is used to capture unique identifier for a device or system (NOT a Mac address) type: keyword -- -*`fortinet.firewall.expectedsignature`*:: +*`rsa.misc.risk`*:: + -- -Expected SSL signature - +This key captures the non-numeric risk value type: keyword -- -*`fortinet.firewall.expiry`*:: +*`rsa.misc.event_id`*:: + -- -FortiGuard override expiry timestamp - - type: keyword -- -*`fortinet.firewall.fams_pause`*:: +*`rsa.misc.reason`*:: + -- -Fortinet Analysis and Management Service Pause - - -type: integer +type: keyword -- -*`fortinet.firewall.fazlograte`*:: +*`rsa.misc.status`*:: + -- -FortiAnalyzer Logging Rate - - -type: long +type: keyword -- -*`fortinet.firewall.fctemssn`*:: +*`rsa.misc.mail_id`*:: + -- -FortiClient Endpoint SSN - +This key is used to capture the mailbox id/name type: keyword -- -*`fortinet.firewall.fctuid`*:: +*`rsa.misc.rule_uid`*:: + -- -FortiClient UID - +This key is the Unique Identifier for a rule. type: keyword -- -*`fortinet.firewall.field`*:: +*`rsa.misc.trigger_desc`*:: + -- -NTP status field - +This key captures the Description of the trigger or threshold condition. type: keyword -- -*`fortinet.firewall.filefilter`*:: +*`rsa.misc.inout`*:: + -- -The filter used to identify the affected file - - type: keyword -- -*`fortinet.firewall.filehashsrc`*:: +*`rsa.misc.p_msgid`*:: + -- -Filehash source - - type: keyword -- -*`fortinet.firewall.filtercat`*:: +*`rsa.misc.data_type`*:: + -- -DLP filter category - - type: keyword -- -*`fortinet.firewall.filteridx`*:: +*`rsa.misc.msgIdPart4`*:: + -- -DLP filter ID - - -type: integer +type: keyword -- -*`fortinet.firewall.filtername`*:: +*`rsa.misc.error`*:: + -- -DLP rule name - +This key captures All non successful Error codes or responses type: keyword -- -*`fortinet.firewall.filtertype`*:: +*`rsa.misc.index`*:: + -- -DLP filter type - - type: keyword -- -*`fortinet.firewall.fortiguardresp`*:: +*`rsa.misc.listnum`*:: + -- -Antispam ESP value - +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -- -*`fortinet.firewall.forwardedfor`*:: +*`rsa.misc.ntype`*:: + -- -Email address forwarded - - type: keyword -- -*`fortinet.firewall.fqdn`*:: +*`rsa.misc.observed_val`*:: + -- -FQDN - +This key captures the Value observed (from the perspective of the device generating the log). type: keyword -- -*`fortinet.firewall.frametype`*:: +*`rsa.misc.policy_value`*:: + -- -Wireless frametype - +This key captures the contents of the policy. This contains details about the policy type: keyword -- -*`fortinet.firewall.freediskstorage`*:: +*`rsa.misc.pool_name`*:: + -- -Free disk integer - +This key captures the name of a resource pool -type: integer +type: keyword -- -*`fortinet.firewall.from`*:: +*`rsa.misc.rule_template`*:: + -- -From email address - +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template type: keyword -- -*`fortinet.firewall.from_vcluster`*:: +*`rsa.misc.count`*:: + -- -Source virtual cluster number - - -type: integer +type: keyword -- -*`fortinet.firewall.fsaverdict`*:: +*`rsa.misc.number`*:: + -- -FSA verdict - - type: keyword -- -*`fortinet.firewall.fwserver_name`*:: +*`rsa.misc.sigcat`*:: + -- -Web proxy server name - - type: keyword -- -*`fortinet.firewall.gateway`*:: +*`rsa.misc.type`*:: + -- -Gateway ip address for PPPoE status report - - -type: ip +type: keyword -- -*`fortinet.firewall.green`*:: +*`rsa.misc.comments`*:: + -- -Memory status - +Comment information provided in the log message type: keyword -- -*`fortinet.firewall.groupid`*:: +*`rsa.misc.doc_number`*:: + -- -User Group ID - +This key captures File Identification number -type: integer +type: long -- -*`fortinet.firewall.ha-prio`*:: +*`rsa.misc.expected_val`*:: + -- -HA Priority - +This key captures the Value expected (from the perspective of the device generating the log). -type: integer +type: keyword -- -*`fortinet.firewall.ha_group`*:: +*`rsa.misc.job_num`*:: + -- -HA Group - +This key captures the Job Number type: keyword -- -*`fortinet.firewall.ha_role`*:: +*`rsa.misc.spi_dst`*:: + -- -HA Role - +Destination SPI Index type: keyword -- -*`fortinet.firewall.handshake`*:: +*`rsa.misc.spi_src`*:: + -- -SSL Handshake - +Source SPI Index type: keyword -- -*`fortinet.firewall.hash`*:: +*`rsa.misc.code`*:: + -- -Hash value of downloaded file - - type: keyword -- -*`fortinet.firewall.hbdn_reason`*:: +*`rsa.misc.agent_id`*:: + -- -Heartbeat down reason - +This key is used to capture agent id type: keyword -- -*`fortinet.firewall.highcount`*:: +*`rsa.misc.message_body`*:: + -- -Highcount fabric summary - +This key captures the The contents of the message body. -type: integer +type: keyword -- -*`fortinet.firewall.host`*:: +*`rsa.misc.phone`*:: + -- -Hostname - - type: keyword -- -*`fortinet.firewall.iaid`*:: +*`rsa.misc.sig_id_str`*:: + -- -DHCPv6 id - +This key captures a string object of the sigid variable. type: keyword -- -*`fortinet.firewall.icmpcode`*:: +*`rsa.misc.cmd`*:: + -- -Destination Port of the ICMP message - - type: keyword -- -*`fortinet.firewall.icmpid`*:: +*`rsa.misc.misc`*:: + -- -Source port of the ICMP message - - type: keyword -- -*`fortinet.firewall.icmptype`*:: +*`rsa.misc.name`*:: + -- -The type of ICMP message - - type: keyword -- -*`fortinet.firewall.identifier`*:: +*`rsa.misc.cpu`*:: + -- -Network traffic identifier - +This key is the CPU time used in the execution of the event being recorded. -type: integer +type: long -- -*`fortinet.firewall.in_spi`*:: +*`rsa.misc.event_desc`*:: + -- -IPSEC inbound SPI - +This key is used to capture a description of an event available directly or inferred type: keyword -- -*`fortinet.firewall.incidentserialno`*:: +*`rsa.misc.sig_id1`*:: + -- -Incident serial number - +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id -type: integer +type: long -- -*`fortinet.firewall.infected`*:: +*`rsa.misc.im_buddyid`*:: + -- -Infected MMS - - -type: integer +type: keyword -- -*`fortinet.firewall.infectedfilelevel`*:: +*`rsa.misc.im_client`*:: + -- -DLP infected file level - - -type: integer +type: keyword -- -*`fortinet.firewall.informationsource`*:: +*`rsa.misc.im_userid`*:: + -- -Information source - - type: keyword -- -*`fortinet.firewall.init`*:: +*`rsa.misc.pid`*:: + -- -IPSEC init stage - - type: keyword -- -*`fortinet.firewall.initiator`*:: +*`rsa.misc.priority`*:: + -- -Original login user name for Fortiguard override - - type: keyword -- -*`fortinet.firewall.interface`*:: +*`rsa.misc.context_subject`*:: + -- -Related interface - +This key is to be used in an audit context where the subject is the object being identified type: keyword -- -*`fortinet.firewall.intf`*:: +*`rsa.misc.context_target`*:: + -- -Related interface - - type: keyword -- -*`fortinet.firewall.invalidmac`*:: +*`rsa.misc.cve`*:: + -- -The MAC address with invalid OUI - +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. type: keyword -- -*`fortinet.firewall.ip`*:: +*`rsa.misc.fcatnum`*:: + -- -Related IP - +This key captures Filter Category Number. Legacy Usage -type: ip +type: keyword -- -*`fortinet.firewall.iptype`*:: +*`rsa.misc.library`*:: + -- -Related IP type - +This key is used to capture library information in mainframe devices type: keyword -- -*`fortinet.firewall.keyword`*:: +*`rsa.misc.parent_node`*:: + -- -Keyword used for search - +This key captures the Parent Node Name. Must be related to node variable. type: keyword -- -*`fortinet.firewall.kind`*:: +*`rsa.misc.risk_info`*:: + -- -VOIP kind - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`fortinet.firewall.lanin`*:: +*`rsa.misc.tcp_flags`*:: + -- -LAN incoming traffic in bytes - +This key is captures the TCP flags set in any packet of session type: long -- -*`fortinet.firewall.lanout`*:: +*`rsa.misc.tos`*:: + -- -LAN outbound traffic in bytes - +This key describes the type of service type: long -- -*`fortinet.firewall.lease`*:: +*`rsa.misc.vm_target`*:: + -- -DHCP lease - +VMWare Target **VMWARE** only varaible. -type: integer +type: keyword -- -*`fortinet.firewall.license_limit`*:: +*`rsa.misc.workspace`*:: + -- -Maximum Number of FortiClients for the License - +This key captures Workspace Description type: keyword -- -*`fortinet.firewall.limit`*:: +*`rsa.misc.command`*:: + -- -Virtual Domain Resource Limit - - -type: integer +type: keyword -- -*`fortinet.firewall.line`*:: +*`rsa.misc.event_category`*:: + -- -VOIP line - - type: keyword -- -*`fortinet.firewall.live`*:: +*`rsa.misc.facilityname`*:: + -- -Time in seconds - - -type: integer +type: keyword -- -*`fortinet.firewall.local`*:: +*`rsa.misc.forensic_info`*:: + -- -Local IP for a PPPD Connection - - -type: ip +type: keyword -- -*`fortinet.firewall.log`*:: +*`rsa.misc.jobname`*:: + -- -Log message - - type: keyword -- -*`fortinet.firewall.login`*:: +*`rsa.misc.mode`*:: + -- -SSH login - - type: keyword -- -*`fortinet.firewall.lowcount`*:: +*`rsa.misc.policy`*:: + -- -Fabric lowcount - - -type: integer +type: keyword -- -*`fortinet.firewall.mac`*:: +*`rsa.misc.policy_waiver`*:: + -- -DHCP mac address - - type: keyword -- -*`fortinet.firewall.malform_data`*:: +*`rsa.misc.second`*:: + -- -VOIP malformed data +type: keyword +-- -type: integer +*`rsa.misc.space1`*:: ++ +-- +type: keyword -- -*`fortinet.firewall.malform_desc`*:: +*`rsa.misc.subcategory`*:: + -- -VOIP malformed data description +type: keyword +-- +*`rsa.misc.tbdstr2`*:: ++ +-- type: keyword -- -*`fortinet.firewall.manuf`*:: +*`rsa.misc.alert_id`*:: + -- -Manufacturer name - +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`fortinet.firewall.masterdstmac`*:: +*`rsa.misc.checksum_dst`*:: + -- -Master mac address for a host with multiple network interfaces - +This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -- -*`fortinet.firewall.mastersrcmac`*:: +*`rsa.misc.checksum_src`*:: + -- -The master MAC address for a host that has multiple network interfaces - +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`fortinet.firewall.mediumcount`*:: +*`rsa.misc.fresult`*:: + -- -Fabric medium count - +This key captures the Filter Result -type: integer +type: long -- -*`fortinet.firewall.mem`*:: +*`rsa.misc.payload_dst`*:: + -- -Memory usage system statistics - +This key is used to capture destination payload type: keyword -- -*`fortinet.firewall.meshmode`*:: +*`rsa.misc.payload_src`*:: + -- -Wireless mesh mode - +This key is used to capture source payload type: keyword -- -*`fortinet.firewall.message_type`*:: +*`rsa.misc.pool_id`*:: + -- -VOIP message type - +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`fortinet.firewall.method`*:: +*`rsa.misc.process_id_val`*:: + -- -HTTP method - +This key is a failure key for Process ID when it is not an integer value type: keyword -- -*`fortinet.firewall.mgmtcnt`*:: +*`rsa.misc.risk_num_comm`*:: + -- -The number of unauthorized client flooding managemet frames - +This key captures Risk Number Community -type: integer +type: double -- -*`fortinet.firewall.mode`*:: +*`rsa.misc.risk_num_next`*:: + -- -IPSEC mode - +This key captures Risk Number NextGen -type: keyword +type: double -- -*`fortinet.firewall.module`*:: +*`rsa.misc.risk_num_sand`*:: + -- -PCI-DSS module - +This key captures Risk Number SandBox -type: keyword +type: double -- -*`fortinet.firewall.monitor-name`*:: +*`rsa.misc.risk_num_static`*:: + -- -Health Monitor Name - +This key captures Risk Number Static -type: keyword +type: double -- -*`fortinet.firewall.monitor-type`*:: +*`rsa.misc.risk_suspicious`*:: + -- -Health Monitor Type - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`fortinet.firewall.mpsk`*:: +*`rsa.misc.risk_warning`*:: + -- -Wireless MPSK - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`fortinet.firewall.msgproto`*:: +*`rsa.misc.snmp_oid`*:: + -- -Message Protocol Number - +SNMP Object Identifier type: keyword -- -*`fortinet.firewall.mtu`*:: +*`rsa.misc.sql`*:: + -- -Max Transmission Unit Value - +This key captures the SQL query -type: integer +type: keyword -- -*`fortinet.firewall.name`*:: +*`rsa.misc.vuln_ref`*:: + -- -Name - +This key captures the Vulnerability Reference details type: keyword -- -*`fortinet.firewall.nat`*:: +*`rsa.misc.acl_id`*:: + -- -NAT IP Address - - type: keyword -- -*`fortinet.firewall.netid`*:: +*`rsa.misc.acl_op`*:: + -- -Connector NetID - - type: keyword -- -*`fortinet.firewall.new_status`*:: +*`rsa.misc.acl_pos`*:: + -- -New status on user change - - type: keyword -- -*`fortinet.firewall.new_value`*:: +*`rsa.misc.acl_table`*:: + -- -New Virtual Domain Name - - type: keyword -- -*`fortinet.firewall.newchannel`*:: +*`rsa.misc.admin`*:: + -- -New Channel Number - - -type: integer +type: keyword -- -*`fortinet.firewall.newchassisid`*:: +*`rsa.misc.alarm_id`*:: + -- -New Chassis ID - - -type: integer +type: keyword -- -*`fortinet.firewall.newslot`*:: +*`rsa.misc.alarmname`*:: + -- -New Slot Number - - -type: integer +type: keyword -- -*`fortinet.firewall.nextstat`*:: +*`rsa.misc.app_id`*:: + -- -Time interval in seconds for the next statistics. - - -type: integer +type: keyword -- -*`fortinet.firewall.nf_type`*:: +*`rsa.misc.audit`*:: + -- -Notification Type - - type: keyword -- -*`fortinet.firewall.noise`*:: +*`rsa.misc.audit_object`*:: + -- -Wifi Noise - - -type: integer +type: keyword -- -*`fortinet.firewall.old_status`*:: +*`rsa.misc.auditdata`*:: + -- -Original Status - - type: keyword -- -*`fortinet.firewall.old_value`*:: +*`rsa.misc.benchmark`*:: + -- -Original Virtual Domain name - - type: keyword -- -*`fortinet.firewall.oldchannel`*:: +*`rsa.misc.bypass`*:: + -- -Original channel - - -type: integer +type: keyword -- -*`fortinet.firewall.oldchassisid`*:: +*`rsa.misc.cache`*:: + -- -Original Chassis Number - - -type: integer +type: keyword -- -*`fortinet.firewall.oldslot`*:: +*`rsa.misc.cache_hit`*:: + -- -Original Slot Number - - -type: integer +type: keyword -- -*`fortinet.firewall.oldsn`*:: +*`rsa.misc.cefversion`*:: + -- -Old Serial number - - type: keyword -- -*`fortinet.firewall.oldwprof`*:: +*`rsa.misc.cfg_attr`*:: + -- -Old Web Filter Profile - - type: keyword -- -*`fortinet.firewall.onwire`*:: +*`rsa.misc.cfg_obj`*:: + -- -A flag to indicate if the AP is onwire or not - - type: keyword -- -*`fortinet.firewall.opercountry`*:: +*`rsa.misc.cfg_path`*:: + -- -Operating Country - - type: keyword -- -*`fortinet.firewall.opertxpower`*:: +*`rsa.misc.changes`*:: + -- -Operating TX power - - -type: integer +type: keyword -- -*`fortinet.firewall.osname`*:: +*`rsa.misc.client_ip`*:: + -- -Operating System name - - type: keyword -- -*`fortinet.firewall.osversion`*:: +*`rsa.misc.clustermembers`*:: + -- -Operating System version - - type: keyword -- -*`fortinet.firewall.out_spi`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -Out SPI - - type: keyword -- -*`fortinet.firewall.outintf`*:: +*`rsa.misc.cn_asn_src`*:: + -- -Out interface - - type: keyword -- -*`fortinet.firewall.passedcount`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -Fabric passed count - - -type: integer +type: keyword -- -*`fortinet.firewall.passwd`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -Changed user password information - - type: keyword -- -*`fortinet.firewall.path`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -Path of looped configuration for security fabric - - type: keyword -- -*`fortinet.firewall.peer`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -WAN optimization peer - - type: keyword -- -*`fortinet.firewall.peer_notif`*:: +*`rsa.misc.cn_engine_id`*:: + -- -VPN peer notification - - type: keyword -- -*`fortinet.firewall.phase2_name`*:: +*`rsa.misc.cn_engine_type`*:: + -- -VPN phase2 name - - type: keyword -- -*`fortinet.firewall.phone`*:: +*`rsa.misc.cn_f_switch`*:: + -- -VOIP Phone - - type: keyword -- -*`fortinet.firewall.pid`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -Process ID - - -type: integer +type: keyword -- -*`fortinet.firewall.policytype`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -Policy Type - - type: keyword -- -*`fortinet.firewall.poolname`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -IP Pool name - - type: keyword -- -*`fortinet.firewall.port`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -Log upload error port - - -type: integer +type: keyword -- -*`fortinet.firewall.portbegin`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -IP Pool port number to begin - - -type: integer +type: keyword -- -*`fortinet.firewall.portend`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -IP Pool port number to end - - -type: integer +type: keyword -- -*`fortinet.firewall.probeproto`*:: +*`rsa.misc.cn_invalid`*:: + -- -Link Monitor Probe Protocol - - type: keyword -- -*`fortinet.firewall.process`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -URL Filter process - - type: keyword -- -*`fortinet.firewall.processtime`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -Process time for reports - - -type: integer +type: keyword -- -*`fortinet.firewall.profile`*:: +*`rsa.misc.cn_l_switch`*:: + -- -Profile Name - - type: keyword -- -*`fortinet.firewall.profile_vd`*:: +*`rsa.misc.cn_log_did`*:: + -- -Virtual Domain Name - - type: keyword -- -*`fortinet.firewall.profilegroup`*:: +*`rsa.misc.cn_log_rid`*:: + -- -Profile Group Name - - type: keyword -- -*`fortinet.firewall.profiletype`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -Profile Type - - type: keyword -- -*`fortinet.firewall.qtypeval`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -DNS question type value - - -type: integer +type: keyword -- -*`fortinet.firewall.quarskip`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -Quarantine skip explanation - - type: keyword -- -*`fortinet.firewall.quotaexceeded`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -If quota has been exceeded - - type: keyword -- -*`fortinet.firewall.quotamax`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -Maximum quota allowed - in seconds if time-based - in bytes if traffic-based - - -type: long +type: keyword -- -*`fortinet.firewall.quotatype`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -Quota type - - type: keyword -- -*`fortinet.firewall.quotaused`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -Quota used - in seconds if time-based - in bytes if trafficbased) - - -type: long +type: keyword -- -*`fortinet.firewall.radioband`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -Radio band - - type: keyword -- -*`fortinet.firewall.radioid`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -Radio ID - - -type: integer +type: keyword -- -*`fortinet.firewall.radioidclosest`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -Radio ID on the AP closest the rogue AP - - -type: integer +type: keyword -- -*`fortinet.firewall.radioiddetected`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- -Radio ID on the AP which detected the rogue AP - - -type: integer +type: keyword -- -*`fortinet.firewall.rate`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -Wireless rogue rate value - - type: keyword -- -*`fortinet.firewall.rawdata`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -Raw data value - - type: keyword -- -*`fortinet.firewall.rawdataid`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -Raw data ID - - type: keyword -- -*`fortinet.firewall.rcvddelta`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -Received bytes delta - - type: keyword -- -*`fortinet.firewall.reason`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -Alert reason - - type: keyword -- -*`fortinet.firewall.received`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -Server key exchange received - - -type: integer +type: keyword -- -*`fortinet.firewall.receivedsignature`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -Server key exchange received signature - - type: keyword -- -*`fortinet.firewall.red`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -Memory information in red - - type: keyword -- -*`fortinet.firewall.referralurl`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -Web filter referralurl - - type: keyword -- -*`fortinet.firewall.remote`*:: +*`rsa.misc.cn_sampint`*:: + -- -Remote PPP IP address - - -type: ip +type: keyword -- -*`fortinet.firewall.remotewtptime`*:: +*`rsa.misc.cn_seqctr`*:: + -- -Remote Wifi Radius authentication time - - type: keyword -- -*`fortinet.firewall.reporttype`*:: +*`rsa.misc.cn_spackets`*:: + -- -Report type - - type: keyword -- -*`fortinet.firewall.reqtype`*:: +*`rsa.misc.cn_src_tos`*:: + -- -Request type - - type: keyword -- -*`fortinet.firewall.request_name`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -VOIP request name - - type: keyword -- -*`fortinet.firewall.result`*:: +*`rsa.misc.cn_sysuptime`*:: + -- -VPN phase result - - type: keyword -- -*`fortinet.firewall.role`*:: +*`rsa.misc.cn_template_id`*:: + -- -VPN Phase 2 role - - type: keyword -- -*`fortinet.firewall.rssi`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -Received signal strength indicator - - -type: integer +type: keyword -- -*`fortinet.firewall.rsso_key`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -RADIUS SSO attribute value - - type: keyword -- -*`fortinet.firewall.ruledata`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- -Rule data - - type: keyword -- -*`fortinet.firewall.ruletype`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -Rule type - - type: keyword -- -*`fortinet.firewall.scanned`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -Number of Scanned MMSs - - -type: integer +type: keyword -- -*`fortinet.firewall.scantime`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -Scanned time - - -type: long +type: keyword -- -*`fortinet.firewall.scope`*:: +*`rsa.misc.comp_class`*:: + -- -FortiGuard Override Scope - - type: keyword -- -*`fortinet.firewall.security`*:: +*`rsa.misc.comp_name`*:: + -- -Wireless rogue security - - type: keyword -- -*`fortinet.firewall.sensitivity`*:: +*`rsa.misc.comp_rbytes`*:: + -- -Sensitivity for document fingerprint - - type: keyword -- -*`fortinet.firewall.sensor`*:: +*`rsa.misc.comp_sbytes`*:: + -- -NAC Sensor Name - - type: keyword -- -*`fortinet.firewall.sentdelta`*:: +*`rsa.misc.cpu_data`*:: + -- -Sent bytes delta - - type: keyword -- -*`fortinet.firewall.seq`*:: +*`rsa.misc.criticality`*:: + -- -Sequence number - - type: keyword -- -*`fortinet.firewall.serial`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -WAN optimisation serial - - type: keyword -- -*`fortinet.firewall.serialno`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -Serial number - - type: keyword -- -*`fortinet.firewall.server`*:: +*`rsa.misc.cs_av_other`*:: + -- -AD server FQDN or IP - - type: keyword -- -*`fortinet.firewall.session_id`*:: +*`rsa.misc.cs_av_primary`*:: + -- -Session ID - - type: keyword -- -*`fortinet.firewall.sessionid`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -WAD Session ID - - -type: integer +type: keyword -- -*`fortinet.firewall.setuprate`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -Session Setup Rate - - -type: long +type: keyword -- -*`fortinet.firewall.severity`*:: +*`rsa.misc.cs_bit9status`*:: + -- -Severity - - type: keyword -- -*`fortinet.firewall.shaperdroprcvdbyte`*:: +*`rsa.misc.cs_context`*:: + -- -Received bytes dropped by shaper - - -type: integer +type: keyword -- -*`fortinet.firewall.shaperdropsentbyte`*:: +*`rsa.misc.cs_control`*:: + -- -Sent bytes dropped by shaper - - -type: integer +type: keyword -- -*`fortinet.firewall.shaperperipdropbyte`*:: +*`rsa.misc.cs_data`*:: + -- -Dropped bytes per IP by shaper - - -type: integer +type: keyword -- -*`fortinet.firewall.shaperperipname`*:: +*`rsa.misc.cs_datecret`*:: + -- -Traffic shaper name (per IP) - - type: keyword -- -*`fortinet.firewall.shaperrcvdname`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -Traffic shaper name for received traffic - - type: keyword -- -*`fortinet.firewall.shapersentname`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -Traffic shaper name for sent traffic - - type: keyword -- -*`fortinet.firewall.shapingpolicyid`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -Traffic shaper policy ID - - -type: integer +type: keyword -- -*`fortinet.firewall.signal`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -Wireless rogue API signal - - -type: integer +type: keyword -- -*`fortinet.firewall.size`*:: +*`rsa.misc.cs_filetype`*:: + -- -Email size in bytes - - -type: long +type: keyword -- -*`fortinet.firewall.slot`*:: +*`rsa.misc.cs_fld`*:: + -- -Slot number - - -type: integer +type: keyword -- -*`fortinet.firewall.sn`*:: +*`rsa.misc.cs_if_desc`*:: + -- -Security fabric serial number - - type: keyword -- -*`fortinet.firewall.snclosest`*:: +*`rsa.misc.cs_if_name`*:: + -- -SN of the AP closest to the rogue AP - - type: keyword -- -*`fortinet.firewall.sndetected`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -SN of the AP which detected the rogue AP - - type: keyword -- -*`fortinet.firewall.snmeshparent`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -SN of the mesh parent - - type: keyword -- -*`fortinet.firewall.spi`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -IPSEC SPI - - type: keyword -- -*`fortinet.firewall.src_int`*:: +*`rsa.misc.cs_lifetime`*:: + -- -Source interface - - type: keyword -- -*`fortinet.firewall.srcintfrole`*:: +*`rsa.misc.cs_log_medium`*:: + -- -Source interface role - - type: keyword -- -*`fortinet.firewall.srccountry`*:: +*`rsa.misc.cs_loginname`*:: + -- -Source country - - type: keyword -- -*`fortinet.firewall.srcfamily`*:: +*`rsa.misc.cs_modulescore`*:: + -- -Source family - - type: keyword -- -*`fortinet.firewall.srchwvendor`*:: +*`rsa.misc.cs_modulesign`*:: + -- -Source hardware vendor - - type: keyword -- -*`fortinet.firewall.srchwversion`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -Source hardware version - - type: keyword -- -*`fortinet.firewall.srcinetsvc`*:: +*`rsa.misc.cs_payload`*:: + -- -Source interface service - - type: keyword -- -*`fortinet.firewall.srcname`*:: +*`rsa.misc.cs_registrant`*:: + -- -Source name - - type: keyword -- -*`fortinet.firewall.srcserver`*:: +*`rsa.misc.cs_registrar`*:: + -- -Source server - - -type: integer +type: keyword -- -*`fortinet.firewall.srcssid`*:: +*`rsa.misc.cs_represult`*:: + -- -Source SSID - - type: keyword -- -*`fortinet.firewall.srcswversion`*:: +*`rsa.misc.cs_rpayload`*:: + -- -Source software version - - type: keyword -- -*`fortinet.firewall.srcuuid`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -Source UUID - - type: keyword -- -*`fortinet.firewall.sscname`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -SSC name - - type: keyword -- -*`fortinet.firewall.ssid`*:: +*`rsa.misc.cs_streams`*:: + -- -Base Service Set ID - - type: keyword -- -*`fortinet.firewall.sslaction`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -SSL Action - - type: keyword -- -*`fortinet.firewall.ssllocal`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -WAD SSL local - - type: keyword -- -*`fortinet.firewall.sslremote`*:: +*`rsa.misc.cs_whois_server`*:: + -- -WAD SSL remote - - type: keyword -- -*`fortinet.firewall.stacount`*:: +*`rsa.misc.cs_yararesult`*:: + -- -Number of stations/clients - - -type: integer +type: keyword -- -*`fortinet.firewall.stage`*:: +*`rsa.misc.description`*:: + -- -IPSEC stage - - type: keyword -- -*`fortinet.firewall.stamac`*:: +*`rsa.misc.devvendor`*:: + -- -802.1x station mac - - type: keyword -- -*`fortinet.firewall.state`*:: +*`rsa.misc.distance`*:: + -- -Admin login state - - type: keyword -- -*`fortinet.firewall.status`*:: +*`rsa.misc.dstburb`*:: + -- -Status - - type: keyword -- -*`fortinet.firewall.stitch`*:: +*`rsa.misc.edomain`*:: + -- -Automation stitch triggered - - type: keyword -- -*`fortinet.firewall.subject`*:: +*`rsa.misc.edomaub`*:: + -- -Email subject - - type: keyword -- -*`fortinet.firewall.submodule`*:: +*`rsa.misc.euid`*:: + -- -Configuration Sub-Module Name - - type: keyword -- -*`fortinet.firewall.subservice`*:: +*`rsa.misc.facility`*:: + -- -AV subservice - - type: keyword -- -*`fortinet.firewall.subtype`*:: +*`rsa.misc.finterface`*:: + -- -Log subtype - - type: keyword -- -*`fortinet.firewall.suspicious`*:: +*`rsa.misc.flags`*:: + -- -Number of Suspicious MMSs - - -type: integer +type: keyword -- -*`fortinet.firewall.switchproto`*:: +*`rsa.misc.gaddr`*:: + -- -Protocol change information - - type: keyword -- -*`fortinet.firewall.sync_status`*:: +*`rsa.misc.id3`*:: + -- -The sync status with the master - - type: keyword -- -*`fortinet.firewall.sync_type`*:: +*`rsa.misc.im_buddyname`*:: + -- -The sync type with the master - - type: keyword -- -*`fortinet.firewall.sysuptime`*:: +*`rsa.misc.im_croomid`*:: + -- -System uptime - - type: keyword -- -*`fortinet.firewall.tamac`*:: +*`rsa.misc.im_croomtype`*:: + -- -the MAC address of Transmitter, if none, then Receiver - - type: keyword -- -*`fortinet.firewall.threattype`*:: +*`rsa.misc.im_members`*:: + -- -WIDS threat type - - type: keyword -- -*`fortinet.firewall.time`*:: +*`rsa.misc.im_username`*:: + -- -Time of the event - - type: keyword -- -*`fortinet.firewall.to`*:: +*`rsa.misc.ipkt`*:: + -- -Email to field - - type: keyword -- -*`fortinet.firewall.to_vcluster`*:: +*`rsa.misc.ipscat`*:: + -- -destination virtual cluster number - - -type: integer +type: keyword -- -*`fortinet.firewall.total`*:: +*`rsa.misc.ipspri`*:: + -- -Total memory - - -type: integer +type: keyword -- -*`fortinet.firewall.totalsession`*:: +*`rsa.misc.latitude`*:: + -- -Total Number of Sessions - - -type: integer +type: keyword -- -*`fortinet.firewall.trace_id`*:: +*`rsa.misc.linenum`*:: + -- -Session clash trace ID - - type: keyword -- -*`fortinet.firewall.trandisp`*:: +*`rsa.misc.list_name`*:: + -- -NAT translation type - - type: keyword -- -*`fortinet.firewall.transid`*:: +*`rsa.misc.load_data`*:: + -- -HTTP transaction ID - - -type: integer +type: keyword -- -*`fortinet.firewall.translationid`*:: +*`rsa.misc.location_floor`*:: + -- -DNS filter transaltion ID - - type: keyword -- -*`fortinet.firewall.trigger`*:: +*`rsa.misc.location_mark`*:: + -- -Automation stitch trigger - - type: keyword -- -*`fortinet.firewall.trueclntip`*:: +*`rsa.misc.log_id`*:: + -- -File filter true client IP - - -type: ip +type: keyword -- -*`fortinet.firewall.tunnelid`*:: +*`rsa.misc.log_type`*:: + -- -IPSEC tunnel ID - - -type: integer +type: keyword -- -*`fortinet.firewall.tunnelip`*:: +*`rsa.misc.logid`*:: + -- -IPSEC tunnel IP - - -type: ip +type: keyword -- -*`fortinet.firewall.tunneltype`*:: +*`rsa.misc.logip`*:: + -- -IPSEC tunnel type - - type: keyword -- -*`fortinet.firewall.type`*:: +*`rsa.misc.logname`*:: + -- -Module type +type: keyword +-- +*`rsa.misc.longitude`*:: ++ +-- type: keyword -- -*`fortinet.firewall.ui`*:: +*`rsa.misc.lport`*:: + -- -Admin authentication UI type +type: keyword +-- +*`rsa.misc.mbug_data`*:: ++ +-- type: keyword -- -*`fortinet.firewall.unauthusersource`*:: +*`rsa.misc.misc_name`*:: + -- -Unauthenticated user source +type: keyword +-- +*`rsa.misc.msg_type`*:: ++ +-- type: keyword -- -*`fortinet.firewall.unit`*:: +*`rsa.misc.msgid`*:: + -- -Power supply unit +type: keyword +-- -type: integer +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword -- -*`fortinet.firewall.urlfilteridx`*:: +*`rsa.misc.num`*:: + -- -URL filter ID +type: keyword +-- -type: integer +*`rsa.misc.number1`*:: ++ +-- +type: keyword -- -*`fortinet.firewall.urlfilterlist`*:: +*`rsa.misc.number2`*:: + -- -URL filter list +type: keyword +-- +*`rsa.misc.nwwn`*:: ++ +-- type: keyword -- -*`fortinet.firewall.urlsource`*:: +*`rsa.misc.object`*:: + -- -URL filter source +type: keyword +-- +*`rsa.misc.operation`*:: ++ +-- type: keyword -- -*`fortinet.firewall.urltype`*:: +*`rsa.misc.opkt`*:: + -- -URL filter type +type: keyword +-- +*`rsa.misc.orig_from`*:: ++ +-- type: keyword -- -*`fortinet.firewall.used`*:: +*`rsa.misc.owner_id`*:: + -- -Number of Used IPs +type: keyword +-- -type: integer +*`rsa.misc.p_action`*:: ++ +-- +type: keyword -- -*`fortinet.firewall.used_for_type`*:: +*`rsa.misc.p_filter`*:: + -- -Connection for the type +type: keyword +-- -type: integer +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword -- -*`fortinet.firewall.utmaction`*:: +*`rsa.misc.p_id`*:: + -- -Security action performed by UTM +type: keyword +-- +*`rsa.misc.p_msgid1`*:: ++ +-- type: keyword -- -*`fortinet.firewall.vap`*:: +*`rsa.misc.p_msgid2`*:: + -- -Virtual AP +type: keyword +-- +*`rsa.misc.p_result1`*:: ++ +-- type: keyword -- -*`fortinet.firewall.vapmode`*:: +*`rsa.misc.password_chg`*:: + -- -Virtual AP mode +type: keyword +-- +*`rsa.misc.password_expire`*:: ++ +-- type: keyword -- -*`fortinet.firewall.vcluster`*:: +*`rsa.misc.permgranted`*:: + -- -virtual cluster id +type: keyword +-- -type: integer +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword -- -*`fortinet.firewall.vcluster_member`*:: +*`rsa.misc.pgid`*:: + -- -Virtual cluster member +type: keyword +-- -type: integer +*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword -- -*`fortinet.firewall.vcluster_state`*:: +*`rsa.misc.prog_asp_num`*:: + -- -Virtual cluster state +type: keyword +-- +*`rsa.misc.program`*:: ++ +-- type: keyword -- -*`fortinet.firewall.vd`*:: +*`rsa.misc.real_data`*:: + -- -Virtual Domain Name +type: keyword +-- +*`rsa.misc.rec_asp_device`*:: ++ +-- type: keyword -- -*`fortinet.firewall.vdname`*:: +*`rsa.misc.rec_asp_num`*:: + -- -Virtual Domain Name +type: keyword +-- +*`rsa.misc.rec_library`*:: ++ +-- type: keyword -- -*`fortinet.firewall.vendorurl`*:: +*`rsa.misc.recordnum`*:: + -- -Vulnerability scan vendor name +type: keyword +-- +*`rsa.misc.ruid`*:: ++ +-- type: keyword -- -*`fortinet.firewall.version`*:: +*`rsa.misc.sburb`*:: + -- -Version +type: keyword +-- +*`rsa.misc.sdomain_fld`*:: ++ +-- type: keyword -- -*`fortinet.firewall.vip`*:: +*`rsa.misc.sec`*:: + -- -Virtual IP +type: keyword +-- +*`rsa.misc.sensorname`*:: ++ +-- type: keyword -- -*`fortinet.firewall.virus`*:: +*`rsa.misc.seqnum`*:: + -- -Virus name +type: keyword +-- +*`rsa.misc.session`*:: ++ +-- type: keyword -- -*`fortinet.firewall.virusid`*:: +*`rsa.misc.sessiontype`*:: + -- -Virus ID (unique virus identifier) +type: keyword +-- -type: integer +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword -- -*`fortinet.firewall.voip_proto`*:: +*`rsa.misc.spi`*:: + -- -VOIP protocol +type: keyword +-- +*`rsa.misc.srcburb`*:: ++ +-- type: keyword -- -*`fortinet.firewall.vpn`*:: +*`rsa.misc.srcdom`*:: + -- -VPN description +type: keyword +-- +*`rsa.misc.srcservice`*:: ++ +-- type: keyword -- -*`fortinet.firewall.vpntunnel`*:: +*`rsa.misc.state`*:: + -- -IPsec Vpn Tunnel Name +type: keyword +-- +*`rsa.misc.status1`*:: ++ +-- type: keyword -- -*`fortinet.firewall.vpntype`*:: +*`rsa.misc.svcno`*:: + -- -The type of the VPN tunnel +type: keyword +-- +*`rsa.misc.system`*:: ++ +-- type: keyword -- -*`fortinet.firewall.vrf`*:: +*`rsa.misc.tbdstr1`*:: + -- -VRF number +type: keyword +-- -type: integer +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword -- -*`fortinet.firewall.vulncat`*:: +*`rsa.misc.tgtdomain`*:: + -- -Vulnerability Category +type: keyword +-- +*`rsa.misc.threshold`*:: ++ +-- type: keyword -- -*`fortinet.firewall.vulnid`*:: +*`rsa.misc.type1`*:: + -- -Vulnerability ID +type: keyword +-- -type: integer +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword -- -*`fortinet.firewall.vulnname`*:: +*`rsa.misc.url_fld`*:: + -- -Vulnerability name +type: keyword +-- +*`rsa.misc.user_div`*:: ++ +-- type: keyword -- -*`fortinet.firewall.vwlid`*:: +*`rsa.misc.userid`*:: + -- -VWL ID +type: keyword +-- -type: integer +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword -- -*`fortinet.firewall.vwlquality`*:: +*`rsa.misc.utcstamp`*:: + -- -VWL quality +type: keyword +-- +*`rsa.misc.v_instafname`*:: ++ +-- type: keyword -- -*`fortinet.firewall.vwlservice`*:: +*`rsa.misc.virt_data`*:: + -- -VWL service +type: keyword +-- +*`rsa.misc.vpnid`*:: ++ +-- type: keyword -- -*`fortinet.firewall.vwpvlanid`*:: +*`rsa.misc.autorun_type`*:: + -- -VWP VLAN ID - +This is used to capture Auto Run type -type: integer +type: keyword -- -*`fortinet.firewall.wanin`*:: +*`rsa.misc.cc_number`*:: + -- -WAN incoming traffic in bytes - +Valid Credit Card Numbers only type: long -- -*`fortinet.firewall.wanoptapptype`*:: +*`rsa.misc.content`*:: + -- -WAN Optimization Application type - +This key captures the content type from protocol headers type: keyword -- -*`fortinet.firewall.wanout`*:: +*`rsa.misc.ein_number`*:: + -- -WAN outgoing traffic in bytes - +Employee Identification Numbers only type: long -- -*`fortinet.firewall.weakwepiv`*:: +*`rsa.misc.found`*:: + -- -Weak Wep Initiation Vector - +This is used to capture the results of regex match type: keyword -- -*`fortinet.firewall.xauthgroup`*:: +*`rsa.misc.language`*:: + -- -XAuth Group Name - +This is used to capture list of languages the client support and what it prefers type: keyword -- -*`fortinet.firewall.xauthuser`*:: +*`rsa.misc.lifetime`*:: + -- -XAuth User Name - +This key is used to capture the session lifetime in seconds. -type: keyword +type: long -- -*`fortinet.firewall.xid`*:: +*`rsa.misc.link`*:: + -- -Wireless X ID - +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: integer +type: keyword -- -[[exported-fields-googlecloud]] -== Google Cloud fields - -Module for handling logs from Google Cloud. - - +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini -[float] -=== googlecloud +type: keyword -Fields from Google Cloud logs. +-- +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file +type: keyword -[float] -=== destination.instance +-- -If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter +type: keyword +-- -*`googlecloud.destination.instance.project_id`*:: +*`rsa.misc.search_text`*:: + -- -ID of the project containing the VM. - +This key captures the Search Text used type: keyword -- -*`googlecloud.destination.instance.region`*:: +*`rsa.misc.sig_name`*:: + -- -Region of the VM. - +This key is used to capture the Signature Name only. type: keyword -- -*`googlecloud.destination.instance.zone`*:: +*`rsa.misc.snmp_value`*:: + -- -Zone of the VM. - +SNMP set request value type: keyword -- -[float] -=== destination.vpc +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session -If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. +type: long +-- -*`googlecloud.destination.vpc.project_id`*:: +*`rsa.db.index`*:: + -- -ID of the project containing the VM. - +This key captures IndexID of the index. type: keyword -- -*`googlecloud.destination.vpc.vpc_name`*:: +*`rsa.db.instance`*:: + -- -VPC on which the VM is operating. - +This key is used to capture the database server instance name type: keyword -- -*`googlecloud.destination.vpc.subnetwork_name`*:: +*`rsa.db.database`*:: + -- -Subnetwork on which the VM is operating. - +This key is used to capture the name of a database or an instance as seen in a session type: keyword -- -[float] -=== source.instance - -If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session +type: keyword +-- -*`googlecloud.source.instance.project_id`*:: +*`rsa.db.permissions`*:: + -- -ID of the project containing the VM. - +This key captures permission or privilege level assigned to a resource. type: keyword -- -*`googlecloud.source.instance.region`*:: +*`rsa.db.table_name`*:: + -- -Region of the VM. - +This key is used to capture the table name type: keyword -- -*`googlecloud.source.instance.zone`*:: +*`rsa.db.db_id`*:: + -- -Zone of the VM. - +This key is used to capture the unique identifier for a database type: keyword -- -[float] -=== source.vpc - -If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. - - - -*`googlecloud.source.vpc.project_id`*:: +*`rsa.db.db_pid`*:: + -- -ID of the project containing the VM. - +This key captures the process id of a connection with database server -type: keyword +type: long -- -*`googlecloud.source.vpc.vpc_name`*:: +*`rsa.db.lread`*:: + -- -VPC on which the VM is operating. - +This key is used for the number of logical reads -type: keyword +type: long -- -*`googlecloud.source.vpc.subnetwork_name`*:: +*`rsa.db.lwrite`*:: + -- -Subnetwork on which the VM is operating. - +This key is used for the number of logical writes -type: keyword +type: long -- -[float] -=== audit +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes -Fields for Google Cloud audit logs. +type: long +-- -*`googlecloud.audit.type`*:: +*`rsa.network.alias_host`*:: + -- -Type property. - +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. type: keyword -- -[float] -=== authentication_info - -Authentication information. - - - -*`googlecloud.audit.authentication_info.principal_email`*:: +*`rsa.network.domain`*:: + -- -The email address of the authenticated user making the request. - - type: keyword -- -*`googlecloud.audit.authentication_info.authority_selector`*:: +*`rsa.network.host_dst`*:: + -- -The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. - +This key should only be used when it’s a Destination Hostname type: keyword -- -*`googlecloud.audit.authorization_info`*:: +*`rsa.network.network_service`*:: + -- -Authorization information for the operation. - +This is used to capture layer 7 protocols/service names -type: array +type: keyword -- -*`googlecloud.audit.method_name`*:: +*`rsa.network.interface`*:: + -- -The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. - +This key should be used when the source or destination context of an interface is not clear type: keyword -- -*`googlecloud.audit.num_response_items`*:: +*`rsa.network.network_port`*:: + -- -The number of items returned from a List or Query API method, if applicable. - +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) type: long -- -[float] -=== request - -The operation request. - - - -*`googlecloud.audit.request.proto_name`*:: +*`rsa.network.eth_host`*:: + -- -Type property of the request. - +Deprecated, use alias.mac type: keyword -- -*`googlecloud.audit.request.filter`*:: +*`rsa.network.sinterface`*:: + -- -Filter of the request. - +This key should only be used when it’s a Source Interface type: keyword -- -*`googlecloud.audit.request.name`*:: +*`rsa.network.dinterface`*:: + -- -Name of the request. - +This key should only be used when it’s a Destination Interface type: keyword -- -*`googlecloud.audit.request.resource_name`*:: +*`rsa.network.vlan`*:: + -- -Name of the request resource. - +This key should only be used to capture the ID of the Virtual LAN -type: keyword +type: long -- -[float] -=== request_metadata - -Metadata about the request. - - - -*`googlecloud.audit.request_metadata.caller_ip`*:: +*`rsa.network.zone_src`*:: + -- -The IP address of the caller. - +This key should only be used when it’s a Source Zone. -type: ip +type: keyword -- -*`googlecloud.audit.request_metadata.caller_supplied_user_agent`*:: +*`rsa.network.zone`*:: + -- -The user agent of the caller. This information is not authenticated and should be treated accordingly. - +This key should be used when the source or destination context of a Zone is not clear type: keyword -- -[float] -=== response - -The operation response. - - - -*`googlecloud.audit.response.proto_name`*:: +*`rsa.network.zone_dst`*:: + -- -Type property of the response. - +This key should only be used when it’s a Destination Zone. type: keyword -- -[float] -=== details - -The details of the response. - - - -*`googlecloud.audit.response.details.group`*:: +*`rsa.network.gateway`*:: + -- -The name of the group. - +This key is used to capture the IP Address of the gateway type: keyword -- -*`googlecloud.audit.response.details.kind`*:: +*`rsa.network.icmp_type`*:: + -- -The kind of the response details. - +This key is used to capture the ICMP type only -type: keyword +type: long -- -*`googlecloud.audit.response.details.name`*:: +*`rsa.network.mask`*:: + -- -The name of the response details. - +This key is used to capture the device network IPmask. type: keyword -- -*`googlecloud.audit.response.details.uid`*:: +*`rsa.network.icmp_code`*:: + -- -The uid of the response details. - +This key is used to capture the ICMP code only -type: keyword +type: long -- -*`googlecloud.audit.response.status`*:: +*`rsa.network.protocol_detail`*:: + -- -Status of the response. - +This key should be used to capture additional protocol information type: keyword -- -*`googlecloud.audit.resource_name`*:: +*`rsa.network.dmask`*:: + -- -The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. - +This key is used for Destionation Device network mask type: keyword -- -[float] -=== resource_location - -The location of the resource. +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear +type: long +-- -*`googlecloud.audit.resource_location.current_locations`*:: +*`rsa.network.smask`*:: + -- -Current locations of the resource. - +This key is used for capturing source Network Mask type: keyword -- -*`googlecloud.audit.service_name`*:: +*`rsa.network.netname`*:: + -- -The name of the API service performing the operation. For example, datastore.googleapis.com. - +This key is used to capture the network name associated with an IP range. This is configured by the end user. type: keyword -- -[float] -=== status - -The status of the overall operation. - - - -*`googlecloud.audit.status.code`*:: +*`rsa.network.paddr`*:: + -- -The status code, which should be an enum value of google.rpc.Code. - +Deprecated -type: integer +type: ip -- -*`googlecloud.audit.status.message`*:: +*`rsa.network.faddr`*:: + -- -A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. - - type: keyword -- -[float] -=== firewall - -Fields for Google Cloud Firewall logs. - - - -[float] -=== rule_details - -Description of the firewall rule that matched this connection. - - - -*`googlecloud.firewall.rule_details.priority`*:: +*`rsa.network.lhost`*:: + -- -The priority for the firewall rule. - -type: long +type: keyword -- -*`googlecloud.firewall.rule_details.action`*:: +*`rsa.network.origin`*:: + -- -Action that the rule performs on match. - type: keyword -- -*`googlecloud.firewall.rule_details.direction`*:: +*`rsa.network.remote_domain_id`*:: + -- -Direction of traffic that matches this rule. - type: keyword -- -*`googlecloud.firewall.rule_details.reference`*:: +*`rsa.network.addr`*:: + -- -Reference to the firewall rule. - type: keyword -- -*`googlecloud.firewall.rule_details.source_range`*:: +*`rsa.network.dns_a_record`*:: + -- -List of source ranges that the firewall rule applies to. - type: keyword -- -*`googlecloud.firewall.rule_details.destination_range`*:: +*`rsa.network.dns_ptr_record`*:: + -- -List of destination ranges that the firewall applies to. - type: keyword -- -*`googlecloud.firewall.rule_details.source_tag`*:: +*`rsa.network.fhost`*:: + -- -List of all the source tags that the firewall rule applies to. - - type: keyword -- -*`googlecloud.firewall.rule_details.target_tag`*:: +*`rsa.network.fport`*:: + -- -List of all the target tags that the firewall rule applies to. - - type: keyword -- -*`googlecloud.firewall.rule_details.ip_port_info`*:: +*`rsa.network.laddr`*:: + -- -List of ip protocols and applicable port ranges for rules. - - -type: array +type: keyword -- -*`googlecloud.firewall.rule_details.source_service_account`*:: +*`rsa.network.linterface`*:: + -- -List of all the source service accounts that the firewall rule applies to. - - type: keyword -- -*`googlecloud.firewall.rule_details.target_service_account`*:: +*`rsa.network.phost`*:: + -- -List of all the target service accounts that the firewall rule applies to. - - type: keyword -- -[float] -=== vpcflow - -Fields for Google Cloud VPC flow logs. - - - -*`googlecloud.vpcflow.reporter`*:: +*`rsa.network.ad_computer_dst`*:: + -- -The side which reported the flow. Can be either 'SRC' or 'DEST'. - +Deprecated, use host.dst type: keyword -- -*`googlecloud.vpcflow.rtt.ms`*:: +*`rsa.network.eth_type`*:: + -- -Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. - +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only type: long -- -[[exported-fields-gsuite]] -== gsuite fields - -gsuite Module - - - -[float] -=== gsuite - -Gsuite specific fields. -More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +type: long +-- -*`gsuite.actor.type`*:: +*`rsa.network.dns_cname_record`*:: + -- -The type of actor. -Values can be: - *USER*: Another user in the same domain. - *EXTERNAL_USER*: A user outside the domain. - *KEY*: A non-human actor. - - type: keyword -- -*`gsuite.actor.key`*:: +*`rsa.network.dns_id`*:: + -- -Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. - - type: keyword -- -*`gsuite.event.type`*:: +*`rsa.network.dns_opcode`*:: + -- -The type of GSuite event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - type: keyword -example: audit#activity - -- -*`gsuite.kind`*:: +*`rsa.network.dns_resp`*:: + -- -The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list - - type: keyword -example: audit#activity - -- -*`gsuite.organization.domain`*:: +*`rsa.network.dns_type`*:: + -- -The domain that is affected by the report's event. - - type: keyword -- - -*`gsuite.saml.application_name`*:: +*`rsa.network.domain1`*:: + -- -Saml SP application name. - - type: keyword -- -*`gsuite.saml.failure_type`*:: +*`rsa.network.host_type`*:: + -- -Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. - - type: keyword -- -*`gsuite.saml.initiated_by`*:: +*`rsa.network.packet_length`*:: + -- -Requester of SAML authentication. - - type: keyword -- -*`gsuite.saml.orgunit_path`*:: +*`rsa.network.host_orig`*:: + -- -User orgunit. - +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -- -*`gsuite.saml.status_code`*:: +*`rsa.network.rpayload`*:: + -- -SAML status code. - +This key is used to capture the total number of payload bytes seen in the retransmitted packets. -type: long +type: keyword -- -*`gsuite.saml.second_level_status_code`*:: +*`rsa.network.vlan_name`*:: + -- -SAML second level status code. - +This key should only be used to capture the name of the Virtual LAN -type: long +type: keyword -- -[[exported-fields-haproxy]] -== HAProxy fields - -haproxy Module - - - -[float] -=== haproxy - - - -*`haproxy.frontend_name`*:: +*`rsa.investigations.ec_activity`*:: + -- -Name of the frontend (or listener) which received and processed the connection. +This key captures the particular event activity(Ex:Logoff) + +type: keyword -- -*`haproxy.backend_name`*:: +*`rsa.investigations.ec_theme`*:: + -- -Name of the backend (or listener) which was selected to manage the connection to the server. +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword -- -*`haproxy.server_name`*:: +*`rsa.investigations.ec_subject`*:: + -- -Name of the last server to which the connection was sent. +This key captures the Subject of a particular Event(Ex:User) + +type: keyword -- -*`haproxy.total_waiting_time_ms`*:: +*`rsa.investigations.ec_outcome`*:: + -- -Total time in milliseconds spent waiting in the various queues +This key captures the outcome of a particular Event(Ex:Success) -type: long +type: keyword -- -*`haproxy.connection_wait_time_ms`*:: +*`rsa.investigations.event_cat`*:: + -- -Total time in milliseconds spent waiting for the connection to establish to the final server +This key captures the Event category number type: long -- -*`haproxy.bytes_read`*:: +*`rsa.investigations.event_cat_name`*:: + -- -Total number of bytes transmitted to the client when the log is emitted. +This key captures the event category name corresponding to the event cat code -type: long +type: keyword -- -*`haproxy.time_queue`*:: +*`rsa.investigations.event_vcat`*:: + -- -Total time in milliseconds spent waiting in the various queues. +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. -type: long +type: keyword -- -*`haproxy.time_backend_connect`*:: +*`rsa.investigations.analysis_file`*:: + -- -Total time in milliseconds spent waiting for the connection to establish to the final server, including retries. +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file -type: long +type: keyword -- -*`haproxy.server_queue`*:: +*`rsa.investigations.analysis_service`*:: + -- -Total number of requests which were processed before this one in the server queue. +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service -type: long +type: keyword -- -*`haproxy.backend_queue`*:: +*`rsa.investigations.analysis_session`*:: + -- -Total number of requests which were processed before this one in the backend's global queue. +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session -type: long +type: keyword -- -*`haproxy.bind_name`*:: +*`rsa.investigations.boc`*:: + -- -Name of the listening address which received the connection. +This is used to capture behaviour of compromise + +type: keyword -- -*`haproxy.error_message`*:: +*`rsa.investigations.eoc`*:: + -- -Error message logged by HAProxy in case of error. +This is used to capture Enablers of Compromise -type: text +type: keyword -- -*`haproxy.source`*:: +*`rsa.investigations.inv_category`*:: + -- -The HAProxy source of the log +This used to capture investigation category type: keyword -- -*`haproxy.termination_state`*:: +*`rsa.investigations.inv_context`*:: + -- -Condition the session was in when the session ended. +This used to capture investigation context + +type: keyword -- -*`haproxy.mode`*:: +*`rsa.investigations.ioc`*:: + -- -mode that the frontend is operating (TCP or HTTP) +This is key capture indicator of compromise type: keyword -- -[float] -=== connections - -Contains various counts of connections active in the process. - -*`haproxy.connections.active`*:: +*`rsa.counters.dclass_c1`*:: + -- -Total number of concurrent connections on the process when the session was logged. +This is a generic counter key that should be used with the label dclass.c1.str only type: long -- -*`haproxy.connections.frontend`*:: +*`rsa.counters.dclass_c2`*:: + -- -Total number of concurrent connections on the frontend when the session was logged. +This is a generic counter key that should be used with the label dclass.c2.str only type: long -- -*`haproxy.connections.backend`*:: +*`rsa.counters.event_counter`*:: + -- -Total number of concurrent connections handled by the backend when the session was logged. +This is used to capture the number of times an event repeated type: long -- -*`haproxy.connections.server`*:: +*`rsa.counters.dclass_r1`*:: + -- -Total number of concurrent connections still active on the server when the session was logged. +This is a generic ratio key that should be used with the label dclass.r1.str only -type: long +type: keyword -- -*`haproxy.connections.retries`*:: +*`rsa.counters.dclass_c3`*:: + -- -Number of connection retries experienced by this session when trying to connect to the server. +This is a generic counter key that should be used with the label dclass.c3.str only type: long -- -[float] -=== client - -Information about the client doing the request - - -*`haproxy.client.ip`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -type: alias +This is a generic counter string key that should be used with the label dclass.c1 only -alias to: source.address +type: keyword -- -*`haproxy.client.port`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -type: alias +This is a generic counter string key that should be used with the label dclass.c2 only -alias to: source.port +type: keyword -- -*`haproxy.process_name`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -type: alias +This is a generic ratio string key that should be used with the label dclass.r1 only -alias to: process.name +type: keyword -- -*`haproxy.pid`*:: +*`rsa.counters.dclass_r2`*:: + -- -type: alias +This is a generic ratio key that should be used with the label dclass.r2.str only -alias to: process.pid +type: keyword -- -[float] -=== destination +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only -Destination information +type: keyword +-- -*`haproxy.destination.port`*:: +*`rsa.counters.dclass_r3`*:: + -- -type: alias +This is a generic ratio key that should be used with the label dclass.r3.str only -alias to: destination.port +type: keyword -- -*`haproxy.destination.ip`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -type: alias +This is a generic ratio string key that should be used with the label dclass.r2 only -alias to: destination.ip +type: keyword -- -[float] -=== geoip +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only -Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used. +type: keyword +-- -*`haproxy.geoip.continent_name`*:: +*`rsa.identity.auth_method`*:: + -- -type: alias +This key is used to capture authentication methods used only -alias to: source.geo.continent_name +type: keyword -- -*`haproxy.geoip.country_iso_code`*:: +*`rsa.identity.user_role`*:: + -- -type: alias +This key is used to capture the Role of a user only -alias to: source.geo.country_iso_code +type: keyword -- -*`haproxy.geoip.location`*:: +*`rsa.identity.dn`*:: + -- -type: alias +X.500 (LDAP) Distinguished Name -alias to: source.geo.location +type: keyword -- -*`haproxy.geoip.region_name`*:: +*`rsa.identity.logon_type`*:: + -- -type: alias +This key is used to capture the type of logon method used. -alias to: source.geo.region_name +type: keyword -- -*`haproxy.geoip.city_name`*:: +*`rsa.identity.profile`*:: + -- -type: alias +This key is used to capture the user profile -alias to: source.geo.city_name +type: keyword -- -*`haproxy.geoip.region_iso_code`*:: +*`rsa.identity.accesses`*:: + -- -type: alias +This key is used to capture actual privileges used in accessing an object -alias to: source.geo.region_iso_code +type: keyword -- -[float] -=== http - -Please add description - - -[float] -=== response - -Fields related to the HTTP response - - -*`haproxy.http.response.captured_cookie`*:: +*`rsa.identity.realm`*:: + -- -Optional "name=value" entry indicating that the client had this cookie in the response. +Radius realm or similar grouping of accounts +type: keyword -- -*`haproxy.http.response.captured_headers`*:: +*`rsa.identity.user_sid_dst`*:: + -- -List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. - +This key captures Destination User Session ID type: keyword -- -*`haproxy.http.response.status_code`*:: +*`rsa.identity.dn_src`*:: + -- -type: alias +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn -alias to: http.response.status_code +type: keyword -- -[float] -=== request - -Fields related to the HTTP request - - -*`haproxy.http.request.captured_cookie`*:: +*`rsa.identity.org`*:: + -- -Optional "name=value" entry indicating that the server has returned a cookie with its request. +This key captures the User organization +type: keyword -- -*`haproxy.http.request.captured_headers`*:: +*`rsa.identity.dn_dst`*:: + -- -List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. - +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn type: keyword -- -*`haproxy.http.request.raw_request_line`*:: +*`rsa.identity.firstname`*:: + -- -Complete HTTP request line, including the method, request and HTTP version string. +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`haproxy.http.request.time_wait_without_data_ms`*:: +*`rsa.identity.lastname`*:: + -- -Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information -type: long +type: keyword -- -*`haproxy.http.request.time_wait_ms`*:: +*`rsa.identity.user_dept`*:: + -- -Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. +User's Department Names only -type: long +type: keyword -- -[float] -=== tcp - -TCP log format - - -*`haproxy.tcp.connection_waiting_time_ms`*:: +*`rsa.identity.user_sid_src`*:: + -- -Total time in milliseconds elapsed between the accept and the last close +This key captures Source User Session ID -type: long +type: keyword -- -[[exported-fields-host-processor]] -== Host fields - -Info collected for the host machine. - - - - -*`host.containerized`*:: +*`rsa.identity.federated_sp`*:: + -- -If the host is a container. - +This key is the Federated Service Provider. This is the application requesting authentication. -type: boolean +type: keyword -- -*`host.os.build`*:: +*`rsa.identity.federated_idp`*:: + -- -OS build information. - +This key is the federated Identity Provider. This is the server providing the authentication. type: keyword -example: 18D109 - -- -*`host.os.codename`*:: +*`rsa.identity.logon_type_desc`*:: + -- -OS codename, if any. - +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. type: keyword -example: stretch - -- -[[exported-fields-ibmmq]] -== ibmmq fields - -ibmmq Module - +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +type: keyword -[float] -=== ibmmq +-- +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted +type: keyword +-- -[float] -=== errorlog +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine -IBM MQ error logs +type: keyword +-- -*`ibmmq.errorlog.installation`*:: +*`rsa.identity.ldap`*:: + -- -This is the installation name which can be given at installation time. -Each installation of IBM MQ on UNIX, Linux, and Windows, has a unique identifier known as an installation name. The installation name is used to associate things such as queue managers and configuration files with an installation. - +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context type: keyword -- -*`ibmmq.errorlog.qmgr`*:: +*`rsa.identity.ldap_query`*:: + -- -Name of the queue manager. Queue managers provide queuing services to applications, and manages the queues that belong to them. - +This key is the Search criteria from an LDAP search type: keyword -- -*`ibmmq.errorlog.arithinsert`*:: +*`rsa.identity.ldap_response`*:: + -- -Changing content based on error.id +This key is to capture Results from an LDAP search type: keyword -- -*`ibmmq.errorlog.commentinsert`*:: +*`rsa.identity.owner`*:: + -- -Changing content based on error.id +This is used to capture username the process or service is running as, the author of the task type: keyword -- -*`ibmmq.errorlog.errordescription`*:: +*`rsa.identity.service_account`*:: + -- -Please add description - -type: text +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage -example: Please add example +type: keyword -- -*`ibmmq.errorlog.explanation`*:: + +*`rsa.email.email_dst`*:: + -- -Explaines the error in more detail +This key is used to capture the Destination email address only, when the destination context is not clear use email type: keyword -- -*`ibmmq.errorlog.action`*:: +*`rsa.email.email_src`*:: + -- -Defines what to do when the error occurs +This key is used to capture the source email address only, when the source context is not clear use email type: keyword -- -*`ibmmq.errorlog.code`*:: +*`rsa.email.subject`*:: + -- -Error code. +This key is used to capture the subject string from an Email only. type: keyword -- -[[exported-fields-icinga]] -== Icinga fields - -Icinga Module - +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear +type: keyword -[float] -=== icinga +-- +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. +type: keyword +-- -[float] -=== debug +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. -Contains fields for the Icinga debug logs. +type: keyword +-- -*`icinga.debug.facility`*:: +*`rsa.file.privilege`*:: + -- -Specifies what component of Icinga logged the message. - +Deprecated, use permissions type: keyword -- -*`icinga.debug.severity`*:: +*`rsa.file.attachment`*:: + -- -type: alias +This key captures the attachment file name -alias to: log.level +type: keyword -- -*`icinga.debug.message`*:: +*`rsa.file.filesystem`*:: + -- -type: alias - -alias to: message +type: keyword -- -[float] -=== main - -Contains fields for the Icinga main logs. +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. +type: keyword +-- -*`icinga.main.facility`*:: +*`rsa.file.filename_dst`*:: + -- -Specifies what component of Icinga logged the message. - +This is used to capture name of the file targeted by the action type: keyword -- -*`icinga.main.severity`*:: +*`rsa.file.filename_src`*:: + -- -type: alias +This is used to capture name of the parent filename, the file which performed the action -alias to: log.level +type: keyword -- -*`icinga.main.message`*:: +*`rsa.file.filename_tmp`*:: + -- -type: alias - -alias to: message +type: keyword -- -[float] -=== startup - -Contains fields for the Icinga startup logs. +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file +type: keyword +-- -*`icinga.startup.facility`*:: +*`rsa.file.directory_src`*:: + -- -Specifies what component of Icinga logged the message. - +This key is used to capture the directory of the source process or file type: keyword -- -*`icinga.startup.severity`*:: +*`rsa.file.file_entropy`*:: + -- -type: alias +This is used to capture entropy vale of a file -alias to: log.level +type: double -- -*`icinga.startup.message`*:: +*`rsa.file.file_vendor`*:: + -- -type: alias +This is used to capture Company name of file located in version_info -alias to: message +type: keyword -- -[[exported-fields-iis]] -== IIS fields - -Module for parsing IIS log files. - +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task +type: keyword -[float] -=== iis +-- -Fields from IIS log files. +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names +type: keyword -[float] -=== access +-- -Contains fields for IIS access logs. +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. +type: keyword +-- -*`iis.access.sub_status`*:: +*`rsa.web.alias_host`*:: + -- -The HTTP substatus code. - - -type: long +type: keyword -- -*`iis.access.win32_status`*:: +*`rsa.web.reputation_num`*:: + -- -The Windows status code. - +Reputation Number of an entity. Typically used for Web Domains -type: long +type: double -- -*`iis.access.site_name`*:: +*`rsa.web.web_ref_domain`*:: + -- -The site name and instance number. - +Web referer's domain type: keyword -- -*`iis.access.server_name`*:: +*`rsa.web.web_ref_query`*:: + -- -The name of the server on which the log file entry was generated. - +This key captures Web referer's query portion of the URL type: keyword -- -*`iis.access.cookie`*:: +*`rsa.web.remote_domain`*:: + -- -The content of the cookie sent or received, if any. - - type: keyword -- -*`iis.access.body_received.bytes`*:: +*`rsa.web.web_ref_page`*:: + -- -type: alias +This key captures Web referer's page information -alias to: http.request.body.bytes +type: keyword -- -*`iis.access.body_sent.bytes`*:: +*`rsa.web.web_ref_root`*:: + -- -type: alias +Web referer's root URL path -alias to: http.response.body.bytes +type: keyword -- -*`iis.access.server_ip`*:: +*`rsa.web.cn_asn_dst`*:: + -- -type: alias - -alias to: destination.address +type: keyword -- -*`iis.access.method`*:: +*`rsa.web.cn_rpackets`*:: + -- -type: alias - -alias to: http.request.method +type: keyword -- -*`iis.access.url`*:: +*`rsa.web.urlpage`*:: + -- -type: alias - -alias to: url.path +type: keyword -- -*`iis.access.query_string`*:: +*`rsa.web.urlroot`*:: + -- -type: alias - -alias to: url.query +type: keyword -- -*`iis.access.port`*:: +*`rsa.web.p_url`*:: + -- -type: alias - -alias to: destination.port +type: keyword -- -*`iis.access.user_name`*:: +*`rsa.web.p_user_agent`*:: + -- -type: alias - -alias to: user.name +type: keyword -- -*`iis.access.remote_ip`*:: +*`rsa.web.p_web_cookie`*:: + -- -type: alias - -alias to: source.address +type: keyword -- -*`iis.access.referrer`*:: +*`rsa.web.p_web_method`*:: + -- -type: alias - -alias to: http.request.referrer +type: keyword -- -*`iis.access.response_code`*:: +*`rsa.web.p_web_referer`*:: + -- -type: alias - -alias to: http.response.status_code +type: keyword -- -*`iis.access.http_version`*:: +*`rsa.web.web_extension_tmp`*:: + -- -type: alias - -alias to: http.version +type: keyword -- -*`iis.access.hostname`*:: +*`rsa.web.web_page`*:: + -- -type: alias - -alias to: host.hostname +type: keyword -- -*`iis.access.user_agent.device`*:: +*`rsa.threat.threat_category`*:: + -- -type: alias +This key captures Threat Name/Threat Category/Categorization of alert -alias to: user_agent.device.name +type: keyword -- -*`iis.access.user_agent.name`*:: +*`rsa.threat.threat_desc`*:: + -- -type: alias +This key is used to capture the threat description from the session directly or inferred -alias to: user_agent.name +type: keyword -- -*`iis.access.user_agent.os`*:: +*`rsa.threat.alert`*:: + -- -type: alias +This key is used to capture name of the alert -alias to: user_agent.os.full_name +type: keyword -- -*`iis.access.user_agent.os_name`*:: +*`rsa.threat.threat_source`*:: + -- -type: alias +This key is used to capture source of the threat -alias to: user_agent.os.name +type: keyword -- -*`iis.access.user_agent.original`*:: + +*`rsa.crypto.crypto`*:: + -- -type: alias +This key is used to capture the Encryption Type or Encryption Key only -alias to: user_agent.original +type: keyword -- - -*`iis.access.geoip.continent_name`*:: +*`rsa.crypto.cipher_src`*:: + -- -type: alias +This key is for Source (Client) Cipher -alias to: source.geo.continent_name +type: keyword -- -*`iis.access.geoip.country_iso_code`*:: +*`rsa.crypto.cert_subject`*:: + -- -type: alias +This key is used to capture the Certificate organization only -alias to: source.geo.country_iso_code +type: keyword -- -*`iis.access.geoip.location`*:: +*`rsa.crypto.peer`*:: + -- -type: alias +This key is for Encryption peer's IP Address -alias to: source.geo.location +type: keyword -- -*`iis.access.geoip.region_name`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -type: alias +This key captures Source (Client) Cipher Size -alias to: source.geo.region_name +type: long -- -*`iis.access.geoip.city_name`*:: +*`rsa.crypto.ike`*:: + -- -type: alias +IKE negotiation phase. -alias to: source.geo.city_name +type: keyword -- -*`iis.access.geoip.region_iso_code`*:: +*`rsa.crypto.scheme`*:: + -- -type: alias +This key captures the Encryption scheme used -alias to: source.geo.region_iso_code +type: keyword -- -[float] -=== error - -Contains fields for IIS error logs. - - - -*`iis.error.reason_phrase`*:: +*`rsa.crypto.peer_id`*:: + -- -The HTTP reason phrase. - +This key is for Encryption peer’s identity type: keyword -- -*`iis.error.queue_name`*:: +*`rsa.crypto.sig_type`*:: + -- -The IIS application pool name. - +This key captures the Signature Type type: keyword -- -*`iis.error.remote_ip`*:: +*`rsa.crypto.cert_issuer`*:: + -- -type: alias - -alias to: source.address +type: keyword -- -*`iis.error.remote_port`*:: +*`rsa.crypto.cert_host_name`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: source.port +type: keyword -- -*`iis.error.server_ip`*:: +*`rsa.crypto.cert_error`*:: + -- -type: alias +This key captures the Certificate Error String -alias to: destination.address +type: keyword -- -*`iis.error.server_port`*:: +*`rsa.crypto.cipher_dst`*:: + -- -type: alias +This key is for Destination (Server) Cipher -alias to: destination.port +type: keyword -- -*`iis.error.http_version`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -type: alias +This key captures Destination (Server) Cipher Size -alias to: http.version +type: long -- -*`iis.error.method`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -type: alias +Deprecated, use version -alias to: http.request.method +type: keyword -- -*`iis.error.url`*:: +*`rsa.crypto.d_certauth`*:: + -- -type: alias - -alias to: url.original +type: keyword -- -*`iis.error.response_code`*:: +*`rsa.crypto.s_certauth`*:: + -- -type: alias - -alias to: http.response.status_code +type: keyword -- - -*`iis.error.geoip.continent_name`*:: +*`rsa.crypto.ike_cookie1`*:: + -- -type: alias +ID of the negotiation — sent for ISAKMP Phase One -alias to: source.geo.continent_name +type: keyword -- -*`iis.error.geoip.country_iso_code`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -type: alias +ID of the negotiation — sent for ISAKMP Phase Two -alias to: source.geo.country_iso_code +type: keyword -- -*`iis.error.geoip.location`*:: +*`rsa.crypto.cert_checksum`*:: + -- -type: alias - -alias to: source.geo.location +type: keyword -- -*`iis.error.geoip.region_name`*:: +*`rsa.crypto.cert_host_cat`*:: + -- -type: alias +This key is used for the hostname category value of a certificate -alias to: source.geo.region_name +type: keyword -- -*`iis.error.geoip.city_name`*:: +*`rsa.crypto.cert_serial`*:: + -- -type: alias +This key is used to capture the Certificate serial number only -alias to: source.geo.city_name +type: keyword -- -*`iis.error.geoip.region_iso_code`*:: +*`rsa.crypto.cert_status`*:: + -- -type: alias +This key captures Certificate validation status -alias to: source.geo.region_iso_code +type: keyword -- -[[exported-fields-imperva]] -== Imperva SecureSphere fields - -imperva fields. - - - -*`network.interface.name`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -Name of the network interface where the traffic has been observed. - +Deprecated, use version type: keyword -- +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword +-- -*`rsa.internal.msg`*:: +*`rsa.crypto.cert_username`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder - type: keyword -- -*`rsa.internal.messageid`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`rsa.internal.event_desc`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`rsa.internal.message`*:: +*`rsa.crypto.cert_ca`*:: + -- -This key captures the contents of instant messages +This key is used to capture the Certificate signing authority only type: keyword -- -*`rsa.internal.time`*:: +*`rsa.crypto.cert_common`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. +This key is used to capture the Certificate common name only -type: date +type: keyword -- -*`rsa.internal.level`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the ssid of a Wireless Session -type: long +type: keyword -- -*`rsa.internal.msg_id`*:: +*`rsa.wireless.access_point`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture the access point name. type: keyword -- -*`rsa.internal.msg_vid`*:: +*`rsa.wireless.wlan_channel`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is used to capture the channel names -type: keyword +type: long -- -*`rsa.internal.data`*:: +*`rsa.wireless.wlan_name`*:: + -- -Deprecated key defined only in table map. +This key captures either WLAN number/name type: keyword -- -*`rsa.internal.obj_server`*:: + +*`rsa.storage.disk_volume`*:: + -- -Deprecated key defined only in table map. +A unique name assigned to logical units (volumes) within a physical disk type: keyword -- -*`rsa.internal.obj_val`*:: +*`rsa.storage.lun`*:: + -- -Deprecated key defined only in table map. +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -- -*`rsa.internal.resource`*:: +*`rsa.storage.pwwn`*:: + -- -Deprecated key defined only in table map. +This uniquely identifies a port on a HBA. type: keyword -- -*`rsa.internal.obj_id`*:: + +*`rsa.physical.org_dst`*:: + -- -Deprecated key defined only in table map. +This is used to capture the destination organization based on the GEOPIP Maxmind database. type: keyword -- -*`rsa.internal.statement`*:: +*`rsa.physical.org_src`*:: + -- -Deprecated key defined only in table map. +This is used to capture the source organization based on the GEOPIP Maxmind database. type: keyword -- -*`rsa.internal.audit_class`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -Deprecated key defined only in table map. +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.internal.entry`*:: +*`rsa.healthcare.patient_id`*:: + -- -Deprecated key defined only in table map. +This key captures the unique ID for a patient type: keyword -- -*`rsa.internal.hcode`*:: +*`rsa.healthcare.patient_lname`*:: + -- -Deprecated key defined only in table map. +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.internal.inode`*:: +*`rsa.healthcare.patient_mname`*:: + -- -Deprecated key defined only in table map. +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information -type: long +type: keyword -- -*`rsa.internal.resource_class`*:: + +*`rsa.endpoint.host_state`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`rsa.internal.dead`*:: +*`rsa.endpoint.registry_key`*:: + -- -Deprecated key defined only in table map. +This key captures the path to the registry key -type: long +type: keyword -- -*`rsa.internal.feed_desc`*:: +*`rsa.endpoint.registry_value`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures values or decorators used within a registry entry type: keyword -- -*`rsa.internal.feed_name`*:: +[float] +=== fortinet + +Fields from fortinet FortiOS + + + +*`fortinet.file.hash.crc32`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +CRC32 Hash of file + type: keyword -- -*`rsa.internal.cid`*:: +[float] +=== firewall + +Module for parsing Fortinet syslog. + + + +*`fortinet.firewall.acct_stat`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Accounting state (RADIUS) + type: keyword -- -*`rsa.internal.device_class`*:: +*`fortinet.firewall.acktime`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Alarm Acknowledge Time + type: keyword -- -*`rsa.internal.device_group`*:: +*`fortinet.firewall.act`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Action + type: keyword -- -*`rsa.internal.device_host`*:: +*`fortinet.firewall.action`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Status of the session + type: keyword -- -*`rsa.internal.device_ip`*:: +*`fortinet.firewall.activity`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +HA activity message -type: ip + +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`fortinet.firewall.addr`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +IP Address + type: ip -- -*`rsa.internal.device_type`*:: +*`fortinet.firewall.addr_type`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Address Type + type: keyword -- -*`rsa.internal.device_type_id`*:: +*`fortinet.firewall.addrgrp`*:: + -- -Deprecated key defined only in table map. +Address Group -type: long + +type: keyword -- -*`rsa.internal.did`*:: +*`fortinet.firewall.adgroup`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +AD Group Name + type: keyword -- -*`rsa.internal.entropy_req`*:: +*`fortinet.firewall.admin`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +Admin User -type: long + +type: keyword -- -*`rsa.internal.entropy_res`*:: +*`fortinet.firewall.age`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +Time in seconds - time passed since last seen -type: long + +type: integer -- -*`rsa.internal.event_name`*:: +*`fortinet.firewall.agent`*:: + -- -Deprecated key defined only in table map. +User agent - eg. agent="Mozilla/5.0" + type: keyword -- -*`rsa.internal.feed_category`*:: +*`fortinet.firewall.alarmid`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Alarm ID -type: keyword + +type: integer -- -*`rsa.internal.forward_ip`*:: +*`fortinet.firewall.alert`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. +Alert -type: ip + +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`fortinet.firewall.analyticscksum`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The checksum of the file submitted for analytics -type: ip + +type: keyword -- -*`rsa.internal.header_id`*:: +*`fortinet.firewall.analyticssubmit`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The flag for analytics submission + type: keyword -- -*`rsa.internal.lc_cid`*:: +*`fortinet.firewall.ap`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Access Point + type: keyword -- -*`rsa.internal.lc_ctime`*:: +*`fortinet.firewall.app-type`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Address Type -type: date + +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`fortinet.firewall.appact`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most +The security action from app control -type: long + +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`fortinet.firewall.appid`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most +Application ID -type: long + +type: integer -- -*`rsa.internal.mcbc_req`*:: +*`fortinet.firewall.applist`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +Application Control profile -type: long + +type: keyword -- -*`rsa.internal.mcbc_res`*:: +*`fortinet.firewall.apprisk`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +Application Risk Level -type: long + +type: keyword -- -*`rsa.internal.medium`*:: +*`fortinet.firewall.apscan`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session +The name of the AP, which scanned and detected the rogue AP -type: long + +type: keyword -- -*`rsa.internal.node_name`*:: +*`fortinet.firewall.apsn`*:: + -- -Deprecated key defined only in table map. +Access Point + type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`fortinet.firewall.apstatus`*:: + -- -This key denotes that event is endpoint related +Access Point status + type: keyword -- -*`rsa.internal.parse_error`*:: +*`fortinet.firewall.aptype`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Access Point type + type: keyword -- -*`rsa.internal.payload_req`*:: +*`fortinet.firewall.assigned`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +Assigned IP Address -type: long + +type: ip -- -*`rsa.internal.payload_res`*:: +*`fortinet.firewall.assignip`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +Assigned IP Address -type: long + +type: ip -- -*`rsa.internal.process_vid_dst`*:: +*`fortinet.firewall.attachment`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. +The flag for email attachement + type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`fortinet.firewall.attack`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. +Attack Name + type: keyword -- -*`rsa.internal.rid`*:: +*`fortinet.firewall.attackcontext`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The trigger patterns and the packetdata with base64 encoding -type: long + +type: keyword -- -*`rsa.internal.session_split`*:: +*`fortinet.firewall.attackcontextid`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Attack context id / total + type: keyword -- -*`rsa.internal.site`*:: +*`fortinet.firewall.attackid`*:: + -- -Deprecated key defined only in table map. +Attack ID -type: keyword + +type: integer -- -*`rsa.internal.size`*:: +*`fortinet.firewall.auditid`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Audit ID + type: long -- -*`rsa.internal.sourcefile`*:: +*`fortinet.firewall.auditscore`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The Audit Score + type: keyword -- -*`rsa.internal.ubc_req`*:: +*`fortinet.firewall.audittime`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +The time of the audit + type: long -- -*`rsa.internal.ubc_res`*:: +*`fortinet.firewall.authgrp`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +Authorization Group -type: long + +type: keyword -- -*`rsa.internal.word`*:: +*`fortinet.firewall.authid`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log +Authentication ID + type: keyword -- - -*`rsa.time.event_time`*:: +*`fortinet.firewall.authproto`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +The protocol that initiated the authentication -type: date + +type: keyword -- -*`rsa.time.duration_time`*:: +*`fortinet.firewall.authserver`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. +Authentication server -type: double + +type: keyword -- -*`rsa.time.event_time_str`*:: +*`fortinet.firewall.bandwidth`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string +Bandwidth + type: keyword -- -*`rsa.time.starttime`*:: +*`fortinet.firewall.banned_rule`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date +NAC quarantine Banned Rule Name --- -*`rsa.time.month`*:: -+ --- type: keyword -- -*`rsa.time.day`*:: +*`fortinet.firewall.banned_src`*:: + -- +NAC quarantine Banned Source IP + + type: keyword -- -*`rsa.time.endtime`*:: +*`fortinet.firewall.banword`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form +Banned word -type: date + +type: keyword -- -*`rsa.time.timezone`*:: +*`fortinet.firewall.botnetdomain`*:: + -- -This key is used to capture the timezone of the Event Time +Botnet Domain Name + type: keyword -- -*`rsa.time.duration_str`*:: +*`fortinet.firewall.botnetip`*:: + -- -A text string version of the duration +Botnet IP Address -type: keyword + +type: ip -- -*`rsa.time.date`*:: +*`fortinet.firewall.bssid`*:: + -- -type: keyword +Service Set ID --- -*`rsa.time.year`*:: -+ --- type: keyword -- -*`rsa.time.recorded_time`*:: +*`fortinet.firewall.call_id`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date +Caller ID --- -*`rsa.time.datetime`*:: -+ --- type: keyword -- -*`rsa.time.effective_time`*:: +*`fortinet.firewall.carrier_ep`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format +The FortiOS Carrier end-point identification -type: date + +type: keyword -- -*`rsa.time.expire_time`*:: +*`fortinet.firewall.cat`*:: + -- -This key is the timestamp that explicitly refers to an expiration. +DNS category ID -type: date + +type: integer -- -*`rsa.time.process_time`*:: +*`fortinet.firewall.category`*:: + -- -Deprecated, use duration.time +Authentication category + type: keyword -- -*`rsa.time.hour`*:: +*`fortinet.firewall.cc`*:: + -- -type: keyword +CC Email Address --- -*`rsa.time.min`*:: -+ --- type: keyword -- -*`rsa.time.timestamp`*:: +*`fortinet.firewall.cdrcontent`*:: + -- +Cdrcontent + + type: keyword -- -*`rsa.time.event_queue_time`*:: +*`fortinet.firewall.centralnatid`*:: + -- -This key is the Time that the event was queued. +Central NAT ID -type: date + +type: integer -- -*`rsa.time.p_time1`*:: +*`fortinet.firewall.cert`*:: + -- -type: keyword +Certificate --- -*`rsa.time.tzone`*:: -+ --- type: keyword -- -*`rsa.time.eventtime`*:: +*`fortinet.firewall.cert-type`*:: + -- +Certificate type + + type: keyword -- -*`rsa.time.gmtdate`*:: +*`fortinet.firewall.certhash`*:: + -- +Certificate hash + + type: keyword -- -*`rsa.time.gmttime`*:: +*`fortinet.firewall.cfgattr`*:: + -- +Configuration attribute + + type: keyword -- -*`rsa.time.p_date`*:: +*`fortinet.firewall.cfgobj`*:: + -- +Configuration object + + type: keyword -- -*`rsa.time.p_month`*:: +*`fortinet.firewall.cfgpath`*:: + -- +Configuration path + + type: keyword -- -*`rsa.time.p_time`*:: +*`fortinet.firewall.cfgtid`*:: + -- +Configuration transaction ID + + type: keyword -- -*`rsa.time.p_time2`*:: +*`fortinet.firewall.cfgtxpower`*:: + -- -type: keyword +Configuration TX power + + +type: integer -- -*`rsa.time.p_year`*:: +*`fortinet.firewall.channel`*:: + -- -type: keyword +Wireless Channel + + +type: integer -- -*`rsa.time.expire_time_str`*:: +*`fortinet.firewall.channeltype`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. +SSH channel type + type: keyword -- -*`rsa.time.stamp`*:: +*`fortinet.firewall.chassisid`*:: + -- -Deprecated key defined only in table map. +Chassis ID -type: date --- +type: integer +-- -*`rsa.misc.action`*:: +*`fortinet.firewall.checksum`*:: + -- +The checksum of the scanned file + + type: keyword -- -*`rsa.misc.result`*:: +*`fortinet.firewall.chgheaders`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. +HTTP Headers + type: keyword -- -*`rsa.misc.severity`*:: +*`fortinet.firewall.cldobjid`*:: + -- -This key is used to capture the severity given the session +Connector object ID + type: keyword -- -*`rsa.misc.event_type`*:: +*`fortinet.firewall.client_addr`*:: + -- -This key captures the event category type as specified by the event source. +Wifi client address + type: keyword -- -*`rsa.misc.reference_id`*:: +*`fortinet.firewall.cloudaction`*:: + -- -This key is used to capture an event id from the session directly +Cloud Action + type: keyword -- -*`rsa.misc.version`*:: +*`fortinet.firewall.clouduser`*:: + -- -This key captures Version of the application or OS which is generating the event. +Cloud User + type: keyword -- -*`rsa.misc.disposition`*:: +*`fortinet.firewall.column`*:: + -- -This key captures the The end state of an action. +VOIP Column -type: keyword + +type: integer -- -*`rsa.misc.result_code`*:: +*`fortinet.firewall.command`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session +CLI Command + type: keyword -- -*`rsa.misc.category`*:: +*`fortinet.firewall.community`*:: + -- -This key is used to capture the category of an event given by the vendor in the session +SNMP Community + type: keyword -- -*`rsa.misc.obj_name`*:: +*`fortinet.firewall.configcountry`*:: + -- -This is used to capture name of object +Configuration country + type: keyword -- -*`rsa.misc.obj_type`*:: +*`fortinet.firewall.connection_type`*:: + -- -This is used to capture type of object +FortiClient Connection Type + type: keyword -- -*`rsa.misc.event_source`*:: +*`fortinet.firewall.conserve`*:: + -- -This key captures Source of the event that’s not a hostname +Flag for conserve mode + type: keyword -- -*`rsa.misc.log_session_id`*:: +*`fortinet.firewall.constraint`*:: + -- -This key is used to capture a sessionid from the session directly +WAF http protocol restrictions + type: keyword -- -*`rsa.misc.group`*:: +*`fortinet.firewall.contentdisarmed`*:: + -- -This key captures the Group Name value +Email scanned content + type: keyword -- -*`rsa.misc.policy_name`*:: +*`fortinet.firewall.contenttype`*:: + -- -This key is used to capture the Policy Name only. +Content Type from HTTP header + type: keyword -- -*`rsa.misc.rule_name`*:: +*`fortinet.firewall.cookies`*:: + -- -This key captures the Rule Name +VPN Cookie + type: keyword -- -*`rsa.misc.context`*:: +*`fortinet.firewall.count`*:: + -- -This key captures Information which adds additional context to the event. +Counts of action type -type: keyword + +type: integer -- -*`rsa.misc.change_new`*:: +*`fortinet.firewall.countapp`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session +Number of App Ctrl logs associated with the session -type: keyword + +type: integer -- -*`rsa.misc.space`*:: +*`fortinet.firewall.countav`*:: + -- -type: keyword +Number of AV logs associated with the session + + +type: integer -- -*`rsa.misc.client`*:: +*`fortinet.firewall.countcifs`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. +Number of CIFS logs associated with the session -type: keyword + +type: integer -- -*`rsa.misc.msgIdPart1`*:: +*`fortinet.firewall.countdlp`*:: + -- -type: keyword +Number of DLP logs associated with the session --- -*`rsa.misc.msgIdPart2`*:: -+ --- -type: keyword +type: integer -- -*`rsa.misc.change_old`*:: +*`fortinet.firewall.countdns`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session +Number of DNS logs associated with the session -type: keyword + +type: integer -- -*`rsa.misc.operation_id`*:: +*`fortinet.firewall.countemail`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. +Number of email logs associated with the session -type: keyword + +type: integer -- -*`rsa.misc.event_state`*:: +*`fortinet.firewall.countff`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. +Number of ff logs associated with the session -type: keyword + +type: integer -- -*`rsa.misc.group_object`*:: +*`fortinet.firewall.countips`*:: + -- -This key captures a collection/grouping of entities. Specific usage +Number of IPS logs associated with the session -type: keyword + +type: integer -- -*`rsa.misc.node`*:: +*`fortinet.firewall.countssh`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. +Number of SSH logs associated with the session -type: keyword + +type: integer -- -*`rsa.misc.rule`*:: +*`fortinet.firewall.countssl`*:: + -- -This key captures the Rule number +Number of SSL logs associated with the session -type: keyword + +type: integer -- -*`rsa.misc.device_name`*:: +*`fortinet.firewall.countwaf`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc +Number of WAF logs associated with the session -type: keyword + +type: integer -- -*`rsa.misc.param`*:: +*`fortinet.firewall.countweb`*:: + -- -This key is the parameters passed as part of a command or application, etc. +Number of Web filter logs associated with the session -type: keyword + +type: integer -- -*`rsa.misc.change_attrib`*:: +*`fortinet.firewall.cpu`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session +CPU Usage -type: keyword + +type: integer -- -*`rsa.misc.event_computer`*:: +*`fortinet.firewall.craction`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. +Client Reputation Action -type: keyword + +type: integer -- -*`rsa.misc.reference_id1`*:: +*`fortinet.firewall.criticalcount`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" +Number of critical ratings -type: keyword + +type: integer -- -*`rsa.misc.event_log`*:: +*`fortinet.firewall.crl`*:: + -- -This key captures the Name of the event log +Client Reputation Level + type: keyword -- -*`rsa.misc.OS`*:: +*`fortinet.firewall.crlevel`*:: + -- -This key captures the Name of the Operating System +Client Reputation Level + type: keyword -- -*`rsa.misc.terminal`*:: +*`fortinet.firewall.crscore`*:: + -- -This key captures the Terminal Names only +Some description -type: keyword + +type: integer -- -*`rsa.misc.msgIdPart3`*:: +*`fortinet.firewall.cveid`*:: + -- +CVE ID + + type: keyword -- -*`rsa.misc.filter`*:: +*`fortinet.firewall.daemon`*:: + -- -This key captures Filter used to reduce result set +Daemon name + type: keyword -- -*`rsa.misc.serial_number`*:: +*`fortinet.firewall.datarange`*:: + -- -This key is the Serial number associated with a physical asset. +Data range for reports + type: keyword -- -*`rsa.misc.checksum`*:: +*`fortinet.firewall.date`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. +Date + type: keyword -- -*`rsa.misc.event_user`*:: +*`fortinet.firewall.ddnsserver`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. +DDNS server -type: keyword + +type: ip -- -*`rsa.misc.virusname`*:: +*`fortinet.firewall.desc`*:: + -- -This key captures the name of the virus +Description + type: keyword -- -*`rsa.misc.content_type`*:: +*`fortinet.firewall.detectionmethod`*:: + -- -This key is used to capture Content Type only. +Detection method + type: keyword -- -*`rsa.misc.group_id`*:: +*`fortinet.firewall.devcategory`*:: + -- -This key captures Group ID Number (related to the group name) +Device category + type: keyword -- -*`rsa.misc.policy_id`*:: +*`fortinet.firewall.devintfname`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise +HA device Interface Name + type: keyword -- -*`rsa.misc.vsys`*:: +*`fortinet.firewall.devtype`*:: + -- -This key captures Virtual System Name +Device type + type: keyword -- -*`rsa.misc.connection_id`*:: +*`fortinet.firewall.dhcp_msg`*:: + -- -This key captures the Connection ID +DHCP Message + type: keyword -- -*`rsa.misc.reference_id2`*:: +*`fortinet.firewall.dintf`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. +Destination interface + type: keyword -- -*`rsa.misc.sensor`*:: +*`fortinet.firewall.disk`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices +Assosciated disk + type: keyword -- -*`rsa.misc.sig_id`*:: +*`fortinet.firewall.disklograte`*:: + -- -This key captures IDS/IPS Int Signature ID +Disk logging rate + type: long -- -*`rsa.misc.port_name`*:: +*`fortinet.firewall.dlpextra`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). +DLP extra information + type: keyword -- -*`rsa.misc.rule_group`*:: +*`fortinet.firewall.docsource`*:: + -- -This key captures the Rule group name +DLP fingerprint document source + type: keyword -- -*`rsa.misc.risk_num`*:: +*`fortinet.firewall.domainctrlauthstate`*:: + -- -This key captures a Numeric Risk value +CIFS domain auth state -type: double + +type: integer -- -*`rsa.misc.trigger_val`*:: +*`fortinet.firewall.domainctrlauthtype`*:: + -- -This key captures the Value of the trigger or threshold condition. +CIFS domain auth type -type: keyword + +type: integer -- -*`rsa.misc.log_session_id1`*:: +*`fortinet.firewall.domainctrldomain`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly +CIFS domain auth domain + type: keyword -- -*`rsa.misc.comp_version`*:: +*`fortinet.firewall.domainctrlip`*:: + -- -This key captures the Version level of a sub-component of a product. +CIFS Domain IP -type: keyword + +type: ip -- -*`rsa.misc.content_version`*:: +*`fortinet.firewall.domainctrlname`*:: + -- -This key captures Version level of a signature or database content. +CIFS Domain name + type: keyword -- -*`rsa.misc.hardware_id`*:: +*`fortinet.firewall.domainctrlprotocoltype`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) +CIFS Domain connection protocol -type: keyword + +type: integer -- -*`rsa.misc.risk`*:: +*`fortinet.firewall.domainctrlusername`*:: + -- -This key captures the non-numeric risk value +CIFS Domain username + type: keyword -- -*`rsa.misc.event_id`*:: +*`fortinet.firewall.domainfilteridx`*:: + -- -type: keyword +Domain filter ID --- -*`rsa.misc.reason`*:: -+ --- -type: keyword +type: integer -- -*`rsa.misc.status`*:: +*`fortinet.firewall.domainfilterlist`*:: + -- +Domain filter name + + type: keyword -- -*`rsa.misc.mail_id`*:: +*`fortinet.firewall.ds`*:: + -- -This key is used to capture the mailbox id/name +Direction with distribution system + type: keyword -- -*`rsa.misc.rule_uid`*:: +*`fortinet.firewall.dst_int`*:: + -- -This key is the Unique Identifier for a rule. +Destination interface + type: keyword -- -*`rsa.misc.trigger_desc`*:: +*`fortinet.firewall.dstintfrole`*:: + -- -This key captures the Description of the trigger or threshold condition. +Destination interface role + type: keyword -- -*`rsa.misc.inout`*:: +*`fortinet.firewall.dstcountry`*:: + -- -type: keyword +Destination country --- -*`rsa.misc.p_msgid`*:: -+ --- type: keyword -- -*`rsa.misc.data_type`*:: +*`fortinet.firewall.dstdevcategory`*:: + -- -type: keyword +Destination device category --- -*`rsa.misc.msgIdPart4`*:: -+ --- type: keyword -- -*`rsa.misc.error`*:: +*`fortinet.firewall.dstdevtype`*:: + -- -This key captures All non successful Error codes or responses +Destination device type + type: keyword -- -*`rsa.misc.index`*:: +*`fortinet.firewall.dstfamily`*:: + -- +Destination OS family + + type: keyword -- -*`rsa.misc.listnum`*:: +*`fortinet.firewall.dsthwvendor`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list +Destination HW vendor + type: keyword -- -*`rsa.misc.ntype`*:: +*`fortinet.firewall.dsthwversion`*:: + -- +Destination HW version + + type: keyword -- -*`rsa.misc.observed_val`*:: +*`fortinet.firewall.dstinetsvc`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). +Destination interface service + type: keyword -- -*`rsa.misc.policy_value`*:: +*`fortinet.firewall.dstosname`*:: + -- -This key captures the contents of the policy. This contains details about the policy +Destination OS name + type: keyword -- -*`rsa.misc.pool_name`*:: +*`fortinet.firewall.dstosversion`*:: + -- -This key captures the name of a resource pool +Destination OS version + type: keyword -- -*`rsa.misc.rule_template`*:: +*`fortinet.firewall.dstserver`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template +Destination server -type: keyword + +type: integer -- -*`rsa.misc.count`*:: +*`fortinet.firewall.dstssid`*:: + -- +Destination SSID + + type: keyword -- -*`rsa.misc.number`*:: +*`fortinet.firewall.dstswversion`*:: + -- +Destination software version + + type: keyword -- -*`rsa.misc.sigcat`*:: +*`fortinet.firewall.dstunauthusersource`*:: + -- +Destination unauthenticated source + + type: keyword -- -*`rsa.misc.type`*:: +*`fortinet.firewall.dstuuid`*:: + -- +UUID of the Destination IP address + + type: keyword -- -*`rsa.misc.comments`*:: +*`fortinet.firewall.duid`*:: + -- -Comment information provided in the log message +DHCP UID + type: keyword -- -*`rsa.misc.doc_number`*:: +*`fortinet.firewall.eapolcnt`*:: + -- -This key captures File Identification number +EAPOL packet count -type: long + +type: integer -- -*`rsa.misc.expected_val`*:: +*`fortinet.firewall.eapoltype`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). +EAPOL packet type + type: keyword -- -*`rsa.misc.job_num`*:: +*`fortinet.firewall.encrypt`*:: + -- -This key captures the Job Number +Whether the packet is encrypted or not -type: keyword + +type: integer -- -*`rsa.misc.spi_dst`*:: +*`fortinet.firewall.encryption`*:: + -- -Destination SPI Index +Encryption method + type: keyword -- -*`rsa.misc.spi_src`*:: +*`fortinet.firewall.epoch`*:: + -- -Source SPI Index +Epoch used for locating file -type: keyword + +type: integer -- -*`rsa.misc.code`*:: +*`fortinet.firewall.espauth`*:: + -- +ESP Authentication + + type: keyword -- -*`rsa.misc.agent_id`*:: +*`fortinet.firewall.esptransform`*:: + -- -This key is used to capture agent id +ESP Transform + type: keyword -- -*`rsa.misc.message_body`*:: +*`fortinet.firewall.exch`*:: + -- -This key captures the The contents of the message body. +Mail Exchanges from DNS response answer section + type: keyword -- -*`rsa.misc.phone`*:: +*`fortinet.firewall.exchange`*:: + -- +Mail Exchanges from DNS response answer section + + type: keyword -- -*`rsa.misc.sig_id_str`*:: +*`fortinet.firewall.expectedsignature`*:: + -- -This key captures a string object of the sigid variable. +Expected SSL signature + type: keyword -- -*`rsa.misc.cmd`*:: +*`fortinet.firewall.expiry`*:: + -- -type: keyword +FortiGuard override expiry timestamp --- -*`rsa.misc.misc`*:: -+ --- type: keyword -- -*`rsa.misc.name`*:: +*`fortinet.firewall.fams_pause`*:: + -- -type: keyword +Fortinet Analysis and Management Service Pause + + +type: integer -- -*`rsa.misc.cpu`*:: +*`fortinet.firewall.fazlograte`*:: + -- -This key is the CPU time used in the execution of the event being recorded. +FortiAnalyzer Logging Rate + type: long -- -*`rsa.misc.event_desc`*:: +*`fortinet.firewall.fctemssn`*:: + -- -This key is used to capture a description of an event available directly or inferred +FortiClient Endpoint SSN + type: keyword -- -*`rsa.misc.sig_id1`*:: +*`fortinet.firewall.fctuid`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long +FortiClient UID --- -*`rsa.misc.im_buddyid`*:: -+ --- type: keyword -- -*`rsa.misc.im_client`*:: +*`fortinet.firewall.field`*:: + -- -type: keyword +NTP status field --- -*`rsa.misc.im_userid`*:: -+ --- type: keyword -- -*`rsa.misc.pid`*:: +*`fortinet.firewall.filefilter`*:: + -- +The filter used to identify the affected file + + type: keyword -- -*`rsa.misc.priority`*:: +*`fortinet.firewall.filehashsrc`*:: + -- +Filehash source + + type: keyword -- -*`rsa.misc.context_subject`*:: +*`fortinet.firewall.filtercat`*:: + -- -This key is to be used in an audit context where the subject is the object being identified +DLP filter category + type: keyword -- -*`rsa.misc.context_target`*:: +*`fortinet.firewall.filteridx`*:: + -- -type: keyword +DLP filter ID + + +type: integer -- -*`rsa.misc.cve`*:: +*`fortinet.firewall.filtername`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. +DLP rule name + type: keyword -- -*`rsa.misc.fcatnum`*:: +*`fortinet.firewall.filtertype`*:: + -- -This key captures Filter Category Number. Legacy Usage +DLP filter type + type: keyword -- -*`rsa.misc.library`*:: +*`fortinet.firewall.fortiguardresp`*:: + -- -This key is used to capture library information in mainframe devices +Antispam ESP value + type: keyword -- -*`rsa.misc.parent_node`*:: +*`fortinet.firewall.forwardedfor`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. +Email address forwarded + type: keyword -- -*`rsa.misc.risk_info`*:: +*`fortinet.firewall.fqdn`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +FQDN + type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`fortinet.firewall.frametype`*:: + -- -This key is captures the TCP flags set in any packet of session +Wireless frametype -type: long + +type: keyword -- -*`rsa.misc.tos`*:: +*`fortinet.firewall.freediskstorage`*:: + -- -This key describes the type of service +Free disk integer -type: long + +type: integer -- -*`rsa.misc.vm_target`*:: +*`fortinet.firewall.from`*:: + -- -VMWare Target **VMWARE** only varaible. +From email address + type: keyword -- -*`rsa.misc.workspace`*:: +*`fortinet.firewall.from_vcluster`*:: + -- -This key captures Workspace Description +Source virtual cluster number -type: keyword + +type: integer -- -*`rsa.misc.command`*:: +*`fortinet.firewall.fsaverdict`*:: + -- -type: keyword +FSA verdict --- -*`rsa.misc.event_category`*:: -+ --- type: keyword -- -*`rsa.misc.facilityname`*:: +*`fortinet.firewall.fwserver_name`*:: + -- +Web proxy server name + + type: keyword -- -*`rsa.misc.forensic_info`*:: +*`fortinet.firewall.gateway`*:: + -- -type: keyword +Gateway ip address for PPPoE status report + + +type: ip -- -*`rsa.misc.jobname`*:: +*`fortinet.firewall.green`*:: + -- +Memory status + + type: keyword -- -*`rsa.misc.mode`*:: +*`fortinet.firewall.groupid`*:: + -- -type: keyword +User Group ID + + +type: integer -- -*`rsa.misc.policy`*:: +*`fortinet.firewall.ha-prio`*:: + -- -type: keyword +HA Priority + + +type: integer -- -*`rsa.misc.policy_waiver`*:: +*`fortinet.firewall.ha_group`*:: + -- +HA Group + + type: keyword -- -*`rsa.misc.second`*:: +*`fortinet.firewall.ha_role`*:: + -- +HA Role + + type: keyword -- -*`rsa.misc.space1`*:: +*`fortinet.firewall.handshake`*:: + -- +SSL Handshake + + type: keyword -- -*`rsa.misc.subcategory`*:: +*`fortinet.firewall.hash`*:: + -- +Hash value of downloaded file + + type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`fortinet.firewall.hbdn_reason`*:: + -- +Heartbeat down reason + + type: keyword -- -*`rsa.misc.alert_id`*:: +*`fortinet.firewall.highcount`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +Highcount fabric summary -type: keyword + +type: integer -- -*`rsa.misc.checksum_dst`*:: +*`fortinet.firewall.host`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. +Hostname + type: keyword -- -*`rsa.misc.checksum_src`*:: +*`fortinet.firewall.iaid`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. +DHCPv6 id + type: keyword -- -*`rsa.misc.fresult`*:: +*`fortinet.firewall.icmpcode`*:: + -- -This key captures the Filter Result +Destination Port of the ICMP message -type: long + +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`fortinet.firewall.icmpid`*:: + -- -This key is used to capture destination payload +Source port of the ICMP message + type: keyword -- -*`rsa.misc.payload_src`*:: +*`fortinet.firewall.icmptype`*:: + -- -This key is used to capture source payload +The type of ICMP message + type: keyword -- -*`rsa.misc.pool_id`*:: +*`fortinet.firewall.identifier`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool +Network traffic identifier -type: keyword + +type: integer -- -*`rsa.misc.process_id_val`*:: +*`fortinet.firewall.in_spi`*:: + -- -This key is a failure key for Process ID when it is not an integer value +IPSEC inbound SPI + type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`fortinet.firewall.incidentserialno`*:: + -- -This key captures Risk Number Community +Incident serial number -type: double + +type: integer -- -*`rsa.misc.risk_num_next`*:: +*`fortinet.firewall.infected`*:: + -- -This key captures Risk Number NextGen +Infected MMS -type: double + +type: integer -- -*`rsa.misc.risk_num_sand`*:: +*`fortinet.firewall.infectedfilelevel`*:: + -- -This key captures Risk Number SandBox +DLP infected file level -type: double + +type: integer -- -*`rsa.misc.risk_num_static`*:: +*`fortinet.firewall.informationsource`*:: + -- -This key captures Risk Number Static +Information source -type: double + +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`fortinet.firewall.init`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +IPSEC init stage + type: keyword -- -*`rsa.misc.risk_warning`*:: +*`fortinet.firewall.initiator`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +Original login user name for Fortiguard override + type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`fortinet.firewall.interface`*:: + -- -SNMP Object Identifier +Related interface + type: keyword -- -*`rsa.misc.sql`*:: +*`fortinet.firewall.intf`*:: + -- -This key captures the SQL query +Related interface + type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`fortinet.firewall.invalidmac`*:: + -- -This key captures the Vulnerability Reference details +The MAC address with invalid OUI + type: keyword -- -*`rsa.misc.acl_id`*:: +*`fortinet.firewall.ip`*:: + -- -type: keyword +Related IP + + +type: ip -- -*`rsa.misc.acl_op`*:: +*`fortinet.firewall.iptype`*:: + -- +Related IP type + + type: keyword -- -*`rsa.misc.acl_pos`*:: +*`fortinet.firewall.keyword`*:: + -- +Keyword used for search + + type: keyword -- -*`rsa.misc.acl_table`*:: +*`fortinet.firewall.kind`*:: + -- +VOIP kind + + type: keyword -- -*`rsa.misc.admin`*:: +*`fortinet.firewall.lanin`*:: + -- -type: keyword +LAN incoming traffic in bytes + + +type: long -- -*`rsa.misc.alarm_id`*:: +*`fortinet.firewall.lanout`*:: + -- -type: keyword +LAN outbound traffic in bytes + + +type: long -- -*`rsa.misc.alarmname`*:: +*`fortinet.firewall.lease`*:: + -- -type: keyword +DHCP lease + + +type: integer -- -*`rsa.misc.app_id`*:: +*`fortinet.firewall.license_limit`*:: + -- +Maximum Number of FortiClients for the License + + type: keyword -- -*`rsa.misc.audit`*:: +*`fortinet.firewall.limit`*:: + -- -type: keyword +Virtual Domain Resource Limit + + +type: integer -- -*`rsa.misc.audit_object`*:: +*`fortinet.firewall.line`*:: + -- +VOIP line + + type: keyword -- -*`rsa.misc.auditdata`*:: +*`fortinet.firewall.live`*:: + -- -type: keyword +Time in seconds + + +type: integer -- -*`rsa.misc.benchmark`*:: +*`fortinet.firewall.local`*:: + -- -type: keyword +Local IP for a PPPD Connection + + +type: ip -- -*`rsa.misc.bypass`*:: +*`fortinet.firewall.log`*:: + -- +Log message + + type: keyword -- -*`rsa.misc.cache`*:: +*`fortinet.firewall.login`*:: + -- +SSH login + + type: keyword -- -*`rsa.misc.cache_hit`*:: +*`fortinet.firewall.lowcount`*:: + -- -type: keyword +Fabric lowcount + + +type: integer -- -*`rsa.misc.cefversion`*:: +*`fortinet.firewall.mac`*:: + -- +DHCP mac address + + type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`fortinet.firewall.malform_data`*:: + -- -type: keyword +VOIP malformed data + + +type: integer -- -*`rsa.misc.cfg_obj`*:: +*`fortinet.firewall.malform_desc`*:: + -- +VOIP malformed data description + + type: keyword -- -*`rsa.misc.cfg_path`*:: +*`fortinet.firewall.manuf`*:: + -- +Manufacturer name + + type: keyword -- -*`rsa.misc.changes`*:: +*`fortinet.firewall.masterdstmac`*:: + -- +Master mac address for a host with multiple network interfaces + + type: keyword -- -*`rsa.misc.client_ip`*:: +*`fortinet.firewall.mastersrcmac`*:: + -- +The master MAC address for a host that has multiple network interfaces + + type: keyword -- -*`rsa.misc.clustermembers`*:: +*`fortinet.firewall.mediumcount`*:: + -- -type: keyword +Fabric medium count + + +type: integer -- -*`rsa.misc.cn_acttimeout`*:: +*`fortinet.firewall.mem`*:: + -- -type: keyword +Memory usage system statistics + + +type: integer -- -*`rsa.misc.cn_asn_src`*:: +*`fortinet.firewall.meshmode`*:: + -- +Wireless mesh mode + + type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`fortinet.firewall.message_type`*:: + -- +VOIP message type + + type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`fortinet.firewall.method`*:: + -- +HTTP method + + type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`fortinet.firewall.mgmtcnt`*:: + -- -type: keyword +The number of unauthorized client flooding managemet frames + + +type: integer -- -*`rsa.misc.cn_dst_vlan`*:: +*`fortinet.firewall.mode`*:: + -- +IPSEC mode + + type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`fortinet.firewall.module`*:: + -- +PCI-DSS module + + type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`fortinet.firewall.monitor-name`*:: + -- +Health Monitor Name + + type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`fortinet.firewall.monitor-type`*:: + -- +Health Monitor Type + + type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`fortinet.firewall.mpsk`*:: + -- +Wireless MPSK + + type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`fortinet.firewall.msgproto`*:: + -- +Message Protocol Number + + type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`fortinet.firewall.mtu`*:: + -- -type: keyword +Max Transmission Unit Value + + +type: integer -- -*`rsa.misc.cn_inacttimeout`*:: +*`fortinet.firewall.name`*:: + -- +Name + + type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`fortinet.firewall.nat`*:: + -- +NAT IP Address + + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`fortinet.firewall.netid`*:: + -- +Connector NetID + + type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`fortinet.firewall.new_status`*:: + -- +New status on user change + + type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`fortinet.firewall.new_value`*:: + -- +New Virtual Domain Name + + type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`fortinet.firewall.newchannel`*:: + -- -type: keyword +New Channel Number + + +type: integer -- -*`rsa.misc.cn_l_switch`*:: +*`fortinet.firewall.newchassisid`*:: + -- -type: keyword +New Chassis ID + + +type: integer -- -*`rsa.misc.cn_log_did`*:: +*`fortinet.firewall.newslot`*:: + -- -type: keyword +New Slot Number + + +type: integer -- -*`rsa.misc.cn_log_rid`*:: +*`fortinet.firewall.nextstat`*:: + -- -type: keyword +Time interval in seconds for the next statistics. + + +type: integer -- -*`rsa.misc.cn_max_ttl`*:: +*`fortinet.firewall.nf_type`*:: + -- +Notification Type + + type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`fortinet.firewall.noise`*:: + -- -type: keyword +Wifi Noise + + +type: integer -- -*`rsa.misc.cn_min_ttl`*:: +*`fortinet.firewall.old_status`*:: + -- +Original Status + + type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`fortinet.firewall.old_value`*:: + -- +Original Virtual Domain name + + type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`fortinet.firewall.oldchannel`*:: + -- -type: keyword +Original channel + + +type: integer -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`fortinet.firewall.oldchassisid`*:: + -- -type: keyword +Original Chassis Number + + +type: integer -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`fortinet.firewall.oldslot`*:: + -- -type: keyword +Original Slot Number + + +type: integer -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`fortinet.firewall.oldsn`*:: + -- +Old Serial number + + type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`fortinet.firewall.oldwprof`*:: + -- +Old Web Filter Profile + + type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`fortinet.firewall.onwire`*:: + -- +A flag to indicate if the AP is onwire or not + + type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`fortinet.firewall.opercountry`*:: + -- +Operating Country + + type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`fortinet.firewall.opertxpower`*:: + -- -type: keyword +Operating TX power + + +type: integer -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`fortinet.firewall.osname`*:: + -- +Operating System name + + type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`fortinet.firewall.osversion`*:: + -- +Operating System version + + type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`fortinet.firewall.out_spi`*:: + -- +Out SPI + + type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`fortinet.firewall.outintf`*:: + -- +Out interface + + type: keyword -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`fortinet.firewall.passedcount`*:: + -- -type: keyword +Fabric passed count + + +type: integer -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`fortinet.firewall.passwd`*:: + -- +Changed user password information + + type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`fortinet.firewall.path`*:: + -- +Path of looped configuration for security fabric + + type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`fortinet.firewall.peer`*:: + -- +WAN optimization peer + + type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`fortinet.firewall.peer_notif`*:: + -- +VPN peer notification + + type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`fortinet.firewall.phase2_name`*:: + -- +VPN phase2 name + + type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`fortinet.firewall.phone`*:: + -- +VOIP Phone + + type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`fortinet.firewall.pid`*:: + -- -type: keyword +Process ID + + +type: integer -- -*`rsa.misc.cn_src_vlan`*:: +*`fortinet.firewall.policytype`*:: + -- +Policy Type + + type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`fortinet.firewall.poolname`*:: + -- +IP Pool name + + type: keyword -- -*`rsa.misc.cn_template_id`*:: +*`fortinet.firewall.port`*:: + -- -type: keyword +Log upload error port + + +type: integer -- -*`rsa.misc.cn_totbytsexp`*:: +*`fortinet.firewall.portbegin`*:: + -- -type: keyword +IP Pool port number to begin + + +type: integer -- -*`rsa.misc.cn_totflowexp`*:: +*`fortinet.firewall.portend`*:: + -- -type: keyword +IP Pool port number to end + + +type: integer -- -*`rsa.misc.cn_totpcktsexp`*:: +*`fortinet.firewall.probeproto`*:: + -- +Link Monitor Probe Protocol + + type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`fortinet.firewall.process`*:: + -- +URL Filter process + + type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`fortinet.firewall.processtime`*:: + -- -type: keyword +Process time for reports + + +type: integer -- -*`rsa.misc.cn_v6optheaders`*:: +*`fortinet.firewall.profile`*:: + -- +Profile Name + + type: keyword -- -*`rsa.misc.comp_class`*:: +*`fortinet.firewall.profile_vd`*:: + -- +Virtual Domain Name + + type: keyword -- -*`rsa.misc.comp_name`*:: +*`fortinet.firewall.profilegroup`*:: + -- +Profile Group Name + + type: keyword -- -*`rsa.misc.comp_rbytes`*:: +*`fortinet.firewall.profiletype`*:: + -- +Profile Type + + type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`fortinet.firewall.qtypeval`*:: + -- -type: keyword +DNS question type value + + +type: integer -- -*`rsa.misc.cpu_data`*:: +*`fortinet.firewall.quarskip`*:: + -- +Quarantine skip explanation + + type: keyword -- -*`rsa.misc.criticality`*:: +*`fortinet.firewall.quotaexceeded`*:: + -- +If quota has been exceeded + + type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`fortinet.firewall.quotamax`*:: + -- -type: keyword +Maximum quota allowed - in seconds if time-based - in bytes if traffic-based + + +type: long -- -*`rsa.misc.cs_analyzedby`*:: +*`fortinet.firewall.quotatype`*:: + -- +Quota type + + type: keyword -- -*`rsa.misc.cs_av_other`*:: +*`fortinet.firewall.quotaused`*:: + -- -type: keyword +Quota used - in seconds if time-based - in bytes if trafficbased) + + +type: long -- -*`rsa.misc.cs_av_primary`*:: +*`fortinet.firewall.radioband`*:: + -- +Radio band + + type: keyword -- -*`rsa.misc.cs_av_secondary`*:: +*`fortinet.firewall.radioid`*:: + -- -type: keyword +Radio ID + + +type: integer -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`fortinet.firewall.radioidclosest`*:: + -- -type: keyword +Radio ID on the AP closest the rogue AP + + +type: integer -- -*`rsa.misc.cs_bit9status`*:: +*`fortinet.firewall.radioiddetected`*:: + -- -type: keyword +Radio ID on the AP which detected the rogue AP + + +type: integer -- -*`rsa.misc.cs_context`*:: +*`fortinet.firewall.rate`*:: + -- +Wireless rogue rate value + + type: keyword -- -*`rsa.misc.cs_control`*:: +*`fortinet.firewall.rawdata`*:: + -- +Raw data value + + type: keyword -- -*`rsa.misc.cs_data`*:: +*`fortinet.firewall.rawdataid`*:: + -- +Raw data ID + + type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`fortinet.firewall.rcvddelta`*:: + -- +Received bytes delta + + type: keyword -- -*`rsa.misc.cs_dst_tld`*:: +*`fortinet.firewall.reason`*:: + -- +Alert reason + + type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`fortinet.firewall.received`*:: + -- -type: keyword +Server key exchange received + + +type: integer -- -*`rsa.misc.cs_eth_src_ven`*:: +*`fortinet.firewall.receivedsignature`*:: + -- +Server key exchange received signature + + type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`fortinet.firewall.red`*:: + -- +Memory information in red + + type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`fortinet.firewall.referralurl`*:: + -- +Web filter referralurl + + type: keyword -- -*`rsa.misc.cs_fld`*:: +*`fortinet.firewall.remote`*:: + -- -type: keyword +Remote PPP IP address + + +type: ip -- -*`rsa.misc.cs_if_desc`*:: +*`fortinet.firewall.remotewtptime`*:: + -- +Remote Wifi Radius authentication time + + type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`fortinet.firewall.reporttype`*:: + -- +Report type + + type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`fortinet.firewall.reqtype`*:: + -- -type: keyword +Request type --- -*`rsa.misc.cs_ipv4dstpre`*:: -+ --- type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`fortinet.firewall.request_name`*:: + -- -type: keyword +VOIP request name --- -*`rsa.misc.cs_lifetime`*:: -+ --- type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`fortinet.firewall.result`*:: + -- -type: keyword +VPN phase result --- -*`rsa.misc.cs_loginname`*:: -+ --- type: keyword -- -*`rsa.misc.cs_modulescore`*:: +*`fortinet.firewall.role`*:: + -- -type: keyword +VPN Phase 2 role --- -*`rsa.misc.cs_modulesign`*:: -+ --- type: keyword -- -*`rsa.misc.cs_opswatresult`*:: +*`fortinet.firewall.rssi`*:: + -- -type: keyword +Received signal strength indicator --- -*`rsa.misc.cs_payload`*:: -+ --- -type: keyword +type: integer -- -*`rsa.misc.cs_registrant`*:: +*`fortinet.firewall.rsso_key`*:: + -- -type: keyword +RADIUS SSO attribute value --- -*`rsa.misc.cs_registrar`*:: -+ --- type: keyword -- -*`rsa.misc.cs_represult`*:: +*`fortinet.firewall.ruledata`*:: + -- -type: keyword +Rule data --- -*`rsa.misc.cs_rpayload`*:: -+ --- type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`fortinet.firewall.ruletype`*:: + -- -type: keyword +Rule type --- -*`rsa.misc.cs_sourcemodule`*:: -+ --- type: keyword -- -*`rsa.misc.cs_streams`*:: +*`fortinet.firewall.scanned`*:: + -- -type: keyword +Number of Scanned MMSs --- -*`rsa.misc.cs_targetmodule`*:: -+ --- -type: keyword +type: integer -- -*`rsa.misc.cs_v6nxthop`*:: +*`fortinet.firewall.scantime`*:: + -- -type: keyword +Scanned time --- -*`rsa.misc.cs_whois_server`*:: -+ --- -type: keyword +type: long -- -*`rsa.misc.cs_yararesult`*:: +*`fortinet.firewall.scope`*:: + -- -type: keyword +FortiGuard Override Scope --- -*`rsa.misc.description`*:: -+ --- type: keyword -- -*`rsa.misc.devvendor`*:: +*`fortinet.firewall.security`*:: + -- -type: keyword +Wireless rogue security --- -*`rsa.misc.distance`*:: -+ --- type: keyword -- -*`rsa.misc.dstburb`*:: +*`fortinet.firewall.sensitivity`*:: + -- +Sensitivity for document fingerprint + + type: keyword -- -*`rsa.misc.edomain`*:: +*`fortinet.firewall.sensor`*:: + -- +NAC Sensor Name + + type: keyword -- -*`rsa.misc.edomaub`*:: +*`fortinet.firewall.sentdelta`*:: + -- +Sent bytes delta + + type: keyword -- -*`rsa.misc.euid`*:: +*`fortinet.firewall.seq`*:: + -- +Sequence number + + type: keyword -- -*`rsa.misc.facility`*:: +*`fortinet.firewall.serial`*:: + -- +WAN optimisation serial + + type: keyword -- -*`rsa.misc.finterface`*:: +*`fortinet.firewall.serialno`*:: + -- +Serial number + + type: keyword -- -*`rsa.misc.flags`*:: +*`fortinet.firewall.server`*:: + -- +AD server FQDN or IP + + type: keyword -- -*`rsa.misc.gaddr`*:: +*`fortinet.firewall.session_id`*:: + -- +Session ID + + type: keyword -- -*`rsa.misc.id3`*:: +*`fortinet.firewall.sessionid`*:: + -- -type: keyword +WAD Session ID + + +type: integer -- -*`rsa.misc.im_buddyname`*:: +*`fortinet.firewall.setuprate`*:: + -- -type: keyword +Session Setup Rate + + +type: long -- -*`rsa.misc.im_croomid`*:: +*`fortinet.firewall.severity`*:: + -- +Severity + + type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`fortinet.firewall.shaperdroprcvdbyte`*:: + -- -type: keyword +Received bytes dropped by shaper + + +type: integer -- -*`rsa.misc.im_members`*:: +*`fortinet.firewall.shaperdropsentbyte`*:: + -- -type: keyword +Sent bytes dropped by shaper + + +type: integer -- -*`rsa.misc.im_username`*:: +*`fortinet.firewall.shaperperipdropbyte`*:: + -- -type: keyword +Dropped bytes per IP by shaper + + +type: integer -- -*`rsa.misc.ipkt`*:: +*`fortinet.firewall.shaperperipname`*:: + -- +Traffic shaper name (per IP) + + type: keyword -- -*`rsa.misc.ipscat`*:: +*`fortinet.firewall.shaperrcvdname`*:: + -- +Traffic shaper name for received traffic + + type: keyword -- -*`rsa.misc.ipspri`*:: +*`fortinet.firewall.shapersentname`*:: + -- +Traffic shaper name for sent traffic + + type: keyword -- -*`rsa.misc.latitude`*:: +*`fortinet.firewall.shapingpolicyid`*:: + -- -type: keyword +Traffic shaper policy ID + + +type: integer -- -*`rsa.misc.linenum`*:: +*`fortinet.firewall.signal`*:: + -- -type: keyword +Wireless rogue API signal + + +type: integer -- -*`rsa.misc.list_name`*:: +*`fortinet.firewall.size`*:: + -- -type: keyword +Email size in bytes + + +type: long -- -*`rsa.misc.load_data`*:: +*`fortinet.firewall.slot`*:: + -- -type: keyword +Slot number + + +type: integer -- -*`rsa.misc.location_floor`*:: +*`fortinet.firewall.sn`*:: + -- +Security fabric serial number + + type: keyword -- -*`rsa.misc.location_mark`*:: +*`fortinet.firewall.snclosest`*:: + -- +SN of the AP closest to the rogue AP + + type: keyword -- -*`rsa.misc.log_id`*:: +*`fortinet.firewall.sndetected`*:: + -- +SN of the AP which detected the rogue AP + + type: keyword -- -*`rsa.misc.log_type`*:: +*`fortinet.firewall.snmeshparent`*:: + -- +SN of the mesh parent + + type: keyword -- -*`rsa.misc.logid`*:: +*`fortinet.firewall.spi`*:: + -- +IPSEC SPI + + type: keyword -- -*`rsa.misc.logip`*:: +*`fortinet.firewall.src_int`*:: + -- +Source interface + + type: keyword -- -*`rsa.misc.logname`*:: +*`fortinet.firewall.srcintfrole`*:: + -- +Source interface role + + type: keyword -- -*`rsa.misc.longitude`*:: +*`fortinet.firewall.srccountry`*:: + -- +Source country + + type: keyword -- -*`rsa.misc.lport`*:: +*`fortinet.firewall.srcfamily`*:: + -- +Source family + + type: keyword -- -*`rsa.misc.mbug_data`*:: +*`fortinet.firewall.srchwvendor`*:: + -- +Source hardware vendor + + type: keyword -- -*`rsa.misc.misc_name`*:: +*`fortinet.firewall.srchwversion`*:: + -- +Source hardware version + + type: keyword -- -*`rsa.misc.msg_type`*:: +*`fortinet.firewall.srcinetsvc`*:: + -- +Source interface service + + type: keyword -- -*`rsa.misc.msgid`*:: +*`fortinet.firewall.srcname`*:: + -- +Source name + + type: keyword -- -*`rsa.misc.netsessid`*:: +*`fortinet.firewall.srcserver`*:: + -- -type: keyword +Source server + + +type: integer -- -*`rsa.misc.num`*:: +*`fortinet.firewall.srcssid`*:: + -- +Source SSID + + type: keyword -- -*`rsa.misc.number1`*:: +*`fortinet.firewall.srcswversion`*:: + -- +Source software version + + type: keyword -- -*`rsa.misc.number2`*:: +*`fortinet.firewall.srcuuid`*:: + -- +Source UUID + + type: keyword -- -*`rsa.misc.nwwn`*:: +*`fortinet.firewall.sscname`*:: + -- +SSC name + + type: keyword -- -*`rsa.misc.object`*:: +*`fortinet.firewall.ssid`*:: + -- +Base Service Set ID + + type: keyword -- -*`rsa.misc.operation`*:: +*`fortinet.firewall.sslaction`*:: + -- +SSL Action + + type: keyword -- -*`rsa.misc.opkt`*:: +*`fortinet.firewall.ssllocal`*:: + -- +WAD SSL local + + type: keyword -- -*`rsa.misc.orig_from`*:: +*`fortinet.firewall.sslremote`*:: + -- +WAD SSL remote + + type: keyword -- -*`rsa.misc.owner_id`*:: +*`fortinet.firewall.stacount`*:: + -- -type: keyword +Number of stations/clients + + +type: integer -- -*`rsa.misc.p_action`*:: +*`fortinet.firewall.stage`*:: + -- +IPSEC stage + + type: keyword -- -*`rsa.misc.p_filter`*:: +*`fortinet.firewall.stamac`*:: + -- +802.1x station mac + + type: keyword -- -*`rsa.misc.p_group_object`*:: +*`fortinet.firewall.state`*:: + -- +Admin login state + + type: keyword -- -*`rsa.misc.p_id`*:: +*`fortinet.firewall.status`*:: + -- +Status + + type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`fortinet.firewall.stitch`*:: + -- +Automation stitch triggered + + type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`fortinet.firewall.subject`*:: + -- +Email subject + + type: keyword -- -*`rsa.misc.p_result1`*:: +*`fortinet.firewall.submodule`*:: + -- +Configuration Sub-Module Name + + type: keyword -- -*`rsa.misc.password_chg`*:: +*`fortinet.firewall.subservice`*:: + -- +AV subservice + + type: keyword -- -*`rsa.misc.password_expire`*:: +*`fortinet.firewall.subtype`*:: + -- +Log subtype + + type: keyword -- -*`rsa.misc.permgranted`*:: +*`fortinet.firewall.suspicious`*:: + -- -type: keyword +Number of Suspicious MMSs + + +type: integer -- -*`rsa.misc.permwanted`*:: +*`fortinet.firewall.switchproto`*:: + -- +Protocol change information + + type: keyword -- -*`rsa.misc.pgid`*:: +*`fortinet.firewall.sync_status`*:: + -- +The sync status with the master + + type: keyword -- -*`rsa.misc.policyUUID`*:: +*`fortinet.firewall.sync_type`*:: + -- +The sync type with the master + + type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`fortinet.firewall.sysuptime`*:: + -- +System uptime + + type: keyword -- -*`rsa.misc.program`*:: +*`fortinet.firewall.tamac`*:: + -- +the MAC address of Transmitter, if none, then Receiver + + type: keyword -- -*`rsa.misc.real_data`*:: +*`fortinet.firewall.threattype`*:: + -- +WIDS threat type + + type: keyword -- -*`rsa.misc.rec_asp_device`*:: +*`fortinet.firewall.time`*:: + -- +Time of the event + + type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`fortinet.firewall.to`*:: + -- +Email to field + + type: keyword -- -*`rsa.misc.rec_library`*:: +*`fortinet.firewall.to_vcluster`*:: + -- -type: keyword +destination virtual cluster number + + +type: integer -- -*`rsa.misc.recordnum`*:: +*`fortinet.firewall.total`*:: + -- -type: keyword +Total memory + + +type: integer -- -*`rsa.misc.ruid`*:: +*`fortinet.firewall.totalsession`*:: + -- -type: keyword +Total Number of Sessions + + +type: integer -- -*`rsa.misc.sburb`*:: +*`fortinet.firewall.trace_id`*:: + -- +Session clash trace ID + + type: keyword -- -*`rsa.misc.sdomain_fld`*:: +*`fortinet.firewall.trandisp`*:: + -- +NAT translation type + + type: keyword -- -*`rsa.misc.sec`*:: +*`fortinet.firewall.transid`*:: + -- -type: keyword +HTTP transaction ID + + +type: integer -- -*`rsa.misc.sensorname`*:: +*`fortinet.firewall.translationid`*:: + -- +DNS filter transaltion ID + + type: keyword -- -*`rsa.misc.seqnum`*:: +*`fortinet.firewall.trigger`*:: + -- +Automation stitch trigger + + type: keyword -- -*`rsa.misc.session`*:: +*`fortinet.firewall.trueclntip`*:: + -- -type: keyword +File filter true client IP + + +type: ip -- -*`rsa.misc.sessiontype`*:: +*`fortinet.firewall.tunnelid`*:: + -- -type: keyword +IPSEC tunnel ID + + +type: integer -- -*`rsa.misc.sigUUID`*:: +*`fortinet.firewall.tunnelip`*:: + -- -type: keyword +IPSEC tunnel IP + + +type: ip -- -*`rsa.misc.spi`*:: +*`fortinet.firewall.tunneltype`*:: + -- +IPSEC tunnel type + + type: keyword -- -*`rsa.misc.srcburb`*:: +*`fortinet.firewall.type`*:: + -- +Module type + + type: keyword -- -*`rsa.misc.srcdom`*:: +*`fortinet.firewall.ui`*:: + -- +Admin authentication UI type + + type: keyword -- -*`rsa.misc.srcservice`*:: +*`fortinet.firewall.unauthusersource`*:: + -- +Unauthenticated user source + + type: keyword -- -*`rsa.misc.state`*:: +*`fortinet.firewall.unit`*:: + -- -type: keyword +Power supply unit + + +type: integer -- -*`rsa.misc.status1`*:: +*`fortinet.firewall.urlfilteridx`*:: + -- -type: keyword +URL filter ID + + +type: integer -- -*`rsa.misc.svcno`*:: +*`fortinet.firewall.urlfilterlist`*:: + -- +URL filter list + + type: keyword -- -*`rsa.misc.system`*:: +*`fortinet.firewall.urlsource`*:: + -- +URL filter source + + type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`fortinet.firewall.urltype`*:: + -- +URL filter type + + type: keyword -- -*`rsa.misc.tgtdom`*:: +*`fortinet.firewall.used`*:: + -- -type: keyword +Number of Used IPs + + +type: integer -- -*`rsa.misc.tgtdomain`*:: +*`fortinet.firewall.used_for_type`*:: + -- -type: keyword +Connection for the type + + +type: integer -- -*`rsa.misc.threshold`*:: +*`fortinet.firewall.utmaction`*:: + -- +Security action performed by UTM + + type: keyword -- -*`rsa.misc.type1`*:: +*`fortinet.firewall.vap`*:: + -- +Virtual AP + + type: keyword -- -*`rsa.misc.udb_class`*:: +*`fortinet.firewall.vapmode`*:: + -- +Virtual AP mode + + type: keyword -- -*`rsa.misc.url_fld`*:: +*`fortinet.firewall.vcluster`*:: + -- -type: keyword +virtual cluster id + + +type: integer -- -*`rsa.misc.user_div`*:: +*`fortinet.firewall.vcluster_member`*:: + -- -type: keyword +Virtual cluster member + + +type: integer -- -*`rsa.misc.userid`*:: +*`fortinet.firewall.vcluster_state`*:: + -- +Virtual cluster state + + type: keyword -- -*`rsa.misc.username_fld`*:: +*`fortinet.firewall.vd`*:: + -- +Virtual Domain Name + + type: keyword -- -*`rsa.misc.utcstamp`*:: +*`fortinet.firewall.vdname`*:: + -- +Virtual Domain Name + + type: keyword -- -*`rsa.misc.v_instafname`*:: +*`fortinet.firewall.vendorurl`*:: + -- +Vulnerability scan vendor name + + type: keyword -- -*`rsa.misc.virt_data`*:: +*`fortinet.firewall.version`*:: + -- +Version + + type: keyword -- -*`rsa.misc.vpnid`*:: +*`fortinet.firewall.vip`*:: + -- +Virtual IP + + type: keyword -- -*`rsa.misc.autorun_type`*:: +*`fortinet.firewall.virus`*:: + -- -This is used to capture Auto Run type +Virus name + type: keyword -- -*`rsa.misc.cc_number`*:: +*`fortinet.firewall.virusid`*:: + -- -Valid Credit Card Numbers only +Virus ID (unique virus identifier) -type: long + +type: integer -- -*`rsa.misc.content`*:: +*`fortinet.firewall.voip_proto`*:: + -- -This key captures the content type from protocol headers +VOIP protocol + type: keyword -- -*`rsa.misc.ein_number`*:: +*`fortinet.firewall.vpn`*:: + -- -Employee Identification Numbers only +VPN description -type: long + +type: keyword -- -*`rsa.misc.found`*:: +*`fortinet.firewall.vpntunnel`*:: + -- -This is used to capture the results of regex match +IPsec Vpn Tunnel Name + type: keyword -- -*`rsa.misc.language`*:: +*`fortinet.firewall.vpntype`*:: + -- -This is used to capture list of languages the client support and what it prefers +The type of the VPN tunnel + type: keyword -- -*`rsa.misc.lifetime`*:: +*`fortinet.firewall.vrf`*:: + -- -This key is used to capture the session lifetime in seconds. +VRF number -type: long + +type: integer -- -*`rsa.misc.link`*:: +*`fortinet.firewall.vulncat`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Vulnerability Category + type: keyword -- -*`rsa.misc.match`*:: +*`fortinet.firewall.vulnid`*:: + -- -This key is for regex match name from search.ini +Vulnerability ID -type: keyword + +type: integer -- -*`rsa.misc.param_dst`*:: +*`fortinet.firewall.vulnname`*:: + -- -This key captures the command line/launch argument of the target process or file +Vulnerability name + type: keyword -- -*`rsa.misc.param_src`*:: +*`fortinet.firewall.vwlid`*:: + -- -This key captures source parameter +VWL ID -type: keyword + +type: integer -- -*`rsa.misc.search_text`*:: +*`fortinet.firewall.vwlquality`*:: + -- -This key captures the Search Text used +VWL quality + type: keyword -- -*`rsa.misc.sig_name`*:: +*`fortinet.firewall.vwlservice`*:: + -- -This key is used to capture the Signature Name only. +VWL service + type: keyword -- -*`rsa.misc.snmp_value`*:: +*`fortinet.firewall.vwpvlanid`*:: + -- -SNMP set request value +VWP VLAN ID -type: keyword + +type: integer -- -*`rsa.misc.streams`*:: +*`fortinet.firewall.wanin`*:: + -- -This key captures number of streams in session +WAN incoming traffic in bytes + type: long -- - -*`rsa.db.index`*:: +*`fortinet.firewall.wanoptapptype`*:: + -- -This key captures IndexID of the index. +WAN Optimization Application type + type: keyword -- -*`rsa.db.instance`*:: +*`fortinet.firewall.wanout`*:: + -- -This key is used to capture the database server instance name +WAN outgoing traffic in bytes -type: keyword + +type: long -- -*`rsa.db.database`*:: +*`fortinet.firewall.weakwepiv`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session +Weak Wep Initiation Vector + type: keyword -- -*`rsa.db.transact_id`*:: +*`fortinet.firewall.xauthgroup`*:: + -- -This key captures the SQL transantion ID of the current session +XAuth Group Name + type: keyword -- -*`rsa.db.permissions`*:: +*`fortinet.firewall.xauthuser`*:: + -- -This key captures permission or privilege level assigned to a resource. +XAuth User Name + type: keyword -- -*`rsa.db.table_name`*:: +*`fortinet.firewall.xid`*:: + -- -This key is used to capture the table name +Wireless X ID -type: keyword --- +type: integer -*`rsa.db.db_id`*:: -+ -- -This key is used to capture the unique identifier for a database -type: keyword +[[exported-fields-googlecloud]] +== Google Cloud fields --- +Module for handling logs from Google Cloud. -*`rsa.db.db_pid`*:: -+ --- -This key captures the process id of a connection with database server -type: long --- +[float] +=== googlecloud -*`rsa.db.lread`*:: -+ --- -This key is used for the number of logical reads +Fields from Google Cloud logs. -type: long --- -*`rsa.db.lwrite`*:: -+ --- -This key is used for the number of logical writes +[float] +=== destination.instance -type: long +If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. --- -*`rsa.db.pread`*:: + +*`googlecloud.destination.instance.project_id`*:: + -- -This key is used for the number of physical writes +ID of the project containing the VM. -type: long --- +type: keyword +-- -*`rsa.network.alias_host`*:: +*`googlecloud.destination.instance.region`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. +Region of the VM. + type: keyword -- -*`rsa.network.domain`*:: +*`googlecloud.destination.instance.zone`*:: + -- +Zone of the VM. + + type: keyword -- -*`rsa.network.host_dst`*:: +[float] +=== destination.vpc + +If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. + + + +*`googlecloud.destination.vpc.project_id`*:: + -- -This key should only be used when it’s a Destination Hostname +ID of the project containing the VM. + type: keyword -- -*`rsa.network.network_service`*:: +*`googlecloud.destination.vpc.vpc_name`*:: + -- -This is used to capture layer 7 protocols/service names +VPC on which the VM is operating. + type: keyword -- -*`rsa.network.interface`*:: +*`googlecloud.destination.vpc.subnetwork_name`*:: + -- -This key should be used when the source or destination context of an interface is not clear +Subnetwork on which the VM is operating. + type: keyword -- -*`rsa.network.network_port`*:: -+ --- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) +[float] +=== source.instance -type: long +If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project. --- -*`rsa.network.eth_host`*:: + +*`googlecloud.source.instance.project_id`*:: + -- -Deprecated, use alias.mac +ID of the project containing the VM. + type: keyword -- -*`rsa.network.sinterface`*:: +*`googlecloud.source.instance.region`*:: + -- -This key should only be used when it’s a Source Interface +Region of the VM. + type: keyword -- -*`rsa.network.dinterface`*:: +*`googlecloud.source.instance.zone`*:: + -- -This key should only be used when it’s a Destination Interface +Zone of the VM. + type: keyword -- -*`rsa.network.vlan`*:: -+ --- -This key should only be used to capture the ID of the Virtual LAN +[float] +=== source.vpc -type: long +If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. --- -*`rsa.network.zone_src`*:: + +*`googlecloud.source.vpc.project_id`*:: + -- -This key should only be used when it’s a Source Zone. +ID of the project containing the VM. + type: keyword -- -*`rsa.network.zone`*:: +*`googlecloud.source.vpc.vpc_name`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +VPC on which the VM is operating. + type: keyword -- -*`rsa.network.zone_dst`*:: +*`googlecloud.source.vpc.subnetwork_name`*:: + -- -This key should only be used when it’s a Destination Zone. +Subnetwork on which the VM is operating. + type: keyword -- -*`rsa.network.gateway`*:: +[float] +=== audit + +Fields for Google Cloud audit logs. + + + +*`googlecloud.audit.type`*:: + -- -This key is used to capture the IP Address of the gateway +Type property. + type: keyword -- -*`rsa.network.icmp_type`*:: -+ --- -This key is used to capture the ICMP type only +[float] +=== authentication_info -type: long +Authentication information. --- -*`rsa.network.mask`*:: + +*`googlecloud.audit.authentication_info.principal_email`*:: + -- -This key is used to capture the device network IPmask. +The email address of the authenticated user making the request. + type: keyword -- -*`rsa.network.icmp_code`*:: +*`googlecloud.audit.authentication_info.authority_selector`*:: + -- -This key is used to capture the ICMP code only +The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. -type: long + +type: keyword -- -*`rsa.network.protocol_detail`*:: +*`googlecloud.audit.authorization_info`*:: + -- -This key should be used to capture additional protocol information +Authorization information for the operation. -type: keyword + +type: array -- -*`rsa.network.dmask`*:: +*`googlecloud.audit.method_name`*:: + -- -This key is used for Destionation Device network mask +The name of the service method or operation. For API calls, this should be the name of the API method. For example, 'google.datastore.v1.Datastore.RunQuery'. + type: keyword -- -*`rsa.network.port`*:: +*`googlecloud.audit.num_response_items`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear +The number of items returned from a List or Query API method, if applicable. + type: long -- -*`rsa.network.smask`*:: -+ --- -This key is used for capturing source Network Mask +[float] +=== request -type: keyword +The operation request. --- -*`rsa.network.netname`*:: + +*`googlecloud.audit.request.proto_name`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. +Type property of the request. + type: keyword -- -*`rsa.network.paddr`*:: +*`googlecloud.audit.request.filter`*:: + -- -Deprecated - -type: ip +Filter of the request. --- -*`rsa.network.faddr`*:: -+ --- type: keyword -- -*`rsa.network.lhost`*:: +*`googlecloud.audit.request.name`*:: + -- -type: keyword +Name of the request. --- -*`rsa.network.origin`*:: -+ --- type: keyword -- -*`rsa.network.remote_domain_id`*:: +*`googlecloud.audit.request.resource_name`*:: + -- +Name of the request resource. + + type: keyword -- -*`rsa.network.addr`*:: +[float] +=== request_metadata + +Metadata about the request. + + + +*`googlecloud.audit.request_metadata.caller_ip`*:: + -- -type: keyword +The IP address of the caller. + + +type: ip -- -*`rsa.network.dns_a_record`*:: +*`googlecloud.audit.request_metadata.caller_supplied_user_agent`*:: + -- +The user agent of the caller. This information is not authenticated and should be treated accordingly. + + type: keyword -- -*`rsa.network.dns_ptr_record`*:: +[float] +=== response + +The operation response. + + + +*`googlecloud.audit.response.proto_name`*:: + -- +Type property of the response. + + type: keyword -- -*`rsa.network.fhost`*:: +[float] +=== details + +The details of the response. + + + +*`googlecloud.audit.response.details.group`*:: + -- +The name of the group. + + type: keyword -- -*`rsa.network.fport`*:: +*`googlecloud.audit.response.details.kind`*:: + -- +The kind of the response details. + + type: keyword -- -*`rsa.network.laddr`*:: +*`googlecloud.audit.response.details.name`*:: + -- +The name of the response details. + + type: keyword -- -*`rsa.network.linterface`*:: +*`googlecloud.audit.response.details.uid`*:: + -- +The uid of the response details. + + type: keyword -- -*`rsa.network.phost`*:: +*`googlecloud.audit.response.status`*:: + -- +Status of the response. + + type: keyword -- -*`rsa.network.ad_computer_dst`*:: +*`googlecloud.audit.resource_name`*:: + -- -Deprecated, use host.dst +The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, 'shelves/SHELF_ID/books'. + type: keyword -- -*`rsa.network.eth_type`*:: -+ --- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - -type: long - --- +[float] +=== resource_location -*`rsa.network.ip_proto`*:: -+ --- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +The location of the resource. -type: long --- -*`rsa.network.dns_cname_record`*:: +*`googlecloud.audit.resource_location.current_locations`*:: + -- -type: keyword +Current locations of the resource. --- -*`rsa.network.dns_id`*:: -+ --- type: keyword -- -*`rsa.network.dns_opcode`*:: +*`googlecloud.audit.service_name`*:: + -- -type: keyword +The name of the API service performing the operation. For example, datastore.googleapis.com. --- -*`rsa.network.dns_resp`*:: -+ --- type: keyword -- -*`rsa.network.dns_type`*:: -+ --- -type: keyword +[float] +=== status --- +The status of the overall operation. -*`rsa.network.domain1`*:: -+ --- -type: keyword --- -*`rsa.network.host_type`*:: +*`googlecloud.audit.status.code`*:: + -- -type: keyword +The status code, which should be an enum value of google.rpc.Code. --- -*`rsa.network.packet_length`*:: -+ --- -type: keyword +type: integer -- -*`rsa.network.host_orig`*:: +*`googlecloud.audit.status.message`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - -type: keyword - --- +A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. -*`rsa.network.rpayload`*:: -+ --- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. type: keyword -- -*`rsa.network.vlan_name`*:: -+ --- -This key should only be used to capture the name of the Virtual LAN +[float] +=== firewall -type: keyword +Fields for Google Cloud Firewall logs. --- -*`rsa.investigations.ec_activity`*:: -+ --- -This key captures the particular event activity(Ex:Logoff) +[float] +=== rule_details -type: keyword +Description of the firewall rule that matched this connection. --- -*`rsa.investigations.ec_theme`*:: + +*`googlecloud.firewall.rule_details.priority`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) +The priority for the firewall rule. -type: keyword +type: long -- -*`rsa.investigations.ec_subject`*:: +*`googlecloud.firewall.rule_details.action`*:: + -- -This key captures the Subject of a particular Event(Ex:User) +Action that the rule performs on match. type: keyword -- -*`rsa.investigations.ec_outcome`*:: +*`googlecloud.firewall.rule_details.direction`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) +Direction of traffic that matches this rule. type: keyword -- -*`rsa.investigations.event_cat`*:: +*`googlecloud.firewall.rule_details.reference`*:: + -- -This key captures the Event category number +Reference to the firewall rule. -type: long +type: keyword -- -*`rsa.investigations.event_cat_name`*:: +*`googlecloud.firewall.rule_details.source_range`*:: + -- -This key captures the event category name corresponding to the event cat code +List of source ranges that the firewall rule applies to. type: keyword -- -*`rsa.investigations.event_vcat`*:: +*`googlecloud.firewall.rule_details.destination_range`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. +List of destination ranges that the firewall applies to. type: keyword -- -*`rsa.investigations.analysis_file`*:: +*`googlecloud.firewall.rule_details.source_tag`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file +List of all the source tags that the firewall rule applies to. + type: keyword -- -*`rsa.investigations.analysis_service`*:: +*`googlecloud.firewall.rule_details.target_tag`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +List of all the target tags that the firewall rule applies to. + type: keyword -- -*`rsa.investigations.analysis_session`*:: +*`googlecloud.firewall.rule_details.ip_port_info`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session +List of ip protocols and applicable port ranges for rules. -type: keyword + +type: array -- -*`rsa.investigations.boc`*:: +*`googlecloud.firewall.rule_details.source_service_account`*:: + -- -This is used to capture behaviour of compromise +List of all the source service accounts that the firewall rule applies to. + type: keyword -- -*`rsa.investigations.eoc`*:: +*`googlecloud.firewall.rule_details.target_service_account`*:: + -- -This is used to capture Enablers of Compromise +List of all the target service accounts that the firewall rule applies to. + type: keyword -- -*`rsa.investigations.inv_category`*:: -+ --- -This used to capture investigation category +[float] +=== vpcflow -type: keyword +Fields for Google Cloud VPC flow logs. --- -*`rsa.investigations.inv_context`*:: + +*`googlecloud.vpcflow.reporter`*:: + -- -This used to capture investigation context +The side which reported the flow. Can be either 'SRC' or 'DEST'. + type: keyword -- -*`rsa.investigations.ioc`*:: +*`googlecloud.vpcflow.rtt.ms`*:: + -- -This is key capture indicator of compromise - -type: keyword +Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. --- +type: long -*`rsa.counters.dclass_c1`*:: -+ -- -This is a generic counter key that should be used with the label dclass.c1.str only -type: long +[[exported-fields-gsuite]] +== gsuite fields --- +gsuite Module -*`rsa.counters.dclass_c2`*:: -+ --- -This is a generic counter key that should be used with the label dclass.c2.str only -type: long --- +[float] +=== gsuite -*`rsa.counters.event_counter`*:: -+ --- -This is used to capture the number of times an event repeated +Gsuite specific fields. +More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list -type: long --- -*`rsa.counters.dclass_r1`*:: +*`gsuite.actor.type`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +The type of actor. +Values can be: + *USER*: Another user in the same domain. + *EXTERNAL_USER*: A user outside the domain. + *KEY*: A non-human actor. + type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`gsuite.actor.key`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. -type: long + +type: keyword -- -*`rsa.counters.dclass_c1_str`*:: +*`gsuite.event.type`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +The type of GSuite event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + type: keyword +example: audit#activity + -- -*`rsa.counters.dclass_c2_str`*:: +*`gsuite.kind`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only +The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + type: keyword +example: audit#activity + -- -*`rsa.counters.dclass_r1_str`*:: +*`gsuite.organization.domain`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only +The domain that is affected by the report's event. + type: keyword -- -*`rsa.counters.dclass_r2`*:: + +*`gsuite.admin.application.edition`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only +The GSuite edition. type: keyword -- -*`rsa.counters.dclass_c3_str`*:: +*`gsuite.admin.application.name`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +The application's name. type: keyword -- -*`rsa.counters.dclass_r3`*:: +*`gsuite.admin.application.enabled`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only +The enabled application. type: keyword -- -*`rsa.counters.dclass_r2_str`*:: +*`gsuite.admin.application.licences_order_number`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only +Order number used to redeem licenses. type: keyword -- -*`rsa.counters.dclass_r3_str`*:: +*`gsuite.admin.application.licences_purchased`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only +Number of licences purchased. type: keyword -- - -*`rsa.identity.auth_method`*:: +*`gsuite.admin.application.id`*:: + -- -This key is used to capture authentication methods used only +The application ID. type: keyword -- -*`rsa.identity.user_role`*:: +*`gsuite.admin.application.asp_id`*:: + -- -This key is used to capture the Role of a user only +The application specific password ID. type: keyword -- -*`rsa.identity.dn`*:: +*`gsuite.admin.application.package_id`*:: + -- -X.500 (LDAP) Distinguished Name +The mobile application package ID. type: keyword -- -*`rsa.identity.logon_type`*:: +*`gsuite.admin.group.email`*:: + -- -This key is used to capture the type of logon method used. +The group's primary email address. type: keyword -- -*`rsa.identity.profile`*:: +*`gsuite.admin.new_value`*:: + -- -This key is used to capture the user profile +The new value for the setting. type: keyword -- -*`rsa.identity.accesses`*:: +*`gsuite.admin.old_value`*:: + -- -This key is used to capture actual privileges used in accessing an object +The old value for the setting. type: keyword -- -*`rsa.identity.realm`*:: +*`gsuite.admin.org_unit.name`*:: + -- -Radius realm or similar grouping of accounts +The organizational unit name. type: keyword -- -*`rsa.identity.user_sid_dst`*:: +*`gsuite.admin.org_unit.full`*:: + -- -This key captures Destination User Session ID +The org unit full path including the root org unit name. type: keyword -- -*`rsa.identity.dn_src`*:: +*`gsuite.admin.setting.name`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn +The setting name. type: keyword -- -*`rsa.identity.org`*:: +*`gsuite.admin.user_defined_setting.name`*:: + -- -This key captures the User organization +The name of the user-defined setting. type: keyword -- -*`rsa.identity.dn_dst`*:: +*`gsuite.admin.setting.description`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn +The setting name. type: keyword -- -*`rsa.identity.firstname`*:: +*`gsuite.admin.group.priorities`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +Group priorities. type: keyword -- -*`rsa.identity.lastname`*:: +*`gsuite.admin.domain.alias`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +The domain alias. type: keyword -- -*`rsa.identity.user_dept`*:: +*`gsuite.admin.domain.name`*:: + -- -User's Department Names only +The primary domain name. type: keyword -- -*`rsa.identity.user_sid_src`*:: +*`gsuite.admin.domain.secondary_name`*:: + -- -This key captures Source User Session ID +The secondary domain name. type: keyword -- -*`rsa.identity.federated_sp`*:: +*`gsuite.admin.managed_configuration`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. +The name of the managed configuration. type: keyword -- -*`rsa.identity.federated_idp`*:: +*`gsuite.admin.non_featured_services_selection`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. +Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED + type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`gsuite.admin.field`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. +The name of the field. type: keyword -- -*`rsa.identity.middlename`*:: +*`gsuite.admin.resource.id`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +The name of the resource identifier. type: keyword -- -*`rsa.identity.password`*:: +*`gsuite.admin.user.email`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted +The user's primary email address. type: keyword -- -*`rsa.identity.host_role`*:: +*`gsuite.admin.user.nickname`*:: + -- -This key should only be used to capture the role of a Host Machine +The user's nickname. type: keyword -- -*`rsa.identity.ldap`*:: +*`gsuite.admin.user.birthdate`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context +The user's birth date. -type: keyword +type: date -- -*`rsa.identity.ldap_query`*:: +*`gsuite.admin.gateway.name`*:: + -- -This key is the Search criteria from an LDAP search +Gateway name. Present on some chat settings. type: keyword -- -*`rsa.identity.ldap_response`*:: +*`gsuite.admin.chrome_os.session_type`*:: + -- -This key is to capture Results from an LDAP search +Chrome OS session type. type: keyword -- -*`rsa.identity.owner`*:: +*`gsuite.admin.device.serial_number`*:: + -- -This is used to capture username the process or service is running as, the author of the task +Device serial number. type: keyword -- -*`rsa.identity.service_account`*:: +*`gsuite.admin.device.id`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - type: keyword -- - -*`rsa.email.email_dst`*:: +*`gsuite.admin.device.type`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email +Device type. type: keyword -- -*`rsa.email.email_src`*:: +*`gsuite.admin.print_server.name`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email +The name of the print server. type: keyword -- -*`rsa.email.subject`*:: +*`gsuite.admin.printer.name`*:: + -- -This key is used to capture the subject string from an Email only. +The name of the printer. type: keyword -- -*`rsa.email.email`*:: +*`gsuite.admin.device.command_details`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear +Command details. type: keyword -- -*`rsa.email.trans_from`*:: +*`gsuite.admin.role.id`*:: + -- -Deprecated key defined only in table map. +Unique identifier for this role privilege. type: keyword -- -*`rsa.email.trans_to`*:: +*`gsuite.admin.role.name`*:: + -- -Deprecated key defined only in table map. +The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings + type: keyword -- - -*`rsa.file.privilege`*:: +*`gsuite.admin.privilege.name`*:: + -- -Deprecated, use permissions +Privilege name. type: keyword -- -*`rsa.file.attachment`*:: +*`gsuite.admin.service.name`*:: + -- -This key captures the attachment file name +The service name. type: keyword -- -*`rsa.file.filesystem`*:: +*`gsuite.admin.url.name`*:: + -- +The website name. + type: keyword -- -*`rsa.file.binary`*:: +*`gsuite.admin.product.name`*:: + -- -Deprecated key defined only in table map. +The product name. type: keyword -- -*`rsa.file.filename_dst`*:: +*`gsuite.admin.product.sku`*:: + -- -This is used to capture name of the file targeted by the action +The product SKU. type: keyword -- -*`rsa.file.filename_src`*:: +*`gsuite.admin.bulk_upload.failed`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +Number of failed records in bulk upload operation. -type: keyword +type: long -- -*`rsa.file.filename_tmp`*:: +*`gsuite.admin.bulk_upload.total`*:: + -- -type: keyword +Number of total records in bulk upload operation. + +type: long -- -*`rsa.file.directory_dst`*:: +*`gsuite.admin.group.allowed_list`*:: + -- -This key is used to capture the directory of the target process or file +Names of allow-listed groups. type: keyword -- -*`rsa.file.directory_src`*:: +*`gsuite.admin.email.quarantine_name`*:: + -- -This key is used to capture the directory of the source process or file +The name of the quarantine. type: keyword -- -*`rsa.file.file_entropy`*:: +*`gsuite.admin.email.log_search_filter.message_id`*:: + -- -This is used to capture entropy vale of a file +The log search filter's email message ID. -type: double +type: keyword -- -*`rsa.file.file_vendor`*:: +*`gsuite.admin.email.log_search_filter.start_date`*:: + -- -This is used to capture Company name of file located in version_info +The log search filter's start date. -type: keyword +type: date -- -*`rsa.file.task_name`*:: +*`gsuite.admin.email.log_search_filter.end_date`*:: + -- -This is used to capture name of the task +The log search filter's ending date. -type: keyword +type: date -- - -*`rsa.web.fqdn`*:: +*`gsuite.admin.email.log_search_filter.recipient.value`*:: + -- -Fully Qualified Domain Names +The log search filter's email recipient. type: keyword -- -*`rsa.web.web_cookie`*:: +*`gsuite.admin.email.log_search_filter.sender.value`*:: + -- -This key is used to capture the Web cookies specifically. +The log search filter's email sender. type: keyword -- -*`rsa.web.alias_host`*:: +*`gsuite.admin.email.log_search_filter.recipient.ip`*:: + -- -type: keyword +The log search filter's email recipient's IP address. + +type: ip -- -*`rsa.web.reputation_num`*:: +*`gsuite.admin.email.log_search_filter.sender.ip`*:: + -- -Reputation Number of an entity. Typically used for Web Domains +The log search filter's email sender's IP address. -type: double +type: ip -- -*`rsa.web.web_ref_domain`*:: +*`gsuite.admin.chrome_licenses.enabled`*:: + -- -Web referer's domain +Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + type: keyword -- -*`rsa.web.web_ref_query`*:: +*`gsuite.admin.chrome_licenses.allowed`*:: + -- -This key captures Web referer's query portion of the URL +Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + type: keyword -- -*`rsa.web.remote_domain`*:: +*`gsuite.admin.oauth2.service.name`*:: + -- +OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + + type: keyword -- -*`rsa.web.web_ref_page`*:: +*`gsuite.admin.oauth2.application.id`*:: + -- -This key captures Web referer's page information +OAuth2 application ID. type: keyword -- -*`rsa.web.web_ref_root`*:: +*`gsuite.admin.oauth2.application.name`*:: + -- -Web referer's root URL path +OAuth2 application name. type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`gsuite.admin.oauth2.application.type`*:: + -- -type: keyword +OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings --- -*`rsa.web.cn_rpackets`*:: -+ --- type: keyword -- -*`rsa.web.urlpage`*:: +*`gsuite.admin.verification_method`*:: + -- -type: keyword +Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings --- -*`rsa.web.urlroot`*:: -+ --- type: keyword -- -*`rsa.web.p_url`*:: +*`gsuite.admin.alert.name`*:: + -- +The alert name. + type: keyword -- -*`rsa.web.p_user_agent`*:: +*`gsuite.admin.rule.name`*:: + -- +The rule name. + type: keyword -- -*`rsa.web.p_web_cookie`*:: +*`gsuite.admin.api.client.name`*:: + -- +The API client name. + type: keyword -- -*`rsa.web.p_web_method`*:: +*`gsuite.admin.api.scopes`*:: + -- +The API scopes. + type: keyword -- -*`rsa.web.p_web_referer`*:: +*`gsuite.admin.mdm.token`*:: + -- +The MDM vendor enrollment token. + type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`gsuite.admin.mdm.vendor`*:: + -- +The MDM vendor's name. + type: keyword -- -*`rsa.web.web_page`*:: +*`gsuite.admin.info_type`*:: + -- +This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + + type: keyword -- - -*`rsa.threat.threat_category`*:: +*`gsuite.admin.email_monitor.dest_email`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert +The destination address of the email monitor. type: keyword -- -*`rsa.threat.threat_desc`*:: +*`gsuite.admin.email_monitor.level.chat`*:: + -- -This key is used to capture the threat description from the session directly or inferred +The chat email monitor level. type: keyword -- -*`rsa.threat.alert`*:: +*`gsuite.admin.email_monitor.level.draft`*:: + -- -This key is used to capture name of the alert +The draft email monitor level. type: keyword -- -*`rsa.threat.threat_source`*:: +*`gsuite.admin.email_monitor.level.incoming`*:: + -- -This key is used to capture source of the threat +The incoming email monitor level. type: keyword -- - -*`rsa.crypto.crypto`*:: +*`gsuite.admin.email_monitor.level.outgoing`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only +The outgoing email monitor level. type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`gsuite.admin.email_dump.include_deleted`*:: + -- -This key is for Source (Client) Cipher +Indicates if deleted emails are included in the export. -type: keyword +type: boolean -- -*`rsa.crypto.cert_subject`*:: +*`gsuite.admin.email_dump.package_content`*:: + -- -This key is used to capture the Certificate organization only +The contents of the mailbox package. type: keyword -- -*`rsa.crypto.peer`*:: +*`gsuite.admin.email_dump.query`*:: + -- -This key is for Encryption peer's IP Address +The search query used for the dump. type: keyword -- -*`rsa.crypto.cipher_size_src`*:: +*`gsuite.admin.request.id`*:: + -- -This key captures Source (Client) Cipher Size +The request ID. -type: long +type: keyword -- -*`rsa.crypto.ike`*:: +*`gsuite.admin.mobile.action.id`*:: + -- -IKE negotiation phase. +The mobile device action's ID. type: keyword -- -*`rsa.crypto.scheme`*:: +*`gsuite.admin.mobile.action.type`*:: + -- -This key captures the Encryption scheme used +The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + type: keyword -- -*`rsa.crypto.peer_id`*:: +*`gsuite.admin.mobile.certificate.name`*:: + -- -This key is for Encryption peer’s identity +The mobile certificate common name. type: keyword -- -*`rsa.crypto.sig_type`*:: +*`gsuite.admin.mobile.company_owned_devices`*:: + -- -This key captures the Signature Type +The number of devices a company owns. -type: keyword +type: long -- -*`rsa.crypto.cert_issuer`*:: +*`gsuite.admin.distribution.entity.name`*:: + -- +The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + + type: keyword -- -*`rsa.crypto.cert_host_name`*:: +*`gsuite.admin.distribution.entity.type`*:: + -- -Deprecated key defined only in table map. +The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + type: keyword -- -*`rsa.crypto.cert_error`*:: + +*`gsuite.drive.billable`*:: + -- -This key captures the Certificate Error String +Whether this activity is billable. -type: keyword +type: boolean -- -*`rsa.crypto.cipher_dst`*:: +*`gsuite.drive.source_folder_id`*:: + -- -This key is for Destination (Server) Cipher - type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`gsuite.drive.source_folder_title`*:: + -- -This key captures Destination (Server) Cipher Size - -type: long +type: keyword -- -*`rsa.crypto.ssl_ver_src`*:: +*`gsuite.drive.destination_folder_id`*:: + -- -Deprecated, use version - type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`gsuite.drive.destination_folder_title`*:: + -- type: keyword -- -*`rsa.crypto.s_certauth`*:: +*`gsuite.drive.file.id`*:: + -- type: keyword -- -*`rsa.crypto.ike_cookie1`*:: +*`gsuite.drive.file.type`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One +Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`gsuite.drive.originating_app_id`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two +The Google Cloud Project ID of the application that performed the action. + type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`gsuite.drive.file.owner.email`*:: + -- type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`gsuite.drive.file.owner.is_shared_drive`*:: + -- -This key is used for the hostname category value of a certificate +Boolean flag denoting whether owner is a shared drive. -type: keyword + +type: boolean -- -*`rsa.crypto.cert_serial`*:: +*`gsuite.drive.primary_event`*:: + -- -This key is used to capture the Certificate serial number only +Whether this is a primary event. A single user action in Drive may generate several events. -type: keyword + +type: boolean -- -*`rsa.crypto.cert_status`*:: +*`gsuite.drive.shared_drive_id`*:: + -- -This key captures Certificate validation status +The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. + type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`gsuite.drive.visibility`*:: + -- -Deprecated, use version +Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + type: keyword -- -*`rsa.crypto.cert_keysize`*:: +*`gsuite.drive.new_value`*:: + -- -type: keyword +When a setting or property of the file changes, the new value for it will appear here. --- -*`rsa.crypto.cert_username`*:: -+ --- type: keyword -- -*`rsa.crypto.https_insact`*:: +*`gsuite.drive.old_value`*:: + -- -type: keyword +When a setting or property of the file changes, the old value for it will appear here. --- -*`rsa.crypto.https_valid`*:: -+ --- type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`gsuite.drive.sheets_import_range_recipient_doc`*:: + -- -This key is used to capture the Certificate signing authority only +Doc ID of the recipient of a sheets import range. type: keyword -- -*`rsa.crypto.cert_common`*:: +*`gsuite.drive.old_visibility`*:: + -- -This key is used to capture the Certificate common name only +When visibility changes, this holds the old value. + type: keyword -- - -*`rsa.wireless.wlan_ssid`*:: +*`gsuite.drive.visibility_change`*:: + -- -This key is used to capture the ssid of a Wireless Session +When visibility changes, this holds the new overall visibility of the file. + type: keyword -- -*`rsa.wireless.access_point`*:: +*`gsuite.drive.target_domain`*:: + -- -This key is used to capture the access point name. +The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. + type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`gsuite.drive.added_role`*:: + -- -This is used to capture the channel names +Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive -type: long + +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`gsuite.drive.membership_change_type`*:: + -- -This key captures either WLAN number/name +Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + type: keyword -- - -*`rsa.storage.disk_volume`*:: +*`gsuite.drive.shared_drive_settings_change_type`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk +Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + type: keyword -- -*`rsa.storage.lun`*:: +*`gsuite.drive.removed_role`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. +Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + type: keyword -- -*`rsa.storage.pwwn`*:: +*`gsuite.drive.target`*:: + -- -This uniquely identifies a port on a HBA. +Target user or group. type: keyword -- -*`rsa.physical.org_dst`*:: +*`gsuite.groups.acl_permission`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. +Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + type: keyword -- -*`rsa.physical.org_src`*:: +*`gsuite.groups.email`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. +Group email. + type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`gsuite.groups.member.email`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +Member email. + type: keyword -- -*`rsa.healthcare.patient_id`*:: +*`gsuite.groups.member.role`*:: + -- -This key captures the unique ID for a patient +Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`gsuite.groups.setting`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + type: keyword -- -*`rsa.healthcare.patient_mname`*:: +*`gsuite.groups.new_value`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`gsuite.groups.old_value`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`gsuite.groups.value`*:: + -- -This key captures the path to the registry key +Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`gsuite.groups.message.id`*:: + -- -This key captures values or decorators used within a registry entry +SMTP message Id of an email message. Present for moderation events. + type: keyword -- -[[exported-fields-infoblox]] -== Infoblox NIOS fields +*`gsuite.groups.message.moderation_action`*:: ++ +-- +Message moderation action. Possible values are `approved` and `rejected`. -infoblox fields. +type: keyword +-- -*`network.interface.name`*:: +*`gsuite.groups.status`*:: + -- -Name of the network interface where the traffic has been observed. +A status describing the output of an operation. Possible values are `failed` and `succeeded`. type: keyword @@ -68096,2276 +70002,3526 @@ type: keyword -- - -*`rsa.internal.msg`*:: +*`gsuite.login.affected_email_address`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder - type: keyword -- -*`rsa.internal.messageid`*:: +*`gsuite.login.challenge_method`*:: + -- +Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + + type: keyword -- -*`rsa.internal.event_desc`*:: +*`gsuite.login.failure_type`*:: + -- +Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + + type: keyword -- -*`rsa.internal.message`*:: +*`gsuite.login.type`*:: + -- -This key captures the contents of instant messages +Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + type: keyword -- -*`rsa.internal.time`*:: +*`gsuite.login.is_second_factor`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date +type: boolean -- -*`rsa.internal.level`*:: +*`gsuite.login.is_suspicious`*:: + -- -Deprecated key defined only in table map. - -type: long +type: boolean -- -*`rsa.internal.msg_id`*:: + +*`gsuite.saml.application_name`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Saml SP application name. + type: keyword -- -*`rsa.internal.msg_vid`*:: +*`gsuite.saml.failure_type`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. + type: keyword -- -*`rsa.internal.data`*:: +*`gsuite.saml.initiated_by`*:: + -- -Deprecated key defined only in table map. +Requester of SAML authentication. + type: keyword -- -*`rsa.internal.obj_server`*:: +*`gsuite.saml.orgunit_path`*:: + -- -Deprecated key defined only in table map. +User orgunit. + type: keyword -- -*`rsa.internal.obj_val`*:: +*`gsuite.saml.status_code`*:: + -- -Deprecated key defined only in table map. +SAML status code. -type: keyword + +type: long -- -*`rsa.internal.resource`*:: +*`gsuite.saml.second_level_status_code`*:: + -- -Deprecated key defined only in table map. +SAML second level status code. -type: keyword --- +type: long -*`rsa.internal.obj_id`*:: -+ -- -Deprecated key defined only in table map. -type: keyword +[[exported-fields-haproxy]] +== HAProxy fields --- +haproxy Module -*`rsa.internal.statement`*:: -+ --- -Deprecated key defined only in table map. -type: keyword --- +[float] +=== haproxy -*`rsa.internal.audit_class`*:: + + + +*`haproxy.frontend_name`*:: + -- -Deprecated key defined only in table map. - -type: keyword +Name of the frontend (or listener) which received and processed the connection. -- -*`rsa.internal.entry`*:: +*`haproxy.backend_name`*:: + -- -Deprecated key defined only in table map. - -type: keyword +Name of the backend (or listener) which was selected to manage the connection to the server. -- -*`rsa.internal.hcode`*:: +*`haproxy.server_name`*:: + -- -Deprecated key defined only in table map. - -type: keyword +Name of the last server to which the connection was sent. -- -*`rsa.internal.inode`*:: +*`haproxy.total_waiting_time_ms`*:: + -- -Deprecated key defined only in table map. +Total time in milliseconds spent waiting in the various queues type: long -- -*`rsa.internal.resource_class`*:: +*`haproxy.connection_wait_time_ms`*:: + -- -Deprecated key defined only in table map. +Total time in milliseconds spent waiting for the connection to establish to the final server -type: keyword +type: long -- -*`rsa.internal.dead`*:: +*`haproxy.bytes_read`*:: + -- -Deprecated key defined only in table map. +Total number of bytes transmitted to the client when the log is emitted. type: long -- -*`rsa.internal.feed_desc`*:: +*`haproxy.time_queue`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Total time in milliseconds spent waiting in the various queues. -type: keyword +type: long -- -*`rsa.internal.feed_name`*:: +*`haproxy.time_backend_connect`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Total time in milliseconds spent waiting for the connection to establish to the final server, including retries. -type: keyword +type: long -- -*`rsa.internal.cid`*:: +*`haproxy.server_queue`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Total number of requests which were processed before this one in the server queue. -type: keyword +type: long -- -*`rsa.internal.device_class`*:: +*`haproxy.backend_queue`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Total number of requests which were processed before this one in the backend's global queue. -type: keyword +type: long -- -*`rsa.internal.device_group`*:: +*`haproxy.bind_name`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: keyword +Name of the listening address which received the connection. -- -*`rsa.internal.device_host`*:: +*`haproxy.error_message`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Error message logged by HAProxy in case of error. -type: keyword +type: text -- -*`rsa.internal.device_ip`*:: +*`haproxy.source`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +The HAProxy source of the log -type: ip +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`haproxy.termination_state`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +Condition the session was in when the session ended. -- -*`rsa.internal.device_type`*:: +*`haproxy.mode`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +mode that the frontend is operating (TCP or HTTP) type: keyword -- -*`rsa.internal.device_type_id`*:: +[float] +=== connections + +Contains various counts of connections active in the process. + + +*`haproxy.connections.active`*:: + -- -Deprecated key defined only in table map. +Total number of concurrent connections on the process when the session was logged. type: long -- -*`rsa.internal.did`*:: +*`haproxy.connections.frontend`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Total number of concurrent connections on the frontend when the session was logged. -type: keyword +type: long -- -*`rsa.internal.entropy_req`*:: +*`haproxy.connections.backend`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +Total number of concurrent connections handled by the backend when the session was logged. type: long -- -*`rsa.internal.entropy_res`*:: +*`haproxy.connections.server`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +Total number of concurrent connections still active on the server when the session was logged. type: long -- -*`rsa.internal.event_name`*:: +*`haproxy.connections.retries`*:: + -- -Deprecated key defined only in table map. +Number of connection retries experienced by this session when trying to connect to the server. -type: keyword +type: long -- -*`rsa.internal.feed_category`*:: -+ --- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +[float] +=== client -type: keyword +Information about the client doing the request --- -*`rsa.internal.forward_ip`*:: +*`haproxy.client.ip`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. +type: alias -type: ip +alias to: source.address -- -*`rsa.internal.forward_ipv6`*:: +*`haproxy.client.port`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: alias -type: ip +alias to: source.port -- -*`rsa.internal.header_id`*:: +*`haproxy.process_name`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: alias -type: keyword +alias to: process.name -- -*`rsa.internal.lc_cid`*:: +*`haproxy.pid`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: alias -type: keyword +alias to: process.pid -- -*`rsa.internal.lc_ctime`*:: -+ --- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +[float] +=== destination -type: date +Destination information --- -*`rsa.internal.mcb_req`*:: +*`haproxy.destination.port`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most +type: alias -type: long +alias to: destination.port -- -*`rsa.internal.mcb_res`*:: +*`haproxy.destination.ip`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most +type: alias -type: long +alias to: destination.ip -- -*`rsa.internal.mcbc_req`*:: -+ --- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +[float] +=== geoip -type: long +Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used. --- -*`rsa.internal.mcbc_res`*:: + +*`haproxy.geoip.continent_name`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +type: alias -type: long +alias to: source.geo.continent_name -- -*`rsa.internal.medium`*:: +*`haproxy.geoip.country_iso_code`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session +type: alias -type: long +alias to: source.geo.country_iso_code -- -*`rsa.internal.node_name`*:: +*`haproxy.geoip.location`*:: + -- -Deprecated key defined only in table map. +type: alias -type: keyword +alias to: source.geo.location -- -*`rsa.internal.nwe_callback_id`*:: +*`haproxy.geoip.region_name`*:: + -- -This key denotes that event is endpoint related +type: alias -type: keyword +alias to: source.geo.region_name -- -*`rsa.internal.parse_error`*:: +*`haproxy.geoip.city_name`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +type: alias -type: keyword +alias to: source.geo.city_name -- -*`rsa.internal.payload_req`*:: +*`haproxy.geoip.region_iso_code`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +type: alias -type: long +alias to: source.geo.region_iso_code -- -*`rsa.internal.payload_res`*:: +[float] +=== http + +Please add description + + +[float] +=== response + +Fields related to the HTTP response + + +*`haproxy.http.response.captured_cookie`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +Optional "name=value" entry indicating that the client had this cookie in the response. -type: long -- -*`rsa.internal.process_vid_dst`*:: +*`haproxy.http.response.captured_headers`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. +List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. + type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`haproxy.http.response.status_code`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. +type: alias -type: keyword +alias to: http.response.status_code -- -*`rsa.internal.rid`*:: +[float] +=== request + +Fields related to the HTTP request + + +*`haproxy.http.request.captured_cookie`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Optional "name=value" entry indicating that the server has returned a cookie with its request. -type: long -- -*`rsa.internal.session_split`*:: +*`haproxy.http.request.captured_headers`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. + type: keyword -- -*`rsa.internal.site`*:: +*`haproxy.http.request.raw_request_line`*:: + -- -Deprecated key defined only in table map. +Complete HTTP request line, including the method, request and HTTP version string. type: keyword -- -*`rsa.internal.size`*:: +*`haproxy.http.request.time_wait_without_data_ms`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. type: long -- -*`rsa.internal.sourcefile`*:: +*`haproxy.http.request.time_wait_ms`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. -type: keyword +type: long -- -*`rsa.internal.ubc_req`*:: -+ --- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +[float] +=== tcp -type: long +TCP log format --- -*`rsa.internal.ubc_res`*:: +*`haproxy.tcp.connection_waiting_time_ms`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +Total time in milliseconds elapsed between the accept and the last close type: long -- -*`rsa.internal.word`*:: -+ --- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log +[[exported-fields-host-processor]] +== Host fields -type: keyword +Info collected for the host machine. --- -*`rsa.time.event_time`*:: + +*`host.containerized`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +If the host is a container. -type: date + +type: boolean -- -*`rsa.time.duration_time`*:: +*`host.os.build`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. +OS build information. -type: double + +type: keyword + +example: 18D109 -- -*`rsa.time.event_time_str`*:: +*`host.os.codename`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string +OS codename, if any. + type: keyword --- +example: stretch -*`rsa.time.starttime`*:: -+ -- -This key is used to capture the Start time mentioned in a session in a standard form -type: date +[[exported-fields-ibmmq]] +== ibmmq fields --- +ibmmq Module -*`rsa.time.month`*:: -+ --- -type: keyword --- -*`rsa.time.day`*:: -+ --- -type: keyword +[float] +=== ibmmq --- -*`rsa.time.endtime`*:: -+ --- -This key is used to capture the End time mentioned in a session in a standard form -type: date --- +[float] +=== errorlog -*`rsa.time.timezone`*:: +IBM MQ error logs + + +*`ibmmq.errorlog.installation`*:: + -- -This key is used to capture the timezone of the Event Time +This is the installation name which can be given at installation time. +Each installation of IBM MQ on UNIX, Linux, and Windows, has a unique identifier known as an installation name. The installation name is used to associate things such as queue managers and configuration files with an installation. + type: keyword -- -*`rsa.time.duration_str`*:: +*`ibmmq.errorlog.qmgr`*:: + -- -A text string version of the duration +Name of the queue manager. Queue managers provide queuing services to applications, and manages the queues that belong to them. + type: keyword -- -*`rsa.time.date`*:: +*`ibmmq.errorlog.arithinsert`*:: + -- +Changing content based on error.id + type: keyword -- -*`rsa.time.year`*:: +*`ibmmq.errorlog.commentinsert`*:: + -- +Changing content based on error.id + type: keyword -- -*`rsa.time.recorded_time`*:: +*`ibmmq.errorlog.errordescription`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. +Please add description -type: date +type: text + +example: Please add example -- -*`rsa.time.datetime`*:: +*`ibmmq.errorlog.explanation`*:: + -- +Explaines the error in more detail + type: keyword -- -*`rsa.time.effective_time`*:: +*`ibmmq.errorlog.action`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format +Defines what to do when the error occurs -type: date +type: keyword -- -*`rsa.time.expire_time`*:: +*`ibmmq.errorlog.code`*:: + -- -This key is the timestamp that explicitly refers to an expiration. +Error code. -type: date +type: keyword -- -*`rsa.time.process_time`*:: -+ +[[exported-fields-icinga]] +== Icinga fields + +Icinga Module + + + +[float] +=== icinga + + + + +[float] +=== debug + +Contains fields for the Icinga debug logs. + + + +*`icinga.debug.facility`*:: ++ -- -Deprecated, use duration.time +Specifies what component of Icinga logged the message. + type: keyword -- -*`rsa.time.hour`*:: +*`icinga.debug.severity`*:: + -- -type: keyword +type: alias + +alias to: log.level -- -*`rsa.time.min`*:: +*`icinga.debug.message`*:: + -- -type: keyword +type: alias + +alias to: message -- -*`rsa.time.timestamp`*:: +[float] +=== main + +Contains fields for the Icinga main logs. + + + +*`icinga.main.facility`*:: + -- +Specifies what component of Icinga logged the message. + + type: keyword -- -*`rsa.time.event_queue_time`*:: +*`icinga.main.severity`*:: + -- -This key is the Time that the event was queued. +type: alias -type: date +alias to: log.level -- -*`rsa.time.p_time1`*:: +*`icinga.main.message`*:: + -- -type: keyword +type: alias + +alias to: message -- -*`rsa.time.tzone`*:: +[float] +=== startup + +Contains fields for the Icinga startup logs. + + + +*`icinga.startup.facility`*:: + -- +Specifies what component of Icinga logged the message. + + type: keyword -- -*`rsa.time.eventtime`*:: +*`icinga.startup.severity`*:: + -- -type: keyword +type: alias + +alias to: log.level -- -*`rsa.time.gmtdate`*:: +*`icinga.startup.message`*:: + -- -type: keyword +type: alias + +alias to: message -- -*`rsa.time.gmttime`*:: +[[exported-fields-iis]] +== IIS fields + +Module for parsing IIS log files. + + + +[float] +=== iis + +Fields from IIS log files. + + + +[float] +=== access + +Contains fields for IIS access logs. + + + +*`iis.access.sub_status`*:: + -- -type: keyword +The HTTP substatus code. + + +type: long -- -*`rsa.time.p_date`*:: +*`iis.access.win32_status`*:: + -- -type: keyword +The Windows status code. + + +type: long -- -*`rsa.time.p_month`*:: +*`iis.access.site_name`*:: + -- +The site name and instance number. + + type: keyword -- -*`rsa.time.p_time`*:: +*`iis.access.server_name`*:: + -- +The name of the server on which the log file entry was generated. + + type: keyword -- -*`rsa.time.p_time2`*:: +*`iis.access.cookie`*:: + -- +The content of the cookie sent or received, if any. + + type: keyword -- -*`rsa.time.p_year`*:: +*`iis.access.body_received.bytes`*:: + -- -type: keyword +type: alias + +alias to: http.request.body.bytes -- -*`rsa.time.expire_time_str`*:: +*`iis.access.body_sent.bytes`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. +type: alias -type: keyword +alias to: http.response.body.bytes -- -*`rsa.time.stamp`*:: +*`iis.access.server_ip`*:: + -- -Deprecated key defined only in table map. +type: alias -type: date +alias to: destination.address -- - -*`rsa.misc.action`*:: +*`iis.access.method`*:: + -- -type: keyword +type: alias + +alias to: http.request.method -- -*`rsa.misc.result`*:: +*`iis.access.url`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. +type: alias -type: keyword +alias to: url.path -- -*`rsa.misc.severity`*:: +*`iis.access.query_string`*:: + -- -This key is used to capture the severity given the session +type: alias -type: keyword +alias to: url.query -- -*`rsa.misc.event_type`*:: +*`iis.access.port`*:: + -- -This key captures the event category type as specified by the event source. +type: alias -type: keyword +alias to: destination.port -- -*`rsa.misc.reference_id`*:: +*`iis.access.user_name`*:: + -- -This key is used to capture an event id from the session directly +type: alias -type: keyword +alias to: user.name -- -*`rsa.misc.version`*:: +*`iis.access.remote_ip`*:: + -- -This key captures Version of the application or OS which is generating the event. +type: alias -type: keyword +alias to: source.address -- -*`rsa.misc.disposition`*:: +*`iis.access.referrer`*:: + -- -This key captures the The end state of an action. +type: alias -type: keyword +alias to: http.request.referrer -- -*`rsa.misc.result_code`*:: +*`iis.access.response_code`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session +type: alias -type: keyword +alias to: http.response.status_code -- -*`rsa.misc.category`*:: +*`iis.access.http_version`*:: + -- -This key is used to capture the category of an event given by the vendor in the session +type: alias -type: keyword +alias to: http.version -- -*`rsa.misc.obj_name`*:: +*`iis.access.hostname`*:: + -- -This is used to capture name of object +type: alias -type: keyword +alias to: host.hostname -- -*`rsa.misc.obj_type`*:: + +*`iis.access.user_agent.device`*:: + -- -This is used to capture type of object +type: alias -type: keyword +alias to: user_agent.device.name -- -*`rsa.misc.event_source`*:: +*`iis.access.user_agent.name`*:: + -- -This key captures Source of the event that’s not a hostname +type: alias -type: keyword +alias to: user_agent.name -- -*`rsa.misc.log_session_id`*:: +*`iis.access.user_agent.os`*:: + -- -This key is used to capture a sessionid from the session directly +type: alias -type: keyword +alias to: user_agent.os.full_name -- -*`rsa.misc.group`*:: +*`iis.access.user_agent.os_name`*:: + -- -This key captures the Group Name value +type: alias -type: keyword +alias to: user_agent.os.name -- -*`rsa.misc.policy_name`*:: +*`iis.access.user_agent.original`*:: + -- -This key is used to capture the Policy Name only. +type: alias -type: keyword +alias to: user_agent.original -- -*`rsa.misc.rule_name`*:: + +*`iis.access.geoip.continent_name`*:: + -- -This key captures the Rule Name +type: alias -type: keyword +alias to: source.geo.continent_name -- -*`rsa.misc.context`*:: +*`iis.access.geoip.country_iso_code`*:: + -- -This key captures Information which adds additional context to the event. +type: alias -type: keyword +alias to: source.geo.country_iso_code -- -*`rsa.misc.change_new`*:: +*`iis.access.geoip.location`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session +type: alias -type: keyword +alias to: source.geo.location -- -*`rsa.misc.space`*:: +*`iis.access.geoip.region_name`*:: + -- -type: keyword +type: alias + +alias to: source.geo.region_name -- -*`rsa.misc.client`*:: +*`iis.access.geoip.city_name`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. +type: alias -type: keyword +alias to: source.geo.city_name -- -*`rsa.misc.msgIdPart1`*:: +*`iis.access.geoip.region_iso_code`*:: + -- -type: keyword +type: alias + +alias to: source.geo.region_iso_code -- -*`rsa.misc.msgIdPart2`*:: +[float] +=== error + +Contains fields for IIS error logs. + + + +*`iis.error.reason_phrase`*:: + -- +The HTTP reason phrase. + + type: keyword -- -*`rsa.misc.change_old`*:: +*`iis.error.queue_name`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session +The IIS application pool name. + type: keyword -- -*`rsa.misc.operation_id`*:: +*`iis.error.remote_ip`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. +type: alias -type: keyword +alias to: source.address -- -*`rsa.misc.event_state`*:: +*`iis.error.remote_port`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. +type: alias -type: keyword +alias to: source.port -- -*`rsa.misc.group_object`*:: +*`iis.error.server_ip`*:: + -- -This key captures a collection/grouping of entities. Specific usage +type: alias -type: keyword +alias to: destination.address -- -*`rsa.misc.node`*:: +*`iis.error.server_port`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. +type: alias -type: keyword +alias to: destination.port -- -*`rsa.misc.rule`*:: +*`iis.error.http_version`*:: + -- -This key captures the Rule number +type: alias -type: keyword +alias to: http.version -- -*`rsa.misc.device_name`*:: +*`iis.error.method`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc +type: alias -type: keyword +alias to: http.request.method -- -*`rsa.misc.param`*:: +*`iis.error.url`*:: + -- -This key is the parameters passed as part of a command or application, etc. +type: alias -type: keyword +alias to: url.original -- -*`rsa.misc.change_attrib`*:: +*`iis.error.response_code`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session +type: alias -type: keyword +alias to: http.response.status_code -- -*`rsa.misc.event_computer`*:: + +*`iis.error.geoip.continent_name`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. +type: alias -type: keyword +alias to: source.geo.continent_name -- -*`rsa.misc.reference_id1`*:: +*`iis.error.geoip.country_iso_code`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" +type: alias -type: keyword +alias to: source.geo.country_iso_code -- -*`rsa.misc.event_log`*:: +*`iis.error.geoip.location`*:: + -- -This key captures the Name of the event log +type: alias -type: keyword +alias to: source.geo.location -- -*`rsa.misc.OS`*:: +*`iis.error.geoip.region_name`*:: + -- -This key captures the Name of the Operating System +type: alias -type: keyword +alias to: source.geo.region_name -- -*`rsa.misc.terminal`*:: +*`iis.error.geoip.city_name`*:: + -- -This key captures the Terminal Names only +type: alias -type: keyword +alias to: source.geo.city_name -- -*`rsa.misc.msgIdPart3`*:: +*`iis.error.geoip.region_iso_code`*:: + -- -type: keyword +type: alias + +alias to: source.geo.region_iso_code -- -*`rsa.misc.filter`*:: +[[exported-fields-imperva]] +== Imperva SecureSphere fields + +imperva fields. + + + +*`network.interface.name`*:: + -- -This key captures Filter used to reduce result set +Name of the network interface where the traffic has been observed. + type: keyword -- -*`rsa.misc.serial_number`*:: + + +*`rsa.internal.msg`*:: + -- -This key is the Serial number associated with a physical asset. +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`rsa.misc.checksum`*:: +*`rsa.internal.messageid`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.internal.event_desc`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - type: keyword -- -*`rsa.misc.virusname`*:: +*`rsa.internal.message`*:: + -- -This key captures the name of the virus +This key captures the contents of instant messages type: keyword -- -*`rsa.misc.content_type`*:: +*`rsa.internal.time`*:: + -- -This key is used to capture Content Type only. +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -type: keyword +type: date -- -*`rsa.misc.group_id`*:: +*`rsa.internal.level`*:: + -- -This key captures Group ID Number (related to the group name) +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.policy_id`*:: +*`rsa.internal.msg_id`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.vsys`*:: +*`rsa.internal.msg_vid`*:: + -- -This key captures Virtual System Name +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.connection_id`*:: +*`rsa.internal.data`*:: + -- -This key captures the Connection ID +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.reference_id2`*:: +*`rsa.internal.obj_server`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.internal.obj_val`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.internal.resource`*:: + -- -This key captures IDS/IPS Int Signature ID +Deprecated key defined only in table map. -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.internal.obj_id`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.internal.statement`*:: + -- -This key captures the Rule group name +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.risk_num`*:: +*`rsa.internal.audit_class`*:: + -- -This key captures a Numeric Risk value +Deprecated key defined only in table map. -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.internal.entry`*:: + -- -This key captures the Value of the trigger or threshold condition. +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.internal.hcode`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.comp_version`*:: +*`rsa.internal.inode`*:: + -- -This key captures the Version level of a sub-component of a product. +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.content_version`*:: +*`rsa.internal.resource_class`*:: + -- -This key captures Version level of a signature or database content. +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.hardware_id`*:: +*`rsa.internal.dead`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.misc.risk`*:: +*`rsa.internal.feed_desc`*:: + -- -This key captures the non-numeric risk value +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.internal.feed_name`*:: + -- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.internal.cid`*:: + -- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.status`*:: +*`rsa.internal.device_class`*:: + -- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.internal.device_group`*:: + -- -This key is used to capture the mailbox id/name +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.rule_uid`*:: +*`rsa.internal.device_host`*:: + -- -This key is the Unique Identifier for a rule. +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.trigger_desc`*:: +*`rsa.internal.device_ip`*:: + -- -This key captures the Description of the trigger or threshold condition. +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.misc.inout`*:: +*`rsa.internal.device_ipv6`*:: + -- -type: keyword +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`rsa.misc.p_msgid`*:: +*`rsa.internal.device_type`*:: + -- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.data_type`*:: +*`rsa.internal.device_type_id`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.internal.did`*:: + -- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.error`*:: +*`rsa.internal.entropy_req`*:: + -- -This key captures All non successful Error codes or responses +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`rsa.misc.index`*:: +*`rsa.internal.entropy_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`rsa.misc.listnum`*:: +*`rsa.internal.event_name`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.internal.feed_category`*:: + -- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.observed_val`*:: +*`rsa.internal.forward_ip`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: keyword +type: ip -- -*`rsa.misc.policy_value`*:: +*`rsa.internal.forward_ipv6`*:: + -- -This key captures the contents of the policy. This contains details about the policy +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.misc.pool_name`*:: +*`rsa.internal.header_id`*:: + -- -This key captures the name of a resource pool +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.internal.lc_cid`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.count`*:: +*`rsa.internal.lc_ctime`*:: + -- -type: keyword +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date -- -*`rsa.misc.number`*:: +*`rsa.internal.mcb_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`rsa.misc.sigcat`*:: +*`rsa.internal.mcb_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`rsa.misc.type`*:: +*`rsa.internal.mcbc_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long -- -*`rsa.misc.comments`*:: +*`rsa.internal.mcbc_res`*:: + -- -Comment information provided in the log message +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.misc.doc_number`*:: +*`rsa.internal.medium`*:: + -- -This key captures File Identification number +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session type: long -- -*`rsa.misc.expected_val`*:: +*`rsa.internal.node_name`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.job_num`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -This key captures the Job Number +This key denotes that event is endpoint related type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.internal.parse_error`*:: + -- -Destination SPI Index +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.spi_src`*:: +*`rsa.internal.payload_req`*:: + -- -Source SPI Index +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`rsa.misc.code`*:: +*`rsa.internal.payload_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`rsa.misc.agent_id`*:: +*`rsa.internal.process_vid_dst`*:: + -- -This key is used to capture agent id +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`rsa.misc.message_body`*:: +*`rsa.internal.process_vid_src`*:: + -- -This key captures the The contents of the message body. +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- -*`rsa.misc.phone`*:: +*`rsa.internal.rid`*:: + -- -type: keyword +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`rsa.misc.sig_id_str`*:: +*`rsa.internal.session_split`*:: + -- -This key captures a string object of the sigid variable. +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.cmd`*:: +*`rsa.internal.site`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.internal.size`*:: + -- -type: keyword +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`rsa.misc.name`*:: +*`rsa.internal.sourcefile`*:: + -- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.cpu`*:: +*`rsa.internal.ubc_req`*:: + -- -This key is the CPU time used in the execution of the event being recorded. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once type: long -- -*`rsa.misc.event_desc`*:: +*`rsa.internal.ubc_res`*:: + -- -This key is used to capture a description of an event available directly or inferred +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.misc.sig_id1`*:: +*`rsa.internal.word`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log -type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: + +*`rsa.time.event_time`*:: + -- -type: keyword +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date -- -*`rsa.misc.im_client`*:: +*`rsa.time.duration_time`*:: + -- -type: keyword +This key is used to capture the normalized duration/lifetime in seconds. + +type: double -- -*`rsa.misc.im_userid`*:: +*`rsa.time.event_time_str`*:: + -- +This key is used to capture the incomplete time mentioned in a session as a string + type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.time.starttime`*:: + -- -type: keyword +This key is used to capture the Start time mentioned in a session in a standard form + +type: date -- -*`rsa.misc.priority`*:: +*`rsa.time.month`*:: + -- type: keyword -- -*`rsa.misc.context_subject`*:: +*`rsa.time.day`*:: + -- -This key is to be used in an audit context where the subject is the object being identified - type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.time.endtime`*:: + -- -type: keyword +This key is used to capture the End time mentioned in a session in a standard form + +type: date -- -*`rsa.misc.cve`*:: +*`rsa.time.timezone`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. +This key is used to capture the timezone of the Event Time type: keyword -- -*`rsa.misc.fcatnum`*:: +*`rsa.time.duration_str`*:: + -- -This key captures Filter Category Number. Legacy Usage +A text string version of the duration type: keyword -- -*`rsa.misc.library`*:: +*`rsa.time.date`*:: + -- -This key is used to capture library information in mainframe devices - type: keyword -- -*`rsa.misc.parent_node`*:: +*`rsa.time.year`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. - type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.time.recorded_time`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: keyword +type: date -- -*`rsa.misc.tcp_flags`*:: +*`rsa.time.datetime`*:: + -- -This key is captures the TCP flags set in any packet of session - -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.time.effective_time`*:: + -- -This key describes the type of service +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: long +type: date -- -*`rsa.misc.vm_target`*:: +*`rsa.time.expire_time`*:: + -- -VMWare Target **VMWARE** only varaible. +This key is the timestamp that explicitly refers to an expiration. -type: keyword +type: date -- -*`rsa.misc.workspace`*:: +*`rsa.time.process_time`*:: + -- -This key captures Workspace Description +Deprecated, use duration.time type: keyword -- -*`rsa.misc.command`*:: +*`rsa.time.hour`*:: + -- type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.time.min`*:: + -- type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.time.timestamp`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.time.event_queue_time`*:: + -- -type: keyword +This key is the Time that the event was queued. + +type: date -- -*`rsa.misc.jobname`*:: +*`rsa.time.p_time1`*:: + -- type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.time.tzone`*:: + -- type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.time.eventtime`*:: + -- type: keyword -- -*`rsa.misc.policy_waiver`*:: +*`rsa.time.gmtdate`*:: + -- type: keyword -- -*`rsa.misc.second`*:: +*`rsa.time.gmttime`*:: + -- type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.time.p_date`*:: + -- type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.time.p_month`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.time.p_time`*:: + -- type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.time.p_time2`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.time.p_year`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.time.expire_time_str`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. +This key is used to capture incomplete timestamp that explicitly refers to an expiration. type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.time.stamp`*:: + -- -This key captures the Filter Result +Deprecated key defined only in table map. -type: long +type: date -- -*`rsa.misc.payload_dst`*:: + +*`rsa.misc.action`*:: + -- -This key is used to capture destination payload - type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.misc.result`*:: + -- -This key is used to capture source payload +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.misc.severity`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool +This key is used to capture the severity given the session type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.misc.event_type`*:: + -- -This key is a failure key for Process ID when it is not an integer value +This key captures the event category type as specified by the event source. type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.misc.reference_id`*:: + -- -This key captures Risk Number Community +This key is used to capture an event id from the session directly -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.misc.version`*:: + -- -This key captures Risk Number NextGen +This key captures Version of the application or OS which is generating the event. -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.misc.disposition`*:: + -- -This key captures Risk Number SandBox +This key captures the The end state of an action. -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.misc.result_code`*:: + -- -This key captures Risk Number Static +This key is used to capture the outcome/result numeric value of an action in a session -type: double +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`rsa.misc.category`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.obj_name`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This is used to capture name of object type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.obj_type`*:: + -- -SNMP Object Identifier +This is used to capture type of object type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.event_source`*:: + -- -This key captures the SQL query +This key captures Source of the event that’s not a hostname type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.misc.log_session_id`*:: + -- -This key captures the Vulnerability Reference details +This key is used to capture a sessionid from the session directly type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.group`*:: + -- +This key captures the Group Name value + type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.policy_name`*:: + -- +This key is used to capture the Policy Name only. + type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.rule_name`*:: + -- +This key captures the Rule Name + type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.context`*:: + -- +This key captures Information which adds additional context to the event. + type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.change_new`*:: + -- +This key is used to capture the new values of the attribute that’s changing in a session + type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.space`*:: + -- type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.client`*:: + -- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.msgIdPart1`*:: + -- type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.misc.msgIdPart2`*:: + -- type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.change_old`*:: + -- +This key is used to capture the old value of the attribute that’s changing in a session + type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.operation_id`*:: + -- +An alert number or operation number. The values should be unique and non-repeating. + type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.event_state`*:: + -- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.group_object`*:: + -- +This key captures a collection/grouping of entities. Specific usage + type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.misc.node`*:: + -- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.rule`*:: + -- +This key captures the Rule number + type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.device_name`*:: + -- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.param`*:: + -- +This key is the parameters passed as part of a command or application, etc. + type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.change_attrib`*:: + -- +This key is used to capture the name of the attribute that’s changing in a session + type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.event_computer`*:: + -- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.reference_id1`*:: + -- +This key is for Linked ID to be used as an addition to "reference.id" + type: keyword -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.event_log`*:: + -- +This key captures the Name of the event log + type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.misc.OS`*:: + -- +This key captures the Name of the Operating System + type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.misc.terminal`*:: + -- +This key captures the Terminal Names only + type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.misc.msgIdPart3`*:: + -- type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.filter`*:: + -- +This key captures Filter used to reduce result set + type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.serial_number`*:: + -- +This key is the Serial number associated with a physical asset. + type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.misc.checksum`*:: + -- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.event_user`*:: + -- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.misc.virusname`*:: + -- +This key captures the name of the virus + type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.misc.content_type`*:: + -- +This key is used to capture Content Type only. + type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.misc.group_id`*:: + -- +This key captures Group ID Number (related to the group name) + type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.misc.policy_id`*:: + -- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.vsys`*:: + -- +This key captures Virtual System Name + type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.connection_id`*:: + -- +This key captures the Connection ID + type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.reference_id2`*:: + -- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.sensor`*:: + -- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.sig_id`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID + +type: long -- -*`rsa.misc.cn_invalid`*:: +*`rsa.misc.port_name`*:: + -- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.rule_group`*:: + -- +This key captures the Rule group name + type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. + +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. + +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: + -- type: keyword @@ -73512,407 +76668,10 @@ type: keyword -- -[[exported-fields-iptables]] -== iptables fields - -Module for handling the iptables logs. - - - -[float] -=== iptables - -Fields from the iptables logs. - - - -*`iptables.ether_type`*:: -+ --- -Value of the ethernet type field identifying the network layer protocol. - - -type: long - --- - -*`iptables.flow_label`*:: -+ --- -IPv6 flow label. - - -type: integer - --- - -*`iptables.fragment_flags`*:: -+ --- -IP fragment flags. A combination of CE, DF and MF. - - -type: keyword - --- - -*`iptables.fragment_offset`*:: -+ --- -Offset of the current IP fragment. - - -type: long - --- - -[float] -=== icmp - -ICMP fields. - - - -*`iptables.icmp.code`*:: -+ --- -ICMP code. - - -type: long - --- - -*`iptables.icmp.id`*:: -+ --- -ICMP ID. - - -type: long - --- - -*`iptables.icmp.parameter`*:: -+ --- -ICMP parameter. - - -type: long - --- - -*`iptables.icmp.redirect`*:: -+ --- -ICMP redirect address. - - -type: ip - --- - -*`iptables.icmp.seq`*:: -+ --- -ICMP sequence number. - - -type: long - --- - -*`iptables.icmp.type`*:: -+ --- -ICMP type. - - -type: long - --- - -*`iptables.id`*:: -+ --- -Packet identifier. - - -type: long - --- - -*`iptables.incomplete_bytes`*:: -+ --- -Number of incomplete bytes. - - -type: long - --- - -*`iptables.input_device`*:: -+ --- -Device that received the packet. - - -type: keyword - --- - -*`iptables.precedence_bits`*:: -+ --- -IP precedence bits. - - -type: short - --- - -*`iptables.tos`*:: -+ --- -IP Type of Service field. - - -type: long - --- - -*`iptables.length`*:: -+ --- -Packet length. - - -type: long - --- - -*`iptables.output_device`*:: -+ --- -Device that output the packet. - - -type: keyword - --- - -[float] -=== tcp - -TCP fields. - - - -*`iptables.tcp.flags`*:: -+ --- -TCP flags. - - -type: keyword - --- - -*`iptables.tcp.reserved_bits`*:: -+ --- -TCP reserved bits. - - -type: short - --- - -*`iptables.tcp.seq`*:: -+ --- -TCP sequence number. - - -type: long - --- - -*`iptables.tcp.ack`*:: -+ --- -TCP Acknowledgment number. - - -type: long - --- - -*`iptables.tcp.window`*:: -+ --- -Advertised TCP window size. - - -type: long - --- - -*`iptables.ttl`*:: -+ --- -Time To Live field. - - -type: integer - --- - -[float] -=== udp - -UDP fields. - - - -*`iptables.udp.length`*:: -+ --- -Length of the UDP header and payload. - - -type: long - --- - -[float] -=== ubiquiti - -Fields for Ubiquiti network devices. - - - -*`iptables.ubiquiti.input_zone`*:: -+ --- -Input zone. - - -type: keyword - --- - -*`iptables.ubiquiti.output_zone`*:: -+ --- -Output zone. - - -type: keyword - --- - -*`iptables.ubiquiti.rule_number`*:: -+ --- -The rule number within the rule set. - -type: keyword - --- - -*`iptables.ubiquiti.rule_set`*:: -+ --- -The rule set name. - -type: keyword - --- - -[[exported-fields-jolokia-autodiscover]] -== Jolokia Discovery autodiscover provider fields - -Metadata from Jolokia Discovery added by the jolokia provider. - - - -*`jolokia.agent.version`*:: -+ --- -Version number of jolokia agent. - - -type: keyword - --- - -*`jolokia.agent.id`*:: -+ --- -Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. - - -type: keyword - --- - -*`jolokia.server.product`*:: -+ --- -The container product if detected. - - -type: keyword - --- - -*`jolokia.server.version`*:: -+ --- -The container's version (if detected). - - -type: keyword - --- - -*`jolokia.server.vendor`*:: -+ --- -The vendor of the container the agent is running in. - - -type: keyword - --- - -*`jolokia.url`*:: -+ --- -The URL how this agent can be contacted. - - -type: keyword - --- - -*`jolokia.secured`*:: -+ --- -Whether the agent was configured for authentication or not. - - -type: boolean - --- - -[[exported-fields-juniper]] -== Juniper JUNOS fields +[[exported-fields-infoblox]] +== Infoblox NIOS fields -juniper fields. +infoblox fields. @@ -79343,105 +82102,407 @@ type: keyword -- -[[exported-fields-kafka]] -== Kafka fields +[[exported-fields-iptables]] +== iptables fields -Kafka module +Module for handling the iptables logs. [float] -=== kafka +=== iptables + +Fields from the iptables logs. + +*`iptables.ether_type`*:: ++ +-- +Value of the ethernet type field identifying the network layer protocol. + + +type: long + +-- + +*`iptables.flow_label`*:: ++ +-- +IPv6 flow label. + + +type: integer + +-- + +*`iptables.fragment_flags`*:: ++ +-- +IP fragment flags. A combination of CE, DF and MF. + + +type: keyword + +-- + +*`iptables.fragment_offset`*:: ++ +-- +Offset of the current IP fragment. +type: long + +-- + [float] -=== log +=== icmp -Kafka log lines. +ICMP fields. -*`kafka.log.level`*:: +*`iptables.icmp.code`*:: + -- -type: alias +ICMP code. -alias to: log.level + +type: long -- -*`kafka.log.message`*:: +*`iptables.icmp.id`*:: + -- -type: alias +ICMP ID. -alias to: message + +type: long -- -*`kafka.log.component`*:: +*`iptables.icmp.parameter`*:: + -- -Component the log is coming from. +ICMP parameter. + + +type: long + +-- + +*`iptables.icmp.redirect`*:: ++ +-- +ICMP redirect address. + + +type: ip + +-- + +*`iptables.icmp.seq`*:: ++ +-- +ICMP sequence number. + + +type: long + +-- + +*`iptables.icmp.type`*:: ++ +-- +ICMP type. + + +type: long + +-- + +*`iptables.id`*:: ++ +-- +Packet identifier. + + +type: long + +-- + +*`iptables.incomplete_bytes`*:: ++ +-- +Number of incomplete bytes. + + +type: long + +-- + +*`iptables.input_device`*:: ++ +-- +Device that received the packet. type: keyword -- -*`kafka.log.class`*:: +*`iptables.precedence_bits`*:: + -- -Java class the log is coming from. +IP precedence bits. + + +type: short + +-- + +*`iptables.tos`*:: ++ +-- +IP Type of Service field. + + +type: long + +-- + +*`iptables.length`*:: ++ +-- +Packet length. + + +type: long + +-- + +*`iptables.output_device`*:: ++ +-- +Device that output the packet. type: keyword -- -*`kafka.log.thread`*:: +[float] +=== tcp + +TCP fields. + + + +*`iptables.tcp.flags`*:: + -- -Thread name the log is coming from. +TCP flags. type: keyword -- +*`iptables.tcp.reserved_bits`*:: ++ +-- +TCP reserved bits. + + +type: short + +-- + +*`iptables.tcp.seq`*:: ++ +-- +TCP sequence number. + + +type: long + +-- + +*`iptables.tcp.ack`*:: ++ +-- +TCP Acknowledgment number. + + +type: long + +-- + +*`iptables.tcp.window`*:: ++ +-- +Advertised TCP window size. + + +type: long + +-- + +*`iptables.ttl`*:: ++ +-- +Time To Live field. + + +type: integer + +-- + [float] -=== trace +=== udp -Trace in the log line. +UDP fields. -*`kafka.log.trace.class`*:: +*`iptables.udp.length`*:: + -- -Java class the trace is coming from. +Length of the UDP header and payload. + + +type: long + +-- + +[float] +=== ubiquiti + +Fields for Ubiquiti network devices. + + + +*`iptables.ubiquiti.input_zone`*:: ++ +-- +Input zone. type: keyword -- -*`kafka.log.trace.message`*:: +*`iptables.ubiquiti.output_zone`*:: + -- -Message part of the trace. +Output zone. -type: text +type: keyword -- -[[exported-fields-kaspersky]] -== Kaspersky Anti-Virus fields +*`iptables.ubiquiti.rule_number`*:: ++ +-- +The rule number within the rule set. -kaspersky fields. +type: keyword + +-- + +*`iptables.ubiquiti.rule_set`*:: ++ +-- +The rule set name. + +type: keyword + +-- + +[[exported-fields-jolokia-autodiscover]] +== Jolokia Discovery autodiscover provider fields + +Metadata from Jolokia Discovery added by the jolokia provider. + + + +*`jolokia.agent.version`*:: ++ +-- +Version number of jolokia agent. + + +type: keyword + +-- + +*`jolokia.agent.id`*:: ++ +-- +Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. + + +type: keyword + +-- + +*`jolokia.server.product`*:: ++ +-- +The container product if detected. + + +type: keyword + +-- + +*`jolokia.server.version`*:: ++ +-- +The container's version (if detected). + + +type: keyword + +-- + +*`jolokia.server.vendor`*:: ++ +-- +The vendor of the container the agent is running in. + + +type: keyword + +-- + +*`jolokia.url`*:: ++ +-- +The URL how this agent can be contacted. + + +type: keyword + +-- + +*`jolokia.secured`*:: ++ +-- +Whether the agent was configured for authentication or not. + + +type: boolean + +-- + +[[exported-fields-juniper]] +== Juniper JUNOS fields + +juniper fields. @@ -84872,6 +87933,101 @@ type: keyword -- +[[exported-fields-kafka]] +== Kafka fields + +Kafka module + + + +[float] +=== kafka + + + + +[float] +=== log + +Kafka log lines. + + + +*`kafka.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`kafka.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +*`kafka.log.component`*:: ++ +-- +Component the log is coming from. + + +type: keyword + +-- + +*`kafka.log.class`*:: ++ +-- +Java class the log is coming from. + + +type: keyword + +-- + +*`kafka.log.thread`*:: ++ +-- +Thread name the log is coming from. + + +type: keyword + +-- + +[float] +=== trace + +Trace in the log line. + + + +*`kafka.log.trace.class`*:: ++ +-- +Java class the trace is coming from. + + +type: keyword + +-- + +*`kafka.log.trace.message`*:: ++ +-- +Message part of the trace. + + +type: text + +-- + [[exported-fields-kibana]] == kibana fields @@ -85107,18 +88263,6 @@ Contains log file lines. -*`log.file.path`*:: -+ --- -The file from which the line was read. This field contains the absolute path to the file. For example: `/var/log/system.log`. - - -type: keyword - -required: False - --- - *`log.source.address`*:: + -- @@ -85655,11 +88799,188 @@ alias to: event.duration -- [[exported-fields-microsoft]] -== Microsoft DHCP fields +== Microsoft fields + +Microsoft Module + + + +[float] +=== microsoft.defender_atp + +Module for ingesting Microsoft Defender ATP. + + + +*`microsoft.defender_atp.lastUpdateTime`*:: ++ +-- +The date and time (in UTC) the alert was last updated. + + +type: date + +-- + +*`microsoft.defender_atp.resolvedTime`*:: ++ +-- +The date and time in which the status of the alert was changed to 'Resolved'. + + +type: date -microsoft fields. +-- + +*`microsoft.defender_atp.incidentId`*:: ++ +-- +The Incident ID of the Alert. + + +type: keyword + +-- + +*`microsoft.defender_atp.investigationId`*:: ++ +-- +The Investigation ID related to the Alert. + + +type: keyword + +-- + +*`microsoft.defender_atp.investigationState`*:: ++ +-- +The current state of the Investigation. + + +type: keyword + +-- + +*`microsoft.defender_atp.assignedTo`*:: ++ +-- +Owner of the alert. + + +type: keyword + +-- + +*`microsoft.defender_atp.status`*:: ++ +-- +Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. + + +type: keyword + +-- + +*`microsoft.defender_atp.classification`*:: ++ +-- +Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. + + +type: keyword + +-- + +*`microsoft.defender_atp.determination`*:: ++ +-- +Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'. + + +type: keyword + +-- + +*`microsoft.defender_atp.threatFamilyName`*:: ++ +-- +Threat family. + + +type: keyword + +-- + +*`microsoft.defender_atp.rbacGroupName`*:: ++ +-- +User group related to the alert + + +type: keyword + +-- + +*`microsoft.defender_atp.evidence.domainName`*:: ++ +-- +Domain name related to the alert + + +type: keyword + +-- + +*`microsoft.defender_atp.evidence.ipAddress`*:: ++ +-- +IP address involved in the alert + + +type: ip + +-- + +*`microsoft.defender_atp.evidence.aadUserId`*:: ++ +-- +ID of the user involved in the alert + + +type: keyword + +-- + +*`microsoft.defender_atp.evidence.accountName`*:: ++ +-- +Username of the user involved in the alert + + +type: keyword + +-- + +*`microsoft.defender_atp.evidence.entityType`*:: ++ +-- +The type of evidence + + +type: keyword + +-- + +*`microsoft.defender_atp.evidence.userPrincipalName`*:: ++ +-- +Principal name of the user involved in the alert +type: keyword + +-- *`network.interface.name`*:: + @@ -93012,3104 +96333,16291 @@ type: short -- -*`netflow.ip_class_of_service`*:: +*`netflow.ip_class_of_service`*:: ++ +-- +type: short + +-- + +*`netflow.tcp_control_bits`*:: ++ +-- +type: integer + +-- + +*`netflow.source_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.source_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv4_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.ingress_interface`*:: ++ +-- +type: long + +-- + +*`netflow.destination_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.destination_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.destination_ipv4_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.egress_interface`*:: ++ +-- +type: long + +-- + +*`netflow.ip_next_hop_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.bgp_source_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.bgp_destination_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.bgp_next_hop_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_mcast_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_end_sys_up_time`*:: ++ +-- +type: long + +-- + +*`netflow.flow_start_sys_up_time`*:: ++ +-- +type: long + +-- + +*`netflow.post_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.minimum_ip_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.maximum_ip_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.source_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.destination_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv6_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.destination_ipv6_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.flow_label_ipv6`*:: ++ +-- +type: long + +-- + +*`netflow.icmp_type_code_ipv4`*:: ++ +-- +type: integer + +-- + +*`netflow.igmp_type`*:: ++ +-- +type: short + +-- + +*`netflow.sampling_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_algorithm`*:: ++ +-- +type: short + +-- + +*`netflow.flow_active_timeout`*:: ++ +-- +type: integer + +-- + +*`netflow.flow_idle_timeout`*:: ++ +-- +type: integer + +-- + +*`netflow.engine_type`*:: ++ +-- +type: short + +-- + +*`netflow.engine_id`*:: ++ +-- +type: short + +-- + +*`netflow.exported_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.exported_message_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.exported_flow_record_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ipv4_router_sc`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv4_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.destination_ipv4_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.mpls_top_label_type`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_top_label_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.sampler_id`*:: ++ +-- +type: short + +-- + +*`netflow.sampler_mode`*:: ++ +-- +type: short + +-- + +*`netflow.sampler_random_interval`*:: ++ +-- +type: long + +-- + +*`netflow.class_id`*:: ++ +-- +type: long + +-- + +*`netflow.minimum_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.maximum_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.fragment_identification`*:: ++ +-- +type: long + +-- + +*`netflow.post_ip_class_of_service`*:: ++ +-- +type: short + +-- + +*`netflow.source_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_destination_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.post_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.ip_version`*:: ++ +-- +type: short + +-- + +*`netflow.flow_direction`*:: ++ +-- +type: short + +-- + +*`netflow.ip_next_hop_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.bgp_next_hop_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.ipv6_extension_headers`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_top_label_stack_section`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section2`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section3`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section4`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section5`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section6`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section7`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section8`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section9`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section10`*:: ++ +-- +type: short + +-- + +*`netflow.destination_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_source_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.interface_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.interface_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.sampler_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.flags_and_sampler_id`*:: ++ +-- +type: long + +-- + +*`netflow.fragment_offset`*:: ++ +-- +type: integer + +-- + +*`netflow.forwarding_status`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_vpn_route_distinguisher`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_top_label_prefix_length`*:: ++ +-- +type: short + +-- + +*`netflow.src_traffic_index`*:: ++ +-- +type: long + +-- + +*`netflow.dst_traffic_index`*:: ++ +-- +type: long + +-- + +*`netflow.application_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.application_id`*:: ++ +-- +type: short + +-- + +*`netflow.application_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_ip_diff_serv_code_point`*:: ++ +-- +type: short + +-- + +*`netflow.multicast_replication_factor`*:: ++ +-- +type: long + +-- + +*`netflow.class_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.classification_engine_id`*:: ++ +-- +type: short + +-- + +*`netflow.layer2packet_section_offset`*:: ++ +-- +type: integer + +-- + +*`netflow.layer2packet_section_size`*:: ++ +-- +type: integer + +-- + +*`netflow.layer2packet_section_data`*:: ++ +-- +type: short + +-- + +*`netflow.bgp_next_adjacent_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.bgp_prev_adjacent_as_number`*:: ++ +-- +type: long + +-- + +*`netflow.exporter_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.exporter_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.dropped_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_end_reason`*:: ++ +-- +type: short + +-- + +*`netflow.common_properties_id`*:: ++ +-- +type: long + +-- + +*`netflow.observation_point_id`*:: ++ +-- +type: long + +-- + +*`netflow.icmp_type_code_ipv6`*:: ++ +-- +type: integer + +-- + +*`netflow.mpls_top_label_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.line_card_id`*:: ++ +-- +type: long + +-- + +*`netflow.port_id`*:: ++ +-- +type: long + +-- + +*`netflow.metering_process_id`*:: ++ +-- +type: long + +-- + +*`netflow.exporting_process_id`*:: ++ +-- +type: long + +-- + +*`netflow.template_id`*:: ++ +-- +type: integer + +-- + +*`netflow.wlan_channel_id`*:: ++ +-- +type: short + +-- + +*`netflow.wlan_ssid`*:: ++ +-- +type: keyword + +-- + +*`netflow.flow_id`*:: ++ +-- +type: long + +-- + +*`netflow.observation_domain_id`*:: ++ +-- +type: long + +-- + +*`netflow.flow_start_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_start_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_start_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_start_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_end_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_start_delta_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.flow_end_delta_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.system_init_time_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.flow_duration_milliseconds`*:: ++ +-- +type: long + +-- + +*`netflow.flow_duration_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.observed_flow_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_flow_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.destination_ipv6_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.source_ipv6_prefix`*:: ++ +-- +type: ip + +-- + +*`netflow.post_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_key_indicator`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.icmp_type_ipv4`*:: ++ +-- +type: short + +-- + +*`netflow.icmp_code_ipv4`*:: ++ +-- +type: short + +-- + +*`netflow.icmp_type_ipv6`*:: ++ +-- +type: short + +-- + +*`netflow.icmp_code_ipv6`*:: ++ +-- +type: short + +-- + +*`netflow.udp_source_port`*:: ++ +-- +type: integer + +-- + +*`netflow.udp_destination_port`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_source_port`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_destination_port`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_sequence_number`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_acknowledgement_number`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_window_size`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_urgent_pointer`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_header_length`*:: ++ +-- +type: short + +-- + +*`netflow.ip_header_length`*:: ++ +-- +type: short + +-- + +*`netflow.total_length_ipv4`*:: ++ +-- +type: integer + +-- + +*`netflow.payload_length_ipv6`*:: ++ +-- +type: integer + +-- + +*`netflow.ip_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.next_header_ipv6`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_payload_length`*:: ++ +-- +type: long + +-- + +*`netflow.ip_diff_serv_code_point`*:: ++ +-- +type: short + +-- + +*`netflow.ip_precedence`*:: ++ +-- +type: short + +-- + +*`netflow.fragment_flags`*:: ++ +-- +type: short + +-- + +*`netflow.octet_delta_sum_of_squares`*:: ++ +-- +type: long + +-- + +*`netflow.octet_total_sum_of_squares`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_top_label_ttl`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_length`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_label_stack_depth`*:: ++ +-- +type: long + +-- + +*`netflow.mpls_top_label_exp`*:: ++ +-- +type: short + +-- + +*`netflow.ip_payload_length`*:: ++ +-- +type: long + +-- + +*`netflow.udp_message_length`*:: ++ +-- +type: integer + +-- + +*`netflow.is_multicast`*:: ++ +-- +type: short + +-- + +*`netflow.ipv4_ihl`*:: ++ +-- +type: short + +-- + +*`netflow.ipv4_options`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_options`*:: ++ +-- +type: long + +-- + +*`netflow.padding_octets`*:: ++ +-- +type: short + +-- + +*`netflow.collector_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.collector_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.export_interface`*:: ++ +-- +type: long + +-- + +*`netflow.export_protocol_version`*:: ++ +-- +type: short + +-- + +*`netflow.export_transport_protocol`*:: ++ +-- +type: short + +-- + +*`netflow.collector_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.exporter_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.tcp_syn_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_fin_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_rst_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_psh_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_ack_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.tcp_urg_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ip_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.post_nat_source_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_nat_destination_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_napt_source_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.post_napt_destination_transport_port`*:: ++ +-- +type: integer + +-- + +*`netflow.nat_originating_address_realm`*:: ++ +-- +type: short + +-- + +*`netflow.nat_event`*:: ++ +-- +type: short + +-- + +*`netflow.initiator_octets`*:: ++ +-- +type: long + +-- + +*`netflow.responder_octets`*:: ++ +-- +type: long + +-- + +*`netflow.firewall_event`*:: ++ +-- +type: short + +-- + +*`netflow.ingress_vrfid`*:: ++ +-- +type: long + +-- + +*`netflow.egress_vrfid`*:: ++ +-- +type: long + +-- + +*`netflow.vr_fname`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_mpls_top_label_exp`*:: ++ +-- +type: short + +-- + +*`netflow.tcp_window_scale`*:: ++ +-- +type: integer + +-- + +*`netflow.biflow_direction`*:: ++ +-- +type: short + +-- + +*`netflow.ethernet_header_length`*:: ++ +-- +type: short + +-- + +*`netflow.ethernet_payload_length`*:: ++ +-- +type: integer + +-- + +*`netflow.ethernet_total_length`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_priority`*:: ++ +-- +type: short + +-- + +*`netflow.dot1q_customer_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_customer_priority`*:: ++ +-- +type: short + +-- + +*`netflow.metro_evc_id`*:: ++ +-- +type: keyword + +-- + +*`netflow.metro_evc_type`*:: ++ +-- +type: short + +-- + +*`netflow.pseudo_wire_id`*:: ++ +-- +type: long + +-- + +*`netflow.pseudo_wire_type`*:: ++ +-- +type: integer + +-- + +*`netflow.pseudo_wire_control_word`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_physical_interface`*:: ++ +-- +type: long + +-- + +*`netflow.egress_physical_interface`*:: ++ +-- +type: long + +-- + +*`netflow.post_dot1q_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.post_dot1q_customer_vlan_id`*:: ++ +-- +type: integer + +-- + +*`netflow.ethernet_type`*:: ++ +-- +type: integer + +-- + +*`netflow.post_ip_precedence`*:: ++ +-- +type: short + +-- + +*`netflow.collection_time_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.export_sctp_stream_id`*:: ++ +-- +type: integer + +-- + +*`netflow.max_export_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.max_flow_end_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.message_md5_checksum`*:: ++ +-- +type: short + +-- + +*`netflow.message_scope`*:: ++ +-- +type: short + +-- + +*`netflow.min_export_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.opaque_octets`*:: ++ +-- +type: short + +-- + +*`netflow.session_scope`*:: ++ +-- +type: short + +-- + +*`netflow.max_flow_end_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.max_flow_end_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.max_flow_end_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.min_flow_start_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.collector_certificate`*:: ++ +-- +type: short + +-- + +*`netflow.exporter_certificate`*:: ++ +-- +type: short + +-- + +*`netflow.data_records_reliability`*:: ++ +-- +type: boolean + +-- + +*`netflow.observation_point_type`*:: ++ +-- +type: short + +-- + +*`netflow.new_connection_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.connection_sum_duration_seconds`*:: ++ +-- +type: long + +-- + +*`netflow.connection_transaction_id`*:: ++ +-- +type: long + +-- + +*`netflow.post_nat_source_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.post_nat_destination_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.nat_pool_id`*:: ++ +-- +type: long + +-- + +*`netflow.nat_pool_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.anonymization_flags`*:: ++ +-- +type: integer + +-- + +*`netflow.anonymization_technique`*:: ++ +-- +type: integer + +-- + +*`netflow.information_element_index`*:: ++ +-- +type: integer + +-- + +*`netflow.p2p_technology`*:: ++ +-- +type: keyword + +-- + +*`netflow.tunnel_technology`*:: ++ +-- +type: keyword + +-- + +*`netflow.encrypted_technology`*:: ++ +-- +type: keyword + +-- + +*`netflow.bgp_validity_state`*:: ++ +-- +type: short + +-- + +*`netflow.ip_sec_spi`*:: ++ +-- +type: long + +-- + +*`netflow.gre_key`*:: ++ +-- +type: long + +-- + +*`netflow.nat_type`*:: ++ +-- +type: short + +-- + +*`netflow.initiator_packets`*:: ++ +-- +type: long + +-- + +*`netflow.responder_packets`*:: ++ +-- +type: long + +-- + +*`netflow.observation_domain_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.selection_sequence_id`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id`*:: ++ +-- +type: long + +-- + +*`netflow.information_element_id`*:: ++ +-- +type: integer + +-- + +*`netflow.selector_algorithm`*:: ++ +-- +type: integer + +-- + +*`netflow.sampling_packet_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_packet_space`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_time_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_time_space`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_size`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_population`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_probability`*:: ++ +-- +type: double + +-- + +*`netflow.data_link_frame_size`*:: ++ +-- +type: integer + +-- + +*`netflow.ip_header_packet_section`*:: ++ +-- +type: short + +-- + +*`netflow.ip_payload_packet_section`*:: ++ +-- +type: short + +-- + +*`netflow.data_link_frame_section`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_label_stack_section`*:: ++ +-- +type: short + +-- + +*`netflow.mpls_payload_packet_section`*:: ++ +-- +type: short + +-- + +*`netflow.selector_id_total_pkts_observed`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id_total_pkts_selected`*:: ++ +-- +type: long + +-- + +*`netflow.absolute_error`*:: ++ +-- +type: double + +-- + +*`netflow.relative_error`*:: ++ +-- +type: double + +-- + +*`netflow.observation_time_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.observation_time_milliseconds`*:: ++ +-- +type: date + +-- + +*`netflow.observation_time_microseconds`*:: ++ +-- +type: date + +-- + +*`netflow.observation_time_nanoseconds`*:: ++ +-- +type: date + +-- + +*`netflow.digest_hash_value`*:: ++ +-- +type: long + +-- + +*`netflow.hash_ip_payload_offset`*:: ++ +-- +type: long + +-- + +*`netflow.hash_ip_payload_size`*:: ++ +-- +type: long + +-- + +*`netflow.hash_output_range_min`*:: ++ +-- +type: long + +-- + +*`netflow.hash_output_range_max`*:: ++ +-- +type: long + +-- + +*`netflow.hash_selected_range_min`*:: ++ +-- +type: long + +-- + +*`netflow.hash_selected_range_max`*:: ++ +-- +type: long + +-- + +*`netflow.hash_digest_output`*:: ++ +-- +type: boolean + +-- + +*`netflow.hash_initialiser_value`*:: ++ +-- +type: long + +-- + +*`netflow.selector_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.upper_ci_limit`*:: ++ +-- +type: double + +-- + +*`netflow.lower_ci_limit`*:: ++ +-- +type: double + +-- + +*`netflow.confidence_level`*:: ++ +-- +type: double + +-- + +*`netflow.information_element_data_type`*:: ++ +-- +type: short + +-- + +*`netflow.information_element_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.information_element_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.information_element_range_begin`*:: ++ +-- +type: long + +-- + +*`netflow.information_element_range_end`*:: ++ +-- +type: long + +-- + +*`netflow.information_element_semantics`*:: ++ +-- +type: short + +-- + +*`netflow.information_element_units`*:: ++ +-- +type: integer + +-- + +*`netflow.private_enterprise_number`*:: ++ +-- +type: long + +-- + +*`netflow.virtual_station_interface_id`*:: ++ +-- +type: short + +-- + +*`netflow.virtual_station_interface_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.virtual_station_uuid`*:: ++ +-- +type: short + +-- + +*`netflow.virtual_station_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.layer2_segment_id`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_unicast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_multicast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ingress_broadcast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.egress_unicast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.egress_broadcast_packet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.monitoring_interval_start_milli_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.monitoring_interval_end_milli_seconds`*:: ++ +-- +type: date + +-- + +*`netflow.port_range_start`*:: ++ +-- +type: integer + +-- + +*`netflow.port_range_end`*:: ++ +-- +type: integer + +-- + +*`netflow.port_range_step_size`*:: ++ +-- +type: integer + +-- + +*`netflow.port_range_num_ports`*:: ++ +-- +type: integer + +-- + +*`netflow.sta_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.sta_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.wtp_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.ingress_interface_type`*:: ++ +-- +type: long + +-- + +*`netflow.egress_interface_type`*:: ++ +-- +type: long + +-- + +*`netflow.rtp_sequence_number`*:: ++ +-- +type: integer + +-- + +*`netflow.user_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.application_category_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.application_sub_category_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.application_group_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.original_flows_present`*:: ++ +-- +type: long + +-- + +*`netflow.original_flows_initiated`*:: ++ +-- +type: long + +-- + +*`netflow.original_flows_completed`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_source_ip_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_destination_ip_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_source_ipv4_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_destination_ipv4_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_source_ipv6_address`*:: ++ +-- +type: long + +-- + +*`netflow.distinct_count_of_destination_ipv6_address`*:: ++ +-- +type: long + +-- + +*`netflow.value_distribution_method`*:: ++ +-- +type: short + +-- + +*`netflow.rfc3550_jitter_milliseconds`*:: ++ +-- +type: long + +-- + +*`netflow.rfc3550_jitter_microseconds`*:: ++ +-- +type: long + +-- + +*`netflow.rfc3550_jitter_nanoseconds`*:: ++ +-- +type: long + +-- + +*`netflow.dot1q_dei`*:: ++ +-- +type: boolean + +-- + +*`netflow.dot1q_customer_dei`*:: ++ +-- +type: boolean + +-- + +*`netflow.flow_selector_algorithm`*:: ++ +-- +type: integer + +-- + +*`netflow.flow_selected_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_selected_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.flow_selected_flow_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id_total_flows_observed`*:: ++ +-- +type: long + +-- + +*`netflow.selector_id_total_flows_selected`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_flow_interval`*:: ++ +-- +type: long + +-- + +*`netflow.sampling_flow_spacing`*:: ++ +-- +type: long + +-- + +*`netflow.flow_sampling_time_interval`*:: ++ +-- +type: long + +-- + +*`netflow.flow_sampling_time_spacing`*:: ++ +-- +type: long + +-- + +*`netflow.hash_flow_domain`*:: ++ +-- +type: integer + +-- + +*`netflow.transport_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.transport_packet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.original_exporter_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.original_exporter_ipv6_address`*:: ++ +-- +type: ip + +-- + +*`netflow.original_observation_domain_id`*:: ++ +-- +type: long + +-- + +*`netflow.intermediate_process_id`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_data_record_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.data_link_frame_type`*:: ++ +-- +type: integer + +-- + +*`netflow.section_offset`*:: ++ +-- +type: integer + +-- + +*`netflow.section_exported_octets`*:: ++ +-- +type: integer + +-- + +*`netflow.dot1q_service_instance_tag`*:: ++ +-- +type: short + +-- + +*`netflow.dot1q_service_instance_id`*:: ++ +-- +type: long + +-- + +*`netflow.dot1q_service_instance_priority`*:: ++ +-- +type: short + +-- + +*`netflow.dot1q_customer_source_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.dot1q_customer_destination_mac_address`*:: ++ +-- +type: keyword + +-- + +*`netflow.post_layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.post_mcast_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.minimum_layer2_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.maximum_layer2_total_length`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_layer2_octet_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.dropped_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.ignored_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.not_sent_layer2_octet_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_octet_delta_sum_of_squares`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_octet_total_sum_of_squares`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_frame_delta_count`*:: ++ +-- +type: long + +-- + +*`netflow.layer2_frame_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.pseudo_wire_destination_ipv4_address`*:: ++ +-- +type: ip + +-- + +*`netflow.ignored_layer2_frame_total_count`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_integer`*:: ++ +-- +type: integer + +-- + +*`netflow.mib_object_value_octet_string`*:: ++ +-- +type: short + +-- + +*`netflow.mib_object_value_oid`*:: ++ +-- +type: short + +-- + +*`netflow.mib_object_value_bits`*:: ++ +-- +type: short + +-- + +*`netflow.mib_object_value_ip_address`*:: ++ +-- +type: ip + +-- + +*`netflow.mib_object_value_counter`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_gauge`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_time_ticks`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_value_unsigned`*:: ++ +-- +type: long + +-- + +*`netflow.mib_object_identifier`*:: ++ +-- +type: short + +-- + +*`netflow.mib_sub_identifier`*:: ++ +-- +type: long + +-- + +*`netflow.mib_index_indicator`*:: ++ +-- +type: long + +-- + +*`netflow.mib_capture_time_semantics`*:: ++ +-- +type: short + +-- + +*`netflow.mib_context_engine_id`*:: ++ +-- +type: short + +-- + +*`netflow.mib_context_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_object_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_object_description`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_object_syntax`*:: ++ +-- +type: keyword + +-- + +*`netflow.mib_module_name`*:: ++ +-- +type: keyword + +-- + +*`netflow.mobile_imsi`*:: ++ +-- +type: keyword + +-- + +*`netflow.mobile_msisdn`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_status_code`*:: ++ +-- +type: integer + +-- + +*`netflow.source_transport_ports_limit`*:: ++ +-- +type: integer + +-- + +*`netflow.http_request_method`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_request_host`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_request_target`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_message_version`*:: ++ +-- +type: keyword + +-- + +*`netflow.nat_instance_id`*:: ++ +-- +type: long + +-- + +*`netflow.internal_address_realm`*:: ++ +-- +type: short + +-- + +*`netflow.external_address_realm`*:: ++ +-- +type: short + +-- + +*`netflow.nat_quota_exceeded_event`*:: ++ +-- +type: long + +-- + +*`netflow.nat_threshold_event`*:: ++ +-- +type: long + +-- + +*`netflow.http_user_agent`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_content_type`*:: ++ +-- +type: keyword + +-- + +*`netflow.http_reason_phrase`*:: ++ +-- +type: keyword + +-- + +*`netflow.max_session_entries`*:: ++ +-- +type: long + +-- + +*`netflow.max_bib_entries`*:: ++ +-- +type: long + +-- + +*`netflow.max_entries_per_user`*:: ++ +-- +type: long + +-- + +*`netflow.max_subscribers`*:: ++ +-- +type: long + +-- + +*`netflow.max_fragments_pending_reassembly`*:: ++ +-- +type: long + +-- + +*`netflow.address_pool_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_pool_low_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_port_mapping_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_port_mapping_low_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.address_port_mapping_per_user_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.global_address_mapping_high_threshold`*:: ++ +-- +type: long + +-- + +*`netflow.vpn_identifier`*:: ++ +-- +type: short + +-- + +[[exported-fields-netscout]] +== Arbor Peakflow SP fields + +netscout fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. + +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. + +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. + +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. + +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. + +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_table`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.admin`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarm_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alarmname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.app_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.audit_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.auditdata`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.benchmark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.bypass`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cache_hit`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cefversion`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_attr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_obj`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cfg_path`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.changes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client_ip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.clustermembers`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_acttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_asn_src`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_bgpv4nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ctr_dst_code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_dst_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_engine_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_f_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampintv`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_flowsampmode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inacttimeout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermbyts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_inpermpckts`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_invalid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ip_proto_ver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_ipv4_ident`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_l_switch`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_did`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_log_rid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_max_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_maxpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_min_ttl`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_minpcktlen`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_10`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_5`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_6`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_7`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_8`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mpls_lbl_9`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mplstoplabip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_byt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_mul_dst_pks`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_muligmptype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampalgo`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sampint`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_seqctr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_spackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_tos`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_src_vlan`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_template_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totbytsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totflowexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_totpcktsexp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_unixnanosecs`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6flowlabel`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cn_v6optheaders`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_rbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comp_sbytes`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.criticality`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_agency_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_analyzedby`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_other`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_primary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_av_secondary`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bgpv6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_bit9status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_context`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_control`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_datecret`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_dst_tld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_dst_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_eth_src_ven`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_event_uuid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_filetype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_if_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ip_next_hop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4dstpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_ipv4srcpre`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_lifetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_log_medium`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_loginname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulescore`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_modulesign`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_opswatresult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_payload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrant`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_registrar`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_represult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_rpayload`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sampler_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_sourcemodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_streams`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_targetmodule`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_v6nxthop`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_whois_server`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cs_yararesult`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.description`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.devvendor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.distance`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.dstburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.edomaub`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.euid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facility`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.finterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.flags`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.gaddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.id3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_buddyname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_croomtype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_members`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipscat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ipspri`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.latitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.linenum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.list_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.load_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_floor`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.location_mark`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.log_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logip`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.logname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.longitude`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.lport`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mbug_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc_name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msg_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.netsessid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.nwwn`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.operation`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.opkt`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.orig_from`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.owner_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_filter`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_group_object`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_result1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_chg`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.password_expire`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permgranted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.permwanted`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policyUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.prog_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.program`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.real_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_device`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_asp_num`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.rec_library`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.recordnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.ruid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sdomain_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sec`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sensorname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.seqnum`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.session`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sessiontype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigUUID`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.spi`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcburb`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.srcservice`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.state`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.svcno`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.system`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdom`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tgtdomain`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.threshold`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.udb_class`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.url_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.user_div`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.username_fld`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.utcstamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.v_instafname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.virt_data`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.vpnid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.autorun_type`*:: ++ +-- +This is used to capture Auto Run type + +type: keyword + +-- + +*`rsa.misc.cc_number`*:: ++ +-- +Valid Credit Card Numbers only + +type: long + +-- + +*`rsa.misc.content`*:: ++ +-- +This key captures the content type from protocol headers + +type: keyword + +-- + +*`rsa.misc.ein_number`*:: ++ +-- +Employee Identification Numbers only + +type: long + +-- + +*`rsa.misc.found`*:: ++ +-- +This is used to capture the results of regex match + +type: keyword + +-- + +*`rsa.misc.language`*:: ++ +-- +This is used to capture list of languages the client support and what it prefers + +type: keyword + +-- + +*`rsa.misc.lifetime`*:: ++ +-- +This key is used to capture the session lifetime in seconds. + +type: long + +-- + +*`rsa.misc.link`*:: ++ +-- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.misc.match`*:: ++ +-- +This key is for regex match name from search.ini + +type: keyword + +-- + +*`rsa.misc.param_dst`*:: ++ +-- +This key captures the command line/launch argument of the target process or file + +type: keyword + +-- + +*`rsa.misc.param_src`*:: ++ +-- +This key captures source parameter + +type: keyword + +-- + +*`rsa.misc.search_text`*:: ++ +-- +This key captures the Search Text used + +type: keyword + +-- + +*`rsa.misc.sig_name`*:: ++ +-- +This key is used to capture the Signature Name only. + +type: keyword + +-- + +*`rsa.misc.snmp_value`*:: ++ +-- +SNMP set request value + +type: keyword + +-- + +*`rsa.misc.streams`*:: ++ +-- +This key captures number of streams in session + +type: long + +-- + + +*`rsa.db.index`*:: ++ +-- +This key captures IndexID of the index. + +type: keyword + +-- + +*`rsa.db.instance`*:: ++ +-- +This key is used to capture the database server instance name + +type: keyword + +-- + +*`rsa.db.database`*:: ++ +-- +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword + +-- + +*`rsa.db.transact_id`*:: ++ +-- +This key captures the SQL transantion ID of the current session + +type: keyword + +-- + +*`rsa.db.permissions`*:: ++ +-- +This key captures permission or privilege level assigned to a resource. + +type: keyword + +-- + +*`rsa.db.table_name`*:: ++ +-- +This key is used to capture the table name + +type: keyword + +-- + +*`rsa.db.db_id`*:: ++ +-- +This key is used to capture the unique identifier for a database + +type: keyword + +-- + +*`rsa.db.db_pid`*:: ++ +-- +This key captures the process id of a connection with database server + +type: long + +-- + +*`rsa.db.lread`*:: ++ +-- +This key is used for the number of logical reads + +type: long + +-- + +*`rsa.db.lwrite`*:: ++ +-- +This key is used for the number of logical writes + +type: long + +-- + +*`rsa.db.pread`*:: ++ +-- +This key is used for the number of physical writes + +type: long + +-- + + +*`rsa.network.alias_host`*:: ++ +-- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword + +-- + +*`rsa.network.domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_dst`*:: ++ +-- +This key should only be used when it’s a Destination Hostname + +type: keyword + +-- + +*`rsa.network.network_service`*:: ++ +-- +This is used to capture layer 7 protocols/service names + +type: keyword + +-- + +*`rsa.network.interface`*:: ++ +-- +This key should be used when the source or destination context of an interface is not clear + +type: keyword + +-- + +*`rsa.network.network_port`*:: ++ +-- +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long + +-- + +*`rsa.network.eth_host`*:: ++ +-- +Deprecated, use alias.mac + +type: keyword + +-- + +*`rsa.network.sinterface`*:: ++ +-- +This key should only be used when it’s a Source Interface + +type: keyword + +-- + +*`rsa.network.dinterface`*:: ++ +-- +This key should only be used when it’s a Destination Interface + +type: keyword + +-- + +*`rsa.network.vlan`*:: ++ +-- +This key should only be used to capture the ID of the Virtual LAN + +type: long + +-- + +*`rsa.network.zone_src`*:: ++ +-- +This key should only be used when it’s a Source Zone. + +type: keyword + +-- + +*`rsa.network.zone`*:: ++ +-- +This key should be used when the source or destination context of a Zone is not clear + +type: keyword + +-- + +*`rsa.network.zone_dst`*:: ++ +-- +This key should only be used when it’s a Destination Zone. + +type: keyword + +-- + +*`rsa.network.gateway`*:: ++ +-- +This key is used to capture the IP Address of the gateway + +type: keyword + +-- + +*`rsa.network.icmp_type`*:: ++ +-- +This key is used to capture the ICMP type only + +type: long + +-- + +*`rsa.network.mask`*:: ++ +-- +This key is used to capture the device network IPmask. + +type: keyword + +-- + +*`rsa.network.icmp_code`*:: ++ +-- +This key is used to capture the ICMP code only + +type: long + +-- + +*`rsa.network.protocol_detail`*:: ++ +-- +This key should be used to capture additional protocol information + +type: keyword + +-- + +*`rsa.network.dmask`*:: ++ +-- +This key is used for Destionation Device network mask + +type: keyword + +-- + +*`rsa.network.port`*:: ++ +-- +This key should only be used to capture a Network Port when the directionality is not clear + +type: long + +-- + +*`rsa.network.smask`*:: ++ +-- +This key is used for capturing source Network Mask + +type: keyword + +-- + +*`rsa.network.netname`*:: ++ +-- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword + +-- + +*`rsa.network.paddr`*:: ++ +-- +Deprecated + +type: ip + +-- + +*`rsa.network.faddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.lhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.origin`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.remote_domain_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.addr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_a_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_ptr_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fhost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.fport`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.laddr`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.linterface`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.phost`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.ad_computer_dst`*:: ++ +-- +Deprecated, use host.dst + +type: keyword + +-- + +*`rsa.network.eth_type`*:: ++ +-- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long + +-- + +*`rsa.network.ip_proto`*:: ++ +-- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long + +-- + +*`rsa.network.dns_cname_record`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_opcode`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_resp`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.dns_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.domain1`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.packet_length`*:: ++ +-- +type: keyword + +-- + +*`rsa.network.host_orig`*:: ++ +-- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword + +-- + +*`rsa.network.rpayload`*:: ++ +-- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword + +-- + +*`rsa.network.vlan_name`*:: ++ +-- +This key should only be used to capture the name of the Virtual LAN + +type: keyword + +-- + + +*`rsa.investigations.ec_activity`*:: ++ +-- +This key captures the particular event activity(Ex:Logoff) + +type: keyword + +-- + +*`rsa.investigations.ec_theme`*:: ++ +-- +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword + +-- + +*`rsa.investigations.ec_subject`*:: ++ +-- +This key captures the Subject of a particular Event(Ex:User) + +type: keyword + +-- + +*`rsa.investigations.ec_outcome`*:: ++ +-- +This key captures the outcome of a particular Event(Ex:Success) + +type: keyword + +-- + +*`rsa.investigations.event_cat`*:: ++ +-- +This key captures the Event category number + +type: long + +-- + +*`rsa.investigations.event_cat_name`*:: ++ +-- +This key captures the event category name corresponding to the event cat code + +type: keyword + +-- + +*`rsa.investigations.event_vcat`*:: ++ +-- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword + +-- + +*`rsa.investigations.analysis_file`*:: ++ +-- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + +type: keyword + +-- + +*`rsa.investigations.analysis_service`*:: ++ +-- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + +type: keyword + +-- + +*`rsa.investigations.analysis_session`*:: ++ +-- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + +type: keyword + +-- + +*`rsa.investigations.boc`*:: ++ +-- +This is used to capture behaviour of compromise + +type: keyword + +-- + +*`rsa.investigations.eoc`*:: ++ +-- +This is used to capture Enablers of Compromise + +type: keyword + +-- + +*`rsa.investigations.inv_category`*:: ++ +-- +This used to capture investigation category + +type: keyword + +-- + +*`rsa.investigations.inv_context`*:: ++ +-- +This used to capture investigation context + +type: keyword + +-- + +*`rsa.investigations.ioc`*:: ++ +-- +This is key capture indicator of compromise + +type: keyword + +-- + + +*`rsa.counters.dclass_c1`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long + +-- + +*`rsa.counters.dclass_c2`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long + +-- + +*`rsa.counters.event_counter`*:: ++ +-- +This is used to capture the number of times an event repeated + +type: long + +-- + +*`rsa.counters.dclass_r1`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r1.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3`*:: ++ +-- +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long + +-- + +*`rsa.counters.dclass_c1_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword + +-- + +*`rsa.counters.dclass_c2_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r1_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword + +-- + +*`rsa.counters.dclass_r2`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword + +-- + +*`rsa.counters.dclass_c3_str`*:: ++ +-- +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3`*:: ++ +-- +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword + +-- + +*`rsa.counters.dclass_r2_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword + +-- + +*`rsa.counters.dclass_r3_str`*:: ++ +-- +This is a generic ratio string key that should be used with the label dclass.r3 only + +type: keyword + +-- + + +*`rsa.identity.auth_method`*:: ++ +-- +This key is used to capture authentication methods used only + +type: keyword + +-- + +*`rsa.identity.user_role`*:: ++ +-- +This key is used to capture the Role of a user only + +type: keyword + +-- + +*`rsa.identity.dn`*:: ++ +-- +X.500 (LDAP) Distinguished Name + +type: keyword + +-- + +*`rsa.identity.logon_type`*:: ++ +-- +This key is used to capture the type of logon method used. + +type: keyword + +-- + +*`rsa.identity.profile`*:: ++ +-- +This key is used to capture the user profile + +type: keyword + +-- + +*`rsa.identity.accesses`*:: ++ +-- +This key is used to capture actual privileges used in accessing an object + +type: keyword + +-- + +*`rsa.identity.realm`*:: ++ +-- +Radius realm or similar grouping of accounts + +type: keyword + +-- + +*`rsa.identity.user_sid_dst`*:: ++ +-- +This key captures Destination User Session ID + +type: keyword + +-- + +*`rsa.identity.dn_src`*:: ++ +-- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword + +-- + +*`rsa.identity.org`*:: ++ +-- +This key captures the User organization + +type: keyword + +-- + +*`rsa.identity.dn_dst`*:: ++ +-- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + +type: keyword + +-- + +*`rsa.identity.firstname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.lastname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.user_dept`*:: ++ +-- +User's Department Names only + +type: keyword + +-- + +*`rsa.identity.user_sid_src`*:: ++ +-- +This key captures Source User Session ID + +type: keyword + +-- + +*`rsa.identity.federated_sp`*:: ++ +-- +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword + +-- + +*`rsa.identity.federated_idp`*:: ++ +-- +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword + +-- + +*`rsa.identity.logon_type_desc`*:: ++ +-- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + +type: keyword + +-- + +*`rsa.identity.middlename`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.identity.password`*:: ++ +-- +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword + +-- + +*`rsa.identity.host_role`*:: ++ +-- +This key should only be used to capture the role of a Host Machine + +type: keyword + +-- + +*`rsa.identity.ldap`*:: ++ +-- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword + +-- + +*`rsa.identity.ldap_query`*:: ++ +-- +This key is the Search criteria from an LDAP search + +type: keyword + +-- + +*`rsa.identity.ldap_response`*:: ++ +-- +This key is to capture Results from an LDAP search + +type: keyword + +-- + +*`rsa.identity.owner`*:: ++ +-- +This is used to capture username the process or service is running as, the author of the task + +type: keyword + +-- + +*`rsa.identity.service_account`*:: ++ +-- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + +type: keyword + +-- + + +*`rsa.email.email_dst`*:: ++ +-- +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword + +-- + +*`rsa.email.email_src`*:: ++ +-- +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword + +-- + +*`rsa.email.subject`*:: ++ +-- +This key is used to capture the subject string from an Email only. + +type: keyword + +-- + +*`rsa.email.email`*:: ++ +-- +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword + +-- + +*`rsa.email.trans_from`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.email.trans_to`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + + +*`rsa.file.privilege`*:: ++ +-- +Deprecated, use permissions + +type: keyword + +-- + +*`rsa.file.attachment`*:: ++ +-- +This key captures the attachment file name + +type: keyword + +-- + +*`rsa.file.filesystem`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.binary`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.file.filename_dst`*:: ++ +-- +This is used to capture name of the file targeted by the action + +type: keyword + +-- + +*`rsa.file.filename_src`*:: ++ +-- +This is used to capture name of the parent filename, the file which performed the action + +type: keyword + +-- + +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- + +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-nginx]] +== Nginx fields + +Module for parsing the Nginx log files. + + + +[float] +=== nginx + +Fields from the Nginx log files. + + + +[float] +=== access + +Contains fields for the Nginx access logs. + + + +*`nginx.access.remote_ip_list`*:: ++ +-- +An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. + + +type: array + +-- + +*`nginx.access.body_sent.bytes`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`nginx.access.user_name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`nginx.access.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`nginx.access.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`nginx.access.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`nginx.access.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`nginx.access.referrer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`nginx.access.agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.access.user_agent.device`*:: ++ +-- +type: alias + +alias to: user_agent.device.name + +-- + +*`nginx.access.user_agent.name`*:: ++ +-- +type: alias + +alias to: user_agent.name + +-- + +*`nginx.access.user_agent.os`*:: ++ +-- +type: alias + +alias to: user_agent.os.full_name + +-- + +*`nginx.access.user_agent.os_name`*:: ++ +-- +type: alias + +alias to: user_agent.os.name + +-- + +*`nginx.access.user_agent.original`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.access.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`nginx.access.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`nginx.access.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`nginx.access.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`nginx.access.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`nginx.access.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[float] +=== error + +Contains fields for the Nginx error logs. + + + +*`nginx.error.connection_id`*:: ++ +-- +Connection identifier. + + +type: long + +-- + +*`nginx.error.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`nginx.error.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`nginx.error.tid`*:: ++ +-- +type: alias + +alias to: process.thread.id + +-- + +*`nginx.error.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +=== ingress_controller + +Contains fields for the Ingress Nginx controller access logs. + + + +*`nginx.ingress_controller.remote_ip_list`*:: ++ +-- +An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. + + +type: array + +-- + +*`nginx.ingress_controller.http.request.length`*:: ++ +-- +The request length (including request line, header, and request body) + + +type: long + +format: bytes + +-- + +*`nginx.ingress_controller.http.request.time`*:: ++ +-- +Time elapsed since the first bytes were read from the client + + +type: double + +format: duration + +-- + +*`nginx.ingress_controller.upstream.name`*:: ++ +-- +The name of the upstream. + + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.alternative_name`*:: ++ +-- +The name of the alternative upstream. + + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.response.length`*:: ++ +-- +The length of the response obtained from the upstream server + + +type: long + +format: bytes + +-- + +*`nginx.ingress_controller.upstream.response.time`*:: ++ +-- +The time spent on receiving the response from the upstream server as seconds with millisecond resolution + + +type: double + +format: duration + +-- + +*`nginx.ingress_controller.upstream.response.status_code`*:: ++ +-- +The status code of the response obtained from the upstream server + + +type: long + +-- + +*`nginx.ingress_controller.http.request.id`*:: ++ +-- +The randomly generated ID of the request + + +type: keyword + +-- + +*`nginx.ingress_controller.upstream.ip`*:: ++ +-- +The IP address of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas. + + +type: ip + +-- + +*`nginx.ingress_controller.upstream.port`*:: ++ +-- +The port of the upstream server. + + +type: long + +-- + +*`nginx.ingress_controller.body_sent.bytes`*:: ++ +-- +type: alias + +alias to: http.response.body.bytes + +-- + +*`nginx.ingress_controller.user_name`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`nginx.ingress_controller.method`*:: ++ +-- +type: alias + +alias to: http.request.method + +-- + +*`nginx.ingress_controller.url`*:: ++ +-- +type: alias + +alias to: url.original + +-- + +*`nginx.ingress_controller.http_version`*:: ++ +-- +type: alias + +alias to: http.version + +-- + +*`nginx.ingress_controller.response_code`*:: ++ +-- +type: alias + +alias to: http.response.status_code + +-- + +*`nginx.ingress_controller.referrer`*:: ++ +-- +type: alias + +alias to: http.request.referrer + +-- + +*`nginx.ingress_controller.agent`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.ingress_controller.user_agent.device`*:: ++ +-- +type: alias + +alias to: user_agent.device.name + +-- + +*`nginx.ingress_controller.user_agent.name`*:: ++ +-- +type: alias + +alias to: user_agent.name + +-- + +*`nginx.ingress_controller.user_agent.os`*:: ++ +-- +type: alias + +alias to: user_agent.os.full_name + +-- + +*`nginx.ingress_controller.user_agent.os_name`*:: ++ +-- +type: alias + +alias to: user_agent.os.name + +-- + +*`nginx.ingress_controller.user_agent.original`*:: ++ +-- +type: alias + +alias to: user_agent.original + +-- + + +*`nginx.ingress_controller.geoip.continent_name`*:: ++ +-- +type: alias + +alias to: source.geo.continent_name + +-- + +*`nginx.ingress_controller.geoip.country_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.country_iso_code + +-- + +*`nginx.ingress_controller.geoip.location`*:: ++ +-- +type: alias + +alias to: source.geo.location + +-- + +*`nginx.ingress_controller.geoip.region_name`*:: ++ +-- +type: alias + +alias to: source.geo.region_name + +-- + +*`nginx.ingress_controller.geoip.city_name`*:: ++ +-- +type: alias + +alias to: source.geo.city_name + +-- + +*`nginx.ingress_controller.geoip.region_iso_code`*:: ++ +-- +type: alias + +alias to: source.geo.region_iso_code + +-- + +[[exported-fields-o365]] +== Office 365 fields + +Module for handling logs from Office 365. + + + +[float] +=== o365.audit + +Fields from Office 365 Management API audit logs. + + + +*`o365.audit.Actor`*:: ++ +-- +type: array + +-- + +*`o365.audit.ActorContextId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ActorIpAddress`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ActorUserId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ActorYammerUserId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AlertEntityId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AlertId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AlertLinks`*:: ++ +-- +type: array + +-- + +*`o365.audit.AlertType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AppId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ApplicationDisplayName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ApplicationId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.AzureActiveDirectoryEventType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ExchangeMetaData.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.Category`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientAppId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientInfoString`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientIP`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ClientIPAddress`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Comments`*:: ++ +-- +type: text + +-- + +*`o365.audit.CorrelationId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.CreationTime`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.CustomUniqueId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Data`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.DataType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.EntityType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.EventData`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.EventSource`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ExceptionInfo.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ExtendedProperties.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ExternalAccess`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.GroupName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Id`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ImplicitShare`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.IncidentId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.InternalLogonType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.InterSystemsId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.IntraSystemId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Item.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.Item.*.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ItemName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ItemType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ListId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ListItemUniqueId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.LogonError`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.LogonType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.LogonUserSid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxGuid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxOwnerMasterAccountSid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxOwnerSid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.MailboxOwnerUPN`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Members`*:: ++ +-- +type: array + +-- + +*`o365.audit.Members.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.ModifiedProperties.*.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.Name`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ObjectId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Operation`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.OrganizationId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.OrganizationName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.OriginatingServer`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Parameters.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.PolicyDetails`*:: ++ +-- +type: array + +-- + +*`o365.audit.PolicyId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.RecordType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.ResultStatus`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SensitiveInfoDetectionIsIncluded`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SharePointMetaData.*`*:: ++ +-- +type: object + +-- + +*`o365.audit.SessionId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Severity`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Site`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SiteUrl`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Source`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SourceFileExtension`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SourceFileName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SourceRelativeUrl`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Status`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.SupportTicketId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Target`*:: ++ +-- +type: array + +-- + +*`o365.audit.TargetContextId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TargetUserOrGroupName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TargetUserOrGroupType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TeamName`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.TeamGuid`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UniqueSharingId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserAgent`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserKey`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.UserType`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Version`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.WebId`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.Workload`*:: ++ +-- +type: keyword + +-- + +*`o365.audit.YammerNetworkId`*:: ++ +-- +type: keyword + +-- + +[[exported-fields-okta]] +== Okta fields + +Module for handling system logs from Okta. + + + +[float] +=== okta + +Fields from Okta. + + + +*`okta.uuid`*:: ++ +-- +The unique identifier of the Okta LogEvent. + + +type: keyword + +-- + +*`okta.event_type`*:: ++ +-- +The type of the LogEvent. + + +type: keyword + +-- + +*`okta.version`*:: ++ +-- +The version of the LogEvent. + + +type: keyword + +-- + +*`okta.severity`*:: ++ +-- +The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. + + +type: keyword + +-- + +*`okta.display_message`*:: ++ +-- +The display message of the LogEvent. + + +type: keyword + +-- + +[float] +=== actor + +Fields that let you store information of the actor for the LogEvent. + + + +*`okta.actor.id`*:: ++ +-- +Identifier of the actor. + + +type: keyword + +-- + +*`okta.actor.type`*:: ++ +-- +Type of the actor. + + +type: keyword + +-- + +*`okta.actor.alternate_id`*:: ++ +-- +Alternate identifier of the actor. + + +type: keyword + +-- + +*`okta.actor.display_name`*:: ++ +-- +Display name of the actor. + + +type: keyword + +-- + +[float] +=== client + +Fields that let you store information about the client of the actor. + + + +*`okta.client.ip`*:: ++ +-- +The IP address of the client. + + +type: ip + +-- + +[float] +=== user_agent + +Fields about the user agent information of the client. + + + +*`okta.client.user_agent.raw_user_agent`*:: ++ +-- +The raw informaton of the user agent. + + +type: keyword + +-- + +*`okta.client.user_agent.os`*:: ++ +-- +The OS informaton. + + +type: keyword + +-- + +*`okta.client.user_agent.browser`*:: ++ +-- +The browser informaton of the client. + + +type: keyword + +-- + +*`okta.client.zone`*:: ++ +-- +The zone information of the client. + + +type: keyword + +-- + +*`okta.client.device`*:: ++ +-- +The information of the client device. + + +type: keyword + +-- + +*`okta.client.id`*:: ++ +-- +The identifier of the client. + + +type: keyword + +-- + +[float] +=== outcome + +Fields that let you store information about the outcome. + + + +*`okta.outcome.reason`*:: ++ +-- +The reason of the outcome. + + +type: keyword + +-- + +*`okta.outcome.result`*:: ++ +-- +The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. + + +type: keyword + +-- + +*`okta.target`*:: ++ +-- +The list of targets. + + +type: array + +-- + +[float] +=== transaction + +Fields that let you store information about related transaction. + + + +*`okta.transaction.id`*:: ++ +-- +Identifier of the transaction. + + +type: keyword + +-- + +*`okta.transaction.type`*:: ++ +-- +The type of transaction. Must be one of "WEB", "JOB". + + +type: keyword + +-- + +[float] +=== debug_context + +Fields that let you store information about the debug context. + + + +[float] +=== debug_data + +The debug data. + + + +*`okta.debug_context.debug_data.device_fingerprint`*:: ++ +-- +The fingerprint of the device. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.request_id`*:: ++ +-- +The identifier of the request. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.request_uri`*:: ++ +-- +The request URI. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.threat_suspected`*:: ++ +-- +Threat suspected. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.url`*:: ++ +-- +The URL. + + +type: keyword + +-- + +[float] +=== authentication_context + +Fields that let you store information about authentication context. + + + +*`okta.authentication_context.authentication_provider`*:: ++ +-- +The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. + + +type: keyword + +-- + +*`okta.authentication_context.authentication_step`*:: ++ +-- +The authentication step. + + +type: integer + +-- + +*`okta.authentication_context.credential_provider`*:: ++ +-- +The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. + + +type: keyword + +-- + +*`okta.authentication_context.credential_type`*:: ++ +-- +The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. + + +type: keyword + +-- + +*`okta.authentication_context.issuer`*:: ++ +-- +The information about the issuer. + + +type: array + +-- + +*`okta.authentication_context.external_session_id`*:: ++ +-- +The session identifer of the external session if any. + + +type: keyword + +-- + +*`okta.authentication_context.interface`*:: ++ +-- +The interface used. e.g., Outlook, Office365, wsTrust + + +type: keyword + +-- + +[float] +=== security_context + +Fields that let you store information about security context. + + + +[float] +=== as + +The autonomous system. + + + +*`okta.security_context.as.number`*:: ++ +-- +The AS number. + + +type: integer + +-- + +[float] +=== organization + +The organization that owns the AS number. + + + +*`okta.security_context.as.organization.name`*:: ++ +-- +The organization name. + + +type: keyword + +-- + +*`okta.security_context.isp`*:: ++ +-- +The Internet Service Provider. + + +type: keyword + +-- + +*`okta.security_context.domain`*:: ++ +-- +The domain name. + + +type: keyword + +-- + +*`okta.security_context.is_proxy`*:: ++ +-- +Whether it is a proxy or not. + + +type: boolean + +-- + +[float] +=== request + +Fields that let you store information about the request, in the form of list of ip_chain. + + + +[float] +=== ip_chain + +List of ip_chain objects. + + + +*`okta.request.ip_chain.ip`*:: ++ +-- +IP address. + + +type: ip + +-- + +*`okta.request.ip_chain.version`*:: ++ +-- +IP version. Must be one of V4, V6. + + +type: keyword + +-- + +*`okta.request.ip_chain.source`*:: ++ +-- +Source information. + + +type: keyword + +-- + +[float] +=== geographical_context + +Geographical information. + + + +*`okta.request.ip_chain.geographical_context.city`*:: ++ +-- +The city. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.state`*:: ++ +-- +The state. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.postal_code`*:: ++ +-- +The postal code. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.country`*:: ++ +-- +The country. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.geolocation`*:: ++ +-- +Geolocation information. + + +type: geo_point + +-- + +[[exported-fields-osquery]] +== Osquery fields + +Fields exported by the `osquery` module + + + +[float] +=== osquery + + + + +[float] +=== result + +Common fields exported by the result metricset. + + + +*`osquery.result.name`*:: ++ +-- +The name of the query that generated this event. + + +type: keyword + +-- + +*`osquery.result.action`*:: ++ +-- +For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot". + + +type: keyword + +-- + +*`osquery.result.host_identifier`*:: ++ +-- +The identifier for the host on which the osquery agent is running. Normally the hostname. + + +type: keyword + +-- + +*`osquery.result.unix_time`*:: ++ +-- +Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column. + + +type: long + +-- + +*`osquery.result.calendar_time`*:: ++ +-- +String representation of the collection time, as formatted by osquery. + + +type: keyword + +-- + +[[exported-fields-panw]] +== panw fields + +Module for Palo Alto Networks (PAN-OS) + + + +[float] +=== panw + +Fields from the panw module. + + + +[float] +=== panos + +Fields for the Palo Alto Networks PAN-OS logs. + + + +*`panw.panos.ruleset`*:: ++ +-- +Name of the rule that matched this session. + + +type: keyword + +-- + +[float] +=== source + +Fields to extend the top-level source object. + + + +*`panw.panos.source.zone`*:: ++ +-- +Source zone for this session. + + +type: keyword + +-- + +*`panw.panos.source.interface`*:: ++ +-- +Source interface for this session. + + +type: keyword + +-- + +[float] +=== nat + +Post-NAT source address, if source NAT is performed. + + + +*`panw.panos.source.nat.ip`*:: ++ +-- +Post-NAT source IP. + + +type: ip + +-- + +*`panw.panos.source.nat.port`*:: ++ +-- +Post-NAT source port. + + +type: long + +-- + +[float] +=== destination + +Fields to extend the top-level destination object. + + + +*`panw.panos.destination.zone`*:: ++ +-- +Destination zone for this session. + + +type: keyword + +-- + +*`panw.panos.destination.interface`*:: ++ +-- +Destination interface for this session. + + +type: keyword + +-- + +[float] +=== nat + +Post-NAT destination address, if destination NAT is performed. + + + +*`panw.panos.destination.nat.ip`*:: ++ +-- +Post-NAT destination IP. + + +type: ip + +-- + +*`panw.panos.destination.nat.port`*:: ++ +-- +Post-NAT destination port. + + +type: long + +-- + +*`panw.panos.endreason`*:: ++ +-- +The reason a session terminated. + + +type: keyword + +-- + +[float] +=== network + +Fields to extend the top-level network object. + + + +*`panw.panos.network.pcap_id`*:: ++ +-- +Packet capture ID for a threat. + + +type: keyword + +-- + + +*`panw.panos.network.nat.community_id`*:: ++ +-- +Community ID flow-hash for the NAT 5-tuple. + + +type: keyword + +-- + +[float] +=== file + +Fields to extend the top-level file object. + + + +*`panw.panos.file.hash`*:: ++ +-- +Binary hash for a threat file sent to be analyzed by the WildFire service. + + +type: keyword + +-- + +[float] +=== url + +Fields to extend the top-level url object. + + + +*`panw.panos.url.category`*:: ++ +-- +For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. + + +type: keyword + +-- + +*`panw.panos.flow_id`*:: ++ +-- +Internal numeric identifier for each session. + + +type: keyword + +-- + +*`panw.panos.sequence_number`*:: ++ +-- +Log entry identifier that is incremented sequentially. Unique for each log type. + + +type: long + +-- + +*`panw.panos.threat.resource`*:: ++ +-- +URL or file name for a threat. + + +type: keyword + +-- + +*`panw.panos.threat.id`*:: ++ +-- +Palo Alto Networks identifier for the threat. + + +type: keyword + +-- + +*`panw.panos.threat.name`*:: ++ +-- +Palo Alto Networks name for the threat. + + +type: keyword + +-- + +*`panw.panos.action`*:: ++ +-- +Action taken for the session. + +type: keyword + +-- + +*`panw.panos.type`*:: ++ +-- +Specifies the type of the log + +-- + +*`panw.panos.sub_type`*:: ++ +-- +Specifies the sub type of the log + +-- + +[[exported-fields-postgresql]] +== PostgreSQL fields + +Module for parsing the PostgreSQL log files. + + + +[float] +=== postgresql + +Fields from PostgreSQL logs. + + + +[float] +=== log + +Fields from the PostgreSQL log files. + + + +*`postgresql.log.timestamp`*:: ++ +-- + +deprecated:[7.3.0] + +The timestamp from the log line. + + +-- + +*`postgresql.log.core_id`*:: ++ +-- +Core id + + +type: long + +-- + +*`postgresql.log.database`*:: ++ +-- +Name of database + + +example: mydb + +-- + +*`postgresql.log.query`*:: ++ +-- +Query statement. + + +example: SELECT * FROM users; + +-- + +*`postgresql.log.query_step`*:: ++ +-- +Statement step when using extended query protocol (one of statement, parse, bind or execute) + + +example: parse + +-- + +*`postgresql.log.query_name`*:: ++ +-- +Name given to a query when using extended query protocol. If it is "", or not present, this field is ignored. + + +example: pdo_stmt_00000001 + +-- + +*`postgresql.log.error.code`*:: ++ +-- +Error code returned by Postgres (if any) + +type: long + +-- + +*`postgresql.log.timezone`*:: ++ +-- +type: alias + +alias to: event.timezone + +-- + +*`postgresql.log.thread_id`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`postgresql.log.user`*:: ++ +-- +type: alias + +alias to: user.name + +-- + +*`postgresql.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`postgresql.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[[exported-fields-process]] +== Process fields + +Process metadata fields + + + + +*`process.exe`*:: ++ +-- +type: alias + +alias to: process.executable + +-- + +[[exported-fields-proofpoint]] +== Proofpoint Email Security fields + +proofpoint fields. + + + +*`network.interface.name`*:: ++ +-- +Name of the network interface where the traffic has been observed. + + +type: keyword + +-- + + + +*`rsa.internal.msg`*:: ++ +-- +This key is used to capture the raw message that comes into the Log Decoder + +type: keyword + +-- + +*`rsa.internal.messageid`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.event_desc`*:: ++ +-- +type: keyword + +-- + +*`rsa.internal.message`*:: ++ +-- +This key captures the contents of instant messages + +type: keyword + +-- + +*`rsa.internal.time`*:: ++ +-- +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date + +-- + +*`rsa.internal.level`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.msg_vid`*:: ++ +-- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.data`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_server`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_val`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.obj_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.statement`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.audit_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.entry`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.hcode`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.inode`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.resource_class`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.dead`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.feed_desc`*:: ++ +-- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.feed_name`*:: ++ +-- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.cid`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_class`*:: ++ +-- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_group`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_host`*:: ++ +-- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_ip`*:: ++ +-- +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_ipv6`*:: ++ +-- +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.device_type`*:: ++ +-- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.device_type_id`*:: ++ +-- +Deprecated key defined only in table map. + +type: long + +-- + +*`rsa.internal.did`*:: ++ +-- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.entropy_req`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.entropy_res`*:: ++ +-- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long + +-- + +*`rsa.internal.event_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.feed_category`*:: ++ +-- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.forward_ip`*:: ++ +-- +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip + +-- + +*`rsa.internal.forward_ipv6`*:: ++ +-- +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip + +-- + +*`rsa.internal.header_id`*:: ++ +-- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_cid`*:: ++ +-- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.lc_ctime`*:: ++ +-- +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date + +-- + +*`rsa.internal.mcb_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcb_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long + +-- + +*`rsa.internal.mcbc_req`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.mcbc_res`*:: ++ +-- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long + +-- + +*`rsa.internal.medium`*:: ++ +-- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long + +-- + +*`rsa.internal.node_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.nwe_callback_id`*:: ++ +-- +This key denotes that event is endpoint related + +type: keyword + +-- + +*`rsa.internal.parse_error`*:: ++ +-- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.payload_req`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.payload_res`*:: ++ +-- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long + +-- + +*`rsa.internal.process_vid_dst`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword + +-- + +*`rsa.internal.process_vid_src`*:: ++ +-- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword + +-- + +*`rsa.internal.rid`*:: ++ +-- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.session_split`*:: ++ +-- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.site`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.internal.size`*:: ++ +-- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long + +-- + +*`rsa.internal.sourcefile`*:: ++ +-- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword + +-- + +*`rsa.internal.ubc_req`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.ubc_res`*:: ++ +-- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long + +-- + +*`rsa.internal.word`*:: ++ +-- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword + +-- + + +*`rsa.time.event_time`*:: ++ +-- +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date + +-- + +*`rsa.time.duration_time`*:: ++ +-- +This key is used to capture the normalized duration/lifetime in seconds. + +type: double + +-- + +*`rsa.time.event_time_str`*:: ++ +-- +This key is used to capture the incomplete time mentioned in a session as a string + +type: keyword + +-- + +*`rsa.time.starttime`*:: ++ +-- +This key is used to capture the Start time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.day`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.endtime`*:: ++ +-- +This key is used to capture the End time mentioned in a session in a standard form + +type: date + +-- + +*`rsa.time.timezone`*:: ++ +-- +This key is used to capture the timezone of the Event Time + +type: keyword + +-- + +*`rsa.time.duration_str`*:: ++ +-- +A text string version of the duration + +type: keyword + +-- + +*`rsa.time.date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.recorded_time`*:: ++ +-- +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date + +-- + +*`rsa.time.datetime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.effective_time`*:: ++ +-- +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date + +-- + +*`rsa.time.expire_time`*:: ++ +-- +This key is the timestamp that explicitly refers to an expiration. + +type: date + +-- + +*`rsa.time.process_time`*:: ++ +-- +Deprecated, use duration.time + +type: keyword + +-- + +*`rsa.time.hour`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.min`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.timestamp`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.event_queue_time`*:: ++ +-- +This key is the Time that the event was queued. + +type: date + +-- + +*`rsa.time.p_time1`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.tzone`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.eventtime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmtdate`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.gmttime`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_date`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_month`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_time2`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.p_year`*:: ++ +-- +type: keyword + +-- + +*`rsa.time.expire_time_str`*:: ++ +-- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword + +-- + +*`rsa.time.stamp`*:: ++ +-- +Deprecated key defined only in table map. + +type: date + +-- + + +*`rsa.misc.action`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.result`*:: ++ +-- +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword + +-- + +*`rsa.misc.severity`*:: ++ +-- +This key is used to capture the severity given the session + +type: keyword + +-- + +*`rsa.misc.event_type`*:: ++ +-- +This key captures the event category type as specified by the event source. + +type: keyword + +-- + +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword + +-- + +*`rsa.misc.version`*:: ++ +-- +This key captures Version of the application or OS which is generating the event. + +type: keyword + +-- + +*`rsa.misc.disposition`*:: ++ +-- +This key captures the The end state of an action. + +type: keyword + +-- + +*`rsa.misc.result_code`*:: ++ +-- +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword + +-- + +*`rsa.misc.category`*:: ++ +-- +This key is used to capture the category of an event given by the vendor in the session + +type: keyword + +-- + +*`rsa.misc.obj_name`*:: ++ +-- +This is used to capture name of object + +type: keyword + +-- + +*`rsa.misc.obj_type`*:: ++ +-- +This is used to capture type of object + +type: keyword + +-- + +*`rsa.misc.event_source`*:: ++ +-- +This key captures Source of the event that’s not a hostname + +type: keyword + +-- + +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword + +-- + +*`rsa.misc.group`*:: ++ +-- +This key captures the Group Name value + +type: keyword + +-- + +*`rsa.misc.policy_name`*:: ++ +-- +This key is used to capture the Policy Name only. + +type: keyword + +-- + +*`rsa.misc.rule_name`*:: ++ +-- +This key captures the Rule Name + +type: keyword + +-- + +*`rsa.misc.context`*:: ++ +-- +This key captures Information which adds additional context to the event. + +type: keyword + +-- + +*`rsa.misc.change_new`*:: ++ +-- +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.space`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.client`*:: ++ +-- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword + +-- + +*`rsa.misc.msgIdPart1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.change_old`*:: ++ +-- +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.operation_id`*:: ++ +-- +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword + +-- + +*`rsa.misc.event_state`*:: ++ +-- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword + +-- + +*`rsa.misc.group_object`*:: ++ +-- +This key captures a collection/grouping of entities. Specific usage + +type: keyword + +-- + +*`rsa.misc.node`*:: ++ +-- +Common use case is the node name within a cluster. The cluster name is reflected by the host name. + +type: keyword + +-- + +*`rsa.misc.rule`*:: ++ +-- +This key captures the Rule number + +type: keyword + +-- + +*`rsa.misc.device_name`*:: ++ +-- +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword + +-- + +*`rsa.misc.param`*:: ++ +-- +This key is the parameters passed as part of a command or application, etc. + +type: keyword + +-- + +*`rsa.misc.change_attrib`*:: ++ +-- +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword + +-- + +*`rsa.misc.event_computer`*:: ++ +-- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + +type: keyword + +-- + +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword + +-- + +*`rsa.misc.event_log`*:: ++ +-- +This key captures the Name of the event log + +type: keyword + +-- + +*`rsa.misc.OS`*:: ++ +-- +This key captures the Name of the Operating System + +type: keyword + +-- + +*`rsa.misc.terminal`*:: ++ +-- +This key captures the Terminal Names only + +type: keyword + +-- + +*`rsa.misc.msgIdPart3`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.filter`*:: ++ +-- +This key captures Filter used to reduce result set + +type: keyword + +-- + +*`rsa.misc.serial_number`*:: ++ +-- +This key is the Serial number associated with a physical asset. + +type: keyword + +-- + +*`rsa.misc.checksum`*:: ++ +-- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + +type: keyword + +-- + +*`rsa.misc.event_user`*:: ++ +-- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword + +-- + +*`rsa.misc.virusname`*:: ++ +-- +This key captures the name of the virus + +type: keyword + +-- + +*`rsa.misc.content_type`*:: ++ +-- +This key is used to capture Content Type only. + +type: keyword + +-- + +*`rsa.misc.group_id`*:: ++ +-- +This key captures Group ID Number (related to the group name) + +type: keyword + +-- + +*`rsa.misc.policy_id`*:: ++ +-- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword + +-- + +*`rsa.misc.vsys`*:: ++ +-- +This key captures Virtual System Name + +type: keyword + +-- + +*`rsa.misc.connection_id`*:: ++ +-- +This key captures the Connection ID + +type: keyword + +-- + +*`rsa.misc.reference_id2`*:: ++ +-- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + +type: keyword + +-- + +*`rsa.misc.sensor`*:: ++ +-- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + +type: keyword + +-- + +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: ++ +-- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + +type: keyword + +-- + +*`rsa.misc.rule_group`*:: ++ +-- +This key captures the Rule group name + +type: keyword + +-- + +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.log_session_id1`*:: ++ +-- +This key is used to capture a Linked (Related) Session ID from the session directly + +type: keyword + +-- + +*`rsa.misc.comp_version`*:: ++ +-- +This key captures the Version level of a sub-component of a product. + +type: keyword + +-- + +*`rsa.misc.content_version`*:: ++ +-- +This key captures Version level of a signature or database content. + +type: keyword + +-- + +*`rsa.misc.hardware_id`*:: ++ +-- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + +type: keyword + +-- + +*`rsa.misc.risk`*:: ++ +-- +This key captures the non-numeric risk value + +type: keyword + +-- + +*`rsa.misc.event_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.reason`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.status`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mail_id`*:: ++ +-- +This key is used to capture the mailbox id/name + +type: keyword + +-- + +*`rsa.misc.rule_uid`*:: ++ +-- +This key is the Unique Identifier for a rule. + +type: keyword + +-- + +*`rsa.misc.trigger_desc`*:: ++ +-- +This key captures the Description of the trigger or threshold condition. + +type: keyword + +-- + +*`rsa.misc.inout`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.p_msgid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.data_type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.msgIdPart4`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.error`*:: ++ +-- +This key captures All non successful Error codes or responses + +type: keyword + +-- + +*`rsa.misc.index`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.listnum`*:: ++ +-- +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword + +-- + +*`rsa.misc.ntype`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.observed_val`*:: ++ +-- +This key captures the Value observed (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.policy_value`*:: ++ +-- +This key captures the contents of the policy. This contains details about the policy + +type: keyword + +-- + +*`rsa.misc.pool_name`*:: ++ +-- +This key captures the name of a resource pool + +type: keyword + +-- + +*`rsa.misc.rule_template`*:: ++ +-- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + +type: keyword + +-- + +*`rsa.misc.count`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.number`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sigcat`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.type`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.comments`*:: ++ +-- +Comment information provided in the log message + +type: keyword + +-- + +*`rsa.misc.doc_number`*:: ++ +-- +This key captures File Identification number + +type: long + +-- + +*`rsa.misc.expected_val`*:: ++ +-- +This key captures the Value expected (from the perspective of the device generating the log). + +type: keyword + +-- + +*`rsa.misc.job_num`*:: ++ +-- +This key captures the Job Number + +type: keyword + +-- + +*`rsa.misc.spi_dst`*:: ++ +-- +Destination SPI Index + +type: keyword + +-- + +*`rsa.misc.spi_src`*:: ++ +-- +Source SPI Index + +type: keyword + +-- + +*`rsa.misc.code`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.agent_id`*:: ++ +-- +This key is used to capture agent id + +type: keyword + +-- + +*`rsa.misc.message_body`*:: ++ +-- +This key captures the The contents of the message body. + +type: keyword + +-- + +*`rsa.misc.phone`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.sig_id_str`*:: ++ +-- +This key captures a string object of the sigid variable. + +type: keyword + +-- + +*`rsa.misc.cmd`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.misc`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.name`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cpu`*:: ++ +-- +This key is the CPU time used in the execution of the event being recorded. + +type: long + +-- + +*`rsa.misc.event_desc`*:: ++ +-- +This key is used to capture a description of an event available directly or inferred + +type: keyword + +-- + +*`rsa.misc.sig_id1`*:: ++ +-- +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long + +-- + +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_client`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.im_userid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.pid`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.priority`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.context_subject`*:: ++ +-- +This key is to be used in an audit context where the subject is the object being identified + +type: keyword + +-- + +*`rsa.misc.context_target`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.cve`*:: ++ +-- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + +type: keyword + +-- + +*`rsa.misc.fcatnum`*:: ++ +-- +This key captures Filter Category Number. Legacy Usage + +type: keyword + +-- + +*`rsa.misc.library`*:: ++ +-- +This key is used to capture library information in mainframe devices + +type: keyword + +-- + +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. + +type: keyword + +-- + +*`rsa.misc.risk_info`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.tcp_flags`*:: ++ +-- +This key is captures the TCP flags set in any packet of session + +type: long + +-- + +*`rsa.misc.tos`*:: ++ +-- +This key describes the type of service + +type: long + +-- + +*`rsa.misc.vm_target`*:: ++ +-- +VMWare Target **VMWARE** only varaible. + +type: keyword + +-- + +*`rsa.misc.workspace`*:: ++ +-- +This key captures Workspace Description + +type: keyword + +-- + +*`rsa.misc.command`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.event_category`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.facilityname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.forensic_info`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.jobname`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.mode`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.policy_waiver`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.second`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.space1`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.subcategory`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.tbdstr2`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.alert_id`*:: ++ +-- +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.checksum_dst`*:: ++ +-- +This key is used to capture the checksum or hash of the the target entity such as a process or file. + +type: keyword + +-- + +*`rsa.misc.checksum_src`*:: ++ +-- +This key is used to capture the checksum or hash of the source entity such as a file or process. + +type: keyword + +-- + +*`rsa.misc.fresult`*:: ++ +-- +This key captures the Filter Result + +type: long + +-- + +*`rsa.misc.payload_dst`*:: ++ +-- +This key is used to capture destination payload + +type: keyword + +-- + +*`rsa.misc.payload_src`*:: ++ +-- +This key is used to capture source payload + +type: keyword + +-- + +*`rsa.misc.pool_id`*:: ++ +-- +This key captures the identifier (typically numeric field) of a resource pool + +type: keyword + +-- + +*`rsa.misc.process_id_val`*:: ++ +-- +This key is a failure key for Process ID when it is not an integer value + +type: keyword + +-- + +*`rsa.misc.risk_num_comm`*:: ++ +-- +This key captures Risk Number Community + +type: double + +-- + +*`rsa.misc.risk_num_next`*:: ++ +-- +This key captures Risk Number NextGen + +type: double + +-- + +*`rsa.misc.risk_num_sand`*:: ++ +-- +This key captures Risk Number SandBox + +type: double + +-- + +*`rsa.misc.risk_num_static`*:: ++ +-- +This key captures Risk Number Static + +type: double + +-- + +*`rsa.misc.risk_suspicious`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.risk_warning`*:: ++ +-- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + +type: keyword + +-- + +*`rsa.misc.snmp_oid`*:: ++ +-- +SNMP Object Identifier + +type: keyword + +-- + +*`rsa.misc.sql`*:: ++ +-- +This key captures the SQL query + +type: keyword + +-- + +*`rsa.misc.vuln_ref`*:: ++ +-- +This key captures the Vulnerability Reference details + +type: keyword + +-- + +*`rsa.misc.acl_id`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_op`*:: ++ +-- +type: keyword + +-- + +*`rsa.misc.acl_pos`*:: + -- -type: short +type: keyword -- -*`netflow.tcp_control_bits`*:: +*`rsa.misc.acl_table`*:: + -- -type: integer +type: keyword -- -*`netflow.source_transport_port`*:: +*`rsa.misc.admin`*:: + -- -type: integer +type: keyword -- -*`netflow.source_ipv4_address`*:: +*`rsa.misc.alarm_id`*:: + -- -type: ip +type: keyword -- -*`netflow.source_ipv4_prefix_length`*:: +*`rsa.misc.alarmname`*:: + -- -type: short +type: keyword -- -*`netflow.ingress_interface`*:: +*`rsa.misc.app_id`*:: + -- -type: long +type: keyword -- -*`netflow.destination_transport_port`*:: +*`rsa.misc.audit`*:: + -- -type: integer +type: keyword -- -*`netflow.destination_ipv4_address`*:: +*`rsa.misc.audit_object`*:: + -- -type: ip +type: keyword -- -*`netflow.destination_ipv4_prefix_length`*:: +*`rsa.misc.auditdata`*:: + -- -type: short +type: keyword -- -*`netflow.egress_interface`*:: +*`rsa.misc.benchmark`*:: + -- -type: long +type: keyword -- -*`netflow.ip_next_hop_ipv4_address`*:: +*`rsa.misc.bypass`*:: + -- -type: ip +type: keyword -- -*`netflow.bgp_source_as_number`*:: +*`rsa.misc.cache`*:: + -- -type: long +type: keyword -- -*`netflow.bgp_destination_as_number`*:: +*`rsa.misc.cache_hit`*:: + -- -type: long +type: keyword -- -*`netflow.bgp_next_hop_ipv4_address`*:: +*`rsa.misc.cefversion`*:: + -- -type: ip +type: keyword -- -*`netflow.post_mcast_packet_delta_count`*:: +*`rsa.misc.cfg_attr`*:: + -- -type: long +type: keyword -- -*`netflow.post_mcast_octet_delta_count`*:: +*`rsa.misc.cfg_obj`*:: + -- -type: long +type: keyword -- -*`netflow.flow_end_sys_up_time`*:: +*`rsa.misc.cfg_path`*:: + -- -type: long +type: keyword -- -*`netflow.flow_start_sys_up_time`*:: +*`rsa.misc.changes`*:: + -- -type: long +type: keyword -- -*`netflow.post_octet_delta_count`*:: +*`rsa.misc.client_ip`*:: + -- -type: long +type: keyword -- -*`netflow.post_packet_delta_count`*:: +*`rsa.misc.clustermembers`*:: + -- -type: long +type: keyword -- -*`netflow.minimum_ip_total_length`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -type: long +type: keyword -- -*`netflow.maximum_ip_total_length`*:: +*`rsa.misc.cn_asn_src`*:: + -- -type: long +type: keyword -- -*`netflow.source_ipv6_address`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -type: ip +type: keyword -- -*`netflow.destination_ipv6_address`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -type: ip +type: keyword -- -*`netflow.source_ipv6_prefix_length`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -type: short +type: keyword -- -*`netflow.destination_ipv6_prefix_length`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -type: short +type: keyword -- -*`netflow.flow_label_ipv6`*:: +*`rsa.misc.cn_engine_id`*:: + -- -type: long +type: keyword -- -*`netflow.icmp_type_code_ipv4`*:: +*`rsa.misc.cn_engine_type`*:: + -- -type: integer +type: keyword -- -*`netflow.igmp_type`*:: +*`rsa.misc.cn_f_switch`*:: + -- -type: short +type: keyword -- -*`netflow.sampling_interval`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -type: long +type: keyword -- -*`netflow.sampling_algorithm`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -type: short +type: keyword -- -*`netflow.flow_active_timeout`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -type: integer +type: keyword -- -*`netflow.flow_idle_timeout`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -type: integer +type: keyword -- -*`netflow.engine_type`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -type: short +type: keyword -- -*`netflow.engine_id`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -type: short +type: keyword -- -*`netflow.exported_octet_total_count`*:: +*`rsa.misc.cn_invalid`*:: + -- -type: long +type: keyword -- -*`netflow.exported_message_total_count`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -type: long +type: keyword -- -*`netflow.exported_flow_record_total_count`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -type: long +type: keyword -- -*`netflow.ipv4_router_sc`*:: +*`rsa.misc.cn_l_switch`*:: + -- -type: ip +type: keyword -- -*`netflow.source_ipv4_prefix`*:: +*`rsa.misc.cn_log_did`*:: + -- -type: ip +type: keyword -- -*`netflow.destination_ipv4_prefix`*:: +*`rsa.misc.cn_log_rid`*:: + -- -type: ip +type: keyword -- -*`netflow.mpls_top_label_type`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_top_label_ipv4_address`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -type: ip +type: keyword -- -*`netflow.sampler_id`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -type: short +type: keyword -- -*`netflow.sampler_mode`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -type: short +type: keyword -- -*`netflow.sampler_random_interval`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -type: long +type: keyword -- -*`netflow.class_id`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -type: long +type: keyword -- -*`netflow.minimum_ttl`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -type: short +type: keyword -- -*`netflow.maximum_ttl`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -type: short +type: keyword -- -*`netflow.fragment_identification`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -type: long +type: keyword -- -*`netflow.post_ip_class_of_service`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -type: short +type: keyword -- -*`netflow.source_mac_address`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`netflow.post_destination_mac_address`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`netflow.vlan_id`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -type: integer +type: keyword -- -*`netflow.post_vlan_id`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -type: integer +type: keyword -- -*`netflow.ip_version`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -type: short +type: keyword -- -*`netflow.flow_direction`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -type: short +type: keyword -- -*`netflow.ip_next_hop_ipv6_address`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -type: ip +type: keyword -- -*`netflow.bgp_next_hop_ipv6_address`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -type: ip +type: keyword -- -*`netflow.ipv6_extension_headers`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -type: long +type: keyword -- -*`netflow.mpls_top_label_stack_section`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_label_stack_section2`*:: +*`rsa.misc.cn_sampint`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_label_stack_section3`*:: +*`rsa.misc.cn_seqctr`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_label_stack_section4`*:: +*`rsa.misc.cn_spackets`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_label_stack_section5`*:: +*`rsa.misc.cn_src_tos`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_label_stack_section6`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_label_stack_section7`*:: +*`rsa.misc.cn_sysuptime`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_label_stack_section8`*:: +*`rsa.misc.cn_template_id`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_label_stack_section9`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_label_stack_section10`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -type: short +type: keyword -- -*`netflow.destination_mac_address`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- type: keyword -- -*`netflow.post_source_mac_address`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- type: keyword -- -*`netflow.interface_name`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- type: keyword -- -*`netflow.interface_description`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- type: keyword -- -*`netflow.sampler_name`*:: +*`rsa.misc.comp_class`*:: + -- type: keyword -- -*`netflow.octet_total_count`*:: +*`rsa.misc.comp_name`*:: + -- -type: long +type: keyword -- -*`netflow.packet_total_count`*:: +*`rsa.misc.comp_rbytes`*:: + -- -type: long +type: keyword -- -*`netflow.flags_and_sampler_id`*:: +*`rsa.misc.comp_sbytes`*:: + -- -type: long +type: keyword -- -*`netflow.fragment_offset`*:: +*`rsa.misc.cpu_data`*:: + -- -type: integer +type: keyword -- -*`netflow.forwarding_status`*:: +*`rsa.misc.criticality`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_vpn_route_distinguisher`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_top_label_prefix_length`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -type: short +type: keyword -- -*`netflow.src_traffic_index`*:: +*`rsa.misc.cs_av_other`*:: + -- -type: long +type: keyword -- -*`netflow.dst_traffic_index`*:: +*`rsa.misc.cs_av_primary`*:: + -- -type: long +type: keyword -- -*`netflow.application_description`*:: +*`rsa.misc.cs_av_secondary`*:: + -- type: keyword -- -*`netflow.application_id`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -type: short +type: keyword -- -*`netflow.application_name`*:: +*`rsa.misc.cs_bit9status`*:: + -- type: keyword -- -*`netflow.post_ip_diff_serv_code_point`*:: +*`rsa.misc.cs_context`*:: + -- -type: short +type: keyword -- -*`netflow.multicast_replication_factor`*:: +*`rsa.misc.cs_control`*:: + -- -type: long +type: keyword -- -*`netflow.class_name`*:: +*`rsa.misc.cs_data`*:: + -- type: keyword -- -*`netflow.classification_engine_id`*:: +*`rsa.misc.cs_datecret`*:: + -- -type: short +type: keyword -- -*`netflow.layer2packet_section_offset`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -type: integer +type: keyword -- -*`netflow.layer2packet_section_size`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -type: integer +type: keyword -- -*`netflow.layer2packet_section_data`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -type: short +type: keyword -- -*`netflow.bgp_next_adjacent_as_number`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -type: long +type: keyword -- -*`netflow.bgp_prev_adjacent_as_number`*:: +*`rsa.misc.cs_filetype`*:: + -- -type: long +type: keyword -- -*`netflow.exporter_ipv4_address`*:: +*`rsa.misc.cs_fld`*:: + -- -type: ip +type: keyword -- -*`netflow.exporter_ipv6_address`*:: +*`rsa.misc.cs_if_desc`*:: + -- -type: ip +type: keyword -- -*`netflow.dropped_octet_delta_count`*:: +*`rsa.misc.cs_if_name`*:: + -- -type: long +type: keyword -- -*`netflow.dropped_packet_delta_count`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -type: long +type: keyword -- -*`netflow.dropped_octet_total_count`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -type: long +type: keyword -- -*`netflow.dropped_packet_total_count`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -type: long +type: keyword -- -*`netflow.flow_end_reason`*:: +*`rsa.misc.cs_lifetime`*:: + -- -type: short +type: keyword -- -*`netflow.common_properties_id`*:: +*`rsa.misc.cs_log_medium`*:: + -- -type: long +type: keyword -- -*`netflow.observation_point_id`*:: +*`rsa.misc.cs_loginname`*:: + -- -type: long +type: keyword -- -*`netflow.icmp_type_code_ipv6`*:: +*`rsa.misc.cs_modulescore`*:: + -- -type: integer +type: keyword -- -*`netflow.mpls_top_label_ipv6_address`*:: +*`rsa.misc.cs_modulesign`*:: + -- -type: ip +type: keyword -- -*`netflow.line_card_id`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -type: long +type: keyword -- -*`netflow.port_id`*:: +*`rsa.misc.cs_payload`*:: + -- -type: long +type: keyword -- -*`netflow.metering_process_id`*:: +*`rsa.misc.cs_registrant`*:: + -- -type: long +type: keyword -- -*`netflow.exporting_process_id`*:: +*`rsa.misc.cs_registrar`*:: + -- -type: long +type: keyword -- -*`netflow.template_id`*:: +*`rsa.misc.cs_represult`*:: + -- -type: integer +type: keyword -- -*`netflow.wlan_channel_id`*:: +*`rsa.misc.cs_rpayload`*:: + -- -type: short +type: keyword -- -*`netflow.wlan_ssid`*:: +*`rsa.misc.cs_sampler_name`*:: + -- type: keyword -- -*`netflow.flow_id`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -type: long +type: keyword -- -*`netflow.observation_domain_id`*:: +*`rsa.misc.cs_streams`*:: + -- -type: long +type: keyword -- -*`netflow.flow_start_seconds`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -type: date +type: keyword -- -*`netflow.flow_end_seconds`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -type: date +type: keyword -- -*`netflow.flow_start_milliseconds`*:: +*`rsa.misc.cs_whois_server`*:: + -- -type: date +type: keyword -- -*`netflow.flow_end_milliseconds`*:: +*`rsa.misc.cs_yararesult`*:: + -- -type: date +type: keyword -- -*`netflow.flow_start_microseconds`*:: +*`rsa.misc.description`*:: + -- -type: date +type: keyword -- -*`netflow.flow_end_microseconds`*:: +*`rsa.misc.devvendor`*:: + -- -type: date +type: keyword -- -*`netflow.flow_start_nanoseconds`*:: +*`rsa.misc.distance`*:: + -- -type: date +type: keyword -- -*`netflow.flow_end_nanoseconds`*:: +*`rsa.misc.dstburb`*:: + -- -type: date +type: keyword -- -*`netflow.flow_start_delta_microseconds`*:: +*`rsa.misc.edomain`*:: + -- -type: long +type: keyword -- -*`netflow.flow_end_delta_microseconds`*:: +*`rsa.misc.edomaub`*:: + -- -type: long +type: keyword -- -*`netflow.system_init_time_milliseconds`*:: +*`rsa.misc.euid`*:: + -- -type: date +type: keyword -- -*`netflow.flow_duration_milliseconds`*:: +*`rsa.misc.facility`*:: + -- -type: long +type: keyword -- -*`netflow.flow_duration_microseconds`*:: +*`rsa.misc.finterface`*:: + -- -type: long +type: keyword -- -*`netflow.observed_flow_total_count`*:: +*`rsa.misc.flags`*:: + -- -type: long +type: keyword -- -*`netflow.ignored_packet_total_count`*:: +*`rsa.misc.gaddr`*:: + -- -type: long +type: keyword -- -*`netflow.ignored_octet_total_count`*:: +*`rsa.misc.id3`*:: + -- -type: long +type: keyword -- -*`netflow.not_sent_flow_total_count`*:: +*`rsa.misc.im_buddyname`*:: + -- -type: long +type: keyword -- -*`netflow.not_sent_packet_total_count`*:: +*`rsa.misc.im_croomid`*:: + -- -type: long +type: keyword -- -*`netflow.not_sent_octet_total_count`*:: +*`rsa.misc.im_croomtype`*:: + -- -type: long +type: keyword -- -*`netflow.destination_ipv6_prefix`*:: +*`rsa.misc.im_members`*:: + -- -type: ip +type: keyword -- -*`netflow.source_ipv6_prefix`*:: +*`rsa.misc.im_username`*:: + -- -type: ip +type: keyword -- -*`netflow.post_octet_total_count`*:: +*`rsa.misc.ipkt`*:: + -- -type: long +type: keyword -- -*`netflow.post_packet_total_count`*:: +*`rsa.misc.ipscat`*:: + -- -type: long +type: keyword -- -*`netflow.flow_key_indicator`*:: +*`rsa.misc.ipspri`*:: + -- -type: long +type: keyword -- -*`netflow.post_mcast_packet_total_count`*:: +*`rsa.misc.latitude`*:: + -- -type: long +type: keyword -- -*`netflow.post_mcast_octet_total_count`*:: +*`rsa.misc.linenum`*:: + -- -type: long +type: keyword -- -*`netflow.icmp_type_ipv4`*:: +*`rsa.misc.list_name`*:: + -- -type: short +type: keyword -- -*`netflow.icmp_code_ipv4`*:: +*`rsa.misc.load_data`*:: + -- -type: short +type: keyword -- -*`netflow.icmp_type_ipv6`*:: +*`rsa.misc.location_floor`*:: + -- -type: short +type: keyword -- -*`netflow.icmp_code_ipv6`*:: +*`rsa.misc.location_mark`*:: + -- -type: short +type: keyword -- -*`netflow.udp_source_port`*:: +*`rsa.misc.log_id`*:: + -- -type: integer +type: keyword -- -*`netflow.udp_destination_port`*:: +*`rsa.misc.log_type`*:: + -- -type: integer +type: keyword -- -*`netflow.tcp_source_port`*:: +*`rsa.misc.logid`*:: + -- -type: integer +type: keyword -- -*`netflow.tcp_destination_port`*:: +*`rsa.misc.logip`*:: + -- -type: integer +type: keyword -- -*`netflow.tcp_sequence_number`*:: +*`rsa.misc.logname`*:: + -- -type: long +type: keyword -- -*`netflow.tcp_acknowledgement_number`*:: +*`rsa.misc.longitude`*:: + -- -type: long +type: keyword -- -*`netflow.tcp_window_size`*:: +*`rsa.misc.lport`*:: + -- -type: integer +type: keyword -- -*`netflow.tcp_urgent_pointer`*:: +*`rsa.misc.mbug_data`*:: + -- -type: integer +type: keyword -- -*`netflow.tcp_header_length`*:: +*`rsa.misc.misc_name`*:: + -- -type: short +type: keyword -- -*`netflow.ip_header_length`*:: +*`rsa.misc.msg_type`*:: + -- -type: short +type: keyword -- -*`netflow.total_length_ipv4`*:: +*`rsa.misc.msgid`*:: + -- -type: integer +type: keyword -- -*`netflow.payload_length_ipv6`*:: +*`rsa.misc.netsessid`*:: + -- -type: integer +type: keyword -- -*`netflow.ip_ttl`*:: +*`rsa.misc.num`*:: + -- -type: short +type: keyword -- -*`netflow.next_header_ipv6`*:: +*`rsa.misc.number1`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_payload_length`*:: +*`rsa.misc.number2`*:: + -- -type: long +type: keyword -- -*`netflow.ip_diff_serv_code_point`*:: +*`rsa.misc.nwwn`*:: + -- -type: short +type: keyword -- -*`netflow.ip_precedence`*:: +*`rsa.misc.object`*:: + -- -type: short +type: keyword -- -*`netflow.fragment_flags`*:: +*`rsa.misc.operation`*:: + -- -type: short +type: keyword -- -*`netflow.octet_delta_sum_of_squares`*:: +*`rsa.misc.opkt`*:: + -- -type: long +type: keyword -- -*`netflow.octet_total_sum_of_squares`*:: +*`rsa.misc.orig_from`*:: + -- -type: long +type: keyword -- -*`netflow.mpls_top_label_ttl`*:: +*`rsa.misc.owner_id`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_label_stack_length`*:: +*`rsa.misc.p_action`*:: + -- -type: long +type: keyword -- -*`netflow.mpls_label_stack_depth`*:: +*`rsa.misc.p_filter`*:: + -- -type: long +type: keyword -- -*`netflow.mpls_top_label_exp`*:: +*`rsa.misc.p_group_object`*:: + -- -type: short +type: keyword -- -*`netflow.ip_payload_length`*:: +*`rsa.misc.p_id`*:: + -- -type: long +type: keyword -- -*`netflow.udp_message_length`*:: +*`rsa.misc.p_msgid1`*:: + -- -type: integer +type: keyword -- -*`netflow.is_multicast`*:: +*`rsa.misc.p_msgid2`*:: + -- -type: short +type: keyword -- -*`netflow.ipv4_ihl`*:: +*`rsa.misc.p_result1`*:: + -- -type: short +type: keyword -- -*`netflow.ipv4_options`*:: +*`rsa.misc.password_chg`*:: + -- -type: long +type: keyword -- -*`netflow.tcp_options`*:: +*`rsa.misc.password_expire`*:: + -- -type: long +type: keyword -- -*`netflow.padding_octets`*:: +*`rsa.misc.permgranted`*:: + -- -type: short +type: keyword -- -*`netflow.collector_ipv4_address`*:: +*`rsa.misc.permwanted`*:: + -- -type: ip +type: keyword -- -*`netflow.collector_ipv6_address`*:: +*`rsa.misc.pgid`*:: + -- -type: ip +type: keyword -- -*`netflow.export_interface`*:: +*`rsa.misc.policyUUID`*:: + -- -type: long +type: keyword -- -*`netflow.export_protocol_version`*:: +*`rsa.misc.prog_asp_num`*:: + -- -type: short +type: keyword -- -*`netflow.export_transport_protocol`*:: +*`rsa.misc.program`*:: + -- -type: short +type: keyword -- -*`netflow.collector_transport_port`*:: +*`rsa.misc.real_data`*:: + -- -type: integer +type: keyword -- -*`netflow.exporter_transport_port`*:: +*`rsa.misc.rec_asp_device`*:: + -- -type: integer +type: keyword -- -*`netflow.tcp_syn_total_count`*:: +*`rsa.misc.rec_asp_num`*:: + -- -type: long +type: keyword -- -*`netflow.tcp_fin_total_count`*:: +*`rsa.misc.rec_library`*:: + -- -type: long +type: keyword -- -*`netflow.tcp_rst_total_count`*:: +*`rsa.misc.recordnum`*:: + -- -type: long +type: keyword -- -*`netflow.tcp_psh_total_count`*:: +*`rsa.misc.ruid`*:: + -- -type: long +type: keyword -- -*`netflow.tcp_ack_total_count`*:: +*`rsa.misc.sburb`*:: + -- -type: long +type: keyword -- -*`netflow.tcp_urg_total_count`*:: +*`rsa.misc.sdomain_fld`*:: + -- -type: long +type: keyword -- -*`netflow.ip_total_length`*:: +*`rsa.misc.sec`*:: + -- -type: long +type: keyword -- -*`netflow.post_nat_source_ipv4_address`*:: +*`rsa.misc.sensorname`*:: + -- -type: ip +type: keyword -- -*`netflow.post_nat_destination_ipv4_address`*:: +*`rsa.misc.seqnum`*:: + -- -type: ip +type: keyword -- -*`netflow.post_napt_source_transport_port`*:: +*`rsa.misc.session`*:: + -- -type: integer +type: keyword -- -*`netflow.post_napt_destination_transport_port`*:: +*`rsa.misc.sessiontype`*:: + -- -type: integer +type: keyword -- -*`netflow.nat_originating_address_realm`*:: +*`rsa.misc.sigUUID`*:: + -- -type: short +type: keyword -- -*`netflow.nat_event`*:: +*`rsa.misc.spi`*:: + -- -type: short +type: keyword -- -*`netflow.initiator_octets`*:: +*`rsa.misc.srcburb`*:: + -- -type: long +type: keyword -- -*`netflow.responder_octets`*:: +*`rsa.misc.srcdom`*:: + -- -type: long +type: keyword -- -*`netflow.firewall_event`*:: +*`rsa.misc.srcservice`*:: + -- -type: short +type: keyword -- -*`netflow.ingress_vrfid`*:: +*`rsa.misc.state`*:: + -- -type: long +type: keyword -- -*`netflow.egress_vrfid`*:: +*`rsa.misc.status1`*:: + -- -type: long +type: keyword -- -*`netflow.vr_fname`*:: +*`rsa.misc.svcno`*:: + -- type: keyword -- -*`netflow.post_mpls_top_label_exp`*:: +*`rsa.misc.system`*:: + -- -type: short +type: keyword -- -*`netflow.tcp_window_scale`*:: +*`rsa.misc.tbdstr1`*:: + -- -type: integer +type: keyword -- -*`netflow.biflow_direction`*:: +*`rsa.misc.tgtdom`*:: + -- -type: short +type: keyword -- -*`netflow.ethernet_header_length`*:: +*`rsa.misc.tgtdomain`*:: + -- -type: short +type: keyword -- -*`netflow.ethernet_payload_length`*:: +*`rsa.misc.threshold`*:: + -- -type: integer +type: keyword -- -*`netflow.ethernet_total_length`*:: +*`rsa.misc.type1`*:: + -- -type: integer +type: keyword -- -*`netflow.dot1q_vlan_id`*:: +*`rsa.misc.udb_class`*:: + -- -type: integer +type: keyword -- -*`netflow.dot1q_priority`*:: +*`rsa.misc.url_fld`*:: + -- -type: short +type: keyword -- -*`netflow.dot1q_customer_vlan_id`*:: +*`rsa.misc.user_div`*:: + -- -type: integer +type: keyword -- -*`netflow.dot1q_customer_priority`*:: +*`rsa.misc.userid`*:: + -- -type: short +type: keyword -- -*`netflow.metro_evc_id`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`netflow.metro_evc_type`*:: +*`rsa.misc.utcstamp`*:: + -- -type: short +type: keyword -- -*`netflow.pseudo_wire_id`*:: +*`rsa.misc.v_instafname`*:: + -- -type: long +type: keyword -- -*`netflow.pseudo_wire_type`*:: +*`rsa.misc.virt_data`*:: + -- -type: integer +type: keyword -- -*`netflow.pseudo_wire_control_word`*:: +*`rsa.misc.vpnid`*:: + -- -type: long +type: keyword -- -*`netflow.ingress_physical_interface`*:: +*`rsa.misc.autorun_type`*:: + -- -type: long +This is used to capture Auto Run type + +type: keyword -- -*`netflow.egress_physical_interface`*:: +*`rsa.misc.cc_number`*:: + -- +Valid Credit Card Numbers only + type: long -- -*`netflow.post_dot1q_vlan_id`*:: +*`rsa.misc.content`*:: + -- -type: integer +This key captures the content type from protocol headers + +type: keyword -- -*`netflow.post_dot1q_customer_vlan_id`*:: +*`rsa.misc.ein_number`*:: + -- -type: integer +Employee Identification Numbers only + +type: long -- -*`netflow.ethernet_type`*:: +*`rsa.misc.found`*:: + -- -type: integer +This is used to capture the results of regex match + +type: keyword -- -*`netflow.post_ip_precedence`*:: +*`rsa.misc.language`*:: + -- -type: short +This is used to capture list of languages the client support and what it prefers + +type: keyword -- -*`netflow.collection_time_milliseconds`*:: +*`rsa.misc.lifetime`*:: + -- -type: date +This key is used to capture the session lifetime in seconds. + +type: long -- -*`netflow.export_sctp_stream_id`*:: +*`rsa.misc.link`*:: + -- -type: integer +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`netflow.max_export_seconds`*:: +*`rsa.misc.match`*:: + -- -type: date +This key is for regex match name from search.ini + +type: keyword -- -*`netflow.max_flow_end_seconds`*:: +*`rsa.misc.param_dst`*:: + -- -type: date +This key captures the command line/launch argument of the target process or file + +type: keyword -- -*`netflow.message_md5_checksum`*:: +*`rsa.misc.param_src`*:: + -- -type: short +This key captures source parameter + +type: keyword -- -*`netflow.message_scope`*:: +*`rsa.misc.search_text`*:: + -- -type: short +This key captures the Search Text used + +type: keyword -- -*`netflow.min_export_seconds`*:: +*`rsa.misc.sig_name`*:: + -- -type: date +This key is used to capture the Signature Name only. + +type: keyword -- -*`netflow.min_flow_start_seconds`*:: +*`rsa.misc.snmp_value`*:: + -- -type: date +SNMP set request value + +type: keyword -- -*`netflow.opaque_octets`*:: +*`rsa.misc.streams`*:: + -- -type: short +This key captures number of streams in session + +type: long -- -*`netflow.session_scope`*:: + +*`rsa.db.index`*:: + -- -type: short +This key captures IndexID of the index. + +type: keyword -- -*`netflow.max_flow_end_microseconds`*:: +*`rsa.db.instance`*:: + -- -type: date +This key is used to capture the database server instance name + +type: keyword -- -*`netflow.max_flow_end_milliseconds`*:: +*`rsa.db.database`*:: + -- -type: date +This key is used to capture the name of a database or an instance as seen in a session + +type: keyword -- -*`netflow.max_flow_end_nanoseconds`*:: +*`rsa.db.transact_id`*:: + -- -type: date +This key captures the SQL transantion ID of the current session + +type: keyword -- -*`netflow.min_flow_start_microseconds`*:: +*`rsa.db.permissions`*:: + -- -type: date +This key captures permission or privilege level assigned to a resource. + +type: keyword -- -*`netflow.min_flow_start_milliseconds`*:: +*`rsa.db.table_name`*:: + -- -type: date +This key is used to capture the table name + +type: keyword -- -*`netflow.min_flow_start_nanoseconds`*:: +*`rsa.db.db_id`*:: + -- -type: date +This key is used to capture the unique identifier for a database + +type: keyword -- -*`netflow.collector_certificate`*:: +*`rsa.db.db_pid`*:: + -- -type: short +This key captures the process id of a connection with database server + +type: long -- -*`netflow.exporter_certificate`*:: +*`rsa.db.lread`*:: + -- -type: short +This key is used for the number of logical reads + +type: long -- -*`netflow.data_records_reliability`*:: +*`rsa.db.lwrite`*:: + -- -type: boolean +This key is used for the number of logical writes + +type: long -- -*`netflow.observation_point_type`*:: +*`rsa.db.pread`*:: + -- -type: short +This key is used for the number of physical writes + +type: long -- -*`netflow.new_connection_delta_count`*:: + +*`rsa.network.alias_host`*:: + -- -type: long +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + +type: keyword -- -*`netflow.connection_sum_duration_seconds`*:: +*`rsa.network.domain`*:: + -- -type: long +type: keyword -- -*`netflow.connection_transaction_id`*:: +*`rsa.network.host_dst`*:: + -- -type: long +This key should only be used when it’s a Destination Hostname + +type: keyword -- -*`netflow.post_nat_source_ipv6_address`*:: +*`rsa.network.network_service`*:: + -- -type: ip +This is used to capture layer 7 protocols/service names + +type: keyword -- -*`netflow.post_nat_destination_ipv6_address`*:: +*`rsa.network.interface`*:: + -- -type: ip +This key should be used when the source or destination context of an interface is not clear + +type: keyword -- -*`netflow.nat_pool_id`*:: +*`rsa.network.network_port`*:: + -- +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + type: long -- -*`netflow.nat_pool_name`*:: +*`rsa.network.eth_host`*:: + -- +Deprecated, use alias.mac + type: keyword -- -*`netflow.anonymization_flags`*:: +*`rsa.network.sinterface`*:: + -- -type: integer +This key should only be used when it’s a Source Interface + +type: keyword -- -*`netflow.anonymization_technique`*:: +*`rsa.network.dinterface`*:: + -- -type: integer +This key should only be used when it’s a Destination Interface + +type: keyword -- -*`netflow.information_element_index`*:: +*`rsa.network.vlan`*:: + -- -type: integer +This key should only be used to capture the ID of the Virtual LAN + +type: long -- -*`netflow.p2p_technology`*:: +*`rsa.network.zone_src`*:: + -- +This key should only be used when it’s a Source Zone. + type: keyword -- -*`netflow.tunnel_technology`*:: +*`rsa.network.zone`*:: + -- +This key should be used when the source or destination context of a Zone is not clear + type: keyword -- -*`netflow.encrypted_technology`*:: +*`rsa.network.zone_dst`*:: + -- +This key should only be used when it’s a Destination Zone. + type: keyword -- -*`netflow.bgp_validity_state`*:: +*`rsa.network.gateway`*:: + -- -type: short - --- +This key is used to capture the IP Address of the gateway -*`netflow.ip_sec_spi`*:: -+ --- -type: long +type: keyword -- -*`netflow.gre_key`*:: +*`rsa.network.icmp_type`*:: + -- +This key is used to capture the ICMP type only + type: long -- -*`netflow.nat_type`*:: +*`rsa.network.mask`*:: + -- -type: short +This key is used to capture the device network IPmask. + +type: keyword -- -*`netflow.initiator_packets`*:: +*`rsa.network.icmp_code`*:: + -- +This key is used to capture the ICMP code only + type: long -- -*`netflow.responder_packets`*:: +*`rsa.network.protocol_detail`*:: + -- -type: long +This key should be used to capture additional protocol information + +type: keyword -- -*`netflow.observation_domain_name`*:: +*`rsa.network.dmask`*:: + -- +This key is used for Destionation Device network mask + type: keyword -- -*`netflow.selection_sequence_id`*:: +*`rsa.network.port`*:: + -- +This key should only be used to capture a Network Port when the directionality is not clear + type: long -- -*`netflow.selector_id`*:: +*`rsa.network.smask`*:: + -- -type: long +This key is used for capturing source Network Mask + +type: keyword -- -*`netflow.information_element_id`*:: +*`rsa.network.netname`*:: + -- -type: integer +This key is used to capture the network name associated with an IP range. This is configured by the end user. + +type: keyword -- -*`netflow.selector_algorithm`*:: +*`rsa.network.paddr`*:: + -- -type: integer +Deprecated + +type: ip -- -*`netflow.sampling_packet_interval`*:: +*`rsa.network.faddr`*:: + -- -type: long +type: keyword -- -*`netflow.sampling_packet_space`*:: +*`rsa.network.lhost`*:: + -- -type: long +type: keyword -- -*`netflow.sampling_time_interval`*:: +*`rsa.network.origin`*:: + -- -type: long +type: keyword -- -*`netflow.sampling_time_space`*:: +*`rsa.network.remote_domain_id`*:: + -- -type: long +type: keyword -- -*`netflow.sampling_size`*:: +*`rsa.network.addr`*:: + -- -type: long +type: keyword -- -*`netflow.sampling_population`*:: +*`rsa.network.dns_a_record`*:: + -- -type: long +type: keyword -- -*`netflow.sampling_probability`*:: +*`rsa.network.dns_ptr_record`*:: + -- -type: double +type: keyword -- -*`netflow.data_link_frame_size`*:: +*`rsa.network.fhost`*:: + -- -type: integer +type: keyword -- -*`netflow.ip_header_packet_section`*:: +*`rsa.network.fport`*:: + -- -type: short +type: keyword -- -*`netflow.ip_payload_packet_section`*:: +*`rsa.network.laddr`*:: + -- -type: short +type: keyword -- -*`netflow.data_link_frame_section`*:: +*`rsa.network.linterface`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_label_stack_section`*:: +*`rsa.network.phost`*:: + -- -type: short +type: keyword -- -*`netflow.mpls_payload_packet_section`*:: +*`rsa.network.ad_computer_dst`*:: + -- -type: short +Deprecated, use host.dst + +type: keyword -- -*`netflow.selector_id_total_pkts_observed`*:: +*`rsa.network.eth_type`*:: + -- +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + type: long -- -*`netflow.selector_id_total_pkts_selected`*:: +*`rsa.network.ip_proto`*:: + -- +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + type: long -- -*`netflow.absolute_error`*:: +*`rsa.network.dns_cname_record`*:: + -- -type: double +type: keyword -- -*`netflow.relative_error`*:: +*`rsa.network.dns_id`*:: + -- -type: double +type: keyword -- -*`netflow.observation_time_seconds`*:: +*`rsa.network.dns_opcode`*:: + -- -type: date +type: keyword -- -*`netflow.observation_time_milliseconds`*:: +*`rsa.network.dns_resp`*:: + -- -type: date +type: keyword -- -*`netflow.observation_time_microseconds`*:: +*`rsa.network.dns_type`*:: + -- -type: date +type: keyword -- -*`netflow.observation_time_nanoseconds`*:: +*`rsa.network.domain1`*:: + -- -type: date +type: keyword -- -*`netflow.digest_hash_value`*:: +*`rsa.network.host_type`*:: + -- -type: long +type: keyword -- -*`netflow.hash_ip_payload_offset`*:: +*`rsa.network.packet_length`*:: + -- -type: long +type: keyword -- -*`netflow.hash_ip_payload_size`*:: +*`rsa.network.host_orig`*:: + -- -type: long +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + +type: keyword -- -*`netflow.hash_output_range_min`*:: +*`rsa.network.rpayload`*:: + -- -type: long +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + +type: keyword -- -*`netflow.hash_output_range_max`*:: +*`rsa.network.vlan_name`*:: + -- -type: long +This key should only be used to capture the name of the Virtual LAN --- +type: keyword -*`netflow.hash_selected_range_min`*:: -+ -- -type: long --- -*`netflow.hash_selected_range_max`*:: +*`rsa.investigations.ec_activity`*:: + -- -type: long +This key captures the particular event activity(Ex:Logoff) + +type: keyword -- -*`netflow.hash_digest_output`*:: +*`rsa.investigations.ec_theme`*:: + -- -type: boolean +This key captures the Theme of a particular Event(Ex:Authentication) + +type: keyword -- -*`netflow.hash_initialiser_value`*:: +*`rsa.investigations.ec_subject`*:: + -- -type: long +This key captures the Subject of a particular Event(Ex:User) + +type: keyword -- -*`netflow.selector_name`*:: +*`rsa.investigations.ec_outcome`*:: + -- +This key captures the outcome of a particular Event(Ex:Success) + type: keyword -- -*`netflow.upper_ci_limit`*:: +*`rsa.investigations.event_cat`*:: + -- -type: double +This key captures the Event category number + +type: long -- -*`netflow.lower_ci_limit`*:: +*`rsa.investigations.event_cat_name`*:: + -- -type: double +This key captures the event category name corresponding to the event cat code + +type: keyword -- -*`netflow.confidence_level`*:: +*`rsa.investigations.event_vcat`*:: + -- -type: double +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + +type: keyword -- -*`netflow.information_element_data_type`*:: +*`rsa.investigations.analysis_file`*:: + -- -type: short +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + +type: keyword -- -*`netflow.information_element_description`*:: +*`rsa.investigations.analysis_service`*:: + -- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + type: keyword -- -*`netflow.information_element_name`*:: +*`rsa.investigations.analysis_session`*:: + -- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + type: keyword -- -*`netflow.information_element_range_begin`*:: +*`rsa.investigations.boc`*:: + -- -type: long +This is used to capture behaviour of compromise + +type: keyword -- -*`netflow.information_element_range_end`*:: +*`rsa.investigations.eoc`*:: + -- -type: long +This is used to capture Enablers of Compromise + +type: keyword -- -*`netflow.information_element_semantics`*:: +*`rsa.investigations.inv_category`*:: + -- -type: short +This used to capture investigation category + +type: keyword -- -*`netflow.information_element_units`*:: +*`rsa.investigations.inv_context`*:: + -- -type: integer +This used to capture investigation context + +type: keyword -- -*`netflow.private_enterprise_number`*:: +*`rsa.investigations.ioc`*:: + -- -type: long +This is key capture indicator of compromise + +type: keyword -- -*`netflow.virtual_station_interface_id`*:: + +*`rsa.counters.dclass_c1`*:: + -- -type: short +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long -- -*`netflow.virtual_station_interface_name`*:: +*`rsa.counters.dclass_c2`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long -- -*`netflow.virtual_station_uuid`*:: +*`rsa.counters.event_counter`*:: + -- -type: short +This is used to capture the number of times an event repeated + +type: long -- -*`netflow.virtual_station_name`*:: +*`rsa.counters.dclass_r1`*:: + -- +This is a generic ratio key that should be used with the label dclass.r1.str only + type: keyword -- -*`netflow.layer2_segment_id`*:: +*`rsa.counters.dclass_c3`*:: + -- +This is a generic counter key that should be used with the label dclass.c3.str only + type: long -- -*`netflow.layer2_octet_delta_count`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -type: long +This is a generic counter string key that should be used with the label dclass.c1 only + +type: keyword -- -*`netflow.layer2_octet_total_count`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -type: long +This is a generic counter string key that should be used with the label dclass.c2 only + +type: keyword -- -*`netflow.ingress_unicast_packet_total_count`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -type: long +This is a generic ratio string key that should be used with the label dclass.r1 only + +type: keyword -- -*`netflow.ingress_multicast_packet_total_count`*:: +*`rsa.counters.dclass_r2`*:: + -- -type: long +This is a generic ratio key that should be used with the label dclass.r2.str only + +type: keyword -- -*`netflow.ingress_broadcast_packet_total_count`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -type: long +This is a generic counter string key that should be used with the label dclass.c3 only + +type: keyword -- -*`netflow.egress_unicast_packet_total_count`*:: +*`rsa.counters.dclass_r3`*:: + -- -type: long +This is a generic ratio key that should be used with the label dclass.r3.str only + +type: keyword -- -*`netflow.egress_broadcast_packet_total_count`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -type: long +This is a generic ratio string key that should be used with the label dclass.r2 only + +type: keyword -- -*`netflow.monitoring_interval_start_milli_seconds`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -type: date +This is a generic ratio string key that should be used with the label dclass.r3 only --- +type: keyword -*`netflow.monitoring_interval_end_milli_seconds`*:: -+ -- -type: date --- -*`netflow.port_range_start`*:: +*`rsa.identity.auth_method`*:: + -- -type: integer +This key is used to capture authentication methods used only + +type: keyword -- -*`netflow.port_range_end`*:: +*`rsa.identity.user_role`*:: + -- -type: integer +This key is used to capture the Role of a user only + +type: keyword -- -*`netflow.port_range_step_size`*:: +*`rsa.identity.dn`*:: + -- -type: integer +X.500 (LDAP) Distinguished Name + +type: keyword -- -*`netflow.port_range_num_ports`*:: +*`rsa.identity.logon_type`*:: + -- -type: integer +This key is used to capture the type of logon method used. + +type: keyword -- -*`netflow.sta_mac_address`*:: +*`rsa.identity.profile`*:: + -- +This key is used to capture the user profile + type: keyword -- -*`netflow.sta_ipv4_address`*:: +*`rsa.identity.accesses`*:: + -- -type: ip +This key is used to capture actual privileges used in accessing an object + +type: keyword -- -*`netflow.wtp_mac_address`*:: +*`rsa.identity.realm`*:: + -- +Radius realm or similar grouping of accounts + type: keyword -- -*`netflow.ingress_interface_type`*:: +*`rsa.identity.user_sid_dst`*:: + -- -type: long +This key captures Destination User Session ID + +type: keyword -- -*`netflow.egress_interface_type`*:: +*`rsa.identity.dn_src`*:: + -- -type: long +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + +type: keyword -- -*`netflow.rtp_sequence_number`*:: +*`rsa.identity.org`*:: + -- -type: integer +This key captures the User organization + +type: keyword -- -*`netflow.user_name`*:: +*`rsa.identity.dn_dst`*:: + -- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + type: keyword -- -*`netflow.application_category_name`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`netflow.application_sub_category_name`*:: +*`rsa.identity.lastname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`netflow.application_group_name`*:: +*`rsa.identity.user_dept`*:: + -- +User's Department Names only + type: keyword -- -*`netflow.original_flows_present`*:: +*`rsa.identity.user_sid_src`*:: + -- -type: long +This key captures Source User Session ID + +type: keyword -- -*`netflow.original_flows_initiated`*:: +*`rsa.identity.federated_sp`*:: + -- -type: long +This key is the Federated Service Provider. This is the application requesting authentication. + +type: keyword -- -*`netflow.original_flows_completed`*:: +*`rsa.identity.federated_idp`*:: + -- -type: long +This key is the federated Identity Provider. This is the server providing the authentication. + +type: keyword -- -*`netflow.distinct_count_of_source_ip_address`*:: +*`rsa.identity.logon_type_desc`*:: + -- -type: long +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + +type: keyword -- -*`netflow.distinct_count_of_destination_ip_address`*:: +*`rsa.identity.middlename`*:: + -- -type: long +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`netflow.distinct_count_of_source_ipv4_address`*:: +*`rsa.identity.password`*:: + -- -type: long +This key is for Passwords seen in any session, plain text or encrypted + +type: keyword -- -*`netflow.distinct_count_of_destination_ipv4_address`*:: +*`rsa.identity.host_role`*:: + -- -type: long +This key should only be used to capture the role of a Host Machine + +type: keyword -- -*`netflow.distinct_count_of_source_ipv6_address`*:: +*`rsa.identity.ldap`*:: + -- -type: long +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + +type: keyword -- -*`netflow.distinct_count_of_destination_ipv6_address`*:: +*`rsa.identity.ldap_query`*:: + -- -type: long +This key is the Search criteria from an LDAP search + +type: keyword -- -*`netflow.value_distribution_method`*:: +*`rsa.identity.ldap_response`*:: + -- -type: short +This key is to capture Results from an LDAP search + +type: keyword -- -*`netflow.rfc3550_jitter_milliseconds`*:: +*`rsa.identity.owner`*:: + -- -type: long +This is used to capture username the process or service is running as, the author of the task + +type: keyword -- -*`netflow.rfc3550_jitter_microseconds`*:: +*`rsa.identity.service_account`*:: + -- -type: long +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage --- +type: keyword -*`netflow.rfc3550_jitter_nanoseconds`*:: -+ -- -type: long --- -*`netflow.dot1q_dei`*:: +*`rsa.email.email_dst`*:: + -- -type: boolean +This key is used to capture the Destination email address only, when the destination context is not clear use email + +type: keyword -- -*`netflow.dot1q_customer_dei`*:: +*`rsa.email.email_src`*:: + -- -type: boolean +This key is used to capture the source email address only, when the source context is not clear use email + +type: keyword -- -*`netflow.flow_selector_algorithm`*:: +*`rsa.email.subject`*:: + -- -type: integer +This key is used to capture the subject string from an Email only. + +type: keyword -- -*`netflow.flow_selected_octet_delta_count`*:: +*`rsa.email.email`*:: + -- -type: long +This key is used to capture a generic email address where the source or destination context is not clear + +type: keyword -- -*`netflow.flow_selected_packet_delta_count`*:: +*`rsa.email.trans_from`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.flow_selected_flow_delta_count`*:: +*`rsa.email.trans_to`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.selector_id_total_flows_observed`*:: + +*`rsa.file.privilege`*:: + -- -type: long +Deprecated, use permissions + +type: keyword -- -*`netflow.selector_id_total_flows_selected`*:: +*`rsa.file.attachment`*:: + -- -type: long +This key captures the attachment file name + +type: keyword -- -*`netflow.sampling_flow_interval`*:: +*`rsa.file.filesystem`*:: + -- -type: long +type: keyword -- -*`netflow.sampling_flow_spacing`*:: +*`rsa.file.binary`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.flow_sampling_time_interval`*:: +*`rsa.file.filename_dst`*:: + -- -type: long +This is used to capture name of the file targeted by the action + +type: keyword -- -*`netflow.flow_sampling_time_spacing`*:: +*`rsa.file.filename_src`*:: + -- -type: long +This is used to capture name of the parent filename, the file which performed the action + +type: keyword -- -*`netflow.hash_flow_domain`*:: +*`rsa.file.filename_tmp`*:: + -- -type: integer +type: keyword -- -*`netflow.transport_octet_delta_count`*:: +*`rsa.file.directory_dst`*:: + -- -type: long +This key is used to capture the directory of the target process or file + +type: keyword -- -*`netflow.transport_packet_delta_count`*:: +*`rsa.file.directory_src`*:: + -- -type: long +This key is used to capture the directory of the source process or file + +type: keyword -- -*`netflow.original_exporter_ipv4_address`*:: +*`rsa.file.file_entropy`*:: + -- -type: ip +This is used to capture entropy vale of a file + +type: double -- -*`netflow.original_exporter_ipv6_address`*:: +*`rsa.file.file_vendor`*:: + -- -type: ip +This is used to capture Company name of file located in version_info + +type: keyword -- -*`netflow.original_observation_domain_id`*:: +*`rsa.file.task_name`*:: + -- -type: long +This is used to capture name of the task + +type: keyword -- -*`netflow.intermediate_process_id`*:: + +*`rsa.web.fqdn`*:: + -- -type: long +Fully Qualified Domain Names + +type: keyword -- -*`netflow.ignored_data_record_total_count`*:: +*`rsa.web.web_cookie`*:: + -- -type: long +This key is used to capture the Web cookies specifically. + +type: keyword -- -*`netflow.data_link_frame_type`*:: +*`rsa.web.alias_host`*:: + -- -type: integer +type: keyword -- -*`netflow.section_offset`*:: +*`rsa.web.reputation_num`*:: + -- -type: integer +Reputation Number of an entity. Typically used for Web Domains + +type: double -- -*`netflow.section_exported_octets`*:: +*`rsa.web.web_ref_domain`*:: + -- -type: integer +Web referer's domain + +type: keyword -- -*`netflow.dot1q_service_instance_tag`*:: +*`rsa.web.web_ref_query`*:: + -- -type: short +This key captures Web referer's query portion of the URL + +type: keyword -- -*`netflow.dot1q_service_instance_id`*:: +*`rsa.web.remote_domain`*:: + -- -type: long +type: keyword -- -*`netflow.dot1q_service_instance_priority`*:: +*`rsa.web.web_ref_page`*:: + -- -type: short +This key captures Web referer's page information + +type: keyword -- -*`netflow.dot1q_customer_source_mac_address`*:: +*`rsa.web.web_ref_root`*:: + -- +Web referer's root URL path + type: keyword -- -*`netflow.dot1q_customer_destination_mac_address`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`netflow.post_layer2_octet_delta_count`*:: +*`rsa.web.cn_rpackets`*:: + -- -type: long +type: keyword -- -*`netflow.post_mcast_layer2_octet_delta_count`*:: +*`rsa.web.urlpage`*:: + -- -type: long +type: keyword -- -*`netflow.post_layer2_octet_total_count`*:: +*`rsa.web.urlroot`*:: + -- -type: long +type: keyword -- -*`netflow.post_mcast_layer2_octet_total_count`*:: +*`rsa.web.p_url`*:: + -- -type: long +type: keyword -- -*`netflow.minimum_layer2_total_length`*:: +*`rsa.web.p_user_agent`*:: + -- -type: long +type: keyword -- -*`netflow.maximum_layer2_total_length`*:: +*`rsa.web.p_web_cookie`*:: + -- -type: long +type: keyword -- -*`netflow.dropped_layer2_octet_delta_count`*:: +*`rsa.web.p_web_method`*:: + -- -type: long +type: keyword -- -*`netflow.dropped_layer2_octet_total_count`*:: +*`rsa.web.p_web_referer`*:: + -- -type: long +type: keyword -- -*`netflow.ignored_layer2_octet_total_count`*:: +*`rsa.web.web_extension_tmp`*:: + -- -type: long +type: keyword -- -*`netflow.not_sent_layer2_octet_total_count`*:: +*`rsa.web.web_page`*:: + -- -type: long +type: keyword -- -*`netflow.layer2_octet_delta_sum_of_squares`*:: + +*`rsa.threat.threat_category`*:: + -- -type: long +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword -- -*`netflow.layer2_octet_total_sum_of_squares`*:: +*`rsa.threat.threat_desc`*:: + -- -type: long +This key is used to capture the threat description from the session directly or inferred + +type: keyword -- -*`netflow.layer2_frame_delta_count`*:: +*`rsa.threat.alert`*:: + -- -type: long +This key is used to capture name of the alert + +type: keyword -- -*`netflow.layer2_frame_total_count`*:: +*`rsa.threat.threat_source`*:: + -- -type: long +This key is used to capture source of the threat + +type: keyword -- -*`netflow.pseudo_wire_destination_ipv4_address`*:: + +*`rsa.crypto.crypto`*:: + -- -type: ip +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword -- -*`netflow.ignored_layer2_frame_total_count`*:: +*`rsa.crypto.cipher_src`*:: + -- -type: long +This key is for Source (Client) Cipher + +type: keyword -- -*`netflow.mib_object_value_integer`*:: +*`rsa.crypto.cert_subject`*:: + -- -type: integer +This key is used to capture the Certificate organization only + +type: keyword -- -*`netflow.mib_object_value_octet_string`*:: +*`rsa.crypto.peer`*:: + -- -type: short +This key is for Encryption peer's IP Address + +type: keyword -- -*`netflow.mib_object_value_oid`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -type: short +This key captures Source (Client) Cipher Size + +type: long -- -*`netflow.mib_object_value_bits`*:: +*`rsa.crypto.ike`*:: + -- -type: short +IKE negotiation phase. + +type: keyword -- -*`netflow.mib_object_value_ip_address`*:: +*`rsa.crypto.scheme`*:: + -- -type: ip +This key captures the Encryption scheme used + +type: keyword -- -*`netflow.mib_object_value_counter`*:: +*`rsa.crypto.peer_id`*:: + -- -type: long +This key is for Encryption peer’s identity + +type: keyword -- -*`netflow.mib_object_value_gauge`*:: +*`rsa.crypto.sig_type`*:: + -- -type: long +This key captures the Signature Type + +type: keyword -- -*`netflow.mib_object_value_time_ticks`*:: +*`rsa.crypto.cert_issuer`*:: + -- -type: long +type: keyword -- -*`netflow.mib_object_value_unsigned`*:: +*`rsa.crypto.cert_host_name`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`netflow.mib_object_identifier`*:: +*`rsa.crypto.cert_error`*:: + -- -type: short +This key captures the Certificate Error String + +type: keyword -- -*`netflow.mib_sub_identifier`*:: +*`rsa.crypto.cipher_dst`*:: + -- -type: long +This key is for Destination (Server) Cipher + +type: keyword -- -*`netflow.mib_index_indicator`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- +This key captures Destination (Server) Cipher Size + type: long -- -*`netflow.mib_capture_time_semantics`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -type: short +Deprecated, use version + +type: keyword -- -*`netflow.mib_context_engine_id`*:: +*`rsa.crypto.d_certauth`*:: + -- -type: short +type: keyword -- -*`netflow.mib_context_name`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`netflow.mib_object_name`*:: +*`rsa.crypto.ike_cookie1`*:: + -- +ID of the negotiation — sent for ISAKMP Phase One + type: keyword -- -*`netflow.mib_object_description`*:: +*`rsa.crypto.ike_cookie2`*:: + -- +ID of the negotiation — sent for ISAKMP Phase Two + type: keyword -- -*`netflow.mib_object_syntax`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`netflow.mib_module_name`*:: +*`rsa.crypto.cert_host_cat`*:: + -- +This key is used for the hostname category value of a certificate + type: keyword -- -*`netflow.mobile_imsi`*:: +*`rsa.crypto.cert_serial`*:: + -- +This key is used to capture the Certificate serial number only + type: keyword -- -*`netflow.mobile_msisdn`*:: +*`rsa.crypto.cert_status`*:: + -- +This key captures Certificate validation status + type: keyword -- -*`netflow.http_status_code`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -type: integer +Deprecated, use version + +type: keyword -- -*`netflow.source_transport_ports_limit`*:: +*`rsa.crypto.cert_keysize`*:: + -- -type: integer +type: keyword -- -*`netflow.http_request_method`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`netflow.http_request_host`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`netflow.http_request_target`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`netflow.http_message_version`*:: +*`rsa.crypto.cert_ca`*:: + -- +This key is used to capture the Certificate signing authority only + type: keyword -- -*`netflow.nat_instance_id`*:: +*`rsa.crypto.cert_common`*:: + -- -type: long +This key is used to capture the Certificate common name only --- +type: keyword -*`netflow.internal_address_realm`*:: -+ -- -type: short --- -*`netflow.external_address_realm`*:: +*`rsa.wireless.wlan_ssid`*:: + -- -type: short +This key is used to capture the ssid of a Wireless Session + +type: keyword -- -*`netflow.nat_quota_exceeded_event`*:: +*`rsa.wireless.access_point`*:: + -- -type: long +This key is used to capture the access point name. + +type: keyword -- -*`netflow.nat_threshold_event`*:: +*`rsa.wireless.wlan_channel`*:: + -- +This is used to capture the channel names + type: long -- -*`netflow.http_user_agent`*:: +*`rsa.wireless.wlan_name`*:: + -- +This key captures either WLAN number/name + type: keyword -- -*`netflow.http_content_type`*:: + +*`rsa.storage.disk_volume`*:: + -- +A unique name assigned to logical units (volumes) within a physical disk + type: keyword -- -*`netflow.http_reason_phrase`*:: +*`rsa.storage.lun`*:: + -- +Logical Unit Number.This key is a very useful concept in Storage. + type: keyword -- -*`netflow.max_session_entries`*:: +*`rsa.storage.pwwn`*:: + -- -type: long +This uniquely identifies a port on a HBA. --- +type: keyword -*`netflow.max_bib_entries`*:: -+ -- -type: long --- -*`netflow.max_entries_per_user`*:: +*`rsa.physical.org_dst`*:: + -- -type: long +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword -- -*`netflow.max_subscribers`*:: +*`rsa.physical.org_src`*:: + -- -type: long +This is used to capture the source organization based on the GEOPIP Maxmind database. + +type: keyword -- -*`netflow.max_fragments_pending_reassembly`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -type: long +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`netflow.address_pool_high_threshold`*:: +*`rsa.healthcare.patient_id`*:: + -- -type: long +This key captures the unique ID for a patient + +type: keyword -- -*`netflow.address_pool_low_threshold`*:: +*`rsa.healthcare.patient_lname`*:: + -- -type: long +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`netflow.address_port_mapping_high_threshold`*:: +*`rsa.healthcare.patient_mname`*:: + -- -type: long +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword -- -*`netflow.address_port_mapping_low_threshold`*:: + +*`rsa.endpoint.host_state`*:: + -- -type: long +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword -- -*`netflow.address_port_mapping_per_user_high_threshold`*:: +*`rsa.endpoint.registry_key`*:: + -- -type: long +This key captures the path to the registry key + +type: keyword -- -*`netflow.global_address_mapping_high_threshold`*:: +*`rsa.endpoint.registry_value`*:: + -- -type: long +This key captures values or decorators used within a registry entry + +type: keyword -- -*`netflow.vpn_identifier`*:: +[[exported-fields-rabbitmq]] +== RabbitMQ fields + +RabbitMQ Module + + + +[float] +=== rabbitmq + + + + +[float] +=== log + +RabbitMQ log files + + + +*`rabbitmq.log.pid`*:: + -- -type: short +The Erlang process id + +type: keyword + +example: <0.222.0> -- -[[exported-fields-netscout]] -== Arbor Peakflow SP fields +[[exported-fields-radware]] +== Radware DefensePro fields -netscout fields. +radware fields. @@ -100892,340 +117400,1244 @@ type: keyword -- -*`rsa.file.filename_tmp`*:: +*`rsa.file.filename_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.file.directory_dst`*:: ++ +-- +This key is used to capture the directory of the target process or file + +type: keyword + +-- + +*`rsa.file.directory_src`*:: ++ +-- +This key is used to capture the directory of the source process or file + +type: keyword + +-- + +*`rsa.file.file_entropy`*:: ++ +-- +This is used to capture entropy vale of a file + +type: double + +-- + +*`rsa.file.file_vendor`*:: ++ +-- +This is used to capture Company name of file located in version_info + +type: keyword + +-- + +*`rsa.file.task_name`*:: ++ +-- +This is used to capture name of the task + +type: keyword + +-- + + +*`rsa.web.fqdn`*:: ++ +-- +Fully Qualified Domain Names + +type: keyword + +-- + +*`rsa.web.web_cookie`*:: ++ +-- +This key is used to capture the Web cookies specifically. + +type: keyword + +-- + +*`rsa.web.alias_host`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.reputation_num`*:: ++ +-- +Reputation Number of an entity. Typically used for Web Domains + +type: double + +-- + +*`rsa.web.web_ref_domain`*:: ++ +-- +Web referer's domain + +type: keyword + +-- + +*`rsa.web.web_ref_query`*:: ++ +-- +This key captures Web referer's query portion of the URL + +type: keyword + +-- + +*`rsa.web.remote_domain`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_ref_page`*:: ++ +-- +This key captures Web referer's page information + +type: keyword + +-- + +*`rsa.web.web_ref_root`*:: ++ +-- +Web referer's root URL path + +type: keyword + +-- + +*`rsa.web.cn_asn_dst`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.cn_rpackets`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlpage`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.urlroot`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_url`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_user_agent`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_cookie`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_method`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.p_web_referer`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_extension_tmp`*:: ++ +-- +type: keyword + +-- + +*`rsa.web.web_page`*:: ++ +-- +type: keyword + +-- + + +*`rsa.threat.threat_category`*:: ++ +-- +This key captures Threat Name/Threat Category/Categorization of alert + +type: keyword + +-- + +*`rsa.threat.threat_desc`*:: ++ +-- +This key is used to capture the threat description from the session directly or inferred + +type: keyword + +-- + +*`rsa.threat.alert`*:: ++ +-- +This key is used to capture name of the alert + +type: keyword + +-- + +*`rsa.threat.threat_source`*:: ++ +-- +This key is used to capture source of the threat + +type: keyword + +-- + + +*`rsa.crypto.crypto`*:: ++ +-- +This key is used to capture the Encryption Type or Encryption Key only + +type: keyword + +-- + +*`rsa.crypto.cipher_src`*:: ++ +-- +This key is for Source (Client) Cipher + +type: keyword + +-- + +*`rsa.crypto.cert_subject`*:: ++ +-- +This key is used to capture the Certificate organization only + +type: keyword + +-- + +*`rsa.crypto.peer`*:: ++ +-- +This key is for Encryption peer's IP Address + +type: keyword + +-- + +*`rsa.crypto.cipher_size_src`*:: ++ +-- +This key captures Source (Client) Cipher Size + +type: long + +-- + +*`rsa.crypto.ike`*:: ++ +-- +IKE negotiation phase. + +type: keyword + +-- + +*`rsa.crypto.scheme`*:: ++ +-- +This key captures the Encryption scheme used + +type: keyword + +-- + +*`rsa.crypto.peer_id`*:: ++ +-- +This key is for Encryption peer’s identity + +type: keyword + +-- + +*`rsa.crypto.sig_type`*:: ++ +-- +This key captures the Signature Type + +type: keyword + +-- + +*`rsa.crypto.cert_issuer`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_name`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword + +-- + +*`rsa.crypto.cert_error`*:: ++ +-- +This key captures the Certificate Error String + +type: keyword + +-- + +*`rsa.crypto.cipher_dst`*:: ++ +-- +This key is for Destination (Server) Cipher + +type: keyword + +-- + +*`rsa.crypto.cipher_size_dst`*:: ++ +-- +This key captures Destination (Server) Cipher Size + +type: long + +-- + +*`rsa.crypto.ssl_ver_src`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.d_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.s_certauth`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.ike_cookie1`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase One + +type: keyword + +-- + +*`rsa.crypto.ike_cookie2`*:: ++ +-- +ID of the negotiation — sent for ISAKMP Phase Two + +type: keyword + +-- + +*`rsa.crypto.cert_checksum`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_host_cat`*:: ++ +-- +This key is used for the hostname category value of a certificate + +type: keyword + +-- + +*`rsa.crypto.cert_serial`*:: ++ +-- +This key is used to capture the Certificate serial number only + +type: keyword + +-- + +*`rsa.crypto.cert_status`*:: ++ +-- +This key captures Certificate validation status + +type: keyword + +-- + +*`rsa.crypto.ssl_ver_dst`*:: ++ +-- +Deprecated, use version + +type: keyword + +-- + +*`rsa.crypto.cert_keysize`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_username`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_insact`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.https_valid`*:: ++ +-- +type: keyword + +-- + +*`rsa.crypto.cert_ca`*:: ++ +-- +This key is used to capture the Certificate signing authority only + +type: keyword + +-- + +*`rsa.crypto.cert_common`*:: ++ +-- +This key is used to capture the Certificate common name only + +type: keyword + +-- + + +*`rsa.wireless.wlan_ssid`*:: ++ +-- +This key is used to capture the ssid of a Wireless Session + +type: keyword + +-- + +*`rsa.wireless.access_point`*:: ++ +-- +This key is used to capture the access point name. + +type: keyword + +-- + +*`rsa.wireless.wlan_channel`*:: ++ +-- +This is used to capture the channel names + +type: long + +-- + +*`rsa.wireless.wlan_name`*:: ++ +-- +This key captures either WLAN number/name + +type: keyword + +-- + + +*`rsa.storage.disk_volume`*:: ++ +-- +A unique name assigned to logical units (volumes) within a physical disk + +type: keyword + +-- + +*`rsa.storage.lun`*:: ++ +-- +Logical Unit Number.This key is a very useful concept in Storage. + +type: keyword + +-- + +*`rsa.storage.pwwn`*:: ++ +-- +This uniquely identifies a port on a HBA. + +type: keyword + +-- + + +*`rsa.physical.org_dst`*:: ++ +-- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + +*`rsa.physical.org_src`*:: ++ +-- +This is used to capture the source organization based on the GEOPIP Maxmind database. + +type: keyword + +-- + + +*`rsa.healthcare.patient_fname`*:: ++ +-- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_id`*:: ++ +-- +This key captures the unique ID for a patient + +type: keyword + +-- + +*`rsa.healthcare.patient_lname`*:: ++ +-- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + +*`rsa.healthcare.patient_mname`*:: ++ +-- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + +type: keyword + +-- + + +*`rsa.endpoint.host_state`*:: ++ +-- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + +type: keyword + +-- + +*`rsa.endpoint.registry_key`*:: ++ +-- +This key captures the path to the registry key + +type: keyword + +-- + +*`rsa.endpoint.registry_value`*:: ++ +-- +This key captures values or decorators used within a registry entry + +type: keyword + +-- + +[[exported-fields-redis]] +== Redis fields + +Redis Module + + + +[float] +=== redis + + + + +[float] +=== log + +Redis log files + + + +*`redis.log.role`*:: ++ +-- +The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`. + + +type: keyword + +-- + +*`redis.log.pid`*:: ++ +-- +type: alias + +alias to: process.pid + +-- + +*`redis.log.level`*:: ++ +-- +type: alias + +alias to: log.level + +-- + +*`redis.log.message`*:: ++ +-- +type: alias + +alias to: message + +-- + +[float] +=== slowlog + +Slow logs are retrieved from Redis via a network connection. + + + +*`redis.slowlog.cmd`*:: ++ +-- +The command executed. + + +type: keyword + +-- + +*`redis.slowlog.duration.us`*:: ++ +-- +How long it took to execute the command in microseconds. + + +type: long + +-- + +*`redis.slowlog.id`*:: ++ +-- +The ID of the query. + + +type: long + +-- + +*`redis.slowlog.key`*:: ++ +-- +The key on which the command was executed. + + +type: keyword + +-- + +*`redis.slowlog.args`*:: ++ +-- +The arguments with which the command was called. + + +type: keyword + +-- + +[[exported-fields-s3]] +== s3 fields + +S3 fields from s3 input. + + + +*`bucket_name`*:: ++ +-- +Name of the S3 bucket that this log retrieved from. + + +type: keyword + +-- + +*`object_key`*:: ++ +-- +Name of the S3 object that this log retrieved from. + + +type: keyword + +-- + +[[exported-fields-santa]] +== Google Santa fields + +Santa Module + + + +[float] +=== santa + + + + +*`santa.action`*:: ++ +-- +Action + +type: keyword + +example: EXEC + +-- + +*`santa.decision`*:: ++ +-- +Decision that santad took. + +type: keyword + +example: ALLOW + +-- + +*`santa.reason`*:: ++ +-- +Reason for the decsision. + +type: keyword + +example: CERT + +-- + +*`santa.mode`*:: ++ +-- +Operating mode of Santa. + +type: keyword + +example: M + +-- + +[float] +=== disk + +Fields for DISKAPPEAR actions. + + +*`santa.disk.volume`*:: ++ +-- +The volume name. + +-- + +*`santa.disk.bus`*:: ++ +-- +The disk bus protocol. + +-- + +*`santa.disk.serial`*:: ++ +-- +The disk serial number. + +-- + +*`santa.disk.bsdname`*:: + -- -type: keyword +The disk BSD name. + +example: disk1s3 -- -*`rsa.file.directory_dst`*:: +*`santa.disk.model`*:: + -- -This key is used to capture the directory of the target process or file +The disk model. -type: keyword +example: APPLE SSD SM0512L -- -*`rsa.file.directory_src`*:: +*`santa.disk.fs`*:: + -- -This key is used to capture the directory of the source process or file +The disk volume kind (filesystem type). -type: keyword +example: apfs -- -*`rsa.file.file_entropy`*:: +*`santa.disk.mount`*:: + -- -This is used to capture entropy vale of a file - -type: double +The disk volume path. -- -*`rsa.file.file_vendor`*:: +*`santa.certificate.common_name`*:: + -- -This is used to capture Company name of file located in version_info +Common name from code signing certificate. type: keyword -- -*`rsa.file.task_name`*:: +*`santa.certificate.sha256`*:: + -- -This is used to capture name of the task +SHA256 hash of code signing certificate. type: keyword -- +[[exported-fields-snort]] +== Snort/Sourcefire fields -*`rsa.web.fqdn`*:: +snort fields. + + + +*`network.interface.name`*:: + -- -Fully Qualified Domain Names +Name of the network interface where the traffic has been observed. + type: keyword -- -*`rsa.web.web_cookie`*:: + + +*`rsa.internal.msg`*:: + -- -This key is used to capture the Web cookies specifically. +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`rsa.web.alias_host`*:: +*`rsa.internal.messageid`*:: + -- type: keyword -- -*`rsa.web.reputation_num`*:: +*`rsa.internal.event_desc`*:: + -- -Reputation Number of an entity. Typically used for Web Domains - -type: double +type: keyword -- -*`rsa.web.web_ref_domain`*:: +*`rsa.internal.message`*:: + -- -Web referer's domain +This key captures the contents of instant messages type: keyword -- -*`rsa.web.web_ref_query`*:: +*`rsa.internal.time`*:: + -- -This key captures Web referer's query portion of the URL +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -type: keyword +type: date -- -*`rsa.web.remote_domain`*:: +*`rsa.internal.level`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.web.web_ref_page`*:: +*`rsa.internal.msg_id`*:: + -- -This key captures Web referer's page information +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.web.web_ref_root`*:: +*`rsa.internal.msg_vid`*:: + -- -Web referer's root URL path +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`rsa.internal.data`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`rsa.internal.obj_server`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.web.urlpage`*:: +*`rsa.internal.obj_val`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.web.urlroot`*:: +*`rsa.internal.resource`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.web.p_url`*:: +*`rsa.internal.obj_id`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.web.p_user_agent`*:: +*`rsa.internal.statement`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.web.p_web_cookie`*:: +*`rsa.internal.audit_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.web.p_web_method`*:: +*`rsa.internal.entry`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.web.p_web_referer`*:: +*`rsa.internal.hcode`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`rsa.internal.inode`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.web.web_page`*:: +*`rsa.internal.resource_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- - -*`rsa.threat.threat_category`*:: +*`rsa.internal.dead`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.threat.threat_desc`*:: +*`rsa.internal.feed_desc`*:: + -- -This key is used to capture the threat description from the session directly or inferred +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.threat.alert`*:: +*`rsa.internal.feed_name`*:: + -- -This key is used to capture name of the alert +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.threat.threat_source`*:: +*`rsa.internal.cid`*:: + -- -This key is used to capture source of the threat +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- - -*`rsa.crypto.crypto`*:: +*`rsa.internal.device_class`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`rsa.internal.device_group`*:: + -- -This key is for Source (Client) Cipher +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`rsa.internal.device_host`*:: + -- -This key is used to capture the Certificate organization only +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.crypto.peer`*:: +*`rsa.internal.device_ip`*:: + -- -This key is for Encryption peer's IP Address +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.crypto.cipher_size_src`*:: +*`rsa.internal.device_ipv6`*:: + -- -This key captures Source (Client) Cipher Size +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: ip -- -*`rsa.crypto.ike`*:: +*`rsa.internal.device_type`*:: + -- -IKE negotiation phase. +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.crypto.scheme`*:: +*`rsa.internal.device_type_id`*:: + -- -This key captures the Encryption scheme used +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.crypto.peer_id`*:: +*`rsa.internal.did`*:: + -- -This key is for Encryption peer’s identity +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.crypto.sig_type`*:: +*`rsa.internal.entropy_req`*:: + -- -This key captures the Signature Type +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`rsa.crypto.cert_issuer`*:: +*`rsa.internal.entropy_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`rsa.crypto.cert_host_name`*:: +*`rsa.internal.event_name`*:: + -- Deprecated key defined only in table map. @@ -101234,24895 +118646,24711 @@ type: keyword -- -*`rsa.crypto.cert_error`*:: +*`rsa.internal.feed_category`*:: + -- -This key captures the Certificate Error String +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`rsa.internal.forward_ip`*:: + -- -This key is for Destination (Server) Cipher +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: keyword +type: ip -- -*`rsa.crypto.cipher_size_dst`*:: +*`rsa.internal.forward_ipv6`*:: + -- -This key captures Destination (Server) Cipher Size +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: long +type: ip -- -*`rsa.crypto.ssl_ver_src`*:: +*`rsa.internal.header_id`*:: + -- -Deprecated, use version +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`rsa.internal.lc_cid`*:: + -- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.crypto.s_certauth`*:: +*`rsa.internal.lc_ctime`*:: + -- -type: keyword +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date -- -*`rsa.crypto.ike_cookie1`*:: +*`rsa.internal.mcb_req`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.crypto.ike_cookie2`*:: +*`rsa.internal.mcb_res`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.crypto.cert_checksum`*:: +*`rsa.internal.mcbc_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long -- -*`rsa.crypto.cert_host_cat`*:: +*`rsa.internal.mcbc_res`*:: + -- -This key is used for the hostname category value of a certificate +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.crypto.cert_serial`*:: +*`rsa.internal.medium`*:: + -- -This key is used to capture the Certificate serial number only +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session -type: keyword +type: long -- -*`rsa.crypto.cert_status`*:: +*`rsa.internal.node_name`*:: + -- -This key captures Certificate validation status +Deprecated key defined only in table map. type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -Deprecated, use version +This key denotes that event is endpoint related type: keyword -- -*`rsa.crypto.cert_keysize`*:: +*`rsa.internal.parse_error`*:: + -- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.crypto.cert_username`*:: +*`rsa.internal.payload_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`rsa.crypto.https_insact`*:: +*`rsa.internal.payload_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`rsa.crypto.https_valid`*:: +*`rsa.internal.process_vid_dst`*:: + -- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`rsa.internal.process_vid_src`*:: + -- -This key is used to capture the Certificate signing authority only +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- -*`rsa.crypto.cert_common`*:: +*`rsa.internal.rid`*:: + -- -This key is used to capture the Certificate common name only +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- - -*`rsa.wireless.wlan_ssid`*:: +*`rsa.internal.session_split`*:: + -- -This key is used to capture the ssid of a Wireless Session +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.wireless.access_point`*:: +*`rsa.internal.site`*:: + -- -This key is used to capture the access point name. +Deprecated key defined only in table map. type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`rsa.internal.size`*:: + -- -This is used to capture the channel names +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: long -- -*`rsa.wireless.wlan_name`*:: +*`rsa.internal.sourcefile`*:: + -- -This key captures either WLAN number/name +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- - -*`rsa.storage.disk_volume`*:: +*`rsa.internal.ubc_req`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.storage.lun`*:: +*`rsa.internal.ubc_res`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.storage.pwwn`*:: +*`rsa.internal.word`*:: + -- -This uniquely identifies a port on a HBA. +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -*`rsa.physical.org_dst`*:: +*`rsa.time.event_time`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`rsa.physical.org_src`*:: +*`rsa.time.duration_time`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. +This key is used to capture the normalized duration/lifetime in seconds. -type: keyword +type: double -- - -*`rsa.healthcare.patient_fname`*:: +*`rsa.time.event_time_str`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`rsa.healthcare.patient_id`*:: +*`rsa.time.starttime`*:: + -- -This key captures the unique ID for a patient +This key is used to capture the Start time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.healthcare.patient_lname`*:: +*`rsa.time.month`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.healthcare.patient_mname`*:: +*`rsa.time.day`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`rsa.time.endtime`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +This key is used to capture the End time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.endpoint.registry_key`*:: +*`rsa.time.timezone`*:: + -- -This key captures the path to the registry key +This key is used to capture the timezone of the Event Time type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`rsa.time.duration_str`*:: + -- -This key captures values or decorators used within a registry entry +A text string version of the duration type: keyword -- -[[exported-fields-nginx]] -== Nginx fields - -Module for parsing the Nginx log files. - - - -[float] -=== nginx - -Fields from the Nginx log files. - - - -[float] -=== access - -Contains fields for the Nginx access logs. - - - -*`nginx.access.remote_ip_list`*:: +*`rsa.time.date`*:: + -- -An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. - - -type: array +type: keyword -- -*`nginx.access.body_sent.bytes`*:: +*`rsa.time.year`*:: + -- -type: alias - -alias to: http.response.body.bytes +type: keyword -- -*`nginx.access.user_name`*:: +*`rsa.time.recorded_time`*:: + -- -type: alias +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -alias to: user.name +type: date -- -*`nginx.access.method`*:: +*`rsa.time.datetime`*:: + -- -type: alias - -alias to: http.request.method +type: keyword -- -*`nginx.access.url`*:: +*`rsa.time.effective_time`*:: + -- -type: alias +This key is the effective time referenced by an individual event in a Standard Timestamp format -alias to: url.original +type: date -- -*`nginx.access.http_version`*:: +*`rsa.time.expire_time`*:: + -- -type: alias +This key is the timestamp that explicitly refers to an expiration. -alias to: http.version +type: date -- -*`nginx.access.response_code`*:: +*`rsa.time.process_time`*:: + -- -type: alias +Deprecated, use duration.time -alias to: http.response.status_code +type: keyword -- -*`nginx.access.referrer`*:: +*`rsa.time.hour`*:: + -- -type: alias - -alias to: http.request.referrer +type: keyword -- -*`nginx.access.agent`*:: +*`rsa.time.min`*:: + -- -type: alias - -alias to: user_agent.original +type: keyword -- - -*`nginx.access.user_agent.device`*:: +*`rsa.time.timestamp`*:: + -- -type: alias - -alias to: user_agent.device.name +type: keyword -- -*`nginx.access.user_agent.name`*:: +*`rsa.time.event_queue_time`*:: + -- -type: alias +This key is the Time that the event was queued. -alias to: user_agent.name +type: date -- -*`nginx.access.user_agent.os`*:: +*`rsa.time.p_time1`*:: + -- -type: alias - -alias to: user_agent.os.full_name +type: keyword -- -*`nginx.access.user_agent.os_name`*:: +*`rsa.time.tzone`*:: + -- -type: alias - -alias to: user_agent.os.name +type: keyword -- -*`nginx.access.user_agent.original`*:: +*`rsa.time.eventtime`*:: + -- -type: alias - -alias to: user_agent.original +type: keyword -- - -*`nginx.access.geoip.continent_name`*:: +*`rsa.time.gmtdate`*:: + -- -type: alias - -alias to: source.geo.continent_name +type: keyword -- -*`nginx.access.geoip.country_iso_code`*:: +*`rsa.time.gmttime`*:: + -- -type: alias - -alias to: source.geo.country_iso_code +type: keyword -- -*`nginx.access.geoip.location`*:: +*`rsa.time.p_date`*:: + -- -type: alias - -alias to: source.geo.location +type: keyword -- -*`nginx.access.geoip.region_name`*:: +*`rsa.time.p_month`*:: + -- -type: alias - -alias to: source.geo.region_name +type: keyword -- -*`nginx.access.geoip.city_name`*:: +*`rsa.time.p_time`*:: + -- -type: alias - -alias to: source.geo.city_name +type: keyword -- -*`nginx.access.geoip.region_iso_code`*:: +*`rsa.time.p_time2`*:: + -- -type: alias - -alias to: source.geo.region_iso_code +type: keyword -- -[float] -=== error - -Contains fields for the Nginx error logs. - - - -*`nginx.error.connection_id`*:: +*`rsa.time.p_year`*:: + -- -Connection identifier. - - -type: long +type: keyword -- -*`nginx.error.level`*:: +*`rsa.time.expire_time_str`*:: + -- -type: alias +This key is used to capture incomplete timestamp that explicitly refers to an expiration. -alias to: log.level +type: keyword -- -*`nginx.error.pid`*:: +*`rsa.time.stamp`*:: + -- -type: alias +Deprecated key defined only in table map. -alias to: process.pid +type: date -- -*`nginx.error.tid`*:: + +*`rsa.misc.action`*:: + -- -type: alias - -alias to: process.thread.id +type: keyword -- -*`nginx.error.message`*:: +*`rsa.misc.result`*:: + -- -type: alias +This key is used to capture the outcome/result string value of an action in a session. -alias to: message +type: keyword -- -[float] -=== ingress_controller - -Contains fields for the Ingress Nginx controller access logs. - - - -*`nginx.ingress_controller.remote_ip_list`*:: +*`rsa.misc.severity`*:: + -- -An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. - +This key is used to capture the severity given the session -type: array +type: keyword -- -*`nginx.ingress_controller.http.request.length`*:: +*`rsa.misc.event_type`*:: + -- -The request length (including request line, header, and request body) - - -type: long +This key captures the event category type as specified by the event source. -format: bytes +type: keyword -- -*`nginx.ingress_controller.http.request.time`*:: +*`rsa.misc.reference_id`*:: + -- -Time elapsed since the first bytes were read from the client - - -type: double +This key is used to capture an event id from the session directly -format: duration +type: keyword -- -*`nginx.ingress_controller.upstream.name`*:: +*`rsa.misc.version`*:: + -- -The name of the upstream. - +This key captures Version of the application or OS which is generating the event. type: keyword -- -*`nginx.ingress_controller.upstream.alternative_name`*:: +*`rsa.misc.disposition`*:: + -- -The name of the alternative upstream. - +This key captures the The end state of an action. type: keyword -- -*`nginx.ingress_controller.upstream.response.length`*:: +*`rsa.misc.result_code`*:: + -- -The length of the response obtained from the upstream server - - -type: long +This key is used to capture the outcome/result numeric value of an action in a session -format: bytes +type: keyword -- -*`nginx.ingress_controller.upstream.response.time`*:: +*`rsa.misc.category`*:: + -- -The time spent on receiving the response from the upstream server as seconds with millisecond resolution - - -type: double +This key is used to capture the category of an event given by the vendor in the session -format: duration +type: keyword -- -*`nginx.ingress_controller.upstream.response.status_code`*:: +*`rsa.misc.obj_name`*:: + -- -The status code of the response obtained from the upstream server - +This is used to capture name of object -type: long +type: keyword -- -*`nginx.ingress_controller.http.request.id`*:: +*`rsa.misc.obj_type`*:: + -- -The randomly generated ID of the request - +This is used to capture type of object type: keyword -- -*`nginx.ingress_controller.upstream.ip`*:: +*`rsa.misc.event_source`*:: + -- -The IP address of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas. - +This key captures Source of the event that’s not a hostname -type: ip +type: keyword -- -*`nginx.ingress_controller.upstream.port`*:: +*`rsa.misc.log_session_id`*:: + -- -The port of the upstream server. - +This key is used to capture a sessionid from the session directly -type: long +type: keyword -- -*`nginx.ingress_controller.body_sent.bytes`*:: +*`rsa.misc.group`*:: + -- -type: alias +This key captures the Group Name value -alias to: http.response.body.bytes +type: keyword -- -*`nginx.ingress_controller.user_name`*:: +*`rsa.misc.policy_name`*:: + -- -type: alias +This key is used to capture the Policy Name only. -alias to: user.name +type: keyword -- -*`nginx.ingress_controller.method`*:: +*`rsa.misc.rule_name`*:: + -- -type: alias +This key captures the Rule Name -alias to: http.request.method +type: keyword -- -*`nginx.ingress_controller.url`*:: +*`rsa.misc.context`*:: + -- -type: alias +This key captures Information which adds additional context to the event. -alias to: url.original +type: keyword -- -*`nginx.ingress_controller.http_version`*:: +*`rsa.misc.change_new`*:: + -- -type: alias +This key is used to capture the new values of the attribute that’s changing in a session -alias to: http.version +type: keyword -- -*`nginx.ingress_controller.response_code`*:: +*`rsa.misc.space`*:: + -- -type: alias - -alias to: http.response.status_code +type: keyword -- -*`nginx.ingress_controller.referrer`*:: +*`rsa.misc.client`*:: + -- -type: alias +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. -alias to: http.request.referrer +type: keyword -- -*`nginx.ingress_controller.agent`*:: +*`rsa.misc.msgIdPart1`*:: + -- -type: alias - -alias to: user_agent.original +type: keyword -- - -*`nginx.ingress_controller.user_agent.device`*:: +*`rsa.misc.msgIdPart2`*:: + -- -type: alias - -alias to: user_agent.device.name +type: keyword -- -*`nginx.ingress_controller.user_agent.name`*:: +*`rsa.misc.change_old`*:: + -- -type: alias +This key is used to capture the old value of the attribute that’s changing in a session -alias to: user_agent.name +type: keyword -- -*`nginx.ingress_controller.user_agent.os`*:: +*`rsa.misc.operation_id`*:: + -- -type: alias +An alert number or operation number. The values should be unique and non-repeating. -alias to: user_agent.os.full_name +type: keyword -- -*`nginx.ingress_controller.user_agent.os_name`*:: +*`rsa.misc.event_state`*:: + -- -type: alias +This key captures the current state of the object/item referenced within the event. Describing an on-going event. -alias to: user_agent.os.name +type: keyword -- -*`nginx.ingress_controller.user_agent.original`*:: +*`rsa.misc.group_object`*:: + -- -type: alias +This key captures a collection/grouping of entities. Specific usage -alias to: user_agent.original +type: keyword -- - -*`nginx.ingress_controller.geoip.continent_name`*:: +*`rsa.misc.node`*:: + -- -type: alias +Common use case is the node name within a cluster. The cluster name is reflected by the host name. -alias to: source.geo.continent_name +type: keyword -- -*`nginx.ingress_controller.geoip.country_iso_code`*:: +*`rsa.misc.rule`*:: + -- -type: alias +This key captures the Rule number -alias to: source.geo.country_iso_code +type: keyword -- -*`nginx.ingress_controller.geoip.location`*:: +*`rsa.misc.device_name`*:: + -- -type: alias +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc -alias to: source.geo.location +type: keyword -- -*`nginx.ingress_controller.geoip.region_name`*:: +*`rsa.misc.param`*:: + -- -type: alias +This key is the parameters passed as part of a command or application, etc. -alias to: source.geo.region_name +type: keyword -- -*`nginx.ingress_controller.geoip.city_name`*:: +*`rsa.misc.change_attrib`*:: + -- -type: alias +This key is used to capture the name of the attribute that’s changing in a session -alias to: source.geo.city_name +type: keyword -- -*`nginx.ingress_controller.geoip.region_iso_code`*:: +*`rsa.misc.event_computer`*:: + -- -type: alias +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. -alias to: source.geo.region_iso_code +type: keyword -- -[[exported-fields-o365]] -== Office 365 fields - -Module for handling logs from Office 365. - - - -[float] -=== o365.audit - -Fields from Office 365 Management API audit logs. +*`rsa.misc.reference_id1`*:: ++ +-- +This key is for Linked ID to be used as an addition to "reference.id" +type: keyword +-- -*`o365.audit.Actor`*:: +*`rsa.misc.event_log`*:: + -- -type: array +This key captures the Name of the event log + +type: keyword -- -*`o365.audit.ActorContextId`*:: +*`rsa.misc.OS`*:: + -- +This key captures the Name of the Operating System + type: keyword -- -*`o365.audit.ActorIpAddress`*:: +*`rsa.misc.terminal`*:: + -- +This key captures the Terminal Names only + type: keyword -- -*`o365.audit.ActorUserId`*:: +*`rsa.misc.msgIdPart3`*:: + -- type: keyword -- -*`o365.audit.ActorYammerUserId`*:: +*`rsa.misc.filter`*:: + -- +This key captures Filter used to reduce result set + type: keyword -- -*`o365.audit.AlertEntityId`*:: +*`rsa.misc.serial_number`*:: + -- +This key is the Serial number associated with a physical asset. + type: keyword -- -*`o365.audit.AlertId`*:: +*`rsa.misc.checksum`*:: + -- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + type: keyword -- -*`o365.audit.AlertLinks`*:: +*`rsa.misc.event_user`*:: + -- -type: array +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + +type: keyword -- -*`o365.audit.AlertType`*:: +*`rsa.misc.virusname`*:: + -- +This key captures the name of the virus + type: keyword -- -*`o365.audit.AppId`*:: +*`rsa.misc.content_type`*:: + -- +This key is used to capture Content Type only. + type: keyword -- -*`o365.audit.ApplicationDisplayName`*:: +*`rsa.misc.group_id`*:: + -- +This key captures Group ID Number (related to the group name) + type: keyword -- -*`o365.audit.ApplicationId`*:: +*`rsa.misc.policy_id`*:: + -- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + type: keyword -- -*`o365.audit.AzureActiveDirectoryEventType`*:: +*`rsa.misc.vsys`*:: + -- +This key captures Virtual System Name + type: keyword -- -*`o365.audit.ExchangeMetaData.*`*:: +*`rsa.misc.connection_id`*:: + -- -type: object +This key captures the Connection ID + +type: keyword -- -*`o365.audit.Category`*:: +*`rsa.misc.reference_id2`*:: + -- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + type: keyword -- -*`o365.audit.ClientAppId`*:: +*`rsa.misc.sensor`*:: + -- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + type: keyword -- -*`o365.audit.ClientInfoString`*:: +*`rsa.misc.sig_id`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID + +type: long -- -*`o365.audit.ClientIP`*:: +*`rsa.misc.port_name`*:: + -- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + type: keyword -- -*`o365.audit.ClientIPAddress`*:: +*`rsa.misc.rule_group`*:: + -- +This key captures the Rule group name + type: keyword -- -*`o365.audit.Comments`*:: +*`rsa.misc.risk_num`*:: + -- -type: text +This key captures a Numeric Risk value + +type: double -- -*`o365.audit.CorrelationId`*:: +*`rsa.misc.trigger_val`*:: + -- +This key captures the Value of the trigger or threshold condition. + type: keyword -- -*`o365.audit.CreationTime`*:: +*`rsa.misc.log_session_id1`*:: + -- +This key is used to capture a Linked (Related) Session ID from the session directly + type: keyword -- -*`o365.audit.CustomUniqueId`*:: +*`rsa.misc.comp_version`*:: + -- +This key captures the Version level of a sub-component of a product. + type: keyword -- -*`o365.audit.Data`*:: +*`rsa.misc.content_version`*:: + -- +This key captures Version level of a signature or database content. + type: keyword -- -*`o365.audit.DataType`*:: +*`rsa.misc.hardware_id`*:: + -- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + type: keyword -- -*`o365.audit.EntityType`*:: +*`rsa.misc.risk`*:: + -- +This key captures the non-numeric risk value + type: keyword -- -*`o365.audit.EventData`*:: +*`rsa.misc.event_id`*:: + -- type: keyword -- -*`o365.audit.EventSource`*:: +*`rsa.misc.reason`*:: + -- type: keyword -- -*`o365.audit.ExceptionInfo.*`*:: +*`rsa.misc.status`*:: + -- -type: object +type: keyword -- -*`o365.audit.ExtendedProperties.*`*:: +*`rsa.misc.mail_id`*:: + -- -type: object +This key is used to capture the mailbox id/name + +type: keyword -- -*`o365.audit.ExternalAccess`*:: +*`rsa.misc.rule_uid`*:: + -- +This key is the Unique Identifier for a rule. + type: keyword -- -*`o365.audit.GroupName`*:: +*`rsa.misc.trigger_desc`*:: + -- +This key captures the Description of the trigger or threshold condition. + type: keyword -- -*`o365.audit.Id`*:: +*`rsa.misc.inout`*:: + -- type: keyword -- -*`o365.audit.ImplicitShare`*:: +*`rsa.misc.p_msgid`*:: + -- type: keyword -- -*`o365.audit.IncidentId`*:: +*`rsa.misc.data_type`*:: + -- type: keyword -- -*`o365.audit.InternalLogonType`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- -*`o365.audit.InterSystemsId`*:: +*`rsa.misc.error`*:: + -- +This key captures All non successful Error codes or responses + type: keyword -- -*`o365.audit.IntraSystemId`*:: +*`rsa.misc.index`*:: + -- type: keyword -- -*`o365.audit.Item.*`*:: +*`rsa.misc.listnum`*:: + -- -type: object +This key is used to capture listname or listnumber, primarily for collecting access-list + +type: keyword -- -*`o365.audit.Item.*.*`*:: +*`rsa.misc.ntype`*:: + -- -type: object +type: keyword -- -*`o365.audit.ItemName`*:: +*`rsa.misc.observed_val`*:: + -- +This key captures the Value observed (from the perspective of the device generating the log). + type: keyword -- -*`o365.audit.ItemType`*:: +*`rsa.misc.policy_value`*:: + -- +This key captures the contents of the policy. This contains details about the policy + type: keyword -- -*`o365.audit.ListId`*:: +*`rsa.misc.pool_name`*:: + -- +This key captures the name of a resource pool + type: keyword -- -*`o365.audit.ListItemUniqueId`*:: +*`rsa.misc.rule_template`*:: + -- +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template + type: keyword -- -*`o365.audit.LogonError`*:: +*`rsa.misc.count`*:: + -- type: keyword -- -*`o365.audit.LogonType`*:: +*`rsa.misc.number`*:: + -- type: keyword -- -*`o365.audit.LogonUserSid`*:: +*`rsa.misc.sigcat`*:: + -- type: keyword -- -*`o365.audit.MailboxGuid`*:: +*`rsa.misc.type`*:: + -- type: keyword -- -*`o365.audit.MailboxOwnerMasterAccountSid`*:: +*`rsa.misc.comments`*:: + -- +Comment information provided in the log message + type: keyword -- -*`o365.audit.MailboxOwnerSid`*:: +*`rsa.misc.doc_number`*:: + -- -type: keyword +This key captures File Identification number + +type: long -- -*`o365.audit.MailboxOwnerUPN`*:: +*`rsa.misc.expected_val`*:: + -- +This key captures the Value expected (from the perspective of the device generating the log). + type: keyword -- -*`o365.audit.Members`*:: +*`rsa.misc.job_num`*:: + -- -type: array +This key captures the Job Number + +type: keyword -- -*`o365.audit.Members.*`*:: +*`rsa.misc.spi_dst`*:: + -- -type: object +Destination SPI Index + +type: keyword -- -*`o365.audit.ModifiedProperties.*.*`*:: +*`rsa.misc.spi_src`*:: + -- -type: object +Source SPI Index + +type: keyword -- -*`o365.audit.Name`*:: +*`rsa.misc.code`*:: + -- type: keyword -- -*`o365.audit.ObjectId`*:: +*`rsa.misc.agent_id`*:: + -- +This key is used to capture agent id + type: keyword -- -*`o365.audit.Operation`*:: +*`rsa.misc.message_body`*:: + -- +This key captures the The contents of the message body. + type: keyword -- -*`o365.audit.OrganizationId`*:: +*`rsa.misc.phone`*:: + -- type: keyword -- -*`o365.audit.OrganizationName`*:: +*`rsa.misc.sig_id_str`*:: + -- +This key captures a string object of the sigid variable. + type: keyword -- -*`o365.audit.OriginatingServer`*:: +*`rsa.misc.cmd`*:: + -- type: keyword -- -*`o365.audit.Parameters.*`*:: +*`rsa.misc.misc`*:: + -- -type: object +type: keyword -- -*`o365.audit.PolicyDetails`*:: +*`rsa.misc.name`*:: + -- -type: array +type: keyword -- -*`o365.audit.PolicyId`*:: +*`rsa.misc.cpu`*:: + -- -type: keyword +This key is the CPU time used in the execution of the event being recorded. + +type: long -- -*`o365.audit.RecordType`*:: +*`rsa.misc.event_desc`*:: + -- +This key is used to capture a description of an event available directly or inferred + type: keyword -- -*`o365.audit.ResultStatus`*:: +*`rsa.misc.sig_id1`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id + +type: long -- -*`o365.audit.SensitiveInfoDetectionIsIncluded`*:: +*`rsa.misc.im_buddyid`*:: + -- type: keyword -- -*`o365.audit.SharePointMetaData.*`*:: +*`rsa.misc.im_client`*:: + -- -type: object +type: keyword -- -*`o365.audit.SessionId`*:: +*`rsa.misc.im_userid`*:: + -- type: keyword -- -*`o365.audit.Severity`*:: +*`rsa.misc.pid`*:: + -- type: keyword -- -*`o365.audit.Site`*:: +*`rsa.misc.priority`*:: + -- type: keyword -- -*`o365.audit.SiteUrl`*:: +*`rsa.misc.context_subject`*:: + -- +This key is to be used in an audit context where the subject is the object being identified + type: keyword -- -*`o365.audit.Source`*:: +*`rsa.misc.context_target`*:: + -- type: keyword -- -*`o365.audit.SourceFileExtension`*:: +*`rsa.misc.cve`*:: + -- +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. + type: keyword -- -*`o365.audit.SourceFileName`*:: +*`rsa.misc.fcatnum`*:: + -- +This key captures Filter Category Number. Legacy Usage + type: keyword -- -*`o365.audit.SourceRelativeUrl`*:: +*`rsa.misc.library`*:: + -- +This key is used to capture library information in mainframe devices + type: keyword -- -*`o365.audit.Status`*:: +*`rsa.misc.parent_node`*:: + -- +This key captures the Parent Node Name. Must be related to node variable. + type: keyword -- -*`o365.audit.SupportTicketId`*:: +*`rsa.misc.risk_info`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`o365.audit.Target`*:: +*`rsa.misc.tcp_flags`*:: + -- -type: array +This key is captures the TCP flags set in any packet of session + +type: long -- -*`o365.audit.TargetContextId`*:: +*`rsa.misc.tos`*:: + -- -type: keyword +This key describes the type of service + +type: long -- -*`o365.audit.TargetUserOrGroupName`*:: +*`rsa.misc.vm_target`*:: + -- +VMWare Target **VMWARE** only varaible. + type: keyword -- -*`o365.audit.TargetUserOrGroupType`*:: +*`rsa.misc.workspace`*:: + -- +This key captures Workspace Description + type: keyword -- -*`o365.audit.TeamName`*:: +*`rsa.misc.command`*:: + -- type: keyword -- -*`o365.audit.TeamGuid`*:: +*`rsa.misc.event_category`*:: + -- type: keyword -- -*`o365.audit.UniqueSharingId`*:: +*`rsa.misc.facilityname`*:: + -- type: keyword -- -*`o365.audit.UserAgent`*:: +*`rsa.misc.forensic_info`*:: + -- type: keyword -- -*`o365.audit.UserId`*:: +*`rsa.misc.jobname`*:: + -- type: keyword -- -*`o365.audit.UserKey`*:: +*`rsa.misc.mode`*:: + -- type: keyword -- -*`o365.audit.UserType`*:: +*`rsa.misc.policy`*:: + -- type: keyword -- -*`o365.audit.Version`*:: +*`rsa.misc.policy_waiver`*:: + -- type: keyword -- -*`o365.audit.WebId`*:: +*`rsa.misc.second`*:: + -- type: keyword -- -*`o365.audit.Workload`*:: +*`rsa.misc.space1`*:: + -- type: keyword -- -*`o365.audit.YammerNetworkId`*:: +*`rsa.misc.subcategory`*:: + -- type: keyword -- -[[exported-fields-okta]] -== Okta fields - -Module for handling system logs from Okta. - - - -[float] -=== okta - -Fields from Okta. - - - -*`okta.uuid`*:: +*`rsa.misc.tbdstr2`*:: + -- -The unique identifier of the Okta LogEvent. - - type: keyword -- -*`okta.event_type`*:: +*`rsa.misc.alert_id`*:: + -- -The type of the LogEvent. - +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`okta.version`*:: +*`rsa.misc.checksum_dst`*:: + -- -The version of the LogEvent. - +This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -- -*`okta.severity`*:: +*`rsa.misc.checksum_src`*:: + -- -The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. - +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`okta.display_message`*:: +*`rsa.misc.fresult`*:: + -- -The display message of the LogEvent. - +This key captures the Filter Result -type: keyword +type: long -- -[float] -=== actor - -Fields that let you store information of the actor for the LogEvent. - - - -*`okta.actor.id`*:: +*`rsa.misc.payload_dst`*:: + -- -Identifier of the actor. - +This key is used to capture destination payload type: keyword -- -*`okta.actor.type`*:: +*`rsa.misc.payload_src`*:: + -- -Type of the actor. - +This key is used to capture source payload type: keyword -- -*`okta.actor.alternate_id`*:: +*`rsa.misc.pool_id`*:: + -- -Alternate identifier of the actor. - +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`okta.actor.display_name`*:: +*`rsa.misc.process_id_val`*:: + -- -Display name of the actor. - +This key is a failure key for Process ID when it is not an integer value type: keyword -- -[float] -=== client - -Fields that let you store information about the client of the actor. - - - -*`okta.client.ip`*:: +*`rsa.misc.risk_num_comm`*:: + -- -The IP address of the client. - +This key captures Risk Number Community -type: ip +type: double -- -[float] -=== user_agent - -Fields about the user agent information of the client. - - - -*`okta.client.user_agent.raw_user_agent`*:: +*`rsa.misc.risk_num_next`*:: + -- -The raw informaton of the user agent. - +This key captures Risk Number NextGen -type: keyword +type: double -- -*`okta.client.user_agent.os`*:: +*`rsa.misc.risk_num_sand`*:: + -- -The OS informaton. - +This key captures Risk Number SandBox -type: keyword +type: double -- -*`okta.client.user_agent.browser`*:: +*`rsa.misc.risk_num_static`*:: + -- -The browser informaton of the client. - +This key captures Risk Number Static -type: keyword +type: double -- -*`okta.client.zone`*:: +*`rsa.misc.risk_suspicious`*:: + -- -The zone information of the client. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`okta.client.device`*:: +*`rsa.misc.risk_warning`*:: + -- -The information of the client device. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`okta.client.id`*:: +*`rsa.misc.snmp_oid`*:: + -- -The identifier of the client. - +SNMP Object Identifier type: keyword -- -[float] -=== outcome - -Fields that let you store information about the outcome. - - - -*`okta.outcome.reason`*:: +*`rsa.misc.sql`*:: + -- -The reason of the outcome. - +This key captures the SQL query type: keyword -- -*`okta.outcome.result`*:: +*`rsa.misc.vuln_ref`*:: + -- -The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. - +This key captures the Vulnerability Reference details type: keyword -- -*`okta.target`*:: +*`rsa.misc.acl_id`*:: + -- -The list of targets. - - -type: array +type: keyword -- -[float] -=== transaction - -Fields that let you store information about related transaction. - - - -*`okta.transaction.id`*:: +*`rsa.misc.acl_op`*:: + -- -Identifier of the transaction. - - type: keyword -- -*`okta.transaction.type`*:: +*`rsa.misc.acl_pos`*:: + -- -The type of transaction. Must be one of "WEB", "JOB". - - type: keyword -- -[float] -=== debug_context - -Fields that let you store information about the debug context. - - - -[float] -=== debug_data - -The debug data. - - - -*`okta.debug_context.debug_data.device_fingerprint`*:: +*`rsa.misc.acl_table`*:: + -- -The fingerprint of the device. - - type: keyword -- -*`okta.debug_context.debug_data.request_id`*:: +*`rsa.misc.admin`*:: + -- -The identifier of the request. - - type: keyword -- -*`okta.debug_context.debug_data.request_uri`*:: +*`rsa.misc.alarm_id`*:: + -- -The request URI. - - type: keyword -- -*`okta.debug_context.debug_data.threat_suspected`*:: +*`rsa.misc.alarmname`*:: + -- -Threat suspected. - - type: keyword -- -*`okta.debug_context.debug_data.url`*:: +*`rsa.misc.app_id`*:: + -- -The URL. - - type: keyword -- -[float] -=== authentication_context - -Fields that let you store information about authentication context. - - - -*`okta.authentication_context.authentication_provider`*:: +*`rsa.misc.audit`*:: + -- -The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. - - type: keyword -- -*`okta.authentication_context.authentication_step`*:: +*`rsa.misc.audit_object`*:: + -- -The authentication step. - - -type: integer +type: keyword -- -*`okta.authentication_context.credential_provider`*:: +*`rsa.misc.auditdata`*:: + -- -The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. - - type: keyword -- -*`okta.authentication_context.credential_type`*:: +*`rsa.misc.benchmark`*:: + -- -The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. - - type: keyword -- -*`okta.authentication_context.issuer`*:: +*`rsa.misc.bypass`*:: + -- -The information about the issuer. - - -type: array +type: keyword -- -*`okta.authentication_context.external_session_id`*:: +*`rsa.misc.cache`*:: + -- -The session identifer of the external session if any. - - type: keyword -- -*`okta.authentication_context.interface`*:: +*`rsa.misc.cache_hit`*:: + -- -The interface used. e.g., Outlook, Office365, wsTrust - - type: keyword -- -[float] -=== security_context - -Fields that let you store information about security context. - - - -[float] -=== as - -The autonomous system. - - - -*`okta.security_context.as.number`*:: +*`rsa.misc.cefversion`*:: + -- -The AS number. - - -type: integer +type: keyword -- -[float] -=== organization - -The organization that owns the AS number. - - - -*`okta.security_context.as.organization.name`*:: +*`rsa.misc.cfg_attr`*:: + -- -The organization name. - - type: keyword -- -*`okta.security_context.isp`*:: +*`rsa.misc.cfg_obj`*:: + -- -The Internet Service Provider. - - type: keyword -- -*`okta.security_context.domain`*:: +*`rsa.misc.cfg_path`*:: + -- -The domain name. - - type: keyword -- -*`okta.security_context.is_proxy`*:: +*`rsa.misc.changes`*:: + -- -Whether it is a proxy or not. - - -type: boolean +type: keyword -- -[float] -=== request - -Fields that let you store information about the request, in the form of list of ip_chain. - - - -[float] -=== ip_chain - -List of ip_chain objects. - - - -*`okta.request.ip_chain.ip`*:: +*`rsa.misc.client_ip`*:: + -- -IP address. - - -type: ip +type: keyword -- -*`okta.request.ip_chain.version`*:: +*`rsa.misc.clustermembers`*:: + -- -IP version. Must be one of V4, V6. - - type: keyword -- -*`okta.request.ip_chain.source`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -Source information. - - type: keyword -- -[float] -=== geographical_context - -Geographical information. - - - -*`okta.request.ip_chain.geographical_context.city`*:: +*`rsa.misc.cn_asn_src`*:: + -- -The city. - type: keyword -- -*`okta.request.ip_chain.geographical_context.state`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -The state. - type: keyword -- -*`okta.request.ip_chain.geographical_context.postal_code`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -The postal code. - type: keyword -- -*`okta.request.ip_chain.geographical_context.country`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -The country. - type: keyword -- -*`okta.request.ip_chain.geographical_context.geolocation`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -Geolocation information. - - -type: geo_point +type: keyword -- -[[exported-fields-osquery]] -== Osquery fields - -Fields exported by the `osquery` module - - - -[float] -=== osquery - - - - -[float] -=== result - -Common fields exported by the result metricset. - - - -*`osquery.result.name`*:: +*`rsa.misc.cn_engine_id`*:: + -- -The name of the query that generated this event. - - type: keyword -- -*`osquery.result.action`*:: +*`rsa.misc.cn_engine_type`*:: + -- -For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot". - - type: keyword -- -*`osquery.result.host_identifier`*:: +*`rsa.misc.cn_f_switch`*:: + -- -The identifier for the host on which the osquery agent is running. Normally the hostname. - - type: keyword -- -*`osquery.result.unix_time`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column. - - -type: long +type: keyword -- -*`osquery.result.calendar_time`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -String representation of the collection time, as formatted by osquery. - - type: keyword -- -[[exported-fields-panw]] -== panw fields - -Module for Palo Alto Networks (PAN-OS) - - - -[float] -=== panw - -Fields from the panw module. - - - -[float] -=== panos - -Fields for the Palo Alto Networks PAN-OS logs. - - - -*`panw.panos.ruleset`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -Name of the rule that matched this session. - - type: keyword -- -[float] -=== source - -Fields to extend the top-level source object. - - - -*`panw.panos.source.zone`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -Source zone for this session. - - type: keyword -- -*`panw.panos.source.interface`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -Source interface for this session. - - type: keyword -- -[float] -=== nat - -Post-NAT source address, if source NAT is performed. - - - -*`panw.panos.source.nat.ip`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -Post-NAT source IP. - - -type: ip +type: keyword -- -*`panw.panos.source.nat.port`*:: +*`rsa.misc.cn_invalid`*:: + -- -Post-NAT source port. - - -type: long +type: keyword -- -[float] -=== destination - -Fields to extend the top-level destination object. - - - -*`panw.panos.destination.zone`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -Destination zone for this session. - - type: keyword -- -*`panw.panos.destination.interface`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -Destination interface for this session. - - type: keyword -- -[float] -=== nat - -Post-NAT destination address, if destination NAT is performed. - - - -*`panw.panos.destination.nat.ip`*:: +*`rsa.misc.cn_l_switch`*:: + -- -Post-NAT destination IP. - - -type: ip +type: keyword -- -*`panw.panos.destination.nat.port`*:: +*`rsa.misc.cn_log_did`*:: + -- -Post-NAT destination port. - - -type: long +type: keyword -- -[float] -=== network - -Fields to extend the top-level network object. - - - -*`panw.panos.network.pcap_id`*:: +*`rsa.misc.cn_log_rid`*:: + -- -Packet capture ID for a threat. - - type: keyword -- - -*`panw.panos.network.nat.community_id`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -Community ID flow-hash for the NAT 5-tuple. - - type: keyword -- -[float] -=== file - -Fields to extend the top-level file object. - - - -*`panw.panos.file.hash`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -Binary hash for a threat file sent to be analyzed by the WildFire service. - - type: keyword -- -[float] -=== url - -Fields to extend the top-level url object. - - - -*`panw.panos.url.category`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. - - type: keyword -- -*`panw.panos.flow_id`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -Internal numeric identifier for each session. - - type: keyword -- -*`panw.panos.sequence_number`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -Log entry identifier that is incremented sequentially. Unique for each log type. - - -type: long +type: keyword -- -*`panw.panos.threat.resource`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -URL or file name for a threat. - - type: keyword -- -*`panw.panos.threat.id`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -Palo Alto Networks identifier for the threat. - - type: keyword -- -*`panw.panos.threat.name`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -Palo Alto Networks name for the threat. - - type: keyword -- -*`panw.panos.action`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -Action taken for the session. - type: keyword -- -[[exported-fields-postgresql]] -== PostgreSQL fields - -Module for parsing the PostgreSQL log files. - - - -[float] -=== postgresql - -Fields from PostgreSQL logs. - - - -[float] -=== log - -Fields from the PostgreSQL log files. - - - -*`postgresql.log.timestamp`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- - -deprecated:[7.3.0] - -The timestamp from the log line. - +type: keyword -- -*`postgresql.log.core_id`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- -Core id - - -type: long +type: keyword -- -*`postgresql.log.database`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -Name of database - - -example: mydb +type: keyword -- -*`postgresql.log.query`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -Query statement. - - -example: SELECT * FROM users; +type: keyword -- -*`postgresql.log.query_step`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -Statement step when using extended query protocol (one of statement, parse, bind or execute) - - -example: parse +type: keyword -- -*`postgresql.log.query_name`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -Name given to a query when using extended query protocol. If it is "", or not present, this field is ignored. - - -example: pdo_stmt_00000001 +type: keyword -- -*`postgresql.log.error.code`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -Error code returned by Postgres (if any) - -type: long +type: keyword -- -*`postgresql.log.timezone`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -type: alias - -alias to: event.timezone +type: keyword -- -*`postgresql.log.thread_id`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -type: alias - -alias to: process.pid +type: keyword -- -*`postgresql.log.user`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -type: alias - -alias to: user.name +type: keyword -- -*`postgresql.log.level`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -type: alias - -alias to: log.level +type: keyword -- -*`postgresql.log.message`*:: +*`rsa.misc.cn_sampint`*:: + -- -type: alias - -alias to: message +type: keyword -- -[[exported-fields-process]] -== Process fields - -Process metadata fields - - - - -*`process.exe`*:: +*`rsa.misc.cn_seqctr`*:: + -- -type: alias - -alias to: process.executable +type: keyword -- -[[exported-fields-rabbitmq]] -== RabbitMQ fields - -RabbitMQ Module - - - -[float] -=== rabbitmq - - - - -[float] -=== log - -RabbitMQ log files - - - -*`rabbitmq.log.pid`*:: +*`rsa.misc.cn_spackets`*:: + -- -The Erlang process id - type: keyword -example: <0.222.0> - -- -[[exported-fields-radware]] -== Radware DefensePro fields - -radware fields. - - - -*`network.interface.name`*:: +*`rsa.misc.cn_src_tos`*:: + -- -Name of the network interface where the traffic has been observed. - - type: keyword -- - - -*`rsa.internal.msg`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder - type: keyword -- -*`rsa.internal.messageid`*:: +*`rsa.misc.cn_sysuptime`*:: + -- type: keyword -- -*`rsa.internal.event_desc`*:: +*`rsa.misc.cn_template_id`*:: + -- type: keyword -- -*`rsa.internal.message`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -This key captures the contents of instant messages - type: keyword -- -*`rsa.internal.time`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date +type: keyword -- -*`rsa.internal.level`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.msg_id`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.msg_vid`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.data`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_server`*:: +*`rsa.misc.comp_class`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_val`*:: +*`rsa.misc.comp_name`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.resource`*:: +*`rsa.misc.comp_rbytes`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_id`*:: +*`rsa.misc.comp_sbytes`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.statement`*:: +*`rsa.misc.cpu_data`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.audit_class`*:: +*`rsa.misc.criticality`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.entry`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.hcode`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.inode`*:: +*`rsa.misc.cs_av_other`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.resource_class`*:: +*`rsa.misc.cs_av_primary`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.dead`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.feed_desc`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.feed_name`*:: +*`rsa.misc.cs_bit9status`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.cid`*:: +*`rsa.misc.cs_context`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_class`*:: +*`rsa.misc.cs_control`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_group`*:: +*`rsa.misc.cs_data`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_host`*:: +*`rsa.misc.cs_datecret`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_ip`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_type`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_type_id`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.did`*:: +*`rsa.misc.cs_filetype`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.entropy_req`*:: +*`rsa.misc.cs_fld`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long +type: keyword -- -*`rsa.internal.entropy_res`*:: +*`rsa.misc.cs_if_desc`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long +type: keyword -- -*`rsa.internal.event_name`*:: +*`rsa.misc.cs_if_name`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.feed_category`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.forward_ip`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.header_id`*:: +*`rsa.misc.cs_lifetime`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_cid`*:: +*`rsa.misc.cs_log_medium`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_ctime`*:: +*`rsa.misc.cs_loginname`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`rsa.misc.cs_modulescore`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`rsa.misc.cs_modulesign`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcbc_req`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.mcbc_res`*:: +*`rsa.misc.cs_payload`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.medium`*:: +*`rsa.misc.cs_registrant`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long +type: keyword -- -*`rsa.internal.node_name`*:: +*`rsa.misc.cs_registrar`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`rsa.misc.cs_represult`*:: + -- -This key denotes that event is endpoint related - type: keyword -- -*`rsa.internal.parse_error`*:: +*`rsa.misc.cs_rpayload`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.payload_req`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.payload_res`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: +*`rsa.misc.cs_streams`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - type: keyword -- -*`rsa.internal.rid`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.session_split`*:: +*`rsa.misc.cs_whois_server`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.site`*:: +*`rsa.misc.cs_yararesult`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.size`*:: +*`rsa.misc.description`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.sourcefile`*:: +*`rsa.misc.devvendor`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.ubc_req`*:: +*`rsa.misc.distance`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`rsa.misc.dstburb`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.word`*:: +*`rsa.misc.edomain`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - type: keyword -- - -*`rsa.time.event_time`*:: +*`rsa.misc.edomaub`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date +type: keyword -- -*`rsa.time.duration_time`*:: +*`rsa.misc.euid`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. - -type: double +type: keyword -- -*`rsa.time.event_time_str`*:: +*`rsa.misc.facility`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string - type: keyword -- -*`rsa.time.starttime`*:: +*`rsa.misc.finterface`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.month`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`rsa.time.day`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`rsa.time.endtime`*:: +*`rsa.misc.id3`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.timezone`*:: +*`rsa.misc.im_buddyname`*:: + -- -This key is used to capture the timezone of the Event Time - type: keyword -- -*`rsa.time.duration_str`*:: +*`rsa.misc.im_croomid`*:: + -- -A text string version of the duration - type: keyword -- -*`rsa.time.date`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`rsa.time.year`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`rsa.time.recorded_time`*:: +*`rsa.misc.im_username`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date +type: keyword -- -*`rsa.time.datetime`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`rsa.time.effective_time`*:: +*`rsa.misc.ipscat`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date +type: keyword -- -*`rsa.time.expire_time`*:: +*`rsa.misc.ipspri`*:: + -- -This key is the timestamp that explicitly refers to an expiration. - -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`rsa.misc.latitude`*:: + -- -Deprecated, use duration.time - type: keyword -- -*`rsa.time.hour`*:: +*`rsa.misc.linenum`*:: + -- type: keyword -- -*`rsa.time.min`*:: +*`rsa.misc.list_name`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`rsa.misc.load_data`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`rsa.misc.location_floor`*:: + -- -This key is the Time that the event was queued. - -type: date +type: keyword -- -*`rsa.time.p_time1`*:: +*`rsa.misc.location_mark`*:: + -- type: keyword -- -*`rsa.time.tzone`*:: +*`rsa.misc.log_id`*:: + -- type: keyword -- -*`rsa.time.eventtime`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`rsa.time.gmtdate`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`rsa.time.gmttime`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`rsa.time.p_date`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`rsa.time.p_month`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`rsa.time.p_time`*:: +*`rsa.misc.lport`*:: + -- type: keyword -- -*`rsa.time.p_time2`*:: +*`rsa.misc.mbug_data`*:: + -- type: keyword -- -*`rsa.time.p_year`*:: +*`rsa.misc.misc_name`*:: + -- type: keyword -- -*`rsa.time.expire_time_str`*:: +*`rsa.misc.msg_type`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - type: keyword -- -*`rsa.time.stamp`*:: +*`rsa.misc.msgid`*:: + -- -Deprecated key defined only in table map. +type: keyword -type: date +-- +*`rsa.misc.netsessid`*:: ++ -- +type: keyword +-- -*`rsa.misc.action`*:: +*`rsa.misc.num`*:: + -- type: keyword -- -*`rsa.misc.result`*:: +*`rsa.misc.number1`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. - type: keyword -- -*`rsa.misc.severity`*:: +*`rsa.misc.number2`*:: + -- -This key is used to capture the severity given the session - type: keyword -- -*`rsa.misc.event_type`*:: +*`rsa.misc.nwwn`*:: + -- -This key captures the event category type as specified by the event source. - type: keyword -- -*`rsa.misc.reference_id`*:: +*`rsa.misc.object`*:: + -- -This key is used to capture an event id from the session directly - type: keyword -- -*`rsa.misc.version`*:: +*`rsa.misc.operation`*:: + -- -This key captures Version of the application or OS which is generating the event. - type: keyword -- -*`rsa.misc.disposition`*:: +*`rsa.misc.opkt`*:: + -- -This key captures the The end state of an action. - type: keyword -- -*`rsa.misc.result_code`*:: +*`rsa.misc.orig_from`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session - type: keyword -- -*`rsa.misc.category`*:: +*`rsa.misc.owner_id`*:: + -- -This key is used to capture the category of an event given by the vendor in the session - type: keyword -- -*`rsa.misc.obj_name`*:: +*`rsa.misc.p_action`*:: + -- -This is used to capture name of object - type: keyword -- -*`rsa.misc.obj_type`*:: +*`rsa.misc.p_filter`*:: + -- -This is used to capture type of object - type: keyword -- -*`rsa.misc.event_source`*:: +*`rsa.misc.p_group_object`*:: + -- -This key captures Source of the event that’s not a hostname - type: keyword -- -*`rsa.misc.log_session_id`*:: +*`rsa.misc.p_id`*:: + -- -This key is used to capture a sessionid from the session directly - type: keyword -- -*`rsa.misc.group`*:: +*`rsa.misc.p_msgid1`*:: + -- -This key captures the Group Name value - type: keyword -- -*`rsa.misc.policy_name`*:: +*`rsa.misc.p_msgid2`*:: + -- -This key is used to capture the Policy Name only. - type: keyword -- -*`rsa.misc.rule_name`*:: +*`rsa.misc.p_result1`*:: + -- -This key captures the Rule Name - type: keyword -- -*`rsa.misc.context`*:: +*`rsa.misc.password_chg`*:: + -- -This key captures Information which adds additional context to the event. - type: keyword -- -*`rsa.misc.change_new`*:: +*`rsa.misc.password_expire`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.space`*:: +*`rsa.misc.permgranted`*:: + -- type: keyword -- -*`rsa.misc.client`*:: +*`rsa.misc.permwanted`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - type: keyword -- -*`rsa.misc.msgIdPart1`*:: +*`rsa.misc.pgid`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart2`*:: +*`rsa.misc.policyUUID`*:: + -- type: keyword -- -*`rsa.misc.change_old`*:: +*`rsa.misc.prog_asp_num`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.operation_id`*:: +*`rsa.misc.program`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. - type: keyword -- -*`rsa.misc.event_state`*:: +*`rsa.misc.real_data`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - type: keyword -- -*`rsa.misc.group_object`*:: +*`rsa.misc.rec_asp_device`*:: + -- -This key captures a collection/grouping of entities. Specific usage - type: keyword -- -*`rsa.misc.node`*:: +*`rsa.misc.rec_asp_num`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - type: keyword -- -*`rsa.misc.rule`*:: +*`rsa.misc.rec_library`*:: + -- -This key captures the Rule number - type: keyword -- -*`rsa.misc.device_name`*:: +*`rsa.misc.recordnum`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - type: keyword -- -*`rsa.misc.param`*:: +*`rsa.misc.ruid`*:: + -- -This key is the parameters passed as part of a command or application, etc. - type: keyword -- -*`rsa.misc.change_attrib`*:: +*`rsa.misc.sburb`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.event_computer`*:: +*`rsa.misc.sdomain_fld`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - type: keyword -- -*`rsa.misc.reference_id1`*:: +*`rsa.misc.sec`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" - type: keyword -- -*`rsa.misc.event_log`*:: +*`rsa.misc.sensorname`*:: + -- -This key captures the Name of the event log - type: keyword -- -*`rsa.misc.OS`*:: +*`rsa.misc.seqnum`*:: + -- -This key captures the Name of the Operating System - type: keyword -- -*`rsa.misc.terminal`*:: +*`rsa.misc.session`*:: + -- -This key captures the Terminal Names only - type: keyword -- -*`rsa.misc.msgIdPart3`*:: +*`rsa.misc.sessiontype`*:: + -- type: keyword -- -*`rsa.misc.filter`*:: +*`rsa.misc.sigUUID`*:: + -- -This key captures Filter used to reduce result set - type: keyword -- -*`rsa.misc.serial_number`*:: +*`rsa.misc.spi`*:: + -- -This key is the Serial number associated with a physical asset. - type: keyword -- -*`rsa.misc.checksum`*:: +*`rsa.misc.srcburb`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.misc.srcdom`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - type: keyword -- -*`rsa.misc.virusname`*:: +*`rsa.misc.srcservice`*:: + -- -This key captures the name of the virus - type: keyword -- -*`rsa.misc.content_type`*:: +*`rsa.misc.state`*:: + -- -This key is used to capture Content Type only. - type: keyword -- -*`rsa.misc.group_id`*:: +*`rsa.misc.status1`*:: + -- -This key captures Group ID Number (related to the group name) - type: keyword -- -*`rsa.misc.policy_id`*:: +*`rsa.misc.svcno`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - type: keyword -- -*`rsa.misc.vsys`*:: +*`rsa.misc.system`*:: + -- -This key captures Virtual System Name - type: keyword -- -*`rsa.misc.connection_id`*:: +*`rsa.misc.tbdstr1`*:: + -- -This key captures the Connection ID - type: keyword -- -*`rsa.misc.reference_id2`*:: +*`rsa.misc.tgtdom`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.misc.tgtdomain`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.misc.threshold`*:: + -- -This key captures IDS/IPS Int Signature ID - -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.misc.type1`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.misc.udb_class`*:: + -- -This key captures the Rule group name - type: keyword -- -*`rsa.misc.risk_num`*:: +*`rsa.misc.url_fld`*:: + -- -This key captures a Numeric Risk value - -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.misc.user_div`*:: + -- -This key captures the Value of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.misc.userid`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly - type: keyword -- -*`rsa.misc.comp_version`*:: +*`rsa.misc.username_fld`*:: + -- -This key captures the Version level of a sub-component of a product. - type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.misc.utcstamp`*:: + -- -This key captures Version level of a signature or database content. - type: keyword -- -*`rsa.misc.hardware_id`*:: +*`rsa.misc.v_instafname`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - type: keyword -- -*`rsa.misc.risk`*:: +*`rsa.misc.virt_data`*:: + -- -This key captures the non-numeric risk value - type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.misc.autorun_type`*:: + -- +This is used to capture Auto Run type + type: keyword -- -*`rsa.misc.status`*:: +*`rsa.misc.cc_number`*:: + -- -type: keyword +Valid Credit Card Numbers only + +type: long -- -*`rsa.misc.mail_id`*:: +*`rsa.misc.content`*:: + -- -This key is used to capture the mailbox id/name +This key captures the content type from protocol headers type: keyword -- -*`rsa.misc.rule_uid`*:: +*`rsa.misc.ein_number`*:: + -- -This key is the Unique Identifier for a rule. +Employee Identification Numbers only -type: keyword +type: long -- -*`rsa.misc.trigger_desc`*:: +*`rsa.misc.found`*:: + -- -This key captures the Description of the trigger or threshold condition. +This is used to capture the results of regex match type: keyword -- -*`rsa.misc.inout`*:: +*`rsa.misc.language`*:: + -- +This is used to capture list of languages the client support and what it prefers + type: keyword -- -*`rsa.misc.p_msgid`*:: +*`rsa.misc.lifetime`*:: + -- -type: keyword +This key is used to capture the session lifetime in seconds. + +type: long -- -*`rsa.misc.data_type`*:: +*`rsa.misc.link`*:: + -- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.misc.match`*:: + -- +This key is for regex match name from search.ini + type: keyword -- -*`rsa.misc.error`*:: +*`rsa.misc.param_dst`*:: + -- -This key captures All non successful Error codes or responses +This key captures the command line/launch argument of the target process or file type: keyword -- -*`rsa.misc.index`*:: +*`rsa.misc.param_src`*:: + -- +This key captures source parameter + type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.misc.search_text`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list +This key captures the Search Text used type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.misc.sig_name`*:: + -- +This key is used to capture the Signature Name only. + type: keyword -- -*`rsa.misc.observed_val`*:: +*`rsa.misc.snmp_value`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). +SNMP set request value type: keyword -- -*`rsa.misc.policy_value`*:: +*`rsa.misc.streams`*:: + -- -This key captures the contents of the policy. This contains details about the policy +This key captures number of streams in session -type: keyword +type: long -- -*`rsa.misc.pool_name`*:: + +*`rsa.db.index`*:: + -- -This key captures the name of a resource pool +This key captures IndexID of the index. type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.db.instance`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template +This key is used to capture the database server instance name type: keyword -- -*`rsa.misc.count`*:: +*`rsa.db.database`*:: + -- +This key is used to capture the name of a database or an instance as seen in a session + type: keyword -- -*`rsa.misc.number`*:: +*`rsa.db.transact_id`*:: + -- +This key captures the SQL transantion ID of the current session + type: keyword -- -*`rsa.misc.sigcat`*:: +*`rsa.db.permissions`*:: + -- +This key captures permission or privilege level assigned to a resource. + type: keyword -- -*`rsa.misc.type`*:: +*`rsa.db.table_name`*:: + -- +This key is used to capture the table name + type: keyword -- -*`rsa.misc.comments`*:: +*`rsa.db.db_id`*:: + -- -Comment information provided in the log message +This key is used to capture the unique identifier for a database type: keyword -- -*`rsa.misc.doc_number`*:: +*`rsa.db.db_pid`*:: + -- -This key captures File Identification number +This key captures the process id of a connection with database server type: long -- -*`rsa.misc.expected_val`*:: +*`rsa.db.lread`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). +This key is used for the number of logical reads -type: keyword +type: long -- -*`rsa.misc.job_num`*:: +*`rsa.db.lwrite`*:: + -- -This key captures the Job Number +This key is used for the number of logical writes -type: keyword +type: long -- -*`rsa.misc.spi_dst`*:: +*`rsa.db.pread`*:: + -- -Destination SPI Index +This key is used for the number of physical writes -type: keyword +type: long -- -*`rsa.misc.spi_src`*:: + +*`rsa.network.alias_host`*:: + -- -Source SPI Index +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. type: keyword -- -*`rsa.misc.code`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`rsa.misc.agent_id`*:: +*`rsa.network.host_dst`*:: + -- -This key is used to capture agent id +This key should only be used when it’s a Destination Hostname type: keyword -- -*`rsa.misc.message_body`*:: +*`rsa.network.network_service`*:: + -- -This key captures the The contents of the message body. +This is used to capture layer 7 protocols/service names type: keyword -- -*`rsa.misc.phone`*:: +*`rsa.network.interface`*:: + -- +This key should be used when the source or destination context of an interface is not clear + type: keyword -- -*`rsa.misc.sig_id_str`*:: +*`rsa.network.network_port`*:: + -- -This key captures a string object of the sigid variable. +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -type: keyword +type: long -- -*`rsa.misc.cmd`*:: +*`rsa.network.eth_host`*:: + -- +Deprecated, use alias.mac + type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.network.sinterface`*:: + -- +This key should only be used when it’s a Source Interface + type: keyword -- -*`rsa.misc.name`*:: +*`rsa.network.dinterface`*:: + -- +This key should only be used when it’s a Destination Interface + type: keyword -- -*`rsa.misc.cpu`*:: +*`rsa.network.vlan`*:: + -- -This key is the CPU time used in the execution of the event being recorded. +This key should only be used to capture the ID of the Virtual LAN type: long -- -*`rsa.misc.event_desc`*:: +*`rsa.network.zone_src`*:: + -- -This key is used to capture a description of an event available directly or inferred +This key should only be used when it’s a Source Zone. type: keyword -- -*`rsa.misc.sig_id1`*:: +*`rsa.network.zone`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id +This key should be used when the source or destination context of a Zone is not clear -type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: +*`rsa.network.zone_dst`*:: + -- +This key should only be used when it’s a Destination Zone. + type: keyword -- -*`rsa.misc.im_client`*:: +*`rsa.network.gateway`*:: + -- +This key is used to capture the IP Address of the gateway + type: keyword -- -*`rsa.misc.im_userid`*:: +*`rsa.network.icmp_type`*:: + -- -type: keyword +This key is used to capture the ICMP type only + +type: long -- -*`rsa.misc.pid`*:: +*`rsa.network.mask`*:: + -- +This key is used to capture the device network IPmask. + type: keyword -- -*`rsa.misc.priority`*:: +*`rsa.network.icmp_code`*:: + -- -type: keyword +This key is used to capture the ICMP code only + +type: long -- -*`rsa.misc.context_subject`*:: +*`rsa.network.protocol_detail`*:: + -- -This key is to be used in an audit context where the subject is the object being identified +This key should be used to capture additional protocol information type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.network.dmask`*:: + -- +This key is used for Destionation Device network mask + type: keyword -- -*`rsa.misc.cve`*:: +*`rsa.network.port`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. +This key should only be used to capture a Network Port when the directionality is not clear -type: keyword +type: long -- -*`rsa.misc.fcatnum`*:: +*`rsa.network.smask`*:: + -- -This key captures Filter Category Number. Legacy Usage +This key is used for capturing source Network Mask type: keyword -- -*`rsa.misc.library`*:: +*`rsa.network.netname`*:: + -- -This key is used to capture library information in mainframe devices +This key is used to capture the network name associated with an IP range. This is configured by the end user. type: keyword -- -*`rsa.misc.parent_node`*:: +*`rsa.network.paddr`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. +Deprecated -type: keyword +type: ip -- -*`rsa.misc.risk_info`*:: +*`rsa.network.faddr`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.network.lhost`*:: + -- -This key is captures the TCP flags set in any packet of session - -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.network.origin`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.network.remote_domain_id`*:: + -- -VMWare Target **VMWARE** only varaible. - type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.network.addr`*:: + -- -This key captures Workspace Description - type: keyword -- -*`rsa.misc.command`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`rsa.misc.policy_waiver`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use host.dst + type: keyword -- -*`rsa.misc.second`*:: +*`rsa.network.eth_type`*:: + -- -type: keyword +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long -- -*`rsa.misc.space1`*:: +*`rsa.network.ip_proto`*:: + -- -type: keyword +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long -- -*`rsa.misc.subcategory`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.network.dns_opcode`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.network.dns_resp`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.network.dns_type`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.network.domain1`*:: + -- -This key captures the Filter Result - -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.network.host_type`*:: + -- -This key is used to capture destination payload - type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.network.packet_length`*:: + -- -This key is used to capture source payload - type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.network.host_orig`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.network.rpayload`*:: + -- -This key is a failure key for Process ID when it is not an integer value +This key is used to capture the total number of payload bytes seen in the retransmitted packets. type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.network.vlan_name`*:: + -- -This key captures Risk Number Community +This key should only be used to capture the name of the Virtual LAN -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: + +*`rsa.investigations.ec_activity`*:: + -- -This key captures Risk Number NextGen +This key captures the particular event activity(Ex:Logoff) -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.investigations.ec_theme`*:: + -- -This key captures Risk Number SandBox +This key captures the Theme of a particular Event(Ex:Authentication) -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.investigations.ec_subject`*:: + -- -This key captures Risk Number Static +This key captures the Subject of a particular Event(Ex:User) -type: double +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`rsa.investigations.ec_outcome`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.investigations.event_cat`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key captures the Event category number -type: keyword +type: long -- -*`rsa.misc.snmp_oid`*:: +*`rsa.investigations.event_cat_name`*:: + -- -SNMP Object Identifier +This key captures the event category name corresponding to the event cat code type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.investigations.event_vcat`*:: + -- -This key captures the SQL query +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.investigations.analysis_file`*:: + -- -This key captures the Vulnerability Reference details +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.investigations.analysis_service`*:: + -- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.investigations.analysis_session`*:: + -- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.investigations.boc`*:: + -- +This is used to capture behaviour of compromise + type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.investigations.eoc`*:: + -- +This is used to capture Enablers of Compromise + type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.investigations.inv_category`*:: + -- +This used to capture investigation category + type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context + type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.investigations.ioc`*:: + -- +This is key capture indicator of compromise + type: keyword -- -*`rsa.misc.app_id`*:: + +*`rsa.counters.dclass_c1`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long -- -*`rsa.misc.audit`*:: +*`rsa.counters.dclass_c2`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long -- -*`rsa.misc.audit_object`*:: +*`rsa.counters.event_counter`*:: + -- -type: keyword +This is used to capture the number of times an event repeated + +type: long -- -*`rsa.misc.auditdata`*:: +*`rsa.counters.dclass_r1`*:: + -- +This is a generic ratio key that should be used with the label dclass.r1.str only + type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.counters.dclass_c3`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long -- -*`rsa.misc.bypass`*:: +*`rsa.counters.dclass_c1_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c1 only + type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.counters.dclass_c2_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c2 only + type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.counters.dclass_r1_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r1 only + type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.counters.dclass_r2`*:: + -- +This is a generic ratio key that should be used with the label dclass.r2.str only + type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.counters.dclass_c3_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c3 only + type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.counters.dclass_r3`*:: + -- +This is a generic ratio key that should be used with the label dclass.r3.str only + type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.counters.dclass_r2_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r2 only + type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.counters.dclass_r3_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r3 only + type: keyword -- -*`rsa.misc.client_ip`*:: + +*`rsa.identity.auth_method`*:: + -- +This key is used to capture authentication methods used only + type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.identity.user_role`*:: + -- +This key is used to capture the Role of a user only + type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.identity.dn`*:: + -- +X.500 (LDAP) Distinguished Name + type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.identity.logon_type`*:: + -- +This key is used to capture the type of logon method used. + type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.identity.profile`*:: + -- +This key is used to capture the user profile + type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.identity.accesses`*:: + -- +This key is used to capture actual privileges used in accessing an object + type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.identity.realm`*:: + -- +Radius realm or similar grouping of accounts + type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.identity.user_sid_dst`*:: + -- +This key captures Destination User Session ID + type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.identity.dn_src`*:: + -- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.identity.org`*:: + -- +This key captures the User organization + type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.identity.dn_dst`*:: + -- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.identity.lastname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.identity.user_dept`*:: + -- +User's Department Names only + type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.identity.user_sid_src`*:: + -- +This key captures Source User Session ID + type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.identity.federated_sp`*:: + -- +This key is the Federated Service Provider. This is the application requesting authentication. + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.identity.federated_idp`*:: + -- +This key is the federated Identity Provider. This is the server providing the authentication. + type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.identity.logon_type_desc`*:: + -- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.identity.middlename`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.identity.password`*:: + -- +This key is for Passwords seen in any session, plain text or encrypted + type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.identity.host_role`*:: + -- +This key should only be used to capture the role of a Host Machine + type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.identity.ldap`*:: + -- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.identity.ldap_query`*:: + -- +This key is the Search criteria from an LDAP search + type: keyword -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.identity.ldap_response`*:: + -- +This key is to capture Results from an LDAP search + type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.identity.owner`*:: + -- +This is used to capture username the process or service is running as, the author of the task + type: keyword -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.identity.service_account`*:: + -- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: + +*`rsa.email.email_dst`*:: + -- +This key is used to capture the Destination email address only, when the destination context is not clear use email + type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.email.email_src`*:: + -- +This key is used to capture the source email address only, when the source context is not clear use email + type: keyword -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.email.subject`*:: + -- +This key is used to capture the subject string from an Email only. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.email.email`*:: + -- +This key is used to capture a generic email address where the source or destination context is not clear + type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.email.trans_from`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.email.trans_to`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: + +*`rsa.file.privilege`*:: + -- +Deprecated, use permissions + type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.file.attachment`*:: + -- +This key captures the attachment file name + type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.file.binary`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.file.filename_dst`*:: + -- +This is used to capture name of the file targeted by the action + type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.file.filename_src`*:: + -- +This is used to capture name of the parent filename, the file which performed the action + type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.file.filename_tmp`*:: + -- type: keyword -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.file.directory_dst`*:: + -- +This key is used to capture the directory of the target process or file + type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.file.directory_src`*:: + -- +This key is used to capture the directory of the source process or file + type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.file.file_entropy`*:: + -- -type: keyword +This is used to capture entropy vale of a file + +type: double -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.file.file_vendor`*:: + -- +This is used to capture Company name of file located in version_info + type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.file.task_name`*:: + -- +This is used to capture name of the task + type: keyword -- -*`rsa.misc.cn_seqctr`*:: + +*`rsa.web.fqdn`*:: + -- +Fully Qualified Domain Names + type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.web.web_cookie`*:: + -- +This key is used to capture the Web cookies specifically. + type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.web.reputation_num`*:: + -- -type: keyword +Reputation Number of an entity. Typically used for Web Domains + +type: double -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.web.web_ref_domain`*:: + -- +Web referer's domain + type: keyword -- -*`rsa.misc.cn_template_id`*:: +*`rsa.web.web_ref_query`*:: + -- +This key captures Web referer's query portion of the URL + type: keyword -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.web.remote_domain`*:: + -- type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.web.web_ref_page`*:: + -- +This key captures Web referer's page information + type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.web.web_ref_root`*:: + -- +Web referer's root URL path + type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`rsa.misc.criticality`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.web.web_page`*:: + -- type: keyword -- -*`rsa.misc.cs_av_other`*:: + +*`rsa.threat.threat_category`*:: + -- +This key captures Threat Name/Threat Category/Categorization of alert + type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.threat.threat_desc`*:: + -- +This key is used to capture the threat description from the session directly or inferred + type: keyword -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.threat.alert`*:: + -- +This key is used to capture name of the alert + type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.threat.threat_source`*:: + -- +This key is used to capture source of the threat + type: keyword -- -*`rsa.misc.cs_bit9status`*:: + +*`rsa.crypto.crypto`*:: + -- +This key is used to capture the Encryption Type or Encryption Key only + type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.crypto.cipher_src`*:: + -- +This key is for Source (Client) Cipher + type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.crypto.cert_subject`*:: + -- +This key is used to capture the Certificate organization only + type: keyword -- -*`rsa.misc.cs_data`*:: +*`rsa.crypto.peer`*:: + -- +This key is for Encryption peer's IP Address + type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -type: keyword +This key captures Source (Client) Cipher Size + +type: long -- -*`rsa.misc.cs_dst_tld`*:: +*`rsa.crypto.ike`*:: + -- +IKE negotiation phase. + type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.crypto.scheme`*:: + -- +This key captures the Encryption scheme used + type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.crypto.peer_id`*:: + -- +This key is for Encryption peer’s identity + type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`rsa.crypto.sig_type`*:: + -- +This key captures the Signature Type + type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`rsa.crypto.cert_issuer`*:: + -- type: keyword -- -*`rsa.misc.cs_fld`*:: +*`rsa.crypto.cert_host_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.crypto.cert_error`*:: + -- +This key captures the Certificate Error String + type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`rsa.crypto.cipher_dst`*:: + -- +This key is for Destination (Server) Cipher + type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -type: keyword +This key captures Destination (Server) Cipher Size + +type: long -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.crypto.ike_cookie1`*:: + -- +ID of the negotiation — sent for ISAKMP Phase One + type: keyword -- -*`rsa.misc.cs_loginname`*:: +*`rsa.crypto.ike_cookie2`*:: + -- +ID of the negotiation — sent for ISAKMP Phase Two + type: keyword -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`rsa.misc.cs_modulesign`*:: +*`rsa.crypto.cert_host_cat`*:: + -- +This key is used for the hostname category value of a certificate + type: keyword -- -*`rsa.misc.cs_opswatresult`*:: +*`rsa.crypto.cert_serial`*:: + -- +This key is used to capture the Certificate serial number only + type: keyword -- -*`rsa.misc.cs_payload`*:: +*`rsa.crypto.cert_status`*:: + -- +This key captures Certificate validation status + type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`rsa.misc.cs_represult`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.crypto.cert_ca`*:: + -- +This key is used to capture the Certificate signing authority only + type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.crypto.cert_common`*:: + -- +This key is used to capture the Certificate common name only + type: keyword -- -*`rsa.misc.cs_targetmodule`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- +This key is used to capture the ssid of a Wireless Session + type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.wireless.access_point`*:: + -- +This key is used to capture the access point name. + type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.wireless.wlan_channel`*:: + -- -type: keyword +This is used to capture the channel names + +type: long -- -*`rsa.misc.cs_yararesult`*:: +*`rsa.wireless.wlan_name`*:: + -- +This key captures either WLAN number/name + type: keyword -- -*`rsa.misc.description`*:: + +*`rsa.storage.disk_volume`*:: + -- +A unique name assigned to logical units (volumes) within a physical disk + type: keyword -- -*`rsa.misc.devvendor`*:: +*`rsa.storage.lun`*:: + -- +Logical Unit Number.This key is a very useful concept in Storage. + type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.storage.pwwn`*:: + -- +This uniquely identifies a port on a HBA. + type: keyword -- -*`rsa.misc.dstburb`*:: + +*`rsa.physical.org_dst`*:: + -- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.physical.org_src`*:: + -- +This is used to capture the source organization based on the GEOPIP Maxmind database. + type: keyword -- -*`rsa.misc.edomaub`*:: + +*`rsa.healthcare.patient_fname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.euid`*:: +*`rsa.healthcare.patient_id`*:: + -- +This key captures the unique ID for a patient + type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.healthcare.patient_lname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.finterface`*:: +*`rsa.healthcare.patient_mname`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.flags`*:: + +*`rsa.endpoint.host_state`*:: + -- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + type: keyword -- -*`rsa.misc.gaddr`*:: +*`rsa.endpoint.registry_key`*:: + -- +This key captures the path to the registry key + type: keyword -- -*`rsa.misc.id3`*:: +*`rsa.endpoint.registry_value`*:: + -- +This key captures values or decorators used within a registry entry + type: keyword -- -*`rsa.misc.im_buddyname`*:: +[[exported-fields-sonicwall]] +== Sonicwall-FW fields + +sonicwall fields. + + + +*`network.interface.name`*:: + -- +Name of the network interface where the traffic has been observed. + + type: keyword -- -*`rsa.misc.im_croomid`*:: + + +*`rsa.internal.msg`*:: + -- +This key is used to capture the raw message that comes into the Log Decoder + type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.internal.messageid`*:: + -- type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.internal.event_desc`*:: + -- type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.internal.message`*:: + -- +This key captures the contents of instant messages + type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.internal.time`*:: + -- -type: keyword +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date -- -*`rsa.misc.ipscat`*:: +*`rsa.internal.level`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.misc.ipspri`*:: +*`rsa.internal.msg_id`*:: + -- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.latitude`*:: +*`rsa.internal.msg_vid`*:: + -- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.internal.data`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.internal.obj_server`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.load_data`*:: +*`rsa.internal.obj_val`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.internal.resource`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.location_mark`*:: +*`rsa.internal.obj_id`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.log_id`*:: +*`rsa.internal.statement`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.internal.audit_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.internal.entry`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.logip`*:: +*`rsa.internal.hcode`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.logname`*:: +*`rsa.internal.inode`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.misc.longitude`*:: +*`rsa.internal.resource_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.internal.dead`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.misc.mbug_data`*:: +*`rsa.internal.feed_desc`*:: + -- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.internal.feed_name`*:: + -- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.msg_type`*:: +*`rsa.internal.cid`*:: + -- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.internal.device_class`*:: + -- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.netsessid`*:: +*`rsa.internal.device_group`*:: + -- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.num`*:: +*`rsa.internal.device_host`*:: + -- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.internal.device_ip`*:: + -- -type: keyword +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`rsa.misc.number2`*:: +*`rsa.internal.device_ipv6`*:: + -- -type: keyword +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`rsa.misc.nwwn`*:: +*`rsa.internal.device_type`*:: + -- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.object`*:: +*`rsa.internal.device_type_id`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.misc.operation`*:: +*`rsa.internal.did`*:: + -- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.internal.entropy_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`rsa.misc.orig_from`*:: +*`rsa.internal.entropy_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`rsa.misc.owner_id`*:: +*`rsa.internal.event_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.p_action`*:: +*`rsa.internal.feed_category`*:: + -- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.p_filter`*:: +*`rsa.internal.forward_ip`*:: + -- -type: keyword +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip -- -*`rsa.misc.p_group_object`*:: +*`rsa.internal.forward_ipv6`*:: + -- -type: keyword +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`rsa.misc.p_id`*:: +*`rsa.internal.header_id`*:: + -- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`rsa.internal.lc_cid`*:: + -- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`rsa.internal.lc_ctime`*:: + -- -type: keyword +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date -- -*`rsa.misc.p_result1`*:: +*`rsa.internal.mcb_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`rsa.misc.password_chg`*:: +*`rsa.internal.mcb_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`rsa.misc.password_expire`*:: +*`rsa.internal.mcbc_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long -- -*`rsa.misc.permgranted`*:: +*`rsa.internal.mcbc_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long -- -*`rsa.misc.permwanted`*:: +*`rsa.internal.medium`*:: + -- -type: keyword +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long -- -*`rsa.misc.pgid`*:: +*`rsa.internal.node_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.policyUUID`*:: +*`rsa.internal.nwe_callback_id`*:: + -- +This key denotes that event is endpoint related + type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.internal.parse_error`*:: + -- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.program`*:: +*`rsa.internal.payload_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`rsa.misc.real_data`*:: +*`rsa.internal.payload_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`rsa.misc.rec_asp_device`*:: +*`rsa.internal.process_vid_dst`*:: + -- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.internal.process_vid_src`*:: + -- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + type: keyword -- -*`rsa.misc.rec_library`*:: +*`rsa.internal.rid`*:: + -- -type: keyword +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`rsa.misc.recordnum`*:: +*`rsa.internal.session_split`*:: + -- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.ruid`*:: +*`rsa.internal.site`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.internal.size`*:: + -- -type: keyword +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.internal.sourcefile`*:: + -- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.internal.ubc_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long -- -*`rsa.misc.sensorname`*:: +*`rsa.internal.ubc_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long -- -*`rsa.misc.seqnum`*:: +*`rsa.internal.word`*:: + -- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + type: keyword -- -*`rsa.misc.session`*:: + +*`rsa.time.event_time`*:: + -- -type: keyword +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date -- -*`rsa.misc.sessiontype`*:: +*`rsa.time.duration_time`*:: + -- -type: keyword +This key is used to capture the normalized duration/lifetime in seconds. + +type: double -- -*`rsa.misc.sigUUID`*:: +*`rsa.time.event_time_str`*:: + -- +This key is used to capture the incomplete time mentioned in a session as a string + type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.time.starttime`*:: + -- -type: keyword +This key is used to capture the Start time mentioned in a session in a standard form + +type: date -- -*`rsa.misc.srcburb`*:: +*`rsa.time.month`*:: + -- type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.time.day`*:: + -- type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.time.endtime`*:: + -- -type: keyword +This key is used to capture the End time mentioned in a session in a standard form + +type: date -- -*`rsa.misc.state`*:: +*`rsa.time.timezone`*:: + -- +This key is used to capture the timezone of the Event Time + type: keyword -- -*`rsa.misc.status1`*:: +*`rsa.time.duration_str`*:: + -- +A text string version of the duration + type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.time.date`*:: + -- type: keyword -- -*`rsa.misc.system`*:: +*`rsa.time.year`*:: + -- type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`rsa.time.recorded_time`*:: + -- -type: keyword +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date -- -*`rsa.misc.tgtdom`*:: +*`rsa.time.datetime`*:: + -- type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.time.effective_time`*:: + -- -type: keyword +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date -- -*`rsa.misc.threshold`*:: +*`rsa.time.expire_time`*:: + -- -type: keyword +This key is the timestamp that explicitly refers to an expiration. + +type: date -- -*`rsa.misc.type1`*:: +*`rsa.time.process_time`*:: + -- +Deprecated, use duration.time + type: keyword -- -*`rsa.misc.udb_class`*:: +*`rsa.time.hour`*:: + -- type: keyword -- -*`rsa.misc.url_fld`*:: +*`rsa.time.min`*:: + -- type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.time.timestamp`*:: + -- type: keyword -- -*`rsa.misc.userid`*:: +*`rsa.time.event_queue_time`*:: + -- -type: keyword +This key is the Time that the event was queued. + +type: date -- -*`rsa.misc.username_fld`*:: +*`rsa.time.p_time1`*:: + -- type: keyword -- -*`rsa.misc.utcstamp`*:: +*`rsa.time.tzone`*:: + -- type: keyword -- -*`rsa.misc.v_instafname`*:: +*`rsa.time.eventtime`*:: + -- type: keyword -- -*`rsa.misc.virt_data`*:: +*`rsa.time.gmtdate`*:: + -- type: keyword -- -*`rsa.misc.vpnid`*:: +*`rsa.time.gmttime`*:: + -- type: keyword -- -*`rsa.misc.autorun_type`*:: +*`rsa.time.p_date`*:: + -- -This is used to capture Auto Run type - type: keyword -- -*`rsa.misc.cc_number`*:: +*`rsa.time.p_month`*:: + -- -Valid Credit Card Numbers only - -type: long +type: keyword -- -*`rsa.misc.content`*:: +*`rsa.time.p_time`*:: + -- -This key captures the content type from protocol headers - type: keyword -- -*`rsa.misc.ein_number`*:: +*`rsa.time.p_time2`*:: + -- -Employee Identification Numbers only - -type: long +type: keyword -- -*`rsa.misc.found`*:: +*`rsa.time.p_year`*:: + -- -This is used to capture the results of regex match - type: keyword -- -*`rsa.misc.language`*:: +*`rsa.time.expire_time_str`*:: + -- -This is used to capture list of languages the client support and what it prefers +This key is used to capture incomplete timestamp that explicitly refers to an expiration. type: keyword -- -*`rsa.misc.lifetime`*:: +*`rsa.time.stamp`*:: + -- -This key is used to capture the session lifetime in seconds. +Deprecated key defined only in table map. -type: long +type: date -- -*`rsa.misc.link`*:: + +*`rsa.misc.action`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.misc.match`*:: +*`rsa.misc.result`*:: + -- -This key is for regex match name from search.ini +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`rsa.misc.param_dst`*:: +*`rsa.misc.severity`*:: + -- -This key captures the command line/launch argument of the target process or file +This key is used to capture the severity given the session type: keyword -- -*`rsa.misc.param_src`*:: +*`rsa.misc.event_type`*:: + -- -This key captures source parameter +This key captures the event category type as specified by the event source. type: keyword -- -*`rsa.misc.search_text`*:: +*`rsa.misc.reference_id`*:: + -- -This key captures the Search Text used +This key is used to capture an event id from the session directly type: keyword -- -*`rsa.misc.sig_name`*:: +*`rsa.misc.version`*:: + -- -This key is used to capture the Signature Name only. +This key captures Version of the application or OS which is generating the event. type: keyword -- -*`rsa.misc.snmp_value`*:: +*`rsa.misc.disposition`*:: + -- -SNMP set request value +This key captures the The end state of an action. type: keyword -- -*`rsa.misc.streams`*:: +*`rsa.misc.result_code`*:: + -- -This key captures number of streams in session +This key is used to capture the outcome/result numeric value of an action in a session -type: long +type: keyword -- - -*`rsa.db.index`*:: +*`rsa.misc.category`*:: + -- -This key captures IndexID of the index. +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`rsa.db.instance`*:: +*`rsa.misc.obj_name`*:: + -- -This key is used to capture the database server instance name +This is used to capture name of object type: keyword -- -*`rsa.db.database`*:: +*`rsa.misc.obj_type`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session +This is used to capture type of object type: keyword -- -*`rsa.db.transact_id`*:: +*`rsa.misc.event_source`*:: + -- -This key captures the SQL transantion ID of the current session +This key captures Source of the event that’s not a hostname type: keyword -- -*`rsa.db.permissions`*:: +*`rsa.misc.log_session_id`*:: + -- -This key captures permission or privilege level assigned to a resource. +This key is used to capture a sessionid from the session directly type: keyword -- -*`rsa.db.table_name`*:: +*`rsa.misc.group`*:: + -- -This key is used to capture the table name +This key captures the Group Name value type: keyword -- -*`rsa.db.db_id`*:: +*`rsa.misc.policy_name`*:: + -- -This key is used to capture the unique identifier for a database +This key is used to capture the Policy Name only. type: keyword -- -*`rsa.db.db_pid`*:: +*`rsa.misc.rule_name`*:: + -- -This key captures the process id of a connection with database server +This key captures the Rule Name -type: long +type: keyword -- -*`rsa.db.lread`*:: +*`rsa.misc.context`*:: + -- -This key is used for the number of logical reads +This key captures Information which adds additional context to the event. -type: long +type: keyword -- -*`rsa.db.lwrite`*:: +*`rsa.misc.change_new`*:: + -- -This key is used for the number of logical writes +This key is used to capture the new values of the attribute that’s changing in a session -type: long +type: keyword -- -*`rsa.db.pread`*:: +*`rsa.misc.space`*:: + -- -This key is used for the number of physical writes - -type: long +type: keyword -- - -*`rsa.network.alias_host`*:: +*`rsa.misc.client`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. type: keyword -- -*`rsa.network.domain`*:: +*`rsa.misc.msgIdPart1`*:: + -- type: keyword -- -*`rsa.network.host_dst`*:: +*`rsa.misc.msgIdPart2`*:: + -- -This key should only be used when it’s a Destination Hostname - type: keyword -- -*`rsa.network.network_service`*:: +*`rsa.misc.change_old`*:: + -- -This is used to capture layer 7 protocols/service names +This key is used to capture the old value of the attribute that’s changing in a session type: keyword -- -*`rsa.network.interface`*:: +*`rsa.misc.operation_id`*:: + -- -This key should be used when the source or destination context of an interface is not clear +An alert number or operation number. The values should be unique and non-repeating. type: keyword -- -*`rsa.network.network_port`*:: +*`rsa.misc.event_state`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) +This key captures the current state of the object/item referenced within the event. Describing an on-going event. -type: long +type: keyword -- -*`rsa.network.eth_host`*:: +*`rsa.misc.group_object`*:: + -- -Deprecated, use alias.mac +This key captures a collection/grouping of entities. Specific usage type: keyword -- -*`rsa.network.sinterface`*:: +*`rsa.misc.node`*:: + -- -This key should only be used when it’s a Source Interface +Common use case is the node name within a cluster. The cluster name is reflected by the host name. type: keyword -- -*`rsa.network.dinterface`*:: +*`rsa.misc.rule`*:: + -- -This key should only be used when it’s a Destination Interface +This key captures the Rule number type: keyword -- -*`rsa.network.vlan`*:: +*`rsa.misc.device_name`*:: + -- -This key should only be used to capture the ID of the Virtual LAN +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc -type: long +type: keyword -- -*`rsa.network.zone_src`*:: +*`rsa.misc.param`*:: + -- -This key should only be used when it’s a Source Zone. +This key is the parameters passed as part of a command or application, etc. type: keyword -- -*`rsa.network.zone`*:: +*`rsa.misc.change_attrib`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +This key is used to capture the name of the attribute that’s changing in a session type: keyword -- -*`rsa.network.zone_dst`*:: +*`rsa.misc.event_computer`*:: + -- -This key should only be used when it’s a Destination Zone. +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- -*`rsa.network.gateway`*:: +*`rsa.misc.reference_id1`*:: + -- -This key is used to capture the IP Address of the gateway +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- -*`rsa.network.icmp_type`*:: +*`rsa.misc.event_log`*:: + -- -This key is used to capture the ICMP type only +This key captures the Name of the event log -type: long +type: keyword -- -*`rsa.network.mask`*:: +*`rsa.misc.OS`*:: + -- -This key is used to capture the device network IPmask. +This key captures the Name of the Operating System type: keyword -- -*`rsa.network.icmp_code`*:: +*`rsa.misc.terminal`*:: + -- -This key is used to capture the ICMP code only +This key captures the Terminal Names only -type: long +type: keyword -- -*`rsa.network.protocol_detail`*:: +*`rsa.misc.msgIdPart3`*:: + -- -This key should be used to capture additional protocol information - type: keyword -- -*`rsa.network.dmask`*:: +*`rsa.misc.filter`*:: + -- -This key is used for Destionation Device network mask +This key captures Filter used to reduce result set type: keyword -- -*`rsa.network.port`*:: +*`rsa.misc.serial_number`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear +This key is the Serial number associated with a physical asset. -type: long +type: keyword -- -*`rsa.network.smask`*:: +*`rsa.misc.checksum`*:: + -- -This key is used for capturing source Network Mask +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. type: keyword -- -*`rsa.network.netname`*:: +*`rsa.misc.event_user`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. type: keyword -- -*`rsa.network.paddr`*:: +*`rsa.misc.virusname`*:: + -- -Deprecated - -type: ip - --- +This key captures the name of the virus -*`rsa.network.faddr`*:: -+ --- type: keyword -- -*`rsa.network.lhost`*:: +*`rsa.misc.content_type`*:: + -- +This key is used to capture Content Type only. + type: keyword -- -*`rsa.network.origin`*:: +*`rsa.misc.group_id`*:: + -- +This key captures Group ID Number (related to the group name) + type: keyword -- -*`rsa.network.remote_domain_id`*:: +*`rsa.misc.policy_id`*:: + -- +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + type: keyword -- -*`rsa.network.addr`*:: +*`rsa.misc.vsys`*:: + -- +This key captures Virtual System Name + type: keyword -- -*`rsa.network.dns_a_record`*:: +*`rsa.misc.connection_id`*:: + -- +This key captures the Connection ID + type: keyword -- -*`rsa.network.dns_ptr_record`*:: +*`rsa.misc.reference_id2`*:: + -- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + type: keyword -- -*`rsa.network.fhost`*:: +*`rsa.misc.sensor`*:: + -- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + type: keyword -- -*`rsa.network.fport`*:: +*`rsa.misc.sig_id`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID + +type: long -- -*`rsa.network.laddr`*:: +*`rsa.misc.port_name`*:: + -- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + type: keyword -- -*`rsa.network.linterface`*:: +*`rsa.misc.rule_group`*:: + -- +This key captures the Rule group name + type: keyword -- -*`rsa.network.phost`*:: +*`rsa.misc.risk_num`*:: + -- -type: keyword +This key captures a Numeric Risk value + +type: double -- -*`rsa.network.ad_computer_dst`*:: +*`rsa.misc.trigger_val`*:: + -- -Deprecated, use host.dst +This key captures the Value of the trigger or threshold condition. type: keyword -- -*`rsa.network.eth_type`*:: +*`rsa.misc.log_session_id1`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only +This key is used to capture a Linked (Related) Session ID from the session directly -type: long +type: keyword -- -*`rsa.network.ip_proto`*:: +*`rsa.misc.comp_version`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +This key captures the Version level of a sub-component of a product. -type: long +type: keyword -- -*`rsa.network.dns_cname_record`*:: +*`rsa.misc.content_version`*:: + -- +This key captures Version level of a signature or database content. + type: keyword -- -*`rsa.network.dns_id`*:: +*`rsa.misc.hardware_id`*:: + -- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + type: keyword -- -*`rsa.network.dns_opcode`*:: +*`rsa.misc.risk`*:: + -- +This key captures the non-numeric risk value + type: keyword -- -*`rsa.network.dns_resp`*:: +*`rsa.misc.event_id`*:: + -- type: keyword -- -*`rsa.network.dns_type`*:: +*`rsa.misc.reason`*:: + -- type: keyword -- -*`rsa.network.domain1`*:: +*`rsa.misc.status`*:: + -- type: keyword -- -*`rsa.network.host_type`*:: +*`rsa.misc.mail_id`*:: + -- +This key is used to capture the mailbox id/name + type: keyword -- -*`rsa.network.packet_length`*:: +*`rsa.misc.rule_uid`*:: + -- +This key is the Unique Identifier for a rule. + type: keyword -- -*`rsa.network.host_orig`*:: +*`rsa.misc.trigger_desc`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. +This key captures the Description of the trigger or threshold condition. type: keyword -- -*`rsa.network.rpayload`*:: +*`rsa.misc.inout`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - type: keyword -- -*`rsa.network.vlan_name`*:: +*`rsa.misc.p_msgid`*:: + -- -This key should only be used to capture the name of the Virtual LAN - type: keyword -- - -*`rsa.investigations.ec_activity`*:: +*`rsa.misc.data_type`*:: + -- -This key captures the particular event activity(Ex:Logoff) - type: keyword -- -*`rsa.investigations.ec_theme`*:: +*`rsa.misc.msgIdPart4`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) - type: keyword -- -*`rsa.investigations.ec_subject`*:: +*`rsa.misc.error`*:: + -- -This key captures the Subject of a particular Event(Ex:User) +This key captures All non successful Error codes or responses type: keyword -- -*`rsa.investigations.ec_outcome`*:: +*`rsa.misc.index`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) - type: keyword -- -*`rsa.investigations.event_cat`*:: +*`rsa.misc.listnum`*:: + -- -This key captures the Event category number +This key is used to capture listname or listnumber, primarily for collecting access-list -type: long +type: keyword -- -*`rsa.investigations.event_cat_name`*:: +*`rsa.misc.ntype`*:: + -- -This key captures the event category name corresponding to the event cat code - type: keyword -- -*`rsa.investigations.event_vcat`*:: +*`rsa.misc.observed_val`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. +This key captures the Value observed (from the perspective of the device generating the log). type: keyword -- -*`rsa.investigations.analysis_file`*:: +*`rsa.misc.policy_value`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file +This key captures the contents of the policy. This contains details about the policy type: keyword -- -*`rsa.investigations.analysis_service`*:: +*`rsa.misc.pool_name`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +This key captures the name of a resource pool type: keyword -- -*`rsa.investigations.analysis_session`*:: +*`rsa.misc.rule_template`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template type: keyword -- -*`rsa.investigations.boc`*:: +*`rsa.misc.count`*:: + -- -This is used to capture behaviour of compromise - type: keyword -- -*`rsa.investigations.eoc`*:: +*`rsa.misc.number`*:: + -- -This is used to capture Enablers of Compromise - type: keyword -- -*`rsa.investigations.inv_category`*:: +*`rsa.misc.sigcat`*:: + -- -This used to capture investigation category - type: keyword -- -*`rsa.investigations.inv_context`*:: +*`rsa.misc.type`*:: + -- -This used to capture investigation context - type: keyword -- -*`rsa.investigations.ioc`*:: +*`rsa.misc.comments`*:: + -- -This is key capture indicator of compromise +Comment information provided in the log message type: keyword -- - -*`rsa.counters.dclass_c1`*:: +*`rsa.misc.doc_number`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only +This key captures File Identification number type: long -- -*`rsa.counters.dclass_c2`*:: +*`rsa.misc.expected_val`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only +This key captures the Value expected (from the perspective of the device generating the log). -type: long +type: keyword -- -*`rsa.counters.event_counter`*:: +*`rsa.misc.job_num`*:: + -- -This is used to capture the number of times an event repeated +This key captures the Job Number -type: long +type: keyword -- -*`rsa.counters.dclass_r1`*:: +*`rsa.misc.spi_dst`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +Destination SPI Index type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`rsa.misc.spi_src`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +Source SPI Index -type: long +type: keyword -- -*`rsa.counters.dclass_c1_str`*:: +*`rsa.misc.code`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only - type: keyword -- -*`rsa.counters.dclass_c2_str`*:: +*`rsa.misc.agent_id`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only +This key is used to capture agent id type: keyword -- -*`rsa.counters.dclass_r1_str`*:: +*`rsa.misc.message_body`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only +This key captures the The contents of the message body. type: keyword -- -*`rsa.counters.dclass_r2`*:: +*`rsa.misc.phone`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only - type: keyword -- -*`rsa.counters.dclass_c3_str`*:: +*`rsa.misc.sig_id_str`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +This key captures a string object of the sigid variable. type: keyword -- -*`rsa.counters.dclass_r3`*:: +*`rsa.misc.cmd`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only - type: keyword -- -*`rsa.counters.dclass_r2_str`*:: +*`rsa.misc.misc`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only - type: keyword -- -*`rsa.counters.dclass_r3_str`*:: +*`rsa.misc.name`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only - type: keyword -- - -*`rsa.identity.auth_method`*:: +*`rsa.misc.cpu`*:: + -- -This key is used to capture authentication methods used only +This key is the CPU time used in the execution of the event being recorded. -type: keyword +type: long -- -*`rsa.identity.user_role`*:: +*`rsa.misc.event_desc`*:: + -- -This key is used to capture the Role of a user only +This key is used to capture a description of an event available directly or inferred type: keyword -- -*`rsa.identity.dn`*:: +*`rsa.misc.sig_id1`*:: + -- -X.500 (LDAP) Distinguished Name +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id -type: keyword +type: long -- -*`rsa.identity.logon_type`*:: +*`rsa.misc.im_buddyid`*:: + -- -This key is used to capture the type of logon method used. - type: keyword -- -*`rsa.identity.profile`*:: +*`rsa.misc.im_client`*:: + -- -This key is used to capture the user profile - type: keyword -- -*`rsa.identity.accesses`*:: +*`rsa.misc.im_userid`*:: + -- -This key is used to capture actual privileges used in accessing an object - type: keyword -- -*`rsa.identity.realm`*:: +*`rsa.misc.pid`*:: + -- -Radius realm or similar grouping of accounts - type: keyword -- -*`rsa.identity.user_sid_dst`*:: +*`rsa.misc.priority`*:: + -- -This key captures Destination User Session ID - type: keyword -- -*`rsa.identity.dn_src`*:: +*`rsa.misc.context_subject`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn +This key is to be used in an audit context where the subject is the object being identified type: keyword -- -*`rsa.identity.org`*:: +*`rsa.misc.context_target`*:: + -- -This key captures the User organization - type: keyword -- -*`rsa.identity.dn_dst`*:: +*`rsa.misc.cve`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. type: keyword -- -*`rsa.identity.firstname`*:: +*`rsa.misc.fcatnum`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +This key captures Filter Category Number. Legacy Usage type: keyword -- -*`rsa.identity.lastname`*:: +*`rsa.misc.library`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +This key is used to capture library information in mainframe devices type: keyword -- -*`rsa.identity.user_dept`*:: +*`rsa.misc.parent_node`*:: + -- -User's Department Names only +This key captures the Parent Node Name. Must be related to node variable. type: keyword -- -*`rsa.identity.user_sid_src`*:: +*`rsa.misc.risk_info`*:: + -- -This key captures Source User Session ID +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.identity.federated_sp`*:: +*`rsa.misc.tcp_flags`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. +This key is captures the TCP flags set in any packet of session -type: keyword +type: long -- -*`rsa.identity.federated_idp`*:: +*`rsa.misc.tos`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. +This key describes the type of service -type: keyword +type: long -- -*`rsa.identity.logon_type_desc`*:: +*`rsa.misc.vm_target`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. +VMWare Target **VMWARE** only varaible. type: keyword -- -*`rsa.identity.middlename`*:: +*`rsa.misc.workspace`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +This key captures Workspace Description type: keyword -- -*`rsa.identity.password`*:: +*`rsa.misc.command`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted - type: keyword -- -*`rsa.identity.host_role`*:: +*`rsa.misc.event_category`*:: + -- -This key should only be used to capture the role of a Host Machine - type: keyword -- -*`rsa.identity.ldap`*:: +*`rsa.misc.facilityname`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - type: keyword -- -*`rsa.identity.ldap_query`*:: +*`rsa.misc.forensic_info`*:: + -- -This key is the Search criteria from an LDAP search - type: keyword -- -*`rsa.identity.ldap_response`*:: +*`rsa.misc.jobname`*:: + -- -This key is to capture Results from an LDAP search - type: keyword -- -*`rsa.identity.owner`*:: +*`rsa.misc.mode`*:: + -- -This is used to capture username the process or service is running as, the author of the task - type: keyword -- -*`rsa.identity.service_account`*:: +*`rsa.misc.policy`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - type: keyword -- - -*`rsa.email.email_dst`*:: +*`rsa.misc.policy_waiver`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email - type: keyword -- -*`rsa.email.email_src`*:: +*`rsa.misc.second`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email - type: keyword -- -*`rsa.email.subject`*:: +*`rsa.misc.space1`*:: + -- -This key is used to capture the subject string from an Email only. - type: keyword -- -*`rsa.email.email`*:: +*`rsa.misc.subcategory`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear - type: keyword -- -*`rsa.email.trans_from`*:: +*`rsa.misc.tbdstr2`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.email.trans_to`*:: +*`rsa.misc.alert_id`*:: + -- -Deprecated key defined only in table map. +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- - -*`rsa.file.privilege`*:: +*`rsa.misc.checksum_dst`*:: + -- -Deprecated, use permissions +This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -- -*`rsa.file.attachment`*:: +*`rsa.misc.checksum_src`*:: + -- -This key captures the attachment file name +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`rsa.file.filesystem`*:: +*`rsa.misc.fresult`*:: + -- -type: keyword +This key captures the Filter Result + +type: long -- -*`rsa.file.binary`*:: +*`rsa.misc.payload_dst`*:: + -- -Deprecated key defined only in table map. +This key is used to capture destination payload type: keyword -- -*`rsa.file.filename_dst`*:: +*`rsa.misc.payload_src`*:: + -- -This is used to capture name of the file targeted by the action +This key is used to capture source payload type: keyword -- -*`rsa.file.filename_src`*:: +*`rsa.misc.pool_id`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`rsa.file.filename_tmp`*:: +*`rsa.misc.process_id_val`*:: + -- +This key is a failure key for Process ID when it is not an integer value + type: keyword -- -*`rsa.file.directory_dst`*:: +*`rsa.misc.risk_num_comm`*:: + -- -This key is used to capture the directory of the target process or file +This key captures Risk Number Community -type: keyword +type: double -- -*`rsa.file.directory_src`*:: +*`rsa.misc.risk_num_next`*:: + -- -This key is used to capture the directory of the source process or file +This key captures Risk Number NextGen -type: keyword +type: double -- -*`rsa.file.file_entropy`*:: +*`rsa.misc.risk_num_sand`*:: + -- -This is used to capture entropy vale of a file +This key captures Risk Number SandBox type: double -- -*`rsa.file.file_vendor`*:: +*`rsa.misc.risk_num_static`*:: + -- -This is used to capture Company name of file located in version_info +This key captures Risk Number Static -type: keyword +type: double -- -*`rsa.file.task_name`*:: +*`rsa.misc.risk_suspicious`*:: + -- -This is used to capture name of the task +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- - -*`rsa.web.fqdn`*:: +*`rsa.misc.risk_warning`*:: + -- -Fully Qualified Domain Names +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.web.web_cookie`*:: +*`rsa.misc.snmp_oid`*:: + -- -This key is used to capture the Web cookies specifically. +SNMP Object Identifier type: keyword -- -*`rsa.web.alias_host`*:: +*`rsa.misc.sql`*:: + -- +This key captures the SQL query + type: keyword -- -*`rsa.web.reputation_num`*:: +*`rsa.misc.vuln_ref`*:: + -- -Reputation Number of an entity. Typically used for Web Domains +This key captures the Vulnerability Reference details -type: double +type: keyword -- -*`rsa.web.web_ref_domain`*:: +*`rsa.misc.acl_id`*:: + -- -Web referer's domain - type: keyword -- -*`rsa.web.web_ref_query`*:: +*`rsa.misc.acl_op`*:: + -- -This key captures Web referer's query portion of the URL - type: keyword -- -*`rsa.web.remote_domain`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`rsa.web.web_ref_page`*:: +*`rsa.misc.acl_table`*:: + -- -This key captures Web referer's page information - type: keyword -- -*`rsa.web.web_ref_root`*:: +*`rsa.misc.admin`*:: + -- -Web referer's root URL path - type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`rsa.misc.alarm_id`*:: + -- type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`rsa.misc.alarmname`*:: + -- type: keyword -- -*`rsa.web.urlpage`*:: +*`rsa.misc.app_id`*:: + -- type: keyword -- -*`rsa.web.urlroot`*:: +*`rsa.misc.audit`*:: + -- type: keyword -- -*`rsa.web.p_url`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`rsa.web.p_user_agent`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`rsa.web.p_web_cookie`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`rsa.web.p_web_method`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`rsa.web.p_web_referer`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- -*`rsa.web.web_page`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- - -*`rsa.threat.threat_category`*:: +*`rsa.misc.cfg_attr`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert - type: keyword -- -*`rsa.threat.threat_desc`*:: +*`rsa.misc.cfg_obj`*:: + -- -This key is used to capture the threat description from the session directly or inferred - type: keyword -- -*`rsa.threat.alert`*:: +*`rsa.misc.cfg_path`*:: + -- -This key is used to capture name of the alert - type: keyword -- -*`rsa.threat.threat_source`*:: +*`rsa.misc.changes`*:: + -- -This key is used to capture source of the threat - type: keyword -- - -*`rsa.crypto.crypto`*:: +*`rsa.misc.client_ip`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only - type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`rsa.misc.clustermembers`*:: + -- -This key is for Source (Client) Cipher - type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -This key is used to capture the Certificate organization only - type: keyword -- -*`rsa.crypto.peer`*:: +*`rsa.misc.cn_asn_src`*:: + -- -This key is for Encryption peer's IP Address - type: keyword -- -*`rsa.crypto.cipher_size_src`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -This key captures Source (Client) Cipher Size - -type: long +type: keyword -- -*`rsa.crypto.ike`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -IKE negotiation phase. - type: keyword -- -*`rsa.crypto.scheme`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -This key captures the Encryption scheme used - type: keyword -- -*`rsa.crypto.peer_id`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -This key is for Encryption peer’s identity - type: keyword -- -*`rsa.crypto.sig_type`*:: +*`rsa.misc.cn_engine_id`*:: + -- -This key captures the Signature Type - type: keyword -- -*`rsa.crypto.cert_issuer`*:: +*`rsa.misc.cn_engine_type`*:: + -- type: keyword -- -*`rsa.crypto.cert_host_name`*:: +*`rsa.misc.cn_f_switch`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.crypto.cert_error`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -This key captures the Certificate Error String - type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -This key is for Destination (Server) Cipher - type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -This key captures Destination (Server) Cipher Size - -type: long +type: keyword -- -*`rsa.crypto.ssl_ver_src`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -Deprecated, use version - type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- type: keyword -- -*`rsa.crypto.s_certauth`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- type: keyword -- -*`rsa.crypto.ike_cookie1`*:: +*`rsa.misc.cn_invalid`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One - type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two - type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`rsa.misc.cn_l_switch`*:: + -- -This key is used for the hostname category value of a certificate - type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`rsa.misc.cn_log_did`*:: + -- -This key is used to capture the Certificate serial number only - type: keyword -- -*`rsa.crypto.cert_status`*:: +*`rsa.misc.cn_log_rid`*:: + -- -This key captures Certificate validation status - type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -Deprecated, use version - type: keyword -- -*`rsa.crypto.cert_keysize`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- type: keyword -- -*`rsa.crypto.cert_username`*:: +*`rsa.misc.cn_min_ttl`*:: + -- type: keyword -- -*`rsa.crypto.https_insact`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- type: keyword -- -*`rsa.crypto.https_valid`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -This key is used to capture the Certificate signing authority only - type: keyword -- -*`rsa.crypto.cert_common`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -This key is used to capture the Certificate common name only - type: keyword -- - -*`rsa.wireless.wlan_ssid`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -This key is used to capture the ssid of a Wireless Session - type: keyword -- -*`rsa.wireless.access_point`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -This key is used to capture the access point name. - type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -This is used to capture the channel names - -type: long +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- -This key captures either WLAN number/name - type: keyword -- - -*`rsa.storage.disk_volume`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk - type: keyword -- -*`rsa.storage.lun`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. - type: keyword -- -*`rsa.storage.pwwn`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -This uniquely identifies a port on a HBA. - type: keyword -- - -*`rsa.physical.org_dst`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - type: keyword -- -*`rsa.physical.org_src`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. - type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.healthcare.patient_id`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -This key captures the unique ID for a patient - type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.healthcare.patient_mname`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`rsa.misc.cn_sampint`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`rsa.misc.cn_seqctr`*:: + -- -This key captures the path to the registry key - type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`rsa.misc.cn_spackets`*:: + -- -This key captures values or decorators used within a registry entry - type: keyword -- -[[exported-fields-rapid7]] -== Rapid7 NeXpose fields - -rapid7 fields. - - - -*`network.interface.name`*:: +*`rsa.misc.cn_src_tos`*:: + -- -Name of the network interface where the traffic has been observed. +type: keyword +-- +*`rsa.misc.cn_src_vlan`*:: ++ +-- type: keyword -- +*`rsa.misc.cn_sysuptime`*:: ++ +-- +type: keyword +-- -*`rsa.internal.msg`*:: +*`rsa.misc.cn_template_id`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder - type: keyword -- -*`rsa.internal.messageid`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- type: keyword -- -*`rsa.internal.event_desc`*:: +*`rsa.misc.cn_totflowexp`*:: + -- type: keyword -- -*`rsa.internal.message`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- -This key captures the contents of instant messages - type: keyword -- -*`rsa.internal.time`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date +type: keyword -- -*`rsa.internal.level`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.msg_id`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.msg_vid`*:: +*`rsa.misc.comp_class`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.data`*:: +*`rsa.misc.comp_name`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_server`*:: +*`rsa.misc.comp_rbytes`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_val`*:: +*`rsa.misc.comp_sbytes`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.resource`*:: +*`rsa.misc.cpu_data`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_id`*:: +*`rsa.misc.criticality`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.statement`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.audit_class`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.entry`*:: +*`rsa.misc.cs_av_other`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.hcode`*:: +*`rsa.misc.cs_av_primary`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.inode`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.resource_class`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.dead`*:: +*`rsa.misc.cs_bit9status`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.feed_desc`*:: +*`rsa.misc.cs_context`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.feed_name`*:: +*`rsa.misc.cs_control`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.cid`*:: +*`rsa.misc.cs_data`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_class`*:: +*`rsa.misc.cs_datecret`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_group`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_host`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_ip`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_type`*:: +*`rsa.misc.cs_filetype`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_type_id`*:: +*`rsa.misc.cs_fld`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.did`*:: +*`rsa.misc.cs_if_desc`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.entropy_req`*:: +*`rsa.misc.cs_if_name`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long +type: keyword -- -*`rsa.internal.entropy_res`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long +type: keyword -- -*`rsa.internal.event_name`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.feed_category`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.forward_ip`*:: +*`rsa.misc.cs_lifetime`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`rsa.misc.cs_log_medium`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.header_id`*:: +*`rsa.misc.cs_loginname`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_cid`*:: +*`rsa.misc.cs_modulescore`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_ctime`*:: +*`rsa.misc.cs_modulesign`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`rsa.misc.cs_payload`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcbc_req`*:: +*`rsa.misc.cs_registrant`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.mcbc_res`*:: +*`rsa.misc.cs_registrar`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.medium`*:: +*`rsa.misc.cs_represult`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long +type: keyword -- -*`rsa.internal.node_name`*:: +*`rsa.misc.cs_rpayload`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -This key denotes that event is endpoint related - type: keyword -- -*`rsa.internal.parse_error`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.payload_req`*:: +*`rsa.misc.cs_streams`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.payload_res`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`rsa.misc.cs_whois_server`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - type: keyword -- -*`rsa.internal.rid`*:: +*`rsa.misc.cs_yararesult`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.session_split`*:: +*`rsa.misc.description`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.site`*:: +*`rsa.misc.devvendor`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.size`*:: +*`rsa.misc.distance`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.sourcefile`*:: +*`rsa.misc.dstburb`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.ubc_req`*:: +*`rsa.misc.edomain`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`rsa.misc.edomaub`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.word`*:: +*`rsa.misc.euid`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - type: keyword -- - -*`rsa.time.event_time`*:: +*`rsa.misc.facility`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date +type: keyword -- -*`rsa.time.duration_time`*:: +*`rsa.misc.finterface`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. - -type: double +type: keyword -- -*`rsa.time.event_time_str`*:: +*`rsa.misc.flags`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string - type: keyword -- -*`rsa.time.starttime`*:: +*`rsa.misc.gaddr`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.month`*:: +*`rsa.misc.id3`*:: + -- type: keyword -- -*`rsa.time.day`*:: +*`rsa.misc.im_buddyname`*:: + -- type: keyword -- -*`rsa.time.endtime`*:: +*`rsa.misc.im_croomid`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.timezone`*:: +*`rsa.misc.im_croomtype`*:: + -- -This key is used to capture the timezone of the Event Time - type: keyword -- -*`rsa.time.duration_str`*:: +*`rsa.misc.im_members`*:: + -- -A text string version of the duration - type: keyword -- -*`rsa.time.date`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`rsa.time.year`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`rsa.time.recorded_time`*:: +*`rsa.misc.ipscat`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date +type: keyword -- -*`rsa.time.datetime`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`rsa.time.effective_time`*:: +*`rsa.misc.latitude`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date +type: keyword -- -*`rsa.time.expire_time`*:: +*`rsa.misc.linenum`*:: + -- -This key is the timestamp that explicitly refers to an expiration. - -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`rsa.misc.list_name`*:: + -- -Deprecated, use duration.time - type: keyword -- -*`rsa.time.hour`*:: +*`rsa.misc.load_data`*:: + -- type: keyword -- -*`rsa.time.min`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`rsa.misc.location_mark`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`rsa.misc.log_id`*:: + -- -This key is the Time that the event was queued. - -type: date +type: keyword -- -*`rsa.time.p_time1`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`rsa.time.tzone`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`rsa.time.eventtime`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`rsa.time.gmtdate`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`rsa.time.gmttime`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`rsa.time.p_date`*:: +*`rsa.misc.lport`*:: + -- type: keyword -- -*`rsa.time.p_month`*:: +*`rsa.misc.mbug_data`*:: + -- type: keyword -- -*`rsa.time.p_time`*:: +*`rsa.misc.misc_name`*:: + -- type: keyword -- -*`rsa.time.p_time2`*:: +*`rsa.misc.msg_type`*:: + -- type: keyword -- -*`rsa.time.p_year`*:: +*`rsa.misc.msgid`*:: + -- type: keyword -- -*`rsa.time.expire_time_str`*:: +*`rsa.misc.netsessid`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - type: keyword -- -*`rsa.time.stamp`*:: +*`rsa.misc.num`*:: + -- -Deprecated key defined only in table map. +type: keyword -type: date +-- +*`rsa.misc.number1`*:: ++ -- +type: keyword +-- -*`rsa.misc.action`*:: +*`rsa.misc.number2`*:: + -- type: keyword -- -*`rsa.misc.result`*:: +*`rsa.misc.nwwn`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. - type: keyword -- -*`rsa.misc.severity`*:: +*`rsa.misc.object`*:: + -- -This key is used to capture the severity given the session - type: keyword -- -*`rsa.misc.event_type`*:: +*`rsa.misc.operation`*:: + -- -This key captures the event category type as specified by the event source. - type: keyword -- -*`rsa.misc.reference_id`*:: +*`rsa.misc.opkt`*:: + -- -This key is used to capture an event id from the session directly - type: keyword -- -*`rsa.misc.version`*:: +*`rsa.misc.orig_from`*:: + -- -This key captures Version of the application or OS which is generating the event. - type: keyword -- -*`rsa.misc.disposition`*:: +*`rsa.misc.owner_id`*:: + -- -This key captures the The end state of an action. - type: keyword -- -*`rsa.misc.result_code`*:: +*`rsa.misc.p_action`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session - type: keyword -- -*`rsa.misc.category`*:: +*`rsa.misc.p_filter`*:: + -- -This key is used to capture the category of an event given by the vendor in the session - type: keyword -- -*`rsa.misc.obj_name`*:: +*`rsa.misc.p_group_object`*:: + -- -This is used to capture name of object - type: keyword -- -*`rsa.misc.obj_type`*:: +*`rsa.misc.p_id`*:: + -- -This is used to capture type of object - type: keyword -- -*`rsa.misc.event_source`*:: +*`rsa.misc.p_msgid1`*:: + -- -This key captures Source of the event that’s not a hostname - type: keyword -- -*`rsa.misc.log_session_id`*:: +*`rsa.misc.p_msgid2`*:: + -- -This key is used to capture a sessionid from the session directly +type: keyword +-- + +*`rsa.misc.p_result1`*:: ++ +-- type: keyword -- -*`rsa.misc.group`*:: +*`rsa.misc.password_chg`*:: + -- -This key captures the Group Name value - type: keyword -- -*`rsa.misc.policy_name`*:: +*`rsa.misc.password_expire`*:: + -- -This key is used to capture the Policy Name only. - type: keyword -- -*`rsa.misc.rule_name`*:: +*`rsa.misc.permgranted`*:: + -- -This key captures the Rule Name - type: keyword -- -*`rsa.misc.context`*:: +*`rsa.misc.permwanted`*:: + -- -This key captures Information which adds additional context to the event. - type: keyword -- -*`rsa.misc.change_new`*:: +*`rsa.misc.pgid`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.space`*:: +*`rsa.misc.policyUUID`*:: + -- type: keyword -- -*`rsa.misc.client`*:: +*`rsa.misc.prog_asp_num`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - type: keyword -- -*`rsa.misc.msgIdPart1`*:: +*`rsa.misc.program`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart2`*:: +*`rsa.misc.real_data`*:: + -- type: keyword -- -*`rsa.misc.change_old`*:: +*`rsa.misc.rec_asp_device`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.operation_id`*:: +*`rsa.misc.rec_asp_num`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. - type: keyword -- -*`rsa.misc.event_state`*:: +*`rsa.misc.rec_library`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - type: keyword -- -*`rsa.misc.group_object`*:: +*`rsa.misc.recordnum`*:: + -- -This key captures a collection/grouping of entities. Specific usage - type: keyword -- -*`rsa.misc.node`*:: +*`rsa.misc.ruid`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - type: keyword -- -*`rsa.misc.rule`*:: +*`rsa.misc.sburb`*:: + -- -This key captures the Rule number - type: keyword -- -*`rsa.misc.device_name`*:: +*`rsa.misc.sdomain_fld`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - type: keyword -- -*`rsa.misc.param`*:: +*`rsa.misc.sec`*:: + -- -This key is the parameters passed as part of a command or application, etc. - type: keyword -- -*`rsa.misc.change_attrib`*:: +*`rsa.misc.sensorname`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.event_computer`*:: +*`rsa.misc.seqnum`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - type: keyword -- -*`rsa.misc.reference_id1`*:: +*`rsa.misc.session`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" - type: keyword -- -*`rsa.misc.event_log`*:: +*`rsa.misc.sessiontype`*:: + -- -This key captures the Name of the event log - type: keyword -- -*`rsa.misc.OS`*:: +*`rsa.misc.sigUUID`*:: + -- -This key captures the Name of the Operating System - type: keyword -- -*`rsa.misc.terminal`*:: +*`rsa.misc.spi`*:: + -- -This key captures the Terminal Names only - type: keyword -- -*`rsa.misc.msgIdPart3`*:: +*`rsa.misc.srcburb`*:: + -- type: keyword -- -*`rsa.misc.filter`*:: +*`rsa.misc.srcdom`*:: + -- -This key captures Filter used to reduce result set - type: keyword -- -*`rsa.misc.serial_number`*:: +*`rsa.misc.srcservice`*:: + -- -This key is the Serial number associated with a physical asset. - type: keyword -- -*`rsa.misc.checksum`*:: +*`rsa.misc.state`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.misc.status1`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - type: keyword -- -*`rsa.misc.virusname`*:: +*`rsa.misc.svcno`*:: + -- -This key captures the name of the virus - type: keyword -- -*`rsa.misc.content_type`*:: +*`rsa.misc.system`*:: + -- -This key is used to capture Content Type only. - type: keyword -- -*`rsa.misc.group_id`*:: +*`rsa.misc.tbdstr1`*:: + -- -This key captures Group ID Number (related to the group name) - type: keyword -- -*`rsa.misc.policy_id`*:: +*`rsa.misc.tgtdom`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - type: keyword -- -*`rsa.misc.vsys`*:: +*`rsa.misc.tgtdomain`*:: + -- -This key captures Virtual System Name - type: keyword -- -*`rsa.misc.connection_id`*:: +*`rsa.misc.threshold`*:: + -- -This key captures the Connection ID - type: keyword -- -*`rsa.misc.reference_id2`*:: +*`rsa.misc.type1`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.misc.udb_class`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.misc.url_fld`*:: + -- -This key captures IDS/IPS Int Signature ID - -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.misc.user_div`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.misc.userid`*:: + -- -This key captures the Rule group name - type: keyword -- -*`rsa.misc.risk_num`*:: +*`rsa.misc.username_fld`*:: + -- -This key captures a Numeric Risk value - -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.misc.utcstamp`*:: + -- -This key captures the Value of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.misc.v_instafname`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly - type: keyword -- -*`rsa.misc.comp_version`*:: +*`rsa.misc.virt_data`*:: + -- -This key captures the Version level of a sub-component of a product. - type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.misc.vpnid`*:: + -- -This key captures Version level of a signature or database content. - type: keyword -- -*`rsa.misc.hardware_id`*:: +*`rsa.misc.autorun_type`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) +This is used to capture Auto Run type type: keyword -- -*`rsa.misc.risk`*:: +*`rsa.misc.cc_number`*:: + -- -This key captures the non-numeric risk value +Valid Credit Card Numbers only -type: keyword +type: long -- -*`rsa.misc.event_id`*:: +*`rsa.misc.content`*:: + -- +This key captures the content type from protocol headers + type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.misc.ein_number`*:: + -- -type: keyword +Employee Identification Numbers only + +type: long -- -*`rsa.misc.status`*:: +*`rsa.misc.found`*:: + -- +This is used to capture the results of regex match + type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.misc.language`*:: + -- -This key is used to capture the mailbox id/name +This is used to capture list of languages the client support and what it prefers type: keyword -- -*`rsa.misc.rule_uid`*:: +*`rsa.misc.lifetime`*:: + -- -This key is the Unique Identifier for a rule. +This key is used to capture the session lifetime in seconds. -type: keyword +type: long -- -*`rsa.misc.trigger_desc`*:: +*`rsa.misc.link`*:: + -- -This key captures the Description of the trigger or threshold condition. +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.inout`*:: +*`rsa.misc.match`*:: + -- +This key is for regex match name from search.ini + type: keyword -- -*`rsa.misc.p_msgid`*:: +*`rsa.misc.param_dst`*:: + -- +This key captures the command line/launch argument of the target process or file + type: keyword -- -*`rsa.misc.data_type`*:: +*`rsa.misc.param_src`*:: + -- +This key captures source parameter + type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.misc.search_text`*:: + -- +This key captures the Search Text used + type: keyword -- -*`rsa.misc.error`*:: +*`rsa.misc.sig_name`*:: + -- -This key captures All non successful Error codes or responses +This key is used to capture the Signature Name only. type: keyword -- -*`rsa.misc.index`*:: +*`rsa.misc.snmp_value`*:: + -- +SNMP set request value + type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.misc.streams`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list +This key captures number of streams in session -type: keyword +type: long -- -*`rsa.misc.ntype`*:: + +*`rsa.db.index`*:: + -- +This key captures IndexID of the index. + type: keyword -- -*`rsa.misc.observed_val`*:: +*`rsa.db.instance`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). +This key is used to capture the database server instance name type: keyword -- -*`rsa.misc.policy_value`*:: +*`rsa.db.database`*:: + -- -This key captures the contents of the policy. This contains details about the policy +This key is used to capture the name of a database or an instance as seen in a session type: keyword -- -*`rsa.misc.pool_name`*:: +*`rsa.db.transact_id`*:: + -- -This key captures the name of a resource pool +This key captures the SQL transantion ID of the current session type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.db.permissions`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template +This key captures permission or privilege level assigned to a resource. type: keyword -- -*`rsa.misc.count`*:: +*`rsa.db.table_name`*:: + -- +This key is used to capture the table name + type: keyword -- -*`rsa.misc.number`*:: +*`rsa.db.db_id`*:: + -- +This key is used to capture the unique identifier for a database + type: keyword -- -*`rsa.misc.sigcat`*:: +*`rsa.db.db_pid`*:: + -- -type: keyword +This key captures the process id of a connection with database server + +type: long -- -*`rsa.misc.type`*:: +*`rsa.db.lread`*:: + -- -type: keyword +This key is used for the number of logical reads + +type: long -- -*`rsa.misc.comments`*:: +*`rsa.db.lwrite`*:: + -- -Comment information provided in the log message +This key is used for the number of logical writes -type: keyword +type: long -- -*`rsa.misc.doc_number`*:: +*`rsa.db.pread`*:: + -- -This key captures File Identification number +This key is used for the number of physical writes type: long -- -*`rsa.misc.expected_val`*:: + +*`rsa.network.alias_host`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. type: keyword -- -*`rsa.misc.job_num`*:: +*`rsa.network.domain`*:: + -- -This key captures the Job Number - type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.network.host_dst`*:: + -- -Destination SPI Index +This key should only be used when it’s a Destination Hostname type: keyword -- -*`rsa.misc.spi_src`*:: +*`rsa.network.network_service`*:: + -- -Source SPI Index +This is used to capture layer 7 protocols/service names type: keyword -- -*`rsa.misc.code`*:: +*`rsa.network.interface`*:: + -- +This key should be used when the source or destination context of an interface is not clear + type: keyword -- -*`rsa.misc.agent_id`*:: +*`rsa.network.network_port`*:: + -- -This key is used to capture agent id +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -type: keyword +type: long -- -*`rsa.misc.message_body`*:: +*`rsa.network.eth_host`*:: + -- -This key captures the The contents of the message body. +Deprecated, use alias.mac type: keyword -- -*`rsa.misc.phone`*:: +*`rsa.network.sinterface`*:: + -- +This key should only be used when it’s a Source Interface + type: keyword -- -*`rsa.misc.sig_id_str`*:: +*`rsa.network.dinterface`*:: + -- -This key captures a string object of the sigid variable. +This key should only be used when it’s a Destination Interface type: keyword -- -*`rsa.misc.cmd`*:: +*`rsa.network.vlan`*:: + -- -type: keyword +This key should only be used to capture the ID of the Virtual LAN + +type: long -- -*`rsa.misc.misc`*:: +*`rsa.network.zone_src`*:: + -- +This key should only be used when it’s a Source Zone. + type: keyword -- -*`rsa.misc.name`*:: +*`rsa.network.zone`*:: + -- +This key should be used when the source or destination context of a Zone is not clear + type: keyword -- -*`rsa.misc.cpu`*:: +*`rsa.network.zone_dst`*:: + -- -This key is the CPU time used in the execution of the event being recorded. +This key should only be used when it’s a Destination Zone. -type: long +type: keyword -- -*`rsa.misc.event_desc`*:: +*`rsa.network.gateway`*:: + -- -This key is used to capture a description of an event available directly or inferred +This key is used to capture the IP Address of the gateway type: keyword -- -*`rsa.misc.sig_id1`*:: +*`rsa.network.icmp_type`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id +This key is used to capture the ICMP type only type: long -- -*`rsa.misc.im_buddyid`*:: +*`rsa.network.mask`*:: + -- +This key is used to capture the device network IPmask. + type: keyword -- -*`rsa.misc.im_client`*:: +*`rsa.network.icmp_code`*:: + -- -type: keyword +This key is used to capture the ICMP code only + +type: long -- -*`rsa.misc.im_userid`*:: +*`rsa.network.protocol_detail`*:: + -- +This key should be used to capture additional protocol information + type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.network.dmask`*:: + -- +This key is used for Destionation Device network mask + type: keyword -- -*`rsa.misc.priority`*:: +*`rsa.network.port`*:: + -- -type: keyword +This key should only be used to capture a Network Port when the directionality is not clear + +type: long -- -*`rsa.misc.context_subject`*:: +*`rsa.network.smask`*:: + -- -This key is to be used in an audit context where the subject is the object being identified +This key is used for capturing source Network Mask type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.network.netname`*:: + -- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + type: keyword -- -*`rsa.misc.cve`*:: +*`rsa.network.paddr`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. +Deprecated -type: keyword +type: ip -- -*`rsa.misc.fcatnum`*:: +*`rsa.network.faddr`*:: + -- -This key captures Filter Category Number. Legacy Usage - type: keyword -- -*`rsa.misc.library`*:: +*`rsa.network.lhost`*:: + -- -This key is used to capture library information in mainframe devices - type: keyword -- -*`rsa.misc.parent_node`*:: +*`rsa.network.origin`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. - type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.network.remote_domain_id`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.network.addr`*:: + -- -This key is captures the TCP flags set in any packet of session - -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.network.dns_a_record`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.network.dns_ptr_record`*:: + -- -VMWare Target **VMWARE** only varaible. - type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.network.fhost`*:: + -- -This key captures Workspace Description - type: keyword -- -*`rsa.misc.command`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use host.dst + type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.network.eth_type`*:: + -- -type: keyword +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long -- -*`rsa.misc.policy`*:: +*`rsa.network.ip_proto`*:: + -- -type: keyword +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long -- -*`rsa.misc.policy_waiver`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`rsa.misc.second`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.network.domain1`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.network.host_type`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.network.packet_length`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.network.host_orig`*:: + -- -This key captures the Filter Result +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.network.rpayload`*:: + -- -This key is used to capture destination payload +This key is used to capture the total number of payload bytes seen in the retransmitted packets. type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.network.vlan_name`*:: + -- -This key is used to capture source payload +This key should only be used to capture the name of the Virtual LAN type: keyword -- -*`rsa.misc.pool_id`*:: + +*`rsa.investigations.ec_activity`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool +This key captures the particular event activity(Ex:Logoff) type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.investigations.ec_theme`*:: + -- -This key is a failure key for Process ID when it is not an integer value +This key captures the Theme of a particular Event(Ex:Authentication) type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.investigations.ec_subject`*:: + -- -This key captures Risk Number Community +This key captures the Subject of a particular Event(Ex:User) -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.investigations.ec_outcome`*:: + -- -This key captures Risk Number NextGen +This key captures the outcome of a particular Event(Ex:Success) -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.investigations.event_cat`*:: + -- -This key captures Risk Number SandBox +This key captures the Event category number -type: double +type: long -- -*`rsa.misc.risk_num_static`*:: +*`rsa.investigations.event_cat_name`*:: + -- -This key captures Risk Number Static +This key captures the event category name corresponding to the event cat code -type: double +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`rsa.investigations.event_vcat`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.investigations.analysis_file`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.investigations.analysis_service`*:: + -- -SNMP Object Identifier +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.investigations.analysis_session`*:: + -- -This key captures the SQL query +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.investigations.boc`*:: + -- -This key captures the Vulnerability Reference details +This is used to capture behaviour of compromise type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.investigations.eoc`*:: + -- +This is used to capture Enablers of Compromise + type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.investigations.inv_category`*:: + -- +This used to capture investigation category + type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context + type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.investigations.ioc`*:: + -- +This is key capture indicator of compromise + type: keyword -- -*`rsa.misc.admin`*:: + +*`rsa.counters.dclass_c1`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long -- -*`rsa.misc.alarm_id`*:: +*`rsa.counters.dclass_c2`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long -- -*`rsa.misc.alarmname`*:: +*`rsa.counters.event_counter`*:: + -- -type: keyword +This is used to capture the number of times an event repeated + +type: long -- -*`rsa.misc.app_id`*:: +*`rsa.counters.dclass_r1`*:: + -- +This is a generic ratio key that should be used with the label dclass.r1.str only + type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.counters.dclass_c3`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long -- -*`rsa.misc.audit_object`*:: +*`rsa.counters.dclass_c1_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c1 only + type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.counters.dclass_c2_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c2 only + type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.counters.dclass_r1_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r1 only + type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.counters.dclass_r2`*:: + -- +This is a generic ratio key that should be used with the label dclass.r2.str only + type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.counters.dclass_c3_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c3 only + type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.counters.dclass_r3`*:: + -- +This is a generic ratio key that should be used with the label dclass.r3.str only + type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.counters.dclass_r2_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r2 only + type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.counters.dclass_r3_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r3 only + type: keyword -- -*`rsa.misc.cfg_obj`*:: + +*`rsa.identity.auth_method`*:: + -- +This key is used to capture authentication methods used only + type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.identity.user_role`*:: + -- +This key is used to capture the Role of a user only + type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.identity.dn`*:: + -- +X.500 (LDAP) Distinguished Name + type: keyword -- -*`rsa.misc.client_ip`*:: +*`rsa.identity.logon_type`*:: + -- +This key is used to capture the type of logon method used. + type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.identity.profile`*:: + -- +This key is used to capture the user profile + type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.identity.accesses`*:: + -- +This key is used to capture actual privileges used in accessing an object + type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.identity.realm`*:: + -- +Radius realm or similar grouping of accounts + type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.identity.user_sid_dst`*:: + -- +This key captures Destination User Session ID + type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.identity.dn_src`*:: + -- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.identity.org`*:: + -- +This key captures the User organization + type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.identity.dn_dst`*:: + -- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.identity.lastname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.identity.user_dept`*:: + -- +User's Department Names only + type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.identity.user_sid_src`*:: + -- +This key captures Source User Session ID + type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.identity.federated_sp`*:: + -- +This key is the Federated Service Provider. This is the application requesting authentication. + type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.identity.federated_idp`*:: + -- +This key is the federated Identity Provider. This is the server providing the authentication. + type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.identity.logon_type_desc`*:: + -- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.identity.middlename`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.identity.password`*:: + -- +This key is for Passwords seen in any session, plain text or encrypted + type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.identity.host_role`*:: + -- +This key should only be used to capture the role of a Host Machine + type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.identity.ldap`*:: + -- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.identity.ldap_query`*:: + -- +This key is the Search criteria from an LDAP search + type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.identity.ldap_response`*:: + -- +This key is to capture Results from an LDAP search + type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.identity.owner`*:: + -- +This is used to capture username the process or service is running as, the author of the task + type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.identity.service_account`*:: + -- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + type: keyword -- -*`rsa.misc.cn_max_ttl`*:: + +*`rsa.email.email_dst`*:: + -- +This key is used to capture the Destination email address only, when the destination context is not clear use email + type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.email.email_src`*:: + -- +This key is used to capture the source email address only, when the source context is not clear use email + type: keyword -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.email.subject`*:: + -- +This key is used to capture the subject string from an Email only. + type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.email.email`*:: + -- +This key is used to capture a generic email address where the source or destination context is not clear + type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.email.trans_from`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.email.trans_to`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: + +*`rsa.file.privilege`*:: + -- +Deprecated, use permissions + type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.file.attachment`*:: + -- +This key captures the attachment file name + type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.file.binary`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.file.filename_dst`*:: + -- +This is used to capture name of the file targeted by the action + type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.file.filename_src`*:: + -- +This is used to capture name of the parent filename, the file which performed the action + type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.file.filename_tmp`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.file.directory_dst`*:: + -- +This key is used to capture the directory of the target process or file + type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.file.directory_src`*:: + -- +This key is used to capture the directory of the source process or file + type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.file.file_entropy`*:: + -- -type: keyword +This is used to capture entropy vale of a file + +type: double -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.file.file_vendor`*:: + -- +This is used to capture Company name of file located in version_info + type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.file.task_name`*:: + -- +This is used to capture name of the task + type: keyword -- -*`rsa.misc.cn_muligmptype`*:: + +*`rsa.web.fqdn`*:: + -- +Fully Qualified Domain Names + type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.web.web_cookie`*:: + -- +This key is used to capture the Web cookies specifically. + type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.web.reputation_num`*:: + -- -type: keyword +Reputation Number of an entity. Typically used for Web Domains + +type: double -- -*`rsa.misc.cn_spackets`*:: +*`rsa.web.web_ref_domain`*:: + -- +Web referer's domain + type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.web.web_ref_query`*:: + -- +This key captures Web referer's query portion of the URL + type: keyword -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.web.remote_domain`*:: + -- type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.web.web_ref_page`*:: + -- +This key captures Web referer's page information + type: keyword -- -*`rsa.misc.cn_template_id`*:: +*`rsa.web.web_ref_root`*:: + -- +Web referer's root URL path + type: keyword -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.web.web_page`*:: + -- type: keyword -- -*`rsa.misc.criticality`*:: + +*`rsa.threat.threat_category`*:: + -- +This key captures Threat Name/Threat Category/Categorization of alert + type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.threat.threat_desc`*:: + -- +This key is used to capture the threat description from the session directly or inferred + type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.threat.alert`*:: + -- +This key is used to capture name of the alert + type: keyword -- -*`rsa.misc.cs_av_other`*:: +*`rsa.threat.threat_source`*:: + -- +This key is used to capture source of the threat + type: keyword -- -*`rsa.misc.cs_av_primary`*:: + +*`rsa.crypto.crypto`*:: + -- +This key is used to capture the Encryption Type or Encryption Key only + type: keyword -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.crypto.cipher_src`*:: + -- +This key is for Source (Client) Cipher + type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.crypto.cert_subject`*:: + -- +This key is used to capture the Certificate organization only + type: keyword -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.crypto.peer`*:: + -- +This key is for Encryption peer's IP Address + type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -type: keyword +This key captures Source (Client) Cipher Size + +type: long -- -*`rsa.misc.cs_control`*:: +*`rsa.crypto.ike`*:: + -- +IKE negotiation phase. + type: keyword -- -*`rsa.misc.cs_data`*:: +*`rsa.crypto.scheme`*:: + -- +This key captures the Encryption scheme used + type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.crypto.peer_id`*:: + -- +This key is for Encryption peer’s identity + type: keyword -- -*`rsa.misc.cs_dst_tld`*:: +*`rsa.crypto.sig_type`*:: + -- +This key captures the Signature Type + type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.crypto.cert_issuer`*:: + -- type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.crypto.cert_host_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`rsa.crypto.cert_error`*:: + -- +This key captures the Certificate Error String + type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`rsa.crypto.cipher_dst`*:: + -- +This key is for Destination (Server) Cipher + type: keyword -- -*`rsa.misc.cs_fld`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -type: keyword +This key captures Destination (Server) Cipher Size + +type: long -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.crypto.ike_cookie1`*:: + -- +ID of the negotiation — sent for ISAKMP Phase One + type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.crypto.ike_cookie2`*:: + -- +ID of the negotiation — sent for ISAKMP Phase Two + type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.crypto.cert_host_cat`*:: + -- +This key is used for the hostname category value of a certificate + type: keyword -- -*`rsa.misc.cs_loginname`*:: +*`rsa.crypto.cert_serial`*:: + -- +This key is used to capture the Certificate serial number only + type: keyword -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.crypto.cert_status`*:: + -- +This key captures Certificate validation status + type: keyword -- -*`rsa.misc.cs_modulesign`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.cs_opswatresult`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`rsa.misc.cs_payload`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`rsa.misc.cs_represult`*:: +*`rsa.crypto.cert_ca`*:: + -- +This key is used to capture the Certificate signing authority only + type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.crypto.cert_common`*:: + -- +This key is used to capture the Certificate common name only + type: keyword -- -*`rsa.misc.cs_sampler_name`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- +This key is used to capture the ssid of a Wireless Session + type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.wireless.access_point`*:: + -- +This key is used to capture the access point name. + type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.wireless.wlan_channel`*:: + -- -type: keyword +This is used to capture the channel names + +type: long -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.wireless.wlan_name`*:: + -- +This key captures either WLAN number/name + type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: + +*`rsa.storage.disk_volume`*:: + -- +A unique name assigned to logical units (volumes) within a physical disk + type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.storage.lun`*:: + -- +Logical Unit Number.This key is a very useful concept in Storage. + type: keyword -- -*`rsa.misc.cs_yararesult`*:: +*`rsa.storage.pwwn`*:: + -- +This uniquely identifies a port on a HBA. + type: keyword -- -*`rsa.misc.description`*:: + +*`rsa.physical.org_dst`*:: + -- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + type: keyword -- -*`rsa.misc.devvendor`*:: +*`rsa.physical.org_src`*:: + -- +This is used to capture the source organization based on the GEOPIP Maxmind database. + type: keyword -- -*`rsa.misc.distance`*:: + +*`rsa.healthcare.patient_fname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.dstburb`*:: +*`rsa.healthcare.patient_id`*:: + -- +This key captures the unique ID for a patient + type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.healthcare.patient_lname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.edomaub`*:: +*`rsa.healthcare.patient_mname`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.euid`*:: + +*`rsa.endpoint.host_state`*:: + -- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.endpoint.registry_key`*:: + -- +This key captures the path to the registry key + type: keyword -- -*`rsa.misc.finterface`*:: +*`rsa.endpoint.registry_value`*:: + -- +This key captures values or decorators used within a registry entry + type: keyword -- -*`rsa.misc.flags`*:: +[[exported-fields-sophos]] +== sophos fields + +sophos Module + + + +*`network.interface.name`*:: + -- +Name of the network interface where the traffic has been observed. + + type: keyword -- -*`rsa.misc.gaddr`*:: + + +*`rsa.internal.msg`*:: + -- +This key is used to capture the raw message that comes into the Log Decoder + type: keyword -- -*`rsa.misc.id3`*:: +*`rsa.internal.messageid`*:: + -- type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.internal.event_desc`*:: + -- type: keyword -- -*`rsa.misc.im_croomid`*:: +*`rsa.internal.message`*:: + -- +This key captures the contents of instant messages + type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.internal.time`*:: + -- -type: keyword +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date -- -*`rsa.misc.im_members`*:: +*`rsa.internal.level`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.misc.im_username`*:: +*`rsa.internal.msg_id`*:: + -- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.internal.msg_vid`*:: + -- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.ipscat`*:: +*`rsa.internal.data`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.ipspri`*:: +*`rsa.internal.obj_server`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.latitude`*:: +*`rsa.internal.obj_val`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.internal.resource`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.internal.obj_id`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.load_data`*:: +*`rsa.internal.statement`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.internal.audit_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.location_mark`*:: +*`rsa.internal.entry`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.log_id`*:: +*`rsa.internal.hcode`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.internal.inode`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.misc.logid`*:: +*`rsa.internal.resource_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.logip`*:: +*`rsa.internal.dead`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.misc.logname`*:: +*`rsa.internal.feed_desc`*:: + -- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.longitude`*:: +*`rsa.internal.feed_name`*:: + -- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.internal.cid`*:: + -- +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.mbug_data`*:: +*`rsa.internal.device_class`*:: + -- +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.internal.device_group`*:: + -- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.msg_type`*:: +*`rsa.internal.device_host`*:: + -- +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.internal.device_ip`*:: + -- -type: keyword +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`rsa.misc.netsessid`*:: +*`rsa.internal.device_ipv6`*:: + -- -type: keyword +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`rsa.misc.num`*:: +*`rsa.internal.device_type`*:: + -- +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.internal.device_type_id`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.misc.number2`*:: +*`rsa.internal.did`*:: + -- +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.nwwn`*:: +*`rsa.internal.entropy_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`rsa.misc.object`*:: +*`rsa.internal.entropy_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + +type: long -- -*`rsa.misc.operation`*:: +*`rsa.internal.event_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.internal.feed_category`*:: + -- +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.orig_from`*:: +*`rsa.internal.forward_ip`*:: + -- -type: keyword +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip -- -*`rsa.misc.owner_id`*:: +*`rsa.internal.forward_ipv6`*:: + -- -type: keyword +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`rsa.misc.p_action`*:: +*`rsa.internal.header_id`*:: + -- +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.p_filter`*:: +*`rsa.internal.lc_cid`*:: + -- +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.p_group_object`*:: +*`rsa.internal.lc_ctime`*:: + -- -type: keyword +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date -- -*`rsa.misc.p_id`*:: +*`rsa.internal.mcb_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`rsa.misc.p_msgid1`*:: +*`rsa.internal.mcb_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + +type: long -- -*`rsa.misc.p_msgid2`*:: +*`rsa.internal.mcbc_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long -- -*`rsa.misc.p_result1`*:: +*`rsa.internal.mcbc_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + +type: long -- -*`rsa.misc.password_chg`*:: +*`rsa.internal.medium`*:: + -- -type: keyword +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + +type: long -- -*`rsa.misc.password_expire`*:: +*`rsa.internal.node_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.internal.nwe_callback_id`*:: + -- +This key denotes that event is endpoint related + type: keyword -- -*`rsa.misc.permwanted`*:: +*`rsa.internal.parse_error`*:: + -- +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.pgid`*:: +*`rsa.internal.payload_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`rsa.misc.policyUUID`*:: +*`rsa.internal.payload_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + +type: long -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.internal.process_vid_dst`*:: + -- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + type: keyword -- -*`rsa.misc.program`*:: +*`rsa.internal.process_vid_src`*:: + -- +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + type: keyword -- -*`rsa.misc.real_data`*:: +*`rsa.internal.rid`*:: + -- -type: keyword +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`rsa.misc.rec_asp_device`*:: +*`rsa.internal.session_split`*:: + -- +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.internal.site`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.rec_library`*:: +*`rsa.internal.size`*:: + -- -type: keyword +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: long -- -*`rsa.misc.recordnum`*:: +*`rsa.internal.sourcefile`*:: + -- +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.ruid`*:: +*`rsa.internal.ubc_req`*:: + -- -type: keyword +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long -- -*`rsa.misc.sburb`*:: +*`rsa.internal.ubc_res`*:: + -- -type: keyword +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + +type: long -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.internal.word`*:: + -- +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + type: keyword -- -*`rsa.misc.sec`*:: + +*`rsa.time.event_time`*:: + -- -type: keyword +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date -- -*`rsa.misc.sensorname`*:: +*`rsa.time.duration_time`*:: + -- -type: keyword +This key is used to capture the normalized duration/lifetime in seconds. + +type: double -- -*`rsa.misc.seqnum`*:: +*`rsa.time.event_time_str`*:: + -- +This key is used to capture the incomplete time mentioned in a session as a string + type: keyword -- -*`rsa.misc.session`*:: +*`rsa.time.starttime`*:: + -- -type: keyword +This key is used to capture the Start time mentioned in a session in a standard form + +type: date -- -*`rsa.misc.sessiontype`*:: +*`rsa.time.month`*:: + -- type: keyword -- -*`rsa.misc.sigUUID`*:: +*`rsa.time.day`*:: + -- type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.time.endtime`*:: + -- -type: keyword +This key is used to capture the End time mentioned in a session in a standard form + +type: date -- -*`rsa.misc.srcburb`*:: +*`rsa.time.timezone`*:: + -- +This key is used to capture the timezone of the Event Time + type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.time.duration_str`*:: + -- +A text string version of the duration + type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.time.date`*:: + -- type: keyword -- -*`rsa.misc.state`*:: +*`rsa.time.year`*:: + -- type: keyword -- -*`rsa.misc.status1`*:: +*`rsa.time.recorded_time`*:: + -- -type: keyword +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date -- -*`rsa.misc.svcno`*:: +*`rsa.time.datetime`*:: + -- type: keyword -- -*`rsa.misc.system`*:: +*`rsa.time.effective_time`*:: + -- -type: keyword +This key is the effective time referenced by an individual event in a Standard Timestamp format + +type: date -- -*`rsa.misc.tbdstr1`*:: +*`rsa.time.expire_time`*:: + -- -type: keyword +This key is the timestamp that explicitly refers to an expiration. + +type: date -- -*`rsa.misc.tgtdom`*:: +*`rsa.time.process_time`*:: + -- +Deprecated, use duration.time + type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.time.hour`*:: + -- type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.time.min`*:: + -- type: keyword -- -*`rsa.misc.type1`*:: +*`rsa.time.timestamp`*:: + -- type: keyword -- -*`rsa.misc.udb_class`*:: +*`rsa.time.event_queue_time`*:: + -- -type: keyword +This key is the Time that the event was queued. + +type: date -- -*`rsa.misc.url_fld`*:: +*`rsa.time.p_time1`*:: + -- type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.time.tzone`*:: + -- type: keyword -- -*`rsa.misc.userid`*:: +*`rsa.time.eventtime`*:: + -- type: keyword -- -*`rsa.misc.username_fld`*:: +*`rsa.time.gmtdate`*:: + -- type: keyword -- -*`rsa.misc.utcstamp`*:: +*`rsa.time.gmttime`*:: + -- type: keyword -- -*`rsa.misc.v_instafname`*:: +*`rsa.time.p_date`*:: + -- type: keyword -- -*`rsa.misc.virt_data`*:: +*`rsa.time.p_month`*:: + -- type: keyword -- -*`rsa.misc.vpnid`*:: +*`rsa.time.p_time`*:: + -- type: keyword -- -*`rsa.misc.autorun_type`*:: +*`rsa.time.p_time2`*:: + -- -This is used to capture Auto Run type - type: keyword -- -*`rsa.misc.cc_number`*:: +*`rsa.time.p_year`*:: + -- -Valid Credit Card Numbers only - -type: long +type: keyword -- -*`rsa.misc.content`*:: +*`rsa.time.expire_time_str`*:: + -- -This key captures the content type from protocol headers +This key is used to capture incomplete timestamp that explicitly refers to an expiration. type: keyword -- -*`rsa.misc.ein_number`*:: +*`rsa.time.stamp`*:: + -- -Employee Identification Numbers only +Deprecated key defined only in table map. -type: long +type: date -- -*`rsa.misc.found`*:: + +*`rsa.misc.action`*:: + -- -This is used to capture the results of regex match - type: keyword -- -*`rsa.misc.language`*:: +*`rsa.misc.result`*:: + -- -This is used to capture list of languages the client support and what it prefers +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`rsa.misc.lifetime`*:: +*`rsa.misc.severity`*:: + -- -This key is used to capture the session lifetime in seconds. +This key is used to capture the severity given the session -type: long +type: keyword -- -*`rsa.misc.link`*:: +*`rsa.misc.event_type`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the event category type as specified by the event source. type: keyword -- -*`rsa.misc.match`*:: +*`rsa.misc.reference_id`*:: + -- -This key is for regex match name from search.ini +This key is used to capture an event id from the session directly type: keyword -- -*`rsa.misc.param_dst`*:: +*`rsa.misc.version`*:: + -- -This key captures the command line/launch argument of the target process or file +This key captures Version of the application or OS which is generating the event. type: keyword -- -*`rsa.misc.param_src`*:: +*`rsa.misc.disposition`*:: + -- -This key captures source parameter +This key captures the The end state of an action. type: keyword -- -*`rsa.misc.search_text`*:: +*`rsa.misc.result_code`*:: + -- -This key captures the Search Text used +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`rsa.misc.sig_name`*:: +*`rsa.misc.category`*:: + -- -This key is used to capture the Signature Name only. +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`rsa.misc.snmp_value`*:: +*`rsa.misc.obj_name`*:: + -- -SNMP set request value +This is used to capture name of object type: keyword -- -*`rsa.misc.streams`*:: +*`rsa.misc.obj_type`*:: + -- -This key captures number of streams in session +This is used to capture type of object -type: long +type: keyword -- - -*`rsa.db.index`*:: +*`rsa.misc.event_source`*:: + -- -This key captures IndexID of the index. +This key captures Source of the event that’s not a hostname type: keyword -- -*`rsa.db.instance`*:: +*`rsa.misc.log_session_id`*:: + -- -This key is used to capture the database server instance name +This key is used to capture a sessionid from the session directly type: keyword -- -*`rsa.db.database`*:: +*`rsa.misc.group`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session +This key captures the Group Name value type: keyword -- -*`rsa.db.transact_id`*:: +*`rsa.misc.policy_name`*:: + -- -This key captures the SQL transantion ID of the current session +This key is used to capture the Policy Name only. type: keyword -- -*`rsa.db.permissions`*:: +*`rsa.misc.rule_name`*:: + -- -This key captures permission or privilege level assigned to a resource. +This key captures the Rule Name type: keyword -- -*`rsa.db.table_name`*:: +*`rsa.misc.context`*:: + -- -This key is used to capture the table name +This key captures Information which adds additional context to the event. type: keyword -- -*`rsa.db.db_id`*:: +*`rsa.misc.change_new`*:: + -- -This key is used to capture the unique identifier for a database +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- -*`rsa.db.db_pid`*:: +*`rsa.misc.space`*:: + -- -This key captures the process id of a connection with database server - -type: long +type: keyword -- -*`rsa.db.lread`*:: +*`rsa.misc.client`*:: + -- -This key is used for the number of logical reads +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. -type: long +type: keyword -- -*`rsa.db.lwrite`*:: +*`rsa.misc.msgIdPart1`*:: + -- -This key is used for the number of logical writes - -type: long +type: keyword -- -*`rsa.db.pread`*:: +*`rsa.misc.msgIdPart2`*:: + -- -This key is used for the number of physical writes - -type: long +type: keyword -- - -*`rsa.network.alias_host`*:: +*`rsa.misc.change_old`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. +This key is used to capture the old value of the attribute that’s changing in a session type: keyword -- -*`rsa.network.domain`*:: +*`rsa.misc.operation_id`*:: + -- +An alert number or operation number. The values should be unique and non-repeating. + type: keyword -- -*`rsa.network.host_dst`*:: +*`rsa.misc.event_state`*:: + -- -This key should only be used when it’s a Destination Hostname +This key captures the current state of the object/item referenced within the event. Describing an on-going event. type: keyword -- -*`rsa.network.network_service`*:: +*`rsa.misc.group_object`*:: + -- -This is used to capture layer 7 protocols/service names +This key captures a collection/grouping of entities. Specific usage type: keyword -- -*`rsa.network.interface`*:: +*`rsa.misc.node`*:: + -- -This key should be used when the source or destination context of an interface is not clear +Common use case is the node name within a cluster. The cluster name is reflected by the host name. type: keyword -- -*`rsa.network.network_port`*:: +*`rsa.misc.rule`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) +This key captures the Rule number -type: long +type: keyword -- -*`rsa.network.eth_host`*:: +*`rsa.misc.device_name`*:: + -- -Deprecated, use alias.mac +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`rsa.network.sinterface`*:: +*`rsa.misc.param`*:: + -- -This key should only be used when it’s a Source Interface +This key is the parameters passed as part of a command or application, etc. type: keyword -- -*`rsa.network.dinterface`*:: +*`rsa.misc.change_attrib`*:: + -- -This key should only be used when it’s a Destination Interface +This key is used to capture the name of the attribute that’s changing in a session type: keyword -- -*`rsa.network.vlan`*:: +*`rsa.misc.event_computer`*:: + -- -This key should only be used to capture the ID of the Virtual LAN +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. -type: long +type: keyword -- -*`rsa.network.zone_src`*:: +*`rsa.misc.reference_id1`*:: + -- -This key should only be used when it’s a Source Zone. +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- -*`rsa.network.zone`*:: +*`rsa.misc.event_log`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +This key captures the Name of the event log type: keyword -- -*`rsa.network.zone_dst`*:: +*`rsa.misc.OS`*:: + -- -This key should only be used when it’s a Destination Zone. +This key captures the Name of the Operating System type: keyword -- -*`rsa.network.gateway`*:: +*`rsa.misc.terminal`*:: + -- -This key is used to capture the IP Address of the gateway +This key captures the Terminal Names only type: keyword -- -*`rsa.network.icmp_type`*:: +*`rsa.misc.msgIdPart3`*:: + -- -This key is used to capture the ICMP type only - -type: long +type: keyword -- -*`rsa.network.mask`*:: +*`rsa.misc.filter`*:: + -- -This key is used to capture the device network IPmask. +This key captures Filter used to reduce result set type: keyword -- -*`rsa.network.icmp_code`*:: +*`rsa.misc.serial_number`*:: + -- -This key is used to capture the ICMP code only +This key is the Serial number associated with a physical asset. -type: long +type: keyword -- -*`rsa.network.protocol_detail`*:: +*`rsa.misc.checksum`*:: + -- -This key should be used to capture additional protocol information +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. type: keyword -- -*`rsa.network.dmask`*:: +*`rsa.misc.event_user`*:: + -- -This key is used for Destionation Device network mask +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. type: keyword -- -*`rsa.network.port`*:: +*`rsa.misc.virusname`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear +This key captures the name of the virus -type: long +type: keyword -- -*`rsa.network.smask`*:: +*`rsa.misc.content_type`*:: + -- -This key is used for capturing source Network Mask +This key is used to capture Content Type only. type: keyword -- -*`rsa.network.netname`*:: +*`rsa.misc.group_id`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. +This key captures Group ID Number (related to the group name) type: keyword -- -*`rsa.network.paddr`*:: +*`rsa.misc.policy_id`*:: + -- -Deprecated +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise -type: ip +type: keyword -- -*`rsa.network.faddr`*:: +*`rsa.misc.vsys`*:: + -- +This key captures Virtual System Name + type: keyword -- -*`rsa.network.lhost`*:: +*`rsa.misc.connection_id`*:: + -- +This key captures the Connection ID + type: keyword -- -*`rsa.network.origin`*:: +*`rsa.misc.reference_id2`*:: + -- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + type: keyword -- -*`rsa.network.remote_domain_id`*:: +*`rsa.misc.sensor`*:: + -- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + type: keyword -- -*`rsa.network.addr`*:: +*`rsa.misc.sig_id`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID + +type: long -- -*`rsa.network.dns_a_record`*:: +*`rsa.misc.port_name`*:: + -- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + type: keyword -- -*`rsa.network.dns_ptr_record`*:: +*`rsa.misc.rule_group`*:: + -- +This key captures the Rule group name + type: keyword -- -*`rsa.network.fhost`*:: +*`rsa.misc.risk_num`*:: + -- -type: keyword +This key captures a Numeric Risk value + +type: double -- -*`rsa.network.fport`*:: +*`rsa.misc.trigger_val`*:: + -- +This key captures the Value of the trigger or threshold condition. + type: keyword -- -*`rsa.network.laddr`*:: +*`rsa.misc.log_session_id1`*:: + -- +This key is used to capture a Linked (Related) Session ID from the session directly + type: keyword -- -*`rsa.network.linterface`*:: +*`rsa.misc.comp_version`*:: + -- +This key captures the Version level of a sub-component of a product. + type: keyword -- -*`rsa.network.phost`*:: +*`rsa.misc.content_version`*:: + -- +This key captures Version level of a signature or database content. + type: keyword -- -*`rsa.network.ad_computer_dst`*:: +*`rsa.misc.hardware_id`*:: + -- -Deprecated, use host.dst +This key is used to capture unique identifier for a device or system (NOT a Mac address) type: keyword -- -*`rsa.network.eth_type`*:: +*`rsa.misc.risk`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only +This key captures the non-numeric risk value -type: long +type: keyword -- -*`rsa.network.ip_proto`*:: +*`rsa.misc.event_id`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - -type: long +type: keyword -- -*`rsa.network.dns_cname_record`*:: +*`rsa.misc.reason`*:: + -- type: keyword -- -*`rsa.network.dns_id`*:: +*`rsa.misc.status`*:: + -- type: keyword -- -*`rsa.network.dns_opcode`*:: +*`rsa.misc.mail_id`*:: + -- +This key is used to capture the mailbox id/name + type: keyword -- -*`rsa.network.dns_resp`*:: +*`rsa.misc.rule_uid`*:: + -- +This key is the Unique Identifier for a rule. + type: keyword -- -*`rsa.network.dns_type`*:: +*`rsa.misc.trigger_desc`*:: + -- +This key captures the Description of the trigger or threshold condition. + type: keyword -- -*`rsa.network.domain1`*:: +*`rsa.misc.inout`*:: + -- type: keyword -- -*`rsa.network.host_type`*:: +*`rsa.misc.p_msgid`*:: + -- type: keyword -- -*`rsa.network.packet_length`*:: +*`rsa.misc.data_type`*:: + -- type: keyword -- -*`rsa.network.host_orig`*:: +*`rsa.misc.msgIdPart4`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - type: keyword -- -*`rsa.network.rpayload`*:: +*`rsa.misc.error`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. +This key captures All non successful Error codes or responses type: keyword -- -*`rsa.network.vlan_name`*:: +*`rsa.misc.index`*:: + -- -This key should only be used to capture the name of the Virtual LAN - type: keyword -- - -*`rsa.investigations.ec_activity`*:: +*`rsa.misc.listnum`*:: + -- -This key captures the particular event activity(Ex:Logoff) +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -- -*`rsa.investigations.ec_theme`*:: +*`rsa.misc.ntype`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) - type: keyword -- -*`rsa.investigations.ec_subject`*:: +*`rsa.misc.observed_val`*:: + -- -This key captures the Subject of a particular Event(Ex:User) +This key captures the Value observed (from the perspective of the device generating the log). type: keyword -- -*`rsa.investigations.ec_outcome`*:: +*`rsa.misc.policy_value`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) +This key captures the contents of the policy. This contains details about the policy type: keyword -- -*`rsa.investigations.event_cat`*:: +*`rsa.misc.pool_name`*:: + -- -This key captures the Event category number +This key captures the name of a resource pool -type: long +type: keyword -- -*`rsa.investigations.event_cat_name`*:: +*`rsa.misc.rule_template`*:: + -- -This key captures the event category name corresponding to the event cat code +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template type: keyword -- -*`rsa.investigations.event_vcat`*:: +*`rsa.misc.count`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - type: keyword -- -*`rsa.investigations.analysis_file`*:: +*`rsa.misc.number`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - type: keyword -- -*`rsa.investigations.analysis_service`*:: +*`rsa.misc.sigcat`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - type: keyword -- -*`rsa.investigations.analysis_session`*:: +*`rsa.misc.type`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - type: keyword -- -*`rsa.investigations.boc`*:: +*`rsa.misc.comments`*:: + -- -This is used to capture behaviour of compromise +Comment information provided in the log message type: keyword -- -*`rsa.investigations.eoc`*:: +*`rsa.misc.doc_number`*:: + -- -This is used to capture Enablers of Compromise +This key captures File Identification number -type: keyword +type: long -- -*`rsa.investigations.inv_category`*:: +*`rsa.misc.expected_val`*:: + -- -This used to capture investigation category +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -- -*`rsa.investigations.inv_context`*:: +*`rsa.misc.job_num`*:: + -- -This used to capture investigation context +This key captures the Job Number type: keyword -- -*`rsa.investigations.ioc`*:: +*`rsa.misc.spi_dst`*:: + -- -This is key capture indicator of compromise +Destination SPI Index type: keyword -- - -*`rsa.counters.dclass_c1`*:: +*`rsa.misc.spi_src`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only +Source SPI Index -type: long +type: keyword -- -*`rsa.counters.dclass_c2`*:: +*`rsa.misc.code`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only - -type: long +type: keyword -- -*`rsa.counters.event_counter`*:: +*`rsa.misc.agent_id`*:: + -- -This is used to capture the number of times an event repeated +This key is used to capture agent id -type: long +type: keyword -- -*`rsa.counters.dclass_r1`*:: +*`rsa.misc.message_body`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +This key captures the The contents of the message body. type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`rsa.misc.phone`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only - -type: long +type: keyword -- -*`rsa.counters.dclass_c1_str`*:: +*`rsa.misc.sig_id_str`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +This key captures a string object of the sigid variable. type: keyword -- -*`rsa.counters.dclass_c2_str`*:: +*`rsa.misc.cmd`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only - type: keyword -- -*`rsa.counters.dclass_r1_str`*:: +*`rsa.misc.misc`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only - type: keyword -- -*`rsa.counters.dclass_r2`*:: +*`rsa.misc.name`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only - type: keyword -- -*`rsa.counters.dclass_c3_str`*:: +*`rsa.misc.cpu`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +This key is the CPU time used in the execution of the event being recorded. -type: keyword +type: long -- -*`rsa.counters.dclass_r3`*:: +*`rsa.misc.event_desc`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only +This key is used to capture a description of an event available directly or inferred type: keyword -- -*`rsa.counters.dclass_r2_str`*:: +*`rsa.misc.sig_id1`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id -type: keyword +type: long -- -*`rsa.counters.dclass_r3_str`*:: +*`rsa.misc.im_buddyid`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only - type: keyword -- - -*`rsa.identity.auth_method`*:: +*`rsa.misc.im_client`*:: + -- -This key is used to capture authentication methods used only - type: keyword -- -*`rsa.identity.user_role`*:: +*`rsa.misc.im_userid`*:: + -- -This key is used to capture the Role of a user only - type: keyword -- -*`rsa.identity.dn`*:: +*`rsa.misc.pid`*:: + -- -X.500 (LDAP) Distinguished Name - type: keyword -- -*`rsa.identity.logon_type`*:: +*`rsa.misc.priority`*:: + -- -This key is used to capture the type of logon method used. - type: keyword -- -*`rsa.identity.profile`*:: +*`rsa.misc.context_subject`*:: + -- -This key is used to capture the user profile +This key is to be used in an audit context where the subject is the object being identified type: keyword -- -*`rsa.identity.accesses`*:: +*`rsa.misc.context_target`*:: + -- -This key is used to capture actual privileges used in accessing an object - type: keyword -- -*`rsa.identity.realm`*:: +*`rsa.misc.cve`*:: + -- -Radius realm or similar grouping of accounts +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. type: keyword -- -*`rsa.identity.user_sid_dst`*:: +*`rsa.misc.fcatnum`*:: + -- -This key captures Destination User Session ID +This key captures Filter Category Number. Legacy Usage type: keyword -- -*`rsa.identity.dn_src`*:: +*`rsa.misc.library`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn +This key is used to capture library information in mainframe devices type: keyword -- -*`rsa.identity.org`*:: +*`rsa.misc.parent_node`*:: + -- -This key captures the User organization +This key captures the Parent Node Name. Must be related to node variable. type: keyword -- -*`rsa.identity.dn_dst`*:: +*`rsa.misc.risk_info`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.identity.firstname`*:: +*`rsa.misc.tcp_flags`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +This key is captures the TCP flags set in any packet of session -type: keyword +type: long -- -*`rsa.identity.lastname`*:: +*`rsa.misc.tos`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +This key describes the type of service -type: keyword +type: long -- -*`rsa.identity.user_dept`*:: +*`rsa.misc.vm_target`*:: + -- -User's Department Names only +VMWare Target **VMWARE** only varaible. type: keyword -- -*`rsa.identity.user_sid_src`*:: +*`rsa.misc.workspace`*:: + -- -This key captures Source User Session ID +This key captures Workspace Description type: keyword -- -*`rsa.identity.federated_sp`*:: +*`rsa.misc.command`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. - type: keyword -- -*`rsa.identity.federated_idp`*:: +*`rsa.misc.event_category`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. - type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`rsa.misc.facilityname`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - type: keyword -- -*`rsa.identity.middlename`*:: +*`rsa.misc.forensic_info`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.password`*:: +*`rsa.misc.jobname`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted - type: keyword -- -*`rsa.identity.host_role`*:: +*`rsa.misc.mode`*:: + -- -This key should only be used to capture the role of a Host Machine - type: keyword -- -*`rsa.identity.ldap`*:: +*`rsa.misc.policy`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - type: keyword -- -*`rsa.identity.ldap_query`*:: +*`rsa.misc.policy_waiver`*:: + -- -This key is the Search criteria from an LDAP search - type: keyword -- -*`rsa.identity.ldap_response`*:: +*`rsa.misc.second`*:: + -- -This key is to capture Results from an LDAP search - type: keyword -- -*`rsa.identity.owner`*:: +*`rsa.misc.space1`*:: + -- -This is used to capture username the process or service is running as, the author of the task - type: keyword -- -*`rsa.identity.service_account`*:: +*`rsa.misc.subcategory`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - type: keyword -- - -*`rsa.email.email_dst`*:: +*`rsa.misc.tbdstr2`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email - type: keyword -- -*`rsa.email.email_src`*:: +*`rsa.misc.alert_id`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.email.subject`*:: +*`rsa.misc.checksum_dst`*:: + -- -This key is used to capture the subject string from an Email only. +This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -- -*`rsa.email.email`*:: +*`rsa.misc.checksum_src`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`rsa.email.trans_from`*:: +*`rsa.misc.fresult`*:: + -- -Deprecated key defined only in table map. +This key captures the Filter Result -type: keyword +type: long -- -*`rsa.email.trans_to`*:: +*`rsa.misc.payload_dst`*:: + -- -Deprecated key defined only in table map. +This key is used to capture destination payload type: keyword -- - -*`rsa.file.privilege`*:: +*`rsa.misc.payload_src`*:: + -- -Deprecated, use permissions +This key is used to capture source payload type: keyword -- -*`rsa.file.attachment`*:: +*`rsa.misc.pool_id`*:: + -- -This key captures the attachment file name +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`rsa.file.filesystem`*:: +*`rsa.misc.process_id_val`*:: + -- +This key is a failure key for Process ID when it is not an integer value + type: keyword -- -*`rsa.file.binary`*:: +*`rsa.misc.risk_num_comm`*:: + -- -Deprecated key defined only in table map. +This key captures Risk Number Community -type: keyword +type: double -- -*`rsa.file.filename_dst`*:: +*`rsa.misc.risk_num_next`*:: + -- -This is used to capture name of the file targeted by the action +This key captures Risk Number NextGen -type: keyword +type: double -- -*`rsa.file.filename_src`*:: +*`rsa.misc.risk_num_sand`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +This key captures Risk Number SandBox -type: keyword +type: double -- -*`rsa.file.filename_tmp`*:: +*`rsa.misc.risk_num_static`*:: + -- -type: keyword +This key captures Risk Number Static + +type: double -- -*`rsa.file.directory_dst`*:: +*`rsa.misc.risk_suspicious`*:: + -- -This key is used to capture the directory of the target process or file +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.file.directory_src`*:: +*`rsa.misc.risk_warning`*:: + -- -This key is used to capture the directory of the source process or file +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.file.file_entropy`*:: +*`rsa.misc.snmp_oid`*:: + -- -This is used to capture entropy vale of a file +SNMP Object Identifier -type: double +type: keyword -- -*`rsa.file.file_vendor`*:: +*`rsa.misc.sql`*:: + -- -This is used to capture Company name of file located in version_info +This key captures the SQL query type: keyword -- -*`rsa.file.task_name`*:: +*`rsa.misc.vuln_ref`*:: + -- -This is used to capture name of the task +This key captures the Vulnerability Reference details type: keyword -- - -*`rsa.web.fqdn`*:: +*`rsa.misc.acl_id`*:: + -- -Fully Qualified Domain Names - type: keyword -- -*`rsa.web.web_cookie`*:: +*`rsa.misc.acl_op`*:: + -- -This key is used to capture the Web cookies specifically. - type: keyword -- -*`rsa.web.alias_host`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`rsa.web.reputation_num`*:: +*`rsa.misc.acl_table`*:: + -- -Reputation Number of an entity. Typically used for Web Domains - -type: double +type: keyword -- -*`rsa.web.web_ref_domain`*:: +*`rsa.misc.admin`*:: + -- -Web referer's domain - type: keyword -- -*`rsa.web.web_ref_query`*:: +*`rsa.misc.alarm_id`*:: + -- -This key captures Web referer's query portion of the URL - type: keyword -- -*`rsa.web.remote_domain`*:: +*`rsa.misc.alarmname`*:: + -- type: keyword -- -*`rsa.web.web_ref_page`*:: +*`rsa.misc.app_id`*:: + -- -This key captures Web referer's page information - type: keyword -- -*`rsa.web.web_ref_root`*:: +*`rsa.misc.audit`*:: + -- -Web referer's root URL path - type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`rsa.web.urlpage`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`rsa.web.urlroot`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`rsa.web.p_url`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`rsa.web.p_user_agent`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- -*`rsa.web.p_web_cookie`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- -*`rsa.web.p_web_method`*:: +*`rsa.misc.cfg_attr`*:: + -- type: keyword -- -*`rsa.web.p_web_referer`*:: +*`rsa.misc.cfg_obj`*:: + -- type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`rsa.misc.cfg_path`*:: + -- type: keyword -- -*`rsa.web.web_page`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- - -*`rsa.threat.threat_category`*:: +*`rsa.misc.client_ip`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert - type: keyword -- -*`rsa.threat.threat_desc`*:: +*`rsa.misc.clustermembers`*:: + -- -This key is used to capture the threat description from the session directly or inferred - type: keyword -- -*`rsa.threat.alert`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -This key is used to capture name of the alert - type: keyword -- -*`rsa.threat.threat_source`*:: +*`rsa.misc.cn_asn_src`*:: + -- -This key is used to capture source of the threat - type: keyword -- - -*`rsa.crypto.crypto`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only - type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -This key is for Source (Client) Cipher - type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -This key is used to capture the Certificate organization only - type: keyword -- -*`rsa.crypto.peer`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -This key is for Encryption peer's IP Address - type: keyword -- -*`rsa.crypto.cipher_size_src`*:: +*`rsa.misc.cn_engine_id`*:: + -- -This key captures Source (Client) Cipher Size - -type: long +type: keyword -- -*`rsa.crypto.ike`*:: +*`rsa.misc.cn_engine_type`*:: + -- -IKE negotiation phase. - type: keyword -- -*`rsa.crypto.scheme`*:: +*`rsa.misc.cn_f_switch`*:: + -- -This key captures the Encryption scheme used - type: keyword -- -*`rsa.crypto.peer_id`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -This key is for Encryption peer’s identity - type: keyword -- -*`rsa.crypto.sig_type`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -This key captures the Signature Type - type: keyword -- -*`rsa.crypto.cert_issuer`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- type: keyword -- -*`rsa.crypto.cert_host_name`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.crypto.cert_error`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -This key captures the Certificate Error String - type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -This key is for Destination (Server) Cipher - type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`rsa.misc.cn_invalid`*:: + -- -This key captures Destination (Server) Cipher Size - -type: long +type: keyword -- -*`rsa.crypto.ssl_ver_src`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -Deprecated, use version - type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- type: keyword -- -*`rsa.crypto.s_certauth`*:: +*`rsa.misc.cn_l_switch`*:: + -- type: keyword -- -*`rsa.crypto.ike_cookie1`*:: +*`rsa.misc.cn_log_did`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One - type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`rsa.misc.cn_log_rid`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two - type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`rsa.misc.cn_max_ttl`*:: + -- type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -This key is used for the hostname category value of a certificate - type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -This key is used to capture the Certificate serial number only - type: keyword -- -*`rsa.crypto.cert_status`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -This key captures Certificate validation status - type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -Deprecated, use version - type: keyword -- -*`rsa.crypto.cert_keysize`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- type: keyword -- -*`rsa.crypto.cert_username`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- type: keyword -- -*`rsa.crypto.https_insact`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`rsa.crypto.https_valid`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -This key is used to capture the Certificate signing authority only - type: keyword -- -*`rsa.crypto.cert_common`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- -This key is used to capture the Certificate common name only - type: keyword -- - -*`rsa.wireless.wlan_ssid`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -This key is used to capture the ssid of a Wireless Session - type: keyword -- -*`rsa.wireless.access_point`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -This key is used to capture the access point name. - type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -This is used to capture the channel names - -type: long +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -This key captures either WLAN number/name - type: keyword -- - -*`rsa.storage.disk_volume`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk - type: keyword -- -*`rsa.storage.lun`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. - type: keyword -- -*`rsa.storage.pwwn`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -This uniquely identifies a port on a HBA. - type: keyword -- - -*`rsa.physical.org_dst`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - type: keyword -- -*`rsa.physical.org_src`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. - type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`rsa.misc.cn_sampint`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.healthcare.patient_id`*:: +*`rsa.misc.cn_seqctr`*:: + -- -This key captures the unique ID for a patient - type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`rsa.misc.cn_spackets`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.healthcare.patient_mname`*:: +*`rsa.misc.cn_src_tos`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`rsa.misc.cn_sysuptime`*:: + -- -This key captures the path to the registry key - type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`rsa.misc.cn_template_id`*:: + -- -This key captures values or decorators used within a registry entry - type: keyword -- -[[exported-fields-redis]] -== Redis fields - -Redis Module - - - -[float] -=== redis - - - - -[float] -=== log - -Redis log files - - - -*`redis.log.role`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`. - - type: keyword -- -*`redis.log.pid`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -type: alias - -alias to: process.pid +type: keyword -- -*`redis.log.level`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- -type: alias - -alias to: log.level +type: keyword -- -*`redis.log.message`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -type: alias - -alias to: message +type: keyword -- -[float] -=== slowlog - -Slow logs are retrieved from Redis via a network connection. - - - -*`redis.slowlog.cmd`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -The command executed. - - type: keyword -- -*`redis.slowlog.duration.us`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -How long it took to execute the command in microseconds. - - -type: long +type: keyword -- -*`redis.slowlog.id`*:: +*`rsa.misc.comp_class`*:: + -- -The ID of the query. - - -type: long +type: keyword -- -*`redis.slowlog.key`*:: +*`rsa.misc.comp_name`*:: + -- -The key on which the command was executed. - - type: keyword -- -*`redis.slowlog.args`*:: +*`rsa.misc.comp_rbytes`*:: + -- -The arguments with which the command was called. - - type: keyword -- -[[exported-fields-s3]] -== s3 fields - -S3 fields from s3 input. - - - -*`bucket_name`*:: +*`rsa.misc.comp_sbytes`*:: + -- -Name of the S3 bucket that this log retrieved from. - - type: keyword -- -*`object_key`*:: +*`rsa.misc.cpu_data`*:: + -- -Name of the S3 object that this log retrieved from. - - type: keyword -- -[[exported-fields-santa]] -== Google Santa fields - -Santa Module - - - -[float] -=== santa - - - - -*`santa.action`*:: +*`rsa.misc.criticality`*:: + -- -Action - type: keyword -example: EXEC - -- -*`santa.decision`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -Decision that santad took. - type: keyword -example: ALLOW - -- -*`santa.reason`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -Reason for the decsision. - type: keyword -example: CERT - -- -*`santa.mode`*:: +*`rsa.misc.cs_av_other`*:: + -- -Operating mode of Santa. - type: keyword -example: M - -- -[float] -=== disk - -Fields for DISKAPPEAR actions. - - -*`santa.disk.volume`*:: +*`rsa.misc.cs_av_primary`*:: + -- -The volume name. +type: keyword -- -*`santa.disk.bus`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -The disk bus protocol. +type: keyword -- -*`santa.disk.serial`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -The disk serial number. +type: keyword -- -*`santa.disk.bsdname`*:: +*`rsa.misc.cs_bit9status`*:: + -- -The disk BSD name. - -example: disk1s3 +type: keyword -- -*`santa.disk.model`*:: +*`rsa.misc.cs_context`*:: + -- -The disk model. - -example: APPLE SSD SM0512L +type: keyword -- -*`santa.disk.fs`*:: +*`rsa.misc.cs_control`*:: + -- -The disk volume kind (filesystem type). - -example: apfs +type: keyword -- -*`santa.disk.mount`*:: +*`rsa.misc.cs_data`*:: + -- -The disk volume path. +type: keyword -- -*`santa.certificate.common_name`*:: +*`rsa.misc.cs_datecret`*:: + -- -Common name from code signing certificate. - type: keyword -- -*`santa.certificate.sha256`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -SHA256 hash of code signing certificate. - type: keyword -- -[[exported-fields-sonicwall]] -== Sonicwall-FW fields - -sonicwall fields. - - - -*`network.interface.name`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -Name of the network interface where the traffic has been observed. - - type: keyword -- - - -*`rsa.internal.msg`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder - type: keyword -- -*`rsa.internal.messageid`*:: +*`rsa.misc.cs_event_uuid`*:: + -- type: keyword -- -*`rsa.internal.event_desc`*:: +*`rsa.misc.cs_filetype`*:: + -- type: keyword -- -*`rsa.internal.message`*:: +*`rsa.misc.cs_fld`*:: + -- -This key captures the contents of instant messages - type: keyword -- -*`rsa.internal.time`*:: +*`rsa.misc.cs_if_desc`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date +type: keyword -- -*`rsa.internal.level`*:: +*`rsa.misc.cs_if_name`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.msg_id`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.msg_vid`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.data`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_server`*:: +*`rsa.misc.cs_lifetime`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_val`*:: +*`rsa.misc.cs_log_medium`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.resource`*:: +*`rsa.misc.cs_loginname`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_id`*:: +*`rsa.misc.cs_modulescore`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.statement`*:: +*`rsa.misc.cs_modulesign`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.audit_class`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.entry`*:: +*`rsa.misc.cs_payload`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.hcode`*:: +*`rsa.misc.cs_registrant`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.inode`*:: +*`rsa.misc.cs_registrar`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.resource_class`*:: +*`rsa.misc.cs_represult`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.dead`*:: +*`rsa.misc.cs_rpayload`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.feed_desc`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.feed_name`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.cid`*:: +*`rsa.misc.cs_streams`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_class`*:: +*`rsa.misc.cs_targetmodule`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_group`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_host`*:: +*`rsa.misc.cs_whois_server`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_ip`*:: +*`rsa.misc.cs_yararesult`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`rsa.misc.description`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_type`*:: +*`rsa.misc.devvendor`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_type_id`*:: +*`rsa.misc.distance`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.did`*:: +*`rsa.misc.dstburb`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.entropy_req`*:: +*`rsa.misc.edomain`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long +type: keyword -- -*`rsa.internal.entropy_res`*:: +*`rsa.misc.edomaub`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration - -type: long +type: keyword -- -*`rsa.internal.event_name`*:: +*`rsa.misc.euid`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.feed_category`*:: +*`rsa.misc.facility`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.forward_ip`*:: +*`rsa.misc.finterface`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`rsa.misc.flags`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.header_id`*:: +*`rsa.misc.gaddr`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_cid`*:: +*`rsa.misc.id3`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_ctime`*:: +*`rsa.misc.im_buddyname`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`rsa.misc.im_croomid`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`rsa.misc.im_croomtype`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcbc_req`*:: +*`rsa.misc.im_members`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.mcbc_res`*:: +*`rsa.misc.im_username`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.medium`*:: +*`rsa.misc.ipkt`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long +type: keyword -- -*`rsa.internal.node_name`*:: +*`rsa.misc.ipscat`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`rsa.misc.ipspri`*:: + -- -This key denotes that event is endpoint related - type: keyword -- -*`rsa.internal.parse_error`*:: +*`rsa.misc.latitude`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.payload_req`*:: +*`rsa.misc.linenum`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.payload_res`*:: +*`rsa.misc.list_name`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: +*`rsa.misc.load_data`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`rsa.misc.location_floor`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - type: keyword -- -*`rsa.internal.rid`*:: +*`rsa.misc.location_mark`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.session_split`*:: +*`rsa.misc.log_id`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.site`*:: +*`rsa.misc.log_type`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.size`*:: +*`rsa.misc.logid`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.sourcefile`*:: +*`rsa.misc.logip`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.ubc_req`*:: +*`rsa.misc.logname`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`rsa.misc.longitude`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.word`*:: +*`rsa.misc.lport`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - type: keyword -- - -*`rsa.time.event_time`*:: +*`rsa.misc.mbug_data`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date +type: keyword -- -*`rsa.time.duration_time`*:: +*`rsa.misc.misc_name`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. - -type: double +type: keyword -- -*`rsa.time.event_time_str`*:: +*`rsa.misc.msg_type`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string - type: keyword -- -*`rsa.time.starttime`*:: +*`rsa.misc.msgid`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.month`*:: +*`rsa.misc.netsessid`*:: + -- type: keyword -- -*`rsa.time.day`*:: +*`rsa.misc.num`*:: + -- type: keyword -- -*`rsa.time.endtime`*:: +*`rsa.misc.number1`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.timezone`*:: +*`rsa.misc.number2`*:: + -- -This key is used to capture the timezone of the Event Time - type: keyword -- -*`rsa.time.duration_str`*:: +*`rsa.misc.nwwn`*:: + -- -A text string version of the duration - type: keyword -- -*`rsa.time.date`*:: +*`rsa.misc.object`*:: + -- type: keyword -- -*`rsa.time.year`*:: +*`rsa.misc.operation`*:: + -- type: keyword -- -*`rsa.time.recorded_time`*:: +*`rsa.misc.opkt`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date +type: keyword -- -*`rsa.time.datetime`*:: +*`rsa.misc.orig_from`*:: + -- type: keyword -- -*`rsa.time.effective_time`*:: +*`rsa.misc.owner_id`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date +type: keyword -- -*`rsa.time.expire_time`*:: +*`rsa.misc.p_action`*:: + -- -This key is the timestamp that explicitly refers to an expiration. - -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`rsa.misc.p_filter`*:: + -- -Deprecated, use duration.time - type: keyword -- -*`rsa.time.hour`*:: +*`rsa.misc.p_group_object`*:: + -- type: keyword -- -*`rsa.time.min`*:: +*`rsa.misc.p_id`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`rsa.misc.p_msgid1`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`rsa.misc.p_msgid2`*:: + -- -This key is the Time that the event was queued. - -type: date +type: keyword -- -*`rsa.time.p_time1`*:: +*`rsa.misc.p_result1`*:: + -- type: keyword -- -*`rsa.time.tzone`*:: +*`rsa.misc.password_chg`*:: + -- type: keyword -- -*`rsa.time.eventtime`*:: +*`rsa.misc.password_expire`*:: + -- type: keyword -- -*`rsa.time.gmtdate`*:: +*`rsa.misc.permgranted`*:: + -- type: keyword -- -*`rsa.time.gmttime`*:: +*`rsa.misc.permwanted`*:: + -- type: keyword -- -*`rsa.time.p_date`*:: +*`rsa.misc.pgid`*:: + -- type: keyword -- -*`rsa.time.p_month`*:: +*`rsa.misc.policyUUID`*:: + -- type: keyword -- -*`rsa.time.p_time`*:: +*`rsa.misc.prog_asp_num`*:: + -- type: keyword -- -*`rsa.time.p_time2`*:: +*`rsa.misc.program`*:: + -- type: keyword -- -*`rsa.time.p_year`*:: +*`rsa.misc.real_data`*:: + -- type: keyword -- -*`rsa.time.expire_time_str`*:: +*`rsa.misc.rec_asp_device`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - type: keyword -- -*`rsa.time.stamp`*:: +*`rsa.misc.rec_asp_num`*:: + -- -Deprecated key defined only in table map. +type: keyword -type: date +-- +*`rsa.misc.rec_library`*:: ++ -- +type: keyword +-- -*`rsa.misc.action`*:: +*`rsa.misc.recordnum`*:: + -- type: keyword -- -*`rsa.misc.result`*:: +*`rsa.misc.ruid`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. - type: keyword -- -*`rsa.misc.severity`*:: +*`rsa.misc.sburb`*:: + -- -This key is used to capture the severity given the session - type: keyword -- -*`rsa.misc.event_type`*:: +*`rsa.misc.sdomain_fld`*:: + -- -This key captures the event category type as specified by the event source. - type: keyword -- -*`rsa.misc.reference_id`*:: +*`rsa.misc.sec`*:: + -- -This key is used to capture an event id from the session directly - type: keyword -- -*`rsa.misc.version`*:: +*`rsa.misc.sensorname`*:: + -- -This key captures Version of the application or OS which is generating the event. - type: keyword -- -*`rsa.misc.disposition`*:: +*`rsa.misc.seqnum`*:: + -- -This key captures the The end state of an action. - type: keyword -- -*`rsa.misc.result_code`*:: +*`rsa.misc.session`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session - type: keyword -- -*`rsa.misc.category`*:: +*`rsa.misc.sessiontype`*:: + -- -This key is used to capture the category of an event given by the vendor in the session - type: keyword -- -*`rsa.misc.obj_name`*:: +*`rsa.misc.sigUUID`*:: + -- -This is used to capture name of object - type: keyword -- -*`rsa.misc.obj_type`*:: +*`rsa.misc.spi`*:: + -- -This is used to capture type of object - type: keyword -- -*`rsa.misc.event_source`*:: +*`rsa.misc.srcburb`*:: + -- -This key captures Source of the event that’s not a hostname - type: keyword -- -*`rsa.misc.log_session_id`*:: +*`rsa.misc.srcdom`*:: + -- -This key is used to capture a sessionid from the session directly - type: keyword -- -*`rsa.misc.group`*:: +*`rsa.misc.srcservice`*:: + -- -This key captures the Group Name value - type: keyword -- -*`rsa.misc.policy_name`*:: +*`rsa.misc.state`*:: + -- -This key is used to capture the Policy Name only. - type: keyword -- -*`rsa.misc.rule_name`*:: +*`rsa.misc.status1`*:: + -- -This key captures the Rule Name - type: keyword -- -*`rsa.misc.context`*:: +*`rsa.misc.svcno`*:: + -- -This key captures Information which adds additional context to the event. - type: keyword -- -*`rsa.misc.change_new`*:: +*`rsa.misc.system`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.space`*:: +*`rsa.misc.tbdstr1`*:: + -- type: keyword -- -*`rsa.misc.client`*:: +*`rsa.misc.tgtdom`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - type: keyword -- -*`rsa.misc.msgIdPart1`*:: +*`rsa.misc.tgtdomain`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart2`*:: +*`rsa.misc.threshold`*:: + -- type: keyword -- -*`rsa.misc.change_old`*:: +*`rsa.misc.type1`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.operation_id`*:: +*`rsa.misc.udb_class`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. - type: keyword -- -*`rsa.misc.event_state`*:: +*`rsa.misc.url_fld`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - type: keyword -- -*`rsa.misc.group_object`*:: +*`rsa.misc.user_div`*:: + -- -This key captures a collection/grouping of entities. Specific usage - type: keyword -- -*`rsa.misc.node`*:: +*`rsa.misc.userid`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - type: keyword -- -*`rsa.misc.rule`*:: +*`rsa.misc.username_fld`*:: + -- -This key captures the Rule number - type: keyword -- -*`rsa.misc.device_name`*:: +*`rsa.misc.utcstamp`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - type: keyword -- -*`rsa.misc.param`*:: +*`rsa.misc.v_instafname`*:: + -- -This key is the parameters passed as part of a command or application, etc. - type: keyword -- -*`rsa.misc.change_attrib`*:: +*`rsa.misc.virt_data`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.event_computer`*:: +*`rsa.misc.vpnid`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - type: keyword -- -*`rsa.misc.reference_id1`*:: +*`rsa.misc.autorun_type`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" +This is used to capture Auto Run type type: keyword -- -*`rsa.misc.event_log`*:: +*`rsa.misc.cc_number`*:: + -- -This key captures the Name of the event log +Valid Credit Card Numbers only -type: keyword +type: long -- -*`rsa.misc.OS`*:: +*`rsa.misc.content`*:: + -- -This key captures the Name of the Operating System +This key captures the content type from protocol headers type: keyword -- -*`rsa.misc.terminal`*:: +*`rsa.misc.ein_number`*:: + -- -This key captures the Terminal Names only +Employee Identification Numbers only -type: keyword +type: long -- -*`rsa.misc.msgIdPart3`*:: +*`rsa.misc.found`*:: + -- +This is used to capture the results of regex match + type: keyword -- -*`rsa.misc.filter`*:: +*`rsa.misc.language`*:: + -- -This key captures Filter used to reduce result set +This is used to capture list of languages the client support and what it prefers type: keyword -- -*`rsa.misc.serial_number`*:: +*`rsa.misc.lifetime`*:: + -- -This key is the Serial number associated with a physical asset. +This key is used to capture the session lifetime in seconds. -type: keyword +type: long -- -*`rsa.misc.checksum`*:: +*`rsa.misc.link`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.misc.match`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. +This key is for regex match name from search.ini type: keyword -- -*`rsa.misc.virusname`*:: +*`rsa.misc.param_dst`*:: + -- -This key captures the name of the virus +This key captures the command line/launch argument of the target process or file type: keyword -- -*`rsa.misc.content_type`*:: +*`rsa.misc.param_src`*:: + -- -This key is used to capture Content Type only. +This key captures source parameter type: keyword -- -*`rsa.misc.group_id`*:: +*`rsa.misc.search_text`*:: + -- -This key captures Group ID Number (related to the group name) +This key captures the Search Text used type: keyword -- -*`rsa.misc.policy_id`*:: +*`rsa.misc.sig_name`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise +This key is used to capture the Signature Name only. type: keyword -- -*`rsa.misc.vsys`*:: +*`rsa.misc.snmp_value`*:: + -- -This key captures Virtual System Name +SNMP set request value type: keyword -- -*`rsa.misc.connection_id`*:: +*`rsa.misc.streams`*:: + -- -This key captures the Connection ID +This key captures number of streams in session -type: keyword +type: long -- -*`rsa.misc.reference_id2`*:: + +*`rsa.db.index`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. +This key captures IndexID of the index. type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.db.instance`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices +This key is used to capture the database server instance name type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.db.database`*:: + -- -This key captures IDS/IPS Int Signature ID +This key is used to capture the name of a database or an instance as seen in a session -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.db.transact_id`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). +This key captures the SQL transantion ID of the current session type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.db.permissions`*:: + -- -This key captures the Rule group name +This key captures permission or privilege level assigned to a resource. type: keyword -- -*`rsa.misc.risk_num`*:: +*`rsa.db.table_name`*:: + -- -This key captures a Numeric Risk value +This key is used to capture the table name -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.db.db_id`*:: + -- -This key captures the Value of the trigger or threshold condition. +This key is used to capture the unique identifier for a database type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.db.db_pid`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly +This key captures the process id of a connection with database server -type: keyword +type: long -- -*`rsa.misc.comp_version`*:: +*`rsa.db.lread`*:: + -- -This key captures the Version level of a sub-component of a product. +This key is used for the number of logical reads -type: keyword +type: long -- -*`rsa.misc.content_version`*:: +*`rsa.db.lwrite`*:: + -- -This key captures Version level of a signature or database content. +This key is used for the number of logical writes -type: keyword +type: long -- -*`rsa.misc.hardware_id`*:: +*`rsa.db.pread`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) +This key is used for the number of physical writes -type: keyword +type: long -- -*`rsa.misc.risk`*:: + +*`rsa.network.alias_host`*:: + -- -This key captures the non-numeric risk value +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.network.host_dst`*:: + -- +This key should only be used when it’s a Destination Hostname + type: keyword -- -*`rsa.misc.status`*:: +*`rsa.network.network_service`*:: + -- +This is used to capture layer 7 protocols/service names + type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.network.interface`*:: + -- -This key is used to capture the mailbox id/name +This key should be used when the source or destination context of an interface is not clear type: keyword -- -*`rsa.misc.rule_uid`*:: +*`rsa.network.network_port`*:: + -- -This key is the Unique Identifier for a rule. +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) -type: keyword +type: long -- -*`rsa.misc.trigger_desc`*:: +*`rsa.network.eth_host`*:: + -- -This key captures the Description of the trigger or threshold condition. +Deprecated, use alias.mac type: keyword -- -*`rsa.misc.inout`*:: +*`rsa.network.sinterface`*:: + -- +This key should only be used when it’s a Source Interface + type: keyword -- -*`rsa.misc.p_msgid`*:: +*`rsa.network.dinterface`*:: + -- +This key should only be used when it’s a Destination Interface + type: keyword -- -*`rsa.misc.data_type`*:: +*`rsa.network.vlan`*:: + -- -type: keyword +This key should only be used to capture the ID of the Virtual LAN + +type: long -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.network.zone_src`*:: + -- +This key should only be used when it’s a Source Zone. + type: keyword -- -*`rsa.misc.error`*:: +*`rsa.network.zone`*:: + -- -This key captures All non successful Error codes or responses +This key should be used when the source or destination context of a Zone is not clear type: keyword -- -*`rsa.misc.index`*:: +*`rsa.network.zone_dst`*:: + -- +This key should only be used when it’s a Destination Zone. + type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.network.gateway`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list +This key is used to capture the IP Address of the gateway type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.network.icmp_type`*:: + -- -type: keyword +This key is used to capture the ICMP type only + +type: long -- -*`rsa.misc.observed_val`*:: +*`rsa.network.mask`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). +This key is used to capture the device network IPmask. type: keyword -- -*`rsa.misc.policy_value`*:: +*`rsa.network.icmp_code`*:: + -- -This key captures the contents of the policy. This contains details about the policy +This key is used to capture the ICMP code only -type: keyword +type: long -- -*`rsa.misc.pool_name`*:: +*`rsa.network.protocol_detail`*:: + -- -This key captures the name of a resource pool +This key should be used to capture additional protocol information type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.network.dmask`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template +This key is used for Destionation Device network mask type: keyword -- -*`rsa.misc.count`*:: +*`rsa.network.port`*:: + -- -type: keyword +This key should only be used to capture a Network Port when the directionality is not clear + +type: long -- -*`rsa.misc.number`*:: +*`rsa.network.smask`*:: + -- +This key is used for capturing source Network Mask + type: keyword -- -*`rsa.misc.sigcat`*:: +*`rsa.network.netname`*:: + -- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + type: keyword -- -*`rsa.misc.type`*:: +*`rsa.network.paddr`*:: + -- -type: keyword +Deprecated + +type: ip -- -*`rsa.misc.comments`*:: +*`rsa.network.faddr`*:: + -- -Comment information provided in the log message - type: keyword -- -*`rsa.misc.doc_number`*:: +*`rsa.network.lhost`*:: + -- -This key captures File Identification number - -type: long +type: keyword -- -*`rsa.misc.expected_val`*:: +*`rsa.network.origin`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.job_num`*:: +*`rsa.network.remote_domain_id`*:: + -- -This key captures the Job Number - type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.network.addr`*:: + -- -Destination SPI Index - type: keyword -- -*`rsa.misc.spi_src`*:: +*`rsa.network.dns_a_record`*:: + -- -Source SPI Index - type: keyword -- -*`rsa.misc.code`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`rsa.misc.agent_id`*:: +*`rsa.network.fhost`*:: + -- -This key is used to capture agent id - type: keyword -- -*`rsa.misc.message_body`*:: +*`rsa.network.fport`*:: + -- -This key captures the The contents of the message body. - type: keyword -- -*`rsa.misc.phone`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.misc.sig_id_str`*:: +*`rsa.network.linterface`*:: + -- -This key captures a string object of the sigid variable. - type: keyword -- -*`rsa.misc.cmd`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use host.dst + type: keyword -- -*`rsa.misc.name`*:: +*`rsa.network.eth_type`*:: + -- -type: keyword +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long -- -*`rsa.misc.cpu`*:: +*`rsa.network.ip_proto`*:: + -- -This key is the CPU time used in the execution of the event being recorded. +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI type: long -- -*`rsa.misc.event_desc`*:: +*`rsa.network.dns_cname_record`*:: + -- -This key is used to capture a description of an event available directly or inferred - type: keyword -- -*`rsa.misc.sig_id1`*:: +*`rsa.network.dns_id`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id +type: keyword -type: long +-- +*`rsa.network.dns_opcode`*:: ++ -- +type: keyword -*`rsa.misc.im_buddyid`*:: +-- + +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`rsa.misc.im_client`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`rsa.misc.im_userid`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`rsa.misc.priority`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`rsa.misc.context_subject`*:: +*`rsa.network.host_orig`*:: + -- -This key is to be used in an audit context where the subject is the object being identified +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.network.rpayload`*:: + -- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + type: keyword -- -*`rsa.misc.cve`*:: +*`rsa.network.vlan_name`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. +This key should only be used to capture the name of the Virtual LAN type: keyword -- -*`rsa.misc.fcatnum`*:: + +*`rsa.investigations.ec_activity`*:: + -- -This key captures Filter Category Number. Legacy Usage +This key captures the particular event activity(Ex:Logoff) type: keyword -- -*`rsa.misc.library`*:: +*`rsa.investigations.ec_theme`*:: + -- -This key is used to capture library information in mainframe devices +This key captures the Theme of a particular Event(Ex:Authentication) type: keyword -- -*`rsa.misc.parent_node`*:: +*`rsa.investigations.ec_subject`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. +This key captures the Subject of a particular Event(Ex:User) type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.investigations.ec_outcome`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key captures the outcome of a particular Event(Ex:Success) type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.investigations.event_cat`*:: + -- -This key is captures the TCP flags set in any packet of session +This key captures the Event category number type: long -- -*`rsa.misc.tos`*:: +*`rsa.investigations.event_cat_name`*:: + -- -This key describes the type of service +This key captures the event category name corresponding to the event cat code -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.investigations.event_vcat`*:: + -- -VMWare Target **VMWARE** only varaible. +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.investigations.analysis_file`*:: + -- -This key captures Workspace Description +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file type: keyword -- -*`rsa.misc.command`*:: +*`rsa.investigations.analysis_service`*:: + -- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.investigations.analysis_session`*:: + -- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.investigations.boc`*:: + -- +This is used to capture behaviour of compromise + type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.investigations.eoc`*:: + -- +This is used to capture Enablers of Compromise + type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.investigations.inv_category`*:: + -- +This used to capture investigation category + type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context + type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.investigations.ioc`*:: + -- +This is key capture indicator of compromise + type: keyword -- -*`rsa.misc.policy_waiver`*:: + +*`rsa.counters.dclass_c1`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long -- -*`rsa.misc.second`*:: +*`rsa.counters.dclass_c2`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long -- -*`rsa.misc.space1`*:: +*`rsa.counters.event_counter`*:: + -- -type: keyword +This is used to capture the number of times an event repeated + +type: long -- -*`rsa.misc.subcategory`*:: +*`rsa.counters.dclass_r1`*:: + -- +This is a generic ratio key that should be used with the label dclass.r1.str only + type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.counters.dclass_c3`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long -- -*`rsa.misc.alert_id`*:: +*`rsa.counters.dclass_c1_str`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This is a generic counter string key that should be used with the label dclass.c1 only type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.counters.dclass_c2_str`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. +This is a generic counter string key that should be used with the label dclass.c2 only type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.counters.dclass_r1_str`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. +This is a generic ratio string key that should be used with the label dclass.r1 only type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.counters.dclass_r2`*:: + -- -This key captures the Filter Result +This is a generic ratio key that should be used with the label dclass.r2.str only -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.counters.dclass_c3_str`*:: + -- -This key is used to capture destination payload +This is a generic counter string key that should be used with the label dclass.c3 only type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.counters.dclass_r3`*:: + -- -This key is used to capture source payload +This is a generic ratio key that should be used with the label dclass.r3.str only type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.counters.dclass_r2_str`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool +This is a generic ratio string key that should be used with the label dclass.r2 only type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.counters.dclass_r3_str`*:: + -- -This key is a failure key for Process ID when it is not an integer value +This is a generic ratio string key that should be used with the label dclass.r3 only type: keyword -- -*`rsa.misc.risk_num_comm`*:: + +*`rsa.identity.auth_method`*:: + -- -This key captures Risk Number Community +This key is used to capture authentication methods used only -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.identity.user_role`*:: + -- -This key captures Risk Number NextGen +This key is used to capture the Role of a user only -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.identity.dn`*:: + -- -This key captures Risk Number SandBox +X.500 (LDAP) Distinguished Name -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.identity.logon_type`*:: + -- -This key captures Risk Number Static +This key is used to capture the type of logon method used. -type: double +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`rsa.identity.profile`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key is used to capture the user profile type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.identity.accesses`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) +This key is used to capture actual privileges used in accessing an object type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.identity.realm`*:: + -- -SNMP Object Identifier +Radius realm or similar grouping of accounts type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.identity.user_sid_dst`*:: + -- -This key captures the SQL query +This key captures Destination User Session ID type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.identity.dn_src`*:: + -- -This key captures the Vulnerability Reference details +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.identity.org`*:: + -- +This key captures the User organization + type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.identity.dn_dst`*:: + -- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.identity.lastname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.identity.user_dept`*:: + -- +User's Department Names only + type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.identity.user_sid_src`*:: + -- +This key captures Source User Session ID + type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.identity.federated_sp`*:: + -- +This key is the Federated Service Provider. This is the application requesting authentication. + type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.identity.federated_idp`*:: + -- +This key is the federated Identity Provider. This is the server providing the authentication. + type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.identity.logon_type_desc`*:: + -- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.identity.middlename`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.identity.password`*:: + -- +This key is for Passwords seen in any session, plain text or encrypted + type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.identity.host_role`*:: + -- +This key should only be used to capture the role of a Host Machine + type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.identity.ldap`*:: + -- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.identity.ldap_query`*:: + -- +This key is the Search criteria from an LDAP search + type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.identity.ldap_response`*:: + -- +This key is to capture Results from an LDAP search + type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.identity.owner`*:: + -- +This is used to capture username the process or service is running as, the author of the task + type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.identity.service_account`*:: + -- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + type: keyword -- -*`rsa.misc.cfg_obj`*:: + +*`rsa.email.email_dst`*:: + -- +This key is used to capture the Destination email address only, when the destination context is not clear use email + type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.email.email_src`*:: + -- +This key is used to capture the source email address only, when the source context is not clear use email + type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.email.subject`*:: + -- +This key is used to capture the subject string from an Email only. + type: keyword -- -*`rsa.misc.client_ip`*:: +*`rsa.email.email`*:: + -- +This key is used to capture a generic email address where the source or destination context is not clear + type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.email.trans_from`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.email.trans_to`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.cn_asn_src`*:: + +*`rsa.file.privilege`*:: + -- +Deprecated, use permissions + type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.file.attachment`*:: + -- +This key captures the attachment file name + type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.file.binary`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.file.filename_dst`*:: + -- +This is used to capture name of the file targeted by the action + type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.file.filename_src`*:: + -- +This is used to capture name of the parent filename, the file which performed the action + type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.file.filename_tmp`*:: + -- type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.file.directory_dst`*:: + -- +This key is used to capture the directory of the target process or file + type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.file.directory_src`*:: + -- +This key is used to capture the directory of the source process or file + type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.file.file_entropy`*:: + -- -type: keyword +This is used to capture entropy vale of a file + +type: double -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.file.file_vendor`*:: + -- +This is used to capture Company name of file located in version_info + type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.file.task_name`*:: + -- +This is used to capture name of the task + type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: + +*`rsa.web.fqdn`*:: + -- +Fully Qualified Domain Names + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.web.web_cookie`*:: + -- +This key is used to capture the Web cookies specifically. + type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.web.reputation_num`*:: + -- -type: keyword +Reputation Number of an entity. Typically used for Web Domains + +type: double -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.web.web_ref_domain`*:: + -- +Web referer's domain + type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.web.web_ref_query`*:: + -- +This key captures Web referer's query portion of the URL + type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.web.remote_domain`*:: + -- type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.web.web_ref_page`*:: + -- +This key captures Web referer's page information + type: keyword -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.web.web_ref_root`*:: + -- +Web referer's root URL path + type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.web.web_page`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: + +*`rsa.threat.threat_category`*:: + -- +This key captures Threat Name/Threat Category/Categorization of alert + type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.threat.threat_desc`*:: + -- +This key is used to capture the threat description from the session directly or inferred + type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.threat.alert`*:: + -- +This key is used to capture name of the alert + type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.threat.threat_source`*:: + -- +This key is used to capture source of the threat + type: keyword -- -*`rsa.misc.cn_mul_dst_byt`*:: + +*`rsa.crypto.crypto`*:: + -- +This key is used to capture the Encryption Type or Encryption Key only + type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.crypto.cipher_src`*:: + -- +This key is for Source (Client) Cipher + type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.crypto.cert_subject`*:: + -- +This key is used to capture the Certificate organization only + type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.crypto.peer`*:: + -- +This key is for Encryption peer's IP Address + type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -type: keyword +This key captures Source (Client) Cipher Size + +type: long -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.crypto.ike`*:: + -- +IKE negotiation phase. + type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.crypto.scheme`*:: + -- +This key captures the Encryption scheme used + type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.crypto.peer_id`*:: + -- +This key is for Encryption peer’s identity + type: keyword -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.crypto.sig_type`*:: + -- +This key captures the Signature Type + type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.crypto.cert_issuer`*:: + -- type: keyword -- -*`rsa.misc.cn_template_id`*:: +*`rsa.crypto.cert_host_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.crypto.cert_error`*:: + -- +This key captures the Certificate Error String + type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.crypto.cipher_dst`*:: + -- +This key is for Destination (Server) Cipher + type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -type: keyword +This key captures Destination (Server) Cipher Size + +type: long -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.crypto.ike_cookie1`*:: + -- +ID of the negotiation — sent for ISAKMP Phase One + type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.crypto.ike_cookie2`*:: + -- +ID of the negotiation — sent for ISAKMP Phase Two + type: keyword -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.crypto.cert_host_cat`*:: + -- +This key is used for the hostname category value of a certificate + type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.crypto.cert_serial`*:: + -- +This key is used to capture the Certificate serial number only + type: keyword -- -*`rsa.misc.criticality`*:: +*`rsa.crypto.cert_status`*:: + -- +This key captures Certificate validation status + type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`rsa.misc.cs_av_other`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.crypto.cert_ca`*:: + -- +This key is used to capture the Certificate signing authority only + type: keyword -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.crypto.cert_common`*:: + -- +This key is used to capture the Certificate common name only + type: keyword -- -*`rsa.misc.cs_context`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- +This key is used to capture the ssid of a Wireless Session + type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.wireless.access_point`*:: + -- +This key is used to capture the access point name. + type: keyword -- -*`rsa.misc.cs_data`*:: +*`rsa.wireless.wlan_channel`*:: + -- -type: keyword +This is used to capture the channel names + +type: long -- -*`rsa.misc.cs_datecret`*:: +*`rsa.wireless.wlan_name`*:: + -- +This key captures either WLAN number/name + type: keyword -- -*`rsa.misc.cs_dst_tld`*:: + +*`rsa.storage.disk_volume`*:: + -- +A unique name assigned to logical units (volumes) within a physical disk + type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.storage.lun`*:: + -- +Logical Unit Number.This key is a very useful concept in Storage. + type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.storage.pwwn`*:: + -- +This uniquely identifies a port on a HBA. + type: keyword -- -*`rsa.misc.cs_event_uuid`*:: + +*`rsa.physical.org_dst`*:: + -- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`rsa.physical.org_src`*:: + -- +This is used to capture the source organization based on the GEOPIP Maxmind database. + type: keyword -- -*`rsa.misc.cs_fld`*:: + +*`rsa.healthcare.patient_fname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.healthcare.patient_id`*:: + -- +This key captures the unique ID for a patient + type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`rsa.healthcare.patient_lname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.healthcare.patient_mname`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: + +*`rsa.endpoint.host_state`*:: + -- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.endpoint.registry_key`*:: + -- +This key captures the path to the registry key + type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.endpoint.registry_value`*:: + -- +This key captures values or decorators used within a registry entry + type: keyword -- -*`rsa.misc.cs_log_medium`*:: +[float] +=== sophos + + + + +[float] +=== xg + +Module for parsing sophosxg syslog. + + + +*`sophos.xg.device`*:: + -- +device + + type: keyword -- -*`rsa.misc.cs_loginname`*:: +*`sophos.xg.date`*:: + -- -type: keyword +Date (yyyy-mm-dd) when the event occurred + + +type: date -- -*`rsa.misc.cs_modulescore`*:: +*`sophos.xg.timezone`*:: + -- +Time (hh:mm:ss) when the event occurred + + type: keyword -- -*`rsa.misc.cs_modulesign`*:: +*`sophos.xg.device_name`*:: + -- +Model number of the device + + type: keyword -- -*`rsa.misc.cs_opswatresult`*:: +*`sophos.xg.device_id`*:: + -- +Serial number of the device + + type: keyword -- -*`rsa.misc.cs_payload`*:: +*`sophos.xg.log_id`*:: + -- +Unique 12 characters code (0101011) + + type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`sophos.xg.log_type`*:: + -- +Type of event e.g. firewall event + + type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`sophos.xg.log_component`*:: + -- +Component responsible for logging e.g. Firewall rule + + type: keyword -- -*`rsa.misc.cs_represult`*:: +*`sophos.xg.log_subtype`*:: + -- +Sub type of event + + type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`sophos.xg.hb_health`*:: + -- +Heartbeat status + + type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`sophos.xg.priority`*:: + -- +Severity level of traffic + + type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +*`sophos.xg.status`*:: + -- +Ultimate status of traffic – Allowed or Denied + + type: keyword -- -*`rsa.misc.cs_streams`*:: +*`sophos.xg.duration`*:: + -- -type: keyword +Durability of traffic (seconds) + + +type: long -- -*`rsa.misc.cs_targetmodule`*:: +*`sophos.xg.fw_rule_id`*:: + -- -type: keyword +Firewall Rule ID which is applied on the traffic + + +type: integer -- -*`rsa.misc.cs_v6nxthop`*:: +*`sophos.xg.user_name`*:: + -- +user_name + + type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`sophos.xg.user_group`*:: + -- +Group name to which the user belongs + + type: keyword -- -*`rsa.misc.cs_yararesult`*:: +*`sophos.xg.iap`*:: + -- +Internet Access policy ID applied on the traffic + + type: keyword -- -*`rsa.misc.description`*:: +*`sophos.xg.ips_policy_id`*:: + -- -type: keyword +IPS policy ID applied on the traffic + + +type: integer -- -*`rsa.misc.devvendor`*:: +*`sophos.xg.policy_type`*:: + -- +Policy type applied to the traffic + + type: keyword -- -*`rsa.misc.distance`*:: +*`sophos.xg.appfilter_policy_id`*:: + -- -type: keyword +Application Filter policy applied on the traffic + + +type: integer -- -*`rsa.misc.dstburb`*:: +*`sophos.xg.application_filter_policy`*:: + -- -type: keyword +Application Filter policy applied on the traffic + + +type: integer -- -*`rsa.misc.edomain`*:: +*`sophos.xg.application`*:: + -- +Application name + + type: keyword -- -*`rsa.misc.edomaub`*:: +*`sophos.xg.application_name`*:: + -- +Application name + + type: keyword -- -*`rsa.misc.euid`*:: +*`sophos.xg.application_risk`*:: + -- +Risk level assigned to the application + + type: keyword -- -*`rsa.misc.facility`*:: +*`sophos.xg.application_technology`*:: + -- +Technology of the application + + type: keyword -- -*`rsa.misc.finterface`*:: +*`sophos.xg.application_category`*:: + -- +Application is resolved by signature or synchronized application + + type: keyword -- -*`rsa.misc.flags`*:: +*`sophos.xg.appresolvedby`*:: + -- +Technology of the application + + type: keyword -- -*`rsa.misc.gaddr`*:: +*`sophos.xg.app_is_cloud`*:: + -- +Application is Cloud + + type: keyword -- -*`rsa.misc.id3`*:: +*`sophos.xg.in_interface`*:: + -- +Interface for incoming traffic, e.g., Port A + + type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`sophos.xg.out_interface`*:: + -- +Interface for outgoing traffic, e.g., Port B + + type: keyword -- -*`rsa.misc.im_croomid`*:: +*`sophos.xg.src_ip`*:: + -- -type: keyword +Original source IP address of traffic + + +type: ip -- -*`rsa.misc.im_croomtype`*:: +*`sophos.xg.src_mac`*:: + -- +Original source MAC address of traffic + + type: keyword -- -*`rsa.misc.im_members`*:: +*`sophos.xg.src_country_code`*:: + -- +Code of the country to which the source IP belongs + + type: keyword -- -*`rsa.misc.im_username`*:: +*`sophos.xg.dst_ip`*:: + -- -type: keyword +Original destination IP address of traffic + + +type: ip -- -*`rsa.misc.ipkt`*:: +*`sophos.xg.dst_country_code`*:: + -- +Code of the country to which the destination IP belongs + + type: keyword -- -*`rsa.misc.ipscat`*:: +*`sophos.xg.protocol`*:: + -- +Protocol number of traffic + + type: keyword -- -*`rsa.misc.ipspri`*:: +*`sophos.xg.src_port`*:: + -- -type: keyword +Original source port of TCP and UDP traffic + + +type: integer -- -*`rsa.misc.latitude`*:: +*`sophos.xg.dst_port`*:: + -- -type: keyword +Original destination port of TCP and UDP traffic + + +type: integer -- -*`rsa.misc.linenum`*:: +*`sophos.xg.icmp_type`*:: + -- -type: keyword +ICMP type of ICMP traffic --- -*`rsa.misc.list_name`*:: -+ --- type: keyword -- -*`rsa.misc.load_data`*:: +*`sophos.xg.icmp_code`*:: + -- +ICMP code of ICMP traffic + + type: keyword -- -*`rsa.misc.location_floor`*:: +*`sophos.xg.sent_pkts`*:: + -- -type: keyword +Total number of packets sent + + +type: long -- -*`rsa.misc.location_mark`*:: +*`sophos.xg.received_pkts`*:: + -- -type: keyword +Total number of packets received + + +type: long -- -*`rsa.misc.log_id`*:: +*`sophos.xg.sent_bytes`*:: + -- -type: keyword +Total number of bytes sent + + +type: long -- -*`rsa.misc.log_type`*:: +*`sophos.xg.recv_bytes`*:: + -- -type: keyword +Total number of bytes received + + +type: long -- -*`rsa.misc.logid`*:: +*`sophos.xg.trans_src_ ip`*:: + -- -type: keyword +Translated source IP address for outgoing traffic + + +type: ip -- -*`rsa.misc.logip`*:: +*`sophos.xg.trans_src_port`*:: + -- -type: keyword +Translated source port for outgoing traffic + + +type: integer -- -*`rsa.misc.logname`*:: +*`sophos.xg.trans_dst_ip`*:: + -- -type: keyword +Translated destination IP address for outgoing traffic + + +type: ip -- -*`rsa.misc.longitude`*:: +*`sophos.xg.trans_dst_port`*:: + -- -type: keyword +Translated destination port for outgoing traffic + + +type: integer -- -*`rsa.misc.lport`*:: +*`sophos.xg.srczonetype`*:: + -- +Type of source zone, e.g., LAN + + type: keyword -- -*`rsa.misc.mbug_data`*:: +*`sophos.xg.srczone`*:: + -- +Name of source zone + + type: keyword -- -*`rsa.misc.misc_name`*:: +*`sophos.xg.dstzonetype`*:: + -- +Type of destination zone, e.g., WAN + + type: keyword -- -*`rsa.misc.msg_type`*:: +*`sophos.xg.dstzone`*:: + -- +Name of destination zone + + type: keyword -- -*`rsa.misc.msgid`*:: +*`sophos.xg.dir_disp`*:: + -- +TPacket direction. Possible values:“org”, “reply”, “” + + type: keyword -- -*`rsa.misc.netsessid`*:: +*`sophos.xg.connevent`*:: + -- +Event on which this log is generated + + type: keyword -- -*`rsa.misc.num`*:: +*`sophos.xg.conn_id`*:: + -- -type: keyword +Unique identifier of connection + + +type: integer -- -*`rsa.misc.number1`*:: +*`sophos.xg.vconn_id`*:: + -- -type: keyword +Connection ID of the master connection + + +type: integer -- -*`rsa.misc.number2`*:: +*`sophos.xg.idp_policy_id`*:: + -- -type: keyword +IPS policy ID which is applied on the traffic + + +type: integer -- -*`rsa.misc.nwwn`*:: +*`sophos.xg.idp_policy_name`*:: + -- +IPS policy name i.e. IPS policy name which is applied on the traffic + + type: keyword -- -*`rsa.misc.object`*:: +*`sophos.xg.signature_id`*:: + -- +Signature ID + + type: keyword -- -*`rsa.misc.operation`*:: +*`sophos.xg.signature_msg`*:: + -- +Signature messsage + + type: keyword -- -*`rsa.misc.opkt`*:: +*`sophos.xg.classification`*:: + -- +Signature classification + + type: keyword -- -*`rsa.misc.orig_from`*:: +*`sophos.xg.rule_priority`*:: + -- +Priority of IPS policy + + type: keyword -- -*`rsa.misc.owner_id`*:: +*`sophos.xg.platform`*:: + -- +Platform of the traffic. + + type: keyword -- -*`rsa.misc.p_action`*:: +*`sophos.xg.category`*:: + -- +IPS signature category. + + type: keyword -- -*`rsa.misc.p_filter`*:: +*`sophos.xg.target`*:: + -- +Platform of the traffic. + + type: keyword -- -*`rsa.misc.p_group_object`*:: +*`sophos.xg.eventid`*:: + -- +ATP Evenet ID + + type: keyword -- -*`rsa.misc.p_id`*:: +*`sophos.xg.ep_uuid`*:: + -- +Endpoint UUID + + type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`sophos.xg.threatname`*:: + -- +ATP threatname + + type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`sophos.xg.sourceip`*:: + -- -type: keyword +Original source IP address of traffic + + +type: ip -- -*`rsa.misc.p_result1`*:: +*`sophos.xg.destinationip`*:: + -- -type: keyword +Original destination IP address of traffic + + +type: ip -- -*`rsa.misc.password_chg`*:: +*`sophos.xg.login_user`*:: + -- +ATP login user + + type: keyword -- -*`rsa.misc.password_expire`*:: +*`sophos.xg.eventtype`*:: + -- +ATP event type + + type: keyword -- -*`rsa.misc.permgranted`*:: +*`sophos.xg.execution_path`*:: + -- +ATP execution path + + type: keyword -- -*`rsa.misc.permwanted`*:: +*`sophos.xg.av_policy_name`*:: + -- +Malware scanning policy name which is applied on the traffic + + type: keyword -- -*`rsa.misc.pgid`*:: +*`sophos.xg.from_email_address`*:: + -- +Sender email address + + type: keyword -- -*`rsa.misc.policyUUID`*:: +*`sophos.xg.to_email_address`*:: + -- +Receipeint email address + + type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`sophos.xg.subject`*:: + -- +Email subject + + type: keyword -- -*`rsa.misc.program`*:: +*`sophos.xg.mailsize`*:: + -- -type: keyword +mailsize + + +type: integer -- -*`rsa.misc.real_data`*:: +*`sophos.xg.virus`*:: + -- +virus name + + type: keyword -- -*`rsa.misc.rec_asp_device`*:: +*`sophos.xg.FTP_url`*:: + -- +FTP URL from which virus was downloaded + + type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`sophos.xg.FTP_direction`*:: + -- +Direction of FTP transfer: Upload or Download + + type: keyword -- -*`rsa.misc.rec_library`*:: +*`sophos.xg.filesize`*:: + -- -type: keyword +Size of the file that contained virus + + +type: integer -- -*`rsa.misc.recordnum`*:: +*`sophos.xg.filepath`*:: + -- +Path of the file containing virus + + type: keyword -- -*`rsa.misc.ruid`*:: +*`sophos.xg.filename`*:: + -- +File name associated with the event + + type: keyword -- -*`rsa.misc.sburb`*:: +*`sophos.xg.ftpcommand`*:: + -- +FTP command used when virus was found + + type: keyword -- -*`rsa.misc.sdomain_fld`*:: +*`sophos.xg.url`*:: + -- +URL from which virus was downloaded + + type: keyword -- -*`rsa.misc.sec`*:: +*`sophos.xg.domainname`*:: + -- +Domain from which virus was downloaded + + type: keyword -- -*`rsa.misc.sensorname`*:: +*`sophos.xg.quarantine`*:: + -- +Path and filename of the file quarantined + + type: keyword -- -*`rsa.misc.seqnum`*:: +*`sophos.xg.src_domainname`*:: + -- +Sender domain name + + type: keyword -- -*`rsa.misc.session`*:: +*`sophos.xg.dst_domainname`*:: + -- +Receiver domain name + + type: keyword -- -*`rsa.misc.sessiontype`*:: +*`sophos.xg.reason`*:: + -- +Reason why the record was detected as spam/malicious + + type: keyword -- -*`rsa.misc.sigUUID`*:: +*`sophos.xg.referer`*:: + -- +Referer + + type: keyword -- -*`rsa.misc.spi`*:: +*`sophos.xg.spamaction`*:: + -- +Spam Action + + type: keyword -- -*`rsa.misc.srcburb`*:: +*`sophos.xg.mailid`*:: + -- +mailid + + type: keyword -- -*`rsa.misc.srcdom`*:: +*`sophos.xg.quarantine_reason`*:: + -- +Quarantine reason + + type: keyword -- -*`rsa.misc.srcservice`*:: +*`sophos.xg.status_code`*:: + -- +Status code + + type: keyword -- -*`rsa.misc.state`*:: +*`sophos.xg.override_token`*:: + -- +Override token + + type: keyword -- -*`rsa.misc.status1`*:: +*`sophos.xg.con_id`*:: + -- -type: keyword +Unique identifier of connection + + +type: integer -- -*`rsa.misc.svcno`*:: +*`sophos.xg.override_authorizer`*:: + -- +Override authorizer + + type: keyword -- -*`rsa.misc.system`*:: +*`sophos.xg.transactionid`*:: + -- +Transaction ID of the AV scan. + + type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`sophos.xg.upload_file_type`*:: + -- +Upload file type + + type: keyword -- -*`rsa.misc.tgtdom`*:: +*`sophos.xg.upload_file_name`*:: + -- +Upload file name + + type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`sophos.xg.httpresponsecode`*:: + -- -type: keyword +code of HTTP response + + +type: long -- -*`rsa.misc.threshold`*:: +*`sophos.xg.user_gp`*:: + -- +Group name to which the user belongs. + + type: keyword -- -*`rsa.misc.type1`*:: +*`sophos.xg.category_type`*:: + -- +Type of category under which website falls + + type: keyword -- -*`rsa.misc.udb_class`*:: +*`sophos.xg.download_file_type`*:: + -- +Download file type + + type: keyword -- -*`rsa.misc.url_fld`*:: +*`sophos.xg.exceptions`*:: + -- +List of the checks excluded by web exceptions. + + type: keyword -- -*`rsa.misc.user_div`*:: +*`sophos.xg.contenttype`*:: + -- +Type of the content + + type: keyword -- -*`rsa.misc.userid`*:: +*`sophos.xg.override_name`*:: + -- +Override name + + type: keyword -- -*`rsa.misc.username_fld`*:: +*`sophos.xg.activityname`*:: + -- +Web policy activity that matched and caused the policy result. + + type: keyword -- -*`rsa.misc.utcstamp`*:: +*`sophos.xg.download_file_name`*:: + -- +Download file name + + type: keyword -- -*`rsa.misc.v_instafname`*:: +*`sophos.xg.sha1sum`*:: + -- +SHA1 checksum of the item being analyzed + + type: keyword -- -*`rsa.misc.virt_data`*:: +*`sophos.xg.message_id`*:: + -- +Message ID + + type: keyword -- -*`rsa.misc.vpnid`*:: +*`sophos.xg.connid`*:: + -- +Connection ID + + type: keyword -- -*`rsa.misc.autorun_type`*:: +*`sophos.xg.message`*:: + -- -This is used to capture Auto Run type +Message + type: keyword -- -*`rsa.misc.cc_number`*:: +*`sophos.xg.email_subject`*:: + -- -Valid Credit Card Numbers only +Email Subject -type: long + +type: keyword -- -*`rsa.misc.content`*:: +*`sophos.xg.file_path`*:: + -- -This key captures the content type from protocol headers +File path + type: keyword -- -*`rsa.misc.ein_number`*:: +*`sophos.xg.dstdomain`*:: + -- -Employee Identification Numbers only +Destination Domain -type: long + +type: keyword -- -*`rsa.misc.found`*:: +*`sophos.xg.file_size`*:: + -- -This is used to capture the results of regex match +File Size -type: keyword + +type: integer -- -*`rsa.misc.language`*:: +*`sophos.xg.transaction_id`*:: + -- -This is used to capture list of languages the client support and what it prefers +Transaction ID + type: keyword -- -*`rsa.misc.lifetime`*:: +*`sophos.xg.website`*:: + -- -This key is used to capture the session lifetime in seconds. +Website -type: long + +type: keyword -- -*`rsa.misc.link`*:: +*`sophos.xg.file_name`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Filename + type: keyword -- -*`rsa.misc.match`*:: +*`sophos.xg.context_prefix`*:: + -- -This key is for regex match name from search.ini +Content Prefix + type: keyword -- -*`rsa.misc.param_dst`*:: +*`sophos.xg.site_category`*:: + -- -This key captures the command line/launch argument of the target process or file +Site Category + type: keyword -- -*`rsa.misc.param_src`*:: +*`sophos.xg.context_suffix`*:: + -- -This key captures source parameter +Context Suffix + type: keyword -- -*`rsa.misc.search_text`*:: +*`sophos.xg.dictionary_name`*:: + -- -This key captures the Search Text used +Dictionary Name + type: keyword -- -*`rsa.misc.sig_name`*:: +*`sophos.xg.action`*:: + -- -This key is used to capture the Signature Name only. +Event Action + type: keyword -- -*`rsa.misc.snmp_value`*:: +*`sophos.xg.user`*:: + -- -SNMP set request value +User + type: keyword -- -*`rsa.misc.streams`*:: +*`sophos.xg.context_match`*:: + -- -This key captures number of streams in session +Context Match -type: long --- +type: keyword +-- -*`rsa.db.index`*:: +*`sophos.xg.direction`*:: + -- -This key captures IndexID of the index. +Direction + type: keyword -- -*`rsa.db.instance`*:: +*`sophos.xg.auth_client`*:: + -- -This key is used to capture the database server instance name +Auth Client + type: keyword -- -*`rsa.db.database`*:: +*`sophos.xg.auth_mechanism`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session +Auth mechanism + type: keyword -- -*`rsa.db.transact_id`*:: +*`sophos.xg.connectionname`*:: + -- -This key captures the SQL transantion ID of the current session +Connectionname + type: keyword -- -*`rsa.db.permissions`*:: +*`sophos.xg.remotenetwork`*:: + -- -This key captures permission or privilege level assigned to a resource. +remotenetwork + type: keyword -- -*`rsa.db.table_name`*:: +*`sophos.xg.localgateway`*:: + -- -This key is used to capture the table name +Localgateway + type: keyword -- -*`rsa.db.db_id`*:: +*`sophos.xg.localnetwork`*:: + -- -This key is used to capture the unique identifier for a database +Localnetwork + type: keyword -- -*`rsa.db.db_pid`*:: +*`sophos.xg.connectiontype`*:: + -- -This key captures the process id of a connection with database server +Connectiontype -type: long + +type: keyword -- -*`rsa.db.lread`*:: +*`sophos.xg.oldversion`*:: + -- -This key is used for the number of logical reads +Oldversion -type: long + +type: keyword -- -*`rsa.db.lwrite`*:: +*`sophos.xg.newversion`*:: + -- -This key is used for the number of logical writes +Newversion -type: long + +type: keyword -- -*`rsa.db.pread`*:: +*`sophos.xg.ipaddress`*:: + -- -This key is used for the number of physical writes +Ipaddress -type: long --- +type: keyword +-- -*`rsa.network.alias_host`*:: +*`sophos.xg.client_physical_address`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. +Client physical address + type: keyword -- -*`rsa.network.domain`*:: +*`sophos.xg.client_host_name`*:: + -- +Client host name + + type: keyword -- -*`rsa.network.host_dst`*:: +*`sophos.xg.raw_data`*:: + -- -This key should only be used when it’s a Destination Hostname +Raw data + type: keyword -- -*`rsa.network.network_service`*:: +*`sophos.xg.Mode`*:: + -- -This is used to capture layer 7 protocols/service names +Mode + type: keyword -- -*`rsa.network.interface`*:: +*`sophos.xg.sessionid`*:: + -- -This key should be used when the source or destination context of an interface is not clear +Sessionid + type: keyword -- -*`rsa.network.network_port`*:: +*`sophos.xg.starttime`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) +Starttime -type: long + +type: date -- -*`rsa.network.eth_host`*:: +*`sophos.xg.remote_ip`*:: + -- -Deprecated, use alias.mac +Remote IP -type: keyword + +type: ip -- -*`rsa.network.sinterface`*:: +*`sophos.xg.timestamp`*:: + -- -This key should only be used when it’s a Source Interface +timestamp -type: keyword + +type: date -- -*`rsa.network.dinterface`*:: +*`sophos.xg.SysLog_SERVER_NAME`*:: + -- -This key should only be used when it’s a Destination Interface +SysLog SERVER NAME + type: keyword -- -*`rsa.network.vlan`*:: +*`sophos.xg.backup_mode`*:: + -- -This key should only be used to capture the ID of the Virtual LAN +Backup mode -type: long + +type: keyword -- -*`rsa.network.zone_src`*:: +*`sophos.xg.source`*:: + -- -This key should only be used when it’s a Source Zone. +Source + type: keyword -- -*`rsa.network.zone`*:: +*`sophos.xg.server`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +Server + type: keyword -- -*`rsa.network.zone_dst`*:: +*`sophos.xg.host`*:: + -- -This key should only be used when it’s a Destination Zone. +Host + type: keyword -- -*`rsa.network.gateway`*:: +*`sophos.xg.responsetime`*:: + -- -This key is used to capture the IP Address of the gateway +Responsetime -type: keyword + +type: long -- -*`rsa.network.icmp_type`*:: +*`sophos.xg.cookie`*:: + -- -This key is used to capture the ICMP type only +cookie -type: long + +type: keyword -- -*`rsa.network.mask`*:: +*`sophos.xg.querystring`*:: + -- -This key is used to capture the device network IPmask. +querystring + type: keyword -- -*`rsa.network.icmp_code`*:: +*`sophos.xg.extra`*:: + -- -This key is used to capture the ICMP code only +extra -type: long + +type: keyword -- -*`rsa.network.protocol_detail`*:: +*`sophos.xg.PHPSESSID`*:: + -- -This key should be used to capture additional protocol information +PHPSESSID + type: keyword -- -*`rsa.network.dmask`*:: +*`sophos.xg.start_time`*:: + -- -This key is used for Destionation Device network mask +Start time -type: keyword + +type: date -- -*`rsa.network.port`*:: +*`sophos.xg.eventtime`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear +Event time -type: long + +type: date -- -*`rsa.network.smask`*:: +*`sophos.xg.red_id`*:: + -- -This key is used for capturing source Network Mask +RED ID + type: keyword -- -*`rsa.network.netname`*:: +*`sophos.xg.branch_name`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. +Branch Name + type: keyword -- -*`rsa.network.paddr`*:: +*`sophos.xg.updatedip`*:: + -- -Deprecated +updatedip + type: ip -- -*`rsa.network.faddr`*:: +*`sophos.xg.idle_cpu`*:: + -- -type: keyword +idle ## --- -*`rsa.network.lhost`*:: -+ --- -type: keyword +type: float -- -*`rsa.network.origin`*:: +*`sophos.xg.system_cpu`*:: + -- -type: keyword +system --- -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword +type: float -- -*`rsa.network.addr`*:: +*`sophos.xg.user_cpu`*:: + -- -type: keyword +system + + +type: float -- -*`rsa.network.dns_a_record`*:: +*`sophos.xg.used`*:: + -- -type: keyword +used + + +type: integer -- -*`rsa.network.dns_ptr_record`*:: +*`sophos.xg.unit`*:: + -- +unit + + type: keyword -- -*`rsa.network.fhost`*:: +*`sophos.xg.total_memory`*:: + -- -type: keyword +Total Memory + + +type: integer -- -*`rsa.network.fport`*:: +*`sophos.xg.free`*:: + -- -type: keyword +free + + +type: integer -- -*`rsa.network.laddr`*:: +*`sophos.xg.transmittederrors`*:: + -- +transmitted errors + + type: keyword -- -*`rsa.network.linterface`*:: +*`sophos.xg.receivederrors`*:: + -- +received errors + + type: keyword -- -*`rsa.network.phost`*:: +*`sophos.xg.receivedkbits`*:: + -- -type: keyword +received kbits + + +type: long -- -*`rsa.network.ad_computer_dst`*:: +*`sophos.xg.transmittedkbits`*:: + -- -Deprecated, use host.dst +transmitted kbits -type: keyword + +type: long -- -*`rsa.network.eth_type`*:: +*`sophos.xg.transmitteddrops`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only +transmitted drops + type: long -- -*`rsa.network.ip_proto`*:: +*`sophos.xg.receiveddrops`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +received drops + type: long -- -*`rsa.network.dns_cname_record`*:: +*`sophos.xg.collisions`*:: + -- -type: keyword +collisions + + +type: long -- -*`rsa.network.dns_id`*:: +*`sophos.xg.interface`*:: + -- +interface + + type: keyword -- -*`rsa.network.dns_opcode`*:: +*`sophos.xg.Configuration`*:: + -- -type: keyword +Configuration + + +type: float -- -*`rsa.network.dns_resp`*:: +*`sophos.xg.Reports`*:: + -- -type: keyword +Reports + + +type: float -- -*`rsa.network.dns_type`*:: +*`sophos.xg.Signature`*:: + -- -type: keyword +Signature + + +type: float -- -*`rsa.network.domain1`*:: +*`sophos.xg.Temp`*:: + -- -type: keyword +Temp + + +type: float -- -*`rsa.network.host_type`*:: +*`sophos.xg.users`*:: + -- +users + + type: keyword -- -*`rsa.network.packet_length`*:: +*`sophos.xg.ssid`*:: + -- +ssid + + type: keyword -- -*`rsa.network.host_orig`*:: +*`sophos.xg.ap`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. +ap + type: keyword -- -*`rsa.network.rpayload`*:: +*`sophos.xg.clients_conn_ssid`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. +clients connection ssid + type: keyword -- -*`rsa.network.vlan_name`*:: +[[exported-fields-squid]] +== Squid fields + +squid fields. + + + +*`network.interface.name`*:: + -- -This key should only be used to capture the name of the Virtual LAN +Name of the network interface where the traffic has been observed. + type: keyword -- -*`rsa.investigations.ec_activity`*:: + +*`rsa.internal.msg`*:: + -- -This key captures the particular event activity(Ex:Logoff) +This key is used to capture the raw message that comes into the Log Decoder type: keyword -- -*`rsa.investigations.ec_theme`*:: +*`rsa.internal.messageid`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) - type: keyword -- -*`rsa.investigations.ec_subject`*:: +*`rsa.internal.event_desc`*:: + -- -This key captures the Subject of a particular Event(Ex:User) - type: keyword -- -*`rsa.investigations.ec_outcome`*:: +*`rsa.internal.message`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) +This key captures the contents of instant messages type: keyword -- -*`rsa.investigations.event_cat`*:: +*`rsa.internal.time`*:: + -- -This key captures the Event category number +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -type: long +type: date -- -*`rsa.investigations.event_cat_name`*:: +*`rsa.internal.level`*:: + -- -This key captures the event category name corresponding to the event cat code +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.investigations.event_vcat`*:: +*`rsa.internal.msg_id`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.investigations.analysis_file`*:: +*`rsa.internal.msg_vid`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.investigations.analysis_service`*:: +*`rsa.internal.data`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +Deprecated key defined only in table map. type: keyword -- -*`rsa.investigations.analysis_session`*:: +*`rsa.internal.obj_server`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session +Deprecated key defined only in table map. type: keyword -- -*`rsa.investigations.boc`*:: +*`rsa.internal.obj_val`*:: + -- -This is used to capture behaviour of compromise +Deprecated key defined only in table map. type: keyword -- -*`rsa.investigations.eoc`*:: +*`rsa.internal.resource`*:: + -- -This is used to capture Enablers of Compromise +Deprecated key defined only in table map. type: keyword -- -*`rsa.investigations.inv_category`*:: +*`rsa.internal.obj_id`*:: + -- -This used to capture investigation category +Deprecated key defined only in table map. type: keyword -- -*`rsa.investigations.inv_context`*:: +*`rsa.internal.statement`*:: + -- -This used to capture investigation context +Deprecated key defined only in table map. type: keyword -- -*`rsa.investigations.ioc`*:: +*`rsa.internal.audit_class`*:: + -- -This is key capture indicator of compromise +Deprecated key defined only in table map. type: keyword -- - -*`rsa.counters.dclass_c1`*:: +*`rsa.internal.entry`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only +Deprecated key defined only in table map. -type: long +type: keyword -- -*`rsa.counters.dclass_c2`*:: +*`rsa.internal.hcode`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only +Deprecated key defined only in table map. -type: long +type: keyword -- -*`rsa.counters.event_counter`*:: +*`rsa.internal.inode`*:: + -- -This is used to capture the number of times an event repeated +Deprecated key defined only in table map. type: long -- -*`rsa.counters.dclass_r1`*:: +*`rsa.internal.resource_class`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +Deprecated key defined only in table map. type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`rsa.internal.dead`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +Deprecated key defined only in table map. type: long -- -*`rsa.counters.dclass_c1_str`*:: +*`rsa.internal.feed_desc`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.counters.dclass_c2_str`*:: +*`rsa.internal.feed_name`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.counters.dclass_r1_str`*:: +*`rsa.internal.cid`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.counters.dclass_r2`*:: +*`rsa.internal.device_class`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.counters.dclass_c3_str`*:: +*`rsa.internal.device_group`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.counters.dclass_r3`*:: +*`rsa.internal.device_host`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.counters.dclass_r2_str`*:: +*`rsa.internal.device_ip`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.counters.dclass_r3_str`*:: +*`rsa.internal.device_ipv6`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- - -*`rsa.identity.auth_method`*:: +*`rsa.internal.device_type`*:: + -- -This key is used to capture authentication methods used only +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.identity.user_role`*:: +*`rsa.internal.device_type_id`*:: + -- -This key is used to capture the Role of a user only +Deprecated key defined only in table map. -type: keyword +type: long -- -*`rsa.identity.dn`*:: +*`rsa.internal.did`*:: + -- -X.500 (LDAP) Distinguished Name +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.identity.logon_type`*:: +*`rsa.internal.entropy_req`*:: + -- -This key is used to capture the type of logon method used. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`rsa.identity.profile`*:: +*`rsa.internal.entropy_res`*:: + -- -This key is used to capture the user profile +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`rsa.identity.accesses`*:: +*`rsa.internal.event_name`*:: + -- -This key is used to capture actual privileges used in accessing an object +Deprecated key defined only in table map. type: keyword -- -*`rsa.identity.realm`*:: +*`rsa.internal.feed_category`*:: + -- -Radius realm or similar grouping of accounts +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.identity.user_sid_dst`*:: +*`rsa.internal.forward_ip`*:: + -- -This key captures Destination User Session ID +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: keyword +type: ip -- -*`rsa.identity.dn_src`*:: +*`rsa.internal.forward_ipv6`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.identity.org`*:: +*`rsa.internal.header_id`*:: + -- -This key captures the User organization +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.identity.dn_dst`*:: +*`rsa.internal.lc_cid`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.identity.firstname`*:: +*`rsa.internal.lc_ctime`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- -*`rsa.identity.lastname`*:: +*`rsa.internal.mcb_req`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.identity.user_dept`*:: +*`rsa.internal.mcb_res`*:: + -- -User's Department Names only +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most -type: keyword +type: long -- -*`rsa.identity.user_sid_src`*:: +*`rsa.internal.mcbc_req`*:: + -- -This key captures Source User Session ID +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.identity.federated_sp`*:: +*`rsa.internal.mcbc_res`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.identity.federated_idp`*:: +*`rsa.internal.medium`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session -type: keyword +type: long -- -*`rsa.identity.logon_type_desc`*:: +*`rsa.internal.node_name`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. +Deprecated key defined only in table map. type: keyword -- -*`rsa.identity.middlename`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +This key denotes that event is endpoint related type: keyword -- -*`rsa.identity.password`*:: +*`rsa.internal.parse_error`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.identity.host_role`*:: +*`rsa.internal.payload_req`*:: + -- -This key should only be used to capture the role of a Host Machine +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`rsa.identity.ldap`*:: +*`rsa.internal.payload_res`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`rsa.identity.ldap_query`*:: +*`rsa.internal.process_vid_dst`*:: + -- -This key is the Search criteria from an LDAP search +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`rsa.identity.ldap_response`*:: +*`rsa.internal.process_vid_src`*:: + -- -This key is to capture Results from an LDAP search +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- -*`rsa.identity.owner`*:: +*`rsa.internal.rid`*:: + -- -This is used to capture username the process or service is running as, the author of the task +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`rsa.identity.service_account`*:: +*`rsa.internal.session_split`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- - -*`rsa.email.email_dst`*:: +*`rsa.internal.site`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email +Deprecated key defined only in table map. type: keyword -- -*`rsa.email.email_src`*:: +*`rsa.internal.size`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`rsa.email.subject`*:: +*`rsa.internal.sourcefile`*:: + -- -This key is used to capture the subject string from an Email only. +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.email.email`*:: +*`rsa.internal.ubc_req`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.email.trans_from`*:: +*`rsa.internal.ubc_res`*:: + -- -Deprecated key defined only in table map. +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.email.trans_to`*:: +*`rsa.internal.word`*:: + -- -Deprecated key defined only in table map. +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -*`rsa.file.privilege`*:: +*`rsa.time.event_time`*:: + -- -Deprecated, use permissions +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`rsa.file.attachment`*:: +*`rsa.time.duration_time`*:: + -- -This key captures the attachment file name +This key is used to capture the normalized duration/lifetime in seconds. -type: keyword +type: double -- -*`rsa.file.filesystem`*:: +*`rsa.time.event_time_str`*:: + -- +This key is used to capture the incomplete time mentioned in a session as a string + type: keyword -- -*`rsa.file.binary`*:: +*`rsa.time.starttime`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the Start time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.file.filename_dst`*:: +*`rsa.time.month`*:: + -- -This is used to capture name of the file targeted by the action - type: keyword -- -*`rsa.file.filename_src`*:: +*`rsa.time.day`*:: + -- -This is used to capture name of the parent filename, the file which performed the action - type: keyword -- -*`rsa.file.filename_tmp`*:: +*`rsa.time.endtime`*:: + -- -type: keyword +This key is used to capture the End time mentioned in a session in a standard form + +type: date -- -*`rsa.file.directory_dst`*:: +*`rsa.time.timezone`*:: + -- -This key is used to capture the directory of the target process or file +This key is used to capture the timezone of the Event Time type: keyword -- -*`rsa.file.directory_src`*:: +*`rsa.time.duration_str`*:: + -- -This key is used to capture the directory of the source process or file +A text string version of the duration type: keyword -- -*`rsa.file.file_entropy`*:: +*`rsa.time.date`*:: + -- -This is used to capture entropy vale of a file - -type: double +type: keyword -- -*`rsa.file.file_vendor`*:: +*`rsa.time.year`*:: + -- -This is used to capture Company name of file located in version_info - type: keyword -- -*`rsa.file.task_name`*:: +*`rsa.time.recorded_time`*:: + -- -This is used to capture name of the task +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: keyword +type: date -- - -*`rsa.web.fqdn`*:: +*`rsa.time.datetime`*:: + -- -Fully Qualified Domain Names - type: keyword -- -*`rsa.web.web_cookie`*:: +*`rsa.time.effective_time`*:: + -- -This key is used to capture the Web cookies specifically. +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: keyword +type: date -- -*`rsa.web.alias_host`*:: +*`rsa.time.expire_time`*:: + -- -type: keyword +This key is the timestamp that explicitly refers to an expiration. + +type: date -- -*`rsa.web.reputation_num`*:: +*`rsa.time.process_time`*:: + -- -Reputation Number of an entity. Typically used for Web Domains +Deprecated, use duration.time -type: double +type: keyword -- -*`rsa.web.web_ref_domain`*:: +*`rsa.time.hour`*:: + -- -Web referer's domain - type: keyword -- -*`rsa.web.web_ref_query`*:: +*`rsa.time.min`*:: + -- -This key captures Web referer's query portion of the URL - type: keyword -- -*`rsa.web.remote_domain`*:: +*`rsa.time.timestamp`*:: + -- type: keyword -- -*`rsa.web.web_ref_page`*:: +*`rsa.time.event_queue_time`*:: + -- -This key captures Web referer's page information +This key is the Time that the event was queued. -type: keyword +type: date -- -*`rsa.web.web_ref_root`*:: +*`rsa.time.p_time1`*:: + -- -Web referer's root URL path - type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`rsa.time.tzone`*:: + -- type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`rsa.time.eventtime`*:: + -- type: keyword -- -*`rsa.web.urlpage`*:: +*`rsa.time.gmtdate`*:: + -- type: keyword -- -*`rsa.web.urlroot`*:: +*`rsa.time.gmttime`*:: + -- type: keyword -- -*`rsa.web.p_url`*:: +*`rsa.time.p_date`*:: + -- type: keyword -- -*`rsa.web.p_user_agent`*:: +*`rsa.time.p_month`*:: + -- type: keyword -- -*`rsa.web.p_web_cookie`*:: +*`rsa.time.p_time`*:: + -- type: keyword -- -*`rsa.web.p_web_method`*:: +*`rsa.time.p_time2`*:: + -- type: keyword -- -*`rsa.web.p_web_referer`*:: +*`rsa.time.p_year`*:: + -- type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`rsa.time.expire_time_str`*:: + -- +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + type: keyword -- -*`rsa.web.web_page`*:: +*`rsa.time.stamp`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: date -- -*`rsa.threat.threat_category`*:: +*`rsa.misc.action`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert - type: keyword -- -*`rsa.threat.threat_desc`*:: +*`rsa.misc.result`*:: + -- -This key is used to capture the threat description from the session directly or inferred +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`rsa.threat.alert`*:: +*`rsa.misc.severity`*:: + -- -This key is used to capture name of the alert +This key is used to capture the severity given the session type: keyword -- -*`rsa.threat.threat_source`*:: +*`rsa.misc.event_type`*:: + -- -This key is used to capture source of the threat +This key captures the event category type as specified by the event source. type: keyword -- +*`rsa.misc.reference_id`*:: ++ +-- +This key is used to capture an event id from the session directly + +type: keyword -*`rsa.crypto.crypto`*:: +-- + +*`rsa.misc.version`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only +This key captures Version of the application or OS which is generating the event. type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`rsa.misc.disposition`*:: + -- -This key is for Source (Client) Cipher +This key captures the The end state of an action. type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`rsa.misc.result_code`*:: + -- -This key is used to capture the Certificate organization only +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`rsa.crypto.peer`*:: +*`rsa.misc.category`*:: + -- -This key is for Encryption peer's IP Address +This key is used to capture the category of an event given by the vendor in the session type: keyword -- -*`rsa.crypto.cipher_size_src`*:: +*`rsa.misc.obj_name`*:: + -- -This key captures Source (Client) Cipher Size +This is used to capture name of object -type: long +type: keyword -- -*`rsa.crypto.ike`*:: +*`rsa.misc.obj_type`*:: + -- -IKE negotiation phase. +This is used to capture type of object type: keyword -- -*`rsa.crypto.scheme`*:: +*`rsa.misc.event_source`*:: + -- -This key captures the Encryption scheme used +This key captures Source of the event that’s not a hostname type: keyword -- -*`rsa.crypto.peer_id`*:: +*`rsa.misc.log_session_id`*:: + -- -This key is for Encryption peer’s identity +This key is used to capture a sessionid from the session directly type: keyword -- -*`rsa.crypto.sig_type`*:: +*`rsa.misc.group`*:: + -- -This key captures the Signature Type +This key captures the Group Name value type: keyword -- -*`rsa.crypto.cert_issuer`*:: +*`rsa.misc.policy_name`*:: + -- +This key is used to capture the Policy Name only. + type: keyword -- -*`rsa.crypto.cert_host_name`*:: +*`rsa.misc.rule_name`*:: + -- -Deprecated key defined only in table map. +This key captures the Rule Name type: keyword -- -*`rsa.crypto.cert_error`*:: +*`rsa.misc.context`*:: + -- -This key captures the Certificate Error String +This key captures Information which adds additional context to the event. type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`rsa.misc.change_new`*:: + -- -This key is for Destination (Server) Cipher +This key is used to capture the new values of the attribute that’s changing in a session type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`rsa.misc.space`*:: + -- -This key captures Destination (Server) Cipher Size - -type: long +type: keyword -- -*`rsa.crypto.ssl_ver_src`*:: +*`rsa.misc.client`*:: + -- -Deprecated, use version +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`rsa.misc.msgIdPart1`*:: + -- type: keyword -- -*`rsa.crypto.s_certauth`*:: +*`rsa.misc.msgIdPart2`*:: + -- type: keyword -- -*`rsa.crypto.ike_cookie1`*:: +*`rsa.misc.change_old`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One +This key is used to capture the old value of the attribute that’s changing in a session type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`rsa.misc.operation_id`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two +An alert number or operation number. The values should be unique and non-repeating. type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`rsa.misc.event_state`*:: + -- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + type: keyword -- -*`rsa.crypto.cert_host_cat`*:: +*`rsa.misc.group_object`*:: + -- -This key is used for the hostname category value of a certificate +This key captures a collection/grouping of entities. Specific usage type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`rsa.misc.node`*:: + -- -This key is used to capture the Certificate serial number only +Common use case is the node name within a cluster. The cluster name is reflected by the host name. type: keyword -- -*`rsa.crypto.cert_status`*:: +*`rsa.misc.rule`*:: + -- -This key captures Certificate validation status +This key captures the Rule number type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`rsa.misc.device_name`*:: + -- -Deprecated, use version +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`rsa.crypto.cert_keysize`*:: +*`rsa.misc.param`*:: + -- +This key is the parameters passed as part of a command or application, etc. + type: keyword -- -*`rsa.crypto.cert_username`*:: +*`rsa.misc.change_attrib`*:: + -- +This key is used to capture the name of the attribute that’s changing in a session + type: keyword -- -*`rsa.crypto.https_insact`*:: +*`rsa.misc.event_computer`*:: + -- +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + type: keyword -- -*`rsa.crypto.https_valid`*:: +*`rsa.misc.reference_id1`*:: + -- +This key is for Linked ID to be used as an addition to "reference.id" + type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`rsa.misc.event_log`*:: + -- -This key is used to capture the Certificate signing authority only +This key captures the Name of the event log type: keyword -- -*`rsa.crypto.cert_common`*:: +*`rsa.misc.OS`*:: + -- -This key is used to capture the Certificate common name only +This key captures the Name of the Operating System type: keyword -- - -*`rsa.wireless.wlan_ssid`*:: +*`rsa.misc.terminal`*:: + -- -This key is used to capture the ssid of a Wireless Session +This key captures the Terminal Names only type: keyword -- -*`rsa.wireless.access_point`*:: +*`rsa.misc.msgIdPart3`*:: + -- -This key is used to capture the access point name. - type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`rsa.misc.filter`*:: + -- -This is used to capture the channel names +This key captures Filter used to reduce result set -type: long +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`rsa.misc.serial_number`*:: + -- -This key captures either WLAN number/name +This key is the Serial number associated with a physical asset. type: keyword -- - -*`rsa.storage.disk_volume`*:: +*`rsa.misc.checksum`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. type: keyword -- -*`rsa.storage.lun`*:: +*`rsa.misc.event_user`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. type: keyword -- -*`rsa.storage.pwwn`*:: +*`rsa.misc.virusname`*:: + -- -This uniquely identifies a port on a HBA. +This key captures the name of the virus type: keyword -- - -*`rsa.physical.org_dst`*:: +*`rsa.misc.content_type`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. +This key is used to capture Content Type only. type: keyword -- -*`rsa.physical.org_src`*:: +*`rsa.misc.group_id`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. +This key captures Group ID Number (related to the group name) type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`rsa.misc.policy_id`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise type: keyword -- -*`rsa.healthcare.patient_id`*:: +*`rsa.misc.vsys`*:: + -- -This key captures the unique ID for a patient +This key captures Virtual System Name type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`rsa.misc.connection_id`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +This key captures the Connection ID type: keyword -- -*`rsa.healthcare.patient_mname`*:: +*`rsa.misc.reference_id2`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`rsa.misc.sensor`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +This key captures Name of the sensor. Typically used in IDS/IPS based devices type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`rsa.misc.sig_id`*:: + -- -This key captures the path to the registry key +This key captures IDS/IPS Int Signature ID -type: keyword +type: long -- -*`rsa.endpoint.registry_value`*:: +*`rsa.misc.port_name`*:: + -- -This key captures values or decorators used within a registry entry +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -[[exported-fields-squid]] -== Squid fields - -squid fields. - - - -*`network.interface.name`*:: +*`rsa.misc.rule_group`*:: + -- -Name of the network interface where the traffic has been observed. - +This key captures the Rule group name type: keyword -- +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value +type: double -*`rsa.internal.msg`*:: +-- + +*`rsa.misc.trigger_val`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder +This key captures the Value of the trigger or threshold condition. type: keyword -- -*`rsa.internal.messageid`*:: +*`rsa.misc.log_session_id1`*:: + -- +This key is used to capture a Linked (Related) Session ID from the session directly + type: keyword -- -*`rsa.internal.event_desc`*:: +*`rsa.misc.comp_version`*:: + -- +This key captures the Version level of a sub-component of a product. + type: keyword -- -*`rsa.internal.message`*:: +*`rsa.misc.content_version`*:: + -- -This key captures the contents of instant messages +This key captures Version level of a signature or database content. type: keyword -- -*`rsa.internal.time`*:: +*`rsa.misc.hardware_id`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. +This key is used to capture unique identifier for a device or system (NOT a Mac address) -type: date +type: keyword -- -*`rsa.internal.level`*:: +*`rsa.misc.risk`*:: + -- -Deprecated key defined only in table map. +This key captures the non-numeric risk value -type: long +type: keyword -- -*`rsa.internal.msg_id`*:: +*`rsa.misc.event_id`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.msg_vid`*:: +*`rsa.misc.reason`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.data`*:: +*`rsa.misc.status`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_server`*:: +*`rsa.misc.mail_id`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the mailbox id/name type: keyword -- -*`rsa.internal.obj_val`*:: +*`rsa.misc.rule_uid`*:: + -- -Deprecated key defined only in table map. +This key is the Unique Identifier for a rule. type: keyword -- -*`rsa.internal.resource`*:: +*`rsa.misc.trigger_desc`*:: + -- -Deprecated key defined only in table map. +This key captures the Description of the trigger or threshold condition. type: keyword -- -*`rsa.internal.obj_id`*:: +*`rsa.misc.inout`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.statement`*:: +*`rsa.misc.p_msgid`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.audit_class`*:: +*`rsa.misc.data_type`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.entry`*:: +*`rsa.misc.msgIdPart4`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.hcode`*:: +*`rsa.misc.error`*:: + -- -Deprecated key defined only in table map. +This key captures All non successful Error codes or responses type: keyword -- -*`rsa.internal.inode`*:: +*`rsa.misc.index`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.resource_class`*:: +*`rsa.misc.listnum`*:: + -- -Deprecated key defined only in table map. +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -- -*`rsa.internal.dead`*:: +*`rsa.misc.ntype`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.feed_desc`*:: +*`rsa.misc.observed_val`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Value observed (from the perspective of the device generating the log). type: keyword -- -*`rsa.internal.feed_name`*:: +*`rsa.misc.policy_value`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the contents of the policy. This contains details about the policy type: keyword -- -*`rsa.internal.cid`*:: +*`rsa.misc.pool_name`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the name of a resource pool type: keyword -- -*`rsa.internal.device_class`*:: +*`rsa.misc.rule_template`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template type: keyword -- -*`rsa.internal.device_group`*:: +*`rsa.misc.count`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_host`*:: +*`rsa.misc.number`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_ip`*:: +*`rsa.misc.sigcat`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`rsa.misc.type`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_type`*:: +*`rsa.misc.comments`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Comment information provided in the log message type: keyword -- -*`rsa.internal.device_type_id`*:: +*`rsa.misc.doc_number`*:: + -- -Deprecated key defined only in table map. +This key captures File Identification number type: long -- -*`rsa.internal.did`*:: +*`rsa.misc.expected_val`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Value expected (from the perspective of the device generating the log). type: keyword -- -*`rsa.internal.entropy_req`*:: +*`rsa.misc.job_num`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +This key captures the Job Number -type: long +type: keyword -- -*`rsa.internal.entropy_res`*:: +*`rsa.misc.spi_dst`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +Destination SPI Index -type: long +type: keyword -- -*`rsa.internal.event_name`*:: +*`rsa.misc.spi_src`*:: + -- -Deprecated key defined only in table map. +Source SPI Index type: keyword -- -*`rsa.internal.feed_category`*:: +*`rsa.misc.code`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.forward_ip`*:: +*`rsa.misc.agent_id`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. +This key is used to capture agent id -type: ip +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`rsa.misc.message_body`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the The contents of the message body. -type: ip +type: keyword -- -*`rsa.internal.header_id`*:: +*`rsa.misc.phone`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_cid`*:: +*`rsa.misc.sig_id_str`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures a string object of the sigid variable. type: keyword -- -*`rsa.internal.lc_ctime`*:: +*`rsa.misc.cmd`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`rsa.misc.misc`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`rsa.misc.name`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcbc_req`*:: +*`rsa.misc.cpu`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +This key is the CPU time used in the execution of the event being recorded. type: long -- -*`rsa.internal.mcbc_res`*:: +*`rsa.misc.event_desc`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams +This key is used to capture a description of an event available directly or inferred -type: long +type: keyword -- -*`rsa.internal.medium`*:: +*`rsa.misc.sig_id1`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id type: long -- -*`rsa.internal.node_name`*:: +*`rsa.misc.im_buddyid`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`rsa.misc.im_client`*:: + -- -This key denotes that event is endpoint related - type: keyword -- -*`rsa.internal.parse_error`*:: +*`rsa.misc.im_userid`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.payload_req`*:: +*`rsa.misc.pid`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.payload_res`*:: +*`rsa.misc.priority`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: +*`rsa.misc.context_subject`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. +This key is to be used in an audit context where the subject is the object being identified type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`rsa.misc.context_target`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - type: keyword -- -*`rsa.internal.rid`*:: +*`rsa.misc.cve`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. -type: long +type: keyword -- -*`rsa.internal.session_split`*:: +*`rsa.misc.fcatnum`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Filter Category Number. Legacy Usage type: keyword -- -*`rsa.internal.site`*:: +*`rsa.misc.library`*:: + -- -Deprecated key defined only in table map. +This key is used to capture library information in mainframe devices type: keyword -- -*`rsa.internal.size`*:: +*`rsa.misc.parent_node`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Parent Node Name. Must be related to node variable. -type: long +type: keyword -- -*`rsa.internal.sourcefile`*:: +*`rsa.misc.risk_info`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.internal.ubc_req`*:: +*`rsa.misc.tcp_flags`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +This key is captures the TCP flags set in any packet of session type: long -- -*`rsa.internal.ubc_res`*:: +*`rsa.misc.tos`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +This key describes the type of service type: long -- -*`rsa.internal.word`*:: +*`rsa.misc.vm_target`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log +VMWare Target **VMWARE** only varaible. type: keyword -- - -*`rsa.time.event_time`*:: +*`rsa.misc.workspace`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +This key captures Workspace Description -type: date +type: keyword -- -*`rsa.time.duration_time`*:: +*`rsa.misc.command`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. - -type: double +type: keyword -- -*`rsa.time.event_time_str`*:: +*`rsa.misc.event_category`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string - type: keyword -- -*`rsa.time.starttime`*:: +*`rsa.misc.facilityname`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.month`*:: +*`rsa.misc.forensic_info`*:: + -- type: keyword -- -*`rsa.time.day`*:: +*`rsa.misc.jobname`*:: + -- type: keyword -- -*`rsa.time.endtime`*:: +*`rsa.misc.mode`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.timezone`*:: +*`rsa.misc.policy`*:: + -- -This key is used to capture the timezone of the Event Time - type: keyword -- -*`rsa.time.duration_str`*:: +*`rsa.misc.policy_waiver`*:: + -- -A text string version of the duration - type: keyword -- -*`rsa.time.date`*:: +*`rsa.misc.second`*:: + -- type: keyword -- -*`rsa.time.year`*:: +*`rsa.misc.space1`*:: + -- type: keyword -- -*`rsa.time.recorded_time`*:: +*`rsa.misc.subcategory`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date +type: keyword -- -*`rsa.time.datetime`*:: +*`rsa.misc.tbdstr2`*:: + -- type: keyword -- -*`rsa.time.effective_time`*:: +*`rsa.misc.alert_id`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -type: date +type: keyword -- -*`rsa.time.expire_time`*:: +*`rsa.misc.checksum_dst`*:: + -- -This key is the timestamp that explicitly refers to an expiration. +This key is used to capture the checksum or hash of the the target entity such as a process or file. -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`rsa.misc.checksum_src`*:: + -- -Deprecated, use duration.time +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`rsa.time.hour`*:: +*`rsa.misc.fresult`*:: + -- -type: keyword - --- +This key captures the Filter Result -*`rsa.time.min`*:: -+ --- -type: keyword +type: long -- -*`rsa.time.timestamp`*:: +*`rsa.misc.payload_dst`*:: + -- +This key is used to capture destination payload + type: keyword -- -*`rsa.time.event_queue_time`*:: +*`rsa.misc.payload_src`*:: + -- -This key is the Time that the event was queued. - -type: date - --- +This key is used to capture source payload -*`rsa.time.p_time1`*:: -+ --- type: keyword -- -*`rsa.time.tzone`*:: +*`rsa.misc.pool_id`*:: + -- +This key captures the identifier (typically numeric field) of a resource pool + type: keyword -- -*`rsa.time.eventtime`*:: +*`rsa.misc.process_id_val`*:: + -- +This key is a failure key for Process ID when it is not an integer value + type: keyword -- -*`rsa.time.gmtdate`*:: +*`rsa.misc.risk_num_comm`*:: + -- -type: keyword +This key captures Risk Number Community + +type: double -- -*`rsa.time.gmttime`*:: +*`rsa.misc.risk_num_next`*:: + -- -type: keyword +This key captures Risk Number NextGen + +type: double -- -*`rsa.time.p_date`*:: +*`rsa.misc.risk_num_sand`*:: + -- -type: keyword +This key captures Risk Number SandBox + +type: double -- -*`rsa.time.p_month`*:: +*`rsa.misc.risk_num_static`*:: + -- -type: keyword +This key captures Risk Number Static + +type: double -- -*`rsa.time.p_time`*:: +*`rsa.misc.risk_suspicious`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.time.p_time2`*:: +*`rsa.misc.risk_warning`*:: + -- +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + type: keyword -- -*`rsa.time.p_year`*:: +*`rsa.misc.snmp_oid`*:: + -- +SNMP Object Identifier + type: keyword -- -*`rsa.time.expire_time_str`*:: +*`rsa.misc.sql`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. +This key captures the SQL query type: keyword -- -*`rsa.time.stamp`*:: +*`rsa.misc.vuln_ref`*:: + -- -Deprecated key defined only in table map. +This key captures the Vulnerability Reference details -type: date +type: keyword -- - -*`rsa.misc.action`*:: +*`rsa.misc.acl_id`*:: + -- type: keyword -- -*`rsa.misc.result`*:: +*`rsa.misc.acl_op`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. - type: keyword -- -*`rsa.misc.severity`*:: +*`rsa.misc.acl_pos`*:: + -- -This key is used to capture the severity given the session - type: keyword -- -*`rsa.misc.event_type`*:: +*`rsa.misc.acl_table`*:: + -- -This key captures the event category type as specified by the event source. - type: keyword -- -*`rsa.misc.reference_id`*:: +*`rsa.misc.admin`*:: + -- -This key is used to capture an event id from the session directly - type: keyword -- -*`rsa.misc.version`*:: +*`rsa.misc.alarm_id`*:: + -- -This key captures Version of the application or OS which is generating the event. - type: keyword -- -*`rsa.misc.disposition`*:: +*`rsa.misc.alarmname`*:: + -- -This key captures the The end state of an action. - type: keyword -- -*`rsa.misc.result_code`*:: +*`rsa.misc.app_id`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session - type: keyword -- -*`rsa.misc.category`*:: +*`rsa.misc.audit`*:: + -- -This key is used to capture the category of an event given by the vendor in the session - type: keyword -- -*`rsa.misc.obj_name`*:: +*`rsa.misc.audit_object`*:: + -- -This is used to capture name of object - type: keyword -- -*`rsa.misc.obj_type`*:: +*`rsa.misc.auditdata`*:: + -- -This is used to capture type of object - type: keyword -- -*`rsa.misc.event_source`*:: +*`rsa.misc.benchmark`*:: + -- -This key captures Source of the event that’s not a hostname - type: keyword -- -*`rsa.misc.log_session_id`*:: +*`rsa.misc.bypass`*:: + -- -This key is used to capture a sessionid from the session directly - type: keyword -- -*`rsa.misc.group`*:: +*`rsa.misc.cache`*:: + -- -This key captures the Group Name value - type: keyword -- -*`rsa.misc.policy_name`*:: +*`rsa.misc.cache_hit`*:: + -- -This key is used to capture the Policy Name only. - type: keyword -- -*`rsa.misc.rule_name`*:: +*`rsa.misc.cefversion`*:: + -- -This key captures the Rule Name - type: keyword -- -*`rsa.misc.context`*:: +*`rsa.misc.cfg_attr`*:: + -- -This key captures Information which adds additional context to the event. - type: keyword -- -*`rsa.misc.change_new`*:: +*`rsa.misc.cfg_obj`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.space`*:: +*`rsa.misc.cfg_path`*:: + -- type: keyword -- -*`rsa.misc.client`*:: +*`rsa.misc.changes`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - type: keyword -- -*`rsa.misc.msgIdPart1`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart2`*:: +*`rsa.misc.clustermembers`*:: + -- type: keyword -- -*`rsa.misc.change_old`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.operation_id`*:: +*`rsa.misc.cn_asn_src`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. - type: keyword -- -*`rsa.misc.event_state`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - type: keyword -- -*`rsa.misc.group_object`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -This key captures a collection/grouping of entities. Specific usage - type: keyword -- -*`rsa.misc.node`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - type: keyword -- -*`rsa.misc.rule`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -This key captures the Rule number - type: keyword -- -*`rsa.misc.device_name`*:: +*`rsa.misc.cn_engine_id`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - type: keyword -- -*`rsa.misc.param`*:: +*`rsa.misc.cn_engine_type`*:: + -- -This key is the parameters passed as part of a command or application, etc. - type: keyword -- -*`rsa.misc.change_attrib`*:: +*`rsa.misc.cn_f_switch`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.event_computer`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - type: keyword -- -*`rsa.misc.reference_id1`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" - type: keyword -- -*`rsa.misc.event_log`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -This key captures the Name of the event log - type: keyword -- -*`rsa.misc.OS`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -This key captures the Name of the Operating System - type: keyword -- -*`rsa.misc.terminal`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -This key captures the Terminal Names only - type: keyword -- -*`rsa.misc.msgIdPart3`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- type: keyword -- -*`rsa.misc.filter`*:: +*`rsa.misc.cn_invalid`*:: + -- -This key captures Filter used to reduce result set - type: keyword -- -*`rsa.misc.serial_number`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -This key is the Serial number associated with a physical asset. - type: keyword -- -*`rsa.misc.checksum`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.misc.cn_l_switch`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - type: keyword -- -*`rsa.misc.virusname`*:: +*`rsa.misc.cn_log_did`*:: + -- -This key captures the name of the virus - type: keyword -- -*`rsa.misc.content_type`*:: +*`rsa.misc.cn_log_rid`*:: + -- -This key is used to capture Content Type only. - type: keyword -- -*`rsa.misc.group_id`*:: +*`rsa.misc.cn_max_ttl`*:: + -- -This key captures Group ID Number (related to the group name) - type: keyword -- -*`rsa.misc.policy_id`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - type: keyword -- -*`rsa.misc.vsys`*:: +*`rsa.misc.cn_min_ttl`*:: + -- -This key captures Virtual System Name - type: keyword -- -*`rsa.misc.connection_id`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -This key captures the Connection ID - type: keyword -- -*`rsa.misc.reference_id2`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -This key captures IDS/IPS Int Signature ID - -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -This key captures the Rule group name - type: keyword -- -*`rsa.misc.risk_num`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -This key captures a Numeric Risk value - -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- -This key captures the Value of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly - type: keyword -- -*`rsa.misc.comp_version`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -This key captures the Version level of a sub-component of a product. - type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -This key captures Version level of a signature or database content. - type: keyword -- -*`rsa.misc.hardware_id`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - type: keyword -- -*`rsa.misc.risk`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -This key captures the non-numeric risk value - type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- type: keyword -- -*`rsa.misc.status`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -This key is used to capture the mailbox id/name - type: keyword -- -*`rsa.misc.rule_uid`*:: +*`rsa.misc.cn_sampint`*:: + -- -This key is the Unique Identifier for a rule. - type: keyword -- -*`rsa.misc.trigger_desc`*:: +*`rsa.misc.cn_seqctr`*:: + -- -This key captures the Description of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.inout`*:: +*`rsa.misc.cn_spackets`*:: + -- type: keyword -- -*`rsa.misc.p_msgid`*:: +*`rsa.misc.cn_src_tos`*:: + -- type: keyword -- -*`rsa.misc.data_type`*:: +*`rsa.misc.cn_src_vlan`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.misc.cn_sysuptime`*:: + -- type: keyword -- -*`rsa.misc.error`*:: +*`rsa.misc.cn_template_id`*:: + -- -This key captures All non successful Error codes or responses - type: keyword -- -*`rsa.misc.index`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list - type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- type: keyword -- -*`rsa.misc.observed_val`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.policy_value`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -This key captures the contents of the policy. This contains details about the policy - type: keyword -- -*`rsa.misc.pool_name`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -This key captures the name of a resource pool - type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.misc.comp_class`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - type: keyword -- -*`rsa.misc.count`*:: +*`rsa.misc.comp_name`*:: + -- type: keyword -- -*`rsa.misc.number`*:: +*`rsa.misc.comp_rbytes`*:: + -- type: keyword -- -*`rsa.misc.sigcat`*:: +*`rsa.misc.comp_sbytes`*:: + -- type: keyword -- -*`rsa.misc.type`*:: +*`rsa.misc.cpu_data`*:: + -- type: keyword -- -*`rsa.misc.comments`*:: +*`rsa.misc.criticality`*:: + -- -Comment information provided in the log message - type: keyword -- -*`rsa.misc.doc_number`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -This key captures File Identification number - -type: long +type: keyword -- -*`rsa.misc.expected_val`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.job_num`*:: +*`rsa.misc.cs_av_other`*:: + -- -This key captures the Job Number - type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.misc.cs_av_primary`*:: + -- -Destination SPI Index - type: keyword -- -*`rsa.misc.spi_src`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -Source SPI Index - type: keyword -- -*`rsa.misc.code`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- type: keyword -- -*`rsa.misc.agent_id`*:: +*`rsa.misc.cs_bit9status`*:: + -- -This key is used to capture agent id - type: keyword -- -*`rsa.misc.message_body`*:: +*`rsa.misc.cs_context`*:: + -- -This key captures the The contents of the message body. - type: keyword -- -*`rsa.misc.phone`*:: +*`rsa.misc.cs_control`*:: + -- type: keyword -- -*`rsa.misc.sig_id_str`*:: +*`rsa.misc.cs_data`*:: + -- -This key captures a string object of the sigid variable. - type: keyword -- -*`rsa.misc.cmd`*:: +*`rsa.misc.cs_datecret`*:: + -- type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.misc.cs_dst_tld`*:: + -- type: keyword -- -*`rsa.misc.name`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- type: keyword -- -*`rsa.misc.cpu`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- -This key is the CPU time used in the execution of the event being recorded. - -type: long +type: keyword -- -*`rsa.misc.event_desc`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -This key is used to capture a description of an event available directly or inferred - type: keyword -- -*`rsa.misc.sig_id1`*:: +*`rsa.misc.cs_filetype`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: +*`rsa.misc.cs_fld`*:: + -- type: keyword -- -*`rsa.misc.im_client`*:: +*`rsa.misc.cs_if_desc`*:: + -- type: keyword -- -*`rsa.misc.im_userid`*:: +*`rsa.misc.cs_if_name`*:: + -- type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- type: keyword -- -*`rsa.misc.priority`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- type: keyword -- -*`rsa.misc.context_subject`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -This key is to be used in an audit context where the subject is the object being identified - type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.misc.cs_lifetime`*:: + -- type: keyword -- -*`rsa.misc.cve`*:: +*`rsa.misc.cs_log_medium`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - type: keyword -- -*`rsa.misc.fcatnum`*:: +*`rsa.misc.cs_loginname`*:: + -- -This key captures Filter Category Number. Legacy Usage - type: keyword -- -*`rsa.misc.library`*:: +*`rsa.misc.cs_modulescore`*:: + -- -This key is used to capture library information in mainframe devices - type: keyword -- -*`rsa.misc.parent_node`*:: +*`rsa.misc.cs_modulesign`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. - type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.misc.cs_payload`*:: + -- -This key is captures the TCP flags set in any packet of session - -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.misc.cs_registrant`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.misc.cs_registrar`*:: + -- -VMWare Target **VMWARE** only varaible. - type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.misc.cs_represult`*:: + -- -This key captures Workspace Description - type: keyword -- -*`rsa.misc.command`*:: +*`rsa.misc.cs_rpayload`*:: + -- type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.misc.cs_sampler_name`*:: + -- type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.misc.cs_streams`*:: + -- type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.misc.cs_targetmodule`*:: + -- type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.misc.cs_whois_server`*:: + -- type: keyword -- -*`rsa.misc.policy_waiver`*:: +*`rsa.misc.cs_yararesult`*:: + -- type: keyword -- -*`rsa.misc.second`*:: +*`rsa.misc.description`*:: + -- type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.misc.devvendor`*:: + -- type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.misc.distance`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.misc.dstburb`*:: + -- type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.misc.edomain`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.misc.edomaub`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.misc.euid`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.misc.facility`*:: + -- -This key captures the Filter Result - -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.misc.finterface`*:: + -- -This key is used to capture destination payload - type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.misc.flags`*:: + -- -This key is used to capture source payload - type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.misc.gaddr`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool - type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.misc.id3`*:: + -- -This key is a failure key for Process ID when it is not an integer value - type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.misc.im_buddyname`*:: + -- -This key captures Risk Number Community - -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.misc.im_croomid`*:: + -- -This key captures Risk Number NextGen - -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.misc.im_croomtype`*:: + -- -This key captures Risk Number SandBox - -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.misc.im_members`*:: + -- -This key captures Risk Number Static - -type: double +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`rsa.misc.im_username`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.ipkt`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.ipscat`*:: + -- -SNMP Object Identifier - type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.ipspri`*:: + -- -This key captures the SQL query - type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.misc.latitude`*:: + -- -This key captures the Vulnerability Reference details - type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.linenum`*:: + -- type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.list_name`*:: + -- type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.load_data`*:: + -- type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.location_mark`*:: + -- type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.log_id`*:: + -- type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.lport`*:: + -- type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.mbug_data`*:: + -- type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.misc.misc_name`*:: + -- type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.msg_type`*:: + -- type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.msgid`*:: + -- type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.netsessid`*:: + -- type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.num`*:: + -- type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.number1`*:: + -- type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.number2`*:: + -- type: keyword -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.nwwn`*:: + -- type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.misc.object`*:: + -- type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.misc.operation`*:: + -- type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.misc.opkt`*:: + -- type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.orig_from`*:: + -- type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.owner_id`*:: + -- type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.misc.p_action`*:: + -- type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.p_filter`*:: + -- type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.misc.p_group_object`*:: + -- type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.misc.p_id`*:: + -- type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.misc.p_msgid1`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.misc.p_msgid2`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.p_result1`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.password_chg`*:: + -- type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.password_expire`*:: + -- type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.permgranted`*:: + -- type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.permwanted`*:: + -- type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.misc.pgid`*:: + -- type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.policyUUID`*:: + -- type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.prog_asp_num`*:: + -- type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.misc.program`*:: + -- type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.misc.real_data`*:: + -- type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.misc.rec_asp_device`*:: + -- type: keyword -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.misc.rec_asp_num`*:: + -- type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.misc.rec_library`*:: + -- type: keyword -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.misc.recordnum`*:: + -- type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.misc.ruid`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.misc.sburb`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.misc.sdomain_fld`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.misc.sec`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.misc.sensorname`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.misc.seqnum`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.misc.session`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.misc.sessiontype`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.misc.sigUUID`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.misc.spi`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.misc.srcburb`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.misc.srcdom`*:: + -- type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.misc.srcservice`*:: + -- type: keyword -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.misc.state`*:: + -- type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.misc.status1`*:: + -- type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.misc.svcno`*:: + -- type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.misc.system`*:: + -- type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.misc.tbdstr1`*:: + -- type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.misc.tgtdom`*:: + -- type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.misc.tgtdomain`*:: + -- type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.misc.threshold`*:: + -- type: keyword -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.misc.type1`*:: + -- type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.misc.udb_class`*:: + -- type: keyword -- -*`rsa.misc.cn_template_id`*:: +*`rsa.misc.url_fld`*:: + -- type: keyword -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.misc.user_div`*:: + -- type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.misc.utcstamp`*:: + -- type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.misc.v_instafname`*:: + -- type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.misc.virt_data`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.misc.autorun_type`*:: + -- +This is used to capture Auto Run type + type: keyword -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.misc.cc_number`*:: + -- -type: keyword +Valid Credit Card Numbers only + +type: long -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.misc.content`*:: + -- +This key captures the content type from protocol headers + type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.misc.ein_number`*:: + -- -type: keyword +Employee Identification Numbers only + +type: long -- -*`rsa.misc.criticality`*:: +*`rsa.misc.found`*:: + -- +This is used to capture the results of regex match + type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.misc.language`*:: + -- +This is used to capture list of languages the client support and what it prefers + type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.misc.lifetime`*:: + -- -type: keyword +This key is used to capture the session lifetime in seconds. + +type: long -- -*`rsa.misc.cs_av_other`*:: +*`rsa.misc.link`*:: + -- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.misc.match`*:: + -- +This key is for regex match name from search.ini + type: keyword -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.misc.param_dst`*:: + -- +This key captures the command line/launch argument of the target process or file + type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.misc.param_src`*:: + -- +This key captures source parameter + type: keyword -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.misc.search_text`*:: + -- +This key captures the Search Text used + type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.misc.sig_name`*:: + -- +This key is used to capture the Signature Name only. + type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.misc.snmp_value`*:: + -- +SNMP set request value + type: keyword -- -*`rsa.misc.cs_data`*:: +*`rsa.misc.streams`*:: + -- -type: keyword +This key captures number of streams in session + +type: long -- -*`rsa.misc.cs_datecret`*:: + +*`rsa.db.index`*:: + -- +This key captures IndexID of the index. + type: keyword -- -*`rsa.misc.cs_dst_tld`*:: +*`rsa.db.instance`*:: + -- +This key is used to capture the database server instance name + type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.db.database`*:: + -- +This key is used to capture the name of a database or an instance as seen in a session + type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.db.transact_id`*:: + -- +This key captures the SQL transantion ID of the current session + type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`rsa.db.permissions`*:: + -- +This key captures permission or privilege level assigned to a resource. + type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`rsa.db.table_name`*:: + -- +This key is used to capture the table name + type: keyword -- -*`rsa.misc.cs_fld`*:: +*`rsa.db.db_id`*:: + -- +This key is used to capture the unique identifier for a database + type: keyword -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.db.db_pid`*:: + -- -type: keyword +This key captures the process id of a connection with database server + +type: long -- -*`rsa.misc.cs_if_name`*:: +*`rsa.db.lread`*:: + -- -type: keyword +This key is used for the number of logical reads + +type: long -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.db.lwrite`*:: + -- -type: keyword +This key is used for the number of logical writes + +type: long -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.db.pread`*:: + -- -type: keyword +This key is used for the number of physical writes + +type: long -- -*`rsa.misc.cs_ipv4srcpre`*:: + +*`rsa.network.alias_host`*:: + -- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.network.host_dst`*:: + -- +This key should only be used when it’s a Destination Hostname + type: keyword -- -*`rsa.misc.cs_loginname`*:: +*`rsa.network.network_service`*:: + -- +This is used to capture layer 7 protocols/service names + type: keyword -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.network.interface`*:: + -- +This key should be used when the source or destination context of an interface is not clear + type: keyword -- -*`rsa.misc.cs_modulesign`*:: +*`rsa.network.network_port`*:: + -- -type: keyword +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long -- -*`rsa.misc.cs_opswatresult`*:: +*`rsa.network.eth_host`*:: + -- +Deprecated, use alias.mac + type: keyword -- -*`rsa.misc.cs_payload`*:: +*`rsa.network.sinterface`*:: + -- +This key should only be used when it’s a Source Interface + type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`rsa.network.dinterface`*:: + -- +This key should only be used when it’s a Destination Interface + type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.network.vlan`*:: + -- -type: keyword +This key should only be used to capture the ID of the Virtual LAN + +type: long -- -*`rsa.misc.cs_represult`*:: +*`rsa.network.zone_src`*:: + -- +This key should only be used when it’s a Source Zone. + type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.network.zone`*:: + -- +This key should be used when the source or destination context of a Zone is not clear + type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.network.zone_dst`*:: + -- +This key should only be used when it’s a Destination Zone. + type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.network.gateway`*:: + -- +This key is used to capture the IP Address of the gateway + type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.network.icmp_type`*:: + -- -type: keyword +This key is used to capture the ICMP type only + +type: long -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.network.mask`*:: + -- +This key is used to capture the device network IPmask. + type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.network.icmp_code`*:: + -- -type: keyword +This key is used to capture the ICMP code only + +type: long -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.network.protocol_detail`*:: + -- +This key should be used to capture additional protocol information + type: keyword -- -*`rsa.misc.cs_yararesult`*:: +*`rsa.network.dmask`*:: + -- +This key is used for Destionation Device network mask + type: keyword -- -*`rsa.misc.description`*:: +*`rsa.network.port`*:: + -- -type: keyword +This key should only be used to capture a Network Port when the directionality is not clear + +type: long -- -*`rsa.misc.devvendor`*:: +*`rsa.network.smask`*:: + -- +This key is used for capturing source Network Mask + type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.network.netname`*:: + -- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + type: keyword -- -*`rsa.misc.dstburb`*:: +*`rsa.network.paddr`*:: + -- -type: keyword +Deprecated + +type: ip -- -*`rsa.misc.edomain`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`rsa.misc.edomaub`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`rsa.misc.euid`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`rsa.misc.finterface`*:: +*`rsa.network.addr`*:: + -- type: keyword -- -*`rsa.misc.flags`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`rsa.misc.gaddr`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`rsa.misc.id3`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`rsa.misc.im_croomid`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use host.dst + type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.network.eth_type`*:: + -- -type: keyword +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long -- -*`rsa.misc.ipscat`*:: +*`rsa.network.ip_proto`*:: + -- -type: keyword +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long -- -*`rsa.misc.ipspri`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`rsa.misc.latitude`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`rsa.misc.load_data`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`rsa.misc.location_mark`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`rsa.misc.log_id`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.network.host_orig`*:: + -- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.network.rpayload`*:: + -- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + type: keyword -- -*`rsa.misc.logip`*:: +*`rsa.network.vlan_name`*:: + -- +This key should only be used to capture the name of the Virtual LAN + type: keyword -- -*`rsa.misc.logname`*:: + +*`rsa.investigations.ec_activity`*:: + -- +This key captures the particular event activity(Ex:Logoff) + type: keyword -- -*`rsa.misc.longitude`*:: +*`rsa.investigations.ec_theme`*:: + -- +This key captures the Theme of a particular Event(Ex:Authentication) + type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.investigations.ec_subject`*:: + -- +This key captures the Subject of a particular Event(Ex:User) + type: keyword -- -*`rsa.misc.mbug_data`*:: +*`rsa.investigations.ec_outcome`*:: + -- +This key captures the outcome of a particular Event(Ex:Success) + type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.investigations.event_cat`*:: + -- -type: keyword +This key captures the Event category number + +type: long -- -*`rsa.misc.msg_type`*:: +*`rsa.investigations.event_cat_name`*:: + -- +This key captures the event category name corresponding to the event cat code + type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.investigations.event_vcat`*:: + -- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + type: keyword -- -*`rsa.misc.netsessid`*:: +*`rsa.investigations.analysis_file`*:: + -- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + type: keyword -- -*`rsa.misc.num`*:: +*`rsa.investigations.analysis_service`*:: + -- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.investigations.analysis_session`*:: + -- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + type: keyword -- -*`rsa.misc.number2`*:: +*`rsa.investigations.boc`*:: + -- +This is used to capture behaviour of compromise + type: keyword -- -*`rsa.misc.nwwn`*:: +*`rsa.investigations.eoc`*:: + -- +This is used to capture Enablers of Compromise + type: keyword -- -*`rsa.misc.object`*:: +*`rsa.investigations.inv_category`*:: + -- +This used to capture investigation category + type: keyword -- -*`rsa.misc.operation`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context + type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.investigations.ioc`*:: + -- +This is key capture indicator of compromise + type: keyword -- -*`rsa.misc.orig_from`*:: + +*`rsa.counters.dclass_c1`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long -- -*`rsa.misc.owner_id`*:: +*`rsa.counters.dclass_c2`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long -- -*`rsa.misc.p_action`*:: +*`rsa.counters.event_counter`*:: + -- -type: keyword +This is used to capture the number of times an event repeated + +type: long -- -*`rsa.misc.p_filter`*:: +*`rsa.counters.dclass_r1`*:: + -- +This is a generic ratio key that should be used with the label dclass.r1.str only + type: keyword -- -*`rsa.misc.p_group_object`*:: +*`rsa.counters.dclass_c3`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long -- -*`rsa.misc.p_id`*:: +*`rsa.counters.dclass_c1_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c1 only + type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`rsa.counters.dclass_c2_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c2 only + type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`rsa.counters.dclass_r1_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r1 only + type: keyword -- -*`rsa.misc.p_result1`*:: +*`rsa.counters.dclass_r2`*:: + -- +This is a generic ratio key that should be used with the label dclass.r2.str only + type: keyword -- -*`rsa.misc.password_chg`*:: +*`rsa.counters.dclass_c3_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c3 only + type: keyword -- -*`rsa.misc.password_expire`*:: +*`rsa.counters.dclass_r3`*:: + -- +This is a generic ratio key that should be used with the label dclass.r3.str only + type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.counters.dclass_r2_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r2 only + type: keyword -- -*`rsa.misc.permwanted`*:: +*`rsa.counters.dclass_r3_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r3 only + type: keyword -- -*`rsa.misc.pgid`*:: + +*`rsa.identity.auth_method`*:: + -- +This key is used to capture authentication methods used only + type: keyword -- -*`rsa.misc.policyUUID`*:: +*`rsa.identity.user_role`*:: + -- +This key is used to capture the Role of a user only + type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.identity.dn`*:: + -- +X.500 (LDAP) Distinguished Name + type: keyword -- -*`rsa.misc.program`*:: +*`rsa.identity.logon_type`*:: + -- +This key is used to capture the type of logon method used. + type: keyword -- -*`rsa.misc.real_data`*:: +*`rsa.identity.profile`*:: + -- +This key is used to capture the user profile + type: keyword -- -*`rsa.misc.rec_asp_device`*:: +*`rsa.identity.accesses`*:: + -- +This key is used to capture actual privileges used in accessing an object + type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.identity.realm`*:: + -- +Radius realm or similar grouping of accounts + type: keyword -- -*`rsa.misc.rec_library`*:: +*`rsa.identity.user_sid_dst`*:: + -- +This key captures Destination User Session ID + type: keyword -- -*`rsa.misc.recordnum`*:: +*`rsa.identity.dn_src`*:: + -- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + type: keyword -- -*`rsa.misc.ruid`*:: +*`rsa.identity.org`*:: + -- +This key captures the User organization + type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.identity.dn_dst`*:: + -- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + type: keyword -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.identity.lastname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.sensorname`*:: +*`rsa.identity.user_dept`*:: + -- +User's Department Names only + type: keyword -- -*`rsa.misc.seqnum`*:: +*`rsa.identity.user_sid_src`*:: + -- +This key captures Source User Session ID + type: keyword -- -*`rsa.misc.session`*:: +*`rsa.identity.federated_sp`*:: + -- +This key is the Federated Service Provider. This is the application requesting authentication. + type: keyword -- -*`rsa.misc.sessiontype`*:: +*`rsa.identity.federated_idp`*:: + -- +This key is the federated Identity Provider. This is the server providing the authentication. + type: keyword -- -*`rsa.misc.sigUUID`*:: +*`rsa.identity.logon_type_desc`*:: + -- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.identity.middlename`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.srcburb`*:: +*`rsa.identity.password`*:: + -- +This key is for Passwords seen in any session, plain text or encrypted + type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.identity.host_role`*:: + -- +This key should only be used to capture the role of a Host Machine + type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.identity.ldap`*:: + -- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + type: keyword -- -*`rsa.misc.state`*:: +*`rsa.identity.ldap_query`*:: + -- +This key is the Search criteria from an LDAP search + type: keyword -- -*`rsa.misc.status1`*:: +*`rsa.identity.ldap_response`*:: + -- +This key is to capture Results from an LDAP search + type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.identity.owner`*:: + -- +This is used to capture username the process or service is running as, the author of the task + type: keyword -- -*`rsa.misc.system`*:: +*`rsa.identity.service_account`*:: + -- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + type: keyword -- -*`rsa.misc.tbdstr1`*:: + +*`rsa.email.email_dst`*:: + -- +This key is used to capture the Destination email address only, when the destination context is not clear use email + type: keyword -- -*`rsa.misc.tgtdom`*:: +*`rsa.email.email_src`*:: + -- +This key is used to capture the source email address only, when the source context is not clear use email + type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.email.subject`*:: + -- +This key is used to capture the subject string from an Email only. + type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.email.email`*:: + -- +This key is used to capture a generic email address where the source or destination context is not clear + type: keyword -- -*`rsa.misc.type1`*:: +*`rsa.email.trans_from`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.udb_class`*:: +*`rsa.email.trans_to`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.url_fld`*:: + +*`rsa.file.privilege`*:: + -- +Deprecated, use permissions + type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.file.attachment`*:: + -- +This key captures the attachment file name + type: keyword -- -*`rsa.misc.userid`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`rsa.misc.username_fld`*:: +*`rsa.file.binary`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.utcstamp`*:: +*`rsa.file.filename_dst`*:: + -- +This is used to capture name of the file targeted by the action + type: keyword -- -*`rsa.misc.v_instafname`*:: +*`rsa.file.filename_src`*:: + -- +This is used to capture name of the parent filename, the file which performed the action + type: keyword -- -*`rsa.misc.virt_data`*:: +*`rsa.file.filename_tmp`*:: + -- type: keyword -- -*`rsa.misc.vpnid`*:: +*`rsa.file.directory_dst`*:: + -- +This key is used to capture the directory of the target process or file + type: keyword -- -*`rsa.misc.autorun_type`*:: +*`rsa.file.directory_src`*:: + -- -This is used to capture Auto Run type +This key is used to capture the directory of the source process or file type: keyword -- -*`rsa.misc.cc_number`*:: +*`rsa.file.file_entropy`*:: + -- -Valid Credit Card Numbers only +This is used to capture entropy vale of a file -type: long +type: double -- -*`rsa.misc.content`*:: +*`rsa.file.file_vendor`*:: + -- -This key captures the content type from protocol headers +This is used to capture Company name of file located in version_info type: keyword -- -*`rsa.misc.ein_number`*:: +*`rsa.file.task_name`*:: + -- -Employee Identification Numbers only +This is used to capture name of the task -type: long +type: keyword -- -*`rsa.misc.found`*:: + +*`rsa.web.fqdn`*:: + -- -This is used to capture the results of regex match +Fully Qualified Domain Names type: keyword -- -*`rsa.misc.language`*:: +*`rsa.web.web_cookie`*:: + -- -This is used to capture list of languages the client support and what it prefers +This key is used to capture the Web cookies specifically. type: keyword -- -*`rsa.misc.lifetime`*:: +*`rsa.web.alias_host`*:: + -- -This key is used to capture the session lifetime in seconds. - -type: long +type: keyword -- -*`rsa.misc.link`*:: +*`rsa.web.reputation_num`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Reputation Number of an entity. Typically used for Web Domains -type: keyword +type: double -- -*`rsa.misc.match`*:: +*`rsa.web.web_ref_domain`*:: + -- -This key is for regex match name from search.ini +Web referer's domain type: keyword -- -*`rsa.misc.param_dst`*:: +*`rsa.web.web_ref_query`*:: + -- -This key captures the command line/launch argument of the target process or file +This key captures Web referer's query portion of the URL type: keyword -- -*`rsa.misc.param_src`*:: +*`rsa.web.remote_domain`*:: + -- -This key captures source parameter - type: keyword -- -*`rsa.misc.search_text`*:: +*`rsa.web.web_ref_page`*:: + -- -This key captures the Search Text used +This key captures Web referer's page information type: keyword -- -*`rsa.misc.sig_name`*:: +*`rsa.web.web_ref_root`*:: + -- -This key is used to capture the Signature Name only. +Web referer's root URL path type: keyword -- -*`rsa.misc.snmp_value`*:: +*`rsa.web.cn_asn_dst`*:: + -- -SNMP set request value - type: keyword -- -*`rsa.misc.streams`*:: +*`rsa.web.cn_rpackets`*:: + -- -This key captures number of streams in session +type: keyword -type: long +-- +*`rsa.web.urlpage`*:: ++ -- +type: keyword +-- -*`rsa.db.index`*:: +*`rsa.web.urlroot`*:: + -- -This key captures IndexID of the index. - type: keyword -- -*`rsa.db.instance`*:: +*`rsa.web.p_url`*:: + -- -This key is used to capture the database server instance name - type: keyword -- -*`rsa.db.database`*:: +*`rsa.web.p_user_agent`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session - type: keyword -- -*`rsa.db.transact_id`*:: +*`rsa.web.p_web_cookie`*:: + -- -This key captures the SQL transantion ID of the current session - type: keyword -- -*`rsa.db.permissions`*:: +*`rsa.web.p_web_method`*:: + -- -This key captures permission or privilege level assigned to a resource. - type: keyword -- -*`rsa.db.table_name`*:: +*`rsa.web.p_web_referer`*:: + -- -This key is used to capture the table name - type: keyword -- -*`rsa.db.db_id`*:: +*`rsa.web.web_extension_tmp`*:: + -- -This key is used to capture the unique identifier for a database - type: keyword -- -*`rsa.db.db_pid`*:: +*`rsa.web.web_page`*:: + -- -This key captures the process id of a connection with database server - -type: long +type: keyword -- -*`rsa.db.lread`*:: + +*`rsa.threat.threat_category`*:: + -- -This key is used for the number of logical reads +This key captures Threat Name/Threat Category/Categorization of alert -type: long +type: keyword -- -*`rsa.db.lwrite`*:: +*`rsa.threat.threat_desc`*:: + -- -This key is used for the number of logical writes +This key is used to capture the threat description from the session directly or inferred -type: long +type: keyword -- -*`rsa.db.pread`*:: +*`rsa.threat.alert`*:: + -- -This key is used for the number of physical writes +This key is used to capture name of the alert -type: long +type: keyword -- - -*`rsa.network.alias_host`*:: +*`rsa.threat.threat_source`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. +This key is used to capture source of the threat type: keyword -- -*`rsa.network.domain`*:: + +*`rsa.crypto.crypto`*:: + -- +This key is used to capture the Encryption Type or Encryption Key only + type: keyword -- -*`rsa.network.host_dst`*:: +*`rsa.crypto.cipher_src`*:: + -- -This key should only be used when it’s a Destination Hostname +This key is for Source (Client) Cipher type: keyword -- -*`rsa.network.network_service`*:: +*`rsa.crypto.cert_subject`*:: + -- -This is used to capture layer 7 protocols/service names +This key is used to capture the Certificate organization only type: keyword -- -*`rsa.network.interface`*:: +*`rsa.crypto.peer`*:: + -- -This key should be used when the source or destination context of an interface is not clear +This key is for Encryption peer's IP Address type: keyword -- -*`rsa.network.network_port`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) +This key captures Source (Client) Cipher Size type: long -- -*`rsa.network.eth_host`*:: +*`rsa.crypto.ike`*:: + -- -Deprecated, use alias.mac +IKE negotiation phase. type: keyword -- -*`rsa.network.sinterface`*:: +*`rsa.crypto.scheme`*:: + -- -This key should only be used when it’s a Source Interface +This key captures the Encryption scheme used type: keyword -- -*`rsa.network.dinterface`*:: +*`rsa.crypto.peer_id`*:: + -- -This key should only be used when it’s a Destination Interface +This key is for Encryption peer’s identity type: keyword -- -*`rsa.network.vlan`*:: +*`rsa.crypto.sig_type`*:: + -- -This key should only be used to capture the ID of the Virtual LAN +This key captures the Signature Type -type: long +type: keyword -- -*`rsa.network.zone_src`*:: +*`rsa.crypto.cert_issuer`*:: + -- -This key should only be used when it’s a Source Zone. - type: keyword -- -*`rsa.network.zone`*:: +*`rsa.crypto.cert_host_name`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +Deprecated key defined only in table map. type: keyword -- -*`rsa.network.zone_dst`*:: +*`rsa.crypto.cert_error`*:: + -- -This key should only be used when it’s a Destination Zone. +This key captures the Certificate Error String type: keyword -- -*`rsa.network.gateway`*:: +*`rsa.crypto.cipher_dst`*:: + -- -This key is used to capture the IP Address of the gateway +This key is for Destination (Server) Cipher type: keyword -- -*`rsa.network.icmp_type`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -This key is used to capture the ICMP type only +This key captures Destination (Server) Cipher Size type: long -- -*`rsa.network.mask`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -This key is used to capture the device network IPmask. +Deprecated, use version type: keyword -- -*`rsa.network.icmp_code`*:: +*`rsa.crypto.d_certauth`*:: + -- -This key is used to capture the ICMP code only - -type: long +type: keyword -- -*`rsa.network.protocol_detail`*:: +*`rsa.crypto.s_certauth`*:: + -- -This key should be used to capture additional protocol information - type: keyword -- -*`rsa.network.dmask`*:: +*`rsa.crypto.ike_cookie1`*:: + -- -This key is used for Destionation Device network mask +ID of the negotiation — sent for ISAKMP Phase One type: keyword -- -*`rsa.network.port`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear +ID of the negotiation — sent for ISAKMP Phase Two -type: long +type: keyword -- -*`rsa.network.smask`*:: +*`rsa.crypto.cert_checksum`*:: + -- -This key is used for capturing source Network Mask - type: keyword -- -*`rsa.network.netname`*:: +*`rsa.crypto.cert_host_cat`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. +This key is used for the hostname category value of a certificate type: keyword -- -*`rsa.network.paddr`*:: +*`rsa.crypto.cert_serial`*:: + -- -Deprecated +This key is used to capture the Certificate serial number only -type: ip +type: keyword -- -*`rsa.network.faddr`*:: +*`rsa.crypto.cert_status`*:: + -- +This key captures Certificate validation status + type: keyword -- -*`rsa.network.lhost`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.network.origin`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`rsa.network.remote_domain_id`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`rsa.network.addr`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`rsa.network.dns_a_record`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`rsa.network.dns_ptr_record`*:: +*`rsa.crypto.cert_ca`*:: + -- +This key is used to capture the Certificate signing authority only + type: keyword -- -*`rsa.network.fhost`*:: +*`rsa.crypto.cert_common`*:: + -- +This key is used to capture the Certificate common name only + type: keyword -- -*`rsa.network.fport`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- +This key is used to capture the ssid of a Wireless Session + type: keyword -- -*`rsa.network.laddr`*:: +*`rsa.wireless.access_point`*:: + -- +This key is used to capture the access point name. + type: keyword -- -*`rsa.network.linterface`*:: +*`rsa.wireless.wlan_channel`*:: + -- -type: keyword +This is used to capture the channel names + +type: long -- -*`rsa.network.phost`*:: +*`rsa.wireless.wlan_name`*:: + -- +This key captures either WLAN number/name + type: keyword -- -*`rsa.network.ad_computer_dst`*:: + +*`rsa.storage.disk_volume`*:: + -- -Deprecated, use host.dst +A unique name assigned to logical units (volumes) within a physical disk type: keyword -- -*`rsa.network.eth_type`*:: +*`rsa.storage.lun`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only +Logical Unit Number.This key is a very useful concept in Storage. -type: long +type: keyword -- -*`rsa.network.ip_proto`*:: +*`rsa.storage.pwwn`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +This uniquely identifies a port on a HBA. -type: long +type: keyword -- -*`rsa.network.dns_cname_record`*:: + +*`rsa.physical.org_dst`*:: + -- +This is used to capture the destination organization based on the GEOPIP Maxmind database. + type: keyword -- -*`rsa.network.dns_id`*:: +*`rsa.physical.org_src`*:: + -- +This is used to capture the source organization based on the GEOPIP Maxmind database. + type: keyword -- -*`rsa.network.dns_opcode`*:: + +*`rsa.healthcare.patient_fname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.network.dns_resp`*:: +*`rsa.healthcare.patient_id`*:: + -- +This key captures the unique ID for a patient + type: keyword -- -*`rsa.network.dns_type`*:: +*`rsa.healthcare.patient_lname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.network.domain1`*:: +*`rsa.healthcare.patient_mname`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.network.host_type`*:: + +*`rsa.endpoint.host_state`*:: + -- +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + type: keyword -- -*`rsa.network.packet_length`*:: +*`rsa.endpoint.registry_key`*:: + -- +This key captures the path to the registry key + type: keyword -- -*`rsa.network.host_orig`*:: +*`rsa.endpoint.registry_value`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. +This key captures values or decorators used within a registry entry type: keyword -- -*`rsa.network.rpayload`*:: +[[exported-fields-suricata]] +== Suricata fields + +Module for handling the EVE JSON logs produced by Suricata. + + + +[float] +=== suricata + +Fields from the Suricata EVE log file. + + + +[float] +=== eve + +Fields exported by the EVE JSON logs + + + +*`suricata.eve.event_type`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. - type: keyword -- -*`rsa.network.vlan_name`*:: +*`suricata.eve.app_proto_orig`*:: + -- -This key should only be used to capture the name of the Virtual LAN - type: keyword -- -*`rsa.investigations.ec_activity`*:: +*`suricata.eve.tcp.tcp_flags`*:: + -- -This key captures the particular event activity(Ex:Logoff) - type: keyword -- -*`rsa.investigations.ec_theme`*:: +*`suricata.eve.tcp.psh`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) - -type: keyword +type: boolean -- -*`rsa.investigations.ec_subject`*:: +*`suricata.eve.tcp.tcp_flags_tc`*:: + -- -This key captures the Subject of a particular Event(Ex:User) - type: keyword -- -*`rsa.investigations.ec_outcome`*:: +*`suricata.eve.tcp.ack`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) - -type: keyword +type: boolean -- -*`rsa.investigations.event_cat`*:: +*`suricata.eve.tcp.syn`*:: + -- -This key captures the Event category number - -type: long +type: boolean -- -*`rsa.investigations.event_cat_name`*:: +*`suricata.eve.tcp.state`*:: + -- -This key captures the event category name corresponding to the event cat code - type: keyword -- -*`rsa.investigations.event_vcat`*:: +*`suricata.eve.tcp.tcp_flags_ts`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - type: keyword -- -*`rsa.investigations.analysis_file`*:: +*`suricata.eve.tcp.rst`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - -type: keyword +type: boolean -- -*`rsa.investigations.analysis_service`*:: +*`suricata.eve.tcp.fin`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - -type: keyword +type: boolean -- -*`rsa.investigations.analysis_session`*:: + +*`suricata.eve.fileinfo.sha1`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - type: keyword -- -*`rsa.investigations.boc`*:: +*`suricata.eve.fileinfo.filename`*:: + -- -This is used to capture behaviour of compromise +type: alias -type: keyword +alias to: file.path -- -*`rsa.investigations.eoc`*:: +*`suricata.eve.fileinfo.tx_id`*:: + -- -This is used to capture Enablers of Compromise - -type: keyword +type: long -- -*`rsa.investigations.inv_category`*:: +*`suricata.eve.fileinfo.state`*:: + -- -This used to capture investigation category - type: keyword -- -*`rsa.investigations.inv_context`*:: +*`suricata.eve.fileinfo.stored`*:: + -- -This used to capture investigation context - -type: keyword +type: boolean -- -*`rsa.investigations.ioc`*:: +*`suricata.eve.fileinfo.gaps`*:: + -- -This is key capture indicator of compromise +type: boolean -type: keyword +-- +*`suricata.eve.fileinfo.sha256`*:: ++ -- +type: keyword +-- -*`rsa.counters.dclass_c1`*:: +*`suricata.eve.fileinfo.md5`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only - -type: long +type: keyword -- -*`rsa.counters.dclass_c2`*:: +*`suricata.eve.fileinfo.size`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only +type: alias -type: long +alias to: file.size -- -*`rsa.counters.event_counter`*:: +*`suricata.eve.icmp_type`*:: + -- -This is used to capture the number of times an event repeated - type: long -- -*`rsa.counters.dclass_r1`*:: +*`suricata.eve.dest_port`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +type: alias -type: keyword +alias to: destination.port -- -*`rsa.counters.dclass_c3`*:: +*`suricata.eve.src_port`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +type: alias -type: long +alias to: source.port -- -*`rsa.counters.dclass_c1_str`*:: +*`suricata.eve.proto`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +type: alias -type: keyword +alias to: network.transport -- -*`rsa.counters.dclass_c2_str`*:: +*`suricata.eve.pcap_cnt`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only - -type: keyword +type: long -- -*`rsa.counters.dclass_r1_str`*:: +*`suricata.eve.src_ip`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only +type: alias -type: keyword +alias to: source.ip -- -*`rsa.counters.dclass_r2`*:: + +*`suricata.eve.dns.type`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only - type: keyword -- -*`rsa.counters.dclass_c3_str`*:: +*`suricata.eve.dns.rrtype`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only - type: keyword -- -*`rsa.counters.dclass_r3`*:: +*`suricata.eve.dns.rrname`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only - type: keyword -- -*`rsa.counters.dclass_r2_str`*:: +*`suricata.eve.dns.rdata`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only - type: keyword -- -*`rsa.counters.dclass_r3_str`*:: +*`suricata.eve.dns.tx_id`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only - -type: keyword +type: long -- - -*`rsa.identity.auth_method`*:: +*`suricata.eve.dns.ttl`*:: + -- -This key is used to capture authentication methods used only - -type: keyword +type: long -- -*`rsa.identity.user_role`*:: +*`suricata.eve.dns.rcode`*:: + -- -This key is used to capture the Role of a user only - type: keyword -- -*`rsa.identity.dn`*:: +*`suricata.eve.dns.id`*:: + -- -X.500 (LDAP) Distinguished Name - -type: keyword +type: long -- -*`rsa.identity.logon_type`*:: +*`suricata.eve.flow_id`*:: + -- -This key is used to capture the type of logon method used. - type: keyword -- -*`rsa.identity.profile`*:: + +*`suricata.eve.email.status`*:: + -- -This key is used to capture the user profile - type: keyword -- -*`rsa.identity.accesses`*:: +*`suricata.eve.dest_ip`*:: + -- -This key is used to capture actual privileges used in accessing an object +type: alias -type: keyword +alias to: destination.ip -- -*`rsa.identity.realm`*:: +*`suricata.eve.icmp_code`*:: + -- -Radius realm or similar grouping of accounts - -type: keyword +type: long -- -*`rsa.identity.user_sid_dst`*:: + +*`suricata.eve.http.status`*:: + -- -This key captures Destination User Session ID +type: alias -type: keyword +alias to: http.response.status_code -- -*`rsa.identity.dn_src`*:: +*`suricata.eve.http.redirect`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - type: keyword -- -*`rsa.identity.org`*:: +*`suricata.eve.http.http_user_agent`*:: + -- -This key captures the User organization +type: alias -type: keyword +alias to: user_agent.original -- -*`rsa.identity.dn_dst`*:: +*`suricata.eve.http.protocol`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - type: keyword -- -*`rsa.identity.firstname`*:: +*`suricata.eve.http.http_refer`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +type: alias -type: keyword +alias to: http.request.referrer -- -*`rsa.identity.lastname`*:: +*`suricata.eve.http.url`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +type: alias -type: keyword +alias to: url.original -- -*`rsa.identity.user_dept`*:: +*`suricata.eve.http.hostname`*:: + -- -User's Department Names only +type: alias -type: keyword +alias to: url.domain -- -*`rsa.identity.user_sid_src`*:: +*`suricata.eve.http.length`*:: + -- -This key captures Source User Session ID +type: alias -type: keyword +alias to: http.response.body.bytes -- -*`rsa.identity.federated_sp`*:: +*`suricata.eve.http.http_method`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. +type: alias -type: keyword +alias to: http.request.method -- -*`rsa.identity.federated_idp`*:: +*`suricata.eve.http.http_content_type`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. - type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`suricata.eve.timestamp`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. +type: alias -type: keyword +alias to: @timestamp -- -*`rsa.identity.middlename`*:: +*`suricata.eve.in_iface`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.password`*:: + +*`suricata.eve.alert.category`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted - type: keyword -- -*`rsa.identity.host_role`*:: +*`suricata.eve.alert.severity`*:: + -- -This key should only be used to capture the role of a Host Machine +type: alias -type: keyword +alias to: event.severity -- -*`rsa.identity.ldap`*:: +*`suricata.eve.alert.rev`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - -type: keyword +type: long -- -*`rsa.identity.ldap_query`*:: +*`suricata.eve.alert.gid`*:: + -- -This key is the Search criteria from an LDAP search - -type: keyword +type: long -- -*`rsa.identity.ldap_response`*:: +*`suricata.eve.alert.signature`*:: + -- -This key is to capture Results from an LDAP search - type: keyword -- -*`rsa.identity.owner`*:: +*`suricata.eve.alert.action`*:: + -- -This is used to capture username the process or service is running as, the author of the task +type: alias -type: keyword +alias to: event.outcome -- -*`rsa.identity.service_account`*:: +*`suricata.eve.alert.signature_id`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - -type: keyword +type: long -- -*`rsa.email.email_dst`*:: + +*`suricata.eve.ssh.client.proto_version`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email - type: keyword -- -*`rsa.email.email_src`*:: +*`suricata.eve.ssh.client.software_version`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email - type: keyword -- -*`rsa.email.subject`*:: + +*`suricata.eve.ssh.server.proto_version`*:: + -- -This key is used to capture the subject string from an Email only. - type: keyword -- -*`rsa.email.email`*:: +*`suricata.eve.ssh.server.software_version`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear - type: keyword -- -*`rsa.email.trans_from`*:: + + +*`suricata.eve.stats.capture.kernel_packets`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: long -- -*`rsa.email.trans_to`*:: +*`suricata.eve.stats.capture.kernel_drops`*:: + -- -Deprecated key defined only in table map. +type: long -type: keyword +-- +*`suricata.eve.stats.capture.kernel_ifdrops`*:: ++ -- +type: long +-- -*`rsa.file.privilege`*:: +*`suricata.eve.stats.uptime`*:: + -- -Deprecated, use permissions - -type: keyword +type: long -- -*`rsa.file.attachment`*:: + +*`suricata.eve.stats.detect.alert`*:: + -- -This key captures the attachment file name - -type: keyword +type: long -- -*`rsa.file.filesystem`*:: + +*`suricata.eve.stats.http.memcap`*:: + -- -type: keyword +type: long -- -*`rsa.file.binary`*:: +*`suricata.eve.stats.http.memuse`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: long -- -*`rsa.file.filename_dst`*:: + +*`suricata.eve.stats.file_store.open_files`*:: + -- -This is used to capture name of the file targeted by the action - -type: keyword +type: long -- -*`rsa.file.filename_src`*:: + +*`suricata.eve.stats.defrag.max_frag_hits`*:: + -- -This is used to capture name of the parent filename, the file which performed the action - -type: keyword +type: long -- -*`rsa.file.filename_tmp`*:: + +*`suricata.eve.stats.defrag.ipv4.timeouts`*:: + -- -type: keyword +type: long -- -*`rsa.file.directory_dst`*:: +*`suricata.eve.stats.defrag.ipv4.fragments`*:: + -- -This key is used to capture the directory of the target process or file - -type: keyword +type: long -- -*`rsa.file.directory_src`*:: +*`suricata.eve.stats.defrag.ipv4.reassembled`*:: + -- -This key is used to capture the directory of the source process or file - -type: keyword +type: long -- -*`rsa.file.file_entropy`*:: + +*`suricata.eve.stats.defrag.ipv6.timeouts`*:: + -- -This is used to capture entropy vale of a file - -type: double +type: long -- -*`rsa.file.file_vendor`*:: +*`suricata.eve.stats.defrag.ipv6.fragments`*:: + -- -This is used to capture Company name of file located in version_info - -type: keyword +type: long -- -*`rsa.file.task_name`*:: +*`suricata.eve.stats.defrag.ipv6.reassembled`*:: + -- -This is used to capture name of the task - -type: keyword +type: long -- -*`rsa.web.fqdn`*:: +*`suricata.eve.stats.flow.tcp_reuse`*:: + -- -Fully Qualified Domain Names - -type: keyword +type: long -- -*`rsa.web.web_cookie`*:: +*`suricata.eve.stats.flow.udp`*:: + -- -This key is used to capture the Web cookies specifically. - -type: keyword +type: long -- -*`rsa.web.alias_host`*:: +*`suricata.eve.stats.flow.memcap`*:: + -- -type: keyword +type: long -- -*`rsa.web.reputation_num`*:: +*`suricata.eve.stats.flow.emerg_mode_entered`*:: + -- -Reputation Number of an entity. Typically used for Web Domains - -type: double +type: long -- -*`rsa.web.web_ref_domain`*:: +*`suricata.eve.stats.flow.emerg_mode_over`*:: + -- -Web referer's domain - -type: keyword +type: long -- -*`rsa.web.web_ref_query`*:: +*`suricata.eve.stats.flow.tcp`*:: + -- -This key captures Web referer's query portion of the URL - -type: keyword +type: long -- -*`rsa.web.remote_domain`*:: +*`suricata.eve.stats.flow.icmpv6`*:: + -- -type: keyword +type: long -- -*`rsa.web.web_ref_page`*:: +*`suricata.eve.stats.flow.icmpv4`*:: + -- -This key captures Web referer's page information - -type: keyword +type: long -- -*`rsa.web.web_ref_root`*:: +*`suricata.eve.stats.flow.spare`*:: + -- -Web referer's root URL path - -type: keyword +type: long -- -*`rsa.web.cn_asn_dst`*:: +*`suricata.eve.stats.flow.memuse`*:: + -- -type: keyword +type: long -- -*`rsa.web.cn_rpackets`*:: + +*`suricata.eve.stats.tcp.pseudo_failed`*:: + -- -type: keyword +type: long -- -*`rsa.web.urlpage`*:: +*`suricata.eve.stats.tcp.ssn_memcap_drop`*:: + -- -type: keyword +type: long -- -*`rsa.web.urlroot`*:: +*`suricata.eve.stats.tcp.insert_data_overlap_fail`*:: + -- -type: keyword +type: long -- -*`rsa.web.p_url`*:: +*`suricata.eve.stats.tcp.sessions`*:: + -- -type: keyword +type: long -- -*`rsa.web.p_user_agent`*:: +*`suricata.eve.stats.tcp.pseudo`*:: + -- -type: keyword +type: long -- -*`rsa.web.p_web_cookie`*:: +*`suricata.eve.stats.tcp.synack`*:: + -- -type: keyword +type: long -- -*`rsa.web.p_web_method`*:: +*`suricata.eve.stats.tcp.insert_data_normal_fail`*:: + -- -type: keyword +type: long -- -*`rsa.web.p_web_referer`*:: +*`suricata.eve.stats.tcp.syn`*:: + -- -type: keyword +type: long -- -*`rsa.web.web_extension_tmp`*:: +*`suricata.eve.stats.tcp.memuse`*:: + -- -type: keyword +type: long -- -*`rsa.web.web_page`*:: +*`suricata.eve.stats.tcp.invalid_checksum`*:: + -- -type: keyword +type: long -- - -*`rsa.threat.threat_category`*:: +*`suricata.eve.stats.tcp.segment_memcap_drop`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert - -type: keyword +type: long -- -*`rsa.threat.threat_desc`*:: +*`suricata.eve.stats.tcp.overlap`*:: + -- -This key is used to capture the threat description from the session directly or inferred - -type: keyword +type: long -- -*`rsa.threat.alert`*:: +*`suricata.eve.stats.tcp.insert_list_fail`*:: + -- -This key is used to capture name of the alert - -type: keyword +type: long -- -*`rsa.threat.threat_source`*:: +*`suricata.eve.stats.tcp.rst`*:: + -- -This key is used to capture source of the threat +type: long -type: keyword +-- +*`suricata.eve.stats.tcp.stream_depth_reached`*:: ++ -- +type: long +-- -*`rsa.crypto.crypto`*:: +*`suricata.eve.stats.tcp.reassembly_memuse`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only - -type: keyword +type: long -- -*`rsa.crypto.cipher_src`*:: +*`suricata.eve.stats.tcp.reassembly_gap`*:: + -- -This key is for Source (Client) Cipher - -type: keyword +type: long -- -*`rsa.crypto.cert_subject`*:: +*`suricata.eve.stats.tcp.overlap_diff_data`*:: + -- -This key is used to capture the Certificate organization only - -type: keyword +type: long -- -*`rsa.crypto.peer`*:: +*`suricata.eve.stats.tcp.no_flow`*:: + -- -This key is for Encryption peer's IP Address - -type: keyword +type: long -- -*`rsa.crypto.cipher_size_src`*:: + +*`suricata.eve.stats.decoder.avg_pkt_size`*:: + -- -This key captures Source (Client) Cipher Size - type: long -- -*`rsa.crypto.ike`*:: +*`suricata.eve.stats.decoder.bytes`*:: + -- -IKE negotiation phase. - -type: keyword +type: long -- -*`rsa.crypto.scheme`*:: +*`suricata.eve.stats.decoder.tcp`*:: + -- -This key captures the Encryption scheme used - -type: keyword +type: long -- -*`rsa.crypto.peer_id`*:: +*`suricata.eve.stats.decoder.raw`*:: + -- -This key is for Encryption peer’s identity - -type: keyword +type: long -- -*`rsa.crypto.sig_type`*:: +*`suricata.eve.stats.decoder.ppp`*:: + -- -This key captures the Signature Type - -type: keyword +type: long -- -*`rsa.crypto.cert_issuer`*:: +*`suricata.eve.stats.decoder.vlan_qinq`*:: + -- -type: keyword +type: long -- -*`rsa.crypto.cert_host_name`*:: +*`suricata.eve.stats.decoder.null`*:: + -- -Deprecated key defined only in table map. - -type: keyword +type: long -- -*`rsa.crypto.cert_error`*:: + +*`suricata.eve.stats.decoder.ltnull.unsupported_type`*:: + -- -This key captures the Certificate Error String - -type: keyword +type: long -- -*`rsa.crypto.cipher_dst`*:: +*`suricata.eve.stats.decoder.ltnull.pkt_too_small`*:: + -- -This key is for Destination (Server) Cipher - -type: keyword +type: long -- -*`rsa.crypto.cipher_size_dst`*:: +*`suricata.eve.stats.decoder.invalid`*:: + -- -This key captures Destination (Server) Cipher Size - type: long -- -*`rsa.crypto.ssl_ver_src`*:: +*`suricata.eve.stats.decoder.gre`*:: + -- -Deprecated, use version - -type: keyword +type: long -- -*`rsa.crypto.d_certauth`*:: +*`suricata.eve.stats.decoder.ipv4`*:: + -- -type: keyword +type: long -- -*`rsa.crypto.s_certauth`*:: +*`suricata.eve.stats.decoder.ipv6`*:: + -- -type: keyword +type: long -- -*`rsa.crypto.ike_cookie1`*:: +*`suricata.eve.stats.decoder.pkts`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One - -type: keyword +type: long -- -*`rsa.crypto.ike_cookie2`*:: +*`suricata.eve.stats.decoder.ipv6_in_ipv6`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two - -type: keyword +type: long -- -*`rsa.crypto.cert_checksum`*:: + +*`suricata.eve.stats.decoder.ipraw.invalid_ip_version`*:: + -- -type: keyword +type: long -- -*`rsa.crypto.cert_host_cat`*:: +*`suricata.eve.stats.decoder.pppoe`*:: + -- -This key is used for the hostname category value of a certificate - -type: keyword +type: long -- -*`rsa.crypto.cert_serial`*:: +*`suricata.eve.stats.decoder.udp`*:: + -- -This key is used to capture the Certificate serial number only - -type: keyword +type: long -- -*`rsa.crypto.cert_status`*:: + +*`suricata.eve.stats.decoder.dce.pkt_too_small`*:: + -- -This key captures Certificate validation status - -type: keyword +type: long -- -*`rsa.crypto.ssl_ver_dst`*:: +*`suricata.eve.stats.decoder.vlan`*:: + -- -Deprecated, use version - -type: keyword +type: long -- -*`rsa.crypto.cert_keysize`*:: +*`suricata.eve.stats.decoder.sctp`*:: + -- -type: keyword +type: long -- -*`rsa.crypto.cert_username`*:: +*`suricata.eve.stats.decoder.max_pkt_size`*:: + -- -type: keyword +type: long -- -*`rsa.crypto.https_insact`*:: +*`suricata.eve.stats.decoder.teredo`*:: + -- -type: keyword +type: long -- -*`rsa.crypto.https_valid`*:: +*`suricata.eve.stats.decoder.mpls`*:: + -- -type: keyword +type: long -- -*`rsa.crypto.cert_ca`*:: +*`suricata.eve.stats.decoder.sll`*:: + -- -This key is used to capture the Certificate signing authority only - -type: keyword +type: long -- -*`rsa.crypto.cert_common`*:: +*`suricata.eve.stats.decoder.icmpv6`*:: + -- -This key is used to capture the Certificate common name only +type: long -type: keyword +-- +*`suricata.eve.stats.decoder.icmpv4`*:: ++ -- +type: long +-- -*`rsa.wireless.wlan_ssid`*:: +*`suricata.eve.stats.decoder.erspan`*:: + -- -This key is used to capture the ssid of a Wireless Session - -type: keyword +type: long -- -*`rsa.wireless.access_point`*:: +*`suricata.eve.stats.decoder.ethernet`*:: + -- -This key is used to capture the access point name. - -type: keyword +type: long -- -*`rsa.wireless.wlan_channel`*:: +*`suricata.eve.stats.decoder.ipv4_in_ipv6`*:: + -- -This is used to capture the channel names - type: long -- -*`rsa.wireless.wlan_name`*:: +*`suricata.eve.stats.decoder.ieee8021ah`*:: + -- -This key captures either WLAN number/name - -type: keyword +type: long -- -*`rsa.storage.disk_volume`*:: +*`suricata.eve.stats.dns.memcap_global`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk - -type: keyword +type: long -- -*`rsa.storage.lun`*:: +*`suricata.eve.stats.dns.memcap_state`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. - -type: keyword +type: long -- -*`rsa.storage.pwwn`*:: +*`suricata.eve.stats.dns.memuse`*:: + -- -This uniquely identifies a port on a HBA. - -type: keyword +type: long -- -*`rsa.physical.org_dst`*:: +*`suricata.eve.stats.flow_mgr.rows_busy`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - -type: keyword +type: long -- -*`rsa.physical.org_src`*:: +*`suricata.eve.stats.flow_mgr.flows_timeout`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. +type: long -type: keyword +-- +*`suricata.eve.stats.flow_mgr.flows_notimeout`*:: ++ -- +type: long +-- -*`rsa.healthcare.patient_fname`*:: +*`suricata.eve.stats.flow_mgr.rows_skipped`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword +type: long -- -*`rsa.healthcare.patient_id`*:: +*`suricata.eve.stats.flow_mgr.closed_pruned`*:: + -- -This key captures the unique ID for a patient - -type: keyword +type: long -- -*`rsa.healthcare.patient_lname`*:: +*`suricata.eve.stats.flow_mgr.new_pruned`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - -type: keyword +type: long -- -*`rsa.healthcare.patient_mname`*:: +*`suricata.eve.stats.flow_mgr.flows_removed`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +type: long -type: keyword +-- +*`suricata.eve.stats.flow_mgr.bypassed_pruned`*:: ++ -- +type: long +-- -*`rsa.endpoint.host_state`*:: +*`suricata.eve.stats.flow_mgr.est_pruned`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - -type: keyword +type: long -- -*`rsa.endpoint.registry_key`*:: +*`suricata.eve.stats.flow_mgr.flows_timeout_inuse`*:: + -- -This key captures the path to the registry key - -type: keyword +type: long -- -*`rsa.endpoint.registry_value`*:: +*`suricata.eve.stats.flow_mgr.flows_checked`*:: + -- -This key captures values or decorators used within a registry entry +type: long -type: keyword +-- +*`suricata.eve.stats.flow_mgr.rows_maxlen`*:: ++ -- +type: long -[[exported-fields-suricata]] -== Suricata fields +-- -Module for handling the EVE JSON logs produced by Suricata. +*`suricata.eve.stats.flow_mgr.rows_checked`*:: ++ +-- +type: long +-- + +*`suricata.eve.stats.flow_mgr.rows_empty`*:: ++ +-- +type: long +-- -[float] -=== suricata -Fields from the Suricata EVE log file. +*`suricata.eve.stats.app_layer.flow.tls`*:: ++ +-- +type: long +-- -[float] -=== eve +*`suricata.eve.stats.app_layer.flow.ftp`*:: ++ +-- +type: long -Fields exported by the EVE JSON logs +-- +*`suricata.eve.stats.app_layer.flow.http`*:: ++ +-- +type: long +-- -*`suricata.eve.event_type`*:: +*`suricata.eve.stats.app_layer.flow.failed_udp`*:: + -- -type: keyword +type: long -- -*`suricata.eve.app_proto_orig`*:: +*`suricata.eve.stats.app_layer.flow.dns_udp`*:: + -- -type: keyword +type: long -- - -*`suricata.eve.tcp.tcp_flags`*:: +*`suricata.eve.stats.app_layer.flow.dns_tcp`*:: + -- -type: keyword +type: long -- -*`suricata.eve.tcp.psh`*:: +*`suricata.eve.stats.app_layer.flow.smtp`*:: + -- -type: boolean +type: long -- -*`suricata.eve.tcp.tcp_flags_tc`*:: +*`suricata.eve.stats.app_layer.flow.failed_tcp`*:: + -- -type: keyword +type: long -- -*`suricata.eve.tcp.ack`*:: +*`suricata.eve.stats.app_layer.flow.msn`*:: + -- -type: boolean +type: long -- -*`suricata.eve.tcp.syn`*:: +*`suricata.eve.stats.app_layer.flow.ssh`*:: + -- -type: boolean +type: long -- -*`suricata.eve.tcp.state`*:: +*`suricata.eve.stats.app_layer.flow.imap`*:: + -- -type: keyword +type: long -- -*`suricata.eve.tcp.tcp_flags_ts`*:: +*`suricata.eve.stats.app_layer.flow.dcerpc_udp`*:: + -- -type: keyword +type: long -- -*`suricata.eve.tcp.rst`*:: +*`suricata.eve.stats.app_layer.flow.dcerpc_tcp`*:: + -- -type: boolean +type: long -- -*`suricata.eve.tcp.fin`*:: +*`suricata.eve.stats.app_layer.flow.smb`*:: + -- -type: boolean +type: long -- -*`suricata.eve.fileinfo.sha1`*:: +*`suricata.eve.stats.app_layer.tx.tls`*:: + -- -type: keyword +type: long -- -*`suricata.eve.fileinfo.filename`*:: +*`suricata.eve.stats.app_layer.tx.ftp`*:: + -- -type: alias - -alias to: file.path +type: long -- -*`suricata.eve.fileinfo.tx_id`*:: +*`suricata.eve.stats.app_layer.tx.http`*:: + -- type: long -- -*`suricata.eve.fileinfo.state`*:: +*`suricata.eve.stats.app_layer.tx.dns_udp`*:: + -- -type: keyword +type: long -- -*`suricata.eve.fileinfo.stored`*:: +*`suricata.eve.stats.app_layer.tx.dns_tcp`*:: + -- -type: boolean +type: long -- -*`suricata.eve.fileinfo.gaps`*:: +*`suricata.eve.stats.app_layer.tx.smtp`*:: + -- -type: boolean +type: long -- -*`suricata.eve.fileinfo.sha256`*:: +*`suricata.eve.stats.app_layer.tx.ssh`*:: + -- -type: keyword +type: long -- -*`suricata.eve.fileinfo.md5`*:: +*`suricata.eve.stats.app_layer.tx.dcerpc_udp`*:: + -- -type: keyword +type: long -- -*`suricata.eve.fileinfo.size`*:: +*`suricata.eve.stats.app_layer.tx.dcerpc_tcp`*:: + -- -type: alias - -alias to: file.size +type: long -- -*`suricata.eve.icmp_type`*:: +*`suricata.eve.stats.app_layer.tx.smb`*:: + -- type: long -- -*`suricata.eve.dest_port`*:: + +*`suricata.eve.tls.notbefore`*:: + -- -type: alias - -alias to: destination.port +type: date -- -*`suricata.eve.src_port`*:: +*`suricata.eve.tls.issuerdn`*:: + -- -type: alias - -alias to: source.port +type: keyword -- -*`suricata.eve.proto`*:: +*`suricata.eve.tls.sni`*:: + -- -type: alias - -alias to: network.transport +type: keyword -- -*`suricata.eve.pcap_cnt`*:: +*`suricata.eve.tls.version`*:: + -- -type: long +type: keyword -- -*`suricata.eve.src_ip`*:: +*`suricata.eve.tls.session_resumed`*:: + -- -type: alias - -alias to: source.ip +type: boolean -- - -*`suricata.eve.dns.type`*:: +*`suricata.eve.tls.fingerprint`*:: + -- type: keyword -- -*`suricata.eve.dns.rrtype`*:: +*`suricata.eve.tls.serial`*:: + -- type: keyword -- -*`suricata.eve.dns.rrname`*:: +*`suricata.eve.tls.notafter`*:: + -- -type: keyword +type: date -- -*`suricata.eve.dns.rdata`*:: +*`suricata.eve.tls.subject`*:: + -- type: keyword -- -*`suricata.eve.dns.tx_id`*:: + +*`suricata.eve.tls.ja3s.string`*:: + -- -type: long +type: keyword -- -*`suricata.eve.dns.ttl`*:: +*`suricata.eve.tls.ja3s.hash`*:: + -- -type: long +type: keyword -- -*`suricata.eve.dns.rcode`*:: + +*`suricata.eve.tls.ja3.string`*:: + -- type: keyword -- -*`suricata.eve.dns.id`*:: +*`suricata.eve.tls.ja3.hash`*:: + -- -type: long +type: keyword -- -*`suricata.eve.flow_id`*:: +*`suricata.eve.app_proto_ts`*:: + -- type: keyword @@ -126130,13039 +143358,13554 @@ type: keyword -- -*`suricata.eve.email.status`*:: +*`suricata.eve.flow.bytes_toclient`*:: + -- -type: keyword +type: alias + +alias to: destination.bytes -- -*`suricata.eve.dest_ip`*:: +*`suricata.eve.flow.start`*:: + -- type: alias -alias to: destination.ip +alias to: event.start -- -*`suricata.eve.icmp_code`*:: +*`suricata.eve.flow.pkts_toclient`*:: + -- -type: long +type: alias --- +alias to: destination.packets +-- -*`suricata.eve.http.status`*:: +*`suricata.eve.flow.age`*:: + -- -type: alias - -alias to: http.response.status_code +type: long -- -*`suricata.eve.http.redirect`*:: +*`suricata.eve.flow.state`*:: + -- type: keyword -- -*`suricata.eve.http.http_user_agent`*:: +*`suricata.eve.flow.bytes_toserver`*:: + -- type: alias -alias to: user_agent.original +alias to: source.bytes -- -*`suricata.eve.http.protocol`*:: +*`suricata.eve.flow.reason`*:: + -- type: keyword -- -*`suricata.eve.http.http_refer`*:: +*`suricata.eve.flow.pkts_toserver`*:: + -- type: alias -alias to: http.request.referrer +alias to: source.packets -- -*`suricata.eve.http.url`*:: +*`suricata.eve.flow.end`*:: + -- -type: alias - -alias to: url.original +type: date -- -*`suricata.eve.http.hostname`*:: +*`suricata.eve.flow.alerted`*:: + -- -type: alias - -alias to: url.domain +type: boolean -- -*`suricata.eve.http.length`*:: +*`suricata.eve.app_proto`*:: + -- type: alias -alias to: http.response.body.bytes +alias to: network.protocol -- -*`suricata.eve.http.http_method`*:: +*`suricata.eve.tx_id`*:: + -- -type: alias +type: long -alias to: http.request.method +-- +*`suricata.eve.app_proto_tc`*:: ++ -- +type: keyword -*`suricata.eve.http.http_content_type`*:: +-- + + +*`suricata.eve.smtp.rcpt_to`*:: + -- type: keyword -- -*`suricata.eve.timestamp`*:: +*`suricata.eve.smtp.mail_from`*:: + -- -type: alias +type: keyword -alias to: @timestamp +-- + +*`suricata.eve.smtp.helo`*:: ++ +-- +type: keyword -- -*`suricata.eve.in_iface`*:: +*`suricata.eve.app_proto_expected`*:: + -- type: keyword -- +[[exported-fields-symantec]] +== Symantec AntiVirus/Endpoint Protection fields -*`suricata.eve.alert.category`*:: +symantec fields. + + + +*`network.interface.name`*:: + -- +Name of the network interface where the traffic has been observed. + + type: keyword -- -*`suricata.eve.alert.severity`*:: + + +*`rsa.internal.msg`*:: + -- -type: alias +This key is used to capture the raw message that comes into the Log Decoder -alias to: event.severity +type: keyword -- -*`suricata.eve.alert.rev`*:: +*`rsa.internal.messageid`*:: + -- -type: long +type: keyword -- -*`suricata.eve.alert.gid`*:: +*`rsa.internal.event_desc`*:: + -- -type: long +type: keyword -- -*`suricata.eve.alert.signature`*:: +*`rsa.internal.message`*:: + -- +This key captures the contents of instant messages + type: keyword -- -*`suricata.eve.alert.action`*:: +*`rsa.internal.time`*:: + -- -type: alias +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. -alias to: event.outcome +type: date -- -*`suricata.eve.alert.signature_id`*:: +*`rsa.internal.level`*:: + -- +Deprecated key defined only in table map. + type: long -- +*`rsa.internal.msg_id`*:: ++ +-- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword +-- -*`suricata.eve.ssh.client.proto_version`*:: +*`rsa.internal.msg_vid`*:: + -- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`suricata.eve.ssh.client.software_version`*:: +*`rsa.internal.data`*:: + -- +Deprecated key defined only in table map. + type: keyword -- - -*`suricata.eve.ssh.server.proto_version`*:: +*`rsa.internal.obj_server`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`suricata.eve.ssh.server.software_version`*:: +*`rsa.internal.obj_val`*:: + -- +Deprecated key defined only in table map. + type: keyword -- +*`rsa.internal.resource`*:: ++ +-- +Deprecated key defined only in table map. + +type: keyword +-- -*`suricata.eve.stats.capture.kernel_packets`*:: +*`rsa.internal.obj_id`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`suricata.eve.stats.capture.kernel_drops`*:: +*`rsa.internal.statement`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`suricata.eve.stats.capture.kernel_ifdrops`*:: +*`rsa.internal.audit_class`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`suricata.eve.stats.uptime`*:: +*`rsa.internal.entry`*:: + -- -type: long +Deprecated key defined only in table map. --- +type: keyword +-- -*`suricata.eve.stats.detect.alert`*:: +*`rsa.internal.hcode`*:: + -- -type: long +Deprecated key defined only in table map. --- +type: keyword +-- -*`suricata.eve.stats.http.memcap`*:: +*`rsa.internal.inode`*:: + -- +Deprecated key defined only in table map. + type: long -- -*`suricata.eve.stats.http.memuse`*:: +*`rsa.internal.resource_class`*:: + -- -type: long +Deprecated key defined only in table map. --- +type: keyword +-- -*`suricata.eve.stats.file_store.open_files`*:: +*`rsa.internal.dead`*:: + -- +Deprecated key defined only in table map. + type: long -- - -*`suricata.eve.stats.defrag.max_frag_hits`*:: +*`rsa.internal.feed_desc`*:: + -- -type: long +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness --- +type: keyword +-- -*`suricata.eve.stats.defrag.ipv4.timeouts`*:: +*`rsa.internal.feed_name`*:: + -- -type: long +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.defrag.ipv4.fragments`*:: +*`rsa.internal.cid`*:: + -- -type: long +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.defrag.ipv4.reassembled`*:: +*`rsa.internal.device_class`*:: + -- -type: long +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness --- +type: keyword +-- -*`suricata.eve.stats.defrag.ipv6.timeouts`*:: +*`rsa.internal.device_group`*:: + -- -type: long +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.defrag.ipv6.fragments`*:: +*`rsa.internal.device_host`*:: + -- -type: long +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.defrag.ipv6.reassembled`*:: +*`rsa.internal.device_ip`*:: + -- -type: long +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness --- +type: ip +-- -*`suricata.eve.stats.flow.tcp_reuse`*:: +*`rsa.internal.device_ipv6`*:: + -- -type: long +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: ip -- -*`suricata.eve.stats.flow.udp`*:: +*`rsa.internal.device_type`*:: + -- -type: long +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.flow.memcap`*:: +*`rsa.internal.device_type_id`*:: + -- +Deprecated key defined only in table map. + type: long -- -*`suricata.eve.stats.flow.emerg_mode_entered`*:: +*`rsa.internal.did`*:: + -- -type: long +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.flow.emerg_mode_over`*:: +*`rsa.internal.entropy_req`*:: + -- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + type: long -- -*`suricata.eve.stats.flow.tcp`*:: +*`rsa.internal.entropy_res`*:: + -- +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration + type: long -- -*`suricata.eve.stats.flow.icmpv6`*:: +*`rsa.internal.event_name`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`suricata.eve.stats.flow.icmpv4`*:: +*`rsa.internal.feed_category`*:: + -- -type: long +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.flow.spare`*:: +*`rsa.internal.forward_ip`*:: + -- -type: long +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. + +type: ip -- -*`suricata.eve.stats.flow.memuse`*:: +*`rsa.internal.forward_ipv6`*:: + -- -type: long +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness --- +type: ip +-- -*`suricata.eve.stats.tcp.pseudo_failed`*:: +*`rsa.internal.header_id`*:: + -- -type: long +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.tcp.ssn_memcap_drop`*:: +*`rsa.internal.lc_cid`*:: + -- -type: long +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.tcp.insert_data_overlap_fail`*:: +*`rsa.internal.lc_ctime`*:: + -- -type: long +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: date -- -*`suricata.eve.stats.tcp.sessions`*:: +*`rsa.internal.mcb_req`*:: + -- +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most + type: long -- -*`suricata.eve.stats.tcp.pseudo`*:: +*`rsa.internal.mcb_res`*:: + -- +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most + type: long -- -*`suricata.eve.stats.tcp.synack`*:: +*`rsa.internal.mcbc_req`*:: + -- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + type: long -- -*`suricata.eve.stats.tcp.insert_data_normal_fail`*:: +*`rsa.internal.mcbc_res`*:: + -- +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams + type: long -- -*`suricata.eve.stats.tcp.syn`*:: +*`rsa.internal.medium`*:: + -- +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session + type: long -- -*`suricata.eve.stats.tcp.memuse`*:: +*`rsa.internal.node_name`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`suricata.eve.stats.tcp.invalid_checksum`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -type: long +This key denotes that event is endpoint related + +type: keyword -- -*`suricata.eve.stats.tcp.segment_memcap_drop`*:: +*`rsa.internal.parse_error`*:: + -- -type: long +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.tcp.overlap`*:: +*`rsa.internal.payload_req`*:: + -- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + type: long -- -*`suricata.eve.stats.tcp.insert_list_fail`*:: +*`rsa.internal.payload_res`*:: + -- +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep + type: long -- -*`suricata.eve.stats.tcp.rst`*:: +*`rsa.internal.process_vid_dst`*:: + -- -type: long +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. + +type: keyword -- -*`suricata.eve.stats.tcp.stream_depth_reached`*:: +*`rsa.internal.process_vid_src`*:: + -- -type: long +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. + +type: keyword -- -*`suricata.eve.stats.tcp.reassembly_memuse`*:: +*`rsa.internal.rid`*:: + -- +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: long -- -*`suricata.eve.stats.tcp.reassembly_gap`*:: +*`rsa.internal.session_split`*:: + -- -type: long +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.tcp.overlap_diff_data`*:: +*`rsa.internal.site`*:: + -- -type: long +Deprecated key defined only in table map. + +type: keyword -- -*`suricata.eve.stats.tcp.no_flow`*:: +*`rsa.internal.size`*:: + -- +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: long -- - -*`suricata.eve.stats.decoder.avg_pkt_size`*:: +*`rsa.internal.sourcefile`*:: + -- -type: long +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + +type: keyword -- -*`suricata.eve.stats.decoder.bytes`*:: +*`rsa.internal.ubc_req`*:: + -- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + type: long -- -*`suricata.eve.stats.decoder.tcp`*:: +*`rsa.internal.ubc_res`*:: + -- +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once + type: long -- -*`suricata.eve.stats.decoder.raw`*:: +*`rsa.internal.word`*:: + -- -type: long +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log + +type: keyword -- -*`suricata.eve.stats.decoder.ppp`*:: + +*`rsa.time.event_time`*:: + -- -type: long +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form + +type: date -- -*`suricata.eve.stats.decoder.vlan_qinq`*:: +*`rsa.time.duration_time`*:: + -- -type: long +This key is used to capture the normalized duration/lifetime in seconds. + +type: double -- -*`suricata.eve.stats.decoder.null`*:: +*`rsa.time.event_time_str`*:: + -- -type: long +This key is used to capture the incomplete time mentioned in a session as a string --- +type: keyword +-- -*`suricata.eve.stats.decoder.ltnull.unsupported_type`*:: +*`rsa.time.starttime`*:: + -- -type: long +This key is used to capture the Start time mentioned in a session in a standard form + +type: date -- -*`suricata.eve.stats.decoder.ltnull.pkt_too_small`*:: +*`rsa.time.month`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.invalid`*:: +*`rsa.time.day`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.gre`*:: +*`rsa.time.endtime`*:: + -- -type: long +This key is used to capture the End time mentioned in a session in a standard form + +type: date -- -*`suricata.eve.stats.decoder.ipv4`*:: +*`rsa.time.timezone`*:: + -- -type: long +This key is used to capture the timezone of the Event Time + +type: keyword -- -*`suricata.eve.stats.decoder.ipv6`*:: +*`rsa.time.duration_str`*:: + -- -type: long +A text string version of the duration + +type: keyword -- -*`suricata.eve.stats.decoder.pkts`*:: +*`rsa.time.date`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.ipv6_in_ipv6`*:: +*`rsa.time.year`*:: + -- -type: long +type: keyword -- - -*`suricata.eve.stats.decoder.ipraw.invalid_ip_version`*:: +*`rsa.time.recorded_time`*:: + -- -type: long +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. + +type: date -- -*`suricata.eve.stats.decoder.pppoe`*:: +*`rsa.time.datetime`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.udp`*:: +*`rsa.time.effective_time`*:: + -- -type: long +This key is the effective time referenced by an individual event in a Standard Timestamp format --- +type: date +-- -*`suricata.eve.stats.decoder.dce.pkt_too_small`*:: +*`rsa.time.expire_time`*:: + -- -type: long +This key is the timestamp that explicitly refers to an expiration. + +type: date -- -*`suricata.eve.stats.decoder.vlan`*:: +*`rsa.time.process_time`*:: + -- -type: long +Deprecated, use duration.time + +type: keyword -- -*`suricata.eve.stats.decoder.sctp`*:: +*`rsa.time.hour`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.max_pkt_size`*:: +*`rsa.time.min`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.teredo`*:: +*`rsa.time.timestamp`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.mpls`*:: +*`rsa.time.event_queue_time`*:: + -- -type: long +This key is the Time that the event was queued. + +type: date -- -*`suricata.eve.stats.decoder.sll`*:: +*`rsa.time.p_time1`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.icmpv6`*:: +*`rsa.time.tzone`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.icmpv4`*:: +*`rsa.time.eventtime`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.erspan`*:: +*`rsa.time.gmtdate`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.ethernet`*:: +*`rsa.time.gmttime`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.ipv4_in_ipv6`*:: +*`rsa.time.p_date`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.decoder.ieee8021ah`*:: +*`rsa.time.p_month`*:: + -- -type: long +type: keyword -- - -*`suricata.eve.stats.dns.memcap_global`*:: +*`rsa.time.p_time`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.dns.memcap_state`*:: +*`rsa.time.p_time2`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.dns.memuse`*:: +*`rsa.time.p_year`*:: + -- -type: long +type: keyword -- - -*`suricata.eve.stats.flow_mgr.rows_busy`*:: +*`rsa.time.expire_time_str`*:: + -- -type: long +This key is used to capture incomplete timestamp that explicitly refers to an expiration. + +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_timeout`*:: +*`rsa.time.stamp`*:: + -- -type: long +Deprecated key defined only in table map. + +type: date -- -*`suricata.eve.stats.flow_mgr.flows_notimeout`*:: + +*`rsa.misc.action`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_skipped`*:: +*`rsa.misc.result`*:: + -- -type: long +This key is used to capture the outcome/result string value of an action in a session. + +type: keyword -- -*`suricata.eve.stats.flow_mgr.closed_pruned`*:: +*`rsa.misc.severity`*:: + -- -type: long +This key is used to capture the severity given the session + +type: keyword -- -*`suricata.eve.stats.flow_mgr.new_pruned`*:: +*`rsa.misc.event_type`*:: + -- -type: long +This key captures the event category type as specified by the event source. + +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_removed`*:: +*`rsa.misc.reference_id`*:: + -- -type: long +This key is used to capture an event id from the session directly + +type: keyword -- -*`suricata.eve.stats.flow_mgr.bypassed_pruned`*:: +*`rsa.misc.version`*:: + -- -type: long +This key captures Version of the application or OS which is generating the event. + +type: keyword -- -*`suricata.eve.stats.flow_mgr.est_pruned`*:: +*`rsa.misc.disposition`*:: + -- -type: long +This key captures the The end state of an action. + +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_timeout_inuse`*:: +*`rsa.misc.result_code`*:: + -- -type: long +This key is used to capture the outcome/result numeric value of an action in a session + +type: keyword -- -*`suricata.eve.stats.flow_mgr.flows_checked`*:: +*`rsa.misc.category`*:: + -- -type: long +This key is used to capture the category of an event given by the vendor in the session + +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_maxlen`*:: +*`rsa.misc.obj_name`*:: + -- -type: long +This is used to capture name of object + +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_checked`*:: +*`rsa.misc.obj_type`*:: + -- -type: long +This is used to capture type of object + +type: keyword -- -*`suricata.eve.stats.flow_mgr.rows_empty`*:: +*`rsa.misc.event_source`*:: + -- -type: long +This key captures Source of the event that’s not a hostname + +type: keyword -- +*`rsa.misc.log_session_id`*:: ++ +-- +This key is used to capture a sessionid from the session directly + +type: keyword +-- -*`suricata.eve.stats.app_layer.flow.tls`*:: +*`rsa.misc.group`*:: + -- -type: long +This key captures the Group Name value + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.ftp`*:: +*`rsa.misc.policy_name`*:: + -- -type: long +This key is used to capture the Policy Name only. + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.http`*:: +*`rsa.misc.rule_name`*:: + -- -type: long +This key captures the Rule Name + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.failed_udp`*:: +*`rsa.misc.context`*:: + -- -type: long +This key captures Information which adds additional context to the event. + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.dns_udp`*:: +*`rsa.misc.change_new`*:: + -- -type: long +This key is used to capture the new values of the attribute that’s changing in a session + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.dns_tcp`*:: +*`rsa.misc.space`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.app_layer.flow.smtp`*:: +*`rsa.misc.client`*:: + -- -type: long +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.failed_tcp`*:: +*`rsa.misc.msgIdPart1`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.app_layer.flow.msn`*:: +*`rsa.misc.msgIdPart2`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.app_layer.flow.ssh`*:: +*`rsa.misc.change_old`*:: + -- -type: long +This key is used to capture the old value of the attribute that’s changing in a session + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.imap`*:: +*`rsa.misc.operation_id`*:: + -- -type: long +An alert number or operation number. The values should be unique and non-repeating. + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.dcerpc_udp`*:: +*`rsa.misc.event_state`*:: + -- -type: long +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.dcerpc_tcp`*:: +*`rsa.misc.group_object`*:: + -- -type: long +This key captures a collection/grouping of entities. Specific usage + +type: keyword -- -*`suricata.eve.stats.app_layer.flow.smb`*:: +*`rsa.misc.node`*:: + -- -type: long +Common use case is the node name within a cluster. The cluster name is reflected by the host name. --- +type: keyword +-- -*`suricata.eve.stats.app_layer.tx.tls`*:: +*`rsa.misc.rule`*:: + -- -type: long +This key captures the Rule number + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.ftp`*:: +*`rsa.misc.device_name`*:: + -- -type: long +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.http`*:: +*`rsa.misc.param`*:: + -- -type: long +This key is the parameters passed as part of a command or application, etc. + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.dns_udp`*:: +*`rsa.misc.change_attrib`*:: + -- -type: long +This key is used to capture the name of the attribute that’s changing in a session + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.dns_tcp`*:: +*`rsa.misc.event_computer`*:: + -- -type: long +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.smtp`*:: +*`rsa.misc.reference_id1`*:: + -- -type: long +This key is for Linked ID to be used as an addition to "reference.id" + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.ssh`*:: +*`rsa.misc.event_log`*:: + -- -type: long +This key captures the Name of the event log + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.dcerpc_udp`*:: +*`rsa.misc.OS`*:: + -- -type: long +This key captures the Name of the Operating System + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.dcerpc_tcp`*:: +*`rsa.misc.terminal`*:: + -- -type: long +This key captures the Terminal Names only + +type: keyword -- -*`suricata.eve.stats.app_layer.tx.smb`*:: +*`rsa.misc.msgIdPart3`*:: + -- -type: long +type: keyword -- - -*`suricata.eve.tls.notbefore`*:: +*`rsa.misc.filter`*:: + -- -type: date +This key captures Filter used to reduce result set + +type: keyword -- -*`suricata.eve.tls.issuerdn`*:: +*`rsa.misc.serial_number`*:: + -- +This key is the Serial number associated with a physical asset. + type: keyword -- -*`suricata.eve.tls.sni`*:: +*`rsa.misc.checksum`*:: + -- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + type: keyword -- -*`suricata.eve.tls.version`*:: +*`rsa.misc.event_user`*:: + -- +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. + type: keyword -- -*`suricata.eve.tls.session_resumed`*:: +*`rsa.misc.virusname`*:: + -- -type: boolean +This key captures the name of the virus + +type: keyword -- -*`suricata.eve.tls.fingerprint`*:: +*`rsa.misc.content_type`*:: + -- +This key is used to capture Content Type only. + type: keyword -- -*`suricata.eve.tls.serial`*:: +*`rsa.misc.group_id`*:: + -- +This key captures Group ID Number (related to the group name) + type: keyword -- -*`suricata.eve.tls.notafter`*:: +*`rsa.misc.policy_id`*:: + -- -type: date +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise + +type: keyword -- -*`suricata.eve.tls.subject`*:: +*`rsa.misc.vsys`*:: + -- +This key captures Virtual System Name + type: keyword -- - -*`suricata.eve.tls.ja3s.string`*:: +*`rsa.misc.connection_id`*:: + -- +This key captures the Connection ID + type: keyword -- -*`suricata.eve.tls.ja3s.hash`*:: +*`rsa.misc.reference_id2`*:: + -- +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. + type: keyword -- - -*`suricata.eve.tls.ja3.string`*:: +*`rsa.misc.sensor`*:: + -- +This key captures Name of the sensor. Typically used in IDS/IPS based devices + type: keyword -- -*`suricata.eve.tls.ja3.hash`*:: +*`rsa.misc.sig_id`*:: ++ +-- +This key captures IDS/IPS Int Signature ID + +type: long + +-- + +*`rsa.misc.port_name`*:: + -- +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). + type: keyword -- -*`suricata.eve.app_proto_ts`*:: +*`rsa.misc.rule_group`*:: + -- +This key captures the Rule group name + type: keyword -- +*`rsa.misc.risk_num`*:: ++ +-- +This key captures a Numeric Risk value + +type: double + +-- -*`suricata.eve.flow.bytes_toclient`*:: +*`rsa.misc.trigger_val`*:: + -- -type: alias +This key captures the Value of the trigger or threshold condition. -alias to: destination.bytes +type: keyword -- -*`suricata.eve.flow.start`*:: +*`rsa.misc.log_session_id1`*:: + -- -type: alias +This key is used to capture a Linked (Related) Session ID from the session directly -alias to: event.start +type: keyword -- -*`suricata.eve.flow.pkts_toclient`*:: +*`rsa.misc.comp_version`*:: + -- -type: alias +This key captures the Version level of a sub-component of a product. -alias to: destination.packets +type: keyword -- -*`suricata.eve.flow.age`*:: +*`rsa.misc.content_version`*:: + -- -type: long +This key captures Version level of a signature or database content. + +type: keyword -- -*`suricata.eve.flow.state`*:: +*`rsa.misc.hardware_id`*:: + -- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + type: keyword -- -*`suricata.eve.flow.bytes_toserver`*:: +*`rsa.misc.risk`*:: + -- -type: alias +This key captures the non-numeric risk value -alias to: source.bytes +type: keyword -- -*`suricata.eve.flow.reason`*:: +*`rsa.misc.event_id`*:: + -- type: keyword -- -*`suricata.eve.flow.pkts_toserver`*:: +*`rsa.misc.reason`*:: + -- -type: alias - -alias to: source.packets +type: keyword -- -*`suricata.eve.flow.end`*:: +*`rsa.misc.status`*:: + -- -type: date +type: keyword -- -*`suricata.eve.flow.alerted`*:: +*`rsa.misc.mail_id`*:: + -- -type: boolean +This key is used to capture the mailbox id/name + +type: keyword -- -*`suricata.eve.app_proto`*:: +*`rsa.misc.rule_uid`*:: + -- -type: alias +This key is the Unique Identifier for a rule. -alias to: network.protocol +type: keyword -- -*`suricata.eve.tx_id`*:: +*`rsa.misc.trigger_desc`*:: + -- -type: long +This key captures the Description of the trigger or threshold condition. + +type: keyword -- -*`suricata.eve.app_proto_tc`*:: +*`rsa.misc.inout`*:: + -- type: keyword -- - -*`suricata.eve.smtp.rcpt_to`*:: +*`rsa.misc.p_msgid`*:: + -- type: keyword -- -*`suricata.eve.smtp.mail_from`*:: +*`rsa.misc.data_type`*:: + -- type: keyword -- -*`suricata.eve.smtp.helo`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- -*`suricata.eve.app_proto_expected`*:: +*`rsa.misc.error`*:: + -- +This key captures All non successful Error codes or responses + type: keyword -- -[[exported-fields-system]] -== System fields - -Module for parsing system log files. - - - -[float] -=== system - -Fields from the system log files. - - - -[float] -=== auth - -Fields from the Linux authorization logs. - - - -*`system.auth.timestamp`*:: +*`rsa.misc.index`*:: + -- -type: alias - -alias to: @timestamp +type: keyword -- -*`system.auth.hostname`*:: +*`rsa.misc.listnum`*:: + -- -type: alias +This key is used to capture listname or listnumber, primarily for collecting access-list -alias to: host.hostname +type: keyword -- -*`system.auth.program`*:: +*`rsa.misc.ntype`*:: + -- -type: alias - -alias to: process.name +type: keyword -- -*`system.auth.pid`*:: +*`rsa.misc.observed_val`*:: + -- -type: alias +This key captures the Value observed (from the perspective of the device generating the log). -alias to: process.pid +type: keyword -- -*`system.auth.message`*:: +*`rsa.misc.policy_value`*:: + -- -type: alias +This key captures the contents of the policy. This contains details about the policy -alias to: message +type: keyword -- -*`system.auth.user`*:: +*`rsa.misc.pool_name`*:: + -- -type: alias +This key captures the name of a resource pool -alias to: user.name +type: keyword -- - -*`system.auth.ssh.method`*:: +*`rsa.misc.rule_template`*:: + -- -The SSH authentication method. Can be one of "password" or "publickey". +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template +type: keyword -- -*`system.auth.ssh.signature`*:: +*`rsa.misc.count`*:: + -- -The signature of the client public key. - +type: keyword -- -*`system.auth.ssh.dropped_ip`*:: +*`rsa.misc.number`*:: + -- -The client IP from SSH connections that are open and immediately dropped. - - -type: ip +type: keyword -- -*`system.auth.ssh.event`*:: +*`rsa.misc.sigcat`*:: + -- -The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) - - -example: Accepted +type: keyword -- -*`system.auth.ssh.ip`*:: +*`rsa.misc.type`*:: + -- -type: alias - -alias to: source.ip +type: keyword -- -*`system.auth.ssh.port`*:: +*`rsa.misc.comments`*:: + -- -type: alias +Comment information provided in the log message -alias to: source.port +type: keyword -- - -*`system.auth.ssh.geoip.continent_name`*:: +*`rsa.misc.doc_number`*:: + -- -type: alias +This key captures File Identification number -alias to: source.geo.continent_name +type: long -- -*`system.auth.ssh.geoip.country_iso_code`*:: +*`rsa.misc.expected_val`*:: + -- -type: alias +This key captures the Value expected (from the perspective of the device generating the log). -alias to: source.geo.country_iso_code +type: keyword -- -*`system.auth.ssh.geoip.location`*:: +*`rsa.misc.job_num`*:: + -- -type: alias +This key captures the Job Number -alias to: source.geo.location +type: keyword -- -*`system.auth.ssh.geoip.region_name`*:: +*`rsa.misc.spi_dst`*:: + -- -type: alias +Destination SPI Index -alias to: source.geo.region_name +type: keyword -- -*`system.auth.ssh.geoip.city_name`*:: +*`rsa.misc.spi_src`*:: + -- -type: alias +Source SPI Index -alias to: source.geo.city_name +type: keyword -- -*`system.auth.ssh.geoip.region_iso_code`*:: +*`rsa.misc.code`*:: + -- -type: alias - -alias to: source.geo.region_iso_code +type: keyword -- -[float] -=== sudo - -Fields specific to events created by the `sudo` command. - - - -*`system.auth.sudo.error`*:: +*`rsa.misc.agent_id`*:: + -- -The error message in case the sudo command failed. - +This key is used to capture agent id -example: user NOT in sudoers +type: keyword -- -*`system.auth.sudo.tty`*:: +*`rsa.misc.message_body`*:: + -- -The TTY where the sudo command is executed. +This key captures the The contents of the message body. +type: keyword -- -*`system.auth.sudo.pwd`*:: +*`rsa.misc.phone`*:: + -- -The current directory where the sudo command is executed. - +type: keyword -- -*`system.auth.sudo.user`*:: +*`rsa.misc.sig_id_str`*:: + -- -The target user to which the sudo command is switching. - +This key captures a string object of the sigid variable. -example: root +type: keyword -- -*`system.auth.sudo.command`*:: +*`rsa.misc.cmd`*:: + -- -The command executed via sudo. - +type: keyword -- -[float] -=== useradd - -Fields specific to events created by the `useradd` command. - - - -*`system.auth.useradd.home`*:: +*`rsa.misc.misc`*:: + -- -The home folder for the new user. +type: keyword -- -*`system.auth.useradd.shell`*:: +*`rsa.misc.name`*:: + -- -The default shell for the new user. +type: keyword -- -*`system.auth.useradd.name`*:: +*`rsa.misc.cpu`*:: + -- -type: alias +This key is the CPU time used in the execution of the event being recorded. -alias to: user.name +type: long -- -*`system.auth.useradd.uid`*:: +*`rsa.misc.event_desc`*:: + -- -type: alias +This key is used to capture a description of an event available directly or inferred -alias to: user.id +type: keyword -- -*`system.auth.useradd.gid`*:: +*`rsa.misc.sig_id1`*:: + -- -type: alias +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id -alias to: group.id +type: long -- -[float] -=== groupadd - -Fields specific to events created by the `groupadd` command. - +*`rsa.misc.im_buddyid`*:: ++ +-- +type: keyword +-- -*`system.auth.groupadd.name`*:: +*`rsa.misc.im_client`*:: + -- -type: alias - -alias to: group.name +type: keyword -- -*`system.auth.groupadd.gid`*:: +*`rsa.misc.im_userid`*:: + -- -type: alias - -alias to: group.id +type: keyword -- -[float] -=== syslog +*`rsa.misc.pid`*:: ++ +-- +type: keyword -Contains fields from the syslog system logs. +-- +*`rsa.misc.priority`*:: ++ +-- +type: keyword +-- -*`system.syslog.timestamp`*:: +*`rsa.misc.context_subject`*:: + -- -type: alias +This key is to be used in an audit context where the subject is the object being identified -alias to: @timestamp +type: keyword -- -*`system.syslog.hostname`*:: +*`rsa.misc.context_target`*:: + -- -type: alias - -alias to: host.hostname +type: keyword -- -*`system.syslog.program`*:: +*`rsa.misc.cve`*:: + -- -type: alias +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. -alias to: process.name +type: keyword -- -*`system.syslog.pid`*:: +*`rsa.misc.fcatnum`*:: + -- -type: alias +This key captures Filter Category Number. Legacy Usage -alias to: process.pid +type: keyword -- -*`system.syslog.message`*:: +*`rsa.misc.library`*:: + -- -type: alias +This key is used to capture library information in mainframe devices -alias to: message +type: keyword -- -[[exported-fields-tenable]] -== Tenable Network Security Nessus fields - -tenable fields. +*`rsa.misc.parent_node`*:: ++ +-- +This key captures the Parent Node Name. Must be related to node variable. +type: keyword +-- -*`network.interface.name`*:: +*`rsa.misc.risk_info`*:: + -- -Name of the network interface where the traffic has been observed. - +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- - - -*`rsa.internal.msg`*:: +*`rsa.misc.tcp_flags`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder +This key is captures the TCP flags set in any packet of session -type: keyword +type: long -- -*`rsa.internal.messageid`*:: +*`rsa.misc.tos`*:: + -- -type: keyword +This key describes the type of service + +type: long -- -*`rsa.internal.event_desc`*:: +*`rsa.misc.vm_target`*:: + -- +VMWare Target **VMWARE** only varaible. + type: keyword -- -*`rsa.internal.message`*:: +*`rsa.misc.workspace`*:: + -- -This key captures the contents of instant messages +This key captures Workspace Description type: keyword -- -*`rsa.internal.time`*:: +*`rsa.misc.command`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. - -type: date +type: keyword -- -*`rsa.internal.level`*:: +*`rsa.misc.event_category`*:: + -- -Deprecated key defined only in table map. - -type: long +type: keyword -- -*`rsa.internal.msg_id`*:: +*`rsa.misc.facilityname`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.msg_vid`*:: +*`rsa.misc.forensic_info`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.data`*:: +*`rsa.misc.jobname`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_server`*:: +*`rsa.misc.mode`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_val`*:: +*`rsa.misc.policy`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.resource`*:: +*`rsa.misc.policy_waiver`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_id`*:: +*`rsa.misc.second`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.statement`*:: +*`rsa.misc.space1`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.audit_class`*:: +*`rsa.misc.subcategory`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.entry`*:: +*`rsa.misc.tbdstr2`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.hcode`*:: +*`rsa.misc.alert_id`*:: + -- -Deprecated key defined only in table map. +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.internal.inode`*:: +*`rsa.misc.checksum_dst`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the checksum or hash of the the target entity such as a process or file. -type: long +type: keyword -- -*`rsa.internal.resource_class`*:: +*`rsa.misc.checksum_src`*:: + -- -Deprecated key defined only in table map. +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`rsa.internal.dead`*:: +*`rsa.misc.fresult`*:: + -- -Deprecated key defined only in table map. +This key captures the Filter Result type: long -- -*`rsa.internal.feed_desc`*:: +*`rsa.misc.payload_dst`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture destination payload type: keyword -- -*`rsa.internal.feed_name`*:: +*`rsa.misc.payload_src`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture source payload type: keyword -- -*`rsa.internal.cid`*:: +*`rsa.misc.pool_id`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`rsa.internal.device_class`*:: +*`rsa.misc.process_id_val`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is a failure key for Process ID when it is not an integer value type: keyword -- -*`rsa.internal.device_group`*:: +*`rsa.misc.risk_num_comm`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Risk Number Community -type: keyword +type: double -- -*`rsa.internal.device_host`*:: +*`rsa.misc.risk_num_next`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Risk Number NextGen -type: keyword +type: double -- -*`rsa.internal.device_ip`*:: +*`rsa.misc.risk_num_sand`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Risk Number SandBox -type: ip +type: double -- -*`rsa.internal.device_ipv6`*:: +*`rsa.misc.risk_num_static`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Risk Number Static -type: ip +type: double -- -*`rsa.internal.device_type`*:: +*`rsa.misc.risk_suspicious`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.internal.device_type_id`*:: +*`rsa.misc.risk_warning`*:: + -- -Deprecated key defined only in table map. +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -type: long +type: keyword -- -*`rsa.internal.did`*:: +*`rsa.misc.snmp_oid`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +SNMP Object Identifier type: keyword -- -*`rsa.internal.entropy_req`*:: +*`rsa.misc.sql`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +This key captures the SQL query -type: long +type: keyword -- -*`rsa.internal.entropy_res`*:: +*`rsa.misc.vuln_ref`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +This key captures the Vulnerability Reference details -type: long +type: keyword -- -*`rsa.internal.event_name`*:: +*`rsa.misc.acl_id`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.feed_category`*:: +*`rsa.misc.acl_op`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.forward_ip`*:: +*`rsa.misc.acl_pos`*:: + -- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip +type: keyword -- -*`rsa.internal.forward_ipv6`*:: +*`rsa.misc.acl_table`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.header_id`*:: +*`rsa.misc.admin`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_cid`*:: +*`rsa.misc.alarm_id`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_ctime`*:: +*`rsa.misc.alarmname`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`rsa.misc.app_id`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`rsa.misc.audit`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcbc_req`*:: +*`rsa.misc.audit_object`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.mcbc_res`*:: +*`rsa.misc.auditdata`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.medium`*:: +*`rsa.misc.benchmark`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long +type: keyword -- -*`rsa.internal.node_name`*:: +*`rsa.misc.bypass`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`rsa.misc.cache`*:: + -- -This key denotes that event is endpoint related - type: keyword -- -*`rsa.internal.parse_error`*:: +*`rsa.misc.cache_hit`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.payload_req`*:: +*`rsa.misc.cefversion`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.payload_res`*:: +*`rsa.misc.cfg_attr`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: +*`rsa.misc.cfg_obj`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. - type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`rsa.misc.cfg_path`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. - type: keyword -- -*`rsa.internal.rid`*:: +*`rsa.misc.changes`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.session_split`*:: +*`rsa.misc.client_ip`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.site`*:: +*`rsa.misc.clustermembers`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.size`*:: +*`rsa.misc.cn_acttimeout`*:: + -- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long +type: keyword -- -*`rsa.internal.sourcefile`*:: +*`rsa.misc.cn_asn_src`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.ubc_req`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once - -type: long +type: keyword -- -*`rsa.internal.word`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log - type: keyword -- - -*`rsa.time.event_time`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form - -type: date +type: keyword -- -*`rsa.time.duration_time`*:: +*`rsa.misc.cn_engine_id`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. - -type: double +type: keyword -- -*`rsa.time.event_time_str`*:: +*`rsa.misc.cn_engine_type`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string - type: keyword -- -*`rsa.time.starttime`*:: +*`rsa.misc.cn_f_switch`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.month`*:: +*`rsa.misc.cn_flowsampid`*:: + -- type: keyword -- -*`rsa.time.day`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- type: keyword -- -*`rsa.time.endtime`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form - -type: date +type: keyword -- -*`rsa.time.timezone`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -This key is used to capture the timezone of the Event Time - type: keyword -- -*`rsa.time.duration_str`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -A text string version of the duration - type: keyword -- -*`rsa.time.date`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- type: keyword -- -*`rsa.time.year`*:: +*`rsa.misc.cn_invalid`*:: + -- type: keyword -- -*`rsa.time.recorded_time`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date +type: keyword -- -*`rsa.time.datetime`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- type: keyword -- -*`rsa.time.effective_time`*:: +*`rsa.misc.cn_l_switch`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date +type: keyword -- -*`rsa.time.expire_time`*:: +*`rsa.misc.cn_log_did`*:: + -- -This key is the timestamp that explicitly refers to an expiration. - -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`rsa.misc.cn_log_rid`*:: + -- -Deprecated, use duration.time - type: keyword -- -*`rsa.time.hour`*:: +*`rsa.misc.cn_max_ttl`*:: + -- type: keyword -- -*`rsa.time.min`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`rsa.misc.cn_min_ttl`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- -This key is the Time that the event was queued. - -type: date +type: keyword -- -*`rsa.time.p_time1`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- type: keyword -- -*`rsa.time.tzone`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- type: keyword -- -*`rsa.time.eventtime`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- type: keyword -- -*`rsa.time.gmtdate`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`rsa.time.gmttime`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- type: keyword -- -*`rsa.time.p_date`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- type: keyword -- -*`rsa.time.p_month`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`rsa.time.p_time`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`rsa.time.p_time2`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`rsa.time.p_year`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`rsa.time.expire_time_str`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - type: keyword -- -*`rsa.time.stamp`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -Deprecated key defined only in table map. - -type: date +type: keyword -- - -*`rsa.misc.action`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`rsa.misc.result`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. - type: keyword -- -*`rsa.misc.severity`*:: +*`rsa.misc.cn_muligmptype`*:: + -- -This key is used to capture the severity given the session - type: keyword -- -*`rsa.misc.event_type`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -This key captures the event category type as specified by the event source. - type: keyword -- -*`rsa.misc.reference_id`*:: +*`rsa.misc.cn_sampint`*:: + -- -This key is used to capture an event id from the session directly - type: keyword -- -*`rsa.misc.version`*:: +*`rsa.misc.cn_seqctr`*:: + -- -This key captures Version of the application or OS which is generating the event. - type: keyword -- -*`rsa.misc.disposition`*:: +*`rsa.misc.cn_spackets`*:: + -- -This key captures the The end state of an action. - type: keyword -- -*`rsa.misc.result_code`*:: +*`rsa.misc.cn_src_tos`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session - type: keyword -- -*`rsa.misc.category`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -This key is used to capture the category of an event given by the vendor in the session - type: keyword -- -*`rsa.misc.obj_name`*:: +*`rsa.misc.cn_sysuptime`*:: + -- -This is used to capture name of object - type: keyword -- -*`rsa.misc.obj_type`*:: +*`rsa.misc.cn_template_id`*:: + -- -This is used to capture type of object - type: keyword -- -*`rsa.misc.event_source`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -This key captures Source of the event that’s not a hostname - type: keyword -- -*`rsa.misc.log_session_id`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -This key is used to capture a sessionid from the session directly - type: keyword -- -*`rsa.misc.group`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- -This key captures the Group Name value - type: keyword -- -*`rsa.misc.policy_name`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -This key is used to capture the Policy Name only. - type: keyword -- -*`rsa.misc.rule_name`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -This key captures the Rule Name - type: keyword -- -*`rsa.misc.context`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -This key captures Information which adds additional context to the event. - type: keyword -- -*`rsa.misc.change_new`*:: +*`rsa.misc.comp_class`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.space`*:: +*`rsa.misc.comp_name`*:: + -- type: keyword -- -*`rsa.misc.client`*:: +*`rsa.misc.comp_rbytes`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - type: keyword -- -*`rsa.misc.msgIdPart1`*:: +*`rsa.misc.comp_sbytes`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart2`*:: +*`rsa.misc.cpu_data`*:: + -- type: keyword -- -*`rsa.misc.change_old`*:: +*`rsa.misc.criticality`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.operation_id`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. - type: keyword -- -*`rsa.misc.event_state`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - type: keyword -- -*`rsa.misc.group_object`*:: +*`rsa.misc.cs_av_other`*:: + -- -This key captures a collection/grouping of entities. Specific usage - type: keyword -- -*`rsa.misc.node`*:: +*`rsa.misc.cs_av_primary`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - type: keyword -- -*`rsa.misc.rule`*:: +*`rsa.misc.cs_av_secondary`*:: + -- -This key captures the Rule number - type: keyword -- -*`rsa.misc.device_name`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - type: keyword -- -*`rsa.misc.param`*:: +*`rsa.misc.cs_bit9status`*:: + -- -This key is the parameters passed as part of a command or application, etc. - type: keyword -- -*`rsa.misc.change_attrib`*:: +*`rsa.misc.cs_context`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.event_computer`*:: +*`rsa.misc.cs_control`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - type: keyword -- -*`rsa.misc.reference_id1`*:: +*`rsa.misc.cs_data`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" - type: keyword -- -*`rsa.misc.event_log`*:: +*`rsa.misc.cs_datecret`*:: + -- -This key captures the Name of the event log - type: keyword -- -*`rsa.misc.OS`*:: +*`rsa.misc.cs_dst_tld`*:: + -- -This key captures the Name of the Operating System - type: keyword -- -*`rsa.misc.terminal`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -This key captures the Terminal Names only - type: keyword -- -*`rsa.misc.msgIdPart3`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- type: keyword -- -*`rsa.misc.filter`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -This key captures Filter used to reduce result set - type: keyword -- -*`rsa.misc.serial_number`*:: +*`rsa.misc.cs_filetype`*:: + -- -This key is the Serial number associated with a physical asset. - type: keyword -- -*`rsa.misc.checksum`*:: +*`rsa.misc.cs_fld`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.misc.cs_if_desc`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - type: keyword -- -*`rsa.misc.virusname`*:: +*`rsa.misc.cs_if_name`*:: + -- -This key captures the name of the virus - type: keyword -- -*`rsa.misc.content_type`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -This key is used to capture Content Type only. - type: keyword -- -*`rsa.misc.group_id`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- -This key captures Group ID Number (related to the group name) - type: keyword -- -*`rsa.misc.policy_id`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - type: keyword -- -*`rsa.misc.vsys`*:: +*`rsa.misc.cs_lifetime`*:: + -- -This key captures Virtual System Name - type: keyword -- -*`rsa.misc.connection_id`*:: +*`rsa.misc.cs_log_medium`*:: + -- -This key captures the Connection ID - type: keyword -- -*`rsa.misc.reference_id2`*:: +*`rsa.misc.cs_loginname`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.misc.cs_modulescore`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.misc.cs_modulesign`*:: + -- -This key captures IDS/IPS Int Signature ID - -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.misc.cs_payload`*:: + -- -This key captures the Rule group name - type: keyword -- -*`rsa.misc.risk_num`*:: +*`rsa.misc.cs_registrant`*:: + -- -This key captures a Numeric Risk value - -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.misc.cs_registrar`*:: + -- -This key captures the Value of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.misc.cs_represult`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly - type: keyword -- -*`rsa.misc.comp_version`*:: +*`rsa.misc.cs_rpayload`*:: + -- -This key captures the Version level of a sub-component of a product. - type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.misc.cs_sampler_name`*:: + -- -This key captures Version level of a signature or database content. - type: keyword -- -*`rsa.misc.hardware_id`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - type: keyword -- -*`rsa.misc.risk`*:: +*`rsa.misc.cs_streams`*:: + -- -This key captures the non-numeric risk value - type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.misc.cs_targetmodule`*:: + -- type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- type: keyword -- -*`rsa.misc.status`*:: +*`rsa.misc.cs_whois_server`*:: + -- type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.misc.cs_yararesult`*:: + -- -This key is used to capture the mailbox id/name - type: keyword -- -*`rsa.misc.rule_uid`*:: +*`rsa.misc.description`*:: + -- -This key is the Unique Identifier for a rule. - type: keyword -- -*`rsa.misc.trigger_desc`*:: +*`rsa.misc.devvendor`*:: + -- -This key captures the Description of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.inout`*:: +*`rsa.misc.distance`*:: + -- type: keyword -- -*`rsa.misc.p_msgid`*:: +*`rsa.misc.dstburb`*:: + -- type: keyword -- -*`rsa.misc.data_type`*:: +*`rsa.misc.edomain`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.misc.edomaub`*:: + -- type: keyword -- -*`rsa.misc.error`*:: +*`rsa.misc.euid`*:: + -- -This key captures All non successful Error codes or responses - type: keyword -- -*`rsa.misc.index`*:: +*`rsa.misc.facility`*:: + -- type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.misc.finterface`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list - type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`rsa.misc.observed_val`*:: +*`rsa.misc.gaddr`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.policy_value`*:: +*`rsa.misc.id3`*:: + -- -This key captures the contents of the policy. This contains details about the policy - type: keyword -- -*`rsa.misc.pool_name`*:: +*`rsa.misc.im_buddyname`*:: + -- -This key captures the name of a resource pool - type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.misc.im_croomid`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - type: keyword -- -*`rsa.misc.count`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`rsa.misc.number`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`rsa.misc.sigcat`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`rsa.misc.type`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`rsa.misc.comments`*:: +*`rsa.misc.ipscat`*:: + -- -Comment information provided in the log message - type: keyword -- -*`rsa.misc.doc_number`*:: +*`rsa.misc.ipspri`*:: + -- -This key captures File Identification number - -type: long +type: keyword -- -*`rsa.misc.expected_val`*:: +*`rsa.misc.latitude`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.job_num`*:: +*`rsa.misc.linenum`*:: + -- -This key captures the Job Number - type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.misc.list_name`*:: + -- -Destination SPI Index - type: keyword -- -*`rsa.misc.spi_src`*:: +*`rsa.misc.load_data`*:: + -- -Source SPI Index - type: keyword -- -*`rsa.misc.code`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`rsa.misc.agent_id`*:: +*`rsa.misc.location_mark`*:: + -- -This key is used to capture agent id - type: keyword -- -*`rsa.misc.message_body`*:: +*`rsa.misc.log_id`*:: + -- -This key captures the The contents of the message body. - type: keyword -- -*`rsa.misc.phone`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`rsa.misc.sig_id_str`*:: +*`rsa.misc.logid`*:: + -- -This key captures a string object of the sigid variable. - type: keyword -- -*`rsa.misc.cmd`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`rsa.misc.name`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`rsa.misc.cpu`*:: +*`rsa.misc.lport`*:: + -- -This key is the CPU time used in the execution of the event being recorded. - -type: long +type: keyword -- -*`rsa.misc.event_desc`*:: +*`rsa.misc.mbug_data`*:: + -- -This key is used to capture a description of an event available directly or inferred - type: keyword -- -*`rsa.misc.sig_id1`*:: +*`rsa.misc.misc_name`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: +*`rsa.misc.msg_type`*:: + -- type: keyword -- -*`rsa.misc.im_client`*:: +*`rsa.misc.msgid`*:: + -- type: keyword -- -*`rsa.misc.im_userid`*:: +*`rsa.misc.netsessid`*:: + -- type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.misc.num`*:: + -- type: keyword -- -*`rsa.misc.priority`*:: +*`rsa.misc.number1`*:: + -- type: keyword -- -*`rsa.misc.context_subject`*:: +*`rsa.misc.number2`*:: + -- -This key is to be used in an audit context where the subject is the object being identified - type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.misc.nwwn`*:: + -- type: keyword -- -*`rsa.misc.cve`*:: +*`rsa.misc.object`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - type: keyword -- -*`rsa.misc.fcatnum`*:: +*`rsa.misc.operation`*:: + -- -This key captures Filter Category Number. Legacy Usage - type: keyword -- -*`rsa.misc.library`*:: +*`rsa.misc.opkt`*:: + -- -This key is used to capture library information in mainframe devices - type: keyword -- -*`rsa.misc.parent_node`*:: +*`rsa.misc.orig_from`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. - type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.misc.owner_id`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.misc.p_action`*:: + -- -This key is captures the TCP flags set in any packet of session - -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.misc.p_filter`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.misc.p_group_object`*:: + -- -VMWare Target **VMWARE** only varaible. - type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.misc.p_id`*:: + -- -This key captures Workspace Description - type: keyword -- -*`rsa.misc.command`*:: +*`rsa.misc.p_msgid1`*:: + -- type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.misc.p_msgid2`*:: + -- type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.misc.p_result1`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.misc.password_chg`*:: + -- type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.misc.password_expire`*:: + -- type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.misc.permgranted`*:: + -- type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.misc.permwanted`*:: + -- type: keyword -- -*`rsa.misc.policy_waiver`*:: +*`rsa.misc.pgid`*:: + -- type: keyword -- -*`rsa.misc.second`*:: +*`rsa.misc.policyUUID`*:: + -- type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.misc.prog_asp_num`*:: + -- type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.misc.program`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.misc.real_data`*:: + -- type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.misc.rec_asp_device`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.misc.rec_asp_num`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.misc.rec_library`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.misc.recordnum`*:: + -- -This key captures the Filter Result - -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.misc.ruid`*:: + -- -This key is used to capture destination payload - type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.misc.sburb`*:: + -- -This key is used to capture source payload - type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.misc.sdomain_fld`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool - type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.misc.sec`*:: + -- -This key is a failure key for Process ID when it is not an integer value - type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.misc.sensorname`*:: + -- -This key captures Risk Number Community - -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.misc.seqnum`*:: + -- -This key captures Risk Number NextGen - -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.misc.session`*:: + -- -This key captures Risk Number SandBox - -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.misc.sessiontype`*:: + -- -This key captures Risk Number Static - -type: double +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`rsa.misc.sigUUID`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.spi`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.srcburb`*:: + -- -SNMP Object Identifier - type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.srcdom`*:: + -- -This key captures the SQL query - type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.misc.srcservice`*:: + -- -This key captures the Vulnerability Reference details - type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.state`*:: + -- type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.status1`*:: + -- type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.svcno`*:: + -- type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.system`*:: + -- type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.tbdstr1`*:: + -- type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.tgtdom`*:: + -- type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.tgtdomain`*:: + -- type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.threshold`*:: + -- type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.misc.type1`*:: + -- type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.udb_class`*:: + -- type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.url_fld`*:: + -- type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.user_div`*:: + -- type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.utcstamp`*:: + -- type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.v_instafname`*:: + -- type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.virt_data`*:: + -- type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.autorun_type`*:: + -- +This is used to capture Auto Run type + type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.cc_number`*:: + -- -type: keyword +Valid Credit Card Numbers only + +type: long -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.content`*:: + -- +This key captures the content type from protocol headers + type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.misc.ein_number`*:: + -- -type: keyword +Employee Identification Numbers only + +type: long -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.misc.found`*:: + -- +This is used to capture the results of regex match + type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.misc.language`*:: + -- +This is used to capture list of languages the client support and what it prefers + type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.lifetime`*:: + -- -type: keyword +This key is used to capture the session lifetime in seconds. + +type: long -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.link`*:: + -- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.misc.match`*:: + -- +This key is for regex match name from search.ini + type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.param_dst`*:: + -- +This key captures the command line/launch argument of the target process or file + type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.misc.param_src`*:: + -- +This key captures source parameter + type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.misc.search_text`*:: + -- +This key captures the Search Text used + type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.misc.sig_name`*:: + -- +This key is used to capture the Signature Name only. + type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.misc.snmp_value`*:: + -- +SNMP set request value + type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.streams`*:: + -- -type: keyword +This key captures number of streams in session + +type: long -- -*`rsa.misc.cn_flowsampmode`*:: + +*`rsa.db.index`*:: + -- +This key captures IndexID of the index. + type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.db.instance`*:: + -- +This key is used to capture the database server instance name + type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.db.database`*:: + -- +This key is used to capture the name of a database or an instance as seen in a session + type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.db.transact_id`*:: + -- +This key captures the SQL transantion ID of the current session + type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.db.permissions`*:: + -- +This key captures permission or privilege level assigned to a resource. + type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.db.table_name`*:: + -- +This key is used to capture the table name + type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.db.db_id`*:: + -- +This key is used to capture the unique identifier for a database + type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.db.db_pid`*:: + -- -type: keyword +This key captures the process id of a connection with database server + +type: long -- -*`rsa.misc.cn_log_did`*:: +*`rsa.db.lread`*:: + -- -type: keyword +This key is used for the number of logical reads + +type: long -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.db.lwrite`*:: + -- -type: keyword +This key is used for the number of logical writes + +type: long -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.db.pread`*:: + -- -type: keyword +This key is used for the number of physical writes + +type: long -- -*`rsa.misc.cn_maxpcktlen`*:: + +*`rsa.network.alias_host`*:: + -- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + type: keyword -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.network.host_dst`*:: + -- +This key should only be used when it’s a Destination Hostname + type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.network.network_service`*:: + -- +This is used to capture layer 7 protocols/service names + type: keyword -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.network.interface`*:: + -- +This key should be used when the source or destination context of an interface is not clear + type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.network.network_port`*:: + -- -type: keyword +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.network.eth_host`*:: + -- +Deprecated, use alias.mac + type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.network.sinterface`*:: + -- +This key should only be used when it’s a Source Interface + type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.network.dinterface`*:: + -- +This key should only be used when it’s a Destination Interface + type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.network.vlan`*:: + -- -type: keyword +This key should only be used to capture the ID of the Virtual LAN + +type: long -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.network.zone_src`*:: + -- +This key should only be used when it’s a Source Zone. + type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.network.zone`*:: + -- +This key should be used when the source or destination context of a Zone is not clear + type: keyword -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.network.zone_dst`*:: + -- +This key should only be used when it’s a Destination Zone. + type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.network.gateway`*:: + -- +This key is used to capture the IP Address of the gateway + type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.network.icmp_type`*:: + -- -type: keyword +This key is used to capture the ICMP type only + +type: long -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.network.mask`*:: + -- +This key is used to capture the device network IPmask. + type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.network.icmp_code`*:: + -- -type: keyword +This key is used to capture the ICMP code only + +type: long -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.network.protocol_detail`*:: + -- +This key should be used to capture additional protocol information + type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.network.dmask`*:: + -- +This key is used for Destionation Device network mask + type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.network.port`*:: + -- -type: keyword +This key should only be used to capture a Network Port when the directionality is not clear + +type: long -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.network.smask`*:: + -- +This key is used for capturing source Network Mask + type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.network.netname`*:: + -- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.network.paddr`*:: + -- -type: keyword +Deprecated + +type: ip -- -*`rsa.misc.cn_src_vlan`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`rsa.misc.cn_template_id`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.network.addr`*:: + -- type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`rsa.misc.comp_class`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.misc.comp_name`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`rsa.misc.comp_rbytes`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use host.dst + type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.network.eth_type`*:: + -- -type: keyword +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long -- -*`rsa.misc.criticality`*:: +*`rsa.network.ip_proto`*:: + -- -type: keyword +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`rsa.misc.cs_av_other`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.network.host_orig`*:: + -- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + type: keyword -- -*`rsa.misc.cs_data`*:: +*`rsa.network.rpayload`*:: + -- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.network.vlan_name`*:: + -- +This key should only be used to capture the name of the Virtual LAN + type: keyword -- -*`rsa.misc.cs_dst_tld`*:: + +*`rsa.investigations.ec_activity`*:: + -- +This key captures the particular event activity(Ex:Logoff) + type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.investigations.ec_theme`*:: + -- +This key captures the Theme of a particular Event(Ex:Authentication) + type: keyword -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.investigations.ec_subject`*:: + -- +This key captures the Subject of a particular Event(Ex:User) + type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`rsa.investigations.ec_outcome`*:: + -- +This key captures the outcome of a particular Event(Ex:Success) + type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`rsa.investigations.event_cat`*:: + -- -type: keyword +This key captures the Event category number + +type: long -- -*`rsa.misc.cs_fld`*:: +*`rsa.investigations.event_cat_name`*:: + -- +This key captures the event category name corresponding to the event cat code + type: keyword -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.investigations.event_vcat`*:: + -- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`rsa.investigations.analysis_file`*:: + -- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + type: keyword -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.investigations.analysis_service`*:: + -- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.investigations.analysis_session`*:: + -- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.investigations.boc`*:: + -- +This is used to capture behaviour of compromise + type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.investigations.eoc`*:: + -- +This is used to capture Enablers of Compromise + type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.investigations.inv_category`*:: + -- +This used to capture investigation category + type: keyword -- -*`rsa.misc.cs_loginname`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context + type: keyword -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.investigations.ioc`*:: + -- +This is key capture indicator of compromise + type: keyword -- -*`rsa.misc.cs_modulesign`*:: + +*`rsa.counters.dclass_c1`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long -- -*`rsa.misc.cs_opswatresult`*:: +*`rsa.counters.dclass_c2`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long -- -*`rsa.misc.cs_payload`*:: +*`rsa.counters.event_counter`*:: + -- -type: keyword +This is used to capture the number of times an event repeated + +type: long -- -*`rsa.misc.cs_registrant`*:: +*`rsa.counters.dclass_r1`*:: + -- +This is a generic ratio key that should be used with the label dclass.r1.str only + type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.counters.dclass_c3`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long -- -*`rsa.misc.cs_represult`*:: +*`rsa.counters.dclass_c1_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c1 only + type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.counters.dclass_c2_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c2 only + type: keyword -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.counters.dclass_r1_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r1 only + type: keyword -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.counters.dclass_r2`*:: + -- +This is a generic ratio key that should be used with the label dclass.r2.str only + type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.counters.dclass_c3_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c3 only + type: keyword -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.counters.dclass_r3`*:: + -- +This is a generic ratio key that should be used with the label dclass.r3.str only + type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.counters.dclass_r2_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r2 only + type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.counters.dclass_r3_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r3 only + type: keyword -- -*`rsa.misc.cs_yararesult`*:: + +*`rsa.identity.auth_method`*:: + -- +This key is used to capture authentication methods used only + type: keyword -- -*`rsa.misc.description`*:: +*`rsa.identity.user_role`*:: + -- +This key is used to capture the Role of a user only + type: keyword -- -*`rsa.misc.devvendor`*:: +*`rsa.identity.dn`*:: + -- +X.500 (LDAP) Distinguished Name + type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.identity.logon_type`*:: + -- +This key is used to capture the type of logon method used. + type: keyword -- -*`rsa.misc.dstburb`*:: +*`rsa.identity.profile`*:: + -- +This key is used to capture the user profile + type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.identity.accesses`*:: + -- +This key is used to capture actual privileges used in accessing an object + type: keyword -- -*`rsa.misc.edomaub`*:: +*`rsa.identity.realm`*:: + -- +Radius realm or similar grouping of accounts + type: keyword -- -*`rsa.misc.euid`*:: +*`rsa.identity.user_sid_dst`*:: + -- +This key captures Destination User Session ID + type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.identity.dn_src`*:: + -- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + type: keyword -- -*`rsa.misc.finterface`*:: +*`rsa.identity.org`*:: + -- +This key captures the User organization + type: keyword -- -*`rsa.misc.flags`*:: +*`rsa.identity.dn_dst`*:: + -- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + type: keyword -- -*`rsa.misc.gaddr`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.id3`*:: +*`rsa.identity.lastname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.identity.user_dept`*:: + -- +User's Department Names only + type: keyword -- -*`rsa.misc.im_croomid`*:: +*`rsa.identity.user_sid_src`*:: + -- +This key captures Source User Session ID + type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.identity.federated_sp`*:: + -- +This key is the Federated Service Provider. This is the application requesting authentication. + type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.identity.federated_idp`*:: + -- +This key is the federated Identity Provider. This is the server providing the authentication. + type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.identity.logon_type_desc`*:: + -- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.identity.middlename`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.ipscat`*:: +*`rsa.identity.password`*:: + -- +This key is for Passwords seen in any session, plain text or encrypted + type: keyword -- -*`rsa.misc.ipspri`*:: +*`rsa.identity.host_role`*:: + -- +This key should only be used to capture the role of a Host Machine + type: keyword -- -*`rsa.misc.latitude`*:: +*`rsa.identity.ldap`*:: + -- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + type: keyword -- -*`rsa.misc.linenum`*:: +*`rsa.identity.ldap_query`*:: + -- +This key is the Search criteria from an LDAP search + type: keyword -- -*`rsa.misc.list_name`*:: +*`rsa.identity.ldap_response`*:: + -- +This key is to capture Results from an LDAP search + type: keyword -- -*`rsa.misc.load_data`*:: +*`rsa.identity.owner`*:: + -- +This is used to capture username the process or service is running as, the author of the task + type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.identity.service_account`*:: + -- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + type: keyword -- -*`rsa.misc.location_mark`*:: + +*`rsa.email.email_dst`*:: + -- +This key is used to capture the Destination email address only, when the destination context is not clear use email + type: keyword -- -*`rsa.misc.log_id`*:: +*`rsa.email.email_src`*:: + -- +This key is used to capture the source email address only, when the source context is not clear use email + type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.email.subject`*:: + -- +This key is used to capture the subject string from an Email only. + type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.email.email`*:: + -- +This key is used to capture a generic email address where the source or destination context is not clear + type: keyword -- -*`rsa.misc.logip`*:: +*`rsa.email.trans_from`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.logname`*:: +*`rsa.email.trans_to`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.longitude`*:: + +*`rsa.file.privilege`*:: + -- +Deprecated, use permissions + type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.file.attachment`*:: + -- +This key captures the attachment file name + type: keyword -- -*`rsa.misc.mbug_data`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.file.binary`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.msg_type`*:: +*`rsa.file.filename_dst`*:: + -- +This is used to capture name of the file targeted by the action + type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.file.filename_src`*:: + -- +This is used to capture name of the parent filename, the file which performed the action + type: keyword -- -*`rsa.misc.netsessid`*:: +*`rsa.file.filename_tmp`*:: + -- type: keyword -- -*`rsa.misc.num`*:: +*`rsa.file.directory_dst`*:: + -- +This key is used to capture the directory of the target process or file + type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.file.directory_src`*:: + -- +This key is used to capture the directory of the source process or file + type: keyword -- -*`rsa.misc.number2`*:: +*`rsa.file.file_entropy`*:: + -- -type: keyword +This is used to capture entropy vale of a file + +type: double -- -*`rsa.misc.nwwn`*:: +*`rsa.file.file_vendor`*:: + -- +This is used to capture Company name of file located in version_info + type: keyword -- -*`rsa.misc.object`*:: +*`rsa.file.task_name`*:: + -- +This is used to capture name of the task + type: keyword -- -*`rsa.misc.operation`*:: + +*`rsa.web.fqdn`*:: + -- +Fully Qualified Domain Names + type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.web.web_cookie`*:: + -- +This key is used to capture the Web cookies specifically. + type: keyword -- -*`rsa.misc.orig_from`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`rsa.misc.owner_id`*:: +*`rsa.web.reputation_num`*:: + -- -type: keyword +Reputation Number of an entity. Typically used for Web Domains + +type: double -- -*`rsa.misc.p_action`*:: +*`rsa.web.web_ref_domain`*:: + -- +Web referer's domain + type: keyword -- -*`rsa.misc.p_filter`*:: +*`rsa.web.web_ref_query`*:: + -- +This key captures Web referer's query portion of the URL + type: keyword -- -*`rsa.misc.p_group_object`*:: +*`rsa.web.remote_domain`*:: + -- type: keyword -- -*`rsa.misc.p_id`*:: +*`rsa.web.web_ref_page`*:: + -- +This key captures Web referer's page information + type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`rsa.web.web_ref_root`*:: + -- +Web referer's root URL path + type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`rsa.misc.p_result1`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`rsa.misc.password_chg`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`rsa.misc.password_expire`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`rsa.misc.permwanted`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`rsa.misc.pgid`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`rsa.misc.policyUUID`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`rsa.misc.program`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`rsa.misc.real_data`*:: +*`rsa.web.web_page`*:: + -- type: keyword -- -*`rsa.misc.rec_asp_device`*:: + +*`rsa.threat.threat_category`*:: + -- +This key captures Threat Name/Threat Category/Categorization of alert + type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.threat.threat_desc`*:: + -- +This key is used to capture the threat description from the session directly or inferred + type: keyword -- -*`rsa.misc.rec_library`*:: +*`rsa.threat.alert`*:: + -- +This key is used to capture name of the alert + type: keyword -- -*`rsa.misc.recordnum`*:: +*`rsa.threat.threat_source`*:: + -- +This key is used to capture source of the threat + type: keyword -- -*`rsa.misc.ruid`*:: + +*`rsa.crypto.crypto`*:: + -- +This key is used to capture the Encryption Type or Encryption Key only + type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.crypto.cipher_src`*:: + -- +This key is for Source (Client) Cipher + type: keyword -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.crypto.cert_subject`*:: + -- +This key is used to capture the Certificate organization only + type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.crypto.peer`*:: + -- +This key is for Encryption peer's IP Address + type: keyword -- -*`rsa.misc.sensorname`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -type: keyword +This key captures Source (Client) Cipher Size + +type: long -- -*`rsa.misc.seqnum`*:: +*`rsa.crypto.ike`*:: + -- +IKE negotiation phase. + type: keyword -- -*`rsa.misc.session`*:: +*`rsa.crypto.scheme`*:: + -- +This key captures the Encryption scheme used + type: keyword -- -*`rsa.misc.sessiontype`*:: +*`rsa.crypto.peer_id`*:: + -- +This key is for Encryption peer’s identity + type: keyword -- -*`rsa.misc.sigUUID`*:: +*`rsa.crypto.sig_type`*:: + -- +This key captures the Signature Type + type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.crypto.cert_issuer`*:: + -- type: keyword -- -*`rsa.misc.srcburb`*:: +*`rsa.crypto.cert_host_name`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.crypto.cert_error`*:: + -- +This key captures the Certificate Error String + type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.crypto.cipher_dst`*:: + -- +This key is for Destination (Server) Cipher + type: keyword -- -*`rsa.misc.state`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -type: keyword +This key captures Destination (Server) Cipher Size + +type: long -- -*`rsa.misc.status1`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- -*`rsa.misc.system`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`rsa.crypto.ike_cookie1`*:: + -- +ID of the negotiation — sent for ISAKMP Phase One + type: keyword -- -*`rsa.misc.tgtdom`*:: +*`rsa.crypto.ike_cookie2`*:: + -- +ID of the negotiation — sent for ISAKMP Phase Two + type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.crypto.cert_host_cat`*:: + -- +This key is used for the hostname category value of a certificate + type: keyword -- -*`rsa.misc.type1`*:: +*`rsa.crypto.cert_serial`*:: + -- +This key is used to capture the Certificate serial number only + type: keyword -- -*`rsa.misc.udb_class`*:: +*`rsa.crypto.cert_status`*:: + -- +This key captures Certificate validation status + type: keyword -- -*`rsa.misc.url_fld`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- +Deprecated, use version + type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`rsa.misc.userid`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`rsa.misc.username_fld`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`rsa.misc.utcstamp`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`rsa.misc.v_instafname`*:: +*`rsa.crypto.cert_ca`*:: + -- +This key is used to capture the Certificate signing authority only + type: keyword -- -*`rsa.misc.virt_data`*:: +*`rsa.crypto.cert_common`*:: + -- +This key is used to capture the Certificate common name only + type: keyword -- -*`rsa.misc.vpnid`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- +This key is used to capture the ssid of a Wireless Session + type: keyword -- -*`rsa.misc.autorun_type`*:: +*`rsa.wireless.access_point`*:: + -- -This is used to capture Auto Run type +This key is used to capture the access point name. type: keyword -- -*`rsa.misc.cc_number`*:: +*`rsa.wireless.wlan_channel`*:: + -- -Valid Credit Card Numbers only +This is used to capture the channel names type: long -- -*`rsa.misc.content`*:: +*`rsa.wireless.wlan_name`*:: + -- -This key captures the content type from protocol headers +This key captures either WLAN number/name type: keyword -- -*`rsa.misc.ein_number`*:: + +*`rsa.storage.disk_volume`*:: + -- -Employee Identification Numbers only +A unique name assigned to logical units (volumes) within a physical disk -type: long +type: keyword -- -*`rsa.misc.found`*:: +*`rsa.storage.lun`*:: + -- -This is used to capture the results of regex match +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -- -*`rsa.misc.language`*:: +*`rsa.storage.pwwn`*:: + -- -This is used to capture list of languages the client support and what it prefers +This uniquely identifies a port on a HBA. type: keyword -- -*`rsa.misc.lifetime`*:: + +*`rsa.physical.org_dst`*:: + -- -This key is used to capture the session lifetime in seconds. +This is used to capture the destination organization based on the GEOPIP Maxmind database. -type: long +type: keyword -- -*`rsa.misc.link`*:: +*`rsa.physical.org_src`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This is used to capture the source organization based on the GEOPIP Maxmind database. type: keyword -- -*`rsa.misc.match`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -This key is for regex match name from search.ini +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.misc.param_dst`*:: +*`rsa.healthcare.patient_id`*:: + -- -This key captures the command line/launch argument of the target process or file +This key captures the unique ID for a patient type: keyword -- -*`rsa.misc.param_src`*:: +*`rsa.healthcare.patient_lname`*:: + -- -This key captures source parameter +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.misc.search_text`*:: +*`rsa.healthcare.patient_mname`*:: + -- -This key captures the Search Text used +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.misc.sig_name`*:: + +*`rsa.endpoint.host_state`*:: + -- -This key is used to capture the Signature Name only. +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`rsa.misc.snmp_value`*:: +*`rsa.endpoint.registry_key`*:: + -- -SNMP set request value +This key captures the path to the registry key type: keyword -- -*`rsa.misc.streams`*:: +*`rsa.endpoint.registry_value`*:: + -- -This key captures number of streams in session +This key captures values or decorators used within a registry entry -type: long +type: keyword -- +[[exported-fields-system]] +== System fields + +Module for parsing system log files. -*`rsa.db.index`*:: + + +[float] +=== system + +Fields from the system log files. + + + +[float] +=== auth + +Fields from the Linux authorization logs. + + + +*`system.auth.timestamp`*:: + -- -This key captures IndexID of the index. +type: alias -type: keyword +alias to: @timestamp -- -*`rsa.db.instance`*:: +*`system.auth.hostname`*:: + -- -This key is used to capture the database server instance name +type: alias -type: keyword +alias to: host.hostname -- -*`rsa.db.database`*:: +*`system.auth.program`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session +type: alias -type: keyword +alias to: process.name -- -*`rsa.db.transact_id`*:: +*`system.auth.pid`*:: + -- -This key captures the SQL transantion ID of the current session +type: alias -type: keyword +alias to: process.pid -- -*`rsa.db.permissions`*:: +*`system.auth.message`*:: + -- -This key captures permission or privilege level assigned to a resource. +type: alias -type: keyword +alias to: message -- -*`rsa.db.table_name`*:: +*`system.auth.user`*:: + -- -This key is used to capture the table name +type: alias -type: keyword +alias to: user.name -- -*`rsa.db.db_id`*:: + +*`system.auth.ssh.method`*:: + -- -This key is used to capture the unique identifier for a database +The SSH authentication method. Can be one of "password" or "publickey". -type: keyword -- -*`rsa.db.db_pid`*:: +*`system.auth.ssh.signature`*:: + -- -This key captures the process id of a connection with database server +The signature of the client public key. -type: long -- -*`rsa.db.lread`*:: +*`system.auth.ssh.dropped_ip`*:: + -- -This key is used for the number of logical reads +The client IP from SSH connections that are open and immediately dropped. -type: long + +type: ip -- -*`rsa.db.lwrite`*:: +*`system.auth.ssh.event`*:: + -- -This key is used for the number of logical writes +The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) -type: long + +example: Accepted -- -*`rsa.db.pread`*:: +*`system.auth.ssh.ip`*:: + -- -This key is used for the number of physical writes +type: alias -type: long +alias to: source.ip -- - -*`rsa.network.alias_host`*:: +*`system.auth.ssh.port`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. +type: alias -type: keyword +alias to: source.port -- -*`rsa.network.domain`*:: + +*`system.auth.ssh.geoip.continent_name`*:: + -- -type: keyword +type: alias + +alias to: source.geo.continent_name -- -*`rsa.network.host_dst`*:: +*`system.auth.ssh.geoip.country_iso_code`*:: + -- -This key should only be used when it’s a Destination Hostname +type: alias -type: keyword +alias to: source.geo.country_iso_code -- -*`rsa.network.network_service`*:: +*`system.auth.ssh.geoip.location`*:: + -- -This is used to capture layer 7 protocols/service names +type: alias -type: keyword +alias to: source.geo.location -- -*`rsa.network.interface`*:: +*`system.auth.ssh.geoip.region_name`*:: + -- -This key should be used when the source or destination context of an interface is not clear +type: alias -type: keyword +alias to: source.geo.region_name -- -*`rsa.network.network_port`*:: +*`system.auth.ssh.geoip.city_name`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) +type: alias -type: long +alias to: source.geo.city_name -- -*`rsa.network.eth_host`*:: +*`system.auth.ssh.geoip.region_iso_code`*:: + -- -Deprecated, use alias.mac +type: alias -type: keyword +alias to: source.geo.region_iso_code -- -*`rsa.network.sinterface`*:: +[float] +=== sudo + +Fields specific to events created by the `sudo` command. + + + +*`system.auth.sudo.error`*:: + -- -This key should only be used when it’s a Source Interface +The error message in case the sudo command failed. -type: keyword + +example: user NOT in sudoers -- -*`rsa.network.dinterface`*:: +*`system.auth.sudo.tty`*:: + -- -This key should only be used when it’s a Destination Interface +The TTY where the sudo command is executed. -type: keyword -- -*`rsa.network.vlan`*:: +*`system.auth.sudo.pwd`*:: + -- -This key should only be used to capture the ID of the Virtual LAN +The current directory where the sudo command is executed. -type: long -- -*`rsa.network.zone_src`*:: +*`system.auth.sudo.user`*:: + -- -This key should only be used when it’s a Source Zone. +The target user to which the sudo command is switching. -type: keyword + +example: root -- -*`rsa.network.zone`*:: +*`system.auth.sudo.command`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +The command executed via sudo. -type: keyword -- -*`rsa.network.zone_dst`*:: +[float] +=== useradd + +Fields specific to events created by the `useradd` command. + + + +*`system.auth.useradd.home`*:: + -- -This key should only be used when it’s a Destination Zone. +The home folder for the new user. -type: keyword +-- +*`system.auth.useradd.shell`*:: ++ -- +The default shell for the new user. -*`rsa.network.gateway`*:: +-- + +*`system.auth.useradd.name`*:: + -- -This key is used to capture the IP Address of the gateway +type: alias -type: keyword +alias to: user.name -- -*`rsa.network.icmp_type`*:: +*`system.auth.useradd.uid`*:: + -- -This key is used to capture the ICMP type only +type: alias -type: long +alias to: user.id -- -*`rsa.network.mask`*:: +*`system.auth.useradd.gid`*:: + -- -This key is used to capture the device network IPmask. +type: alias -type: keyword +alias to: group.id -- -*`rsa.network.icmp_code`*:: +[float] +=== groupadd + +Fields specific to events created by the `groupadd` command. + + + +*`system.auth.groupadd.name`*:: + -- -This key is used to capture the ICMP code only +type: alias -type: long +alias to: group.name -- -*`rsa.network.protocol_detail`*:: +*`system.auth.groupadd.gid`*:: + -- -This key should be used to capture additional protocol information +type: alias -type: keyword +alias to: group.id -- -*`rsa.network.dmask`*:: +[float] +=== syslog + +Contains fields from the syslog system logs. + + + +*`system.syslog.timestamp`*:: + -- -This key is used for Destionation Device network mask +type: alias -type: keyword +alias to: @timestamp -- -*`rsa.network.port`*:: +*`system.syslog.hostname`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear +type: alias -type: long +alias to: host.hostname -- -*`rsa.network.smask`*:: +*`system.syslog.program`*:: + -- -This key is used for capturing source Network Mask +type: alias -type: keyword +alias to: process.name -- -*`rsa.network.netname`*:: +*`system.syslog.pid`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. +type: alias -type: keyword +alias to: process.pid -- -*`rsa.network.paddr`*:: +*`system.syslog.message`*:: + -- -Deprecated +type: alias -type: ip +alias to: message -- -*`rsa.network.faddr`*:: +[[exported-fields-tomcat]] +== Apache Tomcat fields + +tomcat fields. + + + +*`network.interface.name`*:: + -- +Name of the network interface where the traffic has been observed. + + type: keyword -- -*`rsa.network.lhost`*:: + + +*`rsa.internal.msg`*:: + -- +This key is used to capture the raw message that comes into the Log Decoder + type: keyword -- -*`rsa.network.origin`*:: +*`rsa.internal.messageid`*:: + -- type: keyword -- -*`rsa.network.remote_domain_id`*:: +*`rsa.internal.event_desc`*:: + -- type: keyword -- -*`rsa.network.addr`*:: +*`rsa.internal.message`*:: + -- +This key captures the contents of instant messages + type: keyword -- -*`rsa.network.dns_a_record`*:: +*`rsa.internal.time`*:: + -- -type: keyword +This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. + +type: date -- -*`rsa.network.dns_ptr_record`*:: +*`rsa.internal.level`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.network.fhost`*:: +*`rsa.internal.msg_id`*:: + -- +This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.fport`*:: +*`rsa.internal.msg_vid`*:: + -- +This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.laddr`*:: +*`rsa.internal.data`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.linterface`*:: +*`rsa.internal.obj_server`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.phost`*:: +*`rsa.internal.obj_val`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.ad_computer_dst`*:: +*`rsa.internal.resource`*:: + -- -Deprecated, use host.dst +Deprecated key defined only in table map. type: keyword -- -*`rsa.network.eth_type`*:: +*`rsa.internal.obj_id`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only +Deprecated key defined only in table map. -type: long +type: keyword -- -*`rsa.network.ip_proto`*:: +*`rsa.internal.statement`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +Deprecated key defined only in table map. -type: long +type: keyword -- -*`rsa.network.dns_cname_record`*:: +*`rsa.internal.audit_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.dns_id`*:: +*`rsa.internal.entry`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.dns_opcode`*:: +*`rsa.internal.hcode`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.dns_resp`*:: +*`rsa.internal.inode`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.network.dns_type`*:: +*`rsa.internal.resource_class`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.network.domain1`*:: +*`rsa.internal.dead`*:: + -- -type: keyword +Deprecated key defined only in table map. + +type: long -- -*`rsa.network.host_type`*:: +*`rsa.internal.feed_desc`*:: + -- +This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.packet_length`*:: +*`rsa.internal.feed_name`*:: + -- +This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.network.host_orig`*:: +*`rsa.internal.cid`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. +This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.network.rpayload`*:: +*`rsa.internal.device_class`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. +This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.network.vlan_name`*:: +*`rsa.internal.device_group`*:: + -- -This key should only be used to capture the name of the Virtual LAN +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- - -*`rsa.investigations.ec_activity`*:: +*`rsa.internal.device_host`*:: + -- -This key captures the particular event activity(Ex:Logoff) +This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.investigations.ec_theme`*:: +*`rsa.internal.device_ip`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) +This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.investigations.ec_subject`*:: +*`rsa.internal.device_ipv6`*:: + -- -This key captures the Subject of a particular Event(Ex:User) +This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.investigations.ec_outcome`*:: +*`rsa.internal.device_type`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) +This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.investigations.event_cat`*:: +*`rsa.internal.device_type_id`*:: + -- -This key captures the Event category number +Deprecated key defined only in table map. type: long -- -*`rsa.investigations.event_cat_name`*:: +*`rsa.internal.did`*:: + -- -This key captures the event category name corresponding to the event cat code +This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.investigations.event_vcat`*:: +*`rsa.internal.entropy_req`*:: + -- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`rsa.investigations.analysis_file`*:: +*`rsa.internal.entropy_res`*:: + -- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file +This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration -type: keyword +type: long -- -*`rsa.investigations.analysis_service`*:: +*`rsa.internal.event_name`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +Deprecated key defined only in table map. type: keyword -- -*`rsa.investigations.analysis_session`*:: +*`rsa.internal.feed_category`*:: + -- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session +This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.investigations.boc`*:: +*`rsa.internal.forward_ip`*:: + -- -This is used to capture behaviour of compromise +This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. -type: keyword +type: ip -- -*`rsa.investigations.eoc`*:: +*`rsa.internal.forward_ipv6`*:: + -- -This is used to capture Enablers of Compromise +This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: ip -- -*`rsa.investigations.inv_category`*:: +*`rsa.internal.header_id`*:: + -- -This used to capture investigation category +This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.investigations.inv_context`*:: +*`rsa.internal.lc_cid`*:: + -- -This used to capture investigation context +This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.investigations.ioc`*:: +*`rsa.internal.lc_ctime`*:: + -- -This is key capture indicator of compromise +This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: date -- - -*`rsa.counters.dclass_c1`*:: +*`rsa.internal.mcb_req`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only +This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most type: long -- -*`rsa.counters.dclass_c2`*:: +*`rsa.internal.mcb_res`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only +This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most type: long -- -*`rsa.counters.event_counter`*:: +*`rsa.internal.mcbc_req`*:: + -- -This is used to capture the number of times an event repeated +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams type: long -- -*`rsa.counters.dclass_r1`*:: +*`rsa.internal.mcbc_res`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams -type: keyword +type: long -- -*`rsa.counters.dclass_c3`*:: +*`rsa.internal.medium`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session type: long -- -*`rsa.counters.dclass_c1_str`*:: +*`rsa.internal.node_name`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +Deprecated key defined only in table map. type: keyword -- -*`rsa.counters.dclass_c2_str`*:: +*`rsa.internal.nwe_callback_id`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only +This key denotes that event is endpoint related type: keyword -- -*`rsa.counters.dclass_r1_str`*:: +*`rsa.internal.parse_error`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only +This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.counters.dclass_r2`*:: +*`rsa.internal.payload_req`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`rsa.counters.dclass_c3_str`*:: +*`rsa.internal.payload_res`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep -type: keyword +type: long -- -*`rsa.counters.dclass_r3`*:: +*`rsa.internal.process_vid_dst`*:: + -- -This is a generic ratio key that should be used with the label dclass.r3.str only +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. type: keyword -- -*`rsa.counters.dclass_r2_str`*:: +*`rsa.internal.process_vid_src`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only +Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. type: keyword -- -*`rsa.counters.dclass_r3_str`*:: +*`rsa.internal.rid`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only +This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- - -*`rsa.identity.auth_method`*:: +*`rsa.internal.session_split`*:: + -- -This key is used to capture authentication methods used only +This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.identity.user_role`*:: +*`rsa.internal.site`*:: + -- -This key is used to capture the Role of a user only +Deprecated key defined only in table map. type: keyword -- -*`rsa.identity.dn`*:: +*`rsa.internal.size`*:: + -- -X.500 (LDAP) Distinguished Name +This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness -type: keyword +type: long -- -*`rsa.identity.logon_type`*:: +*`rsa.internal.sourcefile`*:: + -- -This key is used to capture the type of logon method used. +This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness type: keyword -- -*`rsa.identity.profile`*:: +*`rsa.internal.ubc_req`*:: + -- -This key is used to capture the user profile +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.identity.accesses`*:: +*`rsa.internal.ubc_res`*:: + -- -This key is used to capture actual privileges used in accessing an object +This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once -type: keyword +type: long -- -*`rsa.identity.realm`*:: +*`rsa.internal.word`*:: + -- -Radius realm or similar grouping of accounts +This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log type: keyword -- -*`rsa.identity.user_sid_dst`*:: + +*`rsa.time.event_time`*:: + -- -This key captures Destination User Session ID +This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form -type: keyword +type: date -- -*`rsa.identity.dn_src`*:: +*`rsa.time.duration_time`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn +This key is used to capture the normalized duration/lifetime in seconds. -type: keyword +type: double -- -*`rsa.identity.org`*:: +*`rsa.time.event_time_str`*:: + -- -This key captures the User organization +This key is used to capture the incomplete time mentioned in a session as a string type: keyword -- -*`rsa.identity.dn_dst`*:: +*`rsa.time.starttime`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn +This key is used to capture the Start time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.identity.firstname`*:: +*`rsa.time.month`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.lastname`*:: +*`rsa.time.day`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.identity.user_dept`*:: +*`rsa.time.endtime`*:: + -- -User's Department Names only +This key is used to capture the End time mentioned in a session in a standard form -type: keyword +type: date -- -*`rsa.identity.user_sid_src`*:: +*`rsa.time.timezone`*:: + -- -This key captures Source User Session ID +This key is used to capture the timezone of the Event Time type: keyword -- -*`rsa.identity.federated_sp`*:: +*`rsa.time.duration_str`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. +A text string version of the duration type: keyword -- -*`rsa.identity.federated_idp`*:: +*`rsa.time.date`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. - type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`rsa.time.year`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - type: keyword -- -*`rsa.identity.middlename`*:: +*`rsa.time.recorded_time`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. -type: keyword +type: date -- -*`rsa.identity.password`*:: +*`rsa.time.datetime`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted - type: keyword -- -*`rsa.identity.host_role`*:: +*`rsa.time.effective_time`*:: + -- -This key should only be used to capture the role of a Host Machine +This key is the effective time referenced by an individual event in a Standard Timestamp format -type: keyword +type: date -- -*`rsa.identity.ldap`*:: +*`rsa.time.expire_time`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context +This key is the timestamp that explicitly refers to an expiration. -type: keyword +type: date -- -*`rsa.identity.ldap_query`*:: +*`rsa.time.process_time`*:: + -- -This key is the Search criteria from an LDAP search +Deprecated, use duration.time type: keyword -- -*`rsa.identity.ldap_response`*:: +*`rsa.time.hour`*:: + -- -This key is to capture Results from an LDAP search - type: keyword -- -*`rsa.identity.owner`*:: +*`rsa.time.min`*:: + -- -This is used to capture username the process or service is running as, the author of the task - type: keyword -- -*`rsa.identity.service_account`*:: +*`rsa.time.timestamp`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - type: keyword -- - -*`rsa.email.email_dst`*:: +*`rsa.time.event_queue_time`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email +This key is the Time that the event was queued. -type: keyword +type: date -- -*`rsa.email.email_src`*:: +*`rsa.time.p_time1`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email - type: keyword -- -*`rsa.email.subject`*:: +*`rsa.time.tzone`*:: + -- -This key is used to capture the subject string from an Email only. - type: keyword -- -*`rsa.email.email`*:: +*`rsa.time.eventtime`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear - type: keyword -- -*`rsa.email.trans_from`*:: +*`rsa.time.gmtdate`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.email.trans_to`*:: +*`rsa.time.gmttime`*:: + -- -Deprecated key defined only in table map. - type: keyword -- - -*`rsa.file.privilege`*:: +*`rsa.time.p_date`*:: + -- -Deprecated, use permissions - type: keyword -- -*`rsa.file.attachment`*:: +*`rsa.time.p_month`*:: + -- -This key captures the attachment file name - type: keyword -- -*`rsa.file.filesystem`*:: +*`rsa.time.p_time`*:: + -- type: keyword -- -*`rsa.file.binary`*:: +*`rsa.time.p_time2`*:: + -- -Deprecated key defined only in table map. +type: keyword +-- + +*`rsa.time.p_year`*:: ++ +-- type: keyword -- -*`rsa.file.filename_dst`*:: +*`rsa.time.expire_time_str`*:: + -- -This is used to capture name of the file targeted by the action +This key is used to capture incomplete timestamp that explicitly refers to an expiration. type: keyword -- -*`rsa.file.filename_src`*:: +*`rsa.time.stamp`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +Deprecated key defined only in table map. -type: keyword +type: date -- -*`rsa.file.filename_tmp`*:: + +*`rsa.misc.action`*:: + -- type: keyword -- -*`rsa.file.directory_dst`*:: +*`rsa.misc.result`*:: + -- -This key is used to capture the directory of the target process or file +This key is used to capture the outcome/result string value of an action in a session. type: keyword -- -*`rsa.file.directory_src`*:: +*`rsa.misc.severity`*:: + -- -This key is used to capture the directory of the source process or file +This key is used to capture the severity given the session type: keyword -- -*`rsa.file.file_entropy`*:: +*`rsa.misc.event_type`*:: + -- -This is used to capture entropy vale of a file +This key captures the event category type as specified by the event source. -type: double +type: keyword -- -*`rsa.file.file_vendor`*:: +*`rsa.misc.reference_id`*:: + -- -This is used to capture Company name of file located in version_info +This key is used to capture an event id from the session directly type: keyword -- -*`rsa.file.task_name`*:: +*`rsa.misc.version`*:: + -- -This is used to capture name of the task +This key captures Version of the application or OS which is generating the event. type: keyword -- - -*`rsa.web.fqdn`*:: +*`rsa.misc.disposition`*:: + -- -Fully Qualified Domain Names +This key captures the The end state of an action. type: keyword -- -*`rsa.web.web_cookie`*:: +*`rsa.misc.result_code`*:: + -- -This key is used to capture the Web cookies specifically. +This key is used to capture the outcome/result numeric value of an action in a session type: keyword -- -*`rsa.web.alias_host`*:: +*`rsa.misc.category`*:: + -- +This key is used to capture the category of an event given by the vendor in the session + type: keyword -- -*`rsa.web.reputation_num`*:: +*`rsa.misc.obj_name`*:: + -- -Reputation Number of an entity. Typically used for Web Domains +This is used to capture name of object -type: double +type: keyword -- -*`rsa.web.web_ref_domain`*:: +*`rsa.misc.obj_type`*:: + -- -Web referer's domain +This is used to capture type of object type: keyword -- -*`rsa.web.web_ref_query`*:: +*`rsa.misc.event_source`*:: + -- -This key captures Web referer's query portion of the URL +This key captures Source of the event that’s not a hostname type: keyword -- -*`rsa.web.remote_domain`*:: +*`rsa.misc.log_session_id`*:: + -- +This key is used to capture a sessionid from the session directly + type: keyword -- -*`rsa.web.web_ref_page`*:: +*`rsa.misc.group`*:: + -- -This key captures Web referer's page information +This key captures the Group Name value type: keyword -- -*`rsa.web.web_ref_root`*:: +*`rsa.misc.policy_name`*:: + -- -Web referer's root URL path +This key is used to capture the Policy Name only. type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`rsa.misc.rule_name`*:: + -- +This key captures the Rule Name + type: keyword -- -*`rsa.web.cn_rpackets`*:: +*`rsa.misc.context`*:: + -- +This key captures Information which adds additional context to the event. + type: keyword -- -*`rsa.web.urlpage`*:: +*`rsa.misc.change_new`*:: + -- +This key is used to capture the new values of the attribute that’s changing in a session + type: keyword -- -*`rsa.web.urlroot`*:: +*`rsa.misc.space`*:: + -- type: keyword -- -*`rsa.web.p_url`*:: +*`rsa.misc.client`*:: + -- +This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. + type: keyword -- -*`rsa.web.p_user_agent`*:: +*`rsa.misc.msgIdPart1`*:: + -- type: keyword -- -*`rsa.web.p_web_cookie`*:: +*`rsa.misc.msgIdPart2`*:: + -- type: keyword -- -*`rsa.web.p_web_method`*:: +*`rsa.misc.change_old`*:: + -- +This key is used to capture the old value of the attribute that’s changing in a session + type: keyword -- -*`rsa.web.p_web_referer`*:: +*`rsa.misc.operation_id`*:: + -- +An alert number or operation number. The values should be unique and non-repeating. + type: keyword -- -*`rsa.web.web_extension_tmp`*:: +*`rsa.misc.event_state`*:: + -- +This key captures the current state of the object/item referenced within the event. Describing an on-going event. + type: keyword -- -*`rsa.web.web_page`*:: +*`rsa.misc.group_object`*:: + -- +This key captures a collection/grouping of entities. Specific usage + type: keyword -- - -*`rsa.threat.threat_category`*:: +*`rsa.misc.node`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert +Common use case is the node name within a cluster. The cluster name is reflected by the host name. type: keyword -- -*`rsa.threat.threat_desc`*:: +*`rsa.misc.rule`*:: + -- -This key is used to capture the threat description from the session directly or inferred +This key captures the Rule number type: keyword -- -*`rsa.threat.alert`*:: +*`rsa.misc.device_name`*:: + -- -This key is used to capture name of the alert +This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc type: keyword -- -*`rsa.threat.threat_source`*:: +*`rsa.misc.param`*:: + -- -This key is used to capture source of the threat +This key is the parameters passed as part of a command or application, etc. type: keyword -- - -*`rsa.crypto.crypto`*:: +*`rsa.misc.change_attrib`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only +This key is used to capture the name of the attribute that’s changing in a session type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`rsa.misc.event_computer`*:: + -- -This key is for Source (Client) Cipher +This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`rsa.misc.reference_id1`*:: + -- -This key is used to capture the Certificate organization only +This key is for Linked ID to be used as an addition to "reference.id" type: keyword -- -*`rsa.crypto.peer`*:: +*`rsa.misc.event_log`*:: + -- -This key is for Encryption peer's IP Address +This key captures the Name of the event log type: keyword -- -*`rsa.crypto.cipher_size_src`*:: +*`rsa.misc.OS`*:: + -- -This key captures Source (Client) Cipher Size +This key captures the Name of the Operating System -type: long +type: keyword -- -*`rsa.crypto.ike`*:: +*`rsa.misc.terminal`*:: + -- -IKE negotiation phase. +This key captures the Terminal Names only type: keyword -- -*`rsa.crypto.scheme`*:: +*`rsa.misc.msgIdPart3`*:: + -- -This key captures the Encryption scheme used - type: keyword -- -*`rsa.crypto.peer_id`*:: +*`rsa.misc.filter`*:: + -- -This key is for Encryption peer’s identity +This key captures Filter used to reduce result set type: keyword -- -*`rsa.crypto.sig_type`*:: +*`rsa.misc.serial_number`*:: + -- -This key captures the Signature Type +This key is the Serial number associated with a physical asset. type: keyword -- -*`rsa.crypto.cert_issuer`*:: +*`rsa.misc.checksum`*:: + -- +This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. + type: keyword -- -*`rsa.crypto.cert_host_name`*:: +*`rsa.misc.event_user`*:: + -- -Deprecated key defined only in table map. +This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. type: keyword -- -*`rsa.crypto.cert_error`*:: +*`rsa.misc.virusname`*:: + -- -This key captures the Certificate Error String +This key captures the name of the virus type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`rsa.misc.content_type`*:: + -- -This key is for Destination (Server) Cipher +This key is used to capture Content Type only. type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: +*`rsa.misc.group_id`*:: + -- -This key captures Destination (Server) Cipher Size +This key captures Group ID Number (related to the group name) -type: long +type: keyword -- -*`rsa.crypto.ssl_ver_src`*:: +*`rsa.misc.policy_id`*:: + -- -Deprecated, use version +This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise type: keyword -- -*`rsa.crypto.d_certauth`*:: +*`rsa.misc.vsys`*:: + -- +This key captures Virtual System Name + type: keyword -- -*`rsa.crypto.s_certauth`*:: +*`rsa.misc.connection_id`*:: + -- +This key captures the Connection ID + type: keyword -- -*`rsa.crypto.ike_cookie1`*:: +*`rsa.misc.reference_id2`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One +This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. type: keyword -- -*`rsa.crypto.ike_cookie2`*:: +*`rsa.misc.sensor`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two +This key captures Name of the sensor. Typically used in IDS/IPS based devices type: keyword -- -*`rsa.crypto.cert_checksum`*:: +*`rsa.misc.sig_id`*:: + -- -type: keyword +This key captures IDS/IPS Int Signature ID + +type: long -- -*`rsa.crypto.cert_host_cat`*:: +*`rsa.misc.port_name`*:: + -- -This key is used for the hostname category value of a certificate +This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). type: keyword -- -*`rsa.crypto.cert_serial`*:: +*`rsa.misc.rule_group`*:: + -- -This key is used to capture the Certificate serial number only +This key captures the Rule group name type: keyword -- -*`rsa.crypto.cert_status`*:: +*`rsa.misc.risk_num`*:: + -- -This key captures Certificate validation status +This key captures a Numeric Risk value + +type: double + +-- + +*`rsa.misc.trigger_val`*:: ++ +-- +This key captures the Value of the trigger or threshold condition. type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`rsa.misc.log_session_id1`*:: + -- -Deprecated, use version +This key is used to capture a Linked (Related) Session ID from the session directly type: keyword -- -*`rsa.crypto.cert_keysize`*:: +*`rsa.misc.comp_version`*:: + -- +This key captures the Version level of a sub-component of a product. + type: keyword -- -*`rsa.crypto.cert_username`*:: +*`rsa.misc.content_version`*:: + -- +This key captures Version level of a signature or database content. + type: keyword -- -*`rsa.crypto.https_insact`*:: +*`rsa.misc.hardware_id`*:: + -- +This key is used to capture unique identifier for a device or system (NOT a Mac address) + type: keyword -- -*`rsa.crypto.https_valid`*:: +*`rsa.misc.risk`*:: + -- +This key captures the non-numeric risk value + type: keyword -- -*`rsa.crypto.cert_ca`*:: +*`rsa.misc.event_id`*:: + -- -This key is used to capture the Certificate signing authority only - type: keyword -- -*`rsa.crypto.cert_common`*:: +*`rsa.misc.reason`*:: + -- -This key is used to capture the Certificate common name only - type: keyword -- - -*`rsa.wireless.wlan_ssid`*:: +*`rsa.misc.status`*:: + -- -This key is used to capture the ssid of a Wireless Session - type: keyword -- -*`rsa.wireless.access_point`*:: +*`rsa.misc.mail_id`*:: + -- -This key is used to capture the access point name. +This key is used to capture the mailbox id/name type: keyword -- -*`rsa.wireless.wlan_channel`*:: +*`rsa.misc.rule_uid`*:: + -- -This is used to capture the channel names +This key is the Unique Identifier for a rule. -type: long +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`rsa.misc.trigger_desc`*:: + -- -This key captures either WLAN number/name +This key captures the Description of the trigger or threshold condition. type: keyword -- - -*`rsa.storage.disk_volume`*:: +*`rsa.misc.inout`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk - type: keyword -- -*`rsa.storage.lun`*:: +*`rsa.misc.p_msgid`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. - type: keyword -- -*`rsa.storage.pwwn`*:: +*`rsa.misc.data_type`*:: + -- -This uniquely identifies a port on a HBA. - type: keyword -- - -*`rsa.physical.org_dst`*:: +*`rsa.misc.msgIdPart4`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. - type: keyword -- -*`rsa.physical.org_src`*:: +*`rsa.misc.error`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. +This key captures All non successful Error codes or responses type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`rsa.misc.index`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.healthcare.patient_id`*:: +*`rsa.misc.listnum`*:: + -- -This key captures the unique ID for a patient +This key is used to capture listname or listnumber, primarily for collecting access-list type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`rsa.misc.ntype`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - type: keyword -- -*`rsa.healthcare.patient_mname`*:: +*`rsa.misc.observed_val`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +This key captures the Value observed (from the perspective of the device generating the log). type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`rsa.misc.policy_value`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +This key captures the contents of the policy. This contains details about the policy type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`rsa.misc.pool_name`*:: + -- -This key captures the path to the registry key +This key captures the name of a resource pool type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`rsa.misc.rule_template`*:: + -- -This key captures values or decorators used within a registry entry +A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template type: keyword -- -[[exported-fields-tomcat]] -== Apache Tomcat fields - -tomcat fields. - - - -*`network.interface.name`*:: +*`rsa.misc.count`*:: + -- -Name of the network interface where the traffic has been observed. - - type: keyword -- - - -*`rsa.internal.msg`*:: +*`rsa.misc.number`*:: + -- -This key is used to capture the raw message that comes into the Log Decoder - type: keyword -- -*`rsa.internal.messageid`*:: +*`rsa.misc.sigcat`*:: + -- type: keyword -- -*`rsa.internal.event_desc`*:: +*`rsa.misc.type`*:: + -- type: keyword -- -*`rsa.internal.message`*:: +*`rsa.misc.comments`*:: + -- -This key captures the contents of instant messages +Comment information provided in the log message type: keyword -- -*`rsa.internal.time`*:: +*`rsa.misc.doc_number`*:: + -- -This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. +This key captures File Identification number -type: date +type: long -- -*`rsa.internal.level`*:: +*`rsa.misc.expected_val`*:: + -- -Deprecated key defined only in table map. +This key captures the Value expected (from the perspective of the device generating the log). -type: long +type: keyword -- -*`rsa.internal.msg_id`*:: +*`rsa.misc.job_num`*:: + -- -This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Job Number type: keyword -- -*`rsa.internal.msg_vid`*:: +*`rsa.misc.spi_dst`*:: + -- -This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +Destination SPI Index type: keyword -- -*`rsa.internal.data`*:: +*`rsa.misc.spi_src`*:: + -- -Deprecated key defined only in table map. +Source SPI Index type: keyword -- -*`rsa.internal.obj_server`*:: +*`rsa.misc.code`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.obj_val`*:: +*`rsa.misc.agent_id`*:: + -- -Deprecated key defined only in table map. +This key is used to capture agent id type: keyword -- -*`rsa.internal.resource`*:: +*`rsa.misc.message_body`*:: + -- -Deprecated key defined only in table map. +This key captures the The contents of the message body. type: keyword -- -*`rsa.internal.obj_id`*:: +*`rsa.misc.phone`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.statement`*:: +*`rsa.misc.sig_id_str`*:: + -- -Deprecated key defined only in table map. +This key captures a string object of the sigid variable. type: keyword -- -*`rsa.internal.audit_class`*:: +*`rsa.misc.cmd`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.entry`*:: +*`rsa.misc.misc`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.hcode`*:: +*`rsa.misc.name`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.inode`*:: +*`rsa.misc.cpu`*:: + -- -Deprecated key defined only in table map. +This key is the CPU time used in the execution of the event being recorded. type: long -- -*`rsa.internal.resource_class`*:: +*`rsa.misc.event_desc`*:: + -- -Deprecated key defined only in table map. +This key is used to capture a description of an event available directly or inferred type: keyword -- -*`rsa.internal.dead`*:: +*`rsa.misc.sig_id1`*:: + -- -Deprecated key defined only in table map. +This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id type: long -- -*`rsa.internal.feed_desc`*:: +*`rsa.misc.im_buddyid`*:: + -- -This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.feed_name`*:: +*`rsa.misc.im_client`*:: + -- -This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.cid`*:: +*`rsa.misc.im_userid`*:: + -- -This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_class`*:: +*`rsa.misc.pid`*:: + -- -This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_group`*:: +*`rsa.misc.priority`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.device_host`*:: +*`rsa.misc.context_subject`*:: + -- -This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is to be used in an audit context where the subject is the object being identified type: keyword -- -*`rsa.internal.device_ip`*:: +*`rsa.misc.context_target`*:: + -- -This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: ip +type: keyword -- -*`rsa.internal.device_ipv6`*:: +*`rsa.misc.cve`*:: + -- -This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. -type: ip +type: keyword -- -*`rsa.internal.device_type`*:: +*`rsa.misc.fcatnum`*:: + -- -This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Filter Category Number. Legacy Usage type: keyword -- -*`rsa.internal.device_type_id`*:: +*`rsa.misc.library`*:: + -- -Deprecated key defined only in table map. +This key is used to capture library information in mainframe devices -type: long +type: keyword -- -*`rsa.internal.did`*:: +*`rsa.misc.parent_node`*:: + -- -This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Parent Node Name. Must be related to node variable. type: keyword -- -*`rsa.internal.entropy_req`*:: +*`rsa.misc.risk_info`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -type: long +type: keyword -- -*`rsa.internal.entropy_res`*:: +*`rsa.misc.tcp_flags`*:: + -- -This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration +This key is captures the TCP flags set in any packet of session type: long -- -*`rsa.internal.event_name`*:: +*`rsa.misc.tos`*:: + -- -Deprecated key defined only in table map. +This key describes the type of service -type: keyword +type: long -- -*`rsa.internal.feed_category`*:: +*`rsa.misc.vm_target`*:: + -- -This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +VMWare Target **VMWARE** only varaible. type: keyword -- -*`rsa.internal.forward_ip`*:: -+ --- -This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. - -type: ip - --- - -*`rsa.internal.forward_ipv6`*:: +*`rsa.misc.workspace`*:: + -- -This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Workspace Description -type: ip +type: keyword -- -*`rsa.internal.header_id`*:: +*`rsa.misc.command`*:: + -- -This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_cid`*:: +*`rsa.misc.event_category`*:: + -- -This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.lc_ctime`*:: +*`rsa.misc.facilityname`*:: + -- -This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: date +type: keyword -- -*`rsa.internal.mcb_req`*:: +*`rsa.misc.forensic_info`*:: + -- -This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcb_res`*:: +*`rsa.misc.jobname`*:: + -- -This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most - -type: long +type: keyword -- -*`rsa.internal.mcbc_req`*:: +*`rsa.misc.mode`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.mcbc_res`*:: +*`rsa.misc.policy`*:: + -- -This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams - -type: long +type: keyword -- -*`rsa.internal.medium`*:: +*`rsa.misc.policy_waiver`*:: + -- -This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session - -type: long +type: keyword -- -*`rsa.internal.node_name`*:: +*`rsa.misc.second`*:: + -- -Deprecated key defined only in table map. - type: keyword -- -*`rsa.internal.nwe_callback_id`*:: +*`rsa.misc.space1`*:: + -- -This key denotes that event is endpoint related - type: keyword -- -*`rsa.internal.parse_error`*:: +*`rsa.misc.subcategory`*:: + -- -This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - type: keyword -- -*`rsa.internal.payload_req`*:: +*`rsa.misc.tbdstr2`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep - -type: long +type: keyword -- -*`rsa.internal.payload_res`*:: +*`rsa.misc.alert_id`*:: + -- -This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep +Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -type: long +type: keyword -- -*`rsa.internal.process_vid_dst`*:: +*`rsa.misc.checksum_dst`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. +This key is used to capture the checksum or hash of the the target entity such as a process or file. type: keyword -- -*`rsa.internal.process_vid_src`*:: +*`rsa.misc.checksum_src`*:: + -- -Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. +This key is used to capture the checksum or hash of the source entity such as a file or process. type: keyword -- -*`rsa.internal.rid`*:: +*`rsa.misc.fresult`*:: + -- -This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the Filter Result type: long -- -*`rsa.internal.session_split`*:: +*`rsa.misc.payload_dst`*:: + -- -This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key is used to capture destination payload type: keyword -- -*`rsa.internal.site`*:: +*`rsa.misc.payload_src`*:: + -- -Deprecated key defined only in table map. +This key is used to capture source payload type: keyword -- -*`rsa.internal.size`*:: -+ --- -This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - -type: long - --- - -*`rsa.internal.sourcefile`*:: +*`rsa.misc.pool_id`*:: + -- -This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures the identifier (typically numeric field) of a resource pool type: keyword -- -*`rsa.internal.ubc_req`*:: +*`rsa.misc.process_id_val`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +This key is a failure key for Process ID when it is not an integer value -type: long +type: keyword -- -*`rsa.internal.ubc_res`*:: +*`rsa.misc.risk_num_comm`*:: + -- -This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once +This key captures Risk Number Community -type: long +type: double -- -*`rsa.internal.word`*:: +*`rsa.misc.risk_num_next`*:: + -- -This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log +This key captures Risk Number NextGen -type: keyword +type: double -- - -*`rsa.time.event_time`*:: +*`rsa.misc.risk_num_sand`*:: + -- -This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form +This key captures Risk Number SandBox -type: date +type: double -- -*`rsa.time.duration_time`*:: +*`rsa.misc.risk_num_static`*:: + -- -This key is used to capture the normalized duration/lifetime in seconds. +This key captures Risk Number Static type: double -- -*`rsa.time.event_time_str`*:: +*`rsa.misc.risk_suspicious`*:: + -- -This key is used to capture the incomplete time mentioned in a session as a string +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) type: keyword -- -*`rsa.time.starttime`*:: +*`rsa.misc.risk_warning`*:: + -- -This key is used to capture the Start time mentioned in a session in a standard form +Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) -type: date +type: keyword -- -*`rsa.time.month`*:: +*`rsa.misc.snmp_oid`*:: + -- +SNMP Object Identifier + type: keyword -- -*`rsa.time.day`*:: +*`rsa.misc.sql`*:: + -- +This key captures the SQL query + type: keyword -- -*`rsa.time.endtime`*:: +*`rsa.misc.vuln_ref`*:: + -- -This key is used to capture the End time mentioned in a session in a standard form +This key captures the Vulnerability Reference details -type: date +type: keyword -- -*`rsa.time.timezone`*:: +*`rsa.misc.acl_id`*:: + -- -This key is used to capture the timezone of the Event Time - type: keyword -- -*`rsa.time.duration_str`*:: +*`rsa.misc.acl_op`*:: + -- -A text string version of the duration - type: keyword -- -*`rsa.time.date`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`rsa.time.year`*:: +*`rsa.misc.acl_table`*:: + -- type: keyword -- -*`rsa.time.recorded_time`*:: +*`rsa.misc.admin`*:: + -- -The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. - -type: date +type: keyword -- -*`rsa.time.datetime`*:: +*`rsa.misc.alarm_id`*:: + -- type: keyword -- -*`rsa.time.effective_time`*:: +*`rsa.misc.alarmname`*:: + -- -This key is the effective time referenced by an individual event in a Standard Timestamp format - -type: date +type: keyword -- -*`rsa.time.expire_time`*:: +*`rsa.misc.app_id`*:: + -- -This key is the timestamp that explicitly refers to an expiration. - -type: date +type: keyword -- -*`rsa.time.process_time`*:: +*`rsa.misc.audit`*:: + -- -Deprecated, use duration.time - type: keyword -- -*`rsa.time.hour`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`rsa.time.min`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`rsa.time.timestamp`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`rsa.time.event_queue_time`*:: +*`rsa.misc.bypass`*:: + -- -This key is the Time that the event was queued. - -type: date +type: keyword -- -*`rsa.time.p_time1`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`rsa.time.tzone`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- -*`rsa.time.eventtime`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- -*`rsa.time.gmtdate`*:: +*`rsa.misc.cfg_attr`*:: + -- type: keyword -- -*`rsa.time.gmttime`*:: +*`rsa.misc.cfg_obj`*:: + -- type: keyword -- -*`rsa.time.p_date`*:: +*`rsa.misc.cfg_path`*:: + -- type: keyword -- -*`rsa.time.p_month`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- -*`rsa.time.p_time`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -*`rsa.time.p_time2`*:: +*`rsa.misc.clustermembers`*:: + -- type: keyword -- -*`rsa.time.p_year`*:: +*`rsa.misc.cn_acttimeout`*:: + -- type: keyword -- -*`rsa.time.expire_time_str`*:: +*`rsa.misc.cn_asn_src`*:: + -- -This key is used to capture incomplete timestamp that explicitly refers to an expiration. - type: keyword -- -*`rsa.time.stamp`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- -Deprecated key defined only in table map. - -type: date +type: keyword -- - -*`rsa.misc.action`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- type: keyword -- -*`rsa.misc.result`*:: +*`rsa.misc.cn_dst_tos`*:: + -- -This key is used to capture the outcome/result string value of an action in a session. - type: keyword -- -*`rsa.misc.severity`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- -This key is used to capture the severity given the session - type: keyword -- -*`rsa.misc.event_type`*:: +*`rsa.misc.cn_engine_id`*:: + -- -This key captures the event category type as specified by the event source. - type: keyword -- -*`rsa.misc.reference_id`*:: +*`rsa.misc.cn_engine_type`*:: + -- -This key is used to capture an event id from the session directly - type: keyword -- -*`rsa.misc.version`*:: +*`rsa.misc.cn_f_switch`*:: + -- -This key captures Version of the application or OS which is generating the event. - type: keyword -- -*`rsa.misc.disposition`*:: +*`rsa.misc.cn_flowsampid`*:: + -- -This key captures the The end state of an action. - type: keyword -- -*`rsa.misc.result_code`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- -This key is used to capture the outcome/result numeric value of an action in a session - type: keyword -- -*`rsa.misc.category`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- -This key is used to capture the category of an event given by the vendor in the session - type: keyword -- -*`rsa.misc.obj_name`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- -This is used to capture name of object - type: keyword -- -*`rsa.misc.obj_type`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- -This is used to capture type of object - type: keyword -- -*`rsa.misc.event_source`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- -This key captures Source of the event that’s not a hostname - type: keyword -- -*`rsa.misc.log_session_id`*:: +*`rsa.misc.cn_invalid`*:: + -- -This key is used to capture a sessionid from the session directly - type: keyword -- -*`rsa.misc.group`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- -This key captures the Group Name value - type: keyword -- -*`rsa.misc.policy_name`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- -This key is used to capture the Policy Name only. - type: keyword -- -*`rsa.misc.rule_name`*:: +*`rsa.misc.cn_l_switch`*:: + -- -This key captures the Rule Name - type: keyword -- -*`rsa.misc.context`*:: +*`rsa.misc.cn_log_did`*:: + -- -This key captures Information which adds additional context to the event. - type: keyword -- -*`rsa.misc.change_new`*:: +*`rsa.misc.cn_log_rid`*:: + -- -This key is used to capture the new values of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.space`*:: +*`rsa.misc.cn_max_ttl`*:: + -- type: keyword -- -*`rsa.misc.client`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- -This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. - type: keyword -- -*`rsa.misc.msgIdPart1`*:: +*`rsa.misc.cn_min_ttl`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart2`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- type: keyword -- -*`rsa.misc.change_old`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- -This key is used to capture the old value of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.operation_id`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- -An alert number or operation number. The values should be unique and non-repeating. - type: keyword -- -*`rsa.misc.event_state`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- -This key captures the current state of the object/item referenced within the event. Describing an on-going event. - type: keyword -- -*`rsa.misc.group_object`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- -This key captures a collection/grouping of entities. Specific usage - type: keyword -- -*`rsa.misc.node`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- -Common use case is the node name within a cluster. The cluster name is reflected by the host name. - type: keyword -- -*`rsa.misc.rule`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- -This key captures the Rule number - type: keyword -- -*`rsa.misc.device_name`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- -This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc - type: keyword -- -*`rsa.misc.param`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- -This key is the parameters passed as part of a command or application, etc. - type: keyword -- -*`rsa.misc.change_attrib`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- -This key is used to capture the name of the attribute that’s changing in a session - type: keyword -- -*`rsa.misc.event_computer`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- -This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. - type: keyword -- -*`rsa.misc.reference_id1`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- -This key is for Linked ID to be used as an addition to "reference.id" - type: keyword -- -*`rsa.misc.event_log`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- -This key captures the Name of the event log - type: keyword -- -*`rsa.misc.OS`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- -This key captures the Name of the Operating System - type: keyword -- -*`rsa.misc.terminal`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- -This key captures the Terminal Names only - type: keyword -- -*`rsa.misc.msgIdPart3`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`rsa.misc.filter`*:: +*`rsa.misc.cn_sampalgo`*:: + -- -This key captures Filter used to reduce result set - type: keyword -- -*`rsa.misc.serial_number`*:: +*`rsa.misc.cn_sampint`*:: + -- -This key is the Serial number associated with a physical asset. - type: keyword -- -*`rsa.misc.checksum`*:: +*`rsa.misc.cn_seqctr`*:: + -- -This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. - type: keyword -- -*`rsa.misc.event_user`*:: +*`rsa.misc.cn_spackets`*:: + -- -This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. - type: keyword -- -*`rsa.misc.virusname`*:: +*`rsa.misc.cn_src_tos`*:: + -- -This key captures the name of the virus - type: keyword -- -*`rsa.misc.content_type`*:: +*`rsa.misc.cn_src_vlan`*:: + -- -This key is used to capture Content Type only. - type: keyword -- -*`rsa.misc.group_id`*:: +*`rsa.misc.cn_sysuptime`*:: + -- -This key captures Group ID Number (related to the group name) - type: keyword -- -*`rsa.misc.policy_id`*:: +*`rsa.misc.cn_template_id`*:: + -- -This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise - type: keyword -- -*`rsa.misc.vsys`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- -This key captures Virtual System Name - type: keyword -- -*`rsa.misc.connection_id`*:: +*`rsa.misc.cn_totflowexp`*:: + -- -This key captures the Connection ID - type: keyword -- -*`rsa.misc.reference_id2`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- -This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. - type: keyword -- -*`rsa.misc.sensor`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- -This key captures Name of the sensor. Typically used in IDS/IPS based devices - type: keyword -- -*`rsa.misc.sig_id`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- -This key captures IDS/IPS Int Signature ID - -type: long +type: keyword -- -*`rsa.misc.port_name`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- -This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). - type: keyword -- -*`rsa.misc.rule_group`*:: +*`rsa.misc.comp_class`*:: + -- -This key captures the Rule group name - type: keyword -- -*`rsa.misc.risk_num`*:: +*`rsa.misc.comp_name`*:: + -- -This key captures a Numeric Risk value - -type: double +type: keyword -- -*`rsa.misc.trigger_val`*:: +*`rsa.misc.comp_rbytes`*:: + -- -This key captures the Value of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.log_session_id1`*:: +*`rsa.misc.comp_sbytes`*:: + -- -This key is used to capture a Linked (Related) Session ID from the session directly - type: keyword -- -*`rsa.misc.comp_version`*:: +*`rsa.misc.cpu_data`*:: + -- -This key captures the Version level of a sub-component of a product. - type: keyword -- -*`rsa.misc.content_version`*:: +*`rsa.misc.criticality`*:: + -- -This key captures Version level of a signature or database content. - type: keyword -- -*`rsa.misc.hardware_id`*:: +*`rsa.misc.cs_agency_dst`*:: + -- -This key is used to capture unique identifier for a device or system (NOT a Mac address) - type: keyword -- -*`rsa.misc.risk`*:: +*`rsa.misc.cs_analyzedby`*:: + -- -This key captures the non-numeric risk value - type: keyword -- -*`rsa.misc.event_id`*:: +*`rsa.misc.cs_av_other`*:: + -- type: keyword -- -*`rsa.misc.reason`*:: +*`rsa.misc.cs_av_primary`*:: + -- type: keyword -- -*`rsa.misc.status`*:: +*`rsa.misc.cs_av_secondary`*:: + -- type: keyword -- -*`rsa.misc.mail_id`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- -This key is used to capture the mailbox id/name - type: keyword -- -*`rsa.misc.rule_uid`*:: +*`rsa.misc.cs_bit9status`*:: + -- -This key is the Unique Identifier for a rule. - type: keyword -- -*`rsa.misc.trigger_desc`*:: +*`rsa.misc.cs_context`*:: + -- -This key captures the Description of the trigger or threshold condition. - type: keyword -- -*`rsa.misc.inout`*:: +*`rsa.misc.cs_control`*:: + -- type: keyword -- -*`rsa.misc.p_msgid`*:: +*`rsa.misc.cs_data`*:: + -- type: keyword -- -*`rsa.misc.data_type`*:: +*`rsa.misc.cs_datecret`*:: + -- type: keyword -- -*`rsa.misc.msgIdPart4`*:: +*`rsa.misc.cs_dst_tld`*:: + -- type: keyword -- -*`rsa.misc.error`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- -This key captures All non successful Error codes or responses - type: keyword -- -*`rsa.misc.index`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- type: keyword -- -*`rsa.misc.listnum`*:: +*`rsa.misc.cs_event_uuid`*:: + -- -This key is used to capture listname or listnumber, primarily for collecting access-list - type: keyword -- -*`rsa.misc.ntype`*:: +*`rsa.misc.cs_filetype`*:: + -- type: keyword -- -*`rsa.misc.observed_val`*:: +*`rsa.misc.cs_fld`*:: + -- -This key captures the Value observed (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.policy_value`*:: +*`rsa.misc.cs_if_desc`*:: + -- -This key captures the contents of the policy. This contains details about the policy - type: keyword -- -*`rsa.misc.pool_name`*:: +*`rsa.misc.cs_if_name`*:: + -- -This key captures the name of a resource pool - type: keyword -- -*`rsa.misc.rule_template`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- -A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template - type: keyword -- -*`rsa.misc.count`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- type: keyword -- -*`rsa.misc.number`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- type: keyword -- -*`rsa.misc.sigcat`*:: +*`rsa.misc.cs_lifetime`*:: + -- type: keyword -- -*`rsa.misc.type`*:: +*`rsa.misc.cs_log_medium`*:: + -- type: keyword -- -*`rsa.misc.comments`*:: +*`rsa.misc.cs_loginname`*:: + -- -Comment information provided in the log message - type: keyword -- -*`rsa.misc.doc_number`*:: +*`rsa.misc.cs_modulescore`*:: + -- -This key captures File Identification number - -type: long +type: keyword -- -*`rsa.misc.expected_val`*:: +*`rsa.misc.cs_modulesign`*:: + -- -This key captures the Value expected (from the perspective of the device generating the log). - type: keyword -- -*`rsa.misc.job_num`*:: +*`rsa.misc.cs_opswatresult`*:: + -- -This key captures the Job Number - type: keyword -- -*`rsa.misc.spi_dst`*:: +*`rsa.misc.cs_payload`*:: + -- -Destination SPI Index - type: keyword -- -*`rsa.misc.spi_src`*:: +*`rsa.misc.cs_registrant`*:: + -- -Source SPI Index - type: keyword -- -*`rsa.misc.code`*:: +*`rsa.misc.cs_registrar`*:: + -- type: keyword -- -*`rsa.misc.agent_id`*:: +*`rsa.misc.cs_represult`*:: + -- -This key is used to capture agent id - type: keyword -- -*`rsa.misc.message_body`*:: +*`rsa.misc.cs_rpayload`*:: + -- -This key captures the The contents of the message body. - type: keyword -- -*`rsa.misc.phone`*:: +*`rsa.misc.cs_sampler_name`*:: + -- type: keyword -- -*`rsa.misc.sig_id_str`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- -This key captures a string object of the sigid variable. - type: keyword -- -*`rsa.misc.cmd`*:: +*`rsa.misc.cs_streams`*:: + -- type: keyword -- -*`rsa.misc.misc`*:: +*`rsa.misc.cs_targetmodule`*:: + -- type: keyword -- -*`rsa.misc.name`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- type: keyword -- -*`rsa.misc.cpu`*:: +*`rsa.misc.cs_whois_server`*:: + -- -This key is the CPU time used in the execution of the event being recorded. - -type: long +type: keyword -- -*`rsa.misc.event_desc`*:: +*`rsa.misc.cs_yararesult`*:: + -- -This key is used to capture a description of an event available directly or inferred - type: keyword -- -*`rsa.misc.sig_id1`*:: +*`rsa.misc.description`*:: + -- -This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id - -type: long +type: keyword -- -*`rsa.misc.im_buddyid`*:: +*`rsa.misc.devvendor`*:: + -- type: keyword -- -*`rsa.misc.im_client`*:: +*`rsa.misc.distance`*:: + -- type: keyword -- -*`rsa.misc.im_userid`*:: +*`rsa.misc.dstburb`*:: + -- type: keyword -- -*`rsa.misc.pid`*:: +*`rsa.misc.edomain`*:: + -- type: keyword -- -*`rsa.misc.priority`*:: +*`rsa.misc.edomaub`*:: + -- type: keyword -- -*`rsa.misc.context_subject`*:: +*`rsa.misc.euid`*:: + -- -This key is to be used in an audit context where the subject is the object being identified - type: keyword -- -*`rsa.misc.context_target`*:: +*`rsa.misc.facility`*:: + -- type: keyword -- -*`rsa.misc.cve`*:: +*`rsa.misc.finterface`*:: + -- -This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. - type: keyword -- -*`rsa.misc.fcatnum`*:: +*`rsa.misc.flags`*:: + -- -This key captures Filter Category Number. Legacy Usage - type: keyword -- -*`rsa.misc.library`*:: +*`rsa.misc.gaddr`*:: + -- -This key is used to capture library information in mainframe devices - type: keyword -- -*`rsa.misc.parent_node`*:: +*`rsa.misc.id3`*:: + -- -This key captures the Parent Node Name. Must be related to node variable. - type: keyword -- -*`rsa.misc.risk_info`*:: +*`rsa.misc.im_buddyname`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.tcp_flags`*:: +*`rsa.misc.im_croomid`*:: + -- -This key is captures the TCP flags set in any packet of session - -type: long +type: keyword -- -*`rsa.misc.tos`*:: +*`rsa.misc.im_croomtype`*:: + -- -This key describes the type of service - -type: long +type: keyword -- -*`rsa.misc.vm_target`*:: +*`rsa.misc.im_members`*:: + -- -VMWare Target **VMWARE** only varaible. - type: keyword -- -*`rsa.misc.workspace`*:: +*`rsa.misc.im_username`*:: + -- -This key captures Workspace Description - type: keyword -- -*`rsa.misc.command`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`rsa.misc.event_category`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`rsa.misc.facilityname`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`rsa.misc.forensic_info`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`rsa.misc.jobname`*:: +*`rsa.misc.linenum`*:: + -- type: keyword -- -*`rsa.misc.mode`*:: +*`rsa.misc.list_name`*:: + -- type: keyword -- -*`rsa.misc.policy`*:: +*`rsa.misc.load_data`*:: + -- type: keyword -- -*`rsa.misc.policy_waiver`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`rsa.misc.second`*:: +*`rsa.misc.location_mark`*:: + -- type: keyword -- -*`rsa.misc.space1`*:: +*`rsa.misc.log_id`*:: + -- type: keyword -- -*`rsa.misc.subcategory`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`rsa.misc.tbdstr2`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`rsa.misc.alert_id`*:: +*`rsa.misc.logip`*:: + -- -Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.checksum_dst`*:: +*`rsa.misc.logname`*:: + -- -This key is used to capture the checksum or hash of the the target entity such as a process or file. - type: keyword -- -*`rsa.misc.checksum_src`*:: +*`rsa.misc.longitude`*:: + -- -This key is used to capture the checksum or hash of the source entity such as a file or process. - type: keyword -- -*`rsa.misc.fresult`*:: +*`rsa.misc.lport`*:: + -- -This key captures the Filter Result - -type: long +type: keyword -- -*`rsa.misc.payload_dst`*:: +*`rsa.misc.mbug_data`*:: + -- -This key is used to capture destination payload - type: keyword -- -*`rsa.misc.payload_src`*:: +*`rsa.misc.misc_name`*:: + -- -This key is used to capture source payload - type: keyword -- -*`rsa.misc.pool_id`*:: +*`rsa.misc.msg_type`*:: + -- -This key captures the identifier (typically numeric field) of a resource pool - type: keyword -- -*`rsa.misc.process_id_val`*:: +*`rsa.misc.msgid`*:: + -- -This key is a failure key for Process ID when it is not an integer value - type: keyword -- -*`rsa.misc.risk_num_comm`*:: +*`rsa.misc.netsessid`*:: + -- -This key captures Risk Number Community - -type: double +type: keyword -- -*`rsa.misc.risk_num_next`*:: +*`rsa.misc.num`*:: + -- -This key captures Risk Number NextGen - -type: double +type: keyword -- -*`rsa.misc.risk_num_sand`*:: +*`rsa.misc.number1`*:: + -- -This key captures Risk Number SandBox - -type: double +type: keyword -- -*`rsa.misc.risk_num_static`*:: +*`rsa.misc.number2`*:: + -- -This key captures Risk Number Static - -type: double +type: keyword -- -*`rsa.misc.risk_suspicious`*:: +*`rsa.misc.nwwn`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.risk_warning`*:: +*`rsa.misc.object`*:: + -- -Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - type: keyword -- -*`rsa.misc.snmp_oid`*:: +*`rsa.misc.operation`*:: + -- -SNMP Object Identifier - type: keyword -- -*`rsa.misc.sql`*:: +*`rsa.misc.opkt`*:: + -- -This key captures the SQL query - type: keyword -- -*`rsa.misc.vuln_ref`*:: +*`rsa.misc.orig_from`*:: + --- -This key captures the Vulnerability Reference details - +-- type: keyword -- -*`rsa.misc.acl_id`*:: +*`rsa.misc.owner_id`*:: + -- type: keyword -- -*`rsa.misc.acl_op`*:: +*`rsa.misc.p_action`*:: + -- type: keyword -- -*`rsa.misc.acl_pos`*:: +*`rsa.misc.p_filter`*:: + -- type: keyword -- -*`rsa.misc.acl_table`*:: +*`rsa.misc.p_group_object`*:: + -- type: keyword -- -*`rsa.misc.admin`*:: +*`rsa.misc.p_id`*:: + -- type: keyword -- -*`rsa.misc.alarm_id`*:: +*`rsa.misc.p_msgid1`*:: + -- type: keyword -- -*`rsa.misc.alarmname`*:: +*`rsa.misc.p_msgid2`*:: + -- type: keyword -- -*`rsa.misc.app_id`*:: +*`rsa.misc.p_result1`*:: + -- type: keyword -- -*`rsa.misc.audit`*:: +*`rsa.misc.password_chg`*:: + -- type: keyword -- -*`rsa.misc.audit_object`*:: +*`rsa.misc.password_expire`*:: + -- type: keyword -- -*`rsa.misc.auditdata`*:: +*`rsa.misc.permgranted`*:: + -- type: keyword -- -*`rsa.misc.benchmark`*:: +*`rsa.misc.permwanted`*:: + -- type: keyword -- -*`rsa.misc.bypass`*:: +*`rsa.misc.pgid`*:: + -- type: keyword -- -*`rsa.misc.cache`*:: +*`rsa.misc.policyUUID`*:: + -- type: keyword -- -*`rsa.misc.cache_hit`*:: +*`rsa.misc.prog_asp_num`*:: + -- type: keyword -- -*`rsa.misc.cefversion`*:: +*`rsa.misc.program`*:: + -- type: keyword -- -*`rsa.misc.cfg_attr`*:: +*`rsa.misc.real_data`*:: + -- type: keyword -- -*`rsa.misc.cfg_obj`*:: +*`rsa.misc.rec_asp_device`*:: + -- type: keyword -- -*`rsa.misc.cfg_path`*:: +*`rsa.misc.rec_asp_num`*:: + -- type: keyword -- -*`rsa.misc.changes`*:: +*`rsa.misc.rec_library`*:: + -- type: keyword -- -*`rsa.misc.client_ip`*:: +*`rsa.misc.recordnum`*:: + -- type: keyword -- -*`rsa.misc.clustermembers`*:: +*`rsa.misc.ruid`*:: + -- type: keyword -- -*`rsa.misc.cn_acttimeout`*:: +*`rsa.misc.sburb`*:: + -- type: keyword -- -*`rsa.misc.cn_asn_src`*:: +*`rsa.misc.sdomain_fld`*:: + -- type: keyword -- -*`rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.sec`*:: + -- type: keyword -- -*`rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.sensorname`*:: + -- type: keyword -- -*`rsa.misc.cn_dst_tos`*:: +*`rsa.misc.seqnum`*:: + -- type: keyword -- -*`rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.session`*:: + -- type: keyword -- -*`rsa.misc.cn_engine_id`*:: +*`rsa.misc.sessiontype`*:: + -- type: keyword -- -*`rsa.misc.cn_engine_type`*:: +*`rsa.misc.sigUUID`*:: + -- type: keyword -- -*`rsa.misc.cn_f_switch`*:: +*`rsa.misc.spi`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampid`*:: +*`rsa.misc.srcburb`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.srcdom`*:: + -- type: keyword -- -*`rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.srcservice`*:: + -- type: keyword -- -*`rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.state`*:: + -- type: keyword -- -*`rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.status1`*:: + -- type: keyword -- -*`rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.svcno`*:: + -- type: keyword -- -*`rsa.misc.cn_invalid`*:: +*`rsa.misc.system`*:: + -- type: keyword -- -*`rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.tbdstr1`*:: + -- type: keyword -- -*`rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.tgtdom`*:: + -- type: keyword -- -*`rsa.misc.cn_l_switch`*:: +*`rsa.misc.tgtdomain`*:: + -- type: keyword -- -*`rsa.misc.cn_log_did`*:: +*`rsa.misc.threshold`*:: + -- type: keyword -- -*`rsa.misc.cn_log_rid`*:: +*`rsa.misc.type1`*:: + -- type: keyword -- -*`rsa.misc.cn_max_ttl`*:: +*`rsa.misc.udb_class`*:: + -- type: keyword -- -*`rsa.misc.cn_maxpcktlen`*:: +*`rsa.misc.url_fld`*:: + -- type: keyword -- -*`rsa.misc.cn_min_ttl`*:: +*`rsa.misc.user_div`*:: + -- type: keyword -- -*`rsa.misc.cn_minpcktlen`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.misc.utcstamp`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.misc.v_instafname`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.misc.virt_data`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.misc.autorun_type`*:: + -- +This is used to capture Auto Run type + type: keyword -- -*`rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.misc.cc_number`*:: + -- -type: keyword +Valid Credit Card Numbers only + +type: long -- -*`rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.misc.content`*:: + -- +This key captures the content type from protocol headers + type: keyword -- -*`rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.misc.ein_number`*:: + -- -type: keyword +Employee Identification Numbers only + +type: long -- -*`rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.misc.found`*:: + -- +This is used to capture the results of regex match + type: keyword -- -*`rsa.misc.cn_mplstoplabel`*:: +*`rsa.misc.language`*:: + -- +This is used to capture list of languages the client support and what it prefers + type: keyword -- -*`rsa.misc.cn_mplstoplabip`*:: +*`rsa.misc.lifetime`*:: + -- -type: keyword +This key is used to capture the session lifetime in seconds. + +type: long -- -*`rsa.misc.cn_mul_dst_byt`*:: +*`rsa.misc.link`*:: + -- +This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + type: keyword -- -*`rsa.misc.cn_mul_dst_pks`*:: +*`rsa.misc.match`*:: + -- +This key is for regex match name from search.ini + type: keyword -- -*`rsa.misc.cn_muligmptype`*:: +*`rsa.misc.param_dst`*:: + -- +This key captures the command line/launch argument of the target process or file + type: keyword -- -*`rsa.misc.cn_sampalgo`*:: +*`rsa.misc.param_src`*:: + -- +This key captures source parameter + type: keyword -- -*`rsa.misc.cn_sampint`*:: +*`rsa.misc.search_text`*:: + -- +This key captures the Search Text used + type: keyword -- -*`rsa.misc.cn_seqctr`*:: +*`rsa.misc.sig_name`*:: + -- +This key is used to capture the Signature Name only. + type: keyword -- -*`rsa.misc.cn_spackets`*:: +*`rsa.misc.snmp_value`*:: + -- +SNMP set request value + type: keyword -- -*`rsa.misc.cn_src_tos`*:: +*`rsa.misc.streams`*:: + -- -type: keyword +This key captures number of streams in session + +type: long -- -*`rsa.misc.cn_src_vlan`*:: + +*`rsa.db.index`*:: + -- +This key captures IndexID of the index. + type: keyword -- -*`rsa.misc.cn_sysuptime`*:: +*`rsa.db.instance`*:: + -- +This key is used to capture the database server instance name + type: keyword -- -*`rsa.misc.cn_template_id`*:: +*`rsa.db.database`*:: + -- +This key is used to capture the name of a database or an instance as seen in a session + type: keyword -- -*`rsa.misc.cn_totbytsexp`*:: +*`rsa.db.transact_id`*:: + -- +This key captures the SQL transantion ID of the current session + type: keyword -- -*`rsa.misc.cn_totflowexp`*:: +*`rsa.db.permissions`*:: + -- +This key captures permission or privilege level assigned to a resource. + type: keyword -- -*`rsa.misc.cn_totpcktsexp`*:: +*`rsa.db.table_name`*:: + -- +This key is used to capture the table name + type: keyword -- -*`rsa.misc.cn_unixnanosecs`*:: +*`rsa.db.db_id`*:: + -- +This key is used to capture the unique identifier for a database + type: keyword -- -*`rsa.misc.cn_v6flowlabel`*:: +*`rsa.db.db_pid`*:: + -- -type: keyword +This key captures the process id of a connection with database server + +type: long -- -*`rsa.misc.cn_v6optheaders`*:: +*`rsa.db.lread`*:: + -- -type: keyword +This key is used for the number of logical reads + +type: long -- -*`rsa.misc.comp_class`*:: +*`rsa.db.lwrite`*:: + -- -type: keyword +This key is used for the number of logical writes + +type: long -- -*`rsa.misc.comp_name`*:: +*`rsa.db.pread`*:: + -- -type: keyword +This key is used for the number of physical writes + +type: long -- -*`rsa.misc.comp_rbytes`*:: + +*`rsa.network.alias_host`*:: + -- +This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + type: keyword -- -*`rsa.misc.comp_sbytes`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`rsa.misc.cpu_data`*:: +*`rsa.network.host_dst`*:: + -- +This key should only be used when it’s a Destination Hostname + type: keyword -- -*`rsa.misc.criticality`*:: +*`rsa.network.network_service`*:: + -- +This is used to capture layer 7 protocols/service names + type: keyword -- -*`rsa.misc.cs_agency_dst`*:: +*`rsa.network.interface`*:: + -- +This key should be used when the source or destination context of an interface is not clear + type: keyword -- -*`rsa.misc.cs_analyzedby`*:: +*`rsa.network.network_port`*:: + -- -type: keyword +Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) + +type: long -- -*`rsa.misc.cs_av_other`*:: +*`rsa.network.eth_host`*:: + -- +Deprecated, use alias.mac + type: keyword -- -*`rsa.misc.cs_av_primary`*:: +*`rsa.network.sinterface`*:: + -- +This key should only be used when it’s a Source Interface + type: keyword -- -*`rsa.misc.cs_av_secondary`*:: +*`rsa.network.dinterface`*:: + -- +This key should only be used when it’s a Destination Interface + type: keyword -- -*`rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.network.vlan`*:: + -- -type: keyword +This key should only be used to capture the ID of the Virtual LAN + +type: long -- -*`rsa.misc.cs_bit9status`*:: +*`rsa.network.zone_src`*:: + -- +This key should only be used when it’s a Source Zone. + type: keyword -- -*`rsa.misc.cs_context`*:: +*`rsa.network.zone`*:: + -- +This key should be used when the source or destination context of a Zone is not clear + type: keyword -- -*`rsa.misc.cs_control`*:: +*`rsa.network.zone_dst`*:: + -- +This key should only be used when it’s a Destination Zone. + type: keyword -- -*`rsa.misc.cs_data`*:: +*`rsa.network.gateway`*:: + -- +This key is used to capture the IP Address of the gateway + type: keyword -- -*`rsa.misc.cs_datecret`*:: +*`rsa.network.icmp_type`*:: + -- -type: keyword +This key is used to capture the ICMP type only + +type: long -- -*`rsa.misc.cs_dst_tld`*:: +*`rsa.network.mask`*:: + -- +This key is used to capture the device network IPmask. + type: keyword -- -*`rsa.misc.cs_eth_dst_ven`*:: +*`rsa.network.icmp_code`*:: + -- -type: keyword +This key is used to capture the ICMP code only + +type: long -- -*`rsa.misc.cs_eth_src_ven`*:: +*`rsa.network.protocol_detail`*:: + -- +This key should be used to capture additional protocol information + type: keyword -- -*`rsa.misc.cs_event_uuid`*:: +*`rsa.network.dmask`*:: + -- +This key is used for Destionation Device network mask + type: keyword -- -*`rsa.misc.cs_filetype`*:: +*`rsa.network.port`*:: + -- -type: keyword +This key should only be used to capture a Network Port when the directionality is not clear + +type: long -- -*`rsa.misc.cs_fld`*:: +*`rsa.network.smask`*:: + -- +This key is used for capturing source Network Mask + type: keyword -- -*`rsa.misc.cs_if_desc`*:: +*`rsa.network.netname`*:: + -- +This key is used to capture the network name associated with an IP range. This is configured by the end user. + type: keyword -- -*`rsa.misc.cs_if_name`*:: +*`rsa.network.paddr`*:: + -- -type: keyword +Deprecated + +type: ip -- -*`rsa.misc.cs_ip_next_hop`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`rsa.misc.cs_ipv4dstpre`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`rsa.misc.cs_ipv4srcpre`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`rsa.misc.cs_lifetime`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`rsa.misc.cs_log_medium`*:: +*`rsa.network.addr`*:: + -- type: keyword -- -*`rsa.misc.cs_loginname`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`rsa.misc.cs_modulescore`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`rsa.misc.cs_modulesign`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`rsa.misc.cs_opswatresult`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`rsa.misc.cs_payload`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`rsa.misc.cs_registrant`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`rsa.misc.cs_registrar`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`rsa.misc.cs_represult`*:: +*`rsa.network.ad_computer_dst`*:: + -- +Deprecated, use host.dst + type: keyword -- -*`rsa.misc.cs_rpayload`*:: +*`rsa.network.eth_type`*:: + -- -type: keyword +This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + +type: long -- -*`rsa.misc.cs_sampler_name`*:: +*`rsa.network.ip_proto`*:: + -- -type: keyword +This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + +type: long -- -*`rsa.misc.cs_sourcemodule`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`rsa.misc.cs_streams`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`rsa.misc.cs_targetmodule`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`rsa.misc.cs_v6nxthop`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`rsa.misc.cs_whois_server`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`rsa.misc.cs_yararesult`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`rsa.misc.description`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`rsa.misc.devvendor`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`rsa.misc.distance`*:: +*`rsa.network.host_orig`*:: + -- +This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + type: keyword -- -*`rsa.misc.dstburb`*:: +*`rsa.network.rpayload`*:: + -- +This key is used to capture the total number of payload bytes seen in the retransmitted packets. + type: keyword -- -*`rsa.misc.edomain`*:: +*`rsa.network.vlan_name`*:: + -- +This key should only be used to capture the name of the Virtual LAN + type: keyword -- -*`rsa.misc.edomaub`*:: + +*`rsa.investigations.ec_activity`*:: + -- +This key captures the particular event activity(Ex:Logoff) + type: keyword -- -*`rsa.misc.euid`*:: +*`rsa.investigations.ec_theme`*:: + -- +This key captures the Theme of a particular Event(Ex:Authentication) + type: keyword -- -*`rsa.misc.facility`*:: +*`rsa.investigations.ec_subject`*:: + -- +This key captures the Subject of a particular Event(Ex:User) + type: keyword -- -*`rsa.misc.finterface`*:: +*`rsa.investigations.ec_outcome`*:: + -- +This key captures the outcome of a particular Event(Ex:Success) + type: keyword -- -*`rsa.misc.flags`*:: +*`rsa.investigations.event_cat`*:: + -- -type: keyword +This key captures the Event category number + +type: long -- -*`rsa.misc.gaddr`*:: +*`rsa.investigations.event_cat_name`*:: + -- +This key captures the event category name corresponding to the event cat code + type: keyword -- -*`rsa.misc.id3`*:: +*`rsa.investigations.event_vcat`*:: + -- +This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + type: keyword -- -*`rsa.misc.im_buddyname`*:: +*`rsa.investigations.analysis_file`*:: + -- +This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + type: keyword -- -*`rsa.misc.im_croomid`*:: +*`rsa.investigations.analysis_service`*:: + -- +This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service + type: keyword -- -*`rsa.misc.im_croomtype`*:: +*`rsa.investigations.analysis_session`*:: + -- +This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + type: keyword -- -*`rsa.misc.im_members`*:: +*`rsa.investigations.boc`*:: + -- +This is used to capture behaviour of compromise + type: keyword -- -*`rsa.misc.im_username`*:: +*`rsa.investigations.eoc`*:: + -- +This is used to capture Enablers of Compromise + type: keyword -- -*`rsa.misc.ipkt`*:: +*`rsa.investigations.inv_category`*:: + -- +This used to capture investigation category + type: keyword -- -*`rsa.misc.ipscat`*:: +*`rsa.investigations.inv_context`*:: + -- +This used to capture investigation context + type: keyword -- -*`rsa.misc.ipspri`*:: +*`rsa.investigations.ioc`*:: + -- +This is key capture indicator of compromise + type: keyword -- -*`rsa.misc.latitude`*:: + +*`rsa.counters.dclass_c1`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c1.str only + +type: long -- -*`rsa.misc.linenum`*:: +*`rsa.counters.dclass_c2`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c2.str only + +type: long -- -*`rsa.misc.list_name`*:: +*`rsa.counters.event_counter`*:: + -- -type: keyword +This is used to capture the number of times an event repeated + +type: long -- -*`rsa.misc.load_data`*:: +*`rsa.counters.dclass_r1`*:: + -- +This is a generic ratio key that should be used with the label dclass.r1.str only + type: keyword -- -*`rsa.misc.location_floor`*:: +*`rsa.counters.dclass_c3`*:: + -- -type: keyword +This is a generic counter key that should be used with the label dclass.c3.str only + +type: long -- -*`rsa.misc.location_mark`*:: +*`rsa.counters.dclass_c1_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c1 only + type: keyword -- -*`rsa.misc.log_id`*:: +*`rsa.counters.dclass_c2_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c2 only + type: keyword -- -*`rsa.misc.log_type`*:: +*`rsa.counters.dclass_r1_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r1 only + type: keyword -- -*`rsa.misc.logid`*:: +*`rsa.counters.dclass_r2`*:: + -- +This is a generic ratio key that should be used with the label dclass.r2.str only + type: keyword -- -*`rsa.misc.logip`*:: +*`rsa.counters.dclass_c3_str`*:: + -- +This is a generic counter string key that should be used with the label dclass.c3 only + type: keyword -- -*`rsa.misc.logname`*:: +*`rsa.counters.dclass_r3`*:: + -- +This is a generic ratio key that should be used with the label dclass.r3.str only + type: keyword -- -*`rsa.misc.longitude`*:: +*`rsa.counters.dclass_r2_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r2 only + type: keyword -- -*`rsa.misc.lport`*:: +*`rsa.counters.dclass_r3_str`*:: + -- +This is a generic ratio string key that should be used with the label dclass.r3 only + type: keyword -- -*`rsa.misc.mbug_data`*:: + +*`rsa.identity.auth_method`*:: + -- +This key is used to capture authentication methods used only + type: keyword -- -*`rsa.misc.misc_name`*:: +*`rsa.identity.user_role`*:: + -- +This key is used to capture the Role of a user only + type: keyword -- -*`rsa.misc.msg_type`*:: +*`rsa.identity.dn`*:: + -- +X.500 (LDAP) Distinguished Name + type: keyword -- -*`rsa.misc.msgid`*:: +*`rsa.identity.logon_type`*:: + -- +This key is used to capture the type of logon method used. + type: keyword -- -*`rsa.misc.netsessid`*:: +*`rsa.identity.profile`*:: + -- +This key is used to capture the user profile + type: keyword -- -*`rsa.misc.num`*:: +*`rsa.identity.accesses`*:: + -- +This key is used to capture actual privileges used in accessing an object + type: keyword -- -*`rsa.misc.number1`*:: +*`rsa.identity.realm`*:: + -- +Radius realm or similar grouping of accounts + type: keyword -- -*`rsa.misc.number2`*:: +*`rsa.identity.user_sid_dst`*:: + -- +This key captures Destination User Session ID + type: keyword -- -*`rsa.misc.nwwn`*:: +*`rsa.identity.dn_src`*:: + -- +An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + type: keyword -- -*`rsa.misc.object`*:: +*`rsa.identity.org`*:: + -- +This key captures the User organization + type: keyword -- -*`rsa.misc.operation`*:: +*`rsa.identity.dn_dst`*:: + -- +An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + type: keyword -- -*`rsa.misc.opkt`*:: +*`rsa.identity.firstname`*:: + -- +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.orig_from`*:: +*`rsa.identity.lastname`*:: + -- +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.owner_id`*:: +*`rsa.identity.user_dept`*:: + -- +User's Department Names only + type: keyword -- -*`rsa.misc.p_action`*:: +*`rsa.identity.user_sid_src`*:: + -- +This key captures Source User Session ID + type: keyword -- -*`rsa.misc.p_filter`*:: +*`rsa.identity.federated_sp`*:: + -- +This key is the Federated Service Provider. This is the application requesting authentication. + type: keyword -- -*`rsa.misc.p_group_object`*:: +*`rsa.identity.federated_idp`*:: + -- +This key is the federated Identity Provider. This is the server providing the authentication. + type: keyword -- -*`rsa.misc.p_id`*:: +*`rsa.identity.logon_type_desc`*:: + -- +This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + type: keyword -- -*`rsa.misc.p_msgid1`*:: +*`rsa.identity.middlename`*:: + -- +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + type: keyword -- -*`rsa.misc.p_msgid2`*:: +*`rsa.identity.password`*:: + -- +This key is for Passwords seen in any session, plain text or encrypted + type: keyword -- -*`rsa.misc.p_result1`*:: +*`rsa.identity.host_role`*:: + -- +This key should only be used to capture the role of a Host Machine + type: keyword -- -*`rsa.misc.password_chg`*:: +*`rsa.identity.ldap`*:: + -- +This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context + type: keyword -- -*`rsa.misc.password_expire`*:: +*`rsa.identity.ldap_query`*:: + -- +This key is the Search criteria from an LDAP search + type: keyword -- -*`rsa.misc.permgranted`*:: +*`rsa.identity.ldap_response`*:: + -- +This key is to capture Results from an LDAP search + type: keyword -- -*`rsa.misc.permwanted`*:: +*`rsa.identity.owner`*:: + -- +This is used to capture username the process or service is running as, the author of the task + type: keyword -- -*`rsa.misc.pgid`*:: +*`rsa.identity.service_account`*:: + -- +This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + type: keyword -- -*`rsa.misc.policyUUID`*:: + +*`rsa.email.email_dst`*:: + -- +This key is used to capture the Destination email address only, when the destination context is not clear use email + type: keyword -- -*`rsa.misc.prog_asp_num`*:: +*`rsa.email.email_src`*:: + -- +This key is used to capture the source email address only, when the source context is not clear use email + type: keyword -- -*`rsa.misc.program`*:: +*`rsa.email.subject`*:: + -- +This key is used to capture the subject string from an Email only. + type: keyword -- -*`rsa.misc.real_data`*:: +*`rsa.email.email`*:: + -- +This key is used to capture a generic email address where the source or destination context is not clear + type: keyword -- -*`rsa.misc.rec_asp_device`*:: +*`rsa.email.trans_from`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.rec_asp_num`*:: +*`rsa.email.trans_to`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.rec_library`*:: + +*`rsa.file.privilege`*:: + -- +Deprecated, use permissions + type: keyword -- -*`rsa.misc.recordnum`*:: +*`rsa.file.attachment`*:: + -- +This key captures the attachment file name + type: keyword -- -*`rsa.misc.ruid`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`rsa.misc.sburb`*:: +*`rsa.file.binary`*:: + -- +Deprecated key defined only in table map. + type: keyword -- -*`rsa.misc.sdomain_fld`*:: +*`rsa.file.filename_dst`*:: + -- +This is used to capture name of the file targeted by the action + type: keyword -- -*`rsa.misc.sec`*:: +*`rsa.file.filename_src`*:: + -- +This is used to capture name of the parent filename, the file which performed the action + type: keyword -- -*`rsa.misc.sensorname`*:: +*`rsa.file.filename_tmp`*:: + -- type: keyword -- -*`rsa.misc.seqnum`*:: +*`rsa.file.directory_dst`*:: + -- +This key is used to capture the directory of the target process or file + type: keyword -- -*`rsa.misc.session`*:: +*`rsa.file.directory_src`*:: + -- +This key is used to capture the directory of the source process or file + type: keyword -- -*`rsa.misc.sessiontype`*:: +*`rsa.file.file_entropy`*:: + -- -type: keyword +This is used to capture entropy vale of a file + +type: double -- -*`rsa.misc.sigUUID`*:: +*`rsa.file.file_vendor`*:: + -- +This is used to capture Company name of file located in version_info + type: keyword -- -*`rsa.misc.spi`*:: +*`rsa.file.task_name`*:: + -- +This is used to capture name of the task + type: keyword -- -*`rsa.misc.srcburb`*:: + +*`rsa.web.fqdn`*:: + -- +Fully Qualified Domain Names + type: keyword -- -*`rsa.misc.srcdom`*:: +*`rsa.web.web_cookie`*:: + -- +This key is used to capture the Web cookies specifically. + type: keyword -- -*`rsa.misc.srcservice`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`rsa.misc.state`*:: +*`rsa.web.reputation_num`*:: + -- -type: keyword +Reputation Number of an entity. Typically used for Web Domains + +type: double -- -*`rsa.misc.status1`*:: +*`rsa.web.web_ref_domain`*:: + -- +Web referer's domain + type: keyword -- -*`rsa.misc.svcno`*:: +*`rsa.web.web_ref_query`*:: + -- +This key captures Web referer's query portion of the URL + type: keyword -- -*`rsa.misc.system`*:: +*`rsa.web.remote_domain`*:: + -- type: keyword -- -*`rsa.misc.tbdstr1`*:: +*`rsa.web.web_ref_page`*:: + -- +This key captures Web referer's page information + type: keyword -- -*`rsa.misc.tgtdom`*:: +*`rsa.web.web_ref_root`*:: + -- +Web referer's root URL path + type: keyword -- -*`rsa.misc.tgtdomain`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`rsa.misc.threshold`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`rsa.misc.type1`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`rsa.misc.udb_class`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`rsa.misc.url_fld`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`rsa.misc.user_div`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`rsa.misc.userid`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`rsa.misc.username_fld`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`rsa.misc.utcstamp`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`rsa.misc.v_instafname`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`rsa.misc.virt_data`*:: +*`rsa.web.web_page`*:: + -- type: keyword -- -*`rsa.misc.vpnid`*:: + +*`rsa.threat.threat_category`*:: + -- +This key captures Threat Name/Threat Category/Categorization of alert + type: keyword -- -*`rsa.misc.autorun_type`*:: +*`rsa.threat.threat_desc`*:: + -- -This is used to capture Auto Run type +This key is used to capture the threat description from the session directly or inferred type: keyword -- -*`rsa.misc.cc_number`*:: +*`rsa.threat.alert`*:: + -- -Valid Credit Card Numbers only +This key is used to capture name of the alert -type: long +type: keyword -- -*`rsa.misc.content`*:: +*`rsa.threat.threat_source`*:: + -- -This key captures the content type from protocol headers +This key is used to capture source of the threat type: keyword -- -*`rsa.misc.ein_number`*:: + +*`rsa.crypto.crypto`*:: + -- -Employee Identification Numbers only +This key is used to capture the Encryption Type or Encryption Key only -type: long +type: keyword -- -*`rsa.misc.found`*:: +*`rsa.crypto.cipher_src`*:: + -- -This is used to capture the results of regex match +This key is for Source (Client) Cipher type: keyword -- -*`rsa.misc.language`*:: +*`rsa.crypto.cert_subject`*:: + -- -This is used to capture list of languages the client support and what it prefers +This key is used to capture the Certificate organization only type: keyword -- -*`rsa.misc.lifetime`*:: +*`rsa.crypto.peer`*:: + -- -This key is used to capture the session lifetime in seconds. +This key is for Encryption peer's IP Address -type: long +type: keyword -- -*`rsa.misc.link`*:: +*`rsa.crypto.cipher_size_src`*:: + -- -This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness +This key captures Source (Client) Cipher Size -type: keyword +type: long -- -*`rsa.misc.match`*:: +*`rsa.crypto.ike`*:: + -- -This key is for regex match name from search.ini +IKE negotiation phase. type: keyword -- -*`rsa.misc.param_dst`*:: +*`rsa.crypto.scheme`*:: + -- -This key captures the command line/launch argument of the target process or file +This key captures the Encryption scheme used type: keyword -- -*`rsa.misc.param_src`*:: +*`rsa.crypto.peer_id`*:: + -- -This key captures source parameter +This key is for Encryption peer’s identity type: keyword -- -*`rsa.misc.search_text`*:: +*`rsa.crypto.sig_type`*:: + -- -This key captures the Search Text used +This key captures the Signature Type type: keyword -- -*`rsa.misc.sig_name`*:: +*`rsa.crypto.cert_issuer`*:: + -- -This key is used to capture the Signature Name only. - type: keyword -- -*`rsa.misc.snmp_value`*:: +*`rsa.crypto.cert_host_name`*:: + -- -SNMP set request value +Deprecated key defined only in table map. type: keyword -- -*`rsa.misc.streams`*:: +*`rsa.crypto.cert_error`*:: + -- -This key captures number of streams in session +This key captures the Certificate Error String -type: long +type: keyword -- - -*`rsa.db.index`*:: +*`rsa.crypto.cipher_dst`*:: + -- -This key captures IndexID of the index. +This key is for Destination (Server) Cipher type: keyword -- -*`rsa.db.instance`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- -This key is used to capture the database server instance name +This key captures Destination (Server) Cipher Size -type: keyword +type: long -- -*`rsa.db.database`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- -This key is used to capture the name of a database or an instance as seen in a session +Deprecated, use version type: keyword -- -*`rsa.db.transact_id`*:: +*`rsa.crypto.d_certauth`*:: + -- -This key captures the SQL transantion ID of the current session - type: keyword -- -*`rsa.db.permissions`*:: +*`rsa.crypto.s_certauth`*:: + -- -This key captures permission or privilege level assigned to a resource. - type: keyword -- -*`rsa.db.table_name`*:: +*`rsa.crypto.ike_cookie1`*:: + -- -This key is used to capture the table name +ID of the negotiation — sent for ISAKMP Phase One type: keyword -- -*`rsa.db.db_id`*:: +*`rsa.crypto.ike_cookie2`*:: + -- -This key is used to capture the unique identifier for a database +ID of the negotiation — sent for ISAKMP Phase Two type: keyword -- -*`rsa.db.db_pid`*:: +*`rsa.crypto.cert_checksum`*:: + -- -This key captures the process id of a connection with database server - -type: long +type: keyword -- -*`rsa.db.lread`*:: +*`rsa.crypto.cert_host_cat`*:: + -- -This key is used for the number of logical reads +This key is used for the hostname category value of a certificate -type: long +type: keyword -- -*`rsa.db.lwrite`*:: +*`rsa.crypto.cert_serial`*:: + -- -This key is used for the number of logical writes +This key is used to capture the Certificate serial number only -type: long +type: keyword -- -*`rsa.db.pread`*:: +*`rsa.crypto.cert_status`*:: + -- -This key is used for the number of physical writes +This key captures Certificate validation status -type: long +type: keyword -- - -*`rsa.network.alias_host`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- -This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. +Deprecated, use version type: keyword -- -*`rsa.network.domain`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`rsa.network.host_dst`*:: +*`rsa.crypto.cert_username`*:: + -- -This key should only be used when it’s a Destination Hostname - type: keyword -- -*`rsa.network.network_service`*:: +*`rsa.crypto.https_insact`*:: + -- -This is used to capture layer 7 protocols/service names - type: keyword -- -*`rsa.network.interface`*:: +*`rsa.crypto.https_valid`*:: + -- -This key should be used when the source or destination context of an interface is not clear - type: keyword -- -*`rsa.network.network_port`*:: +*`rsa.crypto.cert_ca`*:: + -- -Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) +This key is used to capture the Certificate signing authority only -type: long +type: keyword -- -*`rsa.network.eth_host`*:: +*`rsa.crypto.cert_common`*:: + -- -Deprecated, use alias.mac +This key is used to capture the Certificate common name only type: keyword -- -*`rsa.network.sinterface`*:: + +*`rsa.wireless.wlan_ssid`*:: + -- -This key should only be used when it’s a Source Interface +This key is used to capture the ssid of a Wireless Session type: keyword -- -*`rsa.network.dinterface`*:: +*`rsa.wireless.access_point`*:: + -- -This key should only be used when it’s a Destination Interface +This key is used to capture the access point name. type: keyword -- -*`rsa.network.vlan`*:: +*`rsa.wireless.wlan_channel`*:: + -- -This key should only be used to capture the ID of the Virtual LAN +This is used to capture the channel names type: long -- -*`rsa.network.zone_src`*:: +*`rsa.wireless.wlan_name`*:: + -- -This key should only be used when it’s a Source Zone. +This key captures either WLAN number/name type: keyword -- -*`rsa.network.zone`*:: + +*`rsa.storage.disk_volume`*:: + -- -This key should be used when the source or destination context of a Zone is not clear +A unique name assigned to logical units (volumes) within a physical disk type: keyword -- -*`rsa.network.zone_dst`*:: +*`rsa.storage.lun`*:: + -- -This key should only be used when it’s a Destination Zone. +Logical Unit Number.This key is a very useful concept in Storage. type: keyword -- -*`rsa.network.gateway`*:: +*`rsa.storage.pwwn`*:: + -- -This key is used to capture the IP Address of the gateway +This uniquely identifies a port on a HBA. type: keyword -- -*`rsa.network.icmp_type`*:: + +*`rsa.physical.org_dst`*:: + -- -This key is used to capture the ICMP type only +This is used to capture the destination organization based on the GEOPIP Maxmind database. -type: long +type: keyword -- -*`rsa.network.mask`*:: +*`rsa.physical.org_src`*:: + -- -This key is used to capture the device network IPmask. +This is used to capture the source organization based on the GEOPIP Maxmind database. type: keyword -- -*`rsa.network.icmp_code`*:: + +*`rsa.healthcare.patient_fname`*:: + -- -This key is used to capture the ICMP code only +This key is for First Names only, this is used for Healthcare predominantly to capture Patients information -type: long +type: keyword -- -*`rsa.network.protocol_detail`*:: +*`rsa.healthcare.patient_id`*:: + -- -This key should be used to capture additional protocol information +This key captures the unique ID for a patient type: keyword -- -*`rsa.network.dmask`*:: +*`rsa.healthcare.patient_lname`*:: + -- -This key is used for Destionation Device network mask +This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information type: keyword -- -*`rsa.network.port`*:: +*`rsa.healthcare.patient_mname`*:: + -- -This key should only be used to capture a Network Port when the directionality is not clear +This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information -type: long +type: keyword -- -*`rsa.network.smask`*:: + +*`rsa.endpoint.host_state`*:: + -- -This key is used for capturing source Network Mask +This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on type: keyword -- -*`rsa.network.netname`*:: +*`rsa.endpoint.registry_key`*:: + -- -This key is used to capture the network name associated with an IP range. This is configured by the end user. +This key captures the path to the registry key type: keyword -- -*`rsa.network.paddr`*:: +*`rsa.endpoint.registry_value`*:: + -- -Deprecated +This key captures values or decorators used within a registry entry -type: ip +type: keyword -- -*`rsa.network.faddr`*:: -+ --- -type: keyword +[[exported-fields-traefik]] +== Traefik fields --- +Module for parsing the Traefik log files. -*`rsa.network.lhost`*:: -+ --- -type: keyword --- -*`rsa.network.origin`*:: -+ --- -type: keyword +[float] +=== traefik --- +Fields from the Traefik log files. + + + +[float] +=== access + +Contains fields for the Traefik access logs. -*`rsa.network.remote_domain_id`*:: -+ --- -type: keyword --- -*`rsa.network.addr`*:: +*`traefik.access.user_identifier`*:: + -- -type: keyword +Is the RFC 1413 identity of the client --- -*`rsa.network.dns_a_record`*:: -+ --- type: keyword -- -*`rsa.network.dns_ptr_record`*:: +*`traefik.access.request_count`*:: + -- -type: keyword +The number of requests --- -*`rsa.network.fhost`*:: -+ --- -type: keyword +type: long -- -*`rsa.network.fport`*:: +*`traefik.access.frontend_name`*:: + -- -type: keyword +The name of the frontend used --- -*`rsa.network.laddr`*:: -+ --- type: keyword -- -*`rsa.network.linterface`*:: +*`traefik.access.backend_url`*:: + -- +The url of the backend where request is forwarded + type: keyword -- -*`rsa.network.phost`*:: +*`traefik.access.body_sent.bytes`*:: + -- -type: keyword +type: alias + +alias to: http.response.body.bytes -- -*`rsa.network.ad_computer_dst`*:: +*`traefik.access.remote_ip`*:: + -- -Deprecated, use host.dst +type: alias -type: keyword +alias to: source.address -- -*`rsa.network.eth_type`*:: +*`traefik.access.user_name`*:: + -- -This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only +type: alias -type: long +alias to: user.name -- -*`rsa.network.ip_proto`*:: +*`traefik.access.method`*:: + -- -This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI +type: alias -type: long +alias to: http.request.method -- -*`rsa.network.dns_cname_record`*:: +*`traefik.access.url`*:: + -- -type: keyword +type: alias + +alias to: url.original -- -*`rsa.network.dns_id`*:: +*`traefik.access.http_version`*:: + -- -type: keyword +type: alias + +alias to: http.version -- -*`rsa.network.dns_opcode`*:: +*`traefik.access.response_code`*:: + -- -type: keyword +type: alias + +alias to: http.response.status_code -- -*`rsa.network.dns_resp`*:: +*`traefik.access.referrer`*:: + -- -type: keyword +type: alias + +alias to: http.request.referrer -- -*`rsa.network.dns_type`*:: +*`traefik.access.agent`*:: + -- -type: keyword +type: alias --- +alias to: user_agent.original -*`rsa.network.domain1`*:: -+ -- -type: keyword --- -*`rsa.network.host_type`*:: +*`traefik.access.user_agent.device`*:: + -- -type: keyword +type: alias + +alias to: user_agent.device.name -- -*`rsa.network.packet_length`*:: +*`traefik.access.user_agent.name`*:: + -- -type: keyword +type: alias + +alias to: user_agent.name -- -*`rsa.network.host_orig`*:: +*`traefik.access.user_agent.os`*:: + -- -This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. +type: alias -type: keyword +alias to: user_agent.os.full_name -- -*`rsa.network.rpayload`*:: +*`traefik.access.user_agent.os_name`*:: + -- -This key is used to capture the total number of payload bytes seen in the retransmitted packets. +type: alias -type: keyword +alias to: user_agent.os.name -- -*`rsa.network.vlan_name`*:: +*`traefik.access.user_agent.original`*:: + -- -This key should only be used to capture the name of the Virtual LAN +type: alias -type: keyword +alias to: user_agent.original -- -*`rsa.investigations.ec_activity`*:: +*`traefik.access.geoip.continent_name`*:: + -- -This key captures the particular event activity(Ex:Logoff) +type: alias -type: keyword +alias to: source.geo.continent_name -- -*`rsa.investigations.ec_theme`*:: +*`traefik.access.geoip.country_iso_code`*:: + -- -This key captures the Theme of a particular Event(Ex:Authentication) +type: alias -type: keyword +alias to: source.geo.country_iso_code -- -*`rsa.investigations.ec_subject`*:: +*`traefik.access.geoip.location`*:: + -- -This key captures the Subject of a particular Event(Ex:User) +type: alias -type: keyword +alias to: source.geo.location -- -*`rsa.investigations.ec_outcome`*:: +*`traefik.access.geoip.region_name`*:: + -- -This key captures the outcome of a particular Event(Ex:Success) +type: alias -type: keyword +alias to: source.geo.region_name -- -*`rsa.investigations.event_cat`*:: +*`traefik.access.geoip.city_name`*:: + -- -This key captures the Event category number +type: alias -type: long +alias to: source.geo.city_name -- -*`rsa.investigations.event_cat_name`*:: +*`traefik.access.geoip.region_iso_code`*:: + -- -This key captures the event category name corresponding to the event cat code +type: alias -type: keyword +alias to: source.geo.region_iso_code -- -*`rsa.investigations.event_vcat`*:: -+ --- -This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. +[[exported-fields-zeek]] +== Zeek fields -type: keyword +Module for handling logs produced by Zeek/Bro --- -*`rsa.investigations.analysis_file`*:: -+ --- -This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file -type: keyword +[float] +=== zeek --- +Fields from Zeek/Bro logs after normalization -*`rsa.investigations.analysis_service`*:: + + +*`zeek.session_id`*:: + -- -This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service +A unique identifier of the session + type: keyword -- -*`rsa.investigations.analysis_session`*:: -+ --- -This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session +[float] +=== capture_loss -type: keyword +Fields exported by the Zeek capture_loss log --- -*`rsa.investigations.boc`*:: + +*`zeek.capture_loss.ts_delta`*:: + -- -This is used to capture behaviour of compromise +The time delay between this measurement and the last. -type: keyword + +type: integer -- -*`rsa.investigations.eoc`*:: +*`zeek.capture_loss.peer`*:: + -- -This is used to capture Enablers of Compromise +In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name. + type: keyword -- -*`rsa.investigations.inv_category`*:: +*`zeek.capture_loss.gaps`*:: + -- -This used to capture investigation category +Number of missed ACKs from the previous measurement interval. -type: keyword + +type: integer -- -*`rsa.investigations.inv_context`*:: +*`zeek.capture_loss.acks`*:: + -- -This used to capture investigation context +Total number of ACKs seen in the previous measurement interval. -type: keyword + +type: integer -- -*`rsa.investigations.ioc`*:: +*`zeek.capture_loss.percent_lost`*:: + -- -This is key capture indicator of compromise +Percentage of ACKs seen where the data being ACKed wasn't seen. -type: keyword + +type: double -- +[float] +=== connection + +Fields exported by the Zeek Connection log -*`rsa.counters.dclass_c1`*:: + + +*`zeek.connection.local_orig`*:: + -- -This is a generic counter key that should be used with the label dclass.c1.str only +Indicates whether the session is originated locally. -type: long + +type: boolean -- -*`rsa.counters.dclass_c2`*:: +*`zeek.connection.local_resp`*:: + -- -This is a generic counter key that should be used with the label dclass.c2.str only +Indicates whether the session is responded locally. -type: long + +type: boolean -- -*`rsa.counters.event_counter`*:: +*`zeek.connection.missed_bytes`*:: + -- -This is used to capture the number of times an event repeated +Missed bytes for the session. + type: long -- -*`rsa.counters.dclass_r1`*:: +*`zeek.connection.state`*:: + -- -This is a generic ratio key that should be used with the label dclass.r1.str only +Code indicating the state of the session. + type: keyword -- -*`rsa.counters.dclass_c3`*:: +*`zeek.connection.state_message`*:: + -- -This is a generic counter key that should be used with the label dclass.c3.str only +The state of the session. -type: long + +type: keyword -- -*`rsa.counters.dclass_c1_str`*:: + +*`zeek.connection.icmp.type`*:: + -- -This is a generic counter string key that should be used with the label dclass.c1 only +ICMP message type. -type: keyword + +type: integer -- -*`rsa.counters.dclass_c2_str`*:: +*`zeek.connection.icmp.code`*:: + -- -This is a generic counter string key that should be used with the label dclass.c2 only +ICMP message code. -type: keyword + +type: integer -- -*`rsa.counters.dclass_r1_str`*:: +*`zeek.connection.history`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r1 only +Flags indicating the history of the session. + type: keyword -- -*`rsa.counters.dclass_r2`*:: +*`zeek.connection.vlan`*:: + -- -This is a generic ratio key that should be used with the label dclass.r2.str only +VLAN identifier. -type: keyword + +type: integer -- -*`rsa.counters.dclass_c3_str`*:: +*`zeek.connection.inner_vlan`*:: + -- -This is a generic counter string key that should be used with the label dclass.c3 only +VLAN identifier. -type: keyword --- +type: integer -*`rsa.counters.dclass_r3`*:: -+ -- -This is a generic ratio key that should be used with the label dclass.r3.str only -type: keyword +[float] +=== dce_rpc --- +Fields exported by the Zeek DCE_RPC log -*`rsa.counters.dclass_r2_str`*:: + + +*`zeek.dce_rpc.rtt`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r2 only +Round trip time from the request to the response. If either the request or response wasn't seen, this will be null. -type: keyword + +type: integer -- -*`rsa.counters.dclass_r3_str`*:: +*`zeek.dce_rpc.named_pipe`*:: + -- -This is a generic ratio string key that should be used with the label dclass.r3 only +Remote pipe name. + type: keyword -- - -*`rsa.identity.auth_method`*:: +*`zeek.dce_rpc.endpoint`*:: + -- -This key is used to capture authentication methods used only +Endpoint name looked up from the uuid. + type: keyword -- -*`rsa.identity.user_role`*:: +*`zeek.dce_rpc.operation`*:: + -- -This key is used to capture the Role of a user only +Operation seen in the call. + type: keyword -- -*`rsa.identity.dn`*:: +[float] +=== dhcp + +Fields exported by the Zeek DHCP log + + + +*`zeek.dhcp.domain`*:: + -- -X.500 (LDAP) Distinguished Name +Domain given by the server in option 15. + type: keyword -- -*`rsa.identity.logon_type`*:: +*`zeek.dhcp.duration`*:: + -- -This key is used to capture the type of logon method used. +Duration of the DHCP session representing the time from the first +message to the last, in seconds. -type: keyword + +type: double -- -*`rsa.identity.profile`*:: +*`zeek.dhcp.hostname`*:: + -- -This key is used to capture the user profile +Name given by client in Hostname option 12. + type: keyword -- -*`rsa.identity.accesses`*:: +*`zeek.dhcp.client_fqdn`*:: + -- -This key is used to capture actual privileges used in accessing an object +FQDN given by client in Client FQDN option 81. + type: keyword -- -*`rsa.identity.realm`*:: +*`zeek.dhcp.lease_time`*:: + -- -Radius realm or similar grouping of accounts +IP address lease interval in seconds. -type: keyword + +type: integer -- -*`rsa.identity.user_sid_dst`*:: +[float] +=== address + +Addresses seen in this DHCP exchange. + + + +*`zeek.dhcp.address.assigned`*:: + -- -This key captures Destination User Session ID +IP address assigned by the server. -type: keyword + +type: ip -- -*`rsa.identity.dn_src`*:: +*`zeek.dhcp.address.client`*:: + -- -An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn +IP address of the client. If a transaction is only a client sending +INFORM messages then there is no lease information exchanged so this +is helpful to know who sent the messages. Getting an address in this +field does require that the client sources at least one DHCP message +using a non-broadcast address. -type: keyword + +type: ip -- -*`rsa.identity.org`*:: +*`zeek.dhcp.address.mac`*:: + -- -This key captures the User organization +Client's hardware address. + type: keyword -- -*`rsa.identity.dn_dst`*:: +*`zeek.dhcp.address.requested`*:: + -- -An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn +IP address requested by the client. -type: keyword + +type: ip -- -*`rsa.identity.firstname`*:: +*`zeek.dhcp.address.server`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +IP address of the DHCP server. -type: keyword + +type: ip -- -*`rsa.identity.lastname`*:: + +*`zeek.dhcp.msg.types`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +List of DHCP message types seen in this exchange. + type: keyword -- -*`rsa.identity.user_dept`*:: +*`zeek.dhcp.msg.origin`*:: + -- -User's Department Names only +(present if policy/protocols/dhcp/msg-orig.bro is loaded) +The address that originated each message from the msg.types field. -type: keyword + +type: ip -- -*`rsa.identity.user_sid_src`*:: +*`zeek.dhcp.msg.client`*:: + -- -This key captures Source User Session ID +Message typically accompanied with a DHCP_DECLINE so the client can +tell the server why it rejected an address. + type: keyword -- -*`rsa.identity.federated_sp`*:: +*`zeek.dhcp.msg.server`*:: + -- -This key is the Federated Service Provider. This is the application requesting authentication. +Message typically accompanied with a DHCP_NAK to let the client know +why it rejected the request. + type: keyword -- -*`rsa.identity.federated_idp`*:: + +*`zeek.dhcp.software.client`*:: + -- -This key is the federated Identity Provider. This is the server providing the authentication. +(present if policy/protocols/dhcp/software.bro is loaded) +Software reported by the client in the vendor_class option. + type: keyword -- -*`rsa.identity.logon_type_desc`*:: +*`zeek.dhcp.software.server`*:: + -- -This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. +(present if policy/protocols/dhcp/software.bro is loaded) +Software reported by the client in the vendor_class option. + type: keyword -- -*`rsa.identity.middlename`*:: + +*`zeek.dhcp.id.circuit`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +(present if policy/protocols/dhcp/sub-opts.bro is loaded) +Added by DHCP relay agents which terminate switched or permanent +circuits. It encodes an agent-local identifier of the circuit from +which a DHCP client-to-server packet was received. Typically it +should represent a router or switch interface number. + type: keyword -- -*`rsa.identity.password`*:: +*`zeek.dhcp.id.remote_agent`*:: + -- -This key is for Passwords seen in any session, plain text or encrypted +(present if policy/protocols/dhcp/sub-opts.bro is loaded) +A globally unique identifier added by relay agents to identify the +remote host end of the circuit. + type: keyword -- -*`rsa.identity.host_role`*:: +*`zeek.dhcp.id.subscriber`*:: + -- -This key should only be used to capture the role of a Host Machine +(present if policy/protocols/dhcp/sub-opts.bro is loaded) +The subscriber ID is a value independent of the physical network +configuration so that a customer's DHCP configuration can be given +to them correctly no matter where they are physically connected. + type: keyword -- -*`rsa.identity.ldap`*:: +[float] +=== dnp3 + +Fields exported by the Zeek DNP3 log + + + + +*`zeek.dnp3.function.request`*:: + -- -This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context +The name of the function message in the request. + type: keyword -- -*`rsa.identity.ldap_query`*:: +*`zeek.dnp3.function.reply`*:: + -- -This key is the Search criteria from an LDAP search +The name of the function message in the reply. + type: keyword -- -*`rsa.identity.ldap_response`*:: +*`zeek.dnp3.id`*:: + -- -This key is to capture Results from an LDAP search +The response's internal indication number. -type: keyword + +type: integer -- -*`rsa.identity.owner`*:: +[float] +=== dns + +Fields exported by the Zeek DNS log + + + +*`zeek.dns.trans_id`*:: + -- -This is used to capture username the process or service is running as, the author of the task +DNS transaction identifier. + type: keyword -- -*`rsa.identity.service_account`*:: +*`zeek.dns.rtt`*:: + -- -This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage +Round trip time for the query and response. -type: keyword --- +type: double +-- -*`rsa.email.email_dst`*:: +*`zeek.dns.query`*:: + -- -This key is used to capture the Destination email address only, when the destination context is not clear use email +The domain name that is the subject of the DNS query. + type: keyword -- -*`rsa.email.email_src`*:: +*`zeek.dns.qclass`*:: + -- -This key is used to capture the source email address only, when the source context is not clear use email +The QCLASS value specifying the class of the query. -type: keyword + +type: long -- -*`rsa.email.subject`*:: +*`zeek.dns.qclass_name`*:: + -- -This key is used to capture the subject string from an Email only. +A descriptive name for the class of the query. + type: keyword -- -*`rsa.email.email`*:: +*`zeek.dns.qtype`*:: + -- -This key is used to capture a generic email address where the source or destination context is not clear +A QTYPE value specifying the type of the query. -type: keyword + +type: long -- -*`rsa.email.trans_from`*:: +*`zeek.dns.qtype_name`*:: + -- -Deprecated key defined only in table map. +A descriptive name for the type of the query. + type: keyword -- -*`rsa.email.trans_to`*:: +*`zeek.dns.rcode`*:: + -- -Deprecated key defined only in table map. +The response code value in DNS response messages. -type: keyword --- +type: long +-- -*`rsa.file.privilege`*:: +*`zeek.dns.rcode_name`*:: + -- -Deprecated, use permissions +A descriptive name for the response code value. + type: keyword -- -*`rsa.file.attachment`*:: +*`zeek.dns.AA`*:: + -- -This key captures the attachment file name +The Authoritative Answer bit for response messages specifies that the responding +name server is an authority for the domain name in the question section. -type: keyword + +type: boolean -- -*`rsa.file.filesystem`*:: +*`zeek.dns.TC`*:: + -- -type: keyword +The Truncation bit specifies that the message was truncated. + + +type: boolean -- -*`rsa.file.binary`*:: +*`zeek.dns.RD`*:: + -- -Deprecated key defined only in table map. +The Recursion Desired bit in a request message indicates that the client +wants recursive service for this query. -type: keyword + +type: boolean -- -*`rsa.file.filename_dst`*:: +*`zeek.dns.RA`*:: + -- -This is used to capture name of the file targeted by the action +The Recursion Available bit in a response message indicates that the name +server supports recursive queries. -type: keyword + +type: boolean -- -*`rsa.file.filename_src`*:: +*`zeek.dns.answers`*:: + -- -This is used to capture name of the parent filename, the file which performed the action +The set of resource descriptions in the query answer. + type: keyword -- -*`rsa.file.filename_tmp`*:: +*`zeek.dns.TTLs`*:: + -- -type: keyword +The caching intervals of the associated RRs described by the answers field. + + +type: double -- -*`rsa.file.directory_dst`*:: +*`zeek.dns.rejected`*:: + -- -This key is used to capture the directory of the target process or file +Indicates whether the DNS query was rejected by the server. -type: keyword + +type: boolean -- -*`rsa.file.directory_src`*:: +*`zeek.dns.total_answers`*:: + -- -This key is used to capture the directory of the source process or file +The total number of resource records in the reply. -type: keyword + +type: integer -- -*`rsa.file.file_entropy`*:: +*`zeek.dns.total_replies`*:: + -- -This is used to capture entropy vale of a file +The total number of resource records in the reply message. -type: double + +type: integer -- -*`rsa.file.file_vendor`*:: +*`zeek.dns.saw_query`*:: + -- -This is used to capture Company name of file located in version_info +Whether the full DNS query has been seen. -type: keyword + +type: boolean -- -*`rsa.file.task_name`*:: +*`zeek.dns.saw_reply`*:: + -- -This is used to capture name of the task +Whether the full DNS reply has been seen. -type: keyword + +type: boolean -- +[float] +=== dpd -*`rsa.web.fqdn`*:: +Fields exported by the Zeek DPD log + + + +*`zeek.dpd.analyzer`*:: + -- -Fully Qualified Domain Names +The analyzer that generated the violation. + type: keyword -- -*`rsa.web.web_cookie`*:: +*`zeek.dpd.failure_reason`*:: + -- -This key is used to capture the Web cookies specifically. +The textual reason for the analysis failure. + type: keyword -- -*`rsa.web.alias_host`*:: +*`zeek.dpd.packet_segment`*:: + -- +(present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) +A chunk of the payload that most likely resulted in the protocol violation. + + type: keyword -- -*`rsa.web.reputation_num`*:: -+ --- -Reputation Number of an entity. Typically used for Web Domains +[float] +=== files -type: double +Fields exported by the Zeek Files log. --- -*`rsa.web.web_ref_domain`*:: + +*`zeek.files.fuid`*:: + -- -Web referer's domain +A file unique identifier. + type: keyword -- -*`rsa.web.web_ref_query`*:: +*`zeek.files.tx_host`*:: + -- -This key captures Web referer's query portion of the URL +The host that transferred the file. -type: keyword + +type: ip -- -*`rsa.web.remote_domain`*:: +*`zeek.files.rx_host`*:: + -- -type: keyword +The host that received the file. + + +type: ip -- -*`rsa.web.web_ref_page`*:: +*`zeek.files.session_ids`*:: + -- -This key captures Web referer's page information +The sessions that have this file. + type: keyword -- -*`rsa.web.web_ref_root`*:: +*`zeek.files.source`*:: + -- -Web referer's root URL path +An identification of the source of the file data. E.g. it may be a network protocol +over which it was transferred, or a local file path which was read, or some other +input source. + type: keyword -- -*`rsa.web.cn_asn_dst`*:: +*`zeek.files.depth`*:: + -- -type: keyword +A value to represent the depth of this file in relation to its source. In SMTP, it +is the depth of the MIME attachment on the message. In HTTP, it is the depth of the +request within the TCP connection. --- -*`rsa.web.cn_rpackets`*:: -+ --- -type: keyword +type: long -- -*`rsa.web.urlpage`*:: +*`zeek.files.analyzers`*:: + -- +A set of analysis types done during the file analysis. + + type: keyword -- -*`rsa.web.urlroot`*:: +*`zeek.files.mime_type`*:: + -- +Mime type of the file. + + type: keyword -- -*`rsa.web.p_url`*:: +*`zeek.files.filename`*:: + -- +Name of the file if available. + + type: keyword -- -*`rsa.web.p_user_agent`*:: +*`zeek.files.local_orig`*:: + -- -type: keyword +If the source of this file is a network connection, this field indicates if the data +originated from the local network or not. + + +type: boolean -- -*`rsa.web.p_web_cookie`*:: +*`zeek.files.is_orig`*:: + -- -type: keyword +If the source of this file is a network connection, this field indicates if the file is +being sent by the originator of the connection or the responder. + + +type: boolean -- -*`rsa.web.p_web_method`*:: +*`zeek.files.duration`*:: + -- -type: keyword +The duration the file was analyzed for. Not the duration of the session. + + +type: double -- -*`rsa.web.p_web_referer`*:: +*`zeek.files.seen_bytes`*:: + -- -type: keyword +Number of bytes provided to the file analysis engine for the file. + + +type: long -- -*`rsa.web.web_extension_tmp`*:: +*`zeek.files.total_bytes`*:: + -- -type: keyword +Total number of bytes that are supposed to comprise the full file. + + +type: long -- -*`rsa.web.web_page`*:: +*`zeek.files.missing_bytes`*:: + -- -type: keyword +The number of bytes in the file stream that were completely missed during the process +of analysis. --- +type: long -*`rsa.threat.threat_category`*:: +-- + +*`zeek.files.overflow_bytes`*:: + -- -This key captures Threat Name/Threat Category/Categorization of alert +The number of bytes in the file stream that were not delivered to stream file analyzers. +This could be overlapping bytes or bytes that couldn't be reassembled. -type: keyword + +type: long -- -*`rsa.threat.threat_desc`*:: +*`zeek.files.timedout`*:: + -- -This key is used to capture the threat description from the session directly or inferred +Whether the file analysis timed out at least once for the file. -type: keyword + +type: boolean -- -*`rsa.threat.alert`*:: +*`zeek.files.parent_fuid`*:: + -- -This key is used to capture name of the alert +Identifier associated with a container file from which this one was extracted as part of +the file analysis. + type: keyword -- -*`rsa.threat.threat_source`*:: +*`zeek.files.md5`*:: + -- -This key is used to capture source of the threat +An MD5 digest of the file contents. + type: keyword -- - -*`rsa.crypto.crypto`*:: +*`zeek.files.sha1`*:: + -- -This key is used to capture the Encryption Type or Encryption Key only +A SHA1 digest of the file contents. + type: keyword -- -*`rsa.crypto.cipher_src`*:: +*`zeek.files.sha256`*:: + -- -This key is for Source (Client) Cipher +A SHA256 digest of the file contents. + type: keyword -- -*`rsa.crypto.cert_subject`*:: +*`zeek.files.extracted`*:: + -- -This key is used to capture the Certificate organization only +Local filename of extracted file. + type: keyword -- -*`rsa.crypto.peer`*:: +*`zeek.files.extracted_cutoff`*:: + -- -This key is for Encryption peer's IP Address +Indicate whether the file being extracted was cut off hence not extracted completely. -type: keyword + +type: boolean -- -*`rsa.crypto.cipher_size_src`*:: +*`zeek.files.extracted_size`*:: + -- -This key captures Source (Client) Cipher Size +The number of bytes extracted to disk. + type: long -- -*`rsa.crypto.ike`*:: +*`zeek.files.entropy`*:: + -- -IKE negotiation phase. +The information density of the contents of the file. -type: keyword + +type: double -- -*`rsa.crypto.scheme`*:: +[float] +=== ftp + +Fields exported by the Zeek FTP log + + + +*`zeek.ftp.user`*:: + -- -This key captures the Encryption scheme used +User name for the current FTP session. + type: keyword -- -*`rsa.crypto.peer_id`*:: +*`zeek.ftp.password`*:: + -- -This key is for Encryption peer’s identity +Password for the current FTP session if captured. + type: keyword -- -*`rsa.crypto.sig_type`*:: +*`zeek.ftp.command`*:: + -- -This key captures the Signature Type +Command given by the client. + type: keyword -- -*`rsa.crypto.cert_issuer`*:: +*`zeek.ftp.arg`*:: + -- +Argument for the command if one is given. + + type: keyword -- -*`rsa.crypto.cert_host_name`*:: + +*`zeek.ftp.file.size`*:: + -- -Deprecated key defined only in table map. +Size of the file if the command indicates a file transfer. -type: keyword + +type: long -- -*`rsa.crypto.cert_error`*:: +*`zeek.ftp.file.mime_type`*:: + -- -This key captures the Certificate Error String +Sniffed mime type of file. + type: keyword -- -*`rsa.crypto.cipher_dst`*:: +*`zeek.ftp.file.fuid`*:: + -- -This key is for Destination (Server) Cipher +(present if base/protocols/ftp/files.bro is loaded) +File unique ID. + type: keyword -- -*`rsa.crypto.cipher_size_dst`*:: + +*`zeek.ftp.reply.code`*:: + -- -This key captures Destination (Server) Cipher Size +Reply code from the server in response to the command. -type: long + +type: integer -- -*`rsa.crypto.ssl_ver_src`*:: +*`zeek.ftp.reply.msg`*:: + -- -Deprecated, use version +Reply message from the server in response to the command. + type: keyword -- -*`rsa.crypto.d_certauth`*:: -+ --- -type: keyword +[float] +=== data_channel --- +Expected FTP data channel. -*`rsa.crypto.s_certauth`*:: -+ --- -type: keyword --- -*`rsa.crypto.ike_cookie1`*:: +*`zeek.ftp.data_channel.passive`*:: + -- -ID of the negotiation — sent for ISAKMP Phase One +Whether PASV mode is toggled for control channel. -type: keyword + +type: boolean -- -*`rsa.crypto.ike_cookie2`*:: +*`zeek.ftp.data_channel.originating_host`*:: + -- -ID of the negotiation — sent for ISAKMP Phase Two +The host that will be initiating the data connection. -type: keyword + +type: ip -- -*`rsa.crypto.cert_checksum`*:: +*`zeek.ftp.data_channel.response_host`*:: + -- -type: keyword +The host that will be accepting the data connection. + + +type: ip -- -*`rsa.crypto.cert_host_cat`*:: +*`zeek.ftp.data_channel.response_port`*:: + -- -This key is used for the hostname category value of a certificate +The port at which the acceptor is listening for the data connection. -type: keyword + +type: integer -- -*`rsa.crypto.cert_serial`*:: +*`zeek.ftp.cwd`*:: + -- -This key is used to capture the Certificate serial number only +Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. + type: keyword -- -*`rsa.crypto.cert_status`*:: +[float] +=== cmdarg + +Command that is currently waiting for a response. + + + +*`zeek.ftp.cmdarg.cmd`*:: + -- -This key captures Certificate validation status +Command. + type: keyword -- -*`rsa.crypto.ssl_ver_dst`*:: +*`zeek.ftp.cmdarg.arg`*:: + -- -Deprecated, use version +Argument for the command if one was given. + type: keyword -- -*`rsa.crypto.cert_keysize`*:: +*`zeek.ftp.cmdarg.seq`*:: + -- -type: keyword +Counter to track how many commands have been executed. + + +type: integer -- -*`rsa.crypto.cert_username`*:: +*`zeek.ftp.pending_commands`*:: + -- -type: keyword +Queue for commands that have been sent but not yet responded to are tracked here. + + +type: integer -- -*`rsa.crypto.https_insact`*:: +*`zeek.ftp.passive`*:: + -- -type: keyword +Indicates if the session is in active or passive mode. + + +type: boolean -- -*`rsa.crypto.https_valid`*:: +*`zeek.ftp.capture_password`*:: + -- -type: keyword +Determines if the password will be captured for this request. + + +type: boolean -- -*`rsa.crypto.cert_ca`*:: +*`zeek.ftp.last_auth_requested`*:: + -- -This key is used to capture the Certificate signing authority only +present if base/protocols/ftp/gridftp.bro is loaded. +Last authentication/security mechanism that was used. + type: keyword -- -*`rsa.crypto.cert_common`*:: +[float] +=== http + +Fields exported by the Zeek HTTP log + + + +*`zeek.http.trans_depth`*:: + -- -This key is used to capture the Certificate common name only +Represents the pipelined depth into the connection of this request/response transaction. -type: keyword --- +type: integer +-- -*`rsa.wireless.wlan_ssid`*:: +*`zeek.http.status_msg`*:: + -- -This key is used to capture the ssid of a Wireless Session +Status message returned by the server. + type: keyword -- -*`rsa.wireless.access_point`*:: +*`zeek.http.info_code`*:: + -- -This key is used to capture the access point name. +Last seen 1xx informational reply code returned by the server. -type: keyword + +type: integer -- -*`rsa.wireless.wlan_channel`*:: +*`zeek.http.info_msg`*:: + -- -This is used to capture the channel names +Last seen 1xx informational reply message returned by the server. -type: long + +type: keyword -- -*`rsa.wireless.wlan_name`*:: +*`zeek.http.tags`*:: + -- -This key captures either WLAN number/name +A set of indicators of various attributes discovered and related to a particular +request/response pair. + type: keyword -- - -*`rsa.storage.disk_volume`*:: +*`zeek.http.password`*:: + -- -A unique name assigned to logical units (volumes) within a physical disk +Password if basic-auth is performed for the request. + type: keyword -- -*`rsa.storage.lun`*:: +*`zeek.http.captured_password`*:: + -- -Logical Unit Number.This key is a very useful concept in Storage. +Determines if the password will be captured for this request. -type: keyword + +type: boolean -- -*`rsa.storage.pwwn`*:: +*`zeek.http.proxied`*:: + -- -This uniquely identifies a port on a HBA. +All of the headers that may indicate if the HTTP request was proxied. + type: keyword -- - -*`rsa.physical.org_dst`*:: +*`zeek.http.range_request`*:: + -- -This is used to capture the destination organization based on the GEOPIP Maxmind database. +Indicates if this request can assume 206 partial content in response. -type: keyword + +type: boolean -- -*`rsa.physical.org_src`*:: +*`zeek.http.client_header_names`*:: + -- -This is used to capture the source organization based on the GEOPIP Maxmind database. +The vector of HTTP header names sent by the client. No header values +are included here, just the header names. + type: keyword -- - -*`rsa.healthcare.patient_fname`*:: +*`zeek.http.server_header_names`*:: + -- -This key is for First Names only, this is used for Healthcare predominantly to capture Patients information +The vector of HTTP header names sent by the server. No header values +are included here, just the header names. + type: keyword -- -*`rsa.healthcare.patient_id`*:: +*`zeek.http.orig_fuids`*:: + -- -This key captures the unique ID for a patient +An ordered vector of file unique IDs from the originator. + type: keyword -- -*`rsa.healthcare.patient_lname`*:: +*`zeek.http.orig_mime_types`*:: + -- -This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information +An ordered vector of mime types from the originator. + type: keyword -- -*`rsa.healthcare.patient_mname`*:: +*`zeek.http.orig_filenames`*:: + -- -This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information +An ordered vector of filenames from the originator. + type: keyword -- - -*`rsa.endpoint.host_state`*:: +*`zeek.http.resp_fuids`*:: + -- -This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on +An ordered vector of file unique IDs from the responder. + type: keyword -- -*`rsa.endpoint.registry_key`*:: +*`zeek.http.resp_mime_types`*:: + -- -This key captures the path to the registry key +An ordered vector of mime types from the responder. + type: keyword -- -*`rsa.endpoint.registry_value`*:: +*`zeek.http.resp_filenames`*:: + -- -This key captures values or decorators used within a registry entry +An ordered vector of filenames from the responder. + type: keyword -- -[[exported-fields-traefik]] -== Traefik fields +*`zeek.http.orig_mime_depth`*:: ++ +-- +Current number of MIME entities in the HTTP request message body. -Module for parsing the Traefik log files. +type: integer +-- -[float] -=== traefik +*`zeek.http.resp_mime_depth`*:: ++ +-- +Current number of MIME entities in the HTTP response message body. -Fields from the Traefik log files. +type: integer +-- [float] -=== access +=== intel -Contains fields for the Traefik access logs. +Fields exported by the Zeek Intel log. -*`traefik.access.user_identifier`*:: + +*`zeek.intel.seen.indicator`*:: + -- -Is the RFC 1413 identity of the client +The intelligence indicator. type: keyword -- -*`traefik.access.request_count`*:: +*`zeek.intel.seen.indicator_type`*:: + -- -The number of requests +The type of data the indicator represents. -type: long +type: keyword -- -*`traefik.access.frontend_name`*:: +*`zeek.intel.seen.host`*:: + -- -The name of the frontend used +If the indicator type was Intel::ADDR, then this field will be present. type: keyword -- -*`traefik.access.backend_url`*:: +*`zeek.intel.seen.conn`*:: + -- -The url of the backend where request is forwarded +If the data was discovered within a connection, the connection record should go here to give context to the data. + type: keyword -- -*`traefik.access.body_sent.bytes`*:: +*`zeek.intel.seen.where`*:: + -- -type: alias +Where the data was discovered. -alias to: http.response.body.bytes + +type: keyword -- -*`traefik.access.remote_ip`*:: +*`zeek.intel.seen.node`*:: + -- -type: alias +The name of the node where the match was discovered. -alias to: source.address + +type: keyword -- -*`traefik.access.user_name`*:: +*`zeek.intel.seen.uid`*:: + -- -type: alias +If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out. -alias to: user.name + +type: keyword -- -*`traefik.access.method`*:: +*`zeek.intel.seen.f`*:: + -- -type: alias +If the data was discovered within a file, the file record should go here to provide context to the data. -alias to: http.request.method + +type: object -- -*`traefik.access.url`*:: +*`zeek.intel.seen.fuid`*:: + -- -type: alias +If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out. -alias to: url.original + +type: keyword -- -*`traefik.access.http_version`*:: +*`zeek.intel.matched`*:: + -- -type: alias +Event to represent a match in the intelligence data from data that was seen. -alias to: http.version + +type: keyword -- -*`traefik.access.response_code`*:: +*`zeek.intel.sources`*:: + -- -type: alias +Sources which supplied data for this match. -alias to: http.response.status_code + +type: keyword -- -*`traefik.access.referrer`*:: +*`zeek.intel.fuid`*:: + -- -type: alias +If a file was associated with this intelligence hit, this is the uid for the file. -alias to: http.request.referrer + +type: keyword -- -*`traefik.access.agent`*:: +*`zeek.intel.file_mime_type`*:: + -- -type: alias +A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out. -alias to: user_agent.original --- +type: keyword +-- -*`traefik.access.user_agent.device`*:: +*`zeek.intel.file_desc`*:: + -- -type: alias +Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out. -alias to: user_agent.device.name --- +type: keyword -*`traefik.access.user_agent.name`*:: -+ -- -type: alias -alias to: user_agent.name +[float] +=== irc --- +Fields exported by the Zeek IRC log -*`traefik.access.user_agent.os`*:: + + +*`zeek.irc.nick`*:: + -- -type: alias +Nickname given for the connection. -alias to: user_agent.os.full_name + +type: keyword -- -*`traefik.access.user_agent.os_name`*:: +*`zeek.irc.user`*:: + -- -type: alias +Username given for the connection. -alias to: user_agent.os.name + +type: keyword -- -*`traefik.access.user_agent.original`*:: +*`zeek.irc.command`*:: + -- -type: alias +Command given by the client. -alias to: user_agent.original --- +type: keyword +-- -*`traefik.access.geoip.continent_name`*:: +*`zeek.irc.value`*:: + -- -type: alias +Value for the command given by the client. -alias to: source.geo.continent_name + +type: keyword -- -*`traefik.access.geoip.country_iso_code`*:: +*`zeek.irc.addl`*:: + -- -type: alias +Any additional data for the command. -alias to: source.geo.country_iso_code --- +type: keyword -*`traefik.access.geoip.location`*:: -+ -- -type: alias -alias to: source.geo.location --- -*`traefik.access.geoip.region_name`*:: +*`zeek.irc.dcc.file.name`*:: + -- -type: alias +Present if base/protocols/irc/dcc-send.bro is loaded. +DCC filename requested. -alias to: source.geo.region_name + +type: keyword -- -*`traefik.access.geoip.city_name`*:: +*`zeek.irc.dcc.file.size`*:: + -- -type: alias +Present if base/protocols/irc/dcc-send.bro is loaded. +Size of the DCC transfer as indicated by the sender. -alias to: source.geo.city_name + +type: long -- -*`traefik.access.geoip.region_iso_code`*:: +*`zeek.irc.dcc.mime_type`*:: + -- -type: alias +present if base/protocols/irc/dcc-send.bro is loaded. +Sniffed mime type of the file. -alias to: source.geo.region_iso_code + +type: keyword -- -[[exported-fields-zeek]] -== Zeek fields +*`zeek.irc.fuid`*:: ++ +-- +present if base/protocols/irc/files.bro is loaded. +File unique ID. -Module for handling logs produced by Zeek/Bro +type: keyword +-- [float] -=== zeek +=== kerberos -Fields from Zeek/Bro logs after normalization +Fields exported by the Zeek Kerberos log -*`zeek.session_id`*:: +*`zeek.kerberos.request_type`*:: + -- -A unique identifier of the session +Request type - Authentication Service (AS) or Ticket Granting Service (TGS). type: keyword -- -[float] -=== capture_loss - -Fields exported by the Zeek capture_loss log - - - -*`zeek.capture_loss.ts_delta`*:: +*`zeek.kerberos.client`*:: + -- -The time delay between this measurement and the last. +Client name. -type: integer +type: keyword -- -*`zeek.capture_loss.peer`*:: +*`zeek.kerberos.service`*:: + -- -In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name. +Service name. type: keyword -- -*`zeek.capture_loss.gaps`*:: +*`zeek.kerberos.success`*:: + -- -Number of missed ACKs from the previous measurement interval. +Request result. -type: integer +type: boolean -- -*`zeek.capture_loss.acks`*:: + +*`zeek.kerberos.error.code`*:: + -- -Total number of ACKs seen in the previous measurement interval. +Error code. type: integer -- -*`zeek.capture_loss.percent_lost`*:: +*`zeek.kerberos.error.msg`*:: + -- -Percentage of ACKs seen where the data being ACKed wasn't seen. +Error message. -type: double +type: keyword -- -[float] -=== connection - -Fields exported by the Zeek Connection log - - -*`zeek.connection.local_orig`*:: +*`zeek.kerberos.valid.from`*:: + -- -Indicates whether the session is originated locally. +Ticket valid from. -type: boolean +type: date -- -*`zeek.connection.local_resp`*:: +*`zeek.kerberos.valid.until`*:: + -- -Indicates whether the session is responded locally. +Ticket valid until. -type: boolean +type: date -- -*`zeek.connection.missed_bytes`*:: +*`zeek.kerberos.valid.days`*:: + -- -Missed bytes for the session. +Number of days the ticket is valid for. -type: long +type: integer -- -*`zeek.connection.state`*:: +*`zeek.kerberos.cipher`*:: + -- -Code indicating the state of the session. +Ticket encryption type. type: keyword -- -*`zeek.connection.state_message`*:: +*`zeek.kerberos.forwardable`*:: + -- -The state of the session. +Forwardable ticket requested. -type: keyword +type: boolean -- - -*`zeek.connection.icmp.type`*:: +*`zeek.kerberos.renewable`*:: + -- -ICMP message type. +Renewable ticket requested. -type: integer +type: boolean -- -*`zeek.connection.icmp.code`*:: + +*`zeek.kerberos.ticket.auth`*:: + -- -ICMP message code. +Hash of ticket used to authorize request/transaction. -type: integer +type: keyword -- -*`zeek.connection.history`*:: +*`zeek.kerberos.ticket.new`*:: + -- -Flags indicating the history of the session. +Hash of ticket returned by the KDC. type: keyword -- -*`zeek.connection.vlan`*:: -+ --- -VLAN identifier. -type: integer - --- - -*`zeek.connection.inner_vlan`*:: +*`zeek.kerberos.cert.client.value`*:: + -- -VLAN identifier. +Client certificate. -type: integer +type: keyword -- -[float] -=== dce_rpc - -Fields exported by the Zeek DCE_RPC log - - - -*`zeek.dce_rpc.rtt`*:: +*`zeek.kerberos.cert.client.fuid`*:: + -- -Round trip time from the request to the response. If either the request or response wasn't seen, this will be null. +File unique ID of client cert. -type: integer +type: keyword -- -*`zeek.dce_rpc.named_pipe`*:: +*`zeek.kerberos.cert.client.subject`*:: + -- -Remote pipe name. +Subject of client certificate. type: keyword -- -*`zeek.dce_rpc.endpoint`*:: + +*`zeek.kerberos.cert.server.value`*:: + -- -Endpoint name looked up from the uuid. +Server certificate. type: keyword -- -*`zeek.dce_rpc.operation`*:: +*`zeek.kerberos.cert.server.fuid`*:: + -- -Operation seen in the call. +File unique ID of server certificate. type: keyword -- -[float] -=== dhcp - -Fields exported by the Zeek DHCP log - - - -*`zeek.dhcp.domain`*:: +*`zeek.kerberos.cert.server.subject`*:: + -- -Domain given by the server in option 15. +Subject of server certificate. type: keyword -- -*`zeek.dhcp.duration`*:: -+ --- -Duration of the DHCP session representing the time from the first -message to the last, in seconds. +[float] +=== modbus +Fields exported by the Zeek modbus log. -type: double --- -*`zeek.dhcp.hostname`*:: +*`zeek.modbus.function`*:: + -- -Name given by client in Hostname option 12. +The name of the function message that was sent. type: keyword -- -*`zeek.dhcp.client_fqdn`*:: +*`zeek.modbus.exception`*:: + -- -FQDN given by client in Client FQDN option 81. +The exception if the response was a failure. type: keyword -- -*`zeek.dhcp.lease_time`*:: +*`zeek.modbus.track_address`*:: + -- -IP address lease interval in seconds. +Present if policy/protocols/modbus/track-memmap.bro is loaded. +Modbus track address. type: integer @@ -139170,1154 +156913,1069 @@ type: integer -- [float] -=== address - -Addresses seen in this DHCP exchange. - - - -*`zeek.dhcp.address.assigned`*:: -+ --- -IP address assigned by the server. +=== mysql +Fields exported by the Zeek MySQL log. -type: ip --- -*`zeek.dhcp.address.client`*:: +*`zeek.mysql.cmd`*:: + -- -IP address of the client. If a transaction is only a client sending -INFORM messages then there is no lease information exchanged so this -is helpful to know who sent the messages. Getting an address in this -field does require that the client sources at least one DHCP message -using a non-broadcast address. +The command that was issued. -type: ip +type: keyword -- -*`zeek.dhcp.address.mac`*:: +*`zeek.mysql.arg`*:: + -- -Client's hardware address. +The argument issued to the command. type: keyword -- -*`zeek.dhcp.address.requested`*:: +*`zeek.mysql.success`*:: + -- -IP address requested by the client. +Whether the command succeeded. -type: ip +type: boolean -- -*`zeek.dhcp.address.server`*:: +*`zeek.mysql.rows`*:: + -- -IP address of the DHCP server. +The number of affected rows, if any. -type: ip +type: integer -- - -*`zeek.dhcp.msg.types`*:: +*`zeek.mysql.response`*:: + -- -List of DHCP message types seen in this exchange. +Server message, if any. type: keyword -- -*`zeek.dhcp.msg.origin`*:: -+ --- -(present if policy/protocols/dhcp/msg-orig.bro is loaded) -The address that originated each message from the msg.types field. +[float] +=== notice +Fields exported by the Zeek Notice log. -type: ip --- -*`zeek.dhcp.msg.client`*:: +*`zeek.notice.connection_id`*:: + -- -Message typically accompanied with a DHCP_DECLINE so the client can -tell the server why it rejected an address. +Identifier of the related connection session. type: keyword -- -*`zeek.dhcp.msg.server`*:: +*`zeek.notice.icmp_id`*:: + -- -Message typically accompanied with a DHCP_NAK to let the client know -why it rejected the request. +Identifier of the related ICMP session. type: keyword -- - -*`zeek.dhcp.software.client`*:: +*`zeek.notice.file.id`*:: + -- -(present if policy/protocols/dhcp/software.bro is loaded) -Software reported by the client in the vendor_class option. +An identifier associated with a single file that is related to this notice. type: keyword -- -*`zeek.dhcp.software.server`*:: +*`zeek.notice.file.parent_id`*:: + -- -(present if policy/protocols/dhcp/software.bro is loaded) -Software reported by the client in the vendor_class option. +Identifier associated with a container file from which this one was extracted. type: keyword -- - -*`zeek.dhcp.id.circuit`*:: +*`zeek.notice.file.source`*:: + -- -(present if policy/protocols/dhcp/sub-opts.bro is loaded) -Added by DHCP relay agents which terminate switched or permanent -circuits. It encodes an agent-local identifier of the circuit from -which a DHCP client-to-server packet was received. Typically it -should represent a router or switch interface number. +An identification of the source of the file data. E.g. it may be a network protocol +over which it was transferred, or a local file path which was read, or some other +input source. type: keyword -- -*`zeek.dhcp.id.remote_agent`*:: +*`zeek.notice.file.mime_type`*:: + -- -(present if policy/protocols/dhcp/sub-opts.bro is loaded) -A globally unique identifier added by relay agents to identify the -remote host end of the circuit. +A mime type if the notice is related to a file. type: keyword -- -*`zeek.dhcp.id.subscriber`*:: +*`zeek.notice.file.is_orig`*:: + -- -(present if policy/protocols/dhcp/sub-opts.bro is loaded) -The subscriber ID is a value independent of the physical network -configuration so that a customer's DHCP configuration can be given -to them correctly no matter where they are physically connected. +If the source of this file is a network connection, this field indicates if the file is +being sent by the originator of the connection or the responder. -type: keyword +type: boolean -- -[float] -=== dnp3 - -Fields exported by the Zeek DNP3 log +*`zeek.notice.file.seen_bytes`*:: ++ +-- +Number of bytes provided to the file analysis engine for the file. +type: long +-- -*`zeek.dnp3.function.request`*:: +*`zeek.notice.ffile.total_bytes`*:: + -- -The name of the function message in the request. +Total number of bytes that are supposed to comprise the full file. -type: keyword +type: long -- -*`zeek.dnp3.function.reply`*:: +*`zeek.notice.file.missing_bytes`*:: + -- -The name of the function message in the reply. +The number of bytes in the file stream that were completely missed during the process +of analysis. -type: keyword +type: long -- -*`zeek.dnp3.id`*:: +*`zeek.notice.file.overflow_bytes`*:: + -- -The response's internal indication number. +The number of bytes in the file stream that were not delivered to stream file analyzers. +This could be overlapping bytes or bytes that couldn't be reassembled. -type: integer +type: long -- -[float] -=== dns +*`zeek.notice.fuid`*:: ++ +-- +A file unique ID if this notice is related to a file. -Fields exported by the Zeek DNS log +type: keyword +-- -*`zeek.dns.trans_id`*:: +*`zeek.notice.note`*:: + -- -DNS transaction identifier. +The type of the notice. type: keyword -- -*`zeek.dns.rtt`*:: +*`zeek.notice.msg`*:: + -- -Round trip time for the query and response. +The human readable message for the notice. -type: double +type: keyword -- -*`zeek.dns.query`*:: +*`zeek.notice.sub`*:: + -- -The domain name that is the subject of the DNS query. +The human readable sub-message. type: keyword -- -*`zeek.dns.qclass`*:: +*`zeek.notice.n`*:: + -- -The QCLASS value specifying the class of the query. +Associated count, or a status code. type: long -- -*`zeek.dns.qclass_name`*:: +*`zeek.notice.peer_name`*:: + -- -A descriptive name for the class of the query. +Name of remote peer that raised this notice. type: keyword -- -*`zeek.dns.qtype`*:: +*`zeek.notice.peer_descr`*:: + -- -A QTYPE value specifying the type of the query. +Textual description for the peer that raised this notice. -type: long +type: text -- -*`zeek.dns.qtype_name`*:: +*`zeek.notice.actions`*:: + -- -A descriptive name for the type of the query. +The actions which have been applied to this notice. type: keyword -- -*`zeek.dns.rcode`*:: +*`zeek.notice.email_body_sections`*:: + -- -The response code value in DNS response messages. +By adding chunks of text into this element, other scripts can expand on notices +that are being emailed. -type: long +type: text -- -*`zeek.dns.rcode_name`*:: +*`zeek.notice.email_delay_tokens`*:: + -- -A descriptive name for the response code value. +Adding a string token to this set will cause the built-in emailing functionality +to delay sending the email either the token has been removed or the email +has been delayed for the specified time duration. type: keyword -- -*`zeek.dns.AA`*:: +*`zeek.notice.identifier`*:: + -- -The Authoritative Answer bit for response messages specifies that the responding -name server is an authority for the domain name in the question section. +This field is provided when a notice is generated for the purpose of deduplicating notices. -type: boolean +type: keyword -- -*`zeek.dns.TC`*:: +*`zeek.notice.suppress_for`*:: + -- -The Truncation bit specifies that the message was truncated. +This field indicates the length of time that this unique notice should be suppressed. -type: boolean +type: double -- -*`zeek.dns.RD`*:: +*`zeek.notice.dropped`*:: + -- -The Recursion Desired bit in a request message indicates that the client -wants recursive service for this query. +Indicate if the source IP address was dropped and denied network access. type: boolean -- -*`zeek.dns.RA`*:: -+ --- -The Recursion Available bit in a response message indicates that the name -server supports recursive queries. +[float] +=== ntlm +Fields exported by the Zeek NTLM log. -type: boolean --- -*`zeek.dns.answers`*:: +*`zeek.ntlm.domain`*:: + -- -The set of resource descriptions in the query answer. +Domain name given by the client. type: keyword -- -*`zeek.dns.TTLs`*:: +*`zeek.ntlm.hostname`*:: + -- -The caching intervals of the associated RRs described by the answers field. +Hostname given by the client. -type: double +type: keyword -- -*`zeek.dns.rejected`*:: +*`zeek.ntlm.success`*:: + -- -Indicates whether the DNS query was rejected by the server. +Indicate whether or not the authentication was successful. type: boolean -- -*`zeek.dns.total_answers`*:: +*`zeek.ntlm.username`*:: + -- -The total number of resource records in the reply. +Username given by the client. -type: integer +type: keyword -- -*`zeek.dns.total_replies`*:: + + +*`zeek.ntlm.server.name.dns`*:: + -- -The total number of resource records in the reply message. +DNS name given by the server in a CHALLENGE. -type: integer +type: keyword -- -*`zeek.dns.saw_query`*:: +*`zeek.ntlm.server.name.netbios`*:: + -- -Whether the full DNS query has been seen. +NetBIOS name given by the server in a CHALLENGE. -type: boolean +type: keyword -- -*`zeek.dns.saw_reply`*:: +*`zeek.ntlm.server.name.tree`*:: + -- -Whether the full DNS reply has been seen. +Tree name given by the server in a CHALLENGE. -type: boolean +type: keyword -- [float] -=== dpd +=== ocsp -Fields exported by the Zeek DPD log +Fields exported by the Zeek OCSP log +Online Certificate Status Protocol (OCSP). Only created if policy script is loaded. -*`zeek.dpd.analyzer`*:: +*`zeek.ocsp.file_id`*:: + -- -The analyzer that generated the violation. +File id of the OCSP reply. type: keyword -- -*`zeek.dpd.failure_reason`*:: + +*`zeek.ocsp.hash.algorithm`*:: + -- -The textual reason for the analysis failure. +Hash algorithm used to generate issuerNameHash and issuerKeyHash. type: keyword -- -*`zeek.dpd.packet_segment`*:: + +*`zeek.ocsp.hash.issuer.name`*:: + -- -(present if policy/frameworks/dpd/packet-segment-logging.bro is loaded) -A chunk of the payload that most likely resulted in the protocol violation. +Hash of the issuer's distingueshed name. type: keyword -- -[float] -=== files - -Fields exported by the Zeek Files log. - - - -*`zeek.files.fuid`*:: +*`zeek.ocsp.hash.issuer.key`*:: + -- -A file unique identifier. +Hash of the issuer's public key. type: keyword -- -*`zeek.files.tx_host`*:: +*`zeek.ocsp.serial_number`*:: + -- -The host that transferred the file. +Serial number of the affected certificate. -type: ip +type: keyword -- -*`zeek.files.rx_host`*:: +*`zeek.ocsp.status`*:: + -- -The host that received the file. +Status of the affected certificate. -type: ip +type: keyword -- -*`zeek.files.session_ids`*:: + +*`zeek.ocsp.revoke.time`*:: + -- -The sessions that have this file. +Time at which the certificate was revoked. -type: keyword +type: date -- -*`zeek.files.source`*:: +*`zeek.ocsp.revoke.reason`*:: + -- -An identification of the source of the file data. E.g. it may be a network protocol -over which it was transferred, or a local file path which was read, or some other -input source. +Reason for which the certificate was revoked. type: keyword -- -*`zeek.files.depth`*:: + +*`zeek.ocsp.update.this`*:: + -- -A value to represent the depth of this file in relation to its source. In SMTP, it -is the depth of the MIME attachment on the message. In HTTP, it is the depth of the -request within the TCP connection. +The time at which the status being shows is known to have been correct. -type: long +type: date -- -*`zeek.files.analyzers`*:: +*`zeek.ocsp.update.next`*:: + -- -A set of analysis types done during the file analysis. +The latest time at which new information about the status of the certificate will be available. -type: keyword +type: date -- -*`zeek.files.mime_type`*:: -+ --- -Mime type of the file. +[float] +=== pe +Fields exported by the Zeek pe log. -type: keyword --- -*`zeek.files.filename`*:: +*`zeek.pe.client`*:: + -- -Name of the file if available. +The client's version string. type: keyword -- -*`zeek.files.local_orig`*:: +*`zeek.pe.id`*:: + -- -If the source of this file is a network connection, this field indicates if the data -originated from the local network or not. +File id of this portable executable file. -type: boolean +type: keyword -- -*`zeek.files.is_orig`*:: +*`zeek.pe.machine`*:: + -- -If the source of this file is a network connection, this field indicates if the file is -being sent by the originator of the connection or the responder. +The target machine that the file was compiled for. -type: boolean +type: keyword -- -*`zeek.files.duration`*:: +*`zeek.pe.compile_time`*:: + -- -The duration the file was analyzed for. Not the duration of the session. +The time that the file was created at. -type: double +type: date -- -*`zeek.files.seen_bytes`*:: +*`zeek.pe.os`*:: + -- -Number of bytes provided to the file analysis engine for the file. +The required operating system. -type: long +type: keyword -- -*`zeek.files.total_bytes`*:: +*`zeek.pe.subsystem`*:: + -- -Total number of bytes that are supposed to comprise the full file. +The subsystem that is required to run this file. -type: long +type: keyword -- -*`zeek.files.missing_bytes`*:: +*`zeek.pe.is_exe`*:: + -- -The number of bytes in the file stream that were completely missed during the process -of analysis. +Is the file an executable, or just an object file? -type: long +type: boolean -- -*`zeek.files.overflow_bytes`*:: +*`zeek.pe.is_64bit`*:: + -- -The number of bytes in the file stream that were not delivered to stream file analyzers. -This could be overlapping bytes or bytes that couldn't be reassembled. +Is the file a 64-bit executable? -type: long +type: boolean -- -*`zeek.files.timedout`*:: +*`zeek.pe.uses_aslr`*:: + -- -Whether the file analysis timed out at least once for the file. +Does the file support Address Space Layout Randomization? type: boolean -- -*`zeek.files.parent_fuid`*:: +*`zeek.pe.uses_dep`*:: + -- -Identifier associated with a container file from which this one was extracted as part of -the file analysis. +Does the file support Data Execution Prevention? -type: keyword +type: boolean -- -*`zeek.files.md5`*:: +*`zeek.pe.uses_code_integrity`*:: + -- -An MD5 digest of the file contents. +Does the file enforce code integrity checks? -type: keyword +type: boolean -- -*`zeek.files.sha1`*:: +*`zeek.pe.uses_seh`*:: + -- -A SHA1 digest of the file contents. +Does the file use structured exception handing? -type: keyword +type: boolean -- -*`zeek.files.sha256`*:: +*`zeek.pe.has_import_table`*:: + -- -A SHA256 digest of the file contents. +Does the file have an import table? -type: keyword +type: boolean -- -*`zeek.files.extracted`*:: +*`zeek.pe.has_export_table`*:: + -- -Local filename of extracted file. +Does the file have an export table? -type: keyword +type: boolean -- -*`zeek.files.extracted_cutoff`*:: +*`zeek.pe.has_cert_table`*:: + -- -Indicate whether the file being extracted was cut off hence not extracted completely. +Does the file have an attribute certificate table? type: boolean -- -*`zeek.files.extracted_size`*:: +*`zeek.pe.has_debug_data`*:: + -- -The number of bytes extracted to disk. +Does the file have a debug table? -type: long +type: boolean -- -*`zeek.files.entropy`*:: +*`zeek.pe.section_names`*:: + -- -The information density of the contents of the file. +The names of the sections, in order. -type: double +type: keyword -- [float] -=== ftp +=== radius -Fields exported by the Zeek FTP log +Fields exported by the Zeek Radius log. -*`zeek.ftp.user`*:: +*`zeek.radius.username`*:: + -- -User name for the current FTP session. +The username, if present. type: keyword -- -*`zeek.ftp.password`*:: +*`zeek.radius.mac`*:: + -- -Password for the current FTP session if captured. +MAC address, if present. type: keyword -- -*`zeek.ftp.command`*:: +*`zeek.radius.framed_addr`*:: + -- -Command given by the client. +The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address. -type: keyword +type: ip -- -*`zeek.ftp.arg`*:: +*`zeek.radius.remote_ip`*:: + -- -Argument for the command if one is given. +Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute. -type: keyword +type: ip -- - -*`zeek.ftp.file.size`*:: +*`zeek.radius.connect_info`*:: + -- -Size of the file if the command indicates a file transfer. +Connect info, if present. -type: long +type: keyword -- -*`zeek.ftp.file.mime_type`*:: +*`zeek.radius.reply_msg`*:: + -- -Sniffed mime type of file. +Reply message from the server challenge. This is frequently shown to the user authenticating. type: keyword -- -*`zeek.ftp.file.fuid`*:: +*`zeek.radius.result`*:: + -- -(present if base/protocols/ftp/files.bro is loaded) -File unique ID. +Successful or failed authentication. type: keyword -- - -*`zeek.ftp.reply.code`*:: +*`zeek.radius.ttl`*:: + -- -Reply code from the server in response to the command. +The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen. type: integer -- -*`zeek.ftp.reply.msg`*:: +*`zeek.radius.logged`*:: + -- -Reply message from the server in response to the command. +Whether this has already been logged and can be ignored. -type: keyword +type: boolean -- [float] -=== data_channel - -Expected FTP data channel. - - - -*`zeek.ftp.data_channel.passive`*:: -+ --- -Whether PASV mode is toggled for control channel. +=== rdp +Fields exported by the Zeek RDP log. -type: boolean --- -*`zeek.ftp.data_channel.originating_host`*:: +*`zeek.rdp.cookie`*:: + -- -The host that will be initiating the data connection. +Cookie value used by the client machine. This is typically a username. -type: ip +type: keyword -- -*`zeek.ftp.data_channel.response_host`*:: +*`zeek.rdp.result`*:: + -- -The host that will be accepting the data connection. +Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages. -type: ip +type: keyword -- -*`zeek.ftp.data_channel.response_port`*:: +*`zeek.rdp.security_protocol`*:: + -- -The port at which the acceptor is listening for the data connection. +Security protocol chosen by the server. -type: integer +type: keyword -- -*`zeek.ftp.cwd`*:: +*`zeek.rdp.keyboard_layout`*:: + -- -Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. +Keyboard layout (language) of the client machine. type: keyword -- -[float] -=== cmdarg - -Command that is currently waiting for a response. - - -*`zeek.ftp.cmdarg.cmd`*:: +*`zeek.rdp.client.build`*:: + -- -Command. +RDP client version used by the client machine. type: keyword -- -*`zeek.ftp.cmdarg.arg`*:: +*`zeek.rdp.client.client_name`*:: + -- -Argument for the command if one was given. +Name of the client machine. type: keyword -- -*`zeek.ftp.cmdarg.seq`*:: -+ --- -Counter to track how many commands have been executed. - - -type: integer - --- - -*`zeek.ftp.pending_commands`*:: +*`zeek.rdp.client.product_id`*:: + -- -Queue for commands that have been sent but not yet responded to are tracked here. - +Product ID of the client machine. -type: integer --- +type: keyword -*`zeek.ftp.passive`*:: -+ -- -Indicates if the session is in active or passive mode. -type: boolean - --- - -*`zeek.ftp.capture_password`*:: +*`zeek.rdp.desktop.width`*:: + -- -Determines if the password will be captured for this request. +Desktop width of the client machine. -type: boolean +type: integer -- -*`zeek.ftp.last_auth_requested`*:: +*`zeek.rdp.desktop.height`*:: + -- -present if base/protocols/ftp/gridftp.bro is loaded. -Last authentication/security mechanism that was used. +Desktop height of the client machine. -type: keyword +type: integer -- -[float] -=== http - -Fields exported by the Zeek HTTP log - - - -*`zeek.http.trans_depth`*:: +*`zeek.rdp.desktop.color_depth`*:: + -- -Represents the pipelined depth into the connection of this request/response transaction. +The color depth requested by the client in the high_color_depth field. -type: integer +type: keyword -- -*`zeek.http.status_msg`*:: + +*`zeek.rdp.cert.type`*:: + -- -Status message returned by the server. +If the connection is being encrypted with native RDP encryption, this is the type of cert being used. type: keyword -- -*`zeek.http.info_code`*:: +*`zeek.rdp.cert.count`*:: + -- -Last seen 1xx informational reply code returned by the server. +The number of certs seen. X.509 can transfer an entire certificate chain. type: integer -- -*`zeek.http.info_msg`*:: +*`zeek.rdp.cert.permanent`*:: + -- -Last seen 1xx informational reply message returned by the server. +Indicates if the provided certificate or certificate chain is permanent or temporary. -type: keyword +type: boolean -- -*`zeek.http.tags`*:: + +*`zeek.rdp.encryption.level`*:: + -- -A set of indicators of various attributes discovered and related to a particular -request/response pair. +Encryption level of the connection. type: keyword -- -*`zeek.http.password`*:: +*`zeek.rdp.encryption.method`*:: + -- -Password if basic-auth is performed for the request. +Encryption method of the connection. type: keyword -- -*`zeek.http.captured_password`*:: +*`zeek.rdp.done`*:: + -- -Determines if the password will be captured for this request. +Track status of logging RDP connections. type: boolean -- -*`zeek.http.proxied`*:: +*`zeek.rdp.ssl`*:: + -- -All of the headers that may indicate if the HTTP request was proxied. +(present if policy/protocols/rdp/indicate_ssl.bro is loaded) +Flag the connection if it was seen over SSL. -type: keyword +type: boolean -- -*`zeek.http.range_request`*:: -+ --- -Indicates if this request can assume 206 partial content in response. +[float] +=== rfb +Fields exported by the Zeek RFB log. -type: boolean --- -*`zeek.http.client_header_names`*:: + + +*`zeek.rfb.version.client.major`*:: + -- -The vector of HTTP header names sent by the client. No header values -are included here, just the header names. +Major version of the client. type: keyword -- -*`zeek.http.server_header_names`*:: +*`zeek.rfb.version.client.minor`*:: + -- -The vector of HTTP header names sent by the server. No header values -are included here, just the header names. +Minor version of the client. type: keyword -- -*`zeek.http.orig_fuids`*:: + +*`zeek.rfb.version.server.major`*:: + -- -An ordered vector of file unique IDs from the originator. +Major version of the server. type: keyword -- -*`zeek.http.orig_mime_types`*:: +*`zeek.rfb.version.server.minor`*:: + -- -An ordered vector of mime types from the originator. +Minor version of the server. type: keyword -- -*`zeek.http.orig_filenames`*:: + +*`zeek.rfb.auth.success`*:: + -- -An ordered vector of filenames from the originator. +Whether or not authentication was successful. -type: keyword +type: boolean -- -*`zeek.http.resp_fuids`*:: +*`zeek.rfb.auth.method`*:: + -- -An ordered vector of file unique IDs from the responder. +Identifier of authentication method used. type: keyword -- -*`zeek.http.resp_mime_types`*:: +*`zeek.rfb.share_flag`*:: + -- -An ordered vector of mime types from the responder. +Whether the client has an exclusive or a shared session. -type: keyword +type: boolean -- -*`zeek.http.resp_filenames`*:: +*`zeek.rfb.desktop_name`*:: + -- -An ordered vector of filenames from the responder. +Name of the screen that is being shared. type: keyword -- -*`zeek.http.orig_mime_depth`*:: +*`zeek.rfb.width`*:: + -- -Current number of MIME entities in the HTTP request message body. +Width of the screen that is being shared. type: integer -- -*`zeek.http.resp_mime_depth`*:: +*`zeek.rfb.height`*:: + -- -Current number of MIME entities in the HTTP response message body. +Height of the screen that is being shared. type: integer @@ -140325,558 +157983,521 @@ type: integer -- [float] -=== intel - -Fields exported by the Zeek Intel log. +=== sip +Fields exported by the Zeek SIP log. -*`zeek.intel.seen.indicator`*:: +*`zeek.sip.transaction_depth`*:: + -- -The intelligence indicator. +Represents the pipelined depth into the connection of this request/response transaction. -type: keyword +type: integer -- -*`zeek.intel.seen.indicator_type`*:: + +*`zeek.sip.sequence.method`*:: + -- -The type of data the indicator represents. +Verb used in the SIP request (INVITE, REGISTER etc.). type: keyword -- -*`zeek.intel.seen.host`*:: +*`zeek.sip.sequence.number`*:: + -- -If the indicator type was Intel::ADDR, then this field will be present. +Contents of the CSeq: header from the client. type: keyword -- -*`zeek.intel.seen.conn`*:: +*`zeek.sip.uri`*:: + -- -If the data was discovered within a connection, the connection record should go here to give context to the data. +URI used in the request. type: keyword -- -*`zeek.intel.seen.where`*:: +*`zeek.sip.date`*:: + -- -Where the data was discovered. +Contents of the Date: header from the client. type: keyword -- -*`zeek.intel.seen.node`*:: + +*`zeek.sip.request.from`*:: + -- -The name of the node where the match was discovered. +Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. type: keyword -- -*`zeek.intel.seen.uid`*:: +*`zeek.sip.request.to`*:: + -- -If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out. +Contents of the To: header. type: keyword -- -*`zeek.intel.seen.f`*:: +*`zeek.sip.request.path`*:: + -- -If the data was discovered within a file, the file record should go here to provide context to the data. +The client message transmission path, as extracted from the headers. -type: object +type: keyword -- -*`zeek.intel.seen.fuid`*:: +*`zeek.sip.request.body_length`*:: + -- -If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out. +Contents of the Content-Length: header from the client. -type: keyword +type: long -- -*`zeek.intel.matched`*:: + +*`zeek.sip.response.from`*:: + -- -Event to represent a match in the intelligence data from data that was seen. +Contents of the response From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. type: keyword -- -*`zeek.intel.sources`*:: +*`zeek.sip.response.to`*:: + -- -Sources which supplied data for this match. +Contents of the response To: header. type: keyword -- -*`zeek.intel.fuid`*:: +*`zeek.sip.response.path`*:: + -- -If a file was associated with this intelligence hit, this is the uid for the file. +The server message transmission path, as extracted from the headers. type: keyword -- -*`zeek.intel.file_mime_type`*:: +*`zeek.sip.response.body_length`*:: + -- -A mime type if the intelligence hit is related to a file. If the $f field is provided this will be automatically filled out. +Contents of the Content-Length: header from the server. -type: keyword +type: long -- -*`zeek.intel.file_desc`*:: +*`zeek.sip.reply_to`*:: + -- -Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out. +Contents of the Reply-To: header. type: keyword -- -[float] -=== irc - -Fields exported by the Zeek IRC log - - - -*`zeek.irc.nick`*:: +*`zeek.sip.call_id`*:: + -- -Nickname given for the connection. +Contents of the Call-ID: header from the client. type: keyword -- -*`zeek.irc.user`*:: +*`zeek.sip.subject`*:: + -- -Username given for the connection. +Contents of the Subject: header from the client. type: keyword -- -*`zeek.irc.command`*:: +*`zeek.sip.user_agent`*:: + -- -Command given by the client. +Contents of the User-Agent: header from the client. type: keyword -- -*`zeek.irc.value`*:: + +*`zeek.sip.status.code`*:: + -- -Value for the command given by the client. +Status code returned by the server. -type: keyword +type: integer -- -*`zeek.irc.addl`*:: +*`zeek.sip.status.msg`*:: + -- -Any additional data for the command. +Status message returned by the server. type: keyword -- - - -*`zeek.irc.dcc.file.name`*:: +*`zeek.sip.warning`*:: + -- -Present if base/protocols/irc/dcc-send.bro is loaded. -DCC filename requested. +Contents of the Warning: header. type: keyword -- -*`zeek.irc.dcc.file.size`*:: +*`zeek.sip.content_type`*:: + -- -Present if base/protocols/irc/dcc-send.bro is loaded. -Size of the DCC transfer as indicated by the sender. +Contents of the Content-Type: header from the server. -type: long +type: keyword -- -*`zeek.irc.dcc.mime_type`*:: -+ --- -present if base/protocols/irc/dcc-send.bro is loaded. -Sniffed mime type of the file. +[float] +=== smb_cmd +Fields exported by the Zeek smb_cmd log. -type: keyword --- -*`zeek.irc.fuid`*:: +*`zeek.smb_cmd.command`*:: + -- -present if base/protocols/irc/files.bro is loaded. -File unique ID. +The command sent by the client. type: keyword -- -[float] -=== kerberos - -Fields exported by the Zeek Kerberos log - - - -*`zeek.kerberos.request_type`*:: +*`zeek.smb_cmd.sub_command`*:: + -- -Request type - Authentication Service (AS) or Ticket Granting Service (TGS). +The subcommand sent by the client, if present. type: keyword -- -*`zeek.kerberos.client`*:: +*`zeek.smb_cmd.argument`*:: + -- -Client name. +Command argument sent by the client, if any. type: keyword -- -*`zeek.kerberos.service`*:: +*`zeek.smb_cmd.status`*:: + -- -Service name. +Server reply to the client's command. type: keyword -- -*`zeek.kerberos.success`*:: +*`zeek.smb_cmd.rtt`*:: + -- -Request result. +Round trip time from the request to the response. -type: boolean +type: double -- - -*`zeek.kerberos.error.code`*:: +*`zeek.smb_cmd.version`*:: + -- -Error code. +Version of SMB for the command. -type: integer +type: keyword -- -*`zeek.kerberos.error.msg`*:: +*`zeek.smb_cmd.username`*:: + -- -Error message. +Authenticated username, if available. type: keyword -- - -*`zeek.kerberos.valid.from`*:: +*`zeek.smb_cmd.tree`*:: + -- -Ticket valid from. +If this is related to a tree, this is the tree that was used for the current command. -type: date +type: keyword -- -*`zeek.kerberos.valid.until`*:: +*`zeek.smb_cmd.tree_service`*:: + -- -Ticket valid until. +The type of tree (disk share, printer share, named pipe, etc.). -type: date +type: keyword -- -*`zeek.kerberos.valid.days`*:: -+ --- -Number of days the ticket is valid for. +[float] +=== file +If the command referenced a file, store it here. -type: integer --- -*`zeek.kerberos.cipher`*:: +*`zeek.smb_cmd.file.name`*:: + -- -Ticket encryption type. +Filename if one was seen. type: keyword -- -*`zeek.kerberos.forwardable`*:: +*`zeek.smb_cmd.file.action`*:: + -- -Forwardable ticket requested. +Action this log record represents. -type: boolean +type: keyword -- -*`zeek.kerberos.renewable`*:: +*`zeek.smb_cmd.file.uid`*:: + -- -Renewable ticket requested. +UID of the referenced file. -type: boolean +type: keyword -- -*`zeek.kerberos.ticket.auth`*:: +*`zeek.smb_cmd.file.host.tx`*:: + -- -Hash of ticket used to authorize request/transaction. +Address of the transmitting host. -type: keyword +type: ip -- -*`zeek.kerberos.ticket.new`*:: +*`zeek.smb_cmd.file.host.rx`*:: + -- -Hash of ticket returned by the KDC. +Address of the receiving host. -type: keyword +type: ip -- - - -*`zeek.kerberos.cert.client.value`*:: +*`zeek.smb_cmd.smb1_offered_dialects`*:: + -- -Client certificate. +Present if base/protocols/smb/smb1-main.bro is loaded. +Dialects offered by the client. type: keyword -- -*`zeek.kerberos.cert.client.fuid`*:: +*`zeek.smb_cmd.smb2_offered_dialects`*:: + -- -File unique ID of client cert. - +Present if base/protocols/smb/smb2-main.bro is loaded. +Dialects offered by the client. -type: keyword --- +type: integer -*`zeek.kerberos.cert.client.subject`*:: -+ -- -Subject of client certificate. +[float] +=== smb_files -type: keyword +Fields exported by the Zeek SMB Files log. --- -*`zeek.kerberos.cert.server.value`*:: +*`zeek.smb_files.action`*:: + -- -Server certificate. +Action this log record represents. type: keyword -- -*`zeek.kerberos.cert.server.fuid`*:: +*`zeek.smb_files.fid`*:: + -- -File unique ID of server certificate. +ID referencing this file. -type: keyword +type: integer -- -*`zeek.kerberos.cert.server.subject`*:: +*`zeek.smb_files.name`*:: + -- -Subject of server certificate. +Filename if one was seen. type: keyword -- -[float] -=== modbus - -Fields exported by the Zeek modbus log. - - - -*`zeek.modbus.function`*:: +*`zeek.smb_files.path`*:: + -- -The name of the function message that was sent. +Path pulled from the tree this file was transferred to or from. type: keyword -- -*`zeek.modbus.exception`*:: +*`zeek.smb_files.previous_name`*:: + -- -The exception if the response was a failure. +If the rename action was seen, this will be the file's previous name. type: keyword -- -*`zeek.modbus.track_address`*:: +*`zeek.smb_files.size`*:: + -- -Present if policy/protocols/modbus/track-memmap.bro is loaded. -Modbus track address. +Byte size of the file. -type: integer +type: long -- [float] -=== mysql +=== times -Fields exported by the Zeek MySQL log. +Timestamps of the file. -*`zeek.mysql.cmd`*:: +*`zeek.smb_files.times.accessed`*:: + -- -The command that was issued. +The file's access time. -type: keyword +type: date -- -*`zeek.mysql.arg`*:: +*`zeek.smb_files.times.changed`*:: + -- -The argument issued to the command. +The file's change time. -type: keyword +type: date -- -*`zeek.mysql.success`*:: +*`zeek.smb_files.times.created`*:: + -- -Whether the command succeeded. +The file's create time. -type: boolean +type: date -- -*`zeek.mysql.rows`*:: +*`zeek.smb_files.times.modified`*:: + -- -The number of affected rows, if any. +The file's modify time. -type: integer +type: date -- -*`zeek.mysql.response`*:: +*`zeek.smb_files.uuid`*:: + -- -Server message, if any. +UUID referencing this file if DCE/RPC. type: keyword @@ -140884,424 +158505,431 @@ type: keyword -- [float] -=== notice +=== smb_mapping -Fields exported by the Zeek Notice log. +Fields exported by the Zeek SMB_Mapping log. -*`zeek.notice.connection_id`*:: +*`zeek.smb_mapping.path`*:: + -- -Identifier of the related connection session. +Name of the tree path. type: keyword -- -*`zeek.notice.icmp_id`*:: +*`zeek.smb_mapping.service`*:: + -- -Identifier of the related ICMP session. +The type of resource of the tree (disk share, printer share, named pipe, etc.). type: keyword -- -*`zeek.notice.file.id`*:: +*`zeek.smb_mapping.native_file_system`*:: + -- -An identifier associated with a single file that is related to this notice. +File system of the tree. type: keyword -- -*`zeek.notice.file.parent_id`*:: +*`zeek.smb_mapping.share_type`*:: + -- -Identifier associated with a container file from which this one was extracted. +If this is SMB2, a share type will be included. For SMB1, the type of share +will be deduced and included as well. type: keyword -- -*`zeek.notice.file.source`*:: -+ --- -An identification of the source of the file data. E.g. it may be a network protocol -over which it was transferred, or a local file path which was read, or some other -input source. +[float] +=== smtp +Fields exported by the Zeek SMTP log. -type: keyword --- -*`zeek.notice.file.mime_type`*:: +*`zeek.smtp.transaction_depth`*:: + -- -A mime type if the notice is related to a file. +A count to represent the depth of this message transaction in a single connection where multiple messages were transferred. -type: keyword +type: integer -- -*`zeek.notice.file.is_orig`*:: +*`zeek.smtp.helo`*:: + -- -If the source of this file is a network connection, this field indicates if the file is -being sent by the originator of the connection or the responder. +Contents of the Helo header. -type: boolean +type: keyword -- -*`zeek.notice.file.seen_bytes`*:: +*`zeek.smtp.mail_from`*:: + -- -Number of bytes provided to the file analysis engine for the file. +Email addresses found in the MAIL FROM header. -type: long +type: keyword -- -*`zeek.notice.ffile.total_bytes`*:: +*`zeek.smtp.rcpt_to`*:: + -- -Total number of bytes that are supposed to comprise the full file. +Email addresses found in the RCPT TO header. -type: long +type: keyword -- -*`zeek.notice.file.missing_bytes`*:: +*`zeek.smtp.date`*:: + -- -The number of bytes in the file stream that were completely missed during the process -of analysis. +Contents of the Date header. -type: long +type: date -- -*`zeek.notice.file.overflow_bytes`*:: +*`zeek.smtp.from`*:: + -- -The number of bytes in the file stream that were not delivered to stream file analyzers. -This could be overlapping bytes or bytes that couldn't be reassembled. +Contents of the From header. -type: long +type: keyword -- -*`zeek.notice.fuid`*:: +*`zeek.smtp.to`*:: + -- -A file unique ID if this notice is related to a file. +Contents of the To header. type: keyword -- -*`zeek.notice.note`*:: +*`zeek.smtp.cc`*:: + -- -The type of the notice. +Contents of the CC header. type: keyword -- -*`zeek.notice.msg`*:: +*`zeek.smtp.reply_to`*:: + -- -The human readable message for the notice. +Contents of the ReplyTo header. type: keyword -- -*`zeek.notice.sub`*:: +*`zeek.smtp.msg_id`*:: + -- -The human readable sub-message. +Contents of the MsgID header. type: keyword -- -*`zeek.notice.n`*:: +*`zeek.smtp.in_reply_to`*:: + -- -Associated count, or a status code. +Contents of the In-Reply-To header. -type: long +type: keyword -- -*`zeek.notice.peer_name`*:: +*`zeek.smtp.subject`*:: + -- -Name of remote peer that raised this notice. +Contents of the Subject header. type: keyword -- -*`zeek.notice.peer_descr`*:: +*`zeek.smtp.x_originating_ip`*:: + -- -Textual description for the peer that raised this notice. +Contents of the X-Originating-IP header. -type: text +type: keyword -- -*`zeek.notice.actions`*:: +*`zeek.smtp.first_received`*:: + -- -The actions which have been applied to this notice. +Contents of the first Received header. type: keyword -- -*`zeek.notice.email_body_sections`*:: +*`zeek.smtp.second_received`*:: + -- -By adding chunks of text into this element, other scripts can expand on notices -that are being emailed. +Contents of the second Received header. -type: text +type: keyword -- -*`zeek.notice.email_delay_tokens`*:: +*`zeek.smtp.last_reply`*:: + -- -Adding a string token to this set will cause the built-in emailing functionality -to delay sending the email either the token has been removed or the email -has been delayed for the specified time duration. +The last message that the server sent to the client. type: keyword -- -*`zeek.notice.identifier`*:: +*`zeek.smtp.path`*:: + -- -This field is provided when a notice is generated for the purpose of deduplicating notices. +The message transmission path, as extracted from the headers. -type: keyword +type: ip -- -*`zeek.notice.suppress_for`*:: +*`zeek.smtp.user_agent`*:: + -- -This field indicates the length of time that this unique notice should be suppressed. +Value of the User-Agent header from the client. -type: double +type: keyword -- -*`zeek.notice.dropped`*:: +*`zeek.smtp.tls`*:: + -- -Indicate if the source IP address was dropped and denied network access. +Indicates that the connection has switched to using TLS. type: boolean -- -[float] -=== ntlm +*`zeek.smtp.process_received_from`*:: ++ +-- +Indicates if the "Received: from" headers should still be processed. -Fields exported by the Zeek NTLM log. +type: boolean +-- -*`zeek.ntlm.domain`*:: +*`zeek.smtp.has_client_activity`*:: + -- -Domain name given by the client. +Indicates if client activity has been seen, but not yet logged. -type: keyword +type: boolean -- -*`zeek.ntlm.hostname`*:: +*`zeek.smtp.fuids`*:: + -- -Hostname given by the client. +(present if base/protocols/smtp/files.bro is loaded) +An ordered vector of file unique IDs seen attached to the message. type: keyword -- -*`zeek.ntlm.success`*:: +*`zeek.smtp.is_webmail`*:: + -- -Indicate whether or not the authentication was successful. +Indicates if the message was sent through a webmail interface. type: boolean -- -*`zeek.ntlm.username`*:: -+ --- -Username given by the client. +[float] +=== snmp +Fields exported by the Zeek SNMP log. -type: keyword + +*`zeek.snmp.duration`*:: ++ -- +The amount of time between the first packet beloning to the SNMP session and the latest one seen. +type: double -*`zeek.ntlm.server.name.dns`*:: +-- + +*`zeek.snmp.version`*:: + -- -DNS name given by the server in a CHALLENGE. +The version of SNMP being used. type: keyword -- -*`zeek.ntlm.server.name.netbios`*:: +*`zeek.snmp.community`*:: + -- -NetBIOS name given by the server in a CHALLENGE. +The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. type: keyword -- -*`zeek.ntlm.server.name.tree`*:: + +*`zeek.snmp.get.requests`*:: + -- -Tree name given by the server in a CHALLENGE. +The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session. -type: keyword +type: integer -- -[float] -=== ocsp +*`zeek.snmp.get.bulk_requests`*:: ++ +-- +The number of variable bindings in GetBulkRequest PDUs seen for the session. -Fields exported by the Zeek OCSP log -Online Certificate Status Protocol (OCSP). Only created if policy script is loaded. +type: integer +-- -*`zeek.ocsp.file_id`*:: +*`zeek.snmp.get.responses`*:: + -- -File id of the OCSP reply. +The number of variable bindings in GetResponse/Response PDUs seen for the session. -type: keyword +type: integer -- -*`zeek.ocsp.hash.algorithm`*:: +*`zeek.snmp.set.requests`*:: + -- -Hash algorithm used to generate issuerNameHash and issuerKeyHash. +The number of variable bindings in SetRequest PDUs seen for the session. -type: keyword +type: integer -- - -*`zeek.ocsp.hash.issuer.name`*:: +*`zeek.snmp.display_string`*:: + -- -Hash of the issuer's distingueshed name. +A system description of the SNMP responder endpoint. type: keyword -- -*`zeek.ocsp.hash.issuer.key`*:: +*`zeek.snmp.up_since`*:: + -- -Hash of the issuer's public key. +The time at which the SNMP responder endpoint claims it's been up since. -type: keyword +type: date -- -*`zeek.ocsp.serial_number`*:: +[float] +=== socks + +Fields exported by the Zeek SOCKS log. + + + +*`zeek.socks.version`*:: + -- -Serial number of the affected certificate. +Protocol version of SOCKS. -type: keyword +type: integer -- -*`zeek.ocsp.status`*:: +*`zeek.socks.user`*:: + -- -Status of the affected certificate. +Username used to request a login to the proxy. type: keyword -- - -*`zeek.ocsp.revoke.time`*:: +*`zeek.socks.password`*:: + -- -Time at which the certificate was revoked. +Password used to request a login to the proxy. -type: date +type: keyword -- -*`zeek.ocsp.revoke.reason`*:: +*`zeek.socks.status`*:: + -- -Reason for which the certificate was revoked. +Server status for the attempt at using the proxy. type: keyword @@ -141309,1157 +158937,1111 @@ type: keyword -- -*`zeek.ocsp.update.this`*:: +*`zeek.socks.request.host`*:: + -- -The time at which the status being shows is known to have been correct. +Client requested SOCKS address. Could be an address, a name or both. -type: date +type: keyword -- -*`zeek.ocsp.update.next`*:: +*`zeek.socks.request.port`*:: + -- -The latest time at which new information about the status of the certificate will be available. +Client requested port. -type: date +type: integer -- -[float] -=== pe - -Fields exported by the Zeek pe log. - - -*`zeek.pe.client`*:: +*`zeek.socks.bound.host`*:: + -- -The client's version string. +Server bound address. Could be an address, a name or both. type: keyword -- -*`zeek.pe.id`*:: +*`zeek.socks.bound.port`*:: + -- -File id of this portable executable file. +Server bound port. -type: keyword +type: integer -- -*`zeek.pe.machine`*:: +*`zeek.socks.capture_password`*:: + -- -The target machine that the file was compiled for. +Determines if the password will be captured for this request. -type: keyword +type: boolean -- -*`zeek.pe.compile_time`*:: -+ --- -The time that the file was created at. +[float] +=== ssh +Fields exported by the Zeek SSH log. -type: date --- -*`zeek.pe.os`*:: +*`zeek.ssh.client`*:: + -- -The required operating system. +The client's version string. type: keyword -- -*`zeek.pe.subsystem`*:: +*`zeek.ssh.direction`*:: + -- -The subsystem that is required to run this file. +Direction of the connection. If the client was a local host logging into +an external host, this would be OUTBOUND. INBOUND would be set for the +opposite situation. type: keyword -- -*`zeek.pe.is_exe`*:: +*`zeek.ssh.host_key`*:: + -- -Is the file an executable, or just an object file? +The server's key thumbprint. -type: boolean +type: keyword -- -*`zeek.pe.is_64bit`*:: +*`zeek.ssh.server`*:: + -- -Is the file a 64-bit executable? +The server's version string. -type: boolean +type: keyword -- -*`zeek.pe.uses_aslr`*:: +*`zeek.ssh.version`*:: + -- -Does the file support Address Space Layout Randomization? +SSH major version (1 or 2). -type: boolean +type: integer -- -*`zeek.pe.uses_dep`*:: -+ --- -Does the file support Data Execution Prevention? +[float] +=== algorithm +Cipher algorithms used in this session. -type: boolean --- -*`zeek.pe.uses_code_integrity`*:: +*`zeek.ssh.algorithm.cipher`*:: + -- -Does the file enforce code integrity checks? +The encryption algorithm in use. -type: boolean +type: keyword -- -*`zeek.pe.uses_seh`*:: +*`zeek.ssh.algorithm.compression`*:: + -- -Does the file use structured exception handing? +The compression algorithm in use. -type: boolean +type: keyword -- -*`zeek.pe.has_import_table`*:: +*`zeek.ssh.algorithm.host_key`*:: + -- -Does the file have an import table? +The server host key's algorithm. -type: boolean +type: keyword -- -*`zeek.pe.has_export_table`*:: +*`zeek.ssh.algorithm.key_exchange`*:: + -- -Does the file have an export table? +The key exchange algorithm in use. -type: boolean +type: keyword -- -*`zeek.pe.has_cert_table`*:: +*`zeek.ssh.algorithm.mac`*:: + -- -Does the file have an attribute certificate table? +The signing (MAC) algorithm in use. -type: boolean +type: keyword -- -*`zeek.pe.has_debug_data`*:: + +*`zeek.ssh.auth.attempts`*:: + -- -Does the file have a debug table? +The number of authentication attemps we observed. There's always at +least one, since some servers might support no authentication at all. +It's important to note that not all of these are failures, since some +servers require two-factor auth (e.g. password AND pubkey). -type: boolean +type: integer -- -*`zeek.pe.section_names`*:: +*`zeek.ssh.auth.success`*:: + -- -The names of the sections, in order. +Authentication result. -type: keyword +type: boolean -- [float] -=== radius +=== ssl -Fields exported by the Zeek Radius log. +Fields exported by the Zeek SSL log. -*`zeek.radius.username`*:: +*`zeek.ssl.version`*:: + -- -The username, if present. +SSL/TLS version that was logged. type: keyword -- -*`zeek.radius.mac`*:: +*`zeek.ssl.cipher`*:: + -- -MAC address, if present. +SSL/TLS cipher suite that was logged. type: keyword -- -*`zeek.radius.framed_addr`*:: +*`zeek.ssl.curve`*:: + -- -The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address. +Elliptic curve that was logged when using ECDH/ECDHE. -type: ip +type: keyword -- -*`zeek.radius.remote_ip`*:: +*`zeek.ssl.resumed`*:: + -- -Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute. +Flag to indicate if the session was resumed reusing the key material exchanged in an +earlier connection. -type: ip +type: boolean -- -*`zeek.radius.connect_info`*:: +*`zeek.ssl.next_protocol`*:: + -- -Connect info, if present. +Next protocol the server chose using the application layer next protocol extension. type: keyword -- -*`zeek.radius.reply_msg`*:: +*`zeek.ssl.established`*:: + -- -Reply message from the server challenge. This is frequently shown to the user authenticating. +Flag to indicate if this ssl session has been established successfully. -type: keyword +type: boolean -- -*`zeek.radius.result`*:: + +*`zeek.ssl.validation.status`*:: + -- -Successful or failed authentication. +Result of certificate validation for this connection. type: keyword -- -*`zeek.radius.ttl`*:: +*`zeek.ssl.validation.code`*:: + -- -The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen. +Result of certificate validation for this connection, given as OpenSSL validation code. -type: integer +type: keyword -- -*`zeek.radius.logged`*:: +*`zeek.ssl.last_alert`*:: + -- -Whether this has already been logged and can be ignored. +Last alert that was seen during the connection. -type: boolean +type: keyword -- -[float] -=== rdp - -Fields exported by the Zeek RDP log. - - -*`zeek.rdp.cookie`*:: +*`zeek.ssl.server.name`*:: + -- -Cookie value used by the client machine. This is typically a username. +Value of the Server Name Indicator SSL/TLS extension. It indicates the server name +that the client was requesting. type: keyword -- -*`zeek.rdp.result`*:: +*`zeek.ssl.server.cert_chain`*:: + -- -Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages. +Chain of certificates offered by the server to validate its complete signing chain. type: keyword -- -*`zeek.rdp.security_protocol`*:: +*`zeek.ssl.server.cert_chain_fuids`*:: + -- -Security protocol chosen by the server. +An ordered vector of certificate file identifiers for the certificates offered by the server. type: keyword -- -*`zeek.rdp.keyboard_layout`*:: -+ --- -Keyboard layout (language) of the client machine. - +[float] +=== issuer -type: keyword +Subject of the signer of the X.509 certificate offered by the server. --- -*`zeek.rdp.client.build`*:: +*`zeek.ssl.server.issuer.common_name`*:: + -- -RDP client version used by the client machine. +Common name of the signer of the X.509 certificate offered by the server. type: keyword -- -*`zeek.rdp.client.client_name`*:: +*`zeek.ssl.server.issuer.country`*:: + -- -Name of the client machine. +Country code of the signer of the X.509 certificate offered by the server. type: keyword -- -*`zeek.rdp.client.product_id`*:: +*`zeek.ssl.server.issuer.locality`*:: + -- -Product ID of the client machine. +Locality of the signer of the X.509 certificate offered by the server. type: keyword -- - -*`zeek.rdp.desktop.width`*:: +*`zeek.ssl.server.issuer.organization`*:: + -- -Desktop width of the client machine. +Organization of the signer of the X.509 certificate offered by the server. -type: integer +type: keyword -- -*`zeek.rdp.desktop.height`*:: +*`zeek.ssl.server.issuer.organizational_unit`*:: + -- -Desktop height of the client machine. +Organizational unit of the signer of the X.509 certificate offered by the server. -type: integer +type: keyword -- -*`zeek.rdp.desktop.color_depth`*:: +*`zeek.ssl.server.issuer.state`*:: + -- -The color depth requested by the client in the high_color_depth field. +State or province name of the signer of the X.509 certificate offered by the server. type: keyword -- +[float] +=== subject -*`zeek.rdp.cert.type`*:: -+ --- -If the connection is being encrypted with native RDP encryption, this is the type of cert being used. - +Subject of the X.509 certificate offered by the server. -type: keyword --- -*`zeek.rdp.cert.count`*:: +*`zeek.ssl.server.subject.common_name`*:: + -- -The number of certs seen. X.509 can transfer an entire certificate chain. +Common name of the X.509 certificate offered by the server. -type: integer +type: keyword -- -*`zeek.rdp.cert.permanent`*:: +*`zeek.ssl.server.subject.country`*:: + -- -Indicates if the provided certificate or certificate chain is permanent or temporary. +Country code of the X.509 certificate offered by the server. -type: boolean +type: keyword -- - -*`zeek.rdp.encryption.level`*:: +*`zeek.ssl.server.subject.locality`*:: + -- -Encryption level of the connection. +Locality of the X.509 certificate offered by the server. type: keyword -- -*`zeek.rdp.encryption.method`*:: +*`zeek.ssl.server.subject.organization`*:: + -- -Encryption method of the connection. +Organization of the X.509 certificate offered by the server. type: keyword -- -*`zeek.rdp.done`*:: +*`zeek.ssl.server.subject.organizational_unit`*:: + -- -Track status of logging RDP connections. +Organizational unit of the X.509 certificate offered by the server. -type: boolean +type: keyword -- -*`zeek.rdp.ssl`*:: +*`zeek.ssl.server.subject.state`*:: + -- -(present if policy/protocols/rdp/indicate_ssl.bro is loaded) -Flag the connection if it was seen over SSL. +State or province name of the X.509 certificate offered by the server. -type: boolean +type: keyword -- -[float] -=== rfb - -Fields exported by the Zeek RFB log. - - - - -*`zeek.rfb.version.client.major`*:: +*`zeek.ssl.client.cert_chain`*:: + -- -Major version of the client. +Chain of certificates offered by the client to validate its complete signing chain. type: keyword -- -*`zeek.rfb.version.client.minor`*:: +*`zeek.ssl.client.cert_chain_fuids`*:: + -- -Minor version of the client. +An ordered vector of certificate file identifiers for the certificates offered by the client. type: keyword -- +[float] +=== issuer -*`zeek.rfb.version.server.major`*:: +Subject of the signer of the X.509 certificate offered by the client. + + + +*`zeek.ssl.client.issuer.common_name`*:: + -- -Major version of the server. +Common name of the signer of the X.509 certificate offered by the client. type: keyword -- -*`zeek.rfb.version.server.minor`*:: +*`zeek.ssl.client.issuer.country`*:: + -- -Minor version of the server. +Country code of the signer of the X.509 certificate offered by the client. type: keyword -- - -*`zeek.rfb.auth.success`*:: +*`zeek.ssl.client.issuer.locality`*:: + -- -Whether or not authentication was successful. +Locality of the signer of the X.509 certificate offered by the client. -type: boolean +type: keyword -- -*`zeek.rfb.auth.method`*:: +*`zeek.ssl.client.issuer.organization`*:: + -- -Identifier of authentication method used. +Organization of the signer of the X.509 certificate offered by the client. type: keyword -- -*`zeek.rfb.share_flag`*:: +*`zeek.ssl.client.issuer.organizational_unit`*:: + -- -Whether the client has an exclusive or a shared session. +Organizational unit of the signer of the X.509 certificate offered by the client. -type: boolean +type: keyword -- -*`zeek.rfb.desktop_name`*:: +*`zeek.ssl.client.issuer.state`*:: + -- -Name of the screen that is being shared. +State or province name of the signer of the X.509 certificate offered by the client. type: keyword -- -*`zeek.rfb.width`*:: -+ --- -Width of the screen that is being shared. +[float] +=== subject +Subject of the X.509 certificate offered by the client. -type: integer --- -*`zeek.rfb.height`*:: +*`zeek.ssl.client.subject.common_name`*:: + -- -Height of the screen that is being shared. +Common name of the X.509 certificate offered by the client. -type: integer +type: keyword -- -[float] -=== sip - -Fields exported by the Zeek SIP log. - - - -*`zeek.sip.transaction_depth`*:: +*`zeek.ssl.client.subject.country`*:: + -- -Represents the pipelined depth into the connection of this request/response transaction. +Country code of the X.509 certificate offered by the client. -type: integer +type: keyword -- - -*`zeek.sip.sequence.method`*:: +*`zeek.ssl.client.subject.locality`*:: + -- -Verb used in the SIP request (INVITE, REGISTER etc.). +Locality of the X.509 certificate offered by the client. type: keyword -- -*`zeek.sip.sequence.number`*:: +*`zeek.ssl.client.subject.organization`*:: + -- -Contents of the CSeq: header from the client. +Organization of the X.509 certificate offered by the client. type: keyword -- -*`zeek.sip.uri`*:: +*`zeek.ssl.client.subject.organizational_unit`*:: + -- -URI used in the request. +Organizational unit of the X.509 certificate offered by the client. type: keyword -- -*`zeek.sip.date`*:: +*`zeek.ssl.client.subject.state`*:: + -- -Contents of the Date: header from the client. +State or province name of the X.509 certificate offered by the client. type: keyword -- +[float] +=== stats -*`zeek.sip.request.from`*:: +Fields exported by the Zeek stats log. + + + +*`zeek.stats.peer`*:: + -- -Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. +Peer that generated this log. Mostly for clusters. type: keyword -- -*`zeek.sip.request.to`*:: +*`zeek.stats.memory`*:: + -- -Contents of the To: header. +Amount of memory currently in use in MB. -type: keyword +type: integer -- -*`zeek.sip.request.path`*:: + +*`zeek.stats.packets.processed`*:: + -- -The client message transmission path, as extracted from the headers. +Number of packets processed since the last stats interval. -type: keyword +type: long -- -*`zeek.sip.request.body_length`*:: +*`zeek.stats.packets.dropped`*:: + -- -Contents of the Content-Length: header from the client. +Number of packets dropped since the last stats interval if reading live traffic. type: long -- - -*`zeek.sip.response.from`*:: +*`zeek.stats.packets.received`*:: + -- -Contents of the response From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged. +Number of packets seen on the link since the last stats interval if reading live traffic. -type: keyword +type: long -- -*`zeek.sip.response.to`*:: + +*`zeek.stats.bytes.received`*:: + -- -Contents of the response To: header. +Number of bytes received since the last stats interval if reading live traffic. -type: keyword +type: long -- -*`zeek.sip.response.path`*:: + + +*`zeek.stats.connections.tcp.active`*:: + -- -The server message transmission path, as extracted from the headers. +TCP connections currently in memory. -type: keyword +type: integer -- -*`zeek.sip.response.body_length`*:: +*`zeek.stats.connections.tcp.count`*:: + -- -Contents of the Content-Length: header from the server. +TCP connections seen since last stats interval. -type: long +type: integer -- -*`zeek.sip.reply_to`*:: + +*`zeek.stats.connections.udp.active`*:: + -- -Contents of the Reply-To: header. +UDP connections currently in memory. -type: keyword +type: integer -- -*`zeek.sip.call_id`*:: +*`zeek.stats.connections.udp.count`*:: + -- -Contents of the Call-ID: header from the client. +UDP connections seen since last stats interval. -type: keyword +type: integer -- -*`zeek.sip.subject`*:: + +*`zeek.stats.connections.icmp.active`*:: + -- -Contents of the Subject: header from the client. +ICMP connections currently in memory. -type: keyword +type: integer -- -*`zeek.sip.user_agent`*:: +*`zeek.stats.connections.icmp.count`*:: + -- -Contents of the User-Agent: header from the client. +ICMP connections seen since last stats interval. -type: keyword +type: integer -- -*`zeek.sip.status.code`*:: +*`zeek.stats.events.processed`*:: + -- -Status code returned by the server. +Number of events processed since the last stats interval. type: integer -- -*`zeek.sip.status.msg`*:: +*`zeek.stats.events.queued`*:: + -- -Status message returned by the server. +Number of events that have been queued since the last stats interval. -type: keyword +type: integer -- -*`zeek.sip.warning`*:: + +*`zeek.stats.timers.count`*:: + -- -Contents of the Warning: header. +Number of timers scheduled since last stats interval. -type: keyword +type: integer -- -*`zeek.sip.content_type`*:: +*`zeek.stats.timers.active`*:: + -- -Contents of the Content-Type: header from the server. +Current number of scheduled timers. -type: keyword +type: integer -- -[float] -=== smb_cmd - -Fields exported by the Zeek smb_cmd log. - - -*`zeek.smb_cmd.command`*:: +*`zeek.stats.files.count`*:: + -- -The command sent by the client. +Number of files seen since last stats interval. -type: keyword +type: integer -- -*`zeek.smb_cmd.sub_command`*:: +*`zeek.stats.files.active`*:: + -- -The subcommand sent by the client, if present. +Current number of files actively being seen. -type: keyword +type: integer -- -*`zeek.smb_cmd.argument`*:: + +*`zeek.stats.dns_requests.count`*:: + -- -Command argument sent by the client, if any. +Number of DNS requests seen since last stats interval. -type: keyword +type: integer -- -*`zeek.smb_cmd.status`*:: +*`zeek.stats.dns_requests.active`*:: + -- -Server reply to the client's command. +Current number of DNS requests awaiting a reply. -type: keyword +type: integer -- -*`zeek.smb_cmd.rtt`*:: + +*`zeek.stats.reassembly_size.tcp`*:: + -- -Round trip time from the request to the response. +Current size of TCP data in reassembly. -type: double +type: integer -- -*`zeek.smb_cmd.version`*:: +*`zeek.stats.reassembly_size.file`*:: + -- -Version of SMB for the command. +Current size of File data in reassembly. -type: keyword +type: integer -- -*`zeek.smb_cmd.username`*:: +*`zeek.stats.reassembly_size.frag`*:: + -- -Authenticated username, if available. +Current size of packet fragment data in reassembly. -type: keyword +type: integer -- -*`zeek.smb_cmd.tree`*:: +*`zeek.stats.reassembly_size.unknown`*:: + -- -If this is related to a tree, this is the tree that was used for the current command. +Current size of unknown data in reassembly (this is only PIA buffer right now). -type: keyword +type: integer -- -*`zeek.smb_cmd.tree_service`*:: +*`zeek.stats.timestamp_lag`*:: + -- -The type of tree (disk share, printer share, named pipe, etc.). +Lag between the wall clock and packet timestamps if reading live traffic. -type: keyword +type: integer -- [float] -=== file +=== syslog -If the command referenced a file, store it here. +Fields exported by the Zeek syslog log. -*`zeek.smb_cmd.file.name`*:: +*`zeek.syslog.facility`*:: + -- -Filename if one was seen. +Syslog facility for the message. type: keyword -- -*`zeek.smb_cmd.file.action`*:: +*`zeek.syslog.severity`*:: + -- -Action this log record represents. +Syslog severity for the message. type: keyword -- -*`zeek.smb_cmd.file.uid`*:: +*`zeek.syslog.message`*:: + -- -UID of the referenced file. +The plain text message. type: keyword -- +[float] +=== tunnel -*`zeek.smb_cmd.file.host.tx`*:: -+ --- -Address of the transmitting host. - - -type: ip - --- - -*`zeek.smb_cmd.file.host.rx`*:: -+ --- -Address of the receiving host. - +Fields exported by the Zeek SSH log. -type: ip --- -*`zeek.smb_cmd.smb1_offered_dialects`*:: +*`zeek.tunnel.type`*:: + -- -Present if base/protocols/smb/smb1-main.bro is loaded. -Dialects offered by the client. +The type of tunnel. type: keyword -- -*`zeek.smb_cmd.smb2_offered_dialects`*:: +*`zeek.tunnel.action`*:: + -- -Present if base/protocols/smb/smb2-main.bro is loaded. -Dialects offered by the client. +The type of activity that occurred. -type: integer +type: keyword -- [float] -=== smb_files +=== weird -Fields exported by the Zeek SMB Files log. +Fields exported by the Zeek Weird log. -*`zeek.smb_files.action`*:: +*`zeek.weird.name`*:: + -- -Action this log record represents. +The name of the weird that occurred. type: keyword -- -*`zeek.smb_files.fid`*:: +*`zeek.weird.additional_info`*:: + -- -ID referencing this file. +Additional information accompanying the weird if any. -type: integer +type: keyword -- -*`zeek.smb_files.name`*:: +*`zeek.weird.notice`*:: + -- -Filename if one was seen. +Indicate if this weird was also turned into a notice. -type: keyword +type: boolean -- -*`zeek.smb_files.path`*:: +*`zeek.weird.peer`*:: + -- -Path pulled from the tree this file was transferred to or from. +The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble. type: keyword -- -*`zeek.smb_files.previous_name`*:: +*`zeek.weird.identifier`*:: + -- -If the rename action was seen, this will be the file's previous name. +This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird. type: keyword -- -*`zeek.smb_files.size`*:: +[float] +=== x509 + +Fields exported by the Zeek x509 log. + + + +*`zeek.x509.id`*:: + -- -Byte size of the file. +File id of this certificate. -type: long +type: keyword -- [float] -=== times +=== certificate -Timestamps of the file. +Basic information about the certificate. -*`zeek.smb_files.times.accessed`*:: +*`zeek.x509.certificate.version`*:: + -- -The file's access time. +Version number. -type: date +type: integer -- -*`zeek.smb_files.times.changed`*:: +*`zeek.x509.certificate.serial`*:: + -- -The file's change time. +Serial number. -type: date +type: keyword -- -*`zeek.smb_files.times.created`*:: -+ --- -The file's create time. +[float] +=== subject +Subject. -type: date --- -*`zeek.smb_files.times.modified`*:: +*`zeek.x509.certificate.subject.country`*:: + -- -The file's modify time. +Country provided in the certificate subject. -type: date +type: keyword -- -*`zeek.smb_files.uuid`*:: +*`zeek.x509.certificate.subject.common_name`*:: + -- -UUID referencing this file if DCE/RPC. +Common name provided in the certificate subject. type: keyword -- -[float] -=== smb_mapping - -Fields exported by the Zeek SMB_Mapping log. - - - -*`zeek.smb_mapping.path`*:: +*`zeek.x509.certificate.subject.locality`*:: + -- -Name of the tree path. +Locality provided in the certificate subject. type: keyword -- -*`zeek.smb_mapping.service`*:: +*`zeek.x509.certificate.subject.organization`*:: + -- -The type of resource of the tree (disk share, printer share, named pipe, etc.). +Organization provided in the certificate subject. type: keyword -- -*`zeek.smb_mapping.native_file_system`*:: +*`zeek.x509.certificate.subject.organizational_unit`*:: + -- -File system of the tree. +Organizational unit provided in the certificate subject. type: keyword -- -*`zeek.smb_mapping.share_type`*:: +*`zeek.x509.certificate.subject.state`*:: + -- -If this is SMB2, a share type will be included. For SMB1, the type of share -will be deduced and included as well. +State or province provided in the certificate subject. type: keyword @@ -142467,1758 +160049,1806 @@ type: keyword -- [float] -=== smtp +=== issuer -Fields exported by the Zeek SMTP log. +Issuer. -*`zeek.smtp.transaction_depth`*:: +*`zeek.x509.certificate.issuer.country`*:: + -- -A count to represent the depth of this message transaction in a single connection where multiple messages were transferred. +Country provided in the certificate issuer field. -type: integer +type: keyword -- -*`zeek.smtp.helo`*:: +*`zeek.x509.certificate.issuer.common_name`*:: + -- -Contents of the Helo header. +Common name provided in the certificate issuer field. type: keyword -- -*`zeek.smtp.mail_from`*:: +*`zeek.x509.certificate.issuer.locality`*:: + -- -Email addresses found in the MAIL FROM header. +Locality provided in the certificate issuer field. type: keyword -- -*`zeek.smtp.rcpt_to`*:: +*`zeek.x509.certificate.issuer.organization`*:: + -- -Email addresses found in the RCPT TO header. +Organization provided in the certificate issuer field. type: keyword -- -*`zeek.smtp.date`*:: +*`zeek.x509.certificate.issuer.organizational_unit`*:: + -- -Contents of the Date header. +Organizational unit provided in the certificate issuer field. -type: date +type: keyword -- -*`zeek.smtp.from`*:: +*`zeek.x509.certificate.issuer.state`*:: + -- -Contents of the From header. +State or province provided in the certificate issuer field. type: keyword -- -*`zeek.smtp.to`*:: +*`zeek.x509.certificate.common_name`*:: + -- -Contents of the To header. +Last (most specific) common name. type: keyword -- -*`zeek.smtp.cc`*:: +[float] +=== valid + +Certificate validity timestamps + + + +*`zeek.x509.certificate.valid.from`*:: + -- -Contents of the CC header. +Timestamp before when certificate is not valid. -type: keyword +type: date -- -*`zeek.smtp.reply_to`*:: +*`zeek.x509.certificate.valid.until`*:: + -- -Contents of the ReplyTo header. +Timestamp after when certificate is not valid. -type: keyword +type: date -- -*`zeek.smtp.msg_id`*:: + +*`zeek.x509.certificate.key.algorithm`*:: + -- -Contents of the MsgID header. +Name of the key algorithm. type: keyword -- -*`zeek.smtp.in_reply_to`*:: +*`zeek.x509.certificate.key.type`*:: + -- -Contents of the In-Reply-To header. +Key type, if key parseable by openssl (either rsa, dsa or ec). type: keyword -- -*`zeek.smtp.subject`*:: +*`zeek.x509.certificate.key.length`*:: + -- -Contents of the Subject header. +Key length in bits. -type: keyword +type: integer -- -*`zeek.smtp.x_originating_ip`*:: +*`zeek.x509.certificate.signature_algorithm`*:: + -- -Contents of the X-Originating-IP header. +Name of the signature algorithm. type: keyword -- -*`zeek.smtp.first_received`*:: +*`zeek.x509.certificate.exponent`*:: + -- -Contents of the first Received header. +Exponent, if RSA-certificate. type: keyword -- -*`zeek.smtp.second_received`*:: +*`zeek.x509.certificate.curve`*:: + -- -Contents of the second Received header. +Curve, if EC-certificate. type: keyword -- -*`zeek.smtp.last_reply`*:: +[float] +=== san + +Subject alternative name extension of the certificate. + + + +*`zeek.x509.san.dns`*:: + -- -The last message that the server sent to the client. +List of DNS entries in SAN. type: keyword -- -*`zeek.smtp.path`*:: +*`zeek.x509.san.uri`*:: + -- -The message transmission path, as extracted from the headers. +List of URI entries in SAN. -type: ip +type: keyword -- -*`zeek.smtp.user_agent`*:: +*`zeek.x509.san.email`*:: + -- -Value of the User-Agent header from the client. +List of email entries in SAN. type: keyword -- -*`zeek.smtp.tls`*:: +*`zeek.x509.san.ip`*:: + -- -Indicates that the connection has switched to using TLS. +List of IP entries in SAN. -type: boolean +type: ip -- -*`zeek.smtp.process_received_from`*:: +*`zeek.x509.san.other_fields`*:: + -- -Indicates if the "Received: from" headers should still be processed. +True if the certificate contained other, not recognized or parsed name fields. type: boolean -- -*`zeek.smtp.has_client_activity`*:: +[float] +=== basic_constraints + +Basic constraints extension of the certificate. + + + +*`zeek.x509.basic_constraints.certificate_authority`*:: + -- -Indicates if client activity has been seen, but not yet logged. +CA flag set or not. type: boolean -- -*`zeek.smtp.fuids`*:: +*`zeek.x509.basic_constraints.path_length`*:: + -- -(present if base/protocols/smtp/files.bro is loaded) -An ordered vector of file unique IDs seen attached to the message. +Maximum path length. -type: keyword +type: integer -- -*`zeek.smtp.is_webmail`*:: +*`zeek.x509.log_cert`*:: + -- -Indicates if the message was sent through a webmail interface. +Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded +Logging of certificate is suppressed if set to F. type: boolean -- -[float] -=== snmp +[[exported-fields-zoom]] +== Zoom fields -Fields exported by the Zeek SNMP log. +Module for handling incoming Zoom webhook requests -*`zeek.snmp.duration`*:: -+ --- -The amount of time between the first packet beloning to the SNMP session and the latest one seen. +[float] +=== zoom +Module for parsing Zoom API Webhooks. -type: double --- -*`zeek.snmp.version`*:: +*`zoom.master_account_id`*:: + -- -The version of SNMP being used. +Master Account related to a specific Sub Account type: keyword -- -*`zeek.snmp.community`*:: +*`zoom.sub_account_id`*:: + -- -The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901. +Related Sub Account type: keyword -- - -*`zeek.snmp.get.requests`*:: +*`zoom.operator_id`*:: + -- -The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session. +UserID that triggered the event -type: integer +type: keyword -- -*`zeek.snmp.get.bulk_requests`*:: +*`zoom.operator`*:: + -- -The number of variable bindings in GetBulkRequest PDUs seen for the session. +Username/Email related to the user that triggered the event -type: integer +type: keyword -- -*`zeek.snmp.get.responses`*:: +*`zoom.account_id`*:: + -- -The number of variable bindings in GetResponse/Response PDUs seen for the session. +Related accountID to the event -type: integer +type: keyword -- - -*`zeek.snmp.set.requests`*:: +*`zoom.timestamp`*:: + -- -The number of variable bindings in SetRequest PDUs seen for the session. +Timestamp related to the event -type: integer +type: date -- -*`zeek.snmp.display_string`*:: +*`zoom.creation_type`*:: + -- -A system description of the SNMP responder endpoint. +Creation type type: keyword -- -*`zeek.snmp.up_since`*:: +*`zoom.account.owner_id`*:: + -- -The time at which the SNMP responder endpoint claims it's been up since. +UserID of the user whose sub account was created/disassociated -type: date +type: keyword -- -[float] -=== socks +*`zoom.account.email`*:: ++ +-- +Email related to the user the action was performed on -Fields exported by the Zeek SOCKS log. +type: keyword +-- -*`zeek.socks.version`*:: +*`zoom.account.owner_email`*:: + -- -Protocol version of SOCKS. +Email of the user whose sub account was created/disassociated -type: integer +type: keyword -- -*`zeek.socks.user`*:: +*`zoom.account.account_name`*:: + -- -Username used to request a login to the proxy. +When an account name is updated, this is the new value set type: keyword -- -*`zeek.socks.password`*:: +*`zoom.account.account_alias`*:: + -- -Password used to request a login to the proxy. +When an account alias is updated, this is the new value set type: keyword -- -*`zeek.socks.status`*:: +*`zoom.account.account_support_name`*:: + -- -Server status for the attempt at using the proxy. +When an account support_name is updated, this is the new value set type: keyword -- - -*`zeek.socks.request.host`*:: +*`zoom.account.account_support_email`*:: + -- -Client requested SOCKS address. Could be an address, a name or both. +When an account support_email is updated, this is the new value set type: keyword -- -*`zeek.socks.request.port`*:: +*`zoom.chat_channel.name`*:: + -- -Client requested port. +The name of the channel that has been added/modified/deleted -type: integer +type: keyword -- - -*`zeek.socks.bound.host`*:: +*`zoom.chat_channel.id`*:: + -- -Server bound address. Could be an address, a name or both. +The ID of the channel that has been added/modified/deleted type: keyword -- -*`zeek.socks.bound.port`*:: +*`zoom.chat_channel.type`*:: + -- -Server bound port. +Type of channel related to the event. Can be 1(Invite-Only), 2(Private) or 3(Public) -type: integer +type: keyword -- -*`zeek.socks.capture_password`*:: +*`zoom.chat_message.id`*:: + -- -Determines if the password will be captured for this request. +Unique ID of the related chat message -type: boolean +type: keyword -- -[float] -=== ssh +*`zoom.chat_message.type`*:: ++ +-- +Type of message, can be either "to_contact" or "to_channel" -Fields exported by the Zeek SSH log. +type: keyword +-- -*`zeek.ssh.client`*:: +*`zoom.chat_message.session_id`*:: + -- -The client's version string. +SessionID for the channel related to the message type: keyword -- -*`zeek.ssh.direction`*:: +*`zoom.chat_message.contact_email`*:: + -- -Direction of the connection. If the client was a local host logging into -an external host, this would be OUTBOUND. INBOUND would be set for the -opposite situation. +Email address related to the user sending the message type: keyword -- -*`zeek.ssh.host_key`*:: +*`zoom.chat_message.contact_id`*:: + -- -The server's key thumbprint. +UserID belonging to the user receiving a message type: keyword -- -*`zeek.ssh.server`*:: +*`zoom.chat_message.channel_id`*:: + -- -The server's version string. +ChannelID related to the message type: keyword -- -*`zeek.ssh.version`*:: +*`zoom.chat_message.channel_name`*:: + -- -SSH major version (1 or 2). +Channel name related to the message -type: integer +type: keyword -- -[float] -=== algorithm +*`zoom.chat_message.message`*:: ++ +-- +A string containing the full message that was sent -Cipher algorithms used in this session. +type: keyword +-- -*`zeek.ssh.algorithm.cipher`*:: +*`zoom.meeting.id`*:: + -- -The encryption algorithm in use. +Unique ID of the related meeting type: keyword -- -*`zeek.ssh.algorithm.compression`*:: +*`zoom.meeting.uuid`*:: + -- -The compression algorithm in use. +The UUID of the related meeting type: keyword -- -*`zeek.ssh.algorithm.host_key`*:: +*`zoom.meeting.host_id`*:: + -- -The server host key's algorithm. +The UserID of the configured meeting host type: keyword -- -*`zeek.ssh.algorithm.key_exchange`*:: +*`zoom.meeting.topic`*:: + -- -The key exchange algorithm in use. +Topic of the related meeting type: keyword -- -*`zeek.ssh.algorithm.mac`*:: +*`zoom.meeting.type`*:: + -- -The signing (MAC) algorithm in use. +Type of meeting created type: keyword -- - -*`zeek.ssh.auth.attempts`*:: +*`zoom.meeting.start_time`*:: + -- -The number of authentication attemps we observed. There's always at -least one, since some servers might support no authentication at all. -It's important to note that not all of these are failures, since some -servers require two-factor auth (e.g. password AND pubkey). +Date and time the meeting started -type: integer +type: date -- -*`zeek.ssh.auth.success`*:: +*`zoom.meeting.timezone`*:: + -- -Authentication result. +Which timezone is used for the meeting timestamps -type: boolean +type: keyword -- -[float] -=== ssl +*`zoom.meeting.duration`*:: ++ +-- +The duration of a meeting in minutes -Fields exported by the Zeek SSL log. +type: long +-- -*`zeek.ssl.version`*:: +*`zoom.meeting.issues`*:: + -- -SSL/TLS version that was logged. +When a user reports an issue with the meeting, for example: "Unstable audio quality" type: keyword -- -*`zeek.ssl.cipher`*:: +*`zoom.meeting.password`*:: + -- -SSL/TLS cipher suite that was logged. +Password related to the meeting type: keyword -- -*`zeek.ssl.curve`*:: +*`zoom.phone.id`*:: + -- -Elliptic curve that was logged when using ECDH/ECDHE. +Unique ID for the phone or conversation type: keyword -- -*`zeek.ssl.resumed`*:: +*`zoom.phone.user_id`*:: + -- -Flag to indicate if the session was resumed reusing the key material exchanged in an -earlier connection. +UserID for the phone owner related to a Call Log being completed -type: boolean +type: keyword -- -*`zeek.ssl.next_protocol`*:: +*`zoom.phone.download_url`*:: + -- -Next protocol the server chose using the application layer next protocol extension. +Download URL for the voicemail type: keyword -- -*`zeek.ssl.established`*:: +*`zoom.phone.ringing_start_time`*:: + -- -Flag to indicate if this ssl session has been established successfully. +The timestamp when a ringtone was established to the callee -type: boolean +type: date -- - -*`zeek.ssl.validation.status`*:: +*`zoom.phone.connected_start_time`*:: + -- -Result of certificate validation for this connection. +The date and time when a ringtone was established to the callee -type: keyword +type: date -- -*`zeek.ssl.validation.code`*:: +*`zoom.phone.answer_start_time`*:: + -- -Result of certificate validation for this connection, given as OpenSSL validation code. +The date and time when the call was answered -type: keyword +type: date -- -*`zeek.ssl.last_alert`*:: +*`zoom.phone.call_end_time`*:: + -- -Last alert that was seen during the connection. +The date and time when the call ended -type: keyword +type: date -- - -*`zeek.ssl.server.name`*:: +*`zoom.phone.call_id`*:: + -- -Value of the Server Name Indicator SSL/TLS extension. It indicates the server name -that the client was requesting. +Unique ID of the related call type: keyword -- -*`zeek.ssl.server.cert_chain`*:: +*`zoom.phone.duration`*:: + -- -Chain of certificates offered by the server to validate its complete signing chain. +Duration of a voicemail in minutes -type: keyword +type: long -- -*`zeek.ssl.server.cert_chain_fuids`*:: +*`zoom.phone.caller.id`*:: + -- -An ordered vector of certificate file identifiers for the certificates offered by the server. +UserID of the caller related to the voicemail/call type: keyword -- -[float] -=== issuer +*`zoom.phone.caller.user_id`*:: ++ +-- +UserID of the person which initiated the call -Subject of the signer of the X.509 certificate offered by the server. +type: keyword +-- -*`zeek.ssl.server.issuer.common_name`*:: +*`zoom.phone.caller.number_type`*:: + -- -Common name of the signer of the X.509 certificate offered by the server. +The type of number, can be 1(Internal) or 2(External) type: keyword -- -*`zeek.ssl.server.issuer.country`*:: +*`zoom.phone.caller.name`*:: + -- -Country code of the signer of the X.509 certificate offered by the server. +The name of the related callee type: keyword -- -*`zeek.ssl.server.issuer.locality`*:: +*`zoom.phone.caller.phone_number`*:: + -- -Locality of the signer of the X.509 certificate offered by the server. +Phone Number of the caller related to the call type: keyword -- -*`zeek.ssl.server.issuer.organization`*:: +*`zoom.phone.caller.extension_type`*:: + -- -Organization of the signer of the X.509 certificate offered by the server. +Extension type of the caller number, can be user, callQueue, autoReceptionist or shareLineGroup type: keyword -- -*`zeek.ssl.server.issuer.organizational_unit`*:: +*`zoom.phone.caller.extension_number`*:: + -- -Organizational unit of the signer of the X.509 certificate offered by the server. +Extension number of the caller type: keyword -- -*`zeek.ssl.server.issuer.state`*:: +*`zoom.phone.caller.timezone`*:: + -- -State or province name of the signer of the X.509 certificate offered by the server. +Timezone of the caller type: keyword -- -[float] -=== subject +*`zoom.phone.caller.device_type`*:: ++ +-- +Device type used by the caller -Subject of the X.509 certificate offered by the server. +type: keyword +-- -*`zeek.ssl.server.subject.common_name`*:: +*`zoom.phone.callee.id`*:: + -- -Common name of the X.509 certificate offered by the server. +UserID of the callee related to the voicemail/call type: keyword -- -*`zeek.ssl.server.subject.country`*:: +*`zoom.phone.callee.user_id`*:: + -- -Country code of the X.509 certificate offered by the server. +UserID of the related callee of a voicemail/call type: keyword -- -*`zeek.ssl.server.subject.locality`*:: +*`zoom.phone.callee.name`*:: + -- -Locality of the X.509 certificate offered by the server. +The name of the related callee type: keyword -- -*`zeek.ssl.server.subject.organization`*:: +*`zoom.phone.callee.number_type`*:: + -- -Organization of the X.509 certificate offered by the server. +The type of number, can be 1(Internal) or 2(External) type: keyword -- -*`zeek.ssl.server.subject.organizational_unit`*:: +*`zoom.phone.callee.phone_number`*:: + -- -Organizational unit of the X.509 certificate offered by the server. +Phone Number of the callee related to the call type: keyword -- -*`zeek.ssl.server.subject.state`*:: +*`zoom.phone.callee.extension_type`*:: + -- -State or province name of the X.509 certificate offered by the server. +Extension type of the callee number, can be user, callQueue, autoReceptionist or shareLineGroup type: keyword -- - -*`zeek.ssl.client.cert_chain`*:: +*`zoom.phone.callee.extension_number`*:: + -- -Chain of certificates offered by the client to validate its complete signing chain. +Extension number of the callee related to the call type: keyword -- -*`zeek.ssl.client.cert_chain_fuids`*:: +*`zoom.phone.callee.timezone`*:: + -- -An ordered vector of certificate file identifiers for the certificates offered by the client. +Timezone of the callee related to the call type: keyword -- -[float] -=== issuer +*`zoom.phone.callee.device_type`*:: ++ +-- +Device type used by the callee related to the call -Subject of the signer of the X.509 certificate offered by the client. +type: keyword +-- -*`zeek.ssl.client.issuer.common_name`*:: +*`zoom.phone.date_time`*:: + -- -Common name of the signer of the X.509 certificate offered by the client. +Date and time of the related phone event -type: keyword +type: date -- -*`zeek.ssl.client.issuer.country`*:: +*`zoom.recording.id`*:: + -- -Country code of the signer of the X.509 certificate offered by the client. +Unique ID of the related recording type: keyword -- -*`zeek.ssl.client.issuer.locality`*:: +*`zoom.recording.uuid`*:: + -- -Locality of the signer of the X.509 certificate offered by the client. +UUID of the related recording type: keyword -- -*`zeek.ssl.client.issuer.organization`*:: +*`zoom.recording.host_id`*:: + -- -Organization of the signer of the X.509 certificate offered by the client. +UserID of the host of the meeting that was recorded type: keyword -- -*`zeek.ssl.client.issuer.organizational_unit`*:: +*`zoom.recording.topic`*:: + -- -Organizational unit of the signer of the X.509 certificate offered by the client. +Topic of the meeting related to the recording type: keyword -- -*`zeek.ssl.client.issuer.state`*:: +*`zoom.recording.type`*:: + -- -State or province name of the signer of the X.509 certificate offered by the client. +Type of recording, can be multiple type of values, please check Zoom documentation type: keyword -- -[float] -=== subject +*`zoom.recording.start_time`*:: ++ +-- +The date and time when the recording started -Subject of the X.509 certificate offered by the client. +type: date +-- -*`zeek.ssl.client.subject.common_name`*:: +*`zoom.recording.timezone`*:: + -- -Common name of the X.509 certificate offered by the client. +The timezone used for the recording date type: keyword -- -*`zeek.ssl.client.subject.country`*:: +*`zoom.recording.duration`*:: + -- -Country code of the X.509 certificate offered by the client. +Duration of the recording in minutes -type: keyword +type: long -- -*`zeek.ssl.client.subject.locality`*:: +*`zoom.recording.share_url`*:: + -- -Locality of the X.509 certificate offered by the client. +The URL to access the recording type: keyword -- -*`zeek.ssl.client.subject.organization`*:: +*`zoom.recording.total_size`*:: + -- -Organization of the X.509 certificate offered by the client. +Total size of the recording in bytes -type: keyword +type: long -- -*`zeek.ssl.client.subject.organizational_unit`*:: +*`zoom.recording.recording_count`*:: + -- -Organizational unit of the X.509 certificate offered by the client. +Number of recording files related to the recording -type: keyword +type: long -- -*`zeek.ssl.client.subject.state`*:: +*`zoom.recording.recording_file.recording_start`*:: + -- -State or province name of the X.509 certificate offered by the client. +The date and time the recording started -type: keyword +type: date -- -[float] -=== stats +*`zoom.recording.recording_file.recording_end`*:: ++ +-- +The date and time the recording finished -Fields exported by the Zeek stats log. +type: date +-- -*`zeek.stats.peer`*:: +*`zoom.recording.host_email`*:: + -- -Peer that generated this log. Mostly for clusters. +Email address of the host related to the meeting that was recorded type: keyword -- -*`zeek.stats.memory`*:: +*`zoom.user.id`*:: + -- -Amount of memory currently in use in MB. +UserID related to the user event -type: integer +type: keyword -- - -*`zeek.stats.packets.processed`*:: +*`zoom.user.first_name`*:: + -- -Number of packets processed since the last stats interval. +User first name related to the user event -type: long +type: keyword -- -*`zeek.stats.packets.dropped`*:: +*`zoom.user.last_name`*:: + -- -Number of packets dropped since the last stats interval if reading live traffic. +User last name related to the user event -type: long +type: keyword -- -*`zeek.stats.packets.received`*:: +*`zoom.user.email`*:: + -- -Number of packets seen on the link since the last stats interval if reading live traffic. +User email related to the user event -type: long +type: keyword -- - -*`zeek.stats.bytes.received`*:: +*`zoom.user.type`*:: + -- -Number of bytes received since the last stats interval if reading live traffic. +User type related to the user event -type: long +type: keyword -- - - -*`zeek.stats.connections.tcp.active`*:: +*`zoom.user.phone_number`*:: + -- -TCP connections currently in memory. +User phone number related to the user event -type: integer +type: keyword -- -*`zeek.stats.connections.tcp.count`*:: +*`zoom.user.phone_country`*:: + -- -TCP connections seen since last stats interval. +User country code related to the user event -type: integer +type: keyword -- - -*`zeek.stats.connections.udp.active`*:: +*`zoom.user.company`*:: + -- -UDP connections currently in memory. +User company related to the user event -type: integer +type: keyword -- -*`zeek.stats.connections.udp.count`*:: +*`zoom.user.pmi`*:: + -- -UDP connections seen since last stats interval. +User personal meeting ID related to the user event -type: integer +type: keyword -- - -*`zeek.stats.connections.icmp.active`*:: +*`zoom.user.use_pmi`*:: + -- -ICMP connections currently in memory. +If a user has PMI enabled -type: integer +type: boolean -- -*`zeek.stats.connections.icmp.count`*:: +*`zoom.user.pic_url`*:: + -- -ICMP connections seen since last stats interval. +Full URL to the profile picture used by the user -type: integer +type: keyword -- - -*`zeek.stats.events.processed`*:: +*`zoom.user.vanity_name`*:: + -- -Number of events processed since the last stats interval. +Name of the personal meeting room related to the user event -type: integer +type: keyword -- -*`zeek.stats.events.queued`*:: +*`zoom.user.timezone`*:: + -- -Number of events that have been queued since the last stats interval. +Timezone configured for the user -type: integer +type: keyword -- - -*`zeek.stats.timers.count`*:: +*`zoom.user.language`*:: + -- -Number of timers scheduled since last stats interval. +Language configured for the user -type: integer +type: keyword -- -*`zeek.stats.timers.active`*:: +*`zoom.user.host_key`*:: + -- -Current number of scheduled timers. +Host key set for the user -type: integer +type: keyword -- - -*`zeek.stats.files.count`*:: +*`zoom.user.role`*:: + -- -Number of files seen since last stats interval. +The configured role for the user -type: integer +type: keyword -- -*`zeek.stats.files.active`*:: +*`zoom.user.dept`*:: + -- -Current number of files actively being seen. +The configured departement for the user -type: integer +type: keyword -- - -*`zeek.stats.dns_requests.count`*:: +*`zoom.user.presence_status`*:: + -- -Number of DNS requests seen since last stats interval. +Current presence status of user -type: integer +type: keyword -- -*`zeek.stats.dns_requests.active`*:: +*`zoom.user.personal_notes`*:: + -- -Current number of DNS requests awaiting a reply. +Personal notes for the User -type: integer +type: keyword -- - -*`zeek.stats.reassembly_size.tcp`*:: +*`zoom.user.client_type`*:: + -- -Current size of TCP data in reassembly. +Type of client used by the user. Can be browser, mac, win, iphone or android -type: integer +type: keyword -- -*`zeek.stats.reassembly_size.file`*:: +*`zoom.user.version`*:: + -- -Current size of File data in reassembly. +Version of the client used by the user -type: integer +type: keyword -- -*`zeek.stats.reassembly_size.frag`*:: +*`zoom.webinar.id`*:: + -- -Current size of packet fragment data in reassembly. +Unique ID for the related webinar -type: integer +type: keyword -- -*`zeek.stats.reassembly_size.unknown`*:: +*`zoom.webinar.join_url`*:: + -- -Current size of unknown data in reassembly (this is only PIA buffer right now). +The URL configured to join the webinar -type: integer +type: keyword -- -*`zeek.stats.timestamp_lag`*:: +*`zoom.webinar.uuid`*:: + -- -Lag between the wall clock and packet timestamps if reading live traffic. +UUID for the related webinar -type: integer +type: keyword -- -[float] -=== syslog +*`zoom.webinar.host_id`*:: ++ +-- +UserID for the configured host of the webinar -Fields exported by the Zeek syslog log. +type: keyword +-- -*`zeek.syslog.facility`*:: +*`zoom.webinar.topic`*:: + -- -Syslog facility for the message. +Meeting topic of the related webinar type: keyword -- -*`zeek.syslog.severity`*:: +*`zoom.webinar.type`*:: + -- -Syslog severity for the message. +Type of webinar created. Can be either 5(Webinar), 6(Recurring webinar without fixed time) or 9(Recurring webinar with fixed time) type: keyword -- -*`zeek.syslog.message`*:: +*`zoom.webinar.start_time`*:: + -- -The plain text message. +The date and time when the webinar started -type: keyword +type: date -- -[float] -=== tunnel +*`zoom.webinar.timezone`*:: ++ +-- +Timezone used for the dates related to the webinar -Fields exported by the Zeek SSH log. +type: keyword +-- -*`zeek.tunnel.type`*:: +*`zoom.webinar.duration`*:: + -- -The type of tunnel. +Duration of the webinar in minutes -type: keyword +type: long -- -*`zeek.tunnel.action`*:: +*`zoom.webinar.agenda`*:: + -- -The type of activity that occurred. +The configured agenda of the webinar type: keyword -- -[float] -=== weird +*`zoom.webinar.password`*:: ++ +-- +Password configured to access the webinar -Fields exported by the Zeek Weird log. +type: keyword +-- -*`zeek.weird.name`*:: +*`zoom.webinar.issues`*:: + -- -The name of the weird that occurred. +Any reported issues about a webinar is reported in this field type: keyword -- -*`zeek.weird.additional_info`*:: +*`zoom.zoomroom.id`*:: + -- -Additional information accompanying the weird if any. +Unique ID of the Zoom room type: keyword -- -*`zeek.weird.notice`*:: +*`zoom.zoomroom.room_name`*:: + -- -Indicate if this weird was also turned into a notice. +The configured name of the Zoom room -type: boolean +type: keyword -- -*`zeek.weird.peer`*:: +*`zoom.zoomroom.calendar_name`*:: + -- -The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble. +Calendar name of the Zoom room type: keyword -- -*`zeek.weird.identifier`*:: +*`zoom.zoomroom.calendar_id`*:: + -- -This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird. +Unique ID of the calendar used by the Zoom room type: keyword -- -[float] -=== x509 +*`zoom.zoomroom.event_id`*:: ++ +-- +Unique ID of the calendar event associated with the Zoom Room -Fields exported by the Zeek x509 log. +type: keyword +-- -*`zeek.x509.id`*:: +*`zoom.zoomroom.change_key`*:: + -- -File id of this certificate. +Key used by Microsoft products integration that represents a specific version of a calendar type: keyword -- -[float] -=== certificate +*`zoom.zoomroom.resource_email`*:: ++ +-- +Email address associated with the calendar in use by the Zoom room -Basic information about the certificate. +type: keyword +-- -*`zeek.x509.certificate.version`*:: +*`zoom.zoomroom.email`*:: + -- -Version number. +Email address associated with the Zoom room itself -type: integer +type: keyword -- -*`zeek.x509.certificate.serial`*:: +*`zoom.zoomroom.issue`*:: + -- -Serial number. +Any reported alerts or issues related to the Zoom room or its equipment type: keyword -- -[float] -=== subject +*`zoom.zoomroom.alert_type`*:: ++ +-- +An integer value representing the type of alert. The list of alert types can be found in the Zoom documentation -Subject. +type: keyword +-- -*`zeek.x509.certificate.subject.country`*:: +*`zoom.zoomroom.component`*:: + -- -Country provided in the certificate subject. +An integer value representing the type of equipment or component, The list of component types can be found in the Zoom documentation type: keyword -- -*`zeek.x509.certificate.subject.common_name`*:: +*`zoom.zoomroom.alert_kind`*:: + -- -Common name provided in the certificate subject. +An integer value showing if the Zoom room alert has been either 1(Triggered) or 2(Cleared) type: keyword -- -*`zeek.x509.certificate.subject.locality`*:: +*`zoom.registrant.id`*:: + -- -Locality provided in the certificate subject. +Unique ID of the user registering to a meeting or webinar type: keyword -- -*`zeek.x509.certificate.subject.organization`*:: +*`zoom.registrant.status`*:: + -- -Organization provided in the certificate subject. +Status of the specific user registration type: keyword -- -*`zeek.x509.certificate.subject.organizational_unit`*:: +*`zoom.registrant.email`*:: + -- -Organizational unit provided in the certificate subject. +Email of the user registering to a meeting or webinar type: keyword -- -*`zeek.x509.certificate.subject.state`*:: +*`zoom.registrant.first_name`*:: + -- -State or province provided in the certificate subject. +First name of the user registering to a meeting or webinar type: keyword -- -[float] -=== issuer +*`zoom.registrant.last_name`*:: ++ +-- +Last name of the user registering to a meeting or webinar -Issuer. +type: keyword +-- -*`zeek.x509.certificate.issuer.country`*:: +*`zoom.registrant.address`*:: + -- -Country provided in the certificate issuer field. +Address of the user registering to a meeting or webinar type: keyword -- -*`zeek.x509.certificate.issuer.common_name`*:: +*`zoom.registrant.city`*:: + -- -Common name provided in the certificate issuer field. +City of the user registering to a meeting or webinar type: keyword -- -*`zeek.x509.certificate.issuer.locality`*:: +*`zoom.registrant.country`*:: + -- -Locality provided in the certificate issuer field. +Country of the user registering to a meeting or webinar type: keyword -- -*`zeek.x509.certificate.issuer.organization`*:: +*`zoom.registrant.zip`*:: + -- -Organization provided in the certificate issuer field. +Zip code of the user registering to a meeting or webinar type: keyword -- -*`zeek.x509.certificate.issuer.organizational_unit`*:: +*`zoom.registrant.state`*:: + -- -Organizational unit provided in the certificate issuer field. +State of the user registering to a meeting or webinar type: keyword -- -*`zeek.x509.certificate.issuer.state`*:: +*`zoom.registrant.phone`*:: + -- -State or province provided in the certificate issuer field. +Phone number of the user registering to a meeting or webinar type: keyword -- -*`zeek.x509.certificate.common_name`*:: +*`zoom.registrant.industry`*:: + -- -Last (most specific) common name. +Related industry of the user registering to a meeting or webinar type: keyword -- -[float] -=== valid +*`zoom.registrant.org`*:: ++ +-- +Organization related to the user registering to a meeting or webinar -Certificate validity timestamps +type: keyword +-- -*`zeek.x509.certificate.valid.from`*:: +*`zoom.registrant.job_title`*:: + -- -Timestamp before when certificate is not valid. +Job title of the user registering to a meeting or webinar -type: date +type: keyword -- -*`zeek.x509.certificate.valid.until`*:: +*`zoom.registrant.purchasing_time_frame`*:: + -- -Timestamp after when certificate is not valid. +Choosen purchase timeframe of the user registering to a meeting or webinar -type: date +type: keyword -- - -*`zeek.x509.certificate.key.algorithm`*:: +*`zoom.registrant.role_in_purchase_process`*:: + -- -Name of the key algorithm. +Choosen role in a purchase process related to the user registering to a meeting or webinar type: keyword -- -*`zeek.x509.certificate.key.type`*:: +*`zoom.registrant.no_of_employees`*:: + -- -Key type, if key parseable by openssl (either rsa, dsa or ec). +Number of employees choosen by the user registering to a meeting or webinar type: keyword -- -*`zeek.x509.certificate.key.length`*:: +*`zoom.registrant.comments`*:: + -- -Key length in bits. +Comments left by the user registering to a meeting or webinar -type: integer +type: keyword -- -*`zeek.x509.certificate.signature_algorithm`*:: +*`zoom.registrant.join_url`*:: + -- -Name of the signature algorithm. +The URL that the registrant can use to join the webinar type: keyword -- -*`zeek.x509.certificate.exponent`*:: +*`zoom.participant.id`*:: + -- -Exponent, if RSA-certificate. +Unique ID of the participant related to a meeting type: keyword -- -*`zeek.x509.certificate.curve`*:: +*`zoom.participant.user_id`*:: + -- -Curve, if EC-certificate. +UserID of the participant related to a meeting type: keyword -- -[float] -=== san +*`zoom.participant.user_name`*:: ++ +-- +Username of the participant related to a meeting -Subject alternative name extension of the certificate. +type: keyword +-- -*`zeek.x509.san.dns`*:: +*`zoom.participant.join_time`*:: + -- -List of DNS entries in SAN. +The date and time a participant joined a meeting -type: keyword +type: date -- -*`zeek.x509.san.uri`*:: +*`zoom.participant.leave_time`*:: + -- -List of URI entries in SAN. +The date and time a participant left a meeting -type: keyword +type: date -- -*`zeek.x509.san.email`*:: +*`zoom.participant.sharing_details.link_source`*:: + -- -List of email entries in SAN. +Method of sharing with dropbox integration type: keyword -- -*`zeek.x509.san.ip`*:: +*`zoom.participant.sharing_details.content`*:: + -- -List of IP entries in SAN. +Type of content that was shared -type: ip +type: keyword -- -*`zeek.x509.san.other_fields`*:: +*`zoom.participant.sharing_details.file_link`*:: + -- -True if the certificate contained other, not recognized or parsed name fields. +The file link that was shared -type: boolean +type: keyword -- -[float] -=== basic_constraints +*`zoom.participant.sharing_details.date_time`*:: ++ +-- +Timestamp the sharing started -Basic constraints extension of the certificate. +type: keyword +-- -*`zeek.x509.basic_constraints.certificate_authority`*:: +*`zoom.participant.sharing_details.source`*:: + -- -CA flag set or not. +The file source that was share -type: boolean +type: keyword -- -*`zeek.x509.basic_constraints.path_length`*:: +*`zoom.old_values`*:: + -- -Maximum path length. +Includes the old values when updating a object like user, meeting, account or webinar -type: integer +type: flattened -- -*`zeek.x509.log_cert`*:: +*`zoom.settings`*:: + -- -Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded -Logging of certificate is suppressed if set to F. +The current active settings related to a object like user, meeting, account or webinar -type: boolean +type: flattened -- diff --git a/filebeat/docs/filebeat-general-options.asciidoc b/filebeat/docs/filebeat-general-options.asciidoc index ad471c64084..a1a844f37af 100644 --- a/filebeat/docs/filebeat-general-options.asciidoc +++ b/filebeat/docs/filebeat-general-options.asciidoc @@ -33,13 +33,13 @@ filebeat.registry.path: registry ------------------------------------------------------------------------------------- NOTE: The registry is only updated when new events are flushed and not on a predefined period. -That means in case there are some states where the TTL expired, these are only removed when new event are processed. +That means in case there are some states where the TTL expired, these are only removed when new events are processed. -NOTE: The registry stores it's data in the subdirectory filebeat/data.json. It +NOTE: The registry stores its data in the subdirectory filebeat/data.json. It also contains a meta data file named filebeat/meta.json. The meta file contains the file format version number. -NOTE: The content stored in filebeat/data.json is compatible to the old registry file data format. +NOTE: The content stored in filebeat/data.json is compatible with the old registry file data format. [float] ==== `registry.file_permissions` diff --git a/filebeat/docs/filebeat-options.asciidoc b/filebeat/docs/filebeat-options.asciidoc index b6fa7edbe01..8bbd06ec7f8 100644 --- a/filebeat/docs/filebeat-options.asciidoc +++ b/filebeat/docs/filebeat-options.asciidoc @@ -84,6 +84,8 @@ You can configure {beatname_uc} to use the following inputs: include::multiline.asciidoc[] +include::../../x-pack/filebeat/docs/inputs/input-awscloudwatch.asciidoc[] + include::../../x-pack/filebeat/docs/inputs/input-azure-eventhub.asciidoc[] include::../../x-pack/filebeat/docs/inputs/input-cloudfoundry.asciidoc[] diff --git a/filebeat/docs/images/filebeat-defender-atp-overview.png b/filebeat/docs/images/filebeat-defender-atp-overview.png new file mode 100644 index 00000000000..7df250e2ae8 Binary files /dev/null and b/filebeat/docs/images/filebeat-defender-atp-overview.png differ diff --git a/filebeat/docs/images/filebeat-suricata-alerts.png b/filebeat/docs/images/filebeat-suricata-alerts.png index a9eb5794ce9..bd45777eef8 100644 Binary files a/filebeat/docs/images/filebeat-suricata-alerts.png and b/filebeat/docs/images/filebeat-suricata-alerts.png differ diff --git a/filebeat/docs/images/filebeat-suricata-events.png b/filebeat/docs/images/filebeat-suricata-events.png index 9395c641ebf..b9501304ca6 100644 Binary files a/filebeat/docs/images/filebeat-suricata-events.png and b/filebeat/docs/images/filebeat-suricata-events.png differ diff --git a/filebeat/docs/index.asciidoc b/filebeat/docs/index.asciidoc index d427d5d8a39..30e0ec38f46 100644 --- a/filebeat/docs/index.asciidoc +++ b/filebeat/docs/index.asciidoc @@ -64,4 +64,4 @@ include::./faq.asciidoc[] include::{libbeat-dir}/contributing-to-beats.asciidoc[] -include::{libbeat-dir}/shared/redirects.asciidoc[] + diff --git a/filebeat/docs/inputs/input-common-file-options.asciidoc b/filebeat/docs/inputs/input-common-file-options.asciidoc index 1947e7cdda7..9bd93e97efc 100644 --- a/filebeat/docs/inputs/input-common-file-options.asciidoc +++ b/filebeat/docs/inputs/input-common-file-options.asciidoc @@ -129,6 +129,10 @@ file is renamed or moved in such a way that it's no longer matched by the file patterns specified for the , the file will not be picked up again. {beatname_uc} will not finish reading the file. +Do not use this option when `path` based `file_identity` is configured. It does +not make sense to enable the option, as Filebeat cannot detect renames using +path names as unique identifiers. + WINDOWS: If your Windows log rotation system shows errors because it can't rotate the files, you should enable this option. @@ -397,3 +401,44 @@ file that hasn't been harvested for a longer period of time. This configuration option applies per input. You can use this option to indirectly set higher priorities on certain inputs by assigning a higher limit of harvesters. + +[float] +===== `file_identity` + +Different `file_identity` methods can be configured to suit the +environment where you are collecting log messages. + + +*`native`*:: The default behaviour of {beatname_uc} is to differentiate +between files using their inodes and device ids. + +[source,yaml] +---- +file_identity.native: ~ +---- + +*`path`*:: To identify files based on their paths use this strategy. + +WARNING: Only use this strategy if your log files are rotated to a folder +outside of the scope of your input or not at all. Otherwise you end up +with duplicated events. + +WARNING: This strategy does not support renaming files. +If an input file is renamed, {beatname_uc} will read it again if the new path +matches the settings of the input. + +[source,yaml] +---- +file_identity.path: ~ +---- + +*`inode_marker`*:: If the device id changes from time to time, you must use +this method to distinguish files. This option is not supported on Windows. + +Set the location of the marker file the following way: + +[source,yaml] +---- +file_identity.inode_marker.path: /logs/.filebeat-marker +---- + diff --git a/filebeat/docs/inputs/input-log.asciidoc b/filebeat/docs/inputs/input-log.asciidoc index 95670734b02..8d4ef24a55a 100644 --- a/filebeat/docs/inputs/input-log.asciidoc +++ b/filebeat/docs/inputs/input-log.asciidoc @@ -57,6 +57,55 @@ multiple input sections: IMPORTANT: Make sure a file is not defined more than once across all inputs because this can lead to unexpected behaviour. +[[file-identity]] +==== Reading files on network shares and cloud providers + +:WARNING: Filebeat does not support reading from network shares and cloud providers. + +However, one of the limitations of these data sources can be mitigated +if you configure Filebeat adequately. + +By default, {beatname_uc} identifies files based on their inodes and +device IDs. However, on network shares and cloud providers these +values might change during the lifetime of the file. If this happens +{beatname_uc} thinks that file is new and resends the whole content +of the file. To solve this problem you can configure `file_identity` option. Possible +values besides the default `inode_deviceid` are `path` and `inode_marker`. + +Selecting `path` instructs {beatname_uc} to identify files based on their +paths. This is a quick way to avoid rereading files if inode and device ids +might change. However, keep in mind if the files are rotated (renamed), they +will be reread and resubmitted. + +The option `inode_marker` can be used if the inodes stay the same even if +the device id is changed. You should choose this method if your files are +rotated instead of `path` if possible. You have to configure a marker file +readable by {beatname_uc} and set the path in the option `path` of `inode_marker`. + +The content of this file must be unique to the device. You can put the +UUID of the device or mountpoint where the input is stored. The following +example oneliner generates a hidden marker file for the selected mountpoint `/logs`: +Please note that you should not use this option on Windows as file identifiers might be +more volatile. + +["source","sh",subs="attributes"] +---- +$ lsblk -o MOUNTPOINT,UUID | grep /logs | awk '{print $2}' >> /logs/.filebeat-marker +---- + +To set the generated file as a marker for `file_identity` you should configure +the input the following way: + +["source","yaml",subs="attributes"] +---- +{beatname_lc}.inputs: +- type: log + paths: + - /logs/*.log + file_identity.inode_marker.path: /logs/.filebeat-marker +---- + + [[rotating-logs]] ==== Reading from rotating logs @@ -66,6 +115,10 @@ a pattern that matches the file you want to harvest and all of its rotated files. Also make sure your log rotation strategy prevents lost or duplicate messages. For more information, see <>. +Furthermore, to avoid duplicate of rotated log messages, do not use the +`path` method for `file_identity`. Or exclude the rotated files with `exclude_files` +option. + [id="{beatname_lc}-input-{type}-options"] ==== Configuration options diff --git a/filebeat/docs/modules/azure.asciidoc b/filebeat/docs/modules/azure.asciidoc index b194b7c320c..853fba43756 100644 --- a/filebeat/docs/modules/azure.asciidoc +++ b/filebeat/docs/modules/azure.asciidoc @@ -58,7 +58,7 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi signinlogs: enabled: false var: - eventhub: ["insights-logs-signinlogs"] + eventhub: "insights-logs-signinlogs" consumer_group: "$Default" connection_string: "" storage_account: "" @@ -69,9 +69,9 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi `eventhub` :: - _[]string_ -Is a fully managed, real-time data ingestion service. -Default value `insights-operational-logs` + _string_ +Is the fully managed, real-time data ingestion service. +Default value `insights-operational-logs`. `consumer_group` :: _string_ diff --git a/filebeat/docs/modules/barracuda.asciidoc b/filebeat/docs/modules/barracuda.asciidoc index 5929c50d7d4..4ec568d507c 100644 --- a/filebeat/docs/modules/barracuda.asciidoc +++ b/filebeat/docs/modules/barracuda.asciidoc @@ -56,7 +56,52 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +[float] +==== `spamfirewall` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "barracudasf" device revision 125. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9524` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/filebeat/docs/modules/bluecoat.asciidoc b/filebeat/docs/modules/bluecoat.asciidoc index 753db835b54..519d0a75885 100644 --- a/filebeat/docs/modules/bluecoat.asciidoc +++ b/filebeat/docs/modules/bluecoat.asciidoc @@ -56,7 +56,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc index c072057cd22..c12f818caca 100644 --- a/filebeat/docs/modules/cisco.asciidoc +++ b/filebeat/docs/modules/cisco.asciidoc @@ -22,17 +22,6 @@ Cisco ASA devices also support exporting flow records using NetFlow, which is supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in {beatname_uc}. -[WARNING] -======================================= -Some filesets in this module make extensive use of ingest pipeline scripts. -This can cause their ingest pipelines to fail loading due to exceeding the -default compilation limits: - -`[script] Too many dynamic script compilations within, max: [75/5m]` - -Check the <> section for more information. -======================================= - include::../include/what-happens.asciidoc[] include::../include/gs-link.asciidoc[] @@ -334,7 +323,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: @@ -346,20 +335,49 @@ will be found under `rsa.raw`. The default is false. :fileset_ex!: [float] -[[dynamic-script-compilations]] -=== Dynamic Script Compilations +==== `meraki` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "ciscomeraki" device revision 118. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. -The `asa` and `ftd` filesets are based on Elasticsearch ingest pipelines and -make extensive use of script processors and painless conditions. This can cause -the pipelines to fail loading the first time the module is used, due to exceeding -the maximum script compilation limits. It is recommended to tune the following -parameters on your Elasticsearch cluster: +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. -- {ref}/circuit-breaker.html#script-compilation-circuit-breaker[script.max_compilations_rate]: - Increase to at least `100/5m`. +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9525` -- {ref}/modules-scripting-using.html#modules-scripting-using-caching[script.cache.max_size]: - Increase to at least `200` if using both filesets or other script-heavy modules. +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: [float] === Example dashboard diff --git a/filebeat/docs/modules/citrix.asciidoc b/filebeat/docs/modules/citrix.asciidoc index ab0ade1561d..f5844cea3fe 100644 --- a/filebeat/docs/modules/citrix.asciidoc +++ b/filebeat/docs/modules/citrix.asciidoc @@ -12,22 +12,22 @@ This file is generated! See scripts/docs_collector.py experimental[] -This is a module for receiving Citrix XenApp logs over Syslog or a file. +This is a module for receiving Citrix NetScaler logs over Syslog or a file. include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] -:fileset_ex: virtualapps +:fileset_ex: netscaler include::../include/config-option-intro.asciidoc[] [float] -==== `virtualapps` fileset settings +==== `netscaler` fileset settings experimental[] -NOTE: This was converted from RSA NetWitness log parser XML "citrixxa" device revision 79. +NOTE: This was converted from RSA NetWitness log parser XML "citrixns" device revision 134. *`var.input`*:: @@ -41,7 +41,7 @@ Set to `0.0.0.0` to bind to all available interfaces. *`var.syslog_port`*:: -The port to listen for syslog traffic. Defaults to `9507` +The port to listen for syslog traffic. Defaults to `9526` NOTE: Ports below 1024 require Filebeat to run as root. @@ -56,7 +56,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/filebeat/docs/modules/cyberark.asciidoc b/filebeat/docs/modules/cyberark.asciidoc new file mode 100644 index 00000000000..9f423f97625 --- /dev/null +++ b/filebeat/docs/modules/cyberark.asciidoc @@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-cyberark]] +[role="xpack"] + +:modulename: cyberark +:has-dashboards: false + +== Cyberark module + +experimental[] + +This is a module for receiving Cyber-Ark logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: corepas + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `corepas` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "cyberark" device revision 124. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9527` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules/cylance.asciidoc b/filebeat/docs/modules/cylance.asciidoc index 1e27640f8df..2eafc21f913 100644 --- a/filebeat/docs/modules/cylance.asciidoc +++ b/filebeat/docs/modules/cylance.asciidoc @@ -56,7 +56,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/filebeat/docs/modules/f5.asciidoc b/filebeat/docs/modules/f5.asciidoc index e0f69dbffac..ed3aa87ede6 100644 --- a/filebeat/docs/modules/f5.asciidoc +++ b/filebeat/docs/modules/f5.asciidoc @@ -12,7 +12,11 @@ This file is generated! See scripts/docs_collector.py experimental[] -This is a module for receiving Big-IP Access Policy Manager logs over Syslog or a file. +This is a module for F5 network device's logs. It includes the following +filesets for receiving logs over syslog or read from a file: + +- `bigipapm` fileset: supports F5 Big-IP Access Policy Manager. +- `bigipafm` fileset: supports F5 Big-IP Advanced Firewall Manager. include::../include/gs-link.asciidoc[] @@ -56,7 +60,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: @@ -68,11 +72,11 @@ will be found under `rsa.raw`. The default is false. :fileset_ex!: [float] -==== `firepass` fileset settings +==== `bigipafm` fileset settings experimental[] -NOTE: This was converted from RSA NetWitness log parser XML "firepass" device revision 0. +NOTE: This was converted from RSA NetWitness log parser XML "bigipafm" device revision 121. *`var.input`*:: @@ -86,7 +90,7 @@ Set to `0.0.0.0` to bind to all available interfaces. *`var.syslog_port`*:: -The port to listen for syslog traffic. Defaults to `9509` +The port to listen for syslog traffic. Defaults to `9528` NOTE: Ports below 1024 require Filebeat to run as root. @@ -101,7 +105,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/filebeat/docs/modules/fortinet.asciidoc b/filebeat/docs/modules/fortinet.asciidoc index cef820bd0bb..78c8825bdd1 100644 --- a/filebeat/docs/modules/fortinet.asciidoc +++ b/filebeat/docs/modules/fortinet.asciidoc @@ -10,7 +10,13 @@ This file is generated! See scripts/docs_collector.py == Fortinet module -This is a module for Fortinet FortiOS logs sent in the syslog format. +This is a module for Fortinet logs sent in the syslog format. It supports the +following devices: + +- `firewall` fileset: Supports FortiOS Firewall logs. +- `clientendpoint` fileset: Supports FortiClient Endpoint Protection logs. +- `fortimail` fileset: Supports FortiMail logs. +- `fortimanager` fileset: Supports FortiManager logs. To configure a remote syslog destination, please reference the https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/260508/log-syslogd-syslogd2-syslogd3-syslogd4-setting[Fortigate/FortiOS Documentation]. @@ -100,7 +106,97 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +[float] +==== `fortimail` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "fortinetfortimail" device revision 131. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9529` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +[float] +==== `fortimanager` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "fortinetmgr" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9530` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/filebeat/docs/modules/gsuite.asciidoc b/filebeat/docs/modules/gsuite.asciidoc index 0870f008c79..2b268425355 100644 --- a/filebeat/docs/modules/gsuite.asciidoc +++ b/filebeat/docs/modules/gsuite.asciidoc @@ -21,14 +21,28 @@ include::../include/gs-link.asciidoc[] It is compatible with a subset of applications under the https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started[Google Reports API v1]. As of today it supports: -- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[SAML Audit Activity Events] -- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[User Accounts Activity Events] +[options="header"] +|=========================================================================================================================================================================================================================== +| GSuite Service | Description | +| SAML https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[api docs] https://support.google.com/a/answer/7007375?hl=en&ref_topic=9027054[help] | View users’ successful and failed sign-ins to SAML applications. | +| User Accounts https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[api docs] https://support.google.com/a/answer/9022875?hl=en&ref_topic=9027054[help] | Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment. | +| Login https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[api docs] https://support.google.com/a/answer/4580120?hl=en&ref_topic=9027054[help] | Track user sign-in activity to your domain. | +| Admin https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[api docs] https://support.google.com/a/answer/4579579?hl=en&ref_topic=9027054[help] | View administrator activity performed within the Google Admin console. | +| Drive https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[api docs] https://support.google.com/a/answer/4579696?hl=en&ref_topic=9027054[help] | Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files. | +| Groups https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups[api docs] https://support.google.com/a/answer/6270454?hl=en&ref_topic=9027054[help] | Track changes to groups, group memberships and group messages. | +|=========================================================================================================================================================================================================================== +[float] === Configure the module -In order for filebeat to ingest data from the Google Reports API you must set up a `ServiceAccount` that has access to the `Admin SDK API`. Additionally https://developers.google.com/admin-sdk/reports/v1/guides/delegation[Domain-Wide Delegation] is required for your application to work properly. +In order for Filebeat to ingest data from the Google Reports API you must: + +- Have an *administrator account*. +- https://support.google.com/gsuitemigrate/answer/9222993?hl=en[Set up a ServiceAccount] using the administrator account. +- https://support.google.com/gsuitemigrate/answer/9222865?hl=en[Set up access to the Admin SDK API] for the ServiceAccount. +- https://developers.google.com/admin-sdk/reports/v1/guides/delegation[Enable Domain-Wide Delegation] for your ServiceAccount. -This module will make use of the following `oauth2 scope`: +This module will make use of the following *oauth2 scope*: - `https://www.googleapis.com/auth/admin.reports.audit.readonly` @@ -49,6 +63,22 @@ you can set up your module: enabled: true var.jwt_file: "./credentials_file.json" var.delegated_account: "user@example.com" + login: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + admin: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + drive: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + groups: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" ---- Every fileset has the following configuration options: @@ -68,29 +98,36 @@ Duration of the time limit on HTTP requests made by the module. Defaults to *`var.interval`*:: -Duration between requests to the API. Defaults to `60s`. +Duration between requests to the API. Defaults to `2h`. + +NOTE: GSuite defaults to a 2 hour polling interval because Google reports can go from +some minutes up to 3 days of delay. For more details on this, you can read more https://support.google.com/a/answer/7061566[here]. *`var.user_key`*:: Specifies the user key to fetch reports from. Defaults to `all`. +*`var.initial_interval`*:: + +It will poll events up to this time period when the module starts. This is to prevent polling too many or repeated events on module restarts. Defaults to `24h`. + [float] ==== GSuite Reports ECS fields This is a list of GSuite Reports fields that are mapped to ECS. [options="header"] -|======================================================================================= -| GSuite Reports | ECS Fields | -| items[].id.time | @timestamp | -| items[].id.uniqueQualifier | event.id | -| items[].id.applicationName | event.provider | -| items[].events[].name | event.action | -| items[].customerId | organization.id | -| items[].ipAddress | client.ip, related.ip, client.as.*, client.geo.* | -| items[].actor.email | client.user.email, client.user.name, client.user.domain | -| items[].actor.profileId | client.user.id | -|======================================================================================= +|=============================================================================================== +| GSuite Reports | ECS Fields | +| `items[].id.time` | `@timestamp` | +| `items[].id.uniqueQualifier` | `event.id` | +| `items[].id.applicationName` | `event.provider` | +| `items[].events[].name` | `event.action` | +| `items[].customerId` | `organization.id` | +| `items[].ipAddress` | `source.ip`, related.ip`, `source.as.*`, `source.geo.*` | +| `items[].actor.email` | `source.user.email`, `source.user.name`, `source.user.domain` | +| `items[].actor.profileId` | `source.user.id` | +|=============================================================================================== These are the common ones to all filesets. diff --git a/filebeat/docs/modules/imperva.asciidoc b/filebeat/docs/modules/imperva.asciidoc index 7aa882cca43..f4a994f45fd 100644 --- a/filebeat/docs/modules/imperva.asciidoc +++ b/filebeat/docs/modules/imperva.asciidoc @@ -56,7 +56,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/filebeat/docs/modules/infoblox.asciidoc b/filebeat/docs/modules/infoblox.asciidoc index 17a789383c3..ec404e8b00b 100644 --- a/filebeat/docs/modules/infoblox.asciidoc +++ b/filebeat/docs/modules/infoblox.asciidoc @@ -56,7 +56,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/filebeat/docs/modules/juniper.asciidoc b/filebeat/docs/modules/juniper.asciidoc index 68d0fb7d52f..047e847bc5a 100644 --- a/filebeat/docs/modules/juniper.asciidoc +++ b/filebeat/docs/modules/juniper.asciidoc @@ -56,7 +56,52 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +[float] +==== `netscreen` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "netscreen" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9523` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/filebeat/docs/modules/logstash.asciidoc b/filebeat/docs/modules/logstash.asciidoc index 5c9df956e05..73b285aa6da 100644 --- a/filebeat/docs/modules/logstash.asciidoc +++ b/filebeat/docs/modules/logstash.asciidoc @@ -86,7 +86,8 @@ image::./images/kibana-logstash-slowlog.png[] [float] === Known issues -When using the `log` fileset to parse plaintext logs, if a multiline plaintext log contains an embedded JSON objct such that + +When using the `log` fileset to parse plaintext logs, if a multiline plaintext log contains an embedded JSON object such that the JSON object starts on a new line, the fileset may not parse the multiline plaintext log event correctly. :has-dashboards!: diff --git a/filebeat/docs/modules/microsoft.asciidoc b/filebeat/docs/modules/microsoft.asciidoc index d58edefe56c..513ca155be6 100644 --- a/filebeat/docs/modules/microsoft.asciidoc +++ b/filebeat/docs/modules/microsoft.asciidoc @@ -6,22 +6,130 @@ This file is generated! See scripts/docs_collector.py [role="xpack"] :modulename: microsoft -:has-dashboards: false +:has-dashboards: true == Microsoft module -experimental[] +This is a module for ingesting data from the different Microsoft Products. Currently supports these filesets: + +- `defender_atp` fileset: Supports Microsoft Defender ATP +- `dhcp` fileset: Supports Microsoft DHCP logs -This is a module for receiving Microsoft DHCP logs over Syslog or a file. +include::../include/what-happens.asciidoc[] include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] -:fileset_ex: dhcp +:fileset_ex: defender_atp include::../include/config-option-intro.asciidoc[] +[float] +==== `defender_atp` fileset settings + +beta[] + +To allow the filebeat module to ingest data from the Microsoft Defender API, you would need to create a new application on your Azure domain. + +The procedure to create an application is found on the below link: + +https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp[Create a new Azure Application] + +When giving the application the API permissions described in the documentation (Windows Defender ATP Alert.Read.All) it will only grant access to read alerts from ATP and nothing else in the Azure Domain. + +After the application has been created, it should contain 3 values that you need to apply to the module configuration. + +These values are: + +- Client ID +- Client Secret +- Tenant ID + +Example config: + +[source,yaml] +---- +- module: microsoft + defender_atp: + enabled: true + var.oauth2.client.id: "123abc-879546asd-349587-ad64508" + var.oauth2.client.secret: "980453~-Sg99gedf" + var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token" +---- + +*`var.oauth2.client.id`*:: + +This is the client ID related to creating a new application on Azure. + +*`var.oauth2.client.secret`*:: + +The secret related to the client ID. + +*`var.oauth2.token_url`*:: + +A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL. + +[float] +==== Defender ATP ECS fields + +This is a list of Defender ATP fields that are mapped to ECS. + +[options="header"] +|====================================================================== +| Defender ATP Fields | ECS Fields | +| alertCreationTime | @timestamp | +| aadTenantId | cloud.account.id | +| category | threat.technique.name | +| computerDnsName | host.hostname | +| description | rule.description | +| detectionSource | observer.name | +| evidence.fileName | file.name | +| evidence.filePath | file.path | +| evidence.processId | process.pid | +| evidence.processCommandLine | process.command_line | +| evidence.processCreationTime | process.start | +| evidence.parentProcessId | process.parent.pid | +| evidence.parentProcessCreationTime | process.parent.start | +| evidence.sha1 | file.hash.sha1 | +| evidence.sha256 | file.hash.sha256 | +| evidence.url | url.full | +| firstEventTime | event.start | +| id | event.id | +| lastEventTime | event.end | +| machineId | cloud.instance.id | +| relatedUser.userName | host.user.name | +| relatedUser.domainName | host.user.domain | +| title | message | +| severity | event.severity | +|====================================================================== + +:has-dashboards!: + +[float] +=== Dashboards + +This module comes with a sample dashboard for Defender ATP. + +[role="screenshot"] +image::./images/filebeat-defender-atp-overview.png[] + +The best way to view Defender ATP events and alert data is in the SIEM. + +[role="screenshot"] +image::./images/siem-alerts-cs.jpg[] + +[float] +For alerts, go to Detections -> External alerts. + +[role="screenshot"] +image::./images/siem-events-cs.jpg[] + +[float] +And for all other Defender ATP event types, go to Host -> Events. + +:fileset_ex: dhcp + [float] ==== `dhcp` fileset settings @@ -29,6 +137,8 @@ experimental[] NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99. +include::../include/var-paths.asciidoc[] + *`var.input`*:: The input from which messages are read. One of `file`, `tcp` or `udp`. @@ -56,7 +166,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/filebeat/docs/modules/netflow.asciidoc b/filebeat/docs/modules/netflow.asciidoc index 44ab1dca085..ebb40dfd5c9 100644 --- a/filebeat/docs/modules/netflow.asciidoc +++ b/filebeat/docs/modules/netflow.asciidoc @@ -44,7 +44,7 @@ traffic from network devices. netflow_port: 2055 ----- -`var.netflow_host`:: Address to find to. Defaults to `localhost`. +`var.netflow_host`:: Address to bind to. Defaults to `localhost`. `var.netflow_port`:: Port to listen on. Defaults to `2055`. diff --git a/filebeat/docs/modules/netscout.asciidoc b/filebeat/docs/modules/netscout.asciidoc index d53fec8c56e..a1d4d3dcdd5 100644 --- a/filebeat/docs/modules/netscout.asciidoc +++ b/filebeat/docs/modules/netscout.asciidoc @@ -56,7 +56,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/filebeat/docs/modules/nginx.asciidoc b/filebeat/docs/modules/nginx.asciidoc index b5d52d7d0d9..46b3bf34795 100644 --- a/filebeat/docs/modules/nginx.asciidoc +++ b/filebeat/docs/modules/nginx.asciidoc @@ -28,7 +28,7 @@ The Nginx module was tested with logs from version 1.10. On Windows, the module was tested with Nginx installed from the Chocolatey repository. -`ingress_controller` fileset was tested with version 0.28.0 of `nginx-ingress-controller`. +`ingress_controller` fileset was tested with version v0.28.0 and v0.34.1 of `nginx-ingress-controller`. include::../include/configuring-intro.asciidoc[] diff --git a/filebeat/docs/modules/proofpoint.asciidoc b/filebeat/docs/modules/proofpoint.asciidoc new file mode 100644 index 00000000000..0fad171b32d --- /dev/null +++ b/filebeat/docs/modules/proofpoint.asciidoc @@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-proofpoint]] +[role="xpack"] + +:modulename: proofpoint +:has-dashboards: false + +== Proofpoint module + +experimental[] + +This is a module for receiving Proofpoint Email Security logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: emailsecurity + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `emailsecurity` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "proofpoint" device revision 131. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9531` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules/radware.asciidoc b/filebeat/docs/modules/radware.asciidoc index 4531c23d470..c036143860f 100644 --- a/filebeat/docs/modules/radware.asciidoc +++ b/filebeat/docs/modules/radware.asciidoc @@ -56,7 +56,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/filebeat/docs/modules/snort.asciidoc b/filebeat/docs/modules/snort.asciidoc new file mode 100644 index 00000000000..ff9d5809ae8 --- /dev/null +++ b/filebeat/docs/modules/snort.asciidoc @@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-snort]] +[role="xpack"] + +:modulename: snort +:has-dashboards: false + +== Snort module + +experimental[] + +This is a module for receiving Snort/Sourcefire logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: log + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `log` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "snort" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9532` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules/sonicwall.asciidoc b/filebeat/docs/modules/sonicwall.asciidoc index d1a8f65838c..3994e7d36e4 100644 --- a/filebeat/docs/modules/sonicwall.asciidoc +++ b/filebeat/docs/modules/sonicwall.asciidoc @@ -56,7 +56,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/filebeat/docs/modules/sophos.asciidoc b/filebeat/docs/modules/sophos.asciidoc new file mode 100644 index 00000000000..510afde1f65 --- /dev/null +++ b/filebeat/docs/modules/sophos.asciidoc @@ -0,0 +1,201 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-sophos]] +[role="xpack"] + +:modulename: sophos +:has-dashboards: false + +== Sophos module + +This is a module for Sophos Products, currently it accepts +logs in syslog format or from a file for the following devices: + +- `xg` fileset: supports Sophos XG SFOS logs. +- `utm` fileset: supports Sophos UTM logs. + +To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation]. + +The syslog format choosen should be `Default`. + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +This module has been tested against SFOS version 17.5.x and 18.0.x. +Versions above this are expected to work but have not been tested. + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: xg + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `xg` fileset settings + +The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number. + +Below you will see an example configuration file, that sets the default hostname (if no serial number is included in the config file), and example on how to map serial numbers to a hostname + +[source,yaml] +---- +- module: sophos + xg: + enabled: true + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9005 + var.default_host_name: firewall.localgroup.local + var.known_devices: + - serial_number: "1234567890123457" + hostname: "a.host.local" + - serial_number: "1234234590678557" + hostname: "b.host.local" +---- + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + +*`var.syslog_host`*:: + +The interface to listen to all syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to 9005. + +*`var.host_name`*:: + +Host name / Observer name, since SophosXG does not provide this in the syslog file. +Default to `firewall.localgroup.local` + + +[float] +==== SophosXG ECS fields + +This is a list of SophosXG fields that are mapped to ECS. + +[options="header"] +|============================================================== +| SophosXG Fields | ECS Fields | +| application | network.protocol | +| classification | rule.category | +| device_id | observer.serial_number | +| domainname | url.domain | +| dst_host | destination.address | +| dst_int | observer.egress.interface.name | +| dstzonetype | observer.egress.zone | +| dst_ip | destination.ip | +| destinationip | destination.ip | +| dst_mac | destination.mac | +| dstname | destination.address | +| dst_port | destination.port | +| dst_domainname | url.domain | +| duration | event.duration | +| filename | file.name | +| filetype | file.extension | +| file_size | file.size | +| file_path | file.directory | +| fw_rule_id | rule.id | +| from_email_address | source.user.email | +| httpstatus | http.response.status_code | +| in_interface | observer.ingress.interface.name| +| log_id | event.code | +| log_subtype | event.action | +| message | message | +| method | http.request.method | +| policy_type | rule.ruleset | +| protocol | network.transport | +| recv_bytes | destination.bytes | +| recv_pkts | destination.packets | +| referer | http.request.referrer | +| sent_bytes | source.bytes | +| sent_pkts | source.packets | +| sha1sum | file.hash.sha1 | +| srczonetype | observer.ingress.zone | +| src_ip | source.ip | +| src_domainname | url.domain | +| sourceip | source.ip | +| src_mac | source.mac | +| src_port | source.port | +| status_code | http.response.status_code | +| time_zone | event.timezone | +| to_email_address | destination.user.email | +| tran_dst_ip | destination.nat.ip | +| tran_dst_port | destination.nat.port | +| tran_src_ip | source.nat.ip | +| tran_src_port | source.nat.port | +| url | url.original | +| user_agent | user_agent.original | +| useragent | user_agent.original | +| user_gp | source.user.group | +| user_name | source.user.name | +| ws_protocol | http.version | +|============================================================== + +:has-dashboards!: + +:fileset_ex!: + +[float] +==== `utm` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "astarosg" device revision 123. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9533` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules/squid.asciidoc b/filebeat/docs/modules/squid.asciidoc index 187eed663b2..efcd537cd65 100644 --- a/filebeat/docs/modules/squid.asciidoc +++ b/filebeat/docs/modules/squid.asciidoc @@ -56,7 +56,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/filebeat/docs/modules/symantec.asciidoc b/filebeat/docs/modules/symantec.asciidoc new file mode 100644 index 00000000000..0020888ff9a --- /dev/null +++ b/filebeat/docs/modules/symantec.asciidoc @@ -0,0 +1,79 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-symantec]] +[role="xpack"] + +:modulename: symantec +:has-dashboards: false + +== Symantec module + +experimental[] + +This is a module for receiving Symantec AntiVirus/Endpoint Protection logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: endpointprotection + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `endpointprotection` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "symantecav" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9534` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules/tomcat.asciidoc b/filebeat/docs/modules/tomcat.asciidoc index 7a46670144d..6806a47d557 100644 --- a/filebeat/docs/modules/tomcat.asciidoc +++ b/filebeat/docs/modules/tomcat.asciidoc @@ -56,7 +56,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/filebeat/docs/modules/zeek.asciidoc b/filebeat/docs/modules/zeek.asciidoc index 6df419f6034..f582f9c738e 100644 --- a/filebeat/docs/modules/zeek.asciidoc +++ b/filebeat/docs/modules/zeek.asciidoc @@ -10,8 +10,8 @@ This file is generated! See scripts/docs_collector.py == Zeek (Bro) Module -This is a module for Zeek, which used to be called Bro. It parses logs that are in the -https://www.zeek.org/manual/release/logs/index.html[Zeek JSON format]. +This is a module for https://zeek.org/[Zeek], which used to be called Bro. It +parses logs that are in the Zeek JSON format. include::../include/gs-link.asciidoc[] @@ -21,8 +21,8 @@ include::../include/gs-link.asciidoc[] This module has been developed against Zeek 2.6.1, but is expected to work with other versions of Zeek. -Zeek requires a Unix-like platform, and it currently supports Linux, FreeBSD, and Mac OS X. -Find out how to use Zeek here: https://www.zeek.org/ +Zeek requires a Unix-like platform, and it currently supports Linux, FreeBSD, +and Mac OS X. [float] === Example dashboard diff --git a/filebeat/docs/modules/zoom.asciidoc b/filebeat/docs/modules/zoom.asciidoc new file mode 100644 index 00000000000..4c191cf7abf --- /dev/null +++ b/filebeat/docs/modules/zoom.asciidoc @@ -0,0 +1,69 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-zoom]] +[role="xpack"] + +:modulename: zoom +:has-dashboards: false + + +== Zoom module +beta[] + +This is a module for Zoom webhook logs. The module creates an HTTP listener that accepts incoming webhooks from Zoom. + +To configure Zoom to send webhooks to the filebeat module, please follow the https://marketplace.zoom.us/docs/guides/build/webhook-only-app[Zoom Documentation]. + +include::../include/gs-link.asciidoc[] + +:fileset_ex: webhook + +include::../include/configuring-intro.asciidoc[] +include::../include/config-option-intro.asciidoc[] + +[float] +==== `webhook` fileset settings + +When a webhook integration is created on Zoom, it will show a special token used to ensure that filebeat only handles HTTP requests from the correct source. +This is configured with the `secret.header` and `secret.value` settings as shown below. + +Example config: + +[source,yaml] +---- +- module: zoom + webhook: + enabled: true + var.input: http_endpoint + var.listen_address: 0.0.0.0 + var.listen_port: 8080 + var.secret.header: Authorization + var.secret.value: ZOOMTOKEN +---- + +include::../include/var-paths.asciidoc[] + +*`var.listen_address`*:: + +The IP address of the interface the module should listen on. Also supports 0.0.0.0 to listen on all interfaces. + +*`var.listen_port`*:: + +The port the module should be listening on. + +*`var.ssl`*:: + +Configuration options for SSL parameters like the SSL certificate and CA to use for the HTTP(s) listener See <> for more information. + +:modulename!: +:has-dashboards!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules/zscaler.asciidoc b/filebeat/docs/modules/zscaler.asciidoc index f969982851e..671e3aa9f31 100644 --- a/filebeat/docs/modules/zscaler.asciidoc +++ b/filebeat/docs/modules/zscaler.asciidoc @@ -56,7 +56,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 345ee94ce87..cd466617a94 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -16,6 +16,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -32,7 +33,6 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> - * <> * <> * <> * <> @@ -49,19 +49,22 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> - * <> * <> * <> + * <> * <> + * <> * <> * <> + * <> * <> - * <> * <> * <> * <> + * <> * <> @@ -81,6 +84,7 @@ include::modules/cisco.asciidoc[] include::modules/citrix.asciidoc[] include::modules/coredns.asciidoc[] include::modules/crowdstrike.asciidoc[] +include::modules/cyberark.asciidoc[] include::modules/cylance.asciidoc[] include::modules/elasticsearch.asciidoc[] include::modules/envoyproxy.asciidoc[] @@ -97,7 +101,6 @@ include::modules/infoblox.asciidoc[] include::modules/iptables.asciidoc[] include::modules/juniper.asciidoc[] include::modules/kafka.asciidoc[] -include::modules/kaspersky.asciidoc[] include::modules/kibana.asciidoc[] include::modules/logstash.asciidoc[] include::modules/microsoft.asciidoc[] @@ -114,17 +117,20 @@ include::modules/okta.asciidoc[] include::modules/osquery.asciidoc[] include::modules/panw.asciidoc[] include::modules/postgresql.asciidoc[] +include::modules/proofpoint.asciidoc[] include::modules/rabbitmq.asciidoc[] include::modules/radware.asciidoc[] -include::modules/rapid7.asciidoc[] include::modules/redis.asciidoc[] include::modules/santa.asciidoc[] +include::modules/snort.asciidoc[] include::modules/sonicwall.asciidoc[] +include::modules/sophos.asciidoc[] include::modules/squid.asciidoc[] include::modules/suricata.asciidoc[] +include::modules/symantec.asciidoc[] include::modules/system.asciidoc[] -include::modules/tenable.asciidoc[] include::modules/tomcat.asciidoc[] include::modules/traefik.asciidoc[] include::modules/zeek.asciidoc[] +include::modules/zoom.asciidoc[] include::modules/zscaler.asciidoc[] diff --git a/filebeat/docs/multiline.asciidoc b/filebeat/docs/multiline.asciidoc index 546f71d3276..b73d6217897 100644 --- a/filebeat/docs/multiline.asciidoc +++ b/filebeat/docs/multiline.asciidoc @@ -23,7 +23,7 @@ Also read <> and <> to avoid common mistakes. You can specify the following options in the +{beatname_lc}.inputs+ section of the +{beatname_lc}.yml+ config file to control how {beatname_uc} deals with messages -that span multiple lines. +that span multiple lines. The following example shows how to configure {beatname_uc} to handle a multiline message where the first line of the message begins with a bracket (`[`). @@ -47,8 +47,8 @@ multiline.match: after at org.elasticsearch.action.admin.indices.delete.TransportDeleteIndexAction.checkBlock(TransportDeleteIndexAction.java:75) ------------------------------------------------------------------------------------- -*`multiline.type`*:: Defines which aggregation method to use. The default is `pattern`. The other option -is `count` which lets you aggregate constant number of lines. +*`multiline.type`*:: Defines which aggregation method to use. The default is `pattern`. The other options +are `count` which lets you aggregate constant number of lines and `while_pattern` which aggregate lines by pattern without match option. *`multiline.pattern`*:: Specifies the regular expression pattern to match. Note that the regexp patterns supported by {beatname_uc} differ somewhat from the patterns supported by Logstash. See <> for a list of supported regexp patterns. @@ -71,7 +71,7 @@ the pattern. + NOTE: The `after` setting is equivalent to `previous` in https://www.elastic.co/guide/en/logstash/current/plugins-codecs-multiline.html[Logstash], and `before` is equivalent to `next`. -*`multiline.flush_pattern`*:: Specifies a regular expression, in which the current multiline will be flushed from memory, ending the multiline-message. +*`multiline.flush_pattern`*:: Specifies a regular expression, in which the current multiline will be flushed from memory, ending the multiline-message. Work only with `pattern` type. *`multiline.max_lines`*:: The maximum number of lines that can be combined into one event. If the multiline message contains more than `max_lines`, any additional diff --git a/filebeat/docs/running-on-kubernetes.asciidoc b/filebeat/docs/running-on-kubernetes.asciidoc index 0df3c811a95..40c18b3f8f2 100644 --- a/filebeat/docs/running-on-kubernetes.asciidoc +++ b/filebeat/docs/running-on-kubernetes.asciidoc @@ -4,6 +4,8 @@ You can use {beatname_uc} <> on Kubernetes to retrieve and ship container logs. +TIP: Running {ecloud} on Kubernetes? See {eck-ref}/k8s-beat.html[Run {beats} on ECK]. + ifeval::["{release-state}"=="unreleased"] However, version {version} of {beatname_uc} has not yet been diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index e57e9cbfd43..bf29e0715ed 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -437,6 +437,10 @@ filebeat.inputs: # are matching any regular expression from the list. By default, no files are dropped. #exclude_files: ['.gz$'] + # Method to determine if two files are the same or not. By default + # the Beat considers two files the same if their inode and device id are the same. + #file_identity.native: ~ + # Optional additional fields. These fields can be freely picked # to add additional information to the crawled log files for filtering #fields: @@ -1211,10 +1215,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 @@ -1327,20 +1339,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1350,7 +1369,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -1513,30 +1532,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -1549,6 +1575,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -1656,42 +1688,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. @@ -1824,6 +1870,11 @@ output.elasticsearch: # Set to false to disable template loading. #setup.template.enabled: true +# Select the kind of index template. From Elasticsearch 7.8, it is possible to +# use component templates. Available options: legacy, component, index. +# By default filebeat uses the legacy index templates. +#setup.template.type: legacy + # Template name. By default the template name is "filebeat-%{[agent.version]}" # The template name and pattern has to be set in case the Elasticsearch index pattern is modified. #setup.template.name: "filebeat-%{[agent.version]}" @@ -1927,20 +1978,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1959,6 +2021,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog @@ -2109,17 +2182,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -2142,6 +2222,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/filebeat/fileset/modules_integration_test.go b/filebeat/fileset/modules_integration_test.go index 5428fb1f549..00ced07f6b8 100644 --- a/filebeat/fileset/modules_integration_test.go +++ b/filebeat/fileset/modules_integration_test.go @@ -142,7 +142,7 @@ func TestAvailableProcessors(t *testing.T) { } err = checkAvailableProcessors(client, requiredProcessors) - assert.NotNil(t, err) + assert.Error(t, err) assert.Contains(t, err.Error(), "ingest-test") assert.Contains(t, err.Error(), "ingest-hello") } @@ -235,7 +235,7 @@ func TestLoadMultiplePipelinesWithRollback(t *testing.T) { } err = reg.LoadPipelines(client, false) - assert.NotNil(t, err) + assert.Error(t, err) assert.Contains(t, err.Error(), "invalid_processor") status, _, _ := client.Request("GET", "/_ingest/pipeline/filebeat-6.6.0-foo-multibad-pipeline", "", nil, nil) diff --git a/filebeat/fileset/pipelines.go b/filebeat/fileset/pipelines.go index db129305463..fe7eb86c884 100644 --- a/filebeat/fileset/pipelines.go +++ b/filebeat/fileset/pipelines.go @@ -127,6 +127,15 @@ func loadPipeline(esClient PipelineLoader, pipelineID string, content map[string return fmt.Errorf("failed to adapt pipeline for ECS compatibility: %v", err) } + err = modifySetProcessor(esClient.GetVersion(), pipelineID, content) + if err != nil { + return fmt.Errorf("failed to modify set processor in pipeline: %v", err) + } + + if err := modifyAppendProcessor(esClient.GetVersion(), pipelineID, content); err != nil { + return fmt.Errorf("failed to modify append processor in pipeline: %v", err) + } + body, err := esClient.LoadJSON(path, content) if err != nil { return interpretError(err, body) @@ -232,3 +241,127 @@ func interpretError(initialErr error, body []byte) error { return fmt.Errorf("couldn't load pipeline: %v. Response body: %s", initialErr, body) } + +// modifySetProcessor replaces ignore_empty_value option with an if statement +// so ES less than 7.9 will still work +func modifySetProcessor(esVersion common.Version, pipelineID string, content map[string]interface{}) error { + flagVersion := common.MustNewVersion("7.9.0") + if !esVersion.LessThan(flagVersion) { + return nil + } + + p, ok := content["processors"] + if !ok { + return nil + } + processors, ok := p.([]interface{}) + if !ok { + return fmt.Errorf("'processors' in pipeline '%s' expected to be a list, found %T", pipelineID, p) + } + + for _, p := range processors { + processor, ok := p.(map[string]interface{}) + if !ok { + continue + } + if options, ok := processor["set"].(map[string]interface{}); ok { + _, ok := options["ignore_empty_value"].(bool) + if !ok { + // don't have ignore_empty_value nothing to do + continue + } + + logp.Debug("modules", "In pipeline %q removing unsupported 'ignore_empty_value' in set processor", pipelineID) + delete(options, "ignore_empty_value") + + _, ok = options["if"].(string) + if ok { + // assume if check is sufficient + continue + } + val, ok := options["value"].(string) + if !ok { + continue + } + + newIf := strings.TrimLeft(val, "{ ") + newIf = strings.TrimRight(newIf, "} ") + newIf = strings.ReplaceAll(newIf, ".", "?.") + newIf = "ctx?." + newIf + " != null" + + logp.Debug("modules", "In pipeline %q adding if %s to replace 'ignore_empty_value' in set processor", pipelineID, newIf) + options["if"] = newIf + } + } + return nil +} + +// modifyAppendProcessor replaces allow_duplicates option with an if statement +// so ES less than 7.10 will still work +func modifyAppendProcessor(esVersion common.Version, pipelineID string, content map[string]interface{}) error { + flagVersion := common.MustNewVersion("7.10.0") + if !esVersion.LessThan(flagVersion) { + return nil + } + + p, ok := content["processors"] + if !ok { + return nil + } + processors, ok := p.([]interface{}) + if !ok { + return fmt.Errorf("'processors' in pipeline '%s' expected to be a list, found %T", pipelineID, p) + } + + for _, p := range processors { + processor, ok := p.(map[string]interface{}) + if !ok { + continue + } + if options, ok := processor["append"].(map[string]interface{}); ok { + allow, ok := options["allow_duplicates"].(bool) + if !ok { + // don't have allow_duplicates, nothing to do + continue + } + + logp.Debug("modules", "In pipeline %q removing unsupported 'allow_duplicates' in append processor", pipelineID) + delete(options, "allow_duplicates") + if allow { + // it was set to true, nothing else to do after removing the option + continue + } + + currIf, _ := options["if"].(string) + if strings.Contains(strings.ToLower(currIf), "contains") { + // if it has a contains statement, we assume it is checking for duplicates already + continue + } + field, ok := options["field"].(string) + if !ok { + continue + } + val, ok := options["value"].(string) + if !ok { + continue + } + + field = strings.ReplaceAll(field, ".", "?.") + + val = strings.TrimLeft(val, "{ ") + val = strings.TrimRight(val, "} ") + val = strings.ReplaceAll(val, ".", "?.") + + if currIf == "" { + // if there is not a previous if we add a value sanity check + currIf = fmt.Sprintf("ctx?.%s != null", val) + } + + newIf := fmt.Sprintf("%s && ((ctx?.%s instanceof List && !ctx?.%s.contains(ctx?.%s)) || ctx?.%s != ctx?.%s)", currIf, field, field, val, field, val) + + logp.Debug("modules", "In pipeline %q adding if %s to replace 'allow_duplicates: false' in append processor", pipelineID, newIf) + options["if"] = newIf + } + } + return nil +} diff --git a/filebeat/fileset/pipelines_test.go b/filebeat/fileset/pipelines_test.go index 648e82a1c2e..7c617034f10 100644 --- a/filebeat/fileset/pipelines_test.go +++ b/filebeat/fileset/pipelines_test.go @@ -215,3 +215,382 @@ func TestSetEcsProcessors(t *testing.T) { }) } } + +func TestModifySetProcessor(t *testing.T) { + cases := []struct { + name string + esVersion *common.Version + content map[string]interface{} + expected map[string]interface{} + isErrExpected bool + }{ + { + name: "ES < 7.9.0", + esVersion: common.MustNewVersion("7.8.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "if": "ctx?.panw?.panos?.ruleset != null", + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES == 7.9.0", + esVersion: common.MustNewVersion("7.9.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES > 7.9.0", + esVersion: common.MustNewVersion("8.0.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "existing if", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": true, + "if": "ctx?.panw?.panos?.ruleset != null", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "if": "ctx?.panw?.panos?.ruleset != null", + }, + }, + }}, + isErrExpected: false, + }, + { + name: "ignore_empty_value is false", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "ignore_empty_value": false, + "if": "ctx?.panw?.panos?.ruleset != null", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "value": "{{panw.panos.ruleset}}", + "if": "ctx?.panw?.panos?.ruleset != null", + }, + }, + }}, + isErrExpected: false, + }, + { + name: "no value", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + "ignore_empty_value": false, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "set": map[string]interface{}{ + "field": "rule.name", + }, + }, + }}, + isErrExpected: false, + }, + } + + for _, test := range cases { + test := test + t.Run(test.name, func(t *testing.T) { + t.Parallel() + err := modifySetProcessor(*test.esVersion, "foo-pipeline", test.content) + if test.isErrExpected { + assert.Error(t, err) + } else { + assert.NoError(t, err) + assert.Equal(t, test.expected, test.content, test.name) + } + }) + } +} + +func TestModifyAppendProcessor(t *testing.T) { + cases := []struct { + name string + esVersion *common.Version + content map[string]interface{} + expected map[string]interface{} + isErrExpected bool + }{ + { + name: "ES < 7.10.0: set to true", + esVersion: common.MustNewVersion("7.9.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": true, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES < 7.10.0: set to false", + esVersion: common.MustNewVersion("7.9.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "if": "ctx?.host?.hostname != null && ((ctx?.related?.hosts instanceof List && !ctx?.related?.hosts.contains(ctx?.host?.hostname)) || ctx?.related?.hosts != ctx?.host?.hostname)", + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES == 7.10.0", + esVersion: common.MustNewVersion("7.10.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES > 7.10.0", + esVersion: common.MustNewVersion("8.0.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES < 7.10.0: existing if", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + "if": "ctx?.host?.hostname != null", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "if": "ctx?.host?.hostname != null && ((ctx?.related?.hosts instanceof List && !ctx?.related?.hosts.contains(ctx?.host?.hostname)) || ctx?.related?.hosts != ctx?.host?.hostname)", + }, + }, + }}, + isErrExpected: false, + }, + { + name: "ES < 7.10.0: existing if with contains", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + "if": "!ctx?.related?.hosts.contains(ctx?.host?.hostname)", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "if": "!ctx?.related?.hosts.contains(ctx?.host?.hostname)", + }, + }, + }}, + isErrExpected: false, + }, + { + name: "ES < 7.10.0: no value", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "allow_duplicates": false, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + }, + }, + }}, + isErrExpected: false, + }, + } + + for _, test := range cases { + test := test + t.Run(test.name, func(t *testing.T) { + t.Parallel() + err := modifyAppendProcessor(*test.esVersion, "foo-pipeline", test.content) + if test.isErrExpected { + assert.Error(t, err) + } else { + assert.NoError(t, err) + assert.Equal(t, test.expected, test.content, test.name) + } + }) + } +} diff --git a/filebeat/harvester/util_test.go b/filebeat/harvester/util_test.go index 0f0971a8a42..eb2017d8e0f 100644 --- a/filebeat/harvester/util_test.go +++ b/filebeat/harvester/util_test.go @@ -45,13 +45,13 @@ func InitMatchers(exprs ...string) ([]match.Matcher, error) { func TestMatchAnyRegexps(t *testing.T) { matchers, err := InitMatchers("\\.gz$") - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, MatchAny(matchers, "/var/log/log.gz"), true) } func TestExcludeLine(t *testing.T) { regexp, err := InitMatchers("^DBG") - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, MatchAny(regexp, "DBG: a debug message")) assert.False(t, MatchAny(regexp, "ERR: an error message")) } @@ -59,7 +59,7 @@ func TestExcludeLine(t *testing.T) { func TestIncludeLine(t *testing.T) { regexp, err := InitMatchers("^ERR", "^WARN") - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, MatchAny(regexp, "DBG: a debug message")) assert.True(t, MatchAny(regexp, "ERR: an error message")) assert.True(t, MatchAny(regexp, "WARNING: a simple warning message")) @@ -67,5 +67,5 @@ func TestIncludeLine(t *testing.T) { func TestInitRegexp(t *testing.T) { _, err := InitMatchers("(((((") - assert.NotNil(t, err) + assert.Error(t, err) } diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go index 9f72e7fc7b0..77bce834092 100644 --- a/filebeat/include/fields.go +++ b/filebeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "eJzsvXtTHLmSOPr/fApdNuKHOdsUD4ONuXcjfgwwM8TamDH4zJ5Zb9DqKnW3DlVSjaQC92zsd7+hTEmlegCNTfkxy5zdGbq7SkqlUql857+Q3w7enZ6c/vz/kCNJhDSEZdwQM+eaTHnOSMYVS02+GBFuyA3VZMYEU9SwjEwWxMwZOT48J6WS/2SpGf3wL2RCNcuIFPD9NVOaS0G2kt1kM/nhX8hZzqhm5JprbsjcmFLvb2zMuJlXkySVxQbLqTY83WCpJkYSXc1mTBuSzqmYMfjKDjvlLM908sMP6+SKLfYJS/UPhBhucrZvH/iBkIzpVPHScCngK/KTe4e4t/d/IGSdCFqwfbL6fw0vmDa0KFd/IISQnF2zfJ+kUjH4rNgfFVcs2ydGVfiVWZRsn2TU4MfGfKtH1LANOya5mTMBaGLXTBgiFZ9xYdGX/ADvEXJhcc01PJSF99hHo2hq0TxVsqhHGNmJeUrzfEEUKxXTTBguZjCRG7GernfDtKxUysL8J9PoBfyNzKkmQnpocxLQM0LSuKZ5xQDoAEwpyyq307hh3WRTrrSB91tgKZYyfl1DVfKS5VzUcL1zOMf9IlOpCM1zHEEnuE/sIy1Ku+mr25tbL9Y3d9e3n19s7u1v7u4/30n2dp//vhptc04nLNe9G4y7KSeWiuEL/PMSv79iixupsp6NPqy0kYV9YANxUlKudFjDIRVkwkhlj4SRhGYZKZihhIupVAW1g9jv3ZrI+VxWeQbHMJXCUC6IYNpuHYID5Gv/Ochz3ANNqGJEG2kRRbWHNABw7BE0zmR6xdSYUJGR8dWeHjt0dDD53yu0LHOeAnQr+2RlKuX6hKqVEVlh4tp+UyqZVSn8/j8xggumNZ2xOzBs2EfTg8afpCK5nDlEAD24sdzuO3TgT/ZJ9/OIyNLwgv8Z6M7SyTVnN/ZMcEEoPG2/YCpgxU6njapSU1m85XKmyQ03c1kZQkVN9g0YRkSaOVOOfZAUtzaVIqWGiYjyjbRAFISSeVVQsa4YzegkZ0RXRUHVgsjoxMXHsKhyw8s8rF0T9pFre+TnbFFPWEy4YBnhwkgiRXi6vZG/sDyX5Dep8izaIkNnd52AmNL5TEjFLulEXrN9srW5vdPduddcG7se954OpG7ojDCazv0qmzT2nzEJIV1tr/xXTEp0xgRSimPrB+GLmZJVuU+2e+joYs7wzbBL7hg55koJndhNRjY4NTf29FgGauwFN3VbQcXC4pzaU5jn9tyNSMYM/iEVkRPN1LXdHiRXaclsLu1OSUUMvWKaFIzqSrHCPuCGDY+1T6cmXKR5lTHyI6OWD8BaNSnogtBcS6IqYd928yqdwI0GC03+5pbqhtRzyyQnrObHQNkWfspz7WkPkaQqIew5kYggC1u0PuWGvJkzFXPvOS1LZinQLhZOalgqcHaLAOGocSqlEdLYPfeL3ScnOF1qJQE5xUXDubUHcVTDl1hSIE4SmTBqkuj8Hpy9AZnE3ZzNBbkdp2W5YZfCU5aQmjZi7ptJ5lEHbBcEDcKnSC1cE3u/EjNXsprNyR8Vq+z4eqENKzTJ+RUj/06nV3RE3rGMI32USqZMay5mflPc47pK55ZLv5YzbaieE1wHOQd0O5ThQQQiRxQGcaU+Haycs4Ipml9yz3XceWYfDRNZzYs6p/rWc90+S8d+DsIze0SmnCkkH64dIp/xKXAgYFN6LdC1F2rsVaYKEA+8BEdTJbW9/bWhyp6nSWXIGLebZ2PYD7sTDhkR09ijO9Pdzc1pAxHt5Qd29llLfy/4H1a+efi6w31rSRQJG967gYt9wgiQMc9uXV7WWJ799xALdGILnK+YI3R2UBOKTyE7xCtoxq8ZyC1UuNfwaffznOXltMrtIbKH2q0wDGxuJPnJHWjChTZUpE6OafEjbScGpmSJxF2npL5OWUkVnOIwNtdEMJahAnIz5+m8O1U42aks7GRWvo7WfTK1kq/nPLBUZEn+Kzk1TJCcTQ1hRWkW3a2cStnYRbtRQ+zixaK8Y/s8t7MTEG3oQhOa39j/BNxaWVDPPWnitjpxHN+1t3lSo0YEnh2wWj+LJO6mmLD6EbjC+LSx8fWOtQmgsfkFTedWJ+iiOB7H49lpmwOg+u9Oj20iuwXTi2Qz2VxX6XYsxuiGDFMZKWQhK03O4Uq4R545EITWr+AtQp4dnK/hwXTSiQMslUIw0BhPhGFKMEPOlDQylbmD9NnJ2RpRsgJ9sVRsyj8yTSqRMbzIrbCkZG4Hs9xNKlJIxYhg5kaqKyJLq0dKZQUer+SxOc2n9gVK7H2XM0KzgguujT2Z1164smNlskBJjBri9FZcRFFIMSJpzqjKFwH7UxByA7Qy5+kCBMs5s6IvLDBZ+sIUVTEJAs1dV2Uuw63d2Ap3JeA4VhGVKQhXDqLONjl5I3wdCN7tohvo2cH56RqpYPB8Ud84GoXngHo8EyeNdUekt7W79eJVY8FSzajgfwJ7TLrXyOeICaCmXMZYjlid1+9IV+UjIGOpQu+TKc11fSNkbEqr3OCQzR8be/A2WhPM18HDz1JaGnz9+jA6g2nOW7rEYf3NHcrEgXvTHjZPj1Q7AuSG27OApO+3yR1BC95UempzSoJiM6oyEB6tbCiFHkXPo+A44Whu49Jqn9Nc3hDFUqtXNVTXi8MzNyreTDWYHdjsF/bxCDI4gJqJoDLYZ87/cUpKml4x80yvJTALarulYyGdqdCsZEW7xqRe11FgM2PawuGkcY8lo6jQFIBJyLksWJCPK416hmGqICveVibVSq1ZKzb13MqBIloL1Hj03M9OD8SdnbCgB4EeGCHAHUsLlpj5ba6niOFHjdYRkZ/A3l6VrixC3Ki1AsaFBe+flcANAH0MNSxvyewZrMavkKYzpBWscL/W4UR7E1IwPOF4G36eYCqEw4OiGs0yollBheEp8H720Tipjn1EeX2EQpTnCDrIdkaSa26Xy/9ktXJtF8oUKNyam4q67TiZkoWsVJhjSvPcE5+/ESw3nUm1GNlHvVCiDc9zwoRVLx3don3SCi4Z08aSh0WpRdiU53lgaLQslSwVp4bliwcoVjTLFNN6KJ0KqB21aEdbbkIn/wQ2U0z4rJKVzhdIzfBOYJg3Fi1aFgzssiTnGuxWJ2cjQv09KxWh9mL5SLS0dJIQ8o8as05MA8Nhza/njCh642HydD9O3BdjRFlTyhRWCa+FyKxC2yFejeOEl2MLyjhBsMYjkrGSicyJ+SijS1EDASq927Faikr+113gVCdPd3gE1WRhmL5HtI/2Hi08zdcagPxof0DrTvCwuDPpSAJZZ3er9nYagCFhD6B0OB6O4yeNOWdMJik3i8uBDASHVmbv3Z03VkdgNO+CI4XhggkzFEynkbEiTNaB71QqMycHBVM8pT1AVsKoxSXX8jKV2SCowynIyflbYqfoQHh4cCtYQ+2mA6l3Qw+poFkXU8Ae71emZ0xelpKHu6npHJBixk2V4X2dUwMfOhCs/jdZycHVtP7yefJia2fv+eaIrOTUrOyTnd1kd3P31dYe+Z/VDpCPyxNbNkDN1Lq/j6OfUOL36BkRZwNBKUxOyUxRUeVUcbOIL9YFSe0FD2JndIEe+nszWJiQwrlCiSpl9sZwwvc0l1K5i2cEFpU5r0Xb+oZC8HJSzhea2z+8hyP1x1pHIJxKE7lxwX/D0e5QwAU5Y9KvtmuHmUhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzCmoji5T0whAeaxHlyFoQ0zxHhsogpC42x3pDjXYsnZ9c79ouTs+sXtfDZkrcKmg6AmzcHh7dBTRo2b5O08dJ7rG/BzYVVL1FLOjmzEzmdAQNTTg8uggJOnrFkljhrEs1jQwFBbdMbmhqujXBWIp3TKrVgfhQzkkuakQnNqUjh6E65YjdW5QEdX8nKnugWxu2iS6nMwwRcL+Roo3i/1Btjw47/veADddsHyHuNVZ/h258k3W034ejsyTJC5+37ceb24Dbit9xJG6ZYdtknVz7e9WaVmzmfzZk20aQeRzj3CBZSlizzIOtq4sXRsP8/1T4evKai4ZwuOpUKwkiSGcj2SSqLFcI1WYk+t11PGE7jXEoZM0wVcBWXiqVcW10L7CgUtV9wxEIYUTXJeUp0NZ3yj2FEeObZ3Jhyf2MDH8EnrI61lpALtbCUaiQaDj5ye/Xh9TpZEM2LMl8QQ6/qXUVtOafagF8DY2lQMRfSEFD6bliew9ovXh/Vzt+VVCbV1Ur3Lq2R0SAJI8tL2P4vQBFsOrUH+JrZWZ1M4/bwGbt4fbQ2Qm/OlZA3wlvJGmARh/qRN0cCikpak70bD67ILvG05w3DWjzWGALq+b7JBkjmNoqpN2I52oHvG2RTaaaSYSkm1sjQcC0VmoPt5OijKhiYSeT0No5BBXl9dHAGoRC44qMwVEwqq93VsYLyfKDFWfGfwAReZkm6AEyrPO+RJL9Lw4xd8KomdkkwHSgY9JrynE7yrjB7kE+YMuSYC22YI7EGbsDO+tUIEGYfngJxkYPF4HTjUKYu5grX513lYJHcKHNqrATSQ6gI54DqcrwTOFkXiDnV88G0dcQU8B07j+XJqVSKWdG3EfA1RcM4MChBqJBiEYePohAXkcp7zVwwyxhWwTM0aMMHu7pxCDJMpZjiXtG8MScVmb2SakcO8VHBfUQ1SExTh5SCDgZzdqF4PAX5q7G087mVttGqAsGFXHQXHfE0Cjyt4TmWFS4vOI79F7f7jTHRgCDpBf8CDEXAGTpVNAQf12GV6ADCmCSvTkBkErk1jHJK3jCjeIrhTToOn6KCHB9uY/CUpb4pM+mcaTAqRaMTbrSLXK2BtJTbDLhuRM5yHcJymiC4cVUlXEisYoU0IYiHyMponrFopjZkCBMlLmbTL8gTmKhfdQaxZmw4DloPBMGpbnKv8tlhua5BdQh7iIswBXPtcFx/9aJGEM4FQbmx44RnIdDanegFyfh0ylSssIPZj0N4sb0H7TFcN0xQYQgT11xJUTRtRjVtHfx2Hibn2cg7ZYD+ydt3P5OTDEOhIUigajOXroD64sWLly9f7u3tvXrV8nOhiMFzbhaXf9aewMfG6kE0D7HzWKyg+xFoGo5KfYg6zKHS64xqs77VsuC5+LXhyOHExy2eHHnuBbD6Q9gGlK9vbT/f2X3xcu/VJp2kGZtu9kM8oDgQYI4jTLtQR/ZG+LIbKPloEL3xfCCKmbwTjWY7KVjGq6YyXip5zbOlHNGf7eOCs+YnTPzhjPN+6I0eEfpnpdiIzNJyFA6yVCTjM25oLlNGRfemu9GNZaFRfKBFOZv4Jx63+DqWGbvUfCaovTob97LMGDlv/HL7BX0xZ5q1E0Qa4hrcdBMuqFrApCRMqpcPOcTg8HtEqImUOaOiD20/4k8gydIShAWOcZYOFos+F9XT9akZVbHVMOwt8pIHVRtqqsGCXg6yjLuQti6WgdKZstdGakV1BKUnDr1COdyliczstZ2qRWnkTNFyzlPClJIK87g6o17TnGexR86qUarSxs9HXjN6zUgloqgtPIb+1foVfz7r8cOwN1STSqRzll6xnhj/43fv3r67fH968e79+cXx0eW7t28vlt6jCjMSB3JcnePwDYYdSD/wuzoMgKdKajk15FCqUjbC8O9dCqCRLXNf3nE8Vs+NVAzl03gre7aHpPOmyfrvdk8pRPrVr9/2HqRhYeKdD20ageRq+VitNYIo6uKgpMgXzRysyYIYKXONUWwUzAyQFcPSK5RNkQ47JPOwgwzE+pl47ec7aGKBK6XJga6ZsiJfRujMCuGRNjdnNQ8Vpilp9h432kD+PWdpGcTUFwcweUfG4c6Iv7wjDjg82Iz1dFGYnXzeKMOwZKldjQMyQIFE4Ozjzhsnp/EgUXJ4dFfNWV5GVg1QdNCLF4bWToUSC3uzGh7MVsvcWEMaHurF86wp/PGCzgYVRmOhCiYLIUQIkCW0ScVzY/XAHtAMnQ0EWU1ZDi46a5mZo5T1u6ePUtfvSF5vi+kwq8sDb8w74HbUi66jJIIcijQ7lCCKo5OCCjpD5s91TQgdIQpT5iM+EoUcx5zkqPX1HbwkevTu0HRkuNHTEHaEbvGNZuZ4z5hRNPp9cejIflwc+rcYKN2I814qWjrcMq7axCNFS4dhIWr6KVr6KVr6f3e0dHwwfVCNKy3T3q8vFTIds8KnuOmnuOnHAekpbnp5nD3FTT/FTX9PcdPRJfa9BU83QCfDRFDz0s4W3/T3hA2zRrxwqfg1NYwcvfl9rS9iGE4N6CHfVNA0ROlGxhm3UjDZ1LgxkkwWgIkjBiWGHn+FQ4RBP0Bs+3Kx0LfS8tcOiM46EuVTVPRTVPRTVPRTVPRTVPRTVHSb4J6iop+iop+iop+ior9llvbZUdFZjteL9369fg0f7y7Lu0zEFcSb5HyiqOJMk2whaIFqlEe5pJmvfOyKrIJJxv38hoqFq1IXF2l1JaMkWdFzCkmOjXlWXIFcHz6Lhh4fSzepQjV8CPBgBseDWvQ0zz3qpjLP5Q0Xs30Pzd/IES5gPefiys23IM/GSZbn4zVX+M6riFKQ37jI5I2u3z9HcN9iZM6zcaJl33vvBf+4DjJbZ+0dWBpgLHI+6RuwoOnb8+Vdgc2wvOQ7intrQf4UBvfth8G1t+yvExXXWtlTkNxQQXItRD/FzN2CJysxJkW2OxBDfHO0i1M8CB49p1sDAXT+y8HWp0G0vftiOJi2d198GlS7zn47CFS7W9sPg2ogDt3Qdp1w074261KaBS21N3rHPB1aHUlBMq6vusfmiinB8ufbiZd8l1huSc1Qat1PVZ4jxHaSztpbwB/uf3CC5QesOf18+8MnLQgsjCUVi4GWdRLKzuA0nQ0a+WSYjEBrjqLkOVuHGNdHvYhLlkSADb3alov8ExZ7RuM4gvsXZ4e/7K2V/viru24WTn/gyl4kz5NXLzY3k62XO1u7D1ii7+BzCWsdNNHNLfRziPX87ODk9CI5/o/jByzRNdAZel1ums9Z30o4jR8+Hhx7NRf+fhsUVuRNK3cjIFggRKOs/tHp+X0WiJ8asbZ2wqPTc/JHxcDSYAVVKvQNi1p32d9dYrYTWBmHZNdQSrmuee/HWpBScQm2hhkzWEkah3WDPhtnQkOa4z48P15zTXQWfpJ4dLA6+1LMaC6r2xm5EXHaEDqs0VlCdWybcDCgWH3DFKv3Di2nXOM4XSjx1fHaQyKDGyt+9Jj11QNBqFJ04ZGBWHbvo5uIpnMHBtGu6rliplIiMmj6ZniuDFgkMTAC1u0rtnAoq+N1/d7gFmjm+7I1wpEnC3J8eF63zXiHJdxxrLmV4aGtQmwEKOrl4I9+ckFu7FvHh+du+HYEkt1mS34Q9YR+fOxaAr80Q8rtc57MyYEhBRe8qIqR+7K2CrhFFVbjiztoje0sYwscpP53lsF17RsZWWErDEntaCkIK9z4No5Uk1JqzSfob8igIrm9+WltKnFGQx933A8o1STFjjaNOPYWRSZpTgeLWMecfYrROWFDfG5BhhTDofERxpRgYf8Oszw57QU9qtswiIsboI24I0YstDpFusPBKBZN8HF0+GrJRKa97wWyrIFheZTEA/q1dwTtrc3E/18vFoaMW7xoOuEtxUXpyi3QSYll7nWzcRB1xhA5JYenB2+O7YGYMIss+35+zbJRzJxWVzUZo7OkZjEmyl+QwjdekkoxXUqL4mDZiwaBc5mQk8CrhDTe094e0zc3HEN7Bh8sP7Y3D4PGpJ1tubm5SW4Jw/A7Y8wyLufbApUs7iEzB2LIrsFCajk3rBcQ0LsJ3uZE03nM2NkU+FIjz4LrlKqMZQn5nSnpc+gLsNnMXSgqstAaf5MaaThFT1x7P50OWMfgYl7XMPhEFgOk2bQYMJoxdTnNfXPIIczfcGfLKdkmOTOGKeCSODOBmRuFSEpsZVQXO9gnBwcjcnE4Iu+ORuTdwYgcHI3I4dGIHL3tkKz7uE7eHdV/NuPHB3NP2x2yS8PYvdhNTTWYjeuWt0rOFC2QAkOb3oAE+wiIZZhcEw0EWWslr/NxkDnoHg1qe2trq7FuWfbEFT/64p0nSgo0l6MYhemwzhx9xQUE0KEA25BpSWhpGkcvQS9G43FXN4fBwHIcBmVkwAw4CeMxb8XRr++P3/2jgaPAGb+YxODa/LjbAvWSe4WDBgMf8l6EC7EFWnzvBXNaqyCTkGK9VFwY6NeXzim0tFaaPJuwXN6Q59uQeGchIFvbL9ZGEe1L3Xij5uVBQ8J2TEyntLRnimpGtjbhCpnBHB+Ojo7WajH8R5peEZ1TPXca3x+VhKSmMLIbKiEXdKJHJKVKcTpjTnfQKKPmPEq/mzKWxSOkUlwz5YKDP5gR+aDwrQ8C6I85n8aD7tiwzV89FvYp/vWbiX8NRBGQPyQxhElAxastC26BdQvBDol2GYUbaA4qoUusAKCBEYaZRjVqdDXZtuvcShxWgDRGDZzXEDacjF57rcdYGSGJCEmMojyH7oJMcdkv+PYj/Sn6GNnfU/Txg6KPa/r5MgqC05PuFioODg6akrHXVS8/J4fooGOiy3NycmZlOAa1wMaxaWPcsjH4H8fe1Odoh0+nPK1ysCBVmo3IhKW00sEyfU0VZ2bhlaOYUAtqtFUK7VAOrIQcfzTKt/wD+KIKAx5Qg+3PJQGraISccS2uQst3boI5C3slZOyjfbuwVBIPjSIBvgS/M6o5hKiFEevmeiipWOF2Krt1FYN20zadNL/bam8wSMJfQhHwc/WnGp6+hVigBnQDno3V+HAEA78P2chGDtFWJgX6a15e0MOwLtcTOQgglGXGr5mG7oWRa6HRzhAeSxWLQ6UyocMoU4St7SNYFooaAG/wd+6ABhCt+aGNOWChZMqt/5ks0fqaL+wQWspwrzhtDU/HWkIORAb1WlMpasXVYbV59m93VHh7vtXjHE/o8NJg+A3V9dKGC+j48D4X0Btm6HpsrPbVmZw1evnCfve1mVbsj4orlkGhs0eIcDg+PA9+VLjHAn7tYjQxMiFjlurEPTTGCH8PRs0EQTAC1lNpg/UJIdo777QPJeS3ORO4Z7CB2LU/yGtcZDxlmqyvOyOpc2BYgCw+dc5nc5P3FaWNVgPvR8G1ObMs2upvyrUppdk/Lag+TTGds4K28E8873dL6BqVk81kM6YcpWSjENhx+GLpEGZoQ++dQS7iEsh3AXaNgMf32NC2QPkBn3NuoLJkUNAlZ1gC2aLZMwIIwk+pvYVu8PYJdgzce240y6e1ok0Fjv4AN91AyeWATDT6tNwJCOCdNrhhYvpDekgPBM7QdA8YUfB9z2K9saoxsDY0vbq00sVfIQ3qAoMvU2jenLLg+wGMWmItc/ARso+tfkZfSNANuzvCk+ZK5ZpgYovDF9jHlJV1pnHEKv5Jr2mSUzFLTqs8P5Pgjjj2j8c85LrVUfz4eomG4qGRb28hQd8duT84PJdeXcGag4qnDV4QWM6BfbTVstyyh/ad7G9iaAhWMDPHcxp4U60pvJaBM8HFwUWaV66OO3htqAmuMtC0xKweI9QUtxPVi3Dj+aGoT+ewVKaML2LvStPXDdadTR0VmpDW7sb0/m/Q/eLE7RGW9+rp0j5h5saK+TS0Y3byjLoObmaczDU4Z1DDP82ltms78DtxP7qxlIQ/x1JBbS0otpOTglFdKVZgFwAImu7DbPQYBPoaesUCDcdojsmjxnHBCgkRKkxDP203XFZj2rXVvuaBZxlWgCG/Uiwh5wz3fIzl5+xFN8Zlc+MKPANT0HUL/MiTH45wHJHgILXzamP19MYlvlw1/iWq7XyyroCjBwXBOx+a9feclSPUk8FCk3FYhIjeIidQ+hNIoBZB51R4vPpO6OPadB021zKMMSBknWbZeETG7tysw7lh8NWU52wdxfxsjL4j70Fp3AYg30dBK1gfs8yBwvpq+FeaqfWSam2RuY5hSU2ZwoE+zHZgAgwcpCmZWjXIypKHOKcvkoaBXqhhg5RKDe5IbQsDZcUZtNzW2IE88GTOmaIqncdxxO29qcU/3O6VCZ+RSQX1NlYsfNGInOmmUS2SyHPDlON2rSn23c6OycJdFkFMx94izsrlHgtjQtoENwvnO0PJmmvkWfki7kviZrSbMnad/l2KkWVj9YhEVxMPVpvqw/hejXPzgg2N5rm8sRBa3TJtbpS7d9ySIlMcNVYOga0J+kaEya5qWJm5FfWiulu3y7iPZ0o4cfJlGrk5QzQdLApyxUG/hoy4CHNRdUsfslVpFi6NjOlGZw8nYGpSiajU5YgoNqMqy+PdB+4PTxMrx1T2D6mIXR7ocaBP4UUjr5mCW8Zq8UFk8pIdj7eE+aBNlHPIyVF3G3Ze7Ow1kY8c6B5ekNXGiCZ+3WnAQTrtaNgG3I83VksNvBVuxSlXUUKNYhR4m6XOGeyJVPYzWFFKXrIcej/cQtMZtzJE6orn/F+oH2poUSLboCb+ysRtUE1sJQ+3OUNro5X3fDGeEI3TvlJOBCnslay5qVAZHrmQQ3MjSZjWHbQJ61G5kfX7j2kczSJ8pjVmLOUpJBS5Sjw5hNWgYBRbm1yEgou3RBKvmUQstsC2wKuAdNyTkLGbEW4cl2hBUkjBjazj++ohVldBLfY7Zj/6Xi5GkivGSlKV6EaAl+LD1cSqVasR0iYe7dWKJy6l+Sje2dq9G+Wmx1lV25tbL9Y3d9e3n19s7u1v7u4/30n2dl/+3oxCzKihmt1XQenzKz7gNK3ANNHACLpWwBFeYClbKjDYzOlTVoWQyl83WN+Lpo17JpezkdP/cjlbG8WTh1vESCfjLOratdF5TWURld/Ddlc12LDpiqWyKIBnQy62kCZYtmB4K/c05gZVLwTJFTKr8pr0sYYHJmuj1ENJJrH9legM03PZlDSdsyTCRdjeSi1T+LGnQlbrTS7Kylz6HwUV0kXCef2vMvEDVL/hec57n0EHG9DIVi/hHLmpGzY0Ap7AMG2TkpBPIdbtmcfPzKpNijkfpKmdfo24xj5e5BkNzC4yrwrYPeWd6iJMLBO0dduVUoPauU3aFwnSm704/fderAqA27sGfIZyAupiq6r9gGU9fqF6Tp6VTM1pqe3h08Z+M+VixhSE26yB84/euJvMSLsBFP1Ske2nkEIbZZcPJgMwvFrJsU30dT+pvr8Ofjw8+mJWvZMju5pQMj1Sxlow79Gd6e7mZtaETMxYN6l6eZnkItwJQBeBq1Kl+LWPwGRQfFTR3AWUGqk6EgbIFr7eBAgD4/rCiWXxFl16cSFfEJmmlVIsSxynrG/iXMvO6A1pKp6gYBR7ovu8ZUzwsfd1VImfBAGKaHrTqwOfCKdU2tOFSr9Vw7SuCisxCEns2kDbGQVJwd293jU1V1LIXM4aRT/sVSOvfFgA1/sNXJH/r724+hu/3eOl7uzdZGtz6/els6OveJsZfWN6rg/g+iRFF4076FG0A637Udq2SUhP8WJD/LPp1OH3XBcDcKDFFtrxIkecL1IdHKK13aRXg3bxwV5rQX6HYvus4npOaM6U8YIMnIWGdawVd4CXVnO0loyKayRzeePkcYsqgKCRLRZdcGRORZZDXOGcLcBVdmNVZWGiY6qYXTMYK+svUcwAhCiZ16vmBkaBkw5NYSAASxtLDDdzBmlqIaIdW4qCo8+AW3BW5VSFUPtadVRWuOoReXLm6n4Gp0ksUw0myOIsUY4JRD3DWtqSovOKO/UBFBTkVVVZSuVMNKkUKSsh5AmHRo0ir2YgCXQtKbVbnsJJEF56Rnn4AERBuH/XRv7c4MjjVvhZQxWsXRFgBrTP3yZnNrDuef8QeH9nmTr7aILxwJKzMFyF0/fekf8dUsMtSrSV2CEWhqF0l8n0MuphmHFtJZMMDKNYDgzUWWY5E8tqorfSv4vfgShgozi79rr0+BL3pofVn7OSbL0im3v72y/2tzbR0n14/NP+5v/5l63tnf/3nKWVXQB+ImZu7xFoEcMUfreVuEe3Nt0ftRRoeYGu4JxOK3svayPLkmX+BfyvVum/bW0m9n9bJNPm37aTrWQ72dal+bet7efNOruyMlYx+qYvF6s+ferd4tY39sF4GRMQiB1zLrwxIiMr9VgGX06tM1KeW6klGFRKpnyYdbg/oIo7GmwwnZllvSLMqTQuVQHFO5/eCzWfnSsgMvRnDRMlcgvM72pdfJZX+6ItEXev764WYkbQehctdngn8tomEi0wAv3AXgUiwO8FUYqhcXAJlLLy+hp5FtaGn12SGd7PYdA6PBdFMrdG0PXrimh1cmyoSxO0b7xP7ejRfahDxBUyZnkN1TniDV5qW6/jsBK3sXHI1k+VAnqq0SJcwqzj7GA6g4RcK91qLVPn4cN9uEXkMA3uVtcWsYPXKJi23LSWMvysZh6b3vetRDFu9G6lYhFEFlBCOeQMesBIJhny1YJe1bujmdA9V4lDa4PFDNzGdvU8xKf1nTM0IsOpwuvZh9KeL7SzPHVtzq/lLLKxFigsNS7WOijOK2b+TulpFEG0nJobqthd2VfusMB1f77QhZXO5saU2Ro2v56ib8T1OHIDt4vwhRGfYdmVUV2dZN0tcd3fQesHlVWdxGzttio0jW2ESoSROeXR9/Gdn4C8f/ea5Fxc+djqu4vZeRdIWyjwo2D1RPD58jT2ITscRiOQg0iCH4XrqJHIHykt+yCuWhaqGPK9QgrwrgAzDB4a7M3VQbLdXb2/seG6Wl0zkUmVpLLAnmsb/7K5CaaPZbVExfXVpY4u79uu82kuaW+M0TuurwiMAOKq4lJxjHBuU6h2RES0zCvQv6Psp/eaOWM+rAzM6c71gEx6zlS7GV+A/dJq9kvQ2K2LWD0F0wD/k2Uw7D0LGmFMgk4peKTCIjYt2WxtbvaYUwrKXQlLV5d2ISvY9qaB2x1VLDAH6Zg6Akg3/Rl2iBtnHtHMkpOol4FYc4GRcH1hyc2WyVKzP6olT+jDelScu4F9a7VbeC1EbrUehfBQhN87AsAUrjtuyRF4ZehVM4WcfaSpIVJlzncdVN/IPxl7J8OpDuazYJjuYOuaRR2AHqXNBGYwYrBNmKB5fhri1l3+o99CrniQ4sKIcU55lK+AT3kzt3f30ihc2jMnnTifR1V6U0gUjhF2AoJ33KzcKVGpFJprEwtEjjJjywdce/YK7K3r4C7fsJ4Js2iGvobjXM4SDb8n/vcklRkbJ573+q/rpIjYuFgHy2LNFTdFW8xtOqmQq/k2KfXRPDk6X0t8NlnjjSAXObIm3OrvNyLMiJHwVh6vQ9zDuKksMQjm9uVGURNhwd1L5GWTpg1dqkXN3W4L9Inc67hwYUCx6yKiCHRh1G7yW3wX9pz+WXeZHCAL427tobEkeyBqxmF3OCwILQsuGNHB3BRHcsVotnCU5C5rT+i1/Tm6JvEAeuIg0ioQN1w3VK00ZSVmNIdJfX4R1Cmg9vhLATL5yZGbfOW4UrJkGweFNkxltFiJsp3pZKLYNSof/vHzi5U11AXIL7/sF0XNTDjN/VPrm7v7m5sray022o26/cbMB2bO1SeGYEG0UtMy0IosWtHVZB1jsVbgph8hSWFcU3R3kFpR7cR3IXkiTx8RJux+6yhgy/HVDPydMrJI4KIg97BUdktB5nTatk/ravcb+4KhVE7hX5SdxmWVGqptyGpbexAwNhSY8xKZdM0pK3uEr5k2fOZX11S9l1AsBJxbPzSmUHCxnrHSzDuj45XUbNVO0L0GQlOIdXe5YgICb0mZ05Tdqp3copXUJ/6ztJNi4fSTYuGyrK2GAnNs7G6/3MpYNlmf7k4213e2t/bW915ON9d3aLqz93KTPt+bsru1F08PU+6M/C7G/Sf/+Y4Q9wMsTNqKh4bCHR3/EISaazKxclEzWMyFbNtfIXbOBynbsd3K/f7/BJVbXR0wJ3ZFphw44GDx9Vvko8D9ZyqyDanqxZJG1MvIVaIIdsPJAqc88XZv8qb2OvznTydv/suXTNR1vLe9ZHnK9FqCL7vwf2eF6Wn8TSHVmGWIzdZ6/HGMvMLO1PSguGmMxfoMwWT1NXVeYhJq6FrRwg/da1n1Jrh6KzWGbxlF0yswqaAVsCf8gxqj+KTqdDYeoEgR4j3MF1//4UtsFIHs+ZqqhaWN0G2G/MIUhqlBFRT2cU4rDeZLSGCXU3e3NLm1ZQvM1z7y8fTueNr7kF+zEdhyIZE4G9X9fewdBY0AYpcJ+8jSyrARmfMsY2IE4ZD4bynyxchxyBG5Udz0mA5X/3PFP7syIiv49Mp/fWql9afOEE+dIZ46Qzx1hnjqDGG+784QvaH9D5MdQA6CcUAYhLrRS4oLEFGHxNZ4vykspFH42mNJN7VA4GQuihE2kAnVL+/gb6GALQzjNhAlh6oEO864sFONncrH7VlhmoxhFeNIX8Vgf8zjwNrbwapnHx1ZTTMNw3lt0sMdV/Bu4auR9/fYVxw2SHa+ad3y1gWA2kSpW/31g7AzFJShwWHIug/qDLRyd1Eqjk3FebCZ4tdRdAQUuHRmh8gU0FnhxlwWbIPmHvNhpXa4SxzmcxfbS9xHCkRRLMR5x2qbhglgzIrl7JpGlua6dVlvNF2UPlGWTFlFFy+AhvkOrs+8r1X+4bJcCVAzYFMDYFlhks5els6uFJrmD1Zh9Ezxwl4E2O7y5Ig8+/nkaO3Oo7S6tbm51TzwtX44NITt3gE9LQbbB+CL9h76Sg2GvmIXoa/YKqiOxR8uOfPEjl3biL2gitxNhL+9Kal9VrZ3Xzzfe948LQUv2OWA1SzenLw5xjhqf7v47E+AFpTCZrciRbRRjELcyWRhIlNCpaEEgzMW3tzcJJwKmkg120CfNySAbhQs43QdLMHx38nHuSny/zw5OD2oWfx0ylNOc7Qb/9fIXRm+3FmC5YJ6csms/FGC3D9x1QTDmJjeGGK/o6X7TLtlGX8xHCW9sYQUo50LIlMrtgfqor2lRFY3X+xstkjoMyXSHoE0SJIUQolBdWgeswFLA5+2G2jhZR7q/fibso73N3FH6g7KfHHP9kUqb8RgkWpoPrYTrIIFRUHa3/330+O29/pqdX2glRh0EYv0k1FrI2FvsTRoR/ht6KdZJFQ+TPjduG3vn7qOPXUde+o69tR17Gt2HYtCefifDwzk6zF62UGsGAEyW6Qxv42Va+SeUMrHRTxwTVbsx55Cw1svnu/tNAA1VM2YufyL3FIXsBq8pyCYYlGAr/+LlZqDfQMJ9RlSYcYVeKgdJGsd6gvu5BBcMWi/ESu5gCHgPRgCVB0LHJVBfHbeshKg4HO7rSBYChhmjbs4gJ/dxzvCAH5mMq6VmVKlFpjEh04tWgv+YGrCDm2hMFGwpTdjPVwzVxleib1lobw4pmJjwCNL55A3XqcYWMhOzryLVCqnbKh1XVk9JdjGlyqhyc1iKP/Sod28XmH0jRRW72tmAmDsDBOD+btOG34uN1m3nrNUZk4OsLBdC8BKGLW45Fr2lJ1+HJThFOTk/G1/tenDg16QhtpBB07vJh5SQVvWbU/V94AyY/KylLHsFauIUsy4gYqKIiM5NfChe8L/m6zkUqzsk/WXz5MXWzt7zzdHZCWnZmWf7Owmu5u7r7b2yP+sfilVcvW9PYI+ZKglnNKAmpH3d2CQnZySmaKiyqmKXdfQTjOFCCvLbKIr9jAuRhLJFly5VGmItMZKS2SaS6lcyPwInXZxlb8wKIKXk3K+0JglB/mGI2APGCPS6tlYpzFBSCIXhFZGFsD9IvbWvegnUhsp1rO0sS+KzbgUQ56sdzDDXQdr/dfDPpgGOloOnt6T9WvFJiz9oc/O7e+v8MXtN5i9VNF4HZVq7Qlnh2d0HbzTco7EYe3LFxgftqdIo1hU8HiZsGDIDimYSyq5raUPFeT10cGZvUEPMC2z9p7F3USaLGQwIej2os+4KNeXEi2+GyFK60vxtxjnAFDyQ0+pIEefv/jP95QSnmPVHyDPmiLrnBP4neYzqbiZF6GyLFcu9CyKoWR55qLZsBIxhKXOsVUWhpq/OdodgQNjDei8VMxx64QcZJkHYxpCHjEC1w0xWUDCuEqp9kalJnDIjC2AaLvGehaQI6ZZSRU1MnQUproRXf1MC3qF8bMjgnlwc/r8cndr+yFNi7+0q+nLe5m+joPpS/qWwnmSulGb+xf/+c64ZQgSbsctu+xusDRUBsuoaENFlDx1fHgO7yZ/84fg1oz4bpwvTCpFXeQ51ntCEW1QNUGhua8YNKwVnTQtC+2cquyGKjYi11yZiuakoOmcC6ZH5EimV0yFTqLKpW78ezVhSjCIdJUZe1BVZpXOuWGpqe5NfP2UjX/bSrFuzNeRCD7uvbh8sfO1bli8C+U02jtPav6ave2OrQMrUPZMY/HVDrK6qm+7fcOIUpFTZn48eXve7fL1movqY8/YNdDRTGFEuPd9BYGeeI23pxdvz98GzNxjU5sxmXxDijSA860r0wjkN6dQx2B9I0q1BembV6wtkE/K9bepXNu9+RYV7Aiur6lkN6WugSBZ/cWNHd9IjUrBdT+DkCF941P1xx6yMSg29vy6hr5eK4T72IlD9yisj7Mep62iHBDHDR/ogEdfOo3mN3ShSQWvjCBX0FUaCEaHglHBxQwKX7i620xccyUh0KfRVt3tH/SerhSoiZUv+DaeMGqAEY3bWCjvwUJ/E0gQRnlZNz5s9V6i6QDI/cVt5m2zDkWjp3fSZ9R1EikzosqIGt8L/tEXEnGMEorK/VHRHIJ7wpiRLOfb20BlB9djPTT0qDRTiasCAl16M5byDKqtWXEUSKlm7tBVs7X5UidTWvB8qAiMt+cExyfPvJNGsQzStjM24VSMyFQxNtHZiNygONz1t+GTHbir/BFTmr+a/7Oj7uCuN6N0QsyD677WL/LS1OL7jfwnvWZtbEUFpgbY5fYacLYANqjbit64Qi4dyHeSnWRzfWtrex10cp62oX9cAepb2+s4gs6h7LbN/Y82Zry180vtrJ/PnWcr90k9ItWkEqa66wxTdcM7Z3jYkKEO8MvS49ZmsrWTNPvqDlZ2w5VXbl0rVoM/zGWVBWXc2wnqindOqsHgBSihPTbbScEyXhVjKKJzXbRKGzYsAcEm1Gish9XvwMIbu+BrOSSM2CePtKpOlEuGxd4WVXOObQpqSS4UFUAze3Pbnm/vNqe39+PXcrhA2MaQ/hZYHSsoH4qtW9WSwARe3kq6ANhr+JHD4b4af7YLXtUglvlreEroNeU5nfRkthzkE6YMOeZCG9ZiboAb9Ab9dT1+0SK/aedfBOeX9gO2gBiwc4hXPIHvgAcOyu4oDL1q8HJo3ugYlCBUSLEo+J9xN2lAYfj4PhReHMMqeDa2lIIfvPaN+k8qxRT3ql3wQGSuAngYttl0qYGnL9M8OCTEw5xdKB5PnfxqLO18LpUPtYXaEbXpv150Ixtigh0BgunHmEaAxS8XF2fw+XaH20/ebR1i/uxLUfNC1zmbjCuV+2pcmmEpThNh2AKpcg+vYn9UTD8g1MK/MJHZIomzqB5YqDN+tYncONq3BSaBWdvo3dt7eTuILuHnL3CRXjjjBm78nRj5heW5JDdSubYaHcwMsG8XEmsz3LF7zyywwLTmjFrpu6vSbO0879/Mgpm5HOo+XG2gFKdqpWZH5e2wqfOExcVtjQwBG1iV7I+KqYXVg0IX4EymVeHT38LYvvfvyomvXGp1q+PD856w9RkzI1JCh+eyMr1oggLXarDsr3du+LrwWoy5zm76jMpJLmeJz1hKZbHRgl2XUmj2xXkKTrssU4mB/Otylbtwcjtb8bj50nzFQftpjMUBjZVwehxVn19zuolTVy+o11+1s9mMtxjWiANw3WYV2wIjTZ11bpia0rRR2PCk8eXdQaFhgE4Pf4gLTaXKCBczqwljf0T8szkvaYi9kOqjWCmVK3VEhS/Mq9pFkImSFWRX5pJmZEJzKlKm1sKowWjDPoZ08TAW9KGC7kg9vfATaOFm6q4hbszQKSQMU6MAgfNjaSa0VK50e0kFsStaw6IhMRyJw08PKnpCp5aX5WjO6VA12gKJ4CzopKh3rFYvRz0OaL97gZuFst7Y2RdNaxaVXGiesRGRlXF/KJIVf4YWHzXqBS36zJLuxR/u4ZqDx+PW+Do5aiOrQd41ts5P35x1zgkhJ0c93G9z2QUOnYTp94LdThHdPHczvwf+OiVkFvOp1+7jHXGMR50Qw1BE2xcFLFg6p4LrgkSVAkMzlijZCjrL1GGN0Csl7Na9oY2d6dy4oes01BDz5VfD/FG8fNP8hPXYw0RYnd6PCZ7NuGz738aNhfi34laDnTr/rRUKaWARLIvH/1so4jupDFHUGcF9sd+/gdXDKtDww/HhuUPfA4IngVCbRPs4foS3vuOHRWSI8nGb1W3oOe2p04X4cv4GDeE5YSgFclwFnYh8uf1GkT9X+Qt7QFNDZpLV7QVgEHRJxE3HM8m0WF01oY+0FFEvJl/Nv6xMvJ+Bmizdh24DULIkNPOJex2sdXrzI9Uh0Y9vqBLjERkzpex/OPyrvrVo3tMDAIptNrfV0pIaYF8vWp2NcCJ3l0D5N6zAgrd8XS60AjKPS7LEo6Q51T5KALrzeNUwzAC3ky+5TNJKG1n0u52lmiUsp9rwFPv6JRMpjTaKlsmP/q8GsjCVHooGJDlfqhUBdCIMCO5gyI7S6pUSSqhQLrwb3ZEduNBdy3I8Ne3eUNGRaa12Z/vWpQx4HbWp4JEWF5UyNI5yLGM0XZrrL+0Vtjf5J72mvYipRDpgyYsOXtx0roLjXGYdVNyzv/Y09CxkmM6c/rgC44z5t+/USdv9zEH9jZ4IGzthU0ioKXNuMJfBkKpsNAcoqWr0xD3BqCUFlYcwl23shvVGWUReHN+E1f0VhSLWdsRmCX8WA9doJdhYhl/sqLMg39UtjIkt/FyvD+iEgLWQUideU8zsRv83E6mEoBmpiGA3wBes6FbI6/gQSJJC3daqbIP8uY1OiZauj6m91iYMbGtxaNfEx3mAde6z+51CAC04xt8sgkQZ8nPgIlzi6GGJffcVfrjsI+vO2XNXbSiW2uzzxWOxAvJY7NVdcBNzpGtO3TAJOcuZVU81Y+TdT4ea7O5s79itfL71YifpWVoypSnPfQOfx7aIrEYr9C2m/IQd2artKg7rO4jbINWrsjRkl+XOSLuaJhX+ygvdpTbDkPbd7edd4th+fieOBr6ffOcd9tGsT6hVBJZGVmsdQNQv+9biG8o9+la3tvmWxnWfvsWsHpJrskf+ViPnX4OkmjR5T93QzaobyN9D/wDXUgVYsqOeQCgw89arrZ5iMs93+9Da6IP1MNzee2LaTdnuPzF9zb9czy+L45phxKpKnRnbnrjmNIClts3t5Oh8bRRrJVat6ADvTuZM9jYJuxP00LfMKznU9bBPTat1mb0N7mpd1m7itlS/sl6eEDZ8yMyUb4EYmg38wqhLEQGYWW+hgEip/YqbH0HR7bbgdNRgLENDbmxyOo2+uicd3ZuBmzm0aI8uiko4cQzLOMlrFvoa1wm7BIWyqEGPy4HVDWuOe+KTMm796D7SwA3bbhkUOgg/IOe11rKHOi4HqMnM+DUTro9WNKuzw5RKGpnK3Kn6XkFXE24UVTwiHCwG65pVG3tYNMrIBZROc02LRiCQ0lxLmGyBikD9sL5alJFJhqd/jOzNxSZSXo2IubGynPKtzOL6rlbz0NxUTkqvq5Bj190wIpSzAljqIk/2FspCUae6uyUcqY2MaUNOzrC+lR6BI0KPSDTmDVe+qu436BmnvGiQVo8jcpmeqLc6IVfRC4neR5C4wQ8OOzKR9txAZJ/dliafHbvOofDmGISIsUW21Zu5FOF7xciVkDdiRMb+sLqfUFSJ+tnrqui5kV7sNRDgOIhZXA7msVg9wIg4aKaH5mAB2ZJ+ceTkDF16jpqoJjcszx2TC+vxx69OP2zyv9oCR6GnyTqdCamNvfkMFRlVQGO++nMYdpo36+u/ZlS5isvUhMiEGTfzagIxCZZAcj6bm42AvHWerdtLpkfo25+//Vd9uvPLv775effNPzb25ifqP87+SHd+//XPzX9rbEUgjQGsHStHfnB/+3t2bRSdTnmafBDvmF0P7Dmptev9D4J8CMj5QP5GuJjISmQfBCF/I7Iy0SfuykziJ9+JED9VAgj3g/ggfpszEY9Z0LKMWj8C08HLyykzRd0JzrlgR+FCiuwc8ZiBc0GSvSaQgAzdwTi7SRCGWyb2qJGKlEzxghmmEJAG0MvBVAPSgMD+F0QeN1k8cpg0WelayADbDbqZSnVDVcayy8/JJjw583HmdZtYd1yjn5y9rFTyYzfsY+vVdrKVbCVNKy2ngl6iOjUQgzk5OD0gZ547nKLm9uzeKu2en6wjcN0vsF571MP23PERuK98tzn/lnb8h+bQ+xw4GEg8p8z8lMsb4HAa/nLBmWHcXM68Q6By0Zl9a+rW020iWixXzfuTDE5OXE1gkthxSbPMcWPXa80yWX81XedUuIdjA6DPRkejJQwJNev//vrgFKnvj3Uu1v/ALwxFf2fUgo4c5FZWiGKmESDf9ITYiROO1kL4G0tznAD0EVQtz2SlozEBEM1E5ty4lk3ijgar7t7mdrL1B2EipaW2Jx/kLSs/tmI3WsrP74xdjchvXDE9p+oqWQsovy+swC4gcasb6DgB0rvBBY1Ak87RXzpuIFrBgPrvW6fM4WJuCyO4dTkPDPYYOq8B1ZLJgkhIqpMKaMzJvbquBuGPXXs5P0O46m98yhtglzS9Yve2jbzd3gSirhvkk4Rd926PuFv/0iPw+h9rzciJvv0i73YzYs7z6wGkrNXXLz2jrKVV5DzsYwKy5IjkwMv/SVOrw4XgjKBbfns6U0hCCHGmHuohUHjuzqrf7Eh8QH0ZEr6or2dnl/jvOE98DIkXc2sM53RhxYIqK0fEpOWI8PL6xTpPi3JEmEmTtW8P8yZtIX6gNFgXnvj2/ATasuQovt7E6aqerF9bLCYWdzuIwcg+UWqWjkjJC0Dot4dOC3QDn9/zPfpXuEGDm9+NAk87++jb+Lu76gtGMY+d5uglg95KjpeMQvF2LOzRMStip8YQSJcxw1Iz8uNjVA4G19074npTxncKpr3nsKG4btZeD6nhIdzHlxXEQSn0y1fQ8B2W2mryLsWUzypV77skqhLLI4BoOTV2usSXsmmXOfT2ej0iN2wCGiBn0JjfqAoS+xFdXIqNUsF6YVxfcsXLw7Xa/IM/wVZAdsPGIEUzgn87lxo0gM7QFqsHZ28canTyQ812An1GFm2KnT5vMWi7e8PHHPMpoWLhmRxgHdepA11oH2qJtKFr4f8OfMMqvA4WusyTNy725I+KVTgwOb54DVUypQAS8savUsmUaR1ZL8IwoZ6rYuD+SCUErFnJzOMDogOPD88fYIVncWj5o+uX/rgnLqx/LlGfqyPYwSQehWmjmg/tLmkRmcktY0Sa+FOKZuqtkQSj7/h04fMHvP2LkHOMxqeqaFic6qvG2cTbul0rLt/7TDA83+rzt4TnYywMNWwmFf+TBUiWvQFwAUlASfIUpv9gza2Dw7983H5nxd9nIH9nQd+zLBcv4TsX6TqLskx4KNuIY8PA5+U0+CKCse6O1REjw4GKeTCkNNSeKaoYBNa5y8KP7Oqh+65aI3LsXB31NXT05vcR+eXdiLxmM/uEVTHbGD2rJjlPL3EYtnTPt6fCvk+FfR8OUu+GPhX2fSrs+1TY969X2Ldd17d5qde+mC+j0/m07eGVOj/T96vVudGe1DryOdnXHST+5fW67pK/d8XOr+h71uwaa/jLqHZ+VV9Qt+MilUUciPFpul2dj05x1KZel3h21dHrQJ8Lo96j1x29+X1pVH5ayFYdklVXuem/44epBf/m4PB2ABrzDymlH9aZ0V0khM2qo0LhQbDhu3DnON47vNmI7p6zvJxWeVyjt77upnUkUHBWBAcCxWxJlteFbDCFU6oZFfxPlKkbcRFCxsnekPnIWMYypwBgKifClbOpIawozaIn5vQS4vPOf25sxFO1effDt1aB/Kna/FO1+adq848M/OdUmy+VzKr0EYv2ddJ13Qy33FwtEPX25mYDPs0Up/mwMdVed3eTOc28KVoMVpV/7srqt8usgXWeGkogYgLEwamSRTNmTrkGP1En1RCrXY+0KJlO+krS+Gh6Na7FvbG/3aE+TabhPyX8B25a+EPmOYMqNmg/sH/VQQk9OYIN7bku5xclaD0mUv8OAy9HcOeLggrTMlb1nt/H6TnpNyViiHUBkFpWgnd9dFD7+3tSKONxfCQIE4qncyQoCAFpVMwOeY2pLEoqvNRkxUCwpzaIsZXkGOdU6lDP0IqSkG1KlaJiBvE8U54b5qy9UH3ZC4lQ7gJCfgU86AXNAEa9nodUwPoKleKb4i4ZTDX4eld9TFteXKtvvgbZhmvqHK6pe0j3AoIyPf34kgP9ZCpbN+Dy1R2/S63gSSVo4eh2leA71gf+KhzikZWB71gT+ObVgDg5xtf4ctz7LPrqTqZd3/m382y447WhORauwuhbP6uH78TUpbt8x/Seofxro+DNQgKLGIfmf8ajQtGBMLQDBMd0gbD1WIb7/hVpdIkvVbjh1mblj7bjbk8e3Kd8UvE8uxyWGlcPXEpk767ZUw9Q1Ns0dfmQjiwCnwlUEb6JCriGlNFUFgU35PyXA4xSEBiFziCD2g/RUxBgujN9yfZeZdmLrcnmq729ydY2Y5ubm5NXe69evNh78fLl1mZaO3jvMWinc5Ze6Woo3nTohu8gy68Q5M5rpkKVum7W7N7k+farjL7ae/WcPd/ZfPUqfZnt0Ww3nbxKX+00de1o8oFWdNSMLoH06iYXCJC/LZkIdXiUnClagBKcUzGr7NqNdCSlwRW7oVjO6SRnG2w65SmvQ85JHfDf1A8QnZc6lW3d/hGdhxlsjZiRubyJFwx16sKOuiC7SjO1DiEtIzLL5YTmHbzg130LYcvoOxk1/S0PLOODLOBe+JqYy3nKhB7M1fEah3cFkzFXvI05f9ibzaMIJTr0IXI4hZglN2KssilZkPOzo/8gfrrXXBusH1MzI6k1n+SszrDXZfYRsuvdkHpjrctnDkqazlkYeDvZHFDS670ioilqypFNwYqaoTqEnVEzjyrx+H3jHYKKoNuotNoA0t84ZHlO1cZMbmwlW9vJq3ZnFCi5lQ6Fwl9kYUFGm0WYjLx/9zq4u7wEA50SuK5FEl6XKL296mAosyItL7PEtOx9YwWbJVb9oIqEnmIazUS698j29vP72pQ+YkE3ZxDtygLgrnThSV7ejEkM6hXbmUe+qrqZ0+YjBRW0rvBMXM6yzwTbJ6osRiQrr2YjMlHsZkSE/WLGihERFXz9T6q6Z16VxbLbOKwk5je0OUvcyWQ7eRUL/025/5j8Au1iPkXy/w2VI3ImlbGkT44/srTCP5+dHa+F+q3Li9VNi+QgsT1WZHXTNGzGlpZGvtpfRqiBp3jO1q2W0NVeodyZnBpyKFUpVTPZ8h6SGF70CkvNujLYA1d6RuMw6HtWZsceWPcIS2spFw9c1ovkefLqxeZmsvVyZ2t32fX5CtOXsNCh49DsKj+HRs/PDk5OL5Lj/zhedn3DOgjDovq8hA9c3Eo4gR8+Hhx7ZgR/t23RK3evPlp76qNdPX+MvrrbD7OUYcRP0e9FSamoPSl1h1WX+dps/wT1Jv1whGcbESm6Wl+N6udgcB/76UvotDo1VucydKF9EyicinCjWT4lVITdtasqOeaO2wdRLfFlwMB6i+DWwfTLWVFmQ4X/rh4oRReuihUgiaoZVFnQI7toBfQBeLQLohMt88owrDQaRdlB6dVwr0WyyRu6IBPm3FyImVJJw6ACq9Acuh1He9aRIdzHdZSFJ1xs6NDEd52s5+FPqyaGD1ubif3f1osOIi8h2+ZhAmNLE2NiZuZBVXfEYscGx96iv4q9C9uqsJlvXOHClZmzKLCfJlV6xQyhguYLzTWRwmrJYcjC3shhk8iN1ScCN4AWrlTFZ4i8gUKG4YUCNySq8c+dOo53hK50yVMuK123jO3IdTvLMspUZuxS85mgYJdjH7m+t97QRMqcUdGH+x/xJ4ywL+2QkJ9PwgxxjbA20KtGVWz1EyHHlnyDncL77IQpUwYNWr47YE98Y0RbvkVUqhalkTNFyzlPsXOOro9zPOo1zXkWZy1B66hKGz8fec3oNSOVqOsmuBYD/tX6FZ+nV48fhr2hmlQCjISh+XRcOPndu7fvLt+fXrx7f35xfHT57u3bi0/dsgrTVAbKsDnH4RuXM3jnoPKvelRJuLUyQPJSlq07ztLquZGKaVckqd7ons0j6ZzyOFT173bHUXaoX7/tPc9yrJwC5S9Yhpk8jQ5Wrg81arGQY9Mo0TFZQElXjdG7wJlYvkBjM9ofkEo7BPVZpx4o+zPR3M+zIHiEzzi2LI24F1qurWQ3o1xo07hiJ1xQtSCuqWyzZm33bNLGXtxz8B6Kp6KgIrtcsoHU1/HPNvfhpyrPPdzYsgpICe5L15jI3Zlt97uXesJcTvppST1I1DTP69u23fyscw1/ulzUkIfIOhRFVi25Z5kkfYhlGrD28+1xQW0pH6XvZgoZMhW83lyHwTrdA4OmwBuCleF0HM1XX2RTcgMh/40K6WCIhZxcDwgGIMDhef/+5Ghk1aJCCq/dkJ/fnxzpUXw/0qiudWGPn11qvgglprE0cKjcA0657qoPpdBGVanB/rGoNOQLN1yMOchhsCQsBSmVZYIpuHwKbvgsvmTPTo6IYpVmjVLade1rXxprCt1WcHnQN8DqkCNC7VWl2yFnxGdPWuxJbXqYbbqd7uzuZq+mr149f7m7tMuwPkPfLC9ZPtbjoKUjxbTe0JHuOM8t7HDzCU2nuzGQdiAUUZq6S51MjqXTmVVEoipVvSUpo25JEytuu0stBN/Wk/nzjl0nsP5tbESw/wAX7nEabble3EsQkT2KSZHtDsTI3hzt4hTdSfWcbg006/kvB1t3TLu9+2K4ibd3X9wx9e7W9nBT725t90z9FwkGW/UXCobxNSQEy381SV1AA3r4nYahiOYFz/vcLG2OUVJlj+3XsRsNYvx5uM1nGStujaYnq9CXtAo5xH+/xqH+BTzZiL59G9EtO/fXMRX1L/DJYjSUxagf30+Go/vQ9WQ/+kvYj9x+PpmRnsxIX92M5Gnx27cmDWMwegiKnkxKy2Pri1qWHgjWl7M9PRywL2idejhwX9B+tTxw37SF6wsZsZbHVjlbSt54UOT3SX1NOo4GsVmRpYvpBoOeMDu+vRYfutllG/plGs/eEbMeoty6ObbbO9sPBa4D3WNE1UNXcIe5VVL2g7r1QFCB0S8B661ZPlYf5QVrbKsT67t2ou3NrRfrm7vr288vNvf2N3f3n+8ke7vPf3+oBmTmitFsubKGD8LyBQxMTo4egwwclANG8Dpwe1Pacfb1pYsteqC5+V5kv8BGAeaWVGRpEb4foWKAfDXUlqM6UCumaxxSgXm9E1Y34d8PQ0YV7AglEyVvNJT3MaAxcOOA8BIoNPmhM0bSStmBcug+KCITwLL7UZUW8s8QNc9ZKkXW5Luh9VFVdpO5n28vHaruYLyR6oqL2SV2LJTqEZMrhqQfSyYOdBJAbzshOorDXBZsg+Y8XbrgZ8mS/yVJJyVL/rp5JyVL/uqpJyVL/vLZJyz535iAEiHgWxT8A3BfXqwPU39toT3k5H5DInm4ar+iwN2C4VsQpwNI37Sw/AlRNd+fJO3x8/XkZA/B9yMFL08YjyAi11UWZlwbhxWX+/gu/u725MefMHnRNYW1lOHzwv0AvoAfNEsnS6YGQt44VCcYiJ+svnXCFNZAIDeKG8NcauWEavZihzCRygyKaoXN+UmqsEDVXWBdW+qcmb/TvGLHH8H7+Y7Nfq2YWrjvRk2PP6RP6hJpXNbOO2hBhQ69cV5e2u/GSQh5kb41wqQyXm6px5wwY5giiqXymik64Tk3C4CldkfUznF78t8d/3z548npwbt/4MqZa2vd48j6/dcfq4PDzYO///rjxcHBwQF8xn/+bVlhB7YYb5/7gqM+rYY+xgRgnRu7vVA9DeZzVXLrbT0LiKCaWB4JUYB9b8K+uD3yBJAAWWjoxxOGdM8HIoEpyTOL5PPfR4Ds4/84Ozg9ujz/fQ3pIXYUBRh4KNxCoGSqq/OGU7I/KiZSbFTgJgQCtqO/ef/64gTmgrH9cNAjOIx4TRXUUSI5hPnhsKKCPnOw1pqi7ZhHv719d4QEffzz5a/2UwP0iPrabYixAWHKC5oTxVy4GnrOnrFkRsYrWyvjHrfW6n+uHO5/UIZ+UCy7NKb8MOHiQ7GgZZmwj2zlv5a22gDBDVTa+dxQkVGVNfcbL1THRXyQim6vEEli2VXM+fUQCziYTBS7xkq/oBV5V6Sdr3ON/PLvr98sC/AVWwwA7y/8mmErcn7tPMxyakfq3nnnb3+6+O3g3fGHWmPzLPz04sMhyi5/R5X+w0lhBZqfeKhnYgkUm9DoDzdcWEAt3S2t0nUKLz3K8iFox44dx+TYrRrZ4eCEAu/u27gPn42QcMx7EPPhiE2qWV1z5/4CORGcQzXWhDn8Hd/tarMUxLWwVPe/D7JS/dWddSJCfLRmxl7hBaPC2OtkSlN7QVPDSMmvJca6KOj5SknJWWqX4uGDmjruA4RPwQMa+/7UEbQuBltbIRliD8WClDlNoQO+vWGOD89d1AK5iEFwQ2sGtSfFzPOCYoSlvOvbSU4hrgumQFnB3Y1cRUJNrV/i4rkgY4fFZBxWcmAZZKqYCTFKFkNxP6CRKw/ng8uhYtxcahM61quRD3iqKcK3vB2RNOdMmBHxj0I3PmzHlPjq+NklLxNyMsV65mXJXOjayZnn20bW0PNyPMJ6HVh3SjikAcao68JzckaM4tec5vliRIQkBQXRLK4+xw1MRhXLRlbcC9Hy0VT7W6+2k81kO9naHT+gysac6qFKvx3kOd4RVM+ZRjKQwiJEecJykhWGDHryh7Y/NRepNKqXENBf48+NGuqicEE0N5VrwYcV5xayWlWWFHSlGMSx1fqWA4zQfCYVN/PC0tMzDLdlik0lvGEJyrJMuPQCAGvLtzUsl0Buf68riz7HoE7OetHXVKP1YE0x/EZCrKSd7XZo7uePVd4oMvbOf76DM9pnfB2c0FQqig8Gi4aLyMNAQbGoe16EvhJ0ZgV+C4CLjvYhi4TmTBlNpCISCsUJiYXKYGG1JuALw9kpovBJN9oNSOderkUVIAIcL2K273mKByoruAZ3gRUAlcxD1Wk9Cq05JTIycnJ0vnFydl7/ENpvjcgNm/ghSwwfx54P4YFK5S5wVo8IExmojyRjhqWYUiGsfGpZsmbk2fHRuzVXTTqEbTKTPqR+T2Xm7Z4ej9cnD4p6xj0WoLlmqVmVSbEIdXIRCAg3hb8sZ5AkVYyaqNBw2CtPWYEygCs16LuTpHVuqFp/HfeCva+KAPbmG8qneFA3/0MaQPHGDYVLdDHArqUHcliPhIAVy2Vr8vCxxL3IIAfGsKK06sFJJGO8ZvRqaf1rcPfjBTa5b3seYePdhns89C/yx1ymV0RZtVobkGVK6GRPjk7PMQL4l4uLs3OyQS5en0Ngukxlrpe+K4YKIz/ANZ4cIaPi2kdHW9XbVfeCysfIO5FRRlJTbWHwDLKXcB5EMFubSwc8DVtiOFYE8luqDd/OGwJqMCbXCu00Y3dUfHX1gH0d4CWWP6jbpNF/HdcJxiqfYbPcuXj99vDfL49Ozy/tIbi8eH2+7NqGLuC7+q5RtNdIqy7cnU8Y73XY3d77IPxq0WiHT6FpNkedDbtbiEyq1VVNMplWdV5GczZQKOzJXF2t6UlIU1PRyIq/aeSdoSTn4grWQwoZ9ilHhwuiYOKl6vqac7V0Qdzp2tJ8MWImkht+xUuWcQr1re2njU/aXitrsaH89actytXMjEgpc54uRiiboEyArlx/61pFAU72g25/DOgvWN0NLjYhOfPe5Zlj+Zc/oZy1LJ6q6hvh/WB5kCoEAQQcwZWg6ztBj1qXAWd6qeugyTC718LW5ib+/9IGokGDei6iPkQbRLFrrtuiw4TZVQPtgF7vctW7S0vuWVPU59B3E3ZK0nn9zR1q0oF7zm6y7wBItfNFgKnF/iailv+pFMJtzzSI6qj0EMVmVIHhUDNQUPQoeh73f8LRtYj8dJrLG/AoqazWmX6SilwcnrlRsaOvDmAibCnj13UAChfccJqT83+cQqFuZp7pNfejG9QOWMOCbgmkxSB0tWdyDDJfdPDxQ80FPF6MokJTNzjY0JwmRGhqKswvc91HDFMFWQnjrVj+AbdaNKyHQrQA1wnQl/vZ6YmOeTPfkKa+LLzhDVv8UJfypltTxOtwVpbzxgSoQcMq3IhRFiyoof+sBBIFuGbQLube7husRq2QpjPkFFiw3cZ1OJxtpfoQh9/wS2h6f9DAQ7OMaFZQYXiKjpKPxrWvZh/TORUzNmowda5DB2sjyTW3y/W90LF5oYBkX9qwGnnLngpzTK3q7McUvoc2XiRo2nNOOW14nhOGhibMkHUt10UWmxkBYVMedeigZalkqTg1LF88RL1Gu+dQghO2CIWrz21M3ffcriEwmGLCZ5WsdL5AaoZ3ApcHj6IO2THQkJQKcnI2IpRksrAbAMbQSvCPREtLJwkh/6gxS/MbutBoWm5e2fTGw+Tpfpy4L8aIsqaMJqwUVTtRs8pn2YPRNuHl2IIyThCs8YhkrGRgnybSyQyk7vwPVlmuW8EsVCdL96e9LZ7FJf3iOITm0ICqLq9MKyOFLGSlfctDwHv9dQDQd13DgZ4dnJ+uddJs7b3NaDqvbU2ISgyGZD039O7Wi1ftNTeaXX7T6VzLR9D09rdsoOJnKWc5I69fHzbw0ROYskwwZPxas8ILhKBAaihU7474vSMJZNHdrdprNv9Cwr4Hsk/ybyM0OH7TLD1jMkm5WQxVZOSQm0X/7ryRwijW6o8E4EhhuGBisMInp42CJ26yDnynUpk5OYBgCtoDZCWMWlxyLXtSlh8HdTgFOTl/C/nFHQgPD24Fa6jddCD1bughFTTrYsr357sHnBmTl6Cc9837WooZN1WG93VODXzoxtz+N1nJpVjZJ+svnycvtnb2nm+OyEpOzco+2dlNdjd3X23tkf9Z7QA5oBFn9b1mat3fxy0DJw3tC0eEoskBpTA5JTNFRZVTFZc2MnO2IClUdrBiZ6PQgrs3TdNoxF0b55QJdC1AtHwuMVJowlSdFO9F2/qGQvByUs4Xmts/0LA4Iqk/1nEc1qk0Fk/2QZTAsWt0ZWQBF+SMydCssWPdmEhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzS6oPedmR2YOh3Yq7WHvrQMst1X68pCx32rY7f5OTsesd+cXJ2/aIWPlvyVkHTAXDz5uDwNqhJwzJrks9w8K5eWDXTKV6QchErChPoX3l6cBH0b1fxgTvJrD6zkpSKX1PDyNGb39cimbd5VkCbyyXNyITmVKRwWiMHoVREycoe4haS7TpLuVRqw4NSCGIE2PG/YRSgBvsAqa7Th4uZT5PhWrkunW34zDwbh/bbSBwDFpli2WWf9PiIfd4gmHA2Z9pEk3oc4dwjWEhZsiyAXE280Bm2POoRO4oCcWE4p3FOpSIrUymTGUjwSSqLFcI1WYk+t6sIohfVBRdlDGu7QKUHlnJtNSrXdwd03JxfuTQe9BDqajrlH8OI8Aw0ktzf2MBH8AmrSa0l5ALDe4xE88BHXgRz9GSBXU4XxNCreldRJ86pNsTcSJLTCcs1qt9CGkgFwFpGdu0Xr490iNxdSWVSXa10b8waGQ2SMLK8hO3/AhTBplMGJezsrE5ycXv4jF28PloboUvkSsgb4W1hDbCIQ/3ImxsBRSWtyd6NhykwHeJpzxuGtXisMQTU832TDZDMbRRTb8RytAPfN8im0kwlw1JMrHfVOS8hcily4RA5vY1jUEFeHx2c2avgAFd8FIaKSWW1uzpWUJ4PtDgr5BOYwEsm3fCvZFrl+SNn/n4184td8KomdkkwHagRd/jV8wlThhxzoQ1rNd8H3IA19asRIDrUBqdAXORgzsTbyxE6h6HzJ4LdccMHsvUQKsI5oFIc7wRO1gViwNBXX7gR+A6EmRoZde2LIw8wFhgZlCBUSLEo+J9RcBqiMHx8j6WM+ZSMYRXQrU+5D3Z149BkMJViinvVjnYQUIO7dtcQX9mxj6juzex+FFIKmhbM2YXi8dTgr8bSzkM/coKFqLnoLjriaRR4Wssz7MuXRK5h/9XdTSj92x1Ho4l/w2BJ0FHq+KeMGuqAu6GapDLPWWqijuuNVpWhTeWUiwxpLVB+LmfakXyooennhrQU9LU/wA/GyjkrmKL5gGVYj/0cMevz8W0e/Gd8CjYMLOi+1qlCngHxgC6KLkvtS4UqBkn+Guuwjt2AcLIzybQVx7oS1h7dme5ubk4byBjkqPZUoQ3xD0JghABCjIFMNTVBa9CiVFxH/ExOMdlEyIw5c2FjybWHLmSqA8GAXJqxbnn3kLPaKSEbA+MyYwt6xTThpu7nH3PmWtK2dGoJ0jdYhYMhWIdqmykb9sBY3YKnVU4VwBuGZAU3vmRyO4LsVBrnNuaYWyKY62DAWP2CxnPZAAPiwmUD7XW8ZuSgxshvvKGpIWP7nrsu7O0BHy32QX6iPQWvs+cv2S6bTNkmZS/SnVcvt7MJezXd3Hq5Q7dePH85mext77ycvmhZjgaxXTYELU9s6NePuBNgqxWmJ3pehDKr7mTCPQyJOY5eaJ7LG9z+jGuj+KSKI8fdGC4FQFWQFBFMmFDot3n1o0HCR1toQyFBFyxd9QkRwcgegX+C36ZUwwqOrdLGU5cR0zhFXgpod8ZP80qbTrt7K3v+yKjRfYOg5uguOKifXIYqAuFRu5HjWl7BLK6pPRiA7rj6dJeuWLyOdXfcmkQkMzaoA8VTEw0kAVO2+ExECeZGIi8KpGRH8C97ruilYfsbHNMooDSusAFpteDEx7SjUbQJfumBLdb+j4mvmR0GdddJgMynmPnRlqOlFkuOQOhSVAsA+yzueRRd2CRUR4OJBcFO71O1GidZMi1WV2upa06vmfempqw0uLgwG0IMKPbClQPS5StFDWeipA8JJ5qLWcX1POxafSjhSNv7glRl46p395zUFlQSS9GuzoLDi2DaW6wDS6iHb3GhJtXUDMZTzxpZR64QcOwWVVCBIWma9YgJfr71TfdPqzm0jlI6H9WTi3nCOH5rrU3pfqCcexB5fcTzg+8JeDGiGggLBh23R55tyAnhho4Ec7+SaJJjv0EnUxxEqjAGVawFXfuE3sJ6b7zkNG5w1fE9XLexHb3xtI+zI39vFsbzGxKC8hq6RXdXah5sJMmlvCLUXkmYiccMNkNp6RZRLb7A3bvYeJ5sJzuxngWxew01q/7mDi0Ln7o/ktMHB2JPA3AObTRFwuZIUcjmPcGasfvMRWx+kyGFLjjyKaTwKaTwKaTwGwkpxDPpK0zVjOQrxhUiSE9xhU9xhY8D0lNc4fI4e4orfIor/K7iCuGy+O7iCh3UZMi4Qne13xNPR3MXhFafWhlC7Xpj6qJUNmIUBWVLzL75GMNb0ZF8Jj6+wRjD5YW6Lxho2EPzXz3QMBY1nwINnwINnwINnwINnwINnwIN2wT3FGj4FGj4FGj4FGj4LbO0zw40hJ4pCIxzgF3U39zhAHP9HiwN5lRrPl34yCVs8g5lNmmaSqwsA/WrcC5i6EcpZOFNRv7itzC/4UYxcnBx8X8O/51MFS0YFOXtDT6E+hpSwTqbgLjZQTWiobYqV6GKJ+h+bsyTo/MROf35p99GUPVyzQc0hA7iHlz0lOAaEgNdxZO/ARS+erMbMS5WavUPJ+yFslRufxw2UA9d4UVJU7Oy1pyFpXMg6uRvXv2q1x5qRvv5XA1bLkCXAXGNpnMoBBUqQYINzYDb1dM5TDWCHUpTWZQ51xhlNJM09+BFVUSFPfpWt0Yf68raA/yOYUu/AI92+A1TBu/+tFJQQSgUz0SbrSefhhiL+wy/h80IMZHMqs4Q5we7RX4KU7mxeMOuTLzMHnqLQcAVlM0Ss1CClTAr4GMTCkO4mFn9FRvOS0UUM0rqEiXnPAKWzma4PF91p3Xy35xcvDt2R6upfCEpD3bDW3rmqF4jMhvU6HH3D1c821dbijlBWOQbahT/SC5wnGbx01HctSghz9jHJNS5o8bQ9Cop7JhQ5w4h0RsXB5ubO5sbYYK1NtbwgT58fSFJI8S1LI+7Gl0xN/3yuEOW1oe7oYtBXsDp9PUgK5V/pxh80Ai1vOEvjS9xpANTbOIV97n/VIf1PjpePTB642Jr59Wru861/f0WtP1FtN1GEPR3uk23ix237N3X4SxLY7chWwzEXJbH7oPGCLh2ZfK8tuBqxD6kMxz9/9n71uY0cqXh7+dXqJwPiZ+CMWB8y/vkbDlgb3w2tzcku6fOqS0iZgRoPTMi0oyJ99c/pVZLo7lgwDFJNrVbqS0DM91Sd6vVavUFqmb7ZR1Lhv1UhLmyB/+iBq0t+Eh4plg8BZuMQyclKEoZ3xJ6IzjU329HbJHNXYHOwmAzQ/gcHHXOrLHOZGYMNdP5dYvedCFfzHfWiWFkunjxNAIjEqutGpRGzKJcuq8xBNcjaU3hvRyNLwbDFxfjd6Pz8W9X71+Mzy9G427vdDx4PhiPXpz3jo7/sUbDuJmbChYe7XZEhbcXr9q2B53KaBq1aSxSVuKagOB6V+kexwaucif6cAYyUZVJbup6ttnnMM4VvwEF+bE+pXE4pzz9SBRPQ/R4+y2KiLkmMDlgrmRkzFU9TufV1VUQbNxIZNVIdkTic9vAx6e1h7wWHV+ifnG0mUM05mpe3IsHRcCz5QLN8P6jnDw25VJlJbGwmTBzF1DW0NGhxJn2/Rg1p2oeJNHRjvgzKCmodMbkQuodsSjB/Gp4RCIOx0QxJcOLd46N5QhvSMjbYOVcmqwKxVXG0hBvk0zRXfA7mgZPLW8vc5dSBVOMZ7DopJgvFkxCFgrQq7pEOpcnx4OTy97g6Oj55fBkeHpx+vz0sv/88vllZ3B2MbgPT9Scdr8ZU0Yvzrt/ea6cXRyeHQ7PDruHp6enp8Pe6Wnv+HjQG551j3rd/rA77A4GF8975/fkTrHjfBP+9I6OmznkaOjlFHw5hwqohlMPs26OT08uj4+PzztH/YvL7sl55/Sid9nrHvcuzp/3B88HnWHv+OiiOzw5PTl6fnHSf355ODjp9gbnZ73h+eXGrSlwjlypfGcmz7DI0bLNJ7W9n0/+YKG7WjcjsJ/Akmvcj7C0dI1LVQIOXj97dTs0V2DvhMjI4LxF3nx4dpVOJVWZzEPwrb5nNGmR4eBZcmsDR4aDZzaOYXMC/kEPd7WP46UQpBYX4fkGL+adaqN6LpYmRnPBpBY2LWSj0cuDwtAmZE7TSM3pdf1ONOqzo0n3NDqeHB2FJ93eSe/07LDX64ZnxxPa628rT6nIxnSabSRSq3rpD2nGDt7zhPnGMrTsxXrmJatAkVRAPBPDxRrppeyvzYb+/497nV633dH/3nc6T+Ff0Ol0/rNxz1lvvhNI/fyKE0bbaOPJds9OOg8xWVPR7YGDByrt6pQgIY1jrS5TMnp9hVo1Y3FcKpdv7kbmQmUp9verdwZB6nFFqOlxhRdXeKoKyG+axp7W1k+WGrdUmh/PmCb7gmOSkB+Th2lCNeIvl8sAM/aCUGxLcKMqv6V6rinkQhE7sqxVyMmt7dD55sOzYamfzkPpYZUvzOXN2Bypd5UK505XiKbZdiid5c03cxbHYuW5ZcVpvnd0PP558Eqf5g9P+w1PXwyGGzz/OAiCzRd7LquNqHftBNEYizYscFUJ2e+Gxi2jC7E3YlNgj2Lhond0LDfuPMNURicxCP4GM50IETOaNk3oufmJTGNamhafWmcXSdlMZNxI+5JCXFzIlJrmMaGpl9MuaaqgvxX61FLC0lDeQme+LE9TFm98kE3Z52xs3WtflZXOp2da65hxsyggb5lhLDYT9oIkIb/w/PV50WH9ifVjauXJaWpaWVGl+CzVmkMdZLFqw0y0Na/n0DZwV/4QfJ5nSfyIxou0bcfY5pHar5yvsNd+Yb7HYgk3y6oudXqUB2tbA/lx0ipPdipwXFUcsSBwiBfCJwpfV2o8XfrdipRuLGZYdfa79Bri2Lb1Gtan9K28hqtGsut9bQdeQ58X9+LBd+01xOH+MF5Dy62/stfQ58mP4TX8llx5aK9hhTs/iNdwQw75h/W/nNcQ57hTr+FoK/9gzS9YbBVeTfxv4B9E9H/Qw50dRZsdhNjl86EchIdn/X6/SyfHRydHfdbrdU4mXdad9I9OJofH/W60JT0ewkH4nif6AJcsav4ydA59Dw5Cb75f7CDcdsJf3UGIk92tv2q0sWeqopIbVIA+WdqVHYQi2YkK2G1/29c51Akp5SnanWpBpbL1x/T3QvIZT2mM59sGCQh6GzMbkezawfAaCnvyP1lkDuGw+zn/Argr/Wmum2K2rpu/i4eSNLTJjzYmyvtqdVzUsCgyaoE016yFMKY/mdXH1BxppMhnc5Hb1UNJwkMpXIVlGc55xoxk0jjWBxt9BL7hbFmcrIqAf1wE3sCJlzpBJPuUM31ibRdCYrv3LtnE/m6PT1Mp0qzN0qhSG6+tp/MpZ1JvPNA+H+dR1GyY0PDaf3OLeCw9+h0Gva4ujmwQF/lU5+YbM1xVzA0TZExGbtF4GM/KE6Z3HZKJGdPWH1iGDmSRyWfyuizB9UYcG+Z5hSczJtvo1WEeJWsptf3J9Kw3PTw6OZkc9iN6TA9DdtY7izqsw/onh8dV8rpWyd+GyA59hdT2e5uPbZP+XZ0ayMlIGFW5xLINkODjCjur3LsK0ha0oy9EK+K+UCNfpzPtHJ9Q2pnQs05vcuJphVzGvkb48O7lGm3w4d1LG/9oS4viHQU4uWGdsoxhm3tYeB/evVQtCIPEJ63G0jSYSAZJ2SQSy1SLhCAqnLOEtVzlgwXN5vi+INaPt8lC223GKxrbNotNxq0iN7x8PbZXrnOrRMKw0iwFeib01gTrooP86q2e7YEmoaarSaeNb1sgESLPXFVBB9Vk8F/hrZ+GbVL4vZo0phLnTNjKGx/xag+LCNaEpuGGz10zWE/0rkj7fo5BtjafU6EbTCsni7zBDMDV4MiSy7hSRbUCgitTo1MxqHPOM/R4tjQXU5FpVShvIX56Duut/H4FeMwoJBEumOQiIkmuMgAy0boujPOIRQ1lFswZGR6eMLK3SGd7hZ9Dv74X6O/qHFrgDuglrc2SojjMg3PlrZCZVyxVEwWOPEacHn305D8Ti70KcT4++mgOLeUSFHbQlezbaR4/oAH2zXIbrqYmi1+rQEiG5Ile0pgQCY3dc8WKBXvr+UqgGGhxxuEp+ajlWcP7CHeH4HuBBY8FzhWRTJ+OwNTXh2Rpzw7W4CnXLfWr3jSE25c1wNN+//DAVOf96dOzUrXeR5lYlLhnF+QPwMHHH9JERFApvtAzIPqKKMbSEmXrFb+8Ngqpqz6aiJRnQpvzRgOICezckdsMJkyrGhSclqlHTpUvChQuW6FOs4GhX4UMgoyl5I8cSgkVB0fQXXofrdZocZLjsnTdaw4sBUt/SZUbaKu0zzc2A7mXEGloK34uydeCKuVJzYPfyyH4yqkiqIwh21UJhbc0m1dwe7oVCbRXGc4OKpX5FbJq4+j3D2uao98/LA1KH6Fud2kkAAIUYldzEcZrfsF776Y5+Hb0XkXYanvXT7B3wX1e5DsgfCxQg98YdM5qSYV+F1aol6hmfHfe2G2bGmlitQDfJM/cUy0PmZmsMVMcRFNIKSUsWWTFeGDo5smP+HalgHyp4wOZsGzJWDmEIVsKY6tWNuhvXR1Nq+C/S6N9P6XRzKFtV0IwAuirdSLsNnuVfddkQX582mh3mvGu2LfK/oS/i76Rv4u+3avo2w5Dij8g+AYbxR9BybljP6/pygeOu2rHiFINJdc1Ah415i1kzrIb6s4X6Gcod5HAJFstH9BCB9rTQSFsvyCu/oYzhTuqrSRFEgHVaqhxEfPIHpOtI4qmhEK8DxrcsFsrzz+cbFEC5oet1/ctS/X9XaWvsUrfj16g7y9Qm+9bl+X7uyLf2op837wY3991+IxRMaYz60b0TAtSfLuBgWFgWDOj6EMrEoYF8chEiqV3h+hX17tFR5eaiyXRyiuF6117qwzty0KRaOPQndXxVj13Q7Xn5C1sAuYaUX4FLYHYqizhb+e2QdNqwdzJgArS1QY1olMqeWlQ370TuKIHPPkYl+SjOtdX4k8ex/TgKOiQJ4Yb/48M3n5AzpA3I9LtjbvmcPOKhvqLf++T88UiZr+xyS88OzjuHAXdoHvkhvfklxfvX71smXd+ZuG12CfYnO6g2ws65JWY8JgddI8uuv1TJPfBcaePeRqO6CqY0oTHu/K6vRkRA588sWciyaI5zVokYhNO0xaZSsYmKmqRJU8jsVT79eRceLI27h/jyufNgknqFUq0tiGcRmx8rgu9ldAmZUVbJyM6r8Qf9IZVqXXNZMp2ZcbX5mCwuWGb0AO6XLVC+kE/6LS73V57xlImeVgd/Q9yBFjBa3tN73F6FXP/XaWMtU6/FmctPlzPIUszoVokn+Rplt+1hqlc8toa3m1oYG3wm8pjtxN0q5pyt0OtNBa9Y+fU2t2zr25i1IxoWf368vz1JjaVfq7cnNN4+F3j+dNOL+h+IhmdPVH7fp9P60Whyri/qCI8nUHMiDbNmfkT4FOlRGiy6Uw759ReCcJ5AQ4UetauxLDX99Qgw07IrvoXPvfa3IwGevZNs5AsFDLS4Hg6i3G2GZ1BqVm4Qs0hEAGSBy3zvHbSn9o8bX8iLA3pQuVmlKqFx52mkZHSbadrxYWg/cK41F3rKpYqIbES8X8Yu26R37hkak7l9T7cWUIpXKzHazsrSzqd8rBGCZ6mTK7kqgFBzEM4uYLBijyxrjSEir+V57+/YpJ3T69UlHrbWd4xvVJNAgjKsfdU+iQaRRwly46nJCvQBiky4dJIjozOZqALEOSbic3y8ITbSm/gSznm8jbIn30cQTrZ9o+zEL/uVgWGUtpDcMRVKBkcuqsrDGHCCDx4q/jitW/C3k0tc6LzuzxtcbTZmXMGJnQ1NJYiFqLGOHZH/bq+/seajfgrnHzeLEzBRjMDODJvMweRZ4pH7O6JOK2fxymTdMJj26LQqv/aD6v3Ab0NlABt4MSnDahJzaNvE/dv3Aa2Ud1JLCS/I/6U2qmjQaD1uR9RDhPJanShcLvjao/bgv0YemNNorZb30+mvg90CMcXjWv0YXSxr/8AM5fG8KADWrxAMzqBnUiSS1y3+6W7t6I2wKecxrdqllMZBebvIBTJwaclm8xZvDiYijFEkMUH16lYxiyaMQ36oDTBsa3LylQwz5L//n8A5AZWJkbx7O/7jdFBNjTRXq/Ub78e/3fPzmvv9y3K7zQUn99FIdwyIpdUUqKCCoUsLMsSc4pDuh/UBMlIUMEhvFHqoFa0dvDraLQpJbwRf7enohpVK/1X6ySFxYd7lnJbOI1hN/SxNb29YnmEN8yr/ws67GBKP4GYx4/CGzaG28SxNzg1DiWjGYv+O4BGGQ6tr1s5M3vxxeeFUFpzDH698Gf4e42/VylJaPhmREwaHOkF3V5w3PLDeMrkwEDBd28HW2ThszRP4NCz0wVitah3g+KVreHqDtbUF0cTixpWx8WmJNhxdXgzY1QNT66G+zZwAjvKL4qo5+bNkpgL7IBc+XfO2IO+igCB2vupOl2ru8emor+c02zM1VgvAR7to6xXZdxBr8n61fD3Bh61e53uWbvT6XS2KAez28rm50Qy20N0lYIp2c+obUwGScIzPjPHH0cLywwn/VGFL1XCNHMknPH2hKf6W3DnhTP+k/7jmaPjcbe7BRm14I13Kvx4ihSSqJCmzaJam7yeSbfTPQ22EQoNP2UyuGFpJHaVYf++3K67tsHDEIgZQr3uOEvpJF5jrvsTEpIF2vLaYDLTWNDGZuyPRxqMCYeRNJ3h1Vcn6GiLu9sJOsaZCH/a2lNzRhKhMqLYDZN+rPlzbWIqhCj06VNbbEoxpRK4awOtvYgFzyxREpZJHiryxJTWJzdwlV+kn5gw78/QqHwh+Q2P2YxhMhfeEmdMmqy2/RZ2Uimg+ne+GoaDq1+bSQALbbhM1ASMaR9TvUKxYCuMgAbzy5rqILrtCGvx7dcs1aPgaDsWs/SGSwH1uTa6yvpKvL7wh7WO6TS9JS6JAaQEOdQi9+EQXMhyyaBm2XfAoowlCyG/J+68xxGtYwzc/SQ0yw2hNUkjLKkHs2iV9mvLq/Dh1sWGFN6trxwO8q+p9baUtLY7Oj95/etwv9js9dGYZzTjN35llBsmQT5pes3TGbio916K5V6L7L1iEc+TPSPNey/4bL4HLNDHNHLT00x16tNBBElQVQekKcHgcGWAqoB1GHQwMvcWfIgRm/K0nMilIRQPl3jkSRE8wRURyxTqxkYkoSmdGd/T5dW70fvgjZy1yFUaBuQJfKGVJ/kwapsiKamAqoBT7h215Iymrl3Lci60MuDKJkNmgsxZvAC9Dx51xUIQTm3Zgp7Q1tdCpH6LGEYTRWgohTKG81LIOFohoulNFKRcZcFM3IDPoo2qCMS1rgzM5chmooos2aF14bjeaGFAUKumHigKuwna9i+yCIUgei8VkmfICCLZjJr+k54KuB8Fa0a8RhM61I1UbGuCPCUT006TpuFcSPOxHdojM/ojn5tnSpT5J8Ae2JwXbEc5gaaGeHVhoyJhKcUxZstpZoATrsl7aG7LbCXkEvtozF023IJmc/uw92DDAPV/Q7aQLITmOm3IvCxeBN8hfOLlizOttmdFDLMd3wQaX/KE/WmjcVYPzzhOKw8nfGYO9k9JJnNWhm4oUgIr/CI05sO4SZxXTN3xB+w22EtmuQSmGGRN89uA9JpD/nN3TguA3pend0LWxFVQsCPgqcpocQBdSyMoUW7eJfZdwiO7LMJY5FGxAgb6o92IpF7mNKIZbV4Ur/BXY02EpVfhxFpcJNAoGsMDYwtSPxkypcxpxa6R0qzhhWAhhZaGIsC2SBE3v7Q/3y0bfpAXvqJX6s+Q7mFmbA5MDch5QmesATVNeJtOwqjbO2zUpwX2Kw2BXA3dQdzQybIC5fIROdciAg+JOPJXiB2QJlzgSAJEXiNjjQ/fKWceDjvA4pB+Nxo3Iff81pg2WDYVXJuuHw9bQsM5Txkol42Q4QuB98KmuPxzxXgDTXr3W5tiRRnflHG19bUpHslmhdl8N47So43wrT6KRHgNsooKaWg/Nywv8xtRGYVL6Dg2lXZAG5nf9LpWcyGzsdkSCsvK2gEGX9spoxX7tRsWabgeLL9SUiJmW/J7rTcTyyNY8yuNRFuBSmuc7bGBpvMW1JZYK29uhvT+6DDZkzwi798M3zwlL8RS2zUJhTLHiv1UG0vJwiB3WxlktT4nTqebIQRWcvXGX8jtC/OpAchVOhW+tOK2oF8nVtd4Aqq/bxRP3DcuBiM/hobbqJGAhSq4TbD+/CO8BKbYEV0fnoo3K8kawhWZWS3pq1lTyqhoLo6+jrzTgiJw1VSwvY5XqGCS87iOss5Rt3vvdU+H3c7Z3mbDeTMigMF3vDcPJBQRa1wHd41FZZJl4XzzwVgsJiUrvXUSeJ1PmExZBjchKIe/+N81wC1+d8Ze2XIrgBJfCu/WqsVLazVradB3y1yV4gsRNaudrRazR4GFMC1V6szVqPIGHX5fTG9FRD5cDeuI9P/VgoYPN6kCYh2ZiGoq/wuR2XjvOjJUl//zxYrZ+3mc0MWCpzN8du9/NlxF3ohxI0nooj5kyNsy92nf3bi9sTUPXjJovaJY9rAsLuCuYHTEFrG4TSrn2y9HXMBdgVgbgmyaxw8+ZQ/wCtRr7KD7InZg16JtNvq+HK+BixsM6vJid3nrvmiAiz8W+4o71DbtAwVsstUmwD5vanYihoB9ZmGeefehpMH0xBn/IWJxzWmb5pmIuIKrjmL6/zK/kiH+ckv854h38l7rPWkA5e/COA4HcpVfEZ8LjHupfLOxhTvNBvhjQIeYugF4Yf7NOPldzugV6C5oOMesRVOI0IWXYMs4rLjBOFSFc5HC2LBLZVRm+cL6eAwgU/ImMZEtziGYYaFlmrBMT0zibRfwjWVgkpvCDPCF/tjC8AkYGvjIaQwlR5Rxm1+9bVnXEog7j1qQhwzXX6UhgbM8U0CZZhJitO1CiigPs+0JCfGAbu0iGG0murndhfbe4lJC+1i5zJUnHub9Nai90IktMZt3LamL6XuyoIjM09S0vmoehy0VuzX2D+9eYrF+fVQBdCitMJK7iB7mcvMeUgXW31xxRDu/JVVOxPFISfNsztLMRYWaQnZWrcViVmixl2JmKn9CLFG67gYkto/HPC1fcJSmGYtZoB8LvFJyTaTF6/a7EtHKBAfcoDONboCSNzxl2DaLRoEf3lsqsUonSsR5xmBDsJedMEiHwbuVeko+HtxQeRCL2QEGzsZi9jGozxMLI2JRkIea7MjEgdkSt9UpixleNNl5kwMClQ31gw2DFNOpYmWd4tXLux8bDEws0YOpA8ALUMmK0Oq9kj7s0uShKKQl10A0iSkSS9QWOsCUkMQF+Vhlkcizx3o16L+ZlI/Lw+PpIs98T28xHLAK1lIFAJiI0wq/Cl6ZcHrYaMpVKoGUwiubi3fn5QoVpiCtRvGRCBOgjJfuBrnCHC/Uh5c8ZnBbaRQEinuZKbcKVisNS2kSXy4iCJCwz5mkhW/W7JZwR3zbPBT764MNxQJ0BdIAT6l8U2UI9jZ8DAfEh1Rg8zyhRlbhftIiupspOx+GRVQZhjWaF1LM5MOt3Go0I4JvUFvTmM7UOmDN6h5etRiaWD3PskVgQz4C3P7GMUtnlS2r4WK49OpERLfB5LZwYt15h1KpMrL+tFO4GN2c66+sPiJV61LVOVgantYQlSP0ljaR0zkIysQyO71nbKUmhljUiYjyeLO4g9Kjd5Jdi/o4s115NgKOuRWbQDc3RAHNMvmgkQ0+3EK80WsFCZZFsCS5oZLr1azIUvIsY6k+PxoIjxX51+jNa+CNXlgzaEsguZfdZzPFvOsESFUtAlyWpvc2xn55JifuQGW4uD1VYy94mCzAVb69cF0NXr0F/3cTyNqN7uYgzYmsDHJ2f5A/FyBLMOmfeaWi0kYeDi2K83yycvUW39/h3fGjICzEoIarZCSSpq13DRq9/A2QOnCWfspZzswirOGI/Jaka3FYWBAaU0cF3Tn0u+MGp/12s3GgSNGFq+SBU3nC5Lisiu/FIjxGAzy/ihopxQF+yhkES4Br5gvnZqG5dIiyvF7T6TXdWl4zscCaKPemxC8aMQJazdsvmLxBULAWqfnw68EgwnOSwH7PCVOKzhr8udfs9iEId81uW6YGnrZPIqwiq1e++R1PF9CCwarulWOaxCK8ru2b5B7rFmkBobdPQpEs9LmWRfsGBSlQ1MYwZzRiUtVwQ8buZsjPbflUMcWBGKBYVUUV6YBIiZbro1UUrDH/7f3vNbv951Pyv0DHf+4F//i/AAAA//8VGTXW" + return "eJzs/XtTHDmWMIz/359CPzbih5ktkipuxrzvRDw00N3E2pgxeHqnxxugylRVaciUsiUluPqJ/e5v6BxJqbwAhU3Zbg+zz+OmqjKlo6Ojc9O5/Af59eDd6cnpz/8/ciSJkIawjBtiZlyTCc8ZybhiqcnnA8INuaWaTJlgihqWkfGcmBkjx4fnpFTyXyw1gx/+g4ypZhmRAr6/YUpzKcgo2U2GyQ//Qc5yRjUjN1xzQ2bGlHp/Y2PKzawaJ6ksNlhOteHpBks1MZLoajpl2pB0RsWUwVd22AlneaaTH35YJ9dsvk9Yqn8gxHCTs337wA+EZEynipeGSwFfkZ/cO8S9vf8DIetE0ILtk9X/Y3jBtKFFufoDIYTk7Ibl+ySVisFnxX6vuGLZPjGqwq/MvGT7JKMGPzbmWz2ihm3YMcntjAlAE7thwhCp+JQLi77kB3iPkAuLa67hoSy8xz4aRVOL5omSRT3CwE7MU5rnc6JYqZhmwnAxhYnciPV0vRumZaVSFuY/mUQv4G9kRjUR0kObk4CeAZLGDc0rBkAHYEpZVrmdxg3rJptwpQ283wJLsZTxmxqqkpcs56KG653DOe4XmUhFaJ7jCDrBfWIfaVHaTV/dHI5214c765tbF8O9/eHO/tZ2srez9dtqtM05HbNc924w7qYcWyqGL/DPS/z+ms1vpcp6Nvqw0kYW9oENxElJudJhDYdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9BnuMeaEIVI9pIiyiqPaQBgGOPoKtMptdMXREqMnJ1vaevHDo6mPy/K7Qsc54CdCv7ZGUi5fqYqpUBWWHixn5TKplVKfz+vzGCC6Y1nbJ7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWe39kxwQSg8bb9gKmDFTqeNqlJTWbzlcqrJLTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxrhjN6DhnRFdFQdWcyOjExcewqHLDyzysXRP2kWt75GdsXk9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6f3nYCY0vlUSMUu6VjesH0yGm5ud3fuNdfGrse9pwOpGzoljKYzv8omjf0zJiGkq82V/4lJiU6ZQEpxbP0gfDFVsir3yWYPHV3MGL4ZdskdI8dcKaFju8nIBifm1p4ey0CNFXATtxVUzC3OqT2FeW7P3YBkzOAfUhE51kzd2O1BcpWWzGbS7pRUxNBrpknBqK4UK+wDbtjwWPt0asJFmlcZIz8yavkArFWTgs4JzbUkqhL2bTev0glINFho8he3VDeknlkmOWY1PwbKtvBTnmtPe4gkVQlhz4lEBFnYovUpN+TtjKmYe89oWTJLgXaxcFLDUoGzWwQIR40TKY2Qxu65X+w+OcHpUqsJyAkuGs6tPYiDGr7EkgJxmsiYUZNE5/fg7A3oJE5yNhfkdpyW5YZdCk9ZQmraiLlvJplHHbBdUDQInyC1cE2sfCVmpmQ1nZHfK1bZ8fVcG1ZokvNrRv6LTq7pgLxjGUf6KJVMmdZcTP2muMd1lc4sl34tp9pQPSO4DnIO6HYow4MIRI4oDOpKfTrGFc+zxPMpN0v7RPed6TtPdfskHX80TGRWPNupGiibuH3HPfK07BQZZNdWoxFuACPDKaRi3jMenDSKCEf9IwxpT0Cp5A3P2MAqJLpkKZ/wlODboPhwHdQzh8GI0xTMKJ5a2gm66Euri5IXtMh2t9cGJOdj+Bm//ucu3dxie5O9ydZwsjMcjsZ0a3ubbbOd7Wwve5WO9zbT8Wj4Mg0g2vUYsjncHK4PN9eHO2Rza3803B8NyX8Oh8MheX9x+D8BwxNa5eYScLRPJjTXrLGtrJyxgimaX/KsuanMbccTbKyfg/DMcr4JZwq5AtfufLzgExAsIH30WnuLudVQVAFan1fMaaqkthuhDVWWTY4rQ66QQnh2BcfMHrDuDu3RbYvoSQMR7eU/DU2/F/x3q7Y+ft1BjbKcB/kVvHcL+tqYEeBOvIcA3fKyxvLsv8tYoNNGgW3GjL6zg5pQfAqlHGoWU37DQB2lwr2GT7ufZywvJ1VueaPlAG6FYWBzK8lPjk8TLrShInXqaUvMaDsxyBpLJE5LIrWWxEqqgDOEsbkmgrEM7crbGU9n3akCw05lYSezZlO07pOJ5R9eoMBSUdL4r+TEMEFyNjGEFaWZd7dyImVjF+1GLWMXL+blPdvnhZidgND8ls410cb+G3BrVXw986SJ2+qsLHzXKmlJjRoRRHHAav0skribaMzqR0Az4ZPGxtc71iaAxuYXNJ1ZU6+L4ngcj2fHuJeA6r87kdBEdgum3WSYDNdVuhlrp7qhmlZGClnISpNzkPQPqKkHgtD6FVQOyIuD8zU8mE7pdIClUggGjoATYZgSzJAzJY1MpZf7L07O1oiSFUjDUrEJ/8g0qUTGUE5b6atkbgez3E0qUkjFiGDmVqprIkumqJHK6rHedmczmk/sC5RYNSZnhGYFF1wbezJvvM5sx8pkgQo2NcS5I3ARRSHFgKQ5oyqf1xIQbJcArcx5Ogd7YcZAZbALTBbWg0RVjIOeep+ozGVQxhpb4UQCjkNonssUdGYHUWebnBoZvg4E73bRDfTi4Px0jVQweD6vJY5GmyigHs/ESWPdEemNdka7rxoLlmpKBf8D2GPSFSOfoyaA9XkZYzlidd5sJ11LnoDqrAodazTkPnWntQdvozXBfB08/CylpcHXrw+jM5jmvGUiHtbf3GMjHrg37WHz9Ei1I0BuuD0LSPp+m9wRdLqvBw5tP8WmVGVgE1iVXwo9iJ5He2DM0YvKpaA5meTyliiWWnO54ZG4ODxzo6JkqsHswGa/sI9HkMEB1EwES9A+c/6PU1LS9JqZF3otgVnQiVE6FtKZCr2FVrVrTOpNWAW6NtMWDmdkeSwZRYWmAExCzmXBgtlTaTQfDVMFWfEuUKlWaoeJYhPPrRwoorVAjUfP/ezMe9zZMQvmLZj3EQLcsbRgianf5nqKGH50VDgi8hNY6VXpyiLEjVrb1VxY8P5VCdwAMLPRcPYO6p7BavwKaTpDWsUK92sdTrT3DAZ/Io634ecJHmA4PKiq0SwjmhVUGJ4C72cfjdPq2EfU1weoRHmOoINuZyS54Xa5/A9W+0zsQpkCC05zU1G3HScTMpeVCnNMaJ574vMSwXLTqVTzgX3UKyXa8DwnTOhKOQ3UuZ2t4pIxbSx5WJRahE14ngeGRstSyVJxalg+f4S9TLNMMa2XZVMBtaNzxNGWm9DpP4HNFGM+rWSl8zlSM7wTGOatRYuWBQN3O8m5BnfkydnAmscoZ6Ui1AqWj0RLSycJIf+oMRv0wVo7wnOg6K2HydP9VeK+uEKUNbVMQbiJlMisQpcwisarhJdXFpSrBMG6GpCMlUxkTs1HHV2KGgjw1Lgdq7Wo5N9OgFOdPMvw2JM1N0w/oNpHe49+n+ZrDUB+tD+g0y5cnLkz6UgCWWd3q/a2G4AhYS/B6HA8HMdPGnNOmUxSbuaXS3IQHFqdvXd33lgbgTlXYgMcKQwXTJhlwXQaOSvCZB34TqUyM3JQMMVT2gNkJYyaX3ItL1OZLQV1OAU5OX9L7BQdCA8P7gRrWbvpQOrd0EMqaNbFFLDHh43pKZOXpeRBNjXvfKSYclNlKK9zauBDB4LV/0tWcrhBXH+5leyOtve2hgOyklOzsk+2d5Kd4c6r0R7539UOkE/LE1s+QM3UupfH0U+o8Xv0DIjzgaAWJidkqqiocqq4mceCdU5SK+BB7YwE6KGXm8HDhBTOFWpUKbMSwynfk1xK5QTPADwqM16rtrWEQvByUs7mmts//MVV6o+1jkA4lSa6nYdrOY5+hwIE5JRJv9quH2YstZFiPUs7e6PYlEuxzJP2Dma476Ct/+3wLriWdNQcTL0n7W8VG7Mmonj5AAzhgcYsJ2dBR/MMEWXFi5Ozm22rb52c3eyuNWVGQdMlLPjNwWE/LM3JBTVJe7G9Z7V/wasX1mZE0+fkzE7kDAEMIjo9uAhWNXnBkmniXEQ0j61/giak9x417ivCAYgMSWupgk9RTEkuaUbGNKcihfM44YrdWjsGDHclK3tMW2qrXXQplXmc1uo1F20U71dlY2zY8f8s+ECD9RFKXGPVZ/j2J6lsm004OnuyiCZ5936cuT24i/gty9GGKZZd9imLTyezrMUy49MZ0yaa1OMI5x7AQsqSZR5kXY29jhn2/6f64gZlTzScMzAnUkHIT+KeS1JZrBCuyUr8RftGCYOf3E1RxgxTBUjYUrGUa2tCgXuEolEL1+YQ9FWNc54SXU0m/GMYEZ55MTOm3N/YwEfwCWs6rSXkQs0trRqJ/oCP3Eo0lJrjOdG8KPM5MfS63lc0gnOqDVxXYOQT2ttCGgK23C3Lc1j9xeuj+qp+JZVJdb3SFZERNhpUYWR5CRTwBYiCTSb2DN8wO6vTVdw2vmAXr4/WBnhLcy3krfDerwZYxOF+4N2MgKOS1pTvxgPR16Wf9rxh2OiK0KIICOjPTThANHfRTL0Ti1EPfN+gm0ozlSyXZGJTCz3SUqGf106Ol08FA/+HnNzFNaggr48OziB0BVd8FIaKaWW1uzpWUJ4vaXFWrycwgddbki4AkyrPe1TEP6XHxS54VRO7JJgOLAd6Q3lOx3lXSz3Ix0wZcsyFNsyRWAM34ED9agQIsy+fAnGRSwuu6QaY+FgpXJ+/AwdX40aZU2O1kB5CRTiXaAfHO4GTdYGYUT1bmhmOmAK+Y+fBKDGlmFV/O9Fm1DEoQaiQYh6H+6IiF5HKe81clMoVrIJn6KmGD3Z1VyEcLZVigntF88acVGRWJNU3NMRHcfcR1VKCle6IVUKU9WzW0xm+X42jnc+swo3eEogF5aK76IilUWBpXVQombddyk9GuAdKUQjgBoKEmbyrCHIcmqHdLYBX/7lyzcdU0EuIplgZkBXFrNXCxfTSDogh0PfgrL77lhUCHq6+/Rd333xjBgzBMxZuSGAoAte5E0VDVHy9DLzCwqgqbztBbBW5M753Qt7UcZdcxwFgVJDjw00M/7LHbMJMOmMa3GLR6IQb7UKqayDtEW1mAjRCurkOgUVNENy4qhIuVluxQpoQhkRkZTTPWDRTGzKEiRIXTOwX5ElH1K86l14zaQEHrQeCqGk3ubdv7bBc16A6hD3mkjMFh/PyxNvqRY0gnAuixeOrH56FDADHuuYk45MJU7F3AhyXHOLercC3DGfdMEGFIUzccCVF0Qx7q2nr4NfzMDnPBv5aCeifvH33MznJMEYfwhyqNhftauK7u7svX77c29t79epVLzqX6Y3uItSzP5pzqu/BZcBhwNHn4RJVyA42M67LnM5jhSq2gTFbbz1jN/fzrQirqKHynJv55R/1DfGTM+poHmLnsfjBa2ngFMCAatbU4dWVXmdUm/VRy7Pr4hqXd8hOfDzryZGXJgCrZ21tQPn6aHNre2f35d6rIR2nGZsM+yFeIh0HmOPI4y7UkcsavuwG0D4ZRG88d41iae9Fo9lMCpbxqunMcXmtX4SlurliZtV3aBtH9Cy8MyAHf1ixXX/TkwwxX3eTLHpa/fq/DA/0GMBrlkXXjpyrufp+dlXMyePXf8OzhQJUPvvu26MAJkz8quM0T3qrB4TahQ7INC0HAUNSkYxPuaG5TBkVXU35VjeWhZdlS1qUuyv7RHYbK7kyY5eaTwW1CmlD25UZI+eNX+5Wey9mTLN2PmDD2gP9ccwFVXOYlIRJ9eKhyJg08oAJNpYyZ1T0oe1H/AkMYVqCCs4x/trBYtHnov26loVRFXvAdqhB1YaaamnBcAdZxl2oaxfLQOlMWf6WWksfQenJT6nQjHdZgVOrDKdqXho5VbSc8ZQwpaTCtN3OqDc051l8Uy8VMarSxs9HXjN6w0glomhOPIb+1foVfz7r8cOwt1ZFE+mMpdd9yWfH7969fXf5/vTi3fvzi+Ojy3dv314svEcVJqAv6UL7HIdvCOxA+oHf1eFBPFVSy4khh1KVspGe8+BSAI1sEQl6z/FYPTdSMbT64q3s2R6Szpq3Xn+3e0ohArh+/a73IOcQ86x9yOMA7EHLx8KQaOC5+Egp8nkz5XY8J0bKXLvcRvBSQrYcS6/R4kM67JDM4w4yEOtn4rWf76CHFkRKkwPdMGV1k4zQqTVtI2/QjNU8VJimzdF73GgD+Q+cpUUQUwsOYPKOjIPMiL+8Jz8gPNiMAXfR2Z3yDVFCuUtOdUAGKJAI3P2au9CXk3iQqBZIJKtmLC8jpyi4DzAQIAytnWNCzK1kNTxoPYtIrGX6LevF86yp/POCTpdqjMRKFUwWQgsRIEtomLQrRR9ohk6XBFlNWQ4uOm3dUkUVSu6fPqpUck+tkraZBrO6sh+NeZe4HfWi6+ipoIcizS5LEcXRSUEFnSLz57omhI4ShRVSIj4SpSLEnOSo9fU9vCR69P6UFWS40dMQjoiRNRvNQiE9Y0ZZKg/lpyD7cfkp32ICRSP/Y6EsiiBlXHGhJ8qiCMNCNsVzFsVzFsW/dxZFfDB9XJ6rJNbery+VShGzwud8iud8iqcB6TmfYnGcPedTPOdT/InyKWIZ9k0kVUQALS2zgpd2tnjpD6QTsEYeQan4DTWMHL35ba0vkwCOAhgX31QyBUTvRx4Xt1Lww9S4MZKM54CJIwZl4p5+hctIj3iELvblciTupOWvnSiRddTE52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ7zVbIstRjvr7u9ev4eP9deQXiRmDiJmcjxVVnGmSzQUt0Gb0CJU086X6XVVwcCq5n99QMXf1N+Oq4q4YniQrekYh07sxz4qr6B5CwcFV5aMBx1Vo3wIhKszgeNA8hea5R/pE5rm85WK676H5CznCBaznXFy7+ebkxVWS5fnVmivp6e1hKcivXGTyVtfvnyO4bzG26MVVomXfe+8F/7gOymln7R1YGmDMcz7uG7Cg6dvzxS8zm4GFyZ8ocq8F+XMg37cfyNfesu8nrq+1sucwv2WF+bUQ/Rz1dweerGqcFNnOkhjim6MdnOJR8OgZHS0JoPNfDkafBtHmzu7yYNrc2f00qHacs3opUO2MNh8H1ZI4dMOsd8pNW2zWRYILWmrv4Y95OvTmk4JkXF93j801U4LlW5uJ13wXSXWhZln2609VniPEdpLO2lvAH+5/cIrlB6ymv7X54ZMWxBKq0hk3LA1ZIksIbzx7T+JpiKFqykxwZdhld5b4cXf7EauwIoqK+ZIWcBIqiOE0HTIb+KSkjEBHrKLkOVuHWOMnVSdKlkSALXu1rVCFT1jsGY3jOR5enB3+sreXxdOv7qbZ2OKRK9tNtpJXu8NhMnq5Pdp5xBJ5US7TDXaAzq8Q211KZVwO+dkxnjRyIIiDgqyvQ1kDeIxEcBH7S9rszDjhYspUqbhwmWDctXcjdGKg0DpizAXn+vxyq5lhpfZaI1JU6GAtaTKzOpBM00opq2JiTCc2VXHNxqAbh1E0WFsAPeb9NbUpJfBhWvdOvb29TSZcMTYHRrExzuV0w8wUo2bdmpyWN21sDkfbG8PRhlE0veZiul7Q/JYqto7IWbcTcjFNZqbIu9JkmO7uDbfSbfZqc3Nk/8hSuvNqd4vSbGs3yyaPIBDfsewSDsNSM5LdSfgcbnZ+dnByepEc//fxI5boGhsue11ums9Z30pg1x8+Hhx7bw78/Tb4ZVAEr9yPgOBoE42+OEen5/DxHkfbT42geDvh0ek5+b1icACtPUaFvmVRS1X7u6tL4uwyxuEshl4IddMaP9aclIpLcKlNGXaNc8O6QV9cZUJDPvo+PH+15pobzv0k8ehwi+R7KaD7u24z6UbEaUOMv8bLT6pjF5yDAa3HW6ZYvXeoPnCN43ShxFev1h4Twt9Y8cLJJS0WLAgFp65bMaLSvYF3uzSdubmIdr1JFDOVEtEthO9E7Op6RtovI3Aldc3mDi919LzfAMSzZr4pbiM5YDwnx4fndXOrd9hoBccCXgwcNHZoFfVy8Ec/uSC39q3jw3M3fDse0O6lpbGodSH2FoNfmgke9jlPy+TAkIILXlTFwH0ZxvWLKiptGu1Lr+wsVxY4KG/TWQbX9YXmwBoOYUhqR0tBcHLje2hTTUqpNR/jJWEGfUOs/kdrt59zgPssgH5AqSYp9p1rZJW0yC5Jc7q0/BEsIUAxrC5siM/0yZBioE+kCwbD9jsdjnhy2gt6VJtoKYEpAG3EAjHUqNWm2x0ORrEwkI9qxVdLJjLtL0yxM5zlSh4l8YB+7R0xPxom/v/1YmHZNSCiy2hLcVHxgBbopMRmNLrZ3o86x56ckMPTgzfH9kCMmUWWfT+/sdpXxJxWVzW5whvOmsWYKJtICt8eUSrFdCktioOXOhoEzmVCTgKvEtL48Jj2mL6z9BU0UfKpK1dWvDDoCt/ZFqvg3RU95bfGmEUCRe4KMbzw13EQ/XkD7n7LumHBgIHeXfAOVJrOYs7OJsCYGmlPXKdUZSxLyG9MSV/SogAH5MxdCCIPrRE4rrGGU/SkmfQT6hLLylzM6pIyn8hjgDab7i9GM6YuJ7lvzb0M08nfxG6SnBlr0Vg2iTMTmLlRcKXEjoN17ZF9cnAwIBeHA/LuaEDeHQzIwdGAHB4NyNHbDs26j+vk3VH9ZzOdY2lBJXaH7NIw6jaOCKAa7kAyr3yUSk4VLZAC0eNmIkK2j4Dyhblu0UCQRFryOj0OuYPuMaQ3R6NRY92y7Anzf/LFu2tVKfDuB/UozE53dyvXXEDoK6qpDc2VhIbyccwhdMI2Hnd1DzfM88BhUBMGzMCNdzzmnTj62/vjd/9o4Ciwxi+mMrhufE5coPXxoHbQ4ODLFIwgEVugxYIv+IZbVQeFFOvg0YC2uumMKpoaa2+8GLNc3pKtTciDtRCQ0ebu2iCifakbb9S8PNhB2DWR6ZSW9kxRzchoCCJkCnN8ODo6Wqv18B9pek10TvXM2XW/VxJyDMPIbqiEXNCxHpCUKsXplDnjQaOSmvMoG3bCWBaPkEpxw5QL6/9gBuSDwrc+CKA/5i7oHidkwz5/9TD259D1byl0PdBFwP8y6SFMAnZe7UNwK6y7/XaotMss3EAzsAtzw8vcJeYBMwwzDWrc6Gq8adc5ahDLoIH0GsLGrbk3YesxVgZII0ISoyjPoREwU1z2a7/9SH9OHEAW+Jw48LjEgZqAvoyV4Iyl+zWLg4ODpnrsLdbLz0kBPOg46vKcnJxZRY5Bfb6r2MFx1fI0+B+vvMPP0Q6fTHha5eBHqjQbkDFLaaWDE/qGKs7M3FtIMaUW1GhrGdqhHFgJOf5olG/PC/BFVT88oGbGFDgFwAEaIeeq1lnpNYPBvVMLWyBl7KN9u7BUEg+NegG+BL8zqjkEXYYR60a4qK5YDXciuxWEg4nTdqA0vxu1NxjU4S9hDfi5+tN/T99CdFsDuiWejdX4cARfvg9CygYO0VYxBfprSi/oN1yX0IruAiA4a8pvmIZOw9EtQqP1MDyWKhYH/2VCh1EmCFv7OmBRKGoAvG/fef4bQLTml8LXvimZcut/IUv0weZzO4SWMggWZ7Lh6VhLyIHIoDJ5KkVtvTqsNs/+3XcS3qtvjTnHEzq8NLh/Q8XLtHHbc3z40G3PG2boeuyy9hXTnE968WKbvdfoUXiOYr9XXLEMig8+QczO8eF5uFMHORbwaxejiZEJuWKpTtxDV5ic48GomSBoRsB6Km2wZihcYOedVt+E/DpjAvcMNjBVUkcKGxcZT5km6+vOVequMSxAFp8659OZyfvKr0ergfejcPGcwY26YVPl7q9p9i8Lqs8yTmesoC38k0Ygfw/pjJJhMowpRynZKM53HL5YOCifiuhOzsUQA/nOwbkR8Pgem88XqD/gc+4yqCwZFFnKGRb7t2j2jADyZ1JqpdAtSp/gzMC950azfFJb21Tg6I+4kVtSwQdAJnp+WpcKCOC9jrglpeP4cKgeCJy36QEwosSZnsV6j1VjYG1oen1ptYvvIYPxAsOJ02sCKwo3QIBRS6xlDjeF7GNIMgD1p7ci65fRfcOGD2I7BeOxwfUWBy+wjykr69oBEff4F72hSU7FNDmt8vxMwjXFsX88Ziuhm75nK+GL+9mKO9J99T4hqvmjuSMDIpfegsHSoIqnDfYQuNCBfZRAGRpXxA45RltMe+EMrT8LZmZ4dAO7qo2H1zIwK5AlXKR55ZqYwG0ONeEODYwvMa3HCDXV7UT1Itx4fijqc5Ys4UHeFbZPwb4sNNRvc752tHFCoQo3pr8YB3MwLsUwwCp8fpC6ISkZM3NrNX/qW1xSp+Kom3D/jJNxwQ2HyHK7VbnUdm0HficeRrdVvaQfEm7URYU1sXJSMKorxQpsgQOZAX2YjR6DaHZDr1mg4RjNMXnUOC5YISE+hWk7jB8uqzENc2dQncSfTlaAg79SLCHnDPf8CrPorOy7wmVz4+qwA5/wsRiQIRqu+MMRjkMVHKR2Xm2s6d6Q64u1olmgKNYnmw84erAZ/KVEs0ymc3yEsk8YMxjHS4joLXICFXqBBGqtdEaFx2tKDZtKMAX8+GFzLcO4AoSs0yy7GpArd27W4dww+GrCc7aOmn92hXdK/malISBA5Y+iWVyoYw4U1tfAptJMrZdUa4vMdQxKaqoZDvTlbAdmecFBmpCJtYysenmIc/pahhjmhUY3KK7U4I7U/jGwX5yTy22NHcgDT2acKarSWRws396bWiPE7V4Z8ykZV1BBZ8XCF43ImW462iIlPTdMOW7XmmLf7ewVmTthETR3bKzlHF/usTAm5AZxM3d3aqhsc408K5/HTbncjHZTrny8KHetgGhcvUxXYw9Wm+rD+N6yc/OCW43muby1EFpzM21ulJM7bkmRd44aq0fA1gQTJMJk11qszMxqf1F5vLvV3qfzLpw4lTONrj9DLB0sCio/gMkNaZ8R5qIitD6Wq9IsCI2M6UYrJqdzalKJqCLtgCg2pSrL490H7g9PE6vHVPYPqYhdHph2YGKhoJE3TIGUgVBmrzJ5ZY/HW8J8yCbqOeTkqLsN27vbe03kIwd6gBdktX+iiV93GnCQTi82tgHy8dYaroG3glSccBVljSlGgbdZ6pzCnkhlP4NjpeQly6FFzx00nXGrQ6SuHNb/gTK/hhYlsg1q4q9M3PDcxJ7zIM0ZOiCtvufLa4UwnbZIORGksCJZc1OhfTxwsYjmVpIwrTtoY9ZjhSPr9x/TOMqlEZGe0jyFrDlXWyuHcBtUjGIHlItccIGYSOI1k4jVFtgWeBWQjnsS0tIzwo3jEi1ICim4kXXgXz3E6ipYyn7H7EffcstIcs1YSaoSbxbgpfhwNbFqLW2EtIlHK1rxxKU0H8Q7W1/7RpUm4tTBzeFod324s765dTHc2x/u7G9tJ3s7L39rhidm1FDNHqqJ9vn1W3CaVsSaaGAEb1vgghxTAqz6IaMmVtaEkMqLG6zYR9OGnMnldOBMwlxO1wbx5EGKGOl0nHldYjo6r6ksoiqZ2OuxBhs2HdIhCuDZUHBASBOcXTC81Xsac4OpF6LnCplVeU36WJEHKxKg1kNJJrH3o+gM0yNsSprOWBLhImxvpRapz9pT8671JhdlZS79j4IK6SLkvP1XmfgBqt/wPOe9z+CdG9DIqJdwjtzUDbcagdvBMG2TkpBPIdbtmcfPzJpNirl7SVPfAzYCHvt4kWc0MLvIvClg95R3agUxsUgw110ipQa1I03aggTpzQpO/71XqwLgVtbANaIcg7nYaj6xxOykX6iekRclUzNaanv4tLHfRIlFa3AfSG+dJDPSbgDFq6rIHVRIoY2yyweXAfhirebYJvq67V/fXwc/Hh59MUffyZFdTehscHdNlz26PdkZDrMmZGLKupUDFtdJLoJMALoIXJUqxW98ZCaDGsGK5i7Q1EjV0TBAt/BFVUAZuKoFTqyLt+jSqwv5PCR6JY5T1pI417IzekObiicoGBUmTs7H9B4rr6OGGSQoUETT214b+EQ4o9KeLjT6rRmmdVVYjUFIYtcG1s4gaApO9vrbqpmSQuZy2qhsY0WNvPaRAlzvN3BF/t/24upv/HZfLSSzd5LRcPTbwiUArnmbGX1jdq6P6/okQxedO3jJaAda96O0fZOQt+LVhvhn02mX4bkuBuVAJzz040V3c8bVkg93pLXfpNeCdnHD3mpBfodq+7TiekZozpTxigychYZ3rBWKgEKrOVpLR8U1kpm8dfq4RRVA0MgViwQcmVGR5RBvOGNzuD27taayMNExVcyuGZyV9ZeoZgBClMzrVXMDo8BJh95NEJSljSWG2xmDJLUQ6Y79tOHuz8BN4bTKqQoh+LXpqKxy1aPy5O1qXg2dammKLM4SJZ9ANDSspa0puotyZz6AgYK8qioxc9eRVcpKCIPCodGiyKspaAJdT0p9U0/hJAivPaM+fACqIMjftYE/NzjyVSskrWEK1lcR4Aa0z9+lZzaw7nn/MvD+zjJ19tEE54ElZ2G4CqfvvSP/e7SGO4xoq7HD/RBD7S6T6WXUajTj2momGThGsbgfmLOQT8yymuit9u9CeiA62CjObrwtfXWJe9PD6s9ZSUavyHBvf3N3fzRET/fh8U/7w///f4w2t/+fc5ZWdgH4iWBGM3RyYgq/GyXu0dHQ/VFrgZYX6ArO6aSyclkbWZYs8y/gf7VK/zoaJvb/RiTT5q+bySjZTDZ1af462tzaDKr/HddosjLWVvqm5Y21qD5V3Lj1XfmQvYwJiNmOmRkKkcjvSj3i4XqnNiMpz60iE3wsJVM+IjuIFOi/gD4czG9mWa9WcyqNy2pAjc/n+0LuvbsdiHz/WcNriQwEc8FastCyb1+sKGL4tThrIWYA7dPRiYdiktdukmiBEegHVjqIAL/XTSkG0IFcKGXlTTjyIqwNP7uENBTZYdA6ihe1NLdGMP/rSoB1Im2oxxQMchSxdvRIROoQl4W8Wt5AVZp4gxfa1ps4+MRtbBzY9VOlgJ5qtAiXXOuYPXjTIHnXKrxay9Rd+uE+3KGFmAbDq2vq2MFrFExaN7eWMvysZhZ74/etknHV6LpMxTxoMWCXcsgv9ICRTDJktQW9rndHM6F7pItDa4PFLLkB9ep5iGLrO2foV4ZThRLbB9yez7VzRnXd0K/lNHK7Fqg/NWRtHTrnbTUvZnpavBAtJ+aWKnZfopY7LKABnM91YRW2mTFltgauZThZuhq77mRu4HbxyTDiCyw3NKjr2ay7Ja57sbR+UFlrSkzX7qq+1NhGxaheWtWX1XcwOrmdzePgNH/Z32VSXQ9sz1WpHc01IVSGp6CdOtZqMeoIPNzBNm5Tw7i/QuiUO0P49lWTp7ghA/9wdzTuFcTbVU/zHlysq7pnFx+u3lvlr8ktG9tj9NGHuIsWPNGQ9vRmTHAndhSDaPFaqw+yoQVeYKONfUYgkSivxrlMr1lGNDfsqodoLiAiHzgSFaQSzOdgNvXfBw1gqPUa+fKWQGxuAvL+3WuSc3HtY/3vLxfq6bJNdX4UrE8LAQc8jQMY3GmNRiAHkfk4CIpPo7xEZDHvg61khbViKGELKeBqD8RuuB7E/o2dnfGVdlznwyjbAhtzbvzHcAiOt4W3iOvrSx3piXdpjpNc0t6gt3dcXxMYAYwlxaXiGHLfZoba8SuiZV6B9yfKyXuvmbtKgqXBZY67+EJ9wJ7e5A7YL4VUxQJEduciVk/BMcX/YBkM+8CCBhgRo1MK96FhEUNLN6PhsMeZV1DuqgS7GudzWcG+N69XnFRAbgJJwjoCSDdv0+wQt845p5mlJ1EvA7HmInVBU8Kqxi2HubZ8ZbEj+rieR+duYN9/8w6xDqGErUchXhnh99dQcBGjO5fiA7gTpNfNygbsI00NkSpzkRPB8RLdjsd34+FYB+dtuBbpYOuGRW3inqRtEebVYqhXmKB5fhpC877by19DBYNgMIQR40oHUQINPuUvWXywAY3i9z130om7catKL7yjYKCwExA65mblzoRPpdBcm1j3dpQZ+91AHbDaVm+5EafnhfWMmUUz1Fy7yuU00fB74n9PUpmxq8QzX/91LWJj13YdvY2lgNwUHWWlcUWKXM233aqP5snR+Vri8xsbbwQV3JE14UYTeSvCjJiaYWV8nXMRxk1liSFYdy83itkJC+5KkZdNmjZ0oZZn91+a4Y3cg9dmLggtvjiLKAIv0OogjTtuzuw5/aNuRbyEtKD7DdXGkuyBqBmH3eGwIPRruVBYB3NTH8kVo5nXy5yw9oRe335EYhIPoCcOrPx3y3XDqk9TVmKefZjUJ7xB9Qxqj78UYP6dHLnJV44rJUu2cVBow1RGi5UoB5+Ox4rdoJ3rHz+/WFlDs5P88st+UdTMhNPcP7U+3NkfDlfWWmy0G/P9jXmqzIyrTwwAhFi5phOqFde2oqvxOkYCroCkHyBJYVRdJDtIrcx3oguRPJGnDwgTdr91FC7o+GoGt+0ycn7hoiAZtlR2S0HpdI4dn2foGufd4a9daiCf8y3NS9ZWVSq1rBZUq23zQcDYUNzQa2TSdTCu7BG+YdrwqV9d08uzgGUhsGKnGxpzerhYz1hpZp3RUSS5G7Da4YOXuyLOvnDZiwKMT1LmNGV32id32CX1kf8s+6SY91goMMXGzubLUcay8fpkZzxc394c7a3vvZwM17dpur33cki39ibsfuvF08OEuysml2Hxk/98T4LFAdZ+bkXjQzmZzu0kJDpoMrZ6UTNU0SUM2F8hctOHyNux3cL9/v8ExbFdeTqndkVeQzjgcN/gd8jnIPjPVGQbUtWLJY2Yq4GrjxJc1OM5Tnnib13Im/rO658/nbz5H1+uU9fZBlbI8pTptQRfdsknzuHXisgHTwnkvrMMsdlajz+OUUyC82o+KmofIwE/QzFZfU1djIILWcixxr8futeJ77299VZqDB6EerXghUKHc0/wETVG8XHVaX+/hNJZiPcwXyz+w5fYiwfZ8w1Vc0sboXMZ+YUpDJKE2jzs44xWGjzlUFFBTpxsaXJryxWCN8hnc7jjCZXHb9gArg0gsz0b1L3irIyCXivxhR37yNLKsAGZ8SxjYgDBuPivFPl84DjkgNwqbnq81Kv/XPHPrgzICj79YCum5+Y7z813zHPzHfLcfOe5+c732XynN7HkcboD6EEwDiiDULN8QXUB4jmR2BrvN5WFNAqefCrtplYInM5FMb4L8vD69R38LdRVhmHcBqLmUJXgx7kq7FRXzuTj9qwwTa5gFdG1lUs1wSwirPsevHr20YG1NNMwnLcmPdxx9fgWvhpZp08t4rDhvguD0K2LYXNX6xSd0SaIXtlZFpShWW4oAxHMmVwC64pL/8ZZ2JniN1EgDpRddW6HyBXQWeHGTBZsg+Ye82GldrhLHOZzF9tL3EcKVFEsD3vPapuOCWDMiuXshkae5ro7ZG8sZ5S8U5ZMWTsXBUDDfQfiMw8XAnER3UW5EqBmiR1XgGWFSTp7WTq/kgdnurS6t2eKF1YQYOvkkyPy4ueTo7V7j9LqaDgcNQ98bR8uG8J234qefrXtA/BF27t9pR5uX7FR21fsxlZngiwvNfjEjl37iL2iitxNhL+9K6l9VjZ3drf2tpqnpeAFu1xiLZU3J2+OMYrfSxefewzQglHYbAiniDaKUQhxGs9N5EqoNBQAiboGcSpoItV0A++8If14o2AZp+vgCY7/Tj7OTJH/8+Tg9KBm8ZMJTznN0W/8PwMnMnz9vQTrV/VkMlr9owS9f+zqW4YxMbk2ZB5ES/d5nosy/mJ5lPTGElKMdi6ITK3aHqiL9hayWR3ubg9bJPSZGmmPQho0SQqB7GA6NI/ZEgtWn7Z7FKIwDwWovKSss03Q7HFKVgdl3pfdFqTyViwtKBLdx3aCVfCgKEg6fVg+PW0Hxa9WaAq6NUKjxsg+GbQ2EvYWi9V2lN+GfZpFSuXjlN+Nu/b+ubHjc2PHu1f73NjxubHjc2PH58aOz40dn6CxYxSxxv94ZLxqj2/XDmKPNZgm0Ql4G/uQUEmAemkusIdrsmI/9hR4H+1u7W03AEUxffmdKGMXqHSAOgYxQ/MCQlpawXnLs0Fh38AQe4FUmHEFgRgOkrUO9YWoiRBDtNRmT1ZBB3/Xe/B3qTrkPSo/++K85QxD/X4Rl9jHneGrhOZwOg2/Qea2rGvf1y4OwF1UkmheF1nw4vzgdC1BOwsM7xBm0He1Siszw1B66M0U3f3Alo4r48KN6gJZrTL5R6fnJF4xIS8gn53nWUpVptfQb8sKyvP6vS5i/5KwnGrD0ySVC98pAe651hVTCcK5TNHike8CsIABvzg8BbqxQMDteYTCgNzOal1lSPCxkV/4dEYOtK4UFSkj51DFlBwefBoSKmGWdtdRIwBmIS8O17DuXXt9788/BfioAATLlrmRR/FEbh+PPmUfD//6/nxA3v7V7+eJSAfk7fu/ttpFDcjh6V/v2fNwdD5r73OZ0ryTB/Hkm++n8fzm9VpHfbLkYTnF3zm7/ZSVSDWlwgWqLnk18VSavHj7GYf5RKSfu1iaX1aCL0uF7FszzYmd0S79/Sesva8v2iPXDxWEL6W6BPV1eYmJQXRCxWLIIsP5guC8GJBzUF3OOiR9SHM+kUpw+qglCmkuwYxcYE13eXAvOhWl462BSh2gVYNRKjTPoIcbhKF0tmtzuDlcH75cH+2S4db+aGd/69V/Dof7w+GjV4VtXJe5LEw2WWBJo1frwz1Y0mh/e7i/ufMJS8ImVZfXbH5J86ml9dkiuYufQocHfvzggvAp61gfATtqXbPuYXt3/ji5EC0qrdTNMiv6w/i4IF9sO8/tA6n7qV4WCQjGSIEg/KBvnceNv+PpIEFwbcqdzdGnYoJ9LKWoc94+xVY9dkOEDcwYOLFb2xeCLBdY1e7OztZLj/V2OZlPWOVnWuOQAGptcWcRRbunS5qijc5NV43fHLpywovCrJniNL/EJNMlEagrQohT1fmsuqqptV/aQaWAkCaZzqNSXpO4XCbscTmjLmF00OxujS5BH4gvwaTKoXOOyOrwljB03VW1g92dnZ9+/PHV4cuj4x9/Gr7aG746Gm0eHh48jiuE0MGlc7qTZnuXRkByiF+MuMGvrK4bi/fRtY8ERPQECt9wQX6W5DUVU3IIscok52NF1Rx7HXj/6JSbWTUG1+hU5lRMN6ZyY5zL8cZUjpLR9oZW6QYGO29YxMA/yVT+x+utrZfrr7d2tjr4x5CI9cfyYWesfx0LVQcT1YPRXpWeUcWyZJrLMc2DNifYwlccrUV+DQv0Mw1QD/y3YIF2YvedqweLX91hgp5f/LVWUQfk9V/PqSA/WeOS61RGJurAmikJGKRPu+/fjPXZWPknLeVrm593HdTGFn72yr4BW7O10Met5Xu2G90t7nLVor/XV8V2UqendKhu637IQ2Qow8Pm8j5/dh/vSfv8mcm4WV9KlZpjyVBMYqJ1oBeEFltYozYoIXeimdsLSveUyfBKnB0V+htj4WcscMHSGSiIdfUyC9nJmdf2pHL3xWpdV2WZ85ALsVAPP27my8onOvSMsHuDKYVRjDaLjGGuNBNLy286beQ1ucm6DWWlMjNygG20WgCCVL/kWvb0vX0alDnF4eT8bX+728ODXpCWtYMOnN5NPKSCtrIZPFU/AMqUyctSxlEqMUOTYsoN9G8TGcmpgQ/dG5n/S1ZyKVb2yfrLrWR3tL23NRyQlZyalX2yvZPsDHdejfbI/zZvw5aoM62+t0fQp4i3wnhoQM3A57dgUQU5IVNFRZVTFacqmhmbW5bDkNlEd82HceuD6JKdK1eYGSrrYF8XMsmlVM6kHASrsFuNDsHLSTmbayzACdrcANgDCpJmJlBUIRG8DFxYu1QWwP0i9ta98R5LbaRYz9LGvig2tQJliSfrHcxw38Fa/9thH0xLOloOnt6T9beKjVn6Q19eg5df4Yu7JdjFjLlkhagxZE/5InhG18narWSYuIzR4h2OG33+n/yoNVrThAwnExYM1cAK5oqIxaVaG7UVBXl9dHBmJegBVnyts6UQ/rhfy12NKJ7aD9TTdRYXheXvXX77RsjK/1L8LcY5AJT80NOYxNHnL/7zA41LZ9hjBMizpsi6xhj8HnwwoY8lV+0wNKjPE/wwyrsY7PvM9xp6c7QzgISVNaDzUjHHrRNykGUejEkocYGhdG6I8RxqUauUah9E3AQOmTH1viFXPR9qAmpWUkWNVJ7jUt2opvNCC3qN5VIGBOsezujW5c5oc+0RqtyXTi368llFXyeh6EvmEoXzJHWjE/Av/vO9dWqgKEy7To0rHA0hd5XBpg3aUBEVyzs+PId3k7/4Q3Bnse1uXReYFMr3upuy2O6JqvhKhQbNQ61nYa0uNqgZkT+jKrulig3IDVemojkpaDrjAuJ8ZHqNV4yGcgEKkD2K/1WNmRIMKpvIjD2qB+ydMfpPIv/ftqo3N+brBubv7V7ubn8tCYuyUE6ivfOk5sXsXTK2TqRF3TON1Vc7yOqqvkv6hhGlIqfM/Hjy9rwhl2Gm11xUH3vGroGOZgojgtz3xcl78nPfnl68PX8bMPOAU2TKZPINGdIAzrduTCOQ35xBHYP1jRjVFqRv3rC2QD4b19+mcW335ls0sCO4vqaR3dS6lgTJ6i9u7FgiNfqS1t3TQ0XcW1+a+cpDdgWGjT2/iplKCe2tQpDHTh16wGB9mvU4axX1gLhOzIEOePSNmmh+S+eaVPDKAEpDusrSwelQMCq4mEKhc9fll4kbriQkdsc9PULHAYzrURjp4tpLXY0ZNcCIrtpYKB/AQnig2RYT1le2Q8ODzUXTJSD3F7eZd826LBo9vZc+4RbEBdkDZUZUGVHje8E/+sLxjlFCC6vfK5pDMncYM9LlwDygyHLdtUod/VJpphJX9d0a1SRjKc+gkZNVR4GUauYu7fOtzZc6mdCC58u6/n17TnB88sJf0iiWQZnejI05FQMyUYyNdTYgt6gOdxNP8MkO3FX+hCVsv1oiUMfcwV1vZmWH7FBMYLxD5aWpxfcb+S96w9rYinrXLGGX22vA2QLYYG4reusK93cg3062k+H6aLS5DjY5T9vQP60C9a3tdVwxwaHsrs397zZmvLfzS+2sn8+dZ6v3ST0g1bgSprrvDFN1yztneLnJ1R3gF6XH0TAZbSejBrRLK7Pumrm2xIq14A9zWWXBGPd+grqZltNqMOULGvZemc2kYBmviitomnBTtLqmNTwBwSc0AM9w7ZrwydLxFXyth4QR+/SRVpXxcsEyKHcFtJ5jU/RakwtFpNHN3ty2rc2d5vRWPn6tCxfIX1zmfQusDvLzlrQ4a1o2EwCTLgBWDD9xxN1X4892wasa1DIvhieE3lCe03FPUZCDfMyUIcdcaMNazA1wg7dB3++NX7TIb/ryL4LzS98DtoBYZrENhyngO3ADB20WFIZeNXj5BGwKZFCCUCHFvOB/RAYIojB8fB8abV3BKnh2ZSkFP3jrG+2fVIoJ7lW7wLXIXL/hMKwv/dVDVEsxzbuk5HYLpuwC8XTW5FfjaOczqXzJCSgVXnv+60U3il+N2+3H4Tkl86Xlxoc6/ECQMJP3VkIBtGazsxbAq/9cueZjKuglzQouVgZkRbFSKqv2XdoBH6xgH3xcxjQiSX65uDiDz3ffLP7k7+dDcKN9KfRegjbe6KaqVO7bzGiGPeZMREt2O1TuV+raUy4eU+JfGMtsnsTlAR/ZgS5+tUlGcX2PFpgEZm3vy97ey7tBdJXsvgON4cJ5cXDj78XILyzPJbmVKs/6MbOEfbuQWHT8nt17YYEF7jxj1JoZXdtttL3Vv5kFMzO5LMG/2kApThXJpDPFJfTJOz48J6NkNxm64pl5Lm+tzTeteAaFGW5p6L6S7dcDrMDe1Z2fSFFp6IUf9X00MsS2YL+e3yum5tZkXGn4deWkBgNde2F2uPkoFXONglhKK8cUQk9O3yS8UTAT1uvr6ftOlyCsCwot2w2DNrcJIW8bA/my4QUVWaN5KhcA5GYyTIadC5Kfjy8G5Oztuf33vf1Hnl/07jn0oVVLC25/54avuyPFZNAhTZ80Ns7ltNEfqQW7LqXQ7IszSJx2UQ4ZA/n9ssj7cHI3j/S4+dJM0kH7aVzSAY39KnquFz+/M2wTp66rR+8t4/awGSWzXNcbwHWXL3MErrW6NrRhakJdHpBTvk4aX94fyhsGiMN5fYq3YqlUGeFiqpjGMEmGfzbnJQ1jBSqVoR6Jty1U+PaZqt2qlChZQQ3UXNKMjGlu2b5aC6MGVxv7GIo6h7FmVGS5lVY09CpLpRCBtZ+411FCuDGp7zAYhqlRgMD5sTQTWirXYLmkgtgVrWFp/xiOxOGnBxU9AW+LK6Y053RZZkMgEZwFr5bqHaudAoOesAG/e7Vw9M13XUofOEQtKjnUsRgQWRn3hyJZ8QfYUinYuB4MQYs+Z7J78X4j5AtEUdf4OjlqI6tB3jW2zk/fnHXOCSEnRz3cb+G6HUv0wJzEe8HupohuNWozewD+OpFnGvOp1+7jPdGnR53A0NDq1rfuKlg6o4LrgkT9vKAsqYU+SpFj9tc6GNUyunq3HgxI7UznxvW8Ejv9+CaJYf7I+m46DbFrcpgIe0j7MeE+Om6u/JerxkL8W3VR+J5u3K0VCmlgESyLx/9L6LQ5rgxR1F1d+I6cfwFfFRfuTsOqwIi+R4S8Qs3Kp6082aqi2a7NbREL9Qwb3UgLBqHCrevhcDDvK969UNHu+ojHDbdvqRarqwZaCWKoMg3wDUgmsQu3o757W5pu3FC1kcvpxqQSUOJUJ/5ALcA54rK9T3oHFwwou6oQIee3od2D1uGm2dMIMeXMTO0Q5IZSoE1XVskMrclNq4IOSGPhuiZNJatbscMgeJ0H5yNqfw67ggdobt+uL/t85/OyMvGpCmfacp/QmR3aO6Di0OoLvxYt+xy6DuNOIuu5uqVKXA3IFVPK/ofDP7XuQPOefunQmLC5rfZEqyXs60UzVtFN5CQ6tMrCbhWoa9WtFStgNvHBikdJc6p9hA0X3HDvKwgzgI7g29OStNJGFv0hG1JNfflMLPycjKU02ihaJj/6vxrIQqcBlCZPcr5Q23YrwGsEdzBkR/HFdeJCqs6j70NQHNlB+Aku3vkvYhdD68i0Vru9eedSlhkh2yaDp1pd+L5uAGcaHbQsWwxphb4hYMzcMXYL7mhSg+/Vk/W/YscFthBEUs8ZC6ST/Ive0F6kVyJdYpmMDsrddK6T3kxmHSw/QDvcl7xoLoQuRR54VtDw0lnYCqYhoBIus3wwqo/ki58I24j19oguc24wx8iQqmw0aS+pMnGg8wlGEyroAIPawJUb1t8hIPLiuEPssg4FqDIYsdlKncXADWI6bSzDL3bQWVDiAh3DmFAln+ZWJ5hjR3rsSZM6A4pixQWMS2EilaCtSEUEuwWeY5XzQt6wJslD/8yqbIN8Z/t87CuXsY8sg13JZHrpQmitiMq4puOcZURLi/mUgsgcM3DkxiGXYx9/Ba5gx7wVM4qzUHHi6hLZRM+JO2clGb0iw739zd390RAD2yFg5c2c1CpOp0RcSKUDubvAacTu53edOSe+Q7PKWDkZ+F6kQalDdaDgJmZyN5y6YRJyljOqGdGMkXc/HWqys725bbdwa7S7nfTAn0xoynNu5skyfF2r0QpdxTbiJ+zoa+3QjbC+gzSVCjVnGa3K0o5d1iCuD1f7PqjwYpSMmbllTJBhGNK+u7nVJYrNrXtxtESZF2HKqp7rY2pNvIWR1VoHEPPLvrWUiku1WPGox211a5v9PF2C/sQtZvWQXJM98pcaOf8ZtN+kyXNCAUL7vkK+Hvq3Q6yFY8WOegKhwMyjV6OeLgdbO31oDQA8/hg9eGKC1r/wiWnYgk5RgsKS0IIkYhix+VNnqrcnrjkNYKntTT05Ol8bxJaONVU6wLuTOZUW8c7Q9z9eJfeCbg0nEBvecLLAasNFaiL7zBpQVgrIEi2ZvIY7lSU6k1rGUi8onS3v5Qlhw5etB39tYggTNnMTFiICcKDfQQGRofwVNz+Cotvt3tm9wQ2KLvrYmXgaffVAeQjv4G/mtONNQ1FUwqlh6FKSN9D316qMtE6gJ6iM4ThxTrpu+OncE5+UAe9H9wExbliqtUx5/aLVXW/q4OGFLhZqy31Zx+UALZgpv2EC65bFszrfTqmkkanMnfvAG/1qzI2iikeEg804rRTGi20x1agbF9DTh6kbnjI9AEWU5lrCZHM0AOqH9fW8jNw8PP19YCUXG0t5PSDm1upyygFzG/fXtBaH5qZy2nndBfqGiSwU9iDYZwVgqYuuWSmUhSJrWHwt2MwbGdOGnJxh4xU9gCsmPSDRmLdcsVClLpKpnxF+ARVjMZs9rcK1TRhb4wUaWTnx1zqWOR0fnvd0GqK8aJBWzxVzx6p8zPXyKt4v470y9hpjSuGOjKU9NxBpa7elyWevEMF4530FSsSVRba1l7kU4XvFyLWQt2JArvxhdT+hqsLrndBV0SORdvcaCHAcxMwvl3YXFTWG845+AdnLfnHk5Awvax01UU1uWZ47JhfW449fnQ7c5H9RLW9ipMzX6VRIbazkM1RkVAGN+e67YdhJ3uxv3t/ILSpUbAkk59OZ2QjIW+fZuhUyPUrf/uztf+rT7V/+883PO2/+sbE3O1H/ffZ7uv3b3/4Y/rWxFYE0luDlWDnyg3vp79m1UXQy4WnyQbzzZZ1ZRmqrev+DIB8Ccj6QvxAuxrIS2QdByF+IrEz0ibv+Z/jJUlD9qRJAuB/EB/HrjIl4zIKWpT2zIBi0v3WwwssZM4UU3EgFLS/wcn3QdwcRjxk4FxS90AQKAtjF33B2myAMd0zsUSMVKZniBTNMISANoBeDqQakAYH9L6g8brJ45DBpstL1jAG2G3QzkeqWqoxll5+T3Vs3jMKroshRGv3k/GSlkh+7AT2jV5vJKBklTc8vp4Iut0bqycHpATnz3OEULbcXD3bJ9vxkHYHrfoH9stdqJfPc8RGQV7krOevf0o7/0JxPheNgoPGcMvNTLm+Bw2n4y8UQh3FzOfWXDD5esG9N3YYETUSLxbop3+1VcjppAiPF9840yxzLzbANpuWkXv7c5FS4h2Pvni8BgR5JGBIag//99cEpktjv61ys/45fGIrX1VwTV/8sIQe5VQiiRAUEyN9xEjtxwtEVCH+721CAPoKqdbFsxUetrlhANBOZu4W3vBC3Lbhs94abyeh3wkRKS13lTqmySmIr9KZl4fzG2PWA/MoV0zOqrpO1gPKHokLsAhK3uiWdGUB6NzakESfUOd8Lh31EK1iikfvWWWy4mLuiQO5cziNjdZadTIS2x3hOJGSySgU05pRbXZdg8ceuvZyfIXT6Vz7hDbBLml4z8wgdt0+fdYN8kkbr3u3RaetferRa/2Nt/jj9tl+v3WwGPHqmvARVavX1S88oa5UUOQ/7mIDCOCA5MOx/0dQaaiG2JhiQ355hFBJiQpiwh3oZKDx3Z9VvdqQjoFEMWZbUF5G0S/wvnCc+hsTrsjWGczq3sr/KygExaTkgvLzZXedpUQ4IM2my9u1h3qQtxC8p99xFl749PyFvZMZy1FFv4xxxT9avLRYTi7ttxGDkhCg1Swek5AUg9NtDpwW6gc8/sxz9HiRouMN3o8DTzgn6Nv7uvqKeUchqu7InOHdp7nnJILQOxmo6Hd9hxsDhVbcFMyw1Az8+hvNgbOSDI643FXlnRVo5VzCjeKqbDQ9CPYYQJ+RreeKgkEIE2bpuqRBmEoogQLbttFL1vkuiKrE4AoiWE2OnS3z9qHZtUe+U1wNyy8Zg5nGmB9auVxVU0wipSBulgvXCuL7OkdeHa9v4B3+CrYLsho1BimaES+xcarAAOkNbrB6cvXGoCW23LmL6jNzWFPOi7vBaO7nhQ8b5hFARGocB1nGdOtCF9pGySBu6Vv7vwTeswo2KwTCKpwl54wJLfq9YhQOT44vXUJoWWtbp4OEqlUyZ1pGLIgwTiigrBnccUQ9Gjw/tssAe4WpncWbApxmR/kwnLvViJtFoq7MMwLkdhdKjwW7RAHUYAtu33A83/g8pmkntRhKMzeOTuc/x8J4sQs4xY4KqouE7quWJ8263DbhW7oS//cAUCmuZ35FC4QK4DJtKxf9gAZJF2TwuIAkoSZ5TKR5tnnVw+N3nVnRW/OdMtugs6M+ssMVL+JPrbZ1FWSa8LAeIY8PA5+Uk3CoEj9w9qyNGhgMV82BIO6nvmKhiECLnhIUf2XUaOHEXFwNy7C4tajF09Oa3Afnl3YC8ZlP7hLUj2xg9w66uOMzizfmeS2Y/l8x+PEi9G/pcMvu5ZPZzyezvr2R2u2J2U6jXFy5PaLj5/PnlW25+pj+v6eZGe7bdyOekwXeQ+N0bb90l/9mtN7+iP7P51ljDd2O/+VV9QQOOi1QWcUjFpxlwdWEAiqM2jbfEs6uO8QZGWxj1AePt6M1vC6Py0yKs6giqutxQvyBfTiuFNweHdwPQmH+ZqvhhnRzdRULYrDqIEx4Eb7yLTo7Ds8ObjWDsGcvLSZXHJa5rcTepY3rCtUO4CqCY1MjyuqIQZlrGzdGbEQ5CxvnekKDIWMYyp+VjxiXClbOJIawozbwnRPQSwunOf25sxHOzBvfDt1bA/7lZw3OzhudmDU8M/Oc0ayiVzKr0CasndrJr3Qx3SK4WiHpzOGzAp5niNF9uCLS33d1kzjJvqhZLa2oxc10p2vXuwAVPDSUQ+wDq4ETJohn9plx/rKgRcQitrkeal0wnfVVpfPC7uqrVvSsv3aFETabhPyX8ByQt/CHznEEhG/Qf2L/q8IKelL6G9VzXVYzyqZ4SqX+HgRcjuPN5QYVpeaR6z+/TtGz1mxIxxLpOR60rwbs+zqf9/QMZj/E4PqaDCcXTGRIUBHM0Cs6HNMRUFiUVXmuyaiA4TRvE2MpJjFMgdSgsaVVJSA6lSlExhcicCc8Ncy5dqOntlUSo9QDBuwIe9IpmAKNez2NKkX2FRgtNdZcszTT4eqI+pi2vrtWSr0G2QUydg5h6gHQvILzS04+vENBPprIlARcvs/mntAqeTYIWju42Cf7E9sD3wiGe2Bj4E1sC37wZEKe5+FJcjnufRV/dy7RrmX83zwYZrw3Nsb4UxtH6WT18J6ausAXno90WB4fyrw3CbRYSWMQ4NP8jHhVqBIShHSA4pgtprcfCNioqXG0/ooDznb3+n2zH3Z48us3/uOJ5drlcalw9cMmNvbtmTz1AUW/TxGU2OrIIfCZQRfgmqqQbMjxTWRTckPNfDjAUQWA8OYOEZz9ET/7+ZHvyku29yrLd0Xj4am9vPNpkbDgcjl/tvdrd3dt9+XI0TLMfHmB5If9/xtJrXS2LNx264TvI8isEvfOGqVBMrpvkujfe2nyV0Vd7r7bY1vbw1av0ZbZHs510/Cp9td20taPJl7Sio2YICWRDN7lAgPxtyUQom6PkVNECjOCcimll126kIykNV7EbiuWcjnO2wSYTnvI6eJzUoftN+wDRealT2bbtn/DyMIOtEVMyk7fxgqGsXNhRF0lXaabWIW5lQKa5HNO8gxf8um8hbBF7J6Omv/eEZXyQz9sLXxNzOU+Z0Eu76niNw7vK1Zja3cacP+zN3muEEh36eDmcQmCSGzE22ZQsyPnZ0X8TP91rrg2We6mZkdSaj3NWJ8TrMvsIyfBuSL2x1uUzByVNZywMvJkMl6jp9YqIaIqacmRTsVpeke4zamZR4Ry/b7xDUHHB60qrDSD9jUOW51RtTOXGKBltJq/aLWqgQla6LBT+IgsLMvoswmTk/bvX4brLazDQsoLrWiXhdSXRu4sEhqoo0vIyS0yLyhur2Cyw6kcVEPQU0+jq0pUjm5tbD3X5fcL6a84h2tUF4LrShSd5fTMmMSwEPy/ZwJe3NzPafKSggtZFnonLPvY5XftElcWAZOX1dEDGit0OiLBfTFkxIKKCr/9FVffMq7JYdBuXq4n5DW3OEreU2Uxexcp/U+8/Jr9A355P0fx/ReOInEllLOmT448srfDPF2fHa6Hc6jelVh+evW9MQwxVU2aCUw/qR3fU7N3thbXEhlN1KeFJ0NIMp2m4vbHvgG/pRqiBp3jOoKVA1wCHAmtyYsihVKVUzczPB5a5fO0xLDXrqpGPXOkZjcO1H1iZHXvJ5lNYWss+euSydpOt5NXucJiMXm6PdhZdHy/KZXbbrSuYgRFTQKEyLEF2duyqux8IDwVZX4cuJPAYieAi9hcXEeLzjydcTJkqFReGjLmgijNsAULoxDAFPa0sutAWDd3aU5mx9bhHBnHFObzZqrFot0zTSimrnaMSivn+6QxuNKDImVE0mL0APdb+erAi2u3tbTLhirE5NuEb53K6YWaKUbOuGHY42NgcjrY3hqMNo2h6zcV0vaC51TvWETnrdkIupsnMFHlXIA3T3b3hVrrNXm1ujuwfWUp3Xu1uUZpt7WbZZFHq8JXOL+EYLDvQ0iLyczjY+dnByelFcvzfx4uub7k34GFRfdfgj1zcSuDPHz4eHHtpC3+3L1tW7l99tPbUh3N7BSD66v6LxoU8f36K/mtCe5zDVWHdgdslaTcbzUH9Uz8c4dlGRIpRq51QhR9ulK789CV04p4YJog2dK59uzmcinCjWT4hVITdtasqObIZ+yDa3b4sHVxPILh1Sshi+sx0WfHtq6E9tEcSVVMoCKIHdtHQ6RnxaBdEx1rmlWG+mVLNCmeMsKC4RazsDbZYxXtcxEyppNWaII+AQzf8aM86PMl9XEdjb8zFhg7sfZ2s5+HPSgcFfZ2Mhon9v9FuB5GXkDP2OIuo5WpgYmqCbPLEYseGm+t5fzeFWgr5cElfjMWVPbQosJ/GVXrNDKGC5nPNNZGCzORtGLKw+lrYJHJrDebADaDzNVXxGSJvQIyEF1zP26jXBHf+JtQgdKVLnnJZ6brTdkdOPEKPzdil5lNBwfHMPnL9YGmssZQ5o6IP9z/iT3H7Fj6Bjo1uhricXRvoVaMq9kC78jshx+afSzuFDznCU6YMemx9H9KeAN6ItnwzulTNSyOnipYznmJ3KF0f53jUG5rzLM69gyZ1lTZ+PquV3DBSibrEh2t54V+tX/HZpvX4YdhbqkklwAvOenqYHb979/bd5fvTi3fvzy+Ojy7fvX178albVkHm1bIy1s5x+IZwhutnqEStntROaq0MkLyQ6/aes7R6bqRi2tXzqje6Z/Os+srjWOy/2x1H3aF+/a73PMuxegpUarHKMRVZs0uba9+PbhpIImtUkxnPocSwxvB04Ewsn+NtCjrYkEo7BPVZpx4o+zPR3M+zIDqKTzk2R464F17NWM1uSrnQpiFiwV6ZE9e+umkxdM8mbezFAwfvsXgqCiqyywWbpH2dAISeJpAObmzLBqQE8tI1yHIysx1f4rWeMFfcSrLWepCoaZ7X0rbd4K8jhj9dL2roQ2QdinSrlt6zSKkJCNZbYi3yuwPf2lo+at/NHElkKijeXC/TOp8JowLhug+LGOo4XLUWZBNyCzktjYr9cNMAmeUeEIywgcPz/v3J0cCaRYUU3rohP78/OdKDWD7SqM56YY+fXWo+DyXPsVR1KDIFt87dVR9KoY2qUoOdqtFoyOduuBhzkKRjSVgKUirLBFO40yy44dNYyJ6dHBHFKs0apd3rWuy+itsEuv/g8qCPhbUhB4RaUaXbMZXEpwdb7Eltephtuplu7+xkryavXm293Fn4Trw+Q98sL1k8mOmgZSPFtN6wke45zy3scPMJ7e27Qb52IFRRmrZLXRIBS/kza4hEBdV6q6dG3bvGVt12Qi1El9eT+fOOXVCwVHPsRLD/Ay7ccys6cl3/FyAiexSTIttZEiN7c7SDU3Qn1TM6WtKs578cjO6ZdnNnd3kTb+7s3jP1zmhzeVPvjDZ7pv5Ooh1XvUDBONWGhgBdm0nqInYwhMVZGIpoXvC87x6xzTFKquyxffYbfabfaBFPcI3qZ8/Sl/QsOcT/eR1M/Qt49jN9+36mO3bu+3E39S/w2eu0LK9TP76fnU8PoevZB/Vd+KDcfj67op5dUV/dFeVp8dv3SC3H6fQYFD27pRbH1hf1Tj0SrC/nv3o8YF/Qw/V44L6gD2xx4L5pL9kXcoQtjq2SJd9BuHi9mH+TwPF6wd9vCHm9xu89mLxe6XNY+XNY+SJ08t0HmIeV/juGmnfxMF3IK/CoJMaT2ph164Uo7OhOi+mGGTVmdnxrvD5WJSvb0N/XDnaB9MsQz94tF7O5vflY4DrQPUWCqB3aY26VlP2gjh4JKphjC8B6Z8L6jGG1jnhbnfOte5uzORztrg931je3LoZ7+8Od/a3tZG9n67fH+imBl2aLVeh+FJYvYGBycvQUZOCgXCIrdeD2VmfC2dcXrhvugebmz+KhCcYOwNzyXVhahO8H6L5D6yeUSaY6UCtmHh9SgSVqxoxkfAL55mY/DBkVYyaUjJW81VCp0gAL5sYB4f1E0HmSThkBFUOYHFpii8hRv+h+VKWF/HF03rR7WSpF1uS7oR9nVXbrEm1tPlbLvJXKajCX2EZbqie0lZZJP5ZMHOgkgN4OFWijZ2MmC7ZBc56yhbH0fRjE/z6W8HdtAv8b2L7PRi95NnrvJ5Dv3tr9tzdzv0X7NgD35a3XMPXXtk1DFaVvyPIMGuVXtCtbMHwLVmMA6Zu2CT8hTPzPZzB6/Hw9c9BD8Ocx9hYnjCewBOu6eFOujcOKK+bxLv7u7moeP2E1Dqy+Acqgr+TlB/Al16XQi9fugkpfUE9uWerwW6dMYdU6cqu4MczVChlTzXa3CROpzKAMcticn6QKC1TdBdbVgM+Z+bvVQY8/QijeOzb9W8XU3H03aIafQj0QXSKNyzqSDDoDY3TZVV5e2u+ukhB/LX0zu3FlvN5SjzlmxqveN0zRMc+5mQMsdWxMHalpT/67458vfzw5PXj3D1w5y7wa3VFqf/vbj9XB4fDg73/78eLg4OAAPuP//rqosgNbjNLnoUj9T+t6hgGqWJnUbi/Uu4b5XF+TelvPAiKoJpZHQlpL35uwL26PPAEkQBYaOqiGId3zgUhgSvLCIvn8twEg+/i/zw5Ojy7Pf1tDeoijlgIM3NSWlxTMV+bGKdnvFRMptpZzEwIB29HfvH99cQJzwdh+uDwn4xrKG6qg8i3JIecEhxUVtP+GtdYUbcc8+vXtuyMk6OOfL/9mPzVAj6gvIq6QAJCxlBc0J4q53Ak0CF+wZEquVkYrVz0xVqv/XDnc/6AM/aBYdmlM+WHMxYdiTssyYR/Zyv8s7JwEgltSM55zQ0VGVdbcbxSojov4iGndXiGSxKKrmPGbZSzgYDxW7AZ7s4BV5F1wdr6OGPnlv16/WRTgazZfAry/8Bu2jkWUbly4o5zYkboy7/ztTxe/Hrw7/lBbbJ6Fn158OETd5e/o8/lwUliF5iceKlBaAsW2ofrDLRcWUEt3C5t0nVK5T7J8iCC3Y8cB4narBnY4OKHAu/s27sNnIyQc8x7EfDhi42paV0l9uKRpBOdToug0su1hDi/ju31IF4K4VpaAqzV1pfqrewufhWQ9zYwV4QWjwoAHjaZWQFPDSMlvJAZeK1mJjFBScpbapXj4oAqq+wCx/PCAxk6tdTqXc9JpqyRDIoyYkzKn9klsnnR8eO5CaMlFDIIbGt1f0D0MeUExwOZLtXSSE0gygClQV3CykatIqantS1w8F+TKYTG5Cis5sAwyVcyEgHmLobiDq/f/ee8j1PieSW0GoUnXwEff1xRhXLTwgKQ5Z8IMiH8U+qdjA93E9zPLLnmZkJMJdqAqS+byKE7OPN82soael1cDLECHlYKFQxpgjLq+qSdnxCh+w2mezwdESFJQUM3ieuHcwGQUvJzjeZ26GU21P3q1mQyTzWS0c/WIsnFL9Ckf5DnKCKpnTCMZSGERojxhOc0K81c8+UOj1pqLVBrNS8gurfHnRg2F/rggmpvKeYaxRvhcVqvKkoKuFIOkitrecoARmk+l4mZWWHp6gblfTLGJhDcsQVmWCUIvALC2cGwH5B0sEb92fDuTrv3m9qsoCaMf8cftLrzR8ygyGPnpb0enekAyWVCOPbnsGZPqWpu6TZeGNvTQ976u7v3ohs29OOlv2mxX7fj2yVnv4preBb207o6eviGfCTfhLmgeFhuV2wwvM/znewSGfcbXuwzdkaMcPnD0uKwZTOYR87p5Y2iQSKfWDrIAuAxGn1ZEaM6UiShLSKy4DQurDSRf4dxOEaU4udHwOsar+2gZRYA7Ytv3rNYDlRVcwzWb1YuVzEP7JD3wj1rAgNhPjs43Ts7O6x9CH+kBuWVjP2SJKZ7YvDA8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjLw4Pnq35toihdQqZtLH1OmszKzdnPLpGr5Dd4q4WSAcz1KzKpNiHhq+IBBwcuEvyzAlSRWjJuqYE/bKU1agDGDWDfruVFQ4N1Stv64X8HC1MGwyv6y7+IO6iz3SAGp9bihcosvTc70pUfB4JASsWOFTk4fP9+tFBjkwhhWltZpOItXrNaPXC5ulS7+2vwDTu3NjDxvvNtzjoX+RP+YyvSaK/V4xbUDFK6txzlNydHqOWXq/XFycnZMNcvH6HJJHZSpzvbCsWFaq5wGu8eQIGRXXPoPxlpuZq+ILLXyQdyKjjJTJ2vHiGWQv4TyKYEbDhcMdl9srJ7aP8jva5tzNGwJqMG/O2jI0Y/e0LnGNbXxDmwWWv9TbJNa4+4V1gg/PZ8Evdi5evz38r8uj0/NLewguL16fL7q2ZXeiWX3X6D5jpLWi7q/5Ee912N1eeRB+tWi0w1sVHaWq84xif+bVVU0ymVZ17nRzNrCz7MlcXa3pSUhTU9HAWgVpdGlFSc7FNawHgzl8uz+4h0IUjL2xUYs51xQG1J2ui9FHgzCR3PJrXrKMU2jUZD9tfNL2Wl2LLSuM4bRFuZqZASllztP5AHUT1AnwhttLXWs/wcl+lPTHpNuC1W3NY8+a83penjmWf/kT6lmL4qmqvhHeDw4ZqUJsRMARiARdywS0hiJhwJleSBw0GWZXLIyGQ/z/i+JuucFwF1FD3Q2i2A3XbdVhzOyqgXbA3eHqSXWXljywphBdARiOjaTz+pt7zKQD95zdZN/Knmp3RQMeKPubIDSYD6kUwm3PJKjqaPQQxaZUgT9VMzBQ9CB6Hvd/zPHGFfnpJJe3cNGmstpm+kkqcnF45kYdIL0FMBG2lPGbOi6HC244zcn5P06h4xQzL/Sa+9ENagesYcHbGqTFoHS1Z3IMMp938PFDzQU8XiD8jrrBwbXoLCFCU1NhDQjXRtMwVZCVMN6K5R8g1aJhPRSiBbhOgL7cz85OdMyb+c6qtbBwI7petdSVpdCtKeJ1OB/IeWMCtKBhFW7EqFINmKH/qgQSBdxYobvQvd03WI1aIU1nyAmwYLuNGOPYNqoPcfgNv4TmpRj6vWiWEc0KKgxP8f7oI8hYKgj7iAGQgwZT59g/f1Ll9rEbbpfL/2D1lbJdKFPQcqN2pnmHpwpzTKzp7McUyEK9IEGPp7ur1IbnOWHof8MqNth401rVkfcVEDbhUatJWpZKlopTw/L5Y8xrdAcvS3ECqkfR5zYm+J9hDYHBFGM+rWSl8zlSM7wTuDxctOqQwZ5zDb2MT84GhHqHG/iIK8E/Ei0tnSSE/KPGLM1v6Vyjx70psumth8nT/VXivrhClDV1NGG1qPpuOat8JSzwZSe8vLKgXCUI1tWAZKxk4LYn0ukMRIrIlWjFaSvGh+pEVFZJWGBf7grzcYV5cBxCc+ikXLdRoZWRQhay0r53P+C9/joA6NuH40AvDs5P1zqlcCBEmaaz2teEqMQYUdYjoXdGu6/aa44dMd92yYXFA4veRmvqD7j7Wcppzsjr14cNfPTE6ywSIxq/1qzCCJE5UL4FuvRE/N6RBLLo7lbtNbtYI2E/ANknXfsjNDh+0y09ZTJJuZkvqxDgITfz/t15I4VRrNXoF8CRwnDBxNKKE542ihK6yTrwnUplZuQAYkxoD5CVMGp+ybXsKSv0NKjDKcjJ+VvIQfj/2Pv258ZtpMHf769AKVU39p5ES/J77su35ZHsjb+d1449yXe72ZIhEpIQUwBDgNYoV/e/X6HxIPiQLXnMscfxVCplSSTQ3Wg0utGvCoSDk5VgNbWaBqTaBR1ghqMqpWyj+TvAmRI+AuO8bt63nE2pzCJ9XsdYwodqKPL/Ra2Ys9Zr1DncDQ56e0e73TZqxVi2XqO9/WC/u3/cO0L/71UFyAYvcV59FiTt2PO4dMGJXR/+NsL6ykFrYXyCpilmWYxTv/yonJElCqH6mlI7C8XQzLkpi5dGNNUaVUiYdi1AEkHMdQDVmKR54Sqr2uYnlAYvRslsKaj6Q18stlFot7UfnvaeS0Un9aDWwEFhVQffHA7IKeEW2+rtxpgLyVknCitrk5Ip5azJnfYJZrhto3X+MVgFV0NbzcBUu9P+kZExKRKq7MiswFDvxMzjFlzrZ31WbJ1/vNlT+tb5x5uD7eKZMcdhAwi/OxnUw1Iuqy6Dr/DavrpUtqOxpiC9xNf+x1gx7fuTS2dUm1Jr1Khb+UbkKEnpDZYEDd/9c9tTZIsbAEy0mOMIjXGMWQhb0PP68RSlPFM7s6SpKjwTvlYax0bpEj4BIGnu6ZJAm6UbqGqVLtFE3k8xK+X1VJbhK3OKDNlXsbgOziQpiUZ1KuEDdiGHwMnpjAjpTWpppOduAyJJQiIHcja2mqRb8rM8JaPtBR3DcMaMnPAUtSacB+a5IOTzFqICtfwvygW8tXPUhFJFRJdVhCJrJKRCGUqmbSaYrjG9NklL2vEnssmEfnEjwjNbMymT1zs7+hH9hDKQtgN0qYOZJNdW/xc6d7fM4yUSdJ7ESyTxdb6u2tSNsZBILjiK8ZjEQlvVjEsIUtFlRBX2l2+HwsUpt0IeZNet6kHoUaPAFZInI+CAb8AUZDIhUD5azWo0ErOMW+Ty7XC7rV0d14wvmL3jKoCFDO3b9hoRaJTgnPO9cJ6gyj/led2wXvKPIhEw0PfNOMA0q3gmX4n1uAe+L/BNJkgaNMsyvkGV5/i4kCTPN4P4ZJXUwAy9HZ58VMfBicZ46IbyeeVVFTsyxzRuCDmlvSOYwGon1biuYJLF8QNnOj/avYpC+JVACiWYDuyDWxzm8ZikEp1SJiQxLFagDVyTPhoDak9Z4xyokWzMS7i6FrjxBBpHIVwo7tgItRpG1XA2aO36K6EnqwLRZPkIQymQOxBWK7nXdtsPKdCxz1pAMYQZZ8s5/cOLOtMkdB8/6z4idIKuAAtot52aDwq7K9clPORsoteqHMbAoAFO7odBtj5FHVPdmcn+MKxkVgumrALxcObto0m0i5lSuJkpxxvzKWVVpD2RhkGkVUmR8rixRE/XoQoYEmayF0KQiW/grffKv/pX65qOMcMjHM0pa7VRKyXKaqFsOlID3pl+5vu2bfklz7ltv7q9Xb59u+Iqlf5vOtwTDLI8givCEhsIF1igkMcxCaHagPm20FTfNdSfUBbpTeW2eMynwuxtV6nfzg35RjpaYANPHklmZE5SHDfY7OHUzlHZmFQ48LfoBHIrdduo7Uqvowi2CRje2ukqbEOClED1BqG7PVyZAUGERZwIpXdWVckjvDfZ73YnBWI0IpNqel24CA7GdIyDhliHYuXcRAWUP0mp8AQ3n+gsIsYjYi48CyjnPkZXggAYBhTwiFSbSLlk5EqjCh8Yk/I8x9dEICpRwoWgY12HwPFnblIoPlUMOScypaHmWcicLXFtMRdHbRhlRdEwi3EK8LohyZxK25ilHAP3nkvj+KY6aYgR0yeNkPwFofdlAQyIbOcFsucRp56LXceua1UES3Sl3jPnojom4aOiPiiKuKatTrR7SPbJeEK6mByEe8eH/WhMjifd3uEe7h3sHo7HR/29w8lBgR8bun0taJSW2XRkgiedgFqlQENW8yI0czA7E+Q7ZFwZfsFxzBd6+SMqZErHmR/7bsYwSQxpBmkdtsGITusp6jj69sXGiwiJIfMarvXyHcKcm8AD/1x/G2IBGJwq65SGJtWpsIusugMFrozSo+/TMiGdcx15xv0bgqWoG0SbyOZYgi4tiSsP4R5VC3mVK2Y6PW+iNgaQ2+9xU3Oh4uPRMdutyEQ8Io26gCw3YccSMGVJznicIBdcyyLHSmoE+7KVilbtV7/BNvVCYv3SKZAvDWEIOp+s7S2CRd2JxdyDM7adedyg5jhxkNncQTvaerxUEskeCFWOKgGgntVr7sVHFhnV8GCgQFDT2xy8wk7mRLBXr3L9Egq4GX9wSBKpkXOzaYiBxFaNNECajCu/1Fyux3LY0ZRNMypmbtXyTQlbWp0XKEsKR70557hQoCLfXDAFNAxdGBH2et6JhHz4khQqck0uYCz3bKOOlgqOxgapOWY6qE6QGjXBztfpmn+9ooQWXq7ug/qidQK4Hr+Ea9GOaaiYAqi8NmZ743MCXiwVKNTGfI0+W9AT3AntKeYWE2+SU7tA5xM9CE/dGDglJejKO3SF6F1YzemqIFWv7pC6heWojQh+mBX5uVgS0y6ICyss2BbVVcllsOQo5vxamWDY5BISqVsulmwLrwqnk+5VauwG/WDPt7Mg+rBgZuXf3GJl6afujkW14Y26cxp4wnaKKmFxJC/o9I5wU99XaGJOn2RQpAnvfAmKfAmKfAmKfCJBkXpP2tJhuSB5xMhIDdJLZORLZOTDgPQSGbk+zV4iI18iI7+nyEh9VjyNyEiApeHISIPwHRGBODZhdPlW5C5YsDYq0MuwQzLFYEGx6ZOPklxJjuAr6fEEoyTX19S+YahkDc8/eqikrz++hEq+hEq+hEq+hEq+hEq+hEq+hEq+hEq+hEq+hEq+hEo+11BJ3X8NnjUuvMv8m9UuvJZpRaI2W4yFoJOljb3CUMQZSp3iMOS6ug/UENNzIYm/cMbny18NhL86JUch/O788tMpOrm8/J+Dv0ODr0mK5wTKRv/KCvGTUOSEp0DAAiT5wAYOsAixq3RLU1dTVZu858OLNnr/t7Nf2lB9dNuGZWAU8vlcyVoDcpAPDd5vQCiQOJQ0DP4CELkq437dWGVzGe3WVQgzC6zHyMfVEP3aovMEh/LX1nZQmIqEM9jPwV98MlQmBZdZPug1ZWDNgbKKwxlU6HIlOuFqUGpvsp6nDQsWhnyexFTosKkpx7GGLh/315ZX4pUp4ccn1n2sQNfN2NbxqbpV/gbHlOFDN2XeWjFLda9EW9pU30dbvipo8nrR4Xe3KC7eE/aio2aAztxUZixauDNH1mxxDfEgmAyKmrGpK5CLiLJxdOcUiSibKjNeCQt9r0JkykWijYfYAxZPpxo9WxOpJEz8HVc0QDVfN6bktBRjU33NoKlZ4ElLvP9jSr5ngiBckQ+/OkR/NaO0CyYj2iJfAld1EEuJw+tgTmVKoOqgfkXsXJ50u3vdHbTdKpNH/1JHmAa1qlaBX210zrpE8mlSkadfT6QqjbSwqqNR07U3gYfcJFB++glRyh++SrV1RynS1Z0A32RfOtH2tVvTDrQZOe1bYueyt3d8XMN68P0KCj0TA71ViMjeeEX8ZfC5u6kVObUqwdCpBH72TXWZHklGrE1In4BVLn8oQt5XVpTH8ZV7U1bQavampu4mDQYxVBn3y2AWdPAJDzNhbyPymr22QCaiUpB4AloShYZcUMQzXiJ8wyn0K+hEJJEzV9A0V6E0CF+C/e6xGTUkqdSqk24gvEGLw5Ams8Y6V1zoZnCURaDWmeq0ekrNXFGWuq9NwK9H0opIe3sxOh0Mfzodfbo4Gf1yfvnT6OT0YtTrH40Gbwaji59O+vsHt5t3Hua6OIhHu4ao8PH0Xce2MhQSs6iDY85IYdU4hPK7zgAGNri/d9wPpomO4Zxnug5qh3wJ40zQG5CAV1WURuEMU3aFBGWhuYb3O10h7bzQGWeuxGZMRdWyfnd+HgRrN15ZBUnTdwY+rb3JK7H4BernxsYMYj9Xr8W91iAPr7argKVxyhRT1SY0FbLAFjbvZubC12o6YBRWpnO/hZphMQvm0X5D6zMoCKi8TX9esvrdcB9FFAw3PkHD009uGYvx5JD+t8bOOdM5HIIKSVhoXFymcVHemr/tWa7OU5Yvir6uzBtyZklCUsh5AXqVt0j37PBgcHjWH+zvvzkbHg6PTo/eHJ3tvTl7c9YdHJ8O7rMmYoZ7j7YoFz+d9L77VTk+3T3eHR7v9naPjo6Ohv2jo/7BwaA/PO7t93t7w96wNxicvumf3HN18hPnUdanv39Qv0KOhl4Gw9evUD6qXqmH2TcHR4dnBwcHJ939vdOz3uFJ9+i0f9bvHfRPT97sDd4MusP+wf5pb3h4dLj/5vRw783Z7uCw1x+cHPeHJ2drt/IwOFIhssZUnmGeEWZ7mPIJEtn4NxI6h7+GwH4CTa72PDKluCurVCbg4P2PJh0IfeJcosFJG334/OM5m6RYyDQL4erzkuB5Gw0HPzo333Dwo42tWJ98v+Hdpk5x46eCNOY8FUDPa3JclUo94wsdD5qQVLGaYrGLi7c7uZqN0AyzSMzwddVNG+2R/XHvKDoY7++Hh73+Yf/oeLff74XHB2Pc39uUmxiXIzyRazFUlC9ukWmwJDuXdE58VRn6Ppvq7wWdQCDGIcyKmK0aqY3s70waVR0j/W6/1+mq/y673dfwX9Dtdv+5duNiD98xpJl+Q4SNZrQ2sr3jw+5DIKtL5T1wPEOpuZ/gKMRxrIQlQxfvz41MlSSOC80FdLKPbcSoTNBqHxVDPSoQ1h3BjIvJ2FRI8gD9osjsiW31cKHTTamJ9pQoyifU5CT50YImK6lC/8ViEZgEwSDkm9Jcy8rHlM8ViZxLYkeWOyXyfGk7vX74/OOw0IDogSSxyBLtThlpk7pxj6yZpl53KNjy+psZiWO+0m5ZYc339w9Gfxu8U9b87tFezdOng+Eaz78KgmDT7f5lv3sc4BjCfCW9IbDxm6LqW6p1Nst73rw6wQBtXZy83w60h05C4/4bnC4V1euUBd1hkUrdd9tnXnCTjDNpnLY6RBvCM4p9jYfvL5CPMdJ9ahc0jkKcRmJbNysuhICRqtvs1V+8zX+vJdD6UaDBbVL62jUw3mwQB1uD99DvRgEBDfM9SjoaV5C2+pdSydFPdDpDJ0JkKVYGv6nPP9jUxCjSAhKQGqeDTnPaGmxDQogoo/l57eZjNThEvuxtcllrhPzW8D6rOvjx80UbfXDa9TkLQZzDAZeH3rZ9DbyGA9x+eghOgMSkPDWqKVaw01hZ9Ha7TJx3ilmUFPmZksVXIOQn6jaMlD+VQFsfvmKjn7PwgXDG8ShjtCmFpw51HCM1o6LA53uQoMT9X0EGKO4x4ukI4juac3S5s1YXE0mRnc+dtJdtdAHRIh8rfD7AMZ3wlFF8H0wfwj4ESwlLr6DeGgbhCtuo3+13O93DTu8AdXdf9/Zf7x7/LzCQ7ovcVxuDd2JXtv5WYtY77nSPALPe673u6/7+/THTqQ2ja7Icuc79jZmAZvy6DpguD+OaVDfip4t7HSQebmGW3jS16S61U++GFJtex7F6IDQ/5dghR+eq38v95AqzVGjBqJDJfn/txpUrCEK+JJzl2X33qZVxaoZwyxmRlN5UFtM5lNZA7mB/f/fQEp9F5Es5KOJ+yAr6xzqLvwpRqAlK/3DhWN5aigSH4L4a05rAun537+g+oAuSUhyP1q5m8hVR4XoqW6cEjqvc3q09JctX57kXw6aZ5/ctcTLDLIMKC+1iBZj86nxB5YyD0RYrZUVZXu4e3Q0dznCKQ0gbLRN5f//szZvjweHw9M1Z9/ioezzs9QeDk3tJDNeRunFheF5M7PBJnbfF9iTFL9DBlM/nRNFH+Gll+mif8AxiLNDfOHqL2RQN0mUiOYrpOMXpMkAXhLggkimVs2yslJqdKY8xm+5M+c445uOdKe8Fvb0dkYY7IQywowgD/wum/Ie3u7uHnbe7+7vV7sTgo+ncU1Sby4HHMYWFs4UtGGXkxAynJAqmMR/j2OmEeReZe+L6GKbuw1i6FoenYOqWRZW9aNKlLFbYuheXP+b6bhu9/fECM3SmrFgqQu7Zwm1lAQVg+TbCBU/GzC0Q4Gswemw7d9UmLizoQyH4BIzaEr73QulPYKCa+IBmtSqvcqOa1Kg5FVbcXRuBBu2WFVGLuSXjMk6hOK52irS1+xInUMCvLj1YkDDp7x+ka1soREg8jkGwr4HpmPOYYFaH0Bv9E5rEuIAWndjoVMTIlEuqvVMLDNn1IRFiksVK8XQqFXRmp+opEwTLEGGgD6nPGWMkXnu7MfJFjmw87DddSheEOybwFcBNogB9JHphdXAL8motQPnBk/cnppqH0huszrhYLAKKGYagYyyUljonTIodGYsOYKI4X+HQ0eOu/CH4MpPz+AccJ6xjYezQSGyXAqJ0PRXPaIj5ApKzRJXrFJQ7vWBtpkuJyOaNMhwVpchpYDgzL2QkOmyhwbxWcMpcujabmQ58TzLM18C2aZhvFaXHCvNdBUlDJG4yzNdfi3utwZMO8zXgPpswX7ta33OYr78mzyPM9zFX5aHDfEur80zCfNdcoXzU7zDM1+DYaJjvxUYBvZVA3vyo8PoDf/OAXjP5b3i3scix+ohePfGDRfTuHu/t7fXw+GD/cH+P9Pvdw3GP9MZ7+4fj3YO9XrQhPR7KYysknieVAFcTzfkUIno9fB/EibsJwt88otcg22x06cXacaQlgVwjACoxRo0JgJewx8cLe/SX4M8e9lhLi+8s7LEGh6fgC/rOwh5rqPhk/EH3CnusQeix3UGNhz3egfMT8BB9k7DHGjI8U6+Sj+mzC3ssI/d8wh59zJ5b2OMK3P68YY8rCPI8wx5XIPs9hD36oL+EPX7DsMcC4V/CHr9d2GOB8M887LEe1+8r7LEOh6dg6n4/YY91FHwyZu69wh7rMHpsO/dBwx7vQvAJGLWbhj3WofQnMFC/y7DH2t7aD1cKXKtmhd5E1q2c4FTYXuLqe57SKVXMp4PRahw2QX/tS3C7Fg1HA75X1I/pHyTSEXPgqnbBgHCI+GjehaItIroSQVdtNMWh1dBsxVHvq9VVR9Upl9JxBtGV+g0IbhJKeU64EHQcEx2HiePlH8S6T7GOP0p5NlW6tIESozkNU267puM0nFFJQqNaxkpZ5IygG0oWnpXmat0bQ8ADHHmtA1BKfs+IkAJ1ciahjELjjwUZ299trNMk5Ux2lPZa7HPfUej8npGUEoHmOHJ46CrDSUzQGIfX/psbVDsVCWbNlYd+tbKjiJrX9k6AzyHXlcuV4FYk9Tv7n+jHU2KchRBbwROSmvBc24IBgnExhFC2XacI7AgtuRsRMx3aYQjW1u3NIyzxWG0BRe5lTVP7yeQYHx0f9caHYRjtry1lNT6PQOUqIeEbzRMiZyDTj0N3OsuJaKIHx0QZ/kjyKVFEAwPXDZl3SDLtSQyxZ5hFsd4hbhpoCtkxca7EY9cKpffGk+P+ZHf/8HC8uxfhA7wbkuP+cdQlXbJ3uHtQJq+F+JGIbKffgKP9t0wbPNtu0bX9hTYQc4JFlpp7AGBzx7SKxXOWLrK6eY6kVeJ2u5PuwSHG3TE+7vbHh55gztLYF8qfP729QyB//vTWFng2HSmQKcKkzXYlKonRZHAKsu/zp7dCO5DNk/bQUDQYpwRa4aGIL5hiGI5EOCNz0nY9JxMsZ+Z9jmzc8zqyrtk+Y0PdBcw2D0rjXAS1iuW//H6E5wwJPicQqq4WUNFzjpe6BrlJKDj/qLDdUSRUdNVNzOJl290M4XIjRAaNE89NVTM1tu6c6PX4XcBF05TbnqdXpnSZplyVaWoqmLm0DBu53xRpL2emiriNVxAmbFiJLjt5jSZmdoMjS5bGhVaQlSGoQBAWIYhEVO1cEyHeVqvIuFSCMl1CWfgZ7Lfi+6XBY4Kho1FCUsojNM+EhEHGShKGcRaRqKa7pb4chIfHBLUSNm3lN4jq9VagvquuUGKUEK9PznS+3g32vVblI0+lUeUNxyPwb2l2+uHK43/Jk1aJOFc/XGmHVbHzpwW61PNsksUPqAM/WnuG84nunahEIHRjonO1pU1HpiXPoAh8vmGX3oWwkNyPCqMMXSl+VuNdQa4VKDSw4fVeoQJuRJmOjiKRtiZBgbI6J5z7bki/33BNP4GiBHi9t7e7I4jSmf/6+4/me/35B8mTwurZDfkMVvDVZzbnkTr/o1zOAOsLJAhhBco6irpp3nNp8iAoQ4xIfcJzRiVXFpWWAHwMJ3fkDoMxUaLGMA6sdUqw8FkBQ3IaivnUtPVXr0KLBEkY+i2DJs55qB3ILnWOljvjOs5xbcLca25YDMbWAgsHaLtwzjMuq8LpXkykRlvxc4G/EiyExzUPnsdkhi8ZdkEJBtlU48qPWM5Kc3uy1RCoVQKngR7xfm/yChx7e1WXx97ebgEoMKuaVBJgAsPE+tcx0bqC/sXkCdbh4OvRrRKzVc6uv8LZBflPkX8H5M8SKGmvFTqntTCu3oUdmuayR8dteLDDq/CM7k6r5htn0j3V9ibTyGo1xY2o21czROaJzOEB0PWTV+Zt00zOOagpJEcwSbEkaEzkgpBiyqdccK2rlg7ox+5Lr0TwS1P6J9WUXtttTfHBBYy+WizCgdMqHb06VOHqda3qqeFdcXQVLxxe2u2jl3b792u336AL+LMZvkZP8SEoXPDYz6tveIAL4WrP3PPYg7XYvXrMM+naJhsVF9qDkRvsbAxz12A6FZsvTScxxR8zfEPgyp2AS56n3hUlkyklwpyqtoc3mnPom4v1TT2NrKlsL6MwQxhypI3SDSe28K7p52bhHv8CaXWjet2IvME+9ZDJ0SBXFlNFgopp/8CBEY9mHSpcXwltqqnp2ohO8l4CFf34BJqJo1PKhCSGsSycukH+Y3EczN4oy2n8Gruur97Wuxo1gJrpQ6j7Je8kMZa6pX8VxAYFtk9/PVlhfi/vuClvhpWjM90TI9W9FAuSfQKuMS2CGMKMs+Wc/uHdRGnCuY+fBZlksWL8K+iMT6MrxRr6g0LsymWdhZxN9ArhuHiasEidB4zn+9JYKSUuKvNPmEegPyTv2CtOYRMTXcmeCnPcF4JHk1kXM2XWa70hRTGfek4MUZOIiUFoFY0/HjeWHekqnGjvopoJYa1pSJpvH6NSlGB99a/WNR1jhkc4mlPWaqOWbrhO2XSkBmz9+46QDF9xGuGpvS711CeUf7uGEqXHsKoUg/gLyMOcE32NgNE45QvPk+q21uWMLM2FnpjxBVICmkEkgQ1giPlUqKGUAuzuJEwAR+ZAtfcBG+g9RA3/rSShma28lvTjjDNyx+5rBKCcdNWgXjzBKS0A9eQvu0uyzuOPUYE/yri+43/QOMY7+0EXbenV+N9o8PGzWRn04QL1+qOeNuDe4VB98d/b6CRJYvILGf+dyp2D7n7QC3r7Drytv/90+e5tW7/zNxJe820bIrbT6wdd9I6PaUx2evunvb0jQ+6dg+6eqd/liC6CCZ7TuKnbxQ8XSI+Ptqzdl5JohmUbRWRMMWujSUrIWERttKAs4guxXe2zBk9W4H4erq0POhyHTY1OZfVfsLhs3RZXkiWFUGutF1b4TLPOO/4bviFlal2TlJGmTJUKDno2B7YOscCLVTtkL9gLup1er9+BxC0alqF/JmbOirW24QjeSq9a3P8uU8Zq4N9qZe18Zj+HhEku2igbZ0xmt+1hnC5oZQ83G4VaAX5dfux1g15ZUjYLqhfee8fJqaS7p1/dxEYyGs3q57cn79fRqdRzVpvCae7JMMr7Eh11+0HvdyTxdEtANDhGCQ6vibQ3RVjoKz4sEGVTiI2B4hb6TxgfC8FDaoLo1RDMuj7BJgKjSWHtAgyxy+Azk2mJl7dxN8+91x7gQGFfh0VKQp5GajjKprHBVuIpxCuCqziDgAsoKmkXb6YDCBSgv3co6/yOCAtxIjINpWgbk64OMlTw6splQkOln5qhzaUaBPVh574WhAmeoi0STAP0T0Ku2+gXmhIxw+n1Nvhm6Q2Jl8hp3mB8p3gCCY4lSlDGSLpyVfUQSD9kkMsXWKAte11oRjW/FfHfXoHk7ehp/My4m2J5C3qF3pIQfGT9ccrajiJqOMvCU+AVxei6uBCx5JB4OgVZYIb8MLbVvzzmttwb+FxuarzW8J993AzpeNs32aGykdsVJqDUGvoRFWFK4GKhvMPMmACBN96qdZnQlCxwHIs2SoH5RVubrThCYxxjFpJUbGDaNHYBBQidD7WmqJtS2rRRR/2qvL7dGP0mls+HxCTRAAZwL7AJDjyTgkZ3JCQ7qZ/FjKR4TF2ClxX/lR9WnwPqGCgMtIajAtdMjSpeC1vQOb9bWIel1G6c8mYDHaCSE59YhUDJcz95ARCRFbpg8GC5DGG4UhDEhhhZlajj9vfWxL/nHYL5oua6+Hxxuq3+0PUJYnjQDZq/YMPpeYrOzL7dLjgY85rRv2c4XopphtMo0H9D8u3vCzKekTjZmfARRMrFO9eML2ISTYkaeqeA4MiQnhIRzOT8X/+AgRxgRWLkz/57uzYKyoZgWhdS1cP36l8ti9edF0l+qXl1WEAuZnOKGNRcKEzk8pcKVBAhT3PNsrA4uZHuB29BDQ6o7B3eCLFTzUH7+WLthFkP4idrFVWo6n1RT1LYfObMEu4IxzGchv5sdW+v2B7hDQnmVKZE11RXMmxngn8HNo9/CG/ICDymIw84MQpTgiWJ/jWATG43rS9bKdFn8emXhAslOQY/n/oY/ruyvucMzXH44QLpci+oH/T6wUHbD1cqksMERH76ONigOjOBoghNbxArRb2bfq+dARW3LE11c9QtUc3uOF2XBI1pJgpzi7ERDVvnw20bHWIqXSR5dHf9YYm0kz5A575fHWVF54mZwAxqfXBVupZPj3VZfzHDckTFSG0BGm0bXi/zuBu9wuvnw3/XrFFHlxDqdrsbtAmAyLnGEoNPUEp0OPFqAVPQn4200ZkycyrpVJs/jhZ2MRz3R6V1KROmfkXCKe2MKVPfwnVeOKV/VX/86Oh40OttQEbFeKNGmd9YkTxFIsSsnlVri0r1ur2jYBOmUOMzkgY3hEW8qZRqhZIf9lM+4AEEpEGooHVJGB7H69cPCnlKgnFeeeY2ZCYxx7JWhb1Qw+iQnxSzqXF9dYOu0rh73aCrLxPhT9uTZEbQnAuJBLkhqR9T/0apmMKMyJX1qTQ2IYgQc/C1gdROYk6lJcqcyJSGAm1hKXF4jW4gXCFPs9Hh7F+oXLZRktIbGpMpMUlrxhMuSaqz97bbiM4THMp8VN+vrcZw46rXpikMq4YykSEAk6mpClmDK5SAGvXLqurAup2Ih5lCebuiqe4H+5stMWE3NOXQt2UtV9Y3WutTH6y7Fh2zJXLJGsAlZoXa6D4rBA5ZmhLoZfMElkiSecLTp7Q6lwaiuxYGfD9zLDNNaEXSyLRaAizahfParlX4cPtiTQo3e1cOhvx7W7KkcOORm85b738ebueHvTKNqYTa0I5GsAzAn5hdUzaFK+rWW75otVHrHYloNm9pbm79RKezFiyBMtPQTV8tqhOfbkTgBFG+gNTFud1cEqbKx9oNuib8eAl3iBGZUFZMWFMj5A8X1sjjIniCCsQXjERae8EMT/Xd09n5p4vL4EM61VVq0BZ8oYQn+nzR0eXzGYduURPqmVpefZg2Wsy4EgZU2KRPydGMxAnIfbhRFyQE5lSaLcgJpX0lnHnOMknwXCAcplxoxXnB0zhawaLsJgoYFTKY8hu4s+gYUQTsWhUG2jmyHquaJWlQu3CrXqthQOCuoh4ICnsIYii2BpXMY0ezJKU8pdIsBErJFKfgHPZEwP0oWFHi1TShm/qOe8gv+91j//oRStMMSrXVb7uBpEIpAbE+G7QLRhsial/Z+0i1V76U6t+LQo1L/6KS6noM8RLFfDo1+f/Q9EvJUu3IieiUwkFoK+LlZe4cQUiYSaXioTFlOKVKjbnYeXf+7rQ4GzMxumMewTNwfuJ4KSCLEBKdLZQcLvSvA/QL3PmzeJl7qEoVWw3oEDio71GLZQ7NiIwISSKUsYik6ErNdWVGn2ExI8Iynt+Ip1B8MSV5mG3b3eYSdKXev4LCHpDUnafTJjzJYmySIcEBqB1YMLvf5OZq2zdQjWMDTDAXxlhoXFWMnBxzOUMCZLetxOacbT6gwBdc12ULLYwFsuiIfiU0IcZWjVkdsoaPDFoyFoFX7elqe/0L7ZdGCI/SCOHP3vzge2148NLkwPy774o/mYqP92ps8GdpZvAnbmDwvJsWPLtGBc+rOcFza0jw0oSgSITn2Xjg+2s28NJg4Js1GHhpKvANmwo890YC32vzgJeGAV+x2k/GZLxfk4Bn2RjgmTQDeN4NAL6bov8dNfNrNCbgyMYsnPFUf+yENr7ReG/e6GcKIPwnjD2whdjMmaRed3km1n8A3oo4NiUc4ZpZgVp7Mw6pTTMupCeoNZ1wTF2JxgTLmX3Ye7AGQPVvSJKUhOCa6EA50PxF8MrAJ1rMcsLMplkV4FP4BZLOyR82dXo1eDrKvfTwnE51FOZrJNOMFEfXFCkMy/1e0vrDqI5vVqDu1geCbMDxP81SWBQ9WR1+a5BerZD/3K1owaD3XdNbR1bEFVDIP6BMSO+y9E4awfWDfhfZdxGN7LYIY55F+Q4YqI82aiBFcyJxhCWu3xTvzK869CMsvArhhbk9gqNoBA+M7JDqyZAIoUPL/D1SwBxeCugcT706+HlJiTnt4HEY9fq7tfIjZ5BzNQI6H7rgRQ2upYhhjx/QiVopeIjHkc+oFiAFf6ChsrjesdS1D9+63N4cFsA8sPH2aRxC7vmNZ1qDe0tzrcvG3mxzHM4oI7DH15rMvBB4L6w7lx+LNVpDoN3+1rqzJikHKbbmwpnHN1+3lExzre/2OQqP1o5vxULEw2vgVSMXhvZzzfbSv4Heoc7HONY9GkAo6N/UDhcznsqRlsy5PmGPYz1fx8mEFcemAwvVeKCLrxSEiD4doKaQ+7GOWB7B6l+pJdqKqZTE2Xw2kHTehtpw1tKb6016/+lMGVD0A7r8MPzwGv3EF0q9mONECVlB/lqBpXDQo9sPe7RaniMn0zUIgeVcdf7mfPuT/lQzyDmbcJ9bzbGgXkdW1ngMqr6vZU9zbpwOLvy8Y2ozbQMSimA5jwPznE6cw6m+U2WcdfI3S0W8uGtAsJrTVy9NodKWHWLMeUwwW5O8k5wikJ6TL3t1Xi6CcUbj6pTVFXWnd6t3NOx1j1vrgfPhAsEMfoxKPSAhj0jtPrgNFiFTIsPZ+sDYWXSpPrZ0HHidjUnKiIRQAMOHf/e/qxk3/93pXEUFKh8U+Vx4u1TNX7pTshaAvp3nyhRPeFQvdjbazB4FEq6vlaqLq6bKamT4fWf6yCP0+XxYnQhM5gSHD4dUPmJ1Mh5VRP5XTmZr5FQnM+LyL18tmL2fR3OcJJRNzbOtv6y5izyIzUEyx0kVZKjnpy+cnhzcHmz1wKckiWmIBZEPu8T5uCsWOiJJzJfzkpn59RPn466YGC6gJln84Ch7A6+Y+g496L4Tu2HvnLZe6fv6efW45oAxsjw/XT66L2rGNT/m54ozauvOgXxstNEhQL6sq3aaGYI8wPgW1dNg/BuP+TXFHZxJHlEB6SE5+v+lf0VD88sS+c8hz/K+8xKjZij/FDZwuCFXXe+Z5wJ9y1PMBtngVstefxoXL584ALzSSPVz0tsuX1dMd4rDman0qJtUuZRcE7xiKrETCh2DXHWVKNOVACROZZZYP5AeSLdDmOtsYHcvJ00fVDwnUiGWmgwhWDciQSXXBbvhC/WxbVJOATTIK8Ax1KIX2rN//lE/YdgL0agNMeCQMlQACRIMpADK1JPQhDsnKY+yUG5OyEsdWm32rhlGqYkOt9umvTe7FKZ9JVy1ry1v5u07pvbSTTecWb/rRZYb9D1eECjNGFMLTVk9HLaN4Mazf/70Fs2U8TlTpgpMZ7gVILmN6GGWllwVRTNpxay/uMZZFr8FFo7FjUmJMzkjTLpKGrrJkRVrMZ/mUuwtn+qucJB/ze5yRMT28Ziyop+hgGbMp4FpJmXCzG+hr8lTvK2CX47/hc4pt20BQXzmMW4KPO0HWUARIByhHQTdoNSDQRVIPpkIUtxrXiDPRpC5/nx6TJMAYcoQKXJpUSUQLrs9lBGI5w9FIbWiekRd5Co1bf3yvaHbbhlGfSVkxDP5SnGJ+puk6asieJQlmfRvQHNw4LS8kyowgE5iKK1XvlY2Ui8KSp29gJTcazVoYr6KFb119oya4grxxKYISTe5MPXijJw4ozEBZ5reOLBu5UVZCsUgExwWSi59PYuYARH5IiFCyevHZPLNlvWg2F8fDBQ7oOsoA/MU2l2UQLCZdSMwnB6KY6FHUjbHmlfBfWYnun1RGgfDTlQCwyqTScqn6cPt3HJlBDN8jdiaxHgq7hrM7aJiF1L1aqkMeWH8mZRJYNNHA3MsjGLCpq5j3Eq/ZeHVMY+WwXiZX+7c6lsoVSy/2wrIr94cztVXVpsO5T4e1RUsgAcJhaTGe7u2ruBkjhlKJ+U5uad1iLoFsVPPeZTF67nFC4/eSnbF6iNw9Eo8T9Ya3NRpWmd07TkJsJTpgzre/XFz9ja3OZDilhdeQDc4pWo3C7RIqZSEKbtKj/BKoP+6+PAe1gaSP6GVc0q9SoG26px3za5TSF38BZyyLo/cU8XMCVQc1xxP5dAAGs6TwAvJ24AY54N3H+FeuG7Iiqdz/SG1pVIccnr/If+WD1kYE/+RlVpQrGX5K1acZeOVuzf//pZbD79svh0xqMxVUBJR3dF7xzRq++tBqoMT9ntGMqI3YWWOyE8QvXMOOxZEblSngo7m6t1RzWX2Zti4oVCeM1K4mRLZnKSjoii+1xIZ8xLG87vOoEL4++8ZgSACPyzsvrjZ0VxppSK/XuPJNd6YXyVPaPh1lPi7mtgMtHptvwJ5PUG+tIaaD78f9ETGTuImCWBOhMDTmnvOa7J8CMJdk2Vb9wxS+klkuu6pna9/N9YFtK22onslTOOYh9eVcxPdY98aWkAZj62QzxNIyo629RQon6ICw4zgiKSiMjdU/1xv8hPbbo5PDCB6UFOhXeSlBQ0l2pYyXvF7/a/1H9dk+Z+v0X8AHf+zFfyP/x8AAP//lTSbPA==" } diff --git a/filebeat/input/file/file.go b/filebeat/input/file/file.go index 676a2d5cfcb..963a1015fb8 100644 --- a/filebeat/input/file/file.go +++ b/filebeat/input/file/file.go @@ -30,12 +30,8 @@ type File struct { State *State } -// Checks if the two files are the same. -func (f *File) IsSameFile(f2 *File) bool { - return os.SameFile(f.FileInfo, f2.FileInfo) -} - // IsSameFile checks if the given File path corresponds with the FileInfo given +// It is used to check if the file has been renamed. func IsSameFile(path string, info os.FileInfo) bool { fileInfo, err := os.Stat(path) diff --git a/filebeat/input/file/identifier.go b/filebeat/input/file/identifier.go new file mode 100644 index 00000000000..c16535f3e19 --- /dev/null +++ b/filebeat/input/file/identifier.go @@ -0,0 +1,121 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package file + +import ( + "fmt" + "strconv" + "strings" + + "github.com/mitchellh/hashstructure" + + "github.com/elastic/beats/v7/libbeat/common" +) + +const ( + nativeName = "native" + pathName = "path" + inodeMarkerName = "inode_marker" + + DefaultIdentifierName = nativeName + identitySep = "::" +) + +var ( + identifierFactories = map[string]IdentifierFactory{ + nativeName: newINodeDeviceIdentifier, + pathName: newPathIdentifier, + inodeMarkerName: newINodeMarkerIdentifier, + } +) + +type IdentifierFactory func(*common.Config) (StateIdentifier, error) + +// StateIdentifier generates an ID for a State. +type StateIdentifier interface { + // GenerateID generates and returns the ID of the state and its type + GenerateID(State) (id, identifierType string) +} + +// NewStateIdentifier creates a new state identifier for a log input. +func NewStateIdentifier(ns *common.ConfigNamespace) (StateIdentifier, error) { + if ns == nil { + return newINodeDeviceIdentifier(nil) + } + + identifierType := ns.Name() + f, ok := identifierFactories[identifierType] + if !ok { + return nil, fmt.Errorf("no such file_identity generator: %s", identifierType) + } + + return f(ns.Config()) +} + +type inodeDeviceIdentifier struct { + name string +} + +func newINodeDeviceIdentifier(_ *common.Config) (StateIdentifier, error) { + return &inodeDeviceIdentifier{ + name: nativeName, + }, nil +} + +func (i *inodeDeviceIdentifier) GenerateID(s State) (id, identifierType string) { + stateID := i.name + identitySep + s.FileStateOS.String() + return genIDWithHash(s.Meta, stateID), i.name +} + +type pathIdentifier struct { + name string +} + +func newPathIdentifier(_ *common.Config) (StateIdentifier, error) { + return &pathIdentifier{ + name: pathName, + }, nil +} + +func (p *pathIdentifier) GenerateID(s State) (id, identifierType string) { + stateID := p.name + identitySep + s.Source + return genIDWithHash(s.Meta, stateID), p.name +} + +func genIDWithHash(meta map[string]string, fileID string) string { + if len(meta) == 0 { + return fileID + } + + hashValue, _ := hashstructure.Hash(meta, nil) + var hashBuf [17]byte + hash := strconv.AppendUint(hashBuf[:0], hashValue, 16) + hash = append(hash, '-') + + var b strings.Builder + b.Grow(len(hash) + len(fileID)) + b.Write(hash) + b.WriteString(fileID) + + return b.String() +} + +// mockIdentifier is used for testing +type MockIdentifier struct{} + +func (m *MockIdentifier) GenerateID(s State) (string, string) { return s.Id, "mock" } diff --git a/filebeat/input/file/identifier_inode_deviceid.go b/filebeat/input/file/identifier_inode_deviceid.go new file mode 100644 index 00000000000..f5e191744d6 --- /dev/null +++ b/filebeat/input/file/identifier_inode_deviceid.go @@ -0,0 +1,98 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build !windows + +package file + +import ( + "fmt" + "io/ioutil" + "os" + "path/filepath" + "time" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" +) + +type inodeMarkerIdentifier struct { + log *logp.Logger + name string + markerPath string + + markerFileLastModifitaion time.Time + markerTxt string +} + +func newINodeMarkerIdentifier(cfg *common.Config) (StateIdentifier, error) { + var config struct { + MarkerPath string `config:"path" validate:"required"` + } + err := cfg.Unpack(&config) + if err != nil { + return nil, fmt.Errorf("error while reading configuration of INode + marker file configuration: %v", err) + } + + fi, err := os.Stat(config.MarkerPath) + if err != nil { + return nil, fmt.Errorf("error while opening marker file at %s: %v", config.MarkerPath, err) + } + markerContent, err := ioutil.ReadFile(config.MarkerPath) + if err != nil { + return nil, fmt.Errorf("error while reading marker file at %s: %v", config.MarkerPath, err) + } + return &inodeMarkerIdentifier{ + log: logp.NewLogger("inode_marker_identifier_" + filepath.Base(config.MarkerPath)), + name: inodeMarkerName, + markerPath: config.MarkerPath, + markerFileLastModifitaion: fi.ModTime(), + markerTxt: string(markerContent), + }, nil +} + +func (i *inodeMarkerIdentifier) markerContents() string { + f, err := os.Open(i.markerPath) + if err != nil { + i.log.Errorf("Failed to open marker file %s: %v", i.markerPath, err) + return "" + } + defer f.Close() + + fi, err := f.Stat() + if err != nil { + i.log.Errorf("Failed to fetch file information for %s: %v", i.markerPath, err) + return "" + } + if i.markerFileLastModifitaion.Before(fi.ModTime()) { + contents, err := ioutil.ReadFile(i.markerPath) + if err != nil { + i.log.Errorf("Error while reading contents of marker file: %v", err) + return "" + } + i.markerTxt = string(contents) + } + + return i.markerTxt +} + +func (i *inodeMarkerIdentifier) GenerateID(s State) (id, identifierType string) { + m := i.markerContents() + + stateID := fmt.Sprintf("%s%s%s-%s", i.name, identitySep, s.FileStateOS.InodeString(), m) + return genIDWithHash(s.Meta, stateID), i.name +} diff --git a/filebeat/input/file/identifier_inode_deviceid_windows.go b/filebeat/input/file/identifier_inode_deviceid_windows.go new file mode 100644 index 00000000000..9fb1152a33c --- /dev/null +++ b/filebeat/input/file/identifier_inode_deviceid_windows.go @@ -0,0 +1,30 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build windows + +package file + +import ( + "fmt" + + "github.com/elastic/beats/v7/libbeat/common" +) + +func newINodeMarkerIdentifier(cfg *common.Config) (StateIdentifier, error) { + return nil, fmt.Errorf("inode_deviceid is not supported on Windows") +} diff --git a/filebeat/input/file/identifier_test.go b/filebeat/input/file/identifier_test.go new file mode 100644 index 00000000000..f47f4a37fb9 --- /dev/null +++ b/filebeat/input/file/identifier_test.go @@ -0,0 +1,199 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build !windows + +package file + +import ( + "fmt" + "path/filepath" + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/file" +) + +type stateTestCase struct { + states [2]State + isSame bool +} + +func TestINodeDeviceIdentifier(t *testing.T) { + tests := map[string]stateTestCase{ + "two states poiting to the same file": { + [2]State{ + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + State{ + Source: "/path/to/this/file/2", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + }, + true, + }, + "two states poiting to different files": { + [2]State{ + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + State{ + Source: "/path/to/this/file/2", + FileStateOS: file.StateOS{Inode: 2, Device: 1}, + }, + }, + false, + }, + } + + identifier, _ := newINodeDeviceIdentifier(nil) + for name, test := range tests { + test := test + for i := 0; i < len(test.states); i++ { + test.states[i].Id, test.states[i].IdentifierName = identifier.GenerateID(test.states[i]) + } + + t.Run(name, func(t *testing.T) { + isSame := test.states[0].IsEqual(&test.states[1]) + assert.Equal(t, isSame, test.isSame) + }) + } +} + +func TestPathIdentifier(t *testing.T) { + tests := map[string]stateTestCase{ + "two states poiting to the same file": { + [2]State{ + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + }, + true, + }, + "two states poiting to different files": { + [2]State{ + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + State{ + Source: "/path/to/this/file/2", + FileStateOS: file.StateOS{Inode: 2, Device: 1}, + }, + }, + false, + }, + } + + identifier, _ := newPathIdentifier(nil) + for name, test := range tests { + test := test + for i := 0; i < len(test.states); i++ { + test.states[i].Id, test.states[i].IdentifierName = identifier.GenerateID(test.states[i]) + } + t.Run(name, func(t *testing.T) { + isSame := test.states[0].IsEqual(&test.states[1]) + assert.Equal(t, isSame, test.isSame) + }) + } +} + +func TestInodeMarkerIdentifier(t *testing.T) { + tests := map[string]stateTestCase{ + "two states poiting to the same file i.": { + [2]State{ + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + }, + true, + }, + "two states poiting to the same file ii.": { + [2]State{ + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 2}, + }, + }, + true, + }, + "two states poiting to different files i.": { + [2]State{ + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + State{ + Source: "/path/to/this/file/2", + FileStateOS: file.StateOS{Inode: 2, Device: 1}, + }, + }, + false, + }, + "two states poiting to different files ii.": { + [2]State{ + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 1, Device: 1}, + }, + State{ + Source: "/path/to/this/file/1", + FileStateOS: file.StateOS{Inode: 2, Device: 3}, + }, + }, + false, + }, + } + + identifier := newMockInodeMarkerIdentifier() + for name, test := range tests { + test := test + for i := 0; i < len(test.states); i++ { + test.states[i].Id, test.states[i].IdentifierName = identifier.GenerateID(test.states[i]) + } + t.Run(name, func(t *testing.T) { + isSame := test.states[0].IsEqual(&test.states[1]) + assert.Equal(t, isSame, test.isSame) + }) + } +} + +func newMockInodeMarkerIdentifier() StateIdentifier { + cfg := common.MustNewConfigFrom(map[string]string{"path": filepath.Join("testdata", "identifier_marker")}) + i, err := newINodeMarkerIdentifier(cfg) + fmt.Println(err) + return i +} diff --git a/filebeat/input/file/identifier_test_windows.go b/filebeat/input/file/identifier_test_windows.go new file mode 100644 index 00000000000..544dbad2546 --- /dev/null +++ b/filebeat/input/file/identifier_test_windows.go @@ -0,0 +1,29 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build windows + +package file + +import "testing" + +func TestInodeMarkerError(t *testing.T) { + _, err := newINodeMarkerIdentifier(nil) + if err == nil { + t.Fatal("inode_marker should not be supported on windows") + } +} diff --git a/filebeat/input/file/state.go b/filebeat/input/file/state.go index ef255243b4c..560daf8a7bc 100644 --- a/filebeat/input/file/state.go +++ b/filebeat/input/file/state.go @@ -18,36 +18,36 @@ package file import ( + "fmt" "os" - "strconv" - "strings" "time" - "github.com/mitchellh/hashstructure" - "github.com/elastic/beats/v7/libbeat/common/file" ) // State is used to communicate the reading state of a file type State struct { - Id string `json:"-" struct:"-"` // local unique id to make comparison more efficient - Finished bool `json:"-" struct:"-"` // harvester state - Fileinfo os.FileInfo `json:"-" struct:"-"` // the file info - Source string `json:"source" struct:"source"` - Offset int64 `json:"offset" struct:"offset"` - Timestamp time.Time `json:"timestamp" struct:"timestamp"` - TTL time.Duration `json:"ttl" struct:"ttl"` - Type string `json:"type" struct:"type"` - Meta map[string]string `json:"meta" struct:"meta,omitempty"` - FileStateOS file.StateOS `json:"FileStateOS" struct:"FileStateOS"` + Id string `json:"id" struct:"id"` + PrevId string `json:"prev_id" struct:"prev_id"` + Finished bool `json:"-" struct:"-"` // harvester state + Fileinfo os.FileInfo `json:"-" struct:"-"` // the file info + Source string `json:"source" struct:"source"` + Offset int64 `json:"offset" struct:"offset"` + Timestamp time.Time `json:"timestamp" struct:"timestamp"` + TTL time.Duration `json:"ttl" struct:"ttl"` + Type string `json:"type" struct:"type"` + Meta map[string]string `json:"meta" struct:"meta,omitempty"` + FileStateOS file.StateOS `json:"FileStateOS" struct:"FileStateOS"` + IdentifierName string `json:"identifier_name" struct:"identifier_name"` } // NewState creates a new file state -func NewState(fileInfo os.FileInfo, path string, t string, meta map[string]string) State { +func NewState(fileInfo os.FileInfo, path string, t string, meta map[string]string, identifier StateIdentifier) State { if len(meta) == 0 { meta = nil } - return State{ + + s := State{ Fileinfo: fileInfo, Source: path, Finished: false, @@ -57,43 +57,29 @@ func NewState(fileInfo os.FileInfo, path string, t string, meta map[string]strin Type: t, Meta: meta, } -} - -// ID returns a unique id for the state as a string -func (s *State) ID() string { - // Generate id on first request. This is needed as id is not set when converting back from json - if s.Id == "" { - if len(s.Meta) == 0 { - s.Id = s.FileStateOS.String() - } else { - hashValue, _ := hashstructure.Hash(s.Meta, nil) - var hashBuf [17]byte - hash := strconv.AppendUint(hashBuf[:0], hashValue, 16) - hash = append(hash, '-') - fileID := s.FileStateOS.String() - - var b strings.Builder - b.Grow(len(hash) + len(fileID)) - b.Write(hash) - b.WriteString(fileID) - - s.Id = b.String() - } - } + s.Id, s.IdentifierName = identifier.GenerateID(s) - return s.Id + return s } -// IsEqual compares the state to an other state supporting stringer based on the unique string +// IsEqual checks if the two states point to the same file. func (s *State) IsEqual(c *State) bool { - return s.ID() == c.ID() + return s.Id == c.Id } -// IsEmpty returns true if the state is empty -func (s *State) IsEmpty() bool { - return s.FileStateOS == file.StateOS{} && - s.Source == "" && - len(s.Meta) == 0 && - s.Timestamp.IsZero() +// String returns string representation of the struct +func (s *State) String() string { + return fmt.Sprintf( + "{Id: %v, Finished: %v, Fileinfo: %v, Source: %v, Offset: %v, Timestamp: %v, TTL: %v, Type: %v, Meta: %v, FileStateOS: %v}", + s.Id, + s.Finished, + s.Fileinfo, + s.Source, + s.Offset, + s.Timestamp, + s.TTL, + s.Type, + s.Meta, + s.FileStateOS) } diff --git a/filebeat/input/file/states.go b/filebeat/input/file/states.go index 34704b41dba..48cf338f80f 100644 --- a/filebeat/input/file/states.go +++ b/filebeat/input/file/states.go @@ -55,7 +55,7 @@ func (s *States) UpdateWithTs(newState State, ts time.Time) { s.Lock() defer s.Unlock() - id := newState.ID() + id := newState.Id index := s.findPrevious(id) newState.Timestamp = ts @@ -74,13 +74,20 @@ func (s *States) UpdateWithTs(newState State, ts time.Time) { func (s *States) FindPrevious(newState State) State { s.RLock() defer s.RUnlock() - i := s.findPrevious(newState.ID()) + i := s.findPrevious(newState.Id) if i < 0 { return State{} } return s.states[i] } +func (s *States) IsNew(state State) bool { + s.RLock() + defer s.RUnlock() + i := s.findPrevious(state.Id) + return i < 0 +} + // findPrevious returns the previous state for the file. // In case no previous state exists, index -1 is returned func (s *States) findPrevious(id string) int { @@ -120,17 +127,16 @@ func (s *States) CleanupWith(fn func(string)) (int, int) { continue } - id := state.ID() - delete(s.idx, id) + delete(s.idx, state.Id) if fn != nil { - fn(id) + fn(state.Id) } logp.Debug("state", "State removed for %v because of older: %v", state.Source, state.TTL) L-- if L != i { s.states[i] = s.states[L] - s.idx[s.states[i].ID()] = i + s.idx[s.states[i].Id] = i } } else { i++ @@ -172,7 +178,7 @@ func (s *States) SetStates(states []State) { // create new index s.idx = map[string]int{} for i := range states { - s.idx[states[i].ID()] = i + s.idx[states[i].Id] = i } } diff --git a/filebeat/input/file/testdata/identifier_marker b/filebeat/input/file/testdata/identifier_marker new file mode 100644 index 00000000000..2effed19113 --- /dev/null +++ b/filebeat/input/file/testdata/identifier_marker @@ -0,0 +1 @@ +1234-1234-1234-1234 diff --git a/filebeat/input/log/config.go b/filebeat/input/log/config.go index 835358b4e66..c5f9f2049da 100644 --- a/filebeat/input/log/config.go +++ b/filebeat/input/log/config.go @@ -27,6 +27,7 @@ import ( cfg "github.com/elastic/beats/v7/filebeat/config" "github.com/elastic/beats/v7/filebeat/harvester" "github.com/elastic/beats/v7/filebeat/input/file" + "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/cfgwarn" "github.com/elastic/beats/v7/libbeat/common/match" "github.com/elastic/beats/v7/libbeat/logp" @@ -35,43 +36,6 @@ import ( "github.com/elastic/beats/v7/libbeat/reader/readjson" ) -var ( - defaultConfig = config{ - // Common - ForwarderConfig: harvester.ForwarderConfig{ - Type: cfg.DefaultType, - }, - CleanInactive: 0, - - // Input - Enabled: true, - IgnoreOlder: 0, - ScanFrequency: 10 * time.Second, - CleanRemoved: true, - HarvesterLimit: 0, - Symlinks: false, - TailFiles: false, - ScanSort: "", - ScanOrder: "asc", - RecursiveGlob: true, - - // Harvester - BufferSize: 16 * humanize.KiByte, - MaxBytes: 10 * humanize.MiByte, - LineTerminator: readfile.AutoLineTerminator, - LogConfig: LogConfig{ - Backoff: 1 * time.Second, - BackoffFactor: 2, - MaxBackoff: 10 * time.Second, - CloseInactive: 5 * time.Minute, - CloseRemoved: true, - CloseRenamed: false, - CloseEOF: false, - CloseTimeout: 0, - }, - } -) - type config struct { harvester.ForwarderConfig `config:",inline"` LogConfig `config:",inline"` @@ -81,16 +45,17 @@ type config struct { CleanInactive time.Duration `config:"clean_inactive" validate:"min=0"` // Input - Enabled bool `config:"enabled"` - ExcludeFiles []match.Matcher `config:"exclude_files"` - IgnoreOlder time.Duration `config:"ignore_older"` - Paths []string `config:"paths"` - ScanFrequency time.Duration `config:"scan_frequency" validate:"min=0,nonzero"` - CleanRemoved bool `config:"clean_removed"` - HarvesterLimit uint32 `config:"harvester_limit" validate:"min=0"` - Symlinks bool `config:"symlinks"` - TailFiles bool `config:"tail_files"` - RecursiveGlob bool `config:"recursive_glob.enabled"` + Enabled bool `config:"enabled"` + ExcludeFiles []match.Matcher `config:"exclude_files"` + IgnoreOlder time.Duration `config:"ignore_older"` + Paths []string `config:"paths"` + ScanFrequency time.Duration `config:"scan_frequency" validate:"min=0,nonzero"` + CleanRemoved bool `config:"clean_removed"` + HarvesterLimit uint32 `config:"harvester_limit" validate:"min=0"` + Symlinks bool `config:"symlinks"` + TailFiles bool `config:"tail_files"` + RecursiveGlob bool `config:"recursive_glob.enabled"` + FileIdentity *common.ConfigNamespace `config:"file_identity"` // Harvester BufferSize int `config:"harvester_buffer_size"` @@ -147,6 +112,44 @@ var ValidScanSort = map[string]struct{}{ ScanSortFilename: {}, } +func defaultConfig() config { + return config{ + // Common + ForwarderConfig: harvester.ForwarderConfig{ + Type: cfg.DefaultType, + }, + CleanInactive: 0, + + // Input + Enabled: true, + IgnoreOlder: 0, + ScanFrequency: 10 * time.Second, + CleanRemoved: true, + HarvesterLimit: 0, + Symlinks: false, + TailFiles: false, + ScanSort: "", + ScanOrder: "asc", + RecursiveGlob: true, + FileIdentity: nil, + + // Harvester + BufferSize: 16 * humanize.KiByte, + MaxBytes: 10 * humanize.MiByte, + LineTerminator: readfile.AutoLineTerminator, + LogConfig: LogConfig{ + Backoff: 1 * time.Second, + BackoffFactor: 2, + MaxBackoff: 10 * time.Second, + CloseInactive: 5 * time.Minute, + CloseRemoved: true, + CloseRenamed: false, + CloseEOF: false, + CloseTimeout: 0, + }, + } +} + func (c *config) Validate() error { // DEPRECATED 6.0.0: warning is already outputted on input level if c.InputType != "" { diff --git a/filebeat/input/log/config_test.go b/filebeat/input/log/config_test.go index 7406014d049..f8160a830f7 100644 --- a/filebeat/input/log/config_test.go +++ b/filebeat/input/log/config_test.go @@ -59,7 +59,7 @@ func TestCleanOlderIgnoreOlderErrorEqual(t *testing.T) { func TestCleanOlderIgnoreOlder(t *testing.T) { config := config{ - CleanInactive: 10*time.Hour + defaultConfig.ScanFrequency + 1*time.Second, + CleanInactive: 10*time.Hour + defaultConfig().ScanFrequency + 1*time.Second, IgnoreOlder: 10 * time.Hour, Paths: []string{"hello"}, ForwarderConfig: harvester.ForwarderConfig{ diff --git a/filebeat/input/log/harvester.go b/filebeat/input/log/harvester.go index 94162ebfec9..6b16861f8ec 100644 --- a/filebeat/input/log/harvester.go +++ b/filebeat/input/log/harvester.go @@ -58,7 +58,7 @@ import ( var ( harvesterMetrics = monitoring.Default.NewRegistry("filebeat.harvester") - filesMetrics = harvesterMetrics.NewRegistry("files") + filesMetrics = monitoring.GetNamespace("dataset").GetRegistry() harvesterStarted = monitoring.NewInt(harvesterMetrics, "started") harvesterClosed = monitoring.NewInt(harvesterMetrics, "closed") @@ -83,6 +83,7 @@ type Harvester struct { // shutdown handling done chan struct{} + doneWg *sync.WaitGroup stopOnce sync.Once stopWg *sync.WaitGroup stopLock sync.Mutex @@ -132,12 +133,13 @@ func NewHarvester( } h := &Harvester{ - config: defaultConfig, + config: defaultConfig(), state: state, states: states, publishState: publishState, done: make(chan struct{}), stopWg: &sync.WaitGroup{}, + doneWg: &sync.WaitGroup{}, id: id, outletFactory: outletFactory, } @@ -291,12 +293,19 @@ func (h *Harvester) Run() error { } h.stop() - h.log.Close() + err := h.reader.Close() + if err != nil { + logp.Err("Failed to stop harvester for file %s: %v", h.state.Source, err) + } }(h.state.Source) logp.Info("Harvester started for file: %s", h.state.Source) - go h.monitorFileSize() + h.doneWg.Add(1) + go func() { + h.monitorFileSize() + h.doneWg.Done() + }() for { select { @@ -375,7 +384,8 @@ func (h *Harvester) monitorFileSize() { func (h *Harvester) stop() { h.stopOnce.Do(func() { close(h.done) - + // Wait for goroutines monitoring h.done to terminate before closing source. + h.doneWg.Wait() filesMetrics.Remove(h.id.String()) }) } @@ -505,6 +515,14 @@ func (h *Harvester) shouldExportLine(line string) bool { // is returned and the harvester is closed. The file will be picked up again the next time // the file system is scanned func (h *Harvester) openFile() error { + fi, err := os.Stat(h.state.Source) + if err != nil { + return fmt.Errorf("failed to stat source file %s: %v", h.state.Source, err) + } + if fi.Mode()&os.ModeNamedPipe != 0 { + return fmt.Errorf("failed to open file %s, named pipes are not supported", h.state.Source) + } + f, err := file_helper.ReadOpen(h.state.Source) if err != nil { return fmt.Errorf("Failed opening %s: %s", h.state.Source, err) @@ -631,6 +649,8 @@ func (h *Harvester) newLogFileReader() (reader.Reader, error) { var r reader.Reader var err error + logp.Debug("harvester", "newLogFileReader with config.MaxBytes: %d", h.config.MaxBytes) + // TODO: NewLineReader uses additional buffering to deal with encoding and testing // for new lines in input stream. Simple 8-bit based encodings, or plain // don't require 'complicated' logic. @@ -644,10 +664,17 @@ func (h *Harvester) newLogFileReader() (reader.Reader, error) { return nil, err } + // Configure MaxBytes limit for EncodeReader as multiplied by 4 + // for the worst case scenario where incoming UTF32 charchers are decoded to the single byte UTF-8 characters. + // This limit serves primarily to avoid memory bload or potential OOM with expectedly long lines in the file. + // The further size limiting is performed by LimitReader at the end of the readers pipeline as needed. + encReaderMaxBytes := h.config.MaxBytes * 4 + r, err = readfile.NewEncodeReader(reader, readfile.Config{ Codec: h.encoding, BufferSize: h.config.BufferSize, Terminator: h.config.LineTerminator, + MaxBytes: encReaderMaxBytes, }) if err != nil { return nil, err diff --git a/filebeat/input/log/harvester_test.go b/filebeat/input/log/harvester_test.go index 96ae5c7e5ed..537851979ca 100644 --- a/filebeat/input/log/harvester_test.go +++ b/filebeat/input/log/harvester_test.go @@ -41,7 +41,7 @@ func TestReadLine(t *testing.T) { logFile := absPath + "/tmp" + strconv.Itoa(rand.Int()) + ".log" assert.NotNil(t, absPath) - assert.Nil(t, err) + assert.NoError(t, err) if err != nil { t.Fatalf("Error creating the absolute path: %s", absPath) @@ -51,18 +51,18 @@ func TestReadLine(t *testing.T) { defer file.Close() defer os.Remove(logFile) - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, file) firstLineString := "9Characte\n" secondLineString := "This is line 2\n" length, err := file.WriteString(firstLineString) - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, length) length, err = file.WriteString(secondLineString) - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, length) file.Sync() @@ -70,7 +70,7 @@ func TestReadLine(t *testing.T) { // Open file for reading readFile, err := os.Open(logFile) defer readFile.Close() - assert.Nil(t, err) + assert.NoError(t, err) source := File{File: readFile} @@ -102,7 +102,7 @@ func TestReadLine(t *testing.T) { // Read third line _, text, bytesread, _, err := readLine(r) t.Logf("received line: '%s'\n", text) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, text, firstLineString[0:len(firstLineString)-1]) assert.Equal(t, bytesread, len(firstLineString)) @@ -111,7 +111,7 @@ func TestReadLine(t *testing.T) { t.Logf("received line: '%s'\n", text) assert.Equal(t, text, secondLineString[0:len(secondLineString)-1]) assert.Equal(t, bytesread, len(secondLineString)) - assert.Nil(t, err) + assert.NoError(t, err) // Read third line, which doesn't exist _, text, bytesread, _, err = readLine(r) diff --git a/filebeat/input/log/input.go b/filebeat/input/log/input.go index 032f5c11c92..365da416ed3 100644 --- a/filebeat/input/log/input.go +++ b/filebeat/input/log/input.go @@ -60,16 +60,17 @@ func init() { // Input contains the input and its config type Input struct { - cfg *common.Config - config config - states *file.States - harvesters *harvester.Registry - outlet channel.Outleter - stateOutlet channel.Outleter - done chan struct{} - numHarvesters atomic.Uint32 - meta map[string]string - stopOnce sync.Once + cfg *common.Config + config config + states *file.States + harvesters *harvester.Registry + outlet channel.Outleter + stateOutlet channel.Outleter + done chan struct{} + numHarvesters atomic.Uint32 + meta map[string]string + stopOnce sync.Once + fileStateIdentifier file.StateIdentifier } // NewInput instantiates a new Log @@ -85,7 +86,7 @@ func NewInput( } } - inputConfig := defaultConfig + inputConfig := defaultConfig() if err := cfg.Unpack(&inputConfig); err != nil { return nil, err @@ -101,6 +102,11 @@ func NewInput( return nil, fmt.Errorf("each input must have at least one path defined") } + identifier, err := file.NewStateIdentifier(inputConfig.FileIdentity) + if err != nil { + return nil, fmt.Errorf("failed to initialize file identity generator: %+v", err) + } + // Note: underlying output. // The input and harvester do have different requirements // on the timings the outlets must be closed/unblocked. @@ -125,14 +131,15 @@ func NewInput( } p := &Input{ - config: inputConfig, - cfg: cfg, - harvesters: harvester.NewRegistry(), - outlet: out, - stateOutlet: stateOut, - states: file.NewStates(), - done: context.Done, - meta: meta, + config: inputConfig, + cfg: cfg, + harvesters: harvester.NewRegistry(), + outlet: out, + stateOutlet: stateOut, + states: file.NewStates(), + done: context.Done, + meta: meta, + fileStateIdentifier: identifier, } // Create empty harvester to check if configs are fine @@ -168,7 +175,16 @@ func (p *Input) loadStates(states []file.State) error { // In case a input is tried to be started with an unfinished state matching the glob pattern if !state.Finished { - return fmt.Errorf("Can only start an input when all related states are finished: %+v", state) + return &common.ErrInputNotFinished{State: state.String()} + } + + // Convert state to current identifier if different + // and remove outdated state + newId, identifierName := p.fileStateIdentifier.GenerateID(state) + if state.IdentifierName != identifierName { + state.PrevId = state.Id + state.Id = newId + state.IdentifierName = identifierName } // Update input states and send new states to registry @@ -225,10 +241,14 @@ func (p *Input) Run() { } } else { // Check if existing source on disk and state are the same. Remove if not the case. - newState := file.NewState(stat, state.Source, p.config.Type, p.meta) - if !newState.FileStateOS.IsSame(state.FileStateOS) { + newState := file.NewState(stat, state.Source, p.config.Type, p.meta, p.fileStateIdentifier) + if state.IdentifierName != newState.IdentifierName { + logp.Debug("input", "file_identity configuration for file has changed from %s to %s, generating new id", state.IdentifierName, newState.IdentifierName) + state.Id, state.IdentifierName = p.fileStateIdentifier.GenerateID(state) + } + if !state.IsEqual(&newState) { p.removeState(state) - logp.Debug("input", "Remove state for file as file removed or renamed: %s", state.Source) + logp.Debug("input", "Remove state of file as its identity has changed: %s", state.Source) } } } @@ -418,7 +438,7 @@ func getFileState(path string, info os.FileInfo, p *Input) (file.State, error) { } logp.Debug("input", "Check file for harvesting: %s", absolutePath) // Create new state for comparison - newState := file.NewState(info, absolutePath, p.config.Type, p.meta) + newState := file.NewState(info, absolutePath, p.config.Type, p.meta, p.fileStateIdentifier) return newState, nil } @@ -476,11 +496,11 @@ func (p *Input) scan() { } // Load last state - lastState := p.states.FindPrevious(newState) + isNewState := p.states.IsNew(newState) // Ignores all files which fall under ignore_older if p.isIgnoreOlder(newState) { - err := p.handleIgnoreOlder(lastState, newState) + err := p.handleIgnoreOlder(isNewState, newState) if err != nil { logp.Err("Updating ignore_older state error: %s", err) } @@ -488,7 +508,7 @@ func (p *Input) scan() { } // Decides if previous state exists - if lastState.IsEmpty() { + if isNewState { logp.Debug("input", "Start harvester for new file: %s", newState.Source) err := p.startHarvester(newState, 0) if err == errHarvesterLimit { @@ -499,6 +519,7 @@ func (p *Input) scan() { logp.Err(harvesterErrMsg, newState.Source, err) } } else { + lastState := p.states.FindPrevious(newState) p.harvestExistingFile(newState, lastState) } } @@ -566,10 +587,11 @@ func (p *Input) harvestExistingFile(newState file.State, oldState file.State) { // handleIgnoreOlder handles states which fall under ignore older // Based on the state information it is decided if the state information has to be updated or not -func (p *Input) handleIgnoreOlder(lastState, newState file.State) error { +func (p *Input) handleIgnoreOlder(isNewState bool, newState file.State) error { logp.Debug("input", "Ignore file because ignore_older reached: %s", newState.Source) - if !lastState.IsEmpty() { + if !isNewState { + lastState := p.states.FindPrevious(newState) if !lastState.Finished { logp.Info("File is falling under ignore_older before harvesting is finished. Adjust your close_* settings: %s", newState.Source) } @@ -711,8 +733,26 @@ func (p *Input) updateState(state file.State) error { state.Meta = nil } + err := p.doUpdate(state) + if err != nil { + return err + } + + if state.PrevId != "" { + stateToRemove := file.State{Id: state.PrevId, TTL: 0, Finished: true, Meta: nil} + err := p.doUpdate(stateToRemove) + if err != nil { + return fmt.Errorf("failed to remove outdated states based on prev_id: %v", err) + } + } + + return nil +} + +func (p *Input) doUpdate(state file.State) error { // Update first internal state p.states.Update(state) + ok := p.outlet.OnEvent(beat.Event{ Private: state, }) @@ -720,7 +760,6 @@ func (p *Input) updateState(state file.State) error { logp.Info("input outlet closed") return errors.New("input outlet closed") } - return nil } diff --git a/filebeat/input/log/input_other_test.go b/filebeat/input/log/input_other_test.go index e37b4d0c1f2..0910bd2b291 100644 --- a/filebeat/input/log/input_other_test.go +++ b/filebeat/input/log/input_other_test.go @@ -147,8 +147,9 @@ func TestInit(t *testing.T) { config: config{ Paths: test.paths, }, - states: file.NewStates(), - outlet: TestOutlet{}, + states: file.NewStates(), + outlet: TestOutlet{}, + fileStateIdentifier: &file.MockIdentifier{}, } // Set states to finished diff --git a/filebeat/input/log/log.go b/filebeat/input/log/log.go index 1a89c5bc8d1..60728143764 100644 --- a/filebeat/input/log/log.go +++ b/filebeat/input/log/log.go @@ -208,7 +208,8 @@ func (f *Log) wait() { } // Close closes the done channel but no th the file handler -func (f *Log) Close() { +func (f *Log) Close() error { close(f.done) // Note: File reader is not closed here because that leads to race conditions + return nil } diff --git a/filebeat/input/runnerfactory.go b/filebeat/input/runnerfactory.go index 179057c4373..f4973e47948 100644 --- a/filebeat/input/runnerfactory.go +++ b/filebeat/input/runnerfactory.go @@ -59,5 +59,9 @@ func (r *RunnerFactory) Create( func (r *RunnerFactory) CheckConfig(cfg *common.Config) error { _, err := r.Create(pipeline.NewNilPipeline(), cfg) + if _, ok := err.(*common.ErrInputNotFinished); ok { + // error is related to state, and hence config can be considered valid + return nil + } return err } diff --git a/filebeat/input/syslog/parser.go b/filebeat/input/syslog/parser.go index f643bc7d7b3..4e5c38b8a45 100644 --- a/filebeat/input/syslog/parser.go +++ b/filebeat/input/syslog/parser.go @@ -289,35 +289,43 @@ func Parse(data []byte, event *event) { goto st_case_118 case 119: goto st_case_119 - case 1: - goto st_case_1 case 120: goto st_case_120 + case 1: + goto st_case_1 + case 121: + goto st_case_121 } goto st_out st_case_0: switch data[(p)] { + case 32: + goto tr1 + case 42: + goto tr1 + case 46: + goto tr1 case 60: - goto tr2 - case 65: goto tr3 - case 68: + case 65: goto tr4 - case 70: + case 68: goto tr5 - case 74: + case 70: goto tr6 - case 77: + case 74: goto tr7 - case 78: + case 77: goto tr8 - case 79: + case 78: goto tr9 - case 83: + case 79: goto tr10 + case 83: + goto tr11 } if 48 <= data[(p)] && data[(p)] <= 57 { - goto tr1 + goto tr2 } goto tr0 tr0: @@ -326,7 +334,7 @@ func Parse(data []byte, event *event) { tok = p goto st2 - tr75: + tr133: //line parser.rl:97 event.SetSequence(data[tok:p]) @@ -341,35 +349,74 @@ func Parse(data []byte, event *event) { goto _test_eof2 } st_case_2: -//line parser.go:332 +//line parser.go:340 goto st2 tr1: //line parser.rl:22 tok = p + goto st3 + tr134: +//line parser.rl:97 + + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + + tok = p + goto st3 st3: if (p)++; (p) == (pe) { goto _test_eof3 } st_case_3: -//line parser.go:345 - if data[(p)] == 58 { - goto st48 +//line parser.go:363 + switch data[(p)] { + case 65: + goto tr4 + case 68: + goto tr5 + case 70: + goto tr6 + case 74: + goto tr7 + case 77: + goto tr8 + case 78: + goto tr9 + case 79: + goto tr10 + case 83: + goto tr11 } if 48 <= data[(p)] && data[(p)] <= 57 { - goto st4 + goto tr14 } goto st2 + tr14: +//line parser.rl:22 + + tok = p + + goto st4 + tr135: +//line parser.rl:97 + + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + + tok = p + + goto st4 st4: if (p)++; (p) == (pe) { goto _test_eof4 } st_case_4: - if data[(p)] == 58 { - goto st48 - } +//line parser.go:407 if 48 <= data[(p)] && data[(p)] <= 57 { goto st5 } @@ -379,9 +426,6 @@ func Parse(data []byte, event *event) { goto _test_eof5 } st_case_5: - if data[(p)] == 58 { - goto st48 - } if 48 <= data[(p)] && data[(p)] <= 57 { goto st6 } @@ -391,36 +435,23 @@ func Parse(data []byte, event *event) { goto _test_eof6 } st_case_6: - switch data[(p)] { - case 45: - goto tr17 - case 58: - goto st48 - } if 48 <= data[(p)] && data[(p)] <= 57 { - goto st47 + goto st7 } goto st2 - tr17: -//line parser.rl:38 - - event.SetYear(data[tok:p]) - - goto st7 st7: if (p)++; (p) == (pe) { goto _test_eof7 } st_case_7: -//line parser.go:403 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto tr19 + if data[(p)] == 45 { + goto tr18 } goto st2 - tr19: -//line parser.rl:22 + tr18: +//line parser.rl:38 - tok = p + event.SetYear(data[tok:p]) goto st8 st8: @@ -428,16 +459,32 @@ func Parse(data []byte, event *event) { goto _test_eof8 } st_case_8: -//line parser.go:419 +//line parser.go:450 if 48 <= data[(p)] && data[(p)] <= 57 { - goto st9 + goto tr19 } goto st2 + tr19: +//line parser.rl:22 + + tok = p + + goto st9 st9: if (p)++; (p) == (pe) { goto _test_eof9 } st_case_9: +//line parser.go:466 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st10 + } + goto st2 + st10: + if (p)++; (p) == (pe) { + goto _test_eof10 + } + st_case_10: if data[(p)] == 45 { goto tr21 } @@ -447,13 +494,13 @@ func Parse(data []byte, event *event) { event.SetMonthNumeric(data[tok:p]) - goto st10 - st10: + goto st11 + st11: if (p)++; (p) == (pe) { - goto _test_eof10 + goto _test_eof11 } - st_case_10: -//line parser.go:444 + st_case_11: +//line parser.go:491 if 48 <= data[(p)] && data[(p)] <= 51 { goto tr22 } @@ -463,22 +510,22 @@ func Parse(data []byte, event *event) { tok = p - goto st11 - st11: + goto st12 + st12: if (p)++; (p) == (pe) { - goto _test_eof11 + goto _test_eof12 } - st_case_11: -//line parser.go:460 + st_case_12: +//line parser.go:507 if 48 <= data[(p)] && data[(p)] <= 57 { - goto st12 + goto st13 } goto st2 - st12: + st13: if (p)++; (p) == (pe) { - goto _test_eof12 + goto _test_eof13 } - st_case_12: + st_case_13: switch data[(p)] { case 32: goto tr24 @@ -496,13 +543,13 @@ func Parse(data []byte, event *event) { event.SetDay(data[tok:p]) - goto st13 - st13: + goto st14 + st14: if (p)++; (p) == (pe) { - goto _test_eof13 + goto _test_eof14 } - st_case_13: -//line parser.go:493 + st_case_14: +//line parser.go:540 if data[(p)] == 50 { goto tr26 } @@ -515,22 +562,22 @@ func Parse(data []byte, event *event) { tok = p - goto st14 - st14: + goto st15 + st15: if (p)++; (p) == (pe) { - goto _test_eof14 + goto _test_eof15 } - st_case_14: -//line parser.go:512 + st_case_15: +//line parser.go:559 if 48 <= data[(p)] && data[(p)] <= 57 { - goto st15 + goto st16 } goto st2 - st15: + st16: if (p)++; (p) == (pe) { - goto _test_eof15 + goto _test_eof16 } - st_case_15: + st_case_16: if data[(p)] == 58 { goto tr28 } @@ -540,13 +587,13 @@ func Parse(data []byte, event *event) { event.SetHour(data[tok:p]) - goto st16 - st16: + goto st17 + st17: if (p)++; (p) == (pe) { - goto _test_eof16 + goto _test_eof17 } - st_case_16: -//line parser.go:537 + st_case_17: +//line parser.go:584 if 48 <= data[(p)] && data[(p)] <= 53 { goto tr29 } @@ -556,22 +603,22 @@ func Parse(data []byte, event *event) { tok = p - goto st17 - st17: + goto st18 + st18: if (p)++; (p) == (pe) { - goto _test_eof17 + goto _test_eof18 } - st_case_17: -//line parser.go:553 + st_case_18: +//line parser.go:600 if 48 <= data[(p)] && data[(p)] <= 57 { - goto st18 + goto st19 } goto st2 - st18: + st19: if (p)++; (p) == (pe) { - goto _test_eof18 + goto _test_eof19 } - st_case_18: + st_case_19: if data[(p)] == 58 { goto tr31 } @@ -581,13 +628,13 @@ func Parse(data []byte, event *event) { event.SetMinute(data[tok:p]) - goto st19 - st19: + goto st20 + st20: if (p)++; (p) == (pe) { - goto _test_eof19 + goto _test_eof20 } - st_case_19: -//line parser.go:578 + st_case_20: +//line parser.go:625 if 48 <= data[(p)] && data[(p)] <= 53 { goto tr32 } @@ -597,22 +644,22 @@ func Parse(data []byte, event *event) { tok = p - goto st20 - st20: + goto st21 + st21: if (p)++; (p) == (pe) { - goto _test_eof20 + goto _test_eof21 } - st_case_20: -//line parser.go:594 + st_case_21: +//line parser.go:641 if 48 <= data[(p)] && data[(p)] <= 57 { - goto st21 + goto st22 } goto st2 - st21: + st22: if (p)++; (p) == (pe) { - goto _test_eof21 + goto _test_eof22 } - st_case_21: + st_case_22: switch data[(p)] { case 32: goto tr34 @@ -638,25 +685,25 @@ func Parse(data []byte, event *event) { event.SetSecond(data[tok:p]) - goto st22 + goto st23 tr61: //line parser.rl:93 event.SetTimeZone(data[tok:p]) - goto st22 + goto st23 tr68: //line parser.rl:62 event.SetNanosecond(data[tok:p]) - goto st22 - st22: + goto st23 + st23: if (p)++; (p) == (pe) { - goto _test_eof22 + goto _test_eof23 } - st_case_22: -//line parser.go:647 + st_case_23: +//line parser.go:694 switch data[(p)] { case 58: goto tr41 @@ -699,7 +746,7 @@ func Parse(data []byte, event *event) { } } - goto st23 + goto st24 tr42: //line parser.rl:70 @@ -714,13 +761,13 @@ func Parse(data []byte, event *event) { } } - goto st23 - st23: + goto st24 + st24: if (p)++; (p) == (pe) { - goto _test_eof23 + goto _test_eof24 } - st_case_23: -//line parser.go:707 + st_case_24: +//line parser.go:754 switch data[(p)] { case 58: goto tr44 @@ -763,7 +810,7 @@ func Parse(data []byte, event *event) { } } - goto st24 + goto st25 tr43: //line parser.rl:70 @@ -778,13 +825,13 @@ func Parse(data []byte, event *event) { } } - goto st24 - st24: + goto st25 + st25: if (p)++; (p) == (pe) { - goto _test_eof24 + goto _test_eof25 } - st_case_24: -//line parser.go:767 + st_case_25: +//line parser.go:814 switch data[(p)] { case 32: goto tr45 @@ -821,13 +868,13 @@ func Parse(data []byte, event *event) { event.SetHostname(data[tok:p]) - goto st25 - st25: + goto st26 + st26: if (p)++; (p) == (pe) { - goto _test_eof25 + goto _test_eof26 } - st_case_25: -//line parser.go:810 + st_case_26: +//line parser.go:857 switch data[(p)] { case 32: goto tr0 @@ -845,13 +892,13 @@ func Parse(data []byte, event *event) { tok = p - goto st26 - st26: + goto st27 + st27: if (p)++; (p) == (pe) { - goto _test_eof26 + goto _test_eof27 } - st_case_26: -//line parser.go:834 + st_case_27: +//line parser.go:881 switch data[(p)] { case 32: goto st2 @@ -865,22 +912,22 @@ func Parse(data []byte, event *event) { if 9 <= data[(p)] && data[(p)] <= 13 { goto st2 } - goto st26 + goto st27 tr49: //line parser.rl:85 event.SetProgram(data[tok:p]) - goto st27 - st27: + goto st28 + st28: if (p)++; (p) == (pe) { - goto _test_eof27 + goto _test_eof28 } - st_case_27: -//line parser.go:860 + st_case_28: +//line parser.go:907 switch data[(p)] { case 32: - goto st28 + goto st29 case 58: goto tr49 case 91: @@ -889,27 +936,27 @@ func Parse(data []byte, event *event) { goto st2 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto st28 + goto st29 } - goto st26 - st28: + goto st27 + st29: if (p)++; (p) == (pe) { - goto _test_eof28 + goto _test_eof29 } - st_case_28: + st_case_29: goto tr0 tr50: //line parser.rl:85 event.SetProgram(data[tok:p]) - goto st29 - st29: + goto st30 + st30: if (p)++; (p) == (pe) { - goto _test_eof29 + goto _test_eof30 } - st_case_29: -//line parser.go:892 + st_case_30: +//line parser.go:939 if 48 <= data[(p)] && data[(p)] <= 57 { goto tr52 } @@ -919,18 +966,18 @@ func Parse(data []byte, event *event) { tok = p - goto st30 - st30: + goto st31 + st31: if (p)++; (p) == (pe) { - goto _test_eof30 + goto _test_eof31 } - st_case_30: -//line parser.go:908 + st_case_31: +//line parser.go:955 if data[(p)] == 93 { goto tr54 } if 48 <= data[(p)] && data[(p)] <= 57 { - goto st30 + goto st31 } goto st2 tr54: @@ -938,27 +985,27 @@ func Parse(data []byte, event *event) { event.SetPid(data[tok:p]) - goto st31 - st31: + goto st32 + st32: if (p)++; (p) == (pe) { - goto _test_eof31 + goto _test_eof32 } - st_case_31: -//line parser.go:927 + st_case_32: +//line parser.go:974 if data[(p)] == 58 { - goto st32 + goto st33 } goto st2 - st32: + st33: if (p)++; (p) == (pe) { - goto _test_eof32 + goto _test_eof33 } - st_case_32: + st_case_33: if data[(p)] == 32 { - goto st28 + goto st29 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto st28 + goto st29 } goto st2 tr46: @@ -979,16 +1026,16 @@ func Parse(data []byte, event *event) { event.SetHostname(data[tok:p]) - goto st33 - st33: + goto st34 + st34: if (p)++; (p) == (pe) { - goto _test_eof33 + goto _test_eof34 } - st_case_33: -//line parser.go:966 + st_case_34: +//line parser.go:1013 switch data[(p)] { case 32: - goto st25 + goto st26 case 58: goto tr57 case 95: @@ -1002,7 +1049,7 @@ func Parse(data []byte, event *event) { goto tr42 } case data[(p)] >= 9: - goto st25 + goto st26 } case data[(p)] > 57: switch { @@ -1031,7 +1078,7 @@ func Parse(data []byte, event *event) { } } - goto st34 + goto st35 tr58: //line parser.rl:70 @@ -1050,13 +1097,13 @@ func Parse(data []byte, event *event) { event.SetHostname(data[tok:p]) - goto st34 - st34: + goto st35 + st35: if (p)++; (p) == (pe) { - goto _test_eof34 + goto _test_eof35 } - st_case_34: -//line parser.go:1033 + st_case_35: +//line parser.go:1080 switch data[(p)] { case 32: goto tr45 @@ -1106,7 +1153,7 @@ func Parse(data []byte, event *event) { } } - goto st35 + goto st36 tr44: //line parser.rl:70 @@ -1121,13 +1168,13 @@ func Parse(data []byte, event *event) { } } - goto st35 - st35: + goto st36 + st36: if (p)++; (p) == (pe) { - goto _test_eof35 + goto _test_eof36 } - st_case_35: -//line parser.go:1100 + st_case_36: +//line parser.go:1147 switch data[(p)] { case 58: goto tr57 @@ -1161,7 +1208,7 @@ func Parse(data []byte, event *event) { tok = p - goto st36 + goto st37 tr69: //line parser.rl:62 @@ -1171,22 +1218,13 @@ func Parse(data []byte, event *event) { tok = p - goto st36 - st36: - if (p)++; (p) == (pe) { - goto _test_eof36 - } - st_case_36: -//line parser.go:1150 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st37 - } - goto st2 + goto st37 st37: if (p)++; (p) == (pe) { goto _test_eof37 } st_case_37: +//line parser.go:1197 if 48 <= data[(p)] && data[(p)] <= 57 { goto st38 } @@ -1196,6 +1234,15 @@ func Parse(data []byte, event *event) { goto _test_eof38 } st_case_38: + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st39 + } + goto st2 + st39: + if (p)++; (p) == (pe) { + goto _test_eof39 + } + st_case_39: switch data[(p)] { case 32: goto tr61 @@ -1205,26 +1252,26 @@ func Parse(data []byte, event *event) { switch { case data[(p)] > 13: if 48 <= data[(p)] && data[(p)] <= 57 { - goto st39 + goto st40 } case data[(p)] >= 9: goto tr61 } goto st2 - st39: + st40: if (p)++; (p) == (pe) { - goto _test_eof39 + goto _test_eof40 } - st_case_39: + st_case_40: if 48 <= data[(p)] && data[(p)] <= 57 { - goto st40 + goto st41 } goto st2 - st40: + st41: if (p)++; (p) == (pe) { - goto _test_eof40 + goto _test_eof41 } - st_case_40: + st_case_41: switch data[(p)] { case 32: goto tr61 @@ -1240,30 +1287,30 @@ func Parse(data []byte, event *event) { event.SetSecond(data[tok:p]) - goto st41 + goto st42 tr65: //line parser.rl:93 event.SetTimeZone(data[tok:p]) - goto st41 + goto st42 tr71: //line parser.rl:62 event.SetNanosecond(data[tok:p]) - goto st41 - st41: + goto st42 + st42: if (p)++; (p) == (pe) { - goto _test_eof41 + goto _test_eof42 } - st_case_41: -//line parser.go:1231 + st_case_42: +//line parser.go:1278 if data[(p)] == 32 { - goto st22 + goto st23 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto st22 + goto st23 } goto st2 tr63: @@ -1271,23 +1318,23 @@ func Parse(data []byte, event *event) { event.SetTimeZone(data[tok:p]) - goto st42 - st42: + goto st43 + st43: if (p)++; (p) == (pe) { - goto _test_eof42 + goto _test_eof43 } - st_case_42: -//line parser.go:1250 + st_case_43: +//line parser.go:1297 if data[(p)] == 32 { - goto st22 + goto st23 } switch { case data[(p)] > 13: if 48 <= data[(p)] && data[(p)] <= 57 { - goto st39 + goto st40 } case data[(p)] >= 9: - goto st22 + goto st23 } goto st2 tr36: @@ -1295,13 +1342,13 @@ func Parse(data []byte, event *event) { event.SetSecond(data[tok:p]) - goto st43 - st43: + goto st44 + st44: if (p)++; (p) == (pe) { - goto _test_eof43 + goto _test_eof44 } - st_case_43: -//line parser.go:1274 + st_case_44: +//line parser.go:1321 if 48 <= data[(p)] && data[(p)] <= 57 { goto tr67 } @@ -1311,13 +1358,13 @@ func Parse(data []byte, event *event) { tok = p - goto st44 - st44: + goto st45 + st45: if (p)++; (p) == (pe) { - goto _test_eof44 + goto _test_eof45 } - st_case_44: -//line parser.go:1290 + st_case_45: +//line parser.go:1337 switch data[(p)] { case 32: goto tr68 @@ -1335,7 +1382,7 @@ func Parse(data []byte, event *event) { switch { case data[(p)] > 13: if 48 <= data[(p)] && data[(p)] <= 57 { - goto st44 + goto st45 } case data[(p)] >= 9: goto tr68 @@ -1350,7 +1397,7 @@ func Parse(data []byte, event *event) { tok = p - goto st45 + goto st46 tr72: //line parser.rl:62 @@ -1360,20 +1407,20 @@ func Parse(data []byte, event *event) { tok = p - goto st45 - st45: + goto st46 + st46: if (p)++; (p) == (pe) { - goto _test_eof45 + goto _test_eof46 } - st_case_45: -//line parser.go:1339 + st_case_46: +//line parser.go:1386 switch data[(p)] { case 32: goto tr61 case 43: - goto st36 + goto st37 case 45: - goto st36 + goto st37 case 58: goto tr65 } @@ -1386,102 +1433,99 @@ func Parse(data []byte, event *event) { tok = p - goto st46 - st46: - if (p)++; (p) == (pe) { - goto _test_eof46 - } - st_case_46: -//line parser.go:1365 - if 48 <= data[(p)] && data[(p)] <= 51 { - goto st15 - } - goto st2 + goto st47 st47: if (p)++; (p) == (pe) { goto _test_eof47 } st_case_47: - if data[(p)] == 58 { - goto st48 - } - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st47 +//line parser.go:1412 + if 48 <= data[(p)] && data[(p)] <= 51 { + goto st16 } goto st2 + tr4: +//line parser.rl:22 + + tok = p + + goto st48 + tr136: +//line parser.rl:97 + + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + + tok = p + + goto st48 st48: if (p)++; (p) == (pe) { goto _test_eof48 } st_case_48: - if data[(p)] == 32 { - goto tr74 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr74 +//line parser.go:1438 + switch data[(p)] { + case 112: + goto st49 + case 117: + goto st70 } goto st2 - tr74: -//line parser.rl:22 - - tok = p - - goto st49 st49: if (p)++; (p) == (pe) { goto _test_eof49 } st_case_49: -//line parser.go:1405 - switch data[(p)] { - case 65: - goto tr77 - case 68: - goto tr78 - case 70: - goto tr79 - case 74: - goto tr80 - case 77: - goto tr81 - case 78: - goto tr82 - case 79: - goto tr83 - case 83: - goto tr84 - } - if 48 <= data[(p)] && data[(p)] <= 57 { - goto tr76 + if data[(p)] == 114 { + goto st50 } - goto tr75 - tr76: -//line parser.rl:97 - - event.SetSequence(data[tok:p]) - -//line parser.rl:22 - - tok = p - - goto st50 + goto st2 st50: if (p)++; (p) == (pe) { goto _test_eof50 } st_case_50: -//line parser.go:1443 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st51 + switch data[(p)] { + case 32: + goto tr77 + case 105: + goto st68 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 } goto st2 + tr77: +//line parser.rl:34 + + event.SetMonth(data[tok:p]) + + goto st51 st51: if (p)++; (p) == (pe) { goto _test_eof51 } st_case_51: - if 48 <= data[(p)] && data[(p)] <= 57 { +//line parser.go:1481 + switch data[(p)] { + case 32: goto st52 + case 51: + goto tr81 + } + switch { + case data[(p)] < 49: + if 9 <= data[(p)] && data[(p)] <= 13 { + goto st52 + } + case data[(p)] > 50: + if 52 <= data[(p)] && data[(p)] <= 57 { + goto tr82 + } + default: + goto tr80 } goto st2 st52: @@ -1489,33 +1533,33 @@ func Parse(data []byte, event *event) { goto _test_eof52 } st_case_52: - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st53 + if 49 <= data[(p)] && data[(p)] <= 57 { + goto tr82 } goto st2 + tr82: +//line parser.rl:22 + + tok = p + + goto st53 st53: if (p)++; (p) == (pe) { goto _test_eof53 } st_case_53: - if data[(p)] == 45 { - goto tr17 +//line parser.go:1521 + if data[(p)] == 32 { + goto tr83 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr83 } goto st2 - tr3: -//line parser.rl:22 - - tok = p - - goto st54 - tr77: -//line parser.rl:97 - - event.SetSequence(data[tok:p]) - -//line parser.rl:22 + tr83: +//line parser.rl:46 - tok = p + event.SetDay(data[tok:p]) goto st54 st54: @@ -1523,20 +1567,27 @@ func Parse(data []byte, event *event) { goto _test_eof54 } st_case_54: -//line parser.go:1496 - switch data[(p)] { - case 112: - goto st55 - case 117: - goto st76 +//line parser.go:1540 + if data[(p)] == 50 { + goto tr85 + } + if 48 <= data[(p)] && data[(p)] <= 49 { + goto tr84 } goto st2 - st55: - if (p)++; (p) == (pe) { + tr84: +//line parser.rl:22 + + tok = p + + goto st55 + st55: + if (p)++; (p) == (pe) { goto _test_eof55 } st_case_55: - if data[(p)] == 114 { +//line parser.go:1559 + if 48 <= data[(p)] && data[(p)] <= 57 { goto st56 } goto st2 @@ -1545,20 +1596,14 @@ func Parse(data []byte, event *event) { goto _test_eof56 } st_case_56: - switch data[(p)] { - case 32: - goto tr91 - case 105: - goto st74 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 + if data[(p)] == 58 { + goto tr87 } goto st2 - tr91: -//line parser.rl:34 + tr87: +//line parser.rl:50 - event.SetMonth(data[tok:p]) + event.SetHour(data[tok:p]) goto st57 st57: @@ -1566,58 +1611,40 @@ func Parse(data []byte, event *event) { goto _test_eof57 } st_case_57: -//line parser.go:1539 - switch data[(p)] { - case 32: - goto st58 - case 51: - goto tr95 - } - switch { - case data[(p)] < 49: - if 9 <= data[(p)] && data[(p)] <= 13 { - goto st58 - } - case data[(p)] > 50: - if 52 <= data[(p)] && data[(p)] <= 57 { - goto tr96 - } - default: - goto tr94 +//line parser.go:1584 + if 48 <= data[(p)] && data[(p)] <= 53 { + goto tr88 } goto st2 + tr88: +//line parser.rl:22 + + tok = p + + goto st58 st58: if (p)++; (p) == (pe) { goto _test_eof58 } st_case_58: - if 49 <= data[(p)] && data[(p)] <= 57 { - goto tr96 +//line parser.go:1600 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st59 } goto st2 - tr96: -//line parser.rl:22 - - tok = p - - goto st59 st59: if (p)++; (p) == (pe) { goto _test_eof59 } st_case_59: -//line parser.go:1579 - if data[(p)] == 32 { - goto tr97 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr97 + if data[(p)] == 58 { + goto tr90 } goto st2 - tr97: -//line parser.rl:46 + tr90: +//line parser.rl:54 - event.SetDay(data[tok:p]) + event.SetMinute(data[tok:p]) goto st60 st60: @@ -1625,15 +1652,12 @@ func Parse(data []byte, event *event) { goto _test_eof60 } st_case_60: -//line parser.go:1598 - if data[(p)] == 50 { - goto tr99 - } - if 48 <= data[(p)] && data[(p)] <= 49 { - goto tr98 +//line parser.go:1625 + if 48 <= data[(p)] && data[(p)] <= 53 { + goto tr91 } goto st2 - tr98: + tr91: //line parser.rl:22 tok = p @@ -1644,7 +1668,7 @@ func Parse(data []byte, event *event) { goto _test_eof61 } st_case_61: -//line parser.go:1617 +//line parser.go:1641 if 48 <= data[(p)] && data[(p)] <= 57 { goto st62 } @@ -1654,14 +1678,22 @@ func Parse(data []byte, event *event) { goto _test_eof62 } st_case_62: - if data[(p)] == 58 { - goto tr101 + switch data[(p)] { + case 32: + goto tr34 + case 46: + goto tr93 + case 58: + goto tr37 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr34 } goto st2 - tr101: -//line parser.rl:50 + tr93: +//line parser.rl:58 - event.SetHour(data[tok:p]) + event.SetSecond(data[tok:p]) goto st63 st63: @@ -1669,12 +1701,12 @@ func Parse(data []byte, event *event) { goto _test_eof63 } st_case_63: -//line parser.go:1642 - if 48 <= data[(p)] && data[(p)] <= 53 { - goto tr102 +//line parser.go:1674 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto tr94 } goto st2 - tr102: + tr94: //line parser.rl:22 tok = p @@ -1685,24 +1717,42 @@ func Parse(data []byte, event *event) { goto _test_eof64 } st_case_64: -//line parser.go:1658 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st65 +//line parser.go:1690 + switch data[(p)] { + case 32: + goto tr68 + case 58: + goto tr71 + } + switch { + case data[(p)] > 13: + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st64 + } + case data[(p)] >= 9: + goto tr68 } goto st2 + tr85: +//line parser.rl:22 + + tok = p + + goto st65 st65: if (p)++; (p) == (pe) { goto _test_eof65 } st_case_65: - if data[(p)] == 58 { - goto tr104 +//line parser.go:1717 + if 48 <= data[(p)] && data[(p)] <= 51 { + goto st56 } goto st2 - tr104: -//line parser.rl:54 + tr80: +//line parser.rl:22 - event.SetMinute(data[tok:p]) + tok = p goto st66 st66: @@ -1710,12 +1760,20 @@ func Parse(data []byte, event *event) { goto _test_eof66 } st_case_66: -//line parser.go:1683 - if 48 <= data[(p)] && data[(p)] <= 53 { - goto tr105 +//line parser.go:1733 + if data[(p)] == 32 { + goto tr83 + } + switch { + case data[(p)] > 13: + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st53 + } + case data[(p)] >= 9: + goto tr83 } goto st2 - tr105: + tr81: //line parser.rl:22 tok = p @@ -1726,9 +1784,17 @@ func Parse(data []byte, event *event) { goto _test_eof67 } st_case_67: -//line parser.go:1699 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st68 +//line parser.go:1757 + if data[(p)] == 32 { + goto tr83 + } + switch { + case data[(p)] > 13: + if 48 <= data[(p)] && data[(p)] <= 49 { + goto st53 + } + case data[(p)] >= 9: + goto tr83 } goto st2 st68: @@ -1736,131 +1802,87 @@ func Parse(data []byte, event *event) { goto _test_eof68 } st_case_68: - switch data[(p)] { - case 32: - goto tr34 - case 46: - goto tr107 - case 58: - goto tr37 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr34 + if data[(p)] == 108 { + goto st69 } goto st2 - tr107: -//line parser.rl:58 - - event.SetSecond(data[tok:p]) - - goto st69 st69: if (p)++; (p) == (pe) { goto _test_eof69 } st_case_69: -//line parser.go:1732 - if 48 <= data[(p)] && data[(p)] <= 57 { - goto tr108 + if data[(p)] == 32 { + goto tr77 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 } goto st2 - tr108: -//line parser.rl:22 - - tok = p - - goto st70 st70: if (p)++; (p) == (pe) { goto _test_eof70 } st_case_70: -//line parser.go:1748 - switch data[(p)] { - case 32: - goto tr68 - case 58: - goto tr71 - } - switch { - case data[(p)] > 13: - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st70 - } - case data[(p)] >= 9: - goto tr68 + if data[(p)] == 103 { + goto st71 } goto st2 - tr99: -//line parser.rl:22 - - tok = p - - goto st71 st71: if (p)++; (p) == (pe) { goto _test_eof71 } st_case_71: -//line parser.go:1775 - if 48 <= data[(p)] && data[(p)] <= 51 { - goto st62 + switch data[(p)] { + case 32: + goto tr77 + case 117: + goto st72 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 } goto st2 - tr94: -//line parser.rl:22 - - tok = p - - goto st72 st72: if (p)++; (p) == (pe) { goto _test_eof72 } st_case_72: -//line parser.go:1791 - if data[(p)] == 32 { - goto tr97 - } - switch { - case data[(p)] > 13: - if 48 <= data[(p)] && data[(p)] <= 57 { - goto st59 - } - case data[(p)] >= 9: - goto tr97 + if data[(p)] == 115 { + goto st73 } goto st2 - tr95: -//line parser.rl:22 - - tok = p - - goto st73 st73: if (p)++; (p) == (pe) { goto _test_eof73 } st_case_73: -//line parser.go:1815 - if data[(p)] == 32 { - goto tr97 - } - switch { - case data[(p)] > 13: - if 48 <= data[(p)] && data[(p)] <= 49 { - goto st59 - } - case data[(p)] >= 9: - goto tr97 + if data[(p)] == 116 { + goto st69 } goto st2 + tr5: +//line parser.rl:22 + + tok = p + + goto st74 + tr137: +//line parser.rl:97 + + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + + tok = p + + goto st74 st74: if (p)++; (p) == (pe) { goto _test_eof74 } st_case_74: - if data[(p)] == 108 { +//line parser.go:1854 + if data[(p)] == 101 { goto st75 } goto st2 @@ -1869,11 +1891,8 @@ func Parse(data []byte, event *event) { goto _test_eof75 } st_case_75: - if data[(p)] == 32 { - goto tr91 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 + if data[(p)] == 99 { + goto st76 } goto st2 st76: @@ -1881,31 +1900,31 @@ func Parse(data []byte, event *event) { goto _test_eof76 } st_case_76: - if data[(p)] == 103 { + switch data[(p)] { + case 32: + goto tr77 + case 101: goto st77 } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 + } goto st2 st77: if (p)++; (p) == (pe) { goto _test_eof77 } st_case_77: - switch data[(p)] { - case 32: - goto tr91 - case 117: + if data[(p)] == 109 { goto st78 } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 - } goto st2 st78: if (p)++; (p) == (pe) { goto _test_eof78 } st_case_78: - if data[(p)] == 115 { + if data[(p)] == 98 { goto st79 } goto st2 @@ -1914,17 +1933,26 @@ func Parse(data []byte, event *event) { goto _test_eof79 } st_case_79: - if data[(p)] == 116 { - goto st75 + if data[(p)] == 101 { + goto st80 } goto st2 - tr4: + st80: + if (p)++; (p) == (pe) { + goto _test_eof80 + } + st_case_80: + if data[(p)] == 114 { + goto st69 + } + goto st2 + tr6: //line parser.rl:22 tok = p - goto st80 - tr78: + goto st81 + tr138: //line parser.rl:97 event.SetSequence(data[tok:p]) @@ -1933,23 +1961,14 @@ func Parse(data []byte, event *event) { tok = p - goto st80 - st80: - if (p)++; (p) == (pe) { - goto _test_eof80 - } - st_case_80: -//line parser.go:1912 - if data[(p)] == 101 { - goto st81 - } - goto st2 + goto st81 st81: if (p)++; (p) == (pe) { goto _test_eof81 } st_case_81: - if data[(p)] == 99 { +//line parser.go:1940 + if data[(p)] == 101 { goto st82 } goto st2 @@ -1958,31 +1977,31 @@ func Parse(data []byte, event *event) { goto _test_eof82 } st_case_82: - switch data[(p)] { - case 32: - goto tr91 - case 101: + if data[(p)] == 98 { goto st83 } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 - } goto st2 st83: if (p)++; (p) == (pe) { goto _test_eof83 } st_case_83: - if data[(p)] == 109 { + switch data[(p)] { + case 32: + goto tr77 + case 114: goto st84 } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 + } goto st2 st84: if (p)++; (p) == (pe) { goto _test_eof84 } st_case_84: - if data[(p)] == 98 { + if data[(p)] == 117 { goto st85 } goto st2 @@ -1991,7 +2010,7 @@ func Parse(data []byte, event *event) { goto _test_eof85 } st_case_85: - if data[(p)] == 101 { + if data[(p)] == 97 { goto st86 } goto st2 @@ -2001,16 +2020,25 @@ func Parse(data []byte, event *event) { } st_case_86: if data[(p)] == 114 { - goto st75 + goto st87 } goto st2 - tr5: + st87: + if (p)++; (p) == (pe) { + goto _test_eof87 + } + st_case_87: + if data[(p)] == 121 { + goto st69 + } + goto st2 + tr7: //line parser.rl:22 tok = p - goto st87 - tr79: + goto st88 + tr139: //line parser.rl:97 event.SetSequence(data[tok:p]) @@ -2019,24 +2047,18 @@ func Parse(data []byte, event *event) { tok = p - goto st87 - st87: - if (p)++; (p) == (pe) { - goto _test_eof87 - } - st_case_87: -//line parser.go:1998 - if data[(p)] == 101 { - goto st88 - } - goto st2 + goto st88 st88: if (p)++; (p) == (pe) { goto _test_eof88 } st_case_88: - if data[(p)] == 98 { +//line parser.go:2026 + switch data[(p)] { + case 97: goto st89 + case 117: + goto st91 } goto st2 st89: @@ -2044,23 +2066,23 @@ func Parse(data []byte, event *event) { goto _test_eof89 } st_case_89: - switch data[(p)] { - case 32: - goto tr91 - case 114: + if data[(p)] == 110 { goto st90 } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 - } goto st2 st90: if (p)++; (p) == (pe) { goto _test_eof90 } st_case_90: - if data[(p)] == 117 { - goto st91 + switch data[(p)] { + case 32: + goto tr77 + case 117: + goto st85 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 } goto st2 st91: @@ -2068,8 +2090,11 @@ func Parse(data []byte, event *event) { goto _test_eof91 } st_case_91: - if data[(p)] == 97 { + switch data[(p)] { + case 108: goto st92 + case 110: + goto st93 } goto st2 st92: @@ -2077,8 +2102,14 @@ func Parse(data []byte, event *event) { goto _test_eof92 } st_case_92: - if data[(p)] == 114 { - goto st93 + switch data[(p)] { + case 32: + goto tr77 + case 121: + goto st69 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 } goto st2 st93: @@ -2086,17 +2117,23 @@ func Parse(data []byte, event *event) { goto _test_eof93 } st_case_93: - if data[(p)] == 121 { - goto st75 + switch data[(p)] { + case 32: + goto tr77 + case 101: + goto st69 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 } goto st2 - tr6: + tr8: //line parser.rl:22 tok = p goto st94 - tr80: + tr140: //line parser.rl:97 event.SetSequence(data[tok:p]) @@ -2111,12 +2148,9 @@ func Parse(data []byte, event *event) { goto _test_eof94 } st_case_94: -//line parser.go:2084 - switch data[(p)] { - case 97: +//line parser.go:2121 + if data[(p)] == 97 { goto st95 - case 117: - goto st97 } goto st2 st95: @@ -2124,8 +2158,16 @@ func Parse(data []byte, event *event) { goto _test_eof95 } st_case_95: - if data[(p)] == 110 { + switch data[(p)] { + case 32: + goto tr77 + case 114: goto st96 + case 121: + goto st69 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 } goto st2 st96: @@ -2135,12 +2177,12 @@ func Parse(data []byte, event *event) { st_case_96: switch data[(p)] { case 32: - goto tr91 - case 117: - goto st91 + goto tr77 + case 99: + goto st97 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 + goto tr77 } goto st2 st97: @@ -2148,26 +2190,34 @@ func Parse(data []byte, event *event) { goto _test_eof97 } st_case_97: - switch data[(p)] { - case 108: - goto st98 - case 110: - goto st99 + if data[(p)] == 104 { + goto st69 } goto st2 + tr9: +//line parser.rl:22 + + tok = p + + goto st98 + tr141: +//line parser.rl:97 + + event.SetSequence(data[tok:p]) + +//line parser.rl:22 + + tok = p + + goto st98 st98: if (p)++; (p) == (pe) { goto _test_eof98 } st_case_98: - switch data[(p)] { - case 32: - goto tr91 - case 121: - goto st75 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 +//line parser.go:2188 + if data[(p)] == 111 { + goto st99 } goto st2 st99: @@ -2175,23 +2225,17 @@ func Parse(data []byte, event *event) { goto _test_eof99 } st_case_99: - switch data[(p)] { - case 32: - goto tr91 - case 101: - goto st75 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 + if data[(p)] == 118 { + goto st76 } goto st2 - tr7: + tr10: //line parser.rl:22 tok = p goto st100 - tr81: + tr142: //line parser.rl:97 event.SetSequence(data[tok:p]) @@ -2206,8 +2250,8 @@ func Parse(data []byte, event *event) { goto _test_eof100 } st_case_100: -//line parser.go:2179 - if data[(p)] == 97 { +//line parser.go:2223 + if data[(p)] == 99 { goto st101 } goto st2 @@ -2216,16 +2260,8 @@ func Parse(data []byte, event *event) { goto _test_eof101 } st_case_101: - switch data[(p)] { - case 32: - goto tr91 - case 114: + if data[(p)] == 116 { goto st102 - case 121: - goto st75 - } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 } goto st2 st102: @@ -2235,30 +2271,21 @@ func Parse(data []byte, event *event) { st_case_102: switch data[(p)] { case 32: - goto tr91 - case 99: - goto st103 + goto tr77 + case 111: + goto st78 } if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 - } - goto st2 - st103: - if (p)++; (p) == (pe) { - goto _test_eof103 - } - st_case_103: - if data[(p)] == 104 { - goto st75 + goto tr77 } goto st2 - tr8: + tr11: //line parser.rl:22 tok = p - goto st104 - tr82: + goto st103 + tr143: //line parser.rl:97 event.SetSequence(data[tok:p]) @@ -2267,14 +2294,23 @@ func Parse(data []byte, event *event) { tok = p - goto st104 + goto st103 + st103: + if (p)++; (p) == (pe) { + goto _test_eof103 + } + st_case_103: +//line parser.go:2273 + if data[(p)] == 101 { + goto st104 + } + goto st2 st104: if (p)++; (p) == (pe) { goto _test_eof104 } st_case_104: -//line parser.go:2246 - if data[(p)] == 111 { + if data[(p)] == 112 { goto st105 } goto st2 @@ -2283,42 +2319,41 @@ func Parse(data []byte, event *event) { goto _test_eof105 } st_case_105: - if data[(p)] == 118 { - goto st82 + switch data[(p)] { + case 32: + goto tr77 + case 116: + goto st106 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr77 } goto st2 - tr9: -//line parser.rl:22 - - tok = p - - goto st106 - tr83: -//line parser.rl:97 - - event.SetSequence(data[tok:p]) - -//line parser.rl:22 - - tok = p - - goto st106 st106: if (p)++; (p) == (pe) { goto _test_eof106 } st_case_106: -//line parser.go:2281 - if data[(p)] == 99 { - goto st107 + if data[(p)] == 101 { + goto st77 } goto st2 + tr2: +//line parser.rl:22 + + tok = p + + goto st107 st107: if (p)++; (p) == (pe) { goto _test_eof107 } st_case_107: - if data[(p)] == 116 { +//line parser.go:2322 + if data[(p)] == 58 { + goto st112 + } + if 48 <= data[(p)] && data[(p)] <= 57 { goto st108 } goto st2 @@ -2327,39 +2362,22 @@ func Parse(data []byte, event *event) { goto _test_eof108 } st_case_108: - switch data[(p)] { - case 32: - goto tr91 - case 111: - goto st84 + if data[(p)] == 58 { + goto st112 } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st109 } goto st2 - tr10: -//line parser.rl:22 - - tok = p - - goto st109 - tr84: -//line parser.rl:97 - - event.SetSequence(data[tok:p]) - -//line parser.rl:22 - - tok = p - - goto st109 st109: if (p)++; (p) == (pe) { goto _test_eof109 } st_case_109: -//line parser.go:2331 - if data[(p)] == 101 { + if data[(p)] == 58 { + goto st112 + } + if 48 <= data[(p)] && data[(p)] <= 57 { goto st110 } goto st2 @@ -2368,7 +2386,13 @@ func Parse(data []byte, event *event) { goto _test_eof110 } st_case_110: - if data[(p)] == 112 { + switch data[(p)] { + case 45: + goto tr18 + case 58: + goto st112 + } + if 48 <= data[(p)] && data[(p)] <= 57 { goto st111 } goto st2 @@ -2377,14 +2401,11 @@ func Parse(data []byte, event *event) { goto _test_eof111 } st_case_111: - switch data[(p)] { - case 32: - goto tr91 - case 116: + if data[(p)] == 58 { goto st112 } - if 9 <= data[(p)] && data[(p)] <= 13 { - goto tr91 + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st111 } goto st2 st112: @@ -2392,11 +2413,14 @@ func Parse(data []byte, event *event) { goto _test_eof112 } st_case_112: - if data[(p)] == 101 { - goto st83 + if data[(p)] == 32 { + goto tr132 + } + if 9 <= data[(p)] && data[(p)] <= 13 { + goto tr132 } goto st2 - tr2: + tr132: //line parser.rl:22 tok = p @@ -2407,12 +2431,36 @@ func Parse(data []byte, event *event) { goto _test_eof113 } st_case_113: -//line parser.go:2380 - if 48 <= data[(p)] && data[(p)] <= 57 { +//line parser.go:2404 + switch data[(p)] { + case 32: + goto tr134 + case 42: + goto tr134 + case 46: + goto tr134 + case 65: + goto tr136 + case 68: + goto tr137 + case 70: + goto tr138 + case 74: + goto tr139 + case 77: + goto tr140 + case 78: goto tr141 + case 79: + goto tr142 + case 83: + goto tr143 } - goto st2 - tr141: + if 48 <= data[(p)] && data[(p)] <= 57 { + goto tr135 + } + goto tr133 + tr3: //line parser.rl:22 tok = p @@ -2423,21 +2471,25 @@ func Parse(data []byte, event *event) { goto _test_eof114 } st_case_114: -//line parser.go:2396 - if data[(p)] == 62 { - goto tr143 - } +//line parser.go:2444 if 48 <= data[(p)] && data[(p)] <= 57 { - goto st115 + goto tr144 } goto st2 + tr144: +//line parser.rl:22 + + tok = p + + goto st115 st115: if (p)++; (p) == (pe) { goto _test_eof115 } st_case_115: +//line parser.go:2460 if data[(p)] == 62 { - goto tr143 + goto tr146 } if 48 <= data[(p)] && data[(p)] <= 57 { goto st116 @@ -2449,7 +2501,7 @@ func Parse(data []byte, event *event) { } st_case_116: if data[(p)] == 62 { - goto tr143 + goto tr146 } if 48 <= data[(p)] && data[(p)] <= 57 { goto st117 @@ -2461,7 +2513,7 @@ func Parse(data []byte, event *event) { } st_case_117: if data[(p)] == 62 { - goto tr143 + goto tr146 } if 48 <= data[(p)] && data[(p)] <= 57 { goto st118 @@ -2473,41 +2525,59 @@ func Parse(data []byte, event *event) { } st_case_118: if data[(p)] == 62 { - goto tr143 + goto tr146 + } + if 48 <= data[(p)] && data[(p)] <= 57 { + goto st119 } goto st2 - tr143: + st119: + if (p)++; (p) == (pe) { + goto _test_eof119 + } + st_case_119: + if data[(p)] == 62 { + goto tr146 + } + goto st2 + tr146: //line parser.rl:26 event.SetPriority(data[tok:p]) - goto st119 - st119: + goto st120 + st120: if (p)++; (p) == (pe) { - goto _test_eof119 + goto _test_eof120 } - st_case_119: -//line parser.go:2460 + st_case_120: +//line parser.go:2524 switch data[(p)] { + case 32: + goto tr1 + case 42: + goto tr1 + case 46: + goto tr1 case 65: - goto tr3 - case 68: goto tr4 - case 70: + case 68: goto tr5 - case 74: + case 70: goto tr6 - case 77: + case 74: goto tr7 - case 78: + case 77: goto tr8 - case 79: + case 78: goto tr9 - case 83: + case 79: goto tr10 + case 83: + goto tr11 } if 48 <= data[(p)] && data[(p)] <= 57 { - goto tr1 + goto tr2 } goto tr0 st1: @@ -2515,20 +2585,20 @@ func Parse(data []byte, event *event) { goto _test_eof1 } st_case_1: - goto tr11 - tr11: + goto tr12 + tr12: //line parser.rl:22 tok = p - goto st120 - st120: + goto st121 + st121: if (p)++; (p) == (pe) { - goto _test_eof120 + goto _test_eof121 } - st_case_120: -//line parser.go:2500 - goto st120 + st_case_121: +//line parser.go:2570 + goto st121 st_out: _test_eof2: cs = 2 @@ -2884,11 +2954,14 @@ func Parse(data []byte, event *event) { _test_eof119: cs = 119 goto _test_eof + _test_eof120: + cs = 120 + goto _test_eof _test_eof1: cs = 1 goto _test_eof - _test_eof120: - cs = 120 + _test_eof121: + cs = 121 goto _test_eof _test_eof: @@ -2896,12 +2969,12 @@ func Parse(data []byte, event *event) { } if (p) == eof { switch cs { - case 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120: + case 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121: //line parser.rl:30 event.SetMessage(data[tok:p]) -//line parser.go:2632 +//line parser.go:2703 } } diff --git a/filebeat/input/syslog/parser_test.go b/filebeat/input/syslog/parser_test.go index 161cc3779df..1c83a990e55 100644 --- a/filebeat/input/syslog/parser_test.go +++ b/filebeat/input/syslog/parser_test.go @@ -391,6 +391,22 @@ func TestParseSyslog(t *testing.T) { second: 15, }, }, + { + title: "Space after priority", + log: []byte("<13> Aug 16 12:25:24 10.12.255.2-1 TRAPMGR[53034492]: traputil.c(696) 135956 %% Link Up: g5.\000"), + syslog: event{ + priority: 13, + message: "traputil.c(696) 135956 %% Link Up: g5.\000", + hostname: "10.12.255.2-1", + program: "TRAPMGR", + pid: 53034492, + month: 8, + day: 16, + hour: 12, + minute: 25, + second: 24, + }, + }, { log: []byte("<34>Oct 11 22:14:15 mymachine su[230]: 'su root' failed for lonvick on /dev/pts/8"), syslog: event{ diff --git a/filebeat/input/syslog/syslog_rfc3164.rl b/filebeat/input/syslog/syslog_rfc3164.rl index e16b9da35da..c40d1b42c4e 100644 --- a/filebeat/input/syslog/syslog_rfc3164.rl +++ b/filebeat/input/syslog/syslog_rfc3164.rl @@ -42,7 +42,8 @@ timestamp_rfc3164 = month space day space time; time_separator = "T" | "t"; timestamp_rfc3339 = year "-" month_numeric "-" day_two_digits (time_separator | space) time timezone?; - timestamp = (timestamp_rfc3339 | timestamp_rfc3164) ":"?; + syncflag = " " | "*" | "."; + timestamp = syncflag? (timestamp_rfc3339 | timestamp_rfc3164) ":"?; hostname = ([a-zA-Z0-9\.\-_:]*([a-zA-Z0-9] | "::"))+>tok $lookahead_duplicates %hostname; hostVars = (hostname ":") | hostname; diff --git a/filebeat/input/v2/input-cursor/clean.go b/filebeat/input/v2/input-cursor/clean.go index e4daaaf6e7d..67c28b875c8 100644 --- a/filebeat/input/v2/input-cursor/clean.go +++ b/filebeat/input/v2/input-cursor/clean.go @@ -44,8 +44,9 @@ type cleaner struct { // once the last event has been ACKed. func (c *cleaner) run(canceler unison.Canceler, store *store, interval time.Duration) { started := time.Now() - timed.Periodic(canceler, interval, func() { + timed.Periodic(canceler, interval, func() error { gcStore(c.log, started, store) + return nil }) } diff --git a/filebeat/magefile.go b/filebeat/magefile.go index 32d9c8e8c0d..0d68e5a86c4 100644 --- a/filebeat/magefile.go +++ b/filebeat/magefile.go @@ -218,7 +218,7 @@ func PythonIntegTest(ctx context.Context) error { if !devtools.IsInIntegTestEnv() { mg.Deps(Fields) } - runner, err := devtools.NewDockerIntegrationRunner(append(devtools.ListMatchingEnvVars("TESTING_FILEBEAT_", "NOSE_"), "GENERATE")...) + runner, err := devtools.NewDockerIntegrationRunner(append(devtools.ListMatchingEnvVars("TESTING_FILEBEAT_", "PYTEST_"), "GENERATE")...) if err != nil { return err } @@ -226,6 +226,6 @@ func PythonIntegTest(ctx context.Context) error { mg.Deps(devtools.BuildSystemTestBinary) args := devtools.DefaultPythonTestIntegrationArgs() args.Env["MODULES_PATH"] = devtools.CWD("module") - return devtools.PythonNoseTest(args) + return devtools.PythonTest(args) }) } diff --git a/filebeat/module/apache/access/ingest/pipeline.yml b/filebeat/module/apache/access/ingest/pipeline.yml index 6311bfef12b..a9f23eb4a10 100644 --- a/filebeat/module/apache/access/ingest/pipeline.yml +++ b/filebeat/module/apache/access/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: "Pipeline for parsing Apache HTTP Server access logs. Requires the geoip and user_agent plugins." processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/apache/access/test/test-vhost.log-expected.json b/filebeat/module/apache/access/test/test-vhost.log-expected.json index d61237c3c8d..b332788ad2b 100644 --- a/filebeat/module/apache/access/test/test-vhost.log-expected.json +++ b/filebeat/module/apache/access/test/test-vhost.log-expected.json @@ -19,7 +19,7 @@ "source.ip": "192.168.33.2", "url.original": "/hello", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", diff --git a/filebeat/module/apache/access/test/test.log-expected.json b/filebeat/module/apache/access/test/test.log-expected.json index 7b15274997a..ebe88847586 100644 --- a/filebeat/module/apache/access/test/test.log-expected.json +++ b/filebeat/module/apache/access/test/test.log-expected.json @@ -39,7 +39,7 @@ "source.ip": "192.168.33.1", "url.original": "/hello", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", diff --git a/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json b/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json index cdf664d927e..e9680e5b7fb 100644 --- a/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json +++ b/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json @@ -45,7 +45,7 @@ "source.ip": "192.168.33.1", "url.original": "/", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -73,7 +73,7 @@ "source.ip": "192.168.33.1", "url.original": "/favicon.ico", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -101,7 +101,7 @@ "source.ip": "192.168.33.1", "url.original": "/", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -129,7 +129,7 @@ "source.ip": "192.168.33.1", "url.original": "/favicon.ico", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -157,7 +157,7 @@ "source.ip": "192.168.33.1", "url.original": "/favicon.ico", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -185,7 +185,7 @@ "source.ip": "192.168.33.1", "url.original": "/test", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -213,7 +213,7 @@ "source.ip": "192.168.33.1", "url.original": "/hello", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -241,7 +241,7 @@ "source.ip": "192.168.33.1", "url.original": "/crap", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", diff --git a/filebeat/module/apache/error/ingest/pipeline.yml b/filebeat/module/apache/error/ingest/pipeline.yml index 967f7a34b69..aad4c3f4a5f 100644 --- a/filebeat/module/apache/error/ingest/pipeline.yml +++ b/filebeat/module/apache/error/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing apache error logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/auditd/log/ingest/pipeline.yml b/filebeat/module/auditd/log/ingest/pipeline.yml index 2b7c114f10a..4f6d8ba2d0d 100644 --- a/filebeat/module/auditd/log/ingest/pipeline.yml +++ b/filebeat/module/auditd/log/ingest/pipeline.yml @@ -1,11 +1,15 @@ --- description: Pipeline for parsing Linux auditd logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message pattern_definitions: - AUDIT_TYPE: "^type=%{NOTSPACE:auditd.log.record_type}" - AUDIT_PREFIX: "%{AUDIT_TYPE} msg=audit\\(%{NUMBER:auditd.log.epoch}:%{NUMBER:auditd.log.sequence}\\):(%{DATA})?" + AUDIT_TYPE: "type=%{NOTSPACE:auditd.log.record_type}" + AUDIT_NODE: "node=%{IPORHOST:auditd.log.node} " + AUDIT_PREFIX: "^(?:%{AUDIT_NODE})?%{AUDIT_TYPE} msg=audit\\(%{NUMBER:auditd.log.epoch}:%{NUMBER:auditd.log.sequence}\\):(%{DATA})?" AUDIT_KEY_VALUES: "%{WORD}=%{GREEDYDATA}" patterns: - "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv} old auid=%{NUMBER:auditd.log.old_auid} @@ -137,24 +141,44 @@ processors: value: event - set: if: "ctx.auditd.log?.record_type == 'USER_AUTH'" - field: event.type + field: event.category value: authentication - set: - if: "ctx.auditd.log?.record_type == 'KERN_MODULE'" + if: "ctx.auditd.log?.record_type == 'USER_AUTH'" field: event.type + value: info +- set: + if: "ctx.auditd.log?.record_type == 'KERN_MODULE'" + field: event.category value: driver - set: - if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'" + if: "ctx.auditd.log?.record_type == 'KERN_MODULE'" field: event.type + value: info +- set: + if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'" + field: event.category value: package - set: - if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" + if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'" field: event.type + value: info +- set: + if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" + field: event.category value: host - set: - if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" field: event.type + value: info +- set: + if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + field: event.category value: process +- set: + if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + field: event.type + value: info - set: if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' || ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'" field: event.category diff --git a/filebeat/module/auditd/log/test/audit-cent7-node.log b/filebeat/module/auditd/log/test/audit-cent7-node.log new file mode 100644 index 00000000000..55b31cf3fe6 --- /dev/null +++ b/filebeat/module/auditd/log/test/audit-cent7-node.log @@ -0,0 +1,10 @@ +node=localhost.localdomain type=DAEMON_START msg=audit(1594053514.588:4686): op=start ver=2.8.5 format=raw kernel=3.10.0-1062.9.1.el7.x86_64 auid=4294967295 pid=1643 uid=0 ses=4294967295 subj=system_u:system_r:auditd_t:s0 res=success +node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1594053514.707:4): audit_backlog_limit=8192 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 res=1 +node=localhost.localdomain type=CONFIG_CHANGE msg=audit(1594053514.707:5): audit_failure=1 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 res=1 +node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.709:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' +node=localhost.localdomain type=SYSTEM_BOOT msg=audit(1594053514.725:7): pid=1667 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success' +node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.739:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-update-utmp comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' +node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.807:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rngd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' +node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.843:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=irqbalance comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' +node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.850:11): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=abrtd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' +node=localhost.localdomain type=SERVICE_START msg=audit(1594053514.857:12): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=abrt-xorg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' diff --git a/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json new file mode 100644 index 00000000000..6001a762f9f --- /dev/null +++ b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json @@ -0,0 +1,219 @@ +[ + { + "@timestamp": "2020-07-06T16:38:34.588Z", + "auditd.log.format": "raw", + "auditd.log.kernel": "3.10.0-1062.9.1.el7.x86_64", + "auditd.log.node": "localhost.localdomain", + "auditd.log.op": "start", + "auditd.log.sequence": 4686, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:auditd_t:s0", + "auditd.log.ver": "2.8.5", + "event.action": "daemon_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 0, + "process.pid": 1643, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.707Z", + "auditd.log.audit_backlog_limit": "8192", + "auditd.log.node": "localhost.localdomain", + "auditd.log.old": "64", + "auditd.log.sequence": 4, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:unconfined_service_t:s0", + "event.action": "config_change", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "1", + "fileset.name": "log", + "input.type": "log", + "log.offset": 234, + "service.type": "auditd", + "user.audit.id": "4294967295" + }, + { + "@timestamp": "2020-07-06T16:38:34.707Z", + "auditd.log.audit_failure": "1", + "auditd.log.node": "localhost.localdomain", + "auditd.log.old": "1", + "auditd.log.sequence": 5, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:unconfined_service_t:s0", + "event.action": "config_change", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "1", + "fileset.name": "log", + "input.type": "log", + "log.offset": 425, + "service.type": "auditd", + "user.audit.id": "4294967295" + }, + { + "@timestamp": "2020-07-06T16:38:34.709Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 6, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "auditd", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 606, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.725Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 7, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "event.action": "system_boot", + "event.category": "host", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "event.type": "info", + "fileset.name": "log", + "input.type": "log", + "log.offset": 862, + "message": "", + "process.executable": "/usr/lib/systemd/systemd-update-utmp", + "process.name": "systemd-update-utmp", + "process.pid": 1667, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.739Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 8, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "systemd-update-utmp", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1132, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.807Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 9, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "rngd", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1401, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.843Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 10, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "irqbalance", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1655, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.850Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 11, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "abrtd", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 1916, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + }, + { + "@timestamp": "2020-07-06T16:38:34.857Z", + "auditd.log.node": "localhost.localdomain", + "auditd.log.sequence": 12, + "auditd.log.ses": "4294967295", + "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "abrt-xorg", + "event.action": "service_start", + "event.dataset": "auditd.log", + "event.kind": "event", + "event.module": "auditd", + "event.outcome": "success", + "fileset.name": "log", + "input.type": "log", + "log.offset": 2172, + "process.executable": "/usr/lib/systemd/systemd", + "process.name": "systemd", + "process.pid": 1, + "service.type": "auditd", + "user.audit.id": "4294967295", + "user.id": "0" + } +] \ No newline at end of file diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json index a7bdfe6b83d..b2532651d2b 100644 --- a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json @@ -212,11 +212,12 @@ "auditd.log.sequence": 19623789, "auditd.log.ses": "6793", "event.action": "user_auth", + "event.category": "authentication", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "authentication", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 1926, @@ -234,11 +235,12 @@ "auditd.log.sequence": 19623807, "auditd.log.ses": "12286", "event.action": "user_auth", + "event.category": "authentication", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "authentication", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 2122, diff --git a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json index 64ddfa2cc49..b25dde0881b 100644 --- a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json @@ -45,11 +45,12 @@ "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "event.action": "system_boot", + "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "host", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 419, diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json index 2306d330fa5..f122becadda 100644 --- a/filebeat/module/auditd/log/test/test.log-expected.json +++ b/filebeat/module/auditd/log/test/test.log-expected.json @@ -167,11 +167,12 @@ "auditd.log.sw": "gcc-4.8.5-39.el7.x86_64", "auditd.log.sw_type": "rpm", "event.action": "software_update", + "event.category": "package", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "package", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 1893, @@ -188,11 +189,12 @@ "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "event.action": "system_boot", + "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "host", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 2196, @@ -210,11 +212,12 @@ "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "event.action": "system_shutdown", + "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "host", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 2438, @@ -254,10 +257,11 @@ "auditd.log.syscall": "execve", "auditd.log.tty": "pts0", "event.action": "syscall", + "event.category": "process", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", - "event.type": "process", + "event.type": "info", "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -283,10 +287,11 @@ "auditd.log.name": "mymodule", "auditd.log.sequence": 579397, "event.action": "kern_module", + "event.category": "driver", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", - "event.type": "driver", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 3153, diff --git a/filebeat/module/elasticsearch/audit/_meta/fields.yml b/filebeat/module/elasticsearch/audit/_meta/fields.yml index 2461668157d..ceb94c00dd5 100644 --- a/filebeat/module/elasticsearch/audit/_meta/fields.yml +++ b/filebeat/module/elasticsearch/audit/_meta/fields.yml @@ -24,7 +24,7 @@ type: keyword - name: user.roles description: "Roles to which the principal belongs" - example: [ "kibana_user", "beats_admin" ] + example: [ "kibana_admin", "beats_admin" ] type: keyword - name: action description: "The name of the action that was executed" diff --git a/filebeat/module/elasticsearch/audit/ingest/pipeline.yml b/filebeat/module/elasticsearch/audit/ingest/pipeline.yml index 8f1093f5eea..ec3873d2b9f 100644 --- a/filebeat/module/elasticsearch/audit/ingest/pipeline.yml +++ b/filebeat/module/elasticsearch/audit/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing elasticsearch audit logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: '@timestamp' target_field: event.created diff --git a/filebeat/module/elasticsearch/deprecation/ingest/pipeline.yml b/filebeat/module/elasticsearch/deprecation/ingest/pipeline.yml index 59b8cf882f9..e1f4838df9b 100644 --- a/filebeat/module/elasticsearch/deprecation/ingest/pipeline.yml +++ b/filebeat/module/elasticsearch/deprecation/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing elasticsearch deprecation logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: '@timestamp' target_field: event.created diff --git a/filebeat/module/elasticsearch/fields.go b/filebeat/module/elasticsearch/fields.go index 4e0467c018c..4f44e586a19 100644 --- a/filebeat/module/elasticsearch/fields.go +++ b/filebeat/module/elasticsearch/fields.go @@ -32,5 +32,5 @@ func init() { // AssetElasticsearch returns asset data. // This is the base64 encoded gzipped contents of module/elasticsearch. func AssetElasticsearch() string { - return "eJzUmltv2zj2wN/7KQi//GeARH/nMtmJgR1g6qZJil7SOEm34wbCMXUksaZIhaTseIp+9wUp2ZFlSb5s2+36JZF4Ob9z4eGhpH0yxlmPIAdtGNUIisbPCDHMcOyRzln5fucZIQFqqlhqmBQ98sczQsjyWPJGBhnHZ4SEDHmge67LPhGQ4KoY+zOzFHskUjJLizs1MpanK09JZZJKgcIsWioTLOvw1J+ESiZkGqNCYmIkXEYEJ7ZBKhYxAQaDTmlSfIQkdUaRHnrUS7w3aOAFGOgrBIOXIsDHAaoJo1gel+s3xtlUqmAVn2faoPKyjAWNGtzeXr4gMnSYxYB6svNkokYX/O0NG9x9ZFfh7+PH6DTansZeNdK8hQQ3ogkkHaPar+nTTiFkgF6LOZ6MYXvWy34xYB/ozQxv4g/m9l+vn5++6j5/M92SYWMzNHNMPrx9pf862lwws2HULtlFmuteLzNkHEcIZt+gNvtMpJnZVn6b9Z101rA24N159GI6ur0O+3e//ePPAX0Y9aMt7K5jUEGr+GBudNe1nqK7uUDIAmZWepfT0QrDH6WGaloqT81hhmqpparMjc07ttc8GTEaExMzvZKJekShNnvEKBA6lcq2EZb6IeOVtbVsCTuq2lpvkDK5k+7bfmvxbSfrkRzYxGCIpDRTyjKDkGKWyEz7QClq7QcoGAZ7BDITozCMgp3KD4Fxd7vSK7+MFAhjr6kUAqkbUXdvPsxAkqLCwFf4kDmrqUz4UJqouM4HNBtvWf72Zszd562144fFJlQQrzie/LLakscMkOuzwQ358+pyPvjXcpQsxk1BE4UU2QQDIoWT9tSNxiAE8l/3CJcUuG8TGvkl3xYpcJfgCNM6w6DM+Wuz7Z7m2d5uCoEnayNvOYbyQQ6u0mA1nwBngTMaRMDE6poowDt228IQMm7s0tqBPdOovM0UsF3/T9fqsUdYWG5ojNKOC1PDJugHTCE1Us12hZYcdSv0te1BjFwkKiSpYoKyFDgZIZci0o0RMSSdMRuBAN9K6+yRjt2jtA9BwkSH3G8NDW7Vr7WyKO3T+ZA8S9mwwEekWbNxe6RTFC+9RApmpPr/BJjYwb6KeykoSNbY167k2+tL4vqiQdVszs4Xa0Y7/T8/Ax0LRuPDr51a6UwEjK5x7WXep0i5GJDRrLBWm0NDKfcPuwenXvfA6x5bny7dOVq5c7KLo4tks1wVrKpwK9hDhiSvDosxzeb78Pdrfzw6uRtM3sV/PnTN9Gpy8e79Lrkqh6tUbKt45c1ynpS3CMQ+R1ADqiTn1/W6bczqj2Qwqx0MnEE1TlIwcY/ExqTeXFc73qNSmOVjl/0lLFKQa2xUhi3bog9BoFBXxa0D0TJTFD2W7iA4U2xLaXbhFjsu30HgIjtuK1avHsI2lZmg1hBVR+YSDT6alQo4wFRhvvl8uzp4PnlEd5+TkPM+sbuwRlMI8DYsvdMYdL0JqtLXENjfSyeI6BQpCxm1G+B5PxfhVTrXMZW5anxKWpfuRoD2Vz6OnvcJlZznZXE9aMn9WR5SvkbaiBZyCdWlviFYv0KyEGj3GqkCJiJrUcv9CiZAJkyZDDhJgMZMtIBrqrKRr2fJSHLfwIijb1iC30sPcgWZRmJFECaIRipFoAnlCMLqkKUkZyGORa8FN4qJ6AeAb8DtUNZyTxHGvsJQ+6mStkxw/N+R/MYy69QeLJ8kOgyiMESFwpYsT0o1o9uCinPkvkJNQfwo6pK9E1BjS8/ZBIkcfUZqtK2jORJIUz6v/pkm2sg0xaBZGcpBaz8TXELwozTJpbl4EZmtDx3EhtanaeY4GxnrkvKGjFd5YJD+1W0e40W8oAqlSizwUyqsQWxO2aRyPmowMllr6A0Vsb+KEjIzmgX5k4ExKoG8ToFSYpnp/wIlE1VI0kppD7g/AvNGGuAEOaQ2XivQRro3ARxNTl7aL91jFW1AuV4hE0zHXm2V8XmS+CoTDUuwWZE1CriTgkV1JK/u3hQ0WVpabXsENIF8ehvlqWTCEJElI1T1tCZWCIH2jbWLb7NMU/LYmfwc1AiiJWsWUomT6nJb4Ya6pLEIZJsC3e4yZ/7WJrYIRsqxdXEOVXC2chmI6s8r9aXbOmv1CZdRlG+9UYPIGKGaGXcuZC8QUgKcy2KzARHM/cL+3rqWtWP88agxqTNhMFp5AL4BJlksXqu8k2MDf8y4HM1MW4Vid6bvhnRr04gjaoZZHHF54EdYfTi1s+Pe8YBEKLAonCWlWQqCzn5+DzrnydAapKzBT+DORpuu9+5MZiL6lv79aCf8H/fwrKrDT+DjFrvW0y3shmqyJHT5Wd7ANbtPBqpvCepjYNVPT1sd0LFRQJer45K8To8MbCfiellwao/RMiSolFTLG5J7fdsjIfCl5x+1j2OqWuX70fJjxaaQbnv44iKhbQF0cr+c95sfd9Y/3KxbWvVLYJGIxeqpY5mlKqmNYs7B5YqCixJhKn+EwIV+E1QxQuBrfGg1+QAfMnteLkrERssfHR+fnp4e1pq/keKp3vPnT3e8Ne86lk/J5/09+ydhnLOiAmskPDjpdjesAxdWGtkFDdsBuuzmalVr5OKdV6mynYIuJsZgC/rfN6JfpAcup1xGzZkob89fv+v8xLDy0dYKRGd42D34fb97sn94enPQ7XVPegfHe6dHR/fDy7cv35H7Yf4ZSD6FV0B4Dxmq2T0ZTvy7V/Hnu3syTNAoRt3HJifekdfdt/N63RPv8OR+2L13Jfbw2Pst0fd77sLPjTQ8dtf2IBIzo4cHp8dHv9lbsxT18H7PpkWT/+MQ3LcIw/e3Z9cf/ZuLs7f+y7Ob/sViDvcpiB4e2P7u/cDwy6eOo/3U6X351EnA0NgHzvPLkZTafOr0Drzu169f7/f+k/xtK/jK9rTsodeuw8rnOmVv1Bo7RLPsveazxiL3SDluIXFLjpnFuad46eTOv85YTXxH3W6it0Sxjmxjse1N8rYT5UKlRdTAtucebZToWg+2lPsUmW3S888Oba8m4dWw3hLDBbzvHNjGweW03ctbLJntCPHRKPBzzhbCM9utUIcwEUqVwOoL6F2j5CnZtEVlfupkpilQjg93EJpnp7VirfEZBvl3bU0Ah9sBKJkZVtm0q990uB5NRtbdg4u/Dt8/H59+nh5HJoKXRmxn+Mpb+yXpl8G38W37ErxpWXuBpLsst2Zpgzx+ZUgCSbNk8VGcrRZcnsegRd6/AwAA//9xEEfG" + return "eJzUmltv2zj2wN/7KQi//GeARH/nMtmJgR1g6qZJil7SOEm34wbCMXUksaZIhaTseIp+9wUp2ZFlSb5s2+36JZF4Ob9z4eGhpH0yxlmPIAdtGNUIisbPCDHMcOyRzln5fucZIQFqqlhqmBQ98sczQsjyWPJGBhnHZ4SEDHmge67LPhGQ4KoY+zOzFHskUjJLizs1MpanK09JZZJKgcIsWioTLOvw1J+ESiZkGqNCYmIkXEYEJ7ZBKhYxAQaDTmlSfIQkdUaRHnrUS7w3aOAFGOgrBIOXIsDHAaoJo1gel+s3xtlUqmAVn2faoPKyjAWNGtzeXr4gMnSYxYB6svNkokYX/O0NG9x9ZFfh7+PH6DTansZeNdK8hQQ3ogkkHaPar+nTTiFkgF6LOZ6MYXvWy34xYB/ozQxv4g/m9l+vn5++6j5/M92SYWMzNHNMPrx9pf862lwws2HULtlFmuteLzNkHEcIZt+gNvtMpJnZVn6b9Z101rA24N159GI6ur0O+3e//ePPAX0Y9aMt7K5jUEGr+GBudNe1nqK7uUDIAmZWepfT0QrDH6WGaloqT81hhmqpparMjc07ttc8GTEaExMzvZKJekShNnvEKBA6lcq2EZb6IeOVtbVsCTuq2lpvkDK5k+7bfmvxbSfrkRzYxGCIpDRTyjKDkGKWyEz7QClq7QcoGAZ7BDITozCMgp3KD4Fxd7vSK7+MFAhjr6kUAqkbUXdvPsxAkqLCwFf4kDmrqUz4UJqouM4HNBtvWf72Zszd562144fFJlQQrzie/LLakscMkOuzwQ358+pyPvjXcpQsxk1BE4UU2QQDIoWT9tSNxiAE8l/3CJcUuG8TGvkl3xYpcJfgCNM6w6DM+Wuz7Z7m2d5uCoEnayNvOYbyQQ6u0mA1nwBngTMaRMDE6poowDt228IQMm7s0tqBPdOovM0UsF3/T9fqsUdYWG5ojNKOC1PDJugHTCE1Us12hZYcdSv0te1BjFwkKiSpYoKyFDgZIZci0o0RMSSdMRuBAB+ChInOHunYTUoXl+R+a2pwy36tmUVpo86H5GnKxgU+Is2ardsjnaJ66SVSMCPV/yfAxA4GVtxLQUGyxsB2Kd9eXxLXFw2qZnt2vliv2en/+RnoWDAaH37t1EpnImB0jW8v8z5FzsWAjGaFtdo8Gkq5f9g9OPW6B1732Pp06c7Ryp2TXRxdZJvlsmBVhVvBHjIkeXlYjGk234e/X/vj0cndYPIu/vOha6ZXk4t373dJVjlcpWRbxSvvlvOsvEUg9jmCGlAlOb+u121jVn8kg1ntYOAMqnGSgol7JDYm9ea62vEelcIsn7vsL2GRglxjozJs2Rd9CAKFuipuHYiWmaLosXQHwZliW0qzC7fYcvkOAhfpcVuxevUUtqnMBLWGqDoyl2jw0ayUwAGmCvPd59sVwvPJI7r7nISc94ndhjWaQoC3Ye2dxqDrTVCVvobA/l46QUSnSFnIqN0Bz/u5CK/SuY6pzFXjU9K6dDcCtL/yefS8T6jkPK+L60FL7s/ykPI10ka0kEuoLvUNwfoVkoVAu9dIFTARWYta7lcwATJhymTASQI0ZqIFXFOVjXw9S0aS+wZGHH3DEvxeepAryDQSK4IwQTRSKQJNKEcQVocsJTkLcSx6LbhRTEQ/AHwDboeylnuKMPYVhtpPlbRlguP/juQ3llmn9mT5JNFhEIUhKhS2ZHlSqhndFlScI/cVagriR1GX7J2AGlt6ziZI5OgzUqNtIc2RQJryefnPNNFGpikGzcpQDlr7meASgh+lSS7NxYvIbH3oIDa0Pk0zx9nIWJeUN2S8ygOD9K9u8xgv4gVVKFVigZ9SYQ1ic8omlQNSg5HJWkNvqIj9VZSQmdEsyB8NjFEJ5HUKlBLLTP8XKJmoQpJWSnvC/RGYN9IAJ8ghtfFagTbSvQrgaHLy0n7pnqtoA8r1CplgOvZqq4zPk8RXmWhYgs2KrFHAnRQsqiN5dfemoMnS0mrbI6AJ5NPbKE8lE4aILBmhqqc1sUIItG+sXXybZZqSx87k56BGEC1Zs5BKnFSX2wo31CWNRSDbFOh2lznztzaxRTBSjq2Lc6iCs5XLQFR/Xqkv3dZZq0+4jKJ8640aRMYI1cy4cyF7gZAS4FwWmw2IYO4X9vfWtawd449HjUmdCYPRyhPwDTDJYvFa5Z0cG/hjxuVoZtoqFLszfTekW5tGHFEzzOKIywM/wurDqZ0d944HJEKBReEsKc1SEHT283vQOU+G1iBlDX4CdzbadL13ZzIT0bf070c74f+4h2dVHX4CH7fYtZ5uYTdUkyWhy8/yBq7ZfTNQfU1QHwOrfnra6oCOjQK6XB2X5HV6ZGA7EdfLglN7jJYhQaWkWt6Q3PvbHgmBLz3/qH0cU9Uq34+WHys2hXTbwxcXCW0LoJP75bzf/Liz/uFm3dKqXwKLRCxWTx3LLFVJbRRzDi5XFFyUCFP5IwQu9JugihECX+NDq8kH+JDZ83JRIjZa/uj4+PT09LDW/I0UT/WeP3+6461517F8Sj7v79k/CeOcFRVYI+HBSbe7YR24sNLILmjYDtBlN1erWiMXL71Kle0UdDExBlvQ/74R/SI9cDnlMmrORHl7/v5d5yeGla+2ViA6w8Puwe/73ZP9w9Obg26ve9I7ON47PTq6H16+ffmO3A/z70DyKbwCwnvIUM3uyXDi372KP9/dk2GCRjHqvjY58Y687r6d1+ueeIcn98PuvSuxh8feb4m+33MXfm6k4bG7tgeRmBk9PDg9PvrN3pqlqIf3ezYtmvwfh+A+Rhi+vz27/ujfXJy99V+e3fQvFnO4b0H08MD2d+8Hhl8+dRztp07vy6dOAobGPnCeX46k1OZTp3fgdb9+/Xq/95/kb1vBV7anZQ+9dh1Wvtcpe6PW2CGaZe81nzUWuUfKcQuJW3LMLM49xUsnd/51xmriO+p2E70linVkG4ttb5K3nSgXKi2iBrY992ijRNd6sKXcp8hsk55/d2h7NQmvhvWWGC7gfefANg4up+1e3mLJbEeIj0aBn3O2EJ7ZboU6hIlQqgRWX0DvGiVPyaYtKvNTJzNNgXJ8uIPQPDutFWuNzzDIP2xrAjjcDkDJzLDKpl39qMP1aDKy7h5c/HX4/vn49PP0ODIRvDRiO8NX3tovSb8Mvo1v25fgTcvaCyTdZbk1Sxvk8StDEkiaJYuv4my14PI8Bi3y/h0AAP//rvZIEA==" } diff --git a/filebeat/module/elasticsearch/gc/ingest/pipeline.yml b/filebeat/module/elasticsearch/gc/ingest/pipeline.yml index fc8ec5c73e3..d0980763ecc 100644 --- a/filebeat/module/elasticsearch/gc/ingest/pipeline.yml +++ b/filebeat/module/elasticsearch/gc/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing Elasticsearch JVM garbage collection logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/elasticsearch/server/ingest/pipeline.yml b/filebeat/module/elasticsearch/server/ingest/pipeline.yml index 6e09a9dbde8..4d4e634cc4b 100644 --- a/filebeat/module/elasticsearch/server/ingest/pipeline.yml +++ b/filebeat/module/elasticsearch/server/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing elasticsearch server logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: '@timestamp' target_field: event.created diff --git a/filebeat/module/elasticsearch/slowlog/ingest/pipeline.yml b/filebeat/module/elasticsearch/slowlog/ingest/pipeline.yml index 360e86d9d77..ea501d9b3e0 100644 --- a/filebeat/module/elasticsearch/slowlog/ingest/pipeline.yml +++ b/filebeat/module/elasticsearch/slowlog/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing elasticsearch slow logs. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: '@timestamp' target_field: event.created diff --git a/filebeat/module/haproxy/log/ingest/pipeline.yml b/filebeat/module/haproxy/log/ingest/pipeline.yml index fdcfc828701..d9315df0f02 100644 --- a/filebeat/module/haproxy/log/ingest/pipeline.yml +++ b/filebeat/module/haproxy/log/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: Pipeline for parsing HAProxy http, tcp and default logs. Requires the geoip plugin. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/icinga/debug/ingest/pipeline.yml b/filebeat/module/icinga/debug/ingest/pipeline.yml index ee25b38e90e..dbe9f1ee39d 100644 --- a/filebeat/module/icinga/debug/ingest/pipeline.yml +++ b/filebeat/module/icinga/debug/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing icinga debug logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/icinga/main/ingest/pipeline.yml b/filebeat/module/icinga/main/ingest/pipeline.yml index 5db480e07ab..654e8c3c4e7 100644 --- a/filebeat/module/icinga/main/ingest/pipeline.yml +++ b/filebeat/module/icinga/main/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing icinga main logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/icinga/startup/ingest/pipeline.yml b/filebeat/module/icinga/startup/ingest/pipeline.yml index 61e0e6fef27..aee7377b140 100644 --- a/filebeat/module/icinga/startup/ingest/pipeline.yml +++ b/filebeat/module/icinga/startup/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing icinga startup logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/iis/access/ingest/pipeline.yml b/filebeat/module/iis/access/ingest/pipeline.yml index 8344cccac1b..84fabdc59b8 100644 --- a/filebeat/module/iis/access/ingest/pipeline.yml +++ b/filebeat/module/iis/access/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: Pipeline for parsing IIS access logs. Requires the geoip and user_agent plugins. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json b/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json index 448779366ce..c3f4a4932da 100644 --- a/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json +++ b/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json @@ -37,7 +37,7 @@ "source.address": "::1%0", "source.ip": "::1", "url.path": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.0", diff --git a/filebeat/module/iis/access/test/test.log-expected.json b/filebeat/module/iis/access/test/test.log-expected.json index 909bffb0e62..adb56a2eadd 100644 --- a/filebeat/module/iis/access/test/test.log-expected.json +++ b/filebeat/module/iis/access/test/test.log-expected.json @@ -133,7 +133,7 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.path": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.0", diff --git a/filebeat/module/iis/error/ingest/pipeline.yml b/filebeat/module/iis/error/ingest/pipeline.yml index 4611744d3c9..a16fde841da 100644 --- a/filebeat/module/iis/error/ingest/pipeline.yml +++ b/filebeat/module/iis/error/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing IIS error logs. Requires the geoip plugin. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/kafka/log/ingest/pipeline.yml b/filebeat/module/kafka/log/ingest/pipeline.yml index a1072489122..aa72addb642 100644 --- a/filebeat/module/kafka/log/ingest/pipeline.yml +++ b/filebeat/module/kafka/log/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing Kafka log messages processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message trace_match: true diff --git a/filebeat/module/kibana/log/ingest/pipeline.yml b/filebeat/module/kibana/log/ingest/pipeline.yml index 0112e09fcfc..ced76d42c23 100644 --- a/filebeat/module/kibana/log/ingest/pipeline.yml +++ b/filebeat/module/kibana/log/ingest/pipeline.yml @@ -4,6 +4,9 @@ on_failure: field: error.message value: '{{ _ingest.on_failure_message }}' processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: '@timestamp' target_field: event.created diff --git a/filebeat/module/logstash/_meta/docs.asciidoc b/filebeat/module/logstash/_meta/docs.asciidoc index 8f4e0d33a3c..4fe73d8681a 100644 --- a/filebeat/module/logstash/_meta/docs.asciidoc +++ b/filebeat/module/logstash/_meta/docs.asciidoc @@ -81,7 +81,8 @@ image::./images/kibana-logstash-slowlog.png[] [float] === Known issues -When using the `log` fileset to parse plaintext logs, if a multiline plaintext log contains an embedded JSON objct such that + +When using the `log` fileset to parse plaintext logs, if a multiline plaintext log contains an embedded JSON object such that the JSON object starts on a new line, the fileset may not parse the multiline plaintext log event correctly. :has-dashboards!: diff --git a/filebeat/module/logstash/log/ingest/pipeline.yml b/filebeat/module/logstash/log/ingest/pipeline.yml index 0a416e5758e..e7dc228a76d 100644 --- a/filebeat/module/logstash/log/ingest/pipeline.yml +++ b/filebeat/module/logstash/log/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing logstash node logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: '@timestamp' target_field: event.created diff --git a/filebeat/module/logstash/slowlog/ingest/pipeline.yml b/filebeat/module/logstash/slowlog/ingest/pipeline.yml index 061a4f8c636..949ffdcb91e 100644 --- a/filebeat/module/logstash/slowlog/ingest/pipeline.yml +++ b/filebeat/module/logstash/slowlog/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing logstash slow logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: '@timestamp' target_field: event.created diff --git a/filebeat/module/mongodb/log/ingest/pipeline.yml b/filebeat/module/mongodb/log/ingest/pipeline.yml index 6460a2b02c6..9355e031802 100644 --- a/filebeat/module/mongodb/log/ingest/pipeline.yml +++ b/filebeat/module/mongodb/log/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing MongoDB logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/mysql/error/ingest/pipeline.yml b/filebeat/module/mysql/error/ingest/pipeline.yml index b11f280d1ea..baf4c11aa40 100644 --- a/filebeat/module/mysql/error/ingest/pipeline.yml +++ b/filebeat/module/mysql/error/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing MySQL error logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/mysql/slowlog/ingest/pipeline.json b/filebeat/module/mysql/slowlog/ingest/pipeline.json index 93ce577a330..d3fbe49707c 100644 --- a/filebeat/module/mysql/slowlog/ingest/pipeline.json +++ b/filebeat/module/mysql/slowlog/ingest/pipeline.json @@ -1,6 +1,11 @@ { "description": "Pipeline for parsing MySQL slow logs.", "processors": [{ + "set": { + "field": "event.ingested", + "value": "{{_ingest.timestamp}}" + } + }, { "grok": { "field": "message", "patterns":[ diff --git a/filebeat/module/nats/log/ingest/pipeline.yml b/filebeat/module/nats/log/ingest/pipeline.yml index 53c4f774b5e..bece77c1b8e 100644 --- a/filebeat/module/nats/log/ingest/pipeline.yml +++ b/filebeat/module/nats/log/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing nats log logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/nginx/_meta/docs.asciidoc b/filebeat/module/nginx/_meta/docs.asciidoc index e365dd079d8..e5d0ff17f95 100644 --- a/filebeat/module/nginx/_meta/docs.asciidoc +++ b/filebeat/module/nginx/_meta/docs.asciidoc @@ -23,7 +23,7 @@ The Nginx module was tested with logs from version 1.10. On Windows, the module was tested with Nginx installed from the Chocolatey repository. -`ingress_controller` fileset was tested with version 0.28.0 of `nginx-ingress-controller`. +`ingress_controller` fileset was tested with version v0.28.0 and v0.34.1 of `nginx-ingress-controller`. include::../include/configuring-intro.asciidoc[] diff --git a/filebeat/module/nginx/_meta/kibana/7/dashboard/Filebeat-nginx-ingress-logs.json b/filebeat/module/nginx/_meta/kibana/7/dashboard/Filebeat-nginx-ingress-logs.json new file mode 100644 index 00000000000..a3788ec20a6 --- /dev/null +++ b/filebeat/module/nginx/_meta/kibana/7/dashboard/Filebeat-nginx-ingress-logs.json @@ -0,0 +1,359 @@ +{ + "objects": [ + { + "attributes": { + "description": "Dashboard for the Filebeat Nginx Ingress Controller", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "36b94fba-26a2-4a63-9260-1e5bdf3a9dd8", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "36b94fba-26a2-4a63-9260-1e5bdf3a9dd8", + "panelRefName": "panel_0", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "a7e7600a-703f-48a0-9a3a-3670294ee98b", + "w": 48, + "x": 0, + "y": 4 + }, + "panelIndex": "a7e7600a-703f-48a0-9a3a-3670294ee98b", + "panelRefName": "panel_1", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "1a56c416-e1e4-4e0e-bd2b-ac5e3553d118", + "w": 48, + "x": 0, + "y": 16 + }, + "panelIndex": "1a56c416-e1e4-4e0e-bd2b-ac5e3553d118", + "panelRefName": "panel_2", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 28, + "i": "7e5729fd-aa67-4ee2-aaa3-8a67e529d4b1", + "w": 48, + "x": 0, + "y": 28 + }, + "panelIndex": "7e5729fd-aa67-4ee2-aaa3-8a67e529d4b1", + "panelRefName": "panel_3", + "version": "7.8.0" + } + ], + "timeRestore": false, + "title": "[Filebeat Nginx] Ingress Controller access and error logs", + "version": 1 + }, + "id": "0b3dba40-f341-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "c37e2770-f341-11ea-a3fd-1b45ec532bb3", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "78738850-f342-11ea-a3fd-1b45ec532bb3", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "a832bcf0-f342-11ea-a3fd-1b45ec532bb3", + "name": "panel_2", + "type": "search" + }, + { + "id": "d20d4ea0-f342-11ea-a3fd-1b45ec532bb3", + "name": "panel_3", + "type": "search" + } + ], + "type": "dashboard", + "updated_at": "2020-09-10T08:52:04.498Z", + "version": "WzIzNzIsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Dashboards Ingress Controller [Filebeat Nginx] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "[Nginx Ingress Controller logs overview](#/dashboard/dfbc0840-f340-11ea-a3fd-1b45ec532bb3) | [Nginx Ingress Controller access and error logs](#/dashboard/0b3dba40-f341-11ea-a3fd-1b45ec532bb3)", + "openLinksInNewTab": false + }, + "title": "Dashboards Ingress Controller [Filebeat Nginx] ECS", + "type": "markdown" + } + }, + "id": "c37e2770-f341-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T08:43:56.647Z", + "version": "WzIyOTYsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Ingress Controller access logs over time [Filebeat Nginx]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "annotations": [ + { + "color": "#F00", + "icon": "fa-tag", + "id": "970b1420-a1f3-11e7-a062-a1c3587f4874", + "ignore_global_filters": 1, + "ignore_panel_filters": 1, + "index_pattern": "filebeat-*", + "time_field": "@timestamp" + } + ], + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "3189aa80-a1f3-11e7-a062-a1c3587f4874" + } + ], + "default_index_pattern": "heartbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "lucene", + "query": "event.module:nginx AND fileset.name:ingress_controller" + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "filebeat-*", + "interval": "auto", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Access logs", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "id": "1db649a0-a1f3-11e7-a062-a1c3587f4874" + } + ], + "split_mode": "everything", + "stacked": "none", + "terms_field": "url.original", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Ingress Controller access logs over time [Filebeat Nginx]", + "type": "metrics" + } + }, + "id": "78738850-f342-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T08:49:00.245Z", + "version": "WzIzNTcsMV0=" + }, + { + "attributes": { + "columns": [ + "log.level", + "message" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlight": { + "fields": { + "*": {} + }, + "fragment_size": 2147483647, + "post_tags": [ + "@/kibana-highlighted-field@" + ], + "pre_tags": [ + "@kibana-highlighted-field@" + ], + "require_field_match": false + }, + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.module:nginx AND message:*" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Nginx Ingress Controller error logs [Filebeat Nginx]", + "version": 1 + }, + "id": "a832bcf0-f342-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-09-10T08:50:20.351Z", + "version": "WzIzNjQsMV0=" + }, + { + "attributes": { + "columns": [ + "url.original", + "http.request.method", + "http.response.status_code", + "http.response.body.bytes" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlight": { + "fields": { + "*": {} + }, + "fragment_size": 2147483647, + "post_tags": [ + "@/kibana-highlighted-field@" + ], + "pre_tags": [ + "@kibana-highlighted-field@" + ], + "require_field_match": false + }, + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.module:nginx AND url.original:*" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Nginx Ingress Controller access logs [Filebeat Nginx]", + "version": 1 + }, + "id": "d20d4ea0-f342-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-09-10T08:51:30.569Z", + "version": "WzIzNzEsMV0=" + } + ], + "version": "7.8.0" +} diff --git a/filebeat/module/nginx/_meta/kibana/7/dashboard/Filebeat-nginx-ingress-overview.json b/filebeat/module/nginx/_meta/kibana/7/dashboard/Filebeat-nginx-ingress-overview.json new file mode 100644 index 00000000000..3f618adf2ec --- /dev/null +++ b/filebeat/module/nginx/_meta/kibana/7/dashboard/Filebeat-nginx-ingress-overview.json @@ -0,0 +1,1118 @@ +{ + "objects": [ + { + "attributes": { + "description": "Dashboard for the Filebeat Nginx Ingress Controller", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "3", + "w": 12, + "x": 36, + "y": 32 + }, + "panelIndex": "3", + "panelRefName": "panel_0", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "vis": { + "legendOpen": true + } + }, + "gridData": { + "h": 12, + "i": "4", + "w": 11, + "x": 25, + "y": 32 + }, + "panelIndex": "4", + "panelRefName": "panel_1", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "mapBounds": { + "bottom_right": { + "lat": -7.362466865535738, + "lon": 245.39062500000003 + }, + "top_left": { + "lat": 77.07878389624943, + "lon": -245.74218750000003 + } + }, + "mapCenter": null, + "mapCollar": { + "bottom_right": { + "lat": -49.583095, + "lon": 180 + }, + "top_left": { + "lat": 90, + "lon": -180 + }, + "zoom": 2 + }, + "mapZoom": null + }, + "gridData": { + "h": 16, + "i": "8", + "w": 48, + "x": 0, + "y": 4 + }, + "panelIndex": "8", + "panelRefName": "panel_2", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "f760cd68-8472-4709-b516-ba74f0c00db8", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "f760cd68-8472-4709-b516-ba74f0c00db8", + "panelRefName": "panel_3", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "9351d7ed-b2f4-419b-8c15-4696f69c2831", + "w": 48, + "x": 0, + "y": 20 + }, + "panelIndex": "9351d7ed-b2f4-419b-8c15-4696f69c2831", + "panelRefName": "panel_4", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "a62866e6-5c7f-4c52-a619-d01fb5005d7c", + "w": 12, + "x": 0, + "y": 32 + }, + "panelIndex": "a62866e6-5c7f-4c52-a619-d01fb5005d7c", + "panelRefName": "panel_5", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "453e4965-85d2-48a8-aea6-b37970d50ec5", + "w": 13, + "x": 12, + "y": 32 + }, + "panelIndex": "453e4965-85d2-48a8-aea6-b37970d50ec5", + "panelRefName": "panel_6", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "606dd662-23fe-4fec-a781-7a5831eb1dc4", + "w": 18, + "x": 0, + "y": 44 + }, + "panelIndex": "606dd662-23fe-4fec-a781-7a5831eb1dc4", + "panelRefName": "panel_7", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "23972f5a-8e18-457a-8288-adf6f15e792e", + "w": 15, + "x": 18, + "y": 44 + }, + "panelIndex": "23972f5a-8e18-457a-8288-adf6f15e792e", + "panelRefName": "panel_8", + "version": "7.8.0" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "4b4ec4d3-b8a2-4d94-9a6c-b469552940e8", + "w": 15, + "x": 33, + "y": 44 + }, + "panelIndex": "4b4ec4d3-b8a2-4d94-9a6c-b469552940e8", + "panelRefName": "panel_9", + "version": "7.8.0" + } + ], + "timeRestore": false, + "title": "[Filebeat Nginx] Ingress Controller Overview", + "version": 1 + }, + "id": "dfbc0840-f340-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "Nginx-Access-Browsers-ecs", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "Nginx-Access-OSes-ecs", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "Nginx-Access-Map-ecs", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "c37e2770-f341-11ea-a3fd-1b45ec532bb3", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "ba138ab0-f344-11ea-a3fd-1b45ec532bb3", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "f137cb40-f345-11ea-a3fd-1b45ec532bb3", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "ee250270-f344-11ea-a3fd-1b45ec532bb3", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "1aa782a0-f345-11ea-a3fd-1b45ec532bb3", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "a3bf1ce0-f347-11ea-a3fd-1b45ec532bb3", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "afd506b0-f348-11ea-a3fd-1b45ec532bb3", + "name": "panel_9", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-09-10T09:37:31.793Z", + "version": "WzI0OTksMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Browsers breakdown [Filebeat Nginx] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user_agent.name", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "user_agent.version", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "legendPosition": "bottom", + "shareYAxis": true + }, + "title": "Nginx Access Browsers ECS", + "type": "pie" + } + }, + "id": "Nginx-Access-Browsers-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T08:33:36.686Z", + "version": "WzIxNjcsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Operating systems breakdown [Filebeat Nginx] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user_agent.os.name", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "user_agent.os.version", + "order": "desc", + "orderBy": "1", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "listeners": {}, + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "legendPosition": "bottom", + "shareYAxis": true + }, + "title": "Nginx Access OSes ECS", + "type": "pie" + } + }, + "id": "Nginx-Access-OSes-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T08:33:36.686Z", + "version": "WzIxNjgsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [] + } + }, + "savedSearchRefName": "search_0", + "title": "Access Map [Filebeat Nginx] ECS", + "uiStateJSON": { + "mapCenter": [ + 12.039320557540572, + -0.17578125 + ] + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "autoPrecision": true, + "field": "source.geo.location" + }, + "schema": "segment", + "type": "geohash_grid" + } + ], + "listeners": {}, + "params": { + "addTooltip": true, + "heatBlur": 15, + "heatMaxZoom": 16, + "heatMinOpacity": 0.1, + "heatNormalizeData": true, + "heatRadius": 25, + "isDesaturated": true, + "legendPosition": "bottomright", + "mapCenter": [ + 15, + 5 + ], + "mapType": "Scaled Circle Markers", + "mapZoom": 2, + "wms": { + "enabled": false, + "options": { + "attribution": "Maps provided by USGS", + "format": "image/png", + "layers": "0", + "styles": "", + "transparent": true, + "version": "1.3.0" + }, + "url": "https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer" + } + }, + "title": "Nginx Access Map ECS", + "type": "tile_map" + } + }, + "id": "Nginx-Access-Map-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "Filebeat-Nginx-module-ecs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-09-10T08:33:36.686Z", + "version": "WzIxNjksMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Dashboards Ingress Controller [Filebeat Nginx] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "[Nginx Ingress Controller logs overview](#/dashboard/dfbc0840-f340-11ea-a3fd-1b45ec532bb3) | [Nginx Ingress Controller access and error logs](#/dashboard/0b3dba40-f341-11ea-a3fd-1b45ec532bb3)", + "openLinksInNewTab": false + }, + "title": "Dashboards Ingress Controller [Filebeat Nginx] ECS", + "type": "markdown" + } + }, + "id": "c37e2770-f341-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T08:43:56.647Z", + "version": "WzIyOTYsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Ingress Controller response codes over time [Filebeat Nginx]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "heartbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "lucene", + "query": "event.module:nginx AND fileset.name:ingress_controller" + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "filebeat-*", + "interval": "auto", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "bar", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "lucene", + "query": "http.response.status_code:[200 TO 299]" + }, + "id": "5acdc750-a29d-11e7-a062-a1c3587f4874", + "label": "200s" + }, + { + "color": "rgba(252,196,0,1)", + "filter": { + "language": "lucene", + "query": "http.response.status_code:[300 TO 399]" + }, + "id": "6efd2ae0-a29d-11e7-a062-a1c3587f4874", + "label": "300s" + }, + { + "color": "rgba(211,49,21,1)", + "filter": { + "language": "lucene", + "query": "http.response.status_code:[400 TO 499]" + }, + "id": "76089a90-a29d-11e7-a062-a1c3587f4874", + "label": "400s" + }, + { + "color": "rgba(171,20,158,1)", + "filter": { + "language": "lucene", + "query": "http.response.status_code:[500 TO 599]" + }, + "id": "7c7929d0-a29d-11e7-a062-a1c3587f4874", + "label": "500s" + } + ], + "split_mode": "filters", + "stacked": "stacked", + "terms_field": "http.response.status_code", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Ingress Controller response codes over time [Filebeat Nginx]", + "type": "metrics" + } + }, + "id": "ba138ab0-f344-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T09:05:09.339Z", + "version": "WzIzOTcsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Ingress Controller top Upstreams [Filebeat Nginx]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "bar_color_rules": [ + { + "id": "6252c320-a1f5-11e7-92ba-5d0b8663aece" + } + ], + "default_index_pattern": "heartbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "lucene", + "query": "event.module:nginx AND fileset.name:ingress_controller" + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "filebeat-*", + "interval": "auto", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "nginx.ingress_controller.upstream.name", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", + "value_template": "" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "top_n" + }, + "title": "Ingress Controller top Upstreams [Filebeat Nginx]", + "type": "metrics" + } + }, + "id": "f137cb40-f345-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T09:13:51.348Z", + "version": "WzI0MzAsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Ingress Controller top pages [Filebeat Nginx]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "bar_color_rules": [ + { + "id": "6252c320-a1f5-11e7-92ba-5d0b8663aece" + } + ], + "default_index_pattern": "heartbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "lucene", + "query": "event.module:nginx AND fileset.name:ingress_controller" + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "filebeat-*", + "interval": "auto", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "url.original", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", + "value_template": "" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "top_n" + }, + "title": "Ingress Controller top pages [Filebeat Nginx]", + "type": "metrics" + } + }, + "id": "ee250270-f344-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T09:06:36.695Z", + "version": "WzI0MDIsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Ingress Controller Data Volume [Filebeat Nginx]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "heartbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "lucene", + "query": "event.module: nginx AND fileset.name:ingress_controller" + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "filebeat-*", + "interval": "auto", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "bytes", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "", + "line_width": 1, + "metrics": [ + { + "field": "http.response.body.bytes", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "sum" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "lucene", + "query": "http.response.status_code:[200 TO 299]" + }, + "id": "7c343c20-a29e-11e7-a062-a1c3587f4874", + "label": "200s" + } + ], + "split_mode": "everything", + "stacked": "none", + "terms_field": null + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Ingress Controller Data Volume [Filebeat Nginx]", + "type": "metrics" + } + }, + "id": "1aa782a0-f345-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T09:07:51.369Z", + "version": "WzI0MTMsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Ingress Controller Upstream Time Consumed By Path [Filebeat Nginx]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "heartbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "lucene", + "query": "event.module: nginx AND fileset.name:ingress_controller" + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "filebeat-*", + "interval": "auto", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "s,s,", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "", + "line_width": 1, + "metrics": [ + { + "field": "nginx.ingress_controller.upstream.response.time", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "sum" + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "lucene", + "query": "http.response.status_code:[200 TO 299]" + }, + "id": "7c343c20-a29e-11e7-a062-a1c3587f4874", + "label": "200s" + } + ], + "split_mode": "terms", + "stacked": "none", + "terms_field": "url.original", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Ingress Controller Upstream Time Consumed By Path [Filebeat Nginx]", + "type": "metrics" + } + }, + "id": "a3bf1ce0-f347-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T09:26:00.366Z", + "version": "WzI0NjMsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Ingress Controller Request Volume By Path [Filebeat Nginx]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "heartbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "lucene", + "query": "event.module: nginx AND fileset.name:ingress_controller" + }, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "filebeat-*", + "interval": "auto", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "bytes", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "", + "line_width": 1, + "metrics": [ + { + "field": "nginx.ingress_controller.upstream.response.length", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "sum", + "values": [ + "0.5", + "0.95", + "0.99" + ] + } + ], + "point_size": 1, + "seperate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "lucene", + "query": "http.response.status_code:[200 TO 299]" + }, + "id": "7c343c20-a29e-11e7-a062-a1c3587f4874", + "label": "200s" + } + ], + "split_mode": "terms", + "stacked": "none", + "terms_exclude": "", + "terms_field": "url.original", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Ingress Controller request Volume By Path [Filebeat Nginx]", + "type": "metrics" + } + }, + "id": "afd506b0-f348-11ea-a3fd-1b45ec532bb3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-09-10T09:33:30.139Z", + "version": "WzI0OTMsMV0=" + }, + { + "attributes": { + "columns": [ + "url.original", + "http.request.method", + "http.response.status_code", + "http.request.referrer", + "http.response.body.bytes" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlight": { + "fields": { + "*": {} + }, + "fragment_size": 2147483647, + "post_tags": [ + "@/kibana-highlighted-field@" + ], + "pre_tags": [ + "@kibana-highlighted-field@" + ], + "require_field_match": false + }, + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.module:nginx" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Nginx logs [Filebeat Nginx] ECS", + "version": 1 + }, + "id": "Filebeat-Nginx-module-ecs", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-09-10T08:33:36.686Z", + "version": "WzIxNzUsMV0=" + } + ], + "version": "7.8.0" +} diff --git a/filebeat/module/nginx/access/ingest/pipeline.yml b/filebeat/module/nginx/access/ingest/pipeline.yml index f07e82f2b60..57fe9031b55 100644 --- a/filebeat/module/nginx/access/ingest/pipeline.yml +++ b/filebeat/module/nginx/access/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: Pipeline for parsing Nginx access logs. Requires the geoip and user_agent plugins. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: @@ -145,7 +148,7 @@ processors: - set: field: event.outcome value: failure - if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400" + if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400" - append: field: related.ip value: "{{source.ip}}" diff --git a/filebeat/module/nginx/access/test/access.log-expected.json b/filebeat/module/nginx/access/test/access.log-expected.json index 38ced3a64ac..92519cc1e81 100644 --- a/filebeat/module/nginx/access/test/access.log-expected.json +++ b/filebeat/module/nginx/access/test/access.log-expected.json @@ -38,7 +38,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -86,7 +86,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -133,7 +133,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/adsasd", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -180,7 +180,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -228,7 +228,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -275,7 +275,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/test", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -322,7 +322,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/test", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -369,7 +369,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/test1", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -407,7 +407,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.original": "/test1", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -445,7 +445,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -483,7 +483,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -521,7 +521,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.original": "/taga", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", diff --git a/filebeat/module/nginx/access/test/test-with-host.log-expected.json b/filebeat/module/nginx/access/test/test-with-host.log-expected.json index 426b08eafd8..a1968695184 100644 --- a/filebeat/module/nginx/access/test/test-with-host.log-expected.json +++ b/filebeat/module/nginx/access/test/test-with-host.log-expected.json @@ -32,7 +32,7 @@ "source.address": "10.0.0.2", "source.ip": "10.0.0.2", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -121,7 +121,7 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -170,7 +170,7 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.0", diff --git a/filebeat/module/nginx/access/test/test.log-expected.json b/filebeat/module/nginx/access/test/test.log-expected.json index 47d88c36ead..75caf6cf9f8 100644 --- a/filebeat/module/nginx/access/test/test.log-expected.json +++ b/filebeat/module/nginx/access/test/test.log-expected.json @@ -31,7 +31,7 @@ "source.address": "10.0.0.2", "source.ip": "10.0.0.2", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -118,7 +118,7 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -165,7 +165,7 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.0", diff --git a/filebeat/module/nginx/error/ingest/pipeline.yml b/filebeat/module/nginx/error/ingest/pipeline.yml index 5a33c34710c..05691eeb737 100644 --- a/filebeat/module/nginx/error/ingest/pipeline.yml +++ b/filebeat/module/nginx/error/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing the Nginx error logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml b/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml index 74118b7405e..c9f4a5860c7 100644 --- a/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml +++ b/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: Pipeline for parsing Nginx ingress controller access logs. Requires the geoip and user_agent plugins. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json index 6a22bb503ca..4bf393a5906 100644 --- a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json +++ b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json @@ -336,7 +336,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/products/42", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.6", @@ -385,7 +385,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.6", @@ -433,7 +433,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/v2", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.6", @@ -482,7 +482,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.6", @@ -530,7 +530,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/products/42", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -579,7 +579,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -627,7 +627,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/products/42", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -675,7 +675,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -724,7 +724,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -772,7 +772,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/v2", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -821,7 +821,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -914,7 +914,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/v2", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -962,7 +962,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1010,7 +1010,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/v2/some", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", diff --git a/filebeat/module/osquery/result/config/result.yml b/filebeat/module/osquery/result/config/result.yml index f35881687e8..1d6d2e0d042 100644 --- a/filebeat/module/osquery/result/config/result.yml +++ b/filebeat/module/osquery/result/config/result.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/osquery/result/ingest/pipeline.json b/filebeat/module/osquery/result/ingest/pipeline.json index cbc45c202f9..2a0329133fa 100644 --- a/filebeat/module/osquery/result/ingest/pipeline.json +++ b/filebeat/module/osquery/result/ingest/pipeline.json @@ -2,6 +2,11 @@ "description": "Pipeline for parsing osquery result logs", "processors": [ { + "set":{ + "field": "event.ingested", + "value": "{{_ingest.timestamp}}" + } + }, { "rename": { "field": "@timestamp", "target_field": "event.created" @@ -201,6 +206,14 @@ "value": "{{osquery.result.name}}", "ignore_empty_value": true } + }, + { + "append": { + "field": "related.hosts", + "value": "{{host.hostname}}", + "if": "ctx?.host?.hostname != null && ctx.host?.hostname != ''", + "allow_duplicates": false + } } ], "on_failure" : [{ diff --git a/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json index bedd286615d..953a63b299c 100644 --- a/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json +++ b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json @@ -29,6 +29,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -66,6 +69,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -103,6 +109,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -140,6 +149,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -177,6 +189,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -214,6 +229,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -251,6 +269,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -288,6 +309,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -325,6 +349,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -362,6 +389,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -399,6 +429,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -436,6 +469,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -473,6 +509,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -510,6 +549,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -547,6 +589,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -584,6 +629,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -621,6 +669,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -658,6 +709,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -695,6 +749,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -732,6 +789,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -769,6 +829,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -806,6 +869,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -843,6 +909,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -880,6 +949,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -917,6 +989,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -954,6 +1029,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -991,6 +1069,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1028,6 +1109,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1065,6 +1149,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1102,6 +1189,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1139,6 +1229,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1176,6 +1269,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1213,6 +1309,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1250,6 +1349,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1287,6 +1389,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1324,6 +1429,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1361,6 +1469,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1398,6 +1509,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1435,6 +1549,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1472,6 +1589,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1509,6 +1629,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1546,6 +1669,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1583,6 +1709,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1620,6 +1749,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1657,6 +1789,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1694,6 +1829,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1731,6 +1869,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1768,6 +1909,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1805,6 +1949,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1842,6 +1989,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1879,6 +2029,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1916,6 +2069,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1953,6 +2109,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1990,6 +2149,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2027,6 +2189,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2064,6 +2229,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2101,6 +2269,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2138,6 +2309,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2195,6 +2369,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_ossec-rootkit_slapper_installed", "osquery.result.unix_time": "1515431189", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2252,6 +2429,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_ossec-rootkit_adore_worm", "osquery.result.unix_time": "1515431988", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], diff --git a/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json index bc722ee249f..5a8083a37e2 100644 --- a/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json +++ b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json @@ -22,6 +22,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "org.python.python.app", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -52,6 +55,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.ruby", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -82,6 +88,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.a2p", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -112,6 +121,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.javajdk16.cmd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -142,6 +154,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.php", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -172,6 +187,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.nc", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -202,6 +220,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.ksh", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -234,6 +255,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "httpd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -266,6 +290,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "cupsd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -298,6 +325,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "AEServer", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -330,6 +360,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "ftpd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -362,6 +395,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "AppleFileServer", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -394,6 +430,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "sshd-keygen-wrapper", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -426,6 +465,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "smbd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -458,6 +500,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "AppleVNCServer", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -490,6 +535,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "ODSAgent", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -544,6 +592,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -599,6 +650,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -653,6 +707,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -707,6 +764,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -761,6 +821,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -815,6 +878,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -869,6 +935,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -923,6 +992,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -977,6 +1049,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1031,6 +1106,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1085,6 +1163,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1139,6 +1220,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1193,6 +1277,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1226,6 +1313,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1258,6 +1348,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1290,6 +1383,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1322,6 +1418,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1354,6 +1453,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1386,6 +1488,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1418,6 +1523,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1450,6 +1558,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1482,6 +1593,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1514,6 +1628,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1546,6 +1663,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1578,6 +1698,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1610,6 +1733,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1642,6 +1768,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1674,6 +1803,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1706,6 +1838,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1738,6 +1873,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1770,6 +1908,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1802,6 +1943,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1834,6 +1978,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1866,6 +2013,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1898,6 +2048,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1930,6 +2083,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1962,6 +2118,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1994,6 +2153,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2026,6 +2188,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2058,6 +2223,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2090,6 +2258,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2122,6 +2293,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2154,6 +2328,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2186,6 +2363,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2218,6 +2398,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2250,6 +2433,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2282,6 +2468,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2314,6 +2503,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2346,6 +2538,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2378,6 +2573,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2410,6 +2608,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2442,6 +2643,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2474,6 +2678,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2506,6 +2713,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2538,6 +2748,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2570,6 +2783,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2602,6 +2818,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2634,6 +2853,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2666,6 +2888,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2698,6 +2923,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2730,6 +2958,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2762,6 +2993,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2794,6 +3028,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2826,6 +3063,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2858,6 +3098,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2890,6 +3133,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2922,6 +3168,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2954,6 +3203,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2986,6 +3238,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3018,6 +3273,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3050,6 +3308,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3082,6 +3343,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3114,6 +3378,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3146,6 +3413,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3178,6 +3448,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3210,6 +3483,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3242,6 +3518,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3274,6 +3553,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3306,6 +3588,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3338,6 +3623,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3370,6 +3658,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3402,6 +3693,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3434,6 +3728,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3466,6 +3763,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], diff --git a/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json index c339f8183fd..0f9afe755c1 100644 --- a/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json +++ b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json @@ -26,6 +26,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "system_info", "osquery.result.unix_time": "1512649280", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -60,6 +63,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -94,6 +100,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -128,6 +137,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -162,6 +174,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -196,6 +211,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -230,6 +248,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -264,6 +285,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -298,6 +322,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -332,6 +359,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -366,6 +396,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -400,6 +433,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -434,6 +470,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -468,6 +507,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -502,6 +544,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -536,6 +581,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -570,6 +618,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -604,6 +655,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -638,6 +692,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -672,6 +729,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -706,6 +766,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -740,6 +803,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -774,6 +840,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -808,6 +877,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -842,6 +914,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -876,6 +951,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -910,6 +988,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -944,6 +1025,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -978,6 +1062,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1012,6 +1099,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1046,6 +1136,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1080,6 +1173,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1114,6 +1210,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1148,6 +1247,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1182,6 +1284,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1216,6 +1321,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1250,6 +1358,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1284,6 +1395,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1318,6 +1432,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1352,6 +1469,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1386,6 +1506,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1420,6 +1543,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1454,6 +1580,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1488,6 +1617,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1522,6 +1654,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1556,6 +1691,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1590,6 +1728,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1624,6 +1765,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1658,6 +1802,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1692,6 +1839,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1726,6 +1876,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1760,6 +1913,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1794,6 +1950,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1828,6 +1987,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1862,6 +2024,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1896,6 +2061,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1930,6 +2098,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1964,6 +2135,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1998,6 +2172,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2032,6 +2209,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2066,6 +2246,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2100,6 +2283,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2134,6 +2320,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2168,6 +2357,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2202,6 +2394,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2236,6 +2431,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2270,6 +2468,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2304,6 +2505,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2341,6 +2545,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_os_version", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2394,6 +2601,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_osquery_info", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2428,6 +2638,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2462,6 +2675,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2496,6 +2712,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2530,6 +2749,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2564,6 +2786,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2598,6 +2823,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2632,6 +2860,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2666,6 +2897,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2700,6 +2934,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2734,6 +2971,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2768,6 +3008,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2805,6 +3048,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_os_version", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2858,6 +3104,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_osquery_info", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2899,6 +3148,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2940,6 +3192,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2981,6 +3236,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3022,6 +3280,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3063,6 +3324,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3104,6 +3368,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3145,6 +3412,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3186,6 +3456,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3227,6 +3500,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3268,6 +3544,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3309,6 +3588,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3350,6 +3632,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3391,6 +3676,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3432,6 +3720,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3473,6 +3764,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3514,6 +3808,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3555,6 +3852,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], diff --git a/filebeat/module/osquery/result/test/test.log-expected.json b/filebeat/module/osquery/result/test/test.log-expected.json index 37a56ff8f13..4f7d0589a04 100644 --- a/filebeat/module/osquery/result/test/test.log-expected.json +++ b/filebeat/module/osquery/result/test/test.log-expected.json @@ -33,6 +33,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1514472008", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], diff --git a/filebeat/module/postgresql/log/ingest/pipeline.yml b/filebeat/module/postgresql/log/ingest/pipeline.yml index bd208d1eb72..9233ed95c5f 100644 --- a/filebeat/module/postgresql/log/ingest/pipeline.yml +++ b/filebeat/module/postgresql/log/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing PostgreSQL logs. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message ignore_missing: true diff --git a/filebeat/module/redis/log/ingest/pipeline.yml b/filebeat/module/redis/log/ingest/pipeline.yml index d1c08cab378..472c3398e36 100644 --- a/filebeat/module/redis/log/ingest/pipeline.yml +++ b/filebeat/module/redis/log/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing redis logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/filebeat/module/santa/log/config/file.yml b/filebeat/module/santa/log/config/file.yml index 183de629867..b39221031f3 100644 --- a/filebeat/module/santa/log/config/file.yml +++ b/filebeat/module/santa/log/config/file.yml @@ -8,4 +8,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/santa/log/ingest/pipeline.yml b/filebeat/module/santa/log/ingest/pipeline.yml index 11ad4cead6c..482aef34e8b 100644 --- a/filebeat/module/santa/log/ingest/pipeline.yml +++ b/filebeat/module/santa/log/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing Google Santa logs. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: @@ -20,6 +23,7 @@ processors: field: '@timestamp' value: '{{ process.start }}' ignore_failure: true + ignore_empty_value: true - split: field: santa.args separator: ' ' @@ -69,7 +73,7 @@ processors: - set: field: event.action value: "{{santa.action}}" - if: "ctx?.santa?.action != null" + ignore_empty_value: true - lowercase: field: event.action ignore_missing: true @@ -85,6 +89,10 @@ processors: field: related.hash value: "{{process.hash.sha256}}" if: "ctx?.process?.hash != null" +- set: + field: file.x509.issuer.common_name + value: "{{santa.certificate.common_name}}" + ignore_empty_value: true on_failure: - set: field: error.message diff --git a/filebeat/module/santa/log/test/santa.log-expected.json b/filebeat/module/santa/log/test/santa.log-expected.json index 6c1fbe81184..589aeae75f8 100644 --- a/filebeat/module/santa/log/test/santa.log-expected.json +++ b/filebeat/module/santa/log/test/santa.log-expected.json @@ -12,6 +12,7 @@ "event.type": [ "start" ], + "file.x509.issuer.common_name": "Software Signing", "fileset.name": "log", "group.id": "0", "group.name": "wheel", @@ -58,6 +59,7 @@ "event.type": [ "start" ], + "file.x509.issuer.common_name": "Software Signing", "fileset.name": "log", "group.id": "0", "group.name": "wheel", @@ -105,6 +107,7 @@ "event.type": [ "start" ], + "file.x509.issuer.common_name": "Software Signing", "fileset.name": "log", "group.id": "0", "group.name": "wheel", @@ -151,6 +154,7 @@ "event.type": [ "start" ], + "file.x509.issuer.common_name": "Software Signing", "fileset.name": "log", "group.id": "0", "group.name": "wheel", @@ -198,6 +202,7 @@ "event.type": [ "start" ], + "file.x509.issuer.common_name": "Software Signing", "fileset.name": "log", "group.id": "0", "group.name": "wheel", @@ -244,6 +249,7 @@ "event.type": [ "start" ], + "file.x509.issuer.common_name": "Software Signing", "fileset.name": "log", "group.id": "0", "group.name": "wheel", @@ -336,6 +342,7 @@ "event.type": [ "start" ], + "file.x509.issuer.common_name": "Software Signing", "fileset.name": "log", "group.id": "20", "group.name": "staff", @@ -381,6 +388,7 @@ "event.type": [ "start" ], + "file.x509.issuer.common_name": "Developer ID Application: Google, Inc. (EQHXZ8M8AV)", "fileset.name": "log", "group.id": "20", "group.name": "staff", diff --git a/filebeat/module/system/auth/config/auth.yml b/filebeat/module/system/auth/config/auth.yml index 3cdbd459e68..13f8c95656d 100644 --- a/filebeat/module/system/auth/config/auth.yml +++ b/filebeat/module/system/auth/config/auth.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/system/auth/ingest/pipeline.yml b/filebeat/module/system/auth/ingest/pipeline.yml index 3f45705416a..54ab0dbf8f5 100644 --- a/filebeat/module/system/auth/ingest/pipeline.yml +++ b/filebeat/module/system/auth/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing system authorisation/secure logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message ignore_missing: true @@ -139,6 +142,11 @@ processors: field: related.ip value: "{{source.ip}}" if: "ctx?.source?.ip != null" +- append: + field: related.hosts + value: "{{host.hostname}}" + if: "ctx.host?.hostname != null && ctx.host?.hostname != ''" + allow_duplicates: false on_failure: - set: field: error.message diff --git a/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json index 74654cb6dc1..cff887d76e8 100644 --- a/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json +++ b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json @@ -11,6 +11,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -23,6 +26,9 @@ "input.type": "log", "log.offset": 81, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -44,6 +50,9 @@ "log.offset": 464, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -57,6 +66,9 @@ "log.offset": 570, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -71,6 +83,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -83,6 +98,9 @@ "input.type": "log", "log.offset": 736, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -104,6 +122,9 @@ "log.offset": 1121, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -117,6 +138,9 @@ "log.offset": 1227, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -131,6 +155,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -143,6 +170,9 @@ "input.type": "log", "log.offset": 1393, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -164,6 +194,9 @@ "log.offset": 1776, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -177,6 +210,9 @@ "log.offset": 1882, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -191,6 +227,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -203,6 +242,9 @@ "input.type": "log", "log.offset": 2048, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -224,6 +266,9 @@ "log.offset": 2426, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -237,6 +282,9 @@ "log.offset": 2532, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -251,6 +299,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -263,6 +314,9 @@ "input.type": "log", "log.offset": 2698, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -284,6 +338,9 @@ "log.offset": 3083, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -297,6 +354,9 @@ "log.offset": 3189, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -311,6 +371,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -336,6 +399,9 @@ "input.type": "log", "log.offset": 3414, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -357,6 +423,9 @@ "log.offset": 3977, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -370,6 +439,9 @@ "log.offset": 4083, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -384,6 +456,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -396,6 +471,9 @@ "input.type": "log", "log.offset": 4249, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -417,6 +495,9 @@ "log.offset": 4632, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -430,6 +511,9 @@ "log.offset": 4738, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -444,6 +528,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -456,6 +543,9 @@ "input.type": "log", "log.offset": 4904, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -477,6 +567,9 @@ "log.offset": 5289, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -490,6 +583,9 @@ "log.offset": 5395, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -504,6 +600,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -516,6 +615,9 @@ "input.type": "log", "log.offset": 5561, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -537,6 +639,9 @@ "log.offset": 5942, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -550,6 +655,9 @@ "log.offset": 6048, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -564,6 +672,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -576,6 +687,9 @@ "input.type": "log", "log.offset": 6214, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -597,6 +711,9 @@ "log.offset": 6597, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -610,6 +727,9 @@ "log.offset": 6703, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -624,6 +744,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -636,6 +759,9 @@ "input.type": "log", "log.offset": 6869, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -657,6 +783,9 @@ "log.offset": 7254, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -670,6 +799,9 @@ "log.offset": 7360, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -684,6 +816,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -696,6 +831,9 @@ "input.type": "log", "log.offset": 7526, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -717,6 +855,9 @@ "log.offset": 7911, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -730,6 +871,9 @@ "log.offset": 8017, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -744,6 +888,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -756,6 +903,9 @@ "input.type": "log", "log.offset": 8183, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -777,6 +927,9 @@ "log.offset": 8564, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -790,6 +943,9 @@ "log.offset": 8670, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -804,6 +960,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -816,6 +975,9 @@ "input.type": "log", "log.offset": 8836, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -837,6 +999,9 @@ "log.offset": 9215, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -850,6 +1015,9 @@ "log.offset": 9321, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -864,6 +1032,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -876,6 +1047,9 @@ "input.type": "log", "log.offset": 9487, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -897,6 +1071,9 @@ "log.offset": 9869, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -910,6 +1087,9 @@ "log.offset": 9975, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -922,6 +1102,9 @@ "input.type": "log", "log.offset": 10060, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -943,6 +1126,9 @@ "log.offset": 11099, "message": " vagrant : (command continued) '/etc/metricbeat/metricbeat.yml)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -956,6 +1142,9 @@ "log.offset": 11195, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -969,6 +1158,9 @@ "log.offset": 11301, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -983,6 +1175,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -997,6 +1192,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1009,6 +1207,9 @@ "input.type": "log", "log.offset": 11548, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1030,6 +1231,9 @@ "log.offset": 11928, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1043,6 +1247,9 @@ "log.offset": 12034, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1057,6 +1264,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1069,6 +1279,9 @@ "input.type": "log", "log.offset": 12200, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1090,6 +1303,9 @@ "log.offset": 12583, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1103,6 +1319,9 @@ "log.offset": 12689, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1117,6 +1336,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1129,6 +1351,9 @@ "input.type": "log", "log.offset": 12855, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1150,6 +1375,9 @@ "log.offset": 13241, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1163,6 +1391,9 @@ "log.offset": 13347, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1177,6 +1408,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1189,6 +1423,9 @@ "input.type": "log", "log.offset": 13513, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1210,6 +1447,9 @@ "log.offset": 13898, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1223,6 +1463,9 @@ "log.offset": 14004, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1237,6 +1480,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1249,6 +1495,9 @@ "input.type": "log", "log.offset": 14170, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1270,6 +1519,9 @@ "log.offset": 14549, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1283,6 +1535,9 @@ "log.offset": 14655, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1297,6 +1552,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1309,6 +1567,9 @@ "input.type": "log", "log.offset": 14821, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1330,6 +1591,9 @@ "log.offset": 15203, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1343,6 +1607,9 @@ "log.offset": 15309, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1357,6 +1624,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1369,6 +1639,9 @@ "input.type": "log", "log.offset": 15475, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1390,6 +1663,9 @@ "log.offset": 15860, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1403,6 +1679,9 @@ "log.offset": 15966, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1417,6 +1696,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1429,6 +1711,9 @@ "input.type": "log", "log.offset": 16132, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1450,6 +1735,9 @@ "log.offset": 16517, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1463,6 +1751,9 @@ "log.offset": 16623, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1477,6 +1768,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1489,6 +1783,9 @@ "input.type": "log", "log.offset": 16789, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], diff --git a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json index 5242ff398d9..7d8ece1d7f2 100644 --- a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json +++ b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json @@ -19,6 +19,9 @@ "log.offset": 0, "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -52,6 +55,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -74,6 +80,9 @@ "log.offset": 209, "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -107,6 +116,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -129,6 +141,9 @@ "log.offset": 418, "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -162,6 +177,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -176,6 +194,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -190,6 +211,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -204,6 +228,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -218,6 +245,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -240,6 +270,9 @@ "log.offset": 1105, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -273,6 +306,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -295,6 +331,9 @@ "log.offset": 1314, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -328,6 +367,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -350,6 +392,9 @@ "log.offset": 1523, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -383,6 +428,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -405,6 +453,9 @@ "log.offset": 1732, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -438,6 +489,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -460,6 +514,9 @@ "log.offset": 1941, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -493,6 +550,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -507,6 +567,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -521,6 +584,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -535,6 +601,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -549,6 +618,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -563,6 +635,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -577,6 +652,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -599,6 +677,9 @@ "log.offset": 2889, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -632,6 +713,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -654,6 +738,9 @@ "log.offset": 3098, "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -687,6 +774,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -709,6 +799,9 @@ "log.offset": 3306, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -742,6 +835,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -764,6 +860,9 @@ "log.offset": 3515, "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -797,6 +896,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -819,6 +921,9 @@ "log.offset": 3723, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -852,6 +957,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -874,6 +982,9 @@ "log.offset": 3932, "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -907,6 +1018,9 @@ "message": "Received disconnect from 116.31.116.27: 11: [preauth]", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -921,6 +1035,9 @@ "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -943,6 +1060,9 @@ "log.offset": 4259, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -976,6 +1096,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -998,6 +1121,9 @@ "log.offset": 4468, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1031,6 +1157,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1045,6 +1174,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1059,6 +1191,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1073,6 +1208,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1087,6 +1225,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1109,6 +1250,9 @@ "log.offset": 5155, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1142,6 +1286,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1164,6 +1311,9 @@ "log.offset": 5364, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1197,6 +1347,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1219,6 +1372,9 @@ "log.offset": 5573, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1252,6 +1408,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1274,6 +1433,9 @@ "log.offset": 5782, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1307,6 +1469,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1329,6 +1494,9 @@ "log.offset": 5991, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1362,6 +1530,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1376,6 +1547,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1390,6 +1564,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1404,6 +1581,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1418,6 +1598,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1440,6 +1623,9 @@ "log.offset": 6678, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1473,6 +1659,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1495,6 +1684,9 @@ "log.offset": 6887, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1528,6 +1720,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1550,6 +1745,9 @@ "log.offset": 7096, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1583,6 +1781,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1605,6 +1806,9 @@ "log.offset": 7305, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1638,6 +1842,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1660,6 +1867,9 @@ "log.offset": 7514, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1693,6 +1903,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1707,6 +1920,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1721,6 +1937,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1735,6 +1954,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1749,6 +1971,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1771,6 +1996,9 @@ "log.offset": 8199, "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -1804,6 +2032,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1826,6 +2057,9 @@ "log.offset": 8407, "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -1859,6 +2093,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1881,6 +2118,9 @@ "log.offset": 8615, "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -1914,6 +2154,9 @@ "message": "Received disconnect from 116.31.116.27: 11: [preauth]", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1928,6 +2171,9 @@ "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1942,6 +2188,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1956,6 +2205,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1978,6 +2230,9 @@ "log.offset": 9205, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2011,6 +2266,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2033,6 +2291,9 @@ "log.offset": 9414, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2066,6 +2327,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2088,6 +2352,9 @@ "log.offset": 9623, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2121,6 +2388,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2143,6 +2413,9 @@ "log.offset": 9832, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2176,6 +2449,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2198,6 +2474,9 @@ "log.offset": 10041, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2231,6 +2510,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2245,6 +2527,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2259,6 +2544,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2273,6 +2561,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2797, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2287,6 +2578,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2797, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2309,6 +2603,9 @@ "log.offset": 10728, "process.name": "sshd", "process.pid": 2797, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2342,6 +2639,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2797, + "related.hosts": [ + "slave22" + ], "service.type": "system" } ] \ No newline at end of file diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json index 0203b1a1f3b..88d32188bb7 100644 --- a/filebeat/module/system/auth/test/test.log-expected.json +++ b/filebeat/module/system/auth/test/test.log-expected.json @@ -19,6 +19,9 @@ "log.offset": 0, "process.name": "sshd", "process.pid": 3402, + "related.hosts": [ + "localhost" + ], "related.ip": [ "10.0.2.2" ], @@ -53,6 +56,9 @@ "log.offset": 152, "process.name": "sshd", "process.pid": 7483, + "related.hosts": [ + "localhost" + ], "related.ip": [ "192.168.33.1" ], @@ -86,6 +92,9 @@ "log.offset": 254, "process.name": "sshd", "process.pid": 3430, + "related.hosts": [ + "localhost" + ], "related.ip": [ "10.0.2.2" ], @@ -117,6 +126,9 @@ "log.offset": 324, "process.name": "sshd", "process.pid": 5774, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.24" ], @@ -148,6 +160,9 @@ "input.type": "log", "log.offset": 420, "process.name": "sudo", + "related.hosts": [ + "localhost" + ], "related.user": [ "vagrant" ], @@ -169,6 +184,9 @@ "log.offset": 522, "process.name": "sshd", "process.pid": 18406, + "related.hosts": [ + "slave22" + ], "related.ip": [ "123.57.245.163" ], @@ -195,6 +213,9 @@ "input.type": "log", "log.offset": 617, "process.name": "sudo", + "related.hosts": [ + "localhost" + ], "related.user": [ "vagrant" ], @@ -215,6 +236,9 @@ "input.type": "log", "log.offset": 736, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "tsg" ], @@ -247,6 +271,9 @@ "log.offset": 861, "process.name": "groupadd", "process.pid": 6991, + "related.hosts": [ + "localhost" + ], "service.type": "system" }, { @@ -269,6 +296,9 @@ "log.offset": 934, "process.name": "useradd", "process.pid": 6995, + "related.hosts": [ + "localhost" + ], "related.user": [ "apache" ], diff --git a/filebeat/module/system/auth/test/timestamp.log-expected.json b/filebeat/module/system/auth/test/timestamp.log-expected.json index 8903b63e89e..4d428b4d1cc 100644 --- a/filebeat/module/system/auth/test/timestamp.log-expected.json +++ b/filebeat/module/system/auth/test/timestamp.log-expected.json @@ -12,6 +12,9 @@ "log.offset": 0, "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)", "process.name": "sudo", + "related.hosts": [ + "localhost" + ], "service.type": "system" }, { @@ -27,6 +30,9 @@ "log.offset": 118, "message": "user nobody logged out.", "process.name": "pam", + "related.hosts": [ + "localhost" + ], "service.type": "system" } ] \ No newline at end of file diff --git a/filebeat/module/system/syslog/config/syslog.yml b/filebeat/module/system/syslog/config/syslog.yml index 3cdbd459e68..13f8c95656d 100644 --- a/filebeat/module/system/syslog/config/syslog.yml +++ b/filebeat/module/system/syslog/config/syslog.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/system/syslog/ingest/pipeline.yml b/filebeat/module/system/syslog/ingest/pipeline.yml index e0c80b9aad6..b1352f2ad62 100644 --- a/filebeat/module/system/syslog/ingest/pipeline.yml +++ b/filebeat/module/system/syslog/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing Syslog messages. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: @@ -49,8 +52,13 @@ processors: - remove: field: system.syslog.timestamp - set: - field: event.type + field: event.kind value: event +- append: + field: related.hosts + value: "{{host.hostname}}" + if: "ctx.host?.hostname != null && ctx.host?.hostname != ''" + allow_duplicates: false on_failure: - set: field: error.message diff --git a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json index 5a164aef94f..a5957f19b94 100644 --- a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json +++ b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json @@ -1,9 +1,9 @@ [ { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -14,13 +14,16 @@ "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \n\t\t>>\n\t\tprocessor=\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t>\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -28,13 +31,16 @@ "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "input.type": "log", "log.offset": 1176, diff --git a/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json index 45d44816cd1..6f12a7a5656 100644 --- a/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json +++ b/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json @@ -1,9 +1,9 @@ [ { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -11,13 +11,16 @@ "message": "2016-12-13 11:35:28.419 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp performSelfUpdateWithEngine:] Finished self update check.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -28,13 +31,16 @@ "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \n\t\t>>\n\t\tprocessor=\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t>\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -42,13 +48,16 @@ "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -56,13 +65,16 @@ "message": "2016-12-13 11:35:28.422 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSCheckAction performAction] KSCheckAction checking 2 ticket(s).", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -73,13 +85,16 @@ "message": "2016-12-13 11:35:28.428 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction starting update check for ticket(s): {(\n\t\t\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-06-25 15:40:23\n\t\t\ttagPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\ttagKey=KSChannelID\n\t\t\tbrandPath=/Users/tsg/Library/Google/Google Chrome Brand.plist\n\t\t\tbrandKey=KSBrandID\n\t\t\tversionPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\tversionKey=KSVersion\n\t\t\tcohort=1:1y5:gy3@0.05\n\t\t\tcohortName=Stable\n\t\t\tticketVersion=1\n\t\t>,\n\t\t\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-09-11 20:38:12\n\t\t\tticketVersion=1\n\t\t>\n\t)}\n\tUsing server: \n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -87,13 +102,16 @@ "message": "2016-12-13 11:35:28.446 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Chrome.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.Chrome\")'", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -101,13 +119,16 @@ "message": "2016-12-13 11:35:29.430 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Drive.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.GoogleDrive\")'", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -118,13 +139,16 @@ "message": "2016-12-13 11:35:30.115 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction running KSServerUpdateRequest: \n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"\n\t\tfallbackURLs=(\n\t\t\thttp://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1617080069\n\t\t)\n\t\trunningFetchers=0\n\t\ttickets=2\n\t\tbody=\n\t\t\t\n\t\t\t\n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t\n\t\theaders={\n\t\t\t\"X-GoogleUpdate-Interactivity\" = bg;\n\t\t}\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -132,13 +156,16 @@ "message": "2016-12-13 11:35:30.116 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher start fetch from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -146,13 +173,16 @@ "message": "2016-12-13 11:35:30.117 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) launchedHelperTaskForToolPath:error:] KSOutOfProcessFetcher launched '/Users/tsg/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch' with process id: 21414", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -160,13 +190,16 @@ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher sending both request and download file location to the helper.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -174,13 +207,16 @@ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] KSSendAllDataToHelper() KSHelperTool wrote 2383 bytes to the helper input.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -188,13 +224,16 @@ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] Closing the file handle.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -202,13 +241,16 @@ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher fetching from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -216,13 +258,16 @@ "message": "2016-12-13 11:35:30.149 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] KSHelperReceiveAllData() KSHelperTool read 2383 bytes from stdin.", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -230,13 +275,16 @@ "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a request: { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822 }", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -244,13 +292,16 @@ "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a download path: /tmp/KSOutOfProcessFetcher.QTqOLkktQz/download", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -258,13 +309,16 @@ "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch fetching URL ( { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822 }) to folder:/tmp/KSOutOfProcessFetcher.QTqOLkktQz/download", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -272,13 +326,16 @@ "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Setting up download file handles...", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -286,13 +343,16 @@ "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] -[FetchDelegate fetcher:finishedWithData:] Fetcher downloaded successfully data of length: 0", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -300,13 +360,16 @@ "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch done fetching.", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -314,13 +377,16 @@ "message": "2016-12-13 11:35:30.351 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher is exiting.", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -331,13 +397,16 @@ "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperErrorAvailable:] KSOutOfProcessFetcher helper tool raw STDERR:\n\t:\t<>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -345,13 +414,16 @@ "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperDidTerminate:] KSOutOfProcessFetcher fetch ended for URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -362,13 +434,16 @@ "message": "2016-12-13 11:35:30.355 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(KSServerUpdateRequestDelegate) serverRequest:fetchedWithResponse:] KSUpdateCheckAction received KSServerUpdateResponse: \n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"\n\t\ttickets=2\n\t\tstatus=200\n\t\tdata=\n\t\t\t\n\t\t\t\n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -376,13 +451,16 @@ "message": "2016-12-13 11:35:30.356 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOmahaServer updateInfosForUpdateResponse:updateRequest:infoStore:upToDateTickets:updatedTickets:events:errors:] Response passed CUP validation.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -390,13 +468,16 @@ "message": "2016-12-13 11:35:30.381 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(PrivateMethods) finishAction] KSUpdateCheckAction found updates: {( )}", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -404,13 +485,16 @@ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSPrefetchAction performAction] KSPrefetchAction no updates to prefetch.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -418,13 +502,16 @@ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSSilentUpdateAction had no updates to apply.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -432,13 +519,16 @@ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSPromptAction had no updates to apply.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -446,13 +536,16 @@ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneDelegate) updateEngineFinishedWithErrors:] Keystone finished: errors=0", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -460,13 +553,16 @@ "message": "2016-12-13 11:35:30.385 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine(PrivateMethods) updateFinish] KSUpdateEngine update processing complete.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -477,13 +573,16 @@ "message": "2016-12-13 11:35:31.142 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Done checking for updates for '\"All Products\"' using engine \n\t\t>>\n\t\tprocessor=\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t>\n\t\tdelegate=\n\t\tserverInfoStore=\n\t\terrors=0\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -491,13 +590,16 @@ "message": "2016-12-13 11:35:31.302 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentUploader fetcher:finishedWithData:] Successfully uploaded stats to { URL: https://tools.google.com/service/update2 }", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -508,13 +610,16 @@ "message": "2016-12-13 11:35:31.431 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp uploadStats:] Successfully uploaded stats ", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -522,13 +627,16 @@ "message": "2016-12-13 11:35:32.508 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneThread) runKeystonesInThreadWithArg:] Finished with engine thread", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -536,13 +644,16 @@ "message": "2016-12-13 11:35:32.825 GoogleSoftwareUpdateAgent[21412/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp checkForUpdates] Finished update check.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -550,13 +661,16 @@ "message": "objc[85294]: __weak variable at 0x60000a8499d0 holds 0x2121212121212121 instead of 0x600006a22fa0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -564,26 +678,32 @@ "message": "objc[85294]: __weak variable at 0x60800f047240 holds 0x2121212121212121 instead of 0x608002231220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 15501, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21498])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -591,13 +711,16 @@ "message": "objc[85294]: __weak variable at 0x60000a256990 holds 0x2121212121212121 instead of 0x600006a22420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -605,13 +728,16 @@ "message": "objc[85294]: __weak variable at 0x6080096475d0 holds 0x2121212121212121 instead of 0x608004e21280. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -619,39 +745,48 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 16312, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21556])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 16527, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -659,26 +794,32 @@ "message": "objc[85294]: __weak variable at 0x60000a85a860 holds 0x2121212121212121 instead of 0x600004a3b9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 16952, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21581])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -686,13 +827,16 @@ "message": "objc[85294]: __weak variable at 0x608009840580 holds 0x2121212121212121 instead of 0x608004a22940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -700,26 +844,32 @@ "message": "objc[85294]: __weak variable at 0x608009c5b700 holds 0x2121212121212121 instead of 0x608005830020. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 17693, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21586])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -727,13 +877,16 @@ "message": "objc[85294]: __weak variable at 0x60800ee592d0 holds 0x2121212121212121 instead of 0x608005627220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -741,13 +894,16 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -755,26 +911,32 @@ "message": "objc[85294]: __weak variable at 0x60000c648290 holds 0x2121212121212121 instead of 0x6000050242a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 18504, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21589])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -782,26 +944,32 @@ "message": "objc[85294]: __weak variable at 0x600009840460 holds 0x2121212121212121 instead of 0x60000122e940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 18982, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -809,26 +977,32 @@ "message": "objc[85294]: __weak variable at 0x60000ee5b730 holds 0x2121212121212121 instead of 0x600007821c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 19407, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21946])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -836,13 +1010,16 @@ "message": "objc[85294]: __weak variable at 0x600006a49940 holds 0x2121212121212121 instead of 0x6000078202e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -850,13 +1027,16 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -864,26 +1044,32 @@ "message": "Invoked notification with id: d63743fb-f17b-4e9e-97d0-88e0e7304682", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 20078, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21966])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -891,26 +1077,32 @@ "message": "objc[85294]: __weak variable at 0x60800f043dc0 holds 0x2121212121212121 instead of 0x6080026228c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 20556, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21981])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -918,13 +1110,16 @@ "message": "objc[85294]: __weak variable at 0x608009a53600 holds 0x2121212121212121 instead of 0x608000629420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -932,13 +1127,16 @@ "message": "objc[85294]: __weak variable at 0x60800f259c30 holds 0x2121212121212121 instead of 0x608004a21c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -946,26 +1144,32 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 21367, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22226])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -973,13 +1177,16 @@ "message": "objc[85294]: __weak variable at 0x60000c647d80 holds 0x2121212121212121 instead of 0x600006e3ee80. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -987,26 +1194,32 @@ "message": "objc[85294]: __weak variable at 0x60800f053a80 holds 0x2121212121212121 instead of 0x608007227ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 22108, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22241])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1014,13 +1227,16 @@ "message": "objc[85294]: __weak variable at 0x60000a64ce80 holds 0x2121212121212121 instead of 0x600006629940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1028,26 +1244,32 @@ "message": "objc[85294]: __weak variable at 0x60000a843580 holds 0x2121212121212121 instead of 0x600006629540. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 22849, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22254])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1055,13 +1277,16 @@ "message": "objc[85294]: __weak variable at 0x60800f45b910 holds 0x2121212121212121 instead of 0x608005822c40. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1069,26 +1294,32 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 23397, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1096,26 +1327,32 @@ "message": "objc[85294]: __weak variable at 0x60000ea5edf0 holds 0x2121212121212121 instead of 0x600003a35a60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 23822, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22265])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1123,26 +1360,32 @@ "message": "Invoked notification with id: 52bf37d9-0c4e-4276-8789-9fc7704bdf5b", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 24160, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22292])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1150,13 +1393,16 @@ "message": "Invoked notification with id: c6c7e356-60a7-4b9e-a9b1-ecc2b8ad09f2", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1164,13 +1410,16 @@ "message": "objc[85294]: __weak variable at 0x60800f246430 holds 0x2121212121212121 instead of 0x608001c26d00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1178,13 +1427,16 @@ "message": "objc[85294]: __weak variable at 0x60800c85fd80 holds 0x2121212121212121 instead of 0x608005a3a420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1192,26 +1444,32 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 25094, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22305])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1219,13 +1477,16 @@ "message": "objc[85294]: __weak variable at 0x600006452400 holds 0x2121212121212121 instead of 0x60000763bac0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1233,26 +1494,32 @@ "message": "2016-12-13 12:35:56.416 GoogleSoftwareUpdateAgent[22318/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings: ", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 22318, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 26456, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22324])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1260,13 +1527,16 @@ "message": "objc[85294]: __weak variable at 0x60800f24d0f0 holds 0x2121212121212121 instead of 0x608007423ee0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1274,26 +1544,32 @@ "message": "Invoked notification with id: aa608788-d049-4d1a-9112-521c71702371", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 27057, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1301,26 +1577,32 @@ "message": "Invoked notification with id: d75f9ec1-a8fd-41c2-a45e-6df2952f0702", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 27342, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22336])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1328,13 +1610,16 @@ "message": "objc[85294]: __weak variable at 0x60800a2535a0 holds 0x2121212121212121 instead of 0x608003828e20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1342,13 +1627,16 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1356,26 +1644,32 @@ "message": "objc[85294]: __weak variable at 0x60800f241d50 holds 0x2121212121212121 instead of 0x60800562f380. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", "log.offset": 28153, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22348])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1383,13 +1677,16 @@ "message": "objc[85294]: __weak variable at 0x60000c444450 holds 0x2121212121212121 instead of 0x600007237f00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "a-mac-with-esc-key", "input.type": "log", @@ -1397,6 +1694,9 @@ "message": "objc[85294]: __weak variable at 0x60000c4424a0 holds 0x2121212121212121 instead of 0x600007026520. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" } ] \ No newline at end of file diff --git a/filebeat/module/system/syslog/test/suse-syslog.log-expected.json b/filebeat/module/system/syslog/test/suse-syslog.log-expected.json index f517557a26e..4090efed2e7 100644 --- a/filebeat/module/system/syslog/test/suse-syslog.log-expected.json +++ b/filebeat/module/system/syslog/test/suse-syslog.log-expected.json @@ -1,9 +1,9 @@ [ { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "linux-sqrz", "input.type": "log", @@ -11,13 +11,16 @@ "message": "Stopped target Basic System.", "process.name": "systemd", "process.pid": 4179, + "related.hosts": [ + "linux-sqrz" + ], "service.type": "system" }, { "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "linux-sqrz", "input.type": "log", @@ -25,6 +28,9 @@ "message": "Stopped target Paths.", "process.name": "systemd", "process.pid": 4179, + "related.hosts": [ + "linux-sqrz" + ], "service.type": "system" } ] \ No newline at end of file diff --git a/filebeat/module/system/syslog/test/tz-offset.log-expected.json b/filebeat/module/system/syslog/test/tz-offset.log-expected.json index f2e167a1fd7..905d8cfd95d 100644 --- a/filebeat/module/system/syslog/test/tz-offset.log-expected.json +++ b/filebeat/module/system/syslog/test/tz-offset.log-expected.json @@ -2,9 +2,9 @@ { "@timestamp": "1986-04-25T19:23:45.101-02:00", "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "rmbkmonitor04", "input.type": "log", @@ -13,14 +13,17 @@ "message": "shutting down for system halt", "process.name": "shutdown", "process.pid": 2649, + "related.hosts": [ + "rmbkmonitor04" + ], "service.type": "system" }, { "@timestamp": "1986-04-25T19:23:45.388-02:00", "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "rmbkmonitor04", "input.type": "log", @@ -28,14 +31,17 @@ "log.offset": 89, "message": "constraint_0_power_limit_uw exceeded.", "process.name": "thermald", + "related.hosts": [ + "rmbkmonitor04" + ], "service.type": "system" }, { "@timestamp": "2019-06-14T10:40:20.912-02:00", "event.dataset": "system.syslog", + "event.kind": "event", "event.module": "system", "event.timezone": "-02:00", - "event.type": "event", "fileset.name": "syslog", "host.hostname": "localhost", "input.type": "log", @@ -43,6 +49,9 @@ "log.offset": 184, "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)", "process.name": "sudo", + "related.hosts": [ + "localhost" + ], "service.type": "system" } ] \ No newline at end of file diff --git a/filebeat/module/traefik/access/ingest/pipeline.yml b/filebeat/module/traefik/access/ingest/pipeline.yml index ce489a4a92c..dd5de1b0b0b 100644 --- a/filebeat/module/traefik/access/ingest/pipeline.yml +++ b/filebeat/module/traefik/access/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: Pipeline for parsing Traefik access logs. Requires the geoip and user_agent plugins. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - dissect: field: message pattern: '%{source.address} %{traefik.access.user_identifier} %{user.name} [%{traefik.access.time}] diff --git a/filebeat/processor/add_kubernetes_metadata/matchers_test.go b/filebeat/processor/add_kubernetes_metadata/matchers_test.go index e7b5f3dac56..5fc76514377 100644 --- a/filebeat/processor/add_kubernetes_metadata/matchers_test.go +++ b/filebeat/processor/add_kubernetes_metadata/matchers_test.go @@ -132,7 +132,7 @@ func executeTestWithResourceType(t *testing.T, cfgLogsPath string, cfgResourceTy } logMatcher, err := newLogsPathMatcher(*testConfig) - assert.Nil(t, err) + assert.NoError(t, err) input := common.MapStr{ "log": common.MapStr{ diff --git a/filebeat/registrar/migrate.go b/filebeat/registrar/migrate.go index 4a76771878a..39b63636e3b 100644 --- a/filebeat/registrar/migrate.go +++ b/filebeat/registrar/migrate.go @@ -31,7 +31,6 @@ import ( helper "github.com/elastic/beats/v7/libbeat/common/file" "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/paths" - "github.com/elastic/beats/v7/libbeat/statestore" "github.com/elastic/beats/v7/libbeat/statestore/backend/memlog" ) @@ -214,17 +213,15 @@ func (m *Migrator) updateToVersion1(regHome string) error { registryBackend, err := memlog.New(logp.NewLogger("migration"), memlog.Settings{ Root: m.dataPath, FileMode: m.permissions, - Checkpoint: func(_ uint64) bool { return true }, + Checkpoint: func(sz uint64) bool { return false }, IgnoreVersionCheck: true, }) if err != nil { return errors.Wrap(err, "failed to create new registry backend") } + defer registryBackend.Close() - reg := statestore.NewRegistry(registryBackend) - defer reg.Close() - - store, err := reg.Get("filebeat") + store, err := registryBackend.Access("filebeat") if err != nil { return errors.Wrap(err, "failed to open filebeat registry store") } @@ -234,6 +231,13 @@ func (m *Migrator) updateToVersion1(regHome string) error { return errors.Wrap(err, "failed to migrate registry states") } + if checkpointer, ok := store.(interface{ Checkpoint() error }); ok { + err := checkpointer.Checkpoint() + if err != nil { + return fmt.Errorf("failed to fsync filebeat storage state: %w", err) + } + } + if err := os.Remove(origDataFile); err != nil { return errors.Wrapf(err, "migration complete but failed to remove original data file: %v", origDataFile) } @@ -340,10 +344,9 @@ func fixStates(states []file.State) []file.State { state := &states[i] fixState(state) - id := state.ID() - old, exists := idx[id] + old, exists := idx[state.Id] if !exists { - idx[id] = state + idx[state.Id] = state } else { mergeStates(old, state) // overwrite the entry in 'old' } @@ -364,10 +367,16 @@ func fixStates(states []file.State) []file.State { // fixState updates a read state to fullfil required invariantes: // - "Meta" must be nil if len(Meta) == 0 +// - "Id" must be initialized func fixState(st *file.State) { if len(st.Meta) == 0 { st.Meta = nil } + + if len(st.IdentifierName) == 0 { + identifier, _ := file.NewStateIdentifier(nil) + st.Id, st.IdentifierName = identifier.GenerateID(*st) + } } // resetStates sets all states to finished and disable TTL on restart diff --git a/filebeat/registrar/migrate_bench_test.go b/filebeat/registrar/migrate_bench_test.go new file mode 100644 index 00000000000..2a1ba7820cb --- /dev/null +++ b/filebeat/registrar/migrate_bench_test.go @@ -0,0 +1,141 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build linux darwin + +package registrar + +import ( + "encoding/json" + "flag" + "fmt" + "io/ioutil" + "os" + "path/filepath" + "testing" + + "github.com/elastic/beats/v7/filebeat/input/file" + libfile "github.com/elastic/beats/v7/libbeat/common/file" +) + +var keep bool + +func init() { + flag.BoolVar(&keep, "keep", false, "do not delete test directories") +} + +func BenchmarkMigration0To1(b *testing.B) { + for _, entries := range []int{1, 10, 100, 1000, 10000, 100000} { + b.Run(fmt.Sprintf("%v", entries), func(b *testing.B) { + b.StopTimer() + + dataHome := tempDir(b) + registryHome := filepath.Join(dataHome, "filebeat") + mkDir(b, registryHome) + + metaPath := filepath.Join(registryHome, "meta.json") + dataPath := filepath.Join(registryHome, "data.json") + + states := make([]file.State, entries) + for i := range states { + states[i] = file.State{ + Id: fmt.Sprintf("123455-%v", i), + Source: fmt.Sprintf("/path/to/test/file-%v.log", i), + FileStateOS: libfile.StateOS{ + Inode: uint64(i), + Device: 123455, + }, + } + } + + for i := 0; i < b.N; i++ { + b.StopTimer() + clearDir(b, registryHome) + // cleanup older run + + writeFile(b, metaPath, []byte(`{"version": "0"}`)) + func() { + f, err := os.Create(dataPath) + if err != nil { + b.Fatal(err) + } + defer f.Close() + + enc := json.NewEncoder(f) + if err := enc.Encode(states); err != nil { + b.Fatal(err) + } + }() + + migrator := &Migrator{ + dataPath: dataHome, + permissions: 0600, + } + + b.StartTimer() + if err := migrator.updateToVersion1(registryHome); err != nil { + b.Fatal(err) + } + } + }) + } +} + +func tempDir(t testing.TB) string { + cwd, err := os.Getwd() + if err != nil { + t.Fatal(err) + } + + path, err := ioutil.TempDir(cwd, "") + if err != nil { + t.Fatal(err) + } + + if !keep { + t.Cleanup(func() { + os.RemoveAll(path) + }) + } + return path +} + +func mkDir(t testing.TB, path string) { + if err := os.MkdirAll(path, 0700); err != nil { + t.Fatal(err) + } +} + +func clearDir(t testing.TB, path string) { + old, err := ioutil.ReadDir(path) + if err != nil { + t.Fatal(err) + } + for _, info := range old { + if err := os.RemoveAll(info.Name()); err != nil { + t.Fatal(err) + } + } +} + +func writeFile(t testing.TB, path string, contents []byte) { + t.Helper() + err := ioutil.WriteFile(path, contents, 0600) + if err != nil { + t.Fatal(err) + } +} diff --git a/filebeat/registrar/registrar.go b/filebeat/registrar/registrar.go index 118f7c276db..fa07048d205 100644 --- a/filebeat/registrar/registrar.go +++ b/filebeat/registrar/registrar.go @@ -29,6 +29,7 @@ import ( "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/monitoring" "github.com/elastic/beats/v7/libbeat/statestore" + "github.com/elastic/beats/v7/libbeat/statestore/backend" ) type Registrar struct { @@ -114,7 +115,7 @@ func (r *Registrar) Start() error { // Load the previous log file locations now, for use in input err := r.loadStates() if err != nil { - return fmt.Errorf("Error loading state: %v", err) + return fmt.Errorf("error loading state: %v", err) } r.wg.Add(1) @@ -300,9 +301,9 @@ func readStatesFrom(store *statestore.Store) ([]file.State, error) { return states, nil } -func writeStates(store *statestore.Store, states []file.State) error { +func writeStates(store backend.Store, states []file.State) error { for i := range states { - key := fileStatePrefix + states[i].ID() + key := fileStatePrefix + states[i].Id if err := store.Set(key, states[i]); err != nil { return err } diff --git a/filebeat/scripts/docs_collector.py b/filebeat/scripts/docs_collector.py index 3173146f4e0..5d64a1ab2e2 100644 --- a/filebeat/scripts/docs_collector.py +++ b/filebeat/scripts/docs_collector.py @@ -45,7 +45,7 @@ def collect(beat_name): # Load title from fields.yml with open(beat_path + "/fields.yml", encoding='utf_8') as f: - fields = yaml.load(f.read()) + fields = yaml.load(f.read(), Loader=yaml.FullLoader) title = fields[0]["title"] modules_list[module] = title @@ -61,7 +61,7 @@ def collect(beat_name): """ # Write module docs - docs_path = os.path.join(os.path.abspath("docs"), "modules", module + ".asciidoc") + docs_path = os.path.join(os.path.abspath("docs"), "modules", module + ".asciidoc") with open(docs_path, 'w', encoding='utf_8') as f: f.write(module_file) diff --git a/filebeat/tests/open-file-handlers/log_stdout.py b/filebeat/tests/open-file-handlers/log_stdout.py index c00c7bf2632..3a3f6112842 100644 --- a/filebeat/tests/open-file-handlers/log_stdout.py +++ b/filebeat/tests/open-file-handlers/log_stdout.py @@ -18,5 +18,5 @@ # Setup python log handler handler = logging.handlers.RotatingFileHandler( log_file, maxBytes=line_length * lines_per_file + 1, - backupCount=int(total_lines/lines_per_file) + 1) + backupCount=int(total_lines / lines_per_file) + 1) logger.addHandler(handler) diff --git a/filebeat/tests/system/filebeat.py b/filebeat/tests/system/filebeat.py index 52d6ea0fdda..92df15911bb 100644 --- a/filebeat/tests/system/filebeat.py +++ b/filebeat/tests/system/filebeat.py @@ -3,9 +3,6 @@ import stat import sys -curdir = os.path.dirname(__file__) -sys.path.append(os.path.join(curdir, '../../../libbeat/tests/system')) - from beat.beat import TestCase, TimeoutError, REGEXP_TYPE default_registry_path = 'registry/filebeat' @@ -18,7 +15,7 @@ def setUpClass(self): if not hasattr(self, "beat_name"): self.beat_name = "filebeat" if not hasattr(self, "beat_path"): - self.beat_path = os.path.abspath(os.path.join(curdir, "../../")) + self.beat_path = os.path.abspath(os.path.join(os.path.dirname(__file__), "../../")) super(BaseTest, self).setUpClass() @@ -179,7 +176,7 @@ def contains(self, msg, ignore_case=False, count=1): if ignore_case: msg = msg.lower() - if type(msg) == REGEXP_TYPE: + if isinstance(msg, REGEXP_TYPE): def match(x): return msg.search(x) is not None else: def match(x): return x.find(msg) >= 0 diff --git a/filebeat/tests/system/test_autodiscover.py b/filebeat/tests/system/test_autodiscover.py index 0f8b44b0750..62dd7916437 100644 --- a/filebeat/tests/system/test_autodiscover.py +++ b/filebeat/tests/system/test_autodiscover.py @@ -1,8 +1,10 @@ -import os +import docker import filebeat +import os import unittest from beat.beat import INTEGRATION_TESTS +from contextlib import contextmanager class TestAutodiscover(filebeat.BaseTest): @@ -16,47 +18,30 @@ def test_docker(self): """ Test docker autodiscover starts input """ - import docker - docker_client = docker.from_env() - - self.render_config_template( - inputs=False, - autodiscover={ - 'docker': { - 'cleanup_timeout': '0s', - 'templates': ''' - - condition: - equals.docker.container.image: busybox - config: - - type: log - paths: - - %s/${data.docker.container.image}.log - ''' % self.working_dir, + with self.container_running() as container: + self.render_config_template( + inputs=False, + autodiscover={ + 'docker': { + 'cleanup_timeout': '0s', + 'templates': f''' + - condition: + equals.docker.container.name: {container.name} + config: + - type: log + paths: + - %s/${{data.docker.container.name}}.log + ''' % self.working_dir, + }, }, - }, - ) + ) - with open(os.path.join(self.working_dir, 'busybox.log'), 'wb') as f: - f.write(b'Busybox output 1\n') - - proc = self.start_beat() - docker_client.images.pull('busybox') - docker_client.containers.run('busybox', 'sleep 1') + proc = self.start_beat() + self._test(container) - self.wait_until(lambda: self.log_contains('Starting runner: input')) self.wait_until(lambda: self.log_contains('Stopping runner: input')) - - output = self.read_output_json() proc.check_kill_and_wait() - # Check metadata is added - assert output[0]['message'] == 'Busybox output 1' - assert output[0]['container']['image']['name'] == 'busybox' - assert output[0]['docker']['container']['labels'] == {} - assert 'name' in output[0]['container'] - - self.assert_fields_are_documented(output[0]) - @unittest.skipIf(not INTEGRATION_TESTS or os.getenv("TESTING_ENVIRONMENT") == "2x", "integration test not available on 2.x") @@ -64,41 +49,47 @@ def test_default_settings(self): """ Test docker autodiscover default config settings """ - import docker - docker_client = docker.from_env() - - self.render_config_template( - inputs=False, - autodiscover={ - 'docker': { - 'cleanup_timeout': '0s', - 'hints.enabled': 'true', - 'hints.default_config': ''' - type: log - paths: - - %s/${data.container.image}.log - ''' % self.working_dir, + with self.container_running() as container: + self.render_config_template( + inputs=False, + autodiscover={ + 'docker': { + 'cleanup_timeout': '0s', + 'hints.enabled': 'true', + 'hints.default_config': ''' + type: log + paths: + - %s/${data.container.name}.log + ''' % self.working_dir, + }, }, - }, - ) + ) + proc = self.start_beat() + self._test(container) - with open(os.path.join(self.working_dir, 'busybox.log'), 'wb') as f: - f.write(b'Busybox output 1\n') + self.wait_until(lambda: self.log_contains('Stopping runner: input')) + proc.check_kill_and_wait() - proc = self.start_beat() - docker_client.images.pull('busybox') - docker_client.containers.run('busybox', 'sleep 1') + def _test(self, container): + with open(os.path.join(self.working_dir, f'{container.name}.log'), 'wb') as f: + f.write(b'Busybox output 1\n') self.wait_until(lambda: self.log_contains('Starting runner: input')) - self.wait_until(lambda: self.log_contains('Stopping runner: input')) + self.wait_until(lambda: self.output_has(lines=1)) output = self.read_output_json() - proc.check_kill_and_wait() # Check metadata is added assert output[0]['message'] == 'Busybox output 1' - assert output[0]['container']['image']['name'] == 'busybox' - assert output[0]['docker']['container']['labels'] == {} + assert output[0]['container']['name'] == container.name + assert output[0]['docker']['container']['labels'] == container.labels assert 'name' in output[0]['container'] self.assert_fields_are_documented(output[0]) + + @contextmanager + def container_running(self, image_name='busybox:latest'): + docker_client = docker.from_env() + container = docker_client.containers.run(image_name, 'sleep 60', detach=True, remove=True) + yield container + container.remove(force=True) diff --git a/filebeat/tests/system/test_base.py b/filebeat/tests/system/test_base.py index 80394e0a34e..2b73a0165a7 100644 --- a/filebeat/tests/system/test_base.py +++ b/filebeat/tests/system/test_base.py @@ -3,9 +3,10 @@ from filebeat import BaseTest from elasticsearch import Elasticsearch from beat.beat import INTEGRATION_TESTS +from beat import common_tests -class Test(BaseTest): +class Test(BaseTest, common_tests.TestExportsMixin): def test_base(self): """ diff --git a/filebeat/tests/system/test_container.py b/filebeat/tests/system/test_container.py index deb5cb12aab..ee0df7eb8e9 100644 --- a/filebeat/tests/system/test_container.py +++ b/filebeat/tests/system/test_container.py @@ -28,7 +28,7 @@ def test_container_input(self): filebeat = self.start_beat() - self.wait_until(lambda: self.output_has(lines=21)) + self.wait_until(lambda: self.output_has(lines=21)) filebeat.check_kill_and_wait() diff --git a/filebeat/tests/system/test_crawler.py b/filebeat/tests/system/test_crawler.py index 2b22e7e830b..f3b5d0877a6 100644 --- a/filebeat/tests/system/test_crawler.py +++ b/filebeat/tests/system/test_crawler.py @@ -1,13 +1,10 @@ # -*- coding: utf-8 -*- - -from filebeat import BaseTest - import codecs import os +import shutil import time import unittest -from nose.plugins.skip import Skip, SkipTest -import shutil +from filebeat import BaseTest # Additional tests to be added: # * Check what happens when file renamed -> no recrawling should happen @@ -767,7 +764,7 @@ def test_file_no_permission(self): """ if os.name != "nt" and os.geteuid() == 0: # root ignores permission flags, so we have to skip the test - raise SkipTest + raise unittest.SkipTest self.render_config_template( path=os.path.abspath(self.working_dir) + "/log/*", @@ -789,7 +786,7 @@ def test_file_no_permission(self): if os.name == "nt": - raise SkipTest + raise unittest.SkipTest # TODO: Currently skipping this test on windows as it requires `pip install win32api` # which seems to have windows only dependencies. # To solve this problem a requirements_windows.txt could be introduced which would diff --git a/filebeat/tests/system/test_harvester.py b/filebeat/tests/system/test_harvester.py index be2e4f42b8f..cb30dc4976b 100644 --- a/filebeat/tests/system/test_harvester.py +++ b/filebeat/tests/system/test_harvester.py @@ -79,7 +79,7 @@ def test_close_renamed(self): def test_close_removed(self): """ - Checks that a file is closed if removed + Checks that a file is closed if removed with native file identifier """ self.render_config_template( path=os.path.abspath(self.working_dir) + "/log/test.log", diff --git a/filebeat/tests/system/test_input.py b/filebeat/tests/system/test_input.py index 684f4f852af..7192fd956d5 100644 --- a/filebeat/tests/system/test_input.py +++ b/filebeat/tests/system/test_input.py @@ -2,7 +2,9 @@ from filebeat import BaseTest import os +import sys import time +import unittest from beat.beat import Proc @@ -682,3 +684,113 @@ def test_input_processing_pipeline_disable_host(self): output = self.read_output() assert "host.name" not in output[0] + + def test_path_based_identity_tracking(self): + """ + Renamed files are picked up again as the path of the file has changed. + """ + self.render_config_template( + path=os.path.abspath(self.working_dir) + "/log/*", + close_eof="true", + input_raw=" file_identity.path: ~", + ) + + testfile = os.path.join(self.working_dir, "log", "test.log") + self.__write_hello_word_to_test_input_file(testfile) + + proc = self.start_beat() + + # wait until the file is picked up + self.wait_until(lambda: self.output_has(lines=1)) + + renamedfile = os.path.join(self.working_dir, "log", "renamed.log") + os.rename(testfile, renamedfile) + + # wait until the both messages are received by the output + self.wait_until(lambda: self.output_has(lines=2)) + proc.check_kill_and_wait() + + # assert that renaming of the file went undetected + assert not self.log_contains("File rename was detected:" + testfile + " -> " + renamedfile) + + @unittest.skip("Skipped as flaky: https://github.com/elastic/beats/issues/20010") + @unittest.skipIf(sys.platform.startswith("win"), "inode_marker is not supported on windows") + def test_inode_marker_based_identity_tracking(self): + """ + File is picked up again if the contents of the marker file changes. + """ + + marker_location = os.path.join(self.working_dir, "marker") + with open(marker_location, 'w') as m: + m.write("very-unique-string") + + self.render_config_template( + path=os.path.abspath(self.working_dir) + "/log/*", + close_eof="true", + input_raw=" file_identity.inode_marker.path: " + marker_location, + ) + + testfile = os.path.join(self.working_dir, "log", "test.log") + self.__write_hello_word_to_test_input_file(testfile) + + proc = self.start_beat() + + # wait until the file is picked up + self.wait_until(lambda: self.log_contains("Start harvester for new file: " + testfile)) + + # change the ID in the marker file to simulate a new file + with open(marker_location, 'w') as m: + m.write("different-very-unique-id") + + self.wait_until(lambda: self.log_contains("Start harvester for new file: " + testfile)) + + # wait until the both messages are received by the output + self.wait_until(lambda: self.output_has(lines=2)) + proc.check_kill_and_wait() + + @unittest.skipIf(sys.platform.startswith("win"), "inode_marker is not supported on windows") + def test_inode_marker_based_identity_tracking_to_path_based(self): + """ + File reading can be continued after file_identity is changed. + """ + + marker_location = os.path.join(self.working_dir, "marker") + with open(marker_location, 'w') as m: + m.write("very-unique-string") + + self.render_config_template( + path=os.path.abspath(self.working_dir) + "/log/*", + input_raw=" file_identity.inode_marker.path: " + marker_location, + ) + + testfile = os.path.join(self.working_dir, "log", "test.log") + self.__write_hello_word_to_test_input_file(testfile) + + proc = self.start_beat() + + # wait until the file is picked up + self.wait_until(lambda: self.log_contains("Start harvester for new file: " + testfile)) + + self.wait_until(lambda: self.output_has(lines=1)) + proc.check_kill_and_wait() + + self.render_config_template( + path=os.path.abspath(self.working_dir) + "/log/*", + rotateonstartup="false", + input_raw=" file_identity.path: ~", + ) + + with open(testfile, 'w+') as f: + f.write("hello world again\n") + + proc = self.start_beat() + + # on startup output is rotated + self.wait_until(lambda: self.output_has(lines=1, output_file="output/filebeat.1")) + self.wait_until(lambda: self.output_has(lines=1)) + proc.check_kill_and_wait() + + def __write_hello_word_to_test_input_file(self, testfile): + os.mkdir(self.working_dir + "/log/") + with open(testfile, 'w') as f: + f.write("hello world\n") diff --git a/filebeat/tests/system/test_load.py b/filebeat/tests/system/test_load.py index b53a8d18032..6a35a6ce250 100644 --- a/filebeat/tests/system/test_load.py +++ b/filebeat/tests/system/test_load.py @@ -1,12 +1,12 @@ -from filebeat import BaseTest import os import logging import logging.handlers import json import time import unittest -from nose.plugins.skip import Skip, SkipTest -from nose.plugins.attrib import attr +import pytest + +from filebeat import BaseTest """ Test filebeat under different load scenarios @@ -25,7 +25,7 @@ def test_no_missing_events(self): if os.name == "nt": # This test is currently skipped on windows because very fast file # rotation cannot happen when harvester has file handler still open. - raise SkipTest + raise unittest.SkipTest log_file = self.working_dir + "/log/test.log" os.mkdir(self.working_dir + "/log/") @@ -63,7 +63,7 @@ def test_no_missing_events(self): for i in range(total_lines): # Make sure each line has the same length line = format(i, str(line_length - 1)) - logger.debug("%d", i) + logger.warning("%d", i) # wait until all lines are read self.wait_until( @@ -106,7 +106,7 @@ def test_no_missing_events(self): assert len(entry_list) == total_lines @unittest.skipUnless(LOAD_TESTS, "load test") - @attr('load') + @pytest.mark.load def test_large_number_of_files(self): """ Tests the number of files filebeat can open on startup @@ -148,7 +148,7 @@ def test_large_number_of_files(self): assert len(data) == number_of_files @unittest.skipUnless(LOAD_TESTS, "load test") - @attr('load') + @pytest.mark.load def test_concurrent_harvesters(self): """ Test large number of files on startup if harvester overlap happens and would create too many events diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py index 727775d8fa7..d449258c40f 100644 --- a/filebeat/tests/system/test_modules.py +++ b/filebeat/tests/system/test_modules.py @@ -75,14 +75,6 @@ def init(self): self.index_name = "test-filebeat-modules" - body = { - "transient": { - "script.max_compilations_rate": "2000/1m" - } - } - - self.es.transport.perform_request('PUT', "/_cluster/settings", body=body) - @parameterized.expand(load_fileset_test_cases) @unittest.skipIf(not INTEGRATION_TESTS, "integration tests are disabled, run with INTEGRATION_TESTS=1 to enable them.") @@ -113,7 +105,7 @@ def run_on_file(self, module, fileset, test_file, cfgfile): try: self.es.indices.delete(index=self.index_name) - except: + except BaseException: pass self.wait_until(lambda: not self.es.indices.exists(self.index_name)) @@ -169,8 +161,12 @@ def run_on_file(self, module, fileset, test_file, cfgfile): assert obj["event"]["module"] == module, "expected event.module={} but got {}".format( module, obj["event"]["module"]) - assert "error" not in obj, "not error expected but got: {}".format( - obj) + # All modules must include a set processor that adds the time that + # the event was ingested to Elasticsearch + assert "ingested" in obj["event"], "missing event.ingested timestamp" + + assert "error" not in obj, "not error expected but got: {}.\n The related error message is: {}".format( + obj, obj["error"].get("message")) if (module == "auditd" and fileset == "log") \ or (module == "osquery" and fileset == "result"): @@ -222,7 +218,7 @@ def clean_keys(obj): host_keys.append("host.name") # The create timestamps area always new - time_keys = ["event.created"] + time_keys = ["event.created", "event.ingested"] # source path and agent.version can be different for each run other_keys = ["log.file.path", "agent.version"] # ECS versions change for any ECS release, large or small @@ -230,21 +226,42 @@ def clean_keys(obj): # datasets for which @timestamp is removed due to date missing remove_timestamp = { "activemq.audit", + "barracuda.spamfirewall", "barracuda.waf", "bluecoat.director", "cef.log", "cisco.asa", "cisco.ios", - "f5.firepass", + "citrix.netscaler", + "cyberark.corepas", + "cylance.protect", + "f5.bigipafm", + "fortinet.clientendpoint", "haproxy.log", "icinga.startup", "imperva.securesphere", "infoblox.nios", "iptables.log", - "rapid7.nexpose", + "juniper.netscreen", + "netscout.sightline", + "proofpoint.emailsecurity", "redis.log", + "snort.log", + "symantec.endpointprotection", "system.auth", "system.syslog", + "microsoft.defender_atp", + "crowdstrike.falcon_endpoint", + "crowdstrike.falcon_audit", + "gsuite.admin", + "gsuite.config", + "gsuite.drive", + "gsuite.groups", + "gsuite.ingest", + "gsuite.login", + "gsuite.saml", + "gsuite.user_accounts", + "zoom.webhook", } # dataset + log file pairs for which @timestamp is kept as an exception from above remove_timestamp_exception = { diff --git a/filebeat/tests/system/test_multiline.py b/filebeat/tests/system/test_multiline.py index 9366028f75a..ee5384ef5ef 100644 --- a/filebeat/tests/system/test_multiline.py +++ b/filebeat/tests/system/test_multiline.py @@ -18,7 +18,7 @@ def test_java_elasticsearch_log(self): path=os.path.abspath(self.working_dir) + "/log/*", multiline=True, multiline_type="pattern", - pattern="^\[", + pattern=r"^\[", negate="true", match="after" ) @@ -126,7 +126,7 @@ def test_max_lines(self): path=os.path.abspath(self.working_dir) + "/log/*", multiline=True, multiline_type="pattern", - pattern="^\[", + pattern=r"^\[", negate="true", match="after", max_lines=3 @@ -165,7 +165,7 @@ def test_timeout(self): path=os.path.abspath(self.working_dir) + "/log/*", multiline=True, multiline_type="pattern", - pattern="^\[", + pattern=r"^\[", negate="true", match="after", ) @@ -210,7 +210,7 @@ def test_max_bytes(self): path=os.path.abspath(self.working_dir) + "/log/*", multiline=True, multiline_type="pattern", - pattern="^\[", + pattern=r"^\[", negate="true", match="after", max_bytes=60 @@ -247,7 +247,7 @@ def test_close_timeout_with_multiline(self): path=os.path.abspath(self.working_dir) + "/log/*", multiline=True, multiline_type="pattern", - pattern="^\[", + pattern=r"^\[", negate="true", match="after", close_timeout="2s", @@ -303,7 +303,7 @@ def test_consecutive_newline(self): path=os.path.abspath(self.working_dir) + "/log/*", multiline=True, multiline_type="pattern", - pattern="^\[", + pattern=r"^\[", negate="true", match="after", close_timeout="2s", diff --git a/filebeat/tests/system/test_pipeline.py b/filebeat/tests/system/test_pipeline.py index 7b5b6c381bd..afb3219e62d 100644 --- a/filebeat/tests/system/test_pipeline.py +++ b/filebeat/tests/system/test_pipeline.py @@ -41,18 +41,10 @@ def test_input_pipeline_config(self): index_name = "filebeat-test-input" try: self.es.indices.delete(index=index_name) - except: + except BaseException: pass self.wait_until(lambda: not self.es.indices.exists(index_name)) - body = { - "transient": { - "script.max_compilations_rate": "100/1m" - } - } - - self.es.transport.perform_request('PUT', "/_cluster/settings", body=body) - self.render_config_template( path=os.path.abspath(self.working_dir) + "/log/*", elasticsearch=dict( @@ -91,7 +83,7 @@ def search_objects(): res = self.es.search(index=index_name, body={"query": {"match_all": {}}}) return [o["_source"] for o in res["hits"]["hits"]] - except: + except BaseException: return [] self.wait_until(lambda: len(search_objects()) > 0, max_timeout=20) diff --git a/filebeat/tests/system/test_publisher.py b/filebeat/tests/system/test_publisher.py index 227f09d1050..3f018cab6f3 100644 --- a/filebeat/tests/system/test_publisher.py +++ b/filebeat/tests/system/test_publisher.py @@ -1,11 +1,9 @@ -from filebeat import BaseTest - import os import platform import time import shutil import json -from nose.plugins.skip import Skip, SkipTest +from filebeat import BaseTest # Additional tests: to be implemented diff --git a/filebeat/tests/system/test_registrar.py b/filebeat/tests/system/test_registrar.py index 5dda351a5f9..9e9e9a31e42 100644 --- a/filebeat/tests/system/test_registrar.py +++ b/filebeat/tests/system/test_registrar.py @@ -7,9 +7,7 @@ import stat import time import unittest - from filebeat import BaseTest -from nose.plugins.skip import SkipTest # Additional tests: to be implemented @@ -63,10 +61,8 @@ def test_registrar_file_content(self): logfile_abs_path = os.path.abspath(testfile_path) record = self.get_registry_entry_by_path(logfile_abs_path) - self.assertDictContainsSubset({ - "source": logfile_abs_path, - "offset": iterations * line_len, - }, record) + self.assertEqual(logfile_abs_path, record.get('source')) + self.assertEqual(iterations * line_len, record.get('offset')) self.assertTrue("FileStateOS" in record) self.assertTrue("meta" not in record) file_state_os = record["FileStateOS"] @@ -84,10 +80,8 @@ def test_registrar_file_content(self): self.assertTrue("device" in file_state_os) else: stat = os.stat(logfile_abs_path) - self.assertDictContainsSubset({ - "inode": stat.st_ino, - "device": stat.st_dev, - }, file_state_os) + self.assertEqual(stat.st_ino, file_state_os.get('inode')) + self.assertEqual(stat.st_dev, file_state_os.get('device')) def test_registrar_files(self): """ @@ -163,7 +157,7 @@ def test_registry_file_default_permissions(self): if os.name == "nt": # This test is currently skipped on windows because file permission # configuration isn't implemented on Windows yet - raise SkipTest + raise unittest.SkipTest registry_home = "a/b/c/registry" registry_path = os.path.join(registry_home, "filebeat") @@ -197,7 +191,7 @@ def test_registry_file_custom_permissions(self): if os.name == "nt": # This test is currently skipped on windows because file permission # configuration isn't implemented on Windows yet - raise SkipTest + raise unittest.SkipTest registry_home = "a/b/c/registry" registry_path = os.path.join(registry_home, "filebeat") @@ -232,7 +226,7 @@ def test_registry_file_update_permissions(self): if os.name == "nt": # This test is currently skipped on windows because file permission # configuration isn't implemented on Windows yet - raise SkipTest + raise unittest.SkipTest registry_home = "a/b/c/registry_x" registry_path = os.path.join(registry_home, "filebeat") @@ -349,7 +343,7 @@ def test_data_path(self): self.wait_until(lambda: self.output_has(lines=1)) filebeat.check_kill_and_wait() - assert self.has_registry(data_path=self.working_dir+"/datapath") + assert self.has_registry(data_path=self.working_dir + "/datapath") def test_rotating_file_inode(self): """ @@ -363,7 +357,7 @@ def test_rotating_file_inode(self): ) if os.name == "nt": - raise SkipTest + raise unittest.SkipTest os.mkdir(self.working_dir + "/log/") testfile_path = self.working_dir + "/log/input" @@ -453,7 +447,7 @@ def test_restart_continue(self): ) if os.name == "nt": - raise SkipTest + raise unittest.SkipTest os.mkdir(self.working_dir + "/log/") testfile_path = self.working_dir + "/log/input" @@ -527,7 +521,7 @@ def test_rotating_file_with_restart(self): ) if os.name == "nt": - raise SkipTest + raise unittest.SkipTest os.mkdir(self.working_dir + "/log/") testfile_path = self.working_dir + "/log/input" @@ -772,7 +766,8 @@ def test_state_after_rotation_ignore_older(self): assert self.get_registry_entry_by_path(os.path.abspath(testfile_path1))["offset"] == 9 assert self.get_registry_entry_by_path(os.path.abspath(testfile_path2))["offset"] == 8 - @unittest.skipIf(os.name == 'nt' or platform.system() == "Darwin", 'flaky test https://github.com/elastic/beats/issues/8102') + @unittest.skipIf(os.name == 'nt' or platform.system() == "Darwin", + 'flaky test https://github.com/elastic/beats/issues/8102') def test_clean_inactive(self): """ Checks that states are properly removed after clean_inactive @@ -932,8 +927,8 @@ def test_restart_state(self): ignore_older="2000ms", ) - init_files = ["test"+str(i)+".log" for i in range(3)] - restart_files = ["test"+str(i+3)+".log" for i in range(1)] + init_files = ["test" + str(i) + ".log" for i in range(3)] + restart_files = ["test" + str(i + 3) + ".log" for i in range(1)] for name in init_files: self.input_logs.write(name, "Hello World\n") @@ -1320,10 +1315,8 @@ def test_registrar_files_with_input_level_processors(self): logfile_abs_path = os.path.abspath(testfile_path1) record = self.get_registry_entry_by_path(logfile_abs_path) - self.assertDictContainsSubset({ - "source": logfile_abs_path, - "offset": iterations * (len("hello world") + len(os.linesep)), - }, record) + self.assertEqual(logfile_abs_path, record.get('source')) + self.assertEqual(iterations * (len("hello world") + len(os.linesep)), record.get('offset')) self.assertTrue("FileStateOS" in record) file_state_os = record["FileStateOS"] @@ -1340,10 +1333,8 @@ def test_registrar_files_with_input_level_processors(self): self.assertTrue("device" in file_state_os) else: stat = os.stat(logfile_abs_path) - self.assertDictContainsSubset({ - "inode": stat.st_ino, - "device": stat.st_dev, - }, file_state_os) + self.assertEqual(stat.st_ino, file_state_os.get('inode')) + self.assertEqual(stat.st_dev, file_state_os.get('device')) def test_registrar_meta(self): """ diff --git a/filebeat/tests/system/test_registrar_upgrade.py b/filebeat/tests/system/test_registrar_upgrade.py index 7a077caea51..1e45d50eb84 100644 --- a/filebeat/tests/system/test_registrar_upgrade.py +++ b/filebeat/tests/system/test_registrar_upgrade.py @@ -3,8 +3,7 @@ import os import json - -from nose.plugins.skip import Skip, SkipTest +import unittest from filebeat import BaseTest @@ -55,7 +54,7 @@ def prepare_log(self): # test is current skipped on windows, due to FileStateOS must match the # current OS format. if os.name == "nt": - raise SkipTest + raise unittest.SkipTest self.render_config_template( path=os.path.abspath(self.working_dir) + "/log/*" @@ -95,5 +94,5 @@ def validate_if_registry_is_moved_under_folder(self): assert os.path.isdir(migrated_registry_dir) assert os.path.isdir(migrated_registry_dir + "/filebeat") assert os.path.isfile(migrated_registry_dir + "/filebeat/log.json") - assert os.path.isfile(migrated_registry_dir + "/filebeat/1.json") + assert os.path.isfile(migrated_registry_dir + "/filebeat/2.json") assert os.path.isfile(migrated_registry_dir + "/filebeat/active.dat") diff --git a/filebeat/tests/system/test_setup.py b/filebeat/tests/system/test_setup.py index dc77ca56acf..bd1a96a9194 100644 --- a/filebeat/tests/system/test_setup.py +++ b/filebeat/tests/system/test_setup.py @@ -60,4 +60,8 @@ def _setup_dummy_module(self): os.mkdir(directory) copytree(self.beat_path + "/tests/system/input/template-test-module", modules_path + "/template-test-module") - copyfile(self.beat_path + "/tests/system/input/template-test-module/_meta/config.yml", modules_d_path + "/test.yml") + copyfile( + self.beat_path + + "/tests/system/input/template-test-module/_meta/config.yml", + modules_d_path + + "/test.yml") diff --git a/filebeat/tests/system/test_tcp_tls.py b/filebeat/tests/system/test_tcp_tls.py index 83813a5ccaa..4001fd863c9 100644 --- a/filebeat/tests/system/test_tcp_tls.py +++ b/filebeat/tests/system/test_tcp_tls.py @@ -1,9 +1,10 @@ -from filebeat import BaseTest import socket import ssl import unittest +import pytest + +from filebeat import BaseTest from os import path -from nose.tools import raises, assert_raises NUMBER_OF_EVENTS = 2 @@ -86,7 +87,6 @@ def test_tcp_over_tls_and_verify_valid_server_without_mutual_auth(self): sock.close() - @raises(ssl.SSLError) def test_tcp_over_tls_and_verify_invalid_server_without_mutual_auth(self): """ Test filebeat TCP with TLS with an invalid cacert and not requiring mutual auth. @@ -123,9 +123,10 @@ def test_tcp_over_tls_and_verify_invalid_server_without_mutual_auth(self): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # TCP tls = ssl.wrap_socket(sock, cert_reqs=ssl.CERT_REQUIRED, ca_certs=CERTIFICATE2, do_handshake_on_connect=True) - tls.connect((config.get('host'), config.get('port'))) - @raises(ssl.SSLError) + with pytest.raises(ssl.SSLError): + tls.connect((config.get('host'), config.get('port'))) + def test_tcp_over_tls_mutual_auth_fails(self): """ Test filebeat TCP with TLS with default setting to enforce client auth, with bad client certificates @@ -162,12 +163,13 @@ def test_tcp_over_tls_mutual_auth_fails(self): tls = ssl.wrap_socket(sock, cert_reqs=ssl.CERT_REQUIRED, ca_certs=CERTIFICATE1, do_handshake_on_connect=True) - tls.connect((config.get('host'), config.get('port'))) - # In TLS 1.3 authentication failures are not detected by the initial - # connection and handshake. For the client to detect that authentication - # has failed (at least in python) it must wait for a server response - # so that the failure can be reported as an exception when it arrives. - tls.recv(1) + with pytest.raises(ssl.SSLError): + tls.connect((config.get('host'), config.get('port'))) + # In TLS 1.3 authentication failures are not detected by the initial + # connection and handshake. For the client to detect that authentication + # has failed (at least in python) it must wait for a server response + # so that the failure can be reported as an exception when it arrives. + tls.recv(1) def test_tcp_over_tls_mutual_auth_succeed(self): """ @@ -265,7 +267,7 @@ def test_tcp_tls_with_a_plain_text_socket(self): # The TLS handshake will close the connection, resulting in a broken pipe. # no events should be written on disk. - with assert_raises(IOError): + with pytest.raises(IOError): for n in range(0, 100000): sock.send(bytes("Hello World: " + str(n) + "\n", "utf-8")) diff --git a/filebeat/tests/system/test_unix.py b/filebeat/tests/system/test_unix.py index 66d261f3c91..bb9b7f25bd5 100644 --- a/filebeat/tests/system/test_unix.py +++ b/filebeat/tests/system/test_unix.py @@ -1,14 +1,16 @@ -from filebeat import BaseTest import os +import platform import socket import tempfile import unittest +from filebeat import BaseTest # AF_UNIX support in python isn't available until # Python 3.9, see https://bugs.python.org/issue33408 @unittest.skipIf(not hasattr(socket, 'AF_UNIX'), "No Windows AF_UNIX support before Python 3.9") +@unittest.skipIf(platform.system() == 'Darwin', 'Flaky test: https://github.com/elastic/beats/issues/20941') class Test(BaseTest): """ Test filebeat UNIX input diff --git a/generator/Jenkinsfile.yml b/generator/Jenkinsfile.yml new file mode 100644 index 00000000000..071d24858bb --- /dev/null +++ b/generator/Jenkinsfile.yml @@ -0,0 +1,43 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^generator/.*" + - "#generator/common/beatgen" ## special token regarding the project dependency + - "#metricbeat/beater" ## special token regarding the project dependency + - "@ci" ## special token regarding the changeset for the ci + - "@oss" ## special token regarding the changeset for the oss + comments: ## when PR comment contains any of those entries + - "/test generator" + labels: ## when PR labels matches any of those entries + - "generator" + parameters: ## when parameter was selected in the UI. + - "generator" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + metricbeat-test: + make: "make -C generator/_templates/metricbeat test test-package" + beat-test: + make: "make -C generator/_templates/beat test test-package" + macos-metricbeat: + make: "make -C generator/_templates/metricbeat test" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test generator for macos" + labels: + - "macOS" + parameters: + - "macosTest" + macos-beat: + make: "make -C generator/_templates/beat test" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test generator for macos" + labels: + - "macOS" + parameters: + - "macosTest" diff --git a/generator/_templates/beat/{beat}/tests/system/{beat}.py b/generator/_templates/beat/{beat}/tests/system/{beat}.py index 9cf1a5879a1..9bd7453c6fd 100644 --- a/generator/_templates/beat/{beat}/tests/system/{beat}.py +++ b/generator/_templates/beat/{beat}/tests/system/{beat}.py @@ -1,6 +1,5 @@ import os import sys -sys.path.append('../../vendor/github.com/elastic/beats/libbeat/tests/system') from beat.beat import TestCase diff --git a/generator/common/beatgen/setup/setup.go b/generator/common/beatgen/setup/setup.go index 42098c40f4d..0bae5ff18e2 100644 --- a/generator/common/beatgen/setup/setup.go +++ b/generator/common/beatgen/setup/setup.go @@ -35,7 +35,11 @@ func InitModule() error { return errors.Wrap(err, "error initializing a module for the Beat") } - return copyReplacedModules() + err = copyReplacedModules() + if err != nil { + return errors.Wrap(err, "error adding replaced modules to go.mod") + } + return gotool.Mod.Tidy() } func copyReplacedModules() error { diff --git a/go.mod b/go.mod index 7bbd6168394..2fafe750879 100644 --- a/go.mod +++ b/go.mod @@ -5,6 +5,7 @@ go 1.14 require ( 4d63.com/tz v1.1.1-0.20191124060701-6d37baae851b cloud.google.com/go v0.51.0 + cloud.google.com/go/bigquery v1.0.1 cloud.google.com/go/pubsub v1.0.1 cloud.google.com/go/storage v1.0.0 code.cloudfoundry.org/go-diodes v0.0.0-20190809170250-f77fb823c7ee // indirect @@ -18,14 +19,13 @@ require ( github.com/Azure/go-autorest/autorest/adal v0.8.1 github.com/Azure/go-autorest/autorest/azure/auth v0.4.2 github.com/Azure/go-autorest/autorest/date v0.2.0 - github.com/Masterminds/semver v1.4.2 github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5 - github.com/Shopify/sarama v0.0.0-00010101000000-000000000000 + github.com/Shopify/sarama v1.27.0 github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6 github.com/aerospike/aerospike-client-go v1.27.1-0.20170612174108-0f3b54da6bdc github.com/akavel/rsrc v0.8.0 // indirect github.com/andrewkroh/sys v0.0.0-20151128191922-287798fe3e43 - github.com/antlr/antlr4 v0.0.0-20200225173536-225249fdaef5 + github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77 // indirect github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 github.com/aws/aws-lambda-go v1.6.0 @@ -53,14 +53,14 @@ require ( github.com/docker/go-metrics v0.0.1 // indirect github.com/docker/go-plugins-helpers v0.0.0-20181025120712-1e6269c305b8 github.com/docker/go-units v0.4.0 - github.com/dop251/goja v0.0.0-00010101000000-000000000000 + github.com/dop251/goja v0.0.0-20200831102558-9af81ddcf0e1 github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4 github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2 - github.com/elastic/ecs v1.5.0 + github.com/elastic/ecs v1.6.0 github.com/elastic/elastic-agent-client/v7 v7.0.0-20200709172729-d43b7ad5833a - github.com/elastic/go-concert v0.0.3 - github.com/elastic/go-libaudit/v2 v2.0.0-20200515221334-92371bef3fb8 + github.com/elastic/go-concert v0.0.4 + github.com/elastic/go-libaudit/v2 v2.0.2 github.com/elastic/go-licenser v0.3.1 github.com/elastic/go-lookslike v0.3.0 github.com/elastic/go-lumber v0.1.0 @@ -71,9 +71,9 @@ require ( github.com/elastic/go-txfile v0.0.7 github.com/elastic/go-ucfg v0.8.3 github.com/elastic/go-windows v1.0.1 // indirect - github.com/elastic/gosigar v0.10.5 + github.com/elastic/gosigar v0.10.6-0.20200715000138-f115143bb233 github.com/fatih/color v1.5.0 - github.com/fsnotify/fsevents v0.0.0-00010101000000-000000000000 + github.com/fsnotify/fsevents v0.1.1 github.com/fsnotify/fsnotify v1.4.7 github.com/garyburd/redigo v1.0.1-0.20160525165706-b8dc90050f24 github.com/go-ole/go-ole v1.2.5-0.20190920104607-14974a1cf647 // indirect @@ -123,7 +123,7 @@ require ( github.com/oklog/ulid v1.3.1 github.com/opencontainers/go-digest v1.0.0-rc1.0.20190228220655-ac19fd6e7483 // indirect github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6 // indirect - github.com/pierrre/gotestcover v0.0.0-20160113212533-7b94f124d338 + github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0 github.com/pkg/errors v0.9.1 github.com/pmezard/go-difflib v1.0.0 github.com/poy/eachers v0.0.0-20181020210610-23942921fe77 // indirect @@ -150,7 +150,7 @@ require ( github.com/vmware/govmomi v0.0.0-20170802214208-2cad15190b41 github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c github.com/yuin/gopher-lua v0.0.0-20170403160031-b402f3114ec7 // indirect - go.elastic.co/apm v1.7.2 + go.elastic.co/apm v1.8.1-0.20200909061013-2aef45b9cf4b go.elastic.co/apm/module/apmelasticsearch v1.7.2 go.elastic.co/apm/module/apmhttp v1.7.2 go.elastic.co/ecszap v0.1.1-0.20200424093508-cdd95a104193 @@ -164,17 +164,19 @@ require ( golang.org/x/net v0.0.0-20200226121028-0de0cce0169b golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a - golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 + golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae golang.org/x/text v0.3.2 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 - golang.org/x/tools v0.0.0-20200701041122-1837592efa10 + golang.org/x/tools v0.0.0-20200904185747-39188db58858 google.golang.org/api v0.15.0 google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb google.golang.org/grpc v1.29.1 + google.golang.org/protobuf v1.23.0 gopkg.in/inf.v0 v0.9.1 gopkg.in/jcmturner/gokrb5.v7 v7.5.0 gopkg.in/mgo.v2 v2.0.0-20160818020120-3f83fa500528 gopkg.in/yaml.v2 v2.3.0 + gotest.tools v2.2.0+incompatible howett.net/plist v0.0.0-20181124034731-591f970eefbb k8s.io/api v0.18.3 k8s.io/apimachinery v0.18.3 @@ -188,6 +190,7 @@ replace ( github.com/docker/docker => github.com/docker/engine v0.0.0-20191113042239-ea84732a7725 github.com/docker/go-plugins-helpers => github.com/elastic/go-plugins-helpers v0.0.0-20200207104224-bdf17607b79f github.com/dop251/goja => github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20 + github.com/dop251/goja_nodejs => github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6 github.com/fsnotify/fsevents => github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270 github.com/fsnotify/fsnotify => github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d github.com/google/gopacket => github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41 diff --git a/go.sum b/go.sum index cb35fd158f0..44f6eeb2ba0 100644 --- a/go.sum +++ b/go.sum @@ -87,7 +87,6 @@ github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbt github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/Shopify/toxiproxy v2.1.4+incompatible h1:TKdv8HiTLgE5wdJuEML90aBgNWsokNbMijUGhmcoBJc= github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= -github.com/Sirupsen/logrus v1.0.1-0.20170608221441-85b1699d5056/go.mod h1:rmk17hk6i8ZSAJkSDa7nOxamrG+SP4P0mm+DAvExv4U= github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6 h1:2Gl9Tray0NEjP9KC0FjdGWlszbmTIsBP3JYzgyFdL4E= github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d h1:g0M6kedfjDpyAAuxqBvJzMNjFzlrQ7Av6LCDFqWierk= @@ -109,8 +108,8 @@ github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20/go.mod h1:cI59GRkC github.com/andrewkroh/sys v0.0.0-20151128191922-287798fe3e43 h1:WFwa9pqou0Nb4DdfBOyaBTH0GqLE74Qwdf61E7ITHwQ= github.com/andrewkroh/sys v0.0.0-20151128191922-287798fe3e43/go.mod h1:tJPYQG4mnMeUtQvQKNkbsFrnmZOg59Qnf8CcctFv5v4= github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q= -github.com/antlr/antlr4 v0.0.0-20200225173536-225249fdaef5 h1:nkZ9axP+MvUFCu8JRN/MCY+DmTfs6lY7hE0QnJbxSdI= -github.com/antlr/antlr4 v0.0.0-20200225173536-225249fdaef5/go.mod h1:T7PbCXFs94rrTttyxjbyT5+/1V8T2TYDejxUfHJjw1Y= +github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d h1:OE3kzLBpy7pOJEzE55j9sdgrSilUPzzj++FWvp1cmIs= +github.com/antlr/antlr4 v0.0.0-20200820155224-be881fa6b91d/go.mod h1:T7PbCXFs94rrTttyxjbyT5+/1V8T2TYDejxUfHJjw1Y= github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77 h1:afT88tB6u9JCKQZVAAaa9ICz/uGn5Uw9ekn6P22mYKM= github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77/go.mod h1:bXvGk6IkT1Agy7qzJ+DjIw/SJ1AaB3AvAuMDVV+Vkoo= github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= @@ -224,16 +223,16 @@ github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2 h1:DW6W github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 h1:lnDkqiRFKm0rxdljqrj3lotWinO9+jFmeDXIC4gvIQs= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3/go.mod h1:aPqzac6AYkipvp4hufTyMj5PDIphF3+At8zr7r51xjY= -github.com/elastic/ecs v1.5.0 h1:/VEIBsRU4ecq2+U3RPfKNc6bFyomP6qnthYEcQZu8GU= -github.com/elastic/ecs v1.5.0/go.mod h1:pgiLbQsijLOJvFR8OTILLu0Ni/R/foUNg0L+T6mU9b4= +github.com/elastic/ecs v1.6.0 h1:8NmgfnsjmKXh9hVsK3H2tZtfUptepNc3msJOAynhtmc= +github.com/elastic/ecs v1.6.0/go.mod h1:pgiLbQsijLOJvFR8OTILLu0Ni/R/foUNg0L+T6mU9b4= github.com/elastic/elastic-agent-client/v7 v7.0.0-20200709172729-d43b7ad5833a h1:2NHgf1RUw+f240lpTnLrCp1aBNvq2wDi0E1A423/S1k= github.com/elastic/elastic-agent-client/v7 v7.0.0-20200709172729-d43b7ad5833a/go.mod h1:uh/Gj9a0XEbYoM4NYz4LvaBVARz3QXLmlNjsrKY9fTc= github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270 h1:cWPqxlPtir4RoQVCpGSRXmLqjEHpJKbR60rxh1nQZY4= github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270/go.mod h1:Msl1pdboCbArMF/nSCDUXgQuWTeoMmE/z8607X+k7ng= -github.com/elastic/go-concert v0.0.3 h1:f0F4WOi8tBOFIgwA7YbHRQ+Ok8vR+/qFrG7vYvbpX5Q= -github.com/elastic/go-concert v0.0.3/go.mod h1:9MtFarjXroUgmm0m6HY3NSe1XiKhdktiNRRj9hWvIaM= -github.com/elastic/go-libaudit/v2 v2.0.0-20200515221334-92371bef3fb8 h1:Jcnojiuok7Ea5hitJK9VWmBigganE2MMETOH0VZasEA= -github.com/elastic/go-libaudit/v2 v2.0.0-20200515221334-92371bef3fb8/go.mod h1:j2CZcVcluWDGhQTnq1SOPy1NKEIa74FtQ39Nnz87Jxk= +github.com/elastic/go-concert v0.0.4 h1:pzgYCmJ/xMJsW8PSk33inAWZ065hrwSeP79TpwAbsLE= +github.com/elastic/go-concert v0.0.4/go.mod h1:9MtFarjXroUgmm0m6HY3NSe1XiKhdktiNRRj9hWvIaM= +github.com/elastic/go-libaudit/v2 v2.0.2 h1:g83cmsDT0V4Aa6WuuGI9L6WC4fpo2zZjLwOlqBkSna4= +github.com/elastic/go-libaudit/v2 v2.0.2/go.mod h1:MM/l/4xV7ilcl+cIblL8Zn448J7RZaDwgNLE4gNKYPg= github.com/elastic/go-licenser v0.3.1 h1:RmRukU/JUmts+rpexAw0Fvt2ly7VVu6mw8z4HrEzObU= github.com/elastic/go-licenser v0.3.1/go.mod h1:D8eNQk70FOCVBl3smCGQt/lv7meBeQno2eI1S5apiHQ= github.com/elastic/go-lookslike v0.3.0 h1:HDI/DQ65V85ZqM7D/sbxcK2wFFnh3+7iFvBk2v2FTHs= @@ -259,8 +258,8 @@ github.com/elastic/go-ucfg v0.8.3/go.mod h1:iaiY0NBIYeasNgycLyTvhJftQlQEUO2hpF+F github.com/elastic/go-windows v1.0.0/go.mod h1:TsU0Nrp7/y3+VwE82FoZF8gC/XFg/Elz6CcloAxnPgU= github.com/elastic/go-windows v1.0.1 h1:AlYZOldA+UJ0/2nBuqWdo90GFCgG9xuyw9SYzGUtJm0= github.com/elastic/go-windows v1.0.1/go.mod h1:FoVvqWSun28vaDQPbj2Elfc0JahhPB7WQEGa3c814Ss= -github.com/elastic/gosigar v0.10.5 h1:GzPQ+78RaAb4J63unidA/JavQRKrB6s8IOzN6Ib59jo= -github.com/elastic/gosigar v0.10.5/go.mod h1:cdorVVzy1fhmEqmtgqkoE3bYtCfSCkVyjTyCIo22xvs= +github.com/elastic/gosigar v0.10.6-0.20200715000138-f115143bb233 h1:PvAAw8rXlg0maTAhdJznCmlzVZIKPwD2BP1pljuncLA= +github.com/elastic/gosigar v0.10.6-0.20200715000138-f115143bb233/go.mod h1:cdorVVzy1fhmEqmtgqkoE3bYtCfSCkVyjTyCIo22xvs= github.com/elastic/sarama v1.19.1-0.20200629123429-0e7b69039eec h1:rAHd7DeHIHjSzvnkl197GKh9TCWGKg/z2BBbbGOEiWI= github.com/elastic/sarama v1.19.1-0.20200629123429-0e7b69039eec/go.mod h1:X690XXMxlbtN8c7xcpsENKNlbj8VClCZ2hwSOhSyNmE= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc= @@ -569,8 +568,8 @@ github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2/go.mod h1:L3UMQOTh github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pierrec/lz4 v2.4.1+incompatible h1:mFe7ttWaflA46Mhqh+jUfjp2qTbPYxLB2/OyBppH9dg= github.com/pierrec/lz4 v2.4.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= -github.com/pierrre/gotestcover v0.0.0-20160113212533-7b94f124d338 h1:/VAZ3an4jHXs+61iNHugNR1mG25MSpaxtMnwOJVEAQM= -github.com/pierrre/gotestcover v0.0.0-20160113212533-7b94f124d338/go.mod h1:4xpMLz7RBWyB+ElzHu8Llua96TRCB3YwX+l5EP1wmHk= +github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0 h1:i5VIxp6QB8oWZ8IkK8zrDgeT6ORGIUeiN+61iETwJbI= +github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0/go.mod h1:4xpMLz7RBWyB+ElzHu8Llua96TRCB3YwX+l5EP1wmHk= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1-0.20170505043639-c605e284fe17/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= @@ -700,6 +699,8 @@ github.com/yuin/gopher-lua v0.0.0-20170403160031-b402f3114ec7 h1:0gYLpmzecnaDCoe github.com/yuin/gopher-lua v0.0.0-20170403160031-b402f3114ec7/go.mod h1:aEV29XrmTYFr3CiRxZeGHpkvbwq+prZduBqMaascyCU= go.elastic.co/apm v1.7.2 h1:0nwzVIPp4PDBXSYYtN19+1W5V+sj+C25UjqxDVoKcA8= go.elastic.co/apm v1.7.2/go.mod h1:tCw6CkOJgkWnzEthFN9HUP1uL3Gjc/Ur6m7gRPLaoH0= +go.elastic.co/apm v1.8.1-0.20200909061013-2aef45b9cf4b h1:Sf+V3eV91ZuXjF3824SABFgXU+z4ZEuIX5ikDvt2lCE= +go.elastic.co/apm v1.8.1-0.20200909061013-2aef45b9cf4b/go.mod h1:qoOSi09pnzJDh5fKnfY7bPmQgl8yl2tULdOu03xhui0= go.elastic.co/apm/module/apmelasticsearch v1.7.2 h1:5STGHLZLSeAzxordMc+dFVKiyVtMmxADOV+TgRaXXJg= go.elastic.co/apm/module/apmelasticsearch v1.7.2/go.mod h1:ZyNFuyWdt42GBZkz0SogoLzDBrBGj4orxpiUuxYeYq8= go.elastic.co/apm/module/apmhttp v1.7.2 h1:2mRh7SwBuEVLmJlX+hsMdcSg9xaielCLElaPn/+i34w= @@ -708,6 +709,8 @@ go.elastic.co/ecszap v0.1.1-0.20200424093508-cdd95a104193 h1:NjYJ/beChqugXSavTkH go.elastic.co/ecszap v0.1.1-0.20200424093508-cdd95a104193/go.mod h1:HTUi+QRmr3EuZMqxPX+5fyOdMNfUu5iPebgfhgsTJYQ= go.elastic.co/fastjson v1.0.0 h1:ooXV/ABvf+tBul26jcVViPT3sBir0PvXgibYB1IQQzg= go.elastic.co/fastjson v1.0.0/go.mod h1:PmeUOMMtLHQr9ZS9J9owrAVg0FkaZDRZJEFTTGHtchs= +go.elastic.co/fastjson v1.1.0 h1:3MrGBWWVIxe/xvsbpghtkFoPciPhOCmjsR/HfwEeQR4= +go.elastic.co/fastjson v1.1.0/go.mod h1:boNGISWMjQsUPy/t6yqt2/1Wx4YNPSe+mZjlyw9vKKI= go.elastic.co/go-licence-detector v0.4.0 h1:it5dP+6LPxLsosdhtbAqk/zJQxzS0QSSpdNkKVuwKMs= go.elastic.co/go-licence-detector v0.4.0/go.mod h1:fSJQU8au4SAgDK+UQFbgUPsXKYNBDv4E/dwWevrMpXU= go.etcd.io/bbolt v1.3.4 h1:hi1bXHMVrlQh6WwxAy+qZCV/SYIlqo+Ushwdpa4tAKg= @@ -809,7 +812,6 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20170608164803-0b25a408a500/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -839,8 +841,11 @@ golang.org/x/sys v0.0.0-20200102141924-c96a22e43c9c h1:OYFUffxXPezb7BVTx9AaD4Vl0 golang.org/x/sys v0.0.0-20200102141924-c96a22e43c9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e h1:LwyF2AFISC9nVbS6MgzsaQNSUsRXI49GS+YQ5KX/QH0= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 h1:LfCXLvNmTYH9kEmVgqbnsWfruoXZIrh4YBgqVHtDvw0= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1 h1:ogLJMz+qpzav7lGMh10LMvAkM/fAoGlaiiHYiFYdm80= +golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae h1:Ih9Yo4hSPImZOpfGuA4bR/ORKTAbhZo2AbWNRCnevdo= +golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= diff --git a/heartbeat/Dockerfile b/heartbeat/Dockerfile index 1ea4bda3cc6..c0d8abfa9c8 100644 --- a/heartbeat/Dockerfile +++ b/heartbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 RUN \ apt-get update \ @@ -9,8 +9,6 @@ RUN \ python3-venv \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/heartbeat/Jenkinsfile.yml b/heartbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..b8668715c3c --- /dev/null +++ b/heartbeat/Jenkinsfile.yml @@ -0,0 +1,32 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^heartbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@oss" ## special token regarding the changeset for the oss + comments: ## when PR comment contains any of those entries + - "/test heartbeat" + labels: ## when PR labels matches any of those entries + - "heartbeat" + parameters: ## when parameter was selected in the UI. + - "heartbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage build test" + macos: + mage: "mage build unitTest" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test heartbeat for macos" + labels: + - "macOS" + parameters: + - "macosTest" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/heartbeat/_meta/config/beat.reference.yml.tmpl b/heartbeat/_meta/config/beat.reference.yml.tmpl index efc94b31ed9..e72d7fd7ae1 100644 --- a/heartbeat/_meta/config/beat.reference.yml.tmpl +++ b/heartbeat/_meta/config/beat.reference.yml.tmpl @@ -31,6 +31,9 @@ heartbeat.monitors: # Human readable display name for this service in Uptime UI and elsewhere name: my-icmp-monitor + # Name of corresponding APM service, if Elastic APM is in use for the monitored service. + # service_name: my-apm-service-name + # Enable/Disable monitor #enabled: true @@ -77,6 +80,14 @@ heartbeat.monitors: # Interval between file file changed checks. #interval: 5s + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # The index name associated with this input. If this is set, it + # overwrites the index option from the Elasticsearch output. + #index: + # Set to true to publish fields with null values in events. #keep_null: false @@ -166,6 +177,14 @@ heartbeat.monitors: # Interval between file file changed checks. #interval: 5s + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # The index name associated with this input. If this is set, it + # overwrites the index option from the Elasticsearch output. + #index: + # Set to true to publish fields with null values in events. #keep_null: false @@ -258,6 +277,14 @@ heartbeat.monitors: # Interval between file file changed checks. #interval: 5s + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # The index name associated with this input. If this is set, it + # overwrites the index option from the Elasticsearch output. + #index: + # Set to true to publish fields with null values in events. #keep_null: false diff --git a/heartbeat/_meta/config/beat.yml.tmpl b/heartbeat/_meta/config/beat.yml.tmpl index 04c9b71f7a1..d1557176903 100644 --- a/heartbeat/_meta/config/beat.yml.tmpl +++ b/heartbeat/_meta/config/beat.yml.tmpl @@ -32,6 +32,8 @@ heartbeat.monitors: schedule: '@every 10s' # Total test connection and data exchange timeout #timeout: 16s + # Name of corresponding APM service, if Elastic APM is in use for the monitored service. + #service_name: my-apm-service-name {{header "Elasticsearch template setting"}} diff --git a/heartbeat/beater/heartbeat.go b/heartbeat/beater/heartbeat.go index 7e0f2aa75a1..26b1202850d 100644 --- a/heartbeat/beater/heartbeat.go +++ b/heartbeat/beater/heartbeat.go @@ -72,7 +72,7 @@ func New(b *beat.Beat, rawConfig *common.Config) (beat.Beater, error) { config: parsedConfig, scheduler: scheduler, // dynamicFactory is the factory used for dynamic configs, e.g. autodiscover / reload - dynamicFactory: monitors.NewFactory(scheduler, false), + dynamicFactory: monitors.NewFactory(b.Info, scheduler, false), } return bt, nil } @@ -123,7 +123,7 @@ func (bt *Heartbeat) Run(b *beat.Beat) error { // RunStaticMonitors runs the `heartbeat.monitors` portion of the yaml config if present. func (bt *Heartbeat) RunStaticMonitors(b *beat.Beat) error { - factory := monitors.NewFactory(bt.scheduler, true) + factory := monitors.NewFactory(b.Info, bt.scheduler, true) for _, cfg := range bt.config.Monitors { created, err := factory.Create(b.Publisher, cfg) @@ -139,6 +139,8 @@ func (bt *Heartbeat) RunStaticMonitors(b *beat.Beat) error { func (bt *Heartbeat) RunCentralMgmtMonitors(b *beat.Beat) { monitors := cfgfile.NewRunnerList(management.DebugK, bt.dynamicFactory, b.Publisher) reload.Register.MustRegisterList(b.Info.Beat+".monitors", monitors) + inputs := cfgfile.NewRunnerList(management.DebugK, bt.dynamicFactory, b.Publisher) + reload.Register.MustRegisterList("inputs", inputs) } // RunReloadableMonitors runs the `heartbeat.config.monitors` portion of the yaml config if present. diff --git a/heartbeat/conftest.py b/heartbeat/conftest.py new file mode 100644 index 00000000000..2f3f8199559 --- /dev/null +++ b/heartbeat/conftest.py @@ -0,0 +1,4 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../libbeat/tests/system')) diff --git a/heartbeat/docs/autodiscover-hints.asciidoc b/heartbeat/docs/autodiscover-hints.asciidoc index 0b6a44115c9..431812a13a6 100644 --- a/heartbeat/docs/autodiscover-hints.asciidoc +++ b/heartbeat/docs/autodiscover-hints.asciidoc @@ -84,7 +84,7 @@ container to have an TCP check. ----- annotations: co.elastic.monitor/type: http - co.elastic.monitor/hosts: ${data.host}:8080/healtlz + co.elastic.monitor/hosts: ${data.host}:8080/healthz co.elastic.monitor/schedule: "@every 5s" co.elastic.monitor.sidecar/type: tcp co.elastic.monitor.sidecar/hosts: ${data.host}:8081 @@ -101,7 +101,7 @@ Annotations without numeric prefixes would default into a single monitor configu ------------------------------------------------------------------------------------- annotations: co.elastic.monitor/type: http - co.elastic.monitor/hosts: ${data.host}:8080/healtlz + co.elastic.monitor/hosts: ${data.host}:8080/healthz co.elastic.monitor/schedule: "@every 5s" co.elastic.monitor/1.type: tcp co.elastic.monitor/1.hosts: ${data.host}:8080 diff --git a/heartbeat/docs/configuring-howto.asciidoc b/heartbeat/docs/configuring-howto.asciidoc index 11b1bfcbcfd..f562b8a42c1 100644 --- a/heartbeat/docs/configuring-howto.asciidoc +++ b/heartbeat/docs/configuring-howto.asciidoc @@ -23,6 +23,7 @@ include::{libbeat-dir}/shared/configuring-intro.asciidoc[] * <> * <> * <> +* <> * <<{beatname_lc}-reference-yml>> -- @@ -59,4 +60,6 @@ include::{libbeat-dir}/http-endpoint.asciidoc[] include::{libbeat-dir}/regexp.asciidoc[] +include::{libbeat-dir}/shared-instrumentation.asciidoc[] + include::{libbeat-dir}/reference-yml.asciidoc[] diff --git a/heartbeat/docs/fields.asciidoc b/heartbeat/docs/fields.asciidoc index 1e2881bdbff..20e797faf1a 100644 --- a/heartbeat/docs/fields.asciidoc +++ b/heartbeat/docs/fields.asciidoc @@ -102,16 +102,6 @@ Metadata from cloud providers added by the add_cloud_metadata processor. -*`cloud.project.id`*:: -+ --- -Name of the project in Google Cloud. - - -example: project-x - --- - *`cloud.image.id`*:: + -- @@ -434,6 +424,18 @@ The agent fields contain the data about the software entity, if any, that collec Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`agent.build.original`*:: ++ +-- +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. + +type: keyword + +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] + +-- + *`agent.ephemeral_id`*:: + -- @@ -475,7 +477,7 @@ example: foo + -- Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: keyword @@ -691,8 +693,7 @@ example: Quebec *`client.ip`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the client (IPv4 or IPv6). type: ip @@ -755,19 +756,19 @@ format: string + -- The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`client.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -854,7 +855,7 @@ type: keyword *`client.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -878,6 +879,17 @@ type: text -- +*`client.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === cloud @@ -896,6 +908,18 @@ example: 666777888999 -- +*`cloud.account.name`*:: ++ +-- +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. + +type: keyword + +example: elastic-dev + +-- + *`cloud.availability_zone`*:: + -- @@ -938,6 +962,30 @@ example: t2.medium -- +*`cloud.project.id`*:: ++ +-- +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. + +type: keyword + +example: my-project + +-- + +*`cloud.project.name`*:: ++ +-- +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. + +type: keyword + +example: my project + +-- + *`cloud.provider`*:: + -- @@ -1248,8 +1296,7 @@ example: Quebec *`destination.ip`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the destination (IPv4 or IPv6). type: ip @@ -1312,19 +1359,19 @@ format: string + -- The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`destination.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1411,7 +1458,7 @@ type: keyword *`destination.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -1435,6 +1482,17 @@ type: text -- +*`destination.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === dll @@ -1563,6 +1621,17 @@ example: C:\Windows\System32\kernel32.dll -- +*`dll.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`dll.pe.company`*:: + -- @@ -1596,6 +1665,18 @@ example: 6.3.9600.17415 -- +*`dll.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`dll.pe.original_file_name`*:: + -- @@ -1667,7 +1748,7 @@ If a chain of CNAME is being resolved, each answer's `name` should be the one th type: keyword -example: www.google.com +example: www.example.com -- @@ -1746,7 +1827,7 @@ If the name field contains non-printable characters (below 32 or above 126), tho type: keyword -example: www.google.com +example: www.example.com -- @@ -1754,12 +1835,12 @@ example: www.google.com + -- The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- @@ -1778,7 +1859,7 @@ example: www *`dns.question.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1895,6 +1976,8 @@ The stack trace of this error in plain text. type: keyword +Field is not indexed. + -- *`error.stack_trace.text`*:: @@ -2077,6 +2160,8 @@ type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +Field is not indexed. + -- *`event.outcome`*:: @@ -2106,6 +2191,18 @@ example: kernel -- +*`event.reason`*:: ++ +-- +Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + +type: keyword + +example: Terminated an unexpected process + +-- + *`event.reference`*:: + -- @@ -2114,7 +2211,7 @@ This URL links to a static definition of the this event. Alert events, indicated type: keyword -example: https://system.vendor.com/event/#0001234 +example: https://system.example.com/event/#0001234 -- @@ -2198,11 +2295,11 @@ type: keyword + -- URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe -- @@ -2496,6 +2593,17 @@ type: text -- +*`file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`file.pe.company`*:: + -- @@ -2529,6 +2637,18 @@ example: 6.3.9600.17415 -- +*`file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`file.pe.original_file_name`*:: + -- @@ -2601,293 +2721,557 @@ example: 1001 -- -[float] -=== geo - -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. - - -*`geo.city_name`*:: +*`file.x509.alternative_names`*:: + -- -City name. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: Montreal +example: *.elastic.co -- -*`geo.continent_name`*:: +*`file.x509.issuer.common_name`*:: + -- -Name of the continent. +List of common name (CN) of issuing certificate authority. type: keyword -example: North America +example: Example SHA2 High Assurance Server CA -- -*`geo.country_iso_code`*:: +*`file.x509.issuer.country`*:: + -- -Country ISO code. +List of country (C) codes type: keyword -example: CA +example: US -- -*`geo.country_name`*:: +*`file.x509.issuer.distinguished_name`*:: + -- -Country name. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: Canada +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`geo.location`*:: +*`file.x509.issuer.locality`*:: + -- -Longitude and latitude. +List of locality names (L) -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Mountain View -- -*`geo.name`*:: +*`file.x509.issuer.organization`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +List of organizations (O) of issuing certificate authority. type: keyword -example: boston-dc +example: Example Inc -- -*`geo.region_iso_code`*:: +*`file.x509.issuer.organizational_unit`*:: + -- -Region ISO code. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: CA-QC +example: www.example.com -- -*`geo.region_name`*:: +*`file.x509.issuer.state_or_province`*:: + -- -Region name. +List of state or province names (ST, S, or P) type: keyword -example: Quebec +example: California -- -[float] -=== group +*`file.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. -The group fields are meant to represent groups that are relevant to the event. +type: date +example: 2020-07-16 03:15:39+00:00 -*`group.domain`*:: +-- + +*`file.x509.not_before`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Time at which the certificate is first considered valid. -type: keyword +type: date + +example: 2019-08-16 01:40:25+00:00 -- -*`group.id`*:: +*`file.x509.public_key_algorithm`*:: + -- -Unique identifier for the group on the system/platform. +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`group.name`*:: +*`file.x509.public_key_curve`*:: + -- -Name of the group. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -[float] -=== hash +*`file.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. -The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +type: long +example: 65537 -*`hash.md5`*:: +Field is not indexed. + +-- + +*`file.x509.public_key_size`*:: + -- -MD5 hash. +The size of the public key space in bits. -type: keyword +type: long + +example: 2048 -- -*`hash.sha1`*:: +*`file.x509.serial_number`*:: + -- -SHA1 hash. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -*`hash.sha256`*:: +*`file.x509.signature_algorithm`*:: + -- -SHA256 hash. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword +example: SHA256-RSA + -- -*`hash.sha512`*:: +*`file.x509.subject.common_name`*:: + -- -SHA512 hash. +List of common names (CN) of subject. type: keyword --- - -[float] -=== host - -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +example: shared.global.example.net +-- -*`host.architecture`*:: +*`file.x509.subject.country`*:: + -- -Operating system architecture. +List of country (C) code type: keyword -example: x86_64 +example: US -- -*`host.domain`*:: +*`file.x509.subject.distinguished_name`*:: + -- -Name of the domain of which the host is a member. -For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. +Distinguished name (DN) of the certificate subject entity. type: keyword -example: CONTOSO +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`host.geo.city_name`*:: +*`file.x509.subject.locality`*:: + -- -City name. +List of locality names (L) type: keyword -example: Montreal +example: San Francisco -- -*`host.geo.continent_name`*:: +*`file.x509.subject.organization`*:: + -- -Name of the continent. +List of organizations (O) of subject. type: keyword -example: North America +example: Example, Inc. -- -*`host.geo.country_iso_code`*:: +*`file.x509.subject.organizational_unit`*:: + -- -Country ISO code. +List of organizational units (OU) of subject. type: keyword -example: CA - -- -*`host.geo.country_name`*:: +*`file.x509.subject.state_or_province`*:: + -- -Country name. +List of state or province names (ST, S, or P) type: keyword -example: Canada +example: California -- -*`host.geo.location`*:: +*`file.x509.version_number`*:: + -- -Longitude and latitude. +Version of x509 format. -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: 3 -- -*`host.geo.name`*:: +[float] +=== geo + +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. + + +*`geo.city_name`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +City name. type: keyword -example: boston-dc +example: Montreal -- -*`host.geo.region_iso_code`*:: +*`geo.continent_name`*:: + -- -Region ISO code. +Name of the continent. type: keyword -example: CA-QC +example: North America -- -*`host.geo.region_name`*:: +*`geo.country_iso_code`*:: + -- -Region name. +Country ISO code. + +type: keyword + +example: CA + +-- + +*`geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +[float] +=== group + +The group fields are meant to represent groups that are relevant to the event. + + +*`group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +[float] +=== host + +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + + +*`host.architecture`*:: ++ +-- +Operating system architecture. + +type: keyword + +example: x86_64 + +-- + +*`host.domain`*:: ++ +-- +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + +type: keyword + +example: CONTOSO + +-- + +*`host.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`host.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`host.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`host.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`host.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`host.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`host.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`host.geo.region_name`*:: ++ +-- +Region name. type: keyword @@ -3123,7 +3507,7 @@ type: keyword *`host.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -3147,8 +3531,19 @@ type: text -- -[float] -=== http +*`host.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + +[float] +=== http Fields related to HTTP activity. Use the `url` field set to store the url of the request. @@ -3201,11 +3596,13 @@ format: bytes + -- HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 type: keyword -example: get, post, put +example: GET, POST, PUT, PoST -- @@ -3335,6 +3732,18 @@ The log.* fields are typically populated with details about the logging mechanis The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +*`log.file.path`*:: ++ +-- +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. + +type: keyword + +example: /var/log/fun-times.log + +-- + *`log.level`*:: + -- @@ -3373,7 +3782,8 @@ example: 42 *`log.origin.file.name`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. type: keyword @@ -3403,6 +3813,8 @@ type: keyword example: Sep 19 08:26:10 localhost My log +Field is not indexed. + -- *`log.syslog`*:: @@ -4371,6 +4783,17 @@ example: 1.12.9 These fields contain Windows Portable Executable (PE) metadata. +*`pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`pe.company`*:: + -- @@ -4404,6 +4827,18 @@ example: 6.3.9600.17415 -- +*`pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`pe.original_file_name`*:: + -- @@ -4635,12 +5070,12 @@ type: text *`process.parent.args`*:: + -- -Array of process arguments. +Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: keyword -example: ['ssh', '-l', 'user', '10.0.0.16'] +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- @@ -4831,6 +5266,84 @@ type: text -- +*`process.parent.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + +*`process.parent.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.parent.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.parent.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.parent.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.parent.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.parent.pgid`*:: + -- @@ -4949,6 +5462,17 @@ type: text -- +*`process.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`process.pe.company`*:: + -- @@ -4982,6 +5506,18 @@ example: 6.3.9600.17415 -- +*`process.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`process.pe.original_file_name`*:: + -- @@ -5224,6 +5760,15 @@ type: keyword -- +*`related.hosts`*:: ++ +-- +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + +type: keyword + +-- + *`related.ip`*:: + -- @@ -5522,8 +6067,7 @@ example: Quebec *`server.ip`*:: + -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the server (IPv4 or IPv6). type: ip @@ -5586,19 +6130,19 @@ format: string + -- The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`server.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -5685,7 +6229,7 @@ type: keyword *`server.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -5709,6 +6253,17 @@ type: text -- +*`server.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === service @@ -5962,8 +6517,7 @@ example: Quebec *`source.ip`*:: + -- -IP address of the source. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the source (IPv4 or IPv6). type: ip @@ -6026,19 +6580,19 @@ format: string + -- The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`source.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -6125,7 +6679,7 @@ type: keyword *`source.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -6149,10 +6703,21 @@ type: text -- +*`source.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === threat -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). @@ -6170,7 +6735,7 @@ example: MITRE ATT&CK *`threat.tactic.id`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -6181,7 +6746,7 @@ example: TA0040 *`threat.tactic.name`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/) type: keyword @@ -6192,7 +6757,7 @@ example: impact *`threat.tactic.reference`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -6203,7 +6768,7 @@ example: https://attack.mitre.org/tactics/TA0040/ *`threat.technique.id`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword @@ -6214,11 +6779,11 @@ example: T1499 *`threat.technique.name`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword -example: endpoint denial of service +example: Endpoint Denial of Service -- @@ -6232,7 +6797,7 @@ type: text *`threat.technique.reference`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) type: keyword @@ -6319,7 +6884,7 @@ Distinguished name of subject of the issuer of the x.509 certificate presented b type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- @@ -6359,7 +6924,7 @@ example: 1970-01-01T00:00:00.000Z *`tls.client.server_name`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. type: keyword @@ -6374,7 +6939,7 @@ Distinguished name of subject of the x.509 certificate presented by the client. type: keyword -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com +example: CN=myclient, OU=Documentation Team, DC=example, DC=com -- @@ -6389,808 +6954,1629 @@ example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256 -- -*`tls.curve`*:: +*`tls.client.x509.alternative_names`*:: + -- -String indicating the curve used for the given cipher, when applicable. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: secp256r1 +example: *.elastic.co -- -*`tls.established`*:: +*`tls.client.x509.issuer.common_name`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +List of common name (CN) of issuing certificate authority. -type: boolean +type: keyword + +example: Example SHA2 High Assurance Server CA -- -*`tls.next_protocol`*:: +*`tls.client.x509.issuer.country`*:: + -- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. +List of country (C) codes type: keyword -example: http/1.1 +example: US -- -*`tls.resumed`*:: +*`tls.client.x509.issuer.distinguished_name`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +Distinguished name (DN) of issuing certificate authority. -type: boolean +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`tls.server.certificate`*:: +*`tls.client.x509.issuer.locality`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +List of locality names (L) type: keyword -example: MII... +example: Mountain View -- -*`tls.server.certificate_chain`*:: +*`tls.client.x509.issuer.organization`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +List of organizations (O) of issuing certificate authority. type: keyword -example: ['MII...', 'MII...'] +example: Example Inc -- -*`tls.server.hash.md5`*:: +*`tls.client.x509.issuer.organizational_unit`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +example: www.example.com -- -*`tls.server.hash.sha1`*:: +*`tls.client.x509.issuer.state_or_province`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of state or province names (ST, S, or P) type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +example: California -- -*`tls.server.hash.sha256`*:: +*`tls.client.x509.not_after`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +example: 2020-07-16 03:15:39+00:00 -- -*`tls.server.issuer`*:: +*`tls.client.x509.not_before`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. +Time at which the certificate is first considered valid. -type: keyword +type: date -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2019-08-16 01:40:25+00:00 -- -*`tls.server.ja3s`*:: +*`tls.client.x509.public_key_algorithm`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. +Algorithm used to generate the public key. type: keyword -example: 394441ab65754e2207b1e1b457b3641d +example: RSA -- -*`tls.server.not_after`*:: +*`tls.client.x509.public_key_curve`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. -type: date +type: keyword -example: 2021-01-01T00:00:00.000Z +example: nistp521 -- -*`tls.server.not_before`*:: +*`tls.client.x509.public_key_exponent`*:: + -- -Timestamp indicating when server certificate is first considered valid. +Exponent used to derive the public key. This is algorithm specific. -type: date +type: long -example: 1970-01-01T00:00:00.000Z +example: 65537 + +Field is not indexed. -- -*`tls.server.subject`*:: +*`tls.client.x509.public_key_size`*:: + -- -Subject of the x.509 certificate presented by the server. +The size of the public key space in bits. -type: keyword +type: long -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2048 -- -*`tls.version`*:: +*`tls.client.x509.serial_number`*:: + -- -Numeric part of the version parsed from the original string. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: 1.2 +example: 55FBB9C7DEBF09809D12CCAA -- -*`tls.version_protocol`*:: +*`tls.client.x509.signature_algorithm`*:: + -- -Normalized lowercase protocol name parsed from original string. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: tls +example: SHA256-RSA -- -[float] -=== tracing - -Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. - - -*`tracing.trace.id`*:: +*`tls.client.x509.subject.common_name`*:: + -- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. +List of common names (CN) of subject. type: keyword -example: 4bf92f3577b34da6a3ce929d0e0e4736 +example: shared.global.example.net -- -*`tracing.transaction.id`*:: +*`tls.client.x509.subject.country`*:: + -- -Unique identifier of the transaction. -A transaction is the highest level of work measured within a service, such as a request to a server. +List of country (C) code type: keyword -example: 00f067aa0ba902b7 +example: US -- -[float] -=== url +*`tls.client.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. +type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -*`url.domain`*:: +-- + +*`tls.client.x509.subject.locality`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +List of locality names (L) type: keyword -example: www.elastic.co +example: San Francisco -- -*`url.extension`*:: +*`tls.client.x509.subject.organization`*:: + -- -The field contains the file extension from the original request url. -The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". +List of organizations (O) of subject. type: keyword -example: png +example: Example, Inc. -- -*`url.fragment`*:: +*`tls.client.x509.subject.organizational_unit`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +List of organizational units (OU) of subject. type: keyword -- -*`url.full`*:: +*`tls.client.x509.subject.state_or_province`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +List of state or province names (ST, S, or P) type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top +example: California -- -*`url.full.text`*:: +*`tls.client.x509.version_number`*:: + -- -type: text +Version of x509 format. + +type: keyword + +example: 3 -- -*`url.original`*:: +*`tls.curve`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +String indicating the curve used for the given cipher, when applicable. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch +example: secp256r1 -- -*`url.original.text`*:: +*`tls.established`*:: + -- -type: text +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + +type: boolean -- -*`url.password`*:: +*`tls.next_protocol`*:: + -- -Password of the request. +String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword +example: http/1.1 + -- -*`url.path`*:: +*`tls.resumed`*:: + -- -Path of the request, such as "/search". +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -type: keyword +type: boolean -- -*`url.port`*:: +*`tls.server.certificate`*:: + -- -Port of the request, such as 443. +PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. -type: long +type: keyword -example: 443 +example: MII... -format: string +-- + +*`tls.server.certificate_chain`*:: ++ +-- +Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: ['MII...', 'MII...'] -- -*`url.query`*:: +*`tls.server.hash.md5`*:: + -- -The query field describes the query string of the request, such as "q=elasticsearch". -The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + -- -*`url.registered_domain`*:: +*`tls.server.hash.sha1`*:: + -- -The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword -example: google.com +example: 9E393D93138888D288266C2D915214D1D1CCEB2A -- -*`url.scheme`*:: +*`tls.server.hash.sha256`*:: + -- -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword -example: https +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- -*`url.top_level_domain`*:: +*`tls.server.issuer`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +Subject of the issuer of the x.509 certificate presented by the server. type: keyword -example: co.uk +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- -*`url.username`*:: +*`tls.server.ja3s`*:: + -- -Username of the request. +A hash that identifies servers based on how they perform an SSL/TLS handshake. type: keyword +example: 394441ab65754e2207b1e1b457b3641d + -- -[float] -=== user +*`tls.server.not_after`*:: ++ +-- +Timestamp indicating when server certificate is no longer considered valid. -The user fields describe information about the user that is relevant to the event. -Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. +type: date + +example: 2021-01-01T00:00:00.000Z +-- -*`user.domain`*:: +*`tls.server.not_before`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +Timestamp indicating when server certificate is first considered valid. -type: keyword +type: date + +example: 1970-01-01T00:00:00.000Z -- -*`user.email`*:: +*`tls.server.subject`*:: + -- -User email address. +Subject of the x.509 certificate presented by the server. type: keyword +example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + -- -*`user.full_name`*:: +*`tls.server.x509.alternative_names`*:: + -- -User's full name, if available. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: Albert Einstein +example: *.elastic.co -- -*`user.full_name.text`*:: +*`tls.server.x509.issuer.common_name`*:: + -- -type: text +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA -- -*`user.group.domain`*:: +*`tls.server.x509.issuer.country`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +List of country (C) codes type: keyword +example: US + -- -*`user.group.id`*:: +*`tls.server.x509.issuer.distinguished_name`*:: + -- -Unique identifier for the group on the system/platform. +Distinguished name (DN) of issuing certificate authority. type: keyword +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + -- -*`user.group.name`*:: +*`tls.server.x509.issuer.locality`*:: + -- -Name of the group. +List of locality names (L) type: keyword +example: Mountain View + -- -*`user.hash`*:: +*`tls.server.x509.issuer.organization`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +List of organizations (O) of issuing certificate authority. type: keyword +example: Example Inc + -- -*`user.id`*:: +*`tls.server.x509.issuer.organizational_unit`*:: + -- -Unique identifiers of the user. +List of organizational units (OU) of issuing certificate authority. type: keyword +example: www.example.com + -- -*`user.name`*:: +*`tls.server.x509.issuer.state_or_province`*:: + -- -Short name or login of the user. +List of state or province names (ST, S, or P) type: keyword -example: albert +example: California -- -*`user.name.text`*:: +*`tls.server.x509.not_after`*:: + -- -type: text +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 -- -[float] -=== user_agent +*`tls.server.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. -The user_agent fields normally come from a browser request. -They often show up in web service logs coming from the parsed user agent string. +type: date +example: 2019-08-16 01:40:25+00:00 -*`user_agent.device.name`*:: +-- + +*`tls.server.x509.public_key_algorithm`*:: + -- -Name of the device. +Algorithm used to generate the public key. type: keyword -example: iPhone +example: RSA -- -*`user_agent.name`*:: +*`tls.server.x509.public_key_curve`*:: + -- -Name of the user agent. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword -example: Safari +example: nistp521 -- -*`user_agent.original`*:: +*`tls.server.x509.public_key_exponent`*:: + -- -Unparsed user_agent string. +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`tls.server.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`tls.server.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 +example: 55FBB9C7DEBF09809D12CCAA -- -*`user_agent.original.text`*:: +*`tls.server.x509.signature_algorithm`*:: + -- -type: text +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA -- -*`user_agent.os.family`*:: +*`tls.server.x509.subject.common_name`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +List of common names (CN) of subject. type: keyword -example: debian +example: shared.global.example.net -- -*`user_agent.os.full`*:: +*`tls.server.x509.subject.country`*:: + -- -Operating system name, including the version or code name. +List of country (C) code type: keyword -example: Mac OS Mojave +example: US -- -*`user_agent.os.full.text`*:: +*`tls.server.x509.subject.distinguished_name`*:: + -- -type: text +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`user_agent.os.kernel`*:: +*`tls.server.x509.subject.locality`*:: + -- -Operating system kernel version as a raw string. +List of locality names (L) type: keyword -example: 4.4.0-112-generic +example: San Francisco -- -*`user_agent.os.name`*:: +*`tls.server.x509.subject.organization`*:: + -- -Operating system name, without the version. +List of organizations (O) of subject. type: keyword -example: Mac OS X +example: Example, Inc. -- -*`user_agent.os.name.text`*:: +*`tls.server.x509.subject.organizational_unit`*:: + -- -type: text +List of organizational units (OU) of subject. + +type: keyword -- -*`user_agent.os.platform`*:: +*`tls.server.x509.subject.state_or_province`*:: + -- -Operating system platform (such centos, ubuntu, windows). +List of state or province names (ST, S, or P) type: keyword -example: darwin +example: California -- -*`user_agent.os.version`*:: +*`tls.server.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`tls.version`*:: ++ +-- +Numeric part of the version parsed from the original string. + +type: keyword + +example: 1.2 + +-- + +*`tls.version_protocol`*:: ++ +-- +Normalized lowercase protocol name parsed from original string. + +type: keyword + +example: tls + +-- + +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.span.id`*:: ++ +-- +Unique identifier of the span within the scope of its trace. +A span represents an operation within a transaction, such as a request to another service, or a database query. + +type: keyword + +example: 3ff9a8981b7ccd5a + +-- + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction within the scope of its trace. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + +[float] +=== url + +URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. + + +*`url.domain`*:: ++ +-- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + +type: keyword + +example: www.elastic.co + +-- + +*`url.extension`*:: ++ +-- +The field contains the file extension from the original request url. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". + +type: keyword + +example: png + +-- + +*`url.fragment`*:: ++ +-- +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. + +type: keyword + +-- + +*`url.full`*:: ++ +-- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top + +-- + +*`url.full.text`*:: ++ +-- +type: text + +-- + +*`url.original`*:: ++ +-- +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + +-- + +*`url.original.text`*:: ++ +-- +type: text + +-- + +*`url.password`*:: ++ +-- +Password of the request. + +type: keyword + +-- + +*`url.path`*:: ++ +-- +Path of the request, such as "/search". + +type: keyword + +-- + +*`url.port`*:: ++ +-- +Port of the request, such as 443. + +type: long + +example: 443 + +format: string + +-- + +*`url.query`*:: ++ +-- +The query field describes the query string of the request, such as "q=elasticsearch". +The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. + +type: keyword + +-- + +*`url.registered_domain`*:: ++ +-- +The highest registered url domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". + +type: keyword + +example: example.com + +-- + +*`url.scheme`*:: ++ +-- +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. + +type: keyword + +example: https + +-- + +*`url.top_level_domain`*:: ++ +-- +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". + +type: keyword + +example: co.uk + +-- + +*`url.username`*:: ++ +-- +Username of the request. + +type: keyword + +-- + +[float] +=== user + +The user fields describe information about the user that is relevant to the event. +Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. + + +*`user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`user.full_name.text`*:: ++ +-- +type: text + +-- + +*`user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`user.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`user.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`user.name.text`*:: ++ +-- +type: text + +-- + +*`user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + +[float] +=== user_agent + +The user_agent fields normally come from a browser request. +They often show up in web service logs coming from the parsed user agent string. + + +*`user_agent.device.name`*:: ++ +-- +Name of the device. + +type: keyword + +example: iPhone + +-- + +*`user_agent.name`*:: ++ +-- +Name of the user agent. + +type: keyword + +example: Safari + +-- + +*`user_agent.original`*:: ++ +-- +Unparsed user_agent string. + +type: keyword + +example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 + +-- + +*`user_agent.original.text`*:: ++ +-- +type: text + +-- + +*`user_agent.os.family`*:: ++ +-- +OS family (such as redhat, debian, freebsd, windows). + +type: keyword + +example: debian + +-- + +*`user_agent.os.full`*:: ++ +-- +Operating system name, including the version or code name. + +type: keyword + +example: Mac OS Mojave + +-- + +*`user_agent.os.full.text`*:: ++ +-- +type: text + +-- + +*`user_agent.os.kernel`*:: ++ +-- +Operating system kernel version as a raw string. + +type: keyword + +example: 4.4.0-112-generic + +-- + +*`user_agent.os.name`*:: ++ +-- +Operating system name, without the version. + +type: keyword + +example: Mac OS X + +-- + +*`user_agent.os.name.text`*:: ++ +-- +type: text + +-- + +*`user_agent.os.platform`*:: ++ +-- +Operating system platform (such centos, ubuntu, windows). + +type: keyword + +example: darwin + +-- + +*`user_agent.os.version`*:: ++ +-- +Operating system version as a raw string. + +type: keyword + +example: 10.14.1 + +-- + +*`user_agent.version`*:: ++ +-- +Version of the user agent. + +type: keyword + +example: 12.0 + +-- + +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +[float] +=== vulnerability + +The vulnerability fields describe information about a vulnerability that is relevant to an event. + + +*`vulnerability.category`*:: ++ +-- +The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) +This field must be an array. + +type: keyword + +example: ["Firewall"] + +-- + +*`vulnerability.classification`*:: ++ +-- +The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) + +type: keyword + +example: CVSS + +-- + +*`vulnerability.description`*:: ++ +-- +The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) + +type: keyword + +example: In macOS before 2.12.6, there is a vulnerability in the RPC... + +-- + +*`vulnerability.description.text`*:: ++ +-- +type: text + +-- + +*`vulnerability.enumeration`*:: ++ +-- +The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) + +type: keyword + +example: CVE + +-- + +*`vulnerability.id`*:: ++ +-- +The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] + +type: keyword + +example: CVE-2019-00001 + +-- + +*`vulnerability.reference`*:: ++ +-- +A resource that provides additional information, context, and mitigations for the identified vulnerability. + +type: keyword + +example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 + +-- + +*`vulnerability.report_id`*:: ++ +-- +The report or scan identification number. + +type: keyword + +example: 20191018.0001 + +-- + +*`vulnerability.scanner.vendor`*:: ++ +-- +The name of the vulnerability scanner vendor. + +type: keyword + +example: Tenable + +-- + +*`vulnerability.score.base`*:: ++ +-- +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) + +type: float + +example: 5.5 + +-- + +*`vulnerability.score.environmental`*:: ++ +-- +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) + +type: float + +example: 5.5 + +-- + +*`vulnerability.score.temporal`*:: ++ +-- +Scores can range from 0.0 to 10.0, with 10.0 being the most severe. +Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) + +type: float + +-- + +*`vulnerability.score.version`*:: ++ +-- +The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. +CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) + +type: keyword + +example: 2.0 + +-- + +*`vulnerability.severity`*:: ++ +-- +The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) + +type: keyword + +example: Critical + +-- + +[float] +=== x509 + +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + + +*`x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`x509.issuer.organization`*:: + -- -Operating system version as a raw string. +List of organizations (O) of issuing certificate authority. type: keyword -example: 10.14.1 +example: Example Inc -- -*`user_agent.version`*:: +*`x509.issuer.organizational_unit`*:: + -- -Version of the user agent. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: 12.0 +example: www.example.com -- -[float] -=== vlan - -The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. -Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. -Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. -Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. - - -*`vlan.id`*:: +*`x509.issuer.state_or_province`*:: + -- -VLAN ID as reported by the observer. +List of state or province names (ST, S, or P) type: keyword -example: 10 +example: California -- -*`vlan.name`*:: +*`x509.not_after`*:: + -- -Optional VLAN name as reported by the observer. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: outside +example: 2020-07-16 03:15:39+00:00 -- -[float] -=== vulnerability +*`x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. -The vulnerability fields describe information about a vulnerability that is relevant to an event. +type: date +example: 2019-08-16 01:40:25+00:00 -*`vulnerability.category`*:: +-- + +*`x509.public_key_algorithm`*:: + -- -The type of system or architecture that the vulnerability affects. These may be platform-specific (for example, Debian or SUSE) or general (for example, Database or Firewall). For example (https://qualysguard.qualys.com/qwebhelp/fo_portal/knowledgebase/vulnerability_categories.htm[Qualys vulnerability categories]) -This field must be an array. +Algorithm used to generate the public key. type: keyword -example: ["Firewall"] +example: RSA -- -*`vulnerability.classification`*:: +*`x509.public_key_curve`*:: + -- -The classification of the vulnerability scoring system. For example (https://www.first.org/cvss/) +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword -example: CVSS +example: nistp521 -- -*`vulnerability.description`*:: +*`x509.public_key_exponent`*:: + -- -The description of the vulnerability that provides additional context of the vulnerability. For example (https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created[Common Vulnerabilities and Exposure CVE description]) +Exponent used to derive the public key. This is algorithm specific. -type: keyword +type: long -example: In macOS before 2.12.6, there is a vulnerability in the RPC... +example: 65537 + +Field is not indexed. -- -*`vulnerability.description.text`*:: +*`x509.public_key_size`*:: + -- -type: text +The size of the public key space in bits. + +type: long + +example: 2048 -- -*`vulnerability.enumeration`*:: +*`x509.serial_number`*:: + -- -The type of identifier used for this vulnerability. For example (https://cve.mitre.org/about/) +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: CVE +example: 55FBB9C7DEBF09809D12CCAA -- -*`vulnerability.id`*:: +*`x509.signature_algorithm`*:: + -- -The identification (ID) is the number portion of a vulnerability entry. It includes a unique identification number for the vulnerability. For example (https://cve.mitre.org/about/faqs.html#what_is_cve_id)[Common Vulnerabilities and Exposure CVE ID] +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: CVE-2019-00001 +example: SHA256-RSA -- -*`vulnerability.reference`*:: +*`x509.subject.common_name`*:: + -- -A resource that provides additional information, context, and mitigations for the identified vulnerability. +List of common names (CN) of subject. type: keyword -example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111 +example: shared.global.example.net -- -*`vulnerability.report_id`*:: +*`x509.subject.country`*:: + -- -The report or scan identification number. +List of country (C) code type: keyword -example: 20191018.0001 +example: US -- -*`vulnerability.scanner.vendor`*:: +*`x509.subject.distinguished_name`*:: + -- -The name of the vulnerability scanner vendor. +Distinguished name (DN) of the certificate subject entity. type: keyword -example: Tenable +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`vulnerability.score.base`*:: +*`x509.subject.locality`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Base scores cover an assessment for exploitability metrics (attack vector, complexity, privileges, and user interaction), impact metrics (confidentiality, integrity, and availability), and scope. For example (https://www.first.org/cvss/specification-document) +List of locality names (L) -type: float +type: keyword -example: 5.5 +example: San Francisco -- -*`vulnerability.score.environmental`*:: +*`x509.subject.organization`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Environmental scores cover an assessment for any modified Base metrics, confidentiality, integrity, and availability requirements. For example (https://www.first.org/cvss/specification-document) +List of organizations (O) of subject. -type: float +type: keyword -example: 5.5 +example: Example, Inc. -- -*`vulnerability.score.temporal`*:: +*`x509.subject.organizational_unit`*:: + -- -Scores can range from 0.0 to 10.0, with 10.0 being the most severe. -Temporal scores cover an assessment for code maturity, remediation level, and confidence. For example (https://www.first.org/cvss/specification-document) +List of organizational units (OU) of subject. -type: float +type: keyword -- -*`vulnerability.score.version`*:: +*`x509.subject.state_or_province`*:: + -- -The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. -CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. For example (https://nvd.nist.gov/vuln-metrics/cvss) +List of state or province names (ST, S, or P) type: keyword -example: 2.0 +example: California -- -*`vulnerability.severity`*:: +*`x509.version_number`*:: + -- -The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) +Version of x509 format. type: keyword -example: Critical +example: 3 -- @@ -7903,167 +9289,7 @@ type: long Detailed x509 certificate metadata - -*`tls.server.x509.alternative_names`*:: -+ --- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - -type: keyword - -example: *.elastic.co - --- - - -*`tls.server.x509.issuer.common_name`*:: -+ --- -List of common name (CN) of issuing certificate authority. - -type: keyword - -example: DigiCert SHA2 High Assurance Server CA - --- - -*`tls.server.x509.issuer.common_name.text`*:: -+ --- -type: text - --- - -*`tls.server.x509.issuer.distinguished_name`*:: -+ --- -Distinguished name (DN) of issuing certificate authority. - -type: keyword - -example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA - --- - -*`tls.server.x509.not_after`*:: -+ --- -Time at which the certificate is no longer considered valid. - -type: date - -example: 2020-07-16 03:15:39 - --- - -*`tls.server.x509.not_before`*:: -+ --- -Time at which the certificate is first considered valid. - -type: date - -example: 2019-08-16 01:40:25 - --- - -*`tls.server.x509.public_key_algorithm`*:: -+ --- -Algorithm used to generate the public key. - -type: keyword - -example: RSA - --- - -*`tls.server.x509.public_key_curve`*:: -+ --- -The curve used by the elliptic curve public key algorithm. This is algorithm specific. - -type: keyword - -example: nistp521 - --- - -*`tls.server.x509.public_key_exponent`*:: -+ --- -Exponent used to derive the public key. This is algorithm specific. - -type: long - -example: 65537 - --- - -*`tls.server.x509.public_key_size`*:: -+ --- -The size of the public key space in bits. - -type: long - -example: 2048 - --- - -*`tls.server.x509.serial_number`*:: -+ --- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - -type: keyword - -example: 55FBB9C7DEBF09809D12CCAA - --- - -*`tls.server.x509.signature_algorithm`*:: -+ --- -Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). - -type: keyword - -example: SHA256-RSA - --- - - -*`tls.server.x509.subject.common_name`*:: -+ --- -List of common names (CN) of subject. - -type: keyword - -example: r2.shared.global.fastly.net - --- - -*`tls.server.x509.subject.common_name.text`*:: -+ --- -type: text - --- - -*`tls.server.x509.subject.distinguished_name`*:: -+ --- -Distinguished name (DN) of the certificate subject entity. - -type: keyword - -example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net - --- - -*`tls.server.x509.version_number`*:: +*`tls.server.version_number`*:: + -- Version of x509 format. diff --git a/heartbeat/docs/getting-started.asciidoc b/heartbeat/docs/getting-started.asciidoc index 38857a227ca..21da1fb0547 100644 --- a/heartbeat/docs/getting-started.asciidoc +++ b/heartbeat/docs/getting-started.asciidoc @@ -43,7 +43,7 @@ include::{libbeat-dir}/tab-widgets/install-widget.asciidoc[] ==== Other installation options * <> -* https://www.elastic.co/downloads/beats/{beatname_lc}[Download page] +* https://www.elastic.co/downloads/beats/{beatname_lc}[Download page] * <> [float] @@ -58,7 +58,7 @@ include::{libbeat-dir}/shared/connecting-to-es.asciidoc[] Heartbeat provides monitors to check the status of hosts at set intervals. Heartbeat currently provides monitors for ICMP, TCP, and HTTP (see -<> for more about these monitors). +<> for more about these monitors). You configure each monitor individually. In +{beatname_lc}.yml+, specify the list of monitors that you want to enable. Each item in the list begins with a @@ -71,10 +71,19 @@ heartbeat.monitors: - type: icmp schedule: '*/5 * * * * * *' <1> hosts: ["myhost"] + id: my-icmp-service + name: My ICMP Service - type: tcp schedule: '@every 5s' <2> hosts: ["myhost:12345"] mode: any <3> + id: my-tcp-service +- type: http + schedule: '@every 5s' + urls: ["http://example.net"] + service_name: apm-service-name <4> + id: my-http-service + name: My HTTP Service ---------------------------------------------------------------------- <1> The `icmp` monitor is scheduled to run exactly every 5 seconds (10:00:00, 10:00:05, and so on). The `schedule` option uses a cron-like syntax based on @@ -83,7 +92,7 @@ https://github.com/gorhill/cronexpr#implementation[this `cronexpr` implementatio was started. Heartbeat adds the `@every` keyword to the syntax provided by the `cronexpr` package. <3> The `mode` specifies whether to ping one IP (`any`) or all resolvable IPs -(`all`). +<4> The `service_name` field can be used to integrate heartbeat with elastic APM via the Uptime UI. include::{libbeat-dir}/shared/config-check.asciidoc[] @@ -106,7 +115,7 @@ include::{libbeat-dir}/tab-widgets/setup-widget.asciidoc[] `-e` is optional and sends output to standard error instead of the configured log output. This step loads the recommended {ref}/indices-templates.html[index template] for writing to {es}. -It does not install {beatname_uc} dashboards. Heartbeat dashboards and +It does not install {beatname_uc} dashboards. Heartbeat dashboards and installation steps are available in the https://github.com/elastic/uptime-contrib[uptime-contrib] GitHub repository. diff --git a/heartbeat/docs/heartbeat-options.asciidoc b/heartbeat/docs/heartbeat-options.asciidoc index 23f33c26a3d..5d29987f27b 100644 --- a/heartbeat/docs/heartbeat-options.asciidoc +++ b/heartbeat/docs/heartbeat-options.asciidoc @@ -38,6 +38,7 @@ heartbeat.monitors: - type: http id: service-status name: Service Status + service_name: my-apm-service-name hosts: ["http://localhost:80/service/status"] check.response.status: [200] schedule: '@every 5s' diff --git a/heartbeat/docs/index.asciidoc b/heartbeat/docs/index.asciidoc index 6da2775949f..35debec2659 100644 --- a/heartbeat/docs/index.asciidoc +++ b/heartbeat/docs/index.asciidoc @@ -51,4 +51,4 @@ include::./faq.asciidoc[] include::{libbeat-dir}/contributing-to-beats.asciidoc[] -include::{libbeat-dir}/shared/redirects.asciidoc[] + diff --git a/heartbeat/docs/monitors/monitor-common-options.asciidoc b/heartbeat/docs/monitors/monitor-common-options.asciidoc index 68194b28119..53a7e124281 100644 --- a/heartbeat/docs/monitors/monitor-common-options.asciidoc +++ b/heartbeat/docs/monitors/monitor-common-options.asciidoc @@ -32,6 +32,14 @@ it is recommended that you set this manually. Optional human readable name for this monitor. This value appears in the <> as `monitor.name`. + +[float] +[[service-name]] +==== `service_name` + +Optional APM service name for this monitor. Corresponds to the `service.name` ECS field. Set this when monitoring an app +that is also using APM to enable integrations between Uptime and APM data in Kibana. + [float] [[monitor-enabled]] ==== `enabled` @@ -135,6 +143,30 @@ A list of processors to apply to the data generated by the monitor. See <> for information about specifying processors in your config. +[float] +[[monitor-pipeline]] +===== `pipeline` + +The Ingest Node pipeline ID to set for the events generated by this input. + +NOTE: The pipeline ID can also be configured in the Elasticsearch output, but +this option usually results in simpler configuration files. If the pipeline is +configured both in the input and output, the option from the +input is used. + +[float] +[[monitor-index]] +===== `index` + +If present, this formatted string overrides the index for events from this input +(for elasticsearch outputs), or sets the `raw_index` field of the event's +metadata (for other outputs). This string can only refer to the agent name and +version and the event timestamp; for access to dynamic fields, use +`output.elasticsearch.index` or a processor. + +Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might +expand to `"heartbeat-myindex-2019.11.01"`. + [float] [[monitor-keep-null]] ==== `keep_null` diff --git a/heartbeat/docs/running-on-kubernetes.asciidoc b/heartbeat/docs/running-on-kubernetes.asciidoc new file mode 100644 index 00000000000..87b5c4bb395 --- /dev/null +++ b/heartbeat/docs/running-on-kubernetes.asciidoc @@ -0,0 +1,76 @@ +[[running-on-kubernetes]] +=== Running {beatname_uc} on Kubernetes + +{beatname_uc} <> can be used on Kubernetes to +check resources uptime. + +TIP: Running {ecloud} on Kubernetes? See {eck-ref}/k8s-beat.html[Run {beats} on ECK] + +ifeval::["{release-state}"=="unreleased"] + +However, version {version} of {beatname_uc} has not yet been +released, so no Docker image is currently available for this version. + +endif::[] + + +[float] +==== Kubernetes deploy manifests + +A single {beatname_uc} can check for uptime of the whole cluster. + +Everything is deployed under `kube-system` namespace, you can change that by +updating the YAML file. + +To get the manifests just run: + +["source", "sh", subs="attributes"] +------------------------------------------------ +curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/kubernetes/{beatname_lc}-kubernetes.yaml +------------------------------------------------ + +[WARNING] +======================================= +If you are using Kubernetes 1.7 or earlier: {beatname_uc} uses a hostPath volume to persist internal data, it's located +under /var/lib/{beatname_lc}-data. The manifest uses folder autocreation (`DirectoryOrCreate`), which was introduced in +Kubernetes 1.8. You will need to remove `type: DirectoryOrCreate` from the manifest and create the host folder yourself. +======================================= + +[float] +==== Settings + +Some parameters are exposed in the manifest to configure logs destination, by +default they will use an existing Elasticsearch deploy if it's present, but you +may want to change that behavior, so just edit the YAML file and modify them: + +["source", "yaml", subs="attributes"] +------------------------------------------------ +- name: ELASTICSEARCH_HOST + value: elasticsearch +- name: ELASTICSEARCH_PORT + value: "9200" +- name: ELASTICSEARCH_USERNAME + value: elastic +- name: ELASTICSEARCH_PASSWORD + value: changeme +------------------------------------------------ + +[float] +==== Deploy + +To deploy {beatname_uc} to Kubernetes just run: + +["source", "sh", subs="attributes"] +------------------------------------------------ +kubectl create -f {beatname_lc}-kubernetes.yaml +------------------------------------------------ + +Then you should be able to check the status by running: + +["source", "sh", subs="attributes"] +------------------------------------------------ +$ kubectl --namespace=kube-system get deployment/{beatname_lc} + +NAME READY UP-TO-DATE AVAILABLE AGE +{beatname_lc} 1/1 1 1 1m +------------------------------------------------ diff --git a/heartbeat/docs/setting-up-running.asciidoc b/heartbeat/docs/setting-up-running.asciidoc index 4acaaa6ffea..9fbf90b7dc1 100644 --- a/heartbeat/docs/setting-up-running.asciidoc +++ b/heartbeat/docs/setting-up-running.asciidoc @@ -28,6 +28,8 @@ This section includes additional information on how to install, set up, and run * <> +* <> + * <> //MAINTAINERS: If you add a new file to this section, make sure you update the bulleted list ^^ too. @@ -42,6 +44,8 @@ include::{libbeat-dir}/repositories.asciidoc[] include::./running-on-docker.asciidoc[] +include::./running-on-kubernetes.asciidoc[] + include::{libbeat-dir}/shared-systemd.asciidoc[] include::{libbeat-dir}/shared/shutdown.asciidoc[] diff --git a/heartbeat/heartbeat.reference.yml b/heartbeat/heartbeat.reference.yml index 3387a60e36d..687552ef33b 100644 --- a/heartbeat/heartbeat.reference.yml +++ b/heartbeat/heartbeat.reference.yml @@ -31,6 +31,9 @@ heartbeat.monitors: # Human readable display name for this service in Uptime UI and elsewhere name: my-icmp-monitor + # Name of corresponding APM service, if Elastic APM is in use for the monitored service. + # service_name: my-apm-service-name + # Enable/Disable monitor #enabled: true @@ -77,6 +80,14 @@ heartbeat.monitors: # Interval between file file changed checks. #interval: 5s + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # The index name associated with this input. If this is set, it + # overwrites the index option from the Elasticsearch output. + #index: + # Set to true to publish fields with null values in events. #keep_null: false @@ -166,6 +177,14 @@ heartbeat.monitors: # Interval between file file changed checks. #interval: 5s + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # The index name associated with this input. If this is set, it + # overwrites the index option from the Elasticsearch output. + #index: + # Set to true to publish fields with null values in events. #keep_null: false @@ -258,6 +277,14 @@ heartbeat.monitors: # Interval between file file changed checks. #interval: 5s + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # The index name associated with this input. If this is set, it + # overwrites the index option from the Elasticsearch output. + #index: + # Set to true to publish fields with null values in events. #keep_null: false @@ -639,10 +666,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 @@ -755,20 +790,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -778,7 +820,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -941,30 +983,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -977,6 +1026,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -1084,42 +1139,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. @@ -1252,6 +1321,11 @@ output.elasticsearch: # Set to false to disable template loading. #setup.template.enabled: true +# Select the kind of index template. From Elasticsearch 7.8, it is possible to +# use component templates. Available options: legacy, component, index. +# By default heartbeat uses the legacy index templates. +#setup.template.type: legacy + # Template name. By default the template name is "heartbeat-%{[agent.version]}" # The template name and pattern has to be set in case the Elasticsearch index pattern is modified. #setup.template.name: "heartbeat-%{[agent.version]}" @@ -1355,20 +1429,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1387,6 +1472,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog @@ -1537,17 +1633,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1570,6 +1673,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/heartbeat/heartbeat.yml b/heartbeat/heartbeat.yml index 367f59d37a9..19c3f79e968 100644 --- a/heartbeat/heartbeat.yml +++ b/heartbeat/heartbeat.yml @@ -32,6 +32,8 @@ heartbeat.monitors: schedule: '@every 10s' # Total test connection and data exchange timeout #timeout: 16s + # Name of corresponding APM service, if Elastic APM is in use for the monitored service. + #service_name: my-apm-service-name # ======================= Elasticsearch template setting ======================= diff --git a/heartbeat/include/fields.go b/heartbeat/include/fields.go index 9488b8f247f..6a2cf20c88f 100644 --- a/heartbeat/include/fields.go +++ b/heartbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "eJzsvXtTHLmSOPr/fApdNuKHOdsUD4ONuXcjfgwwM8TamDH4zJ5Zb9DqKnW3DlVSjaQC92zsd7+hTEmlegCNTfkxy5zdGbq7SkqlUql857+Q3w7enZ6c/vz/kCNJhDSEZdwQM+eaTHnOSMYVS02+GBFuyA3VZMYEU9SwjEwWxMwZOT48J6WS/2SpGf3wL2RCNcuIFPD9NVOaS0G2kt1kM/nhX8hZzqhm5JprbsjcmFLvb2zMuJlXkySVxQbLqTY83WCpJkYSXc1mTBuSzqmYMfjKDjvlLM908sMP6+SKLfYJS/UPhBhucrZvH/iBkIzpVPHScCngK/KTe4e4t/d/IGSdCFqwfbL6fw0vmDa0KFd/IISQnF2zfJ+kUjH4rNgfFVcs2ydGVfiVWZRsn2TU4MfGfKtH1LANOya5mTMBaGLXTBgiFZ9xYdGX/ADvEXJhcc01PJSF99hHo2hq0TxVsqhHGNmJeUrzfEEUKxXTTBguZjCRG7GernfDtKxUysL8J9PoBfyNzKkmQnpocxLQM0LSuKZ5xQDoAEwpyyq307hh3WRTrrSB91tgKZYyfl1DVfKS5VzUcL1zOMf9IlOpCM1zHEEnuE/sIy1Ku+mr25tbL9Y3d9e3n19s7u1v7u4/30n2dp//vhptc04nLNe9G4y7KSeWiuEL/PMSv79iixupsp6NPqy0kYV9YANxUlKudFjDIRVkwkhlj4SRhGYZKZihhIupVAW1g9jv3ZrI+VxWeQbHMJXCUC6IYNpuHYID5Gv/Ochz3ANNqGJEG2kRRbWHNABw7BE0zmR6xdSYUJGR8dWeHjt0dDD53yu0LHOeAnQr+2RlKuX6hKqVEVlh4tp+UyqZVSn8/j8xggumNZ2xOzBs2EfTg8afpCK5nDlEAD24sdzuO3TgT/ZJ9/OIyNLwgv8Z6M7SyTVnN/ZMcEEoPG2/YCpgxU6njapSU1m85XKmyQ03c1kZQkVN9g0YRkSaOVOOfZAUtzaVIqWGiYjyjbRAFISSeVVQsa4YzegkZ0RXRUHVgsjoxMXHsKhyw8s8rF0T9pFre+TnbFFPWEy4YBnhwkgiRXi6vZG/sDyX5Dep8izaIkNnd52AmNL5TEjFLulEXrN9srW5vdPduddcG7se954OpG7ojDCazv0qmzT2nzEJIV1tr/xXTEp0xgRSimPrB+GLmZJVuU+2e+joYs7wzbBL7hg55koJndhNRjY4NTf29FgGauwFN3VbQcXC4pzaU5jn9tyNSMYM/iEVkRPN1LXdHiRXaclsLu1OSUUMvWKaFIzqSrHCPuCGDY+1T6cmXKR5lTHyI6OWD8BaNSnogtBcS6IqYd928yqdwI0GC03+5pbqhtRzyyQnrObHQNkWfspz7WkPkaQqIew5kYggC1u0PuWGvJkzFXPvOS1LZinQLhZOalgqcHaLAOGocSqlEdLYPfeL3ScnOF1qJQE5xUXDubUHcVTDl1hSIE4SmTBqkuj8Hpy9AZnE3ZzNBbkdp2W5YZfCU5aQmjZi7ptJ5lEHbBcEDcKnSC1cE3u/EjNXsprNyR8Vq+z4eqENKzTJ+RUj/06nV3RE3rGMI32USqZMay5mflPc47pK55ZLv5YzbaieE1wHOQd0O5ThQQQiRxQGcaU+Haycs4Ipml9yz3XceWYfDRNZzYs6p/rWc90+S8d+DsIze0SmnCkkH64dIp/xKXAgYFN6LdC1F2rsVaYKEA+8BEdTJbW9/bWhyp6nSWXIGLebZ2PYD7sTDhkR09ijO9Pdzc1pAxHt5Qd29llLfy/4H1a+efi6w31rSRQJG967gYt9wgiQMc9uXV7WWJ799xALdGILnK+YI3R2UBOKTyE7xCtoxq8ZyC1UuNfwaffznOXltMrtIbKH2q0wDGxuJPnJHWjChTZUpE6OafEjbScGpmSJxF2npL5OWUkVnOIwNtdEMJahAnIz5+m8O1U42aks7GRWvo7WfTK1kq/nPLBUZEn+Kzk1TJCcTQ1hRWkW3a2cStnYRbtRQ+zixaK8Y/s8t7MTEG3oQhOa39j/BNxaWVDPPWnitjpxHN+1t3lSo0YEnh2wWj+LJO6mmLD6EbjC+LSx8fWOtQmgsfkFTedWJ+iiOB7H49lpmwOg+u9Oj20iuwXTi2Qz2VxX6XYsxuiGDFMZKWQhK03O4Uq4R545EITWr+AtQp4dnK/hwXTSiQMslUIw0BhPhGFKMEPOlDQylbmD9NnJ2RpRsgJ9sVRsyj8yTSqRMbzIrbCkZG4Hs9xNKlJIxYhg5kaqKyJLq0dKZQUer+SxOc2n9gVK7H2XM0KzgguujT2Z1164smNlskBJjBri9FZcRFFIMSJpzqjKFwH7UxByA7Qy5+kCBMs5s6IvLDBZ+sIUVTEJAs1dV2Uuw63d2Ap3JeA4VhGVKQhXDqLONjl5I3wdCN7tohvo2cH56RqpYPB8Ud84GoXngHo8EyeNdUekt7W79eJVY8FSzajgfwJ7TLrXyOeICaCmXMZYjlid1+9IV+UjIGOpQu+TKc11fSNkbEqr3OCQzR8be/A2WhPM18HDz1JaGnz9+jA6g2nOW7rEYf3NHcrEgXvTHjZPj1Q7AuSG27OApO+3yR1BC95UempzSoJiM6oyEB6tbCiFHkXPo+A44Whu49Jqn9Nc3hDFUqtXNVTXi8MzNyreTDWYHdjsF/bxCDI4gJqJoDLYZ87/cUpKml4x80yvJTALarulYyGdqdCsZEW7xqRe11FgM2PawuGkcY8lo6jQFIBJyLksWJCPK416hmGqICveVibVSq1ZKzb13MqBIloL1Hj03M9OD8SdnbCgB4EeGCHAHUsLlpj5ba6niOFHjdYRkZ/A3l6VrixC3Ki1AsaFBe+flcANAH0MNSxvyewZrMavkKYzpBWscL/W4UR7E1IwPOF4G36eYCqEw4OiGs0yollBheEp8H720Tipjn1EeX2EQpTnCDrIdkaSa26Xy/9ktXJtF8oUKNyam4q67TiZkoWsVJhjSvPcE5+/ESw3nUm1GNlHvVCiDc9zwoRVLx3don3SCi4Z08aSh0WpRdiU53lgaLQslSwVp4bliwcoVjTLFNN6KJ0KqB21aEdbbkIn/wQ2U0z4rJKVzhdIzfBOYJg3Fi1aFgzssiTnGuxWJ2cjQv09KxWh9mL5SLS0dJIQ8o8as05MA8Nhza/njCh642HydD9O3BdjRFlTyhRWCa+FyKxC2yFejeOEl2MLyjhBsMYjkrGSicyJ+SijS1EDASq927Faikr+113gVCdPd3gE1WRhmL5HtI/2Hi08zdcagPxof0DrTvCwuDPpSAJZZ3er9nYagCFhD6B0OB6O4yeNOWdMJik3i8uBDASHVmbv3Z03VkdgNO+CI4XhggkzFEynkbEiTNaB71QqMycHBVM8pT1AVsKoxSXX8jKV2SCowynIyflbYqfoQHh4cCtYQ+2mA6l3Qw+poFkXU8Ae71emZ0xelpKHu6npHJBixk2V4X2dUwMfOhCs/jdZycHVtP7yefJia2fv+eaIrOTUrOyTnd1kd3P31dYe+Z/VDpCPyxNbNkDN1Lq/j6OfUOL36BkRZwNBKUxOyUxRUeVUcbOIL9YFSe0FD2JndIEe+nszWJiQwrlCiSpl9sZwwvc0l1K5i2cEFpU5r0Xb+oZC8HJSzhea2z+8hyP1x1pHIJxKE7lxwX/D0e5QwAU5Y9KvtmuHmUhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzCmoji5T0whAeaxHlyFoQ0zxHhsogpC42x3pDjXYsnZ9c79ouTs+sXtfDZkrcKmg6AmzcHh7dBTRo2b5O08dJ7rG/BzYVVL1FLOjmzEzmdAQNTTg8uggJOnrFkljhrEs1jQwFBbdMbmhqujXBWIp3TKrVgfhQzkkuakQnNqUjh6E65YjdW5QEdX8nKnugWxu2iS6nMwwRcL+Roo3i/1Btjw47/veADddsHyHuNVZ/h258k3W034ejsyTJC5+37ceb24Dbit9xJG6ZYdtknVz7e9WaVmzmfzZk20aQeRzj3CBZSlizzIOtq4sXRsP8/1T4evKai4ZwuOpUKwkiSGcj2SSqLFcI1WYk+t11PGE7jXEoZM0wVcBWXiqVcW10L7CgUtV9wxEIYUTXJeUp0NZ3yj2FEeObZ3Jhyf2MDH8EnrI61lpALtbCUaiQaDj5ye/Xh9TpZEM2LMl8QQ6/qXUVtOafagF8DY2lQMRfSEFD6bliew9ovXh/Vzt+VVCbV1Ur3Lq2R0SAJI8tL2P4vQBFsOrUH+JrZWZ1M4/bwGbt4fbQ2Qm/OlZA3wlvJGmARh/qRN0cCikpak70bD67ILvG05w3DWjzWGALq+b7JBkjmNoqpN2I52oHvG2RTaaaSYSkm1sjQcC0VmoPt5OijKhiYSeT0No5BBXl9dHAGoRC44qMwVEwqq93VsYLyfKDFWfGfwAReZkm6AEyrPO+RJL9Lw4xd8KomdkkwHSgY9JrynE7yrjB7kE+YMuSYC22YI7EGbsDO+tUIEGYfngJxkYPF4HTjUKYu5grX513lYJHcKHNqrATSQ6gI54DqcrwTOFkXiDnV88G0dcQU8B07j+XJqVSKWdG3EfA1RcM4MChBqJBiEYePohAXkcp7zVwwyxhWwTM0aMMHu7pxCDJMpZjiXtG8MScVmb2SakcO8VHBfUQ1SExTh5SCDgZzdqF4PAX5q7G087mVttGqAsGFXHQXHfE0Cjyt4TmWFS4vOI79F7f7jTHRgCDpBf8CDEXAGTpVNAQf12GV6ADCmCSvTkBkErk1jHJK3jCjeIrhTToOn6KCHB9uY/CUpb4pM+mcaTAqRaMTbrSLXK2BtJTbDLhuRM5yHcJymiC4cVUlXEisYoU0IYiHyMponrFopjZkCBMlLmbTL8gTmKhfdQaxZmw4DloPBMGpbnKv8tlhua5BdQh7iIswBXPtcFx/9aJGEM4FQbmx44RnIdDanegFyfh0ylSssIPZj0N4sb0H7TFcN0xQYQgT11xJUTRtRjVtHfx2Hibn2cg7ZYD+ydt3P5OTDEOhIUigajOXroD64sWLly9f7u3tvXrV8nOhiMFzbhaXf9aewMfG6kE0D7HzWKyg+xFoGo5KfYg6zKHS64xqs77VsuC5+LXhyOHExy2eHHnuBbD6Q9gGlK9vbT/f2X3xcu/VJp2kGZtu9kM8oDgQYI4jTLtQR/ZG+LIbKPloEL3xfCCKmbwTjWY7KVjGq6YyXip5zbOlHNGf7eOCs+YnTPzhjPN+6I0eEfpnpdiIzNJyFA6yVCTjM25oLlNGRfemu9GNZaFRfKBFOZv4Jx63+DqWGbvUfCaovTob97LMGDlv/HL7BX0xZ5q1E0Qa4hrcdBMuqFrApCRMqpcPOcTg8HtEqImUOaOiD20/4k8gydIShAWOcZYOFos+F9XT9akZVbHVMOwt8pIHVRtqqsGCXg6yjLuQti6WgdKZstdGakV1BKUnDr1COdyliczstZ2qRWnkTNFyzlPClJIK87g6o17TnGexR86qUarSxs9HXjN6zUgloqgtPIb+1foVfz7r8cOwN1STSqRzll6xnhj/43fv3r67fH968e79+cXx0eW7t28vlt6jCjMSB3JcnePwDYYdSD/wuzoMgKdKajk15FCqUjbC8O9dCqCRLXNf3nE8Vs+NVAzl03gre7aHpPOmyfrvdk8pRPrVr9/2HqRhYeKdD20ageRq+VitNYIo6uKgpMgXzRysyYIYKXONUWwUzAyQFcPSK5RNkQ47JPOwgwzE+pl47ec7aGKBK6XJga6ZsiJfRujMCuGRNjdnNQ8Vpilp9h432kD+PWdpGcTUFwcweUfG4c6Iv7wjDjg82Iz1dFGYnXzeKMOwZKldjQMyQIFE4Ozjzhsnp/EgUXJ4dFfNWV5GVg1QdNCLF4bWToUSC3uzGh7MVsvcWEMaHurF86wp/PGCzgYVRmOhCiYLIUQIkCW0ScVzY/XAHtAMnQ0EWU1ZDi46a5mZo5T1u6ePUtfvSF5vi+kwq8sDb8w74HbUi66jJIIcijQ7lCCKo5OCCjpD5s91TQgdIQpT5iM+EoUcx5zkqPX1HbwkevTu0HRkuNHTEHaEbvGNZuZ4z5hRNPp9cejIflwc+rcYKN2I814qWjrcMq7axCNFS4dhIWr6KVr6KVr6f3e0dHwwfVCNKy3T3q8vFTIds8KnuOmnuOnHAekpbnp5nD3FTT/FTX9PcdPRJfa9BU83QCfDRFDz0s4W3/T3hA2zRrxwqfg1NYwcvfl9rS9iGE4N6CHfVNA0ROlGxhm3UjDZ1LgxkkwWgIkjBiWGHn+FQ4RBP0Bs+3Kx0LfS8tcOiM46EuVTVPRTVPRTVPRTVPRTVPRTVHSb4J6iop+iop+iop+ior9llvbZUdFZjteL9369fg0f7y7Lu0zEFcSb5HyiqOJMk2whaIFqlEe5pJmvfOyKrIJJxv38hoqFq1IXF2l1JaMkWdFzCkmOjXlWXIFcHz6Lhh4fSzepQjV8CPBgBseDWvQ0zz3qpjLP5Q0Xs30Pzd/IES5gPefiys23IM/GSZbn4zVX+M6riFKQ37jI5I2u3z9HcN9iZM6zcaJl33vvBf+4DjJbZ+0dWBpgLHI+6RuwoOnb8+Vdgc2wvOQ7intrQf4UBvfth8G1t+yvExXXWtlTkNxQQXItRD/FzN2CJysxJkW2OxBDfHO0i1M8CB49p1sDAXT+y8HWp0G0vftiOJi2d198GlS7zn47CFS7W9sPg2ogDt3Qdp1w074261KaBS21N3rHPB1aHUlBMq6vusfmiinB8ufbiZd8l1huSc1Qat1PVZ4jxHaSztpbwB/uf3CC5QesOf18+8MnLQgsjCUVi4GWdRLKzuA0nQ0a+WSYjEBrjqLkOVuHGNdHvYhLlkSADb3alov8ExZ7RuM4gvsXZ4e/7K2V/viru24WTn/gyl4kz5NXLzY3k62XO1u7D1ii7+BzCWsdNNHNLfRziPX87ODk9CI5/o/jByzRNdAZel1ums9Z30o4jR8+Hhx7NRf+fhsUVuRNK3cjIFggRKOs/tHp+X0WiJ8asbZ2wqPTc/JHxcDSYAVVKvQNi1p32d9dYrYTWBmHZNdQSrmuee/HWpBScQm2hhkzWEkah3WDPhtnQkOa4z48P15zTXQWfpJ4dLA6+1LMaC6r2xm5EXHaEDqs0VlCdWybcDCgWH3DFKv3Di2nXOM4XSjx1fHaQyKDGyt+9Jj11QNBqFJ04ZGBWHbvo5uIpnMHBtGu6rliplIiMmj6ZniuDFgkMTAC1u0rtnAoq+N1/d7gFmjm+7I1wpEnC3J8eF63zXiHJdxxrLmV4aGtQmwEKOrl4I9+ckFu7FvHh+du+HYEkt1mS34Q9YR+fOxaAr80Q8rtc57MyYEhBRe8qIqR+7K2CrhFFVbjiztoje0sYwscpP53lsF17RsZWWErDEntaCkIK9z4No5Uk1JqzSfob8igIrm9+WltKnFGQx933A8o1STFjjaNOPYWRSZpTgeLWMecfYrROWFDfG5BhhTDofERxpRgYf8Oszw57QU9qtswiIsboI24I0YstDpFusPBKBZN8HF0+GrJRKa97wWyrIFheZTEA/q1dwTtrc3E/18vFoaMW7xoOuEtxUXpyi3QSYll7nWzcRB1xhA5JYenB2+O7YGYMIss+35+zbJRzJxWVzUZo7OkZjEmyl+QwjdekkoxXUqL4mDZiwaBc5mQk8CrhDTe094e0zc3HEN7Bh8sP7Y3D4PGpJ1tubm5SW4Jw/A7Y8wyLufbApUs7iEzB2LIrsFCajk3rBcQ0LsJ3uZE03nM2NkU+FIjz4LrlKqMZQn5nSnpc+gLsNnMXSgqstAaf5MaaThFT1x7P50OWMfgYl7XMPhEFgOk2bQYMJoxdTnNfXPIIczfcGfLKdkmOTOGKeCSODOBmRuFSEpsZVQXO9gnBwcjcnE4Iu+ORuTdwYgcHI3I4dGIHL3tkKz7uE7eHdV/NuPHB3NP2x2yS8PYvdhNTTWYjeuWt0rOFC2QAkOb3oAE+wiIZZhcEw0EWWslr/NxkDnoHg1qe2trq7FuWfbEFT/64p0nSgo0l6MYhemwzhx9xQUE0KEA25BpSWhpGkcvQS9G43FXN4fBwHIcBmVkwAw4CeMxb8XRr++P3/2jgaPAGb+YxODa/LjbAvWSe4WDBgMf8l6EC7EFWnzvBXNaqyCTkGK9VFwY6NeXzim0tFaaPJuwXN6Q59uQeGchIFvbL9ZGEe1L3Xij5uVBQ8J2TEyntLRnimpGtjbhCpnBHB+Ojo7WajH8R5peEZ1TPXca3x+VhKSmMLIbKiEXdKJHJKVKcTpjTnfQKKPmPEq/mzKWxSOkUlwz5YKDP5gR+aDwrQ8C6I85n8aD7tiwzV89FvYp/vWbiX8NRBGQPyQxhElAxastC26BdQvBDol2GYUbaA4qoUusAKCBEYaZRjVqdDXZtuvcShxWgDRGDZzXEDacjF57rcdYGSGJCEmMojyH7oJMcdkv+PYj/Sn6GNnfU/Txg6KPa/r5MgqC05PuFioODg6akrHXVS8/J4fooGOiy3NycmZlOAa1wMaxaWPcsjH4H8fe1Odoh0+nPK1ysCBVmo3IhKW00sEyfU0VZ2bhlaOYUAtqtFUK7VAOrIQcfzTKt/wD+KIKAx5Qg+3PJQGraISccS2uQst3boI5C3slZOyjfbuwVBIPjSIBvgS/M6o5hKiFEevmeiipWOF2Krt1FYN20zadNL/bam8wSMJfQhHwc/WnGp6+hVigBnQDno3V+HAEA78P2chGDtFWJgX6a15e0MOwLtcTOQgglGXGr5mG7oWRa6HRzhAeSxWLQ6UyocMoU4St7SNYFooaAG/wd+6ABhCt+aGNOWChZMqt/5ks0fqaL+wQWspwrzhtDU/HWkIORAb1WlMpasXVYbV59m93VHh7vtXjHE/o8NJg+A3V9dKGC+j48D4X0Btm6HpsrPbVmZw1evnCfve1mVbsj4orlkGhs0eIcDg+PA9+VLjHAn7tYjQxMiFjlurEPTTGCH8PRs0EQTAC1lNpg/UJIdo777QPJeS3ORO4Z7CB2LU/yGtcZDxlmqyvOyOpc2BYgCw+dc5nc5P3FaWNVgPvR8G1ObMs2upvyrUppdk/Lag+TTGds4K28E8873dL6BqVk81kM6YcpWSjENhx+GLpEGZoQ++dQS7iEsh3AXaNgMf32NC2QPkBn3NuoLJkUNAlZ1gC2aLZMwIIwk+pvYVu8PYJdgzce240y6e1ok0Fjv4AN91AyeWATDT6tNwJCOCdNrhhYvpDekgPBM7QdA8YUfB9z2K9saoxsDY0vbq00sVfIQ3qAoMvU2jenLLg+wGMWmItc/ARso+tfkZfSNANuzvCk+ZK5ZpgYovDF9jHlJV1pnHEKv5Jr2mSUzFLTqs8P5Pgjjj2j8c85LrVUfz4eomG4qGRb28hQd8duT84PJdeXcGag4qnDV4QWM6BfbTVstyyh/ad7G9iaAhWMDPHcxp4U60pvJaBM8HFwUWaV66OO3htqAmuMtC0xKweI9QUtxPVi3Dj+aGoT+ewVKaML2LvStPXDdadTR0VmpDW7sb0/m/Q/eLE7RGW9+rp0j5h5saK+TS0Y3byjLoObmaczDU4Z1DDP82ltms78DtxP7qxlIQ/x1JBbS0otpOTglFdKVZgFwAImu7DbPQYBPoaesUCDcdojsmjxnHBCgkRKkxDP203XFZj2rXVvuaBZxlWgCG/Uiwh5wz3fIzl5+xFN8Zlc+MKPANT0HUL/MiTH45wHJHgILXzamP19MYlvlw1/iWq7XyyroCjBwXBOx+a9feclSPUk8FCk3FYhIjeIidQ+hNIoBZB51R4vPpO6OPadB021zKMMSBknWbZeETG7tysw7lh8NWU52wdxfxsjL4j70Fp3AYg30dBK1gfs8yBwvpq+FeaqfWSam2RuY5hSU2ZwoE+zHZgAgwcpCmZWjXIypKHOKcvkoaBXqhhg5RKDe5IbQsDZcUZtNzW2IE88GTOmaIqncdxxO29qcU/3O6VCZ+RSQX1NlYsfNGInOmmUS2SyHPDlON2rSn23c6OycJdFkFMx94izsrlHgtjQtoENwvnO0PJmmvkWfki7kviZrSbMnad/l2KkWVj9YhEVxMPVpvqw/hejXPzgg2N5rm8sRBa3TJtbpS7d9ySIlMcNVYOga0J+kaEya5qWJm5FfWiulu3y7iPZ0o4cfJlGrk5QzQdLApyxUG/hoy4CHNRdUsfslVpFi6NjOlGZw8nYGpSiajU5YgoNqMqy+PdB+4PTxMrx1T2D6mIXR7ocaBP4UUjr5mCW8Zq8UFk8pIdj7eE+aBNlHPIyVF3G3Ze7Ow1kY8c6B5ekNXGiCZ+3WnAQTrtaNgG3I83VksNvBVuxSlXUUKNYhR4m6XOGeyJVPYzWFFKXrIcej/cQtMZtzJE6orn/F+oH2poUSLboCb+ysRtUE1sJQ+3OUNro5X3fDGeEI3TvlJOBCnslay5qVAZHrmQQ3MjSZjWHbQJ61G5kfX7j2kczSJ8pjVmLOUpJBS5Sjw5hNWgYBRbm1yEgou3RBKvmUQstsC2wKuAdNyTkLGbEW4cl2hBUkjBjazj++ohVldBLfY7Zj/6Xi5GkivGSlKV6EaAl+LD1cSqVasR0iYe7dWKJy6l+Sje2dq9G+Wmx1lV25tbL9Y3d9e3n19s7u1v7u4/30n2dl/+3oxCzKihmt1XQenzKz7gNK3ANNHACLpWwBFeYClbKjDYzOlTVoWQyl83WN+Lpo17JpezkdP/cjlbG8WTh1vESCfjLOratdF5TWURld/Ddlc12LDpiqWyKIBnQy62kCZYtmB4K/c05gZVLwTJFTKr8pr0sYYHJmuj1ENJJrH9legM03PZlDSdsyTCRdjeSi1T+LGnQlbrTS7Kylz6HwUV0kXCef2vMvEDVL/hec57n0EHG9DIVi/hHLmpGzY0Ap7AMG2TkpBPIdbtmcfPzKpNijkfpKmdfo24xj5e5BkNzC4yrwrYPeWd6iJMLBO0dduVUoPauU3aFwnSm704/fderAqA27sGfIZyAupiq6r9gGU9fqF6Tp6VTM1pqe3h08Z+M+VixhSE26yB84/euJvMSLsBFP1Ske2nkEIbZZcPJgMwvFrJsU30dT+pvr8Ofjw8+mJWvZMju5pQMj1Sxlow79Gd6e7mZtaETMxYN6l6eZnkItwJQBeBq1Kl+LWPwGRQfFTR3AWUGqk6EgbIFr7eBAgD4/rCiWXxFl16cSFfEJmmlVIsSxynrG/iXMvO6A1pKp6gYBR7ovu8ZUzwsfd1VImfBAGKaHrTqwOfCKdU2tOFSr9Vw7SuCisxCEns2kDbGQVJwd293jU1V1LIXM4aRT/sVSOvfFgA1/sNXJH/r724+hu/3eOl7uzdZGtz6/els6OveJsZfWN6rg/g+iRFF4076FG0A637Udq2SUhP8WJD/LPp1OH3XBcDcKDFFtrxIkecL1IdHKK13aRXg3bxwV5rQX6HYvus4npOaM6U8YIMnIWGdawVd4CXVnO0loyKayRzeePkcYsqgKCRLRZdcGRORZZDXOGcLcBVdmNVZWGiY6qYXTMYK+svUcwAhCiZ16vmBkaBkw5NYSAASxtLDDdzBmlqIaIdW4qCo8+AW3BW5VSFUPtadVRWuOoReXLm6n4Gp0ksUw0myOIsUY4JRD3DWtqSovOKO/UBFBTkVVVZSuVMNKkUKSsh5AmHRo0ir2YgCXQtKbVbnsJJEF56Rnn4AERBuH/XRv7c4MjjVvhZQxWsXRFgBrTP3yZnNrDuef8QeH9nmTr7aILxwJKzMFyF0/fekf8dUsMtSrSV2CEWhqF0l8n0MuphmHFtJZMMDKNYDgzUWWY5E8tqorfSv4vfgShgozi79rr0+BL3pofVn7OSbL0im3v72y/2tzbR0n14/NP+5v/5l63tnf/3nKWVXQB+ImZu7xFoEcMUfreVuEe3Nt0ftRRoeYGu4JxOK3svayPLkmX+BfyvVum/bW0m9n9bJNPm37aTrWQ72dal+bet7efNOruyMlYx+qYvF6s+ferd4tY39sF4GRMQiB1zLrwxIiMr9VgGX06tM1KeW6klGFRKpnyYdbg/oIo7GmwwnZllvSLMqTQuVQHFO5/eCzWfnSsgMvRnDRMlcgvM72pdfJZX+6ItEXev764WYkbQehctdngn8tomEi0wAv3AXgUiwO8FUYqhcXAJlLLy+hp5FtaGn12SGd7PYdA6PBdFMrdG0PXrimh1cmyoSxO0b7xP7ejRfahDxBUyZnkN1TniDV5qW6/jsBK3sXHI1k+VAnqq0SJcwqzj7GA6g4RcK91qLVPn4cN9uEXkMA3uVtcWsYPXKJi23LSWMvysZh6b3vetRDFu9G6lYhFEFlBCOeQMesBIJhny1YJe1bujmdA9V4lDa4PFDNzGdvU8xKf1nTM0IsOpwuvZh9KeL7SzPHVtzq/lLLKxFigsNS7WOijOK2b+TulpFEG0nJobqthd2VfusMB1f77QhZXO5saU2Ro2v56ib8T1OHIDt4vwhRGfYdmVUV2dZN0tcd3fQesHlVWdxGzttio0jW2ESoSROeXR9/Gdn4C8f/ea5Fxc+djqu4vZeRdIWyjwo2D1RPD58jT2ITscRiOQg0iCH4XrqJHIHykt+yCuWhaqGPK9QgrwrgAzDB4a7M3VQbLdXb2/seG6Wl0zkUmVpLLAnmsb/7K5CaaPZbVExfXVpY4u79uu82kuaW+M0TuurwiMAOKq4lJxjHBuU6h2RES0zCvQv6Psp/eaOWM+rAzM6c71gEx6zlS7GV+A/dJq9kvQ2K2LWD0F0wD/k2Uw7D0LGmFMgk4peKTCIjYt2WxtbvaYUwrKXQlLV5d2ISvY9qaB2x1VLDAH6Zg6Akg3/Rl2iBtnHtHMkpOol4FYc4GRcH1hyc2WyVKzP6olT+jDelScu4F9a7VbeC1EbrUehfBQhN87AsAUrjtuyRF4ZehVM4WcfaSpIVJlzncdVN/IPxl7J8OpDuazYJjuYOuaRR2AHqXNBGYwYrBNmKB5fhri1l3+o99CrniQ4sKIcU55lK+AT3kzt3f30ihc2jMnnTifR1V6U0gUjhF2AoJ33KzcKVGpFJprEwtEjjJjywdce/YK7K3r4C7fsJ4Js2iGvobjXM4SDb8n/vcklRkbJ573+q/rpIjYuFgHy2LNFTdFW8xtOqmQq/k2KfXRPDk6X0t8NlnjjSAXObIm3OrvNyLMiJHwVh6vQ9zDuKksMQjm9uVGURNhwd1L5GWTpg1dqkXN3W4L9Inc67hwYUCx6yKiCHRh1G7yW3wX9pz+WXeZHCAL427tobEkeyBqxmF3OCwILQsuGNHB3BRHcsVotnCU5C5rT+i1/Tm6JvEAeuIg0ioQN1w3VK00ZSVmNIdJfX4R1Cmg9vhLATL5yZGbfOW4UrJkGweFNkxltFiJsp3pZKLYNSof/vHzi5U11AXIL7/sF0XNTDjN/VPrm7v7m5sray022o26/cbMB2bO1SeGYEG0UtMy0IosWtHVZB1jsVbgph8hSWFcU3R3kFpR7cR3IXkiTx8RJux+6yhgy/HVDPydMrJI4KIg97BUdktB5nTatk/ravcb+4KhVE7hX5SdxmWVGqptyGpbexAwNhSY8xKZdM0pK3uEr5k2fOZX11S9l1AsBJxbPzSmUHCxnrHSzDuj45XUbNVO0L0GQlOIdXe5YgICb0mZ05Tdqp3copXUJ/6ztJNi4fSTYuGyrK2GAnNs7G6/3MpYNlmf7k4213e2t/bW915ON9d3aLqz93KTPt+bsru1F08PU+6M/C7G/Sf/+Y4Q9wMsTNqKh4bCHR3/EISaazKxclEzWMyFbNtfIXbOBynbsd3K/f7/BJVbXR0wJ3ZFphw44GDx9Vvko8D9ZyqyDanqxZJG1MvIVaIIdsPJAqc88XZv8qb2OvznTydv/suXTNR1vLe9ZHnK9FqCL7vwf2eF6Wn8TSHVmGWIzdZ6/HGMvMLO1PSguGmMxfoMwWT1NXVeYhJq6FrRwg/da1n1Jrh6KzWGbxlF0yswqaAVsCf8gxqj+KTqdDYeoEgR4j3MF1//4UtsFIHs+ZqqhaWN0G2G/MIUhqlBFRT2cU4rDeZLSGCXU3e3NLm1ZQvM1z7y8fTueNr7kF+zEdhyIZE4G9X9fewdBY0AYpcJ+8jSyrARmfMsY2IE4ZD4bynyxchxyBG5Udz0mA5X/3PFP7syIiv49Mp/fWql9afOEE+dIZ46Qzx1hnjqDGG+784QvaH9D5MdQA6CcUAYhLrRS4oLEFGHxNZ4vykspFH42mNJN7VA4GQuihE2kAnVL+/gb6GALQzjNhAlh6oEO864sFONncrH7VlhmoxhFeNIX8Vgf8zjwNrbwapnHx1ZTTMNw3lt0sMdV/Bu4auR9/fYVxw2SHa+ad3y1gWA2kSpW/31g7AzFJShwWHIug/qDLRyd1Eqjk3FebCZ4tdRdAQUuHRmh8gU0FnhxlwWbIPmHvNhpXa4SxzmcxfbS9xHCkRRLMR5x2qbhglgzIrl7JpGlua6dVlvNF2UPlGWTFlFFy+AhvkOrs+8r1X+4bJcCVAzYFMDYFlhks5els6uFJrmD1Zh9Ezxwl4E2O7y5Ig8+/nkaO3Oo7S6tbm51TzwtX44NITt3gE9LQbbB+CL9h76Sg2GvmIXoa/YKqiOxR8uOfPEjl3biL2gitxNhL+9Kal9VrZ3Xzzfe948LQUv2OWA1SzenLw5xjhqf7v47E+AFpTCZrciRbRRjELcyWRhIlNCpaEEgzMW3tzcJJwKmkg120CfNySAbhQs43QdLMHx38nHuSny/zw5OD2oWfx0ylNOc7Qb/9fIXRm+3FmC5YJ6csms/FGC3D9x1QTDmJjeGGK/o6X7TLtlGX8xHCW9sYQUo50LIlMrtgfqor2lRFY3X+xstkjoMyXSHoE0SJIUQolBdWgeswFLA5+2G2jhZR7q/fibso73N3FH6g7KfHHP9kUqb8RgkWpoPrYTrIIFRUHa3/330+O29/pqdX2glRh0EYv0k1FrI2FvsTRoR/ht6KdZJFQ+TPjduG3vn7qOPXUde+o69tR17Gt2HYtCefifDwzk6zF62UGsGAEyW6Qxv42Va+SeUMrHRTxwTVbsx55Cw1svnu/tNAA1VM2YufyL3FIXsBq8pyCYYlGAr/+LlZqDfQMJ9RlSYcYVeKgdJGsd6gvu5BBcMWi/ESu5gCHgPRgCVB0LHJVBfHbeshKg4HO7rSBYChhmjbs4gJ/dxzvCAH5mMq6VmVKlFpjEh04tWgv+YGrCDm2hMFGwpTdjPVwzVxleib1lobw4pmJjwCNL55A3XqcYWMhOzryLVCqnbKh1XVk9JdjGlyqhyc1iKP/Sod28XmH0jRRW72tmAmDsDBOD+btOG34uN1m3nrNUZk4OsLBdC8BKGLW45Fr2lJ1+HJThFOTk/G1/tenDg16QhtpBB07vJh5SQVvWbU/V94AyY/KylLHsFauIUsy4gYqKIiM5NfChe8L/m6zkUqzsk/WXz5MXWzt7zzdHZCWnZmWf7Owmu5u7r7b2yP+sfilVcvW9PYI+ZKglnNKAmpH3d2CQnZySmaKiyqmKXdfQTjOFCCvLbKIr9jAuRhLJFly5VGmItMZKS2SaS6lcyPwInXZxlb8wKIKXk3K+0JglB/mGI2APGCPS6tlYpzFBSCIXhFZGFsD9IvbWvegnUhsp1rO0sS+KzbgUQ56sdzDDXQdr/dfDPpgGOloOnt6T9WvFJiz9oc/O7e+v8MXtN5i9VNF4HZVq7Qlnh2d0HbzTco7EYe3LFxgftqdIo1hU8HiZsGDIDimYSyq5raUPFeT10cGZvUEPMC2z9p7F3USaLGQwIej2os+4KNeXEi2+GyFK60vxtxjnAFDyQ0+pIEefv/jP95QSnmPVHyDPmiLrnBP4neYzqbiZF6GyLFcu9CyKoWR55qLZsBIxhKXOsVUWhpq/OdodgQNjDei8VMxx64QcZJkHYxpCHjEC1w0xWUDCuEqp9kalJnDIjC2AaLvGehaQI6ZZSRU1MnQUproRXf1MC3qF8bMjgnlwc/r8cndr+yFNi7+0q+nLe5m+joPpS/qWwnmSulGb+xf/+c64ZQgSbsctu+xusDRUBsuoaENFlDx1fHgO7yZ/84fg1oz4bpwvTCpFXeQ51ntCEW1QNUGhua8YNKwVnTQtC+2cquyGKjYi11yZiuakoOmcC6ZH5EimV0yFTqLKpW78ezVhSjCIdJUZe1BVZpXOuWGpqe5NfP2UjX/bSrFuzNeRCD7uvbh8sfO1bli8C+U02jtPav6ave2OrQMrUPZMY/HVDrK6qm+7fcOIUpFTZn48eXve7fL1movqY8/YNdDRTGFEuPd9BYGeeI23pxdvz98GzNxjU5sxmXxDijSA860r0wjkN6dQx2B9I0q1BembV6wtkE/K9bepXNu9+RYV7Aiur6lkN6WugSBZ/cWNHd9IjUrBdT+DkCF941P1xx6yMSg29vy6hr5eK4T72IlD9yisj7Mep62iHBDHDR/ogEdfOo3mN3ShSQWvjCBX0FUaCEaHglHBxQwKX7i620xccyUh0KfRVt3tH/SerhSoiZUv+DaeMGqAEY3bWCjvwUJ/E0gQRnlZNz5s9V6i6QDI/cVt5m2zDkWjp3fSZ9R1EikzosqIGt8L/tEXEnGMEorK/VHRHIJ7wpiRLOfb20BlB9djPTT0qDRTiasCAl16M5byDKqtWXEUSKlm7tBVs7X5UidTWvB8qAiMt+cExyfPvJNGsQzStjM24VSMyFQxNtHZiNygONz1t+GTHbir/BFTmr+a/7Oj7uCuN6N0QsyD677WL/LS1OL7jfwnvWZtbEUFpgbY5fYacLYANqjbit64Qi4dyHeSnWRzfWtrex10cp62oX9cAepb2+s4gs6h7LbN/Y82Zry180vtrJ/PnWcr90k9ItWkEqa66wxTdcM7Z3jYkKEO8MvS49ZmsrWTNPvqDlZ2w5VXbl0rVoM/zGWVBWXc2wnqindOqsHgBSihPTbbScEyXhVjKKJzXbRKGzYsAcEm1Gish9XvwMIbu+BrOSSM2CePtKpOlEuGxd4WVXOObQpqSS4UFUAze3Pbnm/vNqe39+PXcrhA2MaQ/hZYHSsoH4qtW9WSwARe3kq6ANhr+JHD4b4af7YLXtUglvlreEroNeU5nfRkthzkE6YMOeZCG9ZiboAb9Ab9dT1+0SK/aedfBOeX9gO2gBiwc4hXPIHvgAcOyu4oDL1q8HJo3ugYlCBUSLEo+J9xN2lAYfj4PhReHMMqeDa2lIIfvPaN+k8qxRT3ql3wQGSuAngYttl0qYGnL9M8OCTEw5xdKB5PnfxqLO18LpUPtYXaEbXpv150Ixtigh0BgunHmEaAxS8XF2fw+XaH20/ebR1i/uxLUfNC1zmbjCuV+2pcmmEpThNh2AKpcg+vYn9UTD8g1MK/MJHZIomzqB5YqDN+tYncONq3BSaBWdvo3dt7eTuILuHnL3CRXjjjBm78nRj5heW5JDdSubYaHcwMsG8XEmsz3LF7zyywwLTmjFrpu6vSbO0879/Mgpm5HOo+XG2gFKdqpWZH5e2wqfOExcVtjQwBG1iV7I+KqYXVg0IX4EymVeHT38LYvvfvyomvXGp1q+PD856w9RkzI1JCh+eyMr1oggLXarDsr3du+LrwWoy5zm76jMpJLmeJz1hKZbHRgl2XUmj2xXkKTrssU4mB/Otylbtwcjtb8bj50nzFQftpjMUBjZVwehxVn19zuolTVy+o11+1s9mMtxjWiANw3WYV2wIjTZ11bpia0rRR2PCk8eXdQaFhgE4Pf4gLTaXKCBczqwljf0T8szkvaYi9kOqjWCmVK3VEhS/Mq9pFkImSFWRX5pJmZEJzKlKm1sKowWjDPoZ08TAW9KGC7kg9vfATaOFm6q4hbszQKSQMU6MAgfNjaSa0VK50e0kFsStaw6IhMRyJw08PKnpCp5aX5WjO6VA12gKJ4CzopKh3rFYvRz0OaL97gZuFst7Y2RdNaxaVXGiesRGRlXF/KJIVf4YWHzXqBS36zJLuxR/u4ZqDx+PW+Do5aiOrQd41ts5P35x1zgkhJ0c93G9z2QUOnYTp94LdThHdPHczvwf+OiVkFvOp1+7jHXGMR50Qw1BE2xcFLFg6p4LrgkSVAkMzlijZCjrL1GGN0Csl7Na9oY2d6dy4oes01BDz5VfD/FG8fNP8hPXYw0RYnd6PCZ7NuGz738aNhfi34laDnTr/rRUKaWARLIvH/1so4jupDFHUGcF9sd+/gdXDKtDww/HhuUPfA4IngVCbRPs4foS3vuOHRWSI8nGb1W3oOe2p04X4cv4GDeE5YSgFclwFnYh8uf1GkT9X+Qt7QFNDZpLV7QVgEHRJxE3HM8m0WF01oY+0FFEvJl/Nv6xMvJ+Bmizdh24DULIkNPOJex2sdXrzI9Uh0Y9vqBLjERkzpex/OPyrvrVo3tMDAIptNrfV0pIaYF8vWp2NcCJ3l0D5N6zAgrd8XS60AjKPS7LEo6Q51T5KALrzeNUwzAC3ky+5TNJKG1n0u52lmiUsp9rwFPv6JRMpjTaKlsmP/q8GsjCVHooGJDlfqhUBdCIMCO5gyI7S6pUSSqhQLrwb3ZEduNBdy3I8Ne3eUNGRaa12Z/vWpQx4HbWp4JEWF5UyNI5yLGM0XZrrL+0Vtjf5J72mvYipRDpgyYsOXtx0roLjXGYdVNyzv/Y09CxkmM6c/rgC44z5t+/USdv9zEH9jZ4IGzthU0ioKXNuMJfBkKpsNAcoqWr0xD3BqCUFlYcwl23shvVGWUReHN+E1f0VhSLWdsRmCX8WA9doJdhYhl/sqLMg39UtjIkt/FyvD+iEgLWQUideU8zsRv83E6mEoBmpiGA3wBes6FbI6/gQSJJC3daqbIP8uY1OiZauj6m91iYMbGtxaNfEx3mAde6z+51CAC04xt8sgkQZ8nPgIlzi6GGJffcVfrjsI+vO2XNXbSiW2uzzxWOxAvJY7NVdcBNzpGtO3TAJOcuZVU81Y+TdT4ea7O5s79itfL71YifpWVoypSnPfQOfx7aIrEYr9C2m/IQd2artKg7rO4jbINWrsjRkl+XOSLuaJhX+ygvdpTbDkPbd7edd4th+fieOBr6ffOcd9tGsT6hVBJZGVmsdQNQv+9biG8o9+la3tvmWxnWfvsWsHpJrskf+ViPnX4OkmjR5T93QzaobyN9D/wDXUgVYsqOeQCgw89arrZ5iMs93+9Da6IP1MNzee2LaTdnuPzF9zb9czy+L45phxKpKnRnbnrjmNIClts3t5Oh8bRRrJVat6ADvTuZM9jYJuxP00LfMKznU9bBPTat1mb0N7mpd1m7itlS/sl6eEDZ8yMyUb4EYmg38wqhLEQGYWW+hgEip/YqbH0HR7bbgdNRgLENDbmxyOo2+uicd3ZuBmzm0aI8uiko4cQzLOMlrFvoa1wm7BIWyqEGPy4HVDWuOe+KTMm796D7SwA3bbhkUOgg/IOe11rKHOi4HqMnM+DUTro9WNKuzw5RKGpnK3Kn6XkFXE24UVTwiHCwG65pVG3tYNMrIBZROc02LRiCQ0lxLmGyBikD9sL5alJFJhqd/jOzNxSZSXo2IubGynPKtzOL6rlbz0NxUTkqvq5Bj190wIpSzAljqIk/2FspCUae6uyUcqY2MaUNOzrC+lR6BI0KPSDTmDVe+qu436BmnvGiQVo8jcpmeqLc6IVfRC4neR5C4wQ8OOzKR9txAZJ/dliafHbvOofDmGISIsUW21Zu5FOF7xciVkDdiRMb+sLqfUFSJ+tnrqui5kV7sNRDgOIhZXA7msVg9wIg4aKaH5mAB2ZJ+ceTkDF16jpqoJjcszx2TC+vxx69OP2zyv9oCR6GnyTqdCamNvfkMFRlVQGO++nMYdpo36+u/ZlS5isvUhMiEGTfzagIxCZZAcj6bm42AvHWerdtLpkfo25+//Vd9uvPLv775effNPzb25ifqP87+SHd+//XPzX9rbEUgjQGsHStHfnB/+3t2bRSdTnmafBDvmF0P7Dmptev9D4J8CMj5QP5GuJjISmQfBCF/I7Iy0SfuykziJ9+JED9VAgj3g/ggfpszEY9Z0LKMWj8C08HLyykzRd0JzrlgR+FCiuwc8ZiBc0GSvSaQgAzdwTi7SRCGWyb2qJGKlEzxghmmEJAG0MvBVAPSgMD+F0QeN1k8cpg0WelayADbDbqZSnVDVcayy8/JJjw583HmdZtYd1yjn5y9rFTyYzfsY+vVdrKVbCVNKy2ngl6iOjUQgzk5OD0gZ547nKLm9uzeKu2en6wjcN0vsF571MP23PERuK98tzn/lnb8h+bQ+xw4GEg8p8z8lMsb4HAa/nLBmWHcXM68Q6By0Zl9a+rW020iWixXzfuTDE5OXE1gkthxSbPMcWPXa80yWX81XedUuIdjA6DPRkejJQwJNev//vrgFKnvj3Uu1v/ALwxFf2fUgo4c5FZWiGKmESDf9ITYiROO1kL4G0tznAD0EVQtz2SlozEBEM1E5ty4lk3ijgar7t7mdrL1B2EipaW2Jx/kLSs/tmI3WsrP74xdjchvXDE9p+oqWQsovy+swC4gcasb6DgB0rvBBY1Ak87RXzpuIFrBgPrvW6fM4WJuCyO4dTkPDPYYOq8B1ZLJgkhIqpMKaMzJvbquBuGPXXs5P0O46m98yhtglzS9Yve2jbzd3gSirhvkk4Rd926PuFv/0iPw+h9rzciJvv0i73YzYs7z6wGkrNXXLz2jrKVV5DzsYwKy5IjkwMv/SVOrw4XgjKBbfns6U0hCCHGmHuohUHjuzqrf7Eh8QH0ZEr6or2dnl/jvOE98DIkXc2sM53RhxYIqK0fEpOWI8PL6xTpPi3JEmEmTtW8P8yZtIX6gNFgXnvj2/ATasuQovt7E6aqerF9bLCYWdzuIwcg+UWqWjkjJC0Dot4dOC3QDn9/zPfpXuEGDm9+NAk87++jb+Lu76gtGMY+d5uglg95KjpeMQvF2LOzRMStip8YQSJcxw1Iz8uNjVA4G19074npTxncKpr3nsKG4btZeD6nhIdzHlxXEQSn0y1fQ8B2W2mryLsWUzypV77skqhLLI4BoOTV2usSXsmmXOfT2ej0iN2wCGiBn0JjfqAoS+xFdXIqNUsF6YVxfcsXLw7Xa/IM/wVZAdsPGIEUzgn87lxo0gM7QFqsHZ28canTyQ812An1GFm2KnT5vMWi7e8PHHPMpoWLhmRxgHdepA11oH2qJtKFr4f8OfMMqvA4WusyTNy725I+KVTgwOb54DVUypQAS8savUsmUaR1ZL8IwoZ6rYuD+SCUErFnJzOMDogOPD88fYIVncWj5o+uX/rgnLqx/LlGfqyPYwSQehWmjmg/tLmkRmcktY0Sa+FOKZuqtkQSj7/h04fMHvP2LkHOMxqeqaFic6qvG2cTbul0rLt/7TDA83+rzt4TnYywMNWwmFf+TBUiWvQFwAUlASfIUpv9gza2Dw7983H5nxd9nIH9nQd+zLBcv4TsX6TqLskx4KNuIY8PA5+U0+CKCse6O1REjw4GKeTCkNNSeKaoYBNa5y8KP7Oqh+65aI3LsXB31NXT05vcR+eXdiLxmM/uEVTHbGD2rJjlPL3EYtnTPt6fCvk+FfR8OUu+GPhX2fSrs+1TY969X2Ldd17d5qde+mC+j0/m07eGVOj/T96vVudGe1DryOdnXHST+5fW67pK/d8XOr+h71uwaa/jLqHZ+VV9Qt+MilUUciPFpul2dj05x1KZel3h21dHrQJ8Lo96j1x29+X1pVH5ayFYdklVXuem/44epBf/m4PB2ABrzDymlH9aZ0V0khM2qo0LhQbDhu3DnON47vNmI7p6zvJxWeVyjt77upnUkUHBWBAcCxWxJlteFbDCFU6oZFfxPlKkbcRFCxsnekPnIWMYypwBgKifClbOpIawozaIn5vQS4vPOf25sxFO1effDt1aB/Kna/FO1+adq848M/OdUmy+VzKr0EYv2ddJ13Qy33FwtEPX25mYDPs0Up/mwMdVed3eTOc28KVoMVpV/7srqt8usgXWeGkogYgLEwamSRTNmTrkGP1En1RCrXY+0KJlO+krS+Gh6Na7FvbG/3aE+TabhPyX8B25a+EPmOYMqNmg/sH/VQQk9OYIN7bku5xclaD0mUv8OAy9HcOeLggrTMlb1nt/H6TnpNyViiHUBkFpWgnd9dFD7+3tSKONxfCQIE4qncyQoCAFpVMwOeY2pLEoqvNRkxUCwpzaIsZXkGOdU6lDP0IqSkG1KlaJiBvE8U54b5qy9UH3ZC4lQ7gJCfgU86AXNAEa9nodUwPoKleKb4i4ZTDX4eld9TFteXKtvvgbZhmvqHK6pe0j3AoIyPf34kgP9ZCpbN+Dy1R2/S63gSSVo4eh2leA71gf+KhzikZWB71gT+ObVgDg5xtf4ctz7LPrqTqZd3/m382y447WhORauwuhbP6uH78TUpbt8x/Seofxro+DNQgKLGIfmf8ajQtGBMLQDBMd0gbD1WIb7/hVpdIkvVbjh1mblj7bjbk8e3Kd8UvE8uxyWGlcPXEpk767ZUw9Q1Ns0dfmQjiwCnwlUEb6JCriGlNFUFgU35PyXA4xSEBiFziCD2g/RUxBgujN9yfZeZdmLrcnmq729ydY2Y5ubm5NXe69evNh78fLl1mZaO3jvMWinc5Ze6Woo3nTohu8gy68Q5M5rpkKVum7W7N7k+farjL7ae/WcPd/ZfPUqfZnt0Ww3nbxKX+00de1o8oFWdNSMLoH06iYXCJC/LZkIdXiUnClagBKcUzGr7NqNdCSlwRW7oVjO6SRnG2w65SmvQ85JHfDf1A8QnZc6lW3d/hGdhxlsjZiRubyJFwx16sKOuiC7SjO1DiEtIzLL5YTmHbzg130LYcvoOxk1/S0PLOODLOBe+JqYy3nKhB7M1fEah3cFkzFXvI05f9ibzaMIJTr0IXI4hZglN2KssilZkPOzo/8gfrrXXBusH1MzI6k1n+SszrDXZfYRsuvdkHpjrctnDkqazlkYeDvZHFDS670ioilqypFNwYqaoTqEnVEzjyrx+H3jHYKKoNuotNoA0t84ZHlO1cZMbmwlW9vJq3ZnFCi5lQ6Fwl9kYUFGm0WYjLx/9zq4u7wEA50SuK5FEl6XKL296mAosyItL7PEtOx9YwWbJVb9oIqEnmIazUS698j29vP72pQ+YkE3ZxDtygLgrnThSV7ejEkM6hXbmUe+qrqZ0+YjBRW0rvBMXM6yzwTbJ6osRiQrr2YjMlHsZkSE/WLGihERFXz9T6q6Z16VxbLbOKwk5je0OUvcyWQ7eRUL/025/5j8Au1iPkXy/w2VI3ImlbGkT44/srTCP5+dHa+F+q3Li9VNi+QgsT1WZHXTNGzGlpZGvtpfRqiBp3jO1q2W0NVeodyZnBpyKFUpVTPZ8h6SGF70CkvNujLYA1d6RuMw6HtWZsceWPcIS2spFw9c1ovkefLqxeZmsvVyZ2t32fX5CtOXsNCh49DsKj+HRs/PDk5OL5Lj/zhedn3DOgjDovq8hA9c3Eo4gR8+Hhx7ZgR/t23RK3evPlp76qNdPX+MvrrbD7OUYcRP0e9FSamoPSl1h1WX+dps/wT1Jv1whGcbESm6Wl+N6udgcB/76UvotDo1VucydKF9EyicinCjWT4lVITdtasqOeaO2wdRLfFlwMB6i+DWwfTLWVFmQ4X/rh4oRReuihUgiaoZVFnQI7toBfQBeLQLohMt88owrDQaRdlB6dVwr0WyyRu6IBPm3FyImVJJw6ACq9Acuh1He9aRIdzHdZSFJ1xs6NDEd52s5+FPqyaGD1ubif3f1osOIi8h2+ZhAmNLE2NiZuZBVXfEYscGx96iv4q9C9uqsJlvXOHClZmzKLCfJlV6xQyhguYLzTWRwmrJYcjC3shhk8iN1ScCN4AWrlTFZ4i8gUKG4YUCNySq8c+dOo53hK50yVMuK123jO3IdTvLMspUZuxS85mgYJdjH7m+t97QRMqcUdGH+x/xJ4ywL+2QkJ9PwgxxjbA20KtGVWz1EyHHlnyDncL77IQpUwYNWr47YE98Y0RbvkVUqhalkTNFyzlPsXOOro9zPOo1zXkWZy1B66hKGz8fec3oNSOVqOsmuBYD/tX6FZ+nV48fhr2hmlQCjISh+XRcOPndu7fvLt+fXrx7f35xfHT57u3bi0/dsgrTVAbKsDnH4RuXM3jnoPKvelRJuLUyQPJSlq07ztLquZGKaVckqd7ons0j6ZzyOFT173bHUXaoX7/tPc9yrJwC5S9Yhpk8jQ5Wrg81arGQY9Mo0TFZQElXjdG7wJlYvkBjM9ofkEo7BPVZpx4o+zPR3M+zIHiEzzi2LI24F1qurWQ3o1xo07hiJ1xQtSCuqWyzZm33bNLGXtxz8B6Kp6KgIrtcsoHU1/HPNvfhpyrPPdzYsgpICe5L15jI3Zlt97uXesJcTvppST1I1DTP69u23fyscw1/ulzUkIfIOhRFVi25Z5kkfYhlGrD28+1xQW0pH6XvZgoZMhW83lyHwTrdA4OmwBuCleF0HM1XX2RTcgMh/40K6WCIhZxcDwgGIMDhef/+5Ghk1aJCCq/dkJ/fnxzpUXw/0qiudWGPn11qvgglprE0cKjcA0657qoPpdBGVanB/rGoNOQLN1yMOchhsCQsBSmVZYIpuHwKbvgsvmTPTo6IYpVmjVLade1rXxprCt1WcHnQN8DqkCNC7VWl2yFnxGdPWuxJbXqYbbqd7uzuZq+mr149f7m7tMuwPkPfLC9ZPtbjoKUjxbTe0JHuOM8t7HDzCU2nuzGQdiAUUZq6S51MjqXTmVVEoipVvSUpo25JEytuu0stBN/Wk/nzjl0nsP5tbESw/wAX7nEabble3EsQkT2KSZHtDsTI3hzt4hTdSfWcbg006/kvB1t3TLu9+2K4ibd3X9wx9e7W9nBT725t90z9FwkGW/UXCobxNSQEy381SV1AA3r4nYahiOYFz/vcLG2OUVJlj+3XsRsNYvx5uM1nGStujaYnq9CXtAo5xH+/xqH+BTzZiL59G9EtO/fXMRX1L/DJYjSUxagf30+Go/vQ9WQ/+kvYj9x+PpmRnsxIX92M5Gnx27cmDWMwegiKnkxKy2Pri1qWHgjWl7M9PRywL2idejhwX9B+tTxw37SF6wsZsZbHVjlbSt54UOT3SX1NOo4GsVmRpYvpBoOeMDu+vRYfutllG/plGs/eEbMeoty6ObbbO9sPBa4D3WNE1UNXcIe5VVL2g7r1QFCB0S8B661ZPlYf5QVrbKsT67t2ou3NrRfrm7vr288vNvf2N3f3n+8ke7vPf3+oBmTmitFsubKGD8LyBQxMTo4egwwclANG8Dpwe1Pacfb1pYsteqC5+V5kv8BGAeaWVGRpEb4foWKAfDXUlqM6UCumaxxSgXm9E1Y34d8PQ0YV7AglEyVvNJT3MaAxcOOA8BIoNPmhM0bSStmBcug+KCITwLL7UZUW8s8QNc9ZKkXW5Luh9VFVdpO5n28vHaruYLyR6oqL2SV2LJTqEZMrhqQfSyYOdBJAbzshOorDXBZsg+Y8XbrgZ8mS/yVJJyVL/rp5JyVL/uqpJyVL/vLZJyz535iAEiHgWxT8A3BfXqwPU39toT3k5H5DInm4ar+iwN2C4VsQpwNI37Sw/AlRNd+fJO3x8/XkZA/B9yMFL08YjyAi11UWZlwbhxWX+/gu/u725MefMHnRNYW1lOHzwv0AvoAfNEsnS6YGQt44VCcYiJ+svnXCFNZAIDeKG8NcauWEavZihzCRygyKaoXN+UmqsEDVXWBdW+qcmb/TvGLHH8H7+Y7Nfq2YWrjvRk2PP6RP6hJpXNbOO2hBhQ69cV5e2u/GSQh5kb41wqQyXm6px5wwY5giiqXymik64Tk3C4CldkfUznF78t8d/3z548npwbt/4MqZa2vd48j6/dcfq4PDzYO///rjxcHBwQF8xn/+bVlhB7YYb5/7gqM+rYY+xgRgnRu7vVA9DeZzVXLrbT0LiKCaWB4JUYB9b8K+uD3yBJAAWWjoxxOGdM8HIoEpyTOL5PPfR4Ds4/84Ozg9ujz/fQ3pIXYUBRh4KNxCoGSqq/OGU7I/KiZSbFTgJgQCtqO/ef/64gTmgrH9cNAjOIx4TRXUUSI5hPnhsKKCPnOw1pqi7ZhHv719d4QEffzz5a/2UwP0iPrabYixAWHKC5oTxVy4GnrOnrFkRsYrWyvjHrfW6n+uHO5/UIZ+UCy7NKb8MOHiQ7GgZZmwj2zlv5a22gDBDVTa+dxQkVGVNfcbL1THRXyQim6vEEli2VXM+fUQCziYTBS7xkq/oBV5V6Sdr3ON/PLvr98sC/AVWwwA7y/8mmErcn7tPMxyakfq3nnnb3+6+O3g3fGHWmPzLPz04sMhyi5/R5X+w0lhBZqfeKhnYgkUm9DoDzdcWEAt3S2t0nUKLz3K8iFox44dx+TYrRrZ4eCEAu/u27gPn42QcMx7EPPhiE2qWV1z5/4CORGcQzXWhDn8Hd/tarMUxLWwVPe/D7JS/dWddSJCfLRmxl7hBaPC2OtkSlN7QVPDSMmvJca6KOj5SknJWWqX4uGDmjruA4RPwQMa+/7UEbQuBltbIRliD8WClDlNoQO+vWGOD89d1AK5iEFwQ2sGtSfFzPOCYoSlvOvbSU4hrgumQFnB3Y1cRUJNrV/i4rkgY4fFZBxWcmAZZKqYCTFKFkNxP6CRKw/ng8uhYtxcahM61quRD3iqKcK3vB2RNOdMmBHxj0I3PmzHlPjq+NklLxNyMsV65mXJXOjayZnn20bW0PNyPMJ6HVh3SjikAcao68JzckaM4tec5vliRIQkBQXRLK4+xw1MRhXLRlbcC9Hy0VT7W6+2k81kO9naHT+gysac6qFKvx3kOd4RVM+ZRjKQwiJEecJykhWGDHryh7Y/NRepNKqXENBf48+NGuqicEE0N5VrwYcV5xayWlWWFHSlGMSx1fqWA4zQfCYVN/PC0tMzDLdlik0lvGEJyrJMuPQCAGvLtzUsl0Buf68riz7HoE7OetHXVKP1YE0x/EZCrKSd7XZo7uePVd4oMvbOf76DM9pnfB2c0FQqig8Gi4aLyMNAQbGoe16EvhJ0ZgV+C4CLjvYhi4TmTBlNpCISCsUJiYXKYGG1JuALw9kpovBJN9oNSOderkUVIAIcL2K273mKByoruAZ3gRUAlcxD1Wk9Cq05JTIycnJ0vnFydl7/ENpvjcgNm/ghSwwfx54P4YFK5S5wVo8IExmojyRjhqWYUiGsfGpZsmbk2fHRuzVXTTqEbTKTPqR+T2Xm7Z4ej9cnD4p6xj0WoLlmqVmVSbEIdXIRCAg3hb8sZ5AkVYyaqNBw2CtPWYEygCs16LuTpHVuqFp/HfeCva+KAPbmG8qneFA3/0MaQPHGDYVLdDHArqUHcliPhIAVy2Vr8vCxxL3IIAfGsKK06sFJJGO8ZvRqaf1rcPfjBTa5b3seYePdhns89C/yx1ymV0RZtVobkGVK6GRPjk7PMQL4l4uLs3OyQS5en0Ngukxlrpe+K4YKIz/ANZ4cIaPi2kdHW9XbVfeCysfIO5FRRlJTbWHwDLKXcB5EMFubSwc8DVtiOFYE8luqDd/OGwJqMCbXCu00Y3dUfHX1gH0d4CWWP6jbpNF/HdcJxiqfYbPcuXj99vDfL49Ozy/tIbi8eH2+7NqGLuC7+q5RtNdIqy7cnU8Y73XY3d77IPxq0WiHT6FpNkedDbtbiEyq1VVNMplWdV5GczZQKOzJXF2t6UlIU1PRyIq/aeSdoSTn4grWQwoZ9ilHhwuiYOKl6vqac7V0Qdzp2tJ8MWImkht+xUuWcQr1re2njU/aXitrsaH89actytXMjEgpc54uRiiboEyArlx/61pFAU72g25/DOgvWN0NLjYhOfPe5Zlj+Zc/oZy1LJ6q6hvh/WB5kCoEAQQcwZWg6ztBj1qXAWd6qeugyTC718LW5ib+/9IGokGDei6iPkQbRLFrrtuiw4TZVQPtgF7vctW7S0vuWVPU59B3E3ZK0nn9zR1q0oF7zm6y7wBItfNFgKnF/iailv+pFMJtzzSI6qj0EMVmVIHhUDNQUPQoeh73f8LRtYj8dJrLG/AoqazWmX6SilwcnrlRsaOvDmAibCnj13UAChfccJqT83+cQqFuZp7pNfejG9QOWMOCbgmkxSB0tWdyDDJfdPDxQ80FPF6MokJTNzjY0JwmRGhqKswvc91HDFMFWQnjrVj+AbdaNKyHQrQA1wnQl/vZ6YmOeTPfkKa+LLzhDVv8UJfypltTxOtwVpbzxgSoQcMq3IhRFiyoof+sBBIFuGbQLube7husRq2QpjPkFFiw3cZ1OJxtpfoQh9/wS2h6f9DAQ7OMaFZQYXiKjpKPxrWvZh/TORUzNmowda5DB2sjyTW3y/W90LF5oYBkX9qwGnnLngpzTK3q7McUvoc2XiRo2nNOOW14nhOGhibMkHUt10UWmxkBYVMedeigZalkqTg1LF88RL1Gu+dQghO2CIWrz21M3ffcriEwmGLCZ5WsdL5AaoZ3ApcHj6IO2THQkJQKcnI2IpRksrAbAMbQSvCPREtLJwkh/6gxS/MbutBoWm5e2fTGw+Tpfpy4L8aIsqaMJqwUVTtRs8pn2YPRNuHl2IIyThCs8YhkrGRgnybSyQyk7vwPVlmuW8EsVCdL96e9LZ7FJf3iOITm0ICqLq9MKyOFLGSlfctDwHv9dQDQd13DgZ4dnJ+uddJs7b3NaDqvbU2ISgyGZD039O7Wi1ftNTeaXX7T6VzLR9D09rdsoOJnKWc5I69fHzbw0ROYskwwZPxas8ILhKBAaihU7474vSMJZNHdrdprNv9Cwr4Hsk/ybyM0OH7TLD1jMkm5WQxVZOSQm0X/7ryRwijW6o8E4EhhuGBisMInp42CJ26yDnynUpk5OYBgCtoDZCWMWlxyLXtSlh8HdTgFOTl/C/nFHQgPD24Fa6jddCD1bughFTTrYsr357sHnBmTl6Cc9837WooZN1WG93VODXzoxtz+N1nJpVjZJ+svnycvtnb2nm+OyEpOzco+2dlNdjd3X23tkf9Z7QA5oBFn9b1mat3fxy0DJw3tC0eEoskBpTA5JTNFRZVTFZc2MnO2IClUdrBiZ6PQgrs3TdNoxF0b55QJdC1AtHwuMVJowlSdFO9F2/qGQvByUs4Xmts/0LA4Iqk/1nEc1qk0Fk/2QZTAsWt0ZWQBF+SMydCssWPdmEhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzS6oPedmR2YOh3Yq7WHvrQMst1X68pCx32rY7f5OTsesd+cXJ2/aIWPlvyVkHTAXDz5uDwNqhJwzJrks9w8K5eWDXTKV6QchErChPoX3l6cBH0b1fxgTvJrD6zkpSKX1PDyNGb39cimbd5VkCbyyXNyITmVKRwWiMHoVREycoe4haS7TpLuVRqw4NSCGIE2PG/YRSgBvsAqa7Th4uZT5PhWrkunW34zDwbh/bbSBwDFpli2WWf9PiIfd4gmHA2Z9pEk3oc4dwjWEhZsiyAXE280Bm2POoRO4oCcWE4p3FOpSIrUymTGUjwSSqLFcI1WYk+t6sIohfVBRdlDGu7QKUHlnJtNSrXdwd03JxfuTQe9BDqajrlH8OI8Aw0ktzf2MBH8AmrSa0l5ALDe4xE88BHXgRz9GSBXU4XxNCreldRJ86pNsTcSJLTCcs1qt9CGkgFwFpGdu0Xr490iNxdSWVSXa10b8waGQ2SMLK8hO3/AhTBplMGJezsrE5ycXv4jF28PloboUvkSsgb4W1hDbCIQ/3ImxsBRSWtyd6NhykwHeJpzxuGtXisMQTU832TDZDMbRRTb8RytAPfN8im0kwlw1JMrHfVOS8hcily4RA5vY1jUEFeHx2c2avgAFd8FIaKSWW1uzpWUJ4PtDgr5BOYwEsm3fCvZFrl+SNn/n4184td8KomdkkwHagRd/jV8wlThhxzoQ1rNd8H3IA19asRIDrUBqdAXORgzsTbyxE6h6HzJ4LdccMHsvUQKsI5oFIc7wRO1gViwNBXX7gR+A6EmRoZde2LIw8wFhgZlCBUSLEo+J9RcBqiMHx8j6WM+ZSMYRXQrU+5D3Z149BkMJViinvVjnYQUIO7dtcQX9mxj6juzex+FFIKmhbM2YXi8dTgr8bSzkM/coKFqLnoLjriaRR4Wssz7MuXRK5h/9XdTSj92x1Ho4l/w2BJ0FHq+KeMGuqAu6GapDLPWWqijuuNVpWhTeWUiwxpLVB+LmfakXyooennhrQU9LU/wA/GyjkrmKL5gGVYj/0cMevz8W0e/Gd8CjYMLOi+1qlCngHxgC6KLkvtS4UqBkn+Guuwjt2AcLIzybQVx7oS1h7dme5ubk4byBjkqPZUoQ3xD0JghABCjIFMNTVBa9CiVFxH/ExOMdlEyIw5c2FjybWHLmSqA8GAXJqxbnn3kLPaKSEbA+MyYwt6xTThpu7nH3PmWtK2dGoJ0jdYhYMhWIdqmykb9sBY3YKnVU4VwBuGZAU3vmRyO4LsVBrnNuaYWyKY62DAWP2CxnPZAAPiwmUD7XW8ZuSgxshvvKGpIWP7nrsu7O0BHy32QX6iPQWvs+cv2S6bTNkmZS/SnVcvt7MJezXd3Hq5Q7dePH85mext77ycvmhZjgaxXTYELU9s6NePuBNgqxWmJ3pehDKr7mTCPQyJOY5eaJ7LG9z+jGuj+KSKI8fdGC4FQFWQFBFMmFDot3n1o0HCR1toQyFBFyxd9QkRwcgegX+C36ZUwwqOrdLGU5cR0zhFXgpod8ZP80qbTrt7K3v+yKjRfYOg5uguOKifXIYqAuFRu5HjWl7BLK6pPRiA7rj6dJeuWLyOdXfcmkQkMzaoA8VTEw0kAVO2+ExECeZGIi8KpGRH8C97ruilYfsbHNMooDSusAFpteDEx7SjUbQJfumBLdb+j4mvmR0GdddJgMynmPnRlqOlFkuOQOhSVAsA+yzueRRd2CRUR4OJBcFO71O1GidZMi1WV2upa06vmfempqw0uLgwG0IMKPbClQPS5StFDWeipA8JJ5qLWcX1POxafSjhSNv7glRl46p395zUFlQSS9GuzoLDi2DaW6wDS6iHb3GhJtXUDMZTzxpZR64QcOwWVVCBIWma9YgJfr71TfdPqzm0jlI6H9WTi3nCOH5rrU3pfqCcexB5fcTzg+8JeDGiGggLBh23R55tyAnhho4Ec7+SaJJjv0EnUxxEqjAGVawFXfuE3sJ6b7zkNG5w1fE9XLexHb3xtI+zI39vFsbzGxKC8hq6RXdXah5sJMmlvCLUXkmYiccMNkNp6RZRLb7A3bvYeJ5sJzuxngWxew01q/7mDi0Ln7o/ktMHB2JPA3AObTRFwuZIUcjmPcGasfvMRWx+kyGFLjjyKaTwKaTwKaTwGwkpxDPpK0zVjOQrxhUiSE9xhU9xhY8D0lNc4fI4e4orfIor/K7iCuGy+O7iCh3UZMi4Qne13xNPR3MXhFafWhlC7Xpj6qJUNmIUBWVLzL75GMNb0ZF8Jj6+wRjD5YW6Lxho2EPzXz3QMBY1nwINnwINnwINnwINnwINnwIN2wT3FGj4FGj4FGj4FGj4LbO0zw40hJ4pCIxzgF3U39zhAHP9HiwN5lRrPl34yCVs8g5lNmmaSqwsA/WrcC5i6EcpZOFNRv7itzC/4UYxcnBx8X8O/51MFS0YFOXtDT6E+hpSwTqbgLjZQTWiobYqV6GKJ+h+bsyTo/MROf35p99GUPVyzQc0hA7iHlz0lOAaEgNdxZO/ARS+erMbMS5WavUPJ+yFslRufxw2UA9d4UVJU7Oy1pyFpXMg6uRvXv2q1x5qRvv5XA1bLkCXAXGNpnMoBBUqQYINzYDb1dM5TDWCHUpTWZQ51xhlNJM09+BFVUSFPfpWt0Yf68raA/yOYUu/AI92+A1TBu/+tFJQQSgUz0SbrSefhhiL+wy/h80IMZHMqs4Q5we7RX4KU7mxeMOuTLzMHnqLQcAVlM0Ss1CClTAr4GMTCkO4mFn9FRvOS0UUM0rqEiXnPAKWzma4PF91p3Xy35xcvDt2R6upfCEpD3bDW3rmqF4jMhvU6HH3D1c821dbijlBWOQbahT/SC5wnGbx01HctSghz9jHJNS5o8bQ9Cop7JhQ5w4h0RsXB5ubO5sbYYK1NtbwgT58fSFJI8S1LI+7Gl0xN/3yuEOW1oe7oYtBXsDp9PUgK5V/pxh80Ai1vOEvjS9xpANTbOIV97n/VIf1PjpePTB642Jr59Wru861/f0WtP1FtN1GEPR3uk23ix237N3X4SxLY7chWwzEXJbH7oPGCLh2ZfK8tuBqxD6kMxz9/9n79ua2cWTf//dToJw/Jt4r0ZJs+ZFbuVuOZG98Nw/fyNk5dbamZIiEJIwpggFAK566H/4UGg+CD0mUbSWZ1Li2ZiOJxKO70ehuNH4NqNk+rGPBsJ+yMBPW8c8xaC3gI6JSkHgKNhmFSkoAShk/IHzPKODvtyOSyrkD6MwNNj2Er0G/c2aNdcKlNtR05dctatOFNJ3vrBLDSFfxokkERqRBW9VdajGLMu6+Nim4HkkrCu/daHwxGL69GH8anY9/vbp5Oz6/GI27vdPx4M1gPHp73usf/22DhnEz1wgWHu12RIXri/dtW4NOSJxEbRyzhBS4xiC53iHdm7FBqNyJPvhAOqtykWlczzb5GsaZoPegIG+rUxqHc0yTWyRoEpqIt1+iCOljAn0HzEFGxlRU83TeX10FQeNCIqtGsiMSn9sCPj6tvc4r2fEF6ueuzRyyMVfz4lE8yBOeLRewNOcfxctjU8qFLIiFvQkzdwllNRUdCpxpP45RcyzmwSLq74g/g4KCSmaEp1ztiDkE8/thH0UU3EQ2RcOLT46NxQxvuJDXYOVc6lsVggpJktCcJmnQXYg76gJPLW8vc4dSOVN0ZDCvpJilKeFwCwXoVV4incuT48HJZW/Q77+5HJ4MTy9O35xeHr25fHPZGZxdDB7DEzHH3e/GlNHb8+6fnitnF4dnh8Ozw+7h6enp6bB3eto7Ph70hmfdfq97NOwOu4PBxZve+SO5k+8434U/vf5xPYccDb07BU/nUN6q5tTzrJvj05PL4+Pj807/6OKye3LeOb3oXfa6x72L8zdHgzeDzrB33L/oDk9OT/pvLk6O3lweDk66vcH5WW94ftm4NIWZIxUi25nJM8zvaNnik8rezya/k9AdresR2E9gydXuRwZausKlMgEHH16/fxjqI7BPjEk0OG+hj59fXyVTjoXkWQix1RuCFy00HLxePNjEkeHgtc1jaE7A3/HhrvZxcygEV4vz9Hzdr7l3qozqOVvqHM2UcCVsSshGo3cHuaGN0BwnkZjju+qZaHRE+pPuaXQ86ffDk27vpHd6dtjrdcOz4wnuHW0rTwmTYzyVjURqVS39IZbk4IYuiG8sQ8leg2desAoEShjkMxGzWCO1lP21WVP//5dep9dtd9T/bjqdV/C/oNPp/HfjmrPefCdw9fMbTtjYRo0n2z076TzHZDWi2zMnD5TK1QmGQhzHSl0maPThymhVSeK4AJevz0bmTMjE1PerVgYx1KMCYV3jyhxcGa8qQL8qGntaWz1ZKNxSKn48I4rsKTWXhPycPHNNqEL85XIZmBt7Qci2JbhWld9TPVcUcq6IHVk2KuTFg63Q+fHz62Ghns5z6WGRpfrwZqxd6l1dhXPelemm3nYo+PL6mzmJY7bSb1nhzff6x+N/Dt4rb/7w9Kjm6YvBsMHzvwRB0HyxZ7xciHrXQRDVY16GBY4q4fa7pnFL60JTG7EusUeQMO31j3njyjNESDyJQfAbzHTCWExwUjehN/onNI1xYVp0aoNdKCEzJqmW9iWGvLiQCDHNYoQT7047x4mA+lYmppYgkoT8ASrzySxJSNzYkU3IVzm24bVvykoX09OldfS4SRSga6IZa4oJe0mScL/w/MN5XmH9pY1jKuVJcaJLWWEh6CxRmkMcyFi0YSbKmldzaOt2V/4QfJ3LRfwCx2nStmNs00jsl/wrU2s/N99jtoSTZVGVOjXKg42lgfw8aZEtdipwVJQCsSBwpl9In8hjXYmOdKl3S1LaWMwM6uwPGTU0Y9s2alid0veKGq4aya73tR1EDX1ePIoHP3TU0Az3p4kaWm79maOGPk9+jqjh9+TKc0cNS9z5SaKGDTnkO+t/uqihmeNOo4ajreKDlbhgvlV4mPjfIT5ouv8dH+7MFa0PEJoqn88VIDw8Ozo66uLJcf+kf0R6vc7JpEu6k6P+yeTw+KgbbUmP5wgQ3tCFcuAWaSVeZoJDP0KA0JvvkwOE2074mwcIzWR3G68aNY5MlVRyjQpQnqVd2UHIFjtRAbutb/shA5yQwj1Fu1OlmAuLP6a+Z5zOaIJj49/WSEDQa8xs08muAwwfANiT/kEi7YTD7ufiCxCu9Ke5aYpyUzV/lw/FcWgvP9qcKO+r1XlRwxxk1DZSj1kLaUx/EKuPsXZpOMtmc5bZ1YPRgoacOYRlHs6pJFoycRwrx0a5wPeULHPPKk/4N4vAGzjyrk4gTr5kRHms7VxIbPXeJZnY3637NOUskW2SRCVsvLaazpeMcLXxQPl8M48cs2GCwzv/zS3ysdTod5j0uhocWXec36c619/o4Yp8buaCjL6RmxceNr7yhKhdB0k2I8r6A8vQNZnf5NP3uizB1UYca+Z5wJOS8LaJ6hCPkpUrtUeT6Vlvetg/OZkcHkX4GB+G5Kx3FnVIhxydHB6XyetKJX8fIrvuS6S239v72PbSv8OpgTsZC4JFxg1sA1zwccDOIvOOgpQF7egL2YpmX6iQr9OZdo5PMO5M8FmnNznxtELGY18jfP70boM2+Pzpnc1/tNCi5owCgtywTokkpsw9LLzPn96JFqRBmietxlI0mHACl7JRxJaJEgmGRDgnC9JyyAcplnPzPkM2jtdkoe32xqsxtu0tNh638rvhxeOxvSLOrWALYpBmMdBzgR90sq4JkF9dq9keKBIquurrtPFDCySCZdKhCrpW9Q3+K3Pqp9rWV/g9TBqNxDljFnnj1hztGRDBitDUnPC5YwYbid4VaW/mJsnW3ucUJgymlJPtvMYMMKvBkSXjcQlFtdQEFRqjUxDAOafSRDxbiosJk0oV8gfIn57Deiu+X2o8JhguEaaEUxahRSYkNDJRui6Ms4hENTAL2keGhycE7aXJbC+Pc6jX9wL1XZVDqdkBvUtrs0UODvPsXLlmXHpgqYoo4PJocXpx68m/ZOleiTi3L26101KEoLCDLt2+nWbxMxpg3+1uw9VU3+JXKhAuQ9KFWtLmQiQUds8EyRfsgxcrATDQ3MehCbpV8qzau4WzQ4i9wII3AOcCcaK8IzD1lZPMre9gDZ4ibqmPelOTbl/UAK+Ojg4PNDrvP768LqD1vpAsLXDPLsifgIO/fE4WLAKk+FzPgOgLJAhJCpStIn55ZRQShz66YAmVTJnzWgOwCezckdsMJkSpGiM4LY1HjoUvChgOWwGnWbehXoUbBJIk6PcMoIRyxxF0l9pHyxgtTnLcLV33mmsWg6W/xMINtFXY52uLgTxKiFRrK34uyFeKhfCk5tnP5UzzJa8iKI1B7gpC4RrLealvT7caAu2VhrMDpDIfIasyjqOjw4rmODo6LAxKuVAPuzQSoAMjxA5zEcarfzHn3nVz8O3ovZKwVfauf8DeBed5kR+A8HsBDH5t0DmrJWHqXVih3kU1Hbvzxm7L1HCdqwX9TTLpnmp5nenJajPFtaiBlBJEFqnMxwND10/emrdLAPKFig9oQuSSkGIKg1wybauWNujvjY6mVPBf0Gg/DjSadtp2JQQjaH21ToTdZq+07+pbkLevau1OPd4V+1YxnvAX6Bv6C/TtUaBvO0wp/myar7FR/BEUgjv284aqfBC4K1eMKGAouaoR8Kg2b+HmLLnHzr8wcYZiFQlzyVbJB5TQgfJ0AITtA+KqbygRZke1SFJowQCtBusQMY2sm2wDUThBGPJ9jMENu7Xw4sOLLSBgflq8vu8J1fcXSl8tSt/PDtD3J8Dm+96wfH8h8m1E5PvuYHx/4fBpo2KMZzaM6JkWKP+2gYGh27BmRl6Hli2IAcRDE86W3hmij673YAJdYs6WSCmvBI537akylC8L2UIZh85XN6fqmRuq9ZO3sAmIK0T5DbSE6a3MEno9twWaVgvmTgaUk64yqBGeYk4Lg/rhg8AlPeDJx7ggH+W5vmd/0DjGB/2gg15qbvxvNLj+bDiDPo5QtzfuaufmPQ7VF/+1j87TNCa/ksm/qDw47vSDbtDtu+G9/Nfbm/fvWvqdf5Lwju0jU5zuoNsLOug9m9CYHHT7F92jU0Pug+POkbmn4Ygugile0HhXUbePI6TbRy+tT8RJNMeyhSIyoThpoSknZCKiFlrSJGJLsV+9nAtPVsb9cxz5fEwJxx5QorUNwRux+bku9ZZDmZQVZZ206Lxnv+N7UqbWHeEJ2ZUZX5mD7s0NW6ce4OWqFXIUHAWddrfba89IQjgNy6P/SVyAFby2x/Qep1cx97/KlLHW6bfirO3PrOeQJJKJFsomWSKzdWsY8yWtrOHdpgZWBt9UHrudoFvWlLsdaqmw6JqdU2l3z766j41mNJbVv9+df2hiU6nnisU5dYTfFZ4/7fSC7hck8eyl2PfrfNooChY6/IUFoskMckaUaU70P6F9LAQL9W06Xc45sUeC4C+AQ6Fm7SCGvbqnujNTCdmhf5nnPuiT0UDNvm4WnISMR6o5msxiM1uJZwA1C0eoGSQiwOVByzyvnPSXNk3aXxBJQpyKTI9StIy7UzcyVDjtdKW4TNM+MC52x7qCJIJxg0T834TctdCvlBMxx/xuH84sAQrX4PHaysocT6c0rFCCJgnhK7mqm0D6ITO5nMECvbShNNOq+a04//0Vk1w/vQIo9bazXDO9AiYBJOXYcyrliUYRNZJlx1OQFSiDFOl0aUMOiWcz0AWmyY8Te8vDE24rvYEv5eYub4382cdNk062fXcW8tfdqjCplNYJjqgIOQGnu7zCTJswAq+9VXzxyjeZ2k0t7dH5VZ62cG12FpyBCV0NtaVogKhNHrujflVf/23DRvwNPJ+PqQZs1DMAl3mbObBMChqR9RNxWj+LE8LxhMa2RKFV/5UfVu8DahsoNNQgiI9rukaViL69uH/vNrBGuJMGSH5H/CmUUzcGgdLnfkY5TERW6ILhdMdhj1vAfpN6Y02itlvfL6d+DHQI7ovqa/R5dLGv/gFmLo7hQddo/gKWeAI7EUeXZt3uF87ecmyALxmOH8QswzwK9L+DkC0OvizJZE7i9GDKxpBBFh/cJWwZk2hGVNMHhQmOLS4rEcFcLv7z/6AhN7AiMfJnf9uvzQ6yqYn2eKV6+vXLf/bsvPZ+2wJ+pwZ8fhdAuMWO3KWSAhVEyHhuWRaYkzvpflITXEYCBIfwXoiDCmjt4N+jUVNKeCP+Yb2iClVL9VerJIXFZ/Ys4bZwHMNu6PdW9/aK5RHeEw//F3TYwRR/ATGPX4T3ZAyniWNvcGIccoIlif4zgEIZrltft1Ki9+KLrykTSnMM/n3hz/C3Cn+vErTA4ccR0tfgUC/o9oLjlp/GUySHSRT8dD3Y4hY+SbIFOD07XSBWi3onKB5sDRVrWFNdHHUsqlkdF01JsGN0eD1joxpeXg33beKEqSif5lnP9Zsl0gfYAbryz5xNDfpyB6ZRez5VpWt592gq+ss5lmMqxmoJ0GjfyHpZxl3rFVm/Gv5Ww6N2r9M9a3c6nc4WcDC7RTY/R5zYGqKrFEzBfjbaRt8gWVBJZ9r9cbSwzHDSH5X4UiZMPUfCGW1PaKK+hXBeOKP/UP947eh43O1uQUYleOOdCr/xIhlHIsRJvahWJq9m0u10T4NthEK1nxAe3JMkYru6YX9TLNdd2eBhCEgPoYo7ThI8iTeY6/6EGCeBsrwaTGYaM1xbjP2XkWpGp8NwnMzM0Vcn6CiLu9sJOjqYCP+02FNzghZMSCTIPeF+rvkbZWIK0yJT3qey2IQgQizgrA20dhozKi1RFkRyGgr0UkPro3s4ys+vn+g0769QqDzl9J7GZEbMZS5zSiwJ17fa9lumkkreqn/mq9pw7arXZhyahTJcOmsCxrRvrnqFLCUrjIAa88ua6iC67chg8e1XLNV+0N+OxSS5p5wBPlejo6xvxOsLf1ibmI6TB+QuMYCUGA610GM4BAeylBPALPsBWCTJImX8R+LOjRnRJsbA2c8Cy0wTWpE0MpB6MItWYb+2vAqfb100pPBuY+XgyH/ANtpS0NrOdX754d/D/XyzV64xlVjSex8Z5Z5wkE+c3NFkBiHqvXdsuddCe+9JRLPFnpbmvbd0Nt8DFig3Dd33FFOd+nQtgiSIcgBSQzC4viR0lbd1GHRMZu4DxBAjMqVJ8SKXaiF/uMAjT4rgCSoQWyaAGxuhBU7wTMeeLq8+jW6Cj3zWQldJGKCX8IVSnujzqK1BUhIGqIBT6rlafIYTV65lOWdKGVBhL0NKhuYkTkHvQ0RdkBCEU1m2oCeU9ZWyxC8RQ/BCIBxyJrThvGQ8jlaIaHIfBQkVMpixe4hZtI0qAnGtKgN9ONJMVA1LdmhdOK7XWhiQ1KqoB4rCboK2/AvPUyGQ2ksZp9IwAnEyw7r+pKcCHkfBihGvugld17VUbCuCvEITXU4TJ+Gccf2xHVqX2cQj3+hnCpT5P9D2wN55MeUoJ1DU0Bxd2KxIWEpxbG7LKWZAEK4ueqhPyywScoF9OKbuNlyK5dw+7D1YM0D1NyQpJyEU12nDzcv8RYgdwidaPDhTanuW5zDb8U2g8CVdkD9sNs7q4enAaenhBZ1px/4VkjwjxdY1RQrNMh+ERn8Y14nziqk7/oDdBnvJLOPAFN1Z3fwakF5xyH9u7bSg0cfydG3LirgCADsCmgiJcwd0I40Aoly/i+y7iEZ2WYQxy6J8BQzUR7sRcbXMcYQlrl8U782v2poIC6+Cx5ofJOAoGsMDY9ukejIkQmhvxa6RwqzhhSDlTElDnmCbXxHXv7S/rpcNP8nLvKJW6j/huoeesXaYajqnCzwjNV3jBW3jSRh1e4e1+jTv/Uq1gK6GzhHXdLKsMHL5Ap0rEYGHWBz5K8QOSBEucCQBIm+QsdqH18qZ14cdYO6kr+/GTcg9v3VPDZZNqa+m68frbYHDOU0IKJdGnZkXAu+Fpn35fsW4gSZd/1bTXo2MN2VcZX017YeTWW42r++j8Ght+1YfRSy8A1k1CmloP9csL/0bEhLDIXQca6Qd0Eb6N7WuxZxxOdZbQm5ZWTtA99d2ymjFfu2GhWqOB4uvFJSI3pb8Wuv1xPIIVv9KLdFWdKU0zva9gabzFtSWvZbebNbp47szlz3RC3TzcfjxFXrLlsquWWCAORbkH5WxFCwMtN7KQKv1OXI6XQ8hsJKrNv5cbt/qTzWNXCVT5kur2RbU68jqGk9A1fe14mn2jYvByM+hoTZrJCChCB4WBn/+hTkExqYiunKe8jdLlzWYA5lZLemrWVO4UVEPjr6JvNOcInDUlLO92i8TwSSjcbXLKkfd7r3XPR12O2d7zYbzcYSgBz/wXj+QkEWkdh2sG4uQnMhw3nwwthd9JSt5cBJ4l00IT4iEkxAjh//yv6tpN//dGXtFyy1vFPlSuF6r5i9t1KyFQa+XuTLFUxbVq52tFrNHgZTpkipV5qqushod/tierlmEPl8Nqx2p/4oUh883qbzFamcsqqj8J3Zm872rnRl1+fcnK2bv5/ECpylNZubZvb83XEXeiM1GssBpdchwb0ufp/1w4/bGVj94TqD0iiDyeVmct7uC0RFJY/awKPm3T+84b3dFx8oQJNMsfvYpew2v6HqDHfTYjl2zG7utN/qe3q9u12wwRpfnu8u1+6KmXfNjvq84p7ZuH8jbRlttAuRrU7PT9BCQryTMpHceimpMTzPj31nM7ihu40yyiAo46sin/3/1r2hofnlA/nPI87w3Rk9qmvJ3YTMO1+SquKJ5LtDhpeLJxhbhNJvgbxI62NQNwEvzr++TrgtGr+juAodzc2tRAxG69BJTMs4gbhAKqHAuU9gU7BISc5mlNsajG9KQNwud2eICgtIALeMFkWpi3Jx2Ad+IBJNcAzPAF+pjy6RPwNAgRo5jgBwROmx+dd2yoSUQdxq14B4yHH8VhgTBcimAMvUkNNm2KWdRFsrtCQn5gG7tmmaUmejmtq7bR4tLodtfhLu58tLreX9D117qxJY963ctqfPpe7IgEM+SRJe+qh+HhYrduvfPn94ZsH7lqkB3RlphJOuIHma8eQ2pvNdfHTiind8SCyfixqXEmZyTRLqsUA1k56K+pYOPPZNQNSeYSzjbMCh+eyXdtULtmKdXKu+VUXvo1bxdjNSv1vheIG4Vv9b0aflmO9WLsdYOf7ZOCtwpxzxqEllL8/WzSf3h1PxgUMr5K40PVGMyPNWJKUwL4EF+ZxNzBQLSKicPuRgF33GiUVbILEW1glmZ7A2TOPYwLJEkQta1tW4imaidhgdPWNv30G5QNLE48iFLIlFj6fp4ZGiD3ZPxOKi8ULZ3VgypyPtzg7ac8dhCjBWOcW9lmN620K2Mhfq/uZTqo9r24N/itmahedGmJhMp4XY9ciJvbQlaNnWwCtoQMJxXVsBAq3FIIEhmEG2xz9Iig91LSvivrmtmSdPKHOlKGSxFw67XjvLKH1VxJPYoslVoD/CMaXpbh0HNiWDxPYkQTR20tju3yjgHC415aBVF56sg9yaPKqrw5TEBV339jXHFBKu5Q8AShuooGhiNOEpIBlc6criiquc0J+HduKwKHjG0cyTZHUmsyaqh6qlSdjghLBPxA6LJPbsjkcXrmerOhb6Lmt/kBCDcHCbs6lpHdOFhu6vbK6LDDyOTmF2dGhwWp7iq+BSZxpD101DV0wUx+WJg3aQ6h8NcEQOrG2xnaSpRCA39PDdj1oVT1VPKiCZJ5D0MX1uTLSFfJeiTKItJpF8O/mZtFZEtFhjuWVlj5b0RAPNLQxslbwdttlH2rovQ0oCpp/M6yIJCjS/jfGAzXo3m5mRTc9jDfItSRhODvW5y8DXXqZyj2wWLQO3Ft8HeBvOnRmAhnZHw5ht47te5gel8c6hzS/w6avkJ2LIqUc/X8RTTmESO6UYReUxXKhvFjN1laUOG5200YHg+VK+jwvHIao78sFvYc+9D+ZaQJeWyzyu2BS6rpFlrgDkjyO4f+oYysNKUj4CAid3cgu9lk1n1xMI70fcEdfRx8K9RXznfXxurJttGPY1WMMXvSKMTkKhEglUSuzVXSiv53QjF+IFwxEESJKep3naacsNgEdSypDyQDYNBbqfyBMbVCtfBH4t7cE+xJZt6yKigSnOuCl+e2uc1IlmB9EHp9bppo3WCiNYJY2XyqwXSSqQummXFUfHK1CSHzGvFtoZimVffaiyTnmQUBHKTCvUrJidMjsGqK9bgQwU7piCoNu3xFToJTl1ObZV0eX4kTdAU3+uokXJXbBzqa79z5pX/uw3QBeYxhSJESsawNBFJE2oyMvGLKJZdVnZboWzfppn61RU3zWkFER45Uej5NkDvsHzGWX53BeNqY+5MxUxpovSLGqrrzNMcMSc4evA0iEH2qDTsA8YUf/lemqTcTwEWZDURSyIowaJDX8sFH72c0nUTtZ2r9xvzsJ5i7jg3hkR1Se91rmGVfKv8P/23MpV+BQ3eUV2e2FTY9PvXp/Lo5ej8w36gM1QhXxzdY/6gfPe6Ou35H87knEGuPlyd8agLl50nmTQhXgCd1Ogsuf1GRAscyHoaIPRSNbqkcRRiHglzZa2Ae1xch/ovx0v4u1cT5ZcaEq2EHyszrFCyuMylOv5vXjOaLONSELbY8ir+N5KAFTJg7g2Axf5y8AEwqtT0lMHu889xtkpgj8RDOqMDwiWUwkZv6WyOzoXIOCR3jzQ4z+C8dmwbiY/WxmrL9KwJzRaJueaBSgx3VScRFZImswxKZH473g39bg3rhk9l3eD151ELfXztWHiVhFDIdrlcBhGdUdWkrm47+PB6HaNrqfpE5ueZQbJik/hkjur0UvXeQdGQ2FzguWxOVKjX6/Q67c5Ju3uMOoevuv1Xh2f/C0ofP0XNVMo972C25erODWbaPWt3TmGm3VdHnVe9/tNnqqtMjO/IwxjHMyWs88WON8Fz24+DG9NwQrJQGuOO1KwaR4tPo6o4P27WYcbvV3H5uWZ8o4Pl98Sdh0GliDhWD4Tmp3zeyHFClwSuU10if8hdqFxDr4QKmfZ73WciGvmasoTU+MlrbM0CRS5MA3llJsKhDExRAPKKyNtM9rjfPzx5ppkK+scq6dg8S7hDSf/I7xrlLIb8S2VnT6hcZzr1OkenT5mKIJzieKyjrDsWc4Mtr7u0gV2w2JzM1++OcGQImlBIkoQPrTqJnxpoHii4AyKRznGiq6e3EJVeKUmdlC1NTWEGtm/MEn05NUtTXYW8ppNwjjkOJeHrWNLvX755czY4GV68ueycnXbOht3eYHD+JIUk6CzBMlPU/kZa+KpYPcJnjBuMr4g+EWWwEgDCoLWupHZgdCQYbtOhdziZoQF/SCVDMZ1w5cm8HBHiEGVmVM6zCSC+zViMk9nBjB1MYjY5mLFu0D06EDw8gEgVO1BuH/wnmLEX7w4PT9rvDvuH+2sYpSyk/nH7iXuF8dV+Np9DOKfDTHCtjcp7gZhjTqJgFrMJjoMpFjJ+CBJSZ8r/5VM8j09R1pg2bKBWbiOnYnTzeoBjOmU8obiF3r0e4QRdKl+BipApp+MS+KhBFcC/eHZOlwCov81W5OFRQ7hJ7whrdMVhMxXhrnZJmfpHkTc311smyJkW0FYHkaqb7cLoeRYjanAQ6dUkQI89hhyZo8eMx87cNaSpiQqX0TVW6dV1AcEJix6eGBD0w8Ri/oh1vyFWrP7eYuHK3EKanJ08TMBlFzmnCHJD7DNCpwVolIYQQ332eTnollNVV7yqP+Csn8SGCdgdxDWNpiyO2VKPFXOw3gEBwyFeJjJA77CQiAJUrUmboPoKny22rGwPcJErPSqi2IbUG2LOlkn9fOcER8pm+3vtfCu3chBgGOJJTFaorE2Bf8jUSFiiGaE7t5zN863MatX8e/YDEWj9aSciNlGq8dopDOf/V+jijg9MYV0T4pg8SPCADD2guJFJTFhyKiWBmliV1vLVAY+aZHqtT8zIGQ+8TksHLZUGKwcvdcj8+Z8uqUqneWe2rqpqXg0JJJRxjd6OUcoJFCKV9S67+jM+UcSIbkmpgYdSCXIJ+aZw6pYUE29KbGIwEHgHFMiWim5np851nVlRG2+lq5vKG/OZVMwSwRpJqpATWLPp6D9Nxr8kAe1QEtSSJ2OjBh4lCWvlQJisQn1ObYr2+5qnRmNUNcWqo9of8Gh2hQGgJXysN6fnIXPxvNvqeJ/gLofT/1IRv0a5621ArU1vl4A8rsK+abS/4kfOuerC3XjI/mfhnLWcHpmcVslJ4ERySu5J5K5CmRxWGAoyYwnqBwMK6Nm1tT88e0XOCgqSHCdCA6wGaKTkSVu+VX8REowplNe8GVwXatlISRapDNBFEhm7GU6ucv1ddfaoyTIubBA/8l7wo0ixcYhpuPAd4qvB++uGjrB5E23jCF9d69TzZj6wUTaiYm5vlaz8wcSzp0hNDl2Ec/bJNAz67jlSXV3L6JOnID+RVMlD0cpvaOM/d5KrzSgMfW6r9bdVGmG4NcdVF1aVPyadMGV8m4zs0uNPCoQA6LhFF39uN9CR/kdJvK1V837ybUlZb+G25flKP4ry24FbvYaiuZujPglJ0px65KsOI5fI+6MQ6n8CAAD//+Z4xbw=" + return "eJzs/XtTHDmWMIz/359CPzbih5ktkipuxrzvRDw00N3E2pgxeHqnxxugylRVaciUsiUluPqJ/e5v6BxJqbwAhU3Zbg+zz+OmqjKlo6Ojc9O5/Af59eDd6cnpz/8/ciSJkIawjBtiZlyTCc8ZybhiqcnnA8INuaWaTJlgihqWkfGcmBkjx4fnpFTyXyw1gx/+g4ypZhmRAr6/YUpzKcgo2U2GyQ//Qc5yRjUjN1xzQ2bGlHp/Y2PKzawaJ6ksNlhOteHpBks1MZLoajpl2pB0RsWUwVd22AlneaaTH35YJ9dsvk9Yqn8gxHCTs337wA+EZEynipeGSwFfkZ/cO8S9vf8DIetE0ILtk9X/Y3jBtKFFufoDIYTk7Ibl+ySVisFnxX6vuGLZPjGqwq/MvGT7JKMGPzbmWz2ihm3YMcntjAlAE7thwhCp+JQLi77kB3iPkAuLa67hoSy8xz4aRVOL5omSRT3CwE7MU5rnc6JYqZhmwnAxhYnciPV0vRumZaVSFuY/mUQv4G9kRjUR0kObk4CeAZLGDc0rBkAHYEpZVrmdxg3rJptwpQ283wJLsZTxmxqqkpcs56KG653DOe4XmUhFaJ7jCDrBfWIfaVHaTV/dHI5214c765tbF8O9/eHO/tZ2srez9dtqtM05HbNc924w7qYcWyqGL/DPS/z+ms1vpcp6Nvqw0kYW9oENxElJudJhDYdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9BnuMeaEIVI9pIiyiqPaQBgGOPoKtMptdMXREqMnJ1vaevHDo6mPy/K7Qsc54CdCv7ZGUi5fqYqpUBWWHixn5TKplVKfz+vzGCC6Y1nbJ7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWe39kxwQSg8bb9gKmDFTqeNqlJTWbzlcqrJLTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxrhjN6DhnRFdFQdWcyOjExcewqHLDyzysXRP2kWt75GdsXk9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6f3nYCY0vlUSMUu6VjesH0yGm5ud3fuNdfGrse9pwOpGzoljKYzv8omjf0zJiGkq82V/4lJiU6ZQEpxbP0gfDFVsir3yWYPHV3MGL4ZdskdI8dcKaFju8nIBifm1p4ey0CNFXATtxVUzC3OqT2FeW7P3YBkzOAfUhE51kzd2O1BcpWWzGbS7pRUxNBrpknBqK4UK+wDbtjwWPt0asJFmlcZIz8yavkArFWTgs4JzbUkqhL2bTev0glINFho8he3VDeknlkmOWY1PwbKtvBTnmtPe4gkVQlhz4lEBFnYovUpN+TtjKmYe89oWTJLgXaxcFLDUoGzWwQIR40TKY2Qxu65X+w+OcHpUqsJyAkuGs6tPYiDGr7EkgJxmsiYUZNE5/fg7A3oJE5yNhfkdpyW5YZdCk9ZQmraiLlvJplHHbBdUDQInyC1cE2sfCVmpmQ1nZHfK1bZ8fVcG1ZokvNrRv6LTq7pgLxjGUf6KJVMmdZcTP2muMd1lc4sl34tp9pQPSO4DnIO6HYow4MIRI4oDOpKfTrGFc+zxPMpN0v7RPed6TtPdfskHX80TGRWPNupGiibuH3HPfK07BQZZNdWoxFuACPDKaRi3jMenDSKCEf9IwxpT0Cp5A3P2MAqJLpkKZ/wlODboPhwHdQzh8GI0xTMKJ5a2gm66Euri5IXtMh2t9cGJOdj+Bm//ucu3dxie5O9ydZwsjMcjsZ0a3ubbbOd7Wwve5WO9zbT8Wj4Mg0g2vUYsjncHK4PN9eHO2Rza3803B8NyX8Oh8MheX9x+D8BwxNa5eYScLRPJjTXrLGtrJyxgimaX/KsuanMbccTbKyfg/DMcr4JZwq5AtfufLzgExAsIH30WnuLudVQVAFan1fMaaqkthuhDVWWTY4rQ66QQnh2BcfMHrDuDu3RbYvoSQMR7eU/DU2/F/x3q7Y+ft1BjbKcB/kVvHcL+tqYEeBOvIcA3fKyxvLsv8tYoNNGgW3GjL6zg5pQfAqlHGoWU37DQB2lwr2GT7ufZywvJ1VueaPlAG6FYWBzK8lPjk8TLrShInXqaUvMaDsxyBpLJE5LIrWWxEqqgDOEsbkmgrEM7crbGU9n3akCw05lYSezZlO07pOJ5R9eoMBSUdL4r+TEMEFyNjGEFaWZd7dyImVjF+1GLWMXL+blPdvnhZidgND8ls410cb+G3BrVXw986SJ2+qsLHzXKmlJjRoRRHHAav0skribaMzqR0Az4ZPGxtc71iaAxuYXNJ1ZU6+L4ngcj2fHuJeA6r87kdBEdgum3WSYDNdVuhlrp7qhmlZGClnISpNzkPQPqKkHgtD6FVQOyIuD8zU8mE7pdIClUggGjoATYZgSzJAzJY1MpZf7L07O1oiSFUjDUrEJ/8g0qUTGUE5b6atkbgez3E0qUkjFiGDmVqprIkumqJHK6rHedmczmk/sC5RYNSZnhGYFF1wbezJvvM5sx8pkgQo2NcS5I3ARRSHFgKQ5oyqf1xIQbJcArcx5Ogd7YcZAZbALTBbWg0RVjIOeep+ozGVQxhpb4UQCjkNonssUdGYHUWebnBoZvg4E73bRDfTi4Px0jVQweD6vJY5GmyigHs/ESWPdEemNdka7rxoLlmpKBf8D2GPSFSOfoyaA9XkZYzlidd5sJ11LnoDqrAodazTkPnWntQdvozXBfB08/CylpcHXrw+jM5jmvGUiHtbf3GMjHrg37WHz9Ei1I0BuuD0LSPp+m9wRdLqvBw5tP8WmVGVgE1iVXwo9iJ5He2DM0YvKpaA5meTyliiWWnO54ZG4ODxzo6JkqsHswGa/sI9HkMEB1EwES9A+c/6PU1LS9JqZF3otgVnQiVE6FtKZCr2FVrVrTOpNWAW6NtMWDmdkeSwZRYWmAExCzmXBgtlTaTQfDVMFWfEuUKlWaoeJYhPPrRwoorVAjUfP/ezMe9zZMQvmLZj3EQLcsbRgianf5nqKGH50VDgi8hNY6VXpyiLEjVrb1VxY8P5VCdwAMLPRcPYO6p7BavwKaTpDWsUK92sdTrT3DAZ/Io634ecJHmA4PKiq0SwjmhVUGJ4C72cfjdPq2EfU1weoRHmOoINuZyS54Xa5/A9W+0zsQpkCC05zU1G3HScTMpeVCnNMaJ574vMSwXLTqVTzgX3UKyXa8DwnTOhKOQ3UuZ2t4pIxbSx5WJRahE14ngeGRstSyVJxalg+f4S9TLNMMa2XZVMBtaNzxNGWm9DpP4HNFGM+rWSl8zlSM7wTGOatRYuWBQN3O8m5BnfkydnAmscoZ6Ui1AqWj0RLSycJIf+oMRv0wVo7wnOg6K2HydP9VeK+uEKUNbVMQbiJlMisQpcwisarhJdXFpSrBMG6GpCMlUxkTs1HHV2KGgjw1Lgdq7Wo5N9OgFOdPMvw2JM1N0w/oNpHe49+n+ZrDUB+tD+g0y5cnLkz6UgCWWd3q/a2G4AhYS/B6HA8HMdPGnNOmUxSbuaXS3IQHFqdvXd33lgbgTlXYgMcKQwXTJhlwXQaOSvCZB34TqUyM3JQMMVT2gNkJYyaX3ItL1OZLQV1OAU5OX9L7BQdCA8P7gRrWbvpQOrd0EMqaNbFFLDHh43pKZOXpeRBNjXvfKSYclNlKK9zauBDB4LV/0tWcrhBXH+5leyOtve2hgOyklOzsk+2d5Kd4c6r0R7539UOkE/LE1s+QM3UupfH0U+o8Xv0DIjzgaAWJidkqqiocqq4mceCdU5SK+BB7YwE6KGXm8HDhBTOFWpUKbMSwynfk1xK5QTPADwqM16rtrWEQvByUs7mmts//MVV6o+1jkA4lSa6nYdrOY5+hwIE5JRJv9quH2YstZFiPUs7e6PYlEuxzJP2Dma476Ct/+3wLriWdNQcTL0n7W8VG7Mmonj5AAzhgcYsJ2dBR/MMEWXFi5Ozm22rb52c3eyuNWVGQdMlLPjNwWE/LM3JBTVJe7G9Z7V/wasX1mZE0+fkzE7kDAEMIjo9uAhWNXnBkmniXEQ0j61/giak9x417ivCAYgMSWupgk9RTEkuaUbGNKcihfM44YrdWjsGDHclK3tMW2qrXXQplXmc1uo1F20U71dlY2zY8f8s+ECD9RFKXGPVZ/j2J6lsm004OnuyiCZ5936cuT24i/gty9GGKZZd9imLTyezrMUy49MZ0yaa1OMI5x7AQsqSZR5kXY29jhn2/6f64gZlTzScMzAnUkHIT+KeS1JZrBCuyUr8RftGCYOf3E1RxgxTBUjYUrGUa2tCgXuEolEL1+YQ9FWNc54SXU0m/GMYEZ55MTOm3N/YwEfwCWs6rSXkQs0trRqJ/oCP3Eo0lJrjOdG8KPM5MfS63lc0gnOqDVxXYOQT2ttCGgK23C3Lc1j9xeuj+qp+JZVJdb3SFZERNhpUYWR5CRTwBYiCTSb2DN8wO6vTVdw2vmAXr4/WBnhLcy3krfDerwZYxOF+4N2MgKOS1pTvxgPR16Wf9rxh2OiK0KIICOjPTThANHfRTL0Ti1EPfN+gm0ozlSyXZGJTCz3SUqGf106Ol08FA/+HnNzFNaggr48OziB0BVd8FIaKaWW1uzpWUJ4vaXFWrycwgddbki4AkyrPe1TEP6XHxS54VRO7JJgOLAd6Q3lOx3lXSz3Ix0wZcsyFNsyRWAM34ED9agQIsy+fAnGRSwuu6QaY+FgpXJ+/AwdX40aZU2O1kB5CRTiXaAfHO4GTdYGYUT1bmhmOmAK+Y+fBKDGlmFV/O9Fm1DEoQaiQYh6H+6IiF5HKe81clMoVrIJn6KmGD3Z1VyEcLZVigntF88acVGRWJNU3NMRHcfcR1VKCle6IVUKU9WzW0xm+X42jnc+swo3eEogF5aK76IilUWBpXVQombddyk9GuAdKUQjgBoKEmbyrCHIcmqHdLYBX/7lyzcdU0EuIplgZkBXFrNXCxfTSDogh0PfgrL77lhUCHq6+/Rd333xjBgzBMxZuSGAoAte5E0VDVHy9DLzCwqgqbztBbBW5M753Qt7UcZdcxwFgVJDjw00M/7LHbMJMOmMa3GLR6IQb7UKqayDtEW1mAjRCurkOgUVNENy4qhIuVluxQpoQhkRkZTTPWDRTGzKEiRIXTOwX5ElH1K86l14zaQEHrQeCqGk3ubdv7bBc16A6hD3mkjMFh/PyxNvqRY0gnAuixeOrH56FDADHuuYk45MJU7F3AhyXHOLercC3DGfdMEGFIUzccCVF0Qx7q2nr4NfzMDnPBv5aCeifvH33MznJMEYfwhyqNhftauK7u7svX77c29t79epVLzqX6Y3uItSzP5pzqu/BZcBhwNHn4RJVyA42M67LnM5jhSq2gTFbbz1jN/fzrQirqKHynJv55R/1DfGTM+poHmLnsfjBa2ngFMCAatbU4dWVXmdUm/VRy7Pr4hqXd8hOfDzryZGXJgCrZ21tQPn6aHNre2f35d6rIR2nGZsM+yFeIh0HmOPI4y7UkcsavuwG0D4ZRG88d41iae9Fo9lMCpbxqunMcXmtX4SlurliZtV3aBtH9Cy8MyAHf1ixXX/TkwwxX3eTLHpa/fq/DA/0GMBrlkXXjpyrufp+dlXMyePXf8OzhQJUPvvu26MAJkz8quM0T3qrB4TahQ7INC0HAUNSkYxPuaG5TBkVXU35VjeWhZdlS1qUuyv7RHYbK7kyY5eaTwW1CmlD25UZI+eNX+5Wey9mTLN2PmDD2gP9ccwFVXOYlIRJ9eKhyJg08oAJNpYyZ1T0oe1H/AkMYVqCCs4x/trBYtHnov26loVRFXvAdqhB1YaaamnBcAdZxl2oaxfLQOlMWf6WWksfQenJT6nQjHdZgVOrDKdqXho5VbSc8ZQwpaTCtN3OqDc051l8Uy8VMarSxs9HXjN6w0glomhOPIb+1foVfz7r8cOwt1ZFE+mMpdd9yWfH7969fXf5/vTi3fvzi+Ojy3dv314svEcVJqAv6UL7HIdvCOxA+oHf1eFBPFVSy4khh1KVspGe8+BSAI1sEQl6z/FYPTdSMbT64q3s2R6Szpq3Xn+3e0ohArh+/a73IOcQ86x9yOMA7EHLx8KQaOC5+Egp8nkz5XY8J0bKXLvcRvBSQrYcS6/R4kM67JDM4w4yEOtn4rWf76CHFkRKkwPdMGV1k4zQqTVtI2/QjNU8VJimzdF73GgD+Q+cpUUQUwsOYPKOjIPMiL+8Jz8gPNiMAXfR2Z3yDVFCuUtOdUAGKJAI3P2au9CXk3iQqBZIJKtmLC8jpyi4DzAQIAytnWNCzK1kNTxoPYtIrGX6LevF86yp/POCTpdqjMRKFUwWQgsRIEtomLQrRR9ohk6XBFlNWQ4uOm3dUkUVSu6fPqpUck+tkraZBrO6sh+NeZe4HfWi6+ipoIcizS5LEcXRSUEFnSLz57omhI4ShRVSIj4SpSLEnOSo9fU9vCR69P6UFWS40dMQjoiRNRvNQiE9Y0ZZKg/lpyD7cfkp32ICRSP/Y6EsiiBlXHGhJ8qiCMNCNsVzFsVzFsW/dxZFfDB9XJ6rJNbery+VShGzwud8iud8iqcB6TmfYnGcPedTPOdT/InyKWIZ9k0kVUQALS2zgpd2tnjpD6QTsEYeQan4DTWMHL35ba0vkwCOAhgX31QyBUTvRx4Xt1Lww9S4MZKM54CJIwZl4p5+hctIj3iELvblciTupOWvnSiRddTE52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ7zVbIstRjvr7u9ev4eP9deQXiRmDiJmcjxVVnGmSzQUt0Gb0CJU086X6XVVwcCq5n99QMXf1N+Oq4q4YniQrekYh07sxz4qr6B5CwcFV5aMBx1Vo3wIhKszgeNA8hea5R/pE5rm85WK676H5CznCBaznXFy7+ebkxVWS5fnVmivp6e1hKcivXGTyVtfvnyO4bzG26MVVomXfe+8F/7gOymln7R1YGmDMcz7uG7Cg6dvzxS8zm4GFyZ8ocq8F+XMg37cfyNfesu8nrq+1sucwv2WF+bUQ/Rz1dweerGqcFNnOkhjim6MdnOJR8OgZHS0JoPNfDkafBtHmzu7yYNrc2f00qHacs3opUO2MNh8H1ZI4dMOsd8pNW2zWRYILWmrv4Y95OvTmk4JkXF93j801U4LlW5uJ13wXSXWhZln2609VniPEdpLO2lvAH+5/cIrlB6ymv7X54ZMWxBKq0hk3LA1ZIksIbzx7T+JpiKFqykxwZdhld5b4cXf7EauwIoqK+ZIWcBIqiOE0HTIb+KSkjEBHrKLkOVuHWOMnVSdKlkSALXu1rVCFT1jsGY3jOR5enB3+sreXxdOv7qbZ2OKRK9tNtpJXu8NhMnq5Pdp5xBJ5US7TDXaAzq8Q211KZVwO+dkxnjRyIIiDgqyvQ1kDeIxEcBH7S9rszDjhYspUqbhwmWDctXcjdGKg0DpizAXn+vxyq5lhpfZaI1JU6GAtaTKzOpBM00opq2JiTCc2VXHNxqAbh1E0WFsAPeb9NbUpJfBhWvdOvb29TSZcMTYHRrExzuV0w8wUo2bdmpyWN21sDkfbG8PRhlE0veZiul7Q/JYqto7IWbcTcjFNZqbIu9JkmO7uDbfSbfZqc3Nk/8hSuvNqd4vSbGs3yyaPIBDfsewSDsNSM5LdSfgcbnZ+dnByepEc//fxI5boGhsue11ums9Z30pg1x8+Hhx7bw78/Tb4ZVAEr9yPgOBoE42+OEen5/DxHkfbT42geDvh0ek5+b1icACtPUaFvmVRS1X7u6tL4uwyxuEshl4IddMaP9aclIpLcKlNGXaNc8O6QV9cZUJDPvo+PH+15pobzv0k8ehwi+R7KaD7u24z6UbEaUOMv8bLT6pjF5yDAa3HW6ZYvXeoPnCN43ShxFev1h4Twt9Y8cLJJS0WLAgFp65bMaLSvYF3uzSdubmIdr1JFDOVEtEthO9E7Op6RtovI3Aldc3mDi919LzfAMSzZr4pbiM5YDwnx4fndXOrd9hoBccCXgwcNHZoFfVy8Ec/uSC39q3jw3M3fDse0O6lpbGodSH2FoNfmgke9jlPy+TAkIILXlTFwH0ZxvWLKiptGu1Lr+wsVxY4KG/TWQbX9YXmwBoOYUhqR0tBcHLje2hTTUqpNR/jJWEGfUOs/kdrt59zgPssgH5AqSYp9p1rZJW0yC5Jc7q0/BEsIUAxrC5siM/0yZBioE+kCwbD9jsdjnhy2gt6VJtoKYEpAG3EAjHUqNWm2x0ORrEwkI9qxVdLJjLtL0yxM5zlSh4l8YB+7R0xPxom/v/1YmHZNSCiy2hLcVHxgBbopMRmNLrZ3o86x56ckMPTgzfH9kCMmUWWfT+/sdpXxJxWVzW5whvOmsWYKJtICt8eUSrFdCktioOXOhoEzmVCTgKvEtL48Jj2mL6z9BU0UfKpK1dWvDDoCt/ZFqvg3RU95bfGmEUCRe4KMbzw13EQ/XkD7n7LumHBgIHeXfAOVJrOYs7OJsCYGmlPXKdUZSxLyG9MSV/SogAH5MxdCCIPrRE4rrGGU/SkmfQT6hLLylzM6pIyn8hjgDab7i9GM6YuJ7lvzb0M08nfxG6SnBlr0Vg2iTMTmLlRcKXEjoN17ZF9cnAwIBeHA/LuaEDeHQzIwdGAHB4NyNHbDs26j+vk3VH9ZzOdY2lBJXaH7NIw6jaOCKAa7kAyr3yUSk4VLZAC0eNmIkK2j4Dyhblu0UCQRFryOj0OuYPuMaQ3R6NRY92y7Anzf/LFu2tVKfDuB/UozE53dyvXXEDoK6qpDc2VhIbyccwhdMI2Hnd1DzfM88BhUBMGzMCNdzzmnTj62/vjd/9o4Ciwxi+mMrhufE5coPXxoHbQ4ODLFIwgEVugxYIv+IZbVQeFFOvg0YC2uumMKpoaa2+8GLNc3pKtTciDtRCQ0ebu2iCifakbb9S8PNhB2DWR6ZSW9kxRzchoCCJkCnN8ODo6Wqv18B9pek10TvXM2XW/VxJyDMPIbqiEXNCxHpCUKsXplDnjQaOSmvMoG3bCWBaPkEpxw5QL6/9gBuSDwrc+CKA/5i7oHidkwz5/9TD259D1byl0PdBFwP8y6SFMAnZe7UNwK6y7/XaotMss3EAzsAtzw8vcJeYBMwwzDWrc6Gq8adc5ahDLoIH0GsLGrbk3YesxVgZII0ISoyjPoREwU1z2a7/9SH9OHEAW+Jw48LjEgZqAvoyV4Iyl+zWLg4ODpnrsLdbLz0kBPOg46vKcnJxZRY5Bfb6r2MFx1fI0+B+vvMPP0Q6fTHha5eBHqjQbkDFLaaWDE/qGKs7M3FtIMaUW1GhrGdqhHFgJOf5olG/PC/BFVT88oGbGFDgFwAEaIeeq1lnpNYPBvVMLWyBl7KN9u7BUEg+NegG+BL8zqjkEXYYR60a4qK5YDXciuxWEg4nTdqA0vxu1NxjU4S9hDfi5+tN/T99CdFsDuiWejdX4cARfvg9CygYO0VYxBfprSi/oN1yX0IruAiA4a8pvmIZOw9EtQqP1MDyWKhYH/2VCh1EmCFv7OmBRKGoAvG/fef4bQLTml8LXvimZcut/IUv0weZzO4SWMggWZ7Lh6VhLyIHIoDJ5KkVtvTqsNs/+3XcS3qtvjTnHEzq8NLh/Q8XLtHHbc3z40G3PG2boeuyy9hXTnE968WKbvdfoUXiOYr9XXLEMig8+QczO8eF5uFMHORbwaxejiZEJuWKpTtxDV5ic48GomSBoRsB6Km2wZihcYOedVt+E/DpjAvcMNjBVUkcKGxcZT5km6+vOVequMSxAFp8659OZyfvKr0ergfejcPGcwY26YVPl7q9p9i8Lqs8yTmesoC38k0Ygfw/pjJJhMowpRynZKM53HL5YOCifiuhOzsUQA/nOwbkR8Pgem88XqD/gc+4yqCwZFFnKGRb7t2j2jADyZ1JqpdAtSp/gzMC950azfFJb21Tg6I+4kVtSwQdAJnp+WpcKCOC9jrglpeP4cKgeCJy36QEwosSZnsV6j1VjYG1oen1ptYvvIYPxAsOJ02sCKwo3QIBRS6xlDjeF7GNIMgD1p7ci65fRfcOGD2I7BeOxwfUWBy+wjykr69oBEff4F72hSU7FNDmt8vxMwjXFsX88Ziuhm75nK+GL+9mKO9J99T4hqvmjuSMDIpfegsHSoIqnDfYQuNCBfZRAGRpXxA45RltMe+EMrT8LZmZ4dAO7qo2H1zIwK5AlXKR55ZqYwG0ONeEODYwvMa3HCDXV7UT1Itx4fijqc5Ys4UHeFbZPwb4sNNRvc752tHFCoQo3pr8YB3MwLsUwwCp8fpC6ISkZM3NrNX/qW1xSp+Kom3D/jJNxwQ2HyHK7VbnUdm0HficeRrdVvaQfEm7URYU1sXJSMKorxQpsgQOZAX2YjR6DaHZDr1mg4RjNMXnUOC5YISE+hWk7jB8uqzENc2dQncSfTlaAg79SLCHnDPf8CrPorOy7wmVz4+qwA5/wsRiQIRqu+MMRjkMVHKR2Xm2s6d6Q64u1olmgKNYnmw84erAZ/KVEs0ymc3yEsk8YMxjHS4joLXICFXqBBGqtdEaFx2tKDZtKMAX8+GFzLcO4AoSs0yy7GpArd27W4dww+GrCc7aOmn92hXdK/malISBA5Y+iWVyoYw4U1tfAptJMrZdUa4vMdQxKaqoZDvTlbAdmecFBmpCJtYysenmIc/pahhjmhUY3KK7U4I7U/jGwX5yTy22NHcgDT2acKarSWRws396bWiPE7V4Z8ykZV1BBZ8XCF43ImW462iIlPTdMOW7XmmLf7ewVmTthETR3bKzlHF/usTAm5AZxM3d3aqhsc408K5/HTbncjHZTrny8KHetgGhcvUxXYw9Wm+rD+N6yc/OCW43muby1EFpzM21ulJM7bkmRd44aq0fA1gQTJMJk11qszMxqf1F5vLvV3qfzLpw4lTONrj9DLB0sCio/gMkNaZ8R5qIitD6Wq9IsCI2M6UYrJqdzalKJqCLtgCg2pSrL490H7g9PE6vHVPYPqYhdHph2YGKhoJE3TIGUgVBmrzJ5ZY/HW8J8yCbqOeTkqLsN27vbe03kIwd6gBdktX+iiV93GnCQTi82tgHy8dYaroG3glSccBVljSlGgbdZ6pzCnkhlP4NjpeQly6FFzx00nXGrQ6SuHNb/gTK/hhYlsg1q4q9M3PDcxJ7zIM0ZOiCtvufLa4UwnbZIORGksCJZc1OhfTxwsYjmVpIwrTtoY9ZjhSPr9x/TOMqlEZGe0jyFrDlXWyuHcBtUjGIHlItccIGYSOI1k4jVFtgWeBWQjnsS0tIzwo3jEi1ICim4kXXgXz3E6ipYyn7H7EffcstIcs1YSaoSbxbgpfhwNbFqLW2EtIlHK1rxxKU0H8Q7W1/7RpUm4tTBzeFod324s765dTHc2x/u7G9tJ3s7L39rhidm1FDNHqqJ9vn1W3CaVsSaaGAEb1vgghxTAqz6IaMmVtaEkMqLG6zYR9OGnMnldOBMwlxO1wbx5EGKGOl0nHldYjo6r6ksoiqZ2OuxBhs2HdIhCuDZUHBASBOcXTC81Xsac4OpF6LnCplVeU36WJEHKxKg1kNJJrH3o+gM0yNsSprOWBLhImxvpRapz9pT8671JhdlZS79j4IK6SLkvP1XmfgBqt/wPOe9z+CdG9DIqJdwjtzUDbcagdvBMG2TkpBPIdbtmcfPzJpNirl7SVPfAzYCHvt4kWc0MLvIvClg95R3agUxsUgw110ipQa1I03aggTpzQpO/71XqwLgVtbANaIcg7nYaj6xxOykX6iekRclUzNaanv4tLHfRIlFa3AfSG+dJDPSbgDFq6rIHVRIoY2yyweXAfhirebYJvq67V/fXwc/Hh59MUffyZFdTehscHdNlz26PdkZDrMmZGLKupUDFtdJLoJMALoIXJUqxW98ZCaDGsGK5i7Q1EjV0TBAt/BFVUAZuKoFTqyLt+jSqwv5PCR6JY5T1pI417IzekObiicoGBUmTs7H9B4rr6OGGSQoUETT214b+EQ4o9KeLjT6rRmmdVVYjUFIYtcG1s4gaApO9vrbqpmSQuZy2qhsY0WNvPaRAlzvN3BF/t/24upv/HZfLSSzd5LRcPTbwiUArnmbGX1jdq6P6/okQxedO3jJaAda96O0fZOQt+LVhvhn02mX4bkuBuVAJzz040V3c8bVkg93pLXfpNeCdnHD3mpBfodq+7TiekZozpTxigychYZ3rBWKgEKrOVpLR8U1kpm8dfq4RRVA0MgViwQcmVGR5RBvOGNzuD27taayMNExVcyuGZyV9ZeoZgBClMzrVXMDo8BJh95NEJSljSWG2xmDJLUQ6Y79tOHuz8BN4bTKqQoh+LXpqKxy1aPy5O1qXg2dammKLM4SJZ9ANDSspa0puotyZz6AgYK8qioxc9eRVcpKCIPCodGiyKspaAJdT0p9U0/hJAivPaM+fACqIMjftYE/NzjyVSskrWEK1lcR4Aa0z9+lZzaw7nn/MvD+zjJ19tEE54ElZ2G4CqfvvSP/e7SGO4xoq7HD/RBD7S6T6WXUajTj2momGThGsbgfmLOQT8yymuit9u9CeiA62CjObrwtfXWJe9PD6s9ZSUavyHBvf3N3fzRET/fh8U/7w///f4w2t/+fc5ZWdgH4iWBGM3RyYgq/GyXu0dHQ/VFrgZYX6ArO6aSyclkbWZYs8y/gf7VK/zoaJvb/RiTT5q+bySjZTDZ1af462tzaDKr/HddosjLWVvqm5Y21qD5V3Lj1XfmQvYwJiNmOmRkKkcjvSj3i4XqnNiMpz60iE3wsJVM+IjuIFOi/gD4czG9mWa9WcyqNy2pAjc/n+0LuvbsdiHz/WcNriQwEc8FastCyb1+sKGL4tThrIWYA7dPRiYdiktdukmiBEegHVjqIAL/XTSkG0IFcKGXlTTjyIqwNP7uENBTZYdA6ihe1NLdGMP/rSoB1Im2oxxQMchSxdvRIROoQl4W8Wt5AVZp4gxfa1ps4+MRtbBzY9VOlgJ5qtAiXXOuYPXjTIHnXKrxay9Rd+uE+3KGFmAbDq2vq2MFrFExaN7eWMvysZhZ74/etknHV6LpMxTxoMWCXcsgv9ICRTDJktQW9rndHM6F7pItDa4PFLLkB9ep5iGLrO2foV4ZThRLbB9yez7VzRnXd0K/lNHK7Fqg/NWRtHTrnbTUvZnpavBAtJ+aWKnZfopY7LKABnM91YRW2mTFltgauZThZuhq77mRu4HbxyTDiCyw3NKjr2ay7Ja57sbR+UFlrSkzX7qq+1NhGxaheWtWX1XcwOrmdzePgNH/Z32VSXQ9sz1WpHc01IVSGp6CdOtZqMeoIPNzBNm5Tw7i/QuiUO0P49lWTp7ghA/9wdzTuFcTbVU/zHlysq7pnFx+u3lvlr8ktG9tj9NGHuIsWPNGQ9vRmTHAndhSDaPFaqw+yoQVeYKONfUYgkSivxrlMr1lGNDfsqodoLiAiHzgSFaQSzOdgNvXfBw1gqPUa+fKWQGxuAvL+3WuSc3HtY/3vLxfq6bJNdX4UrE8LAQc8jQMY3GmNRiAHkfk4CIpPo7xEZDHvg61khbViKGELKeBqD8RuuB7E/o2dnfGVdlznwyjbAhtzbvzHcAiOt4W3iOvrSx3piXdpjpNc0t6gt3dcXxMYAYwlxaXiGHLfZoba8SuiZV6B9yfKyXuvmbtKgqXBZY67+EJ9wJ7e5A7YL4VUxQJEduciVk/BMcX/YBkM+8CCBhgRo1MK96FhEUNLN6PhsMeZV1DuqgS7GudzWcG+N69XnFRAbgJJwjoCSDdv0+wQt845p5mlJ1EvA7HmInVBU8Kqxi2HubZ8ZbEj+rieR+duYN9/8w6xDqGErUchXhnh99dQcBGjO5fiA7gTpNfNygbsI00NkSpzkRPB8RLdjsd34+FYB+dtuBbpYOuGRW3inqRtEebVYqhXmKB5fhpC877by19DBYNgMIQR40oHUQINPuUvWXywAY3i9z130om7catKL7yjYKCwExA65mblzoRPpdBcm1j3dpQZ+91AHbDaVm+5EafnhfWMmUUz1Fy7yuU00fB74n9PUpmxq8QzX/91LWJj13YdvY2lgNwUHWWlcUWKXM233aqP5snR+Vri8xsbbwQV3JE14UYTeSvCjJiaYWV8nXMRxk1liSFYdy83itkJC+5KkZdNmjZ0oZZn91+a4Y3cg9dmLggtvjiLKAIv0OogjTtuzuw5/aNuRbyEtKD7DdXGkuyBqBmH3eGwIPRruVBYB3NTH8kVo5nXy5yw9oRe335EYhIPoCcOrPx3y3XDqk9TVmKefZjUJ7xB9Qxqj78UYP6dHLnJV44rJUu2cVBow1RGi5UoB5+Ox4rdoJ3rHz+/WFlDs5P88st+UdTMhNPcP7U+3NkfDlfWWmy0G/P9jXmqzIyrTwwAhFi5phOqFde2oqvxOkYCroCkHyBJYVRdJDtIrcx3oguRPJGnDwgTdr91FC7o+GoGt+0ycn7hoiAZtlR2S0HpdI4dn2foGufd4a9daiCf8y3NS9ZWVSq1rBZUq23zQcDYUNzQa2TSdTCu7BG+YdrwqV9d08uzgGUhsGKnGxpzerhYz1hpZp3RUSS5G7Da4YOXuyLOvnDZiwKMT1LmNGV32id32CX1kf8s+6SY91goMMXGzubLUcay8fpkZzxc394c7a3vvZwM17dpur33cki39ibsfuvF08OEuysml2Hxk/98T4LFAdZ+bkXjQzmZzu0kJDpoMrZ6UTNU0SUM2F8hctOHyNux3cL9/v8ExbFdeTqndkVeQzjgcN/gd8jnIPjPVGQbUtWLJY2Yq4GrjxJc1OM5Tnnib13Im/rO658/nbz5H1+uU9fZBlbI8pTptQRfdsknzuHXisgHTwnkvrMMsdlajz+OUUyC82o+KmofIwE/QzFZfU1djIILWcixxr8futeJ77299VZqDB6EerXghUKHc0/wETVG8XHVaX+/hNJZiPcwXyz+w5fYiwfZ8w1Vc0sboXMZ+YUpDJKE2jzs44xWGjzlUFFBTpxsaXJryxWCN8hnc7jjCZXHb9gArg0gsz0b1L3irIyCXivxhR37yNLKsAGZ8SxjYgDBuPivFPl84DjkgNwqbnq81Kv/XPHPrgzICj79YCum5+Y7z813zHPzHfLcfOe5+c732XynN7HkcboD6EEwDiiDULN8QXUB4jmR2BrvN5WFNAqefCrtplYInM5FMb4L8vD69R38LdRVhmHcBqLmUJXgx7kq7FRXzuTj9qwwTa5gFdG1lUs1wSwirPsevHr20YG1NNMwnLcmPdxx9fgWvhpZp08t4rDhvguD0K2LYXNX6xSd0SaIXtlZFpShWW4oAxHMmVwC64pL/8ZZ2JniN1EgDpRddW6HyBXQWeHGTBZsg+Ye82GldrhLHOZzF9tL3EcKVFEsD3vPapuOCWDMiuXshkae5ro7ZG8sZ5S8U5ZMWTsXBUDDfQfiMw8XAnER3UW5EqBmiR1XgGWFSTp7WTq/kgdnurS6t2eKF1YQYOvkkyPy4ueTo7V7j9LqaDgcNQ98bR8uG8J234qefrXtA/BF27t9pR5uX7FR21fsxlZngiwvNfjEjl37iL2iitxNhL+9K6l9VjZ3drf2tpqnpeAFu1xiLZU3J2+OMYrfSxefewzQglHYbAiniDaKUQhxGs9N5EqoNBQAiboGcSpoItV0A++8If14o2AZp+vgCY7/Tj7OTJH/8+Tg9KBm8ZMJTznN0W/8PwMnMnz9vQTrV/VkMlr9owS9f+zqW4YxMbk2ZB5ES/d5nosy/mJ5lPTGElKMdi6ITK3aHqiL9hayWR3ubg9bJPSZGmmPQho0SQqB7GA6NI/ZEgtWn7Z7FKIwDwWovKSss03Q7HFKVgdl3pfdFqTyViwtKBLdx3aCVfCgKEg6fVg+PW0Hxa9WaAq6NUKjxsg+GbQ2EvYWi9V2lN+GfZpFSuXjlN+Nu/b+ubHjc2PHu1f73NjxubHjc2PH58aOz40dn6CxYxSxxv94ZLxqj2/XDmKPNZgm0Ql4G/uQUEmAemkusIdrsmI/9hR4H+1u7W03AEUxffmdKGMXqHSAOgYxQ/MCQlpawXnLs0Fh38AQe4FUmHEFgRgOkrUO9YWoiRBDtNRmT1ZBB3/Xe/B3qTrkPSo/++K85QxD/X4Rl9jHneGrhOZwOg2/Qea2rGvf1y4OwF1UkmheF1nw4vzgdC1BOwsM7xBm0He1Siszw1B66M0U3f3Alo4r48KN6gJZrTL5R6fnJF4xIS8gn53nWUpVptfQb8sKyvP6vS5i/5KwnGrD0ySVC98pAe651hVTCcK5TNHike8CsIABvzg8BbqxQMDteYTCgNzOal1lSPCxkV/4dEYOtK4UFSkj51DFlBwefBoSKmGWdtdRIwBmIS8O17DuXXt9788/BfioAATLlrmRR/FEbh+PPmUfD//6/nxA3v7V7+eJSAfk7fu/ttpFDcjh6V/v2fNwdD5r73OZ0ryTB/Hkm++n8fzm9VpHfbLkYTnF3zm7/ZSVSDWlwgWqLnk18VSavHj7GYf5RKSfu1iaX1aCL0uF7FszzYmd0S79/Sesva8v2iPXDxWEL6W6BPV1eYmJQXRCxWLIIsP5guC8GJBzUF3OOiR9SHM+kUpw+qglCmkuwYxcYE13eXAvOhWl462BSh2gVYNRKjTPoIcbhKF0tmtzuDlcH75cH+2S4db+aGd/69V/Dof7w+GjV4VtXJe5LEw2WWBJo1frwz1Y0mh/e7i/ufMJS8ImVZfXbH5J86ml9dkiuYufQocHfvzggvAp61gfATtqXbPuYXt3/ji5EC0qrdTNMiv6w/i4IF9sO8/tA6n7qV4WCQjGSIEg/KBvnceNv+PpIEFwbcqdzdGnYoJ9LKWoc94+xVY9dkOEDcwYOLFb2xeCLBdY1e7OztZLj/V2OZlPWOVnWuOQAGptcWcRRbunS5qijc5NV43fHLpywovCrJniNL/EJNMlEagrQohT1fmsuqqptV/aQaWAkCaZzqNSXpO4XCbscTmjLmF00OxujS5BH4gvwaTKoXOOyOrwljB03VW1g92dnZ9+/PHV4cuj4x9/Gr7aG746Gm0eHh48jiuE0MGlc7qTZnuXRkByiF+MuMGvrK4bi/fRtY8ERPQECt9wQX6W5DUVU3IIscok52NF1Rx7HXj/6JSbWTUG1+hU5lRMN6ZyY5zL8cZUjpLR9oZW6QYGO29YxMA/yVT+x+utrZfrr7d2tjr4x5CI9cfyYWesfx0LVQcT1YPRXpWeUcWyZJrLMc2DNifYwlccrUV+DQv0Mw1QD/y3YIF2YvedqweLX91hgp5f/LVWUQfk9V/PqSA/WeOS61RGJurAmikJGKRPu+/fjPXZWPknLeVrm593HdTGFn72yr4BW7O10Met5Xu2G90t7nLVor/XV8V2UqendKhu637IQ2Qow8Pm8j5/dh/vSfv8mcm4WV9KlZpjyVBMYqJ1oBeEFltYozYoIXeimdsLSveUyfBKnB0V+htj4WcscMHSGSiIdfUyC9nJmdf2pHL3xWpdV2WZ85ALsVAPP27my8onOvSMsHuDKYVRjDaLjGGuNBNLy286beQ1ucm6DWWlMjNygG20WgCCVL/kWvb0vX0alDnF4eT8bX+728ODXpCWtYMOnN5NPKSCtrIZPFU/AMqUyctSxlEqMUOTYsoN9G8TGcmpgQ/dG5n/S1ZyKVb2yfrLrWR3tL23NRyQlZyalX2yvZPsDHdejfbI/zZvw5aoM62+t0fQp4i3wnhoQM3A57dgUQU5IVNFRZVTFacqmhmbW5bDkNlEd82HceuD6JKdK1eYGSrrYF8XMsmlVM6kHASrsFuNDsHLSTmbayzACdrcANgDCpJmJlBUIRG8DFxYu1QWwP0i9ta98R5LbaRYz9LGvig2tQJliSfrHcxw38Fa/9thH0xLOloOnt6T9beKjVn6Q19eg5df4Yu7JdjFjLlkhagxZE/5InhG18narWSYuIzR4h2OG33+n/yoNVrThAwnExYM1cAK5oqIxaVaG7UVBXl9dHBmJegBVnyts6UQ/rhfy12NKJ7aD9TTdRYXheXvXX77RsjK/1L8LcY5AJT80NOYxNHnL/7zA41LZ9hjBMizpsi6xhj8HnwwoY8lV+0wNKjPE/wwyrsY7PvM9xp6c7QzgISVNaDzUjHHrRNykGUejEkocYGhdG6I8RxqUauUah9E3AQOmTH1viFXPR9qAmpWUkWNVJ7jUt2opvNCC3qN5VIGBOsezujW5c5oc+0RqtyXTi368llFXyeh6EvmEoXzJHWjE/Av/vO9dWqgKEy7To0rHA0hd5XBpg3aUBEVyzs+PId3k7/4Q3Bnse1uXReYFMr3upuy2O6JqvhKhQbNQ61nYa0uNqgZkT+jKrulig3IDVemojkpaDrjAuJ8ZHqNV4yGcgEKkD2K/1WNmRIMKpvIjD2qB+ydMfpPIv/ftqo3N+brBubv7V7ubn8tCYuyUE6ivfOk5sXsXTK2TqRF3TON1Vc7yOqqvkv6hhGlIqfM/Hjy9rwhl2Gm11xUH3vGroGOZgojgtz3xcl78nPfnl68PX8bMPOAU2TKZPINGdIAzrduTCOQ35xBHYP1jRjVFqRv3rC2QD4b19+mcW335ls0sCO4vqaR3dS6lgTJ6i9u7FgiNfqS1t3TQ0XcW1+a+cpDdgWGjT2/iplKCe2tQpDHTh16wGB9mvU4axX1gLhOzIEOePSNmmh+S+eaVPDKAEpDusrSwelQMCq4mEKhc9fll4kbriQkdsc9PULHAYzrURjp4tpLXY0ZNcCIrtpYKB/AQnig2RYT1le2Q8ODzUXTJSD3F7eZd826LBo9vZc+4RbEBdkDZUZUGVHje8E/+sLxjlFCC6vfK5pDMncYM9LlwDygyHLdtUod/VJpphJX9d0a1SRjKc+gkZNVR4GUauYu7fOtzZc6mdCC58u6/n17TnB88sJf0iiWQZnejI05FQMyUYyNdTYgt6gOdxNP8MkO3FX+hCVsv1oiUMfcwV1vZmWH7FBMYLxD5aWpxfcb+S96w9rYinrXLGGX22vA2QLYYG4reusK93cg3062k+H6aLS5DjY5T9vQP60C9a3tdVwxwaHsrs397zZmvLfzS+2sn8+dZ6v3ST0g1bgSprrvDFN1yztneLnJ1R3gF6XH0TAZbSejBrRLK7Pumrm2xIq14A9zWWXBGPd+grqZltNqMOULGvZemc2kYBmviitomnBTtLqmNTwBwSc0AM9w7ZrwydLxFXyth4QR+/SRVpXxcsEyKHcFtJ5jU/RakwtFpNHN3ty2rc2d5vRWPn6tCxfIX1zmfQusDvLzlrQ4a1o2EwCTLgBWDD9xxN1X4892wasa1DIvhieE3lCe03FPUZCDfMyUIcdcaMNazA1wg7dB3++NX7TIb/ryL4LzS98DtoBYZrENhyngO3ADB20WFIZeNXj5BGwKZFCCUCHFvOB/RAYIojB8fB8abV3BKnh2ZSkFP3jrG+2fVIoJ7lW7wLXIXL/hMKwv/dVDVEsxzbuk5HYLpuwC8XTW5FfjaOczqXzJCSgVXnv+60U3il+N2+3H4Tkl86Xlxoc6/ECQMJP3VkIBtGazsxbAq/9cueZjKuglzQouVgZkRbFSKqv2XdoBH6xgH3xcxjQiSX65uDiDz3ffLP7k7+dDcKN9KfRegjbe6KaqVO7bzGiGPeZMREt2O1TuV+raUy4eU+JfGMtsnsTlAR/ZgS5+tUlGcX2PFpgEZm3vy97ey7tBdJXsvgON4cJ5cXDj78XILyzPJbmVKs/6MbOEfbuQWHT8nt17YYEF7jxj1JoZXdtttL3Vv5kFMzO5LMG/2kApThXJpDPFJfTJOz48J6NkNxm64pl5Lm+tzTeteAaFGW5p6L6S7dcDrMDe1Z2fSFFp6IUf9X00MsS2YL+e3yum5tZkXGn4deWkBgNde2F2uPkoFXONglhKK8cUQk9O3yS8UTAT1uvr6ftOlyCsCwot2w2DNrcJIW8bA/my4QUVWaN5KhcA5GYyTIadC5Kfjy8G5Oztuf33vf1Hnl/07jn0oVVLC25/54avuyPFZNAhTZ80Ns7ltNEfqQW7LqXQ7IszSJx2UQ4ZA/n9ssj7cHI3j/S4+dJM0kH7aVzSAY39KnquFz+/M2wTp66rR+8t4/awGSWzXNcbwHWXL3MErrW6NrRhakJdHpBTvk4aX94fyhsGiMN5fYq3YqlUGeFiqpjGMEmGfzbnJQ1jBSqVoR6Jty1U+PaZqt2qlChZQQ3UXNKMjGlu2b5aC6MGVxv7GIo6h7FmVGS5lVY09CpLpRCBtZ+411FCuDGp7zAYhqlRgMD5sTQTWirXYLmkgtgVrWFp/xiOxOGnBxU9AW+LK6Y053RZZkMgEZwFr5bqHaudAoOesAG/e7Vw9M13XUofOEQtKjnUsRgQWRn3hyJZ8QfYUinYuB4MQYs+Z7J78X4j5AtEUdf4OjlqI6tB3jW2zk/fnHXOCSEnRz3cb+G6HUv0wJzEe8HupohuNWozewD+OpFnGvOp1+7jPdGnR53A0NDq1rfuKlg6o4LrgkT9vKAsqYU+SpFj9tc6GNUyunq3HgxI7UznxvW8Ejv9+CaJYf7I+m46DbFrcpgIe0j7MeE+Om6u/JerxkL8W3VR+J5u3K0VCmlgESyLx/9L6LQ5rgxR1F1d+I6cfwFfFRfuTsOqwIi+R4S8Qs3Kp6082aqi2a7NbREL9Qwb3UgLBqHCrevhcDDvK969UNHu+ojHDbdvqRarqwZaCWKoMg3wDUgmsQu3o757W5pu3FC1kcvpxqQSUOJUJ/5ALcA54rK9T3oHFwwou6oQIee3od2D1uGm2dMIMeXMTO0Q5IZSoE1XVskMrclNq4IOSGPhuiZNJatbscMgeJ0H5yNqfw67ggdobt+uL/t85/OyMvGpCmfacp/QmR3aO6Di0OoLvxYt+xy6DuNOIuu5uqVKXA3IFVPK/ofDP7XuQPOefunQmLC5rfZEqyXs60UzVtFN5CQ6tMrCbhWoa9WtFStgNvHBikdJc6p9hA0X3HDvKwgzgI7g29OStNJGFv0hG1JNfflMLPycjKU02ihaJj/6vxrIQqcBlCZPcr5Q23YrwGsEdzBkR/HFdeJCqs6j70NQHNlB+Aku3vkvYhdD68i0Vru9eedSlhkh2yaDp1pd+L5uAGcaHbQsWwxphb4hYMzcMXYL7mhSg+/Vk/W/YscFthBEUs8ZC6ST/Ive0F6kVyJdYpmMDsrddK6T3kxmHSw/QDvcl7xoLoQuRR54VtDw0lnYCqYhoBIus3wwqo/ki58I24j19oguc24wx8iQqmw0aS+pMnGg8wlGEyroAIPawJUb1t8hIPLiuEPssg4FqDIYsdlKncXADWI6bSzDL3bQWVDiAh3DmFAln+ZWJ5hjR3rsSZM6A4pixQWMS2EilaCtSEUEuwWeY5XzQt6wJslD/8yqbIN8Z/t87CuXsY8sg13JZHrpQmitiMq4puOcZURLi/mUgsgcM3DkxiGXYx9/Ba5gx7wVM4qzUHHi6hLZRM+JO2clGb0iw739zd390RAD2yFg5c2c1CpOp0RcSKUDubvAacTu53edOSe+Q7PKWDkZ+F6kQalDdaDgJmZyN5y6YRJyljOqGdGMkXc/HWqys725bbdwa7S7nfTAn0xoynNu5skyfF2r0QpdxTbiJ+zoa+3QjbC+gzSVCjVnGa3K0o5d1iCuD1f7PqjwYpSMmbllTJBhGNK+u7nVJYrNrXtxtESZF2HKqp7rY2pNvIWR1VoHEPPLvrWUiku1WPGox211a5v9PF2C/sQtZvWQXJM98pcaOf8ZtN+kyXNCAUL7vkK+Hvq3Q6yFY8WOegKhwMyjV6OeLgdbO31oDQA8/hg9eGKC1r/wiWnYgk5RgsKS0IIkYhix+VNnqrcnrjkNYKntTT05Ol8bxJaONVU6wLuTOZUW8c7Q9z9eJfeCbg0nEBvecLLAasNFaiL7zBpQVgrIEi2ZvIY7lSU6k1rGUi8onS3v5Qlhw5etB39tYggTNnMTFiICcKDfQQGRofwVNz+Cotvt3tm9wQ2KLvrYmXgaffVAeQjv4G/mtONNQ1FUwqlh6FKSN9D316qMtE6gJ6iM4ThxTrpu+OncE5+UAe9H9wExbliqtUx5/aLVXW/q4OGFLhZqy31Zx+UALZgpv2EC65bFszrfTqmkkanMnfvAG/1qzI2iikeEg804rRTGi20x1agbF9DTh6kbnjI9AEWU5lrCZHM0AOqH9fW8jNw8PP19YCUXG0t5PSDm1upyygFzG/fXtBaH5qZy2nndBfqGiSwU9iDYZwVgqYuuWSmUhSJrWHwt2MwbGdOGnJxh4xU9gCsmPSDRmLdcsVClLpKpnxF+ARVjMZs9rcK1TRhb4wUaWTnx1zqWOR0fnvd0GqK8aJBWzxVzx6p8zPXyKt4v470y9hpjSuGOjKU9NxBpa7elyWevEMF4530FSsSVRba1l7kU4XvFyLWQt2JArvxhdT+hqsLrndBV0SORdvcaCHAcxMwvl3YXFTWG845+AdnLfnHk5Awvax01UU1uWZ47JhfW449fnQ7c5H9RLW9ipMzX6VRIbazkM1RkVAGN+e67YdhJ3uxv3t/ILSpUbAkk59OZ2QjIW+fZuhUyPUrf/uztf+rT7V/+883PO2/+sbE3O1H/ffZ7uv3b3/4Y/rWxFYE0luDlWDnyg3vp79m1UXQy4WnyQbzzZZ1ZRmqrev+DIB8Ccj6QvxAuxrIS2QdByF+IrEz0ibv+Z/jJUlD9qRJAuB/EB/HrjIl4zIKWpT2zIBi0v3WwwssZM4UU3EgFLS/wcn3QdwcRjxk4FxS90AQKAtjF33B2myAMd0zsUSMVKZniBTNMISANoBeDqQakAYH9L6g8brJ45DBpstL1jAG2G3QzkeqWqoxll5+T3Vs3jMKroshRGv3k/GSlkh+7AT2jV5vJKBklTc8vp4Iut0bqycHpATnz3OEULbcXD3bJ9vxkHYHrfoH9stdqJfPc8RGQV7krOevf0o7/0JxPheNgoPGcMvNTLm+Bw2n4y8UQh3FzOfWXDD5esG9N3YYETUSLxbop3+1VcjppAiPF9840yxzLzbANpuWkXv7c5FS4h2Pvni8BgR5JGBIag//99cEpktjv61ys/45fGIrX1VwTV/8sIQe5VQiiRAUEyN9xEjtxwtEVCH+721CAPoKqdbFsxUetrlhANBOZu4W3vBC3Lbhs94abyeh3wkRKS13lTqmySmIr9KZl4fzG2PWA/MoV0zOqrpO1gPKHokLsAhK3uiWdGUB6NzakESfUOd8Lh31EK1iikfvWWWy4mLuiQO5cziNjdZadTIS2x3hOJGSySgU05pRbXZdg8ceuvZyfIXT6Vz7hDbBLml4z8wgdt0+fdYN8kkbr3u3RaetferRa/2Nt/jj9tl+v3WwGPHqmvARVavX1S88oa5UUOQ/7mIDCOCA5MOx/0dQaaiG2JhiQ355hFBJiQpiwh3oZKDx3Z9VvdqQjoFEMWZbUF5G0S/wvnCc+hsTrsjWGczq3sr/KygExaTkgvLzZXedpUQ4IM2my9u1h3qQtxC8p99xFl749PyFvZMZy1FFv4xxxT9avLRYTi7ttxGDkhCg1Swek5AUg9NtDpwW6gc8/sxz9HiRouMN3o8DTzgn6Nv7uvqKeUchqu7InOHdp7nnJILQOxmo6Hd9hxsDhVbcFMyw1Az8+hvNgbOSDI643FXlnRVo5VzCjeKqbDQ9CPYYQJ+RreeKgkEIE2bpuqRBmEoogQLbttFL1vkuiKrE4AoiWE2OnS3z9qHZtUe+U1wNyy8Zg5nGmB9auVxVU0wipSBulgvXCuL7OkdeHa9v4B3+CrYLsho1BimaES+xcarAAOkNbrB6cvXGoCW23LmL6jNzWFPOi7vBaO7nhQ8b5hFARGocB1nGdOtCF9pGySBu6Vv7vwTeswo2KwTCKpwl54wJLfq9YhQOT44vXUJoWWtbp4OEqlUyZ1pGLIgwTiigrBnccUQ9Gjw/tssAe4WpncWbApxmR/kwnLvViJtFoq7MMwLkdhdKjwW7RAHUYAtu33A83/g8pmkntRhKMzeOTuc/x8J4sQs4xY4KqouE7quWJ8263DbhW7oS//cAUCmuZ35FC4QK4DJtKxf9gAZJF2TwuIAkoSZ5TKR5tnnVw+N3nVnRW/OdMtugs6M+ssMVL+JPrbZ1FWSa8LAeIY8PA5+Uk3CoEj9w9qyNGhgMV82BIO6nvmKhiECLnhIUf2XUaOHEXFwNy7C4tajF09Oa3Afnl3YC8ZlP7hLUj2xg9w66uOMzizfmeS2Y/l8x+PEi9G/pcMvu5ZPZzyezvr2R2u2J2U6jXFy5PaLj5/PnlW25+pj+v6eZGe7bdyOekwXeQ+N0bb90l/9mtN7+iP7P51ljDd2O/+VV9QQOOi1QWcUjFpxlwdWEAiqM2jbfEs6uO8QZGWxj1AePt6M1vC6Py0yKs6giqutxQvyBfTiuFNweHdwPQmH+ZqvhhnRzdRULYrDqIEx4Eb7yLTo7Ds8ObjWDsGcvLSZXHJa5rcTepY3rCtUO4CqCY1MjyuqIQZlrGzdGbEQ5CxvnekKDIWMYyp+VjxiXClbOJIawozbwnRPQSwunOf25sxHOzBvfDt1bA/7lZw3OzhudmDU8M/Oc0ayiVzKr0CasndrJr3Qx3SK4WiHpzOGzAp5niNF9uCLS33d1kzjJvqhZLa2oxc10p2vXuwAVPDSUQ+wDq4ETJohn9plx/rKgRcQitrkeal0wnfVVpfPC7uqrVvSsv3aFETabhPyX8ByQt/CHznEEhG/Qf2L/q8IKelL6G9VzXVYzyqZ4SqX+HgRcjuPN5QYVpeaR6z+/TtGz1mxIxxLpOR60rwbs+zqf9/QMZj/E4PqaDCcXTGRIUBHM0Cs6HNMRUFiUVXmuyaiA4TRvE2MpJjFMgdSgsaVVJSA6lSlExhcicCc8Ncy5dqOntlUSo9QDBuwIe9IpmAKNez2NKkX2FRgtNdZcszTT4eqI+pi2vrtWSr0G2QUydg5h6gHQvILzS04+vENBPprIlARcvs/mntAqeTYIWju42Cf7E9sD3wiGe2Bj4E1sC37wZEKe5+FJcjnufRV/dy7RrmX83zwYZrw3Nsb4UxtH6WT18J6ausAXno90WB4fyrw3CbRYSWMQ4NP8jHhVqBIShHSA4pgtprcfCNioqXG0/ooDznb3+n2zH3Z48us3/uOJ5drlcalw9cMmNvbtmTz1AUW/TxGU2OrIIfCZQRfgmqqQbMjxTWRTckPNfDjAUQWA8OYOEZz9ET/7+ZHvyku29yrLd0Xj4am9vPNpkbDgcjl/tvdrd3dt9+XI0TLMfHmB5If9/xtJrXS2LNx264TvI8isEvfOGqVBMrpvkujfe2nyV0Vd7r7bY1vbw1av0ZbZHs510/Cp9td20taPJl7Sio2YICWRDN7lAgPxtyUQom6PkVNECjOCcimll126kIykNV7EbiuWcjnO2wSYTnvI6eJzUoftN+wDRealT2bbtn/DyMIOtEVMyk7fxgqGsXNhRF0lXaabWIW5lQKa5HNO8gxf8um8hbBF7J6Omv/eEZXyQz9sLXxNzOU+Z0Eu76niNw7vK1Zja3cacP+zN3muEEh36eDmcQmCSGzE22ZQsyPnZ0X8TP91rrg2We6mZkdSaj3NWJ8TrMvsIyfBuSL2x1uUzByVNZywMvJkMl6jp9YqIaIqacmRTsVpeke4zamZR4Ry/b7xDUHHB60qrDSD9jUOW51RtTOXGKBltJq/aLWqgQla6LBT+IgsLMvoswmTk/bvX4brLazDQsoLrWiXhdSXRu4sEhqoo0vIyS0yLyhur2Cyw6kcVEPQU0+jq0pUjm5tbD3X5fcL6a84h2tUF4LrShSd5fTMmMSwEPy/ZwJe3NzPafKSggtZFnonLPvY5XftElcWAZOX1dEDGit0OiLBfTFkxIKKCr/9FVffMq7JYdBuXq4n5DW3OEreU2Uxexcp/U+8/Jr9A355P0fx/ReOInEllLOmT448srfDPF2fHa6Hc6jelVh+evW9MQwxVU2aCUw/qR3fU7N3thbXEhlN1KeFJ0NIMp2m4vbHvgG/pRqiBp3jOoKVA1wCHAmtyYsihVKVUzczPB5a5fO0xLDXrqpGPXOkZjcO1H1iZHXvJ5lNYWss+euSydpOt5NXucJiMXm6PdhZdHy/KZXbbrSuYgRFTQKEyLEF2duyqux8IDwVZX4cuJPAYieAi9hcXEeLzjydcTJkqFReGjLmgijNsAULoxDAFPa0sutAWDd3aU5mx9bhHBnHFObzZqrFot0zTSimrnaMSivn+6QxuNKDImVE0mL0APdb+erAi2u3tbTLhirE5NuEb53K6YWaKUbOuGHY42NgcjrY3hqMNo2h6zcV0vaC51TvWETnrdkIupsnMFHlXIA3T3b3hVrrNXm1ujuwfWUp3Xu1uUZpt7WbZZFHq8JXOL+EYLDvQ0iLyczjY+dnByelFcvzfx4uub7k34GFRfdfgj1zcSuDPHz4eHHtpC3+3L1tW7l99tPbUh3N7BSD66v6LxoU8f36K/mtCe5zDVWHdgdslaTcbzUH9Uz8c4dlGRIpRq51QhR9ulK789CV04p4YJog2dK59uzmcinCjWT4hVITdtasqObIZ+yDa3b4sHVxPILh1Sshi+sx0WfHtq6E9tEcSVVMoCKIHdtHQ6RnxaBdEx1rmlWG+mVLNCmeMsKC4RazsDbZYxXtcxEyppNWaII+AQzf8aM86PMl9XEdjb8zFhg7sfZ2s5+HPSgcFfZ2Mhon9v9FuB5GXkDP2OIuo5WpgYmqCbPLEYseGm+t5fzeFWgr5cElfjMWVPbQosJ/GVXrNDKGC5nPNNZGCzORtGLKw+lrYJHJrDebADaDzNVXxGSJvQIyEF1zP26jXBHf+JtQgdKVLnnJZ6brTdkdOPEKPzdil5lNBwfHMPnL9YGmssZQ5o6IP9z/iT3H7Fj6Bjo1uhricXRvoVaMq9kC78jshx+afSzuFDznCU6YMemx9H9KeAN6ItnwzulTNSyOnipYznmJ3KF0f53jUG5rzLM69gyZ1lTZ+PquV3DBSibrEh2t54V+tX/HZpvX4YdhbqkklwAvOenqYHb979/bd5fvTi3fvzy+Ojy7fvX178albVkHm1bIy1s5x+IZwhutnqEStntROaq0MkLyQ6/aes7R6bqRi2tXzqje6Z/Os+srjWOy/2x1H3aF+/a73PMuxegpUarHKMRVZs0uba9+PbhpIImtUkxnPocSwxvB04Ewsn+NtCjrYkEo7BPVZpx4o+zPR3M+zIDqKTzk2R464F17NWM1uSrnQpiFiwV6ZE9e+umkxdM8mbezFAwfvsXgqCiqyywWbpH2dAISeJpAObmzLBqQE8tI1yHIysx1f4rWeMFfcSrLWepCoaZ7X0rbd4K8jhj9dL2roQ2QdinSrlt6zSKkJCNZbYi3yuwPf2lo+at/NHElkKijeXC/TOp8JowLhug+LGOo4XLUWZBNyCzktjYr9cNMAmeUeEIywgcPz/v3J0cCaRYUU3rohP78/OdKDWD7SqM56YY+fXWo+DyXPsVR1KDIFt87dVR9KoY2qUoOdqtFoyOduuBhzkKRjSVgKUirLBFO40yy44dNYyJ6dHBHFKs0apd3rWuy+itsEuv/g8qCPhbUhB4RaUaXbMZXEpwdb7Eltephtuplu7+xkryavXm293Fn4Trw+Q98sL1k8mOmgZSPFtN6wke45zy3scPMJ7e27Qb52IFRRmrZLXRIBS/kza4hEBdV6q6dG3bvGVt12Qi1El9eT+fOOXVCwVHPsRLD/Ay7ccys6cl3/FyAiexSTIttZEiN7c7SDU3Qn1TM6WtKs578cjO6ZdnNnd3kTb+7s3jP1zmhzeVPvjDZ7pv5Ooh1XvUDBONWGhgBdm0nqInYwhMVZGIpoXvC87x6xzTFKquyxffYbfabfaBFPcI3qZ8/Sl/QsOcT/eR1M/Qt49jN9+36mO3bu+3E39S/w2eu0LK9TP76fnU8PoevZB/Vd+KDcfj67op5dUV/dFeVp8dv3SC3H6fQYFD27pRbH1hf1Tj0SrC/nv3o8YF/Qw/V44L6gD2xx4L5pL9kXcoQtjq2SJd9BuHi9mH+TwPF6wd9vCHm9xu89mLxe6XNY+XNY+SJ08t0HmIeV/juGmnfxMF3IK/CoJMaT2ph164Uo7OhOi+mGGTVmdnxrvD5WJSvb0N/XDnaB9MsQz94tF7O5vflY4DrQPUWCqB3aY26VlP2gjh4JKphjC8B6Z8L6jGG1jnhbnfOte5uzORztrg931je3LoZ7+8Od/a3tZG9n67fH+imBl2aLVeh+FJYvYGBycvQUZOCgXCIrdeD2VmfC2dcXrhvugebmz+KhCcYOwNzyXVhahO8H6L5D6yeUSaY6UCtmHh9SgSVqxoxkfAL55mY/DBkVYyaUjJW81VCp0gAL5sYB4f1E0HmSThkBFUOYHFpii8hRv+h+VKWF/HF03rR7WSpF1uS7oR9nVXbrEm1tPlbLvJXKajCX2EZbqie0lZZJP5ZMHOgkgN4OFWijZ2MmC7ZBc56yhbH0fRjE/z6W8HdtAv8b2L7PRi95NnrvJ5Dv3tr9tzdzv0X7NgD35a3XMPXXtk1DFaVvyPIMGuVXtCtbMHwLVmMA6Zu2CT8hTPzPZzB6/Hw9c9BD8Ocx9hYnjCewBOu6eFOujcOKK+bxLv7u7moeP2E1Dqy+Acqgr+TlB/Al16XQi9fugkpfUE9uWerwW6dMYdU6cqu4MczVChlTzXa3CROpzKAMcticn6QKC1TdBdbVgM+Z+bvVQY8/QijeOzb9W8XU3H03aIafQj0QXSKNyzqSDDoDY3TZVV5e2u+ukhB/LX0zu3FlvN5SjzlmxqveN0zRMc+5mQMsdWxMHalpT/67458vfzw5PXj3D1w5y7wa3VFqf/vbj9XB4fDg73/78eLg4OAAPuP//rqosgNbjNLnoUj9T+t6hgGqWJnUbi/Uu4b5XF+TelvPAiKoJpZHQlpL35uwL26PPAEkQBYaOqiGId3zgUhgSvLCIvn8twEg+/i/zw5Ojy7Pf1tDeoijlgIM3NSWlxTMV+bGKdnvFRMptpZzEwIB29HfvH99cQJzwdh+uDwn4xrKG6qg8i3JIecEhxUVtP+GtdYUbcc8+vXtuyMk6OOfL/9mPzVAj6gvIq6QAJCxlBc0J4q53Ak0CF+wZEquVkYrVz0xVqv/XDnc/6AM/aBYdmlM+WHMxYdiTssyYR/Zyv8s7JwEgltSM55zQ0VGVdbcbxSojov4iGndXiGSxKKrmPGbZSzgYDxW7AZ7s4BV5F1wdr6OGPnlv16/WRTgazZfAry/8Bu2jkWUbly4o5zYkboy7/ztTxe/Hrw7/lBbbJ6Fn158OETd5e/o8/lwUliF5iceKlBaAsW2ofrDLRcWUEt3C5t0nVK5T7J8iCC3Y8cB4narBnY4OKHAu/s27sNnIyQc8x7EfDhi42paV0l9uKRpBOdToug0su1hDi/ju31IF4K4VpaAqzV1pfqrewufhWQ9zYwV4QWjwoAHjaZWQFPDSMlvJAZeK1mJjFBScpbapXj4oAqq+wCx/PCAxk6tdTqXc9JpqyRDIoyYkzKn9klsnnR8eO5CaMlFDIIbGt1f0D0MeUExwOZLtXSSE0gygClQV3CykatIqantS1w8F+TKYTG5Cis5sAwyVcyEgHmLobiDq/f/ee8j1PieSW0GoUnXwEff1xRhXLTwgKQ5Z8IMiH8U+qdjA93E9zPLLnmZkJMJdqAqS+byKE7OPN82soael1cDLECHlYKFQxpgjLq+qSdnxCh+w2mezwdESFJQUM3ieuHcwGQUvJzjeZ26GU21P3q1mQyTzWS0c/WIsnFL9Ckf5DnKCKpnTCMZSGERojxhOc0K81c8+UOj1pqLVBrNS8gurfHnRg2F/rggmpvKeYaxRvhcVqvKkoKuFIOkitrecoARmk+l4mZWWHp6gblfTLGJhDcsQVmWCUIvALC2cGwH5B0sEb92fDuTrv3m9qsoCaMf8cftLrzR8ygyGPnpb0enekAyWVCOPbnsGZPqWpu6TZeGNvTQ976u7v3ohs29OOlv2mxX7fj2yVnv4preBb207o6eviGfCTfhLmgeFhuV2wwvM/znewSGfcbXuwzdkaMcPnD0uKwZTOYR87p5Y2iQSKfWDrIAuAxGn1ZEaM6UiShLSKy4DQurDSRf4dxOEaU4udHwOsar+2gZRYA7Ytv3rNYDlRVcwzWb1YuVzEP7JD3wj1rAgNhPjs43Ts7O6x9CH+kBuWVjP2SJKZ7YvDA8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjLw4Pnq35toihdQqZtLH1OmszKzdnPLpGr5Dd4q4WSAcz1KzKpNiHhq+IBBwcuEvyzAlSRWjJuqYE/bKU1agDGDWDfruVFQ4N1Stv64X8HC1MGwyv6y7+IO6iz3SAGp9bihcosvTc70pUfB4JASsWOFTk4fP9+tFBjkwhhWltZpOItXrNaPXC5ulS7+2vwDTu3NjDxvvNtzjoX+RP+YyvSaK/V4xbUDFK6txzlNydHqOWXq/XFycnZMNcvH6HJJHZSpzvbCsWFaq5wGu8eQIGRXXPoPxlpuZq+ILLXyQdyKjjJTJ2vHiGWQv4TyKYEbDhcMdl9srJ7aP8jva5tzNGwJqMG/O2jI0Y/e0LnGNbXxDmwWWv9TbJNa4+4V1gg/PZ8Evdi5evz38r8uj0/NLewguL16fL7q2ZXeiWX3X6D5jpLWi7q/5Ee912N1eeRB+tWi0w1sVHaWq84xif+bVVU0ymVZ17nRzNrCz7MlcXa3pSUhTU9HAWgVpdGlFSc7FNawHgzl8uz+4h0IUjL2xUYs51xQG1J2ui9FHgzCR3PJrXrKMU2jUZD9tfNL2Wl2LLSuM4bRFuZqZASllztP5AHUT1AnwhttLXWs/wcl+lPTHpNuC1W3NY8+a83penjmWf/kT6lmL4qmqvhHeDw4ZqUJsRMARiARdywS0hiJhwJleSBw0GWZXLIyGQ/z/i+JuucFwF1FD3Q2i2A3XbdVhzOyqgXbA3eHqSXWXljywphBdARiOjaTz+pt7zKQD95zdZN/Knmp3RQMeKPubIDSYD6kUwm3PJKjqaPQQxaZUgT9VMzBQ9CB6Hvd/zPHGFfnpJJe3cNGmstpm+kkqcnF45kYdIL0FMBG2lPGbOi6HC244zcn5P06h4xQzL/Sa+9ENagesYcHbGqTFoHS1Z3IMMp938PFDzQU8XiD8jrrBwbXoLCFCU1NhDQjXRtMwVZCVMN6K5R8g1aJhPRSiBbhOgL7cz85OdMyb+c6qtbBwI7petdSVpdCtKeJ1OB/IeWMCtKBhFW7EqFINmKH/qgQSBdxYobvQvd03WI1aIU1nyAmwYLuNGOPYNqoPcfgNv4TmpRj6vWiWEc0KKgxP8f7oI8hYKgj7iAGQgwZT59g/f1Ll9rEbbpfL/2D1lbJdKFPQcqN2pnmHpwpzTKzp7McUyEK9IEGPp7ur1IbnOWHof8MqNth401rVkfcVEDbhUatJWpZKlopTw/L5Y8xrdAcvS3ECqkfR5zYm+J9hDYHBFGM+rWSl8zlSM7wTuDxctOqQwZ5zDb2MT84GhHqHG/iIK8E/Ei0tnSSE/KPGLM1v6Vyjx70psumth8nT/VXivrhClDV1NGG1qPpuOat8JSzwZSe8vLKgXCUI1tWAZKxk4LYn0ukMRIrIlWjFaSvGh+pEVFZJWGBf7grzcYV5cBxCc+ikXLdRoZWRQhay0r53P+C9/joA6NuH40AvDs5P1zqlcCBEmaaz2teEqMQYUdYjoXdGu6/aa44dMd92yYXFA4veRmvqD7j7Wcppzsjr14cNfPTE6ywSIxq/1qzCCJE5UL4FuvRE/N6RBLLo7lbtNbtYI2E/ANknXfsjNDh+0y09ZTJJuZkvqxDgITfz/t15I4VRrNXoF8CRwnDBxNKKE542ihK6yTrwnUplZuQAYkxoD5CVMGp+ybXsKSv0NKjDKcjJ+VvIQfj/2Hvz5jZyZEH8/9+nQLAjfrZmqRJJ3d7onZApeVo7vp4lT7990xMUWAWSGBWB6gJKsnp3v/sGMgEU6qBEyqIlu6XomDHJKgB5IJGJvBorHB4tXNa6qGmX1ErQIRU0aWLKNZq/YzlTJkdgnLfN+1aKKddFgud1SjV8aIYi/2/SSaXovCKb+9vRXn/nYLvXJZ2U6s4rsrMb7fZ2D/sH5P++aCxyjZc4Lz4rlm+687h2wUl9H/4uoXjlgFqYnJBpTkWR0jwsP6pn7IbEUH3NqJ2VYmj23NTVSyOeo0YVM4GuBUgiSCUGUI1ZXhaucqpteULh8lKSzW4UN//Ai8Uuid22DsPT3ktt8GQeRA0cFFZz8M3hgJwy6aBt3m6MpdJSbCZxgzY5m3Ip1rnTPsEMt220zf8YLlrXmraaXVPrTvuPgo1ZFVF1R2ZjDe1OzDJuwbd+xrPi5enHqx2jb51+vNrbqJ4ZcxqvAeB3R8P2tdTLquvoK7y2L86N7WitKUgvCbX/MTVM+/7o3BvVttQat+pWuRElyXJ+RTUjx+/+ayNQZKsbAEy0VNKEjGlKRQxbMPD6yZzksjA7s6apGjgzuVQax0rpEiECIGnu6aIAzdIVVLVGl2im76eY1fJ6GmT4ypwii/ZFLI7BmSxnyahNJXzALuQQODmdMaWDSR2OcO4uAJJlLPFLLsZOk/Qkf1OmZHSDoGMYzpqRE5mTzkTKyD4XxXLeIVyRTvhFvYA3OkdtKFXCsKwiFFljMVfGULJtM8F0TfmlTVpCx58qJhP+xY8Iz7ycaZ292trCR/AJYyBtROQcg5m0RKv/C5/7W+bxDVF8nqU3RNPLkq5o6qZUaaKvJUnpmKUKrWohNQSpYBlRA/3522Pl45Q7sYyKy07zIAywUeEKLbMRcMA3YAo2mTAoH21mtRqJJeNLdv72eKOLro5LIa+Fu+OqLItY3HfdNSLgKKMl5wfhPFGTf+rz+mGD5B+DImCg75txgGkW8UxJieW4B76v8E2hWB6tl2VCg6rM8fEhSYFvhsjJIqlBBXl7fPTRHAdHCPGxHyrklRdN6Nic8nRNwBntncAETjtpxnVFkyJNHzjT+dHuVQzALxQxIMF0YB/c4jBPxyzX5IQLpZllsQpu4Jr00RgQPWVr50AEcm1ewsW1wK0n0DoK4UJxy0WotTAqrnON1m5ICZysuYh1lo+wmAK5A2G1WgZtt8OQAox9RgElCBVS3Mz5H0HUGaLQf/yMfUT4hFwAFNBuO7cfDHQXvkt4LMUEaVUPYxDQAKf0wxBXn6KNqe7MZH8YVrLUgimbi3g48/bRJNrZzCjcwpbjTeWUiybQgUijINKaqMhlurZET9+hChgSZnIXQpCJb9fb7pV/8c/OJR9TQUc0mXPR6ZJOzozVwsV0ZAa8M/0s9G278kuBc9t9dXu7fPd2w1Wqw98w3BMMsjKCK6Ga2hVeU0VimaYshmoD9ttKU33fUH/CRYKbym/xVE6V3du+Ur+bG/KNMFpgBU8ey2ZsznKarrHZw4mbo7ExufLLf8knkFuJbaM2Gr2OEtgmYHij01W5hgQ5g+oNCrs9XNgBQYQlkimjdzZVyQO6M9nt9SYVZKxFJrX0uvARHEJgjAOuGEOxSm7iCsqf5FwFgltOMItIyITZC88KyKWP0ZcgAIYBBTxhzSZSPhm50agiXIxNeZ7TS6YI1ySTSvEx1iHw/FmaFIZPDUPOmc55jDwLmbM1rq3m4pgNY6woHhcpzWG9fkg259o1ZqnHwL2X2jq+OSYNCWb7pDFWvqBwX1aWAZHtsoL2MuI0cLFj7DqqIlSTC/OePRfNMQkfDfZBUaQtbXWS7X22y8YT1qNsL9453B8kY3Y46fX3d2h/b3t/PD4Y7OxP9ir8uKbb14pG6ZgNIxMC6QTYqgUaipYXoZmD3Zkg3yHjyvILTVN5jeRPuNI5Hxdh7LsdwyYx5AWkdbgGI5jWU9Vx8PbFxYsoTSHzGq71yh0ivJsgWP4pfhtTBRCcGOuUxzbVqbKLnLoDBa6s0oP3aYXS3rlOAuP+NaNatQ2CJrI9lqBLS+bLQ/hHDSEvSsUM0/MmZmMAusMeNy0XKiEcm3a7VZlIJmytLiDHTdSzBExZkzMBJ+hribLIs5IZwb3spKJT+81vsE2DkNiwdArkS0MYAuaTdQMiONC9WCw9OGPXmccPao8TvzKXO+hGW46XaiI5WEKTo2oLMM8izYP4yCqjWh6MzBLM9C4Hr7KTJVPixYtSv4QCbtYfHLNMI3B+NlwxoNipkXaRNuMqLDVX6rESdjQX04KrmadauSlhS5vzghRZ5ai355xUZqkkNBdsAQ2LF8GUu573IqEcviaFqlxTChjHPRtkE6WCx7EFak4FBtUp1qImuPk2e/avX5XQKsjVfVBfNCaA4/g1WKt2zJqKKYDK62K2Vz4n4MVagUI05lv02Yqe4E/oQDF3kASTnDgCnU5wEJn7MWjOaqur79AFovfaaU4XFal6cYfUrZCjNSL4YSjyj2pJTEcQH1ZYsS2aVCllsJYklfLSmGDU5hIyjS0Xa7ZFUIXTS/cmNrajQbQT2lkQfVgxs8pvbrGy8Km7Y1FdeCN2TgNP2FZVJayOFASd3hFuGvoKbczpkwyKtOGdz0GRz0GRz0GRTyQoEvekKx1WCpJHjIzEJT1HRj5HRj7Mkp4jI5fH2XNk5HNk5PcUGYlnxdOIjIS1rDky0gJ8R0QgTW0YXbkVpQ8WbI0KDDLsiM4pWFBi+uSjJBeiI/pKfDzBKMnlNbVvGCrZwvOPHioZ6o/PoZLPoZLPoZLPoZLPoZLPoZLPoZLPoZLPoZLPoZLPoZI/aqgk9l+DZ60L77z8ZrELr2NbkZjNllKl+OTGxV5RKOIMpU5pHEus7gM1xHAuoukXKeT85je7wt+8kmMAfnd6/umEHJ2f///Dv0ODr0lO5wzKRv8mKvGTUORE5oDAykrKge06wCKkvtItz31NVTR5T4/PuuT939782oXqoxsuLIOSWM7nRtbaJUfl0OD9BoAiTWPN4+gvsCJfZTysG2tsLqvd+gphlsA4Rjkurui3Dp9nNNa/dTaiylQsnsF+jv4SoqExKbjMykEvuQBrDpRVGs+gQpcv0QlXgxq9yThPFwgWx3KepVxh2NRU0hRXV477Wyco8SqM8JMT5z42S8dmbMv4VD2Vv8ExZfnQT1m2Vixy7JXoSpvifbTjq4omj0SH3z1RfLwn7EWPzYi88VPZsXjlzpw4s8U3xINgMihqJqa+QC5hxsbBzimacDE1ZrwRFnivwnQuVYbGQxoslk6nCJ6riVQTJuGOqxqgyNdrU3I6hrE5XjMgNis86ZD3v2zJ90IxQhvy4TcP6G92lG7FZCQv2ZfIVx2kWtP4MppznTOoOoivqK3zo15vp7dFNjp19OAvbYhZo1bVqfCri85ZFkkhThry9OuR1MQRCqs2HK279ibwkJ8Eyk8/IUyFwzextuwoVbz6E+Cb7Esv2r52a7qBVkOne0ttnfd3Dg9bWA++X4ChH8RA71QislemSEiGkLvXRZETpxIce5UgzL5pkumRZMTSiAwR2OTyh0LkfWVFfZxQubdlBZ1mb2vqrtJgkEKV8bAMZkUHn8i4UO42oqzZ6wpkEq4VSyegJXFoyAVFPNMbQq8kh34FmwnL9MwXNC1VKFzCl2i3d2hHjVmuUXXCBsIrtDiMeTZbW+eKM2wGx0UCap2tTotTInMlRe6/tgG/AUobIu3t2ehkePzLyejT2dHo19PzX0ZHJ2ej/uBgNHw9HJ39cjTY3bvdvAsgx+IgAe7WhIWPJ+82XStDpalINmkqBatQTUIov+8MYNcG9/ee+8E0wRjOeYF1UDfZlzgtFL8CCXjRBGkUzygXF0RxEdtr+LDTFUHnBWac+RKbKVdNy/rd6WkULd14ZdFK1n1nEOI6mLwRi1/BfmlszCD2czEt7kWDMrzaUYFq65SppqpNeK50hS1c3s3Mh6+1dMCoUGbzfoSaUTWL5snumugzrAiosk1/WbL63fEuSTgYbnJCjk8+eTJW48kh/W+JnfMGczgUV5qJ2Lq4bOOisjV/N7BcvaesJApeV5YNOYssYznkvAC+6luk92Z/b7j/ZjDc3X395nj/+ODk4PXBm53Xb16/6Q0PT4b3oYma0f6jEeXsl6P+d0+Vw5Ptw+3jw+3+9sHBwcHx4OBgsLc3HBwf9ncH/Z3j/nF/ODx5PTi6J3XKE+dR6DPY3WunkMdhkMHw9RQqR0VKPcy+2TvYf7O3t3fU2905edPfP+odnAzeDPp7g5Oj1zvD18Pe8WBv96R/vH+wv/v6ZH/n9Zvt4X5/MDw6HBwfvVm6lYeFkStVrE3lOS4zwlwPUzkhqhj/m8Xe4Y8rcJ9Ak2s9j2wp7gaV6ggcvv/ZpgORT1JqMjzqkg+ffz4Vk5wqnRcxXH2eMzrvkuPhz97Ndzz82cVWLI++f9PtdZ3i1k8FacxlKgDOa3NcjUo9k9cYD5qx3LCaYbGzs7dbpZpNyIyKRM3oZdNNm+yw3XH/INkb7+7G+/3B/uDgcHsw6MeHe2M62FmVm4TUIzrRSzFUUhK3yjRUs61zPmehqgx9n23194pOoIiQEGbF7FZNzEYOdyZPmo6RQW/Q3+yZ/857vVfwX9Tr9f5r6cbFAbxjSDP9hgBbzWhpYPuH+72HABZL5T1wPEOtuZ+SJKZpaoSlIGfvT61M1SxNK80FMNnHNWI0Jmizj4rFHleEYkcw62KyNhXRMiK/GjQHYts8XOl0U2uiPWUG8xm3OUlhtKDNSmrg//r6OrIJglEsV8U5ysrHlM8NiVxKYo+WOyXy/MZ1ev3w+efjSgOiB5LEqsjQnTJCk3rtHlk7TbvuULHl8ZsZS1O50G5ZYM0PdvdGfxu+M9b89sFOy9Mnw+Mlnn8RRdGq2/3Lbu8woimE+Wp+xWDjrwurbznqbI73gnkxwYC8PDt6vxGhh05D4/4rmt8YrLcpC9hhkWvsux0yL7hJxoW2TlsM0YbwjGpf4+P3ZySEmGCf2mueJjHNE7WBzYorIWCs6TZ78Zdg89+LBKgfRbjcdUpfRwPrzQZx8HL4HvrdmEVAw/wAkx7HDaCd/mVUcvILn87IkVJFTo3Bb+vzD1c1Maq4gASkteMB05xeDjcgIUTVwfy8dPOxFhiSUPauk6wtQv7l8X2oOvz581mXfPDa9amIQZzDAVeG3nZDDbyFA/x+eghOgMSkMjVqXazgpnGy6O1GHTnvDLMYKfIPzq6/AqAwUXfNQIVTKfLyw1ds9FMRPxDMNB0Vgq9L4WkDnabEzGgw8PkeKKhx/1egAYp7jGQ+gviO9Tm6/FmLxURy4ubzJ+15l5xBtMjHBp8PaconMhec3gfSh7APwVKiOiiot4RBuMA2GvQGvc3e/mZ/j/S2X/V3X20f/jcwkO4L3Fcbg3dCV7f+FkLWP9zsHQBk/Vc7vVeD3ftDhqkNo0t2M/Kd+9dmAtrx2zpg+jyMS9bciJ/O7nWQBLDFRX61rk13jk69K1Ztep2m5oHY/lRCRzyem34v/5MvzNLAheBKZ7uDpRtXLkAI+5JJUWb33adWxokdwpMzYTm/ahDTO5SWAG5vd3d73yFfJOxLPSjifsAq/scyxF8EKNQE5X/4cKyAliqjMbivxrwlsG7Q2zm4z9IVyzlNR0tXM/mKqHCcytUpgeOqtHdbT8n61XnpxXBp5uV9S5rNqCigwkK3WgGmvDq/5nomwWhLjbJiLC9/j+6Hjmc0pzGkjdaRvLv75vXrw+H+8cnrN73Dg97hcX8wHB7dS2L4jtRrF4an1cSOENVlW+xAUvwKHUzlfM4MflSYVoZH+0QWEGNB/ibJWyqmZJjfZFqSlI9zmt9E5IwxH0Qy5XpWjI1SszWVKRXTrancGqdyvDWV/ai/s6XyeCuGAbYMYuB/oqn86e329v7m2+3d7WZ3YvDRbN5TVNvLgccxhZW3hd0y6sCpGc1ZEk1TOaap1wnLLjL3hPUxTN2HsXQdDE/B1K2LKnfRhKUsFti6Z+c/l/pul7z9+YwK8sZYsVzFMrCFu8YCisDyXQsXPBkzt4KAr4Hose3cRZu4QtCHAvAJGLU1eO8F0p/AQLXxAevVqoLKjWZSq+Y0WHF7aQDWaLcsiFosLRmfcQrFcdEp0kX3Jc2ggF9berBicTbY3cuXtlCY0nScgmBfAtKxlCmjog2g1/gTmaS0AhafuOhUIthUao7eqWsK2fUxU2pSpEbx9CoVdGbn5ikbBCsIE6APmc+FECxdersJ9kWPXDzsNyWlD8IdM/gK1s2SiHxkSFgMbiFBrQUoP3j0/shW8zB6g9MZr6+vI04FhaBjqoyWOmdCqy2dqk2AxHC+gWETx134Q/RlpufpTzTNxKZb4yZP1EYtIArrqQRGQyqvITlLNbnOrHKrHy3NdDlTxXytDMdVLXIaGM7OCxmJHlpoMI8KTp1Ll2Yz24HvSYb52rWtGubbBOmxwnwXrWRNKF5nmG9Ii3vR4EmH+drl/jBhvo5a33OYb0iTHyPM9zGp8tBhvjXq/CBhvktSqBz1OwzztTCuNcz3bKWA3kYgb3lUBP2Bv3lAr53833R7bZFj7RG9OPGDRfRuH+7s7PTpeG93f3eHDQa9/XGf9cc7u/vj7b2dfrIiPh7KY6s0nWeNAFcbzfkUInoDeB/EibsKwN88otcCu97o0rOl40hrArlFADRijNYmAJ7DHh8v7DEkwZ897LEVF99Z2GMLDE/BF/SdhT22YPHJ+IPuFfbYAtBju4PWHvZ4B8xPwEP0TcIeW9Dwg3qVQkh/uLDHOnA/TthjCNmPFva4ALY/b9jjAoT8mGGPC4D9HsIew6U/hz1+w7DHCuKfwx6/XdhjBfE/eNhjO6zfV9hjGwxPwdT9fsIe2zD4ZMzce4U9tkH02Hbug4Y93gXgEzBqVw17bAPpT2Cgfpdhj629tR+uFDiqZpXeRM6tnNFcuV7i5nuZ8yk3zIfBaC0Om2iw9CW4o8WaowHfG+yn/A+WYMQcuKp9MCAcIiGYd4HoioguBNBXG81p7DQ0V3E0+Gpx1VFzyuV8XEB0Jb4BwU3KKM+ZVIqPU4ZxmDS9+YM59ynF+KNcFlOjS9tVUjLncS5d13SaxzOuWWxVy9Qoi1IwcsXZdWCl+Vr31hAIFk6C1gEkZ78XTGlFNksm4YJD449rNna/u1inSS6F3jTaa7XP/aYB5/eC5ZwpMqeJhwOrDGcpI2MaX4ZvrlDtVGVUrK889IuFHUXMvK53AnyOJVYuN4LboDTs7H+Ej+fMOgshtkJmLLfhua4FAwTjUgih7PpOEdQjWks/IhUY2mER1sX25gnVdGy2gEH3TUtT+8nkkB4cHvTH+3Gc7C4tZRGeR8ByE5HwDfKEKhnI9uPATmclEm304JgZw59oOWUGaWDg+iHLDkm2PYlF9oyKJMUd4qeBppCbNs6VBezawPTOeHI4mGzv7u+Pt3cSuke3Y3Y4OEx6rMd29rf36uh1K34kJLvpV+Do8C3bBs+1W/Rtf6ENxJxRVeT2HgDY3DOtYfGSpausbp9jeRO5vd6kt7dPaW9MD3uD8X4gmIs8DYXy509v7xDInz+9dQWebUcKYoswodluRCWzmgzNQfZ9/vRWoQPZPukODYODcc6gFR5J5LUwDCOJimdszrq+52RG9cy+L4mLe15G1q23z9gxdgFzzYPytBRBnWr5r7Af4akgSs4ZhKobAhp8zukN1iC3CQWnHw20WwaFBq/YxCy96fqbIVpvhCigceKprWpmxsbOiUGP32u4aJpK1/P0wpYuQ8w1maalgplPy3CR++tC7fnMVhF38QrKhg0b0eUmb9HE7G7waCnytNIKsjEEVwTCIhTThJudayPEu4aKQmojKPMbKAs/g/1Wfb82eMoodDTKWM5lQuaF0jDI2EjCOC0SlrR0t8TLQXh4zEgnE9NOeYNoXu9E5rsmhTKrhAR9cqbz5W6w70WVjzLXVpW3HE/Av4Xs9NNFwP9aZp0aci5+ukCHVbXzp1t0refZpEgfUAd+tPYMpxPsnWhEIHRj4nOzpW1HphtZQBH4csPeBBfCSsswKowLcmH42Yx3AblWoNDAhse9whXciAqMjmIJWpOgQDmdE859P2TYb7iln0BVArza2dneUszozH/9/Wf7PX7+ScusQj23IX8ACr74LOYyMed/UsoZYH1FFGOiglmPUT/Ne6ltHgQXRDCNJ7wUXEtjUaEEkGM4uRN/GIyZETWWcYDWOaMqZAUKyWkklVPb1t+8Ci0SNBPk3wU0cS5D7UB2mXO03hnXc45vE+Zf88NSMLauqfIL7VbOeSF1Uzjdi4nMaAt+rvBXRpUKuObB85js8DXDLqqtQa+rceVHqme1uQPZahHUqS1nDT3iw97kjXXs7DRdHjs725VFgVm1TiUBJrBMjL+OGeoK+IvNE2yDIdSjOzVma5xdf4WzC/KfkvAOKJwlMtIeFTqvtQhp3oUdmpeyB+M2grXDq/AMdqc1840L7Z/qBpMhsKim+BGxfbUgbJ7pcj2wdHzywr5tm8l5BzWH5AihOdWMjJm+Zqya8qmvJeqqtQP6sfvSGxH83JT+STWlR7ttXXxwBqMvFotw4HRqRy+GKly8alU9cb0Ljq7qhcNzu33y3G7/fu321+gC/myHb9FTwhVULnjc58U3PMCFcLVn73ncwVrtXj2WhfZtk62KC+3B2BX1Noa9a7Cdiu2XtpOY4Y8ZvWJw5c7AJS/z4IpS6JwzZU9V18ObzCX0zaV4U88TZyq7yygqCIUcaat0w4mtgmv6uSXc418gLW5Uj43I19inHjI51siV1VSRqGHaP3BgxKNZhwbWFwpNNTNdl/BJ2UugoR8fQTNxcsKF0swyllsnNsh/LI6D2dfKcgjf2q7rm7f1vkYNgGb7EGK/5K0spRpb+jeXuEaBHeIfJ6vMH+Qdr8ub4eToDHti5NhLsSLZJ+AaQxEkCBVS3Mz5H8FNFCLOf/ys2KRIDeNfQGd8nlwY1sAPBrALn3UWSzFBCtG0epqIxJwHQpb70lopNS6q809cRqA/JO+4K07lEhN9yZ4Gc9x3BY8ms85mxqxHvSEnqZwGTgzVkohJQWhVjT+Zri070lc4Qe+imYlQ1DQ0L7ePVSlqa33xz84lH1NBRzSZc9Hpkg42XOdiOjIDdv51R0hGqDiN6NRdlwbqEym/XUKJwjGcKiUg/gLyMOcMrxEoGefyOvCk+q11PmM39kJPzeQ1MQJaQCSBC2BI5VSZoYwC7O8kbABH4Zfq7gNW0HuYGf5bSUI7W52W/ONMCnbH7lvLgkrUNYN66YTmvLKoJ3/ZXZN1AX+MKvxRh/Wd/IOnKd3ajXrkJVLjv5Phx8+WMuTDGekPRn004N7R2HzxnxvkKMtS9isb/53rrb3ebtSP+rt+eS///sv5u7ddfOdvLL6UGy5EbKs/iHrknRzzlG31d0/6OwcW3Vt7vR1bv8sjXUUTOufpum4XP5wRHJ+8dHZfzpIZ1V2SsDGnoksmOWNjlXTJNReJvFYbzT5r8GRj3T+Ga+sDhuOIqdWpnP4LFper2+JLsuQQao16YYPPkHXeyX/TK1bH1iXLBVuXqdKAAWfzy8YQC3q9aIfsRDtRb7PfH2xC4haP66v/QcycBbR24QgBpRcR9z/rmHEa+LeirJvP7ueYCS1VlxTjQujitj1M82ve2MPrjUJtLH5Zfuz3on5dUq53qUF47x0np5HugX51lVrJaDWrf7w9er+MTmWec9oUzUtPhlXeb8hBbxD1fyeaTl8qiAanJKPxJdPupogqvOKjinAxhdgYKG6B/4TxqVIy5jaI3gwhnOsTbCIwmgzUPsCQ+gw+OxlKvLKNu33uPXqAIwN9GxQ5i2WemOG4mKYWWk2nEK8IruICAi6gqKQj3gwDCMxCf9/kYvN3wkRMM1XgKlXXmnRtKyMVr66+yXhs9FM7tL1Ug6A+6t3Xigklc/KSRdOI/Bdjl13yK8+ZmtH8cgN8s/yKpTfEa95gfOd0AgmONUxwIVi+kKo4BMGHLHAlgRV56a4L7aj2tyr8GwuAvB08hM+OuyqUt4BX6S0JwUfOH2es7SThlrPceiq8Yhgdiwsxhw5Np1OQBXbID2NX/Stgbse9UcjltsZrC/+5x+2QnrdDkx0qG/ldYQNKnaGfcBXnDC4W6jvMjgkrCMZbRJcJz9k1TVPVJTkwv+qi2UoTMqYpFTHL1QqmzdouoACg02PUFLEppUsb9dhvyuvbjdFvYvl8yGwSDUAA9wKrwCALrXhyR0Kyl/pFKlhOx9wneDnx3/hh8TlgjoHKQEs4KmjL1KThtXAFncu7hWVYyuzGqVxvoANUcpITpxAYeR4mLwAguoEXCh4snyEMVwqKuRAjpxJt+v39chLe8x6D+WLmOvt8drJh/oH1CVJ40A9avuDC6WVO3th9u1FxMJY1o38vaHqjpgXNkwj/Dcm3v1+z8Yyl2dZEjiBSLt26FPI6ZcmUmaG3KgCOLOo5U9FMz//5HzCQX1gVGeWz/9pojYJyIZjOhdT08L34Z8fBdedFUlhq3hwWkIu5PkUMai5UJvL5SxUsqFjmpWZZIU5ppIfBW1CDAyp7x1dKbTVz0P5xtnTCbLDiJ2sVNbAafNGOUth89sxS/ginKZyG4Wxtby/YHvEVi+Zc5wxrqhsZtjWhvwObpz/FV2wEHtNRsDg1inNGNUv+OYRMbj9tKFs5w7P45EsmlZEcw3+chBD+q0HfU0HmNP5wRrDcCxlE/UG01w3DlarosAGRnz4OV6jOzKAowro3iJOiwU1/0M6Aq1tI09wcbSRq2R0ny6JgbZqJgdxBbEXDy9PjDRcdYitdZGV0d/thSdBJH5HT0K9OiqrzxE5gB3U+uCZe66fHsqx/PaN6xNXIbAGebFher/O4H73B66fH/2qh0SaWEOr1eiu0CYDIubUlBh+RnGE48WIBU9GfrbTBTJk513yK5o/HhSOG5/6kRpc6YtopEk/55pgL8y1c58VT/lfzj589Hvf6/RXQaBhvtFbmt1akzImKqWhn1daiUv1e/yBahSnM+ILl0RUTiVxXSrUBKQz7qR/wsASCS2iAdc4EHafL1w+KZc6icVl55jZgJqmkulWFPTPDYMhPTsXUur56Uc9o3P1e1MPLRPin60kyY2QulSaKXbE8jKl/bVRMZUeUxvo0GptSTKk5+NpAamep5NohZc50zmNFXlKtaXxJriBcoUyzwXD2L1zfdEmW8yuesimzSWvWE65Zjtl7G13C5xmNdTlq6Nc2Y/hxzWvTHIY1Q9nIEFiTrakKWYMLlIAW9cup6sC6m4mMCwPyRkNT3Y12VyMxE1c8l9C3ZSlX1jei9Um4rLuITsUN8ckawCWWQl1yHwqBQ5bnDHrZPAESaTbPZP6UqHNuV3QXYcD3M6e6QEQblCa21RJA0a2c145W8cPtiyUxvN67cjDk37uSJZUbj9J0fvn+H8cb5WFvTGOuoTa0xxGQAfiTiksupnBF3Xkrrztd0nnHEl7MO8jNnV/4dNYBEhgzjVwNDFG9+PQjAieo+gUkFuf2c2mYqhxrO+rZ8OMbuENM2ISLasKaGaF8uEKjgIvgCa6IvBYsQe2FCjrFu6c3p5/OzqMP+RSr1JCX8IURnuTz2SaWzxcSukVNeGBqBfVhuuR6Jo0w4MolfWpJZizNQO7DjbpiMTCn0WxBThjtK5MicJZpRueK0DiXChXna5mnyQIWFVdJJLjS0VRewZ3FphVFwK5NYYDOkeVY1ZJkjdqFp3qrhgGBuwZ7ICjcIUih2BpUMk89zrKcy5xrSwiSsynNwTkciID7YbChxJtpYj/1HfeQX3Z7h+H1I5SmGdZqq992A8mVUQJSPBvQBYOGiNlX7j7S7JUvtfr3qlLjMryo5FiPIb0hqZxObf4/NP0yshQdOQmfcjgIXUW8ssydRwiLC21UPDLmgubcqDFnW+9O351UZxM2RncsE3gGzk+a3ijIIoREZ7dKCRf6lxH5Fe78RXpTeqhqFVvt0iFwEO9Rq2UO7YiCKc0SUoiE5eTCzHVhR59RNWPKMV7YiKdSfDFnZZht19/mMnJh3r+Awh6Q1F2m02YyK1JqkyHBAYgOLJg9bHJzsREaqNaxASaYD2OsNK6qRk6OpZ4RBbLbVWLzzrZwocAXEuuyxW6NFbRgRL8RmhBja8ZsDtnCRxYsnaooqPZ0sbH8hfZzI4RHaYTwZ29+8L02PHhucmD/7kvxJ1Px8V6NDf4szQz+xA0MfuymBT9co4IfqznBj9aQ4LkJQRUJP2bjge+v2cBzg4Fv1mDguanAN2wq8KM3Evhemwc8Nwz4Cmo/GZPxfk0CfsjGAD9IM4AfuwHAd1P0f9PM/IqMGTiyqYhnMsePm7GLb7Tem9f4TGUJ/wPGHrpCbPZMMq/7PBPnPwBvRZraEo5wzWyW2nozDqlNM6l0IKgRTzTlvkRjRvXMPRw82LJA83fMspzF4JrYhHKg5YvglYFPvJrlRIVLs6qsz8AXaT5nf7jU6cXLwyj32sNzPsUozFdE5wWrjo4YqQwrw17S+GHUxjcLQPf0gSAbcPxPixyIgpO1wbcE6g2FwuduBQsGvS9Nbx3ZIFdBIf+IC6WDy9I7cQTXD/guce8SnrhtEaeySModMDQfXdRATuZM04Rq2r4p3tlfMfQjrrwK4YWlPUKTZAQPjNyQ5smYKYWhZeEeqUAOL0V8TqdBHfyypMScb9JxnPQH263yo2SQUzMCOT32wYu4XIcRyx4/kSNDKXhIpknIqG5BZv0RrsrBegepWx++ldzBHG6BZWDj7dN4gPzzK8+0BPfW5lqWjYPZ5jSeccFgjy81mX0hCl5Ydq4wFmu0hEC7/a1lZ81yCVJsScLZx1enW86mpdZ3+xyVR1vHd2IhkfEl8KqVC8fuc8v2wt9A7zDnY5pijwYQCvib2eFqJnM9Qslc6hPuOMb5Nr1MWHBs+mWRFg909ZWKEMHTAWoK+R/bkBUgrP2VVqQtmMpInNVnA0kXbKgVZ629udyk95/OlgElP5HzD8cfXpFf5LVRL+Y0M0JWsb821lI56Mnthz1ZLM+Jl+m4hMhxrjl/S779BT+1DHIqJjLkVnssmNeJkzUBg5rvW9nTnhsnw7Mw75i7TNuIxSq6maeRfQ4T52iOd6pCis3yzVoRL+kbECzm9MWkqVTackOMpUwZFUuid1JiBNJzSrI355UqGhc8bU7ZpKg/vTv9g+N+77Cz3HI+nBGYIYxRaV9ILBPWug9uW4vSOdPxbPnFuFmwVJ+48Rx4WYxZLpiGUADLh38Pv2sZt/zd61xVBaoclIRceLtULV+6U7JWFn07z9UxnsmkXeystJkDDGQSr5WaxDVTFS0y/L4zfZQJ+Xx63JwITOaMxg8HVDliczKZNET+V07mauQ0J7Pi8i9fLZiDn0dzmmVcTO2znb8suYuCFduDZE6z5pKhnh9eOD25dQdra198zrKUx1Qx/bAkLsddQOiEZam8mdfMzK+fuBx3wcRwATUp0gcHORh4wdR36EH3ndgPe+e07Urf18+L49oDxsry8nT56L9oGdf+WJ4r3qhtOwfKsclKhwD7sqzaaWeIygDjW1RPC/G/ZSovOd2khZYJV5AeUoL/P/FXcmx/uSHhcySwvO+8xGgZKjyF7Tr8kIuu9+xzEd7yVLNBVrjVctef1sUrJ34BQWmk9jn5bZevC6Y7ofHMVnrEJlU+JdcGr9hK7IxDxyBfXSUpsBKAprkuMucHwoGwHcIcs4H9vZy2fVDpnGkDWG4zhIBuTINKjgW74QvzsWtTTmFpkFdAU6hFr9Czf/oRn7DsRXjShRhwSBmqLAkSDLQCzLSj0IY7Z7lMilivjshzDK22e9cOY9RED9tt096bXSrTvlC+2tfLYOaNO6YO0k1XnBnfDSLLLfgBLyiSF0IYQnPRvg7XRnDl2T9/ektmxvicGVMFprPcCiu5DelxkddcFVUzacGsv/rGWQ6+a6o8i1uTkhZ6xoT2lTSwyZG/fK35Hzo2CX3GaK7BxWA7PHVqsmuB2LFPLxTeCy/PYVb7dvXCfLHEDy7iFtHrljkd3dykuBlb9fAHm6RCnfqdR0vxjxq8YQWOcDktP9gmwvkr7BvRojJ8rRFTAQvKxv9bjm3ZKBen5tkoekRAk6JSjYO0MmYD2HOpaRr0NyOaKd021m2AFKoVjCA+rHXuY3dAceHaPMdSJKpF0w0b1ZA79J4iT6PGC3V9Z8GSqrQ/sp04izx1vWcqqW8XOs4uupC5Y/5vprX5aI49+Le6aNlowW3TMoDUGrrcE5BfrK8M3Na2FDUqApbyRgsYohiHpEsxhdsW9yyvEti/ZJj/9GMLlDxrwMgX8mDtNuzjras8DVdVXYnzCHYr40GSGc8u2vqT5kzJ9IolhGe+7ar3WxV5DhqaDCp8V42vCt/b3POkQZf7XLhiyUCZGyI4yY1JZxCz7OJ7HSa0hDJYZRuLpuU0Y/HlqC4K7rG0I6LlJRNOZcU2xtwIOyqYLFR6Q7i4kpcscX0cJji5wvqdZfVLaJJYto85/Yg3uvCwO9Vd0uLx+zNbzKYJGvhsM9oUfAZNI8iUXlLU8zmzOfag3WSY92rL6oHWDbqzto3iFbYFndk1g1oCTxklmokkeBi+diqbYF80yJOkSFmCL0f/n9NVVDGfUwiLc8rKO8sA9pcldZRyHHK3jtL5WG07Cr2WMLyCzTnEoFrjg9r1Ypcfz5tI4aAXUJJJLmxfXlu3CKnO9YxczGUCYi+9iDp3qD8tDAslIFi+/AFe2nV+YZggqoo4ZiwJbvBLD9h1k6MebuIJ5SlLPNGtIAqIbkQ2SaW8LLIlCV6OsQTBy6UGE1XcI4sp8mSPsIc+h8ojoRCl52rKr5hYdCzkuomaWxUwrwS58wOrugIpbWtxuDBxh1v0WDqZE08yvlS7AaOefRj+/WzXGN9flhZNbox2HC0gSjgRVnRmSQ0Fizh2ZarUdvLbM5LSG+huYjhB5zzDY2dZatj871aS1Bdyx2KIP6kChmFK03HK1Qwvf1yt6CtOHdrMQ1YENYbDohxSBBF2wSBaVlAf1V5vA5vcxojkNmZsAL+YIR1H6jS4oe0YWjEBMfpQrcaQbUm2xIHaCbPoRqTkjApD3iVCg9jtkZB6BFpdNQWOtCW84VJc9OErsh8d+DokTdSVYYpckAm9wlujeqGBqMy+u4jICc1TbmxA3Uyn8zzxQlUqZIDeVkmmuwvSMHvxLpgWIOGegMLMFxF5S/UDQvnoAmZGRaJm9JKtTcRMuDDyxSzVTxZIjjRnNLkJJIitht4YOCyyX/3lsSRJfZ5KKfXFSKyxoAaNrlE+JgztvB3QWwO+64tp2mz4tzDce8G6bw/8Lv8aIeDheC3B4D5KSOss1GrPzz+ueNdqR2inwyKd1kyzmkQuL8TJEjpt0BKI3FejPbNabJGn/ibRoqZFwNSLWy3iytuExFgmN0vLh7t2Y9D7sDngIva8U+yYv1+o8t304cbVAQ8A+Isqn/EM1wzuGYUWJsbdxzS19YmiVoTkDJtqtuvK7UDcAYDLDvFDk4lMU3mNa6U5pPlCToMvOC20OY6UJhwqxVsLnGM0mLY+F2N9wCHV1N5kcuMGMm+ombwW7fDOGE1YXg3uIIsDPAiUEDbSPKk3IloKF+Ano0IKJARO7ihbXt3Z3Yr0e/CzFUb/usPV3bnd72z9Pw28+JPI9u+3lQnGNxrMW4sP6C1obdzrnGvNoO1mY7Ryd8Cj1i+L8sSuXOZRMGntzG4M2DjD2xrjlH/Ytp1Pyslc73YzvFkScKjRybAQWZYzaHauZ7ztRDd/9t4kkQxHMmIAOrfYayrseq5pigqcqN7h1MgkYSHwDgiQJ6J23Mpqo5Vk9bL8JkMiVS8cKBZyrFwvtxw6+IdofOYEskZOMFuejawYuBcn3MoHyl5Q20qIWco0q0ieFonRlBSLtP4nqOUvUACQw0d4OD0Mmqumk5PxIcK9OyD80iC/RbjjMWD2ZnBKwJVg5dy00t/Qo6TcLTc93zvlnOZ0z3vOhnmbM51zdsUSH1Vj3SGwFGLXErUvBgTQg0vrcHku2soxCtE5FQrrm0fkzPATar5NexF8VRw6eJ8PP1ZayWnN5pmOyIlIrN4M1yOl/G4ae9w6rCoHxFM+C54KF1uDmMfz0CA+Hb77uKQhbN8kqxjCpx/Ri7mcDWyFjWqo2yv5vd7bOjkTYoAjJ/FMfrIDg7x7CK+JH5l8CgTkJ5YZfqhq+Uvq+A/tL3GX03FIbbP/VrqRjlemuJnCifL73ExnMl/FuVd7/KsuQqDnh2vu8dBmoEf9U/HhtIr50I9TE9YrmG2l6/KpCL81mNW3YLQ0c8wnpVlWYo99wao6NfQ+FUT9vwAAAP//L9KxFA==" } diff --git a/heartbeat/look/look_test.go b/heartbeat/look/look_test.go index e5b566ebb57..aed67a0d4ec 100644 --- a/heartbeat/look/look_test.go +++ b/heartbeat/look/look_test.go @@ -32,7 +32,7 @@ import ( // helper func testRTT(t *testing.T, expected time.Duration, provided time.Duration) { actual, err := RTT(provided).GetValue("us") - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, expected, actual) } diff --git a/heartbeat/magefile.go b/heartbeat/magefile.go index 298ee0443d1..6c592bbac38 100644 --- a/heartbeat/magefile.go +++ b/heartbeat/magefile.go @@ -24,7 +24,6 @@ import ( "time" "github.com/magefile/mage/mg" - "github.com/magefile/mage/sh" devtools "github.com/elastic/beats/v7/dev-tools/mage" "github.com/elastic/beats/v7/generator/common/beatgen" @@ -33,10 +32,12 @@ import ( // mage:import "github.com/elastic/beats/v7/dev-tools/mage/target/common" // mage:import - "github.com/elastic/beats/v7/dev-tools/mage/target/integtest" + "github.com/elastic/beats/v7/dev-tools/mage/target/build" // mage:import "github.com/elastic/beats/v7/dev-tools/mage/target/unittest" // mage:import + "github.com/elastic/beats/v7/dev-tools/mage/target/integtest" + // mage:import _ "github.com/elastic/beats/v7/dev-tools/mage/target/test" ) @@ -44,10 +45,6 @@ func init() { common.RegisterCheckDeps(Update) unittest.RegisterPythonTestDeps(Fields) integtest.RegisterPythonTestDeps(Fields) - - devtools.BeatDescription = "Ping remote services for availability and log " + - "results to Elasticsearch or send to Logstash." - devtools.BeatServiceName = "heartbeat-elastic" } // VendorUpdate updates elastic/beats/v7 in the vendor dir @@ -55,37 +52,6 @@ func VendorUpdate() error { return beatgen.VendorUpdate() } -// Build builds the Beat binary. -func Build() error { - return devtools.Build(devtools.DefaultBuildArgs()) -} - -// GolangCrossBuild build the Beat binary inside of the golang-builder. -// Do not use directly, use crossBuild instead. -func GolangCrossBuild() error { - return devtools.GolangCrossBuild(devtools.DefaultGolangCrossBuildArgs()) -} - -// BuildGoDaemon builds the go-daemon binary (use crossBuildGoDaemon). -func BuildGoDaemon() error { - return devtools.BuildGoDaemon() -} - -// CrossBuild cross-builds the beat for all target platforms. -func CrossBuild() error { - return devtools.CrossBuild() -} - -// CrossBuildXPack cross-builds the beat with XPack for all target platforms. -func CrossBuildXPack() error { - return devtools.CrossBuildXPack() -} - -// CrossBuildGoDaemon cross-builds the go-daemon binary using Docker. -func CrossBuildGoDaemon() error { - return devtools.CrossBuildGoDaemon() -} - // Package packages the Beat for distribution. // Use SNAPSHOT=true to build snapshots. // Use PLATFORMS to control the target platforms. @@ -94,11 +60,12 @@ func Package() { start := time.Now() defer func() { fmt.Println("package ran for", time.Since(start)) }() - devtools.UseElasticBeatPackaging() - customizePackaging() + devtools.UseElasticBeatOSSPackaging() + devtools.PackageKibanaDashboardsFromBuildDir() + heartbeat.CustomizePackaging() mg.Deps(Update) - mg.Deps(CrossBuild, CrossBuildXPack, CrossBuildGoDaemon) + mg.Deps(build.CrossBuild, build.CrossBuildGoDaemon) mg.SerialDeps(devtools.Package, TestPackages) } @@ -107,14 +74,13 @@ func TestPackages() error { return devtools.TestPackages(devtools.WithMonitorsD()) } -// Update updates the generated files (aka make update). -func Update() error { - return sh.Run("make", "update") +func Fields() error { + return heartbeat.Fields() } -// Fields generates a fields.yml for the Beat. -func Fields() error { - return devtools.GenerateFieldsYAML("monitors/active") +// Update updates the generated files (aka make update). +func Update() { + mg.SerialDeps(Fields, Config, Imports) } // Imports generates an include/list.go file containing @@ -127,28 +93,6 @@ func Imports() error { return devtools.GenerateIncludeListGo(options) } -func customizePackaging() { - monitorsDTarget := "monitors.d" - unixMonitorsDir := "/etc/{{.BeatName}}/monitors.d" - monitorsD := devtools.PackageFile{ - Mode: 0644, - Source: "monitors.d", - } - - for _, args := range devtools.Packages { - pkgType := args.Types[0] - switch pkgType { - case devtools.Docker: - args.Spec.ExtraVar("linux_capabilities", "cap_net_raw=eip") - args.Spec.Files[monitorsDTarget] = monitorsD - case devtools.TarGz, devtools.Zip: - args.Spec.Files[monitorsDTarget] = monitorsD - case devtools.Deb, devtools.RPM, devtools.DMG: - args.Spec.Files[unixMonitorsDir] = monitorsD - } - } -} - // Config generates both the short/reference/docker configs. func Config() error { return devtools.Config(devtools.AllConfigTypes, heartbeat.ConfigFileParams(), ".") diff --git a/heartbeat/monitors.d/sample.http.yml.disabled b/heartbeat/monitors.d/sample.http.yml.disabled index 10e4c17de7b..93284e6ae40 100644 --- a/heartbeat/monitors.d/sample.http.yml.disabled +++ b/heartbeat/monitors.d/sample.http.yml.disabled @@ -10,6 +10,9 @@ # Human readable display name for this service in Uptime UI and elsewhere name: My HTTP Monitor + # Name of corresponding APM service, if Elastic APM is in use for the monitored service. + #service_name: my-apm-service-name + # Enable/Disable monitor #enabled: true diff --git a/heartbeat/monitors.d/sample.icmp.yml.disabled b/heartbeat/monitors.d/sample.icmp.yml.disabled index 372c17beb07..f41e018aba2 100644 --- a/heartbeat/monitors.d/sample.icmp.yml.disabled +++ b/heartbeat/monitors.d/sample.icmp.yml.disabled @@ -10,6 +10,9 @@ # Human readable display name for this service in Uptime UI and elsewhere name: My ICMP Monitor + # Name of corresponding APM service, if Elastic APM is in use for the monitored service. + #service_name: my-apm-service-name + # Enable/Disable monitor #enabled: true diff --git a/heartbeat/monitors.d/sample.tcp.yml.disabled b/heartbeat/monitors.d/sample.tcp.yml.disabled index c6f98be0799..4e922a1b53e 100644 --- a/heartbeat/monitors.d/sample.tcp.yml.disabled +++ b/heartbeat/monitors.d/sample.tcp.yml.disabled @@ -12,8 +12,8 @@ # Human readable display name for this service in Uptime UI and elsewhere name: My TCP monitor - # Monitor name used for job name and document type - #name: tcp + # Name of corresponding APM service, if Elastic APM is in use for the monitored service. + #service_name: my-apm-service-name # Enable/Disable monitor #enabled: true diff --git a/heartbeat/monitors/active/dialchain/_meta/fields.yml b/heartbeat/monitors/active/dialchain/_meta/fields.yml index eb7e66bd6f7..a2dd7815269 100644 --- a/heartbeat/monitors/active/dialchain/_meta/fields.yml +++ b/heartbeat/monitors/active/dialchain/_meta/fields.yml @@ -58,104 +58,6 @@ type: group description: Detailed x509 certificate metadata fields: - - name: x509 - type: group - fields: - - name: alternative_names - type: keyword - ignore_above: 1024 - description: List of subject alternative names (SAN). Name types vary by certificate - authority and certificate type but commonly contain IP addresses, DNS names - (and wildcards), and email addresses. - example: '*.elastic.co' - default_field: false - - name: issuer - type: group - fields: - - name: common_name - type: keyword - ignore_above: 1024 - description: List of common name (CN) of issuing certificate authority. - example: DigiCert SHA2 High Assurance Server CA - default_field: false - multi_fields: - - name: text - type: text - analyzer: simple - - name: distinguished_name - type: keyword - ignore_above: 1024 - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance - Server CA - default_field: false - - name: not_after - type: date - description: Time at which the certificate is no longer considered valid. - example: 2020-07-16 03:15:39+00:00 - default_field: false - - name: not_before - type: date - description: Time at which the certificate is first considered valid. - example: 2019-08-16 01:40:25+00:00 - default_field: false - - name: public_key_algorithm - type: keyword - ignore_above: 1024 - description: Algorithm used to generate the public key. - example: RSA - default_field: false - - name: public_key_curve - type: keyword - ignore_above: 1024 - description: The curve used by the elliptic curve public key algorithm. This - is algorithm specific. - example: nistp521 - default_field: false - - name: public_key_exponent - type: long - description: Exponent used to derive the public key. This is algorithm specific. - example: 65537 - default_field: false - - name: public_key_size - type: long - description: The size of the public key space in bits. - example: 2048 - default_field: false - - name: serial_number - type: keyword - ignore_above: 1024 - description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. - example: 55FBB9C7DEBF09809D12CCAA - default_field: false - - name: signature_algorithm - type: keyword - ignore_above: 1024 - description: Identifier for certificate signature algorithm. Recommend using - names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). - example: SHA256-RSA - default_field: false - - name: subject - type: group - fields: - - name: common_name - type: keyword - ignore_above: 1024 - description: List of common names (CN) of subject. - example: r2.shared.global.fastly.net - default_field: false - multi_fields: - - name: text - type: text - analyzer: simple - - name: distinguished_name - type: keyword - ignore_above: 1024 - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net - default_field: false - name: version_number type: keyword ignore_above: 1024 diff --git a/heartbeat/monitors/active/http/config_test.go b/heartbeat/monitors/active/http/config_test.go index 952ce354869..d9a22b6c38e 100644 --- a/heartbeat/monitors/active/http/config_test.go +++ b/heartbeat/monitors/active/http/config_test.go @@ -88,10 +88,10 @@ func TestConfigValidate(t *testing.T) { err := config.Validate() if test.result { - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, test.convertedHost, config.Hosts[0]) } else { - assert.NotNil(t, err) + assert.Error(t, err) } }) diff --git a/heartbeat/monitors/active/http/http.go b/heartbeat/monitors/active/http/http.go index cf0f9833842..74463663567 100644 --- a/heartbeat/monitors/active/http/http.go +++ b/heartbeat/monitors/active/http/http.go @@ -33,6 +33,7 @@ import ( func init() { monitors.RegisterActive("http", create) + monitors.RegisterActive("synthetics/http", create) } var debugf = logp.MakeDebug("http") diff --git a/heartbeat/monitors/active/http/http_test.go b/heartbeat/monitors/active/http/http_test.go index c2a6b2c9318..a0bf14e73c9 100644 --- a/heartbeat/monitors/active/http/http_test.go +++ b/heartbeat/monitors/active/http/http_test.go @@ -35,6 +35,7 @@ import ( "github.com/stretchr/testify/require" "github.com/elastic/beats/v7/heartbeat/hbtest" + "github.com/elastic/beats/v7/heartbeat/monitors/stdfields" "github.com/elastic/beats/v7/heartbeat/monitors/wrappers" "github.com/elastic/beats/v7/heartbeat/scheduler/schedule" "github.com/elastic/beats/v7/libbeat/beat" @@ -78,8 +79,8 @@ func sendTLSRequest(t *testing.T, testURL string, useUrls bool, extraConfig map[ jobs, endpoints, err := create("tls", config) require.NoError(t, err) - sched, _ := schedule.Parse("@every 1s") - job := wrappers.WrapCommon(jobs, "tls", "", "http", sched, time.Duration(0))[0] + sched := schedule.MustParse("@every 1s") + job := wrappers.WrapCommon(jobs, stdfields.StdMonitorFields{ID: "tls", Type: "http", Schedule: sched, Timeout: 1})[0] event := &beat.Event{} _, err = job(event) @@ -318,7 +319,7 @@ func TestLargeResponse(t *testing.T) { require.NoError(t, err) sched, _ := schedule.Parse("@every 1s") - job := wrappers.WrapCommon(jobs, "test", "", "http", sched, time.Duration(0))[0] + job := wrappers.WrapCommon(jobs, stdfields.StdMonitorFields{ID: "test", Type: "http", Schedule: sched, Timeout: 1})[0] event := &beat.Event{} _, err = job(event) @@ -514,7 +515,7 @@ func TestRedirect(t *testing.T) { require.NoError(t, err) sched, _ := schedule.Parse("@every 1s") - job := wrappers.WrapCommon(jobs, "test", "", "http", sched, time.Duration(0))[0] + job := wrappers.WrapCommon(jobs, stdfields.StdMonitorFields{ID: "test", Type: "http", Schedule: sched, Timeout: 1})[0] // Run this test multiple times since in the past we had an issue where the redirects // list was added onto by each request. See https://github.com/elastic/beats/pull/15944 @@ -561,7 +562,7 @@ func TestNoHeaders(t *testing.T) { require.NoError(t, err) sched, _ := schedule.Parse("@every 1s") - job := wrappers.WrapCommon(jobs, "test", "", "http", sched, time.Duration(0))[0] + job := wrappers.WrapCommon(jobs, stdfields.StdMonitorFields{ID: "test", Type: "http", Schedule: sched, Timeout: 1})[0] event := &beat.Event{} _, err = job(event) diff --git a/heartbeat/monitors/active/http/respbody_test.go b/heartbeat/monitors/active/http/respbody_test.go index 071f4e27a47..3031bb5f38f 100644 --- a/heartbeat/monitors/active/http/respbody_test.go +++ b/heartbeat/monitors/active/http/respbody_test.go @@ -246,7 +246,7 @@ func Test_readPrefixAndHash(t *testing.T) { expectedHash := sha256.Sum256([]byte(tt.body)) assert.Equal(t, hex.EncodeToString(expectedHash[:]), gotHashStr) - assert.Nil(t, err) + assert.NoError(t, err) }) } } diff --git a/heartbeat/monitors/active/http/task_test.go b/heartbeat/monitors/active/http/task_test.go index 5d46befc8b1..7fd3948d0b1 100644 --- a/heartbeat/monitors/active/http/task_test.go +++ b/heartbeat/monitors/active/http/task_test.go @@ -131,7 +131,7 @@ func TestSplitHostnamePort(t *testing.T) { func makeTestHTTPRequest(t *testing.T) *http.Request { req, err := http.NewRequest("GET", "http://example.net", nil) - assert.Nil(t, err) + assert.NoError(t, err) return req } @@ -168,7 +168,7 @@ func TestRequestBuildingWithCustomHost(t *testing.T) { request, err := buildRequest("localhost", &config, encoder) - if assert.Nil(t, err) { + if assert.NoError(t, err) { assert.Equal(t, "custom-host", request.Host) assert.Equal(t, "custom-host", request.Header.Get("Host")) } @@ -177,7 +177,7 @@ func TestRequestBuildingWithCustomHost(t *testing.T) { func TestRequestBuildingWithNoUserAgent(t *testing.T) { request, err := buildRequest("localhost", &Config{}, nilEncoder{}) - require.Nil(t, err) + require.NoError(t, err) assert.Equal(t, useragent.UserAgent("Heartbeat"), request.Header.Get("User-Agent")) } @@ -196,6 +196,6 @@ func TestRequestBuildingWithExplicitUserAgent(t *testing.T) { request, err := buildRequest("localhost", &config, nilEncoder{}) - require.Nil(t, err) + require.NoError(t, err) assert.Equal(t, expectedUserAgent, request.Header.Get("User-Agent")) } diff --git a/heartbeat/monitors/active/icmp/icmp.go b/heartbeat/monitors/active/icmp/icmp.go index 45fdf8a54b3..f9119ab19ec 100644 --- a/heartbeat/monitors/active/icmp/icmp.go +++ b/heartbeat/monitors/active/icmp/icmp.go @@ -36,6 +36,7 @@ var debugf = logp.MakeDebug("icmp") func init() { monitors.RegisterActive("icmp", create) + monitors.RegisterActive("synthetics/icmp", create) } func create( diff --git a/heartbeat/monitors/active/icmp/icmp_test.go b/heartbeat/monitors/active/icmp/icmp_test.go index 11e7dae5380..955520b81ba 100644 --- a/heartbeat/monitors/active/icmp/icmp_test.go +++ b/heartbeat/monitors/active/icmp/icmp_test.go @@ -28,6 +28,7 @@ import ( "github.com/elastic/beats/v7/heartbeat/hbtest" "github.com/elastic/beats/v7/heartbeat/look" "github.com/elastic/beats/v7/heartbeat/monitors" + "github.com/elastic/beats/v7/heartbeat/monitors/stdfields" "github.com/elastic/beats/v7/heartbeat/monitors/wrappers" "github.com/elastic/beats/v7/heartbeat/scheduler/schedule" "github.com/elastic/beats/v7/libbeat/beat" @@ -69,7 +70,7 @@ func execTestICMPCheck(t *testing.T, cfg Config) (mockLoop, *beat.Event) { require.Equal(t, 1, endpoints) e := &beat.Event{} sched, _ := schedule.Parse("@every 1s") - wrapped := wrappers.WrapCommon(j, "test", "", "icmp", sched, time.Duration(0)) + wrapped := wrappers.WrapCommon(j, stdfields.StdMonitorFields{ID: "test", Type: "icmp", Schedule: sched, Timeout: 1}) wrapped[0](e) return tl, e } diff --git a/heartbeat/monitors/active/tcp/helpers_test.go b/heartbeat/monitors/active/tcp/helpers_test.go index d1a8c1b5bc1..ea3a22b2888 100644 --- a/heartbeat/monitors/active/tcp/helpers_test.go +++ b/heartbeat/monitors/active/tcp/helpers_test.go @@ -22,13 +22,12 @@ import ( "net/http" "net/http/httptest" "testing" - "time" "github.com/pkg/errors" - "github.com/stretchr/testify/require" "github.com/elastic/beats/v7/heartbeat/hbtest" + "github.com/elastic/beats/v7/heartbeat/monitors/stdfields" "github.com/elastic/beats/v7/heartbeat/monitors/wrappers" "github.com/elastic/beats/v7/heartbeat/scheduler/schedule" "github.com/elastic/beats/v7/libbeat/beat" @@ -42,8 +41,8 @@ func testTCPConfigCheck(t *testing.T, configMap common.MapStr, host string, port jobs, endpoints, err := create("tcp", config) require.NoError(t, err) - sched, _ := schedule.Parse("@every 1s") - job := wrappers.WrapCommon(jobs, "test", "", "tcp", sched, time.Duration(0))[0] + sched := schedule.MustParse("@every 1s") + job := wrappers.WrapCommon(jobs, stdfields.StdMonitorFields{ID: "test", Type: "tcp", Schedule: sched, Timeout: 1})[0] event := &beat.Event{} _, err = job(event) diff --git a/heartbeat/monitors/active/tcp/tcp.go b/heartbeat/monitors/active/tcp/tcp.go index 26f96d2e010..6be682ee560 100644 --- a/heartbeat/monitors/active/tcp/tcp.go +++ b/heartbeat/monitors/active/tcp/tcp.go @@ -40,6 +40,7 @@ import ( func init() { monitors.RegisterActive("tcp", create) + monitors.RegisterActive("synthetics/tcp", create) } var debugf = logp.MakeDebug("tcp") diff --git a/heartbeat/monitors/active/tcp/tls_test.go b/heartbeat/monitors/active/tcp/tls_test.go index ff4cd569db5..88c539ee7e7 100644 --- a/heartbeat/monitors/active/tcp/tls_test.go +++ b/heartbeat/monitors/active/tcp/tls_test.go @@ -27,8 +27,8 @@ import ( "os" "strconv" "testing" - "time" + "github.com/elastic/beats/v7/heartbeat/monitors/stdfields" "github.com/elastic/beats/v7/heartbeat/monitors/wrappers" "github.com/elastic/beats/v7/heartbeat/scheduler/schedule" "github.com/elastic/beats/v7/libbeat/beat" @@ -187,8 +187,8 @@ func testTLSTCPCheck(t *testing.T, host string, port uint16, certFileName string jobs, endpoints, err := createWithResolver(config, resolver) require.NoError(t, err) - sched, _ := schedule.Parse("@every 1s") - job := wrappers.WrapCommon(jobs, "test", "", "tcp", sched, time.Duration(0))[0] + sched := schedule.MustParse("@every 1s") + job := wrappers.WrapCommon(jobs, stdfields.StdMonitorFields{ID: "test", Type: "tcp", Schedule: sched, Timeout: 1})[0] event := &beat.Event{} _, err = job(event) diff --git a/heartbeat/monitors/factory.go b/heartbeat/monitors/factory.go index e453bc3a03a..10d039d0830 100644 --- a/heartbeat/monitors/factory.go +++ b/heartbeat/monitors/factory.go @@ -22,22 +22,52 @@ import ( "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/cfgfile" "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/fmtstr" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/processors" + "github.com/elastic/beats/v7/libbeat/processors/add_formatted_index" + "github.com/elastic/beats/v7/libbeat/publisher/pipetool" ) // RunnerFactory that can be used to create cfg.Runner cast versions of Monitor // suitable for config reloading. type RunnerFactory struct { + info beat.Info sched *scheduler.Scheduler allowWatches bool } +type publishSettings struct { + // Fields and tags to add to monitor. + EventMetadata common.EventMetadata `config:",inline"` + Processors processors.PluginConfig `config:"processors"` + + PublisherPipeline struct { + DisableHost bool `config:"disable_host"` // Disable addition of host.name. + } `config:"publisher_pipeline"` + + // KeepNull determines whether published events will keep null values or omit them. + KeepNull bool `config:"keep_null"` + + // Output meta data settings + Pipeline string `config:"pipeline"` // ES Ingest pipeline name + Index fmtstr.EventFormatString `config:"index"` // ES output index pattern + DataSet string `config:"dataset"` +} + // NewFactory takes a scheduler and creates a RunnerFactory that can create cfgfile.Runner(Monitor) objects. -func NewFactory(sched *scheduler.Scheduler, allowWatches bool) *RunnerFactory { - return &RunnerFactory{sched, allowWatches} +func NewFactory(info beat.Info, sched *scheduler.Scheduler, allowWatches bool) *RunnerFactory { + return &RunnerFactory{info, sched, allowWatches} } // Create makes a new Runner for a new monitor with the given Config. -func (f *RunnerFactory) Create(p beat.PipelineConnector, c *common.Config) (cfgfile.Runner, error) { +func (f *RunnerFactory) Create(p beat.Pipeline, c *common.Config) (cfgfile.Runner, error) { + configEditor, err := newCommonPublishConfigs(f.info, c) + if err != nil { + return nil, err + } + + p = pipetool.WithClientConfigEdit(p, configEditor) monitor, err := newMonitor(c, globalPluginsReg, p, f.sched, f.allowWatches) return monitor, err } @@ -46,3 +76,67 @@ func (f *RunnerFactory) Create(p beat.PipelineConnector, c *common.Config) (cfgf func (f *RunnerFactory) CheckConfig(config *common.Config) error { return checkMonitorConfig(config, globalPluginsReg, f.allowWatches) } + +func newCommonPublishConfigs(info beat.Info, cfg *common.Config) (pipetool.ConfigEditor, error) { + var settings publishSettings + if err := cfg.Unpack(&settings); err != nil { + return nil, err + } + + var indexProcessor processors.Processor + if !settings.Index.IsEmpty() { + staticFields := fmtstr.FieldsForBeat(info.Beat, info.Version) + timestampFormat, err := + fmtstr.NewTimestampFormatString(&settings.Index, staticFields) + if err != nil { + return nil, err + } + indexProcessor = add_formatted_index.New(timestampFormat) + } + + userProcessors, err := processors.New(settings.Processors) + if err != nil { + return nil, err + } + + dataset := settings.DataSet + if dataset == "" { + dataset = "uptime" + } + + return func(clientCfg beat.ClientConfig) (beat.ClientConfig, error) { + logp.Info("Client connection with: %#v", clientCfg) + + fields := clientCfg.Processing.Fields.Clone() + fields.Put("event.dataset", dataset) + + meta := clientCfg.Processing.Meta.Clone() + if settings.Pipeline != "" { + meta.Put("pipeline", settings.Pipeline) + } + + // assemble the processors. Ordering is important. + // 1. add support for index configuration via processor + // 2. add processors added by the input that wants to connect + // 3. add locally configured processors from the 'processors' settings + procs := processors.NewList(nil) + if indexProcessor != nil { + procs.AddProcessor(indexProcessor) + } + if lst := clientCfg.Processing.Processor; lst != nil { + procs.AddProcessor(lst) + } + if userProcessors != nil { + procs.AddProcessors(*userProcessors) + } + + clientCfg.Processing.EventMetadata = settings.EventMetadata + clientCfg.Processing.Fields = fields + clientCfg.Processing.Meta = meta + clientCfg.Processing.Processor = procs + clientCfg.Processing.KeepNull = settings.KeepNull + clientCfg.Processing.DisableHost = settings.PublisherPipeline.DisableHost + + return clientCfg, nil + }, nil +} diff --git a/heartbeat/monitors/monitor.go b/heartbeat/monitors/monitor.go index e0fcb886357..66e7317482f 100644 --- a/heartbeat/monitors/monitor.go +++ b/heartbeat/monitors/monitor.go @@ -23,6 +23,8 @@ import ( "fmt" "sync" + "github.com/elastic/beats/v7/heartbeat/monitors/stdfields" + "github.com/mitchellh/hashstructure" "github.com/pkg/errors" @@ -38,9 +40,7 @@ import ( // Monitor represents a configured recurring monitoring configuredJob loaded from a config file. Starting it // will cause it to run with the given scheduler until Stop() is called. type Monitor struct { - id string - name string - typ string + stdFields stdfields.StdMonitorFields pluginName string config *common.Config registrar *pluginsReg @@ -68,7 +68,7 @@ type Monitor struct { // String prints a description of the monitor in a threadsafe way. It is important that this use threadsafe // values because it may be invoked from another thread in cfgfile/runner. func (m *Monitor) String() string { - return fmt.Sprintf("Monitor", m.name, m.enabled) + return fmt.Sprintf("Monitor", m.stdFields.Name, m.enabled) } func checkMonitorConfig(config *common.Config, registrar *pluginsReg, allowWatches bool) error { @@ -120,20 +120,18 @@ func newMonitorUnsafe( // Extract just the Id, Type, and Enabled fields from the config // We'll parse things more precisely later once we know what exact type of // monitor we have - mpi, err := pluginInfo(config) + stdFields, err := stdfields.ConfigToStdMonitorFields(config) if err != nil { return nil, err } - monitorPlugin, found := registrar.get(mpi.Type) + monitorPlugin, found := registrar.get(stdFields.Type) if !found { - return nil, fmt.Errorf("monitor type %v does not exist, valid types are %v", mpi.Type, registrar.monitorNames()) + return nil, fmt.Errorf("monitor type %v does not exist, valid types are %v", stdFields.Type, registrar.monitorNames()) } m := &Monitor{ - id: mpi.ID, - name: mpi.Name, - typ: mpi.Type, + stdFields: stdFields, pluginName: monitorPlugin.name, scheduler: scheduler, configuredJobs: []*configuredJob{}, @@ -144,10 +142,10 @@ func newMonitorUnsafe( stats: monitorPlugin.stats, } - if m.id != "" { + if m.stdFields.ID != "" { // Ensure we don't have duplicate IDs - if _, loaded := uniqueMonitorIDs.LoadOrStore(m.id, m); loaded { - return m, ErrDuplicateMonitorID{m.id} + if _, loaded := uniqueMonitorIDs.LoadOrStore(m.stdFields.ID, m); loaded { + return m, ErrDuplicateMonitorID{m.stdFields.ID} } } else { // If there's no explicit ID generate one @@ -155,11 +153,11 @@ func newMonitorUnsafe( if err != nil { return m, err } - m.id = fmt.Sprintf("auto-%s-%#X", m.typ, hash) + m.stdFields.ID = fmt.Sprintf("auto-%s-%#X", m.stdFields.Type, hash) } rawJobs, endpoints, err := monitorPlugin.create(config) - wrappedJobs := wrappers.WrapCommon(rawJobs, m.id, m.name, m.typ, mpi.Schedule, mpi.Timeout) + wrappedJobs := wrappers.WrapCommon(rawJobs, m.stdFields) m.endpoints = endpoints if err != nil { @@ -181,7 +179,7 @@ func newMonitorUnsafe( return m, ErrWatchesDisabled } - logp.Info(`Obsolete option 'watch.poll_file' declared. This will be removed in a future release. + logp.Info(`Obsolete option 'watch.poll_file' declared. This will be removed in a future release. See https://www.elastic.co/guide/en/beats/heartbeat/current/configuration-heartbeat-options.html for more info`) } @@ -330,5 +328,5 @@ func (m *Monitor) Stop() { func (m *Monitor) freeID() { // Free up the monitor ID for reuse - uniqueMonitorIDs.Delete(m.id) + uniqueMonitorIDs.Delete(m.stdFields.ID) } diff --git a/heartbeat/monitors/pluginconf.go b/heartbeat/monitors/stdfields/stdfields.go similarity index 66% rename from heartbeat/monitors/pluginconf.go rename to heartbeat/monitors/stdfields/stdfields.go index 5df2c192cce..53ba59ada88 100644 --- a/heartbeat/monitors/pluginconf.go +++ b/heartbeat/monitors/stdfields/stdfields.go @@ -15,7 +15,7 @@ // specific language governing permissions and limitations // under the License. -package monitors +package stdfields import ( "time" @@ -29,18 +29,19 @@ import ( // ErrPluginDisabled is returned when the monitor plugin is marked as disabled. var ErrPluginDisabled = errors.New("Monitor not loaded, plugin is disabled") -// MonitorPluginInfo represents the generic configuration options around a monitor plugin. -type MonitorPluginInfo struct { - ID string `config:"id"` - Name string `config:"name"` - Type string `config:"type" validate:"required"` - Schedule *schedule.Schedule `config:"schedule" validate:"required"` - Timeout time.Duration `config:"timeout"` - Enabled bool `config:"enabled"` +// StdMonitorFields represents the generic configuration options around a monitor plugin. +type StdMonitorFields struct { + ID string `config:"id"` + Name string `config:"name"` + Type string `config:"type" validate:"required"` + Schedule *schedule.Schedule `config:"schedule" validate:"required"` + Timeout time.Duration `config:"timeout"` + ServiceName string `config:"service_name"` + Enabled bool `config:"enabled"` } -func pluginInfo(config *common.Config) (MonitorPluginInfo, error) { - mpi := MonitorPluginInfo{Enabled: true} +func ConfigToStdMonitorFields(config *common.Config) (StdMonitorFields, error) { + mpi := StdMonitorFields{Enabled: true} if err := config.Unpack(&mpi); err != nil { return mpi, errors.Wrap(err, "error unpacking monitor plugin config") diff --git a/heartbeat/monitors/task.go b/heartbeat/monitors/task.go index 92d28d225d9..eb53ddeb195 100644 --- a/heartbeat/monitors/task.go +++ b/heartbeat/monitors/task.go @@ -21,8 +21,6 @@ import ( "context" "fmt" - "github.com/pkg/errors" - "github.com/elastic/beats/v7/heartbeat/eventext" "github.com/elastic/beats/v7/heartbeat/monitors/jobs" "github.com/elastic/beats/v7/heartbeat/scheduler" @@ -30,39 +28,24 @@ import ( "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" - "github.com/elastic/beats/v7/libbeat/processors" ) // configuredJob represents a job combined with its config and any // subsequent processors. type configuredJob struct { - job jobs.Job - config jobConfig - monitor *Monitor - processors *processors.Processors - cancelFn context.CancelFunc - client beat.Client + job jobs.Job + config jobConfig + monitor *Monitor + cancelFn context.CancelFunc + client beat.Client } func newConfiguredJob(job jobs.Job, config jobConfig, monitor *Monitor) (*configuredJob, error) { - t := &configuredJob{ + return &configuredJob{ job: job, config: config, monitor: monitor, - } - - processors, err := processors.New(config.Processors) - if err != nil { - return nil, ProcessorsError{err} - } - t.processors = processors - - if err != nil { - logp.Critical("Could not create client for monitor configuredJob %+v", t.monitor) - return nil, errors.Wrap(err, "could not create client for monitor configuredJob") - } - - return t, nil + }, nil } // jobConfig represents fields needed to execute a single job. @@ -70,13 +53,6 @@ type jobConfig struct { Name string `config:"pluginName"` Type string `config:"type"` Schedule *schedule.Schedule `config:"schedule" validate:"required"` - - // Fields and tags to add to monitor. - EventMetadata common.EventMetadata `config:",inline"` - Processors processors.PluginConfig `config:"processors"` - - // KeepNull determines whether published events will keep null values or omit them. - KeepNull bool `config:"keep_null"` } // ProcessorsError is used to indicate situations when processors could not be loaded. @@ -101,22 +77,14 @@ func (t *configuredJob) makeSchedulerTaskFunc() scheduler.TaskFunc { func (t *configuredJob) Start() { var err error - fields := common.MapStr{"event": common.MapStr{"dataset": "uptime"}} - t.client, err = t.monitor.pipelineConnector.ConnectWith(beat.ClientConfig{ - Processing: beat.ProcessingConfig{ - EventMetadata: t.config.EventMetadata, - Processor: t.processors, - KeepNull: t.config.KeepNull, - Fields: fields, - }, - }) + t.client, err = t.monitor.pipelineConnector.Connect() if err != nil { logp.Err("could not start monitor: %v", err) return } tf := t.makeSchedulerTaskFunc() - t.cancelFn, err = t.monitor.scheduler.Add(t.config.Schedule, t.monitor.id, tf) + t.cancelFn, err = t.monitor.scheduler.Add(t.config.Schedule, t.monitor.stdFields.ID, tf) if err != nil { logp.Err("could not start monitor: %v", err) } diff --git a/heartbeat/monitors/wrappers/monitors.go b/heartbeat/monitors/wrappers/monitors.go index 5868cdca636..7896bcf12f0 100644 --- a/heartbeat/monitors/wrappers/monitors.go +++ b/heartbeat/monitors/wrappers/monitors.go @@ -22,8 +22,6 @@ import ( "sync" "time" - "github.com/elastic/beats/v7/heartbeat/scheduler/schedule" - "github.com/gofrs/uuid" "github.com/mitchellh/hashstructure" "github.com/pkg/errors" @@ -31,32 +29,34 @@ import ( "github.com/elastic/beats/v7/heartbeat/eventext" "github.com/elastic/beats/v7/heartbeat/look" "github.com/elastic/beats/v7/heartbeat/monitors/jobs" + "github.com/elastic/beats/v7/heartbeat/monitors/stdfields" + "github.com/elastic/beats/v7/heartbeat/scheduler/schedule" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" ) // WrapCommon applies the common wrappers that all monitor jobs get. -func WrapCommon(js []jobs.Job, id string, name string, typ string, sched *schedule.Schedule, timeout time.Duration) []jobs.Job { +func WrapCommon(js []jobs.Job, stdMonFields stdfields.StdMonitorFields) []jobs.Job { return jobs.WrapAllSeparately( jobs.WrapAll( js, addMonitorStatus, addMonitorDuration, ), func() jobs.JobWrapper { - return addMonitorMeta(id, name, typ, len(js) > 1, sched, timeout) + return addMonitorMeta(stdMonFields, len(js) > 1) }, func() jobs.JobWrapper { return makeAddSummary() }) } // addMonitorMeta adds the id, name, and type fields to the monitor. -func addMonitorMeta(id string, name string, typ string, isMulti bool, sched *schedule.Schedule, timeout time.Duration) jobs.JobWrapper { +func addMonitorMeta(stdMonFields stdfields.StdMonitorFields, isMulti bool) jobs.JobWrapper { return func(job jobs.Job) jobs.Job { return func(event *beat.Event) ([]jobs.Job, error) { started := time.Now() cont, e := job(event) - thisID := id + thisID := stdMonFields.ID if isMulti { url, err := event.GetValue("url.full") @@ -65,20 +65,25 @@ func addMonitorMeta(id string, name string, typ string, isMulti bool, sched *sch url = "n/a" } urlHash, _ := hashstructure.Hash(url, nil) - thisID = fmt.Sprintf("%s-%x", id, urlHash) + thisID = fmt.Sprintf("%s-%x", stdMonFields.ID, urlHash) } - eventext.MergeEventFields( - event, - common.MapStr{ - "monitor": common.MapStr{ - "id": thisID, - "name": name, - "type": typ, - "timespan": timespan(started, sched, timeout), - }, + fieldsToMerge := common.MapStr{ + "monitor": common.MapStr{ + "id": thisID, + "name": stdMonFields.Name, + "type": stdMonFields.Type, + "timespan": timespan(started, stdMonFields.Schedule, stdMonFields.Timeout), }, - ) + } + + if stdMonFields.ServiceName != "" { + fieldsToMerge["service"] = common.MapStr{ + "name": stdMonFields.ServiceName, + } + } + + eventext.MergeEventFields(event, fieldsToMerge) return cont, e } diff --git a/heartbeat/monitors/wrappers/monitors_test.go b/heartbeat/monitors/wrappers/monitors_test.go index 5cbcb43ebd5..49b2100827b 100644 --- a/heartbeat/monitors/wrappers/monitors_test.go +++ b/heartbeat/monitors/wrappers/monitors_test.go @@ -30,6 +30,7 @@ import ( "github.com/elastic/beats/v7/heartbeat/eventext" "github.com/elastic/beats/v7/heartbeat/hbtestllext" "github.com/elastic/beats/v7/heartbeat/monitors/jobs" + "github.com/elastic/beats/v7/heartbeat/monitors/stdfields" "github.com/elastic/beats/v7/heartbeat/scheduler/schedule" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" @@ -39,24 +40,25 @@ import ( "github.com/elastic/go-lookslike/validator" ) -type fields struct { - id string - name string - typ string +type testDef struct { + name string + stdFields stdfields.StdMonitorFields + jobs []jobs.Job + want []validator.Validator + metaWant []validator.Validator } -type testDef struct { - name string - fields fields - jobs []jobs.Job - want []validator.Validator - metaWant []validator.Validator +var testMonFields = stdfields.StdMonitorFields{ + ID: "myid", + Name: "myname", + Type: "mytype", + Schedule: schedule.MustParse("@every 1s"), + Timeout: 1, } func testCommonWrap(t *testing.T, tt testDef) { t.Run(tt.name, func(t *testing.T) { - schedule, _ := schedule.Parse("@every 1s") - wrapped := WrapCommon(tt.jobs, tt.fields.id, tt.fields.name, tt.fields.typ, schedule, time.Duration(0)) + wrapped := WrapCommon(tt.jobs, tt.stdFields) results, err := jobs.ExecJobsAndConts(t, wrapped) assert.NoError(t, err) @@ -77,7 +79,33 @@ func testCommonWrap(t *testing.T, tt testDef) { } func TestSimpleJob(t *testing.T) { - fields := fields{"myid", "myname", "mytyp"} + testCommonWrap(t, testDef{ + "simple", + testMonFields, + []jobs.Job{makeURLJob(t, "tcp://foo.com:80")}, + []validator.Validator{ + lookslike.Compose( + urlValidator(t, "tcp://foo.com:80"), + lookslike.MustCompile(map[string]interface{}{ + "monitor": map[string]interface{}{ + "duration.us": isdef.IsDuration, + "id": testMonFields.ID, + "name": testMonFields.Name, + "type": testMonFields.Type, + "status": "up", + "check_group": isdef.IsString, + }, + }), + hbtestllext.MonitorTimespanValidator, + summaryValidator(1, 0), + )}, + nil, + }) +} + +func TestJobWithServiceName(t *testing.T) { + fields := testMonFields + fields.ServiceName = "testServiceName" testCommonWrap(t, testDef{ "simple", fields, @@ -88,12 +116,15 @@ func TestSimpleJob(t *testing.T) { lookslike.MustCompile(map[string]interface{}{ "monitor": map[string]interface{}{ "duration.us": isdef.IsDuration, - "id": fields.id, - "name": fields.name, - "type": fields.typ, + "id": testMonFields.ID, + "name": testMonFields.Name, + "type": testMonFields.Type, "status": "up", "check_group": isdef.IsString, }, + "service": map[string]interface{}{ + "name": fields.ServiceName, + }, }), hbtestllext.MonitorTimespanValidator, summaryValidator(1, 0), @@ -103,8 +134,6 @@ func TestSimpleJob(t *testing.T) { } func TestErrorJob(t *testing.T) { - fields := fields{"myid", "myname", "mytyp"} - errorJob := func(event *beat.Event) ([]jobs.Job, error) { return nil, fmt.Errorf("myerror") } @@ -114,9 +143,9 @@ func TestErrorJob(t *testing.T) { lookslike.MustCompile(map[string]interface{}{ "monitor": map[string]interface{}{ "duration.us": isdef.IsDuration, - "id": fields.id, - "name": fields.name, - "type": fields.typ, + "id": testMonFields.ID, + "name": testMonFields.Name, + "type": testMonFields.Type, "status": "down", "check_group": isdef.IsString, }, @@ -125,7 +154,7 @@ func TestErrorJob(t *testing.T) { testCommonWrap(t, testDef{ "job error", - fields, + testMonFields, []jobs.Job{errorJob}, []validator.Validator{ lookslike.Compose( @@ -138,8 +167,6 @@ func TestErrorJob(t *testing.T) { } func TestMultiJobNoConts(t *testing.T) { - fields := fields{"myid", "myname", "mytyp"} - uniqScope := isdef.ScopedIsUnique() validatorMaker := func(u string) validator.Validator { @@ -149,8 +176,8 @@ func TestMultiJobNoConts(t *testing.T) { "monitor": map[string]interface{}{ "duration.us": isdef.IsDuration, "id": uniqScope.IsUniqueTo("id"), - "name": fields.name, - "type": fields.typ, + "name": testMonFields.Name, + "type": testMonFields.Type, "status": "up", "check_group": uniqScope.IsUniqueTo("check_group"), }, @@ -162,7 +189,7 @@ func TestMultiJobNoConts(t *testing.T) { testCommonWrap(t, testDef{ "multi-job", - fields, + testMonFields, []jobs.Job{makeURLJob(t, "http://foo.com"), makeURLJob(t, "http://bar.com")}, []validator.Validator{validatorMaker("http://foo.com"), validatorMaker("http://bar.com")}, nil, @@ -170,8 +197,6 @@ func TestMultiJobNoConts(t *testing.T) { } func TestMultiJobConts(t *testing.T) { - fields := fields{"myid", "myname", "mytyp"} - uniqScope := isdef.ScopedIsUnique() makeContJob := func(t *testing.T, u string) jobs.Job { @@ -198,8 +223,8 @@ func TestMultiJobConts(t *testing.T) { "monitor": map[string]interface{}{ "duration.us": isdef.IsDuration, "id": uniqScope.IsUniqueTo(u), - "name": fields.name, - "type": fields.typ, + "name": testMonFields.Name, + "type": testMonFields.Type, "status": "up", "check_group": uniqScope.IsUniqueTo(u), }, @@ -210,7 +235,7 @@ func TestMultiJobConts(t *testing.T) { testCommonWrap(t, testDef{ "multi-job-continuations", - fields, + testMonFields, []jobs.Job{makeContJob(t, "http://foo.com"), makeContJob(t, "http://bar.com")}, []validator.Validator{ contJobValidator("http://foo.com", "1st"), @@ -229,8 +254,6 @@ func TestMultiJobConts(t *testing.T) { } func TestMultiJobContsCancelledEvents(t *testing.T) { - fields := fields{"myid", "myname", "mytyp"} - uniqScope := isdef.ScopedIsUnique() makeContJob := func(t *testing.T, u string) jobs.Job { @@ -258,8 +281,8 @@ func TestMultiJobContsCancelledEvents(t *testing.T) { "monitor": map[string]interface{}{ "duration.us": isdef.IsDuration, "id": uniqScope.IsUniqueTo(u), - "name": fields.name, - "type": fields.typ, + "name": testMonFields.Name, + "type": testMonFields.Type, "status": "up", "check_group": uniqScope.IsUniqueTo(u), }, @@ -271,7 +294,7 @@ func TestMultiJobContsCancelledEvents(t *testing.T) { metaCancelledValidator := lookslike.MustCompile(map[string]interface{}{eventext.EventCancelledMetaKey: true}) testCommonWrap(t, testDef{ "multi-job-continuations", - fields, + testMonFields, []jobs.Job{makeContJob(t, "http://foo.com"), makeContJob(t, "http://bar.com")}, []validator.Validator{ lookslike.Compose( diff --git a/heartbeat/scheduler/schedule/schedule.go b/heartbeat/scheduler/schedule/schedule.go index 51755ae7059..543d0736c81 100644 --- a/heartbeat/scheduler/schedule/schedule.go +++ b/heartbeat/scheduler/schedule/schedule.go @@ -18,6 +18,7 @@ package schedule import ( + "fmt" "strings" "time" @@ -61,6 +62,14 @@ func Parse(in string) (*Schedule, error) { return &Schedule{s}, nil } +func MustParse(in string) *Schedule { + sched, err := Parse(in) + if err != nil { + panic(fmt.Sprintf("could not parse schedule parsed with MustParse: %s", err)) + } + return sched +} + func (s intervalScheduler) Next(t time.Time) time.Time { return t.Add(s.interval) } diff --git a/heartbeat/scheduler/scheduler.go b/heartbeat/scheduler/scheduler.go index 18f927a2d80..87db7075c44 100644 --- a/heartbeat/scheduler/scheduler.go +++ b/heartbeat/scheduler/scheduler.go @@ -188,6 +188,12 @@ func (s *Scheduler) Add(sched Schedule, id string, entrypoint TaskFunc) (removeF var taskFn timerqueue.TimerTaskFn taskFn = func(_ time.Time) { + select { + case <-jobCtx.Done(): + debugf("Job '%v' canceled", id) + return + default: + } s.stats.activeJobs.Inc() lastRanAt = s.runRecursiveJob(jobCtx, entrypoint) s.stats.activeJobs.Dec() diff --git a/heartbeat/scripts/generate_imports_helper.py b/heartbeat/scripts/generate_imports_helper.py index be85b8a2318..104ffd25d9f 100644 --- a/heartbeat/scripts/generate_imports_helper.py +++ b/heartbeat/scripts/generate_imports_helper.py @@ -1,11 +1,11 @@ +from os import listdir +from os.path import abspath, isdir, join + comment = """Package defaults imports all Monitor packages so that they register with the global monitor registry. This package can be imported in the main package to automatically register all of the standard supported Heartbeat modules.""" -from os.path import abspath, isdir, join -from os import listdir - blacklist = [ "monitors/active/dialchain" diff --git a/heartbeat/scripts/mage/package.go b/heartbeat/scripts/mage/package.go new file mode 100644 index 00000000000..50800a29b4b --- /dev/null +++ b/heartbeat/scripts/mage/package.go @@ -0,0 +1,69 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package mage + +import ( + "os" + + "github.com/magefile/mage/mg" + + devtools "github.com/elastic/beats/v7/dev-tools/mage" +) + +func init() { + devtools.BeatDescription = "Ping remote services for availability and log " + + "results to Elasticsearch or send to Logstash." + devtools.BeatServiceName = "heartbeat-elastic" +} + +// CustomizePackaging modifies the package specs to add the modules and +// modules.d directory. You must declare a dependency on either +// PrepareModulePackagingOSS or PrepareModulePackagingXPack. +func CustomizePackaging() { + mg.Deps(dashboards) + + monitorsDTarget := "monitors.d" + unixMonitorsDir := "/etc/{{.BeatName}}/monitors.d" + monitorsD := devtools.PackageFile{ + Mode: 0644, + Source: devtools.OSSBeatDir("monitors.d"), + } + + for _, args := range devtools.Packages { + pkgType := args.Types[0] + switch pkgType { + case devtools.Docker: + args.Spec.ExtraVar("linux_capabilities", "cap_net_raw=eip") + args.Spec.Files[monitorsDTarget] = monitorsD + case devtools.TarGz, devtools.Zip: + args.Spec.Files[monitorsDTarget] = monitorsD + case devtools.Deb, devtools.RPM, devtools.DMG: + args.Spec.Files[unixMonitorsDir] = monitorsD + } + } +} + +func dashboards() error { + // Heartbeat doesn't have any dashboards so just create the empty directory. + return os.MkdirAll("build/kibana", 0755) +} + +// Fields generates a fields.yml for the Beat. +func Fields() error { + return devtools.GenerateFieldsYAML(devtools.OSSBeatDir("monitors/active")) +} diff --git a/heartbeat/tests/system/heartbeat.py b/heartbeat/tests/system/heartbeat.py index 3c93396c7ed..388c4ac42c4 100644 --- a/heartbeat/tests/system/heartbeat.py +++ b/heartbeat/tests/system/heartbeat.py @@ -2,11 +2,6 @@ import sys import http.server import threading -import nose.tools - -sys.path.append(os.path.join(os.path.dirname( - __file__), '../../../libbeat/tests/system')) - from beat.beat import TestCase from time import sleep @@ -69,7 +64,7 @@ def monitors_dir(self): return self.working_dir + "/monitors.d/" def assert_last_status(self, status): - nose.tools.eq_(self.last_output_line()["monitor.status"], status) + self.assertEqual(self.last_output_line()["monitor.status"], status) def setup_dynamic(self, extra_beat_args=[]): os.mkdir(self.monitors_dir()) diff --git a/heartbeat/tests/system/test_base.py b/heartbeat/tests/system/test_base.py index 683ffde212a..85453825329 100644 --- a/heartbeat/tests/system/test_base.py +++ b/heartbeat/tests/system/test_base.py @@ -4,10 +4,10 @@ from heartbeat import BaseTest from elasticsearch import Elasticsearch from beat.beat import INTEGRATION_TESTS -import nose.tools +from beat import common_tests -class Test(BaseTest): +class Test(BaseTest, common_tests.TestExportsMixin): def test_base(self): """ @@ -134,7 +134,7 @@ def run_fields(self, expected, local=None, top=None): heartbeat_proc.check_kill_and_wait() doc = self.read_output()[0] - self.assertDictContainsSubset(expected, doc) + assert expected.items() <= doc.items() return doc @unittest.skipUnless(INTEGRATION_TESTS, "integration test") @@ -180,7 +180,7 @@ def test_dataset(self): heartbeat_proc.check_kill_and_wait() for output in self.read_output(): - nose.tools.assert_equal( + self.assertEqual( output["event.dataset"], "uptime", "Check for event.dataset in {} failed".format(output) diff --git a/heartbeat/tests/system/test_icmp.py b/heartbeat/tests/system/test_icmp.py index 5e7fc551552..7f61a7430f8 100644 --- a/heartbeat/tests/system/test_icmp.py +++ b/heartbeat/tests/system/test_icmp.py @@ -1,15 +1,14 @@ +import logging import os -import unittest import platform import socket -import sys -from heartbeat import BaseTest -from elasticsearch import Elasticsearch -from beat.beat import INTEGRATION_TESTS -import nose.tools -import logging import subprocess +import sys import time +import unittest +from beat.beat import INTEGRATION_TESTS +from elasticsearch import Elasticsearch +from heartbeat import BaseTest class Test(BaseTest): diff --git a/heartbeat/tests/system/test_monitor.py b/heartbeat/tests/system/test_monitor.py index 9f5aa8d43c1..98ace615bd3 100644 --- a/heartbeat/tests/system/test_monitor.py +++ b/heartbeat/tests/system/test_monitor.py @@ -1,8 +1,8 @@ +import os +import unittest + from heartbeat import BaseTest from parameterized import parameterized -import os -from nose.plugins.skip import SkipTest -import nose.tools class Test(BaseTest): @@ -34,7 +34,7 @@ def test_http(self, status_code): if os.name == "nt": # Currently skipped on Windows as fields.yml not generated - raise SkipTest + raise unittest.SkipTest self.assert_fields_are_documented(output[0]) @parameterized.expand([ @@ -64,7 +64,7 @@ def test_http_with_hosts_config(self, status_code): if os.name == "nt": # Currently skipped on Windows as fields.yml not generated - raise SkipTest + raise unittest.SkipTest self.assert_fields_are_documented(output[0]) def test_http_delayed(self): @@ -83,7 +83,7 @@ def test_http_delayed(self): try: proc = self.start_beat() self.wait_until(lambda: self.output_has(lines=1)) - nose.tools.assert_greater_equal( + self.assertGreaterEqual( self.last_output_line()['http.rtt.total.us'], delay) finally: proc.check_kill_and_wait() @@ -125,7 +125,7 @@ def test_http_json(self, expected_status, body): self.assert_last_status(expected_status) if expected_status == "down": - nose.tools.eq_(self.last_output_line()["http.response.body.content"], body) + self.assertEqual(self.last_output_line()["http.response.body.content"], body) else: assert "http.response.body.content" not in self.last_output_line() finally: @@ -201,7 +201,7 @@ def test_tcp(self, url, status): self.assert_last_status(status) if os.name == "nt": # Currently skipped on Windows as fields.yml not generated - raise SkipTest + raise unittest.SkipTest self.assert_fields_are_documented(output[0]) finally: server.shutdown() diff --git a/heartbeat/tests/system/test_telemetry.py b/heartbeat/tests/system/test_telemetry.py index d6420c2c56b..aa0a5a40760 100644 --- a/heartbeat/tests/system/test_telemetry.py +++ b/heartbeat/tests/system/test_telemetry.py @@ -1,11 +1,10 @@ -from heartbeat import BaseTest +import unittest import urllib.request import urllib.error import urllib.parse import json -import nose.tools import os -from nose.plugins.skip import SkipTest +from heartbeat import BaseTest class Test(BaseTest): @@ -18,12 +17,12 @@ def test_telemetry(self): Test that telemetry metrics are correctly registered and increment / decrement """ # This test is flaky https://github.com/elastic/beats/issues/8966 - raise SkipTest + raise unittest.SkipTest if os.name == "nt": # This test is currently skipped on windows because file permission # configuration isn't implemented on Windows yet - raise SkipTest + raise unittest.SkipTest server = self.start_server("hello world", 200) try: @@ -64,7 +63,7 @@ def test_telemetry(self): "Start job 'tcp-tcp@{}".format(tcp_host))) init_lines = self.output_lines() - self.wait_until(lambda: self.output_has(lines=init_lines+2)) + self.wait_until(lambda: self.output_has(lines=init_lines + 2)) self.assert_stats({ "http": { @@ -90,8 +89,7 @@ def test_telemetry(self): self.proc.check_kill_and_wait() server.shutdown() - @staticmethod - def assert_state(expected={}): + def assert_state(self, expected={}): stats = json.loads(urllib.request.urlopen( "http://localhost:5066/state").read()) @@ -104,23 +102,22 @@ def assert_state(expected={}): endpoints = proto_expected.get("endpoints", 0) total_monitors += monitors total_endpoints += endpoints - nose.tools.assert_dict_equal(stats['heartbeat'][proto], { + self.assertDictEqual(stats['heartbeat'][proto], { 'monitors': monitors, 'endpoints': endpoints, }) - nose.tools.assert_equal(stats['heartbeat']['monitors'], total_monitors) - nose.tools.assert_equal( + self.assertEqual(stats['heartbeat']['monitors'], total_monitors) + self.assertEqual( stats['heartbeat']['endpoints'], total_endpoints) - @staticmethod - def assert_stats(expected={}): + def assert_stats(self, expected={}): stats = json.loads(urllib.request.urlopen( "http://localhost:5066/stats").read()) for proto in ("http", "tcp", "icmp"): proto_expected = expected.get(proto, {}) - nose.tools.assert_dict_equal(stats['heartbeat'][proto], { + self.assertDictEqual(stats['heartbeat'][proto], { 'monitor_starts': proto_expected.get("monitor_starts", 0), 'monitor_stops': proto_expected.get("monitor_stops", 0), 'endpoint_starts': proto_expected.get("endpoint_starts", 0), diff --git a/journalbeat/Dockerfile b/journalbeat/Dockerfile index b003f0da5c5..dd1d377f88d 100644 --- a/journalbeat/Dockerfile +++ b/journalbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 RUN \ apt-get update \ @@ -11,8 +11,6 @@ RUN \ python3-venv \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/journalbeat/Jenkinsfile.yml b/journalbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..12bb63f4cc6 --- /dev/null +++ b/journalbeat/Jenkinsfile.yml @@ -0,0 +1,17 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^journalbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@oss" ## special token regarding the changeset for the oss + comments: ## when PR comment contains any of those entries + - "/test journalbeat" + labels: ## when PR labels matches any of those entries + - "journalbeat" + parameters: ## when parameter was selected in the UI. + - "journalbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + unitTest: + mage: "mage build unitTest" diff --git a/journalbeat/Makefile b/journalbeat/Makefile index 62bf3778d21..85049183d4e 100644 --- a/journalbeat/Makefile +++ b/journalbeat/Makefile @@ -1,6 +1,6 @@ BEAT_NAME=journalbeat BEAT_TITLE=Journalbeat -SYSTEM_TESTS=false +SYSTEM_TESTS=true TEST_ENVIRONMENT=false ES_BEATS?=.. diff --git a/journalbeat/conftest.py b/journalbeat/conftest.py new file mode 100644 index 00000000000..2f3f8199559 --- /dev/null +++ b/journalbeat/conftest.py @@ -0,0 +1,4 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../libbeat/tests/system')) diff --git a/journalbeat/docs/configuring-howto.asciidoc b/journalbeat/docs/configuring-howto.asciidoc index c813fa2d151..93083ac4ccc 100644 --- a/journalbeat/docs/configuring-howto.asciidoc +++ b/journalbeat/docs/configuring-howto.asciidoc @@ -21,6 +21,7 @@ include::{libbeat-dir}/shared/configuring-intro.asciidoc[] * <> * <> * <> +* <> * <<{beatname_lc}-reference-yml>> -- @@ -49,4 +50,6 @@ include::{libbeat-dir}/http-endpoint.asciidoc[] include::{libbeat-dir}/regexp.asciidoc[] +include::{libbeat-dir}/shared-instrumentation.asciidoc[] + include::{libbeat-dir}/reference-yml.asciidoc[] diff --git a/journalbeat/docs/fields.asciidoc b/journalbeat/docs/fields.asciidoc index 158f4f672e8..bb7627508a4 100644 --- a/journalbeat/docs/fields.asciidoc +++ b/journalbeat/docs/fields.asciidoc @@ -95,16 +95,6 @@ Metadata from cloud providers added by the add_cloud_metadata processor. -*`cloud.project.id`*:: -+ --- -Name of the project in Google Cloud. - - -example: project-x - --- - *`cloud.image.id`*:: + -- @@ -987,6 +977,18 @@ The agent fields contain the data about the software entity, if any, that collec Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`agent.build.original`*:: ++ +-- +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. + +type: keyword + +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] + +-- + *`agent.ephemeral_id`*:: + -- @@ -1028,7 +1030,7 @@ example: foo + -- Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: keyword @@ -1244,8 +1246,7 @@ example: Quebec *`client.ip`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the client (IPv4 or IPv6). type: ip @@ -1308,19 +1309,19 @@ format: string + -- The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`client.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1407,7 +1408,7 @@ type: keyword *`client.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -1431,6 +1432,17 @@ type: text -- +*`client.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === cloud @@ -1449,6 +1461,18 @@ example: 666777888999 -- +*`cloud.account.name`*:: ++ +-- +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. + +type: keyword + +example: elastic-dev + +-- + *`cloud.availability_zone`*:: + -- @@ -1491,6 +1515,30 @@ example: t2.medium -- +*`cloud.project.id`*:: ++ +-- +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. + +type: keyword + +example: my-project + +-- + +*`cloud.project.name`*:: ++ +-- +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. + +type: keyword + +example: my project + +-- + *`cloud.provider`*:: + -- @@ -1801,8 +1849,7 @@ example: Quebec *`destination.ip`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the destination (IPv4 or IPv6). type: ip @@ -1865,19 +1912,19 @@ format: string + -- The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`destination.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1964,7 +2011,7 @@ type: keyword *`destination.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -1988,6 +2035,17 @@ type: text -- +*`destination.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === dll @@ -2116,6 +2174,17 @@ example: C:\Windows\System32\kernel32.dll -- +*`dll.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`dll.pe.company`*:: + -- @@ -2149,6 +2218,18 @@ example: 6.3.9600.17415 -- +*`dll.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`dll.pe.original_file_name`*:: + -- @@ -2220,7 +2301,7 @@ If a chain of CNAME is being resolved, each answer's `name` should be the one th type: keyword -example: www.google.com +example: www.example.com -- @@ -2299,7 +2380,7 @@ If the name field contains non-printable characters (below 32 or above 126), tho type: keyword -example: www.google.com +example: www.example.com -- @@ -2307,12 +2388,12 @@ example: www.google.com + -- The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- @@ -2331,7 +2412,7 @@ example: www *`dns.question.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -2448,6 +2529,8 @@ The stack trace of this error in plain text. type: keyword +Field is not indexed. + -- *`error.stack_trace.text`*:: @@ -2630,6 +2713,8 @@ type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +Field is not indexed. + -- *`event.outcome`*:: @@ -2659,6 +2744,18 @@ example: kernel -- +*`event.reason`*:: ++ +-- +Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + +type: keyword + +example: Terminated an unexpected process + +-- + *`event.reference`*:: + -- @@ -2667,7 +2764,7 @@ This URL links to a static definition of the this event. Alert events, indicated type: keyword -example: https://system.vendor.com/event/#0001234 +example: https://system.example.com/event/#0001234 -- @@ -2751,11 +2848,11 @@ type: keyword + -- URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe -- @@ -3049,6 +3146,17 @@ type: text -- +*`file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`file.pe.company`*:: + -- @@ -3082,6 +3190,18 @@ example: 6.3.9600.17415 -- +*`file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`file.pe.original_file_name`*:: + -- @@ -3154,211 +3274,278 @@ example: 1001 -- -[float] -=== geo +*`file.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +type: keyword +example: *.elastic.co -*`geo.city_name`*:: +-- + +*`file.x509.issuer.common_name`*:: + -- -City name. +List of common name (CN) of issuing certificate authority. type: keyword -example: Montreal +example: Example SHA2 High Assurance Server CA -- -*`geo.continent_name`*:: +*`file.x509.issuer.country`*:: + -- -Name of the continent. +List of country (C) codes type: keyword -example: North America +example: US -- -*`geo.country_iso_code`*:: +*`file.x509.issuer.distinguished_name`*:: + -- -Country ISO code. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: CA +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`geo.country_name`*:: +*`file.x509.issuer.locality`*:: + -- -Country name. +List of locality names (L) type: keyword -example: Canada +example: Mountain View -- -*`geo.location`*:: +*`file.x509.issuer.organization`*:: + -- -Longitude and latitude. +List of organizations (O) of issuing certificate authority. -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Example Inc -- -*`geo.name`*:: +*`file.x509.issuer.organizational_unit`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: boston-dc +example: www.example.com -- -*`geo.region_iso_code`*:: +*`file.x509.issuer.state_or_province`*:: + -- -Region ISO code. +List of state or province names (ST, S, or P) type: keyword -example: CA-QC +example: California -- -*`geo.region_name`*:: +*`file.x509.not_after`*:: + -- -Region name. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: Quebec +example: 2020-07-16 03:15:39+00:00 -- -[float] -=== group +*`file.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. -The group fields are meant to represent groups that are relevant to the event. +type: date +example: 2019-08-16 01:40:25+00:00 -*`group.domain`*:: +-- + +*`file.x509.public_key_algorithm`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`group.id`*:: +*`file.x509.public_key_curve`*:: + -- -Unique identifier for the group on the system/platform. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`group.name`*:: +*`file.x509.public_key_exponent`*:: + -- -Name of the group. +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`file.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`file.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -[float] -=== hash +*`file.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. -The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +type: keyword +example: SHA256-RSA -*`hash.md5`*:: +-- + +*`file.x509.subject.common_name`*:: + -- -MD5 hash. +List of common names (CN) of subject. type: keyword +example: shared.global.example.net + -- -*`hash.sha1`*:: +*`file.x509.subject.country`*:: + -- -SHA1 hash. +List of country (C) code type: keyword +example: US + -- -*`hash.sha256`*:: +*`file.x509.subject.distinguished_name`*:: + -- -SHA256 hash. +Distinguished name (DN) of the certificate subject entity. type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`hash.sha512`*:: +*`file.x509.subject.locality`*:: + -- -SHA512 hash. +List of locality names (L) type: keyword +example: San Francisco + -- -[float] -=== host +*`file.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +type: keyword +example: Example, Inc. -*`host.architecture`*:: +-- + +*`file.x509.subject.organizational_unit`*:: + -- -Operating system architecture. +List of organizational units (OU) of subject. type: keyword -example: x86_64 +-- + +*`file.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California -- -*`host.domain`*:: +*`file.x509.version_number`*:: + -- -Name of the domain of which the host is a member. -For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. +Version of x509 format. type: keyword -example: CONTOSO +example: 3 -- -*`host.geo.city_name`*:: +[float] +=== geo + +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. + + +*`geo.city_name`*:: + -- City name. @@ -3369,7 +3556,7 @@ example: Montreal -- -*`host.geo.continent_name`*:: +*`geo.continent_name`*:: + -- Name of the continent. @@ -3380,7 +3567,7 @@ example: North America -- -*`host.geo.country_iso_code`*:: +*`geo.country_iso_code`*:: + -- Country ISO code. @@ -3391,7 +3578,7 @@ example: CA -- -*`host.geo.country_name`*:: +*`geo.country_name`*:: + -- Country name. @@ -3402,7 +3589,7 @@ example: Canada -- -*`host.geo.location`*:: +*`geo.location`*:: + -- Longitude and latitude. @@ -3413,7 +3600,7 @@ example: { "lon": -73.614830, "lat": 45.505918 } -- -*`host.geo.name`*:: +*`geo.name`*:: + -- User-defined description of a location, at the level of granularity they care about. @@ -3426,7 +3613,7 @@ example: boston-dc -- -*`host.geo.region_iso_code`*:: +*`geo.region_iso_code`*:: + -- Region ISO code. @@ -3437,7 +3624,7 @@ example: CA-QC -- -*`host.geo.region_name`*:: +*`geo.region_name`*:: + -- Region name. @@ -3448,20 +3635,217 @@ example: Quebec -- -*`host.hostname`*:: +[float] +=== group + +The group fields are meant to represent groups that are relevant to the event. + + +*`group.domain`*:: + -- -Hostname of the host. -It normally contains what the `hostname` command returns on the host machine. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`host.id`*:: +*`group.id`*:: + -- -Unique host id. +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +[float] +=== host + +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + + +*`host.architecture`*:: ++ +-- +Operating system architecture. + +type: keyword + +example: x86_64 + +-- + +*`host.domain`*:: ++ +-- +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + +type: keyword + +example: CONTOSO + +-- + +*`host.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`host.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`host.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`host.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`host.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`host.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`host.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`host.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`host.hostname`*:: ++ +-- +Hostname of the host. +It normally contains what the `hostname` command returns on the host machine. + +type: keyword + +-- + +*`host.id`*:: ++ +-- +Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. @@ -3676,7 +4060,7 @@ type: keyword *`host.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -3700,6 +4084,17 @@ type: text -- +*`host.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === http @@ -3754,11 +4149,13 @@ format: bytes + -- HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 type: keyword -example: get, post, put +example: GET, POST, PUT, PoST -- @@ -3888,6 +4285,18 @@ The log.* fields are typically populated with details about the logging mechanis The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +*`log.file.path`*:: ++ +-- +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. + +type: keyword + +example: /var/log/fun-times.log + +-- + *`log.level`*:: + -- @@ -3926,7 +4335,8 @@ example: 42 *`log.origin.file.name`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. type: keyword @@ -3956,6 +4366,8 @@ type: keyword example: Sep 19 08:26:10 localhost My log +Field is not indexed. + -- *`log.syslog`*:: @@ -4924,6 +5336,17 @@ example: 1.12.9 These fields contain Windows Portable Executable (PE) metadata. +*`pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`pe.company`*:: + -- @@ -4957,6 +5380,18 @@ example: 6.3.9600.17415 -- +*`pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`pe.original_file_name`*:: + -- @@ -5188,12 +5623,12 @@ type: text *`process.parent.args`*:: + -- -Array of process arguments. +Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: keyword -example: ['ssh', '-l', 'user', '10.0.0.16'] +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- @@ -5384,49 +5819,127 @@ type: text -- -*`process.parent.pgid`*:: +*`process.parent.pe.architecture`*:: + -- -Identifier of the group of processes the process belongs to. +CPU architecture target for the file. -type: long +type: keyword -format: string +example: x64 -- -*`process.parent.pid`*:: +*`process.parent.pe.company`*:: + -- -Process id. - -type: long +Internal company name of the file, provided at compile-time. -example: 4242 +type: keyword -format: string +example: Microsoft Corporation -- -*`process.parent.ppid`*:: +*`process.parent.pe.description`*:: + -- -Parent process' pid. - -type: long +Internal description of the file, provided at compile-time. -example: 4241 +type: keyword -format: string +example: Paint -- -*`process.parent.start`*:: +*`process.parent.pe.file_version`*:: + -- -The time the process started. +Internal version of the file, provided at compile-time. -type: date +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.parent.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.parent.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.parent.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`process.parent.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + +*`process.parent.pid`*:: ++ +-- +Process id. + +type: long + +example: 4242 + +format: string + +-- + +*`process.parent.ppid`*:: ++ +-- +Parent process' pid. + +type: long + +example: 4241 + +format: string + +-- + +*`process.parent.start`*:: ++ +-- +The time the process started. + +type: date example: 2016-05-23T08:05:34.853Z @@ -5502,6 +6015,17 @@ type: text -- +*`process.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`process.pe.company`*:: + -- @@ -5535,6 +6059,18 @@ example: 6.3.9600.17415 -- +*`process.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`process.pe.original_file_name`*:: + -- @@ -5777,6 +6313,15 @@ type: keyword -- +*`related.hosts`*:: ++ +-- +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + +type: keyword + +-- + *`related.ip`*:: + -- @@ -6075,8 +6620,7 @@ example: Quebec *`server.ip`*:: + -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the server (IPv4 or IPv6). type: ip @@ -6139,19 +6683,19 @@ format: string + -- The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`server.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -6238,7 +6782,7 @@ type: keyword *`server.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -6262,6 +6806,17 @@ type: text -- +*`server.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === service @@ -6515,8 +7070,7 @@ example: Quebec *`source.ip`*:: + -- -IP address of the source. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the source (IPv4 or IPv6). type: ip @@ -6579,19 +7133,19 @@ format: string + -- The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`source.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -6678,7 +7232,7 @@ type: keyword *`source.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -6702,10 +7256,21 @@ type: text -- +*`source.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === threat -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). @@ -6723,7 +7288,7 @@ example: MITRE ATT&CK *`threat.tactic.id`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -6734,7 +7299,7 @@ example: TA0040 *`threat.tactic.name`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/) type: keyword @@ -6745,7 +7310,7 @@ example: impact *`threat.tactic.reference`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -6756,7 +7321,7 @@ example: https://attack.mitre.org/tactics/TA0040/ *`threat.technique.id`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword @@ -6767,11 +7332,11 @@ example: T1499 *`threat.technique.name`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword -example: endpoint denial of service +example: Endpoint Denial of Service -- @@ -6785,7 +7350,7 @@ type: text *`threat.technique.reference`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) type: keyword @@ -6872,7 +7437,7 @@ Distinguished name of subject of the issuer of the x.509 certificate presented b type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- @@ -6912,7 +7477,7 @@ example: 1970-01-01T00:00:00.000Z *`tls.client.server_name`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. type: keyword @@ -6927,7 +7492,7 @@ Distinguished name of subject of the x.509 certificate presented by the client. type: keyword -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com +example: CN=myclient, OU=Documentation Team, DC=example, DC=com -- @@ -6942,319 +7507,859 @@ example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256 -- -*`tls.curve`*:: +*`tls.client.x509.alternative_names`*:: + -- -String indicating the curve used for the given cipher, when applicable. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: secp256r1 +example: *.elastic.co -- -*`tls.established`*:: +*`tls.client.x509.issuer.common_name`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +List of common name (CN) of issuing certificate authority. -type: boolean +type: keyword + +example: Example SHA2 High Assurance Server CA -- -*`tls.next_protocol`*:: +*`tls.client.x509.issuer.country`*:: + -- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. +List of country (C) codes type: keyword -example: http/1.1 +example: US -- -*`tls.resumed`*:: +*`tls.client.x509.issuer.distinguished_name`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +Distinguished name (DN) of issuing certificate authority. -type: boolean +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`tls.server.certificate`*:: +*`tls.client.x509.issuer.locality`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +List of locality names (L) type: keyword -example: MII... +example: Mountain View -- -*`tls.server.certificate_chain`*:: +*`tls.client.x509.issuer.organization`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +List of organizations (O) of issuing certificate authority. type: keyword -example: ['MII...', 'MII...'] +example: Example Inc -- -*`tls.server.hash.md5`*:: +*`tls.client.x509.issuer.organizational_unit`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +example: www.example.com -- -*`tls.server.hash.sha1`*:: +*`tls.client.x509.issuer.state_or_province`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of state or province names (ST, S, or P) type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +example: California -- -*`tls.server.hash.sha256`*:: +*`tls.client.x509.not_after`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +example: 2020-07-16 03:15:39+00:00 -- -*`tls.server.issuer`*:: +*`tls.client.x509.not_before`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. +Time at which the certificate is first considered valid. -type: keyword +type: date -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2019-08-16 01:40:25+00:00 -- -*`tls.server.ja3s`*:: +*`tls.client.x509.public_key_algorithm`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. +Algorithm used to generate the public key. type: keyword -example: 394441ab65754e2207b1e1b457b3641d +example: RSA -- -*`tls.server.not_after`*:: +*`tls.client.x509.public_key_curve`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. -type: date +type: keyword -example: 2021-01-01T00:00:00.000Z +example: nistp521 -- -*`tls.server.not_before`*:: +*`tls.client.x509.public_key_exponent`*:: + -- -Timestamp indicating when server certificate is first considered valid. +Exponent used to derive the public key. This is algorithm specific. -type: date +type: long -example: 1970-01-01T00:00:00.000Z +example: 65537 + +Field is not indexed. -- -*`tls.server.subject`*:: +*`tls.client.x509.public_key_size`*:: + -- -Subject of the x.509 certificate presented by the server. +The size of the public key space in bits. -type: keyword +type: long -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2048 -- -*`tls.version`*:: +*`tls.client.x509.serial_number`*:: + -- -Numeric part of the version parsed from the original string. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: 1.2 +example: 55FBB9C7DEBF09809D12CCAA -- -*`tls.version_protocol`*:: +*`tls.client.x509.signature_algorithm`*:: + -- -Normalized lowercase protocol name parsed from original string. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: tls +example: SHA256-RSA -- -[float] -=== tracing - -Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. - - -*`tracing.trace.id`*:: +*`tls.client.x509.subject.common_name`*:: + -- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. +List of common names (CN) of subject. type: keyword -example: 4bf92f3577b34da6a3ce929d0e0e4736 +example: shared.global.example.net -- -*`tracing.transaction.id`*:: +*`tls.client.x509.subject.country`*:: + -- -Unique identifier of the transaction. -A transaction is the highest level of work measured within a service, such as a request to a server. +List of country (C) code type: keyword -example: 00f067aa0ba902b7 +example: US -- -[float] -=== url +*`tls.client.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. +type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -*`url.domain`*:: +-- + +*`tls.client.x509.subject.locality`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +List of locality names (L) type: keyword -example: www.elastic.co +example: San Francisco -- -*`url.extension`*:: +*`tls.client.x509.subject.organization`*:: + -- -The field contains the file extension from the original request url. -The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". +List of organizations (O) of subject. type: keyword -example: png +example: Example, Inc. -- -*`url.fragment`*:: +*`tls.client.x509.subject.organizational_unit`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +List of organizational units (OU) of subject. type: keyword -- -*`url.full`*:: +*`tls.client.x509.subject.state_or_province`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +List of state or province names (ST, S, or P) type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top +example: California -- -*`url.full.text`*:: +*`tls.client.x509.version_number`*:: + -- -type: text +Version of x509 format. + +type: keyword + +example: 3 -- -*`url.original`*:: +*`tls.curve`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +String indicating the curve used for the given cipher, when applicable. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch +example: secp256r1 -- -*`url.original.text`*:: +*`tls.established`*:: + -- -type: text +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + +type: boolean -- -*`url.password`*:: +*`tls.next_protocol`*:: + -- -Password of the request. +String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword +example: http/1.1 + -- -*`url.path`*:: +*`tls.resumed`*:: + -- -Path of the request, such as "/search". +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -type: keyword +type: boolean -- -*`url.port`*:: +*`tls.server.certificate`*:: + -- -Port of the request, such as 443. - -type: long +PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. -example: 443 +type: keyword -format: string +example: MII... -- -*`url.query`*:: +*`tls.server.certificate_chain`*:: ++ +-- +Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: ['MII...', 'MII...'] + +-- + +*`tls.server.hash.md5`*:: ++ +-- +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + +-- + +*`tls.server.hash.sha1`*:: ++ +-- +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 9E393D93138888D288266C2D915214D1D1CCEB2A + +-- + +*`tls.server.hash.sha256`*:: ++ +-- +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + +-- + +*`tls.server.issuer`*:: ++ +-- +Subject of the issuer of the x.509 certificate presented by the server. + +type: keyword + +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.ja3s`*:: ++ +-- +A hash that identifies servers based on how they perform an SSL/TLS handshake. + +type: keyword + +example: 394441ab65754e2207b1e1b457b3641d + +-- + +*`tls.server.not_after`*:: ++ +-- +Timestamp indicating when server certificate is no longer considered valid. + +type: date + +example: 2021-01-01T00:00:00.000Z + +-- + +*`tls.server.not_before`*:: ++ +-- +Timestamp indicating when server certificate is first considered valid. + +type: date + +example: 1970-01-01T00:00:00.000Z + +-- + +*`tls.server.subject`*:: ++ +-- +Subject of the x.509 certificate presented by the server. + +type: keyword + +example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`tls.server.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`tls.server.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`tls.server.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`tls.server.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`tls.server.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`tls.server.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`tls.server.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`tls.server.x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`tls.server.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`tls.server.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`tls.server.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`tls.server.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`tls.server.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`tls.server.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`tls.server.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`tls.server.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`tls.server.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`tls.server.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`tls.server.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`tls.version`*:: ++ +-- +Numeric part of the version parsed from the original string. + +type: keyword + +example: 1.2 + +-- + +*`tls.version_protocol`*:: ++ +-- +Normalized lowercase protocol name parsed from original string. + +type: keyword + +example: tls + +-- + +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.span.id`*:: ++ +-- +Unique identifier of the span within the scope of its trace. +A span represents an operation within a transaction, such as a request to another service, or a database query. + +type: keyword + +example: 3ff9a8981b7ccd5a + +-- + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction within the scope of its trace. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + +[float] +=== url + +URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. + + +*`url.domain`*:: ++ +-- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + +type: keyword + +example: www.elastic.co + +-- + +*`url.extension`*:: ++ +-- +The field contains the file extension from the original request url. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". + +type: keyword + +example: png + +-- + +*`url.fragment`*:: ++ +-- +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. + +type: keyword + +-- + +*`url.full`*:: ++ +-- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top + +-- + +*`url.full.text`*:: ++ +-- +type: text + +-- + +*`url.original`*:: ++ +-- +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + +-- + +*`url.original.text`*:: ++ +-- +type: text + +-- + +*`url.password`*:: ++ +-- +Password of the request. + +type: keyword + +-- + +*`url.path`*:: ++ +-- +Path of the request, such as "/search". + +type: keyword + +-- + +*`url.port`*:: ++ +-- +Port of the request, such as 443. + +type: long + +example: 443 + +format: string + +-- + +*`url.query`*:: + -- The query field describes the query string of the request, such as "q=elasticsearch". @@ -7268,12 +8373,12 @@ type: keyword + -- The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- @@ -7292,7 +8397,7 @@ example: https *`url.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -7395,7 +8500,7 @@ type: keyword *`user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -7419,6 +8524,17 @@ type: text -- +*`user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent @@ -7747,6 +8863,276 @@ example: Critical -- +[float] +=== x509 + +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + + +*`x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + [[exported-fields-host-processor]] == Host fields diff --git a/journalbeat/docs/index.asciidoc b/journalbeat/docs/index.asciidoc index 390b5134e3e..4ace63c41fc 100644 --- a/journalbeat/docs/index.asciidoc +++ b/journalbeat/docs/index.asciidoc @@ -44,4 +44,4 @@ include::./troubleshooting.asciidoc[] include::./faq.asciidoc[] -include::{libbeat-dir}/shared/redirects.asciidoc[] + diff --git a/journalbeat/include/fields.go b/journalbeat/include/fields.go index f493998cf90..ec06ec75566 100644 --- a/journalbeat/include/fields.go +++ b/journalbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "eJzsvXtTHLmSOPr/fApdNuKHOdsUD4ONuXcjfgwwM8TamDH4zJ5Zb9DqKnW3DlVSjaQC92zsd7+hTEmlegCNTfkxy5zdGbq7SkqlUql857+Q3w7enZ6c/vz/kCNJhDSEZdwQM+eaTHnOSMYVS02+GBFuyA3VZMYEU9SwjEwWxMwZOT48J6WS/2SpGf3wL2RCNcuIFPD9NVOaS0G2kt1kM/nhX8hZzqhm5JprbsjcmFLvb2zMuJlXkySVxQbLqTY83WCpJkYSXc1mTBuSzqmYMfjKDjvlLM908sMP6+SKLfYJS/UPhBhucrZvH/iBkIzpVPHScCngK/KTe4e4t/d/IGSdCFqwfbL6fw0vmDa0KFd/IISQnF2zfJ+kUjH4rNgfFVcs2ydGVfiVWZRsn2TU4MfGfKtH1LANOya5mTMBaGLXTBgiFZ9xYdGX/ADvEXJhcc01PJSF99hHo2hq0TxVsqhHGNmJeUrzfEEUKxXTTBguZjCRG7GernfDtKxUysL8J9PoBfyNzKkmQnpocxLQM0LSuKZ5xQDoAEwpyyq307hh3WRTrrSB91tgKZYyfl1DVfKS5VzUcL1zOMf9IlOpCM1zHEEnuE/sIy1Ku+mr25tbL9Y3d9e3n19s7u1v7u4/30n2dp//vhptc04nLNe9G4y7KSeWiuEL/PMSv79iixupsp6NPqy0kYV9YANxUlKudFjDIRVkwkhlj4SRhGYZKZihhIupVAW1g9jv3ZrI+VxWeQbHMJXCUC6IYNpuHYID5Gv/Ochz3ANNqGJEG2kRRbWHNABw7BE0zmR6xdSYUJGR8dWeHjt0dDD53yu0LHOeAnQr+2RlKuX6hKqVEVlh4tp+UyqZVSn8/j8xggumNZ2xOzBs2EfTg8afpCK5nDlEAD24sdzuO3TgT/ZJ9/OIyNLwgv8Z6M7SyTVnN/ZMcEEoPG2/YCpgxU6njapSU1m85XKmyQ03c1kZQkVN9g0YRkSaOVOOfZAUtzaVIqWGiYjyjbRAFISSeVVQsa4YzegkZ0RXRUHVgsjoxMXHsKhyw8s8rF0T9pFre+TnbFFPWEy4YBnhwkgiRXi6vZG/sDyX5Dep8izaIkNnd52AmNL5TEjFLulEXrN9srW5vdPduddcG7se954OpG7ojDCazv0qmzT2nzEJIV1tr/xXTEp0xgRSimPrB+GLmZJVuU+2e+joYs7wzbBL7hg55koJndhNRjY4NTf29FgGauwFN3VbQcXC4pzaU5jn9tyNSMYM/iEVkRPN1LXdHiRXaclsLu1OSUUMvWKaFIzqSrHCPuCGDY+1T6cmXKR5lTHyI6OWD8BaNSnogtBcS6IqYd928yqdwI0GC03+5pbqhtRzyyQnrObHQNkWfspz7WkPkaQqIew5kYggC1u0PuWGvJkzFXPvOS1LZinQLhZOalgqcHaLAOGocSqlEdLYPfeL3ScnOF1qJQE5xUXDubUHcVTDl1hSIE4SmTBqkuj8Hpy9AZnE3ZzNBbkdp2W5YZfCU5aQmjZi7ptJ5lEHbBcEDcKnSC1cE3u/EjNXsprNyR8Vq+z4eqENKzTJ+RUj/06nV3RE3rGMI32USqZMay5mflPc47pK55ZLv5YzbaieE1wHOQd0O5ThQQQiRxQGcaU+Haycs4Ipml9yz3XceWYfDRNZzYs6p/rWc90+S8d+DsIze0SmnCkkH64dIp/xKXAgYFN6LdC1F2rsVaYKEA+8BEdTJbW9/bWhyp6nSWXIGLebZ2PYD7sTDhkR09ijO9Pdzc1pAxHt5Qd29llLfy/4H1a+efi6w31rSRQJG967gYt9wgiQMc9uXV7WWJ799xALdGILnK+YI3R2UBOKTyE7xCtoxq8ZyC1UuNfwaffznOXltMrtIbKH2q0wDGxuJPnJHWjChTZUpE6OafEjbScGpmSJxF2npL5OWUkVnOIwNtdEMJahAnIz5+m8O1U42aks7GRWvo7WfTK1kq/nPLBUZEn+Kzk1TJCcTQ1hRWkW3a2cStnYRbtRQ+zixaK8Y/s8t7MTEG3oQhOa39j/BNxaWVDPPWnitjpxHN+1t3lSo0YEnh2wWj+LJO6mmLD6EbjC+LSx8fWOtQmgsfkFTedWJ+iiOB7H49lpmwOg+u9Oj20iuwXTi2Qz2VxX6XYsxuiGDFMZKWQhK03O4Uq4R545EITWr+AtQp4dnK/hwXTSiQMslUIw0BhPhGFKMEPOlDQylbmD9NnJ2RpRsgJ9sVRsyj8yTSqRMbzIrbCkZG4Hs9xNKlJIxYhg5kaqKyJLq0dKZQUer+SxOc2n9gVK7H2XM0KzgguujT2Z1164smNlskBJjBri9FZcRFFIMSJpzqjKFwH7UxByA7Qy5+kCBMs5s6IvLDBZ+sIUVTEJAs1dV2Uuw63d2Ap3JeA4VhGVKQhXDqLONjl5I3wdCN7tohvo2cH56RqpYPB8Ud84GoXngHo8EyeNdUekt7W79eJVY8FSzajgfwJ7TLrXyOeICaCmXMZYjlid1+9IV+UjIGOpQu+TKc11fSNkbEqr3OCQzR8be/A2WhPM18HDz1JaGnz9+jA6g2nOW7rEYf3NHcrEgXvTHjZPj1Q7AuSG27OApO+3yR1BC95UempzSoJiM6oyEB6tbCiFHkXPo+A44Whu49Jqn9Nc3hDFUqtXNVTXi8MzNyreTDWYHdjsF/bxCDI4gJqJoDLYZ87/cUpKml4x80yvJTALarulYyGdqdCsZEW7xqRe11FgM2PawuGkcY8lo6jQFIBJyLksWJCPK416hmGqICveVibVSq1ZKzb13MqBIloL1Hj03M9OD8SdnbCgB4EeGCHAHUsLlpj5ba6niOFHjdYRkZ/A3l6VrixC3Ki1AsaFBe+flcANAH0MNSxvyewZrMavkKYzpBWscL/W4UR7E1IwPOF4G36eYCqEw4OiGs0yollBheEp8H720Tipjn1EeX2EQpTnCDrIdkaSa26Xy/9ktXJtF8oUKNyam4q67TiZkoWsVJhjSvPcE5+/ESw3nUm1GNlHvVCiDc9zwoRVLx3don3SCi4Z08aSh0WpRdiU53lgaLQslSwVp4bliwcoVjTLFNN6KJ0KqB21aEdbbkIn/wQ2U0z4rJKVzhdIzfBOYJg3Fi1aFgzssiTnGuxWJ2cjQv09KxWh9mL5SLS0dJIQ8o8as05MA8Nhza/njCh642HydD9O3BdjRFlTyhRWCa+FyKxC2yFejeOEl2MLyjhBsMYjkrGSicyJ+SijS1EDASq927Faikr+113gVCdPd3gE1WRhmL5HtI/2Hi08zdcagPxof0DrTvCwuDPpSAJZZ3er9nYagCFhD6B0OB6O4yeNOWdMJik3i8uBDASHVmbv3Z03VkdgNO+CI4XhggkzFEynkbEiTNaB71QqMycHBVM8pT1AVsKoxSXX8jKV2SCowynIyflbYqfoQHh4cCtYQ+2mA6l3Qw+poFkXU8Ae71emZ0xelpKHu6npHJBixk2V4X2dUwMfOhCs/jdZycHVtP7yefJia2fv+eaIrOTUrOyTnd1kd3P31dYe+Z/VDpCPyxNbNkDN1Lq/j6OfUOL36BkRZwNBKUxOyUxRUeVUcbOIL9YFSe0FD2JndIEe+nszWJiQwrlCiSpl9sZwwvc0l1K5i2cEFpU5r0Xb+oZC8HJSzhea2z+8hyP1x1pHIJxKE7lxwX/D0e5QwAU5Y9KvtmuHmUhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzCmoji5T0whAeaxHlyFoQ0zxHhsogpC42x3pDjXYsnZ9c79ouTs+sXtfDZkrcKmg6AmzcHh7dBTRo2b5O08dJ7rG/BzYVVL1FLOjmzEzmdAQNTTg8uggJOnrFkljhrEs1jQwFBbdMbmhqujXBWIp3TKrVgfhQzkkuakQnNqUjh6E65YjdW5QEdX8nKnugWxu2iS6nMwwRcL+Roo3i/1Btjw47/veADddsHyHuNVZ/h258k3W034ejsyTJC5+37ceb24Dbit9xJG6ZYdtknVz7e9WaVmzmfzZk20aQeRzj3CBZSlizzIOtq4sXRsP8/1T4evKai4ZwuOpUKwkiSGcj2SSqLFcI1WYk+t11PGE7jXEoZM0wVcBWXiqVcW10L7CgUtV9wxEIYUTXJeUp0NZ3yj2FEeObZ3Jhyf2MDH8EnrI61lpALtbCUaiQaDj5ye/Xh9TpZEM2LMl8QQ6/qXUVtOafagF8DY2lQMRfSEFD6bliew9ovXh/Vzt+VVCbV1Ur3Lq2R0SAJI8tL2P4vQBFsOrUH+JrZWZ1M4/bwGbt4fbQ2Qm/OlZA3wlvJGmARh/qRN0cCikpak70bD67ILvG05w3DWjzWGALq+b7JBkjmNoqpN2I52oHvG2RTaaaSYSkm1sjQcC0VmoPt5OijKhiYSeT0No5BBXl9dHAGoRC44qMwVEwqq93VsYLyfKDFWfGfwAReZkm6AEyrPO+RJL9Lw4xd8KomdkkwHSgY9JrynE7yrjB7kE+YMuSYC22YI7EGbsDO+tUIEGYfngJxkYPF4HTjUKYu5grX513lYJHcKHNqrATSQ6gI54DqcrwTOFkXiDnV88G0dcQU8B07j+XJqVSKWdG3EfA1RcM4MChBqJBiEYePohAXkcp7zVwwyxhWwTM0aMMHu7pxCDJMpZjiXtG8MScVmb2SakcO8VHBfUQ1SExTh5SCDgZzdqF4PAX5q7G087mVttGqAsGFXHQXHfE0Cjyt4TmWFS4vOI79F7f7jTHRgCDpBf8CDEXAGTpVNAQf12GV6ADCmCSvTkBkErk1jHJK3jCjeIrhTToOn6KCHB9uY/CUpb4pM+mcaTAqRaMTbrSLXK2BtJTbDLhuRM5yHcJymiC4cVUlXEisYoU0IYiHyMponrFopjZkCBMlLmbTL8gTmKhfdQaxZmw4DloPBMGpbnKv8tlhua5BdQh7iIswBXPtcFx/9aJGEM4FQbmx44RnIdDanegFyfh0ylSssIPZj0N4sb0H7TFcN0xQYQgT11xJUTRtRjVtHfx2Hibn2cg7ZYD+ydt3P5OTDEOhIUigajOXroD64sWLly9f7u3tvXrV8nOhiMFzbhaXf9aewMfG6kE0D7HzWKyg+xFoGo5KfYg6zKHS64xqs77VsuC5+LXhyOHExy2eHHnuBbD6Q9gGlK9vbT/f2X3xcu/VJp2kGZtu9kM8oDgQYI4jTLtQR/ZG+LIbKPloEL3xfCCKmbwTjWY7KVjGq6YyXip5zbOlHNGf7eOCs+YnTPzhjPN+6I0eEfpnpdiIzNJyFA6yVCTjM25oLlNGRfemu9GNZaFRfKBFOZv4Jx63+DqWGbvUfCaovTob97LMGDlv/HL7BX0xZ5q1E0Qa4hrcdBMuqFrApCRMqpcPOcTg8HtEqImUOaOiD20/4k8gydIShAWOcZYOFos+F9XT9akZVbHVMOwt8pIHVRtqqsGCXg6yjLuQti6WgdKZstdGakV1BKUnDr1COdyliczstZ2qRWnkTNFyzlPClJIK87g6o17TnGexR86qUarSxs9HXjN6zUgloqgtPIb+1foVfz7r8cOwN1STSqRzll6xnhj/43fv3r67fH968e79+cXx0eW7t28vlt6jCjMSB3JcnePwDYYdSD/wuzoMgKdKajk15FCqUjbC8O9dCqCRLXNf3nE8Vs+NVAzl03gre7aHpPOmyfrvdk8pRPrVr9/2HqRhYeKdD20ageRq+VitNYIo6uKgpMgXzRysyYIYKXONUWwUzAyQFcPSK5RNkQ47JPOwgwzE+pl47ec7aGKBK6XJga6ZsiJfRujMCuGRNjdnNQ8Vpilp9h432kD+PWdpGcTUFwcweUfG4c6Iv7wjDjg82Iz1dFGYnXzeKMOwZKldjQMyQIFE4Ozjzhsnp/EgUXJ4dFfNWV5GVg1QdNCLF4bWToUSC3uzGh7MVsvcWEMaHurF86wp/PGCzgYVRmOhCiYLIUQIkCW0ScVzY/XAHtAMnQ0EWU1ZDi46a5mZo5T1u6ePUtfvSF5vi+kwq8sDb8w74HbUi66jJIIcijQ7lCCKo5OCCjpD5s91TQgdIQpT5iM+EoUcx5zkqPX1HbwkevTu0HRkuNHTEHaEbvGNZuZ4z5hRNPp9cejIflwc+rcYKN2I814qWjrcMq7axCNFS4dhIWr6KVr6KVr6f3e0dHwwfVCNKy3T3q8vFTIds8KnuOmnuOnHAekpbnp5nD3FTT/FTX9PcdPRJfa9BU83QCfDRFDz0s4W3/T3hA2zRrxwqfg1NYwcvfl9rS9iGE4N6CHfVNA0ROlGxhm3UjDZ1LgxkkwWgIkjBiWGHn+FQ4RBP0Bs+3Kx0LfS8tcOiM46EuVTVPRTVPRTVPRTVPRTVPRTVHSb4J6iop+iop+iop+ior9llvbZUdFZjteL9369fg0f7y7Lu0zEFcSb5HyiqOJMk2whaIFqlEe5pJmvfOyKrIJJxv38hoqFq1IXF2l1JaMkWdFzCkmOjXlWXIFcHz6Lhh4fSzepQjV8CPBgBseDWvQ0zz3qpjLP5Q0Xs30Pzd/IES5gPefiys23IM/GSZbn4zVX+M6riFKQ37jI5I2u3z9HcN9iZM6zcaJl33vvBf+4DjJbZ+0dWBpgLHI+6RuwoOnb8+Vdgc2wvOQ7intrQf4UBvfth8G1t+yvExXXWtlTkNxQQXItRD/FzN2CJysxJkW2OxBDfHO0i1M8CB49p1sDAXT+y8HWp0G0vftiOJi2d198GlS7zn47CFS7W9sPg2ogDt3Qdp1w074261KaBS21N3rHPB1aHUlBMq6vusfmiinB8ufbiZd8l1huSc1Qat1PVZ4jxHaSztpbwB/uf3CC5QesOf18+8MnLQgsjCUVi4GWdRLKzuA0nQ0a+WSYjEBrjqLkOVuHGNdHvYhLlkSADb3alov8ExZ7RuM4gvsXZ4e/7K2V/viru24WTn/gyl4kz5NXLzY3k62XO1u7D1ii7+BzCWsdNNHNLfRziPX87ODk9CI5/o/jByzRNdAZel1ums9Z30o4jR8+Hhx7NRf+fhsUVuRNK3cjIFggRKOs/tHp+X0WiJ8asbZ2wqPTc/JHxcDSYAVVKvQNi1p32d9dYrYTWBmHZNdQSrmuee/HWpBScQm2hhkzWEkah3WDPhtnQkOa4z48P15zTXQWfpJ4dLA6+1LMaC6r2xm5EXHaEDqs0VlCdWybcDCgWH3DFKv3Di2nXOM4XSjx1fHaQyKDGyt+9Jj11QNBqFJ04ZGBWHbvo5uIpnMHBtGu6rliplIiMmj6ZniuDFgkMTAC1u0rtnAoq+N1/d7gFmjm+7I1wpEnC3J8eF63zXiHJdxxrLmV4aGtQmwEKOrl4I9+ckFu7FvHh+du+HYEkt1mS34Q9YR+fOxaAr80Q8rtc57MyYEhBRe8qIqR+7K2CrhFFVbjiztoje0sYwscpP53lsF17RsZWWErDEntaCkIK9z4No5Uk1JqzSfob8igIrm9+WltKnFGQx933A8o1STFjjaNOPYWRSZpTgeLWMecfYrROWFDfG5BhhTDofERxpRgYf8Oszw57QU9qtswiIsboI24I0YstDpFusPBKBZN8HF0+GrJRKa97wWyrIFheZTEA/q1dwTtrc3E/18vFoaMW7xoOuEtxUXpyi3QSYll7nWzcRB1xhA5JYenB2+O7YGYMIss+35+zbJRzJxWVzUZo7OkZjEmyl+QwjdekkoxXUqL4mDZiwaBc5mQk8CrhDTe094e0zc3HEN7Bh8sP7Y3D4PGpJ1tubm5SW4Jw/A7Y8wyLufbApUs7iEzB2LIrsFCajk3rBcQ0LsJ3uZE03nM2NkU+FIjz4LrlKqMZQn5nSnpc+gLsNnMXSgqstAaf5MaaThFT1x7P50OWMfgYl7XMPhEFgOk2bQYMJoxdTnNfXPIIczfcGfLKdkmOTOGKeCSODOBmRuFSEpsZVQXO9gnBwcjcnE4Iu+ORuTdwYgcHI3I4dGIHL3tkKz7uE7eHdV/NuPHB3NP2x2yS8PYvdhNTTWYjeuWt0rOFC2QAkOb3oAE+wiIZZhcEw0EWWslr/NxkDnoHg1qe2trq7FuWfbEFT/64p0nSgo0l6MYhemwzhx9xQUE0KEA25BpSWhpGkcvQS9G43FXN4fBwHIcBmVkwAw4CeMxb8XRr++P3/2jgaPAGb+YxODa/LjbAvWSe4WDBgMf8l6EC7EFWnzvBXNaqyCTkGK9VFwY6NeXzim0tFaaPJuwXN6Q59uQeGchIFvbL9ZGEe1L3Xij5uVBQ8J2TEyntLRnimpGtjbhCpnBHB+Ojo7WajH8R5peEZ1TPXca3x+VhKSmMLIbKiEXdKJHJKVKcTpjTnfQKKPmPEq/mzKWxSOkUlwz5YKDP5gR+aDwrQ8C6I85n8aD7tiwzV89FvYp/vWbiX8NRBGQPyQxhElAxastC26BdQvBDol2GYUbaA4qoUusAKCBEYaZRjVqdDXZtuvcShxWgDRGDZzXEDacjF57rcdYGSGJCEmMojyH7oJMcdkv+PYj/Sn6GNnfU/Txg6KPa/r5MgqC05PuFioODg6akrHXVS8/J4fooGOiy3NycmZlOAa1wMaxaWPcsjH4H8fe1Odoh0+nPK1ysCBVmo3IhKW00sEyfU0VZ2bhlaOYUAtqtFUK7VAOrIQcfzTKt/wD+KIKAx5Qg+3PJQGraISccS2uQst3boI5C3slZOyjfbuwVBIPjSIBvgS/M6o5hKiFEevmeiipWOF2Krt1FYN20zadNL/bam8wSMJfQhHwc/WnGp6+hVigBnQDno3V+HAEA78P2chGDtFWJgX6a15e0MOwLtcTOQgglGXGr5mG7oWRa6HRzhAeSxWLQ6UyocMoU4St7SNYFooaAG/wd+6ABhCt+aGNOWChZMqt/5ks0fqaL+wQWspwrzhtDU/HWkIORAb1WlMpasXVYbV59m93VHh7vtXjHE/o8NJg+A3V9dKGC+j48D4X0Btm6HpsrPbVmZw1evnCfve1mVbsj4orlkGhs0eIcDg+PA9+VLjHAn7tYjQxMiFjlurEPTTGCH8PRs0EQTAC1lNpg/UJIdo777QPJeS3ORO4Z7CB2LU/yGtcZDxlmqyvOyOpc2BYgCw+dc5nc5P3FaWNVgPvR8G1ObMs2upvyrUppdk/Lag+TTGds4K28E8873dL6BqVk81kM6YcpWSjENhx+GLpEGZoQ++dQS7iEsh3AXaNgMf32NC2QPkBn3NuoLJkUNAlZ1gC2aLZMwIIwk+pvYVu8PYJdgzce240y6e1ok0Fjv4AN91AyeWATDT6tNwJCOCdNrhhYvpDekgPBM7QdA8YUfB9z2K9saoxsDY0vbq00sVfIQ3qAoMvU2jenLLg+wGMWmItc/ARso+tfkZfSNANuzvCk+ZK5ZpgYovDF9jHlJV1pnHEKv5Jr2mSUzFLTqs8P5Pgjjj2j8c85LrVUfz4eomG4qGRb28hQd8duT84PJdeXcGag4qnDV4QWM6BfbTVstyyh/ad7G9iaAhWMDPHcxp4U60pvJaBM8HFwUWaV66OO3htqAmuMtC0xKweI9QUtxPVi3Dj+aGoT+ewVKaML2LvStPXDdadTR0VmpDW7sb0/m/Q/eLE7RGW9+rp0j5h5saK+TS0Y3byjLoObmaczDU4Z1DDP82ltms78DtxP7qxlIQ/x1JBbS0otpOTglFdKVZgFwAImu7DbPQYBPoaesUCDcdojsmjxnHBCgkRKkxDP203XFZj2rXVvuaBZxlWgCG/Uiwh5wz3fIzl5+xFN8Zlc+MKPANT0HUL/MiTH45wHJHgILXzamP19MYlvlw1/iWq7XyyroCjBwXBOx+a9feclSPUk8FCk3FYhIjeIidQ+hNIoBZB51R4vPpO6OPadB021zKMMSBknWbZeETG7tysw7lh8NWU52wdxfxsjL4j70Fp3AYg30dBK1gfs8yBwvpq+FeaqfWSam2RuY5hSU2ZwoE+zHZgAgwcpCmZWjXIypKHOKcvkoaBXqhhg5RKDe5IbQsDZcUZtNzW2IE88GTOmaIqncdxxO29qcU/3O6VCZ+RSQX1NlYsfNGInOmmUS2SyHPDlON2rSn23c6OycJdFkFMx94izsrlHgtjQtoENwvnO0PJmmvkWfki7kviZrSbMnad/l2KkWVj9YhEVxMPVpvqw/hejXPzgg2N5rm8sRBa3TJtbpS7d9ySIlMcNVYOga0J+kaEya5qWJm5FfWiulu3y7iPZ0o4cfJlGrk5QzQdLApyxUG/hoy4CHNRdUsfslVpFi6NjOlGZw8nYGpSiajU5YgoNqMqy+PdB+4PTxMrx1T2D6mIXR7ocaBP4UUjr5mCW8Zq8UFk8pIdj7eE+aBNlHPIyVF3G3Ze7Ow1kY8c6B5ekNXGiCZ+3WnAQTrtaNgG3I83VksNvBVuxSlXUUKNYhR4m6XOGeyJVPYzWFFKXrIcej/cQtMZtzJE6orn/F+oH2poUSLboCb+ysRtUE1sJQ+3OUNro5X3fDGeEI3TvlJOBCnslay5qVAZHrmQQ3MjSZjWHbQJ61G5kfX7j2kczSJ8pjVmLOUpJBS5Sjw5hNWgYBRbm1yEgou3RBKvmUQstsC2wKuAdNyTkLGbEW4cl2hBUkjBjazj++ohVldBLfY7Zj/6Xi5GkivGSlKV6EaAl+LD1cSqVasR0iYe7dWKJy6l+Sje2dq9G+Wmx1lV25tbL9Y3d9e3n19s7u1v7u4/30n2dl/+3oxCzKihmt1XQenzKz7gNK3ANNHACLpWwBFeYClbKjDYzOlTVoWQyl83WN+Lpo17JpezkdP/cjlbG8WTh1vESCfjLOratdF5TWURld/Ddlc12LDpiqWyKIBnQy62kCZYtmB4K/c05gZVLwTJFTKr8pr0sYYHJmuj1ENJJrH9legM03PZlDSdsyTCRdjeSi1T+LGnQlbrTS7Kylz6HwUV0kXCef2vMvEDVL/hec57n0EHG9DIVi/hHLmpGzY0Ap7AMG2TkpBPIdbtmcfPzKpNijkfpKmdfo24xj5e5BkNzC4yrwrYPeWd6iJMLBO0dduVUoPauU3aFwnSm704/fderAqA27sGfIZyAupiq6r9gGU9fqF6Tp6VTM1pqe3h08Z+M+VixhSE26yB84/euJvMSLsBFP1Ske2nkEIbZZcPJgMwvFrJsU30dT+pvr8Ofjw8+mJWvZMju5pQMj1Sxlow79Gd6e7mZtaETMxYN6l6eZnkItwJQBeBq1Kl+LWPwGRQfFTR3AWUGqk6EgbIFr7eBAgD4/rCiWXxFl16cSFfEJmmlVIsSxynrG/iXMvO6A1pKp6gYBR7ovu8ZUzwsfd1VImfBAGKaHrTqwOfCKdU2tOFSr9Vw7SuCisxCEns2kDbGQVJwd293jU1V1LIXM4aRT/sVSOvfFgA1/sNXJH/r724+hu/3eOl7uzdZGtz6/els6OveJsZfWN6rg/g+iRFF4076FG0A637Udq2SUhP8WJD/LPp1OH3XBcDcKDFFtrxIkecL1IdHKK13aRXg3bxwV5rQX6HYvus4npOaM6U8YIMnIWGdawVd4CXVnO0loyKayRzeePkcYsqgKCRLRZdcGRORZZDXOGcLcBVdmNVZWGiY6qYXTMYK+svUcwAhCiZ16vmBkaBkw5NYSAASxtLDDdzBmlqIaIdW4qCo8+AW3BW5VSFUPtadVRWuOoReXLm6n4Gp0ksUw0myOIsUY4JRD3DWtqSovOKO/UBFBTkVVVZSuVMNKkUKSsh5AmHRo0ir2YgCXQtKbVbnsJJEF56Rnn4AERBuH/XRv7c4MjjVvhZQxWsXRFgBrTP3yZnNrDuef8QeH9nmTr7aILxwJKzMFyF0/fekf8dUsMtSrSV2CEWhqF0l8n0MuphmHFtJZMMDKNYDgzUWWY5E8tqorfSv4vfgShgozi79rr0+BL3pofVn7OSbL0im3v72y/2tzbR0n14/NP+5v/5l63tnf/3nKWVXQB+ImZu7xFoEcMUfreVuEe3Nt0ftRRoeYGu4JxOK3svayPLkmX+BfyvVum/bW0m9n9bJNPm37aTrWQ72dal+bet7efNOruyMlYx+qYvF6s+ferd4tY39sF4GRMQiB1zLrwxIiMr9VgGX06tM1KeW6klGFRKpnyYdbg/oIo7GmwwnZllvSLMqTQuVQHFO5/eCzWfnSsgMvRnDRMlcgvM72pdfJZX+6ItEXev764WYkbQehctdngn8tomEi0wAv3AXgUiwO8FUYqhcXAJlLLy+hp5FtaGn12SGd7PYdA6PBdFMrdG0PXrimh1cmyoSxO0b7xP7ejRfahDxBUyZnkN1TniDV5qW6/jsBK3sXHI1k+VAnqq0SJcwqzj7GA6g4RcK91qLVPn4cN9uEXkMA3uVtcWsYPXKJi23LSWMvysZh6b3vetRDFu9G6lYhFEFlBCOeQMesBIJhny1YJe1bujmdA9V4lDa4PFDNzGdvU8xKf1nTM0IsOpwuvZh9KeL7SzPHVtzq/lLLKxFigsNS7WOijOK2b+TulpFEG0nJobqthd2VfusMB1f77QhZXO5saU2Ro2v56ib8T1OHIDt4vwhRGfYdmVUV2dZN0tcd3fQesHlVWdxGzttio0jW2ESoSROeXR9/Gdn4C8f/ea5Fxc+djqu4vZeRdIWyjwo2D1RPD58jT2ITscRiOQg0iCH4XrqJHIHykt+yCuWhaqGPK9QgrwrgAzDB4a7M3VQbLdXb2/seG6Wl0zkUmVpLLAnmsb/7K5CaaPZbVExfXVpY4u79uu82kuaW+M0TuurwiMAOKq4lJxjHBuU6h2RES0zCvQv6Psp/eaOWM+rAzM6c71gEx6zlS7GV+A/dJq9kvQ2K2LWD0F0wD/k2Uw7D0LGmFMgk4peKTCIjYt2WxtbvaYUwrKXQlLV5d2ISvY9qaB2x1VLDAH6Zg6Akg3/Rl2iBtnHtHMkpOol4FYc4GRcH1hyc2WyVKzP6olT+jDelScu4F9a7VbeC1EbrUehfBQhN87AsAUrjtuyRF4ZehVM4WcfaSpIVJlzncdVN/IPxl7J8OpDuazYJjuYOuaRR2AHqXNBGYwYrBNmKB5fhri1l3+o99CrniQ4sKIcU55lK+AT3kzt3f30ihc2jMnnTifR1V6U0gUjhF2AoJ33KzcKVGpFJprEwtEjjJjywdce/YK7K3r4C7fsJ4Js2iGvobjXM4SDb8n/vcklRkbJ573+q/rpIjYuFgHy2LNFTdFW8xtOqmQq/k2KfXRPDk6X0t8NlnjjSAXObIm3OrvNyLMiJHwVh6vQ9zDuKksMQjm9uVGURNhwd1L5GWTpg1dqkXN3W4L9Inc67hwYUCx6yKiCHRh1G7yW3wX9pz+WXeZHCAL427tobEkeyBqxmF3OCwILQsuGNHB3BRHcsVotnCU5C5rT+i1/Tm6JvEAeuIg0ioQN1w3VK00ZSVmNIdJfX4R1Cmg9vhLATL5yZGbfOW4UrJkGweFNkxltFiJsp3pZKLYNSof/vHzi5U11AXIL7/sF0XNTDjN/VPrm7v7m5sray022o26/cbMB2bO1SeGYEG0UtMy0IosWtHVZB1jsVbgph8hSWFcU3R3kFpR7cR3IXkiTx8RJux+6yhgy/HVDPydMrJI4KIg97BUdktB5nTatk/ravcb+4KhVE7hX5SdxmWVGqptyGpbexAwNhSY8xKZdM0pK3uEr5k2fOZX11S9l1AsBJxbPzSmUHCxnrHSzDuj45XUbNVO0L0GQlOIdXe5YgICb0mZ05Tdqp3copXUJ/6ztJNi4fSTYuGyrK2GAnNs7G6/3MpYNlmf7k4213e2t/bW915ON9d3aLqz93KTPt+bsru1F08PU+6M/C7G/Sf/+Y4Q9wMsTNqKh4bCHR3/EISaazKxclEzWMyFbNtfIXbOBynbsd3K/f7/BJVbXR0wJ3ZFphw44GDx9Vvko8D9ZyqyDanqxZJG1MvIVaIIdsPJAqc88XZv8qb2OvznTydv/suXTNR1vLe9ZHnK9FqCL7vwf2eF6Wn8TSHVmGWIzdZ6/HGMvMLO1PSguGmMxfoMwWT1NXVeYhJq6FrRwg/da1n1Jrh6KzWGbxlF0yswqaAVsCf8gxqj+KTqdDYeoEgR4j3MF1//4UtsFIHs+ZqqhaWN0G2G/MIUhqlBFRT2cU4rDeZLSGCXU3e3NLm1ZQvM1z7y8fTueNr7kF+zEdhyIZE4G9X9fewdBY0AYpcJ+8jSyrARmfMsY2IE4ZD4bynyxchxyBG5Udz0mA5X/3PFP7syIiv49Mp/fWql9afOEE+dIZ46Qzx1hnjqDGG+784QvaH9D5MdQA6CcUAYhLrRS4oLEFGHxNZ4vykspFH42mNJN7VA4GQuihE2kAnVL+/gb6GALQzjNhAlh6oEO864sFONncrH7VlhmoxhFeNIX8Vgf8zjwNrbwapnHx1ZTTMNw3lt0sMdV/Bu4auR9/fYVxw2SHa+ad3y1gWA2kSpW/31g7AzFJShwWHIug/qDLRyd1Eqjk3FebCZ4tdRdAQUuHRmh8gU0FnhxlwWbIPmHvNhpXa4SxzmcxfbS9xHCkRRLMR5x2qbhglgzIrl7JpGlua6dVlvNF2UPlGWTFlFFy+AhvkOrs+8r1X+4bJcCVAzYFMDYFlhks5els6uFJrmD1Zh9Ezxwl4E2O7y5Ig8+/nkaO3Oo7S6tbm51TzwtX44NITt3gE9LQbbB+CL9h76Sg2GvmIXoa/YKqiOxR8uOfPEjl3biL2gitxNhL+9Kal9VrZ3Xzzfe948LQUv2OWA1SzenLw5xjhqf7v47E+AFpTCZrciRbRRjELcyWRhIlNCpaEEgzMW3tzcJJwKmkg120CfNySAbhQs43QdLMHx38nHuSny/zw5OD2oWfx0ylNOc7Qb/9fIXRm+3FmC5YJ6csms/FGC3D9x1QTDmJjeGGK/o6X7TLtlGX8xHCW9sYQUo50LIlMrtgfqor2lRFY3X+xstkjoMyXSHoE0SJIUQolBdWgeswFLA5+2G2jhZR7q/fibso73N3FH6g7KfHHP9kUqb8RgkWpoPrYTrIIFRUHa3/330+O29/pqdX2glRh0EYv0k1FrI2FvsTRoR/ht6KdZJFQ+TPjduG3vn7qOPXUde+o69tR17Gt2HYtCefifDwzk6zF62UGsGAEyW6Qxv42Va+SeUMrHRTxwTVbsx55Cw1svnu/tNAA1VM2YufyL3FIXsBq8pyCYYlGAr/+LlZqDfQMJ9RlSYcYVeKgdJGsd6gvu5BBcMWi/ESu5gCHgPRgCVB0LHJVBfHbeshKg4HO7rSBYChhmjbs4gJ/dxzvCAH5mMq6VmVKlFpjEh04tWgv+YGrCDm2hMFGwpTdjPVwzVxleib1lobw4pmJjwCNL55A3XqcYWMhOzryLVCqnbKh1XVk9JdjGlyqhyc1iKP/Sod28XmH0jRRW72tmAmDsDBOD+btOG34uN1m3nrNUZk4OsLBdC8BKGLW45Fr2lJ1+HJThFOTk/G1/tenDg16QhtpBB07vJh5SQVvWbU/V94AyY/KylLHsFauIUsy4gYqKIiM5NfChe8L/m6zkUqzsk/WXz5MXWzt7zzdHZCWnZmWf7Owmu5u7r7b2yP+sfilVcvW9PYI+ZKglnNKAmpH3d2CQnZySmaKiyqmKXdfQTjOFCCvLbKIr9jAuRhLJFly5VGmItMZKS2SaS6lcyPwInXZxlb8wKIKXk3K+0JglB/mGI2APGCPS6tlYpzFBSCIXhFZGFsD9IvbWvegnUhsp1rO0sS+KzbgUQ56sdzDDXQdr/dfDPpgGOloOnt6T9WvFJiz9oc/O7e+v8MXtN5i9VNF4HZVq7Qlnh2d0HbzTco7EYe3LFxgftqdIo1hU8HiZsGDIDimYSyq5raUPFeT10cGZvUEPMC2z9p7F3USaLGQwIej2os+4KNeXEi2+GyFK60vxtxjnAFDyQ0+pIEefv/jP95QSnmPVHyDPmiLrnBP4neYzqbiZF6GyLFcu9CyKoWR55qLZsBIxhKXOsVUWhpq/OdodgQNjDei8VMxx64QcZJkHYxpCHjEC1w0xWUDCuEqp9kalJnDIjC2AaLvGehaQI6ZZSRU1MnQUproRXf1MC3qF8bMjgnlwc/r8cndr+yFNi7+0q+nLe5m+joPpS/qWwnmSulGb+xf/+c64ZQgSbsctu+xusDRUBsuoaENFlDx1fHgO7yZ/84fg1oz4bpwvTCpFXeQ51ntCEW1QNUGhua8YNKwVnTQtC+2cquyGKjYi11yZiuakoOmcC6ZH5EimV0yFTqLKpW78ezVhSjCIdJUZe1BVZpXOuWGpqe5NfP2UjX/bSrFuzNeRCD7uvbh8sfO1bli8C+U02jtPav6ave2OrQMrUPZMY/HVDrK6qm+7fcOIUpFTZn48eXve7fL1movqY8/YNdDRTGFEuPd9BYGeeI23pxdvz98GzNxjU5sxmXxDijSA860r0wjkN6dQx2B9I0q1BembV6wtkE/K9bepXNu9+RYV7Aiur6lkN6WugSBZ/cWNHd9IjUrBdT+DkCF941P1xx6yMSg29vy6hr5eK4T72IlD9yisj7Mep62iHBDHDR/ogEdfOo3mN3ShSQWvjCBX0FUaCEaHglHBxQwKX7i620xccyUh0KfRVt3tH/SerhSoiZUv+DaeMGqAEY3bWCjvwUJ/E0gQRnlZNz5s9V6i6QDI/cVt5m2zDkWjp3fSZ9R1EikzosqIGt8L/tEXEnGMEorK/VHRHIJ7wpiRLOfb20BlB9djPTT0qDRTiasCAl16M5byDKqtWXEUSKlm7tBVs7X5UidTWvB8qAiMt+cExyfPvJNGsQzStjM24VSMyFQxNtHZiNygONz1t+GTHbir/BFTmr+a/7Oj7uCuN6N0QsyD677WL/LS1OL7jfwnvWZtbEUFpgbY5fYacLYANqjbit64Qi4dyHeSnWRzfWtrex10cp62oX9cAepb2+s4gs6h7LbN/Y82Zry180vtrJ/PnWcr90k9ItWkEqa66wxTdcM7Z3jYkKEO8MvS49ZmsrWTNPvqDlZ2w5VXbl0rVoM/zGWVBWXc2wnqindOqsHgBSihPTbbScEyXhVjKKJzXbRKGzYsAcEm1Gish9XvwMIbu+BrOSSM2CePtKpOlEuGxd4WVXOObQpqSS4UFUAze3Pbnm/vNqe39+PXcrhA2MaQ/hZYHSsoH4qtW9WSwARe3kq6ANhr+JHD4b4af7YLXtUglvlreEroNeU5nfRkthzkE6YMOeZCG9ZiboAb9Ab9dT1+0SK/aedfBOeX9gO2gBiwc4hXPIHvgAcOyu4oDL1q8HJo3ugYlCBUSLEo+J9xN2lAYfj4PhReHMMqeDa2lIIfvPaN+k8qxRT3ql3wQGSuAngYttl0qYGnL9M8OCTEw5xdKB5PnfxqLO18LpUPtYXaEbXpv150Ixtigh0BgunHmEaAxS8XF2fw+XaH20/ebR1i/uxLUfNC1zmbjCuV+2pcmmEpThNh2AKpcg+vYn9UTD8g1MK/MJHZIomzqB5YqDN+tYncONq3BSaBWdvo3dt7eTuILuHnL3CRXjjjBm78nRj5heW5JDdSubYaHcwMsG8XEmsz3LF7zyywwLTmjFrpu6vSbO0879/Mgpm5HOo+XG2gFKdqpWZH5e2wqfOExcVtjQwBG1iV7I+KqYXVg0IX4EymVeHT38LYvvfvyomvXGp1q+PD856w9RkzI1JCh+eyMr1oggLXarDsr3du+LrwWoy5zm76jMpJLmeJz1hKZbHRgl2XUmj2xXkKTrssU4mB/Otylbtwcjtb8bj50nzFQftpjMUBjZVwehxVn19zuolTVy+o11+1s9mMtxjWiANw3WYV2wIjTZ11bpia0rRR2PCk8eXdQaFhgE4Pf4gLTaXKCBczqwljf0T8szkvaYi9kOqjWCmVK3VEhS/Mq9pFkImSFWRX5pJmZEJzKlKm1sKowWjDPoZ08TAW9KGC7kg9vfATaOFm6q4hbszQKSQMU6MAgfNjaSa0VK50e0kFsStaw6IhMRyJw08PKnpCp5aX5WjO6VA12gKJ4CzopKh3rFYvRz0OaL97gZuFst7Y2RdNaxaVXGiesRGRlXF/KJIVf4YWHzXqBS36zJLuxR/u4ZqDx+PW+Do5aiOrQd41ts5P35x1zgkhJ0c93G9z2QUOnYTp94LdThHdPHczvwf+OiVkFvOp1+7jHXGMR50Qw1BE2xcFLFg6p4LrgkSVAkMzlijZCjrL1GGN0Csl7Na9oY2d6dy4oes01BDz5VfD/FG8fNP8hPXYw0RYnd6PCZ7NuGz738aNhfi34laDnTr/rRUKaWARLIvH/1so4jupDFHUGcF9sd+/gdXDKtDww/HhuUPfA4IngVCbRPs4foS3vuOHRWSI8nGb1W3oOe2p04X4cv4GDeE5YSgFclwFnYh8uf1GkT9X+Qt7QFNDZpLV7QVgEHRJxE3HM8m0WF01oY+0FFEvJl/Nv6xMvJ+Bmizdh24DULIkNPOJex2sdXrzI9Uh0Y9vqBLjERkzpex/OPyrvrVo3tMDAIptNrfV0pIaYF8vWp2NcCJ3l0D5N6zAgrd8XS60AjKPS7LEo6Q51T5KALrzeNUwzAC3ky+5TNJKG1n0u52lmiUsp9rwFPv6JRMpjTaKlsmP/q8GsjCVHooGJDlfqhUBdCIMCO5gyI7S6pUSSqhQLrwb3ZEduNBdy3I8Ne3eUNGRaa12Z/vWpQx4HbWp4JEWF5UyNI5yLGM0XZrrL+0Vtjf5J72mvYipRDpgyYsOXtx0roLjXGYdVNyzv/Y09CxkmM6c/rgC44z5t+/USdv9zEH9jZ4IGzthU0ioKXNuMJfBkKpsNAcoqWr0xD3BqCUFlYcwl23shvVGWUReHN+E1f0VhSLWdsRmCX8WA9doJdhYhl/sqLMg39UtjIkt/FyvD+iEgLWQUideU8zsRv83E6mEoBmpiGA3wBes6FbI6/gQSJJC3daqbIP8uY1OiZauj6m91iYMbGtxaNfEx3mAde6z+51CAC04xt8sgkQZ8nPgIlzi6GGJffcVfrjsI+vO2XNXbSiW2uzzxWOxAvJY7NVdcBNzpGtO3TAJOcuZVU81Y+TdT4ea7O5s79itfL71YifpWVoypSnPfQOfx7aIrEYr9C2m/IQd2artKg7rO4jbINWrsjRkl+XOSLuaJhX+ygvdpTbDkPbd7edd4th+fieOBr6ffOcd9tGsT6hVBJZGVmsdQNQv+9biG8o9+la3tvmWxnWfvsWsHpJrskf+ViPnX4OkmjR5T93QzaobyN9D/wDXUgVYsqOeQCgw89arrZ5iMs93+9Da6IP1MNzee2LaTdnuPzF9zb9czy+L45phxKpKnRnbnrjmNIClts3t5Oh8bRRrJVat6ADvTuZM9jYJuxP00LfMKznU9bBPTat1mb0N7mpd1m7itlS/sl6eEDZ8yMyUb4EYmg38wqhLEQGYWW+hgEip/YqbH0HR7bbgdNRgLENDbmxyOo2+uicd3ZuBmzm0aI8uiko4cQzLOMlrFvoa1wm7BIWyqEGPy4HVDWuOe+KTMm796D7SwA3bbhkUOgg/IOe11rKHOi4HqMnM+DUTro9WNKuzw5RKGpnK3Kn6XkFXE24UVTwiHCwG65pVG3tYNMrIBZROc02LRiCQ0lxLmGyBikD9sL5alJFJhqd/jOzNxSZSXo2IubGynPKtzOL6rlbz0NxUTkqvq5Bj190wIpSzAljqIk/2FspCUae6uyUcqY2MaUNOzrC+lR6BI0KPSDTmDVe+qu436BmnvGiQVo8jcpmeqLc6IVfRC4neR5C4wQ8OOzKR9txAZJ/dliafHbvOofDmGISIsUW21Zu5FOF7xciVkDdiRMb+sLqfUFSJ+tnrqui5kV7sNRDgOIhZXA7msVg9wIg4aKaH5mAB2ZJ+ceTkDF16jpqoJjcszx2TC+vxx69OP2zyv9oCR6GnyTqdCamNvfkMFRlVQGO++nMYdpo36+u/ZlS5isvUhMiEGTfzagIxCZZAcj6bm42AvHWerdtLpkfo25+//Vd9uvPLv775effNPzb25ifqP87+SHd+//XPzX9rbEUgjQGsHStHfnB/+3t2bRSdTnmafBDvmF0P7Dmptev9D4J8CMj5QP5GuJjISmQfBCF/I7Iy0SfuykziJ9+JED9VAgj3g/ggfpszEY9Z0LKMWj8C08HLyykzRd0JzrlgR+FCiuwc8ZiBc0GSvSaQgAzdwTi7SRCGWyb2qJGKlEzxghmmEJAG0MvBVAPSgMD+F0QeN1k8cpg0WelayADbDbqZSnVDVcayy8/JJjw583HmdZtYd1yjn5y9rFTyYzfsY+vVdrKVbCVNKy2ngl6iOjUQgzk5OD0gZ547nKLm9uzeKu2en6wjcN0vsF571MP23PERuK98tzn/lnb8h+bQ+xw4GEg8p8z8lMsb4HAa/nLBmWHcXM68Q6By0Zl9a+rW020iWixXzfuTDE5OXE1gkthxSbPMcWPXa80yWX81XedUuIdjA6DPRkejJQwJNev//vrgFKnvj3Uu1v/ALwxFf2fUgo4c5FZWiGKmESDf9ITYiROO1kL4G0tznAD0EVQtz2SlozEBEM1E5ty4lk3ijgar7t7mdrL1B2EipaW2Jx/kLSs/tmI3WsrP74xdjchvXDE9p+oqWQsovy+swC4gcasb6DgB0rvBBY1Ak87RXzpuIFrBgPrvW6fM4WJuCyO4dTkPDPYYOq8B1ZLJgkhIqpMKaMzJvbquBuGPXXs5P0O46m98yhtglzS9Yve2jbzd3gSirhvkk4Rd926PuFv/0iPw+h9rzciJvv0i73YzYs7z6wGkrNXXLz2jrKVV5DzsYwKy5IjkwMv/SVOrw4XgjKBbfns6U0hCCHGmHuohUHjuzqrf7Eh8QH0ZEr6or2dnl/jvOE98DIkXc2sM53RhxYIqK0fEpOWI8PL6xTpPi3JEmEmTtW8P8yZtIX6gNFgXnvj2/ATasuQovt7E6aqerF9bLCYWdzuIwcg+UWqWjkjJC0Dot4dOC3QDn9/zPfpXuEGDm9+NAk87++jb+Lu76gtGMY+d5uglg95KjpeMQvF2LOzRMStip8YQSJcxw1Iz8uNjVA4G19074npTxncKpr3nsKG4btZeD6nhIdzHlxXEQSn0y1fQ8B2W2mryLsWUzypV77skqhLLI4BoOTV2usSXsmmXOfT2ej0iN2wCGiBn0JjfqAoS+xFdXIqNUsF6YVxfcsXLw7Xa/IM/wVZAdsPGIEUzgn87lxo0gM7QFqsHZ28canTyQ812An1GFm2KnT5vMWi7e8PHHPMpoWLhmRxgHdepA11oH2qJtKFr4f8OfMMqvA4WusyTNy725I+KVTgwOb54DVUypQAS8savUsmUaR1ZL8IwoZ6rYuD+SCUErFnJzOMDogOPD88fYIVncWj5o+uX/rgnLqx/LlGfqyPYwSQehWmjmg/tLmkRmcktY0Sa+FOKZuqtkQSj7/h04fMHvP2LkHOMxqeqaFic6qvG2cTbul0rLt/7TDA83+rzt4TnYywMNWwmFf+TBUiWvQFwAUlASfIUpv9gza2Dw7983H5nxd9nIH9nQd+zLBcv4TsX6TqLskx4KNuIY8PA5+U0+CKCse6O1REjw4GKeTCkNNSeKaoYBNa5y8KP7Oqh+65aI3LsXB31NXT05vcR+eXdiLxmM/uEVTHbGD2rJjlPL3EYtnTPt6fCvk+FfR8OUu+GPhX2fSrs+1TY969X2Ldd17d5qde+mC+j0/m07eGVOj/T96vVudGe1DryOdnXHST+5fW67pK/d8XOr+h71uwaa/jLqHZ+VV9Qt+MilUUciPFpul2dj05x1KZel3h21dHrQJ8Lo96j1x29+X1pVH5ayFYdklVXuem/44epBf/m4PB2ABrzDymlH9aZ0V0khM2qo0LhQbDhu3DnON47vNmI7p6zvJxWeVyjt77upnUkUHBWBAcCxWxJlteFbDCFU6oZFfxPlKkbcRFCxsnekPnIWMYypwBgKifClbOpIawozaIn5vQS4vPOf25sxFO1effDt1aB/Kna/FO1+adq848M/OdUmy+VzKr0EYv2ddJ13Qy33FwtEPX25mYDPs0Up/mwMdVed3eTOc28KVoMVpV/7srqt8usgXWeGkogYgLEwamSRTNmTrkGP1En1RCrXY+0KJlO+krS+Gh6Na7FvbG/3aE+TabhPyX8B25a+EPmOYMqNmg/sH/VQQk9OYIN7bku5xclaD0mUv8OAy9HcOeLggrTMlb1nt/H6TnpNyViiHUBkFpWgnd9dFD7+3tSKONxfCQIE4qncyQoCAFpVMwOeY2pLEoqvNRkxUCwpzaIsZXkGOdU6lDP0IqSkG1KlaJiBvE8U54b5qy9UH3ZC4lQ7gJCfgU86AXNAEa9nodUwPoKleKb4i4ZTDX4eld9TFteXKtvvgbZhmvqHK6pe0j3AoIyPf34kgP9ZCpbN+Dy1R2/S63gSSVo4eh2leA71gf+KhzikZWB71gT+ObVgDg5xtf4ctz7LPrqTqZd3/m382y447WhORauwuhbP6uH78TUpbt8x/Seofxro+DNQgKLGIfmf8ajQtGBMLQDBMd0gbD1WIb7/hVpdIkvVbjh1mblj7bjbk8e3Kd8UvE8uxyWGlcPXEpk767ZUw9Q1Ns0dfmQjiwCnwlUEb6JCriGlNFUFgU35PyXA4xSEBiFziCD2g/RUxBgujN9yfZeZdmLrcnmq729ydY2Y5ubm5NXe69evNh78fLl1mZaO3jvMWinc5Ze6Woo3nTohu8gy68Q5M5rpkKVum7W7N7k+farjL7ae/WcPd/ZfPUqfZnt0Ww3nbxKX+00de1o8oFWdNSMLoH06iYXCJC/LZkIdXiUnClagBKcUzGr7NqNdCSlwRW7oVjO6SRnG2w65SmvQ85JHfDf1A8QnZc6lW3d/hGdhxlsjZiRubyJFwx16sKOuiC7SjO1DiEtIzLL5YTmHbzg130LYcvoOxk1/S0PLOODLOBe+JqYy3nKhB7M1fEah3cFkzFXvI05f9ibzaMIJTr0IXI4hZglN2KssilZkPOzo/8gfrrXXBusH1MzI6k1n+SszrDXZfYRsuvdkHpjrctnDkqazlkYeDvZHFDS670ioilqypFNwYqaoTqEnVEzjyrx+H3jHYKKoNuotNoA0t84ZHlO1cZMbmwlW9vJq3ZnFCi5lQ6Fwl9kYUFGm0WYjLx/9zq4u7wEA50SuK5FEl6XKL296mAosyItL7PEtOx9YwWbJVb9oIqEnmIazUS698j29vP72pQ+YkE3ZxDtygLgrnThSV7ejEkM6hXbmUe+qrqZ0+YjBRW0rvBMXM6yzwTbJ6osRiQrr2YjMlHsZkSE/WLGihERFXz9T6q6Z16VxbLbOKwk5je0OUvcyWQ7eRUL/025/5j8Au1iPkXy/w2VI3ImlbGkT44/srTCP5+dHa+F+q3Li9VNi+QgsT1WZHXTNGzGlpZGvtpfRqiBp3jO1q2W0NVeodyZnBpyKFUpVTPZ8h6SGF70CkvNujLYA1d6RuMw6HtWZsceWPcIS2spFw9c1ovkefLqxeZmsvVyZ2t32fX5CtOXsNCh49DsKj+HRs/PDk5OL5Lj/zhedn3DOgjDovq8hA9c3Eo4gR8+Hhx7ZgR/t23RK3evPlp76qNdPX+MvrrbD7OUYcRP0e9FSamoPSl1h1WX+dps/wT1Jv1whGcbESm6Wl+N6udgcB/76UvotDo1VucydKF9EyicinCjWT4lVITdtasqOeaO2wdRLfFlwMB6i+DWwfTLWVFmQ4X/rh4oRReuihUgiaoZVFnQI7toBfQBeLQLohMt88owrDQaRdlB6dVwr0WyyRu6IBPm3FyImVJJw6ACq9Acuh1He9aRIdzHdZSFJ1xs6NDEd52s5+FPqyaGD1ubif3f1osOIi8h2+ZhAmNLE2NiZuZBVXfEYscGx96iv4q9C9uqsJlvXOHClZmzKLCfJlV6xQyhguYLzTWRwmrJYcjC3shhk8iN1ScCN4AWrlTFZ4i8gUKG4YUCNySq8c+dOo53hK50yVMuK123jO3IdTvLMspUZuxS85mgYJdjH7m+t97QRMqcUdGH+x/xJ4ywL+2QkJ9PwgxxjbA20KtGVWz1EyHHlnyDncL77IQpUwYNWr47YE98Y0RbvkVUqhalkTNFyzlPsXOOro9zPOo1zXkWZy1B66hKGz8fec3oNSOVqOsmuBYD/tX6FZ+nV48fhr2hmlQCjISh+XRcOPndu7fvLt+fXrx7f35xfHT57u3bi0/dsgrTVAbKsDnH4RuXM3jnoPKvelRJuLUyQPJSlq07ztLquZGKaVckqd7ons0j6ZzyOFT173bHUXaoX7/tPc9yrJwC5S9Yhpk8jQ5Wrg81arGQY9Mo0TFZQElXjdG7wJlYvkBjM9ofkEo7BPVZpx4o+zPR3M+zIHiEzzi2LI24F1qurWQ3o1xo07hiJ1xQtSCuqWyzZm33bNLGXtxz8B6Kp6KgIrtcsoHU1/HPNvfhpyrPPdzYsgpICe5L15jI3Zlt97uXesJcTvppST1I1DTP69u23fyscw1/ulzUkIfIOhRFVi25Z5kkfYhlGrD28+1xQW0pH6XvZgoZMhW83lyHwTrdA4OmwBuCleF0HM1XX2RTcgMh/40K6WCIhZxcDwgGIMDhef/+5Ghk1aJCCq/dkJ/fnxzpUXw/0qiudWGPn11qvgglprE0cKjcA0657qoPpdBGVanB/rGoNOQLN1yMOchhsCQsBSmVZYIpuHwKbvgsvmTPTo6IYpVmjVLade1rXxprCt1WcHnQN8DqkCNC7VWl2yFnxGdPWuxJbXqYbbqd7uzuZq+mr149f7m7tMuwPkPfLC9ZPtbjoKUjxbTe0JHuOM8t7HDzCU2nuzGQdiAUUZq6S51MjqXTmVVEoipVvSUpo25JEytuu0stBN/Wk/nzjl0nsP5tbESw/wAX7nEabble3EsQkT2KSZHtDsTI3hzt4hTdSfWcbg006/kvB1t3TLu9+2K4ibd3X9wx9e7W9nBT725t90z9FwkGW/UXCobxNSQEy381SV1AA3r4nYahiOYFz/vcLG2OUVJlj+3XsRsNYvx5uM1nGStujaYnq9CXtAo5xH+/xqH+BTzZiL59G9EtO/fXMRX1L/DJYjSUxagf30+Go/vQ9WQ/+kvYj9x+PpmRnsxIX92M5Gnx27cmDWMwegiKnkxKy2Pri1qWHgjWl7M9PRywL2idejhwX9B+tTxw37SF6wsZsZbHVjlbSt54UOT3SX1NOo4GsVmRpYvpBoOeMDu+vRYfutllG/plGs/eEbMeoty6ObbbO9sPBa4D3WNE1UNXcIe5VVL2g7r1QFCB0S8B661ZPlYf5QVrbKsT67t2ou3NrRfrm7vr288vNvf2N3f3n+8ke7vPf3+oBmTmitFsubKGD8LyBQxMTo4egwwclANG8Dpwe1Pacfb1pYsteqC5+V5kv8BGAeaWVGRpEb4foWKAfDXUlqM6UCumaxxSgXm9E1Y34d8PQ0YV7AglEyVvNJT3MaAxcOOA8BIoNPmhM0bSStmBcug+KCITwLL7UZUW8s8QNc9ZKkXW5Luh9VFVdpO5n28vHaruYLyR6oqL2SV2LJTqEZMrhqQfSyYOdBJAbzshOorDXBZsg+Y8XbrgZ8mS/yVJJyVL/rp5JyVL/uqpJyVL/vLZJyz535iAEiHgWxT8A3BfXqwPU39toT3k5H5DInm4ar+iwN2C4VsQpwNI37Sw/AlRNd+fJO3x8/XkZA/B9yMFL08YjyAi11UWZlwbhxWX+/gu/u725MefMHnRNYW1lOHzwv0AvoAfNEsnS6YGQt44VCcYiJ+svnXCFNZAIDeKG8NcauWEavZihzCRygyKaoXN+UmqsEDVXWBdW+qcmb/TvGLHH8H7+Y7Nfq2YWrjvRk2PP6RP6hJpXNbOO2hBhQ69cV5e2u/GSQh5kb41wqQyXm6px5wwY5giiqXymik64Tk3C4CldkfUznF78t8d/3z548npwbt/4MqZa2vd48j6/dcfq4PDzYO///rjxcHBwQF8xn/+bVlhB7YYb5/7gqM+rYY+xgRgnRu7vVA9DeZzVXLrbT0LiKCaWB4JUYB9b8K+uD3yBJAAWWjoxxOGdM8HIoEpyTOL5PPfR4Ds4/84Ozg9ujz/fQ3pIXYUBRh4KNxCoGSqq/OGU7I/KiZSbFTgJgQCtqO/ef/64gTmgrH9cNAjOIx4TRXUUSI5hPnhsKKCPnOw1pqi7ZhHv719d4QEffzz5a/2UwP0iPrabYixAWHKC5oTxVy4GnrOnrFkRsYrWyvjHrfW6n+uHO5/UIZ+UCy7NKb8MOHiQ7GgZZmwj2zlv5a22gDBDVTa+dxQkVGVNfcbL1THRXyQim6vEEli2VXM+fUQCziYTBS7xkq/oBV5V6Sdr3ON/PLvr98sC/AVWwwA7y/8mmErcn7tPMxyakfq3nnnb3+6+O3g3fGHWmPzLPz04sMhyi5/R5X+w0lhBZqfeKhnYgkUm9DoDzdcWEAt3S2t0nUKLz3K8iFox44dx+TYrRrZ4eCEAu/u27gPn42QcMx7EPPhiE2qWV1z5/4CORGcQzXWhDn8Hd/tarMUxLWwVPe/D7JS/dWddSJCfLRmxl7hBaPC2OtkSlN7QVPDSMmvJca6KOj5SknJWWqX4uGDmjruA4RPwQMa+/7UEbQuBltbIRliD8WClDlNoQO+vWGOD89d1AK5iEFwQ2sGtSfFzPOCYoSlvOvbSU4hrgumQFnB3Y1cRUJNrV/i4rkgY4fFZBxWcmAZZKqYCTFKFkNxP6CRKw/ng8uhYtxcahM61quRD3iqKcK3vB2RNOdMmBHxj0I3PmzHlPjq+NklLxNyMsV65mXJXOjayZnn20bW0PNyPMJ6HVh3SjikAcao68JzckaM4tec5vliRIQkBQXRLK4+xw1MRhXLRlbcC9Hy0VT7W6+2k81kO9naHT+gysac6qFKvx3kOd4RVM+ZRjKQwiJEecJykhWGDHryh7Y/NRepNKqXENBf48+NGuqicEE0N5VrwYcV5xayWlWWFHSlGMSx1fqWA4zQfCYVN/PC0tMzDLdlik0lvGEJyrJMuPQCAGvLtzUsl0Buf68riz7HoE7OetHXVKP1YE0x/EZCrKSd7XZo7uePVd4oMvbOf76DM9pnfB2c0FQqig8Gi4aLyMNAQbGoe16EvhJ0ZgV+C4CLjvYhi4TmTBlNpCISCsUJiYXKYGG1JuALw9kpovBJN9oNSOderkUVIAIcL2K273mKByoruAZ3gRUAlcxD1Wk9Cq05JTIycnJ0vnFydl7/ENpvjcgNm/ghSwwfx54P4YFK5S5wVo8IExmojyRjhqWYUiGsfGpZsmbk2fHRuzVXTTqEbTKTPqR+T2Xm7Z4ej9cnD4p6xj0WoLlmqVmVSbEIdXIRCAg3hb8sZ5AkVYyaqNBw2CtPWYEygCs16LuTpHVuqFp/HfeCva+KAPbmG8qneFA3/0MaQPHGDYVLdDHArqUHcliPhIAVy2Vr8vCxxL3IIAfGsKK06sFJJGO8ZvRqaf1rcPfjBTa5b3seYePdhns89C/yx1ymV0RZtVobkGVK6GRPjk7PMQL4l4uLs3OyQS5en0Ngukxlrpe+K4YKIz/ANZ4cIaPi2kdHW9XbVfeCysfIO5FRRlJTbWHwDLKXcB5EMFubSwc8DVtiOFYE8luqDd/OGwJqMCbXCu00Y3dUfHX1gH0d4CWWP6jbpNF/HdcJxiqfYbPcuXj99vDfL49Ozy/tIbi8eH2+7NqGLuC7+q5RtNdIqy7cnU8Y73XY3d77IPxq0WiHT6FpNkedDbtbiEyq1VVNMplWdV5GczZQKOzJXF2t6UlIU1PRyIq/aeSdoSTn4grWQwoZ9ilHhwuiYOKl6vqac7V0Qdzp2tJ8MWImkht+xUuWcQr1re2njU/aXitrsaH89actytXMjEgpc54uRiiboEyArlx/61pFAU72g25/DOgvWN0NLjYhOfPe5Zlj+Zc/oZy1LJ6q6hvh/WB5kCoEAQQcwZWg6ztBj1qXAWd6qeugyTC718LW5ib+/9IGokGDei6iPkQbRLFrrtuiw4TZVQPtgF7vctW7S0vuWVPU59B3E3ZK0nn9zR1q0oF7zm6y7wBItfNFgKnF/iailv+pFMJtzzSI6qj0EMVmVIHhUDNQUPQoeh73f8LRtYj8dJrLG/AoqazWmX6SilwcnrlRsaOvDmAibCnj13UAChfccJqT83+cQqFuZp7pNfejG9QOWMOCbgmkxSB0tWdyDDJfdPDxQ80FPF6MokJTNzjY0JwmRGhqKswvc91HDFMFWQnjrVj+AbdaNKyHQrQA1wnQl/vZ6YmOeTPfkKa+LLzhDVv8UJfypltTxOtwVpbzxgSoQcMq3IhRFiyoof+sBBIFuGbQLube7husRq2QpjPkFFiw3cZ1OJxtpfoQh9/wS2h6f9DAQ7OMaFZQYXiKjpKPxrWvZh/TORUzNmowda5DB2sjyTW3y/W90LF5oYBkX9qwGnnLngpzTK3q7McUvoc2XiRo2nNOOW14nhOGhibMkHUt10UWmxkBYVMedeigZalkqTg1LF88RL1Gu+dQghO2CIWrz21M3ffcriEwmGLCZ5WsdL5AaoZ3ApcHj6IO2THQkJQKcnI2IpRksrAbAMbQSvCPREtLJwkh/6gxS/MbutBoWm5e2fTGw+Tpfpy4L8aIsqaMJqwUVTtRs8pn2YPRNuHl2IIyThCs8YhkrGRgnybSyQyk7vwPVlmuW8EsVCdL96e9LZ7FJf3iOITm0ICqLq9MKyOFLGSlfctDwHv9dQDQd13DgZ4dnJ+uddJs7b3NaDqvbU2ISgyGZD039O7Wi1ftNTeaXX7T6VzLR9D09rdsoOJnKWc5I69fHzbw0ROYskwwZPxas8ILhKBAaihU7474vSMJZNHdrdprNv9Cwr4Hsk/ybyM0OH7TLD1jMkm5WQxVZOSQm0X/7ryRwijW6o8E4EhhuGBisMInp42CJ26yDnynUpk5OYBgCtoDZCWMWlxyLXtSlh8HdTgFOTl/C/nFHQgPD24Fa6jddCD1bughFTTrYsr357sHnBmTl6Cc9837WooZN1WG93VODXzoxtz+N1nJpVjZJ+svnycvtnb2nm+OyEpOzco+2dlNdjd3X23tkf9Z7QA5oBFn9b1mat3fxy0DJw3tC0eEoskBpTA5JTNFRZVTFZc2MnO2IClUdrBiZ6PQgrs3TdNoxF0b55QJdC1AtHwuMVJowlSdFO9F2/qGQvByUs4Xmts/0LA4Iqk/1nEc1qk0Fk/2QZTAsWt0ZWQBF+SMydCssWPdmEhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzS6oPedmR2YOh3Yq7WHvrQMst1X68pCx32rY7f5OTsesd+cXJ2/aIWPlvyVkHTAXDz5uDwNqhJwzJrks9w8K5eWDXTKV6QchErChPoX3l6cBH0b1fxgTvJrD6zkpSKX1PDyNGb39cimbd5VkCbyyXNyITmVKRwWiMHoVREycoe4haS7TpLuVRqw4NSCGIE2PG/YRSgBvsAqa7Th4uZT5PhWrkunW34zDwbh/bbSBwDFpli2WWf9PiIfd4gmHA2Z9pEk3oc4dwjWEhZsiyAXE280Bm2POoRO4oCcWE4p3FOpSIrUymTGUjwSSqLFcI1WYk+t6sIohfVBRdlDGu7QKUHlnJtNSrXdwd03JxfuTQe9BDqajrlH8OI8Aw0ktzf2MBH8AmrSa0l5ALDe4xE88BHXgRz9GSBXU4XxNCreldRJ86pNsTcSJLTCcs1qt9CGkgFwFpGdu0Xr490iNxdSWVSXa10b8waGQ2SMLK8hO3/AhTBplMGJezsrE5ycXv4jF28PloboUvkSsgb4W1hDbCIQ/3ImxsBRSWtyd6NhykwHeJpzxuGtXisMQTU832TDZDMbRRTb8RytAPfN8im0kwlw1JMrHfVOS8hcily4RA5vY1jUEFeHx2c2avgAFd8FIaKSWW1uzpWUJ4PtDgr5BOYwEsm3fCvZFrl+SNn/n4184td8KomdkkwHagRd/jV8wlThhxzoQ1rNd8H3IA19asRIDrUBqdAXORgzsTbyxE6h6HzJ4LdccMHsvUQKsI5oFIc7wRO1gViwNBXX7gR+A6EmRoZde2LIw8wFhgZlCBUSLEo+J9RcBqiMHx8j6WM+ZSMYRXQrU+5D3Z149BkMJViinvVjnYQUIO7dtcQX9mxj6juzex+FFIKmhbM2YXi8dTgr8bSzkM/coKFqLnoLjriaRR4Wssz7MuXRK5h/9XdTSj92x1Ho4l/w2BJ0FHq+KeMGuqAu6GapDLPWWqijuuNVpWhTeWUiwxpLVB+LmfakXyooennhrQU9LU/wA/GyjkrmKL5gGVYj/0cMevz8W0e/Gd8CjYMLOi+1qlCngHxgC6KLkvtS4UqBkn+Guuwjt2AcLIzybQVx7oS1h7dme5ubk4byBjkqPZUoQ3xD0JghABCjIFMNTVBa9CiVFxH/ExOMdlEyIw5c2FjybWHLmSqA8GAXJqxbnn3kLPaKSEbA+MyYwt6xTThpu7nH3PmWtK2dGoJ0jdYhYMhWIdqmykb9sBY3YKnVU4VwBuGZAU3vmRyO4LsVBrnNuaYWyKY62DAWP2CxnPZAAPiwmUD7XW8ZuSgxshvvKGpIWP7nrsu7O0BHy32QX6iPQWvs+cv2S6bTNkmZS/SnVcvt7MJezXd3Hq5Q7dePH85mext77ycvmhZjgaxXTYELU9s6NePuBNgqxWmJ3pehDKr7mTCPQyJOY5eaJ7LG9z+jGuj+KSKI8fdGC4FQFWQFBFMmFDot3n1o0HCR1toQyFBFyxd9QkRwcgegX+C36ZUwwqOrdLGU5cR0zhFXgpod8ZP80qbTrt7K3v+yKjRfYOg5uguOKifXIYqAuFRu5HjWl7BLK6pPRiA7rj6dJeuWLyOdXfcmkQkMzaoA8VTEw0kAVO2+ExECeZGIi8KpGRH8C97ruilYfsbHNMooDSusAFpteDEx7SjUbQJfumBLdb+j4mvmR0GdddJgMynmPnRlqOlFkuOQOhSVAsA+yzueRRd2CRUR4OJBcFO71O1GidZMi1WV2upa06vmfempqw0uLgwG0IMKPbClQPS5StFDWeipA8JJ5qLWcX1POxafSjhSNv7glRl46p395zUFlQSS9GuzoLDi2DaW6wDS6iHb3GhJtXUDMZTzxpZR64QcOwWVVCBIWma9YgJfr71TfdPqzm0jlI6H9WTi3nCOH5rrU3pfqCcexB5fcTzg+8JeDGiGggLBh23R55tyAnhho4Ec7+SaJJjv0EnUxxEqjAGVawFXfuE3sJ6b7zkNG5w1fE9XLexHb3xtI+zI39vFsbzGxKC8hq6RXdXah5sJMmlvCLUXkmYiccMNkNp6RZRLb7A3bvYeJ5sJzuxngWxew01q/7mDi0Ln7o/ktMHB2JPA3AObTRFwuZIUcjmPcGasfvMRWx+kyGFLjjyKaTwKaTwKaTwGwkpxDPpK0zVjOQrxhUiSE9xhU9xhY8D0lNc4fI4e4orfIor/K7iCuGy+O7iCh3UZMi4Qne13xNPR3MXhFafWhlC7Xpj6qJUNmIUBWVLzL75GMNb0ZF8Jj6+wRjD5YW6Lxho2EPzXz3QMBY1nwINnwINnwINnwINnwINnwIN2wT3FGj4FGj4FGj4FGj4LbO0zw40hJ4pCIxzgF3U39zhAHP9HiwN5lRrPl34yCVs8g5lNmmaSqwsA/WrcC5i6EcpZOFNRv7itzC/4UYxcnBx8X8O/51MFS0YFOXtDT6E+hpSwTqbgLjZQTWiobYqV6GKJ+h+bsyTo/MROf35p99GUPVyzQc0hA7iHlz0lOAaEgNdxZO/ARS+erMbMS5WavUPJ+yFslRufxw2UA9d4UVJU7Oy1pyFpXMg6uRvXv2q1x5qRvv5XA1bLkCXAXGNpnMoBBUqQYINzYDb1dM5TDWCHUpTWZQ51xhlNJM09+BFVUSFPfpWt0Yf68raA/yOYUu/AI92+A1TBu/+tFJQQSgUz0SbrSefhhiL+wy/h80IMZHMqs4Q5we7RX4KU7mxeMOuTLzMHnqLQcAVlM0Ss1CClTAr4GMTCkO4mFn9FRvOS0UUM0rqEiXnPAKWzma4PF91p3Xy35xcvDt2R6upfCEpD3bDW3rmqF4jMhvU6HH3D1c821dbijlBWOQbahT/SC5wnGbx01HctSghz9jHJNS5o8bQ9Cop7JhQ5w4h0RsXB5ubO5sbYYK1NtbwgT58fSFJI8S1LI+7Gl0xN/3yuEOW1oe7oYtBXsDp9PUgK5V/pxh80Ai1vOEvjS9xpANTbOIV97n/VIf1PjpePTB642Jr59Wru861/f0WtP1FtN1GEPR3uk23ix237N3X4SxLY7chWwzEXJbH7oPGCLh2ZfK8tuBqxD6kMxz9/9l79uc0cqR/v79C5fyw8RWMAQO296t8Ww7YG9/l9cXJ7tVtbRExI0DJzIhIMybev/4rtR6jecFgg51NJbV1Z2BGanW3Wt2tfkDVbLesY06xnzE/Fcbwz2rQmoKPiCaChDPQySh0UoKilOEtwjeMQv39dkCWycIW6MwUNgXCV2/QOTPKOuGJUtRU59ctetP5dLnYWyeGa9XFi8YBKJG62qqaUrFZkHL7tQ7BdVBaEngvrycXo/GLi8m76/PJ71fvX0zOL64n3d7pZPR8NLl+cd4bDP+xQcLYlasKFg7u9oSFtxev2qYHnUhwHLRxyGKSoxqD4Hpb6V7DBq5yy/pgA6moyihVdT3b5KsfpoLegID8WF7SxF9gGn9Egsa+9ni7LYqQuiZQOWC2ZGRIRTlO59XVlec1biRSB8meUHxuGvi4uHYmL0XH57CfmTYLiMasp8WdaJAFPBsq4ETff+STx2aUiyTHFiYTZmEDyio6OuQo074boRZYLLwoGOyJPqOcgIrnhC+5PBGzEsyvxgMUUDAT2QyNL95ZMuYjvCEhr8HOuVRZFYKKhMS+vk1SRXfB76gaPLWcs8xeSmVEUZ7BrJNiulwSDlkogK/iFulcngxHJ5e90WDw/HJ8Mj69OH1+etl/fvn8sjM6uxjdhSZigbuPRpTrF+fdvz1Vzi6Oz47HZ8fd49PT09Nx7/S0NxyOeuOz7qDX7Y+74+5odPG8d35H6mQnzqPQpzcYVlPI4tDJKbg/hbJRFaV2s2+GpyeXw+HwvDPoX1x2T847pxe9y1532Ls4f94fPR91xr3h4KI7Pjk9GTy/OOk/vzwenXR7o/Oz3vj8snFrCr1GKkS6N5VnnOVomeaTUt9Pp5+Ib6/WFQTmE2hyleeRLi1dolIRgaPXz17djtUV2DvGEjQ6b6E3H55dxTOORcJTH3yr7wmOWmg8ehbdmsCR8eiZiWNojsBP+Hhf57i+FILU4iw8X82r806lUr1gKxWjuSRcMptksuvrl0eZoo3QAseBWODP5TvRoE8G0+5pMJwOBv5Jt3fSOz077vW6/tlwinv9bfkpZskEz5JGLFXXS3+ME3L0nkbEVZahZa+uZ57TCgSKGcQzEb1ZA7mV3b1Z0f//p16n12135H/vO52f4T+v0+n8t3HPWWe9U0j9fMAFa92o8WK7ZyedXSxWVXTbcfBAoV2dYMjHYSjFZYyuX19pqZqQMMyVy1d3Iwsmklj39yt3BtHYowJh1eNKX1xpq8pDv0scO1JbPplr3FJofjwnEu1LqpOE3Jg8nSZUQv5qtfJ0xp7ns20RrkTlY4rnkkDOBLFFy0aBHN2aDp1vPjwb5/rp7EoOi3SpLm8myqTeVyqcta70NNW6Q86WV98sSBiyWrulxprvDYaTX0evpDV/fNqvePpiNG7w/E+e5zXf7CkvNqLetxNEzpi1YYGrSsh+VzhuKVmoeyNWBfYI4i97gyFv3HmGiARPQ2D8BiudMhYSHFct6Ln6Cc1CnFsWnRlnF4rJnCVUcfsKQ1ycT4SYpSHCsZPTznEsoL+V9qnFiMQ+v4XOfEkaxyRsbMjG5GsyMe61ByWl9emp1joKbhJ46C1RhNXNhJ0gScgvPH99nnVYf2r8mFJ4UhyrVlZYCDqPpeQQR0ko2rASqc3LNbTVuLU/eF8XSRQ+weEybhsY2zQQhwX7Svfaz9T3kK3gZlmUuU5CebSxNZAbJy3SaK8MR0XBEQsMp+eF8InM1xUrT5d8t8CljdlMV539Jr2GGrZtvYblJT2W17AOkn2fa3vwGrq0uBMNvmmvoQb3u/EaGmr9nb2GLk2+D6/hY1Jl117DAnW+E69hQwq5xvrfzmuo17hXr+H1Vv7Bkl8wOyqcmviP4B/U03/Cx3szRasdhLrL564chMdn/X6/i6fDwcmgT3q9zsm0S7rT/uBkejzsd4Mt8bELB+F7GkkDLlqW/GXaOfQtOAid9d7bQbjtgh/cQagXu19/1XVjz1RBJFeIAGlZmp3t+SzaiwjYb3/b1ynUCcnlKZqTaom5MPXH5PeM0zmNcajt2woO8HqNia0n2beD4TUU9qR/kUAZ4XD6Wf8CuCvdZW5aYrKpm7+Nh+LYN8mPJibK+ao+LmqcFRk1g1TXrIUwpr+IkcdYmTScpfMFS83uwSiiPme2wjL3FzQhijNxGErDRprAN5SsMssqC/jXm8ABHDmpE4iTLymRFms7YxLTvXdFpuZ3Yz7NOIuTNomDQm28tlzOl5RwefBA+3y9jqxmwxT7n903t4jHktDvMei1vjiymjjLpzpX3yhwRbY2nSCjMnKzxsPaVp4SeeqghM2J1P5AM7RDZpl8Kq/LIFwexKEinlN4MiG8rb06xMFkKaW2P52d9WbHg5OT6XE/wEN87JOz3lnQIR3SPzkeFtFrWyU/DpLt9AVUm+9NPrZJ+rd1aiAnIyJYpFyXbYAEH1vYWaTOVZDUoC1+IVpRnwsl9HU6s87wBOPOFJ91etMTRyqkPHQlwod3LzdIgw/vXpr4R1NaVN9RgJMb9ilJiG5zDxvvw7uXogVhkPpJI7EkDqacQFI2CtgqlizBkPAXJCItW/lgiZOFfp8h48drstH2m/GqlW2TxcbDVpYbnr8eO8jXuRUsIrrSLAZ8RvhWBetqB/nVW7naI4lCiVeVThvetoAjWJrYqoJ2VJXBf6Vv/eTYKoXfqUmjKnHOmam88VFf7ekigiWmqbjhs9cMxhO9L9S+X+ggW5PPKbQbTAonM3mFGqB3g0VLysNCFdXCEFSoGp2CQJ1zmmiPZ0tSMWaJFIX8FuKnF7Df8u8XBg8JhiTCJeGUBShKRQKDTKWs88M0IEFFmQVlI8PDU4IOlvH8IPNzyNcPPPldmUJLfQI6SWvzKCsOs3OqvGU8cYqlSqSAyaPY6clHh/8TtjwoIOfjk4/KaMmXoDBAF7JvZ2m4QwXs0XIbrmYqi1+KQEiGpJHc0johEhq7p4JkG/bW8ZVAMdDMxqEx+ij5WY73Ee4OwfcCG14XOBeIE2kdgaovjWRubAej8OTrlrpVbyrC7fMS4Od+//hIVef95cuzXLXeJwlb5qhnNuR3QMGfPsQRC6BSfCZngPUFEoTEOcyWK345bRRiW300YjFNmFTnlQRgUzi5A3sYTIkUNZpxWqoeORYuK2C4bIU6zWoM+SpkECQkRp9SKCWUGY4gu+Q5WqzRYjnHZuna1+ywGDT9FRYW0FbunK9sBnInJpKj1fyc468lFsLhmp3fy+nhC1aFV4Ah2VcJhbc4WRTmdmSrRtBBAZw9VCpzK2SV4Oj3j0uSo98/zgElTajbfSoJMIFmYltzEeBVv+h776o1uHr0QYHZSmfXL3B2wX1e4Dog3FmgBr9S6KzWEjP5LuxQJ1FN+e4c2E2bGq5itWC+aZrYp1rOZGqxSk2xI6pCSjEi0TLJ4AHQ1ZMf9duFAvK5jg9oSpIVIfkQhmTFlK5aOKAfuzqaFME/SqN9O6XRlNG2Lya4htHrZSKcNgeFc1dlQX78uVLvVPDWnFt5f8KPom/oR9G3OxV922NI8Qc9fIWO4kKQc+6Yzxu68oHjrtgxIldDyXaNgEeVeguZs+QGW/tC+xnyXSR0kq3kD2ihA+3poBC2WxBXfkOJ0CeqqSSFIgbVarByEdPAmMnGEYVjhCHeRyvccFoLxz8cbVEC5rut1/eYpfp+VOmrrNL3vRfo+xvU5nvssnw/KvJtrMj36MX4ftThU0rFBM+NG9FRLVD2bQMFQ41h1IysDy2LiC6Ih6acrZw7RLe63q12dIkFWyEpvGK43jW3ytC+zGeRVA6tra5v1VMLqrGTt9AJiG1E+QBSQs9WJAl9uzANmuoZcy8AZagrAXWNZ5jTHFDfvBO4IAcc/pjk+KO41lfsLxqG+GjgddBTRY3/QaO3HzRl0Jtr1O1Nusq4eYV9+cV/DtH5chmS38n03zQ5GnYGXtfrDix4T//94v2rly31zq/E/8wOkW5Od9TteR30ik1pSI66g4tu/1Sj+2jY6es8DYt04c1wRMN9ed3eXCM1PnpqbCJOggVOWiggU4rjFppxQqYiaKEVjQO2Eofl5Fx4sgT393Hl82ZJOHYKJRrdEKwRE59rQ285tEmpaeukWOcV+4RvSBFbnwmPyb7U+NIa1GwWbBV6gFd1O6Tv9b1Ou9vtteckJpz6Rei/ExOghtbmmt6hdB1x/1PEjNFOH4qyZj69n30SJ0y0UDpN4yRdt4cxX9HSHt5vaGAJ+Kb82O143aKk3C+ohcaia05OKd0d/eom1JJRa1a/vTx/3USnks/lm3MqD79tPH/a6XndLyjB86fi0O3zabwoWCj3FxaIxnOIGZGqOVF/wvhYCOarbDrVzjk2V4JgL4BBIVdtSww7fU/VZLoTsq3+pZ97rW5GPbn6qlVw4jMeyOFoPA/1ahM8h1KzcIWaQiACJA8a4jntpL+0adz+gkjs46VIFZSipc2dKshQ7rbTtuLSQ7uFcbG91hUkFozrSsT/JeRzC/1OORELzD8fwp0llMLV9XhNZ2WOZzPqlzBB45jwWqqqIZB6SC8uI7BAT40rTY+qf8uv/7BmkeuXlytKve0q1ywvV5MAgnLMPZW0RIOAas4y8OR4BdogBSpcWqMjwfM5yAI95JupyfJwmNtwr+dyuc7lreA/87ge0vK2a85C/LrdFTqU0hjBARU+J2B0F3eYHhMgcMaro4vTvkn3bmopi87t8rSFabM35wws6GqsNEVdiFrHsVvsl+X1PzYcxA9g+bxZqoKNagVgMm+zBpYmggZk/UKs1E/DmHA8paFpUWjEf+mH+nNAHgO5gRo48XHF1Kjk0TeJ+zf2AGtUd1IXkt8TfXLt1LVCIOW5G1EOC0lKeMFwu2Nrj5uC/Tr0xqhEbbu/n85cH+gYzBc51/WH64tD+QeouTiEB+2g2Qs4wVM4iTi61Pv2MHf3ltUG+JLi8FbMU8wDT/3t+Sw6+rIi0wUJl0czNoEIsvDoc8xWIQnmRA59lFvgxNRlJcJbJNEf/wcDWcDyyMie/fOwMjrIhCaa65Xy7ddPfxyYdR38uUX5nYri8/sohJufyCaV5LAgfMYzzTJHnMxId4OaIBkJKjj4N0IclYrWjn67vm6KCQfib9YqKmG10H+1jFLYfPrMEvYIxyGchu5sVW/XbA//hjj1f0GGHc3wF2Dz8Il/QyZwmzhxgBMTnxOckOCPETTKsNO6spUSdRZffF0yISXH6LcLd4V/luh7FaMI+2+ukUqDQz2v2/OGLTeMJ48OHSj47u1oiyx8EqcRGD173SBGijo3KE7ZGirWkKa8OapIVLE7LpqiYM/V4dWKtWh4ejU+NIETuqP8Mot6rj4skbrA9tCVe+ese9AXJ9CDmvupMl6Lp0dT1l8tcDKhYiK3AA0ONa8XedyOXuL1q/GfFTRq9zrds3an0+lsUQ5mv5XNzxEnpodonYDJ6c9a2qgMkogmdK7MH4sLQwzL/UGBLkXEVFPEn9P2lMbyW3Dn+XP6i/zjmcXjsNvdAo2S8SZ7ZX5tRTKOhI/jalYtLV6upNvpnnrbMIUcPybcuyFxwPaVYf8+3667dMADCEiBUK47TmI8DTeo6+6CGCee1LwaLGYWMlzZjP2nazmMCofhOJ7rq6+O15Ead7fjdZQzEf40tacWBEVMJEiQG8LdWPPnUsUUekQmrU+psQlBhIjgrg2k9jJkNDFIiUjCqS/QU1VaH93AVX6WfqLCvL9Co/Ilpzc0JHOik7n0LXFCuMpqO2zpTirZqO6drxzDjitfm3MYFtpwqagJgOlQp3r5bElqlIAK9cuo6sC67UDX4jssaaoDb7AdiUl8QzmD+lyNrrIeiNYXLlibiI7jW2STGIBLNIVa6C4UggtZygnULPsGSJSQaMn4t0Sd9xqiTYSBu58IJ6lCtERpoEvqwSpaufPa0Mrf3b5oiOH9+srBkH+NjbclJ7Wt6fz09W/jw+ywl6YxTXBCb9zKKDeEA3/i+DON5+CiPnjJVgctdPCKBDSNDhQ3H7yg88UBkECaaeimJ4lqxacdEThBFB2QqgSDnSuBqbKxjr2Ojsy9BR9iQGY0zidyyRGyh3M0crgInqACsVUMdWMDFOEYz5Xv6fLq3fV77w2ft9BV7HvoKXwhhSf6cN1WRVJiBlUBZ9Qxtfgcx7Zdy2rBpDCgwiRDJgwtSLgEuQ8edUF8YE6p2YKckNrXksVuixiCI4Gwz5lQivOK8TCoYdH4JvBiKhJvzm7AZ9HWogjYtSwM1OVIM1bVJNmjdmGpXqlhQFCrxB4ICnMImvYvPAuFQPIsZZwmmhCIkzlW/ScdEXA3DJaUeDmNb6euxGJbIuRnNFXtNHHsLxhXH9u+MZm1P/K5eiaHmf+FsUcm50W3o5xCU0N9dWGiImErhaHOlpPEACdclfdQ3ZaZSsg58uGQ2my4JU4W5mHnwQoA5b8xWXLiQ3OdNmReZi+C7xA+0fzFmRTb8yyG2cA3hcaXNCJ/mWicevCU47TwcETnyrD/GSU8JfnRFUZywzK3CI36MKli55qlW/qA3gZnyTzlQBQ1WdX6GqBeUsh9bu2yYNC70nTtyBK5Agp2eDQWCc4M0I04ghLl6l1k3kU0MNvCD1kaZDtgJD+ag4jLbY4DnODqTfFK/6q0CT/3Klis2UUCDoIJPDAxQ8onfSKEslbMHsmtGl7wlpxJbsgCbLMUcfVL++t63nCDvPQrcqf+CukeasXKYKqYnEZ4TiqmxhFt46kfdHvHlfI0m/1KjoCuxtYQV3gypNB8+QSdSxaBh1gYuDvEACQR51mUAJI38Fjlw2v5zJnDAJgZ6eunsQuyz289U4NtU5ir6f5xZouwv6AxAeHSaDL9gue80HQu166YNJCk699qOqvm8aaEK+2vpvNwMs/U5vVz5B6tHN/Io4D5n4FXtUAam88V20v9hkSC4RI6DFWlHZBG6je5r8WC8WSijoRMszJ6gJqvbYVRzXltwUIV14P5V3JCRB1Lbq/1amQ5CKt+pRJpNVNJibP9bCDpnA215ayFN5tNevfpdLIneoLevxm/+Rm9YCup10QYyhwL8ksJlpyGgdZrGaheniMr0xUInuFcefBnfPtCfaoY5CqeMZdb9bEgX0dG1jgMKr+vZE99blyMrt0YGmqiRjziC+820vXnn+hLYKw7okvjKXuzkKzBbJGZek6vJ00uo6K6OPom9M4yjMBVU0b28rxMeNOUhuUpyxS1p/dB93Tc7ZwdNAPnzTWCGVzHezUgPgtI5T5YB4tIOEn8RXNgzCwqJSu+tRz4OZ0SHpMEbkI0H/7b/a5i3Ox3q+zlNbdsUORy4Xqpmr20UbLmgF7Pc0WML1lQLXa22swOBpZMtVQpE1dOlVbI8LvO9JYF6MPVuDyR/F+xxP7uFpWNWJ6MBSWRf8/JTLx3eTItLv95b8Hs/DyJ8HJJ47l+9uCfDXeRA7E+SCK8LIMMeVvqPu2bg9uBrRp4TqD1iiDJbkmcjVtD6IAsQ3YbFezb+0+cjVszsVQEySwNd75kZ+CaqTfoQXed2A67cdpqpe/+86px9QGjZXl2ury1X1SMq3/MzhVr1FadA9nYaKtDgHxtqnbqGTzylfhp4tyHogrVU6/4EwvZZ4rbOE1YQAVcdWTL/5f6FY31L7fIfQ45lvdG70nFUO4prOGwQ9b5FfVznnIv5W82tnCnmQB/HdDBZhYAJ8y/ek66zhldM90F9hc6a1EVIrThJbplnK64QShUhbORwrphl0gwT9Kl8fGogVTJm0hFtliHYKILLeOIJHJhXN92Ad1IAiq5KswAX8iPLR0+AaCBjxyHUHJEKLf51duWcS0Bu9OgBXnIcP2VAwmc5YkAzFSjUEfbLjkLUj/ZHpEQD2j3rh5Gqol2beumvTO75Kb9SdjMlafOzIcbpnZCJ7acWb1rUJ0t3+EFgXgax6r1VTUcplTs1rN/ePdSF+uXpgpMp7kVIFmHdD/lzXtIZbP+bosjmvWtsLAsrk1KnCYLEic2KlQVsrNe38LFx4EOqPoXS3mMwynByUGzi5B73IH4jJMgjZa1Ir/2rNJ1ViCKb3qro1qDthnQJPQtSLjMYnzqDpA0psn9Ds5zRxVjMxQRIfA8O0Ul2xnQhJL2OqBbTu3Eaeey0B8DLLg8cYDKWBbYIrgzpdzcDjPYJrqU1OvytBsQYKdPGAoZpOpMyQKHM3Uo2PJwErw5x5HnvF2EyoUMp0GONvXAbQQQ6CSHMxuJzdxEhPXwuDBBsYNJ3kTNw+YUR3T/6XCXoJglmv1zElc6nYrfNy5Q1w+GcgwfrsZGUisCW7WsdmmCiFzPpd0v7PjuqwJeMCA2WZmVflGRVHVbfPNiMmfSUUinR1oemv9H7bbc2Afb8aU606NIKi0hjd0btPpFFYyffa5qy+W4l4CZAVC9ikoD4X5r2QAd1ETVwTfrINwOKfY8KUmF2o1zr1U03Nu2KNEDgfXrdmAtHwist9uBpSm8u2PnWkuHex48bBVLbWUfB09DEeyy3SrOFL4yrJtOkuqdvVNgM1iNdNZA1UNd0AQfHGQ36twALWFaA3GFAvttgG0U3LLSnSs5gr4ldVNVSnqoo0iiTttPauJc+ZY8ZCKdKsw+AnB27jXwqQVMxG0U0vizeCgoz7NcHT21uoRBS0bjRNd0zWpgqUsTGqOjgNysXYh8cOKUZn8QfLtALm3tdirMD40A36VeeCcG1nX+xYKthK6p5lAg4YRA66cVkqpUWTr4LCi7me8iG6yXKiA6r9q2YS8dv+uEwozuUDvNlErPOxLcP/IZJ0cqHpt7/h0sh5zwVfls0FwGmj2oKsVsjqgwOCBBNf/M0thPykf2Lpb6iU0nIZtPRIKTVEy0e+SeazXwar+1XZ1dsp6merXSztqN7ukU4Ckatw1WBPZe5vu3DNt4UdWXOuhbOlW/WSfO38qHo/f2d+jDWbeyHz6c3azqhw+nsQ9nZ16JTBJsz0vZvjeXnepECNl8ro+Dtefbzjw+u1mEqp+tlsBT3YZv7d7YmSdtNwsAc3Yb+H28VIHlpGgM3VvlznpKOJNUCpxqj9b2l0q2MNLGqyQa3zB1ETppFMNXj4xs6572B51Zd3jSC8iwP/RPT/2ge3yMcRD0Z73gpNMwogvKdFjw3DwRnsYJjQjyb/0wK1Ic08TdZ3D1mylkNK4wXYr6zH1WfQR1tEVIfQJ/tru9477+rA/Qds+D9PYtEOCzOOEs1BsSjEwa5xw3C0o45v7itry+Kgdk5a6sX98G8GCGnNZTdCdBlYk6f169DrQ9JTZA2sC7aKEJaaMg0yZcUeCELShvwZTv1XjmwJt4f3AbQgI0XQtOs4v5JniL5zT+6um67ltgbbNH9i6hBPul9JbuWGgo7bT9awY4hO5VwS1uRcjmDcGFXJK8aQtylhOf0JuqKIZGqRMNzjOT9rDpQJsyluzuKAuCU//spI9FMOt0gynpkVlvGJzM5Be9Yd9vmighySwhc08x+GyQWX1YOfpAyOb3Rd9Gz1ptNoHKWr+9+zFSqdRtwJeZ1YBv9Gd0rvEB1QpwQt2il+XtMsN+vmrXgwBvZr0n8Flhth0xtEi30b5KTe63WIZVslKRsCjHuzERiQ3vq4a6BrJzPqUJx9yWOHWbfWhVmhQz2jnBwQTyxBNciKmrS9nXlQP1L2vTPm1UZe32rNtW2Zaufq/qXff9BBctq3UW/KYIBXng6JIlUE/bRAeb9LL/DwAA//9S+v4S" + return "eJzs/XtTHDmWMIz/359CPzbih5ktkipuxrzvRDw00N3E2pgxeHqnxxugylRVaciUsiUluPqJ/e5v6BxJqbwAhU3Zbg+zz+OmqjKlo6Ojc9O5/Af59eDd6cnpz/8/ciSJkIawjBtiZlyTCc8ZybhiqcnnA8INuaWaTJlgihqWkfGcmBkjx4fnpFTyXyw1gx/+g4ypZhmRAr6/YUpzKcgo2U2GyQ//Qc5yRjUjN1xzQ2bGlHp/Y2PKzawaJ6ksNlhOteHpBks1MZLoajpl2pB0RsWUwVd22AlneaaTH35YJ9dsvk9Yqn8gxHCTs337wA+EZEynipeGSwFfkZ/cO8S9vf8DIetE0ILtk9X/Y3jBtKFFufoDIYTk7Ibl+ySVisFnxX6vuGLZPjGqwq/MvGT7JKMGPzbmWz2ihm3YMcntjAlAE7thwhCp+JQLi77kB3iPkAuLa67hoSy8xz4aRVOL5omSRT3CwE7MU5rnc6JYqZhmwnAxhYnciPV0vRumZaVSFuY/mUQv4G9kRjUR0kObk4CeAZLGDc0rBkAHYEpZVrmdxg3rJptwpQ283wJLsZTxmxqqkpcs56KG653DOe4XmUhFaJ7jCDrBfWIfaVHaTV/dHI5214c765tbF8O9/eHO/tZ2srez9dtqtM05HbNc924w7qYcWyqGL/DPS/z+ms1vpcp6Nvqw0kYW9oENxElJudJhDYdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9BnuMeaEIVI9pIiyiqPaQBgGOPoKtMptdMXREqMnJ1vaevHDo6mPy/K7Qsc54CdCv7ZGUi5fqYqpUBWWHixn5TKplVKfz+vzGCC6Y1nbJ7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWe39kxwQSg8bb9gKmDFTqeNqlJTWbzlcqrJLTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxrhjN6DhnRFdFQdWcyOjExcewqHLDyzysXRP2kWt75GdsXk9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6f3nYCY0vlUSMUu6VjesH0yGm5ud3fuNdfGrse9pwOpGzoljKYzv8omjf0zJiGkq82V/4lJiU6ZQEpxbP0gfDFVsir3yWYPHV3MGL4ZdskdI8dcKaFju8nIBifm1p4ey0CNFXATtxVUzC3OqT2FeW7P3YBkzOAfUhE51kzd2O1BcpWWzGbS7pRUxNBrpknBqK4UK+wDbtjwWPt0asJFmlcZIz8yavkArFWTgs4JzbUkqhL2bTev0glINFho8he3VDeknlkmOWY1PwbKtvBTnmtPe4gkVQlhz4lEBFnYovUpN+TtjKmYe89oWTJLgXaxcFLDUoGzWwQIR40TKY2Qxu65X+w+OcHpUqsJyAkuGs6tPYiDGr7EkgJxmsiYUZNE5/fg7A3oJE5yNhfkdpyW5YZdCk9ZQmraiLlvJplHHbBdUDQInyC1cE2sfCVmpmQ1nZHfK1bZ8fVcG1ZokvNrRv6LTq7pgLxjGUf6KJVMmdZcTP2muMd1lc4sl34tp9pQPSO4DnIO6HYow4MIRI4oDOpKfTrGFc+zxPMpN0v7RPed6TtPdfskHX80TGRWPNupGiibuH3HPfK07BQZZNdWoxFuACPDKaRi3jMenDSKCEf9IwxpT0Cp5A3P2MAqJLpkKZ/wlODboPhwHdQzh8GI0xTMKJ5a2gm66Euri5IXtMh2t9cGJOdj+Bm//ucu3dxie5O9ydZwsjMcjsZ0a3ubbbOd7Wwve5WO9zbT8Wj4Mg0g2vUYsjncHK4PN9eHO2Rza3803B8NyX8Oh8MheX9x+D8BwxNa5eYScLRPJjTXrLGtrJyxgimaX/KsuanMbccTbKyfg/DMcr4JZwq5AtfufLzgExAsIH30WnuLudVQVAFan1fMaaqkthuhDVWWTY4rQ66QQnh2BcfMHrDuDu3RbYvoSQMR7eU/DU2/F/x3q7Y+ft1BjbKcB/kVvHcL+tqYEeBOvIcA3fKyxvLsv8tYoNNGgW3GjL6zg5pQfAqlHGoWU37DQB2lwr2GT7ufZywvJ1VueaPlAG6FYWBzK8lPjk8TLrShInXqaUvMaDsxyBpLJE5LIrWWxEqqgDOEsbkmgrEM7crbGU9n3akCw05lYSezZlO07pOJ5R9eoMBSUdL4r+TEMEFyNjGEFaWZd7dyImVjF+1GLWMXL+blPdvnhZidgND8ls410cb+G3BrVXw986SJ2+qsLHzXKmlJjRoRRHHAav0skribaMzqR0Az4ZPGxtc71iaAxuYXNJ1ZU6+L4ngcj2fHuJeA6r87kdBEdgum3WSYDNdVuhlrp7qhmlZGClnISpNzkPQPqKkHgtD6FVQOyIuD8zU8mE7pdIClUggGjoATYZgSzJAzJY1MpZf7L07O1oiSFUjDUrEJ/8g0qUTGUE5b6atkbgez3E0qUkjFiGDmVqprIkumqJHK6rHedmczmk/sC5RYNSZnhGYFF1wbezJvvM5sx8pkgQo2NcS5I3ARRSHFgKQ5oyqf1xIQbJcArcx5Ogd7YcZAZbALTBbWg0RVjIOeep+ozGVQxhpb4UQCjkNonssUdGYHUWebnBoZvg4E73bRDfTi4Px0jVQweD6vJY5GmyigHs/ESWPdEemNdka7rxoLlmpKBf8D2GPSFSOfoyaA9XkZYzlidd5sJ11LnoDqrAodazTkPnWntQdvozXBfB08/CylpcHXrw+jM5jmvGUiHtbf3GMjHrg37WHz9Ei1I0BuuD0LSPp+m9wRdLqvBw5tP8WmVGVgE1iVXwo9iJ5He2DM0YvKpaA5meTyliiWWnO54ZG4ODxzo6JkqsHswGa/sI9HkMEB1EwES9A+c/6PU1LS9JqZF3otgVnQiVE6FtKZCr2FVrVrTOpNWAW6NtMWDmdkeSwZRYWmAExCzmXBgtlTaTQfDVMFWfEuUKlWaoeJYhPPrRwoorVAjUfP/ezMe9zZMQvmLZj3EQLcsbRgianf5nqKGH50VDgi8hNY6VXpyiLEjVrb1VxY8P5VCdwAMLPRcPYO6p7BavwKaTpDWsUK92sdTrT3DAZ/Io634ecJHmA4PKiq0SwjmhVUGJ4C72cfjdPq2EfU1weoRHmOoINuZyS54Xa5/A9W+0zsQpkCC05zU1G3HScTMpeVCnNMaJ574vMSwXLTqVTzgX3UKyXa8DwnTOhKOQ3UuZ2t4pIxbSx5WJRahE14ngeGRstSyVJxalg+f4S9TLNMMa2XZVMBtaNzxNGWm9DpP4HNFGM+rWSl8zlSM7wTGOatRYuWBQN3O8m5BnfkydnAmscoZ6Ui1AqWj0RLSycJIf+oMRv0wVo7wnOg6K2HydP9VeK+uEKUNbVMQbiJlMisQpcwisarhJdXFpSrBMG6GpCMlUxkTs1HHV2KGgjw1Lgdq7Wo5N9OgFOdPMvw2JM1N0w/oNpHe49+n+ZrDUB+tD+g0y5cnLkz6UgCWWd3q/a2G4AhYS/B6HA8HMdPGnNOmUxSbuaXS3IQHFqdvXd33lgbgTlXYgMcKQwXTJhlwXQaOSvCZB34TqUyM3JQMMVT2gNkJYyaX3ItL1OZLQV1OAU5OX9L7BQdCA8P7gRrWbvpQOrd0EMqaNbFFLDHh43pKZOXpeRBNjXvfKSYclNlKK9zauBDB4LV/0tWcrhBXH+5leyOtve2hgOyklOzsk+2d5Kd4c6r0R7539UOkE/LE1s+QM3UupfH0U+o8Xv0DIjzgaAWJidkqqiocqq4mceCdU5SK+BB7YwE6KGXm8HDhBTOFWpUKbMSwynfk1xK5QTPADwqM16rtrWEQvByUs7mmts//MVV6o+1jkA4lSa6nYdrOY5+hwIE5JRJv9quH2YstZFiPUs7e6PYlEuxzJP2Dma476Ct/+3wLriWdNQcTL0n7W8VG7Mmonj5AAzhgcYsJ2dBR/MMEWXFi5Ozm22rb52c3eyuNWVGQdMlLPjNwWE/LM3JBTVJe7G9Z7V/wasX1mZE0+fkzE7kDAEMIjo9uAhWNXnBkmniXEQ0j61/giak9x417ivCAYgMSWupgk9RTEkuaUbGNKcihfM44YrdWjsGDHclK3tMW2qrXXQplXmc1uo1F20U71dlY2zY8f8s+ECD9RFKXGPVZ/j2J6lsm004OnuyiCZ5936cuT24i/gty9GGKZZd9imLTyezrMUy49MZ0yaa1OMI5x7AQsqSZR5kXY29jhn2/6f64gZlTzScMzAnUkHIT+KeS1JZrBCuyUr8RftGCYOf3E1RxgxTBUjYUrGUa2tCgXuEolEL1+YQ9FWNc54SXU0m/GMYEZ55MTOm3N/YwEfwCWs6rSXkQs0trRqJ/oCP3Eo0lJrjOdG8KPM5MfS63lc0gnOqDVxXYOQT2ttCGgK23C3Lc1j9xeuj+qp+JZVJdb3SFZERNhpUYWR5CRTwBYiCTSb2DN8wO6vTVdw2vmAXr4/WBnhLcy3krfDerwZYxOF+4N2MgKOS1pTvxgPR16Wf9rxh2OiK0KIICOjPTThANHfRTL0Ti1EPfN+gm0ozlSyXZGJTCz3SUqGf106Ol08FA/+HnNzFNaggr48OziB0BVd8FIaKaWW1uzpWUJ4vaXFWrycwgddbki4AkyrPe1TEP6XHxS54VRO7JJgOLAd6Q3lOx3lXSz3Ix0wZcsyFNsyRWAM34ED9agQIsy+fAnGRSwuu6QaY+FgpXJ+/AwdX40aZU2O1kB5CRTiXaAfHO4GTdYGYUT1bmhmOmAK+Y+fBKDGlmFV/O9Fm1DEoQaiQYh6H+6IiF5HKe81clMoVrIJn6KmGD3Z1VyEcLZVigntF88acVGRWJNU3NMRHcfcR1VKCle6IVUKU9WzW0xm+X42jnc+swo3eEogF5aK76IilUWBpXVQombddyk9GuAdKUQjgBoKEmbyrCHIcmqHdLYBX/7lyzcdU0EuIplgZkBXFrNXCxfTSDogh0PfgrL77lhUCHq6+/Rd333xjBgzBMxZuSGAoAte5E0VDVHy9DLzCwqgqbztBbBW5M753Qt7UcZdcxwFgVJDjw00M/7LHbMJMOmMa3GLR6IQb7UKqayDtEW1mAjRCurkOgUVNENy4qhIuVluxQpoQhkRkZTTPWDRTGzKEiRIXTOwX5ElH1K86l14zaQEHrQeCqGk3ubdv7bBc16A6hD3mkjMFh/PyxNvqRY0gnAuixeOrH56FDADHuuYk45MJU7F3AhyXHOLercC3DGfdMEGFIUzccCVF0Qx7q2nr4NfzMDnPBv5aCeifvH33MznJMEYfwhyqNhftauK7u7svX77c29t79epVLzqX6Y3uItSzP5pzqu/BZcBhwNHn4RJVyA42M67LnM5jhSq2gTFbbz1jN/fzrQirqKHynJv55R/1DfGTM+poHmLnsfjBa2ngFMCAatbU4dWVXmdUm/VRy7Pr4hqXd8hOfDzryZGXJgCrZ21tQPn6aHNre2f35d6rIR2nGZsM+yFeIh0HmOPI4y7UkcsavuwG0D4ZRG88d41iae9Fo9lMCpbxqunMcXmtX4SlurliZtV3aBtH9Cy8MyAHf1ixXX/TkwwxX3eTLHpa/fq/DA/0GMBrlkXXjpyrufp+dlXMyePXf8OzhQJUPvvu26MAJkz8quM0T3qrB4TahQ7INC0HAUNSkYxPuaG5TBkVXU35VjeWhZdlS1qUuyv7RHYbK7kyY5eaTwW1CmlD25UZI+eNX+5Wey9mTLN2PmDD2gP9ccwFVXOYlIRJ9eKhyJg08oAJNpYyZ1T0oe1H/AkMYVqCCs4x/trBYtHnov26loVRFXvAdqhB1YaaamnBcAdZxl2oaxfLQOlMWf6WWksfQenJT6nQjHdZgVOrDKdqXho5VbSc8ZQwpaTCtN3OqDc051l8Uy8VMarSxs9HXjN6w0glomhOPIb+1foVfz7r8cOwt1ZFE+mMpdd9yWfH7969fXf5/vTi3fvzi+Ojy3dv314svEcVJqAv6UL7HIdvCOxA+oHf1eFBPFVSy4khh1KVspGe8+BSAI1sEQl6z/FYPTdSMbT64q3s2R6Szpq3Xn+3e0ohArh+/a73IOcQ86x9yOMA7EHLx8KQaOC5+Egp8nkz5XY8J0bKXLvcRvBSQrYcS6/R4kM67JDM4w4yEOtn4rWf76CHFkRKkwPdMGV1k4zQqTVtI2/QjNU8VJimzdF73GgD+Q+cpUUQUwsOYPKOjIPMiL+8Jz8gPNiMAXfR2Z3yDVFCuUtOdUAGKJAI3P2au9CXk3iQqBZIJKtmLC8jpyi4DzAQIAytnWNCzK1kNTxoPYtIrGX6LevF86yp/POCTpdqjMRKFUwWQgsRIEtomLQrRR9ohk6XBFlNWQ4uOm3dUkUVSu6fPqpUck+tkraZBrO6sh+NeZe4HfWi6+ipoIcizS5LEcXRSUEFnSLz57omhI4ShRVSIj4SpSLEnOSo9fU9vCR69P6UFWS40dMQjoiRNRvNQiE9Y0ZZKg/lpyD7cfkp32ICRSP/Y6EsiiBlXHGhJ8qiCMNCNsVzFsVzFsW/dxZFfDB9XJ6rJNbery+VShGzwud8iud8iqcB6TmfYnGcPedTPOdT/InyKWIZ9k0kVUQALS2zgpd2tnjpD6QTsEYeQan4DTWMHL35ba0vkwCOAhgX31QyBUTvRx4Xt1Lww9S4MZKM54CJIwZl4p5+hctIj3iELvblciTupOWvnSiRddTE52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ7zVbIstRjvr7u9ev4eP9deQXiRmDiJmcjxVVnGmSzQUt0Gb0CJU086X6XVVwcCq5n99QMXf1N+Oq4q4YniQrekYh07sxz4qr6B5CwcFV5aMBx1Vo3wIhKszgeNA8hea5R/pE5rm85WK676H5CznCBaznXFy7+ebkxVWS5fnVmivp6e1hKcivXGTyVtfvnyO4bzG26MVVomXfe+8F/7gOymln7R1YGmDMcz7uG7Cg6dvzxS8zm4GFyZ8ocq8F+XMg37cfyNfesu8nrq+1sucwv2WF+bUQ/Rz1dweerGqcFNnOkhjim6MdnOJR8OgZHS0JoPNfDkafBtHmzu7yYNrc2f00qHacs3opUO2MNh8H1ZI4dMOsd8pNW2zWRYILWmrv4Y95OvTmk4JkXF93j801U4LlW5uJ13wXSXWhZln2609VniPEdpLO2lvAH+5/cIrlB6ymv7X54ZMWxBKq0hk3LA1ZIksIbzx7T+JpiKFqykxwZdhld5b4cXf7EauwIoqK+ZIWcBIqiOE0HTIb+KSkjEBHrKLkOVuHWOMnVSdKlkSALXu1rVCFT1jsGY3jOR5enB3+sreXxdOv7qbZ2OKRK9tNtpJXu8NhMnq5Pdp5xBJ5US7TDXaAzq8Q211KZVwO+dkxnjRyIIiDgqyvQ1kDeIxEcBH7S9rszDjhYspUqbhwmWDctXcjdGKg0DpizAXn+vxyq5lhpfZaI1JU6GAtaTKzOpBM00opq2JiTCc2VXHNxqAbh1E0WFsAPeb9NbUpJfBhWvdOvb29TSZcMTYHRrExzuV0w8wUo2bdmpyWN21sDkfbG8PRhlE0veZiul7Q/JYqto7IWbcTcjFNZqbIu9JkmO7uDbfSbfZqc3Nk/8hSuvNqd4vSbGs3yyaPIBDfsewSDsNSM5LdSfgcbnZ+dnByepEc//fxI5boGhsue11ums9Z30pg1x8+Hhx7bw78/Tb4ZVAEr9yPgOBoE42+OEen5/DxHkfbT42geDvh0ek5+b1icACtPUaFvmVRS1X7u6tL4uwyxuEshl4IddMaP9aclIpLcKlNGXaNc8O6QV9cZUJDPvo+PH+15pobzv0k8ehwi+R7KaD7u24z6UbEaUOMv8bLT6pjF5yDAa3HW6ZYvXeoPnCN43ShxFev1h4Twt9Y8cLJJS0WLAgFp65bMaLSvYF3uzSdubmIdr1JFDOVEtEthO9E7Op6RtovI3Aldc3mDi919LzfAMSzZr4pbiM5YDwnx4fndXOrd9hoBccCXgwcNHZoFfVy8Ec/uSC39q3jw3M3fDse0O6lpbGodSH2FoNfmgke9jlPy+TAkIILXlTFwH0ZxvWLKiptGu1Lr+wsVxY4KG/TWQbX9YXmwBoOYUhqR0tBcHLje2hTTUqpNR/jJWEGfUOs/kdrt59zgPssgH5AqSYp9p1rZJW0yC5Jc7q0/BEsIUAxrC5siM/0yZBioE+kCwbD9jsdjnhy2gt6VJtoKYEpAG3EAjHUqNWm2x0ORrEwkI9qxVdLJjLtL0yxM5zlSh4l8YB+7R0xPxom/v/1YmHZNSCiy2hLcVHxgBbopMRmNLrZ3o86x56ckMPTgzfH9kCMmUWWfT+/sdpXxJxWVzW5whvOmsWYKJtICt8eUSrFdCktioOXOhoEzmVCTgKvEtL48Jj2mL6z9BU0UfKpK1dWvDDoCt/ZFqvg3RU95bfGmEUCRe4KMbzw13EQ/XkD7n7LumHBgIHeXfAOVJrOYs7OJsCYGmlPXKdUZSxLyG9MSV/SogAH5MxdCCIPrRE4rrGGU/SkmfQT6hLLylzM6pIyn8hjgDab7i9GM6YuJ7lvzb0M08nfxG6SnBlr0Vg2iTMTmLlRcKXEjoN17ZF9cnAwIBeHA/LuaEDeHQzIwdGAHB4NyNHbDs26j+vk3VH9ZzOdY2lBJXaH7NIw6jaOCKAa7kAyr3yUSk4VLZAC0eNmIkK2j4Dyhblu0UCQRFryOj0OuYPuMaQ3R6NRY92y7Anzf/LFu2tVKfDuB/UozE53dyvXXEDoK6qpDc2VhIbyccwhdMI2Hnd1DzfM88BhUBMGzMCNdzzmnTj62/vjd/9o4Ciwxi+mMrhufE5coPXxoHbQ4ODLFIwgEVugxYIv+IZbVQeFFOvg0YC2uumMKpoaa2+8GLNc3pKtTciDtRCQ0ebu2iCifakbb9S8PNhB2DWR6ZSW9kxRzchoCCJkCnN8ODo6Wqv18B9pek10TvXM2XW/VxJyDMPIbqiEXNCxHpCUKsXplDnjQaOSmvMoG3bCWBaPkEpxw5QL6/9gBuSDwrc+CKA/5i7oHidkwz5/9TD259D1byl0PdBFwP8y6SFMAnZe7UNwK6y7/XaotMss3EAzsAtzw8vcJeYBMwwzDWrc6Gq8adc5ahDLoIH0GsLGrbk3YesxVgZII0ISoyjPoREwU1z2a7/9SH9OHEAW+Jw48LjEgZqAvoyV4Iyl+zWLg4ODpnrsLdbLz0kBPOg46vKcnJxZRY5Bfb6r2MFx1fI0+B+vvMPP0Q6fTHha5eBHqjQbkDFLaaWDE/qGKs7M3FtIMaUW1GhrGdqhHFgJOf5olG/PC/BFVT88oGbGFDgFwAEaIeeq1lnpNYPBvVMLWyBl7KN9u7BUEg+NegG+BL8zqjkEXYYR60a4qK5YDXciuxWEg4nTdqA0vxu1NxjU4S9hDfi5+tN/T99CdFsDuiWejdX4cARfvg9CygYO0VYxBfprSi/oN1yX0IruAiA4a8pvmIZOw9EtQqP1MDyWKhYH/2VCh1EmCFv7OmBRKGoAvG/fef4bQLTml8LXvimZcut/IUv0weZzO4SWMggWZ7Lh6VhLyIHIoDJ5KkVtvTqsNs/+3XcS3qtvjTnHEzq8NLh/Q8XLtHHbc3z40G3PG2boeuyy9hXTnE968WKbvdfoUXiOYr9XXLEMig8+QczO8eF5uFMHORbwaxejiZEJuWKpTtxDV5ic48GomSBoRsB6Km2wZihcYOedVt+E/DpjAvcMNjBVUkcKGxcZT5km6+vOVequMSxAFp8659OZyfvKr0ergfejcPGcwY26YVPl7q9p9i8Lqs8yTmesoC38k0Ygfw/pjJJhMowpRynZKM53HL5YOCifiuhOzsUQA/nOwbkR8Pgem88XqD/gc+4yqCwZFFnKGRb7t2j2jADyZ1JqpdAtSp/gzMC950azfFJb21Tg6I+4kVtSwQdAJnp+WpcKCOC9jrglpeP4cKgeCJy36QEwosSZnsV6j1VjYG1oen1ptYvvIYPxAsOJ02sCKwo3QIBRS6xlDjeF7GNIMgD1p7ci65fRfcOGD2I7BeOxwfUWBy+wjykr69oBEff4F72hSU7FNDmt8vxMwjXFsX88Ziuhm75nK+GL+9mKO9J99T4hqvmjuSMDIpfegsHSoIqnDfYQuNCBfZRAGRpXxA45RltMe+EMrT8LZmZ4dAO7qo2H1zIwK5AlXKR55ZqYwG0ONeEODYwvMa3HCDXV7UT1Itx4fijqc5Ys4UHeFbZPwb4sNNRvc752tHFCoQo3pr8YB3MwLsUwwCp8fpC6ISkZM3NrNX/qW1xSp+Kom3D/jJNxwQ2HyHK7VbnUdm0HficeRrdVvaQfEm7URYU1sXJSMKorxQpsgQOZAX2YjR6DaHZDr1mg4RjNMXnUOC5YISE+hWk7jB8uqzENc2dQncSfTlaAg79SLCHnDPf8CrPorOy7wmVz4+qwA5/wsRiQIRqu+MMRjkMVHKR2Xm2s6d6Q64u1olmgKNYnmw84erAZ/KVEs0ymc3yEsk8YMxjHS4joLXICFXqBBGqtdEaFx2tKDZtKMAX8+GFzLcO4AoSs0yy7GpArd27W4dww+GrCc7aOmn92hXdK/malISBA5Y+iWVyoYw4U1tfAptJMrZdUa4vMdQxKaqoZDvTlbAdmecFBmpCJtYysenmIc/pahhjmhUY3KK7U4I7U/jGwX5yTy22NHcgDT2acKarSWRws396bWiPE7V4Z8ykZV1BBZ8XCF43ImW462iIlPTdMOW7XmmLf7ewVmTthETR3bKzlHF/usTAm5AZxM3d3aqhsc408K5/HTbncjHZTrny8KHetgGhcvUxXYw9Wm+rD+N6yc/OCW43muby1EFpzM21ulJM7bkmRd44aq0fA1gQTJMJk11qszMxqf1F5vLvV3qfzLpw4lTONrj9DLB0sCio/gMkNaZ8R5qIitD6Wq9IsCI2M6UYrJqdzalKJqCLtgCg2pSrL490H7g9PE6vHVPYPqYhdHph2YGKhoJE3TIGUgVBmrzJ5ZY/HW8J8yCbqOeTkqLsN27vbe03kIwd6gBdktX+iiV93GnCQTi82tgHy8dYaroG3glSccBVljSlGgbdZ6pzCnkhlP4NjpeQly6FFzx00nXGrQ6SuHNb/gTK/hhYlsg1q4q9M3PDcxJ7zIM0ZOiCtvufLa4UwnbZIORGksCJZc1OhfTxwsYjmVpIwrTtoY9ZjhSPr9x/TOMqlEZGe0jyFrDlXWyuHcBtUjGIHlItccIGYSOI1k4jVFtgWeBWQjnsS0tIzwo3jEi1ICim4kXXgXz3E6ipYyn7H7EffcstIcs1YSaoSbxbgpfhwNbFqLW2EtIlHK1rxxKU0H8Q7W1/7RpUm4tTBzeFod324s765dTHc2x/u7G9tJ3s7L39rhidm1FDNHqqJ9vn1W3CaVsSaaGAEb1vgghxTAqz6IaMmVtaEkMqLG6zYR9OGnMnldOBMwlxO1wbx5EGKGOl0nHldYjo6r6ksoiqZ2OuxBhs2HdIhCuDZUHBASBOcXTC81Xsac4OpF6LnCplVeU36WJEHKxKg1kNJJrH3o+gM0yNsSprOWBLhImxvpRapz9pT8671JhdlZS79j4IK6SLkvP1XmfgBqt/wPOe9z+CdG9DIqJdwjtzUDbcagdvBMG2TkpBPIdbtmcfPzJpNirl7SVPfAzYCHvt4kWc0MLvIvClg95R3agUxsUgw110ipQa1I03aggTpzQpO/71XqwLgVtbANaIcg7nYaj6xxOykX6iekRclUzNaanv4tLHfRIlFa3AfSG+dJDPSbgDFq6rIHVRIoY2yyweXAfhirebYJvq67V/fXwc/Hh59MUffyZFdTehscHdNlz26PdkZDrMmZGLKupUDFtdJLoJMALoIXJUqxW98ZCaDGsGK5i7Q1EjV0TBAt/BFVUAZuKoFTqyLt+jSqwv5PCR6JY5T1pI417IzekObiicoGBUmTs7H9B4rr6OGGSQoUETT214b+EQ4o9KeLjT6rRmmdVVYjUFIYtcG1s4gaApO9vrbqpmSQuZy2qhsY0WNvPaRAlzvN3BF/t/24upv/HZfLSSzd5LRcPTbwiUArnmbGX1jdq6P6/okQxedO3jJaAda96O0fZOQt+LVhvhn02mX4bkuBuVAJzz040V3c8bVkg93pLXfpNeCdnHD3mpBfodq+7TiekZozpTxigychYZ3rBWKgEKrOVpLR8U1kpm8dfq4RRVA0MgViwQcmVGR5RBvOGNzuD27taayMNExVcyuGZyV9ZeoZgBClMzrVXMDo8BJh95NEJSljSWG2xmDJLUQ6Y79tOHuz8BN4bTKqQoh+LXpqKxy1aPy5O1qXg2dammKLM4SJZ9ANDSspa0puotyZz6AgYK8qioxc9eRVcpKCIPCodGiyKspaAJdT0p9U0/hJAivPaM+fACqIMjftYE/NzjyVSskrWEK1lcR4Aa0z9+lZzaw7nn/MvD+zjJ19tEE54ElZ2G4CqfvvSP/e7SGO4xoq7HD/RBD7S6T6WXUajTj2momGThGsbgfmLOQT8yymuit9u9CeiA62CjObrwtfXWJe9PD6s9ZSUavyHBvf3N3fzRET/fh8U/7w///f4w2t/+fc5ZWdgH4iWBGM3RyYgq/GyXu0dHQ/VFrgZYX6ArO6aSyclkbWZYs8y/gf7VK/zoaJvb/RiTT5q+bySjZTDZ1af462tzaDKr/HddosjLWVvqm5Y21qD5V3Lj1XfmQvYwJiNmOmRkKkcjvSj3i4XqnNiMpz60iE3wsJVM+IjuIFOi/gD4czG9mWa9WcyqNy2pAjc/n+0LuvbsdiHz/WcNriQwEc8FastCyb1+sKGL4tThrIWYA7dPRiYdiktdukmiBEegHVjqIAL/XTSkG0IFcKGXlTTjyIqwNP7uENBTZYdA6ihe1NLdGMP/rSoB1Im2oxxQMchSxdvRIROoQl4W8Wt5AVZp4gxfa1ps4+MRtbBzY9VOlgJ5qtAiXXOuYPXjTIHnXKrxay9Rd+uE+3KGFmAbDq2vq2MFrFExaN7eWMvysZhZ74/etknHV6LpMxTxoMWCXcsgv9ICRTDJktQW9rndHM6F7pItDa4PFLLkB9ep5iGLrO2foV4ZThRLbB9yez7VzRnXd0K/lNHK7Fqg/NWRtHTrnbTUvZnpavBAtJ+aWKnZfopY7LKABnM91YRW2mTFltgauZThZuhq77mRu4HbxyTDiCyw3NKjr2ay7Ja57sbR+UFlrSkzX7qq+1NhGxaheWtWX1XcwOrmdzePgNH/Z32VSXQ9sz1WpHc01IVSGp6CdOtZqMeoIPNzBNm5Tw7i/QuiUO0P49lWTp7ghA/9wdzTuFcTbVU/zHlysq7pnFx+u3lvlr8ktG9tj9NGHuIsWPNGQ9vRmTHAndhSDaPFaqw+yoQVeYKONfUYgkSivxrlMr1lGNDfsqodoLiAiHzgSFaQSzOdgNvXfBw1gqPUa+fKWQGxuAvL+3WuSc3HtY/3vLxfq6bJNdX4UrE8LAQc8jQMY3GmNRiAHkfk4CIpPo7xEZDHvg61khbViKGELKeBqD8RuuB7E/o2dnfGVdlznwyjbAhtzbvzHcAiOt4W3iOvrSx3piXdpjpNc0t6gt3dcXxMYAYwlxaXiGHLfZoba8SuiZV6B9yfKyXuvmbtKgqXBZY67+EJ9wJ7e5A7YL4VUxQJEduciVk/BMcX/YBkM+8CCBhgRo1MK96FhEUNLN6PhsMeZV1DuqgS7GudzWcG+N69XnFRAbgJJwjoCSDdv0+wQt845p5mlJ1EvA7HmInVBU8Kqxi2HubZ8ZbEj+rieR+duYN9/8w6xDqGErUchXhnh99dQcBGjO5fiA7gTpNfNygbsI00NkSpzkRPB8RLdjsd34+FYB+dtuBbpYOuGRW3inqRtEebVYqhXmKB5fhpC877by19DBYNgMIQR40oHUQINPuUvWXywAY3i9z130om7catKL7yjYKCwExA65mblzoRPpdBcm1j3dpQZ+91AHbDaVm+5EafnhfWMmUUz1Fy7yuU00fB74n9PUpmxq8QzX/91LWJj13YdvY2lgNwUHWWlcUWKXM233aqP5snR+Vri8xsbbwQV3JE14UYTeSvCjJiaYWV8nXMRxk1liSFYdy83itkJC+5KkZdNmjZ0oZZn91+a4Y3cg9dmLggtvjiLKAIv0OogjTtuzuw5/aNuRbyEtKD7DdXGkuyBqBmH3eGwIPRruVBYB3NTH8kVo5nXy5yw9oRe335EYhIPoCcOrPx3y3XDqk9TVmKefZjUJ7xB9Qxqj78UYP6dHLnJV44rJUu2cVBow1RGi5UoB5+Ox4rdoJ3rHz+/WFlDs5P88st+UdTMhNPcP7U+3NkfDlfWWmy0G/P9jXmqzIyrTwwAhFi5phOqFde2oqvxOkYCroCkHyBJYVRdJDtIrcx3oguRPJGnDwgTdr91FC7o+GoGt+0ycn7hoiAZtlR2S0HpdI4dn2foGufd4a9daiCf8y3NS9ZWVSq1rBZUq23zQcDYUNzQa2TSdTCu7BG+YdrwqV9d08uzgGUhsGKnGxpzerhYz1hpZp3RUSS5G7Da4YOXuyLOvnDZiwKMT1LmNGV32id32CX1kf8s+6SY91goMMXGzubLUcay8fpkZzxc394c7a3vvZwM17dpur33cki39ibsfuvF08OEuysml2Hxk/98T4LFAdZ+bkXjQzmZzu0kJDpoMrZ6UTNU0SUM2F8hctOHyNux3cL9/v8ExbFdeTqndkVeQzjgcN/gd8jnIPjPVGQbUtWLJY2Yq4GrjxJc1OM5Tnnib13Im/rO658/nbz5H1+uU9fZBlbI8pTptQRfdsknzuHXisgHTwnkvrMMsdlajz+OUUyC82o+KmofIwE/QzFZfU1djIILWcixxr8futeJ77299VZqDB6EerXghUKHc0/wETVG8XHVaX+/hNJZiPcwXyz+w5fYiwfZ8w1Vc0sboXMZ+YUpDJKE2jzs44xWGjzlUFFBTpxsaXJryxWCN8hnc7jjCZXHb9gArg0gsz0b1L3irIyCXivxhR37yNLKsAGZ8SxjYgDBuPivFPl84DjkgNwqbnq81Kv/XPHPrgzICj79YCum5+Y7z813zHPzHfLcfOe5+c732XynN7HkcboD6EEwDiiDULN8QXUB4jmR2BrvN5WFNAqefCrtplYInM5FMb4L8vD69R38LdRVhmHcBqLmUJXgx7kq7FRXzuTj9qwwTa5gFdG1lUs1wSwirPsevHr20YG1NNMwnLcmPdxx9fgWvhpZp08t4rDhvguD0K2LYXNX6xSd0SaIXtlZFpShWW4oAxHMmVwC64pL/8ZZ2JniN1EgDpRddW6HyBXQWeHGTBZsg+Ye82GldrhLHOZzF9tL3EcKVFEsD3vPapuOCWDMiuXshkae5ro7ZG8sZ5S8U5ZMWTsXBUDDfQfiMw8XAnER3UW5EqBmiR1XgGWFSTp7WTq/kgdnurS6t2eKF1YQYOvkkyPy4ueTo7V7j9LqaDgcNQ98bR8uG8J234qefrXtA/BF27t9pR5uX7FR21fsxlZngiwvNfjEjl37iL2iitxNhL+9K6l9VjZ3drf2tpqnpeAFu1xiLZU3J2+OMYrfSxefewzQglHYbAiniDaKUQhxGs9N5EqoNBQAiboGcSpoItV0A++8If14o2AZp+vgCY7/Tj7OTJH/8+Tg9KBm8ZMJTznN0W/8PwMnMnz9vQTrV/VkMlr9owS9f+zqW4YxMbk2ZB5ES/d5nosy/mJ5lPTGElKMdi6ITK3aHqiL9hayWR3ubg9bJPSZGmmPQho0SQqB7GA6NI/ZEgtWn7Z7FKIwDwWovKSss03Q7HFKVgdl3pfdFqTyViwtKBLdx3aCVfCgKEg6fVg+PW0Hxa9WaAq6NUKjxsg+GbQ2EvYWi9V2lN+GfZpFSuXjlN+Nu/b+ubHjc2PHu1f73NjxubHjc2PH58aOz40dn6CxYxSxxv94ZLxqj2/XDmKPNZgm0Ql4G/uQUEmAemkusIdrsmI/9hR4H+1u7W03AEUxffmdKGMXqHSAOgYxQ/MCQlpawXnLs0Fh38AQe4FUmHEFgRgOkrUO9YWoiRBDtNRmT1ZBB3/Xe/B3qTrkPSo/++K85QxD/X4Rl9jHneGrhOZwOg2/Qea2rGvf1y4OwF1UkmheF1nw4vzgdC1BOwsM7xBm0He1Siszw1B66M0U3f3Alo4r48KN6gJZrTL5R6fnJF4xIS8gn53nWUpVptfQb8sKyvP6vS5i/5KwnGrD0ySVC98pAe651hVTCcK5TNHike8CsIABvzg8BbqxQMDteYTCgNzOal1lSPCxkV/4dEYOtK4UFSkj51DFlBwefBoSKmGWdtdRIwBmIS8O17DuXXt9788/BfioAATLlrmRR/FEbh+PPmUfD//6/nxA3v7V7+eJSAfk7fu/ttpFDcjh6V/v2fNwdD5r73OZ0ryTB/Hkm++n8fzm9VpHfbLkYTnF3zm7/ZSVSDWlwgWqLnk18VSavHj7GYf5RKSfu1iaX1aCL0uF7FszzYmd0S79/Sesva8v2iPXDxWEL6W6BPV1eYmJQXRCxWLIIsP5guC8GJBzUF3OOiR9SHM+kUpw+qglCmkuwYxcYE13eXAvOhWl462BSh2gVYNRKjTPoIcbhKF0tmtzuDlcH75cH+2S4db+aGd/69V/Dof7w+GjV4VtXJe5LEw2WWBJo1frwz1Y0mh/e7i/ufMJS8ImVZfXbH5J86ml9dkiuYufQocHfvzggvAp61gfATtqXbPuYXt3/ji5EC0qrdTNMiv6w/i4IF9sO8/tA6n7qV4WCQjGSIEg/KBvnceNv+PpIEFwbcqdzdGnYoJ9LKWoc94+xVY9dkOEDcwYOLFb2xeCLBdY1e7OztZLj/V2OZlPWOVnWuOQAGptcWcRRbunS5qijc5NV43fHLpywovCrJniNL/EJNMlEagrQohT1fmsuqqptV/aQaWAkCaZzqNSXpO4XCbscTmjLmF00OxujS5BH4gvwaTKoXOOyOrwljB03VW1g92dnZ9+/PHV4cuj4x9/Gr7aG746Gm0eHh48jiuE0MGlc7qTZnuXRkByiF+MuMGvrK4bi/fRtY8ERPQECt9wQX6W5DUVU3IIscok52NF1Rx7HXj/6JSbWTUG1+hU5lRMN6ZyY5zL8cZUjpLR9oZW6QYGO29YxMA/yVT+x+utrZfrr7d2tjr4x5CI9cfyYWesfx0LVQcT1YPRXpWeUcWyZJrLMc2DNifYwlccrUV+DQv0Mw1QD/y3YIF2YvedqweLX91hgp5f/LVWUQfk9V/PqSA/WeOS61RGJurAmikJGKRPu+/fjPXZWPknLeVrm593HdTGFn72yr4BW7O10Met5Xu2G90t7nLVor/XV8V2UqendKhu637IQ2Qow8Pm8j5/dh/vSfv8mcm4WV9KlZpjyVBMYqJ1oBeEFltYozYoIXeimdsLSveUyfBKnB0V+htj4WcscMHSGSiIdfUyC9nJmdf2pHL3xWpdV2WZ85ALsVAPP27my8onOvSMsHuDKYVRjDaLjGGuNBNLy286beQ1ucm6DWWlMjNygG20WgCCVL/kWvb0vX0alDnF4eT8bX+728ODXpCWtYMOnN5NPKSCtrIZPFU/AMqUyctSxlEqMUOTYsoN9G8TGcmpgQ/dG5n/S1ZyKVb2yfrLrWR3tL23NRyQlZyalX2yvZPsDHdejfbI/zZvw5aoM62+t0fQp4i3wnhoQM3A57dgUQU5IVNFRZVTFacqmhmbW5bDkNlEd82HceuD6JKdK1eYGSrrYF8XMsmlVM6kHASrsFuNDsHLSTmbayzACdrcANgDCpJmJlBUIRG8DFxYu1QWwP0i9ta98R5LbaRYz9LGvig2tQJliSfrHcxw38Fa/9thH0xLOloOnt6T9beKjVn6Q19eg5df4Yu7JdjFjLlkhagxZE/5InhG18narWSYuIzR4h2OG33+n/yoNVrThAwnExYM1cAK5oqIxaVaG7UVBXl9dHBmJegBVnyts6UQ/rhfy12NKJ7aD9TTdRYXheXvXX77RsjK/1L8LcY5AJT80NOYxNHnL/7zA41LZ9hjBMizpsi6xhj8HnwwoY8lV+0wNKjPE/wwyrsY7PvM9xp6c7QzgISVNaDzUjHHrRNykGUejEkocYGhdG6I8RxqUauUah9E3AQOmTH1viFXPR9qAmpWUkWNVJ7jUt2opvNCC3qN5VIGBOsezujW5c5oc+0RqtyXTi368llFXyeh6EvmEoXzJHWjE/Av/vO9dWqgKEy7To0rHA0hd5XBpg3aUBEVyzs+PId3k7/4Q3Bnse1uXReYFMr3upuy2O6JqvhKhQbNQ61nYa0uNqgZkT+jKrulig3IDVemojkpaDrjAuJ8ZHqNV4yGcgEKkD2K/1WNmRIMKpvIjD2qB+ydMfpPIv/ftqo3N+brBubv7V7ubn8tCYuyUE6ivfOk5sXsXTK2TqRF3TON1Vc7yOqqvkv6hhGlIqfM/Hjy9rwhl2Gm11xUH3vGroGOZgojgtz3xcl78nPfnl68PX8bMPOAU2TKZPINGdIAzrduTCOQ35xBHYP1jRjVFqRv3rC2QD4b19+mcW335ls0sCO4vqaR3dS6lgTJ6i9u7FgiNfqS1t3TQ0XcW1+a+cpDdgWGjT2/iplKCe2tQpDHTh16wGB9mvU4axX1gLhOzIEOePSNmmh+S+eaVPDKAEpDusrSwelQMCq4mEKhc9fll4kbriQkdsc9PULHAYzrURjp4tpLXY0ZNcCIrtpYKB/AQnig2RYT1le2Q8ODzUXTJSD3F7eZd826LBo9vZc+4RbEBdkDZUZUGVHje8E/+sLxjlFCC6vfK5pDMncYM9LlwDygyHLdtUod/VJpphJX9d0a1SRjKc+gkZNVR4GUauYu7fOtzZc6mdCC58u6/n17TnB88sJf0iiWQZnejI05FQMyUYyNdTYgt6gOdxNP8MkO3FX+hCVsv1oiUMfcwV1vZmWH7FBMYLxD5aWpxfcb+S96w9rYinrXLGGX22vA2QLYYG4reusK93cg3062k+H6aLS5DjY5T9vQP60C9a3tdVwxwaHsrs397zZmvLfzS+2sn8+dZ6v3ST0g1bgSprrvDFN1yztneLnJ1R3gF6XH0TAZbSejBrRLK7Pumrm2xIq14A9zWWXBGPd+grqZltNqMOULGvZemc2kYBmviitomnBTtLqmNTwBwSc0AM9w7ZrwydLxFXyth4QR+/SRVpXxcsEyKHcFtJ5jU/RakwtFpNHN3ty2rc2d5vRWPn6tCxfIX1zmfQusDvLzlrQ4a1o2EwCTLgBWDD9xxN1X4892wasa1DIvhieE3lCe03FPUZCDfMyUIcdcaMNazA1wg7dB3++NX7TIb/ryL4LzS98DtoBYZrENhyngO3ADB20WFIZeNXj5BGwKZFCCUCHFvOB/RAYIojB8fB8abV3BKnh2ZSkFP3jrG+2fVIoJ7lW7wLXIXL/hMKwv/dVDVEsxzbuk5HYLpuwC8XTW5FfjaOczqXzJCSgVXnv+60U3il+N2+3H4Tkl86Xlxoc6/ECQMJP3VkIBtGazsxbAq/9cueZjKuglzQouVgZkRbFSKqv2XdoBH6xgH3xcxjQiSX65uDiDz3ffLP7k7+dDcKN9KfRegjbe6KaqVO7bzGiGPeZMREt2O1TuV+raUy4eU+JfGMtsnsTlAR/ZgS5+tUlGcX2PFpgEZm3vy97ey7tBdJXsvgON4cJ5cXDj78XILyzPJbmVKs/6MbOEfbuQWHT8nt17YYEF7jxj1JoZXdtttL3Vv5kFMzO5LMG/2kApThXJpDPFJfTJOz48J6NkNxm64pl5Lm+tzTeteAaFGW5p6L6S7dcDrMDe1Z2fSFFp6IUf9X00MsS2YL+e3yum5tZkXGn4deWkBgNde2F2uPkoFXONglhKK8cUQk9O3yS8UTAT1uvr6ftOlyCsCwot2w2DNrcJIW8bA/my4QUVWaN5KhcA5GYyTIadC5Kfjy8G5Oztuf33vf1Hnl/07jn0oVVLC25/54avuyPFZNAhTZ80Ns7ltNEfqQW7LqXQ7IszSJx2UQ4ZA/n9ssj7cHI3j/S4+dJM0kH7aVzSAY39KnquFz+/M2wTp66rR+8t4/awGSWzXNcbwHWXL3MErrW6NrRhakJdHpBTvk4aX94fyhsGiMN5fYq3YqlUGeFiqpjGMEmGfzbnJQ1jBSqVoR6Jty1U+PaZqt2qlChZQQ3UXNKMjGlu2b5aC6MGVxv7GIo6h7FmVGS5lVY09CpLpRCBtZ+411FCuDGp7zAYhqlRgMD5sTQTWirXYLmkgtgVrWFp/xiOxOGnBxU9AW+LK6Y053RZZkMgEZwFr5bqHaudAoOesAG/e7Vw9M13XUofOEQtKjnUsRgQWRn3hyJZ8QfYUinYuB4MQYs+Z7J78X4j5AtEUdf4OjlqI6tB3jW2zk/fnHXOCSEnRz3cb+G6HUv0wJzEe8HupohuNWozewD+OpFnGvOp1+7jPdGnR53A0NDq1rfuKlg6o4LrgkT9vKAsqYU+SpFj9tc6GNUyunq3HgxI7UznxvW8Ejv9+CaJYf7I+m46DbFrcpgIe0j7MeE+Om6u/JerxkL8W3VR+J5u3K0VCmlgESyLx/9L6LQ5rgxR1F1d+I6cfwFfFRfuTsOqwIi+R4S8Qs3Kp6082aqi2a7NbREL9Qwb3UgLBqHCrevhcDDvK969UNHu+ojHDbdvqRarqwZaCWKoMg3wDUgmsQu3o757W5pu3FC1kcvpxqQSUOJUJ/5ALcA54rK9T3oHFwwou6oQIee3od2D1uGm2dMIMeXMTO0Q5IZSoE1XVskMrclNq4IOSGPhuiZNJatbscMgeJ0H5yNqfw67ggdobt+uL/t85/OyMvGpCmfacp/QmR3aO6Di0OoLvxYt+xy6DuNOIuu5uqVKXA3IFVPK/ofDP7XuQPOefunQmLC5rfZEqyXs60UzVtFN5CQ6tMrCbhWoa9WtFStgNvHBikdJc6p9hA0X3HDvKwgzgI7g29OStNJGFv0hG1JNfflMLPycjKU02ihaJj/6vxrIQqcBlCZPcr5Q23YrwGsEdzBkR/HFdeJCqs6j70NQHNlB+Aku3vkvYhdD68i0Vru9eedSlhkh2yaDp1pd+L5uAGcaHbQsWwxphb4hYMzcMXYL7mhSg+/Vk/W/YscFthBEUs8ZC6ST/Ive0F6kVyJdYpmMDsrddK6T3kxmHSw/QDvcl7xoLoQuRR54VtDw0lnYCqYhoBIus3wwqo/ki58I24j19oguc24wx8iQqmw0aS+pMnGg8wlGEyroAIPawJUb1t8hIPLiuEPssg4FqDIYsdlKncXADWI6bSzDL3bQWVDiAh3DmFAln+ZWJ5hjR3rsSZM6A4pixQWMS2EilaCtSEUEuwWeY5XzQt6wJslD/8yqbIN8Z/t87CuXsY8sg13JZHrpQmitiMq4puOcZURLi/mUgsgcM3DkxiGXYx9/Ba5gx7wVM4qzUHHi6hLZRM+JO2clGb0iw739zd390RAD2yFg5c2c1CpOp0RcSKUDubvAacTu53edOSe+Q7PKWDkZ+F6kQalDdaDgJmZyN5y6YRJyljOqGdGMkXc/HWqys725bbdwa7S7nfTAn0xoynNu5skyfF2r0QpdxTbiJ+zoa+3QjbC+gzSVCjVnGa3K0o5d1iCuD1f7PqjwYpSMmbllTJBhGNK+u7nVJYrNrXtxtESZF2HKqp7rY2pNvIWR1VoHEPPLvrWUiku1WPGox211a5v9PF2C/sQtZvWQXJM98pcaOf8ZtN+kyXNCAUL7vkK+Hvq3Q6yFY8WOegKhwMyjV6OeLgdbO31oDQA8/hg9eGKC1r/wiWnYgk5RgsKS0IIkYhix+VNnqrcnrjkNYKntTT05Ol8bxJaONVU6wLuTOZUW8c7Q9z9eJfeCbg0nEBvecLLAasNFaiL7zBpQVgrIEi2ZvIY7lSU6k1rGUi8onS3v5Qlhw5etB39tYggTNnMTFiICcKDfQQGRofwVNz+Cotvt3tm9wQ2KLvrYmXgaffVAeQjv4G/mtONNQ1FUwqlh6FKSN9D316qMtE6gJ6iM4ThxTrpu+OncE5+UAe9H9wExbliqtUx5/aLVXW/q4OGFLhZqy31Zx+UALZgpv2EC65bFszrfTqmkkanMnfvAG/1qzI2iikeEg804rRTGi20x1agbF9DTh6kbnjI9AEWU5lrCZHM0AOqH9fW8jNw8PP19YCUXG0t5PSDm1upyygFzG/fXtBaH5qZy2nndBfqGiSwU9iDYZwVgqYuuWSmUhSJrWHwt2MwbGdOGnJxh4xU9gCsmPSDRmLdcsVClLpKpnxF+ARVjMZs9rcK1TRhb4wUaWTnx1zqWOR0fnvd0GqK8aJBWzxVzx6p8zPXyKt4v470y9hpjSuGOjKU9NxBpa7elyWevEMF4530FSsSVRba1l7kU4XvFyLWQt2JArvxhdT+hqsLrndBV0SORdvcaCHAcxMwvl3YXFTWG845+AdnLfnHk5Awvax01UU1uWZ47JhfW449fnQ7c5H9RLW9ipMzX6VRIbazkM1RkVAGN+e67YdhJ3uxv3t/ILSpUbAkk59OZ2QjIW+fZuhUyPUrf/uztf+rT7V/+883PO2/+sbE3O1H/ffZ7uv3b3/4Y/rWxFYE0luDlWDnyg3vp79m1UXQy4WnyQbzzZZ1ZRmqrev+DIB8Ccj6QvxAuxrIS2QdByF+IrEz0ibv+Z/jJUlD9qRJAuB/EB/HrjIl4zIKWpT2zIBi0v3WwwssZM4UU3EgFLS/wcn3QdwcRjxk4FxS90AQKAtjF33B2myAMd0zsUSMVKZniBTNMISANoBeDqQakAYH9L6g8brJ45DBpstL1jAG2G3QzkeqWqoxll5+T3Vs3jMKroshRGv3k/GSlkh+7AT2jV5vJKBklTc8vp4Iut0bqycHpATnz3OEULbcXD3bJ9vxkHYHrfoH9stdqJfPc8RGQV7krOevf0o7/0JxPheNgoPGcMvNTLm+Bw2n4y8UQh3FzOfWXDD5esG9N3YYETUSLxbop3+1VcjppAiPF9840yxzLzbANpuWkXv7c5FS4h2Pvni8BgR5JGBIag//99cEpktjv61ys/45fGIrX1VwTV/8sIQe5VQiiRAUEyN9xEjtxwtEVCH+721CAPoKqdbFsxUetrlhANBOZu4W3vBC3Lbhs94abyeh3wkRKS13lTqmySmIr9KZl4fzG2PWA/MoV0zOqrpO1gPKHokLsAhK3uiWdGUB6NzakESfUOd8Lh31EK1iikfvWWWy4mLuiQO5cziNjdZadTIS2x3hOJGSySgU05pRbXZdg8ceuvZyfIXT6Vz7hDbBLml4z8wgdt0+fdYN8kkbr3u3RaetferRa/2Nt/jj9tl+v3WwGPHqmvARVavX1S88oa5UUOQ/7mIDCOCA5MOx/0dQaaiG2JhiQ355hFBJiQpiwh3oZKDx3Z9VvdqQjoFEMWZbUF5G0S/wvnCc+hsTrsjWGczq3sr/KygExaTkgvLzZXedpUQ4IM2my9u1h3qQtxC8p99xFl749PyFvZMZy1FFv4xxxT9avLRYTi7ttxGDkhCg1Swek5AUg9NtDpwW6gc8/sxz9HiRouMN3o8DTzgn6Nv7uvqKeUchqu7InOHdp7nnJILQOxmo6Hd9hxsDhVbcFMyw1Az8+hvNgbOSDI643FXlnRVo5VzCjeKqbDQ9CPYYQJ+RreeKgkEIE2bpuqRBmEoogQLbttFL1vkuiKrE4AoiWE2OnS3z9qHZtUe+U1wNyy8Zg5nGmB9auVxVU0wipSBulgvXCuL7OkdeHa9v4B3+CrYLsho1BimaES+xcarAAOkNbrB6cvXGoCW23LmL6jNzWFPOi7vBaO7nhQ8b5hFARGocB1nGdOtCF9pGySBu6Vv7vwTeswo2KwTCKpwl54wJLfq9YhQOT44vXUJoWWtbp4OEqlUyZ1pGLIgwTiigrBnccUQ9Gjw/tssAe4WpncWbApxmR/kwnLvViJtFoq7MMwLkdhdKjwW7RAHUYAtu33A83/g8pmkntRhKMzeOTuc/x8J4sQs4xY4KqouE7quWJ8263DbhW7oS//cAUCmuZ35FC4QK4DJtKxf9gAZJF2TwuIAkoSZ5TKR5tnnVw+N3nVnRW/OdMtugs6M+ssMVL+JPrbZ1FWSa8LAeIY8PA5+Uk3CoEj9w9qyNGhgMV82BIO6nvmKhiECLnhIUf2XUaOHEXFwNy7C4tajF09Oa3Afnl3YC8ZlP7hLUj2xg9w66uOMzizfmeS2Y/l8x+PEi9G/pcMvu5ZPZzyezvr2R2u2J2U6jXFy5PaLj5/PnlW25+pj+v6eZGe7bdyOekwXeQ+N0bb90l/9mtN7+iP7P51ljDd2O/+VV9QQOOi1QWcUjFpxlwdWEAiqM2jbfEs6uO8QZGWxj1AePt6M1vC6Py0yKs6giqutxQvyBfTiuFNweHdwPQmH+ZqvhhnRzdRULYrDqIEx4Eb7yLTo7Ds8ObjWDsGcvLSZXHJa5rcTepY3rCtUO4CqCY1MjyuqIQZlrGzdGbEQ5CxvnekKDIWMYyp+VjxiXClbOJIawozbwnRPQSwunOf25sxHOzBvfDt1bA/7lZw3OzhudmDU8M/Oc0ayiVzKr0CasndrJr3Qx3SK4WiHpzOGzAp5niNF9uCLS33d1kzjJvqhZLa2oxc10p2vXuwAVPDSUQ+wDq4ETJohn9plx/rKgRcQitrkeal0wnfVVpfPC7uqrVvSsv3aFETabhPyX8ByQt/CHznEEhG/Qf2L/q8IKelL6G9VzXVYzyqZ4SqX+HgRcjuPN5QYVpeaR6z+/TtGz1mxIxxLpOR60rwbs+zqf9/QMZj/E4PqaDCcXTGRIUBHM0Cs6HNMRUFiUVXmuyaiA4TRvE2MpJjFMgdSgsaVVJSA6lSlExhcicCc8Ncy5dqOntlUSo9QDBuwIe9IpmAKNez2NKkX2FRgtNdZcszTT4eqI+pi2vrtWSr0G2QUydg5h6gHQvILzS04+vENBPprIlARcvs/mntAqeTYIWju42Cf7E9sD3wiGe2Bj4E1sC37wZEKe5+FJcjnufRV/dy7RrmX83zwYZrw3Nsb4UxtH6WT18J6ausAXno90WB4fyrw3CbRYSWMQ4NP8jHhVqBIShHSA4pgtprcfCNioqXG0/ooDznb3+n2zH3Z48us3/uOJ5drlcalw9cMmNvbtmTz1AUW/TxGU2OrIIfCZQRfgmqqQbMjxTWRTckPNfDjAUQWA8OYOEZz9ET/7+ZHvyku29yrLd0Xj4am9vPNpkbDgcjl/tvdrd3dt9+XI0TLMfHmB5If9/xtJrXS2LNx264TvI8isEvfOGqVBMrpvkujfe2nyV0Vd7r7bY1vbw1av0ZbZHs510/Cp9td20taPJl7Sio2YICWRDN7lAgPxtyUQom6PkVNECjOCcimll126kIykNV7EbiuWcjnO2wSYTnvI6eJzUoftN+wDRealT2bbtn/DyMIOtEVMyk7fxgqGsXNhRF0lXaabWIW5lQKa5HNO8gxf8um8hbBF7J6Omv/eEZXyQz9sLXxNzOU+Z0Eu76niNw7vK1Zja3cacP+zN3muEEh36eDmcQmCSGzE22ZQsyPnZ0X8TP91rrg2We6mZkdSaj3NWJ8TrMvsIyfBuSL2x1uUzByVNZywMvJkMl6jp9YqIaIqacmRTsVpeke4zamZR4Ry/b7xDUHHB60qrDSD9jUOW51RtTOXGKBltJq/aLWqgQla6LBT+IgsLMvoswmTk/bvX4brLazDQsoLrWiXhdSXRu4sEhqoo0vIyS0yLyhur2Cyw6kcVEPQU0+jq0pUjm5tbD3X5fcL6a84h2tUF4LrShSd5fTMmMSwEPy/ZwJe3NzPafKSggtZFnonLPvY5XftElcWAZOX1dEDGit0OiLBfTFkxIKKCr/9FVffMq7JYdBuXq4n5DW3OEreU2Uxexcp/U+8/Jr9A355P0fx/ReOInEllLOmT448srfDPF2fHa6Hc6jelVh+evW9MQwxVU2aCUw/qR3fU7N3thbXEhlN1KeFJ0NIMp2m4vbHvgG/pRqiBp3jOoKVA1wCHAmtyYsihVKVUzczPB5a5fO0xLDXrqpGPXOkZjcO1H1iZHXvJ5lNYWss+euSydpOt5NXucJiMXm6PdhZdHy/KZXbbrSuYgRFTQKEyLEF2duyqux8IDwVZX4cuJPAYieAi9hcXEeLzjydcTJkqFReGjLmgijNsAULoxDAFPa0sutAWDd3aU5mx9bhHBnHFObzZqrFot0zTSimrnaMSivn+6QxuNKDImVE0mL0APdb+erAi2u3tbTLhirE5NuEb53K6YWaKUbOuGHY42NgcjrY3hqMNo2h6zcV0vaC51TvWETnrdkIupsnMFHlXIA3T3b3hVrrNXm1ujuwfWUp3Xu1uUZpt7WbZZFHq8JXOL+EYLDvQ0iLyczjY+dnByelFcvzfx4uub7k34GFRfdfgj1zcSuDPHz4eHHtpC3+3L1tW7l99tPbUh3N7BSD66v6LxoU8f36K/mtCe5zDVWHdgdslaTcbzUH9Uz8c4dlGRIpRq51QhR9ulK789CV04p4YJog2dK59uzmcinCjWT4hVITdtasqObIZ+yDa3b4sHVxPILh1Sshi+sx0WfHtq6E9tEcSVVMoCKIHdtHQ6RnxaBdEx1rmlWG+mVLNCmeMsKC4RazsDbZYxXtcxEyppNWaII+AQzf8aM86PMl9XEdjb8zFhg7sfZ2s5+HPSgcFfZ2Mhon9v9FuB5GXkDP2OIuo5WpgYmqCbPLEYseGm+t5fzeFWgr5cElfjMWVPbQosJ/GVXrNDKGC5nPNNZGCzORtGLKw+lrYJHJrDebADaDzNVXxGSJvQIyEF1zP26jXBHf+JtQgdKVLnnJZ6brTdkdOPEKPzdil5lNBwfHMPnL9YGmssZQ5o6IP9z/iT3H7Fj6Bjo1uhricXRvoVaMq9kC78jshx+afSzuFDznCU6YMemx9H9KeAN6ItnwzulTNSyOnipYznmJ3KF0f53jUG5rzLM69gyZ1lTZ+PquV3DBSibrEh2t54V+tX/HZpvX4YdhbqkklwAvOenqYHb979/bd5fvTi3fvzy+Ojy7fvX178albVkHm1bIy1s5x+IZwhutnqEStntROaq0MkLyQ6/aes7R6bqRi2tXzqje6Z/Os+srjWOy/2x1H3aF+/a73PMuxegpUarHKMRVZs0uba9+PbhpIImtUkxnPocSwxvB04Ewsn+NtCjrYkEo7BPVZpx4o+zPR3M+zIDqKTzk2R464F17NWM1uSrnQpiFiwV6ZE9e+umkxdM8mbezFAwfvsXgqCiqyywWbpH2dAISeJpAObmzLBqQE8tI1yHIysx1f4rWeMFfcSrLWepCoaZ7X0rbd4K8jhj9dL2roQ2QdinSrlt6zSKkJCNZbYi3yuwPf2lo+at/NHElkKijeXC/TOp8JowLhug+LGOo4XLUWZBNyCzktjYr9cNMAmeUeEIywgcPz/v3J0cCaRYUU3rohP78/OdKDWD7SqM56YY+fXWo+DyXPsVR1KDIFt87dVR9KoY2qUoOdqtFoyOduuBhzkKRjSVgKUirLBFO40yy44dNYyJ6dHBHFKs0apd3rWuy+itsEuv/g8qCPhbUhB4RaUaXbMZXEpwdb7Eltephtuplu7+xkryavXm293Fn4Trw+Q98sL1k8mOmgZSPFtN6wke45zy3scPMJ7e27Qb52IFRRmrZLXRIBS/kza4hEBdV6q6dG3bvGVt12Qi1El9eT+fOOXVCwVHPsRLD/Ay7ccys6cl3/FyAiexSTIttZEiN7c7SDU3Qn1TM6WtKs578cjO6ZdnNnd3kTb+7s3jP1zmhzeVPvjDZ7pv5Ooh1XvUDBONWGhgBdm0nqInYwhMVZGIpoXvC87x6xzTFKquyxffYbfabfaBFPcI3qZ8/Sl/QsOcT/eR1M/Qt49jN9+36mO3bu+3E39S/w2eu0LK9TP76fnU8PoevZB/Vd+KDcfj67op5dUV/dFeVp8dv3SC3H6fQYFD27pRbH1hf1Tj0SrC/nv3o8YF/Qw/V44L6gD2xx4L5pL9kXcoQtjq2SJd9BuHi9mH+TwPF6wd9vCHm9xu89mLxe6XNY+XNY+SJ08t0HmIeV/juGmnfxMF3IK/CoJMaT2ph164Uo7OhOi+mGGTVmdnxrvD5WJSvb0N/XDnaB9MsQz94tF7O5vflY4DrQPUWCqB3aY26VlP2gjh4JKphjC8B6Z8L6jGG1jnhbnfOte5uzORztrg931je3LoZ7+8Od/a3tZG9n67fH+imBl2aLVeh+FJYvYGBycvQUZOCgXCIrdeD2VmfC2dcXrhvugebmz+KhCcYOwNzyXVhahO8H6L5D6yeUSaY6UCtmHh9SgSVqxoxkfAL55mY/DBkVYyaUjJW81VCp0gAL5sYB4f1E0HmSThkBFUOYHFpii8hRv+h+VKWF/HF03rR7WSpF1uS7oR9nVXbrEm1tPlbLvJXKajCX2EZbqie0lZZJP5ZMHOgkgN4OFWijZ2MmC7ZBc56yhbH0fRjE/z6W8HdtAv8b2L7PRi95NnrvJ5Dv3tr9tzdzv0X7NgD35a3XMPXXtk1DFaVvyPIMGuVXtCtbMHwLVmMA6Zu2CT8hTPzPZzB6/Hw9c9BD8Ocx9hYnjCewBOu6eFOujcOKK+bxLv7u7moeP2E1Dqy+Acqgr+TlB/Al16XQi9fugkpfUE9uWerwW6dMYdU6cqu4MczVChlTzXa3CROpzKAMcticn6QKC1TdBdbVgM+Z+bvVQY8/QijeOzb9W8XU3H03aIafQj0QXSKNyzqSDDoDY3TZVV5e2u+ukhB/LX0zu3FlvN5SjzlmxqveN0zRMc+5mQMsdWxMHalpT/67458vfzw5PXj3D1w5y7wa3VFqf/vbj9XB4fDg73/78eLg4OAAPuP//rqosgNbjNLnoUj9T+t6hgGqWJnUbi/Uu4b5XF+TelvPAiKoJpZHQlpL35uwL26PPAEkQBYaOqiGId3zgUhgSvLCIvn8twEg+/i/zw5Ojy7Pf1tDeoijlgIM3NSWlxTMV+bGKdnvFRMptpZzEwIB29HfvH99cQJzwdh+uDwn4xrKG6qg8i3JIecEhxUVtP+GtdYUbcc8+vXtuyMk6OOfL/9mPzVAj6gvIq6QAJCxlBc0J4q53Ak0CF+wZEquVkYrVz0xVqv/XDnc/6AM/aBYdmlM+WHMxYdiTssyYR/Zyv8s7JwEgltSM55zQ0VGVdbcbxSojov4iGndXiGSxKKrmPGbZSzgYDxW7AZ7s4BV5F1wdr6OGPnlv16/WRTgazZfAry/8Bu2jkWUbly4o5zYkboy7/ztTxe/Hrw7/lBbbJ6Fn158OETd5e/o8/lwUliF5iceKlBaAsW2ofrDLRcWUEt3C5t0nVK5T7J8iCC3Y8cB4narBnY4OKHAu/s27sNnIyQc8x7EfDhi42paV0l9uKRpBOdToug0su1hDi/ju31IF4K4VpaAqzV1pfqrewufhWQ9zYwV4QWjwoAHjaZWQFPDSMlvJAZeK1mJjFBScpbapXj4oAqq+wCx/PCAxk6tdTqXc9JpqyRDIoyYkzKn9klsnnR8eO5CaMlFDIIbGt1f0D0MeUExwOZLtXSSE0gygClQV3CykatIqantS1w8F+TKYTG5Cis5sAwyVcyEgHmLobiDq/f/ee8j1PieSW0GoUnXwEff1xRhXLTwgKQ5Z8IMiH8U+qdjA93E9zPLLnmZkJMJdqAqS+byKE7OPN82soael1cDLECHlYKFQxpgjLq+qSdnxCh+w2mezwdESFJQUM3ieuHcwGQUvJzjeZ26GU21P3q1mQyTzWS0c/WIsnFL9Ckf5DnKCKpnTCMZSGERojxhOc0K81c8+UOj1pqLVBrNS8gurfHnRg2F/rggmpvKeYaxRvhcVqvKkoKuFIOkitrecoARmk+l4mZWWHp6gblfTLGJhDcsQVmWCUIvALC2cGwH5B0sEb92fDuTrv3m9qsoCaMf8cftLrzR8ygyGPnpb0enekAyWVCOPbnsGZPqWpu6TZeGNvTQ976u7v3ohs29OOlv2mxX7fj2yVnv4preBb207o6eviGfCTfhLmgeFhuV2wwvM/znewSGfcbXuwzdkaMcPnD0uKwZTOYR87p5Y2iQSKfWDrIAuAxGn1ZEaM6UiShLSKy4DQurDSRf4dxOEaU4udHwOsar+2gZRYA7Ytv3rNYDlRVcwzWb1YuVzEP7JD3wj1rAgNhPjs43Ts7O6x9CH+kBuWVjP2SJKZ7YvDA8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjLw4Pnq35toihdQqZtLH1OmszKzdnPLpGr5Dd4q4WSAcz1KzKpNiHhq+IBBwcuEvyzAlSRWjJuqYE/bKU1agDGDWDfruVFQ4N1Stv64X8HC1MGwyv6y7+IO6iz3SAGp9bihcosvTc70pUfB4JASsWOFTk4fP9+tFBjkwhhWltZpOItXrNaPXC5ulS7+2vwDTu3NjDxvvNtzjoX+RP+YyvSaK/V4xbUDFK6txzlNydHqOWXq/XFycnZMNcvH6HJJHZSpzvbCsWFaq5wGu8eQIGRXXPoPxlpuZq+ILLXyQdyKjjJTJ2vHiGWQv4TyKYEbDhcMdl9srJ7aP8jva5tzNGwJqMG/O2jI0Y/e0LnGNbXxDmwWWv9TbJNa4+4V1gg/PZ8Evdi5evz38r8uj0/NLewguL16fL7q2ZXeiWX3X6D5jpLWi7q/5Ee912N1eeRB+tWi0w1sVHaWq84xif+bVVU0ymVZ17nRzNrCz7MlcXa3pSUhTU9HAWgVpdGlFSc7FNawHgzl8uz+4h0IUjL2xUYs51xQG1J2ui9FHgzCR3PJrXrKMU2jUZD9tfNL2Wl2LLSuM4bRFuZqZASllztP5AHUT1AnwhttLXWs/wcl+lPTHpNuC1W3NY8+a83penjmWf/kT6lmL4qmqvhHeDw4ZqUJsRMARiARdywS0hiJhwJleSBw0GWZXLIyGQ/z/i+JuucFwF1FD3Q2i2A3XbdVhzOyqgXbA3eHqSXWXljywphBdARiOjaTz+pt7zKQD95zdZN/Knmp3RQMeKPubIDSYD6kUwm3PJKjqaPQQxaZUgT9VMzBQ9CB6Hvd/zPHGFfnpJJe3cNGmstpm+kkqcnF45kYdIL0FMBG2lPGbOi6HC244zcn5P06h4xQzL/Sa+9ENagesYcHbGqTFoHS1Z3IMMp938PFDzQU8XiD8jrrBwbXoLCFCU1NhDQjXRtMwVZCVMN6K5R8g1aJhPRSiBbhOgL7cz85OdMyb+c6qtbBwI7petdSVpdCtKeJ1OB/IeWMCtKBhFW7EqFINmKH/qgQSBdxYobvQvd03WI1aIU1nyAmwYLuNGOPYNqoPcfgNv4TmpRj6vWiWEc0KKgxP8f7oI8hYKgj7iAGQgwZT59g/f1Ll9rEbbpfL/2D1lbJdKFPQcqN2pnmHpwpzTKzp7McUyEK9IEGPp7ur1IbnOWHof8MqNth401rVkfcVEDbhUatJWpZKlopTw/L5Y8xrdAcvS3ECqkfR5zYm+J9hDYHBFGM+rWSl8zlSM7wTuDxctOqQwZ5zDb2MT84GhHqHG/iIK8E/Ei0tnSSE/KPGLM1v6Vyjx70psumth8nT/VXivrhClDV1NGG1qPpuOat8JSzwZSe8vLKgXCUI1tWAZKxk4LYn0ukMRIrIlWjFaSvGh+pEVFZJWGBf7grzcYV5cBxCc+ikXLdRoZWRQhay0r53P+C9/joA6NuH40AvDs5P1zqlcCBEmaaz2teEqMQYUdYjoXdGu6/aa44dMd92yYXFA4veRmvqD7j7Wcppzsjr14cNfPTE6ywSIxq/1qzCCJE5UL4FuvRE/N6RBLLo7lbtNbtYI2E/ANknXfsjNDh+0y09ZTJJuZkvqxDgITfz/t15I4VRrNXoF8CRwnDBxNKKE542ihK6yTrwnUplZuQAYkxoD5CVMGp+ybXsKSv0NKjDKcjJ+VvIQfj/2Hv3p0Zy5EH89+9fofBEfLvZswvbmFdfzG3QQO/w2X5tQ898bmc2jKpKtjWUJU9JhZu5uP/9QqlHqR4G27iAZuiY2MV2lZSZSqUyla8KhMdHC8FqajUNSLULeowZjquUso3m7wBnTPgQjPO6ed9zNqYyi/V5nWAJH6qhyP8HtRLOWm9QZ38n2OsNDna6bdRKsGy9QYPdYLe7e9g7QP/3VQXIBi9xXn0VJO3Y87h0wYldH/42wvrKQWthfITGKWZZglO//KickBsUQfU1pXYWiqGZc1MWL41oqjWqiDDtWoAkgoTrAKqQpHnhKqva5ieUBi9Bs8mNoOoPfbHYRpHd1n542kcuFZ3Ug1oDB4VVHXxTOCDHhFtsq7cbIReSs04cVdYmJWPKWZM77QvMcNtG6/zreBFcDW01A1PtTvtXRkJSJFTZkVmBod6JmcctuNbP+qx4ffb5eqD0rbPP13tbxTNjiqMGEP5wdFwPS7msugzu4bV9daFsR2NNQXqJr/2HWDHtx6MLZ1SbUmvUqFv5RuRoltJrLAk6+fDvLU+RLW4AMNESjmMU4gSzCLag5/XjKUp5pnZmSVNVeM74UmkcK6VL+ASApLmnSwJtlq6gqlW6RBO5nmJWyuupLMM9c4oM2RexuA7OJCmJh3Uq4Qa7kEPg5HhChPQmtTTSc7cBkdmMxA7kLLSapFvyd3lKRtsLOobhjBk54ilqjTgPzHNBxKctRAVq+V+UC3hr56gJpYqJLqsIRdZIRIUylEzbTDBdE3plkpa0409koxH95kaEZ15PpJy92d7Wj+gnlIG0FaALHcwkubb6v9Gpu2UOb5Cg01lygyS+ytdVm7oJFhLJOUcJDkkitFXNuIQgFV1GVGF/8f5EuDjlVsSD7KpVPQg9ahS4QvLZEDjgAZiCjEYEykerWY1GYpbxNbl4f7LV1q6OK8bnzN5xFcBChvZte40INJrhnPO9cJ6gyj/led2wXvKPIhEw0PfNOMA0i3gmX4nluAe+L/BNJkgaNMsyvkGV5/i4kCTPN4P4aJHUwAy9Pzn6rI6DI43xiRvK55VXVezIFNOkIeSU9o5gAqudVOO6glGWJBvOdH60exWF8CuBFEowHdgHtzjMk5CkEp1SJiQxLFagDVyTPhoDak9Z4xyokWzMS7i4FrjxBBpHIVwobtsItRpG1XA2aO36K6EnqwLRZPkIQymQOxBWK7nXdtsPKdCxz1pAMYQZZzdT+qcXdaZJ6D5+1X1E6AhdAhbQbjs1HxR2l65LeMTZSK9VOYyBQQOc3A+DbH2KOqa6M5N9M6xkVgumrAKxOfP20STa+UQp3MyU4034mLIq0p5IwyDSqqRIedJYoqfrUAUMCTPZCyHIxDfw1nvlX/3auqIhZniI4yllrTZqpURZLZSNh2rAO9PPfN+2Lb/kObftV7e3y7dvV1yl0v9Nh3uCQZZHcMVYYgPhHAsU8SQhEVQbMN8Wmuq7hvojymK9qdwWT/hYmL3tKvXbuSHfSEcLrODJI7MJmZIUJw02ezi1c1Q2JhUO/Nd0BLmVum3UVqXXUQzbBAxv7XQVtiFBSqB6g9DdHi7NgCDCYk6E0jurquQBHox2u91RgRiNyKSaXhcugoMxHeOgIdahWDk3UQHlT1IqPMHNRzqLiPGYmAvPAsq5j9GVIACGAQU8JtUmUi4ZudKowgfGpDxP8RURiEo040LQUNchcPyZmxSKTxVDTolMaaR5FjJnS1xbzMVRG0ZZUTTKEpwCvG5IMqXSNmYpx8B95NI4vqlOGmLE9EkjJH9B6H1ZAAMi23mB7HnEqedi17HrWhXBEl2q98y5qI5J+KioD4oirmmrE+/sk10SjkgXk71ocLjfj0NyOOr29ge4t7ezH4YH/cH+aK/Ajw3dvhY0SstsOjLBk05ArVKgIat5EZo5mJ0J8h0yrgy/4CThc738MRUypWHmx76bMUwSQ5pBWodtMKLTeoo6jr59sfEiQmLIvIZrvXyHMOcm8MA/099GWAAGp8o6pZFJdSrsIqvuQIEro/To+7RMSOdcR55x/5ZgKeoG0SayOZagS8vMlYdwj6qFvMwVM52eN1IbA8jt97ipuVDx8eiY7VZkIh6TRl1AlpuwYwmYsiRnPE6Qc65lkWMlNYJ92UpFq/ar32CbeiGxfukUyJeGMASdT9b2FsGi7sRi7sEJbWceN6g5ThxkNnfQjrYcL5VEsgdClaNKAKhn9Zp78ZFFRjU8GCgQ1PQ2B6+wkzkR7NWrXL+EAm7GHxyRmdTIudk0xEBiq0YaIE3GlV9qLtdjOexoysYZFRO3avmmhC2tzguUzQpHvTnnuFCgIt9cMAU0DF0YEfZ63omEfPiSFCpyTS5gLPdsoY6WCo7GBqkpZjqoTpAaNcHO1+maf72ihBZeru5GfdE6AVyPX8K1aMc0VEwBVF4bs73yOQEvlgoUamO+Rp8t6AnuhPYUc4uJN8mpXaCzkR6Ep24MnJISdOUdukD0zq3mdFmQqpd3SN3CctRGBG9mRX4ulsS0C+LCCgu2RXVVchksOUo4v1ImGDa5hETqlosl28Krwumke5UaO0E/GPh2FkQfFsys/JtbrCz91N2xqDa8UXdOA0/YdlElLI7kBZ3eEW7q+wpNzOmTDIo04Z0vQZEvQZEvQZFPJChS70lbOiwXJI8YGalBeomMfImM3AxIL5GRy9PsJTLyJTLye4qM1GfF04iMBFgajow0CN8REYgTE0aXb0XuggVrowK9DDskUwwWFBs/+SjJheQI7kmPJxglubym9oChkjU8/+ihkr7++BIq+RIq+RIq+RIq+RIq+RIq+RIq+RIq+RIq+RIq+RIq+VxDJXX/NXjWuPAu8m8Wu/BaphWJ2mwJFoKObmzsFYYizlDqFEcR19V9oIaYngtJ/I0zPr35zUD4m1NyFMIfzi6+nKKji4v///if0OBrlOIpgbLRv7FC/CQUOeEpELAAST6wgQMsQuwq3dLU1VTVJu/ZyXkbffzHu1/aUH10y4ZlYBTx6VTJWgNykA8N3m9AKJA4kjQK/gYQuSrjft1YZXMZ7dZVCDMLrMfIx9UQ/dai0xmO5G+traAwFYkmsJ+Dv/lkqEwKLrN80CvKwJoDZRVHE6jQ5Up0wtWg1N5kPU8bFiyK+HSWUKHDpsYcJxq6fNzfWl6JV6aEHx9Z97ECXTdjW8an6lb5AY4pw4duyry1YpbqXom2tKm+j7Z8VdDk9aLD725RXLwn7EVHzQC9c1OZsWjhzhxZs8U1xINgMihqxsauQC4iysbRnVMkomyszHglLPS9CpEpFzNtPCQesHg81ujZmkglYeLvuKIBqvm6MSWnpRib6msGTc0CT1ri/W9T8j0TBOGKfPjNIfqbGaVdMBnRa/ItcFUHsZQ4ugqmVKYEqg7qV8T2xVG3O+huo61WmTz6lzrCNKhVtQr8aqNzliWST5OKPL0/kao00sKqjkZN194EHnKTQPnpJ0Qpf/gq1ZYdpUhXdwI8yL50ou2+W9MOtBo57Vti+6I3ODysYT34fgGFnomB3ipEZK+8Iv4y+Nzd1IqcWpXgxKkEfvZNdZkeSUYsTUifgFUu3xQh15UV5XF85d6UFbSavampu0qDQQxVxv0ymAUdfMSjTNjbiLxmry2QiagUJBmBlkShIRcU8UxuEL7mFPoVdGIykxNX0DRXoTQI34Ld7qEZNSKp1KqTbiC8QovDiM4mjXWuONfN4CiLQa0z1Wn1lJq54ix1X5uAX4+kFZH2/nx4enzy0+nwy/nR8Jezi5+GR6fnw17/YHj89nh4/tNRf3fvdvPOw1wXB/Fo1xAVPp9+6NhWhkJiFndwwhkprBqHUH7XGcDABvf3jvvBNNExnNNM10HtkG9Rkgl6DRLwsorSMJpgyi6RoCwy1/B+pyuknRc648yV2EyoqFrWH87OgmDpxiuLIGn6zsCntTd5JRa/QP3c2JhA7OfitVhrDfLwarsKWBqnTDFVbURTIQtsYfNuJi58raYDRmFlOust1ASLSTCNdxtan+OCgMrb9Oclqz+c7KKYguHGR+jk9ItbxmI8OaT/LbFz3ukcDkGFJCwyLi7TuChvzd/2LFfnKcsXRV9X5g05s9mMpJDzAvQqb5Huu/294/13/ePd3bfvTvZPDk4P3h68G7x99/Zd9/jw9HidNRET3Hu0RTn/6aj33a/K4enO4c7J4U5v5+Dg4OCkf3DQ39s77p8c9nb7vcFJ76R3fHz6tn+05urkJ86jrE9/d69+hRwNvQyG+69QPqpeqc3sm72D/Xd7e3tH3d3B6bve/lH34LT/rt/b658evR0cvz3unvT3dk97J/sH+7tvT/cHb9/tHO/3+sdHh/2To3dLt/IwOFIhssZUnpM8I8z2MOUjJLLwdxI5h7+GwH4CTa72PDKluCurVCbg8ccfTToQ+sK5RMdHbfTp649nbJRiIdMsgqvPC4KnbXRy/KNz850c/2hjK5Yn3+94p6lT3PipII05TwXQ85ocV6VST/hcx4POSKpYTbHY+fn77VzNRmiCWSwm+Krqpo0HZDfsHcR74e5utN/r7/cPDnf6/V50uBfi/mBVbmJcDvFILsVQcb64RabBkmxf0CnxVWXo+2yqvxd0AoEYhzArYrZqrDayvzNpXHWM9Lv9Xqer/rvodt/Af0G32/330o2LPXxDSDN9QISNZrQ0sr3D/e4mkNWl8jYcz1Bq7ic4inCSKGHJ0PnHMyNTJUmSQnMBnexjGzEqE7TaR8VQjwqEdUcw42IyNhWSPEC/KDJ7Yls9XOh0U2qiPSaK8jNqcpL8aEGTlVSh/3w+D0yCYBDxVWmuZeVjyueKRM4lsSPLnRJ5emM7vX76+uNJoQHRhiSxyGbanTLUJnXjHlkzTb3uULDl9TcTkiR8od2ywJrv7+4N/3H8QVnzOweDmqdPj0+WeP5VEASrbvdvu93DACcQ5ivpNYGN3xRV31Ots1ne8+bVCQbo9fnRx61Ae+gkNO6/xumNonqdsqA7LFKp+277zAtukjCTxmmrQ7QhPKPY1/jk4znyMUa6T+2cJnGE01hs6WbFhRAwUnWbvfqbt/nXWgKtHwUa3Calr10D480GcfD6+CP0u1FAQMN8j5KOxhWkrf6lVHL0Ex1P0JEQWYqVwW/q8x+vamIUaQEJSI3TQac5vT7egoQQUUbz69LNx2pwiH3Z2+Sy1gj51yfrrOrxj1/P2+iT067PWATiHA64PPS27WvgNRzg9tMmOAESk/LUqKZYwU5jZdH7rTJxPihmUVLkZ0rm90DIT9RtGCl/KoFef7rHRj9j0YZwxskwY7QphacOdZwgNaOiwNc1SFDi/nuQAYp7DHk6hPiO5hxd7qzVxURSZOdzJ+1FG51DtMjnCp8f44SOeMooXgfTTdiHYClh6RXUW8IgXGAb9bv9bqe73+ntoe7Om97um53D/wEG0rrI3dsYvBO7svW3ELPeYad7AJj13gy6b/q762OmUxuGV+Rm6Dr3N2YCmvHrOmC6PIwrUt2IX87XOkg83KIsvW5q011op941KTa9ThL1QGR+yrFDjs5Vv5f7yRVmqdCCUSFnu/2lG1cuIAj5NuMsz+5bp1bGqRnCLWdMUnpdWUznUFoCub3d3Z19S3wWk2/loIj1kBX0z2UWfxGiUBOU/unCsby1FDMcgfsqpDWBdf3u4GAd0AVJKU6GS1czuUdUuJ7K1imB4yq3d2tPyfLVee7FsGnm+X1LMptglkGFhXaxAkx+dT6ncsLBaEuUsqIsL3eP7oaOJjjFEaSNlom8u/vu7dvD4/2T07fvuocH3cOTXv/4+GgtieE6UjcuDM+KiR0+qfO22J6k+AU6mPLplCj6CD+tTB/tI55BjAX6B0fvMRuj4/RmJjlKaJji9CZA54S4IJIxlZMsVErN9pgnmI23x3w7THi4Pea9oDfYFmm0HcEA24ow8D/BmP/wfmdnv/N+Z3en2p0YfDSdNUW1uRx4HFNYOFvYglFGTkxwSuJgnPAQJ04nzLvIrInrY5i6m7F0LQ5PwdQtiyp70aRLWSywdc8vfsz13TZ6/+M5ZuidsmKpiLhnC7eVBRSA5dsIFzwZM7dAgPtg9Nh27qJNXFjQTSH4BIzaEr5rofQXMFBNfECzWpVXuVFNatScCivuLI1Ag3bLgqjF3JJxGadQHFc7RdrafYlnUMCvLj1YkGjW391Ll7ZQiJA4TECwL4FpyHlCMKtD6K3+CY0SXECLjmx0KmJkzCXV3qk5huz6iAgxyhKleDqVCjqzU/WUCYJliDDQh9TnjDGSLL3dGPkmhzYe9kGX0gXhhgS+ArhJHKDPRC+sDm5BXq0FKD949PHIVPNQeoPVGefzeUAxwxB0jIXSUqeESbEtE9EBTBTnKxw6etyFPwTfJnKa/ICTGetYGDs0FlulgChdT8UzGhI+h+QsUeU6BeV2L1ia6VIismmjDEdFKXIaGM7MCxmJDltoMK8VnDKXLs1mpgPfkwzzNbCtGuZbRemxwnwXQdIQiZsM8/XXYq01eNJhvgbcZxPma1frew7z9dfkeYT5PuaqbDrMt7Q6zyTMd8kVykf9DsN8DY6NhvmerxTQWwnkzY8Krz/wgwf0msl/xzuNRY7VR/TqiTcW0btzOBgMejjc293fHZB+v7sf9kgvHOzuhzt7g168Ij025bEVEk9nlQBXE835FCJ6PXw34sRdBeEHj+g1yDYbXXq+dBxpSSDXCIBKjFFjAuAl7PHxwh79Jfirhz3W0uI7C3usweEp+IK+s7DHGio+GX/QWmGPNQg9tjuo8bDHO3B+Ah6iBwl7rCHDM/Uq+Zg+u7DHMnLPJ+zRx+y5hT0uwO2vG/a4gCDPM+xxAbLfQ9ijD/pL2OMDhj0WCP8S9vhwYY8Fwj/zsMd6XL+vsMc6HJ6Cqfv9hD3WUfDJmLlrhT3WYfTYdu5Gwx7vQvAJGLWrhj3WofQXMFC/y7DH2t7amysFrlWzQm8i61ae4VTYXuLqe57SMVXMp4PRahw2QX/pS3C7Fg1HA35U1E/onyTWEXPgqnbBgHCI+GjehaItIroQQVdtNMWR1dBsxVHvq8VVR9Upl9Iwg+hK/QYENwmlPM+4EDRMiI7DxMnNn8S6T7GOP0p5Nla6tIESoymNUm67puM0mlBJIqNaJkpZ5Iyga0rmnpXmat0bQ8ADHHmtA1BK/siIkAJ1ciahjELjjzkJ7e821mmUciY7Snst9rnvKHT+yEhKiUBTHDs8dJXhWUJQiKMr/80Vqp2KGWbNlYd+tbCjiJrX9k6AzxHXlcuV4FYk9Tv7H+nHU2KchRBbwWckNeG5tgUDBONiCKFsu04R2BFacjciZjq0wxCsrdubx1jiUG0BRe6bmqb2o9EhPjg86IX7URTvLi1lNT6PQOUqIeEbzRMiZyDTj0N3OsuJaKIHQ6IMfyT5mCiigYHrhsw7JJn2JIbYE8ziRO8QNw00heyYOFfisWuF0oNwdNgf7ezu74c7gxjv4Z2IHPYP4y7pksH+zl6ZvBbiRyKynX4FjvbfMm3wbLtF1/YX2kBMCRZZau4BgM0d0yoWz1m6yOrmOZJWidvtjrp7+xh3Q3zY7Yf7nmDO0sQXyl+/vL9DIH/98t4WeDYdKZApwqTNdiUqidFkcAqy7+uX90I7kM2T9tBQNAhTAq3wUMznTDEMRyKakClpu56TMywn5n2ObNzzMrKu2T5jJ7oLmG0elCa5CGoVy3/5/QjPGBJ8SiBUXS2goucU3+ga5Cah4OyzwnZbkVDRVTcxS27a7mYIlxshMmiceGaqmqmxdedEr8fvHC6axtz2PL00pcs05apMU1PBzKVl2Mj9pkh7MTFVxG28gjBhw0p02clrNDGzGxxZsjQptIKsDEEFgrAIQSSiaueaCPG2WkXGpRKU6Q2UhZ/Afiu+Xxo8IRg6Gs1ISnmMppmQMEioJGGUZDGJa7pb6stBeDgkqDVj41Z+g6hebwXqu+oKzYwS4vXJGU+Xu8Fea1U+81QaVd5wPAL/lmanHy49/pd81ioR5/KHS+2wKnb+tECXep6NsmSDOvCjtWc4G+neiUoEQjcmOlVb2nRkuuEZFIHPN+yNdyEsJPejwihDl4qf1XiXkGsFCg1seL1XqIAbUaajo0isrUlQoKzOCee+G9LvN1zTT6AoAd4MBjvbgiid+e9//Gi+159/kHxWWD27IZ/BCr76yqY8Vud/nMsZYH2BBCGsQFlHUTfNRy5NHgRliBGpT3jOqOTKotISgIdwcsfuMAiJEjWGcWCtU4KFzwoYktNQwsemrb96FVokSMLQ7xk0cc5D7UB2qXO03BnXcY5rE+Zec8NiMLbmWDhA24VznnFZFU5rMZEabcHPBf6aYSE8rtl4HpMZvmTYBSUYZFONKz9jOSnN7clWQ6BWCZwGesT7vckrcAwGVZfHYLBTAArMqiaVBJjAMLH+NSRaV9C/mDzBOhx8PbpVYrbK2fV3OLsg/yn274D8WQIl7bVC57QWxtW7sEPTXPbouA0PdngVntHdadV8YSbdU21vMo2sVlPciLp9NUNkOpM5PAC6fvLSvG2ayTkHNYXkCCYplgSFRM4JKaZ8yjnXumrpgH7svvRKBL80pX9STem13dYUH5zD6IvFIhw4rdLRq0MVLt/Uqp4a3gVHV/HC4aXdPnppt79eu/0GXcBfzfA1eooPQeGCx35efMMDXAhXe+aexx6sxe7VIc+ka5tsVFxoD0ausbMxzF2D6VRsvjSdxBR/TPA1gSt3Ai55nnpXlEymlAhzqtoe3mjKoW8u1jf1NLamsr2MwgxhyJE2Sjec2MK7pp+ahXv8C6TFjep1I/IG+9RDJkeDXFlMFQkqpv2GAyMezTpUuL4S2lRT07URHeW9BCr68RE0E0enlAlJDGNZOHWD/MfiOJi9UZbT+DV2XV+9rXc1agA104dQ90veniVY6pb+VRAbFNg+/fVkhfm9vOOmvBlWjk50T4xU91IsSPYRuMa0CGIIM85upvRP7yZKE859/CrIKEsU419CZ3waXyrW0B8UYpcu6yzibKRXCCfF04TF6jxgPN+XxkopcVGZf6I8An2TvGOvOIVNTHQleyrMsS4EjyazzifKrNd6Q4oSPvacGKImEROD0CoafzxpLDvSVTjR3kU1E8Ja05A03z5GpSjB+urX1hUNMcNDHE8pa7VRSzdcp2w8VAO2/nNHSIavOA3x2F6XeuoTyr9dQonSY1hVikH8BeRhTom+RsAoTPnc86S6rXUxITfmQk9M+BwpAc0gksAGMCR8LNRQSgF2dxImgCNzoNr7gBX0HqKGfyhJaGYrryX9POGM3LH7GgEoJ101qBePcEoLQD35y+6SrPP4Y1jgjzKuH/ifNEnw9m7QRa/1avxPdPz5q1kZ9Okc9frDnjbgPuBIffHfW+hoNkvILyT8J5Xbe93doBf0dh14r//508WH9239zj9IdMW3bIjYdq8fdNEHHtKEbPd2T3uDA0Pu7b3uwNTvckQXwQhPadLU7eKnc6THR6+t3ZeSeIJlG8UkpJi10SglJBRxG80pi/lcbFX7rMGTFbifh2vrkw7HYWOjU1n9FywuW7fFlWRJIdRa64UVPtOs84H/jq9JmVpXJGWkKVOlgoOezYGtQyzwfNEOGQSDoNvp9fodSNyiURn6Z2LmLFhrG47grfSixf3vMmWsBv5QK2vnM/s5Ikxy0UZZmDGZ3baHcTqnlT3cbBRqBfhl+bHXDXplSdksqF547x0np5Lunn51nRjJaDSrn98ffVxGp1LPWW0Kp7knwyjvN+ig2w96fyCJx68FRINjNMPRFZH2pggLfcWHBaJsDLExUNxC/wnjYyF4RE0QvRqCWdcn2ERgNCmsXYAhdhl8ZjIt8fI27ua5j9oDHCjs67BIScTTWA1H2Tgx2Eo8hnhFcBVnEHABRSXt4k10AIEC9I8OZZ0/EGERnolMQynaxqSrgwwVvLryZkYjpZ+aoc2lGgT1Yee+FoQJnqLXJBgH6N+EXLXRLzQlYoLTqy3wzdJrktwgp3mD8Z3iESQ4lihBGSPpwlXVQyD9kEEuX2CBXtvrQjOq+a2I/9YCJG9HT+Nnxl0Vy1vQK/SWhOAj649T1nYcU8NZFp4CryhG18WFiCWHxOMxyAIz5KfQVv/ymNtyb+BzuanxWsN/9nEzpONt32SHykZuV5iAUmvox1REKYGLhfIOM2MCBN54i9ZlRFMyx0ki2igF5hdtbbbiGIU4wSwiqVjBtGnsAgoQOjvRmqJuSmnTRh31q/L6dmP0QSyfTzOTRAMYwL3AKjjwTAoa35GQ7KR+ljCS4pC6BC8r/is/LD4H1DFQGGgJRwWumRpVvBa2oHN+t7AMS6ndOObNBjpAJSc+sgqBkud+8gIgIit0weDBchnCcKUgiA0xsipRx+3v1yP/nvcEzBc11/nX89Mt9YeuT5DAg27Q/AUbTs9T9M7s262CgzGvGf1HhpMbMc5wGgf6b0i+/WNOwglJZtsjPoRIuWT7ivF5QuIxUUNvFxAcGtJTIoKJnP76LxjIAVYkRv7sf7Zqo6BsCKZ1IVU9fK9+bVm87rxI8kvNq8MCcjGbU8Sg5kJhIpe/VKCCiHiaa5aFxcmNdD94C2pwQGXv6FqI7WoO2s/nSyfMehA/WauoQlXvi3qSwuYzZ5ZwRzhO4DT0Z6t7e8H2iK5JMKUyJbqmupJh2yP8B7B58kN0TYbgMR16wIlhlBIsSfzrMWRyu2l92UqJPotPv824UJLj+OdTH8P/VNb3jKEpjj6dI13uBfWDXj/Ya/vhSkVymIDIL5+PV6jOTKAoQtMbxEpR76bfa2dAxS1LU90cdUtUsztOlyVBY5qJwtxibETD67OTLRsdYipdzPLo7vrDEmknfYDOfL86yorOEzOBGdT64Kp0LZ8ey7L+fILlkIqh2gI03jK8XuZxN3qF189O/lOzRh1dQqjb7a7QJgAi5xpLDD5CKdHhxIsFTEF/NtJGZ8pMqaRjbf44WtjFcNwfl9alTJj6FYnGtBNSpr6F67xoTP+u/vjR0XGv11uBjIrxho0yv7EieYpEhFk9q9YWlep1ewfBKkyhxmckDa4Ji3lTKdUKJT/sp3zAAwhIg1BB64IwHCbL1w+KeEqCMK88cxsyo4RjWavCnqthdMhPitnYuL66QVdp3L1u0NWXifCn7UkyIWjKhUSCXJPUj6l/q1RMYUbkyvpUGpsQRIgp+NpAas8STqUlypTIlEYCvcZS4ugKXUO4Qp5mo8PZv1F500azlF7ThIyJSVoznnBJUp29t9VGdDrDkcxH9f3aagw3rnptnMKwaigTGQIwmZqqkDW4QAmoUb+sqg6s24l5lCmUtyqa6m6wu9oSE3ZNUw59W5ZyZT3QWp/6YN216JjdIJesAVxiVqiN1lkhcMjSlEAvmyewRJJMZzx9SqtzYSC6a2HA9zPFMtOEViSNTaslwKJdOK/tWkWb2xdLUrjZu3Iw5D/akiWFG4/cdH798eeTrfywV6YxlVAb2tEIlgH4E7MrysZwRd16z+etNmp9IDHNpi3Nza2f6HjSgiVQZhq67qtFdeLTjQicIMoXkLo4t5tLwlT5WDtB14Qf38AdYkxGlBUT1tQI+cOFNfK4CJ6gAvE5I7HWXjDDY3339O7sy/lF8Ckd6yo16DV8oYQn+nre0eXzGYduUSPqmVpefZg2mk+4EgZU2KRPydGEJDOQ+3CjLkgEzKk0W5ATSvuaceY5yyTBU4FwlHKhFec5T5N4AYuy6zhgVMhgzK/hzqJjRBGwa1UYaOfIcqxqlqRB7cKteq2GAYG7inogKOwhiKHYGlQyTxzNZinlKZVmIVBKxjgF57AnAtajYEWJV9NEbuo77iG/7XYP/etHKE1zXKqtftsNJBVKCUj02aBdMNoQUfvK3keqvfKtVP9eFGpc+heVVNdjSG5Qwsdjk/8PTb+ULNWOnJiOKRyEtiJeXubOEYREmVQqHgopwylVasz59oezD6fF2ZiJ0Q15DM/A+YmTGwFZhJDobKHkcKF/FaBf4M6fJTe5h6pUsdWADoGD+h61WObQjMiIkCRGGYtJii7VXJdm9AkWEyIs4/mNeArFF1OSh9m23W0uQZfq/Uso7AFJ3Xk67YzPsgSbZEhwAGoHFszuN7m53PINVOPYABPMhTEWGlcVIydDLidIgOy2ldics80HFPiC67pskYWxQBYd0a+EJsTYqjGrQ9bwkUFLJiLwqj1dbi1/of3SCOFRGiH81ZsffK8ND16aHJh/6674k6n4uFZjg79KM4O/cAOD59204Nk1KnhezQmeW0OClyYERSI8z8YD31+zgZcGAw/WYOClqcADNhV47o0EvtfmAS8NA+6x2k/GZFyvScCzbAzwTJoBPO8GAN9N0f+OmvkNCgk4sjGLJjzVHzuRjW803pu3+pkCCP8Lxj62hdjMmaRed3km1n8A3ookMSUc4ZpZgVp7Mw6pTRMupCeoNZ1wQl2JxhmWE/uw92ANgOrfCZmlJALXRAfKgeYvglcGPtFilhNmNs2qAJ/CL5B0Sv60qdOLwdNR7qWHp3SsozDfIJlmpDi6pkhhWO73ktYfhnV8swB1tz4QZAOO/3GWwqLoyerwW4L0aoX8525FCwZdd01vHVkRV0Ah/4AyIb3L0jtpBNcP+l1k30U0ttsiSngW5zvgWH20UQMpmhKJYyxx/ab4YH7VoR9R4VUIL8ztERzHQ3hgaIdUT0ZECB1a5u+RAubwUkCneOzVwc9LSkxpB4dR3Ovv1MqPnEHO1Ajo7MQFL2pwLUUMe/yAjtRKwUM8iX1GtQAp+AMNlcX1jqWuffjW5fbmsADmgY23T+MQcs+vPNMS3Fuaa1k29mab4mhCGYE9vtRk5oXAe2HZufxYrOESAu32t5addZZykGJLLpx5fPV1S8k41/pun6PwaO34VizEPLoCXjVy4cR+rtle+jfQO9T5mCS6RwMIBf2b2uFiwlM51JI51yfscazn6ziZsODYdGChGg908ZWCENGnA9QUcj/WEcsjWP0rtURbMJWSOKvPBpLO21Arzlp6c7lJ15/OlAFFP6CLTyef3qCf+FypF1M8U0JWkL9XYCkc9Oj2wx4tlufIyXQNQmA5V52/Od/+pD/VDHLGRtznVnMsqNeRlTUeg6rva9nTnBunx+d+3jG1mbYBiURwM00C85xOnMOpvlNlnHXyN0tFvLhrQLCY0xcvTaHSlh0i5DwhmC1J3lFOEUjPyZe9Oi8XQZjRpDpldUXd6d3qHZz0uoet5cD5dI5gBj9GpR6QiMekdh/cBouQKZHRZHlg7Cy6VB+7cRx4lYUkZURCKIDhw3/639WMm//udK6iApUPinwuvF2q5i/dKVkLQN/Oc2WKz3hcL3ZW2sweBWZcXytVF1dNldXI8HVn+sxj9PXspDoRmMwzHG0OqXzE6mQ8roj8e05ma+RUJzPi8m/3Fszez8Mpns0oG5tnW39bchd5EJuDZIpnVZChnp++cHpycHuw1QOfkllCIyyI3OwS5+MuWOiYzBJ+My2ZmfefOB93wcRwATXKko2j7A28YOo79KB1J3bD3jltvdJ3/3n1uOaAMbI8P10+uy9qxjU/5ueKM2rrzoF8bLTSIUC+Lat2mhmCPMD4FtXTYPw7T/gVxR2cSR5TAekhOfr/pX9FJ+aXG+Q/hzzL+85LjJqh/FPYwOGGXHS9Z54L9C1PMRtkhVste/1pXLx85ADwSiPVz0lvu3xdMN0pjiam0qNuUuVSck3wiqnETih0DHLVVeJMVwKQOJXZzPqB9EC6HcJUZwO7ezlp+qDiKZEKsdRkCMG6EQkquS7YDV+oj22TcgqgQV4BTqAWvdCe/bPP+gnDXojGbYgBh5ShAkiQYCAFUKaehCbceZbyOIvk6oS80KHVZu+aYZSa6HC7bdq12aUw7Svhqn299mbeumNqL910xZn1u15kuUHf4wWB0owxtdCU1cNh2wiuPPvXL+/RRBmfE2WqwHSGWwGS24geZWnJVVE0kxbM+otrnGXxm2PhWNyYlDiTE8Kkq6Shmxy5y9eS/6FlktD/i2cpw0lIsGwt54+4hysi4imJs+lsochfeFaZ+vs2LEpXAok7dkBbBHFCklmeF73oAPHce4uW/1ZgEDryVDE+QlMiBB7npygEdxrQhJb2pggO+PmCKkSCpMPHAAt8GB5QOcsCW8Rrr5RfD8sOdte6VNTr6rR3EMBNLzlKOJQ3C8kEJyN9KLjWQQq8cYqngfd2GSofMpzFhbVZDNydAMI6qeHsRuKjYmHo2+DxYYIq2MOiiVqEzYtO8/+ZFOG4XFkz/+cV+3IxnyshaHpLQp3ur2cnVlKb3CGrli1EzSSPNYjYzvpYAS9YEJfBzEm/aXmpFm3xu5HJL5O2ExpuG3lo/x91OlA4fDW+vDAZgUppSSjLgxdvQ6pk/DSJ1Yro+NWxcwOgHotaA+F+uNwBHfTLMwnLt0G4GlHceVKRCgs3zr2wWHJvu2YVDwTWP1YDa/ZAYH1eDSyzwps7ds6NdLjnwcPnTGkrTRw8S4pgn+3mLFf4qrDedZLU7+yNApvDaqWzAWox1CVN8MFBZp7otEArmG6BuEaBfRpgWwW3qnQXyrSjp6Ru6u4SD3UUKdIZ+0lPDFAskElZqCn7CMC5uW+BTyMwFDfThLIr8VBQHuX1zczUJhJyximTptdf3jdEO00oQ9sxub4VEfXg0Gvb+yD09oGcub6+VNgflgJ8k3rhWgxsekCLCZ8L04fGWwGZEoJCkvA5UqpUVTp4kfLoXrLB3VLFxKam2QpFleP3NqEwohvUTnOlMgh0SgdPybauYZMG0RqWQ0H46hqACmLdCFx3r+RjRIVLz4vr+WeUMb9KxCZR/Z2Hw4SPh0JimYmhuR65J64WXnNv7bBzKJtp6rFVdtZmdE+vaUHZuF0CI7D38rt/x7BLI1Xv1EFP6VR9spc439Udjtnbz/AO5zbMXu5wNoPVyx3O0nc4G7uVyCXB6ryU73vr7NQngqmZBWUWbzvfNnbjsxkkdF9VjUKaMXH33tjYTdpmEABzdhX4IzzTgeWkbAzdW+XOe417k9QKnPobrdWdSq6ZxJ2uJMquuXaEDpeK4VtMjHzrHgx2u6Pe3n4/JnuDvejgIIp7OzsYx/Fg1I/3u0tGdEFpcweenyeSZgzahUY3UZI3dmRU+vsMXL+5QkZZjelS1mfug/U2NFgVCY0I/Nnp9XcG5rM5QDv9AEoCr0CAiDOZ8sRsSDAyKStc3EwoSXEaTW6q+NVdQNbuysX43QEezFDQesrXSVCZe9F93mIdaPWVuAPSJW4XHTQJXSrIdBmuKHHCCivvwFTvLbiZg9vE+4O7JCSwpreCs5xjfhm6sTFl3wLTC3cFqt19I7tOKEGzK73idaxMMRMznq4GOITu1cEtbkTCx0uCC7kkRdMW5GxKIkKv66IYlkqdWOI8s2kPdx1oIedyc0dZHB9Eh/sDLOJRtxeHpE9G/b14f6S+6O8NomUTJdQyK8j8Uww+W2LWH1aePpDw8X3Jd+fN2sJsAl3p92b9Y6RWqbuDXnZWC77Vn9GRoQdUeMaS+o3CqttlhKNip5MHAd7Oek/g82Y2G2Joka2ifVWa5q+AhlOyMiFdNT4Nui6F+//dBvUCyI7SkMoUp64tnN8g3ajSpJxYnhIcDyFdW+JSTN2izHnTbcn8cmvap4uqXLg9F22rfEvXv1f3rv++xGXL6jYL/q4IBXXgmDLv0IPURgfb9LL/FwAA///QnKxL" } diff --git a/journalbeat/input/input.go b/journalbeat/input/input.go index f8cbf1fbf73..b45b99d1816 100644 --- a/journalbeat/input/input.go +++ b/journalbeat/input/input.go @@ -79,7 +79,7 @@ func New( state := states[cfg.CheckpointID] r, err := reader.NewLocal(cfg, done, state, logger) if err != nil { - return nil, fmt.Errorf("error creating reader for local journal: %v", err) + return nil, fmt.Errorf("error creating reader for local journal: %+v", err) } readers = append(readers, r) } @@ -99,7 +99,7 @@ func New( state := states[cfg.CheckpointID] r, err := reader.New(cfg, done, state, logger) if err != nil { - return nil, fmt.Errorf("error creating reader for journal: %v", err) + return nil, fmt.Errorf("error creating reader for journal: %+v", err) } readers = append(readers, r) } diff --git a/journalbeat/journalbeat.reference.yml b/journalbeat/journalbeat.reference.yml index 7ac42991b3b..4fe83567574 100644 --- a/journalbeat/journalbeat.reference.yml +++ b/journalbeat/journalbeat.reference.yml @@ -431,10 +431,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 @@ -547,20 +555,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -570,7 +585,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -733,30 +748,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -769,6 +791,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -876,42 +904,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. @@ -1044,6 +1086,11 @@ output.elasticsearch: # Set to false to disable template loading. #setup.template.enabled: true +# Select the kind of index template. From Elasticsearch 7.8, it is possible to +# use component templates. Available options: legacy, component, index. +# By default journalbeat uses the legacy index templates. +#setup.template.type: legacy + # Template name. By default the template name is "journalbeat-%{[agent.version]}" # The template name and pattern has to be set in case the Elasticsearch index pattern is modified. #setup.template.name: "journalbeat-%{[agent.version]}" @@ -1147,20 +1194,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1179,6 +1237,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog @@ -1329,17 +1398,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1362,6 +1438,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/journalbeat/reader/journal.go b/journalbeat/reader/journal.go index fb5b91c5019..6b3136d65c6 100644 --- a/journalbeat/reader/journal.go +++ b/journalbeat/reader/journal.go @@ -76,6 +76,7 @@ func newReader(path string, c Config, done chan struct{}, state checkpoint.Journ instance.AddJournalToMonitor(c.Path, journal) return &Reader{ + r: r, journal: journal, config: c, done: done, diff --git a/journalbeat/tests/system/input/test.journal b/journalbeat/tests/system/input/test.journal index 887d4917905..c42b825e62d 100644 Binary files a/journalbeat/tests/system/input/test.journal and b/journalbeat/tests/system/input/test.journal differ diff --git a/journalbeat/tests/system/input/test.registry b/journalbeat/tests/system/input/test.registry index 5c6680edb42..9b9dee108b3 100644 --- a/journalbeat/tests/system/input/test.registry +++ b/journalbeat/tests/system/input/test.registry @@ -1,6 +1,6 @@ update_time: 2018-09-11T10:06:50.895829905Z journal_entries: - path: /home/n/go/src/github.com/elastic/beats/journalbeat/tests/system/input/test.journal - cursor: s=7d22fd7aa0c7482d88c303f47d5f32dc;i=2fcb;b=902dc834f07d4f41ade064f6b2ef8b4f;m=1bf0ff5c6d;t=55913a25fe765;x=c7e6480eec30822b - realtime_timestamp: 1505315746998117 - monotonic_timestamp: 120007384173 + cursor: s=018329e08e3a45a0ae03694421c4f553;i=2015d;b=fa3c2e3080dc4cd5be5cb5a43e140d51;m=29102136a4;t=5ab0792b1dc62;x=84a1467480b8f1af + realtime_timestamp: 1595423897803874 + monotonic_timestamp: 176364271268 diff --git a/journalbeat/tests/system/journalbeat.py b/journalbeat/tests/system/journalbeat.py index 11381395e29..2ad3bd3c37f 100644 --- a/journalbeat/tests/system/journalbeat.py +++ b/journalbeat/tests/system/journalbeat.py @@ -1,6 +1,5 @@ import os import sys -sys.path.append(os.path.join(os.path.dirname(__file__), '../../../libbeat/tests/system')) from beat.beat import TestCase diff --git a/journalbeat/tests/system/test_base.py b/journalbeat/tests/system/test_base.py index a94d4a7473c..2d7269dd5f4 100644 --- a/journalbeat/tests/system/test_base.py +++ b/journalbeat/tests/system/test_base.py @@ -6,9 +6,10 @@ import time import yaml from shutil import copyfile +from beat import common_tests -class Test(BaseTest): +class Test(BaseTest, common_tests.TestExportsMixin): @unittest.skipUnless(sys.platform.startswith("linux"), "Journald only on Linux") def test_start_with_local_journal(self): @@ -44,19 +45,14 @@ def test_start_with_journal_directory(self): ) journalbeat_proc = self.start_beat() - required_log_snippets = [ - # journalbeat can be started - "journalbeat is running", - # journalbeat can seek to the position defined in the cursor - "Tailing the journal file", - ] - for snippet in required_log_snippets: - self.wait_until(lambda: self.log_contains(snippet), - name="Line in '{}' Journalbeat log".format(snippet)) + self.wait_until(lambda: self.log_contains("journalbeat is running")) exit_code = journalbeat_proc.kill_and_wait() assert exit_code == 0 + # journalbeat is tailing an inactive journal + assert self.output_is_empty() + @unittest.skipUnless(sys.platform.startswith("linux"), "Journald only on Linux") def test_start_with_selected_journal_file(self): """ @@ -73,17 +69,7 @@ def test_start_with_selected_journal_file(self): ) journalbeat_proc = self.start_beat() - required_log_snippets = [ - # journalbeat can be started - "journalbeat is running", - # journalbeat can seek to the position defined in the cursor - "Reading from the beginning of the journal file", - # message can be read from test journal - "\"message\": \"thinkpad_acpi: unhandled HKEY event 0x60b0\"", - ] - for snippet in required_log_snippets: - self.wait_until(lambda: self.log_contains(snippet), - name="Line in '{}' Journalbeat log".format(snippet)) + self.wait_until(lambda: self.output_has(lines=23)) exit_code = journalbeat_proc.kill_and_wait() assert exit_code == 0 @@ -105,21 +91,14 @@ def test_start_with_selected_journal_file_with_cursor_fallback(self): ) journalbeat_proc = self.start_beat() - required_log_snippets = [ - # journalbeat can be started - "journalbeat is running", - # journalbeat can seek to the position defined in cursor_seek_fallback. - "Seeking method set to cursor, but no state is saved for reader. Starting to read from the end", - # message can be read from test journal - "\"message\": \"thinkpad_acpi: please report the conditions when this event happened to ibm-acpi-devel@lists.sourceforge.net\"", - ] - for snippet in required_log_snippets: - self.wait_until(lambda: self.log_contains(snippet), - name="Line in '{}' Journalbeat log".format(snippet)) + self.wait_until(lambda: self.log_contains("journalbeat is running")) exit_code = journalbeat_proc.kill_and_wait() assert exit_code == 0 + # journalbeat is tailing an inactive journal with no cursor data + assert self.output_is_empty() + @unittest.skipUnless(sys.platform.startswith("linux"), "Journald only on Linux") def test_read_events_with_existing_registry(self): """ @@ -142,19 +121,7 @@ def test_read_events_with_existing_registry(self): ) journalbeat_proc = self.start_beat() - required_log_snippets = [ - # journalbeat can be started - "journalbeat is running", - # journalbeat can seek to the position defined in the cursor - "Seeked to position defined in cursor", - # message can be read from test journal - "please report the conditions when this event happened to", - # only one event is read and published - 'journalbeat successfully published events\t{"event.count": 1}', - ] - for snippet in required_log_snippets: - self.wait_until(lambda: self.log_contains(snippet), - name="Line in '{}' Journalbeat log".format(snippet)) + self.wait_until(lambda: self.output_has(lines=9)) exit_code = journalbeat_proc.kill_and_wait() assert exit_code == 0 @@ -172,27 +139,13 @@ def test_read_events_with_include_matches(self): ], "seek": "head", "include_matches": [ - "syslog.priority=5", + "syslog.priority=6", ] }], ) journalbeat_proc = self.start_beat() - required_log_snippets = [ - # journalbeat can be started - "journalbeat is running", - # journalbeat can seek to the position defined in the cursor - "Added matcher expression", - # message can be read from test journal - "unhandled HKEY event 0x60b0", - "please report the conditions when this event happened to", - "unhandled HKEY event 0x60b1", - # Four events with priority 5 is publised - 'journalbeat successfully published events\t{"event.count": 4}', - ] - for snippet in required_log_snippets: - self.wait_until(lambda: self.log_contains(snippet), - name="Line in '{}' Journalbeat log".format(snippet)) + self.wait_until(lambda: self.output_has(lines=6)) exit_code = journalbeat_proc.kill_and_wait() assert exit_code == 0 diff --git a/libbeat/Dockerfile b/libbeat/Dockerfile index 9b89e87b685..b72fbaa58b5 100644 --- a/libbeat/Dockerfile +++ b/libbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 RUN \ apt-get update \ @@ -10,8 +10,6 @@ RUN \ python3-venv \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/libbeat/Jenkinsfile.yml b/libbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..64a43269b13 --- /dev/null +++ b/libbeat/Jenkinsfile.yml @@ -0,0 +1,20 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "@ci" ## special token regarding the changeset for the ci + - "@oss" ## special token regarding the changeset for the oss + comments: ## when PR comment contains any of those entries + - "/test libbeat" + labels: ## when PR labels matches any of those entries + - "libbeat" + parameters: ## when parameter was selected in the UI. + - "libbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage build test" + crosscompile: + make: "make -C libbeat crosscompile" + stress-tests: + make: "make STRESS_TEST_OPTIONS='-timeout=20m -race -v -parallel 1' -C libbeat stress-tests" diff --git a/libbeat/_meta/config/monitoring.reference.yml.tmpl b/libbeat/_meta/config/monitoring.reference.yml.tmpl index 187b92678eb..c40ad0d0c29 100644 --- a/libbeat/_meta/config/monitoring.reference.yml.tmpl +++ b/libbeat/_meta/config/monitoring.reference.yml.tmpl @@ -72,42 +72,7 @@ # Configure HTTP request timeout before failing an request to Elasticsearch. #timeout: 90 - # Use SSL settings for HTTPS. - #ssl.enabled: true - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. - #ssl.verification_mode: full - - # List of supported/valid TLS versions. By default all TLS versions from 1.1 - # up to 1.3 are enabled. - #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - - # SSL configuration. The default is off. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client certificate key - #ssl.key: "/etc/pki/client/cert.key" - - # Optional passphrase for decrypting the certificate key. - #ssl.key_passphrase: '' - - # Configure cipher suites to be used for SSL connections - #ssl.cipher_suites: [] - - # Configure curve types for ECDHE-based cipher suites - #ssl.curve_types: [] - - # Configure what types of renegotiation are supported. Valid options are - # never, once, and freely. Default is never. - #ssl.renegotiation: never - +{{include "ssl.reference.yml.tmpl" . | indent 2 }} # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/libbeat/_meta/config/output-elasticsearch.reference.yml.tmpl b/libbeat/_meta/config/output-elasticsearch.reference.yml.tmpl index 5de92febf3c..c364cb7b179 100644 --- a/libbeat/_meta/config/output-elasticsearch.reference.yml.tmpl +++ b/libbeat/_meta/config/output-elasticsearch.reference.yml.tmpl @@ -77,47 +77,7 @@ output.elasticsearch: # Configure HTTP request timeout before failing a request to Elasticsearch. #timeout: 90 - # Use SSL settings for HTTPS. - #ssl.enabled: true - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. - #ssl.verification_mode: full - - # List of supported/valid TLS versions. By default all TLS versions from 1.1 - # up to 1.3 are enabled. - #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client certificate key - #ssl.key: "/etc/pki/client/cert.key" - - # Optional passphrase for decrypting the certificate key. - #ssl.key_passphrase: '' - - # Configure cipher suites to be used for SSL connections - #ssl.cipher_suites: [] - - # Configure curve types for ECDHE-based cipher suites - #ssl.curve_types: [] - - # Configure what types of renegotiation are supported. Valid options are - # never, once, and freely. Default is never. - #ssl.renegotiation: never - - # Configure a pin that can be used to do extra validation of the verified certificate chain, - # this allow you to ensure that a specific certificate is used to validate the chain of trust. - # - # The pin is a base64 encoded string of the SHA-256 fingerprint. - #ssl.ca_sha256: "" - +{{include "ssl.reference.yml.tmpl" . | indent 2 }} # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/libbeat/_meta/config/output-kafka.reference.yml.tmpl b/libbeat/_meta/config/output-kafka.reference.yml.tmpl index 87b24c8d72e..169abe2efaa 100644 --- a/libbeat/_meta/config/output-kafka.reference.yml.tmpl +++ b/libbeat/_meta/config/output-kafka.reference.yml.tmpl @@ -127,42 +127,7 @@ # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. - #ssl.enabled: true - - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. - #ssl.verification_mode: full - - # List of supported/valid TLS versions. By default all TLS versions from 1.1 - # up to 1.3 are enabled. - #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client Certificate Key - #ssl.key: "/etc/pki/client/cert.key" - - # Optional passphrase for decrypting the Certificate Key. - #ssl.key_passphrase: '' - - # Configure cipher suites to be used for SSL connections - #ssl.cipher_suites: [] - - # Configure curve types for ECDHE-based cipher suites - #ssl.curve_types: [] - - # Configure what types of renegotiation are supported. Valid options are - # never, once, and freely. Default is never. - #ssl.renegotiation: never - +{{include "ssl.reference.yml.tmpl" . | indent 2 }} # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/libbeat/_meta/config/output-logstash.reference.yml.tmpl b/libbeat/_meta/config/output-logstash.reference.yml.tmpl index da182d0496e..f315099ba89 100644 --- a/libbeat/_meta/config/output-logstash.reference.yml.tmpl +++ b/libbeat/_meta/config/output-logstash.reference.yml.tmpl @@ -55,48 +55,7 @@ # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. - #ssl.enabled: true - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. - #ssl.verification_mode: full - - # List of supported/valid TLS versions. By default all TLS versions from 1.1 - # up to 1.3 are enabled. - #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client certificate key - #ssl.key: "/etc/pki/client/cert.key" - - # Optional passphrase for decrypting the Certificate Key. - #ssl.key_passphrase: '' - - # Configure cipher suites to be used for SSL connections - #ssl.cipher_suites: [] - - # Configure curve types for ECDHE-based cipher suites - #ssl.curve_types: [] - - # Configure what types of renegotiation are supported. Valid options are - # never, once, and freely. Default is never. - #ssl.renegotiation: never - - # Configure a pin that can be used to do extra validation of the verified certificate chain, - # this allow you to ensure that a specific certificate is used to validate the chain of trust. - # - # The pin is a base64 encoded string of the SHA-256 fingerprint. - #ssl.ca_sha256: "" - +{{include "ssl.reference.yml.tmpl" . | indent 2 }} # The number of times to retry publishing an event after a publishing failure. # After the specified number of retries, the events are typically dropped. # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting diff --git a/libbeat/_meta/config/output-redis.reference.yml.tmpl b/libbeat/_meta/config/output-redis.reference.yml.tmpl index 3b8fa47f292..a3c99bdf9ae 100644 --- a/libbeat/_meta/config/output-redis.reference.yml.tmpl +++ b/libbeat/_meta/config/output-redis.reference.yml.tmpl @@ -80,38 +80,4 @@ # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. - #ssl.enabled: true - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. - #ssl.verification_mode: full - - # List of supported/valid TLS versions. By default all TLS versions from 1.1 - # up to 1.3 are enabled. - #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client Certificate Key - #ssl.key: "/etc/pki/client/cert.key" - - # Optional passphrase for decrypting the Certificate Key. - #ssl.key_passphrase: '' - - # Configure cipher suites to be used for SSL connections - #ssl.cipher_suites: [] - - # Configure curve types for ECDHE based cipher suites - #ssl.curve_types: [] - - # Configure what types of renegotiation are supported. Valid options are - # never, once, and freely. Default is never. - #ssl.renegotiation: never +{{include "ssl.reference.yml.tmpl" . | indent 2 }} diff --git a/libbeat/_meta/config/setup.kibana.reference.yml.tmpl b/libbeat/_meta/config/setup.kibana.reference.yml.tmpl index 603b3da4196..6489909caaf 100644 --- a/libbeat/_meta/config/setup.kibana.reference.yml.tmpl +++ b/libbeat/_meta/config/setup.kibana.reference.yml.tmpl @@ -21,34 +21,8 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. - #ssl.enabled: true + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. - #ssl.verification_mode: full - - # List of supported/valid TLS versions. By default all TLS versions from 1.1 - # up to 1.3 are enabled. - #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - - # SSL configuration. The default is off. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client certificate key - #ssl.key: "/etc/pki/client/cert.key" - - # Optional passphrase for decrypting the certificate key. - #ssl.key_passphrase: '' - - # Configure cipher suites to be used for SSL connections - #ssl.cipher_suites: [] - - # Configure curve types for ECDHE-based cipher suites - #ssl.curve_types: [] +{{include "ssl.reference.yml.tmpl" . | indent 2 }} diff --git a/libbeat/_meta/config/setup.template.reference.yml.tmpl b/libbeat/_meta/config/setup.template.reference.yml.tmpl index 48d23d9d0c9..3f8dc077446 100644 --- a/libbeat/_meta/config/setup.template.reference.yml.tmpl +++ b/libbeat/_meta/config/setup.template.reference.yml.tmpl @@ -7,6 +7,11 @@ # Set to false to disable template loading. #setup.template.enabled: true +# Select the kind of index template. From Elasticsearch 7.8, it is possible to +# use component templates. Available options: legacy, component, index. +# By default {{.BeatName}} uses the legacy index templates. +#setup.template.type: legacy + # Template name. By default the template name is "{{.BeatIndexPrefix}}-%{[agent.version]}" # The template name and pattern has to be set in case the Elasticsearch index pattern is modified. #setup.template.name: "{{.BeatIndexPrefix}}-%{[agent.version]}" diff --git a/libbeat/_meta/config/ssl.reference.yml.tmpl b/libbeat/_meta/config/ssl.reference.yml.tmpl new file mode 100644 index 00000000000..88f638e21b0 --- /dev/null +++ b/libbeat/_meta/config/ssl.reference.yml.tmpl @@ -0,0 +1,48 @@ +# Use SSL settings for HTTPS. +#ssl.enabled: true + +# Controls the verification of certificates. Valid values are: +# * full, which verifies that the provided certificate is signed by a trusted +# authority (CA) and also verifies that the server's hostname (or IP address) +# matches the names identified within the certificate. +# * certificate, which verifies that the provided certificate is signed by a +# trusted authority (CA), but does not perform any hostname verification. +# * none, which performs no verification of the server's certificate. This +# mode disables many of the security benefits of SSL/TLS and should only be used +# after very careful consideration. It is primarily intended as a temporary +# diagnostic mechanism when attempting to resolve TLS errors; its use in +# production environments is strongly discouraged. +# The default value is full. +#ssl.verification_mode: full + +# List of supported/valid TLS versions. By default all TLS versions from 1.1 +# up to 1.3 are enabled. +#ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + +# List of root certificates for HTTPS server verifications +#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + +# Certificate for SSL client authentication +#ssl.certificate: "/etc/pki/client/cert.pem" + +# Client certificate key +#ssl.key: "/etc/pki/client/cert.key" + +# Optional passphrase for decrypting the certificate key. +#ssl.key_passphrase: '' + +# Configure cipher suites to be used for SSL connections +#ssl.cipher_suites: [] + +# Configure curve types for ECDHE-based cipher suites +#ssl.curve_types: [] + +# Configure what types of renegotiation are supported. Valid options are +# never, once, and freely. Default is never. +#ssl.renegotiation: never + +# Configure a pin that can be used to do extra validation of the verified certificate chain, +# this allow you to ensure that a specific certificate is used to validate the chain of trust. +# +# The pin is a base64 encoded string of the SHA-256 fingerprint. +#ssl.ca_sha256: "" diff --git a/libbeat/_meta/fields.ecs.yml b/libbeat/_meta/fields.ecs.yml index 9032aafba00..aeaeed0e868 100644 --- a/libbeat/_meta/fields.ecs.yml +++ b/libbeat/_meta/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 1.5.0. +# based on ECS version 1.6.0. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs @@ -64,6 +64,17 @@ systems such as Logstash or APM Server.' type: group fields: + - name: build.original + level: core + type: keyword + ignore_above: 1024 + description: 'Extended build information for the agent. + + This field is intended to contain any build information that a data source + may provide, no specific formatting is required.' + example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c + built 2020-02-05 23:10:10 +0000 UTC] + default_field: false - name: ephemeral_id level: extended type: keyword @@ -98,7 +109,7 @@ ignore_above: 1024 description: 'Type of the agent. - The agent type stays always the same and should be given by the agent used. + The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.' example: filebeat @@ -248,9 +259,7 @@ - name: ip level: core type: ip - description: 'IP address of the client. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the client (IPv4 or IPv6). - name: mac level: core type: keyword @@ -287,19 +296,19 @@ ignore_above: 1024 description: 'The highest registered client domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain - for google.com is "com". + for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking @@ -358,7 +367,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: user.name level: core type: keyword @@ -370,6 +379,13 @@ default_field: false description: Short name or login of the user. example: albert + - name: user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: cloud title: Cloud group: 2 @@ -391,6 +407,16 @@ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' example: 666777888999 + - name: account.name + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account name or alias used to identify different entities + in a multi-tenant environment. + + Examples: AWS account name, Google Cloud ORG display name.' + example: elastic-dev + default_field: false - name: availability_zone level: extended type: keyword @@ -414,6 +440,24 @@ ignore_above: 1024 description: Machine type of the host machine. example: t2.medium + - name: project.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud project identifier. + + Examples: Google Cloud Project id, Azure Project id.' + example: my-project + default_field: false + - name: project.name + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud project name. + + Examples: Google Cloud Project name, Azure Project name.' + example: my project + default_field: false - name: provider level: extended type: keyword @@ -617,9 +661,7 @@ - name: ip level: core type: ip - description: 'IP address of the destination. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the destination (IPv4 or IPv6). - name: mac level: core type: keyword @@ -655,19 +697,19 @@ ignore_above: 1024 description: 'The highest registered destination domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain - for google.com is "com". + for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking @@ -726,7 +768,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: user.name level: core type: keyword @@ -738,6 +780,13 @@ default_field: false description: Short name or login of the user. example: albert + - name: user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: dll title: DLL group: 2 @@ -837,6 +886,13 @@ description: Full file path of the library. example: C:\Windows\System32\kernel32.dll default_field: false + - name: pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false - name: pe.company level: extended type: keyword @@ -858,6 +914,17 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false - name: pe.original_file_name level: extended type: keyword @@ -886,7 +953,6 @@ - name: answers level: extended type: object - object_type: keyword description: 'An array containing an object for each answer section returned by the server. @@ -920,7 +986,7 @@ If a chain of CNAME is being resolved, each answer''s `name` should be the one that corresponds with the answer''s `data`. It should not simply be the original `question.name` repeated.' - example: www.google.com + example: www.example.com - name: answers.ttl level: extended type: long @@ -975,19 +1041,19 @@ those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.' - example: www.google.com + example: www.example.com - name: question.registered_domain level: extended type: keyword ignore_above: 1024 description: 'The highest registered domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: question.subdomain level: extended type: keyword @@ -1003,7 +1069,7 @@ ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain - for google.com is "com". + for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking @@ -1097,6 +1163,7 @@ norms: false default_field: false description: The stack trace of this error in plain text. + index: false - name: type level: extended type: keyword @@ -1262,6 +1329,7 @@ but it can be retrieved from `_source`.' example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 + index: false - name: outcome level: core type: keyword @@ -1296,6 +1364,19 @@ the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' example: kernel + - name: reason + level: extended + type: keyword + ignore_above: 1024 + description: 'Reason why this event happened, according to the source. + + This describes the why of a particular action or outcome captured in the event. + Where `event.action` captures the action from the event, `event.reason` describes + why that action was taken. For example, a web proxy with an `event.action` + which denied the request may also populate `event.reason` with the reason + why (e.g. `blocked site`).' + example: Terminated an unexpected process + default_field: false - name: reference level: extended type: keyword @@ -1304,7 +1385,7 @@ This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field.' - example: https://system.vendor.com/event/#0001234 + example: https://system.example.com/event/#0001234 default_field: false - name: risk_score level: core @@ -1378,9 +1459,9 @@ this event. This URL links to another system where in-depth investigation of the specific - occurence of this event can take place. Alert events, indicated by `event.kind:alert`, + occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field.' - example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe default_field: false - name: file title: File @@ -1576,6 +1657,13 @@ description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png + - name: pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false - name: pe.company level: extended type: keyword @@ -1597,6 +1685,17 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false - name: pe.original_file_name level: extended type: keyword @@ -1640,6 +1739,177 @@ ignore_above: 1024 description: The user ID (UID) or security identifier (SID) of the file owner. example: '1001' + - name: x509.alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: x509.issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + default_field: false + - name: x509.issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US + default_field: false + - name: x509.issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + default_field: false + - name: x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + default_field: false + - name: x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + default_field: false + - name: x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + default_field: false + - name: x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: shared.global.example.net + default_field: false + - name: x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: x509.subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + default_field: false + - name: x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. + default_field: false + - name: x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: x509.version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false - name: geo title: Geo group: 2 @@ -1984,7 +2254,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: user.name level: core type: keyword @@ -1996,6 +2266,13 @@ default_field: false description: Short name or login of the user. example: albert + - name: user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: http title: HTTP group: 2 @@ -2032,9 +2309,14 @@ ignore_above: 1024 description: 'HTTP request method. - The field value must be normalized to lowercase for querying. See the documentation - section "Implementing ECS".' - example: get, post, put + Prior to ECS 1.6.0 the following guidance was provided: + + "The field value must be normalized to lowercase for querying." + + As of ECS 1.6.0, the guidance is deprecated because the original case of the + method may be useful in anomaly detection. Original case will be mandated + in ECS 2.0.0' + example: GET, POST, PUT, PoST - name: request.referrer level: extended type: keyword @@ -2122,6 +2404,16 @@ but rather in `event.*` or in other ECS fields.' type: group fields: + - name: file.path + level: extended + type: keyword + ignore_above: 1024 + description: 'Full path to the log file this event came from, including the + file name. It should include the drive letter, when appropriate. + + If the event wasn''t read from a log file, do not populate this field.' + example: /var/log/fun-times.log + default_field: false - name: level level: core type: keyword @@ -2151,8 +2443,11 @@ level: extended type: keyword ignore_above: 1024 - description: The name of the file containing the source code which originated - the log event. Note that this is not the name of the log file. + description: 'The name of the file containing the source code which originated + the log event. + + Note that this field is not meant to capture the log file. The correct field + to capture the log file is `log.file.path`.' example: Bootstrap.java - name: origin.function level: extended @@ -2175,10 +2470,10 @@ This field is not indexed and doc_values are disabled so it can''t be queried but the value can be retrieved from `_source`.' example: Sep 19 08:26:10 localhost My log + index: false - name: syslog level: extended type: object - object_type: keyword description: The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. - name: syslog.facility.code @@ -2295,7 +2590,6 @@ - name: inner level: extended type: object - object_type: keyword description: Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used @@ -2393,7 +2687,6 @@ - name: egress level: extended type: object - object_type: keyword description: Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress @@ -2506,7 +2799,6 @@ - name: ingress level: extended type: object - object_type: keyword description: Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress @@ -2836,6 +3128,13 @@ description: These fields contain Windows Portable Executable (PE) metadata. type: group fields: + - name: architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false - name: company level: extended type: keyword @@ -2857,6 +3156,17 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false - name: original_file_name level: extended type: keyword @@ -3032,11 +3342,12 @@ level: extended type: keyword ignore_above: 1024 - description: 'Array of process arguments. + description: 'Array of process arguments, starting with the absolute path to + the executable. May be filtered to protect sensitive information.' example: - - ssh + - /usr/bin/ssh - -l - user - 10.0.0.16 @@ -3179,6 +3490,59 @@ Sometimes called program name or similar.' example: ssh default_field: false + - name: parent.pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false + - name: parent.pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: parent.pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: parent.pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: parent.pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false + - name: parent.pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: parent.pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: parent.pgid level: extended type: long @@ -3249,6 +3613,13 @@ description: The working directory of the process. example: /home/alice default_field: false + - name: pe.architecture + level: extended + type: keyword + ignore_above: 1024 + description: CPU architecture target for the file. + example: x64 + default_field: false - name: pe.company level: extended type: keyword @@ -3270,6 +3641,17 @@ description: Internal version of the file, provided at compile-time. example: 6.3.9600.17415 default_field: false + - name: pe.imphash + level: extended + type: keyword + ignore_above: 1024 + description: 'A hash of the imports in a PE file. An imphash -- or import hash + -- can be used to fingerprint binaries even after recompilation or other code-level + transformations have occurred, which would change more traditional hash values. + + Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html.' + example: 0c6803c4e922103c4dca5963aad36ddf + default_field: false - name: pe.original_file_name level: extended type: keyword @@ -3437,6 +3819,13 @@ using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). default_field: false + - name: hosts + level: extended + type: keyword + ignore_above: 1024 + description: All hostnames or other host identifiers seen on your event. Example + identifiers include FQDNs, domain names, workstation names, or aliases. + default_field: false - name: ip level: extended type: ip @@ -3656,9 +4045,7 @@ - name: ip level: core type: ip - description: 'IP address of the server. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the server (IPv4 or IPv6). - name: mac level: core type: keyword @@ -3695,19 +4082,19 @@ ignore_above: 1024 description: 'The highest registered server domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain - for google.com is "com". + for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking @@ -3766,7 +4153,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: user.name level: core type: keyword @@ -3778,6 +4165,13 @@ default_field: false description: Short name or login of the user. example: albert + - name: user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: service title: Service group: 2 @@ -3967,9 +4361,7 @@ - name: ip level: core type: ip - description: 'IP address of the source. - - Can be one or multiple IPv4 or IPv6 addresses.' + description: IP address of the source (IPv4 or IPv6). - name: mac level: core type: keyword @@ -4006,19 +4398,19 @@ ignore_above: 1024 description: 'The highest registered source domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: top_level_domain level: extended type: keyword ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain - for google.com is "com". + for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking @@ -4077,7 +4469,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: user.name level: core type: keyword @@ -4089,17 +4481,23 @@ default_field: false description: Short name or login of the user. example: albert + - name: user.roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: threat title: Threat group: 2 - description: 'Fields to classify events and alerts according to a threat taxonomy - such as the Mitre ATT&CK framework. - - These fields are for users to classify alerts from all of their sources (e.g. - IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to - capture the high level category of the threat (e.g. "impact"). The threat.technique.* - fields are meant to capture which kind of approach is used by this detected - threat, to accomplish the goal (e.g. "endpoint denial of service").' + description: "Fields to classify events and alerts according to a threat taxonomy\ + \ such as the MITRE ATT&CK\xAE framework.\nThese fields are for users to classify\ + \ alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy.\ + \ The threat.tactic.* are meant to capture the high level category of the threat\ + \ (e.g. \"impact\"). The threat.technique.* fields are meant to capture which\ + \ kind of approach is used by this detected threat, to accomplish the goal (e.g.\ + \ \"endpoint denial of service\")." type: group fields: - name: framework @@ -4115,33 +4513,30 @@ level: extended type: keyword ignore_above: 1024 - description: The id of tactic used by this threat. You can use the Mitre ATT&CK - Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ - ) + description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\ + \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )" example: TA0040 - name: tactic.name level: extended type: keyword ignore_above: 1024 - description: Name of the type of tactic used by this threat. You can use the - Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ - ) + description: "Name of the type of tactic used by this threat. You can use a\ + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)" example: impact - name: tactic.reference level: extended type: keyword ignore_above: 1024 - description: The reference url of tactic used by this threat. You can use the - Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ - ) + description: "The reference url of tactic used by this threat. You can use a\ + \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/\ + \ )" example: https://attack.mitre.org/tactics/TA0040/ - name: technique.id level: extended type: keyword ignore_above: 1024 - description: The id of technique used by this tactic. You can use the Mitre - ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ - ) + description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\ + \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)" example: T1499 - name: technique.name level: extended @@ -4152,17 +4547,16 @@ type: text norms: false default_field: false - description: The name of technique used by this tactic. You can use the Mitre - ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ - ) - example: endpoint denial of service + description: "The name of technique used by this threat. You can use a MITRE\ + \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)" + example: Endpoint Denial of Service - name: technique.reference level: extended type: keyword ignore_above: 1024 - description: The reference url of technique used by this tactic. You can use - the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ - ) + description: "The reference url of technique used by this threat. You can use\ + \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/\ + \ )" example: https://attack.mitre.org/techniques/T1499/ - name: tls title: TLS @@ -4232,7 +4626,7 @@ ignore_above: 1024 description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. - example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com + example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: client.ja3 level: extended @@ -4261,7 +4655,7 @@ type: keyword ignore_above: 1024 description: Also called an SNI, this tells the server which hostname to which - the client is attempting to connect. When this value is available, it should + the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. example: www.elastic.co default_field: false @@ -4271,7 +4665,7 @@ ignore_above: 1024 description: Distinguished name of subject of the x.509 certificate presented by the client. - example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com + example: CN=myclient, OU=Documentation Team, DC=example, DC=com default_field: false - name: client.supported_ciphers level: extended @@ -4283,29 +4677,200 @@ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - '...' default_field: false - - name: curve + - name: client.x509.alternative_names level: extended type: keyword ignore_above: 1024 - description: String indicating the curve used for the given cipher, when applicable. - example: secp256r1 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' default_field: false - - name: established + - name: client.x509.issuer.common_name level: extended - type: boolean - description: Boolean flag indicating if the TLS negotiation was successful and - transitioned to an encrypted tunnel. + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA default_field: false - - name: next_protocol + - name: client.x509.issuer.country level: extended type: keyword ignore_above: 1024 - description: String indicating the protocol being tunneled. Per the values in - the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), - this string should be lower case. - example: http/1.1 + description: List of country (C) codes + example: US default_field: false - - name: resumed + - name: client.x509.issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: client.x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: client.x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + default_field: false + - name: client.x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + default_field: false + - name: client.x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: client.x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: client.x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: client.x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: client.x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: client.x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + default_field: false + - name: client.x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: client.x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: client.x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + default_field: false + - name: client.x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: shared.global.example.net + default_field: false + - name: client.x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: client.x509.subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + default_field: false + - name: client.x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: client.x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. + default_field: false + - name: client.x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: client.x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: client.x509.version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false + - name: curve + level: extended + type: keyword + ignore_above: 1024 + description: String indicating the curve used for the given cipher, when applicable. + example: secp256r1 + default_field: false + - name: established + level: extended + type: boolean + description: Boolean flag indicating if the TLS negotiation was successful and + transitioned to an encrypted tunnel. + default_field: false + - name: next_protocol + level: extended + type: keyword + ignore_above: 1024 + description: String indicating the protocol being tunneled. Per the values in + the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), + this string should be lower case. + example: http/1.1 + default_field: false + - name: resumed level: extended type: boolean description: Boolean flag indicating if this TLS connection was resumed from @@ -4364,7 +4929,7 @@ ignore_above: 1024 description: Subject of the issuer of the x.509 certificate presented by the server. - example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com + example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com default_field: false - name: server.ja3s level: extended @@ -4393,7 +4958,178 @@ type: keyword ignore_above: 1024 description: Subject of the x.509 certificate presented by the server. - example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com + example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + default_field: false + - name: server.x509.alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: server.x509.issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + default_field: false + - name: server.x509.issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US + default_field: false + - name: server.x509.issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: server.x509.issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: server.x509.issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + default_field: false + - name: server.x509.issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + default_field: false + - name: server.x509.issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: server.x509.not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: server.x509.not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: server.x509.public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: server.x509.public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: server.x509.public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + default_field: false + - name: server.x509.public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: server.x509.serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: server.x509.signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + default_field: false + - name: server.x509.subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: shared.global.example.net + default_field: false + - name: server.x509.subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: server.x509.subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + default_field: false + - name: server.x509.subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: server.x509.subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. + default_field: false + - name: server.x509.subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: server.x509.subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: server.x509.version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 default_field: false - name: version level: extended @@ -4418,6 +5154,16 @@ - to queries made through multiple back-end services. type: group fields: + - name: span.id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier of the span within the scope of its trace. + + A span represents an operation within a transaction, such as a request to + another service, or a database query.' + example: 3ff9a8981b7ccd5a + default_field: false - name: trace.id level: extended type: keyword @@ -4431,7 +5177,7 @@ level: extended type: keyword ignore_above: 1024 - description: 'Unique identifier of the transaction. + description: 'Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server.' @@ -4533,12 +5279,12 @@ ignore_above: 1024 description: 'The highest registered url domain, stripped of the subdomain. - For example, the registered domain for "foo.google.com" is "google.com". + For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".' - example: google.com + example: example.com - name: scheme level: extended type: keyword @@ -4553,7 +5299,7 @@ ignore_above: 1024 description: 'The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain - for google.com is "com". + for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking @@ -4627,7 +5373,7 @@ level: core type: keyword ignore_above: 1024 - description: Unique identifiers of the user. + description: Unique identifier of the user. - name: name level: core type: keyword @@ -4639,6 +5385,13 @@ default_field: false description: Short name or login of the user. example: albert + - name: roles + level: extended + type: keyword + ignore_above: 1024 + description: Array of user roles at the time of the event. + example: '["kibana_admin", "reporting_user"]' + default_field: false - name: user_agent title: User agent group: 2 @@ -4886,3 +5639,188 @@ prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) example: Critical default_field: false + - name: x509 + title: x509 Certificate + group: 2 + description: This implements the common core fields for x509 certificates. This + information is likely logged with TLS sessions, digital signatures found in + executable binaries, S/MIME information in email bodies, or analysis of files + on disk. When only a single certificate is logged in an event, it should be + nested under `file`. When hashes of the DER-encoded certificate are available, + the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For + events that contain certificate information for both sides of the connection, + the x509 object could be nested under the respective side of the connection + information (e.g. `tls.server.x509`). + type: group + fields: + - name: alternative_names + level: extended + type: keyword + ignore_above: 1024 + description: List of subject alternative names (SAN). Name types vary by certificate + authority and certificate type but commonly contain IP addresses, DNS names + (and wildcards), and email addresses. + example: '*.elastic.co' + default_field: false + - name: issuer.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common name (CN) of issuing certificate authority. + example: Example SHA2 High Assurance Server CA + default_field: false + - name: issuer.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) codes + example: US + default_field: false + - name: issuer.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance + Server CA + default_field: false + - name: issuer.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: Mountain View + default_field: false + - name: issuer.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of issuing certificate authority. + example: Example Inc + default_field: false + - name: issuer.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of issuing certificate authority. + example: www.example.com + default_field: false + - name: issuer.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: not_after + level: extended + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16 03:15:39+00:00 + default_field: false + - name: not_before + level: extended + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16 01:40:25+00:00 + default_field: false + - name: public_key_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Algorithm used to generate the public key. + example: RSA + default_field: false + - name: public_key_curve + level: extended + type: keyword + ignore_above: 1024 + description: The curve used by the elliptic curve public key algorithm. This + is algorithm specific. + example: nistp521 + default_field: false + - name: public_key_exponent + level: extended + type: long + description: Exponent used to derive the public key. This is algorithm specific. + example: 65537 + index: false + default_field: false + - name: public_key_size + level: extended + type: long + description: The size of the public key space in bits. + example: 2048 + default_field: false + - name: serial_number + level: extended + type: keyword + ignore_above: 1024 + description: Unique serial number issued by the certificate authority. For consistency, + if this value is alphanumeric, it should be formatted without colons and uppercase + characters. + example: 55FBB9C7DEBF09809D12CCAA + default_field: false + - name: signature_algorithm + level: extended + type: keyword + ignore_above: 1024 + description: Identifier for certificate signature algorithm. We recommend using + names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + example: SHA256-RSA + default_field: false + - name: subject.common_name + level: extended + type: keyword + ignore_above: 1024 + description: List of common names (CN) of subject. + example: shared.global.example.net + default_field: false + - name: subject.country + level: extended + type: keyword + ignore_above: 1024 + description: List of country (C) code + example: US + default_field: false + - name: subject.distinguished_name + level: extended + type: keyword + ignore_above: 1024 + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + default_field: false + - name: subject.locality + level: extended + type: keyword + ignore_above: 1024 + description: List of locality names (L) + example: San Francisco + default_field: false + - name: subject.organization + level: extended + type: keyword + ignore_above: 1024 + description: List of organizations (O) of subject. + example: Example, Inc. + default_field: false + - name: subject.organizational_unit + level: extended + type: keyword + ignore_above: 1024 + description: List of organizational units (OU) of subject. + default_field: false + - name: subject.state_or_province + level: extended + type: keyword + ignore_above: 1024 + description: List of state or province names (ST, S, or P) + example: California + default_field: false + - name: version_number + level: extended + type: keyword + ignore_above: 1024 + description: Version of x509 format. + example: 3 + default_field: false diff --git a/libbeat/autodiscover/appender_test.go b/libbeat/autodiscover/appender_test.go index 9dbf455e7b2..8c8f3190615 100644 --- a/libbeat/autodiscover/appender_test.go +++ b/libbeat/autodiscover/appender_test.go @@ -53,16 +53,16 @@ func TestAppenderRegistry(t *testing.T) { cfg, err := common.NewConfigFrom(&config) // Make sure that config building doesn't fail - assert.Nil(t, err) + assert.NoError(t, err) appender, err := reg.BuildAppender(cfg) - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, appender) // Attempt to build using an array of configs Registry.AddAppender("fake", newFakeAppender) cfgs := []*common.Config{cfg} appenders, err := NewAppenders(cfgs) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, len(appenders), 1) // Attempt to build using an incorrect config @@ -70,10 +70,10 @@ func TestAppenderRegistry(t *testing.T) { Type: "wrong", } icfg, err := common.NewConfigFrom(&incorrectConfig) - assert.Nil(t, err) + assert.NoError(t, err) cfgs = append(cfgs, icfg) appenders, err = NewAppenders(cfgs) - assert.NotNil(t, err) + assert.Error(t, err) assert.Nil(t, appenders) // Try to append onto an event using fakeAppender and the result should have one item diff --git a/libbeat/autodiscover/appenders/config/config_test.go b/libbeat/autodiscover/appenders/config/config_test.go index 36b4ee5b390..8256c852318 100644 --- a/libbeat/autodiscover/appenders/config/config_test.go +++ b/libbeat/autodiscover/appenders/config/config_test.go @@ -92,11 +92,11 @@ condition.equals: } appender, err := NewConfigAppender(config) - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, appender) eveConfig, err := common.NewConfigFrom(&test.eventConfig) - assert.Nil(t, err) + assert.NoError(t, err) test.event["config"] = []*common.Config{eveConfig} appender.Append(test.event) diff --git a/libbeat/autodiscover/autodiscover.go b/libbeat/autodiscover/autodiscover.go index e26a2521c16..ce175b65072 100644 --- a/libbeat/autodiscover/autodiscover.go +++ b/libbeat/autodiscover/autodiscover.go @@ -83,7 +83,7 @@ func NewAutodiscover( // Init providers var providers []Provider for _, providerCfg := range config.Providers { - provider, err := Registry.BuildProvider(bus, providerCfg, keystore) + provider, err := Registry.BuildProvider(name, bus, providerCfg, keystore) if err != nil { return nil, errors.Wrap(err, "error in autodiscover provider settings") } diff --git a/libbeat/autodiscover/autodiscover_test.go b/libbeat/autodiscover/autodiscover_test.go index deec66ece8e..49dc50509e6 100644 --- a/libbeat/autodiscover/autodiscover_test.go +++ b/libbeat/autodiscover/autodiscover_test.go @@ -140,7 +140,7 @@ func TestAutodiscover(t *testing.T) { // Register mock autodiscover provider busChan := make(chan bus.Bus, 1) Registry = NewRegistry() - Registry.AddProvider("mock", func(b bus.Bus, uuid uuid.UUID, c *common.Config, k keystore.Keystore) (Provider, error) { + Registry.AddProvider("mock", func(beatName string, b bus.Bus, uuid uuid.UUID, c *common.Config, k keystore.Keystore) (Provider, error) { // intercept bus to mock events busChan <- b @@ -259,7 +259,7 @@ func TestAutodiscoverHash(t *testing.T) { busChan := make(chan bus.Bus, 1) Registry = NewRegistry() - Registry.AddProvider("mock", func(b bus.Bus, uuid uuid.UUID, c *common.Config, k keystore.Keystore) (Provider, error) { + Registry.AddProvider("mock", func(beatName string, b bus.Bus, uuid uuid.UUID, c *common.Config, k keystore.Keystore) (Provider, error) { // intercept bus to mock events busChan <- b @@ -323,7 +323,7 @@ func TestAutodiscoverWithConfigCheckFailures(t *testing.T) { // Register mock autodiscover provider busChan := make(chan bus.Bus, 1) Registry = NewRegistry() - Registry.AddProvider("mock", func(b bus.Bus, uuid uuid.UUID, c *common.Config, k keystore.Keystore) (Provider, error) { + Registry.AddProvider("mock", func(beatName string, b bus.Bus, uuid uuid.UUID, c *common.Config, k keystore.Keystore) (Provider, error) { // intercept bus to mock events busChan <- b diff --git a/libbeat/autodiscover/builder_test.go b/libbeat/autodiscover/builder_test.go index c5e08a77e39..398754da3fb 100644 --- a/libbeat/autodiscover/builder_test.go +++ b/libbeat/autodiscover/builder_test.go @@ -55,10 +55,10 @@ func TestBuilderRegistry(t *testing.T) { cfg, err := common.NewConfigFrom(&config) // Make sure that config building doesn't fail - assert.Nil(t, err) + assert.NoError(t, err) builder, err := reg.BuildBuilder(cfg) - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, builder) // Try to create a config with fake builder and assert length diff --git a/libbeat/autodiscover/provider.go b/libbeat/autodiscover/provider.go index 510e09ab4bf..ce4a0c50423 100644 --- a/libbeat/autodiscover/provider.go +++ b/libbeat/autodiscover/provider.go @@ -35,7 +35,7 @@ type Provider interface { } // ProviderBuilder creates a new provider based on the given config and returns it -type ProviderBuilder func(bus.Bus, uuid.UUID, *common.Config, keystore.Keystore) (Provider, error) +type ProviderBuilder func(string, bus.Bus, uuid.UUID, *common.Config, keystore.Keystore) (Provider, error) // AddProvider registers a new ProviderBuilder func (r *registry) AddProvider(name string, provider ProviderBuilder) error { @@ -70,7 +70,7 @@ func (r *registry) GetProvider(name string) ProviderBuilder { } // BuildProvider reads provider configuration and instantiate one -func (r *registry) BuildProvider(bus bus.Bus, c *common.Config, keystore keystore.Keystore) (Provider, error) { +func (r *registry) BuildProvider(beatName string, bus bus.Bus, c *common.Config, keystore keystore.Keystore) (Provider, error) { var config ProviderConfig err := c.Unpack(&config) if err != nil { @@ -87,5 +87,5 @@ func (r *registry) BuildProvider(bus bus.Bus, c *common.Config, keystore keystor return nil, err } - return builder(bus, uuid, c, keystore) + return builder(beatName, bus, uuid, c, keystore) } diff --git a/libbeat/autodiscover/providers/docker/docker.go b/libbeat/autodiscover/providers/docker/docker.go index 553b981177e..2680eab54b3 100644 --- a/libbeat/autodiscover/providers/docker/docker.go +++ b/libbeat/autodiscover/providers/docker/docker.go @@ -59,7 +59,13 @@ type Provider struct { } // AutodiscoverBuilder builds and returns an autodiscover provider -func AutodiscoverBuilder(bus bus.Bus, uuid uuid.UUID, c *common.Config, keystore keystore.Keystore) (autodiscover.Provider, error) { +func AutodiscoverBuilder( + beatName string, + bus bus.Bus, + uuid uuid.UUID, + c *common.Config, + keystore keystore.Keystore, +) (autodiscover.Provider, error) { logger := logp.NewLogger("docker") errWrap := func(err error) error { diff --git a/libbeat/autodiscover/providers/docker/docker_integration_test.go b/libbeat/autodiscover/providers/docker/docker_integration_test.go index 0e10af438ff..bbb2bc979bc 100644 --- a/libbeat/autodiscover/providers/docker/docker_integration_test.go +++ b/libbeat/autodiscover/providers/docker/docker_integration_test.go @@ -36,6 +36,8 @@ import ( // Test docker start emits an autodiscover event func TestDockerStart(t *testing.T) { + t.Skip("#20360 Flaky TestDockerStart skipped") + log := logp.NewLogger("docker") d, err := dk.NewClient() @@ -54,7 +56,7 @@ func TestDockerStart(t *testing.T) { s := &template.MapperSettings{nil, nil} config.Templates = *s k, _ := keystore.NewFileKeystore("test") - provider, err := AutodiscoverBuilder(bus, UUID, common.MustNewConfigFrom(config), k) + provider, err := AutodiscoverBuilder("mockBeat", bus, UUID, common.MustNewConfigFrom(config), k) if err != nil { t.Fatal(err) } diff --git a/libbeat/autodiscover/providers/jolokia/jolokia.go b/libbeat/autodiscover/providers/jolokia/jolokia.go index 5a8876a011a..928c1cc8e78 100644 --- a/libbeat/autodiscover/providers/jolokia/jolokia.go +++ b/libbeat/autodiscover/providers/jolokia/jolokia.go @@ -53,7 +53,13 @@ type Provider struct { // AutodiscoverBuilder builds a Jolokia Discovery autodiscover provider, it fails if // there is some problem with the configuration -func AutodiscoverBuilder(bus bus.Bus, uuid uuid.UUID, c *common.Config, keystore keystore.Keystore) (autodiscover.Provider, error) { +func AutodiscoverBuilder( + beatName string, + bus bus.Bus, + uuid uuid.UUID, + c *common.Config, + keystore keystore.Keystore, +) (autodiscover.Provider, error) { errWrap := func(err error) error { return errors.Wrap(err, "error setting up jolokia autodiscover provider") } diff --git a/libbeat/autodiscover/providers/kubernetes/config.go b/libbeat/autodiscover/providers/kubernetes/config.go index a1ec2db5dd5..84672659f74 100644 --- a/libbeat/autodiscover/providers/kubernetes/config.go +++ b/libbeat/autodiscover/providers/kubernetes/config.go @@ -44,6 +44,9 @@ type Config struct { // Scope can be either node or cluster. Scope string `config:"scope"` Resource string `config:"resource"` + // Unique identifies if this provider enables its templates only when it is elected as leader in a k8s cluster + Unique bool `config:"unique"` + LeaderLease string `config:"leader_lease"` Prefix string `config:"prefix"` Hints *common.Config `config:"hints"` @@ -60,6 +63,7 @@ func defaultConfig() *Config { Resource: "pod", CleanupTimeout: 60 * time.Second, Prefix: "co.elastic", + Unique: false, } } @@ -98,6 +102,9 @@ func (c *Config) Validate() error { if c.Scope != "node" && c.Scope != "cluster" { return fmt.Errorf("invalid `scope` configured. supported values are `node` and `cluster`") } + if c.Unique && c.Scope != "cluster" { + logp.L().Warnf("can only set `unique` when scope is `cluster`") + } return nil } diff --git a/libbeat/autodiscover/providers/kubernetes/config_test.go b/libbeat/autodiscover/providers/kubernetes/config_test.go index 0cbe2d14ef2..5be6f334703 100644 --- a/libbeat/autodiscover/providers/kubernetes/config_test.go +++ b/libbeat/autodiscover/providers/kubernetes/config_test.go @@ -44,7 +44,7 @@ func TestConfigWithCustomBuilders(t *testing.T) { config := common.MustNewConfigFrom(&cfg) c := defaultConfig() err := config.Unpack(&c) - assert.Nil(t, err) + assert.NoError(t, err) cfg1 := common.MapStr{ "hints.enabled": false, @@ -52,7 +52,7 @@ func TestConfigWithCustomBuilders(t *testing.T) { config, err = common.NewConfigFrom(&cfg1) c = defaultConfig() err = config.Unpack(&c) - assert.NotNil(t, err) + assert.Error(t, err) } func TestConfigWithIncorrectScope(t *testing.T) { @@ -65,7 +65,7 @@ func TestConfigWithIncorrectScope(t *testing.T) { config := common.MustNewConfigFrom(&cfg) c := defaultConfig() err := config.Unpack(&c) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, "service", c.Resource) assert.Equal(t, "cluster", c.Scope) diff --git a/libbeat/autodiscover/providers/kubernetes/kubernetes.go b/libbeat/autodiscover/providers/kubernetes/kubernetes.go index e1a2cb02ee0..190c646ef0c 100644 --- a/libbeat/autodiscover/providers/kubernetes/kubernetes.go +++ b/libbeat/autodiscover/providers/kubernetes/kubernetes.go @@ -20,7 +20,14 @@ package kubernetes import ( + "context" "fmt" + "time" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + k8s "k8s.io/client-go/kubernetes" + "k8s.io/client-go/tools/leaderelection" + "k8s.io/client-go/tools/leaderelection/resourcelock" "github.com/gofrs/uuid" "github.com/pkg/errors" @@ -47,19 +54,45 @@ type Eventer interface { Stop() } +// EventManager allows defining ways in which kubernetes resource events are observed and processed +type EventManager interface { + GenerateHints(event bus.Event) bus.Event + Start() + Stop() +} + // Provider implements autodiscover provider for docker containers type Provider struct { - config *Config - bus bus.Bus - templates template.Mapper - builders autodiscover.Builders - appenders autodiscover.Appenders - logger *logp.Logger - eventer Eventer + config *Config + bus bus.Bus + templates template.Mapper + builders autodiscover.Builders + appenders autodiscover.Appenders + logger *logp.Logger + eventManager EventManager +} + +// eventerManager implements start/stop methods for autodiscover provider with resource eventer +type eventerManager struct { + eventer Eventer + logger *logp.Logger +} + +// leaderElectionManager implements start/stop methods for autodiscover provider with leaderElection +type leaderElectionManager struct { + leaderElection leaderelection.LeaderElectionConfig + cancelLeaderElection context.CancelFunc + logger *logp.Logger } // AutodiscoverBuilder builds and returns an autodiscover provider -func AutodiscoverBuilder(bus bus.Bus, uuid uuid.UUID, c *common.Config, keystore keystore.Keystore) (autodiscover.Provider, error) { +func AutodiscoverBuilder( + beatName string, + bus bus.Bus, + uuid uuid.UUID, + c *common.Config, + keystore keystore.Keystore, +) (autodiscover.Provider, error) { logger := logp.NewLogger("autodiscover") errWrap := func(err error) error { @@ -67,6 +100,7 @@ func AutodiscoverBuilder(bus bus.Bus, uuid uuid.UUID, c *common.Config, keystore } config := defaultConfig() + config.LeaderLease = fmt.Sprintf("%v-cluster-leader", beatName) err := c.Unpack(&config) if err != nil { return nil, errWrap(err) @@ -103,15 +137,10 @@ func AutodiscoverBuilder(bus bus.Bus, uuid uuid.UUID, c *common.Config, keystore logger: logger, } - switch config.Resource { - case "pod": - p.eventer, err = NewPodEventer(uuid, c, client, p.publish) - case "node": - p.eventer, err = NewNodeEventer(uuid, c, client, p.publish) - case "service": - p.eventer, err = NewServiceEventer(uuid, c, client, p.publish) - default: - return nil, fmt.Errorf("unsupported autodiscover resource %s", config.Resource) + if p.config.Unique { + p.eventManager, err = NewLeaderElectionManager(uuid, config, client, p.startLeading, p.stopLeading, logger) + } else { + p.eventManager, err = NewEventerManager(uuid, c, config, client, p.publish) } if err != nil { @@ -123,14 +152,12 @@ func AutodiscoverBuilder(bus bus.Bus, uuid uuid.UUID, c *common.Config, keystore // Start for Runner interface. func (p *Provider) Start() { - if err := p.eventer.Start(); err != nil { - p.logger.Errorf("Error starting kubernetes autodiscover provider: %s", err) - } + p.eventManager.Start() } // Stop signals the stop channel to force the watch loop routine to stop. func (p *Provider) Stop() { - p.eventer.Stop() + p.eventManager.Stop() } // String returns a description of kubernetes autodiscover provider. @@ -144,7 +171,7 @@ func (p *Provider) publish(event bus.Event) { event["config"] = config } else { // If there isn't a default template then attempt to use builders - e := p.eventer.GenerateHints(event) + e := p.eventManager.GenerateHints(event) if config := p.builders.GetConfig(e); config != nil { event["config"] = config } @@ -154,3 +181,149 @@ func (p *Provider) publish(event bus.Event) { p.appenders.Append(event) p.bus.Publish(event) } + +func (p *Provider) startLeading(uuid string, eventID string) { + event := bus.Event{ + "start": true, + "provider": uuid, + "id": eventID, + "unique": "true", + } + if config := p.templates.GetConfig(event); config != nil { + event["config"] = config + } + p.bus.Publish(event) +} + +func (p *Provider) stopLeading(uuid string, eventID string) { + event := bus.Event{ + "stop": true, + "provider": uuid, + "id": eventID, + "unique": "true", + } + if config := p.templates.GetConfig(event); config != nil { + event["config"] = config + } + p.bus.Publish(event) +} + +func NewEventerManager( + uuid uuid.UUID, + c *common.Config, + cfg *Config, + client k8s.Interface, + publish func(event bus.Event), +) (EventManager, error) { + var err error + em := &eventerManager{} + switch cfg.Resource { + case "pod": + em.eventer, err = NewPodEventer(uuid, c, client, publish) + case "node": + em.eventer, err = NewNodeEventer(uuid, c, client, publish) + case "service": + em.eventer, err = NewServiceEventer(uuid, c, client, publish) + default: + return nil, fmt.Errorf("unsupported autodiscover resource %s", cfg.Resource) + } + + if err != nil { + return nil, err + } + return em, nil +} + +func NewLeaderElectionManager( + uuid uuid.UUID, + cfg *Config, + client k8s.Interface, + startLeading func(uuid string, eventID string), + stopLeading func(uuid string, eventID string), + logger *logp.Logger, +) (EventManager, error) { + lem := &leaderElectionManager{logger: logger} + var id string + if cfg.Node != "" { + id = "beats-leader-" + cfg.Node + } else { + id = "beats-leader-" + uuid.String() + } + lease := metav1.ObjectMeta{ + Name: cfg.LeaderLease, + Namespace: "default", + } + metaUID := lease.GetObjectMeta().GetUID() + lem.leaderElection = leaderelection.LeaderElectionConfig{ + Lock: &resourcelock.LeaseLock{ + LeaseMeta: lease, + Client: client.CoordinationV1(), + LockConfig: resourcelock.ResourceLockConfig{ + Identity: id, + }, + }, + ReleaseOnCancel: true, + LeaseDuration: 15 * time.Second, + RenewDeadline: 10 * time.Second, + RetryPeriod: 2 * time.Second, + Callbacks: leaderelection.LeaderCallbacks{ + OnStartedLeading: func(ctx context.Context) { + logger.Debugf("leader election lock GAINED, id %v", id) + eventID := fmt.Sprintf("%v-%v", metaUID, time.Now().UnixNano()) + startLeading(uuid.String(), eventID) + }, + OnStoppedLeading: func() { + logger.Debugf("leader election lock LOST, id %v", id) + eventID := fmt.Sprintf("%v-%v", metaUID, time.Now().UnixNano()) + stopLeading(uuid.String(), eventID) + }, + }, + } + return lem, nil +} + +// Start for EventManager interface. +func (p *eventerManager) Start() { + if err := p.eventer.Start(); err != nil { + p.logger.Errorf("Error starting kubernetes autodiscover provider: %s", err) + } +} + +// Stop signals the stop channel to force the watch loop routine to stop. +func (p *eventerManager) Stop() { + p.eventer.Stop() +} + +// GenerateHints for EventManager interface. +func (p *eventerManager) GenerateHints(event bus.Event) bus.Event { + return p.eventer.GenerateHints(event) +} + +// Start for EventManager interface. +func (p *leaderElectionManager) Start() { + ctx, cancel := context.WithCancel(context.TODO()) + p.cancelLeaderElection = cancel + p.startLeaderElector(ctx, p.leaderElection) +} + +// Stop signals the stop channel to force the leader election loop routine to stop. +func (p *leaderElectionManager) Stop() { + if p.cancelLeaderElection != nil { + p.cancelLeaderElection() + } +} + +// GenerateHints for EventManager interface. +func (p *leaderElectionManager) GenerateHints(event bus.Event) bus.Event { + return event +} + +// startLeaderElector starts a Leader Elector in the background with the provided config +func (p *leaderElectionManager) startLeaderElector(ctx context.Context, lec leaderelection.LeaderElectionConfig) { + le, err := leaderelection.NewLeaderElector(lec) + if err != nil { + p.logger.Errorf("error while creating Leader Elector: %v", err) + } + p.logger.Debugf("Starting Leader Elector") + go le.Run(ctx) +} diff --git a/libbeat/autodiscover/providers/kubernetes/node.go b/libbeat/autodiscover/providers/kubernetes/node.go index bd529582f0c..a78622756cd 100644 --- a/libbeat/autodiscover/providers/kubernetes/node.go +++ b/libbeat/autodiscover/providers/kubernetes/node.go @@ -23,6 +23,7 @@ import ( "github.com/gofrs/uuid" v1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/equality" k8s "k8s.io/client-go/kubernetes" "github.com/elastic/beats/v7/libbeat/autodiscover/builder" @@ -66,6 +67,7 @@ func NewNodeEventer(uuid uuid.UUID, cfg *common.Config, client k8s.Interface, pu watcher, err := kubernetes.NewWatcher(client, &kubernetes.Node{}, kubernetes.WatchOptions{ SyncTimeout: config.SyncPeriod, Node: config.Node, + IsUpdated: isUpdated, }, nil) if err != nil { @@ -190,6 +192,39 @@ func (n *node) emit(node *kubernetes.Node, flag string) { n.publish(event) } +func isUpdated(o, n interface{}) bool { + old, _ := o.(*kubernetes.Node) + new, _ := n.(*kubernetes.Node) + + // Consider as not update in case one of the two objects is not a Node + if old == nil || new == nil { + return true + } + + // This is a resync. It is not an update + if old.ResourceVersion == new.ResourceVersion { + return false + } + + // If the old object and new object are different + oldCopy := old.DeepCopy() + oldCopy.ResourceVersion = "" + + newCopy := new.DeepCopy() + newCopy.ResourceVersion = "" + + // If the old object and new object are different in either meta or spec then there is a valid change + if !equality.Semantic.DeepEqual(oldCopy.Spec, newCopy.Spec) || !equality.Semantic.DeepEqual(oldCopy.ObjectMeta, newCopy.ObjectMeta) { + return true + } + + // If there is a change in the node status then there is a valid change. + if isNodeReady(old) != isNodeReady(new) { + return true + } + return false +} + func getAddress(node *kubernetes.Node) string { for _, address := range node.Status.Addresses { if address.Type == v1.NodeExternalIP && address.Address != "" { diff --git a/libbeat/autodiscover/providers/kubernetes/node_test.go b/libbeat/autodiscover/providers/kubernetes/node_test.go index 59fb67ada7d..8c29c008fc8 100644 --- a/libbeat/autodiscover/providers/kubernetes/node_test.go +++ b/libbeat/autodiscover/providers/kubernetes/node_test.go @@ -246,8 +246,9 @@ func TestEmitEvent_Node(t *testing.T) { } metaGen := metadata.NewNodeMetadataGenerator(common.NewConfig(), nil) + config := defaultConfig() p := &Provider{ - config: defaultConfig(), + config: config, bus: bus.New(logp.NewLogger("bus"), "test"), templates: mapper, logger: logp.NewLogger("kubernetes"), @@ -261,7 +262,7 @@ func TestEmitEvent_Node(t *testing.T) { logger: logp.NewLogger("kubernetes.no"), } - p.eventer = no + p.eventManager = NewMockNodeEventerManager(no) listener := p.bus.Subscribe() @@ -278,3 +279,184 @@ func TestEmitEvent_Node(t *testing.T) { }) } } + +func NewMockNodeEventerManager(no *node) EventManager { + em := &eventerManager{} + em.eventer = no + return em +} + +func TestNode_isUpdated(t *testing.T) { + tests := []struct { + old *kubernetes.Node + new *kubernetes.Node + updated bool + test string + }{ + { + test: "one of the objects is nil then its updated", + old: nil, + new: &kubernetes.Node{}, + updated: true, + }, + { + test: "both empty nodes should return not updated", + old: &kubernetes.Node{}, + new: &kubernetes.Node{}, + updated: false, + }, + { + test: "resource version is the same should return not updated", + old: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "1", + }, + }, + new: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "1", + }, + }, + }, + { + test: "if meta changes then it should return updated", + old: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "1", + Annotations: map[string]string{}, + }, + }, + new: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "2", + Annotations: map[string]string{ + "a": "b", + }, + }, + }, + updated: true, + }, + { + test: "if spec changes then it should return updated", + old: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "1", + Annotations: map[string]string{ + "a": "b", + }, + }, + Spec: v1.NodeSpec{ + ProviderID: "1", + Unschedulable: false, + }, + }, + new: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "2", + Annotations: map[string]string{ + "a": "b", + }, + }, + Spec: v1.NodeSpec{ + ProviderID: "1", + Unschedulable: true, + }, + }, + updated: true, + }, + { + test: "if overall status doesn't change then its not an update", + old: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "1", + Annotations: map[string]string{ + "a": "b", + }, + }, + Spec: v1.NodeSpec{ + ProviderID: "1", + Unschedulable: true, + }, + Status: v1.NodeStatus{ + Conditions: []v1.NodeCondition{ + { + Type: v1.NodeReady, + Status: v1.ConditionTrue, + }, + }, + }, + }, + new: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "2", + Annotations: map[string]string{ + "a": "b", + }, + }, + Spec: v1.NodeSpec{ + ProviderID: "1", + Unschedulable: true, + }, + Status: v1.NodeStatus{ + Conditions: []v1.NodeCondition{ + { + Type: v1.NodeReady, + Status: v1.ConditionTrue, + }, + }, + }, + }, + updated: false, + }, + { + test: "if node status changes then its an update", + old: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "1", + Annotations: map[string]string{ + "a": "b", + }, + }, + Spec: v1.NodeSpec{ + ProviderID: "1", + Unschedulable: true, + }, + Status: v1.NodeStatus{ + Conditions: []v1.NodeCondition{ + { + Type: v1.NodeReady, + Status: v1.ConditionFalse, + }, + }, + }, + }, + new: &kubernetes.Node{ + ObjectMeta: kubernetes.ObjectMeta{ + ResourceVersion: "2", + Annotations: map[string]string{ + "a": "b", + }, + }, + Spec: v1.NodeSpec{ + ProviderID: "1", + Unschedulable: true, + }, + Status: v1.NodeStatus{ + Conditions: []v1.NodeCondition{ + { + Type: v1.NodeReady, + Status: v1.ConditionTrue, + }, + }, + }, + }, + updated: true, + }, + } + + for _, test := range tests { + t.Run(test.test, func(t *testing.T) { + assert.Equal(t, test.updated, isUpdated(test.old, test.new)) + }) + } +} diff --git a/libbeat/autodiscover/providers/kubernetes/pod.go b/libbeat/autodiscover/providers/kubernetes/pod.go index c856f790a6e..b8679f59ef9 100644 --- a/libbeat/autodiscover/providers/kubernetes/pod.go +++ b/libbeat/autodiscover/providers/kubernetes/pod.go @@ -138,7 +138,7 @@ func (p *pod) OnUpdate(obj interface{}) { switch pod.Status.Phase { case kubernetes.PodSucceeded, kubernetes.PodFailed: // If Pod is in a phase where all containers in the have terminated emit a stop event - p.logger.Debugf("Watcher Pod update (terminating): %+v", obj) + p.logger.Debugf("Watcher Pod update (terminated): %+v", obj) time.AfterFunc(p.config.CleanupTimeout, func() { p.emit(pod, "stop") }) return case kubernetes.PodPending: @@ -146,6 +146,23 @@ func (p *pod) OnUpdate(obj interface{}) { return } + // here handle the case when a Pod is in `Terminating` phase. + // In this case the pod is neither `PodSucceeded` nor `PodFailed` and + // hence requires special handling. + if pod.GetObjectMeta().GetDeletionTimestamp() != nil { + p.logger.Debugf("Watcher Pod update (terminating): %+v", obj) + // Pod is terminating, don't reload its configuration and ignore the event + // if some pod is still running, we will receive more events when containers + // terminate. + for _, container := range pod.Status.ContainerStatuses { + if container.State.Running != nil { + return + } + } + time.AfterFunc(p.config.CleanupTimeout, func() { p.emit(pod, "stop") }) + return + } + p.logger.Debugf("Watcher Pod update: %+v", obj) p.emit(pod, "stop") p.emit(pod, "start") @@ -318,19 +335,29 @@ func (p *pod) emitEvents(pod *kubernetes.Pod, flag string, containers []kubernet // so it works also on `stop` if containers have been already deleted. eventID := fmt.Sprintf("%s.%s", pod.GetObjectMeta().GetUID(), c.Name) + meta := p.metagen.Generate( + pod, + metadata.WithFields("container.name", c.Name), + metadata.WithFields("container.image", c.Image), + ) + cmeta := common.MapStr{ - "id": cid, - "name": c.Name, - "image": c.Image, + "id": cid, + "image": common.MapStr{ + "name": c.Image, + }, "runtime": runtimes[c.Name], } - meta := p.metagen.Generate(pod, metadata.WithFields("container.name", c.Name), - metadata.WithFields("container.image", c.Image)) // Information that can be used in discovering a workload kubemeta := meta.Clone() - kubemeta["container"] = cmeta kubemeta["annotations"] = annotations + kubemeta["container"] = common.MapStr{ + "id": cid, + "name": c.Name, + "image": c.Image, + "runtime": runtimes[c.Name], + } if len(nsAnn) != 0 { kubemeta["namespace_annotations"] = nsAnn } @@ -347,6 +374,7 @@ func (p *pod) emitEvents(pod *kubernetes.Pod, flag string, containers []kubernet "kubernetes": kubemeta, "meta": common.MapStr{ "kubernetes": meta, + "container": cmeta, }, } events = append(events, event) @@ -363,6 +391,7 @@ func (p *pod) emitEvents(pod *kubernetes.Pod, flag string, containers []kubernet "kubernetes": kubemeta, "meta": common.MapStr{ "kubernetes": meta, + "container": cmeta, }, } events = append(events, event) diff --git a/libbeat/autodiscover/providers/kubernetes/pod_test.go b/libbeat/autodiscover/providers/kubernetes/pod_test.go index f22bfc64cea..f8213c5612f 100644 --- a/libbeat/autodiscover/providers/kubernetes/pod_test.go +++ b/libbeat/autodiscover/providers/kubernetes/pod_test.go @@ -446,15 +446,21 @@ func TestEmitEvent(t *testing.T) { "meta": common.MapStr{ "kubernetes": common.MapStr{ "namespace": "default", - "container": common.MapStr{ - "name": "filebeat", - "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, + "container": common.MapStr{ + "name": "filebeat", + "image": "elastic/filebeat:6.3.0", + }, + }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "id": "foobar", + "runtime": "docker", }, }, "config": []*common.Config{}, @@ -565,15 +571,21 @@ func TestEmitEvent(t *testing.T) { "meta": common.MapStr{ "kubernetes": common.MapStr{ "namespace": "default", - "container": common.MapStr{ - "name": "filebeat", - "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, + "container": common.MapStr{ + "name": "filebeat", + "image": "elastic/filebeat:6.3.0", + }, + }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "runtime": "docker", + "id": "foobar", }, }, "config": []*common.Config{}, @@ -604,15 +616,21 @@ func TestEmitEvent(t *testing.T) { "meta": common.MapStr{ "kubernetes": common.MapStr{ "namespace": "default", - "container": common.MapStr{ - "name": "filebeat", - "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, + "container": common.MapStr{ + "name": "filebeat", + "image": "elastic/filebeat:6.3.0", + }, + }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "id": "foobar", + "runtime": "docker", }, }, "config": []*common.Config{}, @@ -769,15 +787,21 @@ func TestEmitEvent(t *testing.T) { "meta": common.MapStr{ "kubernetes": common.MapStr{ "namespace": "default", - "container": common.MapStr{ - "name": "filebeat", - "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, + "container": common.MapStr{ + "name": "filebeat", + "image": "elastic/filebeat:6.3.0", + }, + }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "runtime": "", + "id": "", }, }, "config": []*common.Config{}, @@ -874,13 +898,19 @@ func TestEmitEvent(t *testing.T) { "container": common.MapStr{ "name": "filebeat", "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + }, + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "id": "", + "runtime": "", + }, }, "config": []*common.Config{}, }, @@ -976,13 +1006,19 @@ func TestEmitEvent(t *testing.T) { "container": common.MapStr{ "name": "filebeat", "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + }, + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "runtime": "", + "id": "", + }, }, "config": []*common.Config{}, }, @@ -1013,7 +1049,7 @@ func TestEmitEvent(t *testing.T) { logger: logp.NewLogger("kubernetes.pod"), } - p.eventer = pod + p.eventManager = NewMockPodEventerManager(pod) listener := p.bus.Subscribe() @@ -1034,6 +1070,12 @@ func TestEmitEvent(t *testing.T) { } } +func NewMockPodEventerManager(pod *pod) EventManager { + em := &eventerManager{} + em.eventer = pod + return em +} + func getNestedAnnotations(in common.MapStr) common.MapStr { out := common.MapStr{} diff --git a/libbeat/autodiscover/providers/kubernetes/service_test.go b/libbeat/autodiscover/providers/kubernetes/service_test.go index 7ead61fc3a0..c45c691f75e 100644 --- a/libbeat/autodiscover/providers/kubernetes/service_test.go +++ b/libbeat/autodiscover/providers/kubernetes/service_test.go @@ -414,8 +414,7 @@ func TestEmitEvent_Service(t *testing.T) { logger: logp.NewLogger("kubernetes.service"), } - p.eventer = service - + p.eventManager = NewMockServiceEventerManager(service) listener := p.bus.Subscribe() service.emit(test.Service, test.Flag) @@ -431,3 +430,9 @@ func TestEmitEvent_Service(t *testing.T) { }) } } + +func NewMockServiceEventerManager(svc *service) EventManager { + em := &eventerManager{} + em.eventer = svc + return em +} diff --git a/libbeat/autodiscover/template/config.go b/libbeat/autodiscover/template/config.go index a34cec10444..a1f87d2bcfc 100644 --- a/libbeat/autodiscover/template/config.go +++ b/libbeat/autodiscover/template/config.go @@ -18,7 +18,10 @@ package template import ( + "fmt" + "github.com/elastic/go-ucfg" + "github.com/elastic/go-ucfg/parse" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/bus" @@ -123,7 +126,16 @@ func ApplyConfigTemplate(event bus.Event, configs []*common.Config, options ...u if err != nil { logp.Err("Error building config: %v", err) } + opts := []ucfg.Option{ + // Catch-all resolve function to log fields not resolved in any other way, + // it needs to be the first resolver added, so it is executed the last one. + // Being the last one, its returned error will be the one returned by `Unpack`, + // this is important to give better feedback in case of failure. + ucfg.Resolve(func(name string) (string, parse.Config, error) { + return "", parse.Config{}, fmt.Errorf("field '%s' not available in event or environment", name) + }), + ucfg.PathSep("."), ucfg.Env(vars), ucfg.ResolveEnv, @@ -139,9 +151,9 @@ func ApplyConfigTemplate(event bus.Event, configs []*common.Config, options ...u } // Unpack config to process any vars in the template: var unpacked map[string]interface{} - c.Unpack(&unpacked, opts...) + err = c.Unpack(&unpacked, opts...) if err != nil { - logp.Err("Error unpacking config: %v", err) + logp.Debug("autodiscover", "Configuration template cannot be resolved: %v", err) continue } // Repack again: diff --git a/libbeat/autodiscover/template/config_test.go b/libbeat/autodiscover/template/config_test.go index 87e9ef5592a..7964ba24126 100644 --- a/libbeat/autodiscover/template/config_test.go +++ b/libbeat/autodiscover/template/config_test.go @@ -28,9 +28,12 @@ import ( "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/bus" "github.com/elastic/beats/v7/libbeat/keystore" + "github.com/elastic/beats/v7/libbeat/logp" ) func TestConfigsMapping(t *testing.T) { + logp.TestingSetup() + config, _ := common.NewConfigFrom(map[string]interface{}{ "correct": "config", }) @@ -40,6 +43,13 @@ func TestConfigsMapping(t *testing.T) { "hosts": [1]string{"1.2.3.4:8080"}, }) + const envValue = "valuefromenv" + configFromEnv, _ := common.NewConfigFrom(map[string]interface{}{ + "correct": envValue, + }) + + os.Setenv("CONFIGS_MAPPING_TESTENV", envValue) + tests := []struct { mapping string event bus.Event @@ -79,6 +89,16 @@ func TestConfigsMapping(t *testing.T) { }, expected: []*common.Config{config}, }, + // No condition, value from environment + { + mapping: ` +- config: + - correct: ${CONFIGS_MAPPING_TESTENV}`, + event: bus.Event{ + "foo": 3, + }, + expected: []*common.Config{configFromEnv}, + }, // Match config and replace data.host and data.ports. properly { mapping: ` @@ -111,6 +131,17 @@ func TestConfigsMapping(t *testing.T) { }, expected: []*common.Config{configPorts}, }, + // Missing variable, config is not generated + { + mapping: ` +- config: + - module: something + hosts: ["${not.exists.host}"]`, + event: bus.Event{ + "host": "1.2.3.4", + }, + expected: nil, + }, } for _, test := range tests { diff --git a/libbeat/cfgfile/cfgfile_test.go b/libbeat/cfgfile/cfgfile_test.go index df2ceaabde2..a5e0900f290 100644 --- a/libbeat/cfgfile/cfgfile_test.go +++ b/libbeat/cfgfile/cfgfile_test.go @@ -47,7 +47,7 @@ func TestRead(t *testing.T) { os.Setenv("TEST_KEY", "test_value") assert.NotNil(t, absPath) - assert.Nil(t, err) + assert.NoError(t, err) config := &TestConfig{} diff --git a/libbeat/cfgfile/list.go b/libbeat/cfgfile/list.go index fc50baa3345..9b62d95f6a9 100644 --- a/libbeat/cfgfile/list.go +++ b/libbeat/cfgfile/list.go @@ -92,7 +92,12 @@ func (r *RunnerList) Reload(configs []*reload.ConfigWithMeta) error { for hash, config := range startList { runner, err := createRunner(r.factory, r.pipeline, config) if err != nil { - r.logger.Errorf("Error creating runner from config: %s", err) + if _, ok := err.(*common.ErrInputNotFinished); ok { + // error is related to state, we should not log at error level + r.logger.Debugf("Error creating runner from config: %s", err) + } else { + r.logger.Errorf("Error creating runner from config: %s", err) + } errs = append(errs, errors.Wrap(err, "Error creating runner from config")) continue } diff --git a/libbeat/cmd/instance/beat.go b/libbeat/cmd/instance/beat.go index 0ffd804a299..ca58b9b321f 100644 --- a/libbeat/cmd/instance/beat.go +++ b/libbeat/cmd/instance/beat.go @@ -888,12 +888,9 @@ func (b *Beat) clusterUUIDFetchingCallback() (elasticsearch.ConnectCallback, err } func (b *Beat) setupMonitoring(settings Settings) (report.Reporter, error) { - monitoringCfg, reporterSettings, err := monitoring.SelectConfig(b.Config.MonitoringBeatConfig) - if err != nil { - return nil, err - } + monitoringCfg := b.Config.MonitoringBeatConfig.Monitoring - monitoringClusterUUID, err := monitoring.GetClusterUUID(b.Config.MonitoringBeatConfig.Monitoring) + monitoringClusterUUID, err := monitoring.GetClusterUUID(monitoringCfg) if err != nil { return nil, err } @@ -914,7 +911,6 @@ func (b *Beat) setupMonitoring(settings Settings) (report.Reporter, error) { settings := report.Settings{ DefaultUsername: settings.Monitoring.DefaultUsername, - Format: reporterSettings.Format, ClusterUUID: monitoringClusterUUID, } reporter, err := report.New(b.Info, settings, monitoringCfg, b.Config.Output) diff --git a/libbeat/cmd/instance/metrics.go b/libbeat/cmd/instance/metrics.go index 54cd3ab55d8..fa0d42bbeaf 100644 --- a/libbeat/cmd/instance/metrics.go +++ b/libbeat/cmd/instance/metrics.go @@ -28,6 +28,7 @@ import ( "github.com/elastic/beats/v7/libbeat/metric/system/cpu" "github.com/elastic/beats/v7/libbeat/metric/system/process" "github.com/elastic/beats/v7/libbeat/monitoring" + "github.com/elastic/gosigar/cgroup" ) var ( @@ -65,10 +66,15 @@ func setupMetrics(name string) error { } func setupPlatformSpecificMetrics() { + switch runtime.GOOS { + case "linux": + monitoring.NewFunc(beatMetrics, "cgroup", reportBeatCgroups, monitoring.Report) + case "windows": + setupWindowsHandlesMetrics() + } + if runtime.GOOS != "windows" { monitoring.NewFunc(systemMetrics, "load", reportSystemLoadAverage, monitoring.Report) - } else { - setupWindowsHandlesMetrics() } setupLinuxBSDFDMetrics() @@ -254,3 +260,79 @@ func reportRuntime(_ monitoring.Mode, V monitoring.Visitor) { monitoring.ReportInt(V, "goroutines", int64(runtime.NumGoroutine())) } + +func reportBeatCgroups(_ monitoring.Mode, V monitoring.Visitor) { + V.OnRegistryStart() + defer V.OnRegistryFinished() + + pid, err := process.GetSelfPid() + if err != nil { + logp.Err("error getting PID for self process: %v", err) + return + } + + cgroups, err := cgroup.NewReader("", true) + if err != nil { + if err == cgroup.ErrCgroupsMissing { + logp.Warn("cgroup data collection disabled: %v", err) + } else { + logp.Err("cgroup data collection disabled: %v", err) + } + return + } + selfStats, err := cgroups.GetStatsForProcess(pid) + if err != nil { + logp.Err("error getting group status: %v", err) + return + } + + if cpu := selfStats.CPU; cpu != nil { + monitoring.ReportNamespace(V, "cpu", func() { + if cpu.ID != "" { + monitoring.ReportString(V, "id", cpu.ID) + } + monitoring.ReportNamespace(V, "cfs", func() { + monitoring.ReportNamespace(V, "period", func() { + monitoring.ReportInt(V, "us", int64(cpu.CFS.PeriodMicros)) + }) + monitoring.ReportNamespace(V, "quota", func() { + monitoring.ReportInt(V, "us", int64(cpu.CFS.QuotaMicros)) + }) + }) + monitoring.ReportNamespace(V, "stats", func() { + monitoring.ReportInt(V, "periods", int64(cpu.Stats.Periods)) + monitoring.ReportNamespace(V, "throttled", func() { + monitoring.ReportInt(V, "periods", int64(cpu.Stats.ThrottledPeriods)) + monitoring.ReportInt(V, "ns", int64(cpu.Stats.ThrottledTimeNanos)) + }) + }) + }) + } + + if cpuacct := selfStats.CPUAccounting; cpuacct != nil { + monitoring.ReportNamespace(V, "cpuacct", func() { + if cpuacct.ID != "" { + monitoring.ReportString(V, "id", cpuacct.ID) + } + monitoring.ReportNamespace(V, "total", func() { + monitoring.ReportInt(V, "ns", int64(cpuacct.TotalNanos)) + }) + }) + } + + if memory := selfStats.Memory; memory != nil { + monitoring.ReportNamespace(V, "memory", func() { + if memory.ID != "" { + monitoring.ReportString(V, "id", memory.ID) + } + monitoring.ReportNamespace(V, "mem", func() { + monitoring.ReportNamespace(V, "limit", func() { + monitoring.ReportInt(V, "bytes", int64(memory.Mem.Limit)) + }) + monitoring.ReportNamespace(V, "usage", func() { + monitoring.ReportInt(V, "bytes", int64(memory.Mem.Usage)) + }) + }) + }) + } +} diff --git a/libbeat/common/datetime_test.go b/libbeat/common/datetime_test.go index ff9b433b958..f9c2dfab512 100644 --- a/libbeat/common/datetime_test.go +++ b/libbeat/common/datetime_test.go @@ -50,7 +50,7 @@ func TestParseTime(t *testing.T) { for _, test := range tests { result, err := ParseTime(test.Input) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, test.Output, time.Time(result)) } } @@ -70,7 +70,7 @@ func TestParseTimeNegative(t *testing.T) { for _, test := range tests { _, err := ParseTime(test.Input) - assert.NotNil(t, err) + assert.Error(t, err) assert.Equal(t, test.Err, err.Error()) } } @@ -99,7 +99,7 @@ func TestTimeMarshal(t *testing.T) { for _, test := range tests { result, err := json.Marshal(test.Input) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, test.Output, string(result)) } } diff --git a/libbeat/common/errors.go b/libbeat/common/errors.go new file mode 100644 index 00000000000..68fecb8f550 --- /dev/null +++ b/libbeat/common/errors.go @@ -0,0 +1,32 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package common + +import ( + "fmt" +) + +// ErrInputNotFinished struct for reporting errors related to not finished inputs +type ErrInputNotFinished struct { + State string +} + +// Error method of ErrInputNotFinished +func (e *ErrInputNotFinished) Error() string { + return fmt.Sprintf("Can only start an input when all related states are finished: %+v", e.State) +} diff --git a/libbeat/common/file/file_other.go b/libbeat/common/file/file_other.go index 599108f480b..fa2082da8ac 100644 --- a/libbeat/common/file/file_other.go +++ b/libbeat/common/file/file_other.go @@ -68,3 +68,8 @@ func IsRemoved(f *os.File) bool { _, err := os.Stat(f.Name()) return err != nil } + +// InodeString returns the inode in string. +func (s *StateOS) InodeString() string { + return strconv.FormatUint(s.Inode, 10) +} diff --git a/libbeat/common/file/file_other_test.go b/libbeat/common/file/file_other_test.go index 9efeb10e6e5..79ebadbfc1e 100644 --- a/libbeat/common/file/file_other_test.go +++ b/libbeat/common/file/file_other_test.go @@ -31,10 +31,10 @@ import ( func TestGetOSFileState(t *testing.T) { file, err := ioutil.TempFile("", "") - assert.Nil(t, err) + assert.NoError(t, err) fileinfo, err := file.Stat() - assert.Nil(t, err) + assert.NoError(t, err) state := GetOSState(fileinfo) @@ -50,10 +50,10 @@ func TestGetOSFileState(t *testing.T) { func TestGetOSFileStateStat(t *testing.T) { file, err := ioutil.TempFile("", "") - assert.Nil(t, err) + assert.NoError(t, err) fileinfo, err := os.Stat(file.Name()) - assert.Nil(t, err) + assert.NoError(t, err) state := GetOSState(fileinfo) diff --git a/libbeat/common/file/file_windows.go b/libbeat/common/file/file_windows.go index 1a9ac6e1c76..1b8a9da49de 100644 --- a/libbeat/common/file/file_windows.go +++ b/libbeat/common/file/file_windows.go @@ -146,3 +146,12 @@ func IsRemoved(f *os.File) bool { } return info.DeletePending } + +// InodeString returns idxhi and idxlo as a string. +func (fs *StateOS) InodeString() string { + var buf [61]byte + current := strconv.AppendUint(buf[:0], fs.IdxHi, 10) + current = append(current, '-') + current = strconv.AppendUint(current, fs.IdxLo, 10) + return string(current) +} diff --git a/libbeat/common/file/file_windows_test.go b/libbeat/common/file/file_windows_test.go index 6a25df71e60..b2f732712fb 100644 --- a/libbeat/common/file/file_windows_test.go +++ b/libbeat/common/file/file_windows_test.go @@ -29,10 +29,10 @@ import ( func TestGetOSState(t *testing.T) { file, err := ioutil.TempFile("", "") - assert.Nil(t, err) + assert.NoError(t, err) fileinfo, err := file.Stat() - assert.Nil(t, err) + assert.NoError(t, err) state := GetOSState(fileinfo) @@ -43,10 +43,10 @@ func TestGetOSState(t *testing.T) { func TestGetOSStateStat(t *testing.T) { file, err := ioutil.TempFile("", "") - assert.Nil(t, err) + assert.NoError(t, err) fileinfo, err := os.Stat(file.Name()) - assert.Nil(t, err) + assert.NoError(t, err) state := GetOSState(fileinfo) diff --git a/libbeat/common/kubernetes/metadata/namespace_test.go b/libbeat/common/kubernetes/metadata/namespace_test.go index 40763887197..d059e899137 100644 --- a/libbeat/common/kubernetes/metadata/namespace_test.go +++ b/libbeat/common/kubernetes/metadata/namespace_test.go @@ -139,7 +139,7 @@ func TestNamespace_GenerateFromName(t *testing.T) { metagen := NewNamespaceMetadataGenerator(cfg, namespaces) accessor, err := meta.Accessor(test.input) - require.Nil(t, err) + require.NoError(t, err) t.Run(test.name, func(t *testing.T) { assert.Equal(t, test.output, metagen.GenerateFromName(fmt.Sprint(accessor.GetName()))) diff --git a/libbeat/common/kubernetes/metadata/node_test.go b/libbeat/common/kubernetes/metadata/node_test.go index 100db49c6d8..707ee06ccc3 100644 --- a/libbeat/common/kubernetes/metadata/node_test.go +++ b/libbeat/common/kubernetes/metadata/node_test.go @@ -121,7 +121,7 @@ func TestNode_GenerateFromName(t *testing.T) { metagen := NewNodeMetadataGenerator(cfg, nodes) accessor, err := meta.Accessor(test.input) - require.Nil(t, err) + require.NoError(t, err) t.Run(test.name, func(t *testing.T) { assert.Equal(t, test.output, metagen.GenerateFromName(fmt.Sprint(accessor.GetName()))) diff --git a/libbeat/common/kubernetes/metadata/pod_test.go b/libbeat/common/kubernetes/metadata/pod_test.go index 34bea7a75d3..82095fb8f43 100644 --- a/libbeat/common/kubernetes/metadata/pod_test.go +++ b/libbeat/common/kubernetes/metadata/pod_test.go @@ -138,7 +138,7 @@ func TestPod_Generate(t *testing.T) { config, err := common.NewConfigFrom(map[string]interface{}{ "include_annotations": []string{"app"}, }) - assert.Nil(t, err) + assert.NoError(t, err) metagen := NewPodMetadataGenerator(config, nil, nil, nil) for _, test := range tests { @@ -254,13 +254,13 @@ func TestPod_GenerateFromName(t *testing.T) { config, err := common.NewConfigFrom(map[string]interface{}{ "include_annotations": []string{"app"}, }) - assert.Nil(t, err) + assert.NoError(t, err) pods := cache.NewStore(cache.MetaNamespaceKeyFunc) pods.Add(test.input) metagen := NewPodMetadataGenerator(config, pods, nil, nil) accessor, err := meta.Accessor(test.input) - require.Nil(t, err) + require.NoError(t, err) t.Run(test.name, func(t *testing.T) { assert.Equal(t, test.output, metagen.GenerateFromName(fmt.Sprint(accessor.GetNamespace(), "/", accessor.GetName()))) @@ -360,7 +360,7 @@ func TestPod_GenerateWithNodeNamespace(t *testing.T) { config, err := common.NewConfigFrom(map[string]interface{}{ "include_annotations": []string{"app"}, }) - assert.Nil(t, err) + assert.NoError(t, err) pods := cache.NewStore(cache.MetaNamespaceKeyFunc) pods.Add(test.input) diff --git a/libbeat/common/kubernetes/metadata/service_test.go b/libbeat/common/kubernetes/metadata/service_test.go index 0fc06af3a0b..63b3499fb47 100644 --- a/libbeat/common/kubernetes/metadata/service_test.go +++ b/libbeat/common/kubernetes/metadata/service_test.go @@ -209,7 +209,7 @@ func TestService_GenerateFromName(t *testing.T) { metagen := NewServiceMetadataGenerator(cfg, services, nil) accessor, err := meta.Accessor(test.input) - require.Nil(t, err) + require.NoError(t, err) t.Run(test.name, func(t *testing.T) { assert.Equal(t, test.output, metagen.GenerateFromName(fmt.Sprint(accessor.GetNamespace(), "/", accessor.GetName()))) diff --git a/libbeat/common/kubernetes/watcher.go b/libbeat/common/kubernetes/watcher.go index 606a36ac109..3cef13944ec 100644 --- a/libbeat/common/kubernetes/watcher.go +++ b/libbeat/common/kubernetes/watcher.go @@ -66,6 +66,9 @@ type WatchOptions struct { Node string // Namespace is used for filtering watched resource to given namespace, use "" for all namespaces Namespace string + // IsUpdated allows registering a func that allows the invoker of the Watch to decide what amounts to an update + // vs what does not. + IsUpdated func(old, new interface{}) bool } type item struct { @@ -100,6 +103,19 @@ func NewWatcher(client kubernetes.Interface, resource Resource, opts WatchOption queue = workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), objType) ctx, cancel := context.WithCancel(context.Background()) + if opts.IsUpdated == nil { + opts.IsUpdated = func(o, n interface{}) bool { + old, _ := accessor.ResourceVersion(o.(runtime.Object)) + new, _ := accessor.ResourceVersion(n.(runtime.Object)) + + // Only enqueue changes that have a different resource versions to avoid processing resyncs. + if old != new { + return true + } + return false + } + } + w := &watcher{ client: client, informer: informer, @@ -119,11 +135,7 @@ func NewWatcher(client kubernetes.Interface, resource Resource, opts WatchOption w.enqueue(o, delete) }, UpdateFunc: func(o, n interface{}) { - old, _ := accessor.ResourceVersion(o.(runtime.Object)) - new, _ := accessor.ResourceVersion(n.(runtime.Object)) - - // Only enqueue changes that have a different resource versions to avoid processing resyncs. - if old != new { + if opts.IsUpdated(o, n) { w.enqueue(n, update) } }, diff --git a/libbeat/common/net_test.go b/libbeat/common/net_test.go index 85831579061..d67c411c76c 100644 --- a/libbeat/common/net_test.go +++ b/libbeat/common/net_test.go @@ -28,13 +28,13 @@ import ( func TestIsLoopback(t *testing.T) { check, err := IsLoopback("127.0.0.1") - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, check) } func TestIsLoopback_false(t *testing.T) { check, err := IsLoopback("192.168.1.1") - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, check) } diff --git a/libbeat/common/seccomp/policy_linux_386.go b/libbeat/common/seccomp/policy_linux_386.go index acbc69ddd1f..796b071a104 100644 --- a/libbeat/common/seccomp/policy_linux_386.go +++ b/libbeat/common/seccomp/policy_linux_386.go @@ -46,7 +46,9 @@ func init() { "exit_group", "fchdir", "fchmod", + "fchmodat", "fchown32", + "fchownat", "fcntl", "fcntl64", "fdatasync", diff --git a/libbeat/common/seccomp/policy_linux_amd64.go b/libbeat/common/seccomp/policy_linux_amd64.go index bf1e4bc31c5..4246e6a1a51 100644 --- a/libbeat/common/seccomp/policy_linux_amd64.go +++ b/libbeat/common/seccomp/policy_linux_amd64.go @@ -51,7 +51,9 @@ func init() { "exit_group", "fchdir", "fchmod", + "fchmodat", "fchown", + "fchownat", "fcntl", "fdatasync", "flock", diff --git a/libbeat/common/streambuf/ascii_test.go b/libbeat/common/streambuf/ascii_test.go index 2abbe7ca18b..3ec25c80f0c 100644 --- a/libbeat/common/streambuf/ascii_test.go +++ b/libbeat/common/streambuf/ascii_test.go @@ -30,7 +30,7 @@ func Test_UntilCRLFOK(t *testing.T) { b.Advance(2) d, err := b.UntilCRLF() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) assert.Equal(t, d, []byte("test")) assert.Equal(t, 0, b.Len()) @@ -51,13 +51,13 @@ func Test_UntilCRLFCont(t *testing.T) { assert.Equal(t, ErrNoMoreBytes, err) err = b.Append([]byte("\r\nabc")) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) assert.Equal(t, 4, b.LeftBehind()) d, err := b.UntilCRLF() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) assert.Equal(t, d, []byte("test")) assert.Equal(t, 3, b.Len()) @@ -67,7 +67,7 @@ func Test_UntilCRLFOnlyCRThenCRLF(t *testing.T) { b := New([]byte("test\rtest\r\nabc")) d, err := b.UntilCRLF() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) assert.Equal(t, d, []byte("test\rtest")) assert.Equal(t, 3, b.Len()) @@ -80,13 +80,13 @@ func Test_UntilCRLFOnlyCRThenCRLFWithCont(t *testing.T) { assert.Equal(t, ErrNoMoreBytes, err) err = b.Append([]byte("\nabc")) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) assert.Equal(t, 9, b.LeftBehind()) d, err := b.UntilCRLF() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) assert.Equal(t, d, []byte("test\rtest")) assert.Equal(t, 3, b.Len()) @@ -96,7 +96,7 @@ func Test_IgnoreSymbolOK(t *testing.T) { b := New([]byte(" test")) err := b.IgnoreSymbol(' ') b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) assert.Equal(t, 4, b.Len()) } @@ -118,7 +118,7 @@ func Test_IgnoreSymbolCont(t *testing.T) { b.Append([]byte(" test")) err = b.IgnoreSymbol(' ') b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) assert.Equal(t, 4, b.Len()) } @@ -127,7 +127,7 @@ func Test_UntilSymbolOK(t *testing.T) { b := New([]byte("test ")) d, err := b.UntilSymbol(' ', true) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte("test"), d) } @@ -148,7 +148,7 @@ func Test_UntilSymbolCont(t *testing.T) { b.Append([]byte("t ")) d, err := b.UntilSymbol(' ', true) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte("test"), d) } @@ -156,7 +156,7 @@ func Test_UntilSymbolOrEnd(t *testing.T) { b := New([]byte("test")) d, err := b.UntilSymbol(' ', false) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte("test"), d) } @@ -164,7 +164,7 @@ func Test_AsciiUintOK(t *testing.T) { b := New([]byte("123 ")) v, err := b.UintASCII(false) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint64(123), v) } @@ -195,7 +195,7 @@ func Test_AsciiUintCont(t *testing.T) { b.Append([]byte("34 ")) v, err := b.UintASCII(true) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint64(1234), v) } @@ -203,7 +203,7 @@ func Test_AsciiUintOrEndOK(t *testing.T) { b := New([]byte("12")) v, err := b.UintASCII(false) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint64(12), v) } @@ -211,7 +211,7 @@ func Test_AsciiIntOK(t *testing.T) { b := New([]byte("123 ")) v, err := b.IntASCII(false) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, int64(123), v) } @@ -219,7 +219,7 @@ func Test_AsciiIntPosOK(t *testing.T) { b := New([]byte("+123 ")) v, err := b.IntASCII(false) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, int64(123), v) } @@ -227,7 +227,7 @@ func Test_AsciiIntNegOK(t *testing.T) { b := New([]byte("-123 ")) v, err := b.IntASCII(false) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, int64(-123), v) } @@ -258,7 +258,7 @@ func Test_AsciiIntCont(t *testing.T) { b.Append([]byte("34 ")) v, err := b.IntASCII(true) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, int64(1234), v) } @@ -266,7 +266,7 @@ func Test_AsciiIntOrEndOK(t *testing.T) { b := New([]byte("12")) v, err := b.IntASCII(false) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, int64(12), v) } @@ -274,7 +274,7 @@ func Test_AsciiMatchOK(t *testing.T) { b := New([]byte("match test")) r, err := b.MatchASCII([]byte("match")) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, r) assert.Equal(t, 10, b.Len()) // check no bytes consumed } @@ -283,7 +283,7 @@ func Test_AsciiMatchNo(t *testing.T) { b := New([]byte("match test")) r, err := b.MatchASCII([]byte("batch")) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, r) assert.Equal(t, 10, b.Len()) // check no bytes consumed } @@ -297,7 +297,7 @@ func Test_AsciiMatchCont(t *testing.T) { b.Append([]byte("ch test")) r, err := b.MatchASCII([]byte("match")) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, r) assert.Equal(t, 10, b.Len()) // check no bytes consumed } diff --git a/libbeat/common/streambuf/io_test.go b/libbeat/common/streambuf/io_test.go index 40fb8c1e9be..dcbfb4a232a 100644 --- a/libbeat/common/streambuf/io_test.go +++ b/libbeat/common/streambuf/io_test.go @@ -67,7 +67,7 @@ func Test_ReadByteOK(t *testing.T) { b := New([]byte{1}) v, err := b.ReadByte() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, byte(1), v) _, err = b.ReadByte() @@ -79,10 +79,10 @@ func Test_ReadUnreadByteOK(t *testing.T) { v, err := b.ReadByte() b.checkInvariants(t) assert.Equal(t, byte(1), v) - assert.Nil(t, err) + assert.NoError(t, err) err = b.UnreadByte() - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 2, b.Len()) } @@ -109,7 +109,7 @@ func Test_UnreadAfterEOFOK(t *testing.T) { assert.Equal(t, io.EOF, err) err = b.UnreadByte() - assert.Nil(t, err) + assert.NoError(t, err) } func Test_WriteByte(t *testing.T) { @@ -117,7 +117,7 @@ func Test_WriteByte(t *testing.T) { err := b.WriteByte(1) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 1, b.Len()) assert.Equal(t, byte(1), b.Bytes()[0]) } @@ -130,7 +130,7 @@ func Test_WriteByteEOFCheck(t *testing.T) { err = b.WriteByte(1) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) } func Test_WriteByteFixedFail(t *testing.T) { @@ -147,13 +147,13 @@ func Test_ReadBufSmaller(t *testing.T) { n, err := b.Read(tmp) b.checkInvariants(t) assert.Equal(t, 5, n) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte{1, 2, 3, 4, 5}, tmp[:n]) n, err = b.Read(tmp) b.checkInvariants(t) assert.Equal(t, 3, n) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte{6, 7, 8}, tmp[:n]) n, err = b.Read(tmp) @@ -168,7 +168,7 @@ func Test_ReadBufBigger(t *testing.T) { n, err := b.Read(tmp) b.checkInvariants(t) assert.Equal(t, 8, n) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte{1, 2, 3, 4, 5, 6, 7, 8}, tmp[:n]) n, err = b.Read(tmp) @@ -189,7 +189,7 @@ func Test_WriteOK(t *testing.T) { n, err := b.Write([]byte{1, 2, 3}) b.checkInvariants(t) assert.Equal(t, 3, n) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 3, b.Len()) } @@ -200,7 +200,7 @@ func Test_WriteDoesNotRetain(t *testing.T) { n, err := b.Write(tmp) b.checkInvariants(t) assert.Equal(t, 3, n) - assert.Nil(t, err) + assert.NoError(t, err) b.Bytes()[0] = 'a' assert.Equal(t, byte(1), tmp[0]) @@ -217,7 +217,7 @@ func Test_WriteNil(t *testing.T) { b := New([]byte{1, 2, 3}) n, err := b.Write(nil) assert.Equal(t, 0, n) - assert.Nil(t, err) + assert.NoError(t, err) } func Test_ReadFromOK(t *testing.T) { @@ -226,7 +226,7 @@ func Test_ReadFromOK(t *testing.T) { n, err := b.ReadFrom(from) assert.Equal(t, int64(4), n) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte{1, 2, 3, 4}, b.Bytes()) // check buffers are not retained @@ -249,7 +249,7 @@ func Test_ReadFromIfEOF(t *testing.T) { // copy from n, err := b.ReadFrom(from) assert.Equal(t, int64(4), n) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte{1, 2, 3, 4}, b.Bytes()) // check buffers are not retained @@ -273,12 +273,12 @@ func Test_ReadFromFailOnFixed(t *testing.T) { func Test_ReadRuneOK(t *testing.T) { b := New([]byte("xäüö")) r, s, err := b.ReadRune() - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 'x', r) assert.Equal(t, 1, s) r, s, err = b.ReadRune() - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 'ä', r) assert.Equal(t, 2, s) } @@ -302,7 +302,7 @@ func Test_ReadAtOK(t *testing.T) { tmp := make([]byte, 2) n, err := b.ReadAt(tmp, 1) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 2, n) assert.Equal(t, []byte{3, 4}, tmp[:n]) @@ -328,7 +328,7 @@ func Test_WriteAtToNil(t *testing.T) { b := New(nil) n, err := b.WriteAt([]byte{1, 2, 3}, 4) assert.Equal(t, 3, n) - assert.Nil(t, err) + assert.NoError(t, err) } func Test_WriteAtOverwrites(t *testing.T) { @@ -336,14 +336,14 @@ func Test_WriteAtOverwrites(t *testing.T) { b.Advance(1) n, err := b.WriteAt([]byte{1, 2, 3}, 1) assert.Equal(t, 3, n) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte{'b', 1, 2, 3}, b.Bytes()) b = New(make([]byte, 3, 20)) b.Advance(2) n, err = b.WriteAt([]byte{1, 2, 3}, 1) assert.Equal(t, 3, n) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 4, b.Len()) // assert.Equal(t, []byte{0, 1, 2, 3}, b.Bytes()) } diff --git a/libbeat/common/streambuf/net_test.go b/libbeat/common/streambuf/net_test.go index cbdf5ce5178..c3ddcb1a3a4 100644 --- a/libbeat/common/streambuf/net_test.go +++ b/libbeat/common/streambuf/net_test.go @@ -44,7 +44,7 @@ func Test_ReadNetUint8Data(t *testing.T) { b := New([]byte{10}) v, err := b.ReadNetUint8() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint8(10), v) } @@ -59,7 +59,7 @@ func Test_ReadNetUint8AtFailed(t *testing.T) { func Test_ReadNetUint8AtInRange(t *testing.T) { b := New([]byte{1, 2, 3}) v, err := b.ReadNetUint8At(2) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint8(3), v) } @@ -73,11 +73,11 @@ func Test_ReadNetUint8AtOutOfRange(t *testing.T) { func Test_WriteNetUint8At(t *testing.T) { b := New(nil) err := b.WriteNetUint8At(10, 1) - assert.Nil(t, err) + assert.NoError(t, err) b.Advance(1) tmp, err := b.ReadNetUint8() - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint8(10), tmp) } @@ -100,7 +100,7 @@ func Test_ReadNetUint16Data(t *testing.T) { b := New([]byte{0xf1, 0xf2}) v, err := b.ReadNetUint16() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint16(0xf1f2), v) } @@ -115,7 +115,7 @@ func Test_ReadNetUint16AtFailed(t *testing.T) { func Test_ReadNetUint16AtInRange(t *testing.T) { b := New([]byte{0xf1, 0xf2, 0xf3}) v, err := b.ReadNetUint16At(1) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint16(0xf2f3), v) } @@ -129,11 +129,11 @@ func Test_ReadNetUint16AtOutOfRange(t *testing.T) { func Test_WriteNetUint16At(t *testing.T) { b := New(nil) err := b.WriteNetUint16At(0x1f2f, 1) - assert.Nil(t, err) + assert.NoError(t, err) b.Advance(1) tmp, err := b.ReadNetUint16() - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint16(0x1f2f), tmp) } @@ -156,7 +156,7 @@ func Test_ReadNetUint32Data(t *testing.T) { b := New([]byte{0xf1, 0xf2, 0xf3, 0xf4}) v, err := b.ReadNetUint32() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint32(0xf1f2f3f4), v) } @@ -171,7 +171,7 @@ func Test_ReadNetUint32AtFailed(t *testing.T) { func Test_ReadNetUint32AtInRange(t *testing.T) { b := New([]byte{0xf1, 0xf2, 0xf3, 0xf4, 0xf5}) v, err := b.ReadNetUint32At(1) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint32(0xf2f3f4f5), v) } @@ -185,11 +185,11 @@ func Test_ReadNetUint32AtOutOfRange(t *testing.T) { func Test_WriteNetUint32At(t *testing.T) { b := New(nil) err := b.WriteNetUint32At(0x1f2f3f4f, 1) - assert.Nil(t, err) + assert.NoError(t, err) b.Advance(1) tmp, err := b.ReadNetUint32() - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint32(0x1f2f3f4f), tmp) } @@ -216,7 +216,7 @@ func Test_ReadNetUint64Data(t *testing.T) { }) v, err := b.ReadNetUint64() b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint64(0xf0f1f2f3f4f5f6f7), v) } @@ -235,7 +235,7 @@ func Test_ReadNetUint64AtInRange(t *testing.T) { 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, }) v, err := b.ReadNetUint64At(1) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint64(0xf1f2f3f4f5f6f7f8), v) } @@ -249,10 +249,10 @@ func Test_ReadNetUint64AtOutOfRange(t *testing.T) { func Test_WriteNetUint64At(t *testing.T) { b := New(nil) err := b.WriteNetUint64At(0x1f2f3f4f5f6f7f8f, 1) - assert.Nil(t, err) + assert.NoError(t, err) b.Advance(1) tmp, err := b.ReadNetUint64() - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, uint64(0x1f2f3f4f5f6f7f8f), tmp) } diff --git a/libbeat/common/streambuf/streambuf_test.go b/libbeat/common/streambuf/streambuf_test.go index 9c571c6231c..b21b1a3f03d 100644 --- a/libbeat/common/streambuf/streambuf_test.go +++ b/libbeat/common/streambuf/streambuf_test.go @@ -83,7 +83,7 @@ func Test_SnapshotRestore(t *testing.T) { err := b.Advance(5) assert.Equal(t, 5, b.BufferConsumed()) assert.Equal(t, 4, b.Len()) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) b.Restore(snapshot) @@ -139,7 +139,7 @@ func Test_AppendOnFixedLater(t *testing.T) { b := New([]byte("abc")) err := b.Append([]byte("def")) - assert.Nil(t, err) + assert.NoError(t, err) b.Fix() err = b.Append([]byte("def")) @@ -163,7 +163,7 @@ func Test_AppendAfterNoMoreBytes(t *testing.T) { assert.Equal(t, ErrNoMoreBytes, err) err = b.Append([]byte(" test")) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, b.Failed()) } @@ -244,7 +244,7 @@ func Test_CollectData(t *testing.T) { d, err := b.Collect(2) b.checkInvariants(t) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte("te"), d) } @@ -281,7 +281,7 @@ func Test_CollectWithSuffixData(t *testing.T) { d, err := b.CollectWithSuffix(4, []byte("\r\n")) b.checkInvariants(t) assert.False(t, b.Failed()) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, []byte("test"), d) } diff --git a/libbeat/common/transport/tlscommon/ca_pinning.go b/libbeat/common/transport/tlscommon/ca_pinning.go index e489ca6d6f4..310d9a63723 100644 --- a/libbeat/common/transport/tlscommon/ca_pinning.go +++ b/libbeat/common/transport/tlscommon/ca_pinning.go @@ -32,27 +32,21 @@ var ErrCAPinMissmatch = errors.New("provided CA certificate pins doesn't match a // TLS connection is used. type verifyPeerCertFunc func([][]byte, [][]*x509.Certificate) error -// MakeCAPinCallback loops through the verified chains and will try to match the certificates pin. +// verifyCAPin loops through the verified chains and will try to match the certificates pin. // // NOTE: Defining a PIN to check certificates is not a replacement for the normal TLS validations it's // an additional validation. In fact if you set `InsecureSkipVerify` to true and a PIN, the // verifiedChains variable will be empty and the added validation will fail. -func MakeCAPinCallback(hashes []string) func([][]byte, [][]*x509.Certificate) error { - return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error { - // The chain of trust has been already established before the call to the VerifyPeerCertificate - // function, after we go through the chain to make sure we have at least a certificate certificate - // that match the provided pin. - for _, chain := range verifiedChains { - for _, certificate := range chain { - h := Fingerprint(certificate) - if matches(hashes, h) { - return nil - } +func verifyCAPin(hashes []string, verifiedChains [][]*x509.Certificate) error { + for _, chain := range verifiedChains { + for _, certificate := range chain { + h := Fingerprint(certificate) + if matches(hashes, h) { + return nil } } - - return ErrCAPinMissmatch } + return ErrCAPinMissmatch } // Fingerprint takes a certificate and create a hash of the DER encoded public key. diff --git a/libbeat/common/transport/tlscommon/testdata/ca.crt b/libbeat/common/transport/tlscommon/testdata/ca.crt new file mode 100644 index 00000000000..da2bce043f7 --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/ca.crt @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/zCCAeegAwIBAgIJAIVZ8xw3LMNkMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV +BAMMC21vcmVsbG8ub3ZoMB4XDTE5MDgwOTA5MzQwMFoXDTI5MDgwNjA5MzQwMFow +FjEUMBIGA1UEAwwLbW9yZWxsby5vdmgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQCoM2HYyuTTlu41SlgVO0Hdx7eUQevGSKO6pjPjN49/KKY1z/3DoKzr +seWaGOjiWUAqx/GHX8AsR9ToVoKGBbSNeDxT33pt3I9aCnnOPTt3yDIOlr4ZWnKq +NnNHwfydsMBfBAYgdU/L506KuNHJQ18Zey5+A0roTWyHUT48mQBsjetXg77RfDMB +MYVOWETfl70GKAaAlVGZfJHCkfBzYnPcEjqtcuU/7d27WZrSMhXifzHAEmm0KPER +EWdo4UHTK23wLY6dvkp2O5i0bKHv+PuLpqYrm7R7SWGhhwD651n5S5W20FHDow+d +js0yW2gqYsZZN6S1uAsJ8rdYAEPhK9J9AgMBAAGjUDBOMB0GA1UdDgQWBBQ6Lsen +0HbE+7M6iV9r8n5rZrbl4jAfBgNVHSMEGDAWgBQ6Lsen0HbE+7M6iV9r8n5rZrbl +4jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAgrLJnK4s/OVnh8CRk +GmikP+ZxhDs4k1nlr7+rTYkU0huoHK8p802w4zd74szYsHpo8kON/zSmFD7JpU4L +o2kseENqMsgrCPhF3+TDwf/Li43pbK162iAq8ZEpYnSXbQsRyP+Tz0lzoEoli6o7 +6KVn4VNookLMyhGIAOmhfbNm0jG+B2zz+bvoTAe9CiDfvq1k0fnuKFzRtRsj09NJ +FNMhSc02N4EDrGpL5CYmEXjPZS3lUsoYPwbYlmUt3Bzuf5hI0mDHCt3BYKH1vFI4 +W8/h9wwGn/yytsH21dkj41KEQK6N65gT9i0fBBiubuS2H1SVMMJ/J7PUqol278Ar +zGpS +-----END CERTIFICATE----- diff --git a/libbeat/common/transport/tlscommon/testdata/tls.crt b/libbeat/common/transport/tlscommon/testdata/tls.crt new file mode 100644 index 00000000000..d6528ccec0d --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/tls.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIRAKtKtQKtGFIUneRz5r1FnUMwDQYJKoZIhvcNAQELBQAw +FjEUMBIGA1UEAwwLbW9yZWxsby5vdmgwHhcNMTkwODA5MDkzOTIyWhcNMTkxMTA3 +MDkzOTIyWjBOMRkwFwYDVQQKExBFbGFzdGljc2VhcmNoIENBMTEwLwYDVQQDEyhl +bGFzdGljc2VhcmNoLXNhbXBsZS1lcy1odHRwLmRlZmF1bHQuc3ZjMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq6HRcrfV1kHnXv5Z+ImkgKDvxCezI3/p +yiR0jSv6L7+bblHzzsqkPnz3aaIPJJ2G4sdwaIhl5rJdOvCj48It8OtRidZjzuJH +hN2RpN2Ii5WX4D1u18CrjEQrRUzs/vuwpyP0zWx0yP3lp88fy8kfWHj8cE06KZ3c +jq1fTRjEDv/N6xofqBSIHPsnvOVIP0Sp9bJkw5yO0H3oBfrqP0N2mjnwQknclz30 +t/LoXHcRrZTOH42pgG5ODZslqLNgKLXQHzRcglzNQPwYKYHigBiy+xsHxbIIXe1n +R70PYKXisA0bhHTiV1Sa77dqQRdSkm0JzrNg58lHZYA1sVKTh0nRMQIDAQABo4Gv +MIGsMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFDou +x6fQdsT7szqJX2vyfmtmtuXiMGsGA1UdEQRkMGKCKGVsYXN0aWNzZWFyY2gtc2Ft +cGxlLWVzLWh0dHAuZGVmYXVsdC5zdmOCNmVsYXN0aWNzZWFyY2gtc2FtcGxlLWVz +LWh0dHAuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbDANBgkqhkiG9w0BAQsFAAOC +AQEAL0EBOx2vPXJSIjv8t0S2HkbCSerdDvGSNtkOrTizBtL7EwRSec6nes6OaWo6 +JYVNCP0Y+a4jQQrD9MkFKniKxluvLgbsHHsCnQC5tI5iwaOIZe+33pVyNksTc3CC +l2s6Imqpvt6S3GyuWhcwWhwi3pK0ce9RqoO7GONHZmyuOaHGm1OxPeXJQYu7gTKg +3hMjnNAzLOF1oOIrPKnkxfP4jdOrQE1oKk9QR7ScIKLVHJTJoogCM50I7yD7HnMT +itkHwZhk5ptdA29P/OAcZheO5NOGlWJ6OeQl35A9SxgB3DSRTFORoEBfwPZB4ZLC +zODbmFEr7N0FzCN6hU8PjcLLhg== +-----END CERTIFICATE----- diff --git a/libbeat/common/transport/tlscommon/testdata/unsigned_tls.crt b/libbeat/common/transport/tlscommon/testdata/unsigned_tls.crt new file mode 100644 index 00000000000..710dda0acef --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/unsigned_tls.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDmjCCAoKgAwIBAgIfVNT1201IZeL6eZ5nBDNfdg7z5Rx3pSWKx48R5xEUMzAN +BgkqhkiG9w0BAQUFADBmMQkwBwYDVQQGEwAxCTAHBgNVBAoMADEJMAcGA1UECwwA +MRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20xDzANBgkqhkiG9w0BCQEWADEYMBYG +A1UEAwwPd3d3LmV4YW1wbGUuY29tMB4XDTIwMDcyMzIzNTE1NloXDTMwMDcyNDIz +NTE1NlowTDEJMAcGA1UEBhMAMQkwBwYDVQQKDAAxCTAHBgNVBAsMADEYMBYGA1UE +AwwPd3d3LmV4YW1wbGUuY29tMQ8wDQYJKoZIhvcNAQkBFgAwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDUM6FCJj36941WQVrIKVjHCNKf0bdGiinfxGgL +4SaUywGUo35mp70SFSpEcl3HE5B62Nab3axZ7N3oYeCD5iCJGPI0JWE3/gPdn5ao +2xsGr1sKS+453dkmpDBEnTHNo7HjmvZIDIEzKHDW1QnfeeSGef9TKtVsnoDhGp+u +mMndqBBUEXE/4tIrFuKZLQjxlchw6JQ6fpjmXxZKRCgXJq18/x9jfJnduYpb/DOc +bXfQKZCbJeQdlZO9yxwwmzetZ/7kRZ774qvYtcHs+RVH5tPob1J/xgEoVpE4XAgp +IrYrYCA159ejRJfb5Zs9Hx0AbatzFzTrHzod+jhfDpCh/NX3AgMBAAGjTzBNMB0G +A1UdDgQWBBSuVtBMQ/Q6YHXDi6FQxOGzp+U5pTAfBgNVHSMEGDAWgBSuVtBMQ/Q6 +YHXDi6FQxOGzp+U5pTALBgNVHREEBDACggAwDQYJKoZIhvcNAQEFBQADggEBADNC +AZZUgG4uXpDEIcWKT7gI8G+lbQJjIYciCNtqJsSpxOyN1Vs6tt8FXZBrVjxCa+Ik +TpBZ0OxhY7Ry3veqVoeh9o8ASM8mvFE7y/CjZHtqxh5Q/Q1O5/UuMVy4ilT4hzEb +jXvoH+gLCVxPcaV4cfqfWEWoW3RwfG+NtBq7ZnCl5o7ATDjDl1qe9sZ1rvIq7mLb +Lk7lvNjqZU1PBRj6riW84Tv+yZc2kytqu61l8+NmphKwrKUgVUcbY37knmNIF2tB +pl742yDqYtSu3ODWFtjNw2CZRGhTOcJMXasBFpjch0dz3uM++As0n9r63cNDssDi +GQ6OHiviqMYraJMVFsc= +-----END CERTIFICATE----- diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index 7dcd2162aa1..22cebb2bf8d 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -20,6 +20,7 @@ package tlscommon import ( "crypto/tls" "crypto/x509" + "time" "github.com/elastic/beats/v7/libbeat/logp" ) @@ -68,6 +69,10 @@ type TLSConfig struct { // CASha256 is the CA certificate pin, this is used to validate the CA that will be used to trust // the server certificate. CASha256 []string + + // time returns the current time as the number of seconds since the epoch. + // If time is nil, TLS uses time.Now. + time func() time.Time } // ToConfig generates a tls.Config object. Note, you must use BuildModuleConfig to generate a config with @@ -78,18 +83,16 @@ func (c *TLSConfig) ToConfig() *tls.Config { } minVersion, maxVersion := extractMinMaxVersion(c.Versions) + + // When we are using the CAsha256 pin to validate the CA used to validate the chain, + // or when we are using 'certificate' TLS verification mode, we add a custom callback + verifyPeerCertFn := makeVerifyPeerCertificate(c) + insecure := c.Verification != VerifyFull - if insecure { + if c.Verification == VerifyNone { logp.NewLogger("tls").Warn("SSL/TLS verifications disabled.") } - // When we are usign the CAsha256 pin to validate the CA used to validate the chain - // we add a custom callback. - var verifyPeerCertFn verifyPeerCertFunc - if len(c.CASha256) > 0 { - verifyPeerCertFn = MakeCAPinCallback(c.CASha256) - } - return &tls.Config{ MinVersion: minVersion, MaxVersion: maxVersion, @@ -102,6 +105,7 @@ func (c *TLSConfig) ToConfig() *tls.Config { Renegotiation: c.Renegotiation, ClientAuth: c.ClientAuth, VerifyPeerCertificate: verifyPeerCertFn, + Time: c.time, } } @@ -116,3 +120,34 @@ func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config { config.ServerName = host return config } + +// makeVerifyPeerCertificate creates the verification combination of checking certificate pins and skipping host name validation depending on the config +func makeVerifyPeerCertificate(cfg *TLSConfig) verifyPeerCertFunc { + pin := len(cfg.CASha256) > 0 + skipHostName := cfg.Verification == VerifyCertificate + + if pin && !skipHostName { + return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { + return verifyCAPin(cfg.CASha256, verifiedChains) + } + } + + if pin && skipHostName { + return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { + _, _, err := verifyCertificateExceptServerName(rawCerts, cfg) + if err != nil { + return err + } + return verifyCAPin(cfg.CASha256, verifiedChains) + } + } + + if !pin && skipHostName { + return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { + _, _, err := verifyCertificateExceptServerName(rawCerts, cfg) + return err + } + } + + return nil +} diff --git a/libbeat/common/transport/tlscommon/tls_test.go b/libbeat/common/transport/tlscommon/tls_test.go index b89308494e0..42748770069 100644 --- a/libbeat/common/transport/tlscommon/tls_test.go +++ b/libbeat/common/transport/tlscommon/tls_test.go @@ -55,7 +55,7 @@ func mustLoad(t *testing.T, yamlStr string) *Config { func TestEmptyTlsConfig(t *testing.T) { cfg, err := load("") - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, cfg, &Config{}) } @@ -73,20 +73,20 @@ func TestLoadWithEmptyValues(t *testing.T) { supported_protocols: `) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, cfg, &Config{}) } func TestNoLoadNilConfig(t *testing.T) { cfg, err := LoadTLSConfig(nil) - assert.Nil(t, err) + assert.NoError(t, err) assert.Nil(t, cfg) } func TestNoLoadDisabledConfig(t *testing.T) { enabled := false cfg, err := LoadTLSConfig(&Config{Enabled: &enabled}) - assert.Nil(t, err) + assert.NoError(t, err) assert.Nil(t, cfg) } diff --git a/libbeat/common/transport/tlscommon/types.go b/libbeat/common/transport/tlscommon/types.go index 3c14f1f1ca9..c130a57c71a 100644 --- a/libbeat/common/transport/tlscommon/types.go +++ b/libbeat/common/transport/tlscommon/types.go @@ -117,27 +117,23 @@ var tlsClientAuthTypes = map[string]tlsClientAuth{ "required": tlsClientAuthRequired, } -// TLSVerificationMode represents the type of verification to do on the remote host, -// `none` or `full` and we default to `full`, internally this option is transformed into the -// `insecure` field in the `tls.Config` struct. +// TLSVerificationMode represents the type of verification to do on the remote host: +// `none`, `certificate`, and `full` and we default to `full`. +// Internally this option is transformed into the `insecure` field in the `tls.Config` struct. type TLSVerificationMode uint8 // Constants of the supported verification mode. const ( VerifyFull TLSVerificationMode = iota VerifyNone - - // TODO: add VerifyCertificate support. Due to checks being run - // during handshake being limited, verify certificates in - // postVerifyTLSConnection - // VerifyCertificate + VerifyCertificate ) var tlsVerificationModes = map[string]TLSVerificationMode{ - "": VerifyFull, - "full": VerifyFull, - "none": VerifyNone, - // "certificate": verifyCertificate, + "": VerifyFull, + "full": VerifyFull, + "none": VerifyNone, + "certificate": VerifyCertificate, } func (m TLSVerificationMode) String() string { diff --git a/libbeat/common/transport/tlscommon/verify.go b/libbeat/common/transport/tlscommon/verify.go new file mode 100644 index 00000000000..867e70874a9 --- /dev/null +++ b/libbeat/common/transport/tlscommon/verify.go @@ -0,0 +1,100 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Copyright (c) 2009 The Go Authors. All rights reserved. + +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: + +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. + +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +// This file contains code adapted from golang's crypto/tls/handshake_client.go + +package tlscommon + +import ( + "crypto/x509" + "time" + + "github.com/pkg/errors" +) + +// verifyCertificateExceptServerName is a TLS Certificate verification utility method that verifies that the provided +// certificate chain is valid and is signed by one of the root CAs in the provided tls.Config. It is intended to be +// as similar as possible to the default verify, but does not verify that the provided certificate matches the +// ServerName in the tls.Config. +func verifyCertificateExceptServerName( + rawCerts [][]byte, + c *TLSConfig, +) ([]*x509.Certificate, [][]*x509.Certificate, error) { + // this is where we're a bit suboptimal, as we have to re-parse the certificates that have been presented + // during the handshake. + // the verification code here is taken from verifyServerCertificate in crypto/tls/handshake_client.go:824 + certs := make([]*x509.Certificate, len(rawCerts)) + for i, asn1Data := range rawCerts { + cert, err := x509.ParseCertificate(asn1Data) + if err != nil { + return nil, nil, errors.Wrap(err, "tls: failed to parse certificate from server") + } + certs[i] = cert + } + + var t time.Time + if c.time != nil { + t = c.time() + } else { + t = time.Now() + } + + // DNSName omitted in VerifyOptions in order to skip ServerName verification + opts := x509.VerifyOptions{ + Roots: c.RootCAs, + CurrentTime: t, + Intermediates: x509.NewCertPool(), + } + + for _, cert := range certs[1:] { + opts.Intermediates.AddCert(cert) + } + + headCert := certs[0] + + // defer to the default verification performed + chains, err := headCert.Verify(opts) + return certs, chains, err +} diff --git a/libbeat/common/transport/tlscommon/verify_test.go b/libbeat/common/transport/tlscommon/verify_test.go new file mode 100644 index 00000000000..c08e60642f5 --- /dev/null +++ b/libbeat/common/transport/tlscommon/verify_test.go @@ -0,0 +1,110 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package tlscommon + +import ( + "crypto/x509" + "encoding/pem" + "io/ioutil" + "path/filepath" + "testing" + "time" + + "github.com/stretchr/testify/assert" +) + +// This does not actually test that it ignores the server name because no part of the func even consumes the server name +func Test_verifyCertificateExceptServerName(t *testing.T) { + + tests := []struct { + name string + ca string + chain string + cert string + time func() time.Time + wantErr bool + }{ + { + name: "happy path", + // a CA for morello.ovh valid from August 9 2019 to 2029 + ca: "ca.crt", + // a cert signed by morello.ovh that expired in nov 2019 + cert: "tls.crt", + time: func() time.Time { + layout := "2006-01-02" + t, _ := time.Parse(layout, "2019-10-01") + return t + }, + wantErr: false, + }, + { + name: "cert not signed by CA", + ca: "ca.crt", + // a self-signed cert for www.example.com valid from July 23 2020 to 2030 + cert: "unsigned_tls.crt", + time: func() time.Time { + layout := "2006-01-02" + t, _ := time.Parse(layout, "2020-07-24") + return t + }, + wantErr: true, + }, + { + name: "cert expired", + ca: "ca.crt", + cert: "tls.crt", + wantErr: true, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + cfg := &TLSConfig{time: tc.time} + // load the CA + if tc.ca != "" { + ca := loadFileBytes(tc.ca) + caCertPool := x509.NewCertPool() + caCertPool.AppendCertsFromPEM(ca) + cfg.RootCAs = caCertPool + } + + // load the cert + rawCerts := [][]byte{} + if tc.cert != "" { + pemCert := loadFileBytes(tc.cert) + block, _ := pem.Decode(pemCert) + rawCerts = append(rawCerts, block.Bytes) + } + + _, _, got := verifyCertificateExceptServerName(rawCerts, cfg) + if tc.wantErr { + assert.Error(t, got) + } else { + assert.NoError(t, got) + } + }) + } +} + +func loadFileBytes(fileName string) []byte { + contents, err := ioutil.ReadFile(filepath.Join("testdata", fileName)) + if err != nil { + panic(err) + } + return contents +} diff --git a/libbeat/common/transport/transptest/testing_test.go b/libbeat/common/transport/transptest/testing_test.go index 050ed11076b..8e317ef17ed 100644 --- a/libbeat/common/transport/transptest/testing_test.go +++ b/libbeat/common/transport/transptest/testing_test.go @@ -149,7 +149,7 @@ func TestTransportFailConnectUnknownAddress(t *testing.T) { } err = transp.Connect() - assert.NotNil(t, err) + assert.Error(t, err) }) } }) @@ -171,7 +171,7 @@ func TestTransportClosedOnWriteReadError(t *testing.T) { var buf [10]byte transp.Write([]byte("test3")) _, err = transp.Read(buf[:]) - assert.NotNil(t, err) + assert.Error(t, err) }) } diff --git a/libbeat/common/url_test.go b/libbeat/common/url_test.go index aaded710f83..1a8f5519b1d 100644 --- a/libbeat/common/url_test.go +++ b/libbeat/common/url_test.go @@ -81,7 +81,7 @@ func TestGetUrl(t *testing.T) { for input, output := range inputOutput { urlNew, err := MakeURL("", "", input, 9200) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, output, urlNew, fmt.Sprintf("input: %v", input)) } @@ -94,7 +94,7 @@ func TestGetUrl(t *testing.T) { for input, output := range inputOutputWithDefaults { urlNew, err := MakeURL("https", "/hello", input, 9200) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, output, urlNew) } } @@ -111,7 +111,7 @@ func TestURLParamsEncode(t *testing.T) { for input, output := range inputOutputWithParams { urlNew, err := MakeURL("", "", input, 5601) urlWithParams := EncodeURLParams(urlNew, params) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, output, urlWithParams) } } diff --git a/libbeat/conditions/conditions_test.go b/libbeat/conditions/conditions_test.go index 0977fe313e1..1161f817f4f 100644 --- a/libbeat/conditions/conditions_test.go +++ b/libbeat/conditions/conditions_test.go @@ -36,7 +36,7 @@ func TestCreateNilCondition(t *testing.T) { func GetCondition(t *testing.T, config Config) Condition { cond, err := NewCondition(&config) - assert.Nil(t, err) + assert.NoError(t, err) return cond } diff --git a/libbeat/conditions/equals_test.go b/libbeat/conditions/equals_test.go index 0ddaa0ccefe..f38da727a7a 100644 --- a/libbeat/conditions/equals_test.go +++ b/libbeat/conditions/equals_test.go @@ -31,7 +31,7 @@ func TestEqualsCreate(t *testing.T) { } _, err := NewCondition(&config) - assert.NotNil(t, err) + assert.Error(t, err) } func TestEqualsSingleFieldPositiveMatch(t *testing.T) { diff --git a/libbeat/conditions/matcher_test.go b/libbeat/conditions/matcher_test.go index 13d14462594..0bdf3ea6a68 100644 --- a/libbeat/conditions/matcher_test.go +++ b/libbeat/conditions/matcher_test.go @@ -35,7 +35,7 @@ func TestRegxpCreate(t *testing.T) { }}, } _, err := NewCondition(&config) - assert.NotNil(t, err) + assert.Error(t, err) } func TestContainsMultiFieldPositiveMatch(t *testing.T) { diff --git a/libbeat/conditions/range_test.go b/libbeat/conditions/range_test.go index 311df211580..aca5ce007ad 100644 --- a/libbeat/conditions/range_test.go +++ b/libbeat/conditions/range_test.go @@ -34,7 +34,7 @@ func TestRangeCreateNumeric(t *testing.T) { }}, } _, err := NewCondition(&config) - assert.NotNil(t, err) + assert.Error(t, err) } func TestRangeCreateLexicographic(t *testing.T) { @@ -44,7 +44,7 @@ func TestRangeCreateLexicographic(t *testing.T) { }}, } _, err := NewCondition(&config) - assert.NotNil(t, err) + assert.Error(t, err) } func TestRangeSingleFieldNegativeMatch(t *testing.T) { diff --git a/libbeat/dashboards/importer.go b/libbeat/dashboards/importer.go index bf08fcd327f..f467f21c67c 100644 --- a/libbeat/dashboards/importer.go +++ b/libbeat/dashboards/importer.go @@ -246,6 +246,8 @@ func (imp Importer) ImportArchive() error { if err != nil { return err } + } else { + imp.loader.statusMsg("Skipping import of %s directory. Beat name: %s, base dir name: %s.", dir, imp.cfg.Beat, filepath.Base(dir)) } } return nil @@ -305,7 +307,9 @@ func (imp Importer) ImportKibanaDir(dir string) error { // Loads the internal index pattern if imp.fields != nil { - imp.loader.ImportIndex(imp.fields) + if err = imp.loader.ImportIndex(imp.fields); err != nil { + return errw.Wrap(err, "failed to import Kibana index pattern") + } } dir = path.Join(dir, versionPath) diff --git a/libbeat/docker-compose.yml b/libbeat/docker-compose.yml index be4c0be7dfa..ebd23373325 100644 --- a/libbeat/docker-compose.yml +++ b/libbeat/docker-compose.yml @@ -65,8 +65,7 @@ services: file: ${ES_BEATS}/testing/environments/${TESTING_ENVIRONMENT}.yml service: elasticsearch healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:9200"] - + test: ["CMD-SHELL", "curl -s http://localhost:9200/_cat/health?h=status | grep -q green"] elasticsearchssl: extends: file: ${ES_BEATS}/testing/environments/${TESTING_ENVIRONMENT}.yml diff --git a/libbeat/docs/command-reference.asciidoc b/libbeat/docs/command-reference.asciidoc index 4a600650209..a00a2baed24 100644 --- a/libbeat/docs/command-reference.asciidoc +++ b/libbeat/docs/command-reference.asciidoc @@ -156,18 +156,7 @@ Create an API Key with the specified privilege(s). No required flags. + The user requesting to create an API Key needs to have APM privileges used by the APM Server. A superuser, by default, has these privileges. For other users, -you can create them. Create a role that is then assigned to the user: -+ -["source","sh",subs="attributes"] ----- -PUT /_security/role/apm-privileges { - "applications": [{ - "application": "apm", - "privileges": ["sourcemap:write", "event:write", "config_agent:read"], - "resources": ["*"] - }] -} ----- +you can create them. See <> for required privileges. *`info`*:: Query API Key(s). `--id` or `--name` required. @@ -252,7 +241,7 @@ the credentials required by your cloud service provider. ---- *`FUNCTION_NAME`*:: -Specifies the name of the function to deploy. +Specifies the name of the function to deploy. *FLAGS* @@ -498,7 +487,7 @@ ifeval::["{beatname_lc}"=="functionbeat"] [[package-command]] ==== `package` command -{package-command-short-desc}. +{package-command-short-desc}. *SYNOPSIS* @@ -513,7 +502,7 @@ ifeval::["{beatname_lc}"=="functionbeat"] Shows help for the `package` command. *`-o, --output`*:: -Specifies the full path pattern to use when creating the packages. +Specifies the full path pattern to use when creating the packages. {global-flags} @@ -538,7 +527,7 @@ the credentials required by your cloud service provider. ---- *`FUNCTION_NAME`*:: -Specifies the name of the function to remove. +Specifies the name of the function to remove. *FLAGS* @@ -941,7 +930,7 @@ the credentials required by your cloud service provider. ---- *`FUNCTION_NAME`*:: -Specifies the name of the function to update. +Specifies the name of the function to update. *FLAGS* diff --git a/libbeat/docs/communitybeats.asciidoc b/libbeat/docs/communitybeats.asciidoc index 4ea5e120639..9fc12e4be96 100644 --- a/libbeat/docs/communitybeats.asciidoc +++ b/libbeat/docs/communitybeats.asciidoc @@ -9,8 +9,8 @@ The open source community has been hard at work developing new Beats. You can check out some of them here. -Have a question about a community Beat? You can post questions and discuss issues in the -https://discuss.elastic.co/c/beats/community-beats[Community Beats] category of the Beats discussion forum. +Have a question about developing a community Beat? You can post questions and discuss issues in the +https://discuss.elastic.co/tags/c/elastic-stack/beats/28/beats-development[Beats discussion forum]. Have you created a Beat that's not listed? Add the name and description of your Beat to the source document for https://github.com/elastic/beats/blob/master/libbeat/docs/communitybeats.asciidoc[Community Beats] and https://help.github.com/articles/using-pull-requests[open a pull request] in the https://github.com/elastic/beats[Beats GitHub repository] to get your change merged. When you're ready, go ahead and https://discuss.elastic.co/c/announcements[announce] your new Beat in the Elastic @@ -23,11 +23,11 @@ endif::[] NOTE: Elastic provides no warranty or support for community-sourced Beats. [horizontal] -https://github.com/visasimbu/IIBBeat[IIBBeat]:: Periodically executes shell commands or batch commands to collect IBM Integration node, Integration server, app status, bar file deployment time and bar file location to Logstash or Elasticsearch. https://github.com/awormuth/amazonbeat[amazonbeat]:: Reads data from a specified Amazon product. https://github.com/radoondas/apachebeat[apachebeat]:: Reads status from Apache HTTPD server-status. https://github.com/verticle-io/apexbeat[apexbeat]:: Extracts configurable contextual data and metrics from Java applications via the http://toolkits.verticle.io[APEX] toolkit. -https://github.com/hsngerami/hsnburrowbeat[hsnburrowbeat]:: Monitors Kafka consumer lag for Burrow V1.0.0(API V3). +https://github.com/MelonSmasher/browserbeat[browserbeat]:: Reads and ships browser history (Chrome, Firefox, & Safari) to an Elastic output. +https://github.com/toravir/cborbeat[cborbeat]:: Reads from cbor encoded files (specifically log files). More: https://cbor.io[CBOR Encoding] https://github.com/toravir/csd[Decoder] https://github.com/hartfordfive/cloudflarebeat[cloudflarebeat]:: Indexes log entries from the Cloudflare Enterprise Log Share API. https://github.com/jarl-tornroos/cloudfrontbeat[cloudfrontbeat]:: Reads log events from Amazon Web Services https://aws.amazon.com/cloudfront/[CloudFront]. https://github.com/aidan-/cloudtrailbeat[cloudtrailbeat]:: Reads events from Amazon Web Services' https://aws.amazon.com/cloudtrail/[CloudTrail]. @@ -46,7 +46,7 @@ https://github.com/gamegos/etcdbeat[etcdbeat]:: Reads stats from the Etcd v2 API https://gitlab.com/hatricker/etherbeat[etherbeat]:: Reads blocks from Ethereum compatible blockchain and indexes them into Elasticsearch. https://github.com/christiangalsterer/execbeat[execbeat]:: Periodically executes shell commands and sends the standard output and standard error to Logstash or Elasticsearch. -https://github.com/jarpy/factbeat[factbeat]:: Collects facts from https://puppetlabs.com/facter[Facter]. +https://github.com/jarpy/factbeat[factbeat]:: Collects facts from https://github.com/puppetlabs/facter[Facter]. https://github.com/ctindel/fastcombeat[fastcombeat]:: Periodically gather internet download speed from https://fast.com[fast.com]. https://github.com/cloudronics/fileoccurancebeat[fileoccurencebeat]:: Checks for file existence recurssively under a given directory, handy while handling queues/pipeline buffers. https://github.com/FStelzer/flowbeat[flowbeat]:: Collects, parses, and indexes http://www.sflow.org/index.php[sflow] samples. @@ -59,8 +59,10 @@ https://github.com/ullaakut/hackerbeat[hackerbeat]:: Indexes the top stories of https://github.com/YaSuenag/hsbeat[hsbeat]:: Reads all performance counters in Java HotSpot VM. https://github.com/christiangalsterer/httpbeat[httpbeat]:: Polls multiple HTTP(S) endpoints and sends the data to Logstash or Elasticsearch. Supports all HTTP methods and proxies. +https://github.com/hsngerami/hsnburrowbeat[hsnburrowbeat]:: Monitors Kafka consumer lag for Burrow V1.0.0(API V3). https://github.com/jasperla/hwsensorsbeat[hwsensorsbeat]:: Reads sensors information from OpenBSD. https://github.com/icinga/icingabeat[icingabeat]:: Icingabeat ships events and states from Icinga 2 to Elasticsearch or Logstash. +https://github.com/visasimbu/IIBBeat[IIBBeat]:: Periodically executes shell commands or batch commands to collect IBM Integration node, Integration server, app status, bar file deployment time and bar file location to Logstash or Elasticsearch. https://github.com/devopsmakers/iobeat[iobeat]:: Reads IO stats from /proc/diskstats on Linux. https://github.com/radoondas/jmxproxybeat[jmxproxybeat]:: Reads Tomcat JMX metrics exposed over 'JMX Proxy Servlet' to HTTP. https://github.com/mheese/journalbeat[journalbeat]:: Used for log shipping from systemd/journald based Linux systems. @@ -89,7 +91,8 @@ https://github.com/aristanetworks/openconfigbeat[openconfigbeat]:: Streams data https://github.com/radoondas/owmbeat[owmbeat]:: Open Weather Map beat to pull weather data from all around the world and store and visualize them in Elastic Stack https://github.com/joehillen/packagebeat[packagebeat]:: Collects information about system packages from package managers. -https://github.com/WuerthIT/perfstatbeat[perfstatbeat]:: Collect performance metrics on the AIX operating system. +https://github.com/WuerthIT/perfstatbeat[perfstatbeat]:: Collects performance metrics on the AIX operating system. +https://github.com/stric-co/phishbeat[phishbeat]:: Monitors Certificate Transparency logs for phishing and defamatory domains. https://github.com/kozlice/phpfpmbeat[phpfpmbeat]:: Reads status from PHP-FPM. https://github.com/joshuar/pingbeat[pingbeat]:: Sends ICMP pings to a list of targets and stores the round trip time (RTT) in Elasticsearch. diff --git a/libbeat/docs/howto/load-index-templates.asciidoc b/libbeat/docs/howto/load-index-templates.asciidoc index 0cdd4ed80fb..bd5e249b90c 100644 --- a/libbeat/docs/howto/load-index-templates.asciidoc +++ b/libbeat/docs/howto/load-index-templates.asciidoc @@ -4,7 +4,7 @@ {es} uses {ref}/indices-templates.html[index templates] to define: * Settings that control the behavior of your indices. The settings include the -lifecycle policy used to manage indices as they grow and age. +lifecycle policy used to manage indices as they grow and age. * Mappings that determine how fields are analyzed. Each mapping sets the {ref}/mapping-types.html[{es} datatype] to use for a specific data field. @@ -17,7 +17,7 @@ it's not overwritten unless you configure {beatname_uc} to do so. ifndef::no-output-logstash[] NOTE: A connection to {es} is required to load the index template. If the output is not {es} (or {ess}), you must -<>. +<>. endif::[] This page shows how to change the default template loading behavior to: @@ -83,9 +83,10 @@ The examples here assume that Logstash output is enabled. endif::[] You can omit the `-E` flags if {es} output is already enabled. - +ifndef::apm-server[] If you are connecting to a secured {es} cluster, make sure you've configured credentials as described in the <<{beatname_lc}-installation-configuration>>. +endif::[] If the host running {beatname_uc} does not have direct connectivity to {es}, see <>. diff --git a/libbeat/docs/index.asciidoc b/libbeat/docs/index.asciidoc index 2e603fc2270..e40163fa23b 100644 --- a/libbeat/docs/index.asciidoc +++ b/libbeat/docs/index.asciidoc @@ -21,6 +21,8 @@ include::{libbeat-dir}/shared-beats-attributes.asciidoc[] include::./overview.asciidoc[] +include::./release-notes/whats-new.asciidoc[] + include::./communitybeats.asciidoc[] include::./getting-started.asciidoc[] @@ -29,8 +31,6 @@ include::./config-file-format.asciidoc[] include::./upgrading.asciidoc[] -include::./release-notes/highlights/highlights.asciidoc[] - include::./release-notes/breaking/breaking.asciidoc[] include::./release.asciidoc[] diff --git a/libbeat/docs/monitoring/monitoring-beats.asciidoc b/libbeat/docs/monitoring/monitoring-beats.asciidoc index ab73fdbce92..6f31c73aa2d 100644 --- a/libbeat/docs/monitoring/monitoring-beats.asciidoc +++ b/libbeat/docs/monitoring/monitoring-beats.asciidoc @@ -10,10 +10,10 @@ You can use the {stack} {monitor-features} to gain insight into the health of ifndef::apm-server[] -{beatname_uc} instances running in your environment. +{beatname_uc} instances running in your environment. endif::[] ifdef::apm-server[] -{beatname_uc}. +{beatname_uc}. endif::[] To monitor {beatname_uc}, make sure monitoring is enabled on your {es} cluster, @@ -23,18 +23,15 @@ of following methods: * <> - Internal collectors send monitoring data directly to your monitoring cluster. ifndef::serverless[] -* <> - +* <> - {metricbeat} collects monitoring data from your {beatname_uc} instance and sends it directly to your monitoring cluster. endif::[] -* <> - -Legacy collectors send monitoring data to your production cluster. - //Commenting out this link temporarily until the general monitoring docs can be -//updated. -//To learn about monitoring in general, see -//{ref}/monitor-elasticsearch-cluster.html[Monitor a cluster]. +//updated. +//To learn about monitoring in general, see +//{ref}/monitor-elasticsearch-cluster.html[Monitor a cluster]. -- @@ -43,5 +40,3 @@ include::monitoring-internal-collection.asciidoc[] ifndef::serverless[] include::monitoring-metricbeat.asciidoc[] endif::[] - -include::monitoring-internal-collection-legacy.asciidoc[] diff --git a/libbeat/docs/monitoring/monitoring-internal-collection-legacy.asciidoc b/libbeat/docs/monitoring/monitoring-internal-collection-legacy.asciidoc deleted file mode 100644 index 05378411a00..00000000000 --- a/libbeat/docs/monitoring/monitoring-internal-collection-legacy.asciidoc +++ /dev/null @@ -1,38 +0,0 @@ -////////////////////////////////////////////////////////////////////////// -//// This content is shared by all Elastic Beats. Make sure you keep the -//// descriptions here generic enough to work for all Beats that include -//// this file. When using cross references, make sure that the cross -//// references resolve correctly for any files that include this one. -//// Use the appropriate variables defined in the index.asciidoc file to -//// resolve Beat names: beatname_uc and beatname_lc. -//// Use the following include to pull this content into a doc file: -//// include::../../libbeat/docs/monitoring/monitoring-internal-collection-legacy.asciidoc[] -////////////////////////////////////////////////////////////////////////// - -[role="xpack"] -[[monitoring-internal-collection-legacy]] -== Use legacy collection to send monitoring data -++++ -Use legacy collection (deprecated) -++++ - -deprecated[7.2.0] - -In {beatname_uc} version 7.1 and earlier, you configured internal collectors -that sent monitoring data to the production cluster, which would either index -the data locally, or forward the data to a dedicated monitoring cluster via HTTP -exporters. - -Starting in {beatname_uc} version 7.2, legacy collection settings are deprecated -and will be removed in version 8.0.0. Instead of sending monitoring data to your -production cluster, it's recommended that you use the configuration described -under -<> to route -monitoring data directly to your monitoring cluster. - -ifndef::serverless[] -Or as an alternative to internal collection, use -<>. -endif::[] - -include::shared-monitor-config-legacy.asciidoc[] diff --git a/libbeat/docs/monitoring/shared-monitor-config-legacy.asciidoc b/libbeat/docs/monitoring/shared-monitor-config-legacy.asciidoc deleted file mode 100644 index 0f6c90833ac..00000000000 --- a/libbeat/docs/monitoring/shared-monitor-config-legacy.asciidoc +++ /dev/null @@ -1,138 +0,0 @@ -////////////////////////////////////////////////////////////////////////// -//// This content is shared by all Elastic Beats. Make sure you keep the -//// descriptions here generic enough to work for all Beats that include -//// this file. When using cross references, make sure that the cross -//// references resolve correctly for any files that include this one. -//// Use the appropriate variables defined in the index.asciidoc file to -//// resolve Beat names: beatname_uc and beatname_lc. -//// Use the following include to pull this content into a doc file: -//// include::../../libbeat/docs/monitoring/shared-monitor-config.asciidoc[] -//// Make sure this content appears below a level 2 heading. -////////////////////////////////////////////////////////////////////////// - -[role="xpack"] -[[configuration-monitor-legacy]] -=== Settings for legacy collection - -deprecated::[7.2.0,These settings are deprecated and will be removed in version 8.0.0. Instead of sending monitoring data to your production cluster it's recommended that you use the configuration described under <> to route monitoring data directly to your monitoring cluster.] - -[float] -=== `xpack.monitoring.enabled` deprecated:[7.2] - -The `enabled` config is a boolean setting to enable or disable {monitoring}. -If set to `true`, monitoring is enabled. - -The default value is `false`. - -[float] -=== `xpack.monitoring.elasticsearch` deprecated:[7.2] - -The {es} instances that you want to ship your {beatname_uc} metrics to. This -configuration option contains the following fields: - -[float] -==== `bulk_max_size` - -The maximum number of metrics to bulk in a single {es} bulk API index request. -The default is `50`. For more information, see <>. - -[float] -==== `backoff.init` - -The number of seconds to wait before trying to reconnect to Elasticsearch after -a network error. After waiting `backoff.init` seconds, {beatname_uc} tries to -reconnect. If the attempt fails, the backoff timer is increased exponentially up -to `backoff.max`. After a successful connection, the backoff timer is reset. The -default is 1s. - -[float] -===== `backoff.max` - -The maximum number of seconds to wait before attempting to connect to -Elasticsearch after a network error. The default is 60s. - -[float] -==== `compression_level` - -The gzip compression level. Setting this value to `0` disables compression. The -compression level must be in the range of `1` (best speed) to `9` (best -compression). The default value is `0`. Increasing the compression level -reduces the network usage but increases the CPU usage. - -[float] -==== `headers` - -Custom HTTP headers to add to each request. For more information, see -<>. - -[float] -==== `hosts` - -The list of {es} nodes to connect to. Monitoring metrics are distributed to -these nodes in round-robin order. For more information, see -<>. - -[float] -==== `max_retries` - -The number of times to retry sending the monitoring metrics after a failure. -After the specified number of retries, the metrics are typically dropped. The -default value is `3`. For more information, see <>. - -[float] -==== `parameters` - -Dictionary of HTTP parameters to pass within the url with index operations. - -[float] -==== `password` - -The password that {beatname_uc} uses to authenticate with the {es} instances for -shipping monitoring data. - -[float] -==== `metrics.period` - -The time interval (in seconds) when metrics are sent to the {es} cluster. A new -snapshot of {beatname_uc} metrics is generated and scheduled for publishing each -period. The default value is 10 * time.Second. - -[float] -==== `state.period` - -The time interval (in seconds) when state information are sent to the {es} cluster. A new -snapshot of {beatname_uc} state is generated and scheduled for publishing each -period. The default value is 60 * time.Second. - -[float] -==== `protocol` - -The name of the protocol to use when connecting to the {es} cluster. The options -are: `http` or `https`. The default is `http`. If you specify a URL for `hosts`, -however, the value of protocol is overridden by the scheme you specify in the URL. - -[float] -==== `proxy_url` - -The URL of the proxy to use when connecting to the {es} cluster. For more -information, see <>. - -[float] -==== `timeout` - -The HTTP request timeout in seconds for the {es} request. The default is `90`. - -[float] -==== `ssl` - -Configuration options for Transport Layer Security (TLS) or Secure Sockets Layer -(SSL) parameters like the certificate authority (CA) to use for HTTPS-based -connections. If the `ssl` section is missing, the host CAs are used for -HTTPS connections to {es}. For more information, see <>. - -[float] -==== `username` - -The user ID that {beatname_uc} uses to authenticate with the {es} instances for -shipping monitoring data. - diff --git a/libbeat/docs/output-cloud.asciidoc b/libbeat/docs/output-cloud.asciidoc index f7d4039676b..6ad8329ff7d 100644 --- a/libbeat/docs/output-cloud.asciidoc +++ b/libbeat/docs/output-cloud.asciidoc @@ -1,21 +1,21 @@ [[configure-cloud-id]] -=== Configure the output for the {ecloud} +=== Configure the output for {ess} on {ecloud} [subs="attributes"] ++++ -{ecloud} +{ess} ++++ ifdef::apm-server[] NOTE: This page refers to using a separate instance of APM Server with an existing -https://www.elastic.co/cloud/elasticsearch-service[{ess} deployment]. -If you want to use APM on {ecloud}, see the cloud docs: -{cloud}/ec-create-deployment.html[Create your deployment] or +{ess-product}[{ess} deployment]. +If you want to use APM on {ess}, see: +{cloud}/ec-create-deployment.html[Create your deployment] and {cloud}/ec-manage-apm-settings.html[Add APM user settings]. endif::apm-server[] {beatname_uc} comes with two settings that simplify the output configuration -when used together with https://cloud.elastic.co/[{ecloud}]. When defined, +when used together with {ess-product}[{ess}]. When defined, these setting overwrite settings from other parts in the configuration. Example: @@ -37,11 +37,11 @@ These settings can be also specified at the command line, like this: ==== `cloud.id` -The Cloud ID, which can be found in the {ecloud} web console, is used by +The Cloud ID, which can be found in the {ess} web console, is used by {beatname_uc} to resolve the {es} and {kib} URLs. This setting overwrites the `output.elasticsearch.hosts` and `setup.kibana.host` settings. -NOTE: The base64 encoded `cloud.id` found in the {ecloud} web console does not explicitly specify a port. This means that {beatname_uc} will default to using port 443 when using `cloud.id`, not the commonly configured cloud endpoint port 9243. +NOTE: The base64 encoded `cloud.id` found in the {ess} web console does not explicitly specify a port. This means that {beatname_uc} will default to using port 443 when using `cloud.id`, not the commonly configured cloud endpoint port 9243. ==== `cloud.auth` @@ -49,4 +49,3 @@ When specified, the `cloud.auth` overwrites the `output.elasticsearch.username` `output.elasticsearch.password` settings. Because the Kibana settings inherit the username and password from the {es} output, this can also be used to set the `setup.kibana.username` and `setup.kibana.password` options. - diff --git a/libbeat/docs/outputs-list.asciidoc b/libbeat/docs/outputs-list.asciidoc index 6c47991cb02..bd3b2878aa6 100644 --- a/libbeat/docs/outputs-list.asciidoc +++ b/libbeat/docs/outputs-list.asciidoc @@ -3,6 +3,9 @@ //# tag::outputs-list[] +ifndef::no_cloud_id[] +* <> +endif::[] ifndef::no_es_output[] * <> endif::[] @@ -21,13 +24,17 @@ endif::[] ifndef::no_console_output[] * <> endif::[] -ifndef::no_cloud_id[] -* <> -endif::[] //# end::outputs-list[] //# tag::outputs-include[] +ifndef::no_cloud_id[] +ifdef::requires_xpack[] +[role="xpack"] +endif::[] +include::output-cloud.asciidoc[] +endif::[] + ifndef::no_es_output[] ifdef::requires_xpack[] [role="xpack"] @@ -70,13 +77,6 @@ endif::[] include::{libbeat-outputs-dir}/console/docs/console.asciidoc[] endif::[] -ifndef::no_cloud_id[] -ifdef::requires_xpack[] -[role="xpack"] -endif::[] -include::output-cloud.asciidoc[] -endif::[] - ifndef::no_codec[] ifdef::requires_xpack[] [role="xpack"] diff --git a/libbeat/docs/overview.asciidoc b/libbeat/docs/overview.asciidoc index c28047243a6..11dc10f2b8f 100644 --- a/libbeat/docs/overview.asciidoc +++ b/libbeat/docs/overview.asciidoc @@ -1,5 +1,5 @@ [[beats-reference]] -== Beats overview +== What are {beats}? {beats} are open source data shippers that you install as agents on your servers to send operational data to diff --git a/libbeat/docs/release-notes/breaking/breaking-7.9.asciidoc b/libbeat/docs/release-notes/breaking/breaking-7.9.asciidoc new file mode 100644 index 00000000000..19feb7c4d3b --- /dev/null +++ b/libbeat/docs/release-notes/breaking/breaking-7.9.asciidoc @@ -0,0 +1,23 @@ +[[breaking-changes-7.9]] + +=== Breaking changes in 7.9 +++++ +7.9 +++++ + +{see-relnotes} + +//NOTE: The notable-breaking-changes tagged regions are re-used in the +//Installation and Upgrade Guide + +//tag::notable-breaking-changes[] +[float] +==== Some {filebeat} Okta module settings no longer accept JSON strings + +Prior to version 7.9, the OKTA module accepted JSON strings for some +configuration settings (`http_headers`, `http_request_body`, `pagination`, +`rate_limit`, and `ssl`). This was inconsistent with other {beats} settings, so +it has been removed. + +The affected settings now expect regular YAML objects for values. +// end::notable-breaking-changes[] diff --git a/libbeat/docs/release-notes/breaking/breaking.asciidoc b/libbeat/docs/release-notes/breaking/breaking.asciidoc index 7e758e91d3c..c4ffb88115b 100644 --- a/libbeat/docs/release-notes/breaking/breaking.asciidoc +++ b/libbeat/docs/release-notes/breaking/breaking.asciidoc @@ -11,6 +11,8 @@ changes, but there are breaking changes between major versions (e.g. 6.x to See the following topics for a description of breaking changes: +* <> + * <> * <> @@ -29,6 +31,8 @@ See the following topics for a description of breaking changes: * <> +include::breaking-7.9.asciidoc[] + include::breaking-7.8.asciidoc[] include::breaking-7.7.asciidoc[] diff --git a/libbeat/docs/release-notes/highlights/highlights-7.0.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.0.0.asciidoc deleted file mode 100644 index 2eadf156ead..00000000000 --- a/libbeat/docs/release-notes/highlights/highlights-7.0.0.asciidoc +++ /dev/null @@ -1,107 +0,0 @@ -[[release-highlights-7.0.0]] -=== 7.0 release highlights -++++ -7.0 -++++ - -Each release of {beats} brings new features and product improvements. -Following are the most notable features and enhancements in 7.0. - -For a complete list of highlights, see the -https://www.elastic.co/blog/beats-7-0-0-released[{beats} 7.0 release blog]. - -For a list of bug fixes and other changes, see the {beats} -<> and <>. - -//NOTE: The notable-highlights tagged regions are re-used in the -//Installation and Upgrade Guide - -// tag::notable-highlights[] - -[float] -==== Elastic Common Schema (ECS) - -The {ecs-ref}/index.html[Elastic Common Schema], or ECS, is an open source -specification that defines a common set of document fields for event data -ingested into {es}. ECS makes it dramatically easier for users to correlate data -across sources and develop common content, such as dashboards and machine -learning jobs. - -In 7.0, all {beats} and {beats} modules generate ECS format events by default. -This means that adopting ECS is as easy as upgrading to {beats} 7.0. All {beats} -module dashboards in 7.0 make use of ECS. - -Migrating to a common schema means that many fields have been renamed. We have -developed an upgrade procedure that uses {es} field aliases to make the -transition easier. After the upgrade is complete, we strongly advise that you -adjust your custom {kib} dashboards, machine learning jobs, and other content to -use the new ECS field names. - -See the {beats-ref}/upgrading.html[{beats} upgrade documentation] for more -information. - -[float] -==== Index lifecycle management (ILM) - -In 6.6, {es} added advanced capabilities for index management. Rather than -simply performing management actions on your indices on a set schedule, you can -base actions on other factors such as shard size and performance requirements. -You control how indices are handled as they age by attaching a lifecycle policy -to the index template used to create them. You can update the policy to modify -the lifecycle of both new and existing indices. This set of capabilities are -grouped in the {ref}/index-lifecycle-management.html[index lifecycle management -(ILM)] APIs. - -In 7.0, {beats} defaults to rotating indices by using ILM policies, if the {es} -version to which they connect supports ILM. The default policy rotates indices -when they reach 50 GB or 30 days. You can edit the ILM policy by using the {kib} -management UI, or directly via the {es} API. - -[float] -==== Stack monitoring - -The full suite of modules to {ref}/monitoring-production.html[monitor your -{stack}] are now GA. These include the {metricbeat} modules for {es}, {ls}, and -{kib}. - -In the future, we will switch to {metricbeat} as the recommended agent -for monitoring the {stack}. To prepare for the switch, see -{ref}/configuring-metricbeat.html[Collecting {es} monitoring data with {metricbeat}]. - -[float] -==== Logs and infrastructure metrics - -{beats} adds several new modules, focusing on datastores and the cloud. - -On the cloud side, {metricbeat} adds the -{metricbeat-ref}/metricbeat-module-aws.html[AWS] module, which collects and -centralizes basic resource utilization metrics from all your EC2 instances, -directly from Cloudwatch. A widely used messaging platform, -{metricbeat-ref}/metricbeat-module-nats.html[NATS], earns its own module for -capturing stats, connections, routes, and subscriptions metrics. - -For datastores, {metricbeat} offers modules for Microsoft SQL Server and -CouchDB. The {metricbeat-ref}/metricbeat-module-mssql.html[MSSQL] module -captures transaction log and performance counters, while the -{metricbeat-ref}/metricbeat-module-couchdb.html[CouchDB] module provides a -server metricset. - -[float] -==== Security analytics data sources - -For data relevant to security analytics, {filebeat} adds a -{filebeat-ref}/filebeat-module-zeek.html[Zeek] module that integrates with the -popular open-source Zeek project, formerly known as Bro, and a -{filebeat-ref}/filebeat-module-santa.html[Santa] module, which tracks process -executions on macOS. These modules add to the list of data sources already -supported in the 6.x series, including -{filebeat-ref}/filebeat-module-suricata.html[Suricata], -{filebeat-ref}/filebeat-module-iptables.html[IPtables], and -{filebeat-ref}/filebeat-input-netflow.html[NetFlow]. - -In addition, the {auditbeat} -{auditbeat-ref}/auditbeat-module-system.html[system] module keeps improving, and -the transition to ECS makes all {beats} modules more useful for security -use cases. - -// end::notable-highlights[] diff --git a/libbeat/docs/release-notes/highlights/highlights-7.1.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.1.0.asciidoc deleted file mode 100644 index 3ce62777e92..00000000000 --- a/libbeat/docs/release-notes/highlights/highlights-7.1.0.asciidoc +++ /dev/null @@ -1,20 +0,0 @@ -[[release-highlights-7.1.0]] -=== 7.1 release highlights -++++ -7.1 -++++ - -Each release of {beats} brings new features and product improvements. -Following are the most notable features and enhancements in 7.1. - -For a list of bug fixes and other changes, see the {beats} -<> and <>. - -//NOTE: The notable-highlights tagged regions are re-used in the -//Installation and Upgrade Guide - -// tag::notable-highlights[] -Some Elastic Stack security features, such as encrypted communications, -file and native authentication, and role-based access control, are now available -in more subscription levels. For details, see https://www.elastic.co/subscriptions. -// end::notable-highlights[] diff --git a/libbeat/docs/release-notes/highlights/highlights-7.2.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.2.0.asciidoc deleted file mode 100644 index 42ca5ab7a1c..00000000000 --- a/libbeat/docs/release-notes/highlights/highlights-7.2.0.asciidoc +++ /dev/null @@ -1,75 +0,0 @@ -[[release-highlights-7.2.0]] -=== 7.2 release highlights -++++ -7.2 -++++ - -Each release of {beats} brings new features and product improvements. -Following are the most notable features and enhancements in 7.2. - -For a complete list of highlights, see the -https://www.elastic.co/blog/beats-7-2-0-released[{beats} 7.2 release blog]. - -For a list of bug fixes and other changes, see the {beats} -<> and <>. - -//NOTE: The notable-highlights tagged regions are re-used in the -//Installation and Upgrade Guide - -// tag::notable-highlights[] -// ADD NOTABLE HIGHLIGHTS HERE -[float] -==== Scripted processing - -In this release, Beats offers a {filebeat-ref}/processor-script.html[script -processor] for processing events with Javascript code. It also includes an event -API that eases the overall event manipulation experience. As Beats often run on -host servers, the script processor has been properly sandboxed to only execute -https://www.ecma-international.org/ecma-262/5.1/[ECMAScript 5.1 code]. It can -therefore only manipulate the event that it’s given and cannot interact with the -host or any external services. - -[float] -==== Security analytics - -{beats} adds several new integrations for security use cases. {filebeat} offers -new logging modules for popular firewall technologies. The -{filebeat-ref}/filebeat-module-panw.html[Palo Alto Networks module] monitors -PAN-OS firewall logs, and the {filebeat-ref}/filebeat-module-cisco.html[Cisco -ASA module] monitors Cisco ASA firewall logs. These logs can be received via -syslog or extracted directly from a file. {filebeat} also offers a new -{filebeat-ref}/filebeat-module-netflow.html[NetFlow module] that monitors -NetFlow and IPFIX flow records. - -Beyond these integrations, the 7.2 release introduces the Elastic -{kibana-ref}/xpack-siem.html[SIEM application in {kib}]. - -[float] -==== Cloud monitoring - -The {filebeat-ref}/filebeat-module-nats.html[NATS module] is now available in -{filebeat} for monitoring the NATS messaging system logs. This complements the -{metricbeat-ref}/metricbeat-module-nats.html[NATS module in {metricbeat}] that -was introduced in {beats} 7.0.0. This release also adds -{filebeat-ref}/filebeat-module-coredns.html[CoreDNS modules in {filebeat}] and -{metricbeat-ref}/metricbeat-module-coredns.html[{metricbeat}] to monitor CoreDNS -logs and metrics. - -{filebeat} also introduces a new -{filebeat-ref}/filebeat-input-container.html[container input] as a more dynamic -way of collecting container logs. It supports auto-detection of both Docker and -CRI-O log formats. CRI-O is an increasingly popular container runtime for -Kubernetes. You should use the container input in favor of the existing Docker -input, which is now deprecated. - -[float] -==== Windows monitoring - -Winlogbeat adds two new modules in this release. The -{winlogbeat-ref}/winlogbeat-module-sysmon.html[Sysmon module] monitors event log -records from the Sysinternals System Monitor, and the -{winlogbeat-ref}/winlogbeat-module-security.html[Security module] monitors -Windows security event logs. This release also adds support for the newer -Windows XML Event Log (EVTX) format. - -// end::notable-highlights[] diff --git a/libbeat/docs/release-notes/highlights/highlights-7.3.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.3.0.asciidoc deleted file mode 100644 index d37d58321a1..00000000000 --- a/libbeat/docs/release-notes/highlights/highlights-7.3.0.asciidoc +++ /dev/null @@ -1,121 +0,0 @@ -[[release-highlights-7.3.0]] -=== 7.3 release highlights -++++ -7.3 -++++ - -Each release of {beats} brings new features and product improvements. -Following are the most notable features and enhancements in 7.3. - -For a complete list of highlights, see the -https://www.elastic.co/blog/beats-7-3-0-released[{beats} 7.3 release blog]. - -For a list of bug fixes and other changes, see the {beats} -<> and <>. - -//NOTE: The notable-highlights tagged regions are re-used in the -//Installation and Upgrade Guide - -// tag::notable-highlights[] -// ADD NOTABLE HIGHLIGHTS HERE -[float] -==== Automated {functionbeat} deployment with CloudFormation templates - -{functionbeat} 7.3.0 introduces the ability to export a CloudFormation -template for integration with automation systems. Previously, {functionbeat} was -only available for manual command line deployment, but with this new -functionality, you can more easily automate {functionbeat} deployments through -their own CloudFormation stacks. - -To export CloudFormation templates, use the following command: - -[source,shell] ----- -$ ./functionbeat export function ----- - -[float] -==== Google Cloud integrations - -{filebeat} 7.3.0 introduces a -{filebeat-ref}/filebeat-module-googlecloud.html[Google Cloud module] that -monitors Virtual Private Cloud (VPC) flow logs from Google Cloud through -Stackdriver. It ships data to {es} in ECS format, so it’s immediately available -for analysis in the https://www.elastic.co/products/siem[SIEM app] (or with -https://www.elastic.co/products/maps[Maps] or a -https://www.elastic.co/what-is/kibana-canvas[Canvas] workpad). - -Along with the module, {filebeat} also introduces a -{filebeat-ref}/filebeat-input-google-pubsub.html[Google Cloud Pub/Sub] input for -consuming from Google Cloud Pub/Sub topics. You can use this input to ingest all -your events from Google Cloud for real-time analytics with the {stack}. - -[float] -==== Expanded database monitoring - -7.3.0 introduces support for three new databases in {metricbeat} and a new -database source in {filebeat}. - -* *Oracle Database* -+ -The {metricbeat} {metricbeat-ref}/metricbeat-module-oracle.html[Oracle -module] provides the -{metricbeat-ref}/metricbeat-metricset-oracle-tablespace.html[`tablespace`] -metricset, which includes information about data files and temp files, grouped -by tablespace. This module includes information about used and free space, the -status of the data files, and the status of the tablespace itself. - -* *Amazon RDS* -+ -If you’re using https://aws.amazon.com/rds/[Amazon Relational Database Service -(RDS)], you can now collect a rich set of metrics about your deployment, from -CPU and memory usage, to disk and network throughput and latency. See all the -details in the {metricbeat-ref}/metricbeat-metricset-aws-rds.html[`RDS`] -metricset, now available in the {metricbeat} -{metricbeat-ref}/metricbeat-module-aws.html[AWS module]. - -* *CockroachDB* -+ -The {metricbeat} {metricbeat-ref}/metricbeat-module-cockroachdb.html[CockroachDB -module] exposes the -{metricbeat-ref}/metricbeat-metricset-cockroachdb-status.html[`status`] -metricset, which is compatible with any CockroachDB version exposing metrics in -Prometheus format. - -* *Microsoft SQL Server* -+ -The {filebeat} {filebeat-ref}/filebeat-module-mssql.html[MS SQL module] monitors -the Microsoft SQL Server error logs with the {stack}. - -[float] -==== Improved Kubernetes monitoring - -{metricbeat} 7.3.0 strengthens Kubernetes observability by introducing -metricsets for three additional Kubernetes components: - -* The {metricbeat-ref}/metricbeat-metricset-kubernetes-controllermanager.html[`controllermanager`] -metricset captures metrics from -https://kubernetes.io/docs/reference/command-line-tools-reference/cloud-controller-manager/[kube-controller-manager]. - -* The {metricbeat-ref}/metricbeat-metricset-kubernetes-proxy.html[`proxy`] -metricset covers -https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/[kube-proxy], -the network proxy component in Kubernetes. - -* The {metricbeat-ref}/metricbeat-metricset-kubernetes-scheduler.html[`scheduler`] -metricset provides visibility into the -https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/[kube-scheduler]. - -[float] -==== Configuration-only {metricbeat} modules - -For developers, we've streamlined the process of adding new data sources. 7.3.0 -introduces a new way of creating {metricbeat} modules, called _light modules_, -that doesn’t require a single line of Go code. Light modules provide pre-defined -configurations on top of existing, more generic modules, such as -{metricbeat-ref}/metricbeat-module-prometheus.html[Prometheus] or -{metricbeat-ref}/metricbeat-module-jolokia.html[Jolokia]. In fact, the -{metricbeat-ref}/metricbeat-module-cockroachdb.html[CockroachDB] module, -introduced in this release, is a light module. - -// end::notable-highlights[] diff --git a/libbeat/docs/release-notes/highlights/highlights-7.4.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.4.0.asciidoc deleted file mode 100644 index bd46278c550..00000000000 --- a/libbeat/docs/release-notes/highlights/highlights-7.4.0.asciidoc +++ /dev/null @@ -1,53 +0,0 @@ -[[release-highlights-7.4.0]] -=== 7.4 release highlights -++++ -7.4 -++++ - -Each release of {beats} brings new features and product improvements. -Following are the most notable features and enhancements in 7.4. - -For a complete list of highlights, see the -https://www.elastic.co/blog/beats-7-4-0-released[{beats} 7.4 release blog]. - -For a list of bug fixes and other changes, see the {beats} -<> and <>. - -//NOTE: The notable-highlights tagged regions are re-used in the -//Installation and Upgrade Guide - -// tag::notable-highlights[] -// ADD NOTABLE HIGHLIGHTS HERE -[float] -==== New {filebeat} inputs for ingesting S3 and Kafka logs - -The {filebeat-ref}/filebeat-input-s3.html[S3 input] in {filebeat} is a beta -feature available under the Basic license, meaning it’s free to use. It ingests -raw log lines from S3 buckets by leveraging SQS queues for scalable consumption. -We recommend using this {filebeat} input instead of the {ls} S3 input if you are -looking for a horizontally scalable solution for ingesting logs from S3. - -The {filebeat-ref}/filebeat-input-kafka.html[kafka input] in {filebeat} enables -data consumption from Kafka topics. Multiple {filebeat} instances can subscribe -to the same Kafka consumer group for parallel processing from topics. -Additionally, the Kafka input can consume data from Azure Event Hubs given the -service supports Kafka interface compatibility. -// end::notable-highlights[] - -[float] -==== {functionbeat} improvements - -{functionbeat} now supports {ls} as an output for data processing. - -We've also added configurable function tags that you can use for grouping, -filtering, and cost allocation with AWS Lambda. - -[float] -==== Expanded platform support -In Beats 7.4.0, we’ve added support for the following platforms: - -* RHEL 8 -* Amazon Linux 2 -* Ubuntu 18.04 -* Windows Server 2019. - diff --git a/libbeat/docs/release-notes/highlights/highlights-7.5.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.5.0.asciidoc deleted file mode 100644 index bc800536f95..00000000000 --- a/libbeat/docs/release-notes/highlights/highlights-7.5.0.asciidoc +++ /dev/null @@ -1,38 +0,0 @@ -[[release-highlights-7.5.0]] -=== 7.5 release highlights -++++ -7.5 -++++ - -Each release of {beats} brings new features and product improvements. -Following are the most notable features and enhancements in 7.5. - -For a complete list of highlights, see the -https://www.elastic.co/blog/beats-7-5-0-released[{beats} 7.5 release blog]. - -For a list of bug fixes and other changes, see the {beats} -<> and <>. - -//NOTE: The notable-highlights tagged regions are re-used in the -//Installation and Upgrade Guide - -// tag::notable-highlights[] - -[float] -==== New modules for Azure cloud monitoring - -With the addition of {metricbeat-ref}/metricbeat-module-azure.html[{metricbeat}] -and {filebeat-ref}/filebeat-module-azure.html[{filebeat}] modules for Azure -monitoring, Azure users can now directly monitor logs and metrics from Azure -Event Hub and Azure Monitor and use prebuilt {kib} dashboards to speed up the -analysis. - - -[float] -==== {heartbeat} enhanced with hint-based autodiscover - -In 7.5, we’ve enhanced {heartbeat}, as part of our Uptime solution, to include -{heartbeat-ref}/[hint-based autodiscover], which is a particularly great fit -for monitoring the health of Kubernetes services. - -// end::notable-highlights[] diff --git a/libbeat/docs/release-notes/highlights/highlights-7.6.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.6.0.asciidoc deleted file mode 100644 index e209c82a06c..00000000000 --- a/libbeat/docs/release-notes/highlights/highlights-7.6.0.asciidoc +++ /dev/null @@ -1,85 +0,0 @@ -[[release-highlights-7.6.0]] -=== 7.6 release highlights -++++ -7.6 -++++ - -Each release of {beats} brings new features and product improvements. -Following are the most notable features and enhancements in 7.6. - -For a complete list of related highlights, see the -https://www.elastic.co/blog/elastic-observability-7-6-0-released[Observability 7.6 release blog]. - -For a list of bug fixes and other changes, see the {beats} -<> and <>. - -//NOTE: The notable-highlights tagged regions are re-used in the -//Installation and Upgrade Guide - -// tag::notable-highlights[] - -[float] -==== Support added for TLS 1.3 - -In 7.6, we've added support for TLS 1.3, enabling you to take advantage -of the security and performance improvements available in TLS 1.3 when {beats} -connects to an {es} cluster that supports it. - -TLS 1.1, 1.2, and 1.3 are now enabled by default. - -[float] -==== Azure cloud monitoring improvements - -The new {metricbeat-ref}/metricbeat-metricset-azure-storage.html[`storage`] -metricset in the {metricbeat} {metricbeat-ref}/metricbeat-module-azure.html[Azure -module] adds the ability to collect metrics from storage accounts. - -We've also made it easier for you to do a cost analysis on metrics -collection by adding a cost warning message to each metrics API call. The -message indicates the cost applied while retrieving metric values from Azure -resources. - -[float] -==== Google cloud monitoring improvements - -Starting with 7.6, you can deploy {functionbeat} as a Google Function via Google -Cloud Deployment Manager and pull log events from -https://cloud.google.com/pubsub/[Google Pub/Sub] and -https://cloud.google.com/storage/[Google Cloud Storage]. - -We've also expanded support in {metricbeat} by adding a beta release of the -{metricbeat-ref}/metricbeat-module-googlecloud.html[Google Cloud Platform module]. -This module fetches monitoring metrics from Google Cloud Platform (GCP) by using -the -https://cloud.google.com/monitoring/api/metrics_gcp[Stackdriver Monitoring API]. - -On the logging side, we've added two new filesets to the {filebeat} -{filebeat-ref}/filebeat-module-googlecloud.html[Google Cloud module] to make it -easier for you to ingest Gloogle Cloud logs: - -* The `audit` fileset parses -https://cloud.google.com/logging/docs/audit/[Google Cloud Audit Logs]. -* The `firewall` fileset parses firewall logs generated by firewall rules -logging. - -[float] -==== Better support for document deduplication - -To help prevent duplicate events, we've introduced `document_id` settings -in {beats} that you can use to set the document ID _before_ sending events to -an output. The ID is stored in the {beats} `@metadata._id` field and used to -set the document ID during indexing. Both the `decode_json_fields` processor and -`json` options in the {filebeat} have been enhanced to include a -`document_id` setting to use when decoding JSON data. - -We've also added new processors for generating IDs when your data has no natural -key field. The {filebeat-ref}/add-id.html[`add_id`] processor generates a unique -ID for an event. The {filebeat-ref}/fingerprint.html[`fingerprint`] processor -generates a fingerprint of an event based on a specified subset of its fields. - -To learn more, see {filebeat-ref}/filebeat-deduplication.html[Data -deduplication]. - -//Description - -// end::notable-highlights[] diff --git a/libbeat/docs/release-notes/highlights/highlights-7.7.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.7.0.asciidoc deleted file mode 100644 index a00e4113b1b..00000000000 --- a/libbeat/docs/release-notes/highlights/highlights-7.7.0.asciidoc +++ /dev/null @@ -1,152 +0,0 @@ -[[release-highlights-7.7.0]] -=== 7.7 release highlights -++++ -7.7 -++++ - -Each release of {beats} brings new features and product improvements. -Following are the most notable features and enhancements in 7.7. - -For a complete list of related highlights, see the -https://www.elastic.co/blog/elastic-observability-7-7-0-released[Observability 7.7 release blog]. - -For a list of bug fixes and other changes, see the {beats} -<> and <>. - -//NOTE: The notable-highlights tagged regions are re-used in the -//Installation and Upgrade Guide - -// tag::notable-highlights[] - -[float] -[role="xpack"] -==== Azure Kubernetes and container monitoring - -We've enhanced the {metricbeat} Azure module with three new metricsets -for monitoring Microsoft Azure container services: -{metricbeat-ref}/metricbeat-metricset-azure-container_instance.html[`container_instance`], -{metricbeat-ref}/metricbeat-metricset-azure-container_registry.html[`container_registry`], and -{metricbeat-ref}/metricbeat-metricset-azure-container_service.html[`container_service`]. -These metricsets collect metrics from the following services: - -* Azure Kubernetes Service -* Azure Container Instances -* Azure Container Registry - -Each metricset comes with a dashboard that makes it easy to get started -monitoring Azure containers. - -[float] -[role="xpack"] -==== AWS VPCs, Lambdas, and DynamoDB monitoring - -In the {metricbeat} AWS module, we've added support for monitoring -mission-critical services in the Amazon VPC ecosystem: - -* The {metricbeat-ref}/metricbeat-metricset-aws-natgateway.html[`natgateway`] -metricset enables you to monitor NAT gateway services to gain a -better perspective on how web applications or services are performing. -* The {metricbeat-ref}/metricbeat-metricset-aws-natgateway.html[`transitgateway`] -metricset collects metrics sent to CloudWatch by VPC when requests are flowing -through the gateway.  -* The {metricbeat-ref}/metricbeat-metricset-aws-vpn.html[`vpn`] metricset -enables you to monitor VPN tunnels. VPN metric data is automatically sent to -CloudWatch as it becomes available. - -Also new in this release, the -{metricbeat-ref}/metricbeat-metricset-aws-lambda.html[`lambda`] metricset monitors -Lambda functions across multiple accounts and regions. The metricset collects -metrics such as total invocations, errors, duration, throttles, dead-letter queue -errors, and iterator age for stream-based invocations. You can use these metrics -to configure alerts to respond to events such as changes in performance and -error rates. - -We’ve also added the -{metricbeat-ref}/metricbeat-metricset-aws-dynamodb.html[`dynamodb`] metricset to -monitor AWS DynamoDB instances. This metricset collects metrics, such as request -latency, transaction conflicts, provisioned and consumed capacity, and many -others.   
 - -For Amazon Aurora users, we've enhanced the -{metricbeat-ref}/metricbeat-metricset-aws-rds.html[`rds`] metricset to collect -metrics about your Aurora instances. - -[float] -[role="xpack"] -==== Google Cloud Platform (GCP) Pub/Sub and Load Balancer monitoring - -We've enhanced the {metricbeat} Google Cloud Platform module with support -for monitoring additional services: - -* The {metricbeat-ref}/metricbeat-metricset-googlecloud-pubsub.html[`pubsub`] -metricset connects to the Stackdriver API and collects metrics for topics, -subscriptions, and snapshots used by a specified account.  -* The {metricbeat-ref}/metricbeat-metricset-googlecloud-loadbalancing.html[`loadbalancing`] -metricset captures load balancing performance metrics for HTTP(S), TCP, and UDP -applications. - -[float] -[role="xpack"] -==== Pivotal Cloud Foundry (PCF) monitoring - -We continue to expand coverage of container platforms by adding support for -Pivotal Cloud Foundry. - -The new {metricbeat} -{metricbeat-ref}/metricbeat-module-cloudfoundry.html[Cloudfoundry module] -connects to the Cloud Foundry API and pulls container, counter, and value -metrics from it. These metrics are stored in `cloudfoundry.container`, -`cloudfoundry.counter` and `cloudfoundry.value` metricsets. - -In {filebeat}, the new -{filebeat-ref}/filebeat-input-cloudfoundry.html[`cloudfoundry`] input collects -http access logs, container logs, and error logs from Cloud Foundry. - -To learn how to run {beats} on Cloud Foundry, see: - -* {metricbeat-ref}/running-on-cloudfoundry.html[Run {metricbeat} on Cloud Foundry] -* {filebeat-ref}/running-on-cloudfoundry.html[Run {filebeat} on Cloud Foundry] - -[float] -[role="xpack"] -==== IBM MQ monitoring - -Prior to this release, we offered support in {filebeat} for collecting and -parsing queue manager error logs from IBM MQ. - -In this release, we’ve added the missing piece: metrics. The new {metricbeat} -{metricbeat-ref}/metricbeat-module-ibmmq.html[IBM MQ module] pulls status -information for the Queue Manager, which is responsible for maintaining queues -and ensuring that messages in the queues reach their destination. - -[float] -[role="xpack"] -==== Redis Enterprise monitoring - -In addition to our existing Redis module, which focuses on the open source -version of the database, we’ve added the new {metricbeat} -{metricbeat-ref}/metricbeat-module-redisenterprise.html[Redis Enterprise] module -to monitor features such as nodes and proxies in a Redis cluster. - -[float] -[role="xpack"] -==== Istio monitoring - -For Istio users, we've introduced the {metricbeat} -{metricbeat-ref}/metricbeat-module-istio.html[Istio module] to -collect metrics about service traffic (in, out, and within a service mesh), -control-plane metrics for Istio Pilot, Galley, Mixer components, and much -more. - -[float] -==== ECS field improvements in {filebeat} - -The {ecs-ref}/index.html[Elastic Common Schema] (ECS) defines a common set of -fields to be used when storing event data in {es}. - -In 7.7, we've improved ECS field mappings in numerous {filebeat} modules, -making it easier for you to analyze, visualize, and correlate data across -events. For a list of affected modules, see the -{beats-ref}/release-notes.html[Release Notes] for 7.7.0. - -// end::notable-highlights[] diff --git a/libbeat/docs/release-notes/highlights/highlights-7.8.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-7.8.0.asciidoc deleted file mode 100644 index 054403656ea..00000000000 --- a/libbeat/docs/release-notes/highlights/highlights-7.8.0.asciidoc +++ /dev/null @@ -1,48 +0,0 @@ -[[release-highlights-7.8.0]] -=== 7.8 release highlights -++++ -7.8 -++++ - -Each release of {beats} brings new features and product improvements. -Following are the most notable features and enhancements in 7.8. - -For a complete list of related highlights, see the -https://www.elastic.co/blog/elastic-observability-7-7-0-released[Observability 7.8 release blog]. - -For a list of bug fixes and other changes, see the {beats} -<> and <>. - -//NOTE: The notable-highlights tagged regions are re-used in the -//Installation and Upgrade Guide - -// tag::notable-highlights[] - -// -[float] -[role="xpack"] -==== Support for monitoring Google Cloud service metrics - -In this release, we've added support for monitoring Google Cloud operations -suite (formerly Stackdriver). The new -{metricbeat-ref}/metricbeat-metricset-googlecloud-stackdriver.html[stackdriver] -metricset in the Google Cloud Platform module collects any service metrics from -Google Cloud by using the `ListTimeSeries` API call. - -For a full list of metric types that Google Cloud monitoring supports, see the -https://cloud.google.com/monitoring/api/metrics_gcp#gcp[Google Cloud metrics] -documentation. - -[float] -==== Specialized Linux integration - -To simplify Linux monitoring, we’ve introduced a new -{metricbeat-ref}/metricbeat-module-linux.html[Linux] module that contains metrics -exclusive to the Linux kernel and various subsystems. This is done primarily to -avoid cluttering the System module with metricsets that are not broadly -cross-compatible. The new Linux module currently includes these metricsets: -{metricbeat-ref}/metricbeat-metricset-linux-pageinfo.html[pageinfo], -{metricbeat-ref}/metricbeat-metricset-linux-ksm.html[ksm], and -{metricbeat-ref}/metricbeat-metricset-linux-conntrack.html[conntrack]. - -// end::notable-highlights[] diff --git a/libbeat/docs/release-notes/highlights/highlights-8.0.0.asciidoc b/libbeat/docs/release-notes/highlights/highlights-8.0.0.asciidoc deleted file mode 100644 index 91941572402..00000000000 --- a/libbeat/docs/release-notes/highlights/highlights-8.0.0.asciidoc +++ /dev/null @@ -1,32 +0,0 @@ -[[release-highlights-8.0.0]] -=== 8.0 release highlights -++++ -8.0 -++++ - -Each release of {beats} brings new features and product improvements. -Following are the most notable features and enhancements in 8.0. - -//For a complete list of highlights, see the -//https://www.elastic.co/blog/beats-8-0-0-released[{beats} 8.0 release blog]. - -For a list of bug fixes and other changes, see the {beats} -<> and <>. - -//NOTE: The notable-highlights tagged regions are re-used in the -//Installation and Upgrade Guide - -// tag::notable-highlights[] -// ADD NOTABLE HIGHLIGHTS HERE - -//[float] -//==== Add title here - -//Add description here. - -//[float] -//==== Add title here - -//Add description here. - -// end::notable-highlights[] diff --git a/libbeat/docs/release-notes/highlights/highlights.asciidoc b/libbeat/docs/release-notes/highlights/highlights.asciidoc deleted file mode 100644 index c963c6dd06a..00000000000 --- a/libbeat/docs/release-notes/highlights/highlights.asciidoc +++ /dev/null @@ -1,41 +0,0 @@ -[[release-highlights]] -== Release highlights - -This section summarizes the most important changes in each release. For the -full list, see <> and <>. - -* <> - -* <> - -* <> - -* <> - -* <> - -* <> - -* <> - -* <> - -* <> - -include::highlights-7.8.0.asciidoc[] - -include::highlights-7.7.0.asciidoc[] - -include::highlights-7.6.0.asciidoc[] - -include::highlights-7.5.0.asciidoc[] - -include::highlights-7.4.0.asciidoc[] - -include::highlights-7.3.0.asciidoc[] - -include::highlights-7.2.0.asciidoc[] - -include::highlights-7.1.0.asciidoc[] - -include::highlights-7.0.0.asciidoc[] \ No newline at end of file diff --git a/libbeat/docs/release-notes/whats-new.asciidoc b/libbeat/docs/release-notes/whats-new.asciidoc new file mode 100644 index 00000000000..64e2cd9ef40 --- /dev/null +++ b/libbeat/docs/release-notes/whats-new.asciidoc @@ -0,0 +1,33 @@ +[[whats-new]] +== What's new in {beats} {minor-version} +++++ +What's new in {minor-version} +++++ + +Here are the highlights of what's new and improved in {minor-version}. +//Uncomment when release notes are available. +//For detailed information about this release, check out the +//<> and +//<>. + +[float] +=== {log-driver-long} now supports `docker logs` command + +Starting with version 7.9, the {log-driver-long} fully supports the `docker logs` +command. The plugin maintains a local copy of logs that can be read without a +connection to {es}. The plugin mounts the `/var/lib/docker` directory on the +host to write logs to `/var/log/containers`. For more information, see the +{docker-logging-ref}/index.html[Elastic Logging Plugin for Docker] docs. + +//Starting with n.1, uncomment this list and add links to previous releases +//with most recent listed first: +//Other versions: {beats-ref-all}/8.0/release-highlights-8.0.0.html[8.0] | +//{beats-ref-all}/n.n/release-highlights-n.n.n.html[n.n] | +//{beats-ref-all}/n.n/release-highlights-n.n.n.html[n.n] + +//NOTE: The notable-highlights tagged regions are re-used in the +//Installation and Upgrade Guide + +// tag::notable-highlights[] +// +// end::notable-highlights[] diff --git a/libbeat/docs/release.asciidoc b/libbeat/docs/release.asciidoc index 19d710515e9..4215186d430 100644 --- a/libbeat/docs/release.asciidoc +++ b/libbeat/docs/release.asciidoc @@ -8,8 +8,18 @@ This section summarizes the changes in each release. Also read <> for more detail about changes that affect upgrade. +* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> * <> * <> +* <> * <> * <> * <> @@ -27,6 +37,12 @@ upgrade. * <> * <> * <> +* <> +* <> +* <> +* <> +* <> +* <> * <> * <> * <> diff --git a/libbeat/docs/security/api-keys.asciidoc b/libbeat/docs/security/api-keys.asciidoc index 403fd011122..aa397ff5fee 100644 --- a/libbeat/docs/security/api-keys.asciidoc +++ b/libbeat/docs/security/api-keys.asciidoc @@ -14,6 +14,8 @@ API key. For different clusters, you need to use an API key per cluster. NOTE: For security reasons, we recommend using a unique API key per {beatname_uc} instance. You can create as many API keys per user as necessary. +IMPORTANT: Review <> before creating API keys for {beatname_uc}. + [float] [[beats-api-key-publish]] === Create an API key for publishing @@ -41,6 +43,8 @@ POST /_security/api_key <1> Name of the API key <2> Granted privileges, see <> +NOTE: See <> for the list of privileges required to publish events. + The return value will look something like this: [source,console-result,subs="attributes,callouts"] @@ -89,6 +93,8 @@ POST /_security/api_key <1> Name of the API key <2> Granted privileges, see <> +NOTE: See <> for the list of privileges required to send monitoring data. + The return value will look something like this: [source,console-result,subs="attributes,callouts"] diff --git a/libbeat/docs/security/users.asciidoc b/libbeat/docs/security/users.asciidoc index dbf731bc494..62d1749eff9 100644 --- a/libbeat/docs/security/users.asciidoc +++ b/libbeat/docs/security/users.asciidoc @@ -81,7 +81,7 @@ endif::has_ml_jobs[] Omit any privileges that aren't relevant in your environment. + NOTE: These instructions assume that you are using the default name for -{beatname_uc} indices. If you are using a custom name, modify the privileges to +{beatname_uc} indices. If +{beat_default_index_prefix}-*+ is not listed, or you are using a custom name, enter it manually and modify the privileges to match your index naming pattern. . Assign the *setup role*, along with the following built-in roles, to users who @@ -169,7 +169,7 @@ users who need to monitor {beatname_uc}: |==== |Role | Purpose -|`kibana_user` +|`kibana_admin` |Use {kib} |`monitoring_user` @@ -231,7 +231,7 @@ endif::serverless[] Users who publish events to {es} need to create and write to {beatname_uc} indices. To minimize the privileges required by the writer role, use the <> to pre-load dependencies. This section -assumes that you've pre-loaded dependencies. +assumes that you've run the setup. ifndef::no_ilm[] When using ILM, turn off the ILM setup check in the {beatname_uc} config file before diff --git a/libbeat/docs/shared-autodiscover.asciidoc b/libbeat/docs/shared-autodiscover.asciidoc index 7c59b9f8452..c7993c29bef 100644 --- a/libbeat/docs/shared-autodiscover.asciidoc +++ b/libbeat/docs/shared-autodiscover.asciidoc @@ -242,6 +242,40 @@ running configuration for a container, 60s by default. include_labels: ["nodelabel2"] ------------------------------------------------------------------------------------- +`unique`:: (Optional) Defaults to `false`. Marking an autodiscover provider as unique results into + making the provider to enable the provided templates only when it will gain the leader lease. + This setting can only be combined with `cluster` scope. When `unique` is enabled enabled, `resource` + and `add_resource_metadata` settings are not taken into account. +`leader_lease`:: (Optional) Defaults to `{beatname_lc}-cluster-leader`. This will be name of the lock lease. + One can monitor the status of the lease with `kubectl describe lease beats-cluster-leader`. + Different Beats that refer to the same leader lease will be competetitors in holding the lease + and only one will be elected as leader each time. Example: + +["source","yaml",subs="attributes"] +------------------------------------------------------------------------------------- +metricbeat.autodiscover: + providers: + - type: kubernetes + scope: cluster + node: ${NODE_NAME} + unique: true + identifier: leader-election-metricbeat + templates: + - config: + - module: kubernetes + hosts: ["kube-state-metrics:8080"] + period: 10s + add_metadata: true + metricsets: + - state_node +------------------------------------------------------------------------------------- + +The above configuration when deployed on one or more Metribceat instances will enable `state_node` +metricset only for the Metricbeat instance that will gain the leader lease/lock. With this deployment +strategy we can ensure that cluster-wide metricsets are only enabled by one Beat instance when +deploying a Beat as Daemonset. + + include::../../{beatname_lc}/docs/autodiscover-kubernetes-config.asciidoc[] ifdef::autodiscoverJolokia[] diff --git a/libbeat/docs/shared-beats-attributes.asciidoc b/libbeat/docs/shared-beats-attributes.asciidoc index 4a285b4759c..56dee789d4d 100644 --- a/libbeat/docs/shared-beats-attributes.asciidoc +++ b/libbeat/docs/shared-beats-attributes.asciidoc @@ -1,4 +1,5 @@ :beatsdevguide: http://www.elastic.co/guide/en/beats/devguide/{branch} +:beats-ref-all: https://www.elastic.co/guide/en/beats/libbeat :dashboards: https://artifacts.elastic.co/downloads/beats/beats-dashboards/beats-dashboards-{version}.zip :dockerimage: docker.elastic.co/beats/{beatname_lc}:{version} :dockerconfig: https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/docker/{beatname_lc}.docker.yml diff --git a/libbeat/docs/shared-faq.asciidoc b/libbeat/docs/shared-faq.asciidoc index 7610dc6f8c9..9aa8c3442c1 100644 --- a/libbeat/docs/shared-faq.asciidoc +++ b/libbeat/docs/shared-faq.asciidoc @@ -98,8 +98,8 @@ telnet 5044 + TIP: For testing purposes only, you can set `verification_mode: none` to disable hostname checking. -* Use OpenSSL to test connectivity to the {ls} server and diagnose problems. See the https://www.openssl.org/docs/manmaster/apps/s_client.html[OpenSSL documentation] for more info. -* Make sure that you have enabled SSL (set `ssl => true`) when configuring the https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html[Beats input plugin for {ls}]. +* Use OpenSSL to test connectivity to the {ls} server and diagnose problems. See the https://www.openssl.org/docs/manmaster/man1/openssl-s_client.html[OpenSSL documentation] for more info. +* Make sure that you have enabled SSL (set `ssl => true`) when configuring the {logstash-ref}/plugins-inputs-beats.html[Beats input plugin for {ls}]. ==== Common SSL-Related Errors and Resolutions diff --git a/libbeat/docs/shared-instrumentation.asciidoc b/libbeat/docs/shared-instrumentation.asciidoc new file mode 100644 index 00000000000..9b3d72bfd67 --- /dev/null +++ b/libbeat/docs/shared-instrumentation.asciidoc @@ -0,0 +1,91 @@ +[[configuration-instrumentation]] +== Configure APM instrumentation + +++++ +Instrumentation +++++ + +Libbeat uses the Elastic APM Go Agent to instrument its publishing pipeline. +Currently, only the Elasticsearch output is instrumented. +To gain insight into the performance of {beatname_uc}, you can enable this instrumentation and send trace data to APM Server. + +Example configuration with instrumentation enabled: + +["source","yaml"] +---- +instrumentation: + enabled: true + environment: production + hosts: + - "http://localhost:8200" + api_key: L5ER6FEvjkmlfalBealQ3f3fLqf03fazfOV +---- + +[float] +=== Configuration options + +You can specify the following options in the `instrumentation` section of the +{beatname_lc}.yml+ config file: + +[float] +==== `enabled` + +Set to `true` to enable instrumentation of {beatname_uc}. +Defaults to `false`. + +[float] +==== `environment` + +Set the environment in which {beatname_uc} is running, for example, `staging`, `production`, `dev`, etc. +Environments can be filtered in the {kibana-ref}/xpack-apm.html[APM app]. + +[float] +==== `hosts` + +The {apm-server-ref-v}/getting-started-apm-server.html[APM Server] hosts to report instrumentation data to. +Defaults to `http://localhost:8200`. + +[float] +==== `api_key` + +{apm-server-ref-v}/api-key.html[API key] used to secure communication with the APM Server(s). +If `api_key` is set then `secret_token` will be ignored. + +[float] +==== `secret_token` + +{apm-server-ref-v}/secret-token.html[Secret token] used to secure communication with the APM Server(s). + +[float] +==== `profiling.cpu.enabled` + +Set to `true` to enable CPU profiling, where profile samples are recorded as events. + +This feature is experimental. + +[float] +==== `profiling.cpu.interval` + +Configure the CPU profiling interval. Defaults to `60s`. + +This feature is experimental. + +[float] +==== `profiling.cpu.duration` + +Configure the CPU profiling duration. Defaults to `10s`. + +This feature is experimental. + +[float] +==== `profiling.heap.enabled` + +Set to `true` to enable heap profiling. + +This feature is experimental. + +[float] +==== `profiling.heap.interval` + +Configure the heap profiling interval. Defaults to `60s`. + +This feature is experimental. diff --git a/libbeat/docs/shared-kibana-config.asciidoc b/libbeat/docs/shared-kibana-config.asciidoc index e39fec57013..6cb3a1e9e29 100644 --- a/libbeat/docs/shared-kibana-config.asciidoc +++ b/libbeat/docs/shared-kibana-config.asciidoc @@ -97,6 +97,18 @@ The {kibana-ref}/xpack-spaces.html[Kibana space] ID to use. If specified, {beatname_uc} loads Kibana assets into this Kibana space. Omit this option to use the default space. +[float] +===== `setup.kibana.headers` + +Custom HTTP headers to add to each request sent to Kibana. +Example: + +[source,yaml] +------------------------------------------------------------------------------ +setup.kibana.headers: + X-My-Header: Header contents +------------------------------------------------------------------------------ + [float] ==== `setup.kibana.ssl.enabled` diff --git a/libbeat/docs/shared-ssl-config.asciidoc b/libbeat/docs/shared-ssl-config.asciidoc index e578c2d60f8..8aa9a33a828 100644 --- a/libbeat/docs/shared-ssl-config.asciidoc +++ b/libbeat/docs/shared-ssl-config.asciidoc @@ -143,46 +143,58 @@ The default value is `[TLSv1.1, TLSv1.2, TLSv1.3]`. [float] ==== `verification_mode` -This option controls whether the client verifies server certificates and host -names. Valid values are `none` and `full`. If `verification_mode` is set -to `none`, all server host names and certificates are accepted. In this mode, -TLS-based connections are susceptible to man-in-the-middle attacks. Use this -option for testing only. +Controls the verification of certificates. Valid values are: -The default is `full`. + * `full`, which verifies that the provided certificate is signed by a trusted +authority (CA) and also verifies that the server's hostname (or IP address) +matches the names identified within the certificate. + * `certificate`, which verifies that the provided certificate is signed by a +trusted authority (CA), but does not perform any hostname verification. + * `none`, which performs _no verification_ of the server's certificate. This +mode disables many of the security benefits of SSL/TLS and should only be used +after very careful consideration. It is primarily intended as a temporary +diagnostic mechanism when attempting to resolve TLS errors; its use in +production environments is strongly discouraged. + +The default value is `full`. [float] ==== `cipher_suites` The list of cipher suites to use. The first entry has the highest priority. -If this option is omitted, the Go crypto library's default -suites are used (recommended). Note that TLS 1.3 cipher suites are not +If this option is omitted, the Go crypto library's https://golang.org/pkg/crypto/tls/[default suites] +are used (recommended). Note that TLS 1.3 cipher suites are not individually configurable in Go, so they are not included in this list. +// tag::cipher_suites[] The following cipher suites are available: -* ECDHE-ECDSA-AES-128-CBC-SHA -* ECDHE-ECDSA-AES-128-CBC-SHA256 (TLS 1.2 only, disabled by default) -* ECDHE-ECDSA-AES-128-GCM-SHA256 (TLS 1.2 only) -* ECDHE-ECDSA-AES-256-CBC-SHA -* ECDHE-ECDSA-AES-256-GCM-SHA384 (TLS 1.2 only) -* ECDHE-ECDSA-CHACHA20-POLY1305 (TLS 1.2 only) -* ECDHE-ECDSA-RC4-128-SHA (disabled by default - RC4 not recommended) -* ECDHE-RSA-3DES-CBC3-SHA -* ECDHE-RSA-AES-128-CBC-SHA -* ECDHE-RSA-AES-128-CBC-SHA256 (TLS 1.2 only, disabled by default) -* ECDHE-RSA-AES-128-GCM-SHA256 (TLS 1.2 only) -* ECDHE-RSA-AES-256-CBC-SHA -* ECDHE-RSA-AES-256-GCM-SHA384 (TLS 1.2 only) -* ECDHE-RSA-CHACHA20-POLY1205 (TLS 1.2 only) -* ECDHE-RSA-RC4-128-SHA (disabled by default- RC4 not recommended) -* RSA-3DES-CBC3-SHA -* RSA-AES-128-CBC-SHA -* RSA-AES-128-CBC-SHA256 (TLS 1.2 only, disabled by default) -* RSA-AES-128-GCM-SHA256 (TLS 1.2 only) -* RSA-AES-256-CBC-SHA -* RSA-AES-256-GCM-SHA384 (TLS 1.2 only) -* RSA-RC4-128-SHA (disabled by default - RC4 not recommended) +[options="header"] +|=== +| Cypher | Notes +| ECDHE-ECDSA-AES-128-CBC-SHA | +| ECDHE-ECDSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. +| ECDHE-ECDSA-AES-128-GCM-SHA256 | TLS 1.2 only. +| ECDHE-ECDSA-AES-256-CBC-SHA | +| ECDHE-ECDSA-AES-256-GCM-SHA384 | TLS 1.2 only. +| ECDHE-ECDSA-CHACHA20-POLY1305 | TLS 1.2 only. +| ECDHE-ECDSA-RC4-128-SHA | Disabled by default. RC4 not recommended. +| ECDHE-RSA-3DES-CBC3-SHA | +| ECDHE-RSA-AES-128-CBC-SHA | +| ECDHE-RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. +| ECDHE-RSA-AES-128-GCM-SHA256 | TLS 1.2 only. +| ECDHE-RSA-AES-256-CBC-SHA | +| ECDHE-RSA-AES-256-GCM-SHA384 | TLS 1.2 only. +| ECDHE-RSA-CHACHA20-POLY1205 | TLS 1.2 only. +| ECDHE-RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. +| RSA-3DES-CBC3-SHA | +| RSA-AES-128-CBC-SHA | +| RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. +| RSA-AES-128-GCM-SHA256 | TLS 1.2 only. +| RSA-AES-256-CBC-SHA | +| RSA-AES-256-GCM-SHA384 | TLS 1.2 only. +| RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. +|=== Here is a list of acronyms used in defining the cipher suites: @@ -212,6 +224,7 @@ Here is a list of acronyms used in defining the cipher suites: * SHA, SHA256, SHA384: Cipher suites using SHA-1, SHA-256 or SHA-384. +// end::cipher_suites[] [float] ==== `curve_types` diff --git a/libbeat/docs/shared/configuring-intro.asciidoc b/libbeat/docs/shared/configuring-intro.asciidoc index e7be5e4f24c..82812c34bd1 100644 --- a/libbeat/docs/shared/configuring-intro.asciidoc +++ b/libbeat/docs/shared/configuring-intro.asciidoc @@ -1,12 +1,14 @@ +ifndef::apm-server[] TIP: To get started quickly, read <<{beatname_lc}-installation-configuration>>. +endif::[] To configure {beatname_uc}, edit the configuration file. The default configuration file is called +{beatname_lc}.yml+. The location of the file -varies by platform. To locate the file, see <>. +varies by platform. To locate the file, see <>. -ifeval::["{beatname_lc}"!="apm-server"] -There’s also a full example configuration file called +{beatname_lc}.reference.yml+ +ifndef::apm-server[] +There’s also a full example configuration file called +{beatname_lc}.reference.yml+ that shows all non-deprecated options. endif::[] diff --git a/libbeat/docs/shared/redirects.asciidoc b/libbeat/docs/shared/redirects.asciidoc deleted file mode 100644 index dc9ca1d0d74..00000000000 --- a/libbeat/docs/shared/redirects.asciidoc +++ /dev/null @@ -1,34 +0,0 @@ -["appendix",role="exclude",id="redirects"] -= Deleted pages - -The following pages have moved or been deleted. - -[role="exclude",id="{beatname_lc}-configuration"] -=== Configure {beatname_uc} - -See <>. - -[role="exclude",id="{beatname_lc}-installation"] -=== Install {beatname_uc} - -See <<{beatname_lc}-installation-configuration>>. - -[role="exclude",id="view-kibana-dashboards"] -=== View the sample {kib} dashboards - -See <<{beatname_lc}-installation-configuration>>. - -[role="exclude",id="{beatname_lc}-getting-started"] -=== Get started with {beatname_uc} - -See <<{beatname_lc}-installation-configuration>>. - -ifeval::["{beatname_lc}"=="filebeat"] - -[role="exclude",id="{beatname_lc}-modules-quickstart"] -=== Quick start: modules for common log formats - -See <<{beatname_lc}-installation-configuration>>. - -//TODO: Remove any internal cross references that point to these IDs, set up -//redirects, then delete this file. diff --git a/libbeat/docs/tab-widgets/install-widget-filebeat.asciidoc b/libbeat/docs/tab-widgets/install-widget-filebeat.asciidoc new file mode 100644 index 00000000000..8c293b4c9a6 --- /dev/null +++ b/libbeat/docs/tab-widgets/install-widget-filebeat.asciidoc @@ -0,0 +1,114 @@ +:beatname_uc: Filebeat +:beatname_lc: filebeat +++++ +
+
+ + + + + + +
+
+++++ + +include::install.asciidoc[tag=deb] + +++++ +
+ + + + + +
+++++ diff --git a/libbeat/docs/tab-widgets/install-widget-heartbeat.asciidoc b/libbeat/docs/tab-widgets/install-widget-heartbeat.asciidoc new file mode 100644 index 00000000000..34cace94017 --- /dev/null +++ b/libbeat/docs/tab-widgets/install-widget-heartbeat.asciidoc @@ -0,0 +1,114 @@ +:beatname_uc: Heartbeat +:beatname_lc: heartbeat +++++ +
+
+ + + + + + +
+
+++++ + +include::install.asciidoc[tag=deb] + +++++ +
+ + + + + +
+++++ diff --git a/libbeat/docs/tab-widgets/install-widget-metricbeat.asciidoc b/libbeat/docs/tab-widgets/install-widget-metricbeat.asciidoc new file mode 100644 index 00000000000..5a4a46e8e9e --- /dev/null +++ b/libbeat/docs/tab-widgets/install-widget-metricbeat.asciidoc @@ -0,0 +1,114 @@ +:beatname_uc: Metricbeat +:beatname_lc: metricbeat +++++ +
+
+ + + + + + +
+
+++++ + +include::install.asciidoc[tag=deb] + +++++ +
+ + + + + +
+++++ diff --git a/libbeat/docs/tab-widgets/set-connection.asciidoc b/libbeat/docs/tab-widgets/set-connection.asciidoc index fe2e1c8a036..571e9cec570 100644 --- a/libbeat/docs/tab-widgets/set-connection.asciidoc +++ b/libbeat/docs/tab-widgets/set-connection.asciidoc @@ -1,7 +1,9 @@ // tag::cloud[] -Specify the <> of your {ess}, and set -<> to a user who is authorized to +:beatname_url: {beats-ref-root}/{beatname_lc}/{branch} + +Specify the {beatname_url}/configure-cloud-id.html[cloud.id] of your {ess}, and set +{beatname_url}/configure-cloud-id.html[cloud.auth] to a user who is authorized to set up {beatname_uc}. For example: ["source","yaml",subs="attributes"] @@ -12,7 +14,7 @@ cloud.auth: "{beatname_lc}_setup:{pwd}" <1> <1> This examples shows a hard-coded password, but you should store sensitive values ifndef::serverless[] -in the <>. +in the {beatname_url}/keystore.html[secrets keystore]. endif::[] ifdef::serverless[] in environment variables. @@ -34,7 +36,7 @@ output.elasticsearch: <1> This examples shows a hard-coded password, but you should store sensitive values ifndef::serverless[] -in the <>. +in the {beatname_url}/keystore.html[secrets keystore]. endif::[] ifdef::serverless[] in environment variables. @@ -56,7 +58,8 @@ include the scheme and port: `http://mykibanahost:5601/path`. <2> The `username` and `password` settings for {kib} are optional. If you don't specify credentials for {kib}, {beatname_uc} uses the `username` and `password` specified for the {es} output. -<3> To use the pre-built Kibana dashboards, this user must have the -`kibana_user` {ref}/built-in-roles.html[built-in role] or equivalent -privileges. +<3> To use the pre-built {kib} dashboards, this user must be authorized to +view dashboards or have the +`kibana_admin` {ref}/built-in-roles.html[built-in role]. // end::self-managed[] + diff --git a/libbeat/docs/tab-widgets/start-widget-filebeat.asciidoc b/libbeat/docs/tab-widgets/start-widget-filebeat.asciidoc new file mode 100644 index 00000000000..a5516816bf3 --- /dev/null +++ b/libbeat/docs/tab-widgets/start-widget-filebeat.asciidoc @@ -0,0 +1,115 @@ +:beatname_uc: Filebeat +:beatname_lc: filebeat +:beatname_pkg: filebeat +++++ +
+
+ + + + + + +
+
+++++ + +include::start.asciidoc[tag=deb] + +++++ +
+ + + + + +
+++++ \ No newline at end of file diff --git a/libbeat/docs/tab-widgets/start-widget-heartbeat.asciidoc b/libbeat/docs/tab-widgets/start-widget-heartbeat.asciidoc new file mode 100644 index 00000000000..92d57b71fa3 --- /dev/null +++ b/libbeat/docs/tab-widgets/start-widget-heartbeat.asciidoc @@ -0,0 +1,115 @@ +:beatname_uc: Heartbeat +:beatname_lc: heartbeat +:beatname_pkg: heartbeat +++++ +
+
+ + + + + + +
+
+++++ + +include::start.asciidoc[tag=deb] + +++++ +
+ + + + + +
+++++ \ No newline at end of file diff --git a/libbeat/docs/tab-widgets/start-widget-metricbeat.asciidoc b/libbeat/docs/tab-widgets/start-widget-metricbeat.asciidoc new file mode 100644 index 00000000000..986377ffd8e --- /dev/null +++ b/libbeat/docs/tab-widgets/start-widget-metricbeat.asciidoc @@ -0,0 +1,115 @@ +:beatname_uc: Metricbeat +:beatname_lc: metricbeat +:beatname_pkg: metricbeat +++++ +
+
+ + + + + + +
+
+++++ + +include::start.asciidoc[tag=deb] + +++++ +
+ + + + + +
+++++ \ No newline at end of file diff --git a/libbeat/docs/tab-widgets/start.asciidoc b/libbeat/docs/tab-widgets/start.asciidoc index ce97a667a94..0dd2728d53c 100644 --- a/libbeat/docs/tab-widgets/start.asciidoc +++ b/libbeat/docs/tab-widgets/start.asciidoc @@ -1,4 +1,7 @@ // tag::deb[] + +:beatname_url: {beats-ref-root}/{beatname_lc}/{branch} + ["source","sh",subs="attributes"] ---------------------------------------------------------------------- sudo service {beatname_pkg} start @@ -6,12 +9,12 @@ sudo service {beatname_pkg} start // tag::initd-note[] NOTE: If you use an `init.d` script to start {beatname_uc}, you can't specify command -line flags (see <>). To specify flags, start {beatname_uc} in +line flags (see {beatname_url}/command-line-options.html[Command reference]). To specify flags, start {beatname_uc} in the foreground. // end::initd-note[] -Also see <>. +Also see {beatname_url}/running-with-systemd.html[{beatname_uc} and systemd]. // end::deb[] // tag::rpm[] @@ -22,7 +25,7 @@ sudo service {beatname_pkg} start include::start.asciidoc[tag=initd-note] -Also see <>. +Also see {beatname_url}/running-with-systemd.html[{beatname_uc} and systemd]. // end::rpm[] diff --git a/libbeat/docs/template-config.asciidoc b/libbeat/docs/template-config.asciidoc index 3271d567c2a..9ac888503d1 100644 --- a/libbeat/docs/template-config.asciidoc +++ b/libbeat/docs/template-config.asciidoc @@ -26,6 +26,11 @@ existing one. *`setup.template.enabled`*:: Set to false to disable template loading. If set this to false, you must <>. +*`setup.template.type`*:: The type of template to use. Available options: `legacy` (default), index templates +before Elasticsearch v7.8. Use this to avoid breaking existing deployments. New options are `composite` +and `index`. Selecting `component` loads a component template which can be included in new index templates. +The option `index` loads the new index template. + *`setup.template.name`*:: The name of the template. The default is +{beatname_lc}+. The {beatname_uc} version is always appended to the given name, so the final name is +{beatname_lc}-%{[{beat_version_key}]}+. diff --git a/libbeat/docs/version.asciidoc b/libbeat/docs/version.asciidoc index a4936388f9e..d2c668c7392 100644 --- a/libbeat/docs/version.asciidoc +++ b/libbeat/docs/version.asciidoc @@ -1,6 +1,6 @@ :stack-version: 8.0.0 :doc-branch: master -:go-version: 1.14.4 +:go-version: 1.14.7 :release-state: unreleased :python: 3.7 :docker: 1.12 diff --git a/libbeat/esleg/eslegclient/api_test.go b/libbeat/esleg/eslegclient/api_test.go index 9055eb1f942..21897b9c1a1 100644 --- a/libbeat/esleg/eslegclient/api_test.go +++ b/libbeat/esleg/eslegclient/api_test.go @@ -81,7 +81,7 @@ func TestReadQueryResult(t *testing.T) { json := queryResult.Source result, err := readQueryResult(json) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, queryResult.Ok, result.Ok) assert.Equal(t, queryResult.Index, result.Index) assert.Equal(t, queryResult.Type, result.Type) @@ -96,7 +96,7 @@ func TestReadQueryResult(t *testing.T) { func TestReadQueryResult_empty(t *testing.T) { result, err := readQueryResult(nil) assert.Nil(t, result) - assert.Nil(t, err) + assert.NoError(t, err) } // Check invalid query result object @@ -125,7 +125,7 @@ func TestReadSearchResult(t *testing.T) { results, err := readSearchResult(json) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, resultsObject.Took, results.Took) assert.Equal(t, resultsObject.Hits, results.Hits) assert.Equal(t, resultsObject.Shards, results.Shards) @@ -147,7 +147,7 @@ func TestReadSearchResult(t *testing.T) { results, err := readSearchResult(json) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, resultsObject.Took, results.Took) assert.Equal(t, resultsObject.Hits, results.Hits) assert.Equal(t, resultsObject.Shards, results.Shards) @@ -158,7 +158,7 @@ func TestReadSearchResult(t *testing.T) { func TestReadSearchResult_empty(t *testing.T) { results, err := readSearchResult(nil) assert.Nil(t, results) - assert.Nil(t, err) + assert.NoError(t, err) } func TestReadSearchResult_invalid(t *testing.T) { diff --git a/libbeat/esleg/eslegclient/bulkapi.go b/libbeat/esleg/eslegclient/bulkapi.go index 2bfe241b718..8a8e391a7eb 100644 --- a/libbeat/esleg/eslegclient/bulkapi.go +++ b/libbeat/esleg/eslegclient/bulkapi.go @@ -30,7 +30,6 @@ import ( "go.elastic.co/apm" "go.elastic.co/apm/module/apmhttp" - "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" ) @@ -94,43 +93,6 @@ func (conn *Connection) Bulk( return conn.sendBulkRequest(requ) } -// SendMonitoringBulk creates a HTTP request to the X-Pack Monitoring API containing a bunch of -// operations and sends them to Elasticsearch. The request is retransmitted up to max_retries -// before returning an error. -func (conn *Connection) SendMonitoringBulk( - params map[string]string, - body []interface{}, -) (BulkResult, error) { - if len(body) == 0 { - return nil, nil - } - - enc := conn.Encoder - enc.Reset() - if err := bulkEncode(conn.log, enc, body); err != nil { - return nil, err - } - - if !conn.version.IsValid() { - if err := conn.Connect(); err != nil { - return nil, err - } - } - - mergedParams := mergeParams(conn.ConnectionSettings.Parameters, params) - - requ, err := newMonitoringBulkRequest(conn.GetVersion(), conn.URL, mergedParams, enc) - if err != nil { - return nil, err - } - - _, result, err := conn.sendBulkRequest(requ) - if err != nil { - return nil, err - } - return result, nil -} - func newBulkRequest( urlStr string, index, docType string, @@ -145,20 +107,6 @@ func newBulkRequest( return newBulkRequestWithPath(urlStr, path, params, body) } -func newMonitoringBulkRequest( - esVersion common.Version, - urlStr string, - params map[string]string, - body BodyEncoder, -) (*bulkRequest, error) { - path, err := makePath("_monitoring", "bulk", "") - if err != nil { - return nil, err - } - - return newBulkRequestWithPath(urlStr, path, params, body) -} - func newBulkRequestWithPath( urlStr string, path string, diff --git a/libbeat/keystore/file_keystore_test.go b/libbeat/keystore/file_keystore_test.go index 63c25afdadf..fbfaea83da9 100644 --- a/libbeat/keystore/file_keystore_test.go +++ b/libbeat/keystore/file_keystore_test.go @@ -280,7 +280,7 @@ func createAndReadKeystoreSecret(t *testing.T, password []byte, key string, valu defer os.Remove(path) keyStore, err := NewFileKeystoreWithPassword(path, NewSecureString(password)) - assert.Nil(t, err) + assert.NoError(t, err) writableKeystore, err := AsWritableKeystore(keyStore) assert.NoError(t, err) diff --git a/libbeat/keystore/secure_string_test.go b/libbeat/keystore/secure_string_test.go index 9f4a91b6cfe..5ce407ecc89 100644 --- a/libbeat/keystore/secure_string_test.go +++ b/libbeat/keystore/secure_string_test.go @@ -30,7 +30,7 @@ func TestGet(t *testing.T) { s := NewSecureString(secret) v, err := s.Get() assert.Equal(t, secret, v) - assert.Nil(t, err) + assert.NoError(t, err) } func TestStringMarshalingS(t *testing.T) { diff --git a/libbeat/kibana/client.go b/libbeat/kibana/client.go index d2e30ed5f2a..3b951ee5e34 100644 --- a/libbeat/kibana/client.go +++ b/libbeat/kibana/client.go @@ -41,6 +41,7 @@ type Connection struct { URL string Username string Password string + Headers http.Header HTTP *http.Client Version common.Version @@ -132,11 +133,17 @@ func NewClientWithConfig(config *ClientConfig) (*Client, error) { return nil, err } + headers := make(http.Header) + for k, v := range config.Headers { + headers.Set(k, v) + } + client := &Client{ Connection: Connection{ URL: kibanaURL, Username: username, Password: password, + Headers: headers, HTTP: &http.Client{ Transport: &http.Transport{ Dial: dialer.Dial, @@ -203,17 +210,21 @@ func (conn *Connection) SendWithContext(ctx context.Context, method, extraPath s req.SetBasicAuth(conn.Username, conn.Password) } + addHeaders(req.Header, conn.Headers) + addHeaders(req.Header, headers) req.Header.Set("Content-Type", "application/json") - req.Header.Add("Accept", "application/json") + req.Header.Set("Accept", "application/json") req.Header.Set("kbn-xsrf", "1") - for header, values := range headers { - for _, value := range values { - req.Header.Add(header, value) + return conn.RoundTrip(req) +} + +func addHeaders(out, in http.Header) { + for k, vs := range in { + for _, v := range vs { + out.Add(k, v) } } - - return conn.RoundTrip(req) } // Implements RoundTrip interface diff --git a/libbeat/kibana/client_config.go b/libbeat/kibana/client_config.go index 07897b9fad9..09709e3d81d 100644 --- a/libbeat/kibana/client_config.go +++ b/libbeat/kibana/client_config.go @@ -25,14 +25,18 @@ import ( // ClientConfig to connect to Kibana type ClientConfig struct { - Protocol string `config:"protocol" yaml:"protocol,omitempty"` - Host string `config:"host" yaml:"host,omitempty"` - Path string `config:"path" yaml:"path,omitempty"` - SpaceID string `config:"space.id" yaml:"space.id,omitempty"` - Username string `config:"username" yaml:"username,omitempty"` - Password string `config:"password" yaml:"password,omitempty"` - TLS *tlscommon.Config `config:"ssl" yaml:"ssl"` - Timeout time.Duration `config:"timeout" yaml:"timeout"` + Protocol string `config:"protocol" yaml:"protocol,omitempty"` + Host string `config:"host" yaml:"host,omitempty"` + Path string `config:"path" yaml:"path,omitempty"` + SpaceID string `config:"space.id" yaml:"space.id,omitempty"` + Username string `config:"username" yaml:"username,omitempty"` + Password string `config:"password" yaml:"password,omitempty"` + TLS *tlscommon.Config `config:"ssl" yaml:"ssl"` + Timeout time.Duration `config:"timeout" yaml:"timeout"` + + // Headers holds headers to include in every request sent to Kibana. + Headers map[string]string `config:"headers" yaml:"headers,omitempty"` + IgnoreVersion bool } diff --git a/libbeat/kibana/client_test.go b/libbeat/kibana/client_test.go index 00d736e60d6..ac5b9cff7e2 100644 --- a/libbeat/kibana/client_test.go +++ b/libbeat/kibana/client_test.go @@ -18,12 +18,16 @@ package kibana import ( + "fmt" "net/http" "net/http/httptest" "net/url" "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/common" ) func TestErrorJson(t *testing.T) { @@ -74,3 +78,44 @@ func TestSuccess(t *testing.T) { assert.Equal(t, http.StatusOK, code) assert.NoError(t, err) } + +func TestNewKibanaClient(t *testing.T) { + var requests []*http.Request + kibanaTs := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + requests = append(requests, r) + if r.URL.Path == "/api/status" { + w.Write([]byte(`{"version":{"number":"1.2.3-beta","build_snapshot":true}}`)) + } + })) + defer kibanaTs.Close() + + client, err := NewKibanaClient(common.MustNewConfigFrom(fmt.Sprintf(` +protocol: http +host: %s +headers: + key: value + content-type: text/plain + accept: text/plain + kbn-xsrf: 0 +`, kibanaTs.Listener.Addr().String()))) + require.NoError(t, err) + require.NotNil(t, client) + + client.Request(http.MethodPost, "/foo", url.Values{}, http.Header{"key": []string{"another_value"}}, nil) + + // NewKibanaClient issues a request to /api/status to fetch the version. + require.Len(t, requests, 2) + assert.Equal(t, "/api/status", requests[0].URL.Path) + assert.Equal(t, []string{"value"}, requests[0].Header.Values("key")) + assert.Equal(t, "1.2.3-beta-SNAPSHOT", client.Version.String()) + + // Headers specified in cient.Request are added to those defined in config. + // + // Content-Type, Accept, and kbn-xsrf cannot be overridden. + assert.Equal(t, "/foo", requests[1].URL.Path) + assert.Equal(t, []string{"value", "another_value"}, requests[1].Header.Values("key")) + assert.Equal(t, []string{"application/json"}, requests[1].Header.Values("Content-Type")) + assert.Equal(t, []string{"application/json"}, requests[1].Header.Values("Accept")) + assert.Equal(t, []string{"1"}, requests[1].Header.Values("kbn-xsrf")) + +} diff --git a/libbeat/logp/configure/logging.go b/libbeat/logp/configure/logging.go index 6e4d60ece1f..43a32dd7f2f 100644 --- a/libbeat/logp/configure/logging.go +++ b/libbeat/logp/configure/logging.go @@ -22,6 +22,8 @@ import ( "fmt" "strings" + "go.uber.org/zap/zapcore" + "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" ) @@ -40,7 +42,7 @@ func init() { flag.BoolVar(&verbose, "v", false, "Log at INFO level") flag.BoolVar(&toStderr, "e", false, "Log to stderr and disable syslog/file output") common.StringArrVarFlag(nil, &debugSelectors, "d", "Enable certain debug selectors") - flag.Var((*environmentVar)(&environment), "environment", "set environment the Beat is run in") + flag.Var((*environmentVar)(&environment), "environment", "set environment being ran in") } // Logging builds a logp.Config based on the given common.Config and the specified @@ -58,6 +60,21 @@ func Logging(beatName string, cfg *common.Config) error { return logp.Configure(config) } +// Logging builds a logp.Config based on the given common.Config and the specified +// CLI flags along with the given outputs. +func LoggingWithOutputs(beatName string, cfg *common.Config, outputs ...zapcore.Core) error { + config := logp.DefaultConfig(environment) + config.Beat = beatName + if cfg != nil { + if err := cfg.Unpack(&config); err != nil { + return err + } + } + + applyFlags(&config) + return logp.ConfigureWithOutputs(config, outputs...) +} + func applyFlags(cfg *logp.Config) { if toStderr { cfg.ToStderr = true diff --git a/libbeat/logp/core.go b/libbeat/logp/core.go index e5a4f94e8ee..afb4f57378d 100644 --- a/libbeat/logp/core.go +++ b/libbeat/logp/core.go @@ -27,6 +27,8 @@ import ( "sync/atomic" "unsafe" + "github.com/hashicorp/go-multierror" + "github.com/pkg/errors" "go.uber.org/zap" "go.uber.org/zap/zapcore" @@ -62,6 +64,13 @@ type coreLogger struct { // Configure configures the logp package. func Configure(cfg Config) error { + return ConfigureWithOutputs(cfg) +} + +// XXX: ConfigureWithOutputs is used by elastic-agent only (See file: x-pack/elastic-agent/pkg/core/logger/logger.go). +// The agent requires that the output specified in the config object is configured and merged with the +// logging outputs given. +func ConfigureWithOutputs(cfg Config, outputs ...zapcore.Core) error { var ( sink zapcore.Core observedLogs *observer.ObservedLogs @@ -105,6 +114,7 @@ func Configure(cfg Config) error { sink = selectiveWrapper(sink, selectors) } + sink = newMultiCore(append(outputs, sink)...) root := zap.New(sink, makeOptions(cfg)...) storeLogger(&coreLogger{ selectors: selectors, @@ -262,3 +272,62 @@ func storeLogger(l *coreLogger) { } atomic.StorePointer(&_log, unsafe.Pointer(l)) } + +// newMultiCore creates a sink that sends to multiple cores. +func newMultiCore(cores ...zapcore.Core) zapcore.Core { + return &multiCore{cores} +} + +// multiCore allows multiple cores to be used for logging. +type multiCore struct { + cores []zapcore.Core +} + +// Enabled returns true if the level is enabled in any one of the cores. +func (m multiCore) Enabled(level zapcore.Level) bool { + for _, core := range m.cores { + if core.Enabled(level) { + return true + } + } + return false +} + +// With creates a new multiCore with each core set with the given fields. +func (m multiCore) With(fields []zapcore.Field) zapcore.Core { + cores := make([]zapcore.Core, len(m.cores)) + for i, core := range m.cores { + cores[i] = core.With(fields) + } + return &multiCore{cores} +} + +// Check will place each core that checks for that entry. +func (m multiCore) Check(entry zapcore.Entry, checked *zapcore.CheckedEntry) *zapcore.CheckedEntry { + for _, core := range m.cores { + checked = core.Check(entry, checked) + } + return checked +} + +// Write writes the entry to each core. +func (m multiCore) Write(entry zapcore.Entry, fields []zapcore.Field) error { + var errs error + for _, core := range m.cores { + if err := core.Write(entry, fields); err != nil { + errs = multierror.Append(errs, err) + } + } + return errs +} + +// Sync syncs each core. +func (m multiCore) Sync() error { + var errs error + for _, core := range m.cores { + if err := core.Sync(); err != nil { + errs = multierror.Append(errs, err) + } + } + return errs +} diff --git a/libbeat/logp/encoding.go b/libbeat/logp/encoding.go index 7c3e56507c0..b1977285602 100644 --- a/libbeat/logp/encoding.go +++ b/libbeat/logp/encoding.go @@ -44,13 +44,13 @@ func buildEncoder(cfg Config) zapcore.Encoder { var encCfg zapcore.EncoderConfig var encCreator encoderCreator if cfg.JSON { - encCfg = jsonEncoderConfig() + encCfg = JSONEncoderConfig() encCreator = zapcore.NewJSONEncoder } else if cfg.ToSyslog { - encCfg = syslogEncoderConfig() + encCfg = SyslogEncoderConfig() encCreator = zapcore.NewConsoleEncoder } else { - encCfg = consoleEncoderConfig() + encCfg = ConsoleEncoderConfig() encCreator = zapcore.NewConsoleEncoder } @@ -60,19 +60,19 @@ func buildEncoder(cfg Config) zapcore.Encoder { return encCreator(encCfg) } -func jsonEncoderConfig() zapcore.EncoderConfig { +func JSONEncoderConfig() zapcore.EncoderConfig { return baseEncodingConfig } -func consoleEncoderConfig() zapcore.EncoderConfig { +func ConsoleEncoderConfig() zapcore.EncoderConfig { c := baseEncodingConfig c.EncodeLevel = zapcore.CapitalLevelEncoder c.EncodeName = bracketedNameEncoder return c } -func syslogEncoderConfig() zapcore.EncoderConfig { - c := consoleEncoderConfig() +func SyslogEncoderConfig() zapcore.EncoderConfig { + c := ConsoleEncoderConfig() // Time is generally added by syslog. // But when logging with ECS the empty TimeKey will be // ignored and @timestamp is still added to log line diff --git a/libbeat/logp/logger.go b/libbeat/logp/logger.go index b776a6166f3..6f1c42fe022 100644 --- a/libbeat/logp/logger.go +++ b/libbeat/logp/logger.go @@ -213,6 +213,11 @@ func (l *Logger) Recover(msg string) { } } +// Sync syncs the logger. +func (l *Logger) Sync() error { + return l.logger.Sync() +} + // L returns an unnamed global logger. func L() *Logger { return loadLogger().logger diff --git a/libbeat/mapping/field_test.go b/libbeat/mapping/field_test.go index 0236ac4a6ae..31a9b6c3684 100644 --- a/libbeat/mapping/field_test.go +++ b/libbeat/mapping/field_test.go @@ -527,7 +527,7 @@ func TestFieldsCanConcat(t *testing.T) { t.Run(name, func(t *testing.T) { err := test.fields.canConcat(test.key, strings.Split(test.key, ".")) if test.err == "" { - assert.Nil(t, err) + assert.NoError(t, err) return } if assert.Error(t, err) { diff --git a/libbeat/metric/system/memory/memory_test.go b/libbeat/metric/system/memory/memory_test.go index 58fb7402124..e71e092de52 100644 --- a/libbeat/metric/system/memory/memory_test.go +++ b/libbeat/metric/system/memory/memory_test.go @@ -33,7 +33,7 @@ func TestGetMemory(t *testing.T) { mem, err := Get() assert.NotNil(t, mem) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, (mem.Total > 0)) assert.True(t, (mem.Used > 0)) @@ -50,7 +50,7 @@ func TestGetSwap(t *testing.T) { swap, err := GetSwap() assert.NotNil(t, swap) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, (swap.Total >= 0)) assert.True(t, (swap.Used >= 0)) diff --git a/libbeat/metric/system/process/process_test.go b/libbeat/metric/system/process/process_test.go index 527f6030716..5e04346edbf 100644 --- a/libbeat/metric/system/process/process_test.go +++ b/libbeat/metric/system/process/process_test.go @@ -37,7 +37,7 @@ func TestPids(t *testing.T) { pids, err := Pids() assert.NotNil(t, pids) - assert.Nil(t, err) + assert.NoError(t, err) // Assuming at least 2 processes are running assert.True(t, (len(pids) > 1)) diff --git a/libbeat/monitoring/monitoring.go b/libbeat/monitoring/monitoring.go index 04014b818cb..2fb587510ee 100644 --- a/libbeat/monitoring/monitoring.go +++ b/libbeat/monitoring/monitoring.go @@ -21,14 +21,11 @@ import ( "errors" "github.com/elastic/beats/v7/libbeat/common" - "github.com/elastic/beats/v7/libbeat/common/cfgwarn" - "github.com/elastic/beats/v7/libbeat/monitoring/report" ) // BeatConfig represents the part of the $BEAT.yml to do with monitoring settings type BeatConfig struct { - XPackMonitoring *common.Config `config:"xpack.monitoring"` - Monitoring *common.Config `config:"monitoring"` + Monitoring *common.Config `config:"monitoring"` } type Mode uint8 @@ -42,11 +39,6 @@ const ( Full ) -var ( - errMonitoringBothConfigEnabled = errors.New("both xpack.monitoring.* and monitoring.* cannot be set. Prefer to set monitoring.* and set monitoring.elasticsearch.hosts to monitoring cluster hosts") - warnMonitoringDeprecatedConfig = "xpack.monitoring.* settings are deprecated. Use monitoring.* instead, but set monitoring.elasticsearch.hosts to monitoring cluster hosts." -) - // Default is the global default metrics registry provided by the monitoring package. var Default = NewRegistry() @@ -85,24 +77,6 @@ func Clear() error { return Default.Clear() } -// SelectConfig selects the appropriate monitoring configuration based on the user's settings in $BEAT.yml. Users may either -// use xpack.monitoring.* settings OR monitoring.* settings but not both. -func SelectConfig(beatCfg BeatConfig) (*common.Config, *report.Settings, error) { - switch { - case beatCfg.Monitoring.Enabled() && beatCfg.XPackMonitoring.Enabled(): - return nil, nil, errMonitoringBothConfigEnabled - case beatCfg.XPackMonitoring.Enabled(): - cfgwarn.Deprecate("8.0.0", warnMonitoringDeprecatedConfig) - monitoringCfg := beatCfg.XPackMonitoring - return monitoringCfg, &report.Settings{Format: report.FormatXPackMonitoringBulk}, nil - case beatCfg.Monitoring.Enabled(): - monitoringCfg := beatCfg.Monitoring - return monitoringCfg, &report.Settings{Format: report.FormatBulk}, nil - default: - return nil, nil, nil - } -} - // GetClusterUUID returns the value of the monitoring.cluster_uuid setting, if it is set. func GetClusterUUID(monitoringCfg *common.Config) (string, error) { if monitoringCfg == nil { diff --git a/libbeat/monitoring/report/elasticsearch/client.go b/libbeat/monitoring/report/elasticsearch/client.go index e4f7bb50036..cb9994b1e3c 100644 --- a/libbeat/monitoring/report/elasticsearch/client.go +++ b/libbeat/monitoring/report/elasticsearch/client.go @@ -42,7 +42,6 @@ var createDocPrivAvailableESVersion = common.MustNewVersion("7.5.0") type publishClient struct { es *eslegclient.Connection params map[string]string - format report.Format log *logp.Logger } @@ -50,12 +49,10 @@ type publishClient struct { func newPublishClient( es *eslegclient.Connection, params map[string]string, - format report.Format, ) (*publishClient, error) { p := &publishClient{ es: es, params: params, - format: format, log: logp.NewLogger(logSelector), } @@ -141,14 +138,7 @@ func (c *publishClient) Publish(ctx context.Context, batch publisher.Batch) erro } } - switch c.format { - case report.FormatXPackMonitoringBulk: - err = c.publishXPackBulk(params, event, typ) - case report.FormatBulk: - err = c.publishBulk(ctx, event, typ) - } - - if err != nil { + if err := c.publishBulk(ctx, event, typ); err != nil { failed = append(failed, event) reason = err } @@ -170,26 +160,6 @@ func (c *publishClient) String() string { return "monitoring(" + c.es.URL + ")" } -func (c *publishClient) publishXPackBulk(params map[string]string, event publisher.Event, typ string) error { - meta := common.MapStr{ - "_index": "", - "_routing": nil, - "_type": typ, - } - bulk := [2]interface{}{ - common.MapStr{"index": meta}, - report.Event{ - Timestamp: event.Content.Timestamp, - Fields: event.Content.Fields, - }, - } - - // Currently one request per event is sent. Reason is that each event can contain different - // interval params and X-Pack requires to send the interval param. - _, err := c.es.SendMonitoringBulk(params, bulk[:]) - return err -} - func (c *publishClient) publishBulk(ctx context.Context, event publisher.Event, typ string) error { meta := common.MapStr{ "_index": getMonitoringIndexName(), diff --git a/libbeat/monitoring/report/elasticsearch/config.go b/libbeat/monitoring/report/elasticsearch/config.go index a603c73788b..8712bf1a88b 100644 --- a/libbeat/monitoring/report/elasticsearch/config.go +++ b/libbeat/monitoring/report/elasticsearch/config.go @@ -22,7 +22,6 @@ import ( "time" "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" - "github.com/elastic/beats/v7/libbeat/monitoring/report" ) // config is subset of libbeat/outputs/elasticsearch config tailored @@ -46,7 +45,6 @@ type config struct { BufferSize int `config:"buffer_size"` Tags []string `config:"tags"` Backoff backoff `config:"backoff"` - Format report.Format `config:"_format"` ClusterUUID string `config:"cluster_uuid"` } diff --git a/libbeat/monitoring/report/elasticsearch/elasticsearch.go b/libbeat/monitoring/report/elasticsearch/elasticsearch.go index c9b392a0e2e..8913264a779 100644 --- a/libbeat/monitoring/report/elasticsearch/elasticsearch.go +++ b/libbeat/monitoring/report/elasticsearch/elasticsearch.go @@ -19,7 +19,6 @@ package elasticsearch import ( "errors" - "fmt" "io" "math/rand" "net/url" @@ -61,12 +60,6 @@ const logSelector = "monitoring" var errNoMonitoring = errors.New("xpack monitoring not available") -// default x-pack monitoring api parameters -var defaultXPackParams = map[string]string{ - "system_id": "beats", - "system_api_version": "7", -} - func init() { report.RegisterReporterFactory("elasticsearch", makeReporter) } @@ -94,7 +87,6 @@ func defaultConfig(settings report.Settings) config { Init: 1 * time.Second, Max: 60 * time.Second, }, - Format: report.FormatXPackMonitoringBulk, ClusterUUID: settings.ClusterUUID, } @@ -102,10 +94,6 @@ func defaultConfig(settings report.Settings) config { c.Username = settings.DefaultUsername } - if settings.Format != report.FormatUnknown { - c.Format = settings.Format - } - return c } @@ -168,7 +156,7 @@ func makeReporter(beat beat.Info, settings report.Settings, cfg *common.Config) }), nil } - monitoring := monitoring.Default.GetRegistry("xpack.monitoring") + monitoring := monitoring.Default.GetRegistry("monitoring") outClient := outputs.NewFailoverClient(clients) outClient = outputs.WithBackoff(outClient, config.Backoff.Init, config.Backoff.Max) @@ -345,11 +333,7 @@ func makeClient( return nil, err } - if config.Format != report.FormatXPackMonitoringBulk && config.Format != report.FormatBulk { - return nil, fmt.Errorf("unknown reporting format: %v", config.Format) - } - - return newPublishClient(esClient, params, config.Format) + return newPublishClient(esClient, params) } func closing(log *logp.Logger, c io.Closer) { @@ -387,11 +371,6 @@ func getClusterUUID() string { func makeClientParams(config config) map[string]string { params := map[string]string{} - if config.Format == report.FormatXPackMonitoringBulk { - for k, v := range defaultXPackParams { - params[k] = v - } - } for k, v := range config.Params { params[k] = v } diff --git a/libbeat/monitoring/report/elasticsearch/elasticsearch_test.go b/libbeat/monitoring/report/elasticsearch/elasticsearch_test.go index 6b6897b3261..02da90aaa1d 100644 --- a/libbeat/monitoring/report/elasticsearch/elasticsearch_test.go +++ b/libbeat/monitoring/report/elasticsearch/elasticsearch_test.go @@ -21,46 +21,20 @@ import ( "testing" "github.com/stretchr/testify/require" - - "github.com/elastic/beats/v7/libbeat/monitoring/report" ) func TestMakeClientParams(t *testing.T) { - tests := map[string]struct { - format report.Format - params map[string]string - expected map[string]string - }{ - "format_bulk": { - report.FormatBulk, - map[string]string{ - "foo": "bar", - }, - map[string]string{ - "foo": "bar", - }, - }, - "format_xpack_monitoring_bulk": { - report.FormatXPackMonitoringBulk, - map[string]string{ - "foo": "bar", - }, - map[string]string{ - "foo": "bar", - "system_id": "beats", - "system_api_version": "7", - }, - }, + var params, expected map[string]string + params = map[string]string{ + "foo": "bar", + } + expected = map[string]string{ + "foo": "bar", } - for name, test := range tests { - t.Run(name, func(t *testing.T) { - params := makeClientParams(config{ - Format: test.format, - Params: test.params, - }) + p := makeClientParams(config{ + Params: params, + }) - require.Equal(t, test.expected, params) - }) - } + require.Equal(t, expected, p) } diff --git a/libbeat/monitoring/report/report.go b/libbeat/monitoring/report/report.go index 0f79af4e874..ca43631ac47 100644 --- a/libbeat/monitoring/report/report.go +++ b/libbeat/monitoring/report/report.go @@ -27,23 +27,6 @@ import ( "github.com/elastic/beats/v7/libbeat/common" ) -// Format encodes the type of format to report monitoring data in. This -// is currently only being used by the elaticsearch reporter. -// This is a hack that is necessary so we can map certain monitoring -// configuration options to certain behaviors in reporters. Depending on -// the configuration option used, the correct format is set, and reporters -// that know how to interpret the format use it to choose the appropriate -// reporting behavior. -type Format int - -// Enumerations of various Formats. A reporter can choose whether to -// interpret this setting or not, and if so, how to interpret it. -const ( - FormatUnknown Format = iota // to protect against zero-value errors - FormatXPackMonitoringBulk - FormatBulk -) - type config struct { // allow for maximum one reporter being configured Reporter common.ConfigNamespace `config:",inline"` @@ -51,7 +34,6 @@ type config struct { type Settings struct { DefaultUsername string - Format Format ClusterUUID string } @@ -120,13 +102,6 @@ func getReporterConfig( hosts := hostsCfg{} rc.Unpack(&hosts) - if settings.Format == FormatXPackMonitoringBulk && len(hosts.Hosts) > 0 { - pathMonHosts := rc.PathOf("hosts") - pathOutHost := outCfg.PathOf("hosts") - err := fmt.Errorf("'%v' and '%v' are configured", pathMonHosts, pathOutHost) - return "", nil, err - } - merged, err := common.MergeConfigs(outCfg, rc) if err != nil { return "", nil, err diff --git a/libbeat/outputs/console/console_test.go b/libbeat/outputs/console/console_test.go index a8e85601a89..ce3b414448d 100644 --- a/libbeat/outputs/console/console_test.go +++ b/libbeat/outputs/console/console_test.go @@ -115,7 +115,7 @@ func TestConsoleOutput(t *testing.T) { t.Run(test.title, func(t *testing.T) { batch := outest.NewBatch(test.events...) lines, err := run(test.codec, batch) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, test.expected, lines) // check batch correctly signalled diff --git a/libbeat/outputs/elasticsearch/bulk_test.go b/libbeat/outputs/elasticsearch/bulk_test.go index 49e84128a47..30a44a5c14b 100644 --- a/libbeat/outputs/elasticsearch/bulk_test.go +++ b/libbeat/outputs/elasticsearch/bulk_test.go @@ -83,7 +83,7 @@ func TestESNoErrorStatus(t *testing.T) { response := []byte(`{"create": {"status": 200}}`) code, msg, err := readStatusItem(response) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 200, code) assert.Equal(t, "", msg) } @@ -92,7 +92,7 @@ func TestES1StyleErrorStatus(t *testing.T) { response := []byte(`{"create": {"status": 400, "error": "test error"}}`) code, msg, err := readStatusItem(response) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 400, code) assert.Equal(t, `"test error"`, msg) } @@ -101,7 +101,7 @@ func TestES2StyleErrorStatus(t *testing.T) { response := []byte(`{"create": {"status": 400, "error": {"reason": "test_error"}}}`) code, msg, err := readStatusItem(response) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 400, code) assert.Equal(t, `{"reason": "test_error"}`, msg) } @@ -120,7 +120,7 @@ func TestES2StyleExtendedErrorStatus(t *testing.T) { }`) code, _, err := readStatusItem(response) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 400, code) } diff --git a/libbeat/outputs/elasticsearch/client.go b/libbeat/outputs/elasticsearch/client.go index 3afa7084057..0794ee1c13b 100644 --- a/libbeat/outputs/elasticsearch/client.go +++ b/libbeat/outputs/elasticsearch/client.go @@ -90,6 +90,7 @@ func NewClient( Kerberos: s.Kerberos, Proxy: s.Proxy, ProxyDisable: s.ProxyDisable, + Observer: s.Observer, Parameters: s.Parameters, CompressionLevel: s.CompressionLevel, EscapeHTML: s.EscapeHTML, diff --git a/libbeat/outputs/elasticsearch/client_integration_test.go b/libbeat/outputs/elasticsearch/client_integration_test.go index 9abbbe39873..e243cb7d1e4 100644 --- a/libbeat/outputs/elasticsearch/client_integration_test.go +++ b/libbeat/outputs/elasticsearch/client_integration_test.go @@ -40,6 +40,7 @@ import ( "github.com/elastic/beats/v7/libbeat/esleg/eslegtest" "github.com/elastic/beats/v7/libbeat/idxmgmt" "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/monitoring" "github.com/elastic/beats/v7/libbeat/outputs" "github.com/elastic/beats/v7/libbeat/outputs/outest" ) @@ -78,7 +79,7 @@ func TestClientPublishEventKerberosAware(t *testing.T) { } func testPublishEvent(t *testing.T, index string, cfg map[string]interface{}) { - output, client := connectTestEs(t, cfg) + output, client := connectTestEsWithStats(t, cfg, index) // drop old index preparing test client.conn.Delete(index, "", "", nil) @@ -107,6 +108,12 @@ func testPublishEvent(t *testing.T, index string, cfg map[string]interface{}) { } assert.Equal(t, 1, resp.Count) + + outputSnapshot := monitoring.CollectFlatSnapshot(monitoring.Default.GetRegistry("output-"+index), monitoring.Full, true) + assert.Greater(t, outputSnapshot.Ints["write.bytes"], int64(0), "output.events.write.bytes must be greater than 0") + assert.Greater(t, outputSnapshot.Ints["read.bytes"], int64(0), "output.events.read.bytes must be greater than 0") + assert.Equal(t, int64(0), outputSnapshot.Ints["write.errors"]) + assert.Equal(t, int64(0), outputSnapshot.Ints["read.errors"]) } func TestClientPublishEventWithPipeline(t *testing.T) { @@ -117,7 +124,7 @@ func TestClientPublishEventWithPipeline(t *testing.T) { index := "beat-int-pub-single-with-pipeline" pipeline := "beat-int-pub-single-pipeline" - output, client := connectTestEs(t, obj{ + output, client := connectTestEsWithoutStats(t, obj{ "index": index, "pipeline": "%{[pipeline]}", }) @@ -199,7 +206,7 @@ func TestClientBulkPublishEventsWithPipeline(t *testing.T) { index := "beat-int-pub-bulk-with-pipeline" pipeline := "beat-int-pub-bulk-pipeline" - output, client := connectTestEs(t, obj{ + output, client := connectTestEsWithoutStats(t, obj{ "index": index, "pipeline": "%{[pipeline]}", }) @@ -276,7 +283,7 @@ func TestClientBulkPublishEventsWithPipeline(t *testing.T) { func TestClientPublishTracer(t *testing.T) { index := "beat-apm-tracer-test" - output, client := connectTestEs(t, map[string]interface{}{ + output, client := connectTestEsWithoutStats(t, map[string]interface{}{ "index": index, }) @@ -314,7 +321,17 @@ func TestClientPublishTracer(t *testing.T) { assert.Equal(t, "/_bulk", secondSpan.Context.HTTP.URL.Path) } -func connectTestEs(t *testing.T, cfg interface{}) (outputs.Client, *Client) { +func connectTestEsWithStats(t *testing.T, cfg interface{}, suffix string) (outputs.Client, *Client) { + m := monitoring.Default.NewRegistry("output-" + suffix) + s := outputs.NewStats(m) + return connectTestEs(t, cfg, s) +} + +func connectTestEsWithoutStats(t *testing.T, cfg interface{}) (outputs.Client, *Client) { + return connectTestEs(t, cfg, outputs.NewNilObserver()) +} + +func connectTestEs(t *testing.T, cfg interface{}, stats outputs.Observer) (outputs.Client, *Client) { config, err := common.NewConfigFrom(map[string]interface{}{ "hosts": eslegtest.GetEsHost(), "username": eslegtest.GetUser(), @@ -337,7 +354,7 @@ func connectTestEs(t *testing.T, cfg interface{}) (outputs.Client, *Client) { info := beat.Info{Beat: "libbeat"} im, _ := idxmgmt.DefaultSupport(nil, info, nil) - output, err := makeES(im, info, outputs.NewNilObserver(), config) + output, err := makeES(im, info, stats, config) if err != nil { t.Fatal(err) } @@ -356,7 +373,7 @@ func connectTestEs(t *testing.T, cfg interface{}) (outputs.Client, *Client) { // setupRoleMapping sets up role mapping for the Kerberos user beats@ELASTIC func setupRoleMapping(t *testing.T, host string) error { - _, client := connectTestEs(t, map[string]interface{}{ + _, client := connectTestEsWithoutStats(t, map[string]interface{}{ "hosts": host, "username": "elastic", "password": "changeme", diff --git a/libbeat/outputs/elasticsearch/docs/elasticsearch.asciidoc b/libbeat/outputs/elasticsearch/docs/elasticsearch.asciidoc index 9bca19a62f3..fbe9a918db3 100644 --- a/libbeat/outputs/elasticsearch/docs/elasticsearch.asciidoc +++ b/libbeat/outputs/elasticsearch/docs/elasticsearch.asciidoc @@ -5,69 +5,54 @@ Elasticsearch ++++ -When you specify Elasticsearch for the output, {beatname_uc} sends the transactions directly to Elasticsearch by using the Elasticsearch HTTP API. +The Elasticsearch output sends events directly to Elasticsearch using the Elasticsearch HTTP API. Example configuration: ["source","yaml",subs="attributes"] ------------------------------------------------------------------------------- - +---- output.elasticsearch: - hosts: ["https://localhost:9200"] - index: "{beat_default_index_prefix}-%{[{beat_version_key}]}-%{+yyyy.MM.dd}" - ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - ssl.certificate: "/etc/pki/client/cert.pem" - ssl.key: "/etc/pki/client/cert.key" ------------------------------------------------------------------------------- + hosts: ["https://myEShost:9200"] <1> +---- +<1> To enable SSL, add `https` to all URLs defined under __hosts__. -Notes about the previous example and client based PKI authentication: +When sending data to a secured cluster through the `elasticsearch` +output, {beatname_uc} can use any of the following authentication methods: -- The `ssl.certificate` and `ssl.key` settings are ONLY needed if {es} is configured to require client based PKI authentication (with `xpack.security.http.ssl.client_authentication: required` or `xpack.security.http.ssl.client_authentication: optional`). -- The `ssl.certificate_authorities` setting needs to include the CA used to sign the remote server certificate, not the client cert. -- If client PKI is used, the remote server ({es}) should include the CA used for signing the client cert in the `xpack.security.http.ssl.certificate_authorities: []` list. +* Basic authentication credentials (username and password). +* Token-based (API key) authentication. +* Public Key Infrastructure (PKI) certificates. -To enable SSL, just add `https` to all URLs defined under __hosts__. +*Basic authentication:* ["source","yaml",subs="attributes,callouts"] ------------------------------------------------------------------------------- - +---- output.elasticsearch: - hosts: ["https://localhost:9200"] - username: "{beatname_lc}_internal" + hosts: ["https://myEShost:9200"] + username: "{beat_default_index_prefix}_writer" password: "{pwd}" ------------------------------------------------------------------------------- +---- -To use an API key to connect to {es}, use `api_key`. The value must be the ID of -the API key and the API key joined by a colon. +*API key authentication:* ["source","yaml",subs="attributes,callouts"] ------------------------------------------------------------------------------- +---- output.elasticsearch: - hosts: ["https://localhost:9200"] - api_key: "VuaCfGcBCdbkQm-e5aOx:ui2lp2axTNmsyakw9tvNnw" ------------------------------------------------------------------------------- + hosts: ["https://myEShost:9200"] + api_key: "KnR6yE41RrSowb0kQ0HWoA" +---- -If the Elasticsearch nodes are defined by `IP:PORT`, then add `protocol: https` to the yaml file. +*PKI certificate authentication:* ["source","yaml",subs="attributes,callouts"] ------------------------------------------------------------------------------- +---- output.elasticsearch: - hosts: ["localhost"] - protocol: "https" - username: "{beatname_lc}_internal" - password: "{pwd}" ------------------------------------------------------------------------------- - + hosts: ["https://myEShost:9200"] + ssl.certificate: "/etc/pki/client/cert.pem" + ssl.key: "/etc/pki/client/cert.key" +---- -For more information about securing {beatname_uc}, see -<>. - -ifndef::no_ilm[] -If you are indexing large amounts of time-series data, you might also want to -configure {beatname_uc} to use index lifecycle management. For more information -about configuring and using index lifecycle management with {beatname_uc}, see -<>. -endif::no_ilm[] +See <> for details on each authentication method. ==== Compatibility @@ -82,9 +67,9 @@ You can specify the following options in the `elasticsearch` section of the +{be ===== `enabled` The enabled config is a boolean setting to enable or disable the output. If set -to false, the output is disabled. +to `false`, the output is disabled. -The default value is true. +The default value is `true`. [[hosts-option]] @@ -102,7 +87,7 @@ NOTE: When a node is defined as an `IP:PORT`, the _scheme_ and _path_ are taken [source,yaml] ------------------------------------------------------------------------------ output.elasticsearch: - hosts: ["10.45.3.2:9220", "10.45.3.1:9230"] + hosts: ["10.45.3.2:9220", "10.45.3.1:9230"] <1> protocol: https path: /elasticsearch ------------------------------------------------------------------------------ @@ -112,12 +97,12 @@ In the previous example, the Elasticsearch nodes are available at `https://10.45 ===== `compression_level` -The gzip compression level. Setting this value to 0 disables compression. -The compression level must be in the range of 1 (best speed) to 9 (best compression). +The gzip compression level. Setting this value to `0` disables compression. +The compression level must be in the range of `1` (best speed) to `9` (best compression). Increasing the compression level will reduce the network usage but will increase the cpu usage. -The default value is 0. +The default value is `0`. ===== `escape_html` @@ -132,18 +117,22 @@ The number of workers per configured host publishing events to Elasticsearch. Th is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host). -The default value is 1. +The default value is `1`. ===== `api_key` -Instead of using usernames and passwords, you can use API keys to secure communication -with {es}. The value must be the ID of the API key and the API key joined by a colon. -For more information, see <>. +Instead of using a username and password, you can use API keys to secure communication +with {es}. The value must be the ID of the API key and the API key joined by a colon: `id:api_key`. + +See <> for more information. ===== `username` The basic authentication username for connecting to Elasticsearch. +This user needs the privileges required to publish events to {es}. +To create a user like this, see <>. + ===== `password` The basic authentication password for connecting to Elasticsearch. @@ -178,7 +167,7 @@ output.elasticsearch.headers: X-My-Header: Header contents ------------------------------------------------------------------------------ -It is generally possible to specify multiple header values for the same header +It is possible to specify multiple header values for the same header name by separating them with a comma. ===== `proxy_url` @@ -193,29 +182,13 @@ for more information about the environment variables. [[index-option-es]] ===== `index` +// Begin exclude for APM Server docs ifndef::apm-server[] The index name to write events to when you're using daily indices. The default is -+"{beatname_lc}-%{[{beat_version_key}]}-%{+yyyy.MM.dd}"+ (for example, -+"{beatname_lc}-{version}-{localdate}"+). If you change this setting, you also ++"{beatname_lc}-%{[{beat_version_key}]}-%{+yyyy.MM.dd}"+, for example, ++"{beatname_lc}-{version}-{localdate}"+. If you change this setting, you also need to configure the `setup.template.name` and `setup.template.pattern` options (see <>). -endif::apm-server[] - -ifdef::apm-server[] -The index name to write events to. The default is -+"apm-%{[{beat_version_key}]}-{type}-%{+yyyy.MM.dd}"+ (for example, -+"apm-{version}-transaction-{localdate}"+). See -<> for more information on -default index configuration. - -IMPORTANT: If you change this setting, -you need to configure the `setup.template.name` and `setup.template.pattern` options -(see <>). You also must set the default index configuration -in the `apm-server.yml` file. - -NOTE: +{beat_version_key}+ is a field managed by Beats that is added to every document. -It holds the current version of APM Server. -endif::apm-server[] ifndef::no_dashboards[] If you are using the pre-built Kibana @@ -223,11 +196,12 @@ dashboards, you also need to set the `setup.dashboards.index` option (see <>). endif::no_dashboards[] -ifndef::apm-server[] ifndef::no_ilm[] -The `index` setting is ignored when index lifecycle management is enabled. If -you’re sending events to a cluster that supports index lifecycle management, see -<> to learn how to change the index name. +When <> is enabled, the default `index` is ++"{beatname_lc}-%{[{beat_version_key}]}-%{+yyyy.MM.dd}-%{index_num}"+, for example, ++"{beatname_lc}-{version}-{localdate}-000001"+. Custom `index` settings are ignored +when ILM is enabled. If you’re sending events to a cluster that supports index +lifecycle management, see <> to learn how to change the index name. endif::no_ilm[] You can set the index dynamically by using a format string to access any event @@ -249,11 +223,23 @@ index named +normal-{version}-{localdate}+, and all events with `log_type: critical` are sent to an index named +critical-{version}-{localdate}+. endif::apm-server[] +// End exclude for APM Server docs +// Start include for APM Server docs ifdef::apm-server[] +The index name to write events to when you're using daily indices. The default is ++"apm-%{[{beat_version_key}]}-{type}-%{+yyyy.MM.dd}"+ (for example, ++"apm-{version}-transaction-{localdate}"+). If you change this setting, +you need to configure the `setup.template.name` and `setup.template.pattern` options +(see <>). + +When <> is enabled, the default `index` is ++"apm-%{[{beat_version_key}]}-{type}-%{index_num}"+ (for example, ++"apm-{version}-transaction-000001"+). **Defining a custom `index` here will disable <>**. + You can set the index dynamically by using a format string to access any event -field. For example, this configuration uses the field, `processor.event`, -to set the index: +field. For example, this configuration uses the field, `processor.event` to separate +events into different indices: ["source","yaml",subs="attributes"] ------------------------------------------------------------------------------ @@ -261,14 +247,13 @@ output.elasticsearch: hosts: ["http://localhost:9200"] index: "apm-%{[observer.version]}-%{[processor.event]}-%{+yyyy.MM.dd}\" <1> ------------------------------------------------------------------------------ - -<1> `observer` refers to {beatname_uc}. We recommend including -+{beat_version_key}+ in the name to avoid mapping issues when you upgrade +<1> +{beat_version_key}+ is a field managed by Beats that is added to every document; +It holds the current version of APM Server. We recommend including ++{beat_version_key}+ in the index name to avoid mapping issues when you upgrade {beatname_uc}. -With this configuration, -all events are separated by their `processor.event` into different indices. endif::apm-server[] +// End include for APM Server docs TIP: To learn how to add custom fields to events, see the <> option. @@ -276,7 +261,6 @@ TIP: To learn how to add custom fields to events, see the See the <> setting for other ways to set the index dynamically. - [[indices-option-es]] ===== `indices` @@ -286,6 +270,10 @@ matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `indices` setting is missing or no rule matches, the <> setting is used. +ifndef::no_ilm[] +Similar to `index`, defining custom `indices` will disable <>. +endif::no_ilm[] + Rule settings: *`index`*:: The index format string to use. If this string contains field @@ -359,23 +347,23 @@ output.elasticsearch: - index: "apm-%{[observer.version]}-sourcemap" when.contains: processor.event: "sourcemap" - + - index: "apm-%{[observer.version]}-error-%{+yyyy.MM.dd}" when.contains: processor.event: "error" - + - index: "apm-%{[observer.version]}-transaction-%{+yyyy.MM.dd}" when.contains: processor.event: "transaction" - + - index: "apm-%{[observer.version]}-span-%{+yyyy.MM.dd}" when.contains: processor.event: "span" - + - index: "apm-%{[observer.version]}-metric-%{+yyyy.MM.dd}" when.contains: processor.event: "metric" - + - index: "apm-%{[observer.version]}-onboarding-%{+yyyy.MM.dd}" when.contains: processor.event: "onboarding" @@ -385,7 +373,7 @@ NOTE: `observer` refers to {beatname_uc}. We recommend including +{beat_version_key}+ in the name to avoid mapping issues when you upgrade {beatname_uc}. -This is the default configuration for {beatname_uc} and results in indices +This is the default configuration for {beatname_uc} when ILM is disabled, and results in indices named in the following format: +"apm-%{[{beat_version_key}]}-{type}-%{+yyyy.MM.dd}"+ For example: +"apm-{version}-transaction-{localdate}"+. @@ -452,7 +440,6 @@ output.elasticsearch: pipeline: "%{[fields.log_type]}_pipeline" ------------------------------------------------------------------------------ - With this configuration, all events with `log_type: normal` are sent to a pipeline named `normal_pipeline`, and all events with `log_type: critical` are sent to a pipeline named `critical_pipeline`. @@ -470,13 +457,12 @@ output.elasticsearch: pipeline: "%{[processor.event]}_pipeline" ------------------------------------------------------------------------------ - With this configuration, all events with `processor.event: transaction` are sent to a pipeline named `transaction_pipeline`. Similarly, all events with `processor.event: error` are sent to a pipeline named `error_pipeline`. -The default pipeline is `apm`. It adds user agent and geo ip information to events. -To disable this, or any other pipeline, set `output.elasticsearch.pipeline: _none`. +The default pipeline is `apm`. To disable this, or any other pipeline, set +`output.elasticsearch.pipeline: _none`. endif::apm-server[] TIP: To learn how to add custom fields to events, see the @@ -565,23 +551,23 @@ output.elasticsearch: - pipeline: "sourcemap_pipeline" when.contains: processor.event: "sourcemap" - + - pipeline: "error_pipeline" when.contains: processor.event: "error" - + - pipeline: "transaction_pipeline" when.contains: processor.event: "transaction" - + - pipeline: "span_pipeline" when.contains: processor.event: "span" - + - pipeline: "metric_pipeline" when.contains: processor.event: "metric" - + - pipeline: "onboarding_pipeline" when.contains: processor.event: "onboarding" @@ -658,13 +644,13 @@ The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting `backoff.init` seconds, {beatname_uc} tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The -default is 1s. +default is `1s`. ===== `backoff.max` The maximum number of seconds to wait before attempting to connect to -Elasticsearch after a network error. The default is 60s. +Elasticsearch after a network error. The default is `60s`. ===== `timeout` @@ -676,7 +662,8 @@ Configuration options for SSL parameters like the certificate authority to use for HTTPS-based connections. If the `ssl` section is missing, the host CAs are used for HTTPS connections to Elasticsearch. -See <> for more information. +See the <> guide +or <> for more information. ===== `kerberos` diff --git a/libbeat/outputs/logstash/docs/logstash.asciidoc b/libbeat/outputs/logstash/docs/logstash.asciidoc index 122f1178b2e..910551f9252 100644 --- a/libbeat/outputs/logstash/docs/logstash.asciidoc +++ b/libbeat/outputs/logstash/docs/logstash.asciidoc @@ -5,8 +5,8 @@ Logstash ++++ -The Logstash output sends events directly to Logstash by using the lumberjack -protocol, which runs over TCP. Logstash allows for additional processing and routing of +The {ls} output sends events directly to {ls} by using the lumberjack +protocol, which runs over TCP. {ls} allows for additional processing and routing of generated events. // tag::shared-logstash-config[] @@ -26,11 +26,10 @@ If you want to use {ls} to perform additional processing on the data collected b To do this, edit the {beatname_uc} configuration file to disable the {es} output by commenting it out and enable the {ls} output by uncommenting the -logstash section: +{ls} section: [source,yaml] ------------------------------------------------------------------------------ -#----------------------------- Logstash output -------------------------------- output.logstash: hosts: ["127.0.0.1:5044"] ------------------------------------------------------------------------------ @@ -51,8 +50,8 @@ endif::[] ==== Accessing metadata fields -Every event sent to Logstash contains the following metadata fields that you can -use in Logstash for indexing and filtering: +Every event sent to {ls} contains the following metadata fields that you can +use in {ls} for indexing and filtering: ifndef::apm-server[] ["source","json",subs="attributes"] @@ -65,12 +64,15 @@ ifndef::apm-server[] } } ------------------------------------------------------------------------------ -<1> {beatname_uc} uses the `@metadata` field to send metadata to Logstash. See the -{logstash-ref}/event-dependent-configuration.html#metadata[Logstash documentation] +<1> {beatname_uc} uses the `@metadata` field to send metadata to {ls}. See the +{logstash-ref}/event-dependent-configuration.html#metadata[{ls} documentation] for more about the `@metadata` field. <2> The default is {beat_default_index_prefix}. To change this value, set the <> option in the {beatname_uc} config file. <3> The current version of {beatname_uc}. + +You can access this metadata from within the {ls} config file to set values +dynamically based on the contents of the metadata. endif::[] ifdef::apm-server[] @@ -85,24 +87,24 @@ ifdef::apm-server[] } } ------------------------------------------------------------------------------ -<1> {beatname_uc} uses the `@metadata` field to send metadata to Logstash. See the -{logstash-ref}/event-dependent-configuration.html#metadata[Logstash documentation] +<1> {beatname_uc} uses the `@metadata` field to send metadata to {ls}. See the +{logstash-ref}/event-dependent-configuration.html#metadata[{ls} documentation] for more about the `@metadata` field. <2> The default is {beat_default_index_prefix}. To change this value, set the <> option in the {beatname_uc} config file. <3> The default pipeline configuration: `apm`. Additional pipelines can be enabled -with a {logstash-ref}/use-ingest-pipelines.html[Logstash pipeline config]. +with a {logstash-ref}/use-ingest-pipelines.html[{ls} pipeline config]. <4> The current version of {beatname_uc}. -endif::[] -You can access this metadata from within the Logstash config file to set values -dynamically based on the contents of the metadata. - -For example, the following Logstash configuration file tells -Logstash to use the index reported by {beatname_uc} for indexing events -into Elasticsearch: +In addition to metadata, {beatname_uc} provides the `processor.event` field, which +can be used to separate {apm-overview-ref-v}/apm-data-model.html[event types] into different indices. +endif::[] ifndef::apm-server[] +For example, the following {ls} configuration file tells +{ls} to use the index reported by {beatname_uc} for indexing events +into {es}: + [source,logstash] ------------------------------------------------------------------------------ @@ -126,6 +128,10 @@ the Beat's version. For example: endif::[] ifdef::apm-server[] +For example, the following {ls} configuration file tells +{ls} to use the index and event types reported by {beatname_uc} for indexing events +into {es}: + [source,logstash] ------ input { @@ -156,26 +162,26 @@ output { } ------ <1> Creates a new field named `@metadata.index`. -`%{[@metadata][beat]}` sets the first part of the index name to the value of the `beat` metadata field. +`%{[@metadata][beat]}` sets the first part of the index name to the value of the `metadata.beat` field. `%{[@metadata][version]}` sets the second part to {beatname_uc}'s version. `%{[processor][event]}` sets the final part based on the APM event type. For example: +{beat_default_index_prefix}-{version}-sourcemap+. -<2> In addition to the above rules, this pattern appends a date to the `index` name so Logstash creates a new index each day. +<2> In addition to the above rules, this pattern appends a date to the `index` name so {ls} creates a new index each day. For example: +{beat_default_index_prefix}-{version}-transaction-{sample_date_0}+. endif::[] -Events indexed into Elasticsearch with the Logstash configuration shown here -will be similar to events directly indexed by {beatname_uc} into Elasticsearch. +Events indexed into {es} with the {ls} configuration shown here +will be similar to events directly indexed by {beatname_uc} into {es}. ifndef::apm-server[] -NOTE: If ILM is not being used, set `index` to `%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}` instead so Logstash creates an index per day, based on the `@timestamp` value of the events coming from Beats. +NOTE: If ILM is not being used, set `index` to `%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}` instead so {ls} creates an index per day, based on the `@timestamp` value of the events coming from Beats. endif::[] ifdef::apm-server[] -==== Logstash and ILM +==== {ls} and ILM -When used with {apm-server-ref}/ilm.html[Index lifecycle management], Logstash does not need to create a new index each day. -Here's a sample Logstash configuration file that would accomplish this: +When used with {apm-server-ref}/ilm.html[Index lifecycle management], {ls} does not need to create a new index each day. +Here's a sample {ls} configuration file that would accomplish this: [source,logstash] ------ @@ -188,15 +194,20 @@ input { output { elasticsearch { hosts => ["http://localhost:9200"] - index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{[processor][event]}" + index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{[processor][event]}" <1> } } ------ +<1> Outputs documents to an index: +`%{[@metadata][beat]}` sets the first part of the index name to the value of the `metadata.beat` field. +`%{[@metadata][version]}` sets the second part to {beatname_uc}'s version. +`%{[processor][event]}` sets the final part based on the APM event type. +For example: +{beat_default_index_prefix}-{version}-sourcemap+. endif::[] ==== Compatibility -This output works with all compatible versions of Logstash. See the +This output works with all compatible versions of {ls}. See the https://www.elastic.co/support/matrix#matrix_compatibility[Elastic Support Matrix]. @@ -220,18 +231,18 @@ endif::[] [[hosts]] ===== `hosts` -The list of known Logstash servers to connect to. If load balancing is disabled, but +The list of known {ls} servers to connect to. If load balancing is disabled, but multiple hosts are configured, one host is selected randomly (there is no precedence). If one host becomes unreachable, another one is selected randomly. -All entries in this list can contain a port number. The default port number 5044 will be used, if no number is given. +All entries in this list can contain a port number. The default port number 5044 will be used if no number is given. ===== `compression_level` The gzip compression level. Setting this value to 0 disables compression. The compression level must be in the range of 1 (best speed) to 9 (best compression). -Increasing the compression level will reduce the network usage but will increase the cpu usage. +Increasing the compression level will reduce the network usage but will increase the CPU usage. The default value is 3. @@ -243,15 +254,15 @@ The default value is `false`. ===== `worker` -The number of workers per configured host publishing events to Logstash. This +The number of workers per configured host publishing events to {ls}. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host). [[loadbalance]] ===== `loadbalance` -If set to true and multiple Logstash hosts are configured, the output plugin -load balances published events onto all Logstash hosts. If set to false, +If set to true and multiple {ls} hosts are configured, the output plugin +load balances published events onto all {ls} hosts. If set to false, the output plugin sends all events to only one host (determined at random) and will switch to another host if the selected one becomes unresponsive. The default value is false. @@ -265,28 +276,28 @@ output.logstash: ===== `ttl` -Time to live for a connection to Logstash after which the connection will be re-established. -Useful when Logstash hosts represent load balancers. Since the connections to Logstash hosts +Time to live for a connection to {ls} after which the connection will be re-established. +Useful when {ls} hosts represent load balancers. Since the connections to {ls} hosts are sticky, operating behind load balancers can lead to uneven load distribution between the instances. Specifying a TTL on the connection allows to achieve equal connection distribution between the instances. Specifying a TTL of 0 will disable this feature. The default value is 0. -NOTE: The "ttl" option is not yet supported on an async Logstash client (one with the "pipelining" option set). +NOTE: The "ttl" option is not yet supported on an async {ls} client (one with the "pipelining" option set). ===== `pipelining` -Configures number of batches to be sent asynchronously to logstash while waiting -for ACK from logstash. Output only becomes blocking once number of `pipelining` +Configures the number of batches to be sent asynchronously to {ls} while waiting +for ACK from {ls}. Output only becomes blocking once number of `pipelining` batches have been written. Pipelining is disabled if a value of 0 is configured. The default value is 2. ===== `proxy_url` -The URL of the SOCKS5 proxy to use when connecting to the Logstash servers. The +The URL of the SOCKS5 proxy to use when connecting to the {ls} servers. The value must be a URL with a scheme of `socks5://`. The protocol used to -communicate to Logstash is not based on HTTP so a web-proxy cannot be used. +communicate to {ls} is not based on HTTP so a web-proxy cannot be used. If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL as shown in the example. @@ -305,8 +316,8 @@ output.logstash: [[logstash-proxy-use-local-resolver]] ===== `proxy_use_local_resolver` -The `proxy_use_local_resolver` option determines if Logstash hostnames are -resolved locally when using a proxy. The default value is false which means +The `proxy_use_local_resolver` option determines if {ls} hostnames are +resolved locally when using a proxy. The default value is false, which means that when a proxy is used the name resolution occurs on the proxy server. [[logstash-index]] @@ -317,17 +328,17 @@ example +"{beat_default_index_prefix}"+ generates +"[{beat_default_index_prefix} indices (for example, +"{beat_default_index_prefix}-{version}-2017.04.26"+). NOTE: This parameter's value will be assigned to the `metadata.beat` field. It -can then be accessed in Logstash's output section as `%{[@metadata][beat]}`. +can then be accessed in {ls}'s output section as `%{[@metadata][beat]}`. ===== `ssl` -Configuration options for SSL parameters like the root CA for Logstash connections. See +Configuration options for SSL parameters like the root CA for {ls} connections. See <> for more information. To use SSL, you must also configure the https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html[Beats input plugin for Logstash] to use SSL/TLS. ===== `timeout` -The number of seconds to wait for responses from the Logstash server before timing out. The default is 30 (seconds). +The number of seconds to wait for responses from the {ls} server before timing out. The default is 30 (seconds). ===== `max_retries` @@ -346,7 +357,7 @@ endif::[] ===== `bulk_max_size` -The maximum number of events to bulk in a single Logstash request. The default is 2048. +The maximum number of events to bulk in a single {ls} request. The default is 2048. If the Beat sends single events, the events are collected into batches. If the Beat publishes a large batch of events (larger than the value specified by `bulk_max_size`), the batch is @@ -364,15 +375,15 @@ number of events to be contained in a batch. ===== `slow_start` -If enabled only a subset of events in a batch of events is transferred per transaction. +If enabled, only a subset of events in a batch of events is transferred per transaction. The number of events to be sent increases up to `bulk_max_size` if no error is encountered. -On error the number of events per transaction is reduced again. +On error, the number of events per transaction is reduced again. The default is `false`. ===== `backoff.init` -The number of seconds to wait before trying to reconnect to Logstash after +The number of seconds to wait before trying to reconnect to {ls} after a network error. After waiting `backoff.init` seconds, {beatname_uc} tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The @@ -381,4 +392,4 @@ default is 1s. ===== `backoff.max` The maximum number of seconds to wait before attempting to connect to -Logstash after a network error. The default is 60s. +{ls} after a network error. The default is 60s. diff --git a/libbeat/processors/actions/copy_fields.go b/libbeat/processors/actions/copy_fields.go index 44c13f41c8a..43a797e0fd5 100644 --- a/libbeat/processors/actions/copy_fields.go +++ b/libbeat/processors/actions/copy_fields.go @@ -104,7 +104,7 @@ func (f *copyFields) copyField(from string, to string, fields common.MapStr) err return fmt.Errorf("could not fetch value for key: %s, Error: %s", from, err) } - _, err = fields.Put(to, value) + _, err = fields.Put(to, cloneValue(value)) if err != nil { return fmt.Errorf("could not copy value to %s: %v, %+v", to, value, err) } @@ -114,3 +114,24 @@ func (f *copyFields) copyField(from string, to string, fields common.MapStr) err func (f *copyFields) String() string { return "copy_fields=" + fmt.Sprintf("%+v", f.config.Fields) } + +// cloneValue returns a shallow copy of a map. All other types are passed +// through in the return. This should be used when making straight copies of +// maps without doing any type conversions. +func cloneValue(value interface{}) interface{} { + switch v := value.(type) { + case common.MapStr: + return v.Clone() + case map[string]interface{}: + return common.MapStr(v).Clone() + case []interface{}: + len := len(v) + newArr := make([]interface{}, len) + for idx, val := range v { + newArr[idx] = cloneValue(val) + } + return newArr + default: + return value + } +} diff --git a/libbeat/processors/actions/copy_fields_test.go b/libbeat/processors/actions/copy_fields_test.go index 2ccbb1187b8..96b382a596a 100644 --- a/libbeat/processors/actions/copy_fields_test.go +++ b/libbeat/processors/actions/copy_fields_test.go @@ -122,6 +122,29 @@ func TestCopyFields(t *testing.T) { "message": 42, }, }, + "copy map from nested key message.original to top level field message_copied": { + FromTo: fromTo{ + From: "message.original", + To: "message_copied", + }, + Input: common.MapStr{ + "message": common.MapStr{ + "original": common.MapStr{ + "original": "original", + }, + }, + }, + Expected: common.MapStr{ + "message": common.MapStr{ + "original": common.MapStr{ + "original": "original", + }, + }, + "message_copied": common.MapStr{ + "original": "original", + }, + }, + }, } for name, test := range tests { diff --git a/libbeat/processors/actions/decode_base64_field_test.go b/libbeat/processors/actions/decode_base64_field_test.go index 3941198a565..f85904bc86f 100644 --- a/libbeat/processors/actions/decode_base64_field_test.go +++ b/libbeat/processors/actions/decode_base64_field_test.go @@ -179,9 +179,9 @@ func TestDecodeBase64Run(t *testing.T) { newEvent, err := f.Run(event) if !test.error { - assert.Nil(t, err) + assert.NoError(t, err) } else { - assert.NotNil(t, err) + assert.Error(t, err) } assert.Equal(t, test.Output, newEvent.Fields) diff --git a/libbeat/processors/actions/decompress_gzip_field_test.go b/libbeat/processors/actions/decompress_gzip_field_test.go index 0792d60e64d..73d000563b6 100644 --- a/libbeat/processors/actions/decompress_gzip_field_test.go +++ b/libbeat/processors/actions/decompress_gzip_field_test.go @@ -180,9 +180,9 @@ func TestDecompressGzip(t *testing.T) { newEvent, err := f.Run(event) if !test.error { - assert.Nil(t, err) + assert.NoError(t, err) } else { - assert.NotNil(t, err) + assert.Error(t, err) } assert.Equal(t, test.output, newEvent.Fields) diff --git a/libbeat/processors/actions/extract_field_test.go b/libbeat/processors/actions/extract_field_test.go index 3cbcf2f714f..be466a39da2 100644 --- a/libbeat/processors/actions/extract_field_test.go +++ b/libbeat/processors/actions/extract_field_test.go @@ -92,10 +92,10 @@ func TestCommonPaths(t *testing.T) { event, err := runExtractField(t, testConfig, input) if test.Error { - assert.NotNil(t, err) + assert.Error(t, err) } else { - assert.Nil(t, err) + assert.NoError(t, err) result, err := event.Fields.GetValue(test.Target) if err != nil { t.Fatalf("could not get target field: %s", err) diff --git a/libbeat/processors/actions/rename_test.go b/libbeat/processors/actions/rename_test.go index 1bc34e149e8..53c5a41d5bf 100644 --- a/libbeat/processors/actions/rename_test.go +++ b/libbeat/processors/actions/rename_test.go @@ -245,9 +245,9 @@ func TestRenameRun(t *testing.T) { newEvent, err := f.Run(event) if !test.error { - assert.Nil(t, err) + assert.NoError(t, err) } else { - assert.NotNil(t, err) + assert.Error(t, err) } assert.True(t, reflect.DeepEqual(newEvent.Fields, test.Output)) diff --git a/libbeat/processors/actions/replace_test.go b/libbeat/processors/actions/replace_test.go index e54d16c5012..aa95b4fd9ea 100644 --- a/libbeat/processors/actions/replace_test.go +++ b/libbeat/processors/actions/replace_test.go @@ -152,9 +152,9 @@ func TestReplaceRun(t *testing.T) { newEvent, err := f.Run(event) if !test.error { - assert.Nil(t, err) + assert.NoError(t, err) } else { - assert.NotNil(t, err) + assert.Error(t, err) } assert.True(t, reflect.DeepEqual(newEvent.Fields, test.Output)) diff --git a/libbeat/processors/add_cloud_metadata/_meta/fields.yml b/libbeat/processors/add_cloud_metadata/_meta/fields.yml index e008747b47b..c33f8f2b869 100644 --- a/libbeat/processors/add_cloud_metadata/_meta/fields.yml +++ b/libbeat/processors/add_cloud_metadata/_meta/fields.yml @@ -3,11 +3,6 @@ description: > Metadata from cloud providers added by the add_cloud_metadata processor. fields: - - - name: cloud.project.id - example: project-x - description: > - Name of the project in Google Cloud. - name: cloud.image.id example: ami-abcd1234 diff --git a/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc b/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc index 9a5fcfcbf91..41c0dd6d9f3 100644 --- a/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc +++ b/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc @@ -143,7 +143,7 @@ _Azure Virtual Machine_ ------------------------------------------------------------------------------- { "cloud": { - "provider": "az", + "provider": "azure", "instance.id": "04ab04c3-63de-4709-a9f9-9ab8c0411d5e", "instance.name": "test-az-vm", "machine.type": "Standard_D3_v2", diff --git a/libbeat/processors/add_cloud_metadata/provider_azure_vm.go b/libbeat/processors/add_cloud_metadata/provider_azure_vm.go index 077e9b610dd..9cd3eba55b8 100644 --- a/libbeat/processors/add_cloud_metadata/provider_azure_vm.go +++ b/libbeat/processors/add_cloud_metadata/provider_azure_vm.go @@ -46,7 +46,7 @@ var azureVMMetadataFetcher = provider{ return out } - fetcher, err := newMetadataFetcher(config, "az", azHeaders, metadataHost, azSchema, azMetadataURI) + fetcher, err := newMetadataFetcher(config, "azure", azHeaders, metadataHost, azSchema, azMetadataURI) return fetcher, err }, } diff --git a/libbeat/processors/add_cloud_metadata/provider_azure_vm_test.go b/libbeat/processors/add_cloud_metadata/provider_azure_vm_test.go index 57f26c8ecd5..307ac60abad 100644 --- a/libbeat/processors/add_cloud_metadata/provider_azure_vm_test.go +++ b/libbeat/processors/add_cloud_metadata/provider_azure_vm_test.go @@ -79,7 +79,7 @@ func TestRetrieveAzureMetadata(t *testing.T) { expected := common.MapStr{ "cloud": common.MapStr{ - "provider": "az", + "provider": "azure", "instance": common.MapStr{ "id": "04ab04c3-63de-4709-a9f9-9ab8c0411d5e", "name": "test-az-vm", diff --git a/libbeat/processors/add_docker_metadata/docs/add_docker_metadata.asciidoc b/libbeat/processors/add_docker_metadata/docs/add_docker_metadata.asciidoc index 801437a4624..9329786ad34 100644 --- a/libbeat/processors/add_docker_metadata/docs/add_docker_metadata.asciidoc +++ b/libbeat/processors/add_docker_metadata/docs/add_docker_metadata.asciidoc @@ -29,6 +29,12 @@ To avoid privilege issues, you may also need to add `--user=root` to the `docker run` flags. Because the user must be part of the docker group in order to access `/var/run/docker.sock`, root access is required if {beatname_uc} is running as non-root inside the container. + +If Docker daemon is restarted the mounted socket will become invalid and metadata +will stop working, in these situations there are two options: + + - Restart {beatname_uc} every time Docker is restarted + - Mount the entire `/var/run` directory (instead of just the socket) ===== [source,yaml] diff --git a/libbeat/processors/add_host_metadata/add_host_metadata.go b/libbeat/processors/add_host_metadata/add_host_metadata.go index 1cf1bd90503..69612bd651f 100644 --- a/libbeat/processors/add_host_metadata/add_host_metadata.go +++ b/libbeat/processors/add_host_metadata/add_host_metadata.go @@ -81,6 +81,11 @@ func New(cfg *common.Config) (processors.Processor, error) { // Run enriches the given event with the host meta data func (p *addHostMetadata) Run(event *beat.Event) (*beat.Event, error) { + // check replace_host_fields field + if !p.config.ReplaceFields && skipAddingHostMetadata(event) { + return event, nil + } + err := p.loadData() if err != nil { return nil, err @@ -146,3 +151,39 @@ func (p *addHostMetadata) String() string { return fmt.Sprintf("%v=[netinfo.enabled=[%v], cache.ttl=[%v]]", processorName, p.config.NetInfoEnabled, p.config.CacheTTL) } + +func skipAddingHostMetadata(event *beat.Event) bool { + // If host fields exist(besides host.name added by libbeat) in event, skip add_host_metadata. + hostFields, err := event.Fields.GetValue("host") + + // Don't skip if there are no fields + if err != nil || hostFields == nil { + return false + } + + switch m := hostFields.(type) { + case common.MapStr: + // if "name" is the only field, don't skip + hasName, _ := m.HasKey("name") + if hasName && len(m) == 1 { + return false + } + return true + case map[string]interface{}: + hostMapStr := common.MapStr(m) + // if "name" is the only field, don't skip + hasName, _ := hostMapStr.HasKey("name") + if hasName && len(m) == 1 { + return false + } + return true + case map[string]string: + // if "name" is the only field, don't skip + if m["name"] != "" && len(m) == 1 { + return false + } + return true + default: + return false + } +} diff --git a/libbeat/processors/add_host_metadata/add_host_metadata_test.go b/libbeat/processors/add_host_metadata/add_host_metadata_test.go index 500fc4ba9d8..c41c7696635 100644 --- a/libbeat/processors/add_host_metadata/add_host_metadata_test.go +++ b/libbeat/processors/add_host_metadata/add_host_metadata_test.go @@ -31,6 +31,11 @@ import ( "github.com/elastic/go-sysinfo/types" ) +var ( + hostName = "testHost" + hostID = "9C7FAB7B" +) + func TestConfigDefault(t *testing.T) { event := &beat.Event{ Fields: common.MapStr{}, @@ -153,6 +158,7 @@ func TestConfigGeoEnabled(t *testing.T) { "geo.name": "yerevan-am", "geo.location": "40.177200, 44.503490", "geo.continent_name": "Asia", + "geo.country_name": "Armenia", "geo.country_iso_code": "AM", "geo.region_name": "Erevan", "geo.region_iso_code": "AM-ER", @@ -196,3 +202,259 @@ func TestConfigGeoDisabled(t *testing.T) { assert.Error(t, err) assert.Equal(t, nil, eventGeoField) } + +func TestEventWithReplaceFieldsFalse(t *testing.T) { + cfg := map[string]interface{}{} + cfg["replace_fields"] = false + testConfig, err := common.NewConfigFrom(cfg) + assert.NoError(t, err) + + p, err := New(testConfig) + switch runtime.GOOS { + case "windows", "darwin", "linux": + assert.NoError(t, err) + default: + assert.IsType(t, types.ErrNotImplemented, err) + return + } + + cases := []struct { + title string + event beat.Event + hostLengthLargerThanOne bool + hostLengthEqualsToOne bool + expectedHostFieldLength int + }{ + { + "replace_fields=false with only host.name", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "name": hostName, + }, + }, + }, + true, + false, + -1, + }, + { + "replace_fields=false with only host.id", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "id": hostID, + }, + }, + }, + false, + true, + 1, + }, + { + "replace_fields=false with host.name and host.id", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "name": hostName, + "id": hostID, + }, + }, + }, + true, + false, + 2, + }, + } + + for _, c := range cases { + t.Run(c.title, func(t *testing.T) { + newEvent, err := p.Run(&c.event) + assert.NoError(t, err) + + v, err := newEvent.GetValue("host") + assert.NoError(t, err) + assert.Equal(t, c.hostLengthLargerThanOne, len(v.(common.MapStr)) > 1) + assert.Equal(t, c.hostLengthEqualsToOne, len(v.(common.MapStr)) == 1) + if c.expectedHostFieldLength != -1 { + assert.Equal(t, c.expectedHostFieldLength, len(v.(common.MapStr))) + } + }) + } +} + +func TestEventWithReplaceFieldsTrue(t *testing.T) { + cfg := map[string]interface{}{} + cfg["replace_fields"] = true + testConfig, err := common.NewConfigFrom(cfg) + assert.NoError(t, err) + + p, err := New(testConfig) + switch runtime.GOOS { + case "windows", "darwin", "linux": + assert.NoError(t, err) + default: + assert.IsType(t, types.ErrNotImplemented, err) + return + } + + cases := []struct { + title string + event beat.Event + hostLengthLargerThanOne bool + hostLengthEqualsToOne bool + }{ + { + "replace_fields=true with host.name", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "name": hostName, + }, + }, + }, + true, + false, + }, + { + "replace_fields=true with host.id", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "id": hostID, + }, + }, + }, + true, + false, + }, + { + "replace_fields=true with host.name and host.id", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "name": hostName, + "id": hostID, + }, + }, + }, + true, + false, + }, + } + + for _, c := range cases { + t.Run(c.title, func(t *testing.T) { + newEvent, err := p.Run(&c.event) + assert.NoError(t, err) + + v, err := newEvent.GetValue("host") + assert.NoError(t, err) + assert.Equal(t, c.hostLengthLargerThanOne, len(v.(common.MapStr)) > 1) + assert.Equal(t, c.hostLengthEqualsToOne, len(v.(common.MapStr)) == 1) + }) + } +} + +func TestSkipAddingHostMetadata(t *testing.T) { + hostIDMap := map[string]string{} + hostIDMap["id"] = hostID + + hostNameMap := map[string]string{} + hostNameMap["name"] = hostName + + hostIDNameMap := map[string]string{} + hostIDNameMap["id"] = hostID + hostIDNameMap["name"] = hostName + + cases := []struct { + title string + event beat.Event + expectedSkip bool + }{ + { + "event only with host.name", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "name": hostName, + }, + }, + }, + false, + }, + { + "event only with host.id", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "id": hostID, + }, + }, + }, + true, + }, + { + "event with host.name and host.id", + beat.Event{ + Fields: common.MapStr{ + "host": common.MapStr{ + "name": hostName, + "id": hostID, + }, + }, + }, + true, + }, + { + "event without host field", + beat.Event{ + Fields: common.MapStr{}, + }, + false, + }, + { + "event with field type map[string]string hostID", + beat.Event{ + Fields: common.MapStr{ + "host": hostIDMap, + }, + }, + true, + }, + { + "event with field type map[string]string host name", + beat.Event{ + Fields: common.MapStr{ + "host": hostNameMap, + }, + }, + false, + }, + { + "event with field type map[string]string host ID and name", + beat.Event{ + Fields: common.MapStr{ + "host": hostIDNameMap, + }, + }, + true, + }, + { + "event with field type string", + beat.Event{ + Fields: common.MapStr{ + "host": "string", + }, + }, + false, + }, + } + + for _, c := range cases { + t.Run(c.title, func(t *testing.T) { + skip := skipAddingHostMetadata(&c.event) + assert.Equal(t, c.expectedSkip, skip) + }) + } +} diff --git a/libbeat/processors/add_host_metadata/config.go b/libbeat/processors/add_host_metadata/config.go index 81c0452f4d9..36f4a0a13f8 100644 --- a/libbeat/processors/add_host_metadata/config.go +++ b/libbeat/processors/add_host_metadata/config.go @@ -29,11 +29,13 @@ type Config struct { CacheTTL time.Duration `config:"cache.ttl"` Geo *util.GeoConfig `config:"geo"` Name string `config:"name"` + ReplaceFields bool `config:"replace_fields"` // replace existing host fields with add_host_metadata } func defaultConfig() Config { return Config{ NetInfoEnabled: true, CacheTTL: 5 * time.Minute, + ReplaceFields: true, } } diff --git a/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc b/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc index 0c71f10d200..21d308b23c1 100644 --- a/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc +++ b/libbeat/processors/add_host_metadata/docs/add_host_metadata.asciidoc @@ -42,6 +42,8 @@ It has the following settings: `geo.region_iso_code`:: (Optional) ISO region code. +`replace_fields`:: (Optional) Default true. If set to false, original host +fields from the event will not be replaced by host fields from `add_host_metadata`. The `add_host_metadata` processor annotates each event with relevant metadata from the host machine. The fields added to the event look like the following: @@ -75,3 +77,9 @@ The fields added to the event look like the following: } } ------------------------------------------------------------------------------- + +Note: `add_host_metadata` processor will overwrite host fields if `host.*` +fields already exist in the event from Beats by default with `replace_fields` +equals to `true`. +Please use `add_observer_metadata` if the beat is being used to monitor external +systems. diff --git a/libbeat/processors/add_kubernetes_metadata/indexers.go b/libbeat/processors/add_kubernetes_metadata/indexers.go index 76c9c002c11..017913771fc 100644 --- a/libbeat/processors/add_kubernetes_metadata/indexers.go +++ b/libbeat/processors/add_kubernetes_metadata/indexers.go @@ -183,14 +183,19 @@ func NewContainerIndexer(_ common.Config, metaGen metadata.MetaGen) (Indexer, er func (c *ContainerIndexer) GetMetadata(pod *kubernetes.Pod) []MetadataIndex { var m []MetadataIndex for _, status := range append(pod.Status.ContainerStatuses, pod.Status.InitContainerStatuses...) { - cID := kubernetes.ContainerID(status) + cID, runtime := kubernetes.ContainerIDWithRuntime(status) if cID == "" { continue } m = append(m, MetadataIndex{ Index: cID, - Data: c.metaGen.Generate(pod, metadata.WithFields("container.name", status.Name), - metadata.WithFields("container.image", status.Image)), + Data: c.metaGen.Generate( + pod, + metadata.WithFields("container.name", status.Name), + metadata.WithFields("container.image", status.Image), + metadata.WithFields("container.id", cID), + metadata.WithFields("container.runtime", runtime), + ), }) } @@ -234,14 +239,30 @@ func (h *IPPortIndexer) GetMetadata(pod *kubernetes.Pod) []MetadataIndex { Data: h.metaGen.Generate(pod), }) + cIDs := make(map[string]string) + runtimes := make(map[string]string) + for _, status := range append(pod.Status.ContainerStatuses, pod.Status.InitContainerStatuses...) { + cID, runtime := kubernetes.ContainerIDWithRuntime(status) + if cID == "" { + continue + } + cIDs[status.Name] = cID + runtimes[status.Name] = runtime + } + for _, container := range pod.Spec.Containers { for _, port := range container.Ports { if port.ContainerPort != 0 { m = append(m, MetadataIndex{ Index: fmt.Sprintf("%s:%d", pod.Status.PodIP, port.ContainerPort), - Data: h.metaGen.Generate(pod, metadata.WithFields("container.name", container.Name), - metadata.WithFields("container.image", container.Image)), + Data: h.metaGen.Generate( + pod, + metadata.WithFields("container.name", container.Name), + metadata.WithFields("container.image", container.Image), + metadata.WithFields("container.id", cIDs[container.Name]), + metadata.WithFields("container.runtime", runtimes[container.Name]), + ), }) } } diff --git a/libbeat/processors/add_kubernetes_metadata/indexers_test.go b/libbeat/processors/add_kubernetes_metadata/indexers_test.go index 5eca3050fae..f5144e2c9ee 100644 --- a/libbeat/processors/add_kubernetes_metadata/indexers_test.go +++ b/libbeat/processors/add_kubernetes_metadata/indexers_test.go @@ -38,7 +38,7 @@ func TestPodIndexer(t *testing.T) { var testConfig = common.NewConfig() podIndexer, err := NewPodNameIndexer(*testConfig, metagen) - assert.Nil(t, err) + assert.NoError(t, err) podName := "testpod" uid := "005f3b90-4b9d-12f8-acf0-31020a840133" @@ -89,7 +89,7 @@ func TestPodUIDIndexer(t *testing.T) { metaGenWithPodUID := metadata.NewPodMetadataGenerator(common.NewConfig(), nil, nil, nil) podUIDIndexer, err := NewPodUIDIndexer(*testConfig, metaGenWithPodUID) - assert.Nil(t, err) + assert.NoError(t, err) podName := "testpod" ns := "testns" @@ -138,7 +138,7 @@ func TestContainerIndexer(t *testing.T) { var testConfig = common.NewConfig() conIndexer, err := NewContainerIndexer(*testConfig, metagen) - assert.Nil(t, err) + assert.NoError(t, err) podName := "testpod" ns := "testns" @@ -211,14 +211,18 @@ func TestContainerIndexer(t *testing.T) { assert.Equal(t, indices[1], "fghij") expected["container"] = common.MapStr{ - "name": container, - "image": containerImage, + "name": container, + "image": containerImage, + "id": "abcde", + "runtime": "docker", } assert.Equal(t, expected.String(), indexers[0].Data.String()) expected["container"] = common.MapStr{ - "name": initContainer, - "image": initContainerImage, + "name": initContainer, + "image": initContainerImage, + "id": "fghij", + "runtime": "docker", } assert.Equal(t, expected.String(), indexers[1].Data.String()) } @@ -227,7 +231,7 @@ func TestFilteredGenMeta(t *testing.T) { var testConfig = common.NewConfig() podIndexer, err := NewPodNameIndexer(*testConfig, metagen) - assert.Nil(t, err) + assert.NoError(t, err) podName := "testpod" ns := "testns" @@ -264,12 +268,12 @@ func TestFilteredGenMeta(t *testing.T) { "include_annotations": []string{"a"}, "include_labels": []string{"foo"}, }) - assert.Nil(t, err) + assert.NoError(t, err) filteredGen := metadata.NewPodMetadataGenerator(config, nil, nil, nil) podIndexer, err = NewPodNameIndexer(*testConfig, filteredGen) - assert.Nil(t, err) + assert.NoError(t, err) indexers = podIndexer.GetMetadata(&pod) assert.Equal(t, len(indexers), 1) @@ -301,12 +305,12 @@ func TestFilteredGenMetaExclusion(t *testing.T) { config, err := common.NewConfigFrom(map[string]interface{}{ "exclude_labels": []string{"x"}, }) - assert.Nil(t, err) + assert.NoError(t, err) filteredGen := metadata.NewPodMetadataGenerator(config, nil, nil, nil) podIndexer, err := NewPodNameIndexer(*testConfig, filteredGen) - assert.Nil(t, err) + assert.NoError(t, err) podName := "testpod" ns := "testns" @@ -326,7 +330,7 @@ func TestFilteredGenMetaExclusion(t *testing.T) { Spec: v1.PodSpec{}, } - assert.Nil(t, err) + assert.NoError(t, err) indexers := podIndexer.GetMetadata(&pod) assert.Equal(t, len(indexers), 1) @@ -349,7 +353,7 @@ func TestIpPortIndexer(t *testing.T) { var testConfig = common.NewConfig() ipIndexer, err := NewIPPortIndexer(*testConfig, metagen) - assert.Nil(t, err) + assert.NoError(t, err) podName := "testpod" ns := "testns" @@ -372,7 +376,8 @@ func TestIpPortIndexer(t *testing.T) { }, Status: v1.PodStatus{ - PodIP: ip, + PodIP: ip, + ContainerStatuses: make([]kubernetes.PodContainerStatus, 0), }, } @@ -386,7 +391,7 @@ func TestIpPortIndexer(t *testing.T) { // Meta doesn't have container info _, err = indexers[0].Data.GetValue("kubernetes.container.name") - assert.NotNil(t, err) + assert.Error(t, err) expected := common.MapStr{ "pod": common.MapStr{ @@ -414,6 +419,13 @@ func TestIpPortIndexer(t *testing.T) { }, }, } + pod.Status.ContainerStatuses = []kubernetes.PodContainerStatus{ + { + Name: container, + Image: containerImage, + ContainerID: "docker://foobar", + }, + } nodeName := "testnode" pod.Spec.NodeName = nodeName @@ -429,6 +441,6 @@ func TestIpPortIndexer(t *testing.T) { assert.Equal(t, fmt.Sprintf("%s:%d", ip, port), indices[1]) assert.Equal(t, expected.String(), indexers[0].Data.String()) - expected["container"] = common.MapStr{"name": container, "image": containerImage} + expected["container"] = common.MapStr{"name": container, "image": containerImage, "id": "foobar", "runtime": "docker"} assert.Equal(t, expected.String(), indexers[1].Data.String()) } diff --git a/libbeat/processors/add_kubernetes_metadata/kubernetes.go b/libbeat/processors/add_kubernetes_metadata/kubernetes.go index 94bc3739145..2a5f4d2faed 100644 --- a/libbeat/processors/add_kubernetes_metadata/kubernetes.go +++ b/libbeat/processors/add_kubernetes_metadata/kubernetes.go @@ -218,8 +218,25 @@ func (k *kubernetesAnnotator) Run(event *beat.Event) (*beat.Event, error) { return event, nil } + metaClone := metadata.Clone() + metaClone.Delete("container.name") + containerImage, err := metadata.GetValue("container.image") + if err == nil { + metaClone.Delete("container.image") + metaClone.Put("container.image.name", containerImage) + } + cmeta, err := metaClone.Clone().GetValue("container") + if err == nil { + event.Fields.DeepUpdate(common.MapStr{ + "container": cmeta, + }) + } + + kubeMeta := metadata.Clone() + kubeMeta.Delete("container.id") + kubeMeta.Delete("container.runtime") event.Fields.DeepUpdate(common.MapStr{ - "kubernetes": metadata.Clone(), + "kubernetes": kubeMeta, }) return event, nil diff --git a/libbeat/processors/add_kubernetes_metadata/matchers_test.go b/libbeat/processors/add_kubernetes_metadata/matchers_test.go index 13e453426e7..c6b6a98d42c 100644 --- a/libbeat/processors/add_kubernetes_metadata/matchers_test.go +++ b/libbeat/processors/add_kubernetes_metadata/matchers_test.go @@ -31,16 +31,16 @@ func TestFieldMatcher(t *testing.T) { } fieldCfg, err := common.NewConfigFrom(testCfg) - assert.Nil(t, err) + assert.NoError(t, err) matcher, err := NewFieldMatcher(*fieldCfg) - assert.NotNil(t, err) + assert.Error(t, err) testCfg["lookup_fields"] = "foo" fieldCfg, _ = common.NewConfigFrom(testCfg) matcher, err = NewFieldMatcher(*fieldCfg) assert.NotNil(t, matcher) - assert.Nil(t, err) + assert.NoError(t, err) input := common.MapStr{ "foo": "bar", @@ -61,16 +61,16 @@ func TestFieldFormatMatcher(t *testing.T) { testCfg := map[string]interface{}{} fieldCfg, err := common.NewConfigFrom(testCfg) - assert.Nil(t, err) + assert.NoError(t, err) matcher, err := NewFieldFormatMatcher(*fieldCfg) - assert.NotNil(t, err) + assert.Error(t, err) testCfg["format"] = `%{[namespace]}/%{[pod]}` fieldCfg, _ = common.NewConfigFrom(testCfg) matcher, err = NewFieldFormatMatcher(*fieldCfg) assert.NotNil(t, matcher) - assert.Nil(t, err) + assert.NoError(t, err) event := common.MapStr{ "namespace": "foo", @@ -90,7 +90,7 @@ func TestFieldFormatMatcher(t *testing.T) { fieldCfg, _ = common.NewConfigFrom(testCfg) matcher, err = NewFieldFormatMatcher(*fieldCfg) assert.NotNil(t, matcher) - assert.Nil(t, err) + assert.NoError(t, err) event = common.MapStr{ "dimensions": common.MapStr{ diff --git a/libbeat/processors/add_observer_metadata/add_observer_metadata_test.go b/libbeat/processors/add_observer_metadata/add_observer_metadata_test.go index 69de476b7fd..3932d193d78 100644 --- a/libbeat/processors/add_observer_metadata/add_observer_metadata_test.go +++ b/libbeat/processors/add_observer_metadata/add_observer_metadata_test.go @@ -120,6 +120,7 @@ func TestConfigGeoEnabled(t *testing.T) { "geo.name": "yerevan-am", "geo.location": "40.177200, 44.503490", "geo.continent_name": "Asia", + "geo.country_name": "Armenia", "geo.country_iso_code": "AM", "geo.region_name": "Erevan", "geo.region_iso_code": "AM-ER", diff --git a/libbeat/processors/add_process_metadata/add_process_metadata.go b/libbeat/processors/add_process_metadata/add_process_metadata.go index 4aff1df8576..c41ca9a73d6 100644 --- a/libbeat/processors/add_process_metadata/add_process_metadata.go +++ b/libbeat/processors/add_process_metadata/add_process_metadata.go @@ -190,15 +190,29 @@ func (p *addProcessMetadata) enrich(event common.MapStr, pidField string) (resul return nil, errors.Errorf("cannot parse field '%s' (not an integer or string)", pidField) } + var meta common.MapStr + metaPtr, err := p.provider.GetProcessMetadata(pid) if err != nil || metaPtr == nil { + // no process metadata, lets still try to get container id p.log.Debugf("failed to get process metadata for PID=%d: %v", pid, err) - return nil, ErrNoProcess + meta = common.MapStr{} + } else { + meta = metaPtr.fields } - meta := metaPtr.fields - if err = p.enrichContainerID(pid, meta); err != nil { - return nil, err + cid, err := p.getContainerID(pid) + if cid == "" || err != nil { + p.log.Debugf("failed to get container id for PID=%d: %v", pid, err) + } else { + if _, err = meta.Put("container", common.MapStr{"id": cid}); err != nil { + return nil, err + } + } + + if len(meta) == 0 { + // no metadata nor container id + return nil, ErrNoProcess } result = event.Clone() @@ -216,8 +230,8 @@ func (p *addProcessMetadata) enrich(event common.MapStr, pidField string) (resul value, err := meta.GetValue(source) if err != nil { - // Should never happen - return nil, err + // skip missing values + continue } if _, err = result.Put(dest, value); err != nil { @@ -228,19 +242,15 @@ func (p *addProcessMetadata) enrich(event common.MapStr, pidField string) (resul return result, nil } -// enrichContainerID adds container.id into meta for mapping to pickup -func (p *addProcessMetadata) enrichContainerID(pid int, meta common.MapStr) error { +func (p *addProcessMetadata) getContainerID(pid int) (string, error) { if p.cidProvider == nil { - return nil + return "", nil } cid, err := p.cidProvider.GetCid(pid) if err != nil { - return err - } - if _, err = meta.Put("container", common.MapStr{"id": cid}); err != nil { - return err + return "", err } - return nil + return cid, nil } // String returns the processor representation formatted as a string diff --git a/libbeat/processors/add_process_metadata/add_process_metadata_test.go b/libbeat/processors/add_process_metadata/add_process_metadata_test.go index 8bb2cd4b625..f9b4aaa681c 100644 --- a/libbeat/processors/add_process_metadata/add_process_metadata_test.go +++ b/libbeat/processors/add_process_metadata/add_process_metadata_test.go @@ -49,12 +49,42 @@ func TestAddProcessMetadata(t *testing.T) { ppid: 0, startTime: startTime, }, + 3: { + name: "systemd", + title: "/usr/lib/systemd/systemd --switched-root --system --deserialize 22", + exe: "/usr/lib/systemd/systemd", + args: []string{"/usr/lib/systemd/systemd", "--switched-root", "--system", "--deserialize", "22"}, + env: map[string]string{ + "HOME": "/", + "TERM": "linux", + "BOOT_IMAGE": "/boot/vmlinuz-4.11.8-300.fc26.x86_64", + "LANG": "en_US.UTF-8", + }, + pid: 1, + ppid: 0, + startTime: startTime, + }, } // mock of the cgroup processCgroupPaths processCgroupPaths = func(_ string, pid int) (map[string]string, error) { testMap := map[int]map[string]string{ - 1: map[string]string{ + 1: { + "cpu": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "net_prio": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "blkio": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "perf_event": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "freezer": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "pids": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "hugetlb": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "cpuacct": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "cpuset": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "net_cls": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "devices": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "memory": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + "name=systemd": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + }, + 2: { "cpu": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", "net_prio": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", "blkio": "/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", @@ -510,6 +540,60 @@ func TestAddProcessMetadata(t *testing.T) { }, }, }, + { + description: "no process metadata available", + config: common.MapStr{ + "match_pids": []string{"system.process.ppid"}, + "cgroup_regex": "\\/.+\\/.+\\/.+\\/([0-9a-f]{64}).*", + }, + event: common.MapStr{ + "system": common.MapStr{ + "process": common.MapStr{ + "ppid": "2", + }, + }, + }, + expected: common.MapStr{ + "system": common.MapStr{ + "process": common.MapStr{ + "ppid": "2", + }, + }, + "container": common.MapStr{ + "id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", + }, + }, + }, + { + description: "no container id available", + config: common.MapStr{ + "match_pids": []string{"system.process.ppid"}, + "cgroup_regex": "\\/.+\\/.+\\/.+\\/([0-9a-f]{64}).*", + }, + event: common.MapStr{ + "system": common.MapStr{ + "process": common.MapStr{ + "ppid": "3", + }, + }, + }, + expected: common.MapStr{ + "system": common.MapStr{ + "process": common.MapStr{ + "ppid": "3", + }, + }, + "process": common.MapStr{ + "name": "systemd", + "title": "/usr/lib/systemd/systemd --switched-root --system --deserialize 22", + "executable": "/usr/lib/systemd/systemd", + "args": []string{"/usr/lib/systemd/systemd", "--switched-root", "--system", "--deserialize", "22"}, + "pid": 1, + "ppid": 0, + "start_time": startTime, + }, + }, + }, { description: "without cgroup cache", config: common.MapStr{ diff --git a/libbeat/processors/add_process_metadata/docs/add_process_metadata.asciidoc b/libbeat/processors/add_process_metadata/docs/add_process_metadata.asciidoc index 3066107a009..ddf5802a821 100644 --- a/libbeat/processors/add_process_metadata/docs/add_process_metadata.asciidoc +++ b/libbeat/processors/add_process_metadata/docs/add_process_metadata.asciidoc @@ -72,7 +72,7 @@ field will be present in the output. `host_path`:: (Optional) By default, the `host_path` field is set to the root directory of the host `/`. This is the path where `/proc` is mounted. For -different runtime configurations of Kubernetes or Docker, the `host_path` can +different runtime configurations of Kubernetes or Docker, the `host_path` can be set to overwrite the default. `cgroup_prefixes`:: (Optional) By default, the `cgroup_prefixes` field is set @@ -80,15 +80,21 @@ to `/kubepods` and `/docker`. This is the prefix where the container ID is inside cgroup. For different runtime configurations of Kubernetes or Docker, the `cgroup_prefixes` can be set to overwrite the defaults. -`cgroup_regex`:: (Optional) By default, the container id is extracted from -cgroup file based on `cgroup_prefixes`. This can be overwritten by specifying -regular expression with capture group for capturing container id from cgroup -path. For example: `^\/.+\/.+\/.+\/([0-9a-f]{64}).*` - -`cgroup_cache_expire_time`:: (Optional) By default, the +`cgroup_regex`:: (Optional) By default, the container id is extracted from +cgroup file based on `cgroup_prefixes`. This can be overwritten by specifying +regular expression with capture group for capturing container id from cgroup +path. Examples: +. `^\/.+\/.+\/.+\/([0-9a-f]{64}).*` will match the container id of a cgroup +like `/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1` +. `^\/.+\/.+\/.+\/docker-([0-9a-f]{64}).scope` will match the container id of a cgroup +like `/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod69349abe_d645_11ea_9c4c_08002709c05c.slice/docker-80d85a3a585f1575028ebe468d83093c301eda20d37d1671ff2a0be50fc0e460.scope` +. `^\/.+\/.+\/.+\/crio-([0-9a-f]{64}).scope` will match the container id of a cgroup +like `/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod69349abe_d645_11ea_9c4c_08002709c05c.slice/crio-80d85a3a585f1575028ebe468d83093c301eda20d37d1671ff2a0be50fc0e460.scope` + +`cgroup_cache_expire_time`:: (Optional) By default, the `cgroup_cache_expire_time` is set to 30 seconds. This is the length of time before cgroup cache elements expire in seconds. It can be set to 0 to disable -the cgroup cache. In some container runtimes technology like runc, the +the cgroup cache. In some container runtimes technology like runc, the container's process is also process in the host kernel, and will be affected by -PID rollover/reuse. The expire time needs to set smaller than the PIDs wrap +PID rollover/reuse. The expire time needs to set smaller than the PIDs wrap around time to avoid wrong container id. diff --git a/libbeat/processors/dns/cache.go b/libbeat/processors/dns/cache.go index 6bd6b373db9..d8be672d920 100644 --- a/libbeat/processors/dns/cache.go +++ b/libbeat/processors/dns/cache.go @@ -35,8 +35,9 @@ func (r ptrRecord) IsExpired(now time.Time) bool { type ptrCache struct { sync.RWMutex - data map[string]ptrRecord - maxSize int + data map[string]ptrRecord + maxSize int + minSuccessTTL time.Duration } func (c *ptrCache) set(now time.Time, key string, ptr *PTR) { @@ -135,11 +136,10 @@ func (ce *cachedError) Cause() error { return ce.err } // reverse DNS queries. It caches the results of queries regardless of their // outcome (success or failure). type PTRLookupCache struct { - success *ptrCache - failure *failureCache - failureTTL time.Duration - resolver PTRResolver - stats cacheStats + success *ptrCache + failure *failureCache + resolver PTRResolver + stats cacheStats } type cacheStats struct { @@ -155,8 +155,9 @@ func NewPTRLookupCache(reg *monitoring.Registry, conf CacheConfig, resolver PTRR c := &PTRLookupCache{ success: &ptrCache{ - data: make(map[string]ptrRecord, conf.SuccessCache.InitialCapacity), - maxSize: conf.SuccessCache.MaxCapacity, + data: make(map[string]ptrRecord, conf.SuccessCache.InitialCapacity), + maxSize: conf.SuccessCache.MaxCapacity, + minSuccessTTL: conf.SuccessCache.MinTTL, }, failure: &failureCache{ data: make(map[string]failureRecord, conf.FailureCache.InitialCapacity), @@ -198,11 +199,14 @@ func (c PTRLookupCache) LookupPTR(ip string) (*PTR, error) { return nil, err } + // We set the ptr.TTL to the minimum TTL in case it is less than that. + ptr.TTL = max(ptr.TTL, uint32(c.success.minSuccessTTL/time.Second)) + c.success.set(now, ip, ptr) return ptr, nil } -func max(a, b int) int { +func max(a, b uint32) uint32 { if a >= b { return a } diff --git a/libbeat/processors/dns/cache_test.go b/libbeat/processors/dns/cache_test.go index d64dbd460b4..2242d1527c0 100644 --- a/libbeat/processors/dns/cache_test.go +++ b/libbeat/processors/dns/cache_test.go @@ -19,8 +19,8 @@ package dns import ( "io" - "strings" "testing" + "time" "github.com/stretchr/testify/assert" @@ -30,12 +30,14 @@ import ( type stubResolver struct{} func (r *stubResolver) LookupPTR(ip string) (*PTR, error) { - if ip == gatewayIP { + switch ip { + case gatewayIP: return &PTR{Host: gatewayName, TTL: gatewayTTL}, nil - } else if strings.HasSuffix(ip, "11") { + case gatewayIP + "1": return nil, io.ErrUnexpectedEOF + case gatewayIP + "2": + return &PTR{Host: gatewayName, TTL: 0}, nil } - return nil, &dnsError{"fake lookup returned NXDOMAIN"} } @@ -98,4 +100,29 @@ func TestCache(t *testing.T) { assert.EqualValues(t, 3, c.stats.Hit.Get()) assert.EqualValues(t, 3, c.stats.Miss.Get()) // Cache miss. } + + minTTL := defaultConfig.CacheConfig.SuccessCache.MinTTL + // Initial success returned TTL=0 with MinTTL. + ptr, err = c.LookupPTR(gatewayIP + "2") + if assert.NoError(t, err) { + assert.EqualValues(t, gatewayName, ptr.Host) + + assert.EqualValues(t, minTTL/time.Second, ptr.TTL) + assert.EqualValues(t, 3, c.stats.Hit.Get()) + assert.EqualValues(t, 4, c.stats.Miss.Get()) + + expectedExpire := time.Now().Add(minTTL).Unix() + gotExpire := c.success.data[gatewayIP+"2"].expires.Unix() + assert.InDelta(t, expectedExpire, gotExpire, 1) + } + + // Cached success from a previous TTL=0 response. + ptr, err = c.LookupPTR(gatewayIP + "2") + if assert.NoError(t, err) { + assert.EqualValues(t, gatewayName, ptr.Host) + // TTL counts down while in cache. + assert.InDelta(t, minTTL/time.Second, ptr.TTL, 1) + assert.EqualValues(t, 4, c.stats.Hit.Get()) + assert.EqualValues(t, 4, c.stats.Miss.Get()) + } } diff --git a/libbeat/processors/dns/config.go b/libbeat/processors/dns/config.go index ae447a20c72..b5e7cf0a0d3 100644 --- a/libbeat/processors/dns/config.go +++ b/libbeat/processors/dns/config.go @@ -36,6 +36,7 @@ type Config struct { Action FieldAction `config:"action"` // Append or replace (defaults to append) when target exists. TagOnFailure []string `config:"tag_on_failure"` // Tags to append when a failure occurs. Fields common.MapStr `config:"fields"` // Mapping of source fields to target fields. + Transport string `config:"transport"` // Can be tls or udp. reverseFlat map[string]string } @@ -87,6 +88,9 @@ type CacheSettings struct { // from the DNS record. TTL time.Duration `config:"ttl"` + // Minimum TTL value for successful DNS responses. + MinTTL time.Duration `config:"min_ttl" validate:"min=1"` + // Initial capacity. How much space is allocated at initialization. InitialCapacity int `config:"capacity.initial" validate:"min=0"` @@ -117,11 +121,22 @@ func (c *Config) Validate() error { c.reverseFlat[k] = target } + c.Transport = strings.ToLower(c.Transport) + switch c.Transport { + case "tls": + case "udp": + default: + return errors.Errorf("invalid transport method type '%v' specified in "+ + "config (valid value is: tls or udp)", c.Transport) + } return nil } // Validate validates the data contained in the CacheConfig. func (c *CacheConfig) Validate() error { + if c.SuccessCache.MinTTL <= 0 { + return errors.Errorf("success_cache.min_ttl must be > 0") + } if c.FailureCache.TTL <= 0 { return errors.Errorf("failure_cache.ttl must be > 0") } @@ -146,6 +161,7 @@ func (c *CacheConfig) Validate() error { var defaultConfig = Config{ CacheConfig: CacheConfig{ SuccessCache: CacheSettings{ + MinTTL: time.Minute, InitialCapacity: 1000, MaxCapacity: 10000, }, @@ -155,5 +171,6 @@ var defaultConfig = Config{ MaxCapacity: 10000, }, }, - Timeout: 500 * time.Millisecond, + Transport: "udp", + Timeout: 500 * time.Millisecond, } diff --git a/libbeat/processors/dns/dns.go b/libbeat/processors/dns/dns.go index 49b4946733e..2ac913f3016 100644 --- a/libbeat/processors/dns/dns.go +++ b/libbeat/processors/dns/dns.go @@ -65,7 +65,7 @@ func New(cfg *common.Config) (processors.Processor, error) { ) log.Debugf("DNS processor config: %+v", c) - resolver, err := NewMiekgResolver(metrics, c.Timeout, c.Nameservers...) + resolver, err := NewMiekgResolver(metrics, c.Timeout, c.Transport, c.Nameservers...) if err != nil { return nil, err } diff --git a/libbeat/processors/dns/docs/dns.asciidoc b/libbeat/processors/dns/docs/dns.asciidoc index b75fb8bf87a..8d03e8b4c0a 100644 --- a/libbeat/processors/dns/docs/dns.asciidoc +++ b/libbeat/processors/dns/docs/dns.asciidoc @@ -45,12 +45,14 @@ processors: - dns: type: reverse action: append + transport: tls fields: server.ip: server.hostname client.ip: client.hostname success_cache: capacity.initial: 1000 capacity.max: 10000 + min_ttl: 1m failure_cache: capacity.initial: 1000 capacity.max: 10000 @@ -80,6 +82,9 @@ the memory for this number of items. Default value is `1000`. cache can hold. When the maximum capacity is reached a random item is evicted. Default value is `10000`. +`success_cache.min_ttl`:: The duration of the minimum alternative cache TTL for successful DNS responses. Ensures that `TTL=0` successful reverse DNS responses can be cached. +Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Default value is `1m`. + `failure_cache.capacity.initial`:: The initial number of items that the failure cache will be allocated to hold. When initialized the processor will allocate the memory for this number of items. Default value is `1000`. @@ -104,3 +109,6 @@ for each DNS request so if you have 2 nameservers then the total timeout will be `tag_on_failure`:: A list of tags to add to the event when any lookup fails. The tags are only added once even if multiple lookups fail. By default no tags are added upon failure. + +`transport`:: The type of transport connection that should be used can either be +`tls` (DNS over TLS) or `udp`. Defaults to `udp`. diff --git a/libbeat/processors/dns/resolver.go b/libbeat/processors/dns/resolver.go index 701ee8e49ac..366f00e165f 100644 --- a/libbeat/processors/dns/resolver.go +++ b/libbeat/processors/dns/resolver.go @@ -64,7 +64,7 @@ type nameserverStats struct { // NewMiekgResolver returns a new MiekgResolver. It returns an error if no // nameserver are given and none can be read from /etc/resolv.conf. -func NewMiekgResolver(reg *monitoring.Registry, timeout time.Duration, servers ...string) (*MiekgResolver, error) { +func NewMiekgResolver(reg *monitoring.Registry, timeout time.Duration, transport string, servers ...string) (*MiekgResolver, error) { // Use /etc/resolv.conf if no nameservers are given. (Won't work for Windows). if len(servers) == 0 { config, err := dns.ClientConfigFromFile(etcResolvConf) @@ -77,7 +77,14 @@ func NewMiekgResolver(reg *monitoring.Registry, timeout time.Duration, servers . // Add port if one was not specified. for i, s := range servers { if _, _, err := net.SplitHostPort(s); err != nil { - withPort := s + ":53" + var withPort string + switch transport { + case "tls": + withPort = s + ":853" + default: + withPort = s + ":53" + } + if _, _, retryErr := net.SplitHostPort(withPort); retryErr == nil { servers[i] = withPort continue @@ -90,9 +97,17 @@ func NewMiekgResolver(reg *monitoring.Registry, timeout time.Duration, servers . timeout = defaultConfig.Timeout } + var clientTransferType string + switch transport { + case "tls": + clientTransferType = "tcp-tls" + default: + clientTransferType = "udp" + } + return &MiekgResolver{ client: &dns.Client{ - Net: "udp", + Net: clientTransferType, Timeout: timeout, }, servers: servers, diff --git a/libbeat/processors/dns/resolver_test.go b/libbeat/processors/dns/resolver_test.go index 0340da316d7..904979514db 100644 --- a/libbeat/processors/dns/resolver_test.go +++ b/libbeat/processors/dns/resolver_test.go @@ -18,6 +18,7 @@ package dns import ( + "crypto/tls" "net" "strings" "testing" @@ -38,7 +39,7 @@ func TestMiekgResolverLookupPTR(t *testing.T) { defer stop() reg := monitoring.NewRegistry() - res, err := NewMiekgResolver(reg.NewRegistry(logName), 0, addr) + res, err := NewMiekgResolver(reg.NewRegistry(logName), 0, "udp", addr) if err != nil { t.Fatal(err) } @@ -68,8 +69,61 @@ func TestMiekgResolverLookupPTR(t *testing.T) { assert.Equal(t, 12, metricCount) } +func TestMiekgResolverLookupPTRTLS(t *testing.T) { + //Build Cert + cert, err := tls.X509KeyPair(CertPEMBlock, KeyPEMBlock) + if err != nil { + t.Fatalf("unable to build certificate: %v", err) + } + config := tls.Config{ + Certificates: []tls.Certificate{cert}, + } + // serve TLS with cert + stop, addr, err := ServeDNSTLS(FakeDNSHandler, &config) + if err != nil { + t.Fatal(err) + } + defer stop() + + reg := monitoring.NewRegistry() + + res, err := NewMiekgResolver(reg.NewRegistry(logName), 0, "tls", addr) + if err != nil { + t.Fatal(err) + } + // we use a self signed certificate for localhost + // we have to pass InsecureSSL to the DNS resolver + res.client.TLSConfig = &tls.Config{ + InsecureSkipVerify: true, + } + // Success + ptr, err := res.LookupPTR("8.8.8.8") + if err != nil { + t.Fatal(err) + } + assert.EqualValues(t, "google-public-dns-a.google.com", ptr.Host) + assert.EqualValues(t, 19273, ptr.TTL) + + // NXDOMAIN + _, err = res.LookupPTR("1.1.1.1") + if assert.Error(t, err) { + assert.Contains(t, err.Error(), "NXDOMAIN") + } + + // Validate that our metrics exist. + var metricCount int + reg.Do(monitoring.Full, func(name string, v interface{}) { + if strings.Contains(name, "processor.dns") { + metricCount++ + } + t.Logf("%v: %+v", name, v) + }) + assert.Equal(t, 12, metricCount) +} + func ServeDNS(h dns.HandlerFunc) (cancel func() error, addr string, err error) { // Setup listener on ephemeral port. + a, err := net.ResolveUDPAddr("udp4", "localhost:0") if err != nil { return nil, "", err @@ -86,6 +140,20 @@ func ServeDNS(h dns.HandlerFunc) (cancel func() error, addr string, err error) { return s.Shutdown, s.PacketConn.LocalAddr().String(), err } +func ServeDNSTLS(h dns.HandlerFunc, config *tls.Config) (cancel func() error, addr string, err error) { + // Setup listener on ephemeral port. + l, err := tls.Listen("tcp", "localhost:0", config) + if err != nil { + return nil, "", err + } + + var s dns.Server + s.Handler = h + s.Listener = l + go s.ActivateAndServe() + return s.Shutdown, l.Addr().String(), err +} + func FakeDNSHandler(w dns.ResponseWriter, msg *dns.Msg) { m := new(dns.Msg) m.SetReply(msg) @@ -98,3 +166,55 @@ func FakeDNSHandler(w dns.ResponseWriter, msg *dns.Msg) { } w.WriteMsg(m) } + +var ( + KeyPEMBlock = []byte(`-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA2g2zpEtWaIUx5o6MEnWnGsf0Ba1SDc3AwgOmxeNIPBJYVCrk +sWe8Qt/5nymReVFcum76995ncr/zT+e4e8l+hXuGzTKZJpOj27Igb0/wa3j2hIcu +rnbzfwkJ+KMag2UUKdSo31ChMU+64bwziEXunF347Ot7dBLtw3PJKbabNCP+/oil +iUv2TzxxYosN+AEg4gNKLa3DMpbUnD+9Igb9KmaVp1FVhZted/AP4vn7h6Urb4ER +xMuvv3xqZvIKQ9/G1XAISYXk2feZ5yP+k1HF4ds7HJDwrP+Bv+EVyv38EKdmu9N3 +Oej8wKf3Acjln/ucbg1S3Dmkyg0x2388S4c35wIDAQABAoIBAB8MnGvknmU7siNW +YPOv9R+HIWQ9jdWRWsVFp9W9y2diZVl20iHA17neErlrPd+8iiux6eKptKlOU+Mo +58gYpP9023kUn2Iy275I2v1+sIldLB0q8qa9IWcRbm4NK5VSK1DZi0JhRNK0u7Ox +DNV2v8dcSjnSPj4FA/402owqCGegBQuheYE0LDEMiNAm6hZmQ5Npf0mTfJA/OuM4 +ONSR7lNncrR0pOZ3f3WWH+021eoZCgu2A64yfX5FFI7y5jvRn8KigXEDfXcdyFKO +725Slq4V2E2NmrMyRKNBLUSUC2hcy0tQsfo3+yANxA6PBNQ0EVqkF4uGn1IzNWOz +gDSyfSECgYEA2jgTpv9v0SrURdY3lOOjYZNCoJ9ZhUTxOsQQZLUJ+1/bQQ4Y0ONK +cnC/Ve76C/k+otbILAaRnOxGw5Apq25yPNoxjFFzP7tbN85IB+4db637qZNK2gfX +oEJd6wat4Urs8NbUKCE+XkbdENOIdXUiQxp9U6jXxprd5Ii4jICwRvsCgYEA/85J +1to++Td64gKfWDv4FUo5ZqVn70JdM/Knf5Pd37z/sjNowxhDz7AhismRditX02lt +T2g/raIW9Z/SpxI44VHCRJGPOvBvaMgCNGOH0FBHatFsfKwKzpMwapTfobqj3ZYa +DDDc8r9WQM8IDcLM6B7aOV46LWMEhMRSfDa9bwUCgYEAokbRVn7eSE3xTX3gF3ix +Jv67rXbSu6hpO6pSBpIaujSud9Jj4fMkibYOk3kDuaPAUJgog5Te9DNA7G1oj3Oy +wE4CSrbHXb2WOAnOxxbsDQD1BUXjhAAQ+bxg20Y8SC3Pxcn8O1t9Zd6MxtaHw9E3 +iW9Jg80rqSXBnRGPK+0HKcECgYBsRYk1WjzLSTNG1CtTslZH1JnFG3+JYoKGiU9i +DVkc6Sck6uONqAiTsI4R600ZQjEzN21f7dT+Dhw/rH0B4BGZNPzP/vgrzzaol/du +6y3B+yivSqLrhfoxA1W71vVsw8217WFrBYePa3L7jWVwRaJrIRvmqj5flYiFFX+A +Ob8mbQKBgAHhlnVzoKCq4mZ7Glpc0K6L57btVZNn0TEGyVli1ECvgC3zRm1rEofG +LatVl7h6ud25ZJYnP7DelGxHsZnDXNirLFlSB0CL4F6I5xNoBvCoH0Q8ckDSh4C7 +tlAyD5m9gwvgdkNFWq6/lcUPxGksTtTk8dGnhJz8pGlZvp6+dZCM +-----END RSA PRIVATE KEY-----`) + + CertPEMBlock = []byte(`-----BEGIN CERTIFICATE----- +MIIDaTCCAlGgAwIBAgIQGqg47wLgbjwwrZASuakmwjANBgkqhkiG9w0BAQsFADAy +MRQwEgYDVQQKEwtMb2cgQ291cmllcjEaMBgGA1UEAxMRYmVhdHMuZWxhc3RpYy5j +b20wHhcNMjAwNjIzMDY0NDEwWhcNMjEwNjIzMDY0NDEwWjAyMRQwEgYDVQQKEwtM +b2cgQ291cmllcjEaMBgGA1UEAxMRYmVhdHMuZWxhc3RpYy5jb20wggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDbOkS1ZohTHmjowSdacax/QFrVINzcDC +A6bF40g8ElhUKuSxZ7xC3/mfKZF5UVy6bvr33mdyv/NP57h7yX6Fe4bNMpkmk6Pb +siBvT/BrePaEhy6udvN/CQn4oxqDZRQp1KjfUKExT7rhvDOIRe6cXfjs63t0Eu3D +c8kptps0I/7+iKWJS/ZPPHFiiw34ASDiA0otrcMyltScP70iBv0qZpWnUVWFm153 +8A/i+fuHpStvgRHEy6+/fGpm8gpD38bVcAhJheTZ95nnI/6TUcXh2zsckPCs/4G/ +4RXK/fwQp2a703c56PzAp/cByOWf+5xuDVLcOaTKDTHbfzxLhzfnAgMBAAGjezB5 +MA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8E +BTADAQH/MEEGA1UdEQQ6MDiCATqCCWxvY2FsaG9zdIcQAAAAAAAAAAAAAAAAAAAA +AIcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAL6px +cjflhqqewqa9cvhFNT6E7UDnA7Mf34GIQPQrORXyOnyE11mDp5sEMGaz8bDajHHc +0JL8Q/5rDyRsSfe1pIyViAOxn+V/7qXfgowI3tkJbSaqHX7SlHF0dEiuGQ1coBMx +RgW17XhPtV+fk/DiXtUEkgtB7/q0Kc9C9C2GJIbOtupZ/mnkdk/5YT4tfXywNnWC +lLjT6T5+wZgRkcnr7lYNiTdS+GtN0YspPT+YD3ZTJCYD9KPcbA6k9XXXwmU8Ij6H +waodyGzG03YJbY3l2zSt3lG3jv9Tj+Ic0kRyEzzxk8exyi6nWXue/6a884kgAjiL +bXmdL6wkIJz1U+XtuQ== +-----END CERTIFICATE-----`) +) diff --git a/libbeat/processors/urldecode/urldecode_test.go b/libbeat/processors/urldecode/urldecode_test.go index e6053905214..8d962bd9470 100644 --- a/libbeat/processors/urldecode/urldecode_test.go +++ b/libbeat/processors/urldecode/urldecode_test.go @@ -201,9 +201,9 @@ func TestURLDecode(t *testing.T) { newEvent, err := f.Run(event) if !test.error { - assert.Nil(t, err) + assert.NoError(t, err) } else { - assert.NotNil(t, err) + assert.Error(t, err) } assert.Equal(t, test.Output, newEvent.Fields) diff --git a/libbeat/processors/util/geo.go b/libbeat/processors/util/geo.go index 48d39780d22..f37a4b7bc97 100644 --- a/libbeat/processors/util/geo.go +++ b/libbeat/processors/util/geo.go @@ -29,6 +29,7 @@ type GeoConfig struct { Name string `config:"name"` Location string `config:"location"` ContinentName string `config:"continent_name"` + CountryName string `config:"country_name"` CountryISOCode string `config:"country_iso_code"` RegionName string `config:"region_name"` RegionISOCode string `config:"region_iso_code"` @@ -59,6 +60,7 @@ func GeoConfigToMap(config GeoConfig) (common.MapStr, error) { "name": config.Name, "location": config.Location, "continent_name": config.ContinentName, + "country_name": config.CountryName, "country_iso_code": config.CountryISOCode, "region_name": config.RegionName, "region_iso_code": config.RegionISOCode, diff --git a/libbeat/publisher/pipeline/client.go b/libbeat/publisher/pipeline/client.go index 07b40f276fc..2ce792ed887 100644 --- a/libbeat/publisher/pipeline/client.go +++ b/libbeat/publisher/pipeline/client.go @@ -271,7 +271,7 @@ func (w *clientCloseWaiter) signalClose() { return } - w.closing.Store(false) + w.closing.Store(true) if w.events.Load() == 0 { w.finishClose() return diff --git a/libbeat/publisher/pipeline/client_test.go b/libbeat/publisher/pipeline/client_test.go index 88c3a67eb81..6c4c3006845 100644 --- a/libbeat/publisher/pipeline/client_test.go +++ b/libbeat/publisher/pipeline/client_test.go @@ -21,11 +21,14 @@ import ( "context" "sync" "testing" + "time" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/outputs" + "github.com/elastic/beats/v7/libbeat/publisher" "github.com/elastic/beats/v7/libbeat/publisher/queue" + "github.com/elastic/beats/v7/libbeat/publisher/queue/memqueue" "github.com/elastic/beats/v7/libbeat/tests/resources" ) @@ -113,3 +116,92 @@ func TestClient(t *testing.T) { } }) } + +func TestClientWaitClose(t *testing.T) { + routinesChecker := resources.NewGoroutinesChecker() + defer routinesChecker.Check(t) + + makePipeline := func(settings Settings, qu queue.Queue) *Pipeline { + p, err := New(beat.Info{}, + Monitors{}, + func(queue.ACKListener) (queue.Queue, error) { return qu, nil }, + outputs.Group{}, + settings, + ) + if err != nil { + panic(err) + } + + return p + } + if testing.Verbose() { + logp.TestingSetup() + } + + q := memqueue.NewQueue(logp.L(), memqueue.Settings{Events: 1}) + pipeline := makePipeline(Settings{}, q) + defer pipeline.Close() + + t.Run("WaitClose blocks", func(t *testing.T) { + client, err := pipeline.ConnectWith(beat.ClientConfig{ + WaitClose: 500 * time.Millisecond, + }) + if err != nil { + t.Fatal(err) + } + defer client.Close() + + // Send an event which never gets acknowledged. + client.Publish(beat.Event{}) + + closed := make(chan struct{}) + go func() { + defer close(closed) + client.Close() + }() + + select { + case <-closed: + t.Fatal("expected Close to wait for event acknowledgement") + case <-time.After(100 * time.Millisecond): + } + + select { + case <-closed: + case <-time.After(10 * time.Second): + t.Fatal("expected Close to stop waiting after WaitClose elapses") + } + }) + + t.Run("ACKing events unblocks WaitClose", func(t *testing.T) { + client, err := pipeline.ConnectWith(beat.ClientConfig{ + WaitClose: time.Minute, + }) + if err != nil { + t.Fatal(err) + } + defer client.Close() + + // Send an event which gets acknowledged immediately. + client.Publish(beat.Event{}) + output := newMockClient(func(batch publisher.Batch) error { + batch.ACK() + return nil + }) + defer output.Close() + pipeline.output.Set(outputs.Group{Clients: []outputs.Client{output}}) + defer pipeline.output.Set(outputs.Group{}) + + closed := make(chan struct{}) + go func() { + defer close(closed) + client.Close() + }() + + select { + case <-closed: + case <-time.After(10 * time.Second): + t.Fatal("expected Close to stop waiting after event acknowledgement") + } + }) +} diff --git a/libbeat/publisher/pipeline/output.go b/libbeat/publisher/pipeline/output.go index febccdc7067..00c3fc54281 100644 --- a/libbeat/publisher/pipeline/output.go +++ b/libbeat/publisher/pipeline/output.go @@ -167,7 +167,7 @@ func (w *netClientWorker) run() { func (w *netClientWorker) publishBatch(batch publisher.Batch) error { ctx := context.Background() - if w.tracer != nil { + if w.tracer != nil && w.tracer.Recording() { tx := w.tracer.StartTransaction("publish", "output") defer tx.End() tx.Context.SetLabel("worker", "netclient") diff --git a/libbeat/publisher/pipeline/output_test.go b/libbeat/publisher/pipeline/output_test.go index da1bac4f5d0..5be34fa9436 100644 --- a/libbeat/publisher/pipeline/output_test.go +++ b/libbeat/publisher/pipeline/output_test.go @@ -120,6 +120,7 @@ func TestReplaceClientWorker(t *testing.T) { var numEvents int for i := uint(0); i < numBatches; i++ { batch := randomBatch(minEventsInBatch, maxEventsInBatch).withRetryer(retryer) + batch.events[0].Content.Private = i numEvents += batch.Len() batches = append(batches, batch) } @@ -129,6 +130,7 @@ func TestReplaceClientWorker(t *testing.T) { go func() { defer wg.Done() for _, batch := range batches { + t.Logf("publish batch: %v", batch.(*mockBatch).events[0].Content.Private) wqu <- batch } }() @@ -145,7 +147,9 @@ func TestReplaceClientWorker(t *testing.T) { <-blockCtrl } - publishedFirst.Add(uint(len(batch.Events()))) + count := len(batch.Events()) + publishedFirst.Add(uint(count)) + t.Logf("#1 processed batch: %v (%v)", batch.(*mockBatch).events[0].Content.Private, count) return nil } @@ -170,7 +174,9 @@ func TestReplaceClientWorker(t *testing.T) { // Start new worker to drain work queue var publishedLater atomic.Uint countingPublishFn := func(batch publisher.Batch) error { - publishedLater.Add(uint(len(batch.Events()))) + count := len(batch.Events()) + publishedLater.Add(uint(count)) + t.Logf("#2 processed batch: %v (%v)", batch.(*mockBatch).events[0].Content.Private, count) return nil } diff --git a/libbeat/reader/debug/debug.go b/libbeat/reader/debug/debug.go index 5e0b1e7c93a..a3bb7cc93fd 100644 --- a/libbeat/reader/debug/debug.go +++ b/libbeat/reader/debug/debug.go @@ -46,7 +46,7 @@ type CheckFunc func(offset int64, buf []byte) bool // Is is useful is you want to detect if you have received garbage from a network volume. type Reader struct { log *logp.Logger - reader io.Reader + reader io.ReadCloser buffer bytes.Buffer minBufferSize int maxFailures int @@ -59,7 +59,7 @@ type Reader struct { // NewReader returns a debug reader. func NewReader( log *logp.Logger, - reader io.Reader, + reader io.ReadCloser, minBufferSize int, maxFailures int, predicate CheckFunc, @@ -115,6 +115,10 @@ func (r *Reader) Read(p []byte) (int, error) { return n, err } +func (r *Reader) Close() error { + return r.reader.Close() +} + func makeNullCheck(log *logp.Logger, minSize int) CheckFunc { // create a slice with null bytes to match on the buffer. pattern := make([]byte, minSize, minSize) @@ -159,7 +163,7 @@ func summarizeBufferInfo(idx int, buf []byte) (int, []byte) { // AppendReaders look into the current enabled log selector and will add any debug reader that match // the selectors. -func AppendReaders(reader io.Reader) (io.Reader, error) { +func AppendReaders(reader io.ReadCloser) (io.ReadCloser, error) { var err error if logp.HasSelector("detect_null_bytes") || logp.HasSelector("*") { diff --git a/libbeat/reader/debug/debug_test.go b/libbeat/reader/debug/debug_test.go index ac6b6878c9b..c913cc2f0e6 100644 --- a/libbeat/reader/debug/debug_test.go +++ b/libbeat/reader/debug/debug_test.go @@ -20,6 +20,7 @@ package debug import ( "bytes" "io" + "io/ioutil" "testing" "github.com/stretchr/testify/assert" @@ -78,8 +79,9 @@ func testCheckContent(t *testing.T) { s.WriteString("hello world") s.WriteByte(0x00) s.WriteString("hello world") + r := ioutil.NopCloser(&s) - reader, _ := NewReader(logp.L(), &s, 5, 3, check) + reader, _ := NewReader(logp.L(), r, 5, 3, check) _, err := reader.Read(make([]byte, 20)) if !assert.NoError(t, err) { @@ -91,7 +93,7 @@ func testCheckContent(t *testing.T) { func testConsumeAll(t *testing.T) { c, _ := common.RandomBytes(2000) - reader := bytes.NewReader(c) + reader := ioutil.NopCloser(bytes.NewReader(c)) var buf bytes.Buffer consumed := 0 debug, _ := NewReader(logp.L(), reader, 8, 20, makeNullCheck(logp.L(), 1)) @@ -106,8 +108,8 @@ func testConsumeAll(t *testing.T) { } func testEmptyBuffer(t *testing.T) { - var buf bytes.Buffer - debug, _ := NewReader(logp.L(), &buf, 8, 20, makeNullCheck(logp.L(), 1)) + buf := ioutil.NopCloser(&bytes.Buffer{}) + debug, _ := NewReader(logp.L(), buf, 8, 20, makeNullCheck(logp.L(), 1)) data := make([]byte, 33) n, err := debug.Read(data) assert.Equal(t, io.EOF, err) @@ -134,8 +136,9 @@ func testSilent(t *testing.T) { b.Write([]byte{'a', 'b', 'c', 'd', 0x00, 'e'}) b.Write([]byte{'a', 'b', 'c', 'd', 0x00, 'e'}) b.Write([]byte{'a', 'b', 'c', 'd', 0x00, 'e'}) + r := ioutil.NopCloser(&b) - debug, _ := NewReader(logp.L(), &b, 3, 2, check) + debug, _ := NewReader(logp.L(), r, 3, 2, check) consumed := 0 for consumed < b.Len() { n, _ := debug.Read(make([]byte, 3)) diff --git a/libbeat/reader/multiline/counter.go b/libbeat/reader/multiline/counter.go index bd410bc4ef7..602ac265885 100644 --- a/libbeat/reader/multiline/counter.go +++ b/libbeat/reader/multiline/counter.go @@ -18,6 +18,8 @@ package multiline import ( + "io" + "github.com/elastic/beats/v7/libbeat/reader" ) @@ -131,3 +133,12 @@ func (cr *counterReader) resetState() { func (cr *counterReader) setState(next func(cr *counterReader) (reader.Message, error)) { cr.state = next } + +func (cr *counterReader) Close() error { + cr.setState((*counterReader).readClosed) + return cr.reader.Close() +} + +func (cr *counterReader) readClosed() (reader.Message, error) { + return reader.Message{}, io.EOF +} diff --git a/libbeat/reader/multiline/multiline.go b/libbeat/reader/multiline/multiline.go index 04f5941c11d..689ea1536f0 100644 --- a/libbeat/reader/multiline/multiline.go +++ b/libbeat/reader/multiline/multiline.go @@ -31,10 +31,14 @@ func New( maxBytes int, config *Config, ) (reader.Reader, error) { - if config.Type == patternMode { + switch config.Type { + case patternMode: return newMultilinePatternReader(r, separator, maxBytes, config) - } else if config.Type == countMode { + case countMode: return newMultilineCountReader(r, separator, maxBytes, config) + case whilePatternMode: + return newMultilineWhilePatternReader(r, separator, maxBytes, config) + default: + return nil, fmt.Errorf("unknown multiline type %d", config.Type) } - return nil, fmt.Errorf("unknown multiline type %d", config.Type) } diff --git a/libbeat/reader/multiline/multiline_config.go b/libbeat/reader/multiline/multiline_config.go index 586816c55e3..b2f54eb92c7 100644 --- a/libbeat/reader/multiline/multiline_config.go +++ b/libbeat/reader/multiline/multiline_config.go @@ -29,15 +29,18 @@ type multilineType uint8 const ( patternMode multilineType = iota countMode + whilePatternMode - patternStr = "pattern" - countStr = "count" + patternStr = "pattern" + countStr = "count" + whilePatternStr = "while_pattern" ) var ( multilineTypes = map[string]multilineType{ - patternStr: patternMode, - countStr: countMode, + patternStr: patternMode, + countStr: countMode, + whilePatternStr: whilePatternMode, } ) @@ -69,6 +72,10 @@ func (c *Config) Validate() error { if c.LinesCount == 0 { return fmt.Errorf("multiline.count_lines cannot be zero when count based is selected") } + } else if c.Type == whilePatternMode { + if c.Pattern == nil { + return fmt.Errorf("multiline.pattern cannot be empty when pattern based matching is selected") + } } return nil } diff --git a/libbeat/reader/multiline/multiline_test.go b/libbeat/reader/multiline/multiline_test.go index 2297fbc98b5..93d36151fa7 100644 --- a/libbeat/reader/multiline/multiline_test.go +++ b/libbeat/reader/multiline/multiline_test.go @@ -22,6 +22,7 @@ package multiline import ( "bytes" "errors" + "io/ioutil" "os" "strings" "testing" @@ -241,6 +242,48 @@ func TestMultilineCount(t *testing.T) { ) } +func TestMultilineWhilePattern(t *testing.T) { + pattern := match.MustCompile(`^{`) + testMultilineOK(t, + Config{ + Type: whilePatternMode, + Pattern: &pattern, + Negate: false, + }, + 3, + "{line1\n{line1.1\n", + "not matched line\n", + "{line2\n{line2.1\n", + ) + // use negated + testMultilineOK(t, + Config{ + Type: whilePatternMode, + Pattern: &pattern, + Negate: true, + }, + 3, + "{line1\n", + "panic:\n~stacktrace~\n", + "{line2\n", + ) + // truncated + maxLines := 2 + testMultilineTruncated(t, + Config{ + Type: whilePatternMode, + Pattern: &pattern, + MaxLines: &maxLines, + }, + 1, + true, + []string{ + "{line1\n{line1.1\n{line1.2\n"}, + []string{ + "{line1\n{line1.1\n"}, + ) +} + func testMultilineOK(t *testing.T, cfg Config, events int, expected ...string) { _, buf := createLineBuffer(expected...) r := createMultilineTestReader(t, buf, cfg) @@ -333,7 +376,7 @@ func createMultilineTestReader(t *testing.T, in *bytes.Buffer, cfg Config) reade } var r reader.Reader - r, err = readfile.NewEncodeReader(in, readfile.Config{ + r, err = readfile.NewEncodeReader(ioutil.NopCloser(in), readfile.Config{ Codec: enc, BufferSize: 4096, Terminator: readfile.LineFeed, diff --git a/libbeat/reader/multiline/pattern.go b/libbeat/reader/multiline/pattern.go index 116af80135a..93cd390da4d 100644 --- a/libbeat/reader/multiline/pattern.go +++ b/libbeat/reader/multiline/pattern.go @@ -20,6 +20,7 @@ package multiline import ( "errors" "fmt" + "io" "time" "github.com/elastic/beats/v7/libbeat/common/match" @@ -254,6 +255,15 @@ func (pr *patternReader) setState(next func(pr *patternReader) (reader.Message, pr.state = next } +func (pr *patternReader) Close() error { + pr.setState((*patternReader).readClosed) + return pr.reader.Close() +} + +func (pr *patternReader) readClosed() (reader.Message, error) { + return reader.Message{}, io.EOF +} + // matchers func afterMatcher(pat match.Matcher) (matcher, error) { return genPatternMatcher(pat, func(last, current []byte) []byte { diff --git a/libbeat/reader/multiline/while.go b/libbeat/reader/multiline/while.go new file mode 100644 index 00000000000..8ef6532e97a --- /dev/null +++ b/libbeat/reader/multiline/while.go @@ -0,0 +1,236 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package multiline + +import ( + "io" + + "github.com/elastic/beats/v7/libbeat/common/match" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/reader" + "github.com/elastic/beats/v7/libbeat/reader/readfile" +) + +// MultiLine reader combining multiple line events into one multi-line event. +// +// Consecutive lines that satisfy the regular expression will be combined. +// +// The maximum number of bytes and lines to be returned is fully configurable. +// Even if limits are reached subsequent lines are matched, until event is +// fully finished. +// +// Errors will force the multiline reader to return the currently active +// multiline event first and finally return the actual error on next call to Next. +type whilePatternReader struct { + reader reader.Reader + matcher lineMatcherFunc + logger *logp.Logger + msgBuffer *messageBuffer + state func(*whilePatternReader) (reader.Message, error) +} + +func newMultilineWhilePatternReader( + r reader.Reader, + separator string, + maxBytes int, + config *Config, +) (reader.Reader, error) { + maxLines := defaultMaxLines + if config.MaxLines != nil { + maxLines = *config.MaxLines + } + + tout := defaultMultilineTimeout + if config.Timeout != nil { + tout = *config.Timeout + } + + if tout > 0 { + r = readfile.NewTimeoutReader(r, sigMultilineTimeout, tout) + } + + matcherFunc := lineMatcher(*config.Pattern) + if config.Negate { + matcherFunc = negatedLineMatcher(matcherFunc) + } + + pr := &whilePatternReader{ + reader: r, + matcher: matcherFunc, + msgBuffer: newMessageBuffer(maxBytes, maxLines, []byte(separator), config.SkipNewLine), + logger: logp.NewLogger("reader_multiline"), + state: (*whilePatternReader).readFirst, + } + return pr, nil +} + +// Next returns next multi-line event. +func (pr *whilePatternReader) Next() (reader.Message, error) { + return pr.state(pr) +} + +func (pr *whilePatternReader) readFirst() (reader.Message, error) { + for { + message, err := pr.reader.Next() + if err != nil { + // no lines buffered -> ignore timeout + if err == sigMultilineTimeout { + continue + } + + pr.logger.Debug("Multiline event flushed because timeout reached.") + + // pass error to caller (next layer) for handling + return message, err + } + + if message.Bytes == 0 { + continue + } + + // no match, return message + if !pr.matcher(message.Content) { + return message, nil + } + + // Start new multiline event + pr.msgBuffer.startNewMessage(message) + pr.setState((*whilePatternReader).readNext) + return pr.readNext() + } +} + +func (pr *whilePatternReader) readNext() (reader.Message, error) { + for { + message, err := pr.reader.Next() + if err != nil { + // handle multiline timeout signal + if err == sigMultilineTimeout { + // no lines buffered -> ignore timeout + if pr.msgBuffer.isEmpty() { + continue + } + + pr.logger.Debug("Multiline event flushed because timeout reached.") + + // return collected multiline event and + // empty buffer for new multiline event + msg := pr.msgBuffer.finalize() + pr.resetState() + return msg, nil + } + + // handle error without any bytes returned from reader + if message.Bytes == 0 { + // no lines buffered -> return error + if pr.msgBuffer.isEmpty() { + return reader.Message{}, err + } + + // lines buffered, return multiline and error on next read + return pr.collectMessageAfterError(err) + } + + // handle error with some content being returned by reader and + // line matching multiline criteria or no multiline started yet + if pr.msgBuffer.isEmptyMessage() || pr.matcher(message.Content) { + pr.msgBuffer.addLine(message) + + // return multiline and error on next read + return pr.collectMessageAfterError(err) + } + + // no match, return current multiline and return current line on next + // call to readNext + msg := pr.msgBuffer.finalize() + pr.msgBuffer.load(message) + pr.setState((*whilePatternReader).notMatchedMessageLoad) + return msg, nil + } + + // no match, return message if buffer is empty, otherwise return current + // multiline and save message to buffer + if !pr.matcher(message.Content) { + if pr.msgBuffer.isEmptyMessage() { + return message, nil + } + msg := pr.msgBuffer.finalize() + pr.msgBuffer.load(message) + pr.setState((*whilePatternReader).notMatchedMessageLoad) + return msg, nil + } + + // add line to current multiline event + pr.msgBuffer.addLine(message) + } +} + +func (pr *whilePatternReader) collectMessageAfterError(err error) (reader.Message, error) { + msg := pr.msgBuffer.finalize() + pr.msgBuffer.setErr(err) + pr.setState((*whilePatternReader).readFailed) + return msg, nil +} + +// readFailed returns empty message and error and resets line reader +func (pr *whilePatternReader) readFailed() (reader.Message, error) { + err := pr.msgBuffer.err + pr.msgBuffer.setErr(nil) + pr.resetState() + return reader.Message{}, err +} + +// notMatchedMessageLoad returns not matched message from buffer +func (pr *whilePatternReader) notMatchedMessageLoad() (reader.Message, error) { + msg := pr.msgBuffer.finalize() + pr.resetState() + return msg, nil +} + +// resetState sets state of the reader to readFirst +func (pr *whilePatternReader) resetState() { + pr.setState((*whilePatternReader).readFirst) +} + +// setState sets state to the given function +func (pr *whilePatternReader) setState(next func(pr *whilePatternReader) (reader.Message, error)) { + pr.state = next +} + +type lineMatcherFunc func(content []byte) bool + +func lineMatcher(pat match.Matcher) lineMatcherFunc { + return func(content []byte) bool { + return pat.Match(content) + } +} + +func negatedLineMatcher(m lineMatcherFunc) lineMatcherFunc { + return func(content []byte) bool { + return !m(content) + } +} + +func (pr *whilePatternReader) Close() error { + pr.setState((*whilePatternReader).readClosed) + return pr.reader.Close() +} + +func (pr *whilePatternReader) readClosed() (reader.Message, error) { + return reader.Message{}, io.EOF +} diff --git a/libbeat/reader/reader.go b/libbeat/reader/reader.go index 5aadcd611eb..81ae4ad8241 100644 --- a/libbeat/reader/reader.go +++ b/libbeat/reader/reader.go @@ -19,6 +19,7 @@ package reader import ( "errors" + "io" ) // Reader is the interface that wraps the basic Next method for @@ -26,6 +27,7 @@ import ( // Next returns the message being read or and error. EOF is returned // if reader will not return any new message on subsequent calls. type Reader interface { + io.Closer Next() (Message, error) } diff --git a/libbeat/reader/readfile/encode.go b/libbeat/reader/readfile/encode.go index d2cf3cce4be..84442d9d0d5 100644 --- a/libbeat/reader/readfile/encode.go +++ b/libbeat/reader/readfile/encode.go @@ -38,11 +38,12 @@ type Config struct { Codec encoding.Encoding BufferSize int Terminator LineTerminator + MaxBytes int } // New creates a new Encode reader from input reader by applying // the given codec. -func NewEncodeReader(r io.Reader, config Config) (EncoderReader, error) { +func NewEncodeReader(r io.ReadCloser, config Config) (EncoderReader, error) { eReader, err := NewLineReader(r, config) return EncoderReader{eReader}, err } @@ -58,3 +59,7 @@ func (r EncoderReader) Next() (reader.Message, error) { Bytes: sz, }, err } + +func (r EncoderReader) Close() error { + return r.reader.Close() +} diff --git a/libbeat/reader/readfile/encode_test.go b/libbeat/reader/readfile/encode_test.go index 9d6205c229f..6c65c48846e 100644 --- a/libbeat/reader/readfile/encode_test.go +++ b/libbeat/reader/readfile/encode_test.go @@ -19,6 +19,7 @@ package readfile import ( "bytes" + "io/ioutil" "testing" "github.com/stretchr/testify/assert" @@ -46,7 +47,7 @@ func TestEncodeLines(t *testing.T) { for name, testCase := range testCases { t.Run(name, func(t *testing.T) { - r := bytes.NewReader(testCase.Input) + r := ioutil.NopCloser(bytes.NewReader(testCase.Input)) codec, err := encFactory(r) assert.Nil(t, err, "failed to initialize encoding: %v", err) diff --git a/libbeat/reader/readfile/limit.go b/libbeat/reader/readfile/limit.go index d547ff09dfe..fb907ba06a3 100644 --- a/libbeat/reader/readfile/limit.go +++ b/libbeat/reader/readfile/limit.go @@ -49,3 +49,7 @@ func (r *LimitReader) Next() (reader.Message, error) { } return message, err } + +func (r *LimitReader) Close() error { + return r.reader.Close() +} diff --git a/libbeat/reader/readfile/limit_test.go b/libbeat/reader/readfile/limit_test.go index e310e151cf8..08639495952 100644 --- a/libbeat/reader/readfile/limit_test.go +++ b/libbeat/reader/readfile/limit_test.go @@ -37,6 +37,8 @@ func (m *mockReader) Next() (reader.Message, error) { }, nil } +func (m *mockReader) Close() error { return nil } + var limitTests = []struct { line string maxBytes int diff --git a/libbeat/reader/readfile/line.go b/libbeat/reader/readfile/line.go index 5ea9150a8b9..3d10eb7664d 100644 --- a/libbeat/reader/readfile/line.go +++ b/libbeat/reader/readfile/line.go @@ -28,12 +28,15 @@ import ( "github.com/elastic/beats/v7/libbeat/logp" ) +const unlimited = 0 + // lineReader reads lines from underlying reader, decoding the input stream // using the configured codec. The reader keeps track of bytes consumed // from raw input stream for every decoded line. type LineReader struct { - reader io.Reader + reader io.ReadCloser bufferSize int + maxBytes int // max bytes per line limit to avoid OOM with malformatted files nl []byte decodedNl []byte inBuffer *streambuf.Buffer @@ -45,7 +48,7 @@ type LineReader struct { } // New creates a new reader object -func NewLineReader(input io.Reader, config Config) (*LineReader, error) { +func NewLineReader(input io.ReadCloser, config Config) (*LineReader, error) { encoder := config.Codec.NewEncoder() // Create newline char based on encoding @@ -62,6 +65,7 @@ func NewLineReader(input io.Reader, config Config) (*LineReader, error) { return &LineReader{ reader: input, bufferSize: config.BufferSize, + maxBytes: config.MaxBytes, decoder: config.Codec.NewDecoder(), nl: nl, decodedNl: terminator, @@ -121,9 +125,9 @@ func (r *LineReader) advance() error { // Initial check if buffer has already a newLine character idx := r.inBuffer.IndexFrom(r.inOffset, r.nl) - // fill inBuffer until newline sequence has been found in input buffer + // Fill inBuffer until newline sequence has been found in input buffer for idx == -1 { - // increase search offset to reduce iterations on buffer when looping + // Increase search offset to reduce iterations on buffer when looping newOffset := r.inBuffer.Len() - len(r.nl) if newOffset > r.inOffset { r.inOffset = newOffset @@ -131,7 +135,7 @@ func (r *LineReader) advance() error { buf := make([]byte, r.bufferSize) - // try to read more bytes into buffer + // Try to read more bytes into buffer n, err := r.reader.Read(buf) // Appends buffer also in case of err @@ -140,16 +144,39 @@ func (r *LineReader) advance() error { return err } - // empty read => return buffer error (more bytes required error) + // Empty read => return buffer error (more bytes required error) if n == 0 { return streambuf.ErrNoMoreBytes } // Check if buffer has newLine character idx = r.inBuffer.IndexFrom(r.inOffset, r.nl) + + // If max bytes limit per line is set, then drop the lines that are longer + if r.maxBytes != 0 { + // If newLine is found, drop the lines longer than maxBytes + for idx != -1 && idx > r.maxBytes { + r.logger.Warnf("Exceeded %d max bytes in line limit, skipped %d bytes line", r.maxBytes, idx) + err = r.inBuffer.Advance(idx + len(r.nl)) + r.inBuffer.Reset() + r.inOffset = 0 + idx = r.inBuffer.IndexFrom(r.inOffset, r.nl) + } + + // If newLine is not found and the incoming data buffer exceeded max bytes limit, then skip until the next newLine + if idx == -1 && r.inBuffer.Len() > r.maxBytes { + skipped, err := r.skipUntilNewLine(buf) + if err != nil { + r.logger.Error("Error skipping until new line, err:", err) + return err + } + r.logger.Warnf("Exceeded %d max bytes in line limit, skipped %d bytes line", r.maxBytes, skipped) + idx = r.inBuffer.IndexFrom(r.inOffset, r.nl) + } + } } - // found encoded byte sequence for newline in buffer + // Found encoded byte sequence for newline in buffer // -> decode input sequence into outBuffer sz, err := r.decode(idx + len(r.nl)) if err != nil { @@ -158,20 +185,63 @@ func (r *LineReader) advance() error { sz = idx + len(r.nl) } - // consume transformed bytes from input buffer + // Consume transformed bytes from input buffer err = r.inBuffer.Advance(sz) r.inBuffer.Reset() - // continue scanning input buffer from last position + 1 + // Continue scanning input buffer from last position + 1 r.inOffset = idx + 1 - sz if r.inOffset < 0 { - // fix inOffset if newline has encoding > 8bits + firl line has been decoded + // Fix inOffset if newline has encoding > 8bits + firl line has been decoded r.inOffset = 0 } return err } +func (r *LineReader) skipUntilNewLine(buf []byte) (int, error) { + // The length of the line skipped + skipped := r.inBuffer.Len() + + // Clean up the buffer + err := r.inBuffer.Advance(skipped) + r.inBuffer.Reset() + + // Reset inOffset + r.inOffset = 0 + + if err != nil { + return 0, err + } + + // Read until the new line is found + for idx := -1; idx == -1; { + n, err := r.reader.Read(buf) + + // Check bytes read for newLine + if n > 0 { + idx = bytes.Index(buf[:n], r.nl) + + if idx != -1 { + r.inBuffer.Append(buf[idx+len(r.nl) : n]) + skipped += idx + } else { + skipped += n + } + } + + if err != nil { + return skipped, err + } + + if n == 0 { + return skipped, streambuf.ErrNoMoreBytes + } + } + + return skipped, nil +} + func (r *LineReader) decode(end int) (int, error) { var err error buffer := make([]byte, 1024) @@ -201,3 +271,7 @@ func (r *LineReader) decode(end int) (int, error) { r.byteCount += start return start, err } + +func (r *LineReader) Close() error { + return r.reader.Close() +} diff --git a/libbeat/reader/readfile/line_test.go b/libbeat/reader/readfile/line_test.go index 13b13127a86..d91544162c5 100644 --- a/libbeat/reader/readfile/line_test.go +++ b/libbeat/reader/readfile/line_test.go @@ -21,8 +21,13 @@ package readfile import ( "bytes" + "encoding/hex" + "io" + "io/ioutil" "math/rand" + "strings" "testing" + "time" "github.com/stretchr/testify/assert" "golang.org/x/text/transform" @@ -31,10 +36,12 @@ import ( ) // Sample texts are from http://www.columbia.edu/~kermit/utf8.html -var tests = []struct { +type lineTestCase struct { encoding string strings []string -}{ +} + +var tests = []lineTestCase{ {"plain", []string{"I can", "eat glass"}}, {"latin1", []string{"I kå Glas frässa", "ond des macht mr nix!"}}, {"utf-16be", []string{"Pot să mănânc sticlă", "și ea nu mă rănește."}}, @@ -71,13 +78,10 @@ var tests = []struct { } func TestReaderEncodings(t *testing.T) { - for _, test := range tests { - t.Logf("test codec: %v", test.encoding) - + runTest := func(t *testing.T, test lineTestCase) { codecFactory, ok := encoding.FindEncoding(test.encoding) if !ok { - t.Errorf("can not find encoding '%v'", test.encoding) - continue + t.Fatalf("can not find encoding '%v'", test.encoding) } buffer := bytes.NewBuffer(nil) @@ -94,10 +98,9 @@ func TestReaderEncodings(t *testing.T) { } // create line reader - reader, err := NewLineReader(buffer, Config{codec, 1024, LineFeed}) + reader, err := NewLineReader(ioutil.NopCloser(buffer), Config{codec, 1024, LineFeed, unlimited}) if err != nil { - t.Errorf("failed to initialize reader: %v", err) - continue + t.Fatal("failed to initialize reader:", err) } // read decodec lines from buffer @@ -120,9 +123,8 @@ func TestReaderEncodings(t *testing.T) { // validate lines and byte offsets if len(test.strings) != len(readLines) { - t.Errorf("number of lines mismatch (expected=%v actual=%v)", + t.Fatalf("number of lines mismatch (expected=%v actual=%v)", len(test.strings), len(readLines)) - continue } for i := range test.strings { expected := test.strings[i] @@ -131,6 +133,12 @@ func TestReaderEncodings(t *testing.T) { assert.Equal(t, expectedCount[i], byteCounts[i]) } } + + for _, test := range tests { + t.Run(test.encoding, func(t *testing.T) { + runTest(t, test) + }) + } } func TestLineTerminators(t *testing.T) { @@ -150,7 +158,7 @@ func TestLineTerminators(t *testing.T) { buffer.Write([]byte("this is my second line")) buffer.Write(nl) - reader, err := NewLineReader(buffer, Config{codec, 1024, terminator}) + reader, err := NewLineReader(ioutil.NopCloser(buffer), Config{codec, 1024, terminator, unlimited}) if err != nil { t.Errorf("failed to initialize reader: %v", err) continue @@ -222,7 +230,7 @@ func testReadLines(t *testing.T, inputLines [][]byte) { // initialize reader buffer := bytes.NewBuffer(inputStream) codec, _ := encoding.Plain(buffer) - reader, err := NewLineReader(buffer, Config{codec, buffer.Len(), LineFeed}) + reader, err := NewLineReader(ioutil.NopCloser(buffer), Config{codec, buffer.Len(), LineFeed, unlimited}) if err != nil { t.Fatalf("Error initializing reader: %v", err) } @@ -248,3 +256,137 @@ func testReadLines(t *testing.T, inputLines [][]byte) { func testReadLine(t *testing.T, line []byte) { testReadLines(t, [][]byte{line}) } + +func randomInt(r *rand.Rand, min, max int) int { + return r.Intn(max+1-min) + min +} + +func randomBool(r *rand.Rand) bool { + n := randomInt(r, 0, 1) + return n != 0 +} + +func randomBytes(r *rand.Rand, sz int) ([]byte, error) { + bytes := make([]byte, sz) + if _, err := rand.Read(bytes); err != nil { + return nil, err + } + return bytes, nil +} + +func randomString(r *rand.Rand, sz int) (string, error) { + if sz == 0 { + return "", nil + } + + var bytes []byte + var err error + if bytes, err = randomBytes(r, sz/2+sz%2); err != nil { + return "", err + } + s := hex.EncodeToString(bytes) + return s[:sz], nil +} + +func setupTestMaxBytesLimit(lineMaxLimit, lineLen int, nl []byte) (lines []string, data string, err error) { + rnd := rand.New(rand.NewSource(time.Now().UnixNano())) + + lineCount := randomInt(rnd, 11, 142) + lines = make([]string, lineCount) + + var b strings.Builder + + for i := 0; i < lineCount; i++ { + var sz int + // Non-empty line + if randomBool(rnd) { + // Boundary to the lineMaxLimit + if randomBool(rnd) { + sz = randomInt(rnd, lineMaxLimit-1, lineMaxLimit+1) + } else { + sz = randomInt(rnd, 0, lineLen) + } + } else { + // Randomly empty or one characters lines(another possibly boundary conditions) + sz = randomInt(rnd, 0, 1) + } + + s, err := randomString(rnd, sz) + if err != nil { + return nil, "", err + } + + lines[i] = s + if len(s) > 0 { + b.WriteString(s) + } + b.Write(nl) + } + return lines, b.String(), nil +} + +func TestMaxBytesLimit(t *testing.T) { + const ( + enc = "plain" + numberOfLines = 102 + bufferSize = 1024 + lineMaxLimit = 3012 + lineLen = 5720 // exceeds lineMaxLimit + ) + + codecFactory, ok := encoding.FindEncoding(enc) + if !ok { + t.Fatalf("can not find encoding '%v'", enc) + } + + buffer := bytes.NewBuffer(nil) + codec, _ := codecFactory(buffer) + nl := lineTerminatorCharacters[LineFeed] + + // Generate random lines lengths including empty lines + lines, input, err := setupTestMaxBytesLimit(lineMaxLimit, lineLen, nl) + if err != nil { + t.Fatal("failed to generate random input:", err) + } + + // Create line reader + reader, err := NewLineReader(ioutil.NopCloser(strings.NewReader(input)), Config{codec, bufferSize, LineFeed, lineMaxLimit}) + if err != nil { + t.Fatal("failed to initialize reader:", err) + } + + // Read decodec lines and test + var idx int + for i := 0; ; i++ { + b, n, err := reader.Next() + if err != nil { + if err == io.EOF { + break + } else { + t.Fatal("unexpected error:", err) + } + } + + // Find the next expected line from the original test array + var line string + for ; idx < len(lines); idx++ { + // Expected to be dropped + if len(lines[idx]) > lineMaxLimit { + continue + } + line = lines[idx] + idx++ + break + } + + gotLen := n - len(nl) + s := string(b[:len(b)-len(nl)]) + if len(line) != gotLen { + t.Fatalf("invalid line length, expected: %d got: %d", len(line), gotLen) + } + + if line != s { + t.Fatalf("lines do not match, expected: %s got: %s", line, s) + } + } +} diff --git a/libbeat/reader/readfile/strip_newline.go b/libbeat/reader/readfile/strip_newline.go index 97cc005da92..6c5e5c513d2 100644 --- a/libbeat/reader/readfile/strip_newline.go +++ b/libbeat/reader/readfile/strip_newline.go @@ -81,3 +81,7 @@ func (p *StripNewline) autoLineEndingChars(l []byte) int { } return 1 } + +func (p *StripNewline) Close() error { + return p.reader.Close() +} diff --git a/libbeat/reader/readfile/timeout.go b/libbeat/reader/readfile/timeout.go index fd3d1c8ba7c..8e6f7f06023 100644 --- a/libbeat/reader/readfile/timeout.go +++ b/libbeat/reader/readfile/timeout.go @@ -19,6 +19,7 @@ package readfile import ( "errors" + "io" "time" "github.com/elastic/beats/v7/libbeat/reader" @@ -36,6 +37,7 @@ type TimeoutReader struct { signal error running bool ch chan lineMessage + done chan struct{} } type lineMessage struct { @@ -54,6 +56,7 @@ func NewTimeoutReader(reader reader.Reader, signal error, t time.Duration) *Time signal: signal, timeout: t, ch: make(chan lineMessage, 1), + done: make(chan struct{}), } } @@ -68,9 +71,13 @@ func (r *TimeoutReader) Next() (reader.Message, error) { go func() { for { message, err := r.reader.Next() - r.ch <- lineMessage{message, err} - if err != nil { - break + select { + case <-r.done: + return + case r.ch <- lineMessage{message, err}: + if err != nil { + return + } } } }() @@ -85,5 +92,13 @@ func (r *TimeoutReader) Next() (reader.Message, error) { return msg.line, msg.err case <-timer.C: return reader.Message{}, r.signal + case <-r.done: + return reader.Message{}, io.EOF } } + +func (r *TimeoutReader) Close() error { + close(r.done) + + return r.reader.Close() +} diff --git a/libbeat/reader/readjson/docker_json.go b/libbeat/reader/readjson/docker_json.go index c38e0a1a51c..59dded97ec3 100644 --- a/libbeat/reader/readjson/docker_json.go +++ b/libbeat/reader/readjson/docker_json.go @@ -244,3 +244,7 @@ func stripNewLineWin(msg *reader.Message) { return r == '\n' || r == '\r' }) } + +func (p *DockerJSONReader) Close() error { + return p.reader.Close() +} diff --git a/libbeat/reader/readjson/docker_json_test.go b/libbeat/reader/readjson/docker_json_test.go index 23cc862d964..2c9e2e71104 100644 --- a/libbeat/reader/readjson/docker_json_test.go +++ b/libbeat/reader/readjson/docker_json_test.go @@ -365,3 +365,5 @@ func (m *mockReader) Next() (reader.Message, error) { Bytes: len(message), }, nil } + +func (m *mockReader) Close() error { return nil } diff --git a/libbeat/reader/readjson/json.go b/libbeat/reader/readjson/json.go index aca7c535148..b2c0e5e028f 100644 --- a/libbeat/reader/readjson/json.go +++ b/libbeat/reader/readjson/json.go @@ -111,6 +111,10 @@ func (r *JSONReader) Next() (reader.Message, error) { return message, nil } +func (r *JSONReader) Close() error { + return r.reader.Close() +} + func createJSONError(message string) common.MapStr { return common.MapStr{"message": message, "type": "json"} } diff --git a/libbeat/scripts/Makefile b/libbeat/scripts/Makefile index 5d540dabef0..b0c48d7c9fd 100755 --- a/libbeat/scripts/Makefile +++ b/libbeat/scripts/Makefile @@ -25,7 +25,7 @@ ELASTIC_LICENSE_FILE?=../licenses/ELASTIC-LICENSE.txt SECCOMP_BINARY?=${BEAT_NAME} SECCOMP_BLACKLIST?=${ES_BEATS}/libbeat/common/seccomp/seccomp-profiler-blacklist.txt SECCOMP_ALLOWLIST?=${ES_BEATS}/libbeat/common/seccomp/seccomp-profiler-allow.txt -INSTALL_CMD?=get +INSTALL_CMD?=install export INSTALL_FLAG export INSTALL_CMD MAGE_PRESENT := $(shell command -v mage 2> /dev/null) @@ -81,7 +81,7 @@ REVIEWDOG_REPO?=github.com/reviewdog/reviewdog/cmd/reviewdog PROCESSES?= 4 TIMEOUT?= 90 PYTHON_TEST_FILES?=$(shell find . -type f -name 'test_*.py' -not -path "*/build/*" -not -path "*/vendor/*" 2>/dev/null) -NOSETESTS_OPTIONS?=--process-timeout=$(TIMEOUT) --with-timer -v --with-xunit --xunit-file=${BUILD_DIR}/TEST-system.xml ## @testing the options to pass when calling nosetests +PYTEST_OPTIONS?=--timeout=$(TIMEOUT) --durations=20 --junit-xml=${BUILD_DIR}/TEST-system.xml ## @testing the options to pass when calling pytest TEST_ENVIRONMENT?=false ## @testing if true, "make testsuite" runs integration tests and system tests in a dockerized test environment SYSTEM_TESTS?=false ## @testing if true, "make test" and "make testsuite" run unit tests and system tests STRESS_TESTS?=false ## @testing if true, "make test" and "make testsuite" run also run the stress tests @@ -237,7 +237,7 @@ integration-tests-environment: prepare-tests build-image .PHONY: system-tests system-tests: ## @testing Runs the system tests system-tests: prepare-tests ${BEAT_NAME}.test python-env - . ${PYTHON_ENV}/bin/activate; INTEGRATION_TESTS=${INTEGRATION_TESTS} TESTING_ENVIRONMENT=${TESTING_ENVIRONMENT} DOCKER_COMPOSE_PROJECT_NAME=${DOCKER_COMPOSE_PROJECT_NAME} nosetests ${PYTHON_TEST_FILES} ${NOSETESTS_OPTIONS} + . ${PYTHON_ENV}/bin/activate; INTEGRATION_TESTS=${INTEGRATION_TESTS} TESTING_ENVIRONMENT=${TESTING_ENVIRONMENT} DOCKER_COMPOSE_PROJECT_NAME=${DOCKER_COMPOSE_PROJECT_NAME} pytest ${PYTHON_TEST_FILES} ${PYTEST_OPTIONS} ${PYTHON_ENV_EXE} ${ES_BEATS}/dev-tools/aggregate_coverage.py -o ${COVERAGE_DIR}/system.cov ${BUILD_DIR}/system-tests/run # Runs the system tests @@ -255,7 +255,7 @@ system-tests-environment: prepare-tests build-image .PHONY: fast-system-tests fast-system-tests: ## @testing Runs system tests without coverage reports and in parallel fast-system-tests: ${BEAT_NAME}.test python-env - . ${PYTHON_ENV}/bin/activate; nosetests ${PYTHON_TEST_FILES} ${NOSETESTS_OPTIONS} + . ${PYTHON_ENV}/bin/activate; pytest ${PYTHON_TEST_FILES} ${PYTEST_OPTIONS} # Runs the go based stress tests .PHONY: stress-tests @@ -274,7 +274,7 @@ benchmark-tests: ## @testing Runs benchmarks (NOT YET IMPLEMENTED) # Run load tests .PHONY: load-tests load-tests: ## @testing Runs load tests - . ${PYTHON_ENV}/bin/activate; LOAD_TESTS=1 nosetests ${PYTHON_TEST_FILES} --processes=$(PROCESSES) --process-timeout=$(TIMEOUT) -a 'load' + . ${PYTHON_ENV}/bin/activate; LOAD_TESTS=1 pytest ${PYTHON_TEST_FILES} --processes=$(PROCESSES) --timeout=$(TIMEOUT) -a 'load' # Sets up the virtual python environment .PHONY: python-env diff --git a/libbeat/scripts/generate_fields_docs.py b/libbeat/scripts/generate_fields_docs.py index f25ebc00779..89a80d83d27 100644 --- a/libbeat/scripts/generate_fields_docs.py +++ b/libbeat/scripts/generate_fields_docs.py @@ -106,7 +106,7 @@ def fields_to_asciidoc(input, output, beat): """.format(**dict)) - docs = yaml.load(input) + docs = yaml.load(input, Loader=yaml.FullLoader) # fields file is empty if docs is None: diff --git a/libbeat/scripts/generate_makefile_doc.py b/libbeat/scripts/generate_makefile_doc.py index 0bae7b2cab6..22f59c3e099 100644 --- a/libbeat/scripts/generate_makefile_doc.py +++ b/libbeat/scripts/generate_makefile_doc.py @@ -63,11 +63,11 @@ def parse_line(line, regexp, categories, categories_set): try: name = matches.group("varname") is_variable = True - except: + except BaseException: pass try: default = matches.group("default").strip() - except: + except BaseException: default = "" if not name: diff --git a/libbeat/statestore/backend/memlog/store.go b/libbeat/statestore/backend/memlog/store.go index 29880a6aae8..55da9db06ed 100644 --- a/libbeat/statestore/backend/memlog/store.go +++ b/libbeat/statestore/backend/memlog/store.go @@ -196,6 +196,16 @@ func (s *store) Remove(key string) error { return s.logOperation(&opRemove{K: key}) } +// Checkpoint triggers a state checkpoint operation. All state will be written +// to a new transaction data file and fsync'ed. The log file will be reset after +// a successful write. +func (s *store) Checkpoint() error { + s.lock.Lock() + defer s.lock.Unlock() + + return s.disk.WriteCheckpoint(s.mem.table) +} + // lopOperation ensures that the diskstore reflects the recent changes to the // in memory store by either triggering a checkpoint operations or adding the // operation type to the update log file. diff --git a/libbeat/statestore/backend/memlog/util.go b/libbeat/statestore/backend/memlog/util.go index 2027c87adca..e2c5d4e6f68 100644 --- a/libbeat/statestore/backend/memlog/util.go +++ b/libbeat/statestore/backend/memlog/util.go @@ -55,7 +55,7 @@ func (e *ensureWriter) Write(p []byte) (int, error) { for len(p) > 0 { n, err := e.w.Write(p) N, p = N+n, p[n:] - if isRetryErr(err) { + if err != nil && !isRetryErr(err) { return N, err } } diff --git a/libbeat/statestore/backend/memlog/util_test.go b/libbeat/statestore/backend/memlog/util_test.go new file mode 100644 index 00000000000..fca2a2bbaf6 --- /dev/null +++ b/libbeat/statestore/backend/memlog/util_test.go @@ -0,0 +1,81 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package memlog + +import ( + "syscall" + "testing" +) + +// A mock Writer implementation that always returns a configurable +// error on the first write call, to test error handling in ensureWriter. +type mockErrorWriter struct { + errorType error + reportedError bool +} + +func (mew *mockErrorWriter) Write(data []byte) (n int, err error) { + if !mew.reportedError { + mew.reportedError = true + return 0, mew.errorType + } + return len(data), nil +} + +func TestEnsureWriter_RetriableError(t *testing.T) { + // EAGAIN is retriable, ensureWriter.Write should succeed. + errorWriter := &mockErrorWriter{errorType: syscall.EAGAIN} + bytes := []byte{1, 2, 3} + writer := &ensureWriter{errorWriter} + written, err := writer.Write(bytes) + if err != nil { + t.Fatalf("ensureWriter shouldn't propagate retriable errors") + } + if written != len(bytes) { + t.Fatalf("Expected %d bytes written, got %d", len(bytes), written) + } +} + +func TestEnsureWriter_NonRetriableError(t *testing.T) { + // EINVAL is not retriable, ensureWriter.Write should return an error. + errorWriter := &mockErrorWriter{errorType: syscall.EINVAL} + bytes := []byte{1, 2, 3} + writer := &ensureWriter{errorWriter} + written, err := writer.Write(bytes) + if err != syscall.EINVAL { + t.Fatalf("ensureWriter should propagate nonretriable errors") + } + if written != 0 { + t.Fatalf("Expected 0 bytes written, got %d", written) + } +} + +func TestEnsureWriter_NoError(t *testing.T) { + // This tests the case where the underlying writer returns with no error, + // but without writing the full buffer. + var bytes []byte = []byte{1, 2, 3} + errorWriter := &mockErrorWriter{errorType: nil} + writer := &ensureWriter{errorWriter} + written, err := writer.Write(bytes) + if err != nil { + t.Fatalf("ensureWriter should only error if the underlying writer does") + } + if written != len(bytes) { + t.Fatalf("Expected %d bytes written, got %d", len(bytes), written) + } +} diff --git a/libbeat/template/config.go b/libbeat/template/config.go index c9e963d6135..7eb6ff522f4 100644 --- a/libbeat/template/config.go +++ b/libbeat/template/config.go @@ -17,7 +17,27 @@ package template -import "github.com/elastic/beats/v7/libbeat/mapping" +import ( + "fmt" + + "github.com/elastic/beats/v7/libbeat/mapping" +) + +const ( + IndexTemplateLegacy IndexTemplateType = iota + IndexTemplateComponent + IndexTemplateIndex +) + +var ( + templateTypes = map[string]IndexTemplateType{ + "legacy": IndexTemplateLegacy, + "component": IndexTemplateComponent, + "index": IndexTemplateIndex, + } +) + +type IndexTemplateType uint8 // TemplateConfig holds config information about the Elasticsearch template type TemplateConfig struct { @@ -30,10 +50,12 @@ type TemplateConfig struct { Path string `config:"path"` Name string `config:"name"` } `config:"json"` - AppendFields mapping.Fields `config:"append_fields"` - Overwrite bool `config:"overwrite"` - Settings TemplateSettings `config:"settings"` - Order int `config:"order"` + AppendFields mapping.Fields `config:"append_fields"` + Overwrite bool `config:"overwrite"` + Settings TemplateSettings `config:"settings"` + Order int `config:"order"` + Priority int `config:"priority"` + Type IndexTemplateType `config:"type"` } // TemplateSettings are part of the Elasticsearch template and hold index and source specific information. @@ -45,8 +67,26 @@ type TemplateSettings struct { // DefaultConfig for index template func DefaultConfig() TemplateConfig { return TemplateConfig{ - Enabled: true, - Fields: "", - Order: 1, + Enabled: true, + Fields: "", + Type: IndexTemplateLegacy, + Order: 1, + Priority: 150, } } + +func (t *IndexTemplateType) Unpack(v string) error { + if v == "" { + *t = IndexTemplateLegacy + return nil + } + + var tt IndexTemplateType + var ok bool + if tt, ok = templateTypes[v]; !ok { + return fmt.Errorf("unknown index template type: %s", v) + } + *t = tt + + return nil +} diff --git a/libbeat/template/load.go b/libbeat/template/load.go index b018fda9788..5b0e0f58440 100644 --- a/libbeat/template/load.go +++ b/libbeat/template/load.go @@ -31,6 +31,14 @@ import ( "github.com/elastic/beats/v7/libbeat/paths" ) +var ( + templateLoaderPath = map[IndexTemplateType]string{ + IndexTemplateLegacy: "/_template/", + IndexTemplateComponent: "/_component_template/", + IndexTemplateIndex: "/_index_template/", + } +) + //Loader interface for loading templates type Loader interface { Load(config TemplateConfig, info beat.Info, fields []byte, migration bool) error @@ -97,7 +105,7 @@ func (l *ESLoader) Load(config TemplateConfig, info beat.Info, fields []byte, mi templateName = config.JSON.Name } - if l.templateExists(templateName) && !config.Overwrite { + if l.templateExists(templateName, config.Type) && !config.Overwrite { l.log.Infof("Template %s already exists and will not be overwritten.", templateName) return nil } @@ -107,7 +115,7 @@ func (l *ESLoader) Load(config TemplateConfig, info beat.Info, fields []byte, mi if err != nil { return err } - if err := l.loadTemplate(templateName, body); err != nil { + if err := l.loadTemplate(templateName, config.Type, body); err != nil { return fmt.Errorf("could not load template. Elasticsearch returned: %v. Template is: %s", err, body.StringToPrint()) } l.log.Infof("template with name '%s' loaded.", templateName) @@ -117,10 +125,11 @@ func (l *ESLoader) Load(config TemplateConfig, info beat.Info, fields []byte, mi // loadTemplate loads a template into Elasticsearch overwriting the existing // template if it exists. If you wish to not overwrite an existing template // then use CheckTemplate prior to calling this method. -func (l *ESLoader) loadTemplate(templateName string, template map[string]interface{}) error { +func (l *ESLoader) loadTemplate(templateName string, templateType IndexTemplateType, template map[string]interface{}) error { l.log.Infof("Try loading template %s to Elasticsearch", templateName) - path := "/_template/" + templateName - params := esVersionParams(l.client.GetVersion()) + clientVersion := l.client.GetVersion() + path := templateLoaderPath[templateType] + templateName + params := esVersionParams(clientVersion) status, body, err := l.client.Request("PUT", path, "", params, template) if err != nil { return fmt.Errorf("couldn't load template: %v. Response body: %s", err, body) @@ -133,11 +142,16 @@ func (l *ESLoader) loadTemplate(templateName string, template map[string]interfa // templateExists checks if a given template already exist. It returns true if // and only if Elasticsearch returns with HTTP status code 200. -func (l *ESLoader) templateExists(templateName string) bool { +func (l *ESLoader) templateExists(templateName string, templateType IndexTemplateType) bool { if l.client == nil { return false } + if templateType == IndexTemplateComponent { + status, _, _ := l.client.Request("GET", "/_component_template/"+templateName, "", nil, nil) + return status == http.StatusOK + } + status, body, _ := l.client.Request("GET", "/_cat/templates/"+templateName, "", nil, nil) return status == http.StatusOK && strings.Contains(string(body), templateName) diff --git a/libbeat/template/load_integration_test.go b/libbeat/template/load_integration_test.go index 1a53cc75073..7a75b5d4f46 100644 --- a/libbeat/template/load_integration_test.go +++ b/libbeat/template/load_integration_test.go @@ -65,8 +65,8 @@ func newTestSetup(t *testing.T, cfg TemplateConfig) *testSetup { t.Fatal(err) } s := testSetup{t: t, client: client, loader: NewESLoader(client), config: cfg} - client.Request("DELETE", "/_template/"+cfg.Name, "", nil, nil) - require.False(t, s.loader.templateExists(cfg.Name)) + client.Request("DELETE", templateLoaderPath[cfg.Type]+cfg.Name, "", nil, nil) + require.False(t, s.loader.templateExists(cfg.Name, cfg.Type)) return &s } func (ts *testSetup) loadFromFile(fileElems []string) error { @@ -82,7 +82,7 @@ func (ts *testSetup) load(fields []byte) error { func (ts *testSetup) mustLoad(fields []byte) { require.NoError(ts.t, ts.load(fields)) - require.True(ts.t, ts.loader.templateExists(ts.config.Name)) + require.True(ts.t, ts.loader.templateExists(ts.config.Name, ts.config.Type)) } func TestESLoader_Load(t *testing.T) { @@ -91,7 +91,7 @@ func TestESLoader_Load(t *testing.T) { setup := newTestSetup(t, TemplateConfig{Enabled: false}) setup.load(nil) - assert.False(t, setup.loader.templateExists(setup.config.Name)) + assert.False(t, setup.loader.templateExists(setup.config.Name, setup.config.Type)) }) t.Run("invalid version", func(t *testing.T) { @@ -115,14 +115,14 @@ func TestESLoader_Load(t *testing.T) { t.Run("disabled", func(t *testing.T) { setup.load(nil) - tmpl := getTemplate(t, setup.client, setup.config.Name) + tmpl := getTemplate(t, setup.client, setup.config.Name, setup.config.Type) assert.Equal(t, true, tmpl.SourceEnabled()) }) t.Run("enabled", func(t *testing.T) { setup.config.Overwrite = true setup.load(nil) - tmpl := getTemplate(t, setup.client, setup.config.Name) + tmpl := getTemplate(t, setup.client, setup.config.Name, setup.config.Type) assert.Equal(t, false, tmpl.SourceEnabled()) }) }) @@ -140,7 +140,7 @@ func TestESLoader_Load(t *testing.T) { Name string `config:"name"` }{Enabled: true, Path: path(t, []string{"testdata", "fields.json"}), Name: nameJSON} setup.load(nil) - assert.True(t, setup.loader.templateExists(nameJSON)) + assert.True(t, setup.loader.templateExists(nameJSON, setup.config.Type)) }) t.Run("load template successful", func(t *testing.T) { @@ -157,10 +157,19 @@ func TestESLoader_Load(t *testing.T) { fields: fields, properties: []string{"foo", "bar"}, }, + "default config with fields and component": { + cfg: TemplateConfig{Enabled: true, Type: IndexTemplateComponent}, + fields: fields, + properties: []string{"foo", "bar"}, + }, "minimal template": { cfg: TemplateConfig{Enabled: true}, fields: nil, }, + "minimal template component": { + cfg: TemplateConfig{Enabled: true, Type: IndexTemplateComponent}, + fields: nil, + }, "fields from file": { cfg: TemplateConfig{Enabled: true, Fields: path(t, []string{"testdata", "fields.yml"})}, fields: fields, @@ -181,7 +190,7 @@ func TestESLoader_Load(t *testing.T) { setup.mustLoad(data.fields) // Fetch properties - tmpl := getTemplate(t, setup.client, setup.config.Name) + tmpl := getTemplate(t, setup.client, setup.config.Name, setup.config.Type) val, err := tmpl.GetValue("mappings.properties") if data.properties == nil { assert.Error(t, err) @@ -203,7 +212,7 @@ func TestESLoader_Load(t *testing.T) { func TestTemplate_LoadFile(t *testing.T) { setup := newTestSetup(t, TemplateConfig{Enabled: true}) assert.NoError(t, setup.loadFromFile([]string{"..", "fields.yml"})) - assert.True(t, setup.loader.templateExists(setup.config.Name)) + assert.True(t, setup.loader.templateExists(setup.config.Name, setup.config.Type)) } func TestLoadInvalidTemplate(t *testing.T) { @@ -211,9 +220,9 @@ func TestLoadInvalidTemplate(t *testing.T) { // Try to load invalid template template := map[string]interface{}{"json": "invalid"} - err := setup.loader.loadTemplate(setup.config.Name, template) + err := setup.loader.loadTemplate(setup.config.Name, setup.config.Type, template) assert.Error(t, err) - assert.False(t, setup.loader.templateExists(setup.config.Name)) + assert.False(t, setup.loader.templateExists(setup.config.Name, setup.config.Type)) } // Tests loading the templates for each beat @@ -225,7 +234,7 @@ func TestLoadBeatsTemplate_fromFile(t *testing.T) { for _, beat := range beats { setup := newTestSetup(t, TemplateConfig{Name: beat, Enabled: true}) assert.NoError(t, setup.loadFromFile([]string{"..", "..", beat, "fields.yml"})) - assert.True(t, setup.loader.templateExists(setup.config.Name)) + assert.True(t, setup.loader.templateExists(setup.config.Name, setup.config.Type)) } } @@ -238,7 +247,7 @@ func TestTemplateSettings(t *testing.T) { require.NoError(t, setup.loadFromFile([]string{"..", "fields.yml"})) // Check that it contains the mapping - templateJSON := getTemplate(t, setup.client, setup.config.Name) + templateJSON := getTemplate(t, setup.client, setup.config.Name, setup.config.Type) assert.Equal(t, 1, templateJSON.NumberOfShards()) assert.Equal(t, false, templateJSON.SourceEnabled()) } @@ -289,27 +298,42 @@ var dataTests = []struct { func TestTemplateWithData(t *testing.T) { setup := newTestSetup(t, TemplateConfig{Enabled: true}) require.NoError(t, setup.loadFromFile([]string{"testdata", "fields.yml"})) - require.True(t, setup.loader.templateExists(setup.config.Name)) + require.True(t, setup.loader.templateExists(setup.config.Name, setup.config.Type)) esClient := setup.client.(*eslegclient.Connection) for _, test := range dataTests { _, _, err := esClient.Index(setup.config.Name, "_doc", "", nil, test.data) if test.error { - assert.NotNil(t, err) + assert.Error(t, err) } else { - assert.Nil(t, err) + assert.NoError(t, err) } } } -func getTemplate(t *testing.T, client ESClient, templateName string) testTemplate { - status, body, err := client.Request("GET", "/_template/"+templateName, "", nil, nil) +func getTemplate(t *testing.T, client ESClient, templateName string, templateType IndexTemplateType) testTemplate { + status, body, err := client.Request("GET", templateLoaderPath[templateType]+templateName, "", nil, nil) require.NoError(t, err) require.Equal(t, status, 200) var response common.MapStr err = json.Unmarshal(body, &response) require.NoError(t, err) + require.NotNil(t, response) + + if templateType == IndexTemplateComponent { + var tmpl map[string]interface{} + components := response["component_templates"].([]interface{}) + for _, ct := range components { + componentTemplate := ct.(map[string]interface{})["component_template"].(map[string]interface{}) + tmpl = componentTemplate["template"].(map[string]interface{}) + } + return testTemplate{ + t: t, + client: client, + MapStr: common.MapStr(tmpl), + } + } return testTemplate{ t: t, diff --git a/libbeat/template/template.go b/libbeat/template/template.go index b11599eb205..2aaa7712d02 100644 --- a/libbeat/template/template.go +++ b/libbeat/template/template.go @@ -32,9 +32,10 @@ import ( var ( // Defaults used in the template - defaultDateDetection = false - defaultTotalFieldsLimit = 10000 - defaultNumberOfRoutingShards = 30 + defaultDateDetection = false + defaultTotalFieldsLimit = 10000 + defaultNumberOfRoutingShards = 30 + defaultMaxDocvalueFieldsSearch = 200 // Array to store dynamicTemplate parts in dynamicTemplates []common.MapStr @@ -45,14 +46,16 @@ var ( // Template holds information for the ES template. type Template struct { sync.Mutex - name string - pattern string - beatVersion common.Version - beatName string - esVersion common.Version - config TemplateConfig - migration bool - order int + name string + pattern string + beatVersion common.Version + beatName string + esVersion common.Version + config TemplateConfig + migration bool + templateType IndexTemplateType + order int + priority int } // New creates a new template instance @@ -122,14 +125,16 @@ func New( } return &Template{ - pattern: pattern, - name: name, - beatVersion: *bV, - esVersion: esVersion, - beatName: beatName, - config: config, - migration: migration, - order: config.Order, + pattern: pattern, + name: name, + beatVersion: *bV, + esVersion: esVersion, + beatName: beatName, + config: config, + migration: migration, + templateType: config.Type, + order: config.Order, + priority: config.Priority, }, nil } @@ -183,23 +188,56 @@ func (t *Template) LoadBytes(data []byte) (common.MapStr, error) { // LoadMinimal loads the template only with the given configuration func (t *Template) LoadMinimal() (common.MapStr, error) { - keyPattern, patterns := buildPatternSettings(t.esVersion, t.GetPattern()) - m := common.MapStr{ - keyPattern: patterns, - "order": t.order, - "settings": common.MapStr{ - "index": t.config.Settings.Index, - }, + m := common.MapStr{} + switch t.templateType { + case IndexTemplateLegacy: + m = t.loadMinimalLegacy() + case IndexTemplateComponent: + m = t.loadMinimalComponent() + case IndexTemplateIndex: + m = t.loadMinimalIndex() + default: + return nil, fmt.Errorf("unknown template type %v", t.templateType) } + if t.config.Settings.Source != nil { m["mappings"] = buildMappings( t.beatVersion, t.esVersion, t.beatName, nil, nil, common.MapStr(t.config.Settings.Source)) } + return m, nil } +func (t *Template) loadMinimalLegacy() common.MapStr { + keyPattern, patterns := buildPatternSettings(t.esVersion, t.GetPattern()) + return common.MapStr{ + keyPattern: patterns, + "order": t.order, + "settings": common.MapStr{ + "index": t.config.Settings.Index, + }, + } +} + +func (t *Template) loadMinimalComponent() common.MapStr { + return common.MapStr{ + "template": common.MapStr{ + "settings": common.MapStr{ + "index": t.config.Settings.Index, + }, + }, + } +} + +func (t *Template) loadMinimalIndex() common.MapStr { + m := t.loadMinimalLegacy() + m["priority"] = t.priority + delete(m, "order") + return m +} + // GetName returns the name of the template func (t *Template) GetName() string { return t.name @@ -213,6 +251,19 @@ func (t *Template) GetPattern() string { // Generate generates the full template // The default values are taken from the default variable. func (t *Template) Generate(properties common.MapStr, dynamicTemplates []common.MapStr) common.MapStr { + switch t.templateType { + case IndexTemplateLegacy: + return t.generateLegacy(properties) + case IndexTemplateComponent: + return t.generateComponent(properties) + case IndexTemplateIndex: + return t.generateIndex(properties) + default: + } + return nil +} + +func (t *Template) generateLegacy(properties common.MapStr) common.MapStr { keyPattern, patterns := buildPatternSettings(t.esVersion, t.GetPattern()) return common.MapStr{ keyPattern: patterns, @@ -231,6 +282,31 @@ func (t *Template) Generate(properties common.MapStr, dynamicTemplates []common. } } +func (t *Template) generateComponent(properties common.MapStr) common.MapStr { + return common.MapStr{ + "template": common.MapStr{ + "mappings": buildMappings( + t.beatVersion, t.esVersion, t.beatName, + properties, + append(dynamicTemplates, buildDynTmpl(t.esVersion)), + common.MapStr(t.config.Settings.Source)), + "settings": common.MapStr{ + "index": buildIdxSettings( + t.esVersion, + t.config.Settings.Index, + ), + }, + }, + } +} + +func (t *Template) generateIndex(properties common.MapStr) common.MapStr { + tmpl := t.generateLegacy(properties) + tmpl["priority"] = t.priority + delete(tmpl, "order") + return tmpl +} + func buildPatternSettings(ver common.Version, pattern string) (string, interface{}) { if ver.Major < 6 { return "template", pattern @@ -325,6 +401,10 @@ func buildIdxSettings(ver common.Version, userSettings common.MapStr) common.Map indexSettings.Put("query.default_field", fields) } + if ver.Major >= 6 { + indexSettings.Put("max_docvalue_fields_search", defaultMaxDocvalueFieldsSearch) + } + indexSettings.DeepUpdate(userSettings) return indexSettings } diff --git a/libbeat/template/template_test.go b/libbeat/template/template_test.go index 7e6a688db5d..52080274dd6 100644 --- a/libbeat/template/template_test.go +++ b/libbeat/template/template_test.go @@ -113,6 +113,7 @@ func TestTemplate(t *testing.T) { template.Assert("index_patterns", []string{"testbeat-" + currentVersion + "-*"}) template.Assert("order", 1) template.Assert("mappings.doc._meta", common.MapStr{"beat": "testbeat", "version": currentVersion}) + template.Assert("settings.index.max_docvalue_fields_search", 200) }) t.Run("for ES 7.x", func(t *testing.T) { @@ -120,6 +121,7 @@ func TestTemplate(t *testing.T) { template.Assert("index_patterns", []string{"testbeat-" + currentVersion + "-*"}) template.Assert("order", 1) template.Assert("mappings._meta", common.MapStr{"beat": "testbeat", "version": currentVersion}) + template.Assert("settings.index.max_docvalue_fields_search", 200) }) t.Run("for ES 8.x", func(t *testing.T) { @@ -127,6 +129,7 @@ func TestTemplate(t *testing.T) { template.Assert("index_patterns", []string{"testbeat-" + currentVersion + "-*"}) template.Assert("order", 1) template.Assert("mappings._meta", common.MapStr{"beat": "testbeat", "version": currentVersion}) + template.Assert("settings.index.max_docvalue_fields_search", 200) }) } diff --git a/libbeat/tests/system/beat/beat.py b/libbeat/tests/system/beat/beat.py index bf77ae98230..436b6e489d9 100644 --- a/libbeat/tests/system/beat/beat.py +++ b/libbeat/tests/system/beat/beat.py @@ -109,12 +109,12 @@ def __del__(self): try: self.proc.terminate() self.proc.kill() - except: + except BaseException: pass # Ensure the output is closed. try: self.output.close() - except: + except BaseException: pass @@ -134,14 +134,11 @@ def setUpClass(self): if not hasattr(self, 'test_binary'): self.test_binary = os.path.abspath(self.beat_path + "/" + self.beat_name + ".test") - template_paths = [ - self.beat_path, - os.path.abspath(os.path.join(self.beat_path, "../libbeat")) - ] if not hasattr(self, 'template_paths'): - self.template_paths = template_paths - else: - self.template_paths.append(template_paths) + self.template_paths = [ + self.beat_path, + os.path.abspath(os.path.join(self.beat_path, "../libbeat")) + ] # Create build path build_dir = self.beat_path + "/build" @@ -183,7 +180,7 @@ def run_beat(self, proc = self.start_beat(cmd=cmd, config=config, output=output, logging_args=logging_args, extra_args=extra_args, env=env) - if exit_code != None: + if exit_code is not None: return proc.check_wait(exit_code) return proc.wait() @@ -279,7 +276,7 @@ def read_output(self, try: jsons.append(self.flatten_object(json.loads( line, object_pairs_hook=self.json_raise_on_duplicates), [])) - except: + except BaseException: print("Fail to load the json {}".format(line)) raise @@ -345,7 +342,7 @@ def setUp(self): os.unlink(self.build_path + "last_run") os.symlink(self.build_path + "run/{}".format(self.id()), self.build_path + "last_run") - except: + except BaseException: # symlink is best effort and can fail when # running tests in parallel pass @@ -412,7 +409,7 @@ def log_contains_count(self, msg, logfile=None, ignore_case=False): """ Returns the number of appearances of the given string in the log file """ - is_regexp = type(msg) == REGEXP_TYPE + is_regexp = isinstance(msg, REGEXP_TYPE) counter = 0 if ignore_case: @@ -488,6 +485,21 @@ def output_has(self, lines, output_file=None): except IOError: return False + def output_is_empty(self, output_file=None): + """ + Returns true if the output is empty. + """ + + # Init defaults + if output_file is None: + output_file = "output/" + self.beat_name + + try: + with open(os.path.join(self.working_dir, output_file, ), "r", encoding="utf_8") as f: + return len([1 for line in f]) == 0 + except IOError: + return True + def output_has_message(self, message, output_file=None): """ Returns true if the output has the given message field. @@ -743,7 +755,7 @@ def is_ecs_version_set(path): # the file make that difficult with open(path) as fhandle: for line in fhandle: - if re.search("ecs\.version", line): + if re.search(r"ecs\.version", line): return True return False diff --git a/libbeat/tests/system/beat/common_tests.py b/libbeat/tests/system/beat/common_tests.py new file mode 100644 index 00000000000..c9cdbc52cc0 --- /dev/null +++ b/libbeat/tests/system/beat/common_tests.py @@ -0,0 +1,81 @@ +import json +import unittest +import yaml + +from beat.beat import INTEGRATION_TESTS + + +class TestExportsMixin: + + def run_export_cmd(self, cmd, extra=[]): + """ + Runs the given export command and returns the output as a string. + Raises an exception if the command fails. + :param cmd: the export command + :param extra: Extra arguments (optional) + :return: The output as a string. + """ + self.render_config_template() + + args = ["export", cmd] + if len(extra) != 0: + args += extra + exit_code = self.run_beat(extra_args=args, logging_args=[]) + output = self.get_log() + if exit_code != 0: + raise Exception("export command returned with an error: {}".format(output)) + trailer = "\nPASS\n" + pos = output.rfind(trailer) + if pos == -1: + raise Exception("didn't return expected trailer:{} got:{}".format( + trailer.__repr__(), + output[-100:].__repr__())) + return output[:pos] + + def test_export_ilm_policy(self): + """ + Test that the ilm-policy can be exported with `export ilm-policy` + """ + output = self.run_export_cmd("ilm-policy") + js = json.loads(output) + assert "policy" in js + + def test_export_template(self): + """ + Test that the template can be exported with `export template` + """ + output = self.run_export_cmd("template") + js = json.loads(output) + assert "index_patterns" in js and "mappings" in js + + def test_export_index_pattern(self): + """ + Test that the index-pattern can be exported with `export index-pattern` + """ + output = self.run_export_cmd("index-pattern") + js = json.loads(output) + assert "objects" in js + size = len(output.encode('utf-8')) + assert size < 1024 * 1024, "Kibana index pattern must be less than 1MiB " \ + "to keep the Beat setup request size below " \ + "Kibana's server.maxPayloadBytes." + + def test_export_index_pattern_migration(self): + """ + Test that the index-pattern can be exported with `export index-pattern` (migration enabled) + """ + output = self.run_export_cmd("index-pattern", extra=['-E', 'migration.6_to_7.enabled=true']) + js = json.loads(output) + assert "objects" in js + size = len(output.encode('utf-8')) + assert size < 1024 * 1024, "Kibana index pattern must be less than 1MiB " \ + "to keep the Beat setup request size below " \ + "Kibana's server.maxPayloadBytes." + + def test_export_config(self): + """ + Test that the config can be exported with `export config` + """ + output = self.run_export_cmd("config") + yml = yaml.load(output, Loader=yaml.FullLoader) + assert isinstance(yml, dict) diff --git a/libbeat/tests/system/beat/compose.py b/libbeat/tests/system/beat/compose.py index f50ab299dff..77b3707fb20 100644 --- a/libbeat/tests/system/beat/compose.py +++ b/libbeat/tests/system/beat/compose.py @@ -1,8 +1,11 @@ +import io +import logging import os import sys import tarfile import time -import io + +from contextlib import contextmanager INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) @@ -54,9 +57,12 @@ def is_healthy(container): return container.inspect()['State']['Health']['Status'] == 'healthy' project = cls.compose_project() - project.pull( - ignore_pull_failures=True, - service_names=cls.COMPOSE_SERVICES) + + with disabled_logger('compose.service'): + project.pull( + ignore_pull_failures=True, + service_names=cls.COMPOSE_SERVICES) + project.up( strategy=ConvergenceStrategy.always, service_names=cls.COMPOSE_SERVICES, @@ -196,7 +202,7 @@ def compose_project_name(cls): basename = os.path.basename(cls.find_compose_path()) def positivehash(x): - return hash(x) % ((sys.maxsize+1) * 2) + return hash(x) % ((sys.maxsize + 1) * 2) return "%s_%X" % (basename, positivehash(frozenset(cls.COMPOSE_ENV.items()))) @@ -231,3 +237,14 @@ def service_log_contains(cls, service, msg): if line.find(msg.encode("utf-8")) >= 0: counter += 1 return counter > 0 + + +@contextmanager +def disabled_logger(name): + logger = logging.getLogger(name) + old_level = logger.getEffectiveLevel() + logger.setLevel(logging.CRITICAL) + try: + yield logger + finally: + logger.setLevel(old_level) diff --git a/libbeat/tests/system/config/mockbeat.yml.j2 b/libbeat/tests/system/config/mockbeat.yml.j2 index cd3fe5f7dad..50d3ca3fce6 100644 --- a/libbeat/tests/system/config/mockbeat.yml.j2 +++ b/libbeat/tests/system/config/mockbeat.yml.j2 @@ -107,13 +107,6 @@ logging.metrics.period: {{ metrics_period }} keystore.path: {{keystore_path}} {% endif %} -{% if xpack and xpack.monitoring -%} -#================================ X-Pack Monitoring ===================================== -xpack.monitoring.elasticsearch.hosts: {{xpack.monitoring.elasticsearch.hosts}} -xpack.monitoring.elasticsearch.metrics.period: 2s # to speed up tests -xpack.monitoring.elasticsearch.state.period: 3s # to speed up tests -{% endif -%} - {% if monitoring -%} #================================ X-Pack Monitoring (direct) ===================================== monitoring: diff --git a/libbeat/tests/system/idxmgmt.py b/libbeat/tests/system/idxmgmt.py index 095533f7f89..864d134a9c9 100644 --- a/libbeat/tests/system/idxmgmt.py +++ b/libbeat/tests/system/idxmgmt.py @@ -1,7 +1,7 @@ -from elasticsearch import NotFoundError -from nose.tools import raises import datetime import unittest +import pytest +from elasticsearch import NotFoundError class IdxMgmt(unittest.TestCase): @@ -52,9 +52,9 @@ def delete_policy(self, policy): except NotFoundError: pass - @raises(NotFoundError) def assert_index_template_not_loaded(self, template): - self._client.transport.perform_request('GET', '/_template/' + template) + with pytest.raises(NotFoundError): + self._client.transport.perform_request('GET', '/_template/' + template) def assert_index_template_loaded(self, template): resp = self._client.transport.perform_request('GET', '/_template/' + template) @@ -86,9 +86,9 @@ def assert_alias_created(self, alias, pattern=None): assert name in resp assert resp[name]["aliases"][alias]["is_write_index"] == True - @raises(NotFoundError) def assert_policy_not_created(self, policy): - self._client.transport.perform_request('GET', '/_ilm/policy/' + policy) + with pytest.raises(NotFoundError): + self._client.transport.perform_request('GET', '/_ilm/policy/' + policy) def assert_policy_created(self, policy): resp = self._client.transport.perform_request('GET', '/_ilm/policy/' + policy) diff --git a/libbeat/tests/system/requirements.txt b/libbeat/tests/system/requirements.txt index d2aa5c3889b..08843d6144d 100644 --- a/libbeat/tests/system/requirements.txt +++ b/libbeat/tests/system/requirements.txt @@ -1,36 +1,48 @@ -autopep8==1.3.5 +attrs==19.3.0 +autopep8==1.5.4 backports.ssl-match-hostname==3.5.0.1 cached-property==1.4.2 certifi==2018.1.18 chardet==3.0.4 +deepdiff==4.2.0 docker==4.1.0 docker-compose==1.25.3 docker-pycreds==0.4.0 dockerpty==0.4.1 docopt==0.6.2 -elasticsearch==7.1.0 +elasticsearch==7.8.1 enum34==1.1.6 idna==2.6 +importlib-metadata==1.7.0 +iniconfig==1.0.1 ipaddress==1.0.19 -Jinja2==2.10.1 -jsonschema==2.6.0 -MarkupSafe==1.0 -nose==1.3.7 -nose-timer==0.7.1 -pycodestyle==2.4.0 -PyYAML==4.2b1 -Pillow==7.0.0 +Jinja2==2.11.2 +jsondiff==1.1.2 +jsonschema==3.2.0 +kafka-python==1.4.3 +MarkupSafe==1.1.1 +more-itertools==8.4.0 +ordered-set==3.1.1 +packaging==20.4 +parameterized==0.7.0 +pluggy==0.13.1 +py==1.9.0 +pycodestyle==2.6.0 +pyparsing==2.4.7 +pyrsistent==0.16.0 +pytest==6.0.1 +pytest-timeout==1.3.4 +pytest-rerunfailures==9.0 +PyYAML==5.3.1 redis==2.10.6 requests==2.20.0 -six==1.11.0 +semver==2.8.1 +six==1.15.0 +stomp.py==4.1.22 termcolor==1.1.0 texttable==0.9.1 +toml==0.10.1 urllib3==1.24.2 +wcwidth==0.2.5 websocket-client==0.47.0 -parameterized==0.7.0 -jsondiff==1.1.2 -semver==2.8.1 -stomp.py==4.1.22 -ordered-set==3.1.1 -deepdiff==4.2.0 -kafka-python==1.4.3 +zipp>=1.2.0,<=3.1.0 diff --git a/libbeat/tests/system/test_base.py b/libbeat/tests/system/test_base.py index 10fe859bf1e..330b831041a 100644 --- a/libbeat/tests/system/test_base.py +++ b/libbeat/tests/system/test_base.py @@ -1,4 +1,5 @@ from base import BaseTest +from beat import common_tests import json import os @@ -9,7 +10,7 @@ import unittest -class Test(BaseTest): +class Test(BaseTest, common_tests.TestExportsMixin): def test_base(self): """ diff --git a/libbeat/tests/system/test_ca_pinning.py b/libbeat/tests/system/test_ca_pinning.py index 1e0dd6f6a43..4c1480b82a0 100644 --- a/libbeat/tests/system/test_ca_pinning.py +++ b/libbeat/tests/system/test_ca_pinning.py @@ -1,11 +1,10 @@ -from base import BaseTest -from idxmgmt import IdxMgmt +import logging import os -from nose.plugins.attrib import attr +import pytest import unittest -import logging -from nose.tools import raises +from base import BaseTest from elasticsearch import RequestError +from idxmgmt import IdxMgmt INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) @@ -16,7 +15,7 @@ class TestCAPinning(BaseTest): """ @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_sending_events_with_a_good_sha256(self): """ Test Sending events while using ca pinning with a good sha256 @@ -48,7 +47,7 @@ def test_sending_events_with_a_good_sha256(self): proc.check_kill_and_wait() @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_sending_events_with_a_bad_sha256(self): """ Test Sending events while using ca pinning with a bad sha256 diff --git a/libbeat/tests/system/test_cmd_setup_index_management.py b/libbeat/tests/system/test_cmd_setup_index_management.py index 1ce764d640e..234f4e76a0b 100644 --- a/libbeat/tests/system/test_cmd_setup_index_management.py +++ b/libbeat/tests/system/test_cmd_setup_index_management.py @@ -1,11 +1,11 @@ -from base import BaseTest -from idxmgmt import IdxMgmt +import logging import os -from nose.plugins.attrib import attr +import pytest import unittest -import logging -from nose.tools import raises + +from base import BaseTest from elasticsearch import RequestError +from idxmgmt import IdxMgmt INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) @@ -47,7 +47,7 @@ def render_config(self, **kwargs): ) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_default(self): """ Test setup --index-management with default config @@ -64,8 +64,7 @@ def test_setup_default(self): self.idxmgmt.assert_policy_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') - @raises(RequestError) + @pytest.mark.tag('integration') def test_setup_default(self): """ Test setup --index-management with default config @@ -80,10 +79,11 @@ def test_setup_default(self): self.idxmgmt.assert_alias_created(self.alias_name) self.idxmgmt.assert_policy_created(self.policy_name) # try deleting policy needs to raise an error as it is in use - self.idxmgmt.delete_policy(self.policy_name) + with pytest.raises(RequestError): + self.idxmgmt.delete_policy(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_template_disabled(self): """ Test setup --index-management when ilm disabled @@ -99,7 +99,7 @@ def test_setup_template_disabled(self): self.idxmgmt.assert_policy_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_ilm_disabled(self): """ Test setup --index-management when ilm disabled @@ -115,7 +115,7 @@ def test_setup_ilm_disabled(self): self.idxmgmt.assert_policy_not_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_policy_name(self): """ Test setup --index-management when policy_name is configured @@ -130,7 +130,7 @@ def test_setup_policy_name(self): self.idxmgmt.assert_policy_created(self.custom_policy) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_ilm_policy_no_overwrite(self): """ Test setup --index-management respects overwrite configuration @@ -159,7 +159,7 @@ def test_setup_ilm_policy_no_overwrite(self): extra_args=["setup", self.cmd, "-E", "setup.ilm.enabled=true", "-E", "setup.ilm.overwrite=false", - "-E", "setup.ilm.policy_name="+policy_name]) + "-E", "setup.ilm.policy_name=" + policy_name]) assert exit_code == 0 resp = self.es.transport.perform_request('GET', '/_ilm/policy/' + policy_name) assert "delete" in resp[policy_name]["policy"]["phases"] @@ -170,14 +170,14 @@ def test_setup_ilm_policy_no_overwrite(self): extra_args=["setup", self.cmd, "-E", "setup.ilm.enabled=true", "-E", "setup.ilm.overwrite=true", - "-E", "setup.ilm.policy_name="+policy_name]) + "-E", "setup.ilm.policy_name=" + policy_name]) assert exit_code == 0 resp = self.es.transport.perform_request('GET', '/_ilm/policy/' + policy_name) assert "delete" not in resp[policy_name]["policy"]["phases"] assert "hot" in resp[policy_name]["policy"]["phases"] @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_rollover_alias(self): """ Test setup --index-management when ilm.rollover_alias is configured @@ -193,7 +193,7 @@ def test_setup_rollover_alias(self): self.idxmgmt.assert_alias_created(self.custom_alias) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_rollover_alias_with_fieldref(self): """ Test setup --index-management when ilm.rollover_alias is configured and using field reference. @@ -212,7 +212,7 @@ def test_setup_rollover_alias_with_fieldref(self): self.idxmgmt.assert_alias_created(self.custom_alias) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_template_name_and_pattern(self): """ Test setup --index-management ignores template.name and template.pattern when ilm is enabled @@ -229,7 +229,7 @@ def test_setup_template_name_and_pattern(self): self.idxmgmt.assert_alias_created(self.alias_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_template_name_and_pattern_on_ilm_disabled(self): """ Test setup --index-management respects template.name and template.pattern when ilm is disabled @@ -248,7 +248,7 @@ def test_setup_template_name_and_pattern_on_ilm_disabled(self): self.idxmgmt.assert_policy_not_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_template_with_opts(self): """ Test setup --index-management with config options @@ -270,7 +270,7 @@ def test_setup_template_with_opts(self): assert index["number_of_shards"] == "2", index["number_of_shards"] @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_overwrite_template_on_ilm_policy_created(self): """ Test setup --index-management overwrites template when new ilm policy is created diff --git a/libbeat/tests/system/test_cmd_test.py b/libbeat/tests/system/test_cmd_test.py index 77b2d8f4b64..38f15ef095f 100644 --- a/libbeat/tests/system/test_cmd_test.py +++ b/libbeat/tests/system/test_cmd_test.py @@ -1,8 +1,8 @@ -from base import BaseTest import os import logging import unittest -from nose.plugins.attrib import attr +import pytest +from base import BaseTest INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) @@ -41,7 +41,7 @@ def test_bad_config(self): assert self.log_contains("Config OK") is False @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_output(self): """ Test test output works diff --git a/libbeat/tests/system/test_dashboard.py b/libbeat/tests/system/test_dashboard.py index 2ed79fd2743..a7b3145c1e7 100644 --- a/libbeat/tests/system/test_dashboard.py +++ b/libbeat/tests/system/test_dashboard.py @@ -1,5 +1,6 @@ import os import os.path +import pytest import re import requests import semver @@ -7,8 +8,6 @@ import unittest from base import BaseTest -from nose.plugins.attrib import attr -from unittest import SkipTest INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) @@ -16,7 +15,7 @@ class Test(BaseTest): @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_load_without_dashboard(self): """ Test loading without dashboards @@ -41,7 +40,7 @@ def test_load_without_dashboard(self): assert self.log_contains("Skipping loading dashboards") @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_load_dashboard(self): """ Test loading dashboards @@ -66,7 +65,7 @@ def test_load_dashboard(self): assert self.log_contains("Kibana dashboards successfully loaded") is True @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_load_dashboard_into_space(self, create_space=True): """ Test loading dashboards into Kibana space @@ -74,7 +73,7 @@ def test_load_dashboard_into_space(self, create_space=True): version = self.get_version() if semver.compare(version, "6.5.0") == -1: # Skip for Kibana versions < 6.5.0 as Kibana Spaces not available - raise SkipTest + raise unittest.SkipTest self.render_config_template() if create_space: @@ -100,7 +99,7 @@ def test_load_dashboard_into_space(self, create_space=True): assert self.log_contains("Kibana dashboards successfully loaded") is True @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_load_only_index_patterns(self): """ Test loading dashboards @@ -126,7 +125,7 @@ def test_load_only_index_patterns(self): assert self.log_contains("Kibana dashboards successfully loaded") is True @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_export_dashboard_cmd_export_dashboard_by_id_and_decoding(self): """ Test testbeat export dashboard can export dashboards @@ -150,7 +149,7 @@ def test_export_dashboard_cmd_export_dashboard_by_id_and_decoding(self): assert self.log_contains("\"id\": \"Metricbeat-system-overview\",") is True @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_export_dashboard_cmd_export_dashboard_by_id(self): """ Test testbeat export dashboard can export dashboards @@ -172,7 +171,7 @@ def test_export_dashboard_cmd_export_dashboard_by_id(self): assert self.log_contains("\"id\": \"Metricbeat-system-overview\",") is True @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_export_dashboard_cmd_export_dashboard_by_id_unknown_id(self): """ Test testbeat export dashboard fails gracefully when dashboard with unknown ID is requested @@ -194,7 +193,7 @@ def test_export_dashboard_cmd_export_dashboard_by_id_unknown_id(self): assert self.log_contains(expected_error) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_export_dashboard_cmd_export_dashboard_from_yml(self): """ Test testbeat export dashboard can export dashboards from dashboards YAML file @@ -227,7 +226,7 @@ def test_export_dashboard_cmd_export_dashboard_from_yml(self): os.remove(exported_dashboard_path) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_export_dashboard_cmd_export_dashboard_from_not_existent_yml(self): """ Test testbeat export dashboard fails gracefully when cannot find YAML file @@ -249,7 +248,7 @@ def test_export_dashboard_cmd_export_dashboard_from_not_existent_yml(self): assert self.log_contains("error opening the list of dashboards") @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_dev_tool_export_dashboard_by_id(self): """ Test dev-tools/cmd/dashboards exports dashboard and removes unsupported characters @@ -275,7 +274,7 @@ def test_dev_tool_export_dashboard_by_id(self): os.remove("output.json") @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_dev_tool_export_dashboard_by_id_unknown_id(self): """ Test dev-tools/cmd/dashboards fails gracefully when dashboard with unknown ID is requested @@ -291,7 +290,7 @@ def test_dev_tool_export_dashboard_by_id_unknown_id(self): assert p.returncode != 0 @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_dev_tool_export_dashboard_by_id_from_space(self): """ Test dev-tools/cmd/dashboards exports dashboard from Kibana space @@ -300,7 +299,7 @@ def test_dev_tool_export_dashboard_by_id_from_space(self): version = self.get_version() if semver.compare(version, "6.5.0") == -1: # Skip for Kibana versions < 6.5.0 as Kibana Spaces not available - raise SkipTest + raise unittest.SkipTest self.test_load_dashboard_into_space(False) @@ -322,7 +321,7 @@ def test_dev_tool_export_dashboard_by_id_from_space(self): os.remove("output.json") @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_dev_tool_export_dashboard_from_yml(self): """ Test dev-tools/cmd/dashboards exports dashboard from dashboards YAML file diff --git a/libbeat/tests/system/test_http.py b/libbeat/tests/system/test_http.py index c2379676da5..5c1baa81bd2 100644 --- a/libbeat/tests/system/test_http.py +++ b/libbeat/tests/system/test_http.py @@ -24,7 +24,7 @@ def test_root(self): r = requests.get("http://localhost:5066") assert r.status_code == 200 - data = json.loads(r.content) + data = json.loads(r.content.decode('utf_8')) assert data["beat"] == "mockbeat" assert data["version"] == "9.9.9" @@ -36,7 +36,7 @@ def test_stats(self): r = requests.get("http://localhost:5066/stats") assert r.status_code == 200 - data = json.loads(r.content) + data = json.loads(r.content.decode('utf_8')) # Test one data point assert data["libbeat"]["config"]["scans"] == 0 diff --git a/libbeat/tests/system/test_ilm.py b/libbeat/tests/system/test_ilm.py index 293544f8dd6..3d37125f6e4 100644 --- a/libbeat/tests/system/test_ilm.py +++ b/libbeat/tests/system/test_ilm.py @@ -1,12 +1,13 @@ -from base import BaseTest -from idxmgmt import IdxMgmt -import os -from nose.plugins.attrib import attr -import unittest -import shutil import datetime -import logging import json +import logging +import os +import pytest +import shutil +import unittest + +from base import BaseTest +from idxmgmt import IdxMgmt INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) @@ -37,7 +38,7 @@ def render_config(self, **kwargs): ) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_ilm_default(self): """ Test ilm default settings to load ilm policy, write alias and ilm template @@ -55,7 +56,7 @@ def test_ilm_default(self): self.idxmgmt.assert_docs_written_to_alias(self.alias_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_ilm_disabled(self): """ Test ilm disabled to not load ilm related components @@ -72,7 +73,7 @@ def test_ilm_disabled(self): self.idxmgmt.assert_policy_not_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_policy_name(self): """ Test setting ilm policy name @@ -92,7 +93,7 @@ def test_policy_name(self): self.idxmgmt.assert_policy_created(policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_rollover_alias(self): """ Test settings ilm rollover alias @@ -111,7 +112,7 @@ def test_rollover_alias(self): self.idxmgmt.assert_alias_created(self.custom_alias) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_pattern(self): """ Test setting ilm pattern @@ -131,7 +132,7 @@ def test_pattern(self): self.idxmgmt.assert_docs_written_to_alias(self.alias_name, pattern=pattern) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_pattern_date(self): """ Test setting ilm pattern with date @@ -187,7 +188,7 @@ def render_config(self, **kwargs): ) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_ilm_policy_and_template(self): """ Test combination of ilm policy and template setup @@ -204,7 +205,7 @@ def test_setup_ilm_policy_and_template(self): self.idxmgmt.assert_policy_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_ilm_default(self): """ Test ilm policy setup with default config @@ -221,7 +222,7 @@ def test_setup_ilm_default(self): self.idxmgmt.assert_policy_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_ilm_disabled(self): """ Test ilm policy setup when ilm disabled @@ -238,7 +239,7 @@ def test_setup_ilm_disabled(self): self.idxmgmt.assert_policy_not_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_policy_name(self): """ Test ilm policy setup when policy_name is configured @@ -254,7 +255,7 @@ def test_policy_name(self): self.idxmgmt.assert_policy_created(self.custom_policy) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_rollover_alias(self): """ Test ilm policy setup when rollover_alias is configured diff --git a/libbeat/tests/system/test_migration.py b/libbeat/tests/system/test_migration.py index fec98ef39f7..81ab3b679dd 100644 --- a/libbeat/tests/system/test_migration.py +++ b/libbeat/tests/system/test_migration.py @@ -1,11 +1,9 @@ -from base import BaseTest -from nose.plugins.attrib import attr -from elasticsearch import Elasticsearch, TransportError - import logging import os import shutil import unittest +from base import BaseTest +from elasticsearch import Elasticsearch, TransportError INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) diff --git a/libbeat/tests/system/test_monitoring.py b/libbeat/tests/system/test_monitoring.py index b339ac2bd94..2232b19712f 100644 --- a/libbeat/tests/system/test_monitoring.py +++ b/libbeat/tests/system/test_monitoring.py @@ -1,12 +1,13 @@ -from base import BaseTest import os -from elasticsearch import Elasticsearch +import pytest +import random import re -from nose.plugins.attrib import attr -import unittest import requests -import random import string +import unittest + +from base import BaseTest +from elasticsearch import Elasticsearch INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) @@ -21,50 +22,12 @@ def setUp(self): self.es_monitoring = Elasticsearch([self.get_elasticsearch_monitoring_url()]) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') - def test_via_output_cluster(self): - """ - Test shipping monitoring data via the elasticsearch output cluster. - Make sure expected documents are indexed in monitoring cluster. - """ - - self.render_config_template( - "mockbeat", - xpack={ - "monitoring": { - "elasticsearch": { - "hosts": [self.get_elasticsearch_url()] - } - } - } - ) - - self.clean_output_cluster() - self.clean_monitoring_cluster() - self.init_output_cluster() - - proc = self.start_beat(config="mockbeat.yml") - self.wait_until(lambda: self.log_contains("mockbeat start running.")) - self.wait_until(lambda: self.log_contains(re.compile("\[monitoring\].*Publish event"))) - self.wait_until(lambda: self.log_contains(re.compile( - "Connection to .*elasticsearch\("+self.get_elasticsearch_url()+"\).* established"))) - self.wait_until(lambda: self.monitoring_doc_exists('beats_stats')) - self.wait_until(lambda: self.monitoring_doc_exists('beats_state')) - - proc.check_kill_and_wait() - - for monitoring_doc_type in ['beats_stats', 'beats_state']: - field_names = ['cluster_uuid', 'timestamp', 'interval_ms', 'type', 'source_node', monitoring_doc_type] - self.assert_monitoring_doc_contains_fields(monitoring_doc_type, field_names) - - @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_direct_to_monitoring_cluster(self): """ Test shipping monitoring data directly to the monitoring cluster. Make sure expected documents are indexed in monitoring cluster. """ - self.render_config_template( "mockbeat", monitoring={ @@ -79,9 +42,9 @@ def test_direct_to_monitoring_cluster(self): proc = self.start_beat(config="mockbeat.yml") self.wait_until(lambda: self.log_contains("mockbeat start running.")) - self.wait_until(lambda: self.log_contains(re.compile("\[monitoring\].*Publish event"))) + self.wait_until(lambda: self.log_contains(re.compile(r"\[monitoring\].*Publish event"))) self.wait_until(lambda: self.log_contains(re.compile( - "Connection to .*elasticsearch\("+self.get_elasticsearch_monitoring_url()+"\).* established"))) + r"Connection to .*elasticsearch\({}\).* established".format(self.get_elasticsearch_monitoring_url())))) self.wait_until(lambda: self.monitoring_doc_exists('beats_stats')) self.wait_until(lambda: self.monitoring_doc_exists('beats_state')) @@ -92,70 +55,7 @@ def test_direct_to_monitoring_cluster(self): self.assert_monitoring_doc_contains_fields(monitoring_doc_type, field_names) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') - def test_compare(self): - """ - Test that monitoring docs are the same, regardless of how they are shipped. - """ - - self.render_config_template( - "mockbeat", - xpack={ - "monitoring": { - "elasticsearch": { - "hosts": [self.get_elasticsearch_url()] - } - } - } - ) - - self.clean_output_cluster() - self.clean_monitoring_cluster() - self.init_output_cluster() - - proc = self.start_beat(config="mockbeat.yml") - self.wait_until(lambda: self.log_contains("mockbeat start running.")) - self.wait_until(lambda: self.log_contains(re.compile("\[monitoring\].*Publish event"))) - self.wait_until(lambda: self.log_contains(re.compile( - "Connection to .*elasticsearch\("+self.get_elasticsearch_url()+"\).* established"))) - self.wait_until(lambda: self.monitoring_doc_exists('beats_stats')) - self.wait_until(lambda: self.monitoring_doc_exists('beats_state')) - - proc.check_kill_and_wait() - - indirect_beats_stats_doc = self.get_monitoring_doc('beats_stats') - indirect_beats_state_doc = self.get_monitoring_doc('beats_state') - - self.render_config_template( - "mockbeat", - monitoring={ - "elasticsearch": { - "hosts": [self.get_elasticsearch_monitoring_url()] - } - } - ) - - self.clean_output_cluster() - self.clean_monitoring_cluster() - - proc = self.start_beat(config="mockbeat.yml") - self.wait_until(lambda: self.log_contains("mockbeat start running.")) - self.wait_until(lambda: self.log_contains(re.compile("\[monitoring\].*Publish event"))) - self.wait_until(lambda: self.log_contains(re.compile( - "Connection to .*elasticsearch\("+self.get_elasticsearch_monitoring_url()+"\).* established"))) - self.wait_until(lambda: self.monitoring_doc_exists('beats_stats')) - self.wait_until(lambda: self.monitoring_doc_exists('beats_state')) - - proc.check_kill_and_wait() - - direct_beats_stats_doc = self.get_monitoring_doc('beats_stats') - direct_beats_state_doc = self.get_monitoring_doc('beats_state') - - self.assert_same_structure(indirect_beats_state_doc['beats_state'], direct_beats_state_doc['beats_state']) - self.assert_same_structure(indirect_beats_stats_doc['beats_stats'], direct_beats_stats_doc['beats_stats']) - - @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_cluster_uuid_setting(self): """ Test that monitoring.cluster_uuid setting may be set without any other monitoring.* settings @@ -178,7 +78,7 @@ def test_cluster_uuid_setting(self): self.assertEqual(test_cluster_uuid, state["monitoring"]["cluster_uuid"]) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_cluster_uuid_setting_monitoring_disabled(self): """ Test that monitoring.cluster_uuid setting may be set with monitoring.enabled explicitly set to false @@ -204,7 +104,7 @@ def test_cluster_uuid_setting_monitoring_disabled(self): def search_monitoring_doc(self, monitoring_type): results = self.es_monitoring.search( index='.monitoring-beats-*', - q='type:'+monitoring_type, + q='type:' + monitoring_type, size=1 ) return results['hits']['hits'] @@ -222,7 +122,7 @@ def get_monitoring_doc(self, monitoring_type): def assert_monitoring_doc_contains_fields(self, monitoring_type, field_names): results = self.es_monitoring.search( index='.monitoring-beats-*', - q='type:'+monitoring_type, + q='type:' + monitoring_type, size=1 ) hits = results['hits']['hits'] @@ -269,24 +169,6 @@ def clean_monitoring_cluster(self): # Delete any old beats monitoring data self.es_monitoring.indices.delete(index=".monitoring-beats-*", ignore=[404]) - def init_output_cluster(self): - # Setup remote exporter - self.es.cluster.put_settings(body={ - "transient": { - "xpack.monitoring.exporters.my_remote": { - "type": "http", - "host": [self.get_elasticsearch_monitoring_url()] - } - } - }) - - # Enable collection - self.es.cluster.put_settings(body={ - "transient": { - "xpack.monitoring.collection.enabled": True - } - }) - def get_elasticsearch_monitoring_url(self): return "http://{host}:{port}".format( host=os.getenv("ES_MONITORING_HOST", "localhost"), diff --git a/libbeat/tests/system/test_template.py b/libbeat/tests/system/test_template.py index c1c4f5ea32c..67a34457484 100644 --- a/libbeat/tests/system/test_template.py +++ b/libbeat/tests/system/test_template.py @@ -1,11 +1,12 @@ -from base import BaseTest -from idxmgmt import IdxMgmt +import json +import logging import os -from nose.plugins.attrib import attr -import unittest +import pytest import shutil -import logging -import json +import unittest + +from base import BaseTest +from idxmgmt import IdxMgmt INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) @@ -83,7 +84,7 @@ def test_index_with_pattern_name(self): proc.check_kill_and_wait() @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_json_template(self): """ Test loading of json based template @@ -140,7 +141,7 @@ def render_config(self, **kwargs): ) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_template_default(self): """ Test run cmd with default settings for template @@ -157,7 +158,7 @@ def test_template_default(self): self.idxmgmt.assert_docs_written_to_alias(self.index_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_template_disabled(self): """ Test run cmd does not load template when disabled in config @@ -201,7 +202,7 @@ def render_config(self, **kwargs): ) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup(self): """ Test setup cmd with template and ilm-policy subcommands @@ -216,7 +217,7 @@ def test_setup(self): self.idxmgmt.assert_policy_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_template_default(self): """ Test template setup with default config @@ -235,7 +236,7 @@ def test_setup_template_default(self): self.idxmgmt.assert_policy_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_template_disabled(self): """ Test template setup when ilm disabled @@ -254,7 +255,7 @@ def test_setup_template_disabled(self): self.idxmgmt.assert_policy_created(self.policy_name) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_template_with_opts(self): """ Test template setup with config options @@ -275,7 +276,7 @@ def test_setup_template_with_opts(self): assert index["number_of_shards"] == "2", index["number_of_shards"] @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_setup_template_with_ilm_changed_pattern(self): """ Test template setup with changed ilm.rollover_alias config @@ -290,7 +291,7 @@ def test_setup_template_with_ilm_changed_pattern(self): self.idxmgmt.assert_index_template_index_pattern(self.custom_alias, [self.custom_alias + "-*"]) @unittest.skipUnless(INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_template_created_on_ilm_policy_created(self): """ Test template setup overwrites template when new ilm policy is created diff --git a/magefile.go b/magefile.go index ac4614e2cde..75c6d60faef 100644 --- a/magefile.go +++ b/magefile.go @@ -135,7 +135,6 @@ func CheckLicenseHeaders() error { licenser.Exclude("x-pack"), licenser.Exclude("generator/_templates/beat/{beat}"), licenser.Exclude("generator/_templates/metricbeat/{beat}"), - licenser.Exclude("generator/_templates/beat/{beat}"), ), licenser( licenser.Check(), diff --git a/metricbeat/Dockerfile b/metricbeat/Dockerfile index e3bd6006dc5..d3255cfb2fd 100644 --- a/metricbeat/Dockerfile +++ b/metricbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 RUN \ apt update \ @@ -11,8 +11,6 @@ RUN \ unzip \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/metricbeat/Jenkinsfile.yml b/metricbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..1219a27af77 --- /dev/null +++ b/metricbeat/Jenkinsfile.yml @@ -0,0 +1,40 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^metricbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@oss" ## special token regarding the changeset for the oss + comments: ## when PR comment contains any of those entries + - "/test metricbeat" + labels: ## when PR labels matches any of those entries + - "metricbeat" + parameters: ## when parameter was selected in the UI. + - "metricbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + unitTest: + mage: "mage build unitTest" + goIntegTest: + mage: "mage goIntegTest" + withModule: true + pythonIntegTest: + mage: "mage pythonIntegTest" + withModule: true + crosscompile: + make: "make -C metricbeat crosscompile" + macos: + mage: "mage build unitTest" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test metricbeat for macos" + labels: + - "macOS" + parameters: + - "macosTest" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/metricbeat/_meta/fields.common.yml b/metricbeat/_meta/fields.common.yml index 44bab6f614e..8e38e5d129f 100644 --- a/metricbeat/_meta/fields.common.yml +++ b/metricbeat/_meta/fields.common.yml @@ -41,3 +41,33 @@ - name: systemd.unit type: keyword description: the unit name of the systemd service + + - name: host + type: group + fields: + - name: cpu.pct + type: scaled_float + format: percent + description: Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. + - name: network.in.bytes + type: long + format: bytes + description: The number of bytes received on all network interfaces by the host in a given period of time. + - name: network.out.bytes + type: long + format: bytes + description: The number of bytes sent out on all network interfaces by the host in a given period of time. + - name: network.in.packets + type: long + description: The number of packets received on all network interfaces by the host in a given period of time. + - name: network.out.packets + type: long + description: The number of packets sent out on all network interfaces by the host in a given period of time. + - name: disk.read.bytes + type: long + format: bytes + description: The total number of bytes read successfully in a given period of time. + - name: disk.write.bytes + type: long + format: bytes + description: The total number of bytes write successfully in a given period of time. diff --git a/metricbeat/autodiscover/appender/kubernetes/token/token_test.go b/metricbeat/autodiscover/appender/kubernetes/token/token_test.go index 28b0ecb611e..d5c1ec54da4 100644 --- a/metricbeat/autodiscover/appender/kubernetes/token/token_test.go +++ b/metricbeat/autodiscover/appender/kubernetes/token/token_test.go @@ -84,7 +84,7 @@ token_path: "test" writeFile("test", "foo bar") appender, err := NewTokenAppender(config) - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, appender) appender.Append(test.event) diff --git a/metricbeat/conftest.py b/metricbeat/conftest.py new file mode 100644 index 00000000000..818eb72a9db --- /dev/null +++ b/metricbeat/conftest.py @@ -0,0 +1,5 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../libbeat/tests/system')) +sys.path.append(os.path.join(os.path.dirname(__file__), './tests/system')) diff --git a/metricbeat/docker-compose.yml b/metricbeat/docker-compose.yml index b8c10f95c18..bb39912eefb 100644 --- a/metricbeat/docker-compose.yml +++ b/metricbeat/docker-compose.yml @@ -15,11 +15,11 @@ services: # Used by base tests elasticsearch: - image: docker.elastic.co/integrations-ci/beats-elasticsearch:${ELASTICSEARCH_VERSION:-7.7.0}-1 + image: docker.elastic.co/integrations-ci/beats-elasticsearch:${ELASTICSEARCH_VERSION:-7.9.0}-1 build: context: ./module/elasticsearch/_meta args: - ELASTICSEARCH_VERSION: ${ELASTICSEARCH_VERSION:-7.7.0} + ELASTICSEARCH_VERSION: ${ELASTICSEARCH_VERSION:-7.9.0} environment: - "ES_JAVA_OPTS=-Xms256m -Xmx256m" - "network.host=" @@ -37,11 +37,11 @@ services: # Used by base tests kibana: - image: docker.elastic.co/integrations-ci/beats-kibana:${KIBANA_VERSION:-7.7.0}-1 + image: docker.elastic.co/integrations-ci/beats-kibana:${KIBANA_VERSION:-7.9.0}-1 build: context: ./module/kibana/_meta args: - KIBANA_VERSION: ${KIBANA_VERSION:-7.7.0} + KIBANA_VERSION: ${KIBANA_VERSION:-7.9.0} depends_on: - elasticsearch ports: @@ -49,11 +49,11 @@ services: # Used by base tests metricbeat: - image: docker.elastic.co/integrations-ci/beats-metricbeat:${BEAT_VERSION:-7.7.0}-1 + image: docker.elastic.co/integrations-ci/beats-metricbeat:${BEAT_VERSION:-7.9.0}-1 build: context: ./module/beat/_meta args: - BEAT_VERSION: ${BEAT_VERSION:-7.7.0} + BEAT_VERSION: ${BEAT_VERSION:-7.9.0} command: '-e' ports: - 5066 diff --git a/metricbeat/docs/autodiscover-hints.asciidoc b/metricbeat/docs/autodiscover-hints.asciidoc index 1f2daf2533d..629b337ac75 100644 --- a/metricbeat/docs/autodiscover-hints.asciidoc +++ b/metricbeat/docs/autodiscover-hints.asciidoc @@ -193,5 +193,5 @@ You can label Docker containers with useful info to spin up {beatname_uc} module co.elastic.metrics/period: 10s ------------------------------------------------------------------------------------- -The above labels would allow {beatname_uc} to configure a Prometheus collector to poll port `9090` -of the Docker container every 1 minute. +The above labels would allow {beatname_uc} to run the nginx module and poll port `80` +of the Docker container every 10 seconds. diff --git a/metricbeat/docs/configuring-howto.asciidoc b/metricbeat/docs/configuring-howto.asciidoc index d379bb9e8f9..60f8928df53 100644 --- a/metricbeat/docs/configuring-howto.asciidoc +++ b/metricbeat/docs/configuring-howto.asciidoc @@ -25,6 +25,7 @@ include::{libbeat-dir}/shared/configuring-intro.asciidoc[] * <> * <> * <> +* <> * <<{beatname_lc}-reference-yml>> -- @@ -61,4 +62,6 @@ include::{libbeat-dir}/http-endpoint.asciidoc[] include::{libbeat-dir}/regexp.asciidoc[] +include::{libbeat-dir}/shared-instrumentation.asciidoc[] + include::{libbeat-dir}/reference-yml.asciidoc[] diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index 2c9c7c00124..ae34419db2e 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc @@ -1569,8 +1569,7 @@ type: object - -*`aws.billing.metrics.EstimatedCharges.max`*:: +*`aws.billing.EstimatedCharges`*:: + -- Maximum estimated charges for AWS acccount. @@ -1579,6 +1578,166 @@ type: long -- +*`aws.billing.Currency`*:: ++ +-- +Estimated charges currency unit. + +type: keyword + +-- + +*`aws.billing.ServiceName`*:: ++ +-- +Service name for the maximum estimated charges. + +type: keyword + +-- + + +*`aws.billing.AmortizedCost.amount`*:: ++ +-- +Amortized cost amount + +type: double + +-- + +*`aws.billing.AmortizedCost.unit`*:: ++ +-- +Amortized cost unit + +type: keyword + +-- + + +*`aws.billing.BlendedCost.amount`*:: ++ +-- +Blended cost amount + +type: double + +-- + +*`aws.billing.BlendedCost.unit`*:: ++ +-- +Blended cost unit + +type: keyword + +-- + + +*`aws.billing.NormalizedUsageAmount.amount`*:: ++ +-- +Normalized usage amount + +type: double + +-- + +*`aws.billing.NormalizedUsageAmount.unit`*:: ++ +-- +Normalized usage amount unit + +type: keyword + +-- + + +*`aws.billing.UnblendedCost.amount`*:: ++ +-- +Unblended cost amount + +type: double + +-- + +*`aws.billing.UnblendedCost.unit`*:: ++ +-- +Unblended cost unit + +type: keyword + +-- + + +*`aws.billing.UsageQuantity.amount`*:: ++ +-- +Usage quantity amount + +type: double + +-- + +*`aws.billing.UsageQuantity.unit`*:: ++ +-- +Usage quantity unit + +type: keyword + +-- + +*`aws.billing.start_date`*:: ++ +-- +Start date for retrieving AWS costs + +type: keyword + +-- + +*`aws.billing.end_date`*:: ++ +-- +End date for retrieving AWS costs + +type: keyword + +-- + + +*`aws.billing.group_definition.key`*:: ++ +-- +The string that represents a key for a specified group + +type: keyword + +-- + +*`aws.billing.group_definition.type`*:: ++ +-- +The string that represents the type of group + +type: keyword + +-- + +*`aws.billing.group_by.*`*:: ++ +-- +Cost explorer group by key values + + +type: object + +-- + [float] === cloudwatch @@ -2041,7 +2200,7 @@ type: long *`aws.ec2.network.in.packets`*:: + -- -The number of packets received on all network interfaces by the instance. +The total number of packets received on all network interfaces by the instance in collection period. type: long @@ -2054,14 +2213,14 @@ type: long The number of packets per second sent out on all network interfaces by the instance. -type: long +type: scaled_float -- *`aws.ec2.network.out.packets`*:: + -- -The number of packets sent out on all network interfaces by the instance. +The total number of packets sent out on all network interfaces by the instance in collection period. type: long @@ -2074,14 +2233,14 @@ type: long The number of packets per second sent out on all network interfaces by the instance. -type: long +type: scaled_float -- *`aws.ec2.network.in.bytes`*:: + -- -The number of bytes received on all network interfaces by the instance. +The total number of bytes received on all network interfaces by the instance in collection period. type: long @@ -2096,14 +2255,14 @@ format: bytes The number of bytes per second received on all network interfaces by the instance. -type: long +type: scaled_float -- *`aws.ec2.network.out.bytes`*:: + -- -The number of bytes sent out on all network interfaces by the instance. +The total number of bytes sent out on all network interfaces by the instance in collection period. type: long @@ -2118,14 +2277,14 @@ format: bytes The number of bytes per second sent out on all network interfaces by the instance. -type: long +type: scaled_float -- *`aws.ec2.diskio.read.bytes`*:: + -- -Bytes read from all instance store volumes available to the instance. +Total bytes read from all instance store volumes available to the instance in collection period. type: long @@ -2140,14 +2299,14 @@ format: bytes Bytes read per second from all instance store volumes available to the instance. -type: long +type: scaled_float -- *`aws.ec2.diskio.write.bytes`*:: + -- -Bytes written to all instance store volumes available to the instance. +Total bytes written to all instance store volumes available to the instance in collection period. type: long @@ -2162,14 +2321,14 @@ format: bytes Bytes written per second to all instance store volumes available to the instance. -type: long +type: scaled_float -- *`aws.ec2.diskio.read.ops`*:: + -- -Completed read operations from all instance store volumes available to the instance in a specified period of time. +Total completed read operations from all instance store volumes available to the instance in collection period. type: long @@ -2189,7 +2348,7 @@ type: long *`aws.ec2.diskio.write.ops`*:: + -- -Completed write operations to all instance store volumes available to the instance in a specified period of time. +Total completed write operations to all instance store volumes available to the instance in collection period. type: long @@ -4516,6 +4675,16 @@ type: keyword Azure metric dimensions. +type: object + +-- + +*`azure.metrics.*.*`*:: ++ +-- +Metrics returned. + + type: object -- @@ -4750,17 +4919,6 @@ type: object monitor - -*`azure.monitor.metrics.*.*`*:: -+ --- -Metrics returned. - - -type: object - --- - *`azure.storage.*.*`*:: + -- @@ -6040,16 +6198,6 @@ Metadata from cloud providers added by the add_cloud_metadata processor. -*`cloud.project.id`*:: -+ --- -Name of the project in Google Cloud. - - -example: project-x - --- - *`cloud.image.id`*:: + -- @@ -6395,6 +6543,80 @@ type: keyword -- + +*`host.cpu.pct`*:: ++ +-- +Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. + +type: scaled_float + +format: percent + +-- + +*`host.network.in.bytes`*:: ++ +-- +The number of bytes received on all network interfaces by the host in a given period of time. + +type: long + +format: bytes + +-- + +*`host.network.out.bytes`*:: ++ +-- +The number of bytes sent out on all network interfaces by the host in a given period of time. + +type: long + +format: bytes + +-- + +*`host.network.in.packets`*:: ++ +-- +The number of packets received on all network interfaces by the host in a given period of time. + +type: long + +-- + +*`host.network.out.packets`*:: ++ +-- +The number of packets sent out on all network interfaces by the host in a given period of time. + +type: long + +-- + +*`host.disk.read.bytes`*:: ++ +-- +The total number of bytes read successfully in a given period of time. + +type: long + +format: bytes + +-- + +*`host.disk.write.bytes`*:: ++ +-- +The total number of bytes write successfully in a given period of time. + +type: long + +format: bytes + +-- + [[exported-fields-consul]] == Consul fields @@ -9005,6 +9227,18 @@ The agent fields contain the data about the software entity, if any, that collec Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`agent.build.original`*:: ++ +-- +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. + +type: keyword + +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] + +-- + *`agent.ephemeral_id`*:: + -- @@ -9046,7 +9280,7 @@ example: foo + -- Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: keyword @@ -9262,8 +9496,7 @@ example: Quebec *`client.ip`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the client (IPv4 or IPv6). type: ip @@ -9326,19 +9559,19 @@ format: string + -- The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`client.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -9425,7 +9658,7 @@ type: keyword *`client.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -9449,6 +9682,17 @@ type: text -- +*`client.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === cloud @@ -9467,6 +9711,18 @@ example: 666777888999 -- +*`cloud.account.name`*:: ++ +-- +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. + +type: keyword + +example: elastic-dev + +-- + *`cloud.availability_zone`*:: + -- @@ -9509,21 +9765,45 @@ example: t2.medium -- -*`cloud.provider`*:: +*`cloud.project.id`*:: + -- -Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. type: keyword -example: aws +example: my-project -- -*`cloud.region`*:: +*`cloud.project.name`*:: + -- -Region in which this host is running. +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. + +type: keyword + +example: my project + +-- + +*`cloud.provider`*:: ++ +-- +Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + +type: keyword + +example: aws + +-- + +*`cloud.region`*:: ++ +-- +Region in which this host is running. type: keyword @@ -9819,8 +10099,7 @@ example: Quebec *`destination.ip`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the destination (IPv4 or IPv6). type: ip @@ -9883,19 +10162,19 @@ format: string + -- The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`destination.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -9982,7 +10261,7 @@ type: keyword *`destination.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -10006,6 +10285,17 @@ type: text -- +*`destination.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === dll @@ -10134,6 +10424,17 @@ example: C:\Windows\System32\kernel32.dll -- +*`dll.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`dll.pe.company`*:: + -- @@ -10167,6 +10468,18 @@ example: 6.3.9600.17415 -- +*`dll.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`dll.pe.original_file_name`*:: + -- @@ -10238,7 +10551,7 @@ If a chain of CNAME is being resolved, each answer's `name` should be the one th type: keyword -example: www.google.com +example: www.example.com -- @@ -10317,7 +10630,7 @@ If the name field contains non-printable characters (below 32 or above 126), tho type: keyword -example: www.google.com +example: www.example.com -- @@ -10325,12 +10638,12 @@ example: www.google.com + -- The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- @@ -10349,7 +10662,7 @@ example: www *`dns.question.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -10466,6 +10779,8 @@ The stack trace of this error in plain text. type: keyword +Field is not indexed. + -- *`error.stack_trace.text`*:: @@ -10648,6 +10963,8 @@ type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +Field is not indexed. + -- *`event.outcome`*:: @@ -10677,6 +10994,18 @@ example: kernel -- +*`event.reason`*:: ++ +-- +Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + +type: keyword + +example: Terminated an unexpected process + +-- + *`event.reference`*:: + -- @@ -10685,7 +11014,7 @@ This URL links to a static definition of the this event. Alert events, indicated type: keyword -example: https://system.vendor.com/event/#0001234 +example: https://system.example.com/event/#0001234 -- @@ -10769,11 +11098,11 @@ type: keyword + -- URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe -- @@ -11067,6 +11396,17 @@ type: text -- +*`file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`file.pe.company`*:: + -- @@ -11100,6 +11440,18 @@ example: 6.3.9600.17415 -- +*`file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`file.pe.original_file_name`*:: + -- @@ -11172,211 +11524,278 @@ example: 1001 -- -[float] -=== geo +*`file.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +type: keyword +example: *.elastic.co -*`geo.city_name`*:: +-- + +*`file.x509.issuer.common_name`*:: + -- -City name. +List of common name (CN) of issuing certificate authority. type: keyword -example: Montreal +example: Example SHA2 High Assurance Server CA -- -*`geo.continent_name`*:: +*`file.x509.issuer.country`*:: + -- -Name of the continent. +List of country (C) codes type: keyword -example: North America +example: US -- -*`geo.country_iso_code`*:: +*`file.x509.issuer.distinguished_name`*:: + -- -Country ISO code. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: CA +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`geo.country_name`*:: +*`file.x509.issuer.locality`*:: + -- -Country name. +List of locality names (L) type: keyword -example: Canada +example: Mountain View -- -*`geo.location`*:: +*`file.x509.issuer.organization`*:: + -- -Longitude and latitude. +List of organizations (O) of issuing certificate authority. -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Example Inc -- -*`geo.name`*:: +*`file.x509.issuer.organizational_unit`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: boston-dc +example: www.example.com -- -*`geo.region_iso_code`*:: +*`file.x509.issuer.state_or_province`*:: + -- -Region ISO code. +List of state or province names (ST, S, or P) type: keyword -example: CA-QC +example: California -- -*`geo.region_name`*:: +*`file.x509.not_after`*:: + -- -Region name. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: Quebec +example: 2020-07-16 03:15:39+00:00 -- -[float] -=== group +*`file.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. -The group fields are meant to represent groups that are relevant to the event. +type: date +example: 2019-08-16 01:40:25+00:00 -*`group.domain`*:: +-- + +*`file.x509.public_key_algorithm`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`group.id`*:: +*`file.x509.public_key_curve`*:: + -- -Unique identifier for the group on the system/platform. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`group.name`*:: +*`file.x509.public_key_exponent`*:: + -- -Name of the group. +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`file.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`file.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -[float] -=== hash +*`file.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. -The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +type: keyword +example: SHA256-RSA -*`hash.md5`*:: +-- + +*`file.x509.subject.common_name`*:: + -- -MD5 hash. +List of common names (CN) of subject. type: keyword +example: shared.global.example.net + -- -*`hash.sha1`*:: +*`file.x509.subject.country`*:: + -- -SHA1 hash. +List of country (C) code + +type: keyword + +example: US + +-- + +*`file.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`hash.sha256`*:: +*`file.x509.subject.locality`*:: + -- -SHA256 hash. +List of locality names (L) type: keyword +example: San Francisco + -- -*`hash.sha512`*:: +*`file.x509.subject.organization`*:: + -- -SHA512 hash. +List of organizations (O) of subject. type: keyword +example: Example, Inc. + -- -[float] -=== host +*`file.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +type: keyword +-- -*`host.architecture`*:: +*`file.x509.subject.state_or_province`*:: + -- -Operating system architecture. +List of state or province names (ST, S, or P) type: keyword -example: x86_64 +example: California -- -*`host.domain`*:: +*`file.x509.version_number`*:: + -- -Name of the domain of which the host is a member. -For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. +Version of x509 format. type: keyword -example: CONTOSO +example: 3 -- -*`host.geo.city_name`*:: +[float] +=== geo + +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. + + +*`geo.city_name`*:: + -- City name. @@ -11387,7 +11806,7 @@ example: Montreal -- -*`host.geo.continent_name`*:: +*`geo.continent_name`*:: + -- Name of the continent. @@ -11398,7 +11817,7 @@ example: North America -- -*`host.geo.country_iso_code`*:: +*`geo.country_iso_code`*:: + -- Country ISO code. @@ -11409,7 +11828,7 @@ example: CA -- -*`host.geo.country_name`*:: +*`geo.country_name`*:: + -- Country name. @@ -11420,7 +11839,7 @@ example: Canada -- -*`host.geo.location`*:: +*`geo.location`*:: + -- Longitude and latitude. @@ -11431,7 +11850,7 @@ example: { "lon": -73.614830, "lat": 45.505918 } -- -*`host.geo.name`*:: +*`geo.name`*:: + -- User-defined description of a location, at the level of granularity they care about. @@ -11444,7 +11863,7 @@ example: boston-dc -- -*`host.geo.region_iso_code`*:: +*`geo.region_iso_code`*:: + -- Region ISO code. @@ -11455,7 +11874,7 @@ example: CA-QC -- -*`host.geo.region_name`*:: +*`geo.region_name`*:: + -- Region name. @@ -11466,59 +11885,256 @@ example: Quebec -- -*`host.hostname`*:: +[float] +=== group + +The group fields are meant to represent groups that are relevant to the event. + + +*`group.domain`*:: + -- -Hostname of the host. -It normally contains what the `hostname` command returns on the host machine. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`host.id`*:: +*`group.id`*:: + -- -Unique host id. -As hostname is not always unique, use values that are meaningful in your environment. -Example: The current usage of `beat.name`. +Unique identifier for the group on the system/platform. type: keyword -- -*`host.ip`*:: +*`group.name`*:: + -- -Host ip addresses. +Name of the group. -type: ip +type: keyword -- -*`host.mac`*:: +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: + -- -Host mac addresses. +MD5 hash. type: keyword -- -*`host.name`*:: +*`hash.sha1`*:: + -- -Name of the host. -It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. +SHA1 hash. type: keyword -- -*`host.os.family`*:: +*`hash.sha256`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +[float] +=== host + +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + + +*`host.architecture`*:: ++ +-- +Operating system architecture. + +type: keyword + +example: x86_64 + +-- + +*`host.domain`*:: ++ +-- +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + +type: keyword + +example: CONTOSO + +-- + +*`host.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`host.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`host.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`host.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`host.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`host.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`host.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`host.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`host.hostname`*:: ++ +-- +Hostname of the host. +It normally contains what the `hostname` command returns on the host machine. + +type: keyword + +-- + +*`host.id`*:: ++ +-- +Unique host id. +As hostname is not always unique, use values that are meaningful in your environment. +Example: The current usage of `beat.name`. + +type: keyword + +-- + +*`host.ip`*:: ++ +-- +Host ip addresses. + +type: ip + +-- + +*`host.mac`*:: ++ +-- +Host mac addresses. + +type: keyword + +-- + +*`host.name`*:: ++ +-- +Name of the host. +It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + +type: keyword + +-- + +*`host.os.family`*:: ++ +-- +OS family (such as redhat, debian, freebsd, windows). type: keyword @@ -11694,7 +12310,7 @@ type: keyword *`host.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -11718,6 +12334,17 @@ type: text -- +*`host.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === http @@ -11772,11 +12399,13 @@ format: bytes + -- HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 type: keyword -example: get, post, put +example: GET, POST, PUT, PoST -- @@ -11906,6 +12535,18 @@ The log.* fields are typically populated with details about the logging mechanis The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +*`log.file.path`*:: ++ +-- +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. + +type: keyword + +example: /var/log/fun-times.log + +-- + *`log.level`*:: + -- @@ -11944,7 +12585,8 @@ example: 42 *`log.origin.file.name`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. type: keyword @@ -11974,6 +12616,8 @@ type: keyword example: Sep 19 08:26:10 localhost My log +Field is not indexed. + -- *`log.syslog`*:: @@ -12942,6 +13586,17 @@ example: 1.12.9 These fields contain Windows Portable Executable (PE) metadata. +*`pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`pe.company`*:: + -- @@ -12975,6 +13630,18 @@ example: 6.3.9600.17415 -- +*`pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`pe.original_file_name`*:: + -- @@ -13206,12 +13873,12 @@ type: text *`process.parent.args`*:: + -- -Array of process arguments. +Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: keyword -example: ['ssh', '-l', 'user', '10.0.0.16'] +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- @@ -13402,58 +14069,136 @@ type: text -- -*`process.parent.pgid`*:: +*`process.parent.pe.architecture`*:: + -- -Identifier of the group of processes the process belongs to. +CPU architecture target for the file. -type: long +type: keyword -format: string +example: x64 -- -*`process.parent.pid`*:: +*`process.parent.pe.company`*:: + -- -Process id. - -type: long +Internal company name of the file, provided at compile-time. -example: 4242 +type: keyword -format: string +example: Microsoft Corporation -- -*`process.parent.ppid`*:: +*`process.parent.pe.description`*:: + -- -Parent process' pid. - -type: long +Internal description of the file, provided at compile-time. -example: 4241 +type: keyword -format: string +example: Paint -- -*`process.parent.start`*:: +*`process.parent.pe.file_version`*:: + -- -The time the process started. +Internal version of the file, provided at compile-time. -type: date +type: keyword -example: 2016-05-23T08:05:34.853Z +example: 6.3.9600.17415 -- -*`process.parent.thread.id`*:: +*`process.parent.pe.imphash`*:: + -- -Thread ID. +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.parent.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.parent.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`process.parent.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + +*`process.parent.pid`*:: ++ +-- +Process id. + +type: long + +example: 4242 + +format: string + +-- + +*`process.parent.ppid`*:: ++ +-- +Parent process' pid. + +type: long + +example: 4241 + +format: string + +-- + +*`process.parent.start`*:: ++ +-- +The time the process started. + +type: date + +example: 2016-05-23T08:05:34.853Z + +-- + +*`process.parent.thread.id`*:: ++ +-- +Thread ID. type: long @@ -13520,6 +14265,17 @@ type: text -- +*`process.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`process.pe.company`*:: + -- @@ -13553,6 +14309,18 @@ example: 6.3.9600.17415 -- +*`process.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`process.pe.original_file_name`*:: + -- @@ -13795,6 +14563,15 @@ type: keyword -- +*`related.hosts`*:: ++ +-- +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + +type: keyword + +-- + *`related.ip`*:: + -- @@ -14093,8 +14870,7 @@ example: Quebec *`server.ip`*:: + -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the server (IPv4 or IPv6). type: ip @@ -14157,19 +14933,19 @@ format: string + -- The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`server.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -14256,7 +15032,7 @@ type: keyword *`server.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -14280,6 +15056,17 @@ type: text -- +*`server.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === service @@ -14533,8 +15320,7 @@ example: Quebec *`source.ip`*:: + -- -IP address of the source. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the source (IPv4 or IPv6). type: ip @@ -14597,19 +15383,19 @@ format: string + -- The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`source.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -14696,7 +15482,7 @@ type: keyword *`source.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -14720,10 +15506,21 @@ type: text -- +*`source.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === threat -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). @@ -14741,7 +15538,7 @@ example: MITRE ATT&CK *`threat.tactic.id`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -14752,7 +15549,7 @@ example: TA0040 *`threat.tactic.name`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/) type: keyword @@ -14763,7 +15560,7 @@ example: impact *`threat.tactic.reference`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -14774,7 +15571,7 @@ example: https://attack.mitre.org/tactics/TA0040/ *`threat.technique.id`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword @@ -14785,11 +15582,11 @@ example: T1499 *`threat.technique.name`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword -example: endpoint denial of service +example: Endpoint Denial of Service -- @@ -14803,7 +15600,7 @@ type: text *`threat.technique.reference`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) type: keyword @@ -14890,7 +15687,7 @@ Distinguished name of subject of the issuer of the x.509 certificate presented b type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- @@ -14930,7 +15727,7 @@ example: 1970-01-01T00:00:00.000Z *`tls.client.server_name`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. type: keyword @@ -14945,7 +15742,7 @@ Distinguished name of subject of the x.509 certificate presented by the client. type: keyword -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com +example: CN=myclient, OU=Documentation Team, DC=example, DC=com -- @@ -14960,315 +15757,855 @@ example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256 -- -*`tls.curve`*:: +*`tls.client.x509.alternative_names`*:: + -- -String indicating the curve used for the given cipher, when applicable. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: secp256r1 +example: *.elastic.co -- -*`tls.established`*:: +*`tls.client.x509.issuer.common_name`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +List of common name (CN) of issuing certificate authority. -type: boolean +type: keyword + +example: Example SHA2 High Assurance Server CA -- -*`tls.next_protocol`*:: +*`tls.client.x509.issuer.country`*:: + -- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. +List of country (C) codes type: keyword -example: http/1.1 +example: US -- -*`tls.resumed`*:: +*`tls.client.x509.issuer.distinguished_name`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +Distinguished name (DN) of issuing certificate authority. -type: boolean +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`tls.server.certificate`*:: +*`tls.client.x509.issuer.locality`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +List of locality names (L) type: keyword -example: MII... +example: Mountain View -- -*`tls.server.certificate_chain`*:: +*`tls.client.x509.issuer.organization`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +List of organizations (O) of issuing certificate authority. type: keyword -example: ['MII...', 'MII...'] +example: Example Inc -- -*`tls.server.hash.md5`*:: +*`tls.client.x509.issuer.organizational_unit`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +example: www.example.com -- -*`tls.server.hash.sha1`*:: +*`tls.client.x509.issuer.state_or_province`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of state or province names (ST, S, or P) type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +example: California -- -*`tls.server.hash.sha256`*:: +*`tls.client.x509.not_after`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +example: 2020-07-16 03:15:39+00:00 -- -*`tls.server.issuer`*:: +*`tls.client.x509.not_before`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. +Time at which the certificate is first considered valid. -type: keyword +type: date -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2019-08-16 01:40:25+00:00 -- -*`tls.server.ja3s`*:: +*`tls.client.x509.public_key_algorithm`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. +Algorithm used to generate the public key. type: keyword -example: 394441ab65754e2207b1e1b457b3641d +example: RSA -- -*`tls.server.not_after`*:: +*`tls.client.x509.public_key_curve`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. -type: date +type: keyword -example: 2021-01-01T00:00:00.000Z +example: nistp521 -- -*`tls.server.not_before`*:: +*`tls.client.x509.public_key_exponent`*:: + -- -Timestamp indicating when server certificate is first considered valid. +Exponent used to derive the public key. This is algorithm specific. -type: date +type: long -example: 1970-01-01T00:00:00.000Z +example: 65537 + +Field is not indexed. -- -*`tls.server.subject`*:: +*`tls.client.x509.public_key_size`*:: + -- -Subject of the x.509 certificate presented by the server. +The size of the public key space in bits. -type: keyword +type: long -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2048 -- -*`tls.version`*:: +*`tls.client.x509.serial_number`*:: + -- -Numeric part of the version parsed from the original string. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: 1.2 +example: 55FBB9C7DEBF09809D12CCAA -- -*`tls.version_protocol`*:: +*`tls.client.x509.signature_algorithm`*:: + -- -Normalized lowercase protocol name parsed from original string. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: tls +example: SHA256-RSA -- -[float] -=== tracing - -Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. - - -*`tracing.trace.id`*:: +*`tls.client.x509.subject.common_name`*:: + -- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. +List of common names (CN) of subject. type: keyword -example: 4bf92f3577b34da6a3ce929d0e0e4736 +example: shared.global.example.net -- -*`tracing.transaction.id`*:: +*`tls.client.x509.subject.country`*:: + -- -Unique identifier of the transaction. -A transaction is the highest level of work measured within a service, such as a request to a server. +List of country (C) code type: keyword -example: 00f067aa0ba902b7 +example: US -- -[float] -=== url +*`tls.client.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. +type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -*`url.domain`*:: +-- + +*`tls.client.x509.subject.locality`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +List of locality names (L) type: keyword -example: www.elastic.co +example: San Francisco -- -*`url.extension`*:: +*`tls.client.x509.subject.organization`*:: + -- -The field contains the file extension from the original request url. -The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". +List of organizations (O) of subject. type: keyword -example: png +example: Example, Inc. -- -*`url.fragment`*:: +*`tls.client.x509.subject.organizational_unit`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +List of organizational units (OU) of subject. type: keyword -- -*`url.full`*:: +*`tls.client.x509.subject.state_or_province`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +List of state or province names (ST, S, or P) type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top +example: California -- -*`url.full.text`*:: +*`tls.client.x509.version_number`*:: + -- -type: text +Version of x509 format. + +type: keyword + +example: 3 -- -*`url.original`*:: +*`tls.curve`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +String indicating the curve used for the given cipher, when applicable. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch +example: secp256r1 -- -*`url.original.text`*:: +*`tls.established`*:: + -- -type: text +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + +type: boolean -- -*`url.password`*:: +*`tls.next_protocol`*:: + -- -Password of the request. +String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword +example: http/1.1 + -- -*`url.path`*:: +*`tls.resumed`*:: + -- -Path of the request, such as "/search". +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -type: keyword +type: boolean -- -*`url.port`*:: +*`tls.server.certificate`*:: + -- -Port of the request, such as 443. - -type: long +PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. -example: 443 +type: keyword -format: string +example: MII... + +-- + +*`tls.server.certificate_chain`*:: ++ +-- +Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: ['MII...', 'MII...'] + +-- + +*`tls.server.hash.md5`*:: ++ +-- +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + +-- + +*`tls.server.hash.sha1`*:: ++ +-- +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 9E393D93138888D288266C2D915214D1D1CCEB2A + +-- + +*`tls.server.hash.sha256`*:: ++ +-- +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + +-- + +*`tls.server.issuer`*:: ++ +-- +Subject of the issuer of the x.509 certificate presented by the server. + +type: keyword + +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.ja3s`*:: ++ +-- +A hash that identifies servers based on how they perform an SSL/TLS handshake. + +type: keyword + +example: 394441ab65754e2207b1e1b457b3641d + +-- + +*`tls.server.not_after`*:: ++ +-- +Timestamp indicating when server certificate is no longer considered valid. + +type: date + +example: 2021-01-01T00:00:00.000Z + +-- + +*`tls.server.not_before`*:: ++ +-- +Timestamp indicating when server certificate is first considered valid. + +type: date + +example: 1970-01-01T00:00:00.000Z + +-- + +*`tls.server.subject`*:: ++ +-- +Subject of the x.509 certificate presented by the server. + +type: keyword + +example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`tls.server.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`tls.server.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`tls.server.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`tls.server.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`tls.server.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`tls.server.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`tls.server.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`tls.server.x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`tls.server.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`tls.server.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`tls.server.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`tls.server.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`tls.server.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`tls.server.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`tls.server.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`tls.server.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`tls.server.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`tls.server.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`tls.server.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`tls.version`*:: ++ +-- +Numeric part of the version parsed from the original string. + +type: keyword + +example: 1.2 + +-- + +*`tls.version_protocol`*:: ++ +-- +Normalized lowercase protocol name parsed from original string. + +type: keyword + +example: tls + +-- + +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.span.id`*:: ++ +-- +Unique identifier of the span within the scope of its trace. +A span represents an operation within a transaction, such as a request to another service, or a database query. + +type: keyword + +example: 3ff9a8981b7ccd5a + +-- + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction within the scope of its trace. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + +[float] +=== url + +URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. + + +*`url.domain`*:: ++ +-- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + +type: keyword + +example: www.elastic.co + +-- + +*`url.extension`*:: ++ +-- +The field contains the file extension from the original request url. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". + +type: keyword + +example: png + +-- + +*`url.fragment`*:: ++ +-- +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. + +type: keyword + +-- + +*`url.full`*:: ++ +-- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top + +-- + +*`url.full.text`*:: ++ +-- +type: text + +-- + +*`url.original`*:: ++ +-- +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + +-- + +*`url.original.text`*:: ++ +-- +type: text + +-- + +*`url.password`*:: ++ +-- +Password of the request. + +type: keyword + +-- + +*`url.path`*:: ++ +-- +Path of the request, such as "/search". + +type: keyword + +-- + +*`url.port`*:: ++ +-- +Port of the request, such as 443. + +type: long + +example: 443 + +format: string -- @@ -15286,12 +16623,12 @@ type: keyword + -- The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- @@ -15310,7 +16647,7 @@ example: https *`url.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -15413,7 +16750,7 @@ type: keyword *`user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -15437,6 +16774,17 @@ type: text -- +*`user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent @@ -15765,6 +17113,276 @@ example: Critical -- +[float] +=== x509 + +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + + +*`x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + [[exported-fields-elasticsearch]] == Elasticsearch fields @@ -16501,14 +18119,8 @@ type: boolean [float] === node.stats -node_stats - - - -[float] -=== indices +Statistics about each node in a Elasticsearch cluster -Node indices stats @@ -16564,18 +18176,6 @@ type: long -- -[float] -=== jvm.mem.pools - -JVM memory pool stats - - - -[float] -=== old - -Old memory pool stats. - *`elasticsearch.node.stats.jvm.mem.pools.old.max.bytes`*:: @@ -16583,6 +18183,7 @@ Old memory pool stats. -- Max bytes. + type: long format: bytes @@ -16594,6 +18195,7 @@ format: bytes -- Peak bytes. + type: long format: bytes @@ -16605,6 +18207,7 @@ format: bytes -- Peak max bytes. + type: long format: bytes @@ -16616,24 +18219,20 @@ format: bytes -- Used bytes. + type: long format: bytes -- -[float] -=== young - -Young memory pool stats. - - *`elasticsearch.node.stats.jvm.mem.pools.young.max.bytes`*:: + -- Max bytes. + type: long format: bytes @@ -16645,6 +18244,7 @@ format: bytes -- Peak bytes. + type: long format: bytes @@ -16656,6 +18256,7 @@ format: bytes -- Peak max bytes. + type: long format: bytes @@ -16667,24 +18268,20 @@ format: bytes -- Used bytes. + type: long format: bytes -- -[float] -=== survivor - -Survivor memory pool stats. - - *`elasticsearch.node.stats.jvm.mem.pools.survivor.max.bytes`*:: + -- Max bytes. + type: long format: bytes @@ -16696,6 +18293,7 @@ format: bytes -- Peak bytes. + type: long format: bytes @@ -16707,6 +18305,7 @@ format: bytes -- Peak max bytes. + type: long format: bytes @@ -16718,31 +18317,18 @@ format: bytes -- Used bytes. + type: long format: bytes -- -[float] -=== jvm.gc.collectors - -GC collector stats. - - - -[float] -=== old.collection - -Old collection gc. - *`elasticsearch.node.stats.jvm.gc.collectors.old.collection.count`*:: + -- - - type: long -- @@ -16750,24 +18336,14 @@ type: long *`elasticsearch.node.stats.jvm.gc.collectors.old.collection.ms`*:: + -- - - type: long -- -[float] -=== young.collection - -Young collection gc. - - *`elasticsearch.node.stats.jvm.gc.collectors.young.collection.count`*:: + -- - - type: long -- @@ -16775,24 +18351,14 @@ type: long *`elasticsearch.node.stats.jvm.gc.collectors.young.collection.ms`*:: + -- - - type: long -- -[float] -=== fs.summary - -File system summary - - *`elasticsearch.node.stats.fs.summary.total.bytes`*:: + -- - - type: long format: bytes @@ -16802,8 +18368,6 @@ format: bytes *`elasticsearch.node.stats.fs.summary.free.bytes`*:: + -- - - type: long format: bytes @@ -16813,8 +18377,6 @@ format: bytes *`elasticsearch.node.stats.fs.summary.available.bytes`*:: + -- - - type: long format: bytes @@ -18398,16 +19960,58 @@ type: object -- -*`googlecloud.stackdriver.*.*.*.*`*:: +*`googlecloud.metrics.*.*.*.*`*:: + -- -Metrics that returned from StackDriver API query. +Metrics that returned from Google Cloud API query. type: object -- +[float] +=== billing + +Google Cloud Billing metrics + + +*`googlecloud.billing.cost_type`*:: ++ +-- +Cost types include regular, tax, adjustment, and rounding_error. + +type: keyword + +-- + +*`googlecloud.billing.invoice_month`*:: ++ +-- +Billing report month. + +type: keyword + +-- + +*`googlecloud.billing.project_id`*:: ++ +-- +Project ID of the billing report belongs to. + +type: keyword + +-- + +*`googlecloud.billing.total`*:: ++ +-- +Total billing amount. + +type: float + +-- + [float] === compute @@ -26312,6 +27916,67 @@ type: double -- Deadline seconds after schedule for considering failed +type: long + +-- + +[float] +=== daemonset + +Kubernetes DaemonSet metrics + + + +*`kubernetes.daemonset.name`*:: ++ +-- +type: keyword + +-- + +[float] +=== replicas + +Kubernetes DaemonSet replica metrics + + + +*`kubernetes.daemonset.replicas.available`*:: ++ +-- +The number of available replicas per DaemonSet + + +type: long + +-- + +*`kubernetes.daemonset.replicas.desired`*:: ++ +-- +The desired number of replicas per DaemonSet + + +type: long + +-- + +*`kubernetes.daemonset.replicas.ready`*:: ++ +-- +The number of ready replicas per DaemonSet + + +type: long + +-- + +*`kubernetes.daemonset.replicas.unavailable`*:: ++ +-- +The number of unavailable replicas per DaemonSet + + type: long -- @@ -26780,7 +28445,7 @@ type: keyword -- Internal IP for the service. -type: ip +type: keyword -- @@ -32345,6 +34010,153 @@ type: long The number of failed attempts to connect to the MySQL server. +type: long + +-- + +[float] +=== connection + + + + +[float] +=== errors + + + + +*`mysql.status.connection.errors.peer_address`*:: ++ +-- +The number of errors that occurred while searching for connecting client IP addresses. + +type: long + +-- + +*`mysql.status.connection.errors.accept`*:: ++ +-- +The number of errors that occurred during calls to accept() on the listening port. + +type: long + +-- + +*`mysql.status.connection.errors.internal`*:: ++ +-- +The number of connections refused due to internal errors in the server, such as failure to start a new thread or an out-of-memory condition. + + +type: long + +-- + +*`mysql.status.connection.errors.max`*:: ++ +-- +The number of connections refused because the server max_connections limit was reached. thread or an out-of-memory condition. + +type: long + +-- + +*`mysql.status.connection.errors.tcpwrap`*:: ++ +-- +The number of connections refused by the libwrap library. + +type: long + +-- + +*`mysql.status.connection.errors.select`*:: ++ +-- +The number of errors that occurred during calls to select() or poll() on the listening port. (Failure of this operation does not necessarily means a client connection was rejected.) + + +type: long + +-- + +[float] +=== cache + + + + +[float] +=== ssl + +SSL session cache hits and misses. + + +*`mysql.status.cache.ssl.hits`*:: ++ +-- +The number of SSL session cache hits. + +type: long + +-- + +*`mysql.status.cache.ssl.misses`*:: ++ +-- +The number of SSL session cache misses. + +type: long + +-- + +*`mysql.status.cache.ssl.size`*:: ++ +-- +The SSL session cache size. + +type: long + +-- + +[float] +=== table + + + + +[float] +=== open_cache + + + + +*`mysql.status.cache.table.open_cache.hits`*:: ++ +-- +The number of hits for open tables cache lookups. + +type: long + +-- + +*`mysql.status.cache.table.open_cache.misses`*:: ++ +-- +The number of misses for open tables cache lookups. + +type: long + +-- + +*`mysql.status.cache.table.open_cache.overflows`*:: ++ +-- +Number of times, after a table is opened or closed, a cache instance has an unused entry and the size of the instance is larger than table_open_cache / table_open_cache_instances + + type: long -- @@ -32737,7 +34549,7 @@ type: long *`mysql.status.handler.read.last`*:: + -- -The number of requests to read the last key in an index. +The number of requests to read the last key in an index. type: long @@ -32767,7 +34579,7 @@ type: long *`mysql.status.handler.read.rnd`*:: + -- -The number of requests to read a row based on a fixed position. +The number of requests to read a row based on a fixed position. type: long @@ -32777,7 +34589,7 @@ type: long *`mysql.status.handler.read.rnd_next`*:: + -- -The number of requests to read the next row in the data file. +The number of requests to read the next row in the data file. type: long @@ -32840,6 +34652,48 @@ type: long +[float] +=== rows + + + + +*`mysql.status.innodb.rows.reads`*:: ++ +-- +The number of rows reads into InnoDB tables. + +type: long + +-- + +*`mysql.status.innodb.rows.inserted`*:: ++ +-- +The number of rows inserted into InnoDB tables. + +type: long + +-- + +*`mysql.status.innodb.rows.deleted`*:: ++ +-- +The number of rows deleted into InnoDB tables. + +type: long + +-- + +*`mysql.status.innodb.rows.updated`*:: ++ +-- +The number of rows updated into InnoDB tables. + +type: long + +-- + [float] === buffer_pool @@ -32875,7 +34729,7 @@ type: long *`mysql.status.innodb.buffer_pool.bytes.data`*:: + -- -The total number of bytes in the InnoDB buffer pool containing data. +The total number of bytes in the InnoDB buffer pool containing data. type: long diff --git a/metricbeat/docs/images/metricbeat-aws-billing-overview.png b/metricbeat/docs/images/metricbeat-aws-billing-overview.png index 9544b1fa8a8..283f2398f99 100644 Binary files a/metricbeat/docs/images/metricbeat-aws-billing-overview.png and b/metricbeat/docs/images/metricbeat-aws-billing-overview.png differ diff --git a/metricbeat/docs/images/metricbeat-aws-ec2-overview.png b/metricbeat/docs/images/metricbeat-aws-ec2-overview.png index f9b2d621f4f..67d90263c10 100644 Binary files a/metricbeat/docs/images/metricbeat-aws-ec2-overview.png and b/metricbeat/docs/images/metricbeat-aws-ec2-overview.png differ diff --git a/metricbeat/docs/images/metricbeat-cloudfoundry-overview.png b/metricbeat/docs/images/metricbeat-cloudfoundry-overview.png new file mode 100644 index 00000000000..8ac90f6e357 Binary files /dev/null and b/metricbeat/docs/images/metricbeat-cloudfoundry-overview.png differ diff --git a/metricbeat/docs/images/metricbeat-cloudfoundry-platform-health.png b/metricbeat/docs/images/metricbeat-cloudfoundry-platform-health.png new file mode 100644 index 00000000000..64d3e438e84 Binary files /dev/null and b/metricbeat/docs/images/metricbeat-cloudfoundry-platform-health.png differ diff --git a/metricbeat/docs/images/metricbeat-googlecloud-billing-overview.png b/metricbeat/docs/images/metricbeat-googlecloud-billing-overview.png new file mode 100644 index 00000000000..b697c285a11 Binary files /dev/null and b/metricbeat/docs/images/metricbeat-googlecloud-billing-overview.png differ diff --git a/metricbeat/docs/index.asciidoc b/metricbeat/docs/index.asciidoc index fc3972a4b21..42a00fe97af 100644 --- a/metricbeat/docs/index.asciidoc +++ b/metricbeat/docs/index.asciidoc @@ -65,4 +65,4 @@ include::./faq.asciidoc[] include::{libbeat-dir}/contributing-to-beats.asciidoc[] -include::{libbeat-dir}/shared/redirects.asciidoc[] + diff --git a/metricbeat/docs/modules/activemq/broker.asciidoc b/metricbeat/docs/modules/activemq/broker.asciidoc index 98002403c88..91aa38d4961 100644 --- a/metricbeat/docs/modules/activemq/broker.asciidoc +++ b/metricbeat/docs/modules/activemq/broker.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-activemq-broker]] +[role="xpack"] === ActiveMQ broker metricset include::../../../../x-pack/metricbeat/module/activemq/broker/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/activemq/queue.asciidoc b/metricbeat/docs/modules/activemq/queue.asciidoc index dde22c0fe02..321e653c3f8 100644 --- a/metricbeat/docs/modules/activemq/queue.asciidoc +++ b/metricbeat/docs/modules/activemq/queue.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-activemq-queue]] +[role="xpack"] === ActiveMQ queue metricset include::../../../../x-pack/metricbeat/module/activemq/queue/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/activemq/topic.asciidoc b/metricbeat/docs/modules/activemq/topic.asciidoc index 416726f5768..a7f28177f01 100644 --- a/metricbeat/docs/modules/activemq/topic.asciidoc +++ b/metricbeat/docs/modules/activemq/topic.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-activemq-topic]] +[role="xpack"] === ActiveMQ topic metricset include::../../../../x-pack/metricbeat/module/activemq/topic/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/appsearch/stats.asciidoc b/metricbeat/docs/modules/appsearch/stats.asciidoc index e9bcccbed76..d2cbb6a5671 100644 --- a/metricbeat/docs/modules/appsearch/stats.asciidoc +++ b/metricbeat/docs/modules/appsearch/stats.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-appsearch-stats]] +[role="xpack"] === App Search stats metricset beta[] diff --git a/metricbeat/docs/modules/aws.asciidoc b/metricbeat/docs/modules/aws.asciidoc index add39a7cbbb..42d24c65ccd 100644 --- a/metricbeat/docs/modules/aws.asciidoc +++ b/metricbeat/docs/modules/aws.asciidoc @@ -10,10 +10,12 @@ This file is generated! See scripts/mage/docs_collector.go This module periodically fetches monitoring metrics from AWS CloudWatch using https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricData.html[GetMetricData API] for AWS services. -Note: extra AWS charges on GetMetricData API requests will be generated by this module. All metrics are enabled by default. +IMPORTANT: Extra AWS charges on CloudWatch API requests will be generated by this +module. Please see <> for more details. + [float] == Module-specific configuration notes @@ -196,6 +198,7 @@ real-time metrics for users to better understand the performance of their web applications and services. [float] +[[aws-api-requests]] == AWS API requests count per metricset This session is to document what are the AWS API called made by each metricset in `aws` module. This will be useful for users to estimate costs for using `aws` diff --git a/metricbeat/docs/modules/aws/billing.asciidoc b/metricbeat/docs/modules/aws/billing.asciidoc index bb2ac58819b..357ad2f564b 100644 --- a/metricbeat/docs/modules/aws/billing.asciidoc +++ b/metricbeat/docs/modules/aws/billing.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-billing]] +[role="xpack"] === AWS billing metricset beta[] diff --git a/metricbeat/docs/modules/aws/cloudwatch.asciidoc b/metricbeat/docs/modules/aws/cloudwatch.asciidoc index f0673a0213f..23688481521 100644 --- a/metricbeat/docs/modules/aws/cloudwatch.asciidoc +++ b/metricbeat/docs/modules/aws/cloudwatch.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-cloudwatch]] +[role="xpack"] === AWS cloudwatch metricset include::../../../../x-pack/metricbeat/module/aws/cloudwatch/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/aws/dynamodb.asciidoc b/metricbeat/docs/modules/aws/dynamodb.asciidoc index 3f5a642e919..103c7f23025 100644 --- a/metricbeat/docs/modules/aws/dynamodb.asciidoc +++ b/metricbeat/docs/modules/aws/dynamodb.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-dynamodb]] +[role="xpack"] === AWS dynamodb metricset beta[] diff --git a/metricbeat/docs/modules/aws/ebs.asciidoc b/metricbeat/docs/modules/aws/ebs.asciidoc index 3c52e61924e..970ff4d6604 100644 --- a/metricbeat/docs/modules/aws/ebs.asciidoc +++ b/metricbeat/docs/modules/aws/ebs.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-ebs]] +[role="xpack"] === AWS ebs metricset include::../../../../x-pack/metricbeat/module/aws/ebs/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/aws/ec2.asciidoc b/metricbeat/docs/modules/aws/ec2.asciidoc index 151c97ca0b7..8c71f9dbea5 100644 --- a/metricbeat/docs/modules/aws/ec2.asciidoc +++ b/metricbeat/docs/modules/aws/ec2.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-ec2]] +[role="xpack"] === AWS ec2 metricset include::../../../../x-pack/metricbeat/module/aws/ec2/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/aws/elb.asciidoc b/metricbeat/docs/modules/aws/elb.asciidoc index 65afc9458a4..1391dc54428 100644 --- a/metricbeat/docs/modules/aws/elb.asciidoc +++ b/metricbeat/docs/modules/aws/elb.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-elb]] +[role="xpack"] === AWS elb metricset include::../../../../x-pack/metricbeat/module/aws/elb/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/aws/lambda.asciidoc b/metricbeat/docs/modules/aws/lambda.asciidoc index dd605738360..202820844ad 100644 --- a/metricbeat/docs/modules/aws/lambda.asciidoc +++ b/metricbeat/docs/modules/aws/lambda.asciidoc @@ -3,10 +3,9 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-lambda]] +[role="xpack"] === AWS lambda metricset -beta[] - include::../../../../x-pack/metricbeat/module/aws/lambda/_meta/docs.asciidoc[] This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. diff --git a/metricbeat/docs/modules/aws/natgateway.asciidoc b/metricbeat/docs/modules/aws/natgateway.asciidoc index e685ee3d62d..29b8d0f9013 100644 --- a/metricbeat/docs/modules/aws/natgateway.asciidoc +++ b/metricbeat/docs/modules/aws/natgateway.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-natgateway]] +[role="xpack"] === AWS natgateway metricset beta[] diff --git a/metricbeat/docs/modules/aws/rds.asciidoc b/metricbeat/docs/modules/aws/rds.asciidoc index 66ec3c6e130..41aa085518f 100644 --- a/metricbeat/docs/modules/aws/rds.asciidoc +++ b/metricbeat/docs/modules/aws/rds.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-rds]] +[role="xpack"] === AWS rds metricset include::../../../../x-pack/metricbeat/module/aws/rds/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/aws/s3_daily_storage.asciidoc b/metricbeat/docs/modules/aws/s3_daily_storage.asciidoc index 39acd46fde5..251fe923231 100644 --- a/metricbeat/docs/modules/aws/s3_daily_storage.asciidoc +++ b/metricbeat/docs/modules/aws/s3_daily_storage.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-s3_daily_storage]] +[role="xpack"] === AWS s3_daily_storage metricset include::../../../../x-pack/metricbeat/module/aws/s3_daily_storage/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/aws/s3_request.asciidoc b/metricbeat/docs/modules/aws/s3_request.asciidoc index da4eb8a9cbe..53bef698894 100644 --- a/metricbeat/docs/modules/aws/s3_request.asciidoc +++ b/metricbeat/docs/modules/aws/s3_request.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-s3_request]] +[role="xpack"] === AWS s3_request metricset include::../../../../x-pack/metricbeat/module/aws/s3_request/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/aws/sns.asciidoc b/metricbeat/docs/modules/aws/sns.asciidoc index 5d8ad8bfed4..82c3a7946f5 100644 --- a/metricbeat/docs/modules/aws/sns.asciidoc +++ b/metricbeat/docs/modules/aws/sns.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-sns]] +[role="xpack"] === AWS sns metricset beta[] diff --git a/metricbeat/docs/modules/aws/sqs.asciidoc b/metricbeat/docs/modules/aws/sqs.asciidoc index d3e67466634..7c6129cbacb 100644 --- a/metricbeat/docs/modules/aws/sqs.asciidoc +++ b/metricbeat/docs/modules/aws/sqs.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-sqs]] +[role="xpack"] === AWS sqs metricset include::../../../../x-pack/metricbeat/module/aws/sqs/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/aws/transitgateway.asciidoc b/metricbeat/docs/modules/aws/transitgateway.asciidoc index bd9cb86f668..53d897aeacd 100644 --- a/metricbeat/docs/modules/aws/transitgateway.asciidoc +++ b/metricbeat/docs/modules/aws/transitgateway.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-transitgateway]] +[role="xpack"] === AWS transitgateway metricset beta[] diff --git a/metricbeat/docs/modules/aws/usage.asciidoc b/metricbeat/docs/modules/aws/usage.asciidoc index a8609480ad8..2a3f3f64a75 100644 --- a/metricbeat/docs/modules/aws/usage.asciidoc +++ b/metricbeat/docs/modules/aws/usage.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-usage]] +[role="xpack"] === AWS usage metricset beta[] diff --git a/metricbeat/docs/modules/aws/vpn.asciidoc b/metricbeat/docs/modules/aws/vpn.asciidoc index 8edc574ed51..21ff29237db 100644 --- a/metricbeat/docs/modules/aws/vpn.asciidoc +++ b/metricbeat/docs/modules/aws/vpn.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-vpn]] +[role="xpack"] === AWS vpn metricset beta[] diff --git a/metricbeat/docs/modules/azure.asciidoc b/metricbeat/docs/modules/azure.asciidoc index 93d644bd999..4db38120041 100644 --- a/metricbeat/docs/modules/azure.asciidoc +++ b/metricbeat/docs/modules/azure.asciidoc @@ -16,7 +16,9 @@ The azure monitor metrics are numerical values that describe some aspect of a sy The azure module will periodically retrieve the azure monitor metrics using the Azure REST APIs as MetricList. Additional azure API calls will be executed in order to retrieve information regarding the resources targeted by the user. -The azure module mericsets are `monitor`, `compute_vm` and `compute_vm_scaleset` + +IMPORTANT: Extra Azure charges on metric queries may be generated by this module. +Please see <> for more details. [float] === Dashboards @@ -119,6 +121,7 @@ so the `period` for `billing` metricset should be `24h` or multiples of `24h`. This metricset will collect application insights metrics, the `period` (interval) for the `app-insights` metricset is set by default at `300s`. [float] +[[azure-api-cost]] == Additional notes about metrics and costs Costs: Metric queries are charged based on the number of standard API calls. More information on pricing here https://azure.microsoft.com/id-id/pricing/details/monitor/. @@ -237,7 +240,8 @@ metricbeat.modules: period: 300s application_id: '' api_key: '' - + metrics: + - id: ["requests/count", "requests/duration"] ---- [float] diff --git a/metricbeat/docs/modules/azure/app_insights.asciidoc b/metricbeat/docs/modules/azure/app_insights.asciidoc index 2cc018c73f5..4bd8c2dd7c9 100644 --- a/metricbeat/docs/modules/azure/app_insights.asciidoc +++ b/metricbeat/docs/modules/azure/app_insights.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-app_insights]] +[role="xpack"] === Azure app_insights metricset beta[] diff --git a/metricbeat/docs/modules/azure/billing.asciidoc b/metricbeat/docs/modules/azure/billing.asciidoc index 81b3b2c028e..6cb341be97b 100644 --- a/metricbeat/docs/modules/azure/billing.asciidoc +++ b/metricbeat/docs/modules/azure/billing.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-billing]] +[role="xpack"] === Azure billing metricset beta[] diff --git a/metricbeat/docs/modules/azure/compute_vm.asciidoc b/metricbeat/docs/modules/azure/compute_vm.asciidoc index c28fb01498c..fdac6f7d06a 100644 --- a/metricbeat/docs/modules/azure/compute_vm.asciidoc +++ b/metricbeat/docs/modules/azure/compute_vm.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-compute_vm]] +[role="xpack"] === Azure compute_vm metricset include::../../../../x-pack/metricbeat/module/azure/compute_vm/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/compute_vm_scaleset.asciidoc b/metricbeat/docs/modules/azure/compute_vm_scaleset.asciidoc index 06191a8f44e..b291342cbef 100644 --- a/metricbeat/docs/modules/azure/compute_vm_scaleset.asciidoc +++ b/metricbeat/docs/modules/azure/compute_vm_scaleset.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-compute_vm_scaleset]] +[role="xpack"] === Azure compute_vm_scaleset metricset include::../../../../x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/container_instance.asciidoc b/metricbeat/docs/modules/azure/container_instance.asciidoc index 3bf12d7263a..81cd5febddc 100644 --- a/metricbeat/docs/modules/azure/container_instance.asciidoc +++ b/metricbeat/docs/modules/azure/container_instance.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-container_instance]] +[role="xpack"] === Azure container_instance metricset include::../../../../x-pack/metricbeat/module/azure/container_instance/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/container_registry.asciidoc b/metricbeat/docs/modules/azure/container_registry.asciidoc index c14fffa4753..03e4eb7abc6 100644 --- a/metricbeat/docs/modules/azure/container_registry.asciidoc +++ b/metricbeat/docs/modules/azure/container_registry.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-container_registry]] +[role="xpack"] === Azure container_registry metricset include::../../../../x-pack/metricbeat/module/azure/container_registry/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/container_service.asciidoc b/metricbeat/docs/modules/azure/container_service.asciidoc index a5fcb472273..c2a580959c0 100644 --- a/metricbeat/docs/modules/azure/container_service.asciidoc +++ b/metricbeat/docs/modules/azure/container_service.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-container_service]] +[role="xpack"] === Azure container_service metricset include::../../../../x-pack/metricbeat/module/azure/container_service/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/database_account.asciidoc b/metricbeat/docs/modules/azure/database_account.asciidoc index fcfa5f0b953..5a35100d23a 100644 --- a/metricbeat/docs/modules/azure/database_account.asciidoc +++ b/metricbeat/docs/modules/azure/database_account.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-database_account]] +[role="xpack"] === Azure database_account metricset include::../../../../x-pack/metricbeat/module/azure/database_account/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/monitor.asciidoc b/metricbeat/docs/modules/azure/monitor.asciidoc index 327ab61f22b..9f5a20d5b2c 100644 --- a/metricbeat/docs/modules/azure/monitor.asciidoc +++ b/metricbeat/docs/modules/azure/monitor.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-monitor]] +[role="xpack"] === Azure monitor metricset include::../../../../x-pack/metricbeat/module/azure/monitor/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/storage.asciidoc b/metricbeat/docs/modules/azure/storage.asciidoc index 6447523e519..45b788d6b17 100644 --- a/metricbeat/docs/modules/azure/storage.asciidoc +++ b/metricbeat/docs/modules/azure/storage.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-storage]] +[role="xpack"] === Azure storage metricset include::../../../../x-pack/metricbeat/module/azure/storage/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/cloudfoundry.asciidoc b/metricbeat/docs/modules/cloudfoundry.asciidoc index 3a8ba132280..4d153933c23 100644 --- a/metricbeat/docs/modules/cloudfoundry.asciidoc +++ b/metricbeat/docs/modules/cloudfoundry.asciidoc @@ -17,6 +17,22 @@ The cloudfoundry module metrics are numerical values that describe some aspect o The cloudfoundry module mericsets are `container`, `counter` and `value`. +[float] +=== Dashboards + +The Cloud Foundry module includes some dashboards. + +The overview dashboard can be used to visualize the current status of your Cloud +Foundry deployments. + +image::./images/metricbeat-cloudfoundry-overview.png[] + +The platform health dashboard includes visualizations that help diagnosting +issues related to the applications deployed in Cloud Foundry. + +image::./images/metricbeat-cloudfoundry-platform-health.png[] + + [float] === Module-specific configuration notes diff --git a/metricbeat/docs/modules/cloudfoundry/container.asciidoc b/metricbeat/docs/modules/cloudfoundry/container.asciidoc index 025c2152033..f308fb56150 100644 --- a/metricbeat/docs/modules/cloudfoundry/container.asciidoc +++ b/metricbeat/docs/modules/cloudfoundry/container.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-cloudfoundry-container]] +[role="xpack"] === Cloudfoundry container metricset beta[] diff --git a/metricbeat/docs/modules/cloudfoundry/counter.asciidoc b/metricbeat/docs/modules/cloudfoundry/counter.asciidoc index c623a969373..bc033c21616 100644 --- a/metricbeat/docs/modules/cloudfoundry/counter.asciidoc +++ b/metricbeat/docs/modules/cloudfoundry/counter.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-cloudfoundry-counter]] +[role="xpack"] === Cloudfoundry counter metricset beta[] diff --git a/metricbeat/docs/modules/cloudfoundry/value.asciidoc b/metricbeat/docs/modules/cloudfoundry/value.asciidoc index a26103907fe..a5150fe534e 100644 --- a/metricbeat/docs/modules/cloudfoundry/value.asciidoc +++ b/metricbeat/docs/modules/cloudfoundry/value.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-cloudfoundry-value]] +[role="xpack"] === Cloudfoundry value metricset beta[] diff --git a/metricbeat/docs/modules/cockroachdb/status.asciidoc b/metricbeat/docs/modules/cockroachdb/status.asciidoc index d15dd6fc0b8..2ce97f39b2a 100644 --- a/metricbeat/docs/modules/cockroachdb/status.asciidoc +++ b/metricbeat/docs/modules/cockroachdb/status.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-cockroachdb-status]] +[role="xpack"] === CockroachDB status metricset beta[] diff --git a/metricbeat/docs/modules/coredns/stats.asciidoc b/metricbeat/docs/modules/coredns/stats.asciidoc index 97f262a5077..0f328e1d8c4 100644 --- a/metricbeat/docs/modules/coredns/stats.asciidoc +++ b/metricbeat/docs/modules/coredns/stats.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-coredns-stats]] +[role="xpack"] === Coredns stats metricset include::../../../../x-pack/metricbeat/module/coredns/stats/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/elasticsearch.asciidoc b/metricbeat/docs/modules/elasticsearch.asciidoc index 6dc13a8dd5c..18f9004a99a 100644 --- a/metricbeat/docs/modules/elasticsearch.asciidoc +++ b/metricbeat/docs/modules/elasticsearch.asciidoc @@ -13,7 +13,16 @@ The `elasticsearch` module collects metrics about {es}. The `elasticsearch` module works with {es} 6.7.0 and later. [float] -=== Usage for Stack Monitoring +=== Module-specific configuration notes + +Like other {beatname_uc} modules, the `elasticsearch` module accepts a `hosts` configuration setting. +This setting can contain a list of entries. The related `scope` setting determines how each entry in +the `hosts` list is interpreted by the module. + +* If `scope` is set to `node` (default), each entry in the `hosts` list indicates a distinct node in an + {es} cluster. +* If `scope` is set to `cluster`, each entry in the `hosts` list indicates a single endpoint for a distinct + {es} cluster (for example, a load-balancing proxy fronting the cluster). The `elasticsearch` module can be used to collect metrics shown in our {stack} {monitor-features} UI in {kib}. To enable this usage, set `xpack.enabled: true` and remove any `metricsets` @@ -45,12 +54,9 @@ metricbeat.modules: #password: "changeme" #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - # Set to false to fetch all entries #index_recovery.active_only: true - - # Set to true to send data collected by module to X-Pack - # Monitoring instead of metricbeat-* indices. #xpack.enabled: false + #scope: node ---- This module supports TLS connections when using `ssl` config field, as described in <>. diff --git a/metricbeat/docs/modules/googlecloud.asciidoc b/metricbeat/docs/modules/googlecloud.asciidoc index 03426f40aae..ce450aee4ca 100644 --- a/metricbeat/docs/modules/googlecloud.asciidoc +++ b/metricbeat/docs/modules/googlecloud.asciidoc @@ -10,7 +10,10 @@ beta[] This module periodically fetches monitoring metrics from Google Cloud Platform using https://cloud.google.com/monitoring/api/metrics_gcp[Stackdriver Monitoring API] for Google Cloud Platform services. -Note: extra GCP charges on Stackdriver Monitoring API requests will be generated by this module. + +IMPORTANT: Extra GCP charges on Stackdriver Monitoring API requests may be +generated by this module. Please see <> +for more details. [float] == Module config and parameters @@ -138,16 +141,28 @@ GCP monitoring data has a up to 240 seconds latency, which means latest monitori In googlecloud module, metrics are collected based on this ingest delay, which is also obtained from ListMetricDescriptors API. [float] -=== Rough estimation of the number of API Calls +[[gcp-api-requests]] +=== Rough estimation of the number of API calls Google Cloud Platform pricing depends of the number of requests you do to their API's. Here you have some information that you can use to make an estimation of the pricing you should expect. For example, imagine that you have a Compute Metricset activated and you don't want to exclude labels. You have a total of 20 instances running in a particular GCP project, region and zone. For example, if Compute Metricset fetches 14 metrics (which is the number of metrics fetched in the early beta version). Each of those metrics will attempt an API call to Compute API to retrieve also their metadata. Because you have 20 different instances, the total number of API calls that will be done on each refresh period are: 14 metrics + 20 instances = 34 API requests every 5 minutes if that is your current Period. 9792 API requests per day with one zone. If you add 2 zones more with the same amount of instances you'll have 19584 API requests per day (9792 on each zone) or around 587520 per month for the Compute Metricset. This maths must be done for each different Metricset with slight variations. [float] == Metricsets -Currently, we have `compute`, `loadbalancing`, `pubsub`, `stackdriver` and +Currently, we have `billing`, `compute`, `loadbalancing`, `pubsub`, `metrics` and `storage` metricset in `googlecloud` module. +[float] +=== `billing` +This metricset fetches billing metrics from https://cloud.google.com/bigquery[GCP BigQuery] +Cloud Billing allows users to export billing data into BigQuery automatically +throughout the day. This metricset gets access to the daily cost detail table +periodically to export billing metrics for further analysis. + +The `billing` metricset comes with a predefined dashboard: + +image::./images/metricbeat-googlecloud-billing-overview.png[] + [float] === `compute` This metricset fetches metrics from https://cloud.google.com/compute/[Compute Engine] @@ -196,10 +211,11 @@ The `pubsub` metricset comes with a predefined dashboard: image::./images/metricbeat-googlecloud-pubsub-overview.png[] [float] -=== `stackdriver` -Stackdriver provides visibility into the performance, uptime, and overall health -of cloud-powered applications. It collects metrics, events, and metadata from -different services from Google Cloud. +=== `metrics` +`metrics` metricset uses Google Cloud Operations/Stackdriver, which provides +visibility into the performance, uptime, and overall health of cloud-powered +applications. It collects metrics, events, and metadata from different services +from Google Cloud. This metricset is to collect https://cloud.google.com/monitoring/api/metrics_gcp[monitoring metrics] from Google Cloud using `ListTimeSeries` API. @@ -256,7 +272,7 @@ metricbeat.modules: - module: googlecloud metricsets: - - stackdriver + - metrics project_id: "your project id" credentials_file_path: "your JSON credentials file path" exclude_labels: false @@ -269,6 +285,16 @@ metricbeat.modules: - "instance/cpu/usage_time" - "instance/cpu/utilization" - "instance/uptime" + +- module: googlecloud + metricsets: + - billing + period: 24h + project_id: "your project id" + credentials_file_path: "your JSON credentials file path" + dataset_id: "dataset id" + table_pattern: "table pattern" + cost_type: "regular" ---- [float] @@ -276,23 +302,27 @@ metricbeat.modules: The following metricsets are available: +* <> + * <> * <> -* <> +* <> -* <> +* <> * <> +include::googlecloud/billing.asciidoc[] + include::googlecloud/compute.asciidoc[] include::googlecloud/loadbalancing.asciidoc[] -include::googlecloud/pubsub.asciidoc[] +include::googlecloud/metrics.asciidoc[] -include::googlecloud/stackdriver.asciidoc[] +include::googlecloud/pubsub.asciidoc[] include::googlecloud/storage.asciidoc[] diff --git a/metricbeat/docs/modules/googlecloud/stackdriver.asciidoc b/metricbeat/docs/modules/googlecloud/billing.asciidoc similarity index 51% rename from metricbeat/docs/modules/googlecloud/stackdriver.asciidoc rename to metricbeat/docs/modules/googlecloud/billing.asciidoc index 16609f7b01e..cfb91238840 100644 --- a/metricbeat/docs/modules/googlecloud/stackdriver.asciidoc +++ b/metricbeat/docs/modules/googlecloud/billing.asciidoc @@ -2,12 +2,13 @@ This file is generated! See scripts/mage/docs_collector.go //// -[[metricbeat-metricset-googlecloud-stackdriver]] -=== Google Cloud Platform stackdriver metricset +[[metricbeat-metricset-googlecloud-billing]] +[role="xpack"] +=== Google Cloud Platform billing metricset beta[] -include::../../../../x-pack/metricbeat/module/googlecloud/stackdriver/_meta/docs.asciidoc[] +include::../../../../x-pack/metricbeat/module/googlecloud/billing/_meta/docs.asciidoc[] ==== Fields @@ -19,5 +20,5 @@ Here is an example document generated by this metricset: [source,json] ---- -include::../../../../x-pack/metricbeat/module/googlecloud/stackdriver/_meta/data.json[] +include::../../../../x-pack/metricbeat/module/googlecloud/billing/_meta/data.json[] ---- diff --git a/metricbeat/docs/modules/googlecloud/compute.asciidoc b/metricbeat/docs/modules/googlecloud/compute.asciidoc index fb6474bf756..bd8e4202788 100644 --- a/metricbeat/docs/modules/googlecloud/compute.asciidoc +++ b/metricbeat/docs/modules/googlecloud/compute.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-googlecloud-compute]] +[role="xpack"] === Google Cloud Platform compute metricset beta[] diff --git a/metricbeat/docs/modules/googlecloud/loadbalancing.asciidoc b/metricbeat/docs/modules/googlecloud/loadbalancing.asciidoc index 22ea8bf98b4..f6cdbcb5f6e 100644 --- a/metricbeat/docs/modules/googlecloud/loadbalancing.asciidoc +++ b/metricbeat/docs/modules/googlecloud/loadbalancing.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-googlecloud-loadbalancing]] +[role="xpack"] === Google Cloud Platform loadbalancing metricset beta[] diff --git a/metricbeat/docs/modules/googlecloud/metrics.asciidoc b/metricbeat/docs/modules/googlecloud/metrics.asciidoc new file mode 100644 index 00000000000..404c35a430d --- /dev/null +++ b/metricbeat/docs/modules/googlecloud/metrics.asciidoc @@ -0,0 +1,24 @@ +//// +This file is generated! See scripts/mage/docs_collector.go +//// + +[[metricbeat-metricset-googlecloud-metrics]] +[role="xpack"] +=== Google Cloud Platform metrics metricset + +beta[] + +include::../../../../x-pack/metricbeat/module/googlecloud/metrics/_meta/docs.asciidoc[] + + +==== Fields + +For a description of each field in the metricset, see the +<> section. + +Here is an example document generated by this metricset: + +[source,json] +---- +include::../../../../x-pack/metricbeat/module/googlecloud/metrics/_meta/data.json[] +---- diff --git a/metricbeat/docs/modules/googlecloud/pubsub.asciidoc b/metricbeat/docs/modules/googlecloud/pubsub.asciidoc index df751605e5a..605d4fae7ec 100644 --- a/metricbeat/docs/modules/googlecloud/pubsub.asciidoc +++ b/metricbeat/docs/modules/googlecloud/pubsub.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-googlecloud-pubsub]] +[role="xpack"] === Google Cloud Platform pubsub metricset beta[] diff --git a/metricbeat/docs/modules/googlecloud/storage.asciidoc b/metricbeat/docs/modules/googlecloud/storage.asciidoc index 86d42459977..2606dff2fff 100644 --- a/metricbeat/docs/modules/googlecloud/storage.asciidoc +++ b/metricbeat/docs/modules/googlecloud/storage.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-googlecloud-storage]] +[role="xpack"] === Google Cloud Platform storage metricset beta[] diff --git a/metricbeat/docs/modules/ibmmq/qmgr.asciidoc b/metricbeat/docs/modules/ibmmq/qmgr.asciidoc index 7617b660ad6..357f4965f9d 100644 --- a/metricbeat/docs/modules/ibmmq/qmgr.asciidoc +++ b/metricbeat/docs/modules/ibmmq/qmgr.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-ibmmq-qmgr]] +[role="xpack"] === IBM MQ qmgr metricset beta[] diff --git a/metricbeat/docs/modules/iis/application_pool.asciidoc b/metricbeat/docs/modules/iis/application_pool.asciidoc index 8b68e8f4801..042d41384c4 100644 --- a/metricbeat/docs/modules/iis/application_pool.asciidoc +++ b/metricbeat/docs/modules/iis/application_pool.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-iis-application_pool]] +[role="xpack"] === IIS application_pool metricset beta[] diff --git a/metricbeat/docs/modules/iis/webserver.asciidoc b/metricbeat/docs/modules/iis/webserver.asciidoc index 85c8d1474a1..00be405b058 100644 --- a/metricbeat/docs/modules/iis/webserver.asciidoc +++ b/metricbeat/docs/modules/iis/webserver.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-iis-webserver]] +[role="xpack"] === IIS webserver metricset beta[] diff --git a/metricbeat/docs/modules/iis/website.asciidoc b/metricbeat/docs/modules/iis/website.asciidoc index e1f1b77ffe7..c7c170b2e92 100644 --- a/metricbeat/docs/modules/iis/website.asciidoc +++ b/metricbeat/docs/modules/iis/website.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-iis-website]] +[role="xpack"] === IIS website metricset beta[] diff --git a/metricbeat/docs/modules/istio/citadel.asciidoc b/metricbeat/docs/modules/istio/citadel.asciidoc index e22881f1424..2560ae00a38 100644 --- a/metricbeat/docs/modules/istio/citadel.asciidoc +++ b/metricbeat/docs/modules/istio/citadel.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-istio-citadel]] +[role="xpack"] === Istio citadel metricset beta[] diff --git a/metricbeat/docs/modules/istio/galley.asciidoc b/metricbeat/docs/modules/istio/galley.asciidoc index 903ca49cbcc..559db7ffe08 100644 --- a/metricbeat/docs/modules/istio/galley.asciidoc +++ b/metricbeat/docs/modules/istio/galley.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-istio-galley]] +[role="xpack"] === Istio galley metricset beta[] diff --git a/metricbeat/docs/modules/istio/mesh.asciidoc b/metricbeat/docs/modules/istio/mesh.asciidoc index 081312a28c9..b1d170be31b 100644 --- a/metricbeat/docs/modules/istio/mesh.asciidoc +++ b/metricbeat/docs/modules/istio/mesh.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-istio-mesh]] +[role="xpack"] === Istio mesh metricset beta[] diff --git a/metricbeat/docs/modules/istio/mixer.asciidoc b/metricbeat/docs/modules/istio/mixer.asciidoc index 760abaa7811..214cc4694fa 100644 --- a/metricbeat/docs/modules/istio/mixer.asciidoc +++ b/metricbeat/docs/modules/istio/mixer.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-istio-mixer]] +[role="xpack"] === Istio mixer metricset beta[] diff --git a/metricbeat/docs/modules/istio/pilot.asciidoc b/metricbeat/docs/modules/istio/pilot.asciidoc index 2aa6b03a385..5e406608ebc 100644 --- a/metricbeat/docs/modules/istio/pilot.asciidoc +++ b/metricbeat/docs/modules/istio/pilot.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-istio-pilot]] +[role="xpack"] === Istio pilot metricset beta[] diff --git a/metricbeat/docs/modules/kafka/broker.asciidoc b/metricbeat/docs/modules/kafka/broker.asciidoc index 9ef1c702ce2..191351eb98f 100644 --- a/metricbeat/docs/modules/kafka/broker.asciidoc +++ b/metricbeat/docs/modules/kafka/broker.asciidoc @@ -9,7 +9,6 @@ beta[] include::../../../module/kafka/broker/_meta/docs.asciidoc[] -This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields diff --git a/metricbeat/docs/modules/kafka/consumer.asciidoc b/metricbeat/docs/modules/kafka/consumer.asciidoc index a30bd900118..3a2acd51cda 100644 --- a/metricbeat/docs/modules/kafka/consumer.asciidoc +++ b/metricbeat/docs/modules/kafka/consumer.asciidoc @@ -9,7 +9,6 @@ beta[] include::../../../module/kafka/consumer/_meta/docs.asciidoc[] -This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields diff --git a/metricbeat/docs/modules/kafka/producer.asciidoc b/metricbeat/docs/modules/kafka/producer.asciidoc index d7e9e6b9d53..2ce5ab0a3f4 100644 --- a/metricbeat/docs/modules/kafka/producer.asciidoc +++ b/metricbeat/docs/modules/kafka/producer.asciidoc @@ -9,7 +9,6 @@ beta[] include::../../../module/kafka/producer/_meta/docs.asciidoc[] -This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields diff --git a/metricbeat/docs/modules/kubernetes.asciidoc b/metricbeat/docs/modules/kubernetes.asciidoc index de25089fa14..c197db1d476 100644 --- a/metricbeat/docs/modules/kubernetes.asciidoc +++ b/metricbeat/docs/modules/kubernetes.asciidoc @@ -210,6 +210,7 @@ metricbeat.modules: enabled: true metricsets: - state_node + - state_daemonset - state_deployment - state_replicaset - state_statefulset @@ -303,6 +304,8 @@ The following metricsets are available: * <> +* <> + * <> * <> @@ -345,6 +348,8 @@ include::kubernetes/state_container.asciidoc[] include::kubernetes/state_cronjob.asciidoc[] +include::kubernetes/state_daemonset.asciidoc[] + include::kubernetes/state_deployment.asciidoc[] include::kubernetes/state_node.asciidoc[] diff --git a/metricbeat/docs/modules/kubernetes/state_daemonset.asciidoc b/metricbeat/docs/modules/kubernetes/state_daemonset.asciidoc new file mode 100644 index 00000000000..fa5904cf6ec --- /dev/null +++ b/metricbeat/docs/modules/kubernetes/state_daemonset.asciidoc @@ -0,0 +1,21 @@ +//// +This file is generated! See scripts/mage/docs_collector.go +//// + +[[metricbeat-metricset-kubernetes-state_daemonset]] +=== Kubernetes state_daemonset metricset + +include::../../../module/kubernetes/state_daemonset/_meta/docs.asciidoc[] + + +==== Fields + +For a description of each field in the metricset, see the +<> section. + +Here is an example document generated by this metricset: + +[source,json] +---- +include::../../../module/kubernetes/state_daemonset/_meta/data.json[] +---- diff --git a/metricbeat/docs/modules/kubernetes/state_persistentvolumeclaim.asciidoc b/metricbeat/docs/modules/kubernetes/state_persistentvolumeclaim.asciidoc index f0bce748d0d..e648f71d7e1 100644 --- a/metricbeat/docs/modules/kubernetes/state_persistentvolumeclaim.asciidoc +++ b/metricbeat/docs/modules/kubernetes/state_persistentvolumeclaim.asciidoc @@ -5,8 +5,6 @@ This file is generated! See scripts/mage/docs_collector.go [[metricbeat-metricset-kubernetes-state_persistentvolumeclaim]] === Kubernetes state_persistentvolumeclaim metricset -experimental[] - include::../../../module/kubernetes/state_persistentvolumeclaim/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/kubernetes/state_service.asciidoc b/metricbeat/docs/modules/kubernetes/state_service.asciidoc index 5921d593971..018aa1f7f66 100644 --- a/metricbeat/docs/modules/kubernetes/state_service.asciidoc +++ b/metricbeat/docs/modules/kubernetes/state_service.asciidoc @@ -5,8 +5,6 @@ This file is generated! See scripts/mage/docs_collector.go [[metricbeat-metricset-kubernetes-state_service]] === Kubernetes state_service metricset -experimental[] - include::../../../module/kubernetes/state_service/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/kubernetes/state_storageclass.asciidoc b/metricbeat/docs/modules/kubernetes/state_storageclass.asciidoc index 02aec973cd9..d4f100d8ea4 100644 --- a/metricbeat/docs/modules/kubernetes/state_storageclass.asciidoc +++ b/metricbeat/docs/modules/kubernetes/state_storageclass.asciidoc @@ -5,8 +5,6 @@ This file is generated! See scripts/mage/docs_collector.go [[metricbeat-metricset-kubernetes-state_storageclass]] === Kubernetes state_storageclass metricset -experimental[] - include::../../../module/kubernetes/state_storageclass/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/mssql/performance.asciidoc b/metricbeat/docs/modules/mssql/performance.asciidoc index b21411b5a60..f0202e4574d 100644 --- a/metricbeat/docs/modules/mssql/performance.asciidoc +++ b/metricbeat/docs/modules/mssql/performance.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-mssql-performance]] +[role="xpack"] === MSSQL performance metricset include::../../../../x-pack/metricbeat/module/mssql/performance/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/mssql/transaction_log.asciidoc b/metricbeat/docs/modules/mssql/transaction_log.asciidoc index 63bf00583c4..8e373dc7558 100644 --- a/metricbeat/docs/modules/mssql/transaction_log.asciidoc +++ b/metricbeat/docs/modules/mssql/transaction_log.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-mssql-transaction_log]] +[role="xpack"] === MSSQL transaction_log metricset include::../../../../x-pack/metricbeat/module/mssql/transaction_log/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/mysql.asciidoc b/metricbeat/docs/modules/mysql.asciidoc index 21762cbeb66..f762f5c8642 100644 --- a/metricbeat/docs/modules/mysql.asciidoc +++ b/metricbeat/docs/modules/mysql.asciidoc @@ -58,8 +58,10 @@ in <>. Here is an example configuration: metricbeat.modules: - module: mysql metricsets: - - "status" - # - "galera_status" + - status + # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" diff --git a/metricbeat/docs/modules/mysql/performance.asciidoc b/metricbeat/docs/modules/mysql/performance.asciidoc index e0e47239f21..d94b12a53fa 100644 --- a/metricbeat/docs/modules/mysql/performance.asciidoc +++ b/metricbeat/docs/modules/mysql/performance.asciidoc @@ -9,7 +9,6 @@ beta[] include::../../../module/mysql/performance/_meta/docs.asciidoc[] -This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields diff --git a/metricbeat/docs/modules/mysql/query.asciidoc b/metricbeat/docs/modules/mysql/query.asciidoc index fd8cdf650f9..31a8e1638c1 100644 --- a/metricbeat/docs/modules/mysql/query.asciidoc +++ b/metricbeat/docs/modules/mysql/query.asciidoc @@ -9,7 +9,6 @@ beta[] include::../../../module/mysql/query/_meta/docs.asciidoc[] -This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields diff --git a/metricbeat/docs/modules/openmetrics/collector.asciidoc b/metricbeat/docs/modules/openmetrics/collector.asciidoc index fd5026ff378..1a18fb93e6c 100644 --- a/metricbeat/docs/modules/openmetrics/collector.asciidoc +++ b/metricbeat/docs/modules/openmetrics/collector.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-openmetrics-collector]] +[role="xpack"] === Openmetrics collector metricset beta[] diff --git a/metricbeat/docs/modules/oracle/performance.asciidoc b/metricbeat/docs/modules/oracle/performance.asciidoc index 2c57d8f6202..64802664b0d 100644 --- a/metricbeat/docs/modules/oracle/performance.asciidoc +++ b/metricbeat/docs/modules/oracle/performance.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-oracle-performance]] +[role="xpack"] === Oracle performance metricset include::../../../../x-pack/metricbeat/module/oracle/performance/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/oracle/tablespace.asciidoc b/metricbeat/docs/modules/oracle/tablespace.asciidoc index af25323b220..be1a2ebcec6 100644 --- a/metricbeat/docs/modules/oracle/tablespace.asciidoc +++ b/metricbeat/docs/modules/oracle/tablespace.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-oracle-tablespace]] +[role="xpack"] === Oracle tablespace metricset include::../../../../x-pack/metricbeat/module/oracle/tablespace/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/redisenterprise/node.asciidoc b/metricbeat/docs/modules/redisenterprise/node.asciidoc index 90103d11923..6460b9f87cb 100644 --- a/metricbeat/docs/modules/redisenterprise/node.asciidoc +++ b/metricbeat/docs/modules/redisenterprise/node.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-redisenterprise-node]] +[role="xpack"] === Redis Enterprise node metricset beta[] diff --git a/metricbeat/docs/modules/redisenterprise/proxy.asciidoc b/metricbeat/docs/modules/redisenterprise/proxy.asciidoc index cee1e06ebd4..b375211ab85 100644 --- a/metricbeat/docs/modules/redisenterprise/proxy.asciidoc +++ b/metricbeat/docs/modules/redisenterprise/proxy.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-redisenterprise-proxy]] +[role="xpack"] === Redis Enterprise proxy metricset beta[] diff --git a/metricbeat/docs/modules/sql/query.asciidoc b/metricbeat/docs/modules/sql/query.asciidoc index 16e999eb98c..cc3832ca234 100644 --- a/metricbeat/docs/modules/sql/query.asciidoc +++ b/metricbeat/docs/modules/sql/query.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-sql-query]] +[role="xpack"] === SQL query metricset beta[] diff --git a/metricbeat/docs/modules/stan/channels.asciidoc b/metricbeat/docs/modules/stan/channels.asciidoc index 63ff79005a3..c57c85c52ea 100644 --- a/metricbeat/docs/modules/stan/channels.asciidoc +++ b/metricbeat/docs/modules/stan/channels.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-stan-channels]] +[role="xpack"] === Stan channels metricset include::../../../../x-pack/metricbeat/module/stan/channels/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/stan/stats.asciidoc b/metricbeat/docs/modules/stan/stats.asciidoc index 62b6532b8ef..f8b5d0647e3 100644 --- a/metricbeat/docs/modules/stan/stats.asciidoc +++ b/metricbeat/docs/modules/stan/stats.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-stan-stats]] +[role="xpack"] === Stan stats metricset include::../../../../x-pack/metricbeat/module/stan/stats/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/stan/subscriptions.asciidoc b/metricbeat/docs/modules/stan/subscriptions.asciidoc index 9ab2e2bd884..39631877264 100644 --- a/metricbeat/docs/modules/stan/subscriptions.asciidoc +++ b/metricbeat/docs/modules/stan/subscriptions.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-stan-subscriptions]] +[role="xpack"] === Stan subscriptions metricset include::../../../../x-pack/metricbeat/module/stan/subscriptions/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/statsd/server.asciidoc b/metricbeat/docs/modules/statsd/server.asciidoc index b3e983bbbd6..1462697808e 100644 --- a/metricbeat/docs/modules/statsd/server.asciidoc +++ b/metricbeat/docs/modules/statsd/server.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-statsd-server]] +[role="xpack"] === Statsd server metricset include::../../../../x-pack/metricbeat/module/statsd/server/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/tomcat/cache.asciidoc b/metricbeat/docs/modules/tomcat/cache.asciidoc index ddddaae045e..a19c257349b 100644 --- a/metricbeat/docs/modules/tomcat/cache.asciidoc +++ b/metricbeat/docs/modules/tomcat/cache.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-tomcat-cache]] +[role="xpack"] === Tomcat cache metricset beta[] diff --git a/metricbeat/docs/modules/tomcat/memory.asciidoc b/metricbeat/docs/modules/tomcat/memory.asciidoc index 1d850e840cd..bafbb9cfc93 100644 --- a/metricbeat/docs/modules/tomcat/memory.asciidoc +++ b/metricbeat/docs/modules/tomcat/memory.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-tomcat-memory]] +[role="xpack"] === Tomcat memory metricset beta[] diff --git a/metricbeat/docs/modules/tomcat/requests.asciidoc b/metricbeat/docs/modules/tomcat/requests.asciidoc index 8f2db18d4d4..50a153e463e 100644 --- a/metricbeat/docs/modules/tomcat/requests.asciidoc +++ b/metricbeat/docs/modules/tomcat/requests.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-tomcat-requests]] +[role="xpack"] === Tomcat requests metricset beta[] diff --git a/metricbeat/docs/modules/tomcat/threading.asciidoc b/metricbeat/docs/modules/tomcat/threading.asciidoc index 4d356cb2a9a..3b8516fe805 100644 --- a/metricbeat/docs/modules/tomcat/threading.asciidoc +++ b/metricbeat/docs/modules/tomcat/threading.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-tomcat-threading]] +[role="xpack"] === Tomcat threading metricset beta[] diff --git a/metricbeat/docs/modules_list.asciidoc b/metricbeat/docs/modules_list.asciidoc index b6398eb65f6..2232cf3b070 100644 --- a/metricbeat/docs/modules_list.asciidoc +++ b/metricbeat/docs/modules_list.asciidoc @@ -22,7 +22,7 @@ This file is generated! See scripts/mage/docs_collector.go |<> |<> |<> -|<> beta[] +|<> |<> beta[] |<> |<> @@ -60,7 +60,7 @@ This file is generated! See scripts/mage/docs_collector.go |<> |<> |<> -|<> beta[] |image:./images/icon-no.png[No prebuilt dashboards] | +|<> beta[] |image:./images/icon-yes.png[Prebuilt dashboards are available] | .3+| .3+| |<> beta[] |<> beta[] |<> beta[] @@ -111,10 +111,11 @@ This file is generated! See scripts/mage/docs_collector.go .2+| .2+| |<> |<> |<> beta[] |image:./images/icon-yes.png[Prebuilt dashboards are available] | -.5+| .5+| |<> beta[] +.6+| .6+| |<> beta[] +|<> beta[] |<> beta[] +|<> beta[] |<> beta[] -|<> beta[] |<> beta[] |<> |image:./images/icon-no.png[No prebuilt dashboards] | .1+| .1+| |<> @@ -148,7 +149,7 @@ This file is generated! See scripts/mage/docs_collector.go .2+| .2+| |<> |<> |<> |image:./images/icon-yes.png[Prebuilt dashboards are available] | -.21+| .21+| |<> +.22+| .22+| |<> |<> |<> |<> @@ -158,15 +159,16 @@ This file is generated! See scripts/mage/docs_collector.go |<> |<> |<> +|<> |<> |<> -|<> experimental[] +|<> |<> |<> |<> -|<> experimental[] +|<> |<> -|<> experimental[] +|<> |<> |<> |<> beta[] |image:./images/icon-no.png[No prebuilt dashboards] | diff --git a/metricbeat/docs/running-on-kubernetes.asciidoc b/metricbeat/docs/running-on-kubernetes.asciidoc index 78844f9e1a0..786977cb294 100644 --- a/metricbeat/docs/running-on-kubernetes.asciidoc +++ b/metricbeat/docs/running-on-kubernetes.asciidoc @@ -4,6 +4,8 @@ You can use {beatname_uc} <> on Kubernetes to retrieve cluster metrics. +TIP: Running {ecloud} on Kubernetes? See {eck-ref}/k8s-beat.html[Run {beats} on ECK]. + ifeval::["{release-state}"=="unreleased"] However, version {version} of {beatname_uc} has not yet been @@ -15,18 +17,21 @@ endif::[] [float] ==== Kubernetes deploy manifests -You deploy {beatname_uc} in two different ways at the same time: - -* As a https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet] +You deploy {beatname_uc} as a https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet] to ensure that there's a running instance on each node of the cluster. These instances are used to retrieve most metrics from the host, such as system metrics, Docker stats, and metrics from all the services running on top of Kubernetes. -* As a single {beatname_uc} instance created using a https://kubernetes.io/docs/concepts/workloads/controllers/Deployment/[Deployment]. +In addition, one of the Pods in the DaemonSet will constantly hold a _leader lock_ which makes it responsible for +handling cluster-wide monitoring. This instance is used to retrieve metrics that are unique for the whole cluster, such as Kubernetes events or https://github.com/kubernetes/kube-state-metrics[kube-state-metrics]. +You can find more information about leader election configuration options at <>. + +Note: If you are upgrading from older versions, please make sure there are no redundant parts +as left-overs from the old manifests. Deployment specification and its ConfigMaps might be the case. Everything is deployed under the `kube-system` namespace by default. To change the namespace, modify the manifest file. @@ -195,3 +200,12 @@ metricbeat 1 1 1 1 1m ------------------------------------------------ Metrics should start flowing to Elasticsearch. + + +[float] +==== Deploying Metricbeat to collect cluster-level metrics in large clusters + +The size and the number of nodes in a Kubernetes cluster can be fairly large at times, and in such cases +the Pod that will be collecting cluster level metrics might face performance issues due to +resources limitations. In this case users might consider to avoid using the leader election strategy +and instead run a dedicated, standalone Metribceat instance using a Deployment in addition to the DaemonSet. diff --git a/metricbeat/helper/prometheus/prometheus.go b/metricbeat/helper/prometheus/prometheus.go index 2859178d98f..0add9edd9bb 100644 --- a/metricbeat/helper/prometheus/prometheus.go +++ b/metricbeat/helper/prometheus/prometheus.go @@ -18,10 +18,12 @@ package prometheus import ( + "compress/gzip" "fmt" "io" "io/ioutil" "net/http" + "regexp" "github.com/pkg/errors" dto "github.com/prometheus/client_model/go" @@ -62,19 +64,33 @@ func NewPrometheusClient(base mb.BaseMetricSet) (Prometheus, error) { } http.SetHeaderDefault("Accept", acceptHeader) + http.SetHeaderDefault("Accept-Encoding", "gzip") return &prometheus{http, base.Logger()}, nil } // GetFamilies requests metric families from prometheus endpoint and returns them func (p *prometheus) GetFamilies() ([]*dto.MetricFamily, error) { + var reader io.Reader + resp, err := p.FetchResponse() if err != nil { return nil, err } defer resp.Body.Close() + if resp.Header.Get("Content-Encoding") == "gzip" { + greader, err := gzip.NewReader(resp.Body) + if err != nil { + return nil, err + } + defer greader.Close() + reader = greader + } else { + reader = resp.Body + } + if resp.StatusCode > 399 { - bodyBytes, err := ioutil.ReadAll(resp.Body) + bodyBytes, err := ioutil.ReadAll(reader) if err == nil { p.logger.Debug("error received from prometheus endpoint: ", string(bodyBytes)) } @@ -86,7 +102,7 @@ func (p *prometheus) GetFamilies() ([]*dto.MetricFamily, error) { return nil, fmt.Errorf("Invalid format for response of response") } - decoder := expfmt.NewDecoder(resp.Body, format) + decoder := expfmt.NewDecoder(reader, format) if decoder == nil { return nil, fmt.Errorf("Unable to create decoder to decode response") } @@ -284,3 +300,31 @@ func getLabels(metric *dto.Metric) common.MapStr { } return labels } + +// CompilePatternList compiles a pattern list and returns the list of the compiled patterns +func CompilePatternList(patterns *[]string) ([]*regexp.Regexp, error) { + var compiledPatterns []*regexp.Regexp + compiledPatterns = []*regexp.Regexp{} + if patterns != nil { + for _, pattern := range *patterns { + r, err := regexp.Compile(pattern) + if err != nil { + return nil, errors.Wrapf(err, "compiling pattern '%s'", pattern) + } + compiledPatterns = append(compiledPatterns, r) + } + return compiledPatterns, nil + } + return []*regexp.Regexp{}, nil +} + +// MatchMetricFamily checks if the given family/metric name matches any of the given patterns +func MatchMetricFamily(family string, matchMetrics []*regexp.Regexp) bool { + for _, checkMetric := range matchMetrics { + matched := checkMetric.MatchString(family) + if matched { + return true + } + } + return false +} diff --git a/metricbeat/helper/prometheus/prometheus_test.go b/metricbeat/helper/prometheus/prometheus_test.go index b1557115d83..974f51f1a10 100644 --- a/metricbeat/helper/prometheus/prometheus_test.go +++ b/metricbeat/helper/prometheus/prometheus_test.go @@ -19,6 +19,7 @@ package prometheus import ( "bytes" + "compress/gzip" "io/ioutil" "net/http" "sort" @@ -185,10 +186,17 @@ var _ = httpfetcher(&mockFetcher{}) // FetchResponse returns an HTTP response but for the Body, which // returns the mockFetcher.Response contents func (m mockFetcher) FetchResponse() (*http.Response, error) { + body := bytes.NewBuffer(nil) + writer := gzip.NewWriter(body) + writer.Write([]byte(m.response)) + writer.Close() + return &http.Response{ StatusCode: 200, - Header: make(http.Header), - Body: ioutil.NopCloser(bytes.NewReader([]byte(m.response))), + Header: http.Header{ + "Content-Encoding": []string{"gzip"}, + }, + Body: ioutil.NopCloser(body), }, nil } diff --git a/metricbeat/helper/windows/pdh/pdh_query_windows.go b/metricbeat/helper/windows/pdh/pdh_query_windows.go index 65ad0372fcb..3c51df5073a 100644 --- a/metricbeat/helper/windows/pdh/pdh_query_windows.go +++ b/metricbeat/helper/windows/pdh/pdh_query_windows.go @@ -212,6 +212,12 @@ func (q *Query) ExpandWildCardPath(wildCardPath string) ([]string, error) { expdPaths, err = PdhExpandCounterPath(utfPath) } else { expdPaths, err = PdhExpandWildCardPath(utfPath) + // rarely the PdhExpandWildCardPathW will not retrieve the expanded buffer size initially so the next call will encounter the PDH_MORE_DATA error since the specified size on the input is still less than + // the required size. If this is the case we will fallback on the PdhExpandCounterPathW api since it looks to act in a more stable manner. The PdhExpandCounterPathW api does come with some limitations but will + // satisfy most cases and return valid paths. + if err == PDH_MORE_DATA { + expdPaths, err = PdhExpandCounterPath(utfPath) + } } if err != nil { return nil, err diff --git a/metricbeat/helper/windows/pdh/pdh_query_windows_test.go b/metricbeat/helper/windows/pdh/pdh_query_windows_test.go index 2b5038e42c4..20d894d3924 100644 --- a/metricbeat/helper/windows/pdh/pdh_query_windows_test.go +++ b/metricbeat/helper/windows/pdh/pdh_query_windows_test.go @@ -28,7 +28,7 @@ import ( func TestOpenSuccessful(t *testing.T) { var q Query err := q.Open() - assert.Nil(t, err) + assert.NoError(t, err) defer q.Close() } @@ -85,7 +85,7 @@ func TestSuccessfulQuery(t *testing.T) { t.Fatal(err) } list, err := q.GetFormattedCounterValues() - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, list) } diff --git a/metricbeat/helper/windows/pdh/pdh_windows_test.go b/metricbeat/helper/windows/pdh/pdh_windows_test.go index 88286751fba..1ff28f12783 100644 --- a/metricbeat/helper/windows/pdh/pdh_windows_test.go +++ b/metricbeat/helper/windows/pdh/pdh_windows_test.go @@ -59,7 +59,7 @@ func TestPdhGetFormattedCounterValueInvalidCounter(t *testing.T) { // TestPdhExpandWildCardPathInvalidPath will test for invalid query path. func TestPdhExpandWildCardPathInvalidPath(t *testing.T) { utfPath, err := syscall.UTF16PtrFromString("sdfhsdhfd") - assert.Nil(t, err) + assert.NoError(t, err) queryList, err := PdhExpandWildCardPath(utfPath) assert.Nil(t, queryList) assert.EqualValues(t, err, PDH_INVALID_PATH) @@ -122,7 +122,7 @@ func TestPdhSuccessfulCounterRetrieval(t *testing.T) { } for _, counter := range counters { counterType, counterValue, err := PdhGetFormattedCounterValueDouble(counter) - assert.Nil(t, err) + assert.NoError(t, err) assert.NotZero(t, counterType) assert.NotNil(t, counterValue) } diff --git a/metricbeat/include/list_docker.go b/metricbeat/include/list_docker.go index 18a34924bd8..6a9201efc72 100644 --- a/metricbeat/include/list_docker.go +++ b/metricbeat/include/list_docker.go @@ -42,6 +42,7 @@ import ( _ "github.com/elastic/beats/v7/metricbeat/module/kubernetes/scheduler" _ "github.com/elastic/beats/v7/metricbeat/module/kubernetes/state_container" _ "github.com/elastic/beats/v7/metricbeat/module/kubernetes/state_cronjob" + _ "github.com/elastic/beats/v7/metricbeat/module/kubernetes/state_daemonset" _ "github.com/elastic/beats/v7/metricbeat/module/kubernetes/state_deployment" _ "github.com/elastic/beats/v7/metricbeat/module/kubernetes/state_node" _ "github.com/elastic/beats/v7/metricbeat/module/kubernetes/state_persistentvolume" diff --git a/metricbeat/magefile.go b/metricbeat/magefile.go index 84474e39fe5..661239410b2 100644 --- a/metricbeat/magefile.go +++ b/metricbeat/magefile.go @@ -191,19 +191,18 @@ func GoIntegTest(ctx context.Context) error { // PythonIntegTest executes the python system tests in the integration // environment (Docker). // Use MODULE=module to run only tests for `module`. -// Use NOSE_TESTMATCH=pattern to only run tests matching the specified pattern. -// Use any other NOSE_* environment variable to influence the behavior of -// nosetests. +// Use PYTEST_ADDOPTS="-k pattern" to only run tests matching the specified pattern. +// Use any other PYTEST_* environment variable to influence the behavior of pytest. func PythonIntegTest(ctx context.Context) error { if !devtools.IsInIntegTestEnv() { mg.SerialDeps(Fields, Dashboards) } - runner, err := devtools.NewDockerIntegrationRunner(devtools.ListMatchingEnvVars("NOSE_")...) + runner, err := devtools.NewDockerIntegrationRunner(devtools.ListMatchingEnvVars("PYTEST_")...) if err != nil { return err } return runner.Test("pythonIntegTest", func() error { mg.Deps(devtools.BuildSystemTestBinary) - return devtools.PythonNoseTestForModule(devtools.DefaultPythonTestIntegrationArgs()) + return devtools.PythonTestForModule(devtools.DefaultPythonTestIntegrationArgs()) }) } diff --git a/metricbeat/mb/lightmetricset.go b/metricbeat/mb/lightmetricset.go index 2354187b4ea..b78b2ef997c 100644 --- a/metricbeat/mb/lightmetricset.go +++ b/metricbeat/mb/lightmetricset.go @@ -18,9 +18,6 @@ package mb import ( - "fmt" - "net/url" - "github.com/pkg/errors" "github.com/elastic/beats/v7/libbeat/common" @@ -55,13 +52,17 @@ func (m *LightMetricSet) Registration(r *Register) (MetricSetRegistration, error originalFactory := registration.Factory registration.IsDefault = m.Default + // Disable the host parser, we will call it as part of the factory so the original + // host in the base module is not modified. + originalHostParser := registration.HostParser + registration.HostParser = nil + // Light modules factory has to override defaults and reproduce builder // functionality with the resulting configuration, it does: // - Override defaults // - Call module factory if registered (it wouldn't have been called // if light module is really a registered mixed module) - // - Call host parser if defined (it would have already been called - // without the light module defaults) + // - Call host parser if there was one defined // - Finally, call the original factory for the registered metricset registration.Factory = func(base BaseMetricSet) (MetricSet, error) { // Override default config on base module and metricset @@ -83,11 +84,9 @@ func (m *LightMetricSet) Registration(r *Register) (MetricSetRegistration, error base.module = module } - // At this point host parser was already run, we need to run this again - // with the overriden defaults - if registration.HostParser != nil { - host := m.useHostURISchemeIfPossible(base.host, base.hostData.URI) - base.hostData, err = registration.HostParser(base.module, host) + // Run the host parser if there was anyone defined + if originalHostParser != nil { + base.hostData, err = originalHostParser(base.module, base.host) if err != nil { return nil, errors.Wrapf(err, "host parser failed on light metricset factory for '%s/%s'", m.Module, m.Name) } @@ -100,18 +99,6 @@ func (m *LightMetricSet) Registration(r *Register) (MetricSetRegistration, error return registration, nil } -// useHostURISchemeIfPossible method parses given URI to extract protocol scheme and prepend it to the host. -// It prevents from skipping protocol scheme (e.g. https) while executing HostParser. -func (m *LightMetricSet) useHostURISchemeIfPossible(host, uri string) string { - u, err := url.ParseRequestURI(uri) - if err == nil { - if u.Scheme != "" { - return fmt.Sprintf("%s://%s", u.Scheme, u.Host) - } - } - return host -} - // baseModule does the configuration overrides in the base module configuration // taking into account the light metric set default configurations func (m *LightMetricSet) baseModule(from Module) (*BaseModule, error) { diff --git a/metricbeat/mb/module/wrapper.go b/metricbeat/mb/module/wrapper.go index f8375b4adf6..f0d1552c815 100644 --- a/metricbeat/mb/module/wrapper.go +++ b/metricbeat/mb/module/wrapper.go @@ -142,7 +142,7 @@ func (mw *Wrapper) Start(done <-chan struct{}) <-chan beat.Event { defer msw.close() registry.Add(metricsPath, msw.Metrics(), monitoring.Full) - monitoring.NewString(msw.Metrics(), "starttime").Set(common.Time{}.String()) + monitoring.NewString(msw.Metrics(), "starttime").Set(common.Time(time.Now()).String()) msw.run(done, out) }(msw) @@ -392,7 +392,7 @@ func (r reporterV2) Event(event mb.Event) bool { } if event.Host == "" { - event.Host = r.msw.Host() + event.Host = r.msw.HostData().SanitizedURI } if event.Error == nil { diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index 2badf80ceff..9b6f37eb447 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml @@ -273,12 +273,9 @@ metricbeat.modules: #password: "changeme" #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - # Set to false to fetch all entries #index_recovery.active_only: true - - # Set to true to send data collected by module to X-Pack - # Monitoring instead of metricbeat-* indices. #xpack.enabled: false + #scope: node #------------------------------ Envoyproxy Module ------------------------------ - module: envoyproxy @@ -492,6 +489,7 @@ metricbeat.modules: enabled: true metricsets: - state_node + - state_daemonset - state_deployment - state_replicaset - state_statefulset @@ -647,8 +645,10 @@ metricbeat.modules: #-------------------------------- MySQL Module -------------------------------- - module: mysql metricsets: - - "status" - # - "galera_status" + - status + # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" @@ -1255,10 +1255,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 @@ -1371,20 +1379,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1394,7 +1409,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -1557,30 +1572,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -1593,6 +1615,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -1700,42 +1728,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. @@ -1868,6 +1910,11 @@ output.elasticsearch: # Set to false to disable template loading. #setup.template.enabled: true +# Select the kind of index template. From Elasticsearch 7.8, it is possible to +# use component templates. Available options: legacy, component, index. +# By default metricbeat uses the legacy index templates. +#setup.template.type: legacy + # Template name. By default the template name is "metricbeat-%{[agent.version]}" # The template name and pattern has to be set in case the Elasticsearch index pattern is modified. #setup.template.name: "metricbeat-%{[agent.version]}" @@ -1971,20 +2018,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -2003,6 +2061,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog @@ -2153,17 +2222,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -2186,6 +2262,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/metricbeat/module/aerospike/test_aerospike.py b/metricbeat/module/aerospike/test_aerospike.py index 4c7e026ca92..d3a1e7ec2a6 100644 --- a/metricbeat/module/aerospike/test_aerospike.py +++ b/metricbeat/module/aerospike/test_aerospike.py @@ -1,10 +1,8 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/apache/test_apache.py b/metricbeat/module/apache/test_apache.py index f47d046bdae..181fb73593d 100644 --- a/metricbeat/module/apache/test_apache.py +++ b/metricbeat/module/apache/test_apache.py @@ -1,15 +1,13 @@ +import metricbeat import os +import pytest +import semver +import sys +import time import unittest -from nose.plugins.attrib import attr -import urllib.request import urllib.error import urllib.parse -import time -import semver -import sys - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat +import urllib.request APACHE_FIELDS = metricbeat.COMMON_FIELDS + ["apache"] @@ -39,7 +37,7 @@ class ApacheStatusTest(metricbeat.BaseTest): COMPOSE_SERVICES = ['apache'] @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_output(self): """ Apache module outputs an event. diff --git a/metricbeat/module/ceph/test_ceph.py b/metricbeat/module/ceph/test_ceph.py index 9f9c70561f5..91bb6e56e7c 100644 --- a/metricbeat/module/ceph/test_ceph.py +++ b/metricbeat/module/ceph/test_ceph.py @@ -1,3 +1,4 @@ +import metricbeat import os import requests import sys @@ -5,9 +6,6 @@ import unittest from parameterized import parameterized -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - @metricbeat.parameterized_with_supported_versions class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/consul/test_consul.py b/metricbeat/module/consul/test_consul.py index 5ee0f5ac2a8..c18dff5a2f1 100644 --- a/metricbeat/module/consul/test_consul.py +++ b/metricbeat/module/consul/test_consul.py @@ -1,10 +1,8 @@ +import metricbeat import os +import pytest import sys import unittest -from nose.plugins.attrib import attr - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat CONSUL_FIELDS = metricbeat.COMMON_FIELDS + ["consul"] @@ -27,7 +25,7 @@ class ConsulAgentTest(metricbeat.BaseTest): COMPOSE_SERVICES = ['consul'] @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_output(self): """ Consul agent module outputs an event. diff --git a/metricbeat/module/couchbase/test_couchbase.py b/metricbeat/module/couchbase/test_couchbase.py index 71c5edd92cb..c42133233dc 100644 --- a/metricbeat/module/couchbase/test_couchbase.py +++ b/metricbeat/module/couchbase/test_couchbase.py @@ -1,11 +1,9 @@ +import metricbeat import os import sys import unittest from parameterized import parameterized -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/couchdb/test_couchdb.py b/metricbeat/module/couchdb/test_couchdb.py index b7f2b539440..c80a5f231a0 100644 --- a/metricbeat/module/couchdb/test_couchdb.py +++ b/metricbeat/module/couchdb/test_couchdb.py @@ -1,10 +1,8 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/docker/test_docker.py b/metricbeat/module/docker/test_docker.py index 22a86784e02..a7379cdbcbb 100644 --- a/metricbeat/module/docker/test_docker.py +++ b/metricbeat/module/docker/test_docker.py @@ -1,10 +1,7 @@ +import metricbeat import os import sys import unittest -from nose.plugins.attrib import attr - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/dropwizard/test_dropwizard.py b/metricbeat/module/dropwizard/test_dropwizard.py index 8e771c511c2..1e81d70175e 100644 --- a/metricbeat/module/dropwizard/test_dropwizard.py +++ b/metricbeat/module/dropwizard/test_dropwizard.py @@ -1,10 +1,8 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - @metricbeat.parameterized_with_supported_versions class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/elasticsearch/_meta/config.reference.yml b/metricbeat/module/elasticsearch/_meta/config.reference.yml index cc446dfc6e7..61599fa2ae2 100644 --- a/metricbeat/module/elasticsearch/_meta/config.reference.yml +++ b/metricbeat/module/elasticsearch/_meta/config.reference.yml @@ -13,9 +13,6 @@ #password: "changeme" #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - # Set to false to fetch all entries #index_recovery.active_only: true - - # Set to true to send data collected by module to X-Pack - # Monitoring instead of metricbeat-* indices. #xpack.enabled: false + #scope: node diff --git a/metricbeat/module/elasticsearch/_meta/docs.asciidoc b/metricbeat/module/elasticsearch/_meta/docs.asciidoc index 0a259e61e3c..b2b1a585a69 100644 --- a/metricbeat/module/elasticsearch/_meta/docs.asciidoc +++ b/metricbeat/module/elasticsearch/_meta/docs.asciidoc @@ -6,7 +6,16 @@ The `elasticsearch` module collects metrics about {es}. The `elasticsearch` module works with {es} 6.7.0 and later. [float] -=== Usage for Stack Monitoring +=== Module-specific configuration notes + +Like other {beatname_uc} modules, the `elasticsearch` module accepts a `hosts` configuration setting. +This setting can contain a list of entries. The related `scope` setting determines how each entry in +the `hosts` list is interpreted by the module. + +* If `scope` is set to `node` (default), each entry in the `hosts` list indicates a distinct node in an + {es} cluster. +* If `scope` is set to `cluster`, each entry in the `hosts` list indicates a single endpoint for a distinct + {es} cluster (for example, a load-balancing proxy fronting the cluster). The `elasticsearch` module can be used to collect metrics shown in our {stack} {monitor-features} UI in {kib}. To enable this usage, set `xpack.enabled: true` and remove any `metricsets` diff --git a/metricbeat/module/elasticsearch/ccr/ccr.go b/metricbeat/module/elasticsearch/ccr/ccr.go index 591f3d12e22..74f7a232281 100644 --- a/metricbeat/module/elasticsearch/ccr/ccr.go +++ b/metricbeat/module/elasticsearch/ccr/ccr.go @@ -56,14 +56,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch gathers stats for each follower shard from the _ccr/stats API func (m *MetricSet) Fetch(r mb.ReporterV2) error { - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.GetServiceURI()) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch ccr stats from a non-master node") + if shouldSkip { return nil } diff --git a/metricbeat/module/elasticsearch/cluster_stats/cluster_stats.go b/metricbeat/module/elasticsearch/cluster_stats/cluster_stats.go index 425ef0abacf..cd076cac83d 100644 --- a/metricbeat/module/elasticsearch/cluster_stats/cluster_stats.go +++ b/metricbeat/module/elasticsearch/cluster_stats/cluster_stats.go @@ -18,8 +18,6 @@ package cluster_stats import ( - "github.com/pkg/errors" - "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/module/elasticsearch" ) @@ -51,14 +49,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch methods implements the data gathering and data conversion to the right format func (m *MetricSet) Fetch(r mb.ReporterV2) error { - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.HostData().SanitizedURI+clusterStatsPath) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch cluster stats from a non-master node") + if shouldSkip { return nil } diff --git a/metricbeat/module/elasticsearch/elasticsearch.go b/metricbeat/module/elasticsearch/elasticsearch.go index 48050b224cc..a84bf644f3c 100644 --- a/metricbeat/module/elasticsearch/elasticsearch.go +++ b/metricbeat/module/elasticsearch/elasticsearch.go @@ -60,17 +60,23 @@ func NewModule(base mb.BaseModule) (mb.Module, error) { return elastic.NewModule(&base, xpackEnabledMetricSets, logp.NewLogger(ModuleName)) } -// CCRStatsAPIAvailableVersion is the version of Elasticsearch since when the CCR stats API is available. -var CCRStatsAPIAvailableVersion = common.MustNewVersion("6.5.0") +var ( + // CCRStatsAPIAvailableVersion is the version of Elasticsearch since when the CCR stats API is available. + CCRStatsAPIAvailableVersion = common.MustNewVersion("6.5.0") + + // EnrichStatsAPIAvailableVersion is the version of Elasticsearch since when the Enrich stats API is available. + EnrichStatsAPIAvailableVersion = common.MustNewVersion("7.5.0") -// EnrichStatsAPIAvailableVersion is the version of Elasticsearch since when the Enrich stats API is available. -var EnrichStatsAPIAvailableVersion = common.MustNewVersion("7.5.0") + // BulkStatsAvailableVersion is the version since when bulk indexing stats are available + BulkStatsAvailableVersion = common.MustNewVersion("8.0.0") -// BulkStatsAvailableVersion is the version since when bulk indexing stats are available -var BulkStatsAvailableVersion = common.MustNewVersion("8.0.0") + //ExpandWildcardsHiddenAvailableVersion is the version since when the "expand_wildcards" query parameter to + // the Indices Stats API can accept "hidden" as a value. + ExpandWildcardsHiddenAvailableVersion = common.MustNewVersion("7.7.0") -// Global clusterIdCache. Assumption is that the same node id never can belong to a different cluster id. -var clusterIDCache = map[string]string{} + // Global clusterIdCache. Assumption is that the same node id never can belong to a different cluster id. + clusterIDCache = map[string]string{} +) // ModuleName is the name of this module. const ModuleName = "elasticsearch" @@ -436,6 +442,28 @@ func IsMLockAllEnabled(http *helper.HTTP, resetURI, nodeID string) (bool, error) return false, fmt.Errorf("could not determine if mlockall is enabled on node ID = %v", nodeID) } +// GetMasterNodeID returns the ID of the Elasticsearch cluster's master node +func GetMasterNodeID(http *helper.HTTP, resetURI string) (string, error) { + content, err := fetchPath(http, resetURI, "_nodes/_master", "filter_path=nodes.*.name") + if err != nil { + return "", err + } + + var response struct { + Nodes map[string]interface{} `json:"nodes"` + } + + if err := json.Unmarshal(content, &response); err != nil { + return "", err + } + + for nodeID, _ := range response.Nodes { + return nodeID, nil + } + + return "", errors.New("could not determine master node ID") +} + // PassThruField copies the field at the given path from the given source data object into // the same path in the given target data object. func PassThruField(fieldPath string, sourceData, targetData common.MapStr) error { diff --git a/metricbeat/module/elasticsearch/enrich/enrich.go b/metricbeat/module/elasticsearch/enrich/enrich.go index 6b60394a23e..c533657502a 100644 --- a/metricbeat/module/elasticsearch/enrich/enrich.go +++ b/metricbeat/module/elasticsearch/enrich/enrich.go @@ -55,14 +55,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch gathers stats for each enrich coordinator node func (m *MetricSet) Fetch(r mb.ReporterV2) error { - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.GetServiceURI()) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch enrich stats from a non-master node") + if shouldSkip { return nil } diff --git a/metricbeat/module/elasticsearch/fields.go b/metricbeat/module/elasticsearch/fields.go index aadc37a05c3..03c96ad20a5 100644 --- a/metricbeat/module/elasticsearch/fields.go +++ b/metricbeat/module/elasticsearch/fields.go @@ -32,5 +32,5 @@ func init() { // AssetElasticsearch returns asset data. // This is the base64 encoded gzipped contents of module/elasticsearch. func AssetElasticsearch() string { - return "eJzsXN1u47oRvvdTDHK1B0j0AL7ozfacbQpsuuhmCxRFoaWlsc2EPwpJOXafviAp2bJMWbIkx14c+y6W9c03v5yhqDzAK26mgIxoQxONRCXLCYChhuEU7n6vfn83AUhRJ4pmhkoxhb9MAAD2fgNcpjnDCYBChkTjFBZkAqDRGCoWegr/udOa3d3D3dKY7O6/9tpSKhMnUszpYgpzwrS9f06RpXrqRDyAIBwPadqP2WRWiJJ5VnwT4LgPV4VMWK4Nqsj+tb1Yor7i5l2qtPJ9ENt/9u1Q4Dop0aRRLE3PIZSmR0RqQwyOLNhhhsUKmQ6X9iRThMe/NqAP953D9646MFuiDrCr0daC/FlJrR9KxyjMGE2I/aGzma78dj9hyk89bqvUGJIU1d6lJoZNUFU4KlJcH1xttmcH7cvPE+EIcl4wbpBU8uBkHWt8i4VsJMOkWPRj8pWsKc85aHzLUSQIIuczVJaczFB510gBZoklW70kNb1LpnPJmHz/tVxQcm5xglM68sY5gxuetla3hnbC4J2aJfWWP85t6ygdvytqDIqzMtyJ87wwhU9lImP6G1BhpGO9Na3XZ64kPx5HVaUM5RhrKhKMbWmNFZI04voMmj1TjvdABXB9D07iPnsrHuZokiUeKNFIf8HkjLA4WWLymkkqzBmIf3EyYCcDVoTlaNN13/RH1z49qJwXhXx48bYIed29x/K8xUBVZrmGTwuFKO5hg9Yw96Aw/S0KErFLaJhHqIK1sLALqXYcqGsPok4FcOsmmQcC50jYtAbNszSEVWq8U9bGfhkRDUw4sVdHpbIrKB78ARld0BnDzqRSYsiZKFnoFh6VNYom40XMo4e74pgpFO7gIFd8Dkt2s206sPnu1pJm67Q3FWELjbCO1OzktT9iph2lTFFOFD2IonPQ8rI27fS2XZ21p02IiCOXahPNNibAdEiIfXXAkGu7wkpVEXmwdKFQdDvsQp8163eHMMKS9ZZjjpGm/8Ng8gdM0bZa7GLHz5HKduXaOC/ZpsNLDJJRyKXBuLxjtBY8yZXCs+TLZ49cnThyow0RKRWLQp+tBZpzx9j4Pm/D20wLcI1JbjAtGke7ZNjIUibPwn4qb4i9i1FHIQXGjyCzJKZIHsiUTFBrqTQsyQq7KdE0k52cf3WA0xOvtsEBwzrFR8unttsBLQHWP59Smejoo5agVCY5R7ErIM72zbnkyKXI0GBorB6dnpd0Mk1tpPKFt2EtaqE6l4oTM4WmmzurYimUQ7vjbBVwqEfI48Lp+mFB4IltxbYTO7rMf5Rpd/x5pTmYbfwGSUE1YO5wvYoUJnKFanPZwkXrWdW3zvsuuFTK7TSH5Fn48QplTahFCostWsyg5JmUDEl9h6pF8rPKEWitdw3L1oYsRtT5n6W2DjcQZlXZhqgFmqjBy73kPztIvyQ3etmLXUpdLycjCbbIQNJUodbwKZE5S2GG8Pht+6VU7keWT8O2SkFy3KW7SnJ/AQ/HhsxVgqP657uDPO6fQuy4/qkKHsM/Bclx/VMlGX6c5KuzznmtYFygODcN4bdebxR6t17v1uu18j+t14PblHbL3Fvm/oKZu32uxKIXORuy7nN2jomsV7fzQ9C3HIEzeJGz5m7QEDNii/V3OfOQYWkpMSR2MayjYtsP09jOcCqNQ7HddyL9VoL7Z2e4OgzjECcqVoTRNE6JwVH5PC+rZ1m8wtqdqQCkZokKCHCqNRULSwh9lNhGmfi/3Yap76WFNLafzojSmAZmjIOwtg3vkKCu3X96WK9QaSrrU/aAMHMnwgrUsFdfVrzz8tsW0//6Co9iLrs9+WzTuk3zDoRKUkEDVBkURXmJJIuooOZi5flvSDKwDPYqstWhfe2rKsHJ+rI6cLLur4KQ4vKueJLiYQR3lLpc0iNbVbp7ZTddu/Uh4kwmr4SFW/Vem4OP8xIcLDam7iyXN1qwMg8/9mRR4uEPkEc+OuJqNK2cH6kjX9XUg2uqjVt9y7nieieeK5oTfrUJoRy+WsZ4GHFw7DUYOqEtNexlxa1Ro0xKNlrW2tJZDE8Wt1fiStacFuFzVp2s9A+WHlI79FszP9g/xt7oTmhzKXQIybpSDT9xZ96bQrBKOEPyeiWMvyF57Uo5vh5DO9q8m7VtN3EltH/4xuZojdrIPEhkcM792wLfsu4aGN+y7tqyTudqRVey+Q2cAYn3vcC+5d41ML7l3qVzr7EDXiRRIhnDxEg1Whf85TNsQcNZ16EHLnkd2wMc2A7vJMAi6VsYmmZF6OL0DkS3Bah3ZLUI2euCzmx13xD9ue0ezMW5DpybgSFJ+AdlCHqjDXIIQ7cloXsKf5Edh61VFF7meXNJgKwIZWTGPpZF/c3ODN37CrEh+nVSF33CTufPEOBPSKQwhAoNBIoLYC9UkapJ2mdrVKMysVRNb/Sf/kTw0UHCIWTlAJhU1ITTqc8T0QDc/nG7oKQBJ+0i+EMqwDXhGbMK5eaBkyyjNep771hTEfvXig6qVu9Hr5S7nTQHexCh9de+Tw7J4m1yFzyDYuxsx5TNkmqg2u0rdjiyHPyvAuM893ZMjp+WHvMwwrPbSCUGu8hWyGRCjC0qoX9bMgIVd+608g8ViC6FFm/yR5P/BwAA//+sJJat" + return "eJzsXM1u47YTv/spBjntAokewIf/Zf/bNgU2WHSzvRSFlpbGFhN+KCTl2H36gqQkyzJlybYcZwv7Fsua+c33DD9yB8+4ngIyog1NNBKVZBMAQw3DKdx8bn5/MwFIUSeK5oZKMYX/TQAAtn4DXKYFwwmAQoZE4xQWZAKg0RgqFnoKf91ozW5u4SYzJr/52z7LpDJxIsWcLqYwJ0zb9+cUWaqnjsUdCMJxF6b9mHVumShZ5OU3AYzb5JokE1Zogyqyf9UPK6rPuH6VKm18H6TtP9t6KOk6LtGkky1Nz8GUpntYakMMjszY0QyzFTI9nduDTBHu/99B/XTbOfreVDtqS9QO7aa39VD+pKTWd5VhFOaMJsT+0OlMN367HTDVp+23TWgMSYpq61EXwi5STXJUpLjaedqtzwHSV58HwhHkvETcwanCwckq1vgSC9kJhkmxOA7JF7KivOCg8aVAkSCIgs9QWXAyR+VNIwWYDCu0OiMtuSukc8mYfP25TFBh7jGCEzryyjmDGR5qrVtFO2bwSk1Gveb3Y6sNpeNXRY1BcVaEG3YeF6bwoQpkTD8CFUY61LVqvTxzJfl+P2oKZSjHWFORYGxTa6yQpBHXZ5DskXK8BSqA61twHLfRW/YwR5NkuCNEJ/wFkzPC4iTD5DmXVJgzAP/V8YAND1gSVqAN123V7619+qR0Xiby05O3pVC0zbsvznsU1ERWaPiwUIjiFtZoFXMLCtOPURCILaFhHKEM1oPCFlLtMFDXHkSDEmBtJlkEHGeP2/Q6zaM0hDVyvBPW+n7lER1IOLFPR4WySSie+B0yuqAzhoNBpcSQM0GypHtwNGoUTcbzmHtP7h37TCnwAAO55LObsrt1MwDNN1dLurXT31SENTRCHWnpyUu/R00bSLminCi640XngOV5rfvh1V2d1acNiIgjl2odzdYmgPQUF/viCEOhbYWVqsFyp3ShULQeduGYmvXZURihZL0UWGCk6T8YDP6AKvqqxcZ3/BypbFeujbOSbTo8xyAYhVwajKs3RmvBk0IpPEu8fPKUmxNHYbQhIqViUcpTa6A7doz17/M2vN2wAFeYFAbTsnG0JcN6ljJFHrZT9ULsTYw6CgkwvgeZjJgyeCBXMkGtpdKQkSUOE6JrJjs4/toEDg+81gIHnNYp3ls8rdUO6HGw4+MplYmO3qoEpTIpOIpNAnG6744lBy5FhgZDY/Xo8Dyng2FqI5VPvB21qAfqXCpOzBS6Xh4sioVQDe0OsxXAUd0DHhdO1jdzAg+sZtsPbG+ZfyvVbvDzRnMwW/sFkhJqQN3hfBUpTOQS1fqyiYu2o+rYPO+74Eoot9Ic4mfJj5coW0wtpTDbssUMcp5JyZC0V6h6OD+qAoG2etcwb23IYkSZ/6ikdXQDbtbkbYhaoIk6rHwU/0dH0pfkTit7tpnU7XQyEmNLGUiaKtQaPiSyYCnMEO6/1l9K5X5k8XQsq5Qgxy3dTZDbBTzsG7JQCY5qn2+O5H77lGzHtU+T8Rj2KUGOa58myPB2ks/OuuCthHGB5Nw1hF97vVHgXXu9a6/Xi/+wXg+uU9o1cq+R+xNGbr2vxKInOTul7nN2jonsqG7nu6AvBQJn8CRn3d2gIWbEFut3OfMkw9xSYkjsfFhH5bIfprGd4VQah3z72In0a0Xc753hcteNQ5ioWBJG0zglBkfF85g1z7J4gbU7UwFITYYKCHCqNRULCwi9l9hGmfi/3YKp76WFNLafzonSmAZmjB23tg3vKU7dev9wt16i0lS2p+wT3MydCCuphq36tOSDy2+fT//5Be7FXA7b+eyTuk/yAYAqUEEFNBGUSTlDkkdUUHOx9Pwbkhwsgq2MbGXor31NIThZXVYGTlbHiyCkuLwpHqS4G8EclSyXtEgtynCrbKZrVx8izmTyTFi4VT9qcfB+XhEHSxtTd5bLKy2YmU8/9vStPn4AZCYLA0iSrFwEEkDCx5BP61MOPGXyrgYcXFll2UJbjRDvd7h5RyPBzzYMVHNWz8QOI86IR82AjmlPunpacqvUKJeSjRd1knX7dPg8VDdN2D4i3qk/6NMhDPABGKZr8CfKu6zehJwjeX43mL8ieR4KOn5PynbA+TCN23r9boB/983D3uSwlkUQyjVeLo35Gi9vDXxIvOhCLelSdt9PuYbM5TBfQ+atgYdCprPXWyRRIhnDxEg1ar9Xkd23LnVKXHYNI9Cv7Tq0j7DWVo3+j8kYdJK5DpxS2C9en3e4LctzzGw1ZoVn2Xur6JMloYzM2KhM2nfUcnQnr2ND9POkTfmANZsfIYI/IJHCECo0ECgfgH3QpNTMeces3GhUJpaq627y4Xsb944k7JJsHGWRipqwqx6ztxMgt31wKMjphDNDEfwiFeCK8JxZgQpzx0me0xb0rduiVMT+gsROsB+9iUS5WyhwZHc8tH2B9WCXLO/FOuc5ycfOduDSZFQD1W7ZZMDhy+D96HF28ByS/ec+x9xWfXTrRMTgEN4KmUyIsUkl9A8YRoDilpYbV8OJrpiWd5Kjyb8BAAD//5BO1pw=" } diff --git a/metricbeat/module/elasticsearch/index/index.go b/metricbeat/module/elasticsearch/index/index.go index 372f9a2dc82..69a291aa708 100644 --- a/metricbeat/module/elasticsearch/index/index.go +++ b/metricbeat/module/elasticsearch/index/index.go @@ -38,8 +38,12 @@ func init() { } const ( - statsMetrics = "docs,fielddata,indexing,merge,search,segments,store,refresh,query_cache,request_cache" - statsPath = "/_stats/" + statsMetrics + "?filter_path=indices&expand_wildcards=open,hidden" + statsMetrics = "docs,fielddata,indexing,merge,search,segments,store,refresh,query_cache,request_cache" + expandWildcards = "expand_wildcards=open" + statsPath = "/_stats/" + statsMetrics + "?filter_path=indices&" + expandWildcards + + bulkSuffix = ",bulk" + hiddenSuffix = ",hidden" ) // MetricSet type defines all fields of the MetricSet @@ -59,15 +63,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch gathers stats for each index from the _stats API func (m *MetricSet) Fetch(r mb.ReporterV2) error { - - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.HostData().SanitizedURI+statsPath) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch index stats from a non-master node") + if shouldSkip { return nil } @@ -118,21 +118,18 @@ func (m *MetricSet) updateServicePath(esVersion common.Version) error { func getServicePath(esVersion common.Version) (string, error) { currPath := statsPath - if esVersion.LessThan(elasticsearch.BulkStatsAvailableVersion) { - // Can't request bulk stats so don't change service URI - return currPath, nil - } - u, err := url.Parse(currPath) if err != nil { return "", err } - if strings.HasSuffix(u.Path, ",bulk") { - // Bulk stats already being requested so don't change service URI - return currPath, nil + if !esVersion.LessThan(elasticsearch.BulkStatsAvailableVersion) { + u.Path += bulkSuffix + } + + if !esVersion.LessThan(elasticsearch.ExpandWildcardsHiddenAvailableVersion) { + u.RawQuery = strings.Replace(u.RawQuery, expandWildcards, expandWildcards+hiddenSuffix, 1) } - u.Path += ",bulk" return u.String(), nil } diff --git a/metricbeat/module/elasticsearch/index/index_test.go b/metricbeat/module/elasticsearch/index/index_test.go index 3f6119180ae..fe44dca6ba9 100644 --- a/metricbeat/module/elasticsearch/index/index_test.go +++ b/metricbeat/module/elasticsearch/index/index_test.go @@ -27,18 +27,29 @@ import ( "github.com/stretchr/testify/require" ) -func TestGetServiceURI(t *testing.T) { +func TestGetServiceURIExpectedPath(t *testing.T) { + path770 := strings.Replace(statsPath, expandWildcards, expandWildcards+hiddenSuffix, 1) + path800 := strings.Replace(path770, statsMetrics, statsMetrics+bulkSuffix, 1) + tests := map[string]struct { esVersion *common.Version expectedPath string }{ "bulk_stats_unavailable": { - esVersion: common.MustNewVersion("7.7.0"), + esVersion: common.MustNewVersion("7.6.0"), expectedPath: statsPath, }, "bulk_stats_available": { esVersion: common.MustNewVersion("8.0.0"), - expectedPath: strings.Replace(statsPath, statsMetrics, statsMetrics+",bulk", 1), + expectedPath: path800, + }, + "expand_wildcards_hidden_unavailable": { + esVersion: common.MustNewVersion("7.6.0"), + expectedPath: statsPath, + }, + "expand_wildcards_hidden_available": { + esVersion: common.MustNewVersion("7.7.0"), + expectedPath: path770, }, } @@ -52,6 +63,9 @@ func TestGetServiceURI(t *testing.T) { } func TestGetServiceURIMultipleCalls(t *testing.T) { + path := strings.Replace(statsPath, expandWildcards, expandWildcards+hiddenSuffix, 1) + path = strings.Replace(path, statsMetrics, statsMetrics+bulkSuffix, 1) + err := quick.Check(func(r uint) bool { numCalls := 2 + (r % 10) // between 2 and 11 @@ -64,7 +78,7 @@ func TestGetServiceURIMultipleCalls(t *testing.T) { } } - return err == nil && uri == strings.Replace(statsPath, statsMetrics, statsMetrics+",bulk", 1) + return err == nil && uri == path }, nil) require.NoError(t, err) } diff --git a/metricbeat/module/elasticsearch/index_recovery/index_recovery.go b/metricbeat/module/elasticsearch/index_recovery/index_recovery.go index 68d1ee295d3..e30463e3848 100644 --- a/metricbeat/module/elasticsearch/index_recovery/index_recovery.go +++ b/metricbeat/module/elasticsearch/index_recovery/index_recovery.go @@ -18,8 +18,6 @@ package index_recovery import ( - "github.com/pkg/errors" - "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/module/elasticsearch" ) @@ -67,14 +65,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch gathers stats for each index from the _stats API func (m *MetricSet) Fetch(r mb.ReporterV2) error { - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.GetServiceURI()) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch index recovery stats from a non-master node") + if shouldSkip { return nil } diff --git a/metricbeat/module/elasticsearch/index_summary/index_summary.go b/metricbeat/module/elasticsearch/index_summary/index_summary.go index 569e23492cb..dc3dbdd7207 100644 --- a/metricbeat/module/elasticsearch/index_summary/index_summary.go +++ b/metricbeat/module/elasticsearch/index_summary/index_summary.go @@ -62,14 +62,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch gathers stats for each index from the _stats API func (m *MetricSet) Fetch(r mb.ReporterV2) error { - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.HostData().SanitizedURI+statsPath) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch index summary stats from a non-master node") + if shouldSkip { return nil } diff --git a/metricbeat/module/elasticsearch/metricset.go b/metricbeat/module/elasticsearch/metricset.go index c1daae4f577..22b4b2c6c49 100644 --- a/metricbeat/module/elasticsearch/metricset.go +++ b/metricbeat/module/elasticsearch/metricset.go @@ -18,6 +18,10 @@ package elasticsearch import ( + "fmt" + + "github.com/pkg/errors" + "github.com/elastic/beats/v7/metricbeat/helper" "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/mb/parse" @@ -36,6 +40,31 @@ var ( }.Build() ) +type Scope int + +const ( + // Indicates that each item in the hosts list points to a distinct Elasticsearch node in a + // cluster. + ScopeNode Scope = iota + + // Indicates that each item in the hosts lists points to a endpoint for a distinct Elasticsearch + // cluster (e.g. a load-balancing proxy) fronting the cluster. + ScopeCluster +) + +func (h *Scope) Unpack(str string) error { + switch str { + case "node": + *h = ScopeNode + case "cluster": + *h = ScopeCluster + default: + return fmt.Errorf("invalid scope: %v", str) + } + + return nil +} + // MetricSet can be used to build other metric sets that query RabbitMQ // management plugin type MetricSet struct { @@ -43,6 +72,7 @@ type MetricSet struct { servicePath string *helper.HTTP XPack bool + Scope Scope } // NewMetricSet creates an metric set that can be used to build other metric @@ -54,9 +84,11 @@ func NewMetricSet(base mb.BaseMetricSet, servicePath string) (*MetricSet, error) } config := struct { - XPack bool `config:"xpack.enabled"` + XPack bool `config:"xpack.enabled"` + Scope Scope `config:"scope"` }{ XPack: false, + Scope: ScopeNode, } if err := base.Module().UnpackConfig(&config); err != nil { return nil, err @@ -67,6 +99,7 @@ func NewMetricSet(base mb.BaseMetricSet, servicePath string) (*MetricSet, error) servicePath, http, config.XPack, + config.Scope, } ms.SetServiceURI(servicePath) @@ -84,3 +117,22 @@ func (m *MetricSet) SetServiceURI(servicePath string) { m.servicePath = servicePath m.HTTP.SetURI(m.GetServiceURI()) } + +func (m *MetricSet) ShouldSkipFetch() (bool, error) { + // If we're talking to a set of ES nodes directly, only collect stats from the master node so + // we don't collect the same stats from every node and end up duplicating them. + if m.Scope == ScopeNode { + isMaster, err := IsMaster(m.HTTP, m.GetServiceURI()) + if err != nil { + return false, errors.Wrap(err, "error determining if connected Elasticsearch node is master") + } + + // Not master, no event sent + if !isMaster { + m.Logger().Debugf("trying to fetch %v stats from a non-master node", m.Name()) + return true, nil + } + } + + return false, nil +} diff --git a/metricbeat/module/elasticsearch/ml_job/ml_job.go b/metricbeat/module/elasticsearch/ml_job/ml_job.go index 5f4dbe9f002..d5d58b2d2c6 100644 --- a/metricbeat/module/elasticsearch/ml_job/ml_job.go +++ b/metricbeat/module/elasticsearch/ml_job/ml_job.go @@ -18,8 +18,6 @@ package ml_job import ( - "github.com/pkg/errors" - "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/module/elasticsearch" ) @@ -54,15 +52,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch methods implements the data gathering and data conversion to the right format func (m *MetricSet) Fetch(r mb.ReporterV2) error { - - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.GetServiceURI()) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch machine learning job stats from a non-master node") + if shouldSkip { return nil } diff --git a/metricbeat/module/elasticsearch/node_stats/_meta/fields.yml b/metricbeat/module/elasticsearch/node_stats/_meta/fields.yml index 82c0d9feb70..07e5f502d14 100644 --- a/metricbeat/module/elasticsearch/node_stats/_meta/fields.yml +++ b/metricbeat/module/elasticsearch/node_stats/_meta/fields.yml @@ -1,13 +1,11 @@ - name: node.stats type: group description: > - node_stats + Statistics about each node in a Elasticsearch cluster release: ga fields: - name: indices type: group - description: > - Node indices stats fields: - name: docs.count type: long @@ -32,127 +30,104 @@ Total size of the store in bytes. - name: jvm.mem.pools type: group - description: > - JVM memory pool stats fields: - name: old type: group - description: > - Old memory pool stats. fields: - name: max.bytes type: long format: bytes - description: + description: > Max bytes. - name: peak.bytes type: long format: bytes - description: + description: > Peak bytes. - name: peak_max.bytes type: long format: bytes - description: + description: > Peak max bytes. - name: used.bytes type: long format: bytes - description: + description: > Used bytes. - name: young type: group - description: > - Young memory pool stats. fields: - name: max.bytes type: long format: bytes - description: + description: > Max bytes. - name: peak.bytes type: long format: bytes - description: + description: > Peak bytes. - name: peak_max.bytes type: long format: bytes - description: + description: > Peak max bytes. - name: used.bytes type: long format: bytes - description: + description: > Used bytes. - name: survivor type: group - description: > - Survivor memory pool stats. fields: - name: max.bytes type: long format: bytes - description: + description: > Max bytes. - name: peak.bytes type: long format: bytes - description: + description: > Peak bytes. - name: peak_max.bytes type: long format: bytes - description: + description: > Peak max bytes. - name: used.bytes type: long format: bytes - description: + description: > Used bytes. - name: jvm.gc.collectors type: group - description: > - GC collector stats. fields: - name: old.collection type: group - description: > - Old collection gc. fields: - name: count type: long - description: > - name: ms type: long - description: > - name: young.collection type: group - description: > - Young collection gc. fields: - name: count type: long - description: > - name: ms type: long - description: > - name: fs.summary type: group - description: > - File system summary fields: - name: total.bytes type: long format: bytes - description: > - name: free.bytes type: long format: bytes - description: > - name: available.bytes type: long format: bytes - description: > diff --git a/metricbeat/module/elasticsearch/node_stats/data_xpack.go b/metricbeat/module/elasticsearch/node_stats/data_xpack.go index 53340103176..e4efeb3b8e8 100644 --- a/metricbeat/module/elasticsearch/node_stats/data_xpack.go +++ b/metricbeat/module/elasticsearch/node_stats/data_xpack.go @@ -187,18 +187,14 @@ func eventsMappingXPack(r mb.ReporterV2, m *MetricSet, info elasticsearch.Info, return errors.Wrap(err, "failure parsing Elasticsearch Node Stats API response") } - // Normally the nodeStruct should only contain one node. But if _local is removed - // from the path and Metricbeat is not installed on the same machine as the node - // it will provid the data for multiple nodes. This will mean the detection of the - // master node will not be accurate anymore as often in these cases a proxy is in front - // of ES and it's not know if the request will be routed to the same node as before. + masterNodeID, err := elasticsearch.GetMasterNodeID(m.HTTP, m.HTTP.GetURI()) + if err != nil { + return err + } + var errs multierror.Errors for nodeID, node := range nodesStruct.Nodes { - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.HTTP.GetURI()) - if err != nil { - errs = append(errs, errors.Wrap(err, "error determining if connected Elasticsearch node is master")) - continue - } + isMaster := nodeID == masterNodeID event := mb.Event{} @@ -207,6 +203,7 @@ func eventsMappingXPack(r mb.ReporterV2, m *MetricSet, info elasticsearch.Info, errs = append(errs, errors.Wrap(err, "failure to apply node schema")) continue } + nodeData["node_master"] = isMaster nodeData["node_id"] = nodeID diff --git a/metricbeat/module/elasticsearch/node_stats/node_stats.go b/metricbeat/module/elasticsearch/node_stats/node_stats.go index 7498948fd76..5f856e2eeac 100644 --- a/metricbeat/module/elasticsearch/node_stats/node_stats.go +++ b/metricbeat/module/elasticsearch/node_stats/node_stats.go @@ -18,6 +18,8 @@ package node_stats import ( + "net/url" + "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/module/elasticsearch" ) @@ -33,7 +35,8 @@ func init() { } const ( - nodeStatsPath = "/_nodes/_local/stats" + nodeLocalStatsPath = "/_nodes/_local/stats" + nodesAllStatsPath = "/_nodes/_all/stats" ) // MetricSet type defines all fields of the MetricSet @@ -44,7 +47,7 @@ type MetricSet struct { // New create a new instance of the MetricSet func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Get the stats from the local node - ms, err := elasticsearch.NewMetricSet(base, nodeStatsPath) + ms, err := elasticsearch.NewMetricSet(base, "") // servicePath will be set in Fetch() if err != nil { return nil, err } @@ -53,6 +56,14 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch methods implements the data gathering and data conversion to the right format func (m *MetricSet) Fetch(r mb.ReporterV2) error { + if err := m.updateServiceURI(); err != nil { + if m.XPack { + m.Logger().Error(err) + return nil + } + return err + } + content, err := m.HTTP.FetchContent() if err != nil { return err @@ -78,3 +89,28 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { return nil } + +func (m *MetricSet) updateServiceURI() error { + u, err := getServiceURI(m.GetURI(), m.Scope) + if err != nil { + return err + } + + m.HTTP.SetURI(u) + return nil + +} + +func getServiceURI(currURI string, scope elasticsearch.Scope) (string, error) { + u, err := url.Parse(currURI) + if err != nil { + return "", err + } + + u.Path = nodeLocalStatsPath + if scope == elasticsearch.ScopeCluster { + u.Path = nodesAllStatsPath + } + + return u.String(), nil +} diff --git a/metricbeat/module/elasticsearch/node_stats/node_stats_test.go b/metricbeat/module/elasticsearch/node_stats/node_stats_test.go new file mode 100644 index 00000000000..120493947b5 --- /dev/null +++ b/metricbeat/module/elasticsearch/node_stats/node_stats_test.go @@ -0,0 +1,50 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package node_stats + +import ( + "testing" + + "github.com/elastic/beats/v7/metricbeat/module/elasticsearch" + + "github.com/stretchr/testify/require" +) + +func TestGetServiceURI(t *testing.T) { + tests := map[string]struct { + scope elasticsearch.Scope + expectedURI string + }{ + "scope_node": { + scope: elasticsearch.ScopeNode, + expectedURI: "/_nodes/_local/stats", + }, + "scope_cluster": { + scope: elasticsearch.ScopeCluster, + expectedURI: "/_nodes/_all/stats", + }, + } + + for name, test := range tests { + t.Run(name, func(t *testing.T) { + newURI, err := getServiceURI("/foo/bar", test.scope) + require.NoError(t, err) + require.Equal(t, test.expectedURI, newURI) + }) + } +} diff --git a/metricbeat/module/elasticsearch/pending_tasks/pending_tasks.go b/metricbeat/module/elasticsearch/pending_tasks/pending_tasks.go index 01f11e76318..a25ffb2b9a8 100644 --- a/metricbeat/module/elasticsearch/pending_tasks/pending_tasks.go +++ b/metricbeat/module/elasticsearch/pending_tasks/pending_tasks.go @@ -18,8 +18,6 @@ package pending_tasks import ( - "github.com/pkg/errors" - "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/module/elasticsearch" ) @@ -59,14 +57,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch methods implements the data gathering and data conversion to the right format func (m *MetricSet) Fetch(r mb.ReporterV2) error { - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.GetServiceURI()) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch pending tasks from a non-master node") + if shouldSkip { return nil } diff --git a/metricbeat/module/elasticsearch/shard/shard.go b/metricbeat/module/elasticsearch/shard/shard.go index fa46777dffd..4367810a8ca 100644 --- a/metricbeat/module/elasticsearch/shard/shard.go +++ b/metricbeat/module/elasticsearch/shard/shard.go @@ -18,8 +18,6 @@ package shard import ( - "github.com/pkg/errors" - "github.com/elastic/beats/v7/metricbeat/mb" "github.com/elastic/beats/v7/metricbeat/module/elasticsearch" ) @@ -53,14 +51,11 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // Fetch methods implements the data gathering and data conversion to the right format func (m *MetricSet) Fetch(r mb.ReporterV2) error { - isMaster, err := elasticsearch.IsMaster(m.HTTP, m.HostData().SanitizedURI+statePath) + shouldSkip, err := m.ShouldSkipFetch() if err != nil { - return errors.Wrap(err, "error determining if connected Elasticsearch node is master") + return err } - - // Not master, no event sent - if !isMaster { - m.Logger().Debug("trying to fetch shard stats from a non-master node") + if shouldSkip { return nil } diff --git a/metricbeat/module/elasticsearch/test_elasticsearch.py b/metricbeat/module/elasticsearch/test_elasticsearch.py index f8e2762b8cf..e11dd4b63de 100644 --- a/metricbeat/module/elasticsearch/test_elasticsearch.py +++ b/metricbeat/module/elasticsearch/test_elasticsearch.py @@ -1,19 +1,15 @@ +import json +import metricbeat +import os import re +import semver import sys -import os import unittest -from elasticsearch import Elasticsearch, TransportError, client -from parameterized import parameterized -from nose.plugins.skip import SkipTest -import urllib.request import urllib.error import urllib.parse -import json -import semver - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) - -import metricbeat +import urllib.request +from elasticsearch import Elasticsearch, TransportError, client +from parameterized import parameterized class Test(metricbeat.BaseTest): @@ -24,7 +20,7 @@ class Test(metricbeat.BaseTest): def setUp(self): super(Test, self).setUp() self.es = Elasticsearch(self.get_hosts()) - self.ml_es = client.xpack.ml.MlClient(self.es) + self.ml_es = client.ml.MlClient(self.es) es_version = self.get_version() if es_version["major"] < 7: @@ -299,7 +295,7 @@ def start_trial(self): # Enable xpack trial try: self.es.transport.perform_request('POST', self.license_url + "/start_trial?acknowledge=true") - except: + except BaseException: e = sys.exc_info()[0] print("Trial already enabled. Error: {}".format(e)) @@ -311,16 +307,18 @@ def start_basic(self): try: self.es.transport.perform_request('POST', self.license_url + "/start_basic?acknowledge=true") - except: + except BaseException: e = sys.exc_info()[0] print("Basic license already enabled. Error: {}".format(e)) def check_skip(self, metricset): if metricset == 'ccr' and not self.is_ccr_available(): - raise SkipTest("elasticsearch/ccr metricset system test only valid with Elasticsearch versions >= 6.5.0") + raise unittest.SkipTest( + "elasticsearch/ccr metricset system test only valid with Elasticsearch versions >= 6.5.0") if metricset == 'enrich' and not self.is_enrich_available(): - raise SkipTest("elasticsearch/enrich metricset system test only valid with Elasticsearch versions >= 7.5.0") + raise unittest.SkipTest( + "elasticsearch/enrich metricset system test only valid with Elasticsearch versions >= 7.5.0") def is_ccr_available(self): es_version = self.get_version() diff --git a/metricbeat/module/envoyproxy/test_envoyproxy.py b/metricbeat/module/envoyproxy/test_envoyproxy.py index 978283ab5b1..b8964eb67fc 100644 --- a/metricbeat/module/envoyproxy/test_envoyproxy.py +++ b/metricbeat/module/envoyproxy/test_envoyproxy.py @@ -1,10 +1,8 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - @metricbeat.parameterized_with_supported_versions class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/etcd/test_etcd.py b/metricbeat/module/etcd/test_etcd.py index 1832f2dfe46..4cd629ee63f 100644 --- a/metricbeat/module/etcd/test_etcd.py +++ b/metricbeat/module/etcd/test_etcd.py @@ -1,13 +1,10 @@ +import metricbeat import os import sys -import unittest import time +import unittest from parameterized import parameterized -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) - -import metricbeat - @metricbeat.parameterized_with_supported_versions class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/golang/test_golang.py b/metricbeat/module/golang/test_golang.py index 5000c0de8fd..e5b372a3a26 100644 --- a/metricbeat/module/golang/test_golang.py +++ b/metricbeat/module/golang/test_golang.py @@ -1,10 +1,8 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - GOLANG_FIELDS = metricbeat.COMMON_FIELDS + ["golang"] diff --git a/metricbeat/module/graphite/server/data_test.go b/metricbeat/module/graphite/server/data_test.go index a29dbccf426..066b0a1d868 100644 --- a/metricbeat/module/graphite/server/data_test.go +++ b/metricbeat/module/graphite/server/data_test.go @@ -84,7 +84,7 @@ func TestMetricProcessorDeleteTemplate(t *testing.T) { func TestMetricProcessorProcess(t *testing.T) { processor := GetMetricProcessor() event, err := processor.Process("test.localhost.bash.stats 42 1500934723") - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, event) tag := event["tag"].(common.MapStr) @@ -101,7 +101,7 @@ func TestMetricProcessorProcess(t *testing.T) { assert.Equal(t, event["@timestamp"], timestamp) event, err = processor.Process("test.localhost.bash.stats 42") - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, event) assert.NotNil(t, event["stats"]) diff --git a/metricbeat/module/haproxy/test_haproxy.py b/metricbeat/module/haproxy/test_haproxy.py index 40ab58f847f..86dc1c1fb34 100644 --- a/metricbeat/module/haproxy/test_haproxy.py +++ b/metricbeat/module/haproxy/test_haproxy.py @@ -1,10 +1,7 @@ +import metricbeat import os import sys import unittest -from nose.plugins.attrib import attr - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat HAPROXY_FIELDS = metricbeat.COMMON_FIELDS + ["haproxy"] diff --git a/metricbeat/module/http/_meta/Dockerfile b/metricbeat/module/http/_meta/Dockerfile index 5d36c7f7b19..132ad0271df 100644 --- a/metricbeat/module/http/_meta/Dockerfile +++ b/metricbeat/module/http/_meta/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 COPY test/main.go main.go diff --git a/metricbeat/module/http/test_http.py b/metricbeat/module/http/test_http.py index ce9e1c81b27..792cbd86b68 100644 --- a/metricbeat/module/http/test_http.py +++ b/metricbeat/module/http/test_http.py @@ -1,12 +1,9 @@ +import metricbeat import os import requests import sys import time import unittest -from nose.plugins.attrib import attr - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat HTTP_FIELDS = metricbeat.COMMON_FIELDS + ["http"] diff --git a/metricbeat/module/jolokia/test_jolokia.py b/metricbeat/module/jolokia/test_jolokia.py index 509b9f5681e..aefa63c9a4c 100644 --- a/metricbeat/module/jolokia/test_jolokia.py +++ b/metricbeat/module/jolokia/test_jolokia.py @@ -1,12 +1,9 @@ +import metricbeat import os import sys import unittest -from nose.plugins.attrib import attr from parameterized import parameterized -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/kafka/broker/manifest.yml b/metricbeat/module/kafka/broker/manifest.yml index c2d5b543318..1ff01429fd7 100644 --- a/metricbeat/module/kafka/broker/manifest.yml +++ b/metricbeat/module/kafka/broker/manifest.yml @@ -1,4 +1,4 @@ -default: true +default: false input: module: jolokia metricset: jmx diff --git a/metricbeat/module/kafka/consumer/manifest.yml b/metricbeat/module/kafka/consumer/manifest.yml index 4d431393f14..e7332aa69a3 100644 --- a/metricbeat/module/kafka/consumer/manifest.yml +++ b/metricbeat/module/kafka/consumer/manifest.yml @@ -1,4 +1,4 @@ -default: true +default: false input: module: jolokia metricset: jmx diff --git a/metricbeat/module/kafka/producer/manifest.yml b/metricbeat/module/kafka/producer/manifest.yml index a10e366103b..49618aae769 100644 --- a/metricbeat/module/kafka/producer/manifest.yml +++ b/metricbeat/module/kafka/producer/manifest.yml @@ -1,4 +1,4 @@ -default: true +default: false input: module: jolokia metricset: jmx diff --git a/metricbeat/module/kafka/test_kafka.py b/metricbeat/module/kafka/test_kafka.py index adfc8eb5978..c57ac4b0d5a 100644 --- a/metricbeat/module/kafka/test_kafka.py +++ b/metricbeat/module/kafka/test_kafka.py @@ -1,11 +1,9 @@ +import metricbeat import os import sys import unittest from parameterized import parameterized -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - @metricbeat.parameterized_with_supported_versions class KafkaTest(metricbeat.BaseTest): diff --git a/metricbeat/module/kibana/stats/stats.go b/metricbeat/module/kibana/stats/stats.go index 526a525951c..a6e19d50f42 100644 --- a/metricbeat/module/kibana/stats/stats.go +++ b/metricbeat/module/kibana/stats/stats.go @@ -38,9 +38,10 @@ func init() { } const ( - statsPath = "api/stats" - settingsPath = "api/settings" - usageCollectionPeriod = 24 * time.Hour + statsPath = "api/stats" + settingsPath = "api/settings" + usageCollectionPeriod = 24 * time.Hour + usageCollectionBackoff = 1 * time.Hour ) var ( @@ -57,6 +58,7 @@ type MetricSet struct { statsHTTP *helper.HTTP settingsHTTP *helper.HTTP usageLastCollectedOn time.Time + usageNextCollectOn time.Time isUsageExcludable bool } @@ -165,6 +167,10 @@ func (m *MetricSet) fetchStats(r mb.ReporterV2, now time.Time) error { content, err = m.statsHTTP.FetchContent() if err != nil { + if shouldCollectUsage { + // When errored in collecting the usage stats it may be counterproductive to try again on the next poll, try to collect the stats again after usageCollectionBackoff + m.usageNextCollectOn = now.Add(usageCollectionBackoff) + } return err } @@ -215,5 +221,5 @@ func (m *MetricSet) calculateIntervalMs() int64 { } func (m *MetricSet) shouldCollectUsage(now time.Time) bool { - return now.Sub(m.usageLastCollectedOn) > usageCollectionPeriod + return now.Sub(m.usageLastCollectedOn) > usageCollectionPeriod && now.Sub(m.usageNextCollectOn) > 0 } diff --git a/metricbeat/module/kibana/stats/stats_test.go b/metricbeat/module/kibana/stats/stats_test.go index b6757e5ecb2..56cbfc17e1f 100644 --- a/metricbeat/module/kibana/stats/stats_test.go +++ b/metricbeat/module/kibana/stats/stats_test.go @@ -23,6 +23,7 @@ import ( "net/http" "net/http/httptest" "testing" + "time" "github.com/stretchr/testify/require" @@ -48,12 +49,12 @@ func TestFetchUsage(t *testing.T) { w.WriteHeader(503) case 1: // second call - // Make sure exclude_usage is still false since first call failed - require.Equal(t, "false", excludeUsage) + // Make sure exclude_usage is true since first call failed and it should not try again until usageCollectionBackoff time has passed + require.Equal(t, "true", excludeUsage) w.WriteHeader(200) case 2: // third call - // Make sure exclude_usage is now true since second call succeeded + // Make sure exclude_usage is still true require.Equal(t, "true", excludeUsage) w.WriteHeader(200) } @@ -76,3 +77,40 @@ func TestFetchUsage(t *testing.T) { // Third fetch mbtest.ReportingFetchV2Error(f) } + +func TestShouldCollectUsage(t *testing.T) { + now := time.Now() + + cases := map[string]struct { + usageLastCollectedOn time.Time + usageNextCollectOn time.Time + expectedResult bool + }{ + "within_usage_collection_period": { + usageLastCollectedOn: now.Add(-1 * usageCollectionPeriod), + expectedResult: false, + }, + "after_usage_collection_period_but_before_next_scheduled_collection": { + usageLastCollectedOn: now.Add(-2 * usageCollectionPeriod), + usageNextCollectOn: now.Add(3 * time.Hour), + expectedResult: false, + }, + "after_usage_collection_period_and_after_next_scheduled_collection": { + usageLastCollectedOn: now.Add(-2 * usageCollectionPeriod), + usageNextCollectOn: now.Add(-1 * time.Hour), + expectedResult: true, + }, + } + + for name, test := range cases { + t.Run(name, func(t *testing.T) { + m := MetricSet{ + usageLastCollectedOn: test.usageLastCollectedOn, + usageNextCollectOn: test.usageNextCollectOn, + } + + actualResult := m.shouldCollectUsage(now) + require.Equal(t, test.expectedResult, actualResult) + }) + } +} diff --git a/metricbeat/module/kibana/test_kibana.py b/metricbeat/module/kibana/test_kibana.py index 08e7657a1e8..3955baf190e 100644 --- a/metricbeat/module/kibana/test_kibana.py +++ b/metricbeat/module/kibana/test_kibana.py @@ -1,4 +1,5 @@ import json +import metricbeat import os import semver import sys @@ -6,10 +7,6 @@ import urllib.error import urllib.parse import urllib.request -from nose.plugins.skip import SkipTest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat class Test(metricbeat.BaseTest): @@ -27,12 +24,12 @@ def test_status(self): if env == "2x" or env == "5x": # Skip for 5.x and 2.x tests as Kibana endpoint not available - raise SkipTest + raise unittest.SkipTest version = self.get_version() if semver.compare(version, "6.4.0") == -1: # Skip for Kibana versions < 6.4.0 as Kibana endpoint not available - raise SkipTest + raise unittest.SkipTest self.render_config_template(modules=[{ "name": "kibana", diff --git a/metricbeat/module/kubernetes/_meta/config.reference.yml b/metricbeat/module/kubernetes/_meta/config.reference.yml index ca5ab455311..827b48a51f3 100644 --- a/metricbeat/module/kubernetes/_meta/config.reference.yml +++ b/metricbeat/module/kubernetes/_meta/config.reference.yml @@ -29,6 +29,7 @@ enabled: true metricsets: - state_node + - state_daemonset - state_deployment - state_replicaset - state_statefulset diff --git a/metricbeat/module/kubernetes/_meta/kibana/7/dashboard/Metricbeat-kubernetes-overview.json b/metricbeat/module/kubernetes/_meta/kibana/7/dashboard/Metricbeat-kubernetes-overview.json index b3341000c45..155a53b11c1 100644 --- a/metricbeat/module/kubernetes/_meta/kibana/7/dashboard/Metricbeat-kubernetes-overview.json +++ b/metricbeat/module/kubernetes/_meta/kibana/7/dashboard/Metricbeat-kubernetes-overview.json @@ -126,6 +126,28 @@ "field": "kubernetes.container.cpu.usage.nanocores", "id": "0d5c9221-2bf2-11e7-859b-f78b612cde28", "type": "sum" + }, + { + "id": "8b346300-bf95-11ea-a07c-851701f0d645", + "type": "avg", + "field": "metricset.period" + }, + { + "id": "25ae6580-bf95-11ea-a07c-851701f0d645", + "type": "calculation", + "variables": [ + { + "id": "39e40aa0-bf95-11ea-a07c-851701f0d645", + "name": "sum_nanocores", + "field": "0d5c9221-2bf2-11e7-859b-f78b612cde28" + }, + { + "id": "85213600-bf95-11ea-a07c-851701f0d645", + "name": "avg_period", + "field": "8b346300-bf95-11ea-a07c-851701f0d645" + } + ], + "script": "params.sum_nanocores / (params._interval / params.avg_period)" } ], "override_index_pattern": 0, diff --git a/metricbeat/module/kubernetes/fields.go b/metricbeat/module/kubernetes/fields.go index 7b32ae8f209..f574bc21d8e 100644 --- a/metricbeat/module/kubernetes/fields.go +++ b/metricbeat/module/kubernetes/fields.go @@ -32,5 +32,5 @@ func init() { // AssetKubernetes returns asset data. // This is the base64 encoded gzipped contents of module/kubernetes. func AssetKubernetes() string { - return "eJzsXU9z27iSv+dToHLKbHl02NraQw5bNeN5b58rf57XTiaHrS0NTLYkjEmAA4B29D79FkCQhEgAJEVIdmzykIolsfuH7gbQ3QAaP6N72L9H9+UdcAoSxBuEJJEZvEdvPzQfvn2DUAoi4aSQhNH36L/eIIRQ+wOUg+QkUW9zyAALeI+2+A1CAqQkdCveo/99K0T29gK93UlZvP0/9d2OcblOGN2Q7Xu0wZmANwhtCGSpeK8Z/IwozqEDTz1yXygOnJWF+cQBTz1XdMN4jtXHCNMUCYklEZIkArENKlgqUI4p3kKK7vYWn5WhYKOxEeGCCOAPwJtvXKACwDry++X6ClUELVHWz6FI66cLzYbH4a8ShFwlGQEqD35S47yH/SPjaee7AFr1XGp6CL5DUiq91oxEEAUHwUqeQDwcNxVlSJGTdheAKO9OicFHvgcjYUV8AEiTRe+SrBQS+IVmKgqcwEUjnZ+CuB6A38WD9Y8vX65Rj2TPMlkaURSaZ49knyeVQOVaMYqvBoNBs0A9Fl0sKd+veUnjwfgGcgccyR3UPFApQKCU71GXURfMPaFdbjOQfCA0VaOroT6gkrxgNO4YVZNEO0zTTI1SllCCaLpj90wkalDXJNGG1ZoZMUw8ABeERTQNQ7BB0W9mF4KW3MHkNhNC3UlchLvMc5A7FtEedcd0EO01momIZti0uEu1ZltwloAQTo4uQ3TN9za9pChXApLe9zXNlJV3WXfc6zXk8vorEpAwmnaRtZxyyBnfq2mdpEDl6m7femZ9vhmjW8eXlV/2HvlePkD1q/oRIhTVPA2GIYgPhMsSZ+dEaFgOAdykYsUKoKuElb3RbxDaAevPZX4HXI24iiDakAyaHzDuV6OQmEtIIxjNbWUwSBCagB5ijHHXPJwdQAUC0ay/mVdLrr39VSlWBfAEqCQZrP7N20J29yckLgVUX6ynyKHu8zUIlJOEM9OdUAvHrxNXM0SZz9RPGFdS5mWGJXkA5GIVgjbfeGtompKeoWr6g0AE+RdUPTumpqeAVggmqdWCHNJqjAHpAONEFVswT6FhRT6AQRSMCnhS9VYQpui3D/r0CrZRjtZwH2gMFRsoblJ9pz++TdUNc840VRpkFeLv5e2ZauvEB8ICObIsnSbHc/IiegvO3I3NLMMSaLI/xpJd2hI1wQtlogpB9TepHCd7ThqEFM+EGkx0umDuyuQe5FmnHMMa7YiQbMtxjioQfrBjXYkpKGqalSbHKu80nkOLhdqOcPXhODBPoMcW9XhNJiXnahybL7srusnIdidHmDqjW15SSug2aqjSjp+JnrTU28gwCmeVQSbpqpJ7lJG8TfobbQqEpebiZI/LlMgVPPgUMZW9poc0PXd7K4YcFDRII/KsSXaZt3MNlZjQeWsclnQbelGWOHRkuZYkd6dyUyy7XwwkbG4VQdQjaKVXRs/iQxnK66+oFHgLDkH4mm1D0e96+6ELUIjqQSMZdxEeJj7EwGbiGJS7bDxjSf0MyNd+LhujU1K/ZByM6Cmm3gnrAC2mTInFB3oQ8EiwlVFAOsCwgcVSWBXOOalFJRKcQbreZAz7fliHHCbKidEGJV0sEK5pqr/ZRqeFJJM409gRzjKWYInvMlDvBRubkZzIH6+1KWwIhbSC32Tf22HwnfrEKxFENqik+l1I3Qt4GduOzx8PtOoj2yo3fMMmDkb4AZMMu5NQ8wckXySMxvS8oXAajde1lk7TVJTgAidE7pXr66bejKjmly9fOpUlj5eMGuxevlT0kD5eKESNBP6Vinlzu9t7RxEnsS/aBtp+4m2OtRDCIexyxEKlGI0B5LHL+IC0aTgAHa5hRUsdvY6BumuBA8twp3Oln5dAKjF4m/vM/cpPFvqJrqVH/+jZe5dj2jzDwTQG4fcxbQnx3jYF9KL6yM3tbbiH1IAfGb8ndCvAnwZ7CfL4VjUTCZDj5FLgLWxwmTkSiVPSg25Ebd5KsUEePs2sif9k/Ex4NC8vqqb3MCY3Eff5vIaI4oYxqXeyiL2QkE8OLl6Hs+OWku1+v/YYzC0h43k/XSx2hhjjqyO6sDP7nGUZ8Orww6wM/2VDzByliJPff5ItqOfclX7uba5n3t6q/o3H7jPOYdwu6n8xGpHvFd1wLCQvE1ly6BNfNvNWzVk28y6beZfNvCOasWzmdQNZNvOOxrhs5l028y6beedv5nV4mVO39z4yfv9XCaXb4zxm6lOgQTmc1Za7+dP5x4pgs7fOTOYhX6KkG0KJ2EVxJ742xMawxmkaw4a/1XpRBAcMOYVC7qLy1BQHu4/kJEp/bfnaO5g1dXdgxlJYJSpgTyRzx9fHGC48kER7EjF9YL1sUVMOGewOcCZ3MfaFt8wbqsidCDrFnvwwpwqPZ6lqPLvrg4UkfyObMQlwCnxFxDrHQnpyMneMZYC7jt7QofVde2pd65oI1OHxpotG71Z902U/IWH1ZQd26Y1q92udswI1D+m+0Xwjd1gizAFtgQLHsqoVUu8VNuPqAQdCVWCrhPuhW7kETUiG+Q3Mo+ugtC+r6VVxQRwSxlNRyb0xPklyqD4rMJckKTPMKyGgHRaIJXoDeupAqN+UOC8cKPuDSSjttyFcyLVhRT31OqZv7v1SA1Tt1DxQy0N91rUq+7DHyQEpFgN42lyI6K3EVRgkfJfjreFTRcdYAqRtcQDyANQhjoQV+7VkLgTtnIZFJ9Tzp96C6G40pbHgGivsFt04kvuXfdEssYc5OvKQPqMPc9TL9nXdCg4F47IqXEGEQxehDnTSihobznL0uCPJTgunGhuIaEdGd24oaub5s5onFGHE6FgsVs4dp1ji+Rr7ZCghLARLiJ4VHoncBftQSG/uIXS6R9bYAYeeQlBowBqxsnQwaGkGhNFwT2kB1XpZx10Z+G9D1pjEpjUGt/cbf1liFE9dkCkuY00SkboTVB3gEQ/1xnr1ZB29zszvps6MLZDwYk1JIi6AfaXkrxKQXlIgG6LcSmYBcaSUmmEcss06I/Q+Ipibj2oc5yAUGlODyDeNEPrAsgdI1w6Mpxqdap4uuYTGKVyQ+Jbzy/VVU6XIWE9AXXHLVSne96Zk1QDjuIOHPWAFmJ6uv9aUJ4g+bof9evXbAG87aTEn5rOOIeo4czmBuJxA9DyxTyBqf/XHPny4nEhwPcuJhM4T70TCsvG8A3jZeO4Gvmw8D2w8pyCV3UQbr/n3F218N5AAedDZfR+tZg2Cc9cq5kjMY/F89/FpckYvWyFfOKYiJ1I+H518ceqkWbxYTnlUz0hp/n054DFRQMvZjvbpCec1HOuwtid4jo93QZ3j3H+L6nmc+G/x+E79Nz5NSb0ZnGPGbZIrD/BEFRz8c8IwgyEmaGQPR2NTJGN6OpqWSrnKtcc7fdZAI2cO9JrFOGJuQVMGu1coQvcM1ASrByez5uSwC5b+kCnsJSKtniUibZ8fSSE/XET6KtaMnskqSQ/WcyylM6VE46sqy6im1KZyjuiWzjH1GBkFxDjKGQf7x4awIoE5DFVtjLyKtiwYdWA/y363lLCK1xmPrmP1OpKGB93F3+TO0uL6pa8tVmJ57K0w+oOLF774XAmkKcKgJKJPnw6IpcBbWJ9sjbMCNXq9dX0ONP7VVqv8x/f9nNjeOo+kac2/DLjZfO8od3P0qQxfBZ0215xGOYHhqpxj7eHvlriZw6VHzntqYa7UDulZptOrHDPl4NRBrOc8rxs8rTuyXsyh7zpULSbQ7cLj1zF1YjrQwlViIiML1odp1jvC1WECkGZUhjnI8HkOco83jCk1YZr+060Ic5xVT64FEywgMaYOTJQqMCH4rpoOsRAFS0eEQM0zztGVX7oQxhYGGa/V8WAHKoIEoPo1OHdoGV/pJQAvti4dNV6s0wnTKrzEVeS42i4hsKdU5eiaLiGAc5UZqObSNaGIduNyDocKtxxzqn1kyZZmOtzTZNSkFGR6X95B5aYbZ31PE2dWfGBqKzMQI2eGYfHf7mlyreDcKLKdK/rYpvlg6LJFP7p55uHFN+LaPj8m79V9MccZL/Shu/s6654F1z/OCd1GU/vnijSyaE+6nnEkxJm+axDkBAMYQHkWawg3xm8SvayBSHaQltm88rtW5qCht6QN+jxeWNqgdxT1SDZDhXUtz6TMojTs1lgpwlJCXsg+6ZpnMxpEZKs6q4vuko5Z0jFDkJZ0zJKOmYhoSccs6ZglHbOkY5Z0jBNDsLJkxd9VVzIIYUpNyV4s1q3keNwkCf8O5w9L/0ZTJBkCmlqNcU9LI2HPSUtMQBPogF1E83qEG1OoJxYsXRUcVJiiEOhCtPmgPoeRXLMUtXSRoTsNxBztuPkHFOHBME8fHhRDCjFxYwzuNakgz8YAjb2e09+9dfSd4Ym1h3iei+sCMWr+7OGYmUH2ddo3XcbN3sE3XS7Hnbdpr9SMcerm6BpaPfFcNriIu9ifkFiW8U6lFzss/Jsn3Q3oNiK0dbtpjmaE3pniyhfoEROp/yOB54Ti8HWlgFP/wXl3oeqRKFuEmolbvgcOpArI/VvTCJWw7VXUPgJMxWew6HyvQK8NZpb+vlUaQu8aVJe6QKhS2iXHYveRseJXnNyzzeYC/Y1zfYTuusyyC9T813zfV616GG+0r0agd5csLzKQkF60krjElDJ5U1LNgvEL9M9/fvpAsgzSn0zzV86OMuWgzOAdDno3tu+ASEXXtwl7ktovr7/qgmmiYhnQe+3jnwWSYQcpcjM8lFPoMM3A/s2CQ6KGgvfoP1f/EQN5g2WkQEPYh+HN3Z3qk/pZi7hVSjz9nWxDIjD73atzBINFIGoFPj3uVm31UQbf8eGEM/onu4vl0lTUojg0vcWo8S4NujQ4ejS6q6RzGTjpWA6jqb7v7hlj+LQkUMEy0qHUnEFJlNM849qiNsVSkVIxkWgvf+8ZieV3irUoRQE07Z3cD7lGB9zt7EptQkRFji66reXqWuSOVY9AEHIYuhcs2SHRW/eoITxi4ax43oxSWMh1bQHRcCih67sbahi8pO4OAt9PxF5RHmSfAk4zQv2ch2zuN0OgYY03EnjTpTSShOlbT7hyAjeYZJYmxvwn/Kc/1EuhyNg+n3knjDUwtgSjjI0FdhTKGN3d+rPHByfSiosrHGlnvCIjCR4fCx6Fo+aCCN2wiZ5ECoLwQM2qWbHSby3GdruR4diificKSOacH4yFsa3F4tGbdf6Xng+WxWsEsCJ13kARHVTFpw/IPhAcaXCIWTw8ZmImnPKYFdjr+tV2tgO9k7yEC7TBmdDH4Ut6T9kj9febkpqZImiksxIzGuUBn9BgGDPat04jny7AboqI22efw9F1XRVrANSMcrQ1pqb+1vkqh1syf6oQ7rPvKPpQ7Nko5kmRG7Th2mnWsstJdKcP9Z/KNG3dqBhpWCEnhaNrGnQr+DUCBi6IkEDlA8vKPNZ01ZJFFd167qpu8lK//FkNk/BzYE6D7wVwoqbaA+GcKiHwewVUkfCkakP9Z1w8Y3g4CyqG1jqmNqJaxsBJwniqLwFilnY8fgHjeAvrJMO98gOjud9WRJAm0qQGepaFxgRcPgtNMkzyk5lpkuEfwlivf78MWGrVmFkXnv1KaAppLRY/K5NGXBv7mdE3btrsfd3R4vcPJTdNwE0bJwkIsc675wImcPhFk0CKhJvHCXva9e+XK1/Hck+ps3pPpGKQxH31YO/j8YkBhezq2slsx4Rcn4ajIu1jOzHsmsbYhEfHlcc74dJ6B6ZZW7+p19avgarJabVaHbukHhPdvEizzkj6sw4xsTbcXHgv+mi7uTiIlbM0BE1Vo/lDwQmThTZUf9YyxuVRM8r+7A4v0zfZwQI4uqn+uHUUyxqbx3wqXOE+HA+V6r9TsbE7XfDoVEIzN6LqewYNJ3S313N1C07v8uIs6x57RAfrSHcQGl1iSXFTZtm+5jYoTWu7kT6/91fJDu44nje0WDSjDC6nWw28MVj/R2MdWhPsSmkKgooDoRvGc0jRux3mqZ6gBKQ/hc5Txgk7DhvqXTqX3QvRJ7CwW1j1HPXqBfpDNfUP1dY/VGP/8MwfjoYf0T5NTouyMj9cFBkBgSTrB6rhP/2BrRoOSBIr42KohTrKmUPUW4MokFDJSiGBH+eOX1EJnOIMXV03dm+E4OYG36sXZoXFdaNqYui3z7f+ftCw9LTwGIaeACNjOF3f4QzTxC/REfw+MpyiXw2dxqo8TOf087phPRpNWEi3XAXjx7flqqLgQ18zUHHbHJuo2fzDRacz+biH/YHrDmpRNTffH7xgh5iwKbN43n1NMZp7HxLCUHqo77182VkikSQHIXFeoHegZulqMrw1Lei6gGeINw6E1zhSR4UcJ3ZSrTIotY964Pj5hIieIPbo7ZwIAazBtV74qfVs+fuWB/O81N0o2QL7PNRcK3cEsE4ytZtLnTfq2anVZ+RPHeDye1UFZw9EEEZ74eTkVaSWUuti2Sh8SwJ6jWbt2Iw6yRXXVMyW1qqWwJ7inCRYhahmKjELFO41LbMMckd0nnFWVv8TS6vdhml1zW4rG0K3CNMUGS7xJ/8DtQ+4APpOqFj9oLpgyiqHH8UFcJyQm6QJxwUxzZ52/17uM9839Squv0kYP/1ddr2KbH02A7ewjTwDiIysLxkHI3CKqefkegfj87gH6ER7npZ7Xuy57YXfzXBzeztOEOY+i5d+ece33rUdA3I500X8oy+qOBOe4asqou4vO9xUNsshmeOS96VibSJzcltuajfPyP633NQ+VUDLTe3t8ypvav868n72M1yH/nfPJehdKOe4Kr5y8gyY/w8AAP//aFTWYw==" + return "eJzsXU9zHKmSv/tTED55NjR92NjYgw8bMSO/t08xtp9WsseHjY0eVJXdzagKaoCS3O/Tb0D9o6qAorrolix1HybGkjp/PzITSBJIfkb3sH+P7ss74BQkiDcISSIzeI/e/tb+8O0bhFIQCSeFJIy+R//1BiGEuj9AOUhOEvVtDhlgAe/RFr9BSICUhG7Fe/S/b4XI3l6gtzspi7f/p363Y1yuE0Y3ZPsebXAm4A1CGwJZKt5rgJ8RxTkM6KmP3BcKgbOyqH9ioac+V3TDeI7VjxGmKRISSyIkSQRiG1SwVKAcU7yFFN3tDZxVLcFkYzLCBRHAH4C3v7GR8hAb6O+X6ytUCTRU2Xz6Km0+Q2omPQ5/lSDkKskIUNn7k4bnPewfGU8Hv/OwVZ9LLQ/Bd0hKZdcGSHhZcBCs5AnE43FTSYYUWWUPCYjy7pgcXOJHNBJWxCeAtFj0LslKIYFfaFBR4AQuWu385OX1APwuHq1/fPlyjUYiR57J0oiq0JgjkWNMKoHKtQKKb4aag4ZAI4ghl5Tv17yk8Wh8A7kDjuQOGgxUChAo5Xs0BBqSuSd0iLaAyW+Epmp0raVPmCQvGI07RjUi0Q7TNFOjlKEUL5vh2L2QiRrUtUi0YY1lAoaJB+CCsIiuUQtsWYybOaSgNdeb3BZSaDqJTfAQPAe5YxH9UXdMi9BRo5mI6IZti4dSG9iCswSEsCLaHNE235vykqJcCUhGv29kpqy8y4bj3qghl9dfkYCE0XTIrEPKIWd8r6Z1kgKVq7t9F5mNcTNGt5ZfVnHZe+T6co/Vr+qPEKGowaw5TFF8IFyWODslwxpyiuAmFStWAF0lrByNfpPUetCfy/wOuBpxlUC0IRm0f8C424xCYi4hjeA0t5XDIEFoAnqIqZ27wbB2ALUQiOb97bxach3tr0qxKoAnQCXJYPVvzhayuz8hsRmg+sV6jh6aPt+QQDlJOKu7E+rouG1ia4Yo84X28fNKyrzMsCQPgGxQPmrLnbehpiXpGaqRP0lEkH9B1bNjWnoOacVgllkNyj6rxhiQehxnmtigeQwLK/EeDqJgVMCTmreiMMe+Y9LHN7DJMtjCY6IxTFxTsYsaB/3xfappmHWmqdIgKx++E9sx1TaJD4QFsmRZBk2OF+RFjBasuRsTLMMSaLI/xJNt1hKNwAvloopB9W9SBU7mnDRJKZ4LtZzofMXclck9yJNOOTU02hEh2ZbjHFUk3GRDQ4k5LBqZlSVDjXecyKHjQs1AuPphGJknsGPHOtySScm5GseW6+6KbjKy3ckAV2d0y0tKCd1GXap042eiJy31bVQD+bPKIJN0Vek9ykjeJf1rawqEpUaxwuMyJXIFDy5DzIXX8pCWZ29vBchBUYM0ImYjcgjezTVUYkKX7XEY2m3lRdni0CvLtSS5PZWbYjn8xUTC5lYJRCOBRnoleBafylBef0WlwFuwKMLVbJOK/q6zH9oI+aT2Gsm4TfC08CkAE8QyKA9hHGNJ85nQr/m5bJ1Oaf2ScahVTzF1Tlg9tpgypRYX6UnCgWQrp4B0ArClxVJYFdY5qWMlEpxBut5kDLv+sFly1KucGG1Q2sUC4Uam+jfb6LSQZBJnmjvCWcYSLPFdBup73sZmJCfyx2ttChtCIa3ot9n3bhh8p37i1AgiG1RS/V1I7Rt4GduG548nWvWRbVUYvmEzByP8gEmG7Umo5QOSayWMQnre1HIahdtaa6dtKkpwgRMi9yr0tUtvR9T6L1++dipPDteMGuxevlb0kB6uFKJGAvdOxbK53R69o4iT2BftA10/cTbH2Ajh4A85YrFSQCGEHH4Zn5B2DQuh/h5WtNTR6xiohx44sQ13vFD6eSmkUoOzuc88rvxksJ8ZWjrsj559dBnS5gUBZu0Q7hjT1BAfHVNAL6qP3Nze+ntIQ/iR8XtCtwLcabCXoI9vVTORABmmlwJvYYPLzJJInJMetDPq8lYKBjlw2lkT/8n4ifhoLCertvcwJjcRz/m8hhXFDWNSn2QReyEhn724eB3Bjl1LZvj92tdgdg3VkffTrcVOsMb4alldmJl9zrIMeHX5YVGG/7IVVl+liJPff5IjqKc8lX7qY64nPt6q/hsP7jPOIewU9b8YjYh7RTccC8nLRJYcxsLPh3mr5pwP854P854P8wY043yY107kfJg3mOP5MO/5MO/5MO/yw7yWKHPu8d5Hxu//KqG0R5yHTH2KNKiAszpyt3w6/1gJbM/W1ZO5L5Yo6YZQInZRwomvrbAQaJymMXz4W2MXJXDCkVMo5C4qppY42X0kJ1H6a4drnmDW0u0LM5bCKlEL9kQy+/r6EMeFB5LoSCJmDKy3LRrJPofdAc7kLsa58A68lYrsiaBjnMn3I1V8HFtV4XDXvY0kdyPbMQlwCnxFxDrHQjpyMneMZYCHgd7UpfVdd2td25oINMB4M2SjT6u+GcLPSFh92YFZeqM6/drkrEDNQ7pvtL+ROywR5oC2QIFjWdUKac4K1+NqD4FQtbBVyv1tWLkEzUiGuR3MYWuvti+r6VWhIA4J46mo9N46nyQ5VD8rMJckKTPMKyWgHRaIJfoAemphqL8pcV5YWI4HE1/ab0O4kOsaijrqdcw/3PulIajaqTFQh6F+NvQq87LH0QkpiAk+XS5EjHbiKg4Svstwb/hUyak9AdKuOAB5AGpRR8KK/VoyG4NuTsNisNRzp9687G60pFByrRcOi24ciP5lX7Rb7H5ESx7S5fR+RL1t39St4FAwLqvCFURYbOHrQEetqLHhLEePO5LstHKqsYGIbmS054aiZp4/q3lCCUaMhnIxcu44xRIvt9inWhLCQrCE6Fnhkcidtw/57GYfQudHZK0fcBgZBPkGrICdpd6gpQEIo/6e0hFq7LKOuzPw37XY2iU2nTPYo9/42xJBmLogU1xgLRKRphNUHeART/XGZvdkHb3OzO91nRlTIf7NmpJE3AD7SslfJSC9pUA2RIWVzCBiSSm1wzhkm3VG6H1EMjcf1TjOQSg2dQ0i1zRC6APLHiBdWzgea3RqMG168Y1TuCDxPeeX66u2SlHtPR5zxS1XpbDv65JVE8BxBw9zwPKAHq+/NpJnqD5uh/169WEC20xaLFnzGdcQ9TrzfAPxfAPR8Yl9A1HHqz/25cPzjQTb53wjYfCJdyPhfPB8QPh88NxO/Hzw3HPwnIJUfhNtvObfX7Tz3UAC5EFn912y2j0Izm27mIGcQ/l8d+G0OaOXbZAvHFOREymfj02+WG3Sbl6cb3lUn0Bt/v18wWOmgs53O7rPSDmv4VqHcTzBcX18SOoU9/47Vs/jxn/Hx3Xrv41pSurM4BwybpNcRYBHquDgnhOmAaZAUGAPR6EpkpCejualUq5yHfHOnzVQ4MyBXrMaA+YWNGewe4UqtM9A7WK1dzNrSQ67YOkPmcI+r0irz3lF2n1+JIP8cCvSV7Fn9Ex2SUa0nmMpnTklGl9VWUY1pbaVc8SwdE5dj5FRQIyjnHEw/7gWrERgDlNVGyPvop03jAa0n2W/O5ewitcZD65j9TqShr3u4m7yYGtx/dL3Fiu1PI52GN2Lixe++VwppC3CoDSib59OqKXAW1gfbY+zIhW837o+BRv3bqtR/uP7fsna3riPpGUtfwy4PXxvKXdz8K0MVwWdLtecRrmBYaucY5zhH5a4WYIyEue8tbBUa315huuMKsfMuTjVW+tZ7+t6b+sG1ovpx65T1WI83c4/fh1SJ2ZAzV8lJjIzb32Ydr/DXx3GQ2lBZZhehs9xkTvcMebUhGn7z7AizGFePbsWjLeAREgdmChVYHz0bTUdYjHylo7wkVrmnMGVX4YUQguDhFs1nOxERRAPVbcFlw4t4ZVePPRi29JS48W4nTCvwktcQ4bVdvGRPaYpg2u6+AguNaanmsvQhSL6jS04nCrccsit9sCSLe10uKdJ0KTkBb0v76AK0+tgfU8Ta1Z8YmorMxCBM8O0+m/3NLlWdG6U2METfWzT/mDqsUU3u2Xu4eQX8Gyfm5Pz6b6Y44yT+tTbfYN9z4LrP84J3UYz++dKNDJkz3qeMZDiwtjVS3KGA0ywPIk3+BvjdolR1kAkO0jLbFn5XSNz0Mo7pw3GGC8sbTC6inogzFRhXSMyKbMoDbutvRRhKSEv5Fh0g9mOBhFhVWe1yT2nY87pmClK53TMOR0zk9E5HXNOx5zTMed0zDkdY+XgrSxZ4dvqSnopzKkpOVqLDSs5HjZJwr/D6Zelf6MpkgwBTY3G2KelQNpL0hIz2Hg64JDRsh5h5+TriQVLVwUHtUxRDHQh2nzSntNMrlmKOrmoljuPxBLr2PE9hnBwWGYPB4spg9TrxhjojSgvZuuAtb+eMt69tfSd6Yl1xHhZiGsjETR/jngszCC7Ou2bIXB7dvDNEOWw+zbdk5oxbt0cXENrpJ7LlhexF/sTEssy3q30YoeF+/CkvQHDRviObrfN0UDoXV1c+QI9YiL1/0jgOaHY/1wp4NR9cd5eqDqQZcdQg9j12wsg1YLcfTSNUAnbUUXtA8hUOJNF50cFek0yi+z3rbIQeteyutQFQpXRLjkWu4+MFb/i5J5tNhfob5zrK3TXZZZdoPZ/69+PTas+jLfWVyPQu0uWFxlISC86TVxiSpm8KamGYPwC/fOfn34jWQbpT3XzV9aOMueizOQbDvo0tuuCSCXXdQh7ltkvr7/qgmmigvTYvYnxT0KphoMU2QH7evJdppk4v1lwSNRQ8B795+o/YjBvuQQq1Md9mt7S06kurZ+0iFtlxOO/yTalgvq8e3WPYLIIRGPAp+fdma25yuC6PpxwRv9kd7FCmkpalIBmtBkVHtKgy5rHSMZwl3QpgFWOETDW1fftPSMEpxOBCpaRgaT2DkqiguYFzxZ1KZZKlFoTie7x95GTGHGnWItSFEDT0c19X2jUQzezK40LEbVytMntPFfXIrfsengWIf2le8GSHRKjfY+GwiMW1orn7SiFhVw3HhCNh1K6fruhocFLau8g8P1I8EryJHwKOM0IdSNP+dyHWkALjTcSeNulNJOE6VdPuAoCN5hkhiVC/sf/T/dSL8WQM9q/vLTkEMUHLe9WXw868cjYTU5FRhIcvmybmHCsratBDrzMPX2TbsGlm96jNF1VkkYtqADeNcRJMQVBuKcE1jKCtfTem1uz6PkXqbG0V61SZ1Ir6enMa2BN0ewMW2Rsny98BcoIhTqBUfp8gS2lcYInWG/3NZhWKLYExAmGEYNHazRCN2zmKDLVRRdlRz50HDt3a7pty/qdKCBZcmM4FsdxN1jUP2PRsvVPN7Eitb45E51UhTMmZJYAiDQ4xHwuIGYq1j9/LErl6Yr1Zn4TvZO8hAu0wZnQBTBKek/ZI3X3m5LWsaHXSRelYjXLHo5vMIyZ3zPqDxwvpdY+G2BWO/Dn05o6eBOkFhSgbji1FfdO91aAofOnStp8dhWfmMo2tYZ5UuY1W3+1RGOj9Si202U8juWapm0KZnlbY2SQo9LRVUyGNTtbBQMXREig8oFlZR5ruurEokpuM3dVb/epv/xZDZPw81Mn/n6v6CkRji0ZX68Jy1vUGNbCqb49zbmNqLYrcZIwnurHvphhE0c0wDjewjrJ8KjMSDD6bSUEaSFtCnDkTygkseLyyyTDJD+acyYZfsYuev37pcc/qyYses7wV0JTSBtluKHqTYJ17TULesRNtzfXdK/4vULpTQuwy8ZJAkKs8+GtnxkIv2gRSImwYxyxf13/frlydSf79Lmoz0Qq9UrsD4uOfhyeBFDMrq6tYDsm5Po4iEq0C3bmEmsecL0UOixfesSDMwOa9cmZm+bkzDVQNSWtVqtDD8zEZLdsVdnsN7gzDDG5tmg2vhdjtsO827ItCWMIaFL1ItKmxBETgyZVd4byOe0v9JLON9U/nm5b4XBeT7afEMCN3elyZsdSWv3esX5FtEZCd3s9V3fk9BlOzrLhpWbU2yW+A9/oEkuLmzLL9g3apDaNw4T6du5fJeu9YL5saDFkRhlcjrfXf1Nz/R/NdWrHf6ilOQwqBEI3jOeQonc7zFM9QQlIf/Ldlo6z7Og31HkwRsk7FMJsYdVz1Fcv0B+qqX+otv6hGvuHY/6wNPyA9mlxWpWV++GiyAgIJNl4eer/p3s5q4YDksTKrtTSnvzQ1G3Nw5M8yUohgbuC8ACMKyqBU5yhq+vW5ev22yHhe/WFRSvipmWNMPTh8627C7SQhzdzBOhYW2QMp+s7nGGaLFLrR4ZT9Gstp3UoB+iSLt40bCSjXRHSLVfr8CUuoiW42DcAasm2xCcamH/Y5AzmHfuIP/GOSaMqLUMNhr0vmKtL2JRZvMC+kRgtsvcpYSozNA5cvuwMlUiSg5A4L9A7UBN0NQ/e1i0YRn8nWGr0lNfGUAetNo4cnxr1jZrwtBfzuZSInmDZMTog4SPYkOsC8GPb2Qj1jeDleZm7NbJB9nmYuTFuALFBHnWYRl026plZ1ScPpXps3AFVwdkDEYTR0fpx9mZRJ6kLrEwWrj0AvRWztpwtnxV7ayn1CfWqNMie4pwkWK1J6wmk3pGwb13V+x53RCcWF6XxP7G0OjycVq9md7ohdIswTVGNEn/K75l9YuLXT7zF8v7qvTjjdYsoE7/lwussS1jee2qvqLivZpz4+bhX8ZpVwvjxn6YcFVgcw0w8qhh4pRfVur5kHGqFU0wdhSgGHJ/Hs15HOtB0frbJnNte+FMrN7e3YYqon6d56W/xfBu9wjOhlwJv4WivvHQ36oLfnTkRn+mXZ6IeHuufGHuykHysFeOsmBVt9OD24eOy55Htl9P/Rk/nTz+hHb4z+yIVFPA4djezexbwL1I59mevh/Qtr/Cb3JdoZvIt8uVR4teqjY4mGEMRB3/4vpzK3zlACBV7MZi4XKogrybz/wEAAP//aN7Gug==" } diff --git a/metricbeat/module/kubernetes/state_daemonset/_meta/data.json b/metricbeat/module/kubernetes/state_daemonset/_meta/data.json new file mode 100644 index 00000000000..27a03cb7d97 --- /dev/null +++ b/metricbeat/module/kubernetes/state_daemonset/_meta/data.json @@ -0,0 +1,28 @@ +{ + "@timestamp": "2019-03-01T08:05:34.853Z", + "event": { + "dataset": "kubernetes.daemonset", + "duration": 115000, + "module": "kubernetes" + }, + "kubernetes": { + "daemonset": { + "name": "kube-proxy", + "replicas": { + "available": 1, + "desired": 1, + "ready": 1, + "unavailable": 0 + } + }, + "namespace": "kube-system" + }, + "metricset": { + "name": "state_daemonset", + "period": 10000 + }, + "service": { + "address": "127.0.0.1:55555", + "type": "kubernetes" + } +} diff --git a/metricbeat/module/kubernetes/state_daemonset/_meta/docs.asciidoc b/metricbeat/module/kubernetes/state_daemonset/_meta/docs.asciidoc new file mode 100644 index 00000000000..c9e09cfb85f --- /dev/null +++ b/metricbeat/module/kubernetes/state_daemonset/_meta/docs.asciidoc @@ -0,0 +1 @@ +This is the `state_daemonset` metricset of the Kubernetes module. diff --git a/metricbeat/module/kubernetes/state_daemonset/_meta/fields.yml b/metricbeat/module/kubernetes/state_daemonset/_meta/fields.yml new file mode 100644 index 00000000000..986786b707c --- /dev/null +++ b/metricbeat/module/kubernetes/state_daemonset/_meta/fields.yml @@ -0,0 +1,29 @@ +- name: daemonset + type: group + description: > + Kubernetes DaemonSet metrics + release: ga + fields: + - name: name + type: keyword + - name: replicas + type: group + description: > + Kubernetes DaemonSet replica metrics + fields: + - name: available + type: long + description: > + The number of available replicas per DaemonSet + - name: desired + type: long + description: > + The desired number of replicas per DaemonSet + - name: ready + type: long + description: > + The number of ready replicas per DaemonSet + - name: unavailable + type: long + description: > + The number of unavailable replicas per DaemonSet diff --git a/metricbeat/module/kubernetes/state_daemonset/_meta/test/ksm.v1.3.0.expected b/metricbeat/module/kubernetes/state_daemonset/_meta/test/ksm.v1.3.0.expected new file mode 100644 index 00000000000..bb804c32cfe --- /dev/null +++ b/metricbeat/module/kubernetes/state_daemonset/_meta/test/ksm.v1.3.0.expected @@ -0,0 +1,27 @@ +[ + { + "RootFields": null, + "ModuleFields": { + "namespace": "kube-system" + }, + "MetricSetFields": { + "name": "kube-proxy", + "replicas": { + "available": 1, + "desired": 1, + "ready": 1, + "unavailable": 0 + } + }, + "Index": "", + "ID": "", + "Namespace": "kubernetes.daemonset", + "Timestamp": "0001-01-01T00:00:00Z", + "Error": null, + "Host": "", + "Service": "", + "Took": 0, + "Period": 0, + "DisableTimeSeries": false + } +] diff --git a/metricbeat/module/kubernetes/state_daemonset/_meta/test/ksm.v1.8.0.expected b/metricbeat/module/kubernetes/state_daemonset/_meta/test/ksm.v1.8.0.expected new file mode 100644 index 00000000000..bb804c32cfe --- /dev/null +++ b/metricbeat/module/kubernetes/state_daemonset/_meta/test/ksm.v1.8.0.expected @@ -0,0 +1,27 @@ +[ + { + "RootFields": null, + "ModuleFields": { + "namespace": "kube-system" + }, + "MetricSetFields": { + "name": "kube-proxy", + "replicas": { + "available": 1, + "desired": 1, + "ready": 1, + "unavailable": 0 + } + }, + "Index": "", + "ID": "", + "Namespace": "kubernetes.daemonset", + "Timestamp": "0001-01-01T00:00:00Z", + "Error": null, + "Host": "", + "Service": "", + "Took": 0, + "Period": 0, + "DisableTimeSeries": false + } +] diff --git a/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/config.yml b/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/config.yml new file mode 100644 index 00000000000..ab6bf241654 --- /dev/null +++ b/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/config.yml @@ -0,0 +1,3 @@ +type: http +url: "/metrics" +suffix: plain diff --git a/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/docs.plain b/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/docs.plain new file mode 100644 index 00000000000..9e6b14d0bd8 --- /dev/null +++ b/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/docs.plain @@ -0,0 +1,1368 @@ +# HELP kube_certificatesigningrequest_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_certificatesigningrequest_labels gauge +# HELP kube_certificatesigningrequest_created Unix creation timestamp +# TYPE kube_certificatesigningrequest_created gauge +# HELP kube_certificatesigningrequest_condition The number of each certificatesigningrequest condition +# TYPE kube_certificatesigningrequest_condition gauge +# HELP kube_certificatesigningrequest_cert_length Length of the issued cert +# TYPE kube_certificatesigningrequest_cert_length gauge +# HELP kube_configmap_info Information about configmap. +# TYPE kube_configmap_info gauge +kube_configmap_info{namespace="local-path-storage",configmap="local-path-config"} 1 +kube_configmap_info{namespace="kube-public",configmap="cluster-info"} 1 +kube_configmap_info{namespace="kube-system",configmap="coredns"} 1 +kube_configmap_info{namespace="kube-system",configmap="extension-apiserver-authentication"} 1 +kube_configmap_info{namespace="kube-system",configmap="kube-proxy"} 1 +kube_configmap_info{namespace="kube-system",configmap="kubeadm-config"} 1 +kube_configmap_info{namespace="kube-system",configmap="kubelet-config-1.18"} 1 +# HELP kube_configmap_created Unix creation timestamp +# TYPE kube_configmap_created gauge +kube_configmap_created{namespace="kube-system",configmap="kubelet-config-1.18"} 1.597194032e+09 +kube_configmap_created{namespace="local-path-storage",configmap="local-path-config"} 1.597194034e+09 +kube_configmap_created{namespace="kube-public",configmap="cluster-info"} 1.597194033e+09 +kube_configmap_created{namespace="kube-system",configmap="coredns"} 1.597194033e+09 +kube_configmap_created{namespace="kube-system",configmap="extension-apiserver-authentication"} 1.59719403e+09 +kube_configmap_created{namespace="kube-system",configmap="kube-proxy"} 1.597194033e+09 +kube_configmap_created{namespace="kube-system",configmap="kubeadm-config"} 1.597194032e+09 +# HELP kube_configmap_metadata_resource_version Resource version representing a specific version of the configmap. +# TYPE kube_configmap_metadata_resource_version gauge +kube_configmap_metadata_resource_version{namespace="kube-system",configmap="kubeadm-config"} 157 +kube_configmap_metadata_resource_version{namespace="kube-system",configmap="kubelet-config-1.18"} 160 +kube_configmap_metadata_resource_version{namespace="local-path-storage",configmap="local-path-config"} 247 +kube_configmap_metadata_resource_version{namespace="kube-public",configmap="cluster-info"} 233575 +kube_configmap_metadata_resource_version{namespace="kube-system",configmap="coredns"} 185 +kube_configmap_metadata_resource_version{namespace="kube-system",configmap="extension-apiserver-authentication"} 35 +kube_configmap_metadata_resource_version{namespace="kube-system",configmap="kube-proxy"} 193 +# HELP kube_cronjob_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_cronjob_labels gauge +# HELP kube_cronjob_info Info about cronjob. +# TYPE kube_cronjob_info gauge +# HELP kube_cronjob_created Unix creation timestamp +# TYPE kube_cronjob_created gauge +# HELP kube_cronjob_status_active Active holds pointers to currently running jobs. +# TYPE kube_cronjob_status_active gauge +# HELP kube_cronjob_status_last_schedule_time LastScheduleTime keeps information of when was the last time the job was successfully scheduled. +# TYPE kube_cronjob_status_last_schedule_time gauge +# HELP kube_cronjob_spec_suspend Suspend flag tells the controller to suspend subsequent executions. +# TYPE kube_cronjob_spec_suspend gauge +# HELP kube_cronjob_spec_starting_deadline_seconds Deadline in seconds for starting the job if it misses scheduled time for any reason. +# TYPE kube_cronjob_spec_starting_deadline_seconds gauge +# HELP kube_cronjob_next_schedule_time Next time the cronjob should be scheduled. The time after lastScheduleTime, or after the cron job's creation time if it's never been scheduled. Use this to determine if the job is delayed. +# TYPE kube_cronjob_next_schedule_time gauge +# HELP kube_daemonset_created Unix creation timestamp +# TYPE kube_daemonset_created gauge +kube_daemonset_created{namespace="kube-system",daemonset="kube-proxy"} 1.597194033e+09 +kube_daemonset_created{namespace="kube-system",daemonset="kindnet"} 1.597194034e+09 +# HELP kube_daemonset_status_current_number_scheduled The number of nodes running at least one daemon pod and are supposed to. +# TYPE kube_daemonset_status_current_number_scheduled gauge +kube_daemonset_status_current_number_scheduled{namespace="kube-system",daemonset="kube-proxy"} 1 +kube_daemonset_status_current_number_scheduled{namespace="kube-system",daemonset="kindnet"} 1 +# HELP kube_daemonset_status_desired_number_scheduled The number of nodes that should be running the daemon pod. +# TYPE kube_daemonset_status_desired_number_scheduled gauge +kube_daemonset_status_desired_number_scheduled{namespace="kube-system",daemonset="kindnet"} 1 +kube_daemonset_status_desired_number_scheduled{namespace="kube-system",daemonset="kube-proxy"} 1 +# HELP kube_daemonset_status_number_available The number of nodes that should be running the daemon pod and have one or more of the daemon pod running and available +# TYPE kube_daemonset_status_number_available gauge +kube_daemonset_status_number_available{namespace="kube-system",daemonset="kindnet"} 1 +kube_daemonset_status_number_available{namespace="kube-system",daemonset="kube-proxy"} 1 +# HELP kube_daemonset_status_number_misscheduled The number of nodes running a daemon pod but are not supposed to. +# TYPE kube_daemonset_status_number_misscheduled gauge +kube_daemonset_status_number_misscheduled{namespace="kube-system",daemonset="kindnet"} 0 +kube_daemonset_status_number_misscheduled{namespace="kube-system",daemonset="kube-proxy"} 0 +# HELP kube_daemonset_status_number_ready The number of nodes that should be running the daemon pod and have one or more of the daemon pod running and ready. +# TYPE kube_daemonset_status_number_ready gauge +kube_daemonset_status_number_ready{namespace="kube-system",daemonset="kube-proxy"} 1 +kube_daemonset_status_number_ready{namespace="kube-system",daemonset="kindnet"} 1 +# HELP kube_daemonset_status_number_unavailable The number of nodes that should be running the daemon pod and have none of the daemon pod running and available +# TYPE kube_daemonset_status_number_unavailable gauge +kube_daemonset_status_number_unavailable{namespace="kube-system",daemonset="kindnet"} 0 +kube_daemonset_status_number_unavailable{namespace="kube-system",daemonset="kube-proxy"} 0 +# HELP kube_daemonset_status_observed_generation The most recent generation observed by the daemon set controller. +# TYPE kube_daemonset_status_observed_generation gauge +kube_daemonset_status_observed_generation{namespace="kube-system",daemonset="kindnet"} 1 +kube_daemonset_status_observed_generation{namespace="kube-system",daemonset="kube-proxy"} 1 +# HELP kube_daemonset_status_updated_number_scheduled The total number of nodes that are running updated daemon pod +# TYPE kube_daemonset_status_updated_number_scheduled gauge +kube_daemonset_status_updated_number_scheduled{namespace="kube-system",daemonset="kindnet"} 1 +kube_daemonset_status_updated_number_scheduled{namespace="kube-system",daemonset="kube-proxy"} 1 +# HELP kube_daemonset_metadata_generation Sequence number representing a specific generation of the desired state. +# TYPE kube_daemonset_metadata_generation gauge +kube_daemonset_metadata_generation{namespace="kube-system",daemonset="kube-proxy"} 1 +kube_daemonset_metadata_generation{namespace="kube-system",daemonset="kindnet"} 1 +# HELP kube_daemonset_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_daemonset_labels gauge +kube_daemonset_labels{namespace="kube-system",daemonset="kindnet",label_app="kindnet",label_k8s_app="kindnet",label_tier="node"} 1 +kube_daemonset_labels{namespace="kube-system",daemonset="kube-proxy",label_k8s_app="kube-proxy"} 1 +# HELP kube_deployment_created Unix creation timestamp +# TYPE kube_deployment_created gauge +kube_deployment_created{namespace="kube-system",deployment="coredns"} 1.597194033e+09 +kube_deployment_created{namespace="local-path-storage",deployment="local-path-provisioner"} 1.597194034e+09 +kube_deployment_created{namespace="kube-system",deployment="kube-state-metrics"} 1.597289948e+09 +# HELP kube_deployment_status_replicas The number of replicas per deployment. +# TYPE kube_deployment_status_replicas gauge +kube_deployment_status_replicas{namespace="local-path-storage",deployment="local-path-provisioner"} 1 +kube_deployment_status_replicas{namespace="kube-system",deployment="kube-state-metrics"} 1 +kube_deployment_status_replicas{namespace="kube-system",deployment="coredns"} 2 +# HELP kube_deployment_status_replicas_available The number of available replicas per deployment. +# TYPE kube_deployment_status_replicas_available gauge +kube_deployment_status_replicas_available{namespace="local-path-storage",deployment="local-path-provisioner"} 1 +kube_deployment_status_replicas_available{namespace="kube-system",deployment="kube-state-metrics"} 1 +kube_deployment_status_replicas_available{namespace="kube-system",deployment="coredns"} 2 +# HELP kube_deployment_status_replicas_unavailable The number of unavailable replicas per deployment. +# TYPE kube_deployment_status_replicas_unavailable gauge +kube_deployment_status_replicas_unavailable{namespace="local-path-storage",deployment="local-path-provisioner"} 0 +kube_deployment_status_replicas_unavailable{namespace="kube-system",deployment="kube-state-metrics"} 0 +kube_deployment_status_replicas_unavailable{namespace="kube-system",deployment="coredns"} 0 +# HELP kube_deployment_status_replicas_updated The number of updated replicas per deployment. +# TYPE kube_deployment_status_replicas_updated gauge +kube_deployment_status_replicas_updated{namespace="local-path-storage",deployment="local-path-provisioner"} 1 +kube_deployment_status_replicas_updated{namespace="kube-system",deployment="kube-state-metrics"} 1 +kube_deployment_status_replicas_updated{namespace="kube-system",deployment="coredns"} 2 +# HELP kube_deployment_status_observed_generation The generation observed by the deployment controller. +# TYPE kube_deployment_status_observed_generation gauge +kube_deployment_status_observed_generation{namespace="local-path-storage",deployment="local-path-provisioner"} 1 +kube_deployment_status_observed_generation{namespace="kube-system",deployment="kube-state-metrics"} 1 +kube_deployment_status_observed_generation{namespace="kube-system",deployment="coredns"} 1 +# HELP kube_deployment_status_condition The current status conditions of a deployment. +# TYPE kube_deployment_status_condition gauge +kube_deployment_status_condition{namespace="local-path-storage",deployment="local-path-provisioner",condition="Available",status="true"} 1 +kube_deployment_status_condition{namespace="local-path-storage",deployment="local-path-provisioner",condition="Available",status="false"} 0 +kube_deployment_status_condition{namespace="local-path-storage",deployment="local-path-provisioner",condition="Available",status="unknown"} 0 +kube_deployment_status_condition{namespace="local-path-storage",deployment="local-path-provisioner",condition="Progressing",status="true"} 1 +kube_deployment_status_condition{namespace="local-path-storage",deployment="local-path-provisioner",condition="Progressing",status="false"} 0 +kube_deployment_status_condition{namespace="local-path-storage",deployment="local-path-provisioner",condition="Progressing",status="unknown"} 0 +kube_deployment_status_condition{namespace="kube-system",deployment="kube-state-metrics",condition="Available",status="true"} 1 +kube_deployment_status_condition{namespace="kube-system",deployment="kube-state-metrics",condition="Available",status="false"} 0 +kube_deployment_status_condition{namespace="kube-system",deployment="kube-state-metrics",condition="Available",status="unknown"} 0 +kube_deployment_status_condition{namespace="kube-system",deployment="kube-state-metrics",condition="Progressing",status="true"} 1 +kube_deployment_status_condition{namespace="kube-system",deployment="kube-state-metrics",condition="Progressing",status="false"} 0 +kube_deployment_status_condition{namespace="kube-system",deployment="kube-state-metrics",condition="Progressing",status="unknown"} 0 +kube_deployment_status_condition{namespace="kube-system",deployment="coredns",condition="Available",status="true"} 1 +kube_deployment_status_condition{namespace="kube-system",deployment="coredns",condition="Available",status="false"} 0 +kube_deployment_status_condition{namespace="kube-system",deployment="coredns",condition="Available",status="unknown"} 0 +kube_deployment_status_condition{namespace="kube-system",deployment="coredns",condition="Progressing",status="true"} 1 +kube_deployment_status_condition{namespace="kube-system",deployment="coredns",condition="Progressing",status="false"} 0 +kube_deployment_status_condition{namespace="kube-system",deployment="coredns",condition="Progressing",status="unknown"} 0 +# HELP kube_deployment_spec_replicas Number of desired pods for a deployment. +# TYPE kube_deployment_spec_replicas gauge +kube_deployment_spec_replicas{namespace="kube-system",deployment="coredns"} 2 +kube_deployment_spec_replicas{namespace="local-path-storage",deployment="local-path-provisioner"} 1 +kube_deployment_spec_replicas{namespace="kube-system",deployment="kube-state-metrics"} 1 +# HELP kube_deployment_spec_paused Whether the deployment is paused and will not be processed by the deployment controller. +# TYPE kube_deployment_spec_paused gauge +kube_deployment_spec_paused{namespace="local-path-storage",deployment="local-path-provisioner"} 0 +kube_deployment_spec_paused{namespace="kube-system",deployment="kube-state-metrics"} 0 +kube_deployment_spec_paused{namespace="kube-system",deployment="coredns"} 0 +# HELP kube_deployment_spec_strategy_rollingupdate_max_unavailable Maximum number of unavailable replicas during a rolling update of a deployment. +# TYPE kube_deployment_spec_strategy_rollingupdate_max_unavailable gauge +kube_deployment_spec_strategy_rollingupdate_max_unavailable{namespace="local-path-storage",deployment="local-path-provisioner"} 0 +kube_deployment_spec_strategy_rollingupdate_max_unavailable{namespace="kube-system",deployment="kube-state-metrics"} 0 +kube_deployment_spec_strategy_rollingupdate_max_unavailable{namespace="kube-system",deployment="coredns"} 1 +# HELP kube_deployment_spec_strategy_rollingupdate_max_surge Maximum number of replicas that can be scheduled above the desired number of replicas during a rolling update of a deployment. +# TYPE kube_deployment_spec_strategy_rollingupdate_max_surge gauge +kube_deployment_spec_strategy_rollingupdate_max_surge{namespace="local-path-storage",deployment="local-path-provisioner"} 1 +kube_deployment_spec_strategy_rollingupdate_max_surge{namespace="kube-system",deployment="kube-state-metrics"} 1 +kube_deployment_spec_strategy_rollingupdate_max_surge{namespace="kube-system",deployment="coredns"} 1 +# HELP kube_deployment_metadata_generation Sequence number representing a specific generation of the desired state. +# TYPE kube_deployment_metadata_generation gauge +kube_deployment_metadata_generation{namespace="local-path-storage",deployment="local-path-provisioner"} 1 +kube_deployment_metadata_generation{namespace="kube-system",deployment="kube-state-metrics"} 1 +kube_deployment_metadata_generation{namespace="kube-system",deployment="coredns"} 1 +# HELP kube_deployment_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_deployment_labels gauge +kube_deployment_labels{namespace="local-path-storage",deployment="local-path-provisioner"} 1 +kube_deployment_labels{namespace="kube-system",deployment="kube-state-metrics",label_app_kubernetes_io_name="kube-state-metrics",label_app_kubernetes_io_version="1.9.7"} 1 +kube_deployment_labels{namespace="kube-system",deployment="coredns",label_k8s_app="kube-dns"} 1 +# HELP kube_endpoint_info Information about endpoint. +# TYPE kube_endpoint_info gauge +kube_endpoint_info{namespace="kube-system",endpoint="kube-state-metrics"} 1 +kube_endpoint_info{namespace="default",endpoint="kubernetes"} 1 +kube_endpoint_info{namespace="kube-system",endpoint="kube-controller-manager"} 1 +kube_endpoint_info{namespace="kube-system",endpoint="kube-dns"} 1 +kube_endpoint_info{namespace="kube-system",endpoint="kube-scheduler"} 1 +kube_endpoint_info{namespace="local-path-storage",endpoint="rancher.io-local-path"} 1 +# HELP kube_endpoint_created Unix creation timestamp +# TYPE kube_endpoint_created gauge +kube_endpoint_created{namespace="kube-system",endpoint="kube-state-metrics"} 1.597289948e+09 +kube_endpoint_created{namespace="default",endpoint="kubernetes"} 1.597194032e+09 +kube_endpoint_created{namespace="kube-system",endpoint="kube-controller-manager"} 1.597194034e+09 +kube_endpoint_created{namespace="kube-system",endpoint="kube-dns"} 1.597194051e+09 +kube_endpoint_created{namespace="kube-system",endpoint="kube-scheduler"} 1.597194033e+09 +kube_endpoint_created{namespace="local-path-storage",endpoint="rancher.io-local-path"} 1.597194091e+09 +# HELP kube_endpoint_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_endpoint_labels gauge +kube_endpoint_labels{namespace="kube-system",endpoint="kube-state-metrics",label_app_kubernetes_io_name="kube-state-metrics",label_app_kubernetes_io_version="1.9.7",label_service_kubernetes_io_headless=""} 1 +kube_endpoint_labels{namespace="default",endpoint="kubernetes"} 1 +kube_endpoint_labels{namespace="kube-system",endpoint="kube-controller-manager"} 1 +kube_endpoint_labels{namespace="kube-system",endpoint="kube-dns",label_k8s_app="kube-dns",label_kubernetes_io_cluster_service="true",label_kubernetes_io_name="KubeDNS"} 1 +kube_endpoint_labels{namespace="kube-system",endpoint="kube-scheduler"} 1 +kube_endpoint_labels{namespace="local-path-storage",endpoint="rancher.io-local-path"} 1 +# HELP kube_endpoint_address_available Number of addresses available in endpoint. +# TYPE kube_endpoint_address_available gauge +kube_endpoint_address_available{namespace="default",endpoint="kubernetes"} 1 +kube_endpoint_address_available{namespace="kube-system",endpoint="kube-controller-manager"} 0 +kube_endpoint_address_available{namespace="kube-system",endpoint="kube-dns"} 6 +kube_endpoint_address_available{namespace="kube-system",endpoint="kube-scheduler"} 0 +kube_endpoint_address_available{namespace="local-path-storage",endpoint="rancher.io-local-path"} 0 +kube_endpoint_address_available{namespace="kube-system",endpoint="kube-state-metrics"} 2 +# HELP kube_endpoint_address_not_ready Number of addresses not ready in endpoint +# TYPE kube_endpoint_address_not_ready gauge +kube_endpoint_address_not_ready{namespace="kube-system",endpoint="kube-state-metrics"} 0 +kube_endpoint_address_not_ready{namespace="default",endpoint="kubernetes"} 0 +kube_endpoint_address_not_ready{namespace="kube-system",endpoint="kube-controller-manager"} 0 +kube_endpoint_address_not_ready{namespace="kube-system",endpoint="kube-dns"} 0 +kube_endpoint_address_not_ready{namespace="kube-system",endpoint="kube-scheduler"} 0 +kube_endpoint_address_not_ready{namespace="local-path-storage",endpoint="rancher.io-local-path"} 0 +# HELP kube_horizontalpodautoscaler_metadata_generation The generation observed by the HorizontalPodAutoscaler controller. +# TYPE kube_horizontalpodautoscaler_metadata_generation gauge +# HELP kube_horizontalpodautoscaler_spec_max_replicas Upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas. +# TYPE kube_horizontalpodautoscaler_spec_max_replicas gauge +# HELP kube_horizontalpodautoscaler_spec_min_replicas Lower limit for the number of pods that can be set by the autoscaler, default 1. +# TYPE kube_horizontalpodautoscaler_spec_min_replicas gauge +# HELP kube_horizontalpodautoscaler_spec_target_metric The metric specifications used by this autoscaler when calculating the desired replica count. +# TYPE kube_horizontalpodautoscaler_spec_target_metric gauge +# HELP kube_horizontalpodautoscaler_status_current_replicas Current number of replicas of pods managed by this autoscaler. +# TYPE kube_horizontalpodautoscaler_status_current_replicas gauge +# HELP kube_horizontalpodautoscaler_status_desired_replicas Desired number of replicas of pods managed by this autoscaler. +# TYPE kube_horizontalpodautoscaler_status_desired_replicas gauge +# HELP kube_horizontalpodautoscaler_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_horizontalpodautoscaler_labels gauge +# HELP kube_horizontalpodautoscaler_status_condition The condition of this autoscaler. +# TYPE kube_horizontalpodautoscaler_status_condition gauge +# HELP kube_ingress_info Information about ingress. +# TYPE kube_ingress_info gauge +# HELP kube_ingress_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_ingress_labels gauge +# HELP kube_ingress_created Unix creation timestamp +# TYPE kube_ingress_created gauge +# HELP kube_ingress_metadata_resource_version Resource version representing a specific version of ingress. +# TYPE kube_ingress_metadata_resource_version gauge +# HELP kube_ingress_path Ingress host, paths and backend service information. +# TYPE kube_ingress_path gauge +# HELP kube_ingress_tls Ingress TLS host and secret information. +# TYPE kube_ingress_tls gauge +# HELP kube_job_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_job_labels gauge +# HELP kube_job_info Information about job. +# TYPE kube_job_info gauge +# HELP kube_job_created Unix creation timestamp +# TYPE kube_job_created gauge +# HELP kube_job_spec_parallelism The maximum desired number of pods the job should run at any given time. +# TYPE kube_job_spec_parallelism gauge +# HELP kube_job_spec_completions The desired number of successfully finished pods the job should be run with. +# TYPE kube_job_spec_completions gauge +# HELP kube_job_spec_active_deadline_seconds The duration in seconds relative to the startTime that the job may be active before the system tries to terminate it. +# TYPE kube_job_spec_active_deadline_seconds gauge +# HELP kube_job_status_succeeded The number of pods which reached Phase Succeeded. +# TYPE kube_job_status_succeeded gauge +# HELP kube_job_status_failed The number of pods which reached Phase Failed. +# TYPE kube_job_status_failed gauge +# HELP kube_job_status_active The number of actively running pods. +# TYPE kube_job_status_active gauge +# HELP kube_job_complete The job has completed its execution. +# TYPE kube_job_complete gauge +# HELP kube_job_failed The job has failed its execution. +# TYPE kube_job_failed gauge +# HELP kube_job_status_start_time StartTime represents time when the job was acknowledged by the Job Manager. +# TYPE kube_job_status_start_time gauge +# HELP kube_job_status_completion_time CompletionTime represents time when the job was completed. +# TYPE kube_job_status_completion_time gauge +# HELP kube_job_owner Information about the Job's owner. +# TYPE kube_job_owner gauge +# HELP kube_lease_owner Information about the Lease's owner. +# TYPE kube_lease_owner gauge +kube_lease_owner{lease="kind-control-plane",owner_kind="Node",owner_name="kind-control-plane"} 1 +# HELP kube_lease_renew_time Kube lease renew time. +# TYPE kube_lease_renew_time gauge +kube_lease_renew_time{lease="kind-control-plane"} 1.597382452e+09 +# HELP kube_limitrange Information about limit range. +# TYPE kube_limitrange gauge +# HELP kube_limitrange_created Unix creation timestamp +# TYPE kube_limitrange_created gauge +# HELP kube_mutatingwebhookconfiguration_info Information about the MutatingWebhookConfiguration. +# TYPE kube_mutatingwebhookconfiguration_info gauge +# HELP kube_mutatingwebhookconfiguration_created Unix creation timestamp. +# TYPE kube_mutatingwebhookconfiguration_created gauge +# HELP kube_mutatingwebhookconfiguration_metadata_resource_version Resource version representing a specific version of the MutatingWebhookConfiguration. +# TYPE kube_mutatingwebhookconfiguration_metadata_resource_version gauge +# HELP kube_namespace_created Unix creation timestamp +# TYPE kube_namespace_created gauge +kube_namespace_created{namespace="kube-public"} 1.59719403e+09 +kube_namespace_created{namespace="kube-system"} 1.59719403e+09 +kube_namespace_created{namespace="local-path-storage"} 1.597194034e+09 +kube_namespace_created{namespace="default"} 1.597194032e+09 +kube_namespace_created{namespace="kube-node-lease"} 1.59719403e+09 +# HELP kube_namespace_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_namespace_labels gauge +kube_namespace_labels{namespace="kube-system"} 1 +kube_namespace_labels{namespace="local-path-storage"} 1 +kube_namespace_labels{namespace="default"} 1 +kube_namespace_labels{namespace="kube-node-lease"} 1 +kube_namespace_labels{namespace="kube-public"} 1 +# HELP kube_namespace_status_phase kubernetes namespace status phase. +# TYPE kube_namespace_status_phase gauge +kube_namespace_status_phase{namespace="kube-node-lease",phase="Active"} 1 +kube_namespace_status_phase{namespace="kube-node-lease",phase="Terminating"} 0 +kube_namespace_status_phase{namespace="kube-public",phase="Active"} 1 +kube_namespace_status_phase{namespace="kube-public",phase="Terminating"} 0 +kube_namespace_status_phase{namespace="kube-system",phase="Active"} 1 +kube_namespace_status_phase{namespace="kube-system",phase="Terminating"} 0 +kube_namespace_status_phase{namespace="local-path-storage",phase="Active"} 1 +kube_namespace_status_phase{namespace="local-path-storage",phase="Terminating"} 0 +kube_namespace_status_phase{namespace="default",phase="Active"} 1 +kube_namespace_status_phase{namespace="default",phase="Terminating"} 0 +# HELP kube_namespace_status_condition The condition of a namespace. +# TYPE kube_namespace_status_condition gauge +# HELP kube_networkpolicy_created Unix creation timestamp of network policy +# TYPE kube_networkpolicy_created gauge +# HELP kube_networkpolicy_labels Kubernetes labels converted to Prometheus labels +# TYPE kube_networkpolicy_labels gauge +# HELP kube_networkpolicy_spec_ingress_rules Number of ingress rules on the networkpolicy +# TYPE kube_networkpolicy_spec_ingress_rules gauge +# HELP kube_networkpolicy_spec_egress_rules Number of egress rules on the networkpolicy +# TYPE kube_networkpolicy_spec_egress_rules gauge +# HELP kube_node_info Information about a cluster node. +# TYPE kube_node_info gauge +kube_node_info{node="kind-control-plane",kernel_version="5.7.12-arch1-1",os_image="Ubuntu 19.10",container_runtime_version="containerd://1.3.3-14-g449e9269",kubelet_version="v1.18.2",kubeproxy_version="v1.18.2",provider_id="",pod_cidr="10.244.0.0/24",internal_ip="172.20.0.2"} 1 +# HELP kube_node_created Unix creation timestamp +# TYPE kube_node_created gauge +kube_node_created{node="kind-control-plane"} 1.59719403e+09 +# HELP kube_node_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_node_labels gauge +kube_node_labels{node="kind-control-plane",label_beta_kubernetes_io_arch="amd64",label_beta_kubernetes_io_os="linux",label_kubernetes_io_arch="amd64",label_kubernetes_io_hostname="kind-control-plane",label_kubernetes_io_os="linux",label_node_role_kubernetes_io_master=""} 1 +# HELP kube_node_role The role of a cluster node. +# TYPE kube_node_role gauge +kube_node_role{node="kind-control-plane",role="master"} 1 +# HELP kube_node_spec_unschedulable Whether a node can schedule new pods. +# TYPE kube_node_spec_unschedulable gauge +kube_node_spec_unschedulable{node="kind-control-plane"} 0 +# HELP kube_node_spec_taint The taint of a cluster node. +# TYPE kube_node_spec_taint gauge +# HELP kube_node_status_condition The condition of a cluster node. +# TYPE kube_node_status_condition gauge +kube_node_status_condition{node="kind-control-plane",condition="MemoryPressure",status="true"} 0 +kube_node_status_condition{node="kind-control-plane",condition="MemoryPressure",status="false"} 1 +kube_node_status_condition{node="kind-control-plane",condition="MemoryPressure",status="unknown"} 0 +kube_node_status_condition{node="kind-control-plane",condition="DiskPressure",status="true"} 0 +kube_node_status_condition{node="kind-control-plane",condition="DiskPressure",status="false"} 1 +kube_node_status_condition{node="kind-control-plane",condition="DiskPressure",status="unknown"} 0 +kube_node_status_condition{node="kind-control-plane",condition="PIDPressure",status="true"} 0 +kube_node_status_condition{node="kind-control-plane",condition="PIDPressure",status="false"} 1 +kube_node_status_condition{node="kind-control-plane",condition="PIDPressure",status="unknown"} 0 +kube_node_status_condition{node="kind-control-plane",condition="Ready",status="true"} 1 +kube_node_status_condition{node="kind-control-plane",condition="Ready",status="false"} 0 +kube_node_status_condition{node="kind-control-plane",condition="Ready",status="unknown"} 0 +# HELP kube_node_status_capacity The capacity for different resources of a node. +# TYPE kube_node_status_capacity gauge +kube_node_status_capacity{node="kind-control-plane",resource="cpu",unit="core"} 6 +kube_node_status_capacity{node="kind-control-plane",resource="ephemeral_storage",unit="byte"} 1.006526459904e+12 +kube_node_status_capacity{node="kind-control-plane",resource="hugepages_1Gi",unit="byte"} 0 +kube_node_status_capacity{node="kind-control-plane",resource="hugepages_2Mi",unit="byte"} 0 +kube_node_status_capacity{node="kind-control-plane",resource="memory",unit="byte"} 6.632820736e+10 +kube_node_status_capacity{node="kind-control-plane",resource="pods",unit="integer"} 110 +# HELP kube_node_status_allocatable The allocatable for different resources of a node that are available for scheduling. +# TYPE kube_node_status_allocatable gauge +kube_node_status_allocatable{node="kind-control-plane",resource="memory",unit="byte"} 6.632820736e+10 +kube_node_status_allocatable{node="kind-control-plane",resource="pods",unit="integer"} 110 +kube_node_status_allocatable{node="kind-control-plane",resource="cpu",unit="core"} 6 +kube_node_status_allocatable{node="kind-control-plane",resource="ephemeral_storage",unit="byte"} 1.006526459904e+12 +kube_node_status_allocatable{node="kind-control-plane",resource="hugepages_1Gi",unit="byte"} 0 +kube_node_status_allocatable{node="kind-control-plane",resource="hugepages_2Mi",unit="byte"} 0 +# HELP kube_persistentvolumeclaim_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_persistentvolumeclaim_labels gauge +kube_persistentvolumeclaim_labels{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-1",label_app="elasticsearch-master"} 1 +kube_persistentvolumeclaim_labels{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-2",label_app="elasticsearch-master"} 1 +kube_persistentvolumeclaim_labels{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-0",label_app="elasticsearch-master"} 1 +# HELP kube_persistentvolumeclaim_info Information about persistent volume claim. +# TYPE kube_persistentvolumeclaim_info gauge +kube_persistentvolumeclaim_info{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-0",storageclass="standard",volumename="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b"} 1 +kube_persistentvolumeclaim_info{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-1",storageclass="standard",volumename=""} 1 +kube_persistentvolumeclaim_info{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-2",storageclass="standard",volumename=""} 1 +# HELP kube_persistentvolumeclaim_status_phase The phase the persistent volume claim is currently in. +# TYPE kube_persistentvolumeclaim_status_phase gauge +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-1",phase="Lost"} 0 +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-1",phase="Bound"} 0 +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-1",phase="Pending"} 1 +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-2",phase="Lost"} 0 +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-2",phase="Bound"} 0 +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-2",phase="Pending"} 1 +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-0",phase="Lost"} 0 +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-0",phase="Bound"} 1 +kube_persistentvolumeclaim_status_phase{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-0",phase="Pending"} 0 +# HELP kube_persistentvolumeclaim_resource_requests_storage_bytes The capacity of storage requested by the persistent volume claim. +# TYPE kube_persistentvolumeclaim_resource_requests_storage_bytes gauge +kube_persistentvolumeclaim_resource_requests_storage_bytes{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-0"} 3.221225472e+10 +kube_persistentvolumeclaim_resource_requests_storage_bytes{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-1"} 3.221225472e+10 +kube_persistentvolumeclaim_resource_requests_storage_bytes{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-2"} 3.221225472e+10 +# HELP kube_persistentvolumeclaim_access_mode The access mode(s) specified by the persistent volume claim. +# TYPE kube_persistentvolumeclaim_access_mode gauge +kube_persistentvolumeclaim_access_mode{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-0",access_mode="ReadWriteOnce"} 1 +kube_persistentvolumeclaim_access_mode{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-1",access_mode="ReadWriteOnce"} 1 +kube_persistentvolumeclaim_access_mode{namespace="default",persistentvolumeclaim="elasticsearch-master-elasticsearch-master-2",access_mode="ReadWriteOnce"} 1 +# HELP kube_persistentvolumeclaim_status_condition Information about status of different conditions of persistent volume claim. +# TYPE kube_persistentvolumeclaim_status_condition gauge +# HELP kube_persistentvolume_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_persistentvolume_labels gauge +kube_persistentvolume_labels{persistentvolume="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b"} 1 +# HELP kube_persistentvolume_status_phase The phase indicates if a volume is available, bound to a claim, or released by a claim. +# TYPE kube_persistentvolume_status_phase gauge +kube_persistentvolume_status_phase{persistentvolume="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b",phase="Pending"} 0 +kube_persistentvolume_status_phase{persistentvolume="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b",phase="Available"} 0 +kube_persistentvolume_status_phase{persistentvolume="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b",phase="Bound"} 1 +kube_persistentvolume_status_phase{persistentvolume="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b",phase="Released"} 0 +kube_persistentvolume_status_phase{persistentvolume="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b",phase="Failed"} 0 +# HELP kube_persistentvolume_info Information about persistentvolume. +# TYPE kube_persistentvolume_info gauge +kube_persistentvolume_info{persistentvolume="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b",storageclass="standard",gce_persistent_disk_name="",ebs_volume_id=""} 1 +# HELP kube_persistentvolume_capacity_bytes Persistentvolume capacity in bytes. +# TYPE kube_persistentvolume_capacity_bytes gauge +kube_persistentvolume_capacity_bytes{persistentvolume="pvc-ed5e27b1-2f07-4fd0-9a64-8035b202a35b"} 3.221225472e+10 +# HELP kube_poddisruptionbudget_created Unix creation timestamp +# TYPE kube_poddisruptionbudget_created gauge +# HELP kube_poddisruptionbudget_status_current_healthy Current number of healthy pods +# TYPE kube_poddisruptionbudget_status_current_healthy gauge +# HELP kube_poddisruptionbudget_status_desired_healthy Minimum desired number of healthy pods +# TYPE kube_poddisruptionbudget_status_desired_healthy gauge +# HELP kube_poddisruptionbudget_status_pod_disruptions_allowed Number of pod disruptions that are currently allowed +# TYPE kube_poddisruptionbudget_status_pod_disruptions_allowed gauge +# HELP kube_poddisruptionbudget_status_expected_pods Total number of pods counted by this disruption budget +# TYPE kube_poddisruptionbudget_status_expected_pods gauge +# HELP kube_poddisruptionbudget_status_observed_generation Most recent generation observed when updating this PDB status +# TYPE kube_poddisruptionbudget_status_observed_generation gauge +# HELP kube_pod_info Information about pod. +# TYPE kube_pod_info gauge +kube_pod_info{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",host_ip="172.20.0.2",pod_ip="172.20.0.2",uid="57eea2c6-4a8c-4ba9-9a2d-8251371d9cb1",node="kind-control-plane",created_by_kind="Node",created_by_name="kind-control-plane",priority_class="system-cluster-critical",host_network="true"} 1 +kube_pod_info{namespace="kube-system",pod="coredns-66bff467f8-29ms4",host_ip="172.20.0.2",pod_ip="10.244.0.5",uid="f3c8b454-1396-4c2e-8ceb-4350e27316b7",node="kind-control-plane",created_by_kind="ReplicaSet",created_by_name="coredns-66bff467f8",priority_class="system-cluster-critical",host_network="false"} 1 +kube_pod_info{namespace="kube-system",pod="kube-proxy-47h5s",host_ip="172.20.0.2",pod_ip="172.20.0.2",uid="6d9c3e8c-cea1-478b-940e-0f8707d23c03",node="kind-control-plane",created_by_kind="DaemonSet",created_by_name="kube-proxy",priority_class="system-node-critical",host_network="true"} 1 +kube_pod_info{namespace="kube-system",pod="kube-scheduler-kind-control-plane",host_ip="172.20.0.2",pod_ip="172.20.0.2",uid="c81f8188-cbd0-4ce0-b630-8fc55c44c987",node="kind-control-plane",created_by_kind="Node",created_by_name="kind-control-plane",priority_class="system-cluster-critical",host_network="true"} 1 +kube_pod_info{namespace="kube-system",pod="etcd-kind-control-plane",host_ip="172.20.0.2",pod_ip="172.20.0.2",uid="3a1969e5-3de7-4bdb-ae70-d9e353f8ce39",node="kind-control-plane",created_by_kind="Node",created_by_name="kind-control-plane",priority_class="system-cluster-critical",host_network="true"} 1 +kube_pod_info{namespace="kube-system",pod="kube-apiserver-kind-control-plane",host_ip="172.20.0.2",pod_ip="172.20.0.2",uid="69f1035b-05c7-439b-aad5-fbd520ccd541",node="kind-control-plane",created_by_kind="Node",created_by_name="kind-control-plane",priority_class="system-cluster-critical",host_network="true"} 1 +kube_pod_info{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",host_ip="172.20.0.2",pod_ip="10.244.0.4",uid="39d790bf-9a0a-447b-9e27-200160c4695d",node="kind-control-plane",created_by_kind="ReplicaSet",created_by_name="coredns-66bff467f8",priority_class="system-cluster-critical",host_network="false"} 1 +kube_pod_info{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",host_ip="172.20.0.2",pod_ip="10.244.0.2",uid="39275f72-c1f0-4556-a922-49e50dc0638a",node="kind-control-plane",created_by_kind="ReplicaSet",created_by_name="local-path-provisioner-bd4bb6b75",priority_class="",host_network="false"} 1 +kube_pod_info{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",host_ip="172.20.0.2",pod_ip="10.244.0.6",uid="0cfacb71-ecc2-4807-ac6d-4f8705bb8e35",node="kind-control-plane",created_by_kind="ReplicaSet",created_by_name="kube-state-metrics-5c5cb55b4",priority_class="",host_network="false"} 1 +kube_pod_info{namespace="kube-system",pod="kindnet-9zfls",host_ip="172.20.0.2",pod_ip="172.20.0.2",uid="d745c5f7-bbe8-4511-aef3-798f5def368e",node="kind-control-plane",created_by_kind="DaemonSet",created_by_name="kindnet",priority_class="",host_network="true"} 1 +# HELP kube_pod_start_time Start time in unix timestamp for a pod. +# TYPE kube_pod_start_time gauge +kube_pod_start_time{namespace="kube-system",pod="kube-apiserver-kind-control-plane"} 1.597197855e+09 +kube_pod_start_time{namespace="kube-system",pod="kube-controller-manager-kind-control-plane"} 1.597197855e+09 +kube_pod_start_time{namespace="kube-system",pod="coredns-66bff467f8-29ms4"} 1.597194089e+09 +kube_pod_start_time{namespace="kube-system",pod="kube-proxy-47h5s"} 1.597194051e+09 +kube_pod_start_time{namespace="kube-system",pod="kube-scheduler-kind-control-plane"} 1.597197855e+09 +kube_pod_start_time{namespace="kube-system",pod="etcd-kind-control-plane"} 1.597197855e+09 +kube_pod_start_time{namespace="kube-system",pod="kindnet-9zfls"} 1.597194051e+09 +kube_pod_start_time{namespace="kube-system",pod="coredns-66bff467f8-vlcsv"} 1.597194092e+09 +kube_pod_start_time{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn"} 1.597194089e+09 +kube_pod_start_time{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx"} 1.597289949e+09 +# HELP kube_pod_container_state_started Start time in unix timestamp for a pod container. +# TYPE kube_pod_container_state_started gauge +kube_pod_container_state_started{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics"} 1.597289959e+09 +kube_pod_container_state_started{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 1.597197871e+09 +kube_pod_container_state_started{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 1.597197885e+09 +kube_pod_container_state_started{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner"} 1.597197874e+09 +kube_pod_container_state_started{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd"} 1.597197856e+09 +kube_pod_container_state_started{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver"} 1.597197856e+09 +kube_pod_container_state_started{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager"} 1.597197856e+09 +kube_pod_container_state_started{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 1.597197879e+09 +kube_pod_container_state_started{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy"} 1.59719786e+09 +kube_pod_container_state_started{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler"} 1.597197856e+09 +# HELP kube_pod_completion_time Completion time in unix timestamp for a pod. +# TYPE kube_pod_completion_time gauge +# HELP kube_pod_owner Information about the Pod's owner. +# TYPE kube_pod_owner gauge +kube_pod_owner{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",owner_kind="ReplicaSet",owner_name="kube-state-metrics-5c5cb55b4",owner_is_controller="true"} 1 +kube_pod_owner{namespace="kube-system",pod="kindnet-9zfls",owner_kind="DaemonSet",owner_name="kindnet",owner_is_controller="true"} 1 +kube_pod_owner{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",owner_kind="ReplicaSet",owner_name="coredns-66bff467f8",owner_is_controller="true"} 1 +kube_pod_owner{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",owner_kind="ReplicaSet",owner_name="local-path-provisioner-bd4bb6b75",owner_is_controller="true"} 1 +kube_pod_owner{namespace="kube-system",pod="kube-scheduler-kind-control-plane",owner_kind="Node",owner_name="kind-control-plane",owner_is_controller="true"} 1 +kube_pod_owner{namespace="kube-system",pod="etcd-kind-control-plane",owner_kind="Node",owner_name="kind-control-plane",owner_is_controller="true"} 1 +kube_pod_owner{namespace="kube-system",pod="kube-apiserver-kind-control-plane",owner_kind="Node",owner_name="kind-control-plane",owner_is_controller="true"} 1 +kube_pod_owner{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",owner_kind="Node",owner_name="kind-control-plane",owner_is_controller="true"} 1 +kube_pod_owner{namespace="kube-system",pod="coredns-66bff467f8-29ms4",owner_kind="ReplicaSet",owner_name="coredns-66bff467f8",owner_is_controller="true"} 1 +kube_pod_owner{namespace="kube-system",pod="kube-proxy-47h5s",owner_kind="DaemonSet",owner_name="kube-proxy",owner_is_controller="true"} 1 +# HELP kube_pod_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_pod_labels gauge +kube_pod_labels{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",label_app_kubernetes_io_name="kube-state-metrics",label_app_kubernetes_io_version="1.9.7",label_pod_template_hash="5c5cb55b4"} 1 +kube_pod_labels{namespace="kube-system",pod="kindnet-9zfls",label_app="kindnet",label_controller_revision_hash="7968cb6854",label_k8s_app="kindnet",label_pod_template_generation="1",label_tier="node"} 1 +kube_pod_labels{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",label_k8s_app="kube-dns",label_pod_template_hash="66bff467f8"} 1 +kube_pod_labels{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",label_app="local-path-provisioner",label_pod_template_hash="bd4bb6b75"} 1 +kube_pod_labels{namespace="kube-system",pod="etcd-kind-control-plane",label_component="etcd",label_tier="control-plane"} 1 +kube_pod_labels{namespace="kube-system",pod="kube-apiserver-kind-control-plane",label_component="kube-apiserver",label_tier="control-plane"} 1 +kube_pod_labels{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",label_component="kube-controller-manager",label_tier="control-plane"} 1 +kube_pod_labels{namespace="kube-system",pod="coredns-66bff467f8-29ms4",label_k8s_app="kube-dns",label_pod_template_hash="66bff467f8"} 1 +kube_pod_labels{namespace="kube-system",pod="kube-proxy-47h5s",label_controller_revision_hash="5f7b7d4f89",label_k8s_app="kube-proxy",label_pod_template_generation="1"} 1 +kube_pod_labels{namespace="kube-system",pod="kube-scheduler-kind-control-plane",label_component="kube-scheduler",label_tier="control-plane"} 1 +# HELP kube_pod_created Unix creation timestamp +# TYPE kube_pod_created gauge +kube_pod_created{namespace="kube-system",pod="etcd-kind-control-plane"} 1.59719404e+09 +kube_pod_created{namespace="kube-system",pod="kube-apiserver-kind-control-plane"} 1.597194039e+09 +kube_pod_created{namespace="kube-system",pod="kube-controller-manager-kind-control-plane"} 1.597194039e+09 +kube_pod_created{namespace="kube-system",pod="coredns-66bff467f8-29ms4"} 1.597194051e+09 +kube_pod_created{namespace="kube-system",pod="kube-proxy-47h5s"} 1.597194051e+09 +kube_pod_created{namespace="kube-system",pod="kube-scheduler-kind-control-plane"} 1.59719404e+09 +kube_pod_created{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx"} 1.597289949e+09 +kube_pod_created{namespace="kube-system",pod="kindnet-9zfls"} 1.597194051e+09 +kube_pod_created{namespace="kube-system",pod="coredns-66bff467f8-vlcsv"} 1.597194051e+09 +kube_pod_created{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn"} 1.597194051e+09 +# HELP kube_pod_deletion_timestamp Unix deletion timestamp +# TYPE kube_pod_deletion_timestamp gauge +# HELP kube_pod_restart_policy Describes the restart policy in use by this pod. +# TYPE kube_pod_restart_policy gauge +kube_pod_restart_policy{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",type="Always"} 1 +kube_pod_restart_policy{namespace="kube-system",pod="kindnet-9zfls",type="Always"} 1 +kube_pod_restart_policy{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",type="Always"} 1 +kube_pod_restart_policy{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",type="Always"} 1 +kube_pod_restart_policy{namespace="kube-system",pod="etcd-kind-control-plane",type="Always"} 1 +kube_pod_restart_policy{namespace="kube-system",pod="kube-apiserver-kind-control-plane",type="Always"} 1 +kube_pod_restart_policy{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",type="Always"} 1 +kube_pod_restart_policy{namespace="kube-system",pod="coredns-66bff467f8-29ms4",type="Always"} 1 +kube_pod_restart_policy{namespace="kube-system",pod="kube-proxy-47h5s",type="Always"} 1 +kube_pod_restart_policy{namespace="kube-system",pod="kube-scheduler-kind-control-plane",type="Always"} 1 +# HELP kube_pod_status_scheduled_time Unix timestamp when pod moved into scheduled status +# TYPE kube_pod_status_scheduled_time gauge +kube_pod_status_scheduled_time{namespace="kube-system",pod="coredns-66bff467f8-29ms4"} 1.597194089e+09 +kube_pod_status_scheduled_time{namespace="kube-system",pod="kube-proxy-47h5s"} 1.597194051e+09 +kube_pod_status_scheduled_time{namespace="kube-system",pod="kube-scheduler-kind-control-plane"} 1.597197855e+09 +kube_pod_status_scheduled_time{namespace="kube-system",pod="etcd-kind-control-plane"} 1.597197855e+09 +kube_pod_status_scheduled_time{namespace="kube-system",pod="kube-apiserver-kind-control-plane"} 1.597197855e+09 +kube_pod_status_scheduled_time{namespace="kube-system",pod="kube-controller-manager-kind-control-plane"} 1.597197855e+09 +kube_pod_status_scheduled_time{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx"} 1.597289949e+09 +kube_pod_status_scheduled_time{namespace="kube-system",pod="kindnet-9zfls"} 1.597194051e+09 +kube_pod_status_scheduled_time{namespace="kube-system",pod="coredns-66bff467f8-vlcsv"} 1.597194092e+09 +kube_pod_status_scheduled_time{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn"} 1.597194089e+09 +# HELP kube_pod_status_unschedulable Describes the unschedulable status for the pod. +# TYPE kube_pod_status_unschedulable gauge +# HELP kube_pod_status_phase The pods current phase. +# TYPE kube_pod_status_phase gauge +kube_pod_status_phase{namespace="kube-system",pod="kube-proxy-47h5s",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-proxy-47h5s",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-proxy-47h5s",phase="Failed"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-proxy-47h5s",phase="Unknown"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-proxy-47h5s",phase="Running"} 1 +kube_pod_status_phase{namespace="kube-system",pod="kube-scheduler-kind-control-plane",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-scheduler-kind-control-plane",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-scheduler-kind-control-plane",phase="Failed"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-scheduler-kind-control-plane",phase="Unknown"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-scheduler-kind-control-plane",phase="Running"} 1 +kube_pod_status_phase{namespace="kube-system",pod="etcd-kind-control-plane",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="etcd-kind-control-plane",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="etcd-kind-control-plane",phase="Failed"} 0 +kube_pod_status_phase{namespace="kube-system",pod="etcd-kind-control-plane",phase="Unknown"} 0 +kube_pod_status_phase{namespace="kube-system",pod="etcd-kind-control-plane",phase="Running"} 1 +kube_pod_status_phase{namespace="kube-system",pod="kube-apiserver-kind-control-plane",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-apiserver-kind-control-plane",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-apiserver-kind-control-plane",phase="Failed"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-apiserver-kind-control-plane",phase="Unknown"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-apiserver-kind-control-plane",phase="Running"} 1 +kube_pod_status_phase{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",phase="Failed"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",phase="Unknown"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",phase="Running"} 1 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-29ms4",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-29ms4",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-29ms4",phase="Failed"} 0 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-29ms4",phase="Unknown"} 0 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-29ms4",phase="Running"} 1 +kube_pod_status_phase{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",phase="Failed"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",phase="Unknown"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",phase="Running"} 1 +kube_pod_status_phase{namespace="kube-system",pod="kindnet-9zfls",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kindnet-9zfls",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kindnet-9zfls",phase="Failed"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kindnet-9zfls",phase="Unknown"} 0 +kube_pod_status_phase{namespace="kube-system",pod="kindnet-9zfls",phase="Running"} 1 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",phase="Pending"} 0 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",phase="Failed"} 0 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",phase="Unknown"} 0 +kube_pod_status_phase{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",phase="Running"} 1 +kube_pod_status_phase{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",phase="Pending"} 0 +kube_pod_status_phase{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",phase="Succeeded"} 0 +kube_pod_status_phase{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",phase="Failed"} 0 +kube_pod_status_phase{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",phase="Unknown"} 0 +kube_pod_status_phase{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",phase="Running"} 1 +# HELP kube_pod_status_ready Describes whether the pod is ready to serve requests. +# TYPE kube_pod_status_ready gauge +kube_pod_status_ready{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",condition="unknown"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kindnet-9zfls",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="kindnet-9zfls",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kindnet-9zfls",condition="unknown"} 0 +kube_pod_status_ready{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",condition="unknown"} 0 +kube_pod_status_ready{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",condition="true"} 1 +kube_pod_status_ready{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",condition="false"} 0 +kube_pod_status_ready{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",condition="unknown"} 0 +kube_pod_status_ready{namespace="kube-system",pod="etcd-kind-control-plane",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="etcd-kind-control-plane",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="etcd-kind-control-plane",condition="unknown"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kube-apiserver-kind-control-plane",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="kube-apiserver-kind-control-plane",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kube-apiserver-kind-control-plane",condition="unknown"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",condition="unknown"} 0 +kube_pod_status_ready{namespace="kube-system",pod="coredns-66bff467f8-29ms4",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="coredns-66bff467f8-29ms4",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="coredns-66bff467f8-29ms4",condition="unknown"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kube-proxy-47h5s",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="kube-proxy-47h5s",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kube-proxy-47h5s",condition="unknown"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kube-scheduler-kind-control-plane",condition="true"} 1 +kube_pod_status_ready{namespace="kube-system",pod="kube-scheduler-kind-control-plane",condition="false"} 0 +kube_pod_status_ready{namespace="kube-system",pod="kube-scheduler-kind-control-plane",condition="unknown"} 0 +# HELP kube_pod_status_scheduled Describes the status of the scheduling process for the pod. +# TYPE kube_pod_status_scheduled gauge +kube_pod_status_scheduled{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",condition="unknown"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kindnet-9zfls",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="kindnet-9zfls",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kindnet-9zfls",condition="unknown"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",condition="unknown"} 0 +kube_pod_status_scheduled{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",condition="true"} 1 +kube_pod_status_scheduled{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",condition="false"} 0 +kube_pod_status_scheduled{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",condition="unknown"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-proxy-47h5s",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-proxy-47h5s",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-proxy-47h5s",condition="unknown"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-scheduler-kind-control-plane",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-scheduler-kind-control-plane",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-scheduler-kind-control-plane",condition="unknown"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="etcd-kind-control-plane",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="etcd-kind-control-plane",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="etcd-kind-control-plane",condition="unknown"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-apiserver-kind-control-plane",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-apiserver-kind-control-plane",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-apiserver-kind-control-plane",condition="unknown"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",condition="unknown"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="coredns-66bff467f8-29ms4",condition="true"} 1 +kube_pod_status_scheduled{namespace="kube-system",pod="coredns-66bff467f8-29ms4",condition="false"} 0 +kube_pod_status_scheduled{namespace="kube-system",pod="coredns-66bff467f8-29ms4",condition="unknown"} 0 +# HELP kube_pod_status_reason The pod status reasons +# TYPE kube_pod_status_reason gauge +kube_pod_status_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",reason="Evicted"} 0 +kube_pod_status_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-proxy-47h5s",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-proxy-47h5s",reason="Evicted"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-proxy-47h5s",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",reason="Evicted"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="kube-system",pod="etcd-kind-control-plane",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="etcd-kind-control-plane",reason="Evicted"} 0 +kube_pod_status_reason{namespace="kube-system",pod="etcd-kind-control-plane",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",reason="Evicted"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",reason="Evicted"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",reason="Evicted"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kindnet-9zfls",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kindnet-9zfls",reason="Evicted"} 0 +kube_pod_status_reason{namespace="kube-system",pod="kindnet-9zfls",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",reason="Evicted"} 0 +kube_pod_status_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",reason="UnexpectedAdmissionError"} 0 +kube_pod_status_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",reason="NodeLost"} 0 +kube_pod_status_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",reason="Evicted"} 0 +kube_pod_status_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",reason="UnexpectedAdmissionError"} 0 +# HELP kube_pod_container_info Information about a container in a pod. +# TYPE kube_pod_container_info gauge +kube_pod_container_info{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",image="k8s.gcr.io/coredns:1.6.7",image_id="sha256:67da37a9a360e600e74464da48437257b00a754c77c40f60c65e4cb327c34bd5",container_id="containerd://3fa05133df6246a57009d7f2ae05002107f27cb86e7e0d871405548b91710789"} 1 +kube_pod_container_info{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",image="k8s.gcr.io/kube-proxy:v1.18.2",image_id="sha256:312d3d1cb6c7217e2f7514f20c08bc79d6bebdbfe8f77efbe235fee0738c3f8c",container_id="containerd://a8a4fff7dfb7269205fee1205e68fa11e03716d44d8d6646e0f9139c4da439ba"} 1 +kube_pod_container_info{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",image="k8s.gcr.io/kube-scheduler:v1.18.2",image_id="sha256:121edc8356c58baee60330191aeaf245aab147f9eb89281dccfe68875a657117",container_id="containerd://2f625b2c90354d3f0546fba5be7ea58da108d6cd40e630ac4cde3ee9f68b912e"} 1 +kube_pod_container_info{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",image="k8s.gcr.io/etcd:3.4.3-0",image_id="sha256:303ce5db0e90dab1c5728ec70d21091201a23cdf8aeca70ab54943bbaaf0833f",container_id="containerd://2c766a0e64d6b0b47351aecf7f2824d05118f20895cb3bfb471f946913fba6db"} 1 +kube_pod_container_info{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",image="k8s.gcr.io/kube-apiserver:v1.18.2",image_id="sha256:7df05884b1e25c456468f037faa511ba004b2dfab13be4d204fc47524b917cef",container_id="containerd://887d0a6de86f54e78339c218213e91651398c88a5e2b09bc1fffb30acb9dbcd5"} 1 +kube_pod_container_info{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",image="k8s.gcr.io/kube-controller-manager:v1.18.2",image_id="sha256:31fd71c85722f1879c6af82ade97ecc31ca468e8239930d35fde046f5b93a146",container_id="containerd://1693e6742feac7bd9ee430be70705e1d8433c34998f227194ea85d1c9142f173"} 1 +kube_pod_container_info{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",image="quay.io/coreos/kube-state-metrics:v1.9.7",image_id="quay.io/coreos/kube-state-metrics@sha256:2f82f0da199c60a7699c43c63a295c44e673242de0b7ee1b17c2d5a23bec34cb",container_id="containerd://a4724b1381ab83580270a17b8cf11d95752bcff4fe987c18145b691979261508"} 1 +kube_pod_container_info{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",image="docker.io/kindest/kindnetd:0.5.4",image_id="sha256:2186a1a396deb58f1ea5eaf20193a518ca05049b46ccd754ec83366b5c8c13d5",container_id="containerd://ba7e710ed0dd267e5999bc6c7fd68a772f690ff11f6e07a1e594d1b52d01ca63"} 1 +kube_pod_container_info{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",image="k8s.gcr.io/coredns:1.6.7",image_id="sha256:67da37a9a360e600e74464da48437257b00a754c77c40f60c65e4cb327c34bd5",container_id="containerd://51c619a2184e88149ae554ecd06534d27a0ed4780ce1ad25ada8b17e34c8735d"} 1 +kube_pod_container_info{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",image="docker.io/rancher/local-path-provisioner:v0.0.12",image_id="sha256:db10073a6f829f72cc09655e92fbc3c74410c647c626b431ecd5257d1f6b59c1",container_id="containerd://d2a93308ca021e3f2ad559e36618581e1b0a72fecec0e8a5daa4d53313d4d9c2"} 1 +# HELP kube_pod_init_container_info Information about an init container in a pod. +# TYPE kube_pod_init_container_info gauge +# HELP kube_pod_container_status_waiting Describes whether the container is currently in waiting state. +# TYPE kube_pod_container_status_waiting gauge +kube_pod_container_status_waiting{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager"} 0 +kube_pod_container_status_waiting{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 0 +kube_pod_container_status_waiting{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy"} 0 +kube_pod_container_status_waiting{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler"} 0 +kube_pod_container_status_waiting{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd"} 0 +kube_pod_container_status_waiting{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver"} 0 +kube_pod_container_status_waiting{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 0 +kube_pod_container_status_waiting{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner"} 0 +kube_pod_container_status_waiting{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics"} 0 +kube_pod_container_status_waiting{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 0 +# HELP kube_pod_init_container_status_waiting Describes whether the init container is currently in waiting state. +# TYPE kube_pod_init_container_status_waiting gauge +# HELP kube_pod_container_status_waiting_reason Describes the reason the container is currently in waiting state. +# TYPE kube_pod_container_status_waiting_reason gauge +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="InvalidImageName"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="InvalidImageName"} 0 +kube_pod_container_status_waiting_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="InvalidImageName"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="InvalidImageName"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="InvalidImageName"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="InvalidImageName"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="InvalidImageName"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="InvalidImageName"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="InvalidImageName"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="ContainerCreating"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="CrashLoopBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="CreateContainerConfigError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="ErrImagePull"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="ImagePullBackOff"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="CreateContainerError"} 0 +kube_pod_container_status_waiting_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="InvalidImageName"} 0 +# HELP kube_pod_init_container_status_waiting_reason Describes the reason the init container is currently in waiting state. +# TYPE kube_pod_init_container_status_waiting_reason gauge +# HELP kube_pod_container_status_running Describes whether the container is currently in running state. +# TYPE kube_pod_container_status_running gauge +kube_pod_container_status_running{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager"} 1 +kube_pod_container_status_running{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 1 +kube_pod_container_status_running{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy"} 1 +kube_pod_container_status_running{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler"} 1 +kube_pod_container_status_running{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd"} 1 +kube_pod_container_status_running{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver"} 1 +kube_pod_container_status_running{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 1 +kube_pod_container_status_running{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner"} 1 +kube_pod_container_status_running{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics"} 1 +kube_pod_container_status_running{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 1 +# HELP kube_pod_init_container_status_running Describes whether the init container is currently in running state. +# TYPE kube_pod_init_container_status_running gauge +# HELP kube_pod_container_status_terminated Describes whether the container is currently in terminated state. +# TYPE kube_pod_container_status_terminated gauge +kube_pod_container_status_terminated{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver"} 0 +kube_pod_container_status_terminated{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager"} 0 +# HELP kube_pod_init_container_status_terminated Describes whether the init container is currently in terminated state. +# TYPE kube_pod_init_container_status_terminated gauge +# HELP kube_pod_container_status_terminated_reason Describes the reason the container is currently in terminated state. +# TYPE kube_pod_container_status_terminated_reason gauge +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="Evicted"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="Evicted"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="Evicted"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="Evicted"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="Evicted"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="Evicted"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="Evicted"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="Evicted"} 0 +kube_pod_container_status_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="Evicted"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="OOMKilled"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="Completed"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="Error"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="ContainerCannotRun"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="DeadlineExceeded"} 0 +kube_pod_container_status_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="Evicted"} 0 +# HELP kube_pod_init_container_status_terminated_reason Describes the reason the init container is currently in terminated state. +# TYPE kube_pod_init_container_status_terminated_reason gauge +# HELP kube_pod_container_status_last_terminated_reason Describes the last reason the container was in terminated state. +# TYPE kube_pod_container_status_last_terminated_reason gauge +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="Error"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="DeadlineExceeded"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics",reason="Evicted"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="Error"} 1 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="DeadlineExceeded"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni",reason="Evicted"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="Error"} 1 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="DeadlineExceeded"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns",reason="Evicted"} 0 +kube_pod_container_status_last_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="Error"} 1 +kube_pod_container_status_last_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="DeadlineExceeded"} 0 +kube_pod_container_status_last_terminated_reason{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner",reason="Evicted"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="Error"} 1 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="DeadlineExceeded"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns",reason="Evicted"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="Error"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="DeadlineExceeded"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy",reason="Evicted"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="Error"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="DeadlineExceeded"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler",reason="Evicted"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="Error"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="DeadlineExceeded"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd",reason="Evicted"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="Error"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="DeadlineExceeded"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver",reason="Evicted"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="OOMKilled"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="Completed"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="Error"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="ContainerCannotRun"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="DeadlineExceeded"} 0 +kube_pod_container_status_last_terminated_reason{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager",reason="Evicted"} 0 +# HELP kube_pod_init_container_status_last_terminated_reason Describes the last reason the init container was in terminated state. +# TYPE kube_pod_init_container_status_last_terminated_reason gauge +# HELP kube_pod_container_status_ready Describes whether the containers readiness check succeeded. +# TYPE kube_pod_container_status_ready gauge +kube_pod_container_status_ready{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler"} 1 +kube_pod_container_status_ready{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd"} 1 +kube_pod_container_status_ready{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver"} 1 +kube_pod_container_status_ready{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager"} 1 +kube_pod_container_status_ready{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 1 +kube_pod_container_status_ready{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy"} 1 +kube_pod_container_status_ready{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics"} 1 +kube_pod_container_status_ready{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 1 +kube_pod_container_status_ready{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 1 +kube_pod_container_status_ready{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner"} 1 +# HELP kube_pod_init_container_status_ready Describes whether the init containers readiness check succeeded. +# TYPE kube_pod_init_container_status_ready gauge +# HELP kube_pod_container_status_restarts_total The number of container restarts per container. +# TYPE kube_pod_container_status_restarts_total counter +kube_pod_container_status_restarts_total{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver"} 1 +kube_pod_container_status_restarts_total{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager"} 1 +kube_pod_container_status_restarts_total{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 2 +kube_pod_container_status_restarts_total{namespace="kube-system",pod="kube-proxy-47h5s",container="kube-proxy"} 1 +kube_pod_container_status_restarts_total{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler"} 1 +kube_pod_container_status_restarts_total{namespace="kube-system",pod="etcd-kind-control-plane",container="etcd"} 1 +kube_pod_container_status_restarts_total{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 2 +kube_pod_container_status_restarts_total{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 2 +kube_pod_container_status_restarts_total{namespace="local-path-storage",pod="local-path-provisioner-bd4bb6b75-l5nqn",container="local-path-provisioner"} 2 +kube_pod_container_status_restarts_total{namespace="kube-system",pod="kube-state-metrics-5c5cb55b4-h2gxx",container="kube-state-metrics"} 0 +# HELP kube_pod_init_container_status_restarts_total The number of restarts for the init container. +# TYPE kube_pod_init_container_status_restarts_total counter +# HELP kube_pod_container_resource_requests_cpu_cores The number of CPU cores requested by a container. +# TYPE kube_pod_container_resource_requests_cpu_cores gauge +kube_pod_container_resource_requests_cpu_cores{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 0.1 +kube_pod_container_resource_requests_cpu_cores{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 0.1 +kube_pod_container_resource_requests_cpu_cores{namespace="kube-system",pod="kube-apiserver-kind-control-plane",container="kube-apiserver"} 0.25 +kube_pod_container_resource_requests_cpu_cores{namespace="kube-system",pod="kube-controller-manager-kind-control-plane",container="kube-controller-manager"} 0.2 +kube_pod_container_resource_requests_cpu_cores{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 0.1 +kube_pod_container_resource_requests_cpu_cores{namespace="kube-system",pod="kube-scheduler-kind-control-plane",container="kube-scheduler"} 0.1 +# HELP kube_pod_container_resource_requests_memory_bytes Bytes of memory requested by a container. +# TYPE kube_pod_container_resource_requests_memory_bytes gauge +kube_pod_container_resource_requests_memory_bytes{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 7.340032e+07 +kube_pod_container_resource_requests_memory_bytes{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 7.340032e+07 +kube_pod_container_resource_requests_memory_bytes{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 5.24288e+07 +# HELP kube_pod_container_resource_requests_storage_bytes Bytes of storage requested by a container. +# TYPE kube_pod_container_resource_requests_storage_bytes gauge +# HELP kube_pod_container_resource_requests_ephemeral_storage_bytes Bytes of ephemeral-storage requested by a container. +# TYPE kube_pod_container_resource_requests_ephemeral_storage_bytes gauge +# HELP kube_pod_container_resource_requests The number of requested request resource by a container. +# TYPE kube_pod_container_resource_requests gauge +# HELP kube_pod_container_resource_limits_cpu_cores The number of CPU cores requested limit by a container. +# TYPE kube_pod_container_resource_limits_cpu_cores gauge +kube_pod_container_resource_limits_cpu_cores{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 0.1 +# HELP kube_pod_container_resource_limits_memory_bytes Bytes of memory requested limit by a container. +# TYPE kube_pod_container_resource_limits_memory_bytes gauge +kube_pod_container_resource_limits_memory_bytes{namespace="kube-system",pod="coredns-66bff467f8-29ms4",container="coredns"} 1.7825792e+08 +kube_pod_container_resource_limits_memory_bytes{namespace="kube-system",pod="kindnet-9zfls",container="kindnet-cni"} 5.24288e+07 +kube_pod_container_resource_limits_memory_bytes{namespace="kube-system",pod="coredns-66bff467f8-vlcsv",container="coredns"} 1.7825792e+08 +# HELP kube_pod_container_resource_limits_storage_bytes Bytes of storage requested limit by a container. +# TYPE kube_pod_container_resource_limits_storage_bytes gauge +# HELP kube_pod_container_resource_limits_ephemeral_storage_bytes Bytes of ephemeral-storage requested limit by a container. +# TYPE kube_pod_container_resource_limits_ephemeral_storage_bytes gauge +# HELP kube_pod_container_resource_limits The number of requested limit resource by a container. +# TYPE kube_pod_container_resource_limits gauge +# HELP kube_pod_init_container_resource_requests_cpu_cores The number of CPU cores requested by an init container. +# TYPE kube_pod_init_container_resource_requests_cpu_cores gauge +# HELP kube_pod_init_container_resource_requests_memory_bytes Bytes of memory requested by an init container. +# TYPE kube_pod_init_container_resource_requests_memory_bytes gauge +# HELP kube_pod_init_container_resource_requests_storage_bytes Bytes of storage requested by an init container. +# TYPE kube_pod_init_container_resource_requests_storage_bytes gauge +# HELP kube_pod_init_container_resource_requests_ephemeral_storage_bytes Bytes of ephemeral-storage requested by an init container. +# TYPE kube_pod_init_container_resource_requests_ephemeral_storage_bytes gauge +# HELP kube_pod_init_container_resource_requests The number of requested request resource by an init container. +# TYPE kube_pod_init_container_resource_requests gauge +# HELP kube_pod_init_container_resource_limits_cpu_cores The number of CPU cores requested limit by an init container. +# TYPE kube_pod_init_container_resource_limits_cpu_cores gauge +# HELP kube_pod_init_container_resource_limits_memory_bytes Bytes of memory requested limit by an init container. +# TYPE kube_pod_init_container_resource_limits_memory_bytes gauge +# HELP kube_pod_init_container_resource_limits_storage_bytes Bytes of storage requested limit by an init container. +# TYPE kube_pod_init_container_resource_limits_storage_bytes gauge +# HELP kube_pod_init_container_resource_limits_ephemeral_storage_bytes Bytes of ephemeral-storage requested limit by an init container. +# TYPE kube_pod_init_container_resource_limits_ephemeral_storage_bytes gauge +# HELP kube_pod_init_container_resource_limits The number of requested limit resource by an init container. +# TYPE kube_pod_init_container_resource_limits gauge +# HELP kube_pod_spec_volumes_persistentvolumeclaims_info Information about persistentvolumeclaim volumes in a pod. +# TYPE kube_pod_spec_volumes_persistentvolumeclaims_info gauge +# HELP kube_pod_spec_volumes_persistentvolumeclaims_readonly Describes whether a persistentvolumeclaim is mounted read only. +# TYPE kube_pod_spec_volumes_persistentvolumeclaims_readonly gauge +# HELP kube_pod_overhead_cpu_cores The pod overhead in regards to cpu cores associated with running a pod. +# TYPE kube_pod_overhead_cpu_cores gauge +# HELP kube_pod_overhead_memory_bytes The pod overhead in regards to memory associated with running a pod. +# TYPE kube_pod_overhead_memory_bytes gauge +# HELP kube_replicaset_created Unix creation timestamp +# TYPE kube_replicaset_created gauge +kube_replicaset_created{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75"} 1.597194051e+09 +kube_replicaset_created{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4"} 1.597289948e+09 +kube_replicaset_created{namespace="kube-system",replicaset="coredns-66bff467f8"} 1.597194051e+09 +# HELP kube_replicaset_status_replicas The number of replicas per ReplicaSet. +# TYPE kube_replicaset_status_replicas gauge +kube_replicaset_status_replicas{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75"} 1 +kube_replicaset_status_replicas{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4"} 1 +kube_replicaset_status_replicas{namespace="kube-system",replicaset="coredns-66bff467f8"} 2 +# HELP kube_replicaset_status_fully_labeled_replicas The number of fully labeled replicas per ReplicaSet. +# TYPE kube_replicaset_status_fully_labeled_replicas gauge +kube_replicaset_status_fully_labeled_replicas{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75"} 1 +kube_replicaset_status_fully_labeled_replicas{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4"} 1 +kube_replicaset_status_fully_labeled_replicas{namespace="kube-system",replicaset="coredns-66bff467f8"} 2 +# HELP kube_replicaset_status_ready_replicas The number of ready replicas per ReplicaSet. +# TYPE kube_replicaset_status_ready_replicas gauge +kube_replicaset_status_ready_replicas{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75"} 1 +kube_replicaset_status_ready_replicas{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4"} 1 +kube_replicaset_status_ready_replicas{namespace="kube-system",replicaset="coredns-66bff467f8"} 2 +# HELP kube_replicaset_status_observed_generation The generation observed by the ReplicaSet controller. +# TYPE kube_replicaset_status_observed_generation gauge +kube_replicaset_status_observed_generation{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75"} 1 +kube_replicaset_status_observed_generation{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4"} 1 +kube_replicaset_status_observed_generation{namespace="kube-system",replicaset="coredns-66bff467f8"} 1 +# HELP kube_replicaset_spec_replicas Number of desired pods for a ReplicaSet. +# TYPE kube_replicaset_spec_replicas gauge +kube_replicaset_spec_replicas{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75"} 1 +kube_replicaset_spec_replicas{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4"} 1 +kube_replicaset_spec_replicas{namespace="kube-system",replicaset="coredns-66bff467f8"} 2 +# HELP kube_replicaset_metadata_generation Sequence number representing a specific generation of the desired state. +# TYPE kube_replicaset_metadata_generation gauge +kube_replicaset_metadata_generation{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75"} 1 +kube_replicaset_metadata_generation{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4"} 1 +kube_replicaset_metadata_generation{namespace="kube-system",replicaset="coredns-66bff467f8"} 1 +# HELP kube_replicaset_owner Information about the ReplicaSet's owner. +# TYPE kube_replicaset_owner gauge +kube_replicaset_owner{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75",owner_kind="Deployment",owner_name="local-path-provisioner",owner_is_controller="true"} 1 +kube_replicaset_owner{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4",owner_kind="Deployment",owner_name="kube-state-metrics",owner_is_controller="true"} 1 +kube_replicaset_owner{namespace="kube-system",replicaset="coredns-66bff467f8",owner_kind="Deployment",owner_name="coredns",owner_is_controller="true"} 1 +# HELP kube_replicaset_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_replicaset_labels gauge +kube_replicaset_labels{namespace="local-path-storage",replicaset="local-path-provisioner-bd4bb6b75",label_app="local-path-provisioner",label_pod_template_hash="bd4bb6b75"} 1 +kube_replicaset_labels{namespace="kube-system",replicaset="kube-state-metrics-5c5cb55b4",label_app_kubernetes_io_name="kube-state-metrics",label_app_kubernetes_io_version="1.9.7",label_pod_template_hash="5c5cb55b4"} 1 +kube_replicaset_labels{namespace="kube-system",replicaset="coredns-66bff467f8",label_k8s_app="kube-dns",label_pod_template_hash="66bff467f8"} 1 +# HELP kube_replicationcontroller_created Unix creation timestamp +# TYPE kube_replicationcontroller_created gauge +# HELP kube_replicationcontroller_status_replicas The number of replicas per ReplicationController. +# TYPE kube_replicationcontroller_status_replicas gauge +# HELP kube_replicationcontroller_status_fully_labeled_replicas The number of fully labeled replicas per ReplicationController. +# TYPE kube_replicationcontroller_status_fully_labeled_replicas gauge +# HELP kube_replicationcontroller_status_ready_replicas The number of ready replicas per ReplicationController. +# TYPE kube_replicationcontroller_status_ready_replicas gauge +# HELP kube_replicationcontroller_status_available_replicas The number of available replicas per ReplicationController. +# TYPE kube_replicationcontroller_status_available_replicas gauge +# HELP kube_replicationcontroller_status_observed_generation The generation observed by the ReplicationController controller. +# TYPE kube_replicationcontroller_status_observed_generation gauge +# HELP kube_replicationcontroller_spec_replicas Number of desired pods for a ReplicationController. +# TYPE kube_replicationcontroller_spec_replicas gauge +# HELP kube_replicationcontroller_metadata_generation Sequence number representing a specific generation of the desired state. +# TYPE kube_replicationcontroller_metadata_generation gauge +# HELP kube_replicationcontroller_owner Information about the ReplicationController's owner. +# TYPE kube_replicationcontroller_owner gauge +# HELP kube_resourcequota_created Unix creation timestamp +# TYPE kube_resourcequota_created gauge +# HELP kube_resourcequota Information about resource quota. +# TYPE kube_resourcequota gauge +# HELP kube_secret_info Information about secret. +# TYPE kube_secret_info gauge +kube_secret_info{namespace="kube-public",secret="default-token-wjfhf"} 1 +kube_secret_info{namespace="kube-system",secret="horizontal-pod-autoscaler-token-w5nvk"} 1 +kube_secret_info{namespace="kube-system",secret="expand-controller-token-brhlh"} 1 +kube_secret_info{namespace="kube-system",secret="disruption-controller-token-f824v"} 1 +kube_secret_info{namespace="kube-system",secret="kube-state-metrics-token-gtv8j"} 1 +kube_secret_info{namespace="kube-system",secret="replicaset-controller-token-wkd6d"} 1 +kube_secret_info{namespace="kube-system",secret="persistent-volume-binder-token-j6b99"} 1 +kube_secret_info{namespace="kube-system",secret="pv-protection-controller-token-nx6pm"} 1 +kube_secret_info{namespace="kube-system",secret="endpoint-controller-token-4qnv2"} 1 +kube_secret_info{namespace="kube-system",secret="namespace-controller-token-979rk"} 1 +kube_secret_info{namespace="kube-system",secret="deployment-controller-token-h5sjg"} 1 +kube_secret_info{namespace="kube-system",secret="default-token-9msb9"} 1 +kube_secret_info{namespace="kube-system",secret="resourcequota-controller-token-trp74"} 1 +kube_secret_info{namespace="kube-system",secret="replication-controller-token-74mfc"} 1 +kube_secret_info{namespace="kube-system",secret="endpointslice-controller-token-px765"} 1 +kube_secret_info{namespace="local-path-storage",secret="local-path-provisioner-service-account-token-v7pj2"} 1 +kube_secret_info{namespace="kube-system",secret="token-cleaner-token-fxx6r"} 1 +kube_secret_info{namespace="kube-system",secret="ttl-controller-token-2xjx9"} 1 +kube_secret_info{namespace="kube-system",secret="bootstrap-signer-token-j4qld"} 1 +kube_secret_info{namespace="local-path-storage",secret="default-token-sjlj4"} 1 +kube_secret_info{namespace="kube-system",secret="cronjob-controller-token-r472z"} 1 +kube_secret_info{namespace="kube-system",secret="service-account-controller-token-lsw9x"} 1 +kube_secret_info{namespace="kube-system",secret="kindnet-token-zhvx7"} 1 +kube_secret_info{namespace="kube-system",secret="generic-garbage-collector-token-nslln"} 1 +kube_secret_info{namespace="kube-system",secret="service-controller-token-jzdgb"} 1 +kube_secret_info{namespace="kube-system",secret="attachdetach-controller-token-blnbc"} 1 +kube_secret_info{namespace="kube-system",secret="certificate-controller-token-qm62r"} 1 +kube_secret_info{namespace="kube-system",secret="clusterrole-aggregation-controller-token-ckqw4"} 1 +kube_secret_info{namespace="kube-system",secret="coredns-token-nh62k"} 1 +kube_secret_info{namespace="kube-system",secret="pvc-protection-controller-token-5mhp9"} 1 +kube_secret_info{namespace="kube-system",secret="daemon-set-controller-token-4qg5f"} 1 +kube_secret_info{namespace="kube-system",secret="job-controller-token-r44zt"} 1 +kube_secret_info{namespace="kube-system",secret="kube-proxy-token-c9cxs"} 1 +kube_secret_info{namespace="kube-system",secret="pod-garbage-collector-token-6wc89"} 1 +kube_secret_info{namespace="kube-system",secret="statefulset-controller-token-lnrq2"} 1 +kube_secret_info{namespace="kube-node-lease",secret="default-token-k96v9"} 1 +kube_secret_info{namespace="default",secret="default-token-75lgl"} 1 +kube_secret_info{namespace="kube-system",secret="node-controller-token-xmc4z"} 1 +# HELP kube_secret_type Type about secret. +# TYPE kube_secret_type gauge +kube_secret_type{namespace="kube-system",secret="statefulset-controller-token-lnrq2",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-node-lease",secret="default-token-k96v9",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="default",secret="default-token-75lgl",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="node-controller-token-xmc4z",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-public",secret="default-token-wjfhf",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="horizontal-pod-autoscaler-token-w5nvk",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="expand-controller-token-brhlh",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="disruption-controller-token-f824v",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="kube-state-metrics-token-gtv8j",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="replicaset-controller-token-wkd6d",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="persistent-volume-binder-token-j6b99",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="pv-protection-controller-token-nx6pm",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="endpoint-controller-token-4qnv2",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="namespace-controller-token-979rk",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="deployment-controller-token-h5sjg",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="default-token-9msb9",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="resourcequota-controller-token-trp74",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="replication-controller-token-74mfc",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="endpointslice-controller-token-px765",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="local-path-storage",secret="local-path-provisioner-service-account-token-v7pj2",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="token-cleaner-token-fxx6r",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="ttl-controller-token-2xjx9",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="bootstrap-signer-token-j4qld",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="local-path-storage",secret="default-token-sjlj4",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="cronjob-controller-token-r472z",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="service-account-controller-token-lsw9x",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="kindnet-token-zhvx7",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="generic-garbage-collector-token-nslln",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="service-controller-token-jzdgb",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="attachdetach-controller-token-blnbc",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="certificate-controller-token-qm62r",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="clusterrole-aggregation-controller-token-ckqw4",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="coredns-token-nh62k",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="pvc-protection-controller-token-5mhp9",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="daemon-set-controller-token-4qg5f",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="job-controller-token-r44zt",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="kube-proxy-token-c9cxs",type="kubernetes.io/service-account-token"} 1 +kube_secret_type{namespace="kube-system",secret="pod-garbage-collector-token-6wc89",type="kubernetes.io/service-account-token"} 1 +# HELP kube_secret_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_secret_labels gauge +kube_secret_labels{namespace="kube-system",secret="expand-controller-token-brhlh"} 1 +kube_secret_labels{namespace="kube-system",secret="disruption-controller-token-f824v"} 1 +kube_secret_labels{namespace="kube-system",secret="kube-state-metrics-token-gtv8j"} 1 +kube_secret_labels{namespace="kube-public",secret="default-token-wjfhf"} 1 +kube_secret_labels{namespace="kube-system",secret="horizontal-pod-autoscaler-token-w5nvk"} 1 +kube_secret_labels{namespace="kube-system",secret="pv-protection-controller-token-nx6pm"} 1 +kube_secret_labels{namespace="kube-system",secret="endpoint-controller-token-4qnv2"} 1 +kube_secret_labels{namespace="kube-system",secret="namespace-controller-token-979rk"} 1 +kube_secret_labels{namespace="kube-system",secret="replicaset-controller-token-wkd6d"} 1 +kube_secret_labels{namespace="kube-system",secret="persistent-volume-binder-token-j6b99"} 1 +kube_secret_labels{namespace="kube-system",secret="resourcequota-controller-token-trp74"} 1 +kube_secret_labels{namespace="kube-system",secret="replication-controller-token-74mfc"} 1 +kube_secret_labels{namespace="kube-system",secret="endpointslice-controller-token-px765"} 1 +kube_secret_labels{namespace="kube-system",secret="deployment-controller-token-h5sjg"} 1 +kube_secret_labels{namespace="kube-system",secret="default-token-9msb9"} 1 +kube_secret_labels{namespace="kube-system",secret="token-cleaner-token-fxx6r"} 1 +kube_secret_labels{namespace="kube-system",secret="ttl-controller-token-2xjx9"} 1 +kube_secret_labels{namespace="local-path-storage",secret="local-path-provisioner-service-account-token-v7pj2"} 1 +kube_secret_labels{namespace="local-path-storage",secret="default-token-sjlj4"} 1 +kube_secret_labels{namespace="kube-system",secret="bootstrap-signer-token-j4qld"} 1 +kube_secret_labels{namespace="kube-system",secret="generic-garbage-collector-token-nslln"} 1 +kube_secret_labels{namespace="kube-system",secret="service-controller-token-jzdgb"} 1 +kube_secret_labels{namespace="kube-system",secret="attachdetach-controller-token-blnbc"} 1 +kube_secret_labels{namespace="kube-system",secret="cronjob-controller-token-r472z"} 1 +kube_secret_labels{namespace="kube-system",secret="service-account-controller-token-lsw9x"} 1 +kube_secret_labels{namespace="kube-system",secret="kindnet-token-zhvx7"} 1 +kube_secret_labels{namespace="kube-system",secret="job-controller-token-r44zt"} 1 +kube_secret_labels{namespace="kube-system",secret="kube-proxy-token-c9cxs"} 1 +kube_secret_labels{namespace="kube-system",secret="pod-garbage-collector-token-6wc89"} 1 +kube_secret_labels{namespace="kube-system",secret="certificate-controller-token-qm62r"} 1 +kube_secret_labels{namespace="kube-system",secret="clusterrole-aggregation-controller-token-ckqw4"} 1 +kube_secret_labels{namespace="kube-system",secret="coredns-token-nh62k"} 1 +kube_secret_labels{namespace="kube-system",secret="pvc-protection-controller-token-5mhp9"} 1 +kube_secret_labels{namespace="kube-system",secret="daemon-set-controller-token-4qg5f"} 1 +kube_secret_labels{namespace="kube-node-lease",secret="default-token-k96v9"} 1 +kube_secret_labels{namespace="default",secret="default-token-75lgl"} 1 +kube_secret_labels{namespace="kube-system",secret="node-controller-token-xmc4z"} 1 +kube_secret_labels{namespace="kube-system",secret="statefulset-controller-token-lnrq2"} 1 +# HELP kube_secret_created Unix creation timestamp +# TYPE kube_secret_created gauge +kube_secret_created{namespace="kube-system",secret="replicaset-controller-token-wkd6d"} 1.597194037e+09 +kube_secret_created{namespace="kube-system",secret="persistent-volume-binder-token-j6b99"} 1.597194039e+09 +kube_secret_created{namespace="kube-system",secret="pv-protection-controller-token-nx6pm"} 1.59719404e+09 +kube_secret_created{namespace="kube-system",secret="endpoint-controller-token-4qnv2"} 1.597194035e+09 +kube_secret_created{namespace="kube-system",secret="namespace-controller-token-979rk"} 1.59719404e+09 +kube_secret_created{namespace="kube-system",secret="deployment-controller-token-h5sjg"} 1.597194034e+09 +kube_secret_created{namespace="kube-system",secret="default-token-9msb9"} 1.597194051e+09 +kube_secret_created{namespace="kube-system",secret="resourcequota-controller-token-trp74"} 1.597194039e+09 +kube_secret_created{namespace="kube-system",secret="replication-controller-token-74mfc"} 1.597194036e+09 +kube_secret_created{namespace="kube-system",secret="endpointslice-controller-token-px765"} 1.59719404e+09 +kube_secret_created{namespace="local-path-storage",secret="local-path-provisioner-service-account-token-v7pj2"} 1.597194034e+09 +kube_secret_created{namespace="kube-system",secret="token-cleaner-token-fxx6r"} 1.597194034e+09 +kube_secret_created{namespace="kube-system",secret="ttl-controller-token-2xjx9"} 1.597194038e+09 +kube_secret_created{namespace="kube-system",secret="bootstrap-signer-token-j4qld"} 1.597194039e+09 +kube_secret_created{namespace="local-path-storage",secret="default-token-sjlj4"} 1.597194051e+09 +kube_secret_created{namespace="kube-system",secret="cronjob-controller-token-r472z"} 1.597194035e+09 +kube_secret_created{namespace="kube-system",secret="service-account-controller-token-lsw9x"} 1.59719404e+09 +kube_secret_created{namespace="kube-system",secret="kindnet-token-zhvx7"} 1.597194034e+09 +kube_secret_created{namespace="kube-system",secret="generic-garbage-collector-token-nslln"} 1.597194036e+09 +kube_secret_created{namespace="kube-system",secret="service-controller-token-jzdgb"} 1.597194035e+09 +kube_secret_created{namespace="kube-system",secret="attachdetach-controller-token-blnbc"} 1.597194036e+09 +kube_secret_created{namespace="kube-system",secret="certificate-controller-token-qm62r"} 1.597194037e+09 +kube_secret_created{namespace="kube-system",secret="clusterrole-aggregation-controller-token-ckqw4"} 1.597194051e+09 +kube_secret_created{namespace="kube-system",secret="coredns-token-nh62k"} 1.597194034e+09 +kube_secret_created{namespace="kube-system",secret="pvc-protection-controller-token-5mhp9"} 1.597194038e+09 +kube_secret_created{namespace="kube-system",secret="daemon-set-controller-token-4qg5f"} 1.597194037e+09 +kube_secret_created{namespace="kube-system",secret="job-controller-token-r44zt"} 1.597194034e+09 +kube_secret_created{namespace="kube-system",secret="kube-proxy-token-c9cxs"} 1.597194034e+09 +kube_secret_created{namespace="kube-system",secret="pod-garbage-collector-token-6wc89"} 1.597194038e+09 +kube_secret_created{namespace="kube-system",secret="statefulset-controller-token-lnrq2"} 1.597194034e+09 +kube_secret_created{namespace="kube-node-lease",secret="default-token-k96v9"} 1.597194051e+09 +kube_secret_created{namespace="default",secret="default-token-75lgl"} 1.597194051e+09 +kube_secret_created{namespace="kube-system",secret="node-controller-token-xmc4z"} 1.597194035e+09 +kube_secret_created{namespace="kube-public",secret="default-token-wjfhf"} 1.597194051e+09 +kube_secret_created{namespace="kube-system",secret="horizontal-pod-autoscaler-token-w5nvk"} 1.597194034e+09 +kube_secret_created{namespace="kube-system",secret="expand-controller-token-brhlh"} 1.597194034e+09 +kube_secret_created{namespace="kube-system",secret="disruption-controller-token-f824v"} 1.597194037e+09 +kube_secret_created{namespace="kube-system",secret="kube-state-metrics-token-gtv8j"} 1.597289948e+09 +# HELP kube_secret_metadata_resource_version Resource version representing a specific version of secret. +# TYPE kube_secret_metadata_resource_version gauge +kube_secret_metadata_resource_version{namespace="kube-system",secret="kindnet-token-zhvx7"} 216 +kube_secret_metadata_resource_version{namespace="kube-system",secret="generic-garbage-collector-token-nslln"} 271 +kube_secret_metadata_resource_version{namespace="kube-system",secret="service-controller-token-jzdgb"} 252 +kube_secret_metadata_resource_version{namespace="kube-system",secret="attachdetach-controller-token-blnbc"} 263 +kube_secret_metadata_resource_version{namespace="kube-system",secret="cronjob-controller-token-r472z"} 249 +kube_secret_metadata_resource_version{namespace="kube-system",secret="service-account-controller-token-lsw9x"} 334 +kube_secret_metadata_resource_version{namespace="kube-system",secret="daemon-set-controller-token-4qg5f"} 277 +kube_secret_metadata_resource_version{namespace="kube-system",secret="job-controller-token-r44zt"} 217 +kube_secret_metadata_resource_version{namespace="kube-system",secret="kube-proxy-token-c9cxs"} 219 +kube_secret_metadata_resource_version{namespace="kube-system",secret="pod-garbage-collector-token-6wc89"} 296 +kube_secret_metadata_resource_version{namespace="kube-system",secret="certificate-controller-token-qm62r"} 285 +kube_secret_metadata_resource_version{namespace="kube-system",secret="clusterrole-aggregation-controller-token-ckqw4"} 363 +kube_secret_metadata_resource_version{namespace="kube-system",secret="coredns-token-nh62k"} 218 +kube_secret_metadata_resource_version{namespace="kube-system",secret="pvc-protection-controller-token-5mhp9"} 293 +kube_secret_metadata_resource_version{namespace="kube-system",secret="statefulset-controller-token-lnrq2"} 228 +kube_secret_metadata_resource_version{namespace="kube-node-lease",secret="default-token-k96v9"} 386 +kube_secret_metadata_resource_version{namespace="default",secret="default-token-75lgl"} 375 +kube_secret_metadata_resource_version{namespace="kube-system",secret="node-controller-token-xmc4z"} 255 +kube_secret_metadata_resource_version{namespace="kube-system",secret="horizontal-pod-autoscaler-token-w5nvk"} 237 +kube_secret_metadata_resource_version{namespace="kube-system",secret="expand-controller-token-brhlh"} 234 +kube_secret_metadata_resource_version{namespace="kube-system",secret="disruption-controller-token-f824v"} 280 +kube_secret_metadata_resource_version{namespace="kube-system",secret="kube-state-metrics-token-gtv8j"} 259263 +kube_secret_metadata_resource_version{namespace="kube-public",secret="default-token-wjfhf"} 384 +kube_secret_metadata_resource_version{namespace="kube-system",secret="persistent-volume-binder-token-j6b99"} 305 +kube_secret_metadata_resource_version{namespace="kube-system",secret="pv-protection-controller-token-nx6pm"} 322 +kube_secret_metadata_resource_version{namespace="kube-system",secret="endpoint-controller-token-4qnv2"} 260 +kube_secret_metadata_resource_version{namespace="kube-system",secret="namespace-controller-token-979rk"} 331 +kube_secret_metadata_resource_version{namespace="kube-system",secret="replicaset-controller-token-wkd6d"} 274 +kube_secret_metadata_resource_version{namespace="kube-system",secret="default-token-9msb9"} 380 +kube_secret_metadata_resource_version{namespace="kube-system",secret="resourcequota-controller-token-trp74"} 299 +kube_secret_metadata_resource_version{namespace="kube-system",secret="replication-controller-token-74mfc"} 268 +kube_secret_metadata_resource_version{namespace="kube-system",secret="endpointslice-controller-token-px765"} 325 +kube_secret_metadata_resource_version{namespace="kube-system",secret="deployment-controller-token-h5sjg"} 225 +kube_secret_metadata_resource_version{namespace="local-path-storage",secret="local-path-provisioner-service-account-token-v7pj2"} 242 +kube_secret_metadata_resource_version{namespace="kube-system",secret="token-cleaner-token-fxx6r"} 231 +kube_secret_metadata_resource_version{namespace="kube-system",secret="ttl-controller-token-2xjx9"} 288 +kube_secret_metadata_resource_version{namespace="kube-system",secret="bootstrap-signer-token-j4qld"} 302 +kube_secret_metadata_resource_version{namespace="local-path-storage",secret="default-token-sjlj4"} 378 +# HELP kube_service_info Information about service. +# TYPE kube_service_info gauge +kube_service_info{namespace="default",service="kubernetes",cluster_ip="10.96.0.1",external_name="",load_balancer_ip=""} 1 +kube_service_info{namespace="kube-system",service="kube-dns",cluster_ip="10.96.0.10",external_name="",load_balancer_ip=""} 1 +kube_service_info{namespace="kube-system",service="kube-state-metrics",cluster_ip="None",external_name="",load_balancer_ip=""} 1 +# HELP kube_service_created Unix creation timestamp +# TYPE kube_service_created gauge +kube_service_created{namespace="kube-system",service="kube-dns"} 1.597194033e+09 +kube_service_created{namespace="kube-system",service="kube-state-metrics"} 1.597289948e+09 +kube_service_created{namespace="default",service="kubernetes"} 1.597194032e+09 +# HELP kube_service_spec_type Type about service. +# TYPE kube_service_spec_type gauge +kube_service_spec_type{namespace="default",service="kubernetes",type="ClusterIP"} 1 +kube_service_spec_type{namespace="kube-system",service="kube-dns",type="ClusterIP"} 1 +kube_service_spec_type{namespace="kube-system",service="kube-state-metrics",type="ClusterIP"} 1 +# HELP kube_service_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_service_labels gauge +kube_service_labels{namespace="default",service="kubernetes",label_component="apiserver",label_provider="kubernetes"} 1 +kube_service_labels{namespace="kube-system",service="kube-dns",label_k8s_app="kube-dns",label_kubernetes_io_cluster_service="true",label_kubernetes_io_name="KubeDNS"} 1 +kube_service_labels{namespace="kube-system",service="kube-state-metrics",label_app_kubernetes_io_name="kube-state-metrics",label_app_kubernetes_io_version="1.9.7"} 1 +# HELP kube_service_spec_external_ip Service external ips. One series for each ip +# TYPE kube_service_spec_external_ip gauge +# HELP kube_service_status_load_balancer_ingress Service load balancer ingress status +# TYPE kube_service_status_load_balancer_ingress gauge +# HELP kube_statefulset_created Unix creation timestamp +# TYPE kube_statefulset_created gauge +# HELP kube_statefulset_status_replicas The number of replicas per StatefulSet. +# TYPE kube_statefulset_status_replicas gauge +# HELP kube_statefulset_status_replicas_current The number of current replicas per StatefulSet. +# TYPE kube_statefulset_status_replicas_current gauge +# HELP kube_statefulset_status_replicas_ready The number of ready replicas per StatefulSet. +# TYPE kube_statefulset_status_replicas_ready gauge +# HELP kube_statefulset_status_replicas_updated The number of updated replicas per StatefulSet. +# TYPE kube_statefulset_status_replicas_updated gauge +# HELP kube_statefulset_status_observed_generation The generation observed by the StatefulSet controller. +# TYPE kube_statefulset_status_observed_generation gauge +# HELP kube_statefulset_replicas Number of desired pods for a StatefulSet. +# TYPE kube_statefulset_replicas gauge +# HELP kube_statefulset_metadata_generation Sequence number representing a specific generation of the desired state for the StatefulSet. +# TYPE kube_statefulset_metadata_generation gauge +# HELP kube_statefulset_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_statefulset_labels gauge +# HELP kube_statefulset_status_current_revision Indicates the version of the StatefulSet used to generate Pods in the sequence [0,currentReplicas). +# TYPE kube_statefulset_status_current_revision gauge +# HELP kube_statefulset_status_update_revision Indicates the version of the StatefulSet used to generate Pods in the sequence [replicas-updatedReplicas,replicas) +# TYPE kube_statefulset_status_update_revision gauge +# HELP kube_storageclass_info Information about storageclass. +# TYPE kube_storageclass_info gauge +kube_storageclass_info{storageclass="standard",provisioner="rancher.io/local-path",reclaim_policy="Delete",volume_binding_mode="WaitForFirstConsumer"} 1 +# HELP kube_storageclass_created Unix creation timestamp +# TYPE kube_storageclass_created gauge +kube_storageclass_created{storageclass="standard"} 1.597194034e+09 +# HELP kube_storageclass_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_storageclass_labels gauge +kube_storageclass_labels{storageclass="standard"} 1 +# HELP kube_validatingwebhookconfiguration_info Information about the ValidatingWebhookConfiguration. +# TYPE kube_validatingwebhookconfiguration_info gauge +# HELP kube_validatingwebhookconfiguration_created Unix creation timestamp. +# TYPE kube_validatingwebhookconfiguration_created gauge +# HELP kube_validatingwebhookconfiguration_metadata_resource_version Resource version representing a specific version of the ValidatingWebhookConfiguration. +# TYPE kube_validatingwebhookconfiguration_metadata_resource_version gauge +# HELP kube_volumeattachment_labels Kubernetes labels converted to Prometheus labels. +# TYPE kube_volumeattachment_labels gauge +# HELP kube_volumeattachment_info Information about volumeattachment. +# TYPE kube_volumeattachment_info gauge +# HELP kube_volumeattachment_created Unix creation timestamp +# TYPE kube_volumeattachment_created gauge +# HELP kube_volumeattachment_spec_source_persistentvolume PersistentVolume source reference. +# TYPE kube_volumeattachment_spec_source_persistentvolume gauge +# HELP kube_volumeattachment_status_attached Information about volumeattachment. +# TYPE kube_volumeattachment_status_attached gauge +# HELP kube_volumeattachment_status_attachment_metadata volumeattachment metadata. +# TYPE kube_volumeattachment_status_attachment_metadata gauge diff --git a/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/docs.plain-expected.json b/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/docs.plain-expected.json new file mode 100644 index 00000000000..30791b52b99 --- /dev/null +++ b/metricbeat/module/kubernetes/state_daemonset/_meta/testdata/docs.plain-expected.json @@ -0,0 +1,56 @@ +[ + { + "event": { + "dataset": "kubernetes.daemonset", + "duration": 115000, + "module": "kubernetes" + }, + "kubernetes": { + "namespace": "kube-system", + "daemonset": { + "name": "kube-proxy", + "replicas": { + "available": 1, + "desired": 1, + "ready": 1, + "unavailable": 0 + } + } + }, + "metricset": { + "name": "state_daemonset", + "period": 10000 + }, + "service": { + "address": "127.0.0.1:55555", + "type": "kubernetes" + } + }, + { + "event": { + "dataset": "kubernetes.daemonset", + "duration": 115000, + "module": "kubernetes" + }, + "kubernetes": { + "namespace": "kube-system", + "daemonset": { + "name": "kindnet", + "replicas": { + "available": 1, + "desired": 1, + "ready": 1, + "unavailable": 0 + } + } + }, + "metricset": { + "name": "state_daemonset", + "period": 10000 + }, + "service": { + "address": "127.0.0.1:55555", + "type": "kubernetes" + } + } +] diff --git a/metricbeat/module/kubernetes/state_daemonset/state_daemonset.go b/metricbeat/module/kubernetes/state_daemonset/state_daemonset.go new file mode 100644 index 00000000000..32c4f84d4a3 --- /dev/null +++ b/metricbeat/module/kubernetes/state_daemonset/state_daemonset.go @@ -0,0 +1,132 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package state_daemonset + +import ( + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/kubernetes" + p "github.com/elastic/beats/v7/metricbeat/helper/prometheus" + "github.com/elastic/beats/v7/metricbeat/mb" + "github.com/elastic/beats/v7/metricbeat/mb/parse" + "github.com/elastic/beats/v7/metricbeat/module/kubernetes/util" +) + +const ( + defaultScheme = "http" + defaultPath = "/metrics" +) + +var ( + hostParser = parse.URLHostParserBuilder{ + DefaultScheme: defaultScheme, + DefaultPath: defaultPath, + }.Build() + + mapping = &p.MetricsMapping{ + Metrics: map[string]p.MetricMap{ + "kube_daemonset_metadata_generation": p.InfoMetric(), + "kube_daemonset_status_number_available": p.Metric("replicas.available"), + "kube_daemonset_status_desired_number_scheduled": p.Metric("replicas.desired"), + "kube_daemonset_status_number_ready": p.Metric("replicas.ready"), + "kube_daemonset_status_number_unavailable": p.Metric("replicas.unavailable"), + }, + + Labels: map[string]p.LabelMap{ + "daemonset": p.KeyLabel("name"), + "namespace": p.KeyLabel(mb.ModuleDataKey + ".namespace"), + }, + } +) + +// init registers the MetricSet with the central registry. +// The New method will be called after the setup of the module and before starting to fetch data +func init() { + if err := mb.Registry.AddMetricSet("kubernetes", "state_daemonset", New, hostParser); err != nil { + panic(err) + } +} + +// MetricSet type defines all fields of the MetricSet +// As a minimum it must inherit the mb.BaseMetricSet fields, but can be extended with +// additional entries. These variables can be used to persist data or configuration between +// multiple fetch calls. +type MetricSet struct { + mb.BaseMetricSet + prometheus p.Prometheus + enricher util.Enricher +} + +// New create a new instance of the MetricSet +// Part of new is also setting up the configuration by processing additional +// configuration entries if needed. +func New(base mb.BaseMetricSet) (mb.MetricSet, error) { + prometheus, err := p.NewPrometheusClient(base) + if err != nil { + return nil, err + } + return &MetricSet{ + BaseMetricSet: base, + prometheus: prometheus, + enricher: util.NewResourceMetadataEnricher(base, &kubernetes.ReplicaSet{}, false), + }, nil +} + +// Fetch methods implements the data gathering and data conversion to the right +// format. It publishes the event which is then forwarded to the output. In case +// of an error set the Error field of mb.Event or simply call report.Error(). +func (m *MetricSet) Fetch(reporter mb.ReporterV2) { + m.enricher.Start() + + events, err := m.prometheus.GetProcessedMetrics(mapping) + if err != nil { + m.Logger().Error(err) + reporter.Error(err) + return + } + + m.enricher.Enrich(events) + for _, event := range events { + + var moduleFieldsMapStr common.MapStr + moduleFields, ok := event[mb.ModuleDataKey] + if ok { + moduleFieldsMapStr, ok = moduleFields.(common.MapStr) + if !ok { + m.Logger().Errorf("error trying to convert '%s' from event to common.MapStr", mb.ModuleDataKey) + } + } + delete(event, mb.ModuleDataKey) + + if reported := reporter.Event(mb.Event{ + MetricSetFields: event, + ModuleFields: moduleFieldsMapStr, + Namespace: "kubernetes.daemonset", + }); !reported { + m.Logger().Debug("error trying to emit event") + return + } + } + + return +} + +// Close stops this metricset +func (m *MetricSet) Close() error { + m.enricher.Stop() + return nil +} diff --git a/filebeat/input/file/file_test.go b/metricbeat/module/kubernetes/state_daemonset/state_daemonset_integration_test.go similarity index 53% rename from filebeat/input/file/file_test.go rename to metricbeat/module/kubernetes/state_daemonset/state_daemonset_integration_test.go index 1e2bc94d4bf..649ab87d565 100644 --- a/filebeat/input/file/file_test.go +++ b/metricbeat/module/kubernetes/state_daemonset/state_daemonset_integration_test.go @@ -15,49 +15,25 @@ // specific language governing permissions and limitations // under the License. -// +build !integration +// +build integration,linux -package file +package state_daemonset import ( - "os" - "path/filepath" "testing" "github.com/stretchr/testify/assert" -) - -func TestIsSameFile(t *testing.T) { - absPath, err := filepath.Abs("../../tests/files/") - - assert.NotNil(t, absPath) - assert.Nil(t, err) - - fileInfo1, err := os.Stat(absPath + "/logs/test.log") - fileInfo2, err := os.Stat(absPath + "/logs/system.log") - - assert.Nil(t, err) - assert.NotNil(t, fileInfo1) - assert.NotNil(t, fileInfo2) - - file1 := &File{ - FileInfo: fileInfo1, - } - file2 := &File{ - FileInfo: fileInfo2, - } + mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" + "github.com/elastic/beats/v7/metricbeat/module/kubernetes/test" +) - file3 := &File{ - FileInfo: fileInfo2, +func TestFetchMetricset(t *testing.T) { + config := test.GetKubeStateMetricsConfig(t, "state_daemonset") + metricSet := mbtest.NewFetcher(t, config) + events, errs := metricSet.FetchEvents() + if len(errs) > 0 { + t.Fatalf("Expected 0 error, had %d. %v\n", len(errs), errs) } - - assert.False(t, file1.IsSameFile(file2)) - assert.False(t, file2.IsSameFile(file1)) - - assert.True(t, file1.IsSameFile(file1)) - assert.True(t, file2.IsSameFile(file2)) - - assert.True(t, file3.IsSameFile(file2)) - assert.True(t, file2.IsSameFile(file3)) + assert.NotEmpty(t, events) } diff --git a/metricbeat/module/kubernetes/state_daemonset/state_daemonset_test.go b/metricbeat/module/kubernetes/state_daemonset/state_daemonset_test.go new file mode 100644 index 00000000000..11c4a5cc414 --- /dev/null +++ b/metricbeat/module/kubernetes/state_daemonset/state_daemonset_test.go @@ -0,0 +1,48 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build !integration + +package state_daemonset + +import ( + "testing" + + "github.com/elastic/beats/v7/metricbeat/helper/prometheus/ptest" + mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" + + _ "github.com/elastic/beats/v7/metricbeat/module/kubernetes" +) + +func TestEventMapping(t *testing.T) { + ptest.TestMetricSet(t, "kubernetes", "state_daemonset", + ptest.TestCases{ + { + MetricsFile: "../_meta/test/ksm.v1.3.0", + ExpectedFile: "./_meta/test/ksm.v1.3.0.expected", + }, + { + MetricsFile: "../_meta/test/ksm.v1.8.0", + ExpectedFile: "./_meta/test/ksm.v1.8.0.expected", + }, + }, + ) +} + +func TestData(t *testing.T) { + mbtest.TestDataFiles(t, "kubernetes", "state_daemonset") +} diff --git a/metricbeat/module/kubernetes/state_persistentvolume/_meta/fields.yml b/metricbeat/module/kubernetes/state_persistentvolume/_meta/fields.yml index bfc7e903cdc..458560dc602 100644 --- a/metricbeat/module/kubernetes/state_persistentvolume/_meta/fields.yml +++ b/metricbeat/module/kubernetes/state_persistentvolume/_meta/fields.yml @@ -2,7 +2,7 @@ type: group description: > kubernetes persistent volume metrics from kube-state-metrics - release: experimental + release: ga fields: - name: name type: keyword diff --git a/metricbeat/module/kubernetes/state_persistentvolumeclaim/_meta/fields.yml b/metricbeat/module/kubernetes/state_persistentvolumeclaim/_meta/fields.yml index ad14467cea7..ba72fb9e964 100644 --- a/metricbeat/module/kubernetes/state_persistentvolumeclaim/_meta/fields.yml +++ b/metricbeat/module/kubernetes/state_persistentvolumeclaim/_meta/fields.yml @@ -2,7 +2,7 @@ type: group description: > kubernetes persistent volume clame metrics from kube-state-metrics - release: experimental + release: ga fields: - name: name type: keyword @@ -22,4 +22,4 @@ - name: storage_class type: keyword description: Storage class for the PVC. - \ No newline at end of file + diff --git a/metricbeat/module/kubernetes/state_service/_meta/fields.yml b/metricbeat/module/kubernetes/state_service/_meta/fields.yml index e5a0a1824cf..71fb59bc098 100644 --- a/metricbeat/module/kubernetes/state_service/_meta/fields.yml +++ b/metricbeat/module/kubernetes/state_service/_meta/fields.yml @@ -2,13 +2,13 @@ type: group description: > kubernetes service metrics - release: experimental + release: ga fields: - name: name type: keyword description: Service name. - name: cluster_ip - type: ip + type: keyword description: Internal IP for the service. - name: external_name type: keyword diff --git a/metricbeat/module/kubernetes/state_storageclass/_meta/fields.yml b/metricbeat/module/kubernetes/state_storageclass/_meta/fields.yml index 2f3adac5747..df0c03aaae0 100644 --- a/metricbeat/module/kubernetes/state_storageclass/_meta/fields.yml +++ b/metricbeat/module/kubernetes/state_storageclass/_meta/fields.yml @@ -2,7 +2,7 @@ type: group description: > kubernetes storage class metrics - release: experimental + release: ga fields: - name: name type: keyword diff --git a/metricbeat/module/logstash/docker-compose.yml b/metricbeat/module/logstash/docker-compose.yml index f717242a21c..a776d6d4b66 100644 --- a/metricbeat/module/logstash/docker-compose.yml +++ b/metricbeat/module/logstash/docker-compose.yml @@ -2,22 +2,22 @@ version: '2.3' services: logstash: - image: docker.elastic.co/integrations-ci/beats-logstash:${LOGSTASH_VERSION:-7.7.0}-1 + image: docker.elastic.co/integrations-ci/beats-logstash:${LOGSTASH_VERSION:-7.9.0}-1 build: context: ./_meta args: - LOGSTASH_VERSION: ${LOGSTASH_VERSION:-7.7.0} + LOGSTASH_VERSION: ${LOGSTASH_VERSION:-7.9.0} ports: - 9600 depends_on: - elasticsearch elasticsearch: - image: docker.elastic.co/integrations-ci/beats-elasticsearch:${ELASTICSEARCH_VERSION:-7.7.0}-1 + image: docker.elastic.co/integrations-ci/beats-elasticsearch:${ELASTICSEARCH_VERSION:-7.9.0}-1 build: context: ../elasticsearch/_meta args: - ELASTICSEARCH_VERSION: ${ELASTICSEARCH_VERSION:-7.7.0} + ELASTICSEARCH_VERSION: ${ELASTICSEARCH_VERSION:-7.9.0} environment: - "network.host=" - "transport.host=127.0.0.1" diff --git a/metricbeat/module/logstash/test_logstash.py b/metricbeat/module/logstash/test_logstash.py index 4d5f7c233fc..5c37f52057f 100644 --- a/metricbeat/module/logstash/test_logstash.py +++ b/metricbeat/module/logstash/test_logstash.py @@ -1,4 +1,5 @@ import json +import metricbeat import os import semver import sys @@ -7,10 +8,6 @@ import urllib.error import urllib.parse import urllib.request -from nose.plugins.skip import SkipTest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat class Test(metricbeat.BaseTest): @@ -41,7 +38,7 @@ def test_xpack(self): version = self.get_version() if semver.compare(version, "7.3.0") == -1: # Skip for Logstash versions < 7.3.0 as necessary APIs not available - raise SkipTest + raise unittest.SkipTest self.render_config_template(modules=[{ "name": "logstash", diff --git a/metricbeat/module/memcached/test_memcached.py b/metricbeat/module/memcached/test_memcached.py index d5858e08c02..39f2bf2d707 100644 --- a/metricbeat/module/memcached/test_memcached.py +++ b/metricbeat/module/memcached/test_memcached.py @@ -1,10 +1,8 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/mongodb/test_mongodb.py b/metricbeat/module/mongodb/test_mongodb.py index c62801b9853..1cfe51cb0b4 100644 --- a/metricbeat/module/mongodb/test_mongodb.py +++ b/metricbeat/module/mongodb/test_mongodb.py @@ -1,10 +1,8 @@ +import metricbeat import os +import pytest import sys import unittest -from nose.plugins.attrib import attr - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat MONGODB_FIELDS = metricbeat.COMMON_FIELDS + ["mongodb"] @@ -15,7 +13,7 @@ class Test(metricbeat.BaseTest): COMPOSE_SERVICES = ['mongodb'] @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_status(self): """ MongoDB module outputs an event. diff --git a/metricbeat/module/munin/munin_test.go b/metricbeat/module/munin/munin_test.go index 9ae6407d7ee..b6f0f544b9d 100644 --- a/metricbeat/module/munin/munin_test.go +++ b/metricbeat/module/munin/munin_test.go @@ -39,7 +39,7 @@ func TestList(t *testing.T) { list, err := n.List() - assert.Nil(t, err) + assert.NoError(t, err) expected := []string{"cpu", "df", "uptime"} assert.ElementsMatch(t, expected, list) diff --git a/metricbeat/module/munin/test_munin.py b/metricbeat/module/munin/test_munin.py index 43f68a04e22..456b136372e 100644 --- a/metricbeat/module/munin/test_munin.py +++ b/metricbeat/module/munin/test_munin.py @@ -1,10 +1,8 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/mysql/_meta/config.epr.yml b/metricbeat/module/mysql/_meta/config.epr.yml index 450b99a3761..3d65e506f97 100644 --- a/metricbeat/module/mysql/_meta/config.epr.yml +++ b/metricbeat/module/mysql/_meta/config.epr.yml @@ -1,7 +1,9 @@ - module: mysql metricsets: - - "status" - - "galera_status" + - status + # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" diff --git a/metricbeat/module/mysql/_meta/config.reference.yml b/metricbeat/module/mysql/_meta/config.reference.yml index 6715260a5e9..03880a5ad6a 100644 --- a/metricbeat/module/mysql/_meta/config.reference.yml +++ b/metricbeat/module/mysql/_meta/config.reference.yml @@ -1,7 +1,9 @@ - module: mysql metricsets: - - "status" - # - "galera_status" + - status + # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" diff --git a/metricbeat/module/mysql/_meta/config.yml b/metricbeat/module/mysql/_meta/config.yml index 81db7e28eed..367b32e9173 100644 --- a/metricbeat/module/mysql/_meta/config.yml +++ b/metricbeat/module/mysql/_meta/config.yml @@ -2,6 +2,8 @@ #metricsets: # - status # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" @@ -15,4 +17,4 @@ #username: root # Password of hosts. Empty by default. - #password: secret \ No newline at end of file + #password: secret diff --git a/metricbeat/module/mysql/_meta/kibana/7/dashboard/Metricbeat-mysql-overview.json b/metricbeat/module/mysql/_meta/kibana/7/dashboard/Metricbeat-mysql-overview.json index 57b699a443a..8391437537f 100644 --- a/metricbeat/module/mysql/_meta/kibana/7/dashboard/Metricbeat-mysql-overview.json +++ b/metricbeat/module/mysql/_meta/kibana/7/dashboard/Metricbeat-mysql-overview.json @@ -27,14 +27,14 @@ "gridData": { "h": 15, "i": "14", - "w": 24, - "x": 24, + "w": 16, + "x": 15, "y": 38 }, "panelIndex": "14", "panelRefName": "panel_0", "title": "Open Tables, Files, Streams", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { @@ -50,7 +50,7 @@ "panelIndex": "050b110b-0b4d-404a-86c0-fa97f7eed2a0", "panelRefName": "panel_1", "title": "Rate of Questions", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { @@ -66,7 +66,7 @@ "panelIndex": "988a61d7-ac3e-481e-a6ae-aa75aaa32a3a", "panelRefName": "panel_2", "title": "Rate of SELECT statements", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { @@ -82,7 +82,7 @@ "panelIndex": "a1f8fa38-a62f-4e05-adde-e995dae9ad83", "panelRefName": "panel_3", "title": "Rate of INSERT, UPDATE, DELETE", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { @@ -98,7 +98,7 @@ "panelIndex": "d126fb61-605f-43af-b5d5-3fa3c128f726", "panelRefName": "panel_4", "title": "Connected Threads", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { @@ -114,7 +114,7 @@ "panelIndex": "59586d96-3abd-48a3-a258-cfd620826ec2", "panelRefName": "panel_5", "title": "Connections", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { @@ -130,7 +130,7 @@ "panelIndex": "dd0cf202-fe22-4daf-8f25-09c64d412bf3", "panelRefName": "panel_6", "title": "Aborted Connections Rate", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { @@ -146,7 +146,7 @@ "panelIndex": "ead16a55-a2d3-49ae-a09b-a0b03560e9a0", "panelRefName": "panel_7", "title": "Thread Activity", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { @@ -162,7 +162,7 @@ "panelIndex": "24fc2926-610d-4910-8f3e-eb63ca69788c", "panelRefName": "panel_8", "title": "Buffer Pool Pages", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { @@ -178,7 +178,23 @@ "panelIndex": "33c10c95-be67-492e-afb5-863f375cffc2", "panelRefName": "panel_9", "title": "Buffer Pool Utilization", - "version": "7.3.1" + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Buffer Pool Efficiency" + }, + "gridData": { + "h": 14, + "i": "d35d7c5e-8832-40e2-8c77-953ad320c853", + "w": 17, + "x": 31, + "y": 24 + }, + "panelIndex": "d35d7c5e-8832-40e2-8c77-953ad320c853", + "panelRefName": "panel_10", + "title": "Buffer Pool Efficiency", + "version": "7.7.0" }, { "embeddableConfig": { @@ -187,30 +203,78 @@ "gridData": { "h": 15, "i": "3cd58868-0d03-4715-9ecc-9fba3cde47c1", - "w": 24, + "w": 15, "x": 0, "y": 38 }, "panelIndex": "3cd58868-0d03-4715-9ecc-9fba3cde47c1", - "panelRefName": "panel_10", + "panelRefName": "panel_11", "title": "Network Traffic", - "version": "7.3.1" + "version": "7.7.0" }, { "embeddableConfig": { - "title": "Buffer Pool Efficiency" + "title": "Open Tables Cache" }, "gridData": { - "h": 14, - "i": "d35d7c5e-8832-40e2-8c77-953ad320c853", + "h": 15, + "i": "277c8209-3c5f-41f5-95f4-de0782917fba", "w": 17, "x": 31, - "y": 24 + "y": 38 }, - "panelIndex": "d35d7c5e-8832-40e2-8c77-953ad320c853", - "panelRefName": "panel_11", - "title": "Buffer Pool Efficiency", - "version": "7.3.1" + "panelIndex": "277c8209-3c5f-41f5-95f4-de0782917fba", + "panelRefName": "panel_12", + "title": "Open Tables Cache", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Connection Errors" + }, + "gridData": { + "h": 13, + "i": "9487b742-3e7f-4d57-af32-014ad360235c", + "w": 13, + "x": 0, + "y": 53 + }, + "panelIndex": "9487b742-3e7f-4d57-af32-014ad360235c", + "panelRefName": "panel_13", + "title": "Connection Errors", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "Commands Operations" + }, + "gridData": { + "h": 13, + "i": "00cd9f15-01bd-43f3-a8c5-43d6ff17dad3", + "w": 20, + "x": 13, + "y": 53 + }, + "panelIndex": "00cd9f15-01bd-43f3-a8c5-43d6ff17dad3", + "panelRefName": "panel_14", + "title": "Commands Operations", + "version": "7.7.0" + }, + { + "embeddableConfig": { + "title": "SSL Cache" + }, + "gridData": { + "h": 13, + "i": "cd4deb30-c0dd-4f23-8868-ecffd73b2406", + "w": 15, + "x": 33, + "y": 53 + }, + "panelIndex": "cd4deb30-c0dd-4f23-8868-ecffd73b2406", + "panelRefName": "panel_15", + "title": "SSL Cache", + "version": "7.7.0" } ], "timeRestore": false, @@ -273,19 +337,39 @@ "type": "visualization" }, { - "id": "c8661020-6310-11ea-a83e-25b8612d00cc", + "id": "a1e00160-63a4-11ea-a83e-25b8612d00cc", "name": "panel_10", "type": "visualization" }, { - "id": "a1e00160-63a4-11ea-a83e-25b8612d00cc", + "id": "c8661020-6310-11ea-a83e-25b8612d00cc", "name": "panel_11", "type": "visualization" + }, + { + "id": "cd72e030-c6a6-11ea-a106-5be590f42b74", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "0774bbb0-c69c-11ea-a106-5be590f42b74", + "name": "panel_13", + "type": "visualization" + }, + { + "id": "3e5c4490-c6a1-11ea-a106-5be590f42b74", + "name": "panel_14", + "type": "visualization" + }, + { + "id": "8b276c80-c6ad-11ea-a106-5be590f42b74", + "name": "panel_15", + "type": "visualization" } ], "type": "dashboard", - "updated_at": "2020-03-16T13:01:34.528Z", - "version": "WzQ2NzAsMV0=" + "updated_at": "2020-07-15T15:17:01.974Z", + "version": "WzM4MywxXQ==" }, { "attributes": { @@ -334,6 +418,7 @@ ], "point_size": "0", "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -356,6 +441,7 @@ ], "point_size": "0", "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -378,6 +464,7 @@ ], "point_size": "0", "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -394,12 +481,12 @@ }, "id": "aaa326b0-f1f5-11e7-85ab-594b1652e0d1-ecs", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T13:01:07.859Z", - "version": "WzQ2NjksMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIwNywxXQ==" }, { "attributes": { @@ -465,6 +552,7 @@ ], "point_size": 1, "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -481,12 +569,12 @@ }, "id": "4fa69a10-630b-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T12:58:09.873Z", - "version": "WzQ2NTQsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIwOCwxXQ==" }, { "attributes": { @@ -552,6 +640,7 @@ ], "point_size": 1, "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -568,12 +657,12 @@ }, "id": "7ea77d30-630a-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T12:59:11.517Z", - "version": "WzQ2NTUsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIwOSwxXQ==" }, { "attributes": { @@ -639,6 +728,7 @@ ], "point_size": 1, "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -673,6 +763,7 @@ ], "point_size": 1, "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -707,6 +798,7 @@ ], "point_size": 1, "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -723,12 +815,12 @@ }, "id": "779ee920-6309-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T12:59:32.603Z", - "version": "WzQ2NTYsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxMCwxXQ==" }, { "attributes": { @@ -790,6 +882,7 @@ ], "point_size": "0", "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -806,12 +899,12 @@ }, "id": "fc6b5a40-630d-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T12:59:47.044Z", - "version": "WzQ2NTcsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxMSwxXQ==" }, { "attributes": { @@ -872,6 +965,7 @@ ], "point_size": "0", "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -894,6 +988,7 @@ ], "point_size": "0", "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -916,6 +1011,7 @@ ], "point_size": "0", "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -932,12 +1028,12 @@ }, "id": "493e8460-630d-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T13:00:08.292Z", - "version": "WzQ2NTgsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxMiwxXQ==" }, { "attributes": { @@ -1003,6 +1099,7 @@ ], "point_size": 1, "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -1035,6 +1132,7 @@ ], "point_size": 1, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -1051,12 +1149,12 @@ }, "id": "bf60bc10-639b-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T13:00:17.572Z", - "version": "WzQ2NTksMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxMywxXQ==" }, { "attributes": { @@ -1105,6 +1203,7 @@ ], "point_size": "0", "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none" }, @@ -1149,6 +1248,7 @@ ], "point_size": "0", "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -1165,12 +1265,12 @@ }, "id": "822df290-630f-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T13:00:25.480Z", - "version": "WzQ2NjAsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxNCwxXQ==" }, { "attributes": { @@ -1224,6 +1324,7 @@ ], "point_size": 1, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -1246,6 +1347,7 @@ ], "point_size": 1, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -1268,6 +1370,7 @@ ], "point_size": 1, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -1284,12 +1387,12 @@ }, "id": "98c7bca0-63a2-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T13:00:34.413Z", - "version": "WzQ2NjQsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxNSwxXQ==" }, { "attributes": { @@ -1383,6 +1486,7 @@ ], "point_size": "2", "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -1399,12 +1503,129 @@ }, "id": "96d46630-63a4-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxNiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Buffer Pool Efficiency [Metricbeat MySQL] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_min": 0, + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "0f20fa60-63a3-11ea-90a2-c51229c5db5f" + } + ], + "bar_color_rules": [ + { + "id": "0e1ecca0-63a3-11ea-90a2-c51229c5db5f" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "filter": { + "language": "kuery", + "query": "" + }, + "gauge_color_rules": [ + { + "id": "07c08ce0-63a3-11ea-90a2-c51229c5db5f" + } + ], + "gauge_inner_width": 10, + "gauge_style": "half", + "gauge_width": 10, + "id": "515b9dd0-639f-11ea-96d8-1943b9bb65d9", + "index_pattern": "metricbeat-*", + "interval": "auto", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(87,177,211,1)", + "fill": "0.1", + "formatter": "number", + "hidden": false, + "id": "a397d570-63a2-11ea-90a2-c51229c5db5f", + "label": "Effeciency (lower is better)", + "line_width": "2", + "metrics": [ + { + "field": "mysql.status.innodb.buffer_pool.pool.reads", + "id": "a397d571-63a2-11ea-90a2-c51229c5db5f", + "type": "max" + }, + { + "field": "mysql.status.innodb.buffer_pool.read.requests", + "id": "ad177970-63a2-11ea-90a2-c51229c5db5f", + "type": "max" + }, + { + "id": "af58ddf0-63a2-11ea-90a2-c51229c5db5f", + "script": "params.pool_read_requests != null \u0026\u0026 params.pool_read_requests \u003e 0 ? (params.pool_reads/params.pool_read_requests) * 100: null", + "type": "calculation", + "variables": [ + { + "field": "a397d571-63a2-11ea-90a2-c51229c5db5f", + "id": "b1b6cb20-63a2-11ea-90a2-c51229c5db5f", + "name": "pool_reads" + }, + { + "field": "ad177970-63a2-11ea-90a2-c51229c5db5f", + "id": "c3fe5be0-63a2-11ea-90a2-c51229c5db5f", + "name": "pool_read_requests" + } + ] + } + ], + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Buffer Pool Efficiency [Metricbeat MySQL] ECS", + "type": "metrics" + } + }, + "id": "a1e00160-63a4-11ea-a83e-25b8612d00cc", + "migrationVersion": { + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T13:00:42.999Z", - "version": "WzQ2NjUsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxOCwxXQ==" }, { "attributes": { @@ -1477,6 +1698,7 @@ ], "point_size": "0", "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -1511,6 +1733,7 @@ ], "point_size": "0", "seperate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "type": "timeseries" @@ -1527,12 +1750,12 @@ }, "id": "c8661020-6310-11ea-a83e-25b8612d00cc", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T13:00:59.606Z", - "version": "WzQ2NjcsMV0=" + "updated_at": "2020-07-15T12:11:22.038Z", + "version": "WzIxNywxXQ==" }, { "attributes": { @@ -1546,86 +1769,298 @@ } } }, - "title": "Buffer Pool Efficiency [Metricbeat MySQL] ECS", + "title": "Open Tables Cache [Metricbeat MySQL] ECS", "uiStateJSON": {}, "version": 1, "visState": { "aggs": [], "params": { "axis_formatter": "number", - "axis_min": 0, "axis_position": "left", "axis_scale": "normal", - "background_color_rules": [ - { - "id": "0f20fa60-63a3-11ea-90a2-c51229c5db5f" - } - ], - "bar_color_rules": [ - { - "id": "0e1ecca0-63a3-11ea-90a2-c51229c5db5f" - } - ], "default_index_pattern": "metricbeat-*", "default_timefield": "@timestamp", - "filter": { - "language": "kuery", - "query": "" - }, - "gauge_color_rules": [ - { - "id": "07c08ce0-63a3-11ea-90a2-c51229c5db5f" - } - ], - "gauge_inner_width": 10, - "gauge_style": "half", - "gauge_width": 10, - "id": "515b9dd0-639f-11ea-96d8-1943b9bb65d9", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "metricbeat-*", - "interval": "auto", + "interval": "", "isModelInvalid": false, - "legend_position": "bottom", "series": [ { "axis_position": "right", "chart_type": "line", - "color": "rgba(87,177,211,1)", - "fill": "0.1", + "color": "#68BC00", + "fill": 0.5, "formatter": "number", - "hidden": false, - "id": "a397d570-63a2-11ea-90a2-c51229c5db5f", - "label": "Effeciency (lower is better)", - "line_width": "2", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Hits", + "line_width": 1, "metrics": [ { - "field": "mysql.status.innodb.buffer_pool.pool.reads", - "id": "a397d571-63a2-11ea-90a2-c51229c5db5f", - "type": "max" - }, - { - "field": "mysql.status.innodb.buffer_pool.read.requests", - "id": "ad177970-63a2-11ea-90a2-c51229c5db5f", + "field": "mysql.status.cache.table.open_cache.hits", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", "type": "max" }, { - "id": "af58ddf0-63a2-11ea-90a2-c51229c5db5f", - "script": "params.pool_read_requests != null \u0026\u0026 params.pool_read_requests \u003e 0 ? (params.pool_reads/params.pool_read_requests) * 100: null", - "type": "calculation", - "variables": [ - { - "field": "a397d571-63a2-11ea-90a2-c51229c5db5f", - "id": "b1b6cb20-63a2-11ea-90a2-c51229c5db5f", - "name": "pool_reads" - }, + "field": "61ca57f2-469d-11e7-af02-69e470af7417", + "id": "534a23e0-c6a6-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "kibana", + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(252,220,0,1)", + "fill": 0.5, + "formatter": "number", + "id": "60ab20c0-c6a6-11ea-880f-352bebf10188", + "label": "Misses", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.cache.table.open_cache.misses", + "id": "60ab47d0-c6a6-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "60ab47d0-c6a6-11ea-880f-352bebf10188", + "id": "6a1519e0-c6a6-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(254,146,0,1)", + "fill": 0.5, + "formatter": "number", + "id": "69113e70-c6a6-11ea-880f-352bebf10188", + "label": "Overflows", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.cache.table.open_cache.overflows", + "id": "69113e71-c6a6-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "69113e71-c6a6-11ea-880f-352bebf10188", + "id": "75a108a0-c6a6-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "type": "timeseries" + }, + "title": "Open Tables Cache [Metricbeat MySQL] ECS", + "type": "metrics" + } + }, + "id": "cd72e030-c6a6-11ea-a106-5be590f42b74", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-07-15T15:12:29.413Z", + "version": "WzM3NSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Connection Errors [Metricbeat MySQL] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Max", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.connection.errors.max", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "percentiles": [ { - "field": "ad177970-63a2-11ea-90a2-c51229c5db5f", - "id": "c3fe5be0-63a2-11ea-90a2-c51229c5db5f", - "name": "pool_read_requests" + "id": "968f0500-c69a-11ea-880f-352bebf10188", + "mode": "line", + "shade": 0.2, + "value": 50 } - ] + ], + "type": "max" + }, + { + "field": "61ca57f2-469d-11e7-af02-69e470af7417", + "id": "a088e210-c69a-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" } ], - "point_size": "2", + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "kibana", + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(252,220,0,1)", + "fill": 0.5, + "formatter": "number", + "id": "a61998a0-c69a-11ea-880f-352bebf10188", + "label": "Accept", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.connection.errors.accept", + "id": "a61998a1-c69a-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "a61998a1-c69a-11ea-880f-352bebf10188", + "id": "a8f8c3c0-c69a-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(252,196,0,1)", + "fill": 0.5, + "formatter": "number", + "id": "b6a26260-c69a-11ea-880f-352bebf10188", + "label": "Internal", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.connection.errors.internal", + "id": "b6a26261-c69a-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "b6a26261-c69a-11ea-880f-352bebf10188", + "id": "c09d02c0-c69a-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,204,202,1)", + "fill": 0.5, + "formatter": "number", + "id": "c713d390-c69a-11ea-880f-352bebf10188", + "label": "Select", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.connection.errors.select", + "id": "c713d391-c69a-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "c713d391-c69a-11ea-880f-352bebf10188", + "id": "4ace8360-c69b-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(253,161,255,1)", + "fill": 0.5, + "formatter": "number", + "id": "50c798b0-c69b-11ea-880f-352bebf10188", + "label": "Peer Address", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.connection.errors.peer_address", + "id": "50c798b1-c69b-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "50c798b1-c69b-11ea-880f-352bebf10188", + "id": "78d49650-c69b-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, "separate_axis": 0, "split_mode": "everything", "stacked": "none", @@ -1634,22 +2069,314 @@ ], "show_grid": 1, "show_legend": 1, - "time_field": "@timestamp", + "time_field": "", "type": "timeseries" }, - "title": "Buffer Pool Efficiency [Metricbeat MySQL] ECS", + "title": "Connection Errors [Metricbeat MySQL] ECS", "type": "metrics" } }, - "id": "a1e00160-63a4-11ea-a83e-25b8612d00cc", + "id": "0774bbb0-c69c-11ea-a106-5be590f42b74", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-07-15T13:06:43.051Z", + "version": "WzM0OCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Commands Operations [Metricbeat MySQL] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Select", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.command.select", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "max" + }, + { + "field": "61ca57f2-469d-11e7-af02-69e470af7417", + "id": "e76f75d0-c6a0-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "kibana", + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(219,223,0,1)", + "fill": 0.5, + "formatter": "number", + "id": "ed3a0110-c6a0-11ea-880f-352bebf10188", + "label": "Update", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.command.update", + "id": "ed3a0111-c6a0-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "ed3a0111-c6a0-11ea-880f-352bebf10188", + "id": "f961e1b0-c6a0-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(244,78,59,1)", + "fill": 0.5, + "formatter": "number", + "id": "00b3f750-c6a1-11ea-880f-352bebf10188", + "label": "Delete", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.command.delete", + "id": "00b3f751-c6a1-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "00b3f751-c6a1-11ea-880f-352bebf10188", + "id": "09f46f70-c6a1-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(252,220,0,1)", + "fill": 0.5, + "formatter": "number", + "id": "0f38dac0-c6a1-11ea-880f-352bebf10188", + "label": "Insert", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.command.insert", + "id": "0f38dac1-c6a1-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "0f38dac1-c6a1-11ea-880f-352bebf10188", + "id": "1d1cc340-c6a1-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "type": "timeseries" + }, + "title": "Commands Operations [Metricbeat MySQL] ECS", + "type": "metrics" + } + }, + "id": "3e5c4490-c6a1-11ea-a106-5be590f42b74", + "migrationVersion": { + "visualization": "7.7.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-07-15T13:44:02.649Z", + "version": "WzM1NSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "SSL Cache [Metricbeat MySQL] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Hits", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.cache.ssl.hits", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "max" + }, + { + "field": "61ca57f2-469d-11e7-af02-69e470af7417", + "id": "1a353d40-c6ad-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "kibana", + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(253,161,255,1)", + "fill": 0.5, + "formatter": "number", + "id": "2dd02900-c6ad-11ea-880f-352bebf10188", + "label": "Misses", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.cache.ssl.misses", + "id": "2dd02901-c6ad-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "2dd02901-c6ad-11ea-880f-352bebf10188", + "id": "327cc120-c6ad-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,204,202,1)", + "fill": 0.5, + "formatter": "number", + "id": "3f459cb0-c6ad-11ea-880f-352bebf10188", + "label": "Size", + "line_width": 1, + "metrics": [ + { + "field": "mysql.status.cache.ssl.size", + "id": "3f459cb1-c6ad-11ea-880f-352bebf10188", + "type": "max" + }, + { + "field": "3f459cb1-c6ad-11ea-880f-352bebf10188", + "id": "426ccd50-c6ad-11ea-880f-352bebf10188", + "type": "derivative", + "unit": "" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "type": "timeseries" + }, + "title": "SSL Cache [Metricbeat MySQL] ECS", + "type": "metrics" + } + }, + "id": "8b276c80-c6ad-11ea-a106-5be590f42b74", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.7.0" }, "references": [], "type": "visualization", - "updated_at": "2020-03-16T13:00:51.577Z", - "version": "WzQ2NjYsMV0=" + "updated_at": "2020-07-15T15:12:05.448Z", + "version": "WzM3NCwxXQ==" } ], - "version": "7.3.1" + "version": "7.7.0" } diff --git a/metricbeat/module/mysql/fields.go b/metricbeat/module/mysql/fields.go index 8b04d180f45..227a3306ea6 100644 --- a/metricbeat/module/mysql/fields.go +++ b/metricbeat/module/mysql/fields.go @@ -32,5 +32,5 @@ func init() { // AssetMysql returns asset data. // This is the base64 encoded gzipped contents of module/mysql. func AssetMysql() string { - return "eJzkXc1z2ziyv+ev6JrLZKocvbnsYVP1tsrrOLuuip2s7ey8d9K0yBaJNQgwAChF89e/QoNfkkiJ+qCct6tLbIsEft3obzSQd/BCq/eQrew3+QbACSfpPfx0v3r6x6ef3gDEZCMjcie0eg9/eQMAwN+BJbMgA9ahKyxk5IyILERaSoocxTA3OguPTt4A2FQbN420movkPcxRWnoDYEgSWnoPCb4BmAuSsX3Pc7wDhRk1uPzHrXL/qNFFXv6lA5z//M5v/Q6RVg6FsuBSqhG6FB0syRDomf92DWo9xLeCzGpS/toG1gaXoCSD08CC+tsuoP5TEzsjh62/9xDBhKzNMJyg2YqfKNfGrxbTA1rB33jESWuaTeraFGKey9XaN33U7aHEf679YBWoMOtk46EuLG08Wmva+rKCFOtiJru+3oPLf/6ul6DnjhSTLIJgGy/HSyMcvbPkAjOESkAX7p2ev9MmJgNvczQoJUnxB/oZgOZzEQlS0eqXhrxdFMmRKWooWKIFq8FKvQSnA0Gl/DTPCJdCKpLU84C+Kf2zDdIVGBMDofEM2ly68PknyoIsRFJbMn6OX8HQPPyIkBhCRwYSzL0WLIlUAIMqhjnaFg47gHdLoWK9HIV71wsymBDEwjpUEdVwmTPWMWKpl/7HSKuoMIaUk6uaS8y6Hhoq/BEZdy7luiHjxFxEQQZPUrKYcjutCH917jIjYeHlKohqhApmBLm2VsxaHBcKKlWEt7l2pJxACTElhgj0HDYUdYh2ChXT96kVf/TzQWqVHMeF55RAFdmMjEdHyhlB1pPhbXe0tp6MYxBeR2aB41iUatUazM6gshj5lywYikgsvMVMhSTA9rdgKJeeGOrT61onZGEdmbOpRRjuNIXwYctUxGOIgHYoWwwtqYeM/F9sKnKIUlQJWUgxz0lRPEAKRpLXm2DkWnBLmLXMBvRDEG6GTOsYX2i11KaL4QNgPoWl9uKZCluzNNJZrhUpN4Fnb0aEvYJlSs77OQ9e6ZhAWG8lnH8Z4cvj3f314/+CNvDw+WFa/doMtEeSdZaJ89l3Hu3Hj57WtN7HG4ENPpLSBTOWw6bTvfvxcny0b29IGeTdtVKcCnWKQLeI70F/N2dRDc5QWPj88eNVI7wpWlDawYpcMzkHXmoV1IG2tWFLiLxfEhYyXHkvG3uvqyETNuRuhWGHNIGblKIXHpKM0QakTmCuDeRG52QgFpgobZ2I9hl8WmzagaN1BG4XFj4epRq0ENGmru5brCGIAOCTsC5kbF+/3n34mS0TSslrZsPEVQ7aaUTXCQxPh3cjVH69Df1Lr1tgKJQTEla6AEOcyPhvhQnpdOwXKSJre50xbJjqfqtxmqVO9TJwhuMWhTLMVgnr7T+f4IvRTkda7pGiudTLaeQ2A5+jRemjz0putHJGyyOtbY6F3VJ+OIu99ZHj3JRG1jNLZARWeFvm+SZ9JvXx09env8PT8/Xz1ye2XN6qcQBdxWKVhQ5AK1X3nORCg2kzvf25U6DZbfqVt1eQ6iVkRZSGmoPEhUeQePvkczufMMd6eWiEEEBNVX+QcFrg7TjyCozLfVQjvPMqWRGkMCO0hQmZhUKlLUVaxUN0xlC0GAH3I7nClNWfJgj7eDP9cv316RZo4e35uj+ogvIrECqSRexXw6Xa0vpjdi2caX++KileCDJt6+BjgUbgTJINvifShddetv4ccWlFEGsKzsiQJeehmVXgNhulIojDWpVtlw0i1W+cL8rPH5BRFZO81k/rEKXTEHawag+bvKpY+laQty2BR1c+IOYA6Koy1GxwmuioFQLuw6yjrWT1aJv94BfJ5hT5vPk8md9sPsWZNm4UK7SR+zEv1lPqprTLKEJlN1jYtedCxi0U0HeKih18h43q03SOQhaGXpM+D4HijYKHI9uXX8FWjvVK6GuBP9UjdMn6QJjrMu9n6ZF02CHtbaDfCiq6ohLYx9OBgKFVSHgrlM/AHCrShf0FJKnEpZVRYWIYzg7+bkGf4qIP3Z646wACHmtoFWYMOWUMekGmLsMNicm6vQm0aulaWRGTwZlcgUSTcMECFfw6+dXHKCqoUe2myqwgFPebejqg5RJ773TIrm4FaKip5fmgcSmkhIQUGR8VIUjNeXw7jHSp0c5JoZKD1irD7yOLmvdfGX4XWZH1itdhqzSELKEuQZZQY5LVWK5c4uoSJnazXowrWyUlaFdZ2O/0hvgFEoOqkGiEGxg+9udhZzO+PjT8tzG+nmU/qPF9qqF1G9+hyfBphleomPczesygj5EVuaU2L/zXIknzwoGw9kCOvqaJbITg38pEno2sC5TI7qrCWOjbqLOaj0/3ZZUi2M89eZYhjLv7OI6qQ//W2jcp+4CEDZOwtY4iyh0nrWLvhl8VapwrC/yNI54nctXIp+79FaPUHra8XytSq6MvLgqHWhtXfAfI4mzlRszmrPiDTgTbjivOteaPLRt8WusDOpxehoV+qmZbfIiZeaGLhGF+msOBXYhrh4NjibwQuiD9M+EOxDiWkdlpYyp88JYjV6fbyjukOeYVTM02T+v9AjJzbbKNlqVui7Kr47I1Tqvfsuq1NCSx3FT1vq/1cGgZCK2xIbJeA9LX/Lmr+TLUn7n5kzL/4y6j+EiRNrGF+umqfG2LLEMj/iiLh1FKGXJaH4uEtsoB/SZ4n+n8OcPvEx97m8kShfv5JMG4L+NRP1II6KvYraGmLs+j45qFf2w7yqrh+QBvYolUP7K4O4xbQ/bswaCDZSrKHa/AR95J4+K/d4jcLuAn68fzrUDlhKTJn/90Gq98oPvnP7nUS6OfWciGW7UweLFV0eqKu+REVO1l9TvCLuFocDn63vXlGq4vLeUoxa5n1JonbAcn1qE5jSUPtcXbkpf+yXGRnE1+qxaT0+S3guZwJmkq9NQPd2S3RGUfeCy4+6/PjM16m8DNhQdqu579i3Y0TPQVVYYUQYKs7MwO+1OqLbqfguT5oXfO2vvAEXM+M487R1xrLJ30THqGvPEBG5njucq9JLTAO9zLlMLO4ro8BKHkxwwLDMWTug+uKnmUMlu/2QmAZ2EfaUSGppSyCTx8/fSJq9abo4Q3lK4evFOWjLOsGmHnNAZMvDd2cPfw4fZ/pg/X97fw3zzi7shqMicXpWeyKCgl8HigcwrdUBb+Ar9uRSS8Z7s3FjnmVAiP/HsVlJALeMhCVFinsyrxbnqKClt14K8HKLuOgfS2ah4eU53p+Mqki23J0Giq3EE9V8p5XW7InlZckKLTJ527t7zsBuzbU6YIi7IjJCCCWHgbIVyqC8eHOULfCLVGKjv95JACfPnW+ISWe8noHGW5d666mrsK2duH1/ZUKGZCSb0J60iB2SsJGKU0iYV9mRb2XM3be2YbaaJd6eHR6vZXPxgr28FK1lNg5Fd9fOpGzGTXhJNn2aiXeW9SWoGR+qD20XgkGVXNYD8BdRSbGsKtlONoiXgOwx0nE6wAoxzoWLe7PE1F+RBDyQfkLgAszHMIsp5u9hGwNa3rg9GZQinROf15sZXz7EG2wTPvdjulfng7XvfwncIykoNyWR7cEwfs5zKWO6ebiwtNNB5JzZFKiatLLRUfyBidcYLzs2m3VT/7bFwFHnWJ5rKw6bTc9B1FXzP8PuWm9pHtgs636o4jSdpFNNQ6Q5iNbwhGNwKaz292G9DzOIQgvJdZ+5gk7eh6OJfH/XD76fb5ti5phIYNPtJU5IMORNvtQ/bnR3n38HT7+Hw0SktyVzX1XCifbj/d3hyPssh7NkjOi/Lrlw/XB654u+QmTtatbljNNlzZZd8qVIVqQjg4WR36KA/ckO18cylcKhRYpw3xebzEYGavoAinSPyo/yjIhpJNNeQE7lxzYIRLm3Dz+X765e7hb6AN//z0fP189/R8d1M3MO2LUr9V87wq22puaVVeElO+VSWarV6j2apKOXkj0zPjeB6zkDUcXl/DHmZfbbC6+v3+efrl8fbL9eNt6y83nz4/3V4163P/PH28fbp9Hro+KapYnutGhP3tTh2H1ndKwwCJ2JaK+rznzef7+7vn1vINsEMX8jxOZNVWh9FLCykuCGZEqgRQndlldz4ANn0PNE+ljl5GQl8146nIlNrg1uR5rg0QRilEKKXXKsEK0wL29heYF4qD06tykzu0/ku5Ah1FhbFQnjaYUSJCOuy1kFTM2yNRRNaGzQZX2sHNzYZeFmXGTIW6gPxVa1tzrLBkAdlWYEJAKhGKfraglwruC+nEu0dUCcEjYQwiyyWzN3Sc8Xk+JjUQP+R0q6EczRgyfL1xzJCquSBP0YY9waV+F34J2t7ayBp0HgBHaKYfsjE8F6b3+Mo5u4a7xITn5jt6VnxSuLySp9wpxaHNzy+02YU7LgGG2LuzPnqYgN6WwQwtxaAVoEc0ELvsPzx0IfB1n/YLra3CBIZRoLq7Vi5MgUfBqyAUE7LvPhRYtxtdxwgvTIFHIXRhj6XCdB7HuSARW1owF999iKitCLebDKZj+uPJFPekoUOuzuwipSZDSznD0WKSDujeNW06W09P2U/J6xMwNb5pSBqNC8q1GKeV9kBKJEbkv6kgHQJ/+uOsiEcCvBAc0R1CzoXKBW19CFOW6s0XenBcNuSyKSMujDVUpoZibepZSsezTTrOmgzW+/fFfE5mmnddULor2tvDlf5Ir87viizfvlR3c/JeuzrIqj6zG9OJ8cmKT1tUY2mCZY20Kb0d8vV7JOPKut4ppT/8tWQQeAZdgTMiSci0qxvO8UHAeblo0xZDp0wjuqlNC8e342jT+5jSy52OtblMA+PX5tsSTQZF3sMmzxvvszxfWOQtuXAzZ8LnLY0hm2sVbqnRfvDysllgo8P8FxkdzG3mjOd2qCL2MJufGsrsvnaKfZnQID7vyobWDyv1Bg17g4/B4Uf7vqTNLpBehah6/fj2J3S4L6Rqd54b15ckjUVWtHWzZSCvUnrGVEppL8mDxIbH+A8RmzXXt4d5W/LyY4rLtqCcLhqwuQnd2WMzDj3doQmjKGmqe4hPocpQX2/9mCT5ac+2MhJdT8vY2GSUM5+NkkzY6BXI2GcA6nMws8Ku2j3Jq1blHaXU4dAiJyxxJpSwzocfC+LbH1LC+ApsEaWAoT4hdfRioayFYow5P5uiTffeqr3ON3YVF3ZM1SHIvqiT7zxPdm4/7K3cXtD1YNoHAS4ge1wtEarcS+yOTsMVOhi/Y6ic+Xq+qKoZcbC08PvT8nbX/9ckt04M2GIWLgN0clXfXFsdE0hx4b130FPeCAnh+e5rIPo4118jHJNrPxlUsc5+ajHE2yzhBJYb14GHg4mp3Opr+A2diAhlkIEKx7Agtfv/JLmgoejrKWzDGJtn5d5vqTSRLmTZaoBO2PmqiYzWLDKqGFKM6+psLAxFXl348VjYlwNkx5v/XRn9GMyw9fX52zURdkc9liReKcw88+RqIz+vcvNwFnEr7eZBczSYkSPTHmcwp5Yo3PRiUeaDNlkgM3SlQr95Df9pQxX1NKZ1Ar+lpKo3FFHc1PO1KTu7+T7ihMoeF4gkYenuOU7CBQqJM0lX1Tghe7BgdUZriUnYveS7/PjQb9gaRre+vnMfTKVlC0y1i8z/2noTv/x/FciGs83D7AmzabrTFJ6rNrVx14WFWIdCdl/Q/H8BAAD//468214=" + return "eJzkXc1z2ziyv+ev6JrLZKoc7Vz2sKl6W+XNOLuuip2s7ey8d+K0yJaIMQgwAChZ89e/QoNfkkiJ+qCc3dUlsUQBv240+hvQO3im1XvIVvabfAPghJP0Hn64Wz3+89MPbwASsrERuRNavYe/vgEA4M/AklmQAevQFRYyckbEFmItJcWOEpgZnYVHJ28AbKqNi2KtZmL+HmYoLb0BMCQJLb2HOb4BmAmSiX3Pc7wDhRk1uPzLrXL/qNFFXr7TAc6/fuNv/QaxVg6FsuBSqhG6FB0syRDoqf90DWo9xLeCzGpS/tkG1gY3R0kGo8CC+tMuoP5VEzslh633e4hgQtZmGE7QdMVPlGvjV4vpAa3g7zzipDXNJnVtCjHP5Wrtkz7q9lDiX9d+sApUmHWy8VAXljYerTVtfVhBSnQxlV0f78HlX//QS9AzR4pJFkGwjZfjpRGO3llygRlCzUEX7p2evdMmIQNvczQoJUnxB/oZgGYzEQtS8eqnhrxdFMmRKWooWKIFq8FKvQSnA0Gl/DTPCJdCKuap5wF9U/pHG6QrMCYBQuMZtLl04fUvlAVZiKW2ZPwcP4OhWfgvwtwQOjIwx9zvgiWRCmBQJTBD28JhB/BuKVSil6Nw73pBBucEibAOVUw1XOaMdYxY6qX/b6xVXBhDyslVzSVmXQ8NFf6YjDvX5vpAxomZiIMMnrTJEsptVBH+6txlRsLCy1UQ1RgVTAlyba2YtjguFFRbEd7m2pFyAiUkNDdEoGewsVGH7E6hEnqJrPijnw9Sq/lxXHhKCVSRTcl4dKScEWQ9GV53x2vryTgG4XVkFjiORqlWrcHsDCqLsf+SBUMxiYXXmKmQBNj+FAzl0hNDffu63hOysI7M2bZFGO60DeHdlkgkY4iAdihbDC2ph4z8OzYVOcQpqjlZSDHPSVEyQApGktcPQcm14JYwa5kN6Icg3HSZ1jE+02qpTRfDB8B8DEvtxTMVtmZprLNcK1JuAk9ejQh7BcuUnLdzHrzSCYGwXks4/2WELw+3d9cP/wfawP3n+6j6sxlojyTrLBPn0+882vfvPa3teu9vBDZ4T0oXzFh2m0637sfL8dG2vSFlkHXXSnEo1CkC3SK+B/3tjEU1GENh4fPHj1eN8KZoQWkHK3LN5Ox4qVXYDrS9G7aEyNslYSHDlbeyibe6GjJhQ+xWGDZIE/iQUvzMQ5Ix2oDUc5hpA7nRORlIBM6Vtk7E+xQ+LTb1wNF7BG4WFj4etTVoIeLNvbpvsYYgAoBPwroQsX39evvLj6yZUEpeMxsmrmLQTiW6TmB4Onw3RuXX29Dvel0DQ6GckLDSBRjiQMZ/KkwIpxO/SDFZ22uMYUNV92uN0zR1qpeBM+y3KJRhtkpYb/71CF+MdjrWco8UzaReRrHbdHyOFqWPPir5oJUzWh6pbXMs7Nbmh7PoW+85zkypZD2zREZghddlnm/SR1IfP319/Ac8Pl0/fX1kzeW1GjvQlS9WaegAtNrqnpOcaDBtprdftwo0m02/8vYKUr2ErIjTkHOQuPAI5l4/+djOB8yJXh7qIQRQkep3Ek5zvB17XoFxufdqhDdeJSuCFGaEtjAhslCotKVYq2TInjEUL0bA/UCuMGX2p3HCPn6Ivlx/fbwBWnh9vm4PKqf8CoSKZZH41XCptrT+mF1zZ9qvr0qKZ4JM29r5WKAROJVkg+2JdeF3L2t/9ri0Ikg0BWNkyJLz0MwqcJuVUhHEYS3LtksHkepXzhfl53fIqIpJftdHtYvSqQg7WLWHTX6rWPpWkNctgUdX3iFmB+iqUtSscBrvqOUC7sOs461g9Widfe8XyeYU+7j5PJHfdBbhVBs3ihbaiP2YF+shdZPaZRQhsxs07NpzIeIWCuiF4mIH32Ej+xTNUMjC0GvS5yFQspHwcGT74ivYirFeCX0t8KdahC5ZHwhzXeb9LD2SDjukvQ30W0FFl1cC+3g6EDC0EglvhfIRmENFurA/gSQ1d2mlVJgYhrODv1vQI1z0odvjdx1AwEMNrcKMIaZMQC/I1Gm4IT5ZtzWBVi5dKysSMjiVK5Bo5pywQAU/T372PooK26g2U2VUEJL7TT4d0HKKvXc6ZFO3AjTU5PK807gUUsKcFBnvFSFIzXF82410qdHOSaHmB61Vhi8ji5q3Xxm+iKzIesXrsFUaQpZQlyBLqDHJajRXLnF1CRW7mS/Gla2CErSrLNQ7vSJ+hrlBVUg0wg10H/vjsLMpX+8a/scoX8+y71T5PtbQupXv0GD4NMUrVML1jB416H1kRW6pzTO/W8zTvHAgrD2Qo6+pIhsh+I9SkWcj6wIpstsqMRb6Nuqo5uPjXZmlCPpzT5xlCJPuPo6j8tC/tuomZR+QsGES1tZxTLnjoFXsLfhVrsa5osBf2eN5JFeNfGrtrxgl97Bl/VqeWu19cVI45No44ztAFqcrN2I0Z8UfdCLYtl9xrjV/aOng01of0GF0GRb6qZqy+BA180wXccP8NIcDuxDXDgfHEnkhdEH6p8IdiHEsJbNTx1T44C17rk63N++Q5phXUDXbPK3rBWRm2mQbLUvdGmVXx2VrnFa/ZdVraUhiWVT1tq/1cGgZCK2xwbNeA9LX/Lmr+TLkn7n5kzL/311K8YFibRIL9dNV+toWWYZG/FEmD+OUMuSwPhFz2koH9KvgfarzxwxfJt73NpMlCvfjSYJxV/qjfqTg0Fe+W0NNnZ5HxzkL/9i2l1XD8w7exBKpfmRJtxu3huzJg0EHy1SUFa/AR66kcfLfG0RuF/CT9eP5VqByQtLkL38+jVfe0f3Ln13qpdHPLGTDrVoYvNiqeHXFXXIirmpZ/YawSzgaXI5euj5cw/WltTlKsesZteYJ68GJdWhOY8l9rfG25KV/clzMzya/VYvJafJbQXM4lRQJHfnhjuyWqPQDjwW3f/rM2KzXCdxceOBu19PfaUfDRF9SZUgSJMjKzuiwP6TaovsxSJ4feuesvQ8cMecT87hzxLXG0knPpGeIG++xkTmeq6wloQWucC9TCpXFdXkIQsmPGRYYSiZ1H1yV8ihltv5mJwCehW2kERmaUsomcP/10yfOWm+OEr6hdPXgrbJknOWtESqnCeDcW2MHt/e/3PxvdH99dwP/wyPu9qwmM3JxeiaNglICjwc6p9ANZeGv8POWR8I1272+yDGnQnjk3yqnhFzAQxbiwjqdVYF301NU2KoDf91B2XUMpLdV83Cf6kzHVyZdbJsP9abKCuq5Qs7rsiB7WnJBik6bdO7e8rIbsK+mTDEWZUdIQASJ8DpCuFQXjg9zhL4Rao1UdvrJIQn48lvjE1rWktE5ynJvXHU1d+Wytw+vDWvgFHrTiztSaPb2IBqjTT+Pji5UDDG6OZGJMEkM2S4EcHBiduNwA5MWZE/H3FFbnROwhCZOvXzNtKl5ruaVKN5+gRIXddZVWjuc046XQp8UhlGilLZJer79CXQwrFJYR8o/kmvT0zO0dmxDdR7bOBz77pR4t1IwNGv3ANbtmCXlZXdp2DVXYIs4DeVkbh7x3whNpgiKujq2SzJSQ5iANoCqOkOXUabNymNJxHrfShefzlUM2c+Itk4sM9wZvkTtR6XIROUqYZzSjoLS6ZS7OF8a7Nr+o1C/KkV46if1/xpct7/bCC3J7ojgcIBDJXjQvgy4/L40kGspD9uh/vX2Yynn1ZGS2vFruvcUxWQtGiFXpXeLlQJrmcwgLL9zY/7kpz3Wx8vUZQyPtf0HxgZZncdHb1Kt9TQybkh9bIkqgUz0Ke4hZintbu6CE2W+G+8e3cOEXARMP8/2nvE6Dsw2BD/8NoC1hMTrOCo6JxV17Y1hGAbh2IcFhkkoDFmLLUDrwsH7yDtGnu7Ad1sukdT6uch7xASGSu45QIYJToWpF2RmUi/Pi7TflvhXE9Y7kZG9Apw5MoBlWiLoeh+SetdUakvJlVfsTFgVRHNfOCooFNtOUs6sIBy26JPR8KoqHK49mLBrrSYh9dcIPfxp662o+q7dbVCmQkm9ybeRLAoDmyTCPkeFPddZ1D2zjTTRrmrX0dmDv/nBOHdwcM6gp1+Cv6pNhm7EwtzarudZNsr/KGWV1BjpWMc+Go8koyqB7iegtoHs059NIp7CcMfJBG+AUc6nr4cKPE1F+ZC8D9/3cQFgYZ5DkPUczh0BW3MSdzA6Uygfl4yOrZxnD7LtfFi31A8/XdQ9fKewjGSgXJYH8xR8lbEtlJ9uJi400XgkNTfESFxdaqn2pEXPxDjB5aaoW6uffTZuahl1iWaysGlU9rCOsl8zfIn4jO7IesF7upeRtIvsUOsMYTa+IhhdCYTIqFuBnscgBOG9zNonJGlHE/e5LO4vN59unm7qCm3oP+fkeZEPut/Jbt8Zdn6Ut/ePNw9PR6PsTQWfF+XjzaebD8ejLPKefq/zovz65ZfrA1e83UEgTt5b3bCarsLy0HCr7h6Ko+EemOoMe3l/ANnOby6FS4UC67Qhvl5kbjCzV1CEQ/F+1H8WZEOVoRpyAreuyaBzpwZ8+HwXfbm9/ztow/9/fLp+un18uv1Qn8fY56V+q+Z5VbbV3NKqvPOy/FYVaLYKS9NVFXJy2sgz43ges5A1HF5fwx5mX22wuvr77in68nDz5frhpvXOh0+fH2+umvW5e4oebh5vnoauT4oqkee64G3/6Y2OO7h2SsMAidiWirpe+uHz3d3tU2v5BuihC1keTnCWF8DopYUUFwRTIlUCqK4gYnM+ADa9BJojqePnkdBXZ4tUbMrd4NbkeaYNEMYpV/u4cM0bpgXs7U8wKxQ7p1dlz244ySzlKtQMLZSHp6c0FyEc9ruQVMLdXnFMNtT3q5zwVu9UL4syYyKhLiB/1drWHCssWUDWFTgnIDUXin60oJcK7grpxLsHVHOCB8IERJZLZm+oafL1JExqIH7IZT2GcjRjyPD1xq0pVM0FeYo2pM+X+l34I+z2Vl/eoOPNOMLZ4CGVrJkwvafxx6mXN2LCc5elCqEAyxtGq26GoWc5n2nzUOG4BBhi6877kTsq0OsymKKlBLQC9IgGYpf9dyFcCHx97PSZ1lZhIAGquwf/wgR4FLwIQjEd+253hHW10XUpyoUp8CiELuyxVJjOywUuSMTWJpiJF+8harvRWLSPjOj7Eyk+YIMOOTczRJ1rKac4mkPSgdzbpU1L68kpz4bx6gRMjWEaEkPjgnItxjkWeCAlEmPyn1SQDoEffT8r4pEALwS7c4eQc6FcQXs7hCnLzc2XE7JTNuTiXCMujDWkpYZibZJZSifTMQPBRit0dJXscvH2cKPfvWu7ld2NLHsU6Y42Gw7bQpVYKKfhVin9y9+2IrZtMGF5OmudJ+Opxj4QUhlzjoGoCmcPAxS22yiAyqEHAKp7TYrZjEyUd/02yKhimxRZvv17Nsdxos8HeGKfS8+ND6x9iK1aDbXsB8TalK4Z8s33JJPKFyjZFxgEnkFX4IyYz8m0M3GOTxBwZsbrmKjF0IhpRBfZtHB8Ma02vY8pvdzpPjX3WGLy2nxbosmgyHvY5HnjdYfnC2toSy78KMacrzoyhmyuVbggVvvBy995AbaRzH+R0cHcZs54boeMdw+z+amhzO5r/dnf+zmAz7v7Ptv3hPS6uAOaFAe3KDZXFW92LPVuiOqYHV+8jA73+P/tM9/G9cXzY1EVb/2mRKCu2vOMqRTSXooHSQ2P8V8iNWs2aA/z/k3EZVtQThcN2OyX6LH/Y9DT7UgzipKm+vTuKVQZ6u9BHo8kP+3ZVkai6+luHJuMcuazUZIJG78CGfsUQH0DxbSwq/bJt1WrSIRS6nBdEIfXSSaUsM57Hwvi1v2UMGmOBvpAUOr42UKZtscEc342RZsOynO2elm8qbiwYWo353c5nfxrY/OdlbK9RYYLmh5M+yDABWSPU3sc/vQ7p+HyWkzeMVTO03i+qKpvdrC08Pej8ndV/q1Jbp3Vt8U0XMPv5Kr+zZjqgH6KC2+9wz7lml3wzndfwNjHuf589phc+8GgSnT2Q4shXmcJJ7DssQg8HExMZVZfw27ouYhRBhmocAxzUrt/DfSCiqI/cQUX41nZplBumlgXsuyKQSfsbNV4RmsaGVUCKSZ1KSERhmK/XfjxRNjnA2THq/9dAf0YzLD1D9dtp0TYHPVokmSlMPPMk6uN8LwKzcMJs62omwfN0WBGjkx7nMGcWqJw0cW8zHttskBmaKCGfvUafi6x8noa1TqBX1NS1TcUUdIUn7QpDyHwLwHNqWzHglgSluae/SRcoJA4lXRVjROiBwtWZ7QWmIRCO9+ij9VRznBevb2+M+9MpWW3VtXwwP/aut+k/EVDsuFWsWH6hNkU7VSF50pNbdwyaSHRoezS5zT/fwAAAP//t0fTvw==" } diff --git a/metricbeat/module/mysql/performance/manifest.yml b/metricbeat/module/mysql/performance/manifest.yml index b88a2694cf7..51aa01614b5 100644 --- a/metricbeat/module/mysql/performance/manifest.yml +++ b/metricbeat/module/mysql/performance/manifest.yml @@ -1,4 +1,4 @@ -default: true +default: false input: module: mysql metricset: query diff --git a/metricbeat/module/mysql/query/query.go b/metricbeat/module/mysql/query/query.go index 24f09218d47..d7664cc8635 100644 --- a/metricbeat/module/mysql/query/query.go +++ b/metricbeat/module/mysql/query/query.go @@ -32,11 +32,12 @@ import ( "github.com/elastic/beats/v7/libbeat/common/cfgwarn" "github.com/elastic/beats/v7/metricbeat/helper/sql" "github.com/elastic/beats/v7/metricbeat/mb" + "github.com/elastic/beats/v7/metricbeat/module/mysql" ) func init() { mb.Registry.MustAddMetricSet("mysql", "query", New, - mb.DefaultMetricSet(), + mb.WithHostParser(mysql.ParseDSN), ) } diff --git a/metricbeat/module/mysql/status/_meta/data.json b/metricbeat/module/mysql/status/_meta/data.json index 09c4e618c20..d4bba333e0e 100644 --- a/metricbeat/module/mysql/status/_meta/data.json +++ b/metricbeat/module/mysql/status/_meta/data.json @@ -1,41 +1,105 @@ { - "@timestamp": "2017-10-12T08:05:34.853Z", - "event": { - "dataset": "mysql.status", - "duration": 115000, - "module": "mysql" + "@timestamp": "2020-07-13T16:36:00.626Z", + "@metadata": { + "beat": "metricbeat", + "type": "_doc", + "version": "8.0.0" }, - "metricset": { - "name": "status" + "agent": { + "version": "8.0.0", + "ephemeral_id": "d9d0d455-c440-453e-aea3-3b6fa512f6f3", + "id": "803dfdba-e638-4590-a2de-80cb1cebe78d", + "name": "mcastro", + "type": "metricbeat" }, "mysql": { "status": { - "aborted": { - "clients": 3, - "connects": 4 + "connections": 28, + "threads": { + "running": 2, + "cached": 1, + "created": 4, + "connected": 3 }, - "binlog": { - "cache": { - "disk_use": 0, - "use": 0 + "innodb": { + "rows": { + "updated": 0, + "deleted": 0, + "inserted": 0, + "reads": 0 + }, + "buffer_pool": { + "write_requests": 1634, + "bytes": { + "data": 15908864, + "dirty": 0 + }, + "pages": { + "data": 971, + "dirty": 0, + "flushed": 144, + "free": 7216, + "misc": 5, + "total": 8192 + }, + "read": { + "requests": 15600, + "ahead": 0, + "ahead_evicted": 0, + "ahead_rnd": 0 + }, + "pool": { + "reads": 830, + "wait_free": 0 + } } }, - "bytes": { - "received": 1272, - "sent": 47735 - }, - "command": { + "handler": { + "update": 315, + "read": { + "rnd_next": 394983, + "first": 33, + "key": 2100, + "last": 0, + "next": 4533, + "prev": 0, + "rnd": 2494 + }, + "write": 168505, + "mrr_init": 0, "delete": 0, - "insert": 0, - "select": 1, - "update": 0 + "external_lock": 8167, + "savepoint_rollback": 0, + "rollback": 0, + "commit": 625, + "savepoint": 0, + "prepare": 0 + }, + "bytes": { + "sent": 6228481, + "received": 143324 }, - "connections": 12, "created": { "tmp": { + "tables": 364, "disk_tables": 0, - "files": 5, - "tables": 6 + "files": 5 + } + }, + "binlog": { + "cache": { + "disk_use": 0, + "use": 0 + } + }, + "connection": { + "errors": { + "max": 0, + "peer_address": 0, + "select": 0, + "tcpwrap": 0, + "accept": 0, + "internal": 0 } }, "delayed": { @@ -43,74 +107,59 @@ "insert_threads": 0, "writes": 0 }, - "flush_commands": 1, - "handler": { - "commit": 0, - "delete": 0, - "external_lock": 140, - "mrr_init": 0, - "prepare": 0, - "read": { - "first": 3, - "key": 2, - "last": 0, - "next": 32, - "prev": 0, - "rnd": 0, - "rnd_next": 1728 - }, - "rollback": 0, - "savepoint": 0, - "savepoint_rollback": 0, + "max_used_connections": 4, + "opened_tables": 195, + "queries": 1183, + "flush_commands": 3, + "command": { + "insert": 0, + "select": 705, "update": 0, - "write": 1705 + "delete": 0 }, - "innodb": { - "buffer_pool": { - "bytes": { - "data": 6914048, - "dirty": 0 - }, - "pages": { - "data": 422, - "dirty": 0, - "flushed": 207, - "free": 7768, - "misc": 1, - "total": 8191 - }, - "pool": { - "reads": 423, - "wait_free": 0 - }, - "read": { - "ahead": 0, - "ahead_evicted": 0, - "ahead_rnd": 0, - "requests": 14198 - }, - "write_requests": 207 + "aborted": { + "clients": 0, + "connects": 2 + }, + "cache": { + "table": { + "open_cache": { + "hits": 3889, + "misses": 195, + "overflows": 0 + } + }, + "ssl": { + "size": 128, + "hits": 0, + "misses": 0 } }, - "max_used_connections": 3, + "questions": 1173, "open": { - "files": 16, "streams": 0, - "tables": 60 - }, - "opened_tables": 67, - "queries": 10, - "questions": 9, - "threads": { - "cached": 0, - "connected": 3, - "created": 3, - "running": 1 + "tables": 116, + "files": 2 } } }, + "event": { + "dataset": "mysql.status", + "module": "mysql", + "duration": 1871014 + }, + "metricset": { + "name": "status", + "period": 10000 + }, "service": { - "address": "127.0.0.1:3306", + "address": "172.17.0.2:3306", "type": "mysql" + }, + "ecs": { + "version": "1.5.0" + }, + "host": { + "name": "mcastro" } -} \ No newline at end of file +} diff --git a/metricbeat/module/mysql/status/_meta/fields.yml b/metricbeat/module/mysql/status/_meta/fields.yml index 56fd1580b0f..74cd2f54e7f 100644 --- a/metricbeat/module/mysql/status/_meta/fields.yml +++ b/metricbeat/module/mysql/status/_meta/fields.yml @@ -19,6 +19,75 @@ description: > The number of failed attempts to connect to the MySQL server. + - name: connection + type: group + description: > + fields: + - name: errors + type: group + description: > + fields: + - name: peer_address + type: long + description: The number of errors that occurred while searching for connecting client IP addresses. + - name: accept + type: long + description: The number of errors that occurred during calls to accept() on the listening port. + - name: internal + type: long + description: > + The number of connections refused due to internal errors in the server, such as failure to start a new + thread or an out-of-memory condition. + - name: max + type: long + description: The number of connections refused because the server max_connections limit was reached. + thread or an out-of-memory condition. + - name: tcpwrap + type: long + description: The number of connections refused by the libwrap library. + - name: select + type: long + description: > + The number of errors that occurred during calls to select() or poll() on the listening port. + (Failure of this operation does not necessarily means a client connection was rejected.) + + - name: cache + type: group + description: > + fields: + - name: ssl + type: group + description: SSL session cache hits and misses. + fields: + - name: hits + type: long + description: The number of SSL session cache hits. + - name: misses + type: long + description: The number of SSL session cache misses. + - name: size + type: long + description: The SSL session cache size. + - name: table + type: group + description: > + fields: + - name: open_cache + type: group + description: > + fields: + - name: hits + type: long + description: The number of hits for open tables cache lookups. + - name: misses + type: long + description: The number of misses for open tables cache lookups. + - name: overflows + type: long + description: > + Number of times, after a table is opened or closed, a cache instance has an unused entry and the + size of the instance is larger than table_open_cache / table_open_cache_instances + - name: binlog type: group description: > @@ -217,7 +286,7 @@ - name: last type: long description: > - The number of requests to read the last key in an index. + The number of requests to read the last key in an index. - name: next type: long @@ -232,12 +301,12 @@ - name: rnd type: long description: > - The number of requests to read a row based on a fixed position. + The number of requests to read a row based on a fixed position. - name: rnd_next type: long description: > - The number of requests to read the next row in the data file. + The number of requests to read the next row in the data file. - name: rollback type: long @@ -264,10 +333,26 @@ description: > The number of requests to insert a row in a table. - - name: innodb + - name: innodb type: group description: > fields: + - name: rows + type: group + description: > + fields: + - name: reads + type: long + description: The number of rows reads into InnoDB tables. + - name: inserted + type: long + description: The number of rows inserted into InnoDB tables. + - name: deleted + type: long + description: The number of rows deleted into InnoDB tables. + - name: updated + type: long + description: The number of rows updated into InnoDB tables. - name: buffer_pool type: group description: > @@ -289,7 +374,7 @@ - name: data type: long description: > - The total number of bytes in the InnoDB buffer pool containing data. + The total number of bytes in the InnoDB buffer pool containing data. - name: dirty type: long @@ -381,4 +466,4 @@ - name: write_requests type: long description: > - The number of writes done to the InnoDB buffer pool. \ No newline at end of file + The number of writes done to the InnoDB buffer pool. diff --git a/metricbeat/module/mysql/status/data.go b/metricbeat/module/mysql/status/data.go index de1f9579e95..ab55a47e450 100644 --- a/metricbeat/module/mysql/status/data.go +++ b/metricbeat/module/mysql/status/data.go @@ -125,6 +125,36 @@ var ( }, "write_requests": c.Int("Innodb_buffer_pool_write_requests"), }, + "rows": s.Object{ + "reads": c.Int("Innodb_rows_read"), + "updated": c.Int("Innodb_rows_updated"), + "deleted": c.Int("Innodb_rows_deleted"), + "inserted": c.Int("Innodb_rows_inserted"), + }, + }, + "cache": s.Object{ + "table": s.Object{ + "open_cache": s.Object{ + "hits": c.Int("Table_open_cache_hits"), + "misses": c.Int("Table_open_cache_misses"), + "overflows": c.Int("Table_open_cache_overflows"), + }, + }, + "ssl": s.Object{ + "hits": c.Int("Ssl_session_cache_hits"), + "misses": c.Int("Ssl_session_cache_misses"), + "size": c.Int("Ssl_session_cache_size"), + }, + }, + "connection": s.Object{ + "errors": s.Object{ + "accept": c.Int("Connection_errors_accept"), + "internal": c.Int("Connection_errors_internal"), + "max": c.Int("Connection_errors_max_connections"), + "peer_address": c.Int("Connection_errors_peer_address"), + "select": c.Int("Connection_errors_select"), + "tcpwrap": c.Int("Connection_errors_tcpwrap"), + }, }, } ) diff --git a/metricbeat/module/mysql/test_mysql.py b/metricbeat/module/mysql/test_mysql.py index 2422422a685..f2c59053c85 100644 --- a/metricbeat/module/mysql/test_mysql.py +++ b/metricbeat/module/mysql/test_mysql.py @@ -1,10 +1,8 @@ +import metricbeat import os +import pytest import sys import unittest -from nose.plugins.attrib import attr - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat MYSQL_FIELDS = metricbeat.COMMON_FIELDS + ["mysql"] @@ -18,7 +16,7 @@ class Test(metricbeat.BaseTest): COMPOSE_SERVICES = ['mysql'] @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_status(self): """ MySQL module outputs an event. diff --git a/metricbeat/module/nats/test_nats.py b/metricbeat/module/nats/test_nats.py index 0b9e547e471..406ee61d66d 100644 --- a/metricbeat/module/nats/test_nats.py +++ b/metricbeat/module/nats/test_nats.py @@ -1,11 +1,8 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - - NATS_FIELDS = metricbeat.COMMON_FIELDS + ["nats"] diff --git a/metricbeat/module/php_fpm/test_phpfpm.py b/metricbeat/module/php_fpm/test_phpfpm.py index a325b62c297..ca2eaf42a3a 100644 --- a/metricbeat/module/php_fpm/test_phpfpm.py +++ b/metricbeat/module/php_fpm/test_phpfpm.py @@ -1,11 +1,8 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - - PHPFPM_FIELDS = metricbeat.COMMON_FIELDS + ["php_fpm"] diff --git a/metricbeat/module/postgresql/test_postgresql.py b/metricbeat/module/postgresql/test_postgresql.py index 8dded22cd32..6ac3c0aa131 100644 --- a/metricbeat/module/postgresql/test_postgresql.py +++ b/metricbeat/module/postgresql/test_postgresql.py @@ -1,10 +1,8 @@ +import metricbeat import os +import pytest import sys import unittest -from nose.plugins.attrib import attr - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat class Test(metricbeat.BaseTest): @@ -32,7 +30,7 @@ def get_hosts(self): ) @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_activity(self): """ PostgreSQL module outputs an event. @@ -59,7 +57,7 @@ def test_activity(self): assert "state" in evt["postgresql"]["activity"] @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_database(self): """ PostgreSQL module outputs an event. @@ -89,7 +87,7 @@ def test_database(self): assert "deadlocks" in evt["postgresql"]["database"] @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_bgwriter(self): """ PostgreSQL module outputs an event. diff --git a/metricbeat/module/prometheus/_meta/prometheus.yml b/metricbeat/module/prometheus/_meta/prometheus.yml index 06707841f8d..b11de8df003 100644 --- a/metricbeat/module/prometheus/_meta/prometheus.yml +++ b/metricbeat/module/prometheus/_meta/prometheus.yml @@ -17,7 +17,7 @@ rule_files: # - "second_rules.yml" remote_write: - - url: "http://REMOTE/write" + - url: "http://0.0.0.0:9201/write" # A scrape configuration containing exactly one endpoint to scrape: # Here it's Prometheus itself. diff --git a/metricbeat/module/prometheus/_meta/run.sh b/metricbeat/module/prometheus/_meta/run.sh index b2cadc95a3e..87b83b6d705 100755 --- a/metricbeat/module/prometheus/_meta/run.sh +++ b/metricbeat/module/prometheus/_meta/run.sh @@ -1,25 +1,5 @@ #!/bin/sh - -for i in 1 2 3 4 5; -do - a=`nslookup host.docker.internal | grep "** server can't find " | wc -l`; - if [ $a -gt 0 ]; then - # this works only on Linux envs - HOST_DOMAIN="0.0.0.0" - else - # this works only on Mac envs - HOST_DOMAIN="host.docker.internal" - break - fi -done - - - -REMOTE="$HOST_DOMAIN:9201" - -sed -i "s/REMOTE/$REMOTE/g" /etc/prometheus/prometheus.yml - /bin/prometheus --config.file=/etc/prometheus/prometheus.yml \ --storage.tsdb.path=/prometheus \ --web.console.libraries=/usr/share/prometheus/console_libraries \ diff --git a/metricbeat/module/prometheus/collector/_meta/docs.asciidoc b/metricbeat/module/prometheus/collector/_meta/docs.asciidoc index c3609b083dd..022b6172b61 100644 --- a/metricbeat/module/prometheus/collector/_meta/docs.asciidoc +++ b/metricbeat/module/prometheus/collector/_meta/docs.asciidoc @@ -40,10 +40,10 @@ metricbeat.modules: rate_counters: false ------------------------------------------------------------------------------------- -`use_types` paramater (default: false) enables a different layout for metrics storage, leveraging Elasticsearch +`use_types` parameter (default: false) enables a different layout for metrics storage, leveraging Elasticsearch types, including https://www.elastic.co/guide/en/elasticsearch/reference/current/histogram.html[histograms]. -`rate_counters` paramater (default: false) enables calculating a rate out of Prometheus counters. When enabled, Metricbeat stores +`rate_counters` parameter (default: false) enables calculating a rate out of Prometheus counters. When enabled, Metricbeat stores the counter increment since the last collection. This metric should make some aggregations easier and with better performance. This parameter can only be enabled in combination with `use_types`. @@ -122,8 +122,8 @@ The configuration above will include only metrics that match `node_filesystem_*` To keep only specific metrics, anchor the start and the end of the regexp of each metric: -- the caret ^ matches the beginning of a text or line, -- the dollar sign $ matches the end of a text. +- the caret `^` matches the beginning of a text or line, +- the dollar sign `$` matches the end of a text. [source,yaml] ------------------------------------------------------------------------------------- diff --git a/metricbeat/module/prometheus/collector/collector.go b/metricbeat/module/prometheus/collector/collector.go index 6941f30bd8a..ce3cee8cb60 100644 --- a/metricbeat/module/prometheus/collector/collector.go +++ b/metricbeat/module/prometheus/collector/collector.go @@ -111,11 +111,11 @@ func MetricSetBuilder(namespace string, genFactory PromEventsGeneratorFactory) f } // store host here to use it as a pointer when building `up` metric ms.host = ms.Host() - ms.excludeMetrics, err = compilePatternList(config.MetricsFilters.ExcludeMetrics) + ms.excludeMetrics, err = p.CompilePatternList(config.MetricsFilters.ExcludeMetrics) if err != nil { return nil, errors.Wrapf(err, "unable to compile exclude patterns") } - ms.includeMetrics, err = compilePatternList(config.MetricsFilters.IncludeMetrics) + ms.includeMetrics, err = p.CompilePatternList(config.MetricsFilters.IncludeMetrics) if err != nil { return nil, errors.Wrapf(err, "unable to compile include patterns") } @@ -237,39 +237,13 @@ func (m *MetricSet) skipFamilyName(family string) bool { // if include_metrics are defined, check if this metric should be included if len(m.includeMetrics) > 0 { - if !matchMetricFamily(family, m.includeMetrics) { + if !p.MatchMetricFamily(family, m.includeMetrics) { return true } } // now exclude the metric if it matches any of the given patterns if len(m.excludeMetrics) > 0 { - if matchMetricFamily(family, m.excludeMetrics) { - return true - } - } - return false -} - -func compilePatternList(patterns *[]string) ([]*regexp.Regexp, error) { - var compiledPatterns []*regexp.Regexp - compiledPatterns = []*regexp.Regexp{} - if patterns != nil { - for _, pattern := range *patterns { - r, err := regexp.Compile(pattern) - if err != nil { - return nil, errors.Wrapf(err, "compiling pattern '%s'", pattern) - } - compiledPatterns = append(compiledPatterns, r) - } - return compiledPatterns, nil - } - return []*regexp.Regexp{}, nil -} - -func matchMetricFamily(family string, matchMetrics []*regexp.Regexp) bool { - for _, checkMetric := range matchMetrics { - matched := checkMetric.MatchString(family) - if matched { + if p.MatchMetricFamily(family, m.excludeMetrics) { return true } } diff --git a/metricbeat/module/prometheus/collector/collector_test.go b/metricbeat/module/prometheus/collector/collector_test.go index 94477a0aa2b..541b83b8f83 100644 --- a/metricbeat/module/prometheus/collector/collector_test.go +++ b/metricbeat/module/prometheus/collector/collector_test.go @@ -29,6 +29,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/elastic/beats/v7/libbeat/common" + p "github.com/elastic/beats/v7/metricbeat/helper/prometheus" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" _ "github.com/elastic/beats/v7/metricbeat/module/prometheus" @@ -330,8 +331,8 @@ func TestSkipMetricFamily(t *testing.T) { } // test with no filters - ms.includeMetrics, _ = compilePatternList(&[]string{}) - ms.excludeMetrics, _ = compilePatternList(&[]string{}) + ms.includeMetrics, _ = p.CompilePatternList(&[]string{}) + ms.excludeMetrics, _ = p.CompilePatternList(&[]string{}) metricsToKeep := 0 for _, testFamily := range testFamilies { if !ms.skipFamily(testFamily) { @@ -341,8 +342,8 @@ func TestSkipMetricFamily(t *testing.T) { assert.Equal(t, metricsToKeep, len(testFamilies)) // test with only one include filter - ms.includeMetrics, _ = compilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) - ms.excludeMetrics, _ = compilePatternList(&[]string{}) + ms.includeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) + ms.excludeMetrics, _ = p.CompilePatternList(&[]string{}) metricsToKeep = 0 for _, testFamily := range testFamilies { if !ms.skipFamily(testFamily) { @@ -352,8 +353,8 @@ func TestSkipMetricFamily(t *testing.T) { assert.Equal(t, metricsToKeep, 2) // test with only one exclude filter - ms.includeMetrics, _ = compilePatternList(&[]string{""}) - ms.excludeMetrics, _ = compilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) + ms.includeMetrics, _ = p.CompilePatternList(&[]string{""}) + ms.excludeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) metricsToKeep = 0 for _, testFamily := range testFamilies { if !ms.skipFamily(testFamily) { @@ -363,8 +364,8 @@ func TestSkipMetricFamily(t *testing.T) { assert.Equal(t, len(testFamilies)-2, metricsToKeep) // test with ine include and one exclude - ms.includeMetrics, _ = compilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) - ms.excludeMetrics, _ = compilePatternList(&[]string{"http_request_duration_microseconds_a_b_*"}) + ms.includeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_*"}) + ms.excludeMetrics, _ = p.CompilePatternList(&[]string{"http_request_duration_microseconds_a_b_*"}) metricsToKeep = 0 for _, testFamily := range testFamilies { if !ms.skipFamily(testFamily) { diff --git a/metricbeat/module/prometheus/remote_write/_meta/docs.asciidoc b/metricbeat/module/prometheus/remote_write/_meta/docs.asciidoc index 99f5e120d1a..a22f9631af8 100644 --- a/metricbeat/module/prometheus/remote_write/_meta/docs.asciidoc +++ b/metricbeat/module/prometheus/remote_write/_meta/docs.asciidoc @@ -61,3 +61,109 @@ remote_write: # Disable validation of the server certificate. #insecure_skip_verify: true ------------------------------------------------------------------------------ + + +[float] +[role="xpack"] +=== Histograms and types + +beta[] + +[source,yaml] +------------------------------------------------------------------------------------- +metricbeat.modules: +- module: prometheus + metricsets: ["remote_write"] + host: "localhost" + port: "9201" +------------------------------------------------------------------------------------- + +`use_types` parameter (default: false) enables a different layout for metrics storage, leveraging Elasticsearch +types, including https://www.elastic.co/guide/en/elasticsearch/reference/current/histogram.html[histograms]. + +`rate_counters` parameter (default: false) enables calculating a rate out of Prometheus counters. When enabled, Metricbeat stores +the counter increment since the last collection. This metric should make some aggregations easier and with better +performance. This parameter can only be enabled in combination with `use_types`. + +When `use_types` and `rate_counters` are enabled, metrics are stored like this: + +[source,json] +---- +{ + "prometheus": { + "labels": { + "instance": "172.27.0.2:9090", + "job": "prometheus" + }, + "prometheus_target_interval_length_seconds_count": { + "counter": 1, + "rate": 0 + }, + "prometheus_target_interval_length_seconds_sum": { + "counter": 15.000401344, + "rate": 0 + } + "prometheus_tsdb_compaction_chunk_range_seconds_bucket": { + "histogram": { + "values": [50, 300, 1000, 4000, 16000], + "counts": [10, 2, 34, 7] + } + } + }, +} +---- + + +[float] +==== Types' patterns + +Unlike `collector` metricset, `remote_write` receives metrics in raw format from the prometheus server. +In this, the module has to internally use a heuristic in order to identify efficiently the type of each raw metric. +For these purpose some name patterns are used in order to identify the type of each metric. +The default patterns are the following: + +. `_total` suffix: the metric is of Counter type +. `_sum` suffix: the metric is of Counter type +. `_count` suffix: the metric is of Counter type +. `_bucket` suffix and `le` in labels: the metric is of Histogram type + +Everything else is handled as a Gauge. In addition there is no special handling for Summaries so it is expected that +Summary's quantiles are handled as Gauges and Summary's sum and count as Counters. + +Users have the flexibility to add their own patterns using the following configuration: + +[source,yaml] +------------------------------------------------------------------------------------- +metricbeat.modules: +- module: prometheus + metricsets: ["remote_write"] + host: "localhost" + port: "9201" + types_patterns: + counter_patterns: ["_my_counter_suffix"] + histogram_patterns: ["_my_histogram_suffix"] +------------------------------------------------------------------------------------- + +The configuration above will consider metrics with names that match `_my_counter_suffix` as Counters +and those that match `_my_histogram_suffix` (and have `le` in their labels) as Histograms. + + +To match only specific metrics, anchor the start and the end of the regexp of each metric: + +- the caret `^` matches the beginning of a text or line, +- the dollar sign `$` matches the end of a text. + +[source,yaml] +------------------------------------------------------------------------------------- +metricbeat.modules: +- module: prometheus + metricsets: ["remote_write"] + host: "localhost" + port: "9201" + types_patterns: + histogram_patterns: ["^my_histogram_metric$"] +------------------------------------------------------------------------------------- + +Note that when using `types_patterns`, the provided patterns have higher priority than the default patterns. +For instance if `_histogram_total` is a defined histogram pattern, then a metric like `network_bytes_histogram_total` +will be handled as a histogram, even if it has the suffix `_total` which is a default pattern for counters. diff --git a/metricbeat/module/prometheus/remote_write/data.go b/metricbeat/module/prometheus/remote_write/data.go index 8dfa6072d6a..3afaa7e9529 100644 --- a/metricbeat/module/prometheus/remote_write/data.go +++ b/metricbeat/module/prometheus/remote_write/data.go @@ -26,7 +26,17 @@ import ( "github.com/elastic/beats/v7/metricbeat/mb" ) -func samplesToEvents(metrics model.Samples) map[string]mb.Event { +// DefaultRemoteWriteEventsGeneratorFactory returns the default prometheus events generator +func DefaultRemoteWriteEventsGeneratorFactory(ms mb.BaseMetricSet) (RemoteWriteEventsGenerator, error) { + return &remoteWriteEventGenerator{}, nil +} + +type remoteWriteEventGenerator struct{} + +func (p *remoteWriteEventGenerator) Start() {} +func (p *remoteWriteEventGenerator) Stop() {} + +func (p *remoteWriteEventGenerator) GenerateEvents(metrics model.Samples) map[string]mb.Event { eventList := map[string]mb.Event{} for _, metric := range metrics { @@ -35,6 +45,11 @@ func samplesToEvents(metrics model.Samples) map[string]mb.Event { if metric == nil { continue } + val := float64(metric.Value) + if math.IsNaN(val) || math.IsInf(val, 0) { + continue + } + name := string(metric.Metric["__name__"]) delete(metric.Metric, "__name__") @@ -42,31 +57,28 @@ func samplesToEvents(metrics model.Samples) map[string]mb.Event { labels[string(k)] = v } - val := float64(metric.Value) - if !math.IsNaN(val) && !math.IsInf(val, 0) { - // join metrics with same labels in a single event - labelsHash := labels.String() - if _, ok := eventList[labelsHash]; !ok { - eventList[labelsHash] = mb.Event{ - ModuleFields: common.MapStr{ - "metrics": common.MapStr{}, - }, - } - - // Add labels - if len(labels) > 0 { - eventList[labelsHash].ModuleFields["labels"] = labels - } + // join metrics with same labels and same timestamp in a single event + labelsHash := labels.String() + metric.Timestamp.Time().String() + if _, ok := eventList[labelsHash]; !ok { + eventList[labelsHash] = mb.Event{ + ModuleFields: common.MapStr{ + "metrics": common.MapStr{}, + }, + Timestamp: metric.Timestamp.Time(), } - // Not checking anything here because we create these maps some lines before - e := eventList[labelsHash] - e.Timestamp = metric.Timestamp.Time() - data := common.MapStr{ - name: val, + // Add labels + if len(labels) > 0 { + eventList[labelsHash].ModuleFields["labels"] = labels } - e.ModuleFields["metrics"].(common.MapStr).Update(data) } + + // Not checking anything here because we create these maps some lines before + e := eventList[labelsHash] + data := common.MapStr{ + name: val, + } + e.ModuleFields["metrics"].(common.MapStr).Update(data) } return eventList diff --git a/metricbeat/module/prometheus/remote_write/remote_write.go b/metricbeat/module/prometheus/remote_write/remote_write.go index b0f22455eb9..72bd93185f6 100644 --- a/metricbeat/module/prometheus/remote_write/remote_write.go +++ b/metricbeat/module/prometheus/remote_write/remote_write.go @@ -33,15 +33,33 @@ import ( ) func init() { - mb.Registry.MustAddMetricSet("prometheus", "remote_write", New, + mb.Registry.MustAddMetricSet("prometheus", "remote_write", + MetricSetBuilder(DefaultRemoteWriteEventsGeneratorFactory), mb.WithHostParser(parse.EmptyHostParser), ) } +// RemoteWriteEventsGenerator converts Prometheus Samples to a map of mb.Event +type RemoteWriteEventsGenerator interface { + // Start must be called before using the generator + Start() + + // converts Prometheus Samples to a map of mb.Event + GenerateEvents(metrics model.Samples) map[string]mb.Event + + // Stop must be called when the generator won't be used anymore + Stop() +} + +// RemoteWriteEventsGeneratorFactory creates a RemoteWriteEventsGenerator when instanciating a metricset +type RemoteWriteEventsGeneratorFactory func(ms mb.BaseMetricSet) (RemoteWriteEventsGenerator, error) + type MetricSet struct { mb.BaseMetricSet - server serverhelper.Server - events chan mb.Event + server serverhelper.Server + events chan mb.Event + promEventsGen RemoteWriteEventsGenerator + eventGenStarted bool } func New(base mb.BaseMetricSet) (mb.MetricSet, error) { @@ -50,10 +68,19 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { if err != nil { return nil, err } + + promEventsGen, err := DefaultRemoteWriteEventsGeneratorFactory(base) + if err != nil { + return nil, err + } + m := &MetricSet{ - BaseMetricSet: base, - events: make(chan mb.Event), + BaseMetricSet: base, + events: make(chan mb.Event), + promEventsGen: promEventsGen, + eventGenStarted: false, } + svc, err := httpserver.NewHttpServerWithHandler(base, m.handleFunc) if err != nil { return nil, err @@ -62,6 +89,37 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { return m, nil } +// MetricSetBuilder returns a builder function for a new Prometheus remote_write metricset using +// the given namespace and event generator +func MetricSetBuilder(genFactory RemoteWriteEventsGeneratorFactory) func(base mb.BaseMetricSet) (mb.MetricSet, error) { + return func(base mb.BaseMetricSet) (mb.MetricSet, error) { + config := defaultConfig() + err := base.Module().UnpackConfig(&config) + if err != nil { + return nil, err + } + + promEventsGen, err := genFactory(base) + if err != nil { + return nil, err + } + + m := &MetricSet{ + BaseMetricSet: base, + events: make(chan mb.Event), + promEventsGen: promEventsGen, + eventGenStarted: false, + } + svc, err := httpserver.NewHttpServerWithHandler(base, m.handleFunc) + if err != nil { + return nil, err + } + m.server = svc + + return m, nil + } +} + func (m *MetricSet) Run(reporter mb.PushReporterV2) { // Start event watcher m.server.Start() @@ -77,7 +135,20 @@ func (m *MetricSet) Run(reporter mb.PushReporterV2) { } } +// Close stops the metricset +func (m *MetricSet) Close() error { + if m.eventGenStarted { + m.promEventsGen.Stop() + } + return nil +} + func (m *MetricSet) handleFunc(writer http.ResponseWriter, req *http.Request) { + if !m.eventGenStarted { + m.promEventsGen.Start() + m.eventGenStarted = true + } + compressed, err := ioutil.ReadAll(req.Body) if err != nil { m.Logger().Errorf("Read error %v", err) @@ -100,7 +171,7 @@ func (m *MetricSet) handleFunc(writer http.ResponseWriter, req *http.Request) { } samples := protoToSamples(&protoReq) - events := samplesToEvents(samples) + events := m.promEventsGen.GenerateEvents(samples) for _, e := range events { select { diff --git a/metricbeat/module/prometheus/remote_write/remote_write_test.go b/metricbeat/module/prometheus/remote_write/remote_write_test.go new file mode 100644 index 00000000000..f0e533f49bc --- /dev/null +++ b/metricbeat/module/prometheus/remote_write/remote_write_test.go @@ -0,0 +1,80 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package remote_write + +import ( + "testing" + + "github.com/prometheus/common/model" + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/libbeat/common" +) + +// TestGenerateEventsCounter tests counter simple cases +func TestGenerateEventsCounter(t *testing.T) { + g := remoteWriteEventGenerator{} + + timestamp := model.Time(424242) + timestamp1 := model.Time(424243) + labels := common.MapStr{ + "listener_name": model.LabelValue("http"), + } + + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(42), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(43), + Timestamp: timestamp1, + }, + } + events := g.GenerateEvents(metrics) + + expected := common.MapStr{ + "metrics": common.MapStr{ + "net_conntrack_listener_conn_closed_total": float64(42), + }, + "labels": labels, + } + expected1 := common.MapStr{ + "metrics": common.MapStr{ + "net_conntrack_listener_conn_closed_total": float64(43), + }, + "labels": labels, + } + + assert.Equal(t, len(events), 2) + e := events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected) + assert.EqualValues(t, e.Timestamp, timestamp.Time()) + e = events[labels.String()+timestamp1.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected1) + assert.EqualValues(t, e.Timestamp, timestamp1.Time()) +} diff --git a/metricbeat/module/prometheus/test_prometheus.py b/metricbeat/module/prometheus/test_prometheus.py index e58b1138b99..f882cedb6df 100644 --- a/metricbeat/module/prometheus/test_prometheus.py +++ b/metricbeat/module/prometheus/test_prometheus.py @@ -1,12 +1,9 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - - PROMETHEUS_FIELDS = metricbeat.COMMON_FIELDS + ["prometheus"] diff --git a/metricbeat/module/redis/test_redis.py b/metricbeat/module/redis/test_redis.py index 98ffb982ca3..cbfef13cf7b 100644 --- a/metricbeat/module/redis/test_redis.py +++ b/metricbeat/module/redis/test_redis.py @@ -1,11 +1,9 @@ +import metricbeat import os +import pytest import redis import sys import unittest -from nose.plugins.attrib import attr - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat REDIS_FIELDS = metricbeat.COMMON_FIELDS + ["redis"] @@ -29,7 +27,7 @@ class Test(metricbeat.BaseTest): COMPOSE_SERVICES = ['redis'] @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_info(self): """ Test redis info metricset @@ -59,7 +57,7 @@ def test_info(self): self.assert_fields_are_documented(evt) @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_keyspace(self): """ Test redis keyspace metricset @@ -95,7 +93,7 @@ def test_keyspace(self): self.assert_fields_are_documented(evt) @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_key(self): """ Test redis key metricset @@ -133,7 +131,7 @@ def test_key(self): self.assert_fields_are_documented(evt) @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_module_processors(self): """ Test local processors for Redis info event. diff --git a/metricbeat/module/system/cpu/_meta/data.json b/metricbeat/module/system/cpu/_meta/data.json index ff6b7a15491..4a5fd7c8ff7 100644 --- a/metricbeat/module/system/cpu/_meta/data.json +++ b/metricbeat/module/system/cpu/_meta/data.json @@ -1,36 +1,38 @@ { "@timestamp": "2017-10-12T08:05:34.853Z", - "agent": { - "hostname": "host.example.com", - "name": "host.example.com" - }, "event": { "dataset": "system.cpu", "duration": 115000, "module": "system" }, + "host": { + "cpu": { + "pct": 0.0816 + } + }, "metricset": { - "name": "cpu" + "name": "cpu", + "period": 10000 }, "service": { "type": "system" }, "system": { "cpu": { - "cores": 4, + "cores": 12, "idle": { "norm": { - "pct": 0.7198 + "pct": 0.9184 }, - "pct": 2.8792, - "ticks": 81308898 + "pct": 11.0208, + "ticks": 1964402 }, "iowait": { "norm": { "pct": 0 }, "pct": 0, - "ticks": 499109 + "ticks": 5083 }, "irq": { "norm": { @@ -44,14 +46,14 @@ "pct": 0 }, "pct": 0, - "ticks": 172471 + "ticks": 9752 }, "softirq": { "norm": { - "pct": 0 + "pct": 0.0058 }, - "pct": 0, - "ticks": 578041 + "pct": 0.0699, + "ticks": 10386 }, "steal": { "norm": { @@ -62,23 +64,23 @@ }, "system": { "norm": { - "pct": 0.0591 + "pct": 0.005 }, - "pct": 0.2365, - "ticks": 25140781 + "pct": 0.06, + "ticks": 22274 }, "total": { "norm": { - "pct": 0.2802 + "pct": 0.0816 }, - "pct": 1.1208 + "pct": 0.9792 }, "user": { "norm": { - "pct": 0.2211 + "pct": 0.0708 }, - "pct": 0.8843, - "ticks": 75216920 + "pct": 0.8493, + "ticks": 123767 } } } diff --git a/metricbeat/module/system/cpu/cpu.go b/metricbeat/module/system/cpu/cpu.go index 8d017f0d373..7333df6dec7 100644 --- a/metricbeat/module/system/cpu/cpu.go +++ b/metricbeat/module/system/cpu/cpu.go @@ -70,7 +70,7 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { } event := common.MapStr{"cores": cpu.NumCores} - + hostFields := common.MapStr{} for _, metric := range m.config.Metrics { switch strings.ToLower(metric) { case percentages: @@ -95,6 +95,7 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { event.Put("softirq.norm.pct", normalizedPct.SoftIRQ) event.Put("steal.norm.pct", normalizedPct.Steal) event.Put("total.norm.pct", normalizedPct.Total) + hostFields.Put("host.cpu.pct", normalizedPct.Total) case ticks: ticks := sample.Ticks() event.Put("user.ticks", ticks.User) @@ -109,6 +110,7 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { } r.Event(mb.Event{ + RootFields: hostFields, MetricSetFields: event, }) diff --git a/metricbeat/module/system/diskio/_meta/data.json b/metricbeat/module/system/diskio/_meta/data.json index 291b1d23840..b9c8533b0c8 100644 --- a/metricbeat/module/system/diskio/_meta/data.json +++ b/metricbeat/module/system/diskio/_meta/data.json @@ -1,16 +1,13 @@ { "@timestamp": "2017-10-12T08:05:34.853Z", - "agent": { - "hostname": "host.example.com", - "name": "host.example.com" - }, "event": { "dataset": "system.diskio", "duration": 115000, "module": "system" }, "metricset": { - "name": "diskio" + "name": "diskio", + "period": 10000 }, "service": { "type": "system" @@ -18,7 +15,7 @@ "system": { "diskio": { "io": { - "time": 656 + "time": 364 }, "iostat": { "await": 0, @@ -51,16 +48,16 @@ } } }, - "name": "nvme0n1p1", + "name": "loop1", "read": { - "bytes": 8028160, - "count": 3290, - "time": 130016 + "bytes": 5267456, + "count": 4124, + "time": 557 }, "write": { - "bytes": 5120, - "count": 3, - "time": 12 + "bytes": 0, + "count": 0, + "time": 0 } } } diff --git a/metricbeat/module/system/diskio/diskio.go b/metricbeat/module/system/diskio/diskio.go index 80c494409a3..9da3a3c2344 100644 --- a/metricbeat/module/system/diskio/diskio.go +++ b/metricbeat/module/system/diskio/diskio.go @@ -38,6 +38,13 @@ type MetricSet struct { mb.BaseMetricSet statistics *DiskIOStat includeDevices []string + prevCounters diskCounter +} + +// diskCounter stores previous disk counter values for calculating gauges in next collection +type diskCounter struct { + prevDiskReadBytes uint64 + prevDiskWriteBytes uint64 } // New is a mb.MetricSetFactory that returns a new MetricSet. @@ -54,6 +61,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { BaseMetricSet: base, statistics: NewDiskIOStat(), includeDevices: config.IncludeDevices, + prevCounters: diskCounter{}, }, nil } @@ -70,6 +78,7 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { // Store the last cpu counter when finished defer m.statistics.CloseSampling() + var diskReadBytes, diskWriteBytes uint64 for _, counters := range stats { event := common.MapStr{ "name": counters.Name, @@ -87,6 +96,11 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { "time": counters.IoTime, }, } + + // accumulate values from all interfaces + diskReadBytes += counters.ReadBytes + diskWriteBytes += counters.WriteBytes + var extraMetrics DiskIOMetric err := m.statistics.CalIOStatistics(&extraMetrics, counters) if err == nil { @@ -135,5 +149,23 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { } } + if m.prevCounters != (diskCounter{}) { + // convert network metrics from counters to gauges + r.Event(mb.Event{ + RootFields: common.MapStr{ + "host": common.MapStr{ + "disk": common.MapStr{ + "read.bytes": diskReadBytes - m.prevCounters.prevDiskReadBytes, + "write.bytes": diskWriteBytes - m.prevCounters.prevDiskWriteBytes, + }, + }, + }, + }) + } + + // update prevCounters + m.prevCounters.prevDiskReadBytes = diskReadBytes + m.prevCounters.prevDiskWriteBytes = diskWriteBytes + return nil } diff --git a/metricbeat/module/system/network/_meta/data.json b/metricbeat/module/system/network/_meta/data.json index 8cf8a5f69a6..81c174c93e8 100644 --- a/metricbeat/module/system/network/_meta/data.json +++ b/metricbeat/module/system/network/_meta/data.json @@ -1,16 +1,13 @@ { "@timestamp": "2017-10-12T08:05:34.853Z", - "agent": { - "hostname": "host.example.com", - "name": "host.example.com" - }, "event": { "dataset": "system.network", "duration": 115000, "module": "system" }, "metricset": { - "name": "network" + "name": "network", + "period": 10000 }, "service": { "type": "system" @@ -18,17 +15,17 @@ "system": { "network": { "in": { - "bytes": 37904869172, - "dropped": 32, + "bytes": 0, + "dropped": 0, "errors": 0, - "packets": 32143403 + "packets": 0 }, - "name": "wlp4s0", + "name": "br-18285ad7f418", "out": { - "bytes": 6299331926, + "bytes": 0, "dropped": 0, "errors": 0, - "packets": 13362703 + "packets": 0 } } } diff --git a/metricbeat/module/system/network/network.go b/metricbeat/module/system/network/network.go index d9c04d83420..4796b5af841 100644 --- a/metricbeat/module/system/network/network.go +++ b/metricbeat/module/system/network/network.go @@ -43,7 +43,16 @@ func init() { // MetricSet for fetching system network IO metrics. type MetricSet struct { mb.BaseMetricSet - interfaces map[string]struct{} + interfaces map[string]struct{} + prevCounters networkCounter +} + +// networkCounter stores previous network counter values for calculating gauges in next collection +type networkCounter struct { + prevNetworkInBytes uint64 + prevNetworkInPackets uint64 + prevNetworkOutBytes uint64 + prevNetworkOutPackets uint64 } // New is a mb.MetricSetFactory that returns a new MetricSet. @@ -69,6 +78,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { return &MetricSet{ BaseMetricSet: base, interfaces: interfaceSet, + prevCounters: networkCounter{}, }, nil } @@ -79,6 +89,8 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { return errors.Wrap(err, "network io counters") } + var networkInBytes, networkOutBytes, networkInPackets, networkOutPackets uint64 + for _, counters := range stats { if m.interfaces != nil { // Select stats by interface name. @@ -91,11 +103,44 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { isOpen := r.Event(mb.Event{ MetricSetFields: ioCountersToMapStr(counters), }) + + // accumulate values from all interfaces + networkInBytes += counters.BytesRecv + networkOutBytes += counters.BytesSent + networkInPackets += counters.PacketsRecv + networkOutPackets += counters.PacketsSent + if !isOpen { return nil } } + if m.prevCounters != (networkCounter{}) { + // convert network metrics from counters to gauges + r.Event(mb.Event{ + RootFields: common.MapStr{ + "host": common.MapStr{ + "network": common.MapStr{ + "in": common.MapStr{ + "bytes": networkInBytes - m.prevCounters.prevNetworkInBytes, + "packets": networkInPackets - m.prevCounters.prevNetworkInPackets, + }, + "out": common.MapStr{ + "bytes": networkOutBytes - m.prevCounters.prevNetworkOutBytes, + "packets": networkOutPackets - m.prevCounters.prevNetworkOutPackets, + }, + }, + }, + }, + }) + } + + // update prevCounters + m.prevCounters.prevNetworkInBytes = networkInBytes + m.prevCounters.prevNetworkInPackets = networkInPackets + m.prevCounters.prevNetworkOutBytes = networkOutBytes + m.prevCounters.prevNetworkOutPackets = networkOutPackets + return nil } diff --git a/metricbeat/module/system/service/dbus.go b/metricbeat/module/system/service/dbus.go index 62112922136..c3c5bf1dc41 100644 --- a/metricbeat/module/system/service/dbus.go +++ b/metricbeat/module/system/service/dbus.go @@ -139,33 +139,43 @@ func listUnitsWrapper(conn *dbus.Conn, states, patterns []string) ([]dbus.UnitSt if err != nil { return nil, errors.Wrap(err, "ListUnits error") } - if len(patterns) > 0 { - units, err = matchUnitPatterns(patterns, units) - if err != nil { - return nil, errors.Wrap(err, "error matching unit patterns") - } + + units, err = matchUnitPatterns(patterns, units) + if err != nil { + return nil, errors.Wrap(err, "error matching unit patterns") } - if len(states) > 0 { - var finalUnits []dbus.UnitStatus - for _, unit := range units { - for _, state := range states { - if unit.LoadState == state || unit.ActiveState == state || unit.SubState == state { - finalUnits = append(finalUnits, unit) - break - } + finalUnits := matchUnitState(states, units) + + return finalUnits, nil +} + +// matchUnitState returns a list of units that match the pattern list +// This checks the LoadState, ActiveState, and SubState for a matching status string +func matchUnitState(states []string, units []dbus.UnitStatus) []dbus.UnitStatus { + if len(states) == 0 { + return units + } + var finalUnits []dbus.UnitStatus + for _, unit := range units { + for _, state := range states { + if unit.LoadState == state || unit.ActiveState == state || unit.SubState == state { + finalUnits = append(finalUnits, unit) + break } } - return finalUnits, nil } + return finalUnits - return units, nil } // matchUnitPatterns returns a list of units that match the pattern list. // This algo, including filepath.Match, is designed to (somewhat) emulate the behavior of ListUnitsByPatterns, which uses `fnmatch`. func matchUnitPatterns(patterns []string, units []dbus.UnitStatus) ([]dbus.UnitStatus, error) { var matchUnits []dbus.UnitStatus + if len(patterns) == 0 { + return units, nil + } for _, unit := range units { for _, pattern := range patterns { match, err := filepath.Match(pattern, unit.Name) diff --git a/metricbeat/module/system/service/service_test.go b/metricbeat/module/system/service/service_test.go index 10549f81c74..87581ff45f8 100644 --- a/metricbeat/module/system/service/service_test.go +++ b/metricbeat/module/system/service/service_test.go @@ -31,10 +31,12 @@ import ( var exampleUnits = []dbus.UnitStatus{ dbus.UnitStatus{ - Name: "sshd.service", + Name: "sshd.service", + LoadState: "active", }, dbus.UnitStatus{ - Name: "metricbeat.service", + Name: "metricbeat.service", + LoadState: "active", }, dbus.UnitStatus{ Name: "filebeat.service", @@ -104,3 +106,23 @@ func TestFilterMatches(t *testing.T) { assert.NoError(t, err) assert.Len(t, shouldMatch, 1) } + +func TestNoFilter(t *testing.T) { + shouldReturnResults, err := matchUnitPatterns([]string{}, exampleUnits) + assert.NoError(t, err) + assert.Len(t, shouldReturnResults, 3) +} + +func TestUnitStateFilter(t *testing.T) { + stateFilter := []string{ + "active", + } + shouldReturnResults := matchUnitState(stateFilter, exampleUnits) + assert.Len(t, shouldReturnResults, 2) + +} + +func TestUnitStateNoFilter(t *testing.T) { + shouldReturnResults := matchUnitState([]string{}, exampleUnits) + assert.Len(t, shouldReturnResults, 3) +} diff --git a/metricbeat/module/system/test_system.py b/metricbeat/module/system/test_system.py index cc6b731b113..f689b99fb4c 100644 --- a/metricbeat/module/system/test_system.py +++ b/metricbeat/module/system/test_system.py @@ -1,12 +1,10 @@ +import getpass +import metricbeat +import os import re import six import sys import unittest -import getpass -import os - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat SYSTEM_CPU_FIELDS = ["cores", "idle.pct", "iowait.pct", "irq.pct", "nice.pct", @@ -47,6 +45,12 @@ SYSTEM_NETWORK_FIELDS = ["name", "out.bytes", "in.bytes", "out.packets", "in.packets", "in.error", "out.error", "in.dropped", "out.dropped"] +SYSTEM_CPU_HOST_FIELDS = ["pct"] + +SYSTEM_NETWORK_HOST_FIELDS = ["in.bytes", "out.bytes", "in.packets", "out.packets"] + +SYSTEM_DISK_HOST_FIELDS = ["read.bytes", "write.bytes"] + # cmdline is also part of the system process fields, but it may not be present # for some kernel level processes. fd is also part of the system process, but # is not available on all OSes and requires root to read for all processes. @@ -76,8 +80,12 @@ def test_cpu(self): evt = output[0] self.assert_fields_are_documented(evt) - cpu = evt["system"]["cpu"] - self.assertCountEqual(self.de_dot(SYSTEM_CPU_FIELDS), cpu.keys()) + if "system" in evt: + cpu = evt["system"]["cpu"] + self.assertCountEqual(self.de_dot(SYSTEM_CPU_FIELDS), cpu.keys()) + else: + host_cpu = evt["host"]["cpu"] + self.assertCountEqual(self.de_dot(SYSTEM_CPU_HOST_FIELDS), host_cpu.keys()) @unittest.skipUnless(re.match("(?i)win|linux|darwin|freebsd|openbsd", sys.platform), "os") def test_cpu_ticks_option(self): @@ -198,8 +206,12 @@ def test_diskio(self): for evt in output: self.assert_fields_are_documented(evt) if 'error' not in evt: - diskio = evt["system"]["diskio"] - self.assertCountEqual(self.de_dot(SYSTEM_DISKIO_FIELDS), diskio.keys()) + if "system" in evt: + diskio = evt["system"]["diskio"] + self.assertCountEqual(self.de_dot(SYSTEM_DISKIO_FIELDS), diskio.keys()) + elif "host" in evt: + host_disk = evt["host"]["disk"] + self.assertCountEqual(SYSTEM_DISK_HOST_FIELDS, host_disk.keys()) @unittest.skipUnless(re.match("(?i)linux", sys.platform), "os") def test_diskio_linux(self): @@ -221,8 +233,12 @@ def test_diskio_linux(self): for evt in output: self.assert_fields_are_documented(evt) - diskio = evt["system"]["diskio"] - self.assertCountEqual(self.de_dot(SYSTEM_DISKIO_FIELDS_LINUX), diskio.keys()) + if "system" in evt: + diskio = evt["system"]["diskio"] + self.assertCountEqual(self.de_dot(SYSTEM_DISKIO_FIELDS_LINUX), diskio.keys()) + else: + host_disk = evt["host"]["disk"] + self.assertCountEqual(SYSTEM_DISK_HOST_FIELDS, host_disk.keys()) @unittest.skipUnless(re.match("(?i)win|linux|darwin|freebsd|openbsd", sys.platform), "os") def test_filesystem(self): @@ -330,8 +346,12 @@ def test_network(self): for evt in output: self.assert_fields_are_documented(evt) - network = evt["system"]["network"] - self.assertCountEqual(self.de_dot(SYSTEM_NETWORK_FIELDS), network.keys()) + if "system" in evt: + network = evt["system"]["network"] + self.assertCountEqual(self.de_dot(SYSTEM_NETWORK_FIELDS), network.keys()) + else: + host_network = evt["host"]["network"] + self.assertCountEqual(self.de_dot(SYSTEM_NETWORK_HOST_FIELDS), host_network.keys()) @unittest.skipUnless(re.match("(?i)win|linux|darwin|freebsd", sys.platform), "os") def test_process_summary(self): @@ -392,41 +412,85 @@ def test_process(self): self.assertGreater(len(output), 0) found_cmdline = False - found_env = False + for evt in output: + process = evt["system"]["process"] + found_cmdline |= "cmdline" in process + + # Remove 'env' prior to checking documented fields because its keys are dynamic. + process.pop("env", None) + self.assert_fields_are_documented(evt) + + # Remove optional keys. + process.pop("cgroup", None) + process.pop("fd", None) + process.pop("cmdline", None) + + self.assertCountEqual(SYSTEM_PROCESS_FIELDS, process.keys()) + + self.assertTrue(found_cmdline, "cmdline not found in any process events") + + @unittest.skipUnless(re.match("(?i)linux|darwin|freebsd", sys.platform), "os") + def test_process_unix(self): + """ + Test system/process output for fields specific of unix systems. + """ + import getpass + + self.render_config_template( + modules=[{ + "name": "system", + "metricsets": ["process"], + "period": "5s", + "extras": { + "process.env.whitelist": ["PATH"], + "process.include_cpu_ticks": True, + + # Remove 'percpu' prior to checking documented fields because its keys are dynamic. + "process.include_per_cpu": False, + }, + }], + # Some info is only guaranteed in processes with permissions, check + # only on own processes. + processors=[{ + "drop_event": { + "when": "not.equals.user.name: " + getpass.getuser(), + }, + }], + ) + proc = self.start_beat() + self.wait_until(lambda: self.output_lines() > 0) + proc.check_kill_and_wait() + self.assert_no_logged_warnings() + + output = self.read_output_json() + self.assertGreater(len(output), 0) + found_fd = False + found_env = False found_cwd = not sys.platform.startswith("linux") for evt in output: + found_cwd |= "working_directory" in evt["process"] + process = evt["system"]["process"] + found_fd |= "fd" in process + found_env |= "env" in process # Remove 'env' prior to checking documented fields because its keys are dynamic. env = process.pop("env", None) - if env is not None: - found_env = True - self.assert_fields_are_documented(evt) # Remove optional keys. process.pop("cgroup", None) - cmdline = process.pop("cmdline", None) - if cmdline is not None: - found_cmdline = True - fd = process.pop("fd", None) - if fd is not None: - found_fd = True - cwd = process.pop("cwd", None) - if cwd is not None: - found_cwd = True + process.pop("cmdline", None) + process.pop("fd", None) self.assertCountEqual(SYSTEM_PROCESS_FIELDS, process.keys()) - self.assertTrue(found_cmdline, "cmdline not found in any process events") - - if sys.platform.startswith("linux") or sys.platform.startswith("freebsd"): + if not sys.platform.startswith("darwin"): self.assertTrue(found_fd, "fd not found in any process events") - if sys.platform.startswith("linux") or sys.platform.startswith("freebsd")\ - or sys.platform.startswith("darwin"): - self.assertTrue(found_env, "env not found in any process events") + self.assertTrue(found_env, "env not found in any process events") + self.assertTrue(found_cwd, "working_directory not found in any process events") @unittest.skipUnless(re.match("(?i)win|linux|darwin|freebsd", sys.platform), "os") def test_process_metricbeat(self): @@ -491,7 +555,7 @@ def test_socket_summary(self): assert isinstance(udp["all"]["count"], int) def check_username(self, observed, expected=None): - if expected == None: + if expected is None: expected = getpass.getuser() if os.name == 'nt': diff --git a/metricbeat/module/traefik/test_traefik.py b/metricbeat/module/traefik/test_traefik.py index cc2cfe667d4..2752033d023 100644 --- a/metricbeat/module/traefik/test_traefik.py +++ b/metricbeat/module/traefik/test_traefik.py @@ -1,13 +1,10 @@ +import metricbeat import os import sys -import unittest import time +import unittest from parameterized import parameterized -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) - -import metricbeat - class Test(metricbeat.BaseTest): diff --git a/metricbeat/module/uwsgi/test_uwsgi.py b/metricbeat/module/uwsgi/test_uwsgi.py index 6f58c0d6911..e780a7119b0 100644 --- a/metricbeat/module/uwsgi/test_uwsgi.py +++ b/metricbeat/module/uwsgi/test_uwsgi.py @@ -1,13 +1,11 @@ import logging +import metricbeat import os +import pytest import sys import unittest -from nose.plugins.attrib import attr from parameterized import parameterized -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - logger = logging.getLogger(__name__) @@ -56,7 +54,7 @@ def common_checks(self, output): @parameterized.expand(["http", "tcp"]) @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_status(self, proto): """ uWSGI module outputs an event. @@ -75,4 +73,4 @@ def test_status(self, proto): self.common_checks(output) def get_host(self, proto): - return proto + "://" + self.compose_host(service="uwsgi_"+proto) + return proto + "://" + self.compose_host(service="uwsgi_" + proto) diff --git a/metricbeat/module/vsphere/test_vsphere.py b/metricbeat/module/vsphere/test_vsphere.py index b9e3e4709e9..c0c2b0db4bb 100644 --- a/metricbeat/module/vsphere/test_vsphere.py +++ b/metricbeat/module/vsphere/test_vsphere.py @@ -1,10 +1,8 @@ +import metricbeat import os import sys import unittest -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat - VSPHERE_FIELDS = metricbeat.COMMON_FIELDS + ["vsphere"] diff --git a/metricbeat/module/windows/perfmon/perfmon.go b/metricbeat/module/windows/perfmon/perfmon.go index 7f4712a5f3b..52865a28107 100644 --- a/metricbeat/module/windows/perfmon/perfmon.go +++ b/metricbeat/module/windows/perfmon/perfmon.go @@ -61,7 +61,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { func (m *MetricSet) Fetch(report mb.ReporterV2) error { // if the ignore_non_existent_counters flag is set and no valid counter paths are found the Read func will still execute, a check is done before if len(m.reader.query.Counters) == 0 { - return errors.New("no counters to read") + m.log.Error("no counter paths were found") } // refresh performance counter list diff --git a/metricbeat/module/windows/perfmon/reader.go b/metricbeat/module/windows/perfmon/reader.go index c65c4a8118a..6f90b18e348 100644 --- a/metricbeat/module/windows/perfmon/reader.go +++ b/metricbeat/module/windows/perfmon/reader.go @@ -38,6 +38,7 @@ const ( defaultInstanceField = "instance" defaultObjectField = "object" replaceUpperCaseRegex = `(?:[^A-Z_\W])([A-Z])[^A-Z]` + collectFailedMsg = "failed collecting counter values" ) // Reader will contain the config options @@ -152,7 +153,13 @@ func (re *Reader) Read() ([]mb.Event, error) { // Some counters, such as rate counters, require two counter values in order to compute a displayable value. In this case we must call PdhCollectQueryData twice before calling PdhGetFormattedCounterValue. // For more information, see Collecting Performance Data (https://docs.microsoft.com/en-us/windows/desktop/PerfCtrs/collecting-performance-data). if err := re.query.CollectData(); err != nil { - return nil, errors.Wrap(err, "failed querying counter values") + // users can encounter the case no counters are found (services/processes stopped), this should not generate an event with the error message, + //could be the case the specific services are started after and picked up by the next RefreshCounterPaths func + if err == pdh.PDH_NO_COUNTERS { + re.log.Warnf("%s %v", collectFailedMsg, err) + } else { + return nil, errors.Wrap(err, collectFailedMsg) + } } // Get the values. diff --git a/metricbeat/module/windows/perfmon/reader_integration_test.go b/metricbeat/module/windows/perfmon/reader_integration_test.go index 68fb593da32..56247e00d6d 100644 --- a/metricbeat/module/windows/perfmon/reader_integration_test.go +++ b/metricbeat/module/windows/perfmon/reader_integration_test.go @@ -37,7 +37,7 @@ func TestNewReaderWhenQueryPathNotProvided(t *testing.T) { Counters: []Counter{counter}, } reader, err := NewReader(config) - assert.NotNil(t, err) + assert.Error(t, err) assert.Nil(t, reader) assert.EqualValues(t, err.Error(), `failed to expand counter (query=""): no query path given`) } @@ -52,7 +52,7 @@ func TestNewReaderWithValidQueryPath(t *testing.T) { } reader, err := NewReader(config) defer reader.Close() - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, reader) assert.NotNil(t, reader.query) assert.NotNil(t, reader.query.Handle) @@ -76,11 +76,11 @@ func TestReadSuccessfully(t *testing.T) { //Some counters, such as rate counters, require two counter values in order to compute a displayable value. In this case we call reader.Read() twice. // For more information, see Collecting Performance Data (https://docs.microsoft.com/en-us/windows/desktop/PerfCtrs/collecting-performance-data). events, err := reader.Read() - assert.Nil(t, err) + assert.NoError(t, err) assert.Nil(t, events) assert.Zero(t, len(events)) events, err = reader.Read() - assert.Nil(t, err) + assert.NoError(t, err) assert.NotNil(t, events) assert.NotZero(t, len(events)) } diff --git a/metricbeat/module/zookeeper/test_zookeeper.py b/metricbeat/module/zookeeper/test_zookeeper.py index 65db80bf48b..079c3696c4c 100644 --- a/metricbeat/module/zookeeper/test_zookeeper.py +++ b/metricbeat/module/zookeeper/test_zookeeper.py @@ -1,10 +1,8 @@ +import metricbeat import os +import pytest import sys import unittest -from nose.plugins.attrib import attr - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) -import metricbeat ZK_FIELDS = metricbeat.COMMON_FIELDS + ["zookeeper"] @@ -21,7 +19,7 @@ class ZooKeeperMntrTest(metricbeat.BaseTest): COMPOSE_SERVICES = ['zookeeper'] @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_output(self): """ ZooKeeper mntr module outputs an event. @@ -55,7 +53,7 @@ def test_output(self): self.assert_fields_are_documented(evt) @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_output(self): """ ZooKeeper server module outputs an event. @@ -83,7 +81,7 @@ def test_output(self): self.assert_fields_are_documented(evt) @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_connection(self): """ ZooKeeper server module outputs an event. diff --git a/metricbeat/modules.d/mysql.yml.disabled b/metricbeat/modules.d/mysql.yml.disabled index 610b5830cd9..2b3371b1890 100644 --- a/metricbeat/modules.d/mysql.yml.disabled +++ b/metricbeat/modules.d/mysql.yml.disabled @@ -5,6 +5,8 @@ #metricsets: # - status # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" @@ -18,4 +20,4 @@ #username: root # Password of hosts. Empty by default. - #password: secret \ No newline at end of file + #password: secret diff --git a/metricbeat/scripts/mage/template/metricsetDoc.tmpl b/metricbeat/scripts/mage/template/metricsetDoc.tmpl index 4d68b28db18..da91e2a4fa3 100644 --- a/metricbeat/scripts/mage/template/metricsetDoc.tmpl +++ b/metricbeat/scripts/mage/template/metricsetDoc.tmpl @@ -3,6 +3,8 @@ This file is generated! See scripts/mage/docs_collector.go //// [[{{getBeatName}}-metricset-{{.Mod.Base}}-{{.Metricset.Title}}]] +{{- if .Mod.IsXpack}} +[role="xpack"]{{end}} === {{.Mod.Title}} {{.Metricset.Title}} metricset {{if not ( eq .Metricset.Release "ga") -}} diff --git a/metricbeat/tests/system/metricbeat.py b/metricbeat/tests/system/metricbeat.py index b0a0a232b0c..1fbf12cce88 100644 --- a/metricbeat/tests/system/metricbeat.py +++ b/metricbeat/tests/system/metricbeat.py @@ -1,10 +1,8 @@ +import logging import os import re import sys import yaml - -sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../../../libbeat/tests/system'))) - from beat.beat import TestCase from beat.tags import tag from parameterized import parameterized_class @@ -14,7 +12,6 @@ INTEGRATION_TESTS = os.environ.get('INTEGRATION_TESTS', False) -import logging logging.getLogger("urllib3").setLevel(logging.WARNING) @@ -53,7 +50,7 @@ def de_dot(self, existing_fields): # Dedot further levels recursively for key in fields: - if type(fields[key]) is dict: + if isinstance(fields[key], dict): fields[key] = self.de_dot(fields[key]) return fields @@ -64,7 +61,7 @@ def assert_no_logged_warnings(self, replace=None): """ log = self.get_log() - pattern = self.build_log_regex("\[cfgwarn\]") + pattern = self.build_log_regex(r"\[cfgwarn\]") log = pattern.sub("", log) # Jenkins runs as a Windows service and when Jenkins executes these diff --git a/metricbeat/tests/system/test_autodiscover_jolokia.py b/metricbeat/tests/system/test_autodiscover_jolokia.py index 727e4e62807..51d5dddd5a8 100644 --- a/metricbeat/tests/system/test_autodiscover_jolokia.py +++ b/metricbeat/tests/system/test_autodiscover_jolokia.py @@ -1,7 +1,6 @@ import os import metricbeat import unittest -from nose.plugins.attrib import attr class Test(metricbeat.BaseTest): diff --git a/metricbeat/tests/system/test_base.py b/metricbeat/tests/system/test_base.py index 4f680d29172..1c42b967ac3 100644 --- a/metricbeat/tests/system/test_base.py +++ b/metricbeat/tests/system/test_base.py @@ -1,14 +1,18 @@ +import os +import pytest import re +import shutil import sys import unittest -import os -import shutil + from metricbeat import BaseTest -from elasticsearch import Elasticsearch + from beat.beat import INTEGRATION_TESTS +from beat import common_tests +from elasticsearch import Elasticsearch -class Test(BaseTest): +class Test(BaseTest, common_tests.TestExportsMixin): COMPOSE_SERVICES = ['elasticsearch', 'kibana'] @@ -53,6 +57,7 @@ def test_template(self): assert len(es.cat.templates(name='metricbeat-*', h='name')) > 0 @unittest.skipUnless(INTEGRATION_TESTS, "integration test") + @pytest.mark.timeout(180, func_only=True) def test_dashboards(self): """ Test that the dashboards can be loaded with `setup --dashboards` diff --git a/metricbeat/tests/system/test_cmd.py b/metricbeat/tests/system/test_cmd.py index ad9a507d08c..6cde1802d03 100644 --- a/metricbeat/tests/system/test_cmd.py +++ b/metricbeat/tests/system/test_cmd.py @@ -156,7 +156,7 @@ def test_modules_test_error(self): self.log_contains("ERROR error fetching status"), self.log_contains("ERROR timeout waiting for an event"), )) - except: + except BaseException: # Print log to help debugging this if error message changes print(self.get_log()) raise diff --git a/metricbeat/tests/system/test_config.py b/metricbeat/tests/system/test_config.py index d1cd2702265..a09a23f5ede 100644 --- a/metricbeat/tests/system/test_config.py +++ b/metricbeat/tests/system/test_config.py @@ -1,7 +1,6 @@ import os from metricbeat import BaseTest import unittest -from nose.plugins.attrib import attr import urllib.request import urllib.error import urllib.parse diff --git a/metricbeat/tests/system/test_template.py b/metricbeat/tests/system/test_template.py index 5899796524d..75b366ab15d 100644 --- a/metricbeat/tests/system/test_template.py +++ b/metricbeat/tests/system/test_template.py @@ -1,7 +1,7 @@ import os import metricbeat import json -from nose.plugins.skip import SkipTest +import unittest class Test(metricbeat.BaseTest): @@ -12,7 +12,7 @@ def test_export_template(self): """ if os.name == "nt": - raise SkipTest + raise unittest.SkipTest self.render_config_template("metricbeat", os.path.join(self.working_dir, diff --git a/packetbeat/Dockerfile b/packetbeat/Dockerfile index 2711edfeeff..52a31a9e99d 100644 --- a/packetbeat/Dockerfile +++ b/packetbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 RUN \ apt-get update \ @@ -11,8 +11,6 @@ RUN \ libpcap-dev \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/packetbeat/Jenkinsfile.yml b/packetbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..416e69a203b --- /dev/null +++ b/packetbeat/Jenkinsfile.yml @@ -0,0 +1,32 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^packetbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@oss" ## special token regarding the changeset for the oss + comments: ## when PR comment contains any of those entries + - "/test packetbeat" + labels: ## when PR labels matches any of those entries + - "packetbeat" + parameters: ## when parameter was selected in the UI. + - "packetbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage build test" + macos: + mage: "mage build unitTest" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test packetbeat for macos" + labels: + - "macOS" + parameters: + - "macosTest" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/packetbeat/SUPPORT_PROTOCOL.md b/packetbeat/SUPPORT_PROTOCOL.md index 035eb793b85..5bc304f6745 100644 --- a/packetbeat/SUPPORT_PROTOCOL.md +++ b/packetbeat/SUPPORT_PROTOCOL.md @@ -16,7 +16,7 @@ Test suites are based on [pcap files](./tests/system/pcaps), that are dumps from tcpdump -s 0 port 27017 -i docker0 -w tests/system/pcaps/mongodb_find.pcap -# Nosetests +# Python tests The 'tests' directory contains tests written in python that run the full packetbeat program. You can add some of yours based on the pcaps files of you test dataset. diff --git a/packetbeat/_meta/sample_outputs/flow.json b/packetbeat/_meta/sample_outputs/flow.json index d51644e16d3..7fbcfaaa468 100644 --- a/packetbeat/_meta/sample_outputs/flow.json +++ b/packetbeat/_meta/sample_outputs/flow.json @@ -70,6 +70,12 @@ "end": "2018-11-30T01:16:45.645Z", "duration": 3965826800, "type": "flow", - "start": "2018-11-30T01:16:41.679Z" + "start": "2018-11-30T01:16:41.679Z", + "dataset": "flow", + "kind": "event", + "action": "network_flow", + "category": [ + "network" + ] } } diff --git a/packetbeat/conftest.py b/packetbeat/conftest.py new file mode 100644 index 00000000000..2f3f8199559 --- /dev/null +++ b/packetbeat/conftest.py @@ -0,0 +1,4 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../libbeat/tests/system')) diff --git a/packetbeat/docs/configuring-howto.asciidoc b/packetbeat/docs/configuring-howto.asciidoc index 1975d3c7dcb..cc9e3c9a926 100644 --- a/packetbeat/docs/configuring-howto.asciidoc +++ b/packetbeat/docs/configuring-howto.asciidoc @@ -25,6 +25,7 @@ include::{libbeat-dir}/shared/configuring-intro.asciidoc[] * <> * <> * <> +* <> * <<{beatname_lc}-reference-yml>> -- @@ -51,4 +52,6 @@ include::{libbeat-dir}/loggingconfig.asciidoc[] include::{libbeat-dir}/http-endpoint.asciidoc[] +include::{libbeat-dir}/shared-instrumentation.asciidoc[] + include::{libbeat-dir}/reference-yml.asciidoc[] diff --git a/packetbeat/docs/fields.asciidoc b/packetbeat/docs/fields.asciidoc index cb66e939a76..2c73f3dd277 100644 --- a/packetbeat/docs/fields.asciidoc +++ b/packetbeat/docs/fields.asciidoc @@ -1271,16 +1271,6 @@ Metadata from cloud providers added by the add_cloud_metadata processor. -*`cloud.project.id`*:: -+ --- -Name of the project in Google Cloud. - - -example: project-x - --- - *`cloud.image.id`*:: + -- @@ -2200,6 +2190,18 @@ The agent fields contain the data about the software entity, if any, that collec Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`agent.build.original`*:: ++ +-- +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. + +type: keyword + +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] + +-- + *`agent.ephemeral_id`*:: + -- @@ -2241,7 +2243,7 @@ example: foo + -- Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: keyword @@ -2457,8 +2459,7 @@ example: Quebec *`client.ip`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the client (IPv4 or IPv6). type: ip @@ -2521,19 +2522,19 @@ format: string + -- The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`client.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -2620,7 +2621,7 @@ type: keyword *`client.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -2644,6 +2645,17 @@ type: text -- +*`client.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === cloud @@ -2662,6 +2674,18 @@ example: 666777888999 -- +*`cloud.account.name`*:: ++ +-- +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. + +type: keyword + +example: elastic-dev + +-- + *`cloud.availability_zone`*:: + -- @@ -2704,6 +2728,30 @@ example: t2.medium -- +*`cloud.project.id`*:: ++ +-- +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. + +type: keyword + +example: my-project + +-- + +*`cloud.project.name`*:: ++ +-- +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. + +type: keyword + +example: my project + +-- + *`cloud.provider`*:: + -- @@ -3014,8 +3062,7 @@ example: Quebec *`destination.ip`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the destination (IPv4 or IPv6). type: ip @@ -3078,19 +3125,19 @@ format: string + -- The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`destination.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -3177,7 +3224,7 @@ type: keyword *`destination.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -3201,6 +3248,17 @@ type: text -- +*`destination.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === dll @@ -3329,6 +3387,17 @@ example: C:\Windows\System32\kernel32.dll -- +*`dll.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`dll.pe.company`*:: + -- @@ -3362,6 +3431,18 @@ example: 6.3.9600.17415 -- +*`dll.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`dll.pe.original_file_name`*:: + -- @@ -3433,7 +3514,7 @@ If a chain of CNAME is being resolved, each answer's `name` should be the one th type: keyword -example: www.google.com +example: www.example.com -- @@ -3512,7 +3593,7 @@ If the name field contains non-printable characters (below 32 or above 126), tho type: keyword -example: www.google.com +example: www.example.com -- @@ -3520,12 +3601,12 @@ example: www.google.com + -- The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- @@ -3544,7 +3625,7 @@ example: www *`dns.question.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -3661,6 +3742,8 @@ The stack trace of this error in plain text. type: keyword +Field is not indexed. + -- *`error.stack_trace.text`*:: @@ -3843,6 +3926,8 @@ type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +Field is not indexed. + -- *`event.outcome`*:: @@ -3872,6 +3957,18 @@ example: kernel -- +*`event.reason`*:: ++ +-- +Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + +type: keyword + +example: Terminated an unexpected process + +-- + *`event.reference`*:: + -- @@ -3880,7 +3977,7 @@ This URL links to a static definition of the this event. Alert events, indicated type: keyword -example: https://system.vendor.com/event/#0001234 +example: https://system.example.com/event/#0001234 -- @@ -3964,11 +4061,11 @@ type: keyword + -- URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe -- @@ -4262,6 +4359,17 @@ type: text -- +*`file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`file.pe.company`*:: + -- @@ -4295,6 +4403,18 @@ example: 6.3.9600.17415 -- +*`file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`file.pe.original_file_name`*:: + -- @@ -4367,660 +4487,937 @@ example: 1001 -- -[float] -=== geo - -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. - - -*`geo.city_name`*:: +*`file.x509.alternative_names`*:: + -- -City name. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: Montreal +example: *.elastic.co -- -*`geo.continent_name`*:: +*`file.x509.issuer.common_name`*:: + -- -Name of the continent. +List of common name (CN) of issuing certificate authority. type: keyword -example: North America +example: Example SHA2 High Assurance Server CA -- -*`geo.country_iso_code`*:: +*`file.x509.issuer.country`*:: + -- -Country ISO code. +List of country (C) codes type: keyword -example: CA +example: US -- -*`geo.country_name`*:: +*`file.x509.issuer.distinguished_name`*:: + -- -Country name. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: Canada +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`geo.location`*:: +*`file.x509.issuer.locality`*:: + -- -Longitude and latitude. +List of locality names (L) -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Mountain View -- -*`geo.name`*:: +*`file.x509.issuer.organization`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +List of organizations (O) of issuing certificate authority. type: keyword -example: boston-dc +example: Example Inc -- -*`geo.region_iso_code`*:: +*`file.x509.issuer.organizational_unit`*:: + -- -Region ISO code. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: CA-QC +example: www.example.com -- -*`geo.region_name`*:: +*`file.x509.issuer.state_or_province`*:: + -- -Region name. +List of state or province names (ST, S, or P) type: keyword -example: Quebec +example: California -- -[float] -=== group - -The group fields are meant to represent groups that are relevant to the event. - - -*`group.domain`*:: +*`file.x509.not_after`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Time at which the certificate is no longer considered valid. -type: keyword +type: date + +example: 2020-07-16 03:15:39+00:00 -- -*`group.id`*:: +*`file.x509.not_before`*:: + -- -Unique identifier for the group on the system/platform. +Time at which the certificate is first considered valid. -type: keyword +type: date + +example: 2019-08-16 01:40:25+00:00 -- -*`group.name`*:: +*`file.x509.public_key_algorithm`*:: + -- -Name of the group. +Algorithm used to generate the public key. type: keyword --- - -[float] -=== hash - -The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +example: RSA +-- -*`hash.md5`*:: +*`file.x509.public_key_curve`*:: + -- -MD5 hash. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`hash.sha1`*:: +*`file.x509.public_key_exponent`*:: + -- -SHA1 hash. - -type: keyword +Exponent used to derive the public key. This is algorithm specific. --- +type: long -*`hash.sha256`*:: -+ --- -SHA256 hash. +example: 65537 -type: keyword +Field is not indexed. -- -*`hash.sha512`*:: +*`file.x509.public_key_size`*:: + -- -SHA512 hash. - -type: keyword - --- +The size of the public key space in bits. -[float] -=== host +type: long -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +example: 2048 +-- -*`host.architecture`*:: +*`file.x509.serial_number`*:: + -- -Operating system architecture. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: x86_64 +example: 55FBB9C7DEBF09809D12CCAA -- -*`host.domain`*:: +*`file.x509.signature_algorithm`*:: + -- -Name of the domain of which the host is a member. -For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: CONTOSO +example: SHA256-RSA -- -*`host.geo.city_name`*:: +*`file.x509.subject.common_name`*:: + -- -City name. +List of common names (CN) of subject. type: keyword -example: Montreal +example: shared.global.example.net -- -*`host.geo.continent_name`*:: +*`file.x509.subject.country`*:: + -- -Name of the continent. +List of country (C) code type: keyword -example: North America +example: US -- -*`host.geo.country_iso_code`*:: +*`file.x509.subject.distinguished_name`*:: + -- -Country ISO code. +Distinguished name (DN) of the certificate subject entity. type: keyword -example: CA +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`host.geo.country_name`*:: +*`file.x509.subject.locality`*:: + -- -Country name. +List of locality names (L) type: keyword -example: Canada +example: San Francisco -- -*`host.geo.location`*:: +*`file.x509.subject.organization`*:: + -- -Longitude and latitude. +List of organizations (O) of subject. -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Example, Inc. -- -*`host.geo.name`*:: +*`file.x509.subject.organizational_unit`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +List of organizational units (OU) of subject. type: keyword -example: boston-dc - -- -*`host.geo.region_iso_code`*:: +*`file.x509.subject.state_or_province`*:: + -- -Region ISO code. +List of state or province names (ST, S, or P) type: keyword -example: CA-QC +example: California -- -*`host.geo.region_name`*:: +*`file.x509.version_number`*:: + -- -Region name. +Version of x509 format. type: keyword -example: Quebec +example: 3 -- -*`host.hostname`*:: -+ --- -Hostname of the host. -It normally contains what the `hostname` command returns on the host machine. +[float] +=== geo -type: keyword +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. --- -*`host.id`*:: +*`geo.city_name`*:: + -- -Unique host id. -As hostname is not always unique, use values that are meaningful in your environment. -Example: The current usage of `beat.name`. +City name. type: keyword --- - -*`host.ip`*:: -+ --- -Host ip addresses. - -type: ip +example: Montreal -- -*`host.mac`*:: +*`geo.continent_name`*:: + -- -Host mac addresses. +Name of the continent. type: keyword +example: North America + -- -*`host.name`*:: +*`geo.country_iso_code`*:: + -- -Name of the host. -It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. +Country ISO code. type: keyword +example: CA + -- -*`host.os.family`*:: +*`geo.country_name`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +Country name. type: keyword -example: debian +example: Canada -- -*`host.os.full`*:: +*`geo.location`*:: + -- -Operating system name, including the version or code name. +Longitude and latitude. -type: keyword +type: geo_point -example: Mac OS Mojave +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`host.os.full.text`*:: +*`geo.name`*:: + -- -type: text +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc -- -*`host.os.kernel`*:: +*`geo.region_iso_code`*:: + -- -Operating system kernel version as a raw string. +Region ISO code. type: keyword -example: 4.4.0-112-generic +example: CA-QC -- -*`host.os.name`*:: +*`geo.region_name`*:: + -- -Operating system name, without the version. +Region name. type: keyword -example: Mac OS X +example: Quebec -- -*`host.os.name.text`*:: -+ --- -type: text +[float] +=== group --- +The group fields are meant to represent groups that are relevant to the event. -*`host.os.platform`*:: + +*`group.domain`*:: + -- -Operating system platform (such centos, ubuntu, windows). +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -example: darwin - -- -*`host.os.version`*:: +*`group.id`*:: + -- -Operating system version as a raw string. +Unique identifier for the group on the system/platform. type: keyword -example: 10.14.1 - -- -*`host.type`*:: +*`group.name`*:: + -- -Type of host. -For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. +Name of the group. type: keyword -- -*`host.uptime`*:: -+ --- -Seconds the host has been up. - -type: long +[float] +=== hash -example: 1325 +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). --- -*`host.user.domain`*:: +*`hash.md5`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +MD5 hash. type: keyword -- -*`host.user.email`*:: +*`hash.sha1`*:: + -- -User email address. +SHA1 hash. type: keyword -- -*`host.user.full_name`*:: +*`hash.sha256`*:: + -- -User's full name, if available. +SHA256 hash. type: keyword -example: Albert Einstein - -- -*`host.user.full_name.text`*:: +*`hash.sha512`*:: + -- -type: text +SHA512 hash. --- +type: keyword -*`host.user.group.domain`*:: -+ -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. -type: keyword +[float] +=== host --- +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. -*`host.user.group.id`*:: + +*`host.architecture`*:: + -- -Unique identifier for the group on the system/platform. +Operating system architecture. type: keyword +example: x86_64 + -- -*`host.user.group.name`*:: +*`host.domain`*:: + -- -Name of the group. +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. type: keyword +example: CONTOSO + -- -*`host.user.hash`*:: +*`host.geo.city_name`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +City name. type: keyword +example: Montreal + -- -*`host.user.id`*:: +*`host.geo.continent_name`*:: + -- -Unique identifiers of the user. +Name of the continent. type: keyword +example: North America + -- -*`host.user.name`*:: +*`host.geo.country_iso_code`*:: + -- -Short name or login of the user. +Country ISO code. type: keyword -example: albert +example: CA -- -*`host.user.name.text`*:: +*`host.geo.country_name`*:: + -- -type: text - --- +Country name. -[float] -=== http +type: keyword -Fields related to HTTP activity. Use the `url` field set to store the url of the request. +example: Canada +-- -*`http.request.body.bytes`*:: +*`host.geo.location`*:: + -- -Size in bytes of the request body. - -type: long +Longitude and latitude. -example: 887 +type: geo_point -format: bytes +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`http.request.body.content`*:: +*`host.geo.name`*:: + -- -The full HTTP request body. +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword -example: Hello world +example: boston-dc -- -*`http.request.body.content.text`*:: +*`host.geo.region_iso_code`*:: + -- -type: text +Region ISO code. + +type: keyword + +example: CA-QC -- -*`http.request.bytes`*:: +*`host.geo.region_name`*:: + -- -Total size in bytes of the request (body and headers). - -type: long +Region name. -example: 1437 +type: keyword -format: bytes +example: Quebec -- -*`http.request.method`*:: +*`host.hostname`*:: + -- -HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Hostname of the host. +It normally contains what the `hostname` command returns on the host machine. type: keyword -example: get, post, put - -- -*`http.request.referrer`*:: +*`host.id`*:: + -- -Referrer for this HTTP request. +Unique host id. +As hostname is not always unique, use values that are meaningful in your environment. +Example: The current usage of `beat.name`. type: keyword -example: https://blog.example.com/ - -- -*`http.response.body.bytes`*:: +*`host.ip`*:: + -- -Size in bytes of the response body. - -type: long - -example: 887 +Host ip addresses. -format: bytes +type: ip -- -*`http.response.body.content`*:: +*`host.mac`*:: + -- -The full HTTP response body. +Host mac addresses. type: keyword -example: Hello world - -- -*`http.response.body.content.text`*:: +*`host.name`*:: ++ +-- +Name of the host. +It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. + +type: keyword + +-- + +*`host.os.family`*:: ++ +-- +OS family (such as redhat, debian, freebsd, windows). + +type: keyword + +example: debian + +-- + +*`host.os.full`*:: ++ +-- +Operating system name, including the version or code name. + +type: keyword + +example: Mac OS Mojave + +-- + +*`host.os.full.text`*:: + -- type: text -- -*`http.response.bytes`*:: +*`host.os.kernel`*:: + -- -Total size in bytes of the response (body and headers). +Operating system kernel version as a raw string. + +type: keyword + +example: 4.4.0-112-generic + +-- + +*`host.os.name`*:: ++ +-- +Operating system name, without the version. + +type: keyword + +example: Mac OS X + +-- + +*`host.os.name.text`*:: ++ +-- +type: text + +-- + +*`host.os.platform`*:: ++ +-- +Operating system platform (such centos, ubuntu, windows). + +type: keyword + +example: darwin + +-- + +*`host.os.version`*:: ++ +-- +Operating system version as a raw string. + +type: keyword + +example: 10.14.1 + +-- + +*`host.type`*:: ++ +-- +Type of host. +For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. + +type: keyword + +-- + +*`host.uptime`*:: ++ +-- +Seconds the host has been up. + +type: long + +example: 1325 + +-- + +*`host.user.domain`*:: ++ +-- +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`host.user.email`*:: ++ +-- +User email address. + +type: keyword + +-- + +*`host.user.full_name`*:: ++ +-- +User's full name, if available. + +type: keyword + +example: Albert Einstein + +-- + +*`host.user.full_name.text`*:: ++ +-- +type: text + +-- + +*`host.user.group.domain`*:: ++ +-- +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. + +type: keyword + +-- + +*`host.user.group.id`*:: ++ +-- +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`host.user.group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +*`host.user.hash`*:: ++ +-- +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. + +type: keyword + +-- + +*`host.user.id`*:: ++ +-- +Unique identifier of the user. + +type: keyword + +-- + +*`host.user.name`*:: ++ +-- +Short name or login of the user. + +type: keyword + +example: albert + +-- + +*`host.user.name.text`*:: ++ +-- +type: text + +-- + +*`host.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + +[float] +=== http + +Fields related to HTTP activity. Use the `url` field set to store the url of the request. + + +*`http.request.body.bytes`*:: ++ +-- +Size in bytes of the request body. + +type: long + +example: 887 + +format: bytes + +-- + +*`http.request.body.content`*:: ++ +-- +The full HTTP request body. + +type: keyword + +example: Hello world + +-- + +*`http.request.body.content.text`*:: ++ +-- +type: text + +-- + +*`http.request.bytes`*:: ++ +-- +Total size in bytes of the request (body and headers). + +type: long + +example: 1437 + +format: bytes + +-- + +*`http.request.method`*:: ++ +-- +HTTP request method. +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 + +type: keyword + +example: GET, POST, PUT, PoST + +-- + +*`http.request.referrer`*:: ++ +-- +Referrer for this HTTP request. + +type: keyword + +example: https://blog.example.com/ + +-- + +*`http.response.body.bytes`*:: ++ +-- +Size in bytes of the response body. + +type: long + +example: 887 + +format: bytes + +-- + +*`http.response.body.content`*:: ++ +-- +The full HTTP response body. + +type: keyword + +example: Hello world + +-- + +*`http.response.body.content.text`*:: ++ +-- +type: text + +-- + +*`http.response.bytes`*:: ++ +-- +Total size in bytes of the response (body and headers). type: long @@ -5033,1111 +5430,1620 @@ format: bytes *`http.response.status_code`*:: + -- -HTTP response status code. - -type: long +HTTP response status code. + +type: long + +example: 404 + +format: string + +-- + +*`http.version`*:: ++ +-- +HTTP version. + +type: keyword + +example: 1.1 + +-- + +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +[float] +=== log + +Details about the event's logging mechanism or logging transport. +The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. +The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. + + +*`log.file.path`*:: ++ +-- +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. + +type: keyword + +example: /var/log/fun-times.log + +-- + +*`log.level`*:: ++ +-- +Original log level of the log event. +If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). +Some examples are `warn`, `err`, `i`, `informational`. + +type: keyword + +example: error + +-- + +*`log.logger`*:: ++ +-- +The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. + +type: keyword + +example: org.elasticsearch.bootstrap.Bootstrap + +-- + +*`log.origin.file.line`*:: ++ +-- +The line number of the file containing the source code which originated the log event. + +type: integer + +example: 42 + +-- + +*`log.origin.file.name`*:: ++ +-- +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. + +type: keyword + +example: Bootstrap.java + +-- + +*`log.origin.function`*:: ++ +-- +The name of the function or method which originated the log event. + +type: keyword + +example: init + +-- + +*`log.original`*:: ++ +-- +This is the original log message and contains the full log message before splitting it up in multiple parts. +In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. +This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. + +type: keyword + +example: Sep 19 08:26:10 localhost My log + +Field is not indexed. + +-- + +*`log.syslog`*:: ++ +-- +The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. + +type: object + +-- + +*`log.syslog.facility.code`*:: ++ +-- +The Syslog numeric facility of the log event, if available. +According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. + +type: long + +example: 23 + +format: string + +-- + +*`log.syslog.facility.name`*:: ++ +-- +The Syslog text-based facility of the log event, if available. + +type: keyword + +example: local7 + +-- + +*`log.syslog.priority`*:: ++ +-- +Syslog numeric priority of the event, if available. +According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. + +type: long + +example: 135 + +format: string + +-- + +*`log.syslog.severity.code`*:: ++ +-- +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. + +type: long + +example: 3 + +-- + +*`log.syslog.severity.name`*:: ++ +-- +The Syslog numeric severity of the log event, if available. +If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. + +type: keyword + +example: Error + +-- + +[float] +=== network + +The network is defined as the communication path over which a host or network event happens. +The network.* fields should be populated with details about the network activity associated with an event. + + +*`network.application`*:: ++ +-- +A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: aim + +-- + +*`network.bytes`*:: ++ +-- +Total bytes transferred in both directions. +If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + +type: long + +example: 368 + +format: bytes + +-- + +*`network.community_id`*:: ++ +-- +A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +Learn more at https://github.com/corelight/community-id-spec. + +type: keyword + +example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= + +-- + +*`network.direction`*:: ++ +-- +Direction of the network traffic. +Recommended values are: + * inbound + * outbound + * internal + * external + * unknown + +When mapping events from a host-based monitoring context, populate this field from the host's point of view. +When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. + +type: keyword + +example: inbound + +-- + +*`network.forwarded_ip`*:: ++ +-- +Host IP address when the source IP address is the proxy. + +type: ip + +example: 192.1.1.2 + +-- + +*`network.iana_number`*:: ++ +-- +IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + +type: keyword + +example: 6 + +-- + +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`network.name`*:: ++ +-- +Name given by operators to sections of their network. + +type: keyword + +example: Guest Wifi + +-- + +*`network.packets`*:: ++ +-- +Total packets transferred in both directions. +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + +type: long + +example: 24 + +-- + +*`network.protocol`*:: ++ +-- +L7 Network protocol name. ex. http, lumberjack, transport protocol. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: http + +-- + +*`network.transport`*:: ++ +-- +Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: tcp + +-- + +*`network.type`*:: ++ +-- +In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + +type: keyword + +example: ipv4 + +-- + +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +[float] +=== observer + +An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. +This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. + + +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: Public_Internet + +-- + +*`observer.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`observer.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`observer.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`observer.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`observer.geo.location`*:: ++ +-- +Longitude and latitude. -example: 404 +type: geo_point -format: string +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`http.version`*:: +*`observer.geo.name`*:: + -- -HTTP version. +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. type: keyword -example: 1.1 +example: boston-dc -- -[float] -=== interface - -The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. - - -*`interface.alias`*:: +*`observer.geo.region_iso_code`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +Region ISO code. type: keyword -example: outside +example: CA-QC -- -*`interface.id`*:: +*`observer.geo.region_name`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). +Region name. type: keyword -example: 10 +example: Quebec -- -*`interface.name`*:: +*`observer.hostname`*:: + -- -Interface name as reported by the system. +Hostname of the observer. type: keyword -example: eth0 - -- -[float] -=== log +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. -Details about the event's logging mechanism or logging transport. -The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`. -The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +type: object +-- -*`log.level`*:: +*`observer.ingress.interface.alias`*:: + -- -Original log level of the log event. -If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). -Some examples are `warn`, `err`, `i`, `informational`. +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. type: keyword -example: error +example: outside -- -*`log.logger`*:: +*`observer.ingress.interface.id`*:: + -- -The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. +Interface ID as reported by an observer (typically SNMP interface ID). type: keyword -example: org.elasticsearch.bootstrap.Bootstrap +example: 10 -- -*`log.origin.file.line`*:: +*`observer.ingress.interface.name`*:: + -- -The line number of the file containing the source code which originated the log event. +Interface name as reported by the system. -type: integer +type: keyword -example: 42 +example: eth0 -- -*`log.origin.file.name`*:: +*`observer.ingress.vlan.id`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. +VLAN ID as reported by the observer. type: keyword -example: Bootstrap.java +example: 10 -- -*`log.origin.function`*:: +*`observer.ingress.vlan.name`*:: + -- -The name of the function or method which originated the log event. +Optional VLAN name as reported by the observer. type: keyword -example: init +example: outside -- -*`log.original`*:: +*`observer.ingress.zone`*:: + -- -This is the original log message and contains the full log message before splitting it up in multiple parts. -In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. -This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. type: keyword -example: Sep 19 08:26:10 localhost My log +example: DMZ -- -*`log.syslog`*:: +*`observer.ip`*:: + -- -The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. +IP addresses of the observer. -type: object +type: ip -- -*`log.syslog.facility.code`*:: +*`observer.mac`*:: + -- -The Syslog numeric facility of the log event, if available. -According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. - -type: long - -example: 23 +MAC addresses of the observer -format: string +type: keyword -- -*`log.syslog.facility.name`*:: +*`observer.name`*:: + -- -The Syslog text-based facility of the log event, if available. +Custom name of the observer. +This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. +If no custom name is needed, the field can be left empty. type: keyword -example: local7 +example: 1_proxySG -- -*`log.syslog.priority`*:: +*`observer.os.family`*:: + -- -Syslog numeric priority of the event, if available. -According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. - -type: long +OS family (such as redhat, debian, freebsd, windows). -example: 135 +type: keyword -format: string +example: debian -- -*`log.syslog.severity.code`*:: +*`observer.os.full`*:: + -- -The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. +Operating system name, including the version or code name. -type: long +type: keyword -example: 3 +example: Mac OS Mojave -- -*`log.syslog.severity.name`*:: +*`observer.os.full.text`*:: + -- -The Syslog numeric severity of the log event, if available. -If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. - -type: keyword - -example: Error +type: text -- -[float] -=== network - -The network is defined as the communication path over which a host or network event happens. -The network.* fields should be populated with details about the network activity associated with an event. - - -*`network.application`*:: +*`observer.os.kernel`*:: + -- -A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Operating system kernel version as a raw string. type: keyword -example: aim +example: 4.4.0-112-generic -- -*`network.bytes`*:: +*`observer.os.name`*:: + -- -Total bytes transferred in both directions. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - -type: long +Operating system name, without the version. -example: 368 +type: keyword -format: bytes +example: Mac OS X -- -*`network.community_id`*:: +*`observer.os.name.text`*:: + -- -A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -Learn more at https://github.com/corelight/community-id-spec. - -type: keyword - -example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= +type: text -- -*`network.direction`*:: +*`observer.os.platform`*:: + -- -Direction of the network traffic. -Recommended values are: - * inbound - * outbound - * internal - * external - * unknown - -When mapping events from a host-based monitoring context, populate this field from the host's point of view. -When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. +Operating system platform (such centos, ubuntu, windows). type: keyword -example: inbound +example: darwin -- -*`network.forwarded_ip`*:: +*`observer.os.version`*:: + -- -Host IP address when the source IP address is the proxy. +Operating system version as a raw string. -type: ip +type: keyword -example: 192.1.1.2 +example: 10.14.1 -- -*`network.iana_number`*:: +*`observer.product`*:: + -- -IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. +The product name of the observer. type: keyword -example: 6 +example: s200 -- -*`network.inner`*:: +*`observer.serial_number`*:: + -- -Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) +Observer serial number. -type: object +type: keyword -- -*`network.inner.vlan.id`*:: +*`observer.type`*:: + -- -VLAN ID as reported by the observer. +The type of the observer the data is coming from. +There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. type: keyword -example: 10 +example: firewall -- -*`network.inner.vlan.name`*:: +*`observer.vendor`*:: + -- -Optional VLAN name as reported by the observer. +Vendor name of the observer. type: keyword -example: outside +example: Symantec -- -*`network.name`*:: +*`observer.version`*:: + -- -Name given by operators to sections of their network. +Observer version. type: keyword -example: Guest Wifi - --- - -*`network.packets`*:: -+ -- -Total packets transferred in both directions. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. -type: long +[float] +=== organization -example: 24 +The organization fields enrich data with information about the company or entity the data is associated with. +These fields help you arrange or filter data stored in an index by one or multiple organizations. --- -*`network.protocol`*:: +*`organization.id`*:: + -- -L7 Network protocol name. ex. http, lumberjack, transport protocol. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Unique identifier for the organization. type: keyword -example: http - -- -*`network.transport`*:: +*`organization.name`*:: + -- -Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Organization name. type: keyword -example: tcp - -- -*`network.type`*:: +*`organization.name.text`*:: + -- -In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +type: text -type: keyword +-- -example: ipv4 +[float] +=== os --- +The OS fields contain information about the operating system. -*`network.vlan.id`*:: + +*`os.family`*:: + -- -VLAN ID as reported by the observer. +OS family (such as redhat, debian, freebsd, windows). type: keyword -example: 10 +example: debian -- -*`network.vlan.name`*:: +*`os.full`*:: + -- -Optional VLAN name as reported by the observer. +Operating system name, including the version or code name. type: keyword -example: outside +example: Mac OS Mojave -- -[float] -=== observer - -An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. -This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. - - -*`observer.egress`*:: +*`os.full.text`*:: + -- -Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. - -type: object +type: text -- -*`observer.egress.interface.alias`*:: +*`os.kernel`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +Operating system kernel version as a raw string. type: keyword -example: outside +example: 4.4.0-112-generic -- -*`observer.egress.interface.id`*:: +*`os.name`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). +Operating system name, without the version. type: keyword -example: 10 +example: Mac OS X -- -*`observer.egress.interface.name`*:: +*`os.name.text`*:: + -- -Interface name as reported by the system. - -type: keyword - -example: eth0 +type: text -- -*`observer.egress.vlan.id`*:: +*`os.platform`*:: + -- -VLAN ID as reported by the observer. +Operating system platform (such centos, ubuntu, windows). type: keyword -example: 10 +example: darwin -- -*`observer.egress.vlan.name`*:: +*`os.version`*:: + -- -Optional VLAN name as reported by the observer. +Operating system version as a raw string. type: keyword -example: outside +example: 10.14.1 -- -*`observer.egress.zone`*:: +[float] +=== package + +These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. + + +*`package.architecture`*:: + -- -Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. +Package architecture. type: keyword -example: Public_Internet +example: x86_64 -- -*`observer.geo.city_name`*:: +*`package.build_version`*:: + -- -City name. +Additional information about the build version of the installed package. +For example use the commit SHA of a non-released package. type: keyword -example: Montreal +example: 36f4f7e89dd61b0988b12ee000b98966867710cd -- -*`observer.geo.continent_name`*:: +*`package.checksum`*:: + -- -Name of the continent. +Checksum of the installed package for verification. type: keyword -example: North America +example: 68b329da9893e34099c7d8ad5cb9c940 -- -*`observer.geo.country_iso_code`*:: +*`package.description`*:: + -- -Country ISO code. +Description of the package. type: keyword -example: CA +example: Open source programming language to build simple/reliable/efficient software. -- -*`observer.geo.country_name`*:: +*`package.install_scope`*:: + -- -Country name. +Indicating how the package was installed, e.g. user-local, global. type: keyword -example: Canada +example: global -- -*`observer.geo.location`*:: +*`package.installed`*:: + -- -Longitude and latitude. - -type: geo_point +Time when package was installed. -example: { "lon": -73.614830, "lat": 45.505918 } +type: date -- -*`observer.geo.name`*:: +*`package.license`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +License under which the package was released. +Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). type: keyword -example: boston-dc +example: Apache License 2.0 -- -*`observer.geo.region_iso_code`*:: +*`package.name`*:: + -- -Region ISO code. +Package name type: keyword -example: CA-QC +example: go -- -*`observer.geo.region_name`*:: +*`package.path`*:: + -- -Region name. +Path where the package is installed. type: keyword -example: Quebec +example: /usr/local/Cellar/go/1.12.9/ -- -*`observer.hostname`*:: +*`package.reference`*:: + -- -Hostname of the observer. +Home page or reference URL of the software in this package, if available. type: keyword +example: https://golang.org + -- -*`observer.ingress`*:: +*`package.size`*:: + -- -Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. +Package size in bytes. -type: object +type: long + +example: 62231 + +format: string -- -*`observer.ingress.interface.alias`*:: +*`package.type`*:: + -- -Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. +Type of package. +This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. type: keyword -example: outside +example: rpm -- -*`observer.ingress.interface.id`*:: +*`package.version`*:: + -- -Interface ID as reported by an observer (typically SNMP interface ID). +Package version type: keyword -example: 10 - --- +example: 1.12.9 -*`observer.ingress.interface.name`*:: -+ -- -Interface name as reported by the system. -type: keyword +[float] +=== pe -example: eth0 +These fields contain Windows Portable Executable (PE) metadata. --- -*`observer.ingress.vlan.id`*:: +*`pe.architecture`*:: + -- -VLAN ID as reported by the observer. +CPU architecture target for the file. type: keyword -example: 10 +example: x64 -- -*`observer.ingress.vlan.name`*:: +*`pe.company`*:: + -- -Optional VLAN name as reported by the observer. +Internal company name of the file, provided at compile-time. type: keyword -example: outside +example: Microsoft Corporation -- -*`observer.ingress.zone`*:: +*`pe.description`*:: + -- -Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. +Internal description of the file, provided at compile-time. type: keyword -example: DMZ +example: Paint -- -*`observer.ip`*:: +*`pe.file_version`*:: + -- -IP addresses of the observer. +Internal version of the file, provided at compile-time. -type: ip +type: keyword + +example: 6.3.9600.17415 -- -*`observer.mac`*:: +*`pe.imphash`*:: + -- -MAC addresses of the observer +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`observer.name`*:: +*`pe.original_file_name`*:: + -- -Custom name of the observer. -This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. -If no custom name is needed, the field can be left empty. +Internal name of the file, provided at compile-time. type: keyword -example: 1_proxySG +example: MSPAINT.EXE -- -*`observer.os.family`*:: +*`pe.product`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +Internal product name of the file, provided at compile-time. type: keyword -example: debian +example: Microsoft® Windows® Operating System -- -*`observer.os.full`*:: +[float] +=== process + +These fields contain information about a process. +These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. + + +*`process.args`*:: + -- -Operating system name, including the version or code name. +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. type: keyword -example: Mac OS Mojave +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- -*`observer.os.full.text`*:: +*`process.args_count`*:: + -- -type: text +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + +type: long + +example: 4 -- -*`observer.os.kernel`*:: +*`process.code_signature.exists`*:: + -- -Operating system kernel version as a raw string. +Boolean to capture if a signature is present. -type: keyword +type: boolean -example: 4.4.0-112-generic +example: true -- -*`observer.os.name`*:: +*`process.code_signature.status`*:: + -- -Operating system name, without the version. +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword -example: Mac OS X +example: ERROR_UNTRUSTED_ROOT -- -*`observer.os.name.text`*:: +*`process.code_signature.subject_name`*:: + -- -type: text +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation -- -*`observer.os.platform`*:: +*`process.code_signature.trusted`*:: + -- -Operating system platform (such centos, ubuntu, windows). +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: keyword +type: boolean -example: darwin +example: true -- -*`observer.os.version`*:: +*`process.code_signature.valid`*:: + -- -Operating system version as a raw string. +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -type: keyword +type: boolean -example: 10.14.1 +example: true -- -*`observer.product`*:: +*`process.command_line`*:: + -- -The product name of the observer. +Full command line that started the process, including the absolute path to the executable, and all arguments. +Some arguments may be filtered to protect sensitive information. type: keyword -example: s200 +example: /usr/bin/ssh -l user 10.0.0.16 -- -*`observer.serial_number`*:: +*`process.command_line.text`*:: + -- -Observer serial number. - -type: keyword +type: text -- -*`observer.type`*:: +*`process.entity_id`*:: + -- -The type of the observer the data is coming from. -There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. type: keyword -example: firewall +example: c2c455d9f99375d -- -*`observer.vendor`*:: +*`process.executable`*:: + -- -Vendor name of the observer. +Absolute path to the process executable. type: keyword -example: Symantec +example: /usr/bin/ssh -- -*`observer.version`*:: +*`process.executable.text`*:: + -- -Observer version. +type: text -type: keyword +-- +*`process.exit_code`*:: ++ -- +The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). -[float] -=== organization +type: long -The organization fields enrich data with information about the company or entity the data is associated with. -These fields help you arrange or filter data stored in an index by one or multiple organizations. +example: 137 +-- -*`organization.id`*:: +*`process.hash.md5`*:: + -- -Unique identifier for the organization. +MD5 hash. type: keyword -- -*`organization.name`*:: +*`process.hash.sha1`*:: + -- -Organization name. +SHA1 hash. type: keyword -- -*`organization.name.text`*:: +*`process.hash.sha256`*:: + -- -type: text - --- - -[float] -=== os +SHA256 hash. -The OS fields contain information about the operating system. +type: keyword +-- -*`os.family`*:: +*`process.hash.sha512`*:: + -- -OS family (such as redhat, debian, freebsd, windows). +SHA512 hash. type: keyword -example: debian - -- -*`os.full`*:: +*`process.name`*:: + -- -Operating system name, including the version or code name. +Process name. +Sometimes called program name or similar. type: keyword -example: Mac OS Mojave +example: ssh -- -*`os.full.text`*:: +*`process.name.text`*:: + -- type: text -- -*`os.kernel`*:: +*`process.parent.args`*:: + -- -Operating system kernel version as a raw string. +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. type: keyword -example: 4.4.0-112-generic +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- -*`os.name`*:: +*`process.parent.args_count`*:: + -- -Operating system name, without the version. +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. -type: keyword +type: long -example: Mac OS X +example: 4 -- -*`os.name.text`*:: +*`process.parent.code_signature.exists`*:: + -- -type: text +Boolean to capture if a signature is present. + +type: boolean + +example: true -- -*`os.platform`*:: +*`process.parent.code_signature.status`*:: + -- -Operating system platform (such centos, ubuntu, windows). +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword -example: darwin +example: ERROR_UNTRUSTED_ROOT -- -*`os.version`*:: +*`process.parent.code_signature.subject_name`*:: + -- -Operating system version as a raw string. +Subject name of the code signer type: keyword -example: 10.14.1 +example: Microsoft Corporation -- -[float] -=== package +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -These fields contain information about an installed software package. It contains general information about a package, such as name, version or size. It also contains installation details, such as time or location. +type: boolean +example: true -*`package.architecture`*:: +-- + +*`process.parent.code_signature.valid`*:: + -- -Package architecture. +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -type: keyword +type: boolean -example: x86_64 +example: true -- -*`package.build_version`*:: +*`process.parent.command_line`*:: + -- -Additional information about the build version of the installed package. -For example use the commit SHA of a non-released package. +Full command line that started the process, including the absolute path to the executable, and all arguments. +Some arguments may be filtered to protect sensitive information. type: keyword -example: 36f4f7e89dd61b0988b12ee000b98966867710cd +example: /usr/bin/ssh -l user 10.0.0.16 -- -*`package.checksum`*:: +*`process.parent.command_line.text`*:: + -- -Checksum of the installed package for verification. - -type: keyword - -example: 68b329da9893e34099c7d8ad5cb9c940 +type: text -- -*`package.description`*:: +*`process.parent.entity_id`*:: + -- -Description of the package. +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. type: keyword -example: Open source programming language to build simple/reliable/efficient software. +example: c2c455d9f99375d -- -*`package.install_scope`*:: +*`process.parent.executable`*:: + -- -Indicating how the package was installed, e.g. user-local, global. +Absolute path to the process executable. type: keyword -example: global +example: /usr/bin/ssh -- -*`package.installed`*:: +*`process.parent.executable.text`*:: + -- -Time when package was installed. - -type: date +type: text -- -*`package.license`*:: +*`process.parent.exit_code`*:: + -- -License under which the package was released. -Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). +The exit code of the process, if this is a termination event. +The field should be absent if there is no exit code for the event (e.g. process start). -type: keyword +type: long -example: Apache License 2.0 +example: 137 -- -*`package.name`*:: +*`process.parent.hash.md5`*:: + -- -Package name +MD5 hash. type: keyword -example: go - -- -*`package.path`*:: +*`process.parent.hash.sha1`*:: + -- -Path where the package is installed. +SHA1 hash. type: keyword -example: /usr/local/Cellar/go/1.12.9/ - -- -*`package.reference`*:: +*`process.parent.hash.sha256`*:: + -- -Home page or reference URL of the software in this package, if available. +SHA256 hash. type: keyword -example: https://golang.org - -- -*`package.size`*:: +*`process.parent.hash.sha512`*:: + -- -Package size in bytes. - -type: long - -example: 62231 +SHA512 hash. -format: string +type: keyword -- -*`package.type`*:: +*`process.parent.name`*:: + -- -Type of package. -This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. +Process name. +Sometimes called program name or similar. type: keyword -example: rpm +example: ssh + +-- + +*`process.parent.name.text`*:: ++ +-- +type: text -- -*`package.version`*:: +*`process.parent.pe.architecture`*:: + -- -Package version +CPU architecture target for the file. type: keyword -example: 1.12.9 +example: x64 -- -[float] -=== pe - -These fields contain Windows Portable Executable (PE) metadata. - - -*`pe.company`*:: +*`process.parent.pe.company`*:: + -- Internal company name of the file, provided at compile-time. @@ -6148,7 +7054,7 @@ example: Microsoft Corporation -- -*`pe.description`*:: +*`process.parent.pe.description`*:: + -- Internal description of the file, provided at compile-time. @@ -6159,7 +7065,7 @@ example: Paint -- -*`pe.file_version`*:: +*`process.parent.pe.file_version`*:: + -- Internal version of the file, provided at compile-time. @@ -6170,7 +7076,19 @@ example: 6.3.9600.17415 -- -*`pe.original_file_name`*:: +*`process.parent.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.parent.pe.original_file_name`*:: + -- Internal name of the file, provided at compile-time. @@ -6181,7 +7099,7 @@ example: MSPAINT.EXE -- -*`pe.product`*:: +*`process.parent.pe.product`*:: + -- Internal product name of the file, provided at compile-time. @@ -6192,959 +7110,1036 @@ example: Microsoft® Windows® Operating System -- -[float] -=== process +*`process.parent.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. -These fields contain information about a process. -These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. +type: long +format: string -*`process.args`*:: +-- + +*`process.parent.pid`*:: + -- -Array of process arguments, starting with the absolute path to the executable. -May be filtered to protect sensitive information. +Process id. -type: keyword +type: long -example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] +example: 4242 + +format: string -- -*`process.args_count`*:: +*`process.parent.ppid`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. +Parent process' pid. type: long -example: 4 +example: 4241 + +format: string -- -*`process.code_signature.exists`*:: +*`process.parent.start`*:: + -- -Boolean to capture if a signature is present. +The time the process started. -type: boolean +type: date -example: true +example: 2016-05-23T08:05:34.853Z -- -*`process.code_signature.status`*:: +*`process.parent.thread.id`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +Thread ID. -type: keyword +type: long -example: ERROR_UNTRUSTED_ROOT +example: 4242 + +format: string -- -*`process.code_signature.subject_name`*:: +*`process.parent.thread.name`*:: + -- -Subject name of the code signer +Thread name. type: keyword -example: Microsoft Corporation +example: thread-0 -- -*`process.code_signature.trusted`*:: +*`process.parent.title`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: boolean +type: keyword -example: true +-- + +*`process.parent.title.text`*:: ++ +-- +type: text -- -*`process.code_signature.valid`*:: +*`process.parent.uptime`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +Seconds the process has been up. -type: boolean +type: long -example: true +example: 1325 -- -*`process.command_line`*:: +*`process.parent.working_directory`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. -Some arguments may be filtered to protect sensitive information. +The working directory of the process. type: keyword -example: /usr/bin/ssh -l user 10.0.0.16 +example: /home/alice -- -*`process.command_line.text`*:: +*`process.parent.working_directory.text`*:: + -- type: text -- -*`process.entity_id`*:: +*`process.pe.architecture`*:: + -- -Unique identifier for the process. -The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. -Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. +CPU architecture target for the file. type: keyword -example: c2c455d9f99375d +example: x64 -- -*`process.executable`*:: +*`process.pe.company`*:: + -- -Absolute path to the process executable. +Internal company name of the file, provided at compile-time. type: keyword -example: /usr/bin/ssh +example: Microsoft Corporation -- -*`process.executable.text`*:: +*`process.pe.description`*:: + -- -type: text +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint -- -*`process.exit_code`*:: +*`process.pe.file_version`*:: + -- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. process start). +Internal version of the file, provided at compile-time. -type: long +type: keyword -example: 137 +example: 6.3.9600.17415 -- -*`process.hash.md5`*:: +*`process.pe.imphash`*:: + -- -MD5 hash. +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. type: keyword +example: 0c6803c4e922103c4dca5963aad36ddf + -- -*`process.hash.sha1`*:: +*`process.pe.original_file_name`*:: + -- -SHA1 hash. +Internal name of the file, provided at compile-time. type: keyword +example: MSPAINT.EXE + -- -*`process.hash.sha256`*:: +*`process.pe.product`*:: + -- -SHA256 hash. +Internal product name of the file, provided at compile-time. type: keyword +example: Microsoft® Windows® Operating System + -- -*`process.hash.sha512`*:: +*`process.pgid`*:: + -- -SHA512 hash. +Identifier of the group of processes the process belongs to. -type: keyword +type: long + +format: string -- -*`process.name`*:: +*`process.pid`*:: + -- -Process name. -Sometimes called program name or similar. +Process id. -type: keyword +type: long -example: ssh +example: 4242 + +format: string -- -*`process.name.text`*:: +*`process.ppid`*:: + -- -type: text +Parent process' pid. + +type: long + +example: 4241 + +format: string -- -*`process.parent.args`*:: +*`process.start`*:: + -- -Array of process arguments. -May be filtered to protect sensitive information. +The time the process started. -type: keyword +type: date -example: ['ssh', '-l', 'user', '10.0.0.16'] +example: 2016-05-23T08:05:34.853Z -- -*`process.parent.args_count`*:: +*`process.thread.id`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. +Thread ID. type: long -example: 4 +example: 4242 + +format: string -- -*`process.parent.code_signature.exists`*:: +*`process.thread.name`*:: + -- -Boolean to capture if a signature is present. +Thread name. -type: boolean +type: keyword -example: true +example: thread-0 -- -*`process.parent.code_signature.status`*:: +*`process.title`*:: + -- -Additional information about the certificate status. -This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. +Process title. +The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. + +type: keyword + +-- + +*`process.title.text`*:: ++ +-- +type: text + +-- + +*`process.uptime`*:: ++ +-- +Seconds the process has been up. + +type: long + +example: 1325 + +-- + +*`process.working_directory`*:: ++ +-- +The working directory of the process. type: keyword -example: ERROR_UNTRUSTED_ROOT +example: /home/alice + +-- + +*`process.working_directory.text`*:: ++ +-- +type: text + +-- + +[float] +=== registry + +Fields related to Windows Registry operations. --- -*`process.parent.code_signature.subject_name`*:: +*`registry.data.bytes`*:: + -- -Subject name of the code signer +Original bytes written with base64 encoding. +For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. type: keyword -example: Microsoft Corporation +example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= -- -*`process.parent.code_signature.trusted`*:: +*`registry.data.strings`*:: + -- -Stores the trust status of the certificate chain. -Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. +Content when writing string types. +Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: boolean +type: keyword -example: true +example: ["C:\rta\red_ttp\bin\myapp.exe"] -- -*`process.parent.code_signature.valid`*:: +*`registry.data.type`*:: + -- -Boolean to capture if the digital signature is verified against the binary content. -Leave unpopulated if a certificate was unchecked. +Standard registry type for encoding contents -type: boolean +type: keyword -example: true +example: REG_SZ -- -*`process.parent.command_line`*:: +*`registry.hive`*:: + -- -Full command line that started the process, including the absolute path to the executable, and all arguments. -Some arguments may be filtered to protect sensitive information. +Abbreviated name for the hive. type: keyword -example: /usr/bin/ssh -l user 10.0.0.16 +example: HKLM -- -*`process.parent.command_line.text`*:: +*`registry.key`*:: + -- -type: text +Hive-relative path of keys. + +type: keyword + +example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe -- -*`process.parent.entity_id`*:: +*`registry.path`*:: + -- -Unique identifier for the process. -The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. -Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. +Full path, including hive, key and value type: keyword -example: c2c455d9f99375d +example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger -- -*`process.parent.executable`*:: +*`registry.value`*:: + -- -Absolute path to the process executable. +Name of the value written. type: keyword -example: /usr/bin/ssh +example: Debugger -- -*`process.parent.executable.text`*:: -+ --- -type: text +[float] +=== related --- +This field set is meant to facilitate pivoting around a piece of data. +Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. -*`process.parent.exit_code`*:: + +*`related.hash`*:: + -- -The exit code of the process, if this is a termination event. -The field should be absent if there is no exit code for the event (e.g. process start). - -type: long +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). -example: 137 +type: keyword -- -*`process.parent.hash.md5`*:: +*`related.hosts`*:: + -- -MD5 hash. +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. type: keyword -- -*`process.parent.hash.sha1`*:: +*`related.ip`*:: + -- -SHA1 hash. +All of the IPs seen on your event. -type: keyword +type: ip -- -*`process.parent.hash.sha256`*:: +*`related.user`*:: + -- -SHA256 hash. +All the user names seen on your event. type: keyword -- -*`process.parent.hash.sha512`*:: +[float] +=== rule + +Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. +Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. + + +*`rule.author`*:: + -- -SHA512 hash. +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. type: keyword +example: ['Star-Lord'] + -- -*`process.parent.name`*:: +*`rule.category`*:: + -- -Process name. -Sometimes called program name or similar. +A categorization value keyword used by the entity using the rule for detection of this event. type: keyword -example: ssh +example: Attempted Information Leak -- -*`process.parent.name.text`*:: +*`rule.description`*:: + -- -type: text +The description of the rule generating the event. + +type: keyword + +example: Block requests to public DNS over HTTPS / TLS protocols -- -*`process.parent.pgid`*:: +*`rule.id`*:: + -- -Identifier of the group of processes the process belongs to. +A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. -type: long +type: keyword -format: string +example: 101 -- -*`process.parent.pid`*:: +*`rule.license`*:: + -- -Process id. - -type: long +Name of the license under which the rule used to generate this event is made available. -example: 4242 +type: keyword -format: string +example: Apache 2.0 -- -*`process.parent.ppid`*:: +*`rule.name`*:: + -- -Parent process' pid. - -type: long +The name of the rule or signature generating the event. -example: 4241 +type: keyword -format: string +example: BLOCK_DNS_over_TLS -- -*`process.parent.start`*:: +*`rule.reference`*:: + -- -The time the process started. +Reference URL to additional information about the rule used to generate this event. +The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. -type: date +type: keyword -example: 2016-05-23T08:05:34.853Z +example: https://en.wikipedia.org/wiki/DNS_over_TLS -- -*`process.parent.thread.id`*:: +*`rule.ruleset`*:: + -- -Thread ID. - -type: long +Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. -example: 4242 +type: keyword -format: string +example: Standard_Protocol_Filters -- -*`process.parent.thread.name`*:: +*`rule.uuid`*:: + -- -Thread name. +A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. type: keyword -example: thread-0 +example: 1100110011 -- -*`process.parent.title`*:: +*`rule.version`*:: + -- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +The version / revision of the rule being used for analysis. type: keyword +example: 1.1 + -- -*`process.parent.title.text`*:: +[float] +=== server + +A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. +For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. + + +*`server.address`*:: + -- -type: text +Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + +type: keyword -- -*`process.parent.uptime`*:: +*`server.as.number`*:: + -- -Seconds the process has been up. +Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. type: long -example: 1325 +example: 15169 -- -*`process.parent.working_directory`*:: +*`server.as.organization.name`*:: + -- -The working directory of the process. +Organization name. type: keyword -example: /home/alice +example: Google LLC -- -*`process.parent.working_directory.text`*:: +*`server.as.organization.name.text`*:: + -- type: text -- -*`process.pe.company`*:: +*`server.bytes`*:: + -- -Internal company name of the file, provided at compile-time. +Bytes sent from the server to the client. -type: keyword +type: long -example: Microsoft Corporation +example: 184 + +format: bytes -- -*`process.pe.description`*:: +*`server.domain`*:: + -- -Internal description of the file, provided at compile-time. +Server domain. type: keyword -example: Paint - -- -*`process.pe.file_version`*:: +*`server.geo.city_name`*:: + -- -Internal version of the file, provided at compile-time. +City name. type: keyword -example: 6.3.9600.17415 +example: Montreal -- -*`process.pe.original_file_name`*:: +*`server.geo.continent_name`*:: + -- -Internal name of the file, provided at compile-time. +Name of the continent. type: keyword -example: MSPAINT.EXE +example: North America -- -*`process.pe.product`*:: +*`server.geo.country_iso_code`*:: + -- -Internal product name of the file, provided at compile-time. +Country ISO code. type: keyword -example: Microsoft® Windows® Operating System +example: CA -- -*`process.pgid`*:: +*`server.geo.country_name`*:: + -- -Identifier of the group of processes the process belongs to. +Country name. -type: long +type: keyword -format: string +example: Canada -- -*`process.pid`*:: +*`server.geo.location`*:: + -- -Process id. - -type: long +Longitude and latitude. -example: 4242 +type: geo_point -format: string +example: { "lon": -73.614830, "lat": 45.505918 } -- -*`process.ppid`*:: +*`server.geo.name`*:: + -- -Parent process' pid. - -type: long +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. -example: 4241 +type: keyword -format: string +example: boston-dc -- -*`process.start`*:: +*`server.geo.region_iso_code`*:: + -- -The time the process started. +Region ISO code. -type: date +type: keyword -example: 2016-05-23T08:05:34.853Z +example: CA-QC -- -*`process.thread.id`*:: +*`server.geo.region_name`*:: + -- -Thread ID. - -type: long +Region name. -example: 4242 +type: keyword -format: string +example: Quebec -- -*`process.thread.name`*:: +*`server.ip`*:: + -- -Thread name. +IP address of the server (IPv4 or IPv6). -type: keyword - -example: thread-0 +type: ip -- -*`process.title`*:: +*`server.mac`*:: + -- -Process title. -The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +MAC address of the server. type: keyword -- -*`process.title.text`*:: +*`server.nat.ip`*:: + -- -type: text +Translated ip of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. + +type: ip -- -*`process.uptime`*:: +*`server.nat.port`*:: + -- -Seconds the process has been up. +Translated port of destination based NAT sessions (e.g. internet to private DMZ) +Typically used with load balancers, firewalls, or routers. type: long -example: 1325 +format: string -- -*`process.working_directory`*:: +*`server.packets`*:: + -- -The working directory of the process. +Packets sent from the server to the client. -type: keyword +type: long -example: /home/alice +example: 12 -- -*`process.working_directory.text`*:: +*`server.port`*:: + -- -type: text - --- +Port of the server. -[float] -=== registry +type: long -Fields related to Windows Registry operations. +format: string +-- -*`registry.data.bytes`*:: +*`server.registered_domain`*:: + -- -Original bytes written with base64 encoding. -For Windows registry operations, such as SetValueEx and RegQueryValueEx, this corresponds to the data pointed by `lp_data`. This is optional but provides better recoverability and should be populated for REG_BINARY encoded values. +The highest registered server domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= +example: example.com -- -*`registry.data.strings`*:: +*`server.top_level_domain`*:: + -- -Content when writing string types. -Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". +This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword -example: ["C:\rta\red_ttp\bin\myapp.exe"] +example: co.uk -- -*`registry.data.type`*:: +*`server.user.domain`*:: + -- -Standard registry type for encoding contents +Name of the directory the user is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -example: REG_SZ - -- -*`registry.hive`*:: +*`server.user.email`*:: + -- -Abbreviated name for the hive. +User email address. type: keyword -example: HKLM - -- -*`registry.key`*:: +*`server.user.full_name`*:: + -- -Hive-relative path of keys. +User's full name, if available. type: keyword -example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe +example: Albert Einstein -- -*`registry.path`*:: +*`server.user.full_name.text`*:: + -- -Full path, including hive, key and value - -type: keyword - -example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger +type: text -- -*`registry.value`*:: +*`server.user.group.domain`*:: + -- -Name of the value written. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -example: Debugger - -- -[float] -=== related - -This field set is meant to facilitate pivoting around a piece of data. -Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. - - -*`related.hash`*:: +*`server.user.group.id`*:: + -- -All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). +Unique identifier for the group on the system/platform. type: keyword -- -*`related.ip`*:: +*`server.user.group.name`*:: + -- -All of the IPs seen on your event. +Name of the group. -type: ip +type: keyword -- -*`related.user`*:: +*`server.user.hash`*:: + -- -All the user names seen on your event. +Unique user hash to correlate information for a user in anonymized form. +Useful if `user.id` or `user.name` contain confidential information and cannot be used. type: keyword -- -[float] -=== rule +*`server.user.id`*:: ++ +-- +Unique identifier of the user. -Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. -Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +type: keyword +-- -*`rule.author`*:: +*`server.user.name`*:: + -- -Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. +Short name or login of the user. type: keyword -example: ['Star-Lord'] +example: albert -- -*`rule.category`*:: +*`server.user.name.text`*:: + -- -A categorization value keyword used by the entity using the rule for detection of this event. - -type: keyword - -example: Attempted Information Leak +type: text -- -*`rule.description`*:: +*`server.user.roles`*:: + -- -The description of the rule generating the event. +Array of user roles at the time of the event. type: keyword -example: Block requests to public DNS over HTTPS / TLS protocols +example: ["kibana_admin", "reporting_user"] -- -*`rule.id`*:: +[float] +=== service + +The service fields describe the service for or from which the data was collected. +These fields help you find and correlate logs for a specific service and version. + + +*`service.ephemeral_id`*:: + -- -A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. +Ephemeral identifier of this service (if one exists). +This id normally changes across restarts, but `service.id` does not. type: keyword -example: 101 +example: 8a4f500f -- -*`rule.license`*:: +*`service.id`*:: + -- -Name of the license under which the rule used to generate this event is made available. +Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. +This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. +Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. type: keyword -example: Apache 2.0 +example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 -- -*`rule.name`*:: +*`service.name`*:: + -- -The name of the rule or signature generating the event. +Name of the service data is collected from. +The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. +In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. type: keyword -example: BLOCK_DNS_over_TLS +example: elasticsearch-metrics -- -*`rule.reference`*:: +*`service.node.name`*:: + -- -Reference URL to additional information about the rule used to generate this event. -The URL can point to the vendor's documentation about the rule. If that's not available, it can also be a link to a more general page describing this type of alert. +Name of a service node. +This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. +In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. type: keyword -example: https://en.wikipedia.org/wiki/DNS_over_TLS +example: instance-0000000016 -- -*`rule.ruleset`*:: +*`service.state`*:: + -- -Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. +Current state of the service. type: keyword -example: Standard_Protocol_Filters - -- -*`rule.uuid`*:: +*`service.type`*:: + -- -A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. +The type of the service data is collected from. +The type can be used to group and correlate logs and metrics from one service type. +Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. type: keyword -example: 1100110011 +example: elasticsearch -- -*`rule.version`*:: +*`service.version`*:: + -- -The version / revision of the rule being used for analysis. +Version of the service the data was collected from. +This allows to look at a data set only for a specific version of a service. type: keyword -example: 1.1 +example: 3.2.4 -- [float] -=== server +=== source -A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. -For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. -Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +Source fields describe details about the source of a packet/event. +Source fields are usually populated in conjunction with destination fields. -*`server.address`*:: +*`source.address`*:: + -- -Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. type: keyword -- -*`server.as.number`*:: +*`source.as.number`*:: + -- Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. @@ -7155,7 +8150,7 @@ example: 15169 -- -*`server.as.organization.name`*:: +*`source.as.organization.name`*:: + -- Organization name. @@ -7166,17 +8161,17 @@ example: Google LLC -- -*`server.as.organization.name.text`*:: +*`source.as.organization.name.text`*:: + -- type: text -- -*`server.bytes`*:: +*`source.bytes`*:: + -- -Bytes sent from the server to the client. +Bytes sent from the source to the destination. type: long @@ -7186,16 +8181,16 @@ format: bytes -- -*`server.domain`*:: +*`source.domain`*:: + -- -Server domain. +Source domain. type: keyword -- -*`server.geo.city_name`*:: +*`source.geo.city_name`*:: + -- City name. @@ -7206,7 +8201,7 @@ example: Montreal -- -*`server.geo.continent_name`*:: +*`source.geo.continent_name`*:: + -- Name of the continent. @@ -7217,7 +8212,7 @@ example: North America -- -*`server.geo.country_iso_code`*:: +*`source.geo.country_iso_code`*:: + -- Country ISO code. @@ -7228,7 +8223,7 @@ example: CA -- -*`server.geo.country_name`*:: +*`source.geo.country_name`*:: + -- Country name. @@ -7239,7 +8234,7 @@ example: Canada -- -*`server.geo.location`*:: +*`source.geo.location`*:: + -- Longitude and latitude. @@ -7250,7 +8245,7 @@ example: { "lon": -73.614830, "lat": 45.505918 } -- -*`server.geo.name`*:: +*`source.geo.name`*:: + -- User-defined description of a location, at the level of granularity they care about. @@ -7263,7 +8258,7 @@ example: boston-dc -- -*`server.geo.region_iso_code`*:: +*`source.geo.region_iso_code`*:: + -- Region ISO code. @@ -7274,7 +8269,7 @@ example: CA-QC -- -*`server.geo.region_name`*:: +*`source.geo.region_name`*:: + -- Region name. @@ -7285,39 +8280,38 @@ example: Quebec -- -*`server.ip`*:: +*`source.ip`*:: + -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the source (IPv4 or IPv6). type: ip -- -*`server.mac`*:: +*`source.mac`*:: + -- -MAC address of the server. +MAC address of the source. type: keyword -- -*`server.nat.ip`*:: +*`source.nat.ip`*:: + -- -Translated ip of destination based NAT sessions (e.g. internet to private DMZ) -Typically used with load balancers, firewalls, or routers. +Translated ip of source based NAT sessions (e.g. internal client to internet) +Typically connections traversing load balancers, firewalls, or routers. type: ip -- -*`server.nat.port`*:: +*`source.nat.port`*:: + -- -Translated port of destination based NAT sessions (e.g. internet to private DMZ) +Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. type: long @@ -7326,10 +8320,10 @@ format: string -- -*`server.packets`*:: +*`source.packets`*:: + -- -Packets sent from the server to the client. +Packets sent from the source to the destination. type: long @@ -7337,10 +8331,10 @@ example: 12 -- -*`server.port`*:: +*`source.port`*:: + -- -Port of the server. +Port of the source. type: long @@ -7348,23 +8342,23 @@ format: string -- -*`server.registered_domain`*:: +*`source.registered_domain`*:: + -- -The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +The highest registered source domain, stripped of the subdomain. +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- -*`server.top_level_domain`*:: +*`source.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -7373,7 +8367,7 @@ example: co.uk -- -*`server.user.domain`*:: +*`source.user.domain`*:: + -- Name of the directory the user is a member of. @@ -7383,7 +8377,7 @@ type: keyword -- -*`server.user.email`*:: +*`source.user.email`*:: + -- User email address. @@ -7392,7 +8386,7 @@ type: keyword -- -*`server.user.full_name`*:: +*`source.user.full_name`*:: + -- User's full name, if available. @@ -7403,14 +8397,14 @@ example: Albert Einstein -- -*`server.user.full_name.text`*:: +*`source.user.full_name.text`*:: + -- type: text -- -*`server.user.group.domain`*:: +*`source.user.group.domain`*:: + -- Name of the directory the group is a member of. @@ -7420,7 +8414,7 @@ type: keyword -- -*`server.user.group.id`*:: +*`source.user.group.id`*:: + -- Unique identifier for the group on the system/platform. @@ -7429,7 +8423,7 @@ type: keyword -- -*`server.user.group.name`*:: +*`source.user.group.name`*:: + -- Name of the group. @@ -7438,7 +8432,7 @@ type: keyword -- -*`server.user.hash`*:: +*`source.user.hash`*:: + -- Unique user hash to correlate information for a user in anonymized form. @@ -7448,16 +8442,16 @@ type: keyword -- -*`server.user.id`*:: +*`source.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword -- -*`server.user.name`*:: +*`source.user.name`*:: + -- Short name or login of the user. @@ -7468,840 +8462,939 @@ example: albert -- -*`server.user.name.text`*:: +*`source.user.name.text`*:: + -- type: text -- +*`source.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] -=== service +=== threat -The service fields describe the service for or from which the data was collected. -These fields help you find and correlate logs for a specific service and version. +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. +These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). -*`service.ephemeral_id`*:: +*`threat.framework`*:: + -- -Ephemeral identifier of this service (if one exists). -This id normally changes across restarts, but `service.id` does not. +Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. type: keyword -example: 8a4f500f +example: MITRE ATT&CK -- -*`service.id`*:: +*`threat.tactic.id`*:: + -- -Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes. -This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event. -Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead. +The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword -example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 +example: TA0040 -- -*`service.name`*:: +*`threat.tactic.name`*:: + -- -Name of the service data is collected from. -The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. -In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/) type: keyword -example: elasticsearch-metrics +example: impact -- -*`service.node.name`*:: +*`threat.tactic.reference`*:: + -- -Name of a service node. -This allows for two nodes of the same service running on the same host to be differentiated. Therefore, `service.node.name` should typically be unique across nodes of a given service. -In the case of Elasticsearch, the `service.node.name` could contain the unique node name within the Elasticsearch cluster. In cases where the service doesn't have the concept of a node name, the host name or container name can be used to distinguish running instances that make up this service. If those do not provide uniqueness (e.g. multiple instances of the service running on the same host) - the node name can be manually set. +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword -example: instance-0000000016 +example: https://attack.mitre.org/tactics/TA0040/ -- -*`service.state`*:: +*`threat.technique.id`*:: + -- -Current state of the service. +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword +example: T1499 + -- -*`service.type`*:: +*`threat.technique.name`*:: + -- -The type of the service data is collected from. -The type can be used to group and correlate logs and metrics from one service type. -Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword -example: elasticsearch +example: Endpoint Denial of Service -- -*`service.version`*:: +*`threat.technique.name.text`*:: + -- -Version of the service the data was collected from. -This allows to look at a data set only for a specific version of a service. +type: text + +-- + +*`threat.technique.reference`*:: ++ +-- +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) type: keyword -example: 3.2.4 +example: https://attack.mitre.org/techniques/T1499/ -- [float] -=== source +=== tls -Source fields describe details about the source of a packet/event. -Source fields are usually populated in conjunction with destination fields. +Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. -*`source.address`*:: +*`tls.cipher`*:: + -- -Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +String indicating the cipher used during the current connection. type: keyword +example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + -- -*`source.as.number`*:: +*`tls.client.certificate`*:: + -- -Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. +PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. -type: long +type: keyword -example: 15169 +example: MII... -- -*`source.as.organization.name`*:: +*`tls.client.certificate_chain`*:: + -- -Organization name. +Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. type: keyword -example: Google LLC +example: ['MII...', 'MII...'] -- -*`source.as.organization.name.text`*:: +*`tls.client.hash.md5`*:: + -- -type: text +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + +-- + +*`tls.client.hash.sha1`*:: ++ +-- +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 9E393D93138888D288266C2D915214D1D1CCEB2A + +-- + +*`tls.client.hash.sha256`*:: ++ +-- +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + +-- + +*`tls.client.issuer`*:: ++ +-- +Distinguished name of subject of the issuer of the x.509 certificate presented by the client. + +type: keyword + +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.client.ja3`*:: ++ +-- +A hash that identifies clients based on how they perform an SSL/TLS handshake. + +type: keyword + +example: d4e5b18d6b55c71272893221c96ba240 + +-- + +*`tls.client.not_after`*:: ++ +-- +Date/Time indicating when client certificate is no longer considered valid. + +type: date + +example: 2021-01-01T00:00:00.000Z + +-- + +*`tls.client.not_before`*:: ++ +-- +Date/Time indicating when client certificate is first considered valid. + +type: date + +example: 1970-01-01T00:00:00.000Z + +-- + +*`tls.client.server_name`*:: ++ +-- +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. + +type: keyword + +example: www.elastic.co + +-- + +*`tls.client.subject`*:: ++ +-- +Distinguished name of subject of the x.509 certificate presented by the client. + +type: keyword + +example: CN=myclient, OU=Documentation Team, DC=example, DC=com -- -*`source.bytes`*:: +*`tls.client.supported_ciphers`*:: + -- -Bytes sent from the source to the destination. - -type: long +Array of ciphers offered by the client during the client hello. -example: 184 +type: keyword -format: bytes +example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...'] -- -*`source.domain`*:: +*`tls.client.x509.alternative_names`*:: + -- -Source domain. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword +example: *.elastic.co + -- -*`source.geo.city_name`*:: +*`tls.client.x509.issuer.common_name`*:: + -- -City name. +List of common name (CN) of issuing certificate authority. type: keyword -example: Montreal +example: Example SHA2 High Assurance Server CA -- -*`source.geo.continent_name`*:: +*`tls.client.x509.issuer.country`*:: + -- -Name of the continent. +List of country (C) codes type: keyword -example: North America +example: US -- -*`source.geo.country_iso_code`*:: +*`tls.client.x509.issuer.distinguished_name`*:: + -- -Country ISO code. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: CA +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`source.geo.country_name`*:: +*`tls.client.x509.issuer.locality`*:: + -- -Country name. +List of locality names (L) type: keyword -example: Canada +example: Mountain View -- -*`source.geo.location`*:: +*`tls.client.x509.issuer.organization`*:: + -- -Longitude and latitude. +List of organizations (O) of issuing certificate authority. -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Example Inc -- -*`source.geo.name`*:: +*`tls.client.x509.issuer.organizational_unit`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: boston-dc +example: www.example.com -- -*`source.geo.region_iso_code`*:: +*`tls.client.x509.issuer.state_or_province`*:: + -- -Region ISO code. +List of state or province names (ST, S, or P) type: keyword -example: CA-QC +example: California -- -*`source.geo.region_name`*:: +*`tls.client.x509.not_after`*:: + -- -Region name. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: Quebec +example: 2020-07-16 03:15:39+00:00 -- -*`source.ip`*:: +*`tls.client.x509.not_before`*:: + -- -IP address of the source. -Can be one or multiple IPv4 or IPv6 addresses. +Time at which the certificate is first considered valid. -type: ip +type: date + +example: 2019-08-16 01:40:25+00:00 -- -*`source.mac`*:: +*`tls.client.x509.public_key_algorithm`*:: + -- -MAC address of the source. +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`source.nat.ip`*:: +*`tls.client.x509.public_key_curve`*:: + -- -Translated ip of source based NAT sessions (e.g. internal client to internet) -Typically connections traversing load balancers, firewalls, or routers. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. -type: ip +type: keyword + +example: nistp521 -- -*`source.nat.port`*:: +*`tls.client.x509.public_key_exponent`*:: + -- -Translated port of source based NAT sessions. (e.g. internal client to internet) -Typically used with load balancers, firewalls, or routers. +Exponent used to derive the public key. This is algorithm specific. type: long -format: string +example: 65537 + +Field is not indexed. -- -*`source.packets`*:: +*`tls.client.x509.public_key_size`*:: + -- -Packets sent from the source to the destination. +The size of the public key space in bits. type: long -example: 12 +example: 2048 -- -*`source.port`*:: +*`tls.client.x509.serial_number`*:: + -- -Port of the source. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. -type: long +type: keyword -format: string +example: 55FBB9C7DEBF09809D12CCAA -- -*`source.registered_domain`*:: +*`tls.client.x509.signature_algorithm`*:: + -- -The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: google.com +example: SHA256-RSA -- -*`source.top_level_domain`*:: +*`tls.client.x509.subject.common_name`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". -This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". +List of common names (CN) of subject. type: keyword -example: co.uk +example: shared.global.example.net -- -*`source.user.domain`*:: +*`tls.client.x509.subject.country`*:: + -- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. +List of country (C) code type: keyword +example: US + -- -*`source.user.email`*:: +*`tls.client.x509.subject.distinguished_name`*:: + -- -User email address. +Distinguished name (DN) of the certificate subject entity. type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`source.user.full_name`*:: +*`tls.client.x509.subject.locality`*:: + -- -User's full name, if available. +List of locality names (L) type: keyword -example: Albert Einstein +example: San Francisco -- -*`source.user.full_name.text`*:: +*`tls.client.x509.subject.organization`*:: + -- -type: text +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. -- -*`source.user.group.domain`*:: +*`tls.client.x509.subject.organizational_unit`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +List of organizational units (OU) of subject. type: keyword -- -*`source.user.group.id`*:: +*`tls.client.x509.subject.state_or_province`*:: + -- -Unique identifier for the group on the system/platform. +List of state or province names (ST, S, or P) type: keyword +example: California + -- -*`source.user.group.name`*:: +*`tls.client.x509.version_number`*:: + -- -Name of the group. +Version of x509 format. type: keyword +example: 3 + -- -*`source.user.hash`*:: +*`tls.curve`*:: + -- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. +String indicating the curve used for the given cipher, when applicable. type: keyword +example: secp256r1 + -- -*`source.user.id`*:: +*`tls.established`*:: + -- -Unique identifiers of the user. +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. -type: keyword +type: boolean -- -*`source.user.name`*:: +*`tls.next_protocol`*:: + -- -Short name or login of the user. +String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword -example: albert +example: http/1.1 -- -*`source.user.name.text`*:: +*`tls.resumed`*:: + -- -type: text - --- - -[float] -=== threat +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. -These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). +type: boolean +-- -*`threat.framework`*:: +*`tls.server.certificate`*:: + -- -Name of the threat framework used to further categorize and classify the tactic and technique of the reported threat. Framework classification can be provided by detecting systems, evaluated at ingest time, or retrospectively tagged to events. +PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. type: keyword -example: MITRE ATT&CK +example: MII... -- -*`threat.tactic.id`*:: +*`tls.server.certificate_chain`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. type: keyword -example: TA0040 +example: ['MII...', 'MII...'] -- -*`threat.tactic.name`*:: +*`tls.server.hash.md5`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword -example: impact +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC -- -*`threat.tactic.reference`*:: +*`tls.server.hash.sha1`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword -example: https://attack.mitre.org/tactics/TA0040/ +example: 9E393D93138888D288266C2D915214D1D1CCEB2A -- -*`threat.technique.id`*:: +*`tls.server.hash.sha256`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. type: keyword -example: T1499 +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- -*`threat.technique.name`*:: +*`tls.server.issuer`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +Subject of the issuer of the x.509 certificate presented by the server. type: keyword -example: endpoint denial of service - --- - -*`threat.technique.name.text`*:: -+ --- -type: text +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- -*`threat.technique.reference`*:: +*`tls.server.ja3s`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +A hash that identifies servers based on how they perform an SSL/TLS handshake. type: keyword -example: https://attack.mitre.org/techniques/T1499/ +example: 394441ab65754e2207b1e1b457b3641d -- -[float] -=== tls - -Fields related to a TLS connection. These fields focus on the TLS protocol itself and intentionally avoids in-depth analysis of the related x.509 certificate files. - - -*`tls.cipher`*:: +*`tls.server.not_after`*:: + -- -String indicating the cipher used during the current connection. +Timestamp indicating when server certificate is no longer considered valid. -type: keyword +type: date -example: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +example: 2021-01-01T00:00:00.000Z -- -*`tls.client.certificate`*:: +*`tls.server.not_before`*:: + -- -PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. +Timestamp indicating when server certificate is first considered valid. -type: keyword +type: date -example: MII... +example: 1970-01-01T00:00:00.000Z -- -*`tls.client.certificate_chain`*:: +*`tls.server.subject`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. +Subject of the x.509 certificate presented by the server. type: keyword -example: ['MII...', 'MII...'] +example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com -- -*`tls.client.hash.md5`*:: +*`tls.server.x509.alternative_names`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +example: *.elastic.co -- -*`tls.client.hash.sha1`*:: +*`tls.server.x509.issuer.common_name`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of common name (CN) of issuing certificate authority. type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +example: Example SHA2 High Assurance Server CA -- -*`tls.client.hash.sha256`*:: +*`tls.server.x509.issuer.country`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of country (C) codes type: keyword -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +example: US -- -*`tls.client.issuer`*:: +*`tls.server.x509.issuer.distinguished_name`*:: + -- -Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`tls.client.ja3`*:: +*`tls.server.x509.issuer.locality`*:: + -- -A hash that identifies clients based on how they perform an SSL/TLS handshake. +List of locality names (L) type: keyword -example: d4e5b18d6b55c71272893221c96ba240 +example: Mountain View -- -*`tls.client.not_after`*:: +*`tls.server.x509.issuer.organization`*:: + -- -Date/Time indicating when client certificate is no longer considered valid. +List of organizations (O) of issuing certificate authority. -type: date +type: keyword -example: 2021-01-01T00:00:00.000Z +example: Example Inc -- -*`tls.client.not_before`*:: +*`tls.server.x509.issuer.organizational_unit`*:: + -- -Date/Time indicating when client certificate is first considered valid. +List of organizational units (OU) of issuing certificate authority. -type: date +type: keyword -example: 1970-01-01T00:00:00.000Z +example: www.example.com -- -*`tls.client.server_name`*:: +*`tls.server.x509.issuer.state_or_province`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. +List of state or province names (ST, S, or P) type: keyword -example: www.elastic.co +example: California -- -*`tls.client.subject`*:: +*`tls.server.x509.not_after`*:: + -- -Distinguished name of subject of the x.509 certificate presented by the client. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com +example: 2020-07-16 03:15:39+00:00 -- -*`tls.client.supported_ciphers`*:: +*`tls.server.x509.not_before`*:: + -- -Array of ciphers offered by the client during the client hello. +Time at which the certificate is first considered valid. -type: keyword +type: date -example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', '...'] +example: 2019-08-16 01:40:25+00:00 -- -*`tls.curve`*:: +*`tls.server.x509.public_key_algorithm`*:: + -- -String indicating the curve used for the given cipher, when applicable. +Algorithm used to generate the public key. type: keyword -example: secp256r1 +example: RSA -- -*`tls.established`*:: +*`tls.server.x509.public_key_curve`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. -type: boolean +type: keyword + +example: nistp521 -- -*`tls.next_protocol`*:: +*`tls.server.x509.public_key_exponent`*:: + -- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. +Exponent used to derive the public key. This is algorithm specific. -type: keyword +type: long -example: http/1.1 +example: 65537 + +Field is not indexed. -- -*`tls.resumed`*:: +*`tls.server.x509.public_key_size`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +The size of the public key space in bits. -type: boolean +type: long + +example: 2048 -- -*`tls.server.certificate`*:: +*`tls.server.x509.serial_number`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: MII... +example: 55FBB9C7DEBF09809D12CCAA -- -*`tls.server.certificate_chain`*:: +*`tls.server.x509.signature_algorithm`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: ['MII...', 'MII...'] +example: SHA256-RSA -- -*`tls.server.hash.md5`*:: +*`tls.server.x509.subject.common_name`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of common names (CN) of subject. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +example: shared.global.example.net -- -*`tls.server.hash.sha1`*:: +*`tls.server.x509.subject.country`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of country (C) code type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +example: US -- -*`tls.server.hash.sha256`*:: +*`tls.server.x509.subject.distinguished_name`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +Distinguished name (DN) of the certificate subject entity. type: keyword -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`tls.server.issuer`*:: +*`tls.server.x509.subject.locality`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. +List of locality names (L) type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: San Francisco -- -*`tls.server.ja3s`*:: +*`tls.server.x509.subject.organization`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. +List of organizations (O) of subject. type: keyword -example: 394441ab65754e2207b1e1b457b3641d +example: Example, Inc. -- -*`tls.server.not_after`*:: +*`tls.server.x509.subject.organizational_unit`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. - -type: date +List of organizational units (OU) of subject. -example: 2021-01-01T00:00:00.000Z +type: keyword -- -*`tls.server.not_before`*:: +*`tls.server.x509.subject.state_or_province`*:: + -- -Timestamp indicating when server certificate is first considered valid. +List of state or province names (ST, S, or P) -type: date +type: keyword -example: 1970-01-01T00:00:00.000Z +example: California -- -*`tls.server.subject`*:: +*`tls.server.x509.version_number`*:: + -- -Subject of the x.509 certificate presented by the server. +Version of x509 format. type: keyword -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com +example: 3 -- @@ -8333,6 +9426,18 @@ example: tls Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. +*`tracing.span.id`*:: ++ +-- +Unique identifier of the span within the scope of its trace. +A span represents an operation within a transaction, such as a request to another service, or a database query. + +type: keyword + +example: 3ff9a8981b7ccd5a + +-- + *`tracing.trace.id`*:: + -- @@ -8348,7 +9453,7 @@ example: 4bf92f3577b34da6a3ce929d0e0e4736 *`tracing.transaction.id`*:: + -- -Unique identifier of the transaction. +Unique identifier of the transaction within the scope of its trace. A transaction is the highest level of work measured within a service, such as a request to a server. type: keyword @@ -8481,12 +9586,12 @@ type: keyword + -- The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- @@ -8505,7 +9610,7 @@ example: https *`url.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -8608,7 +9713,7 @@ type: keyword *`user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -8632,6 +9737,17 @@ type: text -- +*`user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent @@ -8945,1886 +10061,1689 @@ CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit orga type: keyword -example: 2.0 - --- - -*`vulnerability.severity`*:: -+ --- -The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) - -type: keyword - -example: Critical - --- - -[[exported-fields-flows_event]] -== Flow Event fields - -These fields contain data about the flow itself. - - - -*`flow.final`*:: -+ --- -Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. - - -type: boolean - --- - -*`flow.id`*:: -+ --- -Internal flow ID based on connection meta data and address. - - --- - -*`flow.vlan`*:: -+ --- -VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. - - -type: long - --- - -*`flow_id`*:: -+ --- -type: alias - -alias to: flow.id - --- - -*`final`*:: -+ --- -type: alias - -alias to: flow.final - --- - -*`vlan`*:: -+ --- -type: alias - -alias to: flow.vlan - --- - -*`source.stats.net_bytes_total`*:: -+ --- -type: alias - -alias to: source.bytes - --- - -*`source.stats.net_packets_total`*:: -+ --- -type: alias - -alias to: source.packets - --- - -*`dest.stats.net_bytes_total`*:: -+ --- -type: alias - -alias to: destination.bytes +example: 2.0 -- -*`dest.stats.net_packets_total`*:: +*`vulnerability.severity`*:: + -- -type: alias - -alias to: destination.packets +The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. For example (https://nvd.nist.gov/vuln-metrics/cvss) --- +type: keyword -[[exported-fields-host-processor]] -== Host fields +example: Critical -Info collected for the host machine. +-- +[float] +=== x509 +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). -*`host.containerized`*:: +*`x509.alternative_names`*:: + -- -If the host is a container. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. +type: keyword -type: boolean +example: *.elastic.co -- -*`host.os.build`*:: +*`x509.issuer.common_name`*:: + -- -OS build information. - +List of common name (CN) of issuing certificate authority. type: keyword -example: 18D109 +example: Example SHA2 High Assurance Server CA -- -*`host.os.codename`*:: +*`x509.issuer.country`*:: + -- -OS codename, if any. - +List of country (C) codes type: keyword -example: stretch +example: US -- -[[exported-fields-http]] -== HTTP fields - -HTTP-specific event fields. +*`x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. +type: keyword -[float] -=== http +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -Information about the HTTP request and response. +-- +*`x509.issuer.locality`*:: ++ +-- +List of locality names (L) -[float] -=== request +type: keyword -HTTP request +example: Mountain View +-- -*`http.request.headers`*:: +*`x509.issuer.organization`*:: + -- -A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. +List of organizations (O) of issuing certificate authority. +type: keyword -type: object +example: Example Inc -- -*`http.request.params`*:: +*`x509.issuer.organizational_unit`*:: + -- -type: alias +List of organizational units (OU) of issuing certificate authority. -alias to: url.query +type: keyword + +example: www.example.com -- -[float] -=== response +*`x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) -HTTP response +type: keyword + +example: California +-- -*`http.response.status_phrase`*:: +*`x509.not_after`*:: + -- -The HTTP status phrase. +Time at which the certificate is no longer considered valid. -example: Not Found +type: date + +example: 2020-07-16 03:15:39+00:00 -- -*`http.response.headers`*:: +*`x509.not_before`*:: + -- -A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. +Time at which the certificate is first considered valid. +type: date -type: object +example: 2019-08-16 01:40:25+00:00 -- -*`http.response.code`*:: +*`x509.public_key_algorithm`*:: + -- -type: alias +Algorithm used to generate the public key. -alias to: http.response.status_code +type: keyword + +example: RSA -- -*`http.response.phrase`*:: +*`x509.public_key_curve`*:: + -- -type: alias +The curve used by the elliptic curve public key algorithm. This is algorithm specific. -alias to: http.response.status_phrase +type: keyword + +example: nistp521 -- -[[exported-fields-icmp]] -== ICMP fields +*`x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. -ICMP specific event fields. +type: long +example: 65537 +Field is not indexed. +-- -*`icmp.version`*:: +*`x509.public_key_size`*:: + -- -The version of the ICMP protocol. +The size of the public key space in bits. + +type: long + +example: 2048 -- -*`icmp.request.message`*:: +*`x509.serial_number`*:: + -- -A human readable form of the request. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -*`icmp.request.type`*:: +*`x509.signature_algorithm`*:: + -- -The request type. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. -type: long +type: keyword + +example: SHA256-RSA -- -*`icmp.request.code`*:: +*`x509.subject.common_name`*:: + -- -The request code. +List of common names (CN) of subject. -type: long +type: keyword + +example: shared.global.example.net -- -*`icmp.response.message`*:: +*`x509.subject.country`*:: + -- -A human readable form of the response. +List of country (C) code type: keyword +example: US + -- -*`icmp.response.type`*:: +*`x509.subject.distinguished_name`*:: + -- -The response type. +Distinguished name (DN) of the certificate subject entity. -type: long +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -- -*`icmp.response.code`*:: +*`x509.subject.locality`*:: + -- -The response code. +List of locality names (L) -type: long +type: keyword + +example: San Francisco -- -[[exported-fields-jolokia-autodiscover]] -== Jolokia Discovery autodiscover provider fields +*`x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. -Metadata from Jolokia Discovery added by the jolokia provider. +type: keyword +example: Example, Inc. +-- -*`jolokia.agent.version`*:: +*`x509.subject.organizational_unit`*:: + -- -Version number of jolokia agent. - +List of organizational units (OU) of subject. type: keyword -- -*`jolokia.agent.id`*:: +*`x509.subject.state_or_province`*:: + -- -Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. - +List of state or province names (ST, S, or P) type: keyword +example: California + -- -*`jolokia.server.product`*:: +*`x509.version_number`*:: + -- -The container product if detected. - +Version of x509 format. type: keyword --- +example: 3 -*`jolokia.server.version`*:: -+ -- -The container's version (if detected). +[[exported-fields-flows_event]] +== Flow Event fields -type: keyword +These fields contain data about the flow itself. --- -*`jolokia.server.vendor`*:: + +*`flow.final`*:: + -- -The vendor of the container the agent is running in. +Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. -type: keyword +type: boolean -- -*`jolokia.url`*:: +*`flow.id`*:: + -- -The URL how this agent can be contacted. - +Internal flow ID based on connection meta data and address. -type: keyword -- -*`jolokia.secured`*:: +*`flow.vlan`*:: + -- -Whether the agent was configured for authentication or not. +VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. -type: boolean +type: long -- -[[exported-fields-kubernetes-processor]] -== Kubernetes fields - -Kubernetes metadata added by the kubernetes processor - +*`flow_id`*:: ++ +-- +type: alias +alias to: flow.id +-- -*`kubernetes.pod.name`*:: +*`final`*:: + -- -Kubernetes pod name - +type: alias -type: keyword +alias to: flow.final -- -*`kubernetes.pod.uid`*:: +*`vlan`*:: + -- -Kubernetes Pod UID - +type: alias -type: keyword +alias to: flow.vlan -- -*`kubernetes.namespace`*:: +*`source.stats.net_bytes_total`*:: + -- -Kubernetes namespace - +type: alias -type: keyword +alias to: source.bytes -- -*`kubernetes.node.name`*:: +*`source.stats.net_packets_total`*:: + -- -Kubernetes node name - +type: alias -type: keyword +alias to: source.packets -- -*`kubernetes.labels.*`*:: +*`dest.stats.net_bytes_total`*:: + -- -Kubernetes labels map - +type: alias -type: object +alias to: destination.bytes -- -*`kubernetes.annotations.*`*:: +*`dest.stats.net_packets_total`*:: + -- -Kubernetes annotations map +type: alias + +alias to: destination.packets + +-- + +[[exported-fields-host-processor]] +== Host fields + +Info collected for the host machine. -type: object --- -*`kubernetes.replicaset.name`*:: +*`host.containerized`*:: + -- -Kubernetes replicaset name +If the host is a container. -type: keyword +type: boolean -- -*`kubernetes.deployment.name`*:: +*`host.os.build`*:: + -- -Kubernetes deployment name +OS build information. type: keyword +example: 18D109 + -- -*`kubernetes.statefulset.name`*:: +*`host.os.codename`*:: + -- -Kubernetes statefulset name +OS codename, if any. type: keyword --- +example: stretch -*`kubernetes.container.name`*:: -+ -- -Kubernetes container name - -type: keyword - --- +[[exported-fields-http]] +== HTTP fields -*`kubernetes.container.image`*:: -+ --- -Kubernetes container image +HTTP-specific event fields. -type: keyword +[float] +=== http --- +Information about the HTTP request and response. -[[exported-fields-memcache]] -== Memcache fields -Memcached-specific event fields +[float] +=== request +HTTP request -*`memcache.protocol_type`*:: +*`http.request.headers`*:: + -- -The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. +A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. -type: keyword +type: object -- -*`memcache.request.line`*:: +*`http.request.params`*:: + -- -The raw command line for unknown commands ONLY. - - -type: keyword +type: alias --- +alias to: url.query -*`memcache.request.command`*:: -+ -- -The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. +[float] +=== response -type: keyword +HTTP response --- -*`memcache.response.command`*:: +*`http.response.status_phrase`*:: + -- -Either the text based protocol response message type or the name of the originating request if binary protocol is used. - +The HTTP status phrase. -type: keyword +example: Not Found -- -*`memcache.request.type`*:: +*`http.response.headers`*:: + -- -The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". +A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. -type: keyword +type: object -- -*`memcache.response.type`*:: +*`http.response.code`*:: + -- -The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). - +type: alias -type: keyword +alias to: http.response.status_code -- -*`memcache.response.error_msg`*:: +*`http.response.phrase`*:: + -- -The optional error message in the memcache response (text based protocol only). - +type: alias -type: keyword +alias to: http.response.status_phrase -- -*`memcache.request.opcode`*:: -+ --- -The binary protocol message opcode name. +[[exported-fields-icmp]] +== ICMP fields +ICMP specific event fields. -type: keyword --- -*`memcache.response.opcode`*:: + +*`icmp.version`*:: + -- -The binary protocol message opcode name. - - -type: keyword +The version of the ICMP protocol. -- -*`memcache.request.opcode_value`*:: +*`icmp.request.message`*:: + -- -The binary protocol message opcode value. - +A human readable form of the request. -type: long +type: keyword -- -*`memcache.response.opcode_value`*:: +*`icmp.request.type`*:: + -- -The binary protocol message opcode value. - +The request type. type: long -- -*`memcache.request.opaque`*:: +*`icmp.request.code`*:: + -- -The binary protocol opaque header value used for correlating request with response messages. - +The request code. type: long -- -*`memcache.response.opaque`*:: +*`icmp.response.message`*:: + -- -The binary protocol opaque header value used for correlating request with response messages. - +A human readable form of the response. -type: long +type: keyword -- -*`memcache.request.vbucket`*:: +*`icmp.response.type`*:: + -- -The vbucket index sent in the binary message. - +The response type. type: long -- -*`memcache.response.status`*:: +*`icmp.response.code`*:: + -- -The textual representation of the response error code (binary protocol only). - +The response code. -type: keyword +type: long -- -*`memcache.response.status_code`*:: -+ --- -The status code value returned in the response (binary protocol only). +[[exported-fields-jolokia-autodiscover]] +== Jolokia Discovery autodiscover provider fields +Metadata from Jolokia Discovery added by the jolokia provider. -type: long --- -*`memcache.request.keys`*:: +*`jolokia.agent.version`*:: + -- -The list of keys sent in the store or load commands. +Version number of jolokia agent. -type: array +type: keyword -- -*`memcache.response.keys`*:: +*`jolokia.agent.id`*:: + -- -The list of keys returned for the load command (if present). +Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. -type: array +type: keyword -- -*`memcache.request.count_values`*:: +*`jolokia.server.product`*:: + -- -The number of values found in the memcache request message. If the command does not send any data, this field is missing. +The container product if detected. -type: long +type: keyword -- -*`memcache.response.count_values`*:: +*`jolokia.server.version`*:: + -- -The number of values found in the memcache response message. If the command does not send any data, this field is missing. +The container's version (if detected). -type: long +type: keyword -- -*`memcache.request.values`*:: +*`jolokia.server.vendor`*:: + -- -The list of base64 encoded values sent with the request (if present). +The vendor of the container the agent is running in. -type: array +type: keyword -- -*`memcache.response.values`*:: +*`jolokia.url`*:: + -- -The list of base64 encoded values sent with the response (if present). +The URL how this agent can be contacted. -type: array +type: keyword -- -*`memcache.request.bytes`*:: +*`jolokia.secured`*:: + -- -The byte count of the values being transferred. - +Whether the agent was configured for authentication or not. -type: long -format: bytes +type: boolean -- -*`memcache.response.bytes`*:: -+ --- -The byte count of the values being transferred. +[[exported-fields-kubernetes-processor]] +== Kubernetes fields +Kubernetes metadata added by the kubernetes processor -type: long -format: bytes --- -*`memcache.request.delta`*:: +*`kubernetes.pod.name`*:: + -- -The counter increment/decrement delta value. +Kubernetes pod name -type: long +type: keyword -- -*`memcache.request.initial`*:: +*`kubernetes.pod.uid`*:: + -- -The counter increment/decrement initial value parameter (binary protocol only). +Kubernetes Pod UID -type: long +type: keyword -- -*`memcache.request.verbosity`*:: +*`kubernetes.namespace`*:: + -- -The value of the memcache "verbosity" command. +Kubernetes namespace -type: long +type: keyword -- -*`memcache.request.raw_args`*:: +*`kubernetes.node.name`*:: + -- -The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. +Kubernetes node name type: keyword -- -*`memcache.request.source_class`*:: +*`kubernetes.labels.*`*:: + -- -The source class id in 'slab reassign' command. +Kubernetes labels map -type: long +type: object -- -*`memcache.request.dest_class`*:: +*`kubernetes.annotations.*`*:: + -- -The destination class id in 'slab reassign' command. +Kubernetes annotations map -type: long +type: object -- -*`memcache.request.automove`*:: +*`kubernetes.replicaset.name`*:: + -- -The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. +Kubernetes replicaset name type: keyword -- -*`memcache.request.flags`*:: +*`kubernetes.deployment.name`*:: + -- -The memcache command flags sent in the request (if present). +Kubernetes deployment name -type: long +type: keyword -- -*`memcache.response.flags`*:: +*`kubernetes.statefulset.name`*:: + -- -The memcache message flags sent in the response (if present). +Kubernetes statefulset name -type: long +type: keyword -- -*`memcache.request.exptime`*:: +*`kubernetes.container.name`*:: + -- -The data expiry time in seconds sent with the memcache command (if present). If the value is <30 days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). +Kubernetes container name -type: long +type: keyword -- -*`memcache.request.sleep_us`*:: +*`kubernetes.container.image`*:: + -- -The sleep setting in microseconds for the 'lru_crawler sleep' command. +Kubernetes container image -type: long +type: keyword -- -*`memcache.response.value`*:: -+ --- -The counter value returned by a counter operation. +[[exported-fields-memcache]] +== Memcache fields +Memcached-specific event fields -type: long --- -*`memcache.request.noreply`*:: +*`memcache.protocol_type`*:: + -- -Set to true if noreply was set in the request. The `memcache.response` field will be missing. +The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. -type: boolean +type: keyword -- -*`memcache.request.quiet`*:: +*`memcache.request.line`*:: + -- -Set to true if the binary protocol message is to be treated as a quiet message. +The raw command line for unknown commands ONLY. -type: boolean +type: keyword -- -*`memcache.request.cas_unique`*:: +*`memcache.request.command`*:: + -- -The CAS (compare-and-swap) identifier if present. +The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. -type: long +type: keyword -- -*`memcache.response.cas_unique`*:: +*`memcache.response.command`*:: + -- -The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). +Either the text based protocol response message type or the name of the originating request if binary protocol is used. -type: long +type: keyword -- -*`memcache.response.stats`*:: +*`memcache.request.type`*:: + -- -The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". +The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". -type: array +type: keyword -- -*`memcache.response.version`*:: +*`memcache.response.type`*:: + -- -The returned memcache version string. +The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). type: keyword -- -[[exported-fields-mongodb]] -== MongoDb fields - -MongoDB-specific event fields. These fields mirror closely the fields for the MongoDB wire protocol. The higher level fields (for example, `query` and `resource`) apply to MongoDB events as well. +*`memcache.response.error_msg`*:: ++ +-- +The optional error message in the memcache response (text based protocol only). +type: keyword +-- -*`mongodb.error`*:: +*`memcache.request.opcode`*:: + -- -If the MongoDB request has resulted in an error, this field contains the error message returned by the server. +The binary protocol message opcode name. +type: keyword + -- -*`mongodb.fullCollectionName`*:: +*`memcache.response.opcode`*:: + -- -The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. +The binary protocol message opcode name. +type: keyword + -- -*`mongodb.numberToSkip`*:: +*`memcache.request.opcode_value`*:: + -- -Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. +The binary protocol message opcode value. type: long -- -*`mongodb.numberToReturn`*:: +*`memcache.response.opcode_value`*:: + -- -The requested maximum number of documents to be returned. +The binary protocol message opcode value. type: long -- -*`mongodb.numberReturned`*:: +*`memcache.request.opaque`*:: + -- -The number of documents in the reply. +The binary protocol opaque header value used for correlating request with response messages. type: long -- -*`mongodb.startingFrom`*:: +*`memcache.response.opaque`*:: + -- -Where in the cursor this reply is starting. +The binary protocol opaque header value used for correlating request with response messages. +type: long + -- -*`mongodb.query`*:: +*`memcache.request.vbucket`*:: + -- -A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. +The vbucket index sent in the binary message. +type: long + -- -*`mongodb.returnFieldsSelector`*:: +*`memcache.response.status`*:: + -- -A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. +The textual representation of the response error code (binary protocol only). +type: keyword + -- -*`mongodb.selector`*:: +*`memcache.response.status_code`*:: + -- -A BSON document that specifies the query for selecting the document to update or delete. +The status code value returned in the response (binary protocol only). +type: long + -- -*`mongodb.update`*:: +*`memcache.request.keys`*:: + -- -A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. +The list of keys sent in the store or load commands. --- +type: array -*`mongodb.cursorId`*:: -+ -- -The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. - +*`memcache.response.keys`*:: ++ -- - -[[exported-fields-mysql]] -== MySQL fields - -MySQL-specific event fields. +The list of keys returned for the load command (if present). +type: array +-- -*`mysql.affected_rows`*:: +*`memcache.request.count_values`*:: + -- -If the MySQL command is successful, this field contains the affected number of rows of the last statement. +The number of values found in the memcache request message. If the command does not send any data, this field is missing. type: long -- -*`mysql.insert_id`*:: +*`memcache.response.count_values`*:: + -- -If the INSERT query is successful, this field contains the id of the newly inserted row. - - --- +The number of values found in the memcache response message. If the command does not send any data, this field is missing. -*`mysql.num_fields`*:: -+ --- -If the SELECT query is successful, this field is set to the number of fields returned. +type: long -- -*`mysql.num_rows`*:: +*`memcache.request.values`*:: + -- -If the SELECT query is successful, this field is set to the number of rows returned. +The list of base64 encoded values sent with the request (if present). +type: array + -- -*`mysql.query`*:: +*`memcache.response.values`*:: + -- -The row mysql query as read from the transaction's request. +The list of base64 encoded values sent with the response (if present). +type: array + -- -*`mysql.error_code`*:: +*`memcache.request.bytes`*:: + -- -The error code returned by MySQL. +The byte count of the values being transferred. type: long --- +format: bytes -*`mysql.error_message`*:: -+ -- -The error info message returned by MySQL. - +*`memcache.response.bytes`*:: ++ -- +The byte count of the values being transferred. -[[exported-fields-nfs]] -== NFS fields -NFS v4/3 specific event fields. +type: long +format: bytes +-- -*`nfs.version`*:: +*`memcache.request.delta`*:: + -- -NFS protocol version number. +The counter increment/decrement delta value. + type: long -- -*`nfs.minor_version`*:: +*`memcache.request.initial`*:: + -- -NFS protocol minor version number. +The counter increment/decrement initial value parameter (binary protocol only). + type: long -- -*`nfs.tag`*:: +*`memcache.request.verbosity`*:: + -- -NFS v4 COMPOUND operation tag. - --- +The value of the memcache "verbosity" command. -*`nfs.opcode`*:: -+ --- -NFS operation name, or main operation name, in case of COMPOUND calls. +type: long -- -*`nfs.status`*:: +*`memcache.request.raw_args`*:: + -- -NFS operation reply status. - --- +The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. -[float] -=== rpc -ONC RPC specific event fields. +type: keyword +-- -*`rpc.xid`*:: +*`memcache.request.source_class`*:: + -- -RPC message transaction identifier. +The source class id in 'slab reassign' command. --- -*`rpc.status`*:: -+ --- -RPC message reply status. +type: long -- -*`rpc.auth_flavor`*:: +*`memcache.request.dest_class`*:: + -- -RPC authentication flavor. +The destination class id in 'slab reassign' command. + + +type: long -- -*`rpc.cred.uid`*:: +*`memcache.request.automove`*:: + -- -RPC caller's user id, in case of auth-unix. +The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. -type: long + +type: keyword -- -*`rpc.cred.gid`*:: +*`memcache.request.flags`*:: + -- -RPC caller's group id, in case of auth-unix. +The memcache command flags sent in the request (if present). + type: long -- -*`rpc.cred.gids`*:: +*`memcache.response.flags`*:: + -- -RPC caller's secondary group ids, in case of auth-unix. +The memcache message flags sent in the response (if present). + + +type: long -- -*`rpc.cred.stamp`*:: +*`memcache.request.exptime`*:: + -- -Arbitrary ID which the caller machine may generate. +The data expiry time in seconds sent with the memcache command (if present). If the value is <30 days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). + type: long -- -*`rpc.cred.machinename`*:: +*`memcache.request.sleep_us`*:: + -- -The name of the caller's machine. +The sleep setting in microseconds for the 'lru_crawler sleep' command. + + +type: long -- -*`rpc.call_size`*:: +*`memcache.response.value`*:: + -- -RPC call size with argument. +The counter value returned by a counter operation. -type: alias -alias to: source.bytes +type: long -- -*`rpc.reply_size`*:: +*`memcache.request.noreply`*:: + -- -RPC reply size with argument. +Set to true if noreply was set in the request. The `memcache.response` field will be missing. -type: alias -alias to: destination.bytes +type: boolean -- -[[exported-fields-pgsql]] -== PostgreSQL fields - -PostgreSQL-specific event fields. +*`memcache.request.quiet`*:: ++ +-- +Set to true if the binary protocol message is to be treated as a quiet message. +type: boolean +-- -*`pgsql.error_code`*:: +*`memcache.request.cas_unique`*:: + -- -The PostgreSQL error code. +The CAS (compare-and-swap) identifier if present. + type: long -- -*`pgsql.error_message`*:: +*`memcache.response.cas_unique`*:: + -- -The PostgreSQL error message. +The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). --- -*`pgsql.error_severity`*:: -+ --- -The PostgreSQL error severity. +type: long -- -*`pgsql.num_fields`*:: +*`memcache.response.stats`*:: + -- -If the SELECT query if successful, this field is set to the number of fields returned. +The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". +type: array + -- -*`pgsql.num_rows`*:: +*`memcache.response.version`*:: + -- -If the SELECT query if successful, this field is set to the number of rows returned. +The returned memcache version string. +type: keyword + -- -[[exported-fields-process]] -== Process fields +[[exported-fields-mongodb]] +== MongoDb fields -Process metadata fields +MongoDB-specific event fields. These fields mirror closely the fields for the MongoDB wire protocol. The higher level fields (for example, `query` and `resource`) apply to MongoDB events as well. -*`process.exe`*:: +*`mongodb.error`*:: + -- -type: alias +If the MongoDB request has resulted in an error, this field contains the error message returned by the server. -alias to: process.executable -- -[[exported-fields-raw]] -== Raw fields +*`mongodb.fullCollectionName`*:: ++ +-- +The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar. -These fields contain the raw transaction data. +-- -*`request`*:: +*`mongodb.numberToSkip`*:: + -- -For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. +Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. -type: text +type: long -- -*`response`*:: +*`mongodb.numberToReturn`*:: + -- -For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. +The requested maximum number of documents to be returned. -type: text +type: long -- -[[exported-fields-redis]] -== Redis fields - -Redis-specific event fields. +*`mongodb.numberReturned`*:: ++ +-- +The number of documents in the reply. +type: long +-- -*`redis.return_value`*:: +*`mongodb.startingFrom`*:: + -- -The return value of the Redis command in a human readable format. +Where in the cursor this reply is starting. -- -*`redis.error`*:: +*`mongodb.query`*:: + -- -If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. +A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot. -- -[[exported-fields-thrift]] -== Thrift-RPC fields - -Thrift-RPC specific event fields. - - - - -*`thrift.params`*:: +*`mongodb.returnFieldsSelector`*:: + -- -The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. +A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1. -- -*`thrift.service`*:: +*`mongodb.selector`*:: + -- -The name of the Thrift-RPC service as defined in the IDL files. +A BSON document that specifies the query for selecting the document to update or delete. -- -*`thrift.return_value`*:: +*`mongodb.update`*:: + -- -The value returned by the Thrift-RPC call. This is encoded in a human readable format. +A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual. -- -*`thrift.exceptions`*:: +*`mongodb.cursorId`*:: + -- -If the call resulted in exceptions, this field contains the exceptions in a human readable format. +The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. -- -[[exported-fields-tls_detailed]] -== Detailed TLS fields - -Detailed TLS-specific event fields. - +[[exported-fields-mysql]] +== MySQL fields +MySQL-specific event fields. -*`tls.client.x509.version`*:: +*`mysql.affected_rows`*:: + -- -Version of x509 format. +If the MySQL command is successful, this field contains the affected number of rows of the last statement. -type: keyword -example: 3 +type: long -- -*`tls.client.x509.version_number`*:: +*`mysql.insert_id`*:: + -- -Version of x509 format. - -type: keyword +If the INSERT query is successful, this field contains the id of the newly inserted row. -example: 3 -- -*`tls.client.x509.serial_number`*:: +*`mysql.num_fields`*:: + -- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - - -type: keyword +If the SELECT query is successful, this field is set to the number of fields returned. -example: 55FBB9C7DEBF09809D12CCAA -- -*`tls.client.x509.issuer.distinguished_name`*:: +*`mysql.num_rows`*:: + -- -Distinguished name (DN) of issuing certificate authority. - -type: keyword +If the SELECT query is successful, this field is set to the number of rows returned. -example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA -- -*`tls.client.x509.issuer.common_name`*:: +*`mysql.query`*:: + -- -List of common name (CN) of issuing certificate authority. - -type: keyword +The row mysql query as read from the transaction's request. -example: DigiCert SHA2 High Assurance Server CA -- -*`tls.client.x509.issuer.organizational_unit`*:: +*`mysql.error_code`*:: + -- -List of organizational units (OU) of issuing certificate authority. +The error code returned by MySQL. -type: keyword -example: www.digicert.com +type: long -- -*`tls.client.x509.issuer.organization`*:: +*`mysql.error_message`*:: + -- -List of organizations (O) of issuing certificate authority. - -type: keyword +The error info message returned by MySQL. -example: DigiCert Inc -- -*`tls.client.x509.issuer.locality`*:: -+ --- -List of locality names (L) +[[exported-fields-nfs]] +== NFS fields -type: keyword +NFS v4/3 specific event fields. -example: Mountain View --- -*`tls.client.x509.issuer.province`*:: +*`nfs.version`*:: + -- -Province or region within country. +NFS protocol version number. -type: keyword +type: long -- -*`tls.client.x509.issuer.state_or_province`*:: +*`nfs.minor_version`*:: + -- -List of state or province names (ST, S, or P) - -type: keyword +NFS protocol minor version number. -example: California +type: long -- -*`tls.client.x509.issuer.country`*:: +*`nfs.tag`*:: + -- -List of country (C) codes - -type: keyword - -example: US +NFS v4 COMPOUND operation tag. -- -*`tls.client.x509.signature_algorithm`*:: +*`nfs.opcode`*:: + -- -Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). - -type: keyword +NFS operation name, or main operation name, in case of COMPOUND calls. -example: SHA256-RSA -- -*`tls.client.x509.not_before`*:: +*`nfs.status`*:: + -- -Time at which the certificate is first considered valid. +NFS operation reply status. -type: date +-- + +[float] +=== rpc -example: 2019-08-16 01:40:25 +ONC RPC specific event fields. --- -*`tls.client.x509.not_after`*:: +*`rpc.xid`*:: + -- -Time at which the certificate is no longer considered valid. - -type: date - -example: 2020-07-16 03:15:39 +RPC message transaction identifier. -- -*`tls.client.x509.subject.distinguished_name`*:: +*`rpc.status`*:: + -- -Distinguished name (DN) of the certificate subject entity. +RPC message reply status. -type: keyword +-- -example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net +*`rpc.auth_flavor`*:: ++ +-- +RPC authentication flavor. -- -*`tls.client.x509.subject.common_name`*:: +*`rpc.cred.uid`*:: + -- -List of common names (CN) of subject. - -type: keyword +RPC caller's user id, in case of auth-unix. -example: r2.shared.global.fastly.net +type: long -- -*`tls.client.x509.subject.organizational_unit`*:: +*`rpc.cred.gid`*:: + -- -List of organizational units (OU) of subject. +RPC caller's group id, in case of auth-unix. -type: keyword +type: long -- -*`tls.client.x509.subject.organization`*:: +*`rpc.cred.gids`*:: + -- -List of organizations (O) of subject. - -type: keyword - -example: Fastly, Inc. +RPC caller's secondary group ids, in case of auth-unix. -- -*`tls.client.x509.subject.locality`*:: +*`rpc.cred.stamp`*:: + -- -List of locality names (L) - -type: keyword +Arbitrary ID which the caller machine may generate. -example: San Francisco +type: long -- -*`tls.client.x509.subject.province`*:: +*`rpc.cred.machinename`*:: + -- -Province or region within country. - -type: keyword +The name of the caller's machine. -- -*`tls.client.x509.subject.state_or_province`*:: +*`rpc.call_size`*:: + -- -List of state or province names (ST, S, or P) +RPC call size with argument. -type: keyword +type: alias -example: California +alias to: source.bytes -- -*`tls.client.x509.subject.country`*:: +*`rpc.reply_size`*:: + -- -List of country (C) code +RPC reply size with argument. -type: keyword +type: alias -example: US +alias to: destination.bytes -- -*`tls.client.x509.public_key_algorithm`*:: -+ --- -Algorithm used to generate the public key. +[[exported-fields-pgsql]] +== PostgreSQL fields -type: keyword +PostgreSQL-specific event fields. -example: RSA --- -*`tls.client.x509.public_key_size`*:: + +*`pgsql.error_code`*:: + -- -The size of the public key space in bits. +The PostgreSQL error code. type: long -example: 2048 - -- -*`tls.client.x509.alternative_names`*:: +*`pgsql.error_message`*:: + -- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - -type: keyword - -example: *.elastic.co +The PostgreSQL error message. -- - - -*`tls.server.x509.version`*:: +*`pgsql.error_severity`*:: + -- -Version of x509 format. - -type: keyword - -example: 3 +The PostgreSQL error severity. -- -*`tls.server.x509.version_number`*:: +*`pgsql.num_fields`*:: + -- -Version of x509 format. - -type: keyword +If the SELECT query if successful, this field is set to the number of fields returned. -example: 3 -- -*`tls.server.x509.serial_number`*:: +*`pgsql.num_rows`*:: + -- -Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. - - -type: keyword +If the SELECT query if successful, this field is set to the number of rows returned. -example: 55FBB9C7DEBF09809D12CCAA -- -*`tls.server.x509.issuer.distinguished_name`*:: -+ --- -Distinguished name (DN) of issuing certificate authority. +[[exported-fields-process]] +== Process fields -type: keyword +Process metadata fields -example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA --- -*`tls.server.x509.issuer.common_name`*:: + +*`process.exe`*:: + -- -List of common name (CN) of issuing certificate authority. - -type: keyword - -example: DigiCert SHA2 High Assurance Server CA +type: alias --- +alias to: process.executable -*`tls.server.x509.issuer.organizational_unit`*:: -+ -- -List of organizational units (OU) of issuing certificate authority. -type: keyword +[[exported-fields-raw]] +== Raw fields -example: www.digicert.com +These fields contain the raw transaction data. --- -*`tls.server.x509.issuer.organization`*:: +*`request`*:: + -- -List of organizations (O) of issuing certificate authority. +For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. -type: keyword -example: DigiCert Inc +type: text -- -*`tls.server.x509.issuer.locality`*:: +*`response`*:: + -- -List of locality names (L) +For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. -type: keyword -example: Mountain View +type: text -- -*`tls.server.x509.issuer.province`*:: -+ --- -Province or region within country. +[[exported-fields-redis]] +== Redis fields -type: keyword +Redis-specific event fields. --- -*`tls.server.x509.issuer.state_or_province`*:: + + +*`redis.return_value`*:: + -- -List of state or province names (ST, S, or P) - -type: keyword +The return value of the Redis command in a human readable format. -example: California -- -*`tls.server.x509.issuer.country`*:: +*`redis.error`*:: + -- -List of country (C) codes - -type: keyword +If the Redis command has resulted in an error, this field contains the error message returned by the Redis server. -example: US -- -*`tls.server.x509.signature_algorithm`*:: -+ --- -Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). +[[exported-fields-thrift]] +== Thrift-RPC fields -type: keyword +Thrift-RPC specific event fields. -example: SHA256-RSA --- -*`tls.server.x509.not_before`*:: + +*`thrift.params`*:: + -- -Time at which the certificate is first considered valid. - -type: date +The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used. -example: 2019-08-16 01:40:25 -- -*`tls.server.x509.not_after`*:: +*`thrift.service`*:: + -- -Time at which the certificate is no longer considered valid. - -type: date +The name of the Thrift-RPC service as defined in the IDL files. -example: 2020-07-16 03:15:39 -- -*`tls.server.x509.subject.distinguished_name`*:: +*`thrift.return_value`*:: + -- -Distinguished name (DN) of the certificate subject entity. - -type: keyword +The value returned by the Thrift-RPC call. This is encoded in a human readable format. -example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net -- -*`tls.server.x509.subject.common_name`*:: +*`thrift.exceptions`*:: + -- -List of common names (CN) of subject. - -type: keyword +If the call resulted in exceptions, this field contains the exceptions in a human readable format. -example: r2.shared.global.fastly.net -- -*`tls.server.x509.subject.organizational_unit`*:: -+ --- -List of organizational units (OU) of subject. +[[exported-fields-tls_detailed]] +== Detailed TLS fields -type: keyword +Detailed TLS-specific event fields. --- -*`tls.server.x509.subject.organization`*:: -+ --- -List of organizations (O) of subject. -type: keyword -example: Fastly, Inc. --- -*`tls.server.x509.subject.locality`*:: +*`tls.client.x509.version`*:: + -- -List of locality names (L) +Version of x509 format. type: keyword -example: San Francisco +example: 3 -- -*`tls.server.x509.subject.province`*:: +*`tls.client.x509.issuer.province`*:: + -- Province or region within country. @@ -10833,59 +11752,44 @@ type: keyword -- -*`tls.server.x509.subject.state_or_province`*:: +*`tls.client.x509.subject.province`*:: + -- -List of state or province names (ST, S, or P) +Province or region within country. type: keyword -example: California - --- - -*`tls.server.x509.subject.country`*:: -+ -- -List of country (C) code -type: keyword - -example: US --- -*`tls.server.x509.public_key_algorithm`*:: +*`tls.server.x509.version`*:: + -- -Algorithm used to generate the public key. +Version of x509 format. type: keyword -example: RSA +example: 3 -- -*`tls.server.x509.public_key_size`*:: +*`tls.server.x509.issuer.province`*:: + -- -The size of the public key space in bits. - -type: long +Province or region within country. -example: 2048 +type: keyword -- -*`tls.server.x509.alternative_names`*:: +*`tls.server.x509.subject.province`*:: + -- -List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. +Province or region within country. type: keyword -example: *.elastic.co - -- diff --git a/packetbeat/docs/index.asciidoc b/packetbeat/docs/index.asciidoc index 5f1da41e677..7ff9a667c6d 100644 --- a/packetbeat/docs/index.asciidoc +++ b/packetbeat/docs/index.asciidoc @@ -57,4 +57,4 @@ include::./faq.asciidoc[] include::{libbeat-dir}/contributing-to-beats.asciidoc[] -include::{libbeat-dir}/shared/redirects.asciidoc[] + diff --git a/packetbeat/docs/packetbeat-options.asciidoc b/packetbeat/docs/packetbeat-options.asciidoc index 490e49f3ed7..32d9c473054 100644 --- a/packetbeat/docs/packetbeat-options.asciidoc +++ b/packetbeat/docs/packetbeat-options.asciidoc @@ -31,7 +31,7 @@ Currently Packetbeat has several options for traffic capturing: The `af_packet` option, also known as "memory-mapped sniffing," makes use of a Linux-specific -http://lxr.free-electrons.com/source/Documentation/networking/packet_mmap.txt[feature]. +https://www.kernel.org/doc/Documentation/networking/packet_mmap.txt[feature]. This could be the optimal sniffing mode for both the dedicated server and when Packetbeat is deployed on an existing application server. diff --git a/packetbeat/flows/worker.go b/packetbeat/flows/worker.go index 8bfce02084a..56445801781 100644 --- a/packetbeat/flows/worker.go +++ b/packetbeat/flows/worker.go @@ -213,7 +213,7 @@ func createEvent( "duration": f.ts.Sub(f.createTS), "dataset": "flow", "kind": "event", - "category": "network_traffic", + "category": []string{"network"}, "action": "network_flow", } flow := common.MapStr{ diff --git a/packetbeat/flows/worker_test.go b/packetbeat/flows/worker_test.go index dab0d11eb14..15cef57cc25 100644 --- a/packetbeat/flows/worker_test.go +++ b/packetbeat/flows/worker_test.go @@ -100,6 +100,9 @@ func TestCreateEvent(t *testing.T) { "end": isdef.KeyPresent, "duration": isdef.KeyPresent, "dataset": "flow", + "kind": "event", + "category": []string{"network"}, + "action": "network_flow", }, "type": "flow", }) diff --git a/packetbeat/include/fields.go b/packetbeat/include/fields.go index ff955217366..19f604c880d 100644 --- a/packetbeat/include/fields.go +++ b/packetbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "eJzsvXtTHLmSOPr/fApdNuKHOdsUD4ONuXcjfgwwM8TamDH4zJ5Zb9DqKnW3DlVSjaQC92zsd7+hTEmlegCNTfkxy5zdGbq7SkqlUql857+Q3w7enZ6c/vz/kCNJhDSEZdwQM+eaTHnOSMYVS02+GBFuyA3VZMYEU9SwjEwWxMwZOT48J6WS/2SpGf3wL2RCNcuIFPD9NVOaS0G2kt1kM/nhX8hZzqhm5JprbsjcmFLvb2zMuJlXkySVxQbLqTY83WCpJkYSXc1mTBuSzqmYMfjKDjvlLM908sMP6+SKLfYJS/UPhBhucrZvH/iBkIzpVPHScCngK/KTe4e4t/d/IGSdCFqwfbL6fw0vmDa0KFd/IISQnF2zfJ+kUjH4rNgfFVcs2ydGVfiVWZRsn2TU4MfGfKtH1LANOya5mTMBaGLXTBgiFZ9xYdGX/ADvEXJhcc01PJSF99hHo2hq0TxVsqhHGNmJeUrzfEEUKxXTTBguZjCRG7GernfDtKxUysL8J9PoBfyNzKkmQnpocxLQM0LSuKZ5xQDoAEwpyyq307hh3WRTrrSB91tgKZYyfl1DVfKS5VzUcL1zOMf9IlOpCM1zHEEnuE/sIy1Ku+mr25tbL9Y3d9e3n19s7u1v7u4/30n2dp//vhptc04nLNe9G4y7KSeWiuEL/PMSv79iixupsp6NPqy0kYV9YANxUlKudFjDIRVkwkhlj4SRhGYZKZihhIupVAW1g9jv3ZrI+VxWeQbHMJXCUC6IYNpuHYID5Gv/Ochz3ANNqGJEG2kRRbWHNABw7BE0zmR6xdSYUJGR8dWeHjt0dDD53yu0LHOeAnQr+2RlKuX6hKqVEVlh4tp+UyqZVSn8/j8xggumNZ2xOzBs2EfTg8afpCK5nDlEAD24sdzuO3TgT/ZJ9/OIyNLwgv8Z6M7SyTVnN/ZMcEEoPG2/YCpgxU6njapSU1m85XKmyQ03c1kZQkVN9g0YRkSaOVOOfZAUtzaVIqWGiYjyjbRAFISSeVVQsa4YzegkZ0RXRUHVgsjoxMXHsKhyw8s8rF0T9pFre+TnbFFPWEy4YBnhwkgiRXi6vZG/sDyX5Dep8izaIkNnd52AmNL5TEjFLulEXrN9srW5vdPduddcG7se954OpG7ojDCazv0qmzT2nzEJIV1tr/xXTEp0xgRSimPrB+GLmZJVuU+2e+joYs7wzbBL7hg55koJndhNRjY4NTf29FgGauwFN3VbQcXC4pzaU5jn9tyNSMYM/iEVkRPN1LXdHiRXaclsLu1OSUUMvWKaFIzqSrHCPuCGDY+1T6cmXKR5lTHyI6OWD8BaNSnogtBcS6IqYd928yqdwI0GC03+5pbqhtRzyyQnrObHQNkWfspz7WkPkaQqIew5kYggC1u0PuWGvJkzFXPvOS1LZinQLhZOalgqcHaLAOGocSqlEdLYPfeL3ScnOF1qJQE5xUXDubUHcVTDl1hSIE4SmTBqkuj8Hpy9AZnE3ZzNBbkdp2W5YZfCU5aQmjZi7ptJ5lEHbBcEDcKnSC1cE3u/EjNXsprNyR8Vq+z4eqENKzTJ+RUj/06nV3RE3rGMI32USqZMay5mflPc47pK55ZLv5YzbaieE1wHOQd0O5ThQQQiRxQGcaU+Haycs4Ipml9yz3XceWYfDRNZzYs6p/rWc90+S8d+DsIze0SmnCkkH64dIp/xKXAgYFN6LdC1F2rsVaYKEA+8BEdTJbW9/bWhyp6nSWXIGLebZ2PYD7sTDhkR09ijO9Pdzc1pAxHt5Qd29llLfy/4H1a+efi6w31rSRQJG967gYt9wgiQMc9uXV7WWJ799xALdGILnK+YI3R2UBOKTyE7xCtoxq8ZyC1UuNfwaffznOXltMrtIbKH2q0wDGxuJPnJHWjChTZUpE6OafEjbScGpmSJxF2npL5OWUkVnOIwNtdEMJahAnIz5+m8O1U42aks7GRWvo7WfTK1kq/nPLBUZEn+Kzk1TJCcTQ1hRWkW3a2cStnYRbtRQ+zixaK8Y/s8t7MTEG3oQhOa39j/BNxaWVDPPWnitjpxHN+1t3lSo0YEnh2wWj+LJO6mmLD6EbjC+LSx8fWOtQmgsfkFTedWJ+iiOB7H49lpmwOg+u9Oj20iuwXTi2Qz2VxX6XYsxuiGDFMZKWQhK03O4Uq4R545EITWr+AtQp4dnK/hwXTSiQMslUIw0BhPhGFKMEPOlDQylbmD9NnJ2RpRsgJ9sVRsyj8yTSqRMbzIrbCkZG4Hs9xNKlJIxYhg5kaqKyJLq0dKZQUer+SxOc2n9gVK7H2XM0KzgguujT2Z1164smNlskBJjBri9FZcRFFIMSJpzqjKFwH7UxByA7Qy5+kCBMs5s6IvLDBZ+sIUVTEJAs1dV2Uuw63d2Ap3JeA4VhGVKQhXDqLONjl5I3wdCN7tohvo2cH56RqpYPB8Ud84GoXngHo8EyeNdUekt7W79eJVY8FSzajgfwJ7TLrXyOeICaCmXMZYjlid1+9IV+UjIGOpQu+TKc11fSNkbEqr3OCQzR8be/A2WhPM18HDz1JaGnz9+jA6g2nOW7rEYf3NHcrEgXvTHjZPj1Q7AuSG27OApO+3yR1BC95UempzSoJiM6oyEB6tbCiFHkXPo+A44Whu49Jqn9Nc3hDFUqtXNVTXi8MzNyreTDWYHdjsF/bxCDI4gJqJoDLYZ87/cUpKml4x80yvJTALarulYyGdqdCsZEW7xqRe11FgM2PawuGkcY8lo6jQFIBJyLksWJCPK416hmGqICveVibVSq1ZKzb13MqBIloL1Hj03M9OD8SdnbCgB4EeGCHAHUsLlpj5ba6niOFHjdYRkZ/A3l6VrixC3Ki1AsaFBe+flcANAH0MNSxvyewZrMavkKYzpBWscL/W4UR7E1IwPOF4G36eYCqEw4OiGs0yollBheEp8H720Tipjn1EeX2EQpTnCDrIdkaSa26Xy/9ktXJtF8oUKNyam4q67TiZkoWsVJhjSvPcE5+/ESw3nUm1GNlHvVCiDc9zwoRVLx3don3SCi4Z08aSh0WpRdiU53lgaLQslSwVp4bliwcoVjTLFNN6KJ0KqB21aEdbbkIn/wQ2U0z4rJKVzhdIzfBOYJg3Fi1aFgzssiTnGuxWJ2cjQv09KxWh9mL5SLS0dJIQ8o8as05MA8Nhza/njCh642HydD9O3BdjRFlTyhRWCa+FyKxC2yFejeOEl2MLyjhBsMYjkrGSicyJ+SijS1EDASq927Faikr+113gVCdPd3gE1WRhmL5HtI/2Hi08zdcagPxof0DrTvCwuDPpSAJZZ3er9nYagCFhD6B0OB6O4yeNOWdMJik3i8uBDASHVmbv3Z03VkdgNO+CI4XhggkzFEynkbEiTNaB71QqMycHBVM8pT1AVsKoxSXX8jKV2SCowynIyflbYqfoQHh4cCtYQ+2mA6l3Qw+poFkXU8Ae71emZ0xelpKHu6npHJBixk2V4X2dUwMfOhCs/jdZycHVtP7yefJia2fv+eaIrOTUrOyTnd1kd3P31dYe+Z/VDpCPyxNbNkDN1Lq/j6OfUOL36BkRZwNBKUxOyUxRUeVUcbOIL9YFSe0FD2JndIEe+nszWJiQwrlCiSpl9sZwwvc0l1K5i2cEFpU5r0Xb+oZC8HJSzhea2z+8hyP1x1pHIJxKE7lxwX/D0e5QwAU5Y9KvtmuHmUhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzCmoji5T0whAeaxHlyFoQ0zxHhsogpC42x3pDjXYsnZ9c79ouTs+sXtfDZkrcKmg6AmzcHh7dBTRo2b5O08dJ7rG/BzYVVL1FLOjmzEzmdAQNTTg8uggJOnrFkljhrEs1jQwFBbdMbmhqujXBWIp3TKrVgfhQzkkuakQnNqUjh6E65YjdW5QEdX8nKnugWxu2iS6nMwwRcL+Roo3i/1Btjw47/veADddsHyHuNVZ/h258k3W034ejsyTJC5+37ceb24Dbit9xJG6ZYdtknVz7e9WaVmzmfzZk20aQeRzj3CBZSlizzIOtq4sXRsP8/1T4evKai4ZwuOpUKwkiSGcj2SSqLFcI1WYk+t11PGE7jXEoZM0wVcBWXiqVcW10L7CgUtV9wxEIYUTXJeUp0NZ3yj2FEeObZ3Jhyf2MDH8EnrI61lpALtbCUaiQaDj5ye/Xh9TpZEM2LMl8QQ6/qXUVtOafagF8DY2lQMRfSEFD6bliew9ovXh/Vzt+VVCbV1Ur3Lq2R0SAJI8tL2P4vQBFsOrUH+JrZWZ1M4/bwGbt4fbQ2Qm/OlZA3wlvJGmARh/qRN0cCikpak70bD67ILvG05w3DWjzWGALq+b7JBkjmNoqpN2I52oHvG2RTaaaSYSkm1sjQcC0VmoPt5OijKhiYSeT0No5BBXl9dHAGoRC44qMwVEwqq93VsYLyfKDFWfGfwAReZkm6AEyrPO+RJL9Lw4xd8KomdkkwHSgY9JrynE7yrjB7kE+YMuSYC22YI7EGbsDO+tUIEGYfngJxkYPF4HTjUKYu5grX513lYJHcKHNqrATSQ6gI54DqcrwTOFkXiDnV88G0dcQU8B07j+XJqVSKWdG3EfA1RcM4MChBqJBiEYePohAXkcp7zVwwyxhWwTM0aMMHu7pxCDJMpZjiXtG8MScVmb2SakcO8VHBfUQ1SExTh5SCDgZzdqF4PAX5q7G087mVttGqAsGFXHQXHfE0Cjyt4TmWFS4vOI79F7f7jTHRgCDpBf8CDEXAGTpVNAQf12GV6ADCmCSvTkBkErk1jHJK3jCjeIrhTToOn6KCHB9uY/CUpb4pM+mcaTAqRaMTbrSLXK2BtJTbDLhuRM5yHcJymiC4cVUlXEisYoU0IYiHyMponrFopjZkCBMlLmbTL8gTmKhfdQaxZmw4DloPBMGpbnKv8tlhua5BdQh7iIswBXPtcFx/9aJGEM4FQbmx44RnIdDanegFyfh0ylSssIPZj0N4sb0H7TFcN0xQYQgT11xJUTRtRjVtHfx2Hibn2cg7ZYD+ydt3P5OTDEOhIUigajOXroD64sWLly9f7u3tvXrV8nOhiMFzbhaXf9aewMfG6kE0D7HzWKyg+xFoGo5KfYg6zKHS64xqs77VsuC5+LXhyOHExy2eHHnuBbD6Q9gGlK9vbT/f2X3xcu/VJp2kGZtu9kM8oDgQYI4jTLtQR/ZG+LIbKPloEL3xfCCKmbwTjWY7KVjGq6YyXip5zbOlHNGf7eOCs+YnTPzhjPN+6I0eEfpnpdiIzNJyFA6yVCTjM25oLlNGRfemu9GNZaFRfKBFOZv4Jx63+DqWGbvUfCaovTob97LMGDlv/HL7BX0xZ5q1E0Qa4hrcdBMuqFrApCRMqpcPOcTg8HtEqImUOaOiD20/4k8gydIShAWOcZYOFos+F9XT9akZVbHVMOwt8pIHVRtqqsGCXg6yjLuQti6WgdKZstdGakV1BKUnDr1COdyliczstZ2qRWnkTNFyzlPClJIK87g6o17TnGexR86qUarSxs9HXjN6zUgloqgtPIb+1foVfz7r8cOwN1STSqRzll6xnhj/43fv3r67fH968e79+cXx0eW7t28vlt6jCjMSB3JcnePwDYYdSD/wuzoMgKdKajk15FCqUjbC8O9dCqCRLXNf3nE8Vs+NVAzl03gre7aHpPOmyfrvdk8pRPrVr9/2HqRhYeKdD20ageRq+VitNYIo6uKgpMgXzRysyYIYKXONUWwUzAyQFcPSK5RNkQ47JPOwgwzE+pl47ec7aGKBK6XJga6ZsiJfRujMCuGRNjdnNQ8Vpilp9h432kD+PWdpGcTUFwcweUfG4c6Iv7wjDjg82Iz1dFGYnXzeKMOwZKldjQMyQIFE4Ozjzhsnp/EgUXJ4dFfNWV5GVg1QdNCLF4bWToUSC3uzGh7MVsvcWEMaHurF86wp/PGCzgYVRmOhCiYLIUQIkCW0ScVzY/XAHtAMnQ0EWU1ZDi46a5mZo5T1u6ePUtfvSF5vi+kwq8sDb8w74HbUi66jJIIcijQ7lCCKo5OCCjpD5s91TQgdIQpT5iM+EoUcx5zkqPX1HbwkevTu0HRkuNHTEHaEbvGNZuZ4z5hRNPp9cejIflwc+rcYKN2I814qWjrcMq7axCNFS4dhIWr6KVr6KVr6f3e0dHwwfVCNKy3T3q8vFTIds8KnuOmnuOnHAekpbnp5nD3FTT/FTX9PcdPRJfa9BU83QCfDRFDz0s4W3/T3hA2zRrxwqfg1NYwcvfl9rS9iGE4N6CHfVNA0ROlGxhm3UjDZ1LgxkkwWgIkjBiWGHn+FQ4RBP0Bs+3Kx0LfS8tcOiM46EuVTVPRTVPRTVPRTVPRTVPRTVHSb4J6iop+iop+iop+ior9llvbZUdFZjteL9369fg0f7y7Lu0zEFcSb5HyiqOJMk2whaIFqlEe5pJmvfOyKrIJJxv38hoqFq1IXF2l1JaMkWdFzCkmOjXlWXIFcHz6Lhh4fSzepQjV8CPBgBseDWvQ0zz3qpjLP5Q0Xs30Pzd/IES5gPefiys23IM/GSZbn4zVX+M6riFKQ37jI5I2u3z9HcN9iZM6zcaJl33vvBf+4DjJbZ+0dWBpgLHI+6RuwoOnb8+Vdgc2wvOQ7intrQf4UBvfth8G1t+yvExXXWtlTkNxQQXItRD/FzN2CJysxJkW2OxBDfHO0i1M8CB49p1sDAXT+y8HWp0G0vftiOJi2d198GlS7zn47CFS7W9sPg2ogDt3Qdp1w074261KaBS21N3rHPB1aHUlBMq6vusfmiinB8ufbiZd8l1huSc1Qat1PVZ4jxHaSztpbwB/uf3CC5QesOf18+8MnLQgsjCUVi4GWdRLKzuA0nQ0a+WSYjEBrjqLkOVuHGNdHvYhLlkSADb3alov8ExZ7RuM4gvsXZ4e/7K2V/viru24WTn/gyl4kz5NXLzY3k62XO1u7D1ii7+BzCWsdNNHNLfRziPX87ODk9CI5/o/jByzRNdAZel1ums9Z30o4jR8+Hhx7NRf+fhsUVuRNK3cjIFggRKOs/tHp+X0WiJ8asbZ2wqPTc/JHxcDSYAVVKvQNi1p32d9dYrYTWBmHZNdQSrmuee/HWpBScQm2hhkzWEkah3WDPhtnQkOa4z48P15zTXQWfpJ4dLA6+1LMaC6r2xm5EXHaEDqs0VlCdWybcDCgWH3DFKv3Di2nXOM4XSjx1fHaQyKDGyt+9Jj11QNBqFJ04ZGBWHbvo5uIpnMHBtGu6rliplIiMmj6ZniuDFgkMTAC1u0rtnAoq+N1/d7gFmjm+7I1wpEnC3J8eF63zXiHJdxxrLmV4aGtQmwEKOrl4I9+ckFu7FvHh+du+HYEkt1mS34Q9YR+fOxaAr80Q8rtc57MyYEhBRe8qIqR+7K2CrhFFVbjiztoje0sYwscpP53lsF17RsZWWErDEntaCkIK9z4No5Uk1JqzSfob8igIrm9+WltKnFGQx933A8o1STFjjaNOPYWRSZpTgeLWMecfYrROWFDfG5BhhTDofERxpRgYf8Oszw57QU9qtswiIsboI24I0YstDpFusPBKBZN8HF0+GrJRKa97wWyrIFheZTEA/q1dwTtrc3E/18vFoaMW7xoOuEtxUXpyi3QSYll7nWzcRB1xhA5JYenB2+O7YGYMIss+35+zbJRzJxWVzUZo7OkZjEmyl+QwjdekkoxXUqL4mDZiwaBc5mQk8CrhDTe094e0zc3HEN7Bh8sP7Y3D4PGpJ1tubm5SW4Jw/A7Y8wyLufbApUs7iEzB2LIrsFCajk3rBcQ0LsJ3uZE03nM2NkU+FIjz4LrlKqMZQn5nSnpc+gLsNnMXSgqstAaf5MaaThFT1x7P50OWMfgYl7XMPhEFgOk2bQYMJoxdTnNfXPIIczfcGfLKdkmOTOGKeCSODOBmRuFSEpsZVQXO9gnBwcjcnE4Iu+ORuTdwYgcHI3I4dGIHL3tkKz7uE7eHdV/NuPHB3NP2x2yS8PYvdhNTTWYjeuWt0rOFC2QAkOb3oAE+wiIZZhcEw0EWWslr/NxkDnoHg1qe2trq7FuWfbEFT/64p0nSgo0l6MYhemwzhx9xQUE0KEA25BpSWhpGkcvQS9G43FXN4fBwHIcBmVkwAw4CeMxb8XRr++P3/2jgaPAGb+YxODa/LjbAvWSe4WDBgMf8l6EC7EFWnzvBXNaqyCTkGK9VFwY6NeXzim0tFaaPJuwXN6Q59uQeGchIFvbL9ZGEe1L3Xij5uVBQ8J2TEyntLRnimpGtjbhCpnBHB+Ojo7WajH8R5peEZ1TPXca3x+VhKSmMLIbKiEXdKJHJKVKcTpjTnfQKKPmPEq/mzKWxSOkUlwz5YKDP5gR+aDwrQ8C6I85n8aD7tiwzV89FvYp/vWbiX8NRBGQPyQxhElAxastC26BdQvBDol2GYUbaA4qoUusAKCBEYaZRjVqdDXZtuvcShxWgDRGDZzXEDacjF57rcdYGSGJCEmMojyH7oJMcdkv+PYj/Sn6GNnfU/Txg6KPa/r5MgqC05PuFioODg6akrHXVS8/J4fooGOiy3NycmZlOAa1wMaxaWPcsjH4H8fe1Odoh0+nPK1ysCBVmo3IhKW00sEyfU0VZ2bhlaOYUAtqtFUK7VAOrIQcfzTKt/wD+KIKAx5Qg+3PJQGraISccS2uQst3boI5C3slZOyjfbuwVBIPjSIBvgS/M6o5hKiFEevmeiipWOF2Krt1FYN20zadNL/bam8wSMJfQhHwc/WnGp6+hVigBnQDno3V+HAEA78P2chGDtFWJgX6a15e0MOwLtcTOQgglGXGr5mG7oWRa6HRzhAeSxWLQ6UyocMoU4St7SNYFooaAG/wd+6ABhCt+aGNOWChZMqt/5ks0fqaL+wQWspwrzhtDU/HWkIORAb1WlMpasXVYbV59m93VHh7vtXjHE/o8NJg+A3V9dKGC+j48D4X0Btm6HpsrPbVmZw1evnCfve1mVbsj4orlkGhs0eIcDg+PA9+VLjHAn7tYjQxMiFjlurEPTTGCH8PRs0EQTAC1lNpg/UJIdo777QPJeS3ORO4Z7CB2LU/yGtcZDxlmqyvOyOpc2BYgCw+dc5nc5P3FaWNVgPvR8G1ObMs2upvyrUppdk/Lag+TTGds4K28E8873dL6BqVk81kM6YcpWSjENhx+GLpEGZoQ++dQS7iEsh3AXaNgMf32NC2QPkBn3NuoLJkUNAlZ1gC2aLZMwIIwk+pvYVu8PYJdgzce240y6e1ok0Fjv4AN91AyeWATDT6tNwJCOCdNrhhYvpDekgPBM7QdA8YUfB9z2K9saoxsDY0vbq00sVfIQ3qAoMvU2jenLLg+wGMWmItc/ARso+tfkZfSNANuzvCk+ZK5ZpgYovDF9jHlJV1pnHEKv5Jr2mSUzFLTqs8P5Pgjjj2j8c85LrVUfz4eomG4qGRb28hQd8duT84PJdeXcGag4qnDV4QWM6BfbTVstyyh/ad7G9iaAhWMDPHcxp4U60pvJaBM8HFwUWaV66OO3htqAmuMtC0xKweI9QUtxPVi3Dj+aGoT+ewVKaML2LvStPXDdadTR0VmpDW7sb0/m/Q/eLE7RGW9+rp0j5h5saK+TS0Y3byjLoObmaczDU4Z1DDP82ltms78DtxP7qxlIQ/x1JBbS0otpOTglFdKVZgFwAImu7DbPQYBPoaesUCDcdojsmjxnHBCgkRKkxDP203XFZj2rXVvuaBZxlWgCG/Uiwh5wz3fIzl5+xFN8Zlc+MKPANT0HUL/MiTH45wHJHgILXzamP19MYlvlw1/iWq7XyyroCjBwXBOx+a9feclSPUk8FCk3FYhIjeIidQ+hNIoBZB51R4vPpO6OPadB021zKMMSBknWbZeETG7tysw7lh8NWU52wdxfxsjL4j70Fp3AYg30dBK1gfs8yBwvpq+FeaqfWSam2RuY5hSU2ZwoE+zHZgAgwcpCmZWjXIypKHOKcvkoaBXqhhg5RKDe5IbQsDZcUZtNzW2IE88GTOmaIqncdxxO29qcU/3O6VCZ+RSQX1NlYsfNGInOmmUS2SyHPDlON2rSn23c6OycJdFkFMx94izsrlHgtjQtoENwvnO0PJmmvkWfki7kviZrSbMnad/l2KkWVj9YhEVxMPVpvqw/hejXPzgg2N5rm8sRBa3TJtbpS7d9ySIlMcNVYOga0J+kaEya5qWJm5FfWiulu3y7iPZ0o4cfJlGrk5QzQdLApyxUG/hoy4CHNRdUsfslVpFi6NjOlGZw8nYGpSiajU5YgoNqMqy+PdB+4PTxMrx1T2D6mIXR7ocaBP4UUjr5mCW8Zq8UFk8pIdj7eE+aBNlHPIyVF3G3Ze7Ow1kY8c6B5ekNXGiCZ+3WnAQTrtaNgG3I83VksNvBVuxSlXUUKNYhR4m6XOGeyJVPYzWFFKXrIcej/cQtMZtzJE6orn/F+oH2poUSLboCb+ysRtUE1sJQ+3OUNro5X3fDGeEI3TvlJOBCnslay5qVAZHrmQQ3MjSZjWHbQJ61G5kfX7j2kczSJ8pjVmLOUpJBS5Sjw5hNWgYBRbm1yEgou3RBKvmUQstsC2wKuAdNyTkLGbEW4cl2hBUkjBjazj++ohVldBLfY7Zj/6Xi5GkivGSlKV6EaAl+LD1cSqVasR0iYe7dWKJy6l+Sje2dq9G+Wmx1lV25tbL9Y3d9e3n19s7u1v7u4/30n2dl/+3oxCzKihmt1XQenzKz7gNK3ANNHACLpWwBFeYClbKjDYzOlTVoWQyl83WN+Lpo17JpezkdP/cjlbG8WTh1vESCfjLOratdF5TWURld/Ddlc12LDpiqWyKIBnQy62kCZYtmB4K/c05gZVLwTJFTKr8pr0sYYHJmuj1ENJJrH9legM03PZlDSdsyTCRdjeSi1T+LGnQlbrTS7Kylz6HwUV0kXCef2vMvEDVL/hec57n0EHG9DIVi/hHLmpGzY0Ap7AMG2TkpBPIdbtmcfPzKpNijkfpKmdfo24xj5e5BkNzC4yrwrYPeWd6iJMLBO0dduVUoPauU3aFwnSm704/fderAqA27sGfIZyAupiq6r9gGU9fqF6Tp6VTM1pqe3h08Z+M+VixhSE26yB84/euJvMSLsBFP1Ske2nkEIbZZcPJgMwvFrJsU30dT+pvr8Ofjw8+mJWvZMju5pQMj1Sxlow79Gd6e7mZtaETMxYN6l6eZnkItwJQBeBq1Kl+LWPwGRQfFTR3AWUGqk6EgbIFr7eBAgD4/rCiWXxFl16cSFfEJmmlVIsSxynrG/iXMvO6A1pKp6gYBR7ovu8ZUzwsfd1VImfBAGKaHrTqwOfCKdU2tOFSr9Vw7SuCisxCEns2kDbGQVJwd293jU1V1LIXM4aRT/sVSOvfFgA1/sNXJH/r724+hu/3eOl7uzdZGtz6/els6OveJsZfWN6rg/g+iRFF4076FG0A637Udq2SUhP8WJD/LPp1OH3XBcDcKDFFtrxIkecL1IdHKK13aRXg3bxwV5rQX6HYvus4npOaM6U8YIMnIWGdawVd4CXVnO0loyKayRzeePkcYsqgKCRLRZdcGRORZZDXOGcLcBVdmNVZWGiY6qYXTMYK+svUcwAhCiZ16vmBkaBkw5NYSAASxtLDDdzBmlqIaIdW4qCo8+AW3BW5VSFUPtadVRWuOoReXLm6n4Gp0ksUw0myOIsUY4JRD3DWtqSovOKO/UBFBTkVVVZSuVMNKkUKSsh5AmHRo0ir2YgCXQtKbVbnsJJEF56Rnn4AERBuH/XRv7c4MjjVvhZQxWsXRFgBrTP3yZnNrDuef8QeH9nmTr7aILxwJKzMFyF0/fekf8dUsMtSrSV2CEWhqF0l8n0MuphmHFtJZMMDKNYDgzUWWY5E8tqorfSv4vfgShgozi79rr0+BL3pofVn7OSbL0im3v72y/2tzbR0n14/NP+5v/5l63tnf/3nKWVXQB+ImZu7xFoEcMUfreVuEe3Nt0ftRRoeYGu4JxOK3svayPLkmX+BfyvVum/bW0m9n9bJNPm37aTrWQ72dal+bet7efNOruyMlYx+qYvF6s+ferd4tY39sF4GRMQiB1zLrwxIiMr9VgGX06tM1KeW6klGFRKpnyYdbg/oIo7GmwwnZllvSLMqTQuVQHFO5/eCzWfnSsgMvRnDRMlcgvM72pdfJZX+6ItEXev764WYkbQehctdngn8tomEi0wAv3AXgUiwO8FUYqhcXAJlLLy+hp5FtaGn12SGd7PYdA6PBdFMrdG0PXrimh1cmyoSxO0b7xP7ejRfahDxBUyZnkN1TniDV5qW6/jsBK3sXHI1k+VAnqq0SJcwqzj7GA6g4RcK91qLVPn4cN9uEXkMA3uVtcWsYPXKJi23LSWMvysZh6b3vetRDFu9G6lYhFEFlBCOeQMesBIJhny1YJe1bujmdA9V4lDa4PFDNzGdvU8xKf1nTM0IsOpwuvZh9KeL7SzPHVtzq/lLLKxFigsNS7WOijOK2b+TulpFEG0nJobqthd2VfusMB1f77QhZXO5saU2Ro2v56ib8T1OHIDt4vwhRGfYdmVUV2dZN0tcd3fQesHlVWdxGzttio0jW2ESoSROeXR9/Gdn4C8f/ea5Fxc+djqu4vZeRdIWyjwo2D1RPD58jT2ITscRiOQg0iCH4XrqJHIHykt+yCuWhaqGPK9QgrwrgAzDB4a7M3VQbLdXb2/seG6Wl0zkUmVpLLAnmsb/7K5CaaPZbVExfXVpY4u79uu82kuaW+M0TuurwiMAOKq4lJxjHBuU6h2RES0zCvQv6Psp/eaOWM+rAzM6c71gEx6zlS7GV+A/dJq9kvQ2K2LWD0F0wD/k2Uw7D0LGmFMgk4peKTCIjYt2WxtbvaYUwrKXQlLV5d2ISvY9qaB2x1VLDAH6Zg6Akg3/Rl2iBtnHtHMkpOol4FYc4GRcH1hyc2WyVKzP6olT+jDelScu4F9a7VbeC1EbrUehfBQhN87AsAUrjtuyRF4ZehVM4WcfaSpIVJlzncdVN/IPxl7J8OpDuazYJjuYOuaRR2AHqXNBGYwYrBNmKB5fhri1l3+o99CrniQ4sKIcU55lK+AT3kzt3f30ihc2jMnnTifR1V6U0gUjhF2AoJ33KzcKVGpFJprEwtEjjJjywdce/YK7K3r4C7fsJ4Js2iGvobjXM4SDb8n/vcklRkbJ573+q/rpIjYuFgHy2LNFTdFW8xtOqmQq/k2KfXRPDk6X0t8NlnjjSAXObIm3OrvNyLMiJHwVh6vQ9zDuKksMQjm9uVGURNhwd1L5GWTpg1dqkXN3W4L9Inc67hwYUCx6yKiCHRh1G7yW3wX9pz+WXeZHCAL427tobEkeyBqxmF3OCwILQsuGNHB3BRHcsVotnCU5C5rT+i1/Tm6JvEAeuIg0ioQN1w3VK00ZSVmNIdJfX4R1Cmg9vhLATL5yZGbfOW4UrJkGweFNkxltFiJsp3pZKLYNSof/vHzi5U11AXIL7/sF0XNTDjN/VPrm7v7m5sray022o26/cbMB2bO1SeGYEG0UtMy0IosWtHVZB1jsVbgph8hSWFcU3R3kFpR7cR3IXkiTx8RJux+6yhgy/HVDPydMrJI4KIg97BUdktB5nTatk/ravcb+4KhVE7hX5SdxmWVGqptyGpbexAwNhSY8xKZdM0pK3uEr5k2fOZX11S9l1AsBJxbPzSmUHCxnrHSzDuj45XUbNVO0L0GQlOIdXe5YgICb0mZ05Tdqp3copXUJ/6ztJNi4fSTYuGyrK2GAnNs7G6/3MpYNlmf7k4213e2t/bW915ON9d3aLqz93KTPt+bsru1F08PU+6M/C7G/Sf/+Y4Q9wMsTNqKh4bCHR3/EISaazKxclEzWMyFbNtfIXbOBynbsd3K/f7/BJVbXR0wJ3ZFphw44GDx9Vvko8D9ZyqyDanqxZJG1MvIVaIIdsPJAqc88XZv8qb2OvznTydv/suXTNR1vLe9ZHnK9FqCL7vwf2eF6Wn8TSHVmGWIzdZ6/HGMvMLO1PSguGmMxfoMwWT1NXVeYhJq6FrRwg/da1n1Jrh6KzWGbxlF0yswqaAVsCf8gxqj+KTqdDYeoEgR4j3MF1//4UtsFIHs+ZqqhaWN0G2G/MIUhqlBFRT2cU4rDeZLSGCXU3e3NLm1ZQvM1z7y8fTueNr7kF+zEdhyIZE4G9X9fewdBY0AYpcJ+8jSyrARmfMsY2IE4ZD4bynyxchxyBG5Udz0mA5X/3PFP7syIiv49Mp/fWql9afOEE+dIZ46Qzx1hnjqDGG+784QvaH9D5MdQA6CcUAYhLrRS4oLEFGHxNZ4vykspFH42mNJN7VA4GQuihE2kAnVL+/gb6GALQzjNhAlh6oEO864sFONncrH7VlhmoxhFeNIX8Vgf8zjwNrbwapnHx1ZTTMNw3lt0sMdV/Bu4auR9/fYVxw2SHa+ad3y1gWA2kSpW/31g7AzFJShwWHIug/qDLRyd1Eqjk3FebCZ4tdRdAQUuHRmh8gU0FnhxlwWbIPmHvNhpXa4SxzmcxfbS9xHCkRRLMR5x2qbhglgzIrl7JpGlua6dVlvNF2UPlGWTFlFFy+AhvkOrs+8r1X+4bJcCVAzYFMDYFlhks5els6uFJrmD1Zh9Ezxwl4E2O7y5Ig8+/nkaO3Oo7S6tbm51TzwtX44NITt3gE9LQbbB+CL9h76Sg2GvmIXoa/YKqiOxR8uOfPEjl3biL2gitxNhL+9Kal9VrZ3Xzzfe948LQUv2OWA1SzenLw5xjhqf7v47E+AFpTCZrciRbRRjELcyWRhIlNCpaEEgzMW3tzcJJwKmkg120CfNySAbhQs43QdLMHx38nHuSny/zw5OD2oWfx0ylNOc7Qb/9fIXRm+3FmC5YJ6csms/FGC3D9x1QTDmJjeGGK/o6X7TLtlGX8xHCW9sYQUo50LIlMrtgfqor2lRFY3X+xstkjoMyXSHoE0SJIUQolBdWgeswFLA5+2G2jhZR7q/fibso73N3FH6g7KfHHP9kUqb8RgkWpoPrYTrIIFRUHa3/330+O29/pqdX2glRh0EYv0k1FrI2FvsTRoR/ht6KdZJFQ+TPjduG3vn7qOPXUde+o69tR17Gt2HYtCefifDwzk6zF62UGsGAEyW6Qxv42Va+SeUMrHRTxwTVbsx55Cw1svnu/tNAA1VM2YufyL3FIXsBq8pyCYYlGAr/+LlZqDfQMJ9RlSYcYVeKgdJGsd6gvu5BBcMWi/ESu5gCHgPRgCVB0LHJVBfHbeshKg4HO7rSBYChhmjbs4gJ/dxzvCAH5mMq6VmVKlFpjEh04tWgv+YGrCDm2hMFGwpTdjPVwzVxleib1lobw4pmJjwCNL55A3XqcYWMhOzryLVCqnbKh1XVk9JdjGlyqhyc1iKP/Sod28XmH0jRRW72tmAmDsDBOD+btOG34uN1m3nrNUZk4OsLBdC8BKGLW45Fr2lJ1+HJThFOTk/G1/tenDg16QhtpBB07vJh5SQVvWbU/V94AyY/KylLHsFauIUsy4gYqKIiM5NfChe8L/m6zkUqzsk/WXz5MXWzt7zzdHZCWnZmWf7Owmu5u7r7b2yP+sfilVcvW9PYI+ZKglnNKAmpH3d2CQnZySmaKiyqmKXdfQTjOFCCvLbKIr9jAuRhLJFly5VGmItMZKS2SaS6lcyPwInXZxlb8wKIKXk3K+0JglB/mGI2APGCPS6tlYpzFBSCIXhFZGFsD9IvbWvegnUhsp1rO0sS+KzbgUQ56sdzDDXQdr/dfDPpgGOloOnt6T9WvFJiz9oc/O7e+v8MXtN5i9VNF4HZVq7Qlnh2d0HbzTco7EYe3LFxgftqdIo1hU8HiZsGDIDimYSyq5raUPFeT10cGZvUEPMC2z9p7F3USaLGQwIej2os+4KNeXEi2+GyFK60vxtxjnAFDyQ0+pIEefv/jP95QSnmPVHyDPmiLrnBP4neYzqbiZF6GyLFcu9CyKoWR55qLZsBIxhKXOsVUWhpq/OdodgQNjDei8VMxx64QcZJkHYxpCHjEC1w0xWUDCuEqp9kalJnDIjC2AaLvGehaQI6ZZSRU1MnQUproRXf1MC3qF8bMjgnlwc/r8cndr+yFNi7+0q+nLe5m+joPpS/qWwnmSulGb+xf/+c64ZQgSbsctu+xusDRUBsuoaENFlDx1fHgO7yZ/84fg1oz4bpwvTCpFXeQ51ntCEW1QNUGhua8YNKwVnTQtC+2cquyGKjYi11yZiuakoOmcC6ZH5EimV0yFTqLKpW78ezVhSjCIdJUZe1BVZpXOuWGpqe5NfP2UjX/bSrFuzNeRCD7uvbh8sfO1bli8C+U02jtPav6ave2OrQMrUPZMY/HVDrK6qm+7fcOIUpFTZn48eXve7fL1movqY8/YNdDRTGFEuPd9BYGeeI23pxdvz98GzNxjU5sxmXxDijSA860r0wjkN6dQx2B9I0q1BembV6wtkE/K9bepXNu9+RYV7Aiur6lkN6WugSBZ/cWNHd9IjUrBdT+DkCF941P1xx6yMSg29vy6hr5eK4T72IlD9yisj7Mep62iHBDHDR/ogEdfOo3mN3ShSQWvjCBX0FUaCEaHglHBxQwKX7i620xccyUh0KfRVt3tH/SerhSoiZUv+DaeMGqAEY3bWCjvwUJ/E0gQRnlZNz5s9V6i6QDI/cVt5m2zDkWjp3fSZ9R1EikzosqIGt8L/tEXEnGMEorK/VHRHIJ7wpiRLOfb20BlB9djPTT0qDRTiasCAl16M5byDKqtWXEUSKlm7tBVs7X5UidTWvB8qAiMt+cExyfPvJNGsQzStjM24VSMyFQxNtHZiNygONz1t+GTHbir/BFTmr+a/7Oj7uCuN6N0QsyD677WL/LS1OL7jfwnvWZtbEUFpgbY5fYacLYANqjbit64Qi4dyHeSnWRzfWtrex10cp62oX9cAepb2+s4gs6h7LbN/Y82Zry180vtrJ/PnWcr90k9ItWkEqa66wxTdcM7Z3jYkKEO8MvS49ZmsrWTNPvqDlZ2w5VXbl0rVoM/zGWVBWXc2wnqindOqsHgBSihPTbbScEyXhVjKKJzXbRKGzYsAcEm1Gish9XvwMIbu+BrOSSM2CePtKpOlEuGxd4WVXOObQpqSS4UFUAze3Pbnm/vNqe39+PXcrhA2MaQ/hZYHSsoH4qtW9WSwARe3kq6ANhr+JHD4b4af7YLXtUglvlreEroNeU5nfRkthzkE6YMOeZCG9ZiboAb9Ab9dT1+0SK/aedfBOeX9gO2gBiwc4hXPIHvgAcOyu4oDL1q8HJo3ugYlCBUSLEo+J9xN2lAYfj4PhReHMMqeDa2lIIfvPaN+k8qxRT3ql3wQGSuAngYttl0qYGnL9M8OCTEw5xdKB5PnfxqLO18LpUPtYXaEbXpv150Ixtigh0BgunHmEaAxS8XF2fw+XaH20/ebR1i/uxLUfNC1zmbjCuV+2pcmmEpThNh2AKpcg+vYn9UTD8g1MK/MJHZIomzqB5YqDN+tYncONq3BSaBWdvo3dt7eTuILuHnL3CRXjjjBm78nRj5heW5JDdSubYaHcwMsG8XEmsz3LF7zyywwLTmjFrpu6vSbO0879/Mgpm5HOo+XG2gFKdqpWZH5e2wqfOExcVtjQwBG1iV7I+KqYXVg0IX4EymVeHT38LYvvfvyomvXGp1q+PD856w9RkzI1JCh+eyMr1oggLXarDsr3du+LrwWoy5zm76jMpJLmeJz1hKZbHRgl2XUmj2xXkKTrssU4mB/Otylbtwcjtb8bj50nzFQftpjMUBjZVwehxVn19zuolTVy+o11+1s9mMtxjWiANw3WYV2wIjTZ11bpia0rRR2PCk8eXdQaFhgE4Pf4gLTaXKCBczqwljf0T8szkvaYi9kOqjWCmVK3VEhS/Mq9pFkImSFWRX5pJmZEJzKlKm1sKowWjDPoZ08TAW9KGC7kg9vfATaOFm6q4hbszQKSQMU6MAgfNjaSa0VK50e0kFsStaw6IhMRyJw08PKnpCp5aX5WjO6VA12gKJ4CzopKh3rFYvRz0OaL97gZuFst7Y2RdNaxaVXGiesRGRlXF/KJIVf4YWHzXqBS36zJLuxR/u4ZqDx+PW+Do5aiOrQd41ts5P35x1zgkhJ0c93G9z2QUOnYTp94LdThHdPHczvwf+OiVkFvOp1+7jHXGMR50Qw1BE2xcFLFg6p4LrgkSVAkMzlijZCjrL1GGN0Csl7Na9oY2d6dy4oes01BDz5VfD/FG8fNP8hPXYw0RYnd6PCZ7NuGz738aNhfi34laDnTr/rRUKaWARLIvH/1so4jupDFHUGcF9sd+/gdXDKtDww/HhuUPfA4IngVCbRPs4foS3vuOHRWSI8nGb1W3oOe2p04X4cv4GDeE5YSgFclwFnYh8uf1GkT9X+Qt7QFNDZpLV7QVgEHRJxE3HM8m0WF01oY+0FFEvJl/Nv6xMvJ+Bmizdh24DULIkNPOJex2sdXrzI9Uh0Y9vqBLjERkzpex/OPyrvrVo3tMDAIptNrfV0pIaYF8vWp2NcCJ3l0D5N6zAgrd8XS60AjKPS7LEo6Q51T5KALrzeNUwzAC3ky+5TNJKG1n0u52lmiUsp9rwFPv6JRMpjTaKlsmP/q8GsjCVHooGJDlfqhUBdCIMCO5gyI7S6pUSSqhQLrwb3ZEduNBdy3I8Ne3eUNGRaa12Z/vWpQx4HbWp4JEWF5UyNI5yLGM0XZrrL+0Vtjf5J72mvYipRDpgyYsOXtx0roLjXGYdVNyzv/Y09CxkmM6c/rgC44z5t+/USdv9zEH9jZ4IGzthU0ioKXNuMJfBkKpsNAcoqWr0xD3BqCUFlYcwl23shvVGWUReHN+E1f0VhSLWdsRmCX8WA9doJdhYhl/sqLMg39UtjIkt/FyvD+iEgLWQUideU8zsRv83E6mEoBmpiGA3wBes6FbI6/gQSJJC3daqbIP8uY1OiZauj6m91iYMbGtxaNfEx3mAde6z+51CAC04xt8sgkQZ8nPgIlzi6GGJffcVfrjsI+vO2XNXbSiW2uzzxWOxAvJY7NVdcBNzpGtO3TAJOcuZVU81Y+TdT4ea7O5s79itfL71YifpWVoypSnPfQOfx7aIrEYr9C2m/IQd2artKg7rO4jbINWrsjRkl+XOSLuaJhX+ygvdpTbDkPbd7edd4th+fieOBr6ffOcd9tGsT6hVBJZGVmsdQNQv+9biG8o9+la3tvmWxnWfvsWsHpJrskf+ViPnX4OkmjR5T93QzaobyN9D/wDXUgVYsqOeQCgw89arrZ5iMs93+9Da6IP1MNzee2LaTdnuPzF9zb9czy+L45phxKpKnRnbnrjmNIClts3t5Oh8bRRrJVat6ADvTuZM9jYJuxP00LfMKznU9bBPTat1mb0N7mpd1m7itlS/sl6eEDZ8yMyUb4EYmg38wqhLEQGYWW+hgEip/YqbH0HR7bbgdNRgLENDbmxyOo2+uicd3ZuBmzm0aI8uiko4cQzLOMlrFvoa1wm7BIWyqEGPy4HVDWuOe+KTMm796D7SwA3bbhkUOgg/IOe11rKHOi4HqMnM+DUTro9WNKuzw5RKGpnK3Kn6XkFXE24UVTwiHCwG65pVG3tYNMrIBZROc02LRiCQ0lxLmGyBikD9sL5alJFJhqd/jOzNxSZSXo2IubGynPKtzOL6rlbz0NxUTkqvq5Bj190wIpSzAljqIk/2FspCUae6uyUcqY2MaUNOzrC+lR6BI0KPSDTmDVe+qu436BmnvGiQVo8jcpmeqLc6IVfRC4neR5C4wQ8OOzKR9txAZJ/dliafHbvOofDmGISIsUW21Zu5FOF7xciVkDdiRMb+sLqfUFSJ+tnrqui5kV7sNRDgOIhZXA7msVg9wIg4aKaH5mAB2ZJ+ceTkDF16jpqoJjcszx2TC+vxx69OP2zyv9oCR6GnyTqdCamNvfkMFRlVQGO++nMYdpo36+u/ZlS5isvUhMiEGTfzagIxCZZAcj6bm42AvHWerdtLpkfo25+//Vd9uvPLv775effNPzb25ifqP87+SHd+//XPzX9rbEUgjQGsHStHfnB/+3t2bRSdTnmafBDvmF0P7Dmptev9D4J8CMj5QP5GuJjISmQfBCF/I7Iy0SfuykziJ9+JED9VAgj3g/ggfpszEY9Z0LKMWj8C08HLyykzRd0JzrlgR+FCiuwc8ZiBc0GSvSaQgAzdwTi7SRCGWyb2qJGKlEzxghmmEJAG0MvBVAPSgMD+F0QeN1k8cpg0WelayADbDbqZSnVDVcayy8/JJjw583HmdZtYd1yjn5y9rFTyYzfsY+vVdrKVbCVNKy2ngl6iOjUQgzk5OD0gZ547nKLm9uzeKu2en6wjcN0vsF571MP23PERuK98tzn/lnb8h+bQ+xw4GEg8p8z8lMsb4HAa/nLBmWHcXM68Q6By0Zl9a+rW020iWixXzfuTDE5OXE1gkthxSbPMcWPXa80yWX81XedUuIdjA6DPRkejJQwJNev//vrgFKnvj3Uu1v/ALwxFf2fUgo4c5FZWiGKmESDf9ITYiROO1kL4G0tznAD0EVQtz2SlozEBEM1E5ty4lk3ijgar7t7mdrL1B2EipaW2Jx/kLSs/tmI3WsrP74xdjchvXDE9p+oqWQsovy+swC4gcasb6DgB0rvBBY1Ak87RXzpuIFrBgPrvW6fM4WJuCyO4dTkPDPYYOq8B1ZLJgkhIqpMKaMzJvbquBuGPXXs5P0O46m98yhtglzS9Yve2jbzd3gSirhvkk4Rd926PuFv/0iPw+h9rzciJvv0i73YzYs7z6wGkrNXXLz2jrKVV5DzsYwKy5IjkwMv/SVOrw4XgjKBbfns6U0hCCHGmHuohUHjuzqrf7Eh8QH0ZEr6or2dnl/jvOE98DIkXc2sM53RhxYIqK0fEpOWI8PL6xTpPi3JEmEmTtW8P8yZtIX6gNFgXnvj2/ATasuQovt7E6aqerF9bLCYWdzuIwcg+UWqWjkjJC0Dot4dOC3QDn9/zPfpXuEGDm9+NAk87++jb+Lu76gtGMY+d5uglg95KjpeMQvF2LOzRMStip8YQSJcxw1Iz8uNjVA4G19074npTxncKpr3nsKG4btZeD6nhIdzHlxXEQSn0y1fQ8B2W2mryLsWUzypV77skqhLLI4BoOTV2usSXsmmXOfT2ej0iN2wCGiBn0JjfqAoS+xFdXIqNUsF6YVxfcsXLw7Xa/IM/wVZAdsPGIEUzgn87lxo0gM7QFqsHZ28canTyQ812An1GFm2KnT5vMWi7e8PHHPMpoWLhmRxgHdepA11oH2qJtKFr4f8OfMMqvA4WusyTNy725I+KVTgwOb54DVUypQAS8savUsmUaR1ZL8IwoZ6rYuD+SCUErFnJzOMDogOPD88fYIVncWj5o+uX/rgnLqx/LlGfqyPYwSQehWmjmg/tLmkRmcktY0Sa+FOKZuqtkQSj7/h04fMHvP2LkHOMxqeqaFic6qvG2cTbul0rLt/7TDA83+rzt4TnYywMNWwmFf+TBUiWvQFwAUlASfIUpv9gza2Dw7983H5nxd9nIH9nQd+zLBcv4TsX6TqLskx4KNuIY8PA5+U0+CKCse6O1REjw4GKeTCkNNSeKaoYBNa5y8KP7Oqh+65aI3LsXB31NXT05vcR+eXdiLxmM/uEVTHbGD2rJjlPL3EYtnTPt6fCvk+FfR8OUu+GPhX2fSrs+1TY969X2Ldd17d5qde+mC+j0/m07eGVOj/T96vVudGe1DryOdnXHST+5fW67pK/d8XOr+h71uwaa/jLqHZ+VV9Qt+MilUUciPFpul2dj05x1KZel3h21dHrQJ8Lo96j1x29+X1pVH5ayFYdklVXuem/44epBf/m4PB2ABrzDymlH9aZ0V0khM2qo0LhQbDhu3DnON47vNmI7p6zvJxWeVyjt77upnUkUHBWBAcCxWxJlteFbDCFU6oZFfxPlKkbcRFCxsnekPnIWMYypwBgKifClbOpIawozaIn5vQS4vPOf25sxFO1effDt1aB/Kna/FO1+adq848M/OdUmy+VzKr0EYv2ddJ13Qy33FwtEPX25mYDPs0Up/mwMdVed3eTOc28KVoMVpV/7srqt8usgXWeGkogYgLEwamSRTNmTrkGP1En1RCrXY+0KJlO+krS+Gh6Na7FvbG/3aE+TabhPyX8B25a+EPmOYMqNmg/sH/VQQk9OYIN7bku5xclaD0mUv8OAy9HcOeLggrTMlb1nt/H6TnpNyViiHUBkFpWgnd9dFD7+3tSKONxfCQIE4qncyQoCAFpVMwOeY2pLEoqvNRkxUCwpzaIsZXkGOdU6lDP0IqSkG1KlaJiBvE8U54b5qy9UH3ZC4lQ7gJCfgU86AXNAEa9nodUwPoKleKb4i4ZTDX4eld9TFteXKtvvgbZhmvqHK6pe0j3AoIyPf34kgP9ZCpbN+Dy1R2/S63gSSVo4eh2leA71gf+KhzikZWB71gT+ObVgDg5xtf4ctz7LPrqTqZd3/m382y447WhORauwuhbP6uH78TUpbt8x/Seofxro+DNQgKLGIfmf8ajQtGBMLQDBMd0gbD1WIb7/hVpdIkvVbjh1mblj7bjbk8e3Kd8UvE8uxyWGlcPXEpk767ZUw9Q1Ns0dfmQjiwCnwlUEb6JCriGlNFUFgU35PyXA4xSEBiFziCD2g/RUxBgujN9yfZeZdmLrcnmq729ydY2Y5ubm5NXe69evNh78fLl1mZaO3jvMWinc5Ze6Woo3nTohu8gy68Q5M5rpkKVum7W7N7k+farjL7ae/WcPd/ZfPUqfZnt0Ww3nbxKX+00de1o8oFWdNSMLoH06iYXCJC/LZkIdXiUnClagBKcUzGr7NqNdCSlwRW7oVjO6SRnG2w65SmvQ85JHfDf1A8QnZc6lW3d/hGdhxlsjZiRubyJFwx16sKOuiC7SjO1DiEtIzLL5YTmHbzg130LYcvoOxk1/S0PLOODLOBe+JqYy3nKhB7M1fEah3cFkzFXvI05f9ibzaMIJTr0IXI4hZglN2KssilZkPOzo/8gfrrXXBusH1MzI6k1n+SszrDXZfYRsuvdkHpjrctnDkqazlkYeDvZHFDS670ioilqypFNwYqaoTqEnVEzjyrx+H3jHYKKoNuotNoA0t84ZHlO1cZMbmwlW9vJq3ZnFCi5lQ6Fwl9kYUFGm0WYjLx/9zq4u7wEA50SuK5FEl6XKL296mAosyItL7PEtOx9YwWbJVb9oIqEnmIazUS698j29vP72pQ+YkE3ZxDtygLgrnThSV7ejEkM6hXbmUe+qrqZ0+YjBRW0rvBMXM6yzwTbJ6osRiQrr2YjMlHsZkSE/WLGihERFXz9T6q6Z16VxbLbOKwk5je0OUvcyWQ7eRUL/025/5j8Au1iPkXy/w2VI3ImlbGkT44/srTCP5+dHa+F+q3Li9VNi+QgsT1WZHXTNGzGlpZGvtpfRqiBp3jO1q2W0NVeodyZnBpyKFUpVTPZ8h6SGF70CkvNujLYA1d6RuMw6HtWZsceWPcIS2spFw9c1ovkefLqxeZmsvVyZ2t32fX5CtOXsNCh49DsKj+HRs/PDk5OL5Lj/zhedn3DOgjDovq8hA9c3Eo4gR8+Hhx7ZgR/t23RK3evPlp76qNdPX+MvrrbD7OUYcRP0e9FSamoPSl1h1WX+dps/wT1Jv1whGcbESm6Wl+N6udgcB/76UvotDo1VucydKF9EyicinCjWT4lVITdtasqOeaO2wdRLfFlwMB6i+DWwfTLWVFmQ4X/rh4oRReuihUgiaoZVFnQI7toBfQBeLQLohMt88owrDQaRdlB6dVwr0WyyRu6IBPm3FyImVJJw6ACq9Acuh1He9aRIdzHdZSFJ1xs6NDEd52s5+FPqyaGD1ubif3f1osOIi8h2+ZhAmNLE2NiZuZBVXfEYscGx96iv4q9C9uqsJlvXOHClZmzKLCfJlV6xQyhguYLzTWRwmrJYcjC3shhk8iN1ScCN4AWrlTFZ4i8gUKG4YUCNySq8c+dOo53hK50yVMuK123jO3IdTvLMspUZuxS85mgYJdjH7m+t97QRMqcUdGH+x/xJ4ywL+2QkJ9PwgxxjbA20KtGVWz1EyHHlnyDncL77IQpUwYNWr47YE98Y0RbvkVUqhalkTNFyzlPsXOOro9zPOo1zXkWZy1B66hKGz8fec3oNSOVqOsmuBYD/tX6FZ+nV48fhr2hmlQCjISh+XRcOPndu7fvLt+fXrx7f35xfHT57u3bi0/dsgrTVAbKsDnH4RuXM3jnoPKvelRJuLUyQPJSlq07ztLquZGKaVckqd7ons0j6ZzyOFT173bHUXaoX7/tPc9yrJwC5S9Yhpk8jQ5Wrg81arGQY9Mo0TFZQElXjdG7wJlYvkBjM9ofkEo7BPVZpx4o+zPR3M+zIHiEzzi2LI24F1qurWQ3o1xo07hiJ1xQtSCuqWyzZm33bNLGXtxz8B6Kp6KgIrtcsoHU1/HPNvfhpyrPPdzYsgpICe5L15jI3Zlt97uXesJcTvppST1I1DTP69u23fyscw1/ulzUkIfIOhRFVi25Z5kkfYhlGrD28+1xQW0pH6XvZgoZMhW83lyHwTrdA4OmwBuCleF0HM1XX2RTcgMh/40K6WCIhZxcDwgGIMDhef/+5Ghk1aJCCq/dkJ/fnxzpUXw/0qiudWGPn11qvgglprE0cKjcA0657qoPpdBGVanB/rGoNOQLN1yMOchhsCQsBSmVZYIpuHwKbvgsvmTPTo6IYpVmjVLade1rXxprCt1WcHnQN8DqkCNC7VWl2yFnxGdPWuxJbXqYbbqd7uzuZq+mr149f7m7tMuwPkPfLC9ZPtbjoKUjxbTe0JHuOM8t7HDzCU2nuzGQdiAUUZq6S51MjqXTmVVEoipVvSUpo25JEytuu0stBN/Wk/nzjl0nsP5tbESw/wAX7nEabble3EsQkT2KSZHtDsTI3hzt4hTdSfWcbg006/kvB1t3TLu9+2K4ibd3X9wx9e7W9nBT725t90z9FwkGW/UXCobxNSQEy381SV1AA3r4nYahiOYFz/vcLG2OUVJlj+3XsRsNYvx5uM1nGStujaYnq9CXtAo5xH+/xqH+BTzZiL59G9EtO/fXMRX1L/DJYjSUxagf30+Go/vQ9WQ/+kvYj9x+PpmRnsxIX92M5Gnx27cmDWMwegiKnkxKy2Pri1qWHgjWl7M9PRywL2idejhwX9B+tTxw37SF6wsZsZbHVjlbSt54UOT3SX1NOo4GsVmRpYvpBoOeMDu+vRYfutllG/plGs/eEbMeoty6ObbbO9sPBa4D3WNE1UNXcIe5VVL2g7r1QFCB0S8B661ZPlYf5QVrbKsT67t2ou3NrRfrm7vr288vNvf2N3f3n+8ke7vPf3+oBmTmitFsubKGD8LyBQxMTo4egwwclANG8Dpwe1Pacfb1pYsteqC5+V5kv8BGAeaWVGRpEb4foWKAfDXUlqM6UCumaxxSgXm9E1Y34d8PQ0YV7AglEyVvNJT3MaAxcOOA8BIoNPmhM0bSStmBcug+KCITwLL7UZUW8s8QNc9ZKkXW5Luh9VFVdpO5n28vHaruYLyR6oqL2SV2LJTqEZMrhqQfSyYOdBJAbzshOorDXBZsg+Y8XbrgZ8mS/yVJJyVL/rp5JyVL/uqpJyVL/vLZJyz535iAEiHgWxT8A3BfXqwPU39toT3k5H5DInm4ar+iwN2C4VsQpwNI37Sw/AlRNd+fJO3x8/XkZA/B9yMFL08YjyAi11UWZlwbhxWX+/gu/u725MefMHnRNYW1lOHzwv0AvoAfNEsnS6YGQt44VCcYiJ+svnXCFNZAIDeKG8NcauWEavZihzCRygyKaoXN+UmqsEDVXWBdW+qcmb/TvGLHH8H7+Y7Nfq2YWrjvRk2PP6RP6hJpXNbOO2hBhQ69cV5e2u/GSQh5kb41wqQyXm6px5wwY5giiqXymik64Tk3C4CldkfUznF78t8d/3z548npwbt/4MqZa2vd48j6/dcfq4PDzYO///rjxcHBwQF8xn/+bVlhB7YYb5/7gqM+rYY+xgRgnRu7vVA9DeZzVXLrbT0LiKCaWB4JUYB9b8K+uD3yBJAAWWjoxxOGdM8HIoEpyTOL5PPfR4Ds4/84Ozg9ujz/fQ3pIXYUBRh4KNxCoGSqq/OGU7I/KiZSbFTgJgQCtqO/ef/64gTmgrH9cNAjOIx4TRXUUSI5hPnhsKKCPnOw1pqi7ZhHv719d4QEffzz5a/2UwP0iPrabYixAWHKC5oTxVy4GnrOnrFkRsYrWyvjHrfW6n+uHO5/UIZ+UCy7NKb8MOHiQ7GgZZmwj2zlv5a22gDBDVTa+dxQkVGVNfcbL1THRXyQim6vEEli2VXM+fUQCziYTBS7xkq/oBV5V6Sdr3ON/PLvr98sC/AVWwwA7y/8mmErcn7tPMxyakfq3nnnb3+6+O3g3fGHWmPzLPz04sMhyi5/R5X+w0lhBZqfeKhnYgkUm9DoDzdcWEAt3S2t0nUKLz3K8iFox44dx+TYrRrZ4eCEAu/u27gPn42QcMx7EPPhiE2qWV1z5/4CORGcQzXWhDn8Hd/tarMUxLWwVPe/D7JS/dWddSJCfLRmxl7hBaPC2OtkSlN7QVPDSMmvJca6KOj5SknJWWqX4uGDmjruA4RPwQMa+/7UEbQuBltbIRliD8WClDlNoQO+vWGOD89d1AK5iEFwQ2sGtSfFzPOCYoSlvOvbSU4hrgumQFnB3Y1cRUJNrV/i4rkgY4fFZBxWcmAZZKqYCTFKFkNxP6CRKw/ng8uhYtxcahM61quRD3iqKcK3vB2RNOdMmBHxj0I3PmzHlPjq+NklLxNyMsV65mXJXOjayZnn20bW0PNyPMJ6HVh3SjikAcao68JzckaM4tec5vliRIQkBQXRLK4+xw1MRhXLRlbcC9Hy0VT7W6+2k81kO9naHT+gysac6qFKvx3kOd4RVM+ZRjKQwiJEecJykhWGDHryh7Y/NRepNKqXENBf48+NGuqicEE0N5VrwYcV5xayWlWWFHSlGMSx1fqWA4zQfCYVN/PC0tMzDLdlik0lvGEJyrJMuPQCAGvLtzUsl0Buf68riz7HoE7OetHXVKP1YE0x/EZCrKSd7XZo7uePVd4oMvbOf76DM9pnfB2c0FQqig8Gi4aLyMNAQbGoe16EvhJ0ZgV+C4CLjvYhi4TmTBlNpCISCsUJiYXKYGG1JuALw9kpovBJN9oNSOderkUVIAIcL2K273mKByoruAZ3gRUAlcxD1Wk9Cq05JTIycnJ0vnFydl7/ENpvjcgNm/ghSwwfx54P4YFK5S5wVo8IExmojyRjhqWYUiGsfGpZsmbk2fHRuzVXTTqEbTKTPqR+T2Xm7Z4ej9cnD4p6xj0WoLlmqVmVSbEIdXIRCAg3hb8sZ5AkVYyaqNBw2CtPWYEygCs16LuTpHVuqFp/HfeCva+KAPbmG8qneFA3/0MaQPHGDYVLdDHArqUHcliPhIAVy2Vr8vCxxL3IIAfGsKK06sFJJGO8ZvRqaf1rcPfjBTa5b3seYePdhns89C/yx1ymV0RZtVobkGVK6GRPjk7PMQL4l4uLs3OyQS5en0Ngukxlrpe+K4YKIz/ANZ4cIaPi2kdHW9XbVfeCysfIO5FRRlJTbWHwDLKXcB5EMFubSwc8DVtiOFYE8luqDd/OGwJqMCbXCu00Y3dUfHX1gH0d4CWWP6jbpNF/HdcJxiqfYbPcuXj99vDfL49Ozy/tIbi8eH2+7NqGLuC7+q5RtNdIqy7cnU8Y73XY3d77IPxq0WiHT6FpNkedDbtbiEyq1VVNMplWdV5GczZQKOzJXF2t6UlIU1PRyIq/aeSdoSTn4grWQwoZ9ilHhwuiYOKl6vqac7V0Qdzp2tJ8MWImkht+xUuWcQr1re2njU/aXitrsaH89actytXMjEgpc54uRiiboEyArlx/61pFAU72g25/DOgvWN0NLjYhOfPe5Zlj+Zc/oZy1LJ6q6hvh/WB5kCoEAQQcwZWg6ztBj1qXAWd6qeugyTC718LW5ib+/9IGokGDei6iPkQbRLFrrtuiw4TZVQPtgF7vctW7S0vuWVPU59B3E3ZK0nn9zR1q0oF7zm6y7wBItfNFgKnF/iailv+pFMJtzzSI6qj0EMVmVIHhUDNQUPQoeh73f8LRtYj8dJrLG/AoqazWmX6SilwcnrlRsaOvDmAibCnj13UAChfccJqT83+cQqFuZp7pNfejG9QOWMOCbgmkxSB0tWdyDDJfdPDxQ80FPF6MokJTNzjY0JwmRGhqKswvc91HDFMFWQnjrVj+AbdaNKyHQrQA1wnQl/vZ6YmOeTPfkKa+LLzhDVv8UJfypltTxOtwVpbzxgSoQcMq3IhRFiyoof+sBBIFuGbQLube7husRq2QpjPkFFiw3cZ1OJxtpfoQh9/wS2h6f9DAQ7OMaFZQYXiKjpKPxrWvZh/TORUzNmowda5DB2sjyTW3y/W90LF5oYBkX9qwGnnLngpzTK3q7McUvoc2XiRo2nNOOW14nhOGhibMkHUt10UWmxkBYVMedeigZalkqTg1LF88RL1Gu+dQghO2CIWrz21M3ffcriEwmGLCZ5WsdL5AaoZ3ApcHj6IO2THQkJQKcnI2IpRksrAbAMbQSvCPREtLJwkh/6gxS/MbutBoWm5e2fTGw+Tpfpy4L8aIsqaMJqwUVTtRs8pn2YPRNuHl2IIyThCs8YhkrGRgnybSyQyk7vwPVlmuW8EsVCdL96e9LZ7FJf3iOITm0ICqLq9MKyOFLGSlfctDwHv9dQDQd13DgZ4dnJ+uddJs7b3NaDqvbU2ISgyGZD039O7Wi1ftNTeaXX7T6VzLR9D09rdsoOJnKWc5I69fHzbw0ROYskwwZPxas8ILhKBAaihU7474vSMJZNHdrdprNv9Cwr4Hsk/ybyM0OH7TLD1jMkm5WQxVZOSQm0X/7ryRwijW6o8E4EhhuGBisMInp42CJ26yDnynUpk5OYBgCtoDZCWMWlxyLXtSlh8HdTgFOTl/C/nFHQgPD24Fa6jddCD1bughFTTrYsr357sHnBmTl6Cc9837WooZN1WG93VODXzoxtz+N1nJpVjZJ+svnycvtnb2nm+OyEpOzco+2dlNdjd3X23tkf9Z7QA5oBFn9b1mat3fxy0DJw3tC0eEoskBpTA5JTNFRZVTFZc2MnO2IClUdrBiZ6PQgrs3TdNoxF0b55QJdC1AtHwuMVJowlSdFO9F2/qGQvByUs4Xmts/0LA4Iqk/1nEc1qk0Fk/2QZTAsWt0ZWQBF+SMydCssWPdmEhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzS6oPedmR2YOh3Yq7WHvrQMst1X68pCx32rY7f5OTsesd+cXJ2/aIWPlvyVkHTAXDz5uDwNqhJwzJrks9w8K5eWDXTKV6QchErChPoX3l6cBH0b1fxgTvJrD6zkpSKX1PDyNGb39cimbd5VkCbyyXNyITmVKRwWiMHoVREycoe4haS7TpLuVRqw4NSCGIE2PG/YRSgBvsAqa7Th4uZT5PhWrkunW34zDwbh/bbSBwDFpli2WWf9PiIfd4gmHA2Z9pEk3oc4dwjWEhZsiyAXE280Bm2POoRO4oCcWE4p3FOpSIrUymTGUjwSSqLFcI1WYk+t6sIohfVBRdlDGu7QKUHlnJtNSrXdwd03JxfuTQe9BDqajrlH8OI8Aw0ktzf2MBH8AmrSa0l5ALDe4xE88BHXgRz9GSBXU4XxNCreldRJ86pNsTcSJLTCcs1qt9CGkgFwFpGdu0Xr490iNxdSWVSXa10b8waGQ2SMLK8hO3/AhTBplMGJezsrE5ycXv4jF28PloboUvkSsgb4W1hDbCIQ/3ImxsBRSWtyd6NhykwHeJpzxuGtXisMQTU832TDZDMbRRTb8RytAPfN8im0kwlw1JMrHfVOS8hcily4RA5vY1jUEFeHx2c2avgAFd8FIaKSWW1uzpWUJ4PtDgr5BOYwEsm3fCvZFrl+SNn/n4184td8KomdkkwHagRd/jV8wlThhxzoQ1rNd8H3IA19asRIDrUBqdAXORgzsTbyxE6h6HzJ4LdccMHsvUQKsI5oFIc7wRO1gViwNBXX7gR+A6EmRoZde2LIw8wFhgZlCBUSLEo+J9RcBqiMHx8j6WM+ZSMYRXQrU+5D3Z149BkMJViinvVjnYQUIO7dtcQX9mxj6juzex+FFIKmhbM2YXi8dTgr8bSzkM/coKFqLnoLjriaRR4Wssz7MuXRK5h/9XdTSj92x1Ho4l/w2BJ0FHq+KeMGuqAu6GapDLPWWqijuuNVpWhTeWUiwxpLVB+LmfakXyooennhrQU9LU/wA/GyjkrmKL5gGVYj/0cMevz8W0e/Gd8CjYMLOi+1qlCngHxgC6KLkvtS4UqBkn+Guuwjt2AcLIzybQVx7oS1h7dme5ubk4byBjkqPZUoQ3xD0JghABCjIFMNTVBa9CiVFxH/ExOMdlEyIw5c2FjybWHLmSqA8GAXJqxbnn3kLPaKSEbA+MyYwt6xTThpu7nH3PmWtK2dGoJ0jdYhYMhWIdqmykb9sBY3YKnVU4VwBuGZAU3vmRyO4LsVBrnNuaYWyKY62DAWP2CxnPZAAPiwmUD7XW8ZuSgxshvvKGpIWP7nrsu7O0BHy32QX6iPQWvs+cv2S6bTNkmZS/SnVcvt7MJezXd3Hq5Q7dePH85mext77ycvmhZjgaxXTYELU9s6NePuBNgqxWmJ3pehDKr7mTCPQyJOY5eaJ7LG9z+jGuj+KSKI8fdGC4FQFWQFBFMmFDot3n1o0HCR1toQyFBFyxd9QkRwcgegX+C36ZUwwqOrdLGU5cR0zhFXgpod8ZP80qbTrt7K3v+yKjRfYOg5uguOKifXIYqAuFRu5HjWl7BLK6pPRiA7rj6dJeuWLyOdXfcmkQkMzaoA8VTEw0kAVO2+ExECeZGIi8KpGRH8C97ruilYfsbHNMooDSusAFpteDEx7SjUbQJfumBLdb+j4mvmR0GdddJgMynmPnRlqOlFkuOQOhSVAsA+yzueRRd2CRUR4OJBcFO71O1GidZMi1WV2upa06vmfempqw0uLgwG0IMKPbClQPS5StFDWeipA8JJ5qLWcX1POxafSjhSNv7glRl46p395zUFlQSS9GuzoLDi2DaW6wDS6iHb3GhJtXUDMZTzxpZR64QcOwWVVCBIWma9YgJfr71TfdPqzm0jlI6H9WTi3nCOH5rrU3pfqCcexB5fcTzg+8JeDGiGggLBh23R55tyAnhho4Ec7+SaJJjv0EnUxxEqjAGVawFXfuE3sJ6b7zkNG5w1fE9XLexHb3xtI+zI39vFsbzGxKC8hq6RXdXah5sJMmlvCLUXkmYiccMNkNp6RZRLb7A3bvYeJ5sJzuxngWxew01q/7mDi0Ln7o/ktMHB2JPA3AObTRFwuZIUcjmPcGasfvMRWx+kyGFLjjyKaTwKaTwKaTwGwkpxDPpK0zVjOQrxhUiSE9xhU9xhY8D0lNc4fI4e4orfIor/K7iCuGy+O7iCh3UZMi4Qne13xNPR3MXhFafWhlC7Xpj6qJUNmIUBWVLzL75GMNb0ZF8Jj6+wRjD5YW6Lxho2EPzXz3QMBY1nwINnwINnwINnwINnwINnwIN2wT3FGj4FGj4FGj4FGj4LbO0zw40hJ4pCIxzgF3U39zhAHP9HiwN5lRrPl34yCVs8g5lNmmaSqwsA/WrcC5i6EcpZOFNRv7itzC/4UYxcnBx8X8O/51MFS0YFOXtDT6E+hpSwTqbgLjZQTWiobYqV6GKJ+h+bsyTo/MROf35p99GUPVyzQc0hA7iHlz0lOAaEgNdxZO/ARS+erMbMS5WavUPJ+yFslRufxw2UA9d4UVJU7Oy1pyFpXMg6uRvXv2q1x5qRvv5XA1bLkCXAXGNpnMoBBUqQYINzYDb1dM5TDWCHUpTWZQ51xhlNJM09+BFVUSFPfpWt0Yf68raA/yOYUu/AI92+A1TBu/+tFJQQSgUz0SbrSefhhiL+wy/h80IMZHMqs4Q5we7RX4KU7mxeMOuTLzMHnqLQcAVlM0Ss1CClTAr4GMTCkO4mFn9FRvOS0UUM0rqEiXnPAKWzma4PF91p3Xy35xcvDt2R6upfCEpD3bDW3rmqF4jMhvU6HH3D1c821dbijlBWOQbahT/SC5wnGbx01HctSghz9jHJNS5o8bQ9Cop7JhQ5w4h0RsXB5ubO5sbYYK1NtbwgT58fSFJI8S1LI+7Gl0xN/3yuEOW1oe7oYtBXsDp9PUgK5V/pxh80Ai1vOEvjS9xpANTbOIV97n/VIf1PjpePTB642Jr59Wru861/f0WtP1FtN1GEPR3uk23ix237N3X4SxLY7chWwzEXJbH7oPGCLh2ZfK8tuBqxD6kMxz9/9m78uY2bmT//34KlPxHpC1yRFJ3XuWlZJKK9WLZWlFKtnYrRYEzIIloZkADGNHKp3+FxjGYg5csRo4rWymvSM7gaDQa3Y3uXwNqtg/rWFDsxyzMhDX8cwxaC/iIqBQkHoNORqGSEoBSxk8IPzIK+PvNiMzk1AF05gqbHsLn4Kh1ZpV1wqVW1HTl1w1q04V0Nt1aJYaBruJF0wiUSIO2qrvUbBZl3H1tQnA9klYE3vvBsN/tvesPbwbnw18vb98Nz/uDYbtzOuy+7Q4H7847R8f/WCFh3Mw1goVHuy1R4bp/1bQ16ITEadTEMUtJYdUYBNc7pHszNnCVO9YHG0hHVSaZxvVsks9hnAn6CALyvjqlYTjFNL1Hgqah8Xj7JYqQvibQOWAOMjKmohqnc3V5GQRrFxJZNJItkfjcFvDxae11XomOL1A/N22mEI25eC2etQZ5wLNdBSzN/UcxeWxMuZAFtrCZMFMXUFZT0aGwMs3nLdQUi2mQREdbWp9uQUClE8JnXJ2IOQTzVe8IRRTMRDZGvf6NW8ZihDck5K2xcy50VoWgQpI0NLdJGnQX/I66wFPDO8vcpVS+KNozmFdSzGYzwiELBehV3iKti5Pj7slFp3t09Paid9I77Z++Pb04fHvx9qLVPet3n7MmYorbr7Yog3fn7b/8qpz1D84OemcH7YPT09PTXuf0tHN83O30ztpHnfZhr91rd7v9t53zZ65OfuK8yvp0jo7rV8jR0Msp+PIVylvVK/Uy++b49OTi+Pj4vHV02L9on5y3Tvudi077uNM/f3vYfdtt9TrHR/127+T05Oht/+Tw7cVB96Td6Z6fdXrnF2uXpjBzpEJkW1N5enmOli0+qfT9bPQ7Cd3Vuh6B/QSaXO15ZKClK6tUJmD3ww9XTz19BXbDmETd8wb6ePfDZTrmWEieheBbvSU4aaBe94fkyQaO9Lo/2DiG9Qn4Oz7Y1jluLoUgtTgPz9f9mrxTpVRP2VzHaM4IV8ymmGwweL+fK9oITXEaiSl+qN6JRofkaNQ+jY5HR0fhSbtz0jk9O+h02uHZ8Qh3Djflp5TJIR7LtVhqUS39HpZk/5YmxFeWoWSvwTMvaAUCpQzimYjZrJHayv7erKn//12n1Wk3W+q/21bre/gvaLVa/1m75qw33xGkfv6JEza60dqTbZ+dtF5ishrR7YWDB0rl6gRDIY5jJS5TNPhwaaSqJHFcgMvXdyNTJmRq6vtVK4MY6lGBsK5xZS6ujFUVoF8VjT2prZ4sFG4pFT+eEEX2GTVJQn5MnkkTqhB/Pp8HJmMvCNmmBNei8jXFc0Ug54LYkWWlQE6ebIXOj3c/9Ar1dF5KDotspi9vhtqk3lYqnLOuTDf1ukPBltffTEkcs4V2ywJrvnN0PPype6Ws+YPTw5qn+93eGs9/FwTB+ps94+VC1Nt2gqge8zIscFUJ2e+axg0tC01txLrAHkHCWefomK9deYYIiUcxMP4aMx0xFhOc1k3orf4JjWNcmBYdW2cXSsmESaq5fY4hLi4kQoyzGOHUy2nnOBVQ38r41FJE0pA/QWU+maUpidc2ZFPyWQ6te+1PXUrn09OldfS4SRSga6IX1hQT9oIkIb/w/MN5XmF91/oxlfCkONWlrLAQdJIqySH2ZSyaMBOlzas5NHW7C38IPk9lEr/B8Sxt2jE2aST2SvaVqbWfq+8xm8PNsqhynRrl/srSQH6ctMiSrTIcFSVHLDCc6RfCJ3JfV6o9XerdEpeuzWYGdfar9BqasW3qNaxO6bW8hotGsu1zbQteQ38tnrUGX7XX0Az3m/Ea2tX6K3sN/TX5NryGr7kqL+01LK3ON+I1XHOFfGP9L+c1NHPcqtdwsJF/sOIXzI8KDxP/FfyDpvvf8cHWTNF6B6Gp8vlSDsKDs8PDwzYeHR+dHB2STqd1MmqT9ujw6GR0cHzYjjakx0s4CG9pogy4ZFbxlxnn0NfgIPTm+8UOwk0n/Kc7CM1kt+uvGqztmSqJ5BoRoCxLu7ODkCVbEQHbrW/7IQOckEKeoj2pZpgLiz+mvmecTmiKY2Pf1nBA0Fl7sU0n23YwfABgT/oHibQRDqef8y+Au9Kf5qopylXV/F08FMehTX60MVHeV4vjono5yKhtpB6zFsKY/iBWHmNt0nCWTaYss7sHo4SGnDmEZR5OqSSaM3EcK8NGmcCPlMxzyyoP+DebwBs48lInECefMqIs1mbOJLZ675yM7O/WfBpzlsomSaMSNl5TTedTRrg6eKB8vplHjtkwwuGD/+YG8Vhq9FsMel0Mjqw7zvOpzvU3ergin5tJkNEZuXnhYWMrj4g6dZBkE6K0P9AMXZN5Jp/O67IEVwdxrBfPA56UhDeNV4d4lKyk1B6Oxmed8cHRycno4DDCx/ggJGeds6hFWuTw5OC4TF5XKvl1iOy6L5Hafm/zsW3Sv8OpgZyMhGCRcQPbAAk+DthZZN5VkNKgHX0hWtGcCxXytVrj1vEJxq0RPmt1RieeVMh47EuEu5v3K6TB3c17G/9ooUXNHQU4uWGfEklMmXvYeHc370UDwiDNk1ZiKRqMOIGkbBSxeapYgiERTklCGg75YIbl1LzPkPXjrbPRtpvxapRtm8XG40aeG168Htsp4twKlhCDNIuBngl+0sG6xkF+ea1mu69IqOiq02njpwZwBMukQxV0reoM/ktz66fa1in8HiaNRuKcMIu8cW+u9gyIYIVpam743DWD9URvi7S3UxNka/M5hXGDKeFkO69RA8xucGTJeFxCUS01QYXG6BQEcM6pNB7PhlrFlEklCvkTxE9PYb8V3y81HhMMSYQzwimLUJIJCY2MlKwL4ywiUQ3MgraR4eERQTuzdLKT+znU6zuB+q66QjNzAnpJa5MkB4d58VW5Zlx6YKmKKGDyaHZ6c+/xv2SznRJx7t/ca6OlCEFhB13Kvh1n8QsqYK+W23A51ln8SgRCMiRN1JY2CZFQ2D0TJN+wT56vBMBAcxuHpuhe8bNq7x7uDsH3AhveAJwLxImyjkDVV0Yyt7aDVXiKuKU+6k1NuH1RAnx/eHiwr9F5f/z0QwGt941ks8Lq2Q35Dazgd3dpwiJAis/lDLC+QIKQtEDZKuKXV0YhdeijCUupZEqd1xKAjeDkjtxhMCJK1BjGaWg8cix8VsBw2Qo4zboN9SpkEEiSot8zgBLKDUeQXeocLWO0OM5xWbruNdcsBk1/joUbaKNwztcWA3kWE6nWFvxc4K8ZFsLjmhe/lzPNl6yKoDQGuS0IhWssp6W+PdlqCLRTGs4WkMp8hKzKOA4PDyqS4/DwoDAoZUI9bVNJgA4MEzvMRRiv/sXce9fNwdejd0rMVjm7foSzC+7zIt8B4fcCGPxaoXNaS8rUu7BDvUQ17bvzxm7L1HAdqwX9jTLpnmp4nenJajXFtaiBlFJEkpnMxwND10/em7dLAPKFig9oROSckGIIg5wzrauWDujXRkdTIvhvaLSvBxpNG23bYoIBtL5YJsJps1M6d3UW5P33tXqnHu+Cc6voT/gb9A39Dfr2LNC3LYYU35nma3QUfwQF5479vKIqHzjuyhUjChhKrmoEPKrVW8icJY/Y2RfGz1CsImGSbBV/QAkdKE8HQNg+IK76hhJhTlSLJIUSBmg1WLuIaWTNZOuIwinCEO9jFG44rYXnH042gID5ZvH6XhOq72+UvlqUvm8doO8vgM332rB8fyPyrUTke3Uwvr9x+LRSMcQT60b0VAuUf7uGgqHbsGpGXoeWJcQA4qERZ3PvDtFH13syji4xZXOkhFcK17v2VhnKl4UsUcqhs9XNrXrmhmrt5A10AuIKUf4JUsL0Vl4Sej21BZoWM+ZWBpSTrjKoAR5jTguD+uqdwCU54PHHsMAf5blesT9oHOP9o6CFdvVq/A/qXt+ZlUEfB6jdGba1cXOFQ/XFv/fQ+WwWk1/J6Gcq949bR0E7aB+54e3+/O726n1Dv/MTCR/YHjLF6fbbnaCFrtiIxmS/fdRvH54acu8ftw5NnoYjugjGOKHxtrxuHwdIt492rU3ESTTFsoEiMqI4baAxJ2Qkogaa0zRic7FXTc6FJyvj/jaufD7OCMceUKLVDcEasfG5LvSWQ5mUBWWdNOtcsd/xIylT64HwlGxLja/MQffmhq1DD/B80Q45DA6DVrPd7jQnJCWchuXRfyMmwIK1ttf03kovWtx/lyljtdM/a2Vtf2Y/hySVTDRQNspSmS3bw5jPaWUPbzc0sDL4dfmx3QraZUm53aGWCosuOTmVdPf0q8fYSEajWf3y/vzDOjqVeq5YnFN7+F3h+dNWJ2h/QhJPdsWeX+fTelGw0O4vLBBNJxAzolRzov+E9rEQLNTZdLqcc2qvBMFeAINCzdpBDHt1T3VnphKyQ/8yz33QN6OBmn3dLDgJGY9UczSdxGa2Ek8AahauUDMIRIDkQbt4XjnpT02aNj8hkoZ4JjI9StEw5k7dyFDhttOV4jJN+8C42F3rCpIKxg0S8X8IeWigXyknYor5wx7cWQIUrsHjtZWVOR6PaVihBE1Twheuqm4C6YfM5PIFFmjXutJMq+a34vz3Fkxy+fQKoNSbznLJ9AqYBBCUY++plCUaRdRwlh1PgVegDFKkw6UNOSSeTEAWmCY/jmyWh8fclnsDn8tNLm8N/9nHTZOOt31zFuLX3a4woZTWCI6oCDkBo7u8w0ybMAKvvUXr4pVvMrWbGtqi86s8bWDabM05AxO67GlN0QBRmzh2R/2qvP7HioP4T7B8Ps40YKOeAZjMm8yBZVLQiCyfiJP6WZwSjkc0tiUKrfiv/LD4HFDHQKGhNZz4uKZrVPHo28T9R3eArYU7aYDkt7Q+hXLqRiFQ8tyPKIeJyApdMNzuOOxxC9hvQm+sStR0+3t37PtAe2C+qL4Gd4P+nvoD1Fwcw4Ou0fwFLPEITiKOLsy+3SvcveXYAJ8yHD+JSYZ5FOi/g5Al+5/mZDQl8Wx/zIYQQRbvP6RsHpNoQlTT+4UJDi0uKxHBVCb//Rc05AZWJEb+7G97tdFBNjTRXq9Ub7+++++OndfObxvA79SAz28DCLfYkUsqKVBBhIznmmVhcXIj3Q9qgmQkQHAIH4XYr4DWdn8ZDNalhDfir9YqqlC1VH+1SlLYfObMEu4IxzGchn5vdW8v2B7hI/Hwf0GG7Y/xJ2Dz+E34SIZwmzj0BieGISdYkui/XSiU4br1ZSsl+izuf54xoSRH95e+P8PfKut7maIEhx8HSKfBoU7Q7gTHDT+Mp0gOEyh4c93dIAufpFkCRs9WN4iVot4NigdbQ8WSpalujrolqtkd/XVJsGV0eD1jIxp2L3t7NnDCVJSf5VHP9Ycl0hfYAbr075xNDfpyB6ZRez9VpWv59FiX9edTLIdUDNUWoNGe4fUyj7vWK7x+2futZo2anVb7rNlqtVobwMFsF9n8HHFia4guEjAF/dlIG51BklBJJ9r8cbSwi+G4PyqtS5kw9SsSTmhzRFP1Lbjzwgn9Uf3xg6Pjcbu9ARkV4w23yvzGimQciRCn9axambyaSbvVPg02YQrVfkp48EjSiG0rw/62WK67csDDEJAeQhV3nKR4FK9Q1/0JMU4CpXmtMZlxzHBtMfbvBqoZHQ7DcToxV1+toKU07nYraGlnIvxpsaemBCVMSCTII+F+rPlbpWIK0yJT1qfS2IQgQiRw1wZSexYzKi1REiI5DQXa1dD66BGu8vP0Ex3m/RkKlc84faQxmRCTzGVuiSXhOqttr2EqqeSt+ne+qg3XrnptwqFZKMOloyZgTHsm1StkM7JACahRv6yqDqzbjAwW315FUz0KjjZbYpI+Us4An2utq6w/aa37/rBWLTpOn5BLYgAuMSvUQM9ZIbiQpZwAZtlXsESSJDPGv6bVuTUjWrUwcPeTYJlpQiuSRgZSD2bRKJzXdq3Cl9sXa1J4u75yMOQ/YOttKUhtZzrvfvilt5cf9so0phJL+ugjozwSDvyJ0weaTsBFvfOezXcaaOeKRDRLdjQ377yjk+kOLIEy09BjRy2qE5+uReAEUXZAaggG15eErvK2DoKWicx9Ah9iRMY0LSZyqRbyhwtr5HERPEEFYvMUcGMjlOAUT7Tv6eLyZnAbfOSTBrpMwwDtwhdKeKK7QVODpKQMUAHH1DO1+ASnrlzLfMqUMKDCJkNKhqYknoHcB4+6ICEwp9JsQU4o7WvGUr9EDMGJQDjkTGjFec54HC1g0fQxClIqZDBhj+CzaBpRBOxaFQb6cmQ9VjVLskXtwq16rYYBQa2KeiAo7CFoy7/wPBQCqbOUcSrNQiBOJljXn/REwPMoWFHiVTeh67qWik1FkO/RSJfTxGk4ZVx/bIbWZDb+yLf6mQJl/hfa7tqcF1OOcgRFDc3VhY2KhK0UxyZbTi0GOOHqvIf6tswiIReWD8fUZcPNsJzah70Hawao/tcjM05CKK7ThMzL/EXwHcInWrw4U2J7kscw2/GNoPAlTcgfNhpn8fC047T0cEIn2rD/HkmekWLrmiKFZpkPQqM/DOvYecHU3fqA3gZnySTjsCi6s7r5rUF6tUL+c0unBY0+d02XtqyIKwCwI6CpkDg3QFfSCCDK9bvIvotoZLdFGLMsyndAV320BxFX2xxHWOL6TXFlftXaRFh4FSzW/CIBR9EQHhjaJtWTIRFCWyt2jxRmDS8EM84UN+QBtnmKuP6l+Xk5b/hBXuYVtVN/gnQPPWNtMNV0ThM8ITVd44Q28SiM2p2DWnma936pWkCXPWeIazrZpTB8+QadKxaBh1gc+TvEDkgRLnAkASKv4LHah5fymdeHHWBupC/vxk3IPb9xT2tsm1Jf6+4fr7cEh1OaEhAua3VmXgi8F9bty7crhmtI0uVvrdur4fF1F66yv9bth5NJrjYv76PwaG37Vh5FLHwAXjUCqWc/12wv/RsSEsMldBxrpB2QRvo3ta/FlHE51EdCrllZPUD313TCaMF57YaFaq4Hi68UhIg+lvxa6/XE8ghW/0ot0RZ0pSTO5r2BpPM21Ia9lt5cr9Pnd2eSPdEbdPux9/F79I7NlV6TYIA5FuTHylgKGgZarmWgxfIcOZmuhxBYzlUHf8637/SnmkYu0zHzudUcC+p1ZGWNx6Dq+1r2NOdGvzvwY2iojRoJSCiCp8Tgz78xl8DYVERXxlP+ZilZgzmQmcWcvnhpChkV9eDoq8g7zikCV035slf7ZSIYZTSudlldUXd677RPe+3W2c56w/k4QNCD73ivH0jIIlK7D5aNRUhOZDhdfzC2F52SlT45DnzIRoSnRMJNiOHDn/3vatrNf3fKXlFzyxtFPhcul6r5Sysla2HQy3muTPEZi+rFzkab2aPAjOmSKtXFVV1lNTL8uT1dswjdXfaqHal/xQyHLzepvMVqZyyqiPwv7MzGe1c7M+Lyn18smL2fhwmezWg6Mc/u/HPNXeSN2BwkCZ5Vhwx5W/o+7asbtze2+sFzAqVXBJEvu8R5uwsWOiKzmD0lJfv2yzvO213QsVIEyTiLX3zKXsMLul6hBz23Y9fsym7rlb4v71e3aw4YI8vz0+XafVHTrvkxP1ecUVt3DuRto40OAfJ5XbXT9BCQzyTMpHcfimpUTzPj31nMHihu4kyyiAq46sin/3/6V9Qzvzwh/znkWd4rvSc1TfmnsBmHa3KRX9E8F2j3UvFmYwN3mg3wNwEdbOwG4IX51/dJlzmjF3TXx+HUZC1qIEIXXmJKxhnEDUIBFc5FCpuCXUJiLrOZ9fHohjTkTaIjW5xDUBqgZZwQqSbGzW0XrBuRoJJrYAb4Qn1smPAJGBr4yHEMkCNCu80vrxvWtQTsTqMG5CHD9VdhSOAslwIoU09CE2074yzKQrk5ISEe0O1d04xSE93clnX7bHYpdPudcJkru17Peyu69kInNuxZv2tJnU/f4wWBeJamuvRV/TgsVOzGvd/dvDdg/cpUge4Mt8JIlhE9zPj6NaTyXn914Ih2fnMsHIsbkxJnckpS6aJCNZCd8/qWLj5c7GBtl9p0NEamC/YHS8FhpXiRBJCvDNs2r+zg4wMzjsYxm+tR45lUY14kzzyn25I1sBF+JYTiUmTzu9vb6wa6ehr8630D3ZCI6qSCm7urPeSFpu2owe2oSdj8GvWFC6c24QFRnXMs375w0Ky+sSkH9VgZArFfBjaxHnZ5QZeYT8Q6ezVJcBo1Y5q+XNeVY3XBAM5HgsWZJHAq5zfO3JyYMIi8reV9zhl/UGq0g/xYPXfziocSYjGzCkNY3i+cOGvwJU1I3fTgdcX0hT5MUcwX4h4NDC9XrmKp1xdioGf2/kU8ZGp2ruShUp8vyUPFISzvd1MeKk2vyEPm/ogUr4w4wfGQzgpHTNVFb1POxozPMY9IlL9S1oqXjvaysI8MB9hQohJAPGiyn58aHsKva6eAiu1Qac30c8zvPL/lgnEj3MdlwDcPIpx8lhznFwS4cEvs2lLtoCnBEeENpXybkAJ0/+/mhaWP+uvex4lJY834PuRsRIVqOIKSxDie4ydhlFvIwGsYbRAlWIZTL3YZ4Kb1ZId0dg9TSpXSquhlC4mXOAuI62Gkrlrp8vMbLfOtXU0Ir3W1PQqVYP0Nr/giZdIGAhmF2sPhDDU8k4CCl8E/rI4Cp+7QYjobRWXnQmkOffXlTr26so6yAuoHlYLE40WKh3okGHsIHxsoaJcmWVMozVsHg1ChYfnMp1S3DwjawN2Kc3Bsge2LQNY6kBkqikGojY6hMbMA1wRklJZ4AjqgKxTYSxO6o9u67OX1p7xkYWW/GwqmUb77qr257O4aPN5FhiYkhHrQVhbPxuT0jrnF/rfKGNapP02JJxPYy76/xduCAH3o5XXpuKVCNvV3otJ/TIVfJFvHGy4TsWriq29ai4uxIjamzHMLmvMfXNpiZVkWNOg9t7Q9AwMO165BSuRw9CSJGEomVw7cvAovPKsrnc2+UWfmlXW6i4iQz5qXX1R+7cmVettkan5/K+ZnpClI5Io0vfVO5S8VqoUTfqlsVXPO1tAyp3QyNXCt+pW6KjRaIcNPGvYNAjtBDLiWNGZrRGYkjYRFy7PHVgOQqDXEqFDnvD6iE4JTH1aVpvp9JbxzdRdaWGAXmtUyBaSGOuve915+/Nn70Ofcs0CbaKB1qPLXXa0D6a8LJE2InLK1vDSguO8/Ej7a1y/VEjVXqaSpUuVXaTQvgu2x+1P/toGuPw7Uv3e3XimbPa2PDf713m8Eqa5dS7uD/vt+97aB7q5757f9Bur13/fV/+etlE4amx+1eq4xm9AQ6qb4GVUwFJ9XIaVLIMlqZl3Qyu5u3mt7I5tZkwPOdBFjMUW7+3slwGFTTl7XLnAt3e9ngnCx3763SN1mdFTY3+51Q5GJDheVB/NhOfQEWEGId4T0LJQXmTHw0GMax9Y3FMc+BfzWSPlg9woB1HL4Evpr26wkGZZR25KrqNkr/imQIn/Wn7B69IE8NU1RVsm4fTrfxfqtB1LWlXwk/w3dfxp4HgpZTbMEqwniSMedQqyAP00qtVaSr9rIi+9nalcpcwlQ0u5/6t8iwypDUzQC8u0kEdIwiHFlUemzRLkdvcEQNWYPtKhrbiCvvfKic5wUr2K8lOYl1LAFu5yHXRSX2Q9BUSIDMY7URL3nC2t/O+V0LJs3193y2/kbuc5YhFLML7nLsQU1IcxKogYJESK/RVswzSv9kOn2Gg5fiAY3Z56PLWBrpjuLlhQEeuKaYibXbMaJs5g5ngPf20KBHrqFcTBPSTwbZ3ncPVhfnGWjmIgpY1IDxBgFgON5fvDfwIdyBkD1iLfj8HcwjGnByV4sUbUu56iVVk+5M7W0zS1X2aI05gyfUy+ZZRfP4FpapxfhJ8LBKDIyeURTzJ/y9l3zLOO+naVrwxSAFOqZqpQn8nIz1c2+9lQLSqMp2QcJcZ7ueOV9jXY9TVLsbaJF+q1rjC0NSlTxGxY5rt4a0xo7XWXu1Jghy1ys7hIUXihTy6uCBKQW9A9SVh2qK2b2PopJOpHTIqqe/s72c3nt307cdq17qpLSAHPPa5Fuaqs8hwKaW1+TBP8fAAD//y/Hjgg=" + return "eJzs/XtTHDmWMIz/359CPzbih5ktkipuxrzvRDw00N3E2pgxeHqnxxugylRVaciUsiUluPqJ/e5v6BxJqbwAhU3Zbg+zz+OmqjKlo6Ojc9O5/Af59eDd6cnpz/8/ciSJkIawjBtiZlyTCc8ZybhiqcnnA8INuaWaTJlgihqWkfGcmBkjx4fnpFTyXyw1gx/+g4ypZhmRAr6/YUpzKcgo2U2GyQ//Qc5yRjUjN1xzQ2bGlHp/Y2PKzawaJ6ksNlhOteHpBks1MZLoajpl2pB0RsWUwVd22AlneaaTH35YJ9dsvk9Yqn8gxHCTs337wA+EZEynipeGSwFfkZ/cO8S9vf8DIetE0ILtk9X/Y3jBtKFFufoDIYTk7Ibl+ySVisFnxX6vuGLZPjGqwq/MvGT7JKMGPzbmWz2ihm3YMcntjAlAE7thwhCp+JQLi77kB3iPkAuLa67hoSy8xz4aRVOL5omSRT3CwE7MU5rnc6JYqZhmwnAxhYnciPV0vRumZaVSFuY/mUQv4G9kRjUR0kObk4CeAZLGDc0rBkAHYEpZVrmdxg3rJptwpQ283wJLsZTxmxqqkpcs56KG653DOe4XmUhFaJ7jCDrBfWIfaVHaTV/dHI5214c765tbF8O9/eHO/tZ2srez9dtqtM05HbNc924w7qYcWyqGL/DPS/z+ms1vpcp6Nvqw0kYW9oENxElJudJhDYdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9BnuMeaEIVI9pIiyiqPaQBgGOPoKtMptdMXREqMnJ1vaevHDo6mPy/K7Qsc54CdCv7ZGUi5fqYqpUBWWHixn5TKplVKfz+vzGCC6Y1nbJ7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWe39kxwQSg8bb9gKmDFTqeNqlJTWbzlcqrJLTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxrhjN6DhnRFdFQdWcyOjExcewqHLDyzysXRP2kWt75GdsXk9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6f3nYCY0vlUSMUu6VjesH0yGm5ud3fuNdfGrse9pwOpGzoljKYzv8omjf0zJiGkq82V/4lJiU6ZQEpxbP0gfDFVsir3yWYPHV3MGL4ZdskdI8dcKaFju8nIBifm1p4ey0CNFXATtxVUzC3OqT2FeW7P3YBkzOAfUhE51kzd2O1BcpWWzGbS7pRUxNBrpknBqK4UK+wDbtjwWPt0asJFmlcZIz8yavkArFWTgs4JzbUkqhL2bTev0glINFho8he3VDeknlkmOWY1PwbKtvBTnmtPe4gkVQlhz4lEBFnYovUpN+TtjKmYe89oWTJLgXaxcFLDUoGzWwQIR40TKY2Qxu65X+w+OcHpUqsJyAkuGs6tPYiDGr7EkgJxmsiYUZNE5/fg7A3oJE5yNhfkdpyW5YZdCk9ZQmraiLlvJplHHbBdUDQInyC1cE2sfCVmpmQ1nZHfK1bZ8fVcG1ZokvNrRv6LTq7pgLxjGUf6KJVMmdZcTP2muMd1lc4sl34tp9pQPSO4DnIO6HYow4MIRI4oDOpKfTrGFc+zxPMpN0v7RPed6TtPdfskHX80TGRWPNupGiibuH3HPfK07BQZZNdWoxFuACPDKaRi3jMenDSKCEf9IwxpT0Cp5A3P2MAqJLpkKZ/wlODboPhwHdQzh8GI0xTMKJ5a2gm66Euri5IXtMh2t9cGJOdj+Bm//ucu3dxie5O9ydZwsjMcjsZ0a3ubbbOd7Wwve5WO9zbT8Wj4Mg0g2vUYsjncHK4PN9eHO2Rza3803B8NyX8Oh8MheX9x+D8BwxNa5eYScLRPJjTXrLGtrJyxgimaX/KsuanMbccTbKyfg/DMcr4JZwq5AtfufLzgExAsIH30WnuLudVQVAFan1fMaaqkthuhDVWWTY4rQ66QQnh2BcfMHrDuDu3RbYvoSQMR7eU/DU2/F/x3q7Y+ft1BjbKcB/kVvHcL+tqYEeBOvIcA3fKyxvLsv8tYoNNGgW3GjL6zg5pQfAqlHGoWU37DQB2lwr2GT7ufZywvJ1VueaPlAG6FYWBzK8lPjk8TLrShInXqaUvMaDsxyBpLJE5LIrWWxEqqgDOEsbkmgrEM7crbGU9n3akCw05lYSezZlO07pOJ5R9eoMBSUdL4r+TEMEFyNjGEFaWZd7dyImVjF+1GLWMXL+blPdvnhZidgND8ls410cb+G3BrVXw986SJ2+qsLHzXKmlJjRoRRHHAav0skribaMzqR0Az4ZPGxtc71iaAxuYXNJ1ZU6+L4ngcj2fHuJeA6r87kdBEdgum3WSYDNdVuhlrp7qhmlZGClnISpNzkPQPqKkHgtD6FVQOyIuD8zU8mE7pdIClUggGjoATYZgSzJAzJY1MpZf7L07O1oiSFUjDUrEJ/8g0qUTGUE5b6atkbgez3E0qUkjFiGDmVqprIkumqJHK6rHedmczmk/sC5RYNSZnhGYFF1wbezJvvM5sx8pkgQo2NcS5I3ARRSHFgKQ5oyqf1xIQbJcArcx5Ogd7YcZAZbALTBbWg0RVjIOeep+ozGVQxhpb4UQCjkNonssUdGYHUWebnBoZvg4E73bRDfTi4Px0jVQweD6vJY5GmyigHs/ESWPdEemNdka7rxoLlmpKBf8D2GPSFSOfoyaA9XkZYzlidd5sJ11LnoDqrAodazTkPnWntQdvozXBfB08/CylpcHXrw+jM5jmvGUiHtbf3GMjHrg37WHz9Ei1I0BuuD0LSPp+m9wRdLqvBw5tP8WmVGVgE1iVXwo9iJ5He2DM0YvKpaA5meTyliiWWnO54ZG4ODxzo6JkqsHswGa/sI9HkMEB1EwES9A+c/6PU1LS9JqZF3otgVnQiVE6FtKZCr2FVrVrTOpNWAW6NtMWDmdkeSwZRYWmAExCzmXBgtlTaTQfDVMFWfEuUKlWaoeJYhPPrRwoorVAjUfP/ezMe9zZMQvmLZj3EQLcsbRgianf5nqKGH50VDgi8hNY6VXpyiLEjVrb1VxY8P5VCdwAMLPRcPYO6p7BavwKaTpDWsUK92sdTrT3DAZ/Io634ecJHmA4PKiq0SwjmhVUGJ4C72cfjdPq2EfU1weoRHmOoINuZyS54Xa5/A9W+0zsQpkCC05zU1G3HScTMpeVCnNMaJ574vMSwXLTqVTzgX3UKyXa8DwnTOhKOQ3UuZ2t4pIxbSx5WJRahE14ngeGRstSyVJxalg+f4S9TLNMMa2XZVMBtaNzxNGWm9DpP4HNFGM+rWSl8zlSM7wTGOatRYuWBQN3O8m5BnfkydnAmscoZ6Ui1AqWj0RLSycJIf+oMRv0wVo7wnOg6K2HydP9VeK+uEKUNbVMQbiJlMisQpcwisarhJdXFpSrBMG6GpCMlUxkTs1HHV2KGgjw1Lgdq7Wo5N9OgFOdPMvw2JM1N0w/oNpHe49+n+ZrDUB+tD+g0y5cnLkz6UgCWWd3q/a2G4AhYS/B6HA8HMdPGnNOmUxSbuaXS3IQHFqdvXd33lgbgTlXYgMcKQwXTJhlwXQaOSvCZB34TqUyM3JQMMVT2gNkJYyaX3ItL1OZLQV1OAU5OX9L7BQdCA8P7gRrWbvpQOrd0EMqaNbFFLDHh43pKZOXpeRBNjXvfKSYclNlKK9zauBDB4LV/0tWcrhBXH+5leyOtve2hgOyklOzsk+2d5Kd4c6r0R7539UOkE/LE1s+QM3UupfH0U+o8Xv0DIjzgaAWJidkqqiocqq4mceCdU5SK+BB7YwE6KGXm8HDhBTOFWpUKbMSwynfk1xK5QTPADwqM16rtrWEQvByUs7mmts//MVV6o+1jkA4lSa6nYdrOY5+hwIE5JRJv9quH2YstZFiPUs7e6PYlEuxzJP2Dma476Ct/+3wLriWdNQcTL0n7W8VG7Mmonj5AAzhgcYsJ2dBR/MMEWXFi5Ozm22rb52c3eyuNWVGQdMlLPjNwWE/LM3JBTVJe7G9Z7V/wasX1mZE0+fkzE7kDAEMIjo9uAhWNXnBkmniXEQ0j61/giak9x417ivCAYgMSWupgk9RTEkuaUbGNKcihfM44YrdWjsGDHclK3tMW2qrXXQplXmc1uo1F20U71dlY2zY8f8s+ECD9RFKXGPVZ/j2J6lsm004OnuyiCZ5936cuT24i/gty9GGKZZd9imLTyezrMUy49MZ0yaa1OMI5x7AQsqSZR5kXY29jhn2/6f64gZlTzScMzAnUkHIT+KeS1JZrBCuyUr8RftGCYOf3E1RxgxTBUjYUrGUa2tCgXuEolEL1+YQ9FWNc54SXU0m/GMYEZ55MTOm3N/YwEfwCWs6rSXkQs0trRqJ/oCP3Eo0lJrjOdG8KPM5MfS63lc0gnOqDVxXYOQT2ttCGgK23C3Lc1j9xeuj+qp+JZVJdb3SFZERNhpUYWR5CRTwBYiCTSb2DN8wO6vTVdw2vmAXr4/WBnhLcy3krfDerwZYxOF+4N2MgKOS1pTvxgPR16Wf9rxh2OiK0KIICOjPTThANHfRTL0Ti1EPfN+gm0ozlSyXZGJTCz3SUqGf106Ol08FA/+HnNzFNaggr48OziB0BVd8FIaKaWW1uzpWUJ4vaXFWrycwgddbki4AkyrPe1TEP6XHxS54VRO7JJgOLAd6Q3lOx3lXSz3Ix0wZcsyFNsyRWAM34ED9agQIsy+fAnGRSwuu6QaY+FgpXJ+/AwdX40aZU2O1kB5CRTiXaAfHO4GTdYGYUT1bmhmOmAK+Y+fBKDGlmFV/O9Fm1DEoQaiQYh6H+6IiF5HKe81clMoVrIJn6KmGD3Z1VyEcLZVigntF88acVGRWJNU3NMRHcfcR1VKCle6IVUKU9WzW0xm+X42jnc+swo3eEogF5aK76IilUWBpXVQombddyk9GuAdKUQjgBoKEmbyrCHIcmqHdLYBX/7lyzcdU0EuIplgZkBXFrNXCxfTSDogh0PfgrL77lhUCHq6+/Rd333xjBgzBMxZuSGAoAte5E0VDVHy9DLzCwqgqbztBbBW5M753Qt7UcZdcxwFgVJDjw00M/7LHbMJMOmMa3GLR6IQb7UKqayDtEW1mAjRCurkOgUVNENy4qhIuVluxQpoQhkRkZTTPWDRTGzKEiRIXTOwX5ElH1K86l14zaQEHrQeCqGk3ubdv7bBc16A6hD3mkjMFh/PyxNvqRY0gnAuixeOrH56FDADHuuYk45MJU7F3AhyXHOLercC3DGfdMEGFIUzccCVF0Qx7q2nr4NfzMDnPBv5aCeifvH33MznJMEYfwhyqNhftauK7u7svX77c29t79epVLzqX6Y3uItSzP5pzqu/BZcBhwNHn4RJVyA42M67LnM5jhSq2gTFbbz1jN/fzrQirqKHynJv55R/1DfGTM+poHmLnsfjBa2ngFMCAatbU4dWVXmdUm/VRy7Pr4hqXd8hOfDzryZGXJgCrZ21tQPn6aHNre2f35d6rIR2nGZsM+yFeIh0HmOPI4y7UkcsavuwG0D4ZRG88d41iae9Fo9lMCpbxqunMcXmtX4SlurliZtV3aBtH9Cy8MyAHf1ixXX/TkwwxX3eTLHpa/fq/DA/0GMBrlkXXjpyrufp+dlXMyePXf8OzhQJUPvvu26MAJkz8quM0T3qrB4TahQ7INC0HAUNSkYxPuaG5TBkVXU35VjeWhZdlS1qUuyv7RHYbK7kyY5eaTwW1CmlD25UZI+eNX+5Wey9mTLN2PmDD2gP9ccwFVXOYlIRJ9eKhyJg08oAJNpYyZ1T0oe1H/AkMYVqCCs4x/trBYtHnov26loVRFXvAdqhB1YaaamnBcAdZxl2oaxfLQOlMWf6WWksfQenJT6nQjHdZgVOrDKdqXho5VbSc8ZQwpaTCtN3OqDc051l8Uy8VMarSxs9HXjN6w0glomhOPIb+1foVfz7r8cOwt1ZFE+mMpdd9yWfH7969fXf5/vTi3fvzi+Ojy3dv314svEcVJqAv6UL7HIdvCOxA+oHf1eFBPFVSy4khh1KVspGe8+BSAI1sEQl6z/FYPTdSMbT64q3s2R6Szpq3Xn+3e0ohArh+/a73IOcQ86x9yOMA7EHLx8KQaOC5+Egp8nkz5XY8J0bKXLvcRvBSQrYcS6/R4kM67JDM4w4yEOtn4rWf76CHFkRKkwPdMGV1k4zQqTVtI2/QjNU8VJimzdF73GgD+Q+cpUUQUwsOYPKOjIPMiL+8Jz8gPNiMAXfR2Z3yDVFCuUtOdUAGKJAI3P2au9CXk3iQqBZIJKtmLC8jpyi4DzAQIAytnWNCzK1kNTxoPYtIrGX6LevF86yp/POCTpdqjMRKFUwWQgsRIEtomLQrRR9ohk6XBFlNWQ4uOm3dUkUVSu6fPqpUck+tkraZBrO6sh+NeZe4HfWi6+ipoIcizS5LEcXRSUEFnSLz57omhI4ShRVSIj4SpSLEnOSo9fU9vCR69P6UFWS40dMQjoiRNRvNQiE9Y0ZZKg/lpyD7cfkp32ICRSP/Y6EsiiBlXHGhJ8qiCMNCNsVzFsVzFsW/dxZFfDB9XJ6rJNbery+VShGzwud8iud8iqcB6TmfYnGcPedTPOdT/InyKWIZ9k0kVUQALS2zgpd2tnjpD6QTsEYeQan4DTWMHL35ba0vkwCOAhgX31QyBUTvRx4Xt1Lww9S4MZKM54CJIwZl4p5+hctIj3iELvblciTupOWvnSiRddTE52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ7zVbIstRjvr7u9ev4eP9deQXiRmDiJmcjxVVnGmSzQUt0Gb0CJU086X6XVVwcCq5n99QMXf1N+Oq4q4YniQrekYh07sxz4qr6B5CwcFV5aMBx1Vo3wIhKszgeNA8hea5R/pE5rm85WK676H5CznCBaznXFy7+ebkxVWS5fnVmivp6e1hKcivXGTyVtfvnyO4bzG26MVVomXfe+8F/7gOymln7R1YGmDMcz7uG7Cg6dvzxS8zm4GFyZ8ocq8F+XMg37cfyNfesu8nrq+1sucwv2WF+bUQ/Rz1dweerGqcFNnOkhjim6MdnOJR8OgZHS0JoPNfDkafBtHmzu7yYNrc2f00qHacs3opUO2MNh8H1ZI4dMOsd8pNW2zWRYILWmrv4Y95OvTmk4JkXF93j801U4LlW5uJ13wXSXWhZln2609VniPEdpLO2lvAH+5/cIrlB6ymv7X54ZMWxBKq0hk3LA1ZIksIbzx7T+JpiKFqykxwZdhld5b4cXf7EauwIoqK+ZIWcBIqiOE0HTIb+KSkjEBHrKLkOVuHWOMnVSdKlkSALXu1rVCFT1jsGY3jOR5enB3+sreXxdOv7qbZ2OKRK9tNtpJXu8NhMnq5Pdp5xBJ5US7TDXaAzq8Q211KZVwO+dkxnjRyIIiDgqyvQ1kDeIxEcBH7S9rszDjhYspUqbhwmWDctXcjdGKg0DpizAXn+vxyq5lhpfZaI1JU6GAtaTKzOpBM00opq2JiTCc2VXHNxqAbh1E0WFsAPeb9NbUpJfBhWvdOvb29TSZcMTYHRrExzuV0w8wUo2bdmpyWN21sDkfbG8PRhlE0veZiul7Q/JYqto7IWbcTcjFNZqbIu9JkmO7uDbfSbfZqc3Nk/8hSuvNqd4vSbGs3yyaPIBDfsewSDsNSM5LdSfgcbnZ+dnByepEc//fxI5boGhsue11ums9Z30pg1x8+Hhx7bw78/Tb4ZVAEr9yPgOBoE42+OEen5/DxHkfbT42geDvh0ek5+b1icACtPUaFvmVRS1X7u6tL4uwyxuEshl4IddMaP9aclIpLcKlNGXaNc8O6QV9cZUJDPvo+PH+15pobzv0k8ehwi+R7KaD7u24z6UbEaUOMv8bLT6pjF5yDAa3HW6ZYvXeoPnCN43ShxFev1h4Twt9Y8cLJJS0WLAgFp65bMaLSvYF3uzSdubmIdr1JFDOVEtEthO9E7Op6RtovI3Aldc3mDi919LzfAMSzZr4pbiM5YDwnx4fndXOrd9hoBccCXgwcNHZoFfVy8Ec/uSC39q3jw3M3fDse0O6lpbGodSH2FoNfmgke9jlPy+TAkIILXlTFwH0ZxvWLKiptGu1Lr+wsVxY4KG/TWQbX9YXmwBoOYUhqR0tBcHLje2hTTUqpNR/jJWEGfUOs/kdrt59zgPssgH5AqSYp9p1rZJW0yC5Jc7q0/BEsIUAxrC5siM/0yZBioE+kCwbD9jsdjnhy2gt6VJtoKYEpAG3EAjHUqNWm2x0ORrEwkI9qxVdLJjLtL0yxM5zlSh4l8YB+7R0xPxom/v/1YmHZNSCiy2hLcVHxgBbopMRmNLrZ3o86x56ckMPTgzfH9kCMmUWWfT+/sdpXxJxWVzW5whvOmsWYKJtICt8eUSrFdCktioOXOhoEzmVCTgKvEtL48Jj2mL6z9BU0UfKpK1dWvDDoCt/ZFqvg3RU95bfGmEUCRe4KMbzw13EQ/XkD7n7LumHBgIHeXfAOVJrOYs7OJsCYGmlPXKdUZSxLyG9MSV/SogAH5MxdCCIPrRE4rrGGU/SkmfQT6hLLylzM6pIyn8hjgDab7i9GM6YuJ7lvzb0M08nfxG6SnBlr0Vg2iTMTmLlRcKXEjoN17ZF9cnAwIBeHA/LuaEDeHQzIwdGAHB4NyNHbDs26j+vk3VH9ZzOdY2lBJXaH7NIw6jaOCKAa7kAyr3yUSk4VLZAC0eNmIkK2j4Dyhblu0UCQRFryOj0OuYPuMaQ3R6NRY92y7Anzf/LFu2tVKfDuB/UozE53dyvXXEDoK6qpDc2VhIbyccwhdMI2Hnd1DzfM88BhUBMGzMCNdzzmnTj62/vjd/9o4Ciwxi+mMrhufE5coPXxoHbQ4ODLFIwgEVugxYIv+IZbVQeFFOvg0YC2uumMKpoaa2+8GLNc3pKtTciDtRCQ0ebu2iCifakbb9S8PNhB2DWR6ZSW9kxRzchoCCJkCnN8ODo6Wqv18B9pek10TvXM2XW/VxJyDMPIbqiEXNCxHpCUKsXplDnjQaOSmvMoG3bCWBaPkEpxw5QL6/9gBuSDwrc+CKA/5i7oHidkwz5/9TD259D1byl0PdBFwP8y6SFMAnZe7UNwK6y7/XaotMss3EAzsAtzw8vcJeYBMwwzDWrc6Gq8adc5ahDLoIH0GsLGrbk3YesxVgZII0ISoyjPoREwU1z2a7/9SH9OHEAW+Jw48LjEgZqAvoyV4Iyl+zWLg4ODpnrsLdbLz0kBPOg46vKcnJxZRY5Bfb6r2MFx1fI0+B+vvMPP0Q6fTHha5eBHqjQbkDFLaaWDE/qGKs7M3FtIMaUW1GhrGdqhHFgJOf5olG/PC/BFVT88oGbGFDgFwAEaIeeq1lnpNYPBvVMLWyBl7KN9u7BUEg+NegG+BL8zqjkEXYYR60a4qK5YDXciuxWEg4nTdqA0vxu1NxjU4S9hDfi5+tN/T99CdFsDuiWejdX4cARfvg9CygYO0VYxBfprSi/oN1yX0IruAiA4a8pvmIZOw9EtQqP1MDyWKhYH/2VCh1EmCFv7OmBRKGoAvG/fef4bQLTml8LXvimZcut/IUv0weZzO4SWMggWZ7Lh6VhLyIHIoDJ5KkVtvTqsNs/+3XcS3qtvjTnHEzq8NLh/Q8XLtHHbc3z40G3PG2boeuyy9hXTnE968WKbvdfoUXiOYr9XXLEMig8+QczO8eF5uFMHORbwaxejiZEJuWKpTtxDV5ic48GomSBoRsB6Km2wZihcYOedVt+E/DpjAvcMNjBVUkcKGxcZT5km6+vOVequMSxAFp8659OZyfvKr0ergfejcPGcwY26YVPl7q9p9i8Lqs8yTmesoC38k0Ygfw/pjJJhMowpRynZKM53HL5YOCifiuhOzsUQA/nOwbkR8Pgem88XqD/gc+4yqCwZFFnKGRb7t2j2jADyZ1JqpdAtSp/gzMC950azfFJb21Tg6I+4kVtSwQdAJnp+WpcKCOC9jrglpeP4cKgeCJy36QEwosSZnsV6j1VjYG1oen1ptYvvIYPxAsOJ02sCKwo3QIBRS6xlDjeF7GNIMgD1p7ci65fRfcOGD2I7BeOxwfUWBy+wjykr69oBEff4F72hSU7FNDmt8vxMwjXFsX88Ziuhm75nK+GL+9mKO9J99T4hqvmjuSMDIpfegsHSoIqnDfYQuNCBfZRAGRpXxA45RltMe+EMrT8LZmZ4dAO7qo2H1zIwK5AlXKR55ZqYwG0ONeEODYwvMa3HCDXV7UT1Itx4fijqc5Ys4UHeFbZPwb4sNNRvc752tHFCoQo3pr8YB3MwLsUwwCp8fpC6ISkZM3NrNX/qW1xSp+Kom3D/jJNxwQ2HyHK7VbnUdm0HficeRrdVvaQfEm7URYU1sXJSMKorxQpsgQOZAX2YjR6DaHZDr1mg4RjNMXnUOC5YISE+hWk7jB8uqzENc2dQncSfTlaAg79SLCHnDPf8CrPorOy7wmVz4+qwA5/wsRiQIRqu+MMRjkMVHKR2Xm2s6d6Q64u1olmgKNYnmw84erAZ/KVEs0ymc3yEsk8YMxjHS4joLXICFXqBBGqtdEaFx2tKDZtKMAX8+GFzLcO4AoSs0yy7GpArd27W4dww+GrCc7aOmn92hXdK/malISBA5Y+iWVyoYw4U1tfAptJMrZdUa4vMdQxKaqoZDvTlbAdmecFBmpCJtYysenmIc/pahhjmhUY3KK7U4I7U/jGwX5yTy22NHcgDT2acKarSWRws396bWiPE7V4Z8ykZV1BBZ8XCF43ImW462iIlPTdMOW7XmmLf7ewVmTthETR3bKzlHF/usTAm5AZxM3d3aqhsc408K5/HTbncjHZTrny8KHetgGhcvUxXYw9Wm+rD+N6yc/OCW43muby1EFpzM21ulJM7bkmRd44aq0fA1gQTJMJk11qszMxqf1F5vLvV3qfzLpw4lTONrj9DLB0sCio/gMkNaZ8R5qIitD6Wq9IsCI2M6UYrJqdzalKJqCLtgCg2pSrL490H7g9PE6vHVPYPqYhdHph2YGKhoJE3TIGUgVBmrzJ5ZY/HW8J8yCbqOeTkqLsN27vbe03kIwd6gBdktX+iiV93GnCQTi82tgHy8dYaroG3glSccBVljSlGgbdZ6pzCnkhlP4NjpeQly6FFzx00nXGrQ6SuHNb/gTK/hhYlsg1q4q9M3PDcxJ7zIM0ZOiCtvufLa4UwnbZIORGksCJZc1OhfTxwsYjmVpIwrTtoY9ZjhSPr9x/TOMqlEZGe0jyFrDlXWyuHcBtUjGIHlItccIGYSOI1k4jVFtgWeBWQjnsS0tIzwo3jEi1ICim4kXXgXz3E6ipYyn7H7EffcstIcs1YSaoSbxbgpfhwNbFqLW2EtIlHK1rxxKU0H8Q7W1/7RpUm4tTBzeFod324s765dTHc2x/u7G9tJ3s7L39rhidm1FDNHqqJ9vn1W3CaVsSaaGAEb1vgghxTAqz6IaMmVtaEkMqLG6zYR9OGnMnldOBMwlxO1wbx5EGKGOl0nHldYjo6r6ksoiqZ2OuxBhs2HdIhCuDZUHBASBOcXTC81Xsac4OpF6LnCplVeU36WJEHKxKg1kNJJrH3o+gM0yNsSprOWBLhImxvpRapz9pT8671JhdlZS79j4IK6SLkvP1XmfgBqt/wPOe9z+CdG9DIqJdwjtzUDbcagdvBMG2TkpBPIdbtmcfPzJpNirl7SVPfAzYCHvt4kWc0MLvIvClg95R3agUxsUgw110ipQa1I03aggTpzQpO/71XqwLgVtbANaIcg7nYaj6xxOykX6iekRclUzNaanv4tLHfRIlFa3AfSG+dJDPSbgDFq6rIHVRIoY2yyweXAfhirebYJvq67V/fXwc/Hh59MUffyZFdTehscHdNlz26PdkZDrMmZGLKupUDFtdJLoJMALoIXJUqxW98ZCaDGsGK5i7Q1EjV0TBAt/BFVUAZuKoFTqyLt+jSqwv5PCR6JY5T1pI417IzekObiicoGBUmTs7H9B4rr6OGGSQoUETT214b+EQ4o9KeLjT6rRmmdVVYjUFIYtcG1s4gaApO9vrbqpmSQuZy2qhsY0WNvPaRAlzvN3BF/t/24upv/HZfLSSzd5LRcPTbwiUArnmbGX1jdq6P6/okQxedO3jJaAda96O0fZOQt+LVhvhn02mX4bkuBuVAJzz040V3c8bVkg93pLXfpNeCdnHD3mpBfodq+7TiekZozpTxigychYZ3rBWKgEKrOVpLR8U1kpm8dfq4RRVA0MgViwQcmVGR5RBvOGNzuD27taayMNExVcyuGZyV9ZeoZgBClMzrVXMDo8BJh95NEJSljSWG2xmDJLUQ6Y79tOHuz8BN4bTKqQoh+LXpqKxy1aPy5O1qXg2dammKLM4SJZ9ANDSspa0puotyZz6AgYK8qioxc9eRVcpKCIPCodGiyKspaAJdT0p9U0/hJAivPaM+fACqIMjftYE/NzjyVSskrWEK1lcR4Aa0z9+lZzaw7nn/MvD+zjJ19tEE54ElZ2G4CqfvvSP/e7SGO4xoq7HD/RBD7S6T6WXUajTj2momGThGsbgfmLOQT8yymuit9u9CeiA62CjObrwtfXWJe9PD6s9ZSUavyHBvf3N3fzRET/fh8U/7w///f4w2t/+fc5ZWdgH4iWBGM3RyYgq/GyXu0dHQ/VFrgZYX6ArO6aSyclkbWZYs8y/gf7VK/zoaJvb/RiTT5q+bySjZTDZ1af462tzaDKr/HddosjLWVvqm5Y21qD5V3Lj1XfmQvYwJiNmOmRkKkcjvSj3i4XqnNiMpz60iE3wsJVM+IjuIFOi/gD4czG9mWa9WcyqNy2pAjc/n+0LuvbsdiHz/WcNriQwEc8FastCyb1+sKGL4tThrIWYA7dPRiYdiktdukmiBEegHVjqIAL/XTSkG0IFcKGXlTTjyIqwNP7uENBTZYdA6ihe1NLdGMP/rSoB1Im2oxxQMchSxdvRIROoQl4W8Wt5AVZp4gxfa1ps4+MRtbBzY9VOlgJ5qtAiXXOuYPXjTIHnXKrxay9Rd+uE+3KGFmAbDq2vq2MFrFExaN7eWMvysZhZ74/etknHV6LpMxTxoMWCXcsgv9ICRTDJktQW9rndHM6F7pItDa4PFLLkB9ep5iGLrO2foV4ZThRLbB9yez7VzRnXd0K/lNHK7Fqg/NWRtHTrnbTUvZnpavBAtJ+aWKnZfopY7LKABnM91YRW2mTFltgauZThZuhq77mRu4HbxyTDiCyw3NKjr2ay7Ja57sbR+UFlrSkzX7qq+1NhGxaheWtWX1XcwOrmdzePgNH/Z32VSXQ9sz1WpHc01IVSGp6CdOtZqMeoIPNzBNm5Tw7i/QuiUO0P49lWTp7ghA/9wdzTuFcTbVU/zHlysq7pnFx+u3lvlr8ktG9tj9NGHuIsWPNGQ9vRmTHAndhSDaPFaqw+yoQVeYKONfUYgkSivxrlMr1lGNDfsqodoLiAiHzgSFaQSzOdgNvXfBw1gqPUa+fKWQGxuAvL+3WuSc3HtY/3vLxfq6bJNdX4UrE8LAQc8jQMY3GmNRiAHkfk4CIpPo7xEZDHvg61khbViKGELKeBqD8RuuB7E/o2dnfGVdlznwyjbAhtzbvzHcAiOt4W3iOvrSx3piXdpjpNc0t6gt3dcXxMYAYwlxaXiGHLfZoba8SuiZV6B9yfKyXuvmbtKgqXBZY67+EJ9wJ7e5A7YL4VUxQJEduciVk/BMcX/YBkM+8CCBhgRo1MK96FhEUNLN6PhsMeZV1DuqgS7GudzWcG+N69XnFRAbgJJwjoCSDdv0+wQt845p5mlJ1EvA7HmInVBU8Kqxi2HubZ8ZbEj+rieR+duYN9/8w6xDqGErUchXhnh99dQcBGjO5fiA7gTpNfNygbsI00NkSpzkRPB8RLdjsd34+FYB+dtuBbpYOuGRW3inqRtEebVYqhXmKB5fhpC877by19DBYNgMIQR40oHUQINPuUvWXywAY3i9z130om7catKL7yjYKCwExA65mblzoRPpdBcm1j3dpQZ+91AHbDaVm+5EafnhfWMmUUz1Fy7yuU00fB74n9PUpmxq8QzX/91LWJj13YdvY2lgNwUHWWlcUWKXM233aqP5snR+Vri8xsbbwQV3JE14UYTeSvCjJiaYWV8nXMRxk1liSFYdy83itkJC+5KkZdNmjZ0oZZn91+a4Y3cg9dmLggtvjiLKAIv0OogjTtuzuw5/aNuRbyEtKD7DdXGkuyBqBmH3eGwIPRruVBYB3NTH8kVo5nXy5yw9oRe335EYhIPoCcOrPx3y3XDqk9TVmKefZjUJ7xB9Qxqj78UYP6dHLnJV44rJUu2cVBow1RGi5UoB5+Ox4rdoJ3rHz+/WFlDs5P88st+UdTMhNPcP7U+3NkfDlfWWmy0G/P9jXmqzIyrTwwAhFi5phOqFde2oqvxOkYCroCkHyBJYVRdJDtIrcx3oguRPJGnDwgTdr91FC7o+GoGt+0ycn7hoiAZtlR2S0HpdI4dn2foGufd4a9daiCf8y3NS9ZWVSq1rBZUq23zQcDYUNzQa2TSdTCu7BG+YdrwqV9d08uzgGUhsGKnGxpzerhYz1hpZp3RUSS5G7Da4YOXuyLOvnDZiwKMT1LmNGV32id32CX1kf8s+6SY91goMMXGzubLUcay8fpkZzxc394c7a3vvZwM17dpur33cki39ibsfuvF08OEuysml2Hxk/98T4LFAdZ+bkXjQzmZzu0kJDpoMrZ6UTNU0SUM2F8hctOHyNux3cL9/v8ExbFdeTqndkVeQzjgcN/gd8jnIPjPVGQbUtWLJY2Yq4GrjxJc1OM5Tnnib13Im/rO658/nbz5H1+uU9fZBlbI8pTptQRfdsknzuHXisgHTwnkvrMMsdlajz+OUUyC82o+KmofIwE/QzFZfU1djIILWcixxr8futeJ77299VZqDB6EerXghUKHc0/wETVG8XHVaX+/hNJZiPcwXyz+w5fYiwfZ8w1Vc0sboXMZ+YUpDJKE2jzs44xWGjzlUFFBTpxsaXJryxWCN8hnc7jjCZXHb9gArg0gsz0b1L3irIyCXivxhR37yNLKsAGZ8SxjYgDBuPivFPl84DjkgNwqbnq81Kv/XPHPrgzICj79YCum5+Y7z813zHPzHfLcfOe5+c732XynN7HkcboD6EEwDiiDULN8QXUB4jmR2BrvN5WFNAqefCrtplYInM5FMb4L8vD69R38LdRVhmHcBqLmUJXgx7kq7FRXzuTj9qwwTa5gFdG1lUs1wSwirPsevHr20YG1NNMwnLcmPdxx9fgWvhpZp08t4rDhvguD0K2LYXNX6xSd0SaIXtlZFpShWW4oAxHMmVwC64pL/8ZZ2JniN1EgDpRddW6HyBXQWeHGTBZsg+Ye82GldrhLHOZzF9tL3EcKVFEsD3vPapuOCWDMiuXshkae5ro7ZG8sZ5S8U5ZMWTsXBUDDfQfiMw8XAnER3UW5EqBmiR1XgGWFSTp7WTq/kgdnurS6t2eKF1YQYOvkkyPy4ueTo7V7j9LqaDgcNQ98bR8uG8J234qefrXtA/BF27t9pR5uX7FR21fsxlZngiwvNfjEjl37iL2iitxNhL+9K6l9VjZ3drf2tpqnpeAFu1xiLZU3J2+OMYrfSxefewzQglHYbAiniDaKUQhxGs9N5EqoNBQAiboGcSpoItV0A++8If14o2AZp+vgCY7/Tj7OTJH/8+Tg9KBm8ZMJTznN0W/8PwMnMnz9vQTrV/VkMlr9owS9f+zqW4YxMbk2ZB5ES/d5nosy/mJ5lPTGElKMdi6ITK3aHqiL9hayWR3ubg9bJPSZGmmPQho0SQqB7GA6NI/ZEgtWn7Z7FKIwDwWovKSss03Q7HFKVgdl3pfdFqTyViwtKBLdx3aCVfCgKEg6fVg+PW0Hxa9WaAq6NUKjxsg+GbQ2EvYWi9V2lN+GfZpFSuXjlN+Nu/b+ubHjc2PHu1f73NjxubHjc2PH58aOz40dn6CxYxSxxv94ZLxqj2/XDmKPNZgm0Ql4G/uQUEmAemkusIdrsmI/9hR4H+1u7W03AEUxffmdKGMXqHSAOgYxQ/MCQlpawXnLs0Fh38AQe4FUmHEFgRgOkrUO9YWoiRBDtNRmT1ZBB3/Xe/B3qTrkPSo/++K85QxD/X4Rl9jHneGrhOZwOg2/Qea2rGvf1y4OwF1UkmheF1nw4vzgdC1BOwsM7xBm0He1Siszw1B66M0U3f3Alo4r48KN6gJZrTL5R6fnJF4xIS8gn53nWUpVptfQb8sKyvP6vS5i/5KwnGrD0ySVC98pAe651hVTCcK5TNHike8CsIABvzg8BbqxQMDteYTCgNzOal1lSPCxkV/4dEYOtK4UFSkj51DFlBwefBoSKmGWdtdRIwBmIS8O17DuXXt9788/BfioAATLlrmRR/FEbh+PPmUfD//6/nxA3v7V7+eJSAfk7fu/ttpFDcjh6V/v2fNwdD5r73OZ0ryTB/Hkm++n8fzm9VpHfbLkYTnF3zm7/ZSVSDWlwgWqLnk18VSavHj7GYf5RKSfu1iaX1aCL0uF7FszzYmd0S79/Sesva8v2iPXDxWEL6W6BPV1eYmJQXRCxWLIIsP5guC8GJBzUF3OOiR9SHM+kUpw+qglCmkuwYxcYE13eXAvOhWl462BSh2gVYNRKjTPoIcbhKF0tmtzuDlcH75cH+2S4db+aGd/69V/Dof7w+GjV4VtXJe5LEw2WWBJo1frwz1Y0mh/e7i/ufMJS8ImVZfXbH5J86ml9dkiuYufQocHfvzggvAp61gfATtqXbPuYXt3/ji5EC0qrdTNMiv6w/i4IF9sO8/tA6n7qV4WCQjGSIEg/KBvnceNv+PpIEFwbcqdzdGnYoJ9LKWoc94+xVY9dkOEDcwYOLFb2xeCLBdY1e7OztZLj/V2OZlPWOVnWuOQAGptcWcRRbunS5qijc5NV43fHLpywovCrJniNL/EJNMlEagrQohT1fmsuqqptV/aQaWAkCaZzqNSXpO4XCbscTmjLmF00OxujS5BH4gvwaTKoXOOyOrwljB03VW1g92dnZ9+/PHV4cuj4x9/Gr7aG746Gm0eHh48jiuE0MGlc7qTZnuXRkByiF+MuMGvrK4bi/fRtY8ERPQECt9wQX6W5DUVU3IIscok52NF1Rx7HXj/6JSbWTUG1+hU5lRMN6ZyY5zL8cZUjpLR9oZW6QYGO29YxMA/yVT+x+utrZfrr7d2tjr4x5CI9cfyYWesfx0LVQcT1YPRXpWeUcWyZJrLMc2DNifYwlccrUV+DQv0Mw1QD/y3YIF2YvedqweLX91hgp5f/LVWUQfk9V/PqSA/WeOS61RGJurAmikJGKRPu+/fjPXZWPknLeVrm593HdTGFn72yr4BW7O10Met5Xu2G90t7nLVor/XV8V2UqendKhu637IQ2Qow8Pm8j5/dh/vSfv8mcm4WV9KlZpjyVBMYqJ1oBeEFltYozYoIXeimdsLSveUyfBKnB0V+htj4WcscMHSGSiIdfUyC9nJmdf2pHL3xWpdV2WZ85ALsVAPP27my8onOvSMsHuDKYVRjDaLjGGuNBNLy286beQ1ucm6DWWlMjNygG20WgCCVL/kWvb0vX0alDnF4eT8bX+728ODXpCWtYMOnN5NPKSCtrIZPFU/AMqUyctSxlEqMUOTYsoN9G8TGcmpgQ/dG5n/S1ZyKVb2yfrLrWR3tL23NRyQlZyalX2yvZPsDHdejfbI/zZvw5aoM62+t0fQp4i3wnhoQM3A57dgUQU5IVNFRZVTFacqmhmbW5bDkNlEd82HceuD6JKdK1eYGSrrYF8XMsmlVM6kHASrsFuNDsHLSTmbayzACdrcANgDCpJmJlBUIRG8DFxYu1QWwP0i9ta98R5LbaRYz9LGvig2tQJliSfrHcxw38Fa/9thH0xLOloOnt6T9beKjVn6Q19eg5df4Yu7JdjFjLlkhagxZE/5InhG18narWSYuIzR4h2OG33+n/yoNVrThAwnExYM1cAK5oqIxaVaG7UVBXl9dHBmJegBVnyts6UQ/rhfy12NKJ7aD9TTdRYXheXvXX77RsjK/1L8LcY5AJT80NOYxNHnL/7zA41LZ9hjBMizpsi6xhj8HnwwoY8lV+0wNKjPE/wwyrsY7PvM9xp6c7QzgISVNaDzUjHHrRNykGUejEkocYGhdG6I8RxqUauUah9E3AQOmTH1viFXPR9qAmpWUkWNVJ7jUt2opvNCC3qN5VIGBOsezujW5c5oc+0RqtyXTi368llFXyeh6EvmEoXzJHWjE/Av/vO9dWqgKEy7To0rHA0hd5XBpg3aUBEVyzs+PId3k7/4Q3Bnse1uXReYFMr3upuy2O6JqvhKhQbNQ61nYa0uNqgZkT+jKrulig3IDVemojkpaDrjAuJ8ZHqNV4yGcgEKkD2K/1WNmRIMKpvIjD2qB+ydMfpPIv/ftqo3N+brBubv7V7ubn8tCYuyUE6ivfOk5sXsXTK2TqRF3TON1Vc7yOqqvkv6hhGlIqfM/Hjy9rwhl2Gm11xUH3vGroGOZgojgtz3xcl78nPfnl68PX8bMPOAU2TKZPINGdIAzrduTCOQ35xBHYP1jRjVFqRv3rC2QD4b19+mcW335ls0sCO4vqaR3dS6lgTJ6i9u7FgiNfqS1t3TQ0XcW1+a+cpDdgWGjT2/iplKCe2tQpDHTh16wGB9mvU4axX1gLhOzIEOePSNmmh+S+eaVPDKAEpDusrSwelQMCq4mEKhc9fll4kbriQkdsc9PULHAYzrURjp4tpLXY0ZNcCIrtpYKB/AQnig2RYT1le2Q8ODzUXTJSD3F7eZd826LBo9vZc+4RbEBdkDZUZUGVHje8E/+sLxjlFCC6vfK5pDMncYM9LlwDygyHLdtUod/VJpphJX9d0a1SRjKc+gkZNVR4GUauYu7fOtzZc6mdCC58u6/n17TnB88sJf0iiWQZnejI05FQMyUYyNdTYgt6gOdxNP8MkO3FX+hCVsv1oiUMfcwV1vZmWH7FBMYLxD5aWpxfcb+S96w9rYinrXLGGX22vA2QLYYG4reusK93cg3062k+H6aLS5DjY5T9vQP60C9a3tdVwxwaHsrs397zZmvLfzS+2sn8+dZ6v3ST0g1bgSprrvDFN1yztneLnJ1R3gF6XH0TAZbSejBrRLK7Pumrm2xIq14A9zWWXBGPd+grqZltNqMOULGvZemc2kYBmviitomnBTtLqmNTwBwSc0AM9w7ZrwydLxFXyth4QR+/SRVpXxcsEyKHcFtJ5jU/RakwtFpNHN3ty2rc2d5vRWPn6tCxfIX1zmfQusDvLzlrQ4a1o2EwCTLgBWDD9xxN1X4892wasa1DIvhieE3lCe03FPUZCDfMyUIcdcaMNazA1wg7dB3++NX7TIb/ryL4LzS98DtoBYZrENhyngO3ADB20WFIZeNXj5BGwKZFCCUCHFvOB/RAYIojB8fB8abV3BKnh2ZSkFP3jrG+2fVIoJ7lW7wLXIXL/hMKwv/dVDVEsxzbuk5HYLpuwC8XTW5FfjaOczqXzJCSgVXnv+60U3il+N2+3H4Tkl86Xlxoc6/ECQMJP3VkIBtGazsxbAq/9cueZjKuglzQouVgZkRbFSKqv2XdoBH6xgH3xcxjQiSX65uDiDz3ffLP7k7+dDcKN9KfRegjbe6KaqVO7bzGiGPeZMREt2O1TuV+raUy4eU+JfGMtsnsTlAR/ZgS5+tUlGcX2PFpgEZm3vy97ey7tBdJXsvgON4cJ5cXDj78XILyzPJbmVKs/6MbOEfbuQWHT8nt17YYEF7jxj1JoZXdtttL3Vv5kFMzO5LMG/2kApThXJpDPFJfTJOz48J6NkNxm64pl5Lm+tzTeteAaFGW5p6L6S7dcDrMDe1Z2fSFFp6IUf9X00MsS2YL+e3yum5tZkXGn4deWkBgNde2F2uPkoFXONglhKK8cUQk9O3yS8UTAT1uvr6ftOlyCsCwot2w2DNrcJIW8bA/my4QUVWaN5KhcA5GYyTIadC5Kfjy8G5Oztuf33vf1Hnl/07jn0oVVLC25/54avuyPFZNAhTZ80Ns7ltNEfqQW7LqXQ7IszSJx2UQ4ZA/n9ssj7cHI3j/S4+dJM0kH7aVzSAY39KnquFz+/M2wTp66rR+8t4/awGSWzXNcbwHWXL3MErrW6NrRhakJdHpBTvk4aX94fyhsGiMN5fYq3YqlUGeFiqpjGMEmGfzbnJQ1jBSqVoR6Jty1U+PaZqt2qlChZQQ3UXNKMjGlu2b5aC6MGVxv7GIo6h7FmVGS5lVY09CpLpRCBtZ+411FCuDGp7zAYhqlRgMD5sTQTWirXYLmkgtgVrWFp/xiOxOGnBxU9AW+LK6Y053RZZkMgEZwFr5bqHaudAoOesAG/e7Vw9M13XUofOEQtKjnUsRgQWRn3hyJZ8QfYUinYuB4MQYs+Z7J78X4j5AtEUdf4OjlqI6tB3jW2zk/fnHXOCSEnRz3cb+G6HUv0wJzEe8HupohuNWozewD+OpFnGvOp1+7jPdGnR53A0NDq1rfuKlg6o4LrgkT9vKAsqYU+SpFj9tc6GNUyunq3HgxI7UznxvW8Ejv9+CaJYf7I+m46DbFrcpgIe0j7MeE+Om6u/JerxkL8W3VR+J5u3K0VCmlgESyLx/9L6LQ5rgxR1F1d+I6cfwFfFRfuTsOqwIi+R4S8Qs3Kp6082aqi2a7NbREL9Qwb3UgLBqHCrevhcDDvK969UNHu+ojHDbdvqRarqwZaCWKoMg3wDUgmsQu3o757W5pu3FC1kcvpxqQSUOJUJ/5ALcA54rK9T3oHFwwou6oQIee3od2D1uGm2dMIMeXMTO0Q5IZSoE1XVskMrclNq4IOSGPhuiZNJatbscMgeJ0H5yNqfw67ggdobt+uL/t85/OyMvGpCmfacp/QmR3aO6Di0OoLvxYt+xy6DuNOIuu5uqVKXA3IFVPK/ofDP7XuQPOefunQmLC5rfZEqyXs60UzVtFN5CQ6tMrCbhWoa9WtFStgNvHBikdJc6p9hA0X3HDvKwgzgI7g29OStNJGFv0hG1JNfflMLPycjKU02ihaJj/6vxrIQqcBlCZPcr5Q23YrwGsEdzBkR/HFdeJCqs6j70NQHNlB+Aku3vkvYhdD68i0Vru9eedSlhkh2yaDp1pd+L5uAGcaHbQsWwxphb4hYMzcMXYL7mhSg+/Vk/W/YscFthBEUs8ZC6ST/Ive0F6kVyJdYpmMDsrddK6T3kxmHSw/QDvcl7xoLoQuRR54VtDw0lnYCqYhoBIus3wwqo/ki58I24j19oguc24wx8iQqmw0aS+pMnGg8wlGEyroAIPawJUb1t8hIPLiuEPssg4FqDIYsdlKncXADWI6bSzDL3bQWVDiAh3DmFAln+ZWJ5hjR3rsSZM6A4pixQWMS2EilaCtSEUEuwWeY5XzQt6wJslD/8yqbIN8Z/t87CuXsY8sg13JZHrpQmitiMq4puOcZURLi/mUgsgcM3DkxiGXYx9/Ba5gx7wVM4qzUHHi6hLZRM+JO2clGb0iw739zd390RAD2yFg5c2c1CpOp0RcSKUDubvAacTu53edOSe+Q7PKWDkZ+F6kQalDdaDgJmZyN5y6YRJyljOqGdGMkXc/HWqys725bbdwa7S7nfTAn0xoynNu5skyfF2r0QpdxTbiJ+zoa+3QjbC+gzSVCjVnGa3K0o5d1iCuD1f7PqjwYpSMmbllTJBhGNK+u7nVJYrNrXtxtESZF2HKqp7rY2pNvIWR1VoHEPPLvrWUiku1WPGox211a5v9PF2C/sQtZvWQXJM98pcaOf8ZtN+kyXNCAUL7vkK+Hvq3Q6yFY8WOegKhwMyjV6OeLgdbO31oDQA8/hg9eGKC1r/wiWnYgk5RgsKS0IIkYhix+VNnqrcnrjkNYKntTT05Ol8bxJaONVU6wLuTOZUW8c7Q9z9eJfeCbg0nEBvecLLAasNFaiL7zBpQVgrIEi2ZvIY7lSU6k1rGUi8onS3v5Qlhw5etB39tYggTNnMTFiICcKDfQQGRofwVNz+Cotvt3tm9wQ2KLvrYmXgaffVAeQjv4G/mtONNQ1FUwqlh6FKSN9D316qMtE6gJ6iM4ThxTrpu+OncE5+UAe9H9wExbliqtUx5/aLVXW/q4OGFLhZqy31Zx+UALZgpv2EC65bFszrfTqmkkanMnfvAG/1qzI2iikeEg804rRTGi20x1agbF9DTh6kbnjI9AEWU5lrCZHM0AOqH9fW8jNw8PP19YCUXG0t5PSDm1upyygFzG/fXtBaH5qZy2nndBfqGiSwU9iDYZwVgqYuuWSmUhSJrWHwt2MwbGdOGnJxh4xU9gCsmPSDRmLdcsVClLpKpnxF+ARVjMZs9rcK1TRhb4wUaWTnx1zqWOR0fnvd0GqK8aJBWzxVzx6p8zPXyKt4v470y9hpjSuGOjKU9NxBpa7elyWevEMF4530FSsSVRba1l7kU4XvFyLWQt2JArvxhdT+hqsLrndBV0SORdvcaCHAcxMwvl3YXFTWG845+AdnLfnHk5Awvax01UU1uWZ47JhfW449fnQ7c5H9RLW9ipMzX6VRIbazkM1RkVAGN+e67YdhJ3uxv3t/ILSpUbAkk59OZ2QjIW+fZuhUyPUrf/uztf+rT7V/+883PO2/+sbE3O1H/ffZ7uv3b3/4Y/rWxFYE0luDlWDnyg3vp79m1UXQy4WnyQbzzZZ1ZRmqrev+DIB8Ccj6QvxAuxrIS2QdByF+IrEz0ibv+Z/jJUlD9qRJAuB/EB/HrjIl4zIKWpT2zIBi0v3WwwssZM4UU3EgFLS/wcn3QdwcRjxk4FxS90AQKAtjF33B2myAMd0zsUSMVKZniBTNMISANoBeDqQakAYH9L6g8brJ45DBpstL1jAG2G3QzkeqWqoxll5+T3Vs3jMKroshRGv3k/GSlkh+7AT2jV5vJKBklTc8vp4Iut0bqycHpATnz3OEULbcXD3bJ9vxkHYHrfoH9stdqJfPc8RGQV7krOevf0o7/0JxPheNgoPGcMvNTLm+Bw2n4y8UQh3FzOfWXDD5esG9N3YYETUSLxbop3+1VcjppAiPF9840yxzLzbANpuWkXv7c5FS4h2Pvni8BgR5JGBIag//99cEpktjv61ys/45fGIrX1VwTV/8sIQe5VQiiRAUEyN9xEjtxwtEVCH+721CAPoKqdbFsxUetrlhANBOZu4W3vBC3Lbhs94abyeh3wkRKS13lTqmySmIr9KZl4fzG2PWA/MoV0zOqrpO1gPKHokLsAhK3uiWdGUB6NzakESfUOd8Lh31EK1iikfvWWWy4mLuiQO5cziNjdZadTIS2x3hOJGSySgU05pRbXZdg8ceuvZyfIXT6Vz7hDbBLml4z8wgdt0+fdYN8kkbr3u3RaetferRa/2Nt/jj9tl+v3WwGPHqmvARVavX1S88oa5UUOQ/7mIDCOCA5MOx/0dQaaiG2JhiQ355hFBJiQpiwh3oZKDx3Z9VvdqQjoFEMWZbUF5G0S/wvnCc+hsTrsjWGczq3sr/KygExaTkgvLzZXedpUQ4IM2my9u1h3qQtxC8p99xFl749PyFvZMZy1FFv4xxxT9avLRYTi7ttxGDkhCg1Swek5AUg9NtDpwW6gc8/sxz9HiRouMN3o8DTzgn6Nv7uvqKeUchqu7InOHdp7nnJILQOxmo6Hd9hxsDhVbcFMyw1Az8+hvNgbOSDI643FXlnRVo5VzCjeKqbDQ9CPYYQJ+RreeKgkEIE2bpuqRBmEoogQLbttFL1vkuiKrE4AoiWE2OnS3z9qHZtUe+U1wNyy8Zg5nGmB9auVxVU0wipSBulgvXCuL7OkdeHa9v4B3+CrYLsho1BimaES+xcarAAOkNbrB6cvXGoCW23LmL6jNzWFPOi7vBaO7nhQ8b5hFARGocB1nGdOtCF9pGySBu6Vv7vwTeswo2KwTCKpwl54wJLfq9YhQOT44vXUJoWWtbp4OEqlUyZ1pGLIgwTiigrBnccUQ9Gjw/tssAe4WpncWbApxmR/kwnLvViJtFoq7MMwLkdhdKjwW7RAHUYAtu33A83/g8pmkntRhKMzeOTuc/x8J4sQs4xY4KqouE7quWJ8263DbhW7oS//cAUCmuZ35FC4QK4DJtKxf9gAZJF2TwuIAkoSZ5TKR5tnnVw+N3nVnRW/OdMtugs6M+ssMVL+JPrbZ1FWSa8LAeIY8PA5+Uk3CoEj9w9qyNGhgMV82BIO6nvmKhiECLnhIUf2XUaOHEXFwNy7C4tajF09Oa3Afnl3YC8ZlP7hLUj2xg9w66uOMzizfmeS2Y/l8x+PEi9G/pcMvu5ZPZzyezvr2R2u2J2U6jXFy5PaLj5/PnlW25+pj+v6eZGe7bdyOekwXeQ+N0bb90l/9mtN7+iP7P51ljDd2O/+VV9QQOOi1QWcUjFpxlwdWEAiqM2jbfEs6uO8QZGWxj1AePt6M1vC6Py0yKs6giqutxQvyBfTiuFNweHdwPQmH+ZqvhhnRzdRULYrDqIEx4Eb7yLTo7Ds8ObjWDsGcvLSZXHJa5rcTepY3rCtUO4CqCY1MjyuqIQZlrGzdGbEQ5CxvnekKDIWMYyp+VjxiXClbOJIawozbwnRPQSwunOf25sxHOzBvfDt1bA/7lZw3OzhudmDU8M/Oc0ayiVzKr0CasndrJr3Qx3SK4WiHpzOGzAp5niNF9uCLS33d1kzjJvqhZLa2oxc10p2vXuwAVPDSUQ+wDq4ETJohn9plx/rKgRcQitrkeal0wnfVVpfPC7uqrVvSsv3aFETabhPyX8ByQt/CHznEEhG/Qf2L/q8IKelL6G9VzXVYzyqZ4SqX+HgRcjuPN5QYVpeaR6z+/TtGz1mxIxxLpOR60rwbs+zqf9/QMZj/E4PqaDCcXTGRIUBHM0Cs6HNMRUFiUVXmuyaiA4TRvE2MpJjFMgdSgsaVVJSA6lSlExhcicCc8Ncy5dqOntlUSo9QDBuwIe9IpmAKNez2NKkX2FRgtNdZcszTT4eqI+pi2vrtWSr0G2QUydg5h6gHQvILzS04+vENBPprIlARcvs/mntAqeTYIWju42Cf7E9sD3wiGe2Bj4E1sC37wZEKe5+FJcjnufRV/dy7RrmX83zwYZrw3Nsb4UxtH6WT18J6ausAXno90WB4fyrw3CbRYSWMQ4NP8jHhVqBIShHSA4pgtprcfCNioqXG0/ooDznb3+n2zH3Z48us3/uOJ5drlcalw9cMmNvbtmTz1AUW/TxGU2OrIIfCZQRfgmqqQbMjxTWRTckPNfDjAUQWA8OYOEZz9ET/7+ZHvyku29yrLd0Xj4am9vPNpkbDgcjl/tvdrd3dt9+XI0TLMfHmB5If9/xtJrXS2LNx264TvI8isEvfOGqVBMrpvkujfe2nyV0Vd7r7bY1vbw1av0ZbZHs510/Cp9td20taPJl7Sio2YICWRDN7lAgPxtyUQom6PkVNECjOCcimll126kIykNV7EbiuWcjnO2wSYTnvI6eJzUoftN+wDRealT2bbtn/DyMIOtEVMyk7fxgqGsXNhRF0lXaabWIW5lQKa5HNO8gxf8um8hbBF7J6Omv/eEZXyQz9sLXxNzOU+Z0Eu76niNw7vK1Zja3cacP+zN3muEEh36eDmcQmCSGzE22ZQsyPnZ0X8TP91rrg2We6mZkdSaj3NWJ8TrMvsIyfBuSL2x1uUzByVNZywMvJkMl6jp9YqIaIqacmRTsVpeke4zamZR4Ry/b7xDUHHB60qrDSD9jUOW51RtTOXGKBltJq/aLWqgQla6LBT+IgsLMvoswmTk/bvX4brLazDQsoLrWiXhdSXRu4sEhqoo0vIyS0yLyhur2Cyw6kcVEPQU0+jq0pUjm5tbD3X5fcL6a84h2tUF4LrShSd5fTMmMSwEPy/ZwJe3NzPafKSggtZFnonLPvY5XftElcWAZOX1dEDGit0OiLBfTFkxIKKCr/9FVffMq7JYdBuXq4n5DW3OEreU2Uxexcp/U+8/Jr9A355P0fx/ReOInEllLOmT448srfDPF2fHa6Hc6jelVh+evW9MQwxVU2aCUw/qR3fU7N3thbXEhlN1KeFJ0NIMp2m4vbHvgG/pRqiBp3jOoKVA1wCHAmtyYsihVKVUzczPB5a5fO0xLDXrqpGPXOkZjcO1H1iZHXvJ5lNYWss+euSydpOt5NXucJiMXm6PdhZdHy/KZXbbrSuYgRFTQKEyLEF2duyqux8IDwVZX4cuJPAYieAi9hcXEeLzjydcTJkqFReGjLmgijNsAULoxDAFPa0sutAWDd3aU5mx9bhHBnHFObzZqrFot0zTSimrnaMSivn+6QxuNKDImVE0mL0APdb+erAi2u3tbTLhirE5NuEb53K6YWaKUbOuGHY42NgcjrY3hqMNo2h6zcV0vaC51TvWETnrdkIupsnMFHlXIA3T3b3hVrrNXm1ujuwfWUp3Xu1uUZpt7WbZZFHq8JXOL+EYLDvQ0iLyczjY+dnByelFcvzfx4uub7k34GFRfdfgj1zcSuDPHz4eHHtpC3+3L1tW7l99tPbUh3N7BSD66v6LxoU8f36K/mtCe5zDVWHdgdslaTcbzUH9Uz8c4dlGRIpRq51QhR9ulK789CV04p4YJog2dK59uzmcinCjWT4hVITdtasqObIZ+yDa3b4sHVxPILh1Sshi+sx0WfHtq6E9tEcSVVMoCKIHdtHQ6RnxaBdEx1rmlWG+mVLNCmeMsKC4RazsDbZYxXtcxEyppNWaII+AQzf8aM86PMl9XEdjb8zFhg7sfZ2s5+HPSgcFfZ2Mhon9v9FuB5GXkDP2OIuo5WpgYmqCbPLEYseGm+t5fzeFWgr5cElfjMWVPbQosJ/GVXrNDKGC5nPNNZGCzORtGLKw+lrYJHJrDebADaDzNVXxGSJvQIyEF1zP26jXBHf+JtQgdKVLnnJZ6brTdkdOPEKPzdil5lNBwfHMPnL9YGmssZQ5o6IP9z/iT3H7Fj6Bjo1uhricXRvoVaMq9kC78jshx+afSzuFDznCU6YMemx9H9KeAN6ItnwzulTNSyOnipYznmJ3KF0f53jUG5rzLM69gyZ1lTZ+PquV3DBSibrEh2t54V+tX/HZpvX4YdhbqkklwAvOenqYHb979/bd5fvTi3fvzy+Ojy7fvX178albVkHm1bIy1s5x+IZwhutnqEStntROaq0MkLyQ6/aes7R6bqRi2tXzqje6Z/Os+srjWOy/2x1H3aF+/a73PMuxegpUarHKMRVZs0uba9+PbhpIImtUkxnPocSwxvB04Ewsn+NtCjrYkEo7BPVZpx4o+zPR3M+zIDqKTzk2R464F17NWM1uSrnQpiFiwV6ZE9e+umkxdM8mbezFAwfvsXgqCiqyywWbpH2dAISeJpAObmzLBqQE8tI1yHIysx1f4rWeMFfcSrLWepCoaZ7X0rbd4K8jhj9dL2roQ2QdinSrlt6zSKkJCNZbYi3yuwPf2lo+at/NHElkKijeXC/TOp8JowLhug+LGOo4XLUWZBNyCzktjYr9cNMAmeUeEIywgcPz/v3J0cCaRYUU3rohP78/OdKDWD7SqM56YY+fXWo+DyXPsVR1KDIFt87dVR9KoY2qUoOdqtFoyOduuBhzkKRjSVgKUirLBFO40yy44dNYyJ6dHBHFKs0apd3rWuy+itsEuv/g8qCPhbUhB4RaUaXbMZXEpwdb7Eltephtuplu7+xkryavXm293Fn4Trw+Q98sL1k8mOmgZSPFtN6wke45zy3scPMJ7e27Qb52IFRRmrZLXRIBS/kza4hEBdV6q6dG3bvGVt12Qi1El9eT+fOOXVCwVHPsRLD/Ay7ccys6cl3/FyAiexSTIttZEiN7c7SDU3Qn1TM6WtKs578cjO6ZdnNnd3kTb+7s3jP1zmhzeVPvjDZ7pv5Ooh1XvUDBONWGhgBdm0nqInYwhMVZGIpoXvC87x6xzTFKquyxffYbfabfaBFPcI3qZ8/Sl/QsOcT/eR1M/Qt49jN9+36mO3bu+3E39S/w2eu0LK9TP76fnU8PoevZB/Vd+KDcfj67op5dUV/dFeVp8dv3SC3H6fQYFD27pRbH1hf1Tj0SrC/nv3o8YF/Qw/V44L6gD2xx4L5pL9kXcoQtjq2SJd9BuHi9mH+TwPF6wd9vCHm9xu89mLxe6XNY+XNY+SJ08t0HmIeV/juGmnfxMF3IK/CoJMaT2ph164Uo7OhOi+mGGTVmdnxrvD5WJSvb0N/XDnaB9MsQz94tF7O5vflY4DrQPUWCqB3aY26VlP2gjh4JKphjC8B6Z8L6jGG1jnhbnfOte5uzORztrg931je3LoZ7+8Od/a3tZG9n67fH+imBl2aLVeh+FJYvYGBycvQUZOCgXCIrdeD2VmfC2dcXrhvugebmz+KhCcYOwNzyXVhahO8H6L5D6yeUSaY6UCtmHh9SgSVqxoxkfAL55mY/DBkVYyaUjJW81VCp0gAL5sYB4f1E0HmSThkBFUOYHFpii8hRv+h+VKWF/HF03rR7WSpF1uS7oR9nVXbrEm1tPlbLvJXKajCX2EZbqie0lZZJP5ZMHOgkgN4OFWijZ2MmC7ZBc56yhbH0fRjE/z6W8HdtAv8b2L7PRi95NnrvJ5Dv3tr9tzdzv0X7NgD35a3XMPXXtk1DFaVvyPIMGuVXtCtbMHwLVmMA6Zu2CT8hTPzPZzB6/Hw9c9BD8Ocx9hYnjCewBOu6eFOujcOKK+bxLv7u7moeP2E1Dqy+Acqgr+TlB/Al16XQi9fugkpfUE9uWerwW6dMYdU6cqu4MczVChlTzXa3CROpzKAMcticn6QKC1TdBdbVgM+Z+bvVQY8/QijeOzb9W8XU3H03aIafQj0QXSKNyzqSDDoDY3TZVV5e2u+ukhB/LX0zu3FlvN5SjzlmxqveN0zRMc+5mQMsdWxMHalpT/67458vfzw5PXj3D1w5y7wa3VFqf/vbj9XB4fDg73/78eLg4OAAPuP//rqosgNbjNLnoUj9T+t6hgGqWJnUbi/Uu4b5XF+TelvPAiKoJpZHQlpL35uwL26PPAEkQBYaOqiGId3zgUhgSvLCIvn8twEg+/i/zw5Ojy7Pf1tDeoijlgIM3NSWlxTMV+bGKdnvFRMptpZzEwIB29HfvH99cQJzwdh+uDwn4xrKG6qg8i3JIecEhxUVtP+GtdYUbcc8+vXtuyMk6OOfL/9mPzVAj6gvIq6QAJCxlBc0J4q53Ak0CF+wZEquVkYrVz0xVqv/XDnc/6AM/aBYdmlM+WHMxYdiTssyYR/Zyv8s7JwEgltSM55zQ0VGVdbcbxSojov4iGndXiGSxKKrmPGbZSzgYDxW7AZ7s4BV5F1wdr6OGPnlv16/WRTgazZfAry/8Bu2jkWUbly4o5zYkboy7/ztTxe/Hrw7/lBbbJ6Fn158OETd5e/o8/lwUliF5iceKlBaAsW2ofrDLRcWUEt3C5t0nVK5T7J8iCC3Y8cB4narBnY4OKHAu/s27sNnIyQc8x7EfDhi42paV0l9uKRpBOdToug0su1hDi/ju31IF4K4VpaAqzV1pfqrewufhWQ9zYwV4QWjwoAHjaZWQFPDSMlvJAZeK1mJjFBScpbapXj4oAqq+wCx/PCAxk6tdTqXc9JpqyRDIoyYkzKn9klsnnR8eO5CaMlFDIIbGt1f0D0MeUExwOZLtXSSE0gygClQV3CykatIqantS1w8F+TKYTG5Cis5sAwyVcyEgHmLobiDq/f/ee8j1PieSW0GoUnXwEff1xRhXLTwgKQ5Z8IMiH8U+qdjA93E9zPLLnmZkJMJdqAqS+byKE7OPN82soael1cDLECHlYKFQxpgjLq+qSdnxCh+w2mezwdESFJQUM3ieuHcwGQUvJzjeZ26GU21P3q1mQyTzWS0c/WIsnFL9Ckf5DnKCKpnTCMZSGERojxhOc0K81c8+UOj1pqLVBrNS8gurfHnRg2F/rggmpvKeYaxRvhcVqvKkoKuFIOkitrecoARmk+l4mZWWHp6gblfTLGJhDcsQVmWCUIvALC2cGwH5B0sEb92fDuTrv3m9qsoCaMf8cftLrzR8ygyGPnpb0enekAyWVCOPbnsGZPqWpu6TZeGNvTQ976u7v3ohs29OOlv2mxX7fj2yVnv4preBb207o6eviGfCTfhLmgeFhuV2wwvM/znewSGfcbXuwzdkaMcPnD0uKwZTOYR87p5Y2iQSKfWDrIAuAxGn1ZEaM6UiShLSKy4DQurDSRf4dxOEaU4udHwOsar+2gZRYA7Ytv3rNYDlRVcwzWb1YuVzEP7JD3wj1rAgNhPjs43Ts7O6x9CH+kBuWVjP2SJKZ7YvDA8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjLw4Pnq35toihdQqZtLH1OmszKzdnPLpGr5Dd4q4WSAcz1KzKpNiHhq+IBBwcuEvyzAlSRWjJuqYE/bKU1agDGDWDfruVFQ4N1Stv64X8HC1MGwyv6y7+IO6iz3SAGp9bihcosvTc70pUfB4JASsWOFTk4fP9+tFBjkwhhWltZpOItXrNaPXC5ulS7+2vwDTu3NjDxvvNtzjoX+RP+YyvSaK/V4xbUDFK6txzlNydHqOWXq/XFycnZMNcvH6HJJHZSpzvbCsWFaq5wGu8eQIGRXXPoPxlpuZq+ILLXyQdyKjjJTJ2vHiGWQv4TyKYEbDhcMdl9srJ7aP8jva5tzNGwJqMG/O2jI0Y/e0LnGNbXxDmwWWv9TbJNa4+4V1gg/PZ8Evdi5evz38r8uj0/NLewguL16fL7q2ZXeiWX3X6D5jpLWi7q/5Ee912N1eeRB+tWi0w1sVHaWq84xif+bVVU0ymVZ17nRzNrCz7MlcXa3pSUhTU9HAWgVpdGlFSc7FNawHgzl8uz+4h0IUjL2xUYs51xQG1J2ui9FHgzCR3PJrXrKMU2jUZD9tfNL2Wl2LLSuM4bRFuZqZASllztP5AHUT1AnwhttLXWs/wcl+lPTHpNuC1W3NY8+a83penjmWf/kT6lmL4qmqvhHeDw4ZqUJsRMARiARdywS0hiJhwJleSBw0GWZXLIyGQ/z/i+JuucFwF1FD3Q2i2A3XbdVhzOyqgXbA3eHqSXWXljywphBdARiOjaTz+pt7zKQD95zdZN/Knmp3RQMeKPubIDSYD6kUwm3PJKjqaPQQxaZUgT9VMzBQ9CB6Hvd/zPHGFfnpJJe3cNGmstpm+kkqcnF45kYdIL0FMBG2lPGbOi6HC244zcn5P06h4xQzL/Sa+9ENagesYcHbGqTFoHS1Z3IMMp938PFDzQU8XiD8jrrBwbXoLCFCU1NhDQjXRtMwVZCVMN6K5R8g1aJhPRSiBbhOgL7cz85OdMyb+c6qtbBwI7petdSVpdCtKeJ1OB/IeWMCtKBhFW7EqFINmKH/qgQSBdxYobvQvd03WI1aIU1nyAmwYLuNGOPYNqoPcfgNv4TmpRj6vWiWEc0KKgxP8f7oI8hYKgj7iAGQgwZT59g/f1Ll9rEbbpfL/2D1lbJdKFPQcqN2pnmHpwpzTKzp7McUyEK9IEGPp7ur1IbnOWHof8MqNth401rVkfcVEDbhUatJWpZKlopTw/L5Y8xrdAcvS3ECqkfR5zYm+J9hDYHBFGM+rWSl8zlSM7wTuDxctOqQwZ5zDb2MT84GhHqHG/iIK8E/Ei0tnSSE/KPGLM1v6Vyjx70psumth8nT/VXivrhClDV1NGG1qPpuOat8JSzwZSe8vLKgXCUI1tWAZKxk4LYn0ukMRIrIlWjFaSvGh+pEVFZJWGBf7grzcYV5cBxCc+ikXLdRoZWRQhay0r53P+C9/joA6NuH40AvDs5P1zqlcCBEmaaz2teEqMQYUdYjoXdGu6/aa44dMd92yYXFA4veRmvqD7j7Wcppzsjr14cNfPTE6ywSIxq/1qzCCJE5UL4FuvRE/N6RBLLo7lbtNbtYI2E/ANknXfsjNDh+0y09ZTJJuZkvqxDgITfz/t15I4VRrNXoF8CRwnDBxNKKE542ihK6yTrwnUplZuQAYkxoD5CVMGp+ybXsKSv0NKjDKcjJ+VvIQfj/2HsXpkZyJED4ryiYiK9hP7uwzbsv5jZoQ89wSz+2oWf2dmfDyFWyraEseUoq3MzF/fcLZUoq1cNgaNzQDB0bs9iukpQPpTKVr9oK+4cLl7UqatolNRK0TwVN6phyjeZvWc6YyQEY503znkox5jpP8LxOqYYP9VDk/0PWUinWXpP23la0293e3+q0yFpK9dprsr0T7XR2Drr75P++qi1yhZc4rz4rlrXdeVy54KS+D3+LULxyQC1Mjsg4oyJPaRaWH9UTdk1iqL5m1M5SMTR7burypRHPUKOKmUDXAiQRpBIDqIYsKwpXOdW2OKFweSmZTa4VN3/gxWKLxG5bh+Fp76U2eDIPogYOCqs5+KZwQI6ZdNDWbzeGUmkp2klco03GxlyKVe60TzDDTRut/c/+onWtaKvZNTXutH/mbMjKiKo6MmtraHZiFnELvvUznhXrJx+vto2+dfLxanejfGZMabwCgN8d9pvXUi2rrqOv8Nq+Oje2o7WmIL0k1P6H1DDt+8Nzb1TbUmvcqlvFRpRklvErqhk5evfvjUCRLW8AMNFSSRMypCkVMWzBwOsnM5LJ3OzMiqZq4JzJpdI47pQuESIAkuaeLgrQLL2DqlbrEs30/RSzSl5PjQxfmVNk0b6IxTE4k2UsGTSphA/YhRwCJ8cTpnQwqcMRzt0CQGYzlvgl50OnSXqSvy1SMlpB0DEMZ83IkczI2kjKyD4XxXK6Rrgia+EX1QLe6By1oVQJw7KKUGSNxVwZQ8m2zQTTNeWXNmkJHX8qH434Fz8iPLM+0Xr2enMTH8EnjIG0EZFzDGbSEq3+L3zqb5mH10Tx6Sy9JppeFnRFUzelShM9lySlQ5YqtKqF1BCkgmVEDfTnp0fKxymvxTLKL9fqB2GAjRJXaDkbAAd8A6ZgoxGD8tFmVquRWDKus/PTo40WujouhZwLd8dVWhaxuG+5a0TA0YwWnB+E80R1/qnO64cNkn8MioCBvm/GAaZZxDMFJZbjHvi+xDe5Ylm0WpYJDaoix8eHJAW+GSJHi6QGFeT06PCjOQ4OEeIjP1TIK6/q0LEp5emKgDPaO4EJnHZSj+uKRnmaPnCm86PdqxiAXyliQILpwD64wWGeDlmmyTEXSjPLYiXcwDXpozEgespWzoEI5Mq8hItrgVtPoHUUwoXipotQa2BUXOcKrd2QEjhZfRGrLB9hMQVyB8JqtQzabochBRj7jAJKECqkuJ7yP4OoM0Sh//gZ+4jwEbkAKKDddmY/GOgufJfwWIoR0qoaxiCgAU7hhyGuPkUTU92ayf4wrGSpBVPWF/Fw5u2jSbSziVG4hS3Hm8oxF3WgA5FGQaTVUZHJdGWJnr5DFTAkzOQuhCAT36632Sv/6j9rl3xIBR3QZMrFWousZcxYLVyMB2bAW9PPQt+2K78UOLfdVze3y3dv11ylOvwNwz3BICsiuBKqqV3hnCoSyzRlMVQbsN+Wmur7hvojLhLcVH6Lp3Ks7N72lfrd3JBvhNECd/DksdmETVlG0xU2ezh2c9Q2Jld++et8BLmV2DZqo9brKIFtAoY3Ol2Va0iQMajeoLDbw4UdEERYIpkyemddldyn26OdTmdUQsZKZFJDrwsfwSEExjjgijEUq+AmrqD8ScZVILjlCLOIhEyYvfAsgVz4GH0JAmAYUMATVm8i5ZORa40qwsXYlOcpvWSKcE1mUik+xDoEnj8Lk8LwqWHIKdMZj5FnIXO2wrXlXByzYYwVxeM8pRms1w/Jply7xizVGLj3UlvHN8ekIcFsnzTGihcU7svSMiCyXZbQXkScBi52jF1HVYRqcmHes+eiOSbho8E+KIq0oa1OsrXHdthwxDqU7cbbB3u9ZMgORp3u3jbt7m7tDYf7ve290W6JH1d0+1rSKB2zYWRCIJ0AW5VAQ9HwIjRzsDsT5DtkXFl+oWkq50j+hCud8WEexr7bMWwSQ5ZDWodrMIJpPWUdB29fXLyI0hQyr+Far9ghwrsJguWf4LcxVQDBsbFOeWxTnUq7yKk7UODKKj14n5Yr7Z3rJDDu3zCqVdMgaCLbYwm6tMx8eQj/qCHkRaGYYXreyGwMQHfY46bhQiWEo223W5mJZMJW6gJy3EQ9S8CUFTkTcIKeS5RFnpXMCO5lJxWd2m9+g20ahMSGpVMgXxrCEDCfrBUQwYHuxWLhwRm6zjx+UHuc+JW53EE32nK8VBHJwRLqHFVZgHkWaR7ER5YZ1fJgZJZgpnc5eKWdLJkSr14V+iUUcLP+4JjNNALnZ8MVA4qdGmkXaTOuwlJzhR4rYUdzMc65mniqFZsStrQ5L0g+Kx319pyTyiyVhOaCLaBh8SKYctfzXiQUw1ekUJlrCgHjuGeDtFEqeBxboKZUYFCdYg1qgpuv3bH/umUJrYJc3Qf1RWMCOI5fgbVsx6yomAKovC5m+87nBLxYKVCIxnyDPlvSE/wJHSjmDpJgkmNHoJMRDiIzPwbNWGV11R26QPTOneZ0UZKqF7dI3RI5GiOCH4Yiv5RLYjqC+LDCkm1Rp0ohg7UkqZSXxgSjNpeQaWy5WLEtgiqcXrrXsbEV9aLt0M6C6MOSmVV8c4OVhU/dHovqwhuxcxp4wjbLKmF5pCDo9JZw09BXaGNOn2RQpA3vfAmKfAmKfAmKfCJBkbgnXemwQpA8YmQkLuklMvIlMvJhlvQSGbk8zl4iI18iI7+nyEg8K55GZCSsZcWRkRbgWyICaWrD6IqtKH2wYGNUYJBhR3RGwYIS4ycfJbkQHdFX4uMJRkkur6l9w1DJBp5/9FDJUH98CZV8CZV8CZV8CZV8CZV8CZV8CZV8CZV8CZV8CZV8CZV8rqGS2H8NnrUuvPPim8UuvDXbisRstpQqxUfXLvaKQhFnKHVK41hidR+oIYZzEU2/SCGn17/ZFf7mlRwD8LuT80/H5PD8/P/r/wMafI0yOmVQNvo3UYqfhCInMgMEllZSDGzXARYh9ZVueeZrqqLJe3J01iLvf3r7awuqj264sAxKYjmdGllrlxwVQ4P3GwCKNI01j6O/wYp8lfGwbqyxuax26yuEWQLjGMW4uKLf1vh0RmP929pGVJqKxRPYz9HfQjTUJgWXWTHoJRdgzYGySuMJVOjyJTrhalCjNxnnaQHB4lhOZylXGDY1ljTF1RXj/rYWlHgVRvjJkXMfm6VjM7ZlfKqeyt/gmLJ86KcsWivmGfZKdKVN8T7a8VVJk0eiw++eKD7eE/aix2ZE3vqp7Fi8dGdOnNniG+JBMBkUNRNjXyCXMGPjYOcUTbgYGzPeCAu8V2E6k2qGxkMaLJaOxwieq4lUESbhjisboMjXK1Ny1gxjc7xmQGyWeNIh73/bku+5YoTW5MNvHtDf7CitkslI1tmXyFcdpFrT+DKacp0xqDqIr6jN88NOZ7uzSTbWqujBX5oQs0Ktaq3Ery46Z1kkhTipydOvR1IdRyismnC06tqbwEN+Eig//YQwFQ5fx9qyo5Tx6k+Ab7IvvWj72q3pBrobOt1bavO8u31w0MB68P0CDD0TA32tFJF9Z4qEZAi5e1UUOXYqwZFXCcLsmzqZHklGLI3IEIF1Ln8oRN5XVlTHCZV7W1bQafa2pu5dGgxSqDIelsEs6eAjGefK3UYUNXtdgUzCtWLpCLQkDg25oIhnek3oleTQr6CdsJme+IKmhQqFS/gS7XQO7KgxyzSqTthA+A4tDmM+m6ysc8UZNoPjIgG1zlanxSmRuZI881/bgN8ApTWRdno2OO4f/Xw8+HR2OPj15PznweHx2aDb2x/03/QHZz8f9nZ2bzbvAsixOEiAuxVh4ePxu7ZrZag0FUmbplKwEtUkhPL7zgB2bXB/77kfTBOM4ZzmWAe1zb7Eaa74FUjAizpIg3hCubggiovYXsOHna4IOi8w48yX2Ey5qlvW705OomjpxiuLVrLqO4MQ18HktVj8EvYLY2MCsZ+LaXEvGhTh1Y4KVFunTDlVbcQzpUts4fJuJj58raEDRoky7fsRakLVJJomOyuiT78koIo2/UXJ6ndHOyThYLjJETk6/uTJWI4nh/S/JXbOW8zhUFxpJmLr4rKNi4rW/K3AcvWesoIoeF1ZNOTMZzOWQc4L4Ku6RTpv93b7e297/Z2dN2+P9o72j/ff7L/dfvP2zdtO/+C4fx+aqAntPhpRzn4+7H73VDk43jrYOjrY6m7t7+/vH/X293u7u/3e0UF3p9fdPuoedfv94ze9w3tSpzhxHoU+vZ3dZgp5HAYZDF9PoWJUpNTD7Jvd/b23u7u7h52d7eO33b3Dzv5x722vu9s7Pnyz3X/T7xz1dneOu0d7+3s7b473tt+83ervdXv9w4Pe0eHbpVt5WBi5UvnKVJ6jIiPM9TCVI6Ly4e8s9g5/XIH7BJpc43lkS3HXqFRFYP/9jzYdiHySUpP+YYt8+PzjiRhlVOksj+Hq85zRaYsc9X/0br6j/o8utmJ59P1Ot1Z1ils/FaQxF6kAOK/NcTUq9UTOMR50xjLDaobFzs5ONws1m5AJFYma0Mu6mzbZZjvD7n6yO9zZife6vb3e/sFWr9eND3aHtLd9V24SUg/oSC/FUElB3DLTUM02z/mUhaoy9H221d9LOoEiQkKYFbNbNTEbOdyZPKk7RnqdXrfdMf8773Rew/+iTqfz76UbFwfwDiHN9BsCbDWjpYHtHux1HgJYLJX3wPEMleZ+SpKYpqkRloKcvT+xMlWzNC01F8BkH9eI0Zig9T4qFntcEYodwayLydpURMuI/GrQHIht83Cp002lifaYGczPuM1JCqMFbVZSDf/z+TyyCYJRLO+Kc5SVjymfaxK5kMQeLbdK5Om16/T64fOPR6UGRA8kiVU+Q3fKAE3qlXtk7TTNukPJlsdvJixN5UK7ZYE139vZHfzUf2es+a397Yanj/tHSzz/Koqiu273Lzudg4imEOar+RWDjb8qrJ5y1Nkc7wXzYoIBWT87fL8RoYdOQ+P+K5pdG6w3KQvYYZFr7LsdMi+4SYa5tk5bDNGG8IxyX+Oj92ckhJhgn9o5T5OYZonawGbFpRAwVnebvfpbsPnvRQLUjyJc7iqlr6OB9WaDOFjvv4d+N2YR0DA/wKTHcQ1op38ZlZz8zMcTcqhUnlFj8Nv6/P27mhhlXEAC0srxgGlO6/0NSAhRVTA/L918rAGGJJS9qyRrg5BfP7oPVfs/fj5rkQ9euz4RMYhzOOCK0NtWqIE3cIDfTw/BCZCYVKRGrYoV3DROFp1uVJHzzjCLkSK/cDb/CoDCRN0VAxVOpcj6h6/Y6CcifiCYaTrIBV+VwtMEOk2JmdFg4PM9UFDh/q9AAxT3GMhsAPEdq3N0+bMWi4lkxM3nT9rzFjmDaJGPNT7v05SPZCY4vQ+kD2EfgqVEdVBQbwmDcIFt1Ov0Ou3OXru7Szpbr7s7r7cO/n8wkO4L3Fcbg7dCV7X+FkLWPWh39gGy7uvtzuvezv0hw9SGwSW7HvjO/SszAe34TR0wfR7GJatvxE9n9zpIAtjiPLta1aY7R6feFSs3vU5T80BsfyqgIx7Pdb+X/8kXZqnhQnClZzu9pRtXLkAI+zKTosjuu0+tjGM7hCdnwjJ+VSOmdygtAdzuzs7WnkO+SNiXalDE/YBV/M9liL8IUKgJyv/04VgBLdWMxuC+GvKGwLpeZ3v/PktXLOM0HSxdzeQrosJxKlenBI6rwt5tPCWrV+eFF8OlmRf3LelsQkUOFRZa5QowxdX5nOuJBKMtNcqKsbz8PbofOp7QjMaQNlpF8s7O2zdvDvp7R8dv3nYO9jsHR91ev394L4nhO1KvXBielBM7QlQXbbEDSfErdDCV0ykz+FFhWhke7SOZQ4wF+UmSUyrGpJ9dz7QkKR9mNLuOyBljPohkzPUkHxqlZnMsUyrGm2O5OUzlcHMsu1F3e1Nl8WYMA2waxMB/orH84XRra699urWzVe9ODD6a9j1Ftb0ceBxTWHlb2C2jCpya0Iwl0TiVQ5p6nbDoInNPWB/D1H0YS9fB8BRM3aqochdNWMpiga17dv5joe+2yOmPZ1SQt8aK5SqWgS3cMhZQBJbvSrjgyZi5JQR8DUSPbecu2sQlgj4UgE/AqK3Aey+Q/gIGqo0PWK1WFVRuNJNaNafGiltLA7BCu2VB1GJhyfiMUyiOi06RFrov6QwK+DWlBysWz3o7u9nSFgpTmg5TEOxLQDqUMmVUNAH0Bn8io5SWwOIjF51KBBtLzdE7NaeQXR8zpUZ5ahRPr1JBZ3ZunrJBsIIwAfqQ+ZwLwdKlt5tgX/TAxcN+U1L6INwhg69g3SyJyEeGhMXgFhLUWoDyg4fvD201D6M3OJ1xPp9HnAoKQcdUGS11yoRWmzpVbYDEcL6BoY3jLvwh+jLR0/QHms5E262xzRO1UQmIwnoqgdGQyjkkZ6k615lVbnajpZkuYyqfrpThuKpETgPD2XkhI9FDCw3mUcGpcunSbGY78D3JMF+7truG+dZBeqww30UrWRGKVxnmG9LiXjR40mG+drnPJszXUet7DvMNafI8wnwfkyoPHeZboc4zCfNdkkLFqN9hmK+FcaVhvmd3CuitBfIWR0XQH/ibB/TayX+nWyuLHGuO6MWJHyyid+tge3u7S4e7O3s726zX6+wNu6w73N7ZG27tbneTO+LjoTy2StPprBbgaqM5n0JEbwDvgzhx7wLwN4/otcCuNrr0bOk40opAbhAAtRijlQmAl7DHxwt7DEnwVw97bMTFdxb22ADDU/AFfWdhjw1YfDL+oHuFPTYA9NjuoJWHPd4C8xPwEH2TsMcGNDxTr1II6bMLe6wC93zCHkPInlvY4wLY/rphjwsQ8jzDHhcA+z2EPYZLfwl7/IZhjyXEv4Q9fruwxxLin3nYYzOs31fYYxMMT8HU/X7CHpsw+GTM3HuFPTZB9Nh27oOGPd4G4BMwau8a9tgE0l/AQP0uwx4be2s/XClwVM1KvYmcW3lGM+V6iZvvZcbH3DAfBqM1OGyi3tKX4I4WK44GfG+wn/I/WYIRc+Cq9sGAcIiEYN4GoisiuhBAX200o7HT0FzF0eCrxVVHzSmX8WEO0ZX4BgQ3KaM8z6RSfJgyjMOk6fWfzLlPKcYfZTIfG13arpKSKY8z6bqm0yyecM1iq1qmRlmUgpErzuaBleZr3VtDIFg4CVoHkIz9kTOlFWkXTMIFh8YfczZ0v7tYp1EmhW4b7bXc575twPkjZxlnikxp4uHAKsOzlJEhjS/DN+9Q7VTNqFhdeehXCzuKmHld7wT4HEusXG4Et0Fp2Nn/EB/PmHUWQmyFnLHMhue6FgwQjEshhLLlO0VQj2gt/YhUYGiHRVgL25snVNOh2QIG3dcNTe1HowO6f7DfHe7FcbKztJRFeB4By3VEwjfIE6pgINuPAzudFUi00YNDZgx/ouWYGaSBgeuHLDok2fYkFtkTKpIUd4ifBppCtm2cKwvYtYbp7eHooDfa2tnbG25tJ3SXbsXsoHeQdFiHbe9t7VbR61b8SEh209+Bo8O3bBs8127Rt/2FNhBTRlWe2XsAYHPPtIbFC5Yus7p9jmV15HY6o87uHqWdIT3o9IZ7gWDOszQUyp8/nd4ikD9/OnUFnm1HCmKLMKHZbkQls5oMzUD2ff50qtCBbJ90h4bBwTBj0AqPJHIuDMNIouIJm7KW7zk5o3pi35fExT0vI+tW22fsCLuAueZBWVqIoLVy+a+wH+GJIEpOGYSqGwIafE7pNdYgtwkFJx8NtJsGhQav2MQsvW75myFabYQooHHiia1qZsbGzolBj985XDSNpet5emFLlyHm6kzTUMHMp2W4yP1VofZ8YquIu3gFZcOGjehykzdoYnY3eLTkWVpqBVkbgisCYRGKacLNzrUR4i1DRSG1EZTZNZSFn8B+K79fGTxlFDoazVjGZUKmudIwyNBIwjjNE5Y0dLfEy0F4eMjI2kyM14obRPP6WmS+q1NoZpWQoE/OeLrcDfa9qPJRZtqq8pbjCfi3kJ1+uAj4X8vZWgU5Fz9coMOq3PnTLbrS82yUpw+oAz9ae4aTEfZONCIQujHxqdnStiPTtcyhCHyxYa+DC2GlZRgVxgW5MPxsxruAXCtQaGDD417hCm5EBUZHsQStSVCgnM4J574fMuw33NBPoCwBXm9vb20qZnTmv//xo/0eP/+g5axEPbchnwEFX30WU5mY8z8p5AywviKKMVHCrMeon+a91DYPggsimMYTXgqupbGoUALIIZzciT8MhsyIGss4QOuMURWyAoXkNJLKsW3rb16FFgmaCfJ7Dk2ci1A7kF3mHK12xvWc49uE+df8sBSMrTlVfqGt0jkvpK4Lp3sxkRltwc8l/ppRpQKuefA8Jjt8xbCLKmvQq2pc+ZHqSWXuQLZaBK1VlrOCHvFhb/LaOra36y6P7e2t0qLArFqlkgATWCbGX4cMdQX8xeYJNsEQ6tFrFWarnV1/h7ML8p+S8A4onCUy0h4VOq+1CGnehR2aFbIH4zaCtcOr8Ax2pzXzDXPtn2oFkyGwqKb4EbF9tSBsOtPFemDp+OSFfds2k/MOag7JEUJzqhkZMj1nrJzyqecSddXKAf3YfemNCH5pSv+kmtKj3bYqPjiD0ReLRThw1ipHL4YqXLxuVD1xvQuOrvKFw0u7ffLSbv9+7fZX6AL+bIdv0FPCFZQueNznxTc8wIVwtWfvedzBWu5ePZS59m2TrYoL7cHYFfU2hr1rsJ2K7Ze2k5jhjwm9YnDlzsAlL7PgilLojDNlT1XXw5tMJfTNpXhTzxNnKrvLKCoIhRxpq3TDia2Ca/qpJdzjXyAtblSPjchX2KceMjlWyJXlVJGoZto/cGDEo1mHBtZXCk01M12L8FHRS6CmHx9CM3FyzIXSzDKWWyc2yH8sjoPZV8pyCN/Kruvrt/W+Rg2AZvsQYr/kzVlKNbb0ry9xhQI7xD9OVpo/yDtelTfDydEJ9sTIsJdiSbKPwDWGIkgQKqS4nvI/g5soRJz/+FmxUZ4axr+Azvg8uTCsgR8MYBc+6yyWYoQUomn5NBGJOQ+ELPaltVIqXFTln7iIQH9I3nFXnMolJvqSPTXmuO8KHk1mnU2MWY96Q0ZSOQ6cGKohEZOC0CobfzJdWXakr3CC3kUzE6GoaWhebB+rUlTW+uo/a5d8SAUd0GTKxVqLrGHDdS7GAzPg2n9vCckIFacBHbvr0kB9IsW3SyhROIZTpQTEX0Ae5pThNQIlw0zOA0+q31rnE3ZtL/TURM6JEdACIglcAEMqx8oMZRRgfydhAzhyv1R3H3AHvYeZ4b+VJLSzVWnJP06kYLfsvpUsqEBdPaiXjmjGS4t68pfdFVkX8MegxB9VWN/JP3ma0s2dqEPWkRr/g/Q/fraUIR/OSLc36KIB947G5ot/bZDD2Sxlv7LhP7je3O3sRN2ou+OXt/6Pn8/fnbbwnZ9YfCk3XIjYZrcXdcg7OeQp2+zuHHe39y26N3c727Z+l0e6ikZ0ytNV3S5+OCM4Pll3dl/GkgnVLZKwIaeiRUYZY0OVtMici0TO1Ua9zxo8WVv383BtfcBwHDG2OpXTf8HicnVbfEmWDEKtUS+s8Rmyzjv5O71iVWxdskywVZkqNRhwNr9sDLGg80U7ZDvajjrtbrfXhsQtHldX/0zMnAW0duEIAaUXEfdfVcw4DfxbUdbNZ/dzzISWqkXyYS50ftMeptmc1/bwaqNQa4tflh+7nahblZSrXWoQ3nvLyWmke6BfXaVWMlrN6pfTw/fL6FTmOadN0azwZFjl/Zrsd3pR9w+i6XhdQTQ4JTMaXzLtboqowis+qggXY4iNgeIW+CeMT5WSMbdB9GYI4VyfYBOB0WSg9gGG1Gfw2clQ4hVt3O1z79EDHBnom6DIWCyzxAzHxTi10Go6hnhFcBXnEHABRSUd8SYYQGAW+kebi/YfhImYzlSOq1Qta9I1rYyUvLr6esZjo5/aoe2lGgT1Ue++VkwomZF1Fo0j8m/GLlvkV54xNaHZ5Qb4ZvkVS6+J17zB+M7oCBIcK5jgQrBsIVVxCIIPWeAKAiuy7q4L7aj2tzL8GwuAvBk8hM+Oe1cobwCv1FsSgo+cP85Y20nCLWe59ZR4xTA6FhdiDh2ajscgC+yQH4au+lfA3I57o5DLbY3XBv5zj9shPW+HJjtUNvK7wgaUOkM/4SrOGFwsVHeYHRNWEIy3iC4jnrE5TVPVIhkwv2qh2UoTMqQpFTHL1B1Mm5VdQAFAJ0eoKWJTSpc26rFfl9c3G6PfxPL5MLNJNAAB3AvcBQaZa8WTWxKSvdTPU8EyOuQ+wcuJ/9oPi88BcwyUBlrCUUEbpiY1r4Ur6FzcLSzDUmY3juVqAx2gkpMcOYXAyPMweQEA0TW8UPBg+QxhuFJQzIUYOZWo7ff3+ii85z0C88XMdfb57HjD/IH1CVJ40A9avODC6WVG3tp9u1FyMBY1o//IaXqtxjnNkgj/huTbP+ZsOGHpbHMkBxApl25eCjlPWTJmZujNEoADi3rOVDTR0//8EwbyCysjo3j2vxuNUVAuBNO5kOoevlf/WXNw3XqRFJaaN4cF5GKuThGDmguliXz+UgkLKpZZoVmWiFMY6WHwFtTggMre8ZVSm/UctF/Olk6YDVb8ZK2iGlaDL5pRCpvPnlnKH+E0hdMwnK3p7QXbI75i0ZTrjGFNdSPDNkf0D2Dz9If4ig3AYzoIFqcGccaoZsl/+pDJ7acNZStneBYff5lJZSRH/5fjEML/1uh7IsiUxh/OCJZ7Ib2o24t2W2G4UhkdNiDy08f+HaozMyiKsOoN4qRocNMftDPg6gbS1DdHE4kadsfxsihYmWZiIHcQW9GwfnK04aJDbKWLWRHd3XxYEnTSR+Qk9KuTvOw8sRPYQZ0Pro7X6umxLOvPJ1QPuBqYLcCTDcvrVR73o9d4/eTovw00amMJoU6nc4c2ARA5t7LE4EOSMQwnXixgSvqzlTaYKTPlmo/R/PG4cMTw3J9U6FJFTDNF4jFvD7kw38J1Xjzmfzd//OjxuNvt3gGNhvEGK2V+a0XKjKiYimZWbSwq1e1096O7MIUZX7AsumIikatKqTYghWE/1QMelkBwCTWwzpmgw3T5+kGxzFg0LCrP3ATMKJVUN6qwZ2YYDPnJqBhb11cn6hiNu9uJOniZCH+6niQTRqZSaaLYFcvCmPo3RsVUdkRprE+jsSnFlJqCrw2k9iyVXDukTJnOeKzIOtWaxpfkCsIVijQbDGf/wvV1i8wyfsVTNmY2ac16wjXLMHtvo0X4dEZjXYwa+rXNGH5c89o4g2HNUDYyBNZka6pC1uACJaBB/XKqOrBuO5FxbkDeqGmqO9HO3UjMxBXPJPRtWcqV9Y1ofRwu6zaiU3FNfLIGcImlUIvch0LgkOUZg142T4BEmk1nMntK1Dm3K7qNMOD7mVKdI6INShPbagmgaJXOa0er+OH2xZIYXu1dORjy713JktKNR2E6r7//5WijOOyNacw11Ib2OAIyAH9SccnFGK6o107lfK1F1t6xhOfTNeTmtZ/5eLIGJDBmGrnqGaJ68elHBE5Q1QtILM7t59IwVTHWVtSx4cfXcIeYsBEX5YQ1M0LxcIlGARfBE1wRORcsQe2FCjrGu6e3J5/OzqMP2Rir1JB1+MIIT/L5rI3l84WEblEjHphaQX2YFplPpBEGXLmkTy3JhKUzkPtwo65YDMxpNFuQE0b7mkkROMs0o1NFaJxJhYrzXGZpsoBFxVUSCa50NJZXcGfRtqII2LUuDNA5shyrWpKsULvwVG/UMCBw12APBIU7BCkUW4NK5qnH2SzjMuPaEoJkbEwzcA4HIuB+GKwp8Waa2E99yz3kl53OQXj9CKVp+pXa6jfdQHJllIAUzwZ0waAhYvaVu480e+VLpf69KtW4DC8qOdZjSK9JKsdjm/8PTb+MLEVHTsLHHA5CVxGvKHPnEcLiXBsVjwy5oBk3aszZ5ruTd8fl2YSN0R3KBJ6B85Om1wqyCCHR2a1SwoX+ZUR+hTt/kV4XHqpKxVa7dAgcxHvUcplDO6JgSrOE5CJhGbkwc13Y0SdUTZhyjBc24ikVX8xYEWbb8re5jFyY9y+gsAckdRfptDM5y1NqkyHBAYgOLJg9bHJzsREaqNaxASaYD2MsNa4qR04OpZ4QBbLbVWLzzrZwocAXEuuyxW6NJbRgRL8RmhBja8asD9nARxYsnaooqPZ0sbH8hfZLI4RHaYTwV29+8L02PHhpcmD/3ZfiT6bi470aG/xVmhn8hRsYPO+mBc+uUcHzak7w3BoSvDQhKCPheTYe+P6aDbw0GPhmDQZemgp8w6YCz72RwPfaPOClYcBXUPvJmIz3axLwLBsDPJNmAM+7AcB3U/S/bWZ+TYYMHNlUxBOZ4cd27OIbrffmDT5TWsL/hLH7rhCbPZPM6z7PxPkPwFuRpraEI1wzm6U23oxDatNEKh0IasQTTbkv0TijeuIeDh5sWKD5d8RmGYvBNdGGcqDFi+CVgU+8nOVEhUuzKq3PwBdpPmV/utTpxcvDKPfKw1M+xijM10RnOSuPjhgpDSvDXtL4YdDENwtA9/SBIBtw/I/zDIiCkzXBtwTqDYXC524ECwa9L01vHNkgV0Eh/4gLpYPL0ltxBNcP+C5x7xKeuG0RpzJPih3QNx9d1EBGpkzThGravCne2V8x9CMuvQrhhYU9QpNkAA8M3JDmyZgphaFl4R4pQQ4vRXxKx0Ed/KKkxJS36TBOur2tRvlRMMiJGYGcHPngRVyuw4hljx/IoaEUPCTTJGRUtyCz/ghX5WC9hdSND99I7mAOt8AisPHmaTxA/vk7z7QE91bmWpaNg9mmNJ5wwWCPLzWZfSEKXlh2rjAWa7CEQLv5rWVnnWUSpNiShLOP351uGRsXWt/Nc5QebRzfiYVExpfAq1YuHLnPDdsLfwO9w5yPaYo9GkAo4G9mh6uJzPQAJXOhT7jjGOdre5mw4Nj0yyINHujyKyUhgqcD1BTyPzYhK0BY8yuNSFswlZE4d58NJF2woe44a+XN5Sa9/3S2DCj5gZx/OPrwmvws50a9mNKZEbKK/b22ltJBT24+7MlieU68TMclRI5zzflb8O3P+KlhkBMxkiG32mPBvE6crAkY1HzfyJ723Djun4V5x9xl2kYsVtH1NI3sc5g4RzO8UxVStIs3K0W8pG9AsJjTF5OmVGnLDTGUMmVULIneUYERSM8pyF6fV6pomPO0PmWdov70XuvuH3U7B2vLLefDGYEZwhiV5oXEMmGN++CmtSidMR1Pll+MmwVL9Ylrz4GX+ZBlgmkIBbB8+I/wu4Zxi9+9zlVWoIpBSciFN0vV4qVbJWtp0TfzXBXjM5k0i507beYAAzOJ10p14pqp8gYZft+ZPsqEfD45qk8EJvOMxg8HVDFifTKZ1ET+V07mauTUJ7Pi8m9fLZiDnwdTOptxMbbPrv1tyV0UrNgeJFM6qy8Z6vnhhdOTW3ewtubFZ2yW8pgqph+WxMW4CwidsFkqr6cVM/PrJy7GXTAxXECN8vTBQQ4GXjD1LXrQfSf2w946bbPS9/Xz4rj2gLGyvDhdPvovGsa1Pxbnijdqm86BYmxyp0OAfVlW7bQzREWA8Q2qp4X4d5nKS07bNNcy4QrSQwrw/xf+So7sL9ckfI4ElvetlxgNQ4WnsF2HH3LR9Z59LsJbnnI2yB1utdz1p3XxypFfQFAaqXlOftPl64Lpjmk8sZUesUmVT8m1wSu2Ejvj0DHIV1dJcqwEoGmm85nzA+FA2A5hitnA/l5O2z6odMq0ASyzGUJAN6ZBJceC3fCF+diyKaewNMgroCnUolfo2T/5iE9Y9iI8aUEMOKQMlZYECQZaAWaaUWjDnWeZTPJY3x2R5xhabfeuHcaoiR62m6a9N7uUpn2lfLWv9WDmjVumDtJN7zgzvhtEllvwA15QJMuFMITmonkdro3gnWf//OmUTIzxOTGmCkxnuRVWchPS4zyruCrKZtKCWX/1jbMcfHOqPItbk5LmesKE9pU0sMmRv3yt+B98vYXGKdF0tEamL5AEloKvoR9kX0KNVxdz5sALekfKjIxSOcdV05k2a14kz4JLtxto4KoiVHtblqvB/Hx+/rFF3l2f/fO0RT6xhGPOyKfP7zZIkM6/Zha3ZoBwNcnMFz6GxKZUJk2XY8X2hYPmdsdJNRHayRBI1rAttSpARTdOSbOxWmavTqdUJO2Ui4ebunasLljA4VDJNNcMTuUiSy+zJyYsohjr5jnnMrs0arQvBX877PaVoHq8a6ZSWsLN88KJswRf8ilrAg9eN0xfmiNOuTlAH4h7sG+zvpWKlVkfiIHuOftX8RCOdTsPVeZ8SB4qL+Hmee/KQxXwyjxk/Ues7DLKGE0HfFY6YupX9K5M30hmc5olLCleqWrFN672pLSPLAe49OtK82DQZL9AWzBXvcqPU+qY6jsWWvCLbKeiJthbmVnhPqp2Agrax7IvGsIBE1e1PHTW+rHMOGTCaMKyllG+rWefXPyr/dbhx/x1EfYPECkyftiOMOHKDJxADCNN5/RaWeUWQh1bVhskU6rjSZCuBTmACOyAzy4AJGGUVoMvi4UqZwFyg/55t1G6+vydyHzuqAklSXzr/aAMUXnDG74QUrtAXatQBz3aYmzboVQ+BX62OgqcugPX79MqKmtvjeZwbL5ca1ZXllFWQP3gWrF0tEjxMI9Eo6Aq+h0UtBNb4FIZzRtjMrjCdk32k8DxobsqcLfhHJq6psflJqdY/AU6yEN6MuYdWyhs0I1Irys8ARPwWxTYE5vujGOdHBFMR4csYF9g1djvFoMiKXZffTZfEfe2gOjA0IQimkGMq+sBYOugjjLXF9opYxTLpbU1hTxdeCDYPH4LQkusoBYeJiOXKtC+UrX5U6502CgEajTcJGIN4Ld7WsvEuCVEpcpzC4YLH7xxxBpZFgwYPHfjeLZFLLhdI8H0YHitmRpoqW9duH0VXrjXVFgB+E6T2VeWmS5hSt8LLvMiF+gZWhq4ymx3AS2c7xb4rDQFiVyTpufBqfy1QrV0wt8oWw3M+RJa5oSPJ7aPH77SYONhj9A5vcZ2QFAMA8SAHwkzCxI2YyJRrouSO7ZakFNtE9XNOY9H9JRREYbOc4HvG+FdqLswwgK70FJLKsWHKRtgpeLw9vLDP4IPx1kWWKBtl4da/bqPOhB+XULplOmJXOqWBhT3zSuWDTfxpUakFiqVthk3hS1P7Gw2Avun4/MW+fjhzPz387mtCSUJlJky+sDZP0/DQYiZ2o+0fnZ8etw/b5HPH48Oz49b5Oj49Nj8fzFK5aRxNeVuhzWVYx5DT/2wCh0sJeRVKIOniJYNUJe0ss+fTtHeyGfO5IAzXaVUTcj65kalEyUfkaKvtR/pYjNXLFOb3QvXxdWujiv32wUOlNiKOqr2YLEsX3EaKAhhhwJOTIMAr4sa9WvE09TdDaVpiIFwNFY92IMm0Y0cfgP+0TarSIabsO3QVdbsDf+UUFE8GwJsHr1k123c7tB63j5d7GJ8C7L/SkCGXZ7veP2HTYm5IJRM8ik1ANIEwz8xZDgAk2vUSgqqDYOaSNLsKmMuQWeZi5+Oz4lllYFtKG4W+6NmSlsGsVdZXIcsUR0HNxjh1uyBEbEfOwnGqxI9o9OyKyYoA3sDNmwDqOKGXZXJHIagGJFBZEYMoMHzJdqfTzI+0u1PH/vVt4s3Cp2x3H4qyKWtxBY0RBIbiRpNmVKFF20BmO/wITvtRzh8ISjbnnlhPeZc5bZXlrVoWUmgT/1Q0tbnm2XMW8wZnQPfu6THoECKvWCesHQ2yotaRWB9ZTIfpkxNpNRYVN8qABmdFwf/J/hQTVKsH/FuHeEOhjUtONktBe7IOYbS5il/pla2ueMq8L9A/R6sXsWDAmDrdAZuaVhiSq9ZBkaRlclQSOi6GN8PL/MstLMyppjQpeLTzUxVqa31cJDisI8NaklpnDKqcltEMNAd3wVfk/VAk1Qbd9Eiw9GxLwkmANfuDcsc12yNocbObzN3GsyQm65YvRMUXqhiC9p0B7oFZPpWVIc6xezeJykTYz0pdyLC79w8Jx9D78R5311P1TILAHaZ33YJtMhWuQ8GkFsfEwX/LwAA//8QbzxB" } diff --git a/packetbeat/magefile.go b/packetbeat/magefile.go index 00622696bc4..fd00c932ab4 100644 --- a/packetbeat/magefile.go +++ b/packetbeat/magefile.go @@ -35,7 +35,7 @@ import ( // mage:import "github.com/elastic/beats/v7/dev-tools/mage/target/common" // mage:import - _ "github.com/elastic/beats/v7/dev-tools/mage/target/unittest" + "github.com/elastic/beats/v7/dev-tools/mage/target/unittest" // mage:import _ "github.com/elastic/beats/v7/dev-tools/mage/target/integtest/notests" // mage:import @@ -44,6 +44,7 @@ import ( func init() { common.RegisterCheckDeps(Update) + unittest.RegisterPythonTestDeps(fieldsYML, Dashboards) devtools.BeatDescription = "Packetbeat analyzes network traffic and sends the data to Elasticsearch." } diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml index 4093b9db371..0dc551698e9 100644 --- a/packetbeat/packetbeat.reference.yml +++ b/packetbeat/packetbeat.reference.yml @@ -915,10 +915,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 @@ -1031,20 +1039,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1054,7 +1069,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -1217,30 +1232,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -1253,6 +1275,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -1360,42 +1388,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. @@ -1528,6 +1570,11 @@ output.elasticsearch: # Set to false to disable template loading. #setup.template.enabled: true +# Select the kind of index template. From Elasticsearch 7.8, it is possible to +# use component templates. Available options: legacy, component, index. +# By default packetbeat uses the legacy index templates. +#setup.template.type: legacy + # Template name. By default the template name is "packetbeat-%{[agent.version]}" # The template name and pattern has to be set in case the Elasticsearch index pattern is modified. #setup.template.name: "packetbeat-%{[agent.version]}" @@ -1631,20 +1678,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1663,6 +1721,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog @@ -1813,17 +1882,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1846,6 +1922,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/packetbeat/pb/event.go b/packetbeat/pb/event.go index 73387c7f796..f0287665c0d 100644 --- a/packetbeat/pb/event.go +++ b/packetbeat/pb/event.go @@ -81,7 +81,7 @@ func NewFields() *Fields { Kind: "event", }, Type: []string{"connection", "protocol"}, - Category: []string{"network_traffic", "network"}, + Category: []string{"network"}, }, } } diff --git a/packetbeat/pb/event_test.go b/packetbeat/pb/event_test.go index 1fdb8425756..5722d6d9faa 100644 --- a/packetbeat/pb/event_test.go +++ b/packetbeat/pb/event_test.go @@ -41,7 +41,7 @@ func TestMarshalMapStr(t *testing.T) { assert.Equal(t, common.MapStr{ "event": common.MapStr{ "kind": "event", - "category": []string{"network_traffic", "network"}, + "category": []string{"network"}, "type": []string{"connection", "protocol"}, }, "source": common.MapStr{"ip": "127.0.0.1"}, diff --git a/packetbeat/procs/procs_linux.go b/packetbeat/procs/procs_linux.go index 944924c88b1..cd4e81bfb8b 100644 --- a/packetbeat/procs/procs_linux.go +++ b/packetbeat/procs/procs_linux.go @@ -30,6 +30,7 @@ import ( "path/filepath" "strconv" "strings" + "sync" "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/packetbeat/protos/applayer" @@ -51,6 +52,8 @@ var procFiles = map[applayer.Transport]struct { applayer.TransportTCP: {"/proc/net/tcp", "/proc/net/tcp6"}, } +var warnIPv6Once sync.Once + // GetLocalPortToPIDMapping returns the list of local port numbers and the PID // that owns them. func (proc *ProcessesWatcher) GetLocalPortToPIDMapping(transport applayer.Transport) (ports map[endpoint]int, err error) { @@ -68,10 +71,18 @@ func (proc *ProcessesWatcher) GetLocalPortToPIDMapping(transport applayer.Transp logp.Err("GetLocalPortToPIDMapping: parsing '%s': %s", sourceFiles.ipv4, err) return nil, err } + ipv6socks, err := socketsFromProc(sourceFiles.ipv6, true) + // Ignore the error when /proc/net/tcp6 doesn't exists (ipv6 disabled). if err != nil { - logp.Err("GetLocalPortToPIDMapping: parsing '%s': %s", sourceFiles.ipv6, err) - return nil, err + if os.IsNotExist(err) { + warnIPv6Once.Do(func() { + logp.Warn("No IPv6 socket info reported by the kernel. Process monitor won't enrich IPv6 events") + }) + } else { + logp.Err("GetLocalPortToPIDMapping: parsing '%s': %s", sourceFiles.ipv6, err) + return nil, err + } } socksMap := map[uint64]*socketInfo{} for _, s := range ipv4socks { diff --git a/packetbeat/protos/amqp/amqp_test.go b/packetbeat/protos/amqp/amqp_test.go index d9f583cdc22..37be71c571d 100644 --- a/packetbeat/protos/amqp/amqp_test.go +++ b/packetbeat/protos/amqp/amqp_test.go @@ -78,7 +78,7 @@ func TestAmqp_UnknownMethod(t *testing.T) { _, amqp := amqpModForTests() data, err := hex.DecodeString("0100010000000f006e000c0000075465737447657401ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -97,7 +97,7 @@ func TestAmqp_FrameSize(t *testing.T) { //incomplete frame data, err := hex.DecodeString("0100000000000c000a001fffff000200") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -119,7 +119,7 @@ func TestAmqp_PartialFrameSize(t *testing.T) { //incomplete frame data, err := hex.DecodeString("414d515000060606010000000000") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -139,7 +139,7 @@ func TestAmqp_WrongShortStringSize(t *testing.T) { data, err := hex.DecodeString("02000100000019003c000000000000000000058000ac" + "746578742f706c61696ece") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, _ := amqp.amqpMessageParser(stream) @@ -156,7 +156,7 @@ func TestAmqp_QueueDeclaration(t *testing.T) { data, err := hex.DecodeString("0100010000001a0032000a00000e5468697320697" + "3206120544553541800000000ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} @@ -188,7 +188,7 @@ func TestAmqp_ExchangeDeclaration(t *testing.T) { data, err := hex.DecodeString("0100010000001c0028000a00000a6c6f67735f746f7" + "0696305746f7069630200000000ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} @@ -221,7 +221,7 @@ func TestAmqp_BasicConsume(t *testing.T) { data, err := hex.DecodeString("01000100000028003c001400000e4957616e74" + "546f436f6e73756d650d6d6973746572436f6e73756d650300000000ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} @@ -254,7 +254,7 @@ func TestAmqp_ExchangeDeletion(t *testing.T) { data, err := hex.DecodeString("010001000000100028001400000844656c65746" + "54d6501ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} @@ -282,7 +282,7 @@ func TestAmqp_ExchangeBind(t *testing.T) { data, err := hex.DecodeString("0100010000001c0028001e0000057465737431" + "057465737432044d5346540000000000ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} @@ -316,9 +316,9 @@ func TestAmqp_ExchangeUnbindTransaction(t *testing.T) { data, err := hex.DecodeString("0100010000001c00280028000005746573743105" + "7465737432044d5346540000000000ce") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("0100010000000400280033ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -351,13 +351,13 @@ func TestAmqp_PublishMessage(t *testing.T) { data, err := hex.DecodeString("0100010000001b003c002800000a6c6f67735f746f70" + "696308414d51507465737400ce") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("02000100000019003c0000000000000000001c800" + "00a746578742f706c61696ece") - assert.Nil(t, err) + assert.NoError(t, err) data3, err := hex.DecodeString("0300010000001c48656c6c6f204461726c696e67" + "2049276d20686f6d6520616761696ece") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -401,12 +401,12 @@ func TestAmqp_DeliverMessage(t *testing.T) { data, err := hex.DecodeString("01000100000034003c003c0d6d6973746572436f6e73" + "756d650000000000000002000c7465737445786368616e67650b7465737444656c697" + "66572ce") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("02000100000019003c000000000000000000058" + "0000a746578742f706c61696ece") - assert.Nil(t, err) + assert.NoError(t, err) data3, err := hex.DecodeString("030001000000056b696b6f6fce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -450,7 +450,7 @@ func TestAmqp_MessagePropertiesFields(t *testing.T) { "40000000000002060a656c206d656e73616a650000000055f81dc00c6c6f7665206d65" + "7373616765ce0300010000001a5465737420686561646572206669656c647320666f72" + "65766572ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -492,7 +492,7 @@ func TestAmqp_ChannelError(t *testing.T) { "6f5f64656c6574652720666f722065786368616e676520277465737445786368616e676" + "52720696e2076686f737420272f273a207265636569766564202774727565272062757" + "42063757272656e74206973202766616c7365270028000ace") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data1, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -537,7 +537,7 @@ func TestAmqp_NoWaitQueueDeleteMethod(t *testing.T) { data, err := hex.DecodeString("010001000000120032002800000a546573745468" + "6f6d617304ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -568,7 +568,7 @@ func TestAmqp_RejectMessage(t *testing.T) { amqp.sendRequest = true data, err := hex.DecodeString("0100010000000d003c005a000000000000000101ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -599,9 +599,9 @@ func TestAmqp_GetEmptyMethod(t *testing.T) { data, err := hex.DecodeString("01000100000013003c004600000b526f626269" + "654b65616e6501ce") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("01000100000005003c004800ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -627,12 +627,12 @@ func TestAmqp_GetMethod(t *testing.T) { data, err := hex.DecodeString("0100010000000f003c0046000007546573744" + "7657401ce") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("0100010000001a003c00470000000000000001" + "0000075465737447657400000001ce02000100000019003c000000000000000000" + "1280000a746578742f706c61696ece03000100000012476574206d6520696620796" + "f752064617265ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -660,7 +660,7 @@ func TestAmqp_MaxBodyLength(t *testing.T) { data, err := hex.DecodeString("01000100000010003c002800000007546573744d617" + "800ce02000100000019003c0000000000000000001680000a746578742f706c61696ece" + "0300010000001649276d2061207665727920626967206d657373616765ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -691,7 +691,7 @@ func TestAmqp_MaxBodyLength(t *testing.T) { "17800ce02000100000018003c0000000000000000003a800009696d6167652f676966" + "ce0300010000003a41414141414141414141414141414141414141414141414141414141" + "414141414141414141414141414141414141414141414141414141414141ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple = testTCPTuple() @@ -731,7 +731,7 @@ func TestAmqp_HideArguments(t *testing.T) { data, err := hex.DecodeString("0100010000004d0032000a00000a5465737448656164" + "6572180000003704626f6f6c74010362697462050568656c6c6f530000001f4869206461" + "726c696e6720c3aac3aac3aac3aac3aac3aac3aae697a5e69cacce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() req := protos.Packet{Payload: data} private := protos.ProtocolData(new(amqpPrivateData)) @@ -757,7 +757,7 @@ func TestAmqp_HideArguments(t *testing.T) { "4657200ce02000100000026003c0000000000000000001a98800a746578742f706c61696" + "e02060a656c206d656e73616a65ce0300010000001a54657374206865616465722066696" + "56c647320666f7265766572ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple = testTCPTuple() req = protos.Packet{Payload: data} private = protos.ProtocolData(new(amqpPrivateData)) @@ -787,9 +787,9 @@ func TestAmqp_RecoverMethod(t *testing.T) { amqp.sendRequest = true data, err := hex.DecodeString("01000100000005003c006e01ce") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("01000100000004003c006fce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -814,7 +814,7 @@ func TestAmqp_BasicNack(t *testing.T) { _, amqp := amqpModForTests() data1, err := hex.DecodeString("0100010000000d003c0078000000000000000102ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data1, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -841,7 +841,7 @@ func TestAmqp_GetTable(t *testing.T) { "696d616c440500ec49050568656c6c6f530000001f4869206461726c696e6720c3aac3aa" + "c3aac3aac3aac3aac3aae697a5e69cac06646f75626c656440453e100cbd7da405666c6f" + "6174664124cccd04626f6f6c7401ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -900,7 +900,7 @@ func TestAmqp_TableInception(t *testing.T) { "000006445245414d5306696e6365703253000000064d4152494f4e056c696d626f46" + "00000021066c696d626f315300000004436f6262066c696d626f3253000000055361" + "69746f06626967496e746c00071afd498d0000ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -950,7 +950,7 @@ func TestAmqp_ArrayFields(t *testing.T) { //byte array, rabbitMQ specific field data, err := hex.DecodeString("010001000000260028000a0000057465737431057" + "46f706963020000000f05617272617978000000040a007dd2ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -975,7 +975,7 @@ func TestAmqp_ArrayFields(t *testing.T) { "0a66666666666096172726179626f6f6c410000000a740174007400740174010b617272" + "6179737472696e674100000030530000000441414141530000000442424242530000001" + "9d090d0bdd0bdd0b020d09ad0b0d180d0b5d0bdd0b8d0bdd0b0ce") - assert.Nil(t, err) + assert.NoError(t, err) stream = &amqpStream{data: data, message: new(amqpMessage)} ok, complete = amqp.amqpMessageParser(stream) @@ -1030,7 +1030,7 @@ func TestAmqp_WrongTable(t *testing.T) { "96d616c440500ec49050568656c6c6f530000001f4869206461726c696e6720c3aac3aac" + "3aac3aac3aac3aac3aae697a5e69cac06646f75626c656440453e100cbd7da405666c6f6" + "174664124cccd04626f6f6c7401ce") - assert.Nil(t, err) + assert.NoError(t, err) stream := &amqpStream{data: data, message: new(amqpMessage)} ok, complete := amqp.amqpMessageParser(stream) @@ -1053,7 +1053,7 @@ func TestAmqp_WrongTable(t *testing.T) { "96d616c447600ec49180568036c6c0b536400001f480a2064076e6c696e0520c3aac3aac" + "34613aac3aac3aa01aae697a5e69cac3c780b75626c6564a4453e100cbd7da4320a6c0b0" + "90b664124cc1904626f6f6c7401ce") - assert.Nil(t, err) + assert.NoError(t, err) stream = &amqpStream{data: data, message: new(amqpMessage)} ok, complete = amqp.amqpMessageParser(stream) @@ -1101,9 +1101,9 @@ func TestAmqp_ChannelCloseErrorMethod(t *testing.T) { "6f5f64656c6574652720666f722065786368616e676520277465737445786368616e676" + "52720696e2076686f737420272f273a207265636569766564202774727565272062757" + "42063757272656e74206973202766616c7365270028000ace") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("0100010000000400280033ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -1127,9 +1127,9 @@ func TestAmqp_ConnectionCloseNoError(t *testing.T) { amqp.hideConnectionInformation = false data, err := hex.DecodeString("01000000000012000a003200c8076b74687862616900000000ce") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("01000000000004000a0033ce") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() @@ -1161,9 +1161,9 @@ func TestAmqp_MultipleBodyFrames(t *testing.T) { "02000100000021003c0000000000000000002a80400a746578742f706c61696e00000000" + "56a22873ce030001000000202a2a2a68656c6c6f2049206c696b6520746f207075626c69" + "736820626967206dce") - assert.Nil(t, err) + assert.NoError(t, err) data2, err := hex.DecodeString("0300010000000a657373616765732a2a2ace") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() req := protos.Packet{Payload: data} diff --git a/packetbeat/protos/dhcpv4/dhcpv4_test.go b/packetbeat/protos/dhcpv4/dhcpv4_test.go index 704c4d2bece..1f7d416248a 100644 --- a/packetbeat/protos/dhcpv4/dhcpv4_test.go +++ b/packetbeat/protos/dhcpv4/dhcpv4_test.go @@ -117,7 +117,7 @@ func TestParseDHCPRequest(t *testing.T) { "port": 67, }, "event": common.MapStr{ - "category": []string{"network_traffic", "network"}, + "category": []string{"network"}, "type": []string{"connection", "protocol"}, "dataset": "dhcpv4", "kind": "event", @@ -201,7 +201,7 @@ func TestParseDHCPACK(t *testing.T) { "bytes": 300, }, "event": common.MapStr{ - "category": []string{"network_traffic", "network"}, + "category": []string{"network"}, "type": []string{"connection", "protocol"}, "dataset": "dhcpv4", "kind": "event", diff --git a/packetbeat/protos/http/http.go b/packetbeat/protos/http/http.go index efa344ab163..4b2367c0239 100644 --- a/packetbeat/protos/http/http.go +++ b/packetbeat/protos/http/http.go @@ -457,6 +457,12 @@ func (http *httpPlugin) flushResponses(conn *httpConnectionData) { unmatchedResponses.Add(1) resp := conn.responses.pop() debugf("Response from unknown transaction: %s. Reporting error.", resp.tcpTuple) + + if resp.statusCode == 100 { + debugf("Drop first 100-continue response") + return + } + event := http.newTransaction(nil, resp) http.publishTransaction(event) } diff --git a/packetbeat/protos/http/http_test.go b/packetbeat/protos/http/http_test.go index 69c8cd792ed..2e2995ff463 100644 --- a/packetbeat/protos/http/http_test.go +++ b/packetbeat/protos/http/http_test.go @@ -767,7 +767,7 @@ func TestHttpParser_requestURIWithSpace(t *testing.T) { assert.True(t, ok) assert.True(t, complete) path, params, err := http.extractParameters(msg) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, "/test", path) assert.Equal(t, string(msg.requestURI), "http://localhost:8080/test?password=two secret") assert.False(t, strings.Contains(params, "two secret")) @@ -802,7 +802,7 @@ func TestHttpParser_censorPasswordURL(t *testing.T) { assert.True(t, ok) assert.True(t, complete) path, params, err := http.extractParameters(msg) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, "/test", path) assert.False(t, strings.Contains(params, "secret")) } @@ -829,7 +829,7 @@ func TestHttpParser_censorPasswordPOST(t *testing.T) { assert.True(t, complete) path, params, err := http.extractParameters(msg) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, "/users/login", path) assert.True(t, strings.Contains(params, "username=ME")) assert.False(t, strings.Contains(params, "secret")) diff --git a/packetbeat/protos/memcache/memcache_test.go b/packetbeat/protos/memcache/memcache_test.go index 7e6f61cd67e..b36483770c1 100644 --- a/packetbeat/protos/memcache/memcache_test.go +++ b/packetbeat/protos/memcache/memcache_test.go @@ -90,7 +90,7 @@ func Test_TryMergeUnmergeableResponses(t *testing.T) { msg2 := textParseNoFail(t, "0\r\n") b, err := tryMergeResponses(mct.mc, msg1, msg2) assert.False(t, b) - assert.Nil(t, err) + assert.NoError(t, err) } func Test_TryMergeUnmergeableResponseWithValue(t *testing.T) { @@ -99,7 +99,7 @@ func Test_TryMergeUnmergeableResponseWithValue(t *testing.T) { msg2 := textParseNoFail(t, "0\r\n") b, err := tryMergeResponses(mct.mc, msg1, msg2) assert.False(t, b) - assert.Nil(t, err) + assert.NoError(t, err) } func Test_TryMergeUnmergeableResponseWithStat(t *testing.T) { @@ -108,7 +108,7 @@ func Test_TryMergeUnmergeableResponseWithStat(t *testing.T) { msg2 := textParseNoFail(t, "0\r\n") b, err := tryMergeResponses(mct.mc, msg1, msg2) assert.False(t, b) - assert.Nil(t, err) + assert.NoError(t, err) } func Test_MergeTextValueResponses(t *testing.T) { @@ -119,12 +119,12 @@ func Test_MergeTextValueResponses(t *testing.T) { b, err := tryMergeResponses(mct.mc, msg1, msg2) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, msg1.isComplete) b, err = tryMergeResponses(mct.mc, msg1, msg3) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, msg1.isComplete) } @@ -136,12 +136,12 @@ func Test_MergeTextStatsValueResponses(t *testing.T) { b, err := tryMergeResponses(mct.mc, msg1, msg2) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, msg1.isComplete) b, err = tryMergeResponses(mct.mc, msg1, msg3) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, msg1.isComplete) } @@ -159,12 +159,12 @@ func Test_MergeBinaryStatsValueResponses(t *testing.T) { b, err := tryMergeResponses(mct.mc, msg1, msg2) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, msg1.isComplete) b, err = tryMergeResponses(mct.mc, msg1, msg3) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, msg1.isComplete) } @@ -179,12 +179,12 @@ func Test_MergeTextValueResponsesNoLimits(t *testing.T) { b, err := tryMergeResponses(mct.mc, msg1, msg2) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, msg1.isComplete) b, err = tryMergeResponses(mct.mc, msg1, msg3) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, msg1.isComplete) msg := msg1 @@ -206,12 +206,12 @@ func Test_MergeTextValueResponsesWithLimits(t *testing.T) { b, err := tryMergeResponses(mct.mc, msg1, msg2) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.False(t, msg1.isComplete) b, err = tryMergeResponses(mct.mc, msg1, msg3) assert.True(t, b) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, msg1.isComplete) msg := msg1 diff --git a/packetbeat/protos/mongodb/mongodb_test.go b/packetbeat/protos/mongodb/mongodb_test.go index 4bd16ec121d..639a2ee7e78 100644 --- a/packetbeat/protos/mongodb/mongodb_test.go +++ b/packetbeat/protos/mongodb/mongodb_test.go @@ -88,7 +88,7 @@ func TestSimpleFindLimit1(t *testing.T) { "00000000746573742e72667374617572" + "616e7473000000000001000000050000" + "0000") - assert.Nil(t, err) + assert.NoError(t, err) respData, err := hex.DecodeString( "020200004a0000000a00000001000000" + "08000000000000000000000000000000" + @@ -123,7 +123,7 @@ func TestSimpleFindLimit1(t *testing.T) { "53686f70000272657374617572616e74" + "5f696400090000003330303735343435" + "0000") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() req := protos.Packet{Payload: reqData} @@ -157,7 +157,7 @@ func TestSimpleFindLimit1_split(t *testing.T) { "00000000746573742e72667374617572" + "616e7473000000000001000000050000" + "0000") - assert.Nil(t, err) + assert.NoError(t, err) respData1, err := hex.DecodeString( "020200004a0000000a00000001000000" + "08000000000000000000000000000000" + @@ -196,7 +196,7 @@ func TestSimpleFindLimit1_split(t *testing.T) { "53686f70000272657374617572616e74" + "5f696400090000003330303735343435" + "0000") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() req := protos.Packet{Payload: reqData} @@ -381,7 +381,7 @@ func TestDocumentLengthBoundsChecked(t *testing.T) { "06000000" + // Document (1 byte instead of 2) "00") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() req := protos.Packet{Payload: reqData} diff --git a/packetbeat/protos/mysql/mysql_test.go b/packetbeat/protos/mysql/mysql_test.go index 9bdfdb2cf07..d55917114ee 100644 --- a/packetbeat/protos/mysql/mysql_test.go +++ b/packetbeat/protos/mysql/mysql_test.go @@ -519,7 +519,7 @@ func Test_gap_in_response(t *testing.T) { reqData, err := hex.DecodeString( "130000000373656c656374202a20" + "66726f6d2074657374") - assert.Nil(t, err) + assert.NoError(t, err) respData, err := hex.DecodeString( "0100000103240000020364656604" + "74657374047465737404746573740161" + @@ -537,7 +537,7 @@ func Test_gap_in_response(t *testing.T) { "6f6620746865207072696e74696e6720" + "616e64207479706573657474696e6720" + "696e6475737472792e204c6f72656d20") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() req := protos.Packet{Payload: reqData} @@ -571,7 +571,7 @@ func Test_gap_in_eat_message(t *testing.T) { reqData, err := hex.DecodeString( "130000000373656c656374202a20" + "66726f6d20746573") - assert.Nil(t, err) + assert.NoError(t, err) stream := &mysqlStream{data: reqData, message: new(mysqlMessage), isClient: true} ok, complete := mysqlMessageParser(stream) @@ -589,13 +589,13 @@ func Test_read_length(t *testing.T) { var length int _, err = readLength([]byte{}, 0) - assert.NotNil(t, err) + assert.Error(t, err) _, err = readLength([]byte{0x00, 0x00}, 0) - assert.NotNil(t, err) + assert.Error(t, err) length, err = readLength([]byte{0x01, 0x00, 0x00}, 0) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, length, 1) } @@ -662,7 +662,7 @@ func Test_PreparedStatement(t *testing.T) { send := func(dir uint8, data string) { rawData, err := hex.DecodeString(data) - assert.Nil(t, err) + assert.NoError(t, err) packet := protos.Packet{Payload: rawData} var private protos.ProtocolData diff --git a/packetbeat/protos/pgsql/pgsql_test.go b/packetbeat/protos/pgsql/pgsql_test.go index 356d367c391..db735c64a5d 100644 --- a/packetbeat/protos/pgsql/pgsql_test.go +++ b/packetbeat/protos/pgsql/pgsql_test.go @@ -352,7 +352,7 @@ func Test_gap_in_response(t *testing.T) { reqData, err := hex.DecodeString( "510000001873656c656374202a20" + "66726f6d20746573743b00") - assert.Nil(t, err) + assert.NoError(t, err) // response is incomplete respData, err := hex.DecodeString( @@ -365,7 +365,7 @@ func Test_gap_in_response(t *testing.T) { "63440000001e0003000000046d656131" + "000000046d656231000000046d656331" + "440000001e0003000000046d65613200") - assert.Nil(t, err) + assert.NoError(t, err) tcptuple := testTCPTuple() req := protos.Packet{Payload: reqData} diff --git a/packetbeat/protos/tcp/tcp_test.go b/packetbeat/protos/tcp/tcp_test.go index c3461172937..092d1f6310c 100644 --- a/packetbeat/protos/tcp/tcp_test.go +++ b/packetbeat/protos/tcp/tcp_test.go @@ -153,7 +153,7 @@ func Test_configToPortsMap(t *testing.T) { for _, test := range configTests { output, err := buildPortsMap(test.Input) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, test.Output, output) } } @@ -178,7 +178,7 @@ func Test_configToPortsMap_negative(t *testing.T) { for _, test := range tests { _, err := buildPortsMap(test.Input) - assert.NotNil(t, err) + assert.Error(t, err) assert.Contains(t, err.Error(), test.Err) } } diff --git a/packetbeat/protos/tls/_meta/fields.yml b/packetbeat/protos/tls/_meta/fields.yml index 259540c695a..1fb72d28f74 100644 --- a/packetbeat/protos/tls/_meta/fields.yml +++ b/packetbeat/protos/tls/_meta/fields.yml @@ -19,125 +19,14 @@ description: Version of x509 format. example: 3 - - name: version_number - type: keyword - description: Version of x509 format. - example: 3 - - - name: serial_number - type: keyword - description: > - Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be - formatted without colons and uppercase characters. - example: 55FBB9C7DEBF09809D12CCAA - - - name: issuer.distinguished_name - type: keyword - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA - - - name: issuer.common_name - type: keyword - description: List of common name (CN) of issuing certificate authority. - example: DigiCert SHA2 High Assurance Server CA - - - name: issuer.organizational_unit - type: keyword - description: List of organizational units (OU) of issuing certificate authority. - example: www.digicert.com - - - name: issuer.organization - type: keyword - description: List of organizations (O) of issuing certificate authority. - example: DigiCert Inc - - - name: issuer.locality - type: keyword - description: List of locality names (L) - example: Mountain View - - name: issuer.province type: keyword description: Province or region within country. - - name: issuer.state_or_province - type: keyword - description: List of state or province names (ST, S, or P) - example: California - - - name: issuer.country - type: keyword - description: List of country (C) codes - example: US - - - name: signature_algorithm - type: keyword - description: Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). - example: SHA256-RSA - - - name: not_before - type: date - description: Time at which the certificate is first considered valid. - example: 2019-08-16T01:40:25Z - - - name: not_after - type: date - description: Time at which the certificate is no longer considered valid. - example: 2020-07-16T03:15:39Z - - - name: subject.distinguished_name - type: keyword - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net - - - name: subject.common_name - type: keyword - description: List of common names (CN) of subject. - example: r2.shared.global.fastly.net - - - name: subject.organizational_unit - type: keyword - description: List of organizational units (OU) of subject. - - - name: subject.organization - type: keyword - description: List of organizations (O) of subject. - example: Fastly, Inc. - - - name: subject.locality - type: keyword - description: List of locality names (L) - example: San Francisco - - name: subject.province type: keyword description: Province or region within country. - - name: subject.state_or_province - type: keyword - description: List of state or province names (ST, S, or P) - example: California - - - name: subject.country - type: keyword - description: List of country (C) code - example: US - - - name: public_key_algorithm - type: keyword - description: Algorithm used to generate the public key. - example: RSA - - - name: public_key_size - type: long - description: The size of the public key space in bits. - example: 2048 - - - name: alternative_names - type: keyword - description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - example: '*.elastic.co' - # get rid of this when we upgrade to ECS 1.6 - name: server type: group @@ -151,125 +40,14 @@ description: Version of x509 format. example: 3 - - name: version_number - type: keyword - description: Version of x509 format. - example: 3 - - - name: serial_number - type: keyword - description: > - Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be - formatted without colons and uppercase characters. - example: 55FBB9C7DEBF09809D12CCAA - - - name: issuer.distinguished_name - type: keyword - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA - - - name: issuer.common_name - type: keyword - description: List of common name (CN) of issuing certificate authority. - example: DigiCert SHA2 High Assurance Server CA - - - name: issuer.organizational_unit - type: keyword - description: List of organizational units (OU) of issuing certificate authority. - example: www.digicert.com - - - name: issuer.organization - type: keyword - description: List of organizations (O) of issuing certificate authority. - example: DigiCert Inc - - - name: issuer.locality - type: keyword - description: List of locality names (L) - example: Mountain View - - name: issuer.province type: keyword description: Province or region within country. - - name: issuer.state_or_province - type: keyword - description: List of state or province names (ST, S, or P) - example: California - - - name: issuer.country - type: keyword - description: List of country (C) codes - example: US - - - name: signature_algorithm - type: keyword - description: Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). - example: SHA256-RSA - - - name: not_before - type: date - description: Time at which the certificate is first considered valid. - example: 2019-08-16T01:40:25Z - - - name: not_after - type: date - description: Time at which the certificate is no longer considered valid. - example: 2020-07-16T03:15:39Z - - - name: subject.distinguished_name - type: keyword - description: Distinguished name (DN) of the certificate subject entity. - example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net - - - name: subject.common_name - type: keyword - description: List of common names (CN) of subject. - example: r2.shared.global.fastly.net - - - name: subject.organizational_unit - type: keyword - description: List of organizational units (OU) of subject. - - - name: subject.organization - type: keyword - description: List of organizations (O) of subject. - example: Fastly, Inc. - - - name: subject.locality - type: keyword - description: List of locality names (L) - example: San Francisco - - name: subject.province type: keyword description: Province or region within country. - - name: subject.state_or_province - type: keyword - description: List of state or province names (ST, S, or P) - example: California - - - name: subject.country - type: keyword - description: List of country (C) code - example: US - - - name: public_key_algorithm - type: keyword - description: Algorithm used to generate the public key. - example: RSA - - - name: public_key_size - type: long - description: The size of the public key space in bits. - example: 2048 - - - name: alternative_names - type: keyword - description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. - example: '*.elastic.co' - - name: detailed type: group default_fields: false diff --git a/packetbeat/protos/tls/alerts_test.go b/packetbeat/protos/tls/alerts_test.go index 5c35d3bbf28..33cd5a08e06 100644 --- a/packetbeat/protos/tls/alerts_test.go +++ b/packetbeat/protos/tls/alerts_test.go @@ -36,14 +36,14 @@ func getParser() *parser { func mkBuf(t *testing.T, s string, length int) *bufferView { bytes, err := hex.DecodeString(s) - assert.Nil(t, err) + assert.NoError(t, err) return newBufferView(streambuf.New(bytes), 0, length) } func TestParse(t *testing.T) { parser := getParser() err := parser.parseAlert(mkBuf(t, "0102", 2)) - assert.Nil(t, err) + assert.NoError(t, err) assert.Len(t, parser.alerts, 1) assert.Equal(t, alertSeverity(1), parser.alerts[0].severity) assert.Equal(t, alertCode(2), parser.alerts[0].code) @@ -52,17 +52,17 @@ func TestParse(t *testing.T) { func TestShortBuffer(t *testing.T) { parser := getParser() err := parser.parseAlert(mkBuf(t, "", 2)) - assert.NotNil(t, err) + assert.Error(t, err) assert.Empty(t, parser.alerts) err = parser.parseAlert(mkBuf(t, "01", 2)) - assert.NotNil(t, err) + assert.Error(t, err) assert.Empty(t, parser.alerts) } func TestEncrypted(t *testing.T) { parser := getParser() err := parser.parseAlert(mkBuf(t, "010200000000", 6)) - assert.Nil(t, err) + assert.NoError(t, err) assert.Empty(t, parser.alerts) } diff --git a/packetbeat/protos/tls/fields.go b/packetbeat/protos/tls/fields.go index b0c0a67e3a2..112984a5d3a 100644 --- a/packetbeat/protos/tls/fields.go +++ b/packetbeat/protos/tls/fields.go @@ -32,5 +32,5 @@ func init() { // AssetTls returns asset data. // This is the base64 encoded gzipped contents of protos/tls. func AssetTls() string { - return "eJzsW19v2zgSf8+nGOw+JDk4yr/N7iZAF3Cd9DZALi3qZO9wLwItjSVeaVJLUnbdT38YSrJlW5Yd20nTVn4IYkua+c1wOPxxODqCTzi+AiuMH6JlXGC4B2C5FXgF+9f5T/Bw193fAwjRBJonlit5BX/sAQCUbzkyCQa8zwPAIUoLfY4iNN4e5P9duSeOQLIBOp3uO4AdJ3gFkVZpkv9Svp8+P0OEFjQPQfXBxtzAKEYJI4Q0iTQLEayCm04XTr1fJw8VigLBUdrJz1X6qnSWRXy+OLmcubBMCH1C7LNUWD8XCH0mDM7dU6WsrHCI2nAlF64Xej/heKR0WHF9Zoz+ysSQ18gE6Cs9YNareAw/s0FCg36+twqUL9NBD/XrwmZQcyZ2BO2PihsAHiX/O8VcE2SagBuTYgi9MdgYIUBtaQIwi8BSGyvN7diDd0pDoKThxqIMxi3geRQPmUgRuAEmkpjJdICaBy3gFkysUhFCbz5wsk/mK4shjLiNVWohUEJJA0yGkCYJ6oAZhCBmmgUWtal168XFu7dvLzu/Xd+8fXdy+fvJ5fXpWafTbi/3trNaeyE3lsso5SbG0KdL23r+uizRKYOD6/tDChLSyWW0xMd19nXePHZb8P7NNY94B7WFWxm04P3jm9Fo5IU84iTSC9SgBZ376V3dP9tn8CePYmgbk2omA4Qu6iFq6Kz2TaAGA5orO3DKHTeWPJCJzL3S2dYrO7JT6YhJ/oURVCb8VHK7K3tnRQOJNnDw/nFLw+dH/UkmPodtZNSuBvNWBivtESpggtvxrmwp5DktBg7uDuug/kul0jIu4S+Oo5VYE62GXAZbz6EPuRxQGjRGtPBQ6uQSAsKjx95KKMYyi77S/q4wFf5zgglYIbhwZPehBd0WXflQ69IOE7yvtORsjbTkrN1dSnLi4KBzCIEK0dTBfOzWrN88ksymGn0mIor3eLAtxtsQJU0j1LRezkyqiTaYaPPgI1KCRVpBDc3CbBD6KpUhcAn/VHDHZAQdPU6sAsF7mpHlXUSIrU3M1fFxxG2c9iipHEdKMBkdR+q4J1TvOFKn3ukvx0YHx4ETcEykx/3xIvXz3fn5b0d35xfnh7XTnFL1xa9HH7s1eVkq6/ewr/Ty+AyZrbo4470HPkBgFkYxD+IFcsMN9Lk2NqM1IWoMiczwsBb+2cnp5dHJ70envz6cnF79cnJ1dvHfekNY39bQuZ3YIRUIJSPUT7Xl7OTo5Ddny/nV6cXV+WWNLSbt/Q8D+7KMad7YHATQtFiLMnUf3kxTSwvu3nSZhHfEELgJFFGqd8xYMW7RsuM59qTPPBMzjaEXCdVjwuu7OzyJdrV3npczmQlpKvTVeWArQ74WKZoY9iSEz8pp1vF1OYpWQ/+69GVmCqwG+xr4S4Hl2yYw0yTxrAxmUwKTpD3BA/8TjnfHYNqFIEgNhmAVRChRk7Mpt2cqSVjt7KplCyXYhn9ZHhG0RK5camNiVl+wWHum+MAkLEBiUT1u64sRZye//L4cLhMWtWSWD9EtE1V8c7MQztfGkoJJELfvDz24p5WVRBsYEu/rjau3aa4EU75Cz0DPlWhoKRJj4hluA3T7AVgYajQGTQuu77uFRhIx4iIMmA7NYcuJxAHjYnp/rQ/3/+GhYMbywAvU/t5uyqjGlQSaMmpTRm3KqJVubcqoTRm1KaOuZ2JTRm3KqN/kLqQpozZl1KaM2pRRmzJqU0ZtyqhNGfWbIzBNGbUpozZl1K3KqIUXSx2zs06bL2euKmXW1UyrS5h1g7OiBkfhNZwWDSnCHu66lHOsCpRwc2TeLVOX0K2n3vn+XiVYjSYdOM3+AG2s5qFtAfs2g2rQOOQxM9BDlJlKDFvuaipD1GJM245Mf2YNvJc0mxZk/sTDn9ymhqwqJN9eU6L9yfLgE9rp5ew74GeLku7zqj2QNRv7pcj1Nf6dorFY7YyeUgLZ/PiucMa/Y7Qx6twjrsZEDployjirg0LpjmYVsdWMq1uDYtEX2WaNFU+VDKi3NEYh1NpF/Rcq2FdXnldFfm9c3t5kfhjRhsCAnTcx+1AuSmXm1zDV5EFXkM5jqY5MZHf4vMqW3VXZ8/K6VcCzbfx4ZhZRcDtjldZoEiVDXrk+kaVSYmALwlRyUS1jShKlLYZ+oAaJzk3OZubWS87yMRbTTUuhNE8Hpjy0ObrKNQCgXI8YjUYeZ5IR3T9mxvBIDlBac0wajkj0EQ/nvnmfYzsQy30zSSTLHVE1gRbcQAa7OViSmBHIsHSgko/UoqxlExIWTv4cUfC5DCncq+corDGGCwYU1CFWxmZcpBYMSxKRI/AFG6Oj4W7++hIjZflOwVUHGX0K2CU8Rw7PJJ/MBBs3REWEyxCKVqWKaQMV+SFbdl7AHJSRjYu0WOSHTLs7aCtCym1DmAQcJHYMxuplGcMBVMDCIS0lBov5liUdJ9iscsIkf+Rpu2qu7NoR+bjSylBoBRszu9VoTgxxc/oFzbgRgm4OoJPqIeZV10izJB7DwU2HdmvuQi0umBown1HqzV6sRr+g6RXV6XwkB2wMPaRxo71UyCNumVhueyFnVbhi4CeKS2v87GD56w3zwU3nEByW/IzbeHCbZW50aWm5sejkzTy7EP4Bk5AwvTLs/VS620L/5TxRWgUd7BFqBIF9CwUYCuEPjPJPD9l8CM+ted8Ru3Xe4CargWTEr8xUq0TeugdIUsyjGI2dKFjIB/kuRCraIgWIS4mkLcGc7le4LMeX83oteRYYVNPK5/PtIpuc4JhzQl+rgftORLRS3oSfPdXuH2DT8KLEOBuxTYnxy3LR+1wkhmXFMEs6XxerfMzrrUxKlcoAsyTE5vil41K0IBejs1Te7KhBW4zY2Myz0VdIKktDV+KV5JmMhoQ/PLPIU+cPwCwWK4Rr84sZwJ1Scbx6v+8ydan2V7HOb8tY1jnP+M+0LbWQV5P+f5ju2IfZtoJ9M9sSW+OiHbWmXFPkZHLq2jps0cVRi2f7DhMHx4lZggY/J7x6E/ach4fLCSGbPVacUOrZQa0/XYT8aAI+dtstuO62QWm46Vx32+uZufVhY7fyoLGOg+6+w+yJLl6YNgWiGtQ7P/Ds5ged7dJB533e6bYYB6u7CrbjugUajbRFQTnZk8zDWJSzDs9d3iuwjt8W0HbyXoFAhavW+RX9NRupf1+S6dQ8AcPyLqSNoDxKbosGlLKaFYhqGk82grFJVwzMxEddw9lGkFyfgNLuVCBrx+NFH2rVayIrANb0Om2E7i6Xt0LtWm2KGwHYabsifL2Wxaydervkd+MMK+pb7j0iJkO3LLiT8CYHLqpvcmCTA7dE9y3lwCzNvJ4UOHfK8Ky1gKIo3dQCmlrAUgBNLaCpBTS1gA0xN7WAtf22gLbhwd8ZD17n7ZivAqwh6NVqXwVBb4oUTXJeUN8k5yY5bw6pSc61AL7L6okfxIxXvyvHtGbzozeb7OhRZ75OjZ3sL4rGlHXfh3peNGu/ncUEauu7Fy0rAWz0Dl5bZsCLVy+z952yPlOnMHtLk8DiEPU4/1FjgHyIobf3/wAAAP//PewGKg==" + return "eJzsW99v47gRfs9fMbg+ZBdwtL0eWqABUiBwckCAxe6h3m37JtDSWGKXInXkyI73ry9ISjatH7Y3dnLprvwUW9LMN8PhNx/J6Aq+4PoaSJg4RWJcYHoBQJwEXsPlXf0TfHo/u7wASNEkmpfElbyGf1wAAIS3XJkSE77gCeASJcGCo0hNdAH1X9fuiSuQrEDn030HoHWJ15BpVZX1L+H99vMnyJBA8xTUAijnBlY5SlghVGWmWYpACu6nM/g5+tvmocZRIjhK2vzc56/PZ2ji8a9//vvOhSEj9pPiglWC4togLJgw2Lqnz1nocInacCU71xu/X3C9Ujrtub4zRv/yZmzWbAiwULpgFPU8ho+sKO2g/3IxCIobU6GOSq2WXCbtkL4Z3G+1HVAaNGYW54pTziUkqpKk19EwFFPN/4sJ/SFYTipGg3qJeizGsRjPg6XBELD3rs92URwqiH2V118I+2Lr6Rjh51OOjVE/mdD2ESi1IpUoAZXBtF0gm+K4tLf+HP1yedELVqOpCuc5LpBy1YZ2AuwHD9WgcchzZmCOKL1LTCfuaiVT1GLNZQbev48GPkoEtejY/ImnP9kp4RLQWH64szXwE/HkC9L2sv8O+Ego7X1RfwZ844sT1GS7MiOMNf5eoSHsT8ZcKYGsPb4HkvHvHClHXWfEsptLyMaTu+ChWGJkFeUoycEBTgZFNxeVsVljzVNBAPsjzVEIdTQ1vhDtdTMGR1T+fA2rnCd5mL0VNzkaoHaI/pOooqikz2taaZtB15zqWtrHX/6OmPfFcoZYP0v+e4Ugq2Ju60QBT20FLNY7s8gWtwtWaY2mVDLlMhuIVEpMqOHFIEV7SboslSZM40QVpa5D9jPTPN8YC27IDnDgtKYDEw5tjc70dUOAGSLkRKW5fvdutVpFnEkWKZ29Y8bwTBYoybyzHq6s6Suetr5FjzkVYjg3GyIZTkTfBOqkwQbs5mBgEVxXTDG1JR2OVNfW0ISEjn6K7ZeYy9SWe/8chSPGsBPA+3q0cmXIujDdnIVgWFmKGkEs2Bp13MzfWGKmiJ8VXH+R2U8DO8Bz5fBs+GSn2Kxi5UI4hlC2K/VMG+jhB992XiAclBnlDS02/OC9T4AvNiU1sd2RScCipDUY0kOM4QAqYOnSthKDzXzzpOMMm0NJ2PBHTdt9c+XciajH1XaGxitQzuik0dwE4ub0C4ZxL4S9OYFppZcIU70uSWWalfka3txPp28hcRf24oJtAG1G2R82zySjSmPMRKY0p7x4wdA33mHr3Y9kwdYwRztuwCWkPOPExHDsjZ1D5YpJXCouycR+mfXHDfOb++lbcFjqFZ+J4MEzNzpaGg4Wnb2dZzvlnzAJJdMHyz6upLstjV8uE0EXdLBXqBEELggaMLaEf2OWf+bI2iXc6nnfkbp12eDGrYhq4Rcq1T6TD+4BaynnWY6GNg46fFCvQqSyS6QEcVBIUgBzu17hMqwvl/W94llg0i8rny+3XTW5wdFKwkKrwn23QrTX3kaffWvcP8Ci4UWFsR+xpwrjl9WiH2qTmIaOYVd0vi5V+dlyjRWBUqpKJuhJiLX0pdNStiE3ozNob3fU4Fas2Nq01egrFJXB0AW60mbGy5D0h1cWNXX+AMqiu0N4tL7YATzdGhhY7zumDvb+evr8qYpFqF7q3wH6n+3BQ2NvD/3Xd8S+CZ3a5857/mFQcybOBM1piu0YXprafN1+96RIKornuFB6+NQj7ZZVB8CdrRxvJ9z3DMqKGyfolkzwPoYK8bAF7UnJ0XCcmQE0+Fjy/kVYA6Ss5oIn8RdcbxeczycINy5aknp3UD0m661fY/ujCfjn7HYCd7NbUBrup3ez2+PCNPzrcBEcMzln/Cs2y4UQ6vAc6K7pXzjFnWnTINqDmglCLRnxJcZ+k/FEzDN//gi3W8PwwRrurYPDB5mnad0GjUa7REG5WZO0YXTtHKNz6yPQc7XaqTcHiUoP9XmlMyb517Pq6I+BTefmGzAwEVeSn005f5acmnPm0M0BRHsOvZ8E4ykH8bBTH0VhWzYrzgbJziULJ1eGnJdmLcoDlbN3goUAhUqY4HS2Cn5f2zvgNuWGuMwqbnJMz5qeu9Cyz8+buw9vGyYP22ZNMGCzRwNNKJA/05vPswnMPt1MmeALpSVnE3h/M2MSftVMJtwkagIfb35lhsR6Ag8yiSYw/XCj/xKZnGlMo0yoORPRwt0RSaRD/1FyGvndu8Ca/S1T2fWxTF1bcCfhIwd23Y8cOHLgiej+nzjQ08zrocDWKcOz7gU0m9LjXsC4FzAIYNwLGPcCxr2AJ2Ie9wKOzlsH7aiDvzMdbIgRxsodhb4qYKNA73f7KgT6uEkxknPH/UjOIzk/HdJIznsBfJe7J3GSM97/rhzTmrVHb5fs7KMufF0Z2qwvmn9MOfZ9qOdFc/TbWUygptg6ay9vTngH71Z64JAoSYxL/76T/z9T59AZd2BxiXpd/6gxQb7ENLr4XwAAAP//dxGgaw==" } diff --git a/packetbeat/protos/tls/parse_test.go b/packetbeat/protos/tls/parse_test.go index f8635371494..b6084ca5943 100644 --- a/packetbeat/protos/tls/parse_test.go +++ b/packetbeat/protos/tls/parse_test.go @@ -114,19 +114,19 @@ const ( func sBuf(t *testing.T, hexString string) *streambuf.Buffer { bytes, err := hex.DecodeString(hexString) - assert.Nil(t, err) + assert.NoError(t, err) return streambuf.New(bytes) } func mapGet(t *testing.T, m common.MapStr, key string) interface{} { value, err := m.GetValue(key) - assert.Nil(t, err) + assert.NoError(t, err) return value } func mapInt(t *testing.T, m common.MapStr, key string) uint32 { value, err := m.GetValue(key) - assert.Nil(t, err) + assert.NoError(t, err) return value.(uint32) } @@ -137,17 +137,17 @@ func TestParseRecordHeader(t *testing.T) { } _, err := readRecordHeader(sBuf(t, "")) - assert.NotNil(t, err) + assert.Error(t, err) _, err = readRecordHeader(sBuf(t, "11")) - assert.NotNil(t, err) + assert.Error(t, err) _, err = readRecordHeader(sBuf(t, "1122")) - assert.NotNil(t, err) + assert.Error(t, err) _, err = readRecordHeader(sBuf(t, "112233")) - assert.NotNil(t, err) + assert.Error(t, err) _, err = readRecordHeader(sBuf(t, "11223344")) - assert.NotNil(t, err) + assert.Error(t, err) header, err := readRecordHeader(sBuf(t, "1103024455")) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, recordType(0x11), header.recordType) assert.Equal(t, "TLS 1.1", header.version.String()) assert.Equal(t, uint16(0x4455), header.length) @@ -164,13 +164,13 @@ func TestParseHandshakeHeader(t *testing.T) { } _, err := readHandshakeHeader(sBuf(t, "")) - assert.NotNil(t, err) + assert.Error(t, err) _, err = readHandshakeHeader(sBuf(t, "11")) - assert.NotNil(t, err) + assert.Error(t, err) _, err = readHandshakeHeader(sBuf(t, "112233")) - assert.NotNil(t, err) + assert.Error(t, err) _, err = readHandshakeHeader(sBuf(t, "112233")) - assert.NotNil(t, err) + assert.Error(t, err) header, err := readHandshakeHeader(sBuf(t, "11223344")) assert.Equal(t, handshakeType(0x11), header.handshakeType) assert.Equal(t, 0x223344, header.length) diff --git a/packetbeat/protos/tls/tls_test.go b/packetbeat/protos/tls/tls_test.go index 64a79024806..512294f2d4f 100644 --- a/packetbeat/protos/tls/tls_test.go +++ b/packetbeat/protos/tls/tls_test.go @@ -39,7 +39,7 @@ type eventStore struct { } const ( - expectedClientHello = `{"client":{"ip":"192.168.0.1","port":6512},"destination":{"domain":"example.org","ip":"192.168.0.2","port":27017},"event":{"category":["network_traffic","network"],"dataset":"tls","kind":"event","type":["connection","protocol"]},"network":{"community_id":"1:jKfewJN/czjTuEpVvsKdYXXiMzs=","protocol":"tls","transport":"tcp","type":"ipv4"},"related":{"ip":["192.168.0.1","192.168.0.2"]},"server":{"domain":"example.org","ip":"192.168.0.2","port":27017},"source":{"ip":"192.168.0.1","port":6512},"status":"Error","tls":{"client":{"ja3":"94c485bca29d5392be53f2b8cf7f4304","server_name":"example.org","supported_ciphers":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},"detailed":{"client_certificate_requested":false,"client_hello":{"extensions":{"_unparsed_":["renegotiation_info","23","status_request","18","30032"],"application_layer_protocol_negotiation":["h2","http/1.1"],"ec_points_formats":["uncompressed"],"server_name_indication":["example.org"],"session_ticket":"","signature_algorithms":["ecdsa_secp256r1_sha256","rsa_pss_sha256","rsa_pkcs1_sha256","ecdsa_secp384r1_sha384","rsa_pss_sha384","rsa_pkcs1_sha384","rsa_pss_sha512","rsa_pkcs1_sha512","rsa_pkcs1_sha1"],"supported_groups":["x25519","secp256r1","secp384r1"]},"supported_compression_methods":["NULL"],"version":"3.3"},"version":"TLS 1.2"},"established":false,"resumed":false,"version":"1.2","version_protocol":"tls"},"type":"tls"}` + expectedClientHello = `{"client":{"ip":"192.168.0.1","port":6512},"destination":{"domain":"example.org","ip":"192.168.0.2","port":27017},"event":{"category":["network"],"dataset":"tls","kind":"event","type":["connection","protocol"]},"network":{"community_id":"1:jKfewJN/czjTuEpVvsKdYXXiMzs=","protocol":"tls","transport":"tcp","type":"ipv4"},"related":{"ip":["192.168.0.1","192.168.0.2"]},"server":{"domain":"example.org","ip":"192.168.0.2","port":27017},"source":{"ip":"192.168.0.1","port":6512},"status":"Error","tls":{"client":{"ja3":"94c485bca29d5392be53f2b8cf7f4304","server_name":"example.org","supported_ciphers":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},"detailed":{"client_certificate_requested":false,"client_hello":{"extensions":{"_unparsed_":["renegotiation_info","23","status_request","18","30032"],"application_layer_protocol_negotiation":["h2","http/1.1"],"ec_points_formats":["uncompressed"],"server_name_indication":["example.org"],"session_ticket":"","signature_algorithms":["ecdsa_secp256r1_sha256","rsa_pss_sha256","rsa_pkcs1_sha256","ecdsa_secp384r1_sha384","rsa_pss_sha384","rsa_pkcs1_sha384","rsa_pss_sha512","rsa_pkcs1_sha512","rsa_pkcs1_sha1"],"supported_groups":["x25519","secp256r1","secp384r1"]},"supported_compression_methods":["NULL"],"version":"3.3"},"version":"TLS 1.2"},"established":false,"resumed":false,"version":"1.2","version_protocol":"tls"},"type":"tls"}` expectedServerHello = `{"extensions":{"_unparsed_":["renegotiation_info","status_request"],"application_layer_protocol_negotiation":["h2"],"ec_points_formats":["uncompressed","ansiX962_compressed_prime","ansiX962_compressed_char2"],"session_ticket":""},"selected_compression_method":"NULL","version":"3.3"}` rawClientHello = "16030100c2010000be03033367dfae0d46ec0651e49cca2ae47317e8989df710" + "ee7570a88b9a7d5d56b3af00001c3a3ac02bc02fc02cc030cca9cca8c013c014" + @@ -116,7 +116,7 @@ func TestAlert(t *testing.T) { reqData, err := hex.DecodeString( "1503010002022d") - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData @@ -151,7 +151,7 @@ func TestInvalidAlert(t *testing.T) { reqData, err := hex.DecodeString( "1503010003010203") - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData @@ -167,7 +167,7 @@ func TestClientHello(t *testing.T) { reqData, err := hex.DecodeString(rawClientHello) - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData @@ -179,7 +179,7 @@ func TestClientHello(t *testing.T) { event := results.events[0] b, err := json.Marshal(event.Fields) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, expectedClientHello, string(b)) } @@ -188,7 +188,7 @@ func TestServerHello(t *testing.T) { reqData, err := hex.DecodeString(rawServerHello) - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData @@ -200,9 +200,9 @@ func TestServerHello(t *testing.T) { event := results.events[0] hello, err := event.GetValue("tls.detailed.server_hello") - assert.Nil(t, err) + assert.NoError(t, err) b, err := json.Marshal(hello) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, expectedServerHello, string(b)) } @@ -215,7 +215,7 @@ func TestFragmentedHandshake(t *testing.T) { "ee7570a88b9a7d5d56b3af00001c3a3ac02bc02fc02cc030cca9cca8c013c014" + "009c009d") - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData @@ -227,7 +227,7 @@ func TestFragmentedHandshake(t *testing.T) { "1603010083002f0035000a01000079dada0000ff0100010000000010000e00000b" + "6578616d706c652e6f72670017000000230000000d0014001204030804040105" + "0308050501080606010201000500050100000000001200000010000e000c0268") - assert.Nil(t, err) + assert.NoError(t, err) req = protos.Packet{Payload: reqData} private = tls.Parse(&req, tcpTuple, 0, private) @@ -235,7 +235,7 @@ func TestFragmentedHandshake(t *testing.T) { reqData, err = hex.DecodeString( "3208687474702f312e3175500000000b00020100000a000a00086a6a001d0017" + "0018aaaa000100") - assert.Nil(t, err) + assert.NoError(t, err) req = protos.Packet{Payload: reqData} private = tls.Parse(&req, tcpTuple, 0, private) @@ -245,7 +245,7 @@ func TestFragmentedHandshake(t *testing.T) { event := results.events[0] b, err := json.Marshal(event.Fields) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, expectedClientHello, string(b)) } @@ -258,7 +258,7 @@ func TestInterleavedRecords(t *testing.T) { "ee7570a88b9a7d5d56b3af00001c3a3ac02bc02fc02cc030cca9cca8c013c014" + "009c009d") - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData @@ -268,14 +268,14 @@ func TestInterleavedRecords(t *testing.T) { // Then two records containing one alert each, merged in a single packet reqData, err = hex.DecodeString( "1503010002FFFF15030100020101") - assert.Nil(t, err) + assert.NoError(t, err) req = protos.Packet{Payload: reqData} private = tls.Parse(&req, tcpTuple, 0, private) // And an application data record reqData, err = hex.DecodeString( "17030100080123456789abcdef") - assert.Nil(t, err) + assert.NoError(t, err) req = protos.Packet{Payload: reqData} private = tls.Parse(&req, tcpTuple, 0, private) @@ -286,7 +286,7 @@ func TestInterleavedRecords(t *testing.T) { "0308050501080606010201000500050100000000001200000010000e000c0268" + "3208687474702f312e3175500000000b00020100000a000a00086a6a001d0017" + "0018aaaa000100") - assert.Nil(t, err) + assert.NoError(t, err) req = protos.Packet{Payload: reqData} private = tls.Parse(&req, tcpTuple, 0, private) @@ -297,11 +297,11 @@ func TestInterleavedRecords(t *testing.T) { // Event contains the client hello _, err = event.GetValue("tls.detailed.client_hello") - assert.Nil(t, err) + assert.NoError(t, err) // and the alert alerts, err := event.GetValue("tls.detailed.alerts") - assert.Nil(t, err) + assert.NoError(t, err) assert.Len(t, alerts.([]common.MapStr), 2) } @@ -312,7 +312,7 @@ func TestCompletedHandshake(t *testing.T) { // First, a certificates record reqData, err := hex.DecodeString(certsMsg) - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData @@ -357,7 +357,7 @@ func TestTLS13VersionNegotiation(t *testing.T) { "d809edfcd417861a3ca83e40cf631616e0791efbcc79a0fdfe0d57c6ede4dd4f" + "8dc54cdb7904a8924f10c55f97e5fcc1f813e6002120720c822a09c99a10b09e" + "de25dded2e4c62eff486bf7827f89613f3038d5a200a") - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData @@ -391,7 +391,7 @@ func TestTLS13VersionNegotiation(t *testing.T) { "tls.detailed.version": "TLS 1.3", } { version, err := results.events[0].Fields.GetValue(key) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, expected, version) } } @@ -401,7 +401,7 @@ func TestLegacyVersionNegotiation(t *testing.T) { // First, a client hello reqData, err := hex.DecodeString(rawClientHello) - assert.Nil(t, err) + assert.NoError(t, err) tcpTuple := testTCPTuple() req := protos.Packet{Payload: reqData} var private protos.ProtocolData @@ -430,7 +430,7 @@ func TestLegacyVersionNegotiation(t *testing.T) { "tls.detailed.version": "TLS 1.2", } { version, err := results.events[0].Fields.GetValue(key) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, expected, version) } } diff --git a/packetbeat/protos/udp/udp_test.go b/packetbeat/protos/udp/udp_test.go index 32eae60308a..4d09882c981 100644 --- a/packetbeat/protos/udp/udp_test.go +++ b/packetbeat/protos/udp/udp_test.go @@ -169,7 +169,7 @@ func Test_buildPortsMap(t *testing.T) { for _, test := range configTests { output, err := buildPortsMap(test.Input) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, test.Output, output) } } @@ -198,7 +198,7 @@ func Test_buildPortsMap_portOverlapError(t *testing.T) { for _, test := range tests { _, err := buildPortsMap(test.Input) - assert.NotNil(t, err) + assert.Error(t, err) assert.Contains(t, err.Error(), test.Err) } } diff --git a/packetbeat/tests/system/README.md b/packetbeat/tests/system/README.md index 370ba15b4e5..05f8e479bbb 100644 --- a/packetbeat/tests/system/README.md +++ b/packetbeat/tests/system/README.md @@ -1,7 +1,7 @@ # System tests for Packetbeat This folder contains the system tests for Packetbeat. The system tests -are written in Python and they make use of the nose framework. +are written in Python and they make use of the pytest framework. ## Running @@ -13,4 +13,4 @@ the setup and run all the tests with: Running a single test, e.g.: . env/bin/activate - nosetests test_0002_thrift_basics.py:Test.test_thrift_integration + pytest test_0002_thrift_basics.py:Test.test_thrift_integration diff --git a/packetbeat/tests/system/golden/established_tls-expected.json b/packetbeat/tests/system/golden/established_tls-expected.json index 5ce92528a02..3cfa141af3a 100644 --- a/packetbeat/tests/system/golden/established_tls-expected.json +++ b/packetbeat/tests/system/golden/established_tls-expected.json @@ -8,7 +8,6 @@ "destination.ip": "93.184.216.34", "destination.port": 443, "event.category": [ - "network_traffic", "network" ], "event.dataset": "tls", @@ -251,4 +250,4 @@ "tls.version_protocol": "tls", "type": "tls" } -] \ No newline at end of file +] diff --git a/packetbeat/tests/system/golden/non_established_tls-expected.json b/packetbeat/tests/system/golden/non_established_tls-expected.json index 573bb673774..39641270769 100644 --- a/packetbeat/tests/system/golden/non_established_tls-expected.json +++ b/packetbeat/tests/system/golden/non_established_tls-expected.json @@ -8,7 +8,6 @@ "destination.ip": "151.101.134.217", "destination.port": 443, "event.category": [ - "network_traffic", "network" ], "event.dataset": "tls", @@ -113,4 +112,4 @@ "tls.version_protocol": "tls", "type": "tls" } -] \ No newline at end of file +] diff --git a/packetbeat/tests/system/golden/tls_1_3-expected.json b/packetbeat/tests/system/golden/tls_1_3-expected.json index 30285212e32..35fae5ab58e 100644 --- a/packetbeat/tests/system/golden/tls_1_3-expected.json +++ b/packetbeat/tests/system/golden/tls_1_3-expected.json @@ -8,7 +8,6 @@ "destination.ip": "216.58.201.174", "destination.port": 443, "event.category": [ - "network_traffic", "network" ], "event.dataset": "tls", @@ -123,4 +122,4 @@ "tls.version_protocol": "tls", "type": "tls" } -] \ No newline at end of file +] diff --git a/packetbeat/tests/system/golden/tls_all_options-expected.json b/packetbeat/tests/system/golden/tls_all_options-expected.json index f1ba1cf337d..0106aa9048d 100644 --- a/packetbeat/tests/system/golden/tls_all_options-expected.json +++ b/packetbeat/tests/system/golden/tls_all_options-expected.json @@ -8,7 +8,6 @@ "destination.ip": "93.184.216.34", "destination.port": 443, "event.category": [ - "network_traffic", "network" ], "event.dataset": "tls", @@ -258,4 +257,4 @@ "tls.version_protocol": "tls", "type": "tls" } -] \ No newline at end of file +] diff --git a/packetbeat/tests/system/golden/tls_no_certs-expected.json b/packetbeat/tests/system/golden/tls_no_certs-expected.json index 3f4587b2586..69af5c89b75 100644 --- a/packetbeat/tests/system/golden/tls_no_certs-expected.json +++ b/packetbeat/tests/system/golden/tls_no_certs-expected.json @@ -8,7 +8,6 @@ "destination.ip": "93.184.216.34", "destination.port": 443, "event.category": [ - "network_traffic", "network" ], "event.dataset": "tls", @@ -147,4 +146,4 @@ "tls.version_protocol": "tls", "type": "tls" } -] \ No newline at end of file +] diff --git a/packetbeat/tests/system/golden/tls_not_detailed-expected.json b/packetbeat/tests/system/golden/tls_not_detailed-expected.json index ae23944e096..94283acb4bb 100644 --- a/packetbeat/tests/system/golden/tls_not_detailed-expected.json +++ b/packetbeat/tests/system/golden/tls_not_detailed-expected.json @@ -8,7 +8,6 @@ "destination.ip": "93.184.216.34", "destination.port": 443, "event.category": [ - "network_traffic", "network" ], "event.dataset": "tls", @@ -91,4 +90,4 @@ "tls.version_protocol": "tls", "type": "tls" } -] \ No newline at end of file +] diff --git a/packetbeat/tests/system/packetbeat.py b/packetbeat/tests/system/packetbeat.py index 54d7404d928..32a9366ee33 100644 --- a/packetbeat/tests/system/packetbeat.py +++ b/packetbeat/tests/system/packetbeat.py @@ -2,9 +2,6 @@ import sys import subprocess import json - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../../libbeat/tests/system')) - from beat.beat import TestCase from beat.beat import Proc @@ -126,7 +123,7 @@ def read_output(self, types=None, required_fields=None): jsons = [] - with open(os.path.join(self.working_dir, output_file), "r") as f: + with open(os.path.join(self.working_dir, output_file), "r", encoding='utf_8') as f: for line in f: document = self.flatten_object(json.loads(line), self.dict_fields) if not types or document["type"] in types: diff --git a/packetbeat/tests/system/pcaps/http_100_continue.pcap b/packetbeat/tests/system/pcaps/http_100_continue.pcap new file mode 100644 index 00000000000..be1438e3080 Binary files /dev/null and b/packetbeat/tests/system/pcaps/http_100_continue.pcap differ diff --git a/packetbeat/tests/system/test_0012_http_basicauth.py b/packetbeat/tests/system/test_0012_http_basicauth.py index db06f5cb6c2..feaf3a3378a 100644 --- a/packetbeat/tests/system/test_0012_http_basicauth.py +++ b/packetbeat/tests/system/test_0012_http_basicauth.py @@ -39,5 +39,5 @@ def test_http_auth_raw(self): assert len(objs) >= 1 assert all([o["type"] == "http" for o in objs]) - assert all([re.search("[Aa]uthorization:\*+", o["request"]) + assert all([re.search(r"[Aa]uthorization:\*+", o["request"]) is not None for o in objs]) diff --git a/packetbeat/tests/system/test_0015_udpjson.py b/packetbeat/tests/system/test_0015_udpjson.py index 454dd3a3523..06e38f49990 100644 --- a/packetbeat/tests/system/test_0015_udpjson.py +++ b/packetbeat/tests/system/test_0015_udpjson.py @@ -1,11 +1,11 @@ -from packetbeat import BaseTest -from nose.tools import nottest import socket +import unittest +from packetbeat import BaseTest +@unittest.skip("udpjson not supported anymore") class Test(BaseTest): - @nottest def test_udpjson_config(self): """ Should start with sniffer and udpjson inputs configured. @@ -21,7 +21,6 @@ def test_udpjson_config(self): assert all([o["type"] == "mysql" for o in objs]) assert len(objs) == 7 - @nottest def test_only_udpjson_config(self): """ It should be possible to start without the sniffer configured. @@ -39,7 +38,6 @@ def test_only_udpjson_config(self): packetbeat.kill_and_wait() - @nottest def test_send_udpjson_msg(self): """ It should be possible to send a UDP message and read it from diff --git a/packetbeat/tests/system/test_0050_icmp.py b/packetbeat/tests/system/test_0050_icmp.py index 8500963aa9f..c0f876c1b73 100644 --- a/packetbeat/tests/system/test_0050_icmp.py +++ b/packetbeat/tests/system/test_0050_icmp.py @@ -68,7 +68,7 @@ def test_icmp6_ping_over_vlan(self): def assert_common_fields(self, objs): assert all([o["type"] == "icmp" for o in objs]) assert all([o["event.dataset"] == "icmp" for o in objs]) - assert all([o["event.category"] == ['network_traffic', 'network'] for o in objs]) + assert all([o["event.category"] == ['network'] for o in objs]) assert all([o["event.type"] == ["connection"] for o in objs]) assert all([o["source.bytes"] == 4 for o in objs]) assert all([o["destination.bytes"] == 4 for o in objs]) diff --git a/packetbeat/tests/system/test_0070_http_100_continue.py b/packetbeat/tests/system/test_0070_http_100_continue.py new file mode 100644 index 00000000000..877bb90a280 --- /dev/null +++ b/packetbeat/tests/system/test_0070_http_100_continue.py @@ -0,0 +1,32 @@ +from packetbeat import BaseTest + +""" +Tests for checking expect 100-continue only generate 1 event +""" + + +class Test(BaseTest): + + def test_http_100_continue(self): + """ + Should only generate one event + """ + self.render_config_template( + iface_device="lo0", + http_ports=["9200"], + http_send_all_headers=True + ) + self.run_packetbeat(pcap="http_100_continue.pcap") + objs = self.read_output_json() + + assert len(objs) == 1 + o = objs[0] + + assert o["type"] == "http" + assert "request" in o["http"] + assert "headers" in o["http"]["request"] + assert o["http"]["request"]["headers"]["expect"] == "100-continue" + + assert "response" in o["http"] + + assert not "error" in o diff --git a/packetbeat/tests/system/test_base.py b/packetbeat/tests/system/test_base.py new file mode 100644 index 00000000000..9ec4bc6c24f --- /dev/null +++ b/packetbeat/tests/system/test_base.py @@ -0,0 +1,8 @@ +import os +import sys +from beat import common_tests +from packetbeat import BaseTest + + +class Test(BaseTest, common_tests.TestExportsMixin): + pass diff --git a/pytest.ini b/pytest.ini new file mode 100644 index 00000000000..ea6388ddd7e --- /dev/null +++ b/pytest.ini @@ -0,0 +1,15 @@ +[pytest] +junit_family=xunit1 + +addopts = --strict-markers +markers = + load: Load tests + tag(name): Tag tests with Go-like semantics + +# Ignore setup and teardown for the timeout +timeout_func_only = True + +# Fail on deprecation warnings +filterwarnings = + error::DeprecationWarning + error::yaml.YAMLLoadWarning diff --git a/script/check_python_requirements.sh b/script/check_python_requirements.sh new file mode 100755 index 00000000000..3ba5924a4c6 --- /dev/null +++ b/script/check_python_requirements.sh @@ -0,0 +1,46 @@ +#!/bin/bash +# +# Helper script to check that packages defined in a requirements.txt +# file can be installed in different Python versions, it checks by +# default the requirements.txt file for libbeat tests. +# +# Usage: check_python_requirements.sh /path/to/requirements.txt +# +# VERSIONS environment variable can be set to a space-separated list +# of versions of python to test with. +# + +set -e + +function abspath() { + local path=$1 + if [ -d "$path" ]; then + cd "$path"; pwd; cd - > /dev/null + else + echo $(abspath "$(dirname "$path")")/$(basename "$path") + fi +} + +BEATS_PATH=$(abspath "$(dirname "${BASH_SOURCE[0]}")"/..) + +VERSIONS=${VERSIONS:-3.5 3.6 3.7 3.8 3.9-rc} +REQUIREMENTS=${1:-${BEATS_PATH}/libbeat/tests/system/requirements.txt} + +if [ ! -f "$REQUIREMENTS" ]; then + echo "Requirements file doesn't exist: $REQUIREMENTS" + exit -1 +fi + +REQUIREMENTS=$(abspath "$REQUIREMENTS") + +echo "Versions: $VERSIONS" +echo "Requirements file: $REQUIREMENTS" + +for version in $VERSIONS; do + echo "==== Version: $version" + + docker run -it --rm -v "$REQUIREMENTS":/requirements.txt python:$version \ + python -m pip install -q -r /requirements.txt + + echo "==== OK" +done diff --git a/script/config_collector.py b/script/config_collector.py index 73e18ae7062..6a87e13cb1d 100644 --- a/script/config_collector.py +++ b/script/config_collector.py @@ -45,7 +45,7 @@ def collect(beat_name, beat_path, full=False): # Load title from fields.yml with open(beat_path + "/fields.yml") as f: - fields = yaml.load(f.read()) + fields = yaml.load(f.read(), Loader=yaml.FullLoader) title = fields[0]["title"] # Check if short config was disabled in fields.yml diff --git a/testing/environments/docker/kafka/Dockerfile b/testing/environments/docker/kafka/Dockerfile index 24bf0996193..484b294c39a 100644 --- a/testing/environments/docker/kafka/Dockerfile +++ b/testing/environments/docker/kafka/Dockerfile @@ -10,8 +10,10 @@ ENV TERM=linux RUN apt-get update && apt-get install -y curl openjdk-8-jre-headless netcat -RUN mkdir -p ${KAFKA_LOGS_DIR} && mkdir -p ${KAFKA_HOME} && curl -s -o $INSTALL_DIR/kafka.tgz \ - "http://mirror.easyname.ch/apache/kafka/${KAFKA_VERSION}/kafka_2.11-${KAFKA_VERSION}.tgz" && \ +RUN mkdir -p ${KAFKA_LOGS_DIR} && mkdir -p ${KAFKA_HOME} && \ + curl -J -L -s -f -o - https://github.com/kadwanev/retry/releases/download/1.0.1/retry-1.0.1.tar.gz | tar xfz - -C /usr/local/bin && \ + retry --min 1 --max 180 -- curl -J -L -s -f --show-error -o $INSTALL_DIR/kafka.tgz \ + "https://archive.apache.org/dist/kafka/${KAFKA_VERSION}/kafka_2.11-${KAFKA_VERSION}.tgz" && \ tar xzf ${INSTALL_DIR}/kafka.tgz -C ${KAFKA_HOME} --strip-components 1 ADD run.sh /run.sh diff --git a/testing/environments/latest.yml b/testing/environments/latest.yml index adf6a188379..59dde477bed 100644 --- a/testing/environments/latest.yml +++ b/testing/environments/latest.yml @@ -3,9 +3,9 @@ version: '2.3' services: elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.7.0 + image: docker.elastic.co/elasticsearch/elasticsearch:7.9.0 healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:9200"] + test: ["CMD-SHELL", "curl -s http://localhost:9200/_cat/health?h=status | grep -q green"] retries: 300 interval: 1s environment: @@ -16,7 +16,7 @@ services: - "xpack.security.enabled=false" logstash: - image: docker.elastic.co/logstash/logstash:7.7.0 + image: docker.elastic.co/logstash/logstash:7.9.0 healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9600/_node/stats"] retries: 300 @@ -26,7 +26,7 @@ services: - ./docker/logstash/pki:/etc/pki:ro kibana: - image: docker.elastic.co/kibana/kibana:7.7.0 + image: docker.elastic.co/kibana/kibana:7.9.0 healthcheck: test: ["CMD", "curl", "-f", "http://localhost:5601"] retries: 300 diff --git a/testing/environments/snapshot-oss.yml b/testing/environments/snapshot-oss.yml index a95b4c9f33d..371493305cd 100644 --- a/testing/environments/snapshot-oss.yml +++ b/testing/environments/snapshot-oss.yml @@ -5,7 +5,7 @@ services: elasticsearch: image: docker.elastic.co/elasticsearch/elasticsearch-oss:8.0.0-SNAPSHOT healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:9200"] + test: ["CMD-SHELL", "curl -s http://localhost:9200/_cat/health?h=status | grep -q green"] retries: 300 interval: 1s environment: @@ -27,7 +27,7 @@ services: kibana: image: docker.elastic.co/kibana/kibana-oss:8.0.0-SNAPSHOT healthcheck: - test: ["CMD-SHELL", 'python -c ''import urllib, json; response = urllib.urlopen("http://localhost:5601/api/status"); data = json.loads(response.read()); exit(1) if data["status"]["overall"]["state"] != "green" else exit(0);'''] + test: ["CMD-SHELL", "curl -s http://localhost:5601/api/status | grep -q 'Looking good'"] retries: 600 interval: 1s diff --git a/testing/environments/snapshot.yml b/testing/environments/snapshot.yml index 16c20266a6e..9d3555d7854 100644 --- a/testing/environments/snapshot.yml +++ b/testing/environments/snapshot.yml @@ -5,7 +5,7 @@ services: elasticsearch: image: docker.elastic.co/elasticsearch/elasticsearch:8.0.0-SNAPSHOT healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:9200"] + test: ["CMD-SHELL", "curl -s http://localhost:9200/_cat/health?h=status | grep -q green"] retries: 300 interval: 1s environment: @@ -29,6 +29,6 @@ services: kibana: image: docker.elastic.co/kibana/kibana:8.0.0-SNAPSHOT healthcheck: - test: ["CMD-SHELL", 'python -c ''import urllib, json; response = urllib.urlopen("http://localhost:5601/api/status"); data = json.loads(response.read()); exit(1) if data["status"]["overall"]["state"] != "green" else exit(0);'''] + test: ["CMD-SHELL", "curl -s http://localhost:5601/api/status | grep -q 'Looking good'"] retries: 600 interval: 1s diff --git a/winlogbeat/Jenkinsfile.yml b/winlogbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..74eb55586d0 --- /dev/null +++ b/winlogbeat/Jenkinsfile.yml @@ -0,0 +1,21 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^winlogbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@oss" ## special token regarding the changeset for the oss + comments: ## when PR comment contains any of those entries + - "/test winlogbeat" + labels: ## when PR labels matches any of those entries + - "winlogbeat" + parameters: ## when parameter was selected in the UI. + - "winlogbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + crosscompile: + make: "make -C winlogbeat crosscompile" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/winlogbeat/_meta/fields.common.yml b/winlogbeat/_meta/fields.common.yml index 02c1d508cfb..59b2eafe6b6 100644 --- a/winlogbeat/_meta/fields.common.yml +++ b/winlogbeat/_meta/fields.common.yml @@ -4,13 +4,6 @@ Fields from the Windows Event Log. fields: - - name: log.file.path - type: keyword - required: false - description: > - The name of the file the event was read from when Winlogbeat is - reading directly from an .evtx file. - - name: event.original overwrite: true description: > @@ -508,11 +501,6 @@ path: winlog.user.identifier migration: true - - name: user.domain - type: alias - path: winlog.user.domain - migration: true - - name: user.type type: alias path: winlog.user.type diff --git a/winlogbeat/conftest.py b/winlogbeat/conftest.py new file mode 100644 index 00000000000..2f3f8199559 --- /dev/null +++ b/winlogbeat/conftest.py @@ -0,0 +1,4 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../libbeat/tests/system')) diff --git a/winlogbeat/docs/configuring-howto.asciidoc b/winlogbeat/docs/configuring-howto.asciidoc index d0447dc3099..5c1c6086ace 100644 --- a/winlogbeat/docs/configuring-howto.asciidoc +++ b/winlogbeat/docs/configuring-howto.asciidoc @@ -22,6 +22,7 @@ include::{libbeat-dir}/shared/configuring-intro.asciidoc[] * <> * <> * <> +* <> * <<{beatname_lc}-reference-yml>> -- @@ -48,4 +49,6 @@ include::{libbeat-dir}/loggingconfig.asciidoc[] include::{libbeat-dir}/http-endpoint.asciidoc[] +include::{libbeat-dir}/shared-instrumentation.asciidoc[] + include::{libbeat-dir}/reference-yml.asciidoc[] diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index ed7eb3f63f5..d0b1a0a1473 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc @@ -99,16 +99,6 @@ Metadata from cloud providers added by the add_cloud_metadata processor. -*`cloud.project.id`*:: -+ --- -Name of the project in Google Cloud. - - -example: project-x - --- - *`cloud.image.id`*:: + -- @@ -293,6 +283,18 @@ The agent fields contain the data about the software entity, if any, that collec Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`agent.build.original`*:: ++ +-- +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. + +type: keyword + +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] + +-- + *`agent.ephemeral_id`*:: + -- @@ -334,7 +336,7 @@ example: foo + -- Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: keyword @@ -550,8 +552,7 @@ example: Quebec *`client.ip`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the client (IPv4 or IPv6). type: ip @@ -614,19 +615,19 @@ format: string + -- The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`client.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -713,7 +714,7 @@ type: keyword *`client.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -737,6 +738,17 @@ type: text -- +*`client.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === cloud @@ -755,6 +767,18 @@ example: 666777888999 -- +*`cloud.account.name`*:: ++ +-- +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. + +type: keyword + +example: elastic-dev + +-- + *`cloud.availability_zone`*:: + -- @@ -797,6 +821,30 @@ example: t2.medium -- +*`cloud.project.id`*:: ++ +-- +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. + +type: keyword + +example: my-project + +-- + +*`cloud.project.name`*:: ++ +-- +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. + +type: keyword + +example: my project + +-- + *`cloud.provider`*:: + -- @@ -1107,8 +1155,7 @@ example: Quebec *`destination.ip`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the destination (IPv4 or IPv6). type: ip @@ -1171,19 +1218,19 @@ format: string + -- The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`destination.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1270,7 +1317,7 @@ type: keyword *`destination.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -1294,6 +1341,17 @@ type: text -- +*`destination.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === dll @@ -1422,6 +1480,17 @@ example: C:\Windows\System32\kernel32.dll -- +*`dll.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`dll.pe.company`*:: + -- @@ -1455,6 +1524,18 @@ example: 6.3.9600.17415 -- +*`dll.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`dll.pe.original_file_name`*:: + -- @@ -1526,7 +1607,7 @@ If a chain of CNAME is being resolved, each answer's `name` should be the one th type: keyword -example: www.google.com +example: www.example.com -- @@ -1605,7 +1686,7 @@ If the name field contains non-printable characters (below 32 or above 126), tho type: keyword -example: www.google.com +example: www.example.com -- @@ -1613,12 +1694,12 @@ example: www.google.com + -- The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- @@ -1637,7 +1718,7 @@ example: www *`dns.question.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1754,6 +1835,8 @@ The stack trace of this error in plain text. type: keyword +Field is not indexed. + -- *`error.stack_trace.text`*:: @@ -1936,6 +2019,8 @@ type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +Field is not indexed. + -- *`event.outcome`*:: @@ -1965,6 +2050,18 @@ example: kernel -- +*`event.reason`*:: ++ +-- +Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + +type: keyword + +example: Terminated an unexpected process + +-- + *`event.reference`*:: + -- @@ -1973,7 +2070,7 @@ This URL links to a static definition of the this event. Alert events, indicated type: keyword -example: https://system.vendor.com/event/#0001234 +example: https://system.example.com/event/#0001234 -- @@ -2057,11 +2154,11 @@ type: keyword + -- URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe -- @@ -2355,6 +2452,17 @@ type: text -- +*`file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`file.pe.company`*:: + -- @@ -2388,6 +2496,18 @@ example: 6.3.9600.17415 -- +*`file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`file.pe.original_file_name`*:: + -- @@ -2460,211 +2580,278 @@ example: 1001 -- -[float] -=== geo +*`file.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +type: keyword +example: *.elastic.co -*`geo.city_name`*:: +-- + +*`file.x509.issuer.common_name`*:: + -- -City name. +List of common name (CN) of issuing certificate authority. type: keyword -example: Montreal +example: Example SHA2 High Assurance Server CA -- -*`geo.continent_name`*:: +*`file.x509.issuer.country`*:: + -- -Name of the continent. +List of country (C) codes type: keyword -example: North America +example: US -- -*`geo.country_iso_code`*:: +*`file.x509.issuer.distinguished_name`*:: + -- -Country ISO code. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: CA +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`geo.country_name`*:: +*`file.x509.issuer.locality`*:: + -- -Country name. +List of locality names (L) type: keyword -example: Canada +example: Mountain View -- -*`geo.location`*:: +*`file.x509.issuer.organization`*:: + -- -Longitude and latitude. +List of organizations (O) of issuing certificate authority. -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Example Inc -- -*`geo.name`*:: +*`file.x509.issuer.organizational_unit`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: boston-dc +example: www.example.com -- -*`geo.region_iso_code`*:: +*`file.x509.issuer.state_or_province`*:: + -- -Region ISO code. +List of state or province names (ST, S, or P) type: keyword -example: CA-QC +example: California -- -*`geo.region_name`*:: +*`file.x509.not_after`*:: + -- -Region name. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: Quebec +example: 2020-07-16 03:15:39+00:00 -- -[float] -=== group +*`file.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. -The group fields are meant to represent groups that are relevant to the event. +type: date +example: 2019-08-16 01:40:25+00:00 -*`group.domain`*:: +-- + +*`file.x509.public_key_algorithm`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`group.id`*:: +*`file.x509.public_key_curve`*:: + -- -Unique identifier for the group on the system/platform. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`group.name`*:: +*`file.x509.public_key_exponent`*:: + -- -Name of the group. +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`file.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`file.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -[float] -=== hash +*`file.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. -The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +type: keyword +example: SHA256-RSA -*`hash.md5`*:: +-- + +*`file.x509.subject.common_name`*:: + -- -MD5 hash. +List of common names (CN) of subject. type: keyword +example: shared.global.example.net + -- -*`hash.sha1`*:: +*`file.x509.subject.country`*:: + -- -SHA1 hash. +List of country (C) code type: keyword +example: US + -- -*`hash.sha256`*:: +*`file.x509.subject.distinguished_name`*:: + -- -SHA256 hash. +Distinguished name (DN) of the certificate subject entity. type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`hash.sha512`*:: +*`file.x509.subject.locality`*:: + -- -SHA512 hash. +List of locality names (L) type: keyword +example: San Francisco + -- -[float] -=== host +*`file.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +type: keyword +example: Example, Inc. -*`host.architecture`*:: +-- + +*`file.x509.subject.organizational_unit`*:: + -- -Operating system architecture. +List of organizational units (OU) of subject. type: keyword -example: x86_64 +-- + +*`file.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California -- -*`host.domain`*:: +*`file.x509.version_number`*:: + -- -Name of the domain of which the host is a member. -For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. +Version of x509 format. type: keyword -example: CONTOSO +example: 3 -- -*`host.geo.city_name`*:: +[float] +=== geo + +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. + + +*`geo.city_name`*:: + -- City name. @@ -2675,7 +2862,7 @@ example: Montreal -- -*`host.geo.continent_name`*:: +*`geo.continent_name`*:: + -- Name of the continent. @@ -2686,7 +2873,7 @@ example: North America -- -*`host.geo.country_iso_code`*:: +*`geo.country_iso_code`*:: + -- Country ISO code. @@ -2697,7 +2884,7 @@ example: CA -- -*`host.geo.country_name`*:: +*`geo.country_name`*:: + -- Country name. @@ -2708,7 +2895,7 @@ example: Canada -- -*`host.geo.location`*:: +*`geo.location`*:: + -- Longitude and latitude. @@ -2719,7 +2906,7 @@ example: { "lon": -73.614830, "lat": 45.505918 } -- -*`host.geo.name`*:: +*`geo.name`*:: + -- User-defined description of a location, at the level of granularity they care about. @@ -2732,7 +2919,7 @@ example: boston-dc -- -*`host.geo.region_iso_code`*:: +*`geo.region_iso_code`*:: + -- Region ISO code. @@ -2743,7 +2930,7 @@ example: CA-QC -- -*`host.geo.region_name`*:: +*`geo.region_name`*:: + -- Region name. @@ -2754,20 +2941,217 @@ example: Quebec -- -*`host.hostname`*:: +[float] +=== group + +The group fields are meant to represent groups that are relevant to the event. + + +*`group.domain`*:: + -- -Hostname of the host. -It normally contains what the `hostname` command returns on the host machine. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`host.id`*:: +*`group.id`*:: + -- -Unique host id. +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +[float] +=== host + +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + + +*`host.architecture`*:: ++ +-- +Operating system architecture. + +type: keyword + +example: x86_64 + +-- + +*`host.domain`*:: ++ +-- +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + +type: keyword + +example: CONTOSO + +-- + +*`host.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`host.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`host.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`host.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`host.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`host.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`host.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`host.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`host.hostname`*:: ++ +-- +Hostname of the host. +It normally contains what the `hostname` command returns on the host machine. + +type: keyword + +-- + +*`host.id`*:: ++ +-- +Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. @@ -2982,7 +3366,7 @@ type: keyword *`host.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -3006,6 +3390,17 @@ type: text -- +*`host.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === http @@ -3060,11 +3455,13 @@ format: bytes + -- HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 type: keyword -example: get, post, put +example: GET, POST, PUT, PoST -- @@ -3194,6 +3591,18 @@ The log.* fields are typically populated with details about the logging mechanis The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +*`log.file.path`*:: ++ +-- +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. + +type: keyword + +example: /var/log/fun-times.log + +-- + *`log.level`*:: + -- @@ -3232,7 +3641,8 @@ example: 42 *`log.origin.file.name`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. type: keyword @@ -3262,6 +3672,8 @@ type: keyword example: Sep 19 08:26:10 localhost My log +Field is not indexed. + -- *`log.syslog`*:: @@ -4230,6 +4642,17 @@ example: 1.12.9 These fields contain Windows Portable Executable (PE) metadata. +*`pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`pe.company`*:: + -- @@ -4263,6 +4686,18 @@ example: 6.3.9600.17415 -- +*`pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`pe.original_file_name`*:: + -- @@ -4494,12 +4929,12 @@ type: text *`process.parent.args`*:: + -- -Array of process arguments. +Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: keyword -example: ['ssh', '-l', 'user', '10.0.0.16'] +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- @@ -4690,49 +5125,127 @@ type: text -- -*`process.parent.pgid`*:: +*`process.parent.pe.architecture`*:: + -- -Identifier of the group of processes the process belongs to. +CPU architecture target for the file. -type: long +type: keyword -format: string +example: x64 -- -*`process.parent.pid`*:: +*`process.parent.pe.company`*:: + -- -Process id. - -type: long +Internal company name of the file, provided at compile-time. -example: 4242 +type: keyword -format: string +example: Microsoft Corporation -- -*`process.parent.ppid`*:: +*`process.parent.pe.description`*:: + -- -Parent process' pid. - -type: long +Internal description of the file, provided at compile-time. -example: 4241 +type: keyword -format: string +example: Paint -- -*`process.parent.start`*:: +*`process.parent.pe.file_version`*:: + -- -The time the process started. +Internal version of the file, provided at compile-time. -type: date +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.parent.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.parent.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.parent.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`process.parent.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + +*`process.parent.pid`*:: ++ +-- +Process id. + +type: long + +example: 4242 + +format: string + +-- + +*`process.parent.ppid`*:: ++ +-- +Parent process' pid. + +type: long + +example: 4241 + +format: string + +-- + +*`process.parent.start`*:: ++ +-- +The time the process started. + +type: date example: 2016-05-23T08:05:34.853Z @@ -4808,6 +5321,17 @@ type: text -- +*`process.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`process.pe.company`*:: + -- @@ -4841,6 +5365,18 @@ example: 6.3.9600.17415 -- +*`process.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`process.pe.original_file_name`*:: + -- @@ -5083,6 +5619,15 @@ type: keyword -- +*`related.hosts`*:: ++ +-- +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + +type: keyword + +-- + *`related.ip`*:: + -- @@ -5381,8 +5926,7 @@ example: Quebec *`server.ip`*:: + -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the server (IPv4 or IPv6). type: ip @@ -5445,19 +5989,19 @@ format: string + -- The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`server.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -5544,7 +6088,7 @@ type: keyword *`server.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -5568,6 +6112,17 @@ type: text -- +*`server.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === service @@ -5821,8 +6376,7 @@ example: Quebec *`source.ip`*:: + -- -IP address of the source. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the source (IPv4 or IPv6). type: ip @@ -5885,19 +6439,19 @@ format: string + -- The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`source.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -5984,7 +6538,7 @@ type: keyword *`source.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -6008,10 +6562,21 @@ type: text -- +*`source.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === threat -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). @@ -6029,7 +6594,7 @@ example: MITRE ATT&CK *`threat.tactic.id`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -6040,7 +6605,7 @@ example: TA0040 *`threat.tactic.name`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/) type: keyword @@ -6051,7 +6616,7 @@ example: impact *`threat.tactic.reference`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -6062,7 +6627,7 @@ example: https://attack.mitre.org/tactics/TA0040/ *`threat.technique.id`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword @@ -6073,11 +6638,11 @@ example: T1499 *`threat.technique.name`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword -example: endpoint denial of service +example: Endpoint Denial of Service -- @@ -6091,7 +6656,7 @@ type: text *`threat.technique.reference`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) type: keyword @@ -6178,7 +6743,7 @@ Distinguished name of subject of the issuer of the x.509 certificate presented b type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- @@ -6218,7 +6783,7 @@ example: 1970-01-01T00:00:00.000Z *`tls.client.server_name`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. type: keyword @@ -6233,7 +6798,7 @@ Distinguished name of subject of the x.509 certificate presented by the client. type: keyword -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com +example: CN=myclient, OU=Documentation Team, DC=example, DC=com -- @@ -6248,319 +6813,859 @@ example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256 -- -*`tls.curve`*:: +*`tls.client.x509.alternative_names`*:: + -- -String indicating the curve used for the given cipher, when applicable. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: secp256r1 +example: *.elastic.co -- -*`tls.established`*:: +*`tls.client.x509.issuer.common_name`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +List of common name (CN) of issuing certificate authority. -type: boolean +type: keyword + +example: Example SHA2 High Assurance Server CA -- -*`tls.next_protocol`*:: +*`tls.client.x509.issuer.country`*:: + -- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. +List of country (C) codes type: keyword -example: http/1.1 +example: US -- -*`tls.resumed`*:: +*`tls.client.x509.issuer.distinguished_name`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +Distinguished name (DN) of issuing certificate authority. -type: boolean +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`tls.server.certificate`*:: +*`tls.client.x509.issuer.locality`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +List of locality names (L) type: keyword -example: MII... +example: Mountain View -- -*`tls.server.certificate_chain`*:: +*`tls.client.x509.issuer.organization`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +List of organizations (O) of issuing certificate authority. type: keyword -example: ['MII...', 'MII...'] +example: Example Inc -- -*`tls.server.hash.md5`*:: +*`tls.client.x509.issuer.organizational_unit`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +example: www.example.com -- -*`tls.server.hash.sha1`*:: +*`tls.client.x509.issuer.state_or_province`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of state or province names (ST, S, or P) type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +example: California -- -*`tls.server.hash.sha256`*:: +*`tls.client.x509.not_after`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +example: 2020-07-16 03:15:39+00:00 -- -*`tls.server.issuer`*:: +*`tls.client.x509.not_before`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. +Time at which the certificate is first considered valid. -type: keyword +type: date -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2019-08-16 01:40:25+00:00 -- -*`tls.server.ja3s`*:: +*`tls.client.x509.public_key_algorithm`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. +Algorithm used to generate the public key. type: keyword -example: 394441ab65754e2207b1e1b457b3641d +example: RSA -- -*`tls.server.not_after`*:: +*`tls.client.x509.public_key_curve`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. -type: date +type: keyword -example: 2021-01-01T00:00:00.000Z +example: nistp521 -- -*`tls.server.not_before`*:: +*`tls.client.x509.public_key_exponent`*:: + -- -Timestamp indicating when server certificate is first considered valid. +Exponent used to derive the public key. This is algorithm specific. -type: date +type: long -example: 1970-01-01T00:00:00.000Z +example: 65537 + +Field is not indexed. -- -*`tls.server.subject`*:: +*`tls.client.x509.public_key_size`*:: + -- -Subject of the x.509 certificate presented by the server. +The size of the public key space in bits. -type: keyword +type: long -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2048 -- -*`tls.version`*:: +*`tls.client.x509.serial_number`*:: + -- -Numeric part of the version parsed from the original string. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: 1.2 +example: 55FBB9C7DEBF09809D12CCAA -- -*`tls.version_protocol`*:: +*`tls.client.x509.signature_algorithm`*:: + -- -Normalized lowercase protocol name parsed from original string. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: tls +example: SHA256-RSA -- -[float] -=== tracing - -Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. - - -*`tracing.trace.id`*:: +*`tls.client.x509.subject.common_name`*:: + -- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. +List of common names (CN) of subject. type: keyword -example: 4bf92f3577b34da6a3ce929d0e0e4736 +example: shared.global.example.net -- -*`tracing.transaction.id`*:: +*`tls.client.x509.subject.country`*:: + -- -Unique identifier of the transaction. -A transaction is the highest level of work measured within a service, such as a request to a server. +List of country (C) code type: keyword -example: 00f067aa0ba902b7 +example: US -- -[float] -=== url +*`tls.client.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. +type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -*`url.domain`*:: +-- + +*`tls.client.x509.subject.locality`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +List of locality names (L) type: keyword -example: www.elastic.co +example: San Francisco -- -*`url.extension`*:: +*`tls.client.x509.subject.organization`*:: + -- -The field contains the file extension from the original request url. -The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". +List of organizations (O) of subject. type: keyword -example: png +example: Example, Inc. -- -*`url.fragment`*:: +*`tls.client.x509.subject.organizational_unit`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +List of organizational units (OU) of subject. type: keyword -- -*`url.full`*:: +*`tls.client.x509.subject.state_or_province`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +List of state or province names (ST, S, or P) type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top +example: California -- -*`url.full.text`*:: +*`tls.client.x509.version_number`*:: + -- -type: text +Version of x509 format. + +type: keyword + +example: 3 -- -*`url.original`*:: +*`tls.curve`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +String indicating the curve used for the given cipher, when applicable. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch +example: secp256r1 -- -*`url.original.text`*:: +*`tls.established`*:: + -- -type: text +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + +type: boolean -- -*`url.password`*:: +*`tls.next_protocol`*:: + -- -Password of the request. +String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword +example: http/1.1 + -- -*`url.path`*:: +*`tls.resumed`*:: + -- -Path of the request, such as "/search". +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -type: keyword +type: boolean -- -*`url.port`*:: +*`tls.server.certificate`*:: + -- -Port of the request, such as 443. - -type: long +PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. -example: 443 +type: keyword -format: string +example: MII... -- -*`url.query`*:: +*`tls.server.certificate_chain`*:: ++ +-- +Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: ['MII...', 'MII...'] + +-- + +*`tls.server.hash.md5`*:: ++ +-- +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + +-- + +*`tls.server.hash.sha1`*:: ++ +-- +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 9E393D93138888D288266C2D915214D1D1CCEB2A + +-- + +*`tls.server.hash.sha256`*:: ++ +-- +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + +-- + +*`tls.server.issuer`*:: ++ +-- +Subject of the issuer of the x.509 certificate presented by the server. + +type: keyword + +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.ja3s`*:: ++ +-- +A hash that identifies servers based on how they perform an SSL/TLS handshake. + +type: keyword + +example: 394441ab65754e2207b1e1b457b3641d + +-- + +*`tls.server.not_after`*:: ++ +-- +Timestamp indicating when server certificate is no longer considered valid. + +type: date + +example: 2021-01-01T00:00:00.000Z + +-- + +*`tls.server.not_before`*:: ++ +-- +Timestamp indicating when server certificate is first considered valid. + +type: date + +example: 1970-01-01T00:00:00.000Z + +-- + +*`tls.server.subject`*:: ++ +-- +Subject of the x.509 certificate presented by the server. + +type: keyword + +example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`tls.server.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`tls.server.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`tls.server.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`tls.server.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`tls.server.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`tls.server.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`tls.server.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`tls.server.x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`tls.server.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`tls.server.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`tls.server.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`tls.server.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`tls.server.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`tls.server.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`tls.server.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`tls.server.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`tls.server.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`tls.server.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`tls.server.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`tls.version`*:: ++ +-- +Numeric part of the version parsed from the original string. + +type: keyword + +example: 1.2 + +-- + +*`tls.version_protocol`*:: ++ +-- +Normalized lowercase protocol name parsed from original string. + +type: keyword + +example: tls + +-- + +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.span.id`*:: ++ +-- +Unique identifier of the span within the scope of its trace. +A span represents an operation within a transaction, such as a request to another service, or a database query. + +type: keyword + +example: 3ff9a8981b7ccd5a + +-- + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction within the scope of its trace. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + +[float] +=== url + +URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. + + +*`url.domain`*:: ++ +-- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + +type: keyword + +example: www.elastic.co + +-- + +*`url.extension`*:: ++ +-- +The field contains the file extension from the original request url. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". + +type: keyword + +example: png + +-- + +*`url.fragment`*:: ++ +-- +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. + +type: keyword + +-- + +*`url.full`*:: ++ +-- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top + +-- + +*`url.full.text`*:: ++ +-- +type: text + +-- + +*`url.original`*:: ++ +-- +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + +-- + +*`url.original.text`*:: ++ +-- +type: text + +-- + +*`url.password`*:: ++ +-- +Password of the request. + +type: keyword + +-- + +*`url.path`*:: ++ +-- +Path of the request, such as "/search". + +type: keyword + +-- + +*`url.port`*:: ++ +-- +Port of the request, such as 443. + +type: long + +example: 443 + +format: string + +-- + +*`url.query`*:: + -- The query field describes the query string of the request, such as "q=elasticsearch". @@ -6574,12 +7679,12 @@ type: keyword + -- The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- @@ -6598,7 +7703,7 @@ example: https *`url.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -6701,7 +7806,7 @@ type: keyword *`user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -6725,6 +7830,17 @@ type: text -- +*`user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent @@ -7053,6 +8169,276 @@ example: Critical -- +[float] +=== x509 + +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + + +*`x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + [[exported-fields-eventlog]] == Legacy Winlogbeat alias fields @@ -7204,15 +8590,6 @@ alias to: winlog.user.identifier -- -*`user.domain`*:: -+ --- -type: alias - -alias to: winlog.user.domain - --- - *`user.type`*:: + -- @@ -7907,18 +9284,6 @@ Fields from the Windows Event Log. -*`log.file.path`*:: -+ --- -The name of the file the event was read from when Winlogbeat is reading directly from an .evtx file. - - -type: keyword - -required: False - --- - *`event.original`*:: + -- diff --git a/winlogbeat/docs/index.asciidoc b/winlogbeat/docs/index.asciidoc index e92cdcc3df6..d953f0d641c 100644 --- a/winlogbeat/docs/index.asciidoc +++ b/winlogbeat/docs/index.asciidoc @@ -50,4 +50,4 @@ include::./faq.asciidoc[] include::{libbeat-dir}/contributing-to-beats.asciidoc[] -include::{libbeat-dir}/shared/redirects.asciidoc[] + diff --git a/winlogbeat/eventlog/eventlog.go b/winlogbeat/eventlog/eventlog.go index 468483a71d7..9302417be2e 100644 --- a/winlogbeat/eventlog/eventlog.go +++ b/winlogbeat/eventlog/eventlog.go @@ -55,6 +55,12 @@ var ( readErrors = expvar.NewMap("read_errors") ) +// Keyword Constants +const ( + keywordAuditFailure = 0x10000000000000 + keywordAuditSuccess = 0x20000000000000 +) + // EventLog is an interface to a Windows Event Log. type EventLog interface { // Open the event log. state points to the last successfully read event @@ -138,6 +144,12 @@ func (e Record) ToEvent() beat.Event { m.Put("event.created", time.Now()) + if e.KeywordsRaw&keywordAuditFailure > 0 { + m.Put("event.outcome", "failure") + } else if e.KeywordsRaw&keywordAuditSuccess > 0 { + m.Put("event.outcome", "success") + } + addOptional(m, "log.file.path", e.File) addOptional(m, "log.level", strings.ToLower(e.Level)) addOptional(m, "message", sys.RemoveWindowsLineEndings(e.Message)) diff --git a/winlogbeat/eventlog/factory.go b/winlogbeat/eventlog/factory.go index 965ddbdac10..f66c158b2f2 100644 --- a/winlogbeat/eventlog/factory.go +++ b/winlogbeat/eventlog/factory.go @@ -28,7 +28,7 @@ import ( ) var commonConfigKeys = []string{"type", "api", "name", "fields", "fields_under_root", - "tags", "processors", "index"} + "tags", "processors", "index", "id", "meta", "revision"} // ConfigCommon is the common configuration data used to instantiate a new // EventLog. Each implementation is free to support additional configuration diff --git a/winlogbeat/include/fields.go b/winlogbeat/include/fields.go index cdca64521d7..b54c093e254 100644 --- a/winlogbeat/include/fields.go +++ b/winlogbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetBuildFieldsFieldsCommonYml returns asset data. // This is the base64 encoded gzipped contents of build/fields/fields.common.yml. func AssetBuildFieldsFieldsCommonYml() string { - return "eJzsvXtTHLmSOPr/fApdNuKHOdsUD4ONuXcjfgwwM8TamDH4zJ5Zb9DqKnW3DlVSjaQC92zsd7+hTEmlegCNTfkxy5zdGbq7SkqlUql857+Q3w7enZ6c/vz/kCNJhDSEZdwQM+eaTHnOSMYVS02+GBFuyA3VZMYEU9SwjEwWxMwZOT48J6WS/2SpGf3wL2RCNcuIFPD9NVOaS0G2kt1kM/nhX8hZzqhm5JprbsjcmFLvb2zMuJlXkySVxQbLqTY83WCpJkYSXc1mTBuSzqmYMfjKDjvlLM908sMP6+SKLfYJS/UPhBhucrZvH/iBkIzpVPHScCngK/KTe4e4t/d/IGSdCFqwfbL6fw0vmDa0KFd/IISQnF2zfJ+kUjH4rNgfFVcs2ydGVfiVWZRsn2TU4MfGfKtH1LANOya5mTMBaGLXTBgiFZ9xYdGX/ADvEXJhcc01PJSF99hHo2hq0TxVsqhHGNmJeUrzfEEUKxXTTBguZjCRG7GernfDtKxUysL8J9PoBfyNzKkmQnpocxLQM0LSuKZ5xQDoAEwpyyq307hh3WRTrrSB91tgKZYyfl1DVfKS5VzUcL1zOMf9IlOpCM1zHEEnuE/sIy1Ku+mr25tbL9Y3d9e3n19s7u1v7u4/30n2dp//vhptc04nLNe9G4y7KSeWiuEL/PMSv79iixupsp6NPqy0kYV9YANxUlKudFjDIRVkwkhlj4SRhGYZKZihhIupVAW1g9jv3ZrI+VxWeQbHMJXCUC6IYNpuHYID5Gv/Ochz3ANNqGJEG2kRRbWHNABw7BE0zmR6xdSYUJGR8dWeHjt0dDD53yu0LHOeAnQr+2RlKuX6hKqVEVlh4tp+UyqZVSn8/j8xggumNZ2xOzBs2EfTg8afpCK5nDlEAD24sdzuO3TgT/ZJ9/OIyNLwgv8Z6M7SyTVnN/ZMcEEoPG2/YCpgxU6njapSU1m85XKmyQ03c1kZQkVN9g0YRkSaOVOOfZAUtzaVIqWGiYjyjbRAFISSeVVQsa4YzegkZ0RXRUHVgsjoxMXHsKhyw8s8rF0T9pFre+TnbFFPWEy4YBnhwkgiRXi6vZG/sDyX5Dep8izaIkNnd52AmNL5TEjFLulEXrN9srW5vdPduddcG7se954OpG7ojDCazv0qmzT2nzEJIV1tr/xXTEp0xgRSimPrB+GLmZJVuU+2e+joYs7wzbBL7hg55koJndhNRjY4NTf29FgGauwFN3VbQcXC4pzaU5jn9tyNSMYM/iEVkRPN1LXdHiRXaclsLu1OSUUMvWKaFIzqSrHCPuCGDY+1T6cmXKR5lTHyI6OWD8BaNSnogtBcS6IqYd928yqdwI0GC03+5pbqhtRzyyQnrObHQNkWfspz7WkPkaQqIew5kYggC1u0PuWGvJkzFXPvOS1LZinQLhZOalgqcHaLAOGocSqlEdLYPfeL3ScnOF1qJQE5xUXDubUHcVTDl1hSIE4SmTBqkuj8Hpy9AZnE3ZzNBbkdp2W5YZfCU5aQmjZi7ptJ5lEHbBcEDcKnSC1cE3u/EjNXsprNyR8Vq+z4eqENKzTJ+RUj/06nV3RE3rGMI32USqZMay5mflPc47pK55ZLv5YzbaieE1wHOQd0O5ThQQQiRxQGcaU+Haycs4Ipml9yz3XceWYfDRNZzYs6p/rWc90+S8d+DsIze0SmnCkkH64dIp/xKXAgYFN6LdC1F2rsVaYKEA+8BEdTJbW9/bWhyp6nSWXIGLebZ2PYD7sTDhkR09ijO9Pdzc1pAxHt5Qd29llLfy/4H1a+efi6w31rSRQJG967gYt9wgiQMc9uXV7WWJ799xALdGILnK+YI3R2UBOKTyE7xCtoxq8ZyC1UuNfwaffznOXltMrtIbKH2q0wDGxuJPnJHWjChTZUpE6OafEjbScGpmSJxF2npL5OWUkVnOIwNtdEMJahAnIz5+m8O1U42aks7GRWvo7WfTK1kq/nPLBUZEn+Kzk1TJCcTQ1hRWkW3a2cStnYRbtRQ+zixaK8Y/s8t7MTEG3oQhOa39j/BNxaWVDPPWnitjpxHN+1t3lSo0YEnh2wWj+LJO6mmLD6EbjC+LSx8fWOtQmgsfkFTedWJ+iiOB7H49lpmwOg+u9Oj20iuwXTi2Qz2VxX6XYsxuiGDFMZKWQhK03O4Uq4R545EITWr+AtQp4dnK/hwXTSiQMslUIw0BhPhGFKMEPOlDQylbmD9NnJ2RpRsgJ9sVRsyj8yTSqRMbzIrbCkZG4Hs9xNKlJIxYhg5kaqKyJLq0dKZQUer+SxOc2n9gVK7H2XM0KzgguujT2Z1164smNlskBJjBri9FZcRFFIMSJpzqjKFwH7UxByA7Qy5+kCBMs5s6IvLDBZ+sIUVTEJAs1dV2Uuw63d2Ap3JeA4VhGVKQhXDqLONjl5I3wdCN7tohvo2cH56RqpYPB8Ud84GoXngHo8EyeNdUekt7W79eJVY8FSzajgfwJ7TLrXyOeICaCmXMZYjlid1+9IV+UjIGOpQu+TKc11fSNkbEqr3OCQzR8be/A2WhPM18HDz1JaGnz9+jA6g2nOW7rEYf3NHcrEgXvTHjZPj1Q7AuSG27OApO+3yR1BC95UempzSoJiM6oyEB6tbCiFHkXPo+A44Whu49Jqn9Nc3hDFUqtXNVTXi8MzNyreTDWYHdjsF/bxCDI4gJqJoDLYZ87/cUpKml4x80yvJTALarulYyGdqdCsZEW7xqRe11FgM2PawuGkcY8lo6jQFIBJyLksWJCPK416hmGqICveVibVSq1ZKzb13MqBIloL1Hj03M9OD8SdnbCgB4EeGCHAHUsLlpj5ba6niOFHjdYRkZ/A3l6VrixC3Ki1AsaFBe+flcANAH0MNSxvyewZrMavkKYzpBWscL/W4UR7E1IwPOF4G36eYCqEw4OiGs0yollBheEp8H720Tipjn1EeX2EQpTnCDrIdkaSa26Xy/9ktXJtF8oUKNyam4q67TiZkoWsVJhjSvPcE5+/ESw3nUm1GNlHvVCiDc9zwoRVLx3don3SCi4Z08aSh0WpRdiU53lgaLQslSwVp4bliwcoVjTLFNN6KJ0KqB21aEdbbkIn/wQ2U0z4rJKVzhdIzfBOYJg3Fi1aFgzssiTnGuxWJ2cjQv09KxWh9mL5SLS0dJIQ8o8as05MA8Nhza/njCh642HydD9O3BdjRFlTyhRWCa+FyKxC2yFejeOEl2MLyjhBsMYjkrGSicyJ+SijS1EDASq927Faikr+113gVCdPd3gE1WRhmL5HtI/2Hi08zdcagPxof0DrTvCwuDPpSAJZZ3er9nYagCFhD6B0OB6O4yeNOWdMJik3i8uBDASHVmbv3Z03VkdgNO+CI4XhggkzFEynkbEiTNaB71QqMycHBVM8pT1AVsKoxSXX8jKV2SCowynIyflbYqfoQHh4cCtYQ+2mA6l3Qw+poFkXU8Ae71emZ0xelpKHu6npHJBixk2V4X2dUwMfOhCs/jdZycHVtP7yefJia2fv+eaIrOTUrOyTnd1kd3P31dYe+Z/VDpCPyxNbNkDN1Lq/j6OfUOL36BkRZwNBKUxOyUxRUeVUcbOIL9YFSe0FD2JndIEe+nszWJiQwrlCiSpl9sZwwvc0l1K5i2cEFpU5r0Xb+oZC8HJSzhea2z+8hyP1x1pHIJxKE7lxwX/D0e5QwAU5Y9KvtmuHmUhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzCmoji5T0whAeaxHlyFoQ0zxHhsogpC42x3pDjXYsnZ9c79ouTs+sXtfDZkrcKmg6AmzcHh7dBTRo2b5O08dJ7rG/BzYVVL1FLOjmzEzmdAQNTTg8uggJOnrFkljhrEs1jQwFBbdMbmhqujXBWIp3TKrVgfhQzkkuakQnNqUjh6E65YjdW5QEdX8nKnugWxu2iS6nMwwRcL+Roo3i/1Btjw47/veADddsHyHuNVZ/h258k3W034ejsyTJC5+37ceb24Dbit9xJG6ZYdtknVz7e9WaVmzmfzZk20aQeRzj3CBZSlizzIOtq4sXRsP8/1T4evKai4ZwuOpUKwkiSGcj2SSqLFcI1WYk+t11PGE7jXEoZM0wVcBWXiqVcW10L7CgUtV9wxEIYUTXJeUp0NZ3yj2FEeObZ3Jhyf2MDH8EnrI61lpALtbCUaiQaDj5ye/Xh9TpZEM2LMl8QQ6/qXUVtOafagF8DY2lQMRfSEFD6bliew9ovXh/Vzt+VVCbV1Ur3Lq2R0SAJI8tL2P4vQBFsOrUH+JrZWZ1M4/bwGbt4fbQ2Qm/OlZA3wlvJGmARh/qRN0cCikpak70bD67ILvG05w3DWjzWGALq+b7JBkjmNoqpN2I52oHvG2RTaaaSYSkm1sjQcC0VmoPt5OijKhiYSeT0No5BBXl9dHAGoRC44qMwVEwqq93VsYLyfKDFWfGfwAReZkm6AEyrPO+RJL9Lw4xd8KomdkkwHSgY9JrynE7yrjB7kE+YMuSYC22YI7EGbsDO+tUIEGYfngJxkYPF4HTjUKYu5grX513lYJHcKHNqrATSQ6gI54DqcrwTOFkXiDnV88G0dcQU8B07j+XJqVSKWdG3EfA1RcM4MChBqJBiEYePohAXkcp7zVwwyxhWwTM0aMMHu7pxCDJMpZjiXtG8MScVmb2SakcO8VHBfUQ1SExTh5SCDgZzdqF4PAX5q7G087mVttGqAsGFXHQXHfE0Cjyt4TmWFS4vOI79F7f7jTHRgCDpBf8CDEXAGTpVNAQf12GV6ADCmCSvTkBkErk1jHJK3jCjeIrhTToOn6KCHB9uY/CUpb4pM+mcaTAqRaMTbrSLXK2BtJTbDLhuRM5yHcJymiC4cVUlXEisYoU0IYiHyMponrFopjZkCBMlLmbTL8gTmKhfdQaxZmw4DloPBMGpbnKv8tlhua5BdQh7iIswBXPtcFx/9aJGEM4FQbmx44RnIdDanegFyfh0ylSssIPZj0N4sb0H7TFcN0xQYQgT11xJUTRtRjVtHfx2Hibn2cg7ZYD+ydt3P5OTDEOhIUigajOXroD64sWLly9f7u3tvXrV8nOhiMFzbhaXf9aewMfG6kE0D7HzWKyg+xFoGo5KfYg6zKHS64xqs77VsuC5+LXhyOHExy2eHHnuBbD6Q9gGlK9vbT/f2X3xcu/VJp2kGZtu9kM8oDgQYI4jTLtQR/ZG+LIbKPloEL3xfCCKmbwTjWY7KVjGq6YyXip5zbOlHNGf7eOCs+YnTPzhjPN+6I0eEfpnpdiIzNJyFA6yVCTjM25oLlNGRfemu9GNZaFRfKBFOZv4Jx63+DqWGbvUfCaovTob97LMGDlv/HL7BX0xZ5q1E0Qa4hrcdBMuqFrApCRMqpcPOcTg8HtEqImUOaOiD20/4k8gydIShAWOcZYOFos+F9XT9akZVbHVMOwt8pIHVRtqqsGCXg6yjLuQti6WgdKZstdGakV1BKUnDr1COdyliczstZ2qRWnkTNFyzlPClJIK87g6o17TnGexR86qUarSxs9HXjN6zUgloqgtPIb+1foVfz7r8cOwN1STSqRzll6xnhj/43fv3r67fH968e79+cXx0eW7t28vlt6jCjMSB3JcnePwDYYdSD/wuzoMgKdKajk15FCqUjbC8O9dCqCRLXNf3nE8Vs+NVAzl03gre7aHpPOmyfrvdk8pRPrVr9/2HqRhYeKdD20ageRq+VitNYIo6uKgpMgXzRysyYIYKXONUWwUzAyQFcPSK5RNkQ47JPOwgwzE+pl47ec7aGKBK6XJga6ZsiJfRujMCuGRNjdnNQ8Vpilp9h432kD+PWdpGcTUFwcweUfG4c6Iv7wjDjg82Iz1dFGYnXzeKMOwZKldjQMyQIFE4Ozjzhsnp/EgUXJ4dFfNWV5GVg1QdNCLF4bWToUSC3uzGh7MVsvcWEMaHurF86wp/PGCzgYVRmOhCiYLIUQIkCW0ScVzY/XAHtAMnQ0EWU1ZDi46a5mZo5T1u6ePUtfvSF5vi+kwq8sDb8w74HbUi66jJIIcijQ7lCCKo5OCCjpD5s91TQgdIQpT5iM+EoUcx5zkqPX1HbwkevTu0HRkuNHTEHaEbvGNZuZ4z5hRNPp9cejIflwc+rcYKN2I814qWjrcMq7axCNFS4dhIWr6KVr6KVr6f3e0dHwwfVCNKy3T3q8vFTIds8KnuOmnuOnHAekpbnp5nD3FTT/FTX9PcdPRJfa9BU83QCfDRFDz0s4W3/T3hA2zRrxwqfg1NYwcvfl9rS9iGE4N6CHfVNA0ROlGxhm3UjDZ1LgxkkwWgIkjBiWGHn+FQ4RBP0Bs+3Kx0LfS8tcOiM46EuVTVPRTVPRTVPRTVPRTVPRTVHSb4J6iop+iop+iop+ior9llvbZUdFZjteL9369fg0f7y7Lu0zEFcSb5HyiqOJMk2whaIFqlEe5pJmvfOyKrIJJxv38hoqFq1IXF2l1JaMkWdFzCkmOjXlWXIFcHz6Lhh4fSzepQjV8CPBgBseDWvQ0zz3qpjLP5Q0Xs30Pzd/IES5gPefiys23IM/GSZbn4zVX+M6riFKQ37jI5I2u3z9HcN9iZM6zcaJl33vvBf+4DjJbZ+0dWBpgLHI+6RuwoOnb8+Vdgc2wvOQ7intrQf4UBvfth8G1t+yvExXXWtlTkNxQQXItRD/FzN2CJysxJkW2OxBDfHO0i1M8CB49p1sDAXT+y8HWp0G0vftiOJi2d198GlS7zn47CFS7W9sPg2ogDt3Qdp1w074261KaBS21N3rHPB1aHUlBMq6vusfmiinB8ufbiZd8l1huSc1Qat1PVZ4jxHaSztpbwB/uf3CC5QesOf18+8MnLQgsjCUVi4GWdRLKzuA0nQ0a+WSYjEBrjqLkOVuHGNdHvYhLlkSADb3alov8ExZ7RuM4gvsXZ4e/7K2V/viru24WTn/gyl4kz5NXLzY3k62XO1u7D1ii7+BzCWsdNNHNLfRziPX87ODk9CI5/o/jByzRNdAZel1ums9Z30o4jR8+Hhx7NRf+fhsUVuRNK3cjIFggRKOs/tHp+X0WiJ8asbZ2wqPTc/JHxcDSYAVVKvQNi1p32d9dYrYTWBmHZNdQSrmuee/HWpBScQm2hhkzWEkah3WDPhtnQkOa4z48P15zTXQWfpJ4dLA6+1LMaC6r2xm5EXHaEDqs0VlCdWybcDCgWH3DFKv3Di2nXOM4XSjx1fHaQyKDGyt+9Jj11QNBqFJ04ZGBWHbvo5uIpnMHBtGu6rliplIiMmj6ZniuDFgkMTAC1u0rtnAoq+N1/d7gFmjm+7I1wpEnC3J8eF63zXiHJdxxrLmV4aGtQmwEKOrl4I9+ckFu7FvHh+du+HYEkt1mS34Q9YR+fOxaAr80Q8rtc57MyYEhBRe8qIqR+7K2CrhFFVbjiztoje0sYwscpP53lsF17RsZWWErDEntaCkIK9z4No5Uk1JqzSfob8igIrm9+WltKnFGQx933A8o1STFjjaNOPYWRSZpTgeLWMecfYrROWFDfG5BhhTDofERxpRgYf8Oszw57QU9qtswiIsboI24I0YstDpFusPBKBZN8HF0+GrJRKa97wWyrIFheZTEA/q1dwTtrc3E/18vFoaMW7xoOuEtxUXpyi3QSYll7nWzcRB1xhA5JYenB2+O7YGYMIss+35+zbJRzJxWVzUZo7OkZjEmyl+QwjdekkoxXUqL4mDZiwaBc5mQk8CrhDTe094e0zc3HEN7Bh8sP7Y3D4PGpJ1tubm5SW4Jw/A7Y8wyLufbApUs7iEzB2LIrsFCajk3rBcQ0LsJ3uZE03nM2NkU+FIjz4LrlKqMZQn5nSnpc+gLsNnMXSgqstAaf5MaaThFT1x7P50OWMfgYl7XMPhEFgOk2bQYMJoxdTnNfXPIIczfcGfLKdkmOTOGKeCSODOBmRuFSEpsZVQXO9gnBwcjcnE4Iu+ORuTdwYgcHI3I4dGIHL3tkKz7uE7eHdV/NuPHB3NP2x2yS8PYvdhNTTWYjeuWt0rOFC2QAkOb3oAE+wiIZZhcEw0EWWslr/NxkDnoHg1qe2trq7FuWfbEFT/64p0nSgo0l6MYhemwzhx9xQUE0KEA25BpSWhpGkcvQS9G43FXN4fBwHIcBmVkwAw4CeMxb8XRr++P3/2jgaPAGb+YxODa/LjbAvWSe4WDBgMf8l6EC7EFWnzvBXNaqyCTkGK9VFwY6NeXzim0tFaaPJuwXN6Q59uQeGchIFvbL9ZGEe1L3Xij5uVBQ8J2TEyntLRnimpGtjbhCpnBHB+Ojo7WajH8R5peEZ1TPXca3x+VhKSmMLIbKiEXdKJHJKVKcTpjTnfQKKPmPEq/mzKWxSOkUlwz5YKDP5gR+aDwrQ8C6I85n8aD7tiwzV89FvYp/vWbiX8NRBGQPyQxhElAxastC26BdQvBDol2GYUbaA4qoUusAKCBEYaZRjVqdDXZtuvcShxWgDRGDZzXEDacjF57rcdYGSGJCEmMojyH7oJMcdkv+PYj/Sn6GNnfU/Txg6KPa/r5MgqC05PuFioODg6akrHXVS8/J4fooGOiy3NycmZlOAa1wMaxaWPcsjH4H8fe1Odoh0+nPK1ysCBVmo3IhKW00sEyfU0VZ2bhlaOYUAtqtFUK7VAOrIQcfzTKt/wD+KIKAx5Qg+3PJQGraISccS2uQst3boI5C3slZOyjfbuwVBIPjSIBvgS/M6o5hKiFEevmeiipWOF2Krt1FYN20zadNL/bam8wSMJfQhHwc/WnGp6+hVigBnQDno3V+HAEA78P2chGDtFWJgX6a15e0MOwLtcTOQgglGXGr5mG7oWRa6HRzhAeSxWLQ6UyocMoU4St7SNYFooaAG/wd+6ABhCt+aGNOWChZMqt/5ks0fqaL+wQWspwrzhtDU/HWkIORAb1WlMpasXVYbV59m93VHh7vtXjHE/o8NJg+A3V9dKGC+j48D4X0Btm6HpsrPbVmZw1evnCfve1mVbsj4orlkGhs0eIcDg+PA9+VLjHAn7tYjQxMiFjlurEPTTGCH8PRs0EQTAC1lNpg/UJIdo777QPJeS3ORO4Z7CB2LU/yGtcZDxlmqyvOyOpc2BYgCw+dc5nc5P3FaWNVgPvR8G1ObMs2upvyrUppdk/Lag+TTGds4K28E8873dL6BqVk81kM6YcpWSjENhx+GLpEGZoQ++dQS7iEsh3AXaNgMf32NC2QPkBn3NuoLJkUNAlZ1gC2aLZMwIIwk+pvYVu8PYJdgzce240y6e1ok0Fjv4AN91AyeWATDT6tNwJCOCdNrhhYvpDekgPBM7QdA8YUfB9z2K9saoxsDY0vbq00sVfIQ3qAoMvU2jenLLg+wGMWmItc/ARso+tfkZfSNANuzvCk+ZK5ZpgYovDF9jHlJV1pnHEKv5Jr2mSUzFLTqs8P5Pgjjj2j8c85LrVUfz4eomG4qGRb28hQd8duT84PJdeXcGag4qnDV4QWM6BfbTVstyyh/ad7G9iaAhWMDPHcxp4U60pvJaBM8HFwUWaV66OO3htqAmuMtC0xKweI9QUtxPVi3Dj+aGoT+ewVKaML2LvStPXDdadTR0VmpDW7sb0/m/Q/eLE7RGW9+rp0j5h5saK+TS0Y3byjLoObmaczDU4Z1DDP82ltms78DtxP7qxlIQ/x1JBbS0otpOTglFdKVZgFwAImu7DbPQYBPoaesUCDcdojsmjxnHBCgkRKkxDP203XFZj2rXVvuaBZxlWgCG/Uiwh5wz3fIzl5+xFN8Zlc+MKPANT0HUL/MiTH45wHJHgILXzamP19MYlvlw1/iWq7XyyroCjBwXBOx+a9feclSPUk8FCk3FYhIjeIidQ+hNIoBZB51R4vPpO6OPadB021zKMMSBknWbZeETG7tysw7lh8NWU52wdxfxsjL4j70Fp3AYg30dBK1gfs8yBwvpq+FeaqfWSam2RuY5hSU2ZwoE+zHZgAgwcpCmZWjXIypKHOKcvkoaBXqhhg5RKDe5IbQsDZcUZtNzW2IE88GTOmaIqncdxxO29qcU/3O6VCZ+RSQX1NlYsfNGInOmmUS2SyHPDlON2rSn23c6OycJdFkFMx94izsrlHgtjQtoENwvnO0PJmmvkWfki7kviZrSbMnad/l2KkWVj9YhEVxMPVpvqw/hejXPzgg2N5rm8sRBa3TJtbpS7d9ySIlMcNVYOga0J+kaEya5qWJm5FfWiulu3y7iPZ0o4cfJlGrk5QzQdLApyxUG/hoy4CHNRdUsfslVpFi6NjOlGZw8nYGpSiajU5YgoNqMqy+PdB+4PTxMrx1T2D6mIXR7ocaBP4UUjr5mCW8Zq8UFk8pIdj7eE+aBNlHPIyVF3G3Ze7Ow1kY8c6B5ekNXGiCZ+3WnAQTrtaNgG3I83VksNvBVuxSlXUUKNYhR4m6XOGeyJVPYzWFFKXrIcej/cQtMZtzJE6orn/F+oH2poUSLboCb+ysRtUE1sJQ+3OUNro5X3fDGeEI3TvlJOBCnslay5qVAZHrmQQ3MjSZjWHbQJ61G5kfX7j2kczSJ8pjVmLOUpJBS5Sjw5hNWgYBRbm1yEgou3RBKvmUQstsC2wKuAdNyTkLGbEW4cl2hBUkjBjazj++ohVldBLfY7Zj/6Xi5GkivGSlKV6EaAl+LD1cSqVasR0iYe7dWKJy6l+Sje2dq9G+Wmx1lV25tbL9Y3d9e3n19s7u1v7u4/30n2dl/+3oxCzKihmt1XQenzKz7gNK3ANNHACLpWwBFeYClbKjDYzOlTVoWQyl83WN+Lpo17JpezkdP/cjlbG8WTh1vESCfjLOratdF5TWURld/Ddlc12LDpiqWyKIBnQy62kCZYtmB4K/c05gZVLwTJFTKr8pr0sYYHJmuj1ENJJrH9legM03PZlDSdsyTCRdjeSi1T+LGnQlbrTS7Kylz6HwUV0kXCef2vMvEDVL/hec57n0EHG9DIVi/hHLmpGzY0Ap7AMG2TkpBPIdbtmcfPzKpNijkfpKmdfo24xj5e5BkNzC4yrwrYPeWd6iJMLBO0dduVUoPauU3aFwnSm704/fderAqA27sGfIZyAupiq6r9gGU9fqF6Tp6VTM1pqe3h08Z+M+VixhSE26yB84/euJvMSLsBFP1Ske2nkEIbZZcPJgMwvFrJsU30dT+pvr8Ofjw8+mJWvZMju5pQMj1Sxlow79Gd6e7mZtaETMxYN6l6eZnkItwJQBeBq1Kl+LWPwGRQfFTR3AWUGqk6EgbIFr7eBAgD4/rCiWXxFl16cSFfEJmmlVIsSxynrG/iXMvO6A1pKp6gYBR7ovu8ZUzwsfd1VImfBAGKaHrTqwOfCKdU2tOFSr9Vw7SuCisxCEns2kDbGQVJwd293jU1V1LIXM4aRT/sVSOvfFgA1/sNXJH/r724+hu/3eOl7uzdZGtz6/els6OveJsZfWN6rg/g+iRFF4076FG0A637Udq2SUhP8WJD/LPp1OH3XBcDcKDFFtrxIkecL1IdHKK13aRXg3bxwV5rQX6HYvus4npOaM6U8YIMnIWGdawVd4CXVnO0loyKayRzeePkcYsqgKCRLRZdcGRORZZDXOGcLcBVdmNVZWGiY6qYXTMYK+svUcwAhCiZ16vmBkaBkw5NYSAASxtLDDdzBmlqIaIdW4qCo8+AW3BW5VSFUPtadVRWuOoReXLm6n4Gp0ksUw0myOIsUY4JRD3DWtqSovOKO/UBFBTkVVVZSuVMNKkUKSsh5AmHRo0ir2YgCXQtKbVbnsJJEF56Rnn4AERBuH/XRv7c4MjjVvhZQxWsXRFgBrTP3yZnNrDuef8QeH9nmTr7aILxwJKzMFyF0/fekf8dUsMtSrSV2CEWhqF0l8n0MuphmHFtJZMMDKNYDgzUWWY5E8tqorfSv4vfgShgozi79rr0+BL3pofVn7OSbL0im3v72y/2tzbR0n14/NP+5v/5l63tnf/3nKWVXQB+ImZu7xFoEcMUfreVuEe3Nt0ftRRoeYGu4JxOK3svayPLkmX+BfyvVum/bW0m9n9bJNPm37aTrWQ72dal+bet7efNOruyMlYx+qYvF6s+ferd4tY39sF4GRMQiB1zLrwxIiMr9VgGX06tM1KeW6klGFRKpnyYdbg/oIo7GmwwnZllvSLMqTQuVQHFO5/eCzWfnSsgMvRnDRMlcgvM72pdfJZX+6ItEXev764WYkbQehctdngn8tomEi0wAv3AXgUiwO8FUYqhcXAJlLLy+hp5FtaGn12SGd7PYdA6PBdFMrdG0PXrimh1cmyoSxO0b7xP7ejRfahDxBUyZnkN1TniDV5qW6/jsBK3sXHI1k+VAnqq0SJcwqzj7GA6g4RcK91qLVPn4cN9uEXkMA3uVtcWsYPXKJi23LSWMvysZh6b3vetRDFu9G6lYhFEFlBCOeQMesBIJhny1YJe1bujmdA9V4lDa4PFDNzGdvU8xKf1nTM0IsOpwuvZh9KeL7SzPHVtzq/lLLKxFigsNS7WOijOK2b+TulpFEG0nJobqthd2VfusMB1f77QhZXO5saU2Ro2v56ib8T1OHIDt4vwhRGfYdmVUV2dZN0tcd3fQesHlVWdxGzttio0jW2ESoSROeXR9/Gdn4C8f/ea5Fxc+djqu4vZeRdIWyjwo2D1RPD58jT2ITscRiOQg0iCH4XrqJHIHykt+yCuWhaqGPK9QgrwrgAzDB4a7M3VQbLdXb2/seG6Wl0zkUmVpLLAnmsb/7K5CaaPZbVExfXVpY4u79uu82kuaW+M0TuurwiMAOKq4lJxjHBuU6h2RES0zCvQv6Psp/eaOWM+rAzM6c71gEx6zlS7GV+A/dJq9kvQ2K2LWD0F0wD/k2Uw7D0LGmFMgk4peKTCIjYt2WxtbvaYUwrKXQlLV5d2ISvY9qaB2x1VLDAH6Zg6Akg3/Rl2iBtnHtHMkpOol4FYc4GRcH1hyc2WyVKzP6olT+jDelScu4F9a7VbeC1EbrUehfBQhN87AsAUrjtuyRF4ZehVM4WcfaSpIVJlzncdVN/IPxl7J8OpDuazYJjuYOuaRR2AHqXNBGYwYrBNmKB5fhri1l3+o99CrniQ4sKIcU55lK+AT3kzt3f30ihc2jMnnTifR1V6U0gUjhF2AoJ33KzcKVGpFJprEwtEjjJjywdce/YK7K3r4C7fsJ4Js2iGvobjXM4SDb8n/vcklRkbJ573+q/rpIjYuFgHy2LNFTdFW8xtOqmQq/k2KfXRPDk6X0t8NlnjjSAXObIm3OrvNyLMiJHwVh6vQ9zDuKksMQjm9uVGURNhwd1L5GWTpg1dqkXN3W4L9Inc67hwYUCx6yKiCHRh1G7yW3wX9pz+WXeZHCAL427tobEkeyBqxmF3OCwILQsuGNHB3BRHcsVotnCU5C5rT+i1/Tm6JvEAeuIg0ioQN1w3VK00ZSVmNIdJfX4R1Cmg9vhLATL5yZGbfOW4UrJkGweFNkxltFiJsp3pZKLYNSof/vHzi5U11AXIL7/sF0XNTDjN/VPrm7v7m5sray022o26/cbMB2bO1SeGYEG0UtMy0IosWtHVZB1jsVbgph8hSWFcU3R3kFpR7cR3IXkiTx8RJux+6yhgy/HVDPydMrJI4KIg97BUdktB5nTatk/ravcb+4KhVE7hX5SdxmWVGqptyGpbexAwNhSY8xKZdM0pK3uEr5k2fOZX11S9l1AsBJxbPzSmUHCxnrHSzDuj45XUbNVO0L0GQlOIdXe5YgICb0mZ05Tdqp3copXUJ/6ztJNi4fSTYuGyrK2GAnNs7G6/3MpYNlmf7k4213e2t/bW915ON9d3aLqz93KTPt+bsru1F08PU+6M/C7G/Sf/+Y4Q9wMsTNqKh4bCHR3/EISaazKxclEzWMyFbNtfIXbOBynbsd3K/f7/BJVbXR0wJ3ZFphw44GDx9Vvko8D9ZyqyDanqxZJG1MvIVaIIdsPJAqc88XZv8qb2OvznTydv/suXTNR1vLe9ZHnK9FqCL7vwf2eF6Wn8TSHVmGWIzdZ6/HGMvMLO1PSguGmMxfoMwWT1NXVeYhJq6FrRwg/da1n1Jrh6KzWGbxlF0yswqaAVsCf8gxqj+KTqdDYeoEgR4j3MF1//4UtsFIHs+ZqqhaWN0G2G/MIUhqlBFRT2cU4rDeZLSGCXU3e3NLm1ZQvM1z7y8fTueNr7kF+zEdhyIZE4G9X9fewdBY0AYpcJ+8jSyrARmfMsY2IE4ZD4bynyxchxyBG5Udz0mA5X/3PFP7syIiv49Mp/fWql9afOEE+dIZ46Qzx1hnjqDGG+784QvaH9D5MdQA6CcUAYhLrRS4oLEFGHxNZ4vykspFH42mNJN7VA4GQuihE2kAnVL+/gb6GALQzjNhAlh6oEO864sFONncrH7VlhmoxhFeNIX8Vgf8zjwNrbwapnHx1ZTTMNw3lt0sMdV/Bu4auR9/fYVxw2SHa+ad3y1gWA2kSpW/31g7AzFJShwWHIug/qDLRyd1Eqjk3FebCZ4tdRdAQUuHRmh8gU0FnhxlwWbIPmHvNhpXa4SxzmcxfbS9xHCkRRLMR5x2qbhglgzIrl7JpGlua6dVlvNF2UPlGWTFlFFy+AhvkOrs+8r1X+4bJcCVAzYFMDYFlhks5els6uFJrmD1Zh9Ezxwl4E2O7y5Ig8+/nkaO3Oo7S6tbm51TzwtX44NITt3gE9LQbbB+CL9h76Sg2GvmIXoa/YKqiOxR8uOfPEjl3biL2gitxNhL+9Kal9VrZ3Xzzfe948LQUv2OWA1SzenLw5xjhqf7v47E+AFpTCZrciRbRRjELcyWRhIlNCpaEEgzMW3tzcJJwKmkg120CfNySAbhQs43QdLMHx38nHuSny/zw5OD2oWfx0ylNOc7Qb/9fIXRm+3FmC5YJ6csms/FGC3D9x1QTDmJjeGGK/o6X7TLtlGX8xHCW9sYQUo50LIlMrtgfqor2lRFY3X+xstkjoMyXSHoE0SJIUQolBdWgeswFLA5+2G2jhZR7q/fibso73N3FH6g7KfHHP9kUqb8RgkWpoPrYTrIIFRUHa3/330+O29/pqdX2glRh0EYv0k1FrI2FvsTRoR/ht6KdZJFQ+TPjduG3vn7qOPXUde+o69tR17Gt2HYtCefifDwzk6zF62UGsGAEyW6Qxv42Va+SeUMrHRTxwTVbsx55Cw1svnu/tNAA1VM2YufyL3FIXsBq8pyCYYlGAr/+LlZqDfQMJ9RlSYcYVeKgdJGsd6gvu5BBcMWi/ESu5gCHgPRgCVB0LHJVBfHbeshKg4HO7rSBYChhmjbs4gJ/dxzvCAH5mMq6VmVKlFpjEh04tWgv+YGrCDm2hMFGwpTdjPVwzVxleib1lobw4pmJjwCNL55A3XqcYWMhOzryLVCqnbKh1XVk9JdjGlyqhyc1iKP/Sod28XmH0jRRW72tmAmDsDBOD+btOG34uN1m3nrNUZk4OsLBdC8BKGLW45Fr2lJ1+HJThFOTk/G1/tenDg16QhtpBB07vJh5SQVvWbU/V94AyY/KylLHsFauIUsy4gYqKIiM5NfChe8L/m6zkUqzsk/WXz5MXWzt7zzdHZCWnZmWf7Owmu5u7r7b2yP+sfilVcvW9PYI+ZKglnNKAmpH3d2CQnZySmaKiyqmKXdfQTjOFCCvLbKIr9jAuRhLJFly5VGmItMZKS2SaS6lcyPwInXZxlb8wKIKXk3K+0JglB/mGI2APGCPS6tlYpzFBSCIXhFZGFsD9IvbWvegnUhsp1rO0sS+KzbgUQ56sdzDDXQdr/dfDPpgGOloOnt6T9WvFJiz9oc/O7e+v8MXtN5i9VNF4HZVq7Qlnh2d0HbzTco7EYe3LFxgftqdIo1hU8HiZsGDIDimYSyq5raUPFeT10cGZvUEPMC2z9p7F3USaLGQwIej2os+4KNeXEi2+GyFK60vxtxjnAFDyQ0+pIEefv/jP95QSnmPVHyDPmiLrnBP4neYzqbiZF6GyLFcu9CyKoWR55qLZsBIxhKXOsVUWhpq/OdodgQNjDei8VMxx64QcZJkHYxpCHjEC1w0xWUDCuEqp9kalJnDIjC2AaLvGehaQI6ZZSRU1MnQUproRXf1MC3qF8bMjgnlwc/r8cndr+yFNi7+0q+nLe5m+joPpS/qWwnmSulGb+xf/+c64ZQgSbsctu+xusDRUBsuoaENFlDx1fHgO7yZ/84fg1oz4bpwvTCpFXeQ51ntCEW1QNUGhua8YNKwVnTQtC+2cquyGKjYi11yZiuakoOmcC6ZH5EimV0yFTqLKpW78ezVhSjCIdJUZe1BVZpXOuWGpqe5NfP2UjX/bSrFuzNeRCD7uvbh8sfO1bli8C+U02jtPav6ave2OrQMrUPZMY/HVDrK6qm+7fcOIUpFTZn48eXve7fL1movqY8/YNdDRTGFEuPd9BYGeeI23pxdvz98GzNxjU5sxmXxDijSA860r0wjkN6dQx2B9I0q1BembV6wtkE/K9bepXNu9+RYV7Aiur6lkN6WugSBZ/cWNHd9IjUrBdT+DkCF941P1xx6yMSg29vy6hr5eK4T72IlD9yisj7Mep62iHBDHDR/ogEdfOo3mN3ShSQWvjCBX0FUaCEaHglHBxQwKX7i620xccyUh0KfRVt3tH/SerhSoiZUv+DaeMGqAEY3bWCjvwUJ/E0gQRnlZNz5s9V6i6QDI/cVt5m2zDkWjp3fSZ9R1EikzosqIGt8L/tEXEnGMEorK/VHRHIJ7wpiRLOfb20BlB9djPTT0qDRTiasCAl16M5byDKqtWXEUSKlm7tBVs7X5UidTWvB8qAiMt+cExyfPvJNGsQzStjM24VSMyFQxNtHZiNygONz1t+GTHbir/BFTmr+a/7Oj7uCuN6N0QsyD677WL/LS1OL7jfwnvWZtbEUFpgbY5fYacLYANqjbit64Qi4dyHeSnWRzfWtrex10cp62oX9cAepb2+s4gs6h7LbN/Y82Zry180vtrJ/PnWcr90k9ItWkEqa66wxTdcM7Z3jYkKEO8MvS49ZmsrWTNPvqDlZ2w5VXbl0rVoM/zGWVBWXc2wnqindOqsHgBSihPTbbScEyXhVjKKJzXbRKGzYsAcEm1Gish9XvwMIbu+BrOSSM2CePtKpOlEuGxd4WVXOObQpqSS4UFUAze3Pbnm/vNqe39+PXcrhA2MaQ/hZYHSsoH4qtW9WSwARe3kq6ANhr+JHD4b4af7YLXtUglvlreEroNeU5nfRkthzkE6YMOeZCG9ZiboAb9Ab9dT1+0SK/aedfBOeX9gO2gBiwc4hXPIHvgAcOyu4oDL1q8HJo3ugYlCBUSLEo+J9xN2lAYfj4PhReHMMqeDa2lIIfvPaN+k8qxRT3ql3wQGSuAngYttl0qYGnL9M8OCTEw5xdKB5PnfxqLO18LpUPtYXaEbXpv150Ixtigh0BgunHmEaAxS8XF2fw+XaH20/ebR1i/uxLUfNC1zmbjCuV+2pcmmEpThNh2AKpcg+vYn9UTD8g1MK/MJHZIomzqB5YqDN+tYncONq3BSaBWdvo3dt7eTuILuHnL3CRXjjjBm78nRj5heW5JDdSubYaHcwMsG8XEmsz3LF7zyywwLTmjFrpu6vSbO0879/Mgpm5HOo+XG2gFKdqpWZH5e2wqfOExcVtjQwBG1iV7I+KqYXVg0IX4EymVeHT38LYvvfvyomvXGp1q+PD856w9RkzI1JCh+eyMr1oggLXarDsr3du+LrwWoy5zm76jMpJLmeJz1hKZbHRgl2XUmj2xXkKTrssU4mB/Otylbtwcjtb8bj50nzFQftpjMUBjZVwehxVn19zuolTVy+o11+1s9mMtxjWiANw3WYV2wIjTZ11bpia0rRR2PCk8eXdQaFhgE4Pf4gLTaXKCBczqwljf0T8szkvaYi9kOqjWCmVK3VEhS/Mq9pFkImSFWRX5pJmZEJzKlKm1sKowWjDPoZ08TAW9KGC7kg9vfATaOFm6q4hbszQKSQMU6MAgfNjaSa0VK50e0kFsStaw6IhMRyJw08PKnpCp5aX5WjO6VA12gKJ4CzopKh3rFYvRz0OaL97gZuFst7Y2RdNaxaVXGiesRGRlXF/KJIVf4YWHzXqBS36zJLuxR/u4ZqDx+PW+Do5aiOrQd41ts5P35x1zgkhJ0c93G9z2QUOnYTp94LdThHdPHczvwf+OiVkFvOp1+7jHXGMR50Qw1BE2xcFLFg6p4LrgkSVAkMzlijZCjrL1GGN0Csl7Na9oY2d6dy4oes01BDz5VfD/FG8fNP8hPXYw0RYnd6PCZ7NuGz738aNhfi34laDnTr/rRUKaWARLIvH/1so4jupDFHUGcF9sd+/gdXDKtDww/HhuUPfA4IngVCbRPs4foS3vuOHRWSI8nGb1W3oOe2p04X4cv4GDeE5YSgFclwFnYh8uf1GkT9X+Qt7QFNDZpLV7QVgEHRJxE3HM8m0WF01oY+0FFEvJl/Nv6xMvJ+Bmizdh24DULIkNPOJex2sdXrzI9Uh0Y9vqBLjERkzpex/OPyrvrVo3tMDAIptNrfV0pIaYF8vWp2NcCJ3l0D5N6zAgrd8XS60AjKPS7LEo6Q51T5KALrzeNUwzAC3ky+5TNJKG1n0u52lmiUsp9rwFPv6JRMpjTaKlsmP/q8GsjCVHooGJDlfqhUBdCIMCO5gyI7S6pUSSqhQLrwb3ZEduNBdy3I8Ne3eUNGRaa12Z/vWpQx4HbWp4JEWF5UyNI5yLGM0XZrrL+0Vtjf5J72mvYipRDpgyYsOXtx0roLjXGYdVNyzv/Y09CxkmM6c/rgC44z5t+/USdv9zEH9jZ4IGzthU0ioKXNuMJfBkKpsNAcoqWr0xD3BqCUFlYcwl23shvVGWUReHN+E1f0VhSLWdsRmCX8WA9doJdhYhl/sqLMg39UtjIkt/FyvD+iEgLWQUideU8zsRv83E6mEoBmpiGA3wBes6FbI6/gQSJJC3daqbIP8uY1OiZauj6m91iYMbGtxaNfEx3mAde6z+51CAC04xt8sgkQZ8nPgIlzi6GGJffcVfrjsI+vO2XNXbSiW2uzzxWOxAvJY7NVdcBNzpGtO3TAJOcuZVU81Y+TdT4ea7O5s79itfL71YifpWVoypSnPfQOfx7aIrEYr9C2m/IQd2artKg7rO4jbINWrsjRkl+XOSLuaJhX+ygvdpTbDkPbd7edd4th+fieOBr6ffOcd9tGsT6hVBJZGVmsdQNQv+9biG8o9+la3tvmWxnWfvsWsHpJrskf+ViPnX4OkmjR5T93QzaobyN9D/wDXUgVYsqOeQCgw89arrZ5iMs93+9Da6IP1MNzee2LaTdnuPzF9zb9czy+L45phxKpKnRnbnrjmNIClts3t5Oh8bRRrJVat6ADvTuZM9jYJuxP00LfMKznU9bBPTat1mb0N7mpd1m7itlS/sl6eEDZ8yMyUb4EYmg38wqhLEQGYWW+hgEip/YqbH0HR7bbgdNRgLENDbmxyOo2+uicd3ZuBmzm0aI8uiko4cQzLOMlrFvoa1wm7BIWyqEGPy4HVDWuOe+KTMm796D7SwA3bbhkUOgg/IOe11rKHOi4HqMnM+DUTro9WNKuzw5RKGpnK3Kn6XkFXE24UVTwiHCwG65pVG3tYNMrIBZROc02LRiCQ0lxLmGyBikD9sL5alJFJhqd/jOzNxSZSXo2IubGynPKtzOL6rlbz0NxUTkqvq5Bj190wIpSzAljqIk/2FspCUae6uyUcqY2MaUNOzrC+lR6BI0KPSDTmDVe+qu436BmnvGiQVo8jcpmeqLc6IVfRC4neR5C4wQ8OOzKR9txAZJ/dliafHbvOofDmGISIsUW21Zu5FOF7xciVkDdiRMb+sLqfUFSJ+tnrqui5kV7sNRDgOIhZXA7msVg9wIg4aKaH5mAB2ZJ+ceTkDF16jpqoJjcszx2TC+vxx69OP2zyv9oCR6GnyTqdCamNvfkMFRlVQGO++nMYdpo36+u/ZlS5isvUhMiEGTfzagIxCZZAcj6bm42AvHWerdtLpkfo25+//Vd9uvPLv775effNPzb25ifqP87+SHd+//XPzX9rbEUgjQGsHStHfnB/+3t2bRSdTnmafBDvmF0P7Dmptev9D4J8CMj5QP5GuJjISmQfBCF/I7Iy0SfuykziJ9+JED9VAgj3g/ggfpszEY9Z0LKMWj8C08HLyykzRd0JzrlgR+FCiuwc8ZiBc0GSvSaQgAzdwTi7SRCGWyb2qJGKlEzxghmmEJAG0MvBVAPSgMD+F0QeN1k8cpg0WelayADbDbqZSnVDVcayy8/JJjw583HmdZtYd1yjn5y9rFTyYzfsY+vVdrKVbCVNKy2ngl6iOjUQgzk5OD0gZ547nKLm9uzeKu2en6wjcN0vsF571MP23PERuK98tzn/lnb8h+bQ+xw4GEg8p8z8lMsb4HAa/nLBmWHcXM68Q6By0Zl9a+rW020iWixXzfuTDE5OXE1gkthxSbPMcWPXa80yWX81XedUuIdjA6DPRkejJQwJNev//vrgFKnvj3Uu1v/ALwxFf2fUgo4c5FZWiGKmESDf9ITYiROO1kL4G0tznAD0EVQtz2SlozEBEM1E5ty4lk3ijgar7t7mdrL1B2EipaW2Jx/kLSs/tmI3WsrP74xdjchvXDE9p+oqWQsovy+swC4gcasb6DgB0rvBBY1Ak87RXzpuIFrBgPrvW6fM4WJuCyO4dTkPDPYYOq8B1ZLJgkhIqpMKaMzJvbquBuGPXXs5P0O46m98yhtglzS9Yve2jbzd3gSirhvkk4Rd926PuFv/0iPw+h9rzciJvv0i73YzYs7z6wGkrNXXLz2jrKVV5DzsYwKy5IjkwMv/SVOrw4XgjKBbfns6U0hCCHGmHuohUHjuzqrf7Eh8QH0ZEr6or2dnl/jvOE98DIkXc2sM53RhxYIqK0fEpOWI8PL6xTpPi3JEmEmTtW8P8yZtIX6gNFgXnvj2/ATasuQovt7E6aqerF9bLCYWdzuIwcg+UWqWjkjJC0Dot4dOC3QDn9/zPfpXuEGDm9+NAk87++jb+Lu76gtGMY+d5uglg95KjpeMQvF2LOzRMStip8YQSJcxw1Iz8uNjVA4G19074npTxncKpr3nsKG4btZeD6nhIdzHlxXEQSn0y1fQ8B2W2mryLsWUzypV77skqhLLI4BoOTV2usSXsmmXOfT2ej0iN2wCGiBn0JjfqAoS+xFdXIqNUsF6YVxfcsXLw7Xa/IM/wVZAdsPGIEUzgn87lxo0gM7QFqsHZ28canTyQ812An1GFm2KnT5vMWi7e8PHHPMpoWLhmRxgHdepA11oH2qJtKFr4f8OfMMqvA4WusyTNy725I+KVTgwOb54DVUypQAS8savUsmUaR1ZL8IwoZ6rYuD+SCUErFnJzOMDogOPD88fYIVncWj5o+uX/rgnLqx/LlGfqyPYwSQehWmjmg/tLmkRmcktY0Sa+FOKZuqtkQSj7/h04fMHvP2LkHOMxqeqaFic6qvG2cTbul0rLt/7TDA83+rzt4TnYywMNWwmFf+TBUiWvQFwAUlASfIUpv9gza2Dw7983H5nxd9nIH9nQd+zLBcv4TsX6TqLskx4KNuIY8PA5+U0+CKCse6O1REjw4GKeTCkNNSeKaoYBNa5y8KP7Oqh+65aI3LsXB31NXT05vcR+eXdiLxmM/uEVTHbGD2rJjlPL3EYtnTPt6fCvk+FfR8OUu+GPhX2fSrs+1TY969X2Ldd17d5qde+mC+j0/m07eGVOj/T96vVudGe1DryOdnXHST+5fW67pK/d8XOr+h71uwaa/jLqHZ+VV9Qt+MilUUciPFpul2dj05x1KZel3h21dHrQJ8Lo96j1x29+X1pVH5ayFYdklVXuem/44epBf/m4PB2ABrzDymlH9aZ0V0khM2qo0LhQbDhu3DnON47vNmI7p6zvJxWeVyjt77upnUkUHBWBAcCxWxJlteFbDCFU6oZFfxPlKkbcRFCxsnekPnIWMYypwBgKifClbOpIawozaIn5vQS4vPOf25sxFO1effDt1aB/Kna/FO1+adq848M/OdUmy+VzKr0EYv2ddJ13Qy33FwtEPX25mYDPs0Up/mwMdVed3eTOc28KVoMVpV/7srqt8usgXWeGkogYgLEwamSRTNmTrkGP1En1RCrXY+0KJlO+krS+Gh6Na7FvbG/3aE+TabhPyX8B25a+EPmOYMqNmg/sH/VQQk9OYIN7bku5xclaD0mUv8OAy9HcOeLggrTMlb1nt/H6TnpNyViiHUBkFpWgnd9dFD7+3tSKONxfCQIE4qncyQoCAFpVMwOeY2pLEoqvNRkxUCwpzaIsZXkGOdU6lDP0IqSkG1KlaJiBvE8U54b5qy9UH3ZC4lQ7gJCfgU86AXNAEa9nodUwPoKleKb4i4ZTDX4eld9TFteXKtvvgbZhmvqHK6pe0j3AoIyPf34kgP9ZCpbN+Dy1R2/S63gSSVo4eh2leA71gf+KhzikZWB71gT+ObVgDg5xtf4ctz7LPrqTqZd3/m382y447WhORauwuhbP6uH78TUpbt8x/Seofxro+DNQgKLGIfmf8ajQtGBMLQDBMd0gbD1WIb7/hVpdIkvVbjh1mblj7bjbk8e3Kd8UvE8uxyWGlcPXEpk767ZUw9Q1Ns0dfmQjiwCnwlUEb6JCriGlNFUFgU35PyXA4xSEBiFziCD2g/RUxBgujN9yfZeZdmLrcnmq729ydY2Y5ubm5NXe69evNh78fLl1mZaO3jvMWinc5Ze6Woo3nTohu8gy68Q5M5rpkKVum7W7N7k+farjL7ae/WcPd/ZfPUqfZnt0Ww3nbxKX+00de1o8oFWdNSMLoH06iYXCJC/LZkIdXiUnClagBKcUzGr7NqNdCSlwRW7oVjO6SRnG2w65SmvQ85JHfDf1A8QnZc6lW3d/hGdhxlsjZiRubyJFwx16sKOuiC7SjO1DiEtIzLL5YTmHbzg130LYcvoOxk1/S0PLOODLOBe+JqYy3nKhB7M1fEah3cFkzFXvI05f9ibzaMIJTr0IXI4hZglN2KssilZkPOzo/8gfrrXXBusH1MzI6k1n+SszrDXZfYRsuvdkHpjrctnDkqazlkYeDvZHFDS670ioilqypFNwYqaoTqEnVEzjyrx+H3jHYKKoNuotNoA0t84ZHlO1cZMbmwlW9vJq3ZnFCi5lQ6Fwl9kYUFGm0WYjLx/9zq4u7wEA50SuK5FEl6XKL296mAosyItL7PEtOx9YwWbJVb9oIqEnmIazUS698j29vP72pQ+YkE3ZxDtygLgrnThSV7ejEkM6hXbmUe+qrqZ0+YjBRW0rvBMXM6yzwTbJ6osRiQrr2YjMlHsZkSE/WLGihERFXz9T6q6Z16VxbLbOKwk5je0OUvcyWQ7eRUL/025/5j8Au1iPkXy/w2VI3ImlbGkT44/srTCP5+dHa+F+q3Li9VNi+QgsT1WZHXTNGzGlpZGvtpfRqiBp3jO1q2W0NVeodyZnBpyKFUpVTPZ8h6SGF70CkvNujLYA1d6RuMw6HtWZsceWPcIS2spFw9c1ovkefLqxeZmsvVyZ2t32fX5CtOXsNCh49DsKj+HRs/PDk5OL5Lj/zhedn3DOgjDovq8hA9c3Eo4gR8+Hhx7ZgR/t23RK3evPlp76qNdPX+MvrrbD7OUYcRP0e9FSamoPSl1h1WX+dps/wT1Jv1whGcbESm6Wl+N6udgcB/76UvotDo1VucydKF9EyicinCjWT4lVITdtasqOeaO2wdRLfFlwMB6i+DWwfTLWVFmQ4X/rh4oRReuihUgiaoZVFnQI7toBfQBeLQLohMt88owrDQaRdlB6dVwr0WyyRu6IBPm3FyImVJJw6ACq9Acuh1He9aRIdzHdZSFJ1xs6NDEd52s5+FPqyaGD1ubif3f1osOIi8h2+ZhAmNLE2NiZuZBVXfEYscGx96iv4q9C9uqsJlvXOHClZmzKLCfJlV6xQyhguYLzTWRwmrJYcjC3shhk8iN1ScCN4AWrlTFZ4i8gUKG4YUCNySq8c+dOo53hK50yVMuK123jO3IdTvLMspUZuxS85mgYJdjH7m+t97QRMqcUdGH+x/xJ4ywL+2QkJ9PwgxxjbA20KtGVWz1EyHHlnyDncL77IQpUwYNWr47YE98Y0RbvkVUqhalkTNFyzlPsXOOro9zPOo1zXkWZy1B66hKGz8fec3oNSOVqOsmuBYD/tX6FZ+nV48fhr2hmlQCjISh+XRcOPndu7fvLt+fXrx7f35xfHT57u3bi0/dsgrTVAbKsDnH4RuXM3jnoPKvelRJuLUyQPJSlq07ztLquZGKaVckqd7ons0j6ZzyOFT173bHUXaoX7/tPc9yrJwC5S9Yhpk8jQ5Wrg81arGQY9Mo0TFZQElXjdG7wJlYvkBjM9ofkEo7BPVZpx4o+zPR3M+zIHiEzzi2LI24F1qurWQ3o1xo07hiJ1xQtSCuqWyzZm33bNLGXtxz8B6Kp6KgIrtcsoHU1/HPNvfhpyrPPdzYsgpICe5L15jI3Zlt97uXesJcTvppST1I1DTP69u23fyscw1/ulzUkIfIOhRFVi25Z5kkfYhlGrD28+1xQW0pH6XvZgoZMhW83lyHwTrdA4OmwBuCleF0HM1XX2RTcgMh/40K6WCIhZxcDwgGIMDhef/+5Ghk1aJCCq/dkJ/fnxzpUXw/0qiudWGPn11qvgglprE0cKjcA0657qoPpdBGVanB/rGoNOQLN1yMOchhsCQsBSmVZYIpuHwKbvgsvmTPTo6IYpVmjVLade1rXxprCt1WcHnQN8DqkCNC7VWl2yFnxGdPWuxJbXqYbbqd7uzuZq+mr149f7m7tMuwPkPfLC9ZPtbjoKUjxbTe0JHuOM8t7HDzCU2nuzGQdiAUUZq6S51MjqXTmVVEoipVvSUpo25JEytuu0stBN/Wk/nzjl0nsP5tbESw/wAX7nEabble3EsQkT2KSZHtDsTI3hzt4hTdSfWcbg006/kvB1t3TLu9+2K4ibd3X9wx9e7W9nBT725t90z9FwkGW/UXCobxNSQEy381SV1AA3r4nYahiOYFz/vcLG2OUVJlj+3XsRsNYvx5uM1nGStujaYnq9CXtAo5xH+/xqH+BTzZiL59G9EtO/fXMRX1L/DJYjSUxagf30+Go/vQ9WQ/+kvYj9x+PpmRnsxIX92M5Gnx27cmDWMwegiKnkxKy2Pri1qWHgjWl7M9PRywL2idejhwX9B+tTxw37SF6wsZsZbHVjlbSt54UOT3SX1NOo4GsVmRpYvpBoOeMDu+vRYfutllG/plGs/eEbMeoty6ObbbO9sPBa4D3WNE1UNXcIe5VVL2g7r1QFCB0S8B661ZPlYf5QVrbKsT67t2ou3NrRfrm7vr288vNvf2N3f3n+8ke7vPf3+oBmTmitFsubKGD8LyBQxMTo4egwwclANG8Dpwe1Pacfb1pYsteqC5+V5kv8BGAeaWVGRpEb4foWKAfDXUlqM6UCumaxxSgXm9E1Y34d8PQ0YV7AglEyVvNJT3MaAxcOOA8BIoNPmhM0bSStmBcug+KCITwLL7UZUW8s8QNc9ZKkXW5Luh9VFVdpO5n28vHaruYLyR6oqL2SV2LJTqEZMrhqQfSyYOdBJAbzshOorDXBZsg+Y8XbrgZ8mS/yVJJyVL/rp5JyVL/uqpJyVL/vLZJyz535iAEiHgWxT8A3BfXqwPU39toT3k5H5DInm4ar+iwN2C4VsQpwNI37Sw/AlRNd+fJO3x8/XkZA/B9yMFL08YjyAi11UWZlwbhxWX+/gu/u725MefMHnRNYW1lOHzwv0AvoAfNEsnS6YGQt44VCcYiJ+svnXCFNZAIDeKG8NcauWEavZihzCRygyKaoXN+UmqsEDVXWBdW+qcmb/TvGLHH8H7+Y7Nfq2YWrjvRk2PP6RP6hJpXNbOO2hBhQ69cV5e2u/GSQh5kb41wqQyXm6px5wwY5giiqXymik64Tk3C4CldkfUznF78t8d/3z548npwbt/4MqZa2vd48j6/dcfq4PDzYO///rjxcHBwQF8xn/+bVlhB7YYb5/7gqM+rYY+xgRgnRu7vVA9DeZzVXLrbT0LiKCaWB4JUYB9b8K+uD3yBJAAWWjoxxOGdM8HIoEpyTOL5PPfR4Ds4/84Ozg9ujz/fQ3pIXYUBRh4KNxCoGSqq/OGU7I/KiZSbFTgJgQCtqO/ef/64gTmgrH9cNAjOIx4TRXUUSI5hPnhsKKCPnOw1pqi7ZhHv719d4QEffzz5a/2UwP0iPrabYixAWHKC5oTxVy4GnrOnrFkRsYrWyvjHrfW6n+uHO5/UIZ+UCy7NKb8MOHiQ7GgZZmwj2zlv5a22gDBDVTa+dxQkVGVNfcbL1THRXyQim6vEEli2VXM+fUQCziYTBS7xkq/oBV5V6Sdr3ON/PLvr98sC/AVWwwA7y/8mmErcn7tPMxyakfq3nnnb3+6+O3g3fGHWmPzLPz04sMhyi5/R5X+w0lhBZqfeKhnYgkUm9DoDzdcWEAt3S2t0nUKLz3K8iFox44dx+TYrRrZ4eCEAu/u27gPn42QcMx7EPPhiE2qWV1z5/4CORGcQzXWhDn8Hd/tarMUxLWwVPe/D7JS/dWddSJCfLRmxl7hBaPC2OtkSlN7QVPDSMmvJca6KOj5SknJWWqX4uGDmjruA4RPwQMa+/7UEbQuBltbIRliD8WClDlNoQO+vWGOD89d1AK5iEFwQ2sGtSfFzPOCYoSlvOvbSU4hrgumQFnB3Y1cRUJNrV/i4rkgY4fFZBxWcmAZZKqYCTFKFkNxP6CRKw/ng8uhYtxcahM61quRD3iqKcK3vB2RNOdMmBHxj0I3PmzHlPjq+NklLxNyMsV65mXJXOjayZnn20bW0PNyPMJ6HVh3SjikAcao68JzckaM4tec5vliRIQkBQXRLK4+xw1MRhXLRlbcC9Hy0VT7W6+2k81kO9naHT+gysac6qFKvx3kOd4RVM+ZRjKQwiJEecJykhWGDHryh7Y/NRepNKqXENBf48+NGuqicEE0N5VrwYcV5xayWlWWFHSlGMSx1fqWA4zQfCYVN/PC0tMzDLdlik0lvGEJyrJMuPQCAGvLtzUsl0Buf68riz7HoE7OetHXVKP1YE0x/EZCrKSd7XZo7uePVd4oMvbOf76DM9pnfB2c0FQqig8Gi4aLyMNAQbGoe16EvhJ0ZgV+C4CLjvYhi4TmTBlNpCISCsUJiYXKYGG1JuALw9kpovBJN9oNSOderkUVIAIcL2K273mKByoruAZ3gRUAlcxD1Wk9Cq05JTIycnJ0vnFydl7/ENpvjcgNm/ghSwwfx54P4YFK5S5wVo8IExmojyRjhqWYUiGsfGpZsmbk2fHRuzVXTTqEbTKTPqR+T2Xm7Z4ej9cnD4p6xj0WoLlmqVmVSbEIdXIRCAg3hb8sZ5AkVYyaqNBw2CtPWYEygCs16LuTpHVuqFp/HfeCva+KAPbmG8qneFA3/0MaQPHGDYVLdDHArqUHcliPhIAVy2Vr8vCxxL3IIAfGsKK06sFJJGO8ZvRqaf1rcPfjBTa5b3seYePdhns89C/yx1ymV0RZtVobkGVK6GRPjk7PMQL4l4uLs3OyQS5en0Ngukxlrpe+K4YKIz/ANZ4cIaPi2kdHW9XbVfeCysfIO5FRRlJTbWHwDLKXcB5EMFubSwc8DVtiOFYE8luqDd/OGwJqMCbXCu00Y3dUfHX1gH0d4CWWP6jbpNF/HdcJxiqfYbPcuXj99vDfL49Ozy/tIbi8eH2+7NqGLuC7+q5RtNdIqy7cnU8Y73XY3d77IPxq0WiHT6FpNkedDbtbiEyq1VVNMplWdV5GczZQKOzJXF2t6UlIU1PRyIq/aeSdoSTn4grWQwoZ9ilHhwuiYOKl6vqac7V0Qdzp2tJ8MWImkht+xUuWcQr1re2njU/aXitrsaH89actytXMjEgpc54uRiiboEyArlx/61pFAU72g25/DOgvWN0NLjYhOfPe5Zlj+Zc/oZy1LJ6q6hvh/WB5kCoEAQQcwZWg6ztBj1qXAWd6qeugyTC718LW5ib+/9IGokGDei6iPkQbRLFrrtuiw4TZVQPtgF7vctW7S0vuWVPU59B3E3ZK0nn9zR1q0oF7zm6y7wBItfNFgKnF/iailv+pFMJtzzSI6qj0EMVmVIHhUDNQUPQoeh73f8LRtYj8dJrLG/AoqazWmX6SilwcnrlRsaOvDmAibCnj13UAChfccJqT83+cQqFuZp7pNfejG9QOWMOCbgmkxSB0tWdyDDJfdPDxQ80FPF6MokJTNzjY0JwmRGhqKswvc91HDFMFWQnjrVj+AbdaNKyHQrQA1wnQl/vZ6YmOeTPfkKa+LLzhDVv8UJfypltTxOtwVpbzxgSoQcMq3IhRFiyoof+sBBIFuGbQLube7husRq2QpjPkFFiw3cZ1OJxtpfoQh9/wS2h6f9DAQ7OMaFZQYXiKjpKPxrWvZh/TORUzNmowda5DB2sjyTW3y/W90LF5oYBkX9qwGnnLngpzTK3q7McUvoc2XiRo2nNOOW14nhOGhibMkHUt10UWmxkBYVMedeigZalkqTg1LF88RL1Gu+dQghO2CIWrz21M3ffcriEwmGLCZ5WsdL5AaoZ3ApcHj6IO2THQkJQKcnI2IpRksrAbAMbQSvCPREtLJwkh/6gxS/MbutBoWm5e2fTGw+Tpfpy4L8aIsqaMJqwUVTtRs8pn2YPRNuHl2IIyThCs8YhkrGRgnybSyQyk7vwPVlmuW8EsVCdL96e9LZ7FJf3iOITm0ICqLq9MKyOFLGSlfctDwHv9dQDQd13DgZ4dnJ+uddJs7b3NaDqvbU2ISgyGZD039O7Wi1ftNTeaXX7T6VzLR9D09rdsoOJnKWc5I69fHzbw0ROYskwwZPxas8ILhKBAaihU7474vSMJZNHdrdprNv9Cwr4Hsk/ybyM0OH7TLD1jMkm5WQxVZOSQm0X/7ryRwijW6o8E4EhhuGBisMInp42CJ26yDnynUpk5OYBgCtoDZCWMWlxyLXtSlh8HdTgFOTl/C/nFHQgPD24Fa6jddCD1bughFTTrYsr357sHnBmTl6Cc9837WooZN1WG93VODXzoxtz+N1nJpVjZJ+svnycvtnb2nm+OyEpOzco+2dlNdjd3X23tkf9Z7QA5oBFn9b1mat3fxy0DJw3tC0eEoskBpTA5JTNFRZVTFZc2MnO2IClUdrBiZ6PQgrs3TdNoxF0b55QJdC1AtHwuMVJowlSdFO9F2/qGQvByUs4Xmts/0LA4Iqk/1nEc1qk0Fk/2QZTAsWt0ZWQBF+SMydCssWPdmEhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzS6oPedmR2YOh3Yq7WHvrQMst1X68pCx32rY7f5OTsesd+cXJ2/aIWPlvyVkHTAXDz5uDwNqhJwzJrks9w8K5eWDXTKV6QchErChPoX3l6cBH0b1fxgTvJrD6zkpSKX1PDyNGb39cimbd5VkCbyyXNyITmVKRwWiMHoVREycoe4haS7TpLuVRqw4NSCGIE2PG/YRSgBvsAqa7Th4uZT5PhWrkunW34zDwbh/bbSBwDFpli2WWf9PiIfd4gmHA2Z9pEk3oc4dwjWEhZsiyAXE280Bm2POoRO4oCcWE4p3FOpSIrUymTGUjwSSqLFcI1WYk+t6sIohfVBRdlDGu7QKUHlnJtNSrXdwd03JxfuTQe9BDqajrlH8OI8Aw0ktzf2MBH8AmrSa0l5ALDe4xE88BHXgRz9GSBXU4XxNCreldRJ86pNsTcSJLTCcs1qt9CGkgFwFpGdu0Xr490iNxdSWVSXa10b8waGQ2SMLK8hO3/AhTBplMGJezsrE5ycXv4jF28PloboUvkSsgb4W1hDbCIQ/3ImxsBRSWtyd6NhykwHeJpzxuGtXisMQTU832TDZDMbRRTb8RytAPfN8im0kwlw1JMrHfVOS8hcily4RA5vY1jUEFeHx2c2avgAFd8FIaKSWW1uzpWUJ4PtDgr5BOYwEsm3fCvZFrl+SNn/n4184td8KomdkkwHagRd/jV8wlThhxzoQ1rNd8H3IA19asRIDrUBqdAXORgzsTbyxE6h6HzJ4LdccMHsvUQKsI5oFIc7wRO1gViwNBXX7gR+A6EmRoZde2LIw8wFhgZlCBUSLEo+J9RcBqiMHx8j6WM+ZSMYRXQrU+5D3Z149BkMJViinvVjnYQUIO7dtcQX9mxj6juzex+FFIKmhbM2YXi8dTgr8bSzkM/coKFqLnoLjriaRR4Wssz7MuXRK5h/9XdTSj92x1Ho4l/w2BJ0FHq+KeMGuqAu6GapDLPWWqijuuNVpWhTeWUiwxpLVB+LmfakXyooennhrQU9LU/wA/GyjkrmKL5gGVYj/0cMevz8W0e/Gd8CjYMLOi+1qlCngHxgC6KLkvtS4UqBkn+Guuwjt2AcLIzybQVx7oS1h7dme5ubk4byBjkqPZUoQ3xD0JghABCjIFMNTVBa9CiVFxH/ExOMdlEyIw5c2FjybWHLmSqA8GAXJqxbnn3kLPaKSEbA+MyYwt6xTThpu7nH3PmWtK2dGoJ0jdYhYMhWIdqmykb9sBY3YKnVU4VwBuGZAU3vmRyO4LsVBrnNuaYWyKY62DAWP2CxnPZAAPiwmUD7XW8ZuSgxshvvKGpIWP7nrsu7O0BHy32QX6iPQWvs+cv2S6bTNkmZS/SnVcvt7MJezXd3Hq5Q7dePH85mext77ycvmhZjgaxXTYELU9s6NePuBNgqxWmJ3pehDKr7mTCPQyJOY5eaJ7LG9z+jGuj+KSKI8fdGC4FQFWQFBFMmFDot3n1o0HCR1toQyFBFyxd9QkRwcgegX+C36ZUwwqOrdLGU5cR0zhFXgpod8ZP80qbTrt7K3v+yKjRfYOg5uguOKifXIYqAuFRu5HjWl7BLK6pPRiA7rj6dJeuWLyOdXfcmkQkMzaoA8VTEw0kAVO2+ExECeZGIi8KpGRH8C97ruilYfsbHNMooDSusAFpteDEx7SjUbQJfumBLdb+j4mvmR0GdddJgMynmPnRlqOlFkuOQOhSVAsA+yzueRRd2CRUR4OJBcFO71O1GidZMi1WV2upa06vmfempqw0uLgwG0IMKPbClQPS5StFDWeipA8JJ5qLWcX1POxafSjhSNv7glRl46p395zUFlQSS9GuzoLDi2DaW6wDS6iHb3GhJtXUDMZTzxpZR64QcOwWVVCBIWma9YgJfr71TfdPqzm0jlI6H9WTi3nCOH5rrU3pfqCcexB5fcTzg+8JeDGiGggLBh23R55tyAnhho4Ec7+SaJJjv0EnUxxEqjAGVawFXfuE3sJ6b7zkNG5w1fE9XLexHb3xtI+zI39vFsbzGxKC8hq6RXdXah5sJMmlvCLUXkmYiccMNkNp6RZRLb7A3bvYeJ5sJzuxngWxew01q/7mDi0Ln7o/ktMHB2JPA3AObTRFwuZIUcjmPcGasfvMRWx+kyGFLjjyKaTwKaTwKaTwGwkpxDPpK0zVjOQrxhUiSE9xhU9xhY8D0lNc4fI4e4orfIor/K7iCuGy+O7iCh3UZMi4Qne13xNPR3MXhFafWhlC7Xpj6qJUNmIUBWVLzL75GMNb0ZF8Jj6+wRjD5YW6Lxho2EPzXz3QMBY1nwINnwINnwINnwINnwINnwIN2wT3FGj4FGj4FGj4FGj4LbO0zw40hJ4pCIxzgF3U39zhAHP9HiwN5lRrPl34yCVs8g5lNmmaSqwsA/WrcC5i6EcpZOFNRv7itzC/4UYxcnBx8X8O/51MFS0YFOXtDT6E+hpSwTqbgLjZQTWiobYqV6GKJ+h+bsyTo/MROf35p99GUPVyzQc0hA7iHlz0lOAaEgNdxZO/ARS+erMbMS5WavUPJ+yFslRufxw2UA9d4UVJU7Oy1pyFpXMg6uRvXv2q1x5qRvv5XA1bLkCXAXGNpnMoBBUqQYINzYDb1dM5TDWCHUpTWZQ51xhlNJM09+BFVUSFPfpWt0Yf68raA/yOYUu/AI92+A1TBu/+tFJQQSgUz0SbrSefhhiL+wy/h80IMZHMqs4Q5we7RX4KU7mxeMOuTLzMHnqLQcAVlM0Ss1CClTAr4GMTCkO4mFn9FRvOS0UUM0rqEiXnPAKWzma4PF91p3Xy35xcvDt2R6upfCEpD3bDW3rmqF4jMhvU6HH3D1c821dbijlBWOQbahT/SC5wnGbx01HctSghz9jHJNS5o8bQ9Cop7JhQ5w4h0RsXB5ubO5sbYYK1NtbwgT58fSFJI8S1LI+7Gl0xN/3yuEOW1oe7oYtBXsDp9PUgK5V/pxh80Ai1vOEvjS9xpANTbOIV97n/VIf1PjpePTB642Jr59Wru861/f0WtP1FtN1GEPR3uk23ix237N3X4SxLY7chWwzEXJbH7oPGCLh2ZfK8tuBqxD6kMxz9/9n79uZGbmPf//MpUPIfXp0iRyT19i3flJaUbN1IuzpLrZ1KKqHAGZCENTOgAYwo5dPfQuMxmAdfI3F34/Kp1CmvOGgAjUaj0ej+NaBm+7COBcN+wsJM2It/jkFrAR8RlYLEE7DJKFRSAlDK+AXhJ0YBf78dkbmcOYDO3GDTQ3gOjjvn1lgnXGpDTVd+3aI2XUjns51VYhjqKl40jcCINGirukstZlHG3Z9NCK7H0orCuxmOLvuDny9Hn4YXo1+v738eXVwOR93e2aj/vj8a/nzROz75yxoN42auESw83u2IC3eXt21bg05InEZtHLOUFFaNQXC9Q7o3YwNXuRN9uAPpqMok07iebfIcxpmgT6AgH6pTGoUzTNMHJGgaGo+3X6II6WcCnQPmICNjKqpxOrfX10GwcSGRZSPZEYsvbAEfn9de55Xo+AL386vNDKIxl69FozXIA57tKmBp3j+KyWMTyoUsiIXNhJm5gLKaig6FlWk3W6gZFrMgiY53tD79goJKp4TPuToRcwjm28ExiihcE9kEDS4/uWUsRnhDQt4GO+dKZ1UIKiRJQ/OapEF3we+oCzy1vLPMPUrli6I9g3klxWw+JxyyUIBf5S3SuTo96Z9e9frHx++vBqeDs8uz92dXR++v3l91+ueX/SZrIma4+9UWZfjzRfe/flXOLw/PDwfnh93Ds7Ozs0Hv7Kx3ctLvDc67x73u0aA76Pb7l+97Fw1XJz9xvsr69I5P6lfI8dDLKXj9CuVU9Uq9zb45OTu9Ojk5uegcH11edU8vOmeXvate96R3efH+qP++3xn0To4vu4PTs9Pj95enR++vDvun3V7/4rw3uLjauDSFmSMVItuZyTPIc7Rs8Ull72fj30jontb1COy/wJKrPY8MtHRllcoM7H/48fZloJ/APjEmUf+ihT5+/vE6nXAsJM9C8K3eE5y00KD/Y/JiA0cG/R9tHMPmDPwNH+7qHDePQpBanIfn635N3qkyqmdsoWM054QrYVNCNhzeHOSGNkIznEZihh+rb6LRETked8+ik/HxcXja7Z32zs4Pe71ueH4yxr2jbeUpZXKEJ3IjkVpWS3+AJTm4pwnxjWUo2WvwzAtWgUApg3gmYjZrpLayvzdr6v9/3+v0uu2O+t99p/MD/C/odDr/2LjmrDffMaR+fsEJG9to48l2z087bzFZjej2xsEDpXJ1gqEQx7FSlykafrg2WlWSOC7A5eu3kRkTMjX1/aqVQQz3qEBY17gyD1fmVhWgXxWPPa2tviwUbikVP54SxfY5NUlCfkyeSROqMH+xWAQmYy8I2bYM16rya6rnikLOFbFjy1qFnLzYCp0fP/84KNTTeSs9LLK5frwZ6Sv1rlLh3O3KdFNvOxTu8vovMxLHbOm9Zcltvnd8Mvqpf6tu84dnRzVfX/YHG3z/fRAEm2/2jJcLUe/aCaJ6zMuwwFMlZL9rHre0LjS1EesCewQJ573jE75x5RkiJB7HIPgbzHTMWExwWjeh9/onNIlxYVp0Yp1dKCVTJqmW9gWGuLiQCDHJYoRTL6ed41RAfSvjU0sRSUP+ApX5ZJamJN74IpuSZzmy7rUvupTOp6dL6+hxkyhAd0QvrCkm7AVJQn7hxYeLvML6O+vHVMqT4lSXssJC0GmqNIc4kLFow0yUNa/m0NZ0l/4QPM9kEn+H43natmNs00jsl+5XptZ+br7HbAEvy6IqdWqUB2tLA/lx0iJLdipwVJQcsSBwpl8In8h9Xan2dKm2JSndWMwM6uw36TU0Y9vWa1id0tfyGi4bya7PtR14Df21aLQG37TX0Az3D+M1tKv13+w19Nfkj+E1/Jqr8tZew9Lq/EG8hhuukH9Z/6/zGpo57tRrONzKP1jxC+ZHhYeJ/xX8g6b73/Dhzq6i9Q5CU+XzrRyEh+dHR0ddPD45Pj0+Ir1e53TcJd3x0fHp+PDkqBttyY+3cBDe00Rd4JJ5xV9mnEPfgoPQm++rHYTbTviLOwjNZHfrrxpu7JkqqeQaFaBulnZnByFLdqICdlvf9kMGOCGFPEV7Us0xFxZ/TP2dcTqlKY7N/bZGAoLexottOtm1g+EDAHvS/5BIX8Lh9HP+BXBX+tNcN0W5rpq/i4fiOLTJjzYmyvvT8rioQQ4yaonUY9ZCGNN/iNXHWF9pOMumM5bZ3YNRQkPOHMIyD2dUEi2ZOI7VxUZdgZ8oWeQ3qzzg32wCb+DIS51AnPyeEXVjbedCYqv3LsjY/m6vTxPOUtkmaVTCxmur6fyeEa4OHiifb+aRYzaMcfjot9wiHkuNfodBr8vBkXXHeT7Vhf6LHq7I52YSZHRGbl542NyVx0SdOkiyKVHWH1iGjmSeyafzuizD1UEc68XzgCcl4W3j1SEeJysptUfjyXlvcnh8ejo+PIrwCT4MyXnvPOqQDjk6PTwps9eVSv46THbdl1ht/27zsW3Sv8OpgZyMhGCRcQPbAAk+DthZZN5TkLKgHX8hWtGcCxX2dTqTzskpxp0xPu/0xqeeVsh47GuEz59u1miDz59ubPyjhRY1bxTg5IZ9SiQxZe5h433+dCNaEAZpvrQaS/FgzAkkZaOILVIlEgyJcEYS0nLIB3MsZ6Y9Q9aPt8lG223GqzG2bRYbj1t5bnjxeWyviHMrWEIM0iwGfib4RQfrGgf59Z2a7YFioeKrTqeNX1ogESyTDlXQUdUZ/Nfm1U/R1in8HiaNRuKcMou88WCe9gyIYEVoal743DOD9UTvirX3MxNka/M5hXGDKeVkO68xA8xucGzJeFxCUS2RoEJjdAoCOOdUGo9nS61iyqRShfwF4qdnsN+K7UvEY4IhiXBOOGURSjIhgchY6bowziIS1cAs6DsyfDwmaG+eTvdyP4dqvheov1VXaG5OQC9pbZrk4DBvvip3jEsPLFUxBa48Wpy+e/DkX7L5Xok5D9896EtLEYLCDrqUfTvJ4jc0wL5absP1RGfxKxUIyZA0UVvaJERCYfdMkHzDvni+EgADze84NEUPSp4VvQd4OwTfC2x4A3AuECfqdgSmvrokc3t3sAZPEbfUR72pCbcvaoAfjo4ODzQ6719//7GA1vudZPPC6tkN+QdYwe8/pwmLACk+1zMg+gIJQtICZ6uIX14ZhdShjyYspZIpc15rADaGkztyh8GYKFVjBKel8cix8EUBw2Mr4DRrGqopZBBIkqLfMoASyi+OoLvUOVrGaHGS47J0XTNHFoOlv8DCDbRVOOdri4E0EiJFbcnPBfmaYyE8qXnzdzlDvnSrCEpjkLuCULjDclbq29OthkF7peHsAKnMR8iqjOPo6LCiOY6ODguDUleol10aCdCBEWKHuQjj1b+Yd++6Ofh29F5J2Cpn11/h7IL3vMh3QPi9AAa/Nuic1ZIy1RZ2qJeopn133thtmRquY7Wgv3Em3VctrzM9WW2mOIoaSClFJJnLfDwwdP3lg2ldApAvVHxAYyIXhBRDGOSCaVu1dEB/bXQ0pYL/hEb7dqDR9KVtV0IwBOrLdSKcNnulc1dnQT78UGt36vEuObeK/oQ/Qd/Qn6BvjUDfdhhS/NmQr7FR/BEUnDv232uq8oHjrlwxooCh5KpGwKfavIXMWfKE3f3C+BmKVSRMkq2SDyihA+XpAAjbB8RVf6FEmBPVIkmhhAFaDdYuYhrZa7J1ROEUYYj3MQY3nNbC8w8nW0DA/GHx+r4mVN+fKH21KH1/dIC+/wJsvq8Ny/cnIt9aRL6vDsb3Jw6fNipGeGrdiJ5pgfK/bmBgaBrWzMjr0LKEGEA8NOZs4b0h+uh6L8bRJWZsgZTySuF5174qQ/mykCXKOHR3dfOqnrmh2nvyFjYBcYUov4CWML2Vl4TezWyBpuWCuZMB5ayrDGqIJ5jTwqC+eSdwSQ948jEqyEd5rrfsPzSO8cFx0EHv9Gr8H9S/+2xWBn0com5v1NWXm1scqj/8fR9dzOcx+ZWM/0blwUnnOOgG3WM3vHd/+/n+9qal2/xEwke2j0xxuoNuL+igWzamMTnoHl92j84Muw9OOkcmT8MxXQQTnNB4V163j0Ok6aN39k7ESTTDsoUiMqY4baEJJ2QsohZa0DRiC7FfTc6FLyvj/mM8+XycE449oERrG8JtxMbnutBbDmVSlpR10qJzy37DT6TMrUfCU7IrM74yB92bG7YOPcCLZTvkKDgKOu1ut9eekpRwGpZH/we5AixZa/tM7630ssX9e5kz1jr9Uitr+zP7OSSpZKKFsnGWymzVHsZ8QSt7eLehgZXBbyqP3U7QLWvK3Q61VFh0xcmptLtnXz3FRjMay+qXm4sPm9hU6rticU7t4XeF5886vaD7O5J4+k7s+3U+rRcFC+3+wgLRdAoxI8o0J/o/gT4WgoU6m06Xc07tkyDcF+BCoWbtIIa9uqe6M1MJ2aF/me8+6JfRQM2+bhachIxHihxNp7GZrcRTgJqFJ9QMAhEgedAunldO+vc2Tdu/I5KGeC4yPUrRMtedupGhwmunK8VlSPvAuNg96wqSCsYNEvE/CHlsoV8pJ2KG+eM+vFkCFK7B47WVlTmeTGhY4QRNU8KXrqomgfRHZnL5Agv0zrrSDFXzW3H++0smuXp6BVDqbWe5YnoFTAIIyrHvVOomGkXUSJYdT0FWoAxSpMOlDTsknk5BFxiSH8c2y8MTbiu9gS/lJpe3Rv7s54akk23/Ogvx625XmFBKewmOqAg5gUt3eYcZmjACj96ydfHKN5naTS19o/OrPG1xtdmZcwYmdD3QlqIBojZx7I77VX39lzUH8Re4+Xyca8BGPQO4Mm8zB5ZJQSOyeiJO62dxSjge09iWKLTqv/LD8nNAHQMFQhs48XFN16ji0beJ+0/uANsId9IAye9ofQrl1I1BoPS5H1EOE5EVvmB43XHY4xaw34TeWJOo7fb3u4nvAx3A9UX1Nfw8vNxX/wFmLo7hQ0c0b4AlHsNJxNGV2bf7hbe3HBvg9wzHL2KaYR4F+r+DkCUHvy/IeEbi+cGEjSCCLD54TNkiJtGUKNIHhQmOLC4rEcFMJv/8XyDkBlZkRv7tv/Zro4NsaKJ9Xqm+fn3/zz07r71/bQG/UwM+vwsg3GJHLqmkwAURMp5bloXFyS/pflATJCMBgkP4JMRBBbS2/8twuCknvBF/s7eiCldL9VerLIXNZ84s4Y5wHMNp6PdW13rJ9gifiIf/CzrsYIJ/BzGPvwufyAheE0fe4MQo5ARLEv2zD4UyXLe+bqVEn8WXz3MmlObo/3Lpz/BflfW9TlGCw49DpNPgUC/o9oKTlh/GU2SHCRT8dNffIgufpFkCl56dbhCrRb0XFA+2hooVS1PdHHVLVLM7LjdlwY7R4fWMjWp4dz3Yt4ETpqL8PI96rj8skX7ADtC1/+ZsatCXOzBE7ftUla/l02NT0V/MsBxRMVJbgEb7RtbLMu6oV2T9evCvmjVq9zrd83an0+lsAQezW2TzC8SJrSG6TMEU7GejbXQGSUIlnerrj+OFXQwn/VFpXcqMqV+RcErbY5qqv4I7L5zSv6r/+NHx8aTb3YKNSvBGOxV+c4tkHIkQp/WiWpm8mkm30z0LthEKRT8lPHgiacR2lWF/XyzXXTngYQhID6GKO05SPI7XmOv+hBgngbK8NpjMJGa4thj790NFRofDcJxOzdNXJ+goi7vbCTramQj/abGnZgQlTEgkyBPhfqz5e2ViCkORqdunstiEIEIk8NYGWnseMyotUxIiOQ0Feqeh9dETPOXn6Sc6zPsZCpXPOX2iMZkSk8xlXokl4Tqrbb9lKqnkVP03X0XD0VXNphzIQhkuHTUBY9o3qV4hm5MlRkCN+WVNdRDddmSw+PYrlupxcLzdEpP0iXIG+FwbPWV9obW+9Ie1btFx+oJcEgNIiVmhFmqyQvAgSzkBzLJvYIkkSeaMf0urc29GtG5h4O0nwTLTjFYsjQykHsyiVTiv7VqFb7cvNuTwbn3lcJH/gK23paC13dX53YdfBvv5Ya+uxlRiSZ98ZJQnwkE+cfpI0ym4qPdu2GKvhfZuSUSzZE9L897PdDrbgyVQ1zT01FOL6tSnowiSIMoOSA3B4PqS0FVO6zDomMjcF/AhRmRC02Iil6KQf1xYI0+K4AsqEFukgBsboQSneKp9T1fXn4b3wUc+baHrNAzQO/iDUp7o87CtQVJSBqiAE+pdtfgUp65cy2LGlDKgwiZDSoZmJJ6D3gePuiAhCKeybEFPKOtrzlK/RAzBiUA45Exow3nBeBwtEdH0KQpSKmQwZU/gs2gbVQTiWlUG+nFkM1E1S7JD68Kteq2FAUGtinugKOwhaMu/8DwUAqmzlHEqzUIgTqZY15/0VEAzDlaMeNVN6Lqu5WJbMeQHNNblNHEazhjX/2yH9sps/JHv9TcFzvxfoN23OS+mHOUYihqapwsbFQlbKY5NtpxaDHDC1XkP9WuZRUIuLB+OqcuGm2M5sx97H9YMUP3fgMw5CaG4ThsyL/OG4DuEf9Hiw5lS29M8htmObwyFL2lC/mOjcZYPTztOSx8ndKov9j8gyTNSpK45UiDLfBAa/Y9RnTgvmbpbH7Db4CyZZhwWRXdWN78NWK9WyP9u5bSAaNM1XUlZMVcAYEdAUyFxfgFdyyOAKNdtkW2LaGS3RRizLMp3QF/90x5EXG1zHGGJ6zfFrflVWxNhoSncWPOHBBxFI/hgZEmqL0MihL6t2D1SmDU0COacKWnIA2zzFHH9S/t5tWz4QV6midqpP0G6h56xvjDVdE4TPCU1XeOEtvE4jLq9w1p9mvd+rSig64G7iGs+2aUwcvkdulAiAh+xOPJ3iB2QYlzgWAJMXiNjtR+vlDOvDzvA/JK+uhs3Iff91j1tsG1KfW26f7zeEhzOaEpAuWzUmWkQeA027cu/V4w20KSrW23aq5HxTReusr827YeTaW42r+6j8GktfauPIhY+gqwahTSw/67ZXvo3JCSGR+g41kg7oI30b2pfixnjcqSPhNyysnaA7q/tlNGS89oNC9U8DxabFJSIPpb8Wuv1zPIYVt+klmlLulIaZ/veQNN5G2rLXkstN+u0eXcm2RN9h+4/Dj7+gH5mC2XXJBhgjgX5a2UsBQsDrbYy0HJ9jpxO10MIrOSqgz+X25/1v2qIXKcT5kurORZUc2R1jSeg6u+14mnOjcv+0I+hoTZqJCChCF4Sgz//nXkExqYiuro85S1LyRrMgcwsl/TlS1PIqKgHR1/H3knOEXhqype92i8TwTijcbXL6oq603uvezbods73NhvOxyGCHnzHe/1AQhaR2n2waixCciLD2eaDsb3olKz0xUngYzYmPCUSXkKMHP7N/1sN3fx3Z+wVLbecKPKlcLVWzRut1ayFQa+WuTLH5yyqVztbbWaPA3OmS6pUF1d1ldXo8KY93bEIfb4eVDtS/1/Mcfh2k8opVjtjUUXlv7IzG+9d7cyoy/95tWL2fh4leD6n6dR8u/c/G+4ib8TmIEnwvDpkyNvS72nf3Li9sdUPnhMovSKIfNslzukuWeiIzGP2kpTut6/vOKe7pGNlCJJJFr/5lD3CS7peYwc17diRXdttvdH3+n41XXPAGF2eny537g81dM2P+bniLrV150BOG211CJDnTc1O00NAnkmYSe89FNWYnmbGv7GYPVLcxplkERXw1JFP///pX9HA/PKC/O+Qd/Ne6z2pIeWfwmYcjuQyv6L5LtDupeLLxhbuNBvgbwI62MQNwAvzr++TrnJGL+nuEoczk7WogQhdeIkpGWcQNwgFVDgXKWwKdgmJuczm1sejCWnIm0RHtjiHoDRAyzghUk2Mm9cuWDciwSTXwAzwB/XPlgmfgKGBjxzHADkitNv8+q5lXUsg7jRqQR4yPH8VhgTOcimAM/UsNNG2c86iLJTbMxLiAd3eNWSUmejmtqrbxuJS6PZ74TJX3nk976/p2gud2LJn3dayOp++JwsC8SxNdemr+nFYqNite//86caA9aurCnRnpBVGsorpYcY3ryGV9/qrA0e081tg4UTcXClxJmcklS4qVAPZWbW2oGnMprki2/sV/jAmWO7VaysDbeLyjX/VqVPoEt46bth0qRc3ZtNgQmMSeJhydTw27+6rMtKKnPejYQC5NEcq1BW0sPEFQdJCPkPkFZfiBtTUotCa7OwUBeRJPgPZ0suBfu0opf8qjb3gVBJzeqwdO8cL9PfbmxyPsBC8qyfBxiDIZhKG4aXiWA7hEHJK8pcoRauUTyYsQLF93TcUcy1slxJd3F2jd7eAZM4m0q31L1So22EaoZQsCN8PSiiLPsiBhYRVB5h5ltOPvCbcWgckwc+CSBjTg2kzek5izce8hBQWFS3O5jmoQwoJMk80yrB9flNiV8S5W8dvKHIFiA/gk+EsG8dEzBiTPsLSPONzJojQAHRwgFu8db1F/BwKT+icUkjm2Ec+NU/uPiE1UICvw9OUafz8cUyS8huW28So1mBaIn0XceySkmwGgBlDZU/7L/xoBlEgntjVeYHwnHpGVb6lvV2xYmx2pdwKgiRC/G6eq4QjAwkVMh7pVXA4/XlyU4Hm3oKmQDNm0z3ncatOV/XGONqz305pmn9foOjaqE9UO0/W7Cwq34Baioig09RoaTuEoc6n6nU6hwUy3ie9TqdT3dMAi13Yny1Pos0UCiRpsV6G1pR2UAH6WCIHaVcYbCXbd4GcGUdrBUf1vooCfzco8yrBspB3aEVD2QvCGH6w/gwesxW/rLp20xM1jjgcSvpE5ctoI39N/bGzRkgv0DRmY0hbyyrwPOXaPlJXS+VgApqxgdwWSJpcOmisth0AwkFJCAi4APPC6wQ+8RH/itdOlPdUd2vU8S+jDe+qTbexf0C7mBuYoM4ogpob3laGys66zFf5bHIcUmKw0OEkpgoX9KK0q4b71KflQzHA4qGGC0BuZF63iyzY1rPTSIacosszsdRgyoeqrbeI8nqLSiAKpACRCKbyAJeXF5aBgIR4LvUVSfMODhmWWvtc6EidAinJ6tSJuzFBuNhDzroH6EcxNEIP8FX3oVUcG/y19+DVOGihMQmx2tO5ovd6gNTUVNOkaVEEMI8phDmbCbCJM4y2WmH/oFy7TqZMCzyakOcZzgRggwF+I5v4Q3e716T2FghZvuqdHqD3L2iGn4w1Jkiez6jPW2MMSJLMYw38SIqa0ke7pSmKsJiNGeaRMNF08JTUjgnmcPP5jY29nMCqQ8Xn3EXh9nCHw0c8JR/KKma5xsgpvacp5i8NmskYnlw/C8Kv03km72mT3hmTtyxq1vA+f/DfomFG4+iXUpXITRv3lXGYbs+tPuM8A+G9gGD1ofTLu25MhRNY7s8ybMTsQSXPb5u2Msdt3KbZEw2bCWbe9Iak05JC3ZxAQ06ppkZKbvFvJR28PQmaNiHB6VND3qmW/JVNm7Jd/fIL3l5WLlPJX/osS+X2TZ8lx9fphG3d8grTOOPNuOy1bcirKxqTprroiqY4VookE1u3/al0um7W6jqKyXUyjyH1AjdSI4oEKL9m63ydzAkXLIXOb8gT2V7Krm1mScPm8wuNLNug5V1eJGHzZn8jLw2F6wYLqY7JnxiLGjUezjIZsUXajEDyGqvkhk1Z+lPxQX+LltcN25kXseZDbmSSwAHTVA3c4meaZMldXvXwjvCQNNhct4C+22juuumwwXLd0vSthq8p3c84kzJ+DZnmi/GBLIwINZDAvHGjNfhAFrpOQaNt84EsGllKH1iizqErQElNw+1N4w/wgrl1s49x9IrZfoyjRrP9aF4V1LndaJHucANF7m2OVx6/d5w8UZaJ194kLJ2GjU0m7w0V2+/P5vvrNZvLtG22fKZtAzm9K7wzb9Euw80MrLsM37GYhi8N+Pu/k8a27CeCRYNmoAFw006HcBl+H7Pw8d7Hg9m4vYZ7biRPpm3joRvLTHsTGhkdlgQ8BfSbuGAshaaLR6cplhlv0LFt2fD2M4SnlO2bScybebmauXuazk6yebNR6krwurBsM6nWFJqa4Kb5Z9HQCvXaNzFF74cNxnyP+ZS8hmeaQCPfhW7a/KrktW88c/0w+oqZN17tvHmjxYbKUDgeEsg+bzJ/9kjSy5g84cY6+J7jVCRUShKZA2H77d6UAU2Pnl8ZfxQNzU/9/tSsWa9Zs8NmzY6aNTtu1uykWbPTZs3OVjb7S7mNfqTb8qm+SThJ/niug0Z0LTdaDYMx+Ft+bFDN46IZnthq3Fs+D9s+Cmi9Bu/xxcMsrQwunOE0Lbgfd/q2r3uzwXY0NOEKBlfYBuMFfg09WlRFLHXUFGUv0NA8NsdsKh5s2hzgeaQ23DOPCavhhB7DbuXLzPN6UIwni9m0EKUE4DWOKVzp5aKO83BooXHOQhOH3dWP6AzCP/VPWjb07yWjU4DPRFIcxy+2BmuJICc4nJkQlUR7+sz6vOv9+7D37wI9GzdVjWtSg+r9++To36tjq/aLkQGw2ORZlsYENQvHBHVqVzPGkkSjbzHEx45JLSNsggK5kKWSsxg2g1Tn8oRwDhs6MDIEM7NhQAuoky5nxFQSlLPShvFDgaB/ytGDx5YHX9/VJCvOw+Kd7M11l+6hHM2gFRa6x+JRi7L+CtJSHRK40XR189XZEDEzYc2GKp5DSpKOBzURv7wUD1ygFrPplEQ1fLH5FaPpZtl+X0a0HB4H/KgHX9lKy84Cm/Yyr5mQVzD7VYtt+hhRV6W4H1PFeBPY+ClLJU2I9VWtYny625i0msPdU9ToXVmcGHd1txTza6TIU6v7NROTWDzucp8p+t/2LtPpIQYuXXdrspqqJ8k7lqI5J8UYtKKlUA6BBUhbc5xqE86Gz63YDHIGFsn2W6JC0YXeVSh92ShC9PooQi+sr4Z1pgSiVVSvkum8slq72z5u97rtw+Oj7tFh57x31u51jrun3W6v22l3D8+7h2dHhyfn7W4OyLoBS6z85AhvuYZ9N7we7LvMrDBkWSpd8RcTb1vSrlRU1CvSQAXFCP+UAYQci5/0vhheD8CqAxa29HkORm1eQrIULQk/6FqjJmRS/0nx+MGGCFoTienLfW4sezUMvDG+sAy5pERvwPlo1XYaXg9EC3HyRMnC7P8pmpTiikIdXy+0kWPKD5j8BFNhYJnobKjYVyxstVpfcdHqF6owiFLZ7x3oY1Mn1tVmWCJg3liXF6ctDF0WXUBvf5AYmPT1A64Z4VPF3fMaA+PeKyKXp6A6Af/eBMlSc+cz4FlEuOuHB6FlMt5sSkee83ZDpjgspOjYtOFl6W/6AyKQBqBkhaSyk+DZQHYzqmuKeDlBFmoeaD3l1bPy9oEH0KIzfw0FmkbkOY8CXszMpfHBZSwHJyPJRqeBTqkymVPg2CByyTW5PnlYrofE0jlHQZ7msxIsqnpNW0e30mAl/bpEhjU91DVZ2UfJP7WGfOnrlZRLHqQ1lEtfr6Qcs+k2LCk4i9agfwmBp2REOGfr0Ofgm8C02IS4cdWkfsTGmqGXvTtr6C9zHqztZVnDlf0V7thruih8u5Jq3Q11DfG6Juv6MNe5jTsoXTFXktd3sC0ktO5yuBovM790rSHtfbmaIlwYtuZI+Z6xso96C3tZT7ar+lbrOyqYQmumU22wnv7mp0n585W060AKllIufryS7nMSr1NodZnfZZr/PwAA//9xtgg1" + return "eJzs/XtTHDmWMIz/359CPzbih5ktkipuxrzvRDw00N3E2pgxeHqnxxugylRVaciUsiUluPqJ/e5v6BxJqbwAhU3Zbg+zz+OmqjKlo6Ojc9O5/Af59eDd6cnpz/8/ciSJkIawjBtiZlyTCc8ZybhiqcnnA8INuaWaTJlgihqWkfGcmBkjx4fnpFTyXyw1gx/+g4ypZhmRAr6/YUpzKcgo2U2GyQ//Qc5yRjUjN1xzQ2bGlHp/Y2PKzawaJ6ksNlhOteHpBks1MZLoajpl2pB0RsWUwVd22AlneaaTH35YJ9dsvk9Yqn8gxHCTs337wA+EZEynipeGSwFfkZ/cO8S9vf8DIetE0ILtk9X/Y3jBtKFFufoDIYTk7Ibl+ySVisFnxX6vuGLZPjGqwq/MvGT7JKMGPzbmWz2ihm3YMcntjAlAE7thwhCp+JQLi77kB3iPkAuLa67hoSy8xz4aRVOL5omSRT3CwE7MU5rnc6JYqZhmwnAxhYnciPV0vRumZaVSFuY/mUQv4G9kRjUR0kObk4CeAZLGDc0rBkAHYEpZVrmdxg3rJptwpQ283wJLsZTxmxqqkpcs56KG653DOe4XmUhFaJ7jCDrBfWIfaVHaTV/dHI5214c765tbF8O9/eHO/tZ2srez9dtqtM05HbNc924w7qYcWyqGL/DPS/z+ms1vpcp6Nvqw0kYW9oENxElJudJhDYdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9BnuMeaEIVI9pIiyiqPaQBgGOPoKtMptdMXREqMnJ1vaevHDo6mPy/K7Qsc54CdCv7ZGUi5fqYqpUBWWHixn5TKplVKfz+vzGCC6Y1nbJ7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWe39kxwQSg8bb9gKmDFTqeNqlJTWbzlcqrJLTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxrhjN6DhnRFdFQdWcyOjExcewqHLDyzysXRP2kWt75GdsXk9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6f3nYCY0vlUSMUu6VjesH0yGm5ud3fuNdfGrse9pwOpGzoljKYzv8omjf0zJiGkq82V/4lJiU6ZQEpxbP0gfDFVsir3yWYPHV3MGL4ZdskdI8dcKaFju8nIBifm1p4ey0CNFXATtxVUzC3OqT2FeW7P3YBkzOAfUhE51kzd2O1BcpWWzGbS7pRUxNBrpknBqK4UK+wDbtjwWPt0asJFmlcZIz8yavkArFWTgs4JzbUkqhL2bTev0glINFho8he3VDeknlkmOWY1PwbKtvBTnmtPe4gkVQlhz4lEBFnYovUpN+TtjKmYe89oWTJLgXaxcFLDUoGzWwQIR40TKY2Qxu65X+w+OcHpUqsJyAkuGs6tPYiDGr7EkgJxmsiYUZNE5/fg7A3oJE5yNhfkdpyW5YZdCk9ZQmraiLlvJplHHbBdUDQInyC1cE2sfCVmpmQ1nZHfK1bZ8fVcG1ZokvNrRv6LTq7pgLxjGUf6KJVMmdZcTP2muMd1lc4sl34tp9pQPSO4DnIO6HYow4MIRI4oDOpKfTrGFc+zxPMpN0v7RPed6TtPdfskHX80TGRWPNupGiibuH3HPfK07BQZZNdWoxFuACPDKaRi3jMenDSKCEf9IwxpT0Cp5A3P2MAqJLpkKZ/wlODboPhwHdQzh8GI0xTMKJ5a2gm66Euri5IXtMh2t9cGJOdj+Bm//ucu3dxie5O9ydZwsjMcjsZ0a3ubbbOd7Wwve5WO9zbT8Wj4Mg0g2vUYsjncHK4PN9eHO2Rza3803B8NyX8Oh8MheX9x+D8BwxNa5eYScLRPJjTXrLGtrJyxgimaX/KsuanMbccTbKyfg/DMcr4JZwq5AtfufLzgExAsIH30WnuLudVQVAFan1fMaaqkthuhDVWWTY4rQ66QQnh2BcfMHrDuDu3RbYvoSQMR7eU/DU2/F/x3q7Y+ft1BjbKcB/kVvHcL+tqYEeBOvIcA3fKyxvLsv8tYoNNGgW3GjL6zg5pQfAqlHGoWU37DQB2lwr2GT7ufZywvJ1VueaPlAG6FYWBzK8lPjk8TLrShInXqaUvMaDsxyBpLJE5LIrWWxEqqgDOEsbkmgrEM7crbGU9n3akCw05lYSezZlO07pOJ5R9eoMBSUdL4r+TEMEFyNjGEFaWZd7dyImVjF+1GLWMXL+blPdvnhZidgND8ls410cb+G3BrVXw986SJ2+qsLHzXKmlJjRoRRHHAav0skribaMzqR0Az4ZPGxtc71iaAxuYXNJ1ZU6+L4ngcj2fHuJeA6r87kdBEdgum3WSYDNdVuhlrp7qhmlZGClnISpNzkPQPqKkHgtD6FVQOyIuD8zU8mE7pdIClUggGjoATYZgSzJAzJY1MpZf7L07O1oiSFUjDUrEJ/8g0qUTGUE5b6atkbgez3E0qUkjFiGDmVqprIkumqJHK6rHedmczmk/sC5RYNSZnhGYFF1wbezJvvM5sx8pkgQo2NcS5I3ARRSHFgKQ5oyqf1xIQbJcArcx5Ogd7YcZAZbALTBbWg0RVjIOeep+ozGVQxhpb4UQCjkNonssUdGYHUWebnBoZvg4E73bRDfTi4Px0jVQweD6vJY5GmyigHs/ESWPdEemNdka7rxoLlmpKBf8D2GPSFSOfoyaA9XkZYzlidd5sJ11LnoDqrAodazTkPnWntQdvozXBfB08/CylpcHXrw+jM5jmvGUiHtbf3GMjHrg37WHz9Ei1I0BuuD0LSPp+m9wRdLqvBw5tP8WmVGVgE1iVXwo9iJ5He2DM0YvKpaA5meTyliiWWnO54ZG4ODxzo6JkqsHswGa/sI9HkMEB1EwES9A+c/6PU1LS9JqZF3otgVnQiVE6FtKZCr2FVrVrTOpNWAW6NtMWDmdkeSwZRYWmAExCzmXBgtlTaTQfDVMFWfEuUKlWaoeJYhPPrRwoorVAjUfP/ezMe9zZMQvmLZj3EQLcsbRgianf5nqKGH50VDgi8hNY6VXpyiLEjVrb1VxY8P5VCdwAMLPRcPYO6p7BavwKaTpDWsUK92sdTrT3DAZ/Io634ecJHmA4PKiq0SwjmhVUGJ4C72cfjdPq2EfU1weoRHmOoINuZyS54Xa5/A9W+0zsQpkCC05zU1G3HScTMpeVCnNMaJ574vMSwXLTqVTzgX3UKyXa8DwnTOhKOQ3UuZ2t4pIxbSx5WJRahE14ngeGRstSyVJxalg+f4S9TLNMMa2XZVMBtaNzxNGWm9DpP4HNFGM+rWSl8zlSM7wTGOatRYuWBQN3O8m5BnfkydnAmscoZ6Ui1AqWj0RLSycJIf+oMRv0wVo7wnOg6K2HydP9VeK+uEKUNbVMQbiJlMisQpcwisarhJdXFpSrBMG6GpCMlUxkTs1HHV2KGgjw1Lgdq7Wo5N9OgFOdPMvw2JM1N0w/oNpHe49+n+ZrDUB+tD+g0y5cnLkz6UgCWWd3q/a2G4AhYS/B6HA8HMdPGnNOmUxSbuaXS3IQHFqdvXd33lgbgTlXYgMcKQwXTJhlwXQaOSvCZB34TqUyM3JQMMVT2gNkJYyaX3ItL1OZLQV1OAU5OX9L7BQdCA8P7gRrWbvpQOrd0EMqaNbFFLDHh43pKZOXpeRBNjXvfKSYclNlKK9zauBDB4LV/0tWcrhBXH+5leyOtve2hgOyklOzsk+2d5Kd4c6r0R7539UOkE/LE1s+QM3UupfH0U+o8Xv0DIjzgaAWJidkqqiocqq4mceCdU5SK+BB7YwE6KGXm8HDhBTOFWpUKbMSwynfk1xK5QTPADwqM16rtrWEQvByUs7mmts//MVV6o+1jkA4lSa6nYdrOY5+hwIE5JRJv9quH2YstZFiPUs7e6PYlEuxzJP2Dma476Ct/+3wLriWdNQcTL0n7W8VG7Mmonj5AAzhgcYsJ2dBR/MMEWXFi5Ozm22rb52c3eyuNWVGQdMlLPjNwWE/LM3JBTVJe7G9Z7V/wasX1mZE0+fkzE7kDAEMIjo9uAhWNXnBkmniXEQ0j61/giak9x417ivCAYgMSWupgk9RTEkuaUbGNKcihfM44YrdWjsGDHclK3tMW2qrXXQplXmc1uo1F20U71dlY2zY8f8s+ECD9RFKXGPVZ/j2J6lsm004OnuyiCZ5936cuT24i/gty9GGKZZd9imLTyezrMUy49MZ0yaa1OMI5x7AQsqSZR5kXY29jhn2/6f64gZlTzScMzAnUkHIT+KeS1JZrBCuyUr8RftGCYOf3E1RxgxTBUjYUrGUa2tCgXuEolEL1+YQ9FWNc54SXU0m/GMYEZ55MTOm3N/YwEfwCWs6rSXkQs0trRqJ/oCP3Eo0lJrjOdG8KPM5MfS63lc0gnOqDVxXYOQT2ttCGgK23C3Lc1j9xeuj+qp+JZVJdb3SFZERNhpUYWR5CRTwBYiCTSb2DN8wO6vTVdw2vmAXr4/WBnhLcy3krfDerwZYxOF+4N2MgKOS1pTvxgPR16Wf9rxh2OiK0KIICOjPTThANHfRTL0Ti1EPfN+gm0ozlSyXZGJTCz3SUqGf106Ol08FA/+HnNzFNaggr48OziB0BVd8FIaKaWW1uzpWUJ4vaXFWrycwgddbki4AkyrPe1TEP6XHxS54VRO7JJgOLAd6Q3lOx3lXSz3Ix0wZcsyFNsyRWAM34ED9agQIsy+fAnGRSwuu6QaY+FgpXJ+/AwdX40aZU2O1kB5CRTiXaAfHO4GTdYGYUT1bmhmOmAK+Y+fBKDGlmFV/O9Fm1DEoQaiQYh6H+6IiF5HKe81clMoVrIJn6KmGD3Z1VyEcLZVigntF88acVGRWJNU3NMRHcfcR1VKCle6IVUKU9WzW0xm+X42jnc+swo3eEogF5aK76IilUWBpXVQombddyk9GuAdKUQjgBoKEmbyrCHIcmqHdLYBX/7lyzcdU0EuIplgZkBXFrNXCxfTSDogh0PfgrL77lhUCHq6+/Rd333xjBgzBMxZuSGAoAte5E0VDVHy9DLzCwqgqbztBbBW5M753Qt7UcZdcxwFgVJDjw00M/7LHbMJMOmMa3GLR6IQb7UKqayDtEW1mAjRCurkOgUVNENy4qhIuVluxQpoQhkRkZTTPWDRTGzKEiRIXTOwX5ElH1K86l14zaQEHrQeCqGk3ubdv7bBc16A6hD3mkjMFh/PyxNvqRY0gnAuixeOrH56FDADHuuYk45MJU7F3AhyXHOLercC3DGfdMEGFIUzccCVF0Qx7q2nr4NfzMDnPBv5aCeifvH33MznJMEYfwhyqNhftauK7u7svX77c29t79epVLzqX6Y3uItSzP5pzqu/BZcBhwNHn4RJVyA42M67LnM5jhSq2gTFbbz1jN/fzrQirqKHynJv55R/1DfGTM+poHmLnsfjBa2ngFMCAatbU4dWVXmdUm/VRy7Pr4hqXd8hOfDzryZGXJgCrZ21tQPn6aHNre2f35d6rIR2nGZsM+yFeIh0HmOPI4y7UkcsavuwG0D4ZRG88d41iae9Fo9lMCpbxqunMcXmtX4SlurliZtV3aBtH9Cy8MyAHf1ixXX/TkwwxX3eTLHpa/fq/DA/0GMBrlkXXjpyrufp+dlXMyePXf8OzhQJUPvvu26MAJkz8quM0T3qrB4TahQ7INC0HAUNSkYxPuaG5TBkVXU35VjeWhZdlS1qUuyv7RHYbK7kyY5eaTwW1CmlD25UZI+eNX+5Wey9mTLN2PmDD2gP9ccwFVXOYlIRJ9eKhyJg08oAJNpYyZ1T0oe1H/AkMYVqCCs4x/trBYtHnov26loVRFXvAdqhB1YaaamnBcAdZxl2oaxfLQOlMWf6WWksfQenJT6nQjHdZgVOrDKdqXho5VbSc8ZQwpaTCtN3OqDc051l8Uy8VMarSxs9HXjN6w0glomhOPIb+1foVfz7r8cOwt1ZFE+mMpdd9yWfH7969fXf5/vTi3fvzi+Ojy3dv314svEcVJqAv6UL7HIdvCOxA+oHf1eFBPFVSy4khh1KVspGe8+BSAI1sEQl6z/FYPTdSMbT64q3s2R6Szpq3Xn+3e0ohArh+/a73IOcQ86x9yOMA7EHLx8KQaOC5+Egp8nkz5XY8J0bKXLvcRvBSQrYcS6/R4kM67JDM4w4yEOtn4rWf76CHFkRKkwPdMGV1k4zQqTVtI2/QjNU8VJimzdF73GgD+Q+cpUUQUwsOYPKOjIPMiL+8Jz8gPNiMAXfR2Z3yDVFCuUtOdUAGKJAI3P2au9CXk3iQqBZIJKtmLC8jpyi4DzAQIAytnWNCzK1kNTxoPYtIrGX6LevF86yp/POCTpdqjMRKFUwWQgsRIEtomLQrRR9ohk6XBFlNWQ4uOm3dUkUVSu6fPqpUck+tkraZBrO6sh+NeZe4HfWi6+ipoIcizS5LEcXRSUEFnSLz57omhI4ShRVSIj4SpSLEnOSo9fU9vCR69P6UFWS40dMQjoiRNRvNQiE9Y0ZZKg/lpyD7cfkp32ICRSP/Y6EsiiBlXHGhJ8qiCMNCNsVzFsVzFsW/dxZFfDB9XJ6rJNbery+VShGzwud8iud8iqcB6TmfYnGcPedTPOdT/InyKWIZ9k0kVUQALS2zgpd2tnjpD6QTsEYeQan4DTWMHL35ba0vkwCOAhgX31QyBUTvRx4Xt1Lww9S4MZKM54CJIwZl4p5+hctIj3iELvblciTupOWvnSiRddTE52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ7zVbIstRjvr7u9ev4eP9deQXiRmDiJmcjxVVnGmSzQUt0Gb0CJU086X6XVVwcCq5n99QMXf1N+Oq4q4YniQrekYh07sxz4qr6B5CwcFV5aMBx1Vo3wIhKszgeNA8hea5R/pE5rm85WK676H5CznCBaznXFy7+ebkxVWS5fnVmivp6e1hKcivXGTyVtfvnyO4bzG26MVVomXfe+8F/7gOymln7R1YGmDMcz7uG7Cg6dvzxS8zm4GFyZ8ocq8F+XMg37cfyNfesu8nrq+1sucwv2WF+bUQ/Rz1dweerGqcFNnOkhjim6MdnOJR8OgZHS0JoPNfDkafBtHmzu7yYNrc2f00qHacs3opUO2MNh8H1ZI4dMOsd8pNW2zWRYILWmrv4Y95OvTmk4JkXF93j801U4LlW5uJ13wXSXWhZln2609VniPEdpLO2lvAH+5/cIrlB6ymv7X54ZMWxBKq0hk3LA1ZIksIbzx7T+JpiKFqykxwZdhld5b4cXf7EauwIoqK+ZIWcBIqiOE0HTIb+KSkjEBHrKLkOVuHWOMnVSdKlkSALXu1rVCFT1jsGY3jOR5enB3+sreXxdOv7qbZ2OKRK9tNtpJXu8NhMnq5Pdp5xBJ5US7TDXaAzq8Q211KZVwO+dkxnjRyIIiDgqyvQ1kDeIxEcBH7S9rszDjhYspUqbhwmWDctXcjdGKg0DpizAXn+vxyq5lhpfZaI1JU6GAtaTKzOpBM00opq2JiTCc2VXHNxqAbh1E0WFsAPeb9NbUpJfBhWvdOvb29TSZcMTYHRrExzuV0w8wUo2bdmpyWN21sDkfbG8PRhlE0veZiul7Q/JYqto7IWbcTcjFNZqbIu9JkmO7uDbfSbfZqc3Nk/8hSuvNqd4vSbGs3yyaPIBDfsewSDsNSM5LdSfgcbnZ+dnByepEc//fxI5boGhsue11ums9Z30pg1x8+Hhx7bw78/Tb4ZVAEr9yPgOBoE42+OEen5/DxHkfbT42geDvh0ek5+b1icACtPUaFvmVRS1X7u6tL4uwyxuEshl4IddMaP9aclIpLcKlNGXaNc8O6QV9cZUJDPvo+PH+15pobzv0k8ehwi+R7KaD7u24z6UbEaUOMv8bLT6pjF5yDAa3HW6ZYvXeoPnCN43ShxFev1h4Twt9Y8cLJJS0WLAgFp65bMaLSvYF3uzSdubmIdr1JFDOVEtEthO9E7Op6RtovI3Aldc3mDi919LzfAMSzZr4pbiM5YDwnx4fndXOrd9hoBccCXgwcNHZoFfVy8Ec/uSC39q3jw3M3fDse0O6lpbGodSH2FoNfmgke9jlPy+TAkIILXlTFwH0ZxvWLKiptGu1Lr+wsVxY4KG/TWQbX9YXmwBoOYUhqR0tBcHLje2hTTUqpNR/jJWEGfUOs/kdrt59zgPssgH5AqSYp9p1rZJW0yC5Jc7q0/BEsIUAxrC5siM/0yZBioE+kCwbD9jsdjnhy2gt6VJtoKYEpAG3EAjHUqNWm2x0ORrEwkI9qxVdLJjLtL0yxM5zlSh4l8YB+7R0xPxom/v/1YmHZNSCiy2hLcVHxgBbopMRmNLrZ3o86x56ckMPTgzfH9kCMmUWWfT+/sdpXxJxWVzW5whvOmsWYKJtICt8eUSrFdCktioOXOhoEzmVCTgKvEtL48Jj2mL6z9BU0UfKpK1dWvDDoCt/ZFqvg3RU95bfGmEUCRe4KMbzw13EQ/XkD7n7LumHBgIHeXfAOVJrOYs7OJsCYGmlPXKdUZSxLyG9MSV/SogAH5MxdCCIPrRE4rrGGU/SkmfQT6hLLylzM6pIyn8hjgDab7i9GM6YuJ7lvzb0M08nfxG6SnBlr0Vg2iTMTmLlRcKXEjoN17ZF9cnAwIBeHA/LuaEDeHQzIwdGAHB4NyNHbDs26j+vk3VH9ZzOdY2lBJXaH7NIw6jaOCKAa7kAyr3yUSk4VLZAC0eNmIkK2j4Dyhblu0UCQRFryOj0OuYPuMaQ3R6NRY92y7Anzf/LFu2tVKfDuB/UozE53dyvXXEDoK6qpDc2VhIbyccwhdMI2Hnd1DzfM88BhUBMGzMCNdzzmnTj62/vjd/9o4Ciwxi+mMrhufE5coPXxoHbQ4ODLFIwgEVugxYIv+IZbVQeFFOvg0YC2uumMKpoaa2+8GLNc3pKtTciDtRCQ0ebu2iCifakbb9S8PNhB2DWR6ZSW9kxRzchoCCJkCnN8ODo6Wqv18B9pek10TvXM2XW/VxJyDMPIbqiEXNCxHpCUKsXplDnjQaOSmvMoG3bCWBaPkEpxw5QL6/9gBuSDwrc+CKA/5i7oHidkwz5/9TD259D1byl0PdBFwP8y6SFMAnZe7UNwK6y7/XaotMss3EAzsAtzw8vcJeYBMwwzDWrc6Gq8adc5ahDLoIH0GsLGrbk3YesxVgZII0ISoyjPoREwU1z2a7/9SH9OHEAW+Jw48LjEgZqAvoyV4Iyl+zWLg4ODpnrsLdbLz0kBPOg46vKcnJxZRY5Bfb6r2MFx1fI0+B+vvMPP0Q6fTHha5eBHqjQbkDFLaaWDE/qGKs7M3FtIMaUW1GhrGdqhHFgJOf5olG/PC/BFVT88oGbGFDgFwAEaIeeq1lnpNYPBvVMLWyBl7KN9u7BUEg+NegG+BL8zqjkEXYYR60a4qK5YDXciuxWEg4nTdqA0vxu1NxjU4S9hDfi5+tN/T99CdFsDuiWejdX4cARfvg9CygYO0VYxBfprSi/oN1yX0IruAiA4a8pvmIZOw9EtQqP1MDyWKhYH/2VCh1EmCFv7OmBRKGoAvG/fef4bQLTml8LXvimZcut/IUv0weZzO4SWMggWZ7Lh6VhLyIHIoDJ5KkVtvTqsNs/+3XcS3qtvjTnHEzq8NLh/Q8XLtHHbc3z40G3PG2boeuyy9hXTnE968WKbvdfoUXiOYr9XXLEMig8+QczO8eF5uFMHORbwaxejiZEJuWKpTtxDV5ic48GomSBoRsB6Km2wZihcYOedVt+E/DpjAvcMNjBVUkcKGxcZT5km6+vOVequMSxAFp8659OZyfvKr0ergfejcPGcwY26YVPl7q9p9i8Lqs8yTmesoC38k0Ygfw/pjJJhMowpRynZKM53HL5YOCifiuhOzsUQA/nOwbkR8Pgem88XqD/gc+4yqCwZFFnKGRb7t2j2jADyZ1JqpdAtSp/gzMC950azfFJb21Tg6I+4kVtSwQdAJnp+WpcKCOC9jrglpeP4cKgeCJy36QEwosSZnsV6j1VjYG1oen1ptYvvIYPxAsOJ02sCKwo3QIBRS6xlDjeF7GNIMgD1p7ci65fRfcOGD2I7BeOxwfUWBy+wjykr69oBEff4F72hSU7FNDmt8vxMwjXFsX88Ziuhm75nK+GL+9mKO9J99T4hqvmjuSMDIpfegsHSoIqnDfYQuNCBfZRAGRpXxA45RltMe+EMrT8LZmZ4dAO7qo2H1zIwK5AlXKR55ZqYwG0ONeEODYwvMa3HCDXV7UT1Itx4fijqc5Ys4UHeFbZPwb4sNNRvc752tHFCoQo3pr8YB3MwLsUwwCp8fpC6ISkZM3NrNX/qW1xSp+Kom3D/jJNxwQ2HyHK7VbnUdm0HficeRrdVvaQfEm7URYU1sXJSMKorxQpsgQOZAX2YjR6DaHZDr1mg4RjNMXnUOC5YISE+hWk7jB8uqzENc2dQncSfTlaAg79SLCHnDPf8CrPorOy7wmVz4+qwA5/wsRiQIRqu+MMRjkMVHKR2Xm2s6d6Q64u1olmgKNYnmw84erAZ/KVEs0ymc3yEsk8YMxjHS4joLXICFXqBBGqtdEaFx2tKDZtKMAX8+GFzLcO4AoSs0yy7GpArd27W4dww+GrCc7aOmn92hXdK/malISBA5Y+iWVyoYw4U1tfAptJMrZdUa4vMdQxKaqoZDvTlbAdmecFBmpCJtYysenmIc/pahhjmhUY3KK7U4I7U/jGwX5yTy22NHcgDT2acKarSWRws396bWiPE7V4Z8ykZV1BBZ8XCF43ImW462iIlPTdMOW7XmmLf7ewVmTthETR3bKzlHF/usTAm5AZxM3d3aqhsc408K5/HTbncjHZTrny8KHetgGhcvUxXYw9Wm+rD+N6yc/OCW43muby1EFpzM21ulJM7bkmRd44aq0fA1gQTJMJk11qszMxqf1F5vLvV3qfzLpw4lTONrj9DLB0sCio/gMkNaZ8R5qIitD6Wq9IsCI2M6UYrJqdzalKJqCLtgCg2pSrL490H7g9PE6vHVPYPqYhdHph2YGKhoJE3TIGUgVBmrzJ5ZY/HW8J8yCbqOeTkqLsN27vbe03kIwd6gBdktX+iiV93GnCQTi82tgHy8dYaroG3glSccBVljSlGgbdZ6pzCnkhlP4NjpeQly6FFzx00nXGrQ6SuHNb/gTK/hhYlsg1q4q9M3PDcxJ7zIM0ZOiCtvufLa4UwnbZIORGksCJZc1OhfTxwsYjmVpIwrTtoY9ZjhSPr9x/TOMqlEZGe0jyFrDlXWyuHcBtUjGIHlItccIGYSOI1k4jVFtgWeBWQjnsS0tIzwo3jEi1ICim4kXXgXz3E6ipYyn7H7EffcstIcs1YSaoSbxbgpfhwNbFqLW2EtIlHK1rxxKU0H8Q7W1/7RpUm4tTBzeFod324s765dTHc2x/u7G9tJ3s7L39rhidm1FDNHqqJ9vn1W3CaVsSaaGAEb1vgghxTAqz6IaMmVtaEkMqLG6zYR9OGnMnldOBMwlxO1wbx5EGKGOl0nHldYjo6r6ksoiqZ2OuxBhs2HdIhCuDZUHBASBOcXTC81Xsac4OpF6LnCplVeU36WJEHKxKg1kNJJrH3o+gM0yNsSprOWBLhImxvpRapz9pT8671JhdlZS79j4IK6SLkvP1XmfgBqt/wPOe9z+CdG9DIqJdwjtzUDbcagdvBMG2TkpBPIdbtmcfPzJpNirl7SVPfAzYCHvt4kWc0MLvIvClg95R3agUxsUgw110ipQa1I03aggTpzQpO/71XqwLgVtbANaIcg7nYaj6xxOykX6iekRclUzNaanv4tLHfRIlFa3AfSG+dJDPSbgDFq6rIHVRIoY2yyweXAfhirebYJvq67V/fXwc/Hh59MUffyZFdTehscHdNlz26PdkZDrMmZGLKupUDFtdJLoJMALoIXJUqxW98ZCaDGsGK5i7Q1EjV0TBAt/BFVUAZuKoFTqyLt+jSqwv5PCR6JY5T1pI417IzekObiicoGBUmTs7H9B4rr6OGGSQoUETT214b+EQ4o9KeLjT6rRmmdVVYjUFIYtcG1s4gaApO9vrbqpmSQuZy2qhsY0WNvPaRAlzvN3BF/t/24upv/HZfLSSzd5LRcPTbwiUArnmbGX1jdq6P6/okQxedO3jJaAda96O0fZOQt+LVhvhn02mX4bkuBuVAJzz040V3c8bVkg93pLXfpNeCdnHD3mpBfodq+7TiekZozpTxigychYZ3rBWKgEKrOVpLR8U1kpm8dfq4RRVA0MgViwQcmVGR5RBvOGNzuD27taayMNExVcyuGZyV9ZeoZgBClMzrVXMDo8BJh95NEJSljSWG2xmDJLUQ6Y79tOHuz8BN4bTKqQoh+LXpqKxy1aPy5O1qXg2dammKLM4SJZ9ANDSspa0puotyZz6AgYK8qioxc9eRVcpKCIPCodGiyKspaAJdT0p9U0/hJAivPaM+fACqIMjftYE/NzjyVSskrWEK1lcR4Aa0z9+lZzaw7nn/MvD+zjJ19tEE54ElZ2G4CqfvvSP/e7SGO4xoq7HD/RBD7S6T6WXUajTj2momGThGsbgfmLOQT8yymuit9u9CeiA62CjObrwtfXWJe9PD6s9ZSUavyHBvf3N3fzRET/fh8U/7w///f4w2t/+fc5ZWdgH4iWBGM3RyYgq/GyXu0dHQ/VFrgZYX6ArO6aSyclkbWZYs8y/gf7VK/zoaJvb/RiTT5q+bySjZTDZ1af462tzaDKr/HddosjLWVvqm5Y21qD5V3Lj1XfmQvYwJiNmOmRkKkcjvSj3i4XqnNiMpz60iE3wsJVM+IjuIFOi/gD4czG9mWa9WcyqNy2pAjc/n+0LuvbsdiHz/WcNriQwEc8FastCyb1+sKGL4tThrIWYA7dPRiYdiktdukmiBEegHVjqIAL/XTSkG0IFcKGXlTTjyIqwNP7uENBTZYdA6ihe1NLdGMP/rSoB1Im2oxxQMchSxdvRIROoQl4W8Wt5AVZp4gxfa1ps4+MRtbBzY9VOlgJ5qtAiXXOuYPXjTIHnXKrxay9Rd+uE+3KGFmAbDq2vq2MFrFExaN7eWMvysZhZ74/etknHV6LpMxTxoMWCXcsgv9ICRTDJktQW9rndHM6F7pItDa4PFLLkB9ep5iGLrO2foV4ZThRLbB9yez7VzRnXd0K/lNHK7Fqg/NWRtHTrnbTUvZnpavBAtJ+aWKnZfopY7LKABnM91YRW2mTFltgauZThZuhq77mRu4HbxyTDiCyw3NKjr2ay7Ja57sbR+UFlrSkzX7qq+1NhGxaheWtWX1XcwOrmdzePgNH/Z32VSXQ9sz1WpHc01IVSGp6CdOtZqMeoIPNzBNm5Tw7i/QuiUO0P49lWTp7ghA/9wdzTuFcTbVU/zHlysq7pnFx+u3lvlr8ktG9tj9NGHuIsWPNGQ9vRmTHAndhSDaPFaqw+yoQVeYKONfUYgkSivxrlMr1lGNDfsqodoLiAiHzgSFaQSzOdgNvXfBw1gqPUa+fKWQGxuAvL+3WuSc3HtY/3vLxfq6bJNdX4UrE8LAQc8jQMY3GmNRiAHkfk4CIpPo7xEZDHvg61khbViKGELKeBqD8RuuB7E/o2dnfGVdlznwyjbAhtzbvzHcAiOt4W3iOvrSx3piXdpjpNc0t6gt3dcXxMYAYwlxaXiGHLfZoba8SuiZV6B9yfKyXuvmbtKgqXBZY67+EJ9wJ7e5A7YL4VUxQJEduciVk/BMcX/YBkM+8CCBhgRo1MK96FhEUNLN6PhsMeZV1DuqgS7GudzWcG+N69XnFRAbgJJwjoCSDdv0+wQt845p5mlJ1EvA7HmInVBU8Kqxi2HubZ8ZbEj+rieR+duYN9/8w6xDqGErUchXhnh99dQcBGjO5fiA7gTpNfNygbsI00NkSpzkRPB8RLdjsd34+FYB+dtuBbpYOuGRW3inqRtEebVYqhXmKB5fhpC877by19DBYNgMIQR40oHUQINPuUvWXywAY3i9z130om7catKL7yjYKCwExA65mblzoRPpdBcm1j3dpQZ+91AHbDaVm+5EafnhfWMmUUz1Fy7yuU00fB74n9PUpmxq8QzX/91LWJj13YdvY2lgNwUHWWlcUWKXM233aqP5snR+Vri8xsbbwQV3JE14UYTeSvCjJiaYWV8nXMRxk1liSFYdy83itkJC+5KkZdNmjZ0oZZn91+a4Y3cg9dmLggtvjiLKAIv0OogjTtuzuw5/aNuRbyEtKD7DdXGkuyBqBmH3eGwIPRruVBYB3NTH8kVo5nXy5yw9oRe335EYhIPoCcOrPx3y3XDqk9TVmKefZjUJ7xB9Qxqj78UYP6dHLnJV44rJUu2cVBow1RGi5UoB5+Ox4rdoJ3rHz+/WFlDs5P88st+UdTMhNPcP7U+3NkfDlfWWmy0G/P9jXmqzIyrTwwAhFi5phOqFde2oqvxOkYCroCkHyBJYVRdJDtIrcx3oguRPJGnDwgTdr91FC7o+GoGt+0ycn7hoiAZtlR2S0HpdI4dn2foGufd4a9daiCf8y3NS9ZWVSq1rBZUq23zQcDYUNzQa2TSdTCu7BG+YdrwqV9d08uzgGUhsGKnGxpzerhYz1hpZp3RUSS5G7Da4YOXuyLOvnDZiwKMT1LmNGV32id32CX1kf8s+6SY91goMMXGzubLUcay8fpkZzxc394c7a3vvZwM17dpur33cki39ibsfuvF08OEuysml2Hxk/98T4LFAdZ+bkXjQzmZzu0kJDpoMrZ6UTNU0SUM2F8hctOHyNux3cL9/v8ExbFdeTqndkVeQzjgcN/gd8jnIPjPVGQbUtWLJY2Yq4GrjxJc1OM5Tnnib13Im/rO658/nbz5H1+uU9fZBlbI8pTptQRfdsknzuHXisgHTwnkvrMMsdlajz+OUUyC82o+KmofIwE/QzFZfU1djIILWcixxr8futeJ77299VZqDB6EerXghUKHc0/wETVG8XHVaX+/hNJZiPcwXyz+w5fYiwfZ8w1Vc0sboXMZ+YUpDJKE2jzs44xWGjzlUFFBTpxsaXJryxWCN8hnc7jjCZXHb9gArg0gsz0b1L3irIyCXivxhR37yNLKsAGZ8SxjYgDBuPivFPl84DjkgNwqbnq81Kv/XPHPrgzICj79YCum5+Y7z813zHPzHfLcfOe5+c732XynN7HkcboD6EEwDiiDULN8QXUB4jmR2BrvN5WFNAqefCrtplYInM5FMb4L8vD69R38LdRVhmHcBqLmUJXgx7kq7FRXzuTj9qwwTa5gFdG1lUs1wSwirPsevHr20YG1NNMwnLcmPdxx9fgWvhpZp08t4rDhvguD0K2LYXNX6xSd0SaIXtlZFpShWW4oAxHMmVwC64pL/8ZZ2JniN1EgDpRddW6HyBXQWeHGTBZsg+Ye82GldrhLHOZzF9tL3EcKVFEsD3vPapuOCWDMiuXshkae5ro7ZG8sZ5S8U5ZMWTsXBUDDfQfiMw8XAnER3UW5EqBmiR1XgGWFSTp7WTq/kgdnurS6t2eKF1YQYOvkkyPy4ueTo7V7j9LqaDgcNQ98bR8uG8J234qefrXtA/BF27t9pR5uX7FR21fsxlZngiwvNfjEjl37iL2iitxNhL+9K6l9VjZ3drf2tpqnpeAFu1xiLZU3J2+OMYrfSxefewzQglHYbAiniDaKUQhxGs9N5EqoNBQAiboGcSpoItV0A++8If14o2AZp+vgCY7/Tj7OTJH/8+Tg9KBm8ZMJTznN0W/8PwMnMnz9vQTrV/VkMlr9owS9f+zqW4YxMbk2ZB5ES/d5nosy/mJ5lPTGElKMdi6ITK3aHqiL9hayWR3ubg9bJPSZGmmPQho0SQqB7GA6NI/ZEgtWn7Z7FKIwDwWovKSss03Q7HFKVgdl3pfdFqTyViwtKBLdx3aCVfCgKEg6fVg+PW0Hxa9WaAq6NUKjxsg+GbQ2EvYWi9V2lN+GfZpFSuXjlN+Nu/b+ubHjc2PHu1f73NjxubHjc2PH58aOz40dn6CxYxSxxv94ZLxqj2/XDmKPNZgm0Ql4G/uQUEmAemkusIdrsmI/9hR4H+1u7W03AEUxffmdKGMXqHSAOgYxQ/MCQlpawXnLs0Fh38AQe4FUmHEFgRgOkrUO9YWoiRBDtNRmT1ZBB3/Xe/B3qTrkPSo/++K85QxD/X4Rl9jHneGrhOZwOg2/Qea2rGvf1y4OwF1UkmheF1nw4vzgdC1BOwsM7xBm0He1Siszw1B66M0U3f3Alo4r48KN6gJZrTL5R6fnJF4xIS8gn53nWUpVptfQb8sKyvP6vS5i/5KwnGrD0ySVC98pAe651hVTCcK5TNHike8CsIABvzg8BbqxQMDteYTCgNzOal1lSPCxkV/4dEYOtK4UFSkj51DFlBwefBoSKmGWdtdRIwBmIS8O17DuXXt9788/BfioAATLlrmRR/FEbh+PPmUfD//6/nxA3v7V7+eJSAfk7fu/ttpFDcjh6V/v2fNwdD5r73OZ0ryTB/Hkm++n8fzm9VpHfbLkYTnF3zm7/ZSVSDWlwgWqLnk18VSavHj7GYf5RKSfu1iaX1aCL0uF7FszzYmd0S79/Sesva8v2iPXDxWEL6W6BPV1eYmJQXRCxWLIIsP5guC8GJBzUF3OOiR9SHM+kUpw+qglCmkuwYxcYE13eXAvOhWl462BSh2gVYNRKjTPoIcbhKF0tmtzuDlcH75cH+2S4db+aGd/69V/Dof7w+GjV4VtXJe5LEw2WWBJo1frwz1Y0mh/e7i/ufMJS8ImVZfXbH5J86ml9dkiuYufQocHfvzggvAp61gfATtqXbPuYXt3/ji5EC0qrdTNMiv6w/i4IF9sO8/tA6n7qV4WCQjGSIEg/KBvnceNv+PpIEFwbcqdzdGnYoJ9LKWoc94+xVY9dkOEDcwYOLFb2xeCLBdY1e7OztZLj/V2OZlPWOVnWuOQAGptcWcRRbunS5qijc5NV43fHLpywovCrJniNL/EJNMlEagrQohT1fmsuqqptV/aQaWAkCaZzqNSXpO4XCbscTmjLmF00OxujS5BH4gvwaTKoXOOyOrwljB03VW1g92dnZ9+/PHV4cuj4x9/Gr7aG746Gm0eHh48jiuE0MGlc7qTZnuXRkByiF+MuMGvrK4bi/fRtY8ERPQECt9wQX6W5DUVU3IIscok52NF1Rx7HXj/6JSbWTUG1+hU5lRMN6ZyY5zL8cZUjpLR9oZW6QYGO29YxMA/yVT+x+utrZfrr7d2tjr4x5CI9cfyYWesfx0LVQcT1YPRXpWeUcWyZJrLMc2DNifYwlccrUV+DQv0Mw1QD/y3YIF2YvedqweLX91hgp5f/LVWUQfk9V/PqSA/WeOS61RGJurAmikJGKRPu+/fjPXZWPknLeVrm593HdTGFn72yr4BW7O10Met5Xu2G90t7nLVor/XV8V2UqendKhu637IQ2Qow8Pm8j5/dh/vSfv8mcm4WV9KlZpjyVBMYqJ1oBeEFltYozYoIXeimdsLSveUyfBKnB0V+htj4WcscMHSGSiIdfUyC9nJmdf2pHL3xWpdV2WZ85ALsVAPP27my8onOvSMsHuDKYVRjDaLjGGuNBNLy286beQ1ucm6DWWlMjNygG20WgCCVL/kWvb0vX0alDnF4eT8bX+728ODXpCWtYMOnN5NPKSCtrIZPFU/AMqUyctSxlEqMUOTYsoN9G8TGcmpgQ/dG5n/S1ZyKVb2yfrLrWR3tL23NRyQlZyalX2yvZPsDHdejfbI/zZvw5aoM62+t0fQp4i3wnhoQM3A57dgUQU5IVNFRZVTFacqmhmbW5bDkNlEd82HceuD6JKdK1eYGSrrYF8XMsmlVM6kHASrsFuNDsHLSTmbayzACdrcANgDCpJmJlBUIRG8DFxYu1QWwP0i9ta98R5LbaRYz9LGvig2tQJliSfrHcxw38Fa/9thH0xLOloOnt6T9beKjVn6Q19eg5df4Yu7JdjFjLlkhagxZE/5InhG18narWSYuIzR4h2OG33+n/yoNVrThAwnExYM1cAK5oqIxaVaG7UVBXl9dHBmJegBVnyts6UQ/rhfy12NKJ7aD9TTdRYXheXvXX77RsjK/1L8LcY5AJT80NOYxNHnL/7zA41LZ9hjBMizpsi6xhj8HnwwoY8lV+0wNKjPE/wwyrsY7PvM9xp6c7QzgISVNaDzUjHHrRNykGUejEkocYGhdG6I8RxqUauUah9E3AQOmTH1viFXPR9qAmpWUkWNVJ7jUt2opvNCC3qN5VIGBOsezujW5c5oc+0RqtyXTi368llFXyeh6EvmEoXzJHWjE/Av/vO9dWqgKEy7To0rHA0hd5XBpg3aUBEVyzs+PId3k7/4Q3Bnse1uXReYFMr3upuy2O6JqvhKhQbNQ61nYa0uNqgZkT+jKrulig3IDVemojkpaDrjAuJ8ZHqNV4yGcgEKkD2K/1WNmRIMKpvIjD2qB+ydMfpPIv/ftqo3N+brBubv7V7ubn8tCYuyUE6ivfOk5sXsXTK2TqRF3TON1Vc7yOqqvkv6hhGlIqfM/Hjy9rwhl2Gm11xUH3vGroGOZgojgtz3xcl78nPfnl68PX8bMPOAU2TKZPINGdIAzrduTCOQ35xBHYP1jRjVFqRv3rC2QD4b19+mcW335ls0sCO4vqaR3dS6lgTJ6i9u7FgiNfqS1t3TQ0XcW1+a+cpDdgWGjT2/iplKCe2tQpDHTh16wGB9mvU4axX1gLhOzIEOePSNmmh+S+eaVPDKAEpDusrSwelQMCq4mEKhc9fll4kbriQkdsc9PULHAYzrURjp4tpLXY0ZNcCIrtpYKB/AQnig2RYT1le2Q8ODzUXTJSD3F7eZd826LBo9vZc+4RbEBdkDZUZUGVHje8E/+sLxjlFCC6vfK5pDMncYM9LlwDygyHLdtUod/VJpphJX9d0a1SRjKc+gkZNVR4GUauYu7fOtzZc6mdCC58u6/n17TnB88sJf0iiWQZnejI05FQMyUYyNdTYgt6gOdxNP8MkO3FX+hCVsv1oiUMfcwV1vZmWH7FBMYLxD5aWpxfcb+S96w9rYinrXLGGX22vA2QLYYG4reusK93cg3062k+H6aLS5DjY5T9vQP60C9a3tdVwxwaHsrs397zZmvLfzS+2sn8+dZ6v3ST0g1bgSprrvDFN1yztneLnJ1R3gF6XH0TAZbSejBrRLK7Pumrm2xIq14A9zWWXBGPd+grqZltNqMOULGvZemc2kYBmviitomnBTtLqmNTwBwSc0AM9w7ZrwydLxFXyth4QR+/SRVpXxcsEyKHcFtJ5jU/RakwtFpNHN3ty2rc2d5vRWPn6tCxfIX1zmfQusDvLzlrQ4a1o2EwCTLgBWDD9xxN1X4892wasa1DIvhieE3lCe03FPUZCDfMyUIcdcaMNazA1wg7dB3++NX7TIb/ryL4LzS98DtoBYZrENhyngO3ADB20WFIZeNXj5BGwKZFCCUCHFvOB/RAYIojB8fB8abV3BKnh2ZSkFP3jrG+2fVIoJ7lW7wLXIXL/hMKwv/dVDVEsxzbuk5HYLpuwC8XTW5FfjaOczqXzJCSgVXnv+60U3il+N2+3H4Tkl86Xlxoc6/ECQMJP3VkIBtGazsxbAq/9cueZjKuglzQouVgZkRbFSKqv2XdoBH6xgH3xcxjQiSX65uDiDz3ffLP7k7+dDcKN9KfRegjbe6KaqVO7bzGiGPeZMREt2O1TuV+raUy4eU+JfGMtsnsTlAR/ZgS5+tUlGcX2PFpgEZm3vy97ey7tBdJXsvgON4cJ5cXDj78XILyzPJbmVKs/6MbOEfbuQWHT8nt17YYEF7jxj1JoZXdtttL3Vv5kFMzO5LMG/2kApThXJpDPFJfTJOz48J6NkNxm64pl5Lm+tzTeteAaFGW5p6L6S7dcDrMDe1Z2fSFFp6IUf9X00MsS2YL+e3yum5tZkXGn4deWkBgNde2F2uPkoFXONglhKK8cUQk9O3yS8UTAT1uvr6ftOlyCsCwot2w2DNrcJIW8bA/my4QUVWaN5KhcA5GYyTIadC5Kfjy8G5Oztuf33vf1Hnl/07jn0oVVLC25/54avuyPFZNAhTZ80Ns7ltNEfqQW7LqXQ7IszSJx2UQ4ZA/n9ssj7cHI3j/S4+dJM0kH7aVzSAY39KnquFz+/M2wTp66rR+8t4/awGSWzXNcbwHWXL3MErrW6NrRhakJdHpBTvk4aX94fyhsGiMN5fYq3YqlUGeFiqpjGMEmGfzbnJQ1jBSqVoR6Jty1U+PaZqt2qlChZQQ3UXNKMjGlu2b5aC6MGVxv7GIo6h7FmVGS5lVY09CpLpRCBtZ+411FCuDGp7zAYhqlRgMD5sTQTWirXYLmkgtgVrWFp/xiOxOGnBxU9AW+LK6Y053RZZkMgEZwFr5bqHaudAoOesAG/e7Vw9M13XUofOEQtKjnUsRgQWRn3hyJZ8QfYUinYuB4MQYs+Z7J78X4j5AtEUdf4OjlqI6tB3jW2zk/fnHXOCSEnRz3cb+G6HUv0wJzEe8HupohuNWozewD+OpFnGvOp1+7jPdGnR53A0NDq1rfuKlg6o4LrgkT9vKAsqYU+SpFj9tc6GNUyunq3HgxI7UznxvW8Ejv9+CaJYf7I+m46DbFrcpgIe0j7MeE+Om6u/JerxkL8W3VR+J5u3K0VCmlgESyLx/9L6LQ5rgxR1F1d+I6cfwFfFRfuTsOqwIi+R4S8Qs3Kp6082aqi2a7NbREL9Qwb3UgLBqHCrevhcDDvK969UNHu+ojHDbdvqRarqwZaCWKoMg3wDUgmsQu3o757W5pu3FC1kcvpxqQSUOJUJ/5ALcA54rK9T3oHFwwou6oQIee3od2D1uGm2dMIMeXMTO0Q5IZSoE1XVskMrclNq4IOSGPhuiZNJatbscMgeJ0H5yNqfw67ggdobt+uL/t85/OyMvGpCmfacp/QmR3aO6Di0OoLvxYt+xy6DuNOIuu5uqVKXA3IFVPK/ofDP7XuQPOefunQmLC5rfZEqyXs60UzVtFN5CQ6tMrCbhWoa9WtFStgNvHBikdJc6p9hA0X3HDvKwgzgI7g29OStNJGFv0hG1JNfflMLPycjKU02ihaJj/6vxrIQqcBlCZPcr5Q23YrwGsEdzBkR/HFdeJCqs6j70NQHNlB+Aku3vkvYhdD68i0Vru9eedSlhkh2yaDp1pd+L5uAGcaHbQsWwxphb4hYMzcMXYL7mhSg+/Vk/W/YscFthBEUs8ZC6ST/Ive0F6kVyJdYpmMDsrddK6T3kxmHSw/QDvcl7xoLoQuRR54VtDw0lnYCqYhoBIus3wwqo/ki58I24j19oguc24wx8iQqmw0aS+pMnGg8wlGEyroAIPawJUb1t8hIPLiuEPssg4FqDIYsdlKncXADWI6bSzDL3bQWVDiAh3DmFAln+ZWJ5hjR3rsSZM6A4pixQWMS2EilaCtSEUEuwWeY5XzQt6wJslD/8yqbIN8Z/t87CuXsY8sg13JZHrpQmitiMq4puOcZURLi/mUgsgcM3DkxiGXYx9/Ba5gx7wVM4qzUHHi6hLZRM+JO2clGb0iw739zd390RAD2yFg5c2c1CpOp0RcSKUDubvAacTu53edOSe+Q7PKWDkZ+F6kQalDdaDgJmZyN5y6YRJyljOqGdGMkXc/HWqys725bbdwa7S7nfTAn0xoynNu5skyfF2r0QpdxTbiJ+zoa+3QjbC+gzSVCjVnGa3K0o5d1iCuD1f7PqjwYpSMmbllTJBhGNK+u7nVJYrNrXtxtESZF2HKqp7rY2pNvIWR1VoHEPPLvrWUiku1WPGox211a5v9PF2C/sQtZvWQXJM98pcaOf8ZtN+kyXNCAUL7vkK+Hvq3Q6yFY8WOegKhwMyjV6OeLgdbO31oDQA8/hg9eGKC1r/wiWnYgk5RgsKS0IIkYhix+VNnqrcnrjkNYKntTT05Ol8bxJaONVU6wLuTOZUW8c7Q9z9eJfeCbg0nEBvecLLAasNFaiL7zBpQVgrIEi2ZvIY7lSU6k1rGUi8onS3v5Qlhw5etB39tYggTNnMTFiICcKDfQQGRofwVNz+Cotvt3tm9wQ2KLvrYmXgaffVAeQjv4G/mtONNQ1FUwqlh6FKSN9D316qMtE6gJ6iM4ThxTrpu+OncE5+UAe9H9wExbliqtUx5/aLVXW/q4OGFLhZqy31Zx+UALZgpv2EC65bFszrfTqmkkanMnfvAG/1qzI2iikeEg804rRTGi20x1agbF9DTh6kbnjI9AEWU5lrCZHM0AOqH9fW8jNw8PP19YCUXG0t5PSDm1upyygFzG/fXtBaH5qZy2nndBfqGiSwU9iDYZwVgqYuuWSmUhSJrWHwt2MwbGdOGnJxh4xU9gCsmPSDRmLdcsVClLpKpnxF+ARVjMZs9rcK1TRhb4wUaWTnx1zqWOR0fnvd0GqK8aJBWzxVzx6p8zPXyKt4v470y9hpjSuGOjKU9NxBpa7elyWevEMF4530FSsSVRba1l7kU4XvFyLWQt2JArvxhdT+hqsLrndBV0SORdvcaCHAcxMwvl3YXFTWG845+AdnLfnHk5Awvax01UU1uWZ47JhfW449fnQ7c5H9RLW9ipMzX6VRIbazkM1RkVAGN+e67YdhJ3uxv3t/ILSpUbAkk59OZ2QjIW+fZuhUyPUrf/uztf+rT7V/+883PO2/+sbE3O1H/ffZ7uv3b3/4Y/rWxFYE0luDlWDnyg3vp79m1UXQy4WnyQbzzZZ1ZRmqrev+DIB8Ccj6QvxAuxrIS2QdByF+IrEz0ibv+Z/jJUlD9qRJAuB/EB/HrjIl4zIKWpT2zIBi0v3WwwssZM4UU3EgFLS/wcn3QdwcRjxk4FxS90AQKAtjF33B2myAMd0zsUSMVKZniBTNMISANoBeDqQakAYH9L6g8brJ45DBpstL1jAG2G3QzkeqWqoxll5+T3Vs3jMKroshRGv3k/GSlkh+7AT2jV5vJKBklTc8vp4Iut0bqycHpATnz3OEULbcXD3bJ9vxkHYHrfoH9stdqJfPc8RGQV7krOevf0o7/0JxPheNgoPGcMvNTLm+Bw2n4y8UQh3FzOfWXDD5esG9N3YYETUSLxbop3+1VcjppAiPF9840yxzLzbANpuWkXv7c5FS4h2Pvni8BgR5JGBIag//99cEpktjv61ys/45fGIrX1VwTV/8sIQe5VQiiRAUEyN9xEjtxwtEVCH+721CAPoKqdbFsxUetrlhANBOZu4W3vBC3Lbhs94abyeh3wkRKS13lTqmySmIr9KZl4fzG2PWA/MoV0zOqrpO1gPKHokLsAhK3uiWdGUB6NzakESfUOd8Lh31EK1iikfvWWWy4mLuiQO5cziNjdZadTIS2x3hOJGSySgU05pRbXZdg8ceuvZyfIXT6Vz7hDbBLml4z8wgdt0+fdYN8kkbr3u3RaetferRa/2Nt/jj9tl+v3WwGPHqmvARVavX1S88oa5UUOQ/7mIDCOCA5MOx/0dQaaiG2JhiQ355hFBJiQpiwh3oZKDx3Z9VvdqQjoFEMWZbUF5G0S/wvnCc+hsTrsjWGczq3sr/KygExaTkgvLzZXedpUQ4IM2my9u1h3qQtxC8p99xFl749PyFvZMZy1FFv4xxxT9avLRYTi7ttxGDkhCg1Swek5AUg9NtDpwW6gc8/sxz9HiRouMN3o8DTzgn6Nv7uvqKeUchqu7InOHdp7nnJILQOxmo6Hd9hxsDhVbcFMyw1Az8+hvNgbOSDI643FXlnRVo5VzCjeKqbDQ9CPYYQJ+RreeKgkEIE2bpuqRBmEoogQLbttFL1vkuiKrE4AoiWE2OnS3z9qHZtUe+U1wNyy8Zg5nGmB9auVxVU0wipSBulgvXCuL7OkdeHa9v4B3+CrYLsho1BimaES+xcarAAOkNbrB6cvXGoCW23LmL6jNzWFPOi7vBaO7nhQ8b5hFARGocB1nGdOtCF9pGySBu6Vv7vwTeswo2KwTCKpwl54wJLfq9YhQOT44vXUJoWWtbp4OEqlUyZ1pGLIgwTiigrBnccUQ9Gjw/tssAe4WpncWbApxmR/kwnLvViJtFoq7MMwLkdhdKjwW7RAHUYAtu33A83/g8pmkntRhKMzeOTuc/x8J4sQs4xY4KqouE7quWJ8263DbhW7oS//cAUCmuZ35FC4QK4DJtKxf9gAZJF2TwuIAkoSZ5TKR5tnnVw+N3nVnRW/OdMtugs6M+ssMVL+JPrbZ1FWSa8LAeIY8PA5+Uk3CoEj9w9qyNGhgMV82BIO6nvmKhiECLnhIUf2XUaOHEXFwNy7C4tajF09Oa3Afnl3YC8ZlP7hLUj2xg9w66uOMzizfmeS2Y/l8x+PEi9G/pcMvu5ZPZzyezvr2R2u2J2U6jXFy5PaLj5/PnlW25+pj+v6eZGe7bdyOekwXeQ+N0bb90l/9mtN7+iP7P51ljDd2O/+VV9QQOOi1QWcUjFpxlwdWEAiqM2jbfEs6uO8QZGWxj1AePt6M1vC6Py0yKs6giqutxQvyBfTiuFNweHdwPQmH+ZqvhhnRzdRULYrDqIEx4Eb7yLTo7Ds8ObjWDsGcvLSZXHJa5rcTepY3rCtUO4CqCY1MjyuqIQZlrGzdGbEQ5CxvnekKDIWMYyp+VjxiXClbOJIawozbwnRPQSwunOf25sxHOzBvfDt1bA/7lZw3OzhudmDU8M/Oc0ayiVzKr0CasndrJr3Qx3SK4WiHpzOGzAp5niNF9uCLS33d1kzjJvqhZLa2oxc10p2vXuwAVPDSUQ+wDq4ETJohn9plx/rKgRcQitrkeal0wnfVVpfPC7uqrVvSsv3aFETabhPyX8ByQt/CHznEEhG/Qf2L/q8IKelL6G9VzXVYzyqZ4SqX+HgRcjuPN5QYVpeaR6z+/TtGz1mxIxxLpOR60rwbs+zqf9/QMZj/E4PqaDCcXTGRIUBHM0Cs6HNMRUFiUVXmuyaiA4TRvE2MpJjFMgdSgsaVVJSA6lSlExhcicCc8Ncy5dqOntlUSo9QDBuwIe9IpmAKNez2NKkX2FRgtNdZcszTT4eqI+pi2vrtWSr0G2QUydg5h6gHQvILzS04+vENBPprIlARcvs/mntAqeTYIWju42Cf7E9sD3wiGe2Bj4E1sC37wZEKe5+FJcjnufRV/dy7RrmX83zwYZrw3Nsb4UxtH6WT18J6ausAXno90WB4fyrw3CbRYSWMQ4NP8jHhVqBIShHSA4pgtprcfCNioqXG0/ooDznb3+n2zH3Z48us3/uOJ5drlcalw9cMmNvbtmTz1AUW/TxGU2OrIIfCZQRfgmqqQbMjxTWRTckPNfDjAUQWA8OYOEZz9ET/7+ZHvyku29yrLd0Xj4am9vPNpkbDgcjl/tvdrd3dt9+XI0TLMfHmB5If9/xtJrXS2LNx264TvI8isEvfOGqVBMrpvkujfe2nyV0Vd7r7bY1vbw1av0ZbZHs510/Cp9td20taPJl7Sio2YICWRDN7lAgPxtyUQom6PkVNECjOCcimll126kIykNV7EbiuWcjnO2wSYTnvI6eJzUoftN+wDRealT2bbtn/DyMIOtEVMyk7fxgqGsXNhRF0lXaabWIW5lQKa5HNO8gxf8um8hbBF7J6Omv/eEZXyQz9sLXxNzOU+Z0Eu76niNw7vK1Zja3cacP+zN3muEEh36eDmcQmCSGzE22ZQsyPnZ0X8TP91rrg2We6mZkdSaj3NWJ8TrMvsIyfBuSL2x1uUzByVNZywMvJkMl6jp9YqIaIqacmRTsVpeke4zamZR4Ry/b7xDUHHB60qrDSD9jUOW51RtTOXGKBltJq/aLWqgQla6LBT+IgsLMvoswmTk/bvX4brLazDQsoLrWiXhdSXRu4sEhqoo0vIyS0yLyhur2Cyw6kcVEPQU0+jq0pUjm5tbD3X5fcL6a84h2tUF4LrShSd5fTMmMSwEPy/ZwJe3NzPafKSggtZFnonLPvY5XftElcWAZOX1dEDGit0OiLBfTFkxIKKCr/9FVffMq7JYdBuXq4n5DW3OEreU2Uxexcp/U+8/Jr9A355P0fx/ReOInEllLOmT448srfDPF2fHa6Hc6jelVh+evW9MQwxVU2aCUw/qR3fU7N3thbXEhlN1KeFJ0NIMp2m4vbHvgG/pRqiBp3jOoKVA1wCHAmtyYsihVKVUzczPB5a5fO0xLDXrqpGPXOkZjcO1H1iZHXvJ5lNYWss+euSydpOt5NXucJiMXm6PdhZdHy/KZXbbrSuYgRFTQKEyLEF2duyqux8IDwVZX4cuJPAYieAi9hcXEeLzjydcTJkqFReGjLmgijNsAULoxDAFPa0sutAWDd3aU5mx9bhHBnHFObzZqrFot0zTSimrnaMSivn+6QxuNKDImVE0mL0APdb+erAi2u3tbTLhirE5NuEb53K6YWaKUbOuGHY42NgcjrY3hqMNo2h6zcV0vaC51TvWETnrdkIupsnMFHlXIA3T3b3hVrrNXm1ujuwfWUp3Xu1uUZpt7WbZZFHq8JXOL+EYLDvQ0iLyczjY+dnByelFcvzfx4uub7k34GFRfdfgj1zcSuDPHz4eHHtpC3+3L1tW7l99tPbUh3N7BSD66v6LxoU8f36K/mtCe5zDVWHdgdslaTcbzUH9Uz8c4dlGRIpRq51QhR9ulK789CV04p4YJog2dK59uzmcinCjWT4hVITdtasqObIZ+yDa3b4sHVxPILh1Sshi+sx0WfHtq6E9tEcSVVMoCKIHdtHQ6RnxaBdEx1rmlWG+mVLNCmeMsKC4RazsDbZYxXtcxEyppNWaII+AQzf8aM86PMl9XEdjb8zFhg7sfZ2s5+HPSgcFfZ2Mhon9v9FuB5GXkDP2OIuo5WpgYmqCbPLEYseGm+t5fzeFWgr5cElfjMWVPbQosJ/GVXrNDKGC5nPNNZGCzORtGLKw+lrYJHJrDebADaDzNVXxGSJvQIyEF1zP26jXBHf+JtQgdKVLnnJZ6brTdkdOPEKPzdil5lNBwfHMPnL9YGmssZQ5o6IP9z/iT3H7Fj6Bjo1uhricXRvoVaMq9kC78jshx+afSzuFDznCU6YMemx9H9KeAN6ItnwzulTNSyOnipYznmJ3KF0f53jUG5rzLM69gyZ1lTZ+PquV3DBSibrEh2t54V+tX/HZpvX4YdhbqkklwAvOenqYHb979/bd5fvTi3fvzy+Ojy7fvX178albVkHm1bIy1s5x+IZwhutnqEStntROaq0MkLyQ6/aes7R6bqRi2tXzqje6Z/Os+srjWOy/2x1H3aF+/a73PMuxegpUarHKMRVZs0uba9+PbhpIImtUkxnPocSwxvB04Ewsn+NtCjrYkEo7BPVZpx4o+zPR3M+zIDqKTzk2R464F17NWM1uSrnQpiFiwV6ZE9e+umkxdM8mbezFAwfvsXgqCiqyywWbpH2dAISeJpAObmzLBqQE8tI1yHIysx1f4rWeMFfcSrLWepCoaZ7X0rbd4K8jhj9dL2roQ2QdinSrlt6zSKkJCNZbYi3yuwPf2lo+at/NHElkKijeXC/TOp8JowLhug+LGOo4XLUWZBNyCzktjYr9cNMAmeUeEIywgcPz/v3J0cCaRYUU3rohP78/OdKDWD7SqM56YY+fXWo+DyXPsVR1KDIFt87dVR9KoY2qUoOdqtFoyOduuBhzkKRjSVgKUirLBFO40yy44dNYyJ6dHBHFKs0apd3rWuy+itsEuv/g8qCPhbUhB4RaUaXbMZXEpwdb7Eltephtuplu7+xkryavXm293Fn4Trw+Q98sL1k8mOmgZSPFtN6wke45zy3scPMJ7e27Qb52IFRRmrZLXRIBS/kza4hEBdV6q6dG3bvGVt12Qi1El9eT+fOOXVCwVHPsRLD/Ay7ccys6cl3/FyAiexSTIttZEiN7c7SDU3Qn1TM6WtKs578cjO6ZdnNnd3kTb+7s3jP1zmhzeVPvjDZ7pv5Ooh1XvUDBONWGhgBdm0nqInYwhMVZGIpoXvC87x6xzTFKquyxffYbfabfaBFPcI3qZ8/Sl/QsOcT/eR1M/Qt49jN9+36mO3bu+3E39S/w2eu0LK9TP76fnU8PoevZB/Vd+KDcfj67op5dUV/dFeVp8dv3SC3H6fQYFD27pRbH1hf1Tj0SrC/nv3o8YF/Qw/V44L6gD2xx4L5pL9kXcoQtjq2SJd9BuHi9mH+TwPF6wd9vCHm9xu89mLxe6XNY+XNY+SJ08t0HmIeV/juGmnfxMF3IK/CoJMaT2ph164Uo7OhOi+mGGTVmdnxrvD5WJSvb0N/XDnaB9MsQz94tF7O5vflY4DrQPUWCqB3aY26VlP2gjh4JKphjC8B6Z8L6jGG1jnhbnfOte5uzORztrg931je3LoZ7+8Od/a3tZG9n67fH+imBl2aLVeh+FJYvYGBycvQUZOCgXCIrdeD2VmfC2dcXrhvugebmz+KhCcYOwNzyXVhahO8H6L5D6yeUSaY6UCtmHh9SgSVqxoxkfAL55mY/DBkVYyaUjJW81VCp0gAL5sYB4f1E0HmSThkBFUOYHFpii8hRv+h+VKWF/HF03rR7WSpF1uS7oR9nVXbrEm1tPlbLvJXKajCX2EZbqie0lZZJP5ZMHOgkgN4OFWijZ2MmC7ZBc56yhbH0fRjE/z6W8HdtAv8b2L7PRi95NnrvJ5Dv3tr9tzdzv0X7NgD35a3XMPXXtk1DFaVvyPIMGuVXtCtbMHwLVmMA6Zu2CT8hTPzPZzB6/Hw9c9BD8Ocx9hYnjCewBOu6eFOujcOKK+bxLv7u7moeP2E1Dqy+Acqgr+TlB/Al16XQi9fugkpfUE9uWerwW6dMYdU6cqu4MczVChlTzXa3CROpzKAMcticn6QKC1TdBdbVgM+Z+bvVQY8/QijeOzb9W8XU3H03aIafQj0QXSKNyzqSDDoDY3TZVV5e2u+ukhB/LX0zu3FlvN5SjzlmxqveN0zRMc+5mQMsdWxMHalpT/67458vfzw5PXj3D1w5y7wa3VFqf/vbj9XB4fDg73/78eLg4OAAPuP//rqosgNbjNLnoUj9T+t6hgGqWJnUbi/Uu4b5XF+TelvPAiKoJpZHQlpL35uwL26PPAEkQBYaOqiGId3zgUhgSvLCIvn8twEg+/i/zw5Ojy7Pf1tDeoijlgIM3NSWlxTMV+bGKdnvFRMptpZzEwIB29HfvH99cQJzwdh+uDwn4xrKG6qg8i3JIecEhxUVtP+GtdYUbcc8+vXtuyMk6OOfL/9mPzVAj6gvIq6QAJCxlBc0J4q53Ak0CF+wZEquVkYrVz0xVqv/XDnc/6AM/aBYdmlM+WHMxYdiTssyYR/Zyv8s7JwEgltSM55zQ0VGVdbcbxSojov4iGndXiGSxKKrmPGbZSzgYDxW7AZ7s4BV5F1wdr6OGPnlv16/WRTgazZfAry/8Bu2jkWUbly4o5zYkboy7/ztTxe/Hrw7/lBbbJ6Fn158OETd5e/o8/lwUliF5iceKlBaAsW2ofrDLRcWUEt3C5t0nVK5T7J8iCC3Y8cB4narBnY4OKHAu/s27sNnIyQc8x7EfDhi42paV0l9uKRpBOdToug0su1hDi/ju31IF4K4VpaAqzV1pfqrewufhWQ9zYwV4QWjwoAHjaZWQFPDSMlvJAZeK1mJjFBScpbapXj4oAqq+wCx/PCAxk6tdTqXc9JpqyRDIoyYkzKn9klsnnR8eO5CaMlFDIIbGt1f0D0MeUExwOZLtXSSE0gygClQV3CykatIqantS1w8F+TKYTG5Cis5sAwyVcyEgHmLobiDq/f/ee8j1PieSW0GoUnXwEff1xRhXLTwgKQ5Z8IMiH8U+qdjA93E9zPLLnmZkJMJdqAqS+byKE7OPN82soael1cDLECHlYKFQxpgjLq+qSdnxCh+w2mezwdESFJQUM3ieuHcwGQUvJzjeZ26GU21P3q1mQyTzWS0c/WIsnFL9Ckf5DnKCKpnTCMZSGERojxhOc0K81c8+UOj1pqLVBrNS8gurfHnRg2F/rggmpvKeYaxRvhcVqvKkoKuFIOkitrecoARmk+l4mZWWHp6gblfTLGJhDcsQVmWCUIvALC2cGwH5B0sEb92fDuTrv3m9qsoCaMf8cftLrzR8ygyGPnpb0enekAyWVCOPbnsGZPqWpu6TZeGNvTQ976u7v3ohs29OOlv2mxX7fj2yVnv4preBb207o6eviGfCTfhLmgeFhuV2wwvM/znewSGfcbXuwzdkaMcPnD0uKwZTOYR87p5Y2iQSKfWDrIAuAxGn1ZEaM6UiShLSKy4DQurDSRf4dxOEaU4udHwOsar+2gZRYA7Ytv3rNYDlRVcwzWb1YuVzEP7JD3wj1rAgNhPjs43Ts7O6x9CH+kBuWVjP2SJKZ7YvDA8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjLw4Pnq35toihdQqZtLH1OmszKzdnPLpGr5Dd4q4WSAcz1KzKpNiHhq+IBBwcuEvyzAlSRWjJuqYE/bKU1agDGDWDfruVFQ4N1Stv64X8HC1MGwyv6y7+IO6iz3SAGp9bihcosvTc70pUfB4JASsWOFTk4fP9+tFBjkwhhWltZpOItXrNaPXC5ulS7+2vwDTu3NjDxvvNtzjoX+RP+YyvSaK/V4xbUDFK6txzlNydHqOWXq/XFycnZMNcvH6HJJHZSpzvbCsWFaq5wGu8eQIGRXXPoPxlpuZq+ILLXyQdyKjjJTJ2vHiGWQv4TyKYEbDhcMdl9srJ7aP8jva5tzNGwJqMG/O2jI0Y/e0LnGNbXxDmwWWv9TbJNa4+4V1gg/PZ8Evdi5evz38r8uj0/NLewguL16fL7q2ZXeiWX3X6D5jpLWi7q/5Ee912N1eeRB+tWi0w1sVHaWq84xif+bVVU0ymVZ17nRzNrCz7MlcXa3pSUhTU9HAWgVpdGlFSc7FNawHgzl8uz+4h0IUjL2xUYs51xQG1J2ui9FHgzCR3PJrXrKMU2jUZD9tfNL2Wl2LLSuM4bRFuZqZASllztP5AHUT1AnwhttLXWs/wcl+lPTHpNuC1W3NY8+a83penjmWf/kT6lmL4qmqvhHeDw4ZqUJsRMARiARdywS0hiJhwJleSBw0GWZXLIyGQ/z/i+JuucFwF1FD3Q2i2A3XbdVhzOyqgXbA3eHqSXWXljywphBdARiOjaTz+pt7zKQD95zdZN/Knmp3RQMeKPubIDSYD6kUwm3PJKjqaPQQxaZUgT9VMzBQ9CB6Hvd/zPHGFfnpJJe3cNGmstpm+kkqcnF45kYdIL0FMBG2lPGbOi6HC244zcn5P06h4xQzL/Sa+9ENagesYcHbGqTFoHS1Z3IMMp938PFDzQU8XiD8jrrBwbXoLCFCU1NhDQjXRtMwVZCVMN6K5R8g1aJhPRSiBbhOgL7cz85OdMyb+c6qtbBwI7petdSVpdCtKeJ1OB/IeWMCtKBhFW7EqFINmKH/qgQSBdxYobvQvd03WI1aIU1nyAmwYLuNGOPYNqoPcfgNv4TmpRj6vWiWEc0KKgxP8f7oI8hYKgj7iAGQgwZT59g/f1Ll9rEbbpfL/2D1lbJdKFPQcqN2pnmHpwpzTKzp7McUyEK9IEGPp7ur1IbnOWHof8MqNth401rVkfcVEDbhUatJWpZKlopTw/L5Y8xrdAcvS3ECqkfR5zYm+J9hDYHBFGM+rWSl8zlSM7wTuDxctOqQwZ5zDb2MT84GhHqHG/iIK8E/Ei0tnSSE/KPGLM1v6Vyjx70psumth8nT/VXivrhClDV1NGG1qPpuOat8JSzwZSe8vLKgXCUI1tWAZKxk4LYn0ukMRIrIlWjFaSvGh+pEVFZJWGBf7grzcYV5cBxCc+ikXLdRoZWRQhay0r53P+C9/joA6NuH40AvDs5P1zqlcCBEmaaz2teEqMQYUdYjoXdGu6/aa44dMd92yYXFA4veRmvqD7j7Wcppzsjr14cNfPTE6ywSIxq/1qzCCJE5UL4FuvRE/N6RBLLo7lbtNbtYI2E/ANknXfsjNDh+0y09ZTJJuZkvqxDgITfz/t15I4VRrNXoF8CRwnDBxNKKE542ihK6yTrwnUplZuQAYkxoD5CVMGp+ybXsKSv0NKjDKcjJ+VvIQfj/2Hv3pkZy5FH0//spFEzEbdhrF7Z59405GzTQM5yFbrahZ37nt7Nr5CrZ1lCWPJIKN3PifPcTSj1K9TDYBW7oHiY2NhoopVKpVCpT+apgeHQ4F61V7aZFqXZDjzDDSZVSrtH8A+iMCO+DcV437xlnI6qyxNzXKVbwQzUU+X+jtZSztbeovbcV7Xa397c6LbSWYrX2Fm3vRDudnYPuPvo/bypIrvAR581nSUTb3celB07s+/C3EDZPDkYL40M0EphlKRZh+VE1JncohuprWu0sFEOz96YqPhpRYTSqmDDjWoAkgpSbAKoBEXnhKqfa5jeUQS9F0/GdpPof5mGxhWJ3rMPwtA9caTrpD40GDgqrvvgmcEGOCHerrb5uDLhUnLWTuLI3gowoZ6s8aZ9ghvsOWvufR/PwWtFRszjVnrR/ZmRAioQqOzIrONQ7MfO4Bd/62dwV66cXt9ta3zq9uN3dKN4ZExyvYMHnh0f1uJTLqqvoEV7bN1fadrTWFKSXhNr/AGum/XB45Y1qW2qNWnUrP4gcTQW9xYqg4/P/3ggU2eIBABMt5ThBA5xiFsMRDLx+XCDBM30yS5qqXueUL5TGsVS6REgASJp7uSQwZukSqlqlSzRRzRSzUl5PZRsemVNkyT6PxU1wJhEk6dephE/YhRwCJ0djIlUwqaORmbsFC5lOSeJRzgZOk/Rb/j5PyWgFQccAzpqRQy7Q2pDzyH4XxXyyhqhEa+EvygW8jXPUhlIlxJRVhCJrJKZSG0q2bSaYrim9sUlLxvEns+GQfvEQ4Zv1sVLTt5ub5hPzhTaQNiJ0ZYKZFDdW/xc68a/Mgzsk6WSa3iGFb/J9NaZuiqVCasZRigcklcaqZlxBkIopI6pXf3V2LH2c8lrMo+xmrXoRBtQocIXi0z5wwFdgCjIcEigfrWe1GondxnVydXa80TKujhvGZ8y9cRXQQpb2LfeMCDSa4pzzg3CeqMo/5Xk92CD5R5MIGOjbZhxgmnk8k+/EYtwDvy/wTSaJiFbLMqFBlef4+JCkwDeD+HCe1MAMnR0fXujr4NCs+NiDCnnlTXV1ZIJpuqLFae0dwQROO6nGdUXDLE2fONP52d5V9ILfSKSXBNOBfXCPwzwdEKHQCWVSEctiBdrAM+mzMaDxlK2cA80iV+YlnF8L3HoCraMQHhQ3XYRaDaMaPFdo7YY7YSarIrHK8hGWUiB3IKxW8aDtdhhSYGKfjYBiCDPO7ib0zyDqzJDQ//jZ9BGhQ3QNq4B228L+oFd37buEx5wNzV6VwxgYNMDJ/TDI1aeoY6oHM9mfhpXsbsGUVSSezrx9Nol2OdYKN7PleFM+oqy66ECkYRBpVVIInq4s0dN3qAKGhJncgxBk4lt8673yb/61dkMHmOE+TiaUrbXQmiDaaqFs1NcAH0w/C33brvxS4Nx2v7q/Xb4bXXGVqvBvJtwTDLI8givBClsMZ1iimKcpiaHagP1toam+b6g/pCwxh8of8ZSPpD3bvlK/mxvyjUy0wBKePDIdkwkROF1hs4cTN0flYFLp0V+nQ8itNG2jNiq9jhI4JmB4G6erdA0JBIHqDdJ0e7i2AEGEJZxIrXdWVcl9vD3c6XSGBWKsRCbV9LrwERyMmRgHg7EJxcq5iUoofyKoDAQ3H5osIsYTYh88C0vOfYy+BAEwDCjgCak2kfLJyJVGFSEyNuV5gm+IRFShKZeSDkwdAs+fuUmh+VQz5IQoQWPDs5A5W+LaYi6OPjDaiqJxlmIB+HqQZEKVa8xSjoH7wJV1fFOTNMSI7ZNGSD5AmnNZQAMi23mB7HnEaeBiN7HrRhXBCl3rcfZe1Nck/KipD4oirmmrk2ztkR0yGJIOJrvx9sFeLxmQg2Gnu7eNu7tbe4PBfm97b7hb4McVvb4WNErHbCYyIZBOQK1SoCGrGQjNHOzJBPkOGVeWX3Ca8pnZ/oRKJeggC2PfLQybxCAySOtwDUZMWk9RxzGvLy5eRCoMmdfwrJefEObdBAH6p+a3MZawghNtndLYpjoVTpFTd6DAlVV6zHtaJpV3rqPAuH9HsJJ1QIyJbK8l6NIy9eUh/Kd6I69zxcyk5w31wQByhz1uah5UwnW07XErMhFPyEpdQI6bsGcJmLIkZwJOUDNuZJFnJQ3BDXZS0an9+m9wTIOQ2LB0CuRLQxiCySdrBZvglu7FYu7BGbjOPB6ovU48Zi530EFbjJdKIjlAocpRJQT0t2bPg/jIIqNaHow0Cnp6l4NXOMmcSPbmTa5fQgE36w+OyVSZxfnZDMZAYqdGWiRtxlVYai7XYzmcaMpGGZVjv2v5oYQjre8LlE0LV72957jUqKLQXLAFNCxdGJHued6LhBx8SQoVuSYXMI57NlDbSAVPY7uoCWYmqE6SGjXBzdfu2P+6RQktg1zdJ/VFmwRwA7+01qIds6JiCqDyupjtpe8JGFgqUGiM+Rp9tqAn+Bs6UMzdSoJJTtwGnQ4NEC48DCxICbvyCZ0jemdOc7ouSNXrB6RuYTtqI4KfZkd+KZbEdBviwwoLtkV1V3IZrDhKOb/RJhi2uYREmZaLJdsiqMLppXuVGltRL9oO7SyIPiyYWflv7rGyzFcPx6K68EbTOQ08YZtFlbAIKQg6fSDcNPQV2pjTFxkUacM7X4MiX4MiX4MiX0hQpDmTrnRYLkieMTLSoPQaGfkaGfk0KL1GRi5Os9fIyNfIyG8pMtLcFS8jMhJwWXFkpF3wAxGBOLVhdPlR5D5YsDYqMMiwQ0pgsKDY6MVHSc4lR/RIerzAKMnFNbWvGCpZw/PPHioZ6o+voZKvoZKvoZKvoZKvoZKvoZKvoZKvoZKvoZKvoZKvoZLfa6ik6b8G31oX3lX+m/kuvDXbikQfthRLSYd3LvYKQxFnKHWK45ib6j5QQ8zMhRT+whmf3P1mMfzNKzl6weenV59O0OHV1f979A9o8DUUeEKgbPRvrBA/CUVOuAACFjDJAVs8wCLEvtItFb6mqjF5T48vW+jDT+9/bUH10Q0XloFRzCcTLWstylEOGrzfsKBI4VjROPobYOSrjId1Y7XNZbVbXyHMbrCBkcM1GP22RidTHKvf1jaiwlQkHsN5jv4WkqEyKbjMcqA3lIE1B8oqjsdQocuX6ISnQWW8yWaeFmxYHPPJNKXShE2NOE4Ndjnc39aCEq9MCz8+dO5jjbppxraIT9Xv8le4piwf+inz1oqZML0SXWlT8x7t+KqgyZtNh7/7TfHxnnAWPTUj9N5PZWHRwps5cmaLb4gHwWRQ1IyNfIFcRLSNYzqnKETZSJvxWliYdxWiBJdTYzykAbJ4NDLLczWRSsIkPHFFA9Tw9cqUnDXN2NQ8MxhqFnjSEe9/2ZLvmSQIV+TDb36hv1korYLJiNbJl8hXHcRK4fgmmlAlCFQdNEPk5tVhp7Pd2UQba2XymL/UEWaFWtVagV9ddM6iRAppUpGnjydSlUZGWNXRaNW1N4GH/CRQfvoFUSoEX6XaolCKdPU3wFc5l160PfZoOkDLkdONkptX3e2DgxrWg9/PodB3YqCvFSKyl96RcBtC7l7Vjpw4leDYqwRh9k11m55JRixMyJCAVS5/KkI2lRVlOKFyb8sKOs3e1tRdpsEghirjYRnMgg4+5HEm3WtEXrPXFchEVEmSDkFLotCQC4p4pncI33IK/QraCZmqsS9omqtQBoUv0U7nwEKNiVBGdTINhJdocRjT6XhlnSsuTTM4yhJQ62x1WjOlYa4kE/7XNuA3IGlFpJ1d9k+Ojn8+6X+6POz/enr1c//w5LLf7e33j94d9S9/Puzt7N5v3gUrN8VBAtqtiAoXJ+dt18pQKsySNk45I4Vd4xDK7zsDWNzg/d5zP5gmJoZzkpk6qG3yJU4zSW9BAl5Xl9SPx5iyayQpi+0zfNjpChnnhck48yU2UyqrlvX56WkULdx4ZR4mq34zCGkdTF6JxS9QPzc2xhD7OX8vGu1BHl7tdgEr65QppqoNqZCqwBYu72bsw9dqOmAUdqbdbKPGWI6jSbKzov05KgiovE1/XrL6/HgHJRQMNz5Exyef/DYW48kh/W+Bk/Pe5HBIKhVhsXVx2cZFeWv+VmC5ek9ZvinmuTJvyJlNp0RAzgvQq3xEOu/3do/23veOdnbevT/eO94/2X+3/3773ft37ztHBydHTfZEjnH32Tbl8ufD7je/KwcnWwdbxwdb3a39/f39497+fm9396h3fNDd6XW3j7vH3aOjk3e9w4a7k984z7I/vZ3d+h3yNAwyGB6/QzlUs1NPc2529/fe7+7uHnZ2tk/ed/cOO/snvfe97m7v5PDd9tG7o85xb3fnpHu8t7+38+5kb/vd+62jvW7v6PCgd3z4fuFWHnaNVMpsZSrPcZ4R5nqY8iGS2eB3EnuHv8HA/QSaXO19ZEtxV3apTMCjDz/adCD0iXOFjg5b6OPnH0/ZUGCpRBbD0+cVwZMWOj760bv5jo9+dLEVi5Pvd7y1qlvc+qkgjTlPBTDz2hxXrVKP+czEg06J0KymWezy8mwzV7MRGmOWyDG+qbppk22yM+juJ7uDnZ14r9vb6+0fbPV63fhgd4B728tyE+Oqj4dqIYZK8s0tMg1WZPOKTkioKkPfZ1v9vaATSMQ4hFkRe1QTfZDDk0mTqmOk1+l12x39v6tO5y38L+p0Ov+9cOPiYL0DSDP9igu2mtHCi+0e7HWeYrGmVN4TxzOUmvtJjmKcplpYMnT54dTKVEXStNBcwCT7uEaM2gSt9lGx1KMSYdMRzLqYrE2FFI/Qr5rMgdjWHxc63ZSaaI+IpvyU2pykMFrQZiVV6D+bzSKbIBjFfFmaG1n5nPK5IpFzSezJ8qBEnty5Tq8fP/94XGhA9ESSWGZT407pG5N65R5ZO0297lCw5c1vxiRN+Vy7ZY4139vZ7f90dK6t+a397ZqvT46OF/j+TRRFyx73LzudgwinEOar6C2Bg78qqp5Ro7M53gvmNQkGaP3y8MNGZDx0Chr332Jxp6lepyyYDotUmb7bIfOCm2SQKeu0NSHaEJ5R7Gt8/OEShStGpk/tjKZJjEUiN0yz4kIIGKm6zd78LTj8jbbA6EeRQXeV0tftgfVmgzhYP/oA/W40EtAwP6Ckp3Fl0U7/0io5+pmOxuhQykxgbfDb+vxHy5oYRVpAAtLK6WDSnNaPNiAhRJaX+Xnh5mM1a0hC2bvKba0R8uvHTXb16MfPly300WvXpywGcQ4XXB562wo18BoO8OfpKTgBEpPy1KhVsYKbxsmis40ycc41s2gp8gsls0csKEzUXfGiwqkkWv/4iIN+yuInWjNO+xmjq1J46paOU6Rn1BT43IAEJe5/BBmguEefiz7Ed6zO0eXvWlNMRCA3n79pr1roEqJFLip8foRTOuSCUdxkpU9hH4KlhFVQUG8Bg3CObdTr9Drtzl67u4s6W2+7O2+3Dv4/MJCaLu7RxuCDqytbf3NX1j1od/ZhZd232523vZ3mKzOpDf0bctf3nftXZgJa+HUdMH0exg2pHsRPl40ukmBtcSZuV3XoroxT75YUm16nqf4gtn/KV4c8nat+L/8nX5ilQgtGpZru9BZuXDmHIOTLlLM8u69JrYwTC8JvZ0IEva1spncoLbC43Z2drT1HfJaQL+WgiGaLlfTPRTZ/3kKhJij904djBXsppzgG99WA1gTW9Trb+01Ql0RQnPYXrmbyiKhwM5WrUwLXVW7v1t6S5afz3Ivh0szz95Z0OsYsgwoLrWIFmPzpfEbVmIPRlmplRVte/h3dg47HWOAY0kbLRN7Zef/u3cHR3vHJu/edg/3OwXG3d3R02Ehi+I7UKxeGp8XEjpDUeVvsQFL8Ch1M+WRCNH1kmFZmrvYhzyDGAv3E0RlmI3Qk7qaKo5QOBBZ3EbokxAeRjKgaZwOt1GyOeIrZaHPENwcpH2yOeDfqbm9KEW/GAGBTEwb+LxrxH862tvbaZ1s7W9XuxOCjaTcU1fZx4HlMYeltYYdGeXFyjAVJolHKBzj1OmHeRabhWp/D1H0aS9et4SWYumVR5R6aTCmLObbu5dWPub7bQmc/XmKG3msrlsqYB7ZwS1tAEVi+K+GCF2PmFgjwmBU9t5077xAXNvSpFvgCjNrSehst6S9goNr4gNVqVUHlRj2pVXMqrLi18AJWaLfMiVrMLRmfcQrFcY1TpGXcl3gKBfzq0oMliae9nV2xsIVCpMKDFAT7AisdcJ4SzOoW9M78CQ1TXFgWHbroVMTIiCtqvFMzDNn1MZFymKVa8fQqFXRmp/orGwTLEGGgD+mfM8ZIuvBxY+SL6rt42K+6lT4Id0DgV4A3SSJ0QczGmuAWFNRagPKDhx8ObTUPrTc4nXE2m0UUMwxBx1hqLXVCmJKbKpVtWInmfL2GtoE79w/Rl7GapD/gdMraDsc2TeRGKSDK1FMJjIaUzyA5S1a5TmO52Y0WZjpBZDZZKcNRWYqcBoaz80JGol8tNJg3Ck6ZSxdmM9uB70WG+Vrclg3zrS7pucJ852GyIhKvMsw33ItGe/Ciw3wtut9NmK/brW85zDfck+8jzPc5d+Wpw3xLu/OdhPkuuEM51G8wzNeucaVhvpdLBfRWAnnzqyLoD/zVA3rt5L/jrZVFjtVH9JqJnyyid+tge3u7iwe7O3s726TX6+wNuqQ72N7ZG2ztbneTJenxVB5bqfBkWglwtdGcLyGiN1jvkzhxl1nwV4/otYtdbXTp5cJxpCWBXCMAKjFGKxMAr2GPzxf2GG7BXz3ssZYW31jYY80aXoIv6BsLe6yh4ovxBzUKe6xZ0HO7g1Ye9vjAml+Ah+irhD3WkOE79SqFK/3uwh7Li/t+wh7DlX1vYY9z1vbXDXucQ5DvM+xxzmK/hbDHEPXXsMevGPZYIPxr2OPXC3ssEP47D3usX+u3FfZYt4aXYOp+O2GPdRR8MWZuo7DHuhU9t537pGGPDy3wBRi1y4Y91i3pL2CgfpNhj7W9tZ+uFLhRzQq9iZxbeYqFdL3E9e+5oCOqmc8Eo9U4bKLewo/gbi9WHA34QVM/pX+SxETMgavaBwPCJRIu86EluiKicxfoq40KHDsNzVUcDX41v+qovuUEHWQQXWlGQHCT1MrzlEtJBykxcZg4vfuTOPcpNvFHgmcjrUtbLDGa0Fhw1zUdi3hMFYmtaplqZZEzgm4pmQVWmq91bw2BAHEUtA5AgvyREakkaudMQhmFxh8zMnB/d7FOQ8GZamvttdjnvq2X80dGBCUSTXDi12GqDE9TggY4vglHLlHtVE4xW1156DdzO4roeV3vBPg55qZyuRbcmqRhZ/9D87kg1lkIsRV8SoQNz3UtGCAYF0MIZct3isCe0Ip7iJiZ0A5LsJZpb55ghQf6CGhy39U0tR8OD/D+wX53sBfHyc7CUtas5xmoXCUk/MbwhMwZyPbjMJ3OciLa6MEB0YY/UnxENNHAwPUg8w5Jtj2JJfYYsyQ1J8RPA00h2zbOlQTsWqH09mB40Btu7eztDba2E7yLt2Jy0DtIOqRDtve2dsvkdRg/E5Hd9EtwdDjKtsFz7RZ9219oAzEhWGbCvgMAm3um1Syes3SR1e13RFSJ2+kMO7t7GHcG+KDTG+wFgjkTaSiUP386e0Agf/505go8244UyBZhMma7FpXEajJYgOz7/OlMGgey/dJdGpoGA0GgFR5K+IxphuFIxmMyIS3fc3KK1diO58jFPS8i61bbZ+zYdAFzzYNEmougtWL5r7Af4SlDkk8IhKrrDdT0nOA7U4PcJhScXujVbmoSarqaJmbpXcu/DOFyI0QGjRNPbVUzDdt0Tgx6/M7goWnEXc/Ta1u6zFCuyjQ1Fcx8WoaL3F8Vaa/Gtoq4i1eQNmxYiy43eY0mZk+DJ0sm0kIryAoIKhGERUiiENUn10aIt/QuMq60oBR3UBZ+DOetOL4EPCUYOhpNiaA8QZNMKgAy0JIwTrOEJDXdLc3jIHw8IGhtykZr+QuiHr4W6d9Vd2hqlZCgT85ostgLdqNdueBCWVXecjwC/5Zhpx+uA/5XfLpWIs71D9fGYVXs/OmQLvU8G2bpE+rAz9ae4XRoeidqEQjdmOhEH2nbkemOZ1AEPj+wd8GDsFQ8jAqjDF1rftbwriHXChQaOPDmrFAJL6LMREeRxFiToEA5nRPufQ8y7Ddc00+gKAHebm9vbUqidea///Gj/b35+QfFp4XdcwfyO9jBN5/ZhCf6/k9yOQOsL5EkhBUo6ynqp/nAlc2DoAwxoswNzxlVXFtURgLwAdzcib8MBkSLGss4sNeCYBmyAobkNJTykW3rr4dCiwRFGPo9gybOeagdyC59j5Y743rO8W3C/DAPFoOxNcPSI9oq3POMq6pwasREGtqcPxf4a4qlDLjmyfOYLPiSYReVcFCralx5gdW4NHcgWy2B1krorKBHfNibvILH9nbV5bG9vVVACsyqVSoJMIFlYvPXATG6gvmLzROsW0OoR6+VmK1yd/0d7i7If0rCN6BwlkhLe6PQea2FcT0WTqjIZY+J2whwh6HwjelOq+cbZMp/1QomM4s1aoqHaNpXM0QmU5XjA6ibL6/taNtMzjuoKSRHMEWxImhA1IyQYsqnmnGjq5Yu6OfuS69F8GtT+hfVlN7Ybavig0uAPl8swoWzVrp6TajC9dta1dPgO+fqKj44vLbbR6/t9pu121+hC/izBV+jp4QYFB543M/zX3iAC+Fpz77zuIu12L16wDPl2yZbFRfag5Fb7G0M+9ZgOxXbX9pOYpo/xviWwJM7AZc8F8ETJVOCEmlvVdfDG0049M3F5qWeJs5Udo9RmCEMOdJW6YYbWwbP9BO7cc//gDS/Ub1pRL7CPvWQybFCriymikQV0/6JAyOezTrUa30jjammp2shOsx7CVT040NoJo5OKJOKWMZyeJoG+c/FcTD7SlnOrG9lz/XV13pfowaWZvsQmn7Jm9MUK9PSv4riCgV2SH8zWWH+IO94Vd4MJ0fHpieGML0UC5J9CK4xI4IYwoyzuwn9M3iJMoTzP36WZJilmvGvoTM+Ta41a5gf9MKufdZZzNnQ7BBOi7cJS/R9wHh+Lq2VUuKiMv/EeQT6U/KOe+KULjHRl+ypMEdTDJ5NZl2OtVlv9AaBUj4KnBiyJhETg9AqGn88XVl2pK9wYryLeiaEjaahaH58rEpRwvXNv9Zu6AAz3MfJhLK1FlozDdcpG/U1wLV/PxCSESpOfTxyz6WB+oTy3y6gRBkYTpViEH8BeZgTYp4RMBoIPgs8qf5oXY3JnX3Qk2M+Q1pAM4gkcAEMKR9JDUorwP5NwgZwZB5V9x6whN5DNPivJQntbOW9pBdjzsgDp28lCOWkqwb14iEWtIDUi3/sLsm6gD/6Bf4or/Wc/0nTFG/uRB20bnbj/0dHF5/tzqCPl6jb63eNAXeOY/2L/9pAh9NpSn4lg39Qtbnb2Ym6UXfHo7f+j5+vzs9aZsxPJL7hGy5EbLPbizronA9oSja7Oyfd7X1L7s3dzrat3+WJLqMhntB0Va+LHy+RgY/Wnd0nSDLGqoUSMqCYtdBQEDKQSQvNKEv4TG5U+6zBlxW8vw/X1kcTjsNGVqdy+i9YXK5uiy/JIiDU2uiFFT4zrHPOf8e3pEytGyIYWZWpUlmDmc2jbUIs8GzeCdmOtqNOu9vttSFxi8Zl7L8TM2fOXrtwhGCn523uf5Up4zTwr7Wzbj57nmPCFJctlA0yprL7zjAWM1o5w6uNQq0gvyg/djtRtywpV4tqEN77wM2ppXugX92mVjJazeqXs8MPi+hU+junTWGRezKs8n6H9ju9qPsHUni0LiEaHKMpjm+Ici9FWJonPiwRZSOIjYHiFuafAB9LyWNqg+g1COZcn2ATgdGkV+0DDLHP4LOTGYmXt3G3330wHuBIr75uFYLEXCQaHGWj1K5W4RHEK4KrOIOACygq6TZvbAIINKJ/tClr/4EIi/FUZgZL2bImXR1mqODVVXdTGmv91IK2j2oQ1Ie9+1oSJrlA6yQaRei/CblpoV+pIHKMxc0G+GbpLUnvkNe8wfgWeAgJjiVKUMaImLurBgQyH9nF5Rss0bp7LrRQ7d+K69+Ys8j7l2fWZ+Euu8p7llfoLQnBR84fp63tJKGWsxw+BV7RjG6KCxFHDoVHI5AFFuTHgav+FTC3494o5HJb47WG/9znFqTn7dBkh8pG/lTYgFJn6CdUxoLAw0L5hFmYgEEAb96+DKkgM5ymsoUEML9sGbMVJ2iAU8xiIuQSps3KHqBgQafHRlM0TSld2qinflVe32+MfhXL5+PUJtHACuBdYJk18ExJmjyQkOylfpYyIvCA+gQvJ/4rf5h/D+hroABoAUcFrpkaVbwWrqBz/rawCEvp0zjiqw10gEpOfOgUAi3Pw+QFWIiq0AWDB8tnCMOTgiQuxMipRG1/vteH4TvvMZgveq7Lz5cnG/ofpj5BCh96oPkAF07PBXpvz+1GwcGY14z+I8PpnRxlWCSR+Tck3/4xI4MxSaebQ96HSLl084bxWUqSEdGgNwsL7FvSUyKjsZr8658AyCNWJEb+7b83aqOgXAimcyFVPXxv/rXm1vXgQ1JYal5fFpCLuTpFDGouFCby+UsFKsiYi1yzLGxObqSHwVtQgwMqe8e3Um5Wc9B+uVw4YTbA+MVaRRWqBr+oJykcPntnSX+F4xRuw3C2utFzjkd8S6IJVYKYmupahm0O8R/A5ukP8S3pg8e0HyAn+7EgWJHkX0eQye2nDWUrJeYuPvky5VJLjqNfTsIV/ruyv6cMTXD88RKZci+oF3V70W4rDFcqksMGRH66OFqiOjOBogirPiBOigYv/UE7Ayrv2Zrq4ajboprTcbIoCVammeiVuxVb0bB+erzhokNspYtpHt1df1ki46SP0GnoV0dZ0XliJ7BAnQ+uStfy7bEo68/GWPWp7OsjQJMNy+tlHvfQK7x+evzvmj1qmxJCnU5niTYBEDm3ssTgQySICSeeL2AK+rOVNiZTZkIVHRnzx9PCbYbn/qS0L2XC1O9IPKLtAWX6t/CcF4/o3/U/fvR03O12lyCjZrz+SpnfWpFcIBljVs+qtUWlup3ufrQMU2j4jIjolrCEryqlWi8pDPspX/CAAjIoVJZ1RRgepIvXD4q5INEgrzxz32KGKceqVoW91GBMyI/AbGRdX52oozXubifqmMdE+KfrSTImaMKlQpLcEhHG1L/TKqa0ELm2PrXGJiWRcgK+NpDa05RT5YgyIUrQWKJ1rBSOb9AthCvkaTYmnP0LVXctNBX0lqZkRGzSmvWEKyJM9t5GC9HJFMcqhxr6tTUMD1cPGwkAq0HZyBDAydZUhazBOUpAjfrlVHVg3XbC40wveaOiqe5EO8ttMWG3VHDo27KQK+sr7fVJiNZDm47ZHfLJGsAldodaqMkOgUOWCgK9bF7AFikymXLxknbnymL00MaA72eCVWYIrUma2FZLsIpW4b52exU/3blYkMKrfSsHQ/6DK1lSePHITef1D78cb+SXvTaNqYLa0J5GsA3An5jdUDaCJ+q1Mz5ba6G1c5LQbLJmuHntZzoar8EWaDMN3fb0pnrx6SECJ8jyA6Qpzu3nUjBVDmsr6tjw4zt4Q0zIkLJiwpqGkH9c2KOAi+ALKhGfMZIY7QUzPDJvT+9PP11eRR/FyFSpQevwCy080efLtimfzzh0ixrSwNQK6sO00GzMtTCg0iV9Ko7GJJ2C3IcXdUliYE6t2YKc0NrXlLPAWaYInkiEY8GlUZxnXKTJHBZlt0nEqFTRiN/Cm0XbiiJg16owMM6RxVjVbskKtQu/67UaBgTuauqBoHCXIIZia1DJPPU0mwrKBVV2I5AgIyzAORyIgGYUrCjxeprYT/3AO+SXnc5B+PwIpWmOSrXV73uBpFIrAam5G4wLxhgi+ly590h9Vr6U6t/LQo3L8KGSmnoM6R1K+Whk8/+h6ZeWpcaRk9ARhYvQVcTLy9x5gpA4U1rFQwPKsKBajbncPD89PynOxmyM7oAn8A3cnzi9k5BFCInODksOD/o3EfoV3vxZepd7qEoVWy3qEDho3lGLZQ4tREakIgnKWEIEutZzXVvoYyzHRDrGCxvxFIovCpKH2bb8ay5B13r8NRT2gKTuPJ12yqdZim0yJDgAjQMLZg+b3FxvhAaqdWyACebDGAuNq4qRkwOuxkiC7HaV2LyzLUQU+IKbumyxw7FAFhPRr4UmxNhqmFWQNXxkl6VSGQXVnq43Fn/Qfm2E8CyNEP7qzQ++1YYHr00O7H9Nd/zFVHxs1Njgr9LM4C/cwOD7blrw3TUq+L6aE3xvDQlemxAUifB9Nh749poNvDYY+GoNBl6bCnzFpgLfeyOBb7V5wGvDgEfs9osxGZs1CfguGwN8J80Avu8GAN9M0f+2nvktGhBwZGMWj7kwP7ZjF99ovTfvzDcFFP4HwD5yhdjsnaSH+zwT5z8Ab0Wa2hKO8MysUa19GYfUpjGXKhDUhk44pb5E4xSrsfs4+LAGQf3fMZkKEoNrog3lQPOB4JWBn2gxywkzl2ZVwE+vL1J0Qv50qdPz0TNR7qWPJ3RkojDfIiUyUoRuKFIAy8Ne0uaHfh3fzFm63x8IsgHH/ygTsClmsrr1LUB6vUPhd/cuC4A23dN7IWviSijkH1EmVfBY+iCN4PnBjEVuLKKJOxZxyrMkPwFH+kcXNSDQhCicYIXrD8W5/asJ/YgLQyG8MLdHcJL04YO+A6m/jImUJrQsPCOFlcOgiE7wKKiDn5eUmNA2HsRJt7dVKz9yBjnVENDpsQ9eNOg6ilj2+AEd6p2Cj3iahIzqENL4RwYrt9YHtrr243u3O5jDIZgHNt4/jV+Q/37pmRbg3tJci7JxMNsEx2PKCJzxhSazA6JgwKJzhbFY/QUE2v2jFp11KjhIsQU3zn6+/L4JMsq1vvvnKHxaC9+JhYTHN8CrVi4cu59rjpf5G+gd+n5MU9OjAYSC+Zs+4XLMheobyZzrE+46NvO1vUyYc216tFCNB7o4pCBEzO0ANYX8H+uIFRCsfkgt0eZMpSXO8rOBpAsO1JKzlkYuNmnz6WwZUPQDuvp4/PEt+pnPtHoxwVMtZCX5ewWXwkWP7r/s0Xx5jrxMNyhEjnP1/Zvz7c/mpxogp2zIQ26114IejpysCRhU/76WPe29cXJ0GeYdU5dpG5FYRneTNLLfmcQ5LMybKuOsnY8sFfHivgHBfE6fvzWFSlsOxIDzlGC2IHmHOUUgPSff9uq8XEaDjKbVKas76m/vte7+cbdzsLYYOh8vEcwQxqjUIxLzhNSeg/twkUoQFY8XR8bNYkr1sTvPgTfZgAhGFIQCWD78R/i7Grj5373OVVSgcqAo5ML7pWo+6EHJWkD6fp4rU3zKk3qxs9RhDigw5eZZqbq5eqqsRoY3nemCJ+jz6XF1IjCZpzh+ukXlEKuT8aQi8h85mauRU53Misu/PVowB3/uT/B0StnIfrv2twVPUYCxvUgmeFpFGer5mQenF4d3gFs98oJMUxpjSdTTbnEOd85GJ2Sa8rtJycx8/MQ53DkTwwPUMEuffMkB4DlTP6AHNZ3Yg31w2nql7/HzGrj2grGyPL9dLvwvauDaP+b3ijdq6+6BHDZa6hIgXxZVO+0MUR5gfI/qaVf8O0/5DcVtnCmeUAnpIfny/6f5Kzq2f7lD4XcosLwffMSoARXewhYPD3Le8579LjKvPMVskCVetdzzp3Xx8qFHICiNVD8nve/xdc50Jzge20qPpkmVT8m1wSu2Ejuh0DHIV1dJMlMJQGGhsqnzAxlAph3CxGQD+3c5Zfug4glRemHCZgjBvhEFKrkp2A2/0D+2bMopoAZ5BTiFWvTSePZPL8wXlr0QTVoQAw4pQwWUIMFASaBMPQltuPNU8CSL1fKEvDKh1fbsWjBaTfRru2/axuxSmPaN9NW+1oOZNx6YOkg3XXJmMzaILLfLD3hBIpExpjeasno8XBvBpWf//OkMjbXxOdamCkxnuRUwuY/ocSZKroqimTRn1l994yy3vhmWnsWtSYkzNSZM+UoapsmRE2szylI+ygXZ2q/wiwHBaq1eWtmS975G66+m3Bw6AZfDGR9FZdPUC2h4pS/VGNUibiaoIlbcPkhmgWfov87P8uZOhQohxvHBB7Dz9gXIYlgKhvLtokwSiPegcN+e1ZcWka7bo0shtBBzseXWjg4vTtH6OXTm5UPlifMLldqcYgliZEbERlRqWRVWi3b99bTEt+4kk0lma7qYrGf4syQKcLq2Y/pfJqmh47UHh2VF7PGpz/HADKpw3dIkw85tlPJRqWnQQ/Sm4PUYZqbZhBI8G6REjjlXYdjJNBNTLk3aEDF5La5/sOGpsFBTzof5KZpMcdhGzub1hYA0otALCI8YN/2gBymZlH0vnutRrYYxh/sO09RXPnNlhiwOlUMQphGiMaSaBmxX92yCpzTQQmy+blI4Fffg5nbK7yBwIuSK5AXRcGIzcWIuErMLvu90XkGtAHNtRhnATPlozT9RVZerZ+MCrblvR5Tl3xcg+jH6Ez0u4DW3iso3INgSIumIWbHmULCB+r1OZ6sAJvik1+l0qmcaeowWzmcr4Gi7hAJIyoYCm46EmSCAkiAOqQh9LIGD2m4YlAs3dwGcxaN1D0XNuUqi8DRofWSCVaG4oWMNfcFKqynB/nNwwmp6CdvQ0y9P1rxc4VjRW6ru+gs9cOQ8WizFei+THiITMZPelcut+NYr7mebjJgJATqTxQ34tgAyzGvTxw6iKiEyCNIO4T4OJoFPwt5JRTsN5TPVmVkmyba/oHHX9BiHNTF8Yi8s0EUxF48y5BtCkF/lbvIU0mwwMzmrLUMUmEVLV9M7zdyW18XAgOsaKgC4vvXKFkmw7FNIIx7ygi4v96aRKV+qk0xlwGjQ7E7SWwIMUQAFrR1gKdeg7d/xDBgkxlNlbApDO7hkOHMKrTTpwAVQiteJE29iQE76dU66a5hHEzRB1/BV97pVxA1+27sOGka30IDEWJ/pXNAHM0D9S2ZgUlZkASxSCrVU7AL40CtGS+1weFE+uE82Rhu8DOTLGGcSMiJTGygUoO5Pr60fWgDk6GpOeoTe3aExvrXamCR50URz31plQJHJNLUB/0VJGbYOpAwlWI4HHItE2pR98L20U4IFmAq/80FQeLD6AhFS7rCgbl/g+AaPyIeyiJkvMXJI7yjD4q7BMJWCj/KzJOKUTTN1RZvMzrk6z6NClxt4lXvIlxiY0TT5pWB5Lj74SCuHbHlqHXEhMmDeQ0hCvlRhFu7CUASB7f6s4kbEPq4UE1xmrMobYC0z7JbGzRgzH3pG2KgkUBcH0JBSeqjlknP8e0kGLw+CsiYgBL1tSDs9UjxyaFOy67/8gpfnlROmxN0Rz5hafugXJfApG/KlR77HNM1EMyoHYxvS6j1NSVNZ9J4ynGpBksmlx/5Uul0XG3WapOTU1fDAjcSIBgHCr9k+n06mREjOYPIzckuW57JTV76q4fDpoSli0GDkRd5xevFh/yB3DZnrDEulr8mfOE8aDb4cZyrhM9YMwOQxWskZH3H2U9EDvsTI04bjrAupOcqNVBK4YJqKgXP8hU6yyQURECzCYnJBREwaHK5zaGPYaO1m6GWD7Tqn7KnQN5CuxoIrlT4GTPPN+EBmloUacGA+uNEefCAz0/G50bH5QGaNNKUPfKLvoffQio3Fy6vGH8K0isWHfUyTR6z2Y5o0Wu1H61XQ93ajTbrADQR5cDgeef1eCHJLeSYfa0k4OA0H23KhZ1Qufz6bn6/HHC47ttn22bEN+PSi4JhdYlyGmylYFxm+4CmN7xrQ95/DxrrsJ4Jlg2EgAXDTSS/BGH6X8vjmKiw6v/B401OyET/ZsY1Rt5qZeU1opHQ4EOAKOGryBOMgNN08l07efGRD6+cSXCnLD1NYNHvlavbc03R1ik+bYWnyOI+hIXUzrjYQmqrgdvhn2VALDcY3UUWvLhvgfIXFiDyGZgZAo7cLM7S5qRSMb7xy4xh9xMob73Y+vNFmEwGK66WpFNpk/fyGsJOU3OLGMvhKYCYnVCmS2Ath+ePelABNr55fubiRDdVP439qNqzXbNhWs2HbzYbtNBu222zYXrNh+/cO+3/KY4yTbklXfZNwktx5boJGfImechiMbfJR7GtewduiJ5fCe0n3sJuj0BLQNpW6CxqjVZCLx5ixwvPjSn37ZjbjeXfl2aCLGzQvNCEmOLGebUf3AkjOPDRm6vq4yDzrbE75SF67PDNbL9nGR+YxYTWUMDislr/sOk+Pi/FkKR8VopRMfTpHFKHlclHGBc3uYHBOQhu43DVOdA7xkuZPhjfM30tKp4Q3E0Vxmt5FLgutCFAQHI9tiMrEvPTZ/Vnv/Wer958CPBc3VY1r0kj1/rO7/Z/7Y6s2ipEBsNnkiyrhNKNpigYEdWp3EypG919iiI/DSW8jHIICuJgzJXgKh0Hpe3lIhIADHVkeMrWwbRjQDIqEKVOAGwrHlQ5MGAoE81OBrgOyXIfyria7bxoXbbInl11mhnI0gxFY6ArLG8PK5ivI4/TtRq2kq1uvSR9IeYxDIYCnkMNj4kGNECI2M9ScphkuUs9URa+hi0tI6I8WS4/7Oqzl60jAHw3ylaM07y5weSLTmgUFJf4etdl2jj5NnAg8SqkmvA1s/JQxRSfEvVXdR3i22pi0mss9ENRovcxOXCBpdGcgfg0XBWJ1o2ZhCsubVZ4zDf9lnzKTT2F7shaKf1ZvknXO0FSQYgxaUVMoh8BC3zx7nRoVzoXP3XMY1Bg0kuWPRAWiD72rQPq6UYTo8VGEQVhfDen0QqNcUD2Kp/Nqbe1ue6fd67a3dra721udg95+u9fZ6e51u71up93dOuhu7W9v7R60u3nXtwVI4vgnbyOTS9j1y9NjX2UPx1BB0HeYt/G2JelKZUW8IpPZX4zwZxz61PDU1nq9PD0GrQ5I2DL3OSi1QEz9y3K0JPwhgfceGzJpfqVpfO1CBJ2KxI1xnyvLQaPkAMc7niGfxRcgnGOrj9Pl6bFsIUFuKZnZ8z9Cw1JcUWzi66VRcmyPY5ufYNsYz2OdBQX7PRv7IbA5oD5VadPqN6qAhKHsKuWxmSFvAD2HwQJcTXDphNjcxHmoq+IT0NNfJLYX68MI12B4W3nueYyCYdLgyjmbnsHf2CBZam0+W22KSG9+BDWnbIqYS+nIk8TOyAjHhRQdl2c7L1/MfEAkMl2uOAsH70ZfbF9QTk3j8iAnyPWzBVi3eTG+fHwUVDQxqbIWAtR6zqOAZ2NrNF77FN9ot694fy8yKVU2cwoeNoiaYybXZ9uqh2tImZyjKE/zube6UtVMewhuZcC98OsSGR6YoW7IvXOU3qceAF/6+l7IpRekByCXvr4XcspHy5Ck8Fj0QLksKfGI9IkQ/KFybfBNZEcsAtw+1RQKYT6Aevl15wH48x4PHpxl3sB75yvY2A9MUfj2Xqh1FuoDwOuGPDSHNecWnqBkYt4L3thgS3BonXF4f53H3Oh6AHTw5f0QwWBYmiJlO+PeOeo17HkzuanqRz080eLSvvz5vbDrsu7nQi5+fC/cL5P0IYFTl5ldhvl/AwAA///oKFmA" } diff --git a/winlogbeat/sys/event.go b/winlogbeat/sys/event.go index d88617d8925..b6674d41f40 100644 --- a/winlogbeat/sys/event.go +++ b/winlogbeat/sys/event.go @@ -235,10 +235,10 @@ func (v *HexInt64) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error { return err } - num, err := strconv.ParseInt(s, 0, 64) + num, err := strconv.ParseUint(s, 0, 64) if err != nil { // Ignore invalid version values. - return nil + return err } *v = HexInt64(num) diff --git a/winlogbeat/sys/event_test.go b/winlogbeat/sys/event_test.go index 8d0f6ee04f8..d4a4d2a564d 100644 --- a/winlogbeat/sys/event_test.go +++ b/winlogbeat/sys/event_test.go @@ -37,7 +37,7 @@ const allXML = ` 4 9 0 - 0x4000000000000004 + 0x8020000000000000 100 @@ -94,7 +94,7 @@ func TestXML(t *testing.T) { EventIdentifier: EventIdentifier{ID: 91}, LevelRaw: 4, TaskRaw: 9, - KeywordsRaw: 0x4000000000000004, + KeywordsRaw: 0x8020000000000000, TimeCreated: TimeCreated{allXMLTimeCreated}, RecordID: 100, Correlation: Correlation{"{A066CCF1-8AB3-459B-B62F-F79F957A5036}", "{85FC0930-9C49-42DA-804B-A7368104BD1B}"}, diff --git a/winlogbeat/tests/system/test_config.py b/winlogbeat/tests/system/test_config.py index 16862bf44f9..18df0594fca 100644 --- a/winlogbeat/tests/system/test_config.py +++ b/winlogbeat/tests/system/test_config.py @@ -3,6 +3,7 @@ import sys import unittest from winlogbeat import BaseTest +from beat import common_tests """ Contains tests for config parsing. @@ -10,7 +11,7 @@ @unittest.skipUnless(sys.platform.startswith("win"), "requires Windows") -class Test(BaseTest): +class Test(BaseTest, common_tests.TestExportsMixin): def test_valid_config(self): """ diff --git a/winlogbeat/tests/system/winlogbeat.py b/winlogbeat/tests/system/winlogbeat.py index eb34445bcfe..f10f10f9cb0 100644 --- a/winlogbeat/tests/system/winlogbeat.py +++ b/winlogbeat/tests/system/winlogbeat.py @@ -11,8 +11,6 @@ import win32security import win32evtlogutil -sys.path.append(os.path.join(os.path.dirname(__file__), '../../../libbeat/tests/system')) - from beat.beat import TestCase PROVIDER = "WinlogbeatTestPython" @@ -111,7 +109,7 @@ def read_events(self, config=None, expected_events=1): def read_registry(self, requireBookmark=False): f = open(os.path.join(self.working_dir, "data", ".winlogbeat.yml"), "r") - data = yaml.load(f) + data = yaml.load(f, Loader=yaml.FullLoader) self.assertIn("update_time", data) self.assertIn("event_logs", data) @@ -132,20 +130,21 @@ def assert_common_fields(self, evt, msg=None, eventID=10, sid=None, assert host_name(evt["winlog.computer_name"]).lower() == host_name(platform.node()).lower() assert "winlog.record_id" in evt - self.assertDictContainsSubset({ + expected = { "winlog.event_id": eventID, "event.code": eventID, "log.level": level.lower(), "winlog.channel": self.providerName, "winlog.provider_name": self.applicationName, "winlog.api": self.api, - }, evt) + } + assert expected.items() <= evt.items() if msg is None: assert "message" not in evt else: self.assertEqual(evt["message"], msg) - self.assertDictContainsSubset({"winlog.event_data.param1": msg}, evt) + self.assertEqual(msg, evt.get("winlog.event_data.param1")) if sid is None: self.assertEqual(evt["winlog.user.identifier"], self.get_sid_string()) @@ -159,7 +158,7 @@ def assert_common_fields(self, evt, msg=None, eventID=10, sid=None, assert "winlog.user.type" not in evt if extra is not None: - self.assertDictContainsSubset(extra, evt) + assert extra.items() <= evt.items() def host_name(fqdn): diff --git a/winlogbeat/winlogbeat.reference.yml b/winlogbeat/winlogbeat.reference.yml index aa8b7893d8a..71ec0007631 100644 --- a/winlogbeat/winlogbeat.reference.yml +++ b/winlogbeat/winlogbeat.reference.yml @@ -411,10 +411,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 @@ -527,20 +535,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -550,7 +565,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -713,30 +728,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -749,6 +771,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -856,42 +884,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. @@ -1024,6 +1066,11 @@ output.elasticsearch: # Set to false to disable template loading. #setup.template.enabled: true +# Select the kind of index template. From Elasticsearch 7.8, it is possible to +# use component templates. Available options: legacy, component, index. +# By default winlogbeat uses the legacy index templates. +#setup.template.type: legacy + # Template name. By default the template name is "winlogbeat-%{[agent.version]}" # The template name and pattern has to be set in case the Elasticsearch index pattern is modified. #setup.template.name: "winlogbeat-%{[agent.version]}" @@ -1127,20 +1174,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1159,6 +1217,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog @@ -1309,17 +1378,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1342,6 +1418,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/x-pack/auditbeat/Jenkinsfile.yml b/x-pack/auditbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..86f0832d3f2 --- /dev/null +++ b/x-pack/auditbeat/Jenkinsfile.yml @@ -0,0 +1,33 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^x-pack/auditbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@xpack" ## special token regarding the changeset for the xpack + comments: ## when PR comment contains any of those entries + - "/test auditbeat" + labels: ## when PR labels matches any of those entries + - "auditbeat" + parameters: ## when parameter was selected in the UI. + - "auditbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage update build test" + withModule: true ## run the ITs only if the changeset affects a specific module. + macos: + mage: "mage build unitTest" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test auditbeat for macos" + labels: + - "macOS" + parameters: + - "macosTest" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml index 9bb714069f7..f2167a6293e 100644 --- a/x-pack/auditbeat/auditbeat.reference.yml +++ b/x-pack/auditbeat/auditbeat.reference.yml @@ -545,10 +545,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 @@ -661,20 +669,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -684,7 +699,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -847,30 +862,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -883,6 +905,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -990,42 +1018,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. @@ -1158,6 +1200,11 @@ output.elasticsearch: # Set to false to disable template loading. #setup.template.enabled: true +# Select the kind of index template. From Elasticsearch 7.8, it is possible to +# use component templates. Available options: legacy, component, index. +# By default auditbeat uses the legacy index templates. +#setup.template.type: legacy + # Template name. By default the template name is "auditbeat-%{[agent.version]}" # The template name and pattern has to be set in case the Elasticsearch index pattern is modified. #setup.template.name: "auditbeat-%{[agent.version]}" @@ -1261,20 +1308,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1293,6 +1351,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog @@ -1443,17 +1512,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1476,6 +1552,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/x-pack/auditbeat/conftest.py b/x-pack/auditbeat/conftest.py new file mode 100644 index 00000000000..2f3a40d0838 --- /dev/null +++ b/x-pack/auditbeat/conftest.py @@ -0,0 +1,6 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../../libbeat/tests/system')) +sys.path.append(os.path.join(os.path.dirname(__file__), '../../metricbeat/tests/system')) +sys.path.append(os.path.join(os.path.dirname(__file__), './tests/system')) diff --git a/x-pack/auditbeat/magefile.go b/x-pack/auditbeat/magefile.go index f484cbb371d..7484e6465b7 100644 --- a/x-pack/auditbeat/magefile.go +++ b/x-pack/auditbeat/magefile.go @@ -84,7 +84,7 @@ func Package() { // TestPackages tests the generated packages (i.e. file modes, owners, groups). func TestPackages() error { - return devtools.TestPackages(devtools.WithRootUserContainer()) + return devtools.TestPackages() } // Update is an alias for running fields, dashboards, config. @@ -132,13 +132,13 @@ var ( "linux/386": installLinux386, "linux/amd64": installLinuxAMD64, "linux/arm64": installLinuxARM64, - "linux/armv5": installLinuxARMLE, - "linux/armv6": installLinuxARMLE, + "linux/armv5": installLinuxARMEL, + "linux/armv6": installLinuxARMEL, "linux/armv7": installLinuxARMHF, "linux/mips": installLinuxMIPS, - "linux/mipsle": installLinuxMIPSLE, - "linux/mips64le": installLinuxMIPS64LE, - "linux/ppc64le": installLinuxPPC64LE, + "linux/mipsle": installLinuxMIPSEL, + "linux/mips64le": installLinuxMIPS64EL, + "linux/ppc64le": installLinuxPPC64EL, "linux/s390x": installLinuxS390X, //"linux/ppc64": installLinuxPpc64, @@ -148,49 +148,56 @@ var ( const ( librpmDevPkgName = "librpm-dev" + + // Dependency of librpm-dev in ARM architectures, that needs to be explicitly + // installed to replace other conflicting packages pre-installed in the image. + libicuDevPkgName = "libicu-dev" ) func installLinuxAMD64() error { - return installDependencies(librpmDevPkgName, "") + return installDependencies("", librpmDevPkgName) } func installLinuxARM64() error { - return installDependencies(librpmDevPkgName+":arm64", "arm64") + return installDependencies("arm64", librpmDevPkgName+":arm64") } func installLinuxARMHF() error { - return installDependencies(librpmDevPkgName+":armhf", "armhf") + return installDependencies("armhf", librpmDevPkgName+":armhf", libicuDevPkgName+":armhf") } -func installLinuxARMLE() error { - return installDependencies(librpmDevPkgName+":armel", "armel") +func installLinuxARMEL() error { + return installDependencies("armel", librpmDevPkgName+":armel", libicuDevPkgName+":armel") } func installLinux386() error { - return installDependencies(librpmDevPkgName+":i386", "i386") + return installDependencies("i386", librpmDevPkgName+":i386") } func installLinuxMIPS() error { - return installDependencies(librpmDevPkgName+":mips", "mips") + return installDependencies("mips", librpmDevPkgName+":mips") } -func installLinuxMIPS64LE() error { - return installDependencies(librpmDevPkgName+":mips64el", "mips64el") +func installLinuxMIPS64EL() error { + return installDependencies("mips64el", librpmDevPkgName+":mips64el") } -func installLinuxMIPSLE() error { - return installDependencies(librpmDevPkgName+":mipsel", "mipsel") +func installLinuxMIPSEL() error { + return installDependencies("mispel", librpmDevPkgName+":mipsel") } -func installLinuxPPC64LE() error { - return installDependencies(librpmDevPkgName+":ppc64el", "ppc64el") +func installLinuxPPC64EL() error { + return installDependencies("ppc64el", librpmDevPkgName+":ppc64el") } func installLinuxS390X() error { - return installDependencies(librpmDevPkgName+":s390x", "s390x") + return installDependencies("s390x", librpmDevPkgName+":s390x") } -func installDependencies(pkg, arch string) error { +func installDependencies(arch string, pkgs ...string) error { + if len(pkgs) == 0 { + return nil + } if arch != "" { err := sh.Run("dpkg", "--add-architecture", arch) if err != nil { @@ -206,5 +213,6 @@ func installDependencies(pkg, arch string) error { return err } - return sh.Run("apt-get", "install", "-y", "--no-install-recommends", pkg) + args := append([]string{"install", "-y", "--no-install-recommends"}, pkgs...) + return sh.Run("apt-get", args...) } diff --git a/x-pack/auditbeat/module/system/process/process.go b/x-pack/auditbeat/module/system/process/process.go index 6c9e5a7db6a..3fd94e5ea96 100644 --- a/x-pack/auditbeat/module/system/process/process.go +++ b/x-pack/auditbeat/module/system/process/process.go @@ -39,7 +39,6 @@ const ( eventTypeState = "state" eventTypeEvent = "event" - eventTypeError = "error" ) type eventAction uint8 @@ -247,7 +246,7 @@ func (ms *MetricSet) reportState(report mb.ReporterV2) error { report.Event(event) } else { ms.log.Warn(p.Error) - report.Event(ms.processEvent(p, eventTypeError, eventActionProcessError)) + report.Event(ms.processEvent(p, eventTypeEvent, eventActionProcessError)) } } @@ -287,7 +286,7 @@ func (ms *MetricSet) reportChanges(report mb.ReporterV2) error { report.Event(ms.processEvent(p, eventTypeEvent, eventActionProcessStarted)) } else { ms.log.Warn(p.Error) - report.Event(ms.processEvent(p, eventTypeError, eventActionProcessError)) + report.Event(ms.processEvent(p, eventTypeEvent, eventActionProcessError)) } } diff --git a/x-pack/auditbeat/module/system/socket/socket_linux.go b/x-pack/auditbeat/module/system/socket/socket_linux.go index 4c2cfd7e782..78fdd8ae4ca 100644 --- a/x-pack/auditbeat/module/system/socket/socket_linux.go +++ b/x-pack/auditbeat/module/system/socket/socket_linux.go @@ -9,8 +9,11 @@ package socket import ( "context" "fmt" + "os" + "path/filepath" "sort" "strconv" + "strings" "sync/atomic" "syscall" "time" @@ -36,17 +39,18 @@ import ( ) const ( - moduleName = "system" - metricsetName = "socket" - fullName = moduleName + "/" + metricsetName - namespace = "system.audit.socket" - detailSelector = metricsetName + "detailed" - auditbeatGroup = "auditbeat" + moduleName = "system" + metricsetName = "socket" + fullName = moduleName + "/" + metricsetName + namespace = "system.audit.socket" + detailSelector = metricsetName + "detailed" + groupNamePrefix = "auditbeat_" // Magic value to detect clock-sync events generated by the metricset. clockSyncMagic uint64 = 0x42DEADBEEFABCDEF ) var ( + groupName = fmt.Sprintf("%s%d", groupNamePrefix, os.Getpid()) kernelVersion string eventCount uint64 ) @@ -290,7 +294,7 @@ func (m *MetricSet) Setup() (err error) { extra = WithFilterPort(22) } m.installer = newProbeInstaller(traceFS, - WithGroup(auditbeatGroup), + WithGroup(groupName), WithTemplates(m.templateVars), extra) defer func() { @@ -300,10 +304,18 @@ func (m *MetricSet) Setup() (err error) { }() // - // remove existing KProbes from Auditbeat + // remove dangling KProbes from terminated Auditbeat processes. + // Not a fatal error if they can't be removed. // - if err = m.installer.UninstallIf(isOwnProbe); err != nil { - return errors.Wrap(err, "unable to delete existing KProbes. Is Auditbeat already running?") + if err = m.installer.UninstallIf(isDeadAuditbeat); err != nil { + m.log.Debugf("Removing existing probes from terminated instances: %+v", err) + } + + // + // remove existing Auditbeat KProbes that match the current PID. + // + if err = m.installer.UninstallIf(isThisAuditbeat); err != nil { + return errors.Wrapf(err, "unable to delete existing KProbes for group %s", groupName) } // @@ -409,7 +421,7 @@ func (m *MetricSet) Cleanup() { } } if m.installer != nil { - if err := m.installer.UninstallIf(isOwnProbe); err != nil { + if err := m.installer.UninstallIf(isThisAuditbeat); err != nil { m.log.Warnf("Failed to remove KProbes on exit: %v", err) } } @@ -468,8 +480,28 @@ func triggerClockSync() { unix.Uname(&buf) } -func isOwnProbe(probe tracing.Probe) bool { - return probe.Group == auditbeatGroup +func isRunningAuditbeat(pid int) bool { + path := fmt.Sprintf("/proc/%d/exe", pid) + exePath, err := os.Readlink(path) + if err != nil { + // Not a running process + return false + } + exeName := filepath.Base(exePath) + return strings.HasPrefix(exeName, "auditbeat") +} + +func isDeadAuditbeat(probe tracing.Probe) bool { + if strings.HasPrefix(probe.Group, groupNamePrefix) && probe.Group != groupName { + if pid, err := strconv.Atoi(probe.Group[len(groupNamePrefix):]); err == nil && !isRunningAuditbeat(pid) { + return true + } + } + return false +} + +func isThisAuditbeat(probe tracing.Probe) bool { + return probe.Group == groupName } type mountPoint struct { diff --git a/x-pack/auditbeat/tests/system/auditbeat_xpack.py b/x-pack/auditbeat/tests/system/auditbeat_xpack.py index af8e5ae68fa..8086ee52c5e 100644 --- a/x-pack/auditbeat/tests/system/auditbeat_xpack.py +++ b/x-pack/auditbeat/tests/system/auditbeat_xpack.py @@ -1,9 +1,6 @@ import jinja2 import os import sys - -sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '../../../../metricbeat/tests/system'))) - from metricbeat import BaseTest as MetricbeatTest diff --git a/x-pack/auditbeat/tests/system/test_exports.py b/x-pack/auditbeat/tests/system/test_exports.py new file mode 100644 index 00000000000..9aa546c93d9 --- /dev/null +++ b/x-pack/auditbeat/tests/system/test_exports.py @@ -0,0 +1,13 @@ +import jinja2 +import os +import platform +import sys +import time +import unittest + +from auditbeat_xpack import * +from beat import common_tests + + +class Test(AuditbeatXPackTest, common_tests.TestExportsMixin): + pass diff --git a/x-pack/auditbeat/tests/system/test_system_socket.py b/x-pack/auditbeat/tests/system/test_system_socket.py index b4c6b7cec60..fed1b806683 100644 --- a/x-pack/auditbeat/tests/system/test_system_socket.py +++ b/x-pack/auditbeat/tests/system/test_system_socket.py @@ -638,7 +638,7 @@ def expected(self): "user.id": str(os.getuid()), }, { "agent.type": "auditbeat", - "client.bytes": client_bytes, + "client.bytes": client_bytes, "client.ip": self.client_addr[0], "client.packets": client_packets, "client.port": self.client_addr[1], @@ -664,7 +664,7 @@ def expected(self): "server.packets": server_packets, "server.port": self.server_addr[1], "service.type": "system", - "source.bytes": client_bytes, + "source.bytes": client_bytes, "source.ip": self.client_addr[0], "source.packets": client_packets, "source.port": self.client_addr[1], diff --git a/x-pack/dockerlogbeat/Jenkinsfile.yml b/x-pack/dockerlogbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..703bb3d66a9 --- /dev/null +++ b/x-pack/dockerlogbeat/Jenkinsfile.yml @@ -0,0 +1,18 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^x-pack/dockerlogbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@xpack" ## special token regarding the changeset for the xpack + comments: ## when PR comment contains any of those entries + - "/test x-pack/dockerlogbeat" + labels: ## when PR labels matches any of those entries + - "x-pack-dockerlogbeat" + parameters: ## when parameter was selected in the UI. + - "x-pack-dockerlogbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage build test" + withModule: true ## run the ITs only if the changeset affects a specific module. diff --git a/x-pack/dockerlogbeat/docs/configuration.asciidoc b/x-pack/dockerlogbeat/docs/configuration.asciidoc index f1bf6821489..e29cbb4cba0 100644 --- a/x-pack/dockerlogbeat/docs/configuration.asciidoc +++ b/x-pack/dockerlogbeat/docs/configuration.asciidoc @@ -76,6 +76,11 @@ indices. For example: +"dockerlogs-%{+yyyy.MM.dd}"+. 3+|*Advanced:* +|`name` +|`testbeat` +| A custom value that will be inserted into the document as `agent.name`. +If not set, it will be the hostname of Docker host. + |`backoff_init` |`1s` |The number of seconds to wait before trying to reconnect to {es} after diff --git a/x-pack/dockerlogbeat/main.go b/x-pack/dockerlogbeat/main.go index e3a5b8d0310..e363aefb667 100644 --- a/x-pack/dockerlogbeat/main.go +++ b/x-pack/dockerlogbeat/main.go @@ -73,7 +73,13 @@ func main() { if err != nil { fatal("DESTROY_LOGS_ON_STOP must be 'true' or 'false': %s", err) } - pipelines := pipelinemanager.NewPipelineManager(logDestroy) + + hostname, err := os.Hostname() + if err != nil { + fatal("Error fetching hostname: %s", err) + } + + pipelines := pipelinemanager.NewPipelineManager(logDestroy, hostname) sdkHandler := sdk.NewHandler(`{"Implements": ["LoggingDriver"]}`) // Create handlers for startup and shutdown of the log driver diff --git a/x-pack/dockerlogbeat/pipelinemanager/clientLogReader.go b/x-pack/dockerlogbeat/pipelinemanager/clientLogReader.go index 1a82dd214e5..6fb52fb52aa 100644 --- a/x-pack/dockerlogbeat/pipelinemanager/clientLogReader.go +++ b/x-pack/dockerlogbeat/pipelinemanager/clientLogReader.go @@ -32,16 +32,20 @@ type ClientLogger struct { logger *logp.Logger // ContainerMeta is the metadata object for the container we get from docker ContainerMeta logger.Info + // ContainerECSMeta is a container metadata object appended to every event + ContainerECSMeta common.MapStr // logFile is the FIFO reader that reads from the docker container stdio logFile *pipereader.PipeReader // client is the libbeat client object that sends logs upstream client beat.Client // localLog manages the local JSON logs for containers localLog logger.Logger + // hostname for event metadata + hostname string } // newClientFromPipeline creates a new Client logger with a FIFO reader and beat client -func newClientFromPipeline(pipeline beat.PipelineConnector, inputFile *pipereader.PipeReader, hash uint64, info logger.Info, localLog logger.Logger) (*ClientLogger, error) { +func newClientFromPipeline(pipeline beat.PipelineConnector, inputFile *pipereader.PipeReader, hash uint64, info logger.Info, localLog logger.Logger, hostname string) (*ClientLogger, error) { // setup the beat client settings := beat.ClientConfig{ WaitClose: 0, @@ -59,11 +63,13 @@ func newClientFromPipeline(pipeline beat.PipelineConnector, inputFile *pipereade clientLogger.Debugf("Created new logger for %d", hash) return &ClientLogger{logFile: inputFile, - client: client, - pipelineHash: hash, - ContainerMeta: info, - localLog: localLog, - logger: clientLogger}, nil + client: client, + pipelineHash: hash, + ContainerMeta: info, + ContainerECSMeta: constructECSContainerData(info), + localLog: localLog, + logger: clientLogger, + hostname: hostname}, nil } // Close closes the pipeline client and reader @@ -100,6 +106,26 @@ func (cl *ClientLogger) ConsumePipelineAndSend() { } } +// constructECSContainerData creates an ES-ready MapString object with container metadata. +func constructECSContainerData(metadata logger.Info) common.MapStr { + + var containerImageName, containerImageTag string + if idx := strings.IndexRune(metadata.ContainerImageName, ':'); idx >= 0 { + containerImageName = string([]rune(metadata.ContainerImageName)[:idx]) + containerImageTag = string([]rune(metadata.ContainerImageName)[idx+1:]) + } + + return common.MapStr{ + "labels": helper.DeDotLabels(metadata.ContainerLabels, true), + "id": metadata.ContainerID, + "name": helper.ExtractContainerName([]string{metadata.ContainerName}), + "image": common.MapStr{ + "name": containerImageName, + "tag": containerImageTag, + }, + } +} + // publishLoop sits in a loop and waits for events to publish // Publish() can block if there is an upstream output issue. This is a problem because if the FIFO queues that handle the docker logs fill up, plugins can no longer send logs // A buffered channel with its own publish gives us a little more wiggle room. @@ -117,20 +143,14 @@ func (cl *ClientLogger) publishLoop(reader chan logdriver.LogEntry) { cl.client.Publish(beat.Event{ Timestamp: time.Unix(0, entry.TimeNano), Fields: common.MapStr{ - "message": line, - "container": common.MapStr{ - "labels": helper.DeDotLabels(cl.ContainerMeta.ContainerLabels, true), - "id": cl.ContainerMeta.ContainerID, - "name": helper.ExtractContainerName([]string{cl.ContainerMeta.ContainerName}), - "image": common.MapStr{ - "name": cl.ContainerMeta.ContainerImageName, - }, + "message": line, + "container": cl.ContainerECSMeta, + "host": common.MapStr{ + "name": cl.hostname, }, }, }) - } - } func constructLogSpoolMsg(line logdriver.LogEntry) *logger.Message { diff --git a/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go b/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go index b53d26e234d..fbb790479c7 100644 --- a/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go +++ b/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go @@ -76,15 +76,7 @@ func setupTestReader(t *testing.T, logString string, containerConfig logger.Info } // createNewClient sets up the "write side" of the pipeline, creating a log event to write and send back into the test. -func createNewClient(t *testing.T, logString string, mockConnector *pipelinemock.MockPipelineConnector, containerConfig logger.Info) *ClientLogger { - // an example container metadata struct - cfgObject := logger.Info{ - Config: map[string]string{"output.elasticsearch": "localhost:9200"}, - ContainerLabels: map[string]string{"test.label": "test"}, - ContainerID: "3acc92989a97c415905eba090277b8a8834d087e58a95bed55450338ce0758dd", - ContainerName: "testContainer", - ContainerImageName: "TestImage", - } +func createNewClient(t *testing.T, logString string, mockConnector *pipelinemock.MockPipelineConnector, cfgObject logger.Info) *ClientLogger { // create a new pipeline reader for use with the libbeat client reader, err := pipereader.NewReaderFromReadCloser(pipelinemock.CreateTestInputFromLine(t, logString)) @@ -100,7 +92,7 @@ func createNewClient(t *testing.T, logString string, mockConnector *pipelinemock localLog, err := jsonfilelog.New(info) assert.NoError(t, err) - client, err := newClientFromPipeline(mockConnector, reader, 123, cfgObject, localLog) + client, err := newClientFromPipeline(mockConnector, reader, 123, cfgObject, localLog, "test") require.NoError(t, err) return client diff --git a/x-pack/dockerlogbeat/pipelinemanager/config.go b/x-pack/dockerlogbeat/pipelinemanager/config.go index 92d6e98ee9f..30813db4bf6 100644 --- a/x-pack/dockerlogbeat/pipelinemanager/config.go +++ b/x-pack/dockerlogbeat/pipelinemanager/config.go @@ -27,6 +27,7 @@ type ContainerOutputConfig struct { CloudID string `struct:"cloud.id,omitempty"` CloudAuth string `struct:"cloud.auth,omitempty"` ProxyURL string `struct:"output.elasticsearch.proxy_url,omitempty"` + BeatName string `struct:"-"` } // NewCfgFromRaw returns a ContainerOutputConfig based on a raw config we get from the API @@ -53,6 +54,7 @@ func NewCfgFromRaw(input map[string]string) (ContainerOutputConfig, error) { newCfg.Timeout = input["timeout"] newCfg.BackoffInit = input["backoff_init"] newCfg.BackoffMax = input["backoff_max"] + newCfg.BeatName = input["name"] return newCfg, nil } diff --git a/x-pack/dockerlogbeat/pipelinemanager/libbeattools.go b/x-pack/dockerlogbeat/pipelinemanager/libbeattools.go index 5c965a309c6..c96c563b3b9 100644 --- a/x-pack/dockerlogbeat/pipelinemanager/libbeattools.go +++ b/x-pack/dockerlogbeat/pipelinemanager/libbeattools.go @@ -19,7 +19,6 @@ import ( "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/cloudid" - "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/file" "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/outputs" @@ -49,8 +48,7 @@ func makeConfigHash(cfg map[string]string) string { } // load pipeline starts up a new pipeline with the given config -func loadNewPipeline(logOptsConfig ContainerOutputConfig, name string, log *logp.Logger) (*Pipeline, error) { - +func loadNewPipeline(logOptsConfig ContainerOutputConfig, hostname string, log *logp.Logger) (*Pipeline, error) { cfg, err := logOptsConfig.CreateConfig() if err != nil { return nil, err @@ -68,7 +66,7 @@ func loadNewPipeline(logOptsConfig ContainerOutputConfig, name string, log *logp return nil, fmt.Errorf("unpacking config failed: %v", err) } - info, err := getBeatInfo(cfg) + info, err := getBeatInfo(logOptsConfig, hostname) if err != nil { return nil, err } @@ -131,38 +129,25 @@ func parseCfgKeys(cfg map[string]string) (map[string]interface{}, error) { } // getBeatInfo returns the beat.Info type needed to start the pipeline -func getBeatInfo(cfg *common.Config) (beat.Info, error) { +func getBeatInfo(pluginOpts ContainerOutputConfig, hostname string) (beat.Info, error) { vers := version.GetDefaultVersion() - hostname, err := os.Hostname() - if err != nil { - return beat.Info{}, errors.Wrap(err, "error getting hostname") - } + eid, err := uuid.NewV4() if err != nil { return beat.Info{}, errors.Wrap(err, "error creating ephemeral ID") } - type nameStr struct { - Name string `config:"name"` - } - name := nameStr{} - err = cfg.Unpack(&name) - if err != nil { - return beat.Info{}, fmt.Errorf("unpacking config failed: %v", err) - } - - if name.Name == "" { - name.Name = "elastic-log-driver" - } id, err := loadMeta("/tmp/meta.json") if err != nil { return beat.Info{}, errors.Wrap(err, "error loading UUID") } + beatName := "elastic-log-driver" + info := beat.Info{ - Beat: name.Name, - Name: name.Name, - IndexPrefix: name.Name, + Beat: beatName, + Name: pluginOpts.BeatName, + IndexPrefix: "logs-docker", Hostname: hostname, Version: vers, EphemeralID: eid, diff --git a/x-pack/dockerlogbeat/pipelinemanager/pipelineManager.go b/x-pack/dockerlogbeat/pipelinemanager/pipelineManager.go index b1d04d16541..7a8f89f5bb5 100644 --- a/x-pack/dockerlogbeat/pipelinemanager/pipelineManager.go +++ b/x-pack/dockerlogbeat/pipelinemanager/pipelineManager.go @@ -55,10 +55,12 @@ type PipelineManager struct { logDirectory string // destroyLogsOnStop indicates for the client to remove log files when a container stops destroyLogsOnStop bool + // hostname of the docker host + hostname string } // NewPipelineManager creates a new Pipeline map -func NewPipelineManager(logDestroy bool) *PipelineManager { +func NewPipelineManager(logDestroy bool, hostname string) *PipelineManager { return &PipelineManager{ Logger: logp.NewLogger("PipelineManager"), pipelines: make(map[uint64]*Pipeline), @@ -66,6 +68,7 @@ func NewPipelineManager(logDestroy bool) *PipelineManager { clientLogger: make(map[string]logger.Logger), logDirectory: "/var/log/docker/containers", destroyLogsOnStop: logDestroy, + hostname: hostname, } } @@ -102,7 +105,7 @@ func (pm *PipelineManager) CreateClientWithConfig(containerConfig ContainerOutpu if err != nil { return nil, errors.Wrap(err, "error creating config hash") } - pipeline, err := pm.getOrCreatePipeline(containerConfig, file, hashstring) + pipeline, err := pm.getOrCreatePipeline(containerConfig, hashstring) if err != nil { return nil, errors.Wrap(err, "error getting pipeline") } @@ -135,7 +138,7 @@ func (pm *PipelineManager) CreateClientWithConfig(containerConfig ContainerOutpu } //actually get to crafting the new client. - cl, err := newClientFromPipeline(pipeline.pipeline, reader, hashstring, info, localLog) + cl, err := newClientFromPipeline(pipeline.pipeline, reader, hashstring, info, localLog, pm.hostname) if err != nil { return nil, errors.Wrap(err, "error creating client") } @@ -198,7 +201,7 @@ func (pm *PipelineManager) CreateReaderForContainer(info logger.Info, config log // checkAndCreatePipeline performs the pipeline check and creation as one atomic operation // It will either return a new pipeline, or an existing one from the pipeline map -func (pm *PipelineManager) getOrCreatePipeline(logOptsConfig ContainerOutputConfig, file string, hash uint64) (*Pipeline, error) { +func (pm *PipelineManager) getOrCreatePipeline(logOptsConfig ContainerOutputConfig, hash uint64) (*Pipeline, error) { pm.mu.Lock() defer pm.mu.Unlock() @@ -206,7 +209,7 @@ func (pm *PipelineManager) getOrCreatePipeline(logOptsConfig ContainerOutputConf var err error pipeline, test := pm.pipelines[hash] if !test { - pipeline, err = loadNewPipeline(logOptsConfig, file, pm.Logger) + pipeline, err = loadNewPipeline(logOptsConfig, pm.hostname, pm.Logger) if err != nil { return nil, errors.Wrap(err, "error loading pipeline") } diff --git a/x-pack/dockerlogbeat/readme.md b/x-pack/dockerlogbeat/readme.md index be06d96daa9..8be33cf2b3d 100644 --- a/x-pack/dockerlogbeat/readme.md +++ b/x-pack/dockerlogbeat/readme.md @@ -9,7 +9,7 @@ To build and install, just run `mage Package`. The build process happens entire ## Running -`docker run --log-driver=elastic-logging-plugin:8.0.0 --log-opt output.elasticsearch.hosts="172.18.0.2:9200" --log-opt output.elasticsearch.index="dockerbeat-test" -it debian:jessie /bin/bash` +`docker run --log-driver=elastic/elastic-logging-plugin:8.0.0 --log-opt hosts="172.18.0.2:9200" -it debian:jessie /bin/bash` ## Config Options @@ -57,4 +57,4 @@ This plugin fully supports `docker logs`, and it maintains a local copy of logs docker plugin set d805664c550e DESTROY_LOGS_ON_STOP=true ``` -You can also set `max-file`, `max-size` and `compress` via `--log-opts` \ No newline at end of file +You can also set `max-file`, `max-size` and `compress` via `--log-opts` diff --git a/x-pack/elastic-agent/.gitignore b/x-pack/elastic-agent/.gitignore index 34b1341919e..22e2de50947 100644 --- a/x-pack/elastic-agent/.gitignore +++ b/x-pack/elastic-agent/.gitignore @@ -1,5 +1,6 @@ # agent build/ +elastic-agent elastic-agent.dev.yml pkg/agent/operation/tests/scripts/short--1.0.yml pkg/agent/operation/tests/scripts/configurable-1.0-darwin-x86/configurable diff --git a/x-pack/elastic-agent/CHANGELOG.asciidoc b/x-pack/elastic-agent/CHANGELOG.asciidoc index 855041d47b3..bd3983e5716 100644 --- a/x-pack/elastic-agent/CHANGELOG.asciidoc +++ b/x-pack/elastic-agent/CHANGELOG.asciidoc @@ -3,15 +3,55 @@ :issue: https://github.com/elastic/beats/issues/ :pull: https://github.com/elastic/beats/pull/ - -[[release-notes-8.0.0]] -=== Agent version 8.0.0 +[[release-notes-7.9.0]] +=== Elastic Agent version 7.9.0 ==== Breaking changes -- Rename agent to elastic-agent {pull}17391[17391] - Change fleet.yml structure, causes upgraded agent to register as new agent {pull}19248[19248] - Remove obfuscation of fleet.yml, causes re-enroll of agent to Fleet {pull}19678[19678] +- Rename enroll --ca_sha256 to --ca-sha256 {pull}19900[19900] +- Rename enroll --certificate_authorities to --certificate-authorities {pull}19900[19900] + +==== Bugfixes + +- Fix install service script for windows {pull}18814[18814] +- Properly stops subprocess on shutdown {pull}19567[19567] +- Forward revision number of the configuration to the endpoint. {pull}19759[19759] +- Remove support for logs type and use logfile {pull}19761[19761] +- Avoid comparing uncomparable types on enroll {issue}19976[19976] +- Fix issues with merging of elastic-agent.yml and fleet.yml {pull}20026[20026] +- Unzip failures on Windows 8/Windows server 2012 {pull}20088[20088] +- Fix failing unit tests on windows {pull}20127[20127] +- Prevent closing closed reader {pull}20214[20214] +- Improve GRPC stop to be more relaxed {pull}20118[20118] +- Fix Windows service installation script {pull}20203[20203] +- Fix timeout issue stopping service applications {pull}20256[20256] + +==== New features + +- Change monitoring defaults for agent {pull}18927[18927] +- Agent verifies packages before using them {pull}18876[18876] +- Change stream.* to dataset.* fields {pull}18967[18967] +- Agent now runs the GRPC server and spawned application connect by to Agent {pull}18973[18973] +- Rename input.type logs to logfile {pull}19360[19360] +- Agent now installs/uninstalls Elastic Endpoint {pull}19248[19248] +- Agent now downloads Elastic Endpoint {pull}19503[19503] +- Refuse invalid stream values in configuration {pull}19587[19587] +- Agent now load balances across multiple Kibana instances {pull}19628[19628] +- Configuration cleanup {pull}19848[19848] +- Agent now sends its own logs to elasticsearch {pull}19811[19811] +- Add --insecure option to enroll command {pull}19900[19900] +- Will retry to enroll if the server return a 429. {pull}19918[19811] +- Add --staging option to enroll command {pull}20026[20026] +- Add `event.dataset` to all events {pull}20076[20076] +- Send datastreams fields {pull}20416[20416] + +[[release-notes-7.8.0]] +=== Elastic Agent version 7.8.0 + +==== Breaking changes +- Rename agent to elastic-agent {pull}17391[17391] ==== Bugfixes @@ -20,33 +60,30 @@ - Fixed merge of config {pull}17399[17399] - Handle abs paths on windows correctly {pull}17461[17461] - Improved cancellation of agent {pull}17318[17318] -- Rename the User-Agent string from Beats Agent to Elastic Agent. {pull}17765[17765] +- Fixed process spawning on Windows {pull}17751[17751] - Fix issues when running `mage package` for all the platforms. {pull}17767[17767] +- Rename the User-Agent string from Beats Agent to Elastic Agent. {pull}17765[17765] - Remove the kbn-version on each request to the Kibana API. {pull}17764[17764] -- Fixed process spawning on Windows {pull}17751[17751] - Fixed injected log path to monitoring beat {pull}17833[17833] - Make sure that the Elastic Agent connect over TLS in cloud. {pull}17843[17843] - Moved stream.* fields to top of event {pull}17858[17858] -- Fix an issue where the checkin_frequency, jitter, and backoff options where not configurable. {pull}17843[17843] -- ECS compliant Elastic agent metadata sent to fleet {pull}18006[18006] -- Use default output by default {pull}18091[18091] - Use /tmp for default monitoring endpoint location for libbeat {pull}18131[18131] +- Use default output by default {pull}18091[18091] - Fix panic and flaky tests for the Agent. {pull}18135[18135] - Fix default configuration after enroll {pull}18232[18232] - Fix make sure the collected logs or metrics include streams information. {pull}18261[18261] +- Fix version to 7.8 {pull}18286[18286] +- Fix an issue where the checkin_frequency, jitter, and backoff options where not configurable. {pull}17843[17843] +- Ensure that the beats uses the params prefer_v2_templates on bulk request. {pull}18318[18318] - Stop monitoring on config change {pull}18284[18284] - Enable more granular control of monitoring {pull}18346[18346] - Fix jq: command not found {pull}18408[18408] - Avoid Chown on windows {pull}18512[18512] -- Remove fleet admin from setup script {pull}18611[18611] -- Correctly report platform and family. {issue}18665[18665] - Clean action store after enrolling to new configuration {pull}18656[18656] - Avoid watching monitor logs {pull}18723[18723] +- Correctly report platform and family. {issue}18665[18665] - Guard against empty stream.datasource and namespace {pull}18769[18769] - Fix install service script for windows {pull}18814[18814] -- Properly stops subprocess on shutdown {pull}19567[19567] -- Forward revision number of the configuration to the endpoint. {pull}19759[19759] -- Remove support for logs type and use logfile {pull}19761[19761] ==== New features @@ -63,22 +100,12 @@ - Enable Filebeat input: S3, Azureeventhub, cloudfoundry, httpjson, netflow, o365audit. {pull}17909[17909] - Configurable log level {pull}18083[18083] - Use data subfolder as default for process logs {pull}17960[17960] -- Do not require unnecessary configuration {pull}18003[18003] -- Enable debug log level for Metricbeat and Filebeat when run under the Elastic Agent. {pull}17935[17935] - Enable introspecting configuration {pull}18124[18124] - Follow home path for all config files {pull}18161[18161] +- Do not require unnecessary configuration {pull}18003[18003] - Use nested objects so fleet can handle metadata correctly {pull}18234[18234] -- More clear output of inspect command {pull}18405[18405] +- Enable debug log level for Metricbeat and Filebeat when run under the Elastic Agent. {pull}17935[17935] - Pick up version from libbeat {pull}18350[18350] -- Use shorter hash for application differentiator {pull}18770[18770] +- More clear output of inspect command {pull}18405[18405] - When not port are specified and the https is used fallback to 443 {pull}18844[18844] -- Change monitoring defaults for agent {pull}18927[18927] -- Agent verifies packages before using them {pull}18876[18876] -- Change stream.* to dataset.* fields {pull}18967[18967] -- Agent now runs the GRPC server and spawned application connect by to Agent {pull}18973[18973] -- Rename input.type logs to logfile {pull}19360[19360] -- Agent now installs/uninstalls Elastic Endpoint {pull}19248[19248] -- Agent now downloads Elastic Endpoint {pull}19503[19503] -- Refuse invalid stream values in configuration {pull}19587[19587] -- Agent now load balances across multiple Kibana instances {pull}19628[19628] -- Configuration cleanup {pull}19848[19848] +- Basic upgrade process {pull}21002[21002] diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc new file mode 100644 index 00000000000..3963dda9a12 --- /dev/null +++ b/x-pack/elastic-agent/CHANGELOG.next.asciidoc @@ -0,0 +1,28 @@ +// Use these for links to issue and pulls. Note issues and pulls redirect one to +// each other on Github, so don't worry too much on using the right prefix. +:issue: https://github.com/elastic/beats/issues/ +:pull: https://github.com/elastic/beats/pull/ + +=== Elastic Agent version HEAD + +==== Breaking changes + +- Docker container is not run as root by default. {pull}21213[21213] + +==== Bugfixes +- Thread safe sorted set {pull}21290[21290] +- Copy Action store on upgrade {pull}21298[21298] +- Include inputs in action store actions {pull}21298[21298] + +==== New features + +- Prepare packaging for endpoint and asc files {pull}20186[20186] +- Improved version CLI {pull}20359[20359] +- Enroll CLI now restarts running daemon {pull}20359[20359] +- Add restart CLI cmd {pull}20359[20359] +- Add new `synthetics/*` inputs to run Heartbeat {pull}20387[20387] +- Users of the Docker image can now pass `FLEET_ENROLL_INSECURE=1` to include the `--insecure` flag with the `elastic-agent enroll` command {issue}20312[20312] {pull}20713[20713] +- Add `docker` composable dynamic provider. {pull}20842[20842] +- Add support for dynamic inputs with providers and `{{variable|"default"}}` substitution. {pull}20839[20839] +- Add support for EQL based condition on inputs {pull}20994[20994] +- Send `fleet.host.id` to Endpoint Security {pull}21042[21042] diff --git a/x-pack/elastic-agent/GPG-KEY-elasticsearch b/x-pack/elastic-agent/GPG-KEY-elasticsearch new file mode 100644 index 00000000000..1b50dcca799 --- /dev/null +++ b/x-pack/elastic-agent/GPG-KEY-elasticsearch @@ -0,0 +1,31 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.14 (GNU/Linux) + +mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD +A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9 +CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ +j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd +1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD +2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg +KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy +Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC +F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 +nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/ +7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm +TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe +8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/ +eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl +zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT +RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+ +1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+ +Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt +KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww +EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0 +c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J +TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j +6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7 +vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM +cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/ +qPDlGRlOgVTd9xUfHFkzB52c70E= +=92oX +-----END PGP PUBLIC KEY BLOCK----- diff --git a/x-pack/elastic-agent/Jenkinsfile.yml b/x-pack/elastic-agent/Jenkinsfile.yml new file mode 100644 index 00000000000..8f99e11da3c --- /dev/null +++ b/x-pack/elastic-agent/Jenkinsfile.yml @@ -0,0 +1,32 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^x-pack/elastic-agent/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@xpack" ## special token regarding the changeset for the xpack + comments: ## when PR comment contains any of those entries + - "/test x-pack/elastic-agent" + labels: ## when PR labels matches any of those entries + - "x-pack-elastic-agent" + parameters: ## when parameter was selected in the UI. + - "x-pack-elastic-agent" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage build test" + macos: + mage: "mage build unitTest" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test x-pack/elastic-agent for macos" + labels: + - "macOS" + parameters: + - "macosTest" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/x-pack/elastic-agent/_meta/config/common.p2.yml.tmpl b/x-pack/elastic-agent/_meta/config/common.p2.yml.tmpl index c81236e8844..e88dea9534e 100644 --- a/x-pack/elastic-agent/_meta/config/common.p2.yml.tmpl +++ b/x-pack/elastic-agent/_meta/config/common.p2.yml.tmpl @@ -17,7 +17,7 @@ inputs: # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # # Cannot start with -, _, + # Cannot be . or .. - dataset.namespace: default + data_stream.namespace: default use_output: default streams: - metricset: cpu @@ -27,13 +27,13 @@ inputs: # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # # Cannot start with -, _, + # Cannot be . or .. - dataset.name: system.cpu + data_stream.dataset: system.cpu - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory - metricset: network - dataset.name: system.network + data_stream.dataset: system.network - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem # agent.monitoring: # # enabled turns on monitoring of running processes diff --git a/x-pack/elastic-agent/_meta/config/common.reference.p2.yml.tmpl b/x-pack/elastic-agent/_meta/config/common.reference.p2.yml.tmpl index e0b1b26dfd9..55ed22e65a3 100644 --- a/x-pack/elastic-agent/_meta/config/common.reference.p2.yml.tmpl +++ b/x-pack/elastic-agent/_meta/config/common.reference.p2.yml.tmpl @@ -17,7 +17,7 @@ inputs: # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # # Cannot start with -, _, + # Cannot be . or .. - dataset.namespace: default + data_stream.namespace: default use_output: default streams: - metricset: cpu @@ -27,13 +27,13 @@ inputs: # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # # Cannot start with -, _, + # Cannot be . or .. - dataset.name: system.cpu + data_stream.dataset: system.cpu - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory - metricset: network - dataset.name: system.network + data_stream.dataset: system.network - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem # management: # # Mode of management, the Elastic Agent support two modes of operation: diff --git a/x-pack/elastic-agent/_meta/config/elastic-agent.docker.yml.tmpl b/x-pack/elastic-agent/_meta/config/elastic-agent.docker.yml.tmpl index 90e83056932..2f8187a1604 100644 --- a/x-pack/elastic-agent/_meta/config/elastic-agent.docker.yml.tmpl +++ b/x-pack/elastic-agent/_meta/config/elastic-agent.docker.yml.tmpl @@ -17,7 +17,7 @@ inputs: # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # # Cannot start with -, _, + # Cannot be . or .. - dataset.namespace: default + data_stream.namespace: default use_output: default streams: - metricset: cpu @@ -27,13 +27,13 @@ inputs: # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # # Cannot start with -, _, + # Cannot be . or .. - dataset.name: system.cpu + data_stream.dataset: system.cpu - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory - metricset: network - dataset.name: system.network + data_stream.dataset: system.network - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem # management: # # Mode of management, the Elastic Agent support two modes of operation: diff --git a/x-pack/elastic-agent/_meta/elastic-agent.yml b/x-pack/elastic-agent/_meta/elastic-agent.yml index b084f0661a1..eca546cec03 100644 --- a/x-pack/elastic-agent/_meta/elastic-agent.yml +++ b/x-pack/elastic-agent/_meta/elastic-agent.yml @@ -17,7 +17,7 @@ inputs: # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # # Cannot start with -, _, + # Cannot be . or .. - dataset.namespace: default + data_stream.namespace: default use_output: default streams: - metricset: cpu @@ -27,13 +27,13 @@ inputs: # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # # Cannot start with -, _, + # Cannot be . or .. - dataset.name: system.cpu + data_stream.dataset: system.cpu - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory - metricset: network - dataset.name: system.network + data_stream.dataset: system.network - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem # management: # # Mode of management, the Elastic Agent support two modes of operation: diff --git a/x-pack/elastic-agent/control.proto b/x-pack/elastic-agent/control.proto new file mode 100644 index 00000000000..0c5645faab9 --- /dev/null +++ b/x-pack/elastic-agent/control.proto @@ -0,0 +1,119 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +syntax = "proto3"; + +package proto; + +option cc_enable_arenas = true; +option go_package = "pkg/agent/control/proto;proto"; + +// Status codes for the current state. +enum Status { + STARTING = 0; + CONFIGURING = 1; + HEALTHY = 2; + DEGRADED = 3; + FAILED = 4; + STOPPING = 5; + UPGRADING = 6; + ROLLBACK = 7; +} + +// Action status codes for restart and upgrade response. +enum ActionStatus { + // Action was successful. + SUCCESS = 0; + // Action failed. + FAILURE = 1; +} + +// Empty message. +message Empty { +} + +// Version response message. +message VersionResponse { + // Current running version. + string version = 1; + // Current running commit. + string commit = 2; + // Current running build time. + string buildTime = 3; + // Current running version is a snapshot. + bool snapshot = 4; +} + +message RestartResponse { + // Response status. + ActionStatus status = 1; + // Error message when it fails to trigger restart. + string error = 2; +} + +// Upgrade request message. +message UpgradeRequest { + // (Optional) Version to upgrade to. + // + // If not provided Elastic Agent will auto discover the latest version in the same major + // to upgrade to. If wanting to upgrade to a new major that major must be present in the + // this version field. + string version = 1; + + // (Optional) Use a different source URI then configured. + // + // If provided the upgrade process will use the provided sourceURI instead of the configured + // sourceURI in the configuration. + string sourceURI = 2; +} + +// A upgrade response message. +message UpgradeResponse { + // Response status. + ActionStatus status = 1; + + // Version that is being upgraded to. + string version = 2; + + // Error message when it fails to trigger upgrade. + string error = 3; +} + +// Current status of the application in Elastic Agent. +message ApplicationStatus { + // Unique application ID. + string id = 1; + // Application name. + string name = 2; + // Current status. + Status status = 3; + // Current status message. + string message = 4; + // Current status payload. + string payload = 5; +} + +// Status is the current status of Elastic Agent. +message StatusResponse { + // Overall status of Elastic Agent. + Status status = 1; + // Overall status message of Elastic Agent. + string message = 2; + // Status of each application in Elastic Agent. + repeated ApplicationStatus applications = 3; +} + +service ElasticAgentControl { + // Fetches the currently running version of the Elastic Agent. + rpc Version(Empty) returns (VersionResponse); + + // Fetches the currently status of the Elastic Agent. + rpc Status(Empty) returns (StatusResponse); + + // Restart restarts the current running Elastic Agent. + rpc Restart(Empty) returns (RestartResponse); + + // Upgrade starts the upgrade process of Elastic Agent. + rpc Upgrade(UpgradeRequest) returns (UpgradeResponse); +} diff --git a/x-pack/elastic-agent/dev-tools/cmd/buildpgp/build_pgp.go b/x-pack/elastic-agent/dev-tools/cmd/buildpgp/build_pgp.go new file mode 100644 index 00000000000..55bb33f1fc0 --- /dev/null +++ b/x-pack/elastic-agent/dev-tools/cmd/buildpgp/build_pgp.go @@ -0,0 +1,113 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package main + +import ( + "bytes" + "flag" + "fmt" + "go/format" + "io/ioutil" + "os" + "text/template" + + "github.com/elastic/beats/v7/licenses" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/packer" +) + +var ( + input string + output string + license string +) + +func init() { + flag.StringVar(&input, "in", "", "Source of input. \"-\" means reading from stdin") + flag.StringVar(&output, "out", "-", "Output path. \"-\" means writing to stdout") + flag.StringVar(&license, "license", "Elastic", "License header for generated file.") +} + +var tmplPgp = template.Must(template.New("pgp").Parse(` +{{ .License }} +// Code generated by x-pack/dev-tools/cmd/buildspec/buildPgp.go - DO NOT EDIT. + +package release + +import ( + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/packer" +) + +// pgp bytes is a packed in public gpg key +var pgpBytes []byte + +func init() { + // Packed Files + {{ range $i, $f := .Files -}} + // {{ $f }} + {{ end -}} + pgpBytes = packer.MustUnpack("{{ .Pack }}")["GPG-KEY-elasticsearch"] +} + +// PGP return pgpbytes and a flag describing whether or not no pgp is valid. +func PGP() (bool, []byte) { + return allowEmptyPgp == "true", pgpBytes +} +`)) + +func main() { + flag.Parse() + + if len(input) == 0 { + fmt.Fprintln(os.Stderr, "Invalid input source") + os.Exit(1) + } + + l, err := licenses.Find(license) + if err != nil { + fmt.Fprintf(os.Stderr, "problem to retrieve the license, error: %+v", err) + os.Exit(1) + return + } + + data, err := gen(input, l) + if err != nil { + fmt.Fprintf(os.Stderr, "Error while generating the file, err: %+v\n", err) + os.Exit(1) + } + + if output == "-" { + os.Stdout.Write(data) + return + } else { + ioutil.WriteFile(output, data, 0640) + } + + return +} + +func gen(path string, l string) ([]byte, error) { + pack, files, err := packer.Pack(input) + if err != nil { + return nil, err + } + + var buf bytes.Buffer + tmplPgp.Execute(&buf, struct { + Pack string + Files []string + License string + }{ + Pack: pack, + Files: files, + License: l, + }) + + formatted, err := format.Source(buf.Bytes()) + if err != nil { + return nil, err + } + + return formatted, nil +} diff --git a/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/action_example.json b/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/action_example.json index d76fe58aed2..327b79ed347 100644 --- a/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/action_example.json +++ b/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/action_example.json @@ -1,6 +1,5 @@ { "action": "checkin", - "success": true, "actions": [ { "type": "CONFIG_CHANGE", diff --git a/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/main.go b/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/main.go index 3a40641678a..11d90d13773 100644 --- a/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/main.go +++ b/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/main.go @@ -27,12 +27,11 @@ var ( mutex sync.Mutex pathCheckin = regexp.MustCompile(`^/api/fleet/agents/(.+)/checkin`) - checkinResponse = response{Actions: make([]action, 0), Success: true} + checkinResponse = response{Actions: make([]action, 0)} ) type response struct { Actions []action `json:"actions"` - Success bool `json:"success"` } type action interface{} @@ -78,8 +77,7 @@ func handlerEnroll(w http.ResponseWriter, r *http.Request) { } response := &fleetapi.EnrollResponse{ - Action: "created", - Success: true, + Action: "created", Item: fleetapi.EnrollItemResponse{ ID: "a4937110-e53e-11e9-934f-47a8e38a522c", Active: true, @@ -147,7 +145,6 @@ func handlerAction(w http.ResponseWriter, r *http.Request) { checkinResponse = resp w.WriteHeader(http.StatusCreated) - w.Write([]byte(`{ "success": true }`)) log.Println("Action request: ", string(c)) } diff --git a/x-pack/elastic-agent/docs/elastic-agent-command-line.asciidoc b/x-pack/elastic-agent/docs/elastic-agent-command-line.asciidoc index bbbd083e8cc..e102d5b4787 100644 --- a/x-pack/elastic-agent/docs/elastic-agent-command-line.asciidoc +++ b/x-pack/elastic-agent/docs/elastic-agent-command-line.asciidoc @@ -1,22 +1,277 @@ +:global-flags-link: For more flags, see <>. + [[elastic-agent-cmd-options]] [role="xpack"] -= Command line options += {agent} command line options -experimental[] +++++ +Command line options +++++ -The `elastic-agent run` command provides flags that alter the behavior of an -agent: +beta[] + +{agent} provides commands for running the agent and doing common tasks: + +* <> +* <> +* <> +* <> +* <> + +++++ +
+++++ + +[discrete] +[[elastic-agent-enroll-command]] +== elastic-agent enroll + +Enroll the {elastic-agent} in {fleet}. + +We recommend that you run this command as the root user because some +integrations require root privileges to collect sensitive data. This command +overwrites the `elastic-agent.yml` file in the agent directory. + +[discrete] +=== Synopsis + +[source,shell] +---- +elastic-agent enroll [--ca-sha256 ] + [--certificate-authorities ] [--force] [--help] + [--insecure][global-flags] +---- + +[discrete] +=== Options + +`kibana_url`:: +Required. URL of the {kib} endpoint where {ingest-manager} is running. + +`enrollment_token`:: +Required. Enrollment token generated by {ingest-manager}. You can use the same +enrollment token for multiple agents. + +`--ca-sha256 `:: +Comma-separated list of certificate authority hash pins used for certificate +verification. + +`--certificate-authorities `:: +Comma-separated list of root certificates used for server verification. + +`--force`:: +Force overwrite of current configuration without prompting for confirmation. +This flag is helpful when using automation software or scripted deployments. + +`--help`:: +Show help for the `enroll` command. + +`--insecure`:: +Allow an insecure connection to {kib}. When this flag is specified, API keys are +sent in clear text. We strongly recommend that you use a secure connection. + +{global-flags-link} + +[discrete] +=== Example + +[source,shell] +---- +elastic-agent enroll http://localhost:5601 ZnmNIdzVITUJua2QIdU5FTWROVjY6dHY2N1EybWNTMUdPejg5ODbYcVpNUQ== +---- + +++++ +
+++++ + +[discrete] +[[elastic-agent-help-command]] +== elastic-agent help + +Show help for a specific command. + +[discrete] +=== Synopsis + +[source,shell] +---- +elastic-agent help [--help] [global-flags] +---- + +[discrete] +=== Options + +`command`:: +The name of the command. + +`--help`:: +Show help for the `help` command. + +{global-flags-link} + +[discrete] +=== Example + +[source,shell] +---- +elastic-agent help enroll +---- + +++++ +
+++++ + +[discrete] +[[elastic-agent-inspect-command]] +== elastic-agent inspect + +Show the current {agent} configuration. + +If no parameters are specified, shows the full {agent} configuration. + +[discrete] +=== Synopsis + +[source,shell] +---- +elastic-agent inspect [--help] [global-flags] +elastic-agent inspect output [--output ] [--program ] + [--help] [global-flags] +---- -`-path.home`:: -The home directory of the {agent}. `path.home` determines the location of the -configuration files and data directory. -`-c`:: -The configuration file to load. If not specified, {agent} uses +//TODO: Clarify what these commands return. + +[discrete] +=== Options + +`output`:: Display the current configuration for the output. This command +accepts additional flags: ++ +-- +`--output `:: +The name of the output to inspect. + +`--program `:: +The type of program to inspect. For example, `filebeat`. This option must be +combined with `--output`. +-- + +`--help`:: +Show help for the `inspect` command. + +{global-flags-link} + +[discrete] +=== Examples + +[source,shell] +---- +elastic-agent inspect +elastic-agent inspect output --output default +elastic-agent inspect output --output default --program filebeat +---- + +++++ +
+++++ + +[discrete] +[[elastic-agent-run-command]] +== elastic-agent run + +Start the `elastic-agent` process. + +[discrete] +=== Synopsis + +[source,shell] +---- +elastic-agent run [global-flags] +---- + +[discrete] +[[elastic-agent-global-flags]] +=== Global flags + +These flags are valid whenever you run `elastic-agent` on the command line. + +`-c `:: +The configuration file to use. If not specified, {agent} uses `{path.home}/elastic-agent.yml`. -`-path.data`:: -The data directory used by {agent} to store downloaded artifacts. Also stores -logs for any {beats} started and managed by {agent}. +`--e`:: +Log to stderr and disable syslog/file output. + +`--environment `:: +The environment in which the agent will run. + +//TODO: Clarify what we mean by environment by showing an example. + +`--path.config `:: +The directory where {agent} looks for its configuration file. The default +varies by platform. + +`--path.data `:: +The data directory where {agent} stores managed binaries and their logs. Also +stores logs for any programs started and managed by {agent}. + If not specified, {agent} uses `{path.home}/data`. + +`--path.home `:: +The home directory of {agent}. `path.home` determines the location of the +configuration files and data directory. ++ +If not specified, {agent} uses the current working directory. + +`--path.logs `:: +Path to the log output for {agent}. The default varies by platform. + +`--v`:: +Set log level to INFO. + +[discrete] +=== Example + +[source,shell] +---- +elastic-agent run -v --path.logs path/to/my/logs +---- + +++++ +
+++++ + +[discrete] +[[elastic-agent-version-command]] +== elastic-agent version + +Show the version of {agent}. + +[discrete] +=== Synopsis + +[source,shell] +---- +elastic-agent version [--help] [global-flags] +---- + +[discrete] +=== Options + +`--help`:: +Show help for the `version` command. + +{global-flags-link} + +[discrete] +=== Example + +[source,shell] +---- +elastic-agent version +---- + +++++ +
+++++ diff --git a/x-pack/elastic-agent/docs/elastic-agent-configuration-example.asciidoc b/x-pack/elastic-agent/docs/elastic-agent-configuration-example.asciidoc index 464712c6a27..b5f0ed0aef6 100644 --- a/x-pack/elastic-agent/docs/elastic-agent-configuration-example.asciidoc +++ b/x-pack/elastic-agent/docs/elastic-agent-configuration-example.asciidoc @@ -2,7 +2,7 @@ [role="xpack"] = Configuration example -experimental[] +beta[] The following example shows a full list of configuration options: diff --git a/x-pack/elastic-agent/docs/elastic-agent-configuration.asciidoc b/x-pack/elastic-agent/docs/elastic-agent-configuration.asciidoc index 4dcdad698b5..d72c572370c 100644 --- a/x-pack/elastic-agent/docs/elastic-agent-configuration.asciidoc +++ b/x-pack/elastic-agent/docs/elastic-agent-configuration.asciidoc @@ -2,20 +2,29 @@ [role="xpack"] = Configuration settings -experimental[] +beta[] + +// TODO: This topic assumes users know what standalone and fleet are. When we +// add the settings reference, we should clean this up: describe the available +// options, then show how to configure them manually for standalone. We should +// assume Fleet is the common use case, even if it's not the default, and make +// sure this reference is useful for both use cases. By default {agent} runs in standalone mode to ingest system data and send it to a local {es} instance running on port 9200. It uses the demo credentials of the -`elastic` user. It's also configured to monitor all {beats} managed by the Agent -and send the {beats} logs and metrics to the same {es) instance. +`elastic` user. It's also configured to monitor all programs managed by {agent} +and send the logs and metrics to the same {es} instance. -To alter this behavior, configure the output and other configuration settings: +To alter this behavior, configure the output and other configuration settings. +When running the agent standalone, specify configuration settings in the +`elastic-agent.yml` file. When using {fleet}, do not modify settings in +the `elastic-agent.yml` file. Instead, use {ingest-manager} in {kib} to change +settings. -* <> -* <> -* <> +TIP: To get started quickly, you can use {fleet} to generate a standalone +configuration. For more information, see <>. -[float] +[discrete] [[elastic-agent-output-configuration]] == Output settings @@ -51,7 +60,7 @@ username and password pair, and the second one contains an API key. A default output configuration is required. ============== -[float] +[discrete] [[elastic-agent-monitoring-configuration]] == {beats} monitoring settings @@ -81,8 +90,9 @@ To enable monitoring, set `agent.monitoring.enabled` to `true`. Also set the collected. If neither setting is specified, monitoring is disabled. Set `use_output` to specify the output to which monitoring events are sent. -[[elastic-agent-datasource-configuration]] -== Datasource settings +[discrete] +[[elastic-agent-input-configuration]] +== Input settings By default {agent} collects system metrics, such as cpu, memory, network, and filesystem metrics, and sends them to the default output. For example: @@ -92,17 +102,17 @@ filesystem metrics, and sends them to the default output. For example: ------------------------------------------------------------------------------------- inputs: - type: system/metrics - dataset.namespace: default + data_stream.namespace: default use_output: default streams: - metricset: cpu - dataset.name: system.cpu + data_stream.dataset: system.cpu - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory - metricset: network - dataset.name: system.network + data_stream.dataset: system.network - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem ------------------------------------------------------------------------------------- If `use_output` is not specified, the `default` output is used. diff --git a/x-pack/elastic-agent/docs/elastic-agent.asciidoc b/x-pack/elastic-agent/docs/elastic-agent.asciidoc index 1dc9a1a8ba3..274cf9b0b63 100644 --- a/x-pack/elastic-agent/docs/elastic-agent.asciidoc +++ b/x-pack/elastic-agent/docs/elastic-agent.asciidoc @@ -1,20 +1,24 @@ +:release-state: released + [[elastic-agent-installation-configuration]] [role="xpack"] = Manage your {agent}s -experimental[] +beta[] // tag::agent-install-intro[] {agent} is a single, unified agent that you can deploy to hosts or containers to collect data and send it to the {stack}. Behind the scenes, {agent} runs the -{beats} shippers or Endpoint required for your configuration. +{beats} shippers or Elastic Endpoint required for your configuration. // end::agent-install-intro[] To learn how to install, configure, and run your {agent}s, see: * <> * <> +* <> +* <> * <> * <> @@ -22,6 +26,10 @@ include::install-elastic-agent.asciidoc[leveloffset=+1] include::run-elastic-agent.asciidoc[leveloffset=+1] +include::stop-elastic-agent.asciidoc[leveloffset=+1] + +include::unenroll-elastic-agent.asciidoc[leveloffset=+1] + include::elastic-agent-command-line.asciidoc[leveloffset=+1] include::elastic-agent-configuration.asciidoc[leveloffset=+1] diff --git a/x-pack/elastic-agent/docs/elastic-agent_configuration_example.yml b/x-pack/elastic-agent/docs/elastic-agent_configuration_example.yml index 5bffc62d44d..c0e21caae6e 100644 --- a/x-pack/elastic-agent/docs/elastic-agent_configuration_example.yml +++ b/x-pack/elastic-agent/docs/elastic-agent_configuration_example.yml @@ -109,7 +109,7 @@ inputs: - type: logfile name: epm/nginx version: 1.7.0 - dataset.namespace: prod + data_stream.namespace: prod # constraints are still Experimental and should not be used in production. constraints?: # Contraints look are not final @@ -120,16 +120,16 @@ inputs: streams: - id?: {id} enabled?: true # default to true - dataset.name: nginx.acccess + data_stream.dataset: nginx.acccess paths: /var/log/nginx/access.log - id?: {id} enabled?: true # default to true - dataset.name: nginx.error + data_stream.dataset: nginx.error paths: /var/log/nginx/error.log - type: nginx/metricspackage?: name: epm/nginx version: 1.7.0 - dataset.namespace: prod + data_stream.namespace: prod # constraints are still Experimental and should not be used in production. constraints?: # Contraints look are not final @@ -139,7 +139,7 @@ inputs: streams: - id?: {id} enabled?: true # default to true - dataset.name: nginx.stub_status + data_stream.dataset: nginx.stub_status metricset: stub_status ################################################################################################# @@ -148,11 +148,11 @@ inputs: - type: kafka id: kafka-x1 title: "Consume data from kafka" - dataset.namespace: prod + data_stream.namespace: prod use_output: long_term_storage host: localhost:6566 streams: - - dataset.name: foo.dataset + - data_stream.dataset: foo.dataset topic: foo processors: - extract_bro_specifics @@ -171,54 +171,54 @@ inputs: - id?: {id} enabled?: false # default true metricset: cpu - dataset.name: system.cpu + data_stream.dataset: system.cpu metrics: ["percentages", "normalized_percentages"] period: 10s - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory period: 10s - metricset: diskio - dataset.name: system.diskio + data_stream.dataset: system.diskio period: 10s - metricset: load - dataset.name: system.load + data_stream.dataset: system.load period: 10s - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory period: 10s - metricset: process - dataset.name: system.process + data_stream.dataset: system.process processes: ["firefox*"] include_top_n: by_cpu: 5 # include top 5 processes by CPU by_memory: 5 # include top 5 processes by memory period: 10s - metricset: process_summary - dataset.name: system.process_summary + data_stream.dataset: system.process_summary period: 10s - metricset: uptime - dataset.name: system.uptime + data_stream.dataset: system.uptime period: 15m - metricset: socket_summary - dataset.name: system.socket_summary + data_stream.dataset: system.socket_summary period: 10s - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem period: 10s - metricset: raid - dataset.name: system.raid + data_stream.dataset: system.raid period: 10s - metricset: socket - dataset.name: system.socket + data_stream.dataset: system.socket period: 10s - metricset: service - dataset.name: system.service + data_stream.dataset: system.service period: 10s - metricset: fsstat - dataset.name: system.fsstat + data_stream.dataset: system.fsstat period: 10s - metricset: foo - dataset.name: system.foo + data_stream.dataset: system.foo period: 10s @@ -234,23 +234,23 @@ inputs: streams: - id?: {id} enabled?: true # default to true - dataset.name: elasticsearch.audit + data_stream.dataset: elasticsearch.audit paths: [/var/log/elasticsearch/*_access.log, /var/log/elasticsearch/*_audit.log] - id?: {id} enabled?: true - dataset.name: elasticsearch.deprecation + data_stream.dataset: elasticsearch.deprecation paths: [/var/log/elasticsearch/*_deprecation.log] - id?: {id} enabled?: true - dataset.name: elasticsearch.gc + data_stream.dataset: elasticsearch.gc paths: [/var/log/elasticsearch/*_gc.log, /var/log/elasticsearch/*_gc.log.[0-9]*] - id?: {id} enabled?: true - dataset.name: elasticsearch.server + data_stream.dataset: elasticsearch.server paths: [/var/log/elasticsearch/*.log] - id?: {id} enabled?: true - dataset.name: elasticsearch.slowlog + data_stream.dataset: elasticsearch.slowlog paths: [/var/log/elasticsearch/*_index_search_slowlog.log, /var/log/elasticsearch/*_index_indexing_slowlog.log] - type: elasticsearch/metrics id?: my-endpoint @@ -271,36 +271,36 @@ inputs: streams: - id?: {id} metricset: ccr - dataset.name: elasticseach.ccr + data_stream.dataset: elasticseach.ccr period: 10s - id?: {id} metricset: cluster_stats - dataset.name: elasticseach.cluster_stats + data_stream.dataset: elasticseach.cluster_stats period: 10s - id?: {id} metricset: enrich - dataset.name: elasticseach.enrich + data_stream.dataset: elasticseach.enrich period: 10s - id?: {id} metricset: index - dataset.name: elasticseach.index + data_stream.dataset: elasticseach.index period: 10s - id?: {id} metricset: index_recovery - dataset.name: elasticseach.index_recovery + data_stream.dataset: elasticseach.index_recovery active_only: true period: 10s - id?: {id} metricset: ml_jobs - dataset.name: elasticseach.ml_jobs + data_stream.dataset: elasticseach.ml_jobs period: 10s - id?: {id} metricset: node_stats - dataset.name: elasticseach.node_stats + data_stream.dataset: elasticseach.node_stats period: 10s - id?: {id} metricset: shard - dataset.name: elasticseach.shard + data_stream.dataset: elasticseach.shard period: 10s ################################################################################################# @@ -318,16 +318,16 @@ inputs: #shared_credential_file: /etc/filebeat/aws_credentials streams: - id?: {id} - dataset.name: aws.s3 + data_stream.dataset: aws.s3 queue_url: https://sqs.myregion.amazonaws.com/123456/sqs-queue - id?: {id} - dataset.name: aws.s3access + data_stream.dataset: aws.s3access queue_url: https://sqs.myregion.amazonaws.com/123456/sqs-queue - id?: {id} - dataset.name: aws.vpcflow + data_stream.dataset: aws.vpcflow queue_url: https://sqs.myregion.amazonaws.com/123456/sqs-queue - id?: {id} - dataset.name: aws.cloudtrail + data_stream.dataset: aws.cloudtrail queue_url: https://sqs.myregion.amazonaws.com/123456/sqs-queue - type: aws/metrics id?: my-aws @@ -343,11 +343,11 @@ inputs: streams: - id?: {id} metricset: usage - dataset.name: aws.usage + data_stream.dataset: aws.usage period: 5m - id?: {id} metricset: cloudwatch - dataset.name: aws.cloudwatch + data_stream.dataset: aws.cloudwatch period: 5m name: ["CPUUtilization", "DiskWriteOps"] resource_type: ec2:instance @@ -357,43 +357,43 @@ inputs: statistic: ["Average", "Maximum"] - id?: {id} metricset: ebs - dataset.name: aws.ebs + data_stream.dataset: aws.ebs period: 5m - id?: {id} metricset: ec2 - dataset.name: aws.ec2 + data_stream.dataset: aws.ec2 period: 5m - id?: {id} metricset: elb - dataset.name: aws.elb + data_stream.dataset: aws.elb period: 5m - id?: {id} metricset: sns - dataset.name: aws.sns + data_stream.dataset: aws.sns period: 5m - id?: {id} metricset: sqs - dataset.name: aws.sqs + data_stream.dataset: aws.sqs period: 5m - id?: {id} metricset: rds - dataset.name: aws.rds + data_stream.dataset: aws.rds period: 5m - id?: {id} metricset: billing - dataset.name: aws.billing + data_stream.dataset: aws.billing period: 12h - id?: {id} metricset: billing - dataset.name: aws.billing + data_stream.dataset: aws.billing period: 12h - id?: {id} metricset: s3_daily_storage - dataset.name: aws.s3_daily_storage + data_stream.dataset: aws.s3_daily_storage period: 24h - id?: {id} metricset: s3_request - dataset.name: aws.s3_request + data_stream.dataset: aws.s3_request period: 24h @@ -418,27 +418,27 @@ inputs: streams: - id?: {id} metricset: node - dataset.name: kubernetes.node + data_stream.dataset: kubernetes.node period: 10s - id?: {id} metricset: system - dataset.name: kubernetes.system + data_stream.dataset: kubernetes.system period: 10s - id?: {id} metricset: pod - dataset.name: kubernetes.pod + data_stream.dataset: kubernetes.pod period: 10s - id?: {id} metricset: container - dataset.name: kubernetes.container + data_stream.dataset: kubernetes.container period: 10s - id?: {id} metricset: container - dataset.name: kubernetes.container + data_stream.dataset: kubernetes.container period: 10s - id?: {id} metricset: event - dataset.name: kubernetes.event + data_stream.dataset: kubernetes.event period: 10s - type: kubernetes-state/metrics id?: my-kubernetes @@ -450,51 +450,51 @@ inputs: streams: - id?: {id} metricset: state_node - dataset.name: kubernetes.node + data_stream.dataset: kubernetes.node period: 10s - id?: {id} metricset: state_deployment - dataset.name: kubernetes.deployment + data_stream.dataset: kubernetes.deployment period: 10s - id?: {id} metricset: state_replicaset - dataset.name: kubernetes.replicaset + data_stream.dataset: kubernetes.replicaset period: 10s - id?: {id} metricset: state_statefulset - dataset.name: kubernetes.statefulset + data_stream.dataset: kubernetes.statefulset period: 10s - id?: {id} metricset: state_pod - dataset.name: kubernetes.pod + data_stream.dataset: kubernetes.pod period: 10s - id?: {id} metricset: state_container - dataset.name: kubernetes.container + data_stream.dataset: kubernetes.container period: 10s - id?: {id} metricset: state_container - dataset.name: kubernetes.container + data_stream.dataset: kubernetes.container period: 10s - id?: {id} metricset: state_cronjob - dataset.name: kubernetes.cronjob + data_stream.dataset: kubernetes.cronjob period: 10s - id?: {id} metricset: state_resourcequota - dataset.name: kubernetes.resourcequota + data_stream.dataset: kubernetes.resourcequota period: 10s - id?: {id} metricset: state_service - dataset.name: kubernetes.service + data_stream.dataset: kubernetes.service period: 10s - id?: {id} metricset: state_persistentvolume - dataset.name: kubernetes.persistentvolume + data_stream.dataset: kubernetes.persistentvolume period: 10s - id?: {id} metricset: state_persistentvolumeclaim - dataset.name: kubernetes.persistentvolumeclaim + data_stream.dataset: kubernetes.persistentvolumeclaim period: 10s ################################################################################################# @@ -517,35 +517,35 @@ inputs: streams: - id?: {id} metricset: container - dataset.name: docker.container + data_stream.dataset: docker.container period: 10s - id?: {id} metricset: cpu - dataset.name: docker.cpu + data_stream.dataset: docker.cpu period: 10s - id?: {id} metricset: diskio - dataset.name: docker.diskio + data_stream.dataset: docker.diskio period: 10s - id?: {id} metricset: event - dataset.name: docker.event + data_stream.dataset: docker.event period: 10s - id?: {id} metricset: healthcheck - dataset.name: docker.healthcheck + data_stream.dataset: docker.healthcheck period: 10s - id?: {id} metricset: info - dataset.name: docker.info + data_stream.dataset: docker.info period: 10s - id?: {id} metricset: memory - dataset.name: docker.memory + data_stream.dataset: docker.memory period: 10s - id?: {id} metricset: network - dataset.name: docker.network + data_stream.dataset: docker.network period: 10s ################################################################################################# @@ -555,14 +555,14 @@ inputs: - type: log id?: suricata-x1 title: Suricata's data - dataset.namespace: "abc" + data_stream.namespace: "abc" package: name: suricata version: x.x.x streams: - id?: {id} type: "typeX" - dataset.name: suricata.logs + data_stream.dataset: suricata.logs path: /var/log/surcata/eve.json ################################################################################################# @@ -571,7 +571,7 @@ inputs: - type: endpoint # Reserved key word id?: myendpoint-x1 title: Endpoint configuration - dataset.namespace: "canada" + data_stream.namespace: "canada" package: name: endpoint version: xxx @@ -627,7 +627,7 @@ inputs: - type: endpoint # Reserved key word id?: myendpoint-1 title: Endpoint configuration - dataset.namespace: "canada" + data_stream.namespace: "canada" package: name: epm/endpoint # This establish the link with the package and will allow to link it to endpoint app. version: xxx diff --git a/x-pack/elastic-agent/docs/install-elastic-agent.asciidoc b/x-pack/elastic-agent/docs/install-elastic-agent.asciidoc index 3f8df7bb94c..d8dfd49d5c4 100644 --- a/x-pack/elastic-agent/docs/install-elastic-agent.asciidoc +++ b/x-pack/elastic-agent/docs/install-elastic-agent.asciidoc @@ -2,84 +2,99 @@ [role="xpack"] = Install {agent} -experimental[] +beta[] -Download and install the Agent on each system you want to monitor. - -//TODO: Replace with tabbed panel when the code is stable. +Download and install {agent} on each system you want to monitor. // tag::install-elastic-agent[] To download and install {elastic-agent}, use the commands that work with your system: -*mac:* +include::{beats-repo-dir}/x-pack/elastic-agent/docs/tab-widgets/install-widget.asciidoc[] -ifeval::["{release-state}"=="unreleased"] +// end::install-elastic-agent[] -Version {version} of {agent} has not yet been released. +// Add Javascript and CSS for tabbed panels +include::tab-widgets/code.asciidoc[] -endif::[] +[[elastic-agent-install-service-macos]] +== Manually install {agent} as a service on macOS -ifeval::["{release-state}"!="unreleased"] +If you want {agent} to be persistent after restarts, you need to +install and run it as a service. Improved support for running {agent} as a +service on macOS will be available in a future release. -["source","sh",subs="attributes"] +. Create a file called `co.elastic.agent.plist` in `/Library/LaunchDaemons/` +and copy the following settings into the new file: ++ +[source,text] ---- -curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{version}-darwin-x86_64.tar.gz -tar xzvf elastic-agent-{version}-darwin-x86_64.tar.gz + + + + + Label + co.elastic.agent + ProgramArguments + + /Library/Elastic/Agent/elastic-agent + run + + RunAtLoad + + WorkingDirectory + /Library/Elastic/Agent + UserName + root + KeepAlive + + ThrottleInterval + 15 + EnableTransactions + + ExitTimeOut + 60 + + ---- -endif::[] - -*linux:* - -ifeval::["{release-state}"=="unreleased"] - -Version {version} of {agent} has not yet been released. - -endif::[] - -ifeval::["{release-state}"!="unreleased"] - -["source","sh",subs="attributes"] +. Change the ownership of the `.plist` file to `root`: ++ +[source,shell] ---- -curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{version}-linux-x86_64.tar.gz -tar xzvf elastic-agent-{version}-linux-x86_64.tar.gz +sudo chown root:wheel /Library/LaunchDaemons/co.elastic.agent.plist ---- -endif::[] - -*win:* - -ifeval::["{release-state}"=="unreleased"] +. Create the path `/Library/Elastic/Agent/`. -Version {version} of {agent} has not yet been released. +. Copy the files that you extracted from ++elastic-agent-{version}-darwin-x86_64.tar.gz+ into +`/Library/Elastic/Agent/`. -endif::[] - -ifeval::["{release-state}"!="unreleased"] - -. Download the {agent} Windows zip file from the -https://www.elastic.co/downloads/beats/elastic-agent[downloads page]. - -. Extract the contents of the zip file into `C:\Program Files`. - -. Rename the `elastic-agent--windows` directory to `Elastic-Agent`. - -. Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select *Run As Administrator*). - -. From the PowerShell prompt, run the following commands to install Filebeat as a -Windows service: +. Start the agent as a service: + [source,shell] ---- -PS > cd 'C:\Program Files\Elastic-Agent' -PS C:\Program Files\Elastic-Agent> .\install-service-elastic-agent.ps1 +sudo launchctl load -w /Library/LaunchDaemons/co.elastic.agent.plist ---- ++ +This command starts the agent, so do not attempt to use the `run` command. -NOTE: If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: `PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-elastic-agent.ps1`. +*To stop and remove the service:* -endif::[] +. Stop the service and remove the property list file: ++ +[source,shell] +---- +sudo launchctl unload -w /Library/Launchdaemons/co.elastic.agent.plist +rm /Library/Launchdaemons/co.elastic.agent.plist +---- -// end::install-elastic-agent[] +. <>. ++ +Unenrolling the agent should stop {agent} and any other programs started by +the agent, such as Elastic {endpoint-sec} and data shippers. +. If necessary, manually kill the `elastic-agent` process and any other +processes started by the agent. diff --git a/x-pack/elastic-agent/docs/run-elastic-agent.asciidoc b/x-pack/elastic-agent/docs/run-elastic-agent.asciidoc index 7ea68c4770d..7c48084b8fb 100644 --- a/x-pack/elastic-agent/docs/run-elastic-agent.asciidoc +++ b/x-pack/elastic-agent/docs/run-elastic-agent.asciidoc @@ -2,66 +2,71 @@ [role="xpack"] = Run {agent} -experimental[] +beta[] {agent} runs in two modes: standalone or fleet. The two modes differ in how you -configure and manage the Agent. +configure and manage the agent. -[float] +[discrete] [[fleet-mode]] == Run in {fleet} mode -With _fleet mode_, you manage {agent} remotely. The Agent uses a trusted {kib} -instance to retrieve configurations and report Agent events. This trusted {kib} +With _fleet mode_, you manage {agent} remotely. The agent uses a trusted {kib} +instance to retrieve configurations and report agent events. This trusted {kib} instance must have {ingest-manager} and {fleet} enabled. To create a trusted communication channel between {agent} and {kib}, enroll the -Agent to {fleet}. +agent to {fleet}. To enroll an {agent} to {fleet}: -. Stop the Agent, if it's already running. +. Stop {agent}, if it's already running. -. Go the **{fleet}** tab in {ingest-manager}, and click **Enroll new agent** to -generate a token. See <> for detailed steps. - -. Enroll the Agent: +. In {ingest-manager}, click **Settings** and change the defaults, if necessary. +For self-managed installations, set the URLs for {es} and {kib}, including +the http ports, then save your changes. + -[source,shell] ----- -./elastic-agent enroll http://localhost:5601 $token ----- +[role="screenshot"] +image::images/kibana-ingest-manager-settings.png[{ingest-manager} settings] + +. Select **{fleet}**, then click **Add agent** to get an enrollment token. See +<> for detailed steps. + +. Change to the directory where {agent} is installed, and enroll the agent to +{fleet}: + -Where `$token` is an enrollment token acquired from {fleet}. +-- +include::{beats-repo-dir}/x-pack/elastic-agent/docs/tab-widgets/enroll-widget.asciidoc[] +-- -To start {agent}, run: -[source,shell] ----- -./elastic-agent run ----- +. Run the agent: ++ +-- +include::{beats-repo-dir}/x-pack/elastic-agent/docs/tab-widgets/run-widget.asciidoc[] +-- -[float] +[discrete] [[standalone-mode]] == Run in standalone mode (default) -With _standalone mode_, you manually configure and manage the Agent locally. -Each Agent is configured to be in standalone mode by default after installation. +With _standalone mode_, you manually configure and manage {agent} locally on the +system where the agent is installed. {agent} is configured to run in standalone +mode by default unless you enroll it in {fleet}. If {agent} is installed as an auto-starting service, it will run automatically when you restart your system. To start {agent} manually, run: -[source,shell] ----- -./elastic-agent run ----- +include::{beats-repo-dir}/x-pack/elastic-agent/docs/tab-widgets/run-standalone-widget.asciidoc[] -If no configuration file is specified, {agent} uses the default configuration, -`elastic-agent.yml`, which is located in the same directory as {agent}. Specify -the `-c` flag to use a different configuration file. +Use the `-c` flag to specify the configuration file. If no configuration file is +specified, {agent} uses the default configuration, `elastic-agent.yml`, which is +located in the same directory as {agent}. For configuration options, see <>. //<> +// Add Javascript and CSS for tabbed panels +include::tab-widgets/code.asciidoc[] diff --git a/x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc b/x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc new file mode 100644 index 00000000000..19b4628fde9 --- /dev/null +++ b/x-pack/elastic-agent/docs/running-on-kubernetes.asciidoc @@ -0,0 +1,109 @@ +[[running-on-kubernetes]] +[role="xpack"] +=== Run {agent} on Kubernetes + +You can use {agent} https://www.docker.elastic.co/r/beats/elastic-agent[Docker images] on Kubernetes to +retrieve cluster metrics. + +ifeval::["{release-state}"=="unreleased"] + +However, version {version} of {agent} has not yet been +released, so no Docker image is currently available for this version. + +endif::[] + + +[float] +==== Kubernetes deploy manifests + +You deploy {agent} in two different ways at the same time: + +* As a https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/[DaemonSet] +to ensure that there's a running instance on each node of the cluster. These +instances are used to retrieve most metrics from the host, such as system +metrics, Docker stats, and metrics from all the services running on top of +Kubernetes. + +* As a single {agent} instance created using a https://kubernetes.io/docs/concepts/workloads/controllers/Deployment/[Deployment]. +This instance is used to retrieve metrics that are unique for the whole +cluster, such as Kubernetes events or +https://github.com/kubernetes/kube-state-metrics[kube-state-metrics]. + +Everything is deployed under the `kube-system` namespace by default. To change +the namespace, modify the manifest file. + +To download the manifest file, run: + +["source", "sh", subs="attributes"] +------------------------------------------------ +curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/kubernetes/elastic-agent-kubernetes.yaml +------------------------------------------------ + +[float] +==== Settings + +By default, {agent} is enrolled to an existing Kibana deployment, +if present using the specified credentials. FLEET_ENROLLMENT_TOKEN parameter is used to connect Agent to the +corresponding Ingest Management configuration. It is suggested to connect Daemonset Agents to a node scope configuration +and Deployment Agent to a cluster scope configuration. Then Kubernetes package will be deployed enabling cluster scope +datasets using cluster scope configuration while node scope datasets will be enabled under node scope configuration. + +To specify different destination/credentials, +change the following parameters in the manifest file: + +[source,yaml] +------------------------------------------------ +- name: FLEET_ENROLLMENT_TOKEN + value: "abcdf_token" +- name: KIBANA_HOST + value: "http://kibana:5601" +- name: KIBANA_USERNAME + value: "elastic" +- name: KIBANA_PASSWORD + value: "changeme" +------------------------------------------------ + +[float] +===== Running {agent} on master nodes + +Kubernetes master nodes can use https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/[taints] +to limit the workloads that can run on them. To run {agent} on master nodes you may need to +update the Daemonset spec to include proper tolerations: + +[source,yaml] +------------------------------------------------ +spec: + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule +------------------------------------------------ + + +[float] +==== Deploy + +If planing to deploy `state_*` datasets of Kubernetes package, +https://github.com/kubernetes/kube-state-metrics#usage[kube-state-metrics] is needed to be already deployed +in the cluster. If `kube-state-metrics` is not already running, deploy it now (see the +https://github.com/kubernetes/kube-state-metrics#kubernetes-deployment[Kubernetes +deployment] docs). + +To deploy to Kubernetes, run: + +["source", "sh", subs="attributes"] +------------------------------------------------ +kubectl create -f elastic-agent-kubernetes.yaml +------------------------------------------------ + +To check the status, run: + +["source", "sh", subs="attributes"] +------------------------------------------------ +$ kubectl --namespace=kube-system get pods -l group=ingest-management + +NAME READY STATUS RESTARTS AGE +agent-ingest-management-clusterscope-574dbfc48f-sfrdt 1/1 Running 3 8d +agent-ingest-management-nodescope-jt9zj 1/1 Running 3 8d +------------------------------------------------ + +Agents should be enrolled to Fleet and user should be able to deploy Kubernetes package accordingly. diff --git a/x-pack/elastic-agent/docs/stop-elastic-agent.asciidoc b/x-pack/elastic-agent/docs/stop-elastic-agent.asciidoc new file mode 100644 index 00000000000..82078c5eb78 --- /dev/null +++ b/x-pack/elastic-agent/docs/stop-elastic-agent.asciidoc @@ -0,0 +1,11 @@ +[[stop-elastic-agent]] +[role="xpack"] += Stop {agent} + +To stop {agent} and its related executables, stop the {agent} process. Use the +commands that work for your system. + +include::{beats-repo-dir}/x-pack/elastic-agent/docs/tab-widgets/stop-widget.asciidoc[] + +// Add Javascript and CSS for tabbed panels +include::tab-widgets/code.asciidoc[] diff --git a/x-pack/elastic-agent/docs/tab-widgets/code.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/code.asciidoc new file mode 100644 index 00000000000..61b18b0015d --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/code.asciidoc @@ -0,0 +1,166 @@ +// Defining styles and script here for simplicity. +++++ + + + +++++ diff --git a/x-pack/elastic-agent/docs/tab-widgets/enroll-widget.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/enroll-widget.asciidoc new file mode 100644 index 00000000000..202c38913db --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/enroll-widget.asciidoc @@ -0,0 +1,92 @@ +++++ +
+
+ + + + + +
+
+++++ + +include::enroll.asciidoc[tag=deb] + +++++ +
+ + + + +
+++++ \ No newline at end of file diff --git a/x-pack/elastic-agent/docs/tab-widgets/enroll.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/enroll.asciidoc new file mode 100644 index 00000000000..479e8cfba7c --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/enroll.asciidoc @@ -0,0 +1,70 @@ +// tag::deb[] + +// tag::enroll-tip[] +TIP: We recommend that you run this command as the root user because some +integrations require root privileges to collect sensitive data. + +// end::enroll-tip[] +[source,shell] +---- +elastic-agent enroll KIBANA_URL ENROLLMENT_KEY +---- + +include::enroll.asciidoc[tag=where-description] +// end::deb[] + +// tag::rpm[] + +include::enroll.asciidoc[tag=enroll-tip] + +[source,shell] +---- +elastic-agent enroll KIBANA_URL ENROLLMENT_KEY +---- + +include::enroll.asciidoc[tag=where-description] +// end::rpm[] + +// tag::mac[] + +include::enroll.asciidoc[tag=enroll-tip] + +[source,shell] +---- +./elastic-agent enroll KIBANA_URL ENROLLMENT_KEY +---- + +include::enroll.asciidoc[tag=where-description] +// end::mac[] + +// tag::linux[] + +include::enroll.asciidoc[tag=enroll-tip] + +[source,shell] +---- +./elastic-agent enroll KIBANA_URL ENROLLMENT_KEY +---- + +include::enroll.asciidoc[tag=where-description] +// end::linux[] + +// tag::win[] +Open a PowerShell prompt as an Administrator (right-click the PowerShell icon +and select **Run As Administrator**). + +From the PowerShell prompt, change to the directory where you installed {agent}, +and run: + +[source,shell] +---- +.\elastic-agent.exe enroll KIBANA_URL ENROLLMENT_KEY +---- + +include::enroll.asciidoc[tag=where-description] +// end::win[] + +// tag::where-description[] +Where `KIBANA_URL` is the {kib} URL where {fleet} is running, and +`ENROLLMENT_KEY` is the enrollment token acquired from {fleet}. +// end::where-description[] \ No newline at end of file diff --git a/x-pack/elastic-agent/docs/tab-widgets/install-widget.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/install-widget.asciidoc new file mode 100644 index 00000000000..c25fc7fadbe --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/install-widget.asciidoc @@ -0,0 +1,92 @@ +++++ +
+
+ + + + + +
+
+++++ + +include::install.asciidoc[tag=deb] + +++++ +
+ + + + +
+++++ \ No newline at end of file diff --git a/x-pack/elastic-agent/docs/tab-widgets/install.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/install.asciidoc new file mode 100644 index 00000000000..824825f86df --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/install.asciidoc @@ -0,0 +1,93 @@ +// tag::deb[] +ifeval::["{release-state}"=="unreleased"] + +Version {version} of {agent} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +["source","sh",subs="attributes"] +---- +curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{version}-amd64.deb +sudo dpkg -i elastic-agent-{version}-amd64.deb +---- + +endif::[] +// end::deb[] + +// tag::rpm[] +ifeval::["{release-state}"=="unreleased"] + +Version {version} of {agent} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +["source","sh",subs="attributes"] +---- +curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{version}-x86_64.rpm +sudo rpm -vi elastic-agent-{version}-x86_64.rpm +---- +endif::[] +// end::rpm[] + +// tag::mac[] +ifeval::["{release-state}"=="unreleased"] + +Version {version} of {agent} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +["source","sh",subs="attributes"] +---- +curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{version}-darwin-x86_64.tar.gz +tar xzvf elastic-agent-{version}-darwin-x86_64.tar.gz +---- + +endif::[] +// end::mac[] + +// tag::linux[] +ifeval::["{release-state}"=="unreleased"] + +Version {version} of {agent} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +["source","sh",subs="attributes"] +---- +curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-{version}-linux-x86_64.tar.gz +tar xzvf elastic-agent-{version}-linux-x86_64.tar.gz +---- + +NOTE: We recommend that you use the DEB or RPM distribution, instead of the +tarball, to ensure that {agent} restarts automatically if the system is +rebooted. + +endif::[] +// end::linux[] + +// tag::win[] +ifeval::["{release-state}"=="unreleased"] + +Version {version} of {agent} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +. Download the {agent} Windows zip file from the +https://www.elastic.co/downloads/beats/elastic-agent[downloads page]. + +. Extract the contents of the zip file into `C:\Program Files`. + +. Rename the `elastic-agent--windows` directory to `Elastic-Agent`. + +endif::[] +// end::win[] diff --git a/x-pack/elastic-agent/docs/tab-widgets/run-standalone-widget.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/run-standalone-widget.asciidoc new file mode 100644 index 00000000000..63993c2106c --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/run-standalone-widget.asciidoc @@ -0,0 +1,92 @@ +++++ +
+
+ + + + + +
+
+++++ + +include::run.asciidoc[tag=deb] + +++++ +
+ + + + +
+++++ \ No newline at end of file diff --git a/x-pack/elastic-agent/docs/tab-widgets/run-widget.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/run-widget.asciidoc new file mode 100644 index 00000000000..34382f822e9 --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/run-widget.asciidoc @@ -0,0 +1,92 @@ +++++ +
+
+ + + + + +
+
+++++ + +include::run.asciidoc[tag=deb] + +++++ +
+ + + + +
+++++ \ No newline at end of file diff --git a/x-pack/elastic-agent/docs/tab-widgets/run.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/run.asciidoc new file mode 100644 index 00000000000..569ea013236 --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/run.asciidoc @@ -0,0 +1,109 @@ +// tag::deb[] + +The DEB package includes a service unit for Linux systems with systemd. On these +systems, you can manage {agent} by using the usual systemd commands: + +[source,shell] +---- +systemctl enable elastic-agent +systemctl start elastic-agent +---- + +Otherwise, use: + +[source,shell] +---- +sudo service elastic-agent start +---- + +NOTE: {agent} will restart automatically if the system is rebooted. + +// end::deb[] + +// tag::rpm[] +The RPM package includes a service unit for Linux systems with systemd. On these +systems, you can manage {agent} by using the usual systemd commands: + +[source,shell] +---- +systemctl enable elastic-agent +systemctl start elastic-agent +---- + +Otherwise, use: + +[source,shell] +---- +sudo service elastic-agent start +---- + +NOTE: {agent} will restart automatically if the system is rebooted. + +// end::rpm[] + +// tag::mac[] +[source,shell] +---- +./elastic-agent run +---- + +[NOTE] +==== +This command starts {agent} in the foreground. You must restart {agent} +manually if the agent terminates or the system is rebooted. + +To start the agent automatically when the system is rebooted, +{ingest-guide}/elastic-agent-installation.html#elastic-agent-install-service-macos[Install the agent as a service]. +==== + +// end::mac[] + +// tag::linux[] +[source,shell] +---- +./elastic-agent run +---- + +[NOTE] +==== +This command starts {agent} in the foreground. You must restart {agent} manually +if the agent terminates or the system is rebooted. + +To start the agent automatically when the system is rebooted, +use the DEB or RPM package instead of the tarball. +==== + +// end::linux[] + +// tag::win[] +The first time you run {agent}, you need to install it as auto-starting Windows +service. To do this, run the PowerShell script provided in the archive you +downloaded: + +. Open a PowerShell prompt as an Administrator (right-click the PowerShell icon +and select *Run As Administrator*). + +. From the PowerShell prompt, run the following commands to install {agent} as +an service and start the service: ++ +[source,shell] +---- +cd 'C:\Program Files\Elastic-Agent' +.\install-service-elastic-agent.ps1 <1> <2> +---- +<1> You must run {agent} under the SYSTEM account if you plan +to use the {elastic-endpoint} integration. +<2> If script execution is disabled on your system, set the execution policy for +the current session to allow the script to run. For example: +`PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-elastic-agent.ps1`. ++ +If the service stops and you need to restart it manually, run: ++ +[source,shell] +---- +Start-Service elastic-agent +---- + +NOTE: {agent} will restart automatically if the system is rebooted. + +// end::win[] diff --git a/x-pack/elastic-agent/docs/tab-widgets/stop-widget.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/stop-widget.asciidoc new file mode 100644 index 00000000000..f4527cbcd49 --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/stop-widget.asciidoc @@ -0,0 +1,92 @@ +++++ +
+
+ + + + + +
+
+++++ + +include::stop.asciidoc[tag=deb] + +++++ +
+ + + + +
+++++ \ No newline at end of file diff --git a/x-pack/elastic-agent/docs/tab-widgets/stop.asciidoc b/x-pack/elastic-agent/docs/tab-widgets/stop.asciidoc new file mode 100644 index 00000000000..7d1f8f97a3f --- /dev/null +++ b/x-pack/elastic-agent/docs/tab-widgets/stop.asciidoc @@ -0,0 +1,74 @@ +// tag::deb[] + +The DEB package includes a service unit for Linux systems with systemd. On these +systems, you can manage {agent} by using the usual systemd commands. + +// tag::stop-command[] +Use `systemctl` to stop the agent: + +[source,shell] +---- +systemctl stop elastic-agent +---- + +Otherwise, use: + +[source,shell] +---- +sudo service elastic-agent stop +---- + +NOTE: {agent} will restart automatically if the system is rebooted. + +// end::stop-command[] + +// end::deb[] + +// tag::rpm[] +The RPM package includes a service unit for Linux systems with systemd. On these +systems, you can manage {agent} by using the usual systemd commands. + +include::stop.asciidoc[tag=stop-command] + +// end::rpm[] + +// tag::mac[] +// tag::kill-process[] +Get the process ID (PID) of the `elastic-agent` process: + +[source,shell] +---- +ps | grep elastic-agent +---- + +Then kill the process, replacing the PID in this example with the PID from +the grep command: + +[source,shell] +---- +kill -9 90682 +---- + +NOTE: {agent} will NOT restart automatically if the system is rebooted. + +// end::kill-process[] +// end::mac[] + +// tag::linux[] +include::stop.asciidoc[tag=kill-process] +// end::linux[] + +// tag::win[] + +If you installed {agent} as a service, stop the service. +[source,shell] +---- +Stop-Service elastic-agent +---- + +If necessary, use Task Manager on Windows to stop {agent}. This will kill the +`elastic-agent` process and any sub-processes it created (such as {beats}). + +NOTE: {agent} will restart automatically if the system is rebooted. + +// end::win[] diff --git a/x-pack/elastic-agent/docs/unenroll-elastic-agent.asciidoc b/x-pack/elastic-agent/docs/unenroll-elastic-agent.asciidoc new file mode 100644 index 00000000000..cd77fc3dde3 --- /dev/null +++ b/x-pack/elastic-agent/docs/unenroll-elastic-agent.asciidoc @@ -0,0 +1,19 @@ +[[unenroll-elastic-agent]] +[role="xpack"] += Unenroll {agent} + +You can unenroll an agent to invalidate the API key used to connect to {es}. + +. In {ingest-manager}, select **{fleet}**. + +. Under Agents, choose **Unenroll** from the **Actions** menu next to the agent +you want to unenroll. + +. Click **Unenroll**. ++ +The agent will continue to run, but will not be able to send data. It will show +this error instead: `invalid api key to authenticate with fleet`. + +TIP: If unenrollment hangs, select **Force unenroll** to invalidate all API +keys related to the agent and change the status to `inactive` so that the agent +no longer appears in {fleet}. diff --git a/x-pack/elastic-agent/elastic-agent.docker.yml b/x-pack/elastic-agent/elastic-agent.docker.yml index 90e83056932..2f8187a1604 100644 --- a/x-pack/elastic-agent/elastic-agent.docker.yml +++ b/x-pack/elastic-agent/elastic-agent.docker.yml @@ -17,7 +17,7 @@ inputs: # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # # Cannot start with -, _, + # Cannot be . or .. - dataset.namespace: default + data_stream.namespace: default use_output: default streams: - metricset: cpu @@ -27,13 +27,13 @@ inputs: # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # # Cannot start with -, _, + # Cannot be . or .. - dataset.name: system.cpu + data_stream.dataset: system.cpu - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory - metricset: network - dataset.name: system.network + data_stream.dataset: system.network - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem # management: # # Mode of management, the Elastic Agent support two modes of operation: diff --git a/x-pack/elastic-agent/elastic-agent.reference.yml b/x-pack/elastic-agent/elastic-agent.reference.yml index 6e9589c3fa1..08a12d7907a 100644 --- a/x-pack/elastic-agent/elastic-agent.reference.yml +++ b/x-pack/elastic-agent/elastic-agent.reference.yml @@ -23,7 +23,7 @@ inputs: # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # # Cannot start with -, _, + # Cannot be . or .. - dataset.namespace: default + data_stream.namespace: default use_output: default streams: - metricset: cpu @@ -33,13 +33,13 @@ inputs: # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # # Cannot start with -, _, + # Cannot be . or .. - dataset.name: system.cpu + data_stream.dataset: system.cpu - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory - metricset: network - dataset.name: system.network + data_stream.dataset: system.network - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem # management: # # Mode of management, the Elastic Agent support two modes of operation: diff --git a/x-pack/elastic-agent/elastic-agent.yml b/x-pack/elastic-agent/elastic-agent.yml index a78b0598142..232ff03c62e 100644 --- a/x-pack/elastic-agent/elastic-agent.yml +++ b/x-pack/elastic-agent/elastic-agent.yml @@ -23,7 +23,7 @@ inputs: # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # # Cannot start with -, _, + # Cannot be . or .. - dataset.namespace: default + data_stream.namespace: default use_output: default streams: - metricset: cpu @@ -33,13 +33,13 @@ inputs: # Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # # Cannot start with -, _, + # Cannot be . or .. - dataset.name: system.cpu + data_stream.dataset: system.cpu - metricset: memory - dataset.name: system.memory + data_stream.dataset: system.memory - metricset: network - dataset.name: system.network + data_stream.dataset: system.network - metricset: filesystem - dataset.name: system.filesystem + data_stream.dataset: system.filesystem # agent.monitoring: # # enabled turns on monitoring of running processes diff --git a/x-pack/elastic-agent/magefile.go b/x-pack/elastic-agent/magefile.go index 613490b1241..7296e8189be 100644 --- a/x-pack/elastic-agent/magefile.go +++ b/x-pack/elastic-agent/magefile.go @@ -7,12 +7,14 @@ package main import ( + "context" "errors" "fmt" "os" "os/exec" "path/filepath" "runtime" + "strconv" "strings" "time" @@ -39,7 +41,9 @@ const ( buildDir = "build" metaDir = "_meta" snapshotEnv = "SNAPSHOT" + devEnv = "DEV" configFile = "elastic-agent.yml" + agentDropPath = "AGENT_DROP_PATH" ) // Aliases for commands required by master makefile @@ -77,6 +81,9 @@ type Format mg.Namespace // Demo runs agent out of container. type Demo mg.Namespace +// Dev runs package and build for dev purposes. +type Dev mg.Namespace + // Env returns information about the environment. func (Prepare) Env() { mg.Deps(Mkdir("build"), Build.GenerateConfig) @@ -84,6 +91,26 @@ func (Prepare) Env() { RunGo("env") } +// Build builds the agent binary with DEV flag set. +func (Dev) Build() { + dev := os.Getenv(devEnv) + defer os.Setenv(devEnv, dev) + + os.Setenv(devEnv, "true") + devtools.DevBuild = true + mg.Deps(Build.All) +} + +// Package packages the agent binary with DEV flag set. +func (Dev) Package() { + dev := os.Getenv(devEnv) + defer os.Setenv(devEnv, dev) + + os.Setenv(devEnv, "true") + devtools.DevBuild = true + Package() +} + // InstallGoLicenser install go-licenser to check license of the files. func (Prepare) InstallGoLicenser() error { return GoGet(goLicenserRepo) @@ -166,12 +193,15 @@ func (Build) Clean() { func (Build) TestBinaries() error { p := filepath.Join("pkg", "agent", "operation", "tests", "scripts") - binaryName := "configurable" + configurableName := "configurable" + serviceableName := "serviceable" if runtime.GOOS == "windows" { - binaryName += ".exe" + configurableName += ".exe" + serviceableName += ".exe" } return combineErr( - RunGo("build", "-o", filepath.Join(p, "configurable-1.0-darwin-x86_64", binaryName), filepath.Join(p, "configurable-1.0-darwin-x86_64", "main.go")), + RunGo("build", "-o", filepath.Join(p, "configurable-1.0-darwin-x86_64", configurableName), filepath.Join(p, "configurable-1.0-darwin-x86_64", "main.go")), + RunGo("build", "-o", filepath.Join(p, "serviceable-1.0-darwin-x86_64", serviceableName), filepath.Join(p, "serviceable-1.0-darwin-x86_64", "main.go")), ) } @@ -232,13 +262,10 @@ func (Test) All() { } // Unit runs all the unit tests. -func (Test) Unit() error { +func (Test) Unit(ctx context.Context) error { mg.Deps(Prepare.Env, Build.TestBinaries) - raceFlag := "" - if os.Getenv("DEV_ARCH") == "amd64" { - raceFlag = "-race" - } - return RunGo("test", raceFlag, "-v", "-coverprofile", filepath.Join(buildDir, "coverage.out"), "./...") + params := devtools.DefaultGoTestUnitArgs() + return devtools.GoTest(ctx, params) } // Coverage takes the coverages report from running all the tests and display the results in the browser. @@ -268,14 +295,30 @@ func Package() { start := time.Now() defer func() { fmt.Println("package ran for", time.Since(start)) }() - packageAgent([]string{ - "darwin-x86_64.tar.gz", - "linux-x86.tar.gz", - "linux-x86_64.tar.gz", - "windows-x86.zip", - "windows-x86_64.zip", - "linux-arm64.tar.gz", - }, devtools.UseElasticAgentPackaging) + platformPackages := []struct { + platform string + packages string + }{ + {"darwin/amd64", "darwin-x86_64.tar.gz"}, + {"linux/386", "linux-x86.tar.gz"}, + {"linux/amd64", "linux-x86_64.tar.gz"}, + {"linux/arm64", "linux-arm64.tar.gz"}, + {"windows/386", "windows-x86.zip"}, + {"windows/amd64", "windows-x86_64.zip"}, + } + + var requiredPackages []string + for _, p := range platformPackages { + if _, enabled := devtools.Platforms.Get(p.platform); enabled { + requiredPackages = append(requiredPackages, p.packages) + } + } + + if len(requiredPackages) == 0 { + panic("elastic-agent package is expected to include other packages") + } + + packageAgent(requiredPackages, devtools.UseElasticAgentPackaging) } func requiredPackagesPresent(basePath, beat, version string, requiredPackages []string) bool { @@ -325,9 +368,9 @@ func commitID() string { return commitID } -// Update is an alias for executing fields, dashboards, config, includes. +// Update is an alias for executing control protocol, configs, and specs. func Update() { - mg.SerialDeps(Config, BuildSpec, BuildFleetCfg) + mg.SerialDeps(Config, BuildSpec, BuildPGP, BuildFleetCfg) } // CrossBuild cross-builds the beat for all target platforms. @@ -345,9 +388,14 @@ func Config() { mg.Deps(configYML) } +// ControlProto generates pkg/agent/control/proto module. +func ControlProto() error { + return sh.RunV("protoc", "--go_out=plugins=grpc:.", "control.proto") +} + // BuildSpec make sure that all the suppported program spec are built into the binary. func BuildSpec() error { - // go run x-pack/agent/dev-tools/cmd/buildspec/buildspec.go --in x-pack/agent/spec/*.yml --out x-pack/agent/pkg/agent/program/supported.go + // go run x-pack/elastic-agent/dev-tools/cmd/buildspec/buildspec.go --in x-pack/agent/spec/*.yml --out x-pack/elastic-agent/pkg/agent/program/supported.go goF := filepath.Join("dev-tools", "cmd", "buildspec", "buildspec.go") in := filepath.Join("spec", "*.yml") out := filepath.Join("pkg", "agent", "program", "supported.go") @@ -356,6 +404,16 @@ func BuildSpec() error { return RunGo("run", goF, "--in", in, "--out", out) } +func BuildPGP() error { + // go run x-pack/elastic-agent/dev-tools/cmd/buildpgp/build_pgp.go --in x-pack/agent/spec/GPG-KEY-elasticsearch --out x-pack/elastic-agent/pkg/release/pgp.go + goF := filepath.Join("dev-tools", "cmd", "buildpgp", "build_pgp.go") + in := "GPG-KEY-elasticsearch" + out := filepath.Join("pkg", "release", "pgp.go") + + fmt.Printf(">> BuildPGP from %s to %s\n", in, out) + return RunGo("run", goF, "--in", in, "--out", out) +} + func configYML() error { return devtools.Config(devtools.AllConfigTypes, ConfigFileParams(), ".") } @@ -495,26 +553,50 @@ func packageAgent(requiredPackages []string, packagingFn func()) { version = release.Version() } - packedBeats := []string{"filebeat", "metricbeat"} - - for _, b := range packedBeats { - pwd, err := filepath.Abs(filepath.Join("..", b)) + // build deps only when drop is not provided + if dropPathEnv, found := os.LookupEnv(agentDropPath); !found || len(dropPathEnv) == 0 { + // prepare new drop + dropPath := filepath.Join("build", "distributions", "elastic-agent-drop") + dropPath, err := filepath.Abs(dropPath) if err != nil { panic(err) } - if requiredPackagesPresent(pwd, b, version, requiredPackages) { - continue + if err := os.MkdirAll(dropPath, 0755); err != nil { + panic(err) } - cmd := exec.Command("mage", "package") - cmd.Dir = pwd - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - cmd.Env = append(os.Environ(), fmt.Sprintf("PWD=%s", pwd), "AGENT_PACKAGING=on") - - if err := cmd.Run(); err != nil { - panic(err) + os.Setenv(agentDropPath, dropPath) + + // cleanup after build + defer os.RemoveAll(dropPath) + defer os.Unsetenv(agentDropPath) + + packedBeats := []string{"filebeat", "heartbeat", "metricbeat"} + + for _, b := range packedBeats { + pwd, err := filepath.Abs(filepath.Join("..", b)) + if err != nil { + panic(err) + } + + if !requiredPackagesPresent(pwd, b, version, requiredPackages) { + cmd := exec.Command("mage", "package") + cmd.Dir = pwd + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + cmd.Env = append(os.Environ(), fmt.Sprintf("PWD=%s", pwd), "AGENT_PACKAGING=on") + + if err := cmd.Run(); err != nil { + panic(err) + } + } + + // copy to new drop + sourcePath := filepath.Join(pwd, "build", "distributions") + if err := copyAll(sourcePath, dropPath); err != nil { + panic(err) + } } } @@ -523,7 +605,24 @@ func packageAgent(requiredPackages []string, packagingFn func()) { mg.Deps(Update) mg.Deps(CrossBuild, CrossBuildGoDaemon) - mg.SerialDeps(devtools.Package) + mg.SerialDeps(devtools.Package, TestPackages) +} + +func copyAll(from, to string) error { + return filepath.Walk(from, func(path string, info os.FileInfo, err error) error { + if err != nil { + return err + } + + if info.IsDir() { + return nil + } + + targetFile := filepath.Join(to, info.Name()) + + // overwrites with current build + return sh.Copy(targetFile, path) + }) } func dockerTag() string { @@ -556,6 +655,12 @@ func buildVars() map[string]string { isSnapshot, _ := os.LookupEnv(snapshotEnv) vars["github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release.snapshot"] = isSnapshot + if isDevFlag, devFound := os.LookupEnv(devEnv); devFound { + if isDev, err := strconv.ParseBool(isDevFlag); err == nil && isDev { + vars["github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release.allowEmptyPgp"] = "true" + } + } + return vars } diff --git a/x-pack/elastic-agent/pkg/agent/application/action_store.go b/x-pack/elastic-agent/pkg/agent/application/action_store.go index cc7e6b6e665..25dbf7a5b82 100644 --- a/x-pack/elastic-agent/pkg/agent/application/action_store.go +++ b/x-pack/elastic-agent/pkg/agent/application/action_store.go @@ -33,6 +33,7 @@ func newActionStore(log *logger.Logger, store storeLoad) (*actionStore, error) { if err != nil { return &actionStore{log: log, store: store}, nil } + defer reader.Close() var action actionConfigChangeSerializer @@ -142,6 +143,7 @@ var _ actionConfigChangeSerializer = actionConfigChangeSerializer(fleetapi.Actio type actionUnenrollSerializer struct { ActionID string `yaml:"action_id"` ActionType string `yaml:"action_type"` + IsDetected bool `yaml:"is_detected"` } // Add a guards between the serializer structs and the original struct. diff --git a/x-pack/elastic-agent/pkg/agent/application/application.go b/x-pack/elastic-agent/pkg/agent/application/application.go index 08bd0f94b8d..e003eed61a6 100644 --- a/x-pack/elastic-agent/pkg/agent/application/application.go +++ b/x-pack/elastic-agent/pkg/agent/application/application.go @@ -21,12 +21,16 @@ type Application interface { AgentInfo() *info.AgentInfo } +type reexecManager interface { + ReExec(argOverrides ...string) +} + // New creates a new Agent and bootstrap the required subsystem. -func New(log *logger.Logger, pathConfigFile string) (Application, error) { +func New(log *logger.Logger, pathConfigFile string, reexec reexecManager) (Application, error) { // Load configuration from disk to understand in which mode of operation // we must start the elastic-agent, the mode of operation cannot be changed without restarting the // elastic-agent. - rawConfig, err := config.LoadYAML(pathConfigFile) + rawConfig, err := LoadConfigFromFile(pathConfigFile) if err != nil { return nil, err } @@ -35,13 +39,14 @@ func New(log *logger.Logger, pathConfigFile string) (Application, error) { return nil, err } - return createApplication(log, pathConfigFile, rawConfig) + return createApplication(log, pathConfigFile, rawConfig, reexec) } func createApplication( log *logger.Logger, pathConfigFile string, rawConfig *config.Config, + reexec reexecManager, ) (Application, error) { warn.LogNotGA(log) log.Info("Detecting execution mode") @@ -58,7 +63,7 @@ func createApplication( } log.Info("Agent is managed by Fleet") - return newManaged(ctx, log, rawConfig) + return newManaged(ctx, log, rawConfig, reexec) } // missing of fleet.enabled: true or fleet.{access_token,kibana} will place Elastic Agent into standalone mode. diff --git a/x-pack/elastic-agent/pkg/agent/application/config.go b/x-pack/elastic-agent/pkg/agent/application/config.go index 8dfd093e040..e42f3dcab28 100644 --- a/x-pack/elastic-agent/pkg/agent/application/config.go +++ b/x-pack/elastic-agent/pkg/agent/application/config.go @@ -5,8 +5,16 @@ package application import ( + "io/ioutil" + + "github.com/elastic/go-ucfg" + + "gopkg.in/yaml.v2" + + "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/kibana" ) @@ -26,3 +34,53 @@ func createFleetConfigFromEnroll(accessAPIKey string, kbn *kibana.Config) (*conf } return cfg, nil } + +// LoadConfigFromFile loads the Agent configuration from a file. +// +// This must be used to load the Agent configuration, so that variables defined in the inputs are not +// parsed by go-ucfg. Variables from the inputs should be parsed by the transpiler. +func LoadConfigFromFile(path string) (*config.Config, error) { + in, err := ioutil.ReadFile(path) + if err != nil { + return nil, err + } + var m map[string]interface{} + if err := yaml.Unmarshal(in, &m); err != nil { + return nil, err + } + return LoadConfig(m) +} + +// LoadConfig loads the Agent configuration from a map. +// +// This must be used to load the Agent configuration, so that variables defined in the inputs are not +// parsed by go-ucfg. Variables from the inputs should be parsed by the transpiler. +func LoadConfig(in map[string]interface{}) (*config.Config, error) { + // make copy of a map so we dont affect a caller + m := common.MapStr(in).Clone() + + inputs, ok := m["inputs"] + if ok { + // remove the inputs + delete(m, "inputs") + } + cfg, err := config.NewConfigFrom(m) + if err != nil { + return nil, err + } + if ok { + inputsOnly := map[string]interface{}{ + "inputs": inputs, + } + // convert to config without variable substitution + inputsCfg, err := config.NewConfigFrom(inputsOnly, ucfg.PathSep("."), ucfg.ResolveNOOP) + if err != nil { + return nil, err + } + err = cfg.Merge(inputsCfg, ucfg.PathSep("."), ucfg.ResolveNOOP) + if err != nil { + return nil, err + } + } + return cfg, err +} diff --git a/x-pack/elastic-agent/pkg/agent/application/config_test.go b/x-pack/elastic-agent/pkg/agent/application/config_test.go index fe9453ac8f4..4d4527a1e60 100644 --- a/x-pack/elastic-agent/pkg/agent/application/config_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/config_test.go @@ -5,9 +5,14 @@ package application import ( + "io/ioutil" + "os" + "path/filepath" "testing" "time" + "gopkg.in/yaml.v2" + "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -15,6 +20,44 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" ) +func TestLoadConfig(t *testing.T) { + contents := map[string]interface{}{ + "outputs": map[string]interface{}{ + "default": map[string]interface{}{ + "type": "elasticsearch", + "hosts": []interface{}{"127.0.0.1:9200"}, + "username": "elastic", + "password": "changeme", + }, + }, + "inputs": []interface{}{ + map[string]interface{}{ + "type": "logfile", + "streams": []interface{}{ + map[string]interface{}{ + "paths": []interface{}{"/var/log/${host.name}"}, + }, + }, + }, + }, + } + + tmp, err := ioutil.TempDir("", "config") + require.NoError(t, err) + defer os.RemoveAll(tmp) + + cfgPath := filepath.Join(tmp, "config.yml") + dumpToYAML(t, cfgPath, contents) + + cfg, err := LoadConfigFromFile(cfgPath) + require.NoError(t, err) + + cfgData, err := cfg.ToMapStr() + require.NoError(t, err) + + assert.Equal(t, contents, cfgData) +} + func TestConfig(t *testing.T) { testMgmtMode(t) testLocalConfig(t) @@ -74,3 +117,9 @@ func mustWithConfigMode(standalone bool) *config.Config { }, ) } + +func dumpToYAML(t *testing.T, out string, in interface{}) { + b, err := yaml.Marshal(in) + require.NoError(t, err) + ioutil.WriteFile(out, b, 0600) +} diff --git a/x-pack/elastic-agent/pkg/agent/application/emitter.go b/x-pack/elastic-agent/pkg/agent/application/emitter.go index 249acdd213f..d8a19492e2b 100644 --- a/x-pack/elastic-agent/pkg/agent/application/emitter.go +++ b/x-pack/elastic-agent/pkg/agent/application/emitter.go @@ -5,11 +5,15 @@ package application import ( + "context" + "fmt" "strings" + "sync" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" ) @@ -30,54 +34,128 @@ type programsDispatcher interface { Dispatch(id string, grpProg map[routingKey][]program.Program) error } -func emitter(log *logger.Logger, router programsDispatcher, modifiers *configModifiers, reloadables ...reloadable) emitterFunc { - return func(c *config.Config) error { - if err := InjectAgentConfig(c); err != nil { - return err - } +type emitterController struct { + logger *logger.Logger + controller composable.Controller + router programsDispatcher + modifiers *configModifiers + reloadables []reloadable + + // state + lock sync.RWMutex + config *config.Config + ast *transpiler.AST + vars []*transpiler.Vars +} - log.Debug("Transforming configuration into a tree") - m, err := c.ToMapStr() - if err != nil { - return errors.New(err, "could not create the AST from the configuration", errors.TypeConfig) +func (e *emitterController) Update(c *config.Config) error { + if err := InjectAgentConfig(c); err != nil { + return err + } + + // perform and verify ast translation + m, err := c.ToMapStr() + if err != nil { + return errors.New(err, "could not create the AST from the configuration", errors.TypeConfig) + } + rawAst, err := transpiler.NewAST(m) + if err != nil { + return errors.New(err, "could not create the AST from the configuration", errors.TypeConfig) + } + for _, filter := range e.modifiers.Filters { + if err := filter(e.logger, rawAst); err != nil { + return errors.New(err, "failed to filter configuration", errors.TypeConfig) } + } + + e.lock.Lock() + e.config = c + e.ast = rawAst + e.lock.Unlock() + + return e.update() +} + +func (e *emitterController) Set(vars []*transpiler.Vars) { + e.lock.Lock() + ast := e.ast + e.vars = vars + e.lock.Unlock() - ast, err := transpiler.NewAST(m) + if ast != nil { + err := e.update() if err != nil { - return errors.New(err, "could not create the AST from the configuration", errors.TypeConfig) + e.logger.Errorf("Failed to render configuration with latest context from composable controller: %s", err) } + } +} - for _, filter := range modifiers.Filters { - if err := filter(log, ast); err != nil { - return errors.New(err, "failed to filter configuration", errors.TypeConfig) - } +func (e *emitterController) update() error { + e.lock.RLock() + cfg := e.config + rawAst := e.ast + varsArray := e.vars + e.lock.RUnlock() + + ast := rawAst.Clone() + inputs, ok := transpiler.Lookup(ast, "inputs") + if ok { + renderedInputs, err := renderInputs(inputs, varsArray) + if err != nil { + return err } - - log.Debugf("Supported programs: %s", strings.Join(program.KnownProgramNames(), ", ")) - log.Debug("Converting single configuration into specific programs configuration") - - programsToRun, err := program.Programs(ast) + err = transpiler.Insert(ast, renderedInputs, "inputs") if err != nil { return err } + } - for _, decorator := range modifiers.Decorators { - for outputType, ptr := range programsToRun { - programsToRun[outputType], err = decorator(outputType, ast, ptr) - if err != nil { - return err - } - } - } + e.logger.Debug("Converting single configuration into specific programs configuration") - for _, r := range reloadables { - if err := r.Reload(c); err != nil { + programsToRun, err := program.Programs(ast) + if err != nil { + return err + } + + for _, decorator := range e.modifiers.Decorators { + for outputType, ptr := range programsToRun { + programsToRun[outputType], err = decorator(outputType, ast, ptr) + if err != nil { return err } } + } - return router.Dispatch(ast.HashStr(), programsToRun) + for _, r := range e.reloadables { + if err := r.Reload(cfg); err != nil { + return err + } + } + + return e.router.Dispatch(ast.HashStr(), programsToRun) +} + +func emitter(ctx context.Context, log *logger.Logger, controller composable.Controller, router programsDispatcher, modifiers *configModifiers, reloadables ...reloadable) (emitterFunc, error) { + log.Debugf("Supported programs: %s", strings.Join(program.KnownProgramNames(), ", ")) + + init, _ := transpiler.NewVars(map[string]interface{}{}) + ctrl := &emitterController{ + logger: log, + controller: controller, + router: router, + modifiers: modifiers, + reloadables: reloadables, + vars: []*transpiler.Vars{init}, + } + err := controller.Run(ctx, func(vars []*transpiler.Vars) { + ctrl.Set(vars) + }) + if err != nil { + return nil, errors.New(err, "failed to start composable controller") } + return func(c *config.Config) error { + return ctrl.Update(c) + }, nil } func readfiles(files []string, emitter emitterFunc) error { @@ -88,3 +166,84 @@ func readfiles(files []string, emitter emitterFunc) error { return emitter(c) } + +func renderInputs(inputs transpiler.Node, varsArray []*transpiler.Vars) (transpiler.Node, error) { + l, ok := inputs.Value().(*transpiler.List) + if !ok { + return nil, fmt.Errorf("inputs must be an array") + } + nodes := []transpiler.Node{} + nodesMap := map[string]*transpiler.Dict{} + for _, vars := range varsArray { + for _, node := range l.Value().([]transpiler.Node) { + dict, ok := node.Clone().(*transpiler.Dict) + if !ok { + continue + } + n, err := dict.Apply(vars) + if err == transpiler.ErrNoMatch { + // has a variable that didn't exist, so we ignore it + continue + } + if err != nil { + // another error that needs to be reported + return nil, err + } + if n == nil { + // condition removed it + continue + } + dict = n.(*transpiler.Dict) + dict = promoteProcessors(dict) + hash := string(dict.Hash()) + _, exists := nodesMap[hash] + if !exists { + nodesMap[hash] = dict + nodes = append(nodes, dict) + } + } + } + return transpiler.NewList(nodes), nil +} + +func promoteProcessors(dict *transpiler.Dict) *transpiler.Dict { + p := dict.Processors() + if p == nil { + return dict + } + current, ok := dict.Find("processors") + currentList, isList := current.Value().(*transpiler.List) + if !isList { + return dict + } + ast, _ := transpiler.NewAST(map[string]interface{}{ + "processors": p, + }) + procs, _ := transpiler.Lookup(ast, "processors") + nodes := nodesFromList(procs.Value().(*transpiler.List)) + if ok { + nodes = append(nodes, nodesFromList(currentList)...) + } + dictNodes := dict.Value().([]transpiler.Node) + set := false + for i, node := range dictNodes { + switch n := node.(type) { + case *transpiler.Key: + if n.Name() == "processors" { + dictNodes[i] = transpiler.NewKey("processors", transpiler.NewList(nodes)) + set = true + } + } + if set { + break + } + } + if !set { + dictNodes = append(dictNodes, transpiler.NewKey("processors", transpiler.NewList(nodes))) + } + return transpiler.NewDict(dictNodes) +} + +func nodesFromList(list *transpiler.List) []transpiler.Node { + return list.Value().([]transpiler.Node) +} diff --git a/x-pack/elastic-agent/pkg/agent/application/emitter_test.go b/x-pack/elastic-agent/pkg/agent/application/emitter_test.go new file mode 100644 index 00000000000..32770eaa5df --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/emitter_test.go @@ -0,0 +1,511 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package application + +import ( + "testing" + + "github.com/stretchr/testify/require" + + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" +) + +func TestRenderInputs(t *testing.T) { + testcases := map[string]struct { + input transpiler.Node + expected transpiler.Node + varsArray []*transpiler.Vars + err bool + }{ + "inputs not list": { + input: transpiler.NewKey("inputs", transpiler.NewStrVal("not list")), + err: true, + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{}), + }, + }, + "bad variable error": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.name|'missing ending quote}")), + }), + })), + err: true, + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + }, + }), + }, + }, + "basic single var": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.name}")), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("value1")), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + }, + }), + }, + }, + "duplicate result is removed": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.name}")), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.diff}")), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("value1")), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + "diff": "value1", + }, + }), + }, + }, + "missing var removes input": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.name}")), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.missing|var1.diff}")), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.removed}")), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("value1")), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + "diff": "value1", + }, + }), + }, + }, + "duplicate var result but unique input not removed": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.name}")), + transpiler.NewKey("unique", transpiler.NewStrVal("0")), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.diff}")), + transpiler.NewKey("unique", transpiler.NewStrVal("1")), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("value1")), + transpiler.NewKey("unique", transpiler.NewStrVal("0")), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("value1")), + transpiler.NewKey("unique", transpiler.NewStrVal("1")), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + "diff": "value1", + }, + }), + }, + }, + "duplicates across vars array handled": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.name}")), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("${var1.diff}")), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("value1")), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("value2")), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("value3")), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("key", transpiler.NewStrVal("value4")), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + "diff": "value1", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + "diff": "value2", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + "diff": "value3", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + "diff": "value2", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + "diff": "value4", + }, + }), + }, + }, + "nested in streams": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/${var1.name}.log"), + })), + }), + })), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value1.log"), + })), + }), + })), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value2.log"), + })), + }), + })), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value3.log"), + })), + }), + })), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value4.log"), + })), + }), + })), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value2", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value2", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value3", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value4", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "missing": "other", + }, + }), + }, + }, + "inputs with processors": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/${var1.name}.log"), + })), + }), + })), + transpiler.NewKey("processors", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("user", transpiler.NewStrVal("user1")), + })), + transpiler.NewKey("to", transpiler.NewStrVal("user")), + })), + }), + })), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value1.log"), + })), + }), + })), + transpiler.NewKey("processors", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("user", transpiler.NewStrVal("user1")), + })), + transpiler.NewKey("to", transpiler.NewStrVal("user")), + })), + }), + })), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value2.log"), + })), + }), + })), + transpiler.NewKey("processors", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("user", transpiler.NewStrVal("user1")), + })), + transpiler.NewKey("to", transpiler.NewStrVal("user")), + })), + }), + })), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + }, + }), + mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value2", + }, + }), + }, + }, + "vars with processors": { + input: transpiler.NewKey("inputs", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/${var1.name}.log"), + })), + }), + })), + transpiler.NewKey("processors", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("user", transpiler.NewStrVal("user1")), + })), + transpiler.NewKey("to", transpiler.NewStrVal("user")), + })), + }), + })), + }), + })), + expected: transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value1.log"), + })), + }), + })), + transpiler.NewKey("processors", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("custom", transpiler.NewStrVal("value1")), + })), + transpiler.NewKey("to", transpiler.NewStrVal("dynamic")), + })), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("user", transpiler.NewStrVal("user1")), + })), + transpiler.NewKey("to", transpiler.NewStrVal("user")), + })), + }), + })), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("type", transpiler.NewStrVal("logfile")), + transpiler.NewKey("streams", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("paths", transpiler.NewList([]transpiler.Node{ + transpiler.NewStrVal("/var/log/value2.log"), + })), + }), + })), + transpiler.NewKey("processors", transpiler.NewList([]transpiler.Node{ + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("custom", transpiler.NewStrVal("value2")), + })), + transpiler.NewKey("to", transpiler.NewStrVal("dynamic")), + })), + }), + transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("add_fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("fields", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("user", transpiler.NewStrVal("user1")), + })), + transpiler.NewKey("to", transpiler.NewStrVal("user")), + })), + }), + })), + }), + }), + varsArray: []*transpiler.Vars{ + mustMakeVarsP(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value1", + }, + }, + "var1", + []map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "fields": map[string]interface{}{ + "custom": "value1", + }, + "to": "dynamic", + }, + }, + }), + mustMakeVarsP(map[string]interface{}{ + "var1": map[string]interface{}{ + "name": "value2", + }, + }, + "var1", + []map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "fields": map[string]interface{}{ + "custom": "value2", + }, + "to": "dynamic", + }, + }, + }), + }, + }, + } + + for name, test := range testcases { + t.Run(name, func(t *testing.T) { + v, err := renderInputs(test.input, test.varsArray) + if test.err { + require.Error(t, err) + } else { + require.NoError(t, err) + assert.Equal(t, test.expected.String(), v.String()) + } + }) + } +} + +func mustMakeVars(mapping map[string]interface{}) *transpiler.Vars { + v, err := transpiler.NewVars(mapping) + if err != nil { + panic(err) + } + return v +} + +func mustMakeVarsP(mapping map[string]interface{}, processorKey string, processors transpiler.Processors) *transpiler.Vars { + v, err := transpiler.NewVarsWithProcessors(mapping, processorKey, processors) + if err != nil { + panic(err) + } + return v +} diff --git a/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go b/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go index 65ba03b679e..7d905b80f8c 100644 --- a/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go +++ b/x-pack/elastic-agent/pkg/agent/application/enroll_cmd.go @@ -7,6 +7,7 @@ package application import ( "bytes" "context" + "fmt" "io" "net/http" "net/url" @@ -21,6 +22,7 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/kibana" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" ) type store interface { @@ -60,8 +62,10 @@ type EnrollCmdOption struct { URL string CAs []string CASha256 []string + Insecure bool UserProvidedMetadata map[string]interface{} EnrollAPIKey string + Staging string } func (e *EnrollCmdOption) kibanaConfig() (*kibana.Config, error) { @@ -69,6 +73,9 @@ func (e *EnrollCmdOption) kibanaConfig() (*kibana.Config, error) { if err != nil { return nil, err } + if cfg.Protocol == kibana.ProtocolHTTP && !e.Insecure { + return nil, fmt.Errorf("connection to Kibana is insecure, strongly recommended to use a secure connection (override with --insecure)") + } // Add any SSL options from the CLI. if len(e.CAs) > 0 || len(e.CASha256) > 0 { @@ -77,6 +84,11 @@ func (e *EnrollCmdOption) kibanaConfig() (*kibana.Config, error) { CASha256: e.CASha256, } } + if e.Insecure { + cfg.TLS = &tlscommon.Config{ + VerificationMode: tlscommon.VerifyNone, + } + } return cfg, nil } @@ -113,16 +125,16 @@ func NewEnrollCmdWithStore( cfg, err := options.kibanaConfig() if err != nil { - return nil, errors.New(err, - "invalid Kibana configuration", + return nil, errors.New( + err, "Error", errors.TypeConfig, errors.M(errors.MetaKeyURI, options.URL)) } client, err := fleetapi.NewWithConfig(log, cfg) if err != nil { - return nil, errors.New(err, - "fail to create the API client", + return nil, errors.New( + err, "Error", errors.TypeNetwork, errors.M(errors.MetaKeyURI, options.URL)) } @@ -163,11 +175,19 @@ func (c *EnrollCmd) Execute() error { } fleetConfig, err := createFleetConfigFromEnroll(resp.Item.AccessAPIKey, c.kibanaConfig) + agentConfig := map[string]interface{}{ + "id": resp.Item.ID, + } + if c.options.Staging != "" { + staging := fmt.Sprintf("https://staging.elastic.co/%s-%s/downloads/", release.Version(), c.options.Staging[:8]) + agentConfig["download"] = map[string]interface{}{ + "sourceURI": staging, + } + } + configToStore := map[string]interface{}{ "fleet": fleetConfig, - "agent": map[string]interface{}{ - "id": resp.Item.ID, - }, + "agent": agentConfig, } reader, err := yamlToReader(configToStore) diff --git a/x-pack/elastic-agent/pkg/agent/application/enroll_cmd_test.go b/x-pack/elastic-agent/pkg/agent/application/enroll_cmd_test.go index 0fe2e3a2d1e..beab1b253d6 100644 --- a/x-pack/elastic-agent/pkg/agent/application/enroll_cmd_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/enroll_cmd_test.go @@ -54,7 +54,6 @@ func TestEnroll(t *testing.T) { w.Write([]byte(` { "action": "created", - "success": true, "item": { "id": "a9328860-ec54-11e9-93c4-d72ab8a69391", "active": true, @@ -108,7 +107,6 @@ func TestEnroll(t *testing.T) { w.Write([]byte(` { "action": "created", - "success": true, "item": { "id": "a9328860-ec54-11e9-93c4-d72ab8a69391", "active": true, @@ -170,7 +168,6 @@ func TestEnroll(t *testing.T) { w.Write([]byte(` { "action": "created", - "success": true, "item": { "id": "a9328860-ec54-11e9-93c4-d72ab8a69391", "active": true, @@ -200,6 +197,7 @@ func TestEnroll(t *testing.T) { URL: url, CAs: []string{}, EnrollAPIKey: "my-enrollment-api-key", + Insecure: true, UserProvidedMetadata: map[string]interface{}{"custom": "customize"}, }, "", @@ -230,7 +228,6 @@ func TestEnroll(t *testing.T) { w.Write([]byte(` { "action": "created", - "success": true, "item": { "id": "a9328860-ec54-11e9-93c4-d72ab8a69391", "active": true, @@ -260,6 +257,7 @@ func TestEnroll(t *testing.T) { URL: url, CAs: []string{}, EnrollAPIKey: "my-enrollment-api-key", + Insecure: true, UserProvidedMetadata: map[string]interface{}{"custom": "customize"}, }, "", @@ -304,6 +302,7 @@ func TestEnroll(t *testing.T) { URL: url, CAs: []string{}, EnrollAPIKey: "my-enrollment-token", + Insecure: true, UserProvidedMetadata: map[string]interface{}{"custom": "customize"}, }, "", diff --git a/x-pack/elastic-agent/pkg/agent/application/filters/constraints_filter.go b/x-pack/elastic-agent/pkg/agent/application/filters/constraints_filter.go deleted file mode 100644 index d9abd6c7aa3..00000000000 --- a/x-pack/elastic-agent/pkg/agent/application/filters/constraints_filter.go +++ /dev/null @@ -1,244 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package filters - -import ( - "fmt" - - "github.com/Masterminds/semver" - - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/boolexp" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" -) - -const ( - inputsKey = "inputs" - constraintsKey = "constraints" - validateVersionFuncName = "validate_version" -) - -var ( - boolexpVarStore *constraintVarStore - boolexpMethodsRegs *boolexp.MethodsReg -) - -// ConstraintFilter filters ast based on included constraints. -// constraints are still Experimental and should not be used in production. -func ConstraintFilter(log *logger.Logger, ast *transpiler.AST) error { - // get datasources - inputsNode, found := transpiler.Lookup(ast, inputsKey) - if !found { - return nil - } - - inputsListNode, ok := inputsNode.Value().(*transpiler.List) - if !ok { - return nil - } - - inputsList, ok := inputsListNode.Value().([]transpiler.Node) - if !ok { - return nil - } - - // for each datasource - i := 0 - originalLen := len(inputsList) - for i < len(inputsList) { - constraintMatch, err := evaluateConstraints(log, inputsList[i]) - if err != nil { - return err - } - - if constraintMatch { - i++ - continue - } - inputsList = append(inputsList[:i], inputsList[i+1:]...) - } - - if len(inputsList) == originalLen { - return nil - } - - // Replace datasources with limited set - if err := transpiler.RemoveKey(inputsKey).Apply(ast); err != nil { - return err - } - - newList := transpiler.NewList(inputsList) - return transpiler.Insert(ast, newList, inputsKey) -} - -func evaluateConstraints(log *logger.Logger, datasourceNode transpiler.Node) (bool, error) { - constraintsNode, found := datasourceNode.Find(constraintsKey) - if !found { - return true, nil - } - - constraintsListNode, ok := constraintsNode.Value().(*transpiler.List) - if !ok { - return false, errors.New("constraints not a list", errors.TypeConfig) - } - - constraintsList, ok := constraintsListNode.Value().([]transpiler.Node) - if !ok { - return false, errors.New("constraints not a list", errors.TypeConfig) - } - - for _, c := range constraintsList { - strval, ok := c.(*transpiler.StrVal) - if !ok { - return false, errors.New("constraints is not a string") - } - - constraint := strval.String() - if isOK, err := evaluateConstraint(constraint); !isOK || err != nil { - if err == nil { - // log only constraint not matching - log.Infof("constraint '%s' not matching for datasource '%s'", constraint, datasourceIdentifier(datasourceNode)) - } - - return false, err - } - } - - return true, nil -} - -func datasourceIdentifier(datasourceNode transpiler.Node) string { - namespace := "default" - output := "default" - - if nsNode, found := datasourceNode.Find("namespace"); found { - nsKey, ok := nsNode.(*transpiler.Key) - if ok { - if valNode, ok := nsKey.Value().(transpiler.Node); ok { - namespace = valNode.String() - } - } - } - - if outNode, found := datasourceNode.Find("use_output"); found { - nsKey, ok := outNode.(*transpiler.Key) - if ok { - if valNode, ok := nsKey.Value().(transpiler.Node); ok { - output = valNode.String() - } - } - } - - ID := "unknown" - if idNode, found := datasourceNode.Find("id"); found { - nsKey, ok := idNode.(*transpiler.Key) - if ok { - if valNode, ok := nsKey.Value().(transpiler.Node); ok { - ID = valNode.String() - } - } - } - - return fmt.Sprintf("namespace:%s, output:%s, id:%s", namespace, output, ID) -} - -func evaluateConstraint(constraint string) (bool, error) { - store, regs, err := boolexpMachinery() - if err != nil { - return false, err - } - - return boolexp.Eval(constraint, regs, store) -} - -func boolexpMachinery() (*constraintVarStore, *boolexp.MethodsReg, error) { - if boolexpMethodsRegs != nil && boolexpVarStore != nil { - return boolexpVarStore, boolexpMethodsRegs, nil - } - - regs := boolexp.NewMethodsReg() - if err := regs.Register(validateVersionFuncName, regValidateVersion); err != nil { - return nil, nil, err - } - - store, err := newVarStore() - if err != nil { - return nil, nil, err - } - - if err := initVarStore(store); err != nil { - return nil, nil, err - } - - boolexpMethodsRegs = regs - boolexpVarStore = store - - return boolexpVarStore, boolexpMethodsRegs, nil -} - -func regValidateVersion(args []interface{}) (interface{}, error) { - if len(args) != 2 { - return false, errors.New("validate_version: invalid number of arguments, expecting 2") - } - - version, isString := args[0].(string) - if !isString { - return false, errors.New("version should be a string") - } - - constraint, isString := args[1].(string) - if !isString { - return false, errors.New("version constraint should be a string") - } - - c, err := semver.NewConstraint(constraint) - if err != nil { - return false, errors.New(fmt.Sprintf("constraint '%s' is invalid", constraint)) - } - - v, err := semver.NewVersion(version) - if err != nil { - return false, errors.New(fmt.Sprintf("version '%s' is invalid", version)) - } - - isOK, _ := c.Validate(v) - return isOK, nil -} - -type constraintVarStore struct { - vars map[string]interface{} -} - -func (s *constraintVarStore) Lookup(v string) (interface{}, bool) { - val, ok := s.vars[v] - return val, ok -} - -func newVarStore() (*constraintVarStore, error) { - return &constraintVarStore{ - vars: make(map[string]interface{}), - }, nil -} - -func initVarStore(store *constraintVarStore) error { - agentInfo, err := info.NewAgentInfo() - if err != nil { - return err - } - - meta, err := agentInfo.ECSMetadataFlatMap() - if err != nil { - return errors.New(err, "failed to gather host metadata") - } - - // keep existing, overwrite gathered - for k, v := range meta { - store.vars[k] = v - } - - return nil -} diff --git a/x-pack/elastic-agent/pkg/agent/application/filters/constraints_filter_test.go b/x-pack/elastic-agent/pkg/agent/application/filters/constraints_filter_test.go deleted file mode 100644 index d7e3190dd92..00000000000 --- a/x-pack/elastic-agent/pkg/agent/application/filters/constraints_filter_test.go +++ /dev/null @@ -1,46 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package filters - -import ( - "os" - "runtime" - "testing" - - "github.com/stretchr/testify/assert" - - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" -) - -func TestEvaluation(t *testing.T) { - type testCase struct { - name string - condition string - result bool - } - - testCases := []testCase{ - {"simple version", "validate_version(%{[agent.version]}, '" + release.Version() + "')", true}, - {"~ version release", "validate_version(%{[agent.version]}, '~" + release.Version() + "')", true}, - {"^ version release", "validate_version(%{[agent.version]}, '^" + release.Version() + "')", true}, - {"range to release", "validate_version(%{[agent.version]}, '1.0.0 - " + release.Version() + "')", true}, - {"range lower", "validate_version(%{[agent.version]}, '1.0.0 - 5.0.0')", false}, - {"range include", "validate_version(%{[agent.version]}, '1.0.0 - 100.0.0')", true}, - {"family should equal", "%{[os.family]} == '" + runtime.GOOS + "'", true}, - {"family should not equal", "%{[os.family]} != '" + runtime.GOOS + "'", false}, - } - - for _, tc := range testCases { - t.Run(tc.name, func(t *testing.T) { - r, err := evaluateConstraint(tc.condition) - assert.NoError(t, err) - assert.Equal(t, tc.result, r) - - // cleanup - os.Remove("fleet.yml") - os.Remove("fleet.yml.old") - }) - } -} diff --git a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go index 470cb776ab1..3a6a7843b72 100644 --- a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go +++ b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go @@ -16,11 +16,11 @@ import ( // ErrInvalidNamespace is error returned when namespace value provided is invalid. var ErrInvalidNamespace = errors.New("provided namespace is invalid", errors.TypeConfig) -// ErrInvalidDataset is error returned when dataset name value provided is invalid. -var ErrInvalidDataset = errors.New("provided dataset name is invalid", errors.TypeConfig) +// ErrInvalidDataset is error returned when datastream name value provided is invalid. +var ErrInvalidDataset = errors.New("provided datastream dataset is invalid", errors.TypeConfig) -// ErrInvalidIndex occurs when concatenation of {dataset.type}-{dataset.name}-{dataset.namespace} does not meet index criteria. -var ErrInvalidIndex = errors.New("provided combination of type, dataset name and namespace is invalid", errors.TypeConfig) +// ErrInvalidIndex occurs when concatenation of {data_stream.type}-{data_stream.dataset}-{data_stream.namespace} does not meet index criteria. +var ErrInvalidIndex = errors.New("provided combination of type, datastream dataset and namespace is invalid", errors.TypeConfig) // StreamChecker checks for invalid values in stream namespace and dataset. func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { @@ -42,9 +42,9 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { for _, inputNode := range inputsNodeListCollection { namespace := "default" datasetName := "generic" - // fail only if dataset.namespace or dataset[namespace] is found and invalid + // fail only if data_stream.namespace or data_stream[namespace] is found and invalid // not provided values are ok and will be fixed by rules - if nsNode, found := inputNode.Find("dataset.namespace"); found { + if nsNode, found := inputNode.Find("data_stream.namespace"); found { nsKey, ok := nsNode.(*transpiler.Key) if ok { newNamespace := nsKey.Value().(transpiler.Node).String() @@ -54,9 +54,9 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { namespace = newNamespace } } else { - dsNode, found := inputNode.Find("dataset") + dsNode, found := inputNode.Find("data_stream") if found { - // got a dataset + // got a datastream datasetMap, ok := dsNode.Value().(*transpiler.Dict) if ok { nsNode, found := datasetMap.Find("namespace") @@ -76,14 +76,14 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { // get the type, longest type for now is metrics datasetType := "metrics" - if nsNode, found := inputNode.Find("dataset.type"); found { + if nsNode, found := inputNode.Find("data_stream.type"); found { nsKey, ok := nsNode.(*transpiler.Key) if ok { newDataset := nsKey.Value().(transpiler.Node).String() datasetType = newDataset } } else { - dsNode, found := inputNode.Find("dataset") + dsNode, found := inputNode.Find("data_stream") if found { // got a dataset datasetMap, ok := dsNode.Value().(*transpiler.Dict) @@ -116,7 +116,7 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { } // fix this only if in compact form - if dsNameNode, found := streamMap.Find("dataset.name"); found { + if dsNameNode, found := streamMap.Find("data_stream.dataset"); found { dsKey, ok := dsNameNode.(*transpiler.Key) if ok { newDataset := dsKey.Value().(transpiler.Node).String() @@ -126,14 +126,14 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { datasetName = newDataset } } else { - datasetNode, found := streamMap.Find("dataset") + datasetNode, found := streamMap.Find("data_stream") if found { datasetMap, ok := datasetNode.Value().(*transpiler.Dict) if !ok { continue } - dsNameNode, found := datasetMap.Find("name") + dsNameNode, found := datasetMap.Find("dataset") if found { dsKey, ok := dsNameNode.(*transpiler.Key) if ok { diff --git a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go index b6d9bc22e0d..1daa14a1ad6 100644 --- a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go @@ -40,8 +40,8 @@ func TestStreamCheck(t *testing.T) { configMap: map[string]interface{}{ "inputs": []map[string]interface{}{ { - "dataset.namespace": "somenamespace", - "streams": []map[string]interface{}{{"dataset.name": "somedatasetname"}}, + "data_stream.namespace": "somenamespace", + "streams": []map[string]interface{}{{"data_stream.dataset": "somedatasetname"}}, }, }, }, @@ -52,13 +52,13 @@ func TestStreamCheck(t *testing.T) { configMap: map[string]interface{}{ "inputs": []map[string]interface{}{ { - "dataset": map[string]interface{}{ + "data_stream": map[string]interface{}{ "namespace": "somenamespace", }, "streams": []map[string]interface{}{ { - "dataset": map[string]interface{}{ - "name": "somedatasetname", + "data_stream": map[string]interface{}{ + "dataset": "somedatasetname", }, }, }, @@ -68,23 +68,23 @@ func TestStreamCheck(t *testing.T) { result: nil, }, { - name: "dataset.name invalid - compact", + name: "dataset invalid - compact", configMap: map[string]interface{}{ "inputs": []map[string]interface{}{ - {"streams": []map[string]interface{}{{"dataset.name": ""}}}, + {"streams": []map[string]interface{}{{"data_stream.dataset": ""}}}, }, }, result: ErrInvalidDataset, }, { - name: "dataset.name invalid - long", + name: "dataset invalid - long", configMap: map[string]interface{}{ "inputs": []map[string]interface{}{ { "streams": []map[string]interface{}{ { - "dataset": map[string]interface{}{ - "name": "", + "data_stream": map[string]interface{}{ + "dataset": "", }, }, }, @@ -95,55 +95,55 @@ func TestStreamCheck(t *testing.T) { }, { - name: "dataset.name invalid dot - compact", + name: "dataset invalid dot - compact", configMap: map[string]interface{}{ "inputs": []map[string]interface{}{ - {"streams": []map[string]interface{}{{"dataset.name": "."}}}, + {"streams": []map[string]interface{}{{"data_stream.dataset": "."}}}, }, }, result: ErrInvalidDataset, }, { - name: "dataset.name invalid dotdot- compact", + name: "dataset invalid dotdot- compact", configMap: map[string]interface{}{ "inputs": []map[string]interface{}{ - {"streams": []map[string]interface{}{{"dataset.name": ".."}}}, + {"streams": []map[string]interface{}{{"data_stream.dataset": ".."}}}, }, }, result: ErrInvalidDataset, }, { - name: "dataset.name invalid uppercase - compact", + name: "dataset invalid uppercase - compact", configMap: map[string]interface{}{ "inputs": []map[string]interface{}{ - {"streams": []map[string]interface{}{{"dataset.name": "myNameIs"}}}, + {"streams": []map[string]interface{}{{"data_stream.dataset": "myNameIs"}}}, }, }, result: ErrInvalidDataset, }, { - name: "dataset.name invalid space- compact", + name: "dataset invalid space- compact", configMap: map[string]interface{}{ "inputs": []map[string]interface{}{ - {"streams": []map[string]interface{}{{"dataset.name": "outer space"}}}, + {"streams": []map[string]interface{}{{"data_stream.dataset": "outer space"}}}, }, }, result: ErrInvalidDataset, }, { - name: "dataset.name invalid invalid char- compact", + name: "dataset invalid invalid char- compact", configMap: map[string]interface{}{ "inputs": []map[string]interface{}{ - {"streams": []map[string]interface{}{{"dataset.name": "is\\thisvalid"}}}, + {"streams": []map[string]interface{}{{"data_stream.dataset": "is\\thisvalid"}}}, }, }, result: ErrInvalidDataset, }, { - name: "dataset.name invalid invalid prefix- compact", + name: "dataset invalid invalid prefix- compact", configMap: map[string]interface{}{ "inputs": []map[string]interface{}{ - {"streams": []map[string]interface{}{{"dataset.name": "_isthisvalid"}}}, + {"streams": []map[string]interface{}{{"data_stream.dataset": "_isthisvalid"}}}, }, }, result: ErrInvalidDataset, @@ -152,7 +152,7 @@ func TestStreamCheck(t *testing.T) { { name: "namespace invalid - compact", configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{{"dataset.namespace": ""}}, + "inputs": []map[string]interface{}{{"data_stream.namespace": ""}}, }, result: ErrInvalidNamespace, }, @@ -160,7 +160,7 @@ func TestStreamCheck(t *testing.T) { name: "namespace invalid name 1 - compact", configMap: map[string]interface{}{ "inputs": []map[string]interface{}{ - {"dataset.namespace": "."}, + {"data_stream.namespace": "."}, }, }, result: ErrInvalidNamespace, @@ -168,35 +168,35 @@ func TestStreamCheck(t *testing.T) { { name: "namespace invalid name 2 - compact", configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{{"dataset.namespace": ".."}}, + "inputs": []map[string]interface{}{{"data_stream.namespace": ".."}}, }, result: ErrInvalidNamespace, }, { name: "namespace invalid name uppercase - compact", configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{{"dataset.namespace": "someUpper"}}, + "inputs": []map[string]interface{}{{"data_stream.namespace": "someUpper"}}, }, result: ErrInvalidNamespace, }, { name: "namespace invalid name space - compact", configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{{"dataset.namespace": "some space"}}, + "inputs": []map[string]interface{}{{"data_stream.namespace": "some space"}}, }, result: ErrInvalidNamespace, }, { name: "namespace invalid name invalid char - compact", configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{{"dataset.namespace": "isitok?"}}, + "inputs": []map[string]interface{}{{"data_stream.namespace": "isitok?"}}, }, result: ErrInvalidNamespace, }, { name: "namespace invalid name invalid prefix - compact", configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{{"dataset.namespace": "+isitok"}}, + "inputs": []map[string]interface{}{{"data_stream.namespace": "+isitok"}}, }, result: ErrInvalidNamespace, }, @@ -205,7 +205,7 @@ func TestStreamCheck(t *testing.T) { configMap: map[string]interface{}{ "inputs": []map[string]interface{}{ { - "dataset": map[string]interface{}{ + "data_stream": map[string]interface{}{ "namespace": "", }, }, @@ -217,7 +217,7 @@ func TestStreamCheck(t *testing.T) { name: "type invalid name 1 - compact", configMap: map[string]interface{}{ "inputs": []map[string]interface{}{ - {"dataset.type": "-invalidstart"}, + {"data_stream.type": "-invalidstart"}, }, }, result: ErrInvalidIndex, @@ -227,9 +227,9 @@ func TestStreamCheck(t *testing.T) { configMap: map[string]interface{}{ "inputs": []map[string]interface{}{ { - "dataset.type": semiLongString, - "dataset.namespace": semiLongString, - "streams": []map[string]interface{}{{"dataset.name": semiLongString}}, + "data_stream.type": semiLongString, + "data_stream.namespace": semiLongString, + "streams": []map[string]interface{}{{"data_stream.dataset": semiLongString}}, }, }, }, @@ -239,7 +239,7 @@ func TestStreamCheck(t *testing.T) { name: "type invalid type length 1 - compact", configMap: map[string]interface{}{ "inputs": []map[string]interface{}{ - {"dataset.type": longString}, + {"data_stream.type": longString}, }, }, result: ErrInvalidIndex, @@ -249,17 +249,17 @@ func TestStreamCheck(t *testing.T) { name: "type invalid namespace length 1 - compact", configMap: map[string]interface{}{ "inputs": []map[string]interface{}{ - {"dataset.namespace": longString}, + {"data_stream.namespace": longString}, }, }, result: ErrInvalidNamespace, }, { - name: "type invalid dataset.name length 1 - compact", + name: "type invalid dataset length 1 - compact", configMap: map[string]interface{}{ "inputs": []map[string]interface{}{ - {"streams": []map[string]interface{}{{"dataset.name": longString}}}, + {"streams": []map[string]interface{}{{"data_stream.dataset": longString}}}, }, }, result: ErrInvalidDataset, diff --git a/x-pack/elastic-agent/pkg/agent/application/fleet_acker_test.go b/x-pack/elastic-agent/pkg/agent/application/fleet_acker_test.go index 624824e14ec..41e42df7376 100644 --- a/x-pack/elastic-agent/pkg/agent/application/fleet_acker_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/fleet_acker_test.go @@ -48,7 +48,7 @@ func TestAcker(t *testing.T) { assert.EqualValues(t, 1, len(cr.Events)) assert.EqualValues(t, testID, cr.Events[0].ActionID) - resp := wrapStrToResp(http.StatusOK, `{ "actions": [], "success": true }`) + resp := wrapStrToResp(http.StatusOK, `{ "actions": [] }`) return resp, nil }) diff --git a/x-pack/elastic-agent/pkg/agent/application/fleet_decorator.go b/x-pack/elastic-agent/pkg/agent/application/fleet_decorator.go index ebb676cb2cd..6402b89e742 100644 --- a/x-pack/elastic-agent/pkg/agent/application/fleet_decorator.go +++ b/x-pack/elastic-agent/pkg/agent/application/fleet_decorator.go @@ -7,12 +7,14 @@ package application import ( "fmt" + "github.com/elastic/go-sysinfo/types" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" ) -func injectFleet(cfg *config.Config) func(*logger.Logger, *transpiler.AST) error { +func injectFleet(cfg *config.Config, hostInfo types.HostInfo) func(*logger.Logger, *transpiler.AST) error { return func(logger *logger.Logger, rootAst *transpiler.AST) error { config, err := cfg.ToMapStr() if err != nil { @@ -37,7 +39,11 @@ func injectFleet(cfg *config.Config) func(*logger.Logger, *transpiler.AST) error return fmt.Errorf("failed to get agent key from fleet config") } - fleet := transpiler.NewDict([]transpiler.Node{agent, token, kbn}) + host := transpiler.NewKey("host", transpiler.NewDict([]transpiler.Node{ + transpiler.NewKey("id", transpiler.NewStrVal(hostInfo.UniqueID)), + })) + + fleet := transpiler.NewDict([]transpiler.Node{agent, token, kbn, host}) err = transpiler.Insert(rootAst, fleet, "fleet") if err != nil { return err diff --git a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway.go b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway.go index e45c2f4ecc0..4bb9d2e6280 100644 --- a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway.go +++ b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway.go @@ -16,13 +16,15 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/scheduler" ) +const maxUnauthCounter int = 6 + // Default Configuration for the Fleet Gateway. var defaultGatewaySettings = &fleetGatewaySettings{ Duration: 1 * time.Second, // time between successful calls Jitter: 500 * time.Millisecond, // used as a jitter for duration Backoff: backoffSettings{ // time after a failed call - Init: 5 * time.Second, - Max: 60 * time.Second, + Init: 60 * time.Second, + Max: 10 * time.Minute, }, } @@ -59,18 +61,19 @@ type fleetAcker interface { // call the API to send the events and will receive actions to be executed locally. // The only supported action for now is a "ActionPolicyChange". type fleetGateway struct { - bgContext context.Context - log *logger.Logger - dispatcher dispatcher - client clienter - scheduler scheduler.Scheduler - backoff backoff.Backoff - settings *fleetGatewaySettings - agentInfo agentInfo - reporter fleetReporter - done chan struct{} - wg sync.WaitGroup - acker fleetAcker + bgContext context.Context + log *logger.Logger + dispatcher dispatcher + client clienter + scheduler scheduler.Scheduler + backoff backoff.Backoff + settings *fleetGatewaySettings + agentInfo agentInfo + reporter fleetReporter + done chan struct{} + wg sync.WaitGroup + acker fleetAcker + unauthCounter int } func newFleetGateway( @@ -203,6 +206,20 @@ func (f *fleetGateway) execute(ctx context.Context) (*fleetapi.CheckinResponse, } resp, err := cmd.Execute(ctx, req) + if isUnauth(err) { + f.unauthCounter++ + + if f.shouldUnroll() { + f.log.Warnf("retrieved unauthorized for '%d' times. Unrolling.", f.unauthCounter) + return &fleetapi.CheckinResponse{ + Actions: []fleetapi.Action{&fleetapi.ActionUnenroll{ActionID: "", ActionType: "UNENROLL", IsDetected: true}}, + }, nil + } + + return nil, err + } + + f.unauthCounter = 0 if err != nil { return nil, err } @@ -212,6 +229,14 @@ func (f *fleetGateway) execute(ctx context.Context) (*fleetapi.CheckinResponse, return resp, nil } +func (f *fleetGateway) shouldUnroll() bool { + return f.unauthCounter >= maxUnauthCounter +} + +func isUnauth(err error) bool { + return errors.Is(err, fleetapi.ErrInvalidAPIKey) +} + func (f *fleetGateway) Start() { f.wg.Add(1) go func(wg *sync.WaitGroup) { diff --git a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go index 61fd509d995..bd9037416dc 100644 --- a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go @@ -179,7 +179,7 @@ func TestFleetGateway(t *testing.T) { ) { received := ackSeq( client.Answer(func(headers http.Header, body io.Reader) (*http.Response, error) { - resp := wrapStrToResp(http.StatusOK, `{ "actions": [], "success": true }`) + resp := wrapStrToResp(http.StatusOK, `{ "actions": [] }`) return resp, nil }), dispatcher.Answer(func(actions ...action) error { @@ -220,8 +220,7 @@ func TestFleetGateway(t *testing.T) { "type": "ANOTHER_ACTION", "id": "id2" } - ], - "success": true + ] } `) return resp, nil @@ -265,7 +264,7 @@ func TestFleetGateway(t *testing.T) { for { received := ackSeq( client.Answer(func(headers http.Header, body io.Reader) (*http.Response, error) { - resp := wrapStrToResp(http.StatusOK, `{ "actions": [], "success": true }`) + resp := wrapStrToResp(http.StatusOK, `{ "actions": [] }`) return resp, nil }), dispatcher.Answer(func(actions ...action) error { @@ -305,7 +304,7 @@ func TestFleetGateway(t *testing.T) { require.Equal(t, 1, len(cr.Events)) - resp := wrapStrToResp(http.StatusOK, `{ "actions": [], "success": true }`) + resp := wrapStrToResp(http.StatusOK, `{ "actions": [] }`) return resp, nil }), dispatcher.Answer(func(actions ...action) error { @@ -358,7 +357,7 @@ func TestFleetGateway(t *testing.T) { // Make sure that all API calls to the checkin API are successfull, the following will happen: ch2 := client.Answer(func(headers http.Header, body io.Reader) (*http.Response, error) { - resp := wrapStrToResp(http.StatusOK, `{ "actions": [], "success": true }`) + resp := wrapStrToResp(http.StatusOK, `{ "actions": [] }`) return resp, nil }) @@ -424,7 +423,7 @@ func TestRetriesOnFailures(t *testing.T) { require.Equal(t, 1, len(cr.Events)) - resp := wrapStrToResp(http.StatusOK, `{ "actions": [], "success": true }`) + resp := wrapStrToResp(http.StatusOK, `{ "actions": [] }`) return resp, nil }), diff --git a/x-pack/elastic-agent/pkg/agent/application/global_config.go b/x-pack/elastic-agent/pkg/agent/application/global_config.go index 16d5f21639e..dd513ba0f17 100644 --- a/x-pack/elastic-agent/pkg/agent/application/global_config.go +++ b/x-pack/elastic-agent/pkg/agent/application/global_config.go @@ -26,8 +26,10 @@ func InjectAgentConfig(c *config.Config) error { func agentGlobalConfig() map[string]interface{} { return map[string]interface{}{ "path": map[string]interface{}{ - "data": paths.Data(), - "home": paths.Home(), + "data": paths.Data(), + "config": paths.Config(), + "home": paths.Home(), + "logs": paths.Logs(), }, } } diff --git a/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go b/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go index 996811260ef..34fd5716980 100644 --- a/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go +++ b/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go @@ -9,7 +9,6 @@ import ( "fmt" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" ) @@ -26,7 +25,7 @@ func (h *handlerConfigChange) Handle(ctx context.Context, a action, acker fleetA return fmt.Errorf("invalid type, expected ActionConfigChange and received %T", a) } - c, err := config.NewConfigFrom(action.Config) + c, err := LoadConfig(action.Config) if err != nil { return errors.New(err, "could not parse the configuration from the policy", errors.TypeConfig) } diff --git a/x-pack/elastic-agent/pkg/agent/application/handler_action_unenroll.go b/x-pack/elastic-agent/pkg/agent/application/handler_action_unenroll.go index 5ef04947be9..da33f2001ff 100644 --- a/x-pack/elastic-agent/pkg/agent/application/handler_action_unenroll.go +++ b/x-pack/elastic-agent/pkg/agent/application/handler_action_unenroll.go @@ -16,10 +16,11 @@ import ( // After running Unenroll agent is in idle state, non managed non standalone. // For it to be operational again it needs to be either enrolled or reconfigured. type handlerUnenroll struct { - log *logger.Logger - emitter emitterFunc - dispatcher programsDispatcher - closers []context.CancelFunc + log *logger.Logger + emitter emitterFunc + dispatcher programsDispatcher + closers []context.CancelFunc + actionStore *actionStore } func (h *handlerUnenroll) Handle(ctx context.Context, a action, acker fleetAcker) error { @@ -33,13 +34,20 @@ func (h *handlerUnenroll) Handle(ctx context.Context, a action, acker fleetAcker noPrograms := make(map[routingKey][]program.Program) h.dispatcher.Dispatch(a.ID(), noPrograms) - if err := acker.Ack(ctx, action); err != nil { - return err - } - - // commit all acks before quitting. - if err := acker.Commit(ctx); err != nil { - return err + if !action.IsDetected { + // ACK only events comming from fleet + if err := acker.Ack(ctx, action); err != nil { + return err + } + + // commit all acks before quitting. + if err := acker.Commit(ctx); err != nil { + return err + } + } else if h.actionStore != nil { + // backup action for future start to avoid starting fleet gateway loop + h.actionStore.Add(a) + h.actionStore.Save() } // close fleet gateway loop @@ -47,10 +55,5 @@ func (h *handlerUnenroll) Handle(ctx context.Context, a action, acker fleetAcker c() } - // clean action store - // if err := os.Remove(info.AgentActionStoreFile()); err != nil && !os.IsNotExist(err) { - // return errors.New(err, "failed to clear action store") - // } - return nil } diff --git a/x-pack/elastic-agent/pkg/agent/application/handler_action_upgrade.go b/x-pack/elastic-agent/pkg/agent/application/handler_action_upgrade.go new file mode 100644 index 00000000000..4d0026d4d79 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/handler_action_upgrade.go @@ -0,0 +1,31 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package application + +import ( + "context" + "fmt" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/upgrade" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" +) + +// After running Upgrade agent should download its own version specified by action +// from repository specified by fleet. +type handlerUpgrade struct { + log *logger.Logger + upgrader *upgrade.Upgrader +} + +func (h *handlerUpgrade) Handle(ctx context.Context, a action, acker fleetAcker) error { + h.log.Debugf("handlerUpgrade: action '%+v' received", a) + action, ok := a.(*fleetapi.ActionUpgrade) + if !ok { + return fmt.Errorf("invalid type, expected ActionUpgrade and received %T", a) + } + + return h.upgrader.Upgrade(ctx, action) +} diff --git a/x-pack/elastic-agent/pkg/agent/application/info/agent_id.go b/x-pack/elastic-agent/pkg/agent/application/info/agent_id.go index fa55c264ba5..a93483ca1cd 100644 --- a/x-pack/elastic-agent/pkg/agent/application/info/agent_id.go +++ b/x-pack/elastic-agent/pkg/agent/application/info/agent_id.go @@ -37,7 +37,7 @@ type ioStore interface { // AgentConfigFile is a name of file used to store agent information func AgentConfigFile() string { - return filepath.Join(paths.Home(), defaultAgentConfigFile) + return filepath.Join(paths.Config(), defaultAgentConfigFile) } // AgentActionStoreFile is the file that will contains the action that can be replayed after restart. @@ -86,6 +86,7 @@ func getInfoFromStore(s ioStore) (*persistentAgentInfo, error) { return nil, err } + // reader is closed by this function cfg, err := config.NewConfigFrom(reader) if err != nil { return nil, errors.New(err, @@ -94,10 +95,6 @@ func getInfoFromStore(s ioStore) (*persistentAgentInfo, error) { errors.M(errors.MetaKeyPath, agentConfigFile)) } - if err := reader.Close(); err != nil { - return nil, err - } - configMap, err := cfg.ToMapStr() if err != nil { return nil, errors.New(err, @@ -130,6 +127,7 @@ func updateAgentInfo(s ioStore, agentInfo *persistentAgentInfo) error { return err } + // reader is closed by this function cfg, err := config.NewConfigFrom(reader) if err != nil { return errors.New(err, fmt.Sprintf("fail to read configuration %s for the agent", agentConfigFile), @@ -137,10 +135,6 @@ func updateAgentInfo(s ioStore, agentInfo *persistentAgentInfo) error { errors.M(errors.MetaKeyPath, agentConfigFile)) } - if err := reader.Close(); err != nil { - return err - } - configMap := make(map[string]interface{}) if err := cfg.Unpack(&configMap); err != nil { return errors.New(err, "failed to unpack stored config to map") diff --git a/x-pack/elastic-agent/pkg/agent/application/introspect_config_cmd.go b/x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go similarity index 84% rename from x-pack/elastic-agent/pkg/agent/application/introspect_config_cmd.go rename to x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go index 80a21133e08..2c53fc62bf2 100644 --- a/x-pack/elastic-agent/pkg/agent/application/introspect_config_cmd.go +++ b/x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go @@ -17,25 +17,25 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" ) -// IntrospectConfigCmd is an introspect subcommand that shows configurations of the agent. -type IntrospectConfigCmd struct { +// InspectConfigCmd is an inspect subcommand that shows configurations of the agent. +type InspectConfigCmd struct { cfgPath string } -// NewIntrospectConfigCmd creates a new introspect command. -func NewIntrospectConfigCmd(configPath string, -) (*IntrospectConfigCmd, error) { - return &IntrospectConfigCmd{ +// NewInspectConfigCmd creates a new inspect command. +func NewInspectConfigCmd(configPath string, +) (*InspectConfigCmd, error) { + return &InspectConfigCmd{ cfgPath: configPath, }, nil } -// Execute introspects agent configuration. -func (c *IntrospectConfigCmd) Execute() error { - return c.introspectConfig() +// Execute inspects agent configuration. +func (c *InspectConfigCmd) Execute() error { + return c.inspectConfig() } -func (c *IntrospectConfigCmd) introspectConfig() error { +func (c *InspectConfigCmd) inspectConfig() error { rawConfig, err := loadConfig(c.cfgPath) if err != nil { return err @@ -61,7 +61,7 @@ func (c *IntrospectConfigCmd) introspectConfig() error { } func loadConfig(configPath string) (*config.Config, error) { - rawConfig, err := config.LoadYAML(configPath) + rawConfig, err := LoadConfigFromFile(configPath) if err != nil { return nil, err } diff --git a/x-pack/elastic-agent/pkg/agent/application/introspect_output_cmd.go b/x-pack/elastic-agent/pkg/agent/application/inspect_output_cmd.go similarity index 71% rename from x-pack/elastic-agent/pkg/agent/application/introspect_output_cmd.go rename to x-pack/elastic-agent/pkg/agent/application/inspect_output_cmd.go index 25a9c744922..8f648887d10 100644 --- a/x-pack/elastic-agent/pkg/agent/application/introspect_output_cmd.go +++ b/x-pack/elastic-agent/pkg/agent/application/inspect_output_cmd.go @@ -5,27 +5,30 @@ package application import ( + "context" "fmt" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" + "github.com/elastic/beats/v7/libbeat/logp" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/filters" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/monitoring/noop" ) -// IntrospectOutputCmd is an introspect subcommand that shows configurations of the agent. -type IntrospectOutputCmd struct { +// InspectOutputCmd is an inspect subcommand that shows configurations of the agent. +type InspectOutputCmd struct { cfgPath string output string program string } -// NewIntrospectOutputCmd creates a new introspect command. -func NewIntrospectOutputCmd(configPath, output, program string) (*IntrospectOutputCmd, error) { - return &IntrospectOutputCmd{ +// NewInspectOutputCmd creates a new inspect command. +func NewInspectOutputCmd(configPath, output, program string) (*InspectOutputCmd, error) { + return &InspectOutputCmd{ cfgPath: configPath, output: output, program: program, @@ -33,15 +36,15 @@ func NewIntrospectOutputCmd(configPath, output, program string) (*IntrospectOutp } // Execute tries to enroll the agent into Fleet. -func (c *IntrospectOutputCmd) Execute() error { +func (c *InspectOutputCmd) Execute() error { if c.output == "" { - return c.introspectOutputs() + return c.inspectOutputs() } - return c.introspectOutput() + return c.inspectOutput() } -func (c *IntrospectOutputCmd) introspectOutputs() error { +func (c *InspectOutputCmd) inspectOutputs() error { rawConfig, err := loadConfig(c.cfgPath) if err != nil { return err @@ -94,7 +97,7 @@ func listOutputsFromMap(log *logger.Logger, cfg map[string]interface{}) error { return listOutputsFromConfig(log, c) } -func (c *IntrospectOutputCmd) introspectOutput() error { +func (c *InspectOutputCmd) inspectOutput() error { rawConfig, err := loadConfig(c.cfgPath) if err != nil { return err @@ -149,7 +152,7 @@ func printOutputFromConfig(log *logger.Logger, output, programName string, cfg * } if !programFound { - return fmt.Errorf("program '%s' is not recognized within output '%s', try running `elastic-agent introspect output` to find available outputs", + return fmt.Errorf("program '%s' is not recognized within output '%s', try running `elastic-agent inspect output` to find available outputs", programName, output) } @@ -157,7 +160,7 @@ func printOutputFromConfig(log *logger.Logger, output, programName string, cfg * return nil } - return fmt.Errorf("output '%s' is not recognized, try running `elastic-agent introspect output` to find available outputs", output) + return fmt.Errorf("output '%s' is not recognized, try running `elastic-agent inspect output` to find available outputs", output) } @@ -173,19 +176,31 @@ func printOutputFromMap(log *logger.Logger, output, programName string, cfg map[ func getProgramsFromConfig(log *logger.Logger, cfg *config.Config) (map[string][]program.Program, error) { monitor := noop.NewMonitor() router := &inmemRouter{} - emit := emitter( + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + composableCtrl, err := composable.New(log, cfg) + if err != nil { + return nil, err + } + composableWaiter := newWaitForCompose(composableCtrl) + emit, err := emitter( + ctx, log, + composableWaiter, router, &configModifiers{ Decorators: []decoratorFunc{injectMonitoring}, - Filters: []filterFunc{filters.ConstraintFilter}, }, monitor, ) + if err != nil { + return nil, err + } if err := emit(cfg); err != nil { return nil, err } + composableWaiter.Wait() return router.programs, nil } @@ -201,3 +216,27 @@ func (r *inmemRouter) Dispatch(id string, grpProg map[routingKey][]program.Progr func newErrorLogger() (*logger.Logger, error) { return logger.NewWithLogpLevel("", logp.ErrorLevel) } + +type waitForCompose struct { + controller composable.Controller + done chan bool +} + +func newWaitForCompose(wrapped composable.Controller) *waitForCompose { + return &waitForCompose{ + controller: wrapped, + done: make(chan bool), + } +} + +func (w *waitForCompose) Run(ctx context.Context, cb composable.VarsCallback) error { + err := w.controller.Run(ctx, func(vars []*transpiler.Vars) { + cb(vars) + w.done <- true + }) + return err +} + +func (w *waitForCompose) Wait() { + <-w.done +} diff --git a/x-pack/elastic-agent/pkg/agent/application/lazy_acker_test.go b/x-pack/elastic-agent/pkg/agent/application/lazy_acker_test.go index aa48e9bd949..24c708c0d91 100644 --- a/x-pack/elastic-agent/pkg/agent/application/lazy_acker_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/lazy_acker_test.go @@ -64,7 +64,7 @@ func TestLazyAcker(t *testing.T) { assert.EqualValues(t, 1, len(cr.Events)) } - resp := wrapStrToResp(http.StatusOK, `{ "actions": [], "success": true }`) + resp := wrapStrToResp(http.StatusOK, `{ "actions": [] }`) return resp, nil }) diff --git a/x-pack/elastic-agent/pkg/agent/application/local_mode.go b/x-pack/elastic-agent/pkg/agent/application/local_mode.go index df89b97bb96..5559089404e 100644 --- a/x-pack/elastic-agent/pkg/agent/application/local_mode.go +++ b/x-pack/elastic-agent/pkg/agent/application/local_mode.go @@ -13,6 +13,7 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/monitoring" @@ -102,16 +103,26 @@ func newLocal( } localApplication.router = router + composableCtrl, err := composable.New(log, rawConfig) + if err != nil { + return nil, errors.New(err, "failed to initialize composable controller") + } + discover := discoverer(pathConfigFile, cfg.Settings.Path) - emit := emitter( + emit, err := emitter( + localApplication.bgContext, log, + composableCtrl, router, &configModifiers{ Decorators: []decoratorFunc{injectMonitoring}, - Filters: []filterFunc{filters.StreamChecker, filters.ConstraintFilter}, + Filters: []filterFunc{filters.StreamChecker}, }, monitor, ) + if err != nil { + return nil, err + } var cfgSource source if !cfg.Settings.Reload.Enabled { diff --git a/x-pack/elastic-agent/pkg/agent/application/managed_mode.go b/x-pack/elastic-agent/pkg/agent/application/managed_mode.go index d035f65479f..a4e4bf92379 100644 --- a/x-pack/elastic-agent/pkg/agent/application/managed_mode.go +++ b/x-pack/elastic-agent/pkg/agent/application/managed_mode.go @@ -11,12 +11,16 @@ import ( "net/http" "net/url" + "github.com/elastic/go-sysinfo" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/filters" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/upgrade" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/storage" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/monitoring" @@ -50,12 +54,14 @@ type Managed struct { router *router srv *server.Server as *actionStore + upgrader *upgrade.Upgrader } func newManaged( ctx context.Context, log *logger.Logger, rawConfig *config.Config, + reexec reexecManager, ) (*Managed, error) { agentInfo, err := info.NewAgentInfo() if err != nil { @@ -81,9 +87,15 @@ func newManaged( } // merge local configuration and configuration persisted from fleet. - rawConfig.Merge(config) + err = rawConfig.Merge(config) + if err != nil { + return nil, errors.New(err, + fmt.Sprintf("fail to merge configuration with %s for the elastic-agent", path), + errors.TypeConfig, + errors.M(errors.MetaKeyPath, path)) + } - cfg, err := configuration.NewFromConfig(config) + cfg, err := configuration.NewFromConfig(rawConfig) if err != nil { return nil, errors.New(err, fmt.Sprintf("fail to unpack configuration from %s", path), @@ -106,6 +118,13 @@ func newManaged( errors.M(errors.MetaKeyURI, cfg.Fleet.Kibana.Host)) } + sysInfo, err := sysinfo.Host() + if err != nil { + return nil, errors.New(err, + "fail to get system information", + errors.TypeUnexpected) + } + managedApplication := &Managed{ log: log, agentInfo: agentInfo, @@ -141,15 +160,25 @@ func newManaged( } managedApplication.router = router - emit := emitter( + composableCtrl, err := composable.New(log, rawConfig) + if err != nil { + return nil, errors.New(err, "failed to initialize composable controller") + } + + emit, err := emitter( + managedApplication.bgContext, log, + composableCtrl, router, &configModifiers{ Decorators: []decoratorFunc{injectMonitoring}, - Filters: []filterFunc{filters.StreamChecker, injectFleet(config), filters.ConstraintFilter}, + Filters: []filterFunc{filters.StreamChecker, injectFleet(config, sysInfo.Info())}, }, monitor, ) + if err != nil { + return nil, err + } acker, err := newActionAcker(log, agentInfo, client) if err != nil { return nil, err @@ -170,6 +199,13 @@ func newManaged( return nil, err } + managedApplication.upgrader = upgrade.NewUpgrader( + cfg.Settings.DownloadConfig, + log, + []context.CancelFunc{managedApplication.cancelCtxFn}, + reexec, + acker) + actionDispatcher.MustRegister( &fleetapi.ActionConfigChange{}, &handlerConfigChange{ @@ -181,10 +217,19 @@ func newManaged( actionDispatcher.MustRegister( &fleetapi.ActionUnenroll{}, &handlerUnenroll{ - log: log, - emitter: emit, - dispatcher: router, - closers: []context.CancelFunc{managedApplication.cancelCtxFn}, + log: log, + emitter: emit, + dispatcher: router, + closers: []context.CancelFunc{managedApplication.cancelCtxFn}, + actionStore: actionStore, + }, + ) + + actionDispatcher.MustRegister( + &fleetapi.ActionUpgrade{}, + &handlerUpgrade{ + upgrader: managedApplication.upgrader, + log: log, }, ) @@ -229,6 +274,10 @@ func (m *Managed) Start() error { return nil } + if err := m.upgrader.Ack(m.bgContext); err != nil { + m.log.Warnf("failed to ack update %v", err) + } + m.gateway.Start() return nil } diff --git a/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go b/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go index b9e4e4b5f3c..9b51016a126 100644 --- a/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go @@ -10,9 +10,10 @@ import ( "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/filters" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configrequest" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" ) @@ -26,12 +27,17 @@ func TestManagedModeRouting(t *testing.T) { return m, nil } + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + log, _ := logger.New("") router, _ := newRouter(log, streamFn) - emit := emitter(log, router, &configModifiers{Decorators: []decoratorFunc{injectMonitoring}, Filters: []filterFunc{filters.ConstraintFilter}}) + composableCtrl, _ := composable.New(log, nil) + emit, err := emitter(ctx, log, composableCtrl, router, &configModifiers{Decorators: []decoratorFunc{injectMonitoring}}) + require.NoError(t, err) - actionDispatcher, err := newActionDispatcher(context.Background(), log, &handlerDefault{log: log}) - assert.NoError(t, err) + actionDispatcher, err := newActionDispatcher(ctx, log, &handlerDefault{log: log}) + require.NoError(t, err) actionDispatcher.MustRegister( &fleetapi.ActionConfigChange{}, @@ -42,10 +48,10 @@ func TestManagedModeRouting(t *testing.T) { ) actions, err := testActions() - assert.NoError(t, err) + require.NoError(t, err) err = actionDispatcher.Dispatch(newNoopAcker(), actions...) - assert.NoError(t, err) + require.NoError(t, err) // has 1 config request for fb, mb and monitoring? assert.Equal(t, 1, len(streams)) @@ -92,7 +98,6 @@ func (m *mockStreamStore) Shutdown() {} const fleetResponse = ` { "action": "checkin", - "success": true, "actions": [{ "agent_id": "17e93530-7f42-11ea-9330-71e968b29fa4", "type": "CONFIG_CHANGE", @@ -115,7 +120,7 @@ const fleetResponse = ` "streams": [{ "id": "system/metrics-system.core", "enabled": true, - "dataset.name": "system.core", + "data_stream.dataset": "system.core", "period": "10s", "metrics": [ "percentages" @@ -124,7 +129,7 @@ const fleetResponse = ` { "id": "system/metrics-system.cpu", "enabled": true, - "dataset.name": "system.cpu", + "data_stream.dataset": "system.cpu", "period": "10s", "metrics": [ "percentages", @@ -134,59 +139,59 @@ const fleetResponse = ` { "id": "system/metrics-system.diskio", "enabled": true, - "dataset.name": "system.diskio", + "data_stream.dataset": "system.diskio", "period": "10s", "include_devices": [] }, { "id": "system/metrics-system.entropy", "enabled": true, - "dataset.name": "system.entropy", + "data_stream.dataset": "system.entropy", "period": "10s", "include_devices": [] }, { "id": "system/metrics-system.filesystem", "enabled": true, - "dataset.name": "system.filesystem", + "data_stream.dataset": "system.filesystem", "period": "1m", "ignore_types": [] }, { "id": "system/metrics-system.fsstat", "enabled": true, - "dataset.name": "system.fsstat", + "data_stream.dataset": "system.fsstat", "period": "1m", "ignore_types": [] }, { "id": "system/metrics-system.load", "enabled": true, - "dataset.name": "system.load", + "data_stream.dataset": "system.load", "period": "10s" }, { "id": "system/metrics-system.memory", "enabled": true, - "dataset.name": "system.memory", + "data_stream.dataset": "system.memory", "period": "10s" }, { "id": "system/metrics-system.network", "enabled": true, - "dataset.name": "system.network", + "data_stream.dataset": "system.network", "period": "10s" }, { "id": "system/metrics-system.network_summary", "enabled": true, - "dataset.name": "system.network_summary", + "data_stream.dataset": "system.network_summary", "period": "10s" }, { "id": "system/metrics-system.process", "enabled": true, - "dataset.name": "system.process", + "data_stream.dataset": "system.process", "period": "10s", "processes": [ ".*" @@ -202,39 +207,39 @@ const fleetResponse = ` { "id": "system/metrics-system.process_summary", "enabled": true, - "dataset.name": "system.process_summary", + "data_stream.dataset": "system.process_summary", "period": "10s" }, { "id": "system/metrics-system.raid", "enabled": true, - "dataset.name": "system.raid", + "data_stream.dataset": "system.raid", "period": "10s", "mount_point": "/" }, { "id": "system/metrics-system.service", "enabled": true, - "dataset.name": "system.service", + "data_stream.dataset": "system.service", "period": "10s", "state_filter": [] }, { "id": "system/metrics-system.socket_summary", "enabled": true, - "dataset.name": "system.socket_summary", + "data_stream.dataset": "system.socket_summary", "period": "10s" }, { "id": "system/metrics-system.uptime", "enabled": true, - "dataset.name": "system.uptime", + "data_stream.dataset": "system.uptime", "period": "15m" }, { "id": "system/metrics-system.users", "enabled": true, - "dataset.name": "system.users", + "data_stream.dataset": "system.users", "period": "10s" } ] @@ -245,7 +250,7 @@ const fleetResponse = ` "streams": [{ "id": "logs-system.auth", "enabled": true, - "dataset.name": "system.auth", + "data_stream.dataset": "system.auth", "paths": [ "/var/log/auth.log*", "/var/log/secure*" @@ -254,7 +259,7 @@ const fleetResponse = ` { "id": "logs-system.syslog", "enabled": true, - "dataset.name": "system.syslog", + "data_stream.dataset": "system.syslog", "paths": [ "/var/log/messages*", "/var/log/syslog*" diff --git a/x-pack/elastic-agent/pkg/agent/application/paths/paths.go b/x-pack/elastic-agent/pkg/agent/application/paths/paths.go index a45000b40ae..48544ec7593 100644 --- a/x-pack/elastic-agent/pkg/agent/application/paths/paths.go +++ b/x-pack/elastic-agent/pkg/agent/application/paths/paths.go @@ -8,38 +8,119 @@ import ( "flag" "os" "path/filepath" + "runtime" + "sync" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" ) var ( - homePath string - dataPath string + homePath string + configPath string + dataPath string + logsPath string + serviceName string + + overridesLoader sync.Once ) func init() { - exePath := retrieveExecutablePath() + initialHome := initialHome() fs := flag.CommandLine - fs.StringVar(&homePath, "path.home", exePath, "Agent root path") - fs.StringVar(&dataPath, "path.data", filepath.Join(exePath, "data"), "Data path contains Agent managed binaries") + fs.StringVar(&homePath, "path.home", initialHome, "Agent root path") + fs.StringVar(&configPath, "path.config", initialHome, "Config path is the directory Agent looks for its config file") + fs.StringVar(&dataPath, "path.data", filepath.Join(initialHome, "data"), "Data path contains Agent managed binaries") + fs.StringVar(&logsPath, "path.logs", initialHome, "Logs path contains Agent log output") +} + +// UpdatePaths update paths based on changes in paths file. +func UpdatePaths() { + getOverrides() +} + +func getOverrides() { + type paths struct { + HomePath string `config:"path.home" yaml:"path.home"` + ConfigPath string `config:"path.config" yaml:"path.config"` + DataPath string `config:"path.data" yaml:"path.data"` + LogsPath string `config:"path.logs" yaml:"path.logs"` + ServiceName string `config:"path.service_name" yaml:"path.service_name"` + } + + defaults := &paths{ + HomePath: homePath, + ConfigPath: configPath, + DataPath: dataPath, + LogsPath: logsPath, + } + + pathsFile := filepath.Join(dataPath, "paths.yml") + rawConfig, err := config.LoadYAML(pathsFile) + if err != nil { + return + } + + rawConfig.Unpack(defaults) + homePath = defaults.HomePath + configPath = defaults.ConfigPath + dataPath = defaults.DataPath + logsPath = defaults.LogsPath + serviceName = defaults.ServiceName +} + +// ServiceName return predefined service name if defined by initial call. +func ServiceName() string { + // needs to do this at this place because otherwise it will + // get overwritten by flags behavior. + overridesLoader.Do(getOverrides) + return serviceName } // Home returns a directory where binary lives // Executable is not supported on nacl. func Home() string { + overridesLoader.Do(getOverrides) return homePath } -// Data returns a home directory of current user +// Config returns a directory where configuration file lives +func Config() string { + overridesLoader.Do(getOverrides) + return configPath +} + +// Data returns the data directory for Agent func Data() string { + overridesLoader.Do(getOverrides) return dataPath } -func retrieveExecutablePath() string { +// Logs returns a the log directory for Agent +func Logs() string { + overridesLoader.Do(getOverrides) + return logsPath +} +func retrieveExecutablePath() string { execPath, err := os.Executable() if err != nil { panic(err) } - return filepath.Dir(execPath) + evalPath, err := filepath.EvalSymlinks(execPath) + if err != nil { + panic(err) + } + + return filepath.Dir(evalPath) +} + +func initialHome() string { + exePath := retrieveExecutablePath() + if runtime.GOOS == "windows" { + return exePath + } + + return filepath.Dir(filepath.Dir(exePath)) // is two level up the executable (symlink evaluated) } diff --git a/x-pack/elastic-agent/pkg/agent/application/reexec/manager.go b/x-pack/elastic-agent/pkg/agent/application/reexec/manager.go new file mode 100644 index 00000000000..b21bb9b8c46 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/reexec/manager.go @@ -0,0 +1,66 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package reexec + +import ( + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" +) + +// ExecManager is the interface that the global reexec manager implements. +type ExecManager interface { + // ReExec asynchronously re-executes command in the same PID and memory address + // as the currently running application. + ReExec(argOverrides ...string) + + // ShutdownChan returns the shutdown channel the main function should use to + // handle shutdown of the current running application. + ShutdownChan() <-chan bool + + // ShutdownComplete gets called from the main function once ShutdownChan channel + // has been closed and the running application has completely shutdown. + ShutdownComplete() +} + +type manager struct { + logger *logger.Logger + exec string + trigger chan bool + shutdown chan bool + complete chan bool +} + +// NewManager returns the reexec manager. +func NewManager(log *logger.Logger, exec string) ExecManager { + return &manager{ + logger: log, + exec: exec, + trigger: make(chan bool), + shutdown: make(chan bool), + complete: make(chan bool), + } +} + +func (m *manager) ReExec(argOverrides ...string) { + go func() { + close(m.trigger) + <-m.shutdown + + if err := reexec(m.logger, m.exec, argOverrides...); err != nil { + // panic; because there is no going back, everything is shutdown + panic(err) + } + + close(m.complete) + }() +} + +func (m *manager) ShutdownChan() <-chan bool { + return m.trigger +} + +func (m *manager) ShutdownComplete() { + close(m.shutdown) + <-m.complete +} diff --git a/x-pack/elastic-agent/pkg/agent/application/reexec/reexec.go b/x-pack/elastic-agent/pkg/agent/application/reexec/reexec.go new file mode 100644 index 00000000000..9265ba15266 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/reexec/reexec.go @@ -0,0 +1,26 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !windows + +package reexec + +import ( + "os" + "path/filepath" + + "golang.org/x/sys/unix" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" +) + +func reexec(log *logger.Logger, executable string, argOverrides ...string) error { + // force log sync, before re-exec + _ = log.Sync() + + args := []string{filepath.Base(executable)} + args = append(args, os.Args[1:]...) + args = append(args, argOverrides...) + return unix.Exec(executable, args, os.Environ()) +} diff --git a/x-pack/elastic-agent/pkg/agent/application/reexec/reexec_windows.go b/x-pack/elastic-agent/pkg/agent/application/reexec/reexec_windows.go new file mode 100644 index 00000000000..7f2f3230dc5 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/reexec/reexec_windows.go @@ -0,0 +1,97 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build windows + +package reexec + +import ( + "fmt" + "os" + "os/exec" + "path/filepath" + "strconv" + + "golang.org/x/sys/windows/svc" + "golang.org/x/sys/windows/svc/mgr" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" +) + +// exec performs execution on Windows. +// +// Windows does not support the ability to execute over the same PID and memory. Depending on the execution context +// different scenarios need to occur. +// +// * Services.msc - A new child process is spawned that waits for the service to stop, then restarts it and the +// current process just exits. +// +// * Sub-process - As a sub-process a new child is spawned and the current process just exits. +func reexec(log *logger.Logger, executable string, argOverrides ...string) error { + svc, status, err := getService() + if err == nil { + // running as a service; spawn re-exec windows sub-process + log.Infof("Running as Windows service %s; triggering service restart", svc.Name) + args := []string{filepath.Base(executable), "reexec_windows", svc.Name, strconv.Itoa(int(status.ProcessId))} + args = append(args, argOverrides...) + cmd := exec.Cmd{ + Path: executable, + Args: args, + Stdin: os.Stdin, + Stdout: os.Stdout, + Stderr: os.Stderr, + } + if err := cmd.Start(); err != nil { + return err + } + } else { + log.Debugf("Discovering Windows service result: %s", err) + + // running as a sub-process of another process; just execute as a child + log.Infof("Running as Windows process; spawning new child process") + args := []string{filepath.Base(executable)} + args = append(args, os.Args[1:]...) + args = append(args, argOverrides...) + cmd := exec.Cmd{ + Path: executable, + Args: args, + Stdin: os.Stdin, + Stdout: os.Stdout, + Stderr: os.Stderr, + } + if err := cmd.Start(); err != nil { + return err + } + } + // force log sync before exit + _ = log.Sync() + return nil +} + +func getService() (*mgr.Service, svc.Status, error) { + pid := uint32(os.Getpid()) + manager, err := mgr.Connect() + if err != nil { + return nil, svc.Status{}, err + } + names, err := manager.ListServices() + if err != nil { + return nil, svc.Status{}, err + } + for _, name := range names { + service, err := manager.OpenService(name) + if err != nil { + continue + } + status, err := service.Query() + if err != nil { + continue + } + if status.ProcessId == pid { + // pid match; found ourself + return service, status, nil + } + } + return nil, svc.Status{}, fmt.Errorf("failed to find service") +} diff --git a/x-pack/elastic-agent/pkg/agent/application/stream.go b/x-pack/elastic-agent/pkg/agent/application/stream.go index ee2b1f2d019..41999fcb832 100644 --- a/x-pack/elastic-agent/pkg/agent/application/stream.go +++ b/x-pack/elastic-agent/pkg/agent/application/stream.go @@ -19,6 +19,7 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/monitoring" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/server" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" ) type operatorStream struct { @@ -56,7 +57,8 @@ func streamFactory(ctx context.Context, cfg *configuration.SettingsConfig, srv * func newOperator(ctx context.Context, log *logger.Logger, id routingKey, config *configuration.SettingsConfig, srv *server.Server, r state.Reporter, m monitoring.Monitor) (*operation.Operator, error) { fetcher := downloader.NewDownloader(log, config.DownloadConfig) - verifier, err := downloader.NewVerifier(log, config.DownloadConfig) + allowEmptyPgp, pgp := release.PGP() + verifier, err := downloader.NewVerifier(log, config.DownloadConfig, allowEmptyPgp, pgp) if err != nil { return nil, errors.New(err, "initiating verifier") } diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_download.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_download.go new file mode 100644 index 00000000000..28e93949fbf --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_download.go @@ -0,0 +1,43 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package upgrade + +import ( + "context" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + downloader "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/download/localremote" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" +) + +func (u *Upgrader) downloadArtifact(ctx context.Context, version, sourceURI string) (string, error) { + // do not update source config + settings := *u.settings + if sourceURI != "" { + settings.SourceURI = sourceURI + } + + allowEmptyPgp, pgp := release.PGP() + verifier, err := downloader.NewVerifier(u.log, &settings, allowEmptyPgp, pgp) + if err != nil { + return "", errors.New(err, "initiating verifier") + } + + fetcher := downloader.NewDownloader(u.log, &settings) + path, err := fetcher.Download(ctx, agentName, agentArtifactName, version) + if err != nil { + return "", errors.New(err, "failed upgrade of agent binary") + } + + matches, err := verifier.Verify(agentName, version) + if err != nil { + return "", errors.New(err, "failed verification of agent binary") + } + if !matches { + return "", errors.New("failed verification of agent binary, hash does not match", errors.TypeSecurity) + } + + return path, nil +} diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_mark.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_mark.go new file mode 100644 index 00000000000..0d8253bb9ca --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_mark.go @@ -0,0 +1,123 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package upgrade + +import ( + "context" + "fmt" + "io/ioutil" + "os" + "path/filepath" + "runtime" + "time" + + "gopkg.in/yaml.v2" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" +) + +const markerFilename = ".update-marker" + +type updateMarker struct { + // Hash agent is updated to + Hash string `json:"hash" yaml:"hash"` + //UpdatedOn marks a date when update happened + UpdatedOn time.Time `json:"updated_on" yaml:"updated_on"` + + // PrevVersion is a version agent is updated from + PrevVersion string `json:"prev_version" yaml:"prev_version"` + // PrevHash is a hash agent is updated from + PrevHash string `json:"prev_hash" yaml:"prev_hash"` + + // Acked is a flag marking whether or not action was acked + Acked bool `json:"acked" yaml:"acked"` + Action *fleetapi.ActionUpgrade `json:"action" yaml:"action"` +} + +// markUpgrade marks update happened so we can handle grace period +func (h *Upgrader) markUpgrade(ctx context.Context, hash string, action *fleetapi.ActionUpgrade) error { + if err := updateHomePath(hash); err != nil { + return err + } + + prevVersion := release.Version() + prevHash := release.Commit() + if len(prevHash) > hashLen { + prevHash = prevHash[:hashLen] + } + + marker := updateMarker{ + Hash: hash, + UpdatedOn: time.Now(), + PrevVersion: prevVersion, + PrevHash: prevHash, + Action: action, + } + + markerBytes, err := yaml.Marshal(marker) + if err != nil { + return errors.New(err, errors.TypeConfig, "failed to parse marker file") + } + + markerPath := filepath.Join(paths.Data(), markerFilename) + if err := ioutil.WriteFile(markerPath, markerBytes, 0600); err != nil { + return errors.New(err, errors.TypeFilesystem, "failed to create update marker file", errors.M(errors.MetaKeyPath, markerPath)) + } + + activeCommitPath := filepath.Join(paths.Config(), agentCommitFile) + if err := ioutil.WriteFile(activeCommitPath, []byte(hash), 0644); err != nil { + return errors.New(err, errors.TypeFilesystem, "failed to update active commit", errors.M(errors.MetaKeyPath, activeCommitPath)) + } + + return nil +} + +func updateHomePath(hash string) error { + if err := createPathsSymlink(hash); err != nil { + return errors.New(err, errors.TypeFilesystem, "failed to create paths symlink") + } + + pathsMap := make(map[string]string) + pathsFilepath := filepath.Join(paths.Data(), "paths.yml") + + pathsBytes, err := ioutil.ReadFile(pathsFilepath) + if err != nil { + return errors.New(err, errors.TypeConfig, "failed to read paths file") + } + + if err := yaml.Unmarshal(pathsBytes, &pathsMap); err != nil { + return errors.New(err, errors.TypeConfig, "failed to parse paths file") + } + + pathsMap["path.home"] = filepath.Join(filepath.Dir(paths.Home()), fmt.Sprintf("%s-%s", agentName, hash)) + + pathsBytes, err = yaml.Marshal(pathsMap) + if err != nil { + return errors.New(err, errors.TypeConfig, "failed to marshal paths file") + } + + return ioutil.WriteFile(pathsFilepath, pathsBytes, 0740) +} + +func createPathsSymlink(hash string) error { + // only on windows, as windows resolves PWD using symlinks in a different way. + // we create symlink for each versioned agent inside `data/` directory + // on other systems path is shared + if runtime.GOOS != "windows" { + return nil + } + + dir := filepath.Join(paths.Data(), fmt.Sprintf("%s-%s", agentName, hash)) + versionedPath := filepath.Join(dir, "data", "paths.yml") + if err := os.MkdirAll(filepath.Dir(versionedPath), 0700); err != nil { + return err + } + + pathsCfgPath := filepath.Join(paths.Data(), "paths.yml") + return os.Symlink(pathsCfgPath, versionedPath) +} diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_relink.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_relink.go new file mode 100644 index 00000000000..48d22de36cf --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_relink.go @@ -0,0 +1,42 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package upgrade + +import ( + "context" + "fmt" + "os" + "path/filepath" + "runtime" + + "github.com/elastic/beats/v7/libbeat/common/file" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" +) + +// changeSymlink changes root symlink so it points to updated version +func (u *Upgrader) changeSymlink(ctx context.Context, newHash string) error { + // create symlink to elastic-agent-{hash} + hashedDir := fmt.Sprintf("%s-%s", agentName, newHash) + + agentBakName := agentName + ".bak" + symlinkPath := filepath.Join(paths.Config(), agentName) + newPath := filepath.Join(paths.Data(), hashedDir, agentName) + + // handle windows suffixes + if runtime.GOOS == "windows" { + agentBakName = agentName + ".exe.back" //.bak is already used + symlinkPath += ".exe" + newPath += ".exe" + } + + bakNewPath := filepath.Join(paths.Config(), agentBakName) + if err := os.Symlink(newPath, bakNewPath); err != nil { + return errors.New(err, errors.TypeFilesystem, "failed to update agent symlink") + } + + // safely rotate + return file.SafeFileRotate(symlinkPath, bakNewPath) +} diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go new file mode 100644 index 00000000000..ae3d05edd16 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go @@ -0,0 +1,219 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package upgrade + +import ( + "archive/tar" + "archive/zip" + "compress/gzip" + "context" + "fmt" + "io" + "io/ioutil" + "os" + "path/filepath" + "runtime" + "strings" + + "github.com/hashicorp/go-multierror" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" +) + +// untar unpacks archive correctly, skips root (symlink, config...) unpacks data/* +func (u *Upgrader) unpack(ctx context.Context, version, sourceURI, archivePath string) (string, error) { + // unpack must occur in directory that holds the installation directory + // or the extraction will be double nested + var hash string + var err error + if runtime.GOOS == "windows" { + hash, err = unzip(version, archivePath) + } else { + hash, err = untar(version, archivePath) + } + if err != nil { + return "", err + } + + return hash, nil +} + +func unzip(version, archivePath string) (string, error) { + var hash, rootDir string + r, err := zip.OpenReader(archivePath) + if err != nil { + return "", err + } + defer r.Close() + + fileNamePrefix := strings.TrimSuffix(filepath.Base(archivePath), ".zip") + "/" // omitting `elastic-agent-{version}-{os}-{arch}/` in filename + + unpackFile := func(f *zip.File) (err error) { + rc, err := f.Open() + if err != nil { + return err + } + defer func() { + if cerr := rc.Close(); cerr != nil { + err = multierror.Append(err, cerr) + } + }() + + //get hash + fileName := strings.TrimPrefix(f.Name, fileNamePrefix) + if fileName == agentCommitFile { + hashBytes, err := ioutil.ReadAll(rc) + if err != nil || len(hashBytes) < hashLen { + return err + } + + hash = string(hashBytes[:hashLen]) + return nil + } + + // skip everything outside data/ + if !strings.HasPrefix(fileName, "data/") { + return nil + } + + path := filepath.Join(paths.Data(), strings.TrimPrefix(fileName, "data/")) + + if f.FileInfo().IsDir() { + os.MkdirAll(path, f.Mode()) + } else { + os.MkdirAll(filepath.Dir(path), f.Mode()) + f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode()) + if err != nil { + return err + } + defer func() { + if cerr := f.Close(); cerr != nil { + err = multierror.Append(err, cerr) + } + }() + + if _, err = io.Copy(f, rc); err != nil { + return err + } + } + return nil + } + + for _, f := range r.File { + if rootDir == "" && filepath.Base(f.Name) == filepath.Dir(f.Name) { + return f.Name, nil + } + if currentDir := filepath.Dir(f.Name); rootDir == "" || len(currentDir) < len(rootDir) { + rootDir = currentDir + } + + if err := unpackFile(f); err != nil { + return "", err + } + } + + return hash, nil +} + +func untar(version, archivePath string) (string, error) { + r, err := os.Open(archivePath) + if err != nil { + return "", errors.New(fmt.Sprintf("artifact for 'elastic-agent' version '%s' could not be found at '%s'", version, archivePath), errors.TypeFilesystem, errors.M(errors.MetaKeyPath, archivePath)) + } + defer r.Close() + + zr, err := gzip.NewReader(r) + if err != nil { + return "", errors.New("requires gzip-compressed body", err, errors.TypeFilesystem) + } + + tr := tar.NewReader(zr) + var rootDir string + var hash string + fileNamePrefix := strings.TrimSuffix(filepath.Base(archivePath), ".tar.gz") + "/" // omitting `elastic-agent-{version}-{os}-{arch}/` in filename + + // go through all the content of a tar archive + // if elastic-agent.active.commit file is found, get commit of the version unpacked + // otherwise copy everything inside data directory (everything related to new version), + // pieces outside of data we already have and should not be overwritten as they are usually configs + for { + f, err := tr.Next() + if err == io.EOF { + break + } + if err != nil { + return "", err + } + + if !validFileName(f.Name) { + return "", errors.New("tar contained invalid filename: %q", f.Name, errors.TypeFilesystem, errors.M(errors.MetaKeyPath, f.Name)) + } + + //get hash + fileName := strings.TrimPrefix(f.Name, fileNamePrefix) + + if fileName == agentCommitFile { + hashBytes, err := ioutil.ReadAll(tr) + if err != nil || len(hashBytes) < hashLen { + return "", err + } + + hash = string(hashBytes[:hashLen]) + continue + } + + // skip everything outside data/ + if !strings.HasPrefix(fileName, "data/") { + continue + } + + rel := filepath.FromSlash(strings.TrimPrefix(fileName, "data/")) + abs := filepath.Join(paths.Data(), rel) + + // find the root dir + if currentDir := filepath.Dir(abs); rootDir == "" || len(filepath.Dir(rootDir)) > len(currentDir) { + rootDir = currentDir + } + + fi := f.FileInfo() + mode := fi.Mode() + switch { + case mode.IsRegular(): + // just to be sure, it should already be created by Dir type + if err := os.MkdirAll(filepath.Dir(abs), 0755); err != nil { + return "", errors.New(err, "TarInstaller: creating directory for file "+abs, errors.TypeFilesystem, errors.M(errors.MetaKeyPath, abs)) + } + + wf, err := os.OpenFile(abs, os.O_RDWR|os.O_CREATE|os.O_TRUNC, mode.Perm()) + if err != nil { + return "", errors.New(err, "TarInstaller: creating file "+abs, errors.TypeFilesystem, errors.M(errors.MetaKeyPath, abs)) + } + + _, err = io.Copy(wf, tr) + if closeErr := wf.Close(); closeErr != nil && err == nil { + err = closeErr + } + if err != nil { + return "", fmt.Errorf("TarInstaller: error writing to %s: %v", abs, err) + } + case mode.IsDir(): + if err := os.MkdirAll(abs, 0755); err != nil { + return "", errors.New(err, "TarInstaller: creating directory for file "+abs, errors.TypeFilesystem, errors.M(errors.MetaKeyPath, abs)) + } + default: + return "", errors.New(fmt.Sprintf("tar file entry %s contained unsupported file type %v", fileName, mode), errors.TypeFilesystem, errors.M(errors.MetaKeyPath, fileName)) + } + } + + return hash, nil +} + +func validFileName(p string) bool { + if p == "" || strings.Contains(p, `\`) || strings.HasPrefix(p, "/") || strings.Contains(p, "../") { + return false + } + return true +} diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go new file mode 100644 index 00000000000..08c38aba8c5 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go @@ -0,0 +1,162 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package upgrade + +import ( + "context" + "fmt" + "io/ioutil" + "os" + "path/filepath" + "strings" + + "gopkg.in/yaml.v2" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" +) + +const ( + agentName = "elastic-agent" + hashLen = 6 + agentCommitFile = ".elastic-agent.active.commit" + agentArtifactName = "beats/" + agentName +) + +// Upgrader performs an upgrade +type Upgrader struct { + settings *artifact.Config + log *logger.Logger + closers []context.CancelFunc + reexec reexecManager + acker acker +} + +type reexecManager interface { + ReExec(argOverrides ...string) +} + +type acker interface { + Ack(ctx context.Context, action fleetapi.Action) error + Commit(ctx context.Context) error +} + +// NewUpgrader creates an upgrader which is capable of performing upgrade operation +func NewUpgrader(settings *artifact.Config, log *logger.Logger, closers []context.CancelFunc, reexec reexecManager, a acker) *Upgrader { + return &Upgrader{ + settings: settings, + log: log, + closers: closers, + reexec: reexec, + acker: a, + } +} + +// Upgrade upgrades running agent +func (u *Upgrader) Upgrade(ctx context.Context, a *fleetapi.ActionUpgrade) error { + archivePath, err := u.downloadArtifact(ctx, a.Version, a.SourceURI) + if err != nil { + return err + } + + newHash, err := u.unpack(ctx, a.Version, a.SourceURI, archivePath) + if err != nil { + return err + } + + if newHash == "" { + return errors.New("unknown hash") + } + + if strings.HasPrefix(release.Commit(), newHash) { + return errors.New("upgrading to same version") + } + + if err := copyActionStore(newHash); err != nil { + return errors.New(err, "failed to copy action store") + } + + if err := u.changeSymlink(ctx, newHash); err != nil { + rollbackInstall(newHash) + return err + } + + if err := u.markUpgrade(ctx, newHash, a); err != nil { + rollbackInstall(newHash) + return err + } + + u.reexec.ReExec() + return nil +} + +// Ack acks last upgrade action +func (u *Upgrader) Ack(ctx context.Context) error { + // get upgrade action + markerFile := filepath.Join(paths.Data(), markerFilename) + markerBytes, err := ioutil.ReadFile(markerFile) + if err != nil && os.IsNotExist(err) { + return nil + } else if err != nil { + return err + } + + marker := &updateMarker{} + if err := yaml.Unmarshal(markerBytes, marker); err != nil { + return err + } + + if marker.Acked { + return nil + } + + if err := u.acker.Ack(ctx, marker.Action); err != nil { + return err + } + + if err := u.acker.Commit(ctx); err != nil { + return err + } + + marker.Acked = true + markerBytes, err = yaml.Marshal(marker) + if err != nil { + return err + } + + return ioutil.WriteFile(markerFile, markerBytes, 0600) +} + +func isSubdir(base, target string) (bool, error) { + relPath, err := filepath.Rel(base, target) + return strings.HasPrefix(relPath, ".."), err +} + +func rollbackInstall(hash string) { + os.RemoveAll(filepath.Join(paths.Data(), fmt.Sprintf("%s-%s", agentName, hash))) +} + +func copyActionStore(newHash string) error { + currentActionStorePath := info.AgentActionStoreFile() + + newHome := filepath.Join(filepath.Dir(paths.Home()), fmt.Sprintf("%s-%s", agentName, newHash)) + newActionStorePath := filepath.Join(newHome, filepath.Base(currentActionStorePath)) + + currentActionStore, err := ioutil.ReadFile(currentActionStorePath) + if os.IsNotExist(err) { + // nothing to copy + return nil + } + if err != nil { + return err + } + + return ioutil.WriteFile(newActionStorePath, currentActionStore, 0600) +} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/checks.go b/x-pack/elastic-agent/pkg/agent/cmd/checks.go new file mode 100644 index 00000000000..4fee7497009 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/cmd/checks.go @@ -0,0 +1,57 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !windows + +package cmd + +import ( + "fmt" + "io/ioutil" + "os" + "path/filepath" + + "github.com/spf13/cobra" + + // import logp flags + _ "github.com/elastic/beats/v7/libbeat/logp/configure" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" +) + +// preRunCheck is noop because +// - darwin.tar - symlink created during packaging +// - linux.tar - symlink created during packaging +// - linux.rpm - symlink created using install script +// - linux.deb - symlink created using install script +// - linux.docker - symlink created using Dockerfile +func preRunCheck(flags *globalFlags) func(cmd *cobra.Command, args []string) error { + return func(cmd *cobra.Command, args []string) error { + if sn := paths.ServiceName(); sn != "" { + // paths were created we're running as child. + return nil + } + + // get versioned path + smallHash := fmt.Sprintf("elastic-agent-%s", smallHash(release.Commit())) + commitFilepath := filepath.Join(paths.Config(), commitFile) // use other file in the future + if content, err := ioutil.ReadFile(commitFilepath); err == nil { + smallHash = hashedDirName(content) + } + + origExecPath, err := os.Executable() + if err != nil { + return err + } + reexecPath := filepath.Join(paths.Data(), smallHash, filepath.Base(origExecPath)) + + // generate paths + if err := generatePaths(filepath.Dir(reexecPath), origExecPath); err != nil { + return err + } + + paths.UpdatePaths() + return nil + } +} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/checks_windows.go b/x-pack/elastic-agent/pkg/agent/cmd/checks_windows.go new file mode 100644 index 00000000000..36108c8e08b --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/cmd/checks_windows.go @@ -0,0 +1,114 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build windows + +package cmd + +import ( + "fmt" + "io/ioutil" + "os" + "path/filepath" + + "github.com/spf13/cobra" + + // import logp flags + _ "github.com/elastic/beats/v7/libbeat/logp/configure" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/reexec" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" +) + +func preRunCheck(flags *globalFlags) func(cmd *cobra.Command, args []string) error { + return func(cmd *cobra.Command, args []string) error { + if sn := paths.ServiceName(); sn != "" { + // replacing with correct service name so we + // can talk to service manager. + if !filepath.IsAbs(os.Args[0]) { + os.Args[0] = sn + } + + // paths were created we're running as child. + return nil + } + + smallHash := fmt.Sprintf("elastic-agent-%s", smallHash(release.Commit())) + commitFilepath := filepath.Join(paths.Config(), commitFile) + if content, err := ioutil.ReadFile(commitFilepath); err == nil { + smallHash = hashedDirName(content) + } + + // rename itself + origExecPath, err := os.Executable() + if err != nil { + return err + } + + if err := os.Rename(origExecPath, origExecPath+".bak"); err != nil { + return err + } + + // create symlink to elastic-agent-{hash} + reexecPath := filepath.Join(paths.Data(), smallHash, filepath.Base(origExecPath)) + if err := os.Symlink(reexecPath, origExecPath); err != nil { + return err + } + + // generate paths + if err := generatePaths(filepath.Dir(reexecPath), origExecPath); err != nil { + return err + } + + paths.UpdatePaths() + + // reexec if running run + if cmd.Use == "run" { + pathConfigFile := flags.Config() + rawConfig, err := config.LoadYAML(pathConfigFile) + if err != nil { + return errors.New(err, + fmt.Sprintf("could not read configuration file %s", pathConfigFile), + errors.TypeFilesystem, + errors.M(errors.MetaKeyPath, pathConfigFile)) + } + + cfg, err := configuration.NewFromConfig(rawConfig) + if err != nil { + return errors.New(err, + fmt.Sprintf("could not parse configuration file %s", pathConfigFile), + errors.TypeFilesystem, + errors.M(errors.MetaKeyPath, pathConfigFile)) + } + + logger, err := logger.NewFromConfig("", cfg.Settings.LoggingConfig) + if err != nil { + return err + } + + rexLogger := logger.Named("reexec") + rm := reexec.NewManager(rexLogger, reexecPath) + + argsOverrides := []string{ + "--path.data", paths.Data(), + "--path.home", filepath.Dir(reexecPath), + "--path.config", paths.Config(), + } + rm.ReExec(argsOverrides...) + + // trigger reexec + rm.ShutdownComplete() + + // return without running Run method + os.Exit(0) + } + + return nil + } +} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/common.go b/x-pack/elastic-agent/pkg/agent/cmd/common.go index 54b51202ef5..d5c195566bd 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/common.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/common.go @@ -7,36 +7,41 @@ package cmd import ( "flag" "fmt" + "io/ioutil" "os" "path/filepath" + "runtime" + "strings" "github.com/spf13/cobra" + "gopkg.in/yaml.v2" + + // import logp flags + _ "github.com/elastic/beats/v7/libbeat/logp/configure" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/basecmd" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" ) -const defaultConfig = "elastic-agent.yml" +const ( + defaultConfig = "elastic-agent.yml" + hashLen = 6 + commitFile = ".elastic-agent.active.commit" +) type globalFlags struct { - PathConfig string - PathConfigFile string - FlagStrictPerms bool + PathConfigFile string } // Config returns path which identifies configuration file. func (f *globalFlags) Config() string { if len(f.PathConfigFile) == 0 || f.PathConfigFile == defaultConfig { - return filepath.Join(paths.Home(), defaultConfig) + return filepath.Join(paths.Config(), defaultConfig) } return f.PathConfigFile } -func (f *globalFlags) StrictPermission() bool { - return f.FlagStrictPerms -} - // NewCommand returns the default command for the agent. func NewCommand() *cobra.Command { return NewCommandWithArgs(os.Args, cli.NewIOStreams()) @@ -50,18 +55,83 @@ func NewCommandWithArgs(args []string, streams *cli.IOStreams) *cobra.Command { flags := &globalFlags{} + // path flags cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("path.home")) + cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("path.config")) cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("path.data")) + cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("path.logs")) + cmd.PersistentFlags().StringVarP(&flags.PathConfigFile, "c", "c", defaultConfig, `Configuration file, relative to path.config`) - cmd.PersistentFlags().StringVarP(&flags.PathConfigFile, "", "c", defaultConfig, fmt.Sprintf(`Configuration file, relative to path.config (default "%s")`, defaultConfig)) - cmd.PersistentFlags().StringVarP(&flags.PathConfig, "path.config", "", "${path.home}", "Configuration path") - cmd.PersistentFlags().BoolVarP(&flags.FlagStrictPerms, "strict.perms", "", true, "Strict permission checking on config files") + // logging flags + cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("v")) + cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("e")) + cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("d")) + cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("environment")) - // Add version. + // sub-commands + run := newRunCommandWithArgs(flags, args, streams) cmd.AddCommand(basecmd.NewDefaultCommandsWithArgs(args, streams)...) - cmd.AddCommand(newRunCommandWithArgs(flags, args, streams)) + cmd.AddCommand(run) cmd.AddCommand(newEnrollCommandWithArgs(flags, args, streams)) - cmd.AddCommand(newIntrospectCommandWithArgs(flags, args, streams)) + cmd.AddCommand(newInspectCommandWithArgs(flags, args, streams)) + + // windows special hidden sub-command (only added on windows) + reexec := newReExecWindowsCommand(flags, args, streams) + if reexec != nil { + cmd.AddCommand(reexec) + } + cmd.PersistentPreRunE = preRunCheck(flags) + cmd.Run = run.Run return cmd } + +func hashedDirName(filecontent []byte) string { + s := strings.TrimSpace(string(filecontent)) + if len(s) == 0 { + return "elastic-agent" + } + + s = smallHash(s) + + return fmt.Sprintf("elastic-agent-%s", s) +} + +func smallHash(hash string) string { + if len(hash) > hashLen { + hash = hash[:hashLen] + } + + return hash +} + +func generatePaths(dir, origExec string) error { + pathsCfg := map[string]interface{}{ + "path.data": paths.Data(), + "path.home": dir, + "path.config": paths.Config(), + "path.service_name": origExec, + } + + pathsCfgPath := filepath.Join(paths.Data(), "paths.yml") + pathsContent, err := yaml.Marshal(pathsCfg) + if err != nil { + return err + } + + if err := ioutil.WriteFile(pathsCfgPath, pathsContent, 0740); err != nil { + return err + } + + if runtime.GOOS == "windows" { + // due to two binaries we need to do a path dance + // as versioned binary will look for path inside it's own directory + versionedPath := filepath.Join(dir, "data", "paths.yml") + if err := os.MkdirAll(filepath.Dir(versionedPath), 0700); err != nil { + return err + } + return os.Symlink(pathsCfgPath, versionedPath) + } + + return nil +} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go index bfa1e73cb6a..6749b57b250 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go @@ -5,21 +5,25 @@ package cmd import ( + "context" "fmt" "math/rand" "os" "time" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/client" + "github.com/spf13/cobra" + "github.com/elastic/beats/v7/libbeat/common/backoff" c "github.com/elastic/beats/v7/libbeat/common/cli" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/warn" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" ) var defaultDelay = 1 * time.Second @@ -38,9 +42,12 @@ func newEnrollCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStr }, } - cmd.Flags().StringP("certificate_authorities", "a", "", "Comma separated list of root certificate for server verifications") - cmd.Flags().StringP("ca_sha256", "p", "", "Comma separated list of certificate authorities hash pins used for certificate verifications") + cmd.Flags().StringP("certificate-authorities", "a", "", "Comma separated list of root certificate for server verifications") + cmd.Flags().StringP("ca-sha256", "p", "", "Comma separated list of certificate authorities hash pins used for certificate verifications") cmd.Flags().BoolP("force", "f", false, "Force overwrite the current and do not prompt for confirmation") + cmd.Flags().BoolP("insecure", "i", false, "Allow insecure connection to Kibana") + cmd.Flags().StringP("staging", "", "", "Configures agent to download artifacts from a staging build") + cmd.Flags().Bool("no-restart", false, "Skip restarting the currently running daemon") return cmd } @@ -48,7 +55,7 @@ func newEnrollCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStr func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args []string) error { warn.PrintNotGA(streams.Out) pathConfigFile := flags.Config() - rawConfig, err := config.LoadYAML(pathConfigFile) + rawConfig, err := application.LoadConfigFromFile(pathConfigFile) if err != nil { return errors.New(err, fmt.Sprintf("could not read configuration file %s", pathConfigFile), @@ -64,6 +71,13 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args errors.M(errors.MetaKeyPath, pathConfigFile)) } + staging, _ := cmd.Flags().GetString("staging") + if staging != "" { + if len(staging) < 8 { + return errors.New(fmt.Errorf("invalid staging build hash; must be at least 8 characters"), "Error") + } + } + force, _ := cmd.Flags().GetBool("force") if !force { confirm, err := c.Confirm("This will replace your current settings. Do you want to continue?", true) @@ -76,6 +90,8 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args } } + insecure, _ := cmd.Flags().GetBool("insecure") + logger, err := logger.NewFromConfig("", cfg.Settings.LoggingConfig) if err != nil { return err @@ -84,10 +100,10 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args url := args[0] enrollmentToken := args[1] - caStr, _ := cmd.Flags().GetString("certificate_authorities") + caStr, _ := cmd.Flags().GetString("certificate-authorities") CAs := cli.StringToSlice(caStr) - caSHA256str, _ := cmd.Flags().GetString("ca_sha256") + caSHA256str, _ := cmd.Flags().GetString("ca-sha256") caSHA256 := cli.StringToSlice(caSHA256str) delay(defaultDelay) @@ -98,7 +114,9 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args URL: url, CAs: CAs, CASha256: caSHA256, + Insecure: insecure, UserProvidedMetadata: make(map[string]interface{}), + Staging: staging, } c, err := application.NewEnrollCmd( @@ -112,11 +130,42 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args } err = c.Execute() + signal := make(chan struct{}) + + backExp := backoff.NewExpBackoff(signal, 60*time.Second, 10*time.Minute) + + for errors.Is(err, fleetapi.ErrTooManyRequests) { + fmt.Fprintln(streams.Out, "Too many requests on the remote server, will retry in a moment.") + backExp.Wait() + fmt.Fprintln(streams.Out, "Retrying to enroll...") + err = c.Execute() + } + + close(signal) + if err != nil { return errors.New(err, "fail to enroll") } - fmt.Fprintln(streams.Out, "Successfully enrolled the Agent.") + fmt.Fprintln(streams.Out, "Successfully enrolled the Elastic Agent.") + + // skip restarting + noRestart, _ := cmd.Flags().GetBool("no-restart") + if noRestart { + return nil + } + + daemon := client.New() + err = daemon.Connect(context.Background()) + if err == nil { + defer daemon.Disconnect() + err = daemon.Restart(context.Background()) + if err == nil { + fmt.Fprintln(streams.Out, "Successfully triggered restart on running Elastic Agent.") + return nil + } + } + fmt.Fprintln(streams.Out, "Elastic Agent might not be running; unable to trigger restart") return nil } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/include.go b/x-pack/elastic-agent/pkg/agent/cmd/include.go new file mode 100644 index 00000000000..87506b88415 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/cmd/include.go @@ -0,0 +1,16 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package cmd + +import ( + // include the composable providers + _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/agent" + _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/docker" + _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/env" + _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/host" + _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/local" + _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/localdynamic" + _ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/composable/providers/path" +) diff --git a/x-pack/elastic-agent/pkg/agent/cmd/introspect.go b/x-pack/elastic-agent/pkg/agent/cmd/inspect.go similarity index 72% rename from x-pack/elastic-agent/pkg/agent/cmd/introspect.go rename to x-pack/elastic-agent/pkg/agent/cmd/inspect.go index f6cb40e1894..bf6d3009f10 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/introspect.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/inspect.go @@ -14,14 +14,14 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" ) -func newIntrospectCommandWithArgs(flags *globalFlags, s []string, streams *cli.IOStreams) *cobra.Command { +func newInspectCommandWithArgs(flags *globalFlags, s []string, streams *cli.IOStreams) *cobra.Command { cmd := &cobra.Command{ Use: "inspect", Short: "Shows configuration of the agent", Long: "Shows current configuration of the agent", Args: cobra.ExactArgs(0), Run: func(c *cobra.Command, args []string) { - command, err := application.NewIntrospectConfigCmd(flags.Config()) + command, err := application.NewInspectConfigCmd(flags.Config()) if err != nil { fmt.Fprintf(streams.Err, "%v\n", err) os.Exit(1) @@ -34,12 +34,12 @@ func newIntrospectCommandWithArgs(flags *globalFlags, s []string, streams *cli.I }, } - cmd.AddCommand(newIntrospectOutputCommandWithArgs(flags, s, streams)) + cmd.AddCommand(newInspectOutputCommandWithArgs(flags, s, streams)) return cmd } -func newIntrospectOutputCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStreams) *cobra.Command { +func newInspectOutputCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStreams) *cobra.Command { cmd := &cobra.Command{ Use: "output", Short: "Displays configuration generated for output", @@ -49,7 +49,7 @@ func newIntrospectOutputCommandWithArgs(flags *globalFlags, _ []string, streams outName, _ := c.Flags().GetString("output") program, _ := c.Flags().GetString("program") - command, err := application.NewIntrospectOutputCmd(flags.Config(), outName, program) + command, err := application.NewInspectOutputCmd(flags.Config(), outName, program) if err != nil { fmt.Fprintf(streams.Err, "%v\n", err) os.Exit(1) @@ -62,8 +62,8 @@ func newIntrospectOutputCommandWithArgs(flags *globalFlags, _ []string, streams }, } - cmd.Flags().StringP("output", "o", "", "name of the output to be introspected") - cmd.Flags().StringP("program", "p", "", "type of program to introspect, needs to be combined with output. e.g filebeat") + cmd.Flags().StringP("output", "o", "", "name of the output to be inspected") + cmd.Flags().StringP("program", "p", "", "type of program to inspect, needs to be combined with output. e.g filebeat") return cmd } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/reexec.go b/x-pack/elastic-agent/pkg/agent/cmd/reexec.go new file mode 100644 index 00000000000..575828212a2 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/cmd/reexec.go @@ -0,0 +1,17 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !windows + +package cmd + +import ( + "github.com/spf13/cobra" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" +) + +func newReExecWindowsCommand(flags *globalFlags, _ []string, streams *cli.IOStreams) *cobra.Command { + return nil +} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/reexec_windows.go b/x-pack/elastic-agent/pkg/agent/cmd/reexec_windows.go new file mode 100644 index 00000000000..b47678801fc --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/cmd/reexec_windows.go @@ -0,0 +1,76 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build windows + +package cmd + +import ( + "fmt" + "os" + "strconv" + "time" + + "github.com/spf13/cobra" + "golang.org/x/sys/windows/svc" + "golang.org/x/sys/windows/svc/mgr" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" +) + +func newReExecWindowsCommand(flags *globalFlags, _ []string, streams *cli.IOStreams) *cobra.Command { + cmd := &cobra.Command{ + Hidden: true, + Use: "reexec_windows ", + Short: "ReExec the windows service", + Long: "This waits for the windows service to stop then restarts it to allow self-upgrading.", + Args: cobra.ExactArgs(2), + Run: func(c *cobra.Command, args []string) { + serviceName := args[0] + servicePid, err := strconv.Atoi(args[1]) + if err != nil { + fmt.Fprintf(streams.Err, "%v\n", err) + os.Exit(1) + } + err = reExec(serviceName, servicePid) + if err != nil { + fmt.Fprintf(streams.Err, "%v\n", err) + os.Exit(1) + } + }, + } + + return cmd +} + +func reExec(serviceName string, servicePid int) error { + manager, err := mgr.Connect() + if err != nil { + return errors.New(err, "failed to connect to service manager") + } + service, err := manager.OpenService(serviceName) + if err != nil { + return errors.New(err, "failed to open service") + } + for { + status, err := service.Query() + if err != nil { + return errors.New(err, "failed to query service") + } + if status.State == svc.Stopped { + err = service.Start() + if err != nil { + return errors.New(err, "failed to start service") + } + // triggered restart; done + return nil + } + if int(status.ProcessId) != servicePid { + // already restarted; has different PID, done! + return nil + } + <-time.After(300 * time.Millisecond) + } +} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/run.go b/x-pack/elastic-agent/pkg/agent/cmd/run.go index 2f1bf8e0db1..77beeb6fe1a 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/run.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/run.go @@ -5,6 +5,7 @@ package cmd import ( + "context" "fmt" "os" "os/signal" @@ -12,13 +13,17 @@ import ( "github.com/spf13/cobra" + "github.com/elastic/beats/v7/libbeat/service" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/reexec" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/server" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" ) func newRunCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStreams) *cobra.Command { @@ -34,9 +39,30 @@ func newRunCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStream } } -func run(flags *globalFlags, streams *cli.IOStreams) error { +func run(flags *globalFlags, streams *cli.IOStreams) error { // Windows: Mark service as stopped. + // After this is run, the service is considered by the OS to be stopped. + // This must be the first deferred cleanup task (last to execute). + defer service.NotifyTermination() + + locker := application.NewAppLocker(paths.Data()) + if err := locker.TryLock(); err != nil { + return err + } + defer locker.Unlock() + + service.BeforeRun() + defer service.Cleanup() + + // register as a service + stop := make(chan bool) + _, cancel := context.WithCancel(context.Background()) + var stopBeat = func() { + close(stop) + } + service.HandleSignals(stopBeat, cancel) + pathConfigFile := flags.Config() - rawConfig, err := config.LoadYAML(pathConfigFile) + rawConfig, err := application.LoadConfigFromFile(pathConfigFile) if err != nil { return errors.New(err, fmt.Sprintf("could not read configuration file %s", pathConfigFile), @@ -57,13 +83,25 @@ func run(flags *globalFlags, streams *cli.IOStreams) error { return err } - locker := application.NewAppLocker(paths.Data()) - if err := locker.TryLock(); err != nil { + if allowEmptyPgp, _ := release.PGP(); allowEmptyPgp { + logger.Warn("Artifact has been build with security disabled. Elastic Agent will not verify signatures of used artifacts.") + } + + execPath, err := os.Executable() + if err != nil { return err } - defer locker.Unlock() + rexLogger := logger.Named("reexec") + rex := reexec.NewManager(rexLogger, execPath) + + // start the control listener + control := server.New(logger.Named("control"), rex) + if err := control.Start(); err != nil { + return err + } + defer control.Stop() - app, err := application.New(logger, pathConfigFile) + app, err := application.New(logger, pathConfigFile, rex) if err != nil { return err } @@ -72,11 +110,39 @@ func run(flags *globalFlags, streams *cli.IOStreams) error { return err } - // listen for kill signal + // listen for signals signals := make(chan os.Signal, 1) - signal.Notify(signals, syscall.SIGINT, syscall.SIGKILL, syscall.SIGTERM, syscall.SIGQUIT) - - <-signals + signal.Notify(signals, syscall.SIGINT, syscall.SIGKILL, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP) + reexecing := false + for { + breakout := false + select { + case <-stop: + breakout = true + case <-rex.ShutdownChan(): + reexecing = true + breakout = true + case sig := <-signals: + if sig == syscall.SIGHUP { + rexLogger.Infof("SIGHUP triggered re-exec") + rex.ReExec() + } else { + breakout = true + } + } + if breakout { + if !reexecing { + logger.Info("Shutting down Elastic Agent and sending last events...") + } + break + } + } - return app.Stop() + err = app.Stop() + if !reexecing { + logger.Info("Shutting down completed.") + return err + } + rex.ShutdownComplete() + return err } diff --git a/x-pack/elastic-agent/pkg/agent/control/addr.go b/x-pack/elastic-agent/pkg/agent/control/addr.go new file mode 100644 index 00000000000..20bc1e6a005 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/control/addr.go @@ -0,0 +1,22 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !windows + +package control + +import ( + "crypto/sha256" + "fmt" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" +) + +// Address returns the address to connect to Elastic Agent daemon. +func Address() string { + data := paths.Data() + // entire string cannot be longer than 107 characters, this forces the + // length to always be 88 characters (but unique per data path) + return fmt.Sprintf(`unix:///tmp/elastic-agent-%x.sock`, sha256.Sum256([]byte(data))) +} diff --git a/x-pack/elastic-agent/pkg/agent/control/addr_windows.go b/x-pack/elastic-agent/pkg/agent/control/addr_windows.go new file mode 100644 index 00000000000..bf2e164fbae --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/control/addr_windows.go @@ -0,0 +1,22 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build windows + +package control + +import ( + "crypto/sha256" + "fmt" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" +) + +// Address returns the address to connect to Elastic Agent daemon. +func Address() string { + data := paths.Data() + // entire string cannot be longer than 256 characters, this forces the + // length to always be 87 characters (but unique per data path) + return fmt.Sprintf(`\\.\pipe\elastic-agent-%x`, sha256.Sum256([]byte(data))) +} diff --git a/x-pack/elastic-agent/pkg/agent/control/client/client.go b/x-pack/elastic-agent/pkg/agent/control/client/client.go new file mode 100644 index 00000000000..5e55fce9349 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/control/client/client.go @@ -0,0 +1,188 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package client + +import ( + "context" + "encoding/json" + "fmt" + + "sync" + "time" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/proto" +) + +// Status is the status of the Elastic Agent +type Status = proto.Status + +const ( + // Starting is when the it is still starting. + Starting Status = proto.Status_STARTING + // Configuring is when it is configuring. + Configuring Status = proto.Status_CONFIGURING + // Healthy is when it is healthy. + Healthy Status = proto.Status_HEALTHY + // Degraded is when it is degraded. + Degraded Status = proto.Status_DEGRADED + // Failed is when it is failed. + Failed Status = proto.Status_FAILED + // Stopping is when it is stopping. + Stopping Status = proto.Status_STOPPING + // Upgrading is when it is upgrading. + Upgrading Status = proto.Status_UPGRADING +) + +// Version is the current running version of the daemon. +type Version struct { + Version string + Commit string + BuildTime time.Time + Snapshot bool +} + +// ApplicationStatus is a status of an application inside of Elastic Agent. +type ApplicationStatus struct { + ID string + Name string + Status Status + Message string + Payload map[string]interface{} +} + +// AgentStatus is the current status of the Elastic Agent. +type AgentStatus struct { + Status Status + Message string + Applications []*ApplicationStatus +} + +// Client communicates to Elastic Agent through the control protocol. +type Client interface { + // Connect connects to the running Elastic Agent. + Connect(ctx context.Context) error + // Disconnect disconnects from the running Elastic Agent. + Disconnect() + // Version returns the current version of the running agent. + Version(ctx context.Context) (Version, error) + // Status returns the current status of the running agent. + Status(ctx context.Context) (*AgentStatus, error) + // Restart triggers restarting the current running daemon. + Restart(ctx context.Context) error + // Upgrade triggers upgrade of the current running daemon. + Upgrade(ctx context.Context, version string, sourceURI string) (string, error) +} + +// client manages the state and communication to the Elastic Agent. +type client struct { + ctx context.Context + cancel context.CancelFunc + wg sync.WaitGroup + client proto.ElasticAgentControlClient + cfgLock sync.RWMutex + obsLock sync.RWMutex +} + +// New creates a client connection to Elastic Agent. +func New() Client { + return &client{} +} + +// Connect connects to the running Elastic Agent. +func (c *client) Connect(ctx context.Context) error { + c.ctx, c.cancel = context.WithCancel(ctx) + conn, err := dialContext(ctx) + if err != nil { + return err + } + c.client = proto.NewElasticAgentControlClient(conn) + return nil +} + +// Disconnect disconnects from the running Elastic Agent. +func (c *client) Disconnect() { + if c.cancel != nil { + c.cancel() + c.wg.Wait() + c.ctx = nil + c.cancel = nil + } +} + +// Version returns the current version of the running agent. +func (c *client) Version(ctx context.Context) (Version, error) { + res, err := c.client.Version(ctx, &proto.Empty{}) + if err != nil { + return Version{}, err + } + bt, err := time.Parse(control.TimeFormat(), res.BuildTime) + if err != nil { + return Version{}, err + } + return Version{ + Version: res.Version, + Commit: res.Commit, + BuildTime: bt, + Snapshot: res.Snapshot, + }, nil +} + +// Status returns the current status of the running agent. +func (c *client) Status(ctx context.Context) (*AgentStatus, error) { + res, err := c.client.Status(ctx, &proto.Empty{}) + if err != nil { + return nil, err + } + s := &AgentStatus{ + Status: res.Status, + Message: res.Message, + Applications: make([]*ApplicationStatus, len(res.Applications)), + } + for i, appRes := range res.Applications { + var payload map[string]interface{} + if appRes.Payload != "" { + err := json.Unmarshal([]byte(appRes.Payload), &payload) + if err != nil { + return nil, err + } + } + s.Applications[i] = &ApplicationStatus{ + ID: appRes.Id, + Name: appRes.Name, + Status: appRes.Status, + Message: appRes.Message, + Payload: payload, + } + } + return s, nil +} + +// Restart triggers restarting the current running daemon. +func (c *client) Restart(ctx context.Context) error { + res, err := c.client.Restart(ctx, &proto.Empty{}) + if err != nil { + return err + } + if res.Status == proto.ActionStatus_FAILURE { + return fmt.Errorf(res.Error) + } + return nil +} + +// Upgrade triggers upgrade of the current running daemon. +func (c *client) Upgrade(ctx context.Context, version string, sourceURI string) (string, error) { + res, err := c.client.Upgrade(ctx, &proto.UpgradeRequest{ + Version: version, + SourceURI: sourceURI, + }) + if err != nil { + return "", err + } + if res.Status == proto.ActionStatus_FAILURE { + return "", fmt.Errorf(res.Error) + } + return res.Version, nil +} diff --git a/x-pack/elastic-agent/pkg/agent/control/client/dial.go b/x-pack/elastic-agent/pkg/agent/control/client/dial.go new file mode 100644 index 00000000000..56313b12c82 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/control/client/dial.go @@ -0,0 +1,26 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !windows + +package client + +import ( + "context" + "net" + "strings" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control" + + "google.golang.org/grpc" +) + +func dialContext(ctx context.Context) (*grpc.ClientConn, error) { + return grpc.DialContext(ctx, strings.TrimPrefix(control.Address(), "unix://"), grpc.WithInsecure(), grpc.WithContextDialer(dialer)) +} + +func dialer(ctx context.Context, addr string) (net.Conn, error) { + var d net.Dialer + return d.DialContext(ctx, "unix", addr) +} diff --git a/x-pack/elastic-agent/pkg/agent/control/client/dial_windows.go b/x-pack/elastic-agent/pkg/agent/control/client/dial_windows.go new file mode 100644 index 00000000000..c061753d327 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/control/client/dial_windows.go @@ -0,0 +1,26 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build windows + +package client + +import ( + "context" + "net" + + "google.golang.org/grpc" + + "github.com/elastic/beats/v7/libbeat/api/npipe" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control" +) + +func dialContext(ctx context.Context) (*grpc.ClientConn, error) { + return grpc.DialContext(ctx, control.Address(), grpc.WithInsecure(), grpc.WithContextDialer(dialer)) +} + +func dialer(ctx context.Context, addr string) (net.Conn, error) { + return npipe.DialContext(addr)(ctx, "", "") +} diff --git a/x-pack/elastic-agent/pkg/agent/control/control_test.go b/x-pack/elastic-agent/pkg/agent/control/control_test.go new file mode 100644 index 00000000000..9454179ae60 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/control/control_test.go @@ -0,0 +1,53 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package control_test + +import ( + "context" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/logp" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/client" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/server" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" +) + +func TestServerClient_Version(t *testing.T) { + srv := server.New(newErrorLogger(t), nil) + err := srv.Start() + require.NoError(t, err) + defer srv.Stop() + + c := client.New() + err = c.Connect(context.Background()) + require.NoError(t, err) + defer c.Disconnect() + + ver, err := c.Version(context.Background()) + require.NoError(t, err) + + assert.Equal(t, client.Version{ + Version: release.Version(), + Commit: release.Commit(), + BuildTime: release.BuildTime(), + Snapshot: release.Snapshot(), + }, ver) +} + +func newErrorLogger(t *testing.T) *logger.Logger { + t.Helper() + + loggerCfg := logger.DefaultLoggingConfig() + loggerCfg.Level = logp.ErrorLevel + + log, err := logger.NewFromConfig("", loggerCfg) + require.NoError(t, err) + return log +} diff --git a/x-pack/elastic-agent/pkg/agent/control/proto/control.pb.go b/x-pack/elastic-agent/pkg/agent/control/proto/control.pb.go new file mode 100644 index 00000000000..a0e2e710f0c --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/control/proto/control.pb.go @@ -0,0 +1,1037 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.22.0 +// protoc v3.11.4 +// source: control.proto + +package proto + +import ( + context "context" + reflect "reflect" + sync "sync" + + proto "github.com/golang/protobuf/proto" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// This is a compile-time assertion that a sufficiently up-to-date version +// of the legacy proto package is being used. +const _ = proto.ProtoPackageIsVersion4 + +// Status codes for the current state. +type Status int32 + +const ( + Status_STARTING Status = 0 + Status_CONFIGURING Status = 1 + Status_HEALTHY Status = 2 + Status_DEGRADED Status = 3 + Status_FAILED Status = 4 + Status_STOPPING Status = 5 + Status_UPGRADING Status = 6 + Status_ROLLBACK Status = 7 +) + +// Enum value maps for Status. +var ( + Status_name = map[int32]string{ + 0: "STARTING", + 1: "CONFIGURING", + 2: "HEALTHY", + 3: "DEGRADED", + 4: "FAILED", + 5: "STOPPING", + 6: "UPGRADING", + 7: "ROLLBACK", + } + Status_value = map[string]int32{ + "STARTING": 0, + "CONFIGURING": 1, + "HEALTHY": 2, + "DEGRADED": 3, + "FAILED": 4, + "STOPPING": 5, + "UPGRADING": 6, + "ROLLBACK": 7, + } +) + +func (x Status) Enum() *Status { + p := new(Status) + *p = x + return p +} + +func (x Status) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (Status) Descriptor() protoreflect.EnumDescriptor { + return file_control_proto_enumTypes[0].Descriptor() +} + +func (Status) Type() protoreflect.EnumType { + return &file_control_proto_enumTypes[0] +} + +func (x Status) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use Status.Descriptor instead. +func (Status) EnumDescriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{0} +} + +// Action status codes for restart and upgrade response. +type ActionStatus int32 + +const ( + // Action was successful. + ActionStatus_SUCCESS ActionStatus = 0 + // Action failed. + ActionStatus_FAILURE ActionStatus = 1 +) + +// Enum value maps for ActionStatus. +var ( + ActionStatus_name = map[int32]string{ + 0: "SUCCESS", + 1: "FAILURE", + } + ActionStatus_value = map[string]int32{ + "SUCCESS": 0, + "FAILURE": 1, + } +) + +func (x ActionStatus) Enum() *ActionStatus { + p := new(ActionStatus) + *p = x + return p +} + +func (x ActionStatus) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (ActionStatus) Descriptor() protoreflect.EnumDescriptor { + return file_control_proto_enumTypes[1].Descriptor() +} + +func (ActionStatus) Type() protoreflect.EnumType { + return &file_control_proto_enumTypes[1] +} + +func (x ActionStatus) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use ActionStatus.Descriptor instead. +func (ActionStatus) EnumDescriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{1} +} + +// Empty message. +type Empty struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields +} + +func (x *Empty) Reset() { + *x = Empty{} + if protoimpl.UnsafeEnabled { + mi := &file_control_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *Empty) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Empty) ProtoMessage() {} + +func (x *Empty) ProtoReflect() protoreflect.Message { + mi := &file_control_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Empty.ProtoReflect.Descriptor instead. +func (*Empty) Descriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{0} +} + +// Version response message. +type VersionResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Current running version. + Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` + // Current running commit. + Commit string `protobuf:"bytes,2,opt,name=commit,proto3" json:"commit,omitempty"` + // Current running build time. + BuildTime string `protobuf:"bytes,3,opt,name=buildTime,proto3" json:"buildTime,omitempty"` + // Current running version is a snapshot. + Snapshot bool `protobuf:"varint,4,opt,name=snapshot,proto3" json:"snapshot,omitempty"` +} + +func (x *VersionResponse) Reset() { + *x = VersionResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_control_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *VersionResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*VersionResponse) ProtoMessage() {} + +func (x *VersionResponse) ProtoReflect() protoreflect.Message { + mi := &file_control_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use VersionResponse.ProtoReflect.Descriptor instead. +func (*VersionResponse) Descriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{1} +} + +func (x *VersionResponse) GetVersion() string { + if x != nil { + return x.Version + } + return "" +} + +func (x *VersionResponse) GetCommit() string { + if x != nil { + return x.Commit + } + return "" +} + +func (x *VersionResponse) GetBuildTime() string { + if x != nil { + return x.BuildTime + } + return "" +} + +func (x *VersionResponse) GetSnapshot() bool { + if x != nil { + return x.Snapshot + } + return false +} + +type RestartResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Response status. + Status ActionStatus `protobuf:"varint,1,opt,name=status,proto3,enum=proto.ActionStatus" json:"status,omitempty"` + // Error message when it fails to trigger restart. + Error string `protobuf:"bytes,2,opt,name=error,proto3" json:"error,omitempty"` +} + +func (x *RestartResponse) Reset() { + *x = RestartResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_control_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *RestartResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RestartResponse) ProtoMessage() {} + +func (x *RestartResponse) ProtoReflect() protoreflect.Message { + mi := &file_control_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RestartResponse.ProtoReflect.Descriptor instead. +func (*RestartResponse) Descriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{2} +} + +func (x *RestartResponse) GetStatus() ActionStatus { + if x != nil { + return x.Status + } + return ActionStatus_SUCCESS +} + +func (x *RestartResponse) GetError() string { + if x != nil { + return x.Error + } + return "" +} + +// Upgrade request message. +type UpgradeRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // (Optional) Version to upgrade to. + // + // If not provided Elastic Agent will auto discover the latest version in the same major + // to upgrade to. If wanting to upgrade to a new major that major must be present in the + // this version field. + Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` + // (Optional) Use a different source URI then configured. + // + // If provided the upgrade process will use the provided sourceURI instead of the configured + // sourceURI in the configuration. + SourceURI string `protobuf:"bytes,2,opt,name=sourceURI,proto3" json:"sourceURI,omitempty"` +} + +func (x *UpgradeRequest) Reset() { + *x = UpgradeRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_control_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *UpgradeRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*UpgradeRequest) ProtoMessage() {} + +func (x *UpgradeRequest) ProtoReflect() protoreflect.Message { + mi := &file_control_proto_msgTypes[3] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use UpgradeRequest.ProtoReflect.Descriptor instead. +func (*UpgradeRequest) Descriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{3} +} + +func (x *UpgradeRequest) GetVersion() string { + if x != nil { + return x.Version + } + return "" +} + +func (x *UpgradeRequest) GetSourceURI() string { + if x != nil { + return x.SourceURI + } + return "" +} + +// A upgrade response message. +type UpgradeResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Response status. + Status ActionStatus `protobuf:"varint,1,opt,name=status,proto3,enum=proto.ActionStatus" json:"status,omitempty"` + // Version that is being upgraded to. + Version string `protobuf:"bytes,2,opt,name=version,proto3" json:"version,omitempty"` + // Error message when it fails to trigger upgrade. + Error string `protobuf:"bytes,3,opt,name=error,proto3" json:"error,omitempty"` +} + +func (x *UpgradeResponse) Reset() { + *x = UpgradeResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_control_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *UpgradeResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*UpgradeResponse) ProtoMessage() {} + +func (x *UpgradeResponse) ProtoReflect() protoreflect.Message { + mi := &file_control_proto_msgTypes[4] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use UpgradeResponse.ProtoReflect.Descriptor instead. +func (*UpgradeResponse) Descriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{4} +} + +func (x *UpgradeResponse) GetStatus() ActionStatus { + if x != nil { + return x.Status + } + return ActionStatus_SUCCESS +} + +func (x *UpgradeResponse) GetVersion() string { + if x != nil { + return x.Version + } + return "" +} + +func (x *UpgradeResponse) GetError() string { + if x != nil { + return x.Error + } + return "" +} + +// Current status of the application in Elastic Agent. +type ApplicationStatus struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Unique application ID. + Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` + // Application name. + Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"` + // Current status. + Status Status `protobuf:"varint,3,opt,name=status,proto3,enum=proto.Status" json:"status,omitempty"` + // Current status message. + Message string `protobuf:"bytes,4,opt,name=message,proto3" json:"message,omitempty"` + // Current status payload. + Payload string `protobuf:"bytes,5,opt,name=payload,proto3" json:"payload,omitempty"` +} + +func (x *ApplicationStatus) Reset() { + *x = ApplicationStatus{} + if protoimpl.UnsafeEnabled { + mi := &file_control_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ApplicationStatus) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ApplicationStatus) ProtoMessage() {} + +func (x *ApplicationStatus) ProtoReflect() protoreflect.Message { + mi := &file_control_proto_msgTypes[5] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ApplicationStatus.ProtoReflect.Descriptor instead. +func (*ApplicationStatus) Descriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{5} +} + +func (x *ApplicationStatus) GetId() string { + if x != nil { + return x.Id + } + return "" +} + +func (x *ApplicationStatus) GetName() string { + if x != nil { + return x.Name + } + return "" +} + +func (x *ApplicationStatus) GetStatus() Status { + if x != nil { + return x.Status + } + return Status_STARTING +} + +func (x *ApplicationStatus) GetMessage() string { + if x != nil { + return x.Message + } + return "" +} + +func (x *ApplicationStatus) GetPayload() string { + if x != nil { + return x.Payload + } + return "" +} + +// Status is the current status of Elastic Agent. +type StatusResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Overall status of Elastic Agent. + Status Status `protobuf:"varint,1,opt,name=status,proto3,enum=proto.Status" json:"status,omitempty"` + // Overall status message of Elastic Agent. + Message string `protobuf:"bytes,2,opt,name=message,proto3" json:"message,omitempty"` + // Status of each application in Elastic Agent. + Applications []*ApplicationStatus `protobuf:"bytes,3,rep,name=applications,proto3" json:"applications,omitempty"` +} + +func (x *StatusResponse) Reset() { + *x = StatusResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_control_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *StatusResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*StatusResponse) ProtoMessage() {} + +func (x *StatusResponse) ProtoReflect() protoreflect.Message { + mi := &file_control_proto_msgTypes[6] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use StatusResponse.ProtoReflect.Descriptor instead. +func (*StatusResponse) Descriptor() ([]byte, []int) { + return file_control_proto_rawDescGZIP(), []int{6} +} + +func (x *StatusResponse) GetStatus() Status { + if x != nil { + return x.Status + } + return Status_STARTING +} + +func (x *StatusResponse) GetMessage() string { + if x != nil { + return x.Message + } + return "" +} + +func (x *StatusResponse) GetApplications() []*ApplicationStatus { + if x != nil { + return x.Applications + } + return nil +} + +var File_control_proto protoreflect.FileDescriptor + +var file_control_proto_rawDesc = []byte{ + 0x0a, 0x0d, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, + 0x05, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x07, 0x0a, 0x05, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, + 0x7d, 0x0a, 0x0f, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x16, 0x0a, 0x06, + 0x63, 0x6f, 0x6d, 0x6d, 0x69, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x63, 0x6f, + 0x6d, 0x6d, 0x69, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x54, 0x69, 0x6d, + 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x54, 0x69, + 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x6e, 0x61, 0x70, 0x73, 0x68, 0x6f, 0x74, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x73, 0x6e, 0x61, 0x70, 0x73, 0x68, 0x6f, 0x74, 0x22, 0x54, + 0x0a, 0x0f, 0x52, 0x65, 0x73, 0x74, 0x61, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x12, 0x2b, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x0e, 0x32, 0x13, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x14, + 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, + 0x72, 0x72, 0x6f, 0x72, 0x22, 0x48, 0x0a, 0x0e, 0x55, 0x70, 0x67, 0x72, 0x61, 0x64, 0x65, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, + 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, + 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x55, 0x52, 0x49, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x55, 0x52, 0x49, 0x22, 0x6e, + 0x0a, 0x0f, 0x55, 0x70, 0x67, 0x72, 0x61, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, + 0x65, 0x12, 0x2b, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x0e, 0x32, 0x13, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x18, + 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, + 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x92, + 0x01, 0x0a, 0x11, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, + 0x61, 0x74, 0x75, 0x73, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x25, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, + 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x0d, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, + 0x18, 0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x70, 0x61, 0x79, + 0x6c, 0x6f, 0x61, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x70, 0x61, 0x79, 0x6c, + 0x6f, 0x61, 0x64, 0x22, 0x8f, 0x01, 0x0a, 0x0e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, + 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x25, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x0d, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x53, + 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x18, 0x0a, + 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, + 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x3c, 0x0a, 0x0c, 0x61, 0x70, 0x70, 0x6c, 0x69, + 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x0c, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2a, 0x79, 0x0a, 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, + 0x0c, 0x0a, 0x08, 0x53, 0x54, 0x41, 0x52, 0x54, 0x49, 0x4e, 0x47, 0x10, 0x00, 0x12, 0x0f, 0x0a, + 0x0b, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47, 0x55, 0x52, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x0b, + 0x0a, 0x07, 0x48, 0x45, 0x41, 0x4c, 0x54, 0x48, 0x59, 0x10, 0x02, 0x12, 0x0c, 0x0a, 0x08, 0x44, + 0x45, 0x47, 0x52, 0x41, 0x44, 0x45, 0x44, 0x10, 0x03, 0x12, 0x0a, 0x0a, 0x06, 0x46, 0x41, 0x49, + 0x4c, 0x45, 0x44, 0x10, 0x04, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x54, 0x4f, 0x50, 0x50, 0x49, 0x4e, + 0x47, 0x10, 0x05, 0x12, 0x0d, 0x0a, 0x09, 0x55, 0x50, 0x47, 0x52, 0x41, 0x44, 0x49, 0x4e, 0x47, + 0x10, 0x06, 0x12, 0x0c, 0x0a, 0x08, 0x52, 0x4f, 0x4c, 0x4c, 0x42, 0x41, 0x43, 0x4b, 0x10, 0x07, + 0x2a, 0x28, 0x0a, 0x0c, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, + 0x12, 0x0b, 0x0a, 0x07, 0x53, 0x55, 0x43, 0x43, 0x45, 0x53, 0x53, 0x10, 0x00, 0x12, 0x0b, 0x0a, + 0x07, 0x46, 0x41, 0x49, 0x4c, 0x55, 0x52, 0x45, 0x10, 0x01, 0x32, 0xe0, 0x01, 0x0a, 0x13, 0x45, + 0x6c, 0x61, 0x73, 0x74, 0x69, 0x63, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x43, 0x6f, 0x6e, 0x74, 0x72, + 0x6f, 0x6c, 0x12, 0x2f, 0x0a, 0x07, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x0c, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x16, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x2e, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x12, 0x2d, 0x0a, 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x0c, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x15, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x12, 0x2f, 0x0a, 0x07, 0x52, 0x65, 0x73, 0x74, 0x61, 0x72, 0x74, 0x12, 0x0c, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x16, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x2e, 0x52, 0x65, 0x73, 0x74, 0x61, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x12, 0x38, 0x0a, 0x07, 0x55, 0x70, 0x67, 0x72, 0x61, 0x64, 0x65, 0x12, 0x15, + 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x55, 0x70, 0x67, 0x72, 0x61, 0x64, 0x65, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x55, 0x70, + 0x67, 0x72, 0x61, 0x64, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x22, 0x5a, + 0x1d, 0x70, 0x6b, 0x67, 0x2f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x2f, 0x63, 0x6f, 0x6e, 0x74, 0x72, + 0x6f, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x3b, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0xf8, 0x01, + 0x01, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_control_proto_rawDescOnce sync.Once + file_control_proto_rawDescData = file_control_proto_rawDesc +) + +func file_control_proto_rawDescGZIP() []byte { + file_control_proto_rawDescOnce.Do(func() { + file_control_proto_rawDescData = protoimpl.X.CompressGZIP(file_control_proto_rawDescData) + }) + return file_control_proto_rawDescData +} + +var file_control_proto_enumTypes = make([]protoimpl.EnumInfo, 2) +var file_control_proto_msgTypes = make([]protoimpl.MessageInfo, 7) +var file_control_proto_goTypes = []interface{}{ + (Status)(0), // 0: proto.Status + (ActionStatus)(0), // 1: proto.ActionStatus + (*Empty)(nil), // 2: proto.Empty + (*VersionResponse)(nil), // 3: proto.VersionResponse + (*RestartResponse)(nil), // 4: proto.RestartResponse + (*UpgradeRequest)(nil), // 5: proto.UpgradeRequest + (*UpgradeResponse)(nil), // 6: proto.UpgradeResponse + (*ApplicationStatus)(nil), // 7: proto.ApplicationStatus + (*StatusResponse)(nil), // 8: proto.StatusResponse +} +var file_control_proto_depIdxs = []int32{ + 1, // 0: proto.RestartResponse.status:type_name -> proto.ActionStatus + 1, // 1: proto.UpgradeResponse.status:type_name -> proto.ActionStatus + 0, // 2: proto.ApplicationStatus.status:type_name -> proto.Status + 0, // 3: proto.StatusResponse.status:type_name -> proto.Status + 7, // 4: proto.StatusResponse.applications:type_name -> proto.ApplicationStatus + 2, // 5: proto.ElasticAgentControl.Version:input_type -> proto.Empty + 2, // 6: proto.ElasticAgentControl.Status:input_type -> proto.Empty + 2, // 7: proto.ElasticAgentControl.Restart:input_type -> proto.Empty + 5, // 8: proto.ElasticAgentControl.Upgrade:input_type -> proto.UpgradeRequest + 3, // 9: proto.ElasticAgentControl.Version:output_type -> proto.VersionResponse + 8, // 10: proto.ElasticAgentControl.Status:output_type -> proto.StatusResponse + 4, // 11: proto.ElasticAgentControl.Restart:output_type -> proto.RestartResponse + 6, // 12: proto.ElasticAgentControl.Upgrade:output_type -> proto.UpgradeResponse + 9, // [9:13] is the sub-list for method output_type + 5, // [5:9] is the sub-list for method input_type + 5, // [5:5] is the sub-list for extension type_name + 5, // [5:5] is the sub-list for extension extendee + 0, // [0:5] is the sub-list for field type_name +} + +func init() { file_control_proto_init() } +func file_control_proto_init() { + if File_control_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_control_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*Empty); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_control_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*VersionResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_control_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*RestartResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_control_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*UpgradeRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_control_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*UpgradeResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_control_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ApplicationStatus); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_control_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*StatusResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_control_proto_rawDesc, + NumEnums: 2, + NumMessages: 7, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_control_proto_goTypes, + DependencyIndexes: file_control_proto_depIdxs, + EnumInfos: file_control_proto_enumTypes, + MessageInfos: file_control_proto_msgTypes, + }.Build() + File_control_proto = out.File + file_control_proto_rawDesc = nil + file_control_proto_goTypes = nil + file_control_proto_depIdxs = nil +} + +// Reference imports to suppress errors if they are not otherwise used. +var _ context.Context +var _ grpc.ClientConnInterface + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +const _ = grpc.SupportPackageIsVersion6 + +// ElasticAgentControlClient is the client API for ElasticAgentControl service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream. +type ElasticAgentControlClient interface { + // Fetches the currently running version of the Elastic Agent. + Version(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*VersionResponse, error) + // Fetches the currently status of the Elastic Agent. + Status(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*StatusResponse, error) + // Restart restarts the current running Elastic Agent. + Restart(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*RestartResponse, error) + // Upgrade starts the upgrade process of Elastic Agent. + Upgrade(ctx context.Context, in *UpgradeRequest, opts ...grpc.CallOption) (*UpgradeResponse, error) +} + +type elasticAgentControlClient struct { + cc grpc.ClientConnInterface +} + +func NewElasticAgentControlClient(cc grpc.ClientConnInterface) ElasticAgentControlClient { + return &elasticAgentControlClient{cc} +} + +func (c *elasticAgentControlClient) Version(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*VersionResponse, error) { + out := new(VersionResponse) + err := c.cc.Invoke(ctx, "/proto.ElasticAgentControl/Version", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *elasticAgentControlClient) Status(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*StatusResponse, error) { + out := new(StatusResponse) + err := c.cc.Invoke(ctx, "/proto.ElasticAgentControl/Status", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *elasticAgentControlClient) Restart(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*RestartResponse, error) { + out := new(RestartResponse) + err := c.cc.Invoke(ctx, "/proto.ElasticAgentControl/Restart", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *elasticAgentControlClient) Upgrade(ctx context.Context, in *UpgradeRequest, opts ...grpc.CallOption) (*UpgradeResponse, error) { + out := new(UpgradeResponse) + err := c.cc.Invoke(ctx, "/proto.ElasticAgentControl/Upgrade", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +// ElasticAgentControlServer is the server API for ElasticAgentControl service. +type ElasticAgentControlServer interface { + // Fetches the currently running version of the Elastic Agent. + Version(context.Context, *Empty) (*VersionResponse, error) + // Fetches the currently status of the Elastic Agent. + Status(context.Context, *Empty) (*StatusResponse, error) + // Restart restarts the current running Elastic Agent. + Restart(context.Context, *Empty) (*RestartResponse, error) + // Upgrade starts the upgrade process of Elastic Agent. + Upgrade(context.Context, *UpgradeRequest) (*UpgradeResponse, error) +} + +// UnimplementedElasticAgentControlServer can be embedded to have forward compatible implementations. +type UnimplementedElasticAgentControlServer struct { +} + +func (*UnimplementedElasticAgentControlServer) Version(context.Context, *Empty) (*VersionResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method Version not implemented") +} +func (*UnimplementedElasticAgentControlServer) Status(context.Context, *Empty) (*StatusResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method Status not implemented") +} +func (*UnimplementedElasticAgentControlServer) Restart(context.Context, *Empty) (*RestartResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method Restart not implemented") +} +func (*UnimplementedElasticAgentControlServer) Upgrade(context.Context, *UpgradeRequest) (*UpgradeResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method Upgrade not implemented") +} + +func RegisterElasticAgentControlServer(s *grpc.Server, srv ElasticAgentControlServer) { + s.RegisterService(&_ElasticAgentControl_serviceDesc, srv) +} + +func _ElasticAgentControl_Version_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(Empty) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(ElasticAgentControlServer).Version(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/proto.ElasticAgentControl/Version", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(ElasticAgentControlServer).Version(ctx, req.(*Empty)) + } + return interceptor(ctx, in, info, handler) +} + +func _ElasticAgentControl_Status_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(Empty) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(ElasticAgentControlServer).Status(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/proto.ElasticAgentControl/Status", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(ElasticAgentControlServer).Status(ctx, req.(*Empty)) + } + return interceptor(ctx, in, info, handler) +} + +func _ElasticAgentControl_Restart_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(Empty) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(ElasticAgentControlServer).Restart(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/proto.ElasticAgentControl/Restart", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(ElasticAgentControlServer).Restart(ctx, req.(*Empty)) + } + return interceptor(ctx, in, info, handler) +} + +func _ElasticAgentControl_Upgrade_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(UpgradeRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(ElasticAgentControlServer).Upgrade(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/proto.ElasticAgentControl/Upgrade", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(ElasticAgentControlServer).Upgrade(ctx, req.(*UpgradeRequest)) + } + return interceptor(ctx, in, info, handler) +} + +var _ElasticAgentControl_serviceDesc = grpc.ServiceDesc{ + ServiceName: "proto.ElasticAgentControl", + HandlerType: (*ElasticAgentControlServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "Version", + Handler: _ElasticAgentControl_Version_Handler, + }, + { + MethodName: "Status", + Handler: _ElasticAgentControl_Status_Handler, + }, + { + MethodName: "Restart", + Handler: _ElasticAgentControl_Restart_Handler, + }, + { + MethodName: "Upgrade", + Handler: _ElasticAgentControl_Upgrade_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "control.proto", +} diff --git a/x-pack/elastic-agent/pkg/agent/control/server/listener.go b/x-pack/elastic-agent/pkg/agent/control/server/listener.go new file mode 100644 index 00000000000..7edfc7b8ee9 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/control/server/listener.go @@ -0,0 +1,55 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !windows + +package server + +import ( + "fmt" + + "net" + "os" + "path/filepath" + "strings" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" +) + +func createListener(log *logger.Logger) (net.Listener, error) { + path := strings.TrimPrefix(control.Address(), "unix://") + if _, err := os.Stat(path); !os.IsNotExist(err) { + err = os.Remove(path) + if err != nil && !os.IsNotExist(err) { + log.Errorf("%s", errors.New(err, fmt.Sprintf("Failed to cleanup %s", path), errors.TypeFilesystem, errors.M("path", path))) + } + } + dir := filepath.Dir(path) + if _, err := os.Stat(dir); os.IsNotExist(err) { + err = os.MkdirAll(dir, 0755) + if err != nil { + return nil, err + } + } + lis, err := net.Listen("unix", path) + if err != nil { + return nil, err + } + err = os.Chmod(path, 0700) + if err != nil { + // failed to set permissions (close listener) + lis.Close() + return nil, err + } + return lis, err +} + +func cleanupListener(log *logger.Logger) { + path := strings.TrimPrefix(control.Address(), "unix://") + if err := os.Remove(path); err != nil { + log.Errorf("%s", errors.New(err, fmt.Sprintf("Failed to cleanup %s", path), errors.TypeFilesystem, errors.M("path", path))) + } +} diff --git a/x-pack/elastic-agent/pkg/agent/control/server/listener_windows.go b/x-pack/elastic-agent/pkg/agent/control/server/listener_windows.go new file mode 100644 index 00000000000..f98c32bcee3 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/control/server/listener_windows.go @@ -0,0 +1,34 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build windows + +package server + +import ( + "net" + "os/user" + + "github.com/elastic/beats/v7/libbeat/api/npipe" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" +) + +// createListener creates a named pipe listener on Windows +func createListener(_ *logger.Logger) (net.Listener, error) { + u, err := user.Current() + if err != nil { + return nil, err + } + sd, err := npipe.DefaultSD(u.Username) + if err != nil { + return nil, err + } + return npipe.NewListener(control.Address(), sd) +} + +func cleanupListener(_ *logger.Logger) { + // nothing to do on windows +} diff --git a/x-pack/elastic-agent/pkg/agent/control/server/server.go b/x-pack/elastic-agent/pkg/agent/control/server/server.go new file mode 100644 index 00000000000..faa7982c814 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/control/server/server.go @@ -0,0 +1,109 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package server + +import ( + "context" + "net" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/reexec" + + "google.golang.org/grpc" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/proto" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" +) + +// Server is the daemon side of the control protocol. +type Server struct { + logger *logger.Logger + rex reexec.ExecManager + listener net.Listener + server *grpc.Server +} + +// New creates a new control protocol server. +func New(log *logger.Logger, rex reexec.ExecManager) *Server { + return &Server{ + logger: log, + rex: rex, + } +} + +// Start starts the GRPC endpoint and accepts new connections. +func (s *Server) Start() error { + if s.server != nil { + // already started + return nil + } + + lis, err := createListener(s.logger) + if err != nil { + return err + } + s.listener = lis + s.server = grpc.NewServer() + proto.RegisterElasticAgentControlServer(s.server, s) + + // start serving GRPC connections + go func() { + err := s.server.Serve(lis) + if err != nil { + s.logger.Errorf("error listening for GRPC: %s", err) + } + }() + + return nil +} + +// Stop stops the GRPC endpoint. +func (s *Server) Stop() { + if s.server != nil { + s.server.Stop() + s.server = nil + s.listener = nil + cleanupListener(s.logger) + } +} + +// Version returns the currently running version. +func (s *Server) Version(_ context.Context, _ *proto.Empty) (*proto.VersionResponse, error) { + return &proto.VersionResponse{ + Version: release.Version(), + Commit: release.Commit(), + BuildTime: release.BuildTime().Format(control.TimeFormat()), + Snapshot: release.Snapshot(), + }, nil +} + +// Status returns the overall status of the agent. +func (s *Server) Status(_ context.Context, _ *proto.Empty) (*proto.StatusResponse, error) { + // not implemented + return &proto.StatusResponse{ + Status: proto.Status_HEALTHY, + Message: "not implemented", + Applications: nil, + }, nil +} + +// Restart performs re-exec. +func (s *Server) Restart(_ context.Context, _ *proto.Empty) (*proto.RestartResponse, error) { + s.rex.ReExec() + return &proto.RestartResponse{ + Status: proto.ActionStatus_SUCCESS, + }, nil +} + +// Upgrade performs the upgrade operation. +func (s *Server) Upgrade(ctx context.Context, request *proto.UpgradeRequest) (*proto.UpgradeResponse, error) { + // not implemented + return &proto.UpgradeResponse{ + Status: proto.ActionStatus_FAILURE, + Version: "", + Error: "not implemented", + }, nil +} diff --git a/x-pack/elastic-agent/pkg/agent/control/time.go b/x-pack/elastic-agent/pkg/agent/control/time.go new file mode 100644 index 00000000000..c87902bbc37 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/control/time.go @@ -0,0 +1,10 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package control + +// TimeFormat returns the time format shared between the protocol. +func TimeFormat() string { + return "2006-01-02 15:04:05 -0700 MST" +} diff --git a/x-pack/elastic-agent/pkg/agent/errors/error.go b/x-pack/elastic-agent/pkg/agent/errors/error.go index c3c1d6a5ddb..7ce5c770349 100644 --- a/x-pack/elastic-agent/pkg/agent/errors/error.go +++ b/x-pack/elastic-agent/pkg/agent/errors/error.go @@ -4,7 +4,27 @@ package errors -import "github.com/pkg/errors" +import ( + goerrors "errors" + "reflect" + + "github.com/pkg/errors" +) + +// As is just a helper so user dont have to use multiple imports for errors. +func As(err error, target interface{}) bool { + return goerrors.As(err, target) +} + +// Is is just a helper so user dont have to use multiple imports for errors. +func Is(err, target error) bool { + return goerrors.Is(err, target) +} + +// Unwrap is just a helper so user dont have to use multiple imports for errors. +func Unwrap(err error) error { + return goerrors.Unwrap(err) +} // MetaRecord is a entry of metadata enhancing an error. type MetaRecord struct { @@ -101,6 +121,31 @@ func (e agentError) Meta() map[string]interface{} { return resultingMeta } +// Equal compares errors and evaluates if they are the same or not. +// Agent error is not comparable due to included map so we need to +// do the heavy lifting ourselves. +func (e agentError) Equal(target error) bool { + targetErr, ok := target.(agentError) + if !ok { + return false + } + + return errors.Is(e.err, targetErr.err) && + e.errType == targetErr.errType && + e.msg == targetErr.msg && + reflect.DeepEqual(e.meta, targetErr.meta) + +} + +// Is checks whether agent err is an err. +func (e agentError) Is(target error) bool { + if agentErr, ok := target.(agentError); ok { + return e.Equal(agentErr) + } + + return goerrors.Is(e.err, target) +} + // Check it implements Error var _ Error = agentError{} diff --git a/x-pack/elastic-agent/pkg/agent/errors/error_test.go b/x-pack/elastic-agent/pkg/agent/errors/error_test.go index 8b764f48ee5..faee302b8a0 100644 --- a/x-pack/elastic-agent/pkg/agent/errors/error_test.go +++ b/x-pack/elastic-agent/pkg/agent/errors/error_test.go @@ -6,12 +6,60 @@ package errors import ( "fmt" + "io" "strings" "testing" "github.com/pkg/errors" + "gotest.tools/assert" ) +func TestErrorsIs(t *testing.T) { + type testCase struct { + id string + actualErr error + expectedErr error + expectedMatch bool + } + + simpleErr := io.ErrNoProgress + simpleWrap := errors.Wrap(simpleErr, "wrapping %w") + agentErr := New() + nestedSimple := New(simpleErr) + nestedWrap := New(simpleWrap) + agentInErr := errors.Wrap(nestedWrap, "wrapping %w") + + tt := []testCase{ + {"simple wrap", simpleWrap, simpleErr, true}, + {"simple mismatch", simpleWrap, errors.New("sample"), false}, + + {"direct nested - root check", nestedSimple, simpleErr, true}, + {"direct nested - mismatch", nestedSimple, errors.New("sample"), false}, + {"direct nested - comparing agent errors", nestedSimple, agentErr, false}, + + {"deep nested - root check", New(nestedSimple), simpleErr, true}, + {"deep nested - mismatch", New(nestedSimple), errors.New("sample"), false}, + {"deep nested - comparing agent errors", New(nestedSimple), agentErr, false}, + + {"nested wrap - wrap check", New(nestedWrap), simpleWrap, true}, + {"nested wrap - root", New(nestedWrap), simpleErr, true}, + + {"comparing agent errors", New(agentErr), agentErr, true}, + + {"agent in error", agentInErr, nestedWrap, true}, + {"agent in error wrap", agentInErr, simpleWrap, true}, + {"agent in error root", agentInErr, simpleErr, true}, + {"agent in error nil check", agentInErr, nil, false}, + } + + for _, tc := range tt { + t.Run(tc.id, func(t *testing.T) { + match := Is(tc.actualErr, tc.expectedErr) + assert.Equal(t, tc.expectedMatch, match) + }) + } +} + func TestErrorsWrap(t *testing.T) { ce := New("custom error", TypePath, M("k", "v")) ew := errors.Wrap(ce, "wrapper") diff --git a/x-pack/elastic-agent/pkg/agent/operation/common_test.go b/x-pack/elastic-agent/pkg/agent/operation/common_test.go index 1e57335c121..cc17733c656 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/common_test.go +++ b/x-pack/elastic-agent/pkg/agent/operation/common_test.go @@ -58,7 +58,7 @@ func getTestOperator(t *testing.T, downloadPath string, installPath string, p *a if err != nil { t.Fatal(err) } - srv, err := server.New(l, ":0", &ApplicationStatusHandler{}) + srv, err := server.New(l, "localhost:0", &ApplicationStatusHandler{}) if err != nil { t.Fatal(err) } @@ -94,15 +94,13 @@ func getLogger() *logger.Logger { } func getProgram(binary, version string) *app.Descriptor { + spec := program.SupportedMap[binary] downloadCfg := &artifact.Config{ InstallPath: installPath, OperatingSystem: "darwin", Architecture: "32", } - return app.NewDescriptor(program.Spec{ - Name: binary, - Cmd: binary, - }, version, downloadCfg, nil) + return app.NewDescriptor(spec, version, downloadCfg, nil) } func getAbsPath(path string) string { diff --git a/x-pack/elastic-agent/pkg/agent/operation/monitoring.go b/x-pack/elastic-agent/pkg/agent/operation/monitoring.go index 034e47be64a..fe33de852d1 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/monitoring.go +++ b/x-pack/elastic-agent/pkg/agent/operation/monitoring.go @@ -6,9 +6,11 @@ package operation import ( "fmt" + "path/filepath" "github.com/hashicorp/go-multierror" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configrequest" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/program" @@ -16,12 +18,11 @@ import ( ) const ( - monitoringName = "FLEET_MONITORING" - outputKey = "output" - monitoringEnabledSubkey = "enabled" - logsProcessName = "filebeat" - metricsProcessName = "metricbeat" - artifactPrefix = "beats" + monitoringName = "FLEET_MONITORING" + outputKey = "output" + logsProcessName = "filebeat" + metricsProcessName = "metricbeat" + artifactPrefix = "beats" ) func (o *Operator) handleStartSidecar(s configrequest.Step) (result error) { @@ -174,37 +175,78 @@ func (o *Operator) generateMonitoringSteps(version string, output interface{}) [ } func (o *Operator) getMonitoringFilebeatConfig(output interface{}) (map[string]interface{}, bool) { - paths := o.getLogFilePaths() - if len(paths) == 0 { - return nil, false + inputs := []interface{}{ + map[string]interface{}{ + "type": "log", + "json": map[string]interface{}{ + "keys_under_root": true, + "overwrite_keys": true, + "message_key": "message", + }, + "paths": []string{ + filepath.Join(paths.Home(), "logs", "elastic-agent-json.log"), + }, + "index": "logs-elastic.agent-default", + "processors": []map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "target": "data_stream", + "fields": map[string]interface{}{ + "type": "logs", + "dataset": "elastic.agent", + "namespace": "default", + }, + }, + }, + { + "add_fields": map[string]interface{}{ + "target": "event", + "fields": map[string]interface{}{ + "dataset": "elastic.agent", + }, + }, + }, + }, + }, } - - result := map[string]interface{}{ - "filebeat": map[string]interface{}{ - "inputs": []interface{}{ - map[string]interface{}{ - "type": "log", - "multiline": map[string]interface{}{ - "pattern": "^[0-9]{4}", - "negate": true, - "match": "after", + logPaths := o.getLogFilePaths() + if len(logPaths) > 0 { + for name, paths := range logPaths { + inputs = append(inputs, map[string]interface{}{ + "type": "log", + "json": map[string]interface{}{ + "keys_under_root": true, + "overwrite_keys": true, + "message_key": "message", + }, + "paths": paths, + "index": fmt.Sprintf("logs-elastic.agent.%s-default", name), + "processors": []map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "target": "data_stream", + "fields": map[string]interface{}{ + "type": "logs", + "dataset": fmt.Sprintf("elastic.agent.%s", name), + "namespace": "default", + }, + }, }, - "paths": paths, - "index": "logs-agent-default", - "processors": []map[string]interface{}{ - { - "add_fields": map[string]interface{}{ - "target": "dataset", - "fields": map[string]interface{}{ - "type": "logs", - "name": "agent", - "namespace": "default", - }, + { + "add_fields": map[string]interface{}{ + "target": "event", + "fields": map[string]interface{}{ + "dataset": fmt.Sprintf("elastic.agent.%s", name), }, }, }, }, - }, + }) + } + } + result := map[string]interface{}{ + "filebeat": map[string]interface{}{ + "inputs": inputs, }, "output": map[string]interface{}{ "elasticsearch": output, @@ -221,30 +263,39 @@ func (o *Operator) getMonitoringMetricbeatConfig(output interface{}) (map[string if len(hosts) == 0 { return nil, false } - - result := map[string]interface{}{ - "metricbeat": map[string]interface{}{ - "modules": []interface{}{ - map[string]interface{}{ - "module": "beat", - "metricsets": []string{"stats", "state"}, - "period": "10s", - "hosts": hosts, - "index": "metrics-agent-default", - "processors": []map[string]interface{}{ - { - "add_fields": map[string]interface{}{ - "target": "dataset", - "fields": map[string]interface{}{ - "type": "metrics", - "name": "agent", - "namespace": "default", - }, - }, + var modules []interface{} + for name, endpoints := range hosts { + modules = append(modules, map[string]interface{}{ + "module": "beat", + "metricsets": []string{"stats", "state"}, + "period": "10s", + "hosts": endpoints, + "index": fmt.Sprintf("metrics-elastic.agent.%s-default", name), + "processors": []map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "target": "data_stream", + "fields": map[string]interface{}{ + "type": "metrics", + "dataset": fmt.Sprintf("elastic.agent.%s", name), + "namespace": "default", + }, + }, + }, + { + "add_fields": map[string]interface{}{ + "target": "event", + "fields": map[string]interface{}{ + "dataset": fmt.Sprintf("elastic.agent.%s", name), }, }, }, }, + }) + } + result := map[string]interface{}{ + "metricbeat": map[string]interface{}{ + "modules": modules, }, "output": map[string]interface{}{ "elasticsearch": output, @@ -256,8 +307,8 @@ func (o *Operator) getMonitoringMetricbeatConfig(output interface{}) (map[string return result, true } -func (o *Operator) getLogFilePaths() []string { - var paths []string +func (o *Operator) getLogFilePaths() map[string][]string { + paths := map[string][]string{} o.appsLock.Lock() defer o.appsLock.Unlock() @@ -265,15 +316,15 @@ func (o *Operator) getLogFilePaths() []string { for _, a := range o.apps { logPath := a.Monitor().LogPath(a.Name(), o.pipelineID) if logPath != "" { - paths = append(paths, logPath) + paths[a.Name()] = append(paths[a.Name()], logPath) } } return paths } -func (o *Operator) getMetricbeatEndpoints() []string { - var endpoints []string +func (o *Operator) getMetricbeatEndpoints() map[string][]string { + endpoints := map[string][]string{} o.appsLock.Lock() defer o.appsLock.Unlock() @@ -281,7 +332,7 @@ func (o *Operator) getMetricbeatEndpoints() []string { for _, a := range o.apps { metricEndpoint := a.Monitor().MetricsPathPrefixed(a.Name(), o.pipelineID) if metricEndpoint != "" { - endpoints = append(endpoints, metricEndpoint) + endpoints[a.Name()] = append(endpoints[a.Name()], metricEndpoint) } } diff --git a/x-pack/elastic-agent/pkg/agent/operation/monitoring_test.go b/x-pack/elastic-agent/pkg/agent/operation/monitoring_test.go index 49eb3ea7187..eef904096f7 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/monitoring_test.go +++ b/x-pack/elastic-agent/pkg/agent/operation/monitoring_test.go @@ -122,7 +122,7 @@ func getMonitorableTestOperator(t *testing.T, installPath string, m monitoring.M if err != nil { t.Fatal(err) } - srv, err := server.New(l, ":0", &ApplicationStatusHandler{}) + srv, err := server.New(l, "localhost:0", &ApplicationStatusHandler{}) if err != nil { t.Fatal(err) } diff --git a/x-pack/elastic-agent/pkg/agent/operation/operator_test.go b/x-pack/elastic-agent/pkg/agent/operation/operator_test.go index 6c43bc12274..e178620d228 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/operator_test.go +++ b/x-pack/elastic-agent/pkg/agent/operation/operator_test.go @@ -7,7 +7,9 @@ package operation import ( "fmt" "math/rand" + "net" "os" + "os/exec" "path/filepath" "runtime" "testing" @@ -27,17 +29,26 @@ func TestMain(m *testing.M) { Cmd: "configurable", Args: []string{}, } + port, err := getFreePort() + if err != nil { + panic(err) + } + serviceSpec := program.Spec{ + ServicePort: port, + Name: "serviceable", + Cmd: "serviceable", + Args: []string{fmt.Sprintf("%d", port)}, + } - program.Supported = append(program.Supported, configurableSpec) + program.Supported = append(program.Supported, configurableSpec, serviceSpec) + program.SupportedMap["configurable"] = configurableSpec + program.SupportedMap["serviceable"] = serviceSpec - p := getProgram("configurable", "1.0") - spec := p.Spec() - path := spec.BinaryPath - if runtime.GOOS == "windows" { - path += ".exe" + if err := isAvailable("configurable", "1.0"); err != nil { + panic(err) } - if s, err := os.Stat(path); err != nil || s == nil { - panic(fmt.Errorf("binary not available %s", spec.BinaryPath)) + if err := isAvailable("serviceable", "1.0"); err != nil { + panic(err) } os.Exit(m.Run()) @@ -366,3 +377,95 @@ func TestConfigurableStartStop(t *testing.T) { }) } } + +func TestConfigurableService(t *testing.T) { + t.Skipf("flaky see https://github.com/elastic/beats/issues/20836") + + p := getProgram("serviceable", "1.0") + + operator := getTestOperator(t, downloadPath, installPath, p) + if err := operator.start(p, nil); err != nil { + t.Fatal(err) + } + defer operator.stop(p) // failure catch, to ensure no sub-process stays running + + // emulating a service, so we need to start the binary here in the test + spec := p.Spec() + cmd := exec.Command(spec.BinaryPath, fmt.Sprintf("%d", p.ServicePort())) + cmd.Env = append(cmd.Env, os.Environ()...) + cmd.Dir = filepath.Dir(spec.BinaryPath) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + if err := cmd.Start(); err != nil { + t.Fatal(err) + } + + waitFor(t, func() error { + items := operator.State() + item, ok := items[p.ID()] + if !ok { + return fmt.Errorf("no state for process") + } + if item.Status != state.Running { + return fmt.Errorf("process never went to running") + } + return nil + }) + + // try to configure + cfg := make(map[string]interface{}) + tstFilePath := filepath.Join(os.TempDir(), fmt.Sprintf("tmp%d", rand.Uint32())) + cfg["TestFile"] = tstFilePath + if err := operator.pushConfig(p, cfg); err != nil { + t.Fatalf("failed to config: %v", err) + } + + waitFor(t, func() error { + if s, err := os.Stat(tstFilePath); err != nil || s == nil { + return fmt.Errorf("failed to create a file using Config call %s", tstFilePath) + } + return nil + }) + + items := operator.State() + item0, ok := items[p.ID()] + if !ok || item0.Status != state.Running { + t.Fatalf("Process no longer running after config %#v", items) + } + + // stop the process + if err := operator.stop(p); err != nil { + t.Fatalf("Failed to stop service: %v", err) + } + + if err := cmd.Wait(); err != nil { + t.Fatalf("Process failed: %v", err) + } +} + +func isAvailable(name, version string) error { + p := getProgram(name, version) + spec := p.Spec() + path := spec.BinaryPath + if runtime.GOOS == "windows" { + path += ".exe" + } + if s, err := os.Stat(path); err != nil || s == nil { + return fmt.Errorf("binary not available %s", spec.BinaryPath) + } + return nil +} + +// getFreePort finds a free port. +func getFreePort() (int, error) { + addr, err := net.ResolveTCPAddr("tcp", "localhost:0") + if err != nil { + return 0, err + } + l, err := net.ListenTCP("tcp", addr) + if err != nil { + return 0, err + } + defer l.Close() + return l.Addr().(*net.TCPAddr).Port, nil +} diff --git a/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/configurable-1.0-darwin-x86_64/README.md b/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/configurable-1.0-darwin-x86_64/README.md index 71e80463f7c..309d9b655d8 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/configurable-1.0-darwin-x86_64/README.md +++ b/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/configurable-1.0-darwin-x86_64/README.md @@ -1 +1 @@ -Testing program emulating tool which is configurable using GRPC communication channel. +Testing program emulating tool which is configurable using GRPC communication channel when running as a sub-process. diff --git a/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/serviceable-1.0-darwin-x86_64/README.md b/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/serviceable-1.0-darwin-x86_64/README.md new file mode 100644 index 00000000000..da8cc52049c --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/serviceable-1.0-darwin-x86_64/README.md @@ -0,0 +1 @@ +Testing program emulating tool which is configurable using GRPC communication channel when running as an external service. diff --git a/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/serviceable-1.0-darwin-x86_64/main.go b/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/serviceable-1.0-darwin-x86_64/main.go new file mode 100644 index 00000000000..da9123f4587 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/operation/tests/scripts/serviceable-1.0-darwin-x86_64/main.go @@ -0,0 +1,141 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package main + +import ( + "context" + "crypto/tls" + "crypto/x509" + "fmt" + "net" + "os" + "path/filepath" + "strconv" + + protobuf "github.com/golang/protobuf/proto" + "google.golang.org/grpc" + "google.golang.org/grpc/credentials" + "gopkg.in/yaml.v2" + + "github.com/elastic/elastic-agent-client/v7/pkg/client" + "github.com/elastic/elastic-agent-client/v7/pkg/proto" +) + +func main() { + srvPort, err := strconv.Atoi(os.Args[1]) + if err != nil { + panic(err) + } + f, _ := os.OpenFile(filepath.Join(os.TempDir(), "testing.out"), os.O_APPEND|os.O_CREATE|os.O_RDWR, 0666) + f.WriteString("starting \n") + ctx, cancel := context.WithCancel(context.Background()) + s := &configServer{ + f: f, + ctx: ctx, + cancel: cancel, + } + f.WriteString(fmt.Sprintf("reading creds from port: %d\n", srvPort)) + client, err := clientFromNet(srvPort, s) + if err != nil { + f.WriteString(err.Error()) + panic(err) + } + s.client = client + err = client.Start(ctx) + if err != nil { + f.WriteString(err.Error()) + panic(err) + } + <-ctx.Done() + f.WriteString("finished \n") +} + +type configServer struct { + f *os.File + ctx context.Context + cancel context.CancelFunc + client client.Client +} + +func (s *configServer) OnConfig(cfgString string) { + s.client.Status(proto.StateObserved_CONFIGURING, "Writing config file", nil) + + testCfg := &TestConfig{} + if err := yaml.Unmarshal([]byte(cfgString), &testCfg); err != nil { + s.client.Status(proto.StateObserved_FAILED, fmt.Sprintf("Failed to unmarshall config: %s", err), nil) + return + } + + if testCfg.TestFile != "" { + tf, err := os.Create(testCfg.TestFile) + if err != nil { + s.client.Status(proto.StateObserved_FAILED, fmt.Sprintf("Failed to create file %s: %s", testCfg.TestFile, err), nil) + return + } + + err = tf.Close() + if err != nil { + s.client.Status(proto.StateObserved_FAILED, fmt.Sprintf("Failed to close file %s: %s", testCfg.TestFile, err), nil) + return + } + } + + s.client.Status(proto.StateObserved_HEALTHY, "Running", map[string]interface{}{ + "status": proto.StateObserved_HEALTHY, + "message": "Running", + }) +} + +func (s *configServer) OnStop() { + s.client.Status(proto.StateObserved_STOPPING, "Stopping", nil) + s.cancel() +} + +func (s *configServer) OnError(err error) { + s.f.WriteString(err.Error()) +} + +// TestConfig is a configuration for testing Config calls +type TestConfig struct { + TestFile string `config:"TestFile" yaml:"TestFile"` +} + +func getCreds(port int) (*proto.ConnInfo, error) { + c, err := net.Dial("tcp", fmt.Sprintf("127.0.0.1:%d", port)) + if err != nil { + return nil, err + } + defer c.Close() + buf := make([]byte, 1024*1024) + n, err := c.Read(buf) + if err != nil { + return nil, err + } + var connInfo proto.ConnInfo + err = protobuf.Unmarshal(buf[:n], &connInfo) + if err != nil { + return nil, err + } + return &connInfo, nil +} + +func clientFromNet(port int, impl client.StateInterface, actions ...client.Action) (client.Client, error) { + connInfo, err := getCreds(port) + if err != nil { + return nil, err + } + cert, err := tls.X509KeyPair(connInfo.PeerCert, connInfo.PeerKey) + if err != nil { + return nil, err + } + caCertPool := x509.NewCertPool() + caCertPool.AppendCertsFromPEM(connInfo.CaCert) + trans := credentials.NewTLS(&tls.Config{ + ServerName: connInfo.ServerName, + Certificates: []tls.Certificate{cert}, + RootCAs: caCertPool, + }) + return client.New(connInfo.Addr, connInfo.Token, impl, actions, grpc.WithTransportCredentials(trans)), nil +} diff --git a/x-pack/elastic-agent/pkg/agent/program/methods.go b/x-pack/elastic-agent/pkg/agent/program/methods.go deleted file mode 100644 index e89d8a5f19f..00000000000 --- a/x-pack/elastic-agent/pkg/agent/program/methods.go +++ /dev/null @@ -1,168 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package program - -import ( - "fmt" - - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/boolexp" -) - -type env struct { - ast *transpiler.AST - vars boolexp.VarStore -} - -type envFunc = func(*env, []interface{}) (interface{}, error) - -func methodsEnv(ast *transpiler.AST) *boolexp.MethodsReg { - env := &env{ - ast: ast, - vars: &varStoreAST{ast: ast}, - } - - var methods = boolexp.NewMethodsReg() - methods.MustRegister("HasItems", withEnv(env, hasItems)) - methods.MustRegister("HasNamespace", withEnv(env, hasNamespace)) - methods.MustRegister("HasAny", withEnv(env, hasAny)) - return methods -} - -// hasItems the methods take a selector which must be a list, and look for the presence item in the -// list which are "enabled". The logic to determine if an item is enabled is the following: -// - When the "enabled" key is present and set to "true", The item is enabled. -// - When the "enabled" key is missing, the item is enabled. -// - When the "enabled" key is present and set to "false", The item is NOT enabled. -func hasItems(_ *env, args []interface{}) (interface{}, error) { - if len(args) != 1 { - return false, fmt.Errorf("expecting 1 argument received %d", len(args)) - } - - if args[0] == boolexp.Null { - return false, nil - } - - v, ok := args[0].(transpiler.Node).Value().(*transpiler.List) - if !ok { - return false, fmt.Errorf("expecting List and received %T", args[0]) - } - - for _, item := range v.Value().([]transpiler.Node) { - d, ok := item.(*transpiler.Dict) - if !ok { - return false, fmt.Errorf("expecting Dict and received %T", args[0]) - } - - if isEnabled(d) { - return true, nil - } - } - - return false, nil -} - -// hasItems the methods take a selector which must be map and look if the map is enabled. -// The logic to determine if a map is enabled is the following: -// - When the "enabled" key is present and set to "true", The item is enabled. -// - When the "enabled" key is missing, the item is enabled. -// - When the "enabled" key is present and set to "false", The item is NOT enabled. -func hasNamespace(env *env, args []interface{}) (interface{}, error) { - if len(args) < 2 { - return false, fmt.Errorf("expecting at least 2 arguments received %d", len(args)) - } - - namespace, ok := args[0].(string) - if !ok { - return false, fmt.Errorf("invalid namespace %+v", args[0]) - } - - possibleSubKey := make([]string, 0, len(args)) - - for _, v := range args[1:] { - sk, ok := v.(string) - if !ok { - return false, fmt.Errorf("invalid sub key %+v for namespace", v) - } - possibleSubKey = append(possibleSubKey, sk) - } - - var enabledCount int - for _, key := range possibleSubKey { - f := namespace + "." + key - s, ok := transpiler.Lookup(env.ast, transpiler.Selector(f)) - if !ok { - continue - } - - if isEnabled(s) { - enabledCount++ - } - - if enabledCount > 1 { - return false, fmt.Errorf("only one namespace must be enabled in %s", namespace) - } - } - - if enabledCount == 0 { - return false, nil - } - - return true, nil -} - -// hasAny the methods take a list of possible keys where at least one of those keys must exist. -func hasAny(env *env, args []interface{}) (interface{}, error) { - if len(args) < 1 { - return false, fmt.Errorf("expecting at least 1 argument received %d", len(args)) - } - - possibleKeys := make([]string, 0, len(args)) - - for _, v := range args { - sk, ok := v.(string) - if !ok { - return false, fmt.Errorf("invalid key %+v", v) - } - possibleKeys = append(possibleKeys, sk) - } - - for _, key := range possibleKeys { - _, ok := transpiler.Lookup(env.ast, transpiler.Selector(key)) - if ok { - return true, nil - } - } - return false, nil -} - -func withEnv(env *env, method envFunc) boolexp.CallFunc { - return func(args []interface{}) (interface{}, error) { - return method(env, args) - } -} - -func isEnabled(n transpiler.Node) bool { - enabled, ok := n.Find("enabled") - if !ok { - return true - } - - // Get the actual value of the node. - value, ok := enabled.Value().(transpiler.Node).Value().(bool) - if !ok { - return false - } - - return value -} - -type varStoreAST struct { - ast *transpiler.AST -} - -func (v *varStoreAST) Lookup(needle string) (interface{}, bool) { - return transpiler.Lookup(v.ast, transpiler.Selector(needle)) -} diff --git a/x-pack/elastic-agent/pkg/agent/program/program.go b/x-pack/elastic-agent/pkg/agent/program/program.go index 17f796aa75f..25b56081e68 100644 --- a/x-pack/elastic-agent/pkg/agent/program/program.go +++ b/x-pack/elastic-agent/pkg/agent/program/program.go @@ -10,7 +10,7 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/boolexp" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/eql" ) // Program represents a program that must be started or must run. @@ -78,12 +78,12 @@ func detectPrograms(singleConfig *transpiler.AST) ([]Program, error) { return nil, ErrMissingWhen } - expression, err := boolexp.New(spec.When, methodsEnv(specificAST)) + expression, err := eql.New(spec.When) if err != nil { return nil, err } - ok, err := expression.Eval(&varStoreAST{ast: specificAST}) + ok, err := expression.Eval(specificAST) if err != nil { return nil, err } @@ -131,7 +131,7 @@ func groupByOutputs(single *transpiler.AST) (map[string]*transpiler.AST, error) // Recreates multiple configuration grouped by the name of the outputs. // Each configuration will be started into his own operator with the same name as the output. - grouped := make(map[string]map[string]interface{}) + grouped := make(map[string]*outputType) m, ok := normMap[outputsKey] if !ok { @@ -164,13 +164,21 @@ func groupByOutputs(single *transpiler.AST) (map[string]*transpiler.AST, error) delete(outputsOptions, typeKey) + enabled, err := isEnabled(outputsOptions) + if err != nil { + return nil, err + } + // Propagate global configuration to each individual configuration. clone := cloneMap(normMap) delete(clone, outputsKey) clone[outputKey] = map[string]interface{}{n: v} clone[inputsKey] = make([]map[string]interface{}, 0) - grouped[k] = clone + grouped[k] = &outputType{ + enabled: enabled, + config: clone, + } } s, ok := normMap[inputsKey] @@ -199,21 +207,24 @@ func groupByOutputs(single *transpiler.AST) (map[string]*transpiler.AST, error) return nil, fmt.Errorf("unknown configuration output with name %s", targetName) } - streams := config[inputsKey].([]map[string]interface{}) + streams := config.config[inputsKey].([]map[string]interface{}) streams = append(streams, stream) - config[inputsKey] = streams + config.config[inputsKey] = streams grouped[targetName] = config } transpiled := make(map[string]*transpiler.AST) for name, group := range grouped { - if len(group[inputsKey].([]map[string]interface{})) == 0 { + if !group.enabled { + continue + } + if len(group.config[inputsKey].([]map[string]interface{})) == 0 { continue } - ast, err := transpiler.NewAST(group) + ast, err := transpiler.NewAST(group.config) if err != nil { return nil, errors.New(err, "fail to generate configuration for output name %s", name) } @@ -224,6 +235,22 @@ func groupByOutputs(single *transpiler.AST) (map[string]*transpiler.AST, error) return transpiled, nil } +func isEnabled(m map[string]interface{}) (bool, error) { + const ( + enabledKey = "enabled" + ) + + enabled, ok := m[enabledKey] + if !ok { + return true, nil + } + switch e := enabled.(type) { + case bool: + return e, nil + } + return false, fmt.Errorf("invalid type received for enabled %T and expecting a boolean", enabled) +} + func findOutputName(m map[string]interface{}) string { const ( defaultOutputName = "default" @@ -251,3 +278,8 @@ func cloneMap(m map[string]interface{}) map[string]interface{} { return newMap } + +type outputType struct { + enabled bool + config map[string]interface{} +} diff --git a/x-pack/elastic-agent/pkg/agent/program/program_test.go b/x-pack/elastic-agent/pkg/agent/program/program_test.go index c9c4f9eb9d0..c15510b6655 100644 --- a/x-pack/elastic-agent/pkg/agent/program/program_test.go +++ b/x-pack/elastic-agent/pkg/agent/program/program_test.go @@ -17,10 +17,8 @@ import ( "github.com/stretchr/testify/require" yaml "gopkg.in/yaml.v2" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/filters" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/internal/yamltest" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/transpiler" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" ) func TestGroupBy(t *testing.T) { @@ -382,15 +380,12 @@ func TestConfiguration(t *testing.T) { testcases := map[string]struct { programs []string expected int + empty bool err bool }{ "single_config": { - programs: []string{"filebeat", "metricbeat", "endpoint"}, - expected: 3, - }, - "constraints_config": { - programs: []string{"filebeat"}, - expected: 1, + programs: []string{"filebeat", "heartbeat", "metricbeat", "endpoint"}, + expected: 4, }, // "audit_config": { // programs: []string{"auditbeat"}, @@ -400,10 +395,10 @@ func TestConfiguration(t *testing.T) { // programs: []string{"journalbeat"}, // expected: 1, // }, - // "monitor_config": { - // programs: []string{"heartbeat"}, - // expected: 1, - // }, + "synthetics_config": { + programs: []string{"heartbeat"}, + expected: 1, + }, "enabled_true": { programs: []string{"filebeat"}, expected: 1, @@ -416,7 +411,7 @@ func TestConfiguration(t *testing.T) { expected: 1, }, "enabled_output_false": { - expected: 0, + empty: true, }, "endpoint_basic": { programs: []string{"endpoint"}, @@ -430,7 +425,6 @@ func TestConfiguration(t *testing.T) { }, } - l, _ := logger.New("") for name, test := range testcases { t.Run(name, func(t *testing.T) { singleConfig, err := ioutil.ReadFile(filepath.Join("testdata", name+".yml")) @@ -443,14 +437,16 @@ func TestConfiguration(t *testing.T) { ast, err := transpiler.NewAST(m) require.NoError(t, err) - filters.ConstraintFilter(l, ast) - programs, err := Programs(ast) if test.err { require.Error(t, err) return } require.NoError(t, err) + if test.empty { + require.Equal(t, 0, len(programs)) + return + } require.Equal(t, 1, len(programs)) diff --git a/x-pack/elastic-agent/pkg/agent/program/supported.go b/x-pack/elastic-agent/pkg/agent/program/supported.go index c87ac1a427b..3b314bfa3f4 100644 --- a/x-pack/elastic-agent/pkg/agent/program/supported.go +++ b/x-pack/elastic-agent/pkg/agent/program/supported.go @@ -19,8 +19,9 @@ func init() { // Packed Files // spec/endpoint.yml // spec/filebeat.yml + // spec/heartbeat.yml // spec/metricbeat.yml - unpacked := packer.MustUnpack("eJy8mF1zozjWx++fj9G3z9YuiHZ22aq5sMnyZoe0SSIJ3SHJBmwJs22MDVv73bcEGIOT9EzPVM1Fyg4W0jlH5/zPT/rPl2OxYX/b5Lw4ZHn511qKL//8QqVdktdDEqLZnjlmQfN18gbgjmO/4O5+GQF9/5wtBJXhmQJx4pbeEBToTAptsy5SlocFkfaOPx4ScpujJA4EVh4IlpMiAm8P3mNkPD8mywikIgLlNkazhjv2kT4elquXhdg4cIcBKajz9mBl88SzFucIh4fnbJ6N52U327J+XMokb56TQ+JZ82T1Ms+4hHWMyMzrn3FHlASZurLxqZkvmWM23FbzBVqELsfn5FB6DvxKULAlUhzJ62Gp3vPcRcqd5MGz/I/9f/G6cY5dE+Opt3teepY/zO2N7Fq96DpzeB2hUNw9rwkOKo79HcFP2WieT9adjD9tpDh/5Guwm5+tfFETaOpUihMzwpQ65wcr0xKCUxHppozRRVxjxxxbix8PiSfhibiLKkYzbYUDERmwjnE4xDPCfs6aPkbXmKPZO5/f2+Lr1IFNF29SbGyz4a4vIqQ9eG5pWv1z6oaCCRNE6KITfI3roiHoIiIjrNjukMRoduY4bPrfvhO8f/DccMact37vSEpdKG52auP8XLYxkOLIHVhj426sGwjqwB13zPo5WxQ0X+jcfer3uhSb1zbX00heBJn3vkr7yBEc5eFCYzkUrU/X+dqcC6sh3gAeCQo0avjNc7agRM2H16cIBTuCgwYD+xxDU/l29BxyJAhqK1kWkbRPEdSmOTr8bp/jdVtTZYTnd7W0kNSBgvc2sxweb/Gdl57rC4pMQLo1r8/bvxjA2XO2SCMQCGYE2wgvCgxKsVkP/tYE6RWXcNuO7X0cxywGIovQLJ3s8+59zCd71sVk+H+67/PSc0yduwv96lNrByYFA6KiyWHJQSro7pC8OHazRrPZ0uJdDCxWeFYkvX+lKdOERpDeLC34dwTEiblQY7puLl/m0s8WXoSD5wjpghnK/7eDD/o1LXb0LC6oYzfcETsGYMpkcPDr/fLLXzq53WZiQzfxO7lVMoN8EeH1VWLbUowkTPm86CQtW1Av020vOydeHgjuwvNKiiN9mQkq7Yw6cP8NqdQNRDvmfmweCooXxwiHYiXhKUL+kaC1SaR9ZOAtW1nzbPXWfVJknyLEBUXwxK1ZSUEovuGkZI69i2u9D5l39CyvDF/Up1+qrSQAlkTJxGh+7vo6eZmMPVLA8xjN8pW8CC7h8RsKRZTD3BPaMsK+FiOSRsb6wXNUTMJm1bYCmBFka78qG1mbFv9WpYSBOBEHfr2mH3fFWcWbOmbOzm1ZFFQWSka2zAhrguwSG4uadmldDenomCcMgopKcoxRoHUyoNpZuI0Q0Qjupb+TnAfPuVTEeGplhSL7fC+pd3JVc3SZSFMEzPMGmil1LlvumFvqiIY/3iTWsxYabQ7J1WZ2HpfXO1tPFJjncfkSnO4IXmhtTuWBxiRMKX5q9z5G6/ZzkLR2n/0zk2YrQ0qe1D7d2apR3TzGONCmpa5KSe3LKKb50+/14xZzCSU1/F5OVVts66jfK1JToD14Tl+652v7+cftmTH4vOzbn8YUttidDxh0EvDZvt3bG+NQ0Nf3fkzWPH8qw9OW4g75fWsd0j4xcEn5gEPziV1tXq/HsdNT5i5ucjo8v1Skx6r2+zjebV4QQfN11WNPWyfj9Txroer1xC2z4U5YKCllRriP0de7dSBodcAId0zZ5wTnT+bRiTt/8Fy4Z/OpLWrtFQirCJTKj4Q45i4GsL6b50gBq5iE+xgHWwYuFQeXiqicap89vfe/NpsNDtR7D54bzNQ71zj8lrbFcSAw+KDN/Mp7xLG1CAfid71jzU6jljPUHpOwpAYRbet9nehDh0BOmHLHbhRGtDXSoYDqLRrB/vYeU24I4r2rn77laxu8EH3+3iGZar+TWHY5cstjtdeD7aOcKD2n3+dkHJuwYKO5+j27+d48Dd+phBqRl4rfxh+4G57jPKhG61dPTaRHWOXFDSEiXOhMwi4fnVSPbuN31DF14pCKK1TM9zcMAWZFwEUwF2bMgDdEd8qUyDL9w+jqDP3zU3xt+2q3nztqLIb8IblfKS26m7fVWTLijDHyfoigtziMWOQWS47DMx+jGIAzpnySbxPMelHaiJ8OPi7paP3T1T6MtRF6zVKKYKM4g7wkOTWgpnLQr8+JD+AxwoEWo6AhyK4jkOQra573dZ6vWtv49wiR79FLi2KKM9SxsoktVljJL79cMUxuyu8Z+wDEXhHUmBS7Hrx2FCkI0QV3/SICPaB1550E1QPQNASHOrNmBXW009A4H3UZoUtzBz/XsarBnKlja+TXAE7qKZV2TpCuxPlEkbknr/rXFVZicCx7Jv4RwN3mx2HN0R3sOWZOFCjVs2PbAB71PUG+TmqfW9KuuSNk1DXgFsBYbZYEh3WMgh7IFhUzwskZviuGTtwmZ+jJuVKviNueOU7EakVZwcJpg/ThzKgSV8Wb4LU6dysQbZvjSq4rZoiGO7Bc5aKk1kw1gCuwLG9nmTbJv+Jrw389JBtDm4BfjGZ7gpNrcbYC95wtrj42XTGLUyzbM1sPm/qWuX4VAdgwYA4FRMFsGwHzROSl6ABWnBiANbfNlOThIHADiPb51sNBrXKHouHOQzJplu8BIaxuz4KrPb2desoe7+4rPoCeT0CjFRIM7CO1PwG6bu3bmqNm/N73WUWN+bgpiY0TCOauHzz7mA2wVLd1UfSgOeRqd3iZgGOG13e2GmGFwaVgxnp6Pr0C2WiPJnD5U34Me5gRRFqB+5Oh8V3DxgYvuJNumYQ5welwwPigSdcqz3D29fsK9DpmPO1/2Ij+3Ob1B4EYbjkQWmybNUFcbNz5bwNk11c1vlk+mutv3aHt/1fZsXgfo+6vXePxkPjjO6UOwFowm8JbfwCZjL01YaXf6sB3gwY9jQHcRtivo/t7lj5HBp0AUJvY1ebK1WZ10H/6CTgcvfczUHp31/Vnwe9P3EvtIxymKlYrOQKKn7ibuoP8n4IsOmGIH+r6pI+u5EcH1qFH/gywTfvz53dj3wlWPdSsVS1+Bm0Tf7rLoLYe/xC4dbDWQX7dwtqPwe2///e/AAAA//+pKFpS") + unpacked := packer.MustUnpack("eJzEWEtz47rR3X8/Y7b3q4QER06YqixEufiSRI9oGwCxIwCJpARSuuZDolL57ymQFB+yPXMnt2qymNIIhoDuRvfpc/pfX/LTlv11m/HTMcmKv9Sp+PKPLzQ1C/JyjHw0OzBLP9FsE70CuOfYPXH7sAyAenhKDEFT/0yBKPlCvRLkqSwVynZzilnmn0hq7vnjMSLDGQWxIFhknmAZOQXg9cF5DLSnx2gZgFgEoNiFaHbllpnTx+Ny9WyIrQX3GJATtV4fFsk8chbGOcD+8SmZJ+Nz2WBb0u2LWcqvT9ExchbzaPU8T3gK6xCRmdOtcUsUBOmqtHF9nS+ZpV+5Kc/zlABd8qfoWDgW/EqQtyOpyMnLcSl/59hGzK3owVm4H/v/7LT7LLMm2rqze144C7c/2xnZtXpWVWbxOkC+uFuvCfYqjt09wetkdM4n9072l9tUnD/y1dvPz4vMqAnUVZqKkml+TK3zwyJRIoJjEah6GqKLuMWOWaYSPh4jJ4UlsY0qRDNlhT0RaLAOsd/HM8Buxq5djG4xR7N3Pr+3xVWpBa9tvMlpa+pXbrsiQMqDYxf6olunti+Y0EGALirBt7gaV4IuItD8iu2PUYhmZ479a/e3N4IPD47tz5j12r0diakNxWCnMs7PZRODVOTcgjXW7vbanqAW3HNLr58S40QzQ+X2unvrQmxfmlyPg/QiyLzzNTVzjuAoDw2FZVA0Pt3Oa3LOr/p4A5gT5ClUc69PiUGJPA9vygB5e4K9KwbmOYS69C13LJITBJVVWpyC1CwDqExztP+7eQ43TU0VAZ7f1ZKRUgsK3tnMMpgP8Z0Xju0KinRA2jtv682/EMDZU2LEAfAE07xdgI0TBoXYbnp/a4LUiqdw1+ztfBzHLAQiCdAsnrzz/n3MJ2/WxqT/Pn33eeFYusptQ7351NiByYkBUdHouOQgFnR/jKgFS6L5x+XC/1t7pq8vn+e/OY/zKECzg2NdBE25Ei6iwxaIktlQYZpych6/RuuFEdN0E4WWeX0GcCbPoBpU5J7d8zlyAcwD7Ckh8q4EmXUAomy5Of7zy/+3kLtLxJZuw3eQK6EGuSLAmxvMNuUYpDDm81MLa4lBnUQ1neQcOZknuA3Pq1Tk9HkmaGom1IKHb0imryeaPfd7M19QbOQB9sUqhWWA3JygjU5SM2fgNVkt5snqtf2kyCwDxAVFsOSLWUGBL77hqGCWuQ9rtU2dhZM7C6fwn+WnW8jnJAAWRELF6Hxuuyp5nuzNKeBZiGbZKr0InsL8G/JFkMHMEcoywK4SIhIH2ubBsWRM/OuqaQcwIchUfggdSZMav8tywkCUxIJfbynIbXGW8aaWnrFzUxonmp4klOyY5tcEmQXWjJq2qV31KWnpJQZeRVOSh8hTWiiQLc3fBYgoBHfw38LOg2NdKqKtG2ihyDzfw+odZNUcXSbwFAD9vIV6TK3Ljlv6jlriyh8HmHUWhkKvx+hmMzuPS+ydrSUF+nlcwgTHe4INpcmpzFNYCmOK183bh2jTfPaw1ryze2ap3kCRhCj5Tne2KlTV8xB7yrTchUKadxnFNFv/t34MMU9hSjW3g1TZGps66t6K1BQoD47Vle751oL+Pqxpvc/LrgUqTFIXs/UBA2m3ev3s3e7tDbEv6Mt7PyZ3nj+F4mlbsfv8HtpHapYMXGLeU6L5xK4mrzfj2Kkxs40BUvv1S0U6atX8fxzvJi+IoNmm6qhPUyfj+5yFIeu15Av9yi3/JOGUaf4hRF/v7oGgwQHN3zNpn+WdPzlHJfb8wbHhgc2ntsi7V8CvAlBIPyJi6fsQwPrunJwCVrEUHkLs7Ri4VBxcKiJzqllbv/e/1q9b7MnfPTi2N5O/ucXhj7Qujj2BwQet5ge/I5apBLDHqr5+WAoLqhHRtNCXSY23VMbyY26ZPT6t0llMEbxKLCY/0XLv7i+b79iTFEDmpew3CsHu7p6+DNTEeVdTHRVQttgQXU7fUTXZlk2NAS+nGjxwYCoBiAbswCeVpa9Fm3f+kSNnhCuXiiM/pZqkoO5sOM+raObHIZoJNtTIgQLvrcdhSReAXhFwEStsqEHmqcGw98ht/4zBQG2Hs2OF28bvDOjlsFbEJC3i4fskXwqG/dHvZ4JbJKca6+2g1zXwkKkSSyhjekUsMVAXez36v6cQS5Sj7/c5qgTavD+fI/887IVliIf4ciDKpob/LJ22+n7+KaVu+nxLN/dUM/ocJJlbSWy8O7fBfTLiPWMa/iEtHt5vxI36tYpj/8zH9BDAGZM+pa+fUL/+7vJm2+75EH1L5mfHMkuyMI4B9lYEH46uXXTn+/pqMc8IusRM80+B5okAu/twwXJnwWuC/BOrWS59dEGbN24taaHkA56st6NbH5Y3Ohhvw7fiAz74bEEpp1u+k3oFkb1nstbKTMfMe87GAFQ4npchuhQ/4ne3vdyCBbOavlL2/f5RTQN0ud5xtjt+p1bEetW3C/UcIO9thVrJMeGdqRrT1MwIUmVPGZ/fyKHpXtmX+ImmrKRN7zjrxIIJRyzBd6OF5t3tdTWJRzbumU0efcW3Hv9yjLZag7cf1IC340AooanXBHGxtedDf73h/aS3GrV8H5x5M4lXBMscWFerJO9x+3O8/I7M/AHOflqHH8jNu3qc3DvsGdV8tp5wioYTj/nI4mN59Ufr7H9VW+m2eEvYB8X1gqDCUrHvxNWeIik0VMFt9xSAToS1c40I1X0BXAn2VbaYnail/KhYbnsliTxTy1TIj0TaXbFQpB/Ii/p1haXOzotO+35PpA3nY7/m6E7QWXpGpBiqZ3nTbB/VA0GuSmqXSzDhlkiDlmQ3BcVqvSDYr0PkdQVmVEzzJ7O6Nila0jGZlU3mR2pF7Ga2UJJFQ7ykICi3SO1nQ7IZyHgTvHmQQEOB3xTzKt1UTBNXCVKrTBR0MZMk7yZKlsPM4uOCH4u7EM0OBEe3htcQlqfEuPl4bRukKMO0mc10JEndMdutAgCvDOh98VAw2wVAL0l6ObUiVZQMwJqbekwyvyclvdjs8q0TALXMHYr62WbKUr14LwL8aljzbvZ0dqoxe7ybS34gbD4RE01zxsDMqfmJaGvvHu4cgcN732cV7clIS+y3lieYvWmaUy+I6qYuTp2Y7HO1HVBMxGGCN3e2an6FweXEtM10DnUTXaM3mgjIn/Kjf8OEINKA2S8Whu8IONb4iVvxjqUwIzjuhwgfkO62KSVf31agwzFtffguufu1hPBPil74eZP+ngi2XVnj2+WjvvnWDmZ+WyX56X2MukYq73g8Ru54dtwKtDJAqpiKqm7IMNk7EFuJ3xxdxCAM1DgEcBdgtw7u56ldjvQ4AaAysavJlZvNnhga8x8Rj6Pf/YxYvZtp/1qB23y/jme9v0ok34n7nxIzdMIrvov1k966Sj8aVPV982eE0bRnfz4XfyNY9lW9lvX5EWmb+NIOgJv6/DMkriFuWit8W+L2HRL37//7TwAAAP//S6KvFQ==") SupportedMap = make(map[string]Spec) for f, v := range unpacked { diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/constraints_config-filebeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/constraints_config-filebeat.yml deleted file mode 100644 index 31e7b27eafd..00000000000 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/constraints_config-filebeat.yml +++ /dev/null @@ -1,23 +0,0 @@ -filebeat: - inputs: - - type: log - paths: - - /var/log/hello1.log - - /var/log/hello2.log - index: logs-generic-default - processors: - - add_fields: - target: "dataset" - fields: - type: logs - name: generic - namespace: default -output: - elasticsearch: - hosts: - - 127.0.0.1:9200 - - 127.0.0.1:9300 - username: elastic - password: changeme - api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA - ca_sha256: 7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y= diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/constraints_config.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/constraints_config.yml deleted file mode 100644 index 1dce338f6b9..00000000000 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/constraints_config.yml +++ /dev/null @@ -1,36 +0,0 @@ -name: Production Website DB Servers - -outputs: - default: - type: elasticsearch - hosts: [127.0.0.1:9200, 127.0.0.1:9300] - username: elastic - password: changeme - api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA - ca_sha256: 7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y= - - monitoring: - type: elasticsearch - api_key: VuaCfGcBCdbkQm-e5aOx:ui2lp2axTNmsyakw9tvNnw - hosts: ["monitoring:9200"] - ca_sha256: "7lHLiyp4J8m9kw38SJ7SURJP4bXRZv/BNxyyXkCcE/M=" - -inputs: - - type: logfile - streams: - - paths: - - /var/log/hello1.log - - /var/log/hello2.log - - type: apache/metrics - constraints: - - "validate_version(%{[agent.version]}, '1.0.0 - 7.0.0')" - dataset.namespace: testing - streams: - - enabled: true - metricset: info - -agent.monitoring: - use_output: monitoring - -agent: - reload: 123 diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_output_true-filebeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_output_true-filebeat.yml index 97b9e529bc6..8edc27061b0 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_output_true-filebeat.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_output_true-filebeat.yml @@ -7,11 +7,15 @@ filebeat: index: logs-generic-default processors: - add_fields: - target: "dataset" + target: "data_stream" fields: type: logs - name: generic + dataset: generic namespace: default + - add_fields: + target: "event" + fields: + dataset: generic output: elasticsearch: enabled: true diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_true-filebeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_true-filebeat.yml index 080303e6d19..8bd5d93a3b9 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_true-filebeat.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_true-filebeat.yml @@ -8,11 +8,15 @@ filebeat: index: logs-generic-default processors: - add_fields: - target: "dataset" + target: "data_stream" fields: type: logs - name: generic + dataset: generic namespace: default + - add_fields: + target: "event" + fields: + dataset: generic output: elasticsearch: hosts: diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic-endpoint-security.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic-endpoint-security.yml index f1ad8c1c646..b77a83633ae 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic-endpoint-security.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic-endpoint-security.yml @@ -2,6 +2,8 @@ revision: 5 fleet: agent: id: fleet-agent-id + host: + id: host-agent-id api: access_api_key: VuaCfGcBCdbkQm-e5aOx:ui2lp2axTNmsyakw9tvNnw kibana: @@ -21,12 +23,13 @@ output: inputs: - id: endpoint-id + type: endpoint name: endpoint-1 enabled: true package: name: endpoint version: 0.3.0 - dataset: + data_stream: namespace: default artifact_manifest: schema_version: v22 diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic.yml index 54e3b549236..9eee9b3a01d 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_basic.yml @@ -3,6 +3,8 @@ name: Endpoint Host fleet: agent: id: fleet-agent-id + host: + id: host-agent-id access_api_key: VuaCfGcBCdbkQm-e5aOx:ui2lp2axTNmsyakw9tvNnw kibana: protocol: https @@ -20,12 +22,13 @@ outputs: inputs: - id: endpoint-id + type: endpoint name: endpoint-1 enabled: true package: name: endpoint version: 0.3.0 - dataset: + data_stream: namespace: default artifact_manifest: schema_version: v22 diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_no_fleet.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_no_fleet.yml index 6a7aea5099d..de7ccd2a11c 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_no_fleet.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_no_fleet.yml @@ -11,12 +11,13 @@ outputs: inputs: - id: endpoint-id + type: endpoint name: endpoint-1 enabled: true package: name: endpoint version: 0.3.0 - dataset: + data_stream: namespace: default artifact_manifest: schema_version: v22 diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_unknown_output.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_unknown_output.yml index 7c813b3732d..48e362849be 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_unknown_output.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/endpoint_unknown_output.yml @@ -16,12 +16,13 @@ outputs: inputs: - id: endpoint-id + type: endpoint name: endpoint-1 enabled: true package: name: endpoint version: 0.3.0 - dataset: + data_stream: namespace: default artifact_manifest: schema_version: v22 diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/monitor_config-heartbeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/monitor_config-heartbeat.yml deleted file mode 100644 index 59feb756885..00000000000 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/monitor_config-heartbeat.yml +++ /dev/null @@ -1,18 +0,0 @@ -heartbeat: - monitors: - - type: icmp - name: icmp - schedule: "*/5 * * * * * *" - hosts: ["localhost"] - ipv4: true - ipv6: true - mode: any - timeout: 16s - wait: 1s - - type: tcp - name: tcp -output: - elasticsearch: - hosts: [127.0.0.1:9200, 127.0.0.1:9300] - username: elastic - password: changeme diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/monitor_config.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/monitor_config.yml deleted file mode 100644 index 97e5d9d8980..00000000000 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/monitor_config.yml +++ /dev/null @@ -1,23 +0,0 @@ -streams: -- type: monitor/icmp - name: icmp - schedule: '*/5 * * * * * *' - hosts: ["localhost"] - ipv4: true - ipv6: true - mode: any - timeout: 16s - wait: 1s -- type: log/file -- type: monitor/tcp - name: tcp -management: - host: "localhost" -config: - reload: 123 -outputs: - default: - type: elasticsearch - hosts: [127.0.0.1:9200, 127.0.0.1:9300] - username: elastic - password: changeme diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-endpoint-security.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-endpoint-security.yml index 0296e357bee..42d78b09ca5 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-endpoint-security.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-endpoint-security.yml @@ -21,12 +21,13 @@ output: inputs: - id: endpoint-id + type: endpoint name: endpoint-1 enabled: true package: name: endpoint version: 0.3.0 - dataset: + data_stream: namespace: default artifact_manifest: schema_version: v22 diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-filebeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-filebeat.yml index 25b7af4e40a..b996e13b531 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-filebeat.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-filebeat.yml @@ -9,11 +9,15 @@ filebeat: var: value processors: - add_fields: - target: "dataset" + target: "data_stream" fields: type: logs - name: generic + dataset: generic namespace: default + - add_fields: + target: "event" + fields: + dataset: generic - type: log paths: - /var/log/hello3.log @@ -23,11 +27,15 @@ filebeat: var: value processors: - add_fields: - target: "dataset" + target: "data_stream" fields: type: testtype - name: generic + dataset: generic namespace: default + - add_fields: + target: "event" + fields: + dataset: generic output: elasticsearch: hosts: diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-heartbeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-heartbeat.yml new file mode 100644 index 00000000000..76bad6aeeb7 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-heartbeat.yml @@ -0,0 +1,18 @@ +inputs: +- type: synthetics/http + id: unique-http-id + name: my-http + schedule: '*/5 * * * * * *' + host: "http://localhost:80/service/status" + timeout: 16s + wait: 1s + data_stream.namespace: default +output: + elasticsearch: + hosts: + - 127.0.0.1:9200 + - 127.0.0.1:9300 + username: elastic + password: changeme + api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA + ca_sha256: 7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y= diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-metricbeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-metricbeat.yml index 2e5e070dfb1..c62882ff6da 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-metricbeat.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-metricbeat.yml @@ -6,22 +6,30 @@ metricbeat: hosts: ["http://127.0.0.1:8080"] processors: - add_fields: - target: "dataset" + target: "data_stream" fields: type: metrics - name: docker.status + dataset: docker.status namespace: default + - add_fields: + target: "event" + fields: + dataset: docker.status - module: docker metricsets: [info] index: metrics-generic-default hosts: ["http://127.0.0.1:8080"] processors: - add_fields: - target: "dataset" + target: "data_stream" fields: type: metrics - name: generic + dataset: generic namespace: default + - add_fields: + target: "event" + fields: + dataset: generic - module: apache metricsets: [info] index: metrics-generic-testing @@ -31,11 +39,15 @@ metricbeat: fields: should_be: first - add_fields: - target: "dataset" + target: "data_stream" fields: type: metrics - name: generic + dataset: generic namespace: testing + - add_fields: + target: "event" + fields: + dataset: generic output: elasticsearch: diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config.yml index a4b8a8024a3..01d51100408 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config.yml @@ -29,11 +29,11 @@ inputs: use_output: default streams: - metricset: status - dataset: - name: docker.status + data_stream: + dataset: docker.status - metricset: info - dataset: - name: "" + data_stream: + dataset: "" hosts: ["http://127.0.0.1:8080"] - type: logfile use_output: default @@ -44,7 +44,7 @@ inputs: vars: var: value - type: logfile - dataset: + data_stream: type: testtype use_output: default streams: @@ -55,7 +55,7 @@ inputs: var: value - id: apache-metrics-id type: apache/metrics - dataset: + data_stream: namespace: testing use_output: default processors: @@ -67,13 +67,21 @@ inputs: metricset: info hosts: ["http://apache.remote"] hosts: ["http://apache.local"] +- type: synthetics/http + id: unique-http-id + name: my-http + schedule: '*/5 * * * * * *' + host: "http://localhost:80/service/status" + timeout: 16s + wait: 1s - id: endpoint-id + type: endpoint name: endpoint-1 enabled: true package: name: endpoint version: 0.3.0 - dataset: + data_stream: namespace: default artifact_manifest: schema_version: v22 diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/synthetics_config-heartbeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/synthetics_config-heartbeat.yml new file mode 100644 index 00000000000..c9af2356e12 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/synthetics_config-heartbeat.yml @@ -0,0 +1,33 @@ +inputs: +- type: synthetics/http + id: unique-http-id + name: my-http + schedule: '*/5 * * * * * *' + host: "http://localhost:80/service/status" + timeout: 16s + wait: 1s + data_stream.namespace: default +- type: synthetics/tcp + id: unique-tcp-id + name: my-tcp + schedule: '*/5 * * * * * *' + host: "localhost:777" + timeout: 16s + wait: 1s + data_stream.namespace: default +- type: synthetics/icmp + id: unique-icmp-id + name: my-icmp + schedule: '@every 5s' + host: "localhost" + ipv4: true + ipv6: true + mode: any + timeout: 16s + wait: 1s + data_stream.namespace: default +output: + elasticsearch: + hosts: [127.0.0.1:9200, 127.0.0.1:9300] + username: elastic + password: changeme diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/synthetics_config.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/synthetics_config.yml new file mode 100644 index 00000000000..74aa9916a65 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/synthetics_config.yml @@ -0,0 +1,31 @@ +inputs: +- type: synthetics/http + id: unique-http-id + name: my-http + schedule: '*/5 * * * * * *' + host: "http://localhost:80/service/status" + timeout: 16s + wait: 1s +- type: synthetics/tcp + id: unique-tcp-id + name: my-tcp + schedule: '*/5 * * * * * *' + host: "localhost:777" + timeout: 16s + wait: 1s +- type: synthetics/icmp + id: unique-icmp-id + name: my-icmp + schedule: '@every 5s' + host: "localhost" + ipv4: true + ipv6: true + mode: any + timeout: 16s + wait: 1s +outputs: + default: + type: elasticsearch + hosts: [127.0.0.1:9200, 127.0.0.1:9300] + username: elastic + password: changeme diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/ast.go b/x-pack/elastic-agent/pkg/agent/transpiler/ast.go index 498c32b15d7..cfb02d1660a 100644 --- a/x-pack/elastic-agent/pkg/agent/transpiler/ast.go +++ b/x-pack/elastic-agent/pkg/agent/transpiler/ast.go @@ -14,9 +14,19 @@ import ( "sort" "strconv" "strings" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/eql" + + "github.com/elastic/go-ucfg" ) -const selectorSep = "." +const ( + selectorSep = "." + // conditionKey is the name of the reserved key that will be computed using EQL to a boolean result. + // + // This makes the key "condition" inside of a dictionary a reserved name. + conditionKey = "condition" +) // Selector defines a path to access an element in the Tree, currently selectors only works when the // target is a Dictionary, accessing list values are not currently supported by any methods using @@ -28,6 +38,9 @@ var ( falseVal = []byte{0} ) +// Processors represent an attached list of processors. +type Processors []map[string]interface{} + // Node represents a node in the configuration Tree a Node can point to one or multiples children // nodes. type Node interface { @@ -44,6 +57,12 @@ type Node interface { // Hash compute a sha256 hash of the current node and recursively call any children. Hash() []byte + + // Apply apply the current vars, returning the new value for the node. + Apply(*Vars) (Node, error) + + // Processors returns any attached processors, because of variable substitution. + Processors() Processors } // AST represents a raw configuration which is purely data, only primitives are currently supported, @@ -61,12 +80,18 @@ func (a *AST) String() string { // Dict represents a dictionary in the Tree, where each key is a entry into an array. The Dict will // keep the ordering. type Dict struct { - value []Node + value []Node + processors []map[string]interface{} } // NewDict creates a new dict with provided nodes. func NewDict(nodes []Node) *Dict { - return &Dict{nodes} + return NewDictWithProcessors(nodes, nil) +} + +// NewDictWithProcessors creates a new dict with provided nodes and attached processors. +func NewDictWithProcessors(nodes []Node, processors Processors) *Dict { + return &Dict{nodes, processors} } // Find takes a string which is a key and try to find the elements in the associated K/V. @@ -115,6 +140,45 @@ func (d *Dict) Hash() []byte { return h.Sum(nil) } +// Apply applies the vars to all the nodes in the dictionary. +func (d *Dict) Apply(vars *Vars) (Node, error) { + nodes := make([]Node, 0, len(d.value)) + for _, v := range d.value { + k := v.(*Key) + n, err := k.Apply(vars) + if err != nil { + return nil, err + } + if n == nil { + continue + } + if k.name == conditionKey { + b := n.Value().(*BoolVal) + if !b.value { + // condition failed; whole dictionary should be removed + return nil, nil + } + // condition successful, but don't include condition in result + continue + } + nodes = append(nodes, n) + } + return &Dict{nodes, nil}, nil +} + +// Processors returns any attached processors, because of variable substitution. +func (d *Dict) Processors() Processors { + if d.processors != nil { + return d.processors + } + for _, v := range d.value { + if p := v.Processors(); p != nil { + return p + } + } + return nil +} + // sort sorts the keys in the dictionary func (d *Dict) sort() { sort.Slice(d.value, func(i, j int) bool { @@ -157,6 +221,11 @@ func (k *Key) Find(key string) (Node, bool) { } } +// Name returns the name for the key. +func (k *Key) Name() string { + return k.name +} + // Value returns the raw value. func (k *Key) Value() interface{} { return k.value @@ -181,26 +250,68 @@ func (k *Key) Hash() []byte { return h.Sum(nil) } +// Apply applies the vars to the value. +func (k *Key) Apply(vars *Vars) (Node, error) { + if k.value == nil { + return k, nil + } + if k.name == conditionKey { + switch v := k.value.(type) { + case *BoolVal: + return k, nil + case *StrVal: + cond, err := eql.Eval(v.value, vars) + if err != nil { + return nil, fmt.Errorf(`condition "%s" evaluation failed: %s`, v.value, err) + } + return &Key{k.name, NewBoolVal(cond)}, nil + } + return nil, fmt.Errorf("condition key's value must be a string; recieved %T", k.value) + } + v, err := k.value.Apply(vars) + if err != nil { + return nil, err + } + if v == nil { + return nil, nil + } + return &Key{k.name, v}, nil +} + +// Processors returns any attached processors, because of variable substitution. +func (k *Key) Processors() Processors { + if k.value != nil { + return k.value.Processors() + } + return nil +} + // List represents a slice in our Tree. type List struct { - value []Node + value []Node + processors Processors } // NewList creates a new list with provided nodes. func NewList(nodes []Node) *List { - return &List{nodes} + return NewListWithProcessors(nodes, nil) +} + +// NewListWithProcessors creates a new list with provided nodes with processors attached. +func NewListWithProcessors(nodes []Node, processors Processors) *List { + return &List{nodes, processors} } func (l *List) String() string { var sb strings.Builder + sb.WriteString("[") for i := 0; i < len(l.value); i++ { - sb.WriteString("[") sb.WriteString(l.value[i].String()) - sb.WriteString("]") if i < len(l.value)-1 { sb.WriteString(",") } } + sb.WriteString("]") return sb.String() } @@ -244,14 +355,49 @@ func (l *List) Clone() Node { return &List{value: nodes} } +// Apply applies the vars to all nodes in the list. +func (l *List) Apply(vars *Vars) (Node, error) { + nodes := make([]Node, 0, len(l.value)) + for _, v := range l.value { + n, err := v.Apply(vars) + if err != nil { + return nil, err + } + if n == nil { + continue + } + nodes = append(nodes, n) + } + return NewList(nodes), nil +} + +// Processors returns any attached processors, because of variable substitution. +func (l *List) Processors() Processors { + if l.processors != nil { + return l.processors + } + for _, v := range l.value { + if p := v.Processors(); p != nil { + return p + } + } + return nil +} + // StrVal represents a string. type StrVal struct { - value string + value string + processors Processors } // NewStrVal creates a new string value node with provided value. func NewStrVal(val string) *StrVal { - return &StrVal{val} + return NewStrValWithProcessors(val, nil) +} + +// NewStrValWithProcessors creates a new string value node with provided value and processors. +func NewStrValWithProcessors(val string, processors Processors) *StrVal { + return &StrVal{val, processors} } // Find receive a key and return false since the node is not a List or Dict. @@ -279,14 +425,30 @@ func (s *StrVal) Hash() []byte { return []byte(s.value) } +// Apply applies the vars to the string value. +func (s *StrVal) Apply(vars *Vars) (Node, error) { + return vars.Replace(s.value) +} + +// Processors returns any linked processors that are now connected because of Apply. +func (s *StrVal) Processors() Processors { + return s.processors +} + // IntVal represents an int. type IntVal struct { - value int + value int + processors Processors } // NewIntVal creates a new int value node with provided value. func NewIntVal(val int) *IntVal { - return &IntVal{val} + return NewIntValWithProcessors(val, nil) +} + +// NewIntValWithProcessors creates a new int value node with provided value and attached processors. +func NewIntValWithProcessors(val int, processors Processors) *IntVal { + return &IntVal{val, processors} } // Find receive a key and return false since the node is not a List or Dict. @@ -309,19 +471,35 @@ func (s *IntVal) Clone() Node { return &k } +// Apply does nothing. +func (s *IntVal) Apply(_ *Vars) (Node, error) { + return s, nil +} + // Hash we convert the value into a string and return the byte slice. func (s *IntVal) Hash() []byte { return []byte(s.String()) } +// Processors returns any linked processors that are now connected because of Apply. +func (s *IntVal) Processors() Processors { + return s.processors +} + // UIntVal represents an int. type UIntVal struct { - value uint64 + value uint64 + processors Processors } // NewUIntVal creates a new uint value node with provided value. func NewUIntVal(val uint64) *UIntVal { - return &UIntVal{val} + return NewUIntValWithProcessors(val, nil) +} + +// NewUIntValWithProcessors creates a new uint value node with provided value with processors attached. +func NewUIntValWithProcessors(val uint64, processors Processors) *UIntVal { + return &UIntVal{val, processors} } // Find receive a key and return false since the node is not a List or Dict. @@ -349,15 +527,31 @@ func (s *UIntVal) Hash() []byte { return []byte(s.String()) } +// Apply does nothing. +func (s *UIntVal) Apply(_ *Vars) (Node, error) { + return s, nil +} + +// Processors returns any linked processors that are now connected because of Apply. +func (s *UIntVal) Processors() Processors { + return s.processors +} + // FloatVal represents a float. // NOTE: We will convert float32 to a float64. type FloatVal struct { - value float64 + value float64 + processors Processors } // NewFloatVal creates a new float value node with provided value. func NewFloatVal(val float64) *FloatVal { - return &FloatVal{val} + return NewFloatValWithProcessors(val, nil) +} + +// NewFloatValWithProcessors creates a new float value node with provided value with processors attached. +func NewFloatValWithProcessors(val float64, processors Processors) *FloatVal { + return &FloatVal{val, processors} } // Find receive a key and return false since the node is not a List or Dict. @@ -385,14 +579,30 @@ func (s *FloatVal) Hash() []byte { return []byte(strconv.FormatFloat(s.value, 'f', -1, 64)) } +// Apply does nothing. +func (s *FloatVal) Apply(_ *Vars) (Node, error) { + return s, nil +} + +// Processors returns any linked processors that are now connected because of Apply. +func (s *FloatVal) Processors() Processors { + return s.processors +} + // BoolVal represents a boolean in our Tree. type BoolVal struct { - value bool + value bool + processors Processors } // NewBoolVal creates a new bool value node with provided value. func NewBoolVal(val bool) *BoolVal { - return &BoolVal{val} + return NewBoolValWithProcessors(val, nil) +} + +// NewBoolValWithProcessors creates a new bool value node with provided value with processors attached. +func NewBoolValWithProcessors(val bool, processors Processors) *BoolVal { + return &BoolVal{val, processors} } // Find receive a key and return false since the node is not a List or Dict. @@ -426,13 +636,22 @@ func (s *BoolVal) Hash() []byte { return falseVal } +// Apply does nothing. +func (s *BoolVal) Apply(_ *Vars) (Node, error) { + return s, nil +} + +// Processors returns any linked processors that are now connected because of Apply. +func (s *BoolVal) Processors() Processors { + return s.processors +} + // NewAST takes a map and convert it to an internal Tree, allowing us to executes rules on the // data to shape it in a different way or to filter some of the information. func NewAST(m map[string]interface{}) (*AST, error) { - val := reflect.ValueOf(m) - root, err := load(val) + root, err := loadForNew(m) if err != nil { - return nil, fmt.Errorf("could not parse configuration into a tree, error: %+v", err) + return nil, err } return &AST{root: root}, nil } @@ -446,6 +665,40 @@ func MustNewAST(m map[string]interface{}) *AST { return v } +// NewASTFromConfig takes a config and converts it to an internal Tree, allowing us to executes rules on the +// data to shape it in a different way or to filter some of the information. +func NewASTFromConfig(cfg *ucfg.Config) (*AST, error) { + var v interface{} + if cfg.IsDict() { + var m map[string]interface{} + if err := cfg.Unpack(&m); err != nil { + return nil, err + } + v = m + } else if cfg.IsArray() { + var l []string + if err := cfg.Unpack(&l); err != nil { + return nil, err + } + v = l + } else { + return nil, fmt.Errorf("cannot create AST from none dict or array type") + } + root, err := loadForNew(v) + if err != nil { + return nil, err + } + return &AST{root: root}, nil +} + +func loadForNew(val interface{}) (Node, error) { + root, err := load(reflect.ValueOf(val)) + if err != nil { + return nil, fmt.Errorf("could not parse configuration into a tree, error: %+v", err) + } + return root, nil +} + func load(val reflect.Value) (Node, error) { val = lookupVal(val) @@ -557,6 +810,36 @@ func (a *AST) MarshalJSON() ([]byte, error) { return b, nil } +// Apply applies the variables to the replacement in the AST. +func (a *AST) Apply(vars *Vars) error { + n, err := a.root.Apply(vars) + if err != nil { + return err + } + a.root = n + return nil +} + +// Lookup looks for a value from the AST. +// +// Return type is in the native form and not in the Node types from the AST. +func (a *AST) Lookup(name string) (interface{}, bool) { + node, ok := Lookup(a, name) + if !ok { + return nil, false + } + _, isKey := node.(*Key) + if isKey { + // matched on a key, return the value + node = node.Value().(Node) + } + + m := &MapVisitor{} + a.dispatch(node, m) + + return m.Content, true +} + func splitPath(s Selector) []string { if s == "" { return nil @@ -666,6 +949,26 @@ func lookupVal(val reflect.Value) reflect.Value { return val } +func attachProcessors(node Node, processors Processors) Node { + switch n := node.(type) { + case *Dict: + n.processors = processors + case *List: + n.processors = processors + case *StrVal: + n.processors = processors + case *IntVal: + n.processors = processors + case *UIntVal: + n.processors = processors + case *FloatVal: + n.processors = processors + case *BoolVal: + n.processors = processors + } + return node +} + // Select takes an AST and a selector and will return a sub AST based on the selector path, will // return false if the path could not be found. func Select(a *AST, selector Selector) (*AST, bool) { @@ -763,7 +1066,7 @@ func Insert(a *AST, node Node, to Selector) error { case *List: d.value = node default: - d.value = &Dict{[]Node{node}} + d.value = &Dict{[]Node{node}, nil} } return nil } diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/ast_test.go b/x-pack/elastic-agent/pkg/agent/transpiler/ast_test.go index 80c7a1d7401..4c56b993e64 100644 --- a/x-pack/elastic-agent/pkg/agent/transpiler/ast_test.go +++ b/x-pack/elastic-agent/pkg/agent/transpiler/ast_test.go @@ -112,13 +112,13 @@ func TestAST(t *testing.T) { value: []Node{ &Key{ name: "range", - value: &List{ + value: NewList( []Node{ &IntVal{value: 20}, &IntVal{value: 30}, &IntVal{value: 40}, }, - }, + ), }, &Key{name: "timeout", value: &IntVal{value: 12}}, }, @@ -135,13 +135,13 @@ func TestAST(t *testing.T) { value: []Node{ &Key{ name: "range", - value: &List{ + value: NewList( []Node{ &UIntVal{value: uint64(20)}, &UIntVal{value: uint64(30)}, &UIntVal{value: uint64(40)}, }, - }, + ), }, &Key{name: "timeout", value: &IntVal{value: 12}}, }, @@ -159,23 +159,23 @@ func TestAST(t *testing.T) { value: []Node{ &Key{ name: "range32", - value: &List{ + value: NewList( []Node{ &FloatVal{value: 20.0}, &FloatVal{value: 30.0}, &FloatVal{value: 40.0}, }, - }, + ), }, &Key{ name: "range64", - value: &List{ + value: NewList( []Node{ &FloatVal{value: 20.0}, &FloatVal{value: 30.0}, &FloatVal{value: 40.0}, }, - }, + ), }, &Key{name: "ratio", value: &FloatVal{value: 0.5}}, }, @@ -195,7 +195,7 @@ func TestAST(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ &Key{name: "ignore_older", value: &StrVal{value: "20s"}}, &Key{name: "paths", value: &List{value: []Node{ @@ -203,8 +203,8 @@ func TestAST(t *testing.T) { &StrVal{value: "/var/log/log2"}, }}}, &Key{name: "type", value: &StrVal{value: "log/docker"}}, - }, - }}, + }), + }, }, }, }, @@ -225,11 +225,11 @@ func TestAST(t *testing.T) { }, }, ast: &AST{ - root: &Dict{ - value: []Node{ + root: NewDict( + []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ &Key{name: "ignore_older", value: &StrVal{value: "20s"}}, &Key{name: "paths", value: &List{value: []Node{ @@ -237,42 +237,37 @@ func TestAST(t *testing.T) { &StrVal{value: "/var/log/log2"}, }}}, &Key{name: "type", value: &StrVal{value: "log/docker"}}, - }, - }}, + }), + }, &Key{ name: "outputs", - value: &Dict{ + value: NewDict( []Node{ &Key{ name: "elasticsearch", - value: &Dict{ + value: NewDict( []Node{ &Key{ name: "ssl", - value: &Dict{ + value: NewDict( []Node{ &Key{name: "certificates_authorities", - value: &List{ + value: NewList( []Node{ &StrVal{value: "abc1"}, &StrVal{value: "abc2"}, }, - }, + ), }, - }, - }, + }), }, - }, - }, + }), }, - }, - }, + }), }, - }, - }, + }), }, }, - "Keys with multiple levels of deeps with compact keys": { hashmap: map[string]interface{}{ "inputs": map[string]interface{}{ @@ -305,7 +300,7 @@ func TestAST(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ &Key{name: "ignore_older", value: &StrVal{value: "20s"}}, &Key{name: "paths", value: &List{value: []Node{ @@ -313,36 +308,33 @@ func TestAST(t *testing.T) { &StrVal{value: "/var/log/log2"}, }}}, &Key{name: "type", value: &StrVal{value: "log/docker"}}, - }, - }}, + }), + }, &Key{ name: "outputs", - value: &Dict{ + value: NewDict( []Node{ &Key{ name: "elasticsearch", - value: &Dict{ + value: NewDict( []Node{ &Key{ name: "ssl", - value: &Dict{ + value: NewDict( []Node{ &Key{name: "certificates_authorities", - value: &List{ + value: NewList( []Node{ &StrVal{value: "abc1"}, &StrVal{value: "abc2"}, }, - }, + ), }, - }, - }, + }), }, - }, - }, + }), }, - }, - }, + }), }, }, }, @@ -404,11 +396,11 @@ func TestSelector(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ &Key{name: "type", value: &StrVal{value: "log/docker"}}, - }, - }}, + }), + }, }, }, }, @@ -431,17 +423,18 @@ func TestSelector(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ - &Key{name: "ssl", value: &Dict{ + &Key{name: "ssl", value: NewDict( []Node{ &Key{name: "ca", value: &List{ value: []Node{&StrVal{value: "ca1"}, &StrVal{value: "ca2"}}, }}, &Key{name: "certificate", value: &StrVal{value: "/etc/ssl/my.crt"}}, - }}}, - }, - }}, + }), + }, + }), + }, }, }, }, @@ -471,11 +464,11 @@ func TestSelector(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ &Key{name: "1", value: &StrVal{value: "log/docker"}}, - }, - }}, + }), + }, }, }, }, @@ -495,21 +488,20 @@ func TestSelector(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ - &Key{name: "x", value: &Dict{ + &Key{name: "x", value: NewDict( []Node{ - &Key{name: "ssl", value: &Dict{ + &Key{name: "ssl", value: NewDict( []Node{ &Key{name: "ca", value: &List{ value: []Node{&StrVal{value: "ca1"}, &StrVal{value: "ca2"}}, }}, &Key{name: "certificate", value: &StrVal{value: "/etc/ssl/my.crt"}}, - }}}, - }, - }}, - }, - }, + })}, + }), + }, + }), }, }, }, @@ -536,32 +528,31 @@ func TestSelector(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ - &Key{name: "x", value: &Dict{ + &Key{name: "x", value: NewDict( []Node{ - &Key{name: "ssl", value: &Dict{ + &Key{name: "ssl", value: NewDict( []Node{ &Key{name: "ca", value: &List{ value: []Node{&StrVal{value: "ca1"}, &StrVal{value: "ca2"}}, }}, &Key{name: "certificate", value: &StrVal{value: "/etc/ssl/my.crt"}}, - }}}, - }, - }}, - &Key{name: "y", value: &Dict{ + })}, + }), + }, + &Key{name: "y", value: NewDict( []Node{ - &Key{name: "ssl", value: &Dict{ + &Key{name: "ssl", value: NewDict( []Node{ &Key{name: "ca", value: &List{ value: []Node{&StrVal{value: "ca1"}, &StrVal{value: "ca2"}}, }}, &Key{name: "certificate", value: &StrVal{value: "/etc/ssl/my.crt"}}, - }}}, - }, - }}, - }, - }, + })}, + }), + }, + }), }, }, }, @@ -588,21 +579,20 @@ func TestSelector(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ - &Key{name: "x", value: &Dict{ + &Key{name: "x", value: NewDict( []Node{ - &Key{name: "ssl", value: &Dict{ + &Key{name: "ssl", value: NewDict( []Node{ &Key{name: "ca", value: &List{ value: []Node{&StrVal{value: "ca1"}, &StrVal{value: "ca2"}}, }}, &Key{name: "certificate", value: &StrVal{value: "/etc/ssl/my.crt"}}, - }}}, - }, - }}, - }, - }, + })}, + }), + }, + }), }, }, }, @@ -623,21 +613,20 @@ func TestSelector(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ - &Key{name: "x", value: &Dict{ + &Key{name: "x", value: NewDict( []Node{ - &Key{name: "ssl", value: &Dict{ + &Key{name: "ssl", value: NewDict( []Node{ &Key{name: "ca", value: &List{ value: []Node{&StrVal{value: "ca1"}, &StrVal{value: "ca2"}}, }}, &Key{name: "certificate", value: &StrVal{value: "/etc/ssl/my.crt"}}, - }}}, - }, - }}, - }, - }, + })}, + }), + }, + }), }, }, }, @@ -662,21 +651,20 @@ func TestSelector(t *testing.T) { value: []Node{ &Key{ name: "inputs", - value: &Dict{ + value: NewDict( []Node{ - &Key{name: "x", value: &Dict{ + &Key{name: "x", value: NewDict( []Node{ - &Key{name: "ssl", value: &Dict{ + &Key{name: "ssl", value: NewDict( []Node{ &Key{name: "ca", value: &List{ value: []Node{&StrVal{value: "ca1"}, &StrVal{value: "ca2"}}, }}, &Key{name: "certificate", value: &StrVal{value: "/etc/ssl/my.crt"}}, - }}}, - }, - }}, - }, - }, + })}, + }), + }, + }), }, }, }, @@ -704,6 +692,529 @@ func TestSelector(t *testing.T) { } } +func TestAST_Apply(t *testing.T) { + testcases := map[string]struct { + input map[string]interface{} + expected *AST + vars *Vars + matchErr bool + }{ + "2 vars missing with default": { + input: map[string]interface{}{ + "inputs": map[string]interface{}{ + "type": "log/docker", + "paths": []string{"/var/log/${var1.key1}", "/var/log/${var1.missing|'other'}"}, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/value1"}, + &StrVal{value: "/var/log/other"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "log/docker"}}, + }), + }, + }, + }, + }, + vars: mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "key1": "value1", + }, + }), + }, + "2 vars missing no default": { + input: map[string]interface{}{ + "inputs": map[string]interface{}{ + "type": "log/docker", + "paths": []string{"/var/log/${var1.key1}", "/var/log/${var1.missing}"}, + }, + }, + vars: mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "key1": "value1", + }, + }), + matchErr: true, + }, + "vars not string": { + input: map[string]interface{}{ + "inputs": map[string]interface{}{ + "type": "log/docker", + "paths": []string{"/var/log/${var1.key1}"}, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/1"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "log/docker"}}, + }), + }, + }, + }, + }, + vars: mustMakeVars(map[string]interface{}{ + "var1": map[string]interface{}{ + "key1": 1, + }, + }), + }, + "vars replace with object": { + input: map[string]interface{}{ + "inputs": map[string]interface{}{ + "type": "logfile", + "paths": []string{"/var/log/syslog"}, + "processors": []map[string]interface{}{ + { + "add_fields": map[string]interface{}{ + "labels": "${host.labels}", + }, + }, + }, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/syslog"}, + }, + }, + }, + &Key{ + name: "processors", + value: &List{ + value: []Node{ + NewDict( + []Node{ + &Key{ + name: "add_fields", + value: NewDict( + []Node{ + &Key{ + name: "labels", + value: &List{ + value: []Node{ + &StrVal{value: "label1"}, + &StrVal{value: "label2"}, + }, + }, + }, + }, + ), + }, + }, + ), + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + }, + }, + }, + }, + vars: mustMakeVars(map[string]interface{}{ + "host": map[string]interface{}{ + "labels": []string{ + "label1", + "label2", + }, + }, + }), + }, + "condition false str removes dict from list": { + input: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "type": "logfile", + "paths": []string{"/var/log/syslog"}, + }, + { + "type": "logfile", + "paths": []string{"/var/log/other"}, + "condition": "false", + }, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewList([]Node{ + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/syslog"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + }), + }, + }, + }, + }, + }, + "condition false removes dict from list": { + input: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "type": "logfile", + "paths": []string{"/var/log/syslog"}, + }, + { + "type": "logfile", + "paths": []string{"/var/log/other"}, + "condition": false, + }, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewList([]Node{ + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/syslog"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + }), + }, + }, + }, + }, + }, + "condition true string keeps dict in list w/o condition key": { + input: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "type": "logfile", + "paths": []string{"/var/log/syslog"}, + }, + { + "type": "logfile", + "paths": []string{"/var/log/other"}, + "condition": "true", + }, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewList([]Node{ + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/syslog"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/other"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + }), + }, + }, + }, + }, + }, + "condition true keeps dict in list w/o condition key": { + input: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "type": "logfile", + "paths": []string{"/var/log/syslog"}, + }, + { + "type": "logfile", + "paths": []string{"/var/log/other"}, + "condition": true, + }, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewList([]Node{ + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/syslog"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/other"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + }), + }, + }, + }, + }, + }, + "condition eval keeps dict in list w/o condition key": { + input: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "type": "logfile", + "paths": []string{"/var/log/syslog"}, + }, + { + "type": "logfile", + "paths": []string{"/var/log/other"}, + "condition": "arrayContains(${host.labels}, 'label2')", + }, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewList([]Node{ + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/syslog"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/other"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + }), + }, + }, + }, + }, + vars: mustMakeVars(map[string]interface{}{ + "host": map[string]interface{}{ + "labels": []string{ + "label1", + "label2", + }, + }, + }), + }, + "condition eval removes dict from list": { + input: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "type": "logfile", + "paths": []string{"/var/log/syslog"}, + }, + { + "type": "logfile", + "paths": []string{"/var/log/other"}, + "condition": "arrayContains(${host.labels}, 'missing')", + }, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewList([]Node{ + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/syslog"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + }), + }, + }, + }, + }, + vars: mustMakeVars(map[string]interface{}{ + "host": map[string]interface{}{ + "labels": []string{ + "label1", + "label2", + }, + }, + }), + }, + "condition eval removes dict from dict": { + input: map[string]interface{}{ + "inputs": []map[string]interface{}{ + { + "type": "logfile", + "paths": []string{"/var/log/syslog"}, + }, + { + "type": "logfile", + "paths": []string{"/var/log/other"}, + "nested": map[string]interface{}{ + "removed": "whole dict removed", + "condition": "arrayContains(${host.labels}, 'missing')", + }, + }, + }, + }, + expected: &AST{ + root: &Dict{ + value: []Node{ + &Key{ + name: "inputs", + value: NewList([]Node{ + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/syslog"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + NewDict( + []Node{ + &Key{ + name: "paths", + value: &List{ + value: []Node{ + &StrVal{value: "/var/log/other"}, + }, + }, + }, + &Key{name: "type", value: &StrVal{value: "logfile"}}, + }), + }), + }, + }, + }, + }, + vars: mustMakeVars(map[string]interface{}{ + "host": map[string]interface{}{ + "labels": []string{ + "label1", + "label2", + }, + }, + }), + }, + } + + for name, test := range testcases { + t.Run(name, func(t *testing.T) { + v, err := NewAST(test.input) + require.NoError(t, err) + err = v.Apply(test.vars) + if test.matchErr { + require.Equal(t, ErrNoMatch, err) + } else { + require.NoError(t, err) + if !assert.True(t, reflect.DeepEqual(test.expected, v)) { + t.Logf( + `received: %+v + expected: %+v`, v, test.expected) + } + } + }) + } +} + func TestCount(t *testing.T) { ast := &AST{ root: &Dict{ @@ -1103,3 +1614,11 @@ func TestHash(t *testing.T) { }) } } + +func mustMakeVars(mapping map[string]interface{}) *Vars { + v, err := NewVars(mapping) + if err != nil { + panic(err) + } + return v +} diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/rules.go b/x-pack/elastic-agent/pkg/agent/transpiler/rules.go index 69dd59a459f..5ad790eb31e 100644 --- a/x-pack/elastic-agent/pkg/agent/transpiler/rules.go +++ b/x-pack/elastic-agent/pkg/agent/transpiler/rules.go @@ -409,7 +409,7 @@ func (r *FixStreamRule) Apply(ast *AST) error { for _, inputNode := range inputsNodeList.value { // fix this only if in compact form - if nsNode, found := inputNode.Find("dataset.namespace"); found { + if nsNode, found := inputNode.Find("data_stream.namespace"); found { nsKey, ok := nsNode.(*Key) if ok { if newNamespace := nsKey.value.String(); newNamespace == "" { @@ -417,12 +417,12 @@ func (r *FixStreamRule) Apply(ast *AST) error { } } } else { - dsNode, found := inputNode.Find("dataset") + dsNode, found := inputNode.Find("data_stream") if found { - // got a dataset - datasetMap, ok := dsNode.Value().(*Dict) + // got a datastream + datastreamMap, ok := dsNode.Value().(*Dict) if ok { - nsNode, found := datasetMap.Find("namespace") + nsNode, found := datastreamMap.Find("namespace") if found { nsKey, ok := nsNode.(*Key) if ok { @@ -434,7 +434,7 @@ func (r *FixStreamRule) Apply(ast *AST) error { inputMap, ok := inputNode.(*Dict) if ok { inputMap.value = append(inputMap.value, &Key{ - name: "dataset.namespace", + name: "data_stream.namespace", value: &StrVal{value: defaultNamespace}, }) } @@ -444,7 +444,7 @@ func (r *FixStreamRule) Apply(ast *AST) error { inputMap, ok := inputNode.(*Dict) if ok { inputMap.value = append(inputMap.value, &Key{ - name: "dataset.namespace", + name: "data_stream.namespace", value: &StrVal{value: defaultNamespace}, }) } @@ -468,7 +468,7 @@ func (r *FixStreamRule) Apply(ast *AST) error { } // fix this only if in compact form - if dsNameNode, found := streamMap.Find("dataset.name"); found { + if dsNameNode, found := streamMap.Find("data_stream.dataset"); found { dsKey, ok := dsNameNode.(*Key) if ok { if newDataset := dsKey.value.String(); newDataset == "" { @@ -477,14 +477,14 @@ func (r *FixStreamRule) Apply(ast *AST) error { } } else { - datasetNode, found := streamMap.Find("dataset") + datastreamNode, found := streamMap.Find("data_stream") if found { - datasetMap, ok := datasetNode.Value().(*Dict) + datastreamMap, ok := datastreamNode.Value().(*Dict) if !ok { continue } - dsNameNode, found := datasetMap.Find("name") + dsNameNode, found := datastreamMap.Find("dataset") if found { dsKey, ok := dsNameNode.(*Key) if ok { @@ -494,13 +494,13 @@ func (r *FixStreamRule) Apply(ast *AST) error { } } else { streamMap.value = append(streamMap.value, &Key{ - name: "dataset.name", + name: "data_stream.dataset", value: &StrVal{value: defaultDataset}, }) } } else { streamMap.value = append(streamMap.value, &Key{ - name: "dataset.name", + name: "data_stream.dataset", value: &StrVal{value: defaultDataset}, }) } @@ -517,10 +517,10 @@ func FixStream() *FixStreamRule { } // InjectIndexRule injects index to each input. -// Index is in form {type}-{namespace}-{dataset-type} +// Index is in form {type}-{namespace}-{dataset} // type: is provided to the rule. // namespace: is collected from streams[n].namespace. If not found used 'default'. -// dataset-type: is collected from streams[n].dataset.type. If not found used 'generic'. +// dataset: is collected from streams[n].data_stream.dataset. If not found used 'generic'. type InjectIndexRule struct { Type string } @@ -538,8 +538,8 @@ func (r *InjectIndexRule) Apply(ast *AST) error { } for _, inputNode := range inputsList.value { - namespace := datasetNamespaceFromInputNode(inputNode) - datasetType := datasetTypeFromInputNode(inputNode, r.Type) + namespace := datastreamNamespaceFromInputNode(inputNode) + datastreamType := datastreamTypeFromInputNode(inputNode, r.Type) streamsNode, ok := inputNode.Find("streams") if !ok { @@ -560,7 +560,7 @@ func (r *InjectIndexRule) Apply(ast *AST) error { dataset := datasetNameFromStreamNode(streamNode) streamMap.value = append(streamMap.value, &Key{ name: "index", - value: &StrVal{value: fmt.Sprintf("%s-%s-%s", datasetType, dataset, namespace)}, + value: &StrVal{value: fmt.Sprintf("%s-%s-%s", datastreamType, dataset, namespace)}, }) } } @@ -595,8 +595,8 @@ func (r *InjectStreamProcessorRule) Apply(ast *AST) error { } for _, inputNode := range inputsList.value { - namespace := datasetNamespaceFromInputNode(inputNode) - datasetType := datasetTypeFromInputNode(inputNode, r.Type) + namespace := datastreamNamespaceFromInputNode(inputNode) + datastreamType := datastreamTypeFromInputNode(inputNode, r.Type) streamsNode, ok := inputNode.Find("streams") if !ok { @@ -632,16 +632,25 @@ func (r *InjectStreamProcessorRule) Apply(ast *AST) error { return errors.New("InjectStreamProcessorRule: processors is not a list") } + // datastream processorMap := &Dict{value: make([]Node, 0)} - processorMap.value = append(processorMap.value, &Key{name: "target", value: &StrVal{value: "dataset"}}) + processorMap.value = append(processorMap.value, &Key{name: "target", value: &StrVal{value: "data_stream"}}) processorMap.value = append(processorMap.value, &Key{name: "fields", value: &Dict{value: []Node{ - &Key{name: "type", value: &StrVal{value: datasetType}}, + &Key{name: "type", value: &StrVal{value: datastreamType}}, &Key{name: "namespace", value: &StrVal{value: namespace}}, - &Key{name: "name", value: &StrVal{value: dataset}}, + &Key{name: "dataset", value: &StrVal{value: dataset}}, }}}) - addFieldsMap := &Dict{value: []Node{&Key{"add_fields", processorMap}}} processorsList.value = mergeStrategy(r.OnConflict).InjectItem(processorsList.value, addFieldsMap) + + // event + processorMap = &Dict{value: make([]Node, 0)} + processorMap.value = append(processorMap.value, &Key{name: "target", value: &StrVal{value: "event"}}) + processorMap.value = append(processorMap.value, &Key{name: "fields", value: &Dict{value: []Node{ + &Key{name: "dataset", value: &StrVal{value: dataset}}, + }}}) + addFieldsMap = &Dict{value: []Node{&Key{"add_fields", processorMap}}} + processorsList.value = mergeStrategy(r.OnConflict).InjectItem(processorsList.value, addFieldsMap) } } @@ -1190,7 +1199,7 @@ func (r *FilterValuesWithRegexpRule) Apply(ast *AST) error { newAST, ok := Lookup(newRoot, r.Key) if !ok { - newNodes = append(newNodes, item) + // doesn't have key so its filtered out continue } @@ -1201,7 +1210,7 @@ func (r *FilterValuesWithRegexpRule) Apply(ast *AST) error { } if n.name != r.Key { - newNodes = append(newNodes, item) + // doesn't match so its filtered out continue } @@ -1233,10 +1242,10 @@ func keys(m map[string]interface{}) []string { return keys } -func datasetNamespaceFromInputNode(inputNode Node) string { +func datastreamNamespaceFromInputNode(inputNode Node) string { const defaultNamespace = "default" - if namespaceNode, found := inputNode.Find("dataset.namespace"); found { + if namespaceNode, found := inputNode.Find("data_stream.namespace"); found { nsKey, ok := namespaceNode.(*Key) if ok { if newNamespace := nsKey.value.String(); newNamespace != "" { @@ -1245,7 +1254,7 @@ func datasetNamespaceFromInputNode(inputNode Node) string { } } - dsNode, found := inputNode.Find("dataset") + dsNode, found := inputNode.Find("data_stream") if found { dsMapNode, ok := dsNode.Value().(*Dict) if ok { @@ -1264,17 +1273,17 @@ func datasetNamespaceFromInputNode(inputNode Node) string { return defaultNamespace } -func datasetTypeFromInputNode(inputNode Node, defaultType string) string { - if dsTypeNode, found := inputNode.Find("dataset.type"); found { +func datastreamTypeFromInputNode(inputNode Node, defaultType string) string { + if dsTypeNode, found := inputNode.Find("data_stream.type"); found { dsTypeKey, ok := dsTypeNode.(*Key) if ok { - if newDatasetType := dsTypeKey.value.String(); newDatasetType != "" { - return newDatasetType + if newDatastreamType := dsTypeKey.value.String(); newDatastreamType != "" { + return newDatastreamType } } } - dsNode, found := inputNode.Find("dataset") + dsNode, found := inputNode.Find("data_stream") if found { dsMapNode, ok := dsNode.Value().(*Dict) if ok { @@ -1282,8 +1291,8 @@ func datasetTypeFromInputNode(inputNode Node, defaultType string) string { if found { typeKey, ok := typeNode.(*Key) if ok { - if newDatasetType := typeKey.value.String(); newDatasetType != "" { - return newDatasetType + if newDatastreamType := typeKey.value.String(); newDatastreamType != "" { + return newDatastreamType } } } @@ -1296,7 +1305,7 @@ func datasetTypeFromInputNode(inputNode Node, defaultType string) string { func datasetNameFromStreamNode(streamNode Node) string { const defaultDataset = "generic" - if dsNameNode, found := streamNode.Find("dataset.name"); found { + if dsNameNode, found := streamNode.Find("data_stream.dataset"); found { dsNameKey, ok := dsNameNode.(*Key) if ok { if newDatasetName := dsNameKey.value.String(); newDatasetName != "" { @@ -1305,11 +1314,11 @@ func datasetNameFromStreamNode(streamNode Node) string { } } - dsNode, found := streamNode.Find("dataset") + dsNode, found := streamNode.Find("data_stream") if found { dsMapNode, ok := dsNode.Value().(*Dict) if ok { - dsNameNode, found := dsMapNode.Find("name") + dsNameNode, found := dsMapNode.Find("dataset") if found { dsKey, ok := dsNameNode.(*Key) if ok { diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/rules_test.go b/x-pack/elastic-agent/pkg/agent/transpiler/rules_test.go index 5619d847de6..c3207f48cea 100644 --- a/x-pack/elastic-agent/pkg/agent/transpiler/rules_test.go +++ b/x-pack/elastic-agent/pkg/agent/transpiler/rules_test.go @@ -31,59 +31,59 @@ inputs: - paths: /var/log/mysql/error.log - name: Specified namespace type: file - dataset.namespace: nsns + data_stream.namespace: nsns streams: - paths: /var/log/mysql/error.log - name: Specified dataset type: file streams: - paths: /var/log/mysql/error.log - dataset.name: dsds + data_stream.dataset: dsds - name: All specified type: file - dataset.namespace: nsns + data_stream.namespace: nsns streams: - paths: /var/log/mysql/error.log - dataset.name: dsds + data_stream.dataset: dsds - name: All specified with empty strings type: file - dataset.namespace: "" + data_stream.namespace: "" streams: - paths: /var/log/mysql/error.log - dataset.name: "" + data_stream.dataset: "" `, expectedYAML: ` inputs: - name: All default type: file - dataset.namespace: default + data_stream.namespace: default streams: - paths: /var/log/mysql/error.log - dataset.name: generic + data_stream.dataset: generic - name: Specified namespace type: file - dataset.namespace: nsns + data_stream.namespace: nsns streams: - paths: /var/log/mysql/error.log - dataset.name: generic + data_stream.dataset: generic - name: Specified dataset type: file - dataset.namespace: default + data_stream.namespace: default streams: - paths: /var/log/mysql/error.log - dataset.name: dsds + data_stream.dataset: dsds - name: All specified type: file - dataset.namespace: nsns + data_stream.namespace: nsns streams: - paths: /var/log/mysql/error.log - dataset.name: dsds + data_stream.dataset: dsds - name: All specified with empty strings type: file - dataset.namespace: default + data_stream.namespace: default streams: - paths: /var/log/mysql/error.log - dataset.name: generic + data_stream.dataset: generic `, rule: &RuleList{ Rules: []Rule{ @@ -101,7 +101,7 @@ inputs: - paths: /var/log/mysql/error.log - name: Specified namespace type: file - dataset.namespace: nsns + data_stream.namespace: nsns streams: - paths: /var/log/mysql/error.log @@ -109,19 +109,19 @@ inputs: type: file streams: - paths: /var/log/mysql/error.log - dataset.name: dsds + data_stream.dataset: dsds - name: All specified type: file - dataset.namespace: nsns + data_stream.namespace: nsns streams: - paths: /var/log/mysql/error.log - dataset.name: dsds + data_stream.dataset: dsds - name: All specified with empty strings type: file - dataset.namespace: "" + data_stream.namespace: "" streams: - paths: /var/log/mysql/error.log - dataset.name: "" + data_stream.dataset: "" `, expectedYAML: ` inputs: @@ -132,7 +132,7 @@ inputs: index: mytype-generic-default - name: Specified namespace type: file - dataset.namespace: nsns + data_stream.namespace: nsns streams: - paths: /var/log/mysql/error.log index: mytype-generic-nsns @@ -141,21 +141,21 @@ inputs: type: file streams: - paths: /var/log/mysql/error.log - dataset.name: dsds + data_stream.dataset: dsds index: mytype-dsds-default - name: All specified type: file - dataset.namespace: nsns + data_stream.namespace: nsns streams: - paths: /var/log/mysql/error.log - dataset.name: dsds + data_stream.dataset: dsds index: mytype-dsds-nsns - name: All specified with empty strings type: file - dataset.namespace: "" + data_stream.namespace: "" streams: - paths: /var/log/mysql/error.log - dataset.name: "" + data_stream.dataset: "" index: mytype-generic-default `, rule: &RuleList{ diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/vars.go b/x-pack/elastic-agent/pkg/agent/transpiler/vars.go new file mode 100644 index 00000000000..698847edd16 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/transpiler/vars.go @@ -0,0 +1,212 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package transpiler + +import ( + "fmt" + "regexp" + "strings" + "unicode" +) + +var varsRegex = regexp.MustCompile(`\${([\p{L}\d\s\\\-_|.'"]*)}`) + +// ErrNoMatch is return when the replace didn't fail, just that no vars match to perform the replace. +var ErrNoMatch = fmt.Errorf("no matching vars") + +// Vars is a context of variables that also contain a list of processors that go with the mapping. +type Vars struct { + tree *AST + processorsKey string + processors Processors +} + +// NewVars returns a new instance of vars. +func NewVars(mapping map[string]interface{}) (*Vars, error) { + return NewVarsWithProcessors(mapping, "", nil) +} + +// NewVarsWithProcessors returns a new instance of vars with attachment of processors. +func NewVarsWithProcessors(mapping map[string]interface{}, processorKey string, processors Processors) (*Vars, error) { + tree, err := NewAST(mapping) + if err != nil { + return nil, err + } + return &Vars{tree, processorKey, processors}, nil +} + +// Replace returns a new value based on variable replacement. +func (v *Vars) Replace(value string) (Node, error) { + var processors Processors + matchIdxs := varsRegex.FindAllSubmatchIndex([]byte(value), -1) + if !validBrackets(value, matchIdxs) { + return nil, fmt.Errorf("starting ${ is missing ending }") + } + + result := "" + lastIndex := 0 + for _, r := range matchIdxs { + for i := 0; i < len(r); i += 4 { + vars, err := extractVars(value[r[i+2]:r[i+3]]) + if err != nil { + return nil, fmt.Errorf(`error parsing variable "%s": %s`, value[r[i]:r[i+1]], err) + } + set := false + for _, val := range vars { + switch val.(type) { + case *constString: + result += value[lastIndex:r[0]] + val.Value() + set = true + case *varString: + node, ok := Lookup(v.tree, val.Value()) + if ok { + node := nodeToValue(node) + if v.processorsKey != "" && varPrefixMatched(val.Value(), v.processorsKey) { + processors = v.processors + } + if r[i] == 0 && r[i+1] == len(value) { + // possible for complete replacement of object, because the variable + // is not inside of a string + return attachProcessors(node, processors), nil + } + result += value[lastIndex:r[0]] + node.String() + set = true + } + } + if set { + break + } + } + if !set { + return NewStrVal(""), ErrNoMatch + } + lastIndex = r[1] + } + } + return NewStrValWithProcessors(result+value[lastIndex:], processors), nil +} + +// Lookup returns the value from the vars. +func (v *Vars) Lookup(name string) (interface{}, bool) { + return v.tree.Lookup(name) +} + +// nodeToValue ensures that the node is an actual value. +func nodeToValue(node Node) Node { + switch n := node.(type) { + case *Key: + return n.value.(Node) + } + return node +} + +// validBrackets returns true when all starting {$ have a matching ending }. +func validBrackets(s string, matchIdxs [][]int) bool { + result := "" + lastIndex := 0 + match := false + for _, r := range matchIdxs { + match = true + for i := 0; i < len(r); i += 4 { + result += s[lastIndex:r[0]] + lastIndex = r[1] + } + } + if !match { + return !strings.Contains(s, "${") + } + return !strings.Contains(result, "${") +} + +type varI interface { + Value() string +} + +type varString struct { + value string +} + +func (v *varString) Value() string { + return v.value +} + +type constString struct { + value string +} + +func (v *constString) Value() string { + return v.value +} + +func extractVars(i string) ([]varI, error) { + const out = rune(0) + + quote := out + constant := false + escape := false + is := make([]rune, 0, len(i)) + res := make([]varI, 0) + for _, r := range i { + if r == '|' { + if escape { + return nil, fmt.Errorf(`variable pipe cannot be escaped; remove \ before |`) + } + if quote == out { + if constant { + res = append(res, &constString{string(is)}) + } else if len(is) > 0 { + if is[len(is)-1] == '.' { + return nil, fmt.Errorf("variable cannot end with '.'") + } + res = append(res, &varString{string(is)}) + } + is = is[:0] // slice to zero length; to keep allocated memory + constant = false + } else { + is = append(is, r) + } + continue + } + if !escape && (r == '"' || r == '\'') { + if quote == out { + // start of unescaped quote + quote = r + constant = true + } else if quote == r { + // end of unescaped quote + quote = out + } else { + is = append(is, r) + } + continue + } + // escape because of backslash (\); except when it is the second backslash of a pair + escape = !escape && r == '\\' + if r == '\\' { + if !escape { + is = append(is, r) + } + } else if quote != out || !unicode.IsSpace(r) { + is = append(is, r) + } + } + if quote != out { + return nil, fmt.Errorf(`starting %s is missing ending %s`, string(quote), string(quote)) + } + if constant { + res = append(res, &constString{string(is)}) + } else if len(is) > 0 { + if is[len(is)-1] == '.' { + return nil, fmt.Errorf("variable cannot end with '.'") + } + res = append(res, &varString{string(is)}) + } + return res, nil +} + +func varPrefixMatched(val string, key string) bool { + s := strings.SplitN(val, ".", 2) + return s[0] == key +} diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/vars_test.go b/x-pack/elastic-agent/pkg/agent/transpiler/vars_test.go new file mode 100644 index 00000000000..0b6566a7a94 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/transpiler/vars_test.go @@ -0,0 +1,248 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package transpiler + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestVars_Replace(t *testing.T) { + vars := mustMakeVars(map[string]interface{}{ + "un-der_score": map[string]interface{}{ + "key1": "data1", + "key2": "data2", + "list": []string{ + "array1", + "array2", + }, + "dict": map[string]interface{}{ + "key1": "value1", + "key2": "value2", + }, + }, + "other": map[string]interface{}{ + "data": "info", + }, + }) + tests := []struct { + Input string + Result Node + Error bool + NoMatch bool + }{ + { + "${un-der_score.key1}", + NewStrVal("data1"), + false, + false, + }, + { + "${un-der_score.missing}", + NewStrVal(""), + false, + true, + }, + { + "${un-der_score.missing|un-der_score.key2}", + NewStrVal("data2"), + false, + false, + }, + { + "${un-der_score.missing|un-der_score.missing2|other.data}", + NewStrVal("info"), + false, + false, + }, + { + "${un-der_score.missing|'fallback'}", + NewStrVal("fallback"), + false, + false, + }, + { + `${un-der_score.missing|||||||||"fallback"}`, + NewStrVal("fallback"), + false, + false, + }, + { + `${"direct"}`, + NewStrVal("direct"), + false, + false, + }, + { + `${un-der_score.}`, + NewStrVal(""), + true, + false, + }, + { + `${un-der_score.missing|"oth}`, + NewStrVal(""), + true, + false, + }, + { + `${un-der_score.missing`, + NewStrVal(""), + true, + false, + }, + { + `${un-der_score.missing ${other}`, + NewStrVal(""), + true, + false, + }, + { + `${}`, + NewStrVal(""), + true, + false, + }, + { + "around ${un-der_score.key1} the var", + NewStrVal("around data1 the var"), + false, + false, + }, + { + "multi ${un-der_score.key1} var ${ un-der_score.missing | un-der_score.key2 } around", + NewStrVal("multi data1 var data2 around"), + false, + false, + }, + { + `multi ${un-der_score.key1} var ${ un-der_score.missing| 'other"s with space' } around`, + NewStrVal(`multi data1 var other"s with space around`), + false, + false, + }, + { + `start ${ un-der_score.missing| 'others | with space' } end`, + NewStrVal(`start others | with space end`), + false, + false, + }, + { + `start ${ un-der_score.missing| 'other\'s with space' } end`, + NewStrVal(`start other's with space end`), + false, + false, + }, + { + `${un-der_score.list}`, + NewList([]Node{ + NewStrVal("array1"), + NewStrVal("array2"), + }), + false, + false, + }, + { + `list inside string ${un-der_score.list} causes no match`, + NewList([]Node{ + NewStrVal("array1"), + NewStrVal("array2"), + }), + false, + true, + }, + { + `${un-der_score.dict}`, + NewDict([]Node{ + NewKey("key1", NewStrVal("value1")), + NewKey("key2", NewStrVal("value2")), + }), + false, + false, + }, + { + `dict inside string ${un-der_score.dict} causes no match`, + NewDict([]Node{ + NewKey("key1", NewStrVal("value1")), + NewKey("key2", NewStrVal("value2")), + }), + false, + true, + }, + } + for _, test := range tests { + t.Run(test.Input, func(t *testing.T) { + res, err := vars.Replace(test.Input) + if test.Error { + assert.Error(t, err) + } else if test.NoMatch { + assert.Error(t, ErrNoMatch, err) + } else { + require.NoError(t, err) + assert.Equal(t, test.Result, res) + } + }) + } +} + +func TestVars_ReplaceWithProcessors(t *testing.T) { + processers := Processors{ + { + "add_fields": map[string]interface{}{ + "dynamic": "added", + }, + }, + } + vars, err := NewVarsWithProcessors( + map[string]interface{}{ + "testing": map[string]interface{}{ + "key1": "data1", + }, + "dynamic": map[string]interface{}{ + "key1": "dynamic1", + "list": []string{ + "array1", + "array2", + }, + "dict": map[string]string{ + "key1": "value1", + "key2": "value2", + }, + }, + }, + "dynamic", + processers) + require.NoError(t, err) + + res, err := vars.Replace("${testing.key1}") + require.NoError(t, err) + assert.Equal(t, NewStrVal("data1"), res) + + res, err = vars.Replace("${dynamic.key1}") + require.NoError(t, err) + assert.Equal(t, NewStrValWithProcessors("dynamic1", processers), res) + + res, err = vars.Replace("${other.key1|dynamic.key1}") + require.NoError(t, err) + assert.Equal(t, NewStrValWithProcessors("dynamic1", processers), res) + + res, err = vars.Replace("${dynamic.list}") + require.NoError(t, err) + assert.Equal(t, processers, res.Processors()) + assert.Equal(t, NewListWithProcessors([]Node{ + NewStrVal("array1"), + NewStrVal("array2"), + }, processers), res) + + res, err = vars.Replace("${dynamic.dict}") + require.NoError(t, err) + assert.Equal(t, processers, res.Processors()) + assert.Equal(t, NewDictWithProcessors([]Node{ + NewKey("key1", NewStrVal("value1")), + NewKey("key2", NewStrVal("value2")), + }, processers), res) +} diff --git a/x-pack/elastic-agent/pkg/artifact/config.go b/x-pack/elastic-agent/pkg/artifact/config.go index a8a09de8e48..5b0766cb257 100644 --- a/x-pack/elastic-agent/pkg/artifact/config.go +++ b/x-pack/elastic-agent/pkg/artifact/config.go @@ -30,10 +30,6 @@ type Config struct { // Timeout: timeout for downloading package Timeout time.Duration `json:"timeout" config:"timeout"` - // PgpFile: filepath to a public key used for verifying downloaded artifacts - // if not file is present elastic-agent will try to load public key from elastic.co website. - PgpFile string `json:"pgpfile" config:"pgpfile"` - // InstallPath: path to the directory containing installed packages InstallPath string `yaml:"installPath" config:"install_path"` @@ -47,13 +43,12 @@ type Config struct { // DefaultConfig creates a config with pre-set default values. func DefaultConfig() *Config { - dataPath := paths.Data() + homePath := paths.Home() return &Config{ SourceURI: "https://artifacts.elastic.co/downloads/", - TargetDirectory: filepath.Join(dataPath, "downloads"), + TargetDirectory: filepath.Join(homePath, "downloads"), Timeout: 30 * time.Second, - PgpFile: filepath.Join(dataPath, "elastic.pgp"), - InstallPath: filepath.Join(dataPath, "install"), + InstallPath: filepath.Join(homePath, "install"), } } diff --git a/x-pack/elastic-agent/pkg/artifact/download/fs/downloader.go b/x-pack/elastic-agent/pkg/artifact/download/fs/downloader.go index df289ae03ad..04f4c667e02 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/fs/downloader.go +++ b/x-pack/elastic-agent/pkg/artifact/download/fs/downloader.go @@ -11,6 +11,7 @@ import ( "os" "path/filepath" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" ) @@ -19,10 +20,6 @@ const ( packagePermissions = 0660 ) -var ( - defaultDropSubdir = filepath.Join("data", "downloads") -) - // Downloader is a downloader able to fetch artifacts from elastic.co web page. type Downloader struct { dropPath string @@ -117,13 +114,13 @@ func (e *Downloader) downloadFile(filename, fullPath string) (string, error) { func getDropPath(cfg *artifact.Config) string { // if drop path is not provided fallback to beats subfolder if cfg == nil || cfg.DropPath == "" { - return defaultDropSubdir + return filepath.Join(paths.Home(), "downloads") } // if droppath does not exist fallback to beats subfolder stat, err := os.Stat(cfg.DropPath) if err != nil || !stat.IsDir() { - return defaultDropSubdir + return filepath.Join(paths.Home(), "downloads") } return cfg.DropPath diff --git a/x-pack/elastic-agent/pkg/artifact/download/fs/verifier.go b/x-pack/elastic-agent/pkg/artifact/download/fs/verifier.go index 942a412efdf..d934b20faef 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/fs/verifier.go +++ b/x-pack/elastic-agent/pkg/artifact/download/fs/verifier.go @@ -14,7 +14,6 @@ import ( "os" "path/filepath" "strings" - "sync" "golang.org/x/crypto/openpgp" @@ -29,15 +28,22 @@ const ( // Verifier verifies a downloaded package by comparing with public ASC // file from elastic.co website. type Verifier struct { - config *artifact.Config - pgpBytes []byte + config *artifact.Config + pgpBytes []byte + allowEmptyPgp bool } // NewVerifier create a verifier checking downloaded package on preconfigured // location agains a key stored on elastic.co website. -func NewVerifier(config *artifact.Config) (*Verifier, error) { +func NewVerifier(config *artifact.Config, allowEmptyPgp bool, pgp []byte) (*Verifier, error) { + if len(pgp) == 0 && !allowEmptyPgp { + return nil, errors.New("expecting PGP but retrieved none", errors.TypeSecurity) + } + v := &Verifier{ - config: config, + config: config, + allowEmptyPgp: allowEmptyPgp, + pgpBytes: pgp, } return v, nil @@ -58,9 +64,11 @@ func (v *Verifier) Verify(programName, version string) (bool, error) { // remove bits so they can be redownloaded os.Remove(fullPath) os.Remove(fullPath + ".sha512") + os.Remove(fullPath + ".asc") + return isMatch, err } - return isMatch, err + return v.verifyAsc(filename, fullPath) } func (v *Verifier) verifyHash(filename, fullPath string) (bool, error) { @@ -86,7 +94,7 @@ func (v *Verifier) verifyHash(filename, fullPath string) (bool, error) { } if expectedHash == "" { - return false, fmt.Errorf("hash for '%s' not found", filename) + return false, fmt.Errorf("hash for '%s' not found in '%s'", filename, hashFilePath) } // compute file hash @@ -106,19 +114,16 @@ func (v *Verifier) verifyHash(filename, fullPath string) (bool, error) { } func (v *Verifier) verifyAsc(filename, fullPath string) (bool, error) { - var err error - var pgpBytesLoader sync.Once - - pgpBytesLoader.Do(func() { - err = v.loadPGP(v.config.PgpFile) - }) - - if err != nil { - return false, errors.New(err, "loading PGP") + if len(v.pgpBytes) == 0 { + // no pgp available skip verification process + return true, nil } - ascBytes, err := v.getPublicAsc(filename) - if err != nil { + ascBytes, err := v.getPublicAsc(fullPath) + if err != nil && v.allowEmptyPgp { + // asc not available but we allow empty for dev use-case + return true, nil + } else if err != nil { return false, err } @@ -142,10 +147,8 @@ func (v *Verifier) verifyAsc(filename, fullPath string) (bool, error) { return true, nil } -func (v *Verifier) getPublicAsc(filename string) ([]byte, error) { - ascFile := fmt.Sprintf("%s%s", filename, ascSuffix) - fullPath := filepath.Join(defaultDropSubdir, ascFile) - +func (v *Verifier) getPublicAsc(fullPath string) ([]byte, error) { + fullPath = fmt.Sprintf("%s%s", fullPath, ascSuffix) b, err := ioutil.ReadFile(fullPath) if err != nil { return nil, errors.New(err, fmt.Sprintf("fetching asc file from '%s'", fullPath), errors.TypeFilesystem, errors.M(errors.MetaKeyPath, fullPath)) @@ -153,18 +156,3 @@ func (v *Verifier) getPublicAsc(filename string) ([]byte, error) { return b, nil } - -func (v *Verifier) loadPGP(file string) error { - var err error - - if file == "" { - return errors.New("pgp file not specified for verifier", errors.TypeConfig) - } - - v.pgpBytes, err = ioutil.ReadFile(file) - if err != nil { - return errors.New(err, errors.TypeFilesystem) - } - - return nil -} diff --git a/x-pack/elastic-agent/pkg/artifact/download/fs/verifier_test.go b/x-pack/elastic-agent/pkg/artifact/download/fs/verifier_test.go index 4787656d8b0..4fd845482c5 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/fs/verifier_test.go +++ b/x-pack/elastic-agent/pkg/artifact/download/fs/verifier_test.go @@ -59,7 +59,7 @@ func TestFetchVerify(t *testing.T) { assert.NoError(t, err) downloader := NewDownloader(config) - verifier, err := NewVerifier(config) + verifier, err := NewVerifier(config, true, nil) assert.NoError(t, err) // first download verify should fail: @@ -157,7 +157,7 @@ func TestVerify(t *testing.T) { t.Fatal(err) } - testVerifier, err := NewVerifier(config) + testVerifier, err := NewVerifier(config, true, nil) if err != nil { t.Fatal(err) } diff --git a/x-pack/elastic-agent/pkg/artifact/download/http/elastic_test.go b/x-pack/elastic-agent/pkg/artifact/download/http/elastic_test.go index a1e1ced0b66..0edb979a320 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/http/elastic_test.go +++ b/x-pack/elastic-agent/pkg/artifact/download/http/elastic_test.go @@ -105,7 +105,7 @@ func TestVerify(t *testing.T) { t.Fatal(err) } - testVerifier, err := NewVerifier(config) + testVerifier, err := NewVerifier(config, true, nil) if err != nil { t.Fatal(err) } diff --git a/x-pack/elastic-agent/pkg/artifact/download/http/verifier.go b/x-pack/elastic-agent/pkg/artifact/download/http/verifier.go index 171b3363aec..9f2eacd9395 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/http/verifier.go +++ b/x-pack/elastic-agent/pkg/artifact/download/http/verifier.go @@ -16,7 +16,6 @@ import ( "os" "path" "strings" - "sync" "golang.org/x/crypto/openpgp" @@ -32,20 +31,27 @@ const ( // Verifier verifies a downloaded package by comparing with public ASC // file from elastic.co website. type Verifier struct { - config *artifact.Config - client http.Client - pgpBytes []byte + config *artifact.Config + client http.Client + pgpBytes []byte + allowEmptyPgp bool } // NewVerifier create a verifier checking downloaded package on preconfigured // location agains a key stored on elastic.co website. -func NewVerifier(config *artifact.Config) (*Verifier, error) { +func NewVerifier(config *artifact.Config, allowEmptyPgp bool, pgp []byte) (*Verifier, error) { + if len(pgp) == 0 && !allowEmptyPgp { + return nil, errors.New("expecting PGP but retrieved none", errors.TypeSecurity) + } + client := http.Client{Timeout: config.Timeout} rtt := withHeaders(client.Transport, headers) client.Transport = rtt v := &Verifier{ - config: config, - client: client, + config: config, + client: client, + allowEmptyPgp: allowEmptyPgp, + pgpBytes: pgp, } return v, nil @@ -71,9 +77,11 @@ func (v *Verifier) Verify(programName, version string) (bool, error) { // remove bits so they can be redownloaded os.Remove(fullPath) os.Remove(fullPath + ".sha512") + os.Remove(fullPath + ".asc") + return isMatch, err } - return isMatch, err + return v.verifyAsc(programName, version) } func (v *Verifier) verifyHash(filename, fullPath string) (bool, error) { @@ -120,15 +128,9 @@ func (v *Verifier) verifyHash(filename, fullPath string) (bool, error) { } func (v *Verifier) verifyAsc(programName, version string) (bool, error) { - var err error - var pgpBytesLoader sync.Once - - pgpBytesLoader.Do(func() { - err = v.loadPGP(v.config.PgpFile) - }) - - if err != nil { - return false, errors.New(err, "loading PGP") + if len(v.pgpBytes) == 0 { + // no pgp available skip verification process + return true, nil } filename, err := artifact.GetArtifactName(programName, version, v.config.OS(), v.config.Arch()) @@ -147,7 +149,10 @@ func (v *Verifier) verifyAsc(programName, version string) (bool, error) { } ascBytes, err := v.getPublicAsc(ascURI) - if err != nil { + if err != nil && v.allowEmptyPgp { + // asc not available but we allow empty for dev use-case + return true, nil + } else if err != nil { return false, errors.New(err, fmt.Sprintf("fetching asc file from %s", ascURI), errors.TypeNetwork, errors.M(errors.MetaKeyURI, ascURI)) } @@ -202,33 +207,3 @@ func (v *Verifier) getPublicAsc(sourceURI string) ([]byte, error) { return ioutil.ReadAll(resp.Body) } - -func (v *Verifier) loadPGP(file string) error { - var err error - - if file == "" { - v.pgpBytes, err = v.loadPGPFromWeb() - return err - } - - v.pgpBytes, err = ioutil.ReadFile(file) - if err != nil { - return errors.New(err, errors.TypeFilesystem, errors.M(errors.MetaKeyPath, file)) - } - - return nil -} - -func (v *Verifier) loadPGPFromWeb() ([]byte, error) { - resp, err := v.client.Get(publicKeyURI) - if err != nil { - return nil, errors.New(err, "failed loading public key", errors.TypeNetwork, errors.M(errors.MetaKeyURI, publicKeyURI)) - } - defer resp.Body.Close() - - if resp.StatusCode != 200 { - return nil, errors.New(fmt.Sprintf("call to '%s' returned unsuccessful status code: %d", publicKeyURI, resp.StatusCode), errors.TypeNetwork, errors.M(errors.MetaKeyURI, publicKeyURI)) - } - - return ioutil.ReadAll(resp.Body) -} diff --git a/x-pack/elastic-agent/pkg/artifact/download/localremote/verifier.go b/x-pack/elastic-agent/pkg/artifact/download/localremote/verifier.go index 34863270679..4f33cbbdb8e 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/localremote/verifier.go +++ b/x-pack/elastic-agent/pkg/artifact/download/localremote/verifier.go @@ -17,10 +17,10 @@ import ( // NewVerifier creates a downloader which first checks local directory // and then fallbacks to remote if configured. -func NewVerifier(log *logger.Logger, config *artifact.Config) (download.Verifier, error) { +func NewVerifier(log *logger.Logger, config *artifact.Config, allowEmptyPgp bool, pgp []byte) (download.Verifier, error) { verifiers := make([]download.Verifier, 0, 3) - fsVer, err := fs.NewVerifier(config) + fsVer, err := fs.NewVerifier(config, allowEmptyPgp, pgp) if err != nil { return nil, err } @@ -28,7 +28,7 @@ func NewVerifier(log *logger.Logger, config *artifact.Config) (download.Verifier // try snapshot repo before official if release.Snapshot() { - snapshotVerifier, err := snapshot.NewVerifier(config) + snapshotVerifier, err := snapshot.NewVerifier(config, allowEmptyPgp, pgp) if err != nil { log.Error(err) } else { @@ -36,7 +36,7 @@ func NewVerifier(log *logger.Logger, config *artifact.Config) (download.Verifier } } - remoteVer, err := http.NewVerifier(config) + remoteVer, err := http.NewVerifier(config, allowEmptyPgp, pgp) if err != nil { return nil, err } diff --git a/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go b/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go index f45a38d3f97..6f28ad8d926 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go +++ b/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go @@ -38,7 +38,6 @@ func snapshotConfig(config *artifact.Config) (*artifact.Config, error) { SourceURI: snapshotURI, TargetDirectory: config.TargetDirectory, Timeout: config.Timeout, - PgpFile: config.PgpFile, InstallPath: config.InstallPath, DropPath: config.DropPath, }, nil diff --git a/x-pack/elastic-agent/pkg/artifact/download/snapshot/verifier.go b/x-pack/elastic-agent/pkg/artifact/download/snapshot/verifier.go index 91626a6b55b..e9d8bbd4dc1 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/snapshot/verifier.go +++ b/x-pack/elastic-agent/pkg/artifact/download/snapshot/verifier.go @@ -12,10 +12,10 @@ import ( // NewVerifier creates a downloader which first checks local directory // and then fallbacks to remote if configured. -func NewVerifier(config *artifact.Config, downloaders ...download.Downloader) (download.Verifier, error) { +func NewVerifier(config *artifact.Config, allowEmptyPgp bool, pgp []byte) (download.Verifier, error) { cfg, err := snapshotConfig(config) if err != nil { return nil, err } - return http.NewVerifier(cfg) + return http.NewVerifier(cfg, allowEmptyPgp, pgp) } diff --git a/x-pack/elastic-agent/pkg/artifact/install/zip/zip_installer.go b/x-pack/elastic-agent/pkg/artifact/install/zip/zip_installer.go index 451cd701627..ffc90f2dce8 100644 --- a/x-pack/elastic-agent/pkg/artifact/install/zip/zip_installer.go +++ b/x-pack/elastic-agent/pkg/artifact/install/zip/zip_installer.go @@ -7,11 +7,12 @@ package zip import ( "archive/zip" "context" - "fmt" + "io" "os" - "os/exec" "path/filepath" + "github.com/hashicorp/go-multierror" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" ) @@ -47,7 +48,7 @@ func (i *Installer) Install(_ context.Context, programName, version, installDir os.RemoveAll(installDir) } - if err := i.unzip(artifactPath, programName, version); err != nil { + if err := i.unzip(artifactPath); err != nil { return err } @@ -67,14 +68,59 @@ func (i *Installer) Install(_ context.Context, programName, version, installDir return nil } -func (i *Installer) unzip(artifactPath, programName, version string) error { - if _, err := os.Stat(artifactPath); err != nil { - return errors.New(fmt.Sprintf("artifact for '%s' version '%s' could not be found at '%s'", programName, version, artifactPath), errors.TypeFilesystem, errors.M(errors.MetaKeyPath, artifactPath)) +func (i *Installer) unzip(artifactPath string) error { + r, err := zip.OpenReader(artifactPath) + if err != nil { + return err + } + defer r.Close() + + if err := os.MkdirAll(i.config.InstallPath, 0755); err != nil && !os.IsExist(err) { + // failed to create install dir + return err + } + + unpackFile := func(f *zip.File) (err error) { + rc, err := f.Open() + if err != nil { + return err + } + defer func() { + if cerr := rc.Close(); cerr != nil { + err = multierror.Append(err, cerr) + } + }() + + path := filepath.Join(i.config.InstallPath, f.Name) + + if f.FileInfo().IsDir() { + os.MkdirAll(path, f.Mode()) + } else { + os.MkdirAll(filepath.Dir(path), f.Mode()) + f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode()) + if err != nil { + return err + } + defer func() { + if cerr := f.Close(); cerr != nil { + err = multierror.Append(err, cerr) + } + }() + + if _, err = io.Copy(f, rc); err != nil { + return err + } + } + return nil } - powershellArg := fmt.Sprintf("Expand-Archive -LiteralPath \"%s\" -DestinationPath \"%s\"", artifactPath, i.config.InstallPath) - installCmd := exec.Command("powershell", "-command", powershellArg) - return installCmd.Run() + for _, f := range r.File { + if err := unpackFile(f); err != nil { + return err + } + } + + return nil } // retrieves root directory from zip archive diff --git a/x-pack/elastic-agent/pkg/basecmd/cmd.go b/x-pack/elastic-agent/pkg/basecmd/cmd.go index 9b957916fb1..b30b540d472 100644 --- a/x-pack/elastic-agent/pkg/basecmd/cmd.go +++ b/x-pack/elastic-agent/pkg/basecmd/cmd.go @@ -7,6 +7,7 @@ package basecmd import ( "github.com/spf13/cobra" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/basecmd/restart" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/basecmd/version" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" ) @@ -14,6 +15,7 @@ import ( // NewDefaultCommandsWithArgs returns a list of default commands to executes. func NewDefaultCommandsWithArgs(args []string, streams *cli.IOStreams) []*cobra.Command { return []*cobra.Command{ + restart.NewCommandWithArgs(streams), version.NewCommandWithArgs(streams), } } diff --git a/x-pack/elastic-agent/pkg/basecmd/restart/cmd.go b/x-pack/elastic-agent/pkg/basecmd/restart/cmd.go new file mode 100644 index 00000000000..ebb3bf6effd --- /dev/null +++ b/x-pack/elastic-agent/pkg/basecmd/restart/cmd.go @@ -0,0 +1,37 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package restart + +import ( + "context" + + "github.com/spf13/cobra" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/client" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" +) + +// NewCommandWithArgs returns a new version command. +func NewCommandWithArgs(streams *cli.IOStreams) *cobra.Command { + return &cobra.Command{ + Use: "restart", + Short: "Restart the currently running Elastic Agent daemon", + RunE: func(cmd *cobra.Command, _ []string) error { + c := client.New() + err := c.Connect(context.Background()) + if err != nil { + return errors.New(err, "Failed communicating to running daemon", errors.TypeNetwork, errors.M("socket", control.Address())) + } + defer c.Disconnect() + err = c.Restart(context.Background()) + if err != nil { + return errors.New(err, "Failed trigger restart of daemon") + } + return nil + }, + } +} diff --git a/x-pack/elastic-agent/pkg/basecmd/version/cmd.go b/x-pack/elastic-agent/pkg/basecmd/version/cmd.go index 0bf25438e80..b4e602759cb 100644 --- a/x-pack/elastic-agent/pkg/basecmd/version/cmd.go +++ b/x-pack/elastic-agent/pkg/basecmd/version/cmd.go @@ -5,32 +5,95 @@ package version import ( + "context" "fmt" "github.com/spf13/cobra" + "gopkg.in/yaml.v2" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/client" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" ) +// Output returns the output when `--yaml` is used. +type Output struct { + Binary *release.VersionInfo `yaml:"binary"` + Daemon *release.VersionInfo `yaml:"daemon,omitempty"` +} + // NewCommandWithArgs returns a new version command. func NewCommandWithArgs(streams *cli.IOStreams) *cobra.Command { - return &cobra.Command{ + cmd := &cobra.Command{ Use: "version", Short: "Display the version of the elastic-agent.", - Run: func(_ *cobra.Command, _ []string) { - version := release.Version() - if release.Snapshot() { - version = version + "-SNAPSHOT" + Run: func(cmd *cobra.Command, _ []string) { + var daemon *release.VersionInfo + var daemonError error + + binary := release.Info() + binaryOnly, _ := cmd.Flags().GetBool("binary-only") + if !binaryOnly { + c := client.New() + daemonError = c.Connect(context.Background()) + if daemonError == nil { + defer c.Disconnect() + + var version client.Version + version, daemonError = c.Version(context.Background()) + if daemonError == nil { + daemon = &release.VersionInfo{ + Version: version.Version, + Commit: version.Commit, + BuildTime: version.BuildTime, + Snapshot: version.Snapshot, + } + } + } + } + if daemonError != nil { + fmt.Fprintf(streams.Err, "Failed talking to running daemon: %s\n", daemonError) + } + + outputYaml, _ := cmd.Flags().GetBool("yaml") + if outputYaml { + p := Output{ + Binary: &binary, + Daemon: daemon, + } + out, err := yaml.Marshal(p) + if err != nil { + fmt.Fprintf(streams.Err, "Failed to render YAML: %s\n", err) + } + fmt.Fprintf(streams.Out, "%s", out) + return } - fmt.Fprintf( - streams.Out, - "Agent version is %s (build: %s at %s)\n", - version, - release.Commit(), - release.BuildTime(), - ) + if !binaryOnly { + mismatch := false + str := "" + if daemon != nil { + str = daemon.String() + mismatch = isMismatch(&binary, daemon) + } + if mismatch { + fmt.Fprintf(streams.Err, "WARN: Then running daemon of Elastic Agent does not match this version.\n") + } + fmt.Fprintf(streams.Out, "Daemon: %s\n", str) + } + fmt.Fprintf(streams.Out, "Binary: %s\n", binary.String()) }, } + + cmd.Flags().Bool("binary-only", false, "Version of current binary only") + cmd.Flags().Bool("yaml", false, "Output information in YAML format") + + return cmd +} + +func isMismatch(a *release.VersionInfo, b *release.VersionInfo) bool { + if a.Commit != "unknown" && b.Commit != "unknown" { + return a.Commit != b.Commit + } + return a.Version != b.Version || a.BuildTime != b.BuildTime || a.Snapshot != b.Snapshot } diff --git a/x-pack/elastic-agent/pkg/basecmd/version/cmd_test.go b/x-pack/elastic-agent/pkg/basecmd/version/cmd_test.go index 111d174608f..119809338d6 100644 --- a/x-pack/elastic-agent/pkg/basecmd/version/cmd_test.go +++ b/x-pack/elastic-agent/pkg/basecmd/version/cmd_test.go @@ -10,17 +10,90 @@ import ( "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "gopkg.in/yaml.v2" + "github.com/elastic/beats/v7/libbeat/logp" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control/server" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" ) -func TestCmd(t *testing.T) { +func TestCmdBinaryOnly(t *testing.T) { + streams, _, out, _ := cli.NewTestingIOStreams() + cmd := NewCommandWithArgs(streams) + cmd.Flags().Set("binary-only", "true") + cmd.Execute() + version, err := ioutil.ReadAll(out) + + require.NoError(t, err) + assert.True(t, strings.Contains(string(version), "Binary: ")) + assert.False(t, strings.Contains(string(version), "Daemon: ")) +} + +func TestCmdBinaryOnlyYAML(t *testing.T) { + streams, _, out, _ := cli.NewTestingIOStreams() + cmd := NewCommandWithArgs(streams) + cmd.Flags().Set("binary-only", "true") + cmd.Flags().Set("yaml", "true") + cmd.Execute() + version, err := ioutil.ReadAll(out) + + require.NoError(t, err) + + var output Output + err = yaml.Unmarshal(version, &output) + require.NoError(t, err) + + assert.Nil(t, output.Daemon) + assert.Equal(t, release.Info(), *output.Binary) +} + +func TestCmdDaemon(t *testing.T) { + srv := server.New(newErrorLogger(t), nil) + require.NoError(t, srv.Start()) + defer srv.Stop() + + streams, _, out, _ := cli.NewTestingIOStreams() + cmd := NewCommandWithArgs(streams) + cmd.Execute() + version, err := ioutil.ReadAll(out) + + require.NoError(t, err) + assert.True(t, strings.Contains(string(version), "Binary: ")) + assert.True(t, strings.Contains(string(version), "Daemon: ")) +} + +func TestCmdDaemonYAML(t *testing.T) { + srv := server.New(newErrorLogger(t), nil) + require.NoError(t, srv.Start()) + defer srv.Stop() + streams, _, out, _ := cli.NewTestingIOStreams() - NewCommandWithArgs(streams).Execute() + cmd := NewCommandWithArgs(streams) + cmd.Flags().Set("yaml", "true") + cmd.Execute() version, err := ioutil.ReadAll(out) - if !assert.NoError(t, err) { - return - } - assert.True(t, strings.Contains(string(version), "Agent version is")) + require.NoError(t, err) + + var output Output + err = yaml.Unmarshal(version, &output) + require.NoError(t, err) + + assert.Equal(t, release.Info(), *output.Daemon) + assert.Equal(t, release.Info(), *output.Binary) +} + +func newErrorLogger(t *testing.T) *logger.Logger { + t.Helper() + + loggerCfg := logger.DefaultLoggingConfig() + loggerCfg.Level = logp.ErrorLevel + + log, err := logger.NewFromConfig("", loggerCfg) + require.NoError(t, err) + return log } diff --git a/x-pack/elastic-agent/pkg/boolexp/Boolexp.g4 b/x-pack/elastic-agent/pkg/boolexp/Boolexp.g4 deleted file mode 100644 index fd587c1c8b0..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/Boolexp.g4 +++ /dev/null @@ -1,55 +0,0 @@ -// boolexp.g4 -grammar Boolexp; - -// Tokens -EQ: '=='; -NEQ: '!='; -GT: '>'; -LT: '<'; -GTE: '>='; -LTE: '<='; -AND: 'and' | 'AND' | '&&'; -OR: 'or' | 'OR' | '||'; -TRUE: 'true' | 'TRUE'; -FALSE: 'false' | 'FALSE'; -FLOAT: [0-9]+ '.' [0-9]+; -NUMBER: [0-9]+; -WHITESPACE: [ \r\n\t]+ -> skip; -NOT: 'NOT' | '!' | 'not'; -VARIABLE: BEGIN_VARIABLE [a-zA-Z0-9_.]+('.'[a-zZ0-9_]+)* END_VARIABLE; -METHODNAME: [a-zA-Z_] [a-zA-Z0-9_]*; -TEXT : '\'' ~[\r\n']* '\''; -LPAR: '('; -RPAR: ')'; -fragment BEGIN_VARIABLE: '%{['; -fragment END_VARIABLE: ']}'; - -expList: exp EOF; - -exp -: LPAR exp RPAR # ExpInParen -| NOT exp # ExpNot -| left=exp EQ right=exp # ExpArithmeticEQ -| left=exp NEQ right=exp # ExpArithmeticNEQ -| left=exp LTE right=exp # ExpArithmeticLTE -| left=exp GTE right=exp # ExpArithmeticGTE -| left=exp LT right=exp # ExpArithmeticLT -| left=exp GT right=exp # ExpArithmeticGT -| left=exp AND right=exp # ExpLogicalAnd -| left=exp OR right=exp # ExpLogicalOR -| boolean # ExpBoolean -| VARIABLE # ExpVariable -| METHODNAME LPAR arguments? RPAR # ExpFunction -| TEXT # ExpText -| FLOAT # ExpFloat -| NUMBER # ExpNumber -; - -boolean -: TRUE | FALSE -; - -arguments -: exp( ',' exp)* -; - diff --git a/x-pack/elastic-agent/pkg/boolexp/boolexp_test.go b/x-pack/elastic-agent/pkg/boolexp/boolexp_test.go deleted file mode 100644 index 44faa8e2bb0..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/boolexp_test.go +++ /dev/null @@ -1,273 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package boolexp - -import ( - "fmt" - "os" - "strings" - "testing" - - "github.com/antlr/antlr4/runtime/Go/antlr" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/boolexp/parser" -) - -var showDebug = lookupEnvOrDefault("DEBUG", "0") - -type testVarStore struct { - vars map[string]interface{} -} - -func (s *testVarStore) Lookup(v string) (interface{}, bool) { - val, ok := s.vars[v] - return val, ok -} - -func TestBoolexp(t *testing.T) { - testcases := []struct { - expression string - result bool - err bool - }{ - // Variables - {expression: "%{[hello.var]} == 'hello'", result: true}, - {expression: "%{[hello.var]} != 'hello'", result: false}, - {expression: "contains(%{[hello.var]}, 'hell')", result: true}, - - {expression: "true", result: true}, - {expression: "false", result: false}, - {expression: "!false", result: true}, - {expression: "!true", result: false}, - {expression: "!(1 == 1)", result: false}, - {expression: "NOT false", result: true}, - {expression: "NOT true", result: false}, - {expression: "not false", result: true}, - {expression: "not true", result: false}, - {expression: "NOT (1 == 1)", result: false}, - - {expression: "1 == 1", result: true}, - {expression: "1 == 2", result: false}, - {expression: "1 != 2", result: true}, - {expression: "1 != 1", result: false}, - {expression: "'hello' == 'hello'", result: true}, - {expression: "'hello' == 'hola'", result: false}, - - // and - {expression: "(1 == 1) AND (2 == 2)", result: true}, - {expression: "(1 == 4) AND (2 == 2)", result: false}, - {expression: "(1 == 1) AND (2 == 3)", result: false}, - {expression: "(1 == 5) AND (2 == 3)", result: false}, - - {expression: "1 == 1 AND 2 == 2", result: true}, - {expression: "1 == 4 AND 2 == 2", result: false}, - {expression: "1 == 1 AND 2 == 3", result: false}, - {expression: "1 == 5 AND 2 == 3", result: false}, - - {expression: "(1 == 1) and (2 == 2)", result: true}, - {expression: "(1 == 4) and (2 == 2)", result: false}, - {expression: "(1 == 1) and (2 == 3)", result: false}, - {expression: "(1 == 5) and (2 == 3)", result: false}, - - {expression: "(1 == 1) && (2 == 2)", result: true}, - {expression: "(1 == 4) && (2 == 2)", result: false}, - {expression: "(1 == 1) && (2 == 3)", result: false}, - {expression: "(1 == 5) && (2 == 3)", result: false}, - - // or - {expression: "(1 == 1) OR (2 == 2)", result: true}, - {expression: "(1 == 1) OR (3 == 2)", result: true}, - {expression: "(1 == 2) OR (2 == 2)", result: true}, - {expression: "(1 == 2) OR (2 == 2)", result: true}, - {expression: "(1 == 2) OR (1 == 2)", result: false}, - - {expression: "(1 == 1) or (2 == 2)", result: true}, - {expression: "(1 == 1) or (3 == 2)", result: true}, - {expression: "(1 == 2) or (2 == 2)", result: true}, - {expression: "(1 == 2) or (2 == 2)", result: true}, - {expression: "(1 == 2) or (1 == 2)", result: false}, - - {expression: "(1 == 1) || (2 == 2)", result: true}, - {expression: "(1 == 1) || (3 == 2)", result: true}, - {expression: "(1 == 2) || (2 == 2)", result: true}, - {expression: "(1 == 2) || (2 == 2)", result: true}, - {expression: "(1 == 2) || (1 == 2)", result: false}, - - // mixed - {expression: "((1 == 1) AND (2 == 2)) OR (2 != 3)", result: true}, - {expression: "(1 == 1 OR 2 == 2) AND 2 != 3", result: true}, - {expression: "((1 == 1) AND (2 == 2)) OR (2 != 3)", result: true}, - {expression: "1 == 1 OR 2 == 2 AND 2 != 3", result: true}, - - // functions - {expression: "len('hello') == 5", result: true}, - {expression: "len('hello') != 1", result: true}, - {expression: "len('hello') == 1", result: false}, - {expression: "(len('hello') == 5) AND (len('Hi') == 2)", result: true}, - {expression: "len('hello') == size('hello')", result: true}, - {expression: "len('hello') == size('hi')", result: false}, - {expression: "contains('hello', 'eial')", result: false}, - {expression: "contains('hello', 'hel')", result: true}, - {expression: "!contains('hello', 'hel')", result: false}, - {expression: "contains('hello', 'hel') == true", result: true}, - {expression: "contains('hello', 'hel') == false", result: false}, - {expression: "countArgs('A', 'B', 'C', 'D', 'E', 'F') == 6", result: true}, - {expression: "countArgs('A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J') == 10", result: true}, - - // integers - {expression: "1 < 5", result: true}, - {expression: "10 < 5", result: false}, - {expression: "1 > 5", result: false}, - {expression: "10 > 5", result: true}, - {expression: "1 <= 5", result: true}, - {expression: "5 <= 5", result: true}, - {expression: "10 <= 5", result: false}, - {expression: "10 >= 5", result: true}, - {expression: "5 >= 5", result: true}, - {expression: "4 >= 5", result: false}, - - // Floats - {expression: "1 == 1.0", result: true}, - {expression: "1.0 == 1.0", result: true}, - {expression: "1.0 == 1", result: true}, - {expression: "1 != 2.0", result: true}, - {expression: "1.0 != 2.0", result: true}, - {expression: "1.0 != 2", result: true}, - {expression: "1 < 5.0", result: true}, - {expression: "10 < 5.0", result: false}, - {expression: "1 > 5.0", result: false}, - {expression: "10 > 5.0", result: true}, - {expression: "1 <= 5.0", result: true}, - {expression: "10 <= 5.0", result: false}, - {expression: "1 >= 5.0", result: false}, - {expression: "10 >= 5.0", result: true}, - {expression: "10 >= 10.0", result: true}, - {expression: "10 <= 10.0", result: true}, - - // Bad expression and malformed expression - {expression: "contains('hello')", err: true}, - {expression: "contains()", err: true}, - {expression: "contains()", err: true}, - {expression: "donotexist()", err: true}, - } - - store := &testVarStore{ - vars: map[string]interface{}{ - "hello.var": "hello", - }, - } - - fn := func(args []interface{}) (interface{}, error) { - if len(args) != 1 { - return nil, fmt.Errorf("expecting 1 argument received %d", len(args)) - } - val, ok := args[0].(string) - if !ok { - return nil, fmt.Errorf("expecting a string received %T", args[0]) - } - return len(val), nil - } - - methods := NewMethodsReg() - methods.Register("len", fn) - // test function aliasing - methods.Register("size", fn) - // test multiples arguments function. - methods.Register("contains", func(args []interface{}) (interface{}, error) { - if len(args) != 2 { - return nil, fmt.Errorf("expecting 2 arguments received %d", len(args)) - } - - haystack, ok := args[0].(string) - if !ok { - return nil, fmt.Errorf("args 1 must be a string and received %T", args[0]) - } - - needle, ok := args[1].(string) - if !ok { - return nil, fmt.Errorf("args 2 must be a string and received %T", args[0]) - } - - return strings.Contains(haystack, needle), nil - }, - ) - - methods.Register("countArgs", func(args []interface{}) (interface{}, error) { - return len(args), nil - }) - - for _, test := range testcases { - test := test - var title string - if test.err { - title = fmt.Sprintf("%s failed parsing", test.expression) - } else { - title = fmt.Sprintf("%s => return %v", test.expression, test.result) - } - t.Run(title, func(t *testing.T) { - if showDebug == "1" { - debug(test.expression) - } - - r, err := Eval(test.expression, methods, store) - - if test.err { - require.Error(t, err) - return - } - - assert.Equal(t, test.result, r) - }) - } -} - -func debug(expression string) { - raw := antlr.NewInputStream(expression) - - lexer := parser.NewBoolexpLexer(raw) - for { - t := lexer.NextToken() - if t.GetTokenType() == antlr.TokenEOF { - break - } - fmt.Printf("%s (%q)\n", - lexer.SymbolicNames[t.GetTokenType()], t.GetText()) - } -} - -var result bool - -func BenchmarkEval(b *testing.B) { - fn := func(args []interface{}) (interface{}, error) { - if len(args) != 1 { - return nil, fmt.Errorf("expecting 1 argument received %d", len(args)) - } - val, ok := args[0].(string) - if !ok { - return nil, fmt.Errorf("expecting a string received %T", args[0]) - } - return len(val), nil - } - - methods := NewMethodsReg() - methods.Register("len", fn) - - expression, _ := New("(len('hello') == 5) AND (len('Hi') == 2)", methods) - - var r bool - for n := 0; n < b.N; n++ { - r, _ = expression.Eval(nil) - } - result = r -} - -func lookupEnvOrDefault(name, d string) string { - if v, ok := os.LookupEnv(name); ok { - return v - } - return d -} diff --git a/x-pack/elastic-agent/pkg/boolexp/methods.go b/x-pack/elastic-agent/pkg/boolexp/methods.go deleted file mode 100644 index eada71e1bde..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/methods.go +++ /dev/null @@ -1,58 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package boolexp - -import "fmt" - -// CallFunc is a function called while the expression evaluation is done, the function is responsable -// of doing the type conversion and allow checking the arity of the function. -type CallFunc func(args []interface{}) (interface{}, error) - -// Method encapsulate a method. -type Method struct { - Name string - Func CallFunc -} - -// MethodsReg is the registry of the methods, when the evaluation is done and a function is found we -// will lookup the function in the registry. If the method is found the methods will be executed, -// otherwise the evaluation will fail. -// -// NOTE: Define methods must have a unique name and capitalization is important. -type MethodsReg struct { - methods map[string]Method -} - -// Register registers a new methods, the method will return an error if the method with the same -// name already exists in the registry. -func (m *MethodsReg) Register(name string, f CallFunc) error { - _, ok := m.methods[name] - if ok { - return fmt.Errorf("method %s already exists", name) - } - m.methods[name] = Method{Name: name, Func: f} - return nil -} - -// MustRegister registers a new methods and will panic on any error. -func (m *MethodsReg) MustRegister(name string, f CallFunc) { - err := m.Register(name, f) - if err != nil { - panic(err) - } -} - -// Lookup search a methods by name and return it, will return false if the method is not found. -// -// NOTE: When looking methods name capitalization is important. -func (m *MethodsReg) Lookup(name string) (Method, bool) { - v, ok := m.methods[name] - return v, ok -} - -// NewMethodsReg returns a new methods registry. -func NewMethodsReg() *MethodsReg { - return &MethodsReg{methods: make(map[string]Method)} -} diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/Boolexp.interp b/x-pack/elastic-agent/pkg/boolexp/parser/Boolexp.interp deleted file mode 100644 index b3a5b7da1f5..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/parser/Boolexp.interp +++ /dev/null @@ -1,55 +0,0 @@ -token literal names: -null -',' -'==' -'!=' -'>' -'<' -'>=' -'<=' -null -null -null -null -null -null -null -null -null -null -null -'(' -')' - -token symbolic names: -null -null -EQ -NEQ -GT -LT -GTE -LTE -AND -OR -TRUE -FALSE -FLOAT -NUMBER -WHITESPACE -NOT -VARIABLE -METHODNAME -TEXT -LPAR -RPAR - -rule names: -expList -exp -boolean -arguments - - -atn: -[3, 24715, 42794, 33075, 47597, 16764, 15335, 30598, 22884, 3, 22, 73, 4, 2, 9, 2, 4, 3, 9, 3, 4, 4, 9, 4, 4, 5, 9, 5, 3, 2, 3, 2, 3, 2, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 5, 3, 26, 10, 3, 3, 3, 3, 3, 3, 3, 3, 3, 5, 3, 32, 10, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 7, 3, 58, 10, 3, 12, 3, 14, 3, 61, 11, 3, 3, 4, 3, 4, 3, 5, 3, 5, 3, 5, 7, 5, 68, 10, 5, 12, 5, 14, 5, 71, 11, 5, 3, 5, 2, 3, 4, 6, 2, 4, 6, 8, 2, 3, 3, 2, 12, 13, 2, 85, 2, 10, 3, 2, 2, 2, 4, 31, 3, 2, 2, 2, 6, 62, 3, 2, 2, 2, 8, 64, 3, 2, 2, 2, 10, 11, 5, 4, 3, 2, 11, 12, 7, 2, 2, 3, 12, 3, 3, 2, 2, 2, 13, 14, 8, 3, 1, 2, 14, 15, 7, 21, 2, 2, 15, 16, 5, 4, 3, 2, 16, 17, 7, 22, 2, 2, 17, 32, 3, 2, 2, 2, 18, 19, 7, 17, 2, 2, 19, 32, 5, 4, 3, 17, 20, 32, 5, 6, 4, 2, 21, 32, 7, 18, 2, 2, 22, 23, 7, 19, 2, 2, 23, 25, 7, 21, 2, 2, 24, 26, 5, 8, 5, 2, 25, 24, 3, 2, 2, 2, 25, 26, 3, 2, 2, 2, 26, 27, 3, 2, 2, 2, 27, 32, 7, 22, 2, 2, 28, 32, 7, 20, 2, 2, 29, 32, 7, 14, 2, 2, 30, 32, 7, 15, 2, 2, 31, 13, 3, 2, 2, 2, 31, 18, 3, 2, 2, 2, 31, 20, 3, 2, 2, 2, 31, 21, 3, 2, 2, 2, 31, 22, 3, 2, 2, 2, 31, 28, 3, 2, 2, 2, 31, 29, 3, 2, 2, 2, 31, 30, 3, 2, 2, 2, 32, 59, 3, 2, 2, 2, 33, 34, 12, 16, 2, 2, 34, 35, 7, 4, 2, 2, 35, 58, 5, 4, 3, 17, 36, 37, 12, 15, 2, 2, 37, 38, 7, 5, 2, 2, 38, 58, 5, 4, 3, 16, 39, 40, 12, 14, 2, 2, 40, 41, 7, 9, 2, 2, 41, 58, 5, 4, 3, 15, 42, 43, 12, 13, 2, 2, 43, 44, 7, 8, 2, 2, 44, 58, 5, 4, 3, 14, 45, 46, 12, 12, 2, 2, 46, 47, 7, 7, 2, 2, 47, 58, 5, 4, 3, 13, 48, 49, 12, 11, 2, 2, 49, 50, 7, 6, 2, 2, 50, 58, 5, 4, 3, 12, 51, 52, 12, 10, 2, 2, 52, 53, 7, 10, 2, 2, 53, 58, 5, 4, 3, 11, 54, 55, 12, 9, 2, 2, 55, 56, 7, 11, 2, 2, 56, 58, 5, 4, 3, 10, 57, 33, 3, 2, 2, 2, 57, 36, 3, 2, 2, 2, 57, 39, 3, 2, 2, 2, 57, 42, 3, 2, 2, 2, 57, 45, 3, 2, 2, 2, 57, 48, 3, 2, 2, 2, 57, 51, 3, 2, 2, 2, 57, 54, 3, 2, 2, 2, 58, 61, 3, 2, 2, 2, 59, 57, 3, 2, 2, 2, 59, 60, 3, 2, 2, 2, 60, 5, 3, 2, 2, 2, 61, 59, 3, 2, 2, 2, 62, 63, 9, 2, 2, 2, 63, 7, 3, 2, 2, 2, 64, 69, 5, 4, 3, 2, 65, 66, 7, 3, 2, 2, 66, 68, 5, 4, 3, 2, 67, 65, 3, 2, 2, 2, 68, 71, 3, 2, 2, 2, 69, 67, 3, 2, 2, 2, 69, 70, 3, 2, 2, 2, 70, 9, 3, 2, 2, 2, 71, 69, 3, 2, 2, 2, 7, 25, 31, 57, 59, 69] \ No newline at end of file diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/Boolexp.tokens b/x-pack/elastic-agent/pkg/boolexp/parser/Boolexp.tokens deleted file mode 100644 index 6892b3a80c1..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/parser/Boolexp.tokens +++ /dev/null @@ -1,29 +0,0 @@ -T__0=1 -EQ=2 -NEQ=3 -GT=4 -LT=5 -GTE=6 -LTE=7 -AND=8 -OR=9 -TRUE=10 -FALSE=11 -FLOAT=12 -NUMBER=13 -WHITESPACE=14 -NOT=15 -VARIABLE=16 -METHODNAME=17 -TEXT=18 -LPAR=19 -RPAR=20 -','=1 -'=='=2 -'!='=3 -'>'=4 -'<'=5 -'>='=6 -'<='=7 -'('=19 -')'=20 diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/BoolexpLexer.interp b/x-pack/elastic-agent/pkg/boolexp/parser/BoolexpLexer.interp deleted file mode 100644 index 11612b59eb9..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/parser/BoolexpLexer.interp +++ /dev/null @@ -1,79 +0,0 @@ -token literal names: -null -',' -'==' -'!=' -'>' -'<' -'>=' -'<=' -null -null -null -null -null -null -null -null -null -null -null -'(' -')' - -token symbolic names: -null -null -EQ -NEQ -GT -LT -GTE -LTE -AND -OR -TRUE -FALSE -FLOAT -NUMBER -WHITESPACE -NOT -VARIABLE -METHODNAME -TEXT -LPAR -RPAR - -rule names: -T__0 -EQ -NEQ -GT -LT -GTE -LTE -AND -OR -TRUE -FALSE -FLOAT -NUMBER -WHITESPACE -NOT -VARIABLE -METHODNAME -TEXT -LPAR -RPAR -BEGIN_VARIABLE -END_VARIABLE - -channel names: -DEFAULT_TOKEN_CHANNEL -HIDDEN - -mode names: -DEFAULT_MODE - -atn: -[3, 24715, 42794, 33075, 47597, 16764, 15335, 30598, 22884, 2, 22, 183, 8, 1, 4, 2, 9, 2, 4, 3, 9, 3, 4, 4, 9, 4, 4, 5, 9, 5, 4, 6, 9, 6, 4, 7, 9, 7, 4, 8, 9, 8, 4, 9, 9, 9, 4, 10, 9, 10, 4, 11, 9, 11, 4, 12, 9, 12, 4, 13, 9, 13, 4, 14, 9, 14, 4, 15, 9, 15, 4, 16, 9, 16, 4, 17, 9, 17, 4, 18, 9, 18, 4, 19, 9, 19, 4, 20, 9, 20, 4, 21, 9, 21, 4, 22, 9, 22, 4, 23, 9, 23, 3, 2, 3, 2, 3, 3, 3, 3, 3, 3, 3, 4, 3, 4, 3, 4, 3, 5, 3, 5, 3, 6, 3, 6, 3, 7, 3, 7, 3, 7, 3, 8, 3, 8, 3, 8, 3, 9, 3, 9, 3, 9, 3, 9, 3, 9, 3, 9, 3, 9, 3, 9, 5, 9, 74, 10, 9, 3, 10, 3, 10, 3, 10, 3, 10, 3, 10, 3, 10, 5, 10, 82, 10, 10, 3, 11, 3, 11, 3, 11, 3, 11, 3, 11, 3, 11, 3, 11, 3, 11, 5, 11, 92, 10, 11, 3, 12, 3, 12, 3, 12, 3, 12, 3, 12, 3, 12, 3, 12, 3, 12, 3, 12, 3, 12, 5, 12, 104, 10, 12, 3, 13, 6, 13, 107, 10, 13, 13, 13, 14, 13, 108, 3, 13, 3, 13, 6, 13, 113, 10, 13, 13, 13, 14, 13, 114, 3, 14, 6, 14, 118, 10, 14, 13, 14, 14, 14, 119, 3, 15, 6, 15, 123, 10, 15, 13, 15, 14, 15, 124, 3, 15, 3, 15, 3, 16, 3, 16, 3, 16, 3, 16, 3, 16, 3, 16, 3, 16, 5, 16, 136, 10, 16, 3, 17, 3, 17, 6, 17, 140, 10, 17, 13, 17, 14, 17, 141, 3, 17, 3, 17, 6, 17, 146, 10, 17, 13, 17, 14, 17, 147, 7, 17, 150, 10, 17, 12, 17, 14, 17, 153, 11, 17, 3, 17, 3, 17, 3, 18, 3, 18, 7, 18, 159, 10, 18, 12, 18, 14, 18, 162, 11, 18, 3, 19, 3, 19, 7, 19, 166, 10, 19, 12, 19, 14, 19, 169, 11, 19, 3, 19, 3, 19, 3, 20, 3, 20, 3, 21, 3, 21, 3, 22, 3, 22, 3, 22, 3, 22, 3, 23, 3, 23, 3, 23, 2, 2, 24, 3, 3, 5, 4, 7, 5, 9, 6, 11, 7, 13, 8, 15, 9, 17, 10, 19, 11, 21, 12, 23, 13, 25, 14, 27, 15, 29, 16, 31, 17, 33, 18, 35, 19, 37, 20, 39, 21, 41, 22, 43, 2, 45, 2, 3, 2, 9, 3, 2, 50, 59, 5, 2, 11, 12, 15, 15, 34, 34, 7, 2, 48, 48, 50, 59, 67, 92, 97, 97, 99, 124, 6, 2, 50, 59, 92, 92, 97, 97, 99, 124, 5, 2, 67, 92, 97, 97, 99, 124, 6, 2, 50, 59, 67, 92, 97, 97, 99, 124, 5, 2, 12, 12, 15, 15, 41, 41, 2, 197, 2, 3, 3, 2, 2, 2, 2, 5, 3, 2, 2, 2, 2, 7, 3, 2, 2, 2, 2, 9, 3, 2, 2, 2, 2, 11, 3, 2, 2, 2, 2, 13, 3, 2, 2, 2, 2, 15, 3, 2, 2, 2, 2, 17, 3, 2, 2, 2, 2, 19, 3, 2, 2, 2, 2, 21, 3, 2, 2, 2, 2, 23, 3, 2, 2, 2, 2, 25, 3, 2, 2, 2, 2, 27, 3, 2, 2, 2, 2, 29, 3, 2, 2, 2, 2, 31, 3, 2, 2, 2, 2, 33, 3, 2, 2, 2, 2, 35, 3, 2, 2, 2, 2, 37, 3, 2, 2, 2, 2, 39, 3, 2, 2, 2, 2, 41, 3, 2, 2, 2, 3, 47, 3, 2, 2, 2, 5, 49, 3, 2, 2, 2, 7, 52, 3, 2, 2, 2, 9, 55, 3, 2, 2, 2, 11, 57, 3, 2, 2, 2, 13, 59, 3, 2, 2, 2, 15, 62, 3, 2, 2, 2, 17, 73, 3, 2, 2, 2, 19, 81, 3, 2, 2, 2, 21, 91, 3, 2, 2, 2, 23, 103, 3, 2, 2, 2, 25, 106, 3, 2, 2, 2, 27, 117, 3, 2, 2, 2, 29, 122, 3, 2, 2, 2, 31, 135, 3, 2, 2, 2, 33, 137, 3, 2, 2, 2, 35, 156, 3, 2, 2, 2, 37, 163, 3, 2, 2, 2, 39, 172, 3, 2, 2, 2, 41, 174, 3, 2, 2, 2, 43, 176, 3, 2, 2, 2, 45, 180, 3, 2, 2, 2, 47, 48, 7, 46, 2, 2, 48, 4, 3, 2, 2, 2, 49, 50, 7, 63, 2, 2, 50, 51, 7, 63, 2, 2, 51, 6, 3, 2, 2, 2, 52, 53, 7, 35, 2, 2, 53, 54, 7, 63, 2, 2, 54, 8, 3, 2, 2, 2, 55, 56, 7, 64, 2, 2, 56, 10, 3, 2, 2, 2, 57, 58, 7, 62, 2, 2, 58, 12, 3, 2, 2, 2, 59, 60, 7, 64, 2, 2, 60, 61, 7, 63, 2, 2, 61, 14, 3, 2, 2, 2, 62, 63, 7, 62, 2, 2, 63, 64, 7, 63, 2, 2, 64, 16, 3, 2, 2, 2, 65, 66, 7, 99, 2, 2, 66, 67, 7, 112, 2, 2, 67, 74, 7, 102, 2, 2, 68, 69, 7, 67, 2, 2, 69, 70, 7, 80, 2, 2, 70, 74, 7, 70, 2, 2, 71, 72, 7, 40, 2, 2, 72, 74, 7, 40, 2, 2, 73, 65, 3, 2, 2, 2, 73, 68, 3, 2, 2, 2, 73, 71, 3, 2, 2, 2, 74, 18, 3, 2, 2, 2, 75, 76, 7, 113, 2, 2, 76, 82, 7, 116, 2, 2, 77, 78, 7, 81, 2, 2, 78, 82, 7, 84, 2, 2, 79, 80, 7, 126, 2, 2, 80, 82, 7, 126, 2, 2, 81, 75, 3, 2, 2, 2, 81, 77, 3, 2, 2, 2, 81, 79, 3, 2, 2, 2, 82, 20, 3, 2, 2, 2, 83, 84, 7, 118, 2, 2, 84, 85, 7, 116, 2, 2, 85, 86, 7, 119, 2, 2, 86, 92, 7, 103, 2, 2, 87, 88, 7, 86, 2, 2, 88, 89, 7, 84, 2, 2, 89, 90, 7, 87, 2, 2, 90, 92, 7, 71, 2, 2, 91, 83, 3, 2, 2, 2, 91, 87, 3, 2, 2, 2, 92, 22, 3, 2, 2, 2, 93, 94, 7, 104, 2, 2, 94, 95, 7, 99, 2, 2, 95, 96, 7, 110, 2, 2, 96, 97, 7, 117, 2, 2, 97, 104, 7, 103, 2, 2, 98, 99, 7, 72, 2, 2, 99, 100, 7, 67, 2, 2, 100, 101, 7, 78, 2, 2, 101, 102, 7, 85, 2, 2, 102, 104, 7, 71, 2, 2, 103, 93, 3, 2, 2, 2, 103, 98, 3, 2, 2, 2, 104, 24, 3, 2, 2, 2, 105, 107, 9, 2, 2, 2, 106, 105, 3, 2, 2, 2, 107, 108, 3, 2, 2, 2, 108, 106, 3, 2, 2, 2, 108, 109, 3, 2, 2, 2, 109, 110, 3, 2, 2, 2, 110, 112, 7, 48, 2, 2, 111, 113, 9, 2, 2, 2, 112, 111, 3, 2, 2, 2, 113, 114, 3, 2, 2, 2, 114, 112, 3, 2, 2, 2, 114, 115, 3, 2, 2, 2, 115, 26, 3, 2, 2, 2, 116, 118, 9, 2, 2, 2, 117, 116, 3, 2, 2, 2, 118, 119, 3, 2, 2, 2, 119, 117, 3, 2, 2, 2, 119, 120, 3, 2, 2, 2, 120, 28, 3, 2, 2, 2, 121, 123, 9, 3, 2, 2, 122, 121, 3, 2, 2, 2, 123, 124, 3, 2, 2, 2, 124, 122, 3, 2, 2, 2, 124, 125, 3, 2, 2, 2, 125, 126, 3, 2, 2, 2, 126, 127, 8, 15, 2, 2, 127, 30, 3, 2, 2, 2, 128, 129, 7, 80, 2, 2, 129, 130, 7, 81, 2, 2, 130, 136, 7, 86, 2, 2, 131, 136, 7, 35, 2, 2, 132, 133, 7, 112, 2, 2, 133, 134, 7, 113, 2, 2, 134, 136, 7, 118, 2, 2, 135, 128, 3, 2, 2, 2, 135, 131, 3, 2, 2, 2, 135, 132, 3, 2, 2, 2, 136, 32, 3, 2, 2, 2, 137, 139, 5, 43, 22, 2, 138, 140, 9, 4, 2, 2, 139, 138, 3, 2, 2, 2, 140, 141, 3, 2, 2, 2, 141, 139, 3, 2, 2, 2, 141, 142, 3, 2, 2, 2, 142, 151, 3, 2, 2, 2, 143, 145, 7, 48, 2, 2, 144, 146, 9, 5, 2, 2, 145, 144, 3, 2, 2, 2, 146, 147, 3, 2, 2, 2, 147, 145, 3, 2, 2, 2, 147, 148, 3, 2, 2, 2, 148, 150, 3, 2, 2, 2, 149, 143, 3, 2, 2, 2, 150, 153, 3, 2, 2, 2, 151, 149, 3, 2, 2, 2, 151, 152, 3, 2, 2, 2, 152, 154, 3, 2, 2, 2, 153, 151, 3, 2, 2, 2, 154, 155, 5, 45, 23, 2, 155, 34, 3, 2, 2, 2, 156, 160, 9, 6, 2, 2, 157, 159, 9, 7, 2, 2, 158, 157, 3, 2, 2, 2, 159, 162, 3, 2, 2, 2, 160, 158, 3, 2, 2, 2, 160, 161, 3, 2, 2, 2, 161, 36, 3, 2, 2, 2, 162, 160, 3, 2, 2, 2, 163, 167, 7, 41, 2, 2, 164, 166, 10, 8, 2, 2, 165, 164, 3, 2, 2, 2, 166, 169, 3, 2, 2, 2, 167, 165, 3, 2, 2, 2, 167, 168, 3, 2, 2, 2, 168, 170, 3, 2, 2, 2, 169, 167, 3, 2, 2, 2, 170, 171, 7, 41, 2, 2, 171, 38, 3, 2, 2, 2, 172, 173, 7, 42, 2, 2, 173, 40, 3, 2, 2, 2, 174, 175, 7, 43, 2, 2, 175, 42, 3, 2, 2, 2, 176, 177, 7, 39, 2, 2, 177, 178, 7, 125, 2, 2, 178, 179, 7, 93, 2, 2, 179, 44, 3, 2, 2, 2, 180, 181, 7, 95, 2, 2, 181, 182, 7, 127, 2, 2, 182, 46, 3, 2, 2, 2, 17, 2, 73, 81, 91, 103, 108, 114, 119, 124, 135, 141, 147, 151, 160, 167, 3, 8, 2, 2] \ No newline at end of file diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/BoolexpLexer.tokens b/x-pack/elastic-agent/pkg/boolexp/parser/BoolexpLexer.tokens deleted file mode 100644 index 6892b3a80c1..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/parser/BoolexpLexer.tokens +++ /dev/null @@ -1,29 +0,0 @@ -T__0=1 -EQ=2 -NEQ=3 -GT=4 -LT=5 -GTE=6 -LTE=7 -AND=8 -OR=9 -TRUE=10 -FALSE=11 -FLOAT=12 -NUMBER=13 -WHITESPACE=14 -NOT=15 -VARIABLE=16 -METHODNAME=17 -TEXT=18 -LPAR=19 -RPAR=20 -','=1 -'=='=2 -'!='=3 -'>'=4 -'<'=5 -'>='=6 -'<='=7 -'('=19 -')'=20 diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_base_listener.go b/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_base_listener.go deleted file mode 100644 index 3956df34c1f..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_base_listener.go +++ /dev/null @@ -1,140 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated from Boolexp.g4 by ANTLR 4.7.2. DO NOT EDIT. - -package parser // Boolexp - -import "github.com/antlr/antlr4/runtime/Go/antlr" - -// BaseBoolexpListener is a complete listener for a parse tree produced by BoolexpParser. -type BaseBoolexpListener struct{} - -var _ BoolexpListener = &BaseBoolexpListener{} - -// VisitTerminal is called when a terminal node is visited. -func (s *BaseBoolexpListener) VisitTerminal(node antlr.TerminalNode) {} - -// VisitErrorNode is called when an error node is visited. -func (s *BaseBoolexpListener) VisitErrorNode(node antlr.ErrorNode) {} - -// EnterEveryRule is called when any rule is entered. -func (s *BaseBoolexpListener) EnterEveryRule(ctx antlr.ParserRuleContext) {} - -// ExitEveryRule is called when any rule is exited. -func (s *BaseBoolexpListener) ExitEveryRule(ctx antlr.ParserRuleContext) {} - -// EnterExpList is called when production expList is entered. -func (s *BaseBoolexpListener) EnterExpList(ctx *ExpListContext) {} - -// ExitExpList is called when production expList is exited. -func (s *BaseBoolexpListener) ExitExpList(ctx *ExpListContext) {} - -// EnterExpArithmeticNEQ is called when production ExpArithmeticNEQ is entered. -func (s *BaseBoolexpListener) EnterExpArithmeticNEQ(ctx *ExpArithmeticNEQContext) {} - -// ExitExpArithmeticNEQ is called when production ExpArithmeticNEQ is exited. -func (s *BaseBoolexpListener) ExitExpArithmeticNEQ(ctx *ExpArithmeticNEQContext) {} - -// EnterExpArithmeticEQ is called when production ExpArithmeticEQ is entered. -func (s *BaseBoolexpListener) EnterExpArithmeticEQ(ctx *ExpArithmeticEQContext) {} - -// ExitExpArithmeticEQ is called when production ExpArithmeticEQ is exited. -func (s *BaseBoolexpListener) ExitExpArithmeticEQ(ctx *ExpArithmeticEQContext) {} - -// EnterExpArithmeticGTE is called when production ExpArithmeticGTE is entered. -func (s *BaseBoolexpListener) EnterExpArithmeticGTE(ctx *ExpArithmeticGTEContext) {} - -// ExitExpArithmeticGTE is called when production ExpArithmeticGTE is exited. -func (s *BaseBoolexpListener) ExitExpArithmeticGTE(ctx *ExpArithmeticGTEContext) {} - -// EnterExpArithmeticLTE is called when production ExpArithmeticLTE is entered. -func (s *BaseBoolexpListener) EnterExpArithmeticLTE(ctx *ExpArithmeticLTEContext) {} - -// ExitExpArithmeticLTE is called when production ExpArithmeticLTE is exited. -func (s *BaseBoolexpListener) ExitExpArithmeticLTE(ctx *ExpArithmeticLTEContext) {} - -// EnterExpArithmeticGT is called when production ExpArithmeticGT is entered. -func (s *BaseBoolexpListener) EnterExpArithmeticGT(ctx *ExpArithmeticGTContext) {} - -// ExitExpArithmeticGT is called when production ExpArithmeticGT is exited. -func (s *BaseBoolexpListener) ExitExpArithmeticGT(ctx *ExpArithmeticGTContext) {} - -// EnterExpText is called when production ExpText is entered. -func (s *BaseBoolexpListener) EnterExpText(ctx *ExpTextContext) {} - -// ExitExpText is called when production ExpText is exited. -func (s *BaseBoolexpListener) ExitExpText(ctx *ExpTextContext) {} - -// EnterExpNumber is called when production ExpNumber is entered. -func (s *BaseBoolexpListener) EnterExpNumber(ctx *ExpNumberContext) {} - -// ExitExpNumber is called when production ExpNumber is exited. -func (s *BaseBoolexpListener) ExitExpNumber(ctx *ExpNumberContext) {} - -// EnterExpLogicalAnd is called when production ExpLogicalAnd is entered. -func (s *BaseBoolexpListener) EnterExpLogicalAnd(ctx *ExpLogicalAndContext) {} - -// ExitExpLogicalAnd is called when production ExpLogicalAnd is exited. -func (s *BaseBoolexpListener) ExitExpLogicalAnd(ctx *ExpLogicalAndContext) {} - -// EnterExpLogicalOR is called when production ExpLogicalOR is entered. -func (s *BaseBoolexpListener) EnterExpLogicalOR(ctx *ExpLogicalORContext) {} - -// ExitExpLogicalOR is called when production ExpLogicalOR is exited. -func (s *BaseBoolexpListener) ExitExpLogicalOR(ctx *ExpLogicalORContext) {} - -// EnterExpFloat is called when production ExpFloat is entered. -func (s *BaseBoolexpListener) EnterExpFloat(ctx *ExpFloatContext) {} - -// ExitExpFloat is called when production ExpFloat is exited. -func (s *BaseBoolexpListener) ExitExpFloat(ctx *ExpFloatContext) {} - -// EnterExpVariable is called when production ExpVariable is entered. -func (s *BaseBoolexpListener) EnterExpVariable(ctx *ExpVariableContext) {} - -// ExitExpVariable is called when production ExpVariable is exited. -func (s *BaseBoolexpListener) ExitExpVariable(ctx *ExpVariableContext) {} - -// EnterExpNot is called when production ExpNot is entered. -func (s *BaseBoolexpListener) EnterExpNot(ctx *ExpNotContext) {} - -// ExitExpNot is called when production ExpNot is exited. -func (s *BaseBoolexpListener) ExitExpNot(ctx *ExpNotContext) {} - -// EnterExpInParen is called when production ExpInParen is entered. -func (s *BaseBoolexpListener) EnterExpInParen(ctx *ExpInParenContext) {} - -// ExitExpInParen is called when production ExpInParen is exited. -func (s *BaseBoolexpListener) ExitExpInParen(ctx *ExpInParenContext) {} - -// EnterExpBoolean is called when production ExpBoolean is entered. -func (s *BaseBoolexpListener) EnterExpBoolean(ctx *ExpBooleanContext) {} - -// ExitExpBoolean is called when production ExpBoolean is exited. -func (s *BaseBoolexpListener) ExitExpBoolean(ctx *ExpBooleanContext) {} - -// EnterExpFunction is called when production ExpFunction is entered. -func (s *BaseBoolexpListener) EnterExpFunction(ctx *ExpFunctionContext) {} - -// ExitExpFunction is called when production ExpFunction is exited. -func (s *BaseBoolexpListener) ExitExpFunction(ctx *ExpFunctionContext) {} - -// EnterExpArithmeticLT is called when production ExpArithmeticLT is entered. -func (s *BaseBoolexpListener) EnterExpArithmeticLT(ctx *ExpArithmeticLTContext) {} - -// ExitExpArithmeticLT is called when production ExpArithmeticLT is exited. -func (s *BaseBoolexpListener) ExitExpArithmeticLT(ctx *ExpArithmeticLTContext) {} - -// EnterBoolean is called when production boolean is entered. -func (s *BaseBoolexpListener) EnterBoolean(ctx *BooleanContext) {} - -// ExitBoolean is called when production boolean is exited. -func (s *BaseBoolexpListener) ExitBoolean(ctx *BooleanContext) {} - -// EnterArguments is called when production arguments is entered. -func (s *BaseBoolexpListener) EnterArguments(ctx *ArgumentsContext) {} - -// ExitArguments is called when production arguments is exited. -func (s *BaseBoolexpListener) ExitArguments(ctx *ArgumentsContext) {} diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_base_visitor.go b/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_base_visitor.go deleted file mode 100644 index 44adc6d7c10..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_base_visitor.go +++ /dev/null @@ -1,89 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated from Boolexp.g4 by ANTLR 4.7.2. DO NOT EDIT. - -package parser // Boolexp - -import "github.com/antlr/antlr4/runtime/Go/antlr" - -type BaseBoolexpVisitor struct { - *antlr.BaseParseTreeVisitor -} - -func (v *BaseBoolexpVisitor) VisitExpList(ctx *ExpListContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpArithmeticNEQ(ctx *ExpArithmeticNEQContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpArithmeticEQ(ctx *ExpArithmeticEQContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpArithmeticGTE(ctx *ExpArithmeticGTEContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpArithmeticLTE(ctx *ExpArithmeticLTEContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpArithmeticGT(ctx *ExpArithmeticGTContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpText(ctx *ExpTextContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpNumber(ctx *ExpNumberContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpLogicalAnd(ctx *ExpLogicalAndContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpLogicalOR(ctx *ExpLogicalORContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpFloat(ctx *ExpFloatContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpVariable(ctx *ExpVariableContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpNot(ctx *ExpNotContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpInParen(ctx *ExpInParenContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpBoolean(ctx *ExpBooleanContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpFunction(ctx *ExpFunctionContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitExpArithmeticLT(ctx *ExpArithmeticLTContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitBoolean(ctx *BooleanContext) interface{} { - return v.VisitChildren(ctx) -} - -func (v *BaseBoolexpVisitor) VisitArguments(ctx *ArgumentsContext) interface{} { - return v.VisitChildren(ctx) -} diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_lexer.go b/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_lexer.go deleted file mode 100644 index b89f1dbc517..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_lexer.go +++ /dev/null @@ -1,191 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated from Boolexp.g4 by ANTLR 4.7.2. DO NOT EDIT. - -package parser - -import ( - "fmt" - "unicode" - - "github.com/antlr/antlr4/runtime/Go/antlr" -) - -// Suppress unused import error -var _ = fmt.Printf -var _ = unicode.IsLetter - -var serializedLexerAtn = []uint16{ - 3, 24715, 42794, 33075, 47597, 16764, 15335, 30598, 22884, 2, 22, 183, - 8, 1, 4, 2, 9, 2, 4, 3, 9, 3, 4, 4, 9, 4, 4, 5, 9, 5, 4, 6, 9, 6, 4, 7, - 9, 7, 4, 8, 9, 8, 4, 9, 9, 9, 4, 10, 9, 10, 4, 11, 9, 11, 4, 12, 9, 12, - 4, 13, 9, 13, 4, 14, 9, 14, 4, 15, 9, 15, 4, 16, 9, 16, 4, 17, 9, 17, 4, - 18, 9, 18, 4, 19, 9, 19, 4, 20, 9, 20, 4, 21, 9, 21, 4, 22, 9, 22, 4, 23, - 9, 23, 3, 2, 3, 2, 3, 3, 3, 3, 3, 3, 3, 4, 3, 4, 3, 4, 3, 5, 3, 5, 3, 6, - 3, 6, 3, 7, 3, 7, 3, 7, 3, 8, 3, 8, 3, 8, 3, 9, 3, 9, 3, 9, 3, 9, 3, 9, - 3, 9, 3, 9, 3, 9, 5, 9, 74, 10, 9, 3, 10, 3, 10, 3, 10, 3, 10, 3, 10, 3, - 10, 5, 10, 82, 10, 10, 3, 11, 3, 11, 3, 11, 3, 11, 3, 11, 3, 11, 3, 11, - 3, 11, 5, 11, 92, 10, 11, 3, 12, 3, 12, 3, 12, 3, 12, 3, 12, 3, 12, 3, - 12, 3, 12, 3, 12, 3, 12, 5, 12, 104, 10, 12, 3, 13, 6, 13, 107, 10, 13, - 13, 13, 14, 13, 108, 3, 13, 3, 13, 6, 13, 113, 10, 13, 13, 13, 14, 13, - 114, 3, 14, 6, 14, 118, 10, 14, 13, 14, 14, 14, 119, 3, 15, 6, 15, 123, - 10, 15, 13, 15, 14, 15, 124, 3, 15, 3, 15, 3, 16, 3, 16, 3, 16, 3, 16, - 3, 16, 3, 16, 3, 16, 5, 16, 136, 10, 16, 3, 17, 3, 17, 6, 17, 140, 10, - 17, 13, 17, 14, 17, 141, 3, 17, 3, 17, 6, 17, 146, 10, 17, 13, 17, 14, - 17, 147, 7, 17, 150, 10, 17, 12, 17, 14, 17, 153, 11, 17, 3, 17, 3, 17, - 3, 18, 3, 18, 7, 18, 159, 10, 18, 12, 18, 14, 18, 162, 11, 18, 3, 19, 3, - 19, 7, 19, 166, 10, 19, 12, 19, 14, 19, 169, 11, 19, 3, 19, 3, 19, 3, 20, - 3, 20, 3, 21, 3, 21, 3, 22, 3, 22, 3, 22, 3, 22, 3, 23, 3, 23, 3, 23, 2, - 2, 24, 3, 3, 5, 4, 7, 5, 9, 6, 11, 7, 13, 8, 15, 9, 17, 10, 19, 11, 21, - 12, 23, 13, 25, 14, 27, 15, 29, 16, 31, 17, 33, 18, 35, 19, 37, 20, 39, - 21, 41, 22, 43, 2, 45, 2, 3, 2, 9, 3, 2, 50, 59, 5, 2, 11, 12, 15, 15, - 34, 34, 7, 2, 48, 48, 50, 59, 67, 92, 97, 97, 99, 124, 6, 2, 50, 59, 92, - 92, 97, 97, 99, 124, 5, 2, 67, 92, 97, 97, 99, 124, 6, 2, 50, 59, 67, 92, - 97, 97, 99, 124, 5, 2, 12, 12, 15, 15, 41, 41, 2, 197, 2, 3, 3, 2, 2, 2, - 2, 5, 3, 2, 2, 2, 2, 7, 3, 2, 2, 2, 2, 9, 3, 2, 2, 2, 2, 11, 3, 2, 2, 2, - 2, 13, 3, 2, 2, 2, 2, 15, 3, 2, 2, 2, 2, 17, 3, 2, 2, 2, 2, 19, 3, 2, 2, - 2, 2, 21, 3, 2, 2, 2, 2, 23, 3, 2, 2, 2, 2, 25, 3, 2, 2, 2, 2, 27, 3, 2, - 2, 2, 2, 29, 3, 2, 2, 2, 2, 31, 3, 2, 2, 2, 2, 33, 3, 2, 2, 2, 2, 35, 3, - 2, 2, 2, 2, 37, 3, 2, 2, 2, 2, 39, 3, 2, 2, 2, 2, 41, 3, 2, 2, 2, 3, 47, - 3, 2, 2, 2, 5, 49, 3, 2, 2, 2, 7, 52, 3, 2, 2, 2, 9, 55, 3, 2, 2, 2, 11, - 57, 3, 2, 2, 2, 13, 59, 3, 2, 2, 2, 15, 62, 3, 2, 2, 2, 17, 73, 3, 2, 2, - 2, 19, 81, 3, 2, 2, 2, 21, 91, 3, 2, 2, 2, 23, 103, 3, 2, 2, 2, 25, 106, - 3, 2, 2, 2, 27, 117, 3, 2, 2, 2, 29, 122, 3, 2, 2, 2, 31, 135, 3, 2, 2, - 2, 33, 137, 3, 2, 2, 2, 35, 156, 3, 2, 2, 2, 37, 163, 3, 2, 2, 2, 39, 172, - 3, 2, 2, 2, 41, 174, 3, 2, 2, 2, 43, 176, 3, 2, 2, 2, 45, 180, 3, 2, 2, - 2, 47, 48, 7, 46, 2, 2, 48, 4, 3, 2, 2, 2, 49, 50, 7, 63, 2, 2, 50, 51, - 7, 63, 2, 2, 51, 6, 3, 2, 2, 2, 52, 53, 7, 35, 2, 2, 53, 54, 7, 63, 2, - 2, 54, 8, 3, 2, 2, 2, 55, 56, 7, 64, 2, 2, 56, 10, 3, 2, 2, 2, 57, 58, - 7, 62, 2, 2, 58, 12, 3, 2, 2, 2, 59, 60, 7, 64, 2, 2, 60, 61, 7, 63, 2, - 2, 61, 14, 3, 2, 2, 2, 62, 63, 7, 62, 2, 2, 63, 64, 7, 63, 2, 2, 64, 16, - 3, 2, 2, 2, 65, 66, 7, 99, 2, 2, 66, 67, 7, 112, 2, 2, 67, 74, 7, 102, - 2, 2, 68, 69, 7, 67, 2, 2, 69, 70, 7, 80, 2, 2, 70, 74, 7, 70, 2, 2, 71, - 72, 7, 40, 2, 2, 72, 74, 7, 40, 2, 2, 73, 65, 3, 2, 2, 2, 73, 68, 3, 2, - 2, 2, 73, 71, 3, 2, 2, 2, 74, 18, 3, 2, 2, 2, 75, 76, 7, 113, 2, 2, 76, - 82, 7, 116, 2, 2, 77, 78, 7, 81, 2, 2, 78, 82, 7, 84, 2, 2, 79, 80, 7, - 126, 2, 2, 80, 82, 7, 126, 2, 2, 81, 75, 3, 2, 2, 2, 81, 77, 3, 2, 2, 2, - 81, 79, 3, 2, 2, 2, 82, 20, 3, 2, 2, 2, 83, 84, 7, 118, 2, 2, 84, 85, 7, - 116, 2, 2, 85, 86, 7, 119, 2, 2, 86, 92, 7, 103, 2, 2, 87, 88, 7, 86, 2, - 2, 88, 89, 7, 84, 2, 2, 89, 90, 7, 87, 2, 2, 90, 92, 7, 71, 2, 2, 91, 83, - 3, 2, 2, 2, 91, 87, 3, 2, 2, 2, 92, 22, 3, 2, 2, 2, 93, 94, 7, 104, 2, - 2, 94, 95, 7, 99, 2, 2, 95, 96, 7, 110, 2, 2, 96, 97, 7, 117, 2, 2, 97, - 104, 7, 103, 2, 2, 98, 99, 7, 72, 2, 2, 99, 100, 7, 67, 2, 2, 100, 101, - 7, 78, 2, 2, 101, 102, 7, 85, 2, 2, 102, 104, 7, 71, 2, 2, 103, 93, 3, - 2, 2, 2, 103, 98, 3, 2, 2, 2, 104, 24, 3, 2, 2, 2, 105, 107, 9, 2, 2, 2, - 106, 105, 3, 2, 2, 2, 107, 108, 3, 2, 2, 2, 108, 106, 3, 2, 2, 2, 108, - 109, 3, 2, 2, 2, 109, 110, 3, 2, 2, 2, 110, 112, 7, 48, 2, 2, 111, 113, - 9, 2, 2, 2, 112, 111, 3, 2, 2, 2, 113, 114, 3, 2, 2, 2, 114, 112, 3, 2, - 2, 2, 114, 115, 3, 2, 2, 2, 115, 26, 3, 2, 2, 2, 116, 118, 9, 2, 2, 2, - 117, 116, 3, 2, 2, 2, 118, 119, 3, 2, 2, 2, 119, 117, 3, 2, 2, 2, 119, - 120, 3, 2, 2, 2, 120, 28, 3, 2, 2, 2, 121, 123, 9, 3, 2, 2, 122, 121, 3, - 2, 2, 2, 123, 124, 3, 2, 2, 2, 124, 122, 3, 2, 2, 2, 124, 125, 3, 2, 2, - 2, 125, 126, 3, 2, 2, 2, 126, 127, 8, 15, 2, 2, 127, 30, 3, 2, 2, 2, 128, - 129, 7, 80, 2, 2, 129, 130, 7, 81, 2, 2, 130, 136, 7, 86, 2, 2, 131, 136, - 7, 35, 2, 2, 132, 133, 7, 112, 2, 2, 133, 134, 7, 113, 2, 2, 134, 136, - 7, 118, 2, 2, 135, 128, 3, 2, 2, 2, 135, 131, 3, 2, 2, 2, 135, 132, 3, - 2, 2, 2, 136, 32, 3, 2, 2, 2, 137, 139, 5, 43, 22, 2, 138, 140, 9, 4, 2, - 2, 139, 138, 3, 2, 2, 2, 140, 141, 3, 2, 2, 2, 141, 139, 3, 2, 2, 2, 141, - 142, 3, 2, 2, 2, 142, 151, 3, 2, 2, 2, 143, 145, 7, 48, 2, 2, 144, 146, - 9, 5, 2, 2, 145, 144, 3, 2, 2, 2, 146, 147, 3, 2, 2, 2, 147, 145, 3, 2, - 2, 2, 147, 148, 3, 2, 2, 2, 148, 150, 3, 2, 2, 2, 149, 143, 3, 2, 2, 2, - 150, 153, 3, 2, 2, 2, 151, 149, 3, 2, 2, 2, 151, 152, 3, 2, 2, 2, 152, - 154, 3, 2, 2, 2, 153, 151, 3, 2, 2, 2, 154, 155, 5, 45, 23, 2, 155, 34, - 3, 2, 2, 2, 156, 160, 9, 6, 2, 2, 157, 159, 9, 7, 2, 2, 158, 157, 3, 2, - 2, 2, 159, 162, 3, 2, 2, 2, 160, 158, 3, 2, 2, 2, 160, 161, 3, 2, 2, 2, - 161, 36, 3, 2, 2, 2, 162, 160, 3, 2, 2, 2, 163, 167, 7, 41, 2, 2, 164, - 166, 10, 8, 2, 2, 165, 164, 3, 2, 2, 2, 166, 169, 3, 2, 2, 2, 167, 165, - 3, 2, 2, 2, 167, 168, 3, 2, 2, 2, 168, 170, 3, 2, 2, 2, 169, 167, 3, 2, - 2, 2, 170, 171, 7, 41, 2, 2, 171, 38, 3, 2, 2, 2, 172, 173, 7, 42, 2, 2, - 173, 40, 3, 2, 2, 2, 174, 175, 7, 43, 2, 2, 175, 42, 3, 2, 2, 2, 176, 177, - 7, 39, 2, 2, 177, 178, 7, 125, 2, 2, 178, 179, 7, 93, 2, 2, 179, 44, 3, - 2, 2, 2, 180, 181, 7, 95, 2, 2, 181, 182, 7, 127, 2, 2, 182, 46, 3, 2, - 2, 2, 17, 2, 73, 81, 91, 103, 108, 114, 119, 124, 135, 141, 147, 151, 160, - 167, 3, 8, 2, 2, -} - -var lexerDeserializer = antlr.NewATNDeserializer(nil) -var lexerAtn = lexerDeserializer.DeserializeFromUInt16(serializedLexerAtn) - -var lexerChannelNames = []string{ - "DEFAULT_TOKEN_CHANNEL", "HIDDEN", -} - -var lexerModeNames = []string{ - "DEFAULT_MODE", -} - -var lexerLiteralNames = []string{ - "", "','", "'=='", "'!='", "'>'", "'<'", "'>='", "'<='", "", "", "", "", - "", "", "", "", "", "", "", "'('", "')'", -} - -var lexerSymbolicNames = []string{ - "", "", "EQ", "NEQ", "GT", "LT", "GTE", "LTE", "AND", "OR", "TRUE", "FALSE", - "FLOAT", "NUMBER", "WHITESPACE", "NOT", "VARIABLE", "METHODNAME", "TEXT", - "LPAR", "RPAR", -} - -var lexerRuleNames = []string{ - "T__0", "EQ", "NEQ", "GT", "LT", "GTE", "LTE", "AND", "OR", "TRUE", "FALSE", - "FLOAT", "NUMBER", "WHITESPACE", "NOT", "VARIABLE", "METHODNAME", "TEXT", - "LPAR", "RPAR", "BEGIN_VARIABLE", "END_VARIABLE", -} - -type BoolexpLexer struct { - *antlr.BaseLexer - channelNames []string - modeNames []string - // TODO: EOF string -} - -var lexerDecisionToDFA = make([]*antlr.DFA, len(lexerAtn.DecisionToState)) - -func init() { - for index, ds := range lexerAtn.DecisionToState { - lexerDecisionToDFA[index] = antlr.NewDFA(ds, index) - } -} - -func NewBoolexpLexer(input antlr.CharStream) *BoolexpLexer { - - l := new(BoolexpLexer) - - l.BaseLexer = antlr.NewBaseLexer(input) - l.Interpreter = antlr.NewLexerATNSimulator(l, lexerAtn, lexerDecisionToDFA, antlr.NewPredictionContextCache()) - - l.channelNames = lexerChannelNames - l.modeNames = lexerModeNames - l.RuleNames = lexerRuleNames - l.LiteralNames = lexerLiteralNames - l.SymbolicNames = lexerSymbolicNames - l.GrammarFileName = "Boolexp.g4" - // TODO: l.EOF = antlr.TokenEOF - - return l -} - -// BoolexpLexer tokens. -const ( - BoolexpLexerT__0 = 1 - BoolexpLexerEQ = 2 - BoolexpLexerNEQ = 3 - BoolexpLexerGT = 4 - BoolexpLexerLT = 5 - BoolexpLexerGTE = 6 - BoolexpLexerLTE = 7 - BoolexpLexerAND = 8 - BoolexpLexerOR = 9 - BoolexpLexerTRUE = 10 - BoolexpLexerFALSE = 11 - BoolexpLexerFLOAT = 12 - BoolexpLexerNUMBER = 13 - BoolexpLexerWHITESPACE = 14 - BoolexpLexerNOT = 15 - BoolexpLexerVARIABLE = 16 - BoolexpLexerMETHODNAME = 17 - BoolexpLexerTEXT = 18 - BoolexpLexerLPAR = 19 - BoolexpLexerRPAR = 20 -) diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_parser.go b/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_parser.go deleted file mode 100644 index 2805c35e9e5..00000000000 --- a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_parser.go +++ /dev/null @@ -1,1952 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated from Boolexp.g4 by ANTLR 4.7.2. DO NOT EDIT. - -package parser // Boolexp - -import ( - "fmt" - "reflect" - "strconv" - - "github.com/antlr/antlr4/runtime/Go/antlr" -) - -// Suppress unused import errors -var _ = fmt.Printf -var _ = reflect.Copy -var _ = strconv.Itoa - -var parserATN = []uint16{ - 3, 24715, 42794, 33075, 47597, 16764, 15335, 30598, 22884, 3, 22, 73, 4, - 2, 9, 2, 4, 3, 9, 3, 4, 4, 9, 4, 4, 5, 9, 5, 3, 2, 3, 2, 3, 2, 3, 3, 3, - 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 5, 3, 26, - 10, 3, 3, 3, 3, 3, 3, 3, 3, 3, 5, 3, 32, 10, 3, 3, 3, 3, 3, 3, 3, 3, 3, - 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, - 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 7, 3, 58, 10, 3, 12, 3, - 14, 3, 61, 11, 3, 3, 4, 3, 4, 3, 5, 3, 5, 3, 5, 7, 5, 68, 10, 5, 12, 5, - 14, 5, 71, 11, 5, 3, 5, 2, 3, 4, 6, 2, 4, 6, 8, 2, 3, 3, 2, 12, 13, 2, - 85, 2, 10, 3, 2, 2, 2, 4, 31, 3, 2, 2, 2, 6, 62, 3, 2, 2, 2, 8, 64, 3, - 2, 2, 2, 10, 11, 5, 4, 3, 2, 11, 12, 7, 2, 2, 3, 12, 3, 3, 2, 2, 2, 13, - 14, 8, 3, 1, 2, 14, 15, 7, 21, 2, 2, 15, 16, 5, 4, 3, 2, 16, 17, 7, 22, - 2, 2, 17, 32, 3, 2, 2, 2, 18, 19, 7, 17, 2, 2, 19, 32, 5, 4, 3, 17, 20, - 32, 5, 6, 4, 2, 21, 32, 7, 18, 2, 2, 22, 23, 7, 19, 2, 2, 23, 25, 7, 21, - 2, 2, 24, 26, 5, 8, 5, 2, 25, 24, 3, 2, 2, 2, 25, 26, 3, 2, 2, 2, 26, 27, - 3, 2, 2, 2, 27, 32, 7, 22, 2, 2, 28, 32, 7, 20, 2, 2, 29, 32, 7, 14, 2, - 2, 30, 32, 7, 15, 2, 2, 31, 13, 3, 2, 2, 2, 31, 18, 3, 2, 2, 2, 31, 20, - 3, 2, 2, 2, 31, 21, 3, 2, 2, 2, 31, 22, 3, 2, 2, 2, 31, 28, 3, 2, 2, 2, - 31, 29, 3, 2, 2, 2, 31, 30, 3, 2, 2, 2, 32, 59, 3, 2, 2, 2, 33, 34, 12, - 16, 2, 2, 34, 35, 7, 4, 2, 2, 35, 58, 5, 4, 3, 17, 36, 37, 12, 15, 2, 2, - 37, 38, 7, 5, 2, 2, 38, 58, 5, 4, 3, 16, 39, 40, 12, 14, 2, 2, 40, 41, - 7, 9, 2, 2, 41, 58, 5, 4, 3, 15, 42, 43, 12, 13, 2, 2, 43, 44, 7, 8, 2, - 2, 44, 58, 5, 4, 3, 14, 45, 46, 12, 12, 2, 2, 46, 47, 7, 7, 2, 2, 47, 58, - 5, 4, 3, 13, 48, 49, 12, 11, 2, 2, 49, 50, 7, 6, 2, 2, 50, 58, 5, 4, 3, - 12, 51, 52, 12, 10, 2, 2, 52, 53, 7, 10, 2, 2, 53, 58, 5, 4, 3, 11, 54, - 55, 12, 9, 2, 2, 55, 56, 7, 11, 2, 2, 56, 58, 5, 4, 3, 10, 57, 33, 3, 2, - 2, 2, 57, 36, 3, 2, 2, 2, 57, 39, 3, 2, 2, 2, 57, 42, 3, 2, 2, 2, 57, 45, - 3, 2, 2, 2, 57, 48, 3, 2, 2, 2, 57, 51, 3, 2, 2, 2, 57, 54, 3, 2, 2, 2, - 58, 61, 3, 2, 2, 2, 59, 57, 3, 2, 2, 2, 59, 60, 3, 2, 2, 2, 60, 5, 3, 2, - 2, 2, 61, 59, 3, 2, 2, 2, 62, 63, 9, 2, 2, 2, 63, 7, 3, 2, 2, 2, 64, 69, - 5, 4, 3, 2, 65, 66, 7, 3, 2, 2, 66, 68, 5, 4, 3, 2, 67, 65, 3, 2, 2, 2, - 68, 71, 3, 2, 2, 2, 69, 67, 3, 2, 2, 2, 69, 70, 3, 2, 2, 2, 70, 9, 3, 2, - 2, 2, 71, 69, 3, 2, 2, 2, 7, 25, 31, 57, 59, 69, -} -var deserializer = antlr.NewATNDeserializer(nil) -var deserializedATN = deserializer.DeserializeFromUInt16(parserATN) - -var literalNames = []string{ - "", "','", "'=='", "'!='", "'>'", "'<'", "'>='", "'<='", "", "", "", "", - "", "", "", "", "", "", "", "'('", "')'", -} -var symbolicNames = []string{ - "", "", "EQ", "NEQ", "GT", "LT", "GTE", "LTE", "AND", "OR", "TRUE", "FALSE", - "FLOAT", "NUMBER", "WHITESPACE", "NOT", "VARIABLE", "METHODNAME", "TEXT", - "LPAR", "RPAR", -} - -var ruleNames = []string{ - "expList", "exp", "boolean", "arguments", -} -var decisionToDFA = make([]*antlr.DFA, len(deserializedATN.DecisionToState)) - -func init() { - for index, ds := range deserializedATN.DecisionToState { - decisionToDFA[index] = antlr.NewDFA(ds, index) - } -} - -type BoolexpParser struct { - *antlr.BaseParser -} - -func NewBoolexpParser(input antlr.TokenStream) *BoolexpParser { - this := new(BoolexpParser) - - this.BaseParser = antlr.NewBaseParser(input) - - this.Interpreter = antlr.NewParserATNSimulator(this, deserializedATN, decisionToDFA, antlr.NewPredictionContextCache()) - this.RuleNames = ruleNames - this.LiteralNames = literalNames - this.SymbolicNames = symbolicNames - this.GrammarFileName = "Boolexp.g4" - - return this -} - -// BoolexpParser tokens. -const ( - BoolexpParserEOF = antlr.TokenEOF - BoolexpParserT__0 = 1 - BoolexpParserEQ = 2 - BoolexpParserNEQ = 3 - BoolexpParserGT = 4 - BoolexpParserLT = 5 - BoolexpParserGTE = 6 - BoolexpParserLTE = 7 - BoolexpParserAND = 8 - BoolexpParserOR = 9 - BoolexpParserTRUE = 10 - BoolexpParserFALSE = 11 - BoolexpParserFLOAT = 12 - BoolexpParserNUMBER = 13 - BoolexpParserWHITESPACE = 14 - BoolexpParserNOT = 15 - BoolexpParserVARIABLE = 16 - BoolexpParserMETHODNAME = 17 - BoolexpParserTEXT = 18 - BoolexpParserLPAR = 19 - BoolexpParserRPAR = 20 -) - -// BoolexpParser rules. -const ( - BoolexpParserRULE_expList = 0 - BoolexpParserRULE_exp = 1 - BoolexpParserRULE_boolean = 2 - BoolexpParserRULE_arguments = 3 -) - -// IExpListContext is an interface to support dynamic dispatch. -type IExpListContext interface { - antlr.ParserRuleContext - - // GetParser returns the parser. - GetParser() antlr.Parser - - // IsExpListContext differentiates from other interfaces. - IsExpListContext() -} - -type ExpListContext struct { - *antlr.BaseParserRuleContext - parser antlr.Parser -} - -func NewEmptyExpListContext() *ExpListContext { - var p = new(ExpListContext) - p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(nil, -1) - p.RuleIndex = BoolexpParserRULE_expList - return p -} - -func (*ExpListContext) IsExpListContext() {} - -func NewExpListContext(parser antlr.Parser, parent antlr.ParserRuleContext, invokingState int) *ExpListContext { - var p = new(ExpListContext) - - p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(parent, invokingState) - - p.parser = parser - p.RuleIndex = BoolexpParserRULE_expList - - return p -} - -func (s *ExpListContext) GetParser() antlr.Parser { return s.parser } - -func (s *ExpListContext) Exp() IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), 0) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpListContext) EOF() antlr.TerminalNode { - return s.GetToken(BoolexpParserEOF, 0) -} - -func (s *ExpListContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpListContext) ToStringTree(ruleNames []string, recog antlr.Recognizer) string { - return antlr.TreesStringTree(s, ruleNames, recog) -} - -func (s *ExpListContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpList(s) - } -} - -func (s *ExpListContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpList(s) - } -} - -func (s *ExpListContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpList(s) - - default: - return t.VisitChildren(s) - } -} - -func (p *BoolexpParser) ExpList() (localctx IExpListContext) { - localctx = NewExpListContext(p, p.GetParserRuleContext(), p.GetState()) - p.EnterRule(localctx, 0, BoolexpParserRULE_expList) - - defer func() { - p.ExitRule() - }() - - defer func() { - if err := recover(); err != nil { - if v, ok := err.(antlr.RecognitionException); ok { - localctx.SetException(v) - p.GetErrorHandler().ReportError(p, v) - p.GetErrorHandler().Recover(p, v) - } else { - panic(err) - } - } - }() - - p.EnterOuterAlt(localctx, 1) - { - p.SetState(8) - p.exp(0) - } - { - p.SetState(9) - p.Match(BoolexpParserEOF) - } - - return localctx -} - -// IExpContext is an interface to support dynamic dispatch. -type IExpContext interface { - antlr.ParserRuleContext - - // GetParser returns the parser. - GetParser() antlr.Parser - - // IsExpContext differentiates from other interfaces. - IsExpContext() -} - -type ExpContext struct { - *antlr.BaseParserRuleContext - parser antlr.Parser -} - -func NewEmptyExpContext() *ExpContext { - var p = new(ExpContext) - p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(nil, -1) - p.RuleIndex = BoolexpParserRULE_exp - return p -} - -func (*ExpContext) IsExpContext() {} - -func NewExpContext(parser antlr.Parser, parent antlr.ParserRuleContext, invokingState int) *ExpContext { - var p = new(ExpContext) - - p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(parent, invokingState) - - p.parser = parser - p.RuleIndex = BoolexpParserRULE_exp - - return p -} - -func (s *ExpContext) GetParser() antlr.Parser { return s.parser } - -func (s *ExpContext) CopyFrom(ctx *ExpContext) { - s.BaseParserRuleContext.CopyFrom(ctx.BaseParserRuleContext) -} - -func (s *ExpContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpContext) ToStringTree(ruleNames []string, recog antlr.Recognizer) string { - return antlr.TreesStringTree(s, ruleNames, recog) -} - -type ExpArithmeticNEQContext struct { - *ExpContext - left IExpContext - right IExpContext -} - -func NewExpArithmeticNEQContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticNEQContext { - var p = new(ExpArithmeticNEQContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpArithmeticNEQContext) GetLeft() IExpContext { return s.left } - -func (s *ExpArithmeticNEQContext) GetRight() IExpContext { return s.right } - -func (s *ExpArithmeticNEQContext) SetLeft(v IExpContext) { s.left = v } - -func (s *ExpArithmeticNEQContext) SetRight(v IExpContext) { s.right = v } - -func (s *ExpArithmeticNEQContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpArithmeticNEQContext) NEQ() antlr.TerminalNode { - return s.GetToken(BoolexpParserNEQ, 0) -} - -func (s *ExpArithmeticNEQContext) AllExp() []IExpContext { - var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) - var tst = make([]IExpContext, len(ts)) - - for i, t := range ts { - if t != nil { - tst[i] = t.(IExpContext) - } - } - - return tst -} - -func (s *ExpArithmeticNEQContext) Exp(i int) IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpArithmeticNEQContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpArithmeticNEQ(s) - } -} - -func (s *ExpArithmeticNEQContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpArithmeticNEQ(s) - } -} - -func (s *ExpArithmeticNEQContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpArithmeticNEQ(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpArithmeticEQContext struct { - *ExpContext - left IExpContext - right IExpContext -} - -func NewExpArithmeticEQContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticEQContext { - var p = new(ExpArithmeticEQContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpArithmeticEQContext) GetLeft() IExpContext { return s.left } - -func (s *ExpArithmeticEQContext) GetRight() IExpContext { return s.right } - -func (s *ExpArithmeticEQContext) SetLeft(v IExpContext) { s.left = v } - -func (s *ExpArithmeticEQContext) SetRight(v IExpContext) { s.right = v } - -func (s *ExpArithmeticEQContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpArithmeticEQContext) EQ() antlr.TerminalNode { - return s.GetToken(BoolexpParserEQ, 0) -} - -func (s *ExpArithmeticEQContext) AllExp() []IExpContext { - var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) - var tst = make([]IExpContext, len(ts)) - - for i, t := range ts { - if t != nil { - tst[i] = t.(IExpContext) - } - } - - return tst -} - -func (s *ExpArithmeticEQContext) Exp(i int) IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpArithmeticEQContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpArithmeticEQ(s) - } -} - -func (s *ExpArithmeticEQContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpArithmeticEQ(s) - } -} - -func (s *ExpArithmeticEQContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpArithmeticEQ(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpArithmeticGTEContext struct { - *ExpContext - left IExpContext - right IExpContext -} - -func NewExpArithmeticGTEContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticGTEContext { - var p = new(ExpArithmeticGTEContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpArithmeticGTEContext) GetLeft() IExpContext { return s.left } - -func (s *ExpArithmeticGTEContext) GetRight() IExpContext { return s.right } - -func (s *ExpArithmeticGTEContext) SetLeft(v IExpContext) { s.left = v } - -func (s *ExpArithmeticGTEContext) SetRight(v IExpContext) { s.right = v } - -func (s *ExpArithmeticGTEContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpArithmeticGTEContext) GTE() antlr.TerminalNode { - return s.GetToken(BoolexpParserGTE, 0) -} - -func (s *ExpArithmeticGTEContext) AllExp() []IExpContext { - var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) - var tst = make([]IExpContext, len(ts)) - - for i, t := range ts { - if t != nil { - tst[i] = t.(IExpContext) - } - } - - return tst -} - -func (s *ExpArithmeticGTEContext) Exp(i int) IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpArithmeticGTEContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpArithmeticGTE(s) - } -} - -func (s *ExpArithmeticGTEContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpArithmeticGTE(s) - } -} - -func (s *ExpArithmeticGTEContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpArithmeticGTE(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpArithmeticLTEContext struct { - *ExpContext - left IExpContext - right IExpContext -} - -func NewExpArithmeticLTEContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticLTEContext { - var p = new(ExpArithmeticLTEContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpArithmeticLTEContext) GetLeft() IExpContext { return s.left } - -func (s *ExpArithmeticLTEContext) GetRight() IExpContext { return s.right } - -func (s *ExpArithmeticLTEContext) SetLeft(v IExpContext) { s.left = v } - -func (s *ExpArithmeticLTEContext) SetRight(v IExpContext) { s.right = v } - -func (s *ExpArithmeticLTEContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpArithmeticLTEContext) LTE() antlr.TerminalNode { - return s.GetToken(BoolexpParserLTE, 0) -} - -func (s *ExpArithmeticLTEContext) AllExp() []IExpContext { - var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) - var tst = make([]IExpContext, len(ts)) - - for i, t := range ts { - if t != nil { - tst[i] = t.(IExpContext) - } - } - - return tst -} - -func (s *ExpArithmeticLTEContext) Exp(i int) IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpArithmeticLTEContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpArithmeticLTE(s) - } -} - -func (s *ExpArithmeticLTEContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpArithmeticLTE(s) - } -} - -func (s *ExpArithmeticLTEContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpArithmeticLTE(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpArithmeticGTContext struct { - *ExpContext - left IExpContext - right IExpContext -} - -func NewExpArithmeticGTContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticGTContext { - var p = new(ExpArithmeticGTContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpArithmeticGTContext) GetLeft() IExpContext { return s.left } - -func (s *ExpArithmeticGTContext) GetRight() IExpContext { return s.right } - -func (s *ExpArithmeticGTContext) SetLeft(v IExpContext) { s.left = v } - -func (s *ExpArithmeticGTContext) SetRight(v IExpContext) { s.right = v } - -func (s *ExpArithmeticGTContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpArithmeticGTContext) GT() antlr.TerminalNode { - return s.GetToken(BoolexpParserGT, 0) -} - -func (s *ExpArithmeticGTContext) AllExp() []IExpContext { - var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) - var tst = make([]IExpContext, len(ts)) - - for i, t := range ts { - if t != nil { - tst[i] = t.(IExpContext) - } - } - - return tst -} - -func (s *ExpArithmeticGTContext) Exp(i int) IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpArithmeticGTContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpArithmeticGT(s) - } -} - -func (s *ExpArithmeticGTContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpArithmeticGT(s) - } -} - -func (s *ExpArithmeticGTContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpArithmeticGT(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpTextContext struct { - *ExpContext -} - -func NewExpTextContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpTextContext { - var p = new(ExpTextContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpTextContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpTextContext) TEXT() antlr.TerminalNode { - return s.GetToken(BoolexpParserTEXT, 0) -} - -func (s *ExpTextContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpText(s) - } -} - -func (s *ExpTextContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpText(s) - } -} - -func (s *ExpTextContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpText(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpNumberContext struct { - *ExpContext -} - -func NewExpNumberContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpNumberContext { - var p = new(ExpNumberContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpNumberContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpNumberContext) NUMBER() antlr.TerminalNode { - return s.GetToken(BoolexpParserNUMBER, 0) -} - -func (s *ExpNumberContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpNumber(s) - } -} - -func (s *ExpNumberContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpNumber(s) - } -} - -func (s *ExpNumberContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpNumber(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpLogicalAndContext struct { - *ExpContext - left IExpContext - right IExpContext -} - -func NewExpLogicalAndContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpLogicalAndContext { - var p = new(ExpLogicalAndContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpLogicalAndContext) GetLeft() IExpContext { return s.left } - -func (s *ExpLogicalAndContext) GetRight() IExpContext { return s.right } - -func (s *ExpLogicalAndContext) SetLeft(v IExpContext) { s.left = v } - -func (s *ExpLogicalAndContext) SetRight(v IExpContext) { s.right = v } - -func (s *ExpLogicalAndContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpLogicalAndContext) AND() antlr.TerminalNode { - return s.GetToken(BoolexpParserAND, 0) -} - -func (s *ExpLogicalAndContext) AllExp() []IExpContext { - var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) - var tst = make([]IExpContext, len(ts)) - - for i, t := range ts { - if t != nil { - tst[i] = t.(IExpContext) - } - } - - return tst -} - -func (s *ExpLogicalAndContext) Exp(i int) IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpLogicalAndContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpLogicalAnd(s) - } -} - -func (s *ExpLogicalAndContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpLogicalAnd(s) - } -} - -func (s *ExpLogicalAndContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpLogicalAnd(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpLogicalORContext struct { - *ExpContext - left IExpContext - right IExpContext -} - -func NewExpLogicalORContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpLogicalORContext { - var p = new(ExpLogicalORContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpLogicalORContext) GetLeft() IExpContext { return s.left } - -func (s *ExpLogicalORContext) GetRight() IExpContext { return s.right } - -func (s *ExpLogicalORContext) SetLeft(v IExpContext) { s.left = v } - -func (s *ExpLogicalORContext) SetRight(v IExpContext) { s.right = v } - -func (s *ExpLogicalORContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpLogicalORContext) OR() antlr.TerminalNode { - return s.GetToken(BoolexpParserOR, 0) -} - -func (s *ExpLogicalORContext) AllExp() []IExpContext { - var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) - var tst = make([]IExpContext, len(ts)) - - for i, t := range ts { - if t != nil { - tst[i] = t.(IExpContext) - } - } - - return tst -} - -func (s *ExpLogicalORContext) Exp(i int) IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpLogicalORContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpLogicalOR(s) - } -} - -func (s *ExpLogicalORContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpLogicalOR(s) - } -} - -func (s *ExpLogicalORContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpLogicalOR(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpFloatContext struct { - *ExpContext -} - -func NewExpFloatContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpFloatContext { - var p = new(ExpFloatContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpFloatContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpFloatContext) FLOAT() antlr.TerminalNode { - return s.GetToken(BoolexpParserFLOAT, 0) -} - -func (s *ExpFloatContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpFloat(s) - } -} - -func (s *ExpFloatContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpFloat(s) - } -} - -func (s *ExpFloatContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpFloat(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpVariableContext struct { - *ExpContext -} - -func NewExpVariableContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpVariableContext { - var p = new(ExpVariableContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpVariableContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpVariableContext) VARIABLE() antlr.TerminalNode { - return s.GetToken(BoolexpParserVARIABLE, 0) -} - -func (s *ExpVariableContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpVariable(s) - } -} - -func (s *ExpVariableContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpVariable(s) - } -} - -func (s *ExpVariableContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpVariable(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpNotContext struct { - *ExpContext -} - -func NewExpNotContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpNotContext { - var p = new(ExpNotContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpNotContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpNotContext) NOT() antlr.TerminalNode { - return s.GetToken(BoolexpParserNOT, 0) -} - -func (s *ExpNotContext) Exp() IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), 0) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpNotContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpNot(s) - } -} - -func (s *ExpNotContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpNot(s) - } -} - -func (s *ExpNotContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpNot(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpInParenContext struct { - *ExpContext -} - -func NewExpInParenContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpInParenContext { - var p = new(ExpInParenContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpInParenContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpInParenContext) LPAR() antlr.TerminalNode { - return s.GetToken(BoolexpParserLPAR, 0) -} - -func (s *ExpInParenContext) Exp() IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), 0) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpInParenContext) RPAR() antlr.TerminalNode { - return s.GetToken(BoolexpParserRPAR, 0) -} - -func (s *ExpInParenContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpInParen(s) - } -} - -func (s *ExpInParenContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpInParen(s) - } -} - -func (s *ExpInParenContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpInParen(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpBooleanContext struct { - *ExpContext -} - -func NewExpBooleanContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpBooleanContext { - var p = new(ExpBooleanContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpBooleanContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpBooleanContext) Boolean() IBooleanContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IBooleanContext)(nil)).Elem(), 0) - - if t == nil { - return nil - } - - return t.(IBooleanContext) -} - -func (s *ExpBooleanContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpBoolean(s) - } -} - -func (s *ExpBooleanContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpBoolean(s) - } -} - -func (s *ExpBooleanContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpBoolean(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpFunctionContext struct { - *ExpContext -} - -func NewExpFunctionContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpFunctionContext { - var p = new(ExpFunctionContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpFunctionContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpFunctionContext) METHODNAME() antlr.TerminalNode { - return s.GetToken(BoolexpParserMETHODNAME, 0) -} - -func (s *ExpFunctionContext) LPAR() antlr.TerminalNode { - return s.GetToken(BoolexpParserLPAR, 0) -} - -func (s *ExpFunctionContext) RPAR() antlr.TerminalNode { - return s.GetToken(BoolexpParserRPAR, 0) -} - -func (s *ExpFunctionContext) Arguments() IArgumentsContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IArgumentsContext)(nil)).Elem(), 0) - - if t == nil { - return nil - } - - return t.(IArgumentsContext) -} - -func (s *ExpFunctionContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpFunction(s) - } -} - -func (s *ExpFunctionContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpFunction(s) - } -} - -func (s *ExpFunctionContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpFunction(s) - - default: - return t.VisitChildren(s) - } -} - -type ExpArithmeticLTContext struct { - *ExpContext - left IExpContext - right IExpContext -} - -func NewExpArithmeticLTContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticLTContext { - var p = new(ExpArithmeticLTContext) - - p.ExpContext = NewEmptyExpContext() - p.parser = parser - p.CopyFrom(ctx.(*ExpContext)) - - return p -} - -func (s *ExpArithmeticLTContext) GetLeft() IExpContext { return s.left } - -func (s *ExpArithmeticLTContext) GetRight() IExpContext { return s.right } - -func (s *ExpArithmeticLTContext) SetLeft(v IExpContext) { s.left = v } - -func (s *ExpArithmeticLTContext) SetRight(v IExpContext) { s.right = v } - -func (s *ExpArithmeticLTContext) GetRuleContext() antlr.RuleContext { - return s -} - -func (s *ExpArithmeticLTContext) LT() antlr.TerminalNode { - return s.GetToken(BoolexpParserLT, 0) -} - -func (s *ExpArithmeticLTContext) AllExp() []IExpContext { - var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) - var tst = make([]IExpContext, len(ts)) - - for i, t := range ts { - if t != nil { - tst[i] = t.(IExpContext) - } - } - - return tst -} - -func (s *ExpArithmeticLTContext) Exp(i int) IExpContext { - var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) - - if t == nil { - return nil - } - - return t.(IExpContext) -} - -func (s *ExpArithmeticLTContext) EnterRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.EnterExpArithmeticLT(s) - } -} - -func (s *ExpArithmeticLTContext) ExitRule(listener antlr.ParseTreeListener) { - if listenerT, ok := listener.(BoolexpListener); ok { - listenerT.ExitExpArithmeticLT(s) - } -} - -func (s *ExpArithmeticLTContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { - switch t := visitor.(type) { - case BoolexpVisitor: - return t.VisitExpArithmeticLT(s) - - default: - return t.VisitChildren(s) - } -} - -func (p *BoolexpParser) Exp() (localctx IExpContext) { - return p.exp(0) -} - -func (p *BoolexpParser) exp(_p int) (localctx IExpContext) { - var _parentctx antlr.ParserRuleContext = p.GetParserRuleContext() - _parentState := p.GetState() - localctx = NewExpContext(p, p.GetParserRuleContext(), _parentState) - var _prevctx IExpContext = localctx - var _ antlr.ParserRuleContext = _prevctx // TODO: To prevent unused variable warning. - _startState := 2 - p.EnterRecursionRule(localctx, 2, BoolexpParserRULE_exp, _p) - var _la int - - defer func() { - p.UnrollRecursionContexts(_parentctx) - }() - - defer func() { - if err := recover(); err != nil { - if v, ok := err.(antlr.RecognitionException); ok { - localctx.SetException(v) - p.GetErrorHandler().ReportError(p, v) - p.GetErrorHandler().Recover(p, v) - } else { - panic(err) - } - } - }() - - var _alt int - - p.EnterOuterAlt(localctx, 1) - p.SetState(29) - p.GetErrorHandler().Sync(p) - - switch p.GetTokenStream().LA(1) { - case BoolexpParserLPAR: - localctx = NewExpInParenContext(p, localctx) - p.SetParserRuleContext(localctx) - _prevctx = localctx - - { - p.SetState(12) - p.Match(BoolexpParserLPAR) - } - { - p.SetState(13) - p.exp(0) - } - { - p.SetState(14) - p.Match(BoolexpParserRPAR) - } - - case BoolexpParserNOT: - localctx = NewExpNotContext(p, localctx) - p.SetParserRuleContext(localctx) - _prevctx = localctx - { - p.SetState(16) - p.Match(BoolexpParserNOT) - } - { - p.SetState(17) - p.exp(15) - } - - case BoolexpParserTRUE, BoolexpParserFALSE: - localctx = NewExpBooleanContext(p, localctx) - p.SetParserRuleContext(localctx) - _prevctx = localctx - { - p.SetState(18) - p.Boolean() - } - - case BoolexpParserVARIABLE: - localctx = NewExpVariableContext(p, localctx) - p.SetParserRuleContext(localctx) - _prevctx = localctx - { - p.SetState(19) - p.Match(BoolexpParserVARIABLE) - } - - case BoolexpParserMETHODNAME: - localctx = NewExpFunctionContext(p, localctx) - p.SetParserRuleContext(localctx) - _prevctx = localctx - { - p.SetState(20) - p.Match(BoolexpParserMETHODNAME) - } - { - p.SetState(21) - p.Match(BoolexpParserLPAR) - } - p.SetState(23) - p.GetErrorHandler().Sync(p) - _la = p.GetTokenStream().LA(1) - - if ((_la)&-(0x1f+1)) == 0 && ((1<'; +LT: '<'; +GTE: '>='; +LTE: '<='; +ADD: '+'; +SUB: '-'; +MUL: '*'; +DIV: '/'; +MOD: '%'; +AND: 'and' | 'AND'; +OR: 'or' | 'OR'; +TRUE: 'true' | 'TRUE'; +FALSE: 'false' | 'FALSE'; +FLOAT: [\-]? [0-9]+ '.' [0-9]+; +NUMBER: [\-]? [0-9]+; +WHITESPACE: [ \r\n\t]+ -> skip; +NOT: 'NOT' | 'not'; +NAME: [a-zA-Z_] [a-zA-Z0-9_]*; +VNAME: [a-zA-Z0-9_.]+('.'[a-zA-Z0-9_]+)*; +STEXT: '\'' ~[\r\n']* '\''; +DTEXT: '"' ~[\r\n"]* '"'; +LPAR: '('; +RPAR: ')'; +LARR: '['; +RARR: ']'; +LDICT: '{'; +RDICT: '}'; +BEGIN_VARIABLE: '${'; + +expList: exp EOF; + +boolean +: TRUE | FALSE +; + +constant +: STEXT +| DTEXT +| FLOAT +| NUMBER +| boolean +; + +variable +: NAME +| VNAME +| constant +; + +variableExp +: variable( '|' variable)* +; + +exp +: LPAR exp RPAR # ExpInParen +| left=exp (MUL | DIV | MOD) right=exp # ExpArithmeticMulDivMod +| left=exp (ADD | SUB) right=exp # ExpArithmeticAddSub +| NOT exp # ExpNot +| left=exp EQ right=exp # ExpArithmeticEQ +| left=exp NEQ right=exp # ExpArithmeticNEQ +| left=exp LTE right=exp # ExpArithmeticLTE +| left=exp GTE right=exp # ExpArithmeticGTE +| left=exp LT right=exp # ExpArithmeticLT +| left=exp GT right=exp # ExpArithmeticGT +| left=exp AND right=exp # ExpLogicalAnd +| left=exp OR right=exp # ExpLogicalOR +| boolean # ExpBoolean +| BEGIN_VARIABLE variableExp RDICT # ExpVariable +| NAME LPAR arguments? RPAR # ExpFunction +| LARR array? RARR # ExpArray +| LDICT dict? RDICT # ExpDict +| (STEXT | DTEXT) # ExpText +| FLOAT # ExpFloat +| NUMBER # ExpNumber +; + +arguments +: exp( ',' exp)* +; + +array +: constant( ',' constant)* +; + +key +: (NAME | STEXT | DTEXT) ':' constant +; + +dict +: key( ',' key)* +; diff --git a/x-pack/elastic-agent/pkg/boolexp/compare.go b/x-pack/elastic-agent/pkg/eql/compare.go similarity index 71% rename from x-pack/elastic-agent/pkg/boolexp/compare.go rename to x-pack/elastic-agent/pkg/eql/compare.go index 9a68286e3df..9381f254fde 100644 --- a/x-pack/elastic-agent/pkg/boolexp/compare.go +++ b/x-pack/elastic-agent/pkg/eql/compare.go @@ -2,9 +2,12 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package boolexp +package eql -import "fmt" +import ( + "fmt" + "sort" +) type operand interface{} @@ -12,6 +15,12 @@ type compare func(left, right operand) (bool, error) func compareEQ(left, right operand) (bool, error) { switch v := left.(type) { + case *null: + _, ok := right.(*null) + if ok { + return true, nil + } + return false, nil case bool: rV, ok := right.(bool) if !ok { @@ -23,6 +32,8 @@ func compareEQ(left, right operand) (bool, error) { return false, nil case int: switch rv := right.(type) { + case *null: + return false, nil case int: return v == rv, nil case float64: @@ -38,6 +49,8 @@ func compareEQ(left, right operand) (bool, error) { } case float64: switch rv := right.(type) { + case *null: + return false, nil case int: return v == float64(rv), nil case float64: @@ -58,6 +71,42 @@ func compareEQ(left, right operand) (bool, error) { return true, nil } return false, nil + case []interface{}: + rV, ok := right.([]interface{}) + if !ok { + return false, nil + } + if len(v) != len(rV) { + return false, nil + } + for i := range v { + b, err := compareEQ(v[i], rV[i]) + if err != nil { + return false, err + } + if !b { + return false, nil + } + } + return true, nil + case map[string]interface{}: + rV, ok := right.(map[string]interface{}) + if !ok { + return false, nil + } + if !keysEqual(v, rV) { + return false, nil + } + for i := range v { + b, err := compareEQ(v[i], rV[i]) + if err != nil { + return false, err + } + if !b { + return false, nil + } + } + return true, nil default: return false, fmt.Errorf( "compare: ==, incompatible type to compare, left=%T, right=%T", @@ -69,10 +118,16 @@ func compareEQ(left, right operand) (bool, error) { func compareNEQ(left, right operand) (bool, error) { switch v := left.(type) { + case *null: + _, ok := right.(*null) + if ok { + return false, nil + } + return true, nil case bool: rV, ok := right.(bool) if !ok { - return false, nil + return true, nil } if rV == v { return false, nil @@ -80,6 +135,8 @@ func compareNEQ(left, right operand) (bool, error) { return true, nil case int: switch rv := right.(type) { + case *null: + return true, nil case int: return v != rv, nil case float64: @@ -95,6 +152,8 @@ func compareNEQ(left, right operand) (bool, error) { } case float64: switch rv := right.(type) { + case *null: + return true, nil case int: return v != float64(rv), nil case float64: @@ -109,12 +168,48 @@ func compareNEQ(left, right operand) (bool, error) { case string: rV, ok := right.(string) if !ok { - return false, nil + return true, nil } if rV == v { return false, nil } return true, nil + case []interface{}: + rV, ok := right.([]interface{}) + if !ok { + return true, nil + } + if len(v) != len(rV) { + return true, nil + } + for i := range v { + b, err := compareNEQ(v[i], rV[i]) + if err != nil { + return false, err + } + if b { + return true, nil + } + } + return false, nil + case map[string]interface{}: + rV, ok := right.(map[string]interface{}) + if !ok { + return true, nil + } + if !keysEqual(v, rV) { + return true, nil + } + for i := range v { + b, err := compareNEQ(v[i], rV[i]) + if err != nil { + return false, err + } + if b { + return true, nil + } + } + return false, nil default: return false, fmt.Errorf( "compare: !=, incompatible type to compare, left=%T, right=%T", @@ -275,9 +370,56 @@ func compareGTE(left, right operand) (bool, error) { type logical func(left, right operand) (bool, error) func logicalAND(left, right operand) (bool, error) { - return left.(bool) && right.(bool), nil + switch l := left.(type) { + case bool: + switch r := right.(type) { + case bool: + return l && r, nil + } + } + return false, fmt.Errorf( + "and: incompatible type to and both operands must be booleans, left=%T, right=%T", + left, + right, + ) } func logicalOR(left, right operand) (bool, error) { - return left.(bool) == true || right.(bool), nil + switch l := left.(type) { + case bool: + switch r := right.(type) { + case bool: + return l || r, nil + } + } + return false, fmt.Errorf( + "and: incompatible type to and both operands must be booleans, left=%T, right=%T", + left, + right, + ) +} + +func keys(v map[string]interface{}) []string { + ks := make([]string, len(v)) + i := 0 + for k := range v { + ks[i] = k + i++ + } + sort.Strings(ks) + return ks +} + +func keysEqual(v1, v2 map[string]interface{}) bool { + ks1 := keys(v1) + ks2 := keys(v2) + if len(ks1) != len(ks2) { + return false + } + for i, v := range ks1 { + if v != ks2[i] { + return false + } + } + return true } diff --git a/x-pack/elastic-agent/pkg/boolexp/boolexp.go b/x-pack/elastic-agent/pkg/eql/eql.go similarity index 70% rename from x-pack/elastic-agent/pkg/boolexp/boolexp.go rename to x-pack/elastic-agent/pkg/eql/eql.go index 87d43ab2eb6..0993f251eaf 100644 --- a/x-pack/elastic-agent/pkg/boolexp/boolexp.go +++ b/x-pack/elastic-agent/pkg/eql/eql.go @@ -2,14 +2,14 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package boolexp +package eql -//go:generate antlr4 -Dlanguage=Go -o parser Boolexp.g4 -visitor +//go:generate antlr4 -Dlanguage=Go -o parser Eql.g4 -visitor // Eval takes an expression, parse and evaluate it, everytime this method is called a new // parser is created, if you want to reuse the parsed tree see the `New` method. -func Eval(expression string, methods *MethodsReg, store VarStore) (bool, error) { - e, err := New(expression, methods) +func Eval(expression string, store VarStore) (bool, error) { + e, err := New(expression) if err != nil { return false, err } diff --git a/x-pack/elastic-agent/pkg/eql/eql_test.go b/x-pack/elastic-agent/pkg/eql/eql_test.go new file mode 100644 index 00000000000..56df991b449 --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/eql_test.go @@ -0,0 +1,377 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package eql + +import ( + "fmt" + "os" + "testing" + + "github.com/antlr/antlr4/runtime/Go/antlr" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/eql/parser" +) + +var showDebug = lookupEnvOrDefault("DEBUG", "0") + +type testVarStore struct { + vars map[string]interface{} +} + +func (s *testVarStore) Lookup(v string) (interface{}, bool) { + val, ok := s.vars[v] + return val, ok +} + +func TestEql(t *testing.T) { + testcases := []struct { + expression string + result bool + err bool + }{ + // variables + {expression: "${env.HOSTNAME|host.name|'fallback'} == 'my-hostname'", result: true}, + {expression: "${env.MISSING|host.name|'fallback'} == 'host-name'", result: true}, + {expression: "${env.MISSING|host.MISSING|'fallback'} == 'fallback'", result: true}, + {expression: "${env.MISSING|host.MISSING|2} == 2", result: true}, + {expression: "${env.MISSING|host.MISSING|2.0} == 2.0", result: true}, + {expression: "${env.MISSING|host.MISSING|true} == true", result: true}, + {expression: "${env.MISSING|host.MISSING|false} == false", result: true}, + {expression: "${'constant'} == 'constant'", result: true}, + + // boolean + {expression: "true", result: true}, + {expression: "false", result: false}, + + // equal + {expression: "'hello' == 'hello'", result: true}, + {expression: "'hello' == 'other'", result: false}, + {expression: "'other' == 'hello'", result: false}, + {expression: "1 == 1", result: true}, + {expression: "1 == 2", result: false}, + {expression: "2 == 1", result: false}, + {expression: "1.0 == 1", result: true}, + {expression: "1.1 == 1", result: false}, + {expression: "1 == 1.1", result: false}, + {expression: "true == true", result: true}, + {expression: "true == false", result: false}, + {expression: "false == false", result: true}, + {expression: "true == false", result: false}, + {expression: "${missing} == ${missing}", result: true}, + {expression: "${missing} == false", result: false}, + {expression: "false == ${missing}", result: false}, + + // not equal + {expression: "'hello' != 'hello'", result: false}, + {expression: "'hello' != 'other'", result: true}, + {expression: "'other' != 'hello'", result: true}, + {expression: "1 != 1", result: false}, + {expression: "1 != 2", result: true}, + {expression: "2 != 1", result: true}, + {expression: "1.0 != 1", result: false}, + {expression: "1.1 != 1", result: true}, + {expression: "1 != 1.1", result: true}, + {expression: "true != true", result: false}, + {expression: "true != false", result: true}, + {expression: "false != false", result: false}, + {expression: "true != false", result: true}, + {expression: "${missing} != ${missing}", result: false}, + {expression: "${missing} != false", result: true}, + {expression: "false != ${missing}", result: true}, + + // gt + {expression: "1 > 5", result: false}, + {expression: "10 > 5", result: true}, + {expression: "10 > 10", result: false}, + {expression: "1.1 > 5", result: false}, + {expression: "10.1 > 5", result: true}, + {expression: "1 > 5.0", result: false}, + {expression: "10 > 5.0", result: true}, + {expression: "10.1 > 10.1", result: false}, + + // lt + {expression: "1 < 5", result: true}, + {expression: "10 < 5", result: false}, + {expression: "10 < 10", result: false}, + {expression: "1.1 < 5", result: true}, + {expression: "10.1 < 5", result: false}, + {expression: "1 < 5.0", result: true}, + {expression: "10 < 5.0", result: false}, + {expression: "10.1 < 10.1", result: false}, + + // gte + {expression: "1 >= 5", result: false}, + {expression: "10 >= 5", result: true}, + {expression: "10 >= 10", result: true}, + {expression: "1.1 >= 5", result: false}, + {expression: "10.1 >= 5", result: true}, + {expression: "1 >= 5.0", result: false}, + {expression: "10 >= 5.0", result: true}, + {expression: "10.1 >= 10.1", result: true}, + + // lte + {expression: "1 <= 5", result: true}, + {expression: "10 <= 5", result: false}, + {expression: "10 <= 10", result: true}, + {expression: "1.1 <= 5", result: true}, + {expression: "10.1 <= 5", result: false}, + {expression: "1 <= 5.0", result: true}, + {expression: "10 <= 5.0", result: false}, + {expression: "10.1 <= 10.1", result: true}, + + // math (pemdas) + {expression: "4 * (5 + 3) == 32", result: true}, + {expression: "4 * 5 + 3 == 23", result: true}, + {expression: "2 + 5 * 3 == 17", result: true}, + {expression: "(2 + 5) * 3 == 21", result: true}, + {expression: "30 / 5 * 3 == 18", result: true}, + {expression: "30 / (5 * 3) == 2", result: true}, + {expression: "(18 / 6 * 5) - 14 / 7 == 13", result: true}, + {expression: "(18 / 6 * 5) - 14 / 7 == 13", result: true}, + {expression: "1.0 / 2 * 6 == 3", result: true}, + {expression: "24.0 / (-2 * -6) == 2", result: true}, + {expression: "24.0 / 0 == 0", err: true}, + {expression: "-4 * (5 + 3) == -32", result: true}, + {expression: "-4 * 5 + 3 == -17", result: true}, + {expression: "-24.0 / (2 * 6) == -2", result: true}, + {expression: "-24.0 / (5 % 3) == -12", result: true}, + {expression: "-24 % 5 * 3 == -12", result: true}, + + // not + {expression: "not false", result: true}, + {expression: "not true", result: false}, + {expression: "not (1 == 1)", result: false}, + {expression: "not (1 != 1)", result: true}, + {expression: "NOT false", result: true}, + {expression: "NOT true", result: false}, + {expression: "NOT (1 == 1)", result: false}, + {expression: "NOT (1 != 1)", result: true}, + + // and + {expression: "(1 == 1) and (2 == 2)", result: true}, + {expression: "(1 == 4) and (2 == 2)", result: false}, + {expression: "(1 == 1) and (2 == 3)", result: false}, + {expression: "(1 == 5) and (2 == 3)", result: false}, + {expression: "(1 == 1) AND (2 == 2)", result: true}, + {expression: "(1 == 4) AND (2 == 2)", result: false}, + {expression: "(1 == 1) AND (2 == 3)", result: false}, + {expression: "(1 == 5) AND (2 == 3)", result: false}, + {expression: "1 == 1 AND 2 == 2", result: true}, + {expression: "1 == 4 AND 2 == 2", result: false}, + {expression: "1 == 1 AND 2 == 3", result: false}, + {expression: "1 == 5 AND 2 == 3", result: false}, + {expression: "1 == 1 and 2 == 2", result: true}, + {expression: "1 == 4 and 2 == 2", result: false}, + {expression: "1 == 1 and 2 == 3", result: false}, + {expression: "1 == 5 and 2 == 3", result: false}, + + // or + {expression: "(1 == 1) OR (2 == 2)", result: true}, + {expression: "(1 == 1) OR (3 == 2)", result: true}, + {expression: "(1 == 2) OR (2 == 2)", result: true}, + {expression: "(1 == 2) OR (2 == 2)", result: true}, + {expression: "(1 == 2) OR (1 == 2)", result: false}, + {expression: "(1 == 1) or (2 == 2)", result: true}, + {expression: "(1 == 1) or (3 == 2)", result: true}, + {expression: "(1 == 2) or (2 == 2)", result: true}, + {expression: "(1 == 2) or (2 == 2)", result: true}, + {expression: "(1 == 2) or (1 == 2)", result: false}, + + // mixed + {expression: "((1 == 1) AND (2 == 2)) OR (2 != 3)", result: true}, + {expression: "(1 == 1 OR 2 == 2) AND 2 != 3", result: true}, + {expression: "((1 == 1) AND (2 == 2)) OR (2 != 3)", result: true}, + {expression: "1 == 1 OR 2 == 2 AND 2 != 3", result: true}, + + // arrays + {expression: "[true, false, 1, 1.0, 'test'] == [true, false, 1, 1.0, 'test']", result: true}, + {expression: "[true, false, 1, 1.0, 'test'] == [true, false, 1, 1.1, 'test']", result: false}, + {expression: "[true, false, 1, 1.0, 'test'] != [true, false, 1, 1.0, 'test']", result: false}, + {expression: "[true, false, 1, 1.0, 'test'] != [true, false, 1, 1.1, 'test']", result: true}, + + // dict + {expression: `{bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"} == {bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"}`, result: true}, + {expression: `{bt: true, bf: false, number: 1, float: 1.0, st: 'test'} == {bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"}`, result: false}, + {expression: `{bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "other"} == {bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"}`, result: false}, + {expression: `{bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt2: "test"} == {bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"}`, result: false}, + {expression: `{bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"} != {bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"}`, result: false}, + {expression: `{bt: true, bf: false, number: 1, float: 1.0, st: 'test'} != {bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"}`, result: true}, + {expression: `{bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "other"} != {bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"}`, result: true}, + {expression: `{bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt2: "test"} != {bt: true, bf: false, number: 1, float: 1.0, st: 'test', dt: "test"}`, result: true}, + + // methods array + {expression: "arrayContains([true, 1, 3.5, 'str'], 1)", result: true}, + {expression: "arrayContains([true, 1, 3.5, 'str'], 2)", result: false}, + {expression: "arrayContains([true, 1, 3.5, 'str'], 'str')", result: true}, + {expression: "arrayContains([true, 1, 3.5, 'str'], 'str2')", result: false}, + {expression: "arrayContains([true, 1, 3.5, 'str'], 'str2', 3.5)", result: true}, + {expression: "arrayContains(${null.data}, 'str2', 3.5)", result: false}, + {expression: "arrayContains(${data.array}, 'array5', 'array2')", result: true}, + {expression: "arrayContains('not array', 'str2')", err: true}, + + // methods dict + {expression: "hasKey({key1: 'val1', key2: 'val2'}, 'key2')", result: true}, + {expression: "hasKey({key1: 'val1', key2: 'val2'}, 'other', 'key1')", result: true}, + {expression: "hasKey({key1: 'val1', key2: 'val2'}, 'missing', 'still')", result: false}, + {expression: "hasKey(${data.dict}, 'key3', 'still')", result: true}, + {expression: "hasKey(${null}, 'key3', 'still')", result: false}, + {expression: "hasKey(${data.dict})", err: true}, + {expression: "hasKey(${data.array}, 'not present')", err: true}, + + // methods length + {expression: "length('hello') == 5", result: true}, + {expression: "length([true, 1, 3.5, 'str']) == 4", result: true}, + {expression: "length({key: 'data', other: '2'}) == 2", result: true}, + {expression: "length(${data.dict}) == 3", result: true}, + {expression: "length(${null}) == 0", result: true}, + {expression: "length(4) == 2", err: true}, + {expression: "length('hello', 'too many args') == 2", err: true}, + + // methods math + {expression: "add(2, 2) == 4", result: true}, + {expression: "add(2.2, 2.2) == 4.4", result: true}, + {expression: "add(2) == 4", err: true}, + {expression: "add(2, 2, 2) == 4", err: true}, + {expression: "add('str', 'str') == 4", err: true}, + {expression: "subtract(2, 2) == 0", result: true}, + {expression: "subtract(2.2, 2.2) == 0", result: true}, + {expression: "subtract(2) == 0", err: true}, + {expression: "subtract(2, 2, 2) == 0", err: true}, + {expression: "subtract('str', 'str') == 0", err: true}, + {expression: "multiply(4, 2) == 8", result: true}, + {expression: "multiply(4.2, 2) == 8.4", result: true}, + {expression: "multiply(4) == 4", err: true}, + {expression: "multiply(2, 2, 2) == 4", err: true}, + {expression: "multiply('str', 'str') == 4", err: true}, + {expression: "divide(8, 2) == 4", result: true}, + {expression: "divide(4.2, 2) == 2.1", result: true}, + {expression: "divide(4.2, 0) == 2.1", err: true}, + {expression: "divide(4) == 4", err: true}, + {expression: "divide(2, 2, 2) == 4", err: true}, + {expression: "divide('str', 'str') == 4", err: true}, + {expression: "modulo(8, 3) == 2", result: true}, + {expression: "modulo(8, 0) == 2", err: true}, + {expression: "modulo(4.2, 2) == 1.2", err: true}, + {expression: "modulo(4) == 4", err: true}, + {expression: "modulo(2, 2, 2) == 4", err: true}, + {expression: "modulo('str', 'str') == 4", err: true}, + + // methods str + {expression: "concat('hello ', 2, ' the world') == 'hello 2 the world'", result: true}, + {expression: "concat('h', 2, 2.0, ['a', 'b'], true, {key: 'value'}) == 'h22E+00[a,b]true{key:value}'", result: true}, + {expression: "endsWith('hello world', 'world')", result: true}, + {expression: "endsWith('hello world', 'wor')", result: false}, + {expression: "endsWith('hello world', 'world', 'too many args')", err: true}, + {expression: "endsWith('not enough')", err: true}, + {expression: "indexOf('elastic.co', '.') == 7", result: true}, + {expression: "indexOf('elastic-agent.elastic.co', '.', 15) == 21", result: true}, + {expression: "indexOf('elastic-agent.elastic.co', '.', 15.2) == 21", err: true}, + {expression: "indexOf('elastic-agent.elastic.co', '.', 'not int') == 21", err: true}, + {expression: "indexOf('elastic-agent.elastic.co', '.', '15, 'too many args') == 21", err: true}, + {expression: "match('elastic.co', '[a-z]+.[a-z]{2}')", result: true}, + {expression: "match('elastic.co', '[a-z]+', '[a-z]+.[a-z]{2}')", result: true}, + {expression: "match('not enough')", err: true}, + {expression: "match('elastic.co', '[a-z')", err: true}, + {expression: "number('002020') == 2020", result: true}, + {expression: "number('0xdeadbeef', 16) == 3735928559", result: true}, + {expression: "number('not a number') == 'not'", err: true}, + {expression: "number('0xdeadbeef', 16, 2) == 'too many args'", err: true}, + {expression: "startsWith('hello world', 'hello')", result: true}, + {expression: "startsWith('hello world', 'llo')", result: false}, + {expression: "startsWith('hello world', 'hello', 'too many args')", err: true}, + {expression: "startsWith('not enough')", err: true}, + {expression: "string('str') == 'str'", result: true}, + {expression: "string(2) == '2'", result: true}, + {expression: "string(2.0) == '2E+00'", result: true}, + {expression: "string(true) == 'true'", result: true}, + {expression: "string(false) == 'false'", result: true}, + {expression: "string(['a', 'b']) == '[a,b]'", result: true}, + {expression: "string({key:'value'}) == '{key:value}'", result: true}, + {expression: "string(2, 'too many') == '2'", err: true}, + {expression: "stringContains('hello world', 'o w')", result: true}, + {expression: "stringContains('hello world', 'rol')", result: false}, + {expression: "stringContains('hello world', 'o w', 'too many')", err: true}, + {expression: "stringContains(0, 'o w', 'too many')", err: true}, + {expression: "stringContains('hello world', 0)", err: true}, + + // Bad expression and malformed expression + {expression: "length('hello')", err: true}, + {expression: "length()", err: true}, + {expression: "donotexist()", err: true}, + } + + store := &testVarStore{ + vars: map[string]interface{}{ + "env.HOSTNAME": "my-hostname", + "host.name": "host-name", + "data.array": []interface{}{"array1", "array2", "array3"}, + "data.dict": map[string]interface{}{ + "key1": "dict1", + "key2": "dict2", + "key3": "dict3", + }, + }, + } + + for _, test := range testcases { + test := test + var title string + if test.err { + title = fmt.Sprintf("%s failed parsing", test.expression) + } else { + title = fmt.Sprintf("%s => return %v", test.expression, test.result) + } + t.Run(title, func(t *testing.T) { + if showDebug == "1" { + debug(test.expression) + } + + r, err := Eval(test.expression, store) + + if test.err { + require.Error(t, err) + return + } + + require.NoError(t, err) + assert.Equal(t, test.result, r) + }) + } +} + +func debug(expression string) { + raw := antlr.NewInputStream(expression) + + lexer := parser.NewEqlLexer(raw) + for { + t := lexer.NextToken() + if t.GetTokenType() == antlr.TokenEOF { + break + } + fmt.Printf("%s (%q)\n", + lexer.SymbolicNames[t.GetTokenType()], t.GetText()) + } +} + +var result bool + +func BenchmarkEval(b *testing.B) { + expression, _ := New("(length('hello') == 5) AND (length('Hi') == 2)") + + var r bool + for n := 0; n < b.N; n++ { + r, _ = expression.Eval(nil) + } + result = r +} + +func lookupEnvOrDefault(name, d string) string { + if v, ok := os.LookupEnv(name); ok { + return v + } + return d +} diff --git a/x-pack/elastic-agent/pkg/boolexp/expression.go b/x-pack/elastic-agent/pkg/eql/expression.go similarity index 79% rename from x-pack/elastic-agent/pkg/boolexp/expression.go rename to x-pack/elastic-agent/pkg/eql/expression.go index 69d30603d5c..eb0d5b08b4b 100644 --- a/x-pack/elastic-agent/pkg/boolexp/expression.go +++ b/x-pack/elastic-agent/pkg/eql/expression.go @@ -2,7 +2,7 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package boolexp +package eql import ( "errors" @@ -10,17 +10,17 @@ import ( "github.com/antlr/antlr4/runtime/Go/antlr" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/boolexp/parser" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/eql/parser" ) // VarStore is the interface to implements when you want the expression engine to be able to fetch // the value of a variables. Variables are defined using the field reference syntax likes -/// this: `%{[hello.var]}`. +// this: `${hello.var|other.var|'constant'}`. type VarStore interface { // Lookup allows to lookup a value of a variable from the store, the lookup method will received // the name of variable like this. // - // %{[hello.var]} => hello.var + // ${hello.var|other.var} => hello.var, followed by other.var if hello.var is not found Lookup(string) (interface{}, bool) } @@ -33,7 +33,6 @@ var ( type Expression struct { expression string tree antlr.ParseTree - methodsReg *MethodsReg vars VarStore } @@ -48,7 +47,7 @@ func (e *Expression) Eval(store VarStore) (result bool, err error) { } }() - visitor := &expVisitor{methodsReg: e.methodsReg, vars: store} + visitor := &expVisitor{vars: store} r := visitor.Visit(e.tree) if visitor.err != nil { @@ -59,18 +58,18 @@ func (e *Expression) Eval(store VarStore) (result bool, err error) { } // New create a new boolean expression parser will return an error if the expression if invalid. -func New(expression string, methods *MethodsReg) (*Expression, error) { +func New(expression string) (*Expression, error) { if len(expression) == 0 { return nil, ErrEmptyExpression } input := antlr.NewInputStream(expression) - lexer := parser.NewBoolexpLexer(input) + lexer := parser.NewEqlLexer(input) lexer.RemoveErrorListeners() tokens := antlr.NewCommonTokenStream(lexer, antlr.TokenDefaultChannel) - p := parser.NewBoolexpParser(tokens) + p := parser.NewEqlParser(tokens) p.RemoveErrorListeners() tree := p.ExpList() - return &Expression{expression: expression, tree: tree, methodsReg: methods}, nil + return &Expression{expression: expression, tree: tree}, nil } diff --git a/x-pack/elastic-agent/pkg/eql/math.go b/x-pack/elastic-agent/pkg/eql/math.go new file mode 100644 index 00000000000..6808c577c47 --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/math.go @@ -0,0 +1,212 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package eql + +import "fmt" + +func mathAdd(left, right operand) (interface{}, error) { + switch v := left.(type) { + case int: + switch rv := right.(type) { + case int: + return v + rv, nil + case float64: + return float64(v) + rv, nil + default: + return 0, fmt.Errorf( + "math: +, incompatible type to add both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } + case float64: + switch rv := right.(type) { + case int: + return v + float64(rv), nil + case float64: + return v + rv, nil + default: + return 0, fmt.Errorf( + "math: +, incompatible type to add both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } + default: + return 0, fmt.Errorf( + "math: +, incompatible type to add both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } +} + +func mathSub(left, right operand) (interface{}, error) { + switch v := left.(type) { + case int: + switch rv := right.(type) { + case int: + return v - rv, nil + case float64: + return float64(v) - rv, nil + default: + return 0, fmt.Errorf( + "math: -, incompatible type to subtract both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } + case float64: + switch rv := right.(type) { + case int: + return v - float64(rv), nil + case float64: + return v - rv, nil + default: + return 0, fmt.Errorf( + "math: -, incompatible type to subtract both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } + default: + return 0, fmt.Errorf( + "math: -, incompatible type to subtract both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } +} + +func mathMul(left, right operand) (interface{}, error) { + switch v := left.(type) { + case int: + switch rv := right.(type) { + case int: + return v * rv, nil + case float64: + return float64(v) * rv, nil + default: + return 0, fmt.Errorf( + "math: *, incompatible type to multiply both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } + case float64: + switch rv := right.(type) { + case int: + return v * float64(rv), nil + case float64: + return v * rv, nil + default: + return 0, fmt.Errorf( + "math: *, incompatible type to multiply both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } + default: + return 0, fmt.Errorf( + "math: *, incompatible type to multiply both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } +} + +func mathDiv(left, right operand) (interface{}, error) { + switch v := left.(type) { + case int: + switch rv := right.(type) { + case int: + if rv == 0 { + return 0, fmt.Errorf( + "math: /, division by zero, left=%T, right=%T", + left, + right, + ) + } + return v / rv, nil + case float64: + if rv == 0 { + return 0, fmt.Errorf( + "math: /, division by zero, left=%T, right=%T", + left, + right, + ) + } + return float64(v) / rv, nil + default: + return 0, fmt.Errorf( + "math: /, incompatible type to divide both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } + case float64: + switch rv := right.(type) { + case int: + if rv == 0 { + return 0, fmt.Errorf( + "math: /, division by zero, left=%T, right=%T", + left, + right, + ) + } + return v / float64(rv), nil + case float64: + if rv == 0 { + return 0, fmt.Errorf( + "math: /, division by zero, left=%T, right=%T", + left, + right, + ) + } + return v / rv, nil + default: + return 0, fmt.Errorf( + "math: /, incompatible type to divide both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } + default: + return 0, fmt.Errorf( + "math: /, incompatible type to divide both operands must be numbers, left=%T, right=%T", + left, + right, + ) + } +} + +func mathMod(left, right operand) (interface{}, error) { + switch v := left.(type) { + case int: + switch rv := right.(type) { + case int: + if rv == 0 { + return 0, fmt.Errorf( + "math: %%, division by zero, left=%T, right=%T", + left, + right, + ) + } + return v % rv, nil + default: + return 0, fmt.Errorf( + "math: %%, incompatible type to modulus both operands must be integers, left=%T, right=%T", + left, + right, + ) + } + default: + return 0, fmt.Errorf( + "math: %%, incompatible type to modulus both operands must be integers, left=%T, right=%T", + left, + right, + ) + } +} diff --git a/x-pack/elastic-agent/pkg/eql/methods.go b/x-pack/elastic-agent/pkg/eql/methods.go new file mode 100644 index 00000000000..ac803a0ff83 --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/methods.go @@ -0,0 +1,38 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package eql + +// callFunc is a function called while the expression evaluation is done, the function is responsible +// of doing the type conversion and allow checking the arity of the function. +type callFunc func(args []interface{}) (interface{}, error) + +// methods are the methods enabled in EQL. +var methods = map[string]callFunc{ + // array + "arrayContains": arrayContains, + + // dict + "hasKey": hasKey, + + // length: + "length": length, + + // math + "add": add, + "subtract": subtract, + "multiply": multiply, + "divide": divide, + "modulo": modulo, + + // str + "concat": concat, + "endsWith": endsWith, + "indexOf": indexOf, + "match": match, + "number": number, + "startsWith": startsWith, + "string": str, + "stringContains": stringContains, +} diff --git a/x-pack/elastic-agent/pkg/eql/methods_array.go b/x-pack/elastic-agent/pkg/eql/methods_array.go new file mode 100644 index 00000000000..2d07e4d105c --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/methods_array.go @@ -0,0 +1,31 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package eql + +import ( + "fmt" + "reflect" +) + +// arrayContains check if value is a member of the array. +func arrayContains(args []interface{}) (interface{}, error) { + if len(args) < 2 { + return nil, fmt.Errorf("arrayContains: accepts minimum 2 arguments; recieved %d", len(args)) + } + switch a := args[0].(type) { + case *null: + return false, nil + case []interface{}: + for _, check := range args[1:] { + for _, i := range a { + if reflect.DeepEqual(i, check) { + return true, nil + } + } + } + return false, nil + } + return nil, fmt.Errorf("arrayContains: first argument must be an array; recieved %T", args[0]) +} diff --git a/x-pack/elastic-agent/pkg/eql/methods_dict.go b/x-pack/elastic-agent/pkg/eql/methods_dict.go new file mode 100644 index 00000000000..c49cd7278b7 --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/methods_dict.go @@ -0,0 +1,32 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package eql + +import "fmt" + +// hasKey check if dict has anyone of the provided keys. +func hasKey(args []interface{}) (interface{}, error) { + if len(args) < 2 { + return nil, fmt.Errorf("hasKey: accepts minimum 2 arguments; recieved %d", len(args)) + } + switch d := args[0].(type) { + case *null: + return false, nil + case map[string]interface{}: + for i, check := range args[1:] { + switch c := check.(type) { + case string: + _, ok := d[c] + if ok { + return true, nil + } + default: + return nil, fmt.Errorf("hasKey: %d argument must be a string; recieved %T", i+1, check) + } + } + return false, nil + } + return nil, fmt.Errorf("hasKey: first argument must be a dictionary; recieved %T", args[0]) +} diff --git a/x-pack/elastic-agent/pkg/eql/methods_length.go b/x-pack/elastic-agent/pkg/eql/methods_length.go new file mode 100644 index 00000000000..026da65261f --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/methods_length.go @@ -0,0 +1,25 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package eql + +import "fmt" + +// length returns the length of the string, array, or dictionary +func length(args []interface{}) (interface{}, error) { + if len(args) != 1 { + return nil, fmt.Errorf("length: accepts exactly 1 argument; recieved %d", len(args)) + } + switch a := args[0].(type) { + case *null: + return 0, nil + case string: + return len(a), nil + case []interface{}: + return len(a), nil + case map[string]interface{}: + return len(a), nil + } + return nil, fmt.Errorf("length: accepts only a string, array, or dictionary; recieved %T", args[0]) +} diff --git a/x-pack/elastic-agent/pkg/eql/methods_math.go b/x-pack/elastic-agent/pkg/eql/methods_math.go new file mode 100644 index 00000000000..508f73ae47c --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/methods_math.go @@ -0,0 +1,47 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package eql + +import "fmt" + +// add performs x + y +func add(args []interface{}) (interface{}, error) { + if len(args) != 2 { + return nil, fmt.Errorf("add: accepts exactly 2 arguments; recieved %d", len(args)) + } + return mathAdd(args[0], args[1]) +} + +// subtract performs x - y +func subtract(args []interface{}) (interface{}, error) { + if len(args) != 2 { + return nil, fmt.Errorf("subtract: accepts exactly 2 arguments; recieved %d", len(args)) + } + return mathSub(args[0], args[1]) +} + +// multiply performs x * y +func multiply(args []interface{}) (interface{}, error) { + if len(args) != 2 { + return nil, fmt.Errorf("multiply: accepts exactly 2 arguments; recieved %d", len(args)) + } + return mathMul(args[0], args[1]) +} + +// divide performs x / y +func divide(args []interface{}) (interface{}, error) { + if len(args) != 2 { + return nil, fmt.Errorf("divide: accepts exactly 2 arguments; recieved %d", len(args)) + } + return mathDiv(args[0], args[1]) +} + +// modulo performs x % y +func modulo(args []interface{}) (interface{}, error) { + if len(args) != 2 { + return nil, fmt.Errorf("modulo: accepts exactly 2 arguments; recieved %d", len(args)) + } + return mathMod(args[0], args[1]) +} diff --git a/x-pack/elastic-agent/pkg/eql/methods_str.go b/x-pack/elastic-agent/pkg/eql/methods_str.go new file mode 100644 index 00000000000..781e193d924 --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/methods_str.go @@ -0,0 +1,186 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package eql + +import ( + "fmt" + "regexp" + "strconv" + "strings" +) + +// concat concatenates the arguments into a string +func concat(args []interface{}) (interface{}, error) { + var sb strings.Builder + for _, arg := range args { + sb.WriteString(toString(arg)) + } + return sb.String(), nil +} + +// endsWith returns true if the string ends with given suffix +func endsWith(args []interface{}) (interface{}, error) { + if len(args) != 2 { + return nil, fmt.Errorf("endsWith: accepts exactly 2 arguments; recieved %d", len(args)) + } + input, iOk := args[0].(string) + suffix, sOk := args[1].(string) + if !iOk || !sOk { + return nil, fmt.Errorf("endsWith: accepts exactly 2 string arguments; recieved %T and %T", args[0], args[1]) + } + return strings.HasSuffix(input, suffix), nil +} + +// indexOf returns the starting index of substring +func indexOf(args []interface{}) (interface{}, error) { + if len(args) < 2 || len(args) > 3 { + return nil, fmt.Errorf("indexOf: accepts 2-3 arguments; recieved %d", len(args)) + } + input, iOk := args[0].(string) + substring, sOk := args[1].(string) + if !iOk || !sOk { + return nil, fmt.Errorf("indexOf: argument 0 and 1 must be a string; recieved %T and %T", args[0], args[1]) + } + start := 0 + if len(args) > 2 { + s, sOk := args[2].(int) + if !sOk { + return nil, fmt.Errorf("indexOf: argument 2 must be a integer; recieved %T", args[2]) + } + start = s + } + return start + strings.Index(input[start:], substring), nil +} + +// match returns true if the string matches any of the provided regular expressions +func match(args []interface{}) (interface{}, error) { + if len(args) < 2 { + return nil, fmt.Errorf("match: accepts minimum of 2 arguments; recieved %d", len(args)) + } + input, iOk := args[0].(string) + if !iOk { + return nil, fmt.Errorf("match: argument 0 must be a string; recieved %T", args[0]) + } + for i, reg := range args[1:] { + switch r := reg.(type) { + case string: + exp, err := regexp.Compile(r) + if err != nil { + return nil, fmt.Errorf("match: failed to compile regexp: %s", err) + } + if exp.Match([]byte(input)) { + return true, nil + } + default: + return nil, fmt.Errorf("match: argument %d must be a string; recieved %T", i+1, reg) + } + } + return false, nil +} + +// number converts the string into a integer +func number(args []interface{}) (interface{}, error) { + if len(args) < 1 || len(args) > 2 { + return nil, fmt.Errorf("number: accepts between 1-2 arguments; recieved %d", len(args)) + } + input, iOk := args[0].(string) + if !iOk { + return nil, fmt.Errorf("number: argument 0 must be a string; recieved %T", args[0]) + } + base := 10 + if len(args) > 1 { + switch a := args[1].(type) { + case int: + base = a + default: + return nil, fmt.Errorf("number: argument 1 must be an integer; recieved %T", args[1]) + } + } + if strings.HasPrefix(input, "0x") { + input = input[2:] + } + n, err := strconv.ParseInt(input, base, 64) + if err != nil { + return nil, fmt.Errorf("number: failed to convert '%s' to integer", input) + } + return int(n), nil +} + +// startsWith returns true if the string starts with given prefix +func startsWith(args []interface{}) (interface{}, error) { + if len(args) != 2 { + return nil, fmt.Errorf("startsWith: accepts exactly 2 arguments; recieved %d", len(args)) + } + input, iOk := args[0].(string) + prefix, pOk := args[1].(string) + if !iOk || !pOk { + return nil, fmt.Errorf("startsWith: accepts exactly 2 string arguments; recieved %T and %T", args[0], args[1]) + } + return strings.HasPrefix(input, prefix), nil +} + +// str converts the argument into a string +func str(args []interface{}) (interface{}, error) { + if len(args) != 1 { + return nil, fmt.Errorf("string: accepts exactly 1 argument; recieved %d", len(args)) + } + return toString(args[0]), nil +} + +// stringContains returns true if the string contains substring +func stringContains(args []interface{}) (interface{}, error) { + if len(args) != 2 { + return nil, fmt.Errorf("stringContains: accepts exactly 2 arguments; recieved %d", len(args)) + } + input, iOk := args[0].(string) + substr, sOk := args[1].(string) + if !iOk || !sOk { + return nil, fmt.Errorf("stringContains: accepts exactly 2 string arguments; recieved %T and %T", args[0], args[1]) + } + return strings.Contains(input, substr), nil +} + +func toString(arg interface{}) string { + switch a := arg.(type) { + case *null: + return "null" + case string: + return a + case int: + return strconv.Itoa(a) + case float64: + return strconv.FormatFloat(a, 'E', -1, 64) + case bool: + return strconv.FormatBool(a) + case []interface{}: + var sb strings.Builder + sb.WriteString("[") + for idx, item := range a { + sb.WriteString(toString(item)) + if idx < len(a)-1 { + sb.WriteString(",") + } + } + sb.WriteString("]") + return sb.String() + case map[string]interface{}: + var sb strings.Builder + sb.WriteString("{") + idx := 0 + for k, v := range a { + sb.WriteString(k) + sb.WriteString(":") + sb.WriteString(toString(v)) + if idx < len(a)-1 { + sb.WriteString(",") + } + idx++ + } + sb.WriteString("}") + return sb.String() + default: + return fmt.Sprintf("%s", a) + } +} diff --git a/x-pack/elastic-agent/pkg/eql/parser/Eql.interp b/x-pack/elastic-agent/pkg/eql/parser/Eql.interp new file mode 100644 index 00000000000..08538b25565 --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/parser/Eql.interp @@ -0,0 +1,87 @@ +token literal names: +null +'|' +',' +':' +'==' +'!=' +'>' +'<' +'>=' +'<=' +'+' +'-' +'*' +'/' +'%' +null +null +null +null +null +null +null +null +null +null +null +null +'(' +')' +'[' +']' +'{' +'}' +'${' + +token symbolic names: +null +null +null +null +EQ +NEQ +GT +LT +GTE +LTE +ADD +SUB +MUL +DIV +MOD +AND +OR +TRUE +FALSE +FLOAT +NUMBER +WHITESPACE +NOT +NAME +VNAME +STEXT +DTEXT +LPAR +RPAR +LARR +RARR +LDICT +RDICT +BEGIN_VARIABLE + +rule names: +expList +boolean +constant +variable +variableExp +exp +arguments +array +key +dict + + +atn: +[3, 24715, 42794, 33075, 47597, 16764, 15335, 30598, 22884, 3, 35, 144, 4, 2, 9, 2, 4, 3, 9, 3, 4, 4, 9, 4, 4, 5, 9, 5, 4, 6, 9, 6, 4, 7, 9, 7, 4, 8, 9, 8, 4, 9, 9, 9, 4, 10, 9, 10, 4, 11, 9, 11, 3, 2, 3, 2, 3, 2, 3, 3, 3, 3, 3, 4, 3, 4, 3, 4, 3, 4, 3, 4, 5, 4, 33, 10, 4, 3, 5, 3, 5, 3, 5, 5, 5, 38, 10, 5, 3, 6, 3, 6, 3, 6, 7, 6, 43, 10, 6, 12, 6, 14, 6, 46, 11, 6, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 5, 7, 63, 10, 7, 3, 7, 3, 7, 3, 7, 5, 7, 68, 10, 7, 3, 7, 3, 7, 3, 7, 5, 7, 73, 10, 7, 3, 7, 3, 7, 3, 7, 3, 7, 5, 7, 79, 10, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 7, 7, 111, 10, 7, 12, 7, 14, 7, 114, 11, 7, 3, 8, 3, 8, 3, 8, 7, 8, 119, 10, 8, 12, 8, 14, 8, 122, 11, 8, 3, 9, 3, 9, 3, 9, 7, 9, 127, 10, 9, 12, 9, 14, 9, 130, 11, 9, 3, 10, 3, 10, 3, 10, 3, 10, 3, 11, 3, 11, 3, 11, 7, 11, 139, 10, 11, 12, 11, 14, 11, 142, 11, 11, 3, 11, 2, 3, 12, 12, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 2, 7, 3, 2, 19, 20, 3, 2, 27, 28, 3, 2, 14, 16, 3, 2, 12, 13, 4, 2, 25, 25, 27, 28, 2, 165, 2, 22, 3, 2, 2, 2, 4, 25, 3, 2, 2, 2, 6, 32, 3, 2, 2, 2, 8, 37, 3, 2, 2, 2, 10, 39, 3, 2, 2, 2, 12, 78, 3, 2, 2, 2, 14, 115, 3, 2, 2, 2, 16, 123, 3, 2, 2, 2, 18, 131, 3, 2, 2, 2, 20, 135, 3, 2, 2, 2, 22, 23, 5, 12, 7, 2, 23, 24, 7, 2, 2, 3, 24, 3, 3, 2, 2, 2, 25, 26, 9, 2, 2, 2, 26, 5, 3, 2, 2, 2, 27, 33, 7, 27, 2, 2, 28, 33, 7, 28, 2, 2, 29, 33, 7, 21, 2, 2, 30, 33, 7, 22, 2, 2, 31, 33, 5, 4, 3, 2, 32, 27, 3, 2, 2, 2, 32, 28, 3, 2, 2, 2, 32, 29, 3, 2, 2, 2, 32, 30, 3, 2, 2, 2, 32, 31, 3, 2, 2, 2, 33, 7, 3, 2, 2, 2, 34, 38, 7, 25, 2, 2, 35, 38, 7, 26, 2, 2, 36, 38, 5, 6, 4, 2, 37, 34, 3, 2, 2, 2, 37, 35, 3, 2, 2, 2, 37, 36, 3, 2, 2, 2, 38, 9, 3, 2, 2, 2, 39, 44, 5, 8, 5, 2, 40, 41, 7, 3, 2, 2, 41, 43, 5, 8, 5, 2, 42, 40, 3, 2, 2, 2, 43, 46, 3, 2, 2, 2, 44, 42, 3, 2, 2, 2, 44, 45, 3, 2, 2, 2, 45, 11, 3, 2, 2, 2, 46, 44, 3, 2, 2, 2, 47, 48, 8, 7, 1, 2, 48, 49, 7, 29, 2, 2, 49, 50, 5, 12, 7, 2, 50, 51, 7, 30, 2, 2, 51, 79, 3, 2, 2, 2, 52, 53, 7, 24, 2, 2, 53, 79, 5, 12, 7, 19, 54, 79, 5, 4, 3, 2, 55, 56, 7, 35, 2, 2, 56, 57, 5, 10, 6, 2, 57, 58, 7, 34, 2, 2, 58, 79, 3, 2, 2, 2, 59, 60, 7, 25, 2, 2, 60, 62, 7, 29, 2, 2, 61, 63, 5, 14, 8, 2, 62, 61, 3, 2, 2, 2, 62, 63, 3, 2, 2, 2, 63, 64, 3, 2, 2, 2, 64, 79, 7, 30, 2, 2, 65, 67, 7, 31, 2, 2, 66, 68, 5, 16, 9, 2, 67, 66, 3, 2, 2, 2, 67, 68, 3, 2, 2, 2, 68, 69, 3, 2, 2, 2, 69, 79, 7, 32, 2, 2, 70, 72, 7, 33, 2, 2, 71, 73, 5, 20, 11, 2, 72, 71, 3, 2, 2, 2, 72, 73, 3, 2, 2, 2, 73, 74, 3, 2, 2, 2, 74, 79, 7, 34, 2, 2, 75, 79, 9, 3, 2, 2, 76, 79, 7, 21, 2, 2, 77, 79, 7, 22, 2, 2, 78, 47, 3, 2, 2, 2, 78, 52, 3, 2, 2, 2, 78, 54, 3, 2, 2, 2, 78, 55, 3, 2, 2, 2, 78, 59, 3, 2, 2, 2, 78, 65, 3, 2, 2, 2, 78, 70, 3, 2, 2, 2, 78, 75, 3, 2, 2, 2, 78, 76, 3, 2, 2, 2, 78, 77, 3, 2, 2, 2, 79, 112, 3, 2, 2, 2, 80, 81, 12, 21, 2, 2, 81, 82, 9, 4, 2, 2, 82, 111, 5, 12, 7, 22, 83, 84, 12, 20, 2, 2, 84, 85, 9, 5, 2, 2, 85, 111, 5, 12, 7, 21, 86, 87, 12, 18, 2, 2, 87, 88, 7, 6, 2, 2, 88, 111, 5, 12, 7, 19, 89, 90, 12, 17, 2, 2, 90, 91, 7, 7, 2, 2, 91, 111, 5, 12, 7, 18, 92, 93, 12, 16, 2, 2, 93, 94, 7, 11, 2, 2, 94, 111, 5, 12, 7, 17, 95, 96, 12, 15, 2, 2, 96, 97, 7, 10, 2, 2, 97, 111, 5, 12, 7, 16, 98, 99, 12, 14, 2, 2, 99, 100, 7, 9, 2, 2, 100, 111, 5, 12, 7, 15, 101, 102, 12, 13, 2, 2, 102, 103, 7, 8, 2, 2, 103, 111, 5, 12, 7, 14, 104, 105, 12, 12, 2, 2, 105, 106, 7, 17, 2, 2, 106, 111, 5, 12, 7, 13, 107, 108, 12, 11, 2, 2, 108, 109, 7, 18, 2, 2, 109, 111, 5, 12, 7, 12, 110, 80, 3, 2, 2, 2, 110, 83, 3, 2, 2, 2, 110, 86, 3, 2, 2, 2, 110, 89, 3, 2, 2, 2, 110, 92, 3, 2, 2, 2, 110, 95, 3, 2, 2, 2, 110, 98, 3, 2, 2, 2, 110, 101, 3, 2, 2, 2, 110, 104, 3, 2, 2, 2, 110, 107, 3, 2, 2, 2, 111, 114, 3, 2, 2, 2, 112, 110, 3, 2, 2, 2, 112, 113, 3, 2, 2, 2, 113, 13, 3, 2, 2, 2, 114, 112, 3, 2, 2, 2, 115, 120, 5, 12, 7, 2, 116, 117, 7, 4, 2, 2, 117, 119, 5, 12, 7, 2, 118, 116, 3, 2, 2, 2, 119, 122, 3, 2, 2, 2, 120, 118, 3, 2, 2, 2, 120, 121, 3, 2, 2, 2, 121, 15, 3, 2, 2, 2, 122, 120, 3, 2, 2, 2, 123, 128, 5, 6, 4, 2, 124, 125, 7, 4, 2, 2, 125, 127, 5, 6, 4, 2, 126, 124, 3, 2, 2, 2, 127, 130, 3, 2, 2, 2, 128, 126, 3, 2, 2, 2, 128, 129, 3, 2, 2, 2, 129, 17, 3, 2, 2, 2, 130, 128, 3, 2, 2, 2, 131, 132, 9, 6, 2, 2, 132, 133, 7, 5, 2, 2, 133, 134, 5, 6, 4, 2, 134, 19, 3, 2, 2, 2, 135, 140, 5, 18, 10, 2, 136, 137, 7, 4, 2, 2, 137, 139, 5, 18, 10, 2, 138, 136, 3, 2, 2, 2, 139, 142, 3, 2, 2, 2, 140, 138, 3, 2, 2, 2, 140, 141, 3, 2, 2, 2, 141, 21, 3, 2, 2, 2, 142, 140, 3, 2, 2, 2, 14, 32, 37, 44, 62, 67, 72, 78, 110, 112, 120, 128, 140] \ No newline at end of file diff --git a/x-pack/elastic-agent/pkg/eql/parser/Eql.tokens b/x-pack/elastic-agent/pkg/eql/parser/Eql.tokens new file mode 100644 index 00000000000..80081750b0b --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/parser/Eql.tokens @@ -0,0 +1,54 @@ +T__0=1 +T__1=2 +T__2=3 +EQ=4 +NEQ=5 +GT=6 +LT=7 +GTE=8 +LTE=9 +ADD=10 +SUB=11 +MUL=12 +DIV=13 +MOD=14 +AND=15 +OR=16 +TRUE=17 +FALSE=18 +FLOAT=19 +NUMBER=20 +WHITESPACE=21 +NOT=22 +NAME=23 +VNAME=24 +STEXT=25 +DTEXT=26 +LPAR=27 +RPAR=28 +LARR=29 +RARR=30 +LDICT=31 +RDICT=32 +BEGIN_VARIABLE=33 +'|'=1 +','=2 +':'=3 +'=='=4 +'!='=5 +'>'=6 +'<'=7 +'>='=8 +'<='=9 +'+'=10 +'-'=11 +'*'=12 +'/'=13 +'%'=14 +'('=27 +')'=28 +'['=29 +']'=30 +'{'=31 +'}'=32 +'${'=33 diff --git a/x-pack/elastic-agent/pkg/eql/parser/EqlLexer.interp b/x-pack/elastic-agent/pkg/eql/parser/EqlLexer.interp new file mode 100644 index 00000000000..2131aba8177 --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/parser/EqlLexer.interp @@ -0,0 +1,116 @@ +token literal names: +null +'|' +',' +':' +'==' +'!=' +'>' +'<' +'>=' +'<=' +'+' +'-' +'*' +'/' +'%' +null +null +null +null +null +null +null +null +null +null +null +null +'(' +')' +'[' +']' +'{' +'}' +'${' + +token symbolic names: +null +null +null +null +EQ +NEQ +GT +LT +GTE +LTE +ADD +SUB +MUL +DIV +MOD +AND +OR +TRUE +FALSE +FLOAT +NUMBER +WHITESPACE +NOT +NAME +VNAME +STEXT +DTEXT +LPAR +RPAR +LARR +RARR +LDICT +RDICT +BEGIN_VARIABLE + +rule names: +T__0 +T__1 +T__2 +EQ +NEQ +GT +LT +GTE +LTE +ADD +SUB +MUL +DIV +MOD +AND +OR +TRUE +FALSE +FLOAT +NUMBER +WHITESPACE +NOT +NAME +VNAME +STEXT +DTEXT +LPAR +RPAR +LARR +RARR +LDICT +RDICT +BEGIN_VARIABLE + +channel names: +DEFAULT_TOKEN_CHANNEL +HIDDEN + +mode names: +DEFAULT_MODE + +atn: +[3, 24715, 42794, 33075, 47597, 16764, 15335, 30598, 22884, 2, 35, 230, 8, 1, 4, 2, 9, 2, 4, 3, 9, 3, 4, 4, 9, 4, 4, 5, 9, 5, 4, 6, 9, 6, 4, 7, 9, 7, 4, 8, 9, 8, 4, 9, 9, 9, 4, 10, 9, 10, 4, 11, 9, 11, 4, 12, 9, 12, 4, 13, 9, 13, 4, 14, 9, 14, 4, 15, 9, 15, 4, 16, 9, 16, 4, 17, 9, 17, 4, 18, 9, 18, 4, 19, 9, 19, 4, 20, 9, 20, 4, 21, 9, 21, 4, 22, 9, 22, 4, 23, 9, 23, 4, 24, 9, 24, 4, 25, 9, 25, 4, 26, 9, 26, 4, 27, 9, 27, 4, 28, 9, 28, 4, 29, 9, 29, 4, 30, 9, 30, 4, 31, 9, 31, 4, 32, 9, 32, 4, 33, 9, 33, 4, 34, 9, 34, 3, 2, 3, 2, 3, 3, 3, 3, 3, 4, 3, 4, 3, 5, 3, 5, 3, 5, 3, 6, 3, 6, 3, 6, 3, 7, 3, 7, 3, 8, 3, 8, 3, 9, 3, 9, 3, 9, 3, 10, 3, 10, 3, 10, 3, 11, 3, 11, 3, 12, 3, 12, 3, 13, 3, 13, 3, 14, 3, 14, 3, 15, 3, 15, 3, 16, 3, 16, 3, 16, 3, 16, 3, 16, 3, 16, 5, 16, 108, 10, 16, 3, 17, 3, 17, 3, 17, 3, 17, 5, 17, 114, 10, 17, 3, 18, 3, 18, 3, 18, 3, 18, 3, 18, 3, 18, 3, 18, 3, 18, 5, 18, 124, 10, 18, 3, 19, 3, 19, 3, 19, 3, 19, 3, 19, 3, 19, 3, 19, 3, 19, 3, 19, 3, 19, 5, 19, 136, 10, 19, 3, 20, 5, 20, 139, 10, 20, 3, 20, 6, 20, 142, 10, 20, 13, 20, 14, 20, 143, 3, 20, 3, 20, 6, 20, 148, 10, 20, 13, 20, 14, 20, 149, 3, 21, 5, 21, 153, 10, 21, 3, 21, 6, 21, 156, 10, 21, 13, 21, 14, 21, 157, 3, 22, 6, 22, 161, 10, 22, 13, 22, 14, 22, 162, 3, 22, 3, 22, 3, 23, 3, 23, 3, 23, 3, 23, 3, 23, 3, 23, 5, 23, 173, 10, 23, 3, 24, 3, 24, 7, 24, 177, 10, 24, 12, 24, 14, 24, 180, 11, 24, 3, 25, 6, 25, 183, 10, 25, 13, 25, 14, 25, 184, 3, 25, 3, 25, 6, 25, 189, 10, 25, 13, 25, 14, 25, 190, 7, 25, 193, 10, 25, 12, 25, 14, 25, 196, 11, 25, 3, 26, 3, 26, 7, 26, 200, 10, 26, 12, 26, 14, 26, 203, 11, 26, 3, 26, 3, 26, 3, 27, 3, 27, 7, 27, 209, 10, 27, 12, 27, 14, 27, 212, 11, 27, 3, 27, 3, 27, 3, 28, 3, 28, 3, 29, 3, 29, 3, 30, 3, 30, 3, 31, 3, 31, 3, 32, 3, 32, 3, 33, 3, 33, 3, 34, 3, 34, 3, 34, 2, 2, 35, 3, 3, 5, 4, 7, 5, 9, 6, 11, 7, 13, 8, 15, 9, 17, 10, 19, 11, 21, 12, 23, 13, 25, 14, 27, 15, 29, 16, 31, 17, 33, 18, 35, 19, 37, 20, 39, 21, 41, 22, 43, 23, 45, 24, 47, 25, 49, 26, 51, 27, 53, 28, 55, 29, 57, 30, 59, 31, 61, 32, 63, 33, 65, 34, 67, 35, 3, 2, 10, 3, 2, 47, 47, 3, 2, 50, 59, 5, 2, 11, 12, 15, 15, 34, 34, 5, 2, 67, 92, 97, 97, 99, 124, 6, 2, 50, 59, 67, 92, 97, 97, 99, 124, 7, 2, 48, 48, 50, 59, 67, 92, 97, 97, 99, 124, 5, 2, 12, 12, 15, 15, 41, 41, 5, 2, 12, 12, 15, 15, 36, 36, 2, 246, 2, 3, 3, 2, 2, 2, 2, 5, 3, 2, 2, 2, 2, 7, 3, 2, 2, 2, 2, 9, 3, 2, 2, 2, 2, 11, 3, 2, 2, 2, 2, 13, 3, 2, 2, 2, 2, 15, 3, 2, 2, 2, 2, 17, 3, 2, 2, 2, 2, 19, 3, 2, 2, 2, 2, 21, 3, 2, 2, 2, 2, 23, 3, 2, 2, 2, 2, 25, 3, 2, 2, 2, 2, 27, 3, 2, 2, 2, 2, 29, 3, 2, 2, 2, 2, 31, 3, 2, 2, 2, 2, 33, 3, 2, 2, 2, 2, 35, 3, 2, 2, 2, 2, 37, 3, 2, 2, 2, 2, 39, 3, 2, 2, 2, 2, 41, 3, 2, 2, 2, 2, 43, 3, 2, 2, 2, 2, 45, 3, 2, 2, 2, 2, 47, 3, 2, 2, 2, 2, 49, 3, 2, 2, 2, 2, 51, 3, 2, 2, 2, 2, 53, 3, 2, 2, 2, 2, 55, 3, 2, 2, 2, 2, 57, 3, 2, 2, 2, 2, 59, 3, 2, 2, 2, 2, 61, 3, 2, 2, 2, 2, 63, 3, 2, 2, 2, 2, 65, 3, 2, 2, 2, 2, 67, 3, 2, 2, 2, 3, 69, 3, 2, 2, 2, 5, 71, 3, 2, 2, 2, 7, 73, 3, 2, 2, 2, 9, 75, 3, 2, 2, 2, 11, 78, 3, 2, 2, 2, 13, 81, 3, 2, 2, 2, 15, 83, 3, 2, 2, 2, 17, 85, 3, 2, 2, 2, 19, 88, 3, 2, 2, 2, 21, 91, 3, 2, 2, 2, 23, 93, 3, 2, 2, 2, 25, 95, 3, 2, 2, 2, 27, 97, 3, 2, 2, 2, 29, 99, 3, 2, 2, 2, 31, 107, 3, 2, 2, 2, 33, 113, 3, 2, 2, 2, 35, 123, 3, 2, 2, 2, 37, 135, 3, 2, 2, 2, 39, 138, 3, 2, 2, 2, 41, 152, 3, 2, 2, 2, 43, 160, 3, 2, 2, 2, 45, 172, 3, 2, 2, 2, 47, 174, 3, 2, 2, 2, 49, 182, 3, 2, 2, 2, 51, 197, 3, 2, 2, 2, 53, 206, 3, 2, 2, 2, 55, 215, 3, 2, 2, 2, 57, 217, 3, 2, 2, 2, 59, 219, 3, 2, 2, 2, 61, 221, 3, 2, 2, 2, 63, 223, 3, 2, 2, 2, 65, 225, 3, 2, 2, 2, 67, 227, 3, 2, 2, 2, 69, 70, 7, 126, 2, 2, 70, 4, 3, 2, 2, 2, 71, 72, 7, 46, 2, 2, 72, 6, 3, 2, 2, 2, 73, 74, 7, 60, 2, 2, 74, 8, 3, 2, 2, 2, 75, 76, 7, 63, 2, 2, 76, 77, 7, 63, 2, 2, 77, 10, 3, 2, 2, 2, 78, 79, 7, 35, 2, 2, 79, 80, 7, 63, 2, 2, 80, 12, 3, 2, 2, 2, 81, 82, 7, 64, 2, 2, 82, 14, 3, 2, 2, 2, 83, 84, 7, 62, 2, 2, 84, 16, 3, 2, 2, 2, 85, 86, 7, 64, 2, 2, 86, 87, 7, 63, 2, 2, 87, 18, 3, 2, 2, 2, 88, 89, 7, 62, 2, 2, 89, 90, 7, 63, 2, 2, 90, 20, 3, 2, 2, 2, 91, 92, 7, 45, 2, 2, 92, 22, 3, 2, 2, 2, 93, 94, 7, 47, 2, 2, 94, 24, 3, 2, 2, 2, 95, 96, 7, 44, 2, 2, 96, 26, 3, 2, 2, 2, 97, 98, 7, 49, 2, 2, 98, 28, 3, 2, 2, 2, 99, 100, 7, 39, 2, 2, 100, 30, 3, 2, 2, 2, 101, 102, 7, 99, 2, 2, 102, 103, 7, 112, 2, 2, 103, 108, 7, 102, 2, 2, 104, 105, 7, 67, 2, 2, 105, 106, 7, 80, 2, 2, 106, 108, 7, 70, 2, 2, 107, 101, 3, 2, 2, 2, 107, 104, 3, 2, 2, 2, 108, 32, 3, 2, 2, 2, 109, 110, 7, 113, 2, 2, 110, 114, 7, 116, 2, 2, 111, 112, 7, 81, 2, 2, 112, 114, 7, 84, 2, 2, 113, 109, 3, 2, 2, 2, 113, 111, 3, 2, 2, 2, 114, 34, 3, 2, 2, 2, 115, 116, 7, 118, 2, 2, 116, 117, 7, 116, 2, 2, 117, 118, 7, 119, 2, 2, 118, 124, 7, 103, 2, 2, 119, 120, 7, 86, 2, 2, 120, 121, 7, 84, 2, 2, 121, 122, 7, 87, 2, 2, 122, 124, 7, 71, 2, 2, 123, 115, 3, 2, 2, 2, 123, 119, 3, 2, 2, 2, 124, 36, 3, 2, 2, 2, 125, 126, 7, 104, 2, 2, 126, 127, 7, 99, 2, 2, 127, 128, 7, 110, 2, 2, 128, 129, 7, 117, 2, 2, 129, 136, 7, 103, 2, 2, 130, 131, 7, 72, 2, 2, 131, 132, 7, 67, 2, 2, 132, 133, 7, 78, 2, 2, 133, 134, 7, 85, 2, 2, 134, 136, 7, 71, 2, 2, 135, 125, 3, 2, 2, 2, 135, 130, 3, 2, 2, 2, 136, 38, 3, 2, 2, 2, 137, 139, 9, 2, 2, 2, 138, 137, 3, 2, 2, 2, 138, 139, 3, 2, 2, 2, 139, 141, 3, 2, 2, 2, 140, 142, 9, 3, 2, 2, 141, 140, 3, 2, 2, 2, 142, 143, 3, 2, 2, 2, 143, 141, 3, 2, 2, 2, 143, 144, 3, 2, 2, 2, 144, 145, 3, 2, 2, 2, 145, 147, 7, 48, 2, 2, 146, 148, 9, 3, 2, 2, 147, 146, 3, 2, 2, 2, 148, 149, 3, 2, 2, 2, 149, 147, 3, 2, 2, 2, 149, 150, 3, 2, 2, 2, 150, 40, 3, 2, 2, 2, 151, 153, 9, 2, 2, 2, 152, 151, 3, 2, 2, 2, 152, 153, 3, 2, 2, 2, 153, 155, 3, 2, 2, 2, 154, 156, 9, 3, 2, 2, 155, 154, 3, 2, 2, 2, 156, 157, 3, 2, 2, 2, 157, 155, 3, 2, 2, 2, 157, 158, 3, 2, 2, 2, 158, 42, 3, 2, 2, 2, 159, 161, 9, 4, 2, 2, 160, 159, 3, 2, 2, 2, 161, 162, 3, 2, 2, 2, 162, 160, 3, 2, 2, 2, 162, 163, 3, 2, 2, 2, 163, 164, 3, 2, 2, 2, 164, 165, 8, 22, 2, 2, 165, 44, 3, 2, 2, 2, 166, 167, 7, 80, 2, 2, 167, 168, 7, 81, 2, 2, 168, 173, 7, 86, 2, 2, 169, 170, 7, 112, 2, 2, 170, 171, 7, 113, 2, 2, 171, 173, 7, 118, 2, 2, 172, 166, 3, 2, 2, 2, 172, 169, 3, 2, 2, 2, 173, 46, 3, 2, 2, 2, 174, 178, 9, 5, 2, 2, 175, 177, 9, 6, 2, 2, 176, 175, 3, 2, 2, 2, 177, 180, 3, 2, 2, 2, 178, 176, 3, 2, 2, 2, 178, 179, 3, 2, 2, 2, 179, 48, 3, 2, 2, 2, 180, 178, 3, 2, 2, 2, 181, 183, 9, 7, 2, 2, 182, 181, 3, 2, 2, 2, 183, 184, 3, 2, 2, 2, 184, 182, 3, 2, 2, 2, 184, 185, 3, 2, 2, 2, 185, 194, 3, 2, 2, 2, 186, 188, 7, 48, 2, 2, 187, 189, 9, 6, 2, 2, 188, 187, 3, 2, 2, 2, 189, 190, 3, 2, 2, 2, 190, 188, 3, 2, 2, 2, 190, 191, 3, 2, 2, 2, 191, 193, 3, 2, 2, 2, 192, 186, 3, 2, 2, 2, 193, 196, 3, 2, 2, 2, 194, 192, 3, 2, 2, 2, 194, 195, 3, 2, 2, 2, 195, 50, 3, 2, 2, 2, 196, 194, 3, 2, 2, 2, 197, 201, 7, 41, 2, 2, 198, 200, 10, 8, 2, 2, 199, 198, 3, 2, 2, 2, 200, 203, 3, 2, 2, 2, 201, 199, 3, 2, 2, 2, 201, 202, 3, 2, 2, 2, 202, 204, 3, 2, 2, 2, 203, 201, 3, 2, 2, 2, 204, 205, 7, 41, 2, 2, 205, 52, 3, 2, 2, 2, 206, 210, 7, 36, 2, 2, 207, 209, 10, 9, 2, 2, 208, 207, 3, 2, 2, 2, 209, 212, 3, 2, 2, 2, 210, 208, 3, 2, 2, 2, 210, 211, 3, 2, 2, 2, 211, 213, 3, 2, 2, 2, 212, 210, 3, 2, 2, 2, 213, 214, 7, 36, 2, 2, 214, 54, 3, 2, 2, 2, 215, 216, 7, 42, 2, 2, 216, 56, 3, 2, 2, 2, 217, 218, 7, 43, 2, 2, 218, 58, 3, 2, 2, 2, 219, 220, 7, 93, 2, 2, 220, 60, 3, 2, 2, 2, 221, 222, 7, 95, 2, 2, 222, 62, 3, 2, 2, 2, 223, 224, 7, 125, 2, 2, 224, 64, 3, 2, 2, 2, 225, 226, 7, 127, 2, 2, 226, 66, 3, 2, 2, 2, 227, 228, 7, 38, 2, 2, 228, 229, 7, 125, 2, 2, 229, 68, 3, 2, 2, 2, 20, 2, 107, 113, 123, 135, 138, 143, 149, 152, 157, 162, 172, 178, 184, 190, 194, 201, 210, 3, 8, 2, 2] \ No newline at end of file diff --git a/x-pack/elastic-agent/pkg/eql/parser/EqlLexer.tokens b/x-pack/elastic-agent/pkg/eql/parser/EqlLexer.tokens new file mode 100644 index 00000000000..80081750b0b --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/parser/EqlLexer.tokens @@ -0,0 +1,54 @@ +T__0=1 +T__1=2 +T__2=3 +EQ=4 +NEQ=5 +GT=6 +LT=7 +GTE=8 +LTE=9 +ADD=10 +SUB=11 +MUL=12 +DIV=13 +MOD=14 +AND=15 +OR=16 +TRUE=17 +FALSE=18 +FLOAT=19 +NUMBER=20 +WHITESPACE=21 +NOT=22 +NAME=23 +VNAME=24 +STEXT=25 +DTEXT=26 +LPAR=27 +RPAR=28 +LARR=29 +RARR=30 +LDICT=31 +RDICT=32 +BEGIN_VARIABLE=33 +'|'=1 +','=2 +':'=3 +'=='=4 +'!='=5 +'>'=6 +'<'=7 +'>='=8 +'<='=9 +'+'=10 +'-'=11 +'*'=12 +'/'=13 +'%'=14 +'('=27 +')'=28 +'['=29 +']'=30 +'{'=31 +'}'=32 +'${'=33 diff --git a/x-pack/elastic-agent/pkg/eql/parser/eql_base_listener.go b/x-pack/elastic-agent/pkg/eql/parser/eql_base_listener.go new file mode 100644 index 00000000000..1ceadb12562 --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/parser/eql_base_listener.go @@ -0,0 +1,200 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated from Eql.g4 by ANTLR 4.7.1. DO NOT EDIT. + +package parser // Eql + +import "github.com/antlr/antlr4/runtime/Go/antlr" + +// BaseEqlListener is a complete listener for a parse tree produced by EqlParser. +type BaseEqlListener struct{} + +var _ EqlListener = &BaseEqlListener{} + +// VisitTerminal is called when a terminal node is visited. +func (s *BaseEqlListener) VisitTerminal(node antlr.TerminalNode) {} + +// VisitErrorNode is called when an error node is visited. +func (s *BaseEqlListener) VisitErrorNode(node antlr.ErrorNode) {} + +// EnterEveryRule is called when any rule is entered. +func (s *BaseEqlListener) EnterEveryRule(ctx antlr.ParserRuleContext) {} + +// ExitEveryRule is called when any rule is exited. +func (s *BaseEqlListener) ExitEveryRule(ctx antlr.ParserRuleContext) {} + +// EnterExpList is called when production expList is entered. +func (s *BaseEqlListener) EnterExpList(ctx *ExpListContext) {} + +// ExitExpList is called when production expList is exited. +func (s *BaseEqlListener) ExitExpList(ctx *ExpListContext) {} + +// EnterBoolean is called when production boolean is entered. +func (s *BaseEqlListener) EnterBoolean(ctx *BooleanContext) {} + +// ExitBoolean is called when production boolean is exited. +func (s *BaseEqlListener) ExitBoolean(ctx *BooleanContext) {} + +// EnterConstant is called when production constant is entered. +func (s *BaseEqlListener) EnterConstant(ctx *ConstantContext) {} + +// ExitConstant is called when production constant is exited. +func (s *BaseEqlListener) ExitConstant(ctx *ConstantContext) {} + +// EnterVariable is called when production variable is entered. +func (s *BaseEqlListener) EnterVariable(ctx *VariableContext) {} + +// ExitVariable is called when production variable is exited. +func (s *BaseEqlListener) ExitVariable(ctx *VariableContext) {} + +// EnterVariableExp is called when production variableExp is entered. +func (s *BaseEqlListener) EnterVariableExp(ctx *VariableExpContext) {} + +// ExitVariableExp is called when production variableExp is exited. +func (s *BaseEqlListener) ExitVariableExp(ctx *VariableExpContext) {} + +// EnterExpArithmeticNEQ is called when production ExpArithmeticNEQ is entered. +func (s *BaseEqlListener) EnterExpArithmeticNEQ(ctx *ExpArithmeticNEQContext) {} + +// ExitExpArithmeticNEQ is called when production ExpArithmeticNEQ is exited. +func (s *BaseEqlListener) ExitExpArithmeticNEQ(ctx *ExpArithmeticNEQContext) {} + +// EnterExpArithmeticEQ is called when production ExpArithmeticEQ is entered. +func (s *BaseEqlListener) EnterExpArithmeticEQ(ctx *ExpArithmeticEQContext) {} + +// ExitExpArithmeticEQ is called when production ExpArithmeticEQ is exited. +func (s *BaseEqlListener) ExitExpArithmeticEQ(ctx *ExpArithmeticEQContext) {} + +// EnterExpArithmeticGTE is called when production ExpArithmeticGTE is entered. +func (s *BaseEqlListener) EnterExpArithmeticGTE(ctx *ExpArithmeticGTEContext) {} + +// ExitExpArithmeticGTE is called when production ExpArithmeticGTE is exited. +func (s *BaseEqlListener) ExitExpArithmeticGTE(ctx *ExpArithmeticGTEContext) {} + +// EnterExpArithmeticLTE is called when production ExpArithmeticLTE is entered. +func (s *BaseEqlListener) EnterExpArithmeticLTE(ctx *ExpArithmeticLTEContext) {} + +// ExitExpArithmeticLTE is called when production ExpArithmeticLTE is exited. +func (s *BaseEqlListener) ExitExpArithmeticLTE(ctx *ExpArithmeticLTEContext) {} + +// EnterExpArithmeticGT is called when production ExpArithmeticGT is entered. +func (s *BaseEqlListener) EnterExpArithmeticGT(ctx *ExpArithmeticGTContext) {} + +// ExitExpArithmeticGT is called when production ExpArithmeticGT is exited. +func (s *BaseEqlListener) ExitExpArithmeticGT(ctx *ExpArithmeticGTContext) {} + +// EnterExpArithmeticMulDivMod is called when production ExpArithmeticMulDivMod is entered. +func (s *BaseEqlListener) EnterExpArithmeticMulDivMod(ctx *ExpArithmeticMulDivModContext) {} + +// ExitExpArithmeticMulDivMod is called when production ExpArithmeticMulDivMod is exited. +func (s *BaseEqlListener) ExitExpArithmeticMulDivMod(ctx *ExpArithmeticMulDivModContext) {} + +// EnterExpDict is called when production ExpDict is entered. +func (s *BaseEqlListener) EnterExpDict(ctx *ExpDictContext) {} + +// ExitExpDict is called when production ExpDict is exited. +func (s *BaseEqlListener) ExitExpDict(ctx *ExpDictContext) {} + +// EnterExpText is called when production ExpText is entered. +func (s *BaseEqlListener) EnterExpText(ctx *ExpTextContext) {} + +// ExitExpText is called when production ExpText is exited. +func (s *BaseEqlListener) ExitExpText(ctx *ExpTextContext) {} + +// EnterExpNumber is called when production ExpNumber is entered. +func (s *BaseEqlListener) EnterExpNumber(ctx *ExpNumberContext) {} + +// ExitExpNumber is called when production ExpNumber is exited. +func (s *BaseEqlListener) ExitExpNumber(ctx *ExpNumberContext) {} + +// EnterExpLogicalAnd is called when production ExpLogicalAnd is entered. +func (s *BaseEqlListener) EnterExpLogicalAnd(ctx *ExpLogicalAndContext) {} + +// ExitExpLogicalAnd is called when production ExpLogicalAnd is exited. +func (s *BaseEqlListener) ExitExpLogicalAnd(ctx *ExpLogicalAndContext) {} + +// EnterExpLogicalOR is called when production ExpLogicalOR is entered. +func (s *BaseEqlListener) EnterExpLogicalOR(ctx *ExpLogicalORContext) {} + +// ExitExpLogicalOR is called when production ExpLogicalOR is exited. +func (s *BaseEqlListener) ExitExpLogicalOR(ctx *ExpLogicalORContext) {} + +// EnterExpFloat is called when production ExpFloat is entered. +func (s *BaseEqlListener) EnterExpFloat(ctx *ExpFloatContext) {} + +// ExitExpFloat is called when production ExpFloat is exited. +func (s *BaseEqlListener) ExitExpFloat(ctx *ExpFloatContext) {} + +// EnterExpVariable is called when production ExpVariable is entered. +func (s *BaseEqlListener) EnterExpVariable(ctx *ExpVariableContext) {} + +// ExitExpVariable is called when production ExpVariable is exited. +func (s *BaseEqlListener) ExitExpVariable(ctx *ExpVariableContext) {} + +// EnterExpArray is called when production ExpArray is entered. +func (s *BaseEqlListener) EnterExpArray(ctx *ExpArrayContext) {} + +// ExitExpArray is called when production ExpArray is exited. +func (s *BaseEqlListener) ExitExpArray(ctx *ExpArrayContext) {} + +// EnterExpNot is called when production ExpNot is entered. +func (s *BaseEqlListener) EnterExpNot(ctx *ExpNotContext) {} + +// ExitExpNot is called when production ExpNot is exited. +func (s *BaseEqlListener) ExitExpNot(ctx *ExpNotContext) {} + +// EnterExpInParen is called when production ExpInParen is entered. +func (s *BaseEqlListener) EnterExpInParen(ctx *ExpInParenContext) {} + +// ExitExpInParen is called when production ExpInParen is exited. +func (s *BaseEqlListener) ExitExpInParen(ctx *ExpInParenContext) {} + +// EnterExpBoolean is called when production ExpBoolean is entered. +func (s *BaseEqlListener) EnterExpBoolean(ctx *ExpBooleanContext) {} + +// ExitExpBoolean is called when production ExpBoolean is exited. +func (s *BaseEqlListener) ExitExpBoolean(ctx *ExpBooleanContext) {} + +// EnterExpArithmeticAddSub is called when production ExpArithmeticAddSub is entered. +func (s *BaseEqlListener) EnterExpArithmeticAddSub(ctx *ExpArithmeticAddSubContext) {} + +// ExitExpArithmeticAddSub is called when production ExpArithmeticAddSub is exited. +func (s *BaseEqlListener) ExitExpArithmeticAddSub(ctx *ExpArithmeticAddSubContext) {} + +// EnterExpFunction is called when production ExpFunction is entered. +func (s *BaseEqlListener) EnterExpFunction(ctx *ExpFunctionContext) {} + +// ExitExpFunction is called when production ExpFunction is exited. +func (s *BaseEqlListener) ExitExpFunction(ctx *ExpFunctionContext) {} + +// EnterExpArithmeticLT is called when production ExpArithmeticLT is entered. +func (s *BaseEqlListener) EnterExpArithmeticLT(ctx *ExpArithmeticLTContext) {} + +// ExitExpArithmeticLT is called when production ExpArithmeticLT is exited. +func (s *BaseEqlListener) ExitExpArithmeticLT(ctx *ExpArithmeticLTContext) {} + +// EnterArguments is called when production arguments is entered. +func (s *BaseEqlListener) EnterArguments(ctx *ArgumentsContext) {} + +// ExitArguments is called when production arguments is exited. +func (s *BaseEqlListener) ExitArguments(ctx *ArgumentsContext) {} + +// EnterArray is called when production array is entered. +func (s *BaseEqlListener) EnterArray(ctx *ArrayContext) {} + +// ExitArray is called when production array is exited. +func (s *BaseEqlListener) ExitArray(ctx *ArrayContext) {} + +// EnterKey is called when production key is entered. +func (s *BaseEqlListener) EnterKey(ctx *KeyContext) {} + +// ExitKey is called when production key is exited. +func (s *BaseEqlListener) ExitKey(ctx *KeyContext) {} + +// EnterDict is called when production dict is entered. +func (s *BaseEqlListener) EnterDict(ctx *DictContext) {} + +// ExitDict is called when production dict is exited. +func (s *BaseEqlListener) ExitDict(ctx *DictContext) {} diff --git a/x-pack/elastic-agent/pkg/eql/parser/eql_base_visitor.go b/x-pack/elastic-agent/pkg/eql/parser/eql_base_visitor.go new file mode 100644 index 00000000000..fd7523997fd --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/parser/eql_base_visitor.go @@ -0,0 +1,129 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated from Eql.g4 by ANTLR 4.7.1. DO NOT EDIT. + +package parser // Eql + +import "github.com/antlr/antlr4/runtime/Go/antlr" + +type BaseEqlVisitor struct { + *antlr.BaseParseTreeVisitor +} + +func (v *BaseEqlVisitor) VisitExpList(ctx *ExpListContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitBoolean(ctx *BooleanContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitConstant(ctx *ConstantContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitVariable(ctx *VariableContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitVariableExp(ctx *VariableExpContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArithmeticNEQ(ctx *ExpArithmeticNEQContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArithmeticEQ(ctx *ExpArithmeticEQContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArithmeticGTE(ctx *ExpArithmeticGTEContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArithmeticLTE(ctx *ExpArithmeticLTEContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArithmeticGT(ctx *ExpArithmeticGTContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArithmeticMulDivMod(ctx *ExpArithmeticMulDivModContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpDict(ctx *ExpDictContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpText(ctx *ExpTextContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpNumber(ctx *ExpNumberContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpLogicalAnd(ctx *ExpLogicalAndContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpLogicalOR(ctx *ExpLogicalORContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpFloat(ctx *ExpFloatContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpVariable(ctx *ExpVariableContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArray(ctx *ExpArrayContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpNot(ctx *ExpNotContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpInParen(ctx *ExpInParenContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpBoolean(ctx *ExpBooleanContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArithmeticAddSub(ctx *ExpArithmeticAddSubContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpFunction(ctx *ExpFunctionContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitExpArithmeticLT(ctx *ExpArithmeticLTContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitArguments(ctx *ArgumentsContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitArray(ctx *ArrayContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitKey(ctx *KeyContext) interface{} { + return v.VisitChildren(ctx) +} + +func (v *BaseEqlVisitor) VisitDict(ctx *DictContext) interface{} { + return v.VisitChildren(ctx) +} diff --git a/x-pack/elastic-agent/pkg/eql/parser/eql_lexer.go b/x-pack/elastic-agent/pkg/eql/parser/eql_lexer.go new file mode 100644 index 00000000000..da1bf4d112e --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/parser/eql_lexer.go @@ -0,0 +1,228 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated from Eql.g4 by ANTLR 4.7.1. DO NOT EDIT. + +package parser + +import ( + "fmt" + "unicode" + + "github.com/antlr/antlr4/runtime/Go/antlr" +) + +// Suppress unused import error +var _ = fmt.Printf +var _ = unicode.IsLetter + +var serializedLexerAtn = []uint16{ + 3, 24715, 42794, 33075, 47597, 16764, 15335, 30598, 22884, 2, 35, 230, + 8, 1, 4, 2, 9, 2, 4, 3, 9, 3, 4, 4, 9, 4, 4, 5, 9, 5, 4, 6, 9, 6, 4, 7, + 9, 7, 4, 8, 9, 8, 4, 9, 9, 9, 4, 10, 9, 10, 4, 11, 9, 11, 4, 12, 9, 12, + 4, 13, 9, 13, 4, 14, 9, 14, 4, 15, 9, 15, 4, 16, 9, 16, 4, 17, 9, 17, 4, + 18, 9, 18, 4, 19, 9, 19, 4, 20, 9, 20, 4, 21, 9, 21, 4, 22, 9, 22, 4, 23, + 9, 23, 4, 24, 9, 24, 4, 25, 9, 25, 4, 26, 9, 26, 4, 27, 9, 27, 4, 28, 9, + 28, 4, 29, 9, 29, 4, 30, 9, 30, 4, 31, 9, 31, 4, 32, 9, 32, 4, 33, 9, 33, + 4, 34, 9, 34, 3, 2, 3, 2, 3, 3, 3, 3, 3, 4, 3, 4, 3, 5, 3, 5, 3, 5, 3, + 6, 3, 6, 3, 6, 3, 7, 3, 7, 3, 8, 3, 8, 3, 9, 3, 9, 3, 9, 3, 10, 3, 10, + 3, 10, 3, 11, 3, 11, 3, 12, 3, 12, 3, 13, 3, 13, 3, 14, 3, 14, 3, 15, 3, + 15, 3, 16, 3, 16, 3, 16, 3, 16, 3, 16, 3, 16, 5, 16, 108, 10, 16, 3, 17, + 3, 17, 3, 17, 3, 17, 5, 17, 114, 10, 17, 3, 18, 3, 18, 3, 18, 3, 18, 3, + 18, 3, 18, 3, 18, 3, 18, 5, 18, 124, 10, 18, 3, 19, 3, 19, 3, 19, 3, 19, + 3, 19, 3, 19, 3, 19, 3, 19, 3, 19, 3, 19, 5, 19, 136, 10, 19, 3, 20, 5, + 20, 139, 10, 20, 3, 20, 6, 20, 142, 10, 20, 13, 20, 14, 20, 143, 3, 20, + 3, 20, 6, 20, 148, 10, 20, 13, 20, 14, 20, 149, 3, 21, 5, 21, 153, 10, + 21, 3, 21, 6, 21, 156, 10, 21, 13, 21, 14, 21, 157, 3, 22, 6, 22, 161, + 10, 22, 13, 22, 14, 22, 162, 3, 22, 3, 22, 3, 23, 3, 23, 3, 23, 3, 23, + 3, 23, 3, 23, 5, 23, 173, 10, 23, 3, 24, 3, 24, 7, 24, 177, 10, 24, 12, + 24, 14, 24, 180, 11, 24, 3, 25, 6, 25, 183, 10, 25, 13, 25, 14, 25, 184, + 3, 25, 3, 25, 6, 25, 189, 10, 25, 13, 25, 14, 25, 190, 7, 25, 193, 10, + 25, 12, 25, 14, 25, 196, 11, 25, 3, 26, 3, 26, 7, 26, 200, 10, 26, 12, + 26, 14, 26, 203, 11, 26, 3, 26, 3, 26, 3, 27, 3, 27, 7, 27, 209, 10, 27, + 12, 27, 14, 27, 212, 11, 27, 3, 27, 3, 27, 3, 28, 3, 28, 3, 29, 3, 29, + 3, 30, 3, 30, 3, 31, 3, 31, 3, 32, 3, 32, 3, 33, 3, 33, 3, 34, 3, 34, 3, + 34, 2, 2, 35, 3, 3, 5, 4, 7, 5, 9, 6, 11, 7, 13, 8, 15, 9, 17, 10, 19, + 11, 21, 12, 23, 13, 25, 14, 27, 15, 29, 16, 31, 17, 33, 18, 35, 19, 37, + 20, 39, 21, 41, 22, 43, 23, 45, 24, 47, 25, 49, 26, 51, 27, 53, 28, 55, + 29, 57, 30, 59, 31, 61, 32, 63, 33, 65, 34, 67, 35, 3, 2, 10, 3, 2, 47, + 47, 3, 2, 50, 59, 5, 2, 11, 12, 15, 15, 34, 34, 5, 2, 67, 92, 97, 97, 99, + 124, 6, 2, 50, 59, 67, 92, 97, 97, 99, 124, 7, 2, 48, 48, 50, 59, 67, 92, + 97, 97, 99, 124, 5, 2, 12, 12, 15, 15, 41, 41, 5, 2, 12, 12, 15, 15, 36, + 36, 2, 246, 2, 3, 3, 2, 2, 2, 2, 5, 3, 2, 2, 2, 2, 7, 3, 2, 2, 2, 2, 9, + 3, 2, 2, 2, 2, 11, 3, 2, 2, 2, 2, 13, 3, 2, 2, 2, 2, 15, 3, 2, 2, 2, 2, + 17, 3, 2, 2, 2, 2, 19, 3, 2, 2, 2, 2, 21, 3, 2, 2, 2, 2, 23, 3, 2, 2, 2, + 2, 25, 3, 2, 2, 2, 2, 27, 3, 2, 2, 2, 2, 29, 3, 2, 2, 2, 2, 31, 3, 2, 2, + 2, 2, 33, 3, 2, 2, 2, 2, 35, 3, 2, 2, 2, 2, 37, 3, 2, 2, 2, 2, 39, 3, 2, + 2, 2, 2, 41, 3, 2, 2, 2, 2, 43, 3, 2, 2, 2, 2, 45, 3, 2, 2, 2, 2, 47, 3, + 2, 2, 2, 2, 49, 3, 2, 2, 2, 2, 51, 3, 2, 2, 2, 2, 53, 3, 2, 2, 2, 2, 55, + 3, 2, 2, 2, 2, 57, 3, 2, 2, 2, 2, 59, 3, 2, 2, 2, 2, 61, 3, 2, 2, 2, 2, + 63, 3, 2, 2, 2, 2, 65, 3, 2, 2, 2, 2, 67, 3, 2, 2, 2, 3, 69, 3, 2, 2, 2, + 5, 71, 3, 2, 2, 2, 7, 73, 3, 2, 2, 2, 9, 75, 3, 2, 2, 2, 11, 78, 3, 2, + 2, 2, 13, 81, 3, 2, 2, 2, 15, 83, 3, 2, 2, 2, 17, 85, 3, 2, 2, 2, 19, 88, + 3, 2, 2, 2, 21, 91, 3, 2, 2, 2, 23, 93, 3, 2, 2, 2, 25, 95, 3, 2, 2, 2, + 27, 97, 3, 2, 2, 2, 29, 99, 3, 2, 2, 2, 31, 107, 3, 2, 2, 2, 33, 113, 3, + 2, 2, 2, 35, 123, 3, 2, 2, 2, 37, 135, 3, 2, 2, 2, 39, 138, 3, 2, 2, 2, + 41, 152, 3, 2, 2, 2, 43, 160, 3, 2, 2, 2, 45, 172, 3, 2, 2, 2, 47, 174, + 3, 2, 2, 2, 49, 182, 3, 2, 2, 2, 51, 197, 3, 2, 2, 2, 53, 206, 3, 2, 2, + 2, 55, 215, 3, 2, 2, 2, 57, 217, 3, 2, 2, 2, 59, 219, 3, 2, 2, 2, 61, 221, + 3, 2, 2, 2, 63, 223, 3, 2, 2, 2, 65, 225, 3, 2, 2, 2, 67, 227, 3, 2, 2, + 2, 69, 70, 7, 126, 2, 2, 70, 4, 3, 2, 2, 2, 71, 72, 7, 46, 2, 2, 72, 6, + 3, 2, 2, 2, 73, 74, 7, 60, 2, 2, 74, 8, 3, 2, 2, 2, 75, 76, 7, 63, 2, 2, + 76, 77, 7, 63, 2, 2, 77, 10, 3, 2, 2, 2, 78, 79, 7, 35, 2, 2, 79, 80, 7, + 63, 2, 2, 80, 12, 3, 2, 2, 2, 81, 82, 7, 64, 2, 2, 82, 14, 3, 2, 2, 2, + 83, 84, 7, 62, 2, 2, 84, 16, 3, 2, 2, 2, 85, 86, 7, 64, 2, 2, 86, 87, 7, + 63, 2, 2, 87, 18, 3, 2, 2, 2, 88, 89, 7, 62, 2, 2, 89, 90, 7, 63, 2, 2, + 90, 20, 3, 2, 2, 2, 91, 92, 7, 45, 2, 2, 92, 22, 3, 2, 2, 2, 93, 94, 7, + 47, 2, 2, 94, 24, 3, 2, 2, 2, 95, 96, 7, 44, 2, 2, 96, 26, 3, 2, 2, 2, + 97, 98, 7, 49, 2, 2, 98, 28, 3, 2, 2, 2, 99, 100, 7, 39, 2, 2, 100, 30, + 3, 2, 2, 2, 101, 102, 7, 99, 2, 2, 102, 103, 7, 112, 2, 2, 103, 108, 7, + 102, 2, 2, 104, 105, 7, 67, 2, 2, 105, 106, 7, 80, 2, 2, 106, 108, 7, 70, + 2, 2, 107, 101, 3, 2, 2, 2, 107, 104, 3, 2, 2, 2, 108, 32, 3, 2, 2, 2, + 109, 110, 7, 113, 2, 2, 110, 114, 7, 116, 2, 2, 111, 112, 7, 81, 2, 2, + 112, 114, 7, 84, 2, 2, 113, 109, 3, 2, 2, 2, 113, 111, 3, 2, 2, 2, 114, + 34, 3, 2, 2, 2, 115, 116, 7, 118, 2, 2, 116, 117, 7, 116, 2, 2, 117, 118, + 7, 119, 2, 2, 118, 124, 7, 103, 2, 2, 119, 120, 7, 86, 2, 2, 120, 121, + 7, 84, 2, 2, 121, 122, 7, 87, 2, 2, 122, 124, 7, 71, 2, 2, 123, 115, 3, + 2, 2, 2, 123, 119, 3, 2, 2, 2, 124, 36, 3, 2, 2, 2, 125, 126, 7, 104, 2, + 2, 126, 127, 7, 99, 2, 2, 127, 128, 7, 110, 2, 2, 128, 129, 7, 117, 2, + 2, 129, 136, 7, 103, 2, 2, 130, 131, 7, 72, 2, 2, 131, 132, 7, 67, 2, 2, + 132, 133, 7, 78, 2, 2, 133, 134, 7, 85, 2, 2, 134, 136, 7, 71, 2, 2, 135, + 125, 3, 2, 2, 2, 135, 130, 3, 2, 2, 2, 136, 38, 3, 2, 2, 2, 137, 139, 9, + 2, 2, 2, 138, 137, 3, 2, 2, 2, 138, 139, 3, 2, 2, 2, 139, 141, 3, 2, 2, + 2, 140, 142, 9, 3, 2, 2, 141, 140, 3, 2, 2, 2, 142, 143, 3, 2, 2, 2, 143, + 141, 3, 2, 2, 2, 143, 144, 3, 2, 2, 2, 144, 145, 3, 2, 2, 2, 145, 147, + 7, 48, 2, 2, 146, 148, 9, 3, 2, 2, 147, 146, 3, 2, 2, 2, 148, 149, 3, 2, + 2, 2, 149, 147, 3, 2, 2, 2, 149, 150, 3, 2, 2, 2, 150, 40, 3, 2, 2, 2, + 151, 153, 9, 2, 2, 2, 152, 151, 3, 2, 2, 2, 152, 153, 3, 2, 2, 2, 153, + 155, 3, 2, 2, 2, 154, 156, 9, 3, 2, 2, 155, 154, 3, 2, 2, 2, 156, 157, + 3, 2, 2, 2, 157, 155, 3, 2, 2, 2, 157, 158, 3, 2, 2, 2, 158, 42, 3, 2, + 2, 2, 159, 161, 9, 4, 2, 2, 160, 159, 3, 2, 2, 2, 161, 162, 3, 2, 2, 2, + 162, 160, 3, 2, 2, 2, 162, 163, 3, 2, 2, 2, 163, 164, 3, 2, 2, 2, 164, + 165, 8, 22, 2, 2, 165, 44, 3, 2, 2, 2, 166, 167, 7, 80, 2, 2, 167, 168, + 7, 81, 2, 2, 168, 173, 7, 86, 2, 2, 169, 170, 7, 112, 2, 2, 170, 171, 7, + 113, 2, 2, 171, 173, 7, 118, 2, 2, 172, 166, 3, 2, 2, 2, 172, 169, 3, 2, + 2, 2, 173, 46, 3, 2, 2, 2, 174, 178, 9, 5, 2, 2, 175, 177, 9, 6, 2, 2, + 176, 175, 3, 2, 2, 2, 177, 180, 3, 2, 2, 2, 178, 176, 3, 2, 2, 2, 178, + 179, 3, 2, 2, 2, 179, 48, 3, 2, 2, 2, 180, 178, 3, 2, 2, 2, 181, 183, 9, + 7, 2, 2, 182, 181, 3, 2, 2, 2, 183, 184, 3, 2, 2, 2, 184, 182, 3, 2, 2, + 2, 184, 185, 3, 2, 2, 2, 185, 194, 3, 2, 2, 2, 186, 188, 7, 48, 2, 2, 187, + 189, 9, 6, 2, 2, 188, 187, 3, 2, 2, 2, 189, 190, 3, 2, 2, 2, 190, 188, + 3, 2, 2, 2, 190, 191, 3, 2, 2, 2, 191, 193, 3, 2, 2, 2, 192, 186, 3, 2, + 2, 2, 193, 196, 3, 2, 2, 2, 194, 192, 3, 2, 2, 2, 194, 195, 3, 2, 2, 2, + 195, 50, 3, 2, 2, 2, 196, 194, 3, 2, 2, 2, 197, 201, 7, 41, 2, 2, 198, + 200, 10, 8, 2, 2, 199, 198, 3, 2, 2, 2, 200, 203, 3, 2, 2, 2, 201, 199, + 3, 2, 2, 2, 201, 202, 3, 2, 2, 2, 202, 204, 3, 2, 2, 2, 203, 201, 3, 2, + 2, 2, 204, 205, 7, 41, 2, 2, 205, 52, 3, 2, 2, 2, 206, 210, 7, 36, 2, 2, + 207, 209, 10, 9, 2, 2, 208, 207, 3, 2, 2, 2, 209, 212, 3, 2, 2, 2, 210, + 208, 3, 2, 2, 2, 210, 211, 3, 2, 2, 2, 211, 213, 3, 2, 2, 2, 212, 210, + 3, 2, 2, 2, 213, 214, 7, 36, 2, 2, 214, 54, 3, 2, 2, 2, 215, 216, 7, 42, + 2, 2, 216, 56, 3, 2, 2, 2, 217, 218, 7, 43, 2, 2, 218, 58, 3, 2, 2, 2, + 219, 220, 7, 93, 2, 2, 220, 60, 3, 2, 2, 2, 221, 222, 7, 95, 2, 2, 222, + 62, 3, 2, 2, 2, 223, 224, 7, 125, 2, 2, 224, 64, 3, 2, 2, 2, 225, 226, + 7, 127, 2, 2, 226, 66, 3, 2, 2, 2, 227, 228, 7, 38, 2, 2, 228, 229, 7, + 125, 2, 2, 229, 68, 3, 2, 2, 2, 20, 2, 107, 113, 123, 135, 138, 143, 149, + 152, 157, 162, 172, 178, 184, 190, 194, 201, 210, 3, 8, 2, 2, +} + +var lexerDeserializer = antlr.NewATNDeserializer(nil) +var lexerAtn = lexerDeserializer.DeserializeFromUInt16(serializedLexerAtn) + +var lexerChannelNames = []string{ + "DEFAULT_TOKEN_CHANNEL", "HIDDEN", +} + +var lexerModeNames = []string{ + "DEFAULT_MODE", +} + +var lexerLiteralNames = []string{ + "", "'|'", "','", "':'", "'=='", "'!='", "'>'", "'<'", "'>='", "'<='", + "'+'", "'-'", "'*'", "'/'", "'%'", "", "", "", "", "", "", "", "", "", + "", "", "", "'('", "')'", "'['", "']'", "'{'", "'}'", "'${'", +} + +var lexerSymbolicNames = []string{ + "", "", "", "", "EQ", "NEQ", "GT", "LT", "GTE", "LTE", "ADD", "SUB", "MUL", + "DIV", "MOD", "AND", "OR", "TRUE", "FALSE", "FLOAT", "NUMBER", "WHITESPACE", + "NOT", "NAME", "VNAME", "STEXT", "DTEXT", "LPAR", "RPAR", "LARR", "RARR", + "LDICT", "RDICT", "BEGIN_VARIABLE", +} + +var lexerRuleNames = []string{ + "T__0", "T__1", "T__2", "EQ", "NEQ", "GT", "LT", "GTE", "LTE", "ADD", "SUB", + "MUL", "DIV", "MOD", "AND", "OR", "TRUE", "FALSE", "FLOAT", "NUMBER", "WHITESPACE", + "NOT", "NAME", "VNAME", "STEXT", "DTEXT", "LPAR", "RPAR", "LARR", "RARR", + "LDICT", "RDICT", "BEGIN_VARIABLE", +} + +type EqlLexer struct { + *antlr.BaseLexer + channelNames []string + modeNames []string + // TODO: EOF string +} + +var lexerDecisionToDFA = make([]*antlr.DFA, len(lexerAtn.DecisionToState)) + +func init() { + for index, ds := range lexerAtn.DecisionToState { + lexerDecisionToDFA[index] = antlr.NewDFA(ds, index) + } +} + +func NewEqlLexer(input antlr.CharStream) *EqlLexer { + + l := new(EqlLexer) + + l.BaseLexer = antlr.NewBaseLexer(input) + l.Interpreter = antlr.NewLexerATNSimulator(l, lexerAtn, lexerDecisionToDFA, antlr.NewPredictionContextCache()) + + l.channelNames = lexerChannelNames + l.modeNames = lexerModeNames + l.RuleNames = lexerRuleNames + l.LiteralNames = lexerLiteralNames + l.SymbolicNames = lexerSymbolicNames + l.GrammarFileName = "Eql.g4" + // TODO: l.EOF = antlr.TokenEOF + + return l +} + +// EqlLexer tokens. +const ( + EqlLexerT__0 = 1 + EqlLexerT__1 = 2 + EqlLexerT__2 = 3 + EqlLexerEQ = 4 + EqlLexerNEQ = 5 + EqlLexerGT = 6 + EqlLexerLT = 7 + EqlLexerGTE = 8 + EqlLexerLTE = 9 + EqlLexerADD = 10 + EqlLexerSUB = 11 + EqlLexerMUL = 12 + EqlLexerDIV = 13 + EqlLexerMOD = 14 + EqlLexerAND = 15 + EqlLexerOR = 16 + EqlLexerTRUE = 17 + EqlLexerFALSE = 18 + EqlLexerFLOAT = 19 + EqlLexerNUMBER = 20 + EqlLexerWHITESPACE = 21 + EqlLexerNOT = 22 + EqlLexerNAME = 23 + EqlLexerVNAME = 24 + EqlLexerSTEXT = 25 + EqlLexerDTEXT = 26 + EqlLexerLPAR = 27 + EqlLexerRPAR = 28 + EqlLexerLARR = 29 + EqlLexerRARR = 30 + EqlLexerLDICT = 31 + EqlLexerRDICT = 32 + EqlLexerBEGIN_VARIABLE = 33 +) diff --git a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_listener.go b/x-pack/elastic-agent/pkg/eql/parser/eql_listener.go similarity index 66% rename from x-pack/elastic-agent/pkg/boolexp/parser/boolexp_listener.go rename to x-pack/elastic-agent/pkg/eql/parser/eql_listener.go index 12ff6e0fe89..b4bfa5b5d4d 100644 --- a/x-pack/elastic-agent/pkg/boolexp/parser/boolexp_listener.go +++ b/x-pack/elastic-agent/pkg/eql/parser/eql_listener.go @@ -2,19 +2,31 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -// Code generated from Boolexp.g4 by ANTLR 4.7.2. DO NOT EDIT. +// Code generated from Eql.g4 by ANTLR 4.7.1. DO NOT EDIT. -package parser // Boolexp +package parser // Eql import "github.com/antlr/antlr4/runtime/Go/antlr" -// BoolexpListener is a complete listener for a parse tree produced by BoolexpParser. -type BoolexpListener interface { +// EqlListener is a complete listener for a parse tree produced by EqlParser. +type EqlListener interface { antlr.ParseTreeListener // EnterExpList is called when entering the expList production. EnterExpList(c *ExpListContext) + // EnterBoolean is called when entering the boolean production. + EnterBoolean(c *BooleanContext) + + // EnterConstant is called when entering the constant production. + EnterConstant(c *ConstantContext) + + // EnterVariable is called when entering the variable production. + EnterVariable(c *VariableContext) + + // EnterVariableExp is called when entering the variableExp production. + EnterVariableExp(c *VariableExpContext) + // EnterExpArithmeticNEQ is called when entering the ExpArithmeticNEQ production. EnterExpArithmeticNEQ(c *ExpArithmeticNEQContext) @@ -30,6 +42,12 @@ type BoolexpListener interface { // EnterExpArithmeticGT is called when entering the ExpArithmeticGT production. EnterExpArithmeticGT(c *ExpArithmeticGTContext) + // EnterExpArithmeticMulDivMod is called when entering the ExpArithmeticMulDivMod production. + EnterExpArithmeticMulDivMod(c *ExpArithmeticMulDivModContext) + + // EnterExpDict is called when entering the ExpDict production. + EnterExpDict(c *ExpDictContext) + // EnterExpText is called when entering the ExpText production. EnterExpText(c *ExpTextContext) @@ -48,6 +66,9 @@ type BoolexpListener interface { // EnterExpVariable is called when entering the ExpVariable production. EnterExpVariable(c *ExpVariableContext) + // EnterExpArray is called when entering the ExpArray production. + EnterExpArray(c *ExpArrayContext) + // EnterExpNot is called when entering the ExpNot production. EnterExpNot(c *ExpNotContext) @@ -57,21 +78,42 @@ type BoolexpListener interface { // EnterExpBoolean is called when entering the ExpBoolean production. EnterExpBoolean(c *ExpBooleanContext) + // EnterExpArithmeticAddSub is called when entering the ExpArithmeticAddSub production. + EnterExpArithmeticAddSub(c *ExpArithmeticAddSubContext) + // EnterExpFunction is called when entering the ExpFunction production. EnterExpFunction(c *ExpFunctionContext) // EnterExpArithmeticLT is called when entering the ExpArithmeticLT production. EnterExpArithmeticLT(c *ExpArithmeticLTContext) - // EnterBoolean is called when entering the boolean production. - EnterBoolean(c *BooleanContext) - // EnterArguments is called when entering the arguments production. EnterArguments(c *ArgumentsContext) + // EnterArray is called when entering the array production. + EnterArray(c *ArrayContext) + + // EnterKey is called when entering the key production. + EnterKey(c *KeyContext) + + // EnterDict is called when entering the dict production. + EnterDict(c *DictContext) + // ExitExpList is called when exiting the expList production. ExitExpList(c *ExpListContext) + // ExitBoolean is called when exiting the boolean production. + ExitBoolean(c *BooleanContext) + + // ExitConstant is called when exiting the constant production. + ExitConstant(c *ConstantContext) + + // ExitVariable is called when exiting the variable production. + ExitVariable(c *VariableContext) + + // ExitVariableExp is called when exiting the variableExp production. + ExitVariableExp(c *VariableExpContext) + // ExitExpArithmeticNEQ is called when exiting the ExpArithmeticNEQ production. ExitExpArithmeticNEQ(c *ExpArithmeticNEQContext) @@ -87,6 +129,12 @@ type BoolexpListener interface { // ExitExpArithmeticGT is called when exiting the ExpArithmeticGT production. ExitExpArithmeticGT(c *ExpArithmeticGTContext) + // ExitExpArithmeticMulDivMod is called when exiting the ExpArithmeticMulDivMod production. + ExitExpArithmeticMulDivMod(c *ExpArithmeticMulDivModContext) + + // ExitExpDict is called when exiting the ExpDict production. + ExitExpDict(c *ExpDictContext) + // ExitExpText is called when exiting the ExpText production. ExitExpText(c *ExpTextContext) @@ -105,6 +153,9 @@ type BoolexpListener interface { // ExitExpVariable is called when exiting the ExpVariable production. ExitExpVariable(c *ExpVariableContext) + // ExitExpArray is called when exiting the ExpArray production. + ExitExpArray(c *ExpArrayContext) + // ExitExpNot is called when exiting the ExpNot production. ExitExpNot(c *ExpNotContext) @@ -114,15 +165,24 @@ type BoolexpListener interface { // ExitExpBoolean is called when exiting the ExpBoolean production. ExitExpBoolean(c *ExpBooleanContext) + // ExitExpArithmeticAddSub is called when exiting the ExpArithmeticAddSub production. + ExitExpArithmeticAddSub(c *ExpArithmeticAddSubContext) + // ExitExpFunction is called when exiting the ExpFunction production. ExitExpFunction(c *ExpFunctionContext) // ExitExpArithmeticLT is called when exiting the ExpArithmeticLT production. ExitExpArithmeticLT(c *ExpArithmeticLTContext) - // ExitBoolean is called when exiting the boolean production. - ExitBoolean(c *BooleanContext) - // ExitArguments is called when exiting the arguments production. ExitArguments(c *ArgumentsContext) + + // ExitArray is called when exiting the array production. + ExitArray(c *ArrayContext) + + // ExitKey is called when exiting the key production. + ExitKey(c *KeyContext) + + // ExitDict is called when exiting the dict production. + ExitDict(c *DictContext) } diff --git a/x-pack/elastic-agent/pkg/eql/parser/eql_parser.go b/x-pack/elastic-agent/pkg/eql/parser/eql_parser.go new file mode 100644 index 00000000000..6507c67a388 --- /dev/null +++ b/x-pack/elastic-agent/pkg/eql/parser/eql_parser.go @@ -0,0 +1,3284 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated from Eql.g4 by ANTLR 4.7.1. DO NOT EDIT. + +package parser // Eql + +import ( + "fmt" + "reflect" + "strconv" + + "github.com/antlr/antlr4/runtime/Go/antlr" +) + +// Suppress unused import errors +var _ = fmt.Printf +var _ = reflect.Copy +var _ = strconv.Itoa + +var parserATN = []uint16{ + 3, 24715, 42794, 33075, 47597, 16764, 15335, 30598, 22884, 3, 35, 144, + 4, 2, 9, 2, 4, 3, 9, 3, 4, 4, 9, 4, 4, 5, 9, 5, 4, 6, 9, 6, 4, 7, 9, 7, + 4, 8, 9, 8, 4, 9, 9, 9, 4, 10, 9, 10, 4, 11, 9, 11, 3, 2, 3, 2, 3, 2, 3, + 3, 3, 3, 3, 4, 3, 4, 3, 4, 3, 4, 3, 4, 5, 4, 33, 10, 4, 3, 5, 3, 5, 3, + 5, 5, 5, 38, 10, 5, 3, 6, 3, 6, 3, 6, 7, 6, 43, 10, 6, 12, 6, 14, 6, 46, + 11, 6, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, + 3, 7, 3, 7, 3, 7, 3, 7, 5, 7, 63, 10, 7, 3, 7, 3, 7, 3, 7, 5, 7, 68, 10, + 7, 3, 7, 3, 7, 3, 7, 5, 7, 73, 10, 7, 3, 7, 3, 7, 3, 7, 3, 7, 5, 7, 79, + 10, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, + 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, + 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 3, 7, 7, 7, 111, 10, 7, 12, 7, 14, + 7, 114, 11, 7, 3, 8, 3, 8, 3, 8, 7, 8, 119, 10, 8, 12, 8, 14, 8, 122, 11, + 8, 3, 9, 3, 9, 3, 9, 7, 9, 127, 10, 9, 12, 9, 14, 9, 130, 11, 9, 3, 10, + 3, 10, 3, 10, 3, 10, 3, 11, 3, 11, 3, 11, 7, 11, 139, 10, 11, 12, 11, 14, + 11, 142, 11, 11, 3, 11, 2, 3, 12, 12, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, + 2, 7, 3, 2, 19, 20, 3, 2, 27, 28, 3, 2, 14, 16, 3, 2, 12, 13, 4, 2, 25, + 25, 27, 28, 2, 165, 2, 22, 3, 2, 2, 2, 4, 25, 3, 2, 2, 2, 6, 32, 3, 2, + 2, 2, 8, 37, 3, 2, 2, 2, 10, 39, 3, 2, 2, 2, 12, 78, 3, 2, 2, 2, 14, 115, + 3, 2, 2, 2, 16, 123, 3, 2, 2, 2, 18, 131, 3, 2, 2, 2, 20, 135, 3, 2, 2, + 2, 22, 23, 5, 12, 7, 2, 23, 24, 7, 2, 2, 3, 24, 3, 3, 2, 2, 2, 25, 26, + 9, 2, 2, 2, 26, 5, 3, 2, 2, 2, 27, 33, 7, 27, 2, 2, 28, 33, 7, 28, 2, 2, + 29, 33, 7, 21, 2, 2, 30, 33, 7, 22, 2, 2, 31, 33, 5, 4, 3, 2, 32, 27, 3, + 2, 2, 2, 32, 28, 3, 2, 2, 2, 32, 29, 3, 2, 2, 2, 32, 30, 3, 2, 2, 2, 32, + 31, 3, 2, 2, 2, 33, 7, 3, 2, 2, 2, 34, 38, 7, 25, 2, 2, 35, 38, 7, 26, + 2, 2, 36, 38, 5, 6, 4, 2, 37, 34, 3, 2, 2, 2, 37, 35, 3, 2, 2, 2, 37, 36, + 3, 2, 2, 2, 38, 9, 3, 2, 2, 2, 39, 44, 5, 8, 5, 2, 40, 41, 7, 3, 2, 2, + 41, 43, 5, 8, 5, 2, 42, 40, 3, 2, 2, 2, 43, 46, 3, 2, 2, 2, 44, 42, 3, + 2, 2, 2, 44, 45, 3, 2, 2, 2, 45, 11, 3, 2, 2, 2, 46, 44, 3, 2, 2, 2, 47, + 48, 8, 7, 1, 2, 48, 49, 7, 29, 2, 2, 49, 50, 5, 12, 7, 2, 50, 51, 7, 30, + 2, 2, 51, 79, 3, 2, 2, 2, 52, 53, 7, 24, 2, 2, 53, 79, 5, 12, 7, 19, 54, + 79, 5, 4, 3, 2, 55, 56, 7, 35, 2, 2, 56, 57, 5, 10, 6, 2, 57, 58, 7, 34, + 2, 2, 58, 79, 3, 2, 2, 2, 59, 60, 7, 25, 2, 2, 60, 62, 7, 29, 2, 2, 61, + 63, 5, 14, 8, 2, 62, 61, 3, 2, 2, 2, 62, 63, 3, 2, 2, 2, 63, 64, 3, 2, + 2, 2, 64, 79, 7, 30, 2, 2, 65, 67, 7, 31, 2, 2, 66, 68, 5, 16, 9, 2, 67, + 66, 3, 2, 2, 2, 67, 68, 3, 2, 2, 2, 68, 69, 3, 2, 2, 2, 69, 79, 7, 32, + 2, 2, 70, 72, 7, 33, 2, 2, 71, 73, 5, 20, 11, 2, 72, 71, 3, 2, 2, 2, 72, + 73, 3, 2, 2, 2, 73, 74, 3, 2, 2, 2, 74, 79, 7, 34, 2, 2, 75, 79, 9, 3, + 2, 2, 76, 79, 7, 21, 2, 2, 77, 79, 7, 22, 2, 2, 78, 47, 3, 2, 2, 2, 78, + 52, 3, 2, 2, 2, 78, 54, 3, 2, 2, 2, 78, 55, 3, 2, 2, 2, 78, 59, 3, 2, 2, + 2, 78, 65, 3, 2, 2, 2, 78, 70, 3, 2, 2, 2, 78, 75, 3, 2, 2, 2, 78, 76, + 3, 2, 2, 2, 78, 77, 3, 2, 2, 2, 79, 112, 3, 2, 2, 2, 80, 81, 12, 21, 2, + 2, 81, 82, 9, 4, 2, 2, 82, 111, 5, 12, 7, 22, 83, 84, 12, 20, 2, 2, 84, + 85, 9, 5, 2, 2, 85, 111, 5, 12, 7, 21, 86, 87, 12, 18, 2, 2, 87, 88, 7, + 6, 2, 2, 88, 111, 5, 12, 7, 19, 89, 90, 12, 17, 2, 2, 90, 91, 7, 7, 2, + 2, 91, 111, 5, 12, 7, 18, 92, 93, 12, 16, 2, 2, 93, 94, 7, 11, 2, 2, 94, + 111, 5, 12, 7, 17, 95, 96, 12, 15, 2, 2, 96, 97, 7, 10, 2, 2, 97, 111, + 5, 12, 7, 16, 98, 99, 12, 14, 2, 2, 99, 100, 7, 9, 2, 2, 100, 111, 5, 12, + 7, 15, 101, 102, 12, 13, 2, 2, 102, 103, 7, 8, 2, 2, 103, 111, 5, 12, 7, + 14, 104, 105, 12, 12, 2, 2, 105, 106, 7, 17, 2, 2, 106, 111, 5, 12, 7, + 13, 107, 108, 12, 11, 2, 2, 108, 109, 7, 18, 2, 2, 109, 111, 5, 12, 7, + 12, 110, 80, 3, 2, 2, 2, 110, 83, 3, 2, 2, 2, 110, 86, 3, 2, 2, 2, 110, + 89, 3, 2, 2, 2, 110, 92, 3, 2, 2, 2, 110, 95, 3, 2, 2, 2, 110, 98, 3, 2, + 2, 2, 110, 101, 3, 2, 2, 2, 110, 104, 3, 2, 2, 2, 110, 107, 3, 2, 2, 2, + 111, 114, 3, 2, 2, 2, 112, 110, 3, 2, 2, 2, 112, 113, 3, 2, 2, 2, 113, + 13, 3, 2, 2, 2, 114, 112, 3, 2, 2, 2, 115, 120, 5, 12, 7, 2, 116, 117, + 7, 4, 2, 2, 117, 119, 5, 12, 7, 2, 118, 116, 3, 2, 2, 2, 119, 122, 3, 2, + 2, 2, 120, 118, 3, 2, 2, 2, 120, 121, 3, 2, 2, 2, 121, 15, 3, 2, 2, 2, + 122, 120, 3, 2, 2, 2, 123, 128, 5, 6, 4, 2, 124, 125, 7, 4, 2, 2, 125, + 127, 5, 6, 4, 2, 126, 124, 3, 2, 2, 2, 127, 130, 3, 2, 2, 2, 128, 126, + 3, 2, 2, 2, 128, 129, 3, 2, 2, 2, 129, 17, 3, 2, 2, 2, 130, 128, 3, 2, + 2, 2, 131, 132, 9, 6, 2, 2, 132, 133, 7, 5, 2, 2, 133, 134, 5, 6, 4, 2, + 134, 19, 3, 2, 2, 2, 135, 140, 5, 18, 10, 2, 136, 137, 7, 4, 2, 2, 137, + 139, 5, 18, 10, 2, 138, 136, 3, 2, 2, 2, 139, 142, 3, 2, 2, 2, 140, 138, + 3, 2, 2, 2, 140, 141, 3, 2, 2, 2, 141, 21, 3, 2, 2, 2, 142, 140, 3, 2, + 2, 2, 14, 32, 37, 44, 62, 67, 72, 78, 110, 112, 120, 128, 140, +} +var deserializer = antlr.NewATNDeserializer(nil) +var deserializedATN = deserializer.DeserializeFromUInt16(parserATN) + +var literalNames = []string{ + "", "'|'", "','", "':'", "'=='", "'!='", "'>'", "'<'", "'>='", "'<='", + "'+'", "'-'", "'*'", "'/'", "'%'", "", "", "", "", "", "", "", "", "", + "", "", "", "'('", "')'", "'['", "']'", "'{'", "'}'", "'${'", +} +var symbolicNames = []string{ + "", "", "", "", "EQ", "NEQ", "GT", "LT", "GTE", "LTE", "ADD", "SUB", "MUL", + "DIV", "MOD", "AND", "OR", "TRUE", "FALSE", "FLOAT", "NUMBER", "WHITESPACE", + "NOT", "NAME", "VNAME", "STEXT", "DTEXT", "LPAR", "RPAR", "LARR", "RARR", + "LDICT", "RDICT", "BEGIN_VARIABLE", +} + +var ruleNames = []string{ + "expList", "boolean", "constant", "variable", "variableExp", "exp", "arguments", + "array", "key", "dict", +} +var decisionToDFA = make([]*antlr.DFA, len(deserializedATN.DecisionToState)) + +func init() { + for index, ds := range deserializedATN.DecisionToState { + decisionToDFA[index] = antlr.NewDFA(ds, index) + } +} + +type EqlParser struct { + *antlr.BaseParser +} + +func NewEqlParser(input antlr.TokenStream) *EqlParser { + this := new(EqlParser) + + this.BaseParser = antlr.NewBaseParser(input) + + this.Interpreter = antlr.NewParserATNSimulator(this, deserializedATN, decisionToDFA, antlr.NewPredictionContextCache()) + this.RuleNames = ruleNames + this.LiteralNames = literalNames + this.SymbolicNames = symbolicNames + this.GrammarFileName = "Eql.g4" + + return this +} + +// EqlParser tokens. +const ( + EqlParserEOF = antlr.TokenEOF + EqlParserT__0 = 1 + EqlParserT__1 = 2 + EqlParserT__2 = 3 + EqlParserEQ = 4 + EqlParserNEQ = 5 + EqlParserGT = 6 + EqlParserLT = 7 + EqlParserGTE = 8 + EqlParserLTE = 9 + EqlParserADD = 10 + EqlParserSUB = 11 + EqlParserMUL = 12 + EqlParserDIV = 13 + EqlParserMOD = 14 + EqlParserAND = 15 + EqlParserOR = 16 + EqlParserTRUE = 17 + EqlParserFALSE = 18 + EqlParserFLOAT = 19 + EqlParserNUMBER = 20 + EqlParserWHITESPACE = 21 + EqlParserNOT = 22 + EqlParserNAME = 23 + EqlParserVNAME = 24 + EqlParserSTEXT = 25 + EqlParserDTEXT = 26 + EqlParserLPAR = 27 + EqlParserRPAR = 28 + EqlParserLARR = 29 + EqlParserRARR = 30 + EqlParserLDICT = 31 + EqlParserRDICT = 32 + EqlParserBEGIN_VARIABLE = 33 +) + +// EqlParser rules. +const ( + EqlParserRULE_expList = 0 + EqlParserRULE_boolean = 1 + EqlParserRULE_constant = 2 + EqlParserRULE_variable = 3 + EqlParserRULE_variableExp = 4 + EqlParserRULE_exp = 5 + EqlParserRULE_arguments = 6 + EqlParserRULE_array = 7 + EqlParserRULE_key = 8 + EqlParserRULE_dict = 9 +) + +// IExpListContext is an interface to support dynamic dispatch. +type IExpListContext interface { + antlr.ParserRuleContext + + // GetParser returns the parser. + GetParser() antlr.Parser + + // IsExpListContext differentiates from other interfaces. + IsExpListContext() +} + +type ExpListContext struct { + *antlr.BaseParserRuleContext + parser antlr.Parser +} + +func NewEmptyExpListContext() *ExpListContext { + var p = new(ExpListContext) + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(nil, -1) + p.RuleIndex = EqlParserRULE_expList + return p +} + +func (*ExpListContext) IsExpListContext() {} + +func NewExpListContext(parser antlr.Parser, parent antlr.ParserRuleContext, invokingState int) *ExpListContext { + var p = new(ExpListContext) + + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(parent, invokingState) + + p.parser = parser + p.RuleIndex = EqlParserRULE_expList + + return p +} + +func (s *ExpListContext) GetParser() antlr.Parser { return s.parser } + +func (s *ExpListContext) Exp() IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpListContext) EOF() antlr.TerminalNode { + return s.GetToken(EqlParserEOF, 0) +} + +func (s *ExpListContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpListContext) ToStringTree(ruleNames []string, recog antlr.Recognizer) string { + return antlr.TreesStringTree(s, ruleNames, recog) +} + +func (s *ExpListContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpList(s) + } +} + +func (s *ExpListContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpList(s) + } +} + +func (s *ExpListContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpList(s) + + default: + return t.VisitChildren(s) + } +} + +func (p *EqlParser) ExpList() (localctx IExpListContext) { + localctx = NewExpListContext(p, p.GetParserRuleContext(), p.GetState()) + p.EnterRule(localctx, 0, EqlParserRULE_expList) + + defer func() { + p.ExitRule() + }() + + defer func() { + if err := recover(); err != nil { + if v, ok := err.(antlr.RecognitionException); ok { + localctx.SetException(v) + p.GetErrorHandler().ReportError(p, v) + p.GetErrorHandler().Recover(p, v) + } else { + panic(err) + } + } + }() + + p.EnterOuterAlt(localctx, 1) + { + p.SetState(20) + p.exp(0) + } + { + p.SetState(21) + p.Match(EqlParserEOF) + } + + return localctx +} + +// IBooleanContext is an interface to support dynamic dispatch. +type IBooleanContext interface { + antlr.ParserRuleContext + + // GetParser returns the parser. + GetParser() antlr.Parser + + // IsBooleanContext differentiates from other interfaces. + IsBooleanContext() +} + +type BooleanContext struct { + *antlr.BaseParserRuleContext + parser antlr.Parser +} + +func NewEmptyBooleanContext() *BooleanContext { + var p = new(BooleanContext) + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(nil, -1) + p.RuleIndex = EqlParserRULE_boolean + return p +} + +func (*BooleanContext) IsBooleanContext() {} + +func NewBooleanContext(parser antlr.Parser, parent antlr.ParserRuleContext, invokingState int) *BooleanContext { + var p = new(BooleanContext) + + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(parent, invokingState) + + p.parser = parser + p.RuleIndex = EqlParserRULE_boolean + + return p +} + +func (s *BooleanContext) GetParser() antlr.Parser { return s.parser } + +func (s *BooleanContext) TRUE() antlr.TerminalNode { + return s.GetToken(EqlParserTRUE, 0) +} + +func (s *BooleanContext) FALSE() antlr.TerminalNode { + return s.GetToken(EqlParserFALSE, 0) +} + +func (s *BooleanContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *BooleanContext) ToStringTree(ruleNames []string, recog antlr.Recognizer) string { + return antlr.TreesStringTree(s, ruleNames, recog) +} + +func (s *BooleanContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterBoolean(s) + } +} + +func (s *BooleanContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitBoolean(s) + } +} + +func (s *BooleanContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitBoolean(s) + + default: + return t.VisitChildren(s) + } +} + +func (p *EqlParser) Boolean() (localctx IBooleanContext) { + localctx = NewBooleanContext(p, p.GetParserRuleContext(), p.GetState()) + p.EnterRule(localctx, 2, EqlParserRULE_boolean) + var _la int + + defer func() { + p.ExitRule() + }() + + defer func() { + if err := recover(); err != nil { + if v, ok := err.(antlr.RecognitionException); ok { + localctx.SetException(v) + p.GetErrorHandler().ReportError(p, v) + p.GetErrorHandler().Recover(p, v) + } else { + panic(err) + } + } + }() + + p.EnterOuterAlt(localctx, 1) + { + p.SetState(23) + _la = p.GetTokenStream().LA(1) + + if !(_la == EqlParserTRUE || _la == EqlParserFALSE) { + p.GetErrorHandler().RecoverInline(p) + } else { + p.GetErrorHandler().ReportMatch(p) + p.Consume() + } + } + + return localctx +} + +// IConstantContext is an interface to support dynamic dispatch. +type IConstantContext interface { + antlr.ParserRuleContext + + // GetParser returns the parser. + GetParser() antlr.Parser + + // IsConstantContext differentiates from other interfaces. + IsConstantContext() +} + +type ConstantContext struct { + *antlr.BaseParserRuleContext + parser antlr.Parser +} + +func NewEmptyConstantContext() *ConstantContext { + var p = new(ConstantContext) + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(nil, -1) + p.RuleIndex = EqlParserRULE_constant + return p +} + +func (*ConstantContext) IsConstantContext() {} + +func NewConstantContext(parser antlr.Parser, parent antlr.ParserRuleContext, invokingState int) *ConstantContext { + var p = new(ConstantContext) + + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(parent, invokingState) + + p.parser = parser + p.RuleIndex = EqlParserRULE_constant + + return p +} + +func (s *ConstantContext) GetParser() antlr.Parser { return s.parser } + +func (s *ConstantContext) STEXT() antlr.TerminalNode { + return s.GetToken(EqlParserSTEXT, 0) +} + +func (s *ConstantContext) DTEXT() antlr.TerminalNode { + return s.GetToken(EqlParserDTEXT, 0) +} + +func (s *ConstantContext) FLOAT() antlr.TerminalNode { + return s.GetToken(EqlParserFLOAT, 0) +} + +func (s *ConstantContext) NUMBER() antlr.TerminalNode { + return s.GetToken(EqlParserNUMBER, 0) +} + +func (s *ConstantContext) Boolean() IBooleanContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IBooleanContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IBooleanContext) +} + +func (s *ConstantContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ConstantContext) ToStringTree(ruleNames []string, recog antlr.Recognizer) string { + return antlr.TreesStringTree(s, ruleNames, recog) +} + +func (s *ConstantContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterConstant(s) + } +} + +func (s *ConstantContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitConstant(s) + } +} + +func (s *ConstantContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitConstant(s) + + default: + return t.VisitChildren(s) + } +} + +func (p *EqlParser) Constant() (localctx IConstantContext) { + localctx = NewConstantContext(p, p.GetParserRuleContext(), p.GetState()) + p.EnterRule(localctx, 4, EqlParserRULE_constant) + + defer func() { + p.ExitRule() + }() + + defer func() { + if err := recover(); err != nil { + if v, ok := err.(antlr.RecognitionException); ok { + localctx.SetException(v) + p.GetErrorHandler().ReportError(p, v) + p.GetErrorHandler().Recover(p, v) + } else { + panic(err) + } + } + }() + + p.SetState(30) + p.GetErrorHandler().Sync(p) + + switch p.GetTokenStream().LA(1) { + case EqlParserSTEXT: + p.EnterOuterAlt(localctx, 1) + { + p.SetState(25) + p.Match(EqlParserSTEXT) + } + + case EqlParserDTEXT: + p.EnterOuterAlt(localctx, 2) + { + p.SetState(26) + p.Match(EqlParserDTEXT) + } + + case EqlParserFLOAT: + p.EnterOuterAlt(localctx, 3) + { + p.SetState(27) + p.Match(EqlParserFLOAT) + } + + case EqlParserNUMBER: + p.EnterOuterAlt(localctx, 4) + { + p.SetState(28) + p.Match(EqlParserNUMBER) + } + + case EqlParserTRUE, EqlParserFALSE: + p.EnterOuterAlt(localctx, 5) + { + p.SetState(29) + p.Boolean() + } + + default: + panic(antlr.NewNoViableAltException(p, nil, nil, nil, nil, nil)) + } + + return localctx +} + +// IVariableContext is an interface to support dynamic dispatch. +type IVariableContext interface { + antlr.ParserRuleContext + + // GetParser returns the parser. + GetParser() antlr.Parser + + // IsVariableContext differentiates from other interfaces. + IsVariableContext() +} + +type VariableContext struct { + *antlr.BaseParserRuleContext + parser antlr.Parser +} + +func NewEmptyVariableContext() *VariableContext { + var p = new(VariableContext) + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(nil, -1) + p.RuleIndex = EqlParserRULE_variable + return p +} + +func (*VariableContext) IsVariableContext() {} + +func NewVariableContext(parser antlr.Parser, parent antlr.ParserRuleContext, invokingState int) *VariableContext { + var p = new(VariableContext) + + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(parent, invokingState) + + p.parser = parser + p.RuleIndex = EqlParserRULE_variable + + return p +} + +func (s *VariableContext) GetParser() antlr.Parser { return s.parser } + +func (s *VariableContext) NAME() antlr.TerminalNode { + return s.GetToken(EqlParserNAME, 0) +} + +func (s *VariableContext) VNAME() antlr.TerminalNode { + return s.GetToken(EqlParserVNAME, 0) +} + +func (s *VariableContext) Constant() IConstantContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IConstantContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IConstantContext) +} + +func (s *VariableContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *VariableContext) ToStringTree(ruleNames []string, recog antlr.Recognizer) string { + return antlr.TreesStringTree(s, ruleNames, recog) +} + +func (s *VariableContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterVariable(s) + } +} + +func (s *VariableContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitVariable(s) + } +} + +func (s *VariableContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitVariable(s) + + default: + return t.VisitChildren(s) + } +} + +func (p *EqlParser) Variable() (localctx IVariableContext) { + localctx = NewVariableContext(p, p.GetParserRuleContext(), p.GetState()) + p.EnterRule(localctx, 6, EqlParserRULE_variable) + + defer func() { + p.ExitRule() + }() + + defer func() { + if err := recover(); err != nil { + if v, ok := err.(antlr.RecognitionException); ok { + localctx.SetException(v) + p.GetErrorHandler().ReportError(p, v) + p.GetErrorHandler().Recover(p, v) + } else { + panic(err) + } + } + }() + + p.SetState(35) + p.GetErrorHandler().Sync(p) + + switch p.GetTokenStream().LA(1) { + case EqlParserNAME: + p.EnterOuterAlt(localctx, 1) + { + p.SetState(32) + p.Match(EqlParserNAME) + } + + case EqlParserVNAME: + p.EnterOuterAlt(localctx, 2) + { + p.SetState(33) + p.Match(EqlParserVNAME) + } + + case EqlParserTRUE, EqlParserFALSE, EqlParserFLOAT, EqlParserNUMBER, EqlParserSTEXT, EqlParserDTEXT: + p.EnterOuterAlt(localctx, 3) + { + p.SetState(34) + p.Constant() + } + + default: + panic(antlr.NewNoViableAltException(p, nil, nil, nil, nil, nil)) + } + + return localctx +} + +// IVariableExpContext is an interface to support dynamic dispatch. +type IVariableExpContext interface { + antlr.ParserRuleContext + + // GetParser returns the parser. + GetParser() antlr.Parser + + // IsVariableExpContext differentiates from other interfaces. + IsVariableExpContext() +} + +type VariableExpContext struct { + *antlr.BaseParserRuleContext + parser antlr.Parser +} + +func NewEmptyVariableExpContext() *VariableExpContext { + var p = new(VariableExpContext) + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(nil, -1) + p.RuleIndex = EqlParserRULE_variableExp + return p +} + +func (*VariableExpContext) IsVariableExpContext() {} + +func NewVariableExpContext(parser antlr.Parser, parent antlr.ParserRuleContext, invokingState int) *VariableExpContext { + var p = new(VariableExpContext) + + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(parent, invokingState) + + p.parser = parser + p.RuleIndex = EqlParserRULE_variableExp + + return p +} + +func (s *VariableExpContext) GetParser() antlr.Parser { return s.parser } + +func (s *VariableExpContext) AllVariable() []IVariableContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IVariableContext)(nil)).Elem()) + var tst = make([]IVariableContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IVariableContext) + } + } + + return tst +} + +func (s *VariableExpContext) Variable(i int) IVariableContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IVariableContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IVariableContext) +} + +func (s *VariableExpContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *VariableExpContext) ToStringTree(ruleNames []string, recog antlr.Recognizer) string { + return antlr.TreesStringTree(s, ruleNames, recog) +} + +func (s *VariableExpContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterVariableExp(s) + } +} + +func (s *VariableExpContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitVariableExp(s) + } +} + +func (s *VariableExpContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitVariableExp(s) + + default: + return t.VisitChildren(s) + } +} + +func (p *EqlParser) VariableExp() (localctx IVariableExpContext) { + localctx = NewVariableExpContext(p, p.GetParserRuleContext(), p.GetState()) + p.EnterRule(localctx, 8, EqlParserRULE_variableExp) + var _la int + + defer func() { + p.ExitRule() + }() + + defer func() { + if err := recover(); err != nil { + if v, ok := err.(antlr.RecognitionException); ok { + localctx.SetException(v) + p.GetErrorHandler().ReportError(p, v) + p.GetErrorHandler().Recover(p, v) + } else { + panic(err) + } + } + }() + + p.EnterOuterAlt(localctx, 1) + { + p.SetState(37) + p.Variable() + } + p.SetState(42) + p.GetErrorHandler().Sync(p) + _la = p.GetTokenStream().LA(1) + + for _la == EqlParserT__0 { + { + p.SetState(38) + p.Match(EqlParserT__0) + } + { + p.SetState(39) + p.Variable() + } + + p.SetState(44) + p.GetErrorHandler().Sync(p) + _la = p.GetTokenStream().LA(1) + } + + return localctx +} + +// IExpContext is an interface to support dynamic dispatch. +type IExpContext interface { + antlr.ParserRuleContext + + // GetParser returns the parser. + GetParser() antlr.Parser + + // IsExpContext differentiates from other interfaces. + IsExpContext() +} + +type ExpContext struct { + *antlr.BaseParserRuleContext + parser antlr.Parser +} + +func NewEmptyExpContext() *ExpContext { + var p = new(ExpContext) + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(nil, -1) + p.RuleIndex = EqlParserRULE_exp + return p +} + +func (*ExpContext) IsExpContext() {} + +func NewExpContext(parser antlr.Parser, parent antlr.ParserRuleContext, invokingState int) *ExpContext { + var p = new(ExpContext) + + p.BaseParserRuleContext = antlr.NewBaseParserRuleContext(parent, invokingState) + + p.parser = parser + p.RuleIndex = EqlParserRULE_exp + + return p +} + +func (s *ExpContext) GetParser() antlr.Parser { return s.parser } + +func (s *ExpContext) CopyFrom(ctx *ExpContext) { + s.BaseParserRuleContext.CopyFrom(ctx.BaseParserRuleContext) +} + +func (s *ExpContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpContext) ToStringTree(ruleNames []string, recog antlr.Recognizer) string { + return antlr.TreesStringTree(s, ruleNames, recog) +} + +type ExpArithmeticNEQContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpArithmeticNEQContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticNEQContext { + var p = new(ExpArithmeticNEQContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArithmeticNEQContext) GetLeft() IExpContext { return s.left } + +func (s *ExpArithmeticNEQContext) GetRight() IExpContext { return s.right } + +func (s *ExpArithmeticNEQContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpArithmeticNEQContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpArithmeticNEQContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArithmeticNEQContext) NEQ() antlr.TerminalNode { + return s.GetToken(EqlParserNEQ, 0) +} + +func (s *ExpArithmeticNEQContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpArithmeticNEQContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpArithmeticNEQContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArithmeticNEQ(s) + } +} + +func (s *ExpArithmeticNEQContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArithmeticNEQ(s) + } +} + +func (s *ExpArithmeticNEQContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArithmeticNEQ(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpArithmeticEQContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpArithmeticEQContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticEQContext { + var p = new(ExpArithmeticEQContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArithmeticEQContext) GetLeft() IExpContext { return s.left } + +func (s *ExpArithmeticEQContext) GetRight() IExpContext { return s.right } + +func (s *ExpArithmeticEQContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpArithmeticEQContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpArithmeticEQContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArithmeticEQContext) EQ() antlr.TerminalNode { + return s.GetToken(EqlParserEQ, 0) +} + +func (s *ExpArithmeticEQContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpArithmeticEQContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpArithmeticEQContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArithmeticEQ(s) + } +} + +func (s *ExpArithmeticEQContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArithmeticEQ(s) + } +} + +func (s *ExpArithmeticEQContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArithmeticEQ(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpArithmeticGTEContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpArithmeticGTEContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticGTEContext { + var p = new(ExpArithmeticGTEContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArithmeticGTEContext) GetLeft() IExpContext { return s.left } + +func (s *ExpArithmeticGTEContext) GetRight() IExpContext { return s.right } + +func (s *ExpArithmeticGTEContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpArithmeticGTEContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpArithmeticGTEContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArithmeticGTEContext) GTE() antlr.TerminalNode { + return s.GetToken(EqlParserGTE, 0) +} + +func (s *ExpArithmeticGTEContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpArithmeticGTEContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpArithmeticGTEContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArithmeticGTE(s) + } +} + +func (s *ExpArithmeticGTEContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArithmeticGTE(s) + } +} + +func (s *ExpArithmeticGTEContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArithmeticGTE(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpArithmeticLTEContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpArithmeticLTEContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticLTEContext { + var p = new(ExpArithmeticLTEContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArithmeticLTEContext) GetLeft() IExpContext { return s.left } + +func (s *ExpArithmeticLTEContext) GetRight() IExpContext { return s.right } + +func (s *ExpArithmeticLTEContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpArithmeticLTEContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpArithmeticLTEContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArithmeticLTEContext) LTE() antlr.TerminalNode { + return s.GetToken(EqlParserLTE, 0) +} + +func (s *ExpArithmeticLTEContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpArithmeticLTEContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpArithmeticLTEContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArithmeticLTE(s) + } +} + +func (s *ExpArithmeticLTEContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArithmeticLTE(s) + } +} + +func (s *ExpArithmeticLTEContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArithmeticLTE(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpArithmeticGTContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpArithmeticGTContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticGTContext { + var p = new(ExpArithmeticGTContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArithmeticGTContext) GetLeft() IExpContext { return s.left } + +func (s *ExpArithmeticGTContext) GetRight() IExpContext { return s.right } + +func (s *ExpArithmeticGTContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpArithmeticGTContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpArithmeticGTContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArithmeticGTContext) GT() antlr.TerminalNode { + return s.GetToken(EqlParserGT, 0) +} + +func (s *ExpArithmeticGTContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpArithmeticGTContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpArithmeticGTContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArithmeticGT(s) + } +} + +func (s *ExpArithmeticGTContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArithmeticGT(s) + } +} + +func (s *ExpArithmeticGTContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArithmeticGT(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpArithmeticMulDivModContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpArithmeticMulDivModContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticMulDivModContext { + var p = new(ExpArithmeticMulDivModContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArithmeticMulDivModContext) GetLeft() IExpContext { return s.left } + +func (s *ExpArithmeticMulDivModContext) GetRight() IExpContext { return s.right } + +func (s *ExpArithmeticMulDivModContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpArithmeticMulDivModContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpArithmeticMulDivModContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArithmeticMulDivModContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpArithmeticMulDivModContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpArithmeticMulDivModContext) MUL() antlr.TerminalNode { + return s.GetToken(EqlParserMUL, 0) +} + +func (s *ExpArithmeticMulDivModContext) DIV() antlr.TerminalNode { + return s.GetToken(EqlParserDIV, 0) +} + +func (s *ExpArithmeticMulDivModContext) MOD() antlr.TerminalNode { + return s.GetToken(EqlParserMOD, 0) +} + +func (s *ExpArithmeticMulDivModContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArithmeticMulDivMod(s) + } +} + +func (s *ExpArithmeticMulDivModContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArithmeticMulDivMod(s) + } +} + +func (s *ExpArithmeticMulDivModContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArithmeticMulDivMod(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpDictContext struct { + *ExpContext +} + +func NewExpDictContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpDictContext { + var p = new(ExpDictContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpDictContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpDictContext) LDICT() antlr.TerminalNode { + return s.GetToken(EqlParserLDICT, 0) +} + +func (s *ExpDictContext) RDICT() antlr.TerminalNode { + return s.GetToken(EqlParserRDICT, 0) +} + +func (s *ExpDictContext) Dict() IDictContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IDictContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IDictContext) +} + +func (s *ExpDictContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpDict(s) + } +} + +func (s *ExpDictContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpDict(s) + } +} + +func (s *ExpDictContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpDict(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpTextContext struct { + *ExpContext +} + +func NewExpTextContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpTextContext { + var p = new(ExpTextContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpTextContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpTextContext) STEXT() antlr.TerminalNode { + return s.GetToken(EqlParserSTEXT, 0) +} + +func (s *ExpTextContext) DTEXT() antlr.TerminalNode { + return s.GetToken(EqlParserDTEXT, 0) +} + +func (s *ExpTextContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpText(s) + } +} + +func (s *ExpTextContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpText(s) + } +} + +func (s *ExpTextContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpText(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpNumberContext struct { + *ExpContext +} + +func NewExpNumberContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpNumberContext { + var p = new(ExpNumberContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpNumberContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpNumberContext) NUMBER() antlr.TerminalNode { + return s.GetToken(EqlParserNUMBER, 0) +} + +func (s *ExpNumberContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpNumber(s) + } +} + +func (s *ExpNumberContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpNumber(s) + } +} + +func (s *ExpNumberContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpNumber(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpLogicalAndContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpLogicalAndContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpLogicalAndContext { + var p = new(ExpLogicalAndContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpLogicalAndContext) GetLeft() IExpContext { return s.left } + +func (s *ExpLogicalAndContext) GetRight() IExpContext { return s.right } + +func (s *ExpLogicalAndContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpLogicalAndContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpLogicalAndContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpLogicalAndContext) AND() antlr.TerminalNode { + return s.GetToken(EqlParserAND, 0) +} + +func (s *ExpLogicalAndContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpLogicalAndContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpLogicalAndContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpLogicalAnd(s) + } +} + +func (s *ExpLogicalAndContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpLogicalAnd(s) + } +} + +func (s *ExpLogicalAndContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpLogicalAnd(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpLogicalORContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpLogicalORContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpLogicalORContext { + var p = new(ExpLogicalORContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpLogicalORContext) GetLeft() IExpContext { return s.left } + +func (s *ExpLogicalORContext) GetRight() IExpContext { return s.right } + +func (s *ExpLogicalORContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpLogicalORContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpLogicalORContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpLogicalORContext) OR() antlr.TerminalNode { + return s.GetToken(EqlParserOR, 0) +} + +func (s *ExpLogicalORContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpLogicalORContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpLogicalORContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpLogicalOR(s) + } +} + +func (s *ExpLogicalORContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpLogicalOR(s) + } +} + +func (s *ExpLogicalORContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpLogicalOR(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpFloatContext struct { + *ExpContext +} + +func NewExpFloatContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpFloatContext { + var p = new(ExpFloatContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpFloatContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpFloatContext) FLOAT() antlr.TerminalNode { + return s.GetToken(EqlParserFLOAT, 0) +} + +func (s *ExpFloatContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpFloat(s) + } +} + +func (s *ExpFloatContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpFloat(s) + } +} + +func (s *ExpFloatContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpFloat(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpVariableContext struct { + *ExpContext +} + +func NewExpVariableContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpVariableContext { + var p = new(ExpVariableContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpVariableContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpVariableContext) BEGIN_VARIABLE() antlr.TerminalNode { + return s.GetToken(EqlParserBEGIN_VARIABLE, 0) +} + +func (s *ExpVariableContext) VariableExp() IVariableExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IVariableExpContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IVariableExpContext) +} + +func (s *ExpVariableContext) RDICT() antlr.TerminalNode { + return s.GetToken(EqlParserRDICT, 0) +} + +func (s *ExpVariableContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpVariable(s) + } +} + +func (s *ExpVariableContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpVariable(s) + } +} + +func (s *ExpVariableContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpVariable(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpArrayContext struct { + *ExpContext +} + +func NewExpArrayContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArrayContext { + var p = new(ExpArrayContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArrayContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArrayContext) LARR() antlr.TerminalNode { + return s.GetToken(EqlParserLARR, 0) +} + +func (s *ExpArrayContext) RARR() antlr.TerminalNode { + return s.GetToken(EqlParserRARR, 0) +} + +func (s *ExpArrayContext) Array() IArrayContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IArrayContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IArrayContext) +} + +func (s *ExpArrayContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArray(s) + } +} + +func (s *ExpArrayContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArray(s) + } +} + +func (s *ExpArrayContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArray(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpNotContext struct { + *ExpContext +} + +func NewExpNotContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpNotContext { + var p = new(ExpNotContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpNotContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpNotContext) NOT() antlr.TerminalNode { + return s.GetToken(EqlParserNOT, 0) +} + +func (s *ExpNotContext) Exp() IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpNotContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpNot(s) + } +} + +func (s *ExpNotContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpNot(s) + } +} + +func (s *ExpNotContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpNot(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpInParenContext struct { + *ExpContext +} + +func NewExpInParenContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpInParenContext { + var p = new(ExpInParenContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpInParenContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpInParenContext) LPAR() antlr.TerminalNode { + return s.GetToken(EqlParserLPAR, 0) +} + +func (s *ExpInParenContext) Exp() IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpInParenContext) RPAR() antlr.TerminalNode { + return s.GetToken(EqlParserRPAR, 0) +} + +func (s *ExpInParenContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpInParen(s) + } +} + +func (s *ExpInParenContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpInParen(s) + } +} + +func (s *ExpInParenContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpInParen(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpBooleanContext struct { + *ExpContext +} + +func NewExpBooleanContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpBooleanContext { + var p = new(ExpBooleanContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpBooleanContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpBooleanContext) Boolean() IBooleanContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IBooleanContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IBooleanContext) +} + +func (s *ExpBooleanContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpBoolean(s) + } +} + +func (s *ExpBooleanContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpBoolean(s) + } +} + +func (s *ExpBooleanContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpBoolean(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpArithmeticAddSubContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpArithmeticAddSubContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticAddSubContext { + var p = new(ExpArithmeticAddSubContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArithmeticAddSubContext) GetLeft() IExpContext { return s.left } + +func (s *ExpArithmeticAddSubContext) GetRight() IExpContext { return s.right } + +func (s *ExpArithmeticAddSubContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpArithmeticAddSubContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpArithmeticAddSubContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArithmeticAddSubContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpArithmeticAddSubContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpArithmeticAddSubContext) ADD() antlr.TerminalNode { + return s.GetToken(EqlParserADD, 0) +} + +func (s *ExpArithmeticAddSubContext) SUB() antlr.TerminalNode { + return s.GetToken(EqlParserSUB, 0) +} + +func (s *ExpArithmeticAddSubContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArithmeticAddSub(s) + } +} + +func (s *ExpArithmeticAddSubContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArithmeticAddSub(s) + } +} + +func (s *ExpArithmeticAddSubContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArithmeticAddSub(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpFunctionContext struct { + *ExpContext +} + +func NewExpFunctionContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpFunctionContext { + var p = new(ExpFunctionContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpFunctionContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpFunctionContext) NAME() antlr.TerminalNode { + return s.GetToken(EqlParserNAME, 0) +} + +func (s *ExpFunctionContext) LPAR() antlr.TerminalNode { + return s.GetToken(EqlParserLPAR, 0) +} + +func (s *ExpFunctionContext) RPAR() antlr.TerminalNode { + return s.GetToken(EqlParserRPAR, 0) +} + +func (s *ExpFunctionContext) Arguments() IArgumentsContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IArgumentsContext)(nil)).Elem(), 0) + + if t == nil { + return nil + } + + return t.(IArgumentsContext) +} + +func (s *ExpFunctionContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpFunction(s) + } +} + +func (s *ExpFunctionContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpFunction(s) + } +} + +func (s *ExpFunctionContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpFunction(s) + + default: + return t.VisitChildren(s) + } +} + +type ExpArithmeticLTContext struct { + *ExpContext + left IExpContext + right IExpContext +} + +func NewExpArithmeticLTContext(parser antlr.Parser, ctx antlr.ParserRuleContext) *ExpArithmeticLTContext { + var p = new(ExpArithmeticLTContext) + + p.ExpContext = NewEmptyExpContext() + p.parser = parser + p.CopyFrom(ctx.(*ExpContext)) + + return p +} + +func (s *ExpArithmeticLTContext) GetLeft() IExpContext { return s.left } + +func (s *ExpArithmeticLTContext) GetRight() IExpContext { return s.right } + +func (s *ExpArithmeticLTContext) SetLeft(v IExpContext) { s.left = v } + +func (s *ExpArithmeticLTContext) SetRight(v IExpContext) { s.right = v } + +func (s *ExpArithmeticLTContext) GetRuleContext() antlr.RuleContext { + return s +} + +func (s *ExpArithmeticLTContext) LT() antlr.TerminalNode { + return s.GetToken(EqlParserLT, 0) +} + +func (s *ExpArithmeticLTContext) AllExp() []IExpContext { + var ts = s.GetTypedRuleContexts(reflect.TypeOf((*IExpContext)(nil)).Elem()) + var tst = make([]IExpContext, len(ts)) + + for i, t := range ts { + if t != nil { + tst[i] = t.(IExpContext) + } + } + + return tst +} + +func (s *ExpArithmeticLTContext) Exp(i int) IExpContext { + var t = s.GetTypedRuleContext(reflect.TypeOf((*IExpContext)(nil)).Elem(), i) + + if t == nil { + return nil + } + + return t.(IExpContext) +} + +func (s *ExpArithmeticLTContext) EnterRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.EnterExpArithmeticLT(s) + } +} + +func (s *ExpArithmeticLTContext) ExitRule(listener antlr.ParseTreeListener) { + if listenerT, ok := listener.(EqlListener); ok { + listenerT.ExitExpArithmeticLT(s) + } +} + +func (s *ExpArithmeticLTContext) Accept(visitor antlr.ParseTreeVisitor) interface{} { + switch t := visitor.(type) { + case EqlVisitor: + return t.VisitExpArithmeticLT(s) + + default: + return t.VisitChildren(s) + } +} + +func (p *EqlParser) Exp() (localctx IExpContext) { + return p.exp(0) +} + +func (p *EqlParser) exp(_p int) (localctx IExpContext) { + var _parentctx antlr.ParserRuleContext = p.GetParserRuleContext() + _parentState := p.GetState() + localctx = NewExpContext(p, p.GetParserRuleContext(), _parentState) + var _prevctx IExpContext = localctx + var _ antlr.ParserRuleContext = _prevctx // TODO: To prevent unused variable warning. + _startState := 10 + p.EnterRecursionRule(localctx, 10, EqlParserRULE_exp, _p) + var _la int + + defer func() { + p.UnrollRecursionContexts(_parentctx) + }() + + defer func() { + if err := recover(); err != nil { + if v, ok := err.(antlr.RecognitionException); ok { + localctx.SetException(v) + p.GetErrorHandler().ReportError(p, v) + p.GetErrorHandler().Recover(p, v) + } else { + panic(err) + } + } + }() + + var _alt int + + p.EnterOuterAlt(localctx, 1) + p.SetState(76) + p.GetErrorHandler().Sync(p) + + switch p.GetTokenStream().LA(1) { + case EqlParserLPAR: + localctx = NewExpInParenContext(p, localctx) + p.SetParserRuleContext(localctx) + _prevctx = localctx + + { + p.SetState(46) + p.Match(EqlParserLPAR) + } + { + p.SetState(47) + p.exp(0) + } + { + p.SetState(48) + p.Match(EqlParserRPAR) + } + + case EqlParserNOT: + localctx = NewExpNotContext(p, localctx) + p.SetParserRuleContext(localctx) + _prevctx = localctx + { + p.SetState(50) + p.Match(EqlParserNOT) + } + { + p.SetState(51) + p.exp(17) + } + + case EqlParserTRUE, EqlParserFALSE: + localctx = NewExpBooleanContext(p, localctx) + p.SetParserRuleContext(localctx) + _prevctx = localctx + { + p.SetState(52) + p.Boolean() + } + + case EqlParserBEGIN_VARIABLE: + localctx = NewExpVariableContext(p, localctx) + p.SetParserRuleContext(localctx) + _prevctx = localctx + { + p.SetState(53) + p.Match(EqlParserBEGIN_VARIABLE) + } + { + p.SetState(54) + p.VariableExp() + } + { + p.SetState(55) + p.Match(EqlParserRDICT) + } + + case EqlParserNAME: + localctx = NewExpFunctionContext(p, localctx) + p.SetParserRuleContext(localctx) + _prevctx = localctx + { + p.SetState(57) + p.Match(EqlParserNAME) + } + { + p.SetState(58) + p.Match(EqlParserLPAR) + } + p.SetState(60) + p.GetErrorHandler().Sync(p) + _la = p.GetTokenStream().LA(1) + + if ((_la-17)&-(0x1f+1)) == 0 && ((1< 0 and length(${inputs}) > 0 and hasKey(${output}, 'elasticsearch') diff --git a/x-pack/elastic-agent/spec/filebeat.yml b/x-pack/elastic-agent/spec/filebeat.yml index f9dc8bb4507..1b184b10098 100644 --- a/x-pack/elastic-agent/spec/filebeat.yml +++ b/x-pack/elastic-agent/spec/filebeat.yml @@ -49,31 +49,37 @@ rules: - remove_key: key: use_output - remove_key: - key: dataset + key: data_stream - remove_key: - key: dataset.namespace + key: data_stream.namespace - remove_key: - key: dataset.name + key: data_stream.dataset - filter_values: selector: inputs key: type values: - - log - - stdin - - udp - - tcp + - awscloudwatch + - azure-eventhub + - cloudfoundry + - container - docker - - redis - - syslog - - s3 - - netflow + - google-pubsub + - http_endpoint - httpjson - - o365audit - - azureeventhub - - cloudfoundry - - googlepubsub - kafka + - log + - mqtt + - netflow + - o365audit + - redis + - s3 + - stdin + - syslog + - tcp + - udp + - unix + - winlog - filter_values: selector: inputs @@ -90,5 +96,5 @@ rules: - filebeat - output - keystore -when: HasItems(%{[filebeat.inputs]}) && HasNamespace('output', 'elasticsearch', 'redis', +when: length(${filebeat.inputs}) > 0 and hasKey(${output}, 'elasticsearch', 'redis', 'kafka', 'logstash') diff --git a/x-pack/elastic-agent/spec/heartbeat.yml b/x-pack/elastic-agent/spec/heartbeat.yml new file mode 100644 index 00000000000..399fd7d0885 --- /dev/null +++ b/x-pack/elastic-agent/spec/heartbeat.yml @@ -0,0 +1,22 @@ +name: Heartbeat +cmd: heartbeat +args: ["-E", "setup.ilm.enabled=false", "-E", "setup.template.enabled=false", "-E", "management.mode=x-pack-fleet", "-E", "management.enabled=true", "-E", "logging.level=debug"] +artifact: beats/heartbeat +rules: + - fix_stream: {} + - filter_values_with_regexp: + key: type + re: ^synthetics/.+ + selector: inputs + - filter_values: + selector: inputs + key: enabled + values: + - true + - filter: + selectors: + - inputs + - output + - keystore +when: length(${inputs}) > 0 and hasKey(${output}, 'elasticsearch', 'redis', + 'kafka', 'logstash') diff --git a/x-pack/elastic-agent/spec/heartbeat.yml.disabled b/x-pack/elastic-agent/spec/heartbeat.yml.disabled deleted file mode 100644 index 14aaa1d3da4..00000000000 --- a/x-pack/elastic-agent/spec/heartbeat.yml.disabled +++ /dev/null @@ -1,27 +0,0 @@ -name: Heartbeat -cmd: heartbeat -rules: -- filter_values_with_regexp: - key: type - re: ^monitor/.+ - selector: streams -- map: - path: streams - rules: - - translate_with_regexp: - path: type - re: ^monitor/(?P.+) - with: $type -- copy: - from: streams - to: heartbeat -- rename: - from: heartbeat.streams - to: monitors -- filter: - selectors: - - heartbeat - - output - - keystore -when: HasItems(%{[heartbeat.monitors]}) && HasNamespace('output', 'elasticsearch', - 'redis', 'kafka', 'logstash') diff --git a/x-pack/elastic-agent/spec/metricbeat.yml b/x-pack/elastic-agent/spec/metricbeat.yml index fcc8428517a..94b69e9a2f3 100644 --- a/x-pack/elastic-agent/spec/metricbeat.yml +++ b/x-pack/elastic-agent/spec/metricbeat.yml @@ -65,11 +65,11 @@ rules: - remove_key: key: enabled - remove_key: - key: dataset + key: data_stream - remove_key: - key: dataset.name + key: data_stream.dataset - remove_key: - key: dataset.namespace + key: data_stream.namespace - remove_key: key: use_output @@ -87,5 +87,5 @@ rules: - output - keystore -when: HasItems(%{[metricbeat.modules]}) && HasNamespace('output', 'elasticsearch', +when: length(${metricbeat.modules}) > 0 and hasKey(${output}, 'elasticsearch', 'redis', 'kafka', 'logstash') diff --git a/x-pack/filebeat/Jenkinsfile.yml b/x-pack/filebeat/Jenkinsfile.yml new file mode 100644 index 00000000000..d3d5e6d862e --- /dev/null +++ b/x-pack/filebeat/Jenkinsfile.yml @@ -0,0 +1,33 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^x-pack/filebeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@xpack" ## special token regarding the changeset for the xpack + comments: ## when PR comment contains any of those entries + - "/test x-pack/filebeat" + labels: ## when PR labels matches any of those entries + - "x-pack-filebeat" + parameters: ## when parameter was selected in the UI. + - "x-pack-filebeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage build test" + withModule: true ## run the ITs only if the changeset affects a specific module. + macos: + mage: "mage build unitTest" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test x-pack/filebeat for macos" + labels: + - "macOS" + parameters: + - "macosTest" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/x-pack/filebeat/conftest.py b/x-pack/filebeat/conftest.py new file mode 100644 index 00000000000..4592085fbd9 --- /dev/null +++ b/x-pack/filebeat/conftest.py @@ -0,0 +1,6 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../../libbeat/tests/system')) +sys.path.append(os.path.join(os.path.dirname(__file__), '../../filebeat/tests/system')) +sys.path.append(os.path.join(os.path.dirname(__file__), './tests/system')) diff --git a/x-pack/filebeat/docker-compose.yml b/x-pack/filebeat/docker-compose.yml index af81ccb13fb..0c0b477a611 100644 --- a/x-pack/filebeat/docker-compose.yml +++ b/x-pack/filebeat/docker-compose.yml @@ -26,6 +26,4 @@ services: extends: file: ${ES_BEATS}/testing/environments/${STACK_ENVIRONMENT}.yml service: elasticsearch - environment: - script.cache.max_size: "500" diff --git a/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc b/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc index 023ed4d9fb5..8891e38fcc4 100644 --- a/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc +++ b/x-pack/filebeat/docs/inputs/input-aws-s3.asciidoc @@ -5,7 +5,7 @@ :type: s3 [id="{beatname_lc}-input-{type}"] -=== s3 input +=== S3 input ++++ S3 @@ -67,6 +67,31 @@ type will not be checked. If a file has "application/json" content-type, `expand_event_list_from_field` becomes required to read the json file. +[float] +==== `file_selectors` + +If the SQS queue will have events that correspond to files that +{beatname_uc} shouldn't process `file_selectors` can be used to limit +the files that are downloaded. This is a list of selectors which are +made up of `regex` and `expand_event_list_from_field` options. The +`regex` should match the S3 object key in the SQS message, and the +optional `expand_event_list_from_field` is the same as the global +setting. If `file_selectors` is given, then any global +`expand_event_list_from_field` value is ignored in favor of the ones +specified in the `file_selectors`. Regex syntax is the same as the Go +language. Files that don't match one of the regexes won't be +processed. + +["source", "yml"] +---- +file_selectors: + - regex: '^AWSLogs/\d+/CloudTrail/' + expand_event_list_from_field: 'Records' + - regex: '^AWSLogs/\d+/CloudTrail-Digest' +``` +---- + + [float] ==== `api_timeout` diff --git a/x-pack/filebeat/docs/inputs/input-awscloudwatch.asciidoc b/x-pack/filebeat/docs/inputs/input-awscloudwatch.asciidoc index 76f80963d5a..415721b54f0 100644 --- a/x-pack/filebeat/docs/inputs/input-awscloudwatch.asciidoc +++ b/x-pack/filebeat/docs/inputs/input-awscloudwatch.asciidoc @@ -5,10 +5,10 @@ :type: awscloudwatch [id="{beatname_lc}-input-{type}"] -=== awscloudwatch input +=== AWS CloudWatch input ++++ -awscloudwatch +AWS CloudWatch ++++ beta[] @@ -113,7 +113,4 @@ logs:FilterLogEvents [id="{beatname_lc}-input-{type}-common-options"] include::../../../../filebeat/docs/inputs/input-common-options.asciidoc[] -[id="aws-credentials-config"] -include::{libbeat-xpack-dir}/docs/aws-credentials-config.asciidoc[] - :type!: diff --git a/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc b/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc index 2a949b01d26..fa81dc8726f 100644 --- a/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc +++ b/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc @@ -41,6 +41,17 @@ Custom response example: prefix: "json" ---- +Disable Content-Type checks +["source","yaml",subs="attributes"] +---- +{beatname_lc}.inputs: +- type: http_endpoint + enabled: true + listen_address: 192.168.1.1 + content_type: "" + prefix: "json" +---- + Basic auth and SSL example: ["source","yaml",subs="attributes"] ---- @@ -59,6 +70,18 @@ Basic auth and SSL example: password: somepassword ---- +Authentication or checking that a specific header includes a specific value +["source","yaml",subs="attributes"] +---- +{beatname_lc}.inputs: +- type: http_endpoint + enabled: true + listen_address: 192.168.1.1 + listen_port: 8080 + secret.header: someheadername + secret.value: secretheadertoken +---- + ==== Configuration options @@ -80,6 +103,22 @@ If `basic_auth` is enabled, this is the username used for authentication against If `basic_auth` is eanbled, this is the password used for authentication against the HTTP listener. Requires `username` to also be set. +[float] +==== `secret.header` + +The header to check for a specific value specified by `secret.value`. Certain webhooks provide the possibility to include a special header and secret to identify the source. + +[float] +==== `secret.value` + +The secret stored in the header name specified by `secret.header`. Certain webhooks provide the possibility to include a special header and secret to identify the source. + +[float] +==== `content_type` + +By default the input expects the incoming POST to include a Content-Type of `application/json` to try to enforce the incoming data to be valid JSON. +In certain scenarios when the source of the request is not able to do that, it can be overwritten with another value or set to null + [float] ==== `response_code` diff --git a/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc b/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc index cca6ed138a4..080bd8aa657 100644 --- a/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc +++ b/x-pack/filebeat/docs/inputs/input-o365audit.asciidoc @@ -38,6 +38,7 @@ Example configuration: Multi-tenancy and certificate-based authentication is also supported: +["source","yaml",subs="attributes"] ---- {beatname_lc}.inputs: - type: o365audit diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 853eec3f827..9797291bdf4 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -102,6 +102,18 @@ filebeat.modules: # AWS SQS queue url #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + # Process CloudTrail logs + # default is true, set to false to skip Cloudtrail logs + # var.process_cloudtrail_logs: false + + # Process CloudTrail Digest logs + # default true, set to false to skip CloudTrail Digest logs + # var.process_digest_logs: false + + # Process CloudTrail Insight logs + # default true, set to false to skip CloudTrail Insight logs + # var.process_insight_logs: false + # Filename of AWS credential file # If not set "$HOME/.aws/credentials" is used on Linux/Mac # "%UserProfile%\.aws\credentials" is used on Windows @@ -355,6 +367,25 @@ filebeat.modules: # "+02:00" for GMT+02:00 # var.tz_offset: local + spamfirewall: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9524 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #-------------------------- Blue Coat Director Module -------------------------- - module: bluecoat director: @@ -473,15 +504,34 @@ filebeat.modules: # "+02:00" for GMT+02:00 # var.tz_offset: local -#---------------------------- Citrix XenApp Module ---------------------------- + meraki: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9525 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + +#--------------------------- Citrix NetScaler Module --------------------------- - module: citrix - virtualapps: + netscaler: enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp # var.syslog_host: localhost - # var.syslog_port: 9507 + # var.syslog_port: 9526 # Set paths for the log files when file input is used. # var.paths: @@ -514,6 +564,27 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#------------------------------ Cyber-Ark Module ------------------------------ +- module: cyberark + corepas: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9527 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #---------------------------- CylanceProtect Module ---------------------------- - module: cylance protect: @@ -600,13 +671,13 @@ filebeat.modules: # "+02:00" for GMT+02:00 # var.tz_offset: local - firepass: + bigipafm: enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp # var.syslog_host: localhost - # var.syslog_port: 9509 + # var.syslog_port: 9528 # Set paths for the log files when file input is used. # var.paths: @@ -653,6 +724,44 @@ filebeat.modules: # "+02:00" for GMT+02:00 # var.tz_offset: local + fortimail: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9529 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + + fortimanager: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9530 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #----------------------------- Google Cloud Module ----------------------------- - module: googlecloud vpcflow: @@ -711,11 +820,54 @@ filebeat.modules: #-------------------------------- Gsuite Module -------------------------------- - module: gsuite - # All logs saml: enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h user_accounts: enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + login: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + admin: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + drive: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + groups: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h #------------------------------- HAProxy Module ------------------------------- - module: haproxy @@ -879,29 +1031,13 @@ filebeat.modules: # "+02:00" for GMT+02:00 # var.tz_offset: local -#-------------------------------- Kafka Module -------------------------------- -- module: kafka - # All logs - log: - enabled: true - - # Set custom paths for Kafka. If left empty, - # Filebeat will look under /opt. - #var.kafka_home: - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: - -#------------------------- Kaspersky Anti-Virus Module ------------------------- -- module: kaspersky - av: + netscreen: enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp # var.syslog_host: localhost - # var.syslog_port: 9514 + # var.syslog_port: 9523 # Set paths for the log files when file input is used. # var.paths: @@ -914,6 +1050,20 @@ filebeat.modules: # "+02:00" for GMT+02:00 # var.tz_offset: local +#-------------------------------- Kafka Module -------------------------------- +- module: kafka + # All logs + log: + enabled: true + + # Set custom paths for Kafka. If left empty, + # Filebeat will look under /opt. + #var.kafka_home: + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + #-------------------------------- Kibana Module -------------------------------- - module: kibana # All logs @@ -942,8 +1092,22 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: -#---------------------------- Microsoft DHCP Module ---------------------------- +#------------------------------ Microsoft Module ------------------------------ - module: microsoft + # ATP configuration + defender_atp: + enabled: true + # How often the API should be polled + #var.interval: 5m + + # Oauth Client ID + #var.oauth2.client.id: "" + + # Oauth Client Secret + #var.oauth2.client.secret: "" + + # Oauth Token URL, should include the tenant ID + #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" dhcp: enabled: true @@ -1201,25 +1365,15 @@ filebeat.modules: # can be added under this section. #input: -#------------------------------- RabbitMQ Module ------------------------------- -- module: rabbitmq - # All logs - log: - enabled: true - - # Set custom paths for the log files. If left empty, - # Filebeat will choose the paths depending on your OS. - #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"] - -#-------------------------- Radware DefensePro Module -------------------------- -- module: radware - defensepro: +#---------------------- Proofpoint Email Security Module ---------------------- +- module: proofpoint + emailsecurity: enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp # var.syslog_host: localhost - # var.syslog_port: 9518 + # var.syslog_port: 9531 # Set paths for the log files when file input is used. # var.paths: @@ -1232,15 +1386,25 @@ filebeat.modules: # "+02:00" for GMT+02:00 # var.tz_offset: local -#---------------------------- Rapid7 NeXpose Module ---------------------------- -- module: rapid7 - nexpose: +#------------------------------- RabbitMQ Module ------------------------------- +- module: rabbitmq + # All logs + log: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"] + +#-------------------------- Radware DefensePro Module -------------------------- +- module: radware + defensepro: enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp # var.syslog_host: localhost - # var.syslog_port: 9517 + # var.syslog_port: 9518 # Set paths for the log files when file input is used. # var.paths: @@ -1281,6 +1445,27 @@ filebeat.modules: # Filebeat will choose the the default path. #var.paths: +#--------------------------- Snort/Sourcefire Module --------------------------- +- module: snort + log: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9532 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #----------------------------- Sonicwall-FW Module ----------------------------- - module: sonicwall firewall: @@ -1302,6 +1487,51 @@ filebeat.modules: # "+02:00" for GMT+02:00 # var.tz_offset: local +#-------------------------------- Sophos Module -------------------------------- +- module: sophos + xg: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9004. + #var.syslog_port: 9005 + + # firewall default hostname + #var.default_host_name: firewall.localgroup.local + + # known firewalls + #var.known_devices: + #- serial_number: "1234567890123457" + # hostname: "a.host.local" + #- serial_number: "1234234590678557" + # hostname: "b.host.local" + + + utm: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9533 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + #-------------------------------- Squid Module -------------------------------- - module: squid log: @@ -1333,15 +1563,15 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: -#------------------- Tenable Network Security Nessus Module ------------------- -- module: tenable - nessus_security: +#---------------- Symantec AntiVirus/Endpoint Protection Module ---------------- +- module: symantec + endpointprotection: enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp # var.syslog_host: localhost - # var.syslog_port: 9516 + # var.syslog_port: 9534 # Set paths for the log files when file input is used. # var.paths: @@ -1470,6 +1700,27 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#--------------------------------- Zoom Module --------------------------------- +- module: zoom + webhook: + enabled: true + + # The type of input to use + #var.input: http_endpoint + + # The interface to listen for incoming HTTP requests. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.listen_address: localhost + + # The port to bind to + #var.listen_port: 80 + + # The header Zoom uses to send its secret token, defaults to "Authorization" + #secret.header: Authorization + + # The secret token value created by Zoom + #secret.value: ZOOMTOKEN + #----------------------------- Zscaler NSS Module ----------------------------- - module: zscaler zia: @@ -1545,6 +1796,10 @@ filebeat.inputs: # are matching any regular expression from the list. By default, no files are dropped. #exclude_files: ['.gz$'] + # Method to determine if two files are the same or not. By default + # the Beat considers two files the same if their inode and device id are the same. + #file_identity.native: ~ + # Optional additional fields. These fields can be freely picked # to add additional information to the crawled log files for filtering #fields: @@ -2395,10 +2650,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 @@ -2511,20 +2774,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -2534,7 +2804,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -2697,30 +2967,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -2733,6 +3010,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -2840,42 +3123,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. @@ -3008,6 +3305,11 @@ output.elasticsearch: # Set to false to disable template loading. #setup.template.enabled: true +# Select the kind of index template. From Elasticsearch 7.8, it is possible to +# use component templates. Available options: legacy, component, index. +# By default filebeat uses the legacy index templates. +#setup.template.type: legacy + # Template name. By default the template name is "filebeat-%{[agent.version]}" # The template name and pattern has to be set in case the Elasticsearch index pattern is modified. #setup.template.name: "filebeat-%{[agent.version]}" @@ -3111,20 +3413,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -3143,6 +3456,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog @@ -3293,17 +3617,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -3326,6 +3657,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 1e2831bb599..fe3dd04ad7d 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -11,8 +11,6 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/input/awscloudwatch" _ "github.com/elastic/beats/v7/x-pack/filebeat/input/azureeventhub" _ "github.com/elastic/beats/v7/x-pack/filebeat/input/googlepubsub" - _ "github.com/elastic/beats/v7/x-pack/filebeat/input/http_endpoint" - _ "github.com/elastic/beats/v7/x-pack/filebeat/input/httpjson" _ "github.com/elastic/beats/v7/x-pack/filebeat/input/netflow" _ "github.com/elastic/beats/v7/x-pack/filebeat/input/s3" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/activemq" @@ -26,6 +24,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/citrix" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/coredns" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/crowdstrike" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cyberark" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/cylance" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/envoyproxy" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/f5" @@ -37,7 +36,6 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/infoblox" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/iptables" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/juniper" - _ "github.com/elastic/beats/v7/x-pack/filebeat/module/kaspersky" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/microsoft" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/misp" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/mssql" @@ -46,15 +44,18 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/o365" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/okta" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/panw" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/proofpoint" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/rabbitmq" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/radware" - _ "github.com/elastic/beats/v7/x-pack/filebeat/module/rapid7" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/snort" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sonicwall" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/sophos" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/squid" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/suricata" - _ "github.com/elastic/beats/v7/x-pack/filebeat/module/tenable" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/symantec" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/tomcat" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zeek" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zoom" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zscaler" _ "github.com/elastic/beats/v7/x-pack/filebeat/processors/decode_cef" ) diff --git a/x-pack/filebeat/input/azureeventhub/config.go b/x-pack/filebeat/input/azureeventhub/config.go index 0521d3a76e6..68ad8d109e0 100644 --- a/x-pack/filebeat/input/azureeventhub/config.go +++ b/x-pack/filebeat/input/azureeventhub/config.go @@ -7,6 +7,7 @@ package azureeventhub import ( "errors" "fmt" + "unicode" ) type azureInputConfig struct { @@ -36,6 +37,32 @@ func (conf *azureInputConfig) Validate() error { } if conf.SAContainer == "" { conf.SAContainer = fmt.Sprintf("%s-%s", ephContainerName, conf.EventHubName) + + } + err := storageContainerValidate(conf.SAContainer) + if err != nil { + return err + } + + return nil +} + +func storageContainerValidate(name string) error { + runes := []rune(name) + length := len(runes) + if length < 3 { + return fmt.Errorf("storage_account_container (%s) must be 3 or more characters", name) + } + if length > 63 { + return fmt.Errorf("storage_account_container (%s) must be less than 63 characters", name) + } + if !unicode.IsLower(runes[0]) && !unicode.IsNumber(runes[0]) { + return fmt.Errorf("storage_account_container (%s) must start with a lowercase letter or number", name) + } + for i := 0; i < length; i++ { + if !unicode.IsLower(runes[i]) && !unicode.IsNumber(runes[i]) && !('-' == runes[i]) { + return fmt.Errorf("rune %d of storage_account_container (%s) is not a lowercase letter, number or dash", i, name) + } } return nil } diff --git a/x-pack/filebeat/input/azureeventhub/config_test.go b/x-pack/filebeat/input/azureeventhub/config_test.go new file mode 100644 index 00000000000..b6f264911d8 --- /dev/null +++ b/x-pack/filebeat/input/azureeventhub/config_test.go @@ -0,0 +1,29 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package azureeventhub + +import ( + "testing" +) + +func TestStorageContainerValidate(t *testing.T) { + var tests = []struct { + input string + errIsNil bool + }{ + {"a-valid-name", true}, + {"a", false}, + {"a-name-that-is-really-too-long-to-be-valid-and-should-never-be-used-no-matter-what", false}, + {"-not-valid", false}, + {"capital-A-not-valid", false}, + {"no_underscores_either", false}, + } + for _, test := range tests { + err := storageContainerValidate(test.input) + if (err == nil) != test.errIsNil { + t.Errorf("storageContainerValidate(%s) = %v", test.input, err) + } + } +} diff --git a/x-pack/filebeat/input/azureeventhub/file_persister_test.go b/x-pack/filebeat/input/azureeventhub/file_persister_test.go index 06f6a308ca8..ed055d75d3c 100644 --- a/x-pack/filebeat/input/azureeventhub/file_persister_test.go +++ b/x-pack/filebeat/input/azureeventhub/file_persister_test.go @@ -22,9 +22,9 @@ func TestFilePersister_Read(t *testing.T) { partitionID := "0" dir := path.Join(os.TempDir(), "read") persister, err := persist.NewFilePersister(dir) - assert.Nil(t, err) + assert.NoError(t, err) ckp, err := persister.Read(namespace, name, consumerGroup, partitionID) - assert.NotNil(t, err) + assert.Error(t, err) assert.Equal(t, persist.NewCheckpointFromStartOfStream(), ckp) } @@ -35,12 +35,12 @@ func TestFilePersister_Write(t *testing.T) { partitionID := "0" dir := path.Join(os.TempDir(), "write") persister, err := persist.NewFilePersister(dir) - assert.Nil(t, err) + assert.NoError(t, err) ckp := persist.NewCheckpoint("120", 22, time.Now()) err = persister.Write(namespace, name, consumerGroup, partitionID, ckp) - assert.Nil(t, err) + assert.NoError(t, err) ckp2, err := persister.Read(namespace, name, consumerGroup, partitionID) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, ckp.Offset, ckp2.Offset) assert.Equal(t, ckp.SequenceNumber, ckp2.SequenceNumber) } diff --git a/x-pack/filebeat/input/default-inputs/inputs.go b/x-pack/filebeat/input/default-inputs/inputs.go index afac3c2e61c..1fe245b80f7 100644 --- a/x-pack/filebeat/input/default-inputs/inputs.go +++ b/x-pack/filebeat/input/default-inputs/inputs.go @@ -11,6 +11,8 @@ import ( "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/x-pack/filebeat/input/cloudfoundry" + "github.com/elastic/beats/v7/x-pack/filebeat/input/http_endpoint" + "github.com/elastic/beats/v7/x-pack/filebeat/input/httpjson" "github.com/elastic/beats/v7/x-pack/filebeat/input/o365audit" ) @@ -23,7 +25,9 @@ func Init(info beat.Info, log *logp.Logger, store beater.StateStore) []v2.Plugin func xpackInputs(info beat.Info, log *logp.Logger, store beater.StateStore) []v2.Plugin { return []v2.Plugin{ - o365audit.Plugin(log, store), cloudfoundry.Plugin(), + http_endpoint.Plugin(), + httpjson.Plugin(), + o365audit.Plugin(log, store), } } diff --git a/x-pack/filebeat/input/http_endpoint/config.go b/x-pack/filebeat/input/http_endpoint/config.go index 0626f5e2afd..242f59b3b6c 100644 --- a/x-pack/filebeat/input/http_endpoint/config.go +++ b/x-pack/filebeat/input/http_endpoint/config.go @@ -23,6 +23,9 @@ type config struct { ListenPort string `config:"listen_port"` URL string `config:"url"` Prefix string `config:"prefix"` + ContentType string `config:"content_type"` + SecretHeader string `config:"secret.header"` + SecretValue string `config:"secret.value"` } func defaultConfig() config { @@ -36,6 +39,9 @@ func defaultConfig() config { ListenPort: "8000", URL: "/", Prefix: "json", + ContentType: "application/json", + SecretHeader: "", + SecretValue: "", } } @@ -44,5 +50,15 @@ func (c *config) Validate() error { return errors.New("response_body must be valid JSON") } + if c.BasicAuth { + if c.Username == "" || c.Password == "" { + return errors.New("Username and password required when basicauth is enabled") + } + } + + if (c.SecretHeader != "" && c.SecretValue == "") || (c.SecretHeader == "" && c.SecretValue != "") { + return errors.New("Both secret.header and secret.value must be set") + } + return nil } diff --git a/x-pack/filebeat/input/http_endpoint/handler.go b/x-pack/filebeat/input/http_endpoint/handler.go new file mode 100644 index 00000000000..ff31a08e9bd --- /dev/null +++ b/x-pack/filebeat/input/http_endpoint/handler.go @@ -0,0 +1,109 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package http_endpoint + +import ( + "bytes" + "encoding/json" + "errors" + "fmt" + "io" + "io/ioutil" + "net/http" + "time" + + stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless" + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" +) + +type httpHandler struct { + log *logp.Logger + publisher stateless.Publisher + + messageField string + responseCode int + responseBody string +} + +var errBodyEmpty = errors.New("Body cannot be empty") +var errUnsupportedType = errors.New("Only JSON objects are accepted") + +// Triggers if middleware validation returns successful +func (h *httpHandler) apiResponse(w http.ResponseWriter, r *http.Request) { + obj, status, err := httpReadJsonObject(r.Body) + if err != nil { + w.Header().Add("Content-Type", "application/json") + sendErrorResponse(w, status, err) + return + } + + h.publishEvent(obj) + w.Header().Add("Content-Type", "application/json") + h.sendResponse(w, h.responseCode, h.responseBody) +} + +func (h *httpHandler) sendResponse(w http.ResponseWriter, status int, message string) { + w.WriteHeader(status) + io.WriteString(w, message) +} + +func (h *httpHandler) publishEvent(obj common.MapStr) { + event := beat.Event{ + Timestamp: time.Now().UTC(), + Fields: common.MapStr{ + h.messageField: obj, + }, + } + + h.publisher.Publish(event) +} + +func withValidator(v validator, handler http.HandlerFunc) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + if status, err := v.ValidateHeader(r); status != 0 && err != nil { + sendErrorResponse(w, status, err) + } else { + handler(w, r) + } + } +} + +func sendErrorResponse(w http.ResponseWriter, status int, err error) { + w.Header().Add("Content-Type", "application/json") + w.WriteHeader(status) + fmt.Fprintf(w, `{"message": %q}`, err.Error()) +} + +func httpReadJsonObject(body io.Reader) (obj common.MapStr, status int, err error) { + if body == http.NoBody { + return nil, http.StatusNotAcceptable, errBodyEmpty + } + + contents, err := ioutil.ReadAll(body) + if err != nil { + return nil, http.StatusInternalServerError, fmt.Errorf("failed reading body: %w", err) + } + + if !isObject(contents) { + return nil, http.StatusBadRequest, errUnsupportedType + } + + obj = common.MapStr{} + if err := json.Unmarshal(contents, &obj); err != nil { + return nil, http.StatusBadRequest, fmt.Errorf("Malformed JSON body: %w", err) + } + + return obj, 0, nil +} + +func isObject(b []byte) bool { + obj := bytes.TrimLeft(b, " \t\r\n") + if len(obj) > 0 && obj[0] == '{' { + return true + } + return false +} diff --git a/x-pack/filebeat/input/http_endpoint/httpserver.go b/x-pack/filebeat/input/http_endpoint/httpserver.go deleted file mode 100644 index 68325caaeb4..00000000000 --- a/x-pack/filebeat/input/http_endpoint/httpserver.go +++ /dev/null @@ -1,77 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package http_endpoint - -import ( - "context" - "net/http" - "time" - - "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" - "github.com/elastic/beats/v7/libbeat/logp" -) - -type HttpServer struct { - log *logp.Logger - server *http.Server - ctx context.Context - stop context.CancelFunc -} - -func (h *HttpServer) Start() { - go func() { - if h.server.TLSConfig != nil { - h.log.Infof("Starting HTTPS server on %s", h.server.Addr) - //certificate is already loaded. That's why the parameters are empty - err := h.server.ListenAndServeTLS("", "") - if err != nil && err != http.ErrServerClosed { - h.log.Fatalf("Unable to start HTTPS server due to error: %v", err) - } - } else { - h.log.Infof("Starting HTTP server on %s", h.server.Addr) - err := h.server.ListenAndServe() - if err != nil && err != http.ErrServerClosed { - h.log.Fatalf("Unable to start HTTP server due to error: %v", err) - } - } - }() -} - -func (h *HttpServer) Stop() { - h.log.Info("Stopping HTTP server") - h.stop() - if err := h.server.Shutdown(h.ctx); err != nil { - h.log.Fatalf("Unable to stop HTTP server due to error: %v", err) - } -} - -func createServer(in *HttpEndpoint) (*HttpServer, error) { - mux := http.NewServeMux() - responseHandler := http.HandlerFunc(in.apiResponse) - mux.Handle(in.config.URL, in.validateRequest(responseHandler)) - server := &http.Server{ - Addr: in.config.ListenAddress + ":" + in.config.ListenPort, - Handler: mux, - } - - tlsConfig, err := tlscommon.LoadTLSServerConfig(in.config.TLS) - if err != nil { - return nil, err - } - - if tlsConfig != nil { - server.TLSConfig = tlsConfig.BuildModuleConfig(in.config.ListenAddress) - } - - ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) - h := &HttpServer{ - ctx: ctx, - stop: cancel, - log: logp.NewLogger("http_server"), - } - h.server = server - - return h, nil -} diff --git a/x-pack/filebeat/input/http_endpoint/input.go b/x-pack/filebeat/input/http_endpoint/input.go index 555880fab6d..bddf2be0a9e 100644 --- a/x-pack/filebeat/input/http_endpoint/input.go +++ b/x-pack/filebeat/input/http_endpoint/input.go @@ -5,259 +5,121 @@ package http_endpoint import ( - "bytes" - "context" - "encoding/json" + "crypto/tls" "fmt" - "io/ioutil" + "net" "net/http" - "sync" - "time" - "github.com/pkg/errors" - - "github.com/elastic/beats/v7/filebeat/channel" - "github.com/elastic/beats/v7/filebeat/input" - "github.com/elastic/beats/v7/libbeat/beat" + v2 "github.com/elastic/beats/v7/filebeat/input/v2" + stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless" "github.com/elastic/beats/v7/libbeat/common" - "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" + "github.com/elastic/beats/v7/libbeat/feature" + "github.com/elastic/go-concert/ctxtool" ) const ( inputName = "http_endpoint" ) -func init() { - err := input.Register(inputName, NewInput) - if err != nil { - panic(errors.Wrapf(err, "failed to register %v input", inputName)) - } +type httpEndpoint struct { + config config + addr string + tlsConfig *tls.Config } -type HttpEndpoint struct { - config - log *logp.Logger - outlet channel.Outleter // Output of received messages. - inputCtx context.Context // Wraps the Done channel from parent input.Context. - - workerCtx context.Context // Worker goroutine context. It's cancelled when the input stops or the worker exits. - workerCancel context.CancelFunc // Used to signal that the worker should stop. - workerOnce sync.Once // Guarantees that the worker goroutine is only started once. - workerWg sync.WaitGroup // Waits on worker goroutine. - server *HttpServer // Server instance - eventObject *map[string]interface{} // Current event object - finalHandler http.HandlerFunc +func Plugin() v2.Plugin { + return v2.Plugin{ + Name: inputName, + Stability: feature.Beta, + Deprecated: false, + Manager: stateless.NewInputManager(configure), + } } -// NewInput creates a new httpjson input -func NewInput( - cfg *common.Config, - connector channel.Connector, - inputContext input.Context, -) (input.Input, error) { - // Extract and validate the input's configuration. +func configure(cfg *common.Config) (stateless.Input, error) { conf := defaultConfig() if err := cfg.Unpack(&conf); err != nil { return nil, err } - // Build outlet for events. - out, err := connector.Connect(cfg) - if err != nil { + return newHTTPEndpoint(conf) +} + +func newHTTPEndpoint(config config) (*httpEndpoint, error) { + if err := config.Validate(); err != nil { return nil, err } - // Wrap input.Context's Done channel with a context.Context. This goroutine - // stops with the parent closes the Done channel. - inputCtx, cancelInputCtx := context.WithCancel(context.Background()) - go func() { - defer cancelInputCtx() - select { - case <-inputContext.Done: - case <-inputCtx.Done(): - } - }() + addr := fmt.Sprintf("%v:%v", config.ListenAddress, config.ListenPort) - // If the input ever needs to be made restartable, then context would need - // to be recreated with each restart. - workerCtx, workerCancel := context.WithCancel(inputCtx) - - in := &HttpEndpoint{ - config: conf, - log: logp.NewLogger(inputName), - outlet: out, - inputCtx: inputCtx, - workerCtx: workerCtx, - workerCancel: workerCancel, - } - - // Create an instance of the HTTP server with the beat context - in.server, err = createServer(in) + var tlsConfig *tls.Config + tlsConfigBuilder, err := tlscommon.LoadTLSServerConfig(config.TLS) if err != nil { return nil, err } - - in.log.Infof("Initialized %v input on %v:%v", inputName, in.config.ListenAddress, in.config.ListenPort) - - return in, nil -} - -// Run starts the input worker then returns. Only the first invocation -// will ever start the worker. -func (in *HttpEndpoint) Run() { - in.workerOnce.Do(func() { - in.workerWg.Add(1) - go in.run() - }) -} - -func (in *HttpEndpoint) run() { - defer in.workerWg.Done() - defer in.log.Infof("%v worker has stopped.", inputName) - in.server.Start() -} - -// Stops HTTP input and waits for it to finish -func (in *HttpEndpoint) Stop() { - in.workerCancel() - in.workerWg.Wait() -} - -// Wait is an alias for Stop. -func (in *HttpEndpoint) Wait() { - in.Stop() -} - -// If middleware validation successed, event is sent -func (in *HttpEndpoint) sendEvent(w http.ResponseWriter, r *http.Request) { - event := in.outlet.OnEvent(beat.Event{ - Timestamp: time.Now().UTC(), - Fields: common.MapStr{ - in.config.Prefix: in.eventObject, - }, - }) - if !event { - in.sendResponse(w, http.StatusInternalServerError, in.createErrorMessage("Unable to send event")) + if tlsConfigBuilder != nil { + tlsConfig = tlsConfigBuilder.BuildModuleConfig(addr) } -} -// Triggers if middleware validation returns successful -func (in *HttpEndpoint) apiResponse(w http.ResponseWriter, r *http.Request) { - in.sendEvent(w, r) - w.Header().Add("Content-Type", "application/json") - in.sendResponse(w, uint(in.config.ResponseCode), in.config.ResponseBody) + return &httpEndpoint{ + config: config, + tlsConfig: tlsConfig, + addr: addr, + }, nil } -func (in *HttpEndpoint) sendResponse(w http.ResponseWriter, h uint, b string) { - w.WriteHeader(int(h)) - w.Write([]byte(b)) -} - -// Runs all validations for each request -func (in *HttpEndpoint) validateRequest(next http.Handler) http.Handler { - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - if in.config.BasicAuth { - status, err := in.validateAuth(w, r) - if err != "" && status != 0 { - in.sendResponse(w, status, err) - return - } - } - - status, err := in.validateMethod(w, r) - if err != "" && status != 0 { - in.sendResponse(w, status, err) - return - } +func (*httpEndpoint) Name() string { return inputName } - status, err = in.validateHeader(w, r) - if err != "" && status != 0 { - in.sendResponse(w, status, err) - return - } - - status, err = in.validateBody(w, r) - if err != "" && status != 0 { - in.sendResponse(w, status, err) - return - } - - next.ServeHTTP(w, r) - }) -} - -// Validate that only supported Accept and Content type headers are used -func (in *HttpEndpoint) validateHeader(w http.ResponseWriter, r *http.Request) (uint, string) { - if r.Header.Get("Content-Type") != "application/json" { - return http.StatusUnsupportedMediaType, in.createErrorMessage("Wrong Content-Type header, expecting application/json") - } - - return 0, "" -} - -// Validate if headers are current and authentication is successful -func (in *HttpEndpoint) validateAuth(w http.ResponseWriter, r *http.Request) (uint, string) { - if in.config.Username == "" || in.config.Password == "" { - return http.StatusUnauthorized, in.createErrorMessage("Username and password required when basicauth is enabled") - } - - username, password, _ := r.BasicAuth() - if in.config.Username != username || in.config.Password != password { - return http.StatusUnauthorized, in.createErrorMessage("Incorrect username or password") - } - - return 0, "" -} - -// Validates that body is not empty, not a list of objects and valid JSON -func (in *HttpEndpoint) validateBody(w http.ResponseWriter, r *http.Request) (uint, string) { - if r.Body == http.NoBody { - return http.StatusNotAcceptable, in.createErrorMessage("Body cannot be empty") - } - - body, err := ioutil.ReadAll(r.Body) +func (e *httpEndpoint) Test(_ v2.TestContext) error { + l, err := net.Listen("tcp", e.addr) if err != nil { - return http.StatusInternalServerError, in.createErrorMessage("Unable to read body") + return err } + return l.Close() +} - isObject := in.isObjectOrList(body) - if isObject == "list" { - return http.StatusBadRequest, in.createErrorMessage("List of JSON objects is not supported") - } +func (e *httpEndpoint) Run(ctx v2.Context, publisher stateless.Publisher) error { + log := ctx.Logger.With("address", e.addr) - objmap := make(map[string]interface{}) - err = json.Unmarshal(body, &objmap) - if err != nil { - return http.StatusBadRequest, in.createErrorMessage("Malformed JSON body") + validator := &apiValidator{ + basicAuth: e.config.BasicAuth, + username: e.config.Username, + password: e.config.Password, + method: http.MethodPost, + contentType: e.config.ContentType, + secretHeader: e.config.SecretHeader, + secretValue: e.config.SecretValue, } - in.eventObject = &objmap - - return 0, "" -} - -// Ensure only valid HTTP Methods used -func (in *HttpEndpoint) validateMethod(w http.ResponseWriter, r *http.Request) (uint, string) { - if r.Method != http.MethodPost { - return http.StatusMethodNotAllowed, in.createErrorMessage("Only POST requests supported") + handler := &httpHandler{ + log: log, + publisher: publisher, + messageField: e.config.Prefix, + responseCode: e.config.ResponseCode, + responseBody: e.config.ResponseBody, } - return 0, "" -} - -func (in *HttpEndpoint) createErrorMessage(r string) string { - return fmt.Sprintf(`{"message": "%v"}`, r) -} + mux := http.NewServeMux() + mux.HandleFunc(e.config.URL, withValidator(validator, handler.apiResponse)) + server := &http.Server{Addr: e.addr, TLSConfig: e.tlsConfig, Handler: mux} + _, cancel := ctxtool.WithFunc(ctxtool.FromCanceller(ctx.Cancelation), func() { + server.Close() + }) + defer cancel() -func (in *HttpEndpoint) isObjectOrList(b []byte) string { - obj := bytes.TrimLeft(b, " \t\r\n") - if len(obj) > 0 && obj[0] == '{' { - return "object" + var err error + if server.TLSConfig != nil { + log.Infof("Starting HTTPS server on %s", server.Addr) + //certificate is already loaded. That's why the parameters are empty + err = server.ListenAndServeTLS("", "") + } else { + log.Infof("Starting HTTP server on %s", server.Addr) + err = server.ListenAndServe() } - if len(obj) > 0 && obj[0] == '[' { - return "list" + if err != nil && err != http.ErrServerClosed { + return fmt.Errorf("Unable to start server due to error: %w", err) } - - return "" + return nil } diff --git a/x-pack/filebeat/input/http_endpoint/validate.go b/x-pack/filebeat/input/http_endpoint/validate.go new file mode 100644 index 00000000000..348cf9e2dd8 --- /dev/null +++ b/x-pack/filebeat/input/http_endpoint/validate.go @@ -0,0 +1,54 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package http_endpoint + +import ( + "errors" + "fmt" + "net/http" +) + +type validator interface { + // ValidateHeader checks the HTTP headers for compliance. The body must not + // be touched. + ValidateHeader(*http.Request) (int, error) +} + +type apiValidator struct { + basicAuth bool + username, password string + method string + contentType string + secretHeader string + secretValue string +} + +var errIncorrectUserOrPass = errors.New("Incorrect username or password") +var errIncorrectHeaderSecret = errors.New("Incorrect header or header secret") + +func (v *apiValidator) ValidateHeader(r *http.Request) (int, error) { + if v.basicAuth { + username, password, _ := r.BasicAuth() + if v.username != username || v.password != password { + return http.StatusUnauthorized, errIncorrectUserOrPass + } + } + + if v.secretHeader != "" && v.secretValue != "" { + if v.secretValue != r.Header.Get(v.secretHeader) { + return http.StatusUnauthorized, errIncorrectHeaderSecret + } + } + + if v.method != "" && v.method != r.Method { + return http.StatusMethodNotAllowed, fmt.Errorf("Only %v requests supported", v.method) + } + + if v.contentType != "" && r.Header.Get("Content-Type") != v.contentType { + return http.StatusUnsupportedMediaType, fmt.Errorf("Wrong Content-Type header, expecting %v", v.contentType) + } + + return 0, nil +} diff --git a/x-pack/filebeat/input/httpjson/config.go b/x-pack/filebeat/input/httpjson/config.go index 63d20221de4..95ca205be0d 100644 --- a/x-pack/filebeat/input/httpjson/config.go +++ b/x-pack/filebeat/input/httpjson/config.go @@ -5,13 +5,14 @@ package httpjson import ( + "errors" + "fmt" + "net/url" "regexp" "strings" "text/template" "time" - "github.com/pkg/errors" - "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" ) @@ -35,7 +36,7 @@ type config struct { RetryWaitMin time.Duration `config:"retry.wait_min"` RetryWaitMax time.Duration `config:"retry.wait_max"` TLS *tlscommon.Config `config:"ssl"` - URL string `config:"url" validate:"required"` + URL *URL `config:"url" validate:"required"` DateCursor *DateCursor `config:"date_cursor"` } @@ -46,6 +47,7 @@ type Pagination struct { Header *Header `config:"header"` IDField string `config:"id_field"` RequestField string `config:"req_field"` + URLField string `config:"url_field"` URL string `config:"url"` } @@ -69,7 +71,7 @@ type RateLimit struct { type DateCursor struct { Enabled *bool `config:"enabled"` - Field string `config:"field" validate:"required"` + Field string `config:"field"` URLField string `config:"url_field" validate:"required"` ValueTemplate *Template `config:"value_template"` DateFormat string `config:"date_format"` @@ -91,6 +93,21 @@ func (t *Template) Unpack(in string) error { return nil } +type URL struct { + *url.URL +} + +func (u *URL) Unpack(in string) error { + parsed, err := url.Parse(in) + if err != nil { + return err + } + + *u = URL{URL: parsed} + + return nil +} + // IsEnabled returns true if the `enable` field is set to true in the yaml. func (dc *DateCursor) IsEnabled() bool { return dc != nil && (dc.Enabled == nil || *dc.Enabled) @@ -120,29 +137,26 @@ func (c *config) Validate() error { case "GET", "POST": break default: - return errors.Errorf("httpjson input: Invalid http_method, %s", c.HTTPMethod) + return fmt.Errorf("httpjson input: Invalid http_method, %s", c.HTTPMethod) } if c.NoHTTPBody { if len(c.HTTPRequestBody) > 0 { - return errors.Errorf("invalid configuration: both no_http_body and http_request_body cannot be set simultaneously") + return errors.New("invalid configuration: both no_http_body and http_request_body cannot be set simultaneously") } if c.Pagination != nil && (len(c.Pagination.ExtraBodyContent) > 0 || c.Pagination.RequestField != "") { - return errors.Errorf("invalid configuration: both no_http_body and pagination.extra_body_content or pagination.req_field cannot be set simultaneously") + return errors.New("invalid configuration: both no_http_body and pagination.extra_body_content or pagination.req_field cannot be set simultaneously") } } if c.Pagination != nil { - if c.DateCursor.IsEnabled() { - return errors.Errorf("invalid configuration: date_cursor cannnot be set in combination with other pagination mechanisms") - } if c.Pagination.Header != nil { if c.Pagination.RequestField != "" || c.Pagination.IDField != "" || len(c.Pagination.ExtraBodyContent) > 0 { - return errors.Errorf("invalid configuration: both pagination.header and pagination.req_field or pagination.id_field or pagination.extra_body_content cannot be set simultaneously") + return errors.New("invalid configuration: both pagination.header and pagination.req_field or pagination.id_field or pagination.extra_body_content cannot be set simultaneously") } } } if c.OAuth2.IsEnabled() { if c.APIKey != "" || c.AuthenticationScheme != "" { - return errors.Errorf("invalid configuration: oauth2 and api_key or authentication_scheme cannot be set simultaneously") + return errors.New("invalid configuration: oauth2 and api_key or authentication_scheme cannot be set simultaneously") } } return nil diff --git a/x-pack/filebeat/input/httpjson/config_oauth.go b/x-pack/filebeat/input/httpjson/config_oauth.go index 6a09cf2fb92..0ff55dcbc33 100644 --- a/x-pack/filebeat/input/httpjson/config_oauth.go +++ b/x-pack/filebeat/input/httpjson/config_oauth.go @@ -7,13 +7,13 @@ package httpjson import ( "context" "encoding/json" + "errors" "fmt" "io/ioutil" "net/http" "os" "strings" - "github.com/pkg/errors" "golang.org/x/oauth2" "golang.org/x/oauth2/clientcredentials" "golang.org/x/oauth2/endpoints" diff --git a/x-pack/filebeat/input/httpjson/config_test.go b/x-pack/filebeat/input/httpjson/config_test.go index 904702ee116..0de07311239 100644 --- a/x-pack/filebeat/input/httpjson/config_test.go +++ b/x-pack/filebeat/input/httpjson/config_test.go @@ -6,11 +6,12 @@ package httpjson import ( "context" + "errors" "os" "testing" "time" - "github.com/pkg/errors" + "github.com/stretchr/testify/assert" "golang.org/x/oauth2/google" "github.com/elastic/beats/v7/libbeat/common" @@ -110,6 +111,16 @@ func TestConfigValidationCase7(t *testing.T) { } } +func TestConfigMustFailWithInvalidURL(t *testing.T) { + m := map[string]interface{}{ + "url": "::invalid::", + } + cfg := common.MustNewConfigFrom(m) + conf := defaultConfig() + err := cfg.Unpack(&conf) + assert.EqualError(t, err, `parse "::invalid::": missing protocol scheme accessing 'url'`) +} + func TestConfigOauth2Validation(t *testing.T) { cases := []struct { name string @@ -351,17 +362,6 @@ func TestConfigOauth2Validation(t *testing.T) { "url": "localhost", }, }, - { - name: "date_cursor must fail in combination with pagination", - expectedErr: "invalid configuration: date_cursor cannnot be set in combination with other pagination mechanisms accessing config", - input: map[string]interface{}{ - "date_cursor": map[string]interface{}{"field": "foo", "url_field": "foo"}, - "pagination": map[string]interface{}{ - "header": map[string]interface{}{"field_name": "foo", "regex_pattern": "bar"}, - }, - "url": "localhost", - }, - }, { name: "date_cursor.date_format will fail if invalid", expectedErr: "invalid configuration: date_format is not a valid date layout accessing 'date_cursor'", diff --git a/x-pack/filebeat/input/httpjson/date_cursor.go b/x-pack/filebeat/input/httpjson/date_cursor.go new file mode 100644 index 00000000000..2a9db44bd2a --- /dev/null +++ b/x-pack/filebeat/input/httpjson/date_cursor.go @@ -0,0 +1,105 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + "bytes" + "net/url" + "time" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" +) + +type dateCursor struct { + log *logp.Logger + enabled bool + field string + url url.URL + urlField string + initialInterval time.Duration + dateFormat string + + value string + valueTpl *Template +} + +func newDateCursorFromConfig(config config, log *logp.Logger) *dateCursor { + c := &dateCursor{ + enabled: config.DateCursor.IsEnabled(), + url: *config.URL.URL, + } + + if !c.enabled { + return c + } + + c.log = log + c.field = config.DateCursor.Field + c.urlField = config.DateCursor.URLField + c.initialInterval = config.DateCursor.InitialInterval + c.dateFormat = config.DateCursor.GetDateFormat() + c.valueTpl = config.DateCursor.ValueTemplate + + return c +} + +func (c *dateCursor) getURL() string { + if !c.enabled { + return c.url.String() + } + + var dateStr string + if c.value == "" { + t := timeNow().UTC().Add(-c.initialInterval) + dateStr = t.Format(c.dateFormat) + } else { + dateStr = c.value + } + + q := c.url.Query() + + var value string + if c.valueTpl == nil { + value = dateStr + } else { + buf := new(bytes.Buffer) + if err := c.valueTpl.Template.Execute(buf, dateStr); err != nil { + return c.url.String() + } + value = buf.String() + } + + q.Set(c.urlField, value) + + c.url.RawQuery = q.Encode() + + return c.url.String() +} + +func (c *dateCursor) advance(m common.MapStr) { + if c.field == "" { + c.value = time.Now().UTC().Format(c.dateFormat) + return + } + + v, err := m.GetValue(c.field) + if err != nil { + c.log.Warnf("date_cursor field: %q", err) + return + } + switch t := v.(type) { + case string: + _, err := time.Parse(c.dateFormat, t) + if err != nil { + c.log.Warn("date_cursor field does not have the expected layout") + return + } + c.value = t + default: + c.log.Warn("date_cursor field must be a string, cursor will not advance") + return + } +} diff --git a/x-pack/filebeat/input/httpjson/httpjson_test.go b/x-pack/filebeat/input/httpjson/httpjson_test.go index 75374404eea..b541c16002e 100644 --- a/x-pack/filebeat/input/httpjson/httpjson_test.go +++ b/x-pack/filebeat/input/httpjson/httpjson_test.go @@ -6,772 +6,427 @@ package httpjson import ( "context" - "encoding/json" "fmt" "io/ioutil" - "log" "math/rand" "net/http" "net/http/httptest" - "reflect" - "regexp" - "strconv" - "sync" "testing" "time" - "golang.org/x/sync/errgroup" - "github.com/stretchr/testify/assert" + "golang.org/x/sync/errgroup" - "github.com/elastic/beats/v7/filebeat/channel" - "github.com/elastic/beats/v7/filebeat/input" - "github.com/elastic/beats/v7/libbeat/beat" + v2 "github.com/elastic/beats/v7/filebeat/input/v2" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" + beattest "github.com/elastic/beats/v7/libbeat/publisher/testing" ) -const ( - HTTPTestServer int = iota - TLSTestServer - RateLimitRetryServer - ErrorRetryServer - ArrayResponseServer -) - -var ( - once sync.Once -) - -func testSetup(t *testing.T) { - t.Helper() - once.Do(func() { - logp.TestingSetup() - }) -} - -func createTestServer(testServer int) *httptest.Server { - var ts *httptest.Server - newServer := httptest.NewServer - switch testServer { - case HTTPTestServer: - ts = createServer(newServer) - case TLSTestServer: - ts = createServer(httptest.NewTLSServer) - case RateLimitRetryServer: - ts = createCustomServer(newServer) - case ErrorRetryServer: - ts = createCustomRetryServer(newServer) - case ArrayResponseServer: - ts = createCustomServerWithArrayResponse(newServer) - default: - ts = createServer(newServer) - } - return ts -} - -func createServer(newServer func(handler http.Handler) *httptest.Server) *httptest.Server { - return newServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - if r.Method == http.MethodPost { - req, err := ioutil.ReadAll(r.Body) - defer r.Body.Close() - if err != nil { - log.Fatalln(err) - } - var m interface{} - err = json.Unmarshal(req, &m) - w.Header().Set("Content-Type", "application/json") - if err != nil { - w.WriteHeader(http.StatusBadRequest) - } else { - w.WriteHeader(http.StatusOK) - w.Write(req) - } - } else { - message := map[string]interface{}{ - "hello": "world", - "embedded": map[string]string{ - "hello": "world", - }, - "list": []map[string]interface{}{ - {"foo": "bar"}, - {"hello": "world"}, - }, - } - b, _ := json.Marshal(message) - w.Header().Set("Content-Type", "application/json") - w.WriteHeader(http.StatusOK) - w.Write(b) - } - })) -} - -func createCustomServer(newServer func(handler http.Handler) *httptest.Server) *httptest.Server { - var isRetry bool - return newServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - w.Header().Set("Content-Type", "application/json") - if !isRetry { - w.Header().Set("X-Rate-Limit-Limit", "0") - w.Header().Set("X-Rate-Limit-Remaining", "0") - w.Header().Set("X-Rate-Limit-Reset", strconv.FormatInt(time.Now().Unix(), 10)) - w.WriteHeader(http.StatusTooManyRequests) - w.Write([]byte{}) - isRetry = true - } else { - message := map[string]interface{}{ - "hello": "world", - "embedded": map[string]string{ - "hello": "world", - }, - } - b, _ := json.Marshal(message) - w.WriteHeader(http.StatusOK) - w.Write(b) - isRetry = false - } - })) -} - -func createCustomRetryServer(newServer func(handler http.Handler) *httptest.Server) *httptest.Server { - retryCount := 0 - statusCodes := []int{http.StatusInternalServerError, http.StatusBadGateway, http.StatusServiceUnavailable, http.StatusGatewayTimeout, http.StatusHTTPVersionNotSupported, http.StatusVariantAlsoNegotiates, http.StatusInsufficientStorage, http.StatusLoopDetected, http.StatusNotExtended, http.StatusNetworkAuthenticationRequired} - return newServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - w.Header().Set("Content-Type", "application/json") - // Test retry for two times - if retryCount < 2 { - rand.Seed(time.Now().Unix()) - code := statusCodes[rand.Intn(len(statusCodes))] - w.WriteHeader(code) - w.Write([]byte{}) - retryCount++ - } else { - message := map[string]interface{}{ - "hello": "world", - "embedded": map[string]string{ - "hello": "world", - }, - } - b, _ := json.Marshal(message) - w.WriteHeader(http.StatusOK) - w.Write(b) - retryCount = 0 - } - })) -} - -func createCustomServerWithArrayResponse(newServer func(handler http.Handler) *httptest.Server) *httptest.Server { - return newServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - w.Header().Set("Content-Type", "application/json") - message := map[string]interface{}{ - "hello": []map[string]interface{}{ - { - "foo": "bar", - "list": []map[string]interface{}{ - {"foo": "bar"}, - {"hello": "world"}, - }, - }, - { - "foo": "bar", - "list": []map[string]interface{}{ - {"foo": "bar"}, - }, +func TestHTTPJSONInput(t *testing.T) { + testCases := []struct { + name string + setupServer func(*testing.T, http.HandlerFunc, map[string]interface{}) + baseConfig map[string]interface{} + handler http.HandlerFunc + expected []string + }{ + { + name: "Test simple GET request", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + }, + handler: defaultHandler("GET", ""), + expected: []string{`{"hello":[{"world":"moon"},{"space":[{"cake":"pumpkin"}]}]}`}, + }, + { + name: "Test simple HTTPS GET request", + setupServer: newTestServer(httptest.NewTLSServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + "ssl.verification_mode": "none", + }, + handler: defaultHandler("GET", ""), + expected: []string{`{"hello":[{"world":"moon"},{"space":[{"cake":"pumpkin"}]}]}`}, + }, + { + name: "Test request honors rate limit", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + "rate_limit.limit": "X-Rate-Limit-Limit", + "rate_limit.remaining": "X-Rate-Limit-Remaining", + "rate_limit.reset": "X-Rate-Limit-Reset", + }, + handler: rateLimitHandler(), + expected: []string{`{"hello":"world"}`}, + }, + { + name: "Test request retries when failed", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + }, + handler: retryHandler(), + expected: []string{`{"hello":"world"}`}, + }, + { + name: "Test POST request with body", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "POST", + "interval": 0, + "http_request_body": map[string]interface{}{ + "test": "abc", }, - { - "bar": "foo", - "list": []map[string]interface{}{}, + }, + handler: defaultHandler("POST", `{"test":"abc"}`), + expected: []string{`{"hello":[{"world":"moon"},{"space":[{"cake":"pumpkin"}]}]}`}, + }, + { + name: "Test repeated POST requests", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "POST", + "interval": "100ms", + }, + handler: defaultHandler("POST", ""), + expected: []string{ + `{"hello":[{"world":"moon"},{"space":[{"cake":"pumpkin"}]}]}`, + `{"hello":[{"world":"moon"},{"space":[{"cake":"pumpkin"}]}]}`, + }, + }, + { + name: "Test json objects array", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + "json_objects_array": "hello", + }, + handler: defaultHandler("GET", ""), + expected: []string{`{"world":"moon"}`, `{"space":[{"cake":"pumpkin"}]}`}, + }, + { + name: "Test split events by", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + "split_events_by": "hello", + }, + handler: defaultHandler("GET", ""), + expected: []string{ + `{"hello":{"world":"moon"}}`, + `{"hello":{"space":[{"cake":"pumpkin"}]}}`, + }, + }, + { + name: "Test split events by with array", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + "split_events_by": "space", + "json_objects_array": "hello", + }, + handler: defaultHandler("GET", ""), + expected: []string{ + `{"world":"moon"}`, + `{"space":{"cake":"pumpkin"}}`, + }, + }, + { + name: "Test split events by not found", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + "split_events_by": "unknwown", + }, + handler: defaultHandler("GET", ""), + expected: []string{`{"hello":[{"world":"moon"},{"space":[{"cake":"pumpkin"}]}]}`}, + }, + { + name: "Test date cursor", + setupServer: func(t *testing.T, h http.HandlerFunc, config map[string]interface{}) { + // mock timeNow func to return a fixed value + timeNow = func() time.Time { + t, _ := time.Parse(time.RFC3339, "2002-10-02T15:00:00Z") + return t + } + + server := httptest.NewServer(h) + config["url"] = server.URL + t.Cleanup(server.Close) + }, + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": "100ms", + "date_cursor.field": "@timestamp", + "date_cursor.url_field": "$filter", + "date_cursor.value_template": "alertCreationTime ge {{.}}", + "date_cursor.initial_interval": "10m", + "date_cursor.date_format": "2006-01-02T15:04:05Z", + }, + handler: dateCursorHandler(), + expected: []string{ + `{"@timestamp":"2002-10-02T15:00:00Z","foo":"bar"}`, + `{"@timestamp":"2002-10-02T15:00:01Z","foo":"bar"}`, + `{"@timestamp":"2002-10-02T15:00:02Z","foo":"bar"}`, + }, + }, + { + name: "Test pagination", + setupServer: newTestServer(httptest.NewServer), + baseConfig: map[string]interface{}{ + "http_method": "GET", + "interval": 0, + "pagination.id_field": "nextPageToken", + "pagination.url_field": "page", + "json_objects_array": "items", + }, + handler: paginationHandler(), + expected: []string{`{"foo":"bar"}`, `{"foo":"bar"}`}, + }, + { + name: "Test oauth2", + setupServer: func(t *testing.T, h http.HandlerFunc, config map[string]interface{}) { + server := httptest.NewServer(h) + config["url"] = server.URL + config["oauth2.token_url"] = server.URL + "/token" + t.Cleanup(server.Close) + }, + baseConfig: map[string]interface{}{ + "http_method": "POST", + "interval": "0", + "oauth2.client.id": "a_client_id", + "oauth2.client.secret": "a_client_secret", + "oauth2.endpoint_params": map[string]interface{}{ + "param1": "v1", }, - {"bar": "foo"}, + "oauth2.scopes": []string{"scope1", "scope2"}, }, - } - b, _ := json.Marshal(message) - w.WriteHeader(http.StatusOK) - w.Write(b) - })) -} - -func runTest(t *testing.T, ts *httptest.Server, m map[string]interface{}, run func(input *HttpjsonInput, out *stubOutleter, t *testing.T)) { - testSetup(t) - defer ts.Close() - m["url"] = ts.URL - cfg := common.MustNewConfigFrom(m) - // Simulate input.Context from Filebeat input runner. - inputCtx := newInputContext() - defer close(inputCtx.Done) - - // Stub outlet for receiving events generated by the input. - eventOutlet := newStubOutlet() - defer eventOutlet.Close() - - connector := channel.ConnectorFunc(func(_ *common.Config, _ beat.ClientConfig) (channel.Outleter, error) { - return eventOutlet, nil - }) - - in, err := NewInput(cfg, connector, inputCtx) - if err != nil { - t.Fatal(err) + handler: oauth2Handler, + expected: []string{`{"hello": "world"}`}, + }, } - input := in.(*HttpjsonInput) - defer input.Stop() - run(input, eventOutlet, t) -} - -func newInputContext() input.Context { - return input.Context{ - Done: make(chan struct{}), + for _, testCase := range testCases { + tc := testCase + t.Run(tc.name, func(t *testing.T) { + tc.setupServer(t, tc.handler, tc.baseConfig) + + cfg := common.MustNewConfigFrom(tc.baseConfig) + + input, err := configure(cfg) + + assert.NoError(t, err) + assert.Equal(t, "httpjson", input.Name()) + assert.NoError(t, input.Test(v2.TestContext{})) + + pub := beattest.NewChanClient(len(tc.expected)) + t.Cleanup(func() { _ = pub.Close() }) + + ctx, cancel := newV2Context() + t.Cleanup(cancel) + + var g errgroup.Group + g.Go(func() error { return input.Run(ctx, pub) }) + + timeout := time.NewTimer(5 * time.Second) + t.Cleanup(func() { _ = timeout.Stop() }) + + var receivedCount int + wait: + for { + select { + case <-timeout.C: + t.Errorf("timed out waiting for %d events", len(tc.expected)) + return + case got := <-pub.Channel: + val, err := got.Fields.GetValue("message") + assert.NoError(t, err) + assert.JSONEq(t, tc.expected[receivedCount], val.(string)) + receivedCount += 1 + if receivedCount == len(tc.expected) { + cancel() + break wait + } + } + } + assert.NoError(t, g.Wait()) + }) } } -type stubOutleter struct { - sync.Mutex - cond *sync.Cond - done bool - Events []beat.Event -} - -func newStubOutlet() *stubOutleter { - o := &stubOutleter{} - o.cond = sync.NewCond(o) - return o -} - -func (o *stubOutleter) waitForEvents(numEvents int) ([]beat.Event, bool) { - o.Lock() - defer o.Unlock() - - for len(o.Events) < numEvents && !o.done { - o.cond.Wait() +func newTestServer( + newServer func(http.Handler) *httptest.Server, +) func(*testing.T, http.HandlerFunc, map[string]interface{}) { + return func(t *testing.T, h http.HandlerFunc, config map[string]interface{}) { + server := newServer(h) + config["url"] = server.URL + t.Cleanup(server.Close) } - - size := numEvents - if size >= len(o.Events) { - size = len(o.Events) - } - - out := make([]beat.Event, size) - copy(out, o.Events) - return out, len(out) == numEvents } -func (o *stubOutleter) Close() error { - o.Lock() - defer o.Unlock() - o.done = true - return nil +func newV2Context() (v2.Context, func()) { + ctx, cancel := context.WithCancel(context.Background()) + return v2.Context{ + Logger: logp.NewLogger("httpjson_test"), + ID: "test_id", + Cancelation: ctx, + }, cancel } -func (o *stubOutleter) Done() <-chan struct{} { return nil } - -func (o *stubOutleter) OnEvent(event beat.Event) bool { - o.Lock() - defer o.Unlock() - o.Events = append(o.Events, event) - o.cond.Broadcast() - return !o.done -} - -func newOAuth2TestServer(t *testing.T) *httptest.Server { - return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - defer r.Body.Close() - - if r.Method != "POST" { - t.Errorf("expected POST request, got %v", r.Method) - return - } - - if err := r.ParseForm(); err != nil { - t.Errorf("no error expected, got %q", err) - return - } - - if gt := r.FormValue("grant_type"); gt != "client_credentials" { - t.Errorf("expected grant_type was client_credentials, got %q", gt) - return - } - - clientID := r.FormValue("client_id") - clientSecret := r.FormValue("client_secret") - if clientID == "" || clientSecret == "" { - clientID, clientSecret, _ = r.BasicAuth() - } - if clientID != "a_client_id" || clientSecret != "a_client_secret" { - t.Errorf("expected client credentials \"a_client_id:a_client_secret\", got \"%s:%s\"", clientID, clientSecret) - } - - if s := r.FormValue("scope"); s != "scope1 scope2" { - t.Errorf("expected scope was scope1+scope2, got %q", s) - return - } - - expectedParams := []string{"v1", "v2"} - if p := r.Form["param1"]; !reflect.DeepEqual(expectedParams, p) { - t.Errorf("expected params were %q, but got %q", expectedParams, p) - return - } - +func defaultHandler(expectedMethod, expectedBody string) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { w.Header().Set("content-type", "application/json") - w.Write([]byte(`{"token_type":"Bearer","expires_in":"3599","access_token":"abcdef1234567890"}`)) - })) -} - -// --- Test Cases - -func TestGetNextLinkFromHeader(t *testing.T) { - header := make(http.Header) - header.Add("Link", "; rel=\"self\"") - header.Add("Link", "; rel=\"next\"") - re, _ := regexp.Compile("<([^>]+)>; *rel=\"next\"(?:,|$)") - url, err := getNextLinkFromHeader(header, "Link", re) - if url != "https://dev-168980.okta.com/api/v1/logs?after=1581658181086_1" { - t.Fatal("Failed to test getNextLinkFromHeader. URL " + url + " is not expected") - } - if err != nil { - t.Fatal("Failed to test getNextLinkFromHeader with error:", err) - } -} - -func TestCreateRequestInfoFromBody(t *testing.T) { - m := map[string]interface{}{ - "id": 100, - } - extraBodyContent := common.MapStr{"extra_body": "abc"} - ri, err := createRequestInfoFromBody(common.MapStr(m), "id", "pagination_id", extraBodyContent, "https://test-123", &RequestInfo{ - URL: "", - ContentMap: common.MapStr{}, - Headers: common.MapStr{}, - }) - if ri.URL != "https://test-123" { - t.Fatal("Failed to test createRequestInfoFromBody. URL should be https://test-123.") - } - p, err := ri.ContentMap.GetValue("pagination_id") - if err != nil { - t.Fatal("Failed to test createRequestInfoFromBody with error", err) - } - switch pt := p.(type) { - case int: - if pt != 100 { - t.Fatalf("Failed to test createRequestInfoFromBody. pagination_id value %d should be 100.", pt) - } - default: - t.Fatalf("Failed to test createRequestInfoFromBody. pagination_id value %T should be int.", pt) - } - b, err := ri.ContentMap.GetValue("extra_body") - if err != nil { - t.Fatal("Failed to test createRequestInfoFromBody with error", err) - } - switch bt := b.(type) { - case string: - if bt != "abc" { - t.Fatalf("Failed to test createRequestInfoFromBody. extra_body value %s does not match \"abc\".", bt) - } - default: - t.Fatalf("Failed to test createRequestInfoFromBody. extra_body type %T should be string.", bt) - } -} - -// Test getRateLimit function with a remaining quota, expect to receive 0, nil. -func TestGetRateLimitCase1(t *testing.T) { - header := make(http.Header) - header.Add("X-Rate-Limit-Limit", "120") - header.Add("X-Rate-Limit-Remaining", "118") - header.Add("X-Rate-Limit-Reset", "1581658643") - rateLimit := &RateLimit{ - Limit: "X-Rate-Limit-Limit", - Reset: "X-Rate-Limit-Reset", - Remaining: "X-Rate-Limit-Remaining", - } - epoch, err := getRateLimit(header, rateLimit) - if err != nil || epoch != 0 { - t.Fatal("Failed to test getRateLimit.") - } -} - -// Test getRateLimit function with a past time, expect to receive 0, nil. -func TestGetRateLimitCase2(t *testing.T) { - header := make(http.Header) - header.Add("X-Rate-Limit-Limit", "10") - header.Add("X-Rate-Limit-Remaining", "0") - header.Add("X-Rate-Limit-Reset", "1581658643") - rateLimit := &RateLimit{ - Limit: "X-Rate-Limit-Limit", - Reset: "X-Rate-Limit-Reset", - Remaining: "X-Rate-Limit-Remaining", - } - epoch, err := getRateLimit(header, rateLimit) - if err != nil || epoch != 0 { - t.Fatal("Failed to test getRateLimit.") - } -} - -// Test getRateLimit function with a time yet to come, expect to receive , nil. -func TestGetRateLimitCase3(t *testing.T) { - epoch := time.Now().Unix() + 100 - header := make(http.Header) - header.Add("X-Rate-Limit-Limit", "10") - header.Add("X-Rate-Limit-Remaining", "0") - header.Add("X-Rate-Limit-Reset", strconv.FormatInt(epoch, 10)) - rateLimit := &RateLimit{ - Limit: "X-Rate-Limit-Limit", - Reset: "X-Rate-Limit-Reset", - Remaining: "X-Rate-Limit-Remaining", - } - epoch2, err := getRateLimit(header, rateLimit) - if err != nil || epoch2 != epoch { - t.Fatal("Failed to test getRateLimit.") - } -} - -func TestGET(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "interval": 0, - } - ts := createTestServer(HTTPTestServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(1) - if !ok { - t.Fatalf("Expected 1 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) - } - }) -} - -func TestGetHTTPS(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "interval": 0, - "ssl.verification_mode": "none", - } - ts := createTestServer(HTTPTestServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(1) - if !ok { - t.Fatalf("Expected 1 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) - } - }) -} - -func TestRateLimitRetry(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "interval": 0, - } - ts := createTestServer(RateLimitRetryServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(1) - if !ok { - t.Fatalf("Expected 1 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) + msg := `{"hello":[{"world":"moon"},{"space":[{"cake":"pumpkin"}]}]}` + switch { + case r.Method != expectedMethod: + w.WriteHeader(http.StatusBadRequest) + msg = fmt.Sprintf(`{"error":"expected method was %q"}`, expectedMethod) + case expectedBody != "": + body, _ := ioutil.ReadAll(r.Body) + r.Body.Close() + if expectedBody != string(body) { + w.WriteHeader(http.StatusBadRequest) + msg = fmt.Sprintf(`{"error":"expected body was %q"}`, expectedBody) + } } - }) -} -func TestErrorRetry(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "interval": 0, + _, _ = w.Write([]byte(msg)) } - ts := createTestServer(ErrorRetryServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(1) - if !ok { - t.Fatalf("Expected 1 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) - } - }) } -func TestArrayResponse(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "json_objects_array": "hello", - "interval": 0, - } - ts := createTestServer(ArrayResponseServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(2) - if !ok { - t.Fatalf("Expected 2 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) +func rateLimitHandler() http.HandlerFunc { + var isRetry bool + return func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("content-type", "application/json") + if isRetry { + _, _ = w.Write([]byte(`{"hello":"world"}`)) + return } - }) -} - -func TestPOST(t *testing.T) { - m := map[string]interface{}{ - "http_method": "POST", - "http_request_body": map[string]interface{}{"test": "abc", "testNested": map[string]interface{}{"testNested1": 123}}, - "interval": 0, + w.Header().Set("X-Rate-Limit-Limit", "0") + w.Header().Set("X-Rate-Limit-Remaining", "0") + w.Header().Set("X-Rate-Limit-Reset", fmt.Sprint(time.Now().Unix())) + w.WriteHeader(http.StatusTooManyRequests) + isRetry = true + _, _ = w.Write([]byte(`{"error":"too many requests"}`)) } - ts := createTestServer(HTTPTestServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(1) - if !ok { - t.Fatalf("Expected 1 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) - } - }) } -func TestRepeatedPOST(t *testing.T) { - m := map[string]interface{}{ - "http_method": "POST", - "http_request_body": map[string]interface{}{"test": "abc", "testNested": map[string]interface{}{"testNested1": 123}}, - "interval": 10 ^ 9, - } - ts := createTestServer(HTTPTestServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(3) - if !ok { - t.Fatalf("Expected 3 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) +func retryHandler() http.HandlerFunc { + count := 0 + return func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("content-type", "application/json") + if count == 2 { + _, _ = w.Write([]byte(`{"hello":"world"}`)) + return } - }) -} - -func TestRunStop(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "interval": 0, + w.WriteHeader(rand.Intn(100) + 500) + count += 1 + } +} + +func oauth2TokenHandler(w http.ResponseWriter, r *http.Request) { + w.Header().Set("content-type", "application/json") + _ = r.ParseForm() + switch { + case r.Method != "POST": + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong method"}`)) + case r.FormValue("grant_type") != "client_credentials": + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong grant_type"}`)) + case r.FormValue("client_id") != "a_client_id": + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong client_id"}`)) + case r.FormValue("client_secret") != "a_client_secret": + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong client_secret"}`)) + case r.FormValue("scope") != "scope1 scope2": + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong scope"}`)) + case r.FormValue("param1") != "v1": + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong param1"}`)) + default: + _, _ = w.Write([]byte(`{"token_type": "Bearer", "expires_in": "60", "access_token": "abcd"}`)) } - ts := createTestServer(HTTPTestServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - input.Run() - input.Stop() - input.Run() - input.Stop() - }) } -func TestOAuth2(t *testing.T) { - oAuth2Server := newOAuth2TestServer(t) - defer oAuth2Server.Close() - ts := createTestServer(HTTPTestServer) - defer ts.Close() - m := map[string]interface{}{ - "http_method": "GET", - "oauth2.client.id": "a_client_id", - "oauth2.client.secret": "a_client_secret", - "oauth2.token_url": oAuth2Server.URL, - "oauth2.endpoint_params": map[string][]string{ - "param1": {"v1", "v2"}, - }, - "oauth2.scopes": []string{"scope1", "scope2"}, - "interval": 0, +func oauth2Handler(w http.ResponseWriter, r *http.Request) { + if r.URL.Path == "/token" { + oauth2TokenHandler(w, r) + return } - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(1) - if !ok { - t.Fatalf("Expected 1 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) - } - }) -} - -func TestSplitResponseWithKey(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "split_events_by": "list", - "interval": 0, + w.Header().Set("content-type", "application/json") + switch { + case r.Method != "POST": + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong method"}`)) + case r.Header.Get("Authorization") != "Bearer abcd": + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong bearer"}`)) + default: + _, _ = w.Write([]byte(`{"hello":"world"}`)) } - ts := createTestServer(HTTPTestServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(2) - if !ok { - t.Fatalf("Expected 2 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) - } - }) } -func TestSplitResponseWithoutKey(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "split_events_by": "not_found", - "interval": 0, - } - ts := createTestServer(HTTPTestServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(1) - if !ok { - t.Fatalf("Expected 1 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) - } - }) -} - -func TestArrayWithSplitResponse(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "json_objects_array": "hello", - "split_events_by": "list", - "interval": 0, - } - - expectedFields := []string{ - `{ - "foo": "bar", - "list": { - "foo": "bar" +func dateCursorHandler() http.HandlerFunc { + var count int + return func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("content-type", "application/json") + switch count { + case 0: + if r.URL.Query().Get("$filter") != "alertCreationTime ge 2002-10-02T14:50:00Z" { + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong initial cursor value"`)) + return } - }`, - `{ - "foo": "bar", - "list": { - "hello": "world" + _, _ = w.Write([]byte(`{"@timestamp":"2002-10-02T15:00:00Z","foo":"bar"}`)) + case 1: + if r.URL.Query().Get("$filter") != "alertCreationTime ge 2002-10-02T15:00:00Z" { + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong cursor value"`)) + return } - }`, - `{ - "foo": "bar", - "list": { - "foo": "bar" + _, _ = w.Write([]byte(`{"@timestamp":"2002-10-02T15:00:01Z","foo":"bar"}`)) + case 2: + if r.URL.Query().Get("$filter") != "alertCreationTime ge 2002-10-02T15:00:01Z" { + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong cursor value"`)) + return } - }`, - `{ - "bar": "foo", - "list": [] - }`, - `{"bar": "foo"}`, - } - - ts := createTestServer(ArrayResponseServer) - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(5) - if !ok { - t.Fatalf("Expected 5 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) - } - - for i, e := range events { - message, _ := e.GetValue("message") - assert.JSONEq(t, expectedFields[i], message.(string)) + _, _ = w.Write([]byte(`{"@timestamp":"2002-10-02T15:00:02Z","foo":"bar"}`)) } - }) -} - -func TestCursor(t *testing.T) { - m := map[string]interface{}{ - "http_method": "GET", - "date_cursor.field": "@timestamp", - "date_cursor.url_field": "$filter", - "date_cursor.value_template": "alertCreationTime ge {{.}}", - "date_cursor.initial_interval": "10m", - "date_cursor.date_format": "2006-01-02T15:04:05Z", - } - - timeNow = func() time.Time { - t, _ := time.Parse("2006-01-02T15:04:05Z", "2002-10-02T15:10:00Z") - return t + count += 1 } +} - const ( - expectedQuery = "%24filter=alertCreationTime+ge+2002-10-02T15%3A00%3A00Z" - expectedNextCursorValue = "2002-10-02T15:00:01Z" - expectedNextQuery = "%24filter=alertCreationTime+ge+2002-10-02T15%3A00%3A01Z" - ) - var gotQuery string - ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - w.Header().Set("Content-Type", "application/json") - gotQuery = r.URL.Query().Encode() - w.Write([]byte(`[{"@timestamp":"2002-10-02T15:00:00Z"},{"@timestamp":"2002-10-02T15:00:01Z"}]`)) - })) - - runTest(t, ts, m, func(input *HttpjsonInput, out *stubOutleter, t *testing.T) { - group, _ := errgroup.WithContext(context.Background()) - group.Go(input.run) - - events, ok := out.waitForEvents(2) - if !ok { - t.Fatalf("Expected 2 events, but got %d.", len(events)) - } - input.Stop() - - if err := group.Wait(); err != nil { - t.Fatal(err) +func paginationHandler() http.HandlerFunc { + var count int + return func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("content-type", "application/json") + switch count { + case 0: + _, _ = w.Write([]byte(`{"@timestamp":"2002-10-02T15:00:00Z","nextPageToken":"bar","items":[{"foo":"bar"}]}`)) + case 1: + if r.URL.Query().Get("page") != "bar" { + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(`{"error":"wrong page token value"}`)) + return + } + _, _ = w.Write([]byte(`{"@timestamp":"2002-10-02T15:00:01Z","items":[{"foo":"bar"}]}`)) } - - assert.Equal(t, expectedQuery, gotQuery) - assert.Equal(t, expectedNextCursorValue, input.nextCursorValue) - assert.Equal(t, fmt.Sprintf("%s?%s", ts.URL, expectedNextQuery), input.getURL()) - }) + count += 1 + } } diff --git a/x-pack/filebeat/input/httpjson/input.go b/x-pack/filebeat/input/httpjson/input.go index 3ed396db6c8..766fa364864 100644 --- a/x-pack/filebeat/input/httpjson/input.go +++ b/x-pack/filebeat/input/httpjson/input.go @@ -5,70 +5,37 @@ package httpjson import ( - "bytes" "context" - "encoding/json" - "io" - "io/ioutil" + "fmt" "net" "net/http" - "net/url" - "regexp" - "strconv" - "sync" "time" - "github.com/pkg/errors" + "github.com/hashicorp/go-retryablehttp" + "go.uber.org/zap" - "github.com/elastic/beats/v7/filebeat/channel" - "github.com/elastic/beats/v7/filebeat/input" + v2 "github.com/elastic/beats/v7/filebeat/input/v2" + stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" "github.com/elastic/beats/v7/libbeat/common/useragent" + "github.com/elastic/beats/v7/libbeat/feature" "github.com/elastic/beats/v7/libbeat/logp" - - "github.com/hashicorp/go-retryablehttp" - "go.uber.org/zap" + "github.com/elastic/go-concert/ctxtool" + "github.com/elastic/go-concert/timed" ) const ( inputName = "httpjson" ) -var userAgent = useragent.UserAgent("Filebeat") - -// for testing -var timeNow = time.Now +var ( + userAgent = useragent.UserAgent("Filebeat") -func init() { - err := input.Register(inputName, NewInput) - if err != nil { - panic(errors.Wrapf(err, "failed to register %v input", inputName)) - } -} - -// HttpjsonInput struct has the HttpJsonInput configuration and other userful info. -type HttpjsonInput struct { - config - log *logp.Logger - outlet channel.Outleter // Output of received messages. - inputCtx context.Context // Wraps the Done channel from parent input.Context. - - workerCtx context.Context // Worker goroutine context. It's cancelled when the input stops or the worker exits. - workerCancel context.CancelFunc // Used to signal that the worker should stop. - workerOnce sync.Once // Guarantees that the worker goroutine is only started once. - workerWg sync.WaitGroup // Waits on worker goroutine. - - nextCursorValue string -} - -// RequestInfo struct has the information for generating an HTTP request -type RequestInfo struct { - URL string - ContentMap common.MapStr - Headers common.MapStr -} + // for testing + timeNow = time.Now +) type retryLogger struct { log *logp.Logger @@ -80,502 +47,137 @@ func newRetryLogger() *retryLogger { } } -func (l *retryLogger) Printf(s string, args ...interface{}) { - l.log.Debugf(s, args...) +func (log *retryLogger) Error(format string, args ...interface{}) { + log.log.Errorf(format, args...) } -// NewInput creates a new httpjson input -func NewInput( - cfg *common.Config, - connector channel.Connector, - inputContext input.Context, -) (input.Input, error) { - // Extract and validate the input's configuration. - conf := defaultConfig() - if err := cfg.Unpack(&conf); err != nil { - return nil, err - } - // Build outlet for events. - out, err := connector.Connect(cfg) - if err != nil { - return nil, err - } - - // Wrap input.Context's Done channel with a context.Context. This goroutine - // stops with the parent closes the Done channel. - inputCtx, cancelInputCtx := context.WithCancel(context.Background()) - go func() { - defer cancelInputCtx() - select { - case <-inputContext.Done: - case <-inputCtx.Done(): - } - }() - - // If the input ever needs to be made restartable, then context would need - // to be recreated with each restart. - workerCtx, workerCancel := context.WithCancel(inputCtx) - - in := &HttpjsonInput{ - config: conf, - log: logp.NewLogger("httpjson").With( - "url", conf.URL), - outlet: out, - inputCtx: inputCtx, - workerCtx: workerCtx, - workerCancel: workerCancel, - } - - in.log.Info("Initialized httpjson input.") - return in, nil +func (log *retryLogger) Info(format string, args ...interface{}) { + log.log.Infof(format, args...) } -// Run starts the input worker then returns. Only the first invocation -// will ever start the worker. -func (in *HttpjsonInput) Run() { - in.workerOnce.Do(func() { - in.workerWg.Add(1) - go func() { - in.log.Info("httpjson input worker has started.") - defer in.log.Info("httpjson input worker has stopped.") - defer in.workerWg.Done() - defer in.workerCancel() - if err := in.run(); err != nil { - in.log.Error(err) - return - } - }() - }) +func (log *retryLogger) Debug(format string, args ...interface{}) { + log.log.Debugf(format, args...) } -// createHTTPRequest creates an HTTP/HTTPs request for the input -func (in *HttpjsonInput) createHTTPRequest(ctx context.Context, ri *RequestInfo) (*http.Request, error) { - var body io.Reader - if len(ri.ContentMap) == 0 || in.config.NoHTTPBody { - body = nil - } else { - b, err := json.Marshal(ri.ContentMap) - if err != nil { - return nil, err - } - body = bytes.NewReader(b) - } - req, err := http.NewRequest(in.config.HTTPMethod, ri.URL, body) - if err != nil { - return nil, err - } - req = req.WithContext(ctx) - req.Header.Set("Accept", "application/json") - req.Header.Set("Content-Type", "application/json") - req.Header.Set("User-Agent", userAgent) - if in.config.APIKey != "" { - if in.config.AuthenticationScheme != "" { - req.Header.Set("Authorization", in.config.AuthenticationScheme+" "+in.config.APIKey) - } else { - req.Header.Set("Authorization", in.config.APIKey) - } - } - for k, v := range ri.Headers { - switch vv := v.(type) { - case string: - req.Header.Set(k, vv) - default: - } - } - return req, nil +func (log *retryLogger) Warn(format string, args ...interface{}) { + log.log.Warnf(format, args...) } -// processEventArray publishes an event for each object contained in the array. It returns the last object in the array and an error if any. -func (in *HttpjsonInput) processEventArray(events []interface{}) (map[string]interface{}, error) { - var last map[string]interface{} - for _, t := range events { - switch v := t.(type) { - case map[string]interface{}: - for _, e := range in.splitEvent(v) { - last = e - d, err := json.Marshal(e) - if err != nil { - return nil, errors.Wrapf(err, "failed to marshal %+v", e) - } - ok := in.outlet.OnEvent(makeEvent(string(d))) - if !ok { - return nil, errors.New("function OnEvent returned false") - } - } - default: - return nil, errors.Errorf("expected only JSON objects in the array but got a %T", v) - } - } - return last, nil +type httpJSONInput struct { + config config + tlsConfig *tlscommon.TLSConfig } -func (in *HttpjsonInput) splitEvent(event map[string]interface{}) []map[string]interface{} { - m := common.MapStr(event) - - hasSplitKey, _ := m.HasKey(in.config.SplitEventsBy) - if in.config.SplitEventsBy == "" || !hasSplitKey { - return []map[string]interface{}{event} - } - - splitOnIfc, _ := m.GetValue(in.config.SplitEventsBy) - splitOn, ok := splitOnIfc.([]interface{}) - // if not an array or is empty, we do nothing - if !ok || len(splitOn) == 0 { - return []map[string]interface{}{event} - } - - var events []map[string]interface{} - for _, split := range splitOn { - s, ok := split.(map[string]interface{}) - // if not an object, we do nothing - if !ok { - return []map[string]interface{}{event} - } - - mm := m.Clone() - _, err := mm.Put(in.config.SplitEventsBy, s) - if err != nil { - return []map[string]interface{}{event} - } - - events = append(events, mm) +func Plugin() v2.Plugin { + return v2.Plugin{ + Name: inputName, + Stability: feature.Beta, + Deprecated: false, + Manager: stateless.NewInputManager(configure), } - - return events } -// getNextLinkFromHeader retrieves the next URL for pagination from the HTTP Header of the response -func getNextLinkFromHeader(header http.Header, fieldName string, re *regexp.Regexp) (string, error) { - links, ok := header[fieldName] - if !ok { - return "", errors.Errorf("field %s does not exist in the HTTP Header", fieldName) - } - for _, link := range links { - matchArray := re.FindAllStringSubmatch(link, -1) - if len(matchArray) == 1 { - return matchArray[0][1], nil - } +func configure(cfg *common.Config) (stateless.Input, error) { + conf := defaultConfig() + if err := cfg.Unpack(&conf); err != nil { + return nil, err } - return "", nil -} -// getRateLimit get the rate limit value if specified in the HTTP Header of the response, -// and returns an init64 value in seconds since unix epoch for rate limit reset time. -// When there is a remaining rate limit quota, or when the rate limit reset time has expired, it -// returns 0 for the epoch value. -func getRateLimit(header http.Header, rateLimit *RateLimit) (int64, error) { - if rateLimit != nil { - if rateLimit.Remaining != "" { - remaining := header.Get(rateLimit.Remaining) - if remaining == "" { - return 0, errors.Errorf("field %s does not exist in the HTTP Header, or is empty", rateLimit.Remaining) - } - m, err := strconv.ParseInt(remaining, 10, 64) - if err != nil { - return 0, errors.Wrapf(err, "failed to parse rate-limit remaining value") - } - if m == 0 { - reset := header.Get(rateLimit.Reset) - if reset == "" { - return 0, errors.Errorf("field %s does not exist in the HTTP Header, or is empty", rateLimit.Reset) - } - epoch, err := strconv.ParseInt(reset, 10, 64) - if err != nil { - return 0, errors.Wrapf(err, "failed to parse rate-limit reset value") - } - if time.Unix(epoch, 0).Sub(time.Now()) <= 0 { - return 0, nil - } - return epoch, nil - } - } - } - return 0, nil + return newHTTPJSONInput(conf) } -// applyRateLimit applies appropriate rate limit if specified in the HTTP Header of the response -func (in *HttpjsonInput) applyRateLimit(ctx context.Context, header http.Header, rateLimit *RateLimit) error { - epoch, err := getRateLimit(header, rateLimit) - if err != nil { - return err - } - t := time.Unix(epoch, 0) - w := time.Until(t) - if epoch == 0 || w <= 0 { - in.log.Debugf("Rate Limit: No need to apply rate limit.") - return nil - } - in.log.Debugf("Rate Limit: Wait until %v for the rate limit to reset.", t) - ticker := time.NewTicker(w) - defer ticker.Stop() - select { - case <-ctx.Done(): - in.log.Info("Context done.") - return nil - case <-ticker.C: - in.log.Debug("Rate Limit: time is up.") - return nil +func newHTTPJSONInput(config config) (*httpJSONInput, error) { + if err := config.Validate(); err != nil { + return nil, err } -} -// createRequestInfoFromBody creates a new RequestInfo for a new HTTP request in pagination based on HTTP response body -func createRequestInfoFromBody(m common.MapStr, idField string, requestField string, extraBodyContent common.MapStr, url string, ri *RequestInfo) (*RequestInfo, error) { - v, err := m.GetValue(idField) + tlsConfig, err := tlscommon.LoadTLSConfig(config.TLS) if err != nil { - if err == common.ErrKeyNotFound { - return nil, nil - } else { - return nil, errors.Wrapf(err, "failed to retrieve id_field for pagination") - } - } - if requestField != "" { - ri.ContentMap.Put(requestField, v) - if url != "" { - ri.URL = url - } - } else { - switch vt := v.(type) { - case string: - ri.URL = vt - default: - return nil, errors.New("pagination ID is not of string type") - } - } - if len(extraBodyContent) > 0 { - ri.ContentMap.Update(extraBodyContent) + return nil, err } - return ri, nil + + return &httpJSONInput{ + config: config, + tlsConfig: tlsConfig, + }, nil } -// processHTTPRequest processes HTTP request, and handles pagination if enabled -func (in *HttpjsonInput) processHTTPRequest(ctx context.Context, client *http.Client, ri *RequestInfo) error { - ri.URL = in.getURL() - for { - req, err := in.createHTTPRequest(ctx, ri) - if err != nil { - return errors.Wrapf(err, "failed to create http request") - } - msg, err := client.Do(req) - if err != nil { - return errors.Wrapf(err, "failed to execute http client.Do") - } - responseData, err := ioutil.ReadAll(msg.Body) - header := msg.Header - msg.Body.Close() - if err != nil { - return errors.Wrapf(err, "failed to read http.response.body") - } - if msg.StatusCode != http.StatusOK { - in.log.Debugw("HTTP request failed", "http.response.status_code", msg.StatusCode, "http.response.body", string(responseData)) - if msg.StatusCode == http.StatusTooManyRequests { - if err = in.applyRateLimit(ctx, header, in.config.RateLimit); err != nil { - return err - } - continue - } - return errors.Errorf("http request was unsuccessful with a status code %d", msg.StatusCode) - } - var m, v interface{} - var mm map[string]interface{} - err = json.Unmarshal(responseData, &m) - if err != nil { - in.log.Debug("failed to unmarshal http.response.body", string(responseData)) - return errors.Wrapf(err, "failed to unmarshal http.response.body") - } - switch obj := m.(type) { - // Top level Array - case []interface{}: - mm, err = in.processEventArray(obj) - if err != nil { - return err - } - case map[string]interface{}: - if in.config.JSONObjects == "" { - mm, err = in.processEventArray([]interface{}{obj}) - if err != nil { - return err - } - } else { - v, err = common.MapStr(obj).GetValue(in.config.JSONObjects) - if err != nil { - if err == common.ErrKeyNotFound { - return nil - } - return err - } - switch ts := v.(type) { - case []interface{}: - mm, err = in.processEventArray(ts) - if err != nil { - return err - } - default: - return errors.Errorf("content of %s is not a valid array", in.config.JSONObjects) - } - } - default: - in.log.Debug("http.response.body is not a valid JSON object", string(responseData)) - return errors.Errorf("http.response.body is not a valid JSON object, but a %T", obj) - } - if mm != nil && in.config.Pagination.IsEnabled() { - if in.config.Pagination.Header != nil { - // Pagination control using HTTP Header - url, err := getNextLinkFromHeader(header, in.config.Pagination.Header.FieldName, in.config.Pagination.Header.RegexPattern) - if err != nil { - return errors.Wrapf(err, "failed to retrieve the next URL for pagination") - } - if ri.URL == url || url == "" { - in.log.Info("Pagination finished.") - return nil - } - ri.URL = url - if err = in.applyRateLimit(ctx, header, in.config.RateLimit); err != nil { - return err - } - in.log.Info("Continuing with pagination to URL: ", ri.URL) - continue - } else { - // Pagination control using HTTP Body fields - ri, err = createRequestInfoFromBody(common.MapStr(mm), in.config.Pagination.IDField, in.config.Pagination.RequestField, common.MapStr(in.config.Pagination.ExtraBodyContent), in.config.Pagination.URL, ri) - if err != nil { - return err - } - if ri == nil { - return nil - } - if err = in.applyRateLimit(ctx, header, in.config.RateLimit); err != nil { - return err - } - in.log.Info("Continuing with pagination to URL: ", ri.URL) - continue - } +func (*httpJSONInput) Name() string { return inputName } + +func (in *httpJSONInput) Test(v2.TestContext) error { + port := func() string { + if in.config.URL.Port() != "" { + return in.config.URL.Port() } - if mm != nil && in.config.DateCursor.IsEnabled() { - in.advanceCursor(common.MapStr(mm)) + switch in.config.URL.Scheme { + case "https": + return "443" } - return nil - } -} + return "80" + }() -func (in *HttpjsonInput) getURL() string { - if !in.config.DateCursor.IsEnabled() { - return in.config.URL + _, err := net.DialTimeout("tcp", net.JoinHostPort(in.config.URL.Hostname(), port), time.Second) + if err != nil { + return fmt.Errorf("url %q is unreachable", in.config.URL) } - var dateStr string - if in.nextCursorValue == "" { - t := timeNow().UTC().Add(-in.config.DateCursor.InitialInterval) - dateStr = t.Format(in.config.DateCursor.GetDateFormat()) - } else { - dateStr = in.nextCursorValue - } + return nil +} - url, err := url.Parse(in.config.URL) - if err != nil { - return in.config.URL - } +// Run starts the input and blocks until it ends the execution. +// It will return on context cancellation, any other error will be retried. +func (in *httpJSONInput) Run(ctx v2.Context, publisher stateless.Publisher) error { + log := ctx.Logger.With("url", in.config.URL) - q := url.Query() + stdCtx := ctxtool.FromCanceller(ctx.Cancelation) - var value string - if in.config.DateCursor.ValueTemplate == nil { - value = dateStr - } else { - buf := new(bytes.Buffer) - if err := in.config.DateCursor.ValueTemplate.Execute(buf, dateStr); err != nil { - return in.config.URL - } - value = buf.String() + httpClient, err := in.newHTTPClient(stdCtx) + if err != nil { + return err } - q.Set(in.config.DateCursor.URLField, value) - - url.RawQuery = q.Encode() + dateCursor := newDateCursorFromConfig(in.config, log) - return url.String() -} + rateLimiter := newRateLimiterFromConfig(in.config, log) -func (in *HttpjsonInput) advanceCursor(m common.MapStr) { - v, err := m.GetValue(in.config.DateCursor.Field) - if err != nil { - in.log.Warnf("date_cursor field: %q", err) - return - } - switch t := v.(type) { - case string: - _, err := time.Parse(in.config.DateCursor.GetDateFormat(), t) - if err != nil { - return - } - in.nextCursorValue = t - default: - in.log.Warn("date_cursor field must be a string, cursor will not advance") - return - } -} + pagination := newPaginationFromConfig(in.config) -func (in *HttpjsonInput) run() error { - ctx, cancel := context.WithCancel(in.workerCtx) - defer cancel() + requester := newRequester( + in.config, + rateLimiter, + dateCursor, + pagination, + httpClient, + log, + ) - client, err := in.newHTTPClient(ctx) - if err != nil { - return err + // TODO: disallow passing interval = 0 as a mean to run once. + if in.config.Interval == 0 { + return requester.processHTTPRequest(stdCtx, publisher) } - ri := &RequestInfo{ - ContentMap: common.MapStr{}, - Headers: in.HTTPHeaders, - } - if in.config.HTTPMethod == "POST" && in.config.HTTPRequestBody != nil { - ri.ContentMap.Update(common.MapStr(in.config.HTTPRequestBody)) - } - err = in.processHTTPRequest(ctx, client, ri) - if err == nil && in.Interval > 0 { - ticker := time.NewTicker(in.Interval) - defer ticker.Stop() - for { - select { - case <-ctx.Done(): - in.log.Info("Context done.") - return nil - case <-ticker.C: - in.log.Info("Process another repeated request.") - err = in.processHTTPRequest(ctx, client, ri) - if err != nil { - return err - } - } + err = timed.Periodic(stdCtx, in.config.Interval, func() error { + log.Info("Process another repeated request.") + if err := requester.processHTTPRequest(stdCtx, publisher); err != nil { + log.Error(err) } - } - return err -} + return nil + }) -// Stop stops the misp input and waits for it to fully stop. -func (in *HttpjsonInput) Stop() { - in.workerCancel() - in.workerWg.Wait() -} + log.Infof("Context done: %v", err) -// Wait is an alias for Stop. -func (in *HttpjsonInput) Wait() { - in.Stop() + return nil } -func (in *HttpjsonInput) newHTTPClient(ctx context.Context) (*http.Client, error) { - tlsConfig, err := tlscommon.LoadTLSConfig(in.config.TLS) - if err != nil { - return nil, err - } - +func (in *httpJSONInput) newHTTPClient(ctx context.Context) (*http.Client, error) { // Make retryable HTTP client - var client *retryablehttp.Client = &retryablehttp.Client{ + client := &retryablehttp.Client{ HTTPClient: &http.Client{ Transport: &http.Transport{ DialContext: (&net.Dialer{ Timeout: in.config.HTTPClientTimeout, }).DialContext, - TLSClientConfig: tlsConfig.ToConfig(), + TLSClientConfig: in.tlsConfig.ToConfig(), DisableKeepAlives: true, }, Timeout: in.config.HTTPClientTimeout, diff --git a/x-pack/filebeat/input/httpjson/pagination.go b/x-pack/filebeat/input/httpjson/pagination.go new file mode 100644 index 00000000000..9a7bf82b2b4 --- /dev/null +++ b/x-pack/filebeat/input/httpjson/pagination.go @@ -0,0 +1,125 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + "errors" + "fmt" + "net/http" + "net/url" + "regexp" + + "github.com/elastic/beats/v7/libbeat/common" +) + +type pagination struct { + extraBodyContent common.MapStr + header *Header + idField string + requestField string + urlField string + url string +} + +func newPaginationFromConfig(config config) *pagination { + if !config.Pagination.IsEnabled() { + return nil + } + return &pagination{ + extraBodyContent: config.Pagination.ExtraBodyContent.Clone(), + header: config.Pagination.Header, + idField: config.Pagination.IDField, + requestField: config.Pagination.RequestField, + urlField: config.Pagination.URLField, + url: config.Pagination.URL, + } +} + +func (p *pagination) nextRequestInfo(ri *requestInfo, response response, lastObj common.MapStr) (*requestInfo, bool, error) { + if p == nil { + return ri, false, nil + } + + if p.header == nil { + var err error + // Pagination control using HTTP Body fields + if err = p.setRequestInfoFromBody(response.body, lastObj, ri); err != nil { + // if the field is not found, there is no next page + if errors.Is(err, common.ErrKeyNotFound) { + return ri, false, nil + } + return ri, false, err + } + + return ri, true, nil + } + + // Pagination control using HTTP Header + url, err := getNextLinkFromHeader(response.header, p.header.FieldName, p.header.RegexPattern) + if err != nil { + return ri, false, fmt.Errorf("failed to retrieve the next URL for pagination: %w", err) + } + if ri.url == url || url == "" { + return ri, false, nil + } + + ri.url = url + + return ri, true, nil +} + +// getNextLinkFromHeader retrieves the next URL for pagination from the HTTP Header of the response +func getNextLinkFromHeader(header http.Header, fieldName string, re *regexp.Regexp) (string, error) { + links, ok := header[fieldName] + if !ok { + return "", fmt.Errorf("field %s does not exist in the HTTP Header", fieldName) + } + for _, link := range links { + matchArray := re.FindAllStringSubmatch(link, -1) + if len(matchArray) == 1 { + return matchArray[0][1], nil + } + } + return "", nil +} + +// createRequestInfoFromBody creates a new RequestInfo for a new HTTP request in pagination based on HTTP response body +func (p *pagination) setRequestInfoFromBody(response, last common.MapStr, ri *requestInfo) error { + // we try to get it from last element, if not found, from the original response + v, err := last.GetValue(p.idField) + if err == common.ErrKeyNotFound { + v, err = response.GetValue(p.idField) + } + + if err != nil { + return fmt.Errorf("failed to retrieve id_field for pagination: %w", err) + } + + if p.requestField != "" { + _, _ = ri.contentMap.Put(p.requestField, v) + if p.url != "" { + ri.url = p.url + } + } else if p.urlField != "" { + url, err := url.Parse(ri.url) + if err == nil { + q := url.Query() + q.Set(p.urlField, fmt.Sprint(v)) + url.RawQuery = q.Encode() + ri.url = url.String() + } + } else { + switch vt := v.(type) { + case string: + ri.url = vt + default: + return errors.New("pagination ID is not of string type") + } + } + if len(p.extraBodyContent) > 0 { + ri.contentMap.Update(common.MapStr(p.extraBodyContent)) + } + return nil +} diff --git a/x-pack/filebeat/input/httpjson/pagination_test.go b/x-pack/filebeat/input/httpjson/pagination_test.go new file mode 100644 index 00000000000..9b04de75819 --- /dev/null +++ b/x-pack/filebeat/input/httpjson/pagination_test.go @@ -0,0 +1,77 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + "net/http" + "regexp" + "testing" + + "github.com/elastic/beats/v7/libbeat/common" +) + +func TestGetNextLinkFromHeader(t *testing.T) { + header := make(http.Header) + header.Add("Link", "; rel=\"self\"") + header.Add("Link", "; rel=\"next\"") + re, _ := regexp.Compile("<([^>]+)>; *rel=\"next\"(?:,|$)") + url, err := getNextLinkFromHeader(header, "Link", re) + if url != "https://dev-168980.okta.com/api/v1/logs?after=1581658181086_1" { + t.Fatal("Failed to test getNextLinkFromHeader. URL " + url + " is not expected") + } + if err != nil { + t.Fatal("Failed to test getNextLinkFromHeader with error:", err) + } +} + +func TestCreateRequestInfoFromBody(t *testing.T) { + m := map[string]interface{}{ + "id": 100, + } + extraBodyContent := common.MapStr{"extra_body": "abc"} + pagination := &pagination{ + idField: "id", + requestField: "pagination_id", + extraBodyContent: extraBodyContent, + url: "https://test-123", + } + ri := &requestInfo{ + url: "", + contentMap: common.MapStr{}, + headers: common.MapStr{}, + } + err := pagination.setRequestInfoFromBody( + common.MapStr(m), + common.MapStr(m), + ri, + ) + if ri.url != "https://test-123" { + t.Fatal("Failed to test createRequestInfoFromBody. URL should be https://test-123.") + } + p, err := ri.contentMap.GetValue("pagination_id") + if err != nil { + t.Fatal("Failed to test createRequestInfoFromBody with error", err) + } + switch pt := p.(type) { + case int: + if pt != 100 { + t.Fatalf("Failed to test createRequestInfoFromBody. pagination_id value %d should be 100.", pt) + } + default: + t.Fatalf("Failed to test createRequestInfoFromBody. pagination_id value %T should be int.", pt) + } + b, err := ri.contentMap.GetValue("extra_body") + if err != nil { + t.Fatal("Failed to test createRequestInfoFromBody with error", err) + } + switch bt := b.(type) { + case string: + if bt != "abc" { + t.Fatalf("Failed to test createRequestInfoFromBody. extra_body value %s does not match \"abc\".", bt) + } + default: + t.Fatalf("Failed to test createRequestInfoFromBody. extra_body type %T should be string.", bt) + } +} diff --git a/x-pack/filebeat/input/httpjson/rate_limiter.go b/x-pack/filebeat/input/httpjson/rate_limiter.go new file mode 100644 index 00000000000..57d206224ac --- /dev/null +++ b/x-pack/filebeat/input/httpjson/rate_limiter.go @@ -0,0 +1,130 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + "context" + "fmt" + "net/http" + "strconv" + "time" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +type rateLimiter struct { + log *logp.Logger + + limit string + reset string + remaining string +} + +func newRateLimiterFromConfig(config config, log *logp.Logger) *rateLimiter { + if config.RateLimit == nil { + return nil + } + + return &rateLimiter{ + log: log, + limit: config.RateLimit.Limit, + reset: config.RateLimit.Reset, + remaining: config.RateLimit.Remaining, + } +} + +func (r *rateLimiter) execute(ctx context.Context, f func(context.Context) (*http.Response, error)) (*http.Response, error) { + for { + resp, err := f(ctx) + if err != nil { + return nil, err + } + + header := resp.Header + if err != nil { + return nil, fmt.Errorf("failed to read http.response.body: %w", err) + } + + if r == nil || resp.StatusCode == http.StatusOK { + return resp, nil + } + + if resp.StatusCode != http.StatusTooManyRequests { + return nil, fmt.Errorf("http request was unsuccessful with a status code %d", resp.StatusCode) + } + + if err := r.applyRateLimit(ctx, header); err != nil { + return nil, err + } + } +} + +// applyRateLimit applies appropriate rate limit if specified in the HTTP Header of the response +func (r *rateLimiter) applyRateLimit(ctx context.Context, header http.Header) error { + epoch, err := r.getRateLimit(header) + if err != nil { + return err + } + + t := time.Unix(epoch, 0) + w := time.Until(t) + if epoch == 0 || w <= 0 { + r.log.Debugf("Rate Limit: No need to apply rate limit.") + return nil + } + r.log.Debugf("Rate Limit: Wait until %v for the rate limit to reset.", t) + ticker := time.NewTicker(w) + defer ticker.Stop() + + select { + case <-ctx.Done(): + r.log.Info("Context done.") + return nil + case <-ticker.C: + r.log.Debug("Rate Limit: time is up.") + return nil + } +} + +// getRateLimit gets the rate limit value if specified in the HTTP Header of the response, +// and returns an int64 value in seconds since unix epoch for rate limit reset time. +// When there is a remaining rate limit quota, or when the rate limit reset time has expired, it +// returns 0 for the epoch value. +func (r *rateLimiter) getRateLimit(header http.Header) (int64, error) { + if r == nil { + return 0, nil + } + + if r.remaining == "" { + return 0, nil + } + + remaining := header.Get(r.remaining) + if remaining == "" { + return 0, fmt.Errorf("field %s does not exist in the HTTP Header, or is empty", r.remaining) + } + m, err := strconv.ParseInt(remaining, 10, 64) + if err != nil { + return 0, fmt.Errorf("failed to parse rate-limit remaining value: %w", err) + } + + if m != 0 { + return 0, nil + } + + reset := header.Get(r.reset) + if reset == "" { + return 0, fmt.Errorf("field %s does not exist in the HTTP Header, or is empty", r.reset) + } + epoch, err := strconv.ParseInt(reset, 10, 64) + if err != nil { + return 0, fmt.Errorf("failed to parse rate-limit reset value: %w", err) + } + if time.Unix(epoch, 0).Sub(time.Now()) <= 0 { + return 0, nil + } + + return epoch, nil +} diff --git a/x-pack/filebeat/input/httpjson/rate_limiter_test.go b/x-pack/filebeat/input/httpjson/rate_limiter_test.go new file mode 100644 index 00000000000..e349e725f2f --- /dev/null +++ b/x-pack/filebeat/input/httpjson/rate_limiter_test.go @@ -0,0 +1,64 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + "net/http" + "strconv" + "testing" + "time" +) + +// Test getRateLimit function with a remaining quota, expect to receive 0, nil. +func TestGetRateLimitCase1(t *testing.T) { + header := make(http.Header) + header.Add("X-Rate-Limit-Limit", "120") + header.Add("X-Rate-Limit-Remaining", "118") + header.Add("X-Rate-Limit-Reset", "1581658643") + rateLimit := &rateLimiter{ + limit: "X-Rate-Limit-Limit", + reset: "X-Rate-Limit-Reset", + remaining: "X-Rate-Limit-Remaining", + } + epoch, err := rateLimit.getRateLimit(header) + if err != nil || epoch != 0 { + t.Fatal("Failed to test getRateLimit.") + } +} + +// Test getRateLimit function with a past time, expect to receive 0, nil. +func TestGetRateLimitCase2(t *testing.T) { + header := make(http.Header) + header.Add("X-Rate-Limit-Limit", "10") + header.Add("X-Rate-Limit-Remaining", "0") + header.Add("X-Rate-Limit-Reset", "1581658643") + rateLimit := &rateLimiter{ + limit: "X-Rate-Limit-Limit", + reset: "X-Rate-Limit-Reset", + remaining: "X-Rate-Limit-Remaining", + } + epoch, err := rateLimit.getRateLimit(header) + if err != nil || epoch != 0 { + t.Fatal("Failed to test getRateLimit.") + } +} + +// Test getRateLimit function with a time yet to come, expect to receive , nil. +func TestGetRateLimitCase3(t *testing.T) { + epoch := time.Now().Unix() + 100 + header := make(http.Header) + header.Add("X-Rate-Limit-Limit", "10") + header.Add("X-Rate-Limit-Remaining", "0") + header.Add("X-Rate-Limit-Reset", strconv.FormatInt(epoch, 10)) + rateLimit := &rateLimiter{ + limit: "X-Rate-Limit-Limit", + reset: "X-Rate-Limit-Reset", + remaining: "X-Rate-Limit-Remaining", + } + epoch2, err := rateLimit.getRateLimit(header) + if err != nil || epoch2 != epoch { + t.Fatal("Failed to test getRateLimit.") + } +} diff --git a/x-pack/filebeat/input/httpjson/requester.go b/x-pack/filebeat/input/httpjson/requester.go new file mode 100644 index 00000000000..b5f58179aa0 --- /dev/null +++ b/x-pack/filebeat/input/httpjson/requester.go @@ -0,0 +1,275 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + "bytes" + "context" + "encoding/json" + "fmt" + "io" + "io/ioutil" + "net/http" + "strings" + + stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" +) + +type requestInfo struct { + url string + contentMap common.MapStr + headers common.MapStr +} + +type requester struct { + log *logp.Logger + client *http.Client + dateCursor *dateCursor + rateLimiter *rateLimiter + pagination *pagination + + method string + reqBody common.MapStr + headers common.MapStr + noHTTPBody bool + apiKey string + authScheme string + jsonObjects string + splitEventsBy string +} + +func newRequester( + config config, + rateLimiter *rateLimiter, + dateCursor *dateCursor, + pagination *pagination, + client *http.Client, + log *logp.Logger) *requester { + return &requester{ + log: log, + client: client, + rateLimiter: rateLimiter, + dateCursor: dateCursor, + pagination: pagination, + method: config.HTTPMethod, + reqBody: config.HTTPRequestBody.Clone(), + headers: config.HTTPHeaders.Clone(), + noHTTPBody: config.NoHTTPBody, + apiKey: config.APIKey, + authScheme: config.AuthenticationScheme, + splitEventsBy: config.SplitEventsBy, + jsonObjects: config.JSONObjects, + } +} + +type response struct { + header http.Header + body common.MapStr +} + +// processHTTPRequest processes HTTP request, and handles pagination if enabled +func (r *requester) processHTTPRequest(ctx context.Context, publisher stateless.Publisher) error { + ri := &requestInfo{ + url: r.dateCursor.getURL(), + contentMap: common.MapStr{}, + headers: r.headers, + } + + if r.method == "POST" && r.reqBody != nil { + ri.contentMap.Update(common.MapStr(r.reqBody)) + } + + var ( + m, v interface{} + response response + lastObj common.MapStr + ) + + // always request at least once + hasNext := true + + for hasNext { + resp, err := r.rateLimiter.execute( + ctx, + func(ctx context.Context) (*http.Response, error) { + req, err := r.createHTTPRequest(ctx, ri) + if err != nil { + return nil, fmt.Errorf("failed to create http request: %w", err) + } + msg, err := r.client.Do(req) + if err != nil { + return nil, fmt.Errorf("failed to execute http client.Do: %w", err) + } + return msg, nil + }, + ) + if err != nil { + return err + } + + responseData, err := ioutil.ReadAll(resp.Body) + if err != nil { + return fmt.Errorf("failed to read http response: %w", err) + } + _ = resp.Body.Close() + + if err = json.Unmarshal(responseData, &m); err != nil { + r.log.Debug("failed to unmarshal http.response.body", string(responseData)) + return fmt.Errorf("failed to unmarshal http.response.body: %w", err) + } + + switch obj := m.(type) { + // Top level Array + case []interface{}: + lastObj, err = r.processEventArray(publisher, obj) + if err != nil { + return err + } + case map[string]interface{}: + response.body = obj + if r.jsonObjects == "" { + lastObj, err = r.processEventArray(publisher, []interface{}{obj}) + if err != nil { + return err + } + } else { + v, err = common.MapStr(obj).GetValue(r.jsonObjects) + if err != nil { + if err == common.ErrKeyNotFound { + break + } + return err + } + switch ts := v.(type) { + case []interface{}: + lastObj, err = r.processEventArray(publisher, ts) + if err != nil { + return err + } + default: + return fmt.Errorf("content of %s is not a valid array", r.jsonObjects) + } + } + default: + r.log.Debug("http.response.body is not a valid JSON object", string(responseData)) + return fmt.Errorf("http.response.body is not a valid JSON object, but a %T", obj) + } + + ri, hasNext, err = r.pagination.nextRequestInfo(ri, response, lastObj) + if err != nil { + return err + } + } + + if lastObj != nil && r.dateCursor.enabled { + r.dateCursor.advance(common.MapStr(lastObj)) + } + + return nil +} + +// createHTTPRequest creates an HTTP/HTTPs request for the input +func (r *requester) createHTTPRequest(ctx context.Context, ri *requestInfo) (*http.Request, error) { + var body io.Reader + if len(ri.contentMap) == 0 || r.noHTTPBody { + body = nil + } else { + b, err := json.Marshal(ri.contentMap) + if err != nil { + return nil, err + } + body = bytes.NewReader(b) + } + req, err := http.NewRequest(r.method, ri.url, body) + if err != nil { + return nil, err + } + req = req.WithContext(ctx) + req.Header.Set("Accept", "application/json") + req.Header.Set("Content-Type", "application/json") + req.Header.Set("User-Agent", userAgent) + if r.apiKey != "" { + if r.authScheme != "" { + req.Header.Set("Authorization", r.authScheme+" "+r.apiKey) + } else { + req.Header.Set("Authorization", r.apiKey) + } + } + for k, v := range ri.headers { + switch vv := v.(type) { + case string: + req.Header.Set(k, vv) + default: + } + } + return req, nil +} + +// processEventArray publishes an event for each object contained in the array. It returns the last object in the array and an error if any. +func (r *requester) processEventArray(publisher stateless.Publisher, events []interface{}) (map[string]interface{}, error) { + var last map[string]interface{} + for _, t := range events { + switch v := t.(type) { + case map[string]interface{}: + for _, e := range splitEvent(r.splitEventsBy, v) { + last = e + d, err := json.Marshal(e) + if err != nil { + return nil, fmt.Errorf("failed to marshal %+v: %w", e, err) + } + publisher.Publish(makeEvent(string(d))) + } + default: + return nil, fmt.Errorf("expected only JSON objects in the array but got a %T", v) + } + } + return last, nil +} + +func splitEvent(splitKey string, event map[string]interface{}) []map[string]interface{} { + m := common.MapStr(event) + + // NOTE: this notation is only used internally, not meant to be documented + // and will be removed in the next release + keys := strings.SplitN(splitKey, "..", 2) + if len(keys) < 2 { + // we append an empty key to force the recursive call + keys = append(keys, "") + } + + hasSplitKey, _ := m.HasKey(keys[0]) + if keys[0] == "" || !hasSplitKey { + return []map[string]interface{}{event} + } + + splitOnIfc, _ := m.GetValue(keys[0]) + splitOn, ok := splitOnIfc.([]interface{}) + // if not an array or is empty, we do nothing + if !ok || len(splitOn) == 0 { + return []map[string]interface{}{event} + } + + var events []map[string]interface{} + for _, split := range splitOn { + s, ok := split.(map[string]interface{}) + // if not an object, we do nothing + if !ok { + return []map[string]interface{}{event} + } + + // call splitEvent recursively for each part + for _, nestedSplit := range splitEvent(keys[1], s) { + mm := m.Clone() + if _, err := mm.Put(keys[0], nestedSplit); err != nil { + return []map[string]interface{}{event} + } + events = append(events, mm) + } + } + + return events +} diff --git a/x-pack/filebeat/input/httpjson/requester_test.go b/x-pack/filebeat/input/httpjson/requester_test.go new file mode 100644 index 00000000000..31e65a57c73 --- /dev/null +++ b/x-pack/filebeat/input/httpjson/requester_test.go @@ -0,0 +1,86 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestSplitEventsBy(t *testing.T) { + event := map[string]interface{}{ + "this": "is kept", + "alerts": []interface{}{ + map[string]interface{}{ + "this_is": "also kept", + "entities": []interface{}{ + map[string]interface{}{ + "something": "something", + }, + map[string]interface{}{ + "else": "else", + }, + }, + }, + map[string]interface{}{ + "this_is": "also kept 2", + "entities": []interface{}{ + map[string]interface{}{ + "something": "something 2", + }, + map[string]interface{}{ + "else": "else 2", + }, + }, + }, + }, + } + + expectedEvents := []map[string]interface{}{ + { + "this": "is kept", + "alerts": map[string]interface{}{ + "this_is": "also kept", + "entities": map[string]interface{}{ + "something": "something", + }, + }, + }, + { + "this": "is kept", + "alerts": map[string]interface{}{ + "this_is": "also kept", + "entities": map[string]interface{}{ + "else": "else", + }, + }, + }, + { + "this": "is kept", + "alerts": map[string]interface{}{ + "this_is": "also kept 2", + "entities": map[string]interface{}{ + "something": "something 2", + }, + }, + }, + { + "this": "is kept", + "alerts": map[string]interface{}{ + "this_is": "also kept 2", + "entities": map[string]interface{}{ + "else": "else 2", + }, + }, + }, + } + + const key = "alerts..entities" + + got := splitEvent(key, event) + + assert.Equal(t, expectedEvents, got) +} diff --git a/x-pack/filebeat/input/s3/config.go b/x-pack/filebeat/input/s3/config.go index 72960ad9ade..f9780d82277 100644 --- a/x-pack/filebeat/input/s3/config.go +++ b/x-pack/filebeat/input/s3/config.go @@ -6,6 +6,7 @@ package s3 import ( "fmt" + "regexp" "time" "github.com/elastic/beats/v7/filebeat/harvester" @@ -19,6 +20,14 @@ type config struct { AwsConfig awscommon.ConfigAWS `config:",inline"` ExpandEventListFromField string `config:"expand_event_list_from_field"` APITimeout time.Duration `config:"api_timeout"` + FileSelectors []FileSelectorCfg `config:"file_selectors"` +} + +// FileSelectorCfg defines type and configuration of FileSelectors +type FileSelectorCfg struct { + RegexString string `config:"regex"` + Regex *regexp.Regexp `config:",ignore"` + ExpandEventListFromField string `config:"expand_event_list_from_field"` } func defaultConfig() config { @@ -40,5 +49,12 @@ func (c *config) Validate() error { return fmt.Errorf("api timeout %v needs to be larger than"+ " 0s and smaller than half of the visibility timeout", c.APITimeout) } + for i := range c.FileSelectors { + r, err := regexp.Compile(c.FileSelectors[i].RegexString) + if err != nil { + return err + } + c.FileSelectors[i].Regex = r + } return nil } diff --git a/x-pack/filebeat/input/s3/input.go b/x-pack/filebeat/input/s3/input.go index b5201686597..1085c9dccbd 100644 --- a/x-pack/filebeat/input/s3/input.go +++ b/x-pack/filebeat/input/s3/input.go @@ -74,10 +74,11 @@ type s3Input struct { } type s3Info struct { - name string - key string - region string - arn string + name string + key string + region string + arn string + expandEventListFromField string } type bucket struct { @@ -252,7 +253,7 @@ func (p *s3Input) processor(queueURL string, messages []sqs.Message, visibilityT func (p *s3Input) processMessage(svcS3 s3iface.ClientAPI, message sqs.Message, wg *sync.WaitGroup, errC chan error) { defer wg.Done() - s3Infos, err := handleSQSMessage(message) + s3Infos, err := p.handleSQSMessage(message) if err != nil { p.logger.Error(errors.Wrap(err, "handleSQSMessage failed")) return @@ -352,7 +353,7 @@ func getRegionFromQueueURL(queueURL string) (string, error) { } // handle message -func handleSQSMessage(m sqs.Message) ([]s3Info, error) { +func (p *s3Input) handleSQSMessage(m sqs.Message) ([]s3Info, error) { msg := sqsMessage{} err := json.Unmarshal([]byte(*m.Body), &msg) if err != nil { @@ -361,21 +362,40 @@ func handleSQSMessage(m sqs.Message) ([]s3Info, error) { var s3Infos []s3Info for _, record := range msg.Records { - if record.EventSource == "aws:s3" && strings.HasPrefix(record.EventName, "ObjectCreated:") { - // Unescape substrings from s3 log name. For example, convert "%3D" back to "=" - filename, err := url.QueryUnescape(record.S3.object.Key) - if err != nil { - return nil, errors.Wrapf(err, "url.QueryUnescape failed for '%s'", record.S3.object.Key) - } + if record.EventSource != "aws:s3" || !strings.HasPrefix(record.EventName, "ObjectCreated:") { + return nil, errors.New("this SQS queue should be dedicated to s3 ObjectCreated event notifications") + } + // Unescape substrings from s3 log name. For example, convert "%3D" back to "=" + filename, err := url.QueryUnescape(record.S3.object.Key) + if err != nil { + return nil, errors.Wrapf(err, "url.QueryUnescape failed for '%s'", record.S3.object.Key) + } + if len(p.config.FileSelectors) == 0 { s3Infos = append(s3Infos, s3Info{ - region: record.AwsRegion, - name: record.S3.bucket.Name, - key: filename, - arn: record.S3.bucket.Arn, + region: record.AwsRegion, + name: record.S3.bucket.Name, + key: filename, + arn: record.S3.bucket.Arn, + expandEventListFromField: p.config.ExpandEventListFromField, }) - } else { - return nil, errors.New("this SQS queue should be dedicated to s3 ObjectCreated event notifications") + continue + } + + for _, fs := range p.config.FileSelectors { + if fs.Regex == nil { + continue + } + if fs.Regex.MatchString(filename) { + s3Infos = append(s3Infos, s3Info{ + region: record.AwsRegion, + name: record.S3.bucket.Name, + key: filename, + arn: record.S3.bucket.Arn, + expandEventListFromField: fs.ExpandEventListFromField, + }) + break + } } } return s3Infos, nil @@ -455,17 +475,10 @@ func (p *s3Input) createEventsFromS3Info(svc s3iface.ClientAPI, info s3Info, s3C gzipReader.Close() } - // Check if expand_event_list_from_field is given with document content-type = "application/json" - if resp.ContentType != nil && *resp.ContentType == "application/json" && p.config.ExpandEventListFromField == "" { - err := errors.New("expand_event_list_from_field parameter is missing in config for application/json content-type file") - p.logger.Error(err) - return err - } - - // Decode JSON documents when expand_event_list_from_field is given in config - if p.config.ExpandEventListFromField != "" { + // Decode JSON documents when content-type is "application/json" or expand_event_list_from_field is given in config + if resp.ContentType != nil && *resp.ContentType == "application/json" || info.expandEventListFromField != "" { decoder := json.NewDecoder(reader) - err := p.decodeJSONWithKey(decoder, objectHash, info, s3Ctx) + err := p.decodeJSON(decoder, objectHash, info, s3Ctx) if err != nil { err = errors.Wrapf(err, "decodeJSONWithKey failed for '%s' from S3 bucket '%s'", info.key, info.name) p.logger.Error(err) @@ -477,11 +490,7 @@ func (p *s3Input) createEventsFromS3Info(svc s3iface.ClientAPI, info s3Info, s3C // handle s3 objects that are not json content-type offset := 0 for { - log, err := reader.ReadString('\n') - if log == "" { - break - } - + log, err := readStringAndTrimDelimiter(reader) if err == io.EOF { // create event for last line offset += len([]byte(log)) @@ -494,11 +503,15 @@ func (p *s3Input) createEventsFromS3Info(svc s3iface.ClientAPI, info s3Info, s3C } return nil } else if err != nil { - err = errors.Wrap(err, "ReadString failed") + err = errors.Wrap(err, "readStringAndTrimDelimiter failed") p.logger.Error(err) return err } + if log == "" { + break + } + // create event per log line offset += len([]byte(log)) event := createEvent(log, offset, info, objectHash, s3Ctx) @@ -512,33 +525,20 @@ func (p *s3Input) createEventsFromS3Info(svc s3iface.ClientAPI, info s3Info, s3C return nil } -func (p *s3Input) decodeJSONWithKey(decoder *json.Decoder, objectHash string, s3Info s3Info, s3Ctx *s3Context) error { +func (p *s3Input) decodeJSON(decoder *json.Decoder, objectHash string, s3Info s3Info, s3Ctx *s3Context) error { offset := 0 for { - var jsonFields map[string][]interface{} + var jsonFields interface{} err := decoder.Decode(&jsonFields) if jsonFields == nil { return nil } if err == io.EOF { - // create event for last line - // get logs from expand_event_list_from_field - textValues, ok := jsonFields[p.config.ExpandEventListFromField] - if !ok { - err = errors.Wrapf(err, "key '%s' not found", p.config.ExpandEventListFromField) - p.logger.Error(err) + offset, err = p.jsonFieldsType(jsonFields, offset, objectHash, s3Info, s3Ctx) + if err != nil { return err } - - for _, v := range textValues { - err := p.convertJSONToEvent(v, offset, objectHash, s3Info, s3Ctx) - if err != nil { - err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name) - p.logger.Error(err) - return err - } - } } else if err != nil { // decode json failed, skip this log file err = errors.Wrapf(err, "decode json failed for '%s' from S3 bucket '%s', skipping this file", s3Info.key, s3Info.name) @@ -546,27 +546,71 @@ func (p *s3Input) decodeJSONWithKey(decoder *json.Decoder, objectHash string, s3 return nil } - textValues, ok := jsonFields[p.config.ExpandEventListFromField] - if !ok { - err = errors.Wrapf(err, "Key '%s' not found", p.config.ExpandEventListFromField) - p.logger.Error(err) + offsetNew, err := p.jsonFieldsType(jsonFields, offset, objectHash, s3Info, s3Ctx) + if err != nil { return err } + offset = offsetNew + } +} - for _, v := range textValues { - err := p.convertJSONToEvent(v, offset, objectHash, s3Info, s3Ctx) - if err != nil { - err = errors.Wrapf(err, "Key '%s' not found", p.config.ExpandEventListFromField) +func (p *s3Input) jsonFieldsType(jsonFields interface{}, offset int, objectHash string, s3Info s3Info, s3Ctx *s3Context) (int, error) { + switch f := jsonFields.(type) { + case map[string][]interface{}: + if s3Info.expandEventListFromField != "" { + textValues, ok := f[s3Info.expandEventListFromField] + if !ok { + err := errors.Errorf("key '%s' not found", s3Info.expandEventListFromField) p.logger.Error(err) - return err + return offset, err + } + for _, v := range textValues { + offset, err := p.convertJSONToEvent(v, offset, objectHash, s3Info, s3Ctx) + if err != nil { + err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name) + p.logger.Error(err) + return offset, err + } } + return offset, nil } + case map[string]interface{}: + if s3Info.expandEventListFromField != "" { + textValues, ok := f[s3Info.expandEventListFromField] + if !ok { + err := errors.Errorf("key '%s' not found", s3Info.expandEventListFromField) + p.logger.Error(err) + return offset, err + } + + valuesConverted := textValues.([]interface{}) + for _, textValue := range valuesConverted { + offsetNew, err := p.convertJSONToEvent(textValue, offset, objectHash, s3Info, s3Ctx) + if err != nil { + err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name) + p.logger.Error(err) + return offset, err + } + offset = offsetNew + } + return offset, nil + } + + offset, err := p.convertJSONToEvent(f, offset, objectHash, s3Info, s3Ctx) + if err != nil { + err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name) + p.logger.Error(err) + return offset, err + } + return offset, nil } + return offset, nil } -func (p *s3Input) convertJSONToEvent(jsonFields interface{}, offset int, objectHash string, s3Info s3Info, s3Ctx *s3Context) error { +func (p *s3Input) convertJSONToEvent(jsonFields interface{}, offset int, objectHash string, s3Info s3Info, s3Ctx *s3Context) (int, error) { vJSON, err := json.Marshal(jsonFields) - log := string(vJSON) + logOriginal := string(vJSON) + log := trimLogDelimiter(logOriginal) offset += len([]byte(log)) event := createEvent(log, offset, s3Info, objectHash, s3Ctx) @@ -574,9 +618,9 @@ func (p *s3Input) convertJSONToEvent(jsonFields interface{}, offset int, objectH if err != nil { err = errors.Wrap(err, "forwardEvent failed") p.logger.Error(err) - return err + return offset, err } - return nil + return offset, nil } func (p *s3Input) forwardEvent(event beat.Event) error { @@ -609,6 +653,18 @@ func (p *s3Input) deleteMessage(queueURL string, messagesReceiptHandle string, s return nil } +func trimLogDelimiter(log string) string { + return strings.TrimSuffix(log, "\n") +} + +func readStringAndTrimDelimiter(reader *bufio.Reader) (string, error) { + logOriginal, err := reader.ReadString('\n') + if err != nil { + return logOriginal, err + } + return trimLogDelimiter(logOriginal), nil +} + func createEvent(log string, offset int, info s3Info, objectHash string, s3Ctx *s3Context) beat.Event { s3Ctx.Inc() diff --git a/x-pack/filebeat/input/s3/input_test.go b/x-pack/filebeat/input/s3/input_test.go index 5eddbaad956..d1fab05cb3c 100644 --- a/x-pack/filebeat/input/s3/input_test.go +++ b/x-pack/filebeat/input/s3/input_test.go @@ -32,10 +32,12 @@ type MockS3Client struct { } var ( - s3LogString1 = "36c1f test-s3-ks [20/Jun/2019] 1.2.3.4 arn:aws:iam::1234:user/test@elastic.co 5141F REST.HEAD.OBJECT Screen1.png \n" - s3LogString2 = "28kdg test-s3-ks [20/Jun/2019] 1.2.3.4 arn:aws:iam::1234:user/test@elastic.co 5A070 REST.HEAD.OBJECT Screen2.png \n" - mockSvc = &MockS3Client{} - info = s3Info{ + s3LogString1 = "36c1f test-s3-ks [20/Jun/2019] 1.2.3.4 arn:aws:iam::1234:user/test@elastic.co 5141F REST.HEAD.OBJECT Screen1.png\n" + s3LogString1Trimmed = "36c1f test-s3-ks [20/Jun/2019] 1.2.3.4 arn:aws:iam::1234:user/test@elastic.co 5141F REST.HEAD.OBJECT Screen1.png" + s3LogString2 = "28kdg test-s3-ks [20/Jun/2019] 1.2.3.4 arn:aws:iam::1234:user/test@elastic.co 5A070 REST.HEAD.OBJECT Screen2.png\n" + s3LogString2Trimmed = "28kdg test-s3-ks [20/Jun/2019] 1.2.3.4 arn:aws:iam::1234:user/test@elastic.co 5A070 REST.HEAD.OBJECT Screen2.png" + mockSvc = &MockS3Client{} + info = s3Info{ name: "test-s3-ks", key: "log2019-06-21-16-16-54", region: "us-west-1", @@ -118,9 +120,10 @@ func TestHandleMessage(t *testing.T) { }, } + p := &s3Input{context: &channelContext{}} for _, c := range casesPositive { t.Run(c.title, func(t *testing.T) { - s3Info, err := handleSQSMessage(c.message) + s3Info, err := p.handleSQSMessage(c.message) assert.NoError(t, err) assert.Equal(t, len(c.expectedS3Infos), len(s3Info)) if len(s3Info) > 0 { @@ -153,7 +156,7 @@ func TestHandleMessage(t *testing.T) { for _, c := range casesNegative { t.Run(c.title, func(t *testing.T) { - s3Info, err := handleSQSMessage(c.message) + s3Info, err := p.handleSQSMessage(c.message) assert.Error(t, err) assert.Nil(t, s3Info) }) @@ -182,15 +185,15 @@ func TestNewS3BucketReader(t *testing.T) { for i := 0; i < 3; i++ { switch i { case 0: - log, err := reader.ReadString('\n') + log, err := readStringAndTrimDelimiter(reader) assert.NoError(t, err) - assert.Equal(t, s3LogString1, log) + assert.Equal(t, s3LogString1Trimmed, log) case 1: - log, err := reader.ReadString('\n') + log, err := readStringAndTrimDelimiter(reader) assert.NoError(t, err) - assert.Equal(t, s3LogString2, log) + assert.Equal(t, s3LogString2Trimmed, log) case 2: - log, err := reader.ReadString('\n') + log, err := readStringAndTrimDelimiter(reader) assert.Error(t, io.EOF, err) assert.Equal(t, "", log) } @@ -373,3 +376,32 @@ May 28 03:03:29 Shaunaks-MacBook-Pro-Work VTDecoderXPCService[57953]: DEPRECATED }) } } + +func TestTrimLogDelimiter(t *testing.T) { + cases := []struct { + title string + logOriginal string + expectedLog string + }{ + {"string with delimiter", + `test +`, + "test", + }, + {"string without delimiter", + "test", + "test", + }, + {"string just with delimiter", + ` +`, + "", + }, + } + for _, c := range cases { + t.Run(c.title, func(t *testing.T) { + log := trimLogDelimiter(c.logOriginal) + assert.Equal(t, c.expectedLog, log) + }) + } +} diff --git a/x-pack/filebeat/magefile.go b/x-pack/filebeat/magefile.go index d8ca14651e9..9c7f436e2e4 100644 --- a/x-pack/filebeat/magefile.go +++ b/x-pack/filebeat/magefile.go @@ -174,7 +174,7 @@ func PythonIntegTest(ctx context.Context) error { if !devtools.IsInIntegTestEnv() { mg.Deps(Fields) } - runner, err := devtools.NewDockerIntegrationRunner(append(devtools.ListMatchingEnvVars("TESTING_FILEBEAT_", "NOSE_"), "GENERATE")...) + runner, err := devtools.NewDockerIntegrationRunner(append(devtools.ListMatchingEnvVars("TESTING_FILEBEAT_", "PYTEST_"), "GENERATE")...) if err != nil { return err } @@ -182,6 +182,6 @@ func PythonIntegTest(ctx context.Context) error { mg.Deps(devtools.BuildSystemTestBinary) args := devtools.DefaultPythonTestIntegrationArgs() args.Env["MODULES_PATH"] = devtools.CWD("module") - return devtools.PythonNoseTest(args) + return devtools.PythonTest(args) }) } diff --git a/x-pack/filebeat/module/activemq/audit/ingest/pipeline.yml b/x-pack/filebeat/module/activemq/audit/ingest/pipeline.yml index afc4c50f3dc..c5cb5ee8ed1 100644 --- a/x-pack/filebeat/module/activemq/audit/ingest/pipeline.yml +++ b/x-pack/filebeat/module/activemq/audit/ingest/pipeline.yml @@ -1,6 +1,9 @@ --- description: Pipeline for parsing ActiveMQ audit logs. processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message pattern_definitions: diff --git a/x-pack/filebeat/module/activemq/log/ingest/pipeline.yml b/x-pack/filebeat/module/activemq/log/ingest/pipeline.yml index c33d77295e5..b84807be893 100644 --- a/x-pack/filebeat/module/activemq/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/activemq/log/ingest/pipeline.yml @@ -1,6 +1,9 @@ --- description: Pipeline for parsing ActiveMQ logs. processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message pattern_definitions: diff --git a/x-pack/filebeat/module/aws/_meta/config.yml b/x-pack/filebeat/module/aws/_meta/config.yml index 7c9c9f0e7b0..b7e0c25b674 100644 --- a/x-pack/filebeat/module/aws/_meta/config.yml +++ b/x-pack/filebeat/module/aws/_meta/config.yml @@ -5,6 +5,18 @@ # AWS SQS queue url #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + # Process CloudTrail logs + # default is true, set to false to skip Cloudtrail logs + # var.process_cloudtrail_logs: false + + # Process CloudTrail Digest logs + # default true, set to false to skip CloudTrail Digest logs + # var.process_digest_logs: false + + # Process CloudTrail Insight logs + # default true, set to false to skip CloudTrail Insight logs + # var.process_insight_logs: false + # Filename of AWS credential file # If not set "$HOME/.aws/credentials" is used on Linux/Mac # "%UserProfile%\.aws\credentials" is used on Windows diff --git a/x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml b/x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml index d4bd04b548b..155908315e9 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml @@ -223,3 +223,70 @@ description: >- Identifies the service event, including what triggered the event and the result. + - name: digest + type: group + description: >- + Fields from Cloudtrail Digest Logs + fields: + - name: log_files + type: nested + description: >- + A list of Logfiles contained in the digest. + - name: start_time + type: date + description: >- + The starting UTC time range that the digest file covers, + taking as a reference the time in which log files have + been delivered by CloudTrail. + - name: end_time + type: date + description: >- + The ending UTC time range that the digest file covers, + taking as a reference the time in which log files have + been delivered by CloudTrail. + - name: s3_bucket + type: keyword + description: >- + The name of the Amazon S3 bucket to which the current + digest file has been delivered. + - name: s3_object + type: keyword + description: >- + The Amazon S3 object key (that is, the Amazon S3 bucket + location) of the current digest file. + - name: newest_event_time + type: date + description: >- + The UTC time of the most recent event among all of the + events in the log files in the digest. + - name: oldest_event_time + type: date + description: >- + The UTC time of the oldest event among all of the events + in the log files in the digest. + - name: previous_s3_bucket + type: keyword + description: >- + The Amazon S3 bucket to which the previous digest file was + delivered. + - name: previous_hash_algorithm + type: keyword + description: >- + The name of the hash algorithm that was used to hash the + previous digest file. + - name: public_key_fingerprint + type: keyword + description: >- + The hexadecimal encoded fingerprint of the public key that + matches the private key used to sign this digest file. + - name: signature_algorithm + type: keyword + description: >- + The algorithm used to sign the digest file. + - name: insight_details + type: flattened + description: >- + Shows information about the underlying triggers of an Insights + event, such as event source, user agent, statistics, API name, + and whether the event is the start or end of the Insights + event. diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml b/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml index 2a6f38d1fad..2094f77c712 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml @@ -1,6 +1,19 @@ type: s3 queue_url: {{ .queue_url }} -expand_event_list_from_field: Records +file_selectors: +{{ if .process_cloudtrail_logs }} + - regex: '^AWSLogs/\d+/CloudTrail/' + expand_event_list_from_field: 'Records' +{{ end }} + +{{ if .process_digest_logs }} + - regex: '^AWSLogs/\d+/CloudTrail-Digest/' +{{ end }} + +{{ if .process_insight_logs }} + - regex: '^AWSLogs/\d+/CloudTrail-Insight/' + expand_event_list_from_field: 'Records' +{{ end }} {{ if .credential_profile_name }} credential_profile_name: {{ .credential_profile_name }} diff --git a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml index 36773124439..8421e12d7f0 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml @@ -1,6 +1,12 @@ --- description: Pipeline for AWS CloudTrail Logs processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + - set: + field: event.created + value: '{{@timestamp}}' - rename: field: "message" target_field: "event.original" @@ -55,7 +61,7 @@ processors: field: "json.userIdentity.sessionContext.sessionIssuer.type" target_field: "aws.cloudtrail.user_identity.session_context.session_issuer.type" ignore_failure: true -# userIdentity.sessionIssuer.userName is only set with assumed roles. + # userIdentity.sessionIssuer.userName is only set with assumed roles. - rename: field: "json.userIdentity.sessionContext.sessionIssuer.userName" target_field: "user.name" @@ -85,6 +91,11 @@ processors: value: "{{json.eventName}}" ignore_failure: true ignore_empty_value: true + - set: + field: "event.action" + value: "{{json.eventCategory}}" + ignore_failure: true + ignore_empty_value: true - rename: field: "json.awsRegion" target_field: "cloud.region" @@ -116,9 +127,9 @@ processors: target_field: source.as.number ignore_missing: true - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true - user_agent: field: "json.userAgent" target_field: "user_agent" @@ -138,7 +149,7 @@ processors: - rename: field: json.requestParameters target_field: "aws.cloudtrail.flattened.request_parameters" - if: ctx.json.requestParameters != null + if: ctx?.json?.requestParameters != null - script: lang: painless source: | @@ -149,7 +160,7 @@ processors: - rename: field: json.responseElements target_field: "aws.cloudtrail.flattened.response_elements" - if: ctx.json.responseElements != null + if: ctx?.json?.responseElements != null - script: lang: painless source: | @@ -211,7 +222,7 @@ processors: - rename: field: json.serviceEventDetails target_field: "aws.cloudtrail.flattened.service_event_details" - if: ctx.json.serviceEventDetails != null + if: ctx?.json?.serviceEventDetails != null - script: lang: painless source: | @@ -465,12 +476,6 @@ processors: type: - user - info - ListGroupsForUser: - category: - - iam - type: - - user - - info ListGroupPolicies: category: - iam @@ -614,10 +619,85 @@ processors: if (ctx.event.action == 'ConsoleLogin' && ctx?.aws?.cloudtrail?.flattened?.response_elements.ConsoleLogin != null) { ctx.event.outcome = Processors.lowercase(ctx.aws.cloudtrail.flattened.response_elements.ConsoleLogin); } - + def hm = new HashMap(params.get(ctx.event.action)); hm.forEach((k, v) -> ctx.event[k] = v); + - rename: + field: "json.awsAccountId" + target_field: "cloud.account.id" + ignore_failure: true + - rename: + field: "json.previousDigestS3Object" + target_field: "file.path" + ignore_failure: true + - rename: + field: "json.previousDigestSignature" + target_field: "file.hash.sha256" + if: >- + ctx?.json?.previousDigestHashAlgorithm != null && ctx.json.previousDigestHashAlgorithm == 'SHA-256' + - append: + field: "related.hash" + value: "{{json.previousDigestSignature}}" + if: "ctx?.json?.previousDigestSignature != null" + - rename: + field: "json.logFiles" + target_field: "aws.cloudtrail.digest.log_files" + ignore_failure: true + - date: + field: "json.digestStartTime" + target_field: "aws.cloudtrail.digest.start_time" + ignore_failure: true + formats: + - ISO8601 + - date: + field: "json.digestEndTime" + target_field: "@timestamp" + ignore_failure: true + formats: + - ISO8601 + - date: + field: "json.digestEndTime" + target_field: "aws.cloudtrail.digest.end_time" + ignore_failure: true + formats: + - ISO8601 + - rename: + field: "json.digestS3Bucket" + target_field: "aws.cloudtrail.digest.s3_bucket" + ignore_failure: true + - date: + field: "json.newestEventTime" + target_field: "aws.cloudtrail.digest.newest_event_time" + ignore_failure: true + formats: + - ISO8601 + - date: + field: "json.oldestEventTime" + target_field: "aws.cloudtrail.digest.oldest_event_time" + ignore_failure: true + formats: + - ISO8601 + - rename: + field: "json.previousDigestS3Bucket" + target_field: "aws.cloudtrail.digest.previous_s3_bucket" + ignore_failure: true + - rename: + field: "json.previousDigestHashAlgorithm" + target_field: "aws.cloudtrail.digest.previous_hash_algorithm" + ignore_failure: true + - rename: + field: "json.publicKeyFingerprint" + target_field: "aws.cloudtrail.digest.public_key_fingerprint" + ignore_failure: true + - rename: + field: "json.digestSignatureAlgorithm" + target_field: "aws.cloudtrail.digest.signature_algorithm" + ignore_failure: true + - rename: + field: "json.insightDetails" + target_field: "aws.cloudtrail.insight_details" + ignore_failure: true - remove: field: - "json" diff --git a/x-pack/filebeat/module/aws/cloudtrail/manifest.yml b/x-pack/filebeat/module/aws/cloudtrail/manifest.yml index 2878c79936d..732967ff0b0 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/manifest.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/manifest.yml @@ -15,6 +15,12 @@ var: - name: role_arn - name: tags default: [forwarded] + - name: process_cloudtrail_logs + default: true + - name: process_digest_logs + default: true + - name: process_insight_logs + default: true ingest_pipeline: ingest/pipeline.yml input: config/{{.input}}.yml diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/cloudtrail-digest-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/cloudtrail-digest-json.log new file mode 100644 index 00000000000..f3393babceb --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/cloudtrail-digest-json.log @@ -0,0 +1 @@ +{"awsAccountId":"123456789123","digestStartTime":"2020-09-11T18:36:49Z","digestEndTime":"2020-09-11T19:36:49Z","digestS3Bucket":"alice-bucket","digestS3Object":"AWSLogs/123456789123/CloudTrail-Digest/us-west-2/2020/09/11/123456789123_CloudTrail-Digest_us-west-2_leh-ct-test_us-west-2_20200911T193649Z.json.gz","digestPublicKeyFingerprint":"47aaa19f7eec22e9bd0b5e58cfade8cb","digestSignatureAlgorithm":"SHA256withRSA","newestEventTime":"2020-09-11T19:26:24Z","oldestEventTime":"2020-09-11T18:32:04Z","previousDigestS3Bucket":"alice-bucket","previousDigestS3Object":"AWSLogs/123456789123/CloudTrail-Digest/us-west-2/2020/09/11/123456789123_CloudTrail-Digest_us-west-2_leh-ct-test_us-west-2_20200911T183649Z.json.gz","previousDigestHashValue":"531914fcfa0dbacf0c9dd1475a1fdcb5dea6e85921409f3c3ec0ba39063c860","previousDigestHashAlgorithm":"SHA-256","previousDigestSignature":"10e0872f32fa1d299d0cc98e94d4c88a6a2eada9d9fc3ae6d53dfe8d54c7caf807072f1e1eec47efdeecfcc22483887f8fddfc954ae587fba43e7676b5547f432fa8722ba1c5baa6b233bcb528ce7c01e3748aab8f28c16c024de79da820128b4c9e5ce65e98a9c4e631687ecc89c224a11bb3df06ce441ff740e4ac9fbd41159e77f5863550118284121f193e357866fbd0463faffb56e194af196e35a7675c3bbd0a398f43159343c3f59129d6339a281a8fdb3192f3fffea9bd21dbb0a705ebfae1921f2133aab0ad29522aea6df0828c1780d3f3ed6b8270ab3ba24459916b0fbbe82fba6ff9677bafe7306e0f5edcc0f1508cdb4e36f3e3b30e653e9987","logFiles":[{"s3Bucket":"alice-bucket","s3Object":"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1930Z_l2pGqVS53QcGdAkp.json.gz","hashValue":"420784a5bbc12e9ac442451e8ec1356744fdeabf4fee0d2222508db6d448139c","hashAlgorithm":"SHA-256","newestEventTime":"2020-09-11T19:26:24Z","oldestEventTime":"2020-09-11T19:26:24Z"},{"s3Bucket":"alice-bucket","s3Object":"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1915Z_TIKlbLnJ6IwUxqxw.json.gz","hashValue":"4e1eb2a8b41d032cbb16e5449fc8f3eac304e7d43017a391b37c788c77336196","hashAlgorithm":"SHA-256","newestEventTime":"2020-09-11T19:11:18Z","oldestEventTime":"2020-09-11T19:11:18Z"},{"s3Bucket":"alice-bucket","s3Object":"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1835Z_OPJhVNodH1gY760s.json.gz","hashValue":"2695aeb3b4c1f021fe76e0b36f5ac15e557c41c58af6eef282d77ef056210d70","hashAlgorithm":"SHA-256","newestEventTime":"2020-09-11T18:32:04Z","oldestEventTime":"2020-09-11T18:32:04Z"},{"s3Bucket":"alice-bucket","s3Object":"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1925Z_zJNGzQovyNAImZV9.json.gz","hashValue":"45a2906f55cbfc912584e9425f8d3d8d6fabf571a45a5ecd7d2a0f4132b81689","hashAlgorithm":"SHA-256","newestEventTime":"2020-09-11T19:21:28Z","oldestEventTime":"2020-09-11T19:21:28Z"},{"s3Bucket":"alice-bucket","s3Object":"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1855Z_RqN9YzoKAJCKbejj.json.gz","hashValue":"515cc8be750d815266b4fc799c7600765f22502d29f5bb9d5c8969ffc5ab7097","hashAlgorithm":"SHA-256","newestEventTime":"2020-09-11T18:51:21Z","oldestEventTime":"2020-09-11T18:51:21Z"},{"s3Bucket":"alice-bucket","s3Object":"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1850Z_jLldN7U8XrspES8p.json.gz","hashValue":"18650414e79e084dff02da66253f071347f7bb5c4863279bafe7762a980f7c0b","hashAlgorithm":"SHA-256","newestEventTime":"2020-09-11T18:46:45Z","oldestEventTime":"2020-09-11T18:46:45Z"},{"s3Bucket":"alice-bucket","s3Object":"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1905Z_jBNdmg4bSGxZ3wC8.json.gz","hashValue":"54050ec665636f1985f5b51ae43c74a58282cb2e500492a45f20a4dc1bf8a6d5","hashAlgorithm":"SHA-256","newestEventTime":"2020-09-11T19:01:06Z","oldestEventTime":"2020-09-11T19:01:06Z"},{"s3Bucket":"alice-bucket","s3Object":"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1920Z_bj5DRrmILF6jK23a.json.gz","hashValue":"6e0d8fcbd712d3f6d1caf4a872681f4290b05ed8a8f1c9450a0a6db92ccab4d7","hashAlgorithm":"SHA-256","newestEventTime":"2020-09-11T19:16:12Z","oldestEventTime":"2020-09-11T19:16:12Z"},{"s3Bucket":"alice-bucket","s3Object":"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1900Z_6LjrkrhsLQMzCiSN.json.gz","hashValue":"b2b0e2804d1c6b92d76eee203d7eba32d3d003e6967f175723a83ecc2d7ad4ba","hashAlgorithm":"SHA-256","newestEventTime":"2020-09-11T18:56:05Z","oldestEventTime":"2020-09-11T18:56:05Z"},{"s3Bucket":"alice-bucket","s3Object":"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1910Z_DLyqye8LaeoD204N.json.gz","hashValue":"4397a13565a67d9ed6e57737b98eb7e61ca52bb191c9b5da0423136dfc5581c7","hashAlgorithm":"SHA-256","newestEventTime":"2020-09-11T19:06:31Z","oldestEventTime":"2020-09-11T19:06:31Z"},{"s3Bucket":"alice-bucket","s3Object":"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1845Z_TSDKyASOn2ejOq5n.json.gz","hashValue":"94f09d2398632c7b0c0066ed5d56768632dd2e06ed9c80af9d0c2c5f59bd60b6","hashAlgorithm":"SHA-256","newestEventTime":"2020-09-11T18:41:58Z","oldestEventTime":"2020-09-11T18:41:58Z"},{"s3Bucket":"alice-bucket","s3Object":"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1840Z_btJydJ2t7hCRnjsN.json.gz","hashValue":"9044f9a05d70688bc6f6048d5f8d00764ab65e132b8ffefb193b22ca4394d771","hashAlgorithm":"SHA-256","newestEventTime":"2020-09-11T18:37:10Z","oldestEventTime":"2020-09-11T18:37:10Z"}]} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/cloudtrail-digest-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/cloudtrail-digest-json.log-expected.json new file mode 100644 index 00000000000..e4cf4e32a06 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/cloudtrail-digest-json.log-expected.json @@ -0,0 +1,126 @@ +[ + { + "@timestamp": "2020-09-11T19:36:49.000Z", + "aws.cloudtrail.digest.end_time": "2020-09-11T19:36:49.000Z", + "aws.cloudtrail.digest.log_files": [ + { + "hashAlgorithm": "SHA-256", + "hashValue": "420784a5bbc12e9ac442451e8ec1356744fdeabf4fee0d2222508db6d448139c", + "newestEventTime": "2020-09-11T19:26:24Z", + "oldestEventTime": "2020-09-11T19:26:24Z", + "s3Bucket": "alice-bucket", + "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1930Z_l2pGqVS53QcGdAkp.json.gz" + }, + { + "hashAlgorithm": "SHA-256", + "hashValue": "4e1eb2a8b41d032cbb16e5449fc8f3eac304e7d43017a391b37c788c77336196", + "newestEventTime": "2020-09-11T19:11:18Z", + "oldestEventTime": "2020-09-11T19:11:18Z", + "s3Bucket": "alice-bucket", + "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1915Z_TIKlbLnJ6IwUxqxw.json.gz" + }, + { + "hashAlgorithm": "SHA-256", + "hashValue": "2695aeb3b4c1f021fe76e0b36f5ac15e557c41c58af6eef282d77ef056210d70", + "newestEventTime": "2020-09-11T18:32:04Z", + "oldestEventTime": "2020-09-11T18:32:04Z", + "s3Bucket": "alice-bucket", + "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1835Z_OPJhVNodH1gY760s.json.gz" + }, + { + "hashAlgorithm": "SHA-256", + "hashValue": "45a2906f55cbfc912584e9425f8d3d8d6fabf571a45a5ecd7d2a0f4132b81689", + "newestEventTime": "2020-09-11T19:21:28Z", + "oldestEventTime": "2020-09-11T19:21:28Z", + "s3Bucket": "alice-bucket", + "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1925Z_zJNGzQovyNAImZV9.json.gz" + }, + { + "hashAlgorithm": "SHA-256", + "hashValue": "515cc8be750d815266b4fc799c7600765f22502d29f5bb9d5c8969ffc5ab7097", + "newestEventTime": "2020-09-11T18:51:21Z", + "oldestEventTime": "2020-09-11T18:51:21Z", + "s3Bucket": "alice-bucket", + "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1855Z_RqN9YzoKAJCKbejj.json.gz" + }, + { + "hashAlgorithm": "SHA-256", + "hashValue": "18650414e79e084dff02da66253f071347f7bb5c4863279bafe7762a980f7c0b", + "newestEventTime": "2020-09-11T18:46:45Z", + "oldestEventTime": "2020-09-11T18:46:45Z", + "s3Bucket": "alice-bucket", + "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1850Z_jLldN7U8XrspES8p.json.gz" + }, + { + "hashAlgorithm": "SHA-256", + "hashValue": "54050ec665636f1985f5b51ae43c74a58282cb2e500492a45f20a4dc1bf8a6d5", + "newestEventTime": "2020-09-11T19:01:06Z", + "oldestEventTime": "2020-09-11T19:01:06Z", + "s3Bucket": "alice-bucket", + "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1905Z_jBNdmg4bSGxZ3wC8.json.gz" + }, + { + "hashAlgorithm": "SHA-256", + "hashValue": "6e0d8fcbd712d3f6d1caf4a872681f4290b05ed8a8f1c9450a0a6db92ccab4d7", + "newestEventTime": "2020-09-11T19:16:12Z", + "oldestEventTime": "2020-09-11T19:16:12Z", + "s3Bucket": "alice-bucket", + "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1920Z_bj5DRrmILF6jK23a.json.gz" + }, + { + "hashAlgorithm": "SHA-256", + "hashValue": "b2b0e2804d1c6b92d76eee203d7eba32d3d003e6967f175723a83ecc2d7ad4ba", + "newestEventTime": "2020-09-11T18:56:05Z", + "oldestEventTime": "2020-09-11T18:56:05Z", + "s3Bucket": "alice-bucket", + "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1900Z_6LjrkrhsLQMzCiSN.json.gz" + }, + { + "hashAlgorithm": "SHA-256", + "hashValue": "4397a13565a67d9ed6e57737b98eb7e61ca52bb191c9b5da0423136dfc5581c7", + "newestEventTime": "2020-09-11T19:06:31Z", + "oldestEventTime": "2020-09-11T19:06:31Z", + "s3Bucket": "alice-bucket", + "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1910Z_DLyqye8LaeoD204N.json.gz" + }, + { + "hashAlgorithm": "SHA-256", + "hashValue": "94f09d2398632c7b0c0066ed5d56768632dd2e06ed9c80af9d0c2c5f59bd60b6", + "newestEventTime": "2020-09-11T18:41:58Z", + "oldestEventTime": "2020-09-11T18:41:58Z", + "s3Bucket": "alice-bucket", + "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1845Z_TSDKyASOn2ejOq5n.json.gz" + }, + { + "hashAlgorithm": "SHA-256", + "hashValue": "9044f9a05d70688bc6f6048d5f8d00764ab65e132b8ffefb193b22ca4394d771", + "newestEventTime": "2020-09-11T18:37:10Z", + "oldestEventTime": "2020-09-11T18:37:10Z", + "s3Bucket": "alice-bucket", + "s3Object": "AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1840Z_btJydJ2t7hCRnjsN.json.gz" + } + ], + "aws.cloudtrail.digest.newest_event_time": "2020-09-11T19:26:24.000Z", + "aws.cloudtrail.digest.oldest_event_time": "2020-09-11T18:32:04.000Z", + "aws.cloudtrail.digest.previous_hash_algorithm": "SHA-256", + "aws.cloudtrail.digest.previous_s3_bucket": "alice-bucket", + "aws.cloudtrail.digest.s3_bucket": "alice-bucket", + "aws.cloudtrail.digest.signature_algorithm": "SHA256withRSA", + "aws.cloudtrail.digest.start_time": "2020-09-11T18:36:49.000Z", + "cloud.account.id": "123456789123", + "event.dataset": "aws.cloudtrail", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"awsAccountId\":\"123456789123\",\"digestStartTime\":\"2020-09-11T18:36:49Z\",\"digestEndTime\":\"2020-09-11T19:36:49Z\",\"digestS3Bucket\":\"alice-bucket\",\"digestS3Object\":\"AWSLogs/123456789123/CloudTrail-Digest/us-west-2/2020/09/11/123456789123_CloudTrail-Digest_us-west-2_leh-ct-test_us-west-2_20200911T193649Z.json.gz\",\"digestPublicKeyFingerprint\":\"47aaa19f7eec22e9bd0b5e58cfade8cb\",\"digestSignatureAlgorithm\":\"SHA256withRSA\",\"newestEventTime\":\"2020-09-11T19:26:24Z\",\"oldestEventTime\":\"2020-09-11T18:32:04Z\",\"previousDigestS3Bucket\":\"alice-bucket\",\"previousDigestS3Object\":\"AWSLogs/123456789123/CloudTrail-Digest/us-west-2/2020/09/11/123456789123_CloudTrail-Digest_us-west-2_leh-ct-test_us-west-2_20200911T183649Z.json.gz\",\"previousDigestHashValue\":\"531914fcfa0dbacf0c9dd1475a1fdcb5dea6e85921409f3c3ec0ba39063c860\",\"previousDigestHashAlgorithm\":\"SHA-256\",\"previousDigestSignature\":\"10e0872f32fa1d299d0cc98e94d4c88a6a2eada9d9fc3ae6d53dfe8d54c7caf807072f1e1eec47efdeecfcc22483887f8fddfc954ae587fba43e7676b5547f432fa8722ba1c5baa6b233bcb528ce7c01e3748aab8f28c16c024de79da820128b4c9e5ce65e98a9c4e631687ecc89c224a11bb3df06ce441ff740e4ac9fbd41159e77f5863550118284121f193e357866fbd0463faffb56e194af196e35a7675c3bbd0a398f43159343c3f59129d6339a281a8fdb3192f3fffea9bd21dbb0a705ebfae1921f2133aab0ad29522aea6df0828c1780d3f3ed6b8270ab3ba24459916b0fbbe82fba6ff9677bafe7306e0f5edcc0f1508cdb4e36f3e3b30e653e9987\",\"logFiles\":[{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1930Z_l2pGqVS53QcGdAkp.json.gz\",\"hashValue\":\"420784a5bbc12e9ac442451e8ec1356744fdeabf4fee0d2222508db6d448139c\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T19:26:24Z\",\"oldestEventTime\":\"2020-09-11T19:26:24Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1915Z_TIKlbLnJ6IwUxqxw.json.gz\",\"hashValue\":\"4e1eb2a8b41d032cbb16e5449fc8f3eac304e7d43017a391b37c788c77336196\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T19:11:18Z\",\"oldestEventTime\":\"2020-09-11T19:11:18Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1835Z_OPJhVNodH1gY760s.json.gz\",\"hashValue\":\"2695aeb3b4c1f021fe76e0b36f5ac15e557c41c58af6eef282d77ef056210d70\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T18:32:04Z\",\"oldestEventTime\":\"2020-09-11T18:32:04Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1925Z_zJNGzQovyNAImZV9.json.gz\",\"hashValue\":\"45a2906f55cbfc912584e9425f8d3d8d6fabf571a45a5ecd7d2a0f4132b81689\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T19:21:28Z\",\"oldestEventTime\":\"2020-09-11T19:21:28Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1855Z_RqN9YzoKAJCKbejj.json.gz\",\"hashValue\":\"515cc8be750d815266b4fc799c7600765f22502d29f5bb9d5c8969ffc5ab7097\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T18:51:21Z\",\"oldestEventTime\":\"2020-09-11T18:51:21Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1850Z_jLldN7U8XrspES8p.json.gz\",\"hashValue\":\"18650414e79e084dff02da66253f071347f7bb5c4863279bafe7762a980f7c0b\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T18:46:45Z\",\"oldestEventTime\":\"2020-09-11T18:46:45Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1905Z_jBNdmg4bSGxZ3wC8.json.gz\",\"hashValue\":\"54050ec665636f1985f5b51ae43c74a58282cb2e500492a45f20a4dc1bf8a6d5\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T19:01:06Z\",\"oldestEventTime\":\"2020-09-11T19:01:06Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1920Z_bj5DRrmILF6jK23a.json.gz\",\"hashValue\":\"6e0d8fcbd712d3f6d1caf4a872681f4290b05ed8a8f1c9450a0a6db92ccab4d7\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T19:16:12Z\",\"oldestEventTime\":\"2020-09-11T19:16:12Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1900Z_6LjrkrhsLQMzCiSN.json.gz\",\"hashValue\":\"b2b0e2804d1c6b92d76eee203d7eba32d3d003e6967f175723a83ecc2d7ad4ba\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T18:56:05Z\",\"oldestEventTime\":\"2020-09-11T18:56:05Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1910Z_DLyqye8LaeoD204N.json.gz\",\"hashValue\":\"4397a13565a67d9ed6e57737b98eb7e61ca52bb191c9b5da0423136dfc5581c7\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T19:06:31Z\",\"oldestEventTime\":\"2020-09-11T19:06:31Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1845Z_TSDKyASOn2ejOq5n.json.gz\",\"hashValue\":\"94f09d2398632c7b0c0066ed5d56768632dd2e06ed9c80af9d0c2c5f59bd60b6\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T18:41:58Z\",\"oldestEventTime\":\"2020-09-11T18:41:58Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1840Z_btJydJ2t7hCRnjsN.json.gz\",\"hashValue\":\"9044f9a05d70688bc6f6048d5f8d00764ab65e132b8ffefb193b22ca4394d771\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T18:37:10Z\",\"oldestEventTime\":\"2020-09-11T18:37:10Z\"}]}", + "event.type": "info", + "file.hash.sha256": "10e0872f32fa1d299d0cc98e94d4c88a6a2eada9d9fc3ae6d53dfe8d54c7caf807072f1e1eec47efdeecfcc22483887f8fddfc954ae587fba43e7676b5547f432fa8722ba1c5baa6b233bcb528ce7c01e3748aab8f28c16c024de79da820128b4c9e5ce65e98a9c4e631687ecc89c224a11bb3df06ce441ff740e4ac9fbd41159e77f5863550118284121f193e357866fbd0463faffb56e194af196e35a7675c3bbd0a398f43159343c3f59129d6339a281a8fdb3192f3fffea9bd21dbb0a705ebfae1921f2133aab0ad29522aea6df0828c1780d3f3ed6b8270ab3ba24459916b0fbbe82fba6ff9677bafe7306e0f5edcc0f1508cdb4e36f3e3b30e653e9987", + "file.path": "AWSLogs/123456789123/CloudTrail-Digest/us-west-2/2020/09/11/123456789123_CloudTrail-Digest_us-west-2_leh-ct-test_us-west-2_20200911T183649Z.json.gz", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "service.type": "aws", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/insight-json.log b/x-pack/filebeat/module/aws/cloudtrail/test/insight-json.log new file mode 100644 index 00000000000..c5c536fe7a6 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/insight-json.log @@ -0,0 +1 @@ +{"eventVersion":"1.07","eventTime":"2020-09-09T23:00:00Z","awsRegion":"us-east-1","eventID":"41ed77ca-d659-b45a-8e9a-74e504300007","eventType":"AwsCloudTrailInsight","recipientAccountId":"123456789012","sharedEventID":"e672c2b1-e71a-4779-f96c-02da7bb30d2e","insightDetails":{"state":"End","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","insightType":"ApiCallRateInsight","insffightContext":{"statistics":{"baseline":{"average":0.0},"insight":{"average":2.0},"insightDuration":1,"baselineDuration":11459},"attributions":[{"attribute":"userIdentityArn","insight":[{"value":"arn:aws:iam::123456789012:user/Alice","average":2.0}],"baseline":[]},{"attribute":"userAgent","insight":[{"value":"console.amazonaws.com","average":2.0}],"baseline":[]},{"attribute":"errorCode","insight":[{"value":"null","average":2.0}],"baseline":[]}]}},"eventCategory":"Insight"} diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/insight-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/insight-json.log-expected.json new file mode 100644 index 00000000000..2bfe4bedd30 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudtrail/test/insight-json.log-expected.json @@ -0,0 +1,64 @@ +[ + { + "@timestamp": "2020-09-09T23:00:00.000Z", + "aws.cloudtrail.event_type": "AwsCloudTrailInsight", + "aws.cloudtrail.event_version": "1.07", + "aws.cloudtrail.insight_details.eventName": "AttachUserPolicy", + "aws.cloudtrail.insight_details.eventSource": "iam.amazonaws.com", + "aws.cloudtrail.insight_details.insffightContext.attributions": [ + { + "attribute": "userIdentityArn", + "baseline": [], + "insight": [ + { + "average": 2.0, + "value": "arn:aws:iam::123456789012:user/Alice" + } + ] + }, + { + "attribute": "userAgent", + "baseline": [], + "insight": [ + { + "average": 2.0, + "value": "console.amazonaws.com" + } + ] + }, + { + "attribute": "errorCode", + "baseline": [], + "insight": [ + { + "average": 2.0, + "value": "null" + } + ] + } + ], + "aws.cloudtrail.insight_details.insffightContext.statistics.baseline.average": 0.0, + "aws.cloudtrail.insight_details.insffightContext.statistics.baselineDuration": 11459, + "aws.cloudtrail.insight_details.insffightContext.statistics.insight.average": 2.0, + "aws.cloudtrail.insight_details.insffightContext.statistics.insightDuration": 1, + "aws.cloudtrail.insight_details.insightType": "ApiCallRateInsight", + "aws.cloudtrail.insight_details.state": "End", + "aws.cloudtrail.recipient_account_id": "123456789012", + "cloud.region": "us-east-1", + "event.action": "Insight", + "event.dataset": "aws.cloudtrail", + "event.id": "41ed77ca-d659-b45a-8e9a-74e504300007", + "event.kind": "event", + "event.module": "aws", + "event.original": "{\"eventVersion\":\"1.07\",\"eventTime\":\"2020-09-09T23:00:00Z\",\"awsRegion\":\"us-east-1\",\"eventID\":\"41ed77ca-d659-b45a-8e9a-74e504300007\",\"eventType\":\"AwsCloudTrailInsight\",\"recipientAccountId\":\"123456789012\",\"sharedEventID\":\"e672c2b1-e71a-4779-f96c-02da7bb30d2e\",\"insightDetails\":{\"state\":\"End\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"AttachUserPolicy\",\"insightType\":\"ApiCallRateInsight\",\"insffightContext\":{\"statistics\":{\"baseline\":{\"average\":0.0},\"insight\":{\"average\":2.0},\"insightDuration\":1,\"baselineDuration\":11459},\"attributions\":[{\"attribute\":\"userIdentityArn\",\"insight\":[{\"value\":\"arn:aws:iam::123456789012:user/Alice\",\"average\":2.0}],\"baseline\":[]},{\"attribute\":\"userAgent\",\"insight\":[{\"value\":\"console.amazonaws.com\",\"average\":2.0}],\"baseline\":[]},{\"attribute\":\"errorCode\",\"insight\":[{\"value\":\"null\",\"average\":2.0}],\"baseline\":[]}]}},\"eventCategory\":\"Insight\"}", + "event.outcome": "success", + "event.type": "info", + "fileset.name": "cloudtrail", + "input.type": "log", + "log.offset": 0, + "service.type": "aws", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/cloudwatch/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudwatch/ingest/pipeline.yml index ff7e20d1c3d..05f25463414 100644 --- a/x-pack/filebeat/module/aws/cloudwatch/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/cloudwatch/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: "Pipeline for CloudWatch logs" processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/x-pack/filebeat/module/aws/ec2/ingest/pipeline.yml b/x-pack/filebeat/module/aws/ec2/ingest/pipeline.yml index 0ada24c6f77..878aa14aef5 100644 --- a/x-pack/filebeat/module/aws/ec2/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/ec2/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: "Pipeline for EC2 logs in CloudWatch" processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml b/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml index fbd1195dcae..de772ccdf01 100644 --- a/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: "Pipeline for ELB logs" processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message # Classic ELB patterns documented in https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html diff --git a/x-pack/filebeat/module/aws/fields.go b/x-pack/filebeat/module/aws/fields.go index 5b8a3d61898..352932f1b1c 100644 --- a/x-pack/filebeat/module/aws/fields.go +++ b/x-pack/filebeat/module/aws/fields.go @@ -19,5 +19,5 @@ func init() { // AssetAws returns asset data. // This is the base64 encoded gzipped contents of module/aws. func AssetAws() string { - return "eJzMXF9z4zZwf79PsZOX2DOSOrlkOh130hmdz9eocS6upUvaJwYCVxJqCGAA0Drdp+8sAFKkSEqyReVOD4nPpBa/Xex/LDyEJ9zeANvYNwBOOIk3MP5z+gbAoERm8Qbm6NgbgBQtNyJzQqsb+I83AAC/6TSXCAttYMVUKoVagtRLCwuj10Rm9AZgIVCm9sZ/YQiKrbFYjj5um+ENLI3Os/iblnXo88GTKSn7dUbxaXWJ6jJc6jx1hglZPmpbkT773BafFBcsly7xS9zAgkmLtcetYKuAtfF4bwnLjLDUoLfBr7KAz6hc8ozGCq1qbxScPOF2o0269+wAMPrMVlhFFOmDXoBbIQEMCxP6NXOjVmi5RZOIFJUTbtsKbV/ITWDDVmREeRIJA0pcExSulWNCWUjRMSEtsLnOncdLq4FeNGhNxr9BARDcijlYsxT9Vwz+naN1A2Aqhc1K8BVwg/5dJi1s0GCDXG4xHcFkAQ7XmTbMbBvf8e8M/AoFbrvSGwsrvaHfNmg2COg5cYnpaO/VNiWp7gbJoPHwsI40t6PlhbAjUcKesY4tr1i32dfUlyNpKkYBZbxmX7SCR7Q6NxzhI1sjXI0fP14XADMjFBcZk3t7zpmU+2KtoOYcrU2ecJuINnx94Q/rECGYvA8IN8x6xQGnwYqlqmpoN2CLlow2IcPAz64TcpsVngp4sqhi8UC9ODfCrSpmYJHnpk0loK7iZG6lYXjWM6OfRYoWhAq+htzQzrIjj610S9Fxg8xh6l2tW2mL1SVbvtplSlXhrhcsYblbERVO1FvfPq4VpwoaonY8M5kjCAvO0P+j+LV23imCNt6p+Z83xGonsVbPFEW021AmrfYyrPEatpe1i50+v30YQ4rPguO/g3YrNBthcRCiY1Nhq3L1e0VamzLXBT7I9MALLxEokfFO3ok1wmaFwbqautuUmLA2bzriOj+FEfp3zUGGuuzwJRz1YY/wepvspBfD2+nhrPgcskU4Ht6KzylmCC+QM0TtiTEmBpbDSjMAm/PVQZLMwqPWbkBG/MmiGZBBP2rZYTRVAZRBrT06XVoQQjk0ikmKWVEa1byqGsGW2K0nUNe942y35xKX5nb8+LHgMmrAFeNc5ypsnfe/fu+Mlnh9kFybeI4o0glSCWC+jirExQNneqPs5bSh4FeoZ/2EaTJv82h9JWa0VLHrVLFZNBThugoHMnZgbfkFFDnq3e1bGOdOw5QzXxzHWvBOMusEh3fIlHVMPrUXWGiMNgnX6b7nO73wa6+vqtz5RcpEI8YVgy43yvrIQM8P4VujtWzZJ8TJYTChvKoQKR1SN9RIK8mYYWt0aPb37VyR7ggPSJhMbQfRFigKWoqtIUZ3Z/brXDqRHK3zDqX6HQ+PNDGqYrKZVhaTmA/0LaWCfplvUD7KOH3HFnb2hMBXTC3RwlXI7AfNSjyjtM574BQlUoYXiFx/g0JlaSoIHJOJb6qkrNZhOleu45I85bqsUjyFFk7pkZV2pKYumkuDUGFvFNbiPn2D0iwsuRH6ztXNUHl5aYUOx0KgrdlryAij35yjUMtmO4dJiSksUaFhzn9f2EC6w4f6/l5LdnuWA63jL5o3FX0oAKYVRTHItUnbYbJMnN2EPIpz/DApO5HMWs3Frhj1zzd2nIlbJmWDkudgRnwekPWaKbb0ficYYp9GCO+0lshUhxptVkhlckXawsK+F4AKwvBWVzBjaaKVbG+6nr0VO6zCgs5IT2hHCLBfekhL7x50YQyJc3sEeU1jeAxSWO+8Stqxl4YpCLUT7Us7p5drV5Y9yvHjx2aieFIy3weMcUzYd6VbIUFK31u6Fr32lI+Ixjun0lJMsZOh8eDPom5u2MYOo98demQ3FOmG9FX/7w4N5CITZOydAj7HYB4xM0h5XfBdbCdjb/sGOYpn71+FPWTMka/gkZJ4tnE5H1um/bTcAITiMk+pNNkQamfEcokmhIV2Jxt6aUGHcvktJrF2xQymUaC97vl/fpq8r4TO+bZ6huY05Er8naPcFvpcfd4uzXig6XeGyk+qzEIqG0OIDbWD05CKxQIN/SOcz9Y/Uf9su5I9ZzxBlWZa9C2SPfX64+EWioXIlMPJWkygYkvQl9Ke7WYApO87DUz5rnK1UC0L7qK4nv7YzivXymqJidRL0Z6svCb6xNNcmyEXC8EJ5G1Y6J7Wibv50shzvDI4jLqJvD0A7EqEO2/D76lQoNrrOA+H+KjystZzIbEjSaxzMg+pUsc7J7fCmxlLjRsqebyWBWRwCFnBhNeZxOmD8Ps57Pn0eN/YgcMCXrAkt0cOoi4mWu/XYcG4o4p9d1hEnmrT0QWDeGYOaW4oxHSyWrC4kMw5VA0eX2+2d9MdUV8e+3SD5K7n/4fceQZN6OzZfB4UHZhB9b2DJ6U3irwYS5+Z4o1quFfz7uK9yeUxEz+vCwCndQJe0Fp7DY/dXdoeGm2n97v6hd5X9wte1AF7WarZH8c9Jp5wNPmsTXxtmKudw33Nia8/CcuLJr4O9dNbUuMjvqEOoiDeFBzyt19fYne3b8P8oFAV4KcKTmQJS1OD9vXlU0N8u6NPdBCp74po713QtEhTzk+X5vIysrx/9yK1a9TRZ8utep4mNUthziSF0Y4jmrN6oK0AqkNrNQBeSM9v4Z5++S7+sqN0csws0SV+90bNVtGZECsHzWGhoCa7cdrOMFamrMKSl95v4pyJy2tPpNxoaCDVWAp5d/cvM9pprveL3jNBFVTb9/Rq5VxG8dDx7PrIKaDRHK0Vapk4scaRRd6KdCE1e6G/9XqnHZNh3kgosMi1otJRKI570gsZVki2hN3JOFdOSBC1+p+BwSVtCUXJOeNPqDqa9fHhN8RmhQ16EgGCE1LWfmEdM87GRImyg87mckjbvjKHZUJX3buyoVPjsr6XXjxSdDYFd6ILfK3bQ5rUjSOol3EVDam6UwrWQkoRmR1EbgN8nfk6qsIQl9ruD3eVnlPahPyYXbEnvCwfxVjj7H4K5ZIkaK7Xmc+O9/gC3aKlK2ZhjqgArWNzKeyqi7XC/MR+PXqmh5s87CcZhRLtND10lI954AJhps3rz7navbA2rujSn4uOXPaoLDGtYy635w28tEIOhIEIN83zqvq0aaDhCxQPyX6dNuG06a9O6H+1cmytTLjIVn0H6un0HgLd0GoRiozgX/yvy03oSG0I02UiNS1fRusX4+IrbVElHI27aMYV1gFaRyz85DPEM50wulZRgtfCt2gE61m4gSaofD1Hc2FehOJ67cOrtAmT2LczodpqiSaemuuF9+B+nUpEnW/bUvjCjgNXvhkUOe4OR/RTmrQ1Es/kg2B74iF/70BgGMdzjl9al/bXP5QrI8Zf/zMcr7+o4YxWG07Sv2CFLO2qutZUYWOamFxSOiV0y9j42Wl7oLrbZJ875bIcrfQQ6tOVYkEJL70TH3fMpYQkCT8jz5uXNM4EHg/iCuLh8kAt1O2GFK8W2myYSQewEJ8xHRaRYVC7WTEaja5HMHHAmSoutIHFZzRMBvF02KHBVBjkLslNz97k0+N99NBe4nEdP4LDi+5+KYIDc6Ajg8z2fUUxDKcGysWMarkdEd+CCVlFVka3H8N0yNduxEx/9L1PNMXNr5d0ZeY5f0KXtI1pnOs2mNJKcCbDZaLdbIhfa2/6PcDoyOX8s8u1jgL94Cr2775EYyRlWDKhunokBtfaYdKRrTd+fYpryDJmQjA9uTkIzU7EP7ap5Xr+xIDB0KtnrurXvopz+sPdkz4D2Bis82eDtamK8oS/fagC2W6moB1qOZzWr3h3w3C+N5bCKlwTgxS5ZFQZMAvT38cPo/LNATzeTWejX2azh2SNbqXTUTF85ac+B/Dn3bvpZHZ36BVt4N14dvvL6P3d/d3sbvT7u/+6u521s/6EPYfv755w+131yHAXpCl2oKKiJ/Ugvxt+V3jpnahSjeHU0VFNzvzF1/IQ77Cm5Ub0y8tjIDz89DipcUSyLx1L44ykCo3KviRUez22MlS+RiN4wFGtR3fzei2nsD3eE2kvlUozvPNx+FanWN1npWOA1pznxnQ2S7YObWK7Bm5fLbFY/ZRNOL+Or+AHgJ+L40Uv0l3n+BkNpcNVNr6g0R1uxM8IJFZ8aZfsOX0rIlqGXL8OFWZeAzvbJv6bvpN2EUnWGmT7oVYoWEixXLnKxJpPa763kKGxGWWNzx0a6nKjEmZ0rtJ/DD5zFQW2GQXrSu6+1bk5HEMMLtCYviN0rQbyuvkY14ll2vFC1v/dDbY8Z4D9RGifLJrhmFY6WEPGyareK9viLsDkfdFvLCPPqcEmkpikx0LOSvec2RADn4ds/WUo0uFbf/Ov1Eb87FClu4QLJu87OnRiqZjLTddc3bmdpIJ8IacBTMXyD4+Wfvhp0LzPWc0Ya07i1XllaF8mNheNC//ntiGRE3NTTRWEhXu2RQNX0+n9ddEz3Y1F4VI7Uf4ZCVL/aRtr9KCjFVEbijvvSk973IjH2eXfbqhP4YW/PDPO3eoXb6thuqj+TrBiO4D/ztFspyH1pvf+pn8XufhVZnBIuoEppXjXr99ab1Vh0Z4bA8WMcaGWsZNJPx6ZD3bSXsaaZoYp609HgqJNi6vdV7P76XXpzSqaFhub+yeBlanthdSb0xsYl5rL+ePhFgjJi1oXF5ExIflASO710hZL+L/JtNU5KUO8G+wZj5dIwn3hQvzCwtvyC2GcewsMeG6dXnd9o0OVerhY0p54+1sA5YWS4nSz2IKuVr1Ds7hEh3nXRlDoNto87dby2MKQv59hMWyxEDyeh2uTHu7b9gtz795E2w3CiG8A49vbu4eZ/+sbd921tNTLQ7Xeq5FKvVySo42VXhRusb0D+P3XAXz8/f14NvaR+NfJA/3cte3WMXXRXS+W8KL9vinZV2jFoEjdStrC+s6jd4pbnXfMFT25xBrO0rQ9nrymlZcxyg6GEp9RwpU2YikUk9dF67N5JB/Z6UaYWvePIEypVlQhsldgFu7iIM7njF9QY/w1HrLD8o/29eo9bD5X2L/b3eEPC1ySBcezZCHZsmfPMhduzexTrOXKwKGl1BvyOLPbB/DL3sDbn6f/+3Hww7/R/4bj218HP/z8YfJx8NPPj9NZO+TLDWgGqd3A5OH5pwH99199iXf3YTx68/8BAAD//624A44=" + return "eJzcXN+T4raTf9+/oisvma0Crr6b1NXVXOWq2NnJhctkMzewyd2TI+wGdCMkR5JhyV9/1ZL8AywDM5jd1JeHXQbb0qdb/VstD+EZd7fAtuYNgOVW4C2Mf5++AdAokBm8hTla9gYgQ5Nqnluu5C38xxsAgF9UVgiEhdKwYjITXC5BqKWBhVZrGmb0BmDBUWTm1j0wBMnWWE5HH7vL8RaWWhV5+CUyD31+dMNUI7t5RuFqc4rmNKlQRWY146K6FJuRPofUlp8MF6wQNnFT3MKCCYN7l6Ngm4CVdnjvCMuMsOxBj8FvkoAblDbZoDZcyb07SkqecbdVOju4dgQYfWYrbCIK44NagF0hAfQTE/o1s6MotMKgTniG0nK7i0I7ZHIb2DCKjEaehIEBBa4JSqqkZVwayNAyLgywuSqsw0uzgVq0xpqMf4ESINgVs7BmGbpHNP5ZoLEDYDKD7YqnK0g1unuZMLBFja3hCoPZCCYLsLjOlWZ613rG3TNwM5S4zUptDazUln5tjdkaQM2JSsxGB7fGhKS5GsSD1sXjMtJejsgNfkUChx1hHUve0G59KKkvR9IWjBLKeM3+UhKe0KhCpwgf2RrhZvz08W0JMNdcpjxn4mDNUybEIVsbqNMUjUmecZfwGL6+8Pt5aCCYfPAIt8w4wQGrwPClbEpoN2CDhpQ2IcXAz7YTckwLzwU8WTSxOKCOnVtuVw01MJgWOiYSsC/ipG6VYjjSc602PEMDXHpbQ2ao1uxAY3TcinWpRmYxc6bWrpTB5pSRR7tUqcnc9YIlrLArGiWl0aN3n5aKcxkNQTo2TBQI3IDV9H9gv1LWGUVQ2hk1931LpHYOFrVMgUX1gjJhlOPhHq1+eVmc7fT55ccxZLjhKf47KLtCveUGB947tgW2yVe3ViS1GbNd4D1Pj9zwEobSMM7IW75G2K7Qa1dbdtsc48YUbUO8T0+phO5efZSgLj18CUV96CO8Xic7xwvu7Xx3Vn6O6SKcdm/l5xw1hBfwGYL0BB8THMtxoRmAKdLV0SGZgSel7ICU+JNBPSCFflKiQ2maDKicWtw7XZsRXFrUkgnyWYEbzbiq6cGW2C0nsC97p8mOxxLXpnb89LGkMkjADUtTVUi/dM7+urXTSuDbo8PF2HNCkM7gigfzdUQhTO4pU1tpricNJb1cbtQzZsk8ZtH6CsxoqnLVKWMzqMnDdSUOpOzAYvEFlDHq/d07GBdWwTRlLjkOueC9YMbyFN4jk8Yy8RxPsFBrpZNUZYeW7/zEL55fNalzk1SBRvArGm2hpXGega4fw7dGY9iyT4iT42B8etUYpDJI3VDDWEnONFujRX24bpeytB54QMxkcjcIukBe0JBv9T66O7JfF8Ly5GSedyzU77h4oojRZJPJlTSYhHigby6V41fxBsWjLKVnTKlnzwjpisklGrjxkf2gnYnnFNY5C5yhQIrw/CBv/4ZMZVnGCRwTiSuqZGyvwnQpX8fV8BTrskby5Es4lUWWypKY2qAurYFKfSO3Ftbpb8jNUpNbru9S2fSZl+OWr3AsOJo9ffURYbCbc+Ry2S7nMCEwgyVK1My657nxQ3fYUFffi0S3FxnQffxl8aYhDyXArCEoGlOlszhMlvOLi5AncY4fJ1UlkhmjUl4no+761oxzfseEaI3kKJgRnUd4vWaSLZ3d8YrYpxLCe6UEMtkhRtsVUprc4DY3cGgFoIHQ39XlzFiWKCniRdeLl6LGyg2onOSEVoQAu6mHNHV9oQujD5zjHuQ1heExCG6c8arGDrU0zIDLmrUvrZxer1xZ1SjHTx/bgeJZwXwfMMYhYK9Tt5KDFL5Hqha91pRPsMYZp0pTdLmSvvDg9qJub9nWDIPdHTpkt+TphvSo+7tDAlOec1L2TgZfojBPmGukuM7bLlbz2Om+xhT5xtlXbo4pc6DLW6Qk7G1cz8ZWYT9NNwAuU1FklJpsCbXVfLlE7d1C3Mj6WpqXoUL8HYNYs2Ias8DQXtf8Pz9NPjRc53zX3EOzCgrJ/yxQ7Ep5bl6PczNsaLqVofSTMjMfygYXYnzuYBVkfLFATX/4/dn9T5A/ExeyTZ4mKLNc8b5ZciBevz3eQTkRqbLfWQsBVCgJulTakd12gPS8VcCkqyo3E9Uq4S6T6+l3cVpTJY0SmAi15PFg5TXeJ+zmmhxTvuApgbzzEz3QPGE1X+p5TmcGx1G3kccdQJ0i3Dsd/kCJAuVep2k4RkeTlrWac4EdQeI+JXMfKnXcc3YpvB2x7FFDKY+TMo8MjiEriXAyk1h1FH4/mz2fnh5aK3CcwQuWFObERtTVWOvsOixYailjrzeLyFJtO6pgEPbMISs0uZhOUksSF4JZi7JF4+vV9n5aD+rSYxduEN/V/P8wtY5A7St7pph7QQemUX5r4VmqrSQrxrINk2krG+5Vvbtob1N5SsUvqwLAeZWAF5TWXkNjd5W2h0Lb+fWufqH3Vf2CF1XAXhZq9kdxj4EnnBV8lmRmfIkmntxf4PmdK7mrGsrgg5sFHtTypV5fqGWy4KKVGtcwJZp4x8FZ2V6VJz+opZunbJ2q82TPoiOSYpm2ieXr7vSvY3v+XF1wM9Dyf5rd+a15TVLv1aCGCEQApIqcd1wRLHumYZivTrgIOfX23I1axaBCLcFzY8U2cRGbI0rSJr5xkrgX3nfzCmV2VU6hzP4p+GS+S+ZF+hzdDrzKFl6ZJoCflkJ2T6JrVCi0bpcAw2wNlq6YOaD3KIU+qrgihTVVfirXR3YTcsVBlPDoWEL54K1qmgsMaRLfTanELbn8ULy+ovBXUh9QrpXxtZWyQgpsrUishTgW0IRcO1i/WsTPNIdKZF+HXD9xB6Xd+Rq8mtJc44arwiRfQluPa2gJZU8du1KNM7SzIm3FzCphYqk0t6v1F7JGNClUk7bbJNz1LvGNseIIocVc8NQ1si64XKLONY9aur7oXOFnlmHK10wAylRlmEFj5qot1+FyBovIjw63ZjZdhYgx13zDLLoHDrpj+ZmsoNuZLTR+kfWul7fVzNuJtu5wMXy5Ol4A7orIT+Gbug70eINtITPUYkehQYjBDa0XkzDxiNr6FiL4shznjZOv5g98Zypb+jsss9xYnpqB29sjStvBiW/Aj2yP2TJMpCQHZVbK0XFgNXv3ToFsSbDeHHL065wC+Z2wvOgUyLEem0i5/ES9YB9EOXibcZi++/ocu797588UcdkAfi7jeJ6wLNNoXr+l0mJf3Q6JFsLo9caaqzigjnBTzM/n5vI6vHx4/yKxa+2tXcy3pksUimUwZ4LJFDvati7qi4gCaB5k2QPgmLR5Bw/04/vwY8d2imV6iTZxqzdqbx9fCLHRfOon8mJSH7HrLG1VFQZuyE8cbuxeiMtJTxi5tclJyaeUmHZ3BORaWZWqw42wC0GVo8bX9GZlbU7uw6b52xOdgVqlaAyXSxfhjwymHU5YtWKXc+ROWSaqVNtgqmRmwPAyCa+556uuvgDLTc3jQlougO/tCVIqv6QlcXk4S59RdjTwhIt/IzIbZNCVABAsF2LvBxcCmFA8zbhcdjac+FLuV6awKvI2167a5N2jcn8tHXsE72wUqFnn6VrHXZpQrba0l1FV1gMaKyVhzYXggdhBoNbDV7nbW2kQlAplDhOxynIKyr9kZlbsGa9LR3nUafYwhWpKYnSq1rmrmB/QBSoipVX9B41lc8HNqou0Uv34YYH5Qgs3eTwMMkohqiXdp0SnLHCJMFf69b1vcSustC1LDJeiI5M9qradKIcozGVN8FHIfmCggdvqedO82lZQ/wD5Q9Jfq7SvrP/RCf2PKMXGiCTl+apvRz2dPoAf1yeiXJIS/Iv7uVqEjtCGMF3HU9P0lbd+Ma50pQzKJEVtrxpx+XmA5uELdxoSQp+Xz+gbQvBa+AY1Zz0z148JsljPUV+ZFi5TtXbuVZiECezbmFButUQdOmnVwllwN0/Do853sRC+1GNPldsgDhR3uyP6liWxncEL6SDYbnAfv3cg0CzFS1qyolO7I+HSVh7jj/8Zjtd/yeGMZhtOsj9ghSzryrp8ES5LdCEonOIqcpT04rDdj1ovsoudClEdt3IQ9k9c8QUFvHRPuNzRq+6DJPyMadHeRr0QeGjOKwf3B4r3XF19cOlmofSW6WwAC/4Zs2HpGQZ7p61Ho9HbEUwspEyWO7VgcIOaCc+eDj3UmHGNqU0K3bM1+fT0ECy043iYxxUO07Ljp2LBkbNhI43M9P3aEn9gzY9cnlurliPgWzAumsjqHTrfMf61CzHT71w/BOrybRAvqcr4zZIk1rp9qdlgUkmeMuHLuHW/uJvr4ESsh9ERy8W2jnosHZX7ReUmePM8fFBGEoYl47KrRqJxrSwmHdF66+dzTEOeM+2d6dnFQWhXIr7YolbzuS4iBkMnnoXcfxVE2bt7vHrSpwMbg7GuX3Cv07reLIw2WiOr+4zjUKsDK/2ytz4g42pjGaz8qyMgw1QwygyYgemv48dRdecAnu6ns9FPs9ljska7UtmoPJDhToIN4Pf799PJ7P7YLUrD+/Hs7qfRh/uH+9n96Nf3/3V/N4uT/ow9u+9vnnH3TbONsHbS5DvCJqAD+c3wm9JK16zKFPpOREs5OXNbfFVj33FJKzTvl5YnP/Dw09NkjyLifWVYWnskTWiU9iU+2+uxlCGLNWqeehzNfLQ+wxPpzOzx7Hg8VarU8N754TuVYXOdpQoOWqWuo6SrWLKzaBLTdQjv1RwL2U9VhHPzuAx+APi5bDl0LK0rxxvUFA43yfgLteowI67tJjH8rzhnL6lb0aCVy/XtPVyCk8DOsol7MtaU0g8n9wpkh66WS1gIvlzZxikWF9Z8ayBHbXKKGjcdEmoLLROmVRHvn7sKfGYbAmxyctaN2H2nCn3ch7jGOd23h97LgZxsPoV5Qpp2OpF17+Jz2+7XhvbJoB6OaaajOWQ4bdF7ZlueD558KOuNlec519mEISbZKZezUj1HNkTA5yFb/zXk2fCdextIJY342aLM6oALJh86KnRVT8tV3gpZDV/yaQBTvvzNoaUv3w/azUvNiHHPSLw6rvTly8QUvNVPd2kZElMibqoogzDwwHao4WY6fXhb1kzroxK4VJZXr5Yj8Z/GSKMLHaWIvYMylx3zj/uNsJ1dvc9t/2SOfxvluLCrn5yu+hMH+/d4LTYD+O8C9W7qQ2+670/6u4zFb3KNQ5INzCjEe/v6pXVa5SftuTBQnjssxTJUMunriTODVpjraNNMM2nc7ogXtGn5uqeb2cP0bWXNGpIWCpuHO4GNk5wLobbnFzCu1Zfz2+MdEJIXlS6uwmNC8iMheVBLU07h3tO6UwUJQ3hfkCM8HCz3ndIl+7mBd9UD/ojnDhikhbFq3fVEhyj1cNg8Hni7k8HVIfNyd7Ncgq5SvUW9uEaFuS4jSLRbpZ/ruRy2uo/XarZY8DTshyudHa/b9gvz4Cx17K0iAd8Axnd3948z90a+++5cWqjlsVzv1UiFWi7J0IZMLzC3XN4B/PrzAD7++mE8GztP/PPkkb53NpNaJq+66uUUjrXftjn7CqkYlKFbNTY3rvLojOJOFR19Rc82MTplWRb3J68p5eWMooOhwA0KuFGaL7lk4m1Z+mxvyQdyuhFmxn4RhBnlitJ79gbM0lwcxbnJ0ytKjDvaT3pYvci7V+thirnE/s1ujd9PcE0SbJonC8FaBwovJGHO7ZqZ55DLVY5DCaG2ZHFmd4/gpr2Fdz9M//fj4B//Rv8Nx3c/D/7xw4+Tj4Pvf3iazuKQr9eg6bl2C5PHzfcD+vdfXYp3/+N49Ob/AwAA//+8xDjD" } diff --git a/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml b/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml index efd1a9d358a..dd8613a904a 100644 --- a/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: "Pipeline for s3 server access logs" processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/x-pack/filebeat/module/aws/vpcflow/ingest/pipeline.yml b/x-pack/filebeat/module/aws/vpcflow/ingest/pipeline.yml index 0ad04419cbd..bd9b1d32769 100644 --- a/x-pack/filebeat/module/aws/vpcflow/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/vpcflow/ingest/pipeline.yml @@ -1,6 +1,10 @@ description: Pipeline for AWS VPC Flow Logs processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # Convert Unix epoch to timestamp - date: field: "aws.vpcflow.end" diff --git a/x-pack/filebeat/module/azure/_meta/docs.asciidoc b/x-pack/filebeat/module/azure/_meta/docs.asciidoc index eea82995532..aa5c854b457 100644 --- a/x-pack/filebeat/module/azure/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/azure/_meta/docs.asciidoc @@ -53,7 +53,7 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi signinlogs: enabled: false var: - eventhub: ["insights-logs-signinlogs"] + eventhub: "insights-logs-signinlogs" consumer_group: "$Default" connection_string: "" storage_account: "" @@ -64,9 +64,9 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi `eventhub` :: - _[]string_ -Is a fully managed, real-time data ingestion service. -Default value `insights-operational-logs` + _string_ +Is the fully managed, real-time data ingestion service. +Default value `insights-operational-logs`. `consumer_group` :: _string_ diff --git a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml index 8c4c42d60cf..a4567959194 100644 --- a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml @@ -5,6 +5,7 @@ consumer_group: {{ .consumer_group }} storage_account: {{ .storage_account }} storage_account_key: {{ .storage_account_key }} resource_manager_endpoint: {{ .resource_manager_endpoint }} +storage_account_container: filebeat-activitylogs-{{ .eventhub }} tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} diff --git a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml index dac11495608..2d75cb07241 100644 --- a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing azure activity logs. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: azure target_field: azure-eventhub @@ -71,7 +74,12 @@ processors: field: azure.activitylogs.result_type target_field: event.outcome type: string - if: "ctx?.azure?.activitylogs?.resultType != null && ctx.azure.activitylogs.resultType instanceof String && (ctx.azure.activitylogs.resultType.toLowerCase() == 'success' || ctx.azure.activitylogs.resultType.toLowerCase() == 'failure')" + if: "ctx?.azure?.activitylogs?.result_type != null && ctx.azure.activitylogs.result_type instanceof String && (ctx.azure.activitylogs.result_type.toLowerCase() == 'success' || ctx.azure.activitylogs.result_type.toLowerCase() == 'failure')" +- convert: + field: azure.activitylogs.properties.result + target_field: event.outcome + type: string + if: "ctx?.event?.outcome == null && ctx?.azure?.activitylogs?.properties?.result != null && ctx?.azure?.activitylogs?.properties?.result instanceof String && ['success', 'failure', 'unknown'].contains(ctx.azure?.activitylogs?.properties?.result)" - rename: field: azure.activitylogs.operationName target_field: azure.activitylogs.operation_name diff --git a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json index 7ba307ee669..db962bd4df6 100644 --- a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json +++ b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json @@ -45,6 +45,7 @@ "event.duration": -1468967296, "event.kind": "event", "event.module": "azure", + "event.outcome": "success", "event.type": [ "change" ], diff --git a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml index 239e7ef2249..3633cc4e5de 100644 --- a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml @@ -5,6 +5,7 @@ consumer_group: {{ .consumer_group }} storage_account: {{ .storage_account }} storage_account_key: {{ .storage_account_key }} resource_manager_endpoint: {{ .resource_manager_endpoint }} +storage_account_container: filebeat-auditlogs-{{ .eventhub }} tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: diff --git a/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml index 2bf26322faf..e6a29f6cc13 100644 --- a/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing azure activity logs. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: azure target_field: azure-eventhub diff --git a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml index 239e7ef2249..dd8e1473a68 100644 --- a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml @@ -5,6 +5,7 @@ consumer_group: {{ .consumer_group }} storage_account: {{ .storage_account }} storage_account_key: {{ .storage_account_key }} resource_manager_endpoint: {{ .resource_manager_endpoint }} +storage_account_container: filebeat-signinlogs-{{ .eventhub }} tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: diff --git a/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml index 9d5351bf36a..72eb516184b 100644 --- a/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing azure signin logs. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - rename: field: azure target_field: azure-eventhub @@ -256,12 +259,14 @@ processors: - set: field: event.outcome value: failure - if: "ctx?.azure?.signinlogs?.properties?.status?.error_code != null || ctx.azure.signinlogs.properties.status.error_code > 0" + if: "ctx?.azure?.signinlogs?.properties?.status?.error_code != null && ctx.azure.signinlogs.properties.status.error_code > 0" - grok: field: azure.signinlogs.properties.user_principal_name patterns: - '%{USERNAME:user.name}@%{HOSTNAME:user.domain}' + - '%{GREEDYDATA:user.name}' ignore_missing: true + ignore_failure: true - convert: field: azure.signinlogs.properties.user_display_name target_field: user.full_name diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log index 387bda6f369..1160b01bc21 100644 --- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log +++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log @@ -1 +1,2 @@ {"Level":4,"callerIpAddress":"81.171.241.231","category":"SignInLogs","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.171.241.231","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"test@elastic.co"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} +{"Level":4,"callerIpAddress":"8.8.8.8","category":"SignInLogs","correlationId":"a8d4eb85-90c5-740d-9af6-7a15036cd135","durationMs":0,"identity":"Test LTest","location":"FR","operationName":"Sign-in activity","operationVersion":"1.0","properties":{"appDisplayName":"Office 365","appId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","clientAppUsed":"Browser","conditionalAccessStatus":"notApplied","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","createdDateTime":"2019-10-18T04:45:48.0729893-05:00","deviceDetail":{"browser":"Chrome 77.0.3865","deviceId":"","operatingSystem":"MacOs"},"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"81.171.241.231","isInteractive":false,"location":{"city":"Champs-Sur-Marne","countryOrRegion":"FR","geoCoordinates":{"latitude":48.12341234,"longitude":2.12341234},"state":"Seine-Et-Marne"},"originalRequestId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","processingTimeInMilliseconds":239,"riskDetail":"none","riskLevelAggregated":"none","riskLevelDuringSignIn":"none","riskState":"none","servicePrincipalId":"","status":{"errorCode":50140,"failureReason":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in."},"tokenIssuerName":"","tokenIssuerType":"AzureAD","userDisplayName":"Test LTest","userId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","userPrincipalName":"c3813493-bf92-5123-2717-8a8b2979c38b"},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultDescription":"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.","resultSignature":"None","resultType":"50140","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T09:45:48.0729893Z"} diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json index b7e28171a54..6a0f96ae261 100644 --- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json +++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json @@ -78,5 +78,81 @@ "user.full_name": "Test LTest", "user.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", "user.name": "test" + }, + { + "@timestamp": "2019-10-18T09:45:48.072Z", + "azure.correlation_id": "a8d4eb85-90c5-740d-9af6-7a15036cd135", + "azure.resource.id": "/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam", + "azure.resource.provider": "Microsoft.aadiam", + "azure.signinlogs.category": "SignInLogs", + "azure.signinlogs.identity": "Test LTest", + "azure.signinlogs.operation_name": "Sign-in activity", + "azure.signinlogs.operation_version": "1.0", + "azure.signinlogs.properties.app_display_name": "Office 365", + "azure.signinlogs.properties.app_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.signinlogs.properties.client_app_used": "Browser", + "azure.signinlogs.properties.conditional_access_status": "notApplied", + "azure.signinlogs.properties.correlation_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.signinlogs.properties.created_at": "2019-10-18T04:45:48.0729893-05:00", + "azure.signinlogs.properties.device_detail.browser": "Chrome 77.0.3865", + "azure.signinlogs.properties.device_detail.device_id": "", + "azure.signinlogs.properties.device_detail.operating_system": "MacOs", + "azure.signinlogs.properties.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.signinlogs.properties.ip_address": "81.171.241.231", + "azure.signinlogs.properties.is_interactive": false, + "azure.signinlogs.properties.original_request_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.signinlogs.properties.processing_time_ms": 239, + "azure.signinlogs.properties.risk_detail": "none", + "azure.signinlogs.properties.risk_level_aggregated": "none", + "azure.signinlogs.properties.risk_level_during_signin": "none", + "azure.signinlogs.properties.risk_state": "none", + "azure.signinlogs.properties.service_principal_id": "", + "azure.signinlogs.properties.status.error_code": 50140, + "azure.signinlogs.properties.token_issuer_name": "", + "azure.signinlogs.properties.token_issuer_type": "AzureAD", + "azure.signinlogs.properties.user_display_name": "Test LTest", + "azure.signinlogs.properties.user_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "azure.signinlogs.properties.user_principal_name": "c3813493-bf92-5123-2717-8a8b2979c38b", + "azure.signinlogs.result_description": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", + "azure.signinlogs.result_signature": "None", + "azure.signinlogs.result_type": "50140", + "azure.tenant_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "cloud.provider": "azure", + "event.action": "Sign-in activity", + "event.category": [ + "authentication" + ], + "event.dataset": "azure.signinlogs", + "event.duration": 0, + "event.kind": "event", + "event.module": "azure", + "event.outcome": "failure", + "event.type": [ + "info" + ], + "fileset.name": "signinlogs", + "geo.city_name": "Champs-Sur-Marne", + "geo.country_iso_code": "FR", + "geo.country_name": "Seine-Et-Marne", + "geo.location.lat": 48.12341234, + "geo.location.lon": 2.12341234, + "input.type": "log", + "log.level": 4, + "log.offset": 1688, + "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", + "service.type": "azure", + "source.as.number": 15169, + "source.as.organization.name": "Google LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "8.8.8.8", + "tags": [ + "forwarded" + ], + "user.full_name": "Test LTest", + "user.id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "user.name": "c3813493-bf92-5123-2717-8a8b2979c38b" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/barracuda/_meta/config.yml b/x-pack/filebeat/module/barracuda/_meta/config.yml index 12971cecc2a..36ecc93be83 100644 --- a/x-pack/filebeat/module/barracuda/_meta/config.yml +++ b/x-pack/filebeat/module/barracuda/_meta/config.yml @@ -17,3 +17,22 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local + + spamfirewall: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9524 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc b/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc index 5ebc34fa334..d0adf72682d 100644 --- a/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/barracuda/_meta/docs.asciidoc @@ -51,7 +51,52 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +[float] +==== `spamfirewall` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "barracudasf" device revision 125. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9524` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/barracuda/fields.go b/x-pack/filebeat/module/barracuda/fields.go index e01b040a745..f405ad135dd 100644 --- a/x-pack/filebeat/module/barracuda/fields.go +++ b/x-pack/filebeat/module/barracuda/fields.go @@ -19,5 +19,5 @@ func init() { // AssetBarracuda returns asset data. // This is the base64 encoded gzipped contents of module/barracuda. func AssetBarracuda() string { - return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb99eeSVlo1vb0bNs59XVVk2BmCaJFQYYAxhSzF9/hQZmOORgKIkCKPnd7YetWCQb3Q2g0b/7O3IF69dkSrWmrCnpnwix3Ap4Tf7W/on8DlPypq4FZ9RyJckvXMOKCvEnQkowTPPa/fk1+eufCCEbUGTGQZRm8icS/us1fu7+9x2RtILXRIJdKX014dKCnlEGE/f37muEqCXoleYWXhOrm/4ndl3Da4f8Sumy9/cSZrQRtsAlX5MZFQa2Ph4g3P7vPa2AqBmxC2gRIx1iZLUADfiZ1XQ244wsqCFTAEnU1IBeQjkZ0KcNvQMxc62a+vak7DJ1syxiLanYIm989bH1Y0tsFqnMfOvv+1cY37DBrnxccOO+R7ghjYGSWEUYrW0T+K/pilRgDJ27f1NLmKrAOKKV+3wHNCFv1ZycAlMl6DghHhbfRepQclq4sARpC0daYsAB4czcDyw3yHOmpAVpjbsfXBpLpW3RMFEcLa8OQbCkdveDIXbc4+SWINSS1YKzBaHEgDFOPC24NYSS92B/51aCMe3uTwZHoyPWLFQjSiJhCZpMoTt3NdUGyDuw1KFGyUyrqrfU07dqbl5cUHYF1jwbgD/lGpgV6+fEBrwp+QBeWPgTLntoTqKMFLAEcQAnhZK793OLk6dQa2DUBkxKmHEJJVFSIFqWTgWQitZxrCozL5JdmD17/C7c8/PTH8iSiibceF6CtHzGw+mEa8osEWru90sPNgKp4/h4+dOC33PbUVNtOWsE1fj7sLGT0ZMxAH3QSYmdjAHk8ZMyuiXL4+7Jy/+/J/v3xK2aZ0Pud33V9F8FErK7LY8GuyU9ROhlR02DUY1mmd7e+7Mt1/2/H2bGUgsVSPsYkaNNyW3BBN25w48EPZBWrx8jYgunUz1GxLg8DLG8GlMrOR7vSSuBHiI98rJtBlCmtKFG9JqYndn7YusWcNgM9JCBknA/K2JHDxlAv8GKGOfijmvlSFyUPa9KlH2eXQMyE7GPRDh4Z/axY6jVjeRfGtio0bqjP/xpvW3UnijJ3ONArXrslu2IuFnyvOKwz90TtwyftS7McCDfqjk5W4K05BKFM2lkCdqZIBqCoBqQPuPXUBID1gHZ+vH2GmbcYGk3YQD73gZLtwkD0HfalKEnML1/6bCDOaDrDjy5Gw8WymTSV/vn8ldlbF9Eit0TaUCWXM7bD03s2PR8SF8Pf/khB2zwo1HGnl8sfyK0LLWTlWPXfZe5A+qt+lqZu3yVm72v/t9lr+NWftmwKxe8I63vLSsJJXO+BNk5yb5eRcCx6DD/RV4LpHyMyt/XEdEYdWioel1o+JJhr/vBQ9xgpHu6Ri6f+aXJBV6k58GbbSn5uK6BMDqUIFMgwO0CNPl0Lu0Pr4jS5BehqP3xJZlSg6eoDZDN+LzRqPrdQPch6u5XTDeGQfMZnwn8C+7Xc5XLzbbPOm5X/uodDEqvqC6zKXU9idYju8/J84vPW/oeJRoE3d1SQszaWKjCIxrQdtAW4E+q8cxz/1aaz7mkov3NtrZyAx9y6V97EiPOLz6/irAgoD/gxP1Z0GE05HKK12dzUIeK46GvzwJoCfoosetfcSlyfnqfKKnHtx8sRTCHxUoftZNNsCK7n422itb5RtHCi+JMlxMlBDCr9NcogB33HiDnxp05bgjzrIPSYbqlqL5Vu2oL2cPoR2jxVWz6WFTVShlMdquUJNP1YNMI0fClAWMdQMOrWqzDPrkvO0FPgLIFMbwE8vR7Yhe6IS9//vkZWVFDDIDsVtnDiUehvN6CE6ZW0kA+VrCv5lQw1Ujb+RSaauqFnrvKJgqBPKVTtYQeM7iMZla24s1YDbQavT/sqzk2D8wqKHmzq6elYNQ3Mc2xcyzwGeH2n83L73/4s/Ei/UWNArRF+p8Dav7p7MG3dA2avCRnktHaNMJHVpxJeSe5HoN+z+BHJLcytsqPL8m/O3Kfkx9/JP9OmNJOX0YqwqLPyX8X9n+6L3JDtpnyTXQLpSrh0dq6cgUFo0JMKbvKqwF75KSyeG2o9XaFYyLIslZcWjRNLMQTnPFwFKC1ypSfttEHTQ2MU4EYI6bGKu00a7n2Wof7YEkFL/3BiCFFyEw1snQvjABEnst5UI5uTF7cvhEDyCligeE67AkbjezCWihaPpZ3LqBDDP8DSAVWcxaxOoIp3P8y2sL+uW+FsHv2qd1otGrWbtuE/KpWbmuGNieXRGlnjFlFrgDqG5j2KF68r4RpWjEwpljysihzRV3PWskzBwmaWrzkpeNgzy5ccm0bKpzRvuV7lxEXB6+4M7sxVo7M8FSEq35+SrST1gYdKsg0qudgu6/dyAmjMyU9PTgnfCbcfk7oLKGgoeA/P219rx+gUhbIZTjvTAM+tNP1mKB0/2sDMV9B4CWsVJha8JyZDY/anDd8oPY/Ct3MydyM5x1vnXsDwllvT11rtYQn5L9GhNGLlxkXDxCjd6s64+ji5M1F0H0ZlY49vKqV3tV4CT6RX10aRPM43B+f/FOFhjia7jFX6rYp32x+sjHYvZ6DlvmEvPz5FVkh3yugklAh4r4CdOqjmrTxH5EVaPBgqSUCqLFEyZ1ykW0mPria+HUzMXJXc4RtA+9+V7pExmFWE7CFVELN17uBuBnXAy2WkJ8JW1BNmfVMdJd6jfij01ySRoacHrHlMx+tqE1d0O0D9TmDCHtil2hRVE7JVLINI2i6GpVpKFl31ErKUGP1MQoZfA6KsUa3EI2lsqS6JFLpigr+Ryy/V+kqyp8yZDkczCLVTAdP0p2YtMG6Q+aF4DNAiiMGvgGmZDmiYG+2uzA2p59lD0FcMlXVAmz0AIw6USkq8FbzHTHYqzfT9oEO8qVbO3qcx47y9skcPX6VknaRaJs29ampcl42WU7lAzH+TJY52O5A/qFk7m4Le8SiW71VMX167cddDg9EVLYb/YZYuLbh8pElaNMrpyj35YFF9ve+h20NNBWZmzI9pnQJZb53MCTZhGfKdCu2OkabadN9sR9fH75WWlUThNpgUb5hIKnmyqv1VSMs/85y0IT2GvhsetlUVNJ5rDSXEIHhndZe9Eh5XA3h9okhaiV9ZMzSqt71DAaM3WoOxeHts4awBXfWjSrBTMi7xlg0k/pA3a2kdiQvl1o4cJP2CrDZzOG9hGNoQrjJ7YKedxpmoEEyfyCoU61LvuSl02zwPMQF2WUryD7uMC9O5HXN9dEo3OynjwVdu5PIrVh7Yo0Tek5fc0jhAd3vG0246aMunOdOGnfybDJYsksnU01qCVQNFLn7Quz4n/qqoAb5pYHmaEfJnW5/ijbycUUNQSTKkXODyP2QmqkJlYIthmaQafPKZnh951UOXOsiA6p1kUN7rlOKom2gL5NDzaAr9V6RhzEhd8zH6BszeC7v9OYcKjZvkmuHBAs2D8RON4TUjiDKBkp8CsXaNCJ32GnEilKNZaqCFx6HznjBrGw1G5wQKgMLtgzIkQMCS9Dc5iwd2UNYu3ooAuxFdva5fPIWLw56B/pXuqt0cdAw7lQD4zO+MXzi2q0P5oz1VAm6cv5spsgGdC5GXm4KJloXVRmCLFG8g9l8rE34vG2l9y1BpclvlyE1lps2IWDXr4brtzs0ViVpamV4QsFxq7OF5rQsfYcpTOVv7+5oF55G2CJf66I7iiLZVKA5u6ssitJ2hCq2PYT1K9m6m+HFkr/fA9KWIEulQ8LsXsrU9F8P0L2mDe2q6b+Axe1oh1j+WvABu50E3Y+Yl/Q5e9V9M7yQoeo/iJng5VrQLrdYKksoWYSOF/EEWqHmRZuo8iBCvT2Idxbqx+iZsiX7/o7pVti1GsVHXPFXgrN17tuzRy5cIAKhubYU6xG53IicedNxBn5oBCBicXGqpIXr3Bprh9C59P66TT9UWpbG/R8+qlS0CMUawNzwOLMFlXMoJKxyy4KxwCWseqF+VEKs1XzaWOhJiGGOvvGoO229//zFRYepaTJh13FO8GxtK/cxDQ3B3fwij0xff4sYt1gB5hjWNhw0m5wvvQQ9IZfgN6UxoCd0DtjKO2S6z5RucRjAbsF4vZ3h74n/fa9vhdJkqtXKfdb+Neia3uwa7Sd9Xl5QbVO76TrAqT0q4U6pQXXose6UEmWnNua6UqqGEFDM9Ra/kYQK0LbLLtKbRcPffHgriI9eEwBMQooozCWRSn6noQa0ZPZlP6DZcMwnhzVauwvT2Su4k6jHveA+wtaGfwaUrbhdBGXZy3pyigtOsdpEEiW/myv333teAlRSiojimJFu2gsGvkAEHJJqRpx0sBzMhFxuZMruYIN+ZVUejE98OV9jnBHjS0Z9sk0ZxG9gPCVMNMa2BzL8Y7BN+BNu3E6Gmujg33CKL346rgIdXfvxNyxu0fu2TPmUsic3GV4Oy1PEglBjFOPoL3W7EbUnccPe8it4TSipF2vDGRWk5ObqOak1zkR5TsCyJ3FFmWp6SO3lHR96X2ejaQUWtCE1NdjFy2AjB9+LgKmqclJMbQXth6U1YNledc+/Bw+l8fX2MMPD5MU3U1XdDO9ghm2jZMVlqVYhn5YpyaC2z7tMilFmDMicNUKsyZeGCu/8LFVFuQxSQ/YWEmrk6ep7PVOpS3tIdyrhWy6voAy1QG0iOjXonQoGivvkmw61CS/3bZwYdIXIKur6k528W2IXgRa93y4fCq/f6uB5JZfDdj1d0Bl0xXcHO+V2sYY1EVt//vdr2j8m1rRnXOS/4x3Jv+Bq3TXWUDYMSBs5gri7zYDmVBSR1zTbI3KJS7Zq8+772HsA3Qsz6hcAdmUOajmQwmMcVncP3YKaRXdDnVoYqTJs2MJn/rY1Nl2Z4UkLaadFmCOkW2ZiNHO/6v49rDQlTp5LwjHnrpFMANXuT9gIb4NaKCAM3k7dFnbeHH3wwq8Z9nl61C8WU9WUy65vdv/BCmWj+g6v15Lrxhzb09fXRhCBcY/fcQKkkStx4lf3PRnHPaXegsvuGu/Y573M56fkvZc0T0PjBuKn7YWiX4fbs7he7R3QD+HL77mfz0+RpaHkrRMTQ+/BdkTOpwF6Eib+EDlZsOImbqQuzTpnL/vtqG4o0Pbqwl4/tvTG9xFPjWP9SbcwOT+9UZNN5Z+7QZN1iL2U5UajnZATX58Z+p0K/8F+bRYR1Nvf+OGb4I6bNrar3FS2e4waKcB4zij/oKwUWVLN6VQMqgB9UwYuSS3oiCAwIE3W/ihbG9pXVf3KEyepnIbR1hdyt8+XL84vdnVoElrGeo/CWF32gQMFb10LuYm0eCTJubTkks8lRWExckRrpXM2r30ykF/ukF60upvCro74nw6R3l3GU1aqyMF5/9tHwiUTTQlOnIVBtu7nE/L07JpWtYDX5MI7RDxYlN6TuF8EI3NHj22ic2rztMQx4+bKqdwH4HWHUryeG/N9eBo+cHO1J+RqNZ/PQecbYRdn2ed+LCDggNrpQoNZKFG60+Nt9ZFJo1uh9yN4Foax9yCVn37wOsazrhnH+Wm8jOTW0Xmmqro4ct4V7krIvcIxrt6/Z5rpdw4dJbE+dYbjZlTZsDErLailD5Q11se8k5ZKY+cBJ9db/EamxFFdrqh+mAy9YVd9J11peIgcESOtkZ86IUrJO8rafspx5daJoKPaMUp+1yqoer8U8rZm8qHWGqhJnhtsLLVNKsW580dRLh7M7HCLT9U14eWL8ffLvazNMTB0GH0aND72d8FhEb+67TuWefre4JCfDufuHfKccamaVDHOXh2JmSe/U06SpnQ6DDyyPyUGnLsz49aReCOEk3vENIyBMbNGkDO3PmGqBOOORNvsN25ZcFnCdWIGCG7sYZrnPWULLoymmG6RmILG+GZFNReYwRPx4Pn4u5wTikz8zv02SpnMcA7V1DcXeiCNOKxOnnb5nDVoU4eiWy9hBiwLKsImIb7t8PRspMjQu7mG73HuhBKvfHVJXsFX5b/tPqRcGlKCpVxEnAxT1dje70ZIU+LouZmtx5Z2eWyIx/hDaqGqRbZsnjekhBkNIaDQ+bKN4YdsTacVL0ELusZCLqvC40qeRm6k+wCt7vBrmLVV4N5Xbyy3DTZmJFHCNrbBsGHTfa9r0ihWz7/DaGpMM8gqpqrK3ac8x+jEQye8l+xba7XkpfeftV3kKjCjiVClYocHGu/uLfuFi43WyPp5eXHV4LrGpKeHkfXt6nll/b/U9EC/08Hk/W81DQGY+O2qeb7GuaeYUOx3/vLinJwPFKo+Gtm61obqkv0YJCzs6qph50kN6bv4w0JudVy59yKimKoyd8XXoOJuV+kIuBCHy4h6tEjfLcGHDI5Qed5zAYfSYZ9A28VD+JyXXShnxIlXpbYaB2XgCV7+dEpeR3fd5Hym2uneF59895w2EIXJGtfAmr4Xwad+TSFW3tp2YdqXuHEER0jUK15uO0S66kq6pFzQYSCDdK5wgvWVM9B6ZNKCv0OH+PrTxd2CsVKFBlA+ADsgKaQbGD6fjEhEXhXTpizXyf0zvCqS1gH14DYGDmt0vtdLlR6i5iphl4OdErvCNMcoSOCmn73qe67SpuS2q6zb9EULGMUG220qNrwo2YQX9hPps8RSc3B5NKv85PMZeRpqJT43wunKUy6wgAPzwM6ua2XcN5+R74aOBrkbhbmSaiW3DCEDrMFmFstt6COTNhk9ggtuNy30pK1yfx9Kk97CnLI1+TRqrgk+1fQhivLDwlss5pJUlMuZphXsTceoqcapvfn7JGwplxe4LHmvSp8cvWkL2Ms6iyBFbtC+MFXAMSKXhbTdN+49rMivjURT8p0qQZCnXC4n3z4nXLHnZOr+D9z/UUnF2nAz+TYeX7SsLmaCDibnp9ahtjX8kwuCi6KvC+Xkuh1+pWZ7GzVYlRVT/9dpwLNtg2BAu4McRWhZpZW7O5h9fvc71UA++gTgb7/9/O73Nx/Ovv3W59wuqaZ89EyulL5KWbJ84wX7vV2wH2EbdYJRmVqJCDU7abuUdM8BZe65WGcwYWZKgzScpRQgPVdSBoyr9F6QSHwgFdBiRflwOPG9vQPY+zw1UHd9Upeom2aa6VLYaWmsTl35jvXa2Rxi/bc02Tva1nzkc5IeWuyyGQw2UGlCscmm7iXUuzgQMz7qaGpJzeaIPZTUaDeiCJm75T1xoXxwP8G7Oy4c8kH//zBcdaMy+8l/D3LEyp6PPiCyF8kHORxtHHcffkodIWlra2d7dulT22W0t1l22CfzGbrdBif35sh027KaHyMehkVfM8qF43XbzOUiyIzz035tG3bicuaghXmkhcF4VmGbc104FfEAeg5JvMZ061B9dKKqqpG7nqgBdvKwxk33xe49XNu/Q1yn7nAzh2nW98XtksrybyoeNdvgZqnlh0iGe2M3XHgLOdOYmjOukmWJHsuCR+xXVMth0OGxo25kVRcqlzC+fP/ugvzm/aibpNQ4Il+Omkpw+R9vyZcG9Ejv1kbIQsNup868yQ09h+iafGiLzqJpXZ2WzhI+pH2gKvUYAQe0PshxdBNUGwmO3RtumX5AAxVUVxl2y4HN4F6gdcIC5A5oUyabSrsFM223qy3QJbW7WuF94U5BskVFdaqykg7uuqaD8cX3jj5RNkinSgKzWCQ/CwxmaQuoOsCzObZaygBWTf+VAWpNk0/C8B2nkh8vDLoXPPWDEzq3VeBUz+RIy4IyHIySvvzEwTYyofHeAzyd18uf5LVdJH/fmSyY1UVpkvZd70F3kA+LPN0C8FLQ5BJDFiDnXCYsihyCzpEbLYtZYVbcsuTyQxYzoVaGVulzV/qwpV3mg54h6sJkwWVOccJlDbqarpMlvA9g1+wqD/AlFTnOCq+LWiurivQhKYS+/KlAj2N62CLb3RRqXpQ5mO0Ap89/Y7Ko6HVhbSq3wTZgd6IFZHgUKi4zIc1lPqRrYQoxFUXqsOgW7O8zAk/eGbwHO3UvxD7s1FW9fdg/Z4T9KiPsf8sI+39khP3nPLCtqgWdQg6R0kFPb57JomoEKt/TdYZ3sgVeX2XQS6pG8HlV59G+nZZJxTx1ElKAzHMoJQa+sPS+EVkYn5CYYQeNZnmsSQc4jzVp1qapM8wiZbIrq85iqlplnekB1xlEiFXWGWa5YKNZkwV4I/m1pFIZYBkO4fKV40qmR2H5StV2AbTM4FZTVV0wkcGH7QBnCJIgXD1d2/RuUQfZZIFcN0WGmAbT3HJGRYYCIlPQOUi2Tph11YctqVj/AeU0B97LAtuAZoHs28Hkwdon1maBPp3Xy1d5fNCmmHL75yyNxpgp0s6K2wGsVXJRbbJcc4QKTKevcjPex59s1lYPMNiF9/Ond4544Kj2ZQHuu8mn6yDXgz3jAnLYMKaY5dhEPktZnL0NOIduYApeY5JikUXU8Xr5U2lsPWjmnwi20SwLbMFnkMOMMehorqDkyQpGt2FzmeeUVKpsBBimcnA7AOfzDLJJ1WZFbdKZ/z3osQzyJIA1zLmxmqb3hGxgZ9D4NNS5WK2z8dpgJ3KdSb76zHx/xDNAtxpolUGR9KVAudDOp1yvFoqbwk+YTQ99TTXNcsDLkULYFJCXfr59arjcWCqTzzkujZ02OtWwwBYq+FlBOaA2yXFNr0e3NcmpweLkhln6YdeHdhrYB3NOyzL1HeBl6rBq2zoow1vEq4JppaosXYkc4AxmGq+KPMmRoeNRDjbXV8nbM9UmfctSXpta88RABbXcNsmzzwSXkK7FzgaqSTpRp4OLxbfp3VpC+a6nxUyo5M95BzxDyr+zeZNLHQc0g8RxNnQGVJPnJgg1z3J05TzLBa6VTi3Aqmkzz3HNKm5YDrFQmSwHNsccCAkWmyslh5tchvsG0Kkz/jzU1Ol4crVKbYFkqShTfgB0cktUpdeMlObzIjKP695wVxJ0+jerLvxQ3uRgk06m3oD1I16zHLIMhZthJk5qYRDAppYGdeEdScnRpca4Dwu2SFXnPwAN1zVPHgioQVdzTaUd9NxNAXmVBXD6p9d3Ivv0aWcKaALAWs0LauqEAwP6oDVNDVUDFTn0Ow0M+eC7jmYCnp7JDnLaFq49yEqXGTBO78g0GXzDxvuGM+QDGEidCOAHHmcwTgx8SX8AYg1ak0HNYEoZPs8geE2d2stmNMtxDzQrkyvSRrNYV9wEgG26EVt9mI1J3lVzyWTqQonotNj7AvVNOlOTb+c2/bHyQNNH9LqZnqnhruvk3VqbcpolD73RIsNb2BjQRclTV71nGVvRRoZysMEyY2mV2hu8LLg0ls4yaAZLrm0ONXxZywytm6zSjUzpZo21RYt0FH3TWEU+NJIMlu6yRzIOy/tMBS/JiYaSW3JCdRm6GRps/x5Hx0/OysilsQmhCAaH6BPsb8CUILFSnS4fgst8nDuraqHWMBgseCP/ZqpJ1tT7lmfM8dD7jHDemYY5XJOK7jZa2MRi5bzZHQaSHUnBDQ5naFcPW48NlIhp6lppS4aNRwlZLagl3JJaw2zsKNwjLfcuQyhijA9WR4cC4TJ0dh/pCy24zD2Rv4eqW62PpyFWzcEuQE823zcL1QxeNEIkLEF344isIjXVBsg7sBQngvu7SjsWPH2r5ubFhS97fUZOw4iv58QuIlOKsBnwBwijjxFtSd6D/Z1bCSa+z8NDnYV5MxzZ3d0iXNwTa4BqtphwyaP44czdI/TX3hGfOAsDkyFeCNpInPU7b3COa9vEPd7Afadf+x6a8rfj7mjqmnCH+cUjxr7biCJhTdPtOq/isuQjXFu8FWPugmNMox4RSJvBde9xQrUUIxMvsXtuxnHg2D/XgCUavjRg7J6m3YdnK9+9V75XGXAsj1/VS+xdj1SXd7rtTtmHk8cIY2Nbf8cO7eZ1lPKUs/9vnm/oFjs/bYUCrh0/G2g1pEviveMRdo/LlBogPl27w4YMblW3S+EXD4Ov7EbBd5gr7dvXR9lICDXEAOC4M7p/XpWm0lB2hPG+gw7TfmmJau/m0LBG4wS0fUjXoCvu1Y1jIb1Z0g/m4EsuYA5EwBIEocbwufQbt5nXHz/62JL5AeU3rr/npE8fZNKzw6yR/EsDu2MSafzy9fA9rGPiYVNQWo2Gl/5CMiUlYG4FWXG7GBMUhEQqQzqNXcNB5UV3Ni0cO1GedE+UUHPOqCAOgxHTB7F4WOxwqZExjQ/Hu3qxNnH0eulsK7WT1Zr6gaeCU1MsVHabwBtxnbmGs1Q2Q42cVOyP4In3AyD+0jhs8U0Lg1iYAKonb4RRzhDfum+nGCwnv4ZfTMgbue7+NYBu0ZY30hJaTpiq6saCjovhLG58R1g+8+yb3b3AGYtbG8LtP5uX3//wZ2f7nva2o+XYN1G0wzkt0kbMbuu4oWvQ5N86n5x5EdBA5OK3PnX9T/4zLzc4b536vftxYPLyTbLtye7AFLfOhLz/7eOZox00eOcJ+ktLbpiGmkq2dlplUM/Ebi4IQQ49Jx/fvSbn0v748jk5f3969p+vyadzaV/9RJ6uFmsigdsFaMIWyoRRaUprYBa/9cOr//Xfnj2JcgTsIqOM2+UHytRJRePjeEzm03fHa37pz+J5i1T8ipePC+m+bLoB8wMbxt36gY/hu6OYbqyTz1zbhgry9s37KLJ/KAn5fFmHnYz/oyRM4rx16H41IhQJuVl44hY8xjd4zz7MqYUVfYAR6Xi6L8ibstTop/WnPIZO9/Syqj40znnfWMj5ybsL/yqNhscqao4Y/dhyKnlNNbzd5PzCoTLi/XI8PHASRBIeurXHedhqYoWfrnVcAdFDl5Yld1+mYhOw7c3yj79zRzwAziTEC67CDT/dPgIDVDa51ln0uts+aZS8DxheKG07kTwQuiUG2HADuF3fLHnNkXnv6eFy3j4mLVnvxhgvIWY3HsuLG7BDy5caoxh3Kqf3Gw10HOLksqZyDpPOdGJKzvi80VCS6RphgiwxayguZ+oDWw8MikZHtOXoorMM/Q5EQt2/X8KV3AGgoVIWipDZnT7PKD1rS2kKWvhU/Ayga6vzAJ9lOBKzDNXCIsd1yNX/pM7AVFoWrScun1q+a8E7Oia7q/WdCQ+gwZ7ZBWgJlnxc1/CcfGqfsbfoAPuRXLQOsMFL8NuYptaO6jmCMjFiGrdIB7/4c0KFiCoT9eaLmOBGNSbmLUG7N5BLq4ix+JhzST6djwoUhgmy2eRVcpHtgKo6w9g3B1iDSZ3R68BmKHHxL2LqVHT0t2fA1o9WKATIefJJkYizUz4yaqEjGqhXeajoBWAkYZhOMCOU/KL0iupyOKebkDdzTPbShLobf425dFOwKwAZVz0Td028a4xbWSr6oTqPDMGW8ZgZMaCQy5DnimkJFbdOLIURG3ESl4LKY8Txb+GgbBNEei7KAYHbLstNJGXpLNg5GrDbL0/qSCUw7EKwTNcP7nYRe6otZ42gmmC/aNIi8fTs+vVbNVezWXz6O7DCLiD79m4h+9Et6G9jD+8zh7dD901jFyBtSBYfRds0KTsn3C6hxy85jvonA3oUYdVYpo7L6bDkOMKXDWNgzAjO2Hn8sOZohyWeIF7EqbhzpdckUpgwwO0YwmkLR9jB0UklDPCZWkn3rji5FVMOux+SgaK0TdUyXT+6kXeTEt+1FGsGBIeyoyf4YXb0YS6J4baJyE+CxQUQRHSAuqCG0FLV7nWxC+CaqJXcbJlnnKXXSqpqJK8WZ3IY7lvUH1eJcMo9l6WTP0qbjgGU/MIFkDcBscmADbdx9sqOMH8nRxPGO/ofJF1hlAWXIWshLRdiNEYYkbLe/R6M8Pl6l6FeIzUnxhNCpypn9UCE+Cks6JKrBrVLpqpaq4qPZCjCsZE7k3QqsIhsRk7248blshM7GZHcxXBL6yRRBLYwTDpc5gAEI+t3+OXe3d4ru7lvo8duU2bZSLtbzpZaoy+xDLxgh5j1t9KC8D2egwTNWUsSMgQT/XZTC7hd4FMbm+1GArIT9sPEWD0e/GxpOqTt1oPR9HI/TUG98GtlpCtqmnZGuOUVGCfXvbanoYbRIFLYhWRNIW7cCGw8eM9t0Lc8Wof07n6wo/Xj7Wj6oTDJhpzemrTgML6JwgFtSPFGINxCGHy91L28kTp91L3zFy0JbfrmnUvWS/U4AuQGOd4JkK/3OP5485alGm1wnC27nXzUR5UgKe/YLeTHUY9jStoGh7FT6rEEbcdPnbxyp7GLogK7UA8QJaFbnmTi0QhfG91w7KWkVVav056ozgclgr/WIbLnXGbyhPzn5OfvvydP356+uXhGTrmxXM4bbhZQYil8FBeh5ip7X6B9kTDMlp15PMI24xdHMsa0yuxV3Ff/6XY1hkF3Y9Ajn2zo812uC8O0/67ut+f4Q5xiMVMqY23SN5liVKTqTrdDyAda8sb4FYjSxPCKC6q9eHJi090hhu96vLwK77nh5TE7jfQz5T+5g9B6EXf6Ym4ueb46izdy313HsEaoNOz5f4OTCD8ZnIXguIFeWUYZd2UqnTMxYBCyQVYrPaeS/7Enq1rmOwq3ZfYBnO6fqRF2z7iO1pJm6vrzi1sOXwvf4sv3LtrKav4VqLALRjWQWkOpKi5ptOCuJ54uqOUgrbkxPV7QY1L7lj4osb71I9SZDq67Ok+c4KqpttgMaUPqfrF6xGZHQdjcRqLOoARNLZRFsqSyPefDCZ9f2hW74NmFVkteds3DwvdoXYugqQ4ORmj+4561bZ02ruBsiOTlkajslgy9/ux6hMzo8FDMnFxyHz1f7CruIy3gOqUz5VDwu2qecI06U+9HvUroeYRQr6OixkoNMVZpL/EdtAosxdWe4Lcm7ltP4tRXvCwFHE/KvcP1bivnItvbk3sHybl2PMZxyL0Iq/U6DMl1G519TmpB3Za591lpApLpdT3m5cdUyCPYk7fIoNOdbfmrMpa8o2zB5YhJV9JMkuObXV5/kpjpX2tw4sPpR77JmZmQtyWtyWf8h9ePSiV93ek/h48nWdAlOM1JANXkSwN6TbAHoamVNNBqVPHiVEdvgb85jrwMPfCYg6x52wVSevJ9X75xPFuSjoDq5gB9CM1Rb4spTnnK6zDbPeNta+mtJkbONgwPLzdEN1JG7VjzvHt5fOTZt5EaqbELEItgYebfCEpWXJZqZYipgfEZZ+6T57E6wZAnO7wgjjyP7ybnhjzFjrAg2eYZwtDlsx63SCPxHX8Lc8rW5JPZbnzbRWCr3ULa5Nm1boUjGOwjr33f1EJUsFYND5l7EQcc7/oARKr/typNsZxnyL5tsvMr1GPdeb16HaEYKYwetPCbA4g9Tl7vGKkhwze43ltZd4akj3cBHVJzHIddFzDY3ptNQqbfhsEOxRtS3Fz8jGUDKUcCjla4IcklzLgMvnoUTtjVr6L1SNNBxO6gQrFMuG0cMDvqX2rB2Plsc9MeeimN9KbsfNjWUraojtwCf7MqMpwMrKP+dmQZ8jLlMt0EsaR3w5GMRYV5H8+IkOqX7eC2+Dbam/L+yNTOAdZ5374bsK6pbs+U+/PzDSmrBR+0Uifudjhb1ie/34o8m3xmiW9rofQ634b/xdRU/vXGjjEtIttd1Fv1PPY0Obb85QVCv4G2B1OJBlS1/db3UzV6CgqQVqv6ENFRqmY6cC7c6oyHNZ21DTeUIyCOvrrjuPfwRFU1levuPuK1w3H63l5ZgnbPUMHlTMWVAmquctcI3SA/dqzIFrMV5O2KPvuSK0fgl0aINfmPhgo+41CSU6x79s7BKCormBZMqSv+QEH332FK/Pob+5mKMW0+ebfZTTi8biyq3AeOML35rn/olghTdoI72vvkJ+TjuvakbzwHjjl+B8c3T8OsSNpMdgdth4N3ROgnJta2dheZY7jqOuVyGzvvWayVbr39GGL+8HZky3u9chIfp5YXdd45RHtY4Va+0XPfoqmVyqSJbCPl1nH7QWpq465JJgtqUkb7e4B1KKdPDLnRIuE296Am3JXOGC0ancob0oNpQBd0ns6m3IBO/jxtg06a/rgNOpz6DIIFri1IVK3SGycOfrLT3Cl6Cw07qTKpNSq/xDFqCbdk7kdcFtWrF+G/TwIKL8J/hLymmNufCtDx7LxAzgNGzz0x/eA5elx7o9YG5JRhIJozqbicgdYjcdch3Uehq6/438j6qHv2CEi2fYlnvW2IXCkMa6usVyqyxNGO35mP27tj9xEziHX/T/+AYYLW+MBPXi9AH8cf4XT2kPH09ARHPz4jJ7h+HDXQ9kjNUkb4fAI6DP+ErSzMPc15IWvouMfI3oa7RZ+YXqfovTvN/zjUK3n31ijx3SaX/I+4t4ZfZZIp5/84IxLmynK/gfWCmpEJUIYdu61Qbyv94uPDBd1WZ5sANUhw2TljbeP0tv4mnpBi+PwYFRXb/Y26qYcfRwctO2nCjWmSK50IGZOl8nnr7hdDQQxB66w+0MGm9KXnmVucXGJwep90OkqGRNcZPESRn15iauf+x6gnPQ9D8u7Scw+O4yLUGFEsc77ouyHV4MiOIlMW7ujRJnmbRpMLML+CYFFnam7wzWZcSf9BQtn6EzEYr1OanF+++ce7C3Lh3inymxyZvrLBNlMl9SHYflypOLYohtgC2JU5yIl8OyGctwdZbOhc16+zaxGGaaBhBOFGCu7RckHzQVPIB1ByPR5dV5BRowFxttQ2R5vw2cdySQUv/UGMILErCI/W1XqfIESOXcHa7IrtRCe/TSBNDHthbW0KjjNos4DGrczBEEYfwW3ic9lWvijN7fqGG8VUVWXtE3dLvD0ewSEUL8FfcQ1i19JM7WJZCSoLYx5q4K1b2cvw3wO1bY1WFFtfalzUih8jrTqGsMeAIAaIVNwaQLayBZVy0Dgjd7upsCoiMhKzPVLb5u5hCTMPf3/75n14917sLN89KFbpXd9/8p5t3FwVSyWaXAx4085xlmHOTTcZux3n20huDXnqkTDPsFsHFva2E3V3wBNEOkqNaDJJs7cB10+S25AuMNkuOliCxkyBWSMIU5JBbZ2hfOn3cKS9wmqVU/p6xjuDvR2h7RCtlbZEOf7++rc3sRTcKNtTnzul58dPsNwtMNhysU6pb3YSbRTz97PfLs4vyDt6XXFZdmO949vqaDt6GubWEMURsgIZA+r2kdWpT/GSxeTp2b7KsZgdr2DzoYvwW5Kzqx1bzrIglc9PQ5fegMVeDMXxNuWBewW0FFf/5euGu8IcWQ41ydS3G/0lzoR+oOzGMK4arfguqFv54t7nxDSRFHVqyF+M1UrO/zoVlF0JbiyUf3kR/va8+5TLGbD4RzOuYUVFVJGhU9H7DaGyJEaRkWOpYc6N1Wtn2R9TWNTULkKz/g4HsovDAEl0Sh0LTV8I7eu1mNK9LuSdPtlhDtLq9Z/+bwAAAP//MzrDOQ==" + return "eJzsff9zGzey5+/7V+Dyw9lOOXTiJH63vn175ZWUjW5tR8+ynVdXWzUFYkASKwwwBjCkmL/+Cg3MF85gSIkChvK72x+2YpFsNBpAo7vR/env0A3dvkZzrBQmVY7/hJBhhtPX6G/1n9DvdI7elCVnBBsmBfqFKbrBnP8JoZxqolhp//wa/fVPCKGWFFowynM9+xPy//UaPrf/+w4JXNDXSFCzkepmxoShaoEJndm/N19DSK6p2ihm6GtkVNX9xGxL+toyv5Eq7/w9pwtccZPBkK/RAnNNdz4eMFz/7z0uKJILZFa0Zgw1jKHNiioKnxmFFwtG0AprNKdUIDnXVK1pPhvMT2l8j8kslazKu0+lL9R2WOBaYL4zvfHRx8YPDdEOUujlzt/3jzC+YINV+bhi2n4PMY0qTXNkJCK4NJWXv8IbVFCt8dL+GxtEZEG1nbS0n/dII/RWLtE5JTKnKjwRR4v1mTp2OjVduqbCZHZqkQl7hhNL34tcg8yJFIYKo+35YEIbLEzNhg7yaFhxDIM5Nv0Phtwxx5MdAmGDNitGVggjTbW26mnFjEYYvafmd2YE1bpe/dlgazST1StZ8RwJuqYKzWmz70qsNEXvqMGWNYwWShadoZ6+lUv94gqTG2r0swH5c6YoMXz7HBnPN0YfqFMWboeLDpuzoCA5XVN+hCS5FP3zuSPJc1oqSrDxnOR0wQTNkRQc2DJ4zikqcBnmqtDLLNqB2bPG7/w5vzz/Aa0xr/yJZzkVhi2Y3530FhODuFy69VKDhYDZMbi83G6B79nlKLEyjFQcK/i9X9jZ6M4YkD5qp4R2xoDy+E4ZXZL1tGvy8v+vyf41saOmWZCHHV85/1cGE+kvy6Phbo2PUXrJWVNUy0qRRHfvw8WW6vw/jDNtsKEFFeYxMoernJmMcNw7w4+EPSqM2j5GxlbWpnqMjDFxHGNpLaZaczzenZZTfIz2SCu2BaV5TB9qxK4J+ZmdL9ZhAcvNwA4ZGAkP8yJ6dsiA+gEvYlyKvdDKRFIUnahKUHxOXINpRhIfCkjw3uIjU5jVlWBfKtqa0aqZv//TdtepPZOC2MsBG/nYPdsRdbNmadVhV7pndhi2qEOYfkO+lUt0sabCoGtQzqgSOVXWBVHUK6rB1BfsluZIU2OJ7Px4dww97rDUizCg/WCHpVmEAel7LcowEhg/vnTcxhzM6x4yuZ8MVlInsle7+/JXqU1XRfL+jtRU5Ews6w91aNt0Ykhfj3zZMRts8KNRwV5erX9COM+V1ZVjx70v3MHsjfxahbt+lVq8r/7fFa+VVnrd0NcLLpDWjZblCKMlW1PRBMm+XkPAiui4+EVaDyR/jMbf1/GiMRrQkOU2U/RLgrXuPh7CAsO851uQ8oUbGl3BQXruo9kGo4/bkiKChxpkThFlZkUV+nQpzA+vkFToFy6x+fElmmMNu6h+IFuwZaXA9Dsw72PM3a943vAMms75jBBfsL9eylRhtn3ecT3yVx9gkGqDVZ7MqOtotM60u5K8vPq8Y+9hpCjH/SVFSG+1oYW/RD3bltqKup2qnfDsv6ViSyYwr3+za60ckEMq+2tPYsTl1edXARF49geSeLgIGo6GUo5x+7QbdWg4Hnv7rCjOqZrk7fpXGApdnj/kldTx230sBTLHvZU+6iAbJ1nyOBuuDa3L1tCCg2JdlzPJOSVGqq9RAVvpnSDnxu45phFxoqO55XTHUH0r+2YL2iPoR+jxFWT+WEzVQmpIdiukQPPtYNEQUvRLRbWxBDUrSr7162S/bBU9opiskGY5RU+/R2alKvTy55+foQ3WSFMqmlH2SOJRGK93kIQupdA0nSjIV7MriKyEaWIKVTF3Ss8eZR2kgJ7iuVzTjjCYCGZW1upNG0VxMXp+yFezbU4sKpqzqm+nxRDUNyHLsQkssAVi5p/Vy+9/+LN2Kv1FCQq0Zvqfg9n80/qDb/GWKvQSXQiCS11x97JiXcp76fUQ9Qc+fgRyK0Oj/PgS/bud7nP044/o3xGRytrLMAs/6HP037n5n/aLTKNdoXwTXEIhc/pofV2xoRnBnM8xuUlrATvmhDRwbLBxfoUVIhV5KZkw4JoYGk5whs2RUaVkovy01h7UJSUMc+AYONVGKmtZi62zOuwHa8xZ7jZGiCmEFrISub1hOAXmmVh64+hg8uLuiRhQjvEW6I/DnmejkVXYconzx3LPeXaQZn9QVFCjGAl4Hd4V7n4ZfGF33ddK2F772LQWrVzUyzZDv8qNXZqhz8kEkso6Y0aiG0rLA0J7FDfeVyI0JQnVOluzPMtTvbpe1JpnSQVV2MAhz60EO37hmilTYW6d9p3YuwiEOFjBrNsNb+UgDDcLf9Qvz5Gy2lpDQAWEhtWSmuZrByWhVaKkp5NLwmXC7ZeESvIUNFT8l+d17PUDLaSh6Nrvd6IoXLTz7ZiitP+rH2K+gocXP1KmS85SZjY8andes4HZ/yhsM6tzE+53OHX2DvB7vd51tdfir5D/Gi+MTr0sGD/BG70d1TpHV2dvrrztS7Cw4mFFKVXf4kVwRX51aRDV4wh/fHJXFTji4LqHQqm7rnzV/qR12J2dA575DL38+RXagNwLigXCnIdjBRDUBzOpjR+hDVXUkcUGcYq1QVL0ykV2hXhyM/HrFmLgrKZ4tvWy+12qHAQHWU2UrITkcrntP8QtmBpYsQj9jMgKK0yME6I91FvgH4LmAlXC5/TwnZj5aEVt7IJu91Cf8hFhz9sleBSFNTKlqJ8RFN6M6jTQrD2zEhOwWN0bhfAxB0lIpWqK2mCRY5UjIVWBOfsjlN8rVRGUT+6zHI4WkazmgyvpXkJquW6YecHZgsKMAw6+pkSKfMTAbpc70yZlnGXPhJggsig5NcENMBpExWDAG8V6arBTb6bMiTbytR07uJ3HtvLuzhzdfoUUZhVpmdr61Fg5L22WU34iwV+IPIXYLck/pEiNtrBHLdrRaxPTpdd+7Et4oKKSneg3yNBb4w8fWlOlO+UU+b48sMD6PnSzbSmONc22TI9IldM83T3ok2z8NaWbEWsbo860ab7YfV8f3lZKFjOgWkFRviZUYMWkM+uLihv2nWFUIdwB8GmxbAos8DJUmosQh+ed2l90TDleNWLmiUZyI9zLmMFF2Y8Meo7taJbF4ekzGpEVs96NzKmeoXeVNuAmdYnaU4nNSF4uNvTIRdqrwBYLy/eaTmEJwSLXAzrZKbqgigriNgS2pnXO1iy3lg3sh7Aiu64V2cee8MKTvC2ZmmyG7Xq6t6BbuxOZ4Vs3WW2VnrXXLFOwQffHRiMu+mgI57nVxo0+mw2GbNLJZBVbAxUDQ+6hFBv5xz4qYEF+qWg12Vayu9vtolY/brBGwEQ+sm+AuR9iCzWiUbAj0AQ6bVmYBLfvskjBa5klYLXMUljPZUxVtEv0ZXSqCWylzi1yGhey5z4G75jBdXmvO+dYtXlIrx3zWNBeED00hNiBIEwGRnwMw1pXPPWz04gXJStDZEFfOB4a5wWysuVisEOw8CLYcSBHNghdU8VMytKRPROrR/dFgJ2XnX0hn7TFiwPsQHdLN5Uulhq8O5WUsAVrHZ+wdesec8YwVbytnD6bKbAATYiR5W3BRB2iyv0jS5Bv7zZPtQifd730ricoFfrt2qfGMl0nBPTjajB+vUJjVZK6lJpFVBx32lvgTovcIUxBKn99dkdReCpusnTQRfdURaIqqGLkvrooOLcJqtj2TKxbydacDKeW3PkeTG1NRS6VT5jdOzM5/9cJ0Gvqp105/xclYT/aMpa+FnwgbqtB9zPmNH1KrLpvhgfSV/17NeOjXCvc5BYLaRBGK494EU6g5XKZ1YkqJ1Hq9Ua8t1KfAjNlR/f9HdKtALUa1EfY8JeckW3q07NHL1wBAx5cW/DtiF6ueMq86bAAP1ScAmNhdSqFobepLdaGoUvh4nUtHirOc23/Dy5VzGuGQgAwBy5nssJiSTNBN6l1wdjDJd10nvrBCDFGsXllaEdDDHP0tWPdWuvd6y+sOnSJoym7RnKcJYOt3Cc0cAT7+UWOma79FnBuoQLMCqwGHNRtzpdaUzVD19QtSqWpmuElBShvn+m+kKrmYUC7JuPsdgK/R+73HdwKqdBcyY39rP6rtzWd2zWKJ32ZX2FlYofpGsKxIyr+TMlBdehUZ0ryvDEbUx0pWVL/oJjqLn4jEOZUmSa7SLWD+r+55y2vPjogAJCEFDCYcySk+E7RkoInsy/7AdyGKa8cUillD0zjr8BKgh33grkXtvr5ZzCzDTMrbyw7XY/OYcA5VJsIJMV3S2n/e89NAEZKFjAcE84bdx4DXwADlkm5QFY7GEb1DF23OqXf2KBbWZWG4zNXzldp68S4klGXbJN79esFjxHhlTb1hvT/GCwT/IRpu5K+JtrHN6zhC5+Om0CTWz/uhIU9egfLlM4oe3LI8bJcngMXCGstCYN4qV2NoD8JC/aW3dDXCKNytdWMYI5ypm+eo1JBT5TniBryJGwoY4WPqb2850Xv6mwULqihSqMSa0Dx0gDk4LAIiCwKq8XkzqP9sLSGGrLX3HP3waksvs4aJriYnPomsiir4RlMsGwYbZjI5cbn0xIpCC3N8yaTYlQYg2kuKs636EuFuQt+5rLATHitIToDcTlydXWjnrHMpT1TtybhWyZuaO5rgepEdKwhOuUdFPvJNw1rM5bvWzg+QIVIquq6nZ1cWKLPQM3eb9en4uu30kde0fUQrqd5dKaqYP3GTqlDrH5M4Nbt//2W9o+RLe0F4+nPeDPlX2C05hgrmleEovrliIbDbZoqhnkWuE2TXSLXMGRtNvfvx84FaG+Y0bgAJTf6KMiBGBFjP7q96FZYr5oTas3CQJVhRVYu87eusWnKDM9qSj2IMDuRZpiZVsT+qvn3sNIUWX0uEIOcu0oQTrGyfwIgvJY1X0Doo52qLuw8/PrglF81xHl61DcWkcWciQY3u3th+bJRdY/ba81UpaeO9HWtEWBgPOI3zQNp4EicudEdJuN4pNR5cMlD4434XJT58hy9d5rmqQduQK7bni/6tbw9C9vVLgB9ilh+J/x8eQ4i9SVvjZoYRg92X+RcGqCbwsxtIqsLNkyHndS13qbEst991fUF2s5c2BvHFs75nnDXWNGfNQOjy/ODlmys+NwBS9Yy9lLkrUU7Q2euPtPjnXL3wX5rFhhUu9/44RsfjptXpqnclKa5jCrBqXaSke5C2Ui0xorhOR9UATpQBiZQyfGIItBU6KT4KDsL2jVV3cgzq6mshVHXFzK7ztcvLq/6NjTykLEuojBWl31kQ8E710K2Ly2OSXQpDLpmS4FBWYxs0VKqlOC1Twb6y27Sq9p2k4DqCP9pGemcZdhluQxsnPe/fURMEF7l1Koz38jW/nyGnl7c4qLk9DW6cgERRxa09ywcF4GXucnfNiE41V4tYc6YvrEm9xF83aMUrxPGfO+vhg9M3+x5cjWKLZdUpWthFxbZ5+5bgOcBrNOVonoleW53j/PVRzqN7jy9TxBZGL69e6389IOzMZ41YByX5+Eykju/zhNZlNnEeVewKj73Ctq4uvierubfWXakgPrUBbSbkXlFxrw0b5aeKGusy3mjLaUC5AGr12v+RrrEYZVvsDpNht4QVd9qV+wvIjuJEWjkp1aJYvQOkxpPOWzcWhU0qR8jxXe1gar2ayHna0Zvaq0o1tFzg7XBpoplODfxKMz4ydwOO/hc3iKWvxi/v+zNWk3BoeXo0wD42J0Fy0X46Nb3WOLue4NNfj7su3fMdcaErGK9cXbqSPQy+pmymjRm0GEQkf0pMuHUyIw7W+IN51bvIV0RQrVeVBxd2PERkTnVdkvUYL9hz4KJnN5GFgBn2hxneT5Qt8DA4Iqpmok5VfC+WWDFOGTwBCJ47v1dLBEGIX5nfxucmUiwD+XcgQudyCL2o6OnTT5nSZUufdGt0zADkXkToU2IrxGeno0UGbow1/A+Tp1Q4oyvJsnLx6rct+2HmAmNcmow44Egw1xWpvO7kalJPnluZh2xxU0eG/AxfpEaWpQ8WTbPG5TTBfZPQB75sn7D99ma1ipeU8XxFgq5jPSXK3oaOJH2A/C6/a/poq4Cd7F6bZipAJgRBSfW+gZDwKaHHteor1id+A7BsTlNoKuILAp7ntJsozNHHbFOsm+p5JrlLn5Wo8gVVI8mQuWSHP/QeP9o2S+Mt1Yj6eblhU2D2xKSnk6j6+vR0+r6f8n5kXGno6f3v+XcP8CET1fJ0gHnnkNCsVv566tLdDkwqLpsJEOt9dUl+zmIWNjVVMMuozrS94mH+dzqsHHvVEQ2l3nqiq9BxV3f6PC8IMvLiHm0io+W4J4MJqg874SAfemwS6Bt3kPYkuXNU85IEK+I7TUOysAj3PzxjLxm3mWV8pqqu3tffXLoOfVDFCRr3FJSdaMILvVrTkPlrTUK077EjQkCIcGoeL4bEGmqK/EaM46HDxmoCYUjqK9cUKVGOi24M3RMrD/eu5t3VgoPAOUeYAdT8ukGmi1nIxqRFdm8yvNt9PgMK7KodUAdupWmxwGd741SxaeomIyIctArsct0NUVBAtPd7FWHuYqrnJmmsq7FRfMchRrbtRUbTpW0zwv7J+myxGJLcD2ZV372+QI99bUSnytubeU541DAAXlgF7el1Pabz9B3w0CD6L/C3Ai5ETuOkKakAjCL9S71kU6bBE8QguunhZ7VVe7vfWnSW7rEZIs+jbprnM0VPkVRvh94R8RMoAIzsVC4oHvTMUqsoGtvepyEHePyCoZF72XukqNbWMBO1lmAKXTA+oJUASuIVB7SLm7ce7pBv1YCXMl3MqccPWViPfv2OWKSPEdz+3/U/h8WmG8107Nvw++LhpTZguNB5/zYNtSuhX92hWBQiHWBntzWza/kYi9Qg5FJOXV/nXs+axgETZXdyEGG1kVcvdvj7PO737Gi6KNLAP7228/vfn/z4eLbb13O7RorzEb35Eaqm5glywcP2O/1gN0XttEgGBaxjQhfsxMXpaS5DjCx18U2gQuzkIoKzUhMBdIJJSXguIgfBQm8D8Qimm0wGzYnfnB0ALDPYxO1xyd2ibqu5okOhZnn2qjYle9Qr50sINa9S6Pdo3XNR7og6bHFLm1jsIFJ44tN2roXX+9iSSzYaKCpnmqyQOyxUw2iEQWm2S/vCSvlo/EE7x+4sMx7+//DcNTWZHad/06yxfJOjN4zspfJk2yO+h13H39STpC0tbOyHb/0qWky2ussO8DJfAZht8HOPfwyXUNWsynew6Doa4EZt7KuwVyuvM64PO/WtgESl3UHDV0GIAzGswrrnOvMmohHzOeYxGtIt/bVR2eyKCrRj0QNuBPHATc9lLv39Nb8nYZt6oY3fZxl/VDerrHI/ybDr2YtbwYbdoxmeDB3w4F3mNOVLhlhMlqW6FQePHC/wUoMHx0eO+taFGUmUynj6/fvrtBvLo7aJqWGGfkyaSrB9X+8RV8qqkawWysuMkX7SJ1pkxs6AdEt+lAXnQXTuhornUS8SLtEZew2ApZoeVTg6BBVE3gcezDdPH6DBsyxKhKsliWbILyAy4gFyA3RKo/WlXaHZly0qx3SOTZ9q/ChdOdUkFWBVayykobutsSD9sUPfn3CZJBOFYVmtoq+FwhdxC2gaggvlgC1lICsnP8rAdUSR++E4RCnom8veHTPWOwLxyO3FdSantGZFhkm0BglfvmJpa1FROe9Q3i+LNc/iVuzin6/E5ERo7JcR8Vd71C3lI97eboD4TXH0TWGyKhYMhGxKHJIOkVutMgWmd4wQ6LrD5EtuNxoXMTPXenSFmadjnqCVxciMiZSqhMmSqqK+TZawvuAdklu0hBfY55ir7AyK5U0Mov/JAXU1z9lEHGMT5snO5tcLrM8hbAt4fj5b0RkBb7NjIkVNtglbHc0pwkuhYKJREwzkY7pkuuMz3kW+1l0h/b3CYlHRwbv0I6NhdilHbuqt0v754S0XyWk/W8Jaf+PhLT/nIa2kSXHc5pCpTTU47tnIisqDsb3fJvgnqyJlzcJ7JKi4mxZlGmsb2tlYr6MnYTkKbMURommX0j82IjItEtITLCCWpE03qQlnMab1FtdlQl6kRLRlFUncVWNNNb1oLcJVIiRxjpmqWiDW5OEeCXYrcBCakoSbML1KyuVRJfC+pUszYriPEFYTRZlRniCGLYlnOCRBOiq+dbED4tayjoJ5bLKErxpEMUMI5gnKCDSGV5SQbYRs666tAXm2z9oPk/B9zoDGNAklB0cTBquXWJtEurzZbl+lSYGrbM5M39OAjRGdBa3V1yPsJLRVbVOcsyBKiUqfpWbdjH+aL22OoSpWbk4f/zgiCMOZl8S4g5NPh6CXIf2gnGawofR2SLFIrJFzOLsXcIpbAOdsRKSFLMkqo6V659ybcoBmH8k2lqRJLQ5W9AUboyGQHNBcxatYHSXNhNpdkkh84pTTWQKaXvibJlAN8lSb7CJ2vO/Qz2UQR6FsKJLpo3C8SMhLe0EFp+iZSpRq2Sy1oBErhLpV5eZ77Z4AupGUVwkMCRdKVAqttMZ15uVZDpzHWbjU99ihZNs8HykEDYG5bXrbx+bLtMGi+h9jnNt5pWK1Sywpkpdr6AUVKvovMa3o+ua5NhkoXPDIn6z62ORBvbRXOI8j30GWB77WbWGDkpwF7EiI0rKIgkqkSWcwE1jRZYmOdIjHqUQc3kTHZ6p1PEhS1mpS8UiE+XYMFNFzz7jTNB4EDstVR21o05DF4pv44e1uHSop9mCy+jXeUM8Qcq/9Xmjax1LNIHGsT50Alaj5yZwuUyydcUyyQEupYqtwIp5tUxxzAqmSQq1UOgkGzZFHwhBDYArRacbXYc7AOjYGX+Oaux0PLHZxPZAklSUSdcAOronKuNbRlKxZRbox/VguhtBVfw7q8xcU97oZKN2pm7JuhavSTZZgsJN3xMntjLwZGNrgzJzgaTo7GKt7YcZWcWq8x+Qprcli/4QUFJVLBUWZoC5G4PyJgnh+FevQyL79KnXBTQCYSWXGdZlxIYBXdIKx6aqKOYp7DtFCcjBoY4mIh5fyJZyXAjXDmWp8gQcxw9k6gSxYe1iwwnyATSNnQjgGh4ncE40/RJ/A4QAWqNRTeBKabZMoHh1GTvKphVJcQ4UyaMb0lqRECpuBMImXoutLs1KR0fVXBMRu1Ai2C32oUQdSGfs6Zulib+tHNH4L3pNT8/YdLdldLTWKp8nyUOvFE9wF1aaqixnsavek7StqF+GUojBEG1wETsavM6Y0AYvElgGa6ZMCjN8XYoE0E1GqkrEDLOGYNECiKJvKiPRh0qgwdBN9kjCZnmfMWc5OlM0ZwadYZV7NEMN8O9hdlznrIRSGusQCmSgiT4CfAMiOQqV6jT5EEykk9xFUXK5pYPGggflt5BVNFDvO+4xK0MXM4J+Z4ou6S0qcB9ooX2LFcuq3wwkOZOcaWjOUI/ulx4AlJCuylIqg4bAowhtVtggZlCp6GJsKzwgLfc+TShCgvdeR8MCYsIju4/gQnMmUnfk77BqR+vyqZGRS2pWVM3a7+uVrAY3GkKCrqlq2hEZiUqsNEXvqMHQEdydVdyI4OlbudQvrlzZ6zN07lt8PUdmFehSBGDAH6hvfQxsC/Semt+ZEVSH13m4qZMIbwEtu5tTBIO7yWqKFVnNmGBB/qDn7gT42j31Cb0wIBniBceVgF6/ywr6uNYg7mEA9x5e+545pYfjbubUgHD7/sUjzr5diCxiTdPdkFdhWPSR3ho4FWPhgim6UY8opLZx3XvoUC34SMdLQM9N2A4c8HM1NUjRLxXVZg9o9/HZyvfHyncmA7TlcaM6jd2PSDV5p7vhlH08OY7gbWzn74DQrl8HZx6z9//h/oZ2sMvzWinA2OG9AV5DvCTee25he7nMsabIpWs33KDBqWpWyf/iNPyKphV8w7lUDr4+KEaEsEaaUmh3hvf3q1JYaEwmaO87QJh2Qwswe9tNQyoFHdD2MV1SVTBnbkzFdDuka8zB1ozTJUWcrilHWGu2FG7h2n794a0PkMwn1N8w/p6dPj9Jp2fLWSXYl4r22yTi8OHr8HscYuJxXVBqi4bl7kASKQSF3Aq0YWY1pigQClSGNBa7okeVF93btbDiBH3SXFFcLhnBHFkORlwf4OK03MFQI20aTye7crXVYfY66Wwb2ctqjX3BY86wzlYyuU/gnLjGXYNeKm1TI6sVuy14wngAyB0ayy3cab4RC+EUq9kbrqV1xHfO2zk8lqNf/S9m6I3YNv8aUDfgy2thEM5nRBZlZagKq+EkYXw7sXTu2Tf9tYAeizsLwsw/q5ff//Bn6/ued5ajltg3Qbb9Ps3ivpjdNXCDt1Shf2ticvqFZwOYC5/62PU/6fe8aHne2fV71+PI5OVDuu1Jv2GKHWeG3v/28cLOnSrqgicQL82ZJoqWWJCttSq9ecb7uSAIJPQcfXz3Gl0K8+PL5+jy/fnFf75Gny6FefUTerpZbZGgzKyoQmQltW+VJpWixMC3fnj1v/7bsydBiVCzSqjj+vIAnTorcLgdj068++55zK/dXrysmQof8fxxMd3VTQc4PxIw7s4XfIjfnmHaeiefmTIV5ujtm/dBZv+QgqaLZR23M/6PFHQWlq1l96tRoTCRw8oTluAx3sF71mGJDd3gE7RIh919hd7kuYI4rdvlIXaaq5cU5bHvnA99C7k8e3flbqXR57EC6wlfP3aCSs5S9Xc3uryyrIxEv6wMj+wEEUWGduxxGdaWWOa6a02rIDrs4jxn9suYtw+2nV7+4Xtuwg1gXUI44NKf8PPdLTBgpc21TmLX3fVKw+i95/BKKtOo5IHSzeGBDRaAme1hzasnlr2bDxPL+jKpp/VuTPCChvzGqaK4njvwfLHWkjBrcrq40cDGQVYvKyyWdNa4TkSKBVtWiuZovgWaVOSQNRTWM+WR0AODotERazk46CIB3gGPaPt3S7iiBwAULaShmc/sjp9nFF+0udAZzlwqfgLSpVFpiC8SbIlFgmphnuI4pMI/KRMIFedZHYlLZ5b3PXg7j1l/tG4w4QQW7IVZUSWoQR+3JX2OPtXX2FsIgP2IruoA2OAm+G3MUqtb9UxgTIy4xjXTPi7+HGHOg8ZE2X4REtywgsS8NVX2DmTCSKQNXOZMoE+XowqFQIJsMn0VXWVborJM0PbNElZUx87otWQTlLi4GzF2KjrE2xNw61orZJyKZfROkcCzNT4SWqEjFqgzeTDvPMAIRCCdYIEw+kWqDVb5sE83Qm+WkOylELYn/hZy6ebUbCgVYdMzMmrifd+4pcG8+1TnmEEAGQ+ZEYMZMuHzXCEtoWDGqiXfYiM8xTXHYop3/DsEKOsEkU6IcjDB3ZBl+5Kyth7sEhzY3Zsn9kslJYBCsI6HB3e3F3usDCMVxwoBXjSqmXh6cfv6rVzKxSLc/Z2SzKxo8uXdYfajHdCdxg7fF5Zvy+6byqyoMD5ZfJRtXcVETrhbQo8bcpz1T5qqUYZlZYicVtJ+yHGGrytCqNYjPAPy+HHgaMclngBfyJq4S6m2KFCYMOBtCuW0wyPt8Wi1Ejzw6VIKe69YvRUyDpsfooGhtDurdTw8upF7EyOHWgo1A5zRvJmPj8P07GEmkGamCuhPBMUF1KtoT3WFNcK5LO3tYlaUKSQ3ol0yJziDb6WQxUheLfTk0MxB1E9rRFjjnonc6h+pdCMAjH5hnKI3nrHZQAx3CfaKZmLuTI4mjDfzP0m6wqgIrn3WQlwphOYYEETMevcHCMLl6137eo3YkhhPCJ3LlNUDgcnP6QqvmazAuiSyKJUs2EiGIp2auQuB5xyKyBbobD9vTKwbtZOQyT6HO1YnCjKww2HU5jJHMBgYv+Ev9ep2btn2vI1uu7bMshKmX84W26LPoQw8I8e49XeyguA+XlJBFSP1lEAgkOjXTy1gZgVXbai3G/LMzsgPM23U+ONnPadjYLdONqeX++fkzQs3VsJ5BV3Txgk3rKDa6nVn7Sla0tFHJL8K0UAhDi4EAA8+cBnUHbfWMdjdJ9taP95tTj9kOlqT0ztPzQeMD81wMDeYcasQ7qAMvt7ZvTw4OzXp2rmDFmVu6vDKRcNSnUaBHNDjjQL5erfjj4eXLFZrg2mW7G76UU2qQWKesTvoj0m3Y8y5DTZjY9RDCVovTh29cqcyq6ygZiVP8EqCdyLJyLHhvza64IClpGTSqNOeV50Pkvt4rWVkz75MFAn5z9nP33+Pnr49f3P1DJ0zbZhYVkyvaA6l8EFeuFzK5LhA+17CIFt24fjwywxfHMkYUzJxVHFf/add1RAHzYmBiHy0ps/3OS4E0v6but9O4A94Cr2ZYhGCSW8zxTCPhU7Xm8gHnLNKuxGQVEizgnGsnHqyatOeIQL3eri8Cs65ZvmUSCPdTPlPdiPUUcQeLmZ7yNPVWbwR+846PGv4SsNO/NcHieCTwV7wgRvaKcvIw6FMqVImBgyebEDUUi2xYH/syaoW6bbCXYV9hKS7e2pE3AumgrWkiVB/frHDwW3hIL4cdtFOVvOvFHOzIlhRVCqay4IJHCy466inK2wYFUYfTI/neMrZvsUnnayDfqRloo1rj84Tq7hKrAyAIbVT3a9WJwQ78srmLhp1QXOqsKF5Fi2pbM/+sMrnl3rE5vHsSsk1yxvwMP89XJbcW6qDjeHBf+y1tmvThg2cdpIsn2iWzZAe689sR6YZbB4KmZNr5l7PV33DfQQCrjE6YzYFv6/lSW/BZur8qFMJvQxM1NmoYLFijbSRyml8S62gBsNoT+BbM/utJ+HZFyzPOZ1Oy72D8e6q5wLL29F7R+m5uj3GNNO98qN1EIbEtn6dfY5Kju2S2ftZKkQFUdtyLMoPqZAT+JN3yKBTjW/5q9QGvcNkxcSIS5fjRJrjm76sPwnI9C8VterD2kcO5EzP0Nscl+gz/MPZR7kUru70n8PLE63wmlrLiVOs0JeKqi0CDEJdSqFpbVGFi1PtfDP4zTT60mPgEUtZsRoFUrjpO1y+cT7rKU3AaruBPnhw1LtyCl2e0gbM+nu8hpbeATGyvqG/eJlGqhIi6Mfq583N416eHYzUSI2dp5h5DzP9QmC0YSKXG410SQlbMGI/eR6qE/R5ssMDYqfn+G1zbtBTQISlgrTXEDxdPutIC1UC7vG3dInJFn3Su8C3zQts0S+kjZ5da0eYwGEfue27rhawArVqsMnsjTiQeIMDEKj+36k0hXKeofh2p53eoB5D53XmdWDGMMPgRvO/OWKy0+T1jk3VZ/j60Hut6y5g6uMooMPZTBOwax4MdtemTch0yzBYoTAgxeHiZygbiNkScLTCDaac0wUTPlYPyglQ/QpcjoAOAndHFYol4q0NwPTMv9iKsYnZpp67x1IawaZsYtjGYLIqJobAb0cFgaOBd9RdjiRNXuZMxOsgFvVs2ClDUWHayzOgpLplO7AsDka7Le8PdO0ccJ327jvAdYlVvafsn5+3U9ms2ABKHdnTYX1Zl/x+p+mZ6D1LHKyFVNt0C/4XXWLx14OIMTUjuyjqtXkeupqsWP7yAqgfmNvJTKLBrGq89f2zGt0FGRVGyfIY1ZHLaj4ILtxpj/sxrbdND5QjAI+uumPac3gmixKLbXMe4dhBO33nr6ypstdQxsRCho0CrG9S1wgd0B89L7LmbEPToqIvvqTKEfil4nyL/qPCnC0YzdE51D274GCQlQ2dZ0TKG3aiR/ff6Ry58Vv/GfMxaz462mz7HF5WBkzuI1uYHj7rH5ohfJcdH452MfkZ+rgt3dTbyIEVjlvB8cVTdJFFBZPtsW15cIEI9USHYGv7zEwRqmuMy13uXGSxlKqO9sMT84e3I0vewcqJvJ1qWZRp+xDtEYUd+WDkvmZTSZnIEtllyo5j1wOV2IRDk0RkWMd87e8QVr6cPjLlSvGIy9yhGnFVGmc0q1SsaEiHpqYqw8t4PmVLOvr1tEs6avrjLmm/6xMoFnprqADTKr5zYulH282NobdStJcqE9uickNMUUu4o3M/wrBgXr3w/33mWXjh/8PnNYXC/phTFc7O89M54eu5m0z38Rwirp1Wa4Pp5L4hmnWpmFhQpUbeXYfznmReXcP/oOiD4dkJmKxxiRedZQgcKXjWlkmPVGCIybbfhXu3t9vuI2QQq+6f/kGHCVrjDT9ZuaJqmniEtdl9xtPTM2j9+Aydwfhh1qgyE4GljMj5jCrf/JPuZGHuAeelSZ+OO4LsLLgd9InuIEXvXWn2x7FRyftDo4RXG12zP8LRGnaTSKdc/uMCCbqUhrkFLFdYj3SA0mRqWKHOUrrBx5sL2qVO1gFqkODS22M1cHpdfxNOSNFsOUVFxS6+UdP18ONoo2WrTZjWVXSjEyhDslS6aN3D3lCAQ6pU0hjoYFG62vPCDo6u4XF6n3aaJEOiQQb3r8hPryG1c/9l1NGexzF5f+25h8dxFao1z9Ypb/T+k6oPZAeZyTO79XAVHaZRpyLMbqj3qBOBG3zTtivpXkigW39CGt7rpEKX12/+8e4KXdl7Cv0mRrqvtNwmqqQ+htuPGxnmFtQQWVFyo48KIt9NCafFIAs1nWvwOhuIMEgD9S0IWy24x8qlig1AIU9g5Do+GlSQUacBeDbYVJN1+Oxyucac5W4jBpjoK8LJUK33KUKQ2A3d6r7ajrTz6wTSyLRXxpQ6Y9CDNglpWMoUAiH4EZwmthR15YtUzGwPnCgiiyIpTtwd+XZ8+IBQuAR/wxTlfU8zdohlw7HItD5Vw1s7stPhv/vZ1jVaQW5dqXFWSjZFWnWIYccBAg6AqbA3AGIlKyzEADgjNdyUHxUYGXmznQi2ublYfM/D39++ee/vvRe94ZsLxUjVj/1Hx2xj+iZbS16lEsCbuo+z8H1ums7YdTvfSjCj0VPHhH4GaB1Q2Ft31O2RR8B0cDa8SqTN3npePwlmfLrAbLfoYE0VZAosKo6IFISWxjrK124NR+AVNpuU2tcJ3jrsdQtty2gplUHSyvfXv70JpeAGxR5730m1nD7Bsl9gsBNinWMHdhIEivn7xW9Xl1foHb4tmMibtt7hZbVzmzwNc6eJ4si0/DQGs9s3rcZ8CpcsRk/PdlWO2WK6gs1TF+HXU05uduwEy7xWvjz3KL2ei70c8ukW5cRYAfWMi//ydcNNYY7Ih5Zk7NMN8RLrQp8ou9G3qwYvvnnULVxx73Okq0CKOtboL9ooKZZ/nXNMbjjThuZ/eeH/9rz5lIkFJeGPFkzRDeZBQwbPeec3CIscaYlGtqWiS6aN2lrPfkplUWKz8mD9DQ+oz8OASQhKTcWmK4R29VpEqg4KeWNPNpxTYTo5KTXfviHjrOmmNusd/nHex/jO6QJX3GRwJl6jBeY7pcg7U9rN4H/fSY6oO0W2LePbsjWj8GLBCDQSmFMqkJwDbkQH0KtZF43vMZn+wT4wleGpb0LGlmuR2JwsdGqYpBGNovAGFVRrvPS4RERa/Q0NzEKG5Fu5ROeUyHzk2cfTih6jcpjPEROYegxPqY2gCNPeaHKBmNAGC1OzEfbxDTvqEs+H91TQFIdzyKx3a1ydU9ueAK2sbwsddn9nRlCt69U/3AVB0DVVXYCKEitN0TtqMFjqvua2GerpW7nUL65cUu2zAflznw7WmhUYfaBOWbgdLjpsjiDJ0HWSEM7DXpsLvUxrPPs1fufP+eX5D/7BxcG+td41YALcYmIQl0u3XkNcG5gddLL2uwW+p3f7Dtnf+4Wdje6MAemjdkpoZwwoj++U0SVZT7smL///muxfEztqmgV52PGV839lQayrR8PdOtVT6cNYUzRlVuzDxZbq/D+MM/D90hXcP4w5XOXMZIBH/RjZ23WcHhFjq4gddaMyxsRxjKW1mGrN8Xh3Wk6PahabVmwLSvPURSDjzxZd2EQHJEnzgR0yMBIe5kX07JAB9QNexLgUp68z7zfGDYrPiWswzUjiQwEJ3lt8ZAqz2r8ONGa0aubv/7TddWrPpCD2csBGPnbPdkTdAEhdQnXYle6ZHcYlv3TO81u59G1dfRUDYMlZF0RRr6gGU1+wW5ojTaHT7s6Pd8fQ4w5LvQgD2g92WJpFGJC+16IMI4Hx40vHbczBvO4hk/vJICLEwp59+WudV+p3JO/vSE1FgzzM5VKHtk0nhvT1yJcds8EGPxoV7OXV+qcWD3DkuPeFO5i9kV+rcNevUov31f+74k1c++Rl3NcLLpDWjZblCKMlW1PRBMm+XkPAiui4+EVaDyR/jMbf1/GiMRrQkOU2U/RLgrXuPh7CAsO8PZjfhccUu4KD9NxHsw12FdYEDzXInNbJo58uhfnhFZIK/cIlNj++3E3zIlIs2LJS4/kt7byPMXe/4nnDM+hjLZsEz3gCzIyx7Ji6muhrDzBItcEqT2bU7e9U7wySzzv2HkaKcjxMTXPQqv4S9Wx7MEzYqbpF+ZCKLZnAvP7NrrVyQA6p7K89iRGXV59fBUSAgmiyKIIIGo6GUo5x+7QbdWg4Hnv7rCjOE5bX77h2MBS6PH/IK6njt/tYCmSOeyt91EE2TrLkcTbc5OC2hhYcFOu6nEnOATf1a1TAVnonyLmxe45pRJzo6vZwHUP1rRy2sxgX9CP0+AoyfyymaiG1qQv35tvBojWduCxBzYqSb/062S9DMjPFZIU0yyl6+j0yK1Whlz///AxtsG8lVI+yRxKPwni9gyR8X51koiBfza5wTVXqmEKDu2qPsg5SQE/xXK5pRxgsXKJTqzdtFMXF6PkhX822ObGoaM6OAk04JKhvQpZjE1hgC8RMjfsDKv2FgwmtmR62s/ongnqRLVXoJboQBJe64rgBK7uXXg9Rf+DjRyC3MjTKjy/Rv9vpPkc//oj+HRGprL3sMAfqZmr/nZv/ab/INNoVShj+QsicPlpfV2xoRjDnc0xu0pc+5VRIU7dGA7/CCrGueQHXZKwrHWyO5GBGsGUAcBtz4Nj1sTdSWctabJ3VYT/ogFGEmEJoISuR2xuGQ0MGDYgAd0te3D0RA8ox3gL9cdjzbDSyClsucf5Y7jnPDtLsD2hGqRgJeB3eFe5+GXxhd93XSthe+9i0Fq1c1Ms2Q7/KjV2aoc/JBJLKOmNGohtKywNCexQ33lciNNeYIlunbHh+UWseaEvl+lML6MTf8QvXTEHL1Mvz3di7CIQ4uj3dQRhuFv6oX54jZbW1hoDKsLfIaPf/RhLJ6plPLondfiQj+XJJnoKGir8Fv/oAaPhNj2aiKPaNgEYUpf1f/RDzFTy8+JEyXXKWGr3k0brzmqUqhH1givRxoFF33e9w6uwdUHcE8ruu9lr8FfJf44XRqZdBu6BJ3uihBZBU6OrszZW3fQkWVjysKKXqW7wIrsivLg2iehzhj0/uqgJHPNTqFg1d+ar9SeuwOzsHPPMZevnzK7QBuRcUC4Q5D8cK6urnBWrjR2hDFXVksUGcYm2QFL1ykV0hntxM/LqFGDirKZ5tvex+lyoHwUFWEyUrIblcbvsPcQumBlYsQj8jssIKE+OESAG+yHLhOrijSvicHr4TMx+tqI1d0O0e6lM+IuzrtmA9isIamVLUzwgKb0Z1GmjWnlmJCVis7o1C+JiDJKRSNUVtsMixypGQqsCc/RHK75WqCMon91kOR4vobr3w9gip5bph5gVnCwozDjj4mhIp8hEDu13uTJsJAO1DE2KCyKLk1AQ3wGgQFYMBPw40rQ1W5kQb+dqOHdzOY1t5d2eObr9CiuhIyPkgQeLBoAciP5HgL0SeQuyW5B9SnAg9px69NjFdeu3HvoQHKirZiX6DoBm3b0Hu4XBr7vJ9eWCB9X3oZtv2W4E/nKSiRKqc5unuQZ9k468p3YxY2xh1pk3zxe77+vC2UrKYAdUKivI1oQIrJp1ZX1TcsO8MowrhsuR19UuLZVNggZeh0lyEODzv1P6iY8rxqhEzTzSSG+Fexgwuyn5k0HNcd00anj6jEVkx693InOoZeldpA25Sl6hDzxrJy8WGHrlIexXYYmH5XtMpLCFY5HpAJzvXNE0QtyGwNa1ztma5tWxgP4QV2XWtyD72hBee5G3J1GQzbNfTvQXd2p3IDN+6yWqr9Ky9ZpmCDbo/Nhpx0Q+gfdf6bDYYskVXq2JroCJ6K85G/rGPCliQXypaTbaV7O52u6jVjxsMbU+rLgBXl80SmIvV6qERakSjYEegCXTasjAJbt9lkYLXMkvAapmlsJ7LmKpol2isVh8t1QS2UucWOY0L2XMfg3fM4Lq8151zrNo8pNeOeSxoL4geGkLsQBAmAyM+hmGtK34i0HxZGSIL+sLx0DgvvoHLYIdg4UWw40CObBC6poqZ1NCgY+jTfnRfBDjWmrQX8pm4cZu7pZtKF0sN3p1cq/vW8Qlbt+4xZwxTxdvK6bOZAgvQhBhZPugM23SCDfId6iKTcBE+73rpXU9QKvTbtU+NZbpOCOjH1WD8eoXGqiR1KTWLqDjutLfAnRZ5iy7cnN1RFJ6KmywddNE9VZGoCqoYua8uCs5tos7Pd6hka06GU0vufA+mtqYihz7JB/WWnP/rBOg19dOuHHan7TKWvhZ8IG7oB7yXMafpU2LVfTPaCdarGR/lWuEmt1hIg3DTSS2cQMvlMqsTVU6i1OuNeG+lPgVmyo7u+zukWwFq9RD2uzH8JWdkO0W3nRG9cAUMeHBtwbcjerniKfOmwwL8UHnw/7A6lcLQ29QWa8PQZdsqoK6uynNt/w8uVcxrhkIAMAcuZ7LCYkkzQTepdcHYwyXddJ76wQgxRrF5ZWhHQwxz9LVj3Vrr3etvpClxiaMpu0ZyfNChY5KTA45gP7/IMdO13wLOLVSAWYHVgIO6zflSa6pm6Jq6Rak0VTO8pADl7TPdF1LVPAxo12Sc3U7g98j9voNbIRWaK7mxn9V/JXUfR+t2jeJJX+ZXWJnYYbqGcOyIij9TclAdOtWZkjxve5AmOlKypP5BMdVd/EYgzKkyTXaRagf1f3PPW159dEAAIAkpYDDnSEjxnaIlBU9mX/bDFH1RdnH0Q91QnB33grkXtvr5ZzAz31Sj1fXoHAacQ7WJQFJ8t5T2v/fcBGCkZAHDMeG8cecx8AUwYJmUCwQd5hnVM3Td6pR+Y4NuZVUajs9cOV+lrRPjSkZdsk3u1W/TzYTwSpt6Q/p/DJYJfsK0XUlfE+3jG9bwhU/HTaDJrR93wsIevYNlSmeUPTnkeFkuz4ELhLWWhEG81K5G0J+EBXvLbujrTiNDaFz4HJUKeqI8R9SQJ2FDGSscq2H1gUcsGIoaqjQqsQYULw1ADr6btCwKq8XkzqP9sLSGGrLX3HP3waksvs4aJriYnPomsiir4RlMsGwYbZjI5cbn0/puk8+bTIpRYQymuag436IvFeYu+JnLAjPfiBfmXQ/E5cjV1Y16JmpgP2gNx8QNzX0tUJ2IjjVEp7yDYj/5pmFtxvJ9C8cHqBBJVV23s5MLS/QZqNn77fpUfP1W+sgruh7C9TSPzlQVrN/YKXWI1Y/ZaZO339L+MbKlvWA8/RlvpvwLjNYcY0XzilBUvxzRcLjN9dTPArdpskvkeqeNf/9+7FyA9oYZjQtQcqOPghyIETH2o9uLboX1qjmh1iwMVBlWZOUyf+sam6bM8Kym1IMIsxNphplpReyvmn8PK02R1ecCMci5qwThFCv7JwDCa1nzBYR159e6sPPw64NTftUQ5+lR31hEFvOmfe9i58LyZaPqHrfXmqlKTx3p61ojwMB4xG+aB9LAkThzoztMxvFIqfPgpmtc66LMl+e+BTd66oEb6t6UrujX8vYsbFe7APSpGvz78PPlebe/a6MmhtGD3Rc5lwbopjBzm8jqgg3TYSd1rbcpsex3X3V9gbYzF/bGsYVzvidud3zWDIwuzw9asrHicwcsWcvYS5G3Fu0Mnbn6TI93yt0H+61ZYFDtfuOHb3w4bl6ZpnJTmuYyqgSn2klGugtlI9EaK4bnfFAF6EAZmEAlxyOKQFOhk+Kj7Cxo11R1I8+sprIWRl1fyOw6X7+4vOrb0MhDxrqIwlhd9pENBe9cC9m+tDgm0aUw6JotBQZlMbJFS6lSgtc+Gegvu0mvattNAqoj/KdlpHOWYZflMrBx3v/2ETFBeJVTq858I1v78xl6enGLi5LT1+jKBUQcWdDes3BcBF7mJn/bhOBUe7WEOWP6xprcR/B1j1K8Thjzvb8aPjB9s+fJ1Si2XFKVroVdWGSfu28BngewTleK6pXkud09zlcf6TS68/Q+QWRh+PbutfLTD87GeNaAcVyeh8tI7vw6T2RRZhPnXcGq+NwraOPq4nu6mn9n2ZEC6lMX0G5G5hUZ89K8WXqirLEu5422lAqQB6xer/kb6RKHVb7B6jQZekNUfatdsb+I7CRGoJGfWiWK0TtMajzlsHFrVdCkfowU39UGqtqvhZyvGb2ptaJYR88N1gabKpbh3MSjMOMnczvs4HN5i1j+Yvz+sjdrNQWHlqNPA+BjdxYsF+GjW99jibvvDTb5+bDv3jHXGROyivXG2akj0cvoZ8pq0phBh0FE9qfIhFMjM+5siTecW72HdEUI1XpRcXRhx0dE5lTbLVGD/YY9CyZyehtZAJxpc5zl+UDdAgODK6ZqJuZUwftmgRXjkMETiOC593exRBiE+J39bXBmIsE+lHMHLnQii9iPjp42+ZwlVbr0RbdOwwxE5k2ENiG+Rnh6NlJk6MJcw/s4dUKJM76aJC8fq3Lfth9iJjTKqcGMB4IMc1mZzu9Gpib55LmZdcQWN3lswMf4RWpoUfJk2TxvUE4X2D8BeeTL+g3fZ2taq3hNFcdbKOQy0l+u6GngRNoPwOv2v6aLugrcxeq1YaYCYEYUnFjrGwwBmx56XKO+YnXiOwTH5jSBriKyKOx5SrONzhx1xDrJvqWSa5a7+FmNIldQPZoIlUty/EPj/aNlvzDeWo2km5cXNg1uS0h6Oo2ur0dPq+v/JedHxp2Ont7/lnP/ABM+XSVLB5x7DgnFbuWvry7R5cCg6rKRDLXWV5fs5yBiYVdTDbuM6kjfJx7mc6vDxr1TEdlc5qkrvgYVd32jw/OCLC8j5tEqPlqCezKYoPK8EwL2pcMugbZ5D2FLljdPOSNBvCK21zgoA49w88cz8pp5l1XKa6ru7n31yaHn1A9RkKxxS0nVjSK41K85DZW31ihM+xI3JgiEBKPi+W5ApKmuxGvMOB4+ZKAmFI6gvnJBlRrptODO0DGx/njvbt5ZKTwAlHuAHUzJpxtotpyNaERWZPMqz7fR4zOsyKLWAXXoVpoeB3S+N0oVn6JiMiLKQa/ELtPVFAUJTHezVx3mKq5yZprKuhYXzXMUamzXVmw4VdI+L+yfpMsSiy3B9WRe+dnnC/TU10p8rri1leeMQwEH5IFd3JZS228+Q98NAw2i/wpzI+RG7DhCmpIKwCzWu9RHOm0SPEEIrp8WelZXub/3pUlv6RKTLfo06q5xNlf4FEX5fuAdETOBCszEQuGC7k3HKLGCrr3pcRJ2jMsrGBa9l7lLjm5hATtZZwGm0AHrC1IFrCBSeUi7uHHv6Qb9WglwJd/JnHL0lIn17NvniEnyHM3t/1H7f1hgvtVMz74Nvy8aUmYLjged82PbULsW/tkVgkEh1gV6cls3v5KLvUANRibl1P117vmsYRA0VXYjBxlaF3H1bo+zz+9+x4qijy4B+NtvP7/7/c2Hi2+/dTm3a6wwG92TG6luYpYsHzxgv9cDdl/YRoNgWMQ2InzNTlyUkuY6wMReF9sELsxCKio0IzEVSCeUlIDjIn4UJPA+EItotsFs2Jz4wdEBwD6PTdQen9gl6rqaJzoUZp5ro2JXvkO9drKAWPcujXaP1jUf6YKkxxa7tI3BBiaNLzZp6158vYslsWCjgaZ6qskCscdONYhGFJhmv7wnrJSPxhO8f+DCMu/t/w/DUVuT2XX+O8kWyzsxes/IXiZPsjnqd9x9/Ek5QdLWzsp2/NKnpslor7PsACfzGYTdBjv38Mt0DVnNpngPg6KvBWbcyroGc7nyOuPyvFvbBkhc1h00dBmAMBjPKqxzrjNrIh4xn2MSryHd2lcfncmiqEQ/EjXgThwH3PRQ7t7TW/N3GrapG970cZb1Q3m7xiL/mwy/mrW8GWzYMZrhwdwNB95hTle6ZITJaFmiU3nwwP0GKzF8dHjsrGtRlJlMpYyv37+7Qr+5OGqblBpm5MukqQTX//EWfamoGsFurbjIFO0jdaZNbugERLfoQ110Fkzraqx0EvEi7RKVsdsIWKLlUYGjQ1RN4HHswXTz+A0aMMeqSLBalmyC8AIuIxYgN0SrPFpX2h2acdGudkjn2PStwofSnVNBVgVWscpKGrrbEg/aFz/49QmTQTpVFJrZKvpeIHQRt4CqIbxYAtRSArJy/q8EVEscvROGQ5yKvr3g0T1jsS8cj9xWUGt6RmdaZJhAY5T45SeWthYRnfcO4fmyXP8kbs0q+v1OREaMynIdFXe9Q91SPu7l6Q6E1xxH1xgio2LJRMSiyCHpFLnRIltkesMMia4/RLbgcqNxET93pUtbmHU66gleXYjImEipTpgoqSrm22gJ7wPaJblJQ3yNeYq9wsqsVNLILP6TFFBf/5RBxDE+bZ7sbHK5zPIUwraE4+e/EZEV+DYzJlbYYJew3dGcJrgUCiYSMc1EOqZLrjM+51nsZ9Ed2t8nJB4dGbxDOzYWYpd27KreLu2fE9J+lZD2vyWk/T8S0v5zGtpGlhzPaQqV0lCP756JrKg4GN/zbYJ7siZe3iSwS4qKs2VRprG+rZWJ+TJ2EpKnzFIYJZp+IfFjIyLTLiExwQpqRdJ4k5ZwGm9Sb3VVJuhFSkRTVp3EVTXSWNeD3iZQIUYa65ilog1uTRLilWC3AgupKUmwCdevrFQSXQrrV7I0K4rzBGE1WZQZ4Qli2JZwgkcSoKvmWxM/LGop6ySUyypL8KZBFDOMYJ6ggEhneEkF2UbMuurSFphv/6D5PAXf6wxgQJNQdnAwabh2ibVJqM+X5fpVmhi0zubM/DkJ0BjRWdxecT3CSkZX1TrJMQeqlKj4VW7axfij9drqEKZm5eL88YMjjjiYfUmIOzT5eAhyHdoLxmkKH0ZnixSLyBYxi7N3CaewDXTGSkhSzJKoOlauf8q1KQdg/pFoa0WS0OZsQVO4MRoCzQXNWbSC0V3aTKTZJYXMK041kSmk7YmzZQLdJEu9wSZqz/8O9VAGeRTCii6ZNgrHj4S0tBNYfIqWqUStkslaAxK5SqRfXWa+2+IJqBtFcZHAkHSlQKnYTmdcb1aS6cx1mI1PfYsVTrLB85FC2BiU166/fWy6TBssovc5zrWZVypWs8CaKnW9glJQraLzGt+OrmuSY5OFzg2L+M2uj0Ua2EdzifM89hlgeexn1Ro6KMFdxIqMKCmLJKhElnACN40VWZrkSI94lELM5U10eKZSx4csZaUuFYtMlGPDTBU9+4wzQeNB7LRUddSOOg1dKL6NH9bi0qGeZgsuo1/nDfEEKf/W542udSzRBBrH+tAJWI2em8DlMsnWFcskB7iUKrYCK+bVMsUxK5gmKdRCoZNs2BR9IAQ1AK4UnW50He4AoGNn/DmqsdPxxGYT2wNJUlEmXQPo6J6ojG8ZScWWWaAf14PpbgRV8e+sMnNNeaOTjdqZuiXrWrwm2WQJCjd9T5zYysCTja0NyswFkqKzi7W2H2ZkFavOf0Ca3pYs+kNASVWxVFiYAeZuDMqbJITjX70OiezTp14X0AiElVxmWJcRGwZ0SSscm6qimKew7xQlIAeHOpqIeHwhW8pxIVw7lKXKE3AcP5CpE8SGtYsNJ8gH0DR2IoBreJzAOdH0S/wNEAJojUY1gSul2TKB4tVl7CibViTFOVAkj25Ia0VCqLgRCJt4Lba6NCsdHVVzTUTsQolgt9iHEnUgnbGnb5Ym/rZyROO/6DU9PWPT3ZbR0VqrfJ4kD71SPMFdWGmqspzFrnpP0raifhlKIQZDtMFF7GjwOmNCG7xIYBmsmTIpzPB1KRJANxmpKhEzzBqCRQsgir6pjEQfKoEGQzfZIwmb5X3GnOXoTNGcGXSGVe7RDDXAv4fZcZ2zEkpprEMokIEm+gjwDYjkKFSq0+RDMJFOchdFyeWWDhoLHpTfQlbRQL3vuMesDF3MCPqdKbqkt6jAfaCF9i1WLKt+M5DkTHKmoTlDPbpfegBQQroqS6kMGgKPIrRZYYOYQaWii7Gt8IC03Ps0oQgJ3nsdDQuICY/sPoILzZlI3ZG/w6odrcunRkYuqVlRNWu/r1eyGtxoCAm6pqppR2QkKrHSFL2jBkNHcHdWcSOCp2/lUr+4cmWvz9C5b/H1HJlVoEsRgAF/oL71MbAt0HtqfmdGUB1e5+GmTiK8BbTsbk4RDO4mqylWZDVjggX5g567E+Br99Qn9MKAZIgXHFcCev0uK+jjWoO4hwHce3jte+aUHo67mVMDwu37F484+3Yhsog1TXdDXoVh0Ud6a+BUjIULpuhGPaKQ2sZ176FDteAjHS8BPTdhO3DAz9XUIEW/VFSbPaDdx2cr3x8r35kM0JbHjeo0dj8i1eSd7oZT9vHkOIK3sZ2/A0K7fh2cecze/4f7G9rBLs9rpQBjh/cGeA3xknjvuYXt5TLHmiKXrt1wgwanqlkl/4vT8CuaVvAN51I5+PqgGBHCGmlKod0Z3t+vSmGhMZmgve8AYdoNLcDsbTcNqRR0QNvHdElVwZy5MRXT7ZCuMQdbM06XFHG6phxhrdlSuIVr+/WHtz5AMp9Qf8P4e3b6/CSdni1nlWBfKtpvk4jDh6/D73GIicd1QaktGpa7A0mkEBRyK9CGmdWYokAoUBnSWOyKHlVedG/XwooT9ElzRXG5ZARzZDkYcX2Ai9NyB0ONtGk8nezK1VaH2euks21kL6s19gWPOcM6W8nkPoFz4hp3DXqptE2NrFbstuAJ4wEgd2gst3Cn+UYshFOsZm+4ltYR3zlv5/BYjn71v5ihN2Lb/GtA3YAvr4VBOJ8RWZSVoSqshpOE8e3E0rln3/TXAnos7iwIM/+sXn7/w5+t73veWY5aYt8E2fb7NIv7YnbXwA3eUoX+rYnJ6ReeDWAufOpj1/+k3/Oi5Xln1+9djyOTlw/ptif9hil2nBl6/9vHCzt3qqgLnkC8NGeaKFpiQbbWqvTmGe/ngiCQ0HP08d1rdCnMjy+fo8v35xf/+Rp9uhTm1U/o6Wa1RYIys6IKkZXUvlWaVIoSA9/64dX/+m/PngQlQs0qoY7rywN06qzA4XY8OvHuu+cxv3Z78bJmKnzE88fFdFc3HeD8SMC4O1/wIX57hmnrnXxmylSYo7dv3geZ/UMKmi6WddzO+D9S0FlYtpbdr0aFwkQOK09Ygsd4B+9ZhyU2dINP0CIddvcVepPnCuK0bpeH2GmuXlKUx75zPvQt5PLs3ZW7lUafxwqsJ3z92AkqOUvV393o8sqyMhL9sjI8shNEFBnascdlWFtimeuuNa2C6LCL85zZL2PePth2evmH77kJN4B1CeGAS3/Cz3e3wICVNtc6iV131ysNo/eewyupTKOSB0o3hwc2WABmtoc1r55Y9m4+TCzry6Se1rsxwQsa8huniuJ67sDzxVpLwqzJ6eJGAxsHWb2ssFjSWeM6ESkWbFkpmqP5FmhSkUPWUFjPlEdCDwyKRkes5eCgiwR4Bzyi7d8t4YoeAFC0kIZmPrM7fp5RfNHmQmc4c6n4CUiXRqUhvkiwJRYJqoV5iuOQCv+kTCBUnGd1JC6dWd734O08Zv3RusGEE1iwF2ZFlaAGfdyW9Dn6VF9jbyEA9iO6qgNgg5vgtzFLrW7VM4ExMeIa10z7uPhzhDkPGhNl+0VIcMMKEvPWVNk7kAkjkTZwmTOBPl2OKhQCCbLJ9FV0lW2JyjJB2zdLWFEdO6PXkk1Q4uJuxNip6BBvT8Cta62QcSqW0TtFAs/W+EhohY5YoM7kwbzzACMQgXSCBcLoF6k2WOXDPt0IvVlCspdC2J74W8ilm1OzoVSETc/IqIn3feOWBvPuU51jBgFkPGRGDGbIhM9zhbSEghmrlnyLjfAU1xyLKd7x7xCgrBNEOiHKwQR3Q5btS8raerBLcGB3b57YL5WUAArBOh4e3N1e7LEyjFQcKwR40ahm4unF7eu3cikXi3D3d0oys6LJl3eH2Y92QHcaO3xfWL4tu28qs6LC+GTxUbZ1FRM54W4JPW7IcdY/aapGGZaVIXJaSfshxxm+rgihWo/wDMjjx4GjHZd4Anwha+IupdqiQGHCgLcplNMOj7THo9VK8MCnSynsvWL1Vsg4bH6IBobS7qzW8fDoRu5NjBxqKdQMcEbzZj4+DtOzh5lAmpkqoD8RFBdQr6I91RXWCOeytLeLWVGmkNyIdsmc4Ay+lUIWI3m10JNDMwdRP60RYY17JnKrf6TSjQAw+oVxit54xmYDMdwl2CuaibkzOZow3sz/JOkKoyK49lkLcaUQmmNAEDHr3R8gCJevd+3rNWJLYjwhdC5TVg8EJj+nK7xmsgLrksiiVLJgIxmKdGrmLgSecygiW6Cz/bwxsW7UTkIm+xzuWJ0oyMAOh1GbyxzBYGD8hr/Uq9u5ZdvzNrrt2jLLSph+OVtsiz6HMvCMHOPW38kKgvt4SQVVjNRTAoFAol8/tYCZFVy1od5uyDM7Iz/MtFHjj5/1nI6B3TrZnF7un5M3L9xYCecVdE0bJ9ywgmqr1521p2hJRx+R/CpEA4U4uBAAPPjAZVB33FrHYHefbGv9eLc5/ZDpaE1O7zw1HzA+NMPB3GDGrUK4gzL4emf38uDs1KRr5w5alLmpwysXDUt1GgVyQI83CuTr3Y4/Hl6yWK0Nplmyu+lHNakGiXnG7qA/Jt2OMec22IyNUQ8laL04dfTKncqssoKalTzBKwneiSQjx4b/2uiCA5aSkkmjTntedT5I7uO1lpE9+zJRJOQ/Zz9//z16+vb8zdUzdM60YWJZMb2iOZTCB3nhcimT4wLtewmDbNmF48MvM3xxJGNMycRRxX31n3ZVQxw0JwYi8tGaPt/nuBBI+2/qfjuBP+Ap9GaKRQgmvc0UwzwWOl1vIh9wzirtRkBSIc0KxrFy6smqTXuGCNzr4fIqOOea5VMijXQz5T/ZjVBHEXu4mO0hT1dn8UbsO+vwrOErDTvxXx8kgk8Ge8EHbminLCMPhzKlSpkYMHiyAVFLtcSC/bEnq1qk2wp3FfYRku7uqRFxL5gK1pImQv35xQ4Ht4WD+HLYRTtZzb9SzM2KYEVRqWguCyZwsOCuo56usGFUGH0wPZ7jKWf7Fp90sg76kZaJNq49Ok+s4iqxMgCG1E51v1qdEOzIK5u7aNQFzanChuZZtKSyPfvDKp9f6hGbx7MrJdcsb8DD/PdwWXJvqQ42hgf/sdfark0bNnDaSbJ8olk2Q3qsP7MdmWaweShkTq6Zez1f9Q33EQi4xuiM2RT8vpYnvQWbqfOjTiX0MjBRZ6OCxYo10kYqp/EttYIaDKM9gW/N7LeehGdfsDzndDot9w7Gu6ueCyxvR+8dpefq9hjTTPfKj9ZBGBLb+nX2OSo5tktm72epEBVEbcuxKD+kQk7gT94hg041vuWvUhv0DpMVEyMuXY4TaY5v+rL+JCDTv1TUqg9rHzmQMz1Db3Ncos/wD2cf5VK4utN/Di9PtMJrai0nTrFCXyqqtggwCHUphaa1RRUuTrXzzeA30+hLj4FHLGXFahRI4abvcPnG+aynNAGr7Qb64MFR78opdHlKGzDr7/EaWnoHxMj6hv7iZRqpSoigH6ufNzePe3l2MFIjNXaeYuY9zPQLgdGGiVxuNNIlJWzBiP3keahO0OfJDg+InZ7jt825QU8BEZYK0l5D8HT5rCMtVAm4x9/SJSZb9EnvAt82L7BFv5A2enatHWECh33ktu+6WsAK1KrBJrM34kDiDQ5AoPp/p9IUynmG4tuddnqDegyd15nXgRnDDIMbzf/miMlOk9c7NlWf4etD77Wuu4Cpj6OADmczTcCueTDYXZs2IdMtw2CFwoAUh4ufoWwgZkvA0Qo3mHJOF0z4WD0oJ0D1K3A5AjoI3B1VKJaItzYA0zP/YivGJmabeu4eS2kEm7KJYRuDyaqYGAK/HRUEjgbeUXc5kjR5mTMRr4NY1LNhpwxFhWkvz4CS6pbtwLI4GO22vD/QtXPAddq77wDXJVb1nrJ/ft5OZbNiAyh1ZE+H9WVd8vudpmei9yxxsBZSbdMt+F90icVfDyLG1IzsoqjX5nnoarJi+csLoH5gbicziQazqvHW989qdBdkVBgly2NURy6r+SC4cKc97se03jY9UI4APLrqjmnP4ZksSiy2zXmEYwft9J2/sqbKXkMZEwsZNgqwvkldI3RAf/S8yJqzDU2Lir74kipH4JeK8y36jwpztmA0R+dQ9+yCg0FWNnSeESlv2Ike3X+nc+TGb/1nzMes+ehos+1zeFkZMLmPbGF6+Kx/aIbwXXZ8ONrF5Gfo47Z0U28jB1Y4bgXHF0/RRRYVTLbHtuXBBSLUEx2Cre0zM0WorjEud7lzkcVSqjraD0/MH96OLHkHKyfydqplUabtQ7RHFHbkg5H7mk0lZSJLZJcpO45dD1RiEw5NEpFhHfO1v0NY+XL6yJQrxSMuc4dqxFVpnNGsUrGiIR2amqoML+P5lC3p6NfTLumo6Y+7pP2uT6BY6K2hAkyr+M6JpR9tNzeG3krRXqpMbIvKDTFFLeGOzv0Iw4J59cL/95ln4YX/D5/XFAr7Y05VODvPT+eEr+duMt3Hc4i4dlqtDaaT+4Zo1qViYkGVGnl3Hc57knl1Df+Dog+GZydgssYlXnSWIXCk4FlbJj1SgSEm234X7t3ebruPkEGsun/6Bx0maI03/GTliqpp4hHWZvcZT0/PoPXjM3QG44dZo8pMBJYyIuczqnzzT7qThbkHnJcmfTruCLKz4HbQJ7qDFL13pdkfx0Yl7w+NEl5tdM3+CEdr2E0inXL5jwsk6FIa5hawXGE90gFKk6lhhTpL6QYfby5olzpZB6hBgktvj9XA6XX9TTghRbPlFBUVu/hGTdfDj6ONlq02YVpX0Y1OoAzJUumidQ97QwEOqVJJY6CDRelqzws7OLqGx+l92mmSDIkGGdy/Ij+9htTO/ZdRR3sex+T9teceHsdVqNY8W6e80ftPqj6QHWQmz+zWw1V0mEadijC7od6jTgRu8E3brqR7IYFu/QlpeK+TCl1ev/nHuyt0Ze8p9JsY6b7ScpuokvoYbj9uZJhbUENkRcmNPiqIfDclnBaDLNR0rsHrbCDCIA3UtyBsteAeK5cqNgCFPIGR6/hoUEFGnQbg2WBTTdbhs8vlGnOWu40YYKKvCCdDtd6nCEFiN3Sr+2o70s6vE0gj014ZU+qMQQ/aJKRhKVMIhOBHcJrYUtSVL1Ixsz1woogsiqQ4cXfk2/HhA0LhEvwNU5T3Pc3YIZYNxyLT+lQNb+3ITof/7mdb12gFuXWlxlkp2RRp1SGGHQcIOACmwt4AiJWssBAD4IzUcFN+VGBk5M12Itjm5mLxPQ9/f/vmvb/3XvSGby4UI1U/9h8ds43pm2wteZVKAG/qPs7C97lpOmPX7XwrwYxGTx0T+hmgdUBhb91Rt0ceAdPB2fAqkTZ763n9JJjx6QKz3aKDNVWQKbCoOCJSEFoa6yhfuzUcgVfYbFJqXyd467DXLbQto6VUBkkr31//9iaUghsUe+x9J9Vy+gTLfoHBToh1jh3YSRAo5u8Xv11dXqF3+LZgIm/aeoeX1c5t8jTMnSaKI9Py0xjMbt+0GvMpXLIYPT3bVTlmi+kKNk9dhF9PObnZsRMs81r58tyj9Hou9nLIp1uUE2MF1DMu/svXDTeFOSIfWpKxTzfES6wLfaLsRt+uGrz45lG3cMW9z5GuAinqWKO/aKOkWP51zjG54Uwbmv/lhf/b8+ZTJhaUhD9aMEU3mAcNGTznnd8gLHKkJRrZlooumTZqaz37KZVFic3Kg/U3PKA+DwMmISg1FZuuENrVaxGpOijkjT3ZcE6FUds//d8AAAD//7FxYfk=" } diff --git a/x-pack/filebeat/module/citrix/virtualapps/_meta/fields.yml b/x-pack/filebeat/module/barracuda/spamfirewall/_meta/fields.yml similarity index 100% rename from x-pack/filebeat/module/citrix/virtualapps/_meta/fields.yml rename to x-pack/filebeat/module/barracuda/spamfirewall/_meta/fields.yml diff --git a/x-pack/filebeat/module/kaspersky/av/config/input.yml b/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml similarity index 75% rename from x-pack/filebeat/module/kaspersky/av/config/input.yml rename to x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml index 5d86e5c695c..cdafe4ebde0 100644 --- a/x-pack/filebeat/module/kaspersky/av/config/input.yml +++ b/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml @@ -20,8 +20,8 @@ publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} fields_under_root: true fields: observer: - vendor: "Kaspersky" - product: "Kaspersky" + vendor: "Barracuda" + product: "Spam" type: "Anti-Virus" processors: @@ -34,12 +34,12 @@ processors: keep_raw: {{.keep_raw_fields}} debug: {{.debug}} files: - - ${path.home}/module/kaspersky/av/config/liblogparser.js - - ${path.home}/module/kaspersky/av/config/pipeline.js + - ${path.home}/module/barracuda/spamfirewall/config/liblogparser.js + - ${path.home}/module/barracuda/spamfirewall/config/pipeline.js {{ if .community_id }} - community_id: ~ {{ end }} - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js b/x-pack/filebeat/module/barracuda/spamfirewall/config/liblogparser.js similarity index 95% rename from x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js rename to x-pack/filebeat/module/barracuda/spamfirewall/config/liblogparser.js index c8cf5e2ee06..6cdb48abb26 100644 --- a/x-pack/filebeat/module/citrix/virtualapps/config/liblogparser.js +++ b/x-pack/filebeat/module/barracuda/spamfirewall/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -1975,6 +2049,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2417,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/config/pipeline.js b/x-pack/filebeat/module/barracuda/spamfirewall/config/pipeline.js new file mode 100644 index 00000000000..37a1fa68d5e --- /dev/null +++ b/x-pack/filebeat/module/barracuda/spamfirewall/config/pipeline.js @@ -0,0 +1,833 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +function DeviceProcessor() { + var builder = new processor.Chain(); + builder.Add(save_flags); + builder.Add(strip_syslog_priority); + builder.Add(chain1); + builder.Add(populate_fields); + builder.Add(restore_flags); + var chain = builder.Build(); + return { + process: chain.Run, + } +} + +var map_getActionName = { + keyvaluepairs: { + "0": constant("Allowed Message"), + "1": constant("Aborted Message"), + "10": constant("Attachments Stubbed"), + "2": constant("Blocked Message"), + "3": constant("Quarantined Message"), + "4": constant("Tagged Message"), + "5": dup21, + "6": constant("Per-User Quarantined Message"), + "7": constant("Whitelisted Message"), + "8": constant("Encrypted Message"), + "9": constant("Redirected Message"), + }, +}; + +var map_getActionNameForSend = { + keyvaluepairs: { + "1": constant("Delivered Message"), + "2": constant("Rejected Message"), + "3": dup21, + "4": constant("Expired Message"), + }, +}; + +var map_getReasonName = { + keyvaluepairs: { + "1": constant("Virus"), + "11": constant("Client IP"), + "12": constant("Recipient Address"), + "13": constant("No Valid Recipients"), + "14": constant("Domain Not Found"), + "15": constant("Sender Address"), + "17": constant("Need Fully Qualified Recipient"), + "18": constant("Need Fully Qualified Sender"), + "19": constant("Unsupported Command"), + "2": constant("Banned Attachment"), + "20": constant("MAIL FROM Syntax Error"), + "21": constant("Bad Address Syntax"), + "22": constant("RCPT TO Syntax Error"), + "23": constant("Send EHLO/HELO First"), + "24": constant("Need MAIL Command"), + "25": constant("Nested MAIL Command"), + "27": constant("EHLO/HELO Syntax Error"), + "3": constant("RBL Match"), + "30": constant("Mail Protocol Violation"), + "31": constant("Score"), + "34": constant("Header Filter Match"), + "35": constant("Sender Block/Accept"), + "36": constant("Recipient Block/Accept"), + "37": constant("Body Filter Match"), + "38": constant("Message Size Bypass"), + "39": constant("Intention Analysis Match"), + "4": constant("Rate Control"), + "40": constant("SPF/Caller-ID"), + "41": constant("Client Host Rejected"), + "44": constant("Authentication Not Enabled"), + "45": constant("Allowed Message Size Exceeded"), + "46": constant("Too Many Recipients"), + "47": constant("Need RCPT Command"), + "48": constant("DATA Syntax Error"), + "49": constant("Internal Error"), + "5": constant("Too Many Message In Session"), + "50": constant("Too Many Hops"), + "51": constant("Mail Protocol Error"), + "55": constant("Invalid Parameter Syntax"), + "56": constant("STARTTLS Syntax Error"), + "57": constant("TLS Already Active"), + "58": constant("Too Many Errors"), + "59": constant("Need STARTTLS First"), + "6": constant("Timeout Exceeded"), + "60": constant("Spam Fingerprint Found"), + "61": constant("Barracuda Reputation Whitelist"), + "62": constant("Barracuda Reputation Blocklist"), + "63": constant("DomainKeys"), + "64": constant("Recipient Verification Unavailable"), + "65": constant("Realtime Intent"), + "66": constant("Client Reverse DNS"), + "67": constant("Email Registry"), + "68": constant("Invalid Bounce"), + "69": constant("Intent - Adult"), + "7": constant("No Such Domain"), + "70": constant("Intent - Political"), + "71": constant("Multi-Level Intent"), + "72": constant("Attachment Limit Exceeded"), + "73": constant("System Busy"), + "74": constant("BRTS Intent"), + "75": constant("Per Domain Recipient"), + "76": constant("Per Domain Sender"), + "77": constant("Per Domain Client IP"), + "78": constant("Sender Spoofed"), + "79": constant("Attachment Content"), + "8": constant("No Such User"), + "80": constant("Outlook Add-in"), + "82": constant("Barracuda IP/Domain Reputation"), + "83": constant("Authentication Failure"), + "85": constant("Attachment Size"), + "86": constant("Virus detected by Extended Malware Protection"), + "87": constant("Extended Malware Protection engine is busy"), + "88": constant("A message was categorized for Email Category"), + "89": constant("Macro Blocked"), + "9": constant("Subject Filter Match"), + }, +}; + +var map_getEventLegacyCategoryName = { + keyvaluepairs: { + "1207000000": constant("Content.Email"), + "1207010000": constant("Content.Email.Delivery"), + "1207010100": constant("Content.Email.Delivery.Success"), + "1207010201": constant("Content.Email.Delivery.Error.Nondelivery Receipt"), + "1207040100": constant("Content.Email.Spam.Suspect"), + "1207040200": constant("Content.Email.Spam.Blocked"), + }, + "default": constant("Other.Default"), +}; + +var map_getEventLegacyCategory = { + keyvaluepairs: { + "Aborted Message": dup23, + "Allowed Message": dup22, + "Attachments Stubbed": dup26, + "Blocked Message": dup23, + "Deferred Message": constant("1207010201"), + "Delivered Message": dup22, + "Encrypted Message": dup25, + "Expired Message": dup25, + "Per-User Quarantined Message": dup25, + "Quarantined Message": dup24, + "Redirected Message": dup26, + "Rejected Message": dup23, + "Tagged Message": dup24, + "Whitelisted Message": dup22, + }, + "default": constant("1901000000"), +}; + +var dup1 = // "Pattern{Field(fld3,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(info,false)}" +match("MESSAGE#0:000001/1_0", "nwparser.p0", "%{fld3->} %{resultcode->} %{info}"); + +var dup2 = // "Pattern{Field(info,false)}" +match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); + +var dup3 = setc("eventcategory","1207010201"); + +var dup4 = setf("msg","$MSG"); + +var dup5 = setc("direction","inbound"); + +var dup6 = date_time({ + dest: "starttime", + args: ["fld1"], + fmts: [ + [dX], + ], +}); + +var dup7 = date_time({ + dest: "endtime", + args: ["fld2"], + fmts: [ + [dX], + ], +}); + +var dup8 = field("fld3"); + +var dup9 = field("resultcode"); + +var dup10 = field("disposition"); + +var dup11 = field("event_cat"); + +var dup12 = setc("action"," RECV"); + +var dup13 = setc("eventcategory","1207010000"); + +var dup14 = setc("direction","outbound"); + +var dup15 = // "Pattern{Constant('SZ:'), Field(fld9,true), Constant(' SUBJ:'), Field(subject,false)}" +match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); + +var dup16 = setc("eventcategory","1207040000"); + +var dup17 = setc("eventcategory","1701020000"); + +var dup18 = setc("ec_subject","User"); + +var dup19 = setc("ec_activity","Logon"); + +var dup20 = setc("ec_theme","Authentication"); + +var dup21 = constant("Deferred Message"); + +var dup22 = constant("1207010100"); + +var dup23 = constant("1207040200"); + +var dup24 = constant("1207040100"); + +var dup25 = constant("1207010000"); + +var dup26 = constant("1207000000"); + +var dup27 = linear_select([ + dup1, + dup2, +]); + +var dup28 = lookup({ + dest: "nwparser.disposition", + map: map_getActionName, + key: dup8, +}); + +var dup29 = lookup({ + dest: "nwparser.result", + map: map_getReasonName, + key: dup9, +}); + +var dup30 = lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: dup10, +}); + +var dup31 = lookup({ + dest: "nwparser.event_cat_name", + map: map_getEventLegacyCategoryName, + key: dup11, +}); + +var dup32 = lookup({ + dest: "nwparser.disposition", + map: map_getActionNameForSend, + key: dup8, +}); + +var dup33 = linear_select([ + dup15, + dup2, +]); + +var hdr1 = // "Pattern{Field(messageid,false), Constant('['), Field(hfld14,false), Constant(']: '), Field(p0,false)}" +match("HEADER#0:0001", "message", "%{messageid}[%{hfld14}]: %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld14"), + constant("]: "), + field("p0"), + ], + }), +])); + +var hdr2 = // "Pattern{Field(hfld1,false), Constant('/'), Field(messageid,false), Constant('['), Field(hfld14,false), Constant(']: '), Field(p0,false)}" +match("HEADER#1:0002", "message", "%{hfld1}/%{messageid}[%{hfld14}]: %{p0}", processor_chain([ + setc("header_id","0002"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant("/"), + field("messageid"), + constant("["), + field("hfld14"), + constant("]: "), + field("p0"), + ], + }), +])); + +var hdr3 = // "Pattern{Field(messageid,false), Constant(': '), Field(p0,false)}" +match("HEADER#2:0003", "message", "%{messageid}: %{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("p0"), + ], + }), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, +]); + +var part1 = // "Pattern{Constant('inbound/pass1['), Field(fld14,false), Constant(']: '), Field(username,false), Constant('['), Field(saddr,false), Constant('] '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' RECV '), Field(from,true), Constant(' '), Field(to,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#0:000001/0", "nwparser.payload", "inbound/pass1[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); + +var all1 = all_match({ + processors: [ + part1, + dup27, + ], + on_success: processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + dup12, + ]), +}); + +var msg1 = msg("000001", all1); + +var part2 = // "Pattern{Constant('inbound/pass1: '), Field(web_domain,false), Constant('['), Field(saddr,false), Constant('] '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' SCAN '), Field(fld4,true), Constant(' '), Field(from,true), Constant(' '), Field(to,true), Constant(' '), Field(fld5,true), Constant(' '), Field(fld3,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#1:inbound/pass1/0", "nwparser.payload", "inbound/pass1: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} SCAN %{fld4->} %{from->} %{to->} %{fld5->} %{fld3->} %{resultcode->} %{p0}"); + +var part3 = // "Pattern{Field(fld6,true), Constant(' SZ:'), Field(fld8,true), Constant(' SUBJ:'), Field(subject,false)}" +match("MESSAGE#1:inbound/pass1/1_0", "nwparser.p0", "%{fld6->} SZ:%{fld8->} SUBJ:%{subject}"); + +var part4 = // "Pattern{Field(domain,true), Constant(' '), Field(info,false)}" +match("MESSAGE#1:inbound/pass1/1_1", "nwparser.p0", "%{domain->} %{info}"); + +var select2 = linear_select([ + part3, + part4, +]); + +var all2 = all_match({ + processors: [ + part2, + select2, + ], + on_success: processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + setc("action"," SCAN"), + ]), +}); + +var msg2 = msg("inbound/pass1", all2); + +var part5 = // "Pattern{Constant('inbound/pass1:'), Field(web_domain,false), Constant('['), Field(saddr,false), Constant('] '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' RECV '), Field(from,true), Constant(' '), Field(to,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#2:inbound/pass1:01/0", "nwparser.payload", "inbound/pass1:%{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} RECV %{from->} %{to->} %{p0}"); + +var all3 = all_match({ + processors: [ + part5, + dup27, + ], + on_success: processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + dup12, + ]), +}); + +var msg3 = msg("inbound/pass1:01", all3); + +var select3 = linear_select([ + msg1, + msg2, + msg3, +]); + +var part6 = // "Pattern{Constant('outbound/smtp['), Field(fld14,false), Constant(']: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#3:000002/0", "nwparser.payload", "outbound/smtp[%{fld14}]: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{p0}"); + +var part7 = // "Pattern{Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(info,false)}" +match("MESSAGE#3:000002/1_0", "nwparser.p0", "%{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{info}"); + +var select4 = linear_select([ + part7, + dup2, +]); + +var all4 = all_match({ + processors: [ + part6, + select4, + ], + on_success: processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ]), +}); + +var msg4 = msg("000002", all4); + +var part8 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(fld5,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#4:outbound/smtp/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{fld5->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); + +var part9 = // "Pattern{Field(fld8,true), Constant(' <<'), Field(from,false), Constant('> '), Field(p0,false)}" +match("MESSAGE#4:outbound/smtp/1_0", "nwparser.p0", "%{fld8->} \u003c\u003c%{from}> %{p0}"); + +var part10 = // "Pattern{Constant('<<'), Field(from,false), Constant('>'), Field(p0,false)}" +match("MESSAGE#4:outbound/smtp/1_1", "nwparser.p0", "\u003c\u003c%{from}>%{p0}"); + +var select5 = linear_select([ + part9, + part10, +]); + +var part11 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#4:outbound/smtp/2", "nwparser.p0", "%{} %{p0}"); + +var part12 = // "Pattern{Constant('[InternalId='), Field(id,false), Constant(', Hostname='), Field(hostname,false), Constant('] '), Field(event_description,true), Constant(' #to#'), Field(ddomain,false)}" +match("MESSAGE#4:outbound/smtp/3_0", "nwparser.p0", "[InternalId=%{id}, Hostname=%{hostname}] %{event_description->} #to#%{ddomain}"); + +var part13 = // "Pattern{Constant('[InternalId='), Field(id,false), Constant('] '), Field(event_description,true), Constant(' #to#'), Field(daddr,false)}" +match("MESSAGE#4:outbound/smtp/3_1", "nwparser.p0", "[InternalId=%{id}] %{event_description->} #to#%{daddr}"); + +var part14 = // "Pattern{Constant('[InternalId='), Field(id,false), Constant(', Hostname='), Field(hostname,false), Constant('] '), Field(info,false)}" +match("MESSAGE#4:outbound/smtp/3_2", "nwparser.p0", "[InternalId=%{id}, Hostname=%{hostname}] %{info}"); + +var part15 = // "Pattern{Field(event_description,true), Constant(' #to#'), Field(ddomain,false), Constant('['), Field(daddr,false), Constant(']:'), Field(dport,false)}" +match("MESSAGE#4:outbound/smtp/3_3", "nwparser.p0", "%{event_description->} #to#%{ddomain}[%{daddr}]:%{dport}"); + +var part16 = // "Pattern{Field(event_description,true), Constant(' #to#'), Field(ddomain,false)}" +match("MESSAGE#4:outbound/smtp/3_4", "nwparser.p0", "%{event_description->} #to#%{ddomain}"); + +var select6 = linear_select([ + part12, + part13, + part14, + part15, + part16, +]); + +var all5 = all_match({ + processors: [ + part8, + select5, + part11, + select6, + ], + on_success: processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ]), +}); + +var msg5 = msg("outbound/smtp", all5); + +var part17 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#5:000009/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{p0}"); + +var part18 = // "Pattern{Field(fld8,true), Constant(' ok'), Field(p0,false)}" +match("MESSAGE#5:000009/1_0", "nwparser.p0", "%{fld8->} ok%{p0}"); + +var part19 = // "Pattern{Constant('ok'), Field(p0,false)}" +match("MESSAGE#5:000009/1_1", "nwparser.p0", "ok%{p0}"); + +var select7 = linear_select([ + part18, + part19, +]); + +var part20 = // "Pattern{Field(fld9,true), Constant(' Message '), Field(fld10,true), Constant(' accepted #to#'), Field(ddomain,false), Constant('['), Field(daddr,false), Constant(']:'), Field(dport,false)}" +match("MESSAGE#5:000009/2", "nwparser.p0", "%{fld9->} Message %{fld10->} accepted #to#%{ddomain}[%{daddr}]:%{dport}"); + +var all6 = all_match({ + processors: [ + part17, + select7, + part20, + ], + on_success: processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ]), +}); + +var msg6 = msg("000009", all6); + +var part21 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' Message accepted for delivery #to#'), Field(ddomain,false), Constant('['), Field(daddr,false), Constant(']:'), Field(dport,false)}" +match("MESSAGE#6:outbound/smtp:01", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} Message accepted for delivery #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ + dup13, + dup4, + dup14, + setc("result"," Message accepted for delivery"), + dup32, + dup30, + dup31, +])); + +var msg7 = msg("outbound/smtp:01", part21); + +var part22 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' conversation with '), Field(fld5,false), Constant('['), Field(fld6,false), Constant('] timed out while sending '), Field(fld7,true), Constant(' #to#'), Field(ddomain,false), Constant('['), Field(daddr,false), Constant(']:'), Field(dport,false)}" +match("MESSAGE#7:outbound/smtp:02", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} conversation with %{fld5}[%{fld6}] timed out while sending %{fld7->} #to#%{ddomain}[%{daddr}]:%{dport}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, +])); + +var msg8 = msg("outbound/smtp:02", part22); + +var part23 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(fld7,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#8:000010/0", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} %{p0}"); + +var part24 = // "Pattern{Constant('Ok '), Field(fld9,true), Constant(' '), Field(fld10,true), Constant(' - gsmtp #to#'), Field(p0,false)}" +match("MESSAGE#8:000010/1_0", "nwparser.p0", "Ok %{fld9->} %{fld10->} - gsmtp #to#%{p0}"); + +var part25 = // "Pattern{Constant('Ok: queued as '), Field(fld9,true), Constant(' #to#'), Field(p0,false)}" +match("MESSAGE#8:000010/1_1", "nwparser.p0", "Ok: queued as %{fld9->} #to#%{p0}"); + +var part26 = // "Pattern{Constant('ok '), Field(fld9,true), Constant(' #to#'), Field(p0,false)}" +match("MESSAGE#8:000010/1_2", "nwparser.p0", "ok %{fld9->} #to#%{p0}"); + +var part27 = // "Pattern{Constant('Ok ('), Field(fld9,false), Constant(') #to#'), Field(p0,false)}" +match("MESSAGE#8:000010/1_3", "nwparser.p0", "Ok (%{fld9}) #to#%{p0}"); + +var part28 = // "Pattern{Constant('OK '), Field(fld9,true), Constant(' #to#'), Field(p0,false)}" +match("MESSAGE#8:000010/1_4", "nwparser.p0", "OK %{fld9->} #to#%{p0}"); + +var part29 = // "Pattern{Field(fld9,true), Constant(' #to#'), Field(p0,false)}" +match("MESSAGE#8:000010/1_5", "nwparser.p0", "%{fld9->} #to#%{p0}"); + +var select8 = linear_select([ + part24, + part25, + part26, + part27, + part28, + part29, +]); + +var part30 = // "Pattern{Field(daddr,false)}" +match_copy("MESSAGE#8:000010/2", "nwparser.p0", "daddr"); + +var all7 = all_match({ + processors: [ + part23, + select8, + part30, + ], + on_success: processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, + ]), +}); + +var msg9 = msg("000010", all7); + +var part31 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' connect to '), Field(ddomain,false), Constant('['), Field(daddr,false), Constant(']: '), Field(event_description,false)}" +match("MESSAGE#9:000011", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} connect to %{ddomain}[%{daddr}]: %{event_description}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, +])); + +var msg10 = msg("000011", part31); + +var part32 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(fld7,true), Constant(' ['), Field(ddomain,false), Constant(']: '), Field(event_description,false)}" +match("MESSAGE#10:000012", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{fld7->} [%{ddomain}]: %{event_description}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, +])); + +var msg11 = msg("000012", part32); + +var part33 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(fld7,true), Constant(' <<'), Field(from,false), Constant('>: '), Field(event_description,false)}" +match("MESSAGE#11:000013", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld7->} \u003c\u003c%{from}>: %{event_description}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, +])); + +var msg12 = msg("000013", part33); + +var part34 = // "Pattern{Constant('outbound/smtp: '), Field(saddr,true), Constant(' '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(fld8,true), Constant(' '), Field(event_description,false)}" +match("MESSAGE#12:000014", "nwparser.payload", "outbound/smtp: %{saddr->} %{id->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{resultcode->} %{fld8->} %{event_description}", processor_chain([ + dup13, + dup4, + dup14, + dup32, + dup30, + dup31, +])); + +var msg13 = msg("000014", part34); + +var select9 = linear_select([ + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, +]); + +var part35 = // "Pattern{Constant('scan['), Field(fld14,false), Constant(']: '), Field(username,false), Constant('['), Field(saddr,false), Constant('] '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld8,true), Constant(' '), Field(from,true), Constant(' '), Field(to,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(fld7,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#13:000003/0", "nwparser.payload", "scan[%{fld14}]: %{username}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); + +var all8 = all_match({ + processors: [ + part35, + dup33, + ], + on_success: processor_chain([ + dup16, + dup4, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + ]), +}); + +var msg14 = msg("000003", all8); + +var part36 = // "Pattern{Constant('scan: '), Field(web_domain,false), Constant('['), Field(saddr,false), Constant('] '), Field(id,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld8,true), Constant(' '), Field(from,true), Constant(' '), Field(to,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(fld7,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#14:scan/0", "nwparser.payload", "scan: %{web_domain}[%{saddr}] %{id->} %{fld1->} %{fld2->} %{action->} %{fld8->} %{from->} %{to->} %{fld4->} %{fld3->} %{resultcode->} %{fld7->} %{p0}"); + +var all9 = all_match({ + processors: [ + part36, + dup33, + ], + on_success: processor_chain([ + dup16, + dup4, + dup6, + dup7, + dup28, + dup29, + dup30, + dup31, + ]), +}); + +var msg15 = msg("scan", all9); + +var select10 = linear_select([ + msg14, + msg15, +]); + +var part37 = // "Pattern{Constant('web: Ret Policy Summary (Del:'), Field(fld1,true), Constant(' Kept:'), Field(fld2,false), Constant(')')}" +match("MESSAGE#15:000004", "nwparser.payload", "web: Ret Policy Summary (Del:%{fld1->} Kept:%{fld2})", processor_chain([ + dup17, + dup4, +])); + +var msg16 = msg("000004", part37); + +var part38 = // "Pattern{Constant('web: ['), Field(saddr,false), Constant('] FAILED_LOGIN ('), Field(username,false), Constant(')')}" +match("MESSAGE#16:000005", "nwparser.payload", "web: [%{saddr}] FAILED_LOGIN (%{username})", processor_chain([ + setc("eventcategory","1401030000"), + dup18, + dup19, + dup20, + setc("ec_outcome","Failure"), + dup4, + setc("action","FAILED_LOGIN"), +])); + +var msg17 = msg("000005", part38); + +var part39 = // "Pattern{Constant('web: Retention violating accounts: '), Field(fld1,true), Constant(' total')}" +match("MESSAGE#17:000006", "nwparser.payload", "web: Retention violating accounts: %{fld1->} total", processor_chain([ + setc("eventcategory","1605000000"), + dup4, +])); + +var msg18 = msg("000006", part39); + +var part40 = // "Pattern{Constant('web: ['), Field(saddr,false), Constant('] global CHANGE '), Field(category,true), Constant(' ('), Field(info,false), Constant(')')}" +match("MESSAGE#18:000007", "nwparser.payload", "web: [%{saddr}] global CHANGE %{category->} (%{info})", processor_chain([ + dup17, + dup4, + setc("action","CHANGE"), +])); + +var msg19 = msg("000007", part40); + +var part41 = // "Pattern{Constant('web: ['), Field(saddr,false), Constant('] LOGOUT ('), Field(username,false), Constant(')')}" +match("MESSAGE#19:000029", "nwparser.payload", "web: [%{saddr}] LOGOUT (%{username})", processor_chain([ + setc("eventcategory","1401070000"), + dup18, + setc("ec_activity","Logoff"), + dup20, + dup4, + setc("action","LOGOUT"), +])); + +var msg20 = msg("000029", part41); + +var part42 = // "Pattern{Constant('web: ['), Field(saddr,false), Constant('] LOGIN ('), Field(username,false), Constant(')')}" +match("MESSAGE#20:000030", "nwparser.payload", "web: [%{saddr}] LOGIN (%{username})", processor_chain([ + setc("eventcategory","1401060000"), + dup18, + dup19, + dup20, + dup4, + setc("action","LOGIN"), +])); + +var msg21 = msg("000030", part42); + +var select11 = linear_select([ + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, +]); + +var part43 = // "Pattern{Constant('notify/smtp['), Field(fld14,false), Constant(']: '), Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(action,true), Constant(' '), Field(fld4,true), Constant(' '), Field(fld3,true), Constant(' '), Field(sessionid,true), Constant(' '), Field(bytes,true), Constant(' '), Field(version,true), Constant(' '), Field(from,true), Constant(' '), Field(info,false)}" +match("MESSAGE#21:000008", "nwparser.payload", "notify/smtp[%{fld14}]: %{saddr->} %{fld1->} %{fld2->} %{action->} %{fld4->} %{fld3->} %{sessionid->} %{bytes->} %{version->} %{from->} %{info}", processor_chain([ + dup13, + dup4, + dup32, + dup30, + dup31, +])); + +var msg22 = msg("000008", part43); + +var part44 = // "Pattern{Constant('reports: REPORTS ('), Field(process,false), Constant(') queued as '), Field(fld1,false)}" +match("MESSAGE#22:reports", "nwparser.payload", "reports: REPORTS (%{process}) queued as %{fld1}", processor_chain([ + dup16, + dup4, + setc("event_description","report queued"), +])); + +var msg23 = msg("reports", part44); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "inbound/pass1": select3, + "notify/smtp": msg22, + "outbound/smtp": select9, + "reports": msg23, + "scan": select10, + "web": select11, + }), +]); + +var part45 = // "Pattern{Field(fld3,true), Constant(' '), Field(resultcode,true), Constant(' '), Field(info,false)}" +match("MESSAGE#0:000001/1_0", "nwparser.p0", "%{fld3->} %{resultcode->} %{info}"); + +var part46 = // "Pattern{Field(info,false)}" +match_copy("MESSAGE#0:000001/1_1", "nwparser.p0", "info"); + +var part47 = // "Pattern{Constant('SZ:'), Field(fld9,true), Constant(' SUBJ:'), Field(subject,false)}" +match("MESSAGE#13:000003/1_0", "nwparser.p0", "SZ:%{fld9->} SUBJ:%{subject}"); + +var select12 = linear_select([ + dup1, + dup2, +]); + +var select13 = linear_select([ + dup15, + dup2, +]); diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml b/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml new file mode 100644 index 00000000000..2ae84bd17e5 --- /dev/null +++ b/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml @@ -0,0 +1,69 @@ +--- +description: Pipeline for Barracuda Spam Firewall + +processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hosts + value: '{{url.domain}}' + if: ctx?.url?.domain != null && ctx?.url?.domain != "" + allow_duplicates: false + - append: + field: related.hosts + value: '{{server.domain}}' + if: ctx?.server?.domain != null && ctx?.url?.domain != "" + allow_duplicates: false +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/manifest.yml b/x-pack/filebeat/module/barracuda/spamfirewall/manifest.yml new file mode 100644 index 00000000000..9ffc06e93aa --- /dev/null +++ b/x-pack/filebeat/module/barracuda/spamfirewall/manifest.yml @@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["barracuda.spamfirewall", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9524 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log new file mode 100644 index 00000000000..ce95de02d11 --- /dev/null +++ b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log @@ -0,0 +1,100 @@ +notify/smtp[avolupt]: 10.224.15.48 nto sse accept tur 3 illumqui 1090 1.2364 ivelitse ritin +inbound/pass1: etdo[10.173.228.223] ntsunti 1455282753 1455282753 SCAN nseq itinvol psa umq 0 31 psaq SZ:cer SUBJ:reveri +outbound/smtp: 10.104.162.169 eosquir orsi nulapari allow vol 4 uidolor nibus mipsumq <: enatus +notify/smtp[iatu]: 10.57.70.73 dolo meumfug deny roinBCS 2 com 1060 1.2548 byC tinculp +outbound/smtp: 10.236.42.236 tconsec nsequat taev block untutl 1 llu uptassi tamremap tur +reports: REPORTS (enatuse.exe) queued as magn +inbound/pass1[sit]: avol[10.162.151.94] laboreet 1461457525 1461457525 RECV aquaeabi giatq quid +inbound/pass1: tempor[10.138.137.28] eip 1462692479 1462692479 SCAN lupta iusmodt doloreeu pori 7 8 ect SZ:reetdolo SUBJ:nrepreh +scan: ari[10.108.180.105] nsequat 1463927433 1463927433 block llam llamcorp ari eataevit 4 38 uovol dmi +inbound/pass1: [10.206.159.177] ididu 1465162388 1465162388 RECV ciunt turQuisa 10 74 lit +inbound/pass1[umdo]: sed[10.206.224.241] reetdolo 1466397342 1466397342 RECV olupta turveli 4 40 tatno +inbound/pass1: aveniam[10.82.201.113] essequ 1467632296 1467632296 SCAN taevi ender snulapar aedic 5 13 iumto SZ:aboreetd SUBJ:sun +reports: REPORTS (tem.exe) queued as ons +outbound/smtp: 10.110.109.5 ittenbyC aperi lor accept ipi 4 paqu eseru remeum #to#10.18.165.35 +scan: dolore[10.195.109.134] eddoei 1471337159 1471337159 deny etM nimadmin ditautfu piscing 6 74 ostr rudexerc +scan[colabor]: iusmodt[10.21.92.218] lorumw 1472572113 1472572113 accept llitani inima tlabo suntexp 4 45 stiae SZ:nofdeF SUBJ:sunt +reports: REPORTS (tat.exe) queued as tion +reports: REPORTS (emp.exe) queued as aperia +web: Ret Policy Summary (Del:eritquii Kept:dexeac) +web: [10.45.25.68] LOGOUT (rehender) +web: Ret Policy Summary (Del:hil Kept:atquovo) +notify/smtp[tatn]: 10.18.109.121 ents pida allow idolor 1 emoeni 269 1.2857 utlabore ecillu +web: [10.19.194.101] global CHANGE orinrepr (conse) +reports: REPORTS (lumqui.exe) queued as itinvo +reports: REPORTS (usmodt.exe) queued as siar +notify/smtp[sci]: 10.116.193.182 snostrud nama allow data 1 ationul 2530 1.5361 commod adol +inbound/pass1: hitect[10.198.6.166] modocon 1486156610 1486156610 SCAN que atevel nsecte itame 0 38 lit5929.test quamnih +outbound/smtp: 10.198.19.111 aquaeabi lita adeseru accept amc 4 amest corp modtemp <: iae +inbound/pass1: equat[10.77.137.72] ione 1488626519 1488626519 SCAN ihilmole eriamea amre rsita 8 56 uptat3156.www5.test tmo +inbound/pass1: vitaedi[10.128.114.77] temqu 1489861473 1489861473 SCAN edol colab ommodico quatD 4 59 neav6028.internal.domain agnid +outbound/smtp: 10.181.80.139 hitecto ents liquide allow tenatu 1 boN eprehend aevit aboN +inbound/pass1[ris]: uamqu[10.138.252.123] quioffi 1492331381 1492331381 RECV uptate ncidid quaturve +reports: REPORTS (aera.exe) queued as ate +inbound/pass1: [10.153.108.27] uir 1494801290 1494801290 RECV dol essecil citation +outbound/smtp: 10.120.167.239 gnido ratvolu olup deny nsecte 3 eveli eroi dtemp aliquide +inbound/pass1[ris]: nisi[10.105.88.20] ecte 1497271198 1497271198 RECV tinvolu iurer iciadese +scan: olupta[10.98.92.244] idolor 1498506153 1498506153 deny uta llumdolo nre ercitat 7 38 riosamn SZ:ept SUBJ:iumtotam +scan[sperna]: sintocc[10.185.107.75] tDuisaut 1499741107 1499741107 allow tate imvenia spi stquido 8 62 ptas SZ:pta SUBJ:tetu +reports: REPORTS (nevo.exe) queued as ide +notify/smtp[etcons]: 10.80.214.206 ate uiac accept officiad 4 quinesc 6218 1.5651 tur roi +notify/smtp[nof]: 10.48.34.226 ccaec ten allow isc 2 ntN 6179 1.2364 tateve itinvol +reports: REPORTS (etconsec.exe) queued as ios +inbound/pass1: tquov[10.211.93.62] mod 1505915878 1505915878 SCAN hilm ataevi com tnulapa 5 57 tiumt SZ:reetdolo SUBJ:norum +reports: REPORTS (uidol.exe) queued as mporin +scan: qui[10.199.182.123] entor 1508385787 1508385787 accept Sedutp utp ema rsitv 0 69 ntiumt iquipe +reports: REPORTS (tvolupt.exe) queued as eufugi +scan[pid]: illoin[10.130.38.118] uamni 1510855695 1510855695 block gnamal metMalo ntexplic archite 1 56 untu asi +inbound/pass1: [10.153.152.219] eumiu 1512090649 1512090649 RECV orumSe boree intoc +web: Retention violating accounts: rnatur total +reports: REPORTS (isisten.exe) queued as cusant +reports: REPORTS (naal.exe) queued as borios +outbound/smtp: 10.167.227.44 tali lillum cusant deny ender 2 oles edic seq tutlab +notify/smtp[atevelit]: 10.56.136.27 aperia ccaeca deny ttenby 1 amc 5163 1.375 orumSe ratv +web: [10.194.90.130] FAILED_LOGIN (siut) +inbound/pass1: [10.103.69.44] velitess 1520735329 1520735329 RECV naali uunturm temUte +inbound/pass1: aveni[10.29.155.171] uptatema 1521970284 1521970284 SCAN oeni tdol sit tiaec 6 23 oremagna3521.mail.home asiar +inbound/pass1: [10.145.193.93] nonp 1523205238 1523205238 RECV labo ulapar aboreetd +inbound/pass1[ama]: uatur[10.143.79.226] exeacom 1524440192 1524440192 RECV roidents tem dol +web: [10.30.25.84] FAILED_LOGIN (utlab) +inbound/pass1: [10.141.225.182] bor 1526910101 1526910101 RECV rauto ationev 8 57 uaUten +reports: REPORTS (dun.exe) queued as reprehe +web: [10.90.9.88] global CHANGE umexerc (oremipsu) +reports: REPORTS (amco.exe) queued as ssecillu +reports: REPORTS (olo.exe) queued as psumqu +notify/smtp[rationev]: 10.226.20.199 tatem untutlab allow eveli 2 lillum 7809 1.2000 uisaute imide +web: [10.134.140.191] global CHANGE nte (mvel) +outbound/smtp[conse]: 10.252.40.172 nimadmin isiu licabo cancel etdolor 3 dic cola amcor +scan[xea]: ites[10.126.26.131] nisiut 1536789735 1536789735 accept teturad perspici itation sequatD 5 24 isciv rroqu +scan[rExc]: iusmo[10.187.210.173] reetd 1538024689 1538024689 accept ulpa sitam rad loi 2 15 Nequepor SZ:eirure SUBJ:deserun +reports: REPORTS (orroq.exe) queued as vitaedic +reports: REPORTS (orem.exe) queued as rcit +scan[untincul]: ssecil[10.180.147.129] atise 1541729552 1541729552 allow umetMalo oluptas emvele isnost 2 5 ido emqu +notify/smtp[exeaco]: 10.99.17.210 olorsit tore cancel illu 4 turadip 688 1.7484 boreetdo undeom +notify/smtp[uov]: 10.230.46.162 sBono loremqu accept quunt 3 siuta 1107 1.2607 dquia temporin +scan[nimveni]: idi[10.96.135.47] rum 1545434414 1545434414 accept eporroq ulla iqu oin 1 55 cingel modocon +reports: REPORTS (atv.exe) queued as onu +scan: obeataev[10.139.127.232] nsec 1547904323 1547904323 cancel maperi agnaaliq tlaboree norumet 7 48 tin SZ:fugitse SUBJ:imad +inbound/pass1: inv[10.163.209.70] atu 1549139277 1549139277 SCAN lloin remipsum tempor citatio 0 57 mveniamq SZ:taedict SUBJ:edquian +reports: REPORTS (mipsamvo.exe) queued as eiusmod +scan[avolu]: Except[10.191.7.121] umetMal 1551609186 1551609186 accept sciun metcons itasper uae 2 21 uia iciad +inbound/pass1: [10.157.196.101] gnaa 1552844140 1552844140 RECV mod doei cipitl +web: [10.171.72.5] global CHANGE eprehend (asnu) +scan: eritatis[10.209.184.60] mquisn 1555314049 1555314049 cancel uto emUte molestia quir 4 18 emip SZ:ver SUBJ:erc +inbound/pass1[dolorsit]: archite[10.143.228.97] isqua 1556549003 1556549003 RECV uta emo itq +reports: REPORTS (ntexpl.exe) queued as dunt +scan: plic[10.17.87.79] tetur 1559018911 1559018911 block amali ate idolor ratvolu 7 64 onse olorem +web: [10.163.18.29] FAILED_LOGIN (nim) +web: Retention violating accounts: erspi total +reports: REPORTS (billoi.exe) queued as moles +scan: taedi[10.17.98.243] etconsec 1563958728 1563958728 cancel ill mporinc onsectet idolo 8 55 docon SZ:mdolore SUBJ:eosquira +reports: REPORTS (apariatu.exe) queued as lorsita +reports: REPORTS (ever.exe) queued as tali +inbound/pass1[mipsumqu]: tatio[10.181.247.224] onnu 1567663591 1567663591 RECV olorema aquiof ende +scan[ugitse]: quiineav[10.235.116.121] ventore 1568898545 1568898545 deny obea emp agnaaliq est 0 73 aev SZ:inrepr SUBJ:mol +outbound/smtp: 10.178.30.158 llit tenimad sitametc allow onproide 2 cillumd riosa Ok: queued as tNe #to#10.1.6.115 +notify/smtp[rautod]: 10.124.32.120 lapar ritati accept qui 3 mullam 4965 1.4254 meaque uid +reports: REPORTS (ataevita.exe) queued as oremqu +reports: REPORTS (velitsed.exe) queued as magnaali +inbound/pass1: der[10.77.182.191] enbyCi 1575073317 1575073317 SCAN quameiu diduntu eiusmod itation 8 79 piciatis2460.api.host iusmodt +scan: iame[10.193.110.71] tiumd 1576308271 1576308271 accept loinve tanimid isnostru nofdeFi 3 5 saqu remips diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json new file mode 100644 index 00000000000..ff70486fab5 --- /dev/null +++ b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json @@ -0,0 +1,3344 @@ +[ + { + "event.action": "accept", + "event.code": "notify/smtp", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "notify/smtp[avolupt]: 10.224.15.48 nto sse accept tur 3 illumqui 1090 1.2364 ivelitse ritin", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 0, + "network.bytes": 1090, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "observer.version": "1.2364", + "related.ip": [ + "10.224.15.48" + ], + "rsa.db.index": "ritin", + "rsa.email.email_src": "ivelitse", + "rsa.internal.messageid": "notify/smtp", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.log_session_id": "illumqui", + "rsa.misc.version": "1.2364", + "service.type": "barracuda", + "source.ip": [ + "10.224.15.48" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": " SCAN", + "event.code": "ntsunti", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1: etdo[10.173.228.223] ntsunti 1455282753 1455282753 SCAN nseq itinvol psa umq 0 31 psaq SZ:cer SUBJ:reveri", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 92, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "etdo" + ], + "related.ip": [ + "10.173.228.223" + ], + "rsa.email.email_dst": "psa", + "rsa.email.email_src": "itinvol", + "rsa.email.subject": "reveri", + "rsa.internal.messageid": "inbound/pass1", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + " SCAN" + ], + "rsa.misc.disposition": "Allowed Message", + "rsa.misc.reference_id": "ntsunti", + "rsa.misc.result": "Score", + "rsa.misc.result_code": "31", + "rsa.time.endtime": "2016-02-12T13:12:33.000Z", + "rsa.time.starttime": "2016-02-12T13:12:33.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.173.228.223" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "etdo" + }, + { + "event.action": "allow", + "event.code": "eosquir", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "outbound/smtp: 10.104.162.169 eosquir orsi nulapari allow vol 4 uidolor nibus mipsumq <: enatus", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 213, + "network.direction": "outbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.104.162.169" + ], + "rsa.email.email_src": "gnaali", + "rsa.internal.event_desc": "enatus", + "rsa.internal.messageid": "outbound/smtp", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.disposition": "Expired Message", + "rsa.misc.log_session_id": "uidolor", + "rsa.misc.reference_id": "eosquir", + "rsa.misc.result_code": "nibus", + "service.type": "barracuda", + "source.ip": [ + "10.104.162.169" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "notify/smtp", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "notify/smtp[iatu]: 10.57.70.73 dolo meumfug deny roinBCS 2 com 1060 1.2548 byC tinculp", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 317, + "network.bytes": 1060, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "observer.version": "1.2548", + "related.ip": [ + "10.57.70.73" + ], + "rsa.db.index": "tinculp", + "rsa.email.email_src": "byC", + "rsa.internal.messageid": "notify/smtp", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.disposition": "Rejected Message", + "rsa.misc.log_session_id": "com", + "rsa.misc.version": "1.2548", + "service.type": "barracuda", + "source.ip": [ + "10.57.70.73" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "block", + "event.code": "tconsec", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "outbound/smtp: 10.236.42.236 tconsec nsequat taev block untutl 1 llu uptassi tamremap tur", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 404, + "network.direction": "outbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.236.42.236" + ], + "rsa.internal.event_desc": "tur", + "rsa.internal.messageid": "outbound/smtp", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.disposition": "Delivered Message", + "rsa.misc.log_session_id": "llu", + "rsa.misc.reference_id": "tconsec", + "rsa.misc.result_code": "uptassi", + "service.type": "barracuda", + "source.ip": [ + "10.236.42.236" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (enatuse.exe) queued as magn", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 494, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "enatuse.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": " RECV", + "event.code": "laboreet", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1[sit]: avol[10.162.151.94] laboreet 1461457525 1461457525 RECV aquaeabi giatq quid", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 540, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.162.151.94" + ], + "related.user": [ + "avol" + ], + "rsa.db.index": "quid", + "rsa.email.email_dst": "giatq", + "rsa.email.email_src": "aquaeabi", + "rsa.internal.messageid": "inbound/pass1", + "rsa.misc.action": [ + " RECV" + ], + "rsa.misc.reference_id": "laboreet", + "rsa.time.endtime": "2016-04-24T00:25:25.000Z", + "rsa.time.starttime": "2016-04-24T00:25:25.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.162.151.94" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "avol" + }, + { + "event.action": " SCAN", + "event.code": "eip", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1: tempor[10.138.137.28] eip 1462692479 1462692479 SCAN lupta iusmodt doloreeu pori 7 8 ect SZ:reetdolo SUBJ:nrepreh", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 636, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "tempor" + ], + "related.ip": [ + "10.138.137.28" + ], + "rsa.email.email_dst": "doloreeu", + "rsa.email.email_src": "iusmodt", + "rsa.email.subject": "nrepreh", + "rsa.internal.messageid": "inbound/pass1", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + " SCAN" + ], + "rsa.misc.disposition": "Whitelisted Message", + "rsa.misc.reference_id": "eip", + "rsa.misc.result": "No Such User", + "rsa.misc.result_code": "8", + "rsa.time.endtime": "2016-05-08T07:27:59.000Z", + "rsa.time.starttime": "2016-05-08T07:27:59.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.138.137.28" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "tempor" + }, + { + "event.action": "block", + "event.code": "nsequat", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan: ari[10.108.180.105] nsequat 1463927433 1463927433 block llam llamcorp ari eataevit 4 38 uovol dmi", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 765, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "ari" + ], + "related.ip": [ + "10.108.180.105" + ], + "rsa.db.index": "dmi", + "rsa.email.email_dst": "ari", + "rsa.email.email_src": "llamcorp", + "rsa.internal.messageid": "scan", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.disposition": "Tagged Message", + "rsa.misc.reference_id": "nsequat", + "rsa.misc.result": "Message Size Bypass", + "rsa.misc.result_code": "38", + "rsa.time.endtime": "2016-05-22T14:30:33.000Z", + "rsa.time.starttime": "2016-05-22T14:30:33.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.108.180.105" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "ari" + }, + { + "event.action": " RECV", + "event.code": "ididu", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1: [10.206.159.177] ididu 1465162388 1465162388 RECV ciunt turQuisa 10 74 lit", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 869, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.206.159.177" + ], + "rsa.db.index": "lit", + "rsa.email.email_dst": "turQuisa", + "rsa.email.email_src": "ciunt", + "rsa.internal.messageid": "inbound/pass1", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + " RECV" + ], + "rsa.misc.disposition": "Attachments Stubbed", + "rsa.misc.reference_id": "ididu", + "rsa.misc.result": "BRTS Intent", + "rsa.misc.result_code": "74", + "rsa.time.endtime": "2016-06-05T21:33:08.000Z", + "rsa.time.starttime": "2016-06-05T21:33:08.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.206.159.177" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "" + }, + { + "event.action": " RECV", + "event.code": "reetdolo", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1[umdo]: sed[10.206.224.241] reetdolo 1466397342 1466397342 RECV olupta turveli 4 40 tatno", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 959, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.206.224.241" + ], + "related.user": [ + "sed" + ], + "rsa.db.index": "tatno", + "rsa.email.email_dst": "turveli", + "rsa.email.email_src": "olupta", + "rsa.internal.messageid": "inbound/pass1", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + " RECV" + ], + "rsa.misc.disposition": "Tagged Message", + "rsa.misc.reference_id": "reetdolo", + "rsa.misc.result": "SPF/Caller-ID", + "rsa.misc.result_code": "40", + "rsa.time.endtime": "2016-06-20T04:35:42.000Z", + "rsa.time.starttime": "2016-06-20T04:35:42.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.206.224.241" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "sed" + }, + { + "event.action": " SCAN", + "event.code": "essequ", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1: aveniam[10.82.201.113] essequ 1467632296 1467632296 SCAN taevi ender snulapar aedic 5 13 iumto SZ:aboreetd SUBJ:sun", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 1062, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "aveniam" + ], + "related.ip": [ + "10.82.201.113" + ], + "rsa.email.email_dst": "snulapar", + "rsa.email.email_src": "ender", + "rsa.email.subject": "sun", + "rsa.internal.messageid": "inbound/pass1", + "rsa.misc.action": [ + " SCAN" + ], + "rsa.misc.reference_id": "essequ", + "rsa.misc.result": "No Valid Recipients", + "rsa.misc.result_code": "13", + "rsa.time.endtime": "2016-07-04T11:38:16.000Z", + "rsa.time.starttime": "2016-07-04T11:38:16.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.82.201.113" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "aveniam" + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (tem.exe) queued as ons", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 1193, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "tem.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.18.165.35" + ], + "event.action": "accept", + "event.code": "ittenbyC", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "outbound/smtp: 10.110.109.5 ittenbyC aperi lor accept ipi 4 paqu eseru remeum #to#10.18.165.35", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 1234, + "network.direction": "outbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.18.165.35", + "10.110.109.5" + ], + "rsa.internal.messageid": "outbound/smtp", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.disposition": "Expired Message", + "rsa.misc.log_session_id": "paqu", + "rsa.misc.reference_id": "ittenbyC", + "rsa.misc.result_code": "eseru", + "service.type": "barracuda", + "source.ip": [ + "10.110.109.5" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "eddoei", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan: dolore[10.195.109.134] eddoei 1471337159 1471337159 deny etM nimadmin ditautfu piscing 6 74 ostr rudexerc", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 1329, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "dolore" + ], + "related.ip": [ + "10.195.109.134" + ], + "rsa.db.index": "rudexerc", + "rsa.email.email_dst": "ditautfu", + "rsa.email.email_src": "nimadmin", + "rsa.internal.messageid": "scan", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.disposition": "Per-User Quarantined Message", + "rsa.misc.reference_id": "eddoei", + "rsa.misc.result": "BRTS Intent", + "rsa.misc.result_code": "74", + "rsa.time.endtime": "2016-08-16T08:45:59.000Z", + "rsa.time.starttime": "2016-08-16T08:45:59.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.195.109.134" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "dolore" + }, + { + "event.action": "accept", + "event.code": "lorumw", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan[colabor]: iusmodt[10.21.92.218] lorumw 1472572113 1472572113 accept llitani inima tlabo suntexp 4 45 stiae SZ:nofdeF SUBJ:sunt", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 1441, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.21.92.218" + ], + "related.user": [ + "iusmodt" + ], + "rsa.email.email_dst": "tlabo", + "rsa.email.email_src": "inima", + "rsa.email.subject": "sunt", + "rsa.internal.messageid": "scan", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.disposition": "Tagged Message", + "rsa.misc.reference_id": "lorumw", + "rsa.misc.result": "Allowed Message Size Exceeded", + "rsa.misc.result_code": "45", + "rsa.time.endtime": "2016-08-30T15:48:33.000Z", + "rsa.time.starttime": "2016-08-30T15:48:33.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.21.92.218" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "iusmodt" + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (tat.exe) queued as tion", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 1573, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "tat.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (emp.exe) queued as aperia", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 1615, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "emp.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.code": "web", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "web: Ret Policy Summary (Del:eritquii Kept:dexeac)", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 1659, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "web", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "LOGOUT", + "event.code": "web", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "web: [10.45.25.68] LOGOUT (rehender)", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 1710, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.45.25.68" + ], + "related.user": [ + "rehender" + ], + "rsa.internal.messageid": "web", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "LOGOUT" + ], + "service.type": "barracuda", + "source.ip": [ + "10.45.25.68" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "rehender" + }, + { + "event.code": "web", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "web: Ret Policy Summary (Del:hil Kept:atquovo)", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 1747, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "web", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "notify/smtp", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "notify/smtp[tatn]: 10.18.109.121 ents pida allow idolor 1 emoeni 269 1.2857 utlabore ecillu", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 1794, + "network.bytes": 269, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "observer.version": "1.2857", + "related.ip": [ + "10.18.109.121" + ], + "rsa.db.index": "ecillu", + "rsa.email.email_src": "utlabore", + "rsa.internal.messageid": "notify/smtp", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.disposition": "Delivered Message", + "rsa.misc.log_session_id": "emoeni", + "rsa.misc.version": "1.2857", + "service.type": "barracuda", + "source.ip": [ + "10.18.109.121" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "CHANGE", + "event.code": "web", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "web: [10.19.194.101] global CHANGE orinrepr (conse)", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 1886, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.19.194.101" + ], + "rsa.db.index": "conse", + "rsa.internal.messageid": "web", + "rsa.misc.action": [ + "CHANGE" + ], + "rsa.misc.category": "orinrepr", + "service.type": "barracuda", + "source.ip": [ + "10.19.194.101" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (lumqui.exe) queued as itinvo", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 1938, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "lumqui.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (usmodt.exe) queued as siar", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 1985, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "usmodt.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "notify/smtp", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "notify/smtp[sci]: 10.116.193.182 snostrud nama allow data 1 ationul 2530 1.5361 commod adol", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 2030, + "network.bytes": 2530, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "observer.version": "1.5361", + "related.ip": [ + "10.116.193.182" + ], + "rsa.db.index": "adol", + "rsa.email.email_src": "commod", + "rsa.internal.messageid": "notify/smtp", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.disposition": "Delivered Message", + "rsa.misc.log_session_id": "ationul", + "rsa.misc.version": "1.5361", + "service.type": "barracuda", + "source.ip": [ + "10.116.193.182" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": " SCAN", + "event.code": "modocon", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1: hitect[10.198.6.166] modocon 1486156610 1486156610 SCAN que atevel nsecte itame 0 38 lit5929.test quamnih", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 2122, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "hitect", + "lit5929.test" + ], + "related.ip": [ + "10.198.6.166" + ], + "rsa.db.index": "quamnih", + "rsa.email.email_dst": "nsecte", + "rsa.email.email_src": "atevel", + "rsa.internal.messageid": "inbound/pass1", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + " SCAN" + ], + "rsa.misc.disposition": "Allowed Message", + "rsa.misc.reference_id": "modocon", + "rsa.misc.result": "Message Size Bypass", + "rsa.misc.result_code": "38", + "rsa.network.domain": "lit5929.test", + "rsa.time.endtime": "2017-02-03T21:16:50.000Z", + "rsa.time.starttime": "2017-02-03T21:16:50.000Z", + "server.domain": "lit5929.test", + "service.type": "barracuda", + "source.ip": [ + "10.198.6.166" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "hitect" + }, + { + "event.action": "accept", + "event.code": "aquaeabi", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "outbound/smtp: 10.198.19.111 aquaeabi lita adeseru accept amc 4 amest corp modtemp <: iae", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 2243, + "network.direction": "outbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.198.19.111" + ], + "rsa.email.email_src": "rehender", + "rsa.internal.event_desc": "iae", + "rsa.internal.messageid": "outbound/smtp", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.disposition": "Expired Message", + "rsa.misc.log_session_id": "amest", + "rsa.misc.reference_id": "aquaeabi", + "rsa.misc.result_code": "corp", + "service.type": "barracuda", + "source.ip": [ + "10.198.19.111" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": " SCAN", + "event.code": "ione", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1: equat[10.77.137.72] ione 1488626519 1488626519 SCAN ihilmole eriamea amre rsita 8 56 uptat3156.www5.test tmo", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 2343, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "equat", + "uptat3156.www5.test" + ], + "related.ip": [ + "10.77.137.72" + ], + "rsa.db.index": "tmo", + "rsa.email.email_dst": "amre", + "rsa.email.email_src": "eriamea", + "rsa.internal.messageid": "inbound/pass1", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + " SCAN" + ], + "rsa.misc.disposition": "Encrypted Message", + "rsa.misc.reference_id": "ione", + "rsa.misc.result": "STARTTLS Syntax Error", + "rsa.misc.result_code": "56", + "rsa.network.domain": "uptat3156.www5.test", + "rsa.time.endtime": "2017-03-04T11:21:59.000Z", + "rsa.time.starttime": "2017-03-04T11:21:59.000Z", + "server.domain": "uptat3156.www5.test", + "service.type": "barracuda", + "source.ip": [ + "10.77.137.72" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "equat" + }, + { + "event.action": " SCAN", + "event.code": "temqu", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1: vitaedi[10.128.114.77] temqu 1489861473 1489861473 SCAN edol colab ommodico quatD 4 59 neav6028.internal.domain agnid", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 2467, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "vitaedi", + "neav6028.internal.domain" + ], + "related.ip": [ + "10.128.114.77" + ], + "rsa.db.index": "agnid", + "rsa.email.email_dst": "ommodico", + "rsa.email.email_src": "colab", + "rsa.internal.messageid": "inbound/pass1", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + " SCAN" + ], + "rsa.misc.disposition": "Tagged Message", + "rsa.misc.reference_id": "temqu", + "rsa.misc.result": "Need STARTTLS First", + "rsa.misc.result_code": "59", + "rsa.network.domain": "neav6028.internal.domain", + "rsa.time.endtime": "2017-03-18T18:24:33.000Z", + "rsa.time.starttime": "2017-03-18T18:24:33.000Z", + "server.domain": "neav6028.internal.domain", + "service.type": "barracuda", + "source.ip": [ + "10.128.114.77" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "vitaedi" + }, + { + "event.action": "allow", + "event.code": "hitecto", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "outbound/smtp: 10.181.80.139 hitecto ents liquide allow tenatu 1 boN eprehend aevit aboN", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 2600, + "network.direction": "outbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.181.80.139" + ], + "rsa.internal.event_desc": "aboN", + "rsa.internal.messageid": "outbound/smtp", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.disposition": "Delivered Message", + "rsa.misc.log_session_id": "boN", + "rsa.misc.reference_id": "hitecto", + "rsa.misc.result_code": "eprehend", + "service.type": "barracuda", + "source.ip": [ + "10.181.80.139" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": " RECV", + "event.code": "quioffi", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1[ris]: uamqu[10.138.252.123] quioffi 1492331381 1492331381 RECV uptate ncidid quaturve", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 2689, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.138.252.123" + ], + "related.user": [ + "uamqu" + ], + "rsa.db.index": "quaturve", + "rsa.email.email_dst": "ncidid", + "rsa.email.email_src": "uptate", + "rsa.internal.messageid": "inbound/pass1", + "rsa.misc.action": [ + " RECV" + ], + "rsa.misc.reference_id": "quioffi", + "rsa.time.endtime": "2017-04-16T08:29:41.000Z", + "rsa.time.starttime": "2017-04-16T08:29:41.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.138.252.123" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "uamqu" + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (aera.exe) queued as ate", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 2789, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "aera.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": " RECV", + "event.code": "uir", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1: [10.153.108.27] uir 1494801290 1494801290 RECV dol essecil citation", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 2831, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.153.108.27" + ], + "rsa.db.index": "citation", + "rsa.email.email_dst": "essecil", + "rsa.email.email_src": "dol", + "rsa.internal.messageid": "inbound/pass1", + "rsa.misc.action": [ + " RECV" + ], + "rsa.misc.reference_id": "uir", + "rsa.time.endtime": "2017-05-14T22:34:50.000Z", + "rsa.time.starttime": "2017-05-14T22:34:50.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.153.108.27" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "" + }, + { + "event.action": "deny", + "event.code": "gnido", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "outbound/smtp: 10.120.167.239 gnido ratvolu olup deny nsecte 3 eveli eroi dtemp aliquide", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 2914, + "network.direction": "outbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.120.167.239" + ], + "rsa.internal.event_desc": "aliquide", + "rsa.internal.messageid": "outbound/smtp", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.log_session_id": "eveli", + "rsa.misc.reference_id": "gnido", + "rsa.misc.result_code": "eroi", + "service.type": "barracuda", + "source.ip": [ + "10.120.167.239" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": " RECV", + "event.code": "ecte", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1[ris]: nisi[10.105.88.20] ecte 1497271198 1497271198 RECV tinvolu iurer iciadese", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 3003, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.105.88.20" + ], + "related.user": [ + "nisi" + ], + "rsa.db.index": "iciadese", + "rsa.email.email_dst": "iurer", + "rsa.email.email_src": "tinvolu", + "rsa.internal.messageid": "inbound/pass1", + "rsa.misc.action": [ + " RECV" + ], + "rsa.misc.reference_id": "ecte", + "rsa.time.endtime": "2017-06-12T12:39:58.000Z", + "rsa.time.starttime": "2017-06-12T12:39:58.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.105.88.20" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "nisi" + }, + { + "event.action": "deny", + "event.code": "idolor", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan: olupta[10.98.92.244] idolor 1498506153 1498506153 deny uta llumdolo nre ercitat 7 38 riosamn SZ:ept SUBJ:iumtotam", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 3097, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "olupta" + ], + "related.ip": [ + "10.98.92.244" + ], + "rsa.email.email_dst": "nre", + "rsa.email.email_src": "llumdolo", + "rsa.email.subject": "iumtotam", + "rsa.internal.messageid": "scan", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.disposition": "Whitelisted Message", + "rsa.misc.reference_id": "idolor", + "rsa.misc.result": "Message Size Bypass", + "rsa.misc.result_code": "38", + "rsa.time.endtime": "2017-06-26T19:42:33.000Z", + "rsa.time.starttime": "2017-06-26T19:42:33.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.98.92.244" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "olupta" + }, + { + "event.action": "allow", + "event.code": "tDuisaut", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan[sperna]: sintocc[10.185.107.75] tDuisaut 1499741107 1499741107 allow tate imvenia spi stquido 8 62 ptas SZ:pta SUBJ:tetu", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 3217, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.185.107.75" + ], + "related.user": [ + "sintocc" + ], + "rsa.email.email_dst": "spi", + "rsa.email.email_src": "imvenia", + "rsa.email.subject": "tetu", + "rsa.internal.messageid": "scan", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.disposition": "Encrypted Message", + "rsa.misc.reference_id": "tDuisaut", + "rsa.misc.result": "Barracuda Reputation Blocklist", + "rsa.misc.result_code": "62", + "rsa.time.endtime": "2017-07-11T02:45:07.000Z", + "rsa.time.starttime": "2017-07-11T02:45:07.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.185.107.75" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "sintocc" + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (nevo.exe) queued as ide", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 3343, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "nevo.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "notify/smtp", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "notify/smtp[etcons]: 10.80.214.206 ate uiac accept officiad 4 quinesc 6218 1.5651 tur roi", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 3385, + "network.bytes": 6218, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "observer.version": "1.5651", + "related.ip": [ + "10.80.214.206" + ], + "rsa.db.index": "roi", + "rsa.email.email_src": "tur", + "rsa.internal.messageid": "notify/smtp", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.disposition": "Expired Message", + "rsa.misc.log_session_id": "quinesc", + "rsa.misc.version": "1.5651", + "service.type": "barracuda", + "source.ip": [ + "10.80.214.206" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "notify/smtp", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "notify/smtp[nof]: 10.48.34.226 ccaec ten allow isc 2 ntN 6179 1.2364 tateve itinvol", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 3475, + "network.bytes": 6179, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "observer.version": "1.2364", + "related.ip": [ + "10.48.34.226" + ], + "rsa.db.index": "itinvol", + "rsa.email.email_src": "tateve", + "rsa.internal.messageid": "notify/smtp", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.disposition": "Rejected Message", + "rsa.misc.log_session_id": "ntN", + "rsa.misc.version": "1.2364", + "service.type": "barracuda", + "source.ip": [ + "10.48.34.226" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (etconsec.exe) queued as ios", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 3559, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "etconsec.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": " SCAN", + "event.code": "mod", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1: tquov[10.211.93.62] mod 1505915878 1505915878 SCAN hilm ataevi com tnulapa 5 57 tiumt SZ:reetdolo SUBJ:norum", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 3605, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "tquov" + ], + "related.ip": [ + "10.211.93.62" + ], + "rsa.email.email_dst": "com", + "rsa.email.email_src": "ataevi", + "rsa.email.subject": "norum", + "rsa.internal.messageid": "inbound/pass1", + "rsa.misc.action": [ + " SCAN" + ], + "rsa.misc.reference_id": "mod", + "rsa.misc.result": "TLS Already Active", + "rsa.misc.result_code": "57", + "rsa.time.endtime": "2017-09-20T13:57:58.000Z", + "rsa.time.starttime": "2017-09-20T13:57:58.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.211.93.62" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "tquov" + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (uidol.exe) queued as mporin", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 3729, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "uidol.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "entor", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan: qui[10.199.182.123] entor 1508385787 1508385787 accept Sedutp utp ema rsitv 0 69 ntiumt iquipe", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 3775, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "qui" + ], + "related.ip": [ + "10.199.182.123" + ], + "rsa.db.index": "iquipe", + "rsa.email.email_dst": "ema", + "rsa.email.email_src": "utp", + "rsa.internal.messageid": "scan", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.disposition": "Allowed Message", + "rsa.misc.reference_id": "entor", + "rsa.misc.result": "Intent - Adult", + "rsa.misc.result_code": "69", + "rsa.time.endtime": "2017-10-19T04:03:07.000Z", + "rsa.time.starttime": "2017-10-19T04:03:07.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.199.182.123" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "qui" + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (tvolupt.exe) queued as eufugi", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 3876, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "tvolupt.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "block", + "event.code": "uamni", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan[pid]: illoin[10.130.38.118] uamni 1510855695 1510855695 block gnamal metMalo ntexplic archite 1 56 untu asi", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 3924, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.130.38.118" + ], + "related.user": [ + "illoin" + ], + "rsa.db.index": "asi", + "rsa.email.email_dst": "ntexplic", + "rsa.email.email_src": "metMalo", + "rsa.internal.messageid": "scan", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.disposition": "Aborted Message", + "rsa.misc.reference_id": "uamni", + "rsa.misc.result": "STARTTLS Syntax Error", + "rsa.misc.result_code": "56", + "rsa.time.endtime": "2017-11-16T18:08:15.000Z", + "rsa.time.starttime": "2017-11-16T18:08:15.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.130.38.118" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "illoin" + }, + { + "event.action": " RECV", + "event.code": "eumiu", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1: [10.153.152.219] eumiu 1512090649 1512090649 RECV orumSe boree intoc", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 4037, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.153.152.219" + ], + "rsa.db.index": "intoc", + "rsa.email.email_dst": "boree", + "rsa.email.email_src": "orumSe", + "rsa.internal.messageid": "inbound/pass1", + "rsa.misc.action": [ + " RECV" + ], + "rsa.misc.reference_id": "eumiu", + "rsa.time.endtime": "2017-12-01T01:10:49.000Z", + "rsa.time.starttime": "2017-12-01T01:10:49.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.153.152.219" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "" + }, + { + "event.code": "web", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "web: Retention violating accounts: rnatur total", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 4121, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "web", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (isisten.exe) queued as cusant", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 4169, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "isisten.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (naal.exe) queued as borios", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 4217, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "naal.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "tali", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "outbound/smtp: 10.167.227.44 tali lillum cusant deny ender 2 oles edic seq tutlab", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 4262, + "network.direction": "outbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.167.227.44" + ], + "rsa.internal.event_desc": "tutlab", + "rsa.internal.messageid": "outbound/smtp", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.disposition": "Rejected Message", + "rsa.misc.log_session_id": "oles", + "rsa.misc.reference_id": "tali", + "rsa.misc.result_code": "edic", + "service.type": "barracuda", + "source.ip": [ + "10.167.227.44" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "notify/smtp", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "notify/smtp[atevelit]: 10.56.136.27 aperia ccaeca deny ttenby 1 amc 5163 1.375 orumSe ratv", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 4344, + "network.bytes": 5163, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "observer.version": "1.375", + "related.ip": [ + "10.56.136.27" + ], + "rsa.db.index": "ratv", + "rsa.email.email_src": "orumSe", + "rsa.internal.messageid": "notify/smtp", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.disposition": "Delivered Message", + "rsa.misc.log_session_id": "amc", + "rsa.misc.version": "1.375", + "service.type": "barracuda", + "source.ip": [ + "10.56.136.27" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "FAILED_LOGIN", + "event.code": "web", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "web: [10.194.90.130] FAILED_LOGIN (siut)", + "event.outcome": "failure", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 4435, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.194.90.130" + ], + "related.user": [ + "siut" + ], + "rsa.internal.messageid": "web", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "FAILED_LOGIN" + ], + "service.type": "barracuda", + "source.ip": [ + "10.194.90.130" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "siut" + }, + { + "event.action": " RECV", + "event.code": "velitess", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1: [10.103.69.44] velitess 1520735329 1520735329 RECV naali uunturm temUte", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 4476, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.103.69.44" + ], + "rsa.db.index": "temUte", + "rsa.email.email_dst": "uunturm", + "rsa.email.email_src": "naali", + "rsa.internal.messageid": "inbound/pass1", + "rsa.misc.action": [ + " RECV" + ], + "rsa.misc.reference_id": "velitess", + "rsa.time.endtime": "2018-03-11T02:28:49.000Z", + "rsa.time.starttime": "2018-03-11T02:28:49.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.103.69.44" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "" + }, + { + "event.action": " SCAN", + "event.code": "uptatema", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1: aveni[10.29.155.171] uptatema 1521970284 1521970284 SCAN oeni tdol sit tiaec 6 23 oremagna3521.mail.home asiar", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 4563, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "aveni", + "oremagna3521.mail.home" + ], + "related.ip": [ + "10.29.155.171" + ], + "rsa.db.index": "asiar", + "rsa.email.email_dst": "sit", + "rsa.email.email_src": "tdol", + "rsa.internal.messageid": "inbound/pass1", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + " SCAN" + ], + "rsa.misc.disposition": "Per-User Quarantined Message", + "rsa.misc.reference_id": "uptatema", + "rsa.misc.result": "Send EHLO/HELO First", + "rsa.misc.result_code": "23", + "rsa.network.domain": "oremagna3521.mail.home", + "rsa.time.endtime": "2018-03-25T09:31:24.000Z", + "rsa.time.starttime": "2018-03-25T09:31:24.000Z", + "server.domain": "oremagna3521.mail.home", + "service.type": "barracuda", + "source.ip": [ + "10.29.155.171" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "aveni" + }, + { + "event.action": " RECV", + "event.code": "nonp", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1: [10.145.193.93] nonp 1523205238 1523205238 RECV labo ulapar aboreetd", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 4689, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.145.193.93" + ], + "rsa.db.index": "aboreetd", + "rsa.email.email_dst": "ulapar", + "rsa.email.email_src": "labo", + "rsa.internal.messageid": "inbound/pass1", + "rsa.misc.action": [ + " RECV" + ], + "rsa.misc.reference_id": "nonp", + "rsa.time.endtime": "2018-04-08T16:33:58.000Z", + "rsa.time.starttime": "2018-04-08T16:33:58.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.145.193.93" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "" + }, + { + "event.action": " RECV", + "event.code": "exeacom", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1[ama]: uatur[10.143.79.226] exeacom 1524440192 1524440192 RECV roidents tem dol", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 4773, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.143.79.226" + ], + "related.user": [ + "uatur" + ], + "rsa.db.index": "dol", + "rsa.email.email_dst": "tem", + "rsa.email.email_src": "roidents", + "rsa.internal.messageid": "inbound/pass1", + "rsa.misc.action": [ + " RECV" + ], + "rsa.misc.reference_id": "exeacom", + "rsa.time.endtime": "2018-04-22T23:36:32.000Z", + "rsa.time.starttime": "2018-04-22T23:36:32.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.143.79.226" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "uatur" + }, + { + "event.action": "FAILED_LOGIN", + "event.code": "web", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "web: [10.30.25.84] FAILED_LOGIN (utlab)", + "event.outcome": "failure", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 4866, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.30.25.84" + ], + "related.user": [ + "utlab" + ], + "rsa.internal.messageid": "web", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "FAILED_LOGIN" + ], + "service.type": "barracuda", + "source.ip": [ + "10.30.25.84" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "utlab" + }, + { + "event.action": " RECV", + "event.code": "bor", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1: [10.141.225.182] bor 1526910101 1526910101 RECV rauto ationev 8 57 uaUten", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 4906, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.141.225.182" + ], + "rsa.db.index": "uaUten", + "rsa.email.email_dst": "ationev", + "rsa.email.email_src": "rauto", + "rsa.internal.messageid": "inbound/pass1", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + " RECV" + ], + "rsa.misc.disposition": "Encrypted Message", + "rsa.misc.reference_id": "bor", + "rsa.misc.result": "TLS Already Active", + "rsa.misc.result_code": "57", + "rsa.time.endtime": "2018-05-21T13:41:41.000Z", + "rsa.time.starttime": "2018-05-21T13:41:41.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.141.225.182" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "" + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (dun.exe) queued as reprehe", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 4995, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "dun.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "CHANGE", + "event.code": "web", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "web: [10.90.9.88] global CHANGE umexerc (oremipsu)", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 5040, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.90.9.88" + ], + "rsa.db.index": "oremipsu", + "rsa.internal.messageid": "web", + "rsa.misc.action": [ + "CHANGE" + ], + "rsa.misc.category": "umexerc", + "service.type": "barracuda", + "source.ip": [ + "10.90.9.88" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (amco.exe) queued as ssecillu", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 5091, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "amco.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (olo.exe) queued as psumqu", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 5138, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "olo.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "notify/smtp", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "notify/smtp[rationev]: 10.226.20.199 tatem untutlab allow eveli 2 lillum 7809 1.2000 uisaute imide", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 5182, + "network.bytes": 7809, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "observer.version": "1.2000", + "related.ip": [ + "10.226.20.199" + ], + "rsa.db.index": "imide", + "rsa.email.email_src": "uisaute", + "rsa.internal.messageid": "notify/smtp", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.disposition": "Rejected Message", + "rsa.misc.log_session_id": "lillum", + "rsa.misc.version": "1.2000", + "service.type": "barracuda", + "source.ip": [ + "10.226.20.199" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "CHANGE", + "event.code": "web", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "web: [10.134.140.191] global CHANGE nte (mvel)", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 5281, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.134.140.191" + ], + "rsa.db.index": "mvel", + "rsa.internal.messageid": "web", + "rsa.misc.action": [ + "CHANGE" + ], + "rsa.misc.category": "nte", + "service.type": "barracuda", + "source.ip": [ + "10.134.140.191" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "nimadmin", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "outbound/smtp[conse]: 10.252.40.172 nimadmin isiu licabo cancel etdolor 3 dic cola amcor", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 5328, + "network.direction": "outbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.252.40.172" + ], + "rsa.db.index": "amcor", + "rsa.internal.messageid": "outbound/smtp", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.log_session_id": "dic", + "rsa.misc.reference_id": "nimadmin", + "rsa.misc.result_code": "cola", + "service.type": "barracuda", + "source.ip": [ + "10.252.40.172" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "nisiut", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan[xea]: ites[10.126.26.131] nisiut 1536789735 1536789735 accept teturad perspici itation sequatD 5 24 isciv rroqu", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 5417, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.126.26.131" + ], + "related.user": [ + "ites" + ], + "rsa.db.index": "rroqu", + "rsa.email.email_dst": "itation", + "rsa.email.email_src": "perspici", + "rsa.internal.messageid": "scan", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.reference_id": "nisiut", + "rsa.misc.result": "Need MAIL Command", + "rsa.misc.result_code": "24", + "rsa.time.endtime": "2018-09-12T22:02:15.000Z", + "rsa.time.starttime": "2018-09-12T22:02:15.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.126.26.131" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "ites" + }, + { + "event.action": "accept", + "event.code": "reetd", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan[rExc]: iusmo[10.187.210.173] reetd 1538024689 1538024689 accept ulpa sitam rad loi 2 15 Nequepor SZ:eirure SUBJ:deserun", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 5534, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.187.210.173" + ], + "related.user": [ + "iusmo" + ], + "rsa.email.email_dst": "rad", + "rsa.email.email_src": "sitam", + "rsa.email.subject": "deserun", + "rsa.internal.messageid": "scan", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.disposition": "Blocked Message", + "rsa.misc.reference_id": "reetd", + "rsa.misc.result": "Sender Address", + "rsa.misc.result_code": "15", + "rsa.time.endtime": "2018-09-27T05:04:49.000Z", + "rsa.time.starttime": "2018-09-27T05:04:49.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.187.210.173" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "iusmo" + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (orroq.exe) queued as vitaedic", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 5659, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "orroq.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (orem.exe) queued as rcit", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 5707, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "orem.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "atise", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan[untincul]: ssecil[10.180.147.129] atise 1541729552 1541729552 allow umetMalo oluptas emvele isnost 2 5 ido emqu", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 5750, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.180.147.129" + ], + "related.user": [ + "ssecil" + ], + "rsa.db.index": "emqu", + "rsa.email.email_dst": "emvele", + "rsa.email.email_src": "oluptas", + "rsa.internal.messageid": "scan", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.disposition": "Blocked Message", + "rsa.misc.reference_id": "atise", + "rsa.misc.result": "Too Many Message In Session", + "rsa.misc.result_code": "5", + "rsa.time.endtime": "2018-11-09T02:12:32.000Z", + "rsa.time.starttime": "2018-11-09T02:12:32.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.180.147.129" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "ssecil" + }, + { + "event.action": "cancel", + "event.code": "notify/smtp", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "notify/smtp[exeaco]: 10.99.17.210 olorsit tore cancel illu 4 turadip 688 1.7484 boreetdo undeom", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 5867, + "network.bytes": 688, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "observer.version": "1.7484", + "related.ip": [ + "10.99.17.210" + ], + "rsa.db.index": "undeom", + "rsa.email.email_src": "boreetdo", + "rsa.internal.messageid": "notify/smtp", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.disposition": "Expired Message", + "rsa.misc.log_session_id": "turadip", + "rsa.misc.version": "1.7484", + "service.type": "barracuda", + "source.ip": [ + "10.99.17.210" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "notify/smtp", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "notify/smtp[uov]: 10.230.46.162 sBono loremqu accept quunt 3 siuta 1107 1.2607 dquia temporin", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 5963, + "network.bytes": 1107, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "observer.version": "1.2607", + "related.ip": [ + "10.230.46.162" + ], + "rsa.db.index": "temporin", + "rsa.email.email_src": "dquia", + "rsa.internal.messageid": "notify/smtp", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.log_session_id": "siuta", + "rsa.misc.version": "1.2607", + "service.type": "barracuda", + "source.ip": [ + "10.230.46.162" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "rum", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan[nimveni]: idi[10.96.135.47] rum 1545434414 1545434414 accept eporroq ulla iqu oin 1 55 cingel modocon", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 6057, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.96.135.47" + ], + "related.user": [ + "idi" + ], + "rsa.db.index": "modocon", + "rsa.email.email_dst": "iqu", + "rsa.email.email_src": "ulla", + "rsa.internal.messageid": "scan", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.disposition": "Aborted Message", + "rsa.misc.reference_id": "rum", + "rsa.misc.result": "Invalid Parameter Syntax", + "rsa.misc.result_code": "55", + "rsa.time.endtime": "2018-12-21T23:20:14.000Z", + "rsa.time.starttime": "2018-12-21T23:20:14.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.96.135.47" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "idi" + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (atv.exe) queued as onu", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 6164, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "atv.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "nsec", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan: obeataev[10.139.127.232] nsec 1547904323 1547904323 cancel maperi agnaaliq tlaboree norumet 7 48 tin SZ:fugitse SUBJ:imad", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 6205, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "obeataev" + ], + "related.ip": [ + "10.139.127.232" + ], + "rsa.email.email_dst": "tlaboree", + "rsa.email.email_src": "agnaaliq", + "rsa.email.subject": "imad", + "rsa.internal.messageid": "scan", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.disposition": "Whitelisted Message", + "rsa.misc.reference_id": "nsec", + "rsa.misc.result": "DATA Syntax Error", + "rsa.misc.result_code": "48", + "rsa.time.endtime": "2019-01-19T13:25:23.000Z", + "rsa.time.starttime": "2019-01-19T13:25:23.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.139.127.232" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "obeataev" + }, + { + "event.action": " SCAN", + "event.code": "atu", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1: inv[10.163.209.70] atu 1549139277 1549139277 SCAN lloin remipsum tempor citatio 0 57 mveniamq SZ:taedict SUBJ:edquian", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 6333, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "inv" + ], + "related.ip": [ + "10.163.209.70" + ], + "rsa.email.email_dst": "tempor", + "rsa.email.email_src": "remipsum", + "rsa.email.subject": "edquian", + "rsa.internal.messageid": "inbound/pass1", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + " SCAN" + ], + "rsa.misc.disposition": "Allowed Message", + "rsa.misc.reference_id": "atu", + "rsa.misc.result": "TLS Already Active", + "rsa.misc.result_code": "57", + "rsa.time.endtime": "2019-02-02T20:27:57.000Z", + "rsa.time.starttime": "2019-02-02T20:27:57.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.163.209.70" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "inv" + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (mipsamvo.exe) queued as eiusmod", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 6466, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "mipsamvo.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "umetMal", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan[avolu]: Except[10.191.7.121] umetMal 1551609186 1551609186 accept sciun metcons itasper uae 2 21 uia iciad", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 6516, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.191.7.121" + ], + "related.user": [ + "Except" + ], + "rsa.db.index": "iciad", + "rsa.email.email_dst": "itasper", + "rsa.email.email_src": "metcons", + "rsa.internal.messageid": "scan", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.disposition": "Blocked Message", + "rsa.misc.reference_id": "umetMal", + "rsa.misc.result": "Bad Address Syntax", + "rsa.misc.result_code": "21", + "rsa.time.endtime": "2019-03-03T10:33:06.000Z", + "rsa.time.starttime": "2019-03-03T10:33:06.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.191.7.121" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "Except" + }, + { + "event.action": " RECV", + "event.code": "gnaa", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1: [10.157.196.101] gnaa 1552844140 1552844140 RECV mod doei cipitl", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 6628, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.157.196.101" + ], + "rsa.db.index": "cipitl", + "rsa.email.email_dst": "doei", + "rsa.email.email_src": "mod", + "rsa.internal.messageid": "inbound/pass1", + "rsa.misc.action": [ + " RECV" + ], + "rsa.misc.reference_id": "gnaa", + "rsa.time.endtime": "2019-03-17T17:35:40.000Z", + "rsa.time.starttime": "2019-03-17T17:35:40.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.157.196.101" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "" + }, + { + "event.action": "CHANGE", + "event.code": "web", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "web: [10.171.72.5] global CHANGE eprehend (asnu)", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 6708, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.171.72.5" + ], + "rsa.db.index": "asnu", + "rsa.internal.messageid": "web", + "rsa.misc.action": [ + "CHANGE" + ], + "rsa.misc.category": "eprehend", + "service.type": "barracuda", + "source.ip": [ + "10.171.72.5" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "mquisn", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan: eritatis[10.209.184.60] mquisn 1555314049 1555314049 cancel uto emUte molestia quir 4 18 emip SZ:ver SUBJ:erc", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 6757, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "eritatis" + ], + "related.ip": [ + "10.209.184.60" + ], + "rsa.email.email_dst": "molestia", + "rsa.email.email_src": "emUte", + "rsa.email.subject": "erc", + "rsa.internal.messageid": "scan", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.disposition": "Tagged Message", + "rsa.misc.reference_id": "mquisn", + "rsa.misc.result": "Need Fully Qualified Sender", + "rsa.misc.result_code": "18", + "rsa.time.endtime": "2019-04-15T07:40:49.000Z", + "rsa.time.starttime": "2019-04-15T07:40:49.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.209.184.60" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "eritatis" + }, + { + "event.action": " RECV", + "event.code": "isqua", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1[dolorsit]: archite[10.143.228.97] isqua 1556549003 1556549003 RECV uta emo itq", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 6873, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.143.228.97" + ], + "related.user": [ + "archite" + ], + "rsa.db.index": "itq", + "rsa.email.email_dst": "emo", + "rsa.email.email_src": "uta", + "rsa.internal.messageid": "inbound/pass1", + "rsa.misc.action": [ + " RECV" + ], + "rsa.misc.reference_id": "isqua", + "rsa.time.endtime": "2019-04-29T14:43:23.000Z", + "rsa.time.starttime": "2019-04-29T14:43:23.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.143.228.97" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "archite" + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (ntexpl.exe) queued as dunt", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 6966, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "ntexpl.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "block", + "event.code": "tetur", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan: plic[10.17.87.79] tetur 1559018911 1559018911 block amali ate idolor ratvolu 7 64 onse olorem", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 7011, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "plic" + ], + "related.ip": [ + "10.17.87.79" + ], + "rsa.db.index": "olorem", + "rsa.email.email_dst": "idolor", + "rsa.email.email_src": "ate", + "rsa.internal.messageid": "scan", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.disposition": "Whitelisted Message", + "rsa.misc.reference_id": "tetur", + "rsa.misc.result": "Recipient Verification Unavailable", + "rsa.misc.result_code": "64", + "rsa.time.endtime": "2019-05-28T04:48:31.000Z", + "rsa.time.starttime": "2019-05-28T04:48:31.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.17.87.79" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "plic" + }, + { + "event.action": "FAILED_LOGIN", + "event.code": "web", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "web: [10.163.18.29] FAILED_LOGIN (nim)", + "event.outcome": "failure", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 7111, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.163.18.29" + ], + "related.user": [ + "nim" + ], + "rsa.internal.messageid": "web", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "FAILED_LOGIN" + ], + "service.type": "barracuda", + "source.ip": [ + "10.163.18.29" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "nim" + }, + { + "event.code": "web", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "web: Retention violating accounts: erspi total", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 7150, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "rsa.internal.messageid": "web", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (billoi.exe) queued as moles", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 7197, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "billoi.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "etconsec", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan: taedi[10.17.98.243] etconsec 1563958728 1563958728 cancel ill mporinc onsectet idolo 8 55 docon SZ:mdolore SUBJ:eosquira", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 7243, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "taedi" + ], + "related.ip": [ + "10.17.98.243" + ], + "rsa.email.email_dst": "onsectet", + "rsa.email.email_src": "mporinc", + "rsa.email.subject": "eosquira", + "rsa.internal.messageid": "scan", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.disposition": "Encrypted Message", + "rsa.misc.reference_id": "etconsec", + "rsa.misc.result": "Invalid Parameter Syntax", + "rsa.misc.result_code": "55", + "rsa.time.endtime": "2019-07-24T08:58:48.000Z", + "rsa.time.starttime": "2019-07-24T08:58:48.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.17.98.243" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "taedi" + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (apariatu.exe) queued as lorsita", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 7370, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "apariatu.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (ever.exe) queued as tali", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 7420, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "ever.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": " RECV", + "event.code": "onnu", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1[mipsumqu]: tatio[10.181.247.224] onnu 1567663591 1567663591 RECV olorema aquiof ende", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 7463, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.181.247.224" + ], + "related.user": [ + "tatio" + ], + "rsa.db.index": "ende", + "rsa.email.email_dst": "aquiof", + "rsa.email.email_src": "olorema", + "rsa.internal.messageid": "inbound/pass1", + "rsa.misc.action": [ + " RECV" + ], + "rsa.misc.reference_id": "onnu", + "rsa.time.endtime": "2019-09-05T06:06:31.000Z", + "rsa.time.starttime": "2019-09-05T06:06:31.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.181.247.224" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "tatio" + }, + { + "event.action": "deny", + "event.code": "ventore", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan[ugitse]: quiineav[10.235.116.121] ventore 1568898545 1568898545 deny obea emp agnaaliq est 0 73 aev SZ:inrepr SUBJ:mol", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 7562, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.235.116.121" + ], + "related.user": [ + "quiineav" + ], + "rsa.email.email_dst": "agnaaliq", + "rsa.email.email_src": "emp", + "rsa.email.subject": "mol", + "rsa.internal.messageid": "scan", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.disposition": "Allowed Message", + "rsa.misc.reference_id": "ventore", + "rsa.misc.result": "System Busy", + "rsa.misc.result_code": "73", + "rsa.time.endtime": "2019-09-19T13:09:05.000Z", + "rsa.time.starttime": "2019-09-19T13:09:05.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.235.116.121" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "user.name": "quiineav" + }, + { + "destination.ip": [ + "10.1.6.115" + ], + "event.action": "allow", + "event.code": "llit", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "outbound/smtp: 10.178.30.158 llit tenimad sitametc allow onproide 2 cillumd riosa Ok: queued as tNe #to#10.1.6.115", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 7686, + "network.direction": "outbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.ip": [ + "10.1.6.115", + "10.178.30.158" + ], + "rsa.internal.messageid": "outbound/smtp", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.disposition": "Rejected Message", + "rsa.misc.log_session_id": "cillumd", + "rsa.misc.reference_id": "llit", + "rsa.misc.result_code": "riosa", + "service.type": "barracuda", + "source.ip": [ + "10.178.30.158" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "notify/smtp", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "notify/smtp[rautod]: 10.124.32.120 lapar ritati accept qui 3 mullam 4965 1.4254 meaque uid", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 7801, + "network.bytes": 4965, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "observer.version": "1.4254", + "related.ip": [ + "10.124.32.120" + ], + "rsa.db.index": "uid", + "rsa.email.email_src": "meaque", + "rsa.internal.messageid": "notify/smtp", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.log_session_id": "mullam", + "rsa.misc.version": "1.4254", + "service.type": "barracuda", + "source.ip": [ + "10.124.32.120" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (ataevita.exe) queued as oremqu", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 7892, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "ataevita.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.code": "reports", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "reports: REPORTS (velitsed.exe) queued as magnaali", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 7941, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "process.name": "velitsed.exe", + "rsa.internal.event_desc": "report queued", + "rsa.internal.messageid": "reports", + "service.type": "barracuda", + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ] + }, + { + "event.action": " SCAN", + "event.code": "enbyCi", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "inbound/pass1: der[10.77.182.191] enbyCi 1575073317 1575073317 SCAN quameiu diduntu eiusmod itation 8 79 piciatis2460.api.host iusmodt", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 7992, + "network.direction": "inbound", + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "der", + "piciatis2460.api.host" + ], + "related.ip": [ + "10.77.182.191" + ], + "rsa.db.index": "iusmodt", + "rsa.email.email_dst": "eiusmod", + "rsa.email.email_src": "diduntu", + "rsa.internal.messageid": "inbound/pass1", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + " SCAN" + ], + "rsa.misc.disposition": "Encrypted Message", + "rsa.misc.reference_id": "enbyCi", + "rsa.misc.result": "Attachment Content", + "rsa.misc.result_code": "79", + "rsa.network.domain": "piciatis2460.api.host", + "rsa.time.endtime": "2019-11-30T00:21:57.000Z", + "rsa.time.starttime": "2019-11-30T00:21:57.000Z", + "server.domain": "piciatis2460.api.host", + "service.type": "barracuda", + "source.ip": [ + "10.77.182.191" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "der" + }, + { + "event.action": "accept", + "event.code": "tiumd", + "event.dataset": "barracuda.spamfirewall", + "event.module": "barracuda", + "event.original": "scan: iame[10.193.110.71] tiumd 1576308271 1576308271 accept loinve tanimid isnostru nofdeFi 3 5 saqu remips", + "fileset.name": "spamfirewall", + "input.type": "log", + "log.offset": 8127, + "observer.product": "Spam", + "observer.type": "Anti-Virus", + "observer.vendor": "Barracuda", + "related.hosts": [ + "iame" + ], + "related.ip": [ + "10.193.110.71" + ], + "rsa.db.index": "remips", + "rsa.email.email_dst": "isnostru", + "rsa.email.email_src": "tanimid", + "rsa.internal.messageid": "scan", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.disposition": "Quarantined Message", + "rsa.misc.reference_id": "tiumd", + "rsa.misc.result": "Too Many Message In Session", + "rsa.misc.result_code": "5", + "rsa.time.endtime": "2019-12-14T07:24:31.000Z", + "rsa.time.starttime": "2019-12-14T07:24:31.000Z", + "service.type": "barracuda", + "source.ip": [ + "10.193.110.71" + ], + "tags": [ + "barracuda.spamfirewall", + "forwarded" + ], + "url.domain": "iame" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/barracuda/waf/config/input.yml b/x-pack/filebeat/module/barracuda/waf/config/input.yml index 30e0d5f2745..d90859f5f61 100644 --- a/x-pack/filebeat/module/barracuda/waf/config/input.yml +++ b/x-pack/filebeat/module/barracuda/waf/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml b/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml index dffea972086..8f0ef057c18 100644 --- a/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml +++ b/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for Barracuda Web Application Firewall processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original diff --git a/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc b/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc index e2c798214dd..1e9765b19ac 100644 --- a/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/bluecoat/_meta/docs.asciidoc @@ -51,7 +51,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/bluecoat/director/config/input.yml b/x-pack/filebeat/module/bluecoat/director/config/input.yml index 7fc587fb028..3e7d940acf9 100644 --- a/x-pack/filebeat/module/bluecoat/director/config/input.yml +++ b/x-pack/filebeat/module/bluecoat/director/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml index e26891a1ad0..97fbbb72c92 100644 --- a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml +++ b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for Blue Coat Director processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original @@ -49,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json index 94a001da91a..1d0de305beb 100644 --- a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json +++ b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json @@ -247,6 +247,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "seq3874.mail.domain" + ], "rsa.internal.messageid": "dmd", "rsa.misc.change_new": "fug", "rsa.misc.change_old": "quid", @@ -988,6 +991,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "elitse6672.internal.localdomain" + ], "rsa.db.index": "mquisno", "rsa.internal.event_desc": "info on device connection", "rsa.internal.messageid": "ccd", @@ -1218,6 +1224,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "itation4168.api.domain" + ], "rsa.db.index": "dipisci", "rsa.internal.event_desc": "This file is automatically generated", "rsa.internal.messageid": "configd", @@ -1569,6 +1578,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "sBonor2001.www5.example" + ], "rsa.internal.messageid": "dmd", "rsa.misc.client": "dmd:", "rsa.misc.severity": "medium", @@ -1639,6 +1651,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "ersp6625.internal.domain" + ], "rsa.internal.messageid": "dmd", "rsa.misc.client": "dmd:", "rsa.misc.severity": "high", @@ -1754,6 +1769,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "eleumiu2454.api.local" + ], "rsa.db.index": "tat", "rsa.internal.event_desc": "info on device connection", "rsa.internal.messageid": "ccd", @@ -1866,6 +1884,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "olu5333.www.domain" + ], "rsa.db.index": "orumSe", "rsa.internal.event_desc": "info on device connection", "rsa.internal.messageid": "ccd", diff --git a/x-pack/filebeat/module/cef/log/ingest/pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/pipeline.yml index 75a86ea2758..7dab1ca3382 100644 --- a/x-pack/filebeat/module/cef/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cef/log/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for Filebeat CEF processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # IP Geolocation Lookup - geoip: field: source.ip diff --git a/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml index 9a74b0b7c72..d21d421ce0f 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing checkpoint firewall logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: @@ -157,7 +160,7 @@ processors: target_field: source.nat.port type: long ignore_failure: true - ignore_missing: true + ignore_missing: true if: "ctx.checkpoint?.xlatesport != '0'" - rename: field: checkpoint.mac_source_address @@ -691,7 +694,7 @@ processors: field: client.nat.port type: long ignore_failure: true - ignore_missing: true + ignore_missing: true - convert: field: client.bytes type: long @@ -711,7 +714,7 @@ processors: field: server.nat.port type: long ignore_failure: true - ignore_missing: true + ignore_missing: true - convert: field: server.bytes type: long @@ -721,7 +724,7 @@ processors: field: server.packets type: long ignore_failure: true - ignore_missing: true + ignore_missing: true - script: lang: painless source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" @@ -797,4 +800,4 @@ processors: on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml index 056512d4769..79f755c2c1f 100644 --- a/x-pack/filebeat/module/cisco/_meta/config.yml +++ b/x-pack/filebeat/module/cisco/_meta/config.yml @@ -70,3 +70,22 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local + + meraki: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9525 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc index b5d7a81d900..08dc160fab0 100644 --- a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc @@ -17,17 +17,6 @@ Cisco ASA devices also support exporting flow records using NetFlow, which is supported by the {filebeat-ref}/filebeat-module-netflow.html[netflow module] in {beatname_uc}. -[WARNING] -======================================= -Some filesets in this module make extensive use of ingest pipeline scripts. -This can cause their ingest pipelines to fail loading due to exceeding the -default compilation limits: - -`[script] Too many dynamic script compilations within, max: [75/5m]` - -Check the <> section for more information. -======================================= - include::../include/what-happens.asciidoc[] include::../include/gs-link.asciidoc[] @@ -329,7 +318,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: @@ -341,20 +330,49 @@ will be found under `rsa.raw`. The default is false. :fileset_ex!: [float] -[[dynamic-script-compilations]] -=== Dynamic Script Compilations +==== `meraki` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "ciscomeraki" device revision 118. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. -The `asa` and `ftd` filesets are based on Elasticsearch ingest pipelines and -make extensive use of script processors and painless conditions. This can cause -the pipelines to fail loading the first time the module is used, due to exceeding -the maximum script compilation limits. It is recommended to tune the following -parameters on your Elasticsearch cluster: +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. -- {ref}/circuit-breaker.html#script-compilation-circuit-breaker[script.max_compilations_rate]: - Increase to at least `100/5m`. +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9525` -- {ref}/modules-scripting-using.html#modules-scripting-using-caching[script.cache.max_size]: - Increase to at least `200` if using both filesets or other script-heavy modules. +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: [float] === Example dashboard diff --git a/x-pack/filebeat/module/cisco/_meta/fields.yml b/x-pack/filebeat/module/cisco/_meta/fields.yml index 8209de0cd6f..fbe1e33d2c8 100644 --- a/x-pack/filebeat/module/cisco/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/_meta/fields.yml @@ -3,8 +3,4 @@ description: > Module for handling Cisco network device logs. fields: - - name: cisco - type: group - description: > - Fields from Cisco logs. - fields: + diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml index 5915c246ff5..b3bb3b5eb1d 100644 --- a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: asa +- name: cisco.asa type: group description: > Fields for Cisco ASA Firewall. @@ -109,3 +109,69 @@ type: keyword description: > The assigned DAP records + + - name: command_line_arguments + default_field: false + type: keyword + description: > + The command line arguments logged by the local audit log + + - name: assigned_ip + default_field: false + type: ip + description: > + The IP address assigned to a VPN client successfully connecting + + - name: privilege.old + default_field: false + type: keyword + description: > + When a users privilege is changed this is the old value + + - name: privilege.new + default_field: false + type: keyword + description: > + When a users privilege is changed this is the new value + + - name: burst.object + default_field: false + type: keyword + description: > + The related object for burst warnings + + - name: burst.id + default_field: false + type: keyword + description: > + The related rate ID for burst warnings + + - name: burst.current_rate + default_field: false + type: keyword + description: > + The current burst rate seen + + - name: burst.configured_rate + default_field: false + type: keyword + description: > + The current configured burst rate + + - name: burst.avg_rate + default_field: false + type: keyword + description: > + The current average burst rate seen + + - name: burst.configured_avg_rate + default_field: false + type: keyword + description: > + The current configured average burst rate allowed + + - name: burst.cumulative_count + default_field: false + type: keyword + description: > + The total count of burst rate hits since the object was created or cleared diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml index 0cffa76a01f..b5271fe8598 100644 --- a/x-pack/filebeat/module/cisco/asa/config/input.yml +++ b/x-pack/filebeat/module/cisco/asa/config/input.yml @@ -23,4 +23,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log new file mode 100644 index 00000000000..f9ba86b8d0c --- /dev/null +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log @@ -0,0 +1,69 @@ +May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500) +May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500) +May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3 +May 5 17:51:17 dev01: %FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00 +May 5 17:51:17 dev01: %FTD-7-609001: Built local-host net:192.168.2.2 +May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1 +May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111) +May 5 17:51:17 dev01: %FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443) +May 5 17:51:17 dev01: %FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67 +May 5 17:51:17 dev01: %FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log +May 5 17:51:17 dev01: %FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4 +May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872. +May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0 +May 5 18:22:35 dev01: %ASA-7-609001: Built local-host net:10.10.10.10 +May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00 +May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0 +May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3 +May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I +May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839) +May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00 +May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session +May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006 +May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111 +May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585 +May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638) +May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638) +May 5 18:40:50 dev01: %ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group "out1111_access_out" [0x47e21ef4, 0x47e21ef4] +May 5 18:40:50 dev01: %ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111 +May 5 19:02:58 dev01: %ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111 +May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111 +May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111 +May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111 +May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051) +May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051) +May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051) +May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner +May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow +May 5 19:03:27 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief +May 5 19:02:26 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief +May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -> fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000] +May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -> fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000] +May 5 19:02:26 dev01: %ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner +May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8) +May 5 19:02:26 dev01: %ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985 +May 5 19:02:26 dev01: %ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout +May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123) +May 5 19:02:26 dev01: %ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0) +May 5 19:02:25 dev01: %ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063 +May 5 19:02:25 dev01: %ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2 +May 5 19:02:25 dev01: %ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet. +Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/ +Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0] +Apr 27 17:54:52 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23 +Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/ +Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout +Apr 27 02:02:02 dev01: %ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group "global_access_1" +Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -> OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000] +Apr 27 02:03:03 dev01: %ASA-5-111004: console end configuration: OK +Apr 27 02:03:03 dev01: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear' +Apr 27 02:03:03 dev01: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15 +Apr 27 02:03:03 dev01: %ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user "*****" +Apr 27 02:03:03 dev01: %ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin +Apr 27 02:03:03 dev01: %ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user "admin" +Apr 27 02:03:03 dev01: %ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin +Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d +Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested +Apr 27 02:03:03 dev01: %ASA-4-722051: Group some-policy User testuser IP 8.8.8.8 IPv4 Address 8.8.4.4 IPv6 address 2001:4860:4860::8888 assigned to session +Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested. +Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23 diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json new file mode 100644 index 00000000000..73d42d43af7 --- /dev/null +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -0,0 +1,3153 @@ +[ + { + "cisco.asa.connection_id": "111111111", + "cisco.asa.destination_interface": "fw111", + "cisco.asa.mapped_destination_ip": "8.8.5.4", + "cisco.asa.mapped_destination_port": 53500, + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_port": 53500, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "net", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.5.4", + "destination.port": 53500, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.8", + "source.port": 53500, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "111111111", + "cisco.asa.destination_interface": "fw111", + "cisco.asa.mapped_destination_ip": "8.8.5.4", + "cisco.asa.mapped_destination_port": 53500, + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_port": 53500, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "net", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.5.4", + "destination.port": 53500, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 162, + "network.direction": "inbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.8", + "source.port": 53500, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302020", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 324, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "609002", + "cisco.asa.source_interface": "net", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 609002, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-05-05T17:51:17.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00", + "event.severity": 7, + "event.start": "2020-05-05T19:51:17.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 466, + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "609001", + "cisco.asa.source_interface": "net", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 609001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-7-609001: Built local-host net:192.168.2.2", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 557, + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302020", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 628, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "111111111", + "cisco.asa.destination_interface": "fw111", + "cisco.asa.mapped_destination_ip": "8.8.5.4", + "cisco.asa.mapped_destination_port": 111, + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_port": 111, + "cisco.asa.message_id": "805001", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.5.4", + "destination.port": 111, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 805001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 770, + "network.transport": "tcp flow", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.8", + "source.port": 111, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "941243214", + "cisco.asa.destination_interface": "fw109", + "cisco.asa.mapped_destination_ip": "10.192.70.66", + "cisco.asa.mapped_destination_port": 443, + "cisco.asa.mapped_source_ip": "10.192.18.4", + "cisco.asa.mapped_source_port": 51261, + "cisco.asa.message_id": "805002", + "cisco.asa.source_interface": "net", + "destination.address": "10.192.70.66", + "destination.ip": "10.192.70.66", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 805002, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 932, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw109", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.192.18.4", + "10.192.70.66" + ], + "service.type": "cisco", + "source.address": "10.192.18.4", + "source.ip": "10.192.18.4", + "source.port": 51261, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "710005", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 67, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 710005, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 1119, + "network.iana_number": 17, + "network.transport": "udp", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 68, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "303002", + "cisco.asa.source_interface": "net", + "client.user.name": "testuser", + "destination.address": "10.192.18.4", + "destination.ip": "10.192.18.4", + "destination.port": 21, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 303002, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "/export/home/sysm/ftproot/sdsdsds/tmp.log", + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 1223, + "network.protocol": "ftp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "10.192.18.4" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 63656, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "710006", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 710006, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 1396, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "313005", + "cisco.asa.source_interface": "fw111", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 313005, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872.", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 1492, + "network.iana_number": 1, + "network.transport": "icmp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302021", + "cisco.asa.source_username": "type", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302021, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 1722, + "network.iana_number": 1, + "network.transport": "icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "609001", + "cisco.asa.source_interface": "net", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 609001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-609001: Built local-host net:10.10.10.10", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 1859, + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "609002", + "cisco.asa.source_interface": "identity", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 609002, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-05-05T18:24:31.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00", + "event.severity": 7, + "event.start": "2020-05-05T20:24:31.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 1930, + "observer.egress.interface.name": "identity", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302020", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2026, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.192.46.90", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.192.46.90", + "source.ip": "10.192.46.90", + "source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302020", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2155, + "network.direction": "outbound", + "network.protocol": "icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "2960892904", + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "302014", + "cisco.asa.source_interface": "out111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 55225, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302014, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-05-05T18:29:32.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I", + "event.severity": 6, + "event.start": "2020-05-05T20:29:32.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2298, + "network.bytes": 0, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "out111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 443, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "1588662", + "cisco.asa.destination_interface": "net", + "cisco.asa.mapped_destination_ip": "8.8.8.8", + "cisco.asa.mapped_destination_port": 54839, + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_port": 80, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "intfacename", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.nat.ip": "8.8.8.8", + "destination.port": 54839, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2462, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "intfacename", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.nat.ip": "8.8.8.8", + "source.port": 80, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "out111", + "cisco.asa.message_id": "302012", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 54230, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302012, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-05-05T18:29:32.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", + "event.severity": 6, + "event.start": "2020-05-05T20:29:32.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2623, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "out111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 54230, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.icmp_type": 0, + "cisco.asa.message_id": "313004", + "cisco.asa.source_interface": "fw502", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 313004, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 2768, + "network.iana_number": 1, + "network.transport": "icmp", + "observer.egress.interface.name": "fw502", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "out111", + "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 57006, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 305011, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2904, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "out111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 57006, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106001", + "cisco.asa.source_interface": "out111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 14322, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3029, + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "out111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 43803, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "1671727", + "cisco.asa.destination_interface": "net", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "intfacename", + "destination.address": "192.186.2.2", + "destination.as.number": 395776, + "destination.as.organization.name": "FEDERAL ONLINE GROUP LLC", + "destination.geo.city_name": "Thousand Oaks", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 34.197, + "destination.geo.location.lon": -118.8199, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "192.186.2.2", + "destination.port": 53356, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302016, + "event.dataset": "cisco.asa", + "event.duration": 124000000000, + "event.end": "2020-05-05T18:40:50.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585", + "event.severity": 2, + "event.start": "2020-05-05T20:38:46.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3172, + "network.bytes": 64585, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "intfacename", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.186.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 161, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "1743372", + "cisco.asa.destination_interface": "net", + "cisco.asa.mapped_destination_ip": "8.8.8.8", + "cisco.asa.mapped_destination_port": 22638, + "cisco.asa.mapped_source_ip": "8.8.8.4", + "cisco.asa.mapped_source_port": 161, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "intfacename", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.8.8", + "destination.port": 22638, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3328, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "intfacename", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.4", + "source.port": 161, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "1743372", + "cisco.asa.destination_interface": "net", + "cisco.asa.mapped_destination_ip": "8.8.8.8", + "cisco.asa.mapped_destination_port": 22638, + "cisco.asa.mapped_source_ip": "8.8.8.4", + "cisco.asa.mapped_source_port": 161, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "intfacename", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.8.8", + "destination.port": 22638, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3491, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "intfacename", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.4", + "source.port": 161, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "out111", + "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "out1111_access_out", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 0x47e21ef4]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 3654, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "out111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 64388, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106021", + "cisco.asa.source_interface": "fw111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106021, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 3818, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106006", + "cisco.asa.source_interface": "fw111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 65020, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106006, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3935, + "network.direction": "inbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 65020, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106015", + "cisco.asa.source_interface": "out111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111", + "event.outcome": "tcp", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4053, + "network.transport": "(no", + "observer.egress.interface.name": "out111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 53089, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106015", + "cisco.asa.source_interface": "out111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111", + "event.outcome": "tcp", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4197, + "network.transport": "(no", + "observer.egress.interface.name": "out111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 17127, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106015", + "cisco.asa.source_interface": "fw111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111", + "event.outcome": "tcp", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4337, + "network.transport": "(no", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 24223, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302023", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4949, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302023", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 5142, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.command_line_arguments": "show access-list fw211111_access_out brief", + "cisco.asa.message_id": "111009", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 111009, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "aaaa", + "input.type": "log", + "log.level": "debug", + "log.offset": 5369, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.command_line_arguments": "show access-list aaa_out brief", + "cisco.asa.message_id": "111009", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 111009, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "aaaa", + "input.type": "log", + "log.level": "debug", + "log.offset": 5476, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "fw111_out", + "cisco.asa.source_interface": "ptaaac", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 3452, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -> fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]", + "event.outcome": "allow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 5571, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "ptaaac", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 62157, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "fw111_out", + "cisco.asa.source_interface": "net", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 6007, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -> fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]", + "event.outcome": "allow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 5743, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 49033, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302027", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302027, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 5922, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302026", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302026, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 6113, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "net", + "cisco.asa.message_id": "710005", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 1985, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 710005, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 6256, + "network.iana_number": 17, + "network.transport": "udp", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 1985, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302025", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302025, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 6362, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302024", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302024, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 6571, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "106014", + "cisco.asa.source_interface": "fw111", + "destination.address": "10.10.10.10(type", + "destination.ip": "10.10.10.10", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106014, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)", + "event.outcome": "deny", + "event.severity": 3, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "error", + "log.offset": 6722, + "network.direction": "inbound", + "network.iana_number": 1, + "network.transport": "icmp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.burst.avg_rate": "7", + "cisco.asa.burst.configured_avg_rate": "-4", + "cisco.asa.burst.configured_rate": "-4", + "cisco.asa.burst.cumulative_count": "9063", + "cisco.asa.burst.current_rate": "0", + "cisco.asa.burst.id": "rate-1", + "cisco.asa.burst.object": "192.168.2.2", + "cisco.asa.message_id": "733100", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 733100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 6838, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "106010", + "cisco.asa.source_interface": "fw111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 2, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106010, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2", + "event.outcome": "deny", + "event.severity": 3, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "error", + "log.offset": 7071, + "network.direction": "inbound", + "network.transport": "sctp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 5114, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "out111", + "cisco.asa.message_id": "507003", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 80, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 507003, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 7178, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "out111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 49574, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "304001", + "destination.address": "10.20.30.40", + "destination.ip": "10.20.30.40", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 7351, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.20.30.40", + "10.20.30.40" + ], + "service.type": "cisco", + "source.address": "10.20.30.40", + "source.ip": "10.20.30.40", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.original": "http://10.20.30.40/" + }, + { + "cisco.asa.message_id": "304001", + "destination.address": "10.20.30.40", + "destination.ip": "10.20.30.40", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 7446, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.20.30.40", + "10.20.30.40" + ], + "service.type": "cisco", + "source.address": "10.20.30.40", + "source.ip": "10.20.30.40", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.original": "http://10.20.30.40/IOFUHSIU98[0]" + }, + { + "cisco.asa.message_id": "304001", + "destination.address": "10.20.30.40", + "destination.ip": "10.20.30.40", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 7563, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.20.30.40", + "10.20.30.40" + ], + "service.type": "cisco", + "source.address": "10.20.30.40", + "source.ip": "10.20.30.40", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.original": "http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23" + }, + { + "cisco.asa.message_id": "304001", + "destination.address": "10.20.30.40", + "destination.ip": "10.20.30.40", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 7699, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.20.30.40", + "10.20.30.40" + ], + "service.type": "cisco", + "source.address": "10.20.30.40", + "source.ip": "10.20.30.40", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.original": "http://10.20.30.40/" + }, + { + "cisco.asa.connection_id": "2751765169", + "cisco.asa.destination_interface": "server.deflan", + "cisco.asa.message_id": "302304", + "cisco.asa.source_interface": "server.deflan", + "destination.address": "2.3.4.5", + "destination.as.number": 3215, + "destination.as.organization.name": "Orange", + "destination.geo.city_name": "Clermont-Ferrand", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "FR", + "destination.geo.location.lat": 45.7838, + "destination.geo.location.lon": 3.0966, + "destination.geo.region_iso_code": "FR-63", + "destination.geo.region_name": "Puy-de-D\u00f4me", + "destination.ip": "2.3.4.5", + "destination.port": 9101, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302304, + "event.dataset": "cisco.asa", + "event.duration": 3602000000000, + "event.end": "2020-04-27T04:12:23.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout", + "event.severity": 6, + "event.start": "2020-04-27T05:12:21.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 7808, + "network.bytes": 245, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "server.deflan", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "server.deflan", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "1.2.3.4", + "2.3.4.5" + ], + "service.type": "cisco", + "source.address": "1.2.3.4", + "source.geo.city_name": "Moscow", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RU", + "source.geo.location.lat": 55.7527, + "source.geo.location.lon": 37.6172, + "source.geo.region_iso_code": "RU-MOW", + "source.geo.region_name": "Moscow", + "source.ip": "1.2.3.4", + "source.port": 54242, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "srv", + "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "global_access_1", + "cisco.asa.source_interface": "outside", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 51635, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 8003, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "srv", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.10.2", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.2", + "source.ip": "10.10.10.2", + "source.port": 56444, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "testrulename", + "cisco.asa.source_interface": "insideintf", + "destination.address": "195.122.12.242", + "destination.as.number": 12578, + "destination.as.organization.name": "SIA Tet", + "destination.geo.city_name": "Riga", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "LV", + "destination.geo.location.lat": 56.9496, + "destination.geo.location.lon": 24.0978, + "destination.geo.region_iso_code": "LV-RIX", + "destination.geo.region_name": "Riga", + "destination.ip": "195.122.12.242", + "destination.port": 53, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -> OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", + "event.outcome": "deny", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 8160, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "insideintf", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "somedomainname.local" + ], + "related.ip": [ + "195.122.12.242" + ], + "service.type": "cisco", + "source.address": "somedomainname.local", + "source.domain": "somedomainname.local", + "source.port": 27218, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "111004", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 111004, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-111004: console end configuration: OK", + "event.outcome": "success", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 8353, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "console" + ], + "service.type": "cisco", + "source.address": "console", + "source.domain": "console", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.command_line_arguments": "'clear'", + "cisco.asa.message_id": "111010", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 111010, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "enable_15", + "input.type": "log", + "log.level": "notification", + "log.offset": 8421, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.0.87" + ], + "service.type": "cisco", + "source.address": "10.10.0.87", + "source.ip": "10.10.0.87", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "502103", + "cisco.asa.privilege.new": "15", + "cisco.asa.privilege.old": "1", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 502103, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "enable_15", + "input.type": "log", + "log.level": "notification", + "log.offset": 8528, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "FCD-FS-LAN", + "cisco.asa.message_id": "605004", + "destination.address": "10.10.1.254", + "destination.ip": "10.10.1.254", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 605004, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user \"*****\"", + "event.outcome": "deny", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 8623, + "network.protocol": "https", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "FCD-FS-LAN", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.1.212", + "10.10.1.254" + ], + "service.type": "cisco", + "source.address": "10.10.1.212", + "source.ip": "10.10.1.212", + "source.port": 51923, + "source.user.name": "*****", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "611102", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 611102, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin", + "event.outcome": "failed", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "admin", + "input.type": "log", + "log.level": "informational", + "log.offset": 8746, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.0.87" + ], + "service.type": "cisco", + "source.address": "10.10.0.87", + "source.ip": "10.10.0.87", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "FCD-FS-LAN", + "cisco.asa.message_id": "605005", + "destination.address": "10.10.1.254", + "destination.ip": "10.10.1.254", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 605005, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user \"admin\"", + "event.outcome": "allow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 8849, + "network.protocol": "ssh", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "FCD-FS-LAN", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.0.87", + "10.10.1.254" + ], + "service.type": "cisco", + "source.address": "10.10.0.87", + "source.ip": "10.10.0.87", + "source.port": 6651, + "source.user.name": "admin", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "611101", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 611101, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin", + "event.outcome": "succeeded", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "admin", + "input.type": "log", + "log.level": "informational", + "log.offset": 8971, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "10.10.0.87" + ], + "service.type": "cisco", + "source.address": "10.10.0.87", + "source.ip": "10.10.0.87", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "713049", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 713049, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 9077, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "91.240.17.178" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "113019", + "destination.address": "91.240.17.178", + "destination.as.number": 201126, + "destination.as.organization.name": "CDW Ltd", + "destination.bytes": 1216163, + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5888, + "destination.geo.location.lon": -0.0247, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "91.240.17.178", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 113019, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-04-27T02:03:03.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", + "event.severity": 4, + "event.start": "2020-04-27T04:03:03.000Z", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 9288, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "91.240.17.178" + ], + "service.type": "cisco", + "source.bytes": 297103, + "source.user.name": "91.240.17.178", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.assigned_ip": "8.8.4.4", + "cisco.asa.message_id": "722051", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 722051, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-722051: Group some-policy User testuser IP 8.8.8.8 IPv4 Address 8.8.4.4 IPv6 address 2001:4860:4860::8888 assigned to session", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 9527, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "8.8.8.8" + ], + "service.type": "cisco", + "source.address": "8.8.8.8", + "source.as.number": 15169, + "source.as.organization.name": "Google LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "8.8.8.8", + "source.user.name": "testuser", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "716002", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 716002, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 9683, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "8.8.8.8" + ], + "service.type": "cisco", + "source.address": "8.8.8.8", + "source.as.number": 15169, + "source.as.organization.name": "Google LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "8.8.8.8", + "source.user.name": "testuser", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "outside", + "cisco.asa.message_id": "710003", + "destination.address": "195.74.114.34", + "destination.as.number": 8468, + "destination.as.organization.name": "Entanet", + "destination.geo.city_name": "Stoke Newington", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5638, + "destination.geo.location.lon": -0.0765, + "destination.geo.region_iso_code": "GB-HCK", + "destination.geo.region_name": "Hackney", + "destination.ip": "195.74.114.34", + "destination.port": 23, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 710003, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23", + "event.severity": 3, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "error", + "log.offset": 9810, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "104.46.88.19", + "195.74.114.34" + ], + "service.type": "cisco", + "source.address": "104.46.88.19", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "Dublin", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "IE", + "source.geo.location.lat": 53.3338, + "source.geo.location.lon": -6.2488, + "source.geo.region_iso_code": "IE-L", + "source.geo.region_name": "Leinster", + "source.ip": "104.46.88.19", + "source.port": 6370, + "tags": [ + "cisco-asa", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log index 19509b9f9ef..80efe8a5553 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log @@ -5,3 +5,7 @@ Apr 17 2020 14:16:20 SNL-ASA-VPN-A01 : %ASA-4-106023: Deny udp src Inside:10.123 Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-2-106017: Deny IP due to Land Attack from 10.123.123.123 to 10.123.123.123 Apr 17 2020 14:15:07 SNL-ASA-VPN-A01 : %ASA-3-313008: Denied IPv6-ICMP type=134, code=0 from fe80::1ff:fe23:4567:890a on interface ISP1 Jun 08 2020 12:59:57: %ASA-4-313009: Denied invalid ICMP code 9, for Inside:10.255.0.206/8795 (10.255.0.206/8795) to identity:10.12.31.51/0 (10.12.31.51/0), ICMP id 295, ICMP type 8 +Oct 20 2019 15:42:53: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f] +Oct 20 2019 15:42:54: %ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\username) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f] +Aug 6 2020 11:01:37: %ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -> inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3] +Aug 6 2020 11:01:38: %ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3] diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 9fb6401ea55..94f2b616d27 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -34,6 +34,15 @@ "network.bytes": 148, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "Outside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.233.123.123" @@ -77,6 +86,15 @@ "log.offset": 200, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Inside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -119,6 +137,11 @@ "log.offset": 381, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -164,6 +187,15 @@ "log.offset": 545, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "Inside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -202,6 +234,13 @@ "input.type": "log", "log.level": "critical", "log.offset": 734, + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -242,6 +281,14 @@ "log.offset": 853, "network.iana_number": 58, "network.transport": "ipv6-icmp", + "observer.egress.interface.name": "ISP1", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "fe80::1ff:fe23:4567:890a" ], @@ -287,6 +334,11 @@ "log.offset": 989, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Inside", + "observer.ingress.interface.name": "identity", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.255.0.206", "10.12.31.51" @@ -299,5 +351,212 @@ "cisco-asa", "forwarded" ] + }, + { + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "incoming", + "cisco.asa.source_interface": "dmz2", + "destination.address": "127.3.4.5", + "destination.ip": "127.3.4.5", + "destination.port": 53, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", + "event.outcome": "allow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 1171, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "dmz2", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "127.2.3.4", + "127.3.4.5" + ], + "service.type": "cisco", + "source.address": "127.2.3.4", + "source.ip": "127.2.3.4", + "source.port": 56575, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "incoming", + "cisco.asa.source_interface": "dmz2", + "destination.address": "127.3.4.5", + "destination.ip": "127.3.4.5", + "destination.port": 53, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106100: access-list incoming permitted udp dmz2/127.2.3.4(56575)(LOCAL\\\\username) -> inside/127.3.4.5(53) hit-cnt 1 first hit [0x93d0e533, 0x578ef52f]", + "event.outcome": "allow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "input.type": "log", + "log.level": "informational", + "log.offset": 1334, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "dmz2", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "127.2.3.4", + "127.3.4.5" + ], + "service.type": "cisco", + "source.address": "127.2.3.4", + "source.ip": "127.2.3.4", + "source.port": 56575, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "106102", + "cisco.asa.rule_name": "dev_inward_client", + "cisco.asa.source_interface": "outside", + "cisco.asa.suffix": "session", + "destination.address": "10.223.223.40", + "destination.ip": "10.223.223.40", + "destination.port": 53, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106102, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-session-3-106102: access-list dev_inward_client permitted udp for user redacted outside/10.123.123.20(49721) -> inside/10.223.223.40(53) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", + "event.outcome": "allow", + "event.severity": 3, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "input.type": "log", + "log.level": "error", + "log.offset": 1514, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.123.20", + "10.223.223.40" + ], + "related.user": [ + "redacted" + ], + "service.type": "cisco", + "source.address": "10.123.123.20", + "source.ip": "10.123.123.20", + "source.port": 49721, + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "redacted" + }, + { + "cisco.asa.destination_interface": "outside", + "cisco.asa.message_id": "106103", + "cisco.asa.rule_name": "filter", + "cisco.asa.source_interface": "inside", + "destination.address": "1.2.33.40", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "CN", + "destination.geo.location.lat": 23.1167, + "destination.geo.location.lon": 113.25, + "destination.geo.region_iso_code": "CN-GD", + "destination.geo.region_name": "Guangdong", + "destination.ip": "1.2.33.40", + "destination.port": 8080, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106103, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-1-106103: access-list filter denied icmp for user joe inside/10.1.2.3(64321) -> outside/1.2.33.40(8080) hit-cnt 1 first hit [0x3c8b88c1, 0xbee595c3]", + "event.outcome": "deny", + "event.severity": 1, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "input.type": "log", + "log.level": "alert", + "log.offset": 1723, + "network.iana_number": 1, + "network.transport": "icmp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.1.2.3", + "1.2.33.40" + ], + "related.user": [ + "joe" + ], + "service.type": "cisco", + "source.address": "10.1.2.3", + "source.ip": "10.1.2.3", + "source.port": 64321, + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "joe" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json index 09cce4899fc..ea4dcecdef3 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json @@ -1,7 +1,12 @@ [ { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8256, "event.action": "firewall-rule", "event.category": [ "network" @@ -22,9 +27,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 0, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1772, "tags": [ "cisco-asa", "forwarded" @@ -32,7 +55,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11757", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1772, + "cisco.asa.mapped_source_ip": "100.66.205.104", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1772, "event.action": "firewall-rule", "event.category": [ "network" @@ -53,9 +86,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 150, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.205.104", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.205.104", + "source.ip": "100.66.205.104", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -97,8 +149,17 @@ "network.bytes": 38110, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -148,8 +209,17 @@ "network.bytes": 44010, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -199,8 +269,17 @@ "network.bytes": 7652, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.185.90", "172.31.98.44" @@ -250,8 +329,17 @@ "network.bytes": 7062, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.185.90", "172.31.98.44" @@ -301,8 +389,17 @@ "network.bytes": 5738, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.160.197", "172.31.98.44" @@ -352,8 +449,17 @@ "network.bytes": 4176, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.205.14", "172.31.98.44" @@ -403,8 +509,17 @@ "network.bytes": 1715, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.33", "172.31.98.44" @@ -454,8 +569,17 @@ "network.bytes": 45595, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.35.9", "172.31.98.44" @@ -505,8 +629,17 @@ "network.bytes": 27359, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -556,8 +689,17 @@ "network.bytes": 4457, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.218.21", "172.31.98.44" @@ -607,8 +749,17 @@ "network.bytes": 26709, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.27", "172.31.98.44" @@ -658,8 +809,17 @@ "network.bytes": 22097, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.27", "172.31.98.44" @@ -709,8 +869,17 @@ "network.bytes": 2209, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.202.211", "172.31.98.44" @@ -760,8 +929,17 @@ "network.bytes": 10404, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.15", "172.31.98.44" @@ -811,8 +989,17 @@ "network.bytes": 123694, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.15", "172.31.98.44" @@ -862,8 +1049,17 @@ "network.bytes": 35835, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.209.247", "172.31.98.44" @@ -913,8 +1109,17 @@ "network.bytes": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.35.162", "172.31.98.44" @@ -930,7 +1135,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1188, "event.action": "firewall-rule", "event.category": [ "network" @@ -951,9 +1161,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 3552, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-asa", "forwarded" @@ -961,7 +1189,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11758", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.80.32", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -982,9 +1220,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 3703, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.80.32", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.80.32", + "source.ip": "100.66.80.32", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1026,8 +1283,17 @@ "network.bytes": 148, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.80.32", "172.31.98.44" @@ -1043,7 +1309,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11759", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.252.6", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1064,9 +1340,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4071, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.252.6", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.6", + "source.ip": "100.66.252.6", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1108,8 +1403,17 @@ "network.bytes": 164, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.6", "172.31.98.44" @@ -1125,7 +1429,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8257, "event.action": "firewall-rule", "event.category": [ "network" @@ -1146,9 +1455,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4439, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1773, "tags": [ "cisco-asa", "forwarded" @@ -1156,7 +1483,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11760", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1773, + "cisco.asa.mapped_source_ip": "100.66.252.226", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1773, "event.action": "firewall-rule", "event.category": [ "network" @@ -1177,9 +1514,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4589, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.252.226", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.226", + "source.ip": "100.66.252.226", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -1187,7 +1543,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8258, "event.action": "firewall-rule", "event.category": [ "network" @@ -1208,9 +1569,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4784, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1774, "tags": [ "cisco-asa", "forwarded" @@ -1218,7 +1597,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11761", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1774, + "cisco.asa.mapped_source_ip": "100.66.252.226", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1774, "event.action": "firewall-rule", "event.category": [ "network" @@ -1239,9 +1628,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4934, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.252.226", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.226", + "source.ip": "100.66.252.226", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -1249,7 +1657,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11762", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.238.126", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1270,9 +1688,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5129, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.238.126", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.238.126", + "source.ip": "100.66.238.126", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1280,7 +1717,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11763", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.93.51", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1301,9 +1748,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5326, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.93.51", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.93.51", + "source.ip": "100.66.93.51", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1345,8 +1811,17 @@ "network.bytes": 111, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.238.126", "172.31.98.44" @@ -1396,8 +1871,17 @@ "network.bytes": 237, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.93.51", "172.31.98.44" @@ -1413,7 +1897,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8259, "event.action": "firewall-rule", "event.category": [ "network" @@ -1434,9 +1923,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5871, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1775, "tags": [ "cisco-asa", "forwarded" @@ -1444,7 +1951,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11764", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1775, + "cisco.asa.mapped_source_ip": "100.66.225.103", + "cisco.asa.mapped_source_port": 443, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1775, "event.action": "firewall-rule", "event.category": [ "network" @@ -1465,9 +1982,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6021, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.225.103", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.225.103", + "source.ip": "100.66.225.103", + "source.port": 443, "tags": [ "cisco-asa", "forwarded" @@ -1475,7 +2011,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1189, "event.action": "firewall-rule", "event.category": [ "network" @@ -1496,9 +2037,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6218, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-asa", "forwarded" @@ -1506,7 +2065,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11772", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.240.126", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1527,9 +2096,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6369, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.240.126", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.240.126", + "source.ip": "100.66.240.126", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1537,7 +2125,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11773", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.44.45", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1558,9 +2156,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6566, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.44.45", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.44.45", + "source.ip": "100.66.44.45", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1602,8 +2219,17 @@ "network.bytes": 87, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.240.126", "172.31.98.44" @@ -1653,8 +2279,17 @@ "network.bytes": 221, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.44.45", "172.31.98.44" @@ -1670,7 +2305,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8265, "event.action": "firewall-rule", "event.category": [ "network" @@ -1691,9 +2331,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7110, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1452, "tags": [ "cisco-asa", "forwarded" @@ -1701,7 +2359,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11774", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1452, + "cisco.asa.mapped_source_ip": "100.66.179.219", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1452, "event.action": "firewall-rule", "event.category": [ "network" @@ -1722,9 +2390,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7260, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.179.219", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.179.219", + "source.ip": "100.66.179.219", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -1732,7 +2419,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11775", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.157.232", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1753,9 +2450,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7455, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.157.232", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.157.232", + "source.ip": "100.66.157.232", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1763,7 +2479,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11776", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.178.133", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1784,9 +2510,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7652, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.178.133", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.178.133", + "source.ip": "100.66.178.133", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1828,8 +2573,17 @@ "network.bytes": 101, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -1879,8 +2633,17 @@ "network.bytes": 126, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.178.133", "172.31.98.44" @@ -1896,7 +2659,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8266, "event.action": "firewall-rule", "event.category": [ "network" @@ -1917,9 +2685,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8203, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1453, "tags": [ "cisco-asa", "forwarded" @@ -1927,7 +2713,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11777", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1453, + "cisco.asa.mapped_source_ip": "100.66.133.112", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1453, "event.action": "firewall-rule", "event.category": [ "network" @@ -1948,9 +2744,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8353, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.133.112", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.133.112", + "source.ip": "100.66.133.112", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -1992,8 +2807,17 @@ "network.bytes": 862, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.133.112", "172.31.98.44" @@ -2009,7 +2833,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11779", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.204.197", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -2030,9 +2864,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8733, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.204.197", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.204.197", + "source.ip": "100.66.204.197", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -2074,8 +2927,17 @@ "network.bytes": 104, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2125,8 +2987,17 @@ "network.bytes": 176, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.204.197", "172.31.98.44" @@ -2142,7 +3013,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8267, "event.action": "firewall-rule", "event.category": [ "network" @@ -2163,9 +3039,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9284, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1454, "tags": [ "cisco-asa", "forwarded" @@ -2173,7 +3067,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11780", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1454, + "cisco.asa.mapped_source_ip": "100.66.128.3", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1454, "event.action": "firewall-rule", "event.category": [ "network" @@ -2194,9 +3098,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9434, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2204,7 +3127,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8268, "event.action": "firewall-rule", "event.category": [ "network" @@ -2225,9 +3153,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9625, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1455, "tags": [ "cisco-asa", "forwarded" @@ -2235,7 +3181,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11781", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1455, + "cisco.asa.mapped_source_ip": "100.66.128.3", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1455, "event.action": "firewall-rule", "event.category": [ "network" @@ -2256,9 +3212,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9775, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2266,7 +3241,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8269, "event.action": "firewall-rule", "event.category": [ "network" @@ -2287,9 +3267,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9966, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1456, "tags": [ "cisco-asa", "forwarded" @@ -2297,7 +3295,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11782", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1456, + "cisco.asa.mapped_source_ip": "100.66.128.3", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1456, "event.action": "firewall-rule", "event.category": [ "network" @@ -2318,9 +3326,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10116, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2328,7 +3355,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11783", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.100.4", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -2349,9 +3386,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10307, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.100.4", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.100.4", + "source.ip": "100.66.100.4", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -2393,8 +3449,17 @@ "network.bytes": 104, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.100.4", "172.31.98.44" @@ -2410,7 +3475,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8270, "event.action": "firewall-rule", "event.category": [ "network" @@ -2431,9 +3501,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10675, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1457, "tags": [ "cisco-asa", "forwarded" @@ -2441,7 +3529,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11784", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1457, + "cisco.asa.mapped_source_ip": "100.66.198.40", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1457, "event.action": "firewall-rule", "event.category": [ "network" @@ -2462,9 +3560,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10825, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2472,7 +3589,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8271, "event.action": "firewall-rule", "event.category": [ "network" @@ -2493,9 +3615,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11018, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1458, "tags": [ "cisco-asa", "forwarded" @@ -2503,7 +3643,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11785", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1458, + "cisco.asa.mapped_source_ip": "100.66.198.40", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1458, "event.action": "firewall-rule", "event.category": [ "network" @@ -2524,9 +3674,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11168, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2534,7 +3703,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11786", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.1.107", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -2555,9 +3734,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11361, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.1.107", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.1.107", + "source.ip": "100.66.1.107", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -2599,8 +3797,17 @@ "network.bytes": 593, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -2616,7 +3823,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8272, "event.action": "firewall-rule", "event.category": [ "network" @@ -2637,9 +3849,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11738, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1459, "tags": [ "cisco-asa", "forwarded" @@ -2647,7 +3877,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11787", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1459, + "cisco.asa.mapped_source_ip": "100.66.198.40", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1459, "event.action": "firewall-rule", "event.category": [ "network" @@ -2668,9 +3908,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11888, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2712,8 +3971,17 @@ "network.bytes": 375, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.1.107", "172.31.98.44" @@ -2729,7 +3997,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8273, "event.action": "firewall-rule", "event.category": [ "network" @@ -2750,9 +4023,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12256, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1460, "tags": [ "cisco-asa", "forwarded" @@ -2760,7 +4051,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11788", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1460, + "cisco.asa.mapped_source_ip": "100.66.192.44", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1460, "event.action": "firewall-rule", "event.category": [ "network" @@ -2781,9 +4082,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12406, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.192.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.192.44", + "source.ip": "100.66.192.44", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2812,8 +4132,15 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12599, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -2822,7 +4149,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8277, "event.action": "firewall-rule", "event.category": [ "network" @@ -2843,9 +4175,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12769, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.156.80", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.156.80", + "source.ip": "172.31.156.80", + "source.port": 1385, "tags": [ "cisco-asa", "forwarded" @@ -2853,7 +4203,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11797", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.156.80", + "cisco.asa.mapped_destination_port": 1385, + "cisco.asa.mapped_source_ip": "100.66.19.254", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.156.80", + "destination.ip": "172.31.156.80", + "destination.port": 1385, "event.action": "firewall-rule", "event.category": [ "network" @@ -2874,9 +4234,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12920, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.19.254", + "172.31.156.80" + ], "service.type": "cisco", + "source.address": "100.66.19.254", + "source.ip": "100.66.19.254", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2905,8 +4284,15 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13115, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -2936,8 +4322,15 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13285, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -2967,8 +4360,15 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13455, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -2998,8 +4398,15 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13625, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -3029,8 +4436,15 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13795, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -3060,8 +4474,15 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13965, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -3104,8 +4525,17 @@ "network.bytes": 575, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.115.46", "172.31.156.80" @@ -3155,8 +4585,17 @@ "network.bytes": 5391, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.156.80" @@ -3172,7 +4611,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8278, "event.action": "firewall-rule", "event.category": [ "network" @@ -3193,9 +4637,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 14509, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.156.80", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.156.80", + "source.ip": "172.31.156.80", + "source.port": 1386, "tags": [ "cisco-asa", "forwarded" @@ -3203,7 +4665,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11798", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.156.80", + "cisco.asa.mapped_destination_port": 1386, + "cisco.asa.mapped_source_ip": "100.66.115.46", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.156.80", + "destination.ip": "172.31.156.80", + "destination.port": 1386, "event.action": "firewall-rule", "event.category": [ "network" @@ -3224,9 +4696,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 14660, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.115.46", + "172.31.156.80" + ], "service.type": "cisco", + "source.address": "100.66.115.46", + "source.ip": "100.66.115.46", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -3265,8 +4756,17 @@ "log.offset": 14855, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3313,8 +4813,17 @@ "log.offset": 15020, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3361,8 +4870,17 @@ "log.offset": 15185, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3409,8 +4927,17 @@ "log.offset": 15350, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3457,8 +4984,17 @@ "log.offset": 15515, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3505,8 +5041,17 @@ "log.offset": 15680, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3553,8 +5098,17 @@ "log.offset": 15845, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3601,8 +5155,17 @@ "log.offset": 16010, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3649,8 +5212,17 @@ "log.offset": 16175, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3697,8 +5269,17 @@ "log.offset": 16340, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3745,8 +5326,17 @@ "log.offset": 16505, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3793,8 +5383,17 @@ "log.offset": 16670, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3841,8 +5440,17 @@ "log.offset": 16835, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3858,7 +5466,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8279, "event.action": "firewall-rule", "event.category": [ "network" @@ -3879,9 +5492,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17000, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1275, "tags": [ "cisco-asa", "forwarded" @@ -3889,7 +5520,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11799", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1275, + "cisco.asa.mapped_source_ip": "100.66.205.99", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1275, "event.action": "firewall-rule", "event.category": [ "network" @@ -3910,9 +5551,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17150, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.205.99", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.205.99", + "source.ip": "100.66.205.99", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -3920,7 +5580,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1190, "event.action": "firewall-rule", "event.category": [ "network" @@ -3941,9 +5606,27 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17343, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-asa", "forwarded" @@ -3951,7 +5634,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11800", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.14.30", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -3972,9 +5665,28 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17494, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.14.30", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.14.30", + "source.ip": "100.66.14.30", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json index cff051f89ae..bb691462f78 100644 --- a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json @@ -24,6 +24,9 @@ "input.type": "log", "log.level": "informational", "log.offset": 0, + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "1.2.3.4" ], diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json index 0cdbce9fc70..948f6c85ab4 100644 --- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json @@ -20,8 +20,15 @@ "input.type": "log", "log.level": "debug", "log.offset": 0, + "observer.hostname": "beats", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -58,8 +65,16 @@ "network.direction": "inbound", "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "eth0", + "observer.hostname": "beats", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "related.ip": [ "10.13.12.11", "192.168.33.12" diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json index 5af2ac66dca..70df45cbf91 100644 --- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json @@ -27,6 +27,15 @@ "log.offset": 0, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "localhost", + "target.destination.hostname.local", + "Prod-host.name.addr" + ], "service.type": "cisco", "source.domain": "Prod-host.name.addr", "source.nat.ip": "10.0.55.66", @@ -65,6 +74,13 @@ "log.offset": 169, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "MYHOSTNAME", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "MYHOSTNAME" + ], "related.ip": [ "192.0.2.134", "192.0.2.15" diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json index 8747c17b868..85bfef8b52a 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json @@ -31,6 +31,14 @@ "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "LB-DMZ", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244" + ], "related.ip": [ "203.0.113.42" ], @@ -73,6 +81,13 @@ "log.offset": 201, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "localhost" + ], "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -100,7 +115,6 @@ "destination.address": "172.24.177.3", "destination.domain": "example.org", "destination.ip": "172.24.177.3", - "destination.nat.port": "80", "destination.port": 80, "event.action": "firewall-rule", "event.category": [ @@ -126,6 +140,16 @@ "log.offset": 360, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "eth0", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "wan", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "localhost", + "example.org" + ], "related.ip": [ "10.10.10.1", "172.24.177.3" diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index ce31629c9fc..fcf7d339222 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -31,6 +31,11 @@ "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.30", "192.0.0.8" @@ -76,6 +81,11 @@ "log.offset": 139, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.30", "192.0.0.8" @@ -122,6 +132,11 @@ "log.offset": 294, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.16", "192.0.0.89" @@ -168,6 +183,15 @@ "log.offset": 465, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "INT-FW01", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "INT-FW01" + ], "related.ip": [ "172.29.2.101", "192.0.2.10" @@ -214,6 +238,15 @@ "log.offset": 632, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "INT-FW01", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "INT-FW01" + ], "related.ip": [ "172.29.2.3", "192.0.2.57" @@ -229,7 +262,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 12834, "event.action": "firewall-rule", "event.category": [ "network" @@ -249,7 +287,21 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 812, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.3.42", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.3.42", + "source.ip": "10.123.3.42", + "source.port": 4952, "tags": [ "cisco-asa", "forwarded" @@ -257,7 +309,18 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.connection_id": "89743274", + "cisco.asa.destination_interface": "outside", + "cisco.asa.mapped_destination_ip": "10.123.3.42", + "cisco.asa.mapped_destination_port": 12834, + "cisco.asa.mapped_source_ip": "192.0.2.43", + "cisco.asa.mapped_source_port": 443, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "10.123.3.42", + "destination.ip": "10.123.3.42", + "destination.nat.port": "12834", + "destination.port": 4952, "event.action": "firewall-rule", "event.category": [ "network" @@ -277,7 +340,22 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 938, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.43", + "10.123.3.42" + ], "service.type": "cisco", + "source.address": "192.0.2.43", + "source.ip": "192.0.2.43", + "source.port": 443, "tags": [ "cisco-asa", "forwarded" @@ -285,7 +363,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 25882, "event.action": "firewall-rule", "event.category": [ "network" @@ -305,7 +388,21 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1110, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.1.35", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.1.35", + "source.ip": "10.123.1.35", + "source.port": 52925, "tags": [ "cisco-asa", "forwarded" @@ -313,7 +410,18 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.connection_id": "89743275", + "cisco.asa.destination_interface": "outside", + "cisco.asa.mapped_destination_ip": "10.123.1.35", + "cisco.asa.mapped_destination_port": 25882, + "cisco.asa.mapped_source_ip": "192.0.2.43", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "10.123.1.35", + "destination.ip": "10.123.1.35", + "destination.nat.port": "25882", + "destination.port": 52925, "event.action": "firewall-rule", "event.category": [ "network" @@ -333,7 +441,23 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1237, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222", + "10.123.1.35" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.nat.ip": "192.0.2.43", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -341,7 +465,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 45392, "event.action": "firewall-rule", "event.category": [ "network" @@ -361,7 +490,21 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1405, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.3.42", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.3.42", + "source.ip": "10.123.3.42", + "source.port": 4953, "tags": [ "cisco-asa", "forwarded" @@ -369,7 +512,19 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.connection_id": "89743276", + "cisco.asa.destination_interface": "outside", + "cisco.asa.mapped_destination_ip": "10.123.3.130", + "cisco.asa.mapped_destination_port": 45392, + "cisco.asa.mapped_source_ip": "192.0.2.1", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "10.123.3.42", + "destination.ip": "10.123.3.42", + "destination.nat.ip": "10.123.3.130", + "destination.nat.port": "45392", + "destination.port": 4953, "event.action": "firewall-rule", "event.category": [ "network" @@ -389,7 +544,22 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1531, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.1", + "10.123.3.42" + ], "service.type": "cisco", + "source.address": "192.0.2.1", + "source.ip": "192.0.2.1", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -430,6 +600,11 @@ "network.bytes": 140, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "10.123.1.35" @@ -480,6 +655,11 @@ "network.bytes": 9999999, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "10.123.1.35" @@ -522,6 +702,13 @@ "log.offset": 2012, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "FJSG2NRFW01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "FJSG2NRFW01" + ], "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -536,7 +723,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "192.0.0.130", + "destination.ip": "192.0.0.130", + "destination.port": 10879, "event.action": "firewall-rule", "event.category": [ "network" @@ -556,7 +748,21 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 2167, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.3.42", + "192.0.0.130" + ], "service.type": "cisco", + "source.address": "192.168.3.42", + "source.ip": "192.168.3.42", + "source.port": 4954, "tags": [ "cisco-asa", "forwarded" @@ -564,7 +770,19 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.connection_id": "89743277", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "10.0.0.130", + "cisco.asa.mapped_destination_port": 10879, + "cisco.asa.mapped_source_ip": "192.0.0.17", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "192.168.3.42", + "destination.ip": "192.168.3.42", + "destination.nat.ip": "10.0.0.130", + "destination.nat.port": "10879", + "destination.port": 4954, "event.action": "firewall-rule", "event.category": [ "network" @@ -584,7 +802,22 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 2293, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.0.17", + "192.168.3.42" + ], "service.type": "cisco", + "source.address": "192.0.0.17", + "source.ip": "192.0.0.17", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -621,6 +854,9 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.0.66", "10.1.2.60" @@ -666,6 +902,11 @@ "log.offset": 2567, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -711,6 +952,11 @@ "log.offset": 2726, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -756,6 +1002,11 @@ "log.offset": 2887, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -801,6 +1052,11 @@ "log.offset": 3048, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -846,6 +1102,11 @@ "log.offset": 3209, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -891,6 +1152,11 @@ "log.offset": 3370, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -936,6 +1202,11 @@ "log.offset": 3531, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -981,6 +1252,11 @@ "log.offset": 3692, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1026,6 +1302,11 @@ "log.offset": 3851, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.13", "192.168.33.31" @@ -1071,6 +1352,11 @@ "log.offset": 4008, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1115,6 +1401,10 @@ "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.66", "10.1.2.42" @@ -1159,6 +1449,9 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.66", "10.1.5.60" @@ -1204,6 +1497,11 @@ "log.offset": 4387, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1249,6 +1547,11 @@ "log.offset": 4546, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -1294,6 +1597,11 @@ "log.offset": 4707, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1339,6 +1647,11 @@ "log.offset": 4866, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1384,6 +1697,11 @@ "log.offset": 5022, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1429,6 +1747,11 @@ "log.offset": 5178, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.126", "10.0.0.132" @@ -1474,6 +1797,11 @@ "log.offset": 5325, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.126", "10.0.0.132" @@ -1519,6 +1847,11 @@ "log.offset": 5472, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -1564,6 +1897,11 @@ "log.offset": 5635, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1610,6 +1948,11 @@ "log.offset": 5796, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.99" @@ -1625,7 +1968,17 @@ }, { "@timestamp": "2018-12-11T08:01:24.000-02:00", + "cisco.asa.connection_id": "447235", + "cisco.asa.destination_interface": "identity", + "cisco.asa.mapped_destination_ip": "10.0.13.13", + "cisco.asa.mapped_destination_port": 80, + "cisco.asa.mapped_source_ip": "192.168.77.12", + "cisco.asa.mapped_source_port": 11180, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "10.0.13.13", + "destination.ip": "10.0.13.13", + "destination.port": 80, "event.action": "firewall-rule", "event.category": [ "network" @@ -1645,37 +1998,23 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 5967, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "identity", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", - "service.type": "cisco", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "@timestamp": "2018-12-11T08:01:24.000-02:00", - "cisco.asa.message_id": "302015", - "event.action": "firewall-rule", - "event.category": [ - "network" - ], - "event.code": 302015, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)", - "event.severity": 6, - "event.timezone": "-02:00", - "event.type": [ - "info" + "related.ip": [ + "192.168.77.12", + "10.0.13.13" ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "informational", - "log.offset": 6142, - "process.name": "", "service.type": "cisco", + "source.address": "192.168.77.12", + "source.ip": "192.168.77.12", + "source.port": 11180, "tags": [ "cisco-asa", "forwarded" @@ -1713,6 +2052,11 @@ "log.offset": 6322, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.168.1.33", @@ -1759,6 +2103,11 @@ "log.offset": 6472, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.168.1.33", @@ -1775,7 +2124,17 @@ }, { "@timestamp": "2018-12-11T08:01:31.000-02:00", + "cisco.asa.connection_id": "447236", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.mapped_destination_host": "OCSP_Server", + "cisco.asa.mapped_destination_port": 5678, + "cisco.asa.mapped_source_ip": "192.0.2.222", + "cisco.asa.mapped_source_port": 1234, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "OCSP_Server", + "destination.domain": "OCSP_Server", + "destination.port": 5678, "event.action": "firewall-rule", "event.category": [ "network" @@ -1795,8 +2154,25 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 6622, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", + "related.hosts": [ + "OCSP_Server" + ], + "related.ip": [ + "192.0.2.222" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-asa", "forwarded" @@ -1804,7 +2180,17 @@ }, { "@timestamp": "2018-12-11T08:01:31.000-02:00", + "cisco.asa.connection_id": "447236", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.mapped_destination_host": "OCSP_Server", + "cisco.asa.mapped_destination_port": 5678, + "cisco.asa.mapped_source_ip": "192.0.2.222", + "cisco.asa.mapped_source_port": 1234, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "OCSP_Server", + "destination.domain": "OCSP_Server", + "destination.port": 5678, "event.action": "firewall-rule", "event.category": [ "network" @@ -1824,8 +2210,25 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 6792, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", + "related.hosts": [ + "OCSP_Server" + ], + "related.ip": [ + "192.0.2.222" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-asa", "forwarded" @@ -1866,6 +2269,11 @@ "network.bytes": 14804, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -1915,6 +2323,11 @@ "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -1964,6 +2377,11 @@ "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -1994,20 +2412,22 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "deny", + "event.outcome": "tcp", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "info" ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7459, - "network.iana_number": 6, - "network.transport": "tcp", + "network.transport": "(no", + "observer.egress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -2038,20 +2458,22 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "deny", + "event.outcome": "tcp", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "info" ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7601, - "network.iana_number": 6, - "network.transport": "tcp", + "network.transport": "(no", + "observer.egress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -2098,6 +2520,11 @@ "log.offset": 7743, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.168.1.34", @@ -2114,7 +2541,17 @@ }, { "@timestamp": "2018-12-11T08:01:53.000-02:00", + "cisco.asa.connection_id": "447237", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.mapped_destination_ip": "192.168.1.34", + "cisco.asa.mapped_destination_port": 65000, + "cisco.asa.mapped_source_ip": "192.0.2.222", + "cisco.asa.mapped_source_port": 1234, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "192.168.1.34", + "destination.ip": "192.168.1.34", + "destination.port": 65000, "event.action": "firewall-rule", "event.category": [ "network" @@ -2134,8 +2571,23 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7894, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-asa", "forwarded" @@ -2143,7 +2595,17 @@ }, { "@timestamp": "2018-12-11T08:01:53.000-02:00", + "cisco.asa.connection_id": "447237", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.mapped_destination_ip": "192.168.1.34", + "cisco.asa.mapped_destination_port": 65000, + "cisco.asa.mapped_source_ip": "192.0.2.222", + "cisco.asa.mapped_source_port": 1234, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "192.168.1.34", + "destination.ip": "192.168.1.34", + "destination.port": 65000, "event.action": "firewall-rule", "event.category": [ "network" @@ -2163,8 +2625,23 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 8068, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-asa", "forwarded" @@ -2205,6 +2682,11 @@ "network.bytes": 11420, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -2254,6 +2736,11 @@ "network.bytes": 1416, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.44.4.4", "10.44.2.2" @@ -2295,6 +2782,14 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 8549, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2335,6 +2830,14 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 8670, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2375,6 +2878,14 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 8791, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2415,6 +2926,14 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 8912, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2455,6 +2974,14 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 9033, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2495,6 +3022,14 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 9154, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2535,6 +3070,14 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 9275, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -2575,6 +3118,14 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 9397, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -2620,6 +3171,15 @@ "log.offset": 9519, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "GIFRCHN01", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "192.0.2.95", "10.32.112.125" @@ -2663,6 +3223,14 @@ "log.offset": 9673, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Outside", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "10.2.3.5" ], @@ -2704,6 +3272,10 @@ "log.offset": 9783, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.16.30.2", "172.16.1.10" @@ -2753,6 +3325,14 @@ "log.offset": 9919, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "bad.example.com" + ], "related.ip": [ "10.1.1.45", "192.88.99.129" @@ -2806,6 +3386,11 @@ "log.offset": 10170, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outsidet", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", "192.0.2.223" @@ -2814,7 +3399,6 @@ "source.address": "10.1.1.1", "source.ip": "10.1.1.1", "source.nat.ip": "10.2.1.1", - "source.nat.port": "33340", "source.port": 33340, "tags": [ "cisco-asa", @@ -2859,6 +3443,11 @@ "log.offset": 10469, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outsidet", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", "192.0.2.223" @@ -2867,7 +3456,6 @@ "source.address": "10.1.1.1", "source.ip": "10.1.1.1", "source.nat.ip": "10.2.1.1", - "source.nat.port": "33340", "source.port": 33340, "tags": [ "cisco-asa", @@ -2900,6 +3488,9 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 10766, + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.30.30.30", "192.0.2.1" @@ -2939,6 +3530,9 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 10843, + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.5.111.32", "192.0.2.32" @@ -2979,6 +3573,10 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 10935, + "observer.egress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.69.6.39", "192.0.0.19" diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index a644fa716ac..fac83c30f27 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded gzipped contents of module/cisco. func AssetCisco() string { - return "eJzsvW1zIzeSIPx9fgUeRzznbofMttsve+Ob3QutpB7rpl+0re723sVEVICoJAmrCqgGUKToX3+BBKpYrEKREgVQ6j3Phwm3SCYSiUQi3/NbcgPrXwjjmsm/EGK4KeAXcub/mYNmileGS/EL+be/EELIG5nXBZCZVGRBRV5wMXdfJwLMSqobksOSMyCFnOvJXwiZcShy/Qv++FsiaAmb5ez/zLqCX8hcybryfwmsav/3CgGRmZKlX7FZwv6vu0x3Kapp+7fQYjsW7C4qlV/z9PqUvOIKVrQoJp2v9tffYFCC1nQOGc+3IDtUbmC9kmr7kx3oEPJhAR1MPGzCcxCGzzioDU4BVHQ9m/HbO6IBt7SsLDdo0JpLcXcc3+HfaeHXI3RmQJH/3yJ8V0RlrRhkXBhQM8ogBuWuESZpYeKhmgWQWSFXRCoCSxBmJ1o5aMMFtfDj4na+AfwgBFVdQGb/MwZSb2kJRM4QhVPGQGtyJoVRsiCvuTa4GDELakhJDVtATsyC6ztg6U+31qBS4GrhOry4xj+49Tw574Rh96CPhmZn0fvgWtKqgjxrrkwVwLP3x70CxigqdEEN5A3tLq8IzXMFWt8Dl4XU5s5Um9G6MBmK0V/IjBYaHoqzXf4e2FZShbAtpJg/FBML+i6YbMmXyAfZ5a77nWYXq8c60i72dz3XLt4pDreL094TNgsF1GQFLKGIowdYeAThobQoabGiCsgLMpVGgLGYzmacTcg7gTJnCWr9bSFXJ8T+Xw9cKXNQ1MAJWfD5wj42+HX7j7tsi1EDc6nWMXZ25mG1z9/4zl7ZR7FRU5Zc1frEf6e/P6Pk71ScEDBs536YFAKYu4BR9LWPgn+uuwoabovim74TE87KKrOLBrDQiz4778Th8uzNFf5y/4JM5rEWtKDuSuuRfaYRK5+u3nbWJltrh3QBWmUKmFS5vh8iD9DwqdZ8LiAn56dXpL94g9jM5FFNG2vWVHIFqhEu5zADoeGJ2DuvPpx/WfaORfhPe+dPe+dPe+eLtnfIRw3k4uzafzQR1Ex49acZdKAZFCLnE7aPWnQ7n9+DBf60nfbjtM0WfTr/aVn9aVn9aVltLbjXstLAasVNiGnk9Hdg4wv2lntPV17TR+Jee7jkwr7Su51HX7h1lxLFO1l3XOqo1t3lu+utgBnZacRR1H+zgt/jybqjHmgfV6ddW+g7eWhGGS/CfLzTgru+OLvfiTQLESPJasHZwolHb20qmIHS5NlsIxRPyPXbN1cn5Pp/X58QKqyK0wM7k8osnk/I6QY4o4JMgVCyoCpHwetipSeEkkpJI5ksTggKsdKFWeWsL22ter/WBkqi5cxYIBNyaUgOQhrYUv+9jGe01i3t3U/7L5Tb5mTAgj6iO2kttEnPLpBLUCvFjX2uVA0Dfh0e0p7Ls+OguizUhJo3puNqAQrwM/+EkQXVZAogiJxqUEvIh/tTW7HhfZsZXr6dWxm/W4i1oNvKyvjqY+uHlujocXreO+ZdK+y6Vb1T+WCttBtYWyuu1tYIloTRytSe/oqu2ouD1h6TJWi7aWk/74Em5LWck3OwT5oKb8TB4n2kDt1OAxcNTavnssiAPcKJqe9J7m48k8LYB9neDy60ocI0aOggjoaXhyCYU9P/YIidt+7tEoQaL05p41UjC240oeQtmN+4EfYZ8Kc/GbBGu1m9kHWREwFLUFaCNnxXUaWBvAFDLWrU5YZslnr2Ws71iyvKbsDo5wPw51wBM8X6xHkeuEXrPThh4ThcdNCcBAk5tDruRsmB8dSj5DlUChiaShaTHGbcKgxSFIiWodPCqu9VGKtSz/tKdlwO9Gf8xt/zy/PvyZIWtb/xrUruvgW3lBmre7jzUoODwN1xVNcct+D37HFUVBnO6oIq/L0/2MkoZwxAH8QpIc4YQB7nlNEjWR73TF7+eSa7z8SumuZAHnZ95fT3DDfSP5Yng92SHiL0kqOmwOm+TxE3S7ZU9/9hmGlDDZQgzFNEjtY5NxkraO8OPxH0QJieb+6JILYY+JueCGJcHIZYWo2pkRxPl9NyoIdIj7Rkm4GLFcSyoUb0mpCd2fli4xaw2Az0kIGS8DAroqeHDKDvsSLGqTgIuR6FiqLjVQmSz5FrsM1I5CMBCt6bfOwYanU9iDY0+/d/Wm8btWdSMPs4UCOfumU7Im6WPK047FL3zC7DZ5zR7n1+Lecu0tDkstQiB4XOUvCCarD1Gb+FnGgwFsjWj7fX0OMGS3MIA9gPNljaQxiAvtehDD2B8f1LhzHmYF/3oMn9aDAIpifhy1+lNl0RWfQ5UoPIuZg3H+oQ23R8SF8OffkhDDb40ShhL6+WPzY5FqPXvU/cwe6N/FKJu/w5NXl//n+XvIN4cxLZ0JcLzpHW9ZblhJI5X4JonWRfriJgSXSY/yKtBZI/ReXvy4hojDo0ZLXOFHxOcNbd4CEeMO57ukYqX7ilyRVepBPvzTaUfFhXQBgdSpApEOBmAYp8vBTm+5+JVORVIan54SWZUo1c1ATIZnxeK1T99uz7EHX3C943hkHTGZ8R/AvBFLijWMfNyl+8g0GqFVV5MqWuI9E62+5S8vLq05a+R4mCgvaPlDS5Le4R9Whjoj04TvX1//bfUvE5x6oL95ttbWUPHVLpXzsSIy6vPv0cIEE4J4dEIEGL0ZDKMV6fDaMOFcdDX58F0BzUUWLXv+JS5PL8IVFSh283WIpgDouVPmknW8Gy5H422ihalxtFCy+KNV3OZFEAM1J9iQLYUu8Rcm4sz3FNmCMd5BbTLUX1teyrLWQHoZ+gxVey6VNRVUupMdmtlIJM14NDI0TB5xo0lj9pXlbF2p+T/TIm6gJlC6J5DuTZd8QsVE1e/vTTc7KimmgA0a6ygxJPQnm9AyV0JYWGdKRgXwxXMFmLtiRO1OXUCT17lXUQAnlGp3IJHWJwEcysbMSbNgpoOXp/2BfDNo9MKsh53dfTYhDqq5Dm2DoW+Ixw88/65Xff/1U7kf6iQgHaIP3PwW7+ae3B13QNirwkF4LRSteFi6xYk/Jecj0E/YHBj0BuZWiVH16Sf7XbPSE//ED+lTCprL6Mu/CLnpD/Vpj/Yb/INdkmylfBIxQyD5QLPxFbV6wgY7QoppTdpNWAHXJNwQA1zq6wRASRV5ILg6aJgXCCMzJHBkrJRPlpG31QV8A4LRBjxFQbqaxmLdZO67AfLGnBc8cYIaQImcla5PaFKQCR52LulaO9yYvbN2IAOUYs0F+HHWGjkVNYF5LmT+Wd8+gQzf8AUoJRnAWsDm8Kd7+MtrB77hshbJ99ajYarZw1xzYhv8qVPZqhzckFkcoaY0aSG4BqD9GexIv3hRBNSSwGW/I8y1NFXS8ayTMHgfWyGsuqamdHe7twyZWpaWGN9i3fuwi4OHjJrdmNsXIkhtuFv+qX50RZaa3RoYJEo2oOpv3aXkpolSjp6dEp0VTr76KEShIKGgr+y/PG9/oeSmmAXHt+ZwrwoZ2uxwQlwT4jLhDzBQRe/EqZrgqeMrPhSZvzmg/U/iehm1mZm5Df8dbZN6Ap0/Rc11gt/gn5rxFhdOJlxotHiNHbVa1xdHV2euV1X1+Uy8tKqr7GS/CJ/OLSIOqn4f7wDRrQEEfTPeRK3Tbl681PNga703PQMp+Qlz/9TFZI9xKoILQowr4CdOqjmrTxH5EVKHBgscEH1YZI0SsX2Sbio6uJXzYRA3c1RdjW0+43qXIkHGY1AVsIWcj5uh+Im3E10GIJ+YmwBVWUGUdEe6nXiD86zQWphc/pKbZ85qMVtbELul2gPmUQYUfsEi2K0iqZUjRhBEVXozINJWtPraQMNVYXoxDe5yAZq1UDURsqcqpyIqQqacH/COX3SlUG6ZP7LIeDSSTr6eBJuheRNli3yLwo+AxwxwEDXwOTIh9RsDfHnWmT0s+yY0NcMFlWBZggA4w6USkq8Ebxnhjs1Jsp80iMfG3XDrLzGCtvc+Yo+5VSmEWkY9rUp8bKedlkOeWPRPgLkacguwX5hxSpuy3sEIt29UbFdOm1H/oUHoioZDf6lBi4Nf7ykSUo3SmnyHflgQXO96HMtgYaa5ubMj0mVQ55unfQJ9n4Z0q3KzY6RpNp036xG18fvlZKlhOEWmNRvmYgqOLSqfVlXRj+reGgCK2qoql+2fSyKamg81BpLiEFhne22vo0raQIN19rIlfCRcYMLau+Z9BjjJ03lRwmH3GjCVtwa93IHPSEvKm1QTOpC9TeSmpG8nKpgQMPaacAm80s3ks4hiaEh9ws6GiHraBAMMcQ1KrWOV/y3Go2yA9hQXbdCLIPPeKFN3lbcXW0HW7O08WCbi0nclOsm75XRqK+ZpFybRl3+kYjHvqoC+fESuNWnk0GS7bpZLKOLYHKgSL3UIgt/WNfFdQgP9dQH42VLHc7LtrIxxXVBJHIR/gGkfs+NlEjKgVbBE0g0+alSfD6zssUuFZZAlSrLIX2XMUURdtAX0aHmkBX6rwij2NC9szH4BszeC7v9eYcKjb3ybVDggWbB6LXDSG2I4iygRIfQ7HWdZE67DRiRcnaMFnCC4dDa7xgVvagASaxfOFIsGVAjjAILGHQCPdoG2tW90WAncjOLpdP2uLFQe9A90q3lS4WGsadKmB8xjeGT1i79U3cR3jK68rps5kCB9C6GHm+KZhoXFS5D7IE8fZm87EO4dO2ld61BKUi7659aizXTUJA369GfF/Y3ugEslUlqSupeUTBcSfeQnNa5K7DFKbyN3d3tAtPXZhhq+zHEkWiLkFxdl9ZFNzbEarYdmysW8nW3gwnltz9HmxtCSKXyifM7tyZnP7+CN1rmtBuoKF5F7H0teADclsJuhsxJ+lT9qr7anghfdW/FzPey7WgbW6xkIZQHBBhkQwn0BZynjWJKo8i1BtGvLdQP0bPlC3Z93dMt8Ku1Sg+woq/LDhbp749O+TCFSLgm2uLYj0il4NjlhIT8H1dACIWFqdSGLhNrbG2CF0K56/b9EOlea7t/+GjSosGoVADmD2PM1tQMYdMwCq1LBgLXMKqE+pHJcQYxae1gY6EGOboa4e61da7z19YdOiqPzvs4VYLK3iytpW7iIaGYD+/yCHT1d8Cxi1WgFmCNQ0H9SbnSy1BTcg1uEOpNagJnQO28vaZ7jOpGhwGsBswTm9nbtyW+32nb4VUZKrkyn7W/NXrms7sGu0nfZlfUWViu+lawLE9Kv5OyUF16LHulCzyVm1MdaVkBT6gmOotPhWEFqBMm12kNov6v7nwlhcfnSYAmIQUUJhzIqT4VkEFaMnsyn5As+GYTw6rlbIXprVX8CRRj3vBXYStCf8MdrbiZuGVZSfryTkuOMVqE0Gk+HYu7X/veAlQSckCimPCfdNOMPAFImCRlDNipYPhoCfkeiNT+oMNupVVaTA+c+V8tbZGjCsZdck2uRe/nvCUsKLWpmFI/4/BMeFPuLYn6WuivX/DKr746bgKdHTtx92wsEXv2jKlU8q+3md4WSzPEQtCtZaMo7/UnkbQnsQDe81v4BdCSbVYa85oQXKub05IpXAmCg4R+zqsKFNFD6m9vOdD7+psFC3BgNKkohq7eGls5OB6ETBZllaKya2g/bC0ZmseGhk+Te49eCyNr3OGCR4mJ76ZLKt6eAcTHBslKy5yufL5tEwKBpU5aTMpRokx2OasLoo1+VzTwjk/c1lSLrzUEJ2FCjnydHW9nrHUpR1btyrhay5uIPe1QE0iOtXonfIGiv3kqxa1Cc93HVwx6AqRVNR1Jzs5t0QfgQa9d9ePhde7ynteyfWwXU8bdAZV8v5gp9QuVr8mYuv4f7em/UNkTXvGi/R3vN3yK1ytvcYK8poBaSJHEHa3aVCcFlngNU32iFzjko3a3H8fOw+gfWFG/QLAbvRBLQdieIz96vahW1C9aG+oVQsDVYY1W7jM36bGpi0zPGsg9VqE2Y20y0y0YvZX7b+HlabEynNBOObc1YIVQJX9EzbC26DmCwg3Q/BcYef+6IMTfvWwz9OTfrGYLKfNJF0523qwfNmousfrhaNej+3p62ojiMC4x+84AdLAlThzq7uejOOeUmfBJXeNt+RzXubLc/LWSZpnvnEDcdP2fNGvxe15WK92DujH8OV33M+X50hSX/LWiomh92A7IufSAN0WJo6JrCxYcR02Upd6nbKX/XZU1xdoO3Vhpx97ZCxy4kt3tpmRe3m+V5ON5Z/bo8laxF6KfKPRTsiZq8/0/U4L98FubRYRVNvf+P4r746b1qat3JSmfYxqUYB2lJHuQVlJsqSK02kxqAJ0TRm4IFVBRwSBBqGT9kfZOtCuqupWnlhJZTWMpr6Q23O+fnF51dehiW8Z6zwKY3XZBw4UvHMt5CbS4pAkl8KQaz4XFIXFCItWUqVsXvv1QH5ZJr1qdDeJXR3xPy0i3bHTlstyGWCct+8+EC5YUedgxZkfZOtG4D+7aAYYXzmHiAOL0nsS9otgZO7osU10Tm2eljBmXN9YlfsAvO5RitdxY771T8N7rm92hFyN4vM5qHQj7MIk+9SNBXgc3IhmBXohi9xyj7PVRyaNboXej+BZGMbevVR+9t7pGM/bZhyX5+EykjtH55ksq+zIeVd4Kj73Cse4Ov+erqffWnSkwPrUmZvNnddszErzaukjZY11MW+lpVTYecDK9Qa/kSlxfhD5oyiAw676M5x97h4iu4mR1sjPrBCl5A1lTT/lsHJrRdBR7Rgpvm0UVLVbCjlbM/pQawVUR88N1oaaOpbi3PqjKC8ezeywi0/lLeH5i/H3y76s9TEwtBh9HDQ+dnfBYhG+us07lnj63oDJz4dz9w55zriQdawYZ6eORM+j3ykrSWM6HQYe2R8jA07dmXGLJU6Lwso9omvGQOtZXZALuz5hMgdtWaJp9hu2LLjI4TYyAQquzWGa5wNlCy6MpphqkJiCwvhmSRUvMIMn4MFz8XcxJxSJ+K39bXBnIgEfyqlrLvRIGrFfnTxr8zkrULryRbdOwgxI5lWETUJ80+Hp+UiRoXNzDd/j1AklTvlqk7y8r8p9235IudAkB0N5EXAyTGVtOr8b2Zosjp6b2XhsaZvHhniMP6QGyqpIls1zSnKYUR8C8p0vmxi+z9a0WvESVEHXWMhlpH9cybPAjbQfoNXtfw2zpgrc+eq14abGxowkuLGNbTBs2PTQ6xo1itXx7zAaG9MEsorJsrT3KQ0bnTnohHeSfSsllzx3/rOmi1wJejQRKpfs8EDj/b1lr3ix0RpZNy8vrBrcVpj09Diyvlk9raz/XU4P9DsdvL3/Jac+ABO+XRVP1zj3HBOK3clfX12Sy4FC1UUjWddaX12yG4OIhV1tNew8qiF9H3+Yz60OK/dORGRTmaeu+BpU3PWVDo8LsbiMqEeL+N0SXMjgCJXnHRewLx12CbRtPITPed6GckaceGVsq3FQBh7h5Y+n5LX7ruqUz1Qz3fvqo+ue0wSiMFnjFljd9SK41K8phMpbmy5MuxI3juAICXrF822HSFtdSZeUF3QYyCCtK5xgfeUMlBqZtODu0CG+/nhxN2+slL4BlAvADrbk0w00n09GJCIvs2md5+vo/hleZlHrgDpwaw2HNTrf6aWKD1FxGbHLQa/ELtP1MQoSuO5mr7qeq7TOuWkr6zZ90TxGocF2m4oNJ0o24YXdm3RZYrEpuDyaVX726YI887USn+rC6spTXmABB+aBXdxWUttvPiffDh0Noh+FuRFyJbYMIQ2sxmYWy23oI5M2GT2CC66fFnrWVLm/9aVJr2FO2Zp8HDXXCj5V9DGK8v3CWyTmgpSUi5miJexMx6iowqm96fskbCmXV7gseStzlxy9aQvYyToLIEX2aF+YKmAJkcpC2u4b9xZW5NdaoCn5RuZQkGdcLCffnBAu2QmZ2v8D+39U0GKtuZ58E44vGlZls4IOJufH1qG2NfyzK4KLoq8L5eS6GX4lZzsbNRiZFFP316nHs2mDoEFZRg4itCzjyt0eZp/e/EYVkA8uAfibbz69+e30/cU337ic2yVVlI/y5Eqqm5gly3sv2G/Ngt0I26gTjIrYSoSv2YnbpaR9Diizz8U6gQkzkwqE5iymAOm4khJgXMb3ggTiA7GAZivKh8OJH+wdwN7nsYHa6xO7RF3X00SXwkxzbVTsynes107mEOu+pdHe0abmI52T9NBil81gsIFK44tNNnUvvt7FgpjxUUdTs9VkjthDtxrsRhTYZr+8JyyUD+4neH/HhUXe6//vh6tuVGY3+e9RWCzv+Og9IjuRfBTmaOK4u/CT8ghJW1sn27FLn5k2o73JssM+mc/R7Tbg3P2R6aZlNT9GPAyLvmaUF5bWTTOXKy8zLs+7tW3YicuagwbmgRYG41mFTc51ZlXEA/ZzSOI1plv76qMzWZa16HuiBtiJwxo3PRS7t3Br/g5hnbrFTR+mWT8Ut2sq8n+X4ajZBjdDDT9EMjwYu+HCW8jpWleccRktS/RYFjxiv6JKDIMOTx11Lcoqk6mE8fXbN1fknfOjbpJSw4h8PmoqwfV/vCafa1AjvVvrQmQK+p060yY3dByia/K+KToLpnW1WjqL+JB2gcrYYwQs0Oogx9E+qCYQHHsw3Dz+gAZaUFUmOC0LNoF7gVYRC5BboHUebSrtFsy43a62QOfU9LXCh8KdgmCLkqpYZSUt3HVFB+OLHxx9omyQThUFZraIzgsMZnELqFrAszm2WkoAVk5/TwC1otEnYbiOU9HZC4PuGY/94PjObSVY1TM60iKjDAejxC8/sbC1iGi8dwBP59XyR3FrFtHfdyYyZlSW66h91zvQLeTDIk93ALwsaHSJITIQcy4iFkUOQafIjRbZLNMrblh0+SGyWSFXmpbxc1e6sIVZpoOeIOrCRMZFSnHCRQWqnK6jJbwPYFfsJg3wJS1S8AqvskpJI7P4ISmEvvwxQ49jfNhFsrtZyHmWpyC2BRw//42JrKS3mTGx3AbbgC1HF5DgUSi5SIQ0F+mQrgqdFdMiix0W3YL9XULg0TuDd2DH7oXYhR27qrcL+6eEsH9OCPtfEsL+7wlh/zUNbCOrgk4hhUhpocc3z0RW1gUq39N1gneyAV7dJNBLyrrg87JKo31bLZMW89hJSB4yT6GUaPjM4vtGRKZdQmKCE9SKpbEmLeA01qRe67pKMIuUibasOompaqSxpgfcJhAhRhprmKWCjWZNEuC14LeCCqmBJWDC5c+WKokeheXPsjILoHkCt5osq4wVCXzYFnCCIAnCVdO1ie8WtZB1EshVnSWIaTDFDWe0SFBApDM6B8HWEbOuurAFLdZ/QD5NgfcywzagSSC7djBpsHaJtUmgT+fV8uc0PmidTbn5a5JGY0xncWfF9QArGV1U6yTXHKECU/Gr3LTz8UebtdUBDGbh/PzxnSMOOKp9SYC7bvLxOsh1YM94ASlsGJ3NUhwin8Uszt4GnEI30BmvMEkxSyLqeLX8MdemGjTzjwRbK5YEdsFnkMKM0ehoLiHn0QpGt2FzkYZLSpnXBWgmU1DbA+fzBLJJVnpFTdSZ/x3ooQzyKIAVzLk2isb3hGxgJ9D4FFSpSK2S0VpjJ3KVSL66zHzH4gmgGwW0TKBIulKgVGinU65XC8l15ibMxoe+poomYfB8pBA2BuSlm28fGy7Xhoroc45zbaa1ijUssIEKblZQCqh1dFzj69FNTXJssDi5YRZ/2PWhnQZ2wZzTPI99B3geO6zatA5K8BbxMmNKyjJJVyILOIGZxsssTXKk73iUgszVTfT2TJWO37KUV7pSPDLQghpu6ujZZwUXEK/FzgaqjjpRp4WLxbfx3VqFdF1Ps1khoz/nLfAEKf/W5o0udSzQBBLH2tAJUI2em1DIeRLWFfMkF7iSKrYAK6f1PMU1K7lmKcRCqZMwbIo5EAIMNleKDje6DHcNoGNn/DmosdPxxGoV2wJJUlEm3QDo6JaojK8ZScXnWWAe14PhrgSo+G9WlbmhvNHBRp1MvQHrRrwmYbIEhZt+Jk5sYeDBxpYGVeYcSdHRpVrbDzO2iFXnPwANtxWPHgioQJVzRYUZ9NyNAXmVBHD8p9d1Ivv4sTcFNAJgJecZ1VXEgQFd0IrGhqqAFin0OwUM6eC6jiYCHp/IFnLcFq4dyFLlCTCO78jUCXzD2vmGE+QDaIidCOAGHicwTjR8js8AoQat0aAmMKU0nycQvLqK7WXTiqW4B4rl0RVprVioK24EwCbeiK0uzFpH76q5ZCJ2oURwWuxDgbomnbG3b+YmPls5oPEjeu1Mz9hw11X0bq11Pk2Sh16rIsFbWGtQWc5jV70nGVvRRIZSkMEwbWgZ2xu8zLjQhs4SaAZLrkwKNXxZiQStm4xUtYjpZg21RQt0FD2tjSTva0EGS7fZIwmH5X2iBc/JmYKcG3JGVe67GWps/x5Gx03OSkilsQmhCAaH6BPsb8BkQUKlOm0+BBfpKHdRVoVcw2Cw4F76zWQdran3HXnM0tD5jHDemYI53JKS9hstbGKxYl73h4EkR7LgGoczNKv7o8cGSkTXVSWVIcPGo4SsFtQQbkilYDbGCg9Iy73PEIoQ4b3V0aJAuPCd3Uf6QhdcpJ7I30HVrtbFUxMj52AWoCab7+uFrAcvGiEClqDacURGkooqDeQNGIoTwd1dpS0Jnr2Wc/3iypW9PifnfsTXCTGLwJQibAb8HvzoY0RbkLdgfuNGgA6f85CpkxBvhiO721uEi7vNaqCKLSZc8CB+OHP3CP21e+ITZ2FgMsSLgtYCZ/3Oa5zj2jRxDzdw7/Vr37Gn9O242z21Tbj9/OIRY98eRBaxpulunVdxWfIBbg3eijF3wTGmUY8IpM3gurc4oVoUIxMvsXtuwnHg2D9XgyEKPtegzY6m3YdnK9+/V75TGXAsj1vVSey+R6rNO912p+zCyWGEsbGtv2OHdv1LcOcxZ//vn29oF7s8b4QCrh3mDbQa4iXx3pOF7eMypRqIS9dusSGDW9Wekv/F4+Ar2lHwLeZSufb1QTISQjXRADjujO6eV6Wo0JQdYbzvoMO0W1qg2rthGlYrnIC2C+kKVMmdunEspDdLusEcfMkLmAMpYAkFoVrzuXAHt5nXH2Z9bMn8iPIb19/B6dNHmfRsMasF/1xDf0wiDV++Dr6HdUw8bApKo9Hw3F1IJoUAzK0gK24WY4KCkEBlSKuxKziovOjepoUlJ8qT9okq5JwzWhCLwYjpg1g8Lna41MiYxsejXbVY6zB6nXS2lexltcZ+4GnBqc4WMrlN4Iy41lzDWSqboUZWKnZH8IT7ARB3aSy2+Kb5QSysAKomp4WW1hDfum/nGCwnv/pfTMipWLf/GkA3aMtrYQjNJ0yWVW1AhcVwEje+3Vg68+yr/lngjMWtA+Hmn/XL777/q7V9zzvH0VDsqyDank+zuBGzuzpu6BoU+ZfWJ6dfeDQQufCtj13/k57nxQbnLa7feR4HJi/vk21f9wem2HUm5O27Dxd276DAOU/QX5pzzRRUVLC11Sq9elb0c0EIUuiEfHjzC7kU5oeXJ+Ty7fnFf/5CPl4K8/OP5NlqsSYCuFmAImwhtR+VJpUCZvBb3//8P/+/518HKQJmkVDG9emBMnVS0vA4Hp2Y++55za8dL142SIWveP60kO7Kpj2YH9gw7s4PfAjfnmK6sU4+cWVqWpDXp2+DyP4hBaTzZR3GGf9HCpiEaWvR/WJEKG5kv/DEI3iKb/COc5hTAyv6CCPSkbuvyGmeK/TTOi4PodM+vaysDo1zPjQWcnn25sq9SqPhsZLqI0Y/tpxKTlP1bze5vLKojHi/LA0PnAQRhYZ27XEaNppY5qZrHVdAdNClec7tl2mxCdh2ZvmH37kjMoA1CfGCS3/Dz7dZYIDKJtc6iV531yeNkrcewyupTCuSB0I3xwAbHgA36/2SVx+Z9m4/XMybx6TZ1psxwgsI2Y3H8uJ67NDypVpLxq3K6fxGAx2HWLmsqJjDpDWdmBQzPq8V5GS6RpggcswaCsuZ6sDWA4Oi0RFtObjoLEG/gyKi7t8t4YruAFBQSgOZz+yOn2cUn7S50BnNXCp+AtCVUWmAzxKwxCxBtXCR4jqk6n9SJSAqzbPGE5dOLe9b8HYfk/5qXWfCI2iwF2YBSoAhH9YVnJCPzTP2Gh1gP5CrxgE2eAnejWlqzaieIygTI6Zxg7T3i58QWhRBZaLafBET3KjCxLwlKPsGcmEk0QYfcy7Ix8tRgcIwQTaZvIousi1QWSUY+2YBK9CxM3ot2AQlLu5FjJ2Kjv72BNi60QpZAWIefVIk4myVj4Ra6IgG6lQeWnQCMIIwTCeYEUpeSbWiKh/O6SbkdI7JXopQe+NvMZduCmYFIMKqZ+SuifeNcUtDi26oziFDsGU8ZkYMdsiFz3PFtISSGyuW/IiN8BaXBRXHiOPfwUHZJIh0XJSDDW67LDeRlKW1YOdowG6/PLEjlcCwC8EyXj+4u0XsqTKc1QVVBPtFkwaJZxe3v7yWczmbhae/A8vMApIf7xayH+yC7jZ28L6weFt0T2uzAGF8svgo2rqO2Tnhbgk9bslx1D9qUKMIy9oweVxK+yXHEb6uGQOtR3DGzuOHNUc7LPEE8SJWxZ1LtSaBwoQBbscQTls4Qg9HK5UwwKcrKey7YuVWSDlsf0gGitL2rpbx+tGNvJuUuK6lWDNQcMjb/Xg/TE8f5oJobuqA/CRYXABeRHuoC6oJzWVlXxezAK6IXInNkTnCGXorhSxH8mpxJofmrkX9cZUIq9xzkVv5I5VuCUDJK14AOfWITQZkuIuzV7Qbc3dyNGG83f+jpCuMkuDaZy3EpUJojwFCxKx3fwAhXL7eta/XiE2J8YTQqUxZPRDY/BQWdMlljdolk2WlZMlHMhTh2MhdCDotsIhsRs5248bFshU7CZHsY7ildZIgAlsYRh0ucwCCgfVb/FKfbueV3dy3UbbblFnWwvTL2WJr9DmWgWfsELP+TloQvsdzEKA4a7aEBMFEv35qATcLfGpDs92IR3bCvp9oo8aDn82eDmm79Wh7erl7T169cGsl3FfQNG2NcMNL0FauO21PQQWjQSR/CtGaQuw9CGw8+MBjUHdkrUN6dz8aa/1wtz19n+loQ07vvDXvMN63w8HecMcbgXAHYfDl7u7l3t2po56du2hR9qb2n1y0XqrHESB75HgrQL5cdvxh/5HFGm1wnCO7m3xUR5UgMe/YHeTHUdkx5t4GzNgq9ViC1vNTR6/cqc0iK8Es5CNESeiWJ5k4NPzXRg8ceykpmdTrtCOq814W3l9rEdnBl4k8If85+em778iz1+enV8/JOdeGi3nN9QJyLIUP4lLIuUzeF2hXJAyzZWcOD3/M+MWRjDElE3sVd9V/2lMNYdDeGPTIRxv6fJ/rwjDtv6377Tj+EKdQzJSKUJv0TaYYLWJ1p+tt5D3Nea3dCkQqonnJC6qceLJi094hhu96uLwK77nm+TE7jXQz5T9aRmi8iL2+mJtLnq7O4lTsuusY1vCVhh3/r3cS4ScDXvCOG+iUZeRhV6ZUKRMDBiEbJLVUcyr4HzuyqkU6VrgrsQ+gdJenRsg94ypYS5qo688ruxy+Fq7Fl+tdtJXV/CvQwiwYVUAqBbksuaDBgruOeLqihoMwem96fEGPudvX9FE361o/QpWIce3V+doKrooqg82QNlvdLVaP2OzIC5u7SNQZ5KCogTyLllS2gz+s8HnVrNgGz66UXPK8bR7mv0erqvCa6oAxfPMf+6xt67RhBWezSZ4faZftkr7Xn1mPbDM4PBQzJ5fcRc8XfcV9pAVcq3TGHAp+X80TblFn6vyoUwk9D2zU6aiosVJNtJHKSXwLrQRDcbWv8VsT+62vw7sveZ4XcDwp9wbXu6ucCxxvR+4dJOea8RjH2e6VX63TYUism+jsCakKao/Mvs9SERBMrasxLz+mQh7BnrxDBp1qbctfpTbkDWULLkZMupwmkhxf9Wn9UWCmf6XAig+rH7kmZ3pCXue0Ip/wH04/yqVwdaf/HD6eZEGXYDWnAqgin2tQa4I9CHUlhYZGowoXp9r9Zvib48hL3wOPWciKN10ghdu+68s3jmezpSOgumGg97456l0xxSlPaR1mfR5vWktvNTGytqF/eLkmqhYiaMfqk/blcZFn10ZqpMbOQ8y8hZn+IChZcZHLlSa6AsZnnNlPTkJ1gj5PdnhB7PYcvpucG/IMO8KCYJtnCEOXzzvUIrXAd/w1zClbk496u/FtG4Et+4W00bNr7QpHMNhHXvuuqYWoYK0aMpl9EQcUb/sABKr/typNsZxnSL7tbadXqMe68zr1OrBj3GGQ0fxvDtjscfJ6x7bqM3y9672RdRe49fEuoMPdHMdh1wYMts9mk5DpjmFwQuGGFPuLn7FsIOZIwNEKN9xyDjMuvK8ehRN29StpNdJ0ELE7qFAsEW4bB0xP/YstGFufbeq9+15KI70pWx+2MZQtyiO3wN+sigQnA+uoexxJhrxMuYg3QSzq3bBbxqLCtI9nQEh1y3bwWFwb7U15f2Bq5wDrtG/fHqwrqhqesn8+2WxlteCDVurE3g5ry7rk9zttz0SfWeLaWki1Tnfgf9MVFf+2t2NMg8h2F/VGPQ89TZYsf3uB0Pfs7dFUosGumn7ru3c1ygUZCKNkdYjoyGU9HTgX7sTjfk1rbcOecgTE0VV3HPcensmyomLd3ke8djhO39krS1D2Gcq4mMmwUkD1TeoaoT3yo2dFNpitIG1X9NnnVDkCr+qiWJP/qGnBZxxyco51z845GERlBdOMSXnDHyno/htMiVt/Yz/TYkybj95tdhMOr2qDKveBI0z33/X37RJ+yo53Rzuf/IR8WFdu6xvPgSWOO8Hxw1Mwy6I2k+2hbXFwjgj1tQ61re0jcwxXXatcbmPnPIuVVI23H0PM71+PHHmnV05kdmpoUaWdQ7SDFHblvZ77Bk0lZSJNZBspu449D1JRE3ZNMpFRHTPa3wGsfDl9ZMi1KiIecwdqxFNpjdGsVrG8IR2YGlRG5/Fsyg3o6M/TNuio6Y/boD3XJxAscGtAoGoV3zix8KNxc6voLRT0UmVia1RuiWPUEm7J3A+4LKpXL/x/n3kUXvj/8HlNIbc/LUCFs/P8dh4xeu420w2eo8e1M2ptsJ3cD0SzJhUXM1BqJO463PdR9tVV/PeSPuiePQKSTV/iWecYAlcKw9oy6ZUKLHE09rtwcXvLdh8wg1h1//QPGCZojQ/85NUC1HH8EVZn9xlPz85w9ONzcobrh1EDZY7ULGWEzmeg/PBP2MrC3NGcF5KGjjuE7By4XfRr3ekUvfOk+R+HeiXv3xolfNrkmv8R9tbwm0Qy5fIfF0TAXBruDrBaUD0yAUqzY7cV6hylW3x8uKA96mQToAYJLj0eaxqnN/U34YQUzefHqKjY7m/UTj38MDpo2UoTrnUdXelEyJgslc5b97AYCmIISiX1gQ4OpSs9L+zi5BqD07uk01EyJNrO4D6K/OwaUzt3P0Yd6XkYkveXnjtwHBehWhfZMuWL3g+pekd2EJk8s6xH6+htGnUqwPwGvEWdqLnBV5txJd0HCWXrj0RjvE4qcnl9+o83V+TKvlPknRiZvrLBNlEl9SHYfljJMLYohtgC2I0+yIl8NyGctgdZaOhc26+zbRGGaaB+BOFGCu7QckHxQVPIR1ByHR5tV5BRowFxNtTUR5vw2cVySQueO0YMINEXhEfrar1LECLFbmCt+2I7Euc3CaSRYS+MqXTGcQZtEtB4lCkIwugTuE18LprKF6m4We+5UUyWZdI+cXfE2+HhHULhEvwVV1D0Lc3YLpZVQUWm9WMNvLUrOxn+m99tU6MVxNaVGmeV5MdIqw4h7DAgiAEiFbYGkKxsQYUYNM5I3W7Kr4qIjMRsj9S2uX1Y/MzD316fvvXv3ove8u2DYqTq+/6j92zj+iZbyqJORYDTZo6z8HNu2snYzTjfWnCjyTOHhH6O3TqwsLeZqNsDTxDp4G6KOpE0e+1x/Si48ekCk+2igyUozBSY1QVhUjCojDWUr90ZjrRXWK1SSl9HeGuwNyO0LaKVVIZIS99f//00lIIbJHtsvpNqfvwEy36BwZaLdUpds5Ngo5i/X7y7urwib+htyUXejvUOH6vd29HTMLeGKI5sy29jsLtd22rVp3DJYvT0bFflmM2OV7D52EX4zZaTqx1bzjIvlS/PfZdej8VODIvjHcoj9wpodlz+l68bbgtzRD7UJGPfbvSXWBP6kbIb/bhqtOLboG7pintPiK4DKepUk79po6SY/9u0oOym4NpA/rcX/m8n7adczICFP5pxBStaBBUZOi06vyFU5ERLMsKWCuZcG7W2lv0xhUVFzcI3629xIH0cBkiiU+pYaLpCaFevxaTqdCFv9ckWcxBGrf/yfwMAAP//iL61wg==" + return "eJzsvW1zIzeSIPx9fwXOEc+52yGzx+2XvfHN7oVWkte66W5rW93tfS4mogJEgSRGKKAaQJGif/0FEqgXVqFIiQKK6r3xB4ctkolEIpHI9/wW3dHtz4gwTeQ/IWSY4fRndOH/N6eaKFYaJsXP6F//CSGE3sq84hQtpEIrLHLOxNJ9HQlqNlLdoZyuGaGIy6We/RNCC0Z5rn/+J/i1/edbJHBB/ZozrHHzCUJmW9Kf0VLJquz8NYBG/c8vAB3QcVic356jX5iiG8z5rPPVGo32LzUeBdUaL2nG8h3IDpU7ut1ItfvJHnQQ+rCiHUw8bMRyKgxbMKpanAKo6GqxYPcPRIPe46K0p6Wp1kyKh+P4G/wdc78ewgtDFfr/LMIPRVRWitCMCUPVAhMag3K3ABM1MOFQzYqiBZcbJBWiayrMXrRyqg0T2MKPi9tlC/hJCKqK08z+Zwyk3uGCIrkAFM4JoVqjCymMkhy9YdrAYsissEEFNmRFc2RWTD8AS3+6laYqBa4WrsOLafiDW8+T80EYdg96MjQ7iz4G1wKXJc2z+sqUATx7fzwoYIzCQnNsaF7T7voG4TxXVOtH4LKS2jyYagtccZOBGP0ZLTDX9Kk42+UfgW0pVQhbLsXyqZhY0A/BZEe+RD7ILnc97jS7WJ3qSLvYP/Rcu3inONwuTgdP2KwUxSbjdE15HD3AwkMAD6RFgfkGK4peobk0ghqL6WLByAz9JkDmrKnafsvl5gzZf/XAFTKnCht6hlZsubKPDXzd/s9DtkWwoUuptjF2duFhNc/f+M5+sY9iraasmar0mf9Of39Gyb9jcYaoIXv3Q6QQlLgLGEVf+yjY56qroMG2MLzpezFhpCgzu2gAC73qs/NeHK4v3t7ALw8vSGQea0EL6qG0HtlnGrHy6eZdZ220s3ZIF8BlpiiRKtePQ+QJGj7Wmi0FzdHl+Q3qLx4kZVFgkWecCZphtawKKsx06PrlkV0eNctbE21JczTfwjXmkmCOcJUzYz/Zt516+/1H8IF7eOwr2T6HLeGNRNhxCmdUGKQr0IAXFefbhnvE3l2Uiq0Zp0s6k/yRPHzkWfy+ogJh0Cx1u7zVL8kKi2WtoXt9U/IcrTGv9nJ/uwlBN89wE4JuDm9iXiltZnL+d0r6UizdpVDUqQluWRD7gAfaYCWYWO690A5jNg3bdLG1SgC6vjwKXVIpRYXJLIzpZI9b1CML6GtKxQOwlWLBlpWi+WkQbtfv4H4YbbxengZfvKYKL+mTCH0y5DvEDuwDcy43NH8IhxcVx4ataUZkJaYTJkYazBGsaXX5Du4rZjTSTBDqhLqTNhusEbGquRVAChFOsepscNdHujBdbJ7uI/2FKVrKDVW1lXJJF1Ro+kwcp798uPyyHKcW4X84Tv/hOP2H4/SLdpyij5qiq4tb/9FMYDNj5T/8qUf6U0PkfMaO1gbdzuePYIF/OGEP47TLFn06/8NF+w8X7T9ctDsLHnTRakoqxUyIaYLelHbB3nLv8cZr+kDcWw8XXdlXen8U6gt3E6dEca+beNfGY1JHtfGuf7ttUnDqf8ZNOQxacMbZIx6uB2qD9ol1OraFvpeTFpgwHubmvXbc7dXF486lXggZiTYrRlZOSHqbU9EFVRq9WLSi8Qzdvnt7c4Zu///bM4SFVXR6YBdSmdXLGTpvgRMs0JwijFZY5SB+XWrUGcKoVNJIIvkZAlFWuKwquejLXKvkb7WhBdJyYSyQGbo2KKdCGrpjBHhJT3ClG9q7n/bfKbfN2YARfQLXrLHTZj3rQK6p2ihm7KOlKjrg1+EhHbhCew6qy0J1ZllrQG5WVDl/in/I0AprNKdUIDnXVK1pPtyf2kk1O7SZ4eXbu5XxuwVYC7yrsoyvPrZ+aImONqeXvWPet8K+W9U7lQ/WVrujW2vLVdoFXgguTeXpr/CmuThg8xFZUG03Le3nPdAIvZFLdEntw6bCG3GwWB+pY7dTwwVz02q7JDJgj3Bi6nuSuxtPpDAQwJMLxIQ2WJgaDR3E0bDiGATzvic4hJ238e0SCBsvTnHtW3PuT4zeUfM7M8I+A/70ZwPWaDarV7LiORJ0TZWVoDXflVhpit5Sgy1qGC2ULDpLvXgjl/rVDSZ31OiXA/CXTFFi+PasiU9h9J46YeE4XHTQnAUJObQ9HkbJgQnVo+QlLRUlYDBZTHK6YFZtkIIDWgbPuVXiyzBWhV72Ve24HOjP+K2/59eX37mYnvfy1Iq5+xa9xwQiyO681OAgYHcMlDbHLfA9exwlVoaRimMFv/cHOxvljAHoozglxBkDyOOcMnok62nP5PU/zmT/mdhV0xzI066vnP89g430j+XZYLfGxwi95Kgp6nTf54ibJVuq+/80zLTBhha0Fxx9JshB+lFGOO7d4WeCHhWm56F7JoitBl6nZ4IYE8chllZjqiXH8+W0nOJjpEdasi2oixjEsqFG9JqQndn5Yu0WsNgM9JCBkvA0K6KnhwygH7Aixqk4CLxOQkXR8aoEyefINdhmJPKhAAUfTT4yhVpdDWIO9f79n7a7Ru2FFMQ+DtjI527ZjoibNUsrDrvUvbDLsAUjuHuf38ilizfUGS2VyKkCZyn1gmqw9QW7pznSFLKudn68u4YeN1jqQxjAfrLB0hzCAPSjDmXoCYzvXzqOMQf7egRNHkeDQUg9CV/+KrXpikje50hNRc7Esv5Qh9im40P6cujLjmGwwY9GCXt9s/6hyeEfu+594g52b+SXStz1T6nJ+9P/u+QdRJ2TyIa+XHCOtK63LEcYLdmaisZJ9uUqApZEx/kv0log+XNU/r6MiMaoQ0OW20zRzwnOuhs8hAOGfft6syu3NLqBi3TmvdkGow/bkiKChxJkThFlZkUV+ngtzHc/IanQL1xi8/1rNMcauKgOkEE1Aah+B/Z9jLr7Be8bwqDpjM8I/oVgItwk1nG98hfvYJBqg9WgOjOa1tGRaJ1tdyl5ffNpR9/DUL/WP1JU57a4R9SjDen21HGqdsSDwhnFlgxqL9xvdrWVA3RIpX/tSYy4vvn0U4AE4ZwcFIEEDUZDKsd4fVpGHSqOx74+K4pzqiaJXf8KS6Hry6dESR2+3WApgDkuVvqsnWycZMn9bLhWtK5bRQsuijVdLiTnlBipvkQBbKl3gpwby3NMI+JIR3OL6Y6i+kb21Ra0h9DP0OIryPy5qKqF1JDsVkiB5tvBoSGk6OeKaiiC0qwo+dafk/0yJOpSTFZIs5yiF39CZqUq9PrHH19CaaimVDSr7KHEs1BeH0AJXUqhaTpSkC+GK1yJcO1TqIq5E3r2KusgBPQCz+WadojBRDCzshZv2iiKi9H7Q74YtjkxqWjOqr6eFoNQX4U0x8axwBaImb9Vr//03Z+1E+mvShCgNdJ/G+zmb9YefIO3VKHX6EoQXGoogpcCTMpHyfUQ9CcGPwK5laFVvn+N/sVu9wx9/z36F0SkgpYXcExu0TP037n5n/aLTKNdonwVPEIh80DR8DOxdcWGZgRzPsfkLq0G7JCrCwawcXaFJSIVeSmZMHV3kSCiwBwZVUomyk9r9UFdUsIwB4wBU22kspq12Dqtw36wxpzljjFCSCG0kJXI7QvDKSDPxNIrRweTF3dvxAByjFigvw57wkYjp7DlEufP5Z3z6CDN/qCooEYxErA6vCnc/TLYwu65r4WwffaxaTVauaiPbYZ+lRt7NEObkwkklTXGjER3lJYHiPYsXrwvhGhKQjHYmuVZnirqelVLniUVUDWroayqcna0twvXTJkKc2u07/jeRcDFwQpmzW6IlQMx3C78Vb++RMpKaw0OFSAaVktqmq8dpIRWiZKeTk6JumZ/HyVUklDQUPBfX9a+1/e0kIaiW8/vda+c+XZMUCLoNuICMV9A4MWvlOmSs5SZDc/anNdsoPY/C93MytyE/A63zr4BdZmm57raavFPyH+NCKMTLwvGTxCjt6ta4+jm4vzG676+KJcVpVR9jRfBE/nFpUFUz8P94ds0gCE+bL6GnCt115Sv2p+0BrvTc8Ayn6HXP/6ENkD3gmKBMOdhXwE49UFNav1HaEOV64GHoM0H1gZJ0SsX2SXiydXEL5uIgbuaImzrafe7VDkQDrKaKFkJyeVy2w/ELZgaaLEI/YjICitMjCOivdRbwB+c5gJVwuf08B2f+WhFbeyCbheoTxlE2BO7BIuisEqmFHUYQeHNqEwDydpTKzEBjdXFKIT3OUhCoMcjQNQGixyrHAmpCszZH6H8XqmKIH1yn+VwNIlkNR88SY8iUot1g8wrzhYUdhww8DUlUuQjCnZ73Jk2Kf0sezbEBJFFyakJMsCoExWDAm8U64nBTr2ZMidi5Fu7dpCdx1h5lzNH2a+QwqwiHVNbnxor56XNcspPRPgrkacguwX5hxSpuy3sEYt29VrFdOm1H/oUHoioZDf6HBl6b/zlQ2uqdKecIt+XBxY436cy25biWNtsy/SIVDnN072DPsnGP1O6WbHWMepMm+aL3fj68LVSspgB1AqK8jWhAismnVpfVNywbw2jCuGy5HX1S9vLpsACL0OluQhxCO/stPWpG0ohZr7WSG6Ei4wZXJR9z6DHGPpvKjlMPmJGI7Ji1rqROdUz9LbSBsykLlB7K7EZycvFhh55SHsF2GJh8V7TKTQhOOR6QUc7aAVFBXEMga1qnbM1y61mA/wQFmS3tSD70CNeeJP3JVOT7bA9TxcLurecyAzf1n2vjAR9zSLlmjPu9Y1GPPRRF86ZlcaNPJsNlmzSyWQVWwIVA0XuqRAb+se+KqBBfq5oNRkrWe52XNTKxw3WCJDIR/gGkPsuNlEjKgU7BE0g05aFSfD6LosUuJZZAlTLLIX2XMYURbtAX0eHmkBX6rwipzEhe+Zj8I0ZPJePenOOFZuH5NoxwYL2geh1Q4jtCMJkoMTHUKx1xVOHnUasKFkZIgv6yuHQGC+QlT1ogIksXzgS7BiQIwxC13TQDneyjdWr+yLATmRnn8snbfHioHege6WbShcLDeJOJSVswVrDJ6zd+lbuIzzldeX02UyBA2hcjCxvCyZqF1XugyxBvL3ZPNUhfNq10ruWoFTot1ufGst0nRDQ96sh3xe2N0AB7VRJ6lJqFlFwPIi3wJwWueswBan89d0d7cJTcTNsmH0qUSSqgipGHiuLgnuboIptz8a6lWzNzXBiyd3vwdbWVORS+YTZvTuT87+foHtNHdoNtDXvIpa+FnxAbitB9yPmJH3KXnVfDS+kr/r3YsZ7uVa4yS0W0iAMYyIskuEEWi6XWZ2ochKhXjPio4X6FD1TdmTfv0O6FXSt3h132MWqlJyRberbs0cu3AACvrm24NsRuRwctpSYgO8rTgGxsDiVwtD71Bprg9C1cP66th8qznNt/wWPKox6A4RCDWAOPM5uSmbWH9eZQBaMBS7rkZxNrxBsjGLzytCOhBjm6PsBn1Zb7z5/YdGhy/4EsadbLW7U6/Q3BwzBfn6Rnzvb0d8Cxi1UgFmC1Q0HdZvzpdZUzdAtdYdSaapmeEmhlbfPdF9IVeMwgF2DcXo7cUO33O87fSukQnMlN/az+q9e13Rm12g/6ev8BisT203XAI7tUfF3qj/Hd7o71czqTXilZEl9QDHVW3wuEOZUmSa7SLWL+r+58JYXH50mAJCEFFCYcySk+FbRkoIlsy/7AcyGKZ+cevhoY6+YZkDnK+YibHX4Z7CzDTMrryw7WY8uYcE5VJsIJMW3S2n/e89LAEpKFlAcE+4bd4KBrwABi6RcICsdDKN6hm5bmdIfbNCtrEqD8YUr56u0NWJcyahLtsm9+PWEx4jwSpuaIf3/DI4JfsK0PUlfE+39G1bxhU/HVaDJtR93w8IWvWvLlE4p+/qQ4WWxvAQsENZaEgb+UnsaQXsSDuwNu6M/I4zK1VYzgjnKmb47Q6WCmSgwSuzrsKKMFT6m9vKRD72rs1G4oAaGmWMNXbw0NHJwvQjq0flyJ2g/LK3ZmYqGhk+Tew9OpfF1zjDBw+TEN5FFWQ3vYIJjw2jDRC43Pp+WSEFoac6aTIpRYgy2uag436LPFebO+ZnLAjPhpYboLMTlyNPV9XrGUpf2bN2qhG+YuKO5rwWqE9GxBu+UN1DsJ181qM1Yvu/g+KArRFJR153s5NwSfQRq9H67PRVev5Xe84puh+16mqAzVQXrD3ZK7WL1awK2jv/3a9rfR9a0F4ynv+PNln+B1ZprrGheEYrqyBENu9s0VQzzLPCaJntEbmHJWm3uv4+dB9C+MKN+AUru9FEtB2J4jP3q9qFbYb1qbqhVCwNVhhVZuczfusamKTO8qCH1WoTZjTTLzLQiMPi+/v9hpSmy8lwgBjl3lYAR+fZP0AivRc0XELZD8Fxh5+HogxN+1bDP07N+sYgs5vU8XbnYebB82ah6xOsFA1+n9vR1tRFAYNzjN02ANHAlLtzqrifjuKfUWXDJXeMN+ZyX+foSvXOS5oVv3IDctD1f9GtxexnWq50D+hS+/I77+foSSOpL3hoxMfQe7EbkXBqg28LMMZGVBRumw0bqWm9T9rLfjer6Am2nLuz1Y48MR0586S7aSbnXlwc12Vj+uQOarEXstchbjXaGLlx9pu93yt0H+7VZQFDtfuO7r7w7bl6ZpnJTmuYxqgSn2lFGugdlI9EaK4bnfFAF6JoyMIFKjkcEgaZCJ+2PsnOgXVXVrTyzkspqGHV9IbPnfPvq+qavQyPfMtZ5FMbqso8cKPjgWsg20uKQRNfCoFu2FBiExQiLllKlbF779UB+WSa9qXU3CV0d4T8tIt3h05bLchlgnHe/fUBMEF7l1IozP8jWDcJ/cVUPML5xDhEHFqT3LOwXgcjc5LFNcE61T0sYM6bvrMp9BF6PKMXruDHf+afhPdN3e0KuRrHlkqp0I+zCJPvUjQV4HNyIZkX1SvLcco+z1Ucmje6E3ifwLAxj714qv3jvdIyXTTOO68twGcmDo/NEFmU2cd4VnIrPvYIxrs6/p6v5txYdKaA+deFmc+cVGbPSvFp6oqyxLuaNtJQKOg9YuV7jNzIlzg8iP4kCOOyqv4DZ5+4hspsYaY38wgpRjN5iUvdTDiu3VgRNasdI8W2toKr9UsjZmtGHWiuKdfTcYG2wqWIpzo0/CjN+MrPDLj6X94jlr8bfL/uyVlNgaDH6OGh87O6CxSJ8det3LPH0vQGTXw7n7h3znDEhq1gxzk4diV5Gv1NWksZ0Ogw8sj9EBpy6M+MOS5xzbuUe0hUhVOtFxdGVXR8RmVNtWaJu9hu2LJjI6X1kAnCmzXGa5xNlCywMppiqkZhTBfHNAivGIYMn4MFz8XexRBiI+K39bXBnIgEfyrlrLnQijdivjl40+ZwlVbr0RbdOwgxI5lWENiG+7vD0cqTI0Lm5hu9x6oQSp3w1SV7eV+W+bT/ETGiUU4MZDzgZ5rIynd+NbE3yyXMza48tbvLYAI/xh9TQouTJsnnOUU4X2IeAfOfLOobvszWtVrymiuMtFHIZ6R9X9CJwI+0HYHX7X9NFXQXufPXaMFNBY0YU3FhrGwwbNj31ukaNYnX8OwTHxjSBrCKyKOx9SsNGFw46Yp1k31LJNcud/6zuIldQPZoIlUtyfKDx8d6yXxhvtUbSzcsLqwb3JSQ9nUbW16unlfV/l/Mj/U5Hb+9/y7kPwIRvV8nSNc69hIRid/K3N9foeqBQddFI1rXWV5fsxyBiYVdTDbuMakg/xh/mc6vDyr0TEdlc5qkrvgYVd32lw+OCLC4j6tEqfrcEFzKYoPK84wL2pcMugbaJh7Aly5tQzogTr4htNQ7KwCO8/PGUvGbfZZXymaqne998dN1z6kAUJGvcU1J1vQgu9WtOQ+WtdRemfYkbEzhCgl7xfNch0lRX4jVmHA8DGahxhSOor1xQpUYmLbg7dIyvP17czRsrhW8A5QKwgy35dAPNlrMRiciKbF7l+Ta6f4YVWdQ6oA7cStPjGp3v9VLFh6iYjNjloFdil+lqioIEprvZq67nKq5yZprKurYvmscoNNiurdhwoqQNL+zfpMsSi03B9WRW+cWnK/TC10p8qrjVleeMQwEH5IFd3ZdS22++RN8OHQ2iH4W5E3IjdgwhTUkFzSzWu9BHJm0SPIELrp8WelFXub/zpUlv6BKTLfo4aq5xNlf4FEX5fuEdEjOBCszEQuGC7k3HKLGCqb3p+yTsKJc3sCx6J3OXHN22BexknQWQQge0L0gVsIRIZSHt9o17Rzfo10qAKflW5pSjF0ysZ9+cISbJGZrbf1H7Lyww32qmZ9+E44uGlNmC48Hk/Ng61K6Gf3GDYFHwdYGc3NbDr+Rib6MGI5Ni6v4693jWbRA0VZaRgwiti7hyt4fZp7e/Y0XRB5cA/M03n97+fv7+6ptvXM7tGivMRnlyI9VdzJLlgxfs93rBboRt1AmGRWwlwtfsxO1S0jwHmNjnYpvAhFlIRYVmJKYA6biSEmBcxPeCBOIDsYBmG8yGw4mf7B2A3uexgdrrE7tEXVfzRJfCzHNtVOzKd6jXTuYQ676l0d7RuuYjnZP02GKXdjDYQKXxxSZt3Yuvd7EgFmzU0VRvNZkj9titBrsRBbbZL+8JC+Wj+wk+3nFhkff6//vhqq3K7Cb/nYTF8o6P3iOyF8mTMEcdx92Hn5QTJG3tnGzHLn1hmoz2OssO+mS+BLfbgHMPR6brltVsingYFH0tMOOW1nUzlxsvM64vu7Vt0InLmoOGLgMtDMazCuuc68yqiEfs55jEa0i39tVHF7IoKtH3RA2wE8c1bnoqdu/ovfl3GtapG9z0cZr1U3G7xSL/NxmOmrW4GWzYMZLhydgNF95BTle6ZITJaFmiU1nwgP0GKzEMOjx31LUoykymEsa3797eoN+cH7VNSg0j8nnSVILb/3iDPldUjfRurbjIFO136kyb3NBxiG7R+7roLJjW1WjpJOJD2gUqY48RsEDLoxxHh6CaQHDsyXDz+AMaMMeqSHBaFmwC9wIuIxYgN0CrPNpU2h2Ycbtd7YDOselrhU+FO6eCrAqsYpWVNHC3JR6ML35y9AmTQTpVFJjZKjovELqIW0DVAF4sodVSArBy/vcEUEscfRKG6zgVnb0g6J6x2A+O79xWUKt6RkdaZJjAYJT45ScWthYRjfcO4PmyXP8g7s0q+vtOREaMynIdte96B7qFfFzk6QGA1xxHlxgio2LJRMSiyCHoFLnRIltkesMMiS4/RLbgcqNxET93pQtbmHU66AmiLkRkTKQUJ0yUVBXzbbSE9wHsktylAb7GPAWvsDIrlTQyix+SAujrHzLwOMaHzZPdTS6XWZ6C2BZw/Pw3IrIC32fGxHIb7AK2HM1pgkehYCIR0kykQ7rkOuNznsUOi+7A/lNC4NE7g3dgx+6F2IUdu6q3C/vHhLB/Sgj7nxPC/h8JYf85DWwjS47nNIVIaaDHN89EVlQclO/5NsE7WQMv7xLoJUXF2bIo02jfVsvEfBk7CclDZimUEk0/k/i+EZFpl5CY4AS1ImmsSQs4jTWpt7oqE8wiJaIpq05iqhpprOlB7xOIECONNcxSwQazJgnwSrB7gYXUlCRgwvVPliqJHoX1T7I0K4rzBG41WZQZ4Ql82BZwgiAJwFXzrYnvFrWQdRLIZZUliGkQxQwjmCcoINIZXlJBthGzrrqwBebbP2g+T4H3OoM2oEkgu3YwabB2ibVJoM+X5fqnND5onc2Z+XOSRmNEZ3FnxfUAKxldVOsk1xygUqLiV7lp5+OPNmurA5ialfPzx3eOOOCg9iUB7rrJx+sg14G9YJymsGF0tkhxiGwRszh7F3AK3UBnrIQkxSyJqGPl+odcm3LQzD8SbK1IEticLWgKM0aDo7mgOYtWMLoLm4k0XFLIvOJUE5mC2h44WyaQTbLUG2yizvzvQA9lkEcBrOiSaaNwfE9ICzuBxqdomYrUKhmtNXQiV4nkq8vMdyyeALpRFBcJFElXCpQK7XTK9WYlmc7chNn40LdY4SQMno8UwsaAvHbz7WPDZdpgEX3Oca7NvFKxhgXWUKmbFZQCahUd1/h6dF2THBssTG5YxB92fWyngX0wlzjPY98BlscOq9atgxK8RazIiJKySNKVyAJOYKaxIkuTHOk7HqUgc3kXvT1TqeO3LGWlLhWLDJRjw0wVPfuMM0HjtdhpoeqoE3UauFB8G9+txaXrepotuIz+nDfAE6T8W5s3utSxQBNIHGtDJ0A1em4Cl8skrCuWSS5wKVVsAVbMq2WKa1YwTVKIhUInYdgUcyAENdBcKTrc6DLcNYCOnfHnoMZOxxObTWwLJElFmXQDoKNbojK+ZiQVW2aBeVxPhrsRVMV/s8rMDeWNDjbqZOoWrBvxmoTJEhRu+pk4sYWBBxtbGpSZcyRFRxdrbT/MyCpWnf8ANL0vWfRAQElVsVRYmEHP3RiQN0kAx396XSeyjx97U0AjAFZymWFdRhwY0AWtcGyoimKeQr9TlAAdXNfRRMDjE9lCjtvCtQNZqjwBxvEdmTqBb1g733CCfABNYycCuIHHCYwTTT/HZ4BQg9ZoUBOYUpotEwheXcb2smlFUtwDRfLoirRWJNQVNwJgE2/EVhdmpaN31VwTEbtQIjgt9qlAXZPO2Ns3SxOfrRzQ+BG9ZqZnbLjbMnq31iqfJ8lDrxRP8BZWmqosZ7Gr3pOMragjQynIYIg2uIjtDV5nTGiDFwk0gzVTJoUavi5FgtZNRqpKxHSzhtqiBTqKnldGoveVQIOlm+yRhMPyPmHOcnShaM4MusAq990MNbR/D6PjJmclpNLYhFAAA0P0EfQ3IJKjUKlOkw/BRDrKXRUll1s6GCx4kH4LWUVr6v1AHrM0dD4jmHem6JLeowL3Gy20sVixrPrDQJIjyZmG4Qz16v7ooYES0lVZSmXQsPEoQpsVNogZVCq6GGOFJ6TlPmYIRYjw3upoUEBM+M7uI32hOROpJ/J3ULWrdfHUyMglNSuqZu339UpWgxcNIUHXVDXjiIxEJVaaorfUYJgI7u4qbkjw4o1c6lc3ruz1Jbr0I77OkFkFphRBM+D31I8+BrQFekfN78wIqsPnPGTqJMRbwMju5hbB4m6zmmJFVjMmWBA/mLk7QX/tnviEWRiQDPGK40rArN9lBXNc6ybu4QbuvX7te/aUvh13s6emCbefXzxi7NuDyCLWND2s8yosiz7QewO3YsxdMMU06hGB1A6uewcTqgUfmXgJ3XMTjgOH/rmaGqTo54pqs6dp9/HZyo/vle9UBhjL41Z1ErvvkWryTnfdKftwchhBbGzn79ChXf8c3HnM2f+H5xvaxa4va6EAa4d5A6yGeEm8j2Rh+7jMsabIpWs32KDBrWpOyf/iNPiKZhR8g7lUrn19kIwIYY00pTDuDO+fV6Ww0JhMMN530GHaLS1A7W2ZhlQKJqDtQ7qkqmBO3ZgK6XZJN5iDrRmnS4o4XVOOsNZsKdzBtfP6w6wPLZlPKL9h/T2cPj/JpGeLWSXY54r2xyTi8OXr4Htcx8TjpqDUGg3L3YUkUggKuRVow8xqTFAgFKgMaTR2RY8qL3q0aWHJCfKkeaK4XDKCObIYjJg+gMVpsYOlRsY0no525Wqrw+h10tk2spfVGvuBx5xhna1kcpvAGXGNuQazVNqhRlYqdkfwhPsBIHdpLLbwpvlBLIRTrGbnXEtriO/ct0sIlqNf/S9m6Fxsm/8bQDdgy2thEM5nRBZlZagKi+Ekbny7sXTm2Vf9s4AZizsHwszfqtd/+u7P1va97BxHTbGvgmh7Ps3iRswe6rjBW6rQPzc+Of3KowHIhW997Pqf9DwvWpx3uH7veRyZvHxItn3dH5hi15mhd799uLJ7p4o65wn4S3OmiaIlFmRrtUqvnvF+LggCCp2hD29/RtfCfP/6DF2/u7z6z5/Rx2thfvoBvdistkhQZlZUIbKS2o9Kk0pRYuBb3/30v/7by6+DFKFmlVDG9ekBMnVW4PA4Hp2Y+x55zW8dL17XSIWveP68kO7KpgOYH9kw7sEPfAjfnmLaWiefmDIV5ujN+bsgsn9IQdP5so7jjP8jBZ2FaWvR/WJEKGzksPCEI3iOb/Cec1hiQzf4BCPSgbtv0HmeK/DTOi4PodM8vaQoj41zPjUWcn3x9sa9SqPhsQLrCaMfO04lp6n6txtd31hURrxfloZHToKIQkO79jgNa00sc9O1phUQHXRxnjP7ZczbgG1nln/4nZuQAaxJCBdc+ht+ucsCA1TaXOsket1DnzSM3nkMb6QyjUgeCN0cAmxwAMxsD0tePTHt3X6YWNaPSb2tt2OEFzRkN07lxfXYgeWLtZaEWZXT+Y0GOg6ycllhsaSzxnQiUizYslI0R/MtwKQih6yhsJwpj2w9MCgaHdGWg4suEvQ74BF1/24JV3QHgKKFNDTzmd3x84zikzYXOsOZS8VPALo0Kg3wRQKWWCSoFuYprkOq/idlAqLiPKs9cenU8r4Fb/cx66/WdSacQIO9MiuqBDXow7akZ+hj/Yy9AQfY9+imdoANXoLfxjS1elTPBMrEiGlcI+394mcIcx5UJsr2i5DghhUk5q2psm8gE0YibeAxZwJ9vB4VKAQSZJPJq+gi2wKVZYKxbxawojp2Rq8Fm6DExb2IsVPRwd+eAFs3WiHjVCyjT4oEnK3ykVALHdFAncqDeScAIxCBdIIFwugXqTZY5cM53QidLyHZSyFsb/w95NLNqdlQKsKqZ+SuiY+NcUuDeTdU55BB0DIeMiMGO2TC57lCWkLBjBVLfsRGeItrjsUUcfwHOCjrBJGOi3KwwV2XZRtJWVsLdgkG7O7LEztSSQl0IVjH6wf3sIg9VoaRimOFoF80qpF4cXX/8xu5lItFePo7JZlZ0eTHu4PsB7ugu40dvK8s3hbd88qsqDA+WXwUbV3F7JzwsIQet+Q46h81VaMIy8oQOS2l/ZLjCN9WhFCtR3CGzuPHNUc7LvEE8EJWxV1KtUWBwoQBblMIpx0caQ9HK5UgwKdLKey7YuVWSDlsfogGitLurtbx+tGNvJsYua6lUDPAGc2b/Xg/TE8fZgJpZqqA/ERQXEC9iPZQV1gjnMvSvi5mRZlCciPaI3OEM/heClmM5NXCTA7NXIv6aZUIq9wzkVv5I5VuCIDRL4xTdO4Rmw3I8BBnr2g25u7kaMJ4s/+TpCuMkuDWZy3EpUJojwFCxKx3fwIhXL7era/XiE2J8YTQuUxZPRDY/Jyu8JrJCrRLIotSyYKNZCjSqZG7EnjOoYhsgS7248bEuhE7CZHsY7ijdaIgAjsYRh0ucwSCgfUb/FKfbueVbe/bKNu1ZZaVMP1yttgafQ5l4Bk5xqx/kBYE7/GSCqoYqbcEBIFEv35qATMreGpDs92QR3ZGvptpo8aDn/Wejmm7dbI9vd6/J69euLUS7itomjZGuGEF1VauO21P0ZKOBpH8KURrCnHwIKDx4BOPQT2QtY7p3X0y1vr+YXv6LtPRhpw+eGveYXxoh4O9wY5bgfAAYfDl7u71wd2pSc/OXbQoe1OHTy5aL9VpBMgBOd4IkC+XHb8/fGSxRhtMc2QPk49qUgkS8449QH5Myo4x9zZgxkaphxK0np86euVOZVZZQc1KniBKgnc8ycih4b82euDQS0nJpF6nPVGd95J7f61FZA9fJvKE/Ofsxz/9Cb14c3l+8xJdMm2YWFZMr2gOpfBBXLhcyuR9gfZFwiBbduHw8McMXxzJGFMysVdxX/2nPdUQBs2NAY98tKHPj7kuBNL+m7rfjuMPcArFTLEItUlvM8Uwj9WdrreR9zhnlXYrIKmQZgXjWDnxZMWmvUME3vVweRXcc83yKTuNdDPlP1pGqL2Ivb6Y7SVPV2dxLvbddQhr+ErDjv/XO4ngkwEveMcN7ZRl5GFXplQpEwMGIRsgtVRLLNgfe7KqRTpWeCixj6B0l6dGyL1gKlhLmqjrzy92OXgtXIsv17toJ6v5V4q5WRGsKCoVzWXBBA4W3HXE0w02jAqjD6bHczzlbt/gk27WtX6kZSLGtVfnayu4SqwMNENqt7pfrE7Y7MgLm4dI1AXNqcKG5lm0pLI9/GGFzy/1ik3w7EbJNcub5mH+e7gsuddUB4zhm//YZ21Xpw0rOO0mWT7RLpslfa8/sx3ZZnB4KGROrpmLnq/6ivtIC7hG6Yw5FPyxmie9B52p86NOJfQysFGno4LGijXSRion8S20ghoMq30N35rZb30d3n3B8pzT6aTcW1jvoXIucLwduXeUnKvHY0yz3Ru/WqfDkNjW0dkzVHJsj8y+z1IhKojalmNefkiFnMCefEAGnWpsy1+lNugtJismRky6HCeSHF/1af1RQKZ/qagVH1Y/ck3O9Ay9yXGJPsH/OP0ol8LVnf5t+HiiFV5TqzlxihX6XFG1RdCDUJdSaFprVOHiVLvfDH4zjbz0PfCIhaxY3QVSuO27vnzjeNZbmgDVloHe++aoD8UUpjyldZj1ebxuLb3TxMjahv7hZRqpSoigHavPmpfHRZ5dG6mRGjsPMfMWZvqDwGjDRC43GumSErZgxH5yFqoT9Hmywwtit+fwbXNu0AvoCEsFaZ8hCF2+7FALVQLe8Td0ickWfdS7jW+bCGzRL6SNnl1rV5jAYB957bumFqACtWrAZPZFHFC86QMQqP7fqTSFcp4h+Xa3nV6hHuvO69TrwI5hh0FG8785YrPT5PWObdVn+HrXey3rrmDr411Ah7uZxmHXBAx2z6ZNyHTHMDihcEOKw8XPUDYQcyTgaIUbbDmnCya8rx6EE3T1K3A50nQQsDuqUCwRbq0Dpqf+xRaMjc829d59L6WR3pSND9sYTFbFxC3w21WB4GhgHXWPI8mQlzkT8SaIRb0bdstQVJj28QwIqW7ZDhyLa6PdlvcHpnYOsE779h3AusSq5in757N2K5sVG7RSR/Z2WFvWJb8/aHsm+swS19ZCqm26A/+LLrH414MdY2pEdruo1+p56GmyZPnLK4B+YG8nU4kGu6r7re/f1SgXZFQYJctjREcuq/nAufAgHvdrWmubHihHABxddce09/BCFiUW2+Y+wrWDcfrOXllTZZ+hjImFDCsFWN+lrhE6ID96VmSN2Yam7Yq++JwqR+CXivMt+o8Kc7ZgNEeXUPfsnINBVDZ0nhEp79iJgu6/0zly67f2M+Zj2nz0brNtOLysDKjcR44wPXzX3zdL+Ck73h3tfPIz9GFbuq23ngNLHHeC44en6CKL2ky2h7bFwTki1Nc61La2j8wUrrpGudzFznkWS6lqbz+EmN+/GTnyTq+cyOxU06JMO4doDynsygc99zWaSspEmsguUnYdex6oxCbsmiQiwzpmtL8DWPly+siQK8UjHnMHasRTaYzRrFKxvCEdmJqqDC/j2ZQt6OjP0y7oqOmPu6A91ycQLPTeUAGqVXzjxMKPxs2NordStJcqE1ujcktMUUu4I3M/wLKgXr3y/33hUXjl/8PnNYXc/phTFc7O89s5YfTcbaYbPAePa2fU2mA7uR+IZk0qJhZUqZG463Dfk+yrq/gfJH3QPTsBknVf4kXnGAJXCsLaMumVCiwxGftdubi9ZbsPkEGsun/6Kx0maI0P/GTliqpp/BFWZ/cZTy8uYPTjS3QB64dRo8pM1CxlhM4XVPnhn3QnC3NPc16aNHTcIWTnwO2iX+tOp+i9J83+ONYr+fjWKOHTRrfsj7C3ht0lkinXf71Cgi6lYe4AyxXWIxOgNJm6rVDnKN3i48MF7VEnmwA1SHDp8VjdOL2uvwknpGi2nKKiYre/UTP18MPooGUrTZjWVXSlEyBDslQ6b93TYiiAIVUqqQ90cChd6XllF0e3EJzeJ50myZBoOoP7KPKLW0jt3P8YdaTncUg+XnruwXFchGrNs3XKF70fUvWO7CAyeWZZD1fR2zTqVIDZHfUWdaLmBl+140q6DxLI1h+QhnidVOj69vyvb2/QjX2n0G9iZPpKi22iSupjsP2wkWFsQQyRFSV3+ign8sOEcNoeZKGhc02/zqZFGKSB+hGErRTco+VSxQZNIU+g5Do8mq4go0YD4GywqSab8NnFco05yx0jBpDoC8LJulrvE4RAsTu61X2xHYnz6wTSyLBXxpQ6YzCDNgloOMoUBCH4GdwmthR15YtUzGwP3CgiiyJpn7gH4u3w8A6hcAn+hinK+5ZmbBfLhmORaX2qgbd2ZSfDf/e7rWu0gti6UuOslGyKtOoQwg4DBBgAUmFrAMhKVliIQeOM1O2m/KqAyEjMdqK2zc3D4mce/v7m/J1/9171lm8eFCNV3/cfvWcb03fZWvIqFQHO6znOws+5aSZj1+N8K8GMRi8cEvoldOuAwt56om4PPAKkg7vhVSJp9sbj+lEw49MFZrtFB2uqIFNgUXFEpCC0NNZQvnVnONJeYbNJKX0d4a3BXo/QtoiWUhkkLX1//bfzUApukOyx+U6q5fQJlv0Cgx0X6xy7ZifBRjH/fvXbzfUNeovvCybyZqx3+Fjt3iZPw9wZojiyLb+Nwe72batRn8Ili9HTs12VY7aYrmDz1EX49ZaTqx07zjIvla8vfZdej8VeDPl0h3LiXgH1jov/8nXDTWGOyIeaZOzbDf4Sa0KfKLvRj6sGK74J6hauuPcM6SqQoo41+os2Sorlv845JnecaUPzv7zyfztrPmViQUn4owVTdIN5UJHBc975DcIiR1qiEbZUdMm0UVtr2U8pLEpsVr5Zf4MD6uMwQBKcUlOh6QqhXb0WkarThbzRJxvMqTCdnJQabz+QcdZMU5v1Lv847mN453SBK24yuBM/owXmO6XIO1vazeB/10mOqCdFtiPj27I1o/BiwQgMEphTKpCcQ9+ITkOv5lw0fsRm+hf7wFaGt75xGVusRWJ1stCp2ySNSBSFN6igWuOl70tEpJXfMMAspEi+kUt0SYnMR8I+HlZ0H5Xr+RwxgamH8JTSCIow7YsmF4gJbbAwNRphG9+wox7xfPhOBVVxuIfMWrfG1Tm14wnQytq2MGH3d2YE1bo+/cNTEARdU9VtUFFipSl6Sw0GTd3X3DZLvXgjl/rVjUuqfTkAf+nTwVq1AqP31AkLx+Gig+ZIJxm6TuLCeVq0udDLtMqzP+O3/p5fX37nAy6u7VtrXUNPgHtMDOJy6c5r2NcGdgeTrD23wPf07twh+3t/sLNRzhiAPopTQpwxgDzOKaNHsp72TF7/40z2n4ldNc2BPO36yvnfs2Cvq2eD3TpVqPRpqCmaMiv26WRLdf+fhhnYfukK7p+GHK5yZjLoR/0c0ds1nJ4RYquIE3WjIsbEcYil1ZhqyfF8OS2nRw2LTUu2BaV56iKQ8bBFt22iayRJ84EeMlASnmZF9PSQAfQDVsQ4FaevM+8Pxg2Sz5FrsM1I5EMBCj6afGQKtdpHBxo1WjX793/a7hq1F1IQ+zhgI5+7ZTsibqBJXUJx2KXuhV3GJb907vMbufRjXX0VA/SSsyaIol5QDba+YPc0R5rCpN2dH++uoccNlvoQBrCfbLA0hzAA/ahDGXoC4/uXjmPMwb4eQZPH0SBii4U9fPlrnVfqOZL3OVJT0XQe5nKpQ2zT8SF9OfRlxzDY4EejhL2+Wf/Q9gMcue594g52b+SXStz1T6nJ+9P/u+RNXPvkadyXC86R1vWW5QijJVtT0TjJvlxFwJLoOP9FWgskf47K35cR0Rh1aMhymyn6OcFZd4OHcMCwb9/M78r3FLuBi3TmvdkGuwprgocSZE7r5NGP18J89xOSCv3CJTbfv95N8yJSLNiyUuP5Le2+j1F3v+B9Qxj0uZZNgmU8Qc+MseyYuproS3cwSLXBKk+m1O2fVO8Ukk87+h5GinI8TE1zrVX9I+rR9s0wgVN12+VDKrZkAvP6N7vaygE6pNK/9iRGXN98+ilAAhTsJosikKDBaEjlGK9Py6hDxfHY12dFcZ6wvH7HtIOl0PXlU6KkDt9usBTAHBcrfdZONk6y5H423OTgtooWXBRrulxIzqFv6pcogC31TpBzY3mOaUQc6erxcB1F9Y0cjrMYJ/QztPgKMn8uqmohtakL9+bbwaE1k7gsQM2Kkm/9OdkvQzIzxWSFNMspevEnZFaqQq9//PEl2mA/SqheZQ8lnoXy+gBK+Lk6yUhBvhiucENVap9C03fVXmUdhIBe4Llc0w4xWLhEpxZv2iiKi9H7Q74YtjkxqWjOjmqacIhQX4U0x8axwBaImbrvD4j0V65NaI30cJzV3xDUi2ypQq/RlSC41BXHTbOyR8n1EPQnBj8CuZWhVb5/jf7FbvcMff89+hdEpLL6sus5UA9T++/c/E/7RabRLlHC7S+EzOmztXXFhmYEcz7H5C596VNOhTT1aDSwKywR65oXME3GptIBcyRvZgQsAw23MQeM3Rx7I5XVrMXWaR32g04zihBSCC1kJXL7wnAYyKChI8DDkhd3b8QAcoxYoL8Oe8JGI6ew5RLnz+Wd8+ggzf6AYZSKkYDV4U3h7pfBFnbPfS2E7bOPTavRykV9bDP0q9zYoxnanEwgqawxZiS6o7Q8QLRn8eJ9IURzgymydcqB51e15IGxVG4+tYBJ/B27cM0UjEy9vtz1vYuAi6M70x2I4Xbhr/r1JVJWWmtwqAxni4xO/28okaye+eSU2J1HMpIvlyQUNBT8bfOr99ANv5nRTBTFfhDQiKC0/9SBmC8g8OJXynTJWeruJc/WnNcsVSHsE1Okj2sa9VB+h1tn34B6IpDnutpq8U/If40IoxMvg3FBk8ToYQSQVOjm4vzG674EC0seVpRS9TVeBE/kF5cGUT0P98dH91SBIR4adYuGpnzV/qQ12J2eA5b5DL3+8Se0AboXFAuEOQ/7Curq5wVq/UdoQxV1YLFBnGJtkBS9cpFdIp5cTfyyiRi4qynCtp52v0uVA+Egq4mSlZBcLrf9QNyCqYEWi9CPiKywwsQ4IlJoX2SxcBPcUSV8Tg/f8ZmPVtTGLuh2gfqUQYR90xasRVFYJVOKOoyg8GZUpoFk7amVmIDG6mIUwvscJCGVqiFqg0WOVY6EVAXm7I9Qfq9URZA+uc9yOJpED5uFt4dILdYNMq84W1DYccDA15RIkY8o2O1xZ9pM0NA+tCEmiCxKTk2QAUadqBgU+PFG09pgZU7EyLd27SA7j7HyLmeOsl8hRfROyPkgQeLJTQ9EfiLCX4k8BdktyD+kOFH3nHr1WsV06bUf+hQeiKhkN/ocwTBuP4Lct8Otscv35YEFzvepzLbtjwJ/OkhFiVQ5zdO9gz7Jxj9Tulmx1jHqTJvmi934+vC1UrKYAdQKivI1oQIrJp1aX1TcsG8NowrhsuR19Uvby6bAAi9DpbkIcQjv1PaiQ8rhqhEzX2skN8JFxgwuyr5n0GNcT00a3j6jEVkxa93InOoZeltpA2ZSF6jrnjWSl4sNPfKQ9gqwxcLivaZTaEJwyPWCjnZuaJogjiGwVa1ztma51WyAH8KC7LYWZB96xAtv8r5karIdtufpYkH3lhOZ4Vu3WW2FntXXLFLAoPt9oxEP/UC371qezQZLtt3VqtgSqIg+irOhf+yrAhrk54pWk7GS5W7HRa183GAYe1p1G3B10SwBuVijHhqiRlQKdgiaQKYtC5Pg9V0WKXAtswSollkK7bmMKYp2gcYa9dFCTaArdV6R05iQPfMx+MYMnstHvTnHis1Dcu2YYEH7QPS6IcR2BGEyUOJjKNa64idqmi8rQ2RBXzkcGuPFD3AZcAgWngQ7BuQIg9A1Vcykbg061n3ar+6LAMdGk/ZcPhMPbnOvdFPpYqFB3MmNum8Nn7B264I5Yz1VvK6cPpspcACNi5Hlg8mwzSTYIN6hKTIJD+HTrpXetQSlQr/d+tRYpuuEgL5fDdavT2isSlKXUrOIguNBvAXmtMjb7sLN3R3twlNxk6VrXfRIUSSqgipGHiuLgnubaPLzAyrZmpvhxJK734OtranIYU7yQbkl538/QfeaOrQrh9Npu4ilrwUfkBvmAe9FzEn6lL3qvhqdBOvFjPdyrXCTWyykQbiZpBZOoOVymdWJKicR6jUjPlqoT9EzZUf2/TukW0HX6mHb70bxl5yR7RTTdkbkwg0g4JtrC74dkcsVT5k3HSbg+8o3/w+LUykMvU+tsTYIXbejAurqqjzX9l/wqGJeIxRqAHPgcSYrLJY0E3STWhaMBS7pphPqByXEGMXmlaEdCTHM0dcOdautd5+/kaHEJY4m7BrK8cGEjkluDhiC/fwih0xXfwsYt1ABZglWNxzUbc6XWlM1Q7fUHUqlqZrhJYVW3j7TfSFVjcMAdg3G6e0Efo/c7zt9K6RCcyU39rP6r6Se42jNrtF+0tf5DVYmtpuuARzbo+LvlBxUh051pyTP2xmkia6ULKkPKKZ6i88Fwpwq02QXqXZR/zcX3vLio9MEAJKQAgpzjoQU3ypaUrBk9mU/TDEXZbePfmgaitPjXjEXYavDP4Od+aEaraxHl7DgHKpNBJLi26W0/73nJQAlJQsojgn3jTvBwFeAgEVSLhBMmGdUz9BtK1P6gw26lVVpML5w5XyVtkaMKxl1yTa5F7/NNBPCK21qhvT/Mzgm+AnT9iR9TbT3b1jFFz4dV4Em137cDQtb9K4tUzql7OtDhpfF8hKwQFhrSRj4S+1pBO1JOLA37I7+3BlkCIMLz1CpYCbKGaKGfB1WlLHCsQZWHwhiwVLUUKVRiTV08dLQyMFPk5ZFYaWY3AnaD0trqCF71T33HpxK4+ucYYKHyYlvIouyGt7BBMeG0YaJXG58Pq2fNnnWZFKMEmOwzUXF+RZ9rjB3zs9cFpj5Qbyw73ohLkeerq7XM9EA+8FoOCbuaO5rgepEdKzBO+UNFPvJVw1qM5bvOzg+6AqRVNR1Jzs5t0QfgRq9325Phddvpfe8otthu54m6ExVwfqDnVK7WP2anTF5+zXt7yNr2gvG09/xZsu/wGrNNVY0rwhFdeSIht1tbqZ+FnhNkz0itztj/PvvY+cBtC/MqF+Akjt9VMuBGB5jv7p96FZYr5obatXCQJVhRVYu87eusWnKDC9qSL0WYXYjzTIzrYj9VfP/w0pTZOW5QAxy7ipBOMXK/gka4bWo+QLCevJrXdh5OPrghF817PP0rF8sIot5M753sfNg+bJR9YjXa81Upaf29HW1EUBg3OM3TYA0cCUu3OquJ+O4p9RZcNMNrnVe5utLP4IbvfCNG+rZlK7o1+L2MqxXOwf0qQb8e/fz9WV3vmsjJobeg92InEsDdFuYOSaysmDDdNhIXettyl72u1FdX6Dt1IW9fmzhjO+Jxx1fNAuj68uDmmws/9wBTdYi9lrkrUY7QxeuPtP3O+Xug/3aLCCodr/x3VfeHTevTFO5KU3zGFWCU+0oI92DspFojRXDcz6oAnRNGZhAJccjgkBToZP2R9k50K6q6laeWUllNYy6vpDZc759dX3T16GRbxnrPApjddlHDhR8cC1kG2lxSKJrYdAtWwoMwmKERUupUjav/XogvyyT3tS6m4SujvCfFpHOXQYuy2WAcd799gExQXiVUyvO/CBb+/MZenF1j4uS05/RjXOIOLAgvWdhvwhE5iaPbYJzqn1awpgxfWdV7iPwekQpXseN+c4/De+ZvtsTcjWKLZdUpRthFybZp24swOMA2ulKUb2SPLfc42z1kUmjO6H3CTwLw9i7l8ov3jsd42XTjOP6MlxG8uDoPJFFmU2cdwWn4nOvYIyr8+/pav6tRUcKqE9dwLgZmVdkzErzaumJssa6mDfSUiroPGDleo3fyJQ4rPINVqfJ0Bt21bfSFfuHyG5ipDXyCytEMXqLSd1POazcWhE0qR0jxbe1gqr2SyFna0Yfaq0o1tFzg7XBpoqlODf+KMz4ycwOu/hc3iOWvxp/v+zLWk2BocXo46DxsbsLFovw1a3fscTT9wZMfjmcu3fMc8aErGLFODt1JHoZ/U5ZSRrT6TDwyP4QGXDqzow7LHHOuZV7SFeEUK0XFUdXdn1EZE61ZYm62W/YsmAip/eRCcCZNsdpnk+ULbAwmGKqRmJOFcQ3C6wYhwyegAfPxd/FEmEg4rf2t8GdiQR8KOeuudCJNGK/OnrR5HOWVOnSF906CTMgmVcR2oT4usPTy5EiQ+fmGr7HqRNKnPLVJHl5X5X7tv0QM6FRTg1mPOBkmMvKdH43sjXJJ8/NrD22uMljAzzGH1JDi5Iny+Y5RzldYB8C8p0v6xi+z9a0WvGaKo63UMhlpH9c0YvAjbQfgNXtf00XdRW489Vrw0wFjRlRcGOtbTBs2PTU6xo1itXx7xAcG9MEsorIorD3KQ0bXTjoiHWSfUsl1yx3/rO6i1xB9WgiVC7J8YHGx3vLfmG81RpJNy8vrBrcl5D0dBpZX6+eVtb/Xc6P9Dsdvb3/Lec+ABO+XSVL1zj3EhKK3cnf3lyj64FC1UUjWddaX12yH4OIhV1NNewyqiH9GH+Yz60OK/dORGRzmaeu+BpU3PWVDo8LsriMqEer+N0SXMhggsrzjgvYlw67BNomHsKWLG9COSNOvCK21TgoA4/w8sdT8pp9l1XKZ6qe7n3z0XXPqQNRkKxxT0nV9SK41K85DZW31l2Y9iVuTOAICXrF812HSFNdideYcTwMZKDGFY6gvnJBlRqZtODu0DG+/nhxN2+sFL4BlAvADrbk0w00W85GJCIrsnmV59vo/hlWZFHrgDpwK02Pa3S+10sVH6JiMmKXg16JXaarKQoSmO5mr7qeq7jKmWkq69q+aB6j0GC7tmLDiZI2vLB/ky5LLDYF15NZ5RefrtALXyvxqeJWV54zDgUckAd2dV9Kbb/5En07dDSIfhTmTsiN2DGENCUVNLNY70IfmbRJ8AQuuH5a6EVd5f7Olya9oUtMtujjqLnG2VzhUxTl+4V3SMwEKjATC4ULujcdo8QKpvam75Owo1zewLLoncxdcnTbFrCTdRZACh3QviBVwBIilYW02zfuHd2gXysBpuRbmVOOXjCxnn1zhpgkZ2hu/0Xtv7DAfKuZnn0Tji8aUmYLjgeT82PrULsa/sUNgkXB1wVyclsPv5KLvY0ajEyKqfvr3ONZt0HQVFlGDiK0LuLK3R5mn97+jhVFH1wC8DfffHr7+/n7q2++cTm3a6wwG+XJjVR3MUuWD16w3+sFuxG2UScYFrGVCF+zE7dLSfMcYGKfi20CE2YhFRWakZgCpONKSoBxEd8LEogPxAKabTAbDid+sncAep/HBmqvT+wSdV3NE10KM8+1UbEr36FeO5lDrPuWRntH65qPdE7SY4td2sFgA5XGF5u0dS++3sWCWLBRR1O91WSO2GO3GuxGFNhmv7wnLJSP7if4eMeFRd7r/++Hq7Yqs5v8dxIWyzs+eo/IXiRPwhx1HHcfflJOkLS1c7Idu/SFaTLa6yw76JP5EtxuA849HJmuW1azKeJhUPS1wIxbWtfNXG68zLi+7Na2QScuaw4augy0MBjPKqxzrjOrIh6xn2MSryHd2lcfXciiqETfEzXAThzXuOmp2L2j9+bfaVinbnDTx2nWT8XtFov832Q4atbiZrBhx0iGJ2M3XHgHOV3pkhEmo2WJTmXBA/YbrMQw6PDcUdeiKDOZShjfvnt7g35zftQ2KTWMyOdJUwlu/+MN+lxRNdK7teIiU7TfqTNtckPHIbpF7+uis2BaV6Olk4gPaReojD1GwAItj3IcHYJqAsGxJ8PN4w9owByrIsFpWbAJ3Au4jFiA3ACt8mhTaXdgxu12tQM6x6avFT4V7pwKsiqwilVW0sDdlngwvvjJ0SdMBulUUWBmq+i8QOgibgFVA3ixhFZLCcDK+d8TQC1x9EkYruNUdPaCoHvGYj84vnNbQa3qGR1pkWECg1Hil59Y2FpENN47gOfLcv2DuDer6O87ERkxKst11L7rHegW8nGRpwcAXnMcXWKIjIolExGLIoegU+RGi2yR6Q0zJLr8ENmCy43GRfzclS5sYdbpoCeIuhCRMZFSnDBRUlXMt9ES3gewS3KXBvga8xS8wsqsVNLILH5ICqCvf8jA4xgfNk92N7lcZnkKYlvA8fPfiMgKfJ8ZE8ttsAvYcjSnCR6FgolESDORDumS64zPeRY7LLoD+08JgUfvDN6BHbsXYhd27KreLuwfE8L+KSHsf04I+38khP3nNLCNLDme0xQipYEe3zwTWVFxUL7n2wTvZA28vEuglxQVZ8uiTKN9Wy0T82XsJCQPmaVQSjT9TOL7RkSmXUJighPUiqSxJi3gNNak3uqqTDCLlIimrDqJqWqksaYHvU8gQow01jBLBRvMmiTAK8HuBRZSU5KACdc/WaokehTWP8nSrCjOE7jVZFFmhCfwYVvACYIkAFfNtya+W9RC1kkgl1WWIKZBFDOMYJ6ggEhneEkF2UbMuurCFphv/6D5PAXe6wzagCaB7NrBpMHaJdYmgT5fluuf0vigdTZn5s9JGo0RncWdFdcDrGR0Ua2TXHOASomKX+WmnY8/2qytDmBqVs7PH9854oCD2pcEuOsmH6+DXAf2gnGawobR2SLFIbJFzOLsXcApdAOdsRKSFLMkoo6V6x9ybcpBM/9IsLUiSWBztqApzBgNjuaC5ixawegubCbScEkh84pTTWQKanvgbJlANslSb7CJOvO/Az2UQR4FsKJLpo3C8T0hLewEGp+iZSpSq2S01tCJXCWSry4z37F4AuhGUVwkUCRdKVAqtNMp15uVZDpzE2bjQ99ihZMweD5SCBsD8trNt48Nl2mDRfQ5x7k280rFGhZYQ6VuVlAKqFV0XOPr0XVNcmywMLlhEX/Y9bGdBvbBXOI8j30HWB47rFq3DkrwFrEiI0rKIklXIgs4gZnGiixNcqTveJSCzOVd9PZMpY7fspSVulQsMlCODTNV9OwzzgSN12KnhaqjTtRp4ELxbXy3Fpeu62m24DL6c94AT5Dyb23e6FLHAk0gcawNnQDV6LkJXC6TsK5YJrnApVSxBVgxr5YprlnBNEkhFgqdhGFTzIEQ1EBzpehwo8tw1wA6dsafgxo7HU9sNrEtkCQVZdINgI5uicr4mpFUbJkF5nE9Ge5GUBX/zSozN5Q3Otiok6lbsG7EaxImS1C46WfixBYGHmxsaVBmzpEUHV2stf0wI6tYdf4D0PS+ZNEDASVVxVJhYQY9d2NA3iQBHP/pdZ3IPn7sTQGNAFjJZYZ1GXFgQBe0wrGhKop5Cv1OUQJ0cF1HEwGPT2QLOW4L1w5kqfIEGMd3ZOoEvmHtfMMJ8gE0jZ0I4AYeJzBONP0cnwFCDVqjQU1gSmm2TCB4dRnby6YVSXEPFMmjK9JakVBX3AiATbwRW12YlY7eVXNNROxCieC02KcCdU06Y2/fLE18tnJA40f0mpmeseFuy+jdWqt8niQPvVI8wVtYaaqynMWuek8ytqKODKUggyHa4CK2N3idMaENXiTQDNZMmRRq+LoUCVo3GakqEdPNGmqLFugoel4Zid5XAg2WbrJHEg7L+4Q5y9GFojkz6AKr3Hcz1ND+PYyOm5yVkEpjE0IBDAzRR9DfgEiOQqU6TT4EE+kod1WUXG7pYLDgQfotZBWtqfcDeczS0PmMYN6Zokt6jwrcb7TQxmLFsuoPA0mOJGcahjPUq/ujhwZKSFdlKZVBw8ajCG1W2CBmUKnoYowVnpCW+5ghFCHCe6ujQQEx4Tu7j/SF5kyknsjfQdWu1sVTIyOX1KyomrXf1ytZDV40hARdU9WMIzISlVhpit5Sg2EiuLuruCHBizdyqV/duLLXl+jSj/g6Q2YVmFIEzYDfUz/6GNAW6B01vzMjqA6f85CpkxBvASO7m1sEi7vNaooVWc2YYEH8YObuBP21e+ITZmFAMsQrjisBs36XFcxxrZu4hxu49/q179lT+nbczZ6aJtx+fvGIsW8PIotY0/SwzquwLPpA7w3cijF3wRTTqEcEUju47h1MqBZ8ZOIldM9NOA4c+udqapCinyuqzZ6m3cdnKz++V75TGWAsj1vVSey+R6rJO911p+zDyWEEsbGdv0OHdv1zcOcxZ/8fnm9oF7u+rIUCrB3mDbAa4iXxPpKF7eMyx5oil67dYIMGt6o5Jf+L0+ArmlHwDeZSufb1QTIihDXSlMK4M7x/XpXCQmMywXjfQYdpt7QAtbdlGlIpmIC2D+mSqoI5dWMqpNsl3WAOtmacLinidE05wlqzpXAH187rD7M+tGQ+ofyG9fdw+vwkk54tZpVgnyvaH5OIw5evg+9xHROPm4JSazQsdxeSSCEo5FagDTOrMUGBUKAypNHYFT2qvOjRpoUlJ8iT5onicskI5shiMGL6ABanxQ6WGhnTeDralautDqPXSWfbyF5Wa+wHHnOGdbaSyW0CZ8Q15hrMUmmHGlmp2B3BE+4HgNylsdjCm+YHsRBOsZqdcy2tIb5z3y4hWI5+9b+YoXOxbf5vAN2ALa+FQTifEVmUlaEqLIaTuPHtxtKZZ1/1zwJmLO4cCDN/q17/6bs/W9v3snMcNcW+CqLt+TSLGzF7qOMGb6lC/9z45PQrjwYgF771set/0vO8aHHe4fq953Fk8vIh2fZ1f2CKXWeG3v324crunSrqnCfgL82ZJoqWWJCt1Sq9esb7uSAIKHSGPrz9GV0L8/3rM3T97vLqP39GH6+F+ekH9GKz2iJBmVlRhchKaj8qTSpFiYFvfffT//pvL78OUoSaVUIZ16cHyNRZgcPjeHRi7nvkNb91vHhdIxW+4vnzQrormw5gfmTDuAc/8CF8e4ppa518YspUmKM35++CyP4hBU3nyzqOM/6PFHQWpq1F94sRobCRw8ITjuA5vsF7zmGJDd3gE4xIB+6+Qed5rsBP67g8hE7z9JKiPDbO+dRYyPXF2xv3Ko2GxwqsJ4x+7DiVnKbq3250fWNRGfF+WRoeOQkiCg3t2uM0rDWxzE3XmlZAdNDFec7slzFvA7adWf7hd25CBrAmIVxw6W/45S4LDFBpc62T6HUPfdIweucxvJHKNCJ5IHRzCLDBATCzPSx59cS0d/thYlk/JvW23o4RXtCQ3TiVF9djB5Yv1loSZlVO5zca6DjIymWFxZLOGtOJSLFgy0rRHM23AJOKHLKGwnKmPLL1wKBodERbDi66SNDvgEfU/bslXNEdAIoW0tDMZ3bHzzOKT9pc6AxnLhU/AejSqDTAFwlYYpGgWpinuA6p+p+UCYiK86z2xKVTy/sWvN3HrL9a15lwAg32yqyoEtSgD9uSnqGP9TP2Bhxg36Ob2gE2eAl+G9PU6lE9EygTI6ZxjbT3i58hzHlQmSjbL0KCG1aQmLemyr6BTBiJtIHHnAn08XpUoBBIkE0mr6KLbAtUlgnGvlnAiurYGb0WbIISF/cixk5FB397AmzdaIWMU7GMPikScLbKR0ItdEQDdSoP5p0AjEAE0gkWCKNfpNpglQ/ndCN0voRkL4WwvfH3kEs3p2ZDqQirnpG7Jj42xi0N5t1QnUMGQct4yIwY7JAJn+cKaQkFM1Ys+REb4S2uORZTxPEf4KCsE0Q6LsrBBnddlm0kZW0t2CUYsLsvT+xIJSXQhWAdrx/cwyL2WBlGKo4Vgn7RqEbixdX9z2/kUi4W4envlGRmRZMf7w6yH+yC7jZ28L6yeFt0zyuzosL4ZPFRtHUVs3PCwxJ63JLjqH/UVI0iLCtD5LSU9kuOI3xbEUK1HsEZOo8f1xztuMQTwAtZFXcp1RYFChMGuE0hnHZwpD0crVSCAJ8upbDvipVbIeWw+SEaKEq7u1rH60c38m5i5LqWQs0AZzRv9uP9MD19mAmkmakC8hNBcQH1ItpDXWGNcC5L+7qYFWUKyY1oj8wRzuB7KWQxklcLMzk0cy3qp1UirHLPRG7lj1S6IQBGvzBO0blHbDYgw0OcvaLZmLuTownjzf5Pkq4wSoJbn7UQlwqhPQYIEbPe/QmEcPl6t75eIzYlxhNC5zJl9UBg83O6wmsmK9AuiSxKJQs2kqFIp0buSuA5hyKyBbrYjxsT60bsJESyj+GO1omCCOxgGHW4zBEIBtZv8Et9up1Xtr1vo2zXlllWwvTL2WJr9DmUgWfkGLP+QVoQvMdLKqhipN4SEAQS/fqpBcys4KkNzXZDHtkZ+W6mjRoPftZ7Oqbt1sn29Hr/nrx64dZKuK+gadoY4YYVVFu57rQ9RUs6GkTypxCtKcTBg4DGg088BvVA1jqmd/fJWOv7h+3pu0xHG3L64K15h/GhHQ72BjtuBcIDhMGXu7vXB3enJj07d9Gi7E0dPrlovVSnESAH5HgjQL5cdvz+8JHFGm0wzZE9TD6qSSVIzDv2APkxKTvG3NuAGRulHkrQen7q6JU7lVllBTUreYIoCd7xJCOHhv/a6IFDLyUlk3qd9kR13kvu/bUWkT18mcgT8p+zH//0J/TizeX5zUt0ybRhYlkxvaI5lMIHceFyKZP3BdoXCYNs2YXDwx8zfHEkY0zJxF7FffWf9lRDGDQ3Bjzy0YY+P+a6EEj7b+p+O44/wCkUM8Ui1Ca9zRTDPFZ3ut5G3uOcVdqtgKRCmhWMY+XEkxWb9g4ReNfD5VVwzzXLp+w00s2U/2gZofYi9vpitpc8XZ3Fudh31yGs4SsNO/5f7ySCTwa84B03tFOWkYddmVKlTAwYhGyA1FItsWB/7MmqFulY4aHEPoLSXZ4aIfeCqWAtaaKuP7/Y5eC1cC2+XO+inazmXynmZkWwoqhUNJcFEzhYcNcRTzfYMCqMPpgez/GUu32DT7pZ1/qRlokY116dr63gKrEy0Ayp3ep+sTphsyMvbB4iURc0pwobmmfRksr28IcVPr/UKzbBsxsl1yxvmof57+Gy5F5THTCGb/5jn7VdnTas4LSbZPlEu2yW9L3+zHZkm8HhoZA5uWYuer7qK+4jLeAapTPmUPDHap70HnSmzo86ldDLwEadjgoaK9ZIG6mcxLfQCmowrPY1fGtmv/V1ePcFy3NOp5Nyb2G9h8q5wPF25N5Rcq4ejzHNdm/8ap0OQ2JbR2fPUMmxPTL7PkuFqCBqW455+SEVcgJ78gEZdKqxLX+V2qC3mKyYGDHpcpxIcnzVp/VHAZn+paJWfFj9yDU50zP0Jscl+gT/4/SjXApXd/q34eOJVnhNrebEKVboc0XVFkEPQl1KoWmtUYWLU+1+M/jNNPLS98AjFrJidRdI4bbv+vKN41lvaQJUWwZ675ujPhRTmPKU1mHW5/G6tfROEyNrG/qHl2mkKiGCdqw+a14eF3l2baRGauw8xMxbmOkPAqMNE7ncaKRLStiCEfvJWahO0OfJDi+I3Z7Dt825QS+gIywVpH2GIHT5skMtVAl4x9/QJSZb9FHvNr5tIrBFv5A2enatXWECg33kte+aWoAK1KoBk9kXcUDxpg9AoPp/p9IUynmG5NvddnqFeqw7r1OvAzuGHQYZzf/miM1Ok9c7tlWf4etd77Wsu4Ktj3cBHe5mGoddEzDYPZs2IdMdw+CEwg0pDhc/Q9lAzJGAoxVusOWcLpjwvnoQTtDVr8DlSNNBwO6oQrFEuLUOmJ76F1swNj7b1Hv3vZRGelM2PmxjMFkVE7fAb1cFgqOBddQ9jiRDXuZMxJsgFvVu2C1DUWHaxzMgpLplO3Asro12W94fmNo5wDrt23cA6xKrmqfsn8/arWxWbNBKHdnbYW1Zl/z+oO2Z6DNLXFsLqbbpDvwvusTiXw92jKkR2e2iXqvnoafJkuUvrwD6gb2dTCUa7Krut75/V6NckFFhlCyPER25rOYD58KDeNyvaa1teqAcAXB01R3T3sMLWZRYbJv7CNcOxuk7e2VNlX2GMiYWMqwUYH2XukbogPzoWZE1Zhuativ64nOqHIFfKs636D8qzNmC0RxdQt2zcw4GUdnQeUakvGMnCrr/TufIrd/az5iPafPRu8224fCyMqByHznC9PBdf98s4afseHe088nP0Idt6bbeeg4scdwJjh+eoossajPZHtoWB+eIUF/rUNvaPjJTuOoa5XIXO+dZLKWqvf0QYn7/ZuTIO71yIrNTTYsy7RyiPaSwKx/03NdoKikTaSK7SNl17HmgEpuwa5KIDOuY0f4OYOXL6SNDrhSPeMwdqBFPpTFGs0rF8oZ0YGqqMryMZ1O2oKM/T7ugo6Y/7oL2XJ9AsNB7QwWoVvGNEws/Gjc3it5K0V6qTGyNyi0xRS3hjsz9AMuCevXK//eFR+GV/w+f1xRy+2NOVTg7z2/nhNFzt5lu8Bw8rp1Ra4Pt5H4gmjWpmFhQpUbirsN9T7KvruJ/kPRB9+wESNZ9iRedYwhcKQhry6RXKrDEZOx35eL2lu0+QAax6v7pr3SYoDU+8JOVK6qm8UdYnd1nPL24gNGPL9EFrB9GjSozUbOUETpfUOWHf9KdLMw9zXlp0tBxh5CdA7eLfq07naL3njT741iv5ONbo4RPG92yP8LeGnaXSKZc//UKCbqUhrkDLFdYj0yA0mTqtkKdo3SLjw8XtEedbALUIMGlx2N14/S6/iackKLZcoqKit3+Rs3Uww+jg5atNGFaV9GVToAMyVLpvHVPi6EAhlSppD7QwaF0peeVXRzdQnB6n3SaJEOi6Qzuo8gvbiG1c/9j1JGexyH5eOm5B8dxEao1z9YpX/R+SNU7soPI5JllPVxFb9OoUwFmd9Rb1ImaG3zVjivpPkggW39AGuJ1UqHr2/O/vr1BN/adQr+JkekrLbaJKqmPwfbDRoaxBTFEVpTc6aOcyA8Twml7kIWGzjX9OpsWYZAG6kcQtlJwj5ZLFRs0hTyBkuvwaLqCjBoNgLPBpppswmcXyzXmLHeMGECiLwgn62q9TxACxe7oVvfFdiTOrxNII8NeGVPqjMEM2iSg4ShTEITgZ3Cb2FLUlS9SMbM9cKOILIqkfeIeiLfDwzuEwiX4G6Yo71uasV0sG45FpvWpBt7alZ0M/93vtq7RCmLrSo2zUrIp0qpDCDsMEGAASIWtASArWWEhBo0zUreb8qsCIiMx24naNjcPi595+Pub83f+3XvVW755UIxUfd9/9J5tTN9la8mrVAQ4r+c4Cz/nppmMXY/zrQQzGr1wSOiX0K0DCnvribo98AiQDu6GV4mk2RuP60fBjE8XmO0WHaypgkyBRcURkYLQ0lhD+dad4Uh7hc0mpfR1hLcGez1C2yJaSmWQtPT99d/OQym4QbLH5jupltMnWPYLDHZcrHPsmp0EG8X8+9VvN9c36C2+L5jIm7He4WO1e5s8DXNniOLItvw2Brvbt61GfQqXLEZPz3ZVjtliuoLNUxfh11tOrnbsOMu8VL6+9F16PRZ7MeTTHcqJewXUOy7+y9cNN4U5Ih9qkrFvN/hLrAl9ouxGP64arPgmqFu44t4zpKtAijrW6C/aKCmW/zrnmNxxpg3N//LK/+2s+ZSJBSXhjxZM0Q3mQUUGz3nnNwiLHGmJRthS0SXTRm2tZT+lsCixWflm/Q0OqI/DAElwSk2FpiuEdvVaRKpOF/JGn2wwp8Ko7T/93wAAAP//Gm+GWA==" } diff --git a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml index e6db84b9385..7c31ecd11ff 100644 --- a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: ftd +- name: cisco.ftd type: group description: > Fields for Cisco Firepower Threat Defense Firewall. diff --git a/x-pack/filebeat/module/cisco/ftd/config/input.yml b/x-pack/filebeat/module/cisco/ftd/config/input.yml index a505d3030eb..4892400a8b9 100644 --- a/x-pack/filebeat/module/cisco/ftd/config/input.yml +++ b/x-pack/filebeat/module/cisco/ftd/config/input.yml @@ -22,4 +22,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json index 94cd0b8b7bd..72b115c6975 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json @@ -35,6 +35,15 @@ "network.bytes": 148, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "Outside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.233.123.123" @@ -79,6 +88,15 @@ "log.offset": 200, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Inside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -122,6 +140,11 @@ "log.offset": 381, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -168,6 +191,15 @@ "log.offset": 545, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "Inside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -207,6 +239,13 @@ "input.type": "log", "log.level": "critical", "log.offset": 734, + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json index 37b0b3de1b6..70e87e332d9 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json @@ -1,7 +1,12 @@ [ { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8256, "event.action": "firewall-rule", "event.category": [ "network" @@ -21,9 +26,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 0, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1772, "tags": [ "cisco-ftd", "forwarded" @@ -31,7 +54,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11757", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1772, + "cisco.ftd.mapped_source_ip": "100.66.205.104", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1772, "event.action": "firewall-rule", "event.category": [ "network" @@ -51,9 +84,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 150, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.205.104", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.205.104", + "source.ip": "100.66.205.104", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -94,8 +146,17 @@ "network.bytes": 38110, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -144,8 +205,17 @@ "network.bytes": 44010, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -194,8 +264,17 @@ "network.bytes": 7652, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.185.90", "172.31.98.44" @@ -244,8 +323,17 @@ "network.bytes": 7062, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.185.90", "172.31.98.44" @@ -294,8 +382,17 @@ "network.bytes": 5738, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.160.197", "172.31.98.44" @@ -344,8 +441,17 @@ "network.bytes": 4176, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.205.14", "172.31.98.44" @@ -394,8 +500,17 @@ "network.bytes": 1715, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.33", "172.31.98.44" @@ -444,8 +559,17 @@ "network.bytes": 45595, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.35.9", "172.31.98.44" @@ -494,8 +618,17 @@ "network.bytes": 27359, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -544,8 +677,17 @@ "network.bytes": 4457, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.218.21", "172.31.98.44" @@ -594,8 +736,17 @@ "network.bytes": 26709, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.27", "172.31.98.44" @@ -644,8 +795,17 @@ "network.bytes": 22097, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.27", "172.31.98.44" @@ -694,8 +854,17 @@ "network.bytes": 2209, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.202.211", "172.31.98.44" @@ -744,8 +913,17 @@ "network.bytes": 10404, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.15", "172.31.98.44" @@ -794,8 +972,17 @@ "network.bytes": 123694, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.15", "172.31.98.44" @@ -844,8 +1031,17 @@ "network.bytes": 35835, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.209.247", "172.31.98.44" @@ -894,8 +1090,17 @@ "network.bytes": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.35.162", "172.31.98.44" @@ -911,7 +1116,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1188, "event.action": "firewall-rule", "event.category": [ "network" @@ -931,9 +1141,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 3552, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-ftd", "forwarded" @@ -941,7 +1169,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11758", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.80.32", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -961,9 +1199,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 3703, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.80.32", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.80.32", + "source.ip": "100.66.80.32", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -1004,8 +1261,17 @@ "network.bytes": 148, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.80.32", "172.31.98.44" @@ -1021,7 +1287,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11759", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.252.6", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1041,9 +1317,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 4071, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.252.6", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.6", + "source.ip": "100.66.252.6", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -1084,8 +1379,17 @@ "network.bytes": 164, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.6", "172.31.98.44" @@ -1101,7 +1405,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8257, "event.action": "firewall-rule", "event.category": [ "network" @@ -1121,9 +1430,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 4439, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1773, "tags": [ "cisco-ftd", "forwarded" @@ -1131,7 +1458,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11760", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1773, + "cisco.ftd.mapped_source_ip": "100.66.252.226", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1773, "event.action": "firewall-rule", "event.category": [ "network" @@ -1151,9 +1488,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 4589, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.252.226", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.226", + "source.ip": "100.66.252.226", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -1161,7 +1517,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8258, "event.action": "firewall-rule", "event.category": [ "network" @@ -1181,9 +1542,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 4784, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1774, "tags": [ "cisco-ftd", "forwarded" @@ -1191,7 +1570,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11761", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1774, + "cisco.ftd.mapped_source_ip": "100.66.252.226", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1774, "event.action": "firewall-rule", "event.category": [ "network" @@ -1211,9 +1600,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 4934, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.252.226", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.226", + "source.ip": "100.66.252.226", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -1221,7 +1629,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11762", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.238.126", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1241,9 +1659,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 5129, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.238.126", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.238.126", + "source.ip": "100.66.238.126", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -1251,7 +1688,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11763", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.93.51", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1271,9 +1718,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 5326, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.93.51", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.93.51", + "source.ip": "100.66.93.51", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -1314,8 +1780,17 @@ "network.bytes": 111, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.238.126", "172.31.98.44" @@ -1364,8 +1839,17 @@ "network.bytes": 237, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.93.51", "172.31.98.44" @@ -1381,7 +1865,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8259, "event.action": "firewall-rule", "event.category": [ "network" @@ -1401,9 +1890,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 5871, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1775, "tags": [ "cisco-ftd", "forwarded" @@ -1411,7 +1918,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11764", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1775, + "cisco.ftd.mapped_source_ip": "100.66.225.103", + "cisco.ftd.mapped_source_port": 443, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1775, "event.action": "firewall-rule", "event.category": [ "network" @@ -1431,9 +1948,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 6021, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.225.103", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.225.103", + "source.ip": "100.66.225.103", + "source.port": 443, "tags": [ "cisco-ftd", "forwarded" @@ -1441,7 +1977,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1189, "event.action": "firewall-rule", "event.category": [ "network" @@ -1461,9 +2002,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 6218, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-ftd", "forwarded" @@ -1471,7 +2030,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11772", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.240.126", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1491,9 +2060,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 6369, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.240.126", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.240.126", + "source.ip": "100.66.240.126", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -1501,7 +2089,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11773", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.44.45", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1521,9 +2119,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 6566, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.44.45", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.44.45", + "source.ip": "100.66.44.45", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -1564,8 +2181,17 @@ "network.bytes": 87, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.240.126", "172.31.98.44" @@ -1614,8 +2240,17 @@ "network.bytes": 221, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.44.45", "172.31.98.44" @@ -1631,7 +2266,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8265, "event.action": "firewall-rule", "event.category": [ "network" @@ -1651,9 +2291,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 7110, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1452, "tags": [ "cisco-ftd", "forwarded" @@ -1661,7 +2319,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11774", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1452, + "cisco.ftd.mapped_source_ip": "100.66.179.219", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1452, "event.action": "firewall-rule", "event.category": [ "network" @@ -1681,9 +2349,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 7260, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.179.219", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.179.219", + "source.ip": "100.66.179.219", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -1691,7 +2378,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11775", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.157.232", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1711,9 +2408,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 7455, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.157.232", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.157.232", + "source.ip": "100.66.157.232", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -1721,7 +2437,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11776", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.178.133", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1741,9 +2467,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 7652, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.178.133", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.178.133", + "source.ip": "100.66.178.133", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -1784,8 +2529,17 @@ "network.bytes": 101, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -1834,8 +2588,17 @@ "network.bytes": 126, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.178.133", "172.31.98.44" @@ -1851,7 +2614,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8266, "event.action": "firewall-rule", "event.category": [ "network" @@ -1871,9 +2639,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 8203, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1453, "tags": [ "cisco-ftd", "forwarded" @@ -1881,7 +2667,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11777", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1453, + "cisco.ftd.mapped_source_ip": "100.66.133.112", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1453, "event.action": "firewall-rule", "event.category": [ "network" @@ -1901,9 +2697,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 8353, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.133.112", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.133.112", + "source.ip": "100.66.133.112", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -1944,8 +2759,17 @@ "network.bytes": 862, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.133.112", "172.31.98.44" @@ -1961,7 +2785,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11779", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.204.197", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1981,9 +2815,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 8733, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.204.197", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.204.197", + "source.ip": "100.66.204.197", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -2024,8 +2877,17 @@ "network.bytes": 104, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2074,8 +2936,17 @@ "network.bytes": 176, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.204.197", "172.31.98.44" @@ -2091,7 +2962,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8267, "event.action": "firewall-rule", "event.category": [ "network" @@ -2111,9 +2987,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 9284, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1454, "tags": [ "cisco-ftd", "forwarded" @@ -2121,7 +3015,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11780", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1454, + "cisco.ftd.mapped_source_ip": "100.66.128.3", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1454, "event.action": "firewall-rule", "event.category": [ "network" @@ -2141,9 +3045,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 9434, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2151,7 +3074,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8268, "event.action": "firewall-rule", "event.category": [ "network" @@ -2171,9 +3099,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 9625, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1455, "tags": [ "cisco-ftd", "forwarded" @@ -2181,7 +3127,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11781", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1455, + "cisco.ftd.mapped_source_ip": "100.66.128.3", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1455, "event.action": "firewall-rule", "event.category": [ "network" @@ -2201,9 +3157,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 9775, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2211,7 +3186,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8269, "event.action": "firewall-rule", "event.category": [ "network" @@ -2231,9 +3211,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 9966, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1456, "tags": [ "cisco-ftd", "forwarded" @@ -2241,7 +3239,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11782", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1456, + "cisco.ftd.mapped_source_ip": "100.66.128.3", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1456, "event.action": "firewall-rule", "event.category": [ "network" @@ -2261,9 +3269,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 10116, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2271,7 +3298,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11783", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.100.4", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -2291,9 +3328,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 10307, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.100.4", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.100.4", + "source.ip": "100.66.100.4", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -2334,8 +3390,17 @@ "network.bytes": 104, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.100.4", "172.31.98.44" @@ -2351,7 +3416,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8270, "event.action": "firewall-rule", "event.category": [ "network" @@ -2371,9 +3441,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 10675, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1457, "tags": [ "cisco-ftd", "forwarded" @@ -2381,7 +3469,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11784", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1457, + "cisco.ftd.mapped_source_ip": "100.66.198.40", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1457, "event.action": "firewall-rule", "event.category": [ "network" @@ -2401,9 +3499,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 10825, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2411,7 +3528,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8271, "event.action": "firewall-rule", "event.category": [ "network" @@ -2431,9 +3553,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 11018, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1458, "tags": [ "cisco-ftd", "forwarded" @@ -2441,7 +3581,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11785", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1458, + "cisco.ftd.mapped_source_ip": "100.66.198.40", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1458, "event.action": "firewall-rule", "event.category": [ "network" @@ -2461,9 +3611,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 11168, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2471,7 +3640,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11786", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.1.107", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -2491,9 +3670,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 11361, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.1.107", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.1.107", + "source.ip": "100.66.1.107", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -2534,8 +3732,17 @@ "network.bytes": 593, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -2551,7 +3758,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8272, "event.action": "firewall-rule", "event.category": [ "network" @@ -2571,9 +3783,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 11738, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1459, "tags": [ "cisco-ftd", "forwarded" @@ -2581,7 +3811,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11787", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1459, + "cisco.ftd.mapped_source_ip": "100.66.198.40", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1459, "event.action": "firewall-rule", "event.category": [ "network" @@ -2601,9 +3841,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 11888, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2644,8 +3903,17 @@ "network.bytes": 375, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.1.107", "172.31.98.44" @@ -2661,7 +3929,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8273, "event.action": "firewall-rule", "event.category": [ "network" @@ -2681,9 +3954,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 12256, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1460, "tags": [ "cisco-ftd", "forwarded" @@ -2691,7 +3982,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11788", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1460, + "cisco.ftd.mapped_source_ip": "100.66.192.44", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1460, "event.action": "firewall-rule", "event.category": [ "network" @@ -2711,9 +4012,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 12406, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.192.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.192.44", + "source.ip": "100.66.192.44", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2741,8 +4061,15 @@ "input.type": "log", "log.level": "informational", "log.offset": 12599, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -2751,7 +4078,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8277, "event.action": "firewall-rule", "event.category": [ "network" @@ -2771,9 +4103,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 12769, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.156.80", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.156.80", + "source.ip": "172.31.156.80", + "source.port": 1385, "tags": [ "cisco-ftd", "forwarded" @@ -2781,7 +4131,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11797", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.156.80", + "cisco.ftd.mapped_destination_port": 1385, + "cisco.ftd.mapped_source_ip": "100.66.19.254", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.156.80", + "destination.ip": "172.31.156.80", + "destination.port": 1385, "event.action": "firewall-rule", "event.category": [ "network" @@ -2801,9 +4161,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 12920, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.19.254", + "172.31.156.80" + ], "service.type": "cisco", + "source.address": "100.66.19.254", + "source.ip": "100.66.19.254", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2831,8 +4210,15 @@ "input.type": "log", "log.level": "informational", "log.offset": 13115, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -2861,8 +4247,15 @@ "input.type": "log", "log.level": "informational", "log.offset": 13285, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -2891,8 +4284,15 @@ "input.type": "log", "log.level": "informational", "log.offset": 13455, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -2921,8 +4321,15 @@ "input.type": "log", "log.level": "informational", "log.offset": 13625, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -2951,8 +4358,15 @@ "input.type": "log", "log.level": "informational", "log.offset": 13795, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -2981,8 +4395,15 @@ "input.type": "log", "log.level": "informational", "log.offset": 13965, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -3024,8 +4445,17 @@ "network.bytes": 575, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.115.46", "172.31.156.80" @@ -3074,8 +4504,17 @@ "network.bytes": 5391, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.156.80" @@ -3091,7 +4530,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8278, "event.action": "firewall-rule", "event.category": [ "network" @@ -3111,9 +4555,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 14509, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.156.80", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.156.80", + "source.ip": "172.31.156.80", + "source.port": 1386, "tags": [ "cisco-ftd", "forwarded" @@ -3121,7 +4583,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11798", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.156.80", + "cisco.ftd.mapped_destination_port": 1386, + "cisco.ftd.mapped_source_ip": "100.66.115.46", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.156.80", + "destination.ip": "172.31.156.80", + "destination.port": 1386, "event.action": "firewall-rule", "event.category": [ "network" @@ -3141,9 +4613,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 14660, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.115.46", + "172.31.156.80" + ], "service.type": "cisco", + "source.address": "100.66.115.46", + "source.ip": "100.66.115.46", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -3181,8 +4672,17 @@ "log.offset": 14855, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3228,8 +4728,17 @@ "log.offset": 15020, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3275,8 +4784,17 @@ "log.offset": 15185, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3322,8 +4840,17 @@ "log.offset": 15350, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3369,8 +4896,17 @@ "log.offset": 15515, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3416,8 +4952,17 @@ "log.offset": 15680, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3463,8 +5008,17 @@ "log.offset": 15845, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3510,8 +5064,17 @@ "log.offset": 16010, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3557,8 +5120,17 @@ "log.offset": 16175, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3604,8 +5176,17 @@ "log.offset": 16340, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3651,8 +5232,17 @@ "log.offset": 16505, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3698,8 +5288,17 @@ "log.offset": 16670, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3745,8 +5344,17 @@ "log.offset": 16835, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -3762,7 +5370,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8279, "event.action": "firewall-rule", "event.category": [ "network" @@ -3782,9 +5395,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 17000, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1275, "tags": [ "cisco-ftd", "forwarded" @@ -3792,7 +5423,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11799", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1275, + "cisco.ftd.mapped_source_ip": "100.66.205.99", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1275, "event.action": "firewall-rule", "event.category": [ "network" @@ -3812,9 +5453,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 17150, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.205.99", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.205.99", + "source.ip": "100.66.205.99", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -3822,7 +5482,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1190, "event.action": "firewall-rule", "event.category": [ "network" @@ -3842,9 +5507,27 @@ "input.type": "log", "log.level": "informational", "log.offset": 17343, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-ftd", "forwarded" @@ -3852,7 +5535,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11800", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.14.30", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -3872,9 +5565,28 @@ "input.type": "log", "log.level": "informational", "log.offset": 17494, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], + "related.ip": [ + "100.66.14.30", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.14.30", + "source.ip": "100.66.14.30", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index b18307a7571..37efb99f483 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -76,6 +76,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -175,6 +184,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -272,6 +290,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -371,6 +398,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -469,6 +505,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -566,6 +611,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -666,6 +720,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -763,6 +826,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -861,6 +933,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -960,6 +1041,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1060,6 +1150,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "205.251.196.144" @@ -1153,6 +1252,15 @@ "network.iana_number": 6, "network.protocol": "dns", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1251,6 +1359,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1348,6 +1465,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1446,6 +1572,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1545,6 +1680,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1642,6 +1786,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1739,6 +1892,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1836,6 +1998,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1931,6 +2102,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -2030,6 +2210,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" diff --git a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json index 4397eb76e17..6e77e652aff 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json @@ -21,8 +21,15 @@ "input.type": "log", "log.level": "debug", "log.offset": 0, + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "service.type": "cisco", "tags": [ "cisco-ftd", diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json index 3540a3f6a15..605eba1e2a7 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json @@ -11,6 +11,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 0, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -31,6 +34,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 194, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -51,6 +57,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 386, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ChangeReconciliation.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -71,6 +80,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 568, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -91,6 +103,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 774, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "lights_out_mgmt.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -111,6 +126,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 943, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -131,6 +149,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1072, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -151,6 +172,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1191, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -171,6 +195,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1316, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -191,6 +218,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1440, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -211,6 +241,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1575, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -231,6 +264,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1721, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -251,6 +287,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1867, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -271,6 +310,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1984, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -291,6 +333,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2128, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -311,6 +356,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2285, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -331,6 +379,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2436, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -351,6 +402,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2580, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -371,6 +425,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2737, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -391,6 +448,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2888, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -411,6 +471,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3032, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -431,6 +494,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3143, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, @@ -451,6 +517,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3267, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, @@ -471,6 +540,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3440, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, @@ -491,6 +563,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3564, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, @@ -511,6 +586,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3739, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -531,6 +609,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3874, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -551,6 +632,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4002, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -571,6 +655,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4113, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -591,6 +678,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4238, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "index.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -611,6 +701,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4357, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -631,6 +724,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4492, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -651,6 +747,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4686, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -671,6 +770,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4870, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json index ba0bb71f417..681c8052cb0 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json @@ -56,6 +56,15 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -132,6 +141,15 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -204,6 +222,15 @@ "message": "APP-DETECT failed FTP login attempt", "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -276,6 +303,15 @@ "message": "APP-DETECT failed FTP login attempt", "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" diff --git a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json index 2b46be5b166..b204f179fa3 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json @@ -31,8 +31,15 @@ "message": "Intrusion attempt", "network.application": "webserver", "network.protocol": "http", + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "related.ip": [ "10.1.123.45", "10.8.12.47" @@ -71,8 +78,15 @@ "log.level": "debug", "log.offset": 150, "message": "Some message here (1:36330:2).", + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -106,8 +120,15 @@ "log.level": "debug", "log.offset": 247, "message": "Some message here (1:36330:2)", + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -153,8 +174,15 @@ "This one has a type id", "And two messages" ], + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "related.ip": [ "127.0.0.1", "192.168.3.33" diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json index 36a494d8f89..cc0af87b551 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json @@ -30,6 +30,14 @@ "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "LB-DMZ", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244" + ], "related.ip": [ "203.0.113.42" ], @@ -71,6 +79,13 @@ "log.offset": 201, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "localhost" + ], "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -98,7 +113,6 @@ "destination.address": "172.24.177.3", "destination.domain": "example.org", "destination.ip": "172.24.177.3", - "destination.nat.port": "80", "destination.port": 80, "event.action": "firewall-rule", "event.category": [ @@ -123,6 +137,16 @@ "log.offset": 360, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "eth0", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "wan", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "localhost", + "example.org" + ], "related.ip": [ "10.10.10.1", "172.24.177.3" diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index 05fc4af2cbc..592e7ae85e9 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -30,6 +30,11 @@ "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.30", "192.0.0.8" @@ -74,6 +79,11 @@ "log.offset": 139, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.30", "192.0.0.8" @@ -119,6 +129,11 @@ "log.offset": 294, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.16", "192.0.0.89" @@ -164,6 +179,15 @@ "log.offset": 465, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "INT-FW01", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "INT-FW01" + ], "related.ip": [ "172.29.2.101", "192.0.2.10" @@ -209,6 +233,15 @@ "log.offset": 632, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "INT-FW01", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "INT-FW01" + ], "related.ip": [ "172.29.2.3", "192.0.2.57" @@ -224,7 +257,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 12834, "event.action": "firewall-rule", "event.category": [ "network" @@ -243,7 +281,21 @@ "input.type": "log", "log.level": "informational", "log.offset": 812, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.3.42", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.3.42", + "source.ip": "10.123.3.42", + "source.port": 4952, "tags": [ "cisco-ftd", "forwarded" @@ -251,7 +303,18 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.connection_id": "89743274", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.mapped_destination_ip": "10.123.3.42", + "cisco.ftd.mapped_destination_port": 12834, + "cisco.ftd.mapped_source_ip": "192.0.2.43", + "cisco.ftd.mapped_source_port": 443, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "10.123.3.42", + "destination.ip": "10.123.3.42", + "destination.nat.port": "12834", + "destination.port": 4952, "event.action": "firewall-rule", "event.category": [ "network" @@ -270,7 +333,22 @@ "input.type": "log", "log.level": "informational", "log.offset": 938, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.43", + "10.123.3.42" + ], "service.type": "cisco", + "source.address": "192.0.2.43", + "source.ip": "192.0.2.43", + "source.port": 443, "tags": [ "cisco-ftd", "forwarded" @@ -278,7 +356,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 25882, "event.action": "firewall-rule", "event.category": [ "network" @@ -297,7 +380,21 @@ "input.type": "log", "log.level": "informational", "log.offset": 1110, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.1.35", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.1.35", + "source.ip": "10.123.1.35", + "source.port": 52925, "tags": [ "cisco-ftd", "forwarded" @@ -305,7 +402,18 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.connection_id": "89743275", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.mapped_destination_ip": "10.123.1.35", + "cisco.ftd.mapped_destination_port": 25882, + "cisco.ftd.mapped_source_ip": "192.0.2.43", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "10.123.1.35", + "destination.ip": "10.123.1.35", + "destination.nat.port": "25882", + "destination.port": 52925, "event.action": "firewall-rule", "event.category": [ "network" @@ -324,7 +432,23 @@ "input.type": "log", "log.level": "informational", "log.offset": 1237, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222", + "10.123.1.35" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.nat.ip": "192.0.2.43", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -332,7 +456,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 45392, "event.action": "firewall-rule", "event.category": [ "network" @@ -351,7 +480,21 @@ "input.type": "log", "log.level": "informational", "log.offset": 1405, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.3.42", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.3.42", + "source.ip": "10.123.3.42", + "source.port": 4953, "tags": [ "cisco-ftd", "forwarded" @@ -359,7 +502,19 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.connection_id": "89743276", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.mapped_destination_ip": "10.123.3.130", + "cisco.ftd.mapped_destination_port": 45392, + "cisco.ftd.mapped_source_ip": "192.0.2.1", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "10.123.3.42", + "destination.ip": "10.123.3.42", + "destination.nat.ip": "10.123.3.130", + "destination.nat.port": "45392", + "destination.port": 4953, "event.action": "firewall-rule", "event.category": [ "network" @@ -378,7 +533,22 @@ "input.type": "log", "log.level": "informational", "log.offset": 1531, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.1", + "10.123.3.42" + ], "service.type": "cisco", + "source.address": "192.0.2.1", + "source.ip": "192.0.2.1", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -418,6 +588,11 @@ "network.bytes": 140, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "10.123.1.35" @@ -467,6 +642,11 @@ "network.bytes": 9999999, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "10.123.1.35" @@ -508,6 +688,13 @@ "log.offset": 2012, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "FJSG2NRFW01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "FJSG2NRFW01" + ], "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -522,7 +709,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "192.0.0.130", + "destination.ip": "192.0.0.130", + "destination.port": 10879, "event.action": "firewall-rule", "event.category": [ "network" @@ -541,7 +733,21 @@ "input.type": "log", "log.level": "informational", "log.offset": 2167, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.3.42", + "192.0.0.130" + ], "service.type": "cisco", + "source.address": "192.168.3.42", + "source.ip": "192.168.3.42", + "source.port": 4954, "tags": [ "cisco-ftd", "forwarded" @@ -549,7 +755,19 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.connection_id": "89743277", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "10.0.0.130", + "cisco.ftd.mapped_destination_port": 10879, + "cisco.ftd.mapped_source_ip": "192.0.0.17", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.168.3.42", + "destination.ip": "192.168.3.42", + "destination.nat.ip": "10.0.0.130", + "destination.nat.port": "10879", + "destination.port": 4954, "event.action": "firewall-rule", "event.category": [ "network" @@ -568,7 +786,22 @@ "input.type": "log", "log.level": "informational", "log.offset": 2293, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.0.17", + "192.168.3.42" + ], "service.type": "cisco", + "source.address": "192.0.0.17", + "source.ip": "192.0.0.17", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -604,6 +837,9 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.0.66", "10.1.2.60" @@ -648,6 +884,11 @@ "log.offset": 2567, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -692,6 +933,11 @@ "log.offset": 2726, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -736,6 +982,11 @@ "log.offset": 2887, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -780,6 +1031,11 @@ "log.offset": 3048, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -824,6 +1080,11 @@ "log.offset": 3209, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -868,6 +1129,11 @@ "log.offset": 3370, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -912,6 +1178,11 @@ "log.offset": 3531, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -956,6 +1227,11 @@ "log.offset": 3692, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1000,6 +1276,11 @@ "log.offset": 3851, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.13", "192.168.33.31" @@ -1044,6 +1325,11 @@ "log.offset": 4008, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1087,6 +1373,10 @@ "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.66", "10.1.2.42" @@ -1130,6 +1420,9 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.66", "10.1.5.60" @@ -1174,6 +1467,11 @@ "log.offset": 4387, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1218,6 +1516,11 @@ "log.offset": 4546, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -1262,6 +1565,11 @@ "log.offset": 4707, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1306,6 +1614,11 @@ "log.offset": 4866, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1350,6 +1663,11 @@ "log.offset": 5022, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1394,6 +1712,11 @@ "log.offset": 5178, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.126", "10.0.0.132" @@ -1438,6 +1761,11 @@ "log.offset": 5325, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.126", "10.0.0.132" @@ -1482,6 +1810,11 @@ "log.offset": 5472, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -1526,6 +1859,11 @@ "log.offset": 5635, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1571,6 +1909,11 @@ "log.offset": 5796, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.99" @@ -1586,7 +1929,17 @@ }, { "@timestamp": "2018-12-11T08:01:24.000-02:00", + "cisco.ftd.connection_id": "447235", + "cisco.ftd.destination_interface": "identity", + "cisco.ftd.mapped_destination_ip": "10.0.13.13", + "cisco.ftd.mapped_destination_port": 80, + "cisco.ftd.mapped_source_ip": "192.168.77.12", + "cisco.ftd.mapped_source_port": 11180, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "10.0.13.13", + "destination.ip": "10.0.13.13", + "destination.port": 80, "event.action": "firewall-rule", "event.category": [ "network" @@ -1606,35 +1959,26 @@ "input.type": "log", "log.level": "informational", "log.offset": 5967, - "service.type": "cisco", - "tags": [ - "cisco-ftd", - "forwarded" - ] - }, - { - "@timestamp": "2018-12-11T08:01:24.000-02:00", - "cisco.ftd.message_id": "302015", - "event.action": "firewall-rule", - "event.category": [ - "network" + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "identity", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" ], - "event.code": 302015, - "event.dataset": "cisco.ftd", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)", - "event.severity": 6, - "event.timezone": "-02:00", - "event.type": [ - "info" + "related.ip": [ + "192.168.77.12", + "10.0.13.13" ], - "fileset.name": "ftd", - "host.hostname": "127.0.0.1", - "input.type": "log", - "log.level": "informational", - "log.offset": 6147, "service.type": "cisco", + "source.address": "192.168.77.12", + "source.ip": "192.168.77.12", + "source.port": 11180, "tags": [ "cisco-ftd", "forwarded" @@ -1672,6 +2016,15 @@ "log.offset": 6332, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.168.1.33", "192.0.0.12" @@ -1717,6 +2070,15 @@ "log.offset": 6487, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.168.1.33", "192.0.0.12" @@ -1732,7 +2094,17 @@ }, { "@timestamp": "2018-12-11T08:01:31.000-02:00", + "cisco.ftd.connection_id": "447236", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.mapped_destination_host": "OCSP_Server", + "cisco.ftd.mapped_destination_port": 5678, + "cisco.ftd.mapped_source_ip": "192.0.2.222", + "cisco.ftd.mapped_source_port": 1234, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "OCSP_Server", + "destination.domain": "OCSP_Server", + "destination.port": 5678, "event.action": "firewall-rule", "event.category": [ "network" @@ -1752,7 +2124,26 @@ "input.type": "log", "log.level": "informational", "log.offset": 6642, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "OCSP_Server" + ], + "related.ip": [ + "192.0.2.222" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-ftd", "forwarded" @@ -1760,7 +2151,17 @@ }, { "@timestamp": "2018-12-11T08:01:31.000-02:00", + "cisco.ftd.connection_id": "447236", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.mapped_destination_host": "OCSP_Server", + "cisco.ftd.mapped_destination_port": 5678, + "cisco.ftd.mapped_source_ip": "192.0.2.222", + "cisco.ftd.mapped_source_port": 1234, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "OCSP_Server", + "destination.domain": "OCSP_Server", + "destination.port": 5678, "event.action": "firewall-rule", "event.category": [ "network" @@ -1780,7 +2181,26 @@ "input.type": "log", "log.level": "informational", "log.offset": 6817, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "OCSP_Server" + ], + "related.ip": [ + "192.0.2.222" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-ftd", "forwarded" @@ -1821,6 +2241,15 @@ "network.bytes": 14804, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -1869,6 +2298,15 @@ "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.35" @@ -1917,6 +2355,15 @@ "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.35" @@ -1946,20 +2393,26 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "deny", + "event.outcome": "tcp", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "info" ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", "log.offset": 7504, - "network.iana_number": 6, - "network.transport": "tcp", + "network.transport": "(no", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -1989,20 +2442,26 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "deny", + "event.outcome": "tcp", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "info" ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", "log.offset": 7651, - "network.iana_number": 6, - "network.transport": "tcp", + "network.transport": "(no", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -2048,6 +2507,15 @@ "log.offset": 7798, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.168.1.34", "192.0.0.12" @@ -2063,7 +2531,17 @@ }, { "@timestamp": "2018-12-11T08:01:53.000-02:00", + "cisco.ftd.connection_id": "447237", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.mapped_destination_ip": "192.168.1.34", + "cisco.ftd.mapped_destination_port": 65000, + "cisco.ftd.mapped_source_ip": "192.0.2.222", + "cisco.ftd.mapped_source_port": 1234, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.168.1.34", + "destination.ip": "192.168.1.34", + "destination.port": 65000, "event.action": "firewall-rule", "event.category": [ "network" @@ -2083,7 +2561,26 @@ "input.type": "log", "log.level": "informational", "log.offset": 7954, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-ftd", "forwarded" @@ -2091,7 +2588,17 @@ }, { "@timestamp": "2018-12-11T08:01:53.000-02:00", + "cisco.ftd.connection_id": "447237", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.mapped_destination_ip": "192.168.1.34", + "cisco.ftd.mapped_destination_port": 65000, + "cisco.ftd.mapped_source_ip": "192.0.2.222", + "cisco.ftd.mapped_source_port": 1234, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.168.1.34", + "destination.ip": "192.168.1.34", + "destination.port": 65000, "event.action": "firewall-rule", "event.category": [ "network" @@ -2111,7 +2618,26 @@ "input.type": "log", "log.level": "informational", "log.offset": 8133, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-ftd", "forwarded" @@ -2152,6 +2678,15 @@ "network.bytes": 11420, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "10.10.10.10" @@ -2199,6 +2734,11 @@ "network.bytes": 1416, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.44.4.4", "10.44.2.2" @@ -2239,6 +2779,14 @@ "input.type": "log", "log.level": "critical", "log.offset": 8624, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2278,6 +2826,14 @@ "input.type": "log", "log.level": "critical", "log.offset": 8745, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2317,6 +2873,14 @@ "input.type": "log", "log.level": "critical", "log.offset": 8866, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2356,6 +2920,14 @@ "input.type": "log", "log.level": "critical", "log.offset": 8987, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2395,6 +2967,14 @@ "input.type": "log", "log.level": "critical", "log.offset": 9108, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2434,6 +3014,14 @@ "input.type": "log", "log.level": "critical", "log.offset": 9229, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2473,6 +3061,14 @@ "input.type": "log", "log.level": "critical", "log.offset": 9350, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -2512,6 +3108,14 @@ "input.type": "log", "log.level": "critical", "log.offset": 9472, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -2556,6 +3160,15 @@ "log.offset": 9594, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "GIFRCHN01", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "192.0.2.95", "10.32.112.125" @@ -2598,6 +3211,14 @@ "log.offset": 9748, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Outside", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "10.2.3.5" ], @@ -2638,6 +3259,10 @@ "log.offset": 9858, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.16.30.2", "172.16.1.10" @@ -2686,6 +3311,14 @@ "log.offset": 9994, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "bad.example.com" + ], "related.ip": [ "10.1.1.45", "192.88.99.129" @@ -2717,7 +3350,6 @@ "destination.address": "192.0.2.223", "destination.ip": "192.0.2.223", "destination.nat.ip": "192.0.2.225", - "destination.nat.port": "80", "destination.port": 80, "event.action": "firewall-rule", "event.category": [ @@ -2740,6 +3372,11 @@ "log.offset": 10245, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outsidet", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", "192.0.2.223" @@ -2748,7 +3385,6 @@ "source.address": "10.1.1.1", "source.ip": "10.1.1.1", "source.nat.ip": "10.2.1.1", - "source.nat.port": "33340", "source.port": 33340, "tags": [ "cisco-ftd", @@ -2769,7 +3405,6 @@ "cisco.ftd.threat_level": "very-high", "destination.address": "192.0.2.223", "destination.ip": "192.0.2.223", - "destination.nat.ip": "192.0.2.223", "destination.nat.port": "8080", "destination.port": 80, "event.action": "firewall-rule", @@ -2794,6 +3429,11 @@ "log.offset": 10544, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outsidet", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", "192.0.2.223" @@ -2802,7 +3442,6 @@ "source.address": "10.1.1.1", "source.ip": "10.1.1.1", "source.nat.ip": "10.2.1.1", - "source.nat.port": "33340", "source.port": 33340, "tags": [ "cisco-ftd", @@ -2834,6 +3473,9 @@ "input.type": "log", "log.level": "notification", "log.offset": 10843, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.30.30.30", "192.0.2.1" @@ -2872,6 +3514,9 @@ "input.type": "log", "log.level": "notification", "log.offset": 10920, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.5.111.32", "192.0.2.32" @@ -2911,6 +3556,10 @@ "input.type": "log", "log.level": "notification", "log.offset": 11012, + "observer.egress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.69.6.39", "192.0.0.19" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 89bd797ebff..3cef5df9a0f 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -59,6 +59,15 @@ "network.iana_number": 1, "network.protocol": "icmp", "network.transport": "icmp", + "observer.egress.interface.name": "output", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "input", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -142,6 +151,15 @@ "network.iana_number": 1, "network.protocol": "icmp", "network.transport": "icmp", + "observer.egress.interface.name": "output", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "input", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -233,6 +251,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -331,6 +358,15 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -417,6 +453,15 @@ "log.offset": 2515, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "52.59.244.233" @@ -521,6 +566,15 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "52.59.244.233" @@ -610,6 +664,15 @@ "log.offset": 3919, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "213.211.198.62" @@ -710,6 +773,15 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "213.211.198.62" @@ -789,6 +861,15 @@ "log.offset": 5177, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "output", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "input", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -881,6 +962,15 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "input", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "output", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index 2d02ecd67d3..8ab3e55fc87 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json @@ -47,6 +47,13 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "siem-ftd", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -114,6 +121,13 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "siem-ftd", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -181,6 +195,13 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "siem-ftd", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -248,6 +269,13 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "siem-ftd", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -321,9 +349,16 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "siem-ftd", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -397,9 +432,16 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "siem-ftd", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -477,9 +519,16 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "siem-ftd", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -565,9 +614,16 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "firepower", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "213.211.198.62" @@ -644,9 +700,16 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "firepower", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.hash": [ "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" ], + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -733,9 +796,16 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "firepower", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.hash": [ "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" ], + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "18.197.225.123" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index e9a6b15f242..73ab6378da1 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json @@ -79,7 +79,16 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "s1p1", + "observer.hostname": "CISCO-SENSOR-3D", + "observer.ingress.interface.name": "s1p2", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "Alerts", + "related.hosts": [ + "CISCO-SENSOR-3D" + ], "related.ip": [ "3.3.3.3", "2.2.2.2" diff --git a/x-pack/filebeat/module/cisco/ios/_meta/fields.yml b/x-pack/filebeat/module/cisco/ios/_meta/fields.yml index 8acb2c9cf4e..2f394f7ac87 100644 --- a/x-pack/filebeat/module/cisco/ios/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/ios/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: ios +- name: cisco.ios type: group description: > Fields for Cisco IOS logs. diff --git a/x-pack/filebeat/module/cisco/ios/config/input.yml b/x-pack/filebeat/module/cisco/ios/config/input.yml index 2ed8ae959c2..e3e336cbe03 100644 --- a/x-pack/filebeat/module/cisco/ios/config/input.yml +++ b/x-pack/filebeat/module/cisco/ios/config/input.yml @@ -23,7 +23,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 - script: lang: javascript id: cisco_ios diff --git a/x-pack/filebeat/module/cisco/ios/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/ios/ingest/pipeline.yml index 6ffe20df8f5..a09d2b31c5e 100644 --- a/x-pack/filebeat/module/cisco/ios/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cisco/ios/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: Pipeline for Cisco IOS logs. processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # IP Geolocation Lookup - geoip: field: source.ip diff --git a/x-pack/filebeat/module/f5/firepass/_meta/fields.yml b/x-pack/filebeat/module/cisco/meraki/_meta/fields.yml similarity index 100% rename from x-pack/filebeat/module/f5/firepass/_meta/fields.yml rename to x-pack/filebeat/module/cisco/meraki/_meta/fields.yml diff --git a/x-pack/filebeat/module/rapid7/nexpose/config/input.yml b/x-pack/filebeat/module/cisco/meraki/config/input.yml similarity index 73% rename from x-pack/filebeat/module/rapid7/nexpose/config/input.yml rename to x-pack/filebeat/module/cisco/meraki/config/input.yml index 40fb8a664b9..be15aeb075c 100644 --- a/x-pack/filebeat/module/rapid7/nexpose/config/input.yml +++ b/x-pack/filebeat/module/cisco/meraki/config/input.yml @@ -20,9 +20,9 @@ publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} fields_under_root: true fields: observer: - vendor: "Rapid7" - product: "Nexpose" - type: "Vulnerability" + vendor: "Cisco" + product: "Meraki" + type: "Wireless" processors: - script: @@ -34,12 +34,12 @@ processors: keep_raw: {{.keep_raw_fields}} debug: {{.debug}} files: - - ${path.home}/module/rapid7/nexpose/config/liblogparser.js - - ${path.home}/module/rapid7/nexpose/config/pipeline.js + - ${path.home}/module/cisco/meraki/config/liblogparser.js + - ${path.home}/module/cisco/meraki/config/pipeline.js {{ if .community_id }} - community_id: ~ {{ end }} - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/f5/firepass/config/liblogparser.js b/x-pack/filebeat/module/cisco/meraki/config/liblogparser.js similarity index 95% rename from x-pack/filebeat/module/f5/firepass/config/liblogparser.js rename to x-pack/filebeat/module/cisco/meraki/config/liblogparser.js index c8cf5e2ee06..6cdb48abb26 100644 --- a/x-pack/filebeat/module/f5/firepass/config/liblogparser.js +++ b/x-pack/filebeat/module/cisco/meraki/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -1975,6 +2049,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2417,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/cisco/meraki/config/pipeline.js b/x-pack/filebeat/module/cisco/meraki/config/pipeline.js new file mode 100644 index 00000000000..45a7b628d63 --- /dev/null +++ b/x-pack/filebeat/module/cisco/meraki/config/pipeline.js @@ -0,0 +1,730 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. +var tvm = { + pair_separator: " ", + kv_separator: "=", + open_quote: "'", + close_quote: "'", +}; + +function DeviceProcessor() { + var builder = new processor.Chain(); + builder.Add(save_flags); + builder.Add(strip_syslog_priority); + builder.Add(chain1); + builder.Add(populate_fields); + builder.Add(restore_flags); + var chain = builder.Build(); + return { + process: chain.Run, + } +} + +var map_actionType = { + keyvaluepairs: { + "0": dup19, + "1": constant("Deny"), + "allow": dup19, + }, +}; + +var dup1 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hfld2,false), Constant('.'), Field(hfld3,true), Constant(' '), Field(p0,false)}" +match("HEADER#0:0003/0", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{p0}"); + +var dup2 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant("_appliance "), + field("p0"), + ], +}); + +var dup3 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld4"), + constant(" "), + field("p0"), + ], +}); + +var dup4 = // "Pattern{Field(p0,false)}" +match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0"); + +var dup5 = setc("eventcategory","1605020000"); + +var dup6 = setf("msg","$MSG"); + +var dup7 = setc("event_source","appliance"); + +var dup8 = setf("sensor","node"); + +var dup9 = date_time({ + dest: "event_time", + args: ["hfld2"], + fmts: [ + [dX], + ], +}); + +var dup10 = // "Pattern{}" +match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", ""); + +var dup11 = // "Pattern{Constant('dhost='), Field(dmacaddr,true), Constant(' direction='), Field(p0,false)}" +match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}"); + +var dup12 = // "Pattern{Constant('shost='), Field(smacaddr,true), Constant(' direction='), Field(p0,false)}" +match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}"); + +var dup13 = // "Pattern{Field(direction,true), Constant(' protocol='), Field(protocol,true), Constant(' src='), Field(p0,false)}" +match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}"); + +var dup14 = // "Pattern{Field(signame,false)}" +match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame"); + +var dup15 = setc("eventcategory","1607000000"); + +var dup16 = setc("event_type","ids-alerts"); + +var dup17 = date_time({ + dest: "event_time", + args: ["fld3"], + fmts: [ + [dX], + ], +}); + +var dup18 = setc("event_type","security_event"); + +var dup19 = constant("Allow"); + +var dup20 = // "Pattern{Field(hfld4,false), Constant('_appliance '), Field(p0,false)}" +match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([ + dup2, +])); + +var dup21 = // "Pattern{Field(hfld4,true), Constant(' '), Field(p0,false)}" +match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([ + dup3, +])); + +var dup22 = linear_select([ + dup11, + dup12, +]); + +var dup23 = linear_select([ + dup20, + dup21, +]); + +var part1 = // "Pattern{Constant('urls '), Field(p0,false)}" +match("HEADER#0:0003/2", "nwparser.p0", "urls %{p0}"); + +var all1 = all_match({ + processors: [ + dup1, + dup23, + part1, + ], + on_success: processor_chain([ + setc("header_id","0003"), + setc("messageid","urls"), + ]), +}); + +var part2 = // "Pattern{Field(node,false), Constant('_appliance events '), Field(p0,false)}" +match("HEADER#1:0002/1_0", "nwparser.p0", "%{node}_appliance events %{p0}"); + +var part3 = // "Pattern{Field(node,true), Constant(' events '), Field(p0,false)}" +match("HEADER#1:0002/1_1", "nwparser.p0", "%{node->} events %{p0}"); + +var select1 = linear_select([ + part2, + part3, +]); + +var part4 = // "Pattern{Field(payload,false)}" +match_copy("HEADER#1:0002/2", "nwparser.p0", "payload"); + +var all2 = all_match({ + processors: [ + dup1, + select1, + part4, + ], + on_success: processor_chain([ + setc("header_id","0002"), + setc("messageid","events"), + ]), +}); + +var part5 = // "Pattern{Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#2:0001/2", "nwparser.p0", "%{messageid->} %{p0}"); + +var all3 = all_match({ + processors: [ + dup1, + dup23, + part5, + ], + on_success: processor_chain([ + setc("header_id","0001"), + ]), +}); + +var part6 = // "Pattern{Field(hfld4,false), Constant('_appliance '), Field(p0,false)}" +match("HEADER#3:0005/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}"); + +var part7 = // "Pattern{Field(hfld4,true), Constant(' '), Field(p0,false)}" +match("HEADER#3:0005/1_1", "nwparser.p0", "%{hfld4->} %{p0}"); + +var select2 = linear_select([ + part6, + part7, +]); + +var part8 = // "Pattern{Field(,true), Constant(' '), Field(hfld5,true), Constant(' '), Field(hfld6,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#3:0005/2", "nwparser.p0", "%{} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld6"), + constant(" "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), +])); + +var all4 = all_match({ + processors: [ + dup1, + select2, + part8, + ], + on_success: processor_chain([ + setc("header_id","0005"), + ]), +}); + +var hdr1 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hfld2,false), Constant('.'), Field(hfld3,true), Constant(' '), Field(hfld4,false), Constant('_'), Field(space,true), Constant(' '), Field(messageid,true), Constant(' '), Field(payload,false)}" +match("HEADER#4:0004", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{hfld4}_%{space->} %{messageid->} %{payload}", processor_chain([ + setc("header_id","0004"), +])); + +var select3 = linear_select([ + all1, + all2, + all3, + all4, + hdr1, +]); + +var part9 = // "Pattern{Field(node,false), Constant('_appliance '), Field(p0,false)}" +match("MESSAGE#0:flows/0_0", "nwparser.payload", "%{node}_appliance %{p0}"); + +var part10 = // "Pattern{Field(node,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#0:flows/0_1", "nwparser.payload", "%{node->} %{p0}"); + +var select4 = linear_select([ + part9, + part10, +]); + +var part11 = // "Pattern{Constant('flows src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#0:flows/1", "nwparser.p0", "flows src=%{saddr->} dst=%{daddr->} %{p0}"); + +var part12 = // "Pattern{Constant('mac='), Field(dmacaddr,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#0:flows/2_0", "nwparser.p0", "mac=%{dmacaddr->} %{p0}"); + +var select5 = linear_select([ + part12, + dup4, +]); + +var part13 = // "Pattern{Constant('protocol='), Field(protocol,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#0:flows/3", "nwparser.p0", "protocol=%{protocol->} %{p0}"); + +var part14 = // "Pattern{Constant('sport='), Field(sport,true), Constant(' dport='), Field(dport,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#0:flows/4_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} %{p0}"); + +var part15 = // "Pattern{Constant('type='), Field(event_type,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#0:flows/4_1", "nwparser.p0", "type=%{event_type->} %{p0}"); + +var select6 = linear_select([ + part14, + part15, + dup4, +]); + +var part16 = // "Pattern{Constant('pattern: '), Field(fld21,true), Constant(' '), Field(info,false)}" +match("MESSAGE#0:flows/5", "nwparser.p0", "pattern: %{fld21->} %{info}"); + +var all5 = all_match({ + processors: [ + select4, + part11, + select5, + part13, + select6, + part16, + ], + on_success: processor_chain([ + dup5, + dup6, + lookup({ + dest: "nwparser.action", + map: map_actionType, + key: field("fld21"), + }), + dup7, + dup8, + dup9, + ]), +}); + +var msg1 = msg("flows", all5); + +var part17 = // "Pattern{Field(node,true), Constant(' flows '), Field(action,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' mac='), Field(smacaddr,true), Constant(' protocol='), Field(protocol,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#1:flows:01/0", "nwparser.payload", "%{node->} flows %{action->} src=%{saddr->} dst=%{daddr->} mac=%{smacaddr->} protocol=%{protocol->} %{p0}"); + +var part18 = // "Pattern{Constant('sport='), Field(sport,true), Constant(' dport='), Field(dport,true), Constant(' ')}" +match("MESSAGE#1:flows:01/1_0", "nwparser.p0", "sport=%{sport->} dport=%{dport->} "); + +var part19 = // "Pattern{Constant('type='), Field(event_type,true), Constant(' ')}" +match("MESSAGE#1:flows:01/1_1", "nwparser.p0", "type=%{event_type->} "); + +var select7 = linear_select([ + part18, + part19, + dup10, +]); + +var all6 = all_match({ + processors: [ + part17, + select7, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ]), +}); + +var msg2 = msg("flows:01", all6); + +var part20 = // "Pattern{Field(node,true), Constant(' flows '), Field(action,false)}" +match("MESSAGE#2:flows:02", "nwparser.payload", "%{node->} flows %{action}", processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, +])); + +var msg3 = msg("flows:02", part20); + +var select8 = linear_select([ + msg1, + msg2, + msg3, +]); + +var part21 = // "Pattern{Field(node,false), Constant('_appliance urls src='), Field(p0,false)}" +match("MESSAGE#3:urls/0_0", "nwparser.payload", "%{node}_appliance urls src=%{p0}"); + +var part22 = // "Pattern{Field(node,true), Constant(' urls src='), Field(p0,false)}" +match("MESSAGE#3:urls/0_1", "nwparser.payload", "%{node->} urls src=%{p0}"); + +var part23 = // "Pattern{Constant('src='), Field(p0,false)}" +match("MESSAGE#3:urls/0_2", "nwparser.payload", "src=%{p0}"); + +var select9 = linear_select([ + part21, + part22, + part23, +]); + +var part24 = // "Pattern{Field(sport,false), Constant(':'), Field(saddr,true), Constant(' dst='), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' mac='), Field(macaddr,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#3:urls/1", "nwparser.p0", "%{sport}:%{saddr->} dst=%{daddr}:%{dport->} mac=%{macaddr->} %{p0}"); + +var part25 = // "Pattern{Constant('agent=''), Field(user_agent,false), Constant('' request: '), Field(p0,false)}" +match("MESSAGE#3:urls/2_0", "nwparser.p0", "agent='%{user_agent}' request: %{p0}"); + +var part26 = // "Pattern{Constant('agent='), Field(user_agent,true), Constant(' request: '), Field(p0,false)}" +match("MESSAGE#3:urls/2_1", "nwparser.p0", "agent=%{user_agent->} request: %{p0}"); + +var part27 = // "Pattern{Constant('request: '), Field(p0,false)}" +match("MESSAGE#3:urls/2_2", "nwparser.p0", "request: %{p0}"); + +var select10 = linear_select([ + part25, + part26, + part27, +]); + +var part28 = // "Pattern{Field(,true), Constant(' '), Field(web_method,false), Constant(''), Field(url,false)}" +match("MESSAGE#3:urls/3", "nwparser.p0", "%{} %{web_method}%{url}"); + +var all7 = all_match({ + processors: [ + select9, + part24, + select10, + part28, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ]), +}); + +var msg4 = msg("urls", all7); + +var part29 = // "Pattern{Constant('dhcp lease of ip '), Field(saddr,true), Constant(' from server mac '), Field(smacaddr,true), Constant(' for client mac '), Field(p0,false)}" +match("MESSAGE#4:events/0", "nwparser.payload", "dhcp lease of ip %{saddr->} from server mac %{smacaddr->} for client mac %{p0}"); + +var part30 = // "Pattern{Field(dmacaddr,true), Constant(' with hostname '), Field(hostname,true), Constant(' from router '), Field(p0,false)}" +match("MESSAGE#4:events/1_0", "nwparser.p0", "%{dmacaddr->} with hostname %{hostname->} from router %{p0}"); + +var part31 = // "Pattern{Field(dmacaddr,true), Constant(' from router '), Field(p0,false)}" +match("MESSAGE#4:events/1_1", "nwparser.p0", "%{dmacaddr->} from router %{p0}"); + +var select11 = linear_select([ + part30, + part31, +]); + +var part32 = // "Pattern{Field(hostip,true), Constant(' on subnet '), Field(mask,true), Constant(' with dns '), Field(dns_a_record,false)}" +match("MESSAGE#4:events/2", "nwparser.p0", "%{hostip->} on subnet %{mask->} with dns %{dns_a_record}"); + +var all8 = all_match({ + processors: [ + part29, + select11, + part32, + ], + on_success: processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + ]), +}); + +var msg5 = msg("events", all8); + +var part33 = // "Pattern{Constant('content_filtering_block url=''), Field(url,false), Constant('' category0=''), Field(category,false), Constant('' server=''), Field(daddr,false), Constant(':'), Field(dport,false), Constant('''), Field(p0,false)}" +match("MESSAGE#5:events:02/0", "nwparser.payload", "content_filtering_block url='%{url}' category0='%{category}' server='%{daddr}:%{dport}'%{p0}"); + +var part34 = // "Pattern{Constant(' client_mac=''), Field(dmacaddr,false), Constant(''')}" +match("MESSAGE#5:events:02/1_0", "nwparser.p0", " client_mac='%{dmacaddr}'"); + +var select12 = linear_select([ + part34, + dup10, +]); + +var all9 = all_match({ + processors: [ + part33, + select12, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","content_filtering_block"), + dup8, + dup9, + ]), +}); + +var msg6 = msg("events:02", all9); + +var part35 = tagval("MESSAGE#6:events:01", "nwparser.payload", tvm, { + "aid": "fld1", + "arp_resp": "fld2", + "arp_src": "fld3", + "auth_neg_dur": "fld4", + "auth_neg_failed": "fld5", + "category0": "category", + "channel": "fld6", + "client_ip": "daddr", + "client_mac": "dmacaddr", + "connectivity": "fld28", + "dhcp_ip": "fld23", + "dhcp_lease_completed": "fld22", + "dhcp_resp": "fld26", + "dhcp_server": "fld24", + "dhcp_server_mac": "fld25", + "dns_req_rtt": "fld7", + "dns_resp": "fld8", + "dns_server": "fld9", + "duration": "duration", + "full_conn": "fld11", + "http_resp": "fld21", + "identity": "fld12", + "instigator": "fld20", + "ip_resp": "fld13", + "ip_src": "saddr", + "is_8021x": "fld15", + "is_wpa": "fld16", + "last_auth_ago": "fld17", + "radio": "fld18", + "reason": "fld19", + "rssi": "dclass_ratio1", + "server": "daddr", + "type": "event_type", + "url": "url", + "vap": "fld22", + "vpn_type": "fld27", +}, processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, +])); + +var msg7 = msg("events:01", part35); + +var part36 = // "Pattern{Constant('IDS: '), Field(info,false)}" +match("MESSAGE#7:events:03", "nwparser.payload", "IDS: %{info}", processor_chain([ + dup5, + dup6, + setc("event_description","events IDS"), + dup8, + dup9, +])); + +var msg8 = msg("events:03", part36); + +var part37 = // "Pattern{Constant('dhcp '), Field(p0,false)}" +match("MESSAGE#8:events:04/0", "nwparser.payload", "dhcp %{p0}"); + +var part38 = // "Pattern{Constant('no offers'), Field(p0,false)}" +match("MESSAGE#8:events:04/1_0", "nwparser.p0", "no offers%{p0}"); + +var part39 = // "Pattern{Constant('release'), Field(p0,false)}" +match("MESSAGE#8:events:04/1_1", "nwparser.p0", "release%{p0}"); + +var select13 = linear_select([ + part38, + part39, +]); + +var part40 = // "Pattern{Field(,false), Constant('for mac '), Field(macaddr,false)}" +match("MESSAGE#8:events:04/2", "nwparser.p0", "%{}for mac %{macaddr}"); + +var all10 = all_match({ + processors: [ + part37, + select13, + part40, + ], + on_success: processor_chain([ + dup5, + dup6, + setc("event_description","events DHCP"), + dup8, + dup9, + ]), +}); + +var msg9 = msg("events:04", all10); + +var part41 = // "Pattern{Constant('MAC '), Field(macaddr,true), Constant(' and MAC '), Field(macaddr,true), Constant(' both claim IP: '), Field(saddr,false)}" +match("MESSAGE#9:events:05", "nwparser.payload", "MAC %{macaddr->} and MAC %{macaddr->} both claim IP: %{saddr}", processor_chain([ + dup5, + dup6, + setc("event_description"," events MAC"), + dup8, + dup9, +])); + +var msg10 = msg("events:05", part41); + +var select14 = linear_select([ + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, +]); + +var part42 = // "Pattern{Field(node,true), Constant(' ids-alerts signature='), Field(fld1,true), Constant(' priority='), Field(fld2,true), Constant(' timestamp='), Field(fld3,false), Constant('.'), Field(fld4,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#10:ids-alerts:01/0", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); + +var part43 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' dst='), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' message: '), Field(p0,false)}" +match("MESSAGE#10:ids-alerts:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message: %{p0}"); + +var part44 = // "Pattern{Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' message: '), Field(p0,false)}" +match("MESSAGE#10:ids-alerts:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message: %{p0}"); + +var select15 = linear_select([ + part43, + part44, +]); + +var all11 = all_match({ + processors: [ + part42, + dup22, + dup13, + select15, + dup14, + ], + on_success: processor_chain([ + dup15, + dup6, + dup16, + dup8, + dup17, + ]), +}); + +var msg11 = msg("ids-alerts:01", all11); + +var part45 = // "Pattern{Field(node,true), Constant(' ids-alerts signature='), Field(fld1,true), Constant(' priority='), Field(fld2,true), Constant(' timestamp='), Field(fld3,false), Constant('.'), Field(fld4,false), Constant('direction='), Field(direction,true), Constant(' protocol='), Field(protocol,true), Constant(' src='), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#11:ids-alerts:03", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}direction=%{direction->} protocol=%{protocol->} src=%{saddr}:%{sport}", processor_chain([ + dup15, + dup6, + dup16, + dup8, + dup17, +])); + +var msg12 = msg("ids-alerts:03", part45); + +var part46 = // "Pattern{Field(node,true), Constant(' ids-alerts signature='), Field(fld1,true), Constant(' priority='), Field(fld2,true), Constant(' timestamp='), Field(fld3,false), Constant('.'), Field(fld4,false), Constant('protocol='), Field(protocol,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,false), Constant('message: '), Field(signame,false)}" +match("MESSAGE#12:ids-alerts:02", "nwparser.payload", "%{node->} ids-alerts signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4}protocol=%{protocol->} src=%{saddr->} dst=%{daddr}message: %{signame}", processor_chain([ + dup15, + dup6, + dup16, + dup8, + dup17, +])); + +var msg13 = msg("ids-alerts:02", part46); + +var select16 = linear_select([ + msg11, + msg12, + msg13, +]); + +var part47 = // "Pattern{Field(node,false), Constant('security_event '), Field(event_description,true), Constant(' url='), Field(url,true), Constant(' src='), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' dst='), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' mac='), Field(smacaddr,true), Constant(' name='), Field(fld10,true), Constant(' sha256='), Field(fld11,true), Constant(' disposition='), Field(disposition,true), Constant(' action='), Field(action,false)}" +match("MESSAGE#13:security_event", "nwparser.payload", "%{node}security_event %{event_description->} url=%{url->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} mac=%{smacaddr->} name=%{fld10->} sha256=%{fld11->} disposition=%{disposition->} action=%{action}", processor_chain([ + dup5, + dup6, + dup18, + dup8, + dup9, +])); + +var msg14 = msg("security_event", part47); + +var part48 = // "Pattern{Field(node,true), Constant(' security_event '), Field(event_description,true), Constant(' signature='), Field(fld1,true), Constant(' priority='), Field(fld2,true), Constant(' timestamp='), Field(fld3,false), Constant('.'), Field(fld4,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#14:security_event:01/0", "nwparser.payload", "%{node->} security_event %{event_description->} signature=%{fld1->} priority=%{fld2->} timestamp=%{fld3}.%{fld4->} %{p0}"); + +var part49 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' dst='), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' message:'), Field(p0,false)}" +match("MESSAGE#14:security_event:01/3_0", "nwparser.p0", "%{saddr}:%{sport->} dst=%{daddr}:%{dport->} message:%{p0}"); + +var part50 = // "Pattern{Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' message:'), Field(p0,false)}" +match("MESSAGE#14:security_event:01/3_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} message:%{p0}"); + +var select17 = linear_select([ + part49, + part50, +]); + +var all12 = all_match({ + processors: [ + part48, + dup22, + dup13, + select17, + dup14, + ], + on_success: processor_chain([ + dup15, + dup6, + dup18, + dup8, + dup17, + ]), +}); + +var msg15 = msg("security_event:01", all12); + +var select18 = linear_select([ + msg14, + msg15, +]); + +var chain1 = processor_chain([ + select3, + msgid_select({ + "events": select14, + "flows": select8, + "ids-alerts": select16, + "security_event": select18, + "urls": msg4, + }), +]); + +var hdr2 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hfld2,false), Constant('.'), Field(hfld3,true), Constant(' '), Field(p0,false)}" +match("HEADER#0:0003/0", "message", "%{hfld1->} %{hfld2}.%{hfld3->} %{p0}"); + +var part51 = // "Pattern{Field(p0,false)}" +match_copy("MESSAGE#0:flows/2_1", "nwparser.p0", "p0"); + +var part52 = // "Pattern{}" +match_copy("MESSAGE#1:flows:01/1_2", "nwparser.p0", ""); + +var part53 = // "Pattern{Constant('dhost='), Field(dmacaddr,true), Constant(' direction='), Field(p0,false)}" +match("MESSAGE#10:ids-alerts:01/1_0", "nwparser.p0", "dhost=%{dmacaddr->} direction=%{p0}"); + +var part54 = // "Pattern{Constant('shost='), Field(smacaddr,true), Constant(' direction='), Field(p0,false)}" +match("MESSAGE#10:ids-alerts:01/1_1", "nwparser.p0", "shost=%{smacaddr->} direction=%{p0}"); + +var part55 = // "Pattern{Field(direction,true), Constant(' protocol='), Field(protocol,true), Constant(' src='), Field(p0,false)}" +match("MESSAGE#10:ids-alerts:01/2", "nwparser.p0", "%{direction->} protocol=%{protocol->} src=%{p0}"); + +var part56 = // "Pattern{Field(signame,false)}" +match_copy("MESSAGE#10:ids-alerts:01/4", "nwparser.p0", "signame"); + +var part57 = // "Pattern{Field(hfld4,false), Constant('_appliance '), Field(p0,false)}" +match("HEADER#0:0003/1_0", "nwparser.p0", "%{hfld4}_appliance %{p0}", processor_chain([ + dup2, +])); + +var part58 = // "Pattern{Field(hfld4,true), Constant(' '), Field(p0,false)}" +match("HEADER#0:0003/1_1", "nwparser.p0", "%{hfld4->} %{p0}", processor_chain([ + dup3, +])); + +var select19 = linear_select([ + dup11, + dup12, +]); + +var select20 = linear_select([ + dup20, + dup21, +]); diff --git a/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml new file mode 100644 index 00000000000..cf0d61d1a52 --- /dev/null +++ b/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml @@ -0,0 +1,69 @@ +--- +description: Pipeline for Cisco Meraki + +processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + if: ctx.host?.name != null + allow_duplicates: false + - append: + field: related.hosts + value: '{{host.hostname}}' + if: ctx.host?.hostname != null && ctx.host?.hostname != '' + allow_duplicates: false +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/kaspersky/av/manifest.yml b/x-pack/filebeat/module/cisco/meraki/manifest.yml similarity index 89% rename from x-pack/filebeat/module/kaspersky/av/manifest.yml rename to x-pack/filebeat/module/cisco/meraki/manifest.yml index e0a8302ce70..a86afb8f019 100644 --- a/x-pack/filebeat/module/kaspersky/av/manifest.yml +++ b/x-pack/filebeat/module/cisco/meraki/manifest.yml @@ -3,11 +3,11 @@ module_version: "1.0" var: - name: paths - name: tags - default: ["kaspersky.av", "forwarded"] + default: ["cisco.meraki", "forwarded"] - name: syslog_host default: localhost - name: syslog_port - default: 9514 + default: 9525 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log b/x-pack/filebeat/module/cisco/meraki/test/generated.log new file mode 100644 index 00000000000..05501480e40 --- /dev/null +++ b/x-pack/filebeat/module/cisco/meraki/test/generated.log @@ -0,0 +1,100 @@ +modtempo 1454047799.olab nto_ security_event olaborissecurity_event tur url=https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac src=10.15.44.253:5078 dst=10.193.124.51:5293 mac=01:00:5e:28:ae:7d name=psa sha256=umq disposition=ntium action=deny +umdo 1455282753.itessequ vol_ events dhcp lease of ip 10.102.218.31 from server mac 01:00:5e:9c:c2:9c for client mac 01:00:5e:0f:87:e3 from router 10.15.16.212 on subnet ameaqu with dns aqu +uipexea 1456517708.tatio minim_ flows ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe +mipsu 1457752662.consec taliquip_ flows radip flows block src=10.155.236.240 dst=10.112.46.169 mac=01:00:5e:7a:74:89 protocol=ipv6 type=roidents +obeataev 1458987616.lor uidexea_appliance events MAC 01:00:5e:e1:89:ac and MAC 01:00:5e:a3:d9:ac both claim IP: 10.14.107.140 +iutal 1460222571.dexe urerep events content_filtering_block url='https://api.example.org/liqu/lorem.gif?ueipsaqu=uidolore#niamqu' category0='ari' server='10.108.180.105:5098' client_mac='01:00:5e:40:9b:83' +ipit 1461457525.idexea riat_appliance events MAC 01:00:5e:25:4f:e4 and MAC 01:00:5e:3f:49:e4 both claim IP: 10.149.88.198 +ntsuntin 1462692479.aecatcup animi events dhcp release for mac 01:00:5e:e3:10:34 +orsitame 1463927433.quiratio ite events MAC 01:00:5e:48:62:22 and MAC 01:00:5e:9f:b6:a6 both claim IP: 10.243.206.225 +olupta turveli.toccae tatno_ ids-alerts taliqu ids-alerts signature=temUten priority=ccusan timestamp=1465162388.iqudirection=outbound protocol=icmp src=10.131.82.116:7307 +uaera 1466397342.sitas ehenderi_ security_event atquovosecurity_event iumto url=https://www5.example.net/sun/essecill.html?saute=vel#quu src=10.210.213.18:7616 dst=10.134.0.141:2703 mac=01:00:5e:aa:42:fa name=idolores sha256=llumquid disposition=tation action=accept +omn ipsumq.atcu oremagna_ security_event remipsum security_event liq signature=ist priority=tnon timestamp=1467632296.ionul shost=01:00:5e:c8:9c:2f direction=outbound protocol=udp src=10.163.72.17 dst=10.74.237.180 message:nsequu +omm 1468867250.idestla Nemoeni_appliance events MAC 01:00:5e:c4:69:7f and MAC 01:00:5e:e2:67:d2 both claim IP: 10.72.31.26 +agna tionemu.eomnisis mqui ids-alerts signature=civeli priority=errorsi timestamp=1470102205.desdirection=internal protocol=tcp src=10.70.95.74:4290 +olupt 1471337159.dit sumquiad events MAC 01:00:5e:ea:e8:7a and MAC 01:00:5e:9c:d2:4a both claim IP: 10.17.21.125 +amqu 1472572113.uines nsec events dhcp lease of ip 10.85.10.165 from server mac 01:00:5e:63:93:48 for client mac 01:00:5e:46:17:35 from router 10.53.150.119 on subnet uiineavo with dns tisetq +giatquov eritquii.dexeac iscinge ids-alerts signature=atvol priority=umiur timestamp=1473807067.imadprotocol=igmp src=10.88.231.224 dst=10.187.77.245message: iadese +agnaali 1475042022.gnam tat events content_filtering_block url='https://internal.example.com/quae/maccusa.htm?rQuisau=idex#xerci' category0='aqu' server='10.186.58.115:7238' client_mac='01:00:5e:8f:16:6d' +apariat 1476276976.tlabore untmolli_ events dhcp lease of ip 10.219.84.37 from server mac 01:00:5e:e8:bf:69 for client mac 01:00:5e:87:e1:a0 from router 10.205.47.51 on subnet uovolup with dns samvolu +ento 1477511930.pic evita events MAC 01:00:5e:ce:61:db and MAC 01:00:5e:ec:f8:cc both claim IP: 10.3.134.237 +tmo 1478746884.fficiade uscipit events aid=vitaedi arp_resp=fugitse arp_src=veniamq auth_neg_dur=one auth_neg_failed=etMalor channel=ipi dns_req_rtt=reseos dns_resp=pariatu dns_server=tin duration=48.123000 full_conn=oquisqu identity=sperna ip_resp=eabilloi ip_src=10.182.178.217 is_8021x=tlab is_wpa=volupt last_auth_ago=osqui radio=xerc reason=iutali rssi=fdeFi type=texp vap=tasuntex client_mac=01:00:5e:e3:b1:24 client_ip=10.194.114.58 instigator=ectio http_resp=dutper dhcp_lease_completed=lamcolab dhcp_ip=ati dhcp_server=tlabo dhcp_server_mac=uames dhcp_resp=iduntu url=https://internal.example.net/ris/uamqu.txt?liqui=quioffi#uptate category0=ncidid server=10.63.194.87 vpn_type=quisno connectivity=sin +emvel 1479981839.tmollita fde events aid=nsecte arp_resp=inculpa arp_src=abo auth_neg_dur=veniamqu auth_neg_failed=nse channel=non dns_req_rtt=paquioff dns_resp=mquisnos dns_server=maven duration=71.798000 full_conn=atcu identity=labor ip_resp=didunt ip_src=10.153.0.77 is_8021x=udan is_wpa=orema last_auth_ago=invento radio=qua reason=aturQui rssi=utlabor type=rau vap=idex client_mac=01:00:5e:9e:7b:a4 client_ip=10.105.88.20 instigator=ecte http_resp=tinvolu dhcp_lease_completed=iurer dhcp_ip=iciadese dhcp_server=quidolor dhcp_server_mac=tessec dhcp_resp=olupta url=https://mail.example.com/icabo/itatio.jpg?eleum=sintoc#volupt category0=siste server=10.163.154.210 vpn_type=ept connectivity=iumtotam +ionevo 1481216793.ugiatnu ciati_appliance events MAC 01:00:5e:b8:7a:96 and MAC 01:00:5e:b9:6b:a8 both claim IP: 10.73.69.176 +spi 1482451747.stquido ommodico_ flows ese flows allow src=10.145.248.111 dst=10.57.6.252 mac=01:00:5e:94:6a:cf protocol=udp +smo etcons.iusmodi uamest_ security_event uiac security_event epte signature=idolo priority=quinesc timestamp=1483686701.madmi shost=01:00:5e:1c:4c:64 direction=internal protocol=icmp src=10.31.77.157 dst=10.12.182.70 message:tev +nisiuta 1484921656.roid inibusB flows cancel +str 1486156610.idolore pid_ flows cteturad flows deny src=10.93.68.231 dst=10.135.217.12 mac=01:00:5e:4a:69:5b protocol=ipv6 type=archite +amnih 1487391564.ium esciuntN_ events dhcp release for mac 01:00:5e:8b:99:98 +isnost 1488626519.queips ncidi_ flows iscinge flows src=10.247.30.212 dst=10.66.89.5 mac=01:00:5e:7f:65:da protocol=igmp pattern: 1 borios +oin 1489861473.mvenia madminim events IDS: fugitsed +dmin fugi.quia iduntu security_event idestlab signature=rnatur priority=ofdeFin timestamp=1491096427.essequam dhost=01:00:5e:c1:53:b1 direction=inbound protocol=tcp src=10.221.102.245 dst=10.173.136.186 message:naal +umqu tinv.adipisc uscipitl_ ids-alerts ritatise ids-alerts signature=uamei priority=siut timestamp=1492331381.ciad dhost=01:00:5e:1f:c6:29 direction=external protocol=udp src=10.58.64.108 dst=10.54.37.86 message: entorev +velitess 1493566336.naali uunturm_ flows veli flows block src=10.147.76.202 dst=10.163.93.20 mac=01:00:5e:1d:85:ec protocol=ipv6 sport=1085 dport=3141 +iumdol tpersp.stla uptatema_ security_event uradi security_event tot signature=llamco priority=nea timestamp=1494801290.psum dhost=01:00:5e:35:71:1e direction=internal protocol=icmp src=10.0.200.27:5905 dst=10.183.44.198:1702 message:asiarc +tiaec 1496036244.rumwrit icabo_ events dhcp lease of ip 10.148.124.84 from server mac 01:00:5e:0b:2c:22 for client mac 01:00:5e:06:12:98 from router 10.28.144.180 on subnet ritin with dns temporin +ica 1497271198.lillum remips_appliance events aid=uisaute arp_resp=imide arp_src=poriss auth_neg_dur=tvolup auth_neg_failed=itesseq channel=dictasun dns_req_rtt=veniamqu dns_resp=rum dns_server=quaea duration=165.611000 full_conn=mvel identity=nof ip_resp=usmodi ip_src=10.204.230.166 is_8021x=dat is_wpa=aincidu last_auth_ago=nimadmin radio=isiu reason=licabo rssi=enimadmi type=utaliqu vap=dic client_mac=01:00:5e:bb:60:a6 client_ip=10.62.71.118 instigator=ineavol http_resp=iosa dhcp_lease_completed=boNemoe dhcp_ip=onsequ dhcp_server=equinesc dhcp_server_mac=cab dhcp_resp=atisund url=https://example.net/ites/isetq.gif?nisiut=tur#avolupt category0=ariatur server=10.98.194.212 vpn_type=nimave connectivity=isciv +dipisci 1498506153.spernatu admi events content_filtering_block url='https://www.example.org/ueipsa/tae.html?eriti=atcupi#corpori' category0='borisnis' server='10.197.13.39:5912' +itsedd 1499741107.leumiur eratvol events dhcp release for mac 01:00:5e:fd:84:bb +leumiu tla.item nimid ids-alerts signature=dat priority=periam timestamp=1500976061.dquprotocol=icmp src=10.242.77.170 dst=10.150.245.88message: orisn +sitam rad.loi isc_ ids-alerts volupt ids-alerts signature=rem priority=idid timestamp=1502211015.tesse shost=01:00:5e:9d:eb:fb direction=external protocol=tcp src=10.247.139.239 dst=10.180.195.43 message: tenatuse +tore 1503445970.elits consequa events dhcp release for mac 01:00:5e:50:48:c4 +undeom uamnihi.risnis uov_ ids-alerts isn ids-alerts signature=sBono priority=loremqu timestamp=1504680924.teturprotocol=rdp src=10.94.6.140 dst=10.147.15.213message: uptat +itasper 1505915878.uae mve_ flows obeata flows block src=10.230.6.127 dst=10.111.157.56 mac=01:00:5e:39:a7:fc protocol=icmp type=aliquamq +archite 1507150832.remq veniamq events aid=occ arp_resp=oloreseo arp_src=iruredol auth_neg_dur=veniamqu auth_neg_failed=licaboN channel=atquo dns_req_rtt=cupi dns_resp=strude dns_server=eritin duration=85.513000 full_conn=litsedq identity=nderiti ip_resp=ntNe ip_src=10.179.40.170 is_8021x=olorema is_wpa=mollita last_auth_ago=tatem radio=iae reason=quido rssi=emip type=inBC vap=mol client_mac=01:00:5e:58:2d:1c client_ip=10.153.81.206 instigator=rsita http_resp=nsequun dhcp_lease_completed=eetd dhcp_ip=illu dhcp_server=iatqu dhcp_server_mac=lorsi dhcp_resp=repreh url=https://www.example.net/irured/illumqui.txt?tionula=ritqu#ecatcupi category0=uamei server=10.193.219.34 vpn_type=onse connectivity=olorem +umwritte 1508385787.vol oremquel_appliance events MAC 01:00:5e:16:5e:b1 and MAC 01:00:5e:ee:e8:77 both claim IP: 10.255.199.16 +unte 1509620741.uamnihil llam_appliance events MAC 01:00:5e:ee:1d:77 and MAC 01:00:5e:f1:21:bd both claim IP: 10.94.88.5 +esci 1510855695.uov quaeab_ events IDS: moles +accusa 1512090649.natu liquid events IDS: enim +dquiaco nibus.vitaed ser security_event etconsec signature=elillum priority=upt timestamp=1513325604.rnat dhost=01:00:5e:01:60:e0 direction=internal protocol=ipv6 src=10.90.99.245 dst=10.124.63.4 message:pta +tetura 1514560558.imadmini moe_appliance events content_filtering_block url='https://mail.example.net/uat/lupta.html?uptassit=ncidi#tlabori' category0='laudan' server='10.249.7.146:2010' +lapar 1515795512.ritati edquia_appliance events IDS: itesse +amvolu mip.tion tobeatae_ security_event Utenima security_event iqua signature=luptat priority=deriti timestamp=1517030466.sintocc dhost=01:00:5e:c9:b7:22 direction=inbound protocol=icmp src=10.196.96.162 dst=10.81.234.34 message:equuntur +uide 1518265421.scivel henderi_appliance events IDS: iusmodt +tiumd 1519500375.ntmoll mexer events dhcp lease of ip 10.40.101.224 from server mac 01:00:5e:0a:df:72 for client mac 01:00:5e:7c:01:ab with hostname remips188.api.invalid from router 10.78.199.43 on subnet ehender with dns ilmole +runtmo 1520735329.ore isund_appliance events MAC 01:00:5e:17:87:3e and MAC 01:00:5e:5f:c1:3e both claim IP: 10.244.29.119 +tutlabor 1521970284.reseosq gna_ flows pteurs flows deny src=10.83.131.245 dst=10.39.172.93 mac=01:00:5e:c4:12:c7 protocol=udp type=uido +osquira 1523205238.umd sciveli_ events dhcp lease of ip 10.86.188.179 from server mac 01:00:5e:48:4b:78 for client mac 01:00:5e:7e:cd:15 from router 10.201.168.116 on subnet umiure with dns laborum +umdolors 1524440192.lumdo acom_ security_event umexercisecurity_event duntut url=https://mail.example.com/prehend/eufug.htm?eufug=est#civelits src=10.148.211.222:2053 dst=10.122.204.151:3903 mac=01:00:5e:c3:a0:dc name=ine sha256=urerepre disposition=asnulap action=deny +atnul 1525675146.umfugi stquidol_ flows luptatem flows accept +essequam ueporro.aliqu upt ids-alerts signature=orum priority=Bonoru timestamp=1526910101.madminimprotocol=ipv6-icmp src=10.97.46.16 dst=10.120.4.9message: teni +lorsitam tanimid.onpr litseddo_ ids-alerts oremqu ids-alerts signature=idex priority=radip timestamp=1528145055.uptaprotocol=ipv6-icmp src=10.171.206.139 dst=10.165.173.162message: lestia +inibusB 1529380009.nostrud cteturad events dhcp lease of ip 10.150.163.151 from server mac 01:00:5e:72:b7:79 for client mac 01:00:5e:f2:d3:12 with hostname uames4985.mail.localdomain from router 10.144.57.239 on subnet oinBCSed with dns orem +eritq rehen.ipsamvol elillum_ ids-alerts tco ids-alerts signature=tvol priority=oluptate timestamp=1530614963.lit shost=01:00:5e:ac:6d:d3 direction=unknown protocol=igmp src=10.52.202.158 dst=10.54.44.231 message: Ute +runtm 1531849918.eturadip olorsi_ events MAC 01:00:5e:67:1d:0f and MAC 01:00:5e:f0:a9:cd both claim IP: 10.101.183.86 +inesciu 1533084872.quid atcupid_ flows orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi +lamco 1534319826.cit siar events MAC 01:00:5e:80:cd:ca and MAC 01:00:5e:45:aa:51 both claim IP: 10.83.130.95 +hite 1535554780.ianonnum nofdeFi events aid=henderit arp_resp=remq arp_src=unt auth_neg_dur=tla auth_neg_failed=arch channel=lite dns_req_rtt=ugia dns_resp=meum dns_server=borumSec duration=91.439000 full_conn=nvolupta identity=tev ip_resp=nre ip_src=10.2.110.73 is_8021x=eturadip is_wpa=ent last_auth_ago=rumSecti radio=Utenima reason=olore rssi=orumS type=olor vap=radip client_mac=01:00:5e:59:bf:36 client_ip=10.230.98.81 instigator=aaliquaU http_resp=olu dhcp_lease_completed=iameaque dhcp_ip=identsun dhcp_server=ender dhcp_server_mac=inc dhcp_resp=tect url=https://www.example.net/doconse/eni.html?mSec=smoditem#tatisetq category0=uidolo server=10.103.49.129 vpn_type=oquisq connectivity=abori +dunt 1536789735.ames amni events aid=tatio arp_resp=amquisno arp_src=modoc auth_neg_dur=magnam auth_neg_failed=uinesc channel=cid dns_req_rtt=emi dns_resp=Bonorum dns_server=lesti duration=59.289000 full_conn=iosamni identity=idu ip_resp=sis ip_src=10.158.61.228 is_8021x=tsedquia is_wpa=its last_auth_ago=umdolor radio=isiu reason=assi rssi=eserun type=rvelill vap=lupta client_mac=01:00:5e:e6:a6:a2 client_ip=10.186.16.20 instigator=tisu http_resp=remagnam dhcp_lease_completed=nvolupt dhcp_ip=meiusm dhcp_server=nidolo dhcp_server_mac=atquovol dhcp_resp=quunt url=https://www.example.com/seq/moll.htm?sunt=dquianon#urExc category0=tDuis server=10.132.176.96 vpn_type=aria connectivity=inim +oremeumf 1538024689.lesti sintocca events dhcp lease of ip 10.105.136.146 from server mac 01:00:5e:bb:aa:f6 for client mac 01:00:5e:69:92:4a with hostname lors2232.api.example from router 10.46.217.155 on subnet amnihil with dns orissus +nimadmin 1539259643.lumqui quiavolu flows src=10.245.199.23 dst=10.123.62.215 mac=01:00:5e:1f:7f:1d protocol=udp pattern: 0 iusmodt +rep 1540494597.remap deri flows cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6 +idexeac 1541729552.nimadmin midest_appliance events aid=modt arp_resp=iduntutl arp_src=rsitam auth_neg_dur=xercit auth_neg_failed=ulpaquio channel=itqu dns_req_rtt=minimav dns_resp=smodtem dns_server=roquisqu duration=116.294000 full_conn=iquid identity=evo ip_resp=mcorpori ip_src=10.196.176.243 is_8021x=itesse is_wpa=expl last_auth_ago=essecill radio=totamre reason=rpo rssi=velites type=nonpro vap=nula client_mac=01:00:5e:99:a6:b4 client_ip=10.90.50.149 instigator=nemulla http_resp=asp dhcp_lease_completed=dexercit dhcp_ip=amn dhcp_server=itessequ dhcp_server_mac=porissu dhcp_resp=umd url=https://www.example.net/sectetur/edquian.html?turQuis=taevi#uames category0=tconsec server=10.16.230.121 vpn_type=laboree connectivity=udantiu +ttenb olor.quiav gna security_event Nem signature=tdolorem priority=eacomm timestamp=1542964506.upidata dhost=01:00:5e:6a:c8:f8 direction=unknown protocol=ipv6 src=10.246.152.72:4293 dst=10.34.62.190:1641 message:eve +quisn 1544199460.rem ulamcola events dhcp no offers for mac 01:00:5e:67:fc:cb +eruntmo 1545434414.nimve usanti_ events dhcp release for mac 01:00:5e:7d:de:f7 +uatu 1546669369.olupta consequu_ events dhcp release for mac 01:00:5e:6b:96:f2 +sitam inibusBo.illoin emUtenim ids-alerts signature=ende priority=dexea timestamp=1547904323.acoprotocol=ipv6 src=10.244.32.189 dst=10.121.9.5message: uptas +edol 1549139277.sequuntu quameius_ events content_filtering_block url='https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor' category0='auto' server='10.41.124.15:333' +antium 1550374232.remaper eseosq events dhcp no offers for mac 01:00:5e:c3:77:27 +oditau 1551609186.onsec dit events MAC 01:00:5e:19:86:21 and MAC 01:00:5e:ed:ed:79 both claim IP: 10.43.235.230 +asper dictasun.psa lorese_ ids-alerts ctobeat ids-alerts signature=onsec priority=idestl timestamp=1552844140.litani shost=01:00:5e:a0:b2:c9 direction=unknown protocol=icmp src=10.199.19.205:5823 dst=10.103.91.159:7116 message: ntut +estiaec 1554079094.pitlabo tas_appliance flows src=10.17.111.91 dst=10.65.0.157 mac=01:00:5e:49:c4:17 protocol=udp pattern: 1 nostrum +ercitati 1555314049.atem serro flows cancel +amquaera 1556549003.rsitamet leumiur events MAC 01:00:5e:fd:79:9e and MAC 01:00:5e:4d:c0:dd both claim IP: 10.20.130.88 +abill ametcon.ofdeFini tasnu_ ids-alerts tionev ids-alerts signature=uasiarch priority=velites timestamp=1557783957.uredolorprotocol=ipv6 src=10.177.64.152 dst=10.140.242.86message: temporin +lor nvolupt.dquia ora_ security_event dipi security_event ecatc signature=quovolu priority=ite timestamp=1559018911.itse shost=01:00:5e:b8:73:c8 direction=external protocol=icmp src=10.199.103.185:2449 dst=10.51.121.223:24 message:stenat +saq 1560253866.asiarch ssuscipi events MAC 01:00:5e:93:48:61 and MAC 01:00:5e:21:c2:55 both claim IP: 10.126.242.58 +tlab 1561488820.vel ionevo events dhcp release for mac 01:00:5e:8a:1a:f9 +aeab 1562723774.uradipis aerat_ flows uira flows deny src=10.121.37.244 dst=10.113.152.241 mac=01:00:5e:9c:86:62 protocol=udp type=utaliqui +nesciu 1563958728.mali roinBCSe_appliance events aid=eetdolor arp_resp=tpersp arp_src=assi auth_neg_dur=rch auth_neg_failed=psa channel=nreprehe dns_req_rtt=pidatatn dns_resp=isno dns_server=luptatev duration=39.622000 full_conn=lla identity=urau ip_resp=aeca ip_src=10.247.118.132 is_8021x=atcupi is_wpa=enima last_auth_ago=uptateve radio=fugitsed reason=lumqui rssi=ectet type=ionu vap=eratv client_mac=01:00:5e:10:8b:c3 client_ip=10.153.33.99 instigator=liq http_resp=xerc dhcp_lease_completed=atisetqu dhcp_ip=squir dhcp_server=gnaaliq dhcp_server_mac=quam dhcp_resp=deriti url=https://www5.example.org/eturadi/umS.txt?mSecti=henderi#taevitae category0=tevel server=10.254.96.130 vpn_type=ita connectivity=iquipexe +tot 1565193683.reme emeumfu events aid=inBCSedu arp_resp=ita arp_src=ade auth_neg_dur=nihilmol auth_neg_failed=nder channel=ano dns_req_rtt=rumexer dns_resp=eab dns_server=iaconseq duration=18.963000 full_conn=eli identity=rissusci ip_resp=ectetur ip_src=10.101.13.122 is_8021x=oconsequ is_wpa=roqui last_auth_ago=oluptate radio=ntut reason=mremaper rssi=uteirur type=ntium vap=ide client_mac=01:00:5e:95:ae:d0 client_ip=10.78.143.52 instigator=ntiumdol http_resp=conse dhcp_lease_completed=aturve dhcp_ip=edqui dhcp_server=tvolu dhcp_server_mac=psu dhcp_resp=strud url=https://internal.example.org/fdeFi/ratv.htm?sequatu=tiumtot#tate category0=udanti server=10.200.98.243 vpn_type=cteturad connectivity=umq +oinvento 1566428637.mporin orissusc_appliance events content_filtering_block url='https://www5.example.net/uov/pariat.htm?litsed=lumd#tiaec' category0='lorem' server='10.247.205.185:7676' client_mac='01:00:5e:6f:21:c8' +metMa emoen.ptate mipsumqu_ ids-alerts ccusa ids-alerts signature=billo priority=doloremi timestamp=1567663591.ectetura dhost=01:00:5e:0a:88:bb direction=inbound protocol=ipv6 src=10.195.90.73:3914 dst=10.147.165.30:7662 message: idents +veniamqu 1568898545.iconsequ ueporr_appliance events IDS: empor +atDuisa mipsa.uas iat ids-alerts signature=hite priority=adipis timestamp=1570133500.abo dhost=01:00:5e:dd:cb:5b direction=inbound protocol=udp src=10.137.166.97 dst=10.162.202.14 message: ipsaqua +deom 1571368454.tiumdo rautod_appliance events content_filtering_block url='https://www5.example.com/illoinve/etcon.htm?nevolup=erspici#itinvolu' category0='adeserun' server='10.227.135.142:6598' +orese 1572603408.umdolore umqui_appliance events MAC 01:00:5e:f1:b8:3a and MAC 01:00:5e:37:9c:af both claim IP: 10.199.29.19 +explicab 1573838362.samvolu teiru_appliance events dhcp no offers for mac 01:00:5e:b8:06:92 +rissusci 1575073317.uaturQ iusmod_ events aid=mips arp_resp=iduntutl arp_src=mipsumd auth_neg_dur=eiusmo auth_neg_failed=quelauda channel=rcit dns_req_rtt=dolo dns_resp=ulamc dns_server=doe duration=10.574000 full_conn=remquela identity=toreve ip_resp=squirat ip_src=10.85.59.172 is_8021x=mto is_wpa=iae last_auth_ago=dent radio=Uten reason=tatiset rssi=sequat type=modoco vap=beataevi client_mac=01:00:5e:92:d8:95 client_ip=10.158.215.216 instigator=deritin http_resp=ptate dhcp_lease_completed=lloi dhcp_ip=nseq dhcp_server=equunt dhcp_server_mac=tutla dhcp_resp=usmod url=https://example.com/qui/itse.gif?orsitame=tasn#exeaco category0=upta server=10.75.122.111 vpn_type=reprehe connectivity=deFinib +orr 1576308271.pre aute events IDS: rchite diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json new file mode 100644 index 00000000000..beeffa9b5eb --- /dev/null +++ b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json @@ -0,0 +1,3379 @@ +[ + { + "@timestamp": "2016-01-29T06:09:59.000Z", + "destination.ip": [ + "10.193.124.51" + ], + "destination.port": 5293, + "event.action": "deny", + "event.code": "security_event", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "modtempo 1454047799.olab nto_ security_event olaborissecurity_event tur url=https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac src=10.15.44.253:5078 dst=10.193.124.51:5293 mac=01:00:5e:28:ae:7d name=psa sha256=umq disposition=ntium action=deny", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 0, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.193.124.51", + "10.15.44.253" + ], + "rsa.internal.event_desc": "olaborissecurity_event tur", + "rsa.internal.messageid": "security_event", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.disposition": "ntium", + "rsa.misc.event_type": "security_event", + "rsa.misc.node": "nto_", + "rsa.misc.sensor": "nto_", + "rsa.time.event_time": "2016-01-29T06:09:59.000Z", + "service.type": "cisco", + "source.ip": [ + "10.15.44.253" + ], + "source.mac": "01:00:5e:28:ae:7d", + "source.port": 5078, + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://example.org/odoco/ria.jpg?ritin=uredolor#tatemac" + }, + { + "@timestamp": "2016-02-12T13:12:33.000Z", + "destination.mac": "01:00:5e:0f:87:e3", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "umdo 1455282753.itessequ vol_ events dhcp lease of ip 10.102.218.31 from server mac 01:00:5e:9c:c2:9c for client mac 01:00:5e:0f:87:e3 from router 10.15.16.212 on subnet ameaqu with dns aqu", + "fileset.name": "meraki", + "host.ip": "10.15.16.212", + "input.type": "log", + "log.offset": 250, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.102.218.31", + "10.15.16.212" + ], + "rsa.internal.messageid": "events", + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "vol_", + "rsa.misc.sensor": "vol_", + "rsa.network.dns_a_record": "aqu", + "rsa.network.mask": "ameaqu", + "rsa.time.event_time": "2016-02-12T13:12:33.000Z", + "service.type": "cisco", + "source.ip": [ + "10.102.218.31" + ], + "source.mac": "01:00:5e:9c:c2:9c", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-26T20:15:08.000Z", + "event.action": "ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe", + "event.code": "flows", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "uipexea 1456517708.tatio minim_ flows ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 440, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.internal.messageid": "flows", + "rsa.misc.action": [ + "ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe" + ], + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "minim_", + "rsa.misc.sensor": "minim_", + "rsa.time.event_time": "2016-02-26T20:15:08.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-12T03:17:42.000Z", + "destination.ip": [ + "10.112.46.169" + ], + "event.action": "radip flows block", + "event.code": "flows", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "mipsu 1457752662.consec taliquip_ flows radip flows block src=10.155.236.240 dst=10.112.46.169 mac=01:00:5e:7a:74:89 protocol=ipv6 type=roidents ", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 560, + "network.protocol": "ipv6", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.155.236.240", + "10.112.46.169" + ], + "rsa.internal.messageid": "flows", + "rsa.misc.action": [ + "radip flows block" + ], + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "taliquip_", + "rsa.misc.sensor": "taliquip_", + "rsa.time.event_time": "2016-03-12T03:17:42.000Z", + "service.type": "cisco", + "source.ip": [ + "10.155.236.240" + ], + "source.mac": "01:00:5e:7a:74:89", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-26T10:20:16.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "obeataev 1458987616.lor uidexea_appliance events MAC 01:00:5e:e1:89:ac and MAC 01:00:5e:a3:d9:ac both claim IP: 10.14.107.140", + "fileset.name": "meraki", + "host.mac": "01:00:5e:a3:d9:ac", + "input.type": "log", + "log.offset": 706, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.14.107.140" + ], + "rsa.internal.event_desc": " events MAC", + "rsa.internal.messageid": "events", + "rsa.misc.node": "uidexea", + "rsa.misc.sensor": "uidexea", + "rsa.network.eth_host": "01:00:5e:a3:d9:ac", + "rsa.time.event_time": "2016-03-26T10:20:16.000Z", + "service.type": "cisco", + "source.ip": [ + "10.14.107.140" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-09T17:22:51.000Z", + "destination.ip": [ + "10.108.180.105" + ], + "destination.mac": "01:00:5e:40:9b:83", + "destination.port": 5098, + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "iutal 1460222571.dexe urerep events content_filtering_block url='https://api.example.org/liqu/lorem.gif?ueipsaqu=uidolore#niamqu' category0='ari' server='10.108.180.105:5098' client_mac='01:00:5e:40:9b:83'", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 832, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.108.180.105" + ], + "rsa.internal.event_desc": "content_filtering_block", + "rsa.internal.messageid": "events", + "rsa.misc.category": "ari", + "rsa.misc.node": "urerep", + "rsa.misc.sensor": "urerep", + "rsa.time.event_time": "2016-04-09T17:22:51.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://api.example.org/liqu/lorem.gif?ueipsaqu=uidolore#niamqu" + }, + { + "@timestamp": "2016-04-24T00:25:25.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "ipit 1461457525.idexea riat_appliance events MAC 01:00:5e:25:4f:e4 and MAC 01:00:5e:3f:49:e4 both claim IP: 10.149.88.198", + "fileset.name": "meraki", + "host.mac": "01:00:5e:3f:49:e4", + "input.type": "log", + "log.offset": 1038, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.149.88.198" + ], + "rsa.internal.event_desc": " events MAC", + "rsa.internal.messageid": "events", + "rsa.misc.node": "riat", + "rsa.misc.sensor": "riat", + "rsa.network.eth_host": "01:00:5e:3f:49:e4", + "rsa.time.event_time": "2016-04-24T00:25:25.000Z", + "service.type": "cisco", + "source.ip": [ + "10.149.88.198" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-08T07:27:59.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "ntsuntin 1462692479.aecatcup animi events dhcp release for mac 01:00:5e:e3:10:34", + "fileset.name": "meraki", + "host.mac": "01:00:5e:e3:10:34", + "input.type": "log", + "log.offset": 1160, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.internal.event_desc": "events DHCP", + "rsa.internal.messageid": "events", + "rsa.misc.node": "animi", + "rsa.misc.sensor": "animi", + "rsa.network.eth_host": "01:00:5e:e3:10:34", + "rsa.time.event_time": "2016-05-08T07:27:59.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-22T14:30:33.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "orsitame 1463927433.quiratio ite events MAC 01:00:5e:48:62:22 and MAC 01:00:5e:9f:b6:a6 both claim IP: 10.243.206.225", + "fileset.name": "meraki", + "host.mac": "01:00:5e:9f:b6:a6", + "input.type": "log", + "log.offset": 1241, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.243.206.225" + ], + "rsa.internal.event_desc": " events MAC", + "rsa.internal.messageid": "events", + "rsa.misc.node": "ite", + "rsa.misc.sensor": "ite", + "rsa.network.eth_host": "01:00:5e:9f:b6:a6", + "rsa.time.event_time": "2016-05-22T14:30:33.000Z", + "service.type": "cisco", + "source.ip": [ + "10.243.206.225" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2016-06-05T21:33:08.000Z", + "event.action": "ids-alerts", + "event.code": "ids-alerts", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "olupta turveli.toccae tatno_ ids-alerts taliqu ids-alerts signature=temUten priority=ccusan timestamp=1465162388.iqudirection=outbound protocol=icmp src=10.131.82.116:7307", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 1359, + "network.direction": "outbound", + "network.protocol": "icmp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.131.82.116" + ], + "rsa.internal.messageid": "ids-alerts", + "rsa.misc.event_type": "ids-alerts", + "rsa.misc.node": "tatno_ ids-alerts taliqu", + "rsa.misc.sensor": "tatno_ ids-alerts taliqu", + "rsa.time.event_time": "2016-06-05T21:33:08.000Z", + "service.type": "cisco", + "source.ip": [ + "10.131.82.116" + ], + "source.port": 7307, + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2016-06-20T04:35:42.000Z", + "destination.ip": [ + "10.134.0.141" + ], + "destination.port": 2703, + "event.action": "accept", + "event.code": "security_event", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "uaera 1466397342.sitas ehenderi_ security_event atquovosecurity_event iumto url=https://www5.example.net/sun/essecill.html?saute=vel#quu src=10.210.213.18:7616 dst=10.134.0.141:2703 mac=01:00:5e:aa:42:fa name=idolores sha256=llumquid disposition=tation action=accept", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 1531, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.134.0.141", + "10.210.213.18" + ], + "rsa.internal.event_desc": "atquovosecurity_event iumto", + "rsa.internal.messageid": "security_event", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.disposition": "tation", + "rsa.misc.event_type": "security_event", + "rsa.misc.node": "ehenderi_", + "rsa.misc.sensor": "ehenderi_", + "rsa.time.event_time": "2016-06-20T04:35:42.000Z", + "service.type": "cisco", + "source.ip": [ + "10.210.213.18" + ], + "source.mac": "01:00:5e:aa:42:fa", + "source.port": 7616, + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://www5.example.net/sun/essecill.html?saute=vel#quu" + }, + { + "@timestamp": "2016-07-04T11:38:16.000Z", + "destination.ip": [ + "10.74.237.180" + ], + "event.action": "security_event", + "event.code": "security_event", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "omn ipsumq.atcu oremagna_ security_event remipsum security_event liq signature=ist priority=tnon timestamp=1467632296.ionul shost=01:00:5e:c8:9c:2f direction=outbound protocol=udp src=10.163.72.17 dst=10.74.237.180 message:nsequu", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 1798, + "network.direction": "outbound", + "network.protocol": "udp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.163.72.17", + "10.74.237.180" + ], + "rsa.internal.event_desc": "remipsum security_event liq", + "rsa.internal.messageid": "security_event", + "rsa.misc.event_type": "security_event", + "rsa.misc.node": "oremagna_", + "rsa.misc.policy_name": "nsequu", + "rsa.misc.sensor": "oremagna_", + "rsa.time.event_time": "2016-07-04T11:38:16.000Z", + "service.type": "cisco", + "source.ip": [ + "10.163.72.17" + ], + "source.mac": "01:00:5e:c8:9c:2f", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-18T18:40:50.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "omm 1468867250.idestla Nemoeni_appliance events MAC 01:00:5e:c4:69:7f and MAC 01:00:5e:e2:67:d2 both claim IP: 10.72.31.26", + "fileset.name": "meraki", + "host.mac": "01:00:5e:e2:67:d2", + "input.type": "log", + "log.offset": 2028, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.72.31.26" + ], + "rsa.internal.event_desc": " events MAC", + "rsa.internal.messageid": "events", + "rsa.misc.node": "Nemoeni", + "rsa.misc.sensor": "Nemoeni", + "rsa.network.eth_host": "01:00:5e:e2:67:d2", + "rsa.time.event_time": "2016-07-18T18:40:50.000Z", + "service.type": "cisco", + "source.ip": [ + "10.72.31.26" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-02T01:43:25.000Z", + "event.action": "ids-alerts", + "event.code": "ids-alerts", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "agna tionemu.eomnisis mqui ids-alerts signature=civeli priority=errorsi timestamp=1470102205.desdirection=internal protocol=tcp src=10.70.95.74:4290", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 2151, + "network.direction": "internal", + "network.protocol": "tcp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.70.95.74" + ], + "rsa.internal.messageid": "ids-alerts", + "rsa.misc.event_type": "ids-alerts", + "rsa.misc.node": "mqui", + "rsa.misc.sensor": "mqui", + "rsa.time.event_time": "2016-08-02T01:43:25.000Z", + "service.type": "cisco", + "source.ip": [ + "10.70.95.74" + ], + "source.port": 4290, + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-16T08:45:59.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "olupt 1471337159.dit sumquiad events MAC 01:00:5e:ea:e8:7a and MAC 01:00:5e:9c:d2:4a both claim IP: 10.17.21.125", + "fileset.name": "meraki", + "host.mac": "01:00:5e:9c:d2:4a", + "input.type": "log", + "log.offset": 2300, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.17.21.125" + ], + "rsa.internal.event_desc": " events MAC", + "rsa.internal.messageid": "events", + "rsa.misc.node": "sumquiad", + "rsa.misc.sensor": "sumquiad", + "rsa.network.eth_host": "01:00:5e:9c:d2:4a", + "rsa.time.event_time": "2016-08-16T08:45:59.000Z", + "service.type": "cisco", + "source.ip": [ + "10.17.21.125" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-30T15:48:33.000Z", + "destination.mac": "01:00:5e:46:17:35", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "amqu 1472572113.uines nsec events dhcp lease of ip 10.85.10.165 from server mac 01:00:5e:63:93:48 for client mac 01:00:5e:46:17:35 from router 10.53.150.119 on subnet uiineavo with dns tisetq", + "fileset.name": "meraki", + "host.ip": "10.53.150.119", + "input.type": "log", + "log.offset": 2413, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.85.10.165", + "10.53.150.119" + ], + "rsa.internal.messageid": "events", + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "nsec", + "rsa.misc.sensor": "nsec", + "rsa.network.dns_a_record": "tisetq", + "rsa.network.mask": "uiineavo", + "rsa.time.event_time": "2016-08-30T15:48:33.000Z", + "service.type": "cisco", + "source.ip": [ + "10.85.10.165" + ], + "source.mac": "01:00:5e:63:93:48", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-13T22:51:07.000Z", + "destination.ip": [ + "10.187.77.245" + ], + "event.action": "ids-alerts", + "event.code": "ids-alerts", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "giatquov eritquii.dexeac iscinge ids-alerts signature=atvol priority=umiur timestamp=1473807067.imadprotocol=igmp src=10.88.231.224 dst=10.187.77.245message: iadese", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 2605, + "network.protocol": "igmp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.88.231.224", + "10.187.77.245" + ], + "rsa.internal.messageid": "ids-alerts", + "rsa.misc.event_type": "ids-alerts", + "rsa.misc.node": "iscinge", + "rsa.misc.policy_name": "iadese", + "rsa.misc.sensor": "iscinge", + "rsa.time.event_time": "2016-09-13T22:51:07.000Z", + "service.type": "cisco", + "source.ip": [ + "10.88.231.224" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-28T05:53:42.000Z", + "destination.ip": [ + "10.186.58.115" + ], + "destination.mac": "01:00:5e:8f:16:6d", + "destination.port": 7238, + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "agnaali 1475042022.gnam tat events content_filtering_block url='https://internal.example.com/quae/maccusa.htm?rQuisau=idex#xerci' category0='aqu' server='10.186.58.115:7238' client_mac='01:00:5e:8f:16:6d'", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 2770, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.186.58.115" + ], + "rsa.internal.event_desc": "content_filtering_block", + "rsa.internal.messageid": "events", + "rsa.misc.category": "aqu", + "rsa.misc.node": "tat", + "rsa.misc.sensor": "tat", + "rsa.time.event_time": "2016-09-28T05:53:42.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://internal.example.com/quae/maccusa.htm?rQuisau=idex#xerci" + }, + { + "@timestamp": "2016-10-12T12:56:16.000Z", + "destination.mac": "01:00:5e:87:e1:a0", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "apariat 1476276976.tlabore untmolli_ events dhcp lease of ip 10.219.84.37 from server mac 01:00:5e:e8:bf:69 for client mac 01:00:5e:87:e1:a0 from router 10.205.47.51 on subnet uovolup with dns samvolu", + "fileset.name": "meraki", + "host.ip": "10.205.47.51", + "input.type": "log", + "log.offset": 2975, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.205.47.51", + "10.219.84.37" + ], + "rsa.internal.messageid": "events", + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "untmolli_", + "rsa.misc.sensor": "untmolli_", + "rsa.network.dns_a_record": "samvolu", + "rsa.network.mask": "uovolup", + "rsa.time.event_time": "2016-10-12T12:56:16.000Z", + "service.type": "cisco", + "source.ip": [ + "10.219.84.37" + ], + "source.mac": "01:00:5e:e8:bf:69", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-26T19:58:50.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "ento 1477511930.pic evita events MAC 01:00:5e:ce:61:db and MAC 01:00:5e:ec:f8:cc both claim IP: 10.3.134.237", + "fileset.name": "meraki", + "host.mac": "01:00:5e:ec:f8:cc", + "input.type": "log", + "log.offset": 3176, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.3.134.237" + ], + "rsa.internal.event_desc": " events MAC", + "rsa.internal.messageid": "events", + "rsa.misc.node": "evita", + "rsa.misc.sensor": "evita", + "rsa.network.eth_host": "01:00:5e:ec:f8:cc", + "rsa.time.event_time": "2016-10-26T19:58:50.000Z", + "service.type": "cisco", + "source.ip": [ + "10.3.134.237" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2016-11-10T03:01:24.000Z", + "destination.ip": [ + "10.63.194.87" + ], + "destination.mac": "01:00:5e:e3:b1:24", + "event.action": "texp", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "tmo 1478746884.fficiade uscipit events aid=vitaedi arp_resp=fugitse arp_src=veniamq auth_neg_dur=one auth_neg_failed=etMalor channel=ipi dns_req_rtt=reseos dns_resp=pariatu dns_server=tin duration=48.123000 full_conn=oquisqu identity=sperna ip_resp=eabilloi ip_src=10.182.178.217 is_8021x=tlab is_wpa=volupt last_auth_ago=osqui radio=xerc reason=iutali rssi=fdeFi type=texp vap=tasuntex client_mac=01:00:5e:e3:b1:24 client_ip=10.194.114.58 instigator=ectio http_resp=dutper dhcp_lease_completed=lamcolab dhcp_ip=ati dhcp_server=tlabo dhcp_server_mac=uames dhcp_resp=iduntu url=https://internal.example.net/ris/uamqu.txt?liqui=quioffi#uptate category0=ncidid server=10.63.194.87 vpn_type=quisno connectivity=sin", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 3285, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.63.194.87", + "10.182.178.217" + ], + "rsa.counters.dclass_r1": "fdeFi", + "rsa.internal.messageid": "events", + "rsa.misc.category": "ncidid", + "rsa.misc.event_source": "appliance", + "rsa.misc.event_type": "texp", + "rsa.misc.node": "uscipit", + "rsa.misc.sensor": "uscipit", + "rsa.time.duration_time": 48.123, + "rsa.time.event_time": "2016-11-10T03:01:24.000Z", + "service.type": "cisco", + "source.ip": [ + "10.182.178.217" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://internal.example.net/ris/uamqu.txt?liqui=quioffi#uptate" + }, + { + "@timestamp": "2016-11-24T10:03:59.000Z", + "destination.ip": [ + "10.163.154.210" + ], + "destination.mac": "01:00:5e:9e:7b:a4", + "event.action": "rau", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "emvel 1479981839.tmollita fde events aid=nsecte arp_resp=inculpa arp_src=abo auth_neg_dur=veniamqu auth_neg_failed=nse channel=non dns_req_rtt=paquioff dns_resp=mquisnos dns_server=maven duration=71.798000 full_conn=atcu identity=labor ip_resp=didunt ip_src=10.153.0.77 is_8021x=udan is_wpa=orema last_auth_ago=invento radio=qua reason=aturQui rssi=utlabor type=rau vap=idex client_mac=01:00:5e:9e:7b:a4 client_ip=10.105.88.20 instigator=ecte http_resp=tinvolu dhcp_lease_completed=iurer dhcp_ip=iciadese dhcp_server=quidolor dhcp_server_mac=tessec dhcp_resp=olupta url=https://mail.example.com/icabo/itatio.jpg?eleum=sintoc#volupt category0=siste server=10.163.154.210 vpn_type=ept connectivity=iumtotam", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 3996, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.153.0.77", + "10.163.154.210" + ], + "rsa.counters.dclass_r1": "utlabor", + "rsa.internal.messageid": "events", + "rsa.misc.category": "siste", + "rsa.misc.event_source": "appliance", + "rsa.misc.event_type": "rau", + "rsa.misc.node": "fde", + "rsa.misc.sensor": "fde", + "rsa.time.duration_time": 71.798, + "rsa.time.event_time": "2016-11-24T10:03:59.000Z", + "service.type": "cisco", + "source.ip": [ + "10.153.0.77" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://mail.example.com/icabo/itatio.jpg?eleum=sintoc#volupt" + }, + { + "@timestamp": "2016-12-08T17:06:33.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "ionevo 1481216793.ugiatnu ciati_appliance events MAC 01:00:5e:b8:7a:96 and MAC 01:00:5e:b9:6b:a8 both claim IP: 10.73.69.176", + "fileset.name": "meraki", + "host.mac": "01:00:5e:b9:6b:a8", + "input.type": "log", + "log.offset": 4701, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.73.69.176" + ], + "rsa.internal.event_desc": " events MAC", + "rsa.internal.messageid": "events", + "rsa.misc.node": "ciati", + "rsa.misc.sensor": "ciati", + "rsa.network.eth_host": "01:00:5e:b9:6b:a8", + "rsa.time.event_time": "2016-12-08T17:06:33.000Z", + "service.type": "cisco", + "source.ip": [ + "10.73.69.176" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-23T00:09:07.000Z", + "event.action": "ese flows allow src=10.145.248.111 dst=10.57.6.252 mac=01:00:5e:94:6a:cf protocol=udp", + "event.code": "flows", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "spi 1482451747.stquido ommodico_ flows ese flows allow src=10.145.248.111 dst=10.57.6.252 mac=01:00:5e:94:6a:cf protocol=udp ", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 4826, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.internal.messageid": "flows", + "rsa.misc.action": [ + "ese flows allow src=10.145.248.111 dst=10.57.6.252 mac=01:00:5e:94:6a:cf protocol=udp" + ], + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "ommodico_", + "rsa.misc.sensor": "ommodico_", + "rsa.time.event_time": "2016-12-23T00:09:07.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-06T07:11:41.000Z", + "destination.ip": [ + "10.12.182.70" + ], + "event.action": "security_event", + "event.code": "security_event", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "smo etcons.iusmodi uamest_ security_event uiac security_event epte signature=idolo priority=quinesc timestamp=1483686701.madmi shost=01:00:5e:1c:4c:64 direction=internal protocol=icmp src=10.31.77.157 dst=10.12.182.70 message:tev", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 4952, + "network.direction": "internal", + "network.protocol": "icmp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.31.77.157", + "10.12.182.70" + ], + "rsa.internal.event_desc": "uiac security_event epte", + "rsa.internal.messageid": "security_event", + "rsa.misc.event_type": "security_event", + "rsa.misc.node": "uamest_", + "rsa.misc.policy_name": "tev", + "rsa.misc.sensor": "uamest_", + "rsa.time.event_time": "2017-01-06T07:11:41.000Z", + "service.type": "cisco", + "source.ip": [ + "10.31.77.157" + ], + "source.mac": "01:00:5e:1c:4c:64", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-20T14:14:16.000Z", + "event.action": "cancel", + "event.code": "flows", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "nisiuta 1484921656.roid inibusB flows cancel", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 5182, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.internal.messageid": "flows", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "inibusB", + "rsa.misc.sensor": "inibusB", + "rsa.time.event_time": "2017-01-20T14:14:16.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-03T21:16:50.000Z", + "destination.ip": [ + "10.135.217.12" + ], + "event.action": "cteturad flows deny", + "event.code": "flows", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "str 1486156610.idolore pid_ flows cteturad flows deny src=10.93.68.231 dst=10.135.217.12 mac=01:00:5e:4a:69:5b protocol=ipv6 type=archite ", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 5227, + "network.protocol": "ipv6", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.135.217.12", + "10.93.68.231" + ], + "rsa.internal.messageid": "flows", + "rsa.misc.action": [ + "cteturad flows deny" + ], + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "pid_", + "rsa.misc.sensor": "pid_", + "rsa.time.event_time": "2017-02-03T21:16:50.000Z", + "service.type": "cisco", + "source.ip": [ + "10.93.68.231" + ], + "source.mac": "01:00:5e:4a:69:5b", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-18T04:19:24.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "amnih 1487391564.ium esciuntN_ events dhcp release for mac 01:00:5e:8b:99:98", + "fileset.name": "meraki", + "host.mac": "01:00:5e:8b:99:98", + "input.type": "log", + "log.offset": 5366, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.internal.event_desc": "events DHCP", + "rsa.internal.messageid": "events", + "rsa.misc.node": "esciuntN_", + "rsa.misc.sensor": "esciuntN_", + "rsa.network.eth_host": "01:00:5e:8b:99:98", + "rsa.time.event_time": "2017-02-18T04:19:24.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-04T11:21:59.000Z", + "destination.ip": [ + "10.66.89.5" + ], + "event.action": "iscinge flows", + "event.code": "flows", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "isnost 1488626519.queips ncidi_ flows iscinge flows src=10.247.30.212 dst=10.66.89.5 mac=01:00:5e:7f:65:da protocol=igmp pattern: 1 borios", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 5443, + "network.protocol": "igmp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.247.30.212", + "10.66.89.5" + ], + "rsa.internal.messageid": "flows", + "rsa.misc.action": [ + "iscinge flows" + ], + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "ncidi_", + "rsa.misc.sensor": "ncidi_", + "rsa.time.event_time": "2017-03-04T11:21:59.000Z", + "service.type": "cisco", + "source.ip": [ + "10.247.30.212" + ], + "source.mac": "01:00:5e:7f:65:da", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-18T18:24:33.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "oin 1489861473.mvenia madminim events IDS: fugitsed", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 5582, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.db.index": "fugitsed", + "rsa.internal.event_desc": "events IDS", + "rsa.internal.messageid": "events", + "rsa.misc.node": "madminim", + "rsa.misc.sensor": "madminim", + "rsa.time.event_time": "2017-03-18T18:24:33.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-02T01:27:07.000Z", + "destination.ip": [ + "10.173.136.186" + ], + "destination.mac": "01:00:5e:c1:53:b1", + "event.action": "security_event", + "event.code": "security_event", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "dmin fugi.quia iduntu security_event idestlab signature=rnatur priority=ofdeFin timestamp=1491096427.essequam dhost=01:00:5e:c1:53:b1 direction=inbound protocol=tcp src=10.221.102.245 dst=10.173.136.186 message:naal", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 5634, + "network.direction": "inbound", + "network.protocol": "tcp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.221.102.245", + "10.173.136.186" + ], + "rsa.internal.event_desc": "idestlab", + "rsa.internal.messageid": "security_event", + "rsa.misc.event_type": "security_event", + "rsa.misc.node": "iduntu", + "rsa.misc.policy_name": "naal", + "rsa.misc.sensor": "iduntu", + "rsa.time.event_time": "2017-04-02T01:27:07.000Z", + "service.type": "cisco", + "source.ip": [ + "10.221.102.245" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-16T08:29:41.000Z", + "destination.ip": [ + "10.54.37.86" + ], + "destination.mac": "01:00:5e:1f:c6:29", + "event.action": "ids-alerts", + "event.code": "ids-alerts", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "umqu tinv.adipisc uscipitl_ ids-alerts ritatise ids-alerts signature=uamei priority=siut timestamp=1492331381.ciad dhost=01:00:5e:1f:c6:29 direction=external protocol=udp src=10.58.64.108 dst=10.54.37.86 message: entorev", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 5850, + "network.direction": "external", + "network.protocol": "udp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.54.37.86", + "10.58.64.108" + ], + "rsa.internal.messageid": "ids-alerts", + "rsa.misc.event_type": "ids-alerts", + "rsa.misc.node": "uscipitl_ ids-alerts ritatise", + "rsa.misc.policy_name": "entorev", + "rsa.misc.sensor": "uscipitl_ ids-alerts ritatise", + "rsa.time.event_time": "2017-04-16T08:29:41.000Z", + "service.type": "cisco", + "source.ip": [ + "10.58.64.108" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-30T15:32:16.000Z", + "destination.ip": [ + "10.163.93.20" + ], + "event.action": "veli flows block", + "event.code": "flows", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "velitess 1493566336.naali uunturm_ flows veli flows block src=10.147.76.202 dst=10.163.93.20 mac=01:00:5e:1d:85:ec protocol=ipv6 sport=1085 dport=3141 ", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 6071, + "network.protocol": "ipv6", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.147.76.202", + "10.163.93.20" + ], + "rsa.internal.messageid": "flows", + "rsa.misc.action": [ + "veli flows block" + ], + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "uunturm_", + "rsa.misc.sensor": "uunturm_", + "rsa.time.event_time": "2017-04-30T15:32:16.000Z", + "service.type": "cisco", + "source.ip": [ + "10.147.76.202" + ], + "source.mac": "01:00:5e:1d:85:ec", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-14T22:34:50.000Z", + "destination.ip": [ + "10.183.44.198" + ], + "destination.mac": "01:00:5e:35:71:1e", + "destination.port": 1702, + "event.action": "security_event", + "event.code": "security_event", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "iumdol tpersp.stla uptatema_ security_event uradi security_event tot signature=llamco priority=nea timestamp=1494801290.psum dhost=01:00:5e:35:71:1e direction=internal protocol=icmp src=10.0.200.27:5905 dst=10.183.44.198:1702 message:asiarc", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 6223, + "network.direction": "internal", + "network.protocol": "icmp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.183.44.198", + "10.0.200.27" + ], + "rsa.internal.event_desc": "uradi security_event tot", + "rsa.internal.messageid": "security_event", + "rsa.misc.event_type": "security_event", + "rsa.misc.node": "uptatema_", + "rsa.misc.policy_name": "asiarc", + "rsa.misc.sensor": "uptatema_", + "rsa.time.event_time": "2017-05-14T22:34:50.000Z", + "service.type": "cisco", + "source.ip": [ + "10.0.200.27" + ], + "source.port": 5905, + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-29T05:37:24.000Z", + "destination.mac": "01:00:5e:06:12:98", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "tiaec 1496036244.rumwrit icabo_ events dhcp lease of ip 10.148.124.84 from server mac 01:00:5e:0b:2c:22 for client mac 01:00:5e:06:12:98 from router 10.28.144.180 on subnet ritin with dns temporin", + "fileset.name": "meraki", + "host.ip": "10.28.144.180", + "input.type": "log", + "log.offset": 6464, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.148.124.84", + "10.28.144.180" + ], + "rsa.internal.messageid": "events", + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "icabo_", + "rsa.misc.sensor": "icabo_", + "rsa.network.dns_a_record": "temporin", + "rsa.network.mask": "ritin", + "rsa.time.event_time": "2017-05-29T05:37:24.000Z", + "service.type": "cisco", + "source.ip": [ + "10.148.124.84" + ], + "source.mac": "01:00:5e:0b:2c:22", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-12T12:39:58.000Z", + "destination.ip": [ + "10.98.194.212" + ], + "destination.mac": "01:00:5e:bb:60:a6", + "event.action": "utaliqu", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "ica 1497271198.lillum remips_appliance events aid=uisaute arp_resp=imide arp_src=poriss auth_neg_dur=tvolup auth_neg_failed=itesseq channel=dictasun dns_req_rtt=veniamqu dns_resp=rum dns_server=quaea duration=165.611000 full_conn=mvel identity=nof ip_resp=usmodi ip_src=10.204.230.166 is_8021x=dat is_wpa=aincidu last_auth_ago=nimadmin radio=isiu reason=licabo rssi=enimadmi type=utaliqu vap=dic client_mac=01:00:5e:bb:60:a6 client_ip=10.62.71.118 instigator=ineavol http_resp=iosa dhcp_lease_completed=boNemoe dhcp_ip=onsequ dhcp_server=equinesc dhcp_server_mac=cab dhcp_resp=atisund url=https://example.net/ites/isetq.gif?nisiut=tur#avolupt category0=ariatur server=10.98.194.212 vpn_type=nimave connectivity=isciv", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 6661, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.98.194.212", + "10.204.230.166" + ], + "rsa.counters.dclass_r1": "enimadmi", + "rsa.internal.messageid": "events", + "rsa.misc.category": "ariatur", + "rsa.misc.event_source": "appliance", + "rsa.misc.event_type": "utaliqu", + "rsa.misc.node": "remips", + "rsa.misc.sensor": "remips", + "rsa.time.duration_time": 165.611, + "rsa.time.event_time": "2017-06-12T12:39:58.000Z", + "service.type": "cisco", + "source.ip": [ + "10.204.230.166" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://example.net/ites/isetq.gif?nisiut=tur#avolupt" + }, + { + "@timestamp": "2017-06-26T19:42:33.000Z", + "destination.ip": [ + "10.197.13.39" + ], + "destination.port": 5912, + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "dipisci 1498506153.spernatu admi events content_filtering_block url='https://www.example.org/ueipsa/tae.html?eriti=atcupi#corpori' category0='borisnis' server='10.197.13.39:5912'", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 7378, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.197.13.39" + ], + "rsa.internal.event_desc": "content_filtering_block", + "rsa.internal.messageid": "events", + "rsa.misc.category": "borisnis", + "rsa.misc.node": "admi", + "rsa.misc.sensor": "admi", + "rsa.time.event_time": "2017-06-26T19:42:33.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://www.example.org/ueipsa/tae.html?eriti=atcupi#corpori" + }, + { + "@timestamp": "2017-07-11T02:45:07.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "itsedd 1499741107.leumiur eratvol events dhcp release for mac 01:00:5e:fd:84:bb", + "fileset.name": "meraki", + "host.mac": "01:00:5e:fd:84:bb", + "input.type": "log", + "log.offset": 7557, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.internal.event_desc": "events DHCP", + "rsa.internal.messageid": "events", + "rsa.misc.node": "eratvol", + "rsa.misc.sensor": "eratvol", + "rsa.network.eth_host": "01:00:5e:fd:84:bb", + "rsa.time.event_time": "2017-07-11T02:45:07.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-07-25T09:47:41.000Z", + "destination.ip": [ + "10.150.245.88" + ], + "event.action": "ids-alerts", + "event.code": "ids-alerts", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "leumiu tla.item nimid ids-alerts signature=dat priority=periam timestamp=1500976061.dquprotocol=icmp src=10.242.77.170 dst=10.150.245.88message: orisn", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 7637, + "network.protocol": "icmp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.150.245.88", + "10.242.77.170" + ], + "rsa.internal.messageid": "ids-alerts", + "rsa.misc.event_type": "ids-alerts", + "rsa.misc.node": "nimid", + "rsa.misc.policy_name": "orisn", + "rsa.misc.sensor": "nimid", + "rsa.time.event_time": "2017-07-25T09:47:41.000Z", + "service.type": "cisco", + "source.ip": [ + "10.242.77.170" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-08T16:50:15.000Z", + "destination.ip": [ + "10.180.195.43" + ], + "event.action": "ids-alerts", + "event.code": "ids-alerts", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "sitam rad.loi isc_ ids-alerts volupt ids-alerts signature=rem priority=idid timestamp=1502211015.tesse shost=01:00:5e:9d:eb:fb direction=external protocol=tcp src=10.247.139.239 dst=10.180.195.43 message: tenatuse", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 7788, + "network.direction": "external", + "network.protocol": "tcp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.247.139.239", + "10.180.195.43" + ], + "rsa.internal.messageid": "ids-alerts", + "rsa.misc.event_type": "ids-alerts", + "rsa.misc.node": "isc_ ids-alerts volupt", + "rsa.misc.policy_name": "tenatuse", + "rsa.misc.sensor": "isc_ ids-alerts volupt", + "rsa.time.event_time": "2017-08-08T16:50:15.000Z", + "service.type": "cisco", + "source.ip": [ + "10.247.139.239" + ], + "source.mac": "01:00:5e:9d:eb:fb", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-22T23:52:50.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "tore 1503445970.elits consequa events dhcp release for mac 01:00:5e:50:48:c4", + "fileset.name": "meraki", + "host.mac": "01:00:5e:50:48:c4", + "input.type": "log", + "log.offset": 8002, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.internal.event_desc": "events DHCP", + "rsa.internal.messageid": "events", + "rsa.misc.node": "consequa", + "rsa.misc.sensor": "consequa", + "rsa.network.eth_host": "01:00:5e:50:48:c4", + "rsa.time.event_time": "2017-08-22T23:52:50.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-06T06:55:24.000Z", + "destination.ip": [ + "10.147.15.213" + ], + "event.action": "ids-alerts", + "event.code": "ids-alerts", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "undeom uamnihi.risnis uov_ ids-alerts isn ids-alerts signature=sBono priority=loremqu timestamp=1504680924.teturprotocol=rdp src=10.94.6.140 dst=10.147.15.213message: uptat", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 8079, + "network.protocol": "rdp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.147.15.213", + "10.94.6.140" + ], + "rsa.internal.messageid": "ids-alerts", + "rsa.misc.event_type": "ids-alerts", + "rsa.misc.node": "uov_ ids-alerts isn", + "rsa.misc.policy_name": "uptat", + "rsa.misc.sensor": "uov_ ids-alerts isn", + "rsa.time.event_time": "2017-09-06T06:55:24.000Z", + "service.type": "cisco", + "source.ip": [ + "10.94.6.140" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-20T13:57:58.000Z", + "destination.ip": [ + "10.111.157.56" + ], + "event.action": "obeata flows block", + "event.code": "flows", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "itasper 1505915878.uae mve_ flows obeata flows block src=10.230.6.127 dst=10.111.157.56 mac=01:00:5e:39:a7:fc protocol=icmp type=aliquamq ", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 8252, + "network.protocol": "icmp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.230.6.127", + "10.111.157.56" + ], + "rsa.internal.messageid": "flows", + "rsa.misc.action": [ + "obeata flows block" + ], + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "mve_", + "rsa.misc.sensor": "mve_", + "rsa.time.event_time": "2017-09-20T13:57:58.000Z", + "service.type": "cisco", + "source.ip": [ + "10.230.6.127" + ], + "source.mac": "01:00:5e:39:a7:fc", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-04T21:00:32.000Z", + "destination.ip": [ + "10.193.219.34" + ], + "destination.mac": "01:00:5e:58:2d:1c", + "event.action": "inBC", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "archite 1507150832.remq veniamq events aid=occ arp_resp=oloreseo arp_src=iruredol auth_neg_dur=veniamqu auth_neg_failed=licaboN channel=atquo dns_req_rtt=cupi dns_resp=strude dns_server=eritin duration=85.513000 full_conn=litsedq identity=nderiti ip_resp=ntNe ip_src=10.179.40.170 is_8021x=olorema is_wpa=mollita last_auth_ago=tatem radio=iae reason=quido rssi=emip type=inBC vap=mol client_mac=01:00:5e:58:2d:1c client_ip=10.153.81.206 instigator=rsita http_resp=nsequun dhcp_lease_completed=eetd dhcp_ip=illu dhcp_server=iatqu dhcp_server_mac=lorsi dhcp_resp=repreh url=https://www.example.net/irured/illumqui.txt?tionula=ritqu#ecatcupi category0=uamei server=10.193.219.34 vpn_type=onse connectivity=olorem", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 8391, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.179.40.170", + "10.193.219.34" + ], + "rsa.counters.dclass_r1": "emip", + "rsa.internal.messageid": "events", + "rsa.misc.category": "uamei", + "rsa.misc.event_source": "appliance", + "rsa.misc.event_type": "inBC", + "rsa.misc.node": "veniamq", + "rsa.misc.sensor": "veniamq", + "rsa.time.duration_time": 85.513, + "rsa.time.event_time": "2017-10-04T21:00:32.000Z", + "service.type": "cisco", + "source.ip": [ + "10.179.40.170" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://www.example.net/irured/illumqui.txt?tionula=ritqu#ecatcupi" + }, + { + "@timestamp": "2017-10-19T04:03:07.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "umwritte 1508385787.vol oremquel_appliance events MAC 01:00:5e:16:5e:b1 and MAC 01:00:5e:ee:e8:77 both claim IP: 10.255.199.16", + "fileset.name": "meraki", + "host.mac": "01:00:5e:ee:e8:77", + "input.type": "log", + "log.offset": 9101, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.255.199.16" + ], + "rsa.internal.event_desc": " events MAC", + "rsa.internal.messageid": "events", + "rsa.misc.node": "oremquel", + "rsa.misc.sensor": "oremquel", + "rsa.network.eth_host": "01:00:5e:ee:e8:77", + "rsa.time.event_time": "2017-10-19T04:03:07.000Z", + "service.type": "cisco", + "source.ip": [ + "10.255.199.16" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-02T11:05:41.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "unte 1509620741.uamnihil llam_appliance events MAC 01:00:5e:ee:1d:77 and MAC 01:00:5e:f1:21:bd both claim IP: 10.94.88.5", + "fileset.name": "meraki", + "host.mac": "01:00:5e:f1:21:bd", + "input.type": "log", + "log.offset": 9228, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.94.88.5" + ], + "rsa.internal.event_desc": " events MAC", + "rsa.internal.messageid": "events", + "rsa.misc.node": "llam", + "rsa.misc.sensor": "llam", + "rsa.network.eth_host": "01:00:5e:f1:21:bd", + "rsa.time.event_time": "2017-11-02T11:05:41.000Z", + "service.type": "cisco", + "source.ip": [ + "10.94.88.5" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-16T18:08:15.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "esci 1510855695.uov quaeab_ events IDS: moles", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 9349, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.db.index": "moles", + "rsa.internal.event_desc": "events IDS", + "rsa.internal.messageid": "events", + "rsa.misc.node": "quaeab_", + "rsa.misc.sensor": "quaeab_", + "rsa.time.event_time": "2017-11-16T18:08:15.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-01T01:10:49.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "accusa 1512090649.natu liquid events IDS: enim", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 9395, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.db.index": "enim", + "rsa.internal.event_desc": "events IDS", + "rsa.internal.messageid": "events", + "rsa.misc.node": "liquid", + "rsa.misc.sensor": "liquid", + "rsa.time.event_time": "2017-12-01T01:10:49.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-15T08:13:24.000Z", + "destination.ip": [ + "10.124.63.4" + ], + "destination.mac": "01:00:5e:01:60:e0", + "event.action": "security_event", + "event.code": "security_event", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "dquiaco nibus.vitaed ser security_event etconsec signature=elillum priority=upt timestamp=1513325604.rnat dhost=01:00:5e:01:60:e0 direction=internal protocol=ipv6 src=10.90.99.245 dst=10.124.63.4 message:pta", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 9442, + "network.direction": "internal", + "network.protocol": "ipv6", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.124.63.4", + "10.90.99.245" + ], + "rsa.internal.event_desc": "etconsec", + "rsa.internal.messageid": "security_event", + "rsa.misc.event_type": "security_event", + "rsa.misc.node": "ser", + "rsa.misc.policy_name": "pta", + "rsa.misc.sensor": "ser", + "rsa.time.event_time": "2017-12-15T08:13:24.000Z", + "service.type": "cisco", + "source.ip": [ + "10.90.99.245" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-29T15:15:58.000Z", + "destination.ip": [ + "10.249.7.146" + ], + "destination.port": 2010, + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "tetura 1514560558.imadmini moe_appliance events content_filtering_block url='https://mail.example.net/uat/lupta.html?uptassit=ncidi#tlabori' category0='laudan' server='10.249.7.146:2010'", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 9650, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.249.7.146" + ], + "rsa.internal.event_desc": "content_filtering_block", + "rsa.internal.messageid": "events", + "rsa.misc.category": "laudan", + "rsa.misc.node": "moe", + "rsa.misc.sensor": "moe", + "rsa.time.event_time": "2017-12-29T15:15:58.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://mail.example.net/uat/lupta.html?uptassit=ncidi#tlabori" + }, + { + "@timestamp": "2018-01-12T22:18:32.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "lapar 1515795512.ritati edquia_appliance events IDS: itesse", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 9837, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.db.index": "itesse", + "rsa.internal.event_desc": "events IDS", + "rsa.internal.messageid": "events", + "rsa.misc.node": "edquia", + "rsa.misc.sensor": "edquia", + "rsa.time.event_time": "2018-01-12T22:18:32.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-27T05:21:06.000Z", + "destination.ip": [ + "10.81.234.34" + ], + "destination.mac": "01:00:5e:c9:b7:22", + "event.action": "security_event", + "event.code": "security_event", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "amvolu mip.tion tobeatae_ security_event Utenima security_event iqua signature=luptat priority=deriti timestamp=1517030466.sintocc dhost=01:00:5e:c9:b7:22 direction=inbound protocol=icmp src=10.196.96.162 dst=10.81.234.34 message:equuntur", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 9897, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.196.96.162", + "10.81.234.34" + ], + "rsa.internal.event_desc": "Utenima security_event iqua", + "rsa.internal.messageid": "security_event", + "rsa.misc.event_type": "security_event", + "rsa.misc.node": "tobeatae_", + "rsa.misc.policy_name": "equuntur", + "rsa.misc.sensor": "tobeatae_", + "rsa.time.event_time": "2018-01-27T05:21:06.000Z", + "service.type": "cisco", + "source.ip": [ + "10.196.96.162" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-02-10T12:23:41.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "uide 1518265421.scivel henderi_appliance events IDS: iusmodt", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 10136, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.db.index": "iusmodt", + "rsa.internal.event_desc": "events IDS", + "rsa.internal.messageid": "events", + "rsa.misc.node": "henderi", + "rsa.misc.sensor": "henderi", + "rsa.time.event_time": "2018-02-10T12:23:41.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-02-24T19:26:15.000Z", + "destination.mac": "01:00:5e:7c:01:ab", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "tiumd 1519500375.ntmoll mexer events dhcp lease of ip 10.40.101.224 from server mac 01:00:5e:0a:df:72 for client mac 01:00:5e:7c:01:ab with hostname remips188.api.invalid from router 10.78.199.43 on subnet ehender with dns ilmole", + "fileset.name": "meraki", + "host.ip": "10.78.199.43", + "host.name": "remips188.api.invalid", + "input.type": "log", + "log.offset": 10197, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.hosts": [ + "remips188.api.invalid" + ], + "related.ip": [ + "10.40.101.224", + "10.78.199.43" + ], + "rsa.internal.messageid": "events", + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "mexer", + "rsa.misc.sensor": "mexer", + "rsa.network.alias_host": [ + "remips188.api.invalid" + ], + "rsa.network.dns_a_record": "ilmole", + "rsa.network.mask": "ehender", + "rsa.time.event_time": "2018-02-24T19:26:15.000Z", + "service.type": "cisco", + "source.ip": [ + "10.40.101.224" + ], + "source.mac": "01:00:5e:0a:df:72", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-03-11T02:28:49.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "runtmo 1520735329.ore isund_appliance events MAC 01:00:5e:17:87:3e and MAC 01:00:5e:5f:c1:3e both claim IP: 10.244.29.119", + "fileset.name": "meraki", + "host.mac": "01:00:5e:5f:c1:3e", + "input.type": "log", + "log.offset": 10427, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.244.29.119" + ], + "rsa.internal.event_desc": " events MAC", + "rsa.internal.messageid": "events", + "rsa.misc.node": "isund", + "rsa.misc.sensor": "isund", + "rsa.network.eth_host": "01:00:5e:5f:c1:3e", + "rsa.time.event_time": "2018-03-11T02:28:49.000Z", + "service.type": "cisco", + "source.ip": [ + "10.244.29.119" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-03-25T09:31:24.000Z", + "destination.ip": [ + "10.39.172.93" + ], + "event.action": "pteurs flows deny", + "event.code": "flows", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "tutlabor 1521970284.reseosq gna_ flows pteurs flows deny src=10.83.131.245 dst=10.39.172.93 mac=01:00:5e:c4:12:c7 protocol=udp type=uido ", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 10549, + "network.protocol": "udp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.83.131.245", + "10.39.172.93" + ], + "rsa.internal.messageid": "flows", + "rsa.misc.action": [ + "pteurs flows deny" + ], + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "gna_", + "rsa.misc.sensor": "gna_", + "rsa.time.event_time": "2018-03-25T09:31:24.000Z", + "service.type": "cisco", + "source.ip": [ + "10.83.131.245" + ], + "source.mac": "01:00:5e:c4:12:c7", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-08T16:33:58.000Z", + "destination.mac": "01:00:5e:7e:cd:15", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "osquira 1523205238.umd sciveli_ events dhcp lease of ip 10.86.188.179 from server mac 01:00:5e:48:4b:78 for client mac 01:00:5e:7e:cd:15 from router 10.201.168.116 on subnet umiure with dns laborum", + "fileset.name": "meraki", + "host.ip": "10.201.168.116", + "input.type": "log", + "log.offset": 10687, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.86.188.179", + "10.201.168.116" + ], + "rsa.internal.messageid": "events", + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "sciveli_", + "rsa.misc.sensor": "sciveli_", + "rsa.network.dns_a_record": "laborum", + "rsa.network.mask": "umiure", + "rsa.time.event_time": "2018-04-08T16:33:58.000Z", + "service.type": "cisco", + "source.ip": [ + "10.86.188.179" + ], + "source.mac": "01:00:5e:48:4b:78", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-22T23:36:32.000Z", + "destination.ip": [ + "10.122.204.151" + ], + "destination.port": 3903, + "event.action": "deny", + "event.code": "security_event", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "umdolors 1524440192.lumdo acom_ security_event umexercisecurity_event duntut url=https://mail.example.com/prehend/eufug.htm?eufug=est#civelits src=10.148.211.222:2053 dst=10.122.204.151:3903 mac=01:00:5e:c3:a0:dc name=ine sha256=urerepre disposition=asnulap action=deny", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 10885, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.122.204.151", + "10.148.211.222" + ], + "rsa.internal.event_desc": "umexercisecurity_event duntut", + "rsa.internal.messageid": "security_event", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.disposition": "asnulap", + "rsa.misc.event_type": "security_event", + "rsa.misc.node": "acom_", + "rsa.misc.sensor": "acom_", + "rsa.time.event_time": "2018-04-22T23:36:32.000Z", + "service.type": "cisco", + "source.ip": [ + "10.148.211.222" + ], + "source.mac": "01:00:5e:c3:a0:dc", + "source.port": 2053, + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://mail.example.com/prehend/eufug.htm?eufug=est#civelits" + }, + { + "@timestamp": "2018-05-07T06:39:06.000Z", + "event.action": "luptatem flows accept", + "event.code": "flows", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "atnul 1525675146.umfugi stquidol_ flows luptatem flows accept", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 11155, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.internal.messageid": "flows", + "rsa.misc.action": [ + "luptatem flows accept" + ], + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "stquidol_", + "rsa.misc.sensor": "stquidol_", + "rsa.time.event_time": "2018-05-07T06:39:06.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-21T13:41:41.000Z", + "destination.ip": [ + "10.120.4.9" + ], + "event.action": "ids-alerts", + "event.code": "ids-alerts", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "essequam ueporro.aliqu upt ids-alerts signature=orum priority=Bonoru timestamp=1526910101.madminimprotocol=ipv6-icmp src=10.97.46.16 dst=10.120.4.9message: teni", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 11217, + "network.protocol": "ipv6-icmp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.120.4.9", + "10.97.46.16" + ], + "rsa.internal.messageid": "ids-alerts", + "rsa.misc.event_type": "ids-alerts", + "rsa.misc.node": "upt", + "rsa.misc.policy_name": "teni", + "rsa.misc.sensor": "upt", + "rsa.time.event_time": "2018-05-21T13:41:41.000Z", + "service.type": "cisco", + "source.ip": [ + "10.97.46.16" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-04T20:44:15.000Z", + "destination.ip": [ + "10.165.173.162" + ], + "event.action": "ids-alerts", + "event.code": "ids-alerts", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "lorsitam tanimid.onpr litseddo_ ids-alerts oremqu ids-alerts signature=idex priority=radip timestamp=1528145055.uptaprotocol=ipv6-icmp src=10.171.206.139 dst=10.165.173.162message: lestia", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 11378, + "network.protocol": "ipv6-icmp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.171.206.139", + "10.165.173.162" + ], + "rsa.internal.messageid": "ids-alerts", + "rsa.misc.event_type": "ids-alerts", + "rsa.misc.node": "litseddo_ ids-alerts oremqu", + "rsa.misc.policy_name": "lestia", + "rsa.misc.sensor": "litseddo_ ids-alerts oremqu", + "rsa.time.event_time": "2018-06-04T20:44:15.000Z", + "service.type": "cisco", + "source.ip": [ + "10.171.206.139" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-19T03:46:49.000Z", + "destination.mac": "01:00:5e:f2:d3:12", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "inibusB 1529380009.nostrud cteturad events dhcp lease of ip 10.150.163.151 from server mac 01:00:5e:72:b7:79 for client mac 01:00:5e:f2:d3:12 with hostname uames4985.mail.localdomain from router 10.144.57.239 on subnet oinBCSed with dns orem", + "fileset.name": "meraki", + "host.ip": "10.144.57.239", + "host.name": "uames4985.mail.localdomain", + "input.type": "log", + "log.offset": 11566, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.hosts": [ + "uames4985.mail.localdomain" + ], + "related.ip": [ + "10.150.163.151", + "10.144.57.239" + ], + "rsa.internal.messageid": "events", + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "cteturad", + "rsa.misc.sensor": "cteturad", + "rsa.network.alias_host": [ + "uames4985.mail.localdomain" + ], + "rsa.network.dns_a_record": "orem", + "rsa.network.mask": "oinBCSed", + "rsa.time.event_time": "2018-06-19T03:46:49.000Z", + "service.type": "cisco", + "source.ip": [ + "10.150.163.151" + ], + "source.mac": "01:00:5e:72:b7:79", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-03T10:49:23.000Z", + "destination.ip": [ + "10.54.44.231" + ], + "event.action": "ids-alerts", + "event.code": "ids-alerts", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "eritq rehen.ipsamvol elillum_ ids-alerts tco ids-alerts signature=tvol priority=oluptate timestamp=1530614963.lit shost=01:00:5e:ac:6d:d3 direction=unknown protocol=igmp src=10.52.202.158 dst=10.54.44.231 message: Ute", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 11808, + "network.direction": "unknown", + "network.protocol": "igmp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.54.44.231", + "10.52.202.158" + ], + "rsa.internal.messageid": "ids-alerts", + "rsa.misc.event_type": "ids-alerts", + "rsa.misc.node": "elillum_ ids-alerts tco", + "rsa.misc.policy_name": "Ute", + "rsa.misc.sensor": "elillum_ ids-alerts tco", + "rsa.time.event_time": "2018-07-03T10:49:23.000Z", + "service.type": "cisco", + "source.ip": [ + "10.52.202.158" + ], + "source.mac": "01:00:5e:ac:6d:d3", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-17T17:51:58.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "runtm 1531849918.eturadip olorsi_ events MAC 01:00:5e:67:1d:0f and MAC 01:00:5e:f0:a9:cd both claim IP: 10.101.183.86", + "fileset.name": "meraki", + "host.mac": "01:00:5e:f0:a9:cd", + "input.type": "log", + "log.offset": 12026, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.101.183.86" + ], + "rsa.internal.event_desc": " events MAC", + "rsa.internal.messageid": "events", + "rsa.misc.node": "olorsi_", + "rsa.misc.sensor": "olorsi_", + "rsa.network.eth_host": "01:00:5e:f0:a9:cd", + "rsa.time.event_time": "2018-07-17T17:51:58.000Z", + "service.type": "cisco", + "source.ip": [ + "10.101.183.86" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-01T00:54:32.000Z", + "event.action": "orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi", + "event.code": "flows", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "inesciu 1533084872.quid atcupid_ flows orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 12144, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.internal.messageid": "flows", + "rsa.misc.action": [ + "orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi" + ], + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "atcupid_", + "rsa.misc.sensor": "atcupid_", + "rsa.time.event_time": "2018-08-01T00:54:32.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-15T07:57:06.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "lamco 1534319826.cit siar events MAC 01:00:5e:80:cd:ca and MAC 01:00:5e:45:aa:51 both claim IP: 10.83.130.95", + "fileset.name": "meraki", + "host.mac": "01:00:5e:45:aa:51", + "input.type": "log", + "log.offset": 12264, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.83.130.95" + ], + "rsa.internal.event_desc": " events MAC", + "rsa.internal.messageid": "events", + "rsa.misc.node": "siar", + "rsa.misc.sensor": "siar", + "rsa.network.eth_host": "01:00:5e:45:aa:51", + "rsa.time.event_time": "2018-08-15T07:57:06.000Z", + "service.type": "cisco", + "source.ip": [ + "10.83.130.95" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-29T14:59:40.000Z", + "destination.ip": [ + "10.103.49.129" + ], + "destination.mac": "01:00:5e:59:bf:36", + "event.action": "olor", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "hite 1535554780.ianonnum nofdeFi events aid=henderit arp_resp=remq arp_src=unt auth_neg_dur=tla auth_neg_failed=arch channel=lite dns_req_rtt=ugia dns_resp=meum dns_server=borumSec duration=91.439000 full_conn=nvolupta identity=tev ip_resp=nre ip_src=10.2.110.73 is_8021x=eturadip is_wpa=ent last_auth_ago=rumSecti radio=Utenima reason=olore rssi=orumS type=olor vap=radip client_mac=01:00:5e:59:bf:36 client_ip=10.230.98.81 instigator=aaliquaU http_resp=olu dhcp_lease_completed=iameaque dhcp_ip=identsun dhcp_server=ender dhcp_server_mac=inc dhcp_resp=tect url=https://www.example.net/doconse/eni.html?mSec=smoditem#tatisetq category0=uidolo server=10.103.49.129 vpn_type=oquisq connectivity=abori", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 12373, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.2.110.73", + "10.103.49.129" + ], + "rsa.counters.dclass_r1": "orumS", + "rsa.internal.messageid": "events", + "rsa.misc.category": "uidolo", + "rsa.misc.event_source": "appliance", + "rsa.misc.event_type": "olor", + "rsa.misc.node": "nofdeFi", + "rsa.misc.sensor": "nofdeFi", + "rsa.time.duration_time": 91.439, + "rsa.time.event_time": "2018-08-29T14:59:40.000Z", + "service.type": "cisco", + "source.ip": [ + "10.2.110.73" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://www.example.net/doconse/eni.html?mSec=smoditem#tatisetq" + }, + { + "@timestamp": "2018-09-12T22:02:15.000Z", + "destination.ip": [ + "10.132.176.96" + ], + "destination.mac": "01:00:5e:e6:a6:a2", + "event.action": "rvelill", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "dunt 1536789735.ames amni events aid=tatio arp_resp=amquisno arp_src=modoc auth_neg_dur=magnam auth_neg_failed=uinesc channel=cid dns_req_rtt=emi dns_resp=Bonorum dns_server=lesti duration=59.289000 full_conn=iosamni identity=idu ip_resp=sis ip_src=10.158.61.228 is_8021x=tsedquia is_wpa=its last_auth_ago=umdolor radio=isiu reason=assi rssi=eserun type=rvelill vap=lupta client_mac=01:00:5e:e6:a6:a2 client_ip=10.186.16.20 instigator=tisu http_resp=remagnam dhcp_lease_completed=nvolupt dhcp_ip=meiusm dhcp_server=nidolo dhcp_server_mac=atquovol dhcp_resp=quunt url=https://www.example.com/seq/moll.htm?sunt=dquianon#urExc category0=tDuis server=10.132.176.96 vpn_type=aria connectivity=inim", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 13073, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.132.176.96", + "10.158.61.228" + ], + "rsa.counters.dclass_r1": "eserun", + "rsa.internal.messageid": "events", + "rsa.misc.category": "tDuis", + "rsa.misc.event_source": "appliance", + "rsa.misc.event_type": "rvelill", + "rsa.misc.node": "amni", + "rsa.misc.sensor": "amni", + "rsa.time.duration_time": 59.289, + "rsa.time.event_time": "2018-09-12T22:02:15.000Z", + "service.type": "cisco", + "source.ip": [ + "10.158.61.228" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://www.example.com/seq/moll.htm?sunt=dquianon#urExc" + }, + { + "@timestamp": "2018-09-27T05:04:49.000Z", + "destination.mac": "01:00:5e:69:92:4a", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "oremeumf 1538024689.lesti sintocca events dhcp lease of ip 10.105.136.146 from server mac 01:00:5e:bb:aa:f6 for client mac 01:00:5e:69:92:4a with hostname lors2232.api.example from router 10.46.217.155 on subnet amnihil with dns orissus", + "fileset.name": "meraki", + "host.ip": "10.46.217.155", + "host.name": "lors2232.api.example", + "input.type": "log", + "log.offset": 13766, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.hosts": [ + "lors2232.api.example" + ], + "related.ip": [ + "10.46.217.155", + "10.105.136.146" + ], + "rsa.internal.messageid": "events", + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "sintocca", + "rsa.misc.sensor": "sintocca", + "rsa.network.alias_host": [ + "lors2232.api.example" + ], + "rsa.network.dns_a_record": "orissus", + "rsa.network.mask": "amnihil", + "rsa.time.event_time": "2018-09-27T05:04:49.000Z", + "service.type": "cisco", + "source.ip": [ + "10.105.136.146" + ], + "source.mac": "01:00:5e:bb:aa:f6", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-11T12:07:23.000Z", + "destination.ip": [ + "10.123.62.215" + ], + "destination.mac": "01:00:5e:1f:7f:1d", + "event.code": "flows", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "nimadmin 1539259643.lumqui quiavolu flows src=10.245.199.23 dst=10.123.62.215 mac=01:00:5e:1f:7f:1d protocol=udp pattern: 0 iusmodt", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 14003, + "network.protocol": "udp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.62.215", + "10.245.199.23" + ], + "rsa.db.index": "iusmodt", + "rsa.internal.messageid": "flows", + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "quiavolu", + "rsa.misc.sensor": "quiavolu", + "rsa.time.event_time": "2018-10-11T12:07:23.000Z", + "service.type": "cisco", + "source.ip": [ + "10.245.199.23" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-25T19:09:57.000Z", + "event.action": "cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6", + "event.code": "flows", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "rep 1540494597.remap deri flows cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6 ", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 14135, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.internal.messageid": "flows", + "rsa.misc.action": [ + "cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6" + ], + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "deri", + "rsa.misc.sensor": "deri", + "rsa.time.event_time": "2018-10-25T19:09:57.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-11-09T02:12:32.000Z", + "destination.ip": [ + "10.16.230.121" + ], + "destination.mac": "01:00:5e:99:a6:b4", + "event.action": "nonpro", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "idexeac 1541729552.nimadmin midest_appliance events aid=modt arp_resp=iduntutl arp_src=rsitam auth_neg_dur=xercit auth_neg_failed=ulpaquio channel=itqu dns_req_rtt=minimav dns_resp=smodtem dns_server=roquisqu duration=116.294000 full_conn=iquid identity=evo ip_resp=mcorpori ip_src=10.196.176.243 is_8021x=itesse is_wpa=expl last_auth_ago=essecill radio=totamre reason=rpo rssi=velites type=nonpro vap=nula client_mac=01:00:5e:99:a6:b4 client_ip=10.90.50.149 instigator=nemulla http_resp=asp dhcp_lease_completed=dexercit dhcp_ip=amn dhcp_server=itessequ dhcp_server_mac=porissu dhcp_resp=umd url=https://www.example.net/sectetur/edquian.html?turQuis=taevi#uames category0=tconsec server=10.16.230.121 vpn_type=laboree connectivity=udantiu", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 14245, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.196.176.243", + "10.16.230.121" + ], + "rsa.counters.dclass_r1": "velites", + "rsa.internal.messageid": "events", + "rsa.misc.category": "tconsec", + "rsa.misc.event_source": "appliance", + "rsa.misc.event_type": "nonpro", + "rsa.misc.node": "midest", + "rsa.misc.sensor": "midest", + "rsa.time.duration_time": 116.294, + "rsa.time.event_time": "2018-11-09T02:12:32.000Z", + "service.type": "cisco", + "source.ip": [ + "10.196.176.243" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://www.example.net/sectetur/edquian.html?turQuis=taevi#uames" + }, + { + "@timestamp": "2018-11-23T09:15:06.000Z", + "destination.ip": [ + "10.34.62.190" + ], + "destination.mac": "01:00:5e:6a:c8:f8", + "destination.port": 1641, + "event.action": "security_event", + "event.code": "security_event", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "ttenb olor.quiav gna security_event Nem signature=tdolorem priority=eacomm timestamp=1542964506.upidata dhost=01:00:5e:6a:c8:f8 direction=unknown protocol=ipv6 src=10.246.152.72:4293 dst=10.34.62.190:1641 message:eve", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 14985, + "network.direction": "unknown", + "network.protocol": "ipv6", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.246.152.72", + "10.34.62.190" + ], + "rsa.internal.event_desc": "Nem", + "rsa.internal.messageid": "security_event", + "rsa.misc.event_type": "security_event", + "rsa.misc.node": "gna", + "rsa.misc.policy_name": "eve", + "rsa.misc.sensor": "gna", + "rsa.time.event_time": "2018-11-23T09:15:06.000Z", + "service.type": "cisco", + "source.ip": [ + "10.246.152.72" + ], + "source.port": 4293, + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-07T16:17:40.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "quisn 1544199460.rem ulamcola events dhcp no offers for mac 01:00:5e:67:fc:cb", + "fileset.name": "meraki", + "host.mac": "01:00:5e:67:fc:cb", + "input.type": "log", + "log.offset": 15202, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.internal.event_desc": "events DHCP", + "rsa.internal.messageid": "events", + "rsa.misc.node": "ulamcola", + "rsa.misc.sensor": "ulamcola", + "rsa.network.eth_host": "01:00:5e:67:fc:cb", + "rsa.time.event_time": "2018-12-07T16:17:40.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-21T23:20:14.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "eruntmo 1545434414.nimve usanti_ events dhcp release for mac 01:00:5e:7d:de:f7", + "fileset.name": "meraki", + "host.mac": "01:00:5e:7d:de:f7", + "input.type": "log", + "log.offset": 15280, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.internal.event_desc": "events DHCP", + "rsa.internal.messageid": "events", + "rsa.misc.node": "usanti_", + "rsa.misc.sensor": "usanti_", + "rsa.network.eth_host": "01:00:5e:7d:de:f7", + "rsa.time.event_time": "2018-12-21T23:20:14.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-05T06:22:49.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "uatu 1546669369.olupta consequu_ events dhcp release for mac 01:00:5e:6b:96:f2", + "fileset.name": "meraki", + "host.mac": "01:00:5e:6b:96:f2", + "input.type": "log", + "log.offset": 15359, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.internal.event_desc": "events DHCP", + "rsa.internal.messageid": "events", + "rsa.misc.node": "consequu_", + "rsa.misc.sensor": "consequu_", + "rsa.network.eth_host": "01:00:5e:6b:96:f2", + "rsa.time.event_time": "2019-01-05T06:22:49.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-19T13:25:23.000Z", + "destination.ip": [ + "10.121.9.5" + ], + "event.action": "ids-alerts", + "event.code": "ids-alerts", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "sitam inibusBo.illoin emUtenim ids-alerts signature=ende priority=dexea timestamp=1547904323.acoprotocol=ipv6 src=10.244.32.189 dst=10.121.9.5message: uptas", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 15438, + "network.protocol": "ipv6", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.121.9.5", + "10.244.32.189" + ], + "rsa.internal.messageid": "ids-alerts", + "rsa.misc.event_type": "ids-alerts", + "rsa.misc.node": "emUtenim", + "rsa.misc.policy_name": "uptas", + "rsa.misc.sensor": "emUtenim", + "rsa.time.event_time": "2019-01-19T13:25:23.000Z", + "service.type": "cisco", + "source.ip": [ + "10.244.32.189" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-02T20:27:57.000Z", + "destination.ip": [ + "10.41.124.15" + ], + "destination.port": 333, + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "edol 1549139277.sequuntu quameius_ events content_filtering_block url='https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor' category0='auto' server='10.41.124.15:333'", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 15595, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.41.124.15" + ], + "rsa.internal.event_desc": "content_filtering_block", + "rsa.internal.messageid": "events", + "rsa.misc.category": "auto", + "rsa.misc.node": "quameius_", + "rsa.misc.sensor": "quameius_", + "rsa.time.event_time": "2019-02-02T20:27:57.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://www.example.com/totamrem/aliqu.htm?sBonorum=moenimi#lor" + }, + { + "@timestamp": "2019-02-17T03:30:32.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "antium 1550374232.remaper eseosq events dhcp no offers for mac 01:00:5e:c3:77:27", + "fileset.name": "meraki", + "host.mac": "01:00:5e:c3:77:27", + "input.type": "log", + "log.offset": 15774, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.internal.event_desc": "events DHCP", + "rsa.internal.messageid": "events", + "rsa.misc.node": "eseosq", + "rsa.misc.sensor": "eseosq", + "rsa.network.eth_host": "01:00:5e:c3:77:27", + "rsa.time.event_time": "2019-02-17T03:30:32.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-03T10:33:06.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "oditau 1551609186.onsec dit events MAC 01:00:5e:19:86:21 and MAC 01:00:5e:ed:ed:79 both claim IP: 10.43.235.230", + "fileset.name": "meraki", + "host.mac": "01:00:5e:ed:ed:79", + "input.type": "log", + "log.offset": 15855, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.43.235.230" + ], + "rsa.internal.event_desc": " events MAC", + "rsa.internal.messageid": "events", + "rsa.misc.node": "dit", + "rsa.misc.sensor": "dit", + "rsa.network.eth_host": "01:00:5e:ed:ed:79", + "rsa.time.event_time": "2019-03-03T10:33:06.000Z", + "service.type": "cisco", + "source.ip": [ + "10.43.235.230" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-17T17:35:40.000Z", + "destination.ip": [ + "10.103.91.159" + ], + "destination.port": 7116, + "event.action": "ids-alerts", + "event.code": "ids-alerts", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "asper dictasun.psa lorese_ ids-alerts ctobeat ids-alerts signature=onsec priority=idestl timestamp=1552844140.litani shost=01:00:5e:a0:b2:c9 direction=unknown protocol=icmp src=10.199.19.205:5823 dst=10.103.91.159:7116 message: ntut", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 15967, + "network.direction": "unknown", + "network.protocol": "icmp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.199.19.205", + "10.103.91.159" + ], + "rsa.internal.messageid": "ids-alerts", + "rsa.misc.event_type": "ids-alerts", + "rsa.misc.node": "lorese_ ids-alerts ctobeat", + "rsa.misc.policy_name": "ntut", + "rsa.misc.sensor": "lorese_ ids-alerts ctobeat", + "rsa.time.event_time": "2019-03-17T17:35:40.000Z", + "service.type": "cisco", + "source.ip": [ + "10.199.19.205" + ], + "source.mac": "01:00:5e:a0:b2:c9", + "source.port": 5823, + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-01T00:38:14.000Z", + "destination.ip": [ + "10.65.0.157" + ], + "destination.mac": "01:00:5e:49:c4:17", + "event.action": "Deny", + "event.code": "flows", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "estiaec 1554079094.pitlabo tas_appliance flows src=10.17.111.91 dst=10.65.0.157 mac=01:00:5e:49:c4:17 protocol=udp pattern: 1 nostrum", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 16200, + "network.protocol": "udp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.65.0.157", + "10.17.111.91" + ], + "rsa.db.index": "nostrum", + "rsa.internal.messageid": "flows", + "rsa.misc.action": [ + "Deny" + ], + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "tas", + "rsa.misc.sensor": "tas", + "rsa.time.event_time": "2019-04-01T00:38:14.000Z", + "service.type": "cisco", + "source.ip": [ + "10.17.111.91" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-15T07:40:49.000Z", + "event.action": "cancel", + "event.code": "flows", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "ercitati 1555314049.atem serro flows cancel", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 16334, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.internal.messageid": "flows", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "serro", + "rsa.misc.sensor": "serro", + "rsa.time.event_time": "2019-04-15T07:40:49.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-29T14:43:23.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "amquaera 1556549003.rsitamet leumiur events MAC 01:00:5e:fd:79:9e and MAC 01:00:5e:4d:c0:dd both claim IP: 10.20.130.88", + "fileset.name": "meraki", + "host.mac": "01:00:5e:4d:c0:dd", + "input.type": "log", + "log.offset": 16378, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.20.130.88" + ], + "rsa.internal.event_desc": " events MAC", + "rsa.internal.messageid": "events", + "rsa.misc.node": "leumiur", + "rsa.misc.sensor": "leumiur", + "rsa.network.eth_host": "01:00:5e:4d:c0:dd", + "rsa.time.event_time": "2019-04-29T14:43:23.000Z", + "service.type": "cisco", + "source.ip": [ + "10.20.130.88" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-05-13T21:45:57.000Z", + "destination.ip": [ + "10.140.242.86" + ], + "event.action": "ids-alerts", + "event.code": "ids-alerts", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "abill ametcon.ofdeFini tasnu_ ids-alerts tionev ids-alerts signature=uasiarch priority=velites timestamp=1557783957.uredolorprotocol=ipv6 src=10.177.64.152 dst=10.140.242.86message: temporin", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 16498, + "network.protocol": "ipv6", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.140.242.86", + "10.177.64.152" + ], + "rsa.internal.messageid": "ids-alerts", + "rsa.misc.event_type": "ids-alerts", + "rsa.misc.node": "tasnu_ ids-alerts tionev", + "rsa.misc.policy_name": "temporin", + "rsa.misc.sensor": "tasnu_ ids-alerts tionev", + "rsa.time.event_time": "2019-05-13T21:45:57.000Z", + "service.type": "cisco", + "source.ip": [ + "10.177.64.152" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-05-28T04:48:31.000Z", + "destination.ip": [ + "10.51.121.223" + ], + "destination.port": 24, + "event.action": "security_event", + "event.code": "security_event", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "lor nvolupt.dquia ora_ security_event dipi security_event ecatc signature=quovolu priority=ite timestamp=1559018911.itse shost=01:00:5e:b8:73:c8 direction=external protocol=icmp src=10.199.103.185:2449 dst=10.51.121.223:24 message:stenat", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 16689, + "network.direction": "external", + "network.protocol": "icmp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.199.103.185", + "10.51.121.223" + ], + "rsa.internal.event_desc": "dipi security_event ecatc", + "rsa.internal.messageid": "security_event", + "rsa.misc.event_type": "security_event", + "rsa.misc.node": "ora_", + "rsa.misc.policy_name": "stenat", + "rsa.misc.sensor": "ora_", + "rsa.time.event_time": "2019-05-28T04:48:31.000Z", + "service.type": "cisco", + "source.ip": [ + "10.199.103.185" + ], + "source.mac": "01:00:5e:b8:73:c8", + "source.port": 2449, + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-11T11:51:06.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "saq 1560253866.asiarch ssuscipi events MAC 01:00:5e:93:48:61 and MAC 01:00:5e:21:c2:55 both claim IP: 10.126.242.58", + "fileset.name": "meraki", + "host.mac": "01:00:5e:21:c2:55", + "input.type": "log", + "log.offset": 16927, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.126.242.58" + ], + "rsa.internal.event_desc": " events MAC", + "rsa.internal.messageid": "events", + "rsa.misc.node": "ssuscipi", + "rsa.misc.sensor": "ssuscipi", + "rsa.network.eth_host": "01:00:5e:21:c2:55", + "rsa.time.event_time": "2019-06-11T11:51:06.000Z", + "service.type": "cisco", + "source.ip": [ + "10.126.242.58" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-25T18:53:40.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "tlab 1561488820.vel ionevo events dhcp release for mac 01:00:5e:8a:1a:f9", + "fileset.name": "meraki", + "host.mac": "01:00:5e:8a:1a:f9", + "input.type": "log", + "log.offset": 17043, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.internal.event_desc": "events DHCP", + "rsa.internal.messageid": "events", + "rsa.misc.node": "ionevo", + "rsa.misc.sensor": "ionevo", + "rsa.network.eth_host": "01:00:5e:8a:1a:f9", + "rsa.time.event_time": "2019-06-25T18:53:40.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-10T01:56:14.000Z", + "destination.ip": [ + "10.113.152.241" + ], + "event.action": "uira flows deny", + "event.code": "flows", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "aeab 1562723774.uradipis aerat_ flows uira flows deny src=10.121.37.244 dst=10.113.152.241 mac=01:00:5e:9c:86:62 protocol=udp type=utaliqui ", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 17116, + "network.protocol": "udp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.113.152.241", + "10.121.37.244" + ], + "rsa.internal.messageid": "flows", + "rsa.misc.action": [ + "uira flows deny" + ], + "rsa.misc.event_source": "appliance", + "rsa.misc.node": "aerat_", + "rsa.misc.sensor": "aerat_", + "rsa.time.event_time": "2019-07-10T01:56:14.000Z", + "service.type": "cisco", + "source.ip": [ + "10.121.37.244" + ], + "source.mac": "01:00:5e:9c:86:62", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-24T08:58:48.000Z", + "destination.ip": [ + "10.254.96.130" + ], + "destination.mac": "01:00:5e:10:8b:c3", + "event.action": "ionu", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "nesciu 1563958728.mali roinBCSe_appliance events aid=eetdolor arp_resp=tpersp arp_src=assi auth_neg_dur=rch auth_neg_failed=psa channel=nreprehe dns_req_rtt=pidatatn dns_resp=isno dns_server=luptatev duration=39.622000 full_conn=lla identity=urau ip_resp=aeca ip_src=10.247.118.132 is_8021x=atcupi is_wpa=enima last_auth_ago=uptateve radio=fugitsed reason=lumqui rssi=ectet type=ionu vap=eratv client_mac=01:00:5e:10:8b:c3 client_ip=10.153.33.99 instigator=liq http_resp=xerc dhcp_lease_completed=atisetqu dhcp_ip=squir dhcp_server=gnaaliq dhcp_server_mac=quam dhcp_resp=deriti url=https://www5.example.org/eturadi/umS.txt?mSecti=henderi#taevitae category0=tevel server=10.254.96.130 vpn_type=ita connectivity=iquipexe", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 17257, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.247.118.132", + "10.254.96.130" + ], + "rsa.counters.dclass_r1": "ectet", + "rsa.internal.messageid": "events", + "rsa.misc.category": "tevel", + "rsa.misc.event_source": "appliance", + "rsa.misc.event_type": "ionu", + "rsa.misc.node": "roinBCSe", + "rsa.misc.sensor": "roinBCSe", + "rsa.time.duration_time": 39.622, + "rsa.time.event_time": "2019-07-24T08:58:48.000Z", + "service.type": "cisco", + "source.ip": [ + "10.247.118.132" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://www5.example.org/eturadi/umS.txt?mSecti=henderi#taevitae" + }, + { + "@timestamp": "2019-08-07T16:01:23.000Z", + "destination.ip": [ + "10.200.98.243" + ], + "destination.mac": "01:00:5e:95:ae:d0", + "event.action": "ntium", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "tot 1565193683.reme emeumfu events aid=inBCSedu arp_resp=ita arp_src=ade auth_neg_dur=nihilmol auth_neg_failed=nder channel=ano dns_req_rtt=rumexer dns_resp=eab dns_server=iaconseq duration=18.963000 full_conn=eli identity=rissusci ip_resp=ectetur ip_src=10.101.13.122 is_8021x=oconsequ is_wpa=roqui last_auth_ago=oluptate radio=ntut reason=mremaper rssi=uteirur type=ntium vap=ide client_mac=01:00:5e:95:ae:d0 client_ip=10.78.143.52 instigator=ntiumdol http_resp=conse dhcp_lease_completed=aturve dhcp_ip=edqui dhcp_server=tvolu dhcp_server_mac=psu dhcp_resp=strud url=https://internal.example.org/fdeFi/ratv.htm?sequatu=tiumtot#tate category0=udanti server=10.200.98.243 vpn_type=cteturad connectivity=umq", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 17976, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.200.98.243", + "10.101.13.122" + ], + "rsa.counters.dclass_r1": "uteirur", + "rsa.internal.messageid": "events", + "rsa.misc.category": "udanti", + "rsa.misc.event_source": "appliance", + "rsa.misc.event_type": "ntium", + "rsa.misc.node": "emeumfu", + "rsa.misc.sensor": "emeumfu", + "rsa.time.duration_time": 18.963, + "rsa.time.event_time": "2019-08-07T16:01:23.000Z", + "service.type": "cisco", + "source.ip": [ + "10.101.13.122" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://internal.example.org/fdeFi/ratv.htm?sequatu=tiumtot#tate" + }, + { + "@timestamp": "2019-08-21T23:03:57.000Z", + "destination.ip": [ + "10.247.205.185" + ], + "destination.mac": "01:00:5e:6f:21:c8", + "destination.port": 7676, + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "oinvento 1566428637.mporin orissusc_appliance events content_filtering_block url='https://www5.example.net/uov/pariat.htm?litsed=lumd#tiaec' category0='lorem' server='10.247.205.185:7676' client_mac='01:00:5e:6f:21:c8'", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 18684, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.247.205.185" + ], + "rsa.internal.event_desc": "content_filtering_block", + "rsa.internal.messageid": "events", + "rsa.misc.category": "lorem", + "rsa.misc.node": "orissusc", + "rsa.misc.sensor": "orissusc", + "rsa.time.event_time": "2019-08-21T23:03:57.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://www5.example.net/uov/pariat.htm?litsed=lumd#tiaec" + }, + { + "@timestamp": "2019-09-05T06:06:31.000Z", + "destination.ip": [ + "10.147.165.30" + ], + "destination.mac": "01:00:5e:0a:88:bb", + "destination.port": 7662, + "event.action": "ids-alerts", + "event.code": "ids-alerts", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "metMa emoen.ptate mipsumqu_ ids-alerts ccusa ids-alerts signature=billo priority=doloremi timestamp=1567663591.ectetura dhost=01:00:5e:0a:88:bb direction=inbound protocol=ipv6 src=10.195.90.73:3914 dst=10.147.165.30:7662 message: idents", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 18903, + "network.direction": "inbound", + "network.protocol": "ipv6", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.147.165.30", + "10.195.90.73" + ], + "rsa.internal.messageid": "ids-alerts", + "rsa.misc.event_type": "ids-alerts", + "rsa.misc.node": "mipsumqu_ ids-alerts ccusa", + "rsa.misc.policy_name": "idents", + "rsa.misc.sensor": "mipsumqu_ ids-alerts ccusa", + "rsa.time.event_time": "2019-09-05T06:06:31.000Z", + "service.type": "cisco", + "source.ip": [ + "10.195.90.73" + ], + "source.port": 3914, + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-19T13:09:05.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "veniamqu 1568898545.iconsequ ueporr_appliance events IDS: empor", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 19140, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.db.index": "empor", + "rsa.internal.event_desc": "events IDS", + "rsa.internal.messageid": "events", + "rsa.misc.node": "ueporr", + "rsa.misc.sensor": "ueporr", + "rsa.time.event_time": "2019-09-19T13:09:05.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-03T20:11:40.000Z", + "destination.ip": [ + "10.162.202.14" + ], + "destination.mac": "01:00:5e:dd:cb:5b", + "event.action": "ids-alerts", + "event.code": "ids-alerts", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "atDuisa mipsa.uas iat ids-alerts signature=hite priority=adipis timestamp=1570133500.abo dhost=01:00:5e:dd:cb:5b direction=inbound protocol=udp src=10.137.166.97 dst=10.162.202.14 message: ipsaqua", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 19204, + "network.direction": "inbound", + "network.protocol": "udp", + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.162.202.14", + "10.137.166.97" + ], + "rsa.internal.messageid": "ids-alerts", + "rsa.misc.event_type": "ids-alerts", + "rsa.misc.node": "iat", + "rsa.misc.policy_name": "ipsaqua", + "rsa.misc.sensor": "iat", + "rsa.time.event_time": "2019-10-03T20:11:40.000Z", + "service.type": "cisco", + "source.ip": [ + "10.137.166.97" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-18T03:14:14.000Z", + "destination.ip": [ + "10.227.135.142" + ], + "destination.port": 6598, + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "deom 1571368454.tiumdo rautod_appliance events content_filtering_block url='https://www5.example.com/illoinve/etcon.htm?nevolup=erspici#itinvolu' category0='adeserun' server='10.227.135.142:6598'", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 19401, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.227.135.142" + ], + "rsa.internal.event_desc": "content_filtering_block", + "rsa.internal.messageid": "events", + "rsa.misc.category": "adeserun", + "rsa.misc.node": "rautod", + "rsa.misc.sensor": "rautod", + "rsa.time.event_time": "2019-10-18T03:14:14.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://www5.example.com/illoinve/etcon.htm?nevolup=erspici#itinvolu" + }, + { + "@timestamp": "2019-11-01T10:16:48.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "orese 1572603408.umdolore umqui_appliance events MAC 01:00:5e:f1:b8:3a and MAC 01:00:5e:37:9c:af both claim IP: 10.199.29.19", + "fileset.name": "meraki", + "host.mac": "01:00:5e:37:9c:af", + "input.type": "log", + "log.offset": 19597, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.199.29.19" + ], + "rsa.internal.event_desc": " events MAC", + "rsa.internal.messageid": "events", + "rsa.misc.node": "umqui", + "rsa.misc.sensor": "umqui", + "rsa.network.eth_host": "01:00:5e:37:9c:af", + "rsa.time.event_time": "2019-11-01T10:16:48.000Z", + "service.type": "cisco", + "source.ip": [ + "10.199.29.19" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-15T17:19:22.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "explicab 1573838362.samvolu teiru_appliance events dhcp no offers for mac 01:00:5e:b8:06:92", + "fileset.name": "meraki", + "host.mac": "01:00:5e:b8:06:92", + "input.type": "log", + "log.offset": 19722, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.internal.event_desc": "events DHCP", + "rsa.internal.messageid": "events", + "rsa.misc.node": "teiru", + "rsa.misc.sensor": "teiru", + "rsa.network.eth_host": "01:00:5e:b8:06:92", + "rsa.time.event_time": "2019-11-15T17:19:22.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-30T00:21:57.000Z", + "destination.ip": [ + "10.75.122.111" + ], + "destination.mac": "01:00:5e:92:d8:95", + "event.action": "modoco", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "rissusci 1575073317.uaturQ iusmod_ events aid=mips arp_resp=iduntutl arp_src=mipsumd auth_neg_dur=eiusmo auth_neg_failed=quelauda channel=rcit dns_req_rtt=dolo dns_resp=ulamc dns_server=doe duration=10.574000 full_conn=remquela identity=toreve ip_resp=squirat ip_src=10.85.59.172 is_8021x=mto is_wpa=iae last_auth_ago=dent radio=Uten reason=tatiset rssi=sequat type=modoco vap=beataevi client_mac=01:00:5e:92:d8:95 client_ip=10.158.215.216 instigator=deritin http_resp=ptate dhcp_lease_completed=lloi dhcp_ip=nseq dhcp_server=equunt dhcp_server_mac=tutla dhcp_resp=usmod url=https://example.com/qui/itse.gif?orsitame=tasn#exeaco category0=upta server=10.75.122.111 vpn_type=reprehe connectivity=deFinib", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 19814, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "related.ip": [ + "10.75.122.111", + "10.85.59.172" + ], + "rsa.counters.dclass_r1": "sequat", + "rsa.internal.messageid": "events", + "rsa.misc.category": "upta", + "rsa.misc.event_source": "appliance", + "rsa.misc.event_type": "modoco", + "rsa.misc.node": "iusmod_", + "rsa.misc.sensor": "iusmod_", + "rsa.time.duration_time": 10.574, + "rsa.time.event_time": "2019-11-30T00:21:57.000Z", + "service.type": "cisco", + "source.ip": [ + "10.85.59.172" + ], + "tags": [ + "cisco.meraki", + "forwarded" + ], + "url.original": "https://example.com/qui/itse.gif?orsitame=tasn#exeaco" + }, + { + "@timestamp": "2019-12-14T07:24:31.000Z", + "event.code": "events", + "event.dataset": "cisco.meraki", + "event.module": "cisco", + "event.original": "orr 1576308271.pre aute events IDS: rchite", + "fileset.name": "meraki", + "input.type": "log", + "log.offset": 20517, + "observer.product": "Meraki", + "observer.type": "Wireless", + "observer.vendor": "Cisco", + "rsa.db.index": "rchite", + "rsa.internal.event_desc": "events IDS", + "rsa.internal.messageid": "events", + "rsa.misc.node": "aute", + "rsa.misc.sensor": "aute", + "rsa.time.event_time": "2019-12-14T07:24:31.000Z", + "service.type": "cisco", + "tags": [ + "cisco.meraki", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/nexus/config/input.yml b/x-pack/filebeat/module/cisco/nexus/config/input.yml index 5608926d955..747a6cf0085 100644 --- a/x-pack/filebeat/module/cisco/nexus/config/input.yml +++ b/x-pack/filebeat/module/cisco/nexus/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml index 33dda070fcb..b85ab503dda 100644 --- a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for Cisco Nexus processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original @@ -49,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + if: ctx.host?.name != null && ctx.host?.name != '' + allow_duplicates: false + - append: + field: related.hosts + value: '{{host.hostname}}' + if: ctx.host?.hostname != null && ctx.host?.hostname != '' + allow_duplicates: false on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 8f14c7df3c0..c828c45250a 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -1,6 +1,9 @@ --- description: "Pipeline for Cisco {< .internal_PREFIX >} logs" processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # # Parse the syslog header # @@ -193,10 +196,11 @@ processors: if: "ctx._temp_.cisco.message_id == '106007'" field: "message" pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}" - - dissect: + - grok: if: "ctx._temp_.cisco.message_id == '106010'" field: "message" - pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?" - dissect: if: "ctx._temp_.cisco.message_id == '106013'" field: "message" @@ -209,14 +213,16 @@ processors: if: "ctx._temp_.cisco.message_id == '106013'" field: "network.direction" value: inbound - - dissect: + - grok: if: "ctx._temp_.cisco.message_id == '106014'" field: "message" - pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address} %{}dst %{_temp_.cisco.destination_interface}:%{destination.address} %{}" - - dissect: + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}(%{GREEDYDATA})?" + - grok: if: "ctx._temp_.cisco.message_id == '106015'" field: "message" - pattern: "%{event.outcome} %{network.transport} (no connection) from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}" + patterns: + - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}" - dissect: if: "ctx._temp_.cisco.message_id == '106016'" field: "message" @@ -253,19 +259,70 @@ processors: - dissect: if: "ctx._temp_.cisco.message_id == '106100'" field: "message" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port}) -> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port}) %{}" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '106102' || ctx._temp_.cisco.message_id == '106103'" + field: "message" + pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '111004'" + field: "message" + pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}" + - set: + field: event.outcome + value: "success" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" + - set: + field: event.outcome + value: "failure" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'" + - remove: + field: _temp_.cisco.cli_outcome + ignore_missing: true + - append: + field: event.type + value: "change" + if: "ctx._temp_.cisco.message_id == '111004'" + - grok: + if: "ctx._temp_.cisco.message_id == '111009'" + field: "message" + patterns: + - "^%{NOTSPACE} '%{NOTSPACE:host.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" + - grok: + if: "ctx._temp_.cisco.message_id == '111010'" + field: "message" + patterns: + - "User '%{NOTSPACE:host.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" + - dissect: + if: "ctx._temp_.cisco.message_id == '113019'" + field: "message" + pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}" - dissect: - if: "ctx._temp_.cisco.message_id == '106102'" + if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' field: "message" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.address} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.address} %{destination.port} %{}" + pattern: "Built %{network.direction} %{network.transport} connection %{_temp_.cisco.connection_id} for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - dissect: - if: "ctx._temp_.cisco.message_id == '106103'" + if: "ctx._temp_.cisco.message_id == '303002'" field: "message" - pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{_temp_.cisco.username} %{_temp_.cisco.source_interface}/%{source.address} %{source.port} %{_temp_.cisco.destination_interface}/%{destination.address} %{destination.port} %{}" + pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" - dissect: + if: "ctx._temp_.cisco.message_id == '302012'" + field: "message" + pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}" + - grok: + if: "ctx._temp_.cisco.message_id == '302020'" + field: "message" + patterns: + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr %{IP:destination.address}/%{NUMBER} (%{DATA})?gaddr %{IP:_temp_.natsrcip}/%{NUMBER} laddr %{IP:source.address}/%{NUMBER}(%{GREEDYDATA})?" + - dissect: + if: "ctx._temp_.cisco.message_id == '302022'" + field: "message" + pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - grok: if: "ctx._temp_.cisco.message_id == '304001'" field: "message" - pattern: "%{source.address} %{}ccessed URL %{destination.address}:%{url.original}" + patterns: + - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" - set: if: "ctx._temp_.cisco.message_id == '304001'" field: "event.outcome" @@ -274,6 +331,10 @@ processors: if: "ctx._temp_.cisco.message_id == '304002'" field: "message" pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '305011'" + field: "message" + pattern: "Built %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - dissect: if: "ctx._temp_.cisco.message_id == '313001'" field: "message" @@ -436,10 +497,76 @@ processors: field: "server.port" value: "{{source.port}}" ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "message" + pattern: "User priv level changed: Uname: %{host.user.name} From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}" + - append: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "event.type" + value: + - "group" + - "change" + - append: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "event.category" + value: "iam" + - dissect: + if: "ctx._temp_.cisco.message_id == '507003'" + field: "message" + pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}" + - dissect: + if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"' + - dissect: + if: "ctx._temp_.cisco.message_id == '609001'" + field: "message" + pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '609002'" + field: "message" + pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}" + - dissect: + if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: 'User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{host.user.name}' + - dissect: + if: "ctx._temp_.cisco.message_id == '710003'" + field: "message" + pattern: "%{network.transport} access denied by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '710005'" + field: "message" + pattern: "%{network.transport} request discarded from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '713049'" + field: "message" + pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '716002'" + field: "message" + pattern: "Group %{} User %{source.user.name} IP %{source.address} WebVPN session terminated: User Requested." + - dissect: + if: "ctx._temp_.cisco.message_id == '722051'" + field: "message" + pattern: "Group %{} User %{source.user.name} IP %{source.address} IPv4 Address %{_temp_.cisco.assigned_ip} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '733100'" + field: "message" + pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}" - dissect: if: "ctx._temp_.cisco.message_id == '734001'" field: "message" pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}" + - dissect: + if: "ctx._temp_.cisco.message_id == '805001'" + field: "message" + pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + - dissect: + if: "ctx._temp_.cisco.message_id == '805002'" + field: "message" + pattern: "%{network.transport} Flow is no longer offloaded for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - split: field: "_temp_.cisco.dap_records" separator: ",\\s+" @@ -449,7 +576,7 @@ processors: # Handle 302xxx messages (Flow expiration a.k.a "Teardown") # - set: - if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' + if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' field: "event.action" value: "flow-expiration" - grok: @@ -1246,22 +1373,22 @@ processors: - set: field: source.nat.ip value: "{{_temp_.cisco.mapped_source_ip}}" - if: "(ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip || ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port)" + if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip" ignore_empty_value: true - set: field: source.nat.port value: "{{_temp_.cisco.mapped_source_port}}" - if: "(ctx?._temp_?.cisco.mapped_source_ip != ctx?.source?.ip || ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port)" + if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port" ignore_empty_value: true - set: field: destination.nat.ip value: "{{_temp_.cisco.mapped_destination_ip}}" - if: "(ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip || ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port)" + if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip" ignore_empty_value: true - set: field: destination.nat.port value: "{{_temp_.cisco.mapped_destination_port}}" - if: "(ctx?._temp_?.cisco?.mapped_destination_ip != ctx?.destination?.ip || ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port)" + if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port" ignore_empty_value: true # @@ -1378,6 +1505,32 @@ processors: ctx.event.type.add('denied'); } } + + # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname. + - set: + field: observer.hostname + value: "{{ host.hostname }}" + ignore_empty_value: true + - set: + field: observer.vendor + value: "Cisco" + ignore_empty_value: true + - set: + field: observer.type + value: "firewall" + ignore_empty_value: true + - set: + field: observer.product + value: "{< .internal_prefix >}" + ignore_empty_value: true + - set: + field: observer.egress.interface.name + value: "{{ cisco.{< .internal_prefix >}.source_interface }}" + ignore_empty_value: true + - set: + field: observer.ingress.interface.name + value: "{{ cisco.{< .internal_prefix >}.destination_interface }}" + ignore_empty_value: true - append: field: related.ip value: "{{source.ip}}" @@ -1394,6 +1547,26 @@ processors: field: related.hash value: "{{file.hash.sha256}}" if: "ctx?.file?.hash?.sha256 != null" + - append: + field: related.hosts + value: "{{host.hostname}}" + if: ctx.host?.hostname != null && ctx.host?.hostname != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{observer.hostname}}" + if: ctx.observer?.hostname != null && ctx.observer?.hostname != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{destination.domain}}" + if: ctx.destination?.domain != null && ctx.destination?.domain != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{source.domain}}" + if: ctx.source?.domain != null && ctx.source?.domain != '' + allow_duplicates: false on_failure: # Copy any fields under _temp_.cisco to its final destination. Those can help # with diagnosing the failure. diff --git a/x-pack/filebeat/module/citrix/README.md b/x-pack/filebeat/module/citrix/README.md index 1c8c3a2b2dc..f79bbf66178 100644 --- a/x-pack/filebeat/module/citrix/README.md +++ b/x-pack/filebeat/module/citrix/README.md @@ -1,7 +1,7 @@ # citrix module -This is a module for Citrix XenApp logs. +This is a module for Citrix NetScaler logs. -Autogenerated from RSA NetWitness log parser 2.0 XML citrixxa version 79 -at 2020-07-13 17:55:35.817587 +0000 UTC. +Autogenerated from RSA NetWitness log parser 2.0 XML citrixns version 134 +at 2020-09-01 14:17:45.397 +0000 UTC. diff --git a/x-pack/filebeat/module/citrix/_meta/config.yml b/x-pack/filebeat/module/citrix/_meta/config.yml index d894a18356d..65405894f02 100644 --- a/x-pack/filebeat/module/citrix/_meta/config.yml +++ b/x-pack/filebeat/module/citrix/_meta/config.yml @@ -1,11 +1,11 @@ - module: citrix - virtualapps: + netscaler: enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp # var.syslog_host: localhost - # var.syslog_port: 9507 + # var.syslog_port: 9526 # Set paths for the log files when file input is used. # var.paths: diff --git a/x-pack/filebeat/module/citrix/_meta/docs.asciidoc b/x-pack/filebeat/module/citrix/_meta/docs.asciidoc index fd7f80791a0..3487483b3a2 100644 --- a/x-pack/filebeat/module/citrix/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/citrix/_meta/docs.asciidoc @@ -7,22 +7,22 @@ experimental[] -This is a module for receiving Citrix XenApp logs over Syslog or a file. +This is a module for receiving Citrix NetScaler logs over Syslog or a file. include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] -:fileset_ex: virtualapps +:fileset_ex: netscaler include::../include/config-option-intro.asciidoc[] [float] -==== `virtualapps` fileset settings +==== `netscaler` fileset settings experimental[] -NOTE: This was converted from RSA NetWitness log parser XML "citrixxa" device revision 79. +NOTE: This was converted from RSA NetWitness log parser XML "citrixns" device revision 134. *`var.input`*:: @@ -36,7 +36,7 @@ Set to `0.0.0.0` to bind to all available interfaces. *`var.syslog_port`*:: -The port to listen for syslog traffic. Defaults to `9507` +The port to listen for syslog traffic. Defaults to `9526` NOTE: Ports below 1024 require Filebeat to run as root. @@ -51,7 +51,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/citrix/_meta/fields.yml b/x-pack/filebeat/module/citrix/_meta/fields.yml index 836b1bbca37..8b2c16a1216 100644 --- a/x-pack/filebeat/module/citrix/_meta/fields.yml +++ b/x-pack/filebeat/module/citrix/_meta/fields.yml @@ -1,5 +1,5 @@ - key: citrix - title: Citrix XenApp + title: Citrix NetScaler description: > citrix fields. fields: diff --git a/x-pack/filebeat/module/citrix/fields.go b/x-pack/filebeat/module/citrix/fields.go index d82bbef0ac6..922f14975d6 100644 --- a/x-pack/filebeat/module/citrix/fields.go +++ b/x-pack/filebeat/module/citrix/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCitrix returns asset data. // This is the base64 encoded gzipped contents of module/citrix. func AssetCitrix() string { - return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb99e+UnKRre2o2fZztbVVk2BmCaJFQYYAxhSzF9/hQZmOORgKIkCKPnd7YetWCQb3Q2g0b/7O3IF69eEcav59Z8IsdwKeE1O8N/kHyDf1PWfCCnBMM1ry5V8Tf76J0JI+AmZcRClmfyJhP96jR+6/31HJK3gNZFgV0pfTbi0oGeUwcT9vfsaIWoJeqW5hdfE6qb/iV3X8NphuFK67P29hBlthC1wyddkRoWBrY8H2Lb/e08rIGpG7AJaxEiHGFktQAN+ZjWdzTgjC2rIFEASNTWgl1BOBvRpQ+9AzFyrpr49KbtM3SyLWEsqtsgbX31s/dgSm0UqM9/6+/4VxjdssCsfF9y47xFuSGOgJFYRRmvbBP5ruiIVGEPn7t/UEqYqMI5o5T7fAU3IWzUnp8BUCTpOiIfFd5E6lJwWLixB2sKRlhhwQDgz9wPLDfKcKWlBWuPuB5fGUmlbNEwUR8urQxAsqd39YIgd9zi5JQi1ZLXgbEEoMWAMV5IsuDWEkvdgf+dWgjHt7k8GR6Mj1ixUI0oiYQmaTKE7dzXVBsg7sNShRslMq6q31NO3am5eXFB2BdY8G4A/5RqYFevnxAa8KfkAXlj4Ey57aE6ijBSwBHEAJ4WSu/dzi5OnUGtg1AZMSphxCSVRUiBalk4FkIrWcawqMy+SXZg9e/wu3PPz0x/Ikoom3HhegrR8xsPphGvKLBFq7vdLDzYCqeMOfDgt+D23HTXVlrNGUI2/Dxs7GT0ZA9AHnZTYyRhAHj8po1uyPO6evPz/e7J/T9yqeTbkftdXTf9VICG72/JosFvSQ4RedtQ0GNVoluntvT/bct3/+2FmLLVQgbSPETnalNwWTNCdO/xI0ANp9foxIrZwOtVjRIzLwxDLqzG1kuPxnrQS6CHSIy/bZgBlShtqRK+J2Zm9L7ZuAYfNQA8ZKAn3syJ29JAB9BusiHEu7rhWjsRF2fOqRNnn2TUgMxH7SISDd2YfO4Za3Uj+pYGNGq07+sOf1ttG7YmSzD0O1KrHbtmOiJslzysO+9w9ccvwGWe0f5/fqjk5W4K05BKFM2lkCdqZIBqCoBqQPuPXUBID1gHZ+vH2GmbcYGk3YQD73gZLtwkD0HfalKEnML1/6bCDOaDrDjy5Gw8WymTSV/vn8ldlbF9Eit0TaUCWXM7bD03s2PR8SF8Pf/khB2zwo1HGnl8sfyK0LLWTlWPXfZe5A+qt+lqZu3yVm72v/t9lr+NWftmwKxe8I63vLSsJJXO+BNk5yb5eRcCx6DD/RV4LpHyMyt/XEdEYdWioel1o+JJhr/vBQ9xgpHu6Ri6f+aXJBV6k58GbbSn5uK6BMDqUIFMgwO0CNPl0Lu0Pr4jS5BehqP3xJZlSg6eoDZDN+LzRqPrdQPch6u5XTDeGQfMZnwn8C+7Xc5XLzbbPOm5X/uodDEqvqC6zKXU9idYju8/J84vPW/oeJRoE3d1SQszaWKjCIxrQdtAW4E+q8cxz/1aaz7mkov3NtrZyAx9y6V97EiPOLz6/irAgoD/gxP1Z0GE05HKK12dzUIeK46GvzwJoCfoosetfcSlyfnqfKKnHtx8sRTCHxUoftZNNsCK7n422itb5RtHCi+JMlxMlBDCr9NcogB33HiDnxp05bgjzrIPSYbqlqL5Vu2oL2cPoR2jxVWz6WFTVShlMdquUJNP1YNMI0fClAWMdQMOrWqzDPrkvO0FPgLIFMbwE8vR7Yhe6IS9//vkZWVFDDIDsVtnDiUehvN6CE6ZW0kA+VrCv5lQw1Ujb+RSaauqFnrvKJgqBPKVTtYQeM7iMZla24s1YDbQavT/sqzk2D8wqKHmzq6elYNQ3Mc2xcyzwGeH2n83L73/4s/Ei/UWNArRF+p8Dav7p7MG3dA2avCRnktHaNMJHVpxJeSe5HoN+z+BHJLcytsqPL8m/O3Kfkx9/JP9OmNJOX0YqwqLPyX8X9n+6L3JDtpnyTXQLpSrh0dq6cgUFo0JMKbvKqwF75KSyeG2o9XaFYyLIslZcWjRNLMQTnPFwFKC1ypSfttEHTQ2MU4EYI6bGKu00a7n2Wof7YEkFL/3BiCFFyEw1snQvjABEnst5UI5uTF7cvhEDyCligeE67AkbjezCWihaPpZ3LqBDDP8DSAVWcxaxOoIp3P8y2sL+uW+FsHv2qd1otGrWbtuE/KpWbmuGNieXRGlnjFlFrgDqG5j2KF68r4RpWjEwpljysihzRV3PWskzBwmaWrzkpeNgzy5ccm0bKpzRvuV7lxEXB6+4M7sxVo7M8FSEq35+SrST1gYdKsg0qudgu6/dyAmjMyU9PTgnfCbcfk7oLKGgoeA/P219rx+gUhbIZTjvTAM+tNP1mKB0/2sDMV9B4CWsVJha8JyZDY/anDd8oPY/Ct3MydyM5x1vnXsDwllvT11rtYQn5L9GhNGLlxkXDxCjd6s64+ji5M1F0H0ZlY49vKqV3tV4CT6RX10aRPM43B+f/FOFhjia7jFX6rYp32x+sjHYvZ6DlvmEvPz5FVkh3yugklAh4r4CdOqjmrTxH5EVaPBgqSUCqLFEyZ1ykW0mPria+HUzMXJXc4RtA+9+V7pExmFWE7CFVELN17uBuBnXAy2WkJ8JW1BNmfVMdJd6jfij01ySRoacHrHlMx+tqE1d0O0D9TmDCHtil2hRVE7JVLINI2i6GpVpKFl31ErKUGP1MQoZfA6KsUa3EI2lsqS6JFLpigr+Ryy/V+kqyp8yZDkczCLVTAdP0p2YtMG6Q+aF4DNAiiMGvgGmZDmiYG+2uzA2p59lD0FcMlXVAmz0AIw6USkq8FbzHTHYqzfT9oEO8qVbO3qcx47y9skcPX6VknaRaJs29ampcl42WU7lAzH+TJY52O5A/qFk7m4Le8SiW71VMX167cddDg9EVLYb/YZYuLbh8pElaNMrpyj35YFF9ve+h20NNBWZmzI9pnQJZb53MCTZhGfKdCu2OkabadN9sR9fH75WWlUThNpgUb5hIKnmyqv1VSMs/85y0ITWtWirXza9bCoq6TxWmkuIwPBOay96pDyuhnD7xBC1kj4yZmlV73oGA8ZuNYfi8PZZQ9iCO+tGlWAm5F1jLJpJfaDuVlI7kpdLLRy4SXsF2Gzm8F7CMTQh3OR2Qc87DTPQIJk/ENSp1iVf8tJpNnge4oLsshVkH3eYFyfyuub6aBRu9tPHgq7dSeRWrD2xxgk9p685pPCA7veNJtz0URfOcyeNO3k2GSzZpZOpJrUEqgaK3H0hdvxPfVVQg/zSQHO0o+ROtz9FG/m4ooYgEuXIuUHkfkjN1IRKwRZDM8i0eWUzvL7zKgeudZEB1brIoT3XKUXRNtCXyaFm0JV6r8jDmJA75mP0jRk8l3d6cw4VmzfJtUOCBZsHYqcbQmpHEGUDJT6FYm0akTvsNGJFqcYyVcELj0NnvGBWtpoNTgiVgQVbBuTIAYElaG5zlo7sIaxdPRQB9iI7+1w+eYsXB70D/SvdVbo4aBh3qoHxGd8YPnHt1gdzxnqqBF05fzZTZAM6FyMvNwUTrYuqDEGWKN7BbD7WJnzettL7lqDS5LfLkBrLTZsQsOtXw/XbHRqrkjS1Mjyh4LjV2UJzWpa+wxSm8rd3d7QLTyNska910R1FkWwq0JzdVRZFaTtCFdsewvqVbN3N8GLJ3+8BaUuQpdIhYXYvZWr6rwfoXtOGdtX0X8DidrRDLH8t+IDdToLuR8xL+py96r4ZXshQ9R/ETPByLWiXWyyVJZQsQseLeAKtUPOiTVR5EKHeHsQ7C/Vj9EzZkn1/w3Qr7FqN4iOu+CvB2Tr37dkjFy4QgdBcW4r1iFxuRM686TgDPzQCELG4OFXSwnVujbVD6Fx6f92mHyotS+P+Dx9VKlqEYg1gbnic2YLKORQSVrllwVjgEla9UD8qIdZqPm0s9CTEMEffeNSdtt5//uKiw9Q0mbDrOCd4traV+5iGhuBufpFHpq+/RYxbrABzDGsbDppNzpdegp6QS/Cb0hjQEzoHbOUdMt1nSrc4DGC3YLzezvD3xP++17dCaTLVauU+a/8adE1vdo32kz4vL6i2qd10HeDUHpVwp9SgOvRYd0qJslMbc10pVUMIKOZ6i99IQgVo22UX6c2i4W8+vBXER68JACYhRRTmkkglv9NQA1oy+7If0Gw45pPDGq3dhensFdxJ1ONecB9ha8M/A8pW3C6CsuxlPTnFBadYbSKJkt/NlfvvPS8BKilFRHHMSDftBQNfIAIOSTUjTjpYDmZCLjcyZXewQb+yKg/GJ76crzHOiPEloz7ZpgziNzCeEiYaY9sDGf4x2Cb8CTduJ0NNdPBvOMUXPx1XgY6u/fgbFrfofVumfErZk5sML4flKWJBqDGKcfSXut2I2pO4YW/5FbwmlNSLteGMClJyc/Wc1BpnojwnYNmTuKJMNT2k9vKOD72vs9G0AgvakJoa7OJlsJGD70XAVFU5Kaa2gvbD0hqwbK+659+Dh9L4enuY4WHy4pupqm6GdzDDtlGy4rJUq5BPy5RkUNvnXSbFKDMGZM4aIdbkS0OFd36WqqJcBqkhewsJNfJ09b2eqdSlPaQ7lfAtl1dQhlqgNhGdGvROBQPFffJNh9qEl/s2Tgy6QmQVdf3JTt4tsYtAi95vlw+F12918LySy2G7ni7oDLriu4OdcrtYw5qIrT//+zXtHxNr2jMu8t/xjuRfcLXuGmsoGwakjRxB3N1mQHMqishrmu0RucQlW7V5933sPYDuhRn1CwC7Mge1HEjhMQ6ru4duQc2iu6FOLYxUGTZs4TN/2xqbrszwpIW00yLMEdItMzGauV91/x5WmhInzyXhmHPXSCaAavcnbIS3QS0UEAZvp24LO2+OPnjh1wz7PD3qF4upaspl1ze7/2CFslF9h9dryXVjju3p62sjiMC4x+84AdLIlTjxq/uejOOeUm/BZXeNd+zzXubzU/LeS5qnoXED8dP2QtGvw+1ZXK/2DuiH8OX33M/np8jSUPLWiYmh92A7IufTAD0JE3+InCxYcRM3UpdmnbOX/XZUNxRoe3Vhrx9beuP7iKfGsf6kW5icn96oyabyz92gyTrEXspyo9FOyImvzwz9ToX/YL82iwjq7W/88E1wx00b21VuKts9Ro0UYDxnlH9QVoosqeZ0KgZVgL4pA5ekFnREEBiQJmt/lK0N7auqfuWJk1ROw2jrC7nb58sX5xe7OjQJLWO9R2GsLvvAgYK3roXcRFo8kuRcWnLJ55KisBg5orXSOZvXPhnIL3dIL1rdTWFXR/xPh0jvLuMpK1Xk4Lz/7SPhkommBCfOwiBb9/MJeXp2TatawGty4R0iHixK70ncL4KRuaPHNtE5tXla4phxc+VU7gPwukMpXs+N+T48DR+4udoTcrWaz+eg842wi7Pscz8WEHBA7XShwSyUKN3p8bb6yKTRrdD7ETwLw9h7kMpPP3gd41nXjOP8NF5GcuvoPFNVXRw57wp3JeRe4RhX798zzfQ7h46SWJ86w3EzqmzYmJUW1NIHyhrrY95JS6Wx84CT6y1+I1PiqC5XVD9Mht6wq76TrjQ8RI6IkdbIT50QpeQdZW0/5bhy60TQUe0YJb9rFVS9Xwp5WzP5UGsN1CTPDTaW2iaV4tz5oygXD2Z2uMWn6prw8sX4++Ve1uYYGDqMPg0aH/u74LCIX932Hcs8fW9wyE+Hc/cOec64VE2qGGevjsTMk98pJ0lTOh0GHtmfEgPO3Zlx60i8EcLJPWIaxsCYWSPImVufMFWCcUeibfYbtyy4LOE6MQMEN/YwzfOesgUXRlNMt0hMQWN8s6KaC8zgiXjwfPxdzglFJn7nfhulTGY4h2rqmws9kEYcVidPu3zOGrSpQ9GtlzADlgUVYZMQ33Z4ejZSZOjdXMP3OHdCiVe+uiSv4Kvy33YfUi4NKcFSLiJOhqlqbO93I6QpcfTczNZjS7s8NsRj/CG1UNUiWzbPG1LCjIYQUOh82cbwQ7am04qXoAVdYyGXVeFxJU8jN9J9gFZ3+DXM2ipw76s3ltsGGzOSKGEb22DYsOm+1zVpFKvn32E0NaYZZBVTVeXuU55jdOKhE95L9q21WvLS+8/aLnIVmNFEqFKxwwONd/eW/cLFRmtk/by8uGpwXWPS08PI+nb1vLL+X2p6oN/pYPL+t5qGAEz8dtU8X+PcU0wo9jt/eXFOzgcKVR+NbF1rQ3XJfgwSFnZ11bDzpIb0XfxhIbc6rtx7EVFMVZm74mtQcberdARciMNlRD1apO+W4EMGR6g877mAQ+mwT6Dt4iF8zssulDPixKtSW42DMvAEL386Ja+ju25yPlPtdO+LT757ThuIwmSNa2BN34vgU7+mECtvbbsw7UvcOIIjJOoVL7cdIl11JV1SLugwkEE6VzjB+soZaD0yacHfoUN8/enibsFYqUIDKB+AHZAU0g0Mn09GJCKvimlTluvk/hleFUnrgHpwGwOHNTrf66VKD1FzlbDLwU6JXWGaYxQkcNPPXvU9V2lTcttV1m36ogWMYoPtNhUbXpRswgv7ifRZYqk5uDyaVX7y+Yw8DbUSnxvhdOUpF1jAgXlgZ9e1Mu6bz8h3Q0eD3I3CXEm1kluGkAHWYDOL5Tb0kUmbjB7BBbebFnrSVrm/D6VJb2FO2Zp8GjXXBJ9q+hBF+WHhLRZzSSrK5UzTCvamY9RU49Te/H0StpTLC1yWvFelT47etAXsZZ1FkCI3aF+YKuAYkctC2u4b9x5W5NdGoin5TpUgyFMul5NvnxOu2HMydf8H7v+opGJtuJl8G48vWlYXM0EHk/NT61DbGv7JBcFF0deFcnLdDr9Ss72NGqzKiqn/6zTg2bZBMKDdQY4itKzSyt0dzD6/+51qIB99AvC3335+9/ubD2fffutzbpdUUz56JldKX6UsWb7xgv3eLtiPsI06wahMrUSEmp20XUq654Ay91ysM5gwM6VBGs5SCpCeKykDxlV6L0gkPpAKaLGifDic+N7eAex9nhqouz6pS9RNM810Key0NFanrnzHeu1sDrH+W5rsHW1rPvI5SQ8tdtkMBhuoNKHYZFP3EupdHIgZH3U0taRmc8QeSmq0G1GEzN3ynrhQPrif4N0dFw75oP9/GK66UZn95L8HOWJlz0cfENmL5IMcjjaOuw8/pY6QtLW1sz279KntMtrbLDvsk/kM3W6Dk3tzZLptWc2PEQ/Doq8Z5cLxum3mchFkxvlpv7YNO3E5c9DCPNLCYDyrsM25LpyKeAA9hyReY7p1qD46UVXVyF1P1AA7eVjjpvti9x6u7d8grlN3uJnDNOv74nZJZfkfKh412+BmqeWHSIZ7YzdceAs505iaM66SZYkey4JH7FdUy2HQ4bGjbmRVFyqXML58/+6C/Ob9qJuk1DgiX46aSnD5n2/Jlwb0SO/WRshCw26nzrzJDT2H6Jp8aIvOomldnZbOEj6kfaAq9RgBB7Q+yHF0E1QbCY7dG26ZfkADFVRXGXbLgc3gXqB1wgLkDmhTJptKuwUzbberLdAltbta4X3hTkGyRUV1qrKSDu66poPxxfeOPlE2SKdKArNYJD8LDGZpC6g6wLM5tlrKAFZN/5UBak2TT8LwHaeSHy8Muhc89YMTOrdV4FTP5EjLgjIcjJK+/MTBNjKh8d4DPJ3Xy5/ktV0kf9+ZLJjVRWmS9l3vQXeQD4s83QLwUtDkEkMWIOdcJiyKHILOkRsti1lhVtyy5PJDFjOhVoZW6XNX+rClXeaDniHqwmTBZU5xwmUNupqukyW8D2DX7CoP8CUVOc4Kr4taK6uK9CEphL78qUCPY3rYItvdFGpelDmY7QCnz39jsqjodWFtKrfBNmB3ogVkeBQqLjMhzWU+pGthCjEVReqw6Bbs7zMCT94ZvAc7dS/EPuzUVb192D9nhP0qI+x/ywj7f2SE/ec8sK2qBZ1CDpHSQU9vnsmiagQq39N1hneyBV5fZdBLqkbweVXn0b6dlknFPHUSUoDMcyglBr6w9L4RWRifkJhhB41meaxJBziPNWnWpqkzzCJlsiurzmKqWmWd6QHXGUSIVdYZZrlgo1mTBXgj+bWkUhlgGQ7h8pXjSqZHYflK1XYBtMzgVlNVXTCRwYftAGcIkiBcPV3b9G5RB9lkgVw3RYaYBtPcckZFhgIiU9A5SLZOmHXVhy2pWP8B5TQH3ssC24BmgezbweTB2ifWZoE+ndfLV3l80KaYcvvnLI3GmCnSzorbAaxVclFtslxzhApMp69yM97Hn2zWVg8w2IX386d3jnjgqPZlAe67yafrINeDPeMCctgwppjl2EQ+S1mcvQ04h25gCl5jkmKRRdTxevlTaWw9aOafCLbRLAtswWeQw4wx6GiuoOTJCka3YXOZ55RUqmwEGKZycDsA5/MMsknVZkVt0pn/PeixDPIkgDXMubGapveEbGBn0Pg01LlYrbPx2mAncp1JvvrMfH/EM0C3GmiVQZH0pUC50M6nXK8WipvCT5hND31NNc1ywMuRQtgUkJd+vn1quNxYKpPPOS6NnTY61bDAFir4WUE5oDbJcU2vR7c1yanB4uSGWfph14d2GtgHc07LMvUd4GXqsGrbOijDW8SrgmmlqixdiRzgDGYar4o8yZGh41EONtdXydsz1SZ9y1Jem1rzxEAFtdw2ybPPBJeQrsXOBqpJOlGng4vFt+ndWkL5rqfFTKjkz3kHPEPKv7N5k0sdBzSDxHE2dAZUk+cmCDXPcnTlPMsFrpVOLcCqaTPPcc0qblgOsVCZLAc2xxwICRabKyWHm1yG+wbQqTP+PNTU6XhytUptgWSpKFN+AHRyS1Sl14yU5vMiMo/r3nBXEnT6N6su/FDe5GCTTqbegPUjXrMcsgyFm2EmTmphEMCmlgZ14R1JydGlxrgPC7ZIVec/AA3XNU8eCKhBV3NNpR303E0BeZUFcPqn13ci+/RpZwpoAsBazQtq6oQDA/qgNU0NVQMVOfQ7DQz54LuOZgKenskOctoWrj3ISpcZME7vyDQZfMPG+4Yz5AMYSJ0I4AceZzBODHxJfwBiDVqTQc1gShk+zyB4TZ3ay2Y0y3EPNCuTK9JGs1hX3ASAbboRW32YjUneVXPJZOpCiei02PsC9U06U5Nv5zb9sfJA00f0upmeqeGu6+TdWptymiUPvdEiw1vYGNBFyVNXvWcZW9FGhnKwwTJjaZXaG7wsuDSWzjJoBkuubQ41fFnLDK2brNKNTOlmjbVFi3QUfdNYRT40kgyW7rJHMg7L+0wFL8mJhpJbckJ1GboZGmz/HkfHT87KyKWxCaEIBofoE+xvwJQgsVKdLh+Cy3ycO6tqodYwGCx4I/9mqknW1PuWZ8zx0PuMcN6Zhjlck4ruNlrYxGLlvNkdBpIdScENDmdoVw9bjw2UiGnqWmlLho1HCVktqCXcklrDbOwo3CMt9y5DKGKMD1ZHhwLhMnR2H+kLLbjMPZG/h6pbrY+nIVbNwS5ATzbfNwvVDF40QiQsQXfjiKwiNdUGyDuwFCeC+7tKOxY8favm5sWFL3t9Rk7DiK/nxC4iU4qwGfAHCKOPEW1J3oP9nVsJJr7Pw0OdhXkzHNnd3SJc3BNrgGq2mHDJo/jhzN0j9NfeEZ84CwOTIV4I2kic9TtvcI5r28Q93sB9p1/7Hpryt+PuaOqacIf5xSPGvtuIImFN0+06r+Ky5CNcW7wVY+6CY0yjHhFIm8F173FCtRQjEy+xe27GceDYP9eAJRq+NGDsnqbdh2cr371XvlcZcCyPX9VL7F2PVJd3uu1O2YeTxwhjY1t/xw7t5nWU8pSz/2+eb+gWOz9thQKuHT8baDWkS+K94xF2j8uUGiA+XbvDhgxuVbdL4RcPg6/sRsF3mCvt29dH2UgINcQA4Lgzun9elabSUHaE8b6DDtN+aYlq7+bQsEbjBLR9SNegK+7VjWMhvVnSD+bgSy5gDkTAEgShxvC59Bu3mdcfP/rYkvkB5Teuv+ekTx9k0rPDrJH8SwO7YxJp/PL18D2sY+JhU1BajYaX/kIyJSVgbgVZcbsYExSERCpDOo1dw0HlRXc2LRw7UZ50T5RQc86oIA6DEdMHsXhY7HCpkTGND8e7erE2cfR66WwrtZPVmvqBp4JTUyxUdpvAG3GduYazVDZDjZxU7I/gifcDIP7SOGzxTQuDWJgAqidvhFHOEN+6b6cYLCe/hl9MyBu57v41gG7RljfSElpOmKrqxoKOi+EsbnxHWD7z7JvdvcAZi1sbwu0/m5ff//BnZ/ue9raj5dg3UbTDOS3SRsxu67iha9Dk3zqfnHkR0EDk4rc+df1P/jMvNzhvnfq9+3Fg8vJNsu3J7sAUt86EvP/t45mjHTR45wn6S0tumIaaSrZ2WmVQz8RuLghBDj0nH9+9JufS/vjyOTl/f3r2j9fk07m0r34iT1eLNZHA7QI0YQtlwqg0pTUwi9/64dX/+m/PnkQ5AnaRUcbt8gNl6qSi8XE8JvPpu+M1v/Rn8bxFKn7Fy8eFdF823YD5gQ3jbv3Ax/DdUUw31slnrm1DBXn75n0U2T+UhHy+rMNOxv9REiZx3jp0vxoRioTcLDxxCx7jG7xnH+bUwoo+wIh0PN0X5E1ZavTT+lMeQ6d7ellVHxrnvG8s5Pzk3YV/lUbDYxU1R4x+bDmVvKYa3m5yfuFQGfF+OR4eOAkiCQ/d2uM8bDWxwk/XOq6A6KFLy5K7L1OxCdj2ZvnH37kjHgBnEuIFV+GGn24fgQEqm1zrLHrdbZ80St4HDC+Utp1IHgjdEgNsuAHcrm+WvObIvPf0cDlvH5OWrHdjjJcQsxuP5cUN2KHlS41RjDuV0/uNBjoOcXJZUzmHSWc6MSVnfN5oKMl0jTBBlpg1FJcz9YGtBwZFoyPacnTRWYZ+ByKh7t8v4UruANBQKQtFyOxOn2eUnrWlNAUtfCp+BtC11XmAzzIciVmGamGR4zrk6n9SZ2AqLYvWE5dPLd+14B0dk93V+s6EB9Bgz+wCtARLPq5reE4+tc/YW3SA/UguWgfY4CX4bUxTa0f1HEGZGDGNW6SDX/w5oUJElYl680VMcKMaE/OWoN0byKVVxFh8zLkkn85HBQrDBNls8iq5yHZAVZ1h7JsDrMGkzuh1YDOUuPgXMXUqOvrbM2DrRysUAuQ8+aRIxNkpHxm10BEN1Ks8VPQCMJIwTCeYEUp+UXpFdTmc003Imzkme2lC3Y2/xly6KdgVgIyrnom7Jt41xq0sFf1QnUeGYMt4zIwYUMhlyHPFtISKWyeWwoiNOIlLQeUx4vi3cFC2CSI9F+WAwG2X5SaSsnQW7BwN2O2XJ3WkEhh2IVim6wd3u4g91ZazRlBNsF80aZF4enb9+q2aq9ksPv0dWGEXkH17t5D96Bb0t7GH95nD26H7prELkDYki4+ibZqUnRNul9DjlxxH/ZMBPYqwaixTx+V0WHIc4cuGMTBmBGfsPH5Yc7TDEk8QL+JU3LnSaxIpTBjgdgzhtIUj7ODopBIG+EytpHtXnNyKKYfdD8lAUdqmapmuH93Iu0mJ71qKNQOCQ9nRE/wwO/owl8Rw20TkJ8HiAggiOkBdUENoqWr3utgFcE3USm62zDPO0mslVTWSV4szOQz3LeqPq0Q45Z7L0skfpU3HAEp+4QLIm4DYZMCG2zh7ZUeYv5OjCeMd/Q+SrjDKgsuQtZCWCzEaI4xIWe9+D0b4fL3LUK+RmhPjCaFTlbN6IEL8FBZ0yVWD2iVTVa1VxUcyFOHYyJ1JOhVYRDYjJ/tx43LZiZ2MSO5iuKV1kigCWxgmHS5zAIKR9Tv8cu9u75Xd3LfRY7cps2yk3S1nS63Rl1gGXrBDzPpbaUH4Hs9BguasJQkZgol+u6kF3C7wqY3NdiMB2Qn7YWKsHg9+tjQd0nbrwWh6uZ+moF74tTLSFTVNOyPc8gqMk+te29NQw2gQKexCsqYQN24ENh685zboWx6tQ3p3P9jR+vF2NP1QmGRDTm9NWnAY30ThgDakeCMQbiEMvl7qXt5InT7q3vmLloQ2ffPOJeulehwBcoMc7wTI13scf7x5y1KNNjjOlt1OPuqjSpCUd+wW8uOoxzElbYPD2Cn1WIK246dOXrnT2EVRgV2oB4iS0C1PMvFohK+Nbjj2UtIqq9dpT1TngxLBX+sQ2XMuM3lC/jH5+fvvydO3p28unpFTbiyX84abBZRYCh/FRai5yt4XaF8kDLNlZx6PsM34xZGMMa0yexX31X+6XY1h0N0Y9MgnG/p8l+vCMO2/q/vtOf4Qp1jMlMpYm/RNphgVqbrT7RDygZa8MX4FojQxvOKCai+enNh0d4jhux4vr8J7bnh5zE4j/Uz5T+4gtF7Enb6Ym0uer87ijdx31zGsESoNe/7f4CTCTwZnIThuoFeWUcZdmUrnTAwYhGyQ1UrPqeR/7MmqlvmOwm2ZfQCn+2dqhN0zrqO1pJm6/vzilsPXwrf48r2LtrKafwUq7IJRDaTWUKqKSxotuOuJpwtqOUhrbkyPF/SY1L6lD0qsb/0IdaaD667OEye4aqotNkPakLpfrB6x2VEQNreRqDMoQVMLZZEsqWzP+XDC55d2xS54dqHVkpdd87DwPVrXImiqg4MRmv+4Z21bp40rOBsieXkkKrslQ68/ux4hMzo8FDMnl9xHzxe7ivtIC7hO6Uw5FPyumidco87U+1GvEnoeIdTrqKixUkOMVdpLfAetAktxtSf4rYn71pM49RUvSwHHk3LvcL3byrnI9vbk3kFyrh2PcRxyL8JqvQ5Dct1GZ5+TWlC3Ze59VpqAZHpdj3n5MRXyCPbkLTLodGdb/qqMJe8oW3A5YtKVNJPk+GaX158kZvrXGpz4cPqRb3JmJuRtSWvyGf/h9aNSSV93+s/h40kWdAlOcxJANfnSgF4T7EFoaiUNtBpVvDjV0Vvgb44jL0MPPOYga952gZSefN+XbxzPlqQjoLo5QB9Cc9TbYopTnvI6zHbPeNtaequJkbMNw8PLDdGNlFE71jzvXh4fefZtpEZq7ALEIliY+TeCkhWXpVoZYmpgfMaZ++R5rE4w5MkOL4gjz+O7ybkhT7EjLEi2eYYwdPmsxy3SSHzH38KcsjX5ZLYb33YR2Gq3kDZ5dq1b4QgG+8hr3ze1EBWsVcND5l7EAce7PgCR6v+tSlMs5xmyb5vs/Ar1WHder15HKEYKowct/OYAYo+T1ztGasjwDa73VtadIenjXUCH1BzHYdcFDLb3ZpOQ6bdhsEPxhhQ3Fz9j2UDKkYCjFW5IcgkzLoOvHoUTdvWraD3SdBCxO6hQLBNuGwfMjvqXWjB2PtvctIdeSiO9KTsftrWULaojt8DfrIoMJwPrqL8dWYa8TLlMN0Es6d1wJGNRYd7HMyKk+mU7uC2+jfamvD8ytXOAdd637wasa6rbM+X+/HxDymrBB63Uibsdzpb1ye+3Is8mn1ni21oovc634X8xNZV/vbFjTIvIdhf1Vj2PPU2OLX95gdBvoO3BVKIBVW2/9f1UjZ6CAqTVqj5EdJSqmQ6cC7c642FNZ23DDeUIiKOv7jjuPTxRVU3luruPeO1wnL63V5ag3TNUcDlTcaWAmqvcNUI3yI8dK7LFbAV5u6LPvuTKEfilEWJN/rOhgs84lOQU6569czCKygqmBVPqij9Q0P13mBK//sZ+pmJMm0/ebXYTDq8biyr3gSNMb77rH7olwpSd4I72PvkJ+biuPekbz4Fjjt/B8c3TMCuSNpPdQdvh4B0R+omJta3dReYYrrpOudzGznsWa6Vbbz+GmD+8HdnyXq+cxMep5UWddw7RHla4lW/03LdoaqUyaSLbSLl13H6Qmtq4a5LJgpqU0f4eYB3K6RNDbrRIuM09qAl3pTNGi0an8ob0YBrQBZ2nsyk3oJM/T9ugk6Y/boMOpz6DYIFrCxJVq/TGiYOf7DR3it5Cw06qTGqNyi9xjFrCLZn7EZdF9epF+O+TgMKL8B8hrynm9qcCdDw7L5DzgNFzT0w/eI4e196otQE5ZRiI5kwqLmeg9UjcdUj3UejqK/43sj7qnj0Ckm1f4llvGyJXCsPaKuuViixxtON35uP27th9xAxi3f/T32GYoDU+8JPXC9DH8Uc4nT1kPD09wdGPz8gJrh9HDbQ9UrOUET6fgA7DP2ErC3NPc17IGjruMbK34W7RJ6bXKXrvTvM/DvVK3r01Sny3ySX/I+6t4VeZZMr538+IhLmy3G9gvaBmZAKUYcduK9TbSr/4+HBBt9XZJkANElx2zljbOL2tv4knpBg+P0ZFxXZ/o27q4cfRQctOmnBjmuRKJ0LGZKl83rr7xVAQQ9A6qw90sCl96XnmFieXGJzeJ52OkiHRdQYPUeSnl5jauf8x6knPw5C8u/Tcg+O4CDVGFMucL/puSDU4sqPIlIU7erRJ3qbR5ALMryBY1JmaG3yzGVfSf5BQtv5EDMbrlCbnl2/+/u6CXLh3ivwmR6avbLDNVEl9CLYfVyqOLYohtgB2ZQ5yIt9OCOftQRYbOtf16+xahGEaaBhBuJGCe7Rc0HzQFPIBlFyPR9cVZNRoQJwttc3RJnz2sVxSwUt/ECNI7ArCo3W13icIkWNXsDa7YjvRyW8TSBPDXlhbm4LjDNosoHErczCE0Udwm/hctpUvSnO7vuFGMVVVWfvE3RJvj0dwCMVL8Fdcg9i1NFO7WFaCysKYhxp461b2Mvz3QG1boxXF1pcaF7Xix0irjiHsMSCIASIVtwaQrWxBpRw0zsjdbiqsioiMxGyP1La5e1jCzMPf3755H969FzvLdw+KVXrX95+8Zxs3V8VSiSYXA960c5xlmHPTTcZux/k2kltDnnokzDPs1oGFve1E3R3wBJGOUiOaTNLsbcD1k+Q2pAtMtosOlqAxU2DWCMKUZFBbZyhf+j0caa+wWuWUvp7xzmBvR2g7RGulLVGOv7/+x5tYCm6U7anPndLz4ydY7hYYbLlYp9Q3O4k2ivnb2W8X5xfkHb2uuCy7sd7xbXW0HT0Nc2uI4ghZgYwBdfvI6tSneMli8vRsX+VYzI5XsPnQRfgtydnVji1nWZDK56ehS2/AYi+G4nib8sC9AlqKq//ydcNdYY4sh5pk6tuN/hJnQj9QdmMYV41WfBfUrXxx73NimkiKOjXkL8ZqJed/nQrKrgQ3Fsq/vAh/e959yuUMWPyjGdewoiKqyNCp6P2GUFkSo8jIsdQw58bqtbPsjyksamoXoVl/hwPZxWGAJDqljoWmL4T29VpM6V4X8k6f7DAHafX6T/83AAD//3X+uUc=" + return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb9+78pOUjW5tR8+ynVdXWzUFYpokIgwwBjCkmL/+Cg3McMjBUBIFUPK72w9bsUg2uhtAo3/3d+QK1q8J41bz678QYrkV8Jqc4L/Je7CXjArQfyGkBMM0ry1X8jX5t78QQsKvyIyDKM3kLyT812v80P3vOyJpBa+JBLtS+mrCpQU9owwm7u/d1whRS9ArzS28JlY3/U/suobXDsmV0mXv7yXMaCNsgUu+JjMqDGx9PMC2/d97WgFRM2IX0CJGOsTIagEa8DOr6WzGGVlQQ6YAkqipAb2EcjKgTxt6B2LmWjX17UnZZepmWcRaUrFF3vjqY+vHltgsUpn51t/3rzC+YYNd+bjgxn2PcEMaAyWxijBa2ybwX9MVqcAYOnf/ppYwVYFxRCv3+Q5oQt6qOTkFpko8rhFCPCy+i9Sh5LRwYQnSFo60xIADwpm5H1hukOdMSQvSGnc/uDSWStuiYaI4Wl4dgmBJ7e4HQ+y4x8ktQaglqwVnC0KJAWO4kmTBrSHUyajfuZVgTLv7k8HR6Ig1C9WIkkhYgiZT6M5dTbUB8g4sdahRMtOq6i319K2amxcXlF2BNc8G4E+5BmbF+jmxAW9KPoAXFv6Eyx6akygjBSxBHMBJoeTu/dzi5CnUGhi1AZMSZlxCSZQUiJalUwGkonUcq8rMi2QXZs8evwv3/Pz0B7Kkogk3npcgLZ/xcDrhmjJLhJr7/dKDjUDquAMfTgt+z21HTbXlrBFU4+/Dxk5GT8YA9EEnJXYyBpDHT8roliyPuycv//+e7N8Tt2qeDbnf9VXTPwokZHdbHg12S3qI0MuOmgajGs0yvb33Z1uu+38/zIylFiqQ9jEiR5uS24IJunOHHwl6IK1eP0bEFk6neoyIcXkYYnk1plZyPN6TVgI9RHrkZdsMoExpQ43oNTE7s/fF1i3gsBnoIQMl4X5WxI4eMoB+gxUxzsUd18qRuCh7XpUo+zy7BmQmYh+JcPDO7GPHUKsbyb80sFGjdUd/+NN626g9UZK5x4Fa9dgt2xFxs+R5xWGfuyduGT7jjPbv81s1J2dLkJZconAmjSxBOxNEQxBUA9Jn/BpKYsA6IFs/3l7DjBss7SYMYN/bYOk2YQD6Tpsy9ASm9y8ddjAHdN2BJ3fjwUKZTPpq/1z+qozti0ixeyINyJLLefuhiR2bng/p6+EvP+SADX40ytjzi+VPhJaldrJy7LrvMndAvVVfK3OXr3Kz99X/u+x13MovG3blgnek9b1lJaFkzpcgOyfZ16sIOBYd5r/Ia4GUj1H5+zoiGqMODVWvCw1fMux1P3iIG4x0T9fI5TO/NLnAi/Q8eLMtJR/XNRBGhxJkCgS4XYAmn86l/eEVUZr8IhS1P74kU2rwFLUBshmfNxpVvxvoPkTd/YrpxjBoPuMzgX/B/XqucrnZ9lnH7cpfvYNB6RXVZTalrifRemT3OXl+8XlL36NEg6C7W0qIWRsLVXhEA9oO2gL8STWeee7fSvM5l1S0v9nWVm7gQy79a09ixPnF51cRFgT0B5y4Pws6jIZcTvH6bA7qUHE89PVZAC1BHyV2/SsuRc5P7xMl9fj2g6UI5rBY6aN2sglWZPez0VbROt8oWnhRnOlyooQAZpX+GgWw494D5Ny4M8cNYZ51UDpMtxTVt2pXbSF7GP0ILb6KTR+Lqlopg8lulZJkuh5sGiEavjRgrANoeFWLddgn92Un6AlQtiCGl0Cefk/sQjfk5c8/PyMraogBkN0qezjxKJTXW3DC1EoayMcK9tWcCqYaaTufQlNNvdBzV9lEIZCndKqW0GMGl9HMyla8GauBVqP3h301x+aBWQUlb3b1tBSM+iamOXaOBT4j3P6zefn9D381XqS/qFGAtkj/c0DNP509+JauQZOX5EwyWptG+MiKMynvJNdj0O8Z/IjkVsZW+fEl+VdH7nPy44/kXwlT2unLSEVY9Dn578L+T/dFbsg2U76JbqFUJTxaW1euoGBUiCllV3k1YI+cVBavDbXernBMBFnWikuLpomFeIIzHo4CtFaZ8tM2+qCpgXEqEGPE1FilnWYt117rcB8sqeClPxgxpAiZqUaW7oURgMhzOQ/K0Y3Ji9s3YgA5RSwwXIc9YaORXVgLRcvH8s4FdIjhfwKpwGrOIlZHMIX7X0Zb2D/3rRB2zz61G41Wzdptm5Bf1cptzdDm5JIo7Ywxq8gVQH0D0x7Fi/eVME0rBsYUS14WZa6o61kreeYgQVOLl7x0HOzZhUuubUOFM9q3fO8y4uLgFXdmN8bKkRmeinDVz0+JdtLaoEMFmUb1HGz3tRs5YXSmpKcH54TPhNvPCZ0lFDQU/Oenre/1A1TKArkM551pwId2uh4TlO5/bSDmKwi8hJUKUwueM7PhUZvzhg/U/kehmzmZm/G8461zb0A46+2pa62W8IT814gwevEy4+IBYvRuVWccXZy8uQi6L6PSsYdXtdK7Gi/BJ/KrS4NoHof745N/qtAQR9M95krdNuWbzU82BrvXc9Ayn5CXP78iK+R7BVQSKkTcV4BOfVSTNv4jsgINHiy1RAA1lii5Uy6yzcQHVxO/biZG7mqOsG3g3e9Kl8g4zGoCtpBKqPl6NxA343qgxRLyM2ELqimznonuUq8Rf3SaS9LIkNMjtnzmoxW1qQu6faA+ZxBhT+wSLYrKKZlKtmEETVejMg0l645aSRlqrD5GIYPPQTHW6BaisVSWVJdEKl1Rwf+M5fcqXUX5U4Ysh4NZpJrp4Em6E5M2WHfIvBB8BkhxxMA3wJQsRxTszXYXxub0s+whiEumqlqAjR6AUScqRQXear4jBnv1Zto+0EG+dGtHj/PYUd4+maPHr1LSLhJt06Y+NVXOyybLqXwgxp/JMgfbHcg/lczdbWGPWHSrtyqmT6/9uMvhgYjKdqPfEAvXNlw+sgRteuUU5b48sMj+3vewrYGmInNTpseULqHM9w6GJJvwTJluxVbHaDNtui/24+vD10qraoJQGyzKNwwk1Vx5tb5qhOXfWQ6a0LoWbfXLppdNRSWdx0pzCREY3mntRY+Ux9UQbp8YolbSR8Ysrepdz2DA2K3mUBzePmsIW3Bn3agSzIS8a4xFM6kP1N1KakfycqmFAzdprwCbzRzeSziGJoSb3C7oeadhBhok8weCOtW65EteOs0Gz0NckF22guzjDvPiRF7XXB+Nws1++ljQtTuJ3Iq1J9Y4oef0NYcUHtD9vtGEmz7qwnnupHEnzyaDJbt0MtWklkDVQJG7L8SO/6mvCmqQXxpojnaU3On2p2gjH1fUEESiHDk3iNwPqZmaUCnYYmgGmTavbIbXd17lwLUuMqBaFzm05zqlKNoG+jI51Ay6Uu8VeRgTcsd8jL4xg+fyTm/OoWLzJrl2SLBg80DsdENI7QiibKDEp1CsTSNyh51GrCjVWKYqeOFx6IwXzMpWs8EJoTKwYMuAHDkgsATNbc7SkT2EtauHIsBeZGefyydv8eKgd6B/pbtKFwcN4041MD7jG8Mnrt36YM5YT5WgK+fPZopsQOdi5OWmYKJ1UZUhyBLFO5jNx9qEz9tWet8SVJr8dhlSY7lpEwJ2/Wq4frtDY1WSplaGJxQctzpbaE7L0neYwlT+9u6OduFphC3ytS66oyiSTQWas7vKoihtR6hi20NYv5KtuxleLPn7PSBtCbJUOiTM7qVMTf94gO41bWhXTf8AFrejHWL5a8EH7HYSdD9iXtLn7FX3zfBChqr/IGaCl2tBu9xiqSyhZBE6XsQTaIWaF22iyoMI9fYg3lmoH6Nnypbs+zumW2HXahQfccVfCc7WuW/PHrlwgQiE5tpSrEfkciNy5k3HGfihEYCIxcWpkhauc2usHULn0vvrNv1QaVka93/4qFLRIhRrAHPD48wWVM6hkLDKLQvGApew6oX6UQmxVvNpY6EnIYY5+saj7rT1/vMXFx2mpsmEXcc5wbO1rdzHNDQEd/OLPDJ9/S1i3GIFmGNY23DQbHK+9BL0hFyC35TGgJ7QOWAr75DpPlO6xWEAuwXj9XaGvyf+972+FUqTqVYr91n716BrerNrtJ/0eXlBtU3tpusAp/aohDulBtWhx7pTSpSd2pjrSqkaQkAx11v8RhIqQNsuu0hvFg1/8+GtID56TQAwCSmiMJdEKvmdhhrQktmX/YBmwzGfHNZo7S5MZ6/gTqIe94L7CFsb/hlQtuJ2EZRlL+vJKS44xWoTSZT8bq7cf+95CVBJKSKKY0a6aS8Y+AIRcEiqGXHSwXIwE3K5kSm7gw36lVV5MD7x5XyNcUaMLxn1yTZlEL+B8ZQw0RjbHsjwj8E24U+4cTsZaqKDf8MpvvjpuAp0dO3H37C4Re/bMuVTyp7cZHg5LE8RC0KNUYyjv9TtRtSexA17y6/gNaGkXqwNZ1SQkpur56TWOBPlOQHLnsQVZarpIbWXd3zofZ2NphVY0IbU1GAXL4ONHHwvAqaqykkxtRW0H5bWgGV71T3/HjyUxtfbwwwPkxffTFV1M7yDGbaNkhWXpVqFfFqmJIPaPu8yKUaZMSBz1gixJl8aKrzzs1QV5TJIDdlbSKiRp6vv9UylLu0h3amEb7m8gjLUArWJ6NSgdyoYKO6TbzrUJrzct3Fi0BUiq6jrT3byboldBFr0frt8KLx+q4PnlVwO2/V0QWfQFd8d7JTbxRrWRGz9+d+vaf+YWNOecZH/jnck/4KrdddYQ9kwIG3kCOLuNgOaU1FEXtNsj8glLtmqzbvvY+8BdC/MqF8A2JU5qOVACo9xWN09dAtqFt0NdWphpMqwYQuf+dvW2HRlhictpJ0WYY6QbpmJ0cz9qvv3sNKUOHkuCcecu0YyAVS7P2EjvA1qoYAweDt1W9h5c/TBC79m2OfpUb9YTFVTLru+2f0HK5SN6ju8XkuuG3NsT19fG0EExj1+xwmQRq7EiV/d92Qc95R6Cy67a7xjn/cyn5+S917SPA2NG4iftheKfh1uz+J6tXdAP4Qvv+d+Pj9FloaSt05MDL0H2xE5nwboSZj4Q+RkwYqbuJG6NOucvey3o7qhQNurC3v92NIb30c8NY71J93C5Pz0Rk02lX/uBk3WIfZSlhuNdkJOfH1m6Hcq/Af7tVlEUG9/44dvgjtu2tiuclPZ7jFqpADjOaP8g7JSZEk1p1MxqAL0TRm4JLWgI4LAgDRZ+6NsbWhfVfUrT5ykchpGW1/I3T5fvji/2NWhSWgZ6z0KY3XZBw4UvHUt5CbS4pEk59KSSz6XFIXFyBGtlc7ZvPbJQH65Q3rR6m4KuzrifzpEencZT1mpIgfn/W8fCZdMNCU4cRYG2bqfT8jTs2ta1QJekwvvEPFgUXpP4n4RjMwdPbaJzqnN0xLHjJsrp3IfgNcdSvF6bsz34Wn4wM3VnpCr1Xw+B51vhF2cZZ/7sYCAA2qnCw1moUTpTo+31UcmjW6F3o/gWRjG3oNUfvrB6xjPumYc56fxMpJbR+eZquriyHlXuCsh9wrHuHr/nmmm3zl0lMT61BmOm1Flw8astKCWPlDWWB/zTloqjZ0HnFxv8RuZEkd1uaL6YTL0hl31nXSl4SFyRIy0Rn7qhCgl7yhr+ynHlVsngo5qxyj5Xaug6v1SyNuayYdaa6AmeW6wsdQ2qRTnzh9FuXgws8MtPlXXhJcvxt8v97I2x8DQYfRp0PjY3wWHRfzqtu9Y5ul7g0N+Opy7d8hzxqVqUsU4e3UkZp78TjlJmtLpMPDI/pQYcO7OjFtH4o0QTu4R0zAGxswaQc7c+oSpEow7Em2z37hlwWUJ14kZILixh2me95QtuDCaYrpFYgoa45sV1VxgBk/Eg+fj73JOKDLxO/fbKGUywzlUU99c6IE04rA6edrlc9agTR2Kbr2EGbAsqAibhPi2w9OzkSJD7+Yavse5E0q88tUleQVflf+2+5ByaUgJlnIRcTJMVWN7vxshTYmj52a2Hlva5bEhHuMPqYWqFtmyed6QEmY0hIBC58s2hh+yNZ1WvAQt6BoLuawKjyt5GrmR7gO0usOvYdZWgXtfvbHcNtiYkUQJ29gGw4ZN972uSaNYPf8Oo6kxzSCrmKoqd5/yHKMTD53wXrJvrdWSl95/1naRq8CMJkKVih0eaLy7t+wXLjZaI+vn5cVVg+sak54eRta3q+eV9X+o6YF+p4PJ+99qGgIw8dtV83yNc08xodjv/OXFOTkfKFR9NLJ1rQ3VJfsxSFjY1VXDzpMa0nfxh4Xc6rhy70VEMVVl7oqvQcXdrtIRcCEOlxH1aJG+W4IPGRyh8rznAg6lwz6BtouH8Dkvu1DOiBOvSm01DsrAE7z86ZS8ju66yflMtdO9Lz757jltIAqTNa6BNX0vgk/9mkKsvLXtwrQvceMIjpCoV7zcdoh01ZV0Sbmgw0AG6VzhBOsrZ6D1yKQFf4cO8fWni7sFY6UKDaB8AHZAUkg3MHw+GZGIvCqmTVmuk/tneFUkrQPqwW0MHNbofK+XKj1EzVXCLgc7JXaFaY5RkMBNP3vV91ylTcltV1m36YsWMIoNtttUbHhRsgkv7CfSZ4ml5uDyaFb5yecz8jTUSnxuhNOVp1xgAQfmgZ1d18q4bz4j3w0dDXI3CnMl1UpuGUIGWIPNLJbb0EcmbTJ6BBfcblroSVvl/j6UJr2FOWVr8mnUXBN8qulDFOWHhbdYzCWpKJczTSvYm45RU41Te/P3SdhSLi9wWfJelT45etMWsJd1FkGK3KB9YaqAY0QuC2m7b9x7WJFfG4mm5DtVgiBPuVxOvn1OuGLPydT9H7j/o5KKteFm8m08vmhZXcwEHUzOT61DbWv4JxcEF0VfF8rJdTv8Ss32NmqwKium/q/TgGfbBsGAdgc5itCySit3dzD7/O53qoF89AnA3377+d3vbz6cffutz7ldUk356JlcKX2VsmT5xgv2e7tgP8I26gSjMrUSEWp20nYp6Z4Dytxzsc5gwsyUBmk4SylAeq6kDBhX6b0gkfhAKqDFivLhcOJ7ewew93lqoO76pC5RN80006Ww09JYnbryHeu1sznE+m9psne0rfnI5yQ9tNhlMxhsoNKEYpNN3Uuod3EgZnzU0dSSms0Reyip0W5EETJ3y3viQvngfoJ3d1w45IP+/2G46kZl9pP/HuSIlT0ffUBkL5IPcjjaOO4+/JQ6QtLW1s727NKntstob7PssE/mM3S7DU7uzZHptmU1P0Y8DIu+ZpQLx+u2mctFkBnnp/3aNuzE5cxBC/NIC4PxrMI257pwKuIB9BySeI3p1qH66ERVVSN3PVED7ORhjZvui917uLZ/h7hO3eFmDtOs74vbJZXlv6t41GyDm6WWHyIZ7o3dcOEt5Exjas64SpYleiwLHrFfUS2HQYfHjrqRVV2oXML48v27C/Kb96NuklLjiHw5airB5X+8JV8a0CO9WxshCw27nTrzJjf0HKJr8qEtOoumdXVaOkv4kPaBqtRjBBzQ+iDH0U1QbSQ4dm+4ZfoBDVRQXWXYLQc2g3uB1gkLkDugTZlsKu0WzLTdrrZAl9TuaoX3hTsFyRYV1anKSjq465oOxhffO/pE2SCdKgnMYpH8LDCYpS2g6gDP5thqKQNYNf0jA9SaJp+E4TtOJT9eGHQveOoHJ3Ruq8CpnsmRlgVlOBglffmJg21kQuO9B3g6r5c/yWu7SP6+M1kwq4vSJO273oPuIB8WeboF4KWgySWGLEDOuUxYFDkEnSM3Whazwqy4ZcnlhyxmQq0MrdLnrvRhS7vMBz1D1IXJgsuc4oTLGnQ1XSdLeB/ArtlVHuBLKnKcFV4XtVZWFelDUgh9+VOBHsf0sEW2uynUvChzMNsBTp//xmRR0evC2lRug23A7kQLyPAoVFxmQprLfEjXwhRiKorUYdEt2N9nBJ68M3gPdupeiH3Yqat6+7B/zgj7VUbY/5IR9v/ICPuveWBbVQs6hRwipYOe3jyTRdUIVL6n6wzvZAu8vsqgl1SN4POqzqN9Oy2TinnqJKQAmedQSgx8Yel9I7IwPiExww4azfJYkw5wHmvSrE1TZ5hFymRXVp3FVLXKOtMDrjOIEKusM8xywUazJgvwRvJrSaUywDIcwuUrx5VMj8LylartAmiZwa2mqrpgIoMP2wHOECRBuHq6tundog6yyQK5booMMQ2mueWMigwFRKagc5BsnTDrqg9bUrH+E8ppDryXBbYBzQLZt4PJg7VPrM0CfTqvl6/y+KBNMeX2r1kajTFTpJ0VtwNYq+Si2mS55ggVmE5f5Wa8jz/ZrK0eYLAL7+dP7xzxwFHtywLcd5NP10GuB3vGBeSwYUwxy7GJfJayOHsbcA7dwBS8xiTFIouo4/Xyp9LYetDMPxFso1kW2ILPIIcZY9DRXEHJkxWMbsPmMs8pqVTZCDBM5eB2AM7nGWSTqs2K2qQz/3vQYxnkSQBrmHNjNU3vCdnAzqDxaahzsVpn47XBTuQ6k3z1mfn+iGeAbjXQKoMi6UuBcqGdT7leLRQ3hZ8wmx76mmqa5YCXI4WwKSAv/Xz71HC5sVQmn3NcGjttdKphgS1U8LOCckBtkuOaXo9ua5JTg8XJDbP0w64P7TSwD+aclmXqO8DL1GHVtnVQhreIVwXTSlVZuhI5wBnMNF4VeZIjQ8ejHGyur5K3Z6pN+palvDa15omBCmq5bZJnnwkuIV2LnQ1Uk3SiTgcXi2/Tu7WE8l1Pi5lQyZ/zDniGlH9n8yaXOg5oBonjbOgMqCbPTRBqnuXoynmWC1wrnVqAVdNmnuOaVdywHGKhMlkObI45EBIsNldKDje5DPcNoFNn/HmoqdPx5GqV2gLJUlGm/ADo5JaoSq8ZKc3nRWQe173hriTo9G9WXfihvMnBJp1MvQHrR7xmOWQZCjfDTJzUwiCATS0N6sI7kpKjS41xHxZskarOfwAarmuePBBQg67mmko76LmbAvIqC+D0T6/vRPbp084U0ASAtZoX1NQJBwb0QWuaGqoGKnLodxoY8sF3Hc0EPD2THeS0LVx7kJUuM2Cc3pFpMviGjfcNZ8gHMJA6EcAPPM5gnBj4kv4AxBq0JoOawZQyfJ5B8Jo6tZfNaJbjHmhWJlekjWaxrrgJANt0I7b6MBuTvKvmksnUhRLRabH3BeqbdKYm385t+mPlgaaP6HUzPVPDXdfJu7U25TRLHnqjRYa3sDGgi5KnrnrPMraijQzlYINlxtIqtTd4WXBpLJ1l0AyWXNscaviylhlaN1mlG5nSzRprixbpKPqmsYp8aCQZLN1lj2QclveZCl6SEw0lt+SE6jJ0MzTY/j2Ojp+clZFLYxNCEQwO0SfY34ApQWKlOl0+BJf5OHdW1UKtYTBY8Eb+zVSTrKn3Lc+Y46H3GeG8Mw1zuCYV3W20sInFynmzOwwkO5KCGxzO0K4eth4bKBHT1LXSlgwbjxKyWlBLuCW1htnYUbhHWu5dhlDEGB+sjg4FwmXo7D7SF1pwmXsifw9Vt1ofT0OsmoNdgJ5svm8Wqhm8aIRIWILuxhFZRWqqDZB3YClOBPd3lXYsePpWzc2LC1/2+oychhFfz4ldRKYUYTPgDxBGHyPakrwH+zu3Ekx8n4eHOgvzZjiyu7tFuLgn1gDVbDHhkkfxw5m7R+ivvSM+cRYGJkO8ELSROOt33uAc17aJe7yB+06/9j005W/H3dHUNeEO84tHjH23EUXCmqbbdV7FZclHuLZ4K8bcBceYRj0ikDaD697jhGopRiZeYvfcjOPAsX+uAUs0fGnA2D1Nuw/PVr57r3yvMuBYHr+ql9i7Hqku73TbnbIPJ48Rxsa2/o4d2s3rKOUpZ//fPN/QLXZ+2goFXDt+NtBqSJfEe8cj7B6XKTVAfLp2hw0Z3Kpul8IvHgZf2Y2C7zBX2revj7KREGqIAcBxZ3T/vCpNpaHsCON9Bx2m/dIS1d7NoWGNxglo+5CuQVfcqxvHQnqzpB/MwZdcwByIgCUIQo3hc+k3bjOvP370sSXzA8pvXH/PSZ8+yKRnh1kj+ZcGdsck0vjl6+F7WMfEw6agtBoNL/2FZEpKwNwKsuJ2MSYoCIlUhnQau4aDyovubFo4dqI86Z4ooeacUUEcBiOmD2LxsNjhUiNjGh+Od/VibeLo9dLZVmonqzX1A08Fp6ZYqOw2gTfiOnMNZ6lshho5qdgfwRPvB0D8pXHY4psWBrEwAVRP3gijnCG+dd9OMVhOfg2/mJA3ct39awDdoi1vpCW0nDBV1Y0FHRfDWdz4jrB85tk3u3uBMxa3NoTbfzYvv//hr872Pe1tR8uxb6Joh3NapI2Y3dZxQ9egyb90PjnzIqCByMVvfer6n/xnXm5w3jr1e/fjwOTlm2Tbk92BKW6dCXn/28czRzto8M4T9JeW3DANNZVs7bTKoJ6J3VwQghx6Tj6+e03Opf3x5XNy/v707D9fk0/n0r76iTxdLdZEArcL0IQtlAmj0pTWwCx+64dX/+u/PXsS5QjYRUYZt8sPlKmTisbH8ZjMp++O1/zSn8XzFqn4FS8fF9J92XQD5gc2jLv1Ax/Dd0cx3Vgnn7m2DRXk7Zv3UWT/VBLy+bIOOxn/R0mYxHnr0P1qRCgScrPwxC14jG/wnn2YUwsr+gAj0vF0X5A3ZanRT+tPeQyd7ullVX1onPO+sZDzk3cX/lUaDY9V1Bwx+rHlVPKaani7yfmFQ2XE++V4eOAkiCQ8dGuP87DVxAo/Xeu4AqKHLi1L7r5MxSZg25vlH3/njngAnEmIF1yFG366fQQGqGxyrbPodbd90ih5HzC8UNp2InkgdEsMsOEGcLu+WfKaI/Pe08PlvH1MWrLejTFeQsxuPJYXN2CHli81RjHuVE7vNxroOMTJZU3lHCad6cSUnPF5o6Ek0zXCBFli1lBcztQHth4YFI2OaMvRRWcZ+h2IhLp/v4QruQNAQ6UsFCGzO32eUXrWltIUtPCp+BlA11bnAT7LcCRmGaqFRY7rkKv/SZ2BqbQsWk9cPrV814J3dEx2V+s7Ex5Agz2zC9ASLPm4ruE5+dQ+Y2/RAfYjuWgdYIOX4LcxTa0d1XMEZWLENG6RDn7x54QKEVUm6s0XMcGNakzMW4J2byCXVhFj8THnknw6HxUoDBNks8mr5CLbAVV1hrFvDrAGkzqj14HNUOLiX8TUqejob8+ArR+tUAiQ8+STIhFnp3xk1EJHNFCv8lDRC8BIwjCdYEYo+UXpFdXlcE43IW/mmOylCXU3/hpz6aZgVwAyrnom7pp41xi3slT0Q3UeGYIt4zEzYkAhlyHPFdMSKm6dWAojNuIkLgWVx4jj38JB2SaI9FyUAwK3XZabSMrSWbBzNGC3X57UkUpg2IVgma4f3O0i9lRbzhpBNcF+0aRF4unZ9eu3aq5ms/j0d2CFXUD27d1C9qNb0N/GHt5nDm+H7pvGLkDakCw+irZpUnZOuF1Cj19yHPVPBvQowqqxTB2X02HJcYQvG8bAmBGcsfP4Yc3RDks8QbyIU3HnSq9JpDBhgNsxhNMWjrCDo5NKGOAztZLuXXFyK6Ycdj8kA0Vpm6plun50I+8mJb5rKdYMCA5lR0/ww+zow1wSw20TkZ8EiwsgiOgAdUENoaWq3etiF8A1USu52TLPOEuvlVTVSF4tzuQw3LeoP64S4ZR7Lksnf5Q2HQMo+YULIG8CYpMBG27j7JUdYf5OjiaMd/Q/SLrCKAsuQ9ZCWi7EaIwwImW9+z0Y4fP1LkO9RmpOjCeETlXO6oEI8VNY0CVXDWqXTFW1VhUfyVCEYyN3JulUYBHZjJzsx43LZSd2MiK5i+GW1kmiCGxhmHS4zAEIRtbv8Mu9u71XdnPfRo/dpsyykXa3nC21Rl9iGXjBDjHrb6UF4Xs8Bwmas5YkZAgm+u2mFnC7wKc2NtuNBGQn7IeJsXo8+NnSdEjbrQej6eV+moJ64dfKSFfUNO2McMsrME6ue21PQw2jQaSwC8maQty4Edh48J7boG95tA7p3f1gR+vH29H0Q2GSDTm9NWnBYXwThQPakOKNQLiFMPh6qXt5I3X6qHvnL1oS2vTNO5esl+pxBMgNcrwTIF/vcfzx5i1LNdrgOFt2O/mojypBUt6xW8iPox7HlLQNDmOn1GMJ2o6fOnnlTmMXRQV2oR4gSkK3PMnEoxG+Nrrh2EtJq6xepz1RnQ9KBH+tQ2TPuczkCfnPyc/ff0+evj19c/GMnHJjuZw33CygxFL4KC5CzVX2vkD7ImGYLTvzeIRtxi+OZIxpldmruK/+0+1qDIPuxqBHPtnQ57tcF4Zp/13db8/xhzjFYqZUxtqkbzLFqEjVnW6HkA+05I3xKxClieEVF1R78eTEprtDDN/1eHkV3nPDy2N2Gulnyn9yB6H1Iu70xdxc8nx1Fm/kvruOYY1Qadjz/wYnEX4yOAvBcQO9sowy7spUOmdiwCBkg6xWek4l/3NPVrXMdxRuy+wDON0/UyPsnnEdrSXN1PXnF7ccvha+xZfvXbSV1fwrUGEXjGogtYZSVVzSaMFdTzxdUMtBWnNjerygx6T2LX1QYn3rR6gzHVx3dZ44wVVTbbEZ0obU/WL1iM2OgrC5jUSdQQmaWiiLZElle86HEz6/tCt2wbMLrZa87JqHhe/RuhZBUx0cjND8xz1r2zptXMHZEMnLI1HZLRl6/dn1CJnR4aGYObnkPnq+2FXcR1rAdUpnyqHgd9U84Rp1pt6PepXQ8wihXkdFjZUaYqzSXuI7aBVYiqs9wW9N3LeexKmveFkKOJ6Ue4fr3VbORba3J/cOknPteIzjkHsRVut1GJLrNjr7nNSCui1z77PSBCTT63rMy4+pkEewJ2+RQac72/JXZSx5R9mCyxGTrqSZJMc3u7z+JDHTv9bgxIfTj3yTMzMhb0tak8/4D68flUr6utN/Dh9PsqBLcJqTAKrJlwb0mmAPQlMraaDVqOLFqY7eAn9zHHkZeuAxB1nztguk9OT7vnzjeLYkHQHVzQH6EJqj3hZTnPKU12G2e8bb1tJbTYycbRgeXm6IbqSM2rHmeffy+MizbyM1UmMXIBbBwsy/EZSsuCzVyhBTA+Mzztwnz2N1giFPdnhBHHke303ODXmKHWFBss0zhKHLZz1ukUbiO/4W5pStySez3fi2i8BWu4W0ybNr3QpHMNhHXvu+qYWoYK0aHjL3Ig443vUBiFT/b1WaYjnPkH3bZOdXqMe683r1OkIxUhg9aOE3BxB7nLzeMVJDhm9wvbey7gxJH+8COqTmOA67LmCwvTebhEy/DYMdijekuLn4GcsGUo4EHK1wQ5JLmHEZfPUonLCrX0XrkaaDiN1BhWKZcNs4YHbUv9SCsfPZ5qY99FIa6U3Z+bCtpWxRHbkF/mZVZDgZWEf97cgy5GXKZboJYknvhiMZiwrzPp4RIdUv28Ft8W20N+X9kamdA6zzvn03YF1T3Z4p9+fnG1JWCz5opU7c7XC2rE9+vxV5NvnMEt/WQul1vg3/m6mp/LcbO8a0iGx3UW/V89jT5NjytxcI/QbaHkwlGlDV9lvfT9XoKShAWq3qQ0RHqZrpwLlwqzMe1nTWNtxQjoA4+uqO497DE1XVVK67+4jXDsfpe3tlCdo9QwWXMxVXCqi5yl0jdIP82LEiW8xWkLcr+uxLrhyBXxoh1uQ/Gir4jENJTrHu2TsHo6isYFowpa74AwXdf4cp8etv7GcqxrT55N1mN+HwurGoch84wvTmu/6hWyJM2QnuaO+Tn5CP69qTvvEcOOb4HRzfPA2zImkz2R20HQ7eEaGfmFjb2l1kjuGq65TLbey8Z7FWuvX2Y4j5w9uRLe/1ykl8nFpe1HnnEO1hhVv5Rs99i6ZWKpMmso2UW8ftB6mpjbsmmSyoSRnt7wHWoZw+MeRGi4Tb3IOacFc6Y7RodCpvSA+mAV3QeTqbcgM6+fO0DTpp+uM26HDqMwgWuLYgUbVKb5w4+MlOc6foLTTspMqk1qj8EseoJdySuR9xWVSvXoT/PgkovAj/EfKaYm5/KkDHs/MCOQ8YPffE9IPn6HHtjVobkFOGgWjOpOJyBlqPxF2HdB+Frr7ifyPro+7ZIyDZ9iWe9bYhcqUwrK2yXqnIEkc7fmc+bu+O3UfMINb9P/0Dhgla4wM/eb0AfRx/hNPZQ8bT0xMc/fiMnOD6cdRA2yM1Sxnh8wnoMPwTtrIw9zTnhayh4x4jexvuFn1iep2i9+40//NQr+TdW6PEd5tc8j/j3hp+lUmmnP/jjEiYK8v9BtYLakYmQBl27LZCva30i48PF3RbnW0C1CDBZeeMtY3T2/qbeEKK4fNjVFRs9zfqph5+HB207KQJN6ZJrnQiZEyWyuetu18MBTEErbP6QAeb0peeZ25xconB6X3S6SgZEl1n8BBFfnqJqZ37H6Oe9DwMybtLzz04jotQY0SxzPmi74ZUgyM7ikxZuKNHm+RtGk0uwPwKgkWdqbnBN5txJf0HCWXrT8RgvE5pcn755h/vLsiFe6fIb3Jk+soG20yV1Idg+3Gl4tiiGGILYFfmICfy7YRw3h5ksaFzXb/OrkUYpoGGEYQbKbhHywXNB00hH0DJ9Xh0XUFGjQbE2VLbHG3CZx/LJRW89AcxgsSuIDxaV+t9ghA5dgVrsyu2E538NoE0MeyFtbUpOM6gzQIatzIHQxh9BLeJz2Vb+aI0t+sbbhRTVZW1T9wt8fZ4BIdQvAR/xTWIXUsztYtlJagsjHmogbduZS/Dfw/UtjVaUWx9qXFRK36MtOoYwh4DghggUnFrANnKFlTKQeOM3O2mwqqIyEjM9khtm7uHJcw8/P3tm/fh3Xuxs3z3oFild33/yXu2cXNVLJVocjHgTTvHWYY5N91k7HacbyO5NeSpR8I8w24dWNjbTtTdAU8Q6Sg1oskkzd4GXD9JbkO6wGS76GAJGjMFZo0gTEkGtXWG8qXfw5H2CqtVTunrGe8M9naEtkO0VtoS5fj767+/iaXgRtme+twpPT9+guVugcGWi3VKfbOTaKOYv5/9dnF+Qd7R64rLshvrHd9WR9vR0zC3hiiOkBXIGFC3j6xOfYqXLCZPz/ZVjsXseAWbD12E35KcXe3YcpYFqXx+Grr0Biz2YiiOtykP3Cugpbj6L1833BXmyHKoSaa+3egvcSb0A2U3hnHVaMV3Qd3KF/c+J6aJpKhTQ/5mrFZy/m9TQdmV4MZC+bcX4W/Pu0+5nAGLfzTjGlZURBUZOhW93xAqS2IUGTmWGubcWL12lv0xhUVN7SI06+9wILs4DJBEp9Sx0PSF0L5eiynd60Le6ZMd5iCtXv/l/wYAAP//TiG6fA==" } diff --git a/x-pack/filebeat/module/kaspersky/av/_meta/fields.yml b/x-pack/filebeat/module/citrix/netscaler/_meta/fields.yml similarity index 100% rename from x-pack/filebeat/module/kaspersky/av/_meta/fields.yml rename to x-pack/filebeat/module/citrix/netscaler/_meta/fields.yml diff --git a/x-pack/filebeat/module/citrix/virtualapps/config/input.yml b/x-pack/filebeat/module/citrix/netscaler/config/input.yml similarity index 75% rename from x-pack/filebeat/module/citrix/virtualapps/config/input.yml rename to x-pack/filebeat/module/citrix/netscaler/config/input.yml index a70d6b3c181..42bba0c0995 100644 --- a/x-pack/filebeat/module/citrix/virtualapps/config/input.yml +++ b/x-pack/filebeat/module/citrix/netscaler/config/input.yml @@ -21,8 +21,8 @@ fields_under_root: true fields: observer: vendor: "Citrix" - product: "Virtual" - type: "Virtualization" + product: "Netscaler" + type: "Firewall" processors: - script: @@ -34,12 +34,12 @@ processors: keep_raw: {{.keep_raw_fields}} debug: {{.debug}} files: - - ${path.home}/module/citrix/virtualapps/config/liblogparser.js - - ${path.home}/module/citrix/virtualapps/config/pipeline.js + - ${path.home}/module/citrix/netscaler/config/liblogparser.js + - ${path.home}/module/citrix/netscaler/config/pipeline.js {{ if .community_id }} - community_id: ~ {{ end }} - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js b/x-pack/filebeat/module/citrix/netscaler/config/liblogparser.js similarity index 95% rename from x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js rename to x-pack/filebeat/module/citrix/netscaler/config/liblogparser.js index c8cf5e2ee06..6cdb48abb26 100644 --- a/x-pack/filebeat/module/rapid7/nexpose/config/liblogparser.js +++ b/x-pack/filebeat/module/citrix/netscaler/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -1975,6 +2049,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2417,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/citrix/netscaler/config/pipeline.js b/x-pack/filebeat/module/citrix/netscaler/config/pipeline.js new file mode 100644 index 00000000000..0da0631e21e --- /dev/null +++ b/x-pack/filebeat/module/citrix/netscaler/config/pipeline.js @@ -0,0 +1,3978 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. +var tvm = { + pair_separator: " ", + kv_separator: "=", + open_quote: "\"", + close_quote: "\"", +}; + +function DeviceProcessor() { + var builder = new processor.Chain(); + builder.Add(save_flags); + builder.Add(strip_syslog_priority); + builder.Add(chain1); + builder.Add(populate_fields); + builder.Add(restore_flags); + var chain = builder.Build(); + return { + process: chain.Run, + } +} + +var map_getEventLegacyCategoryName = { + keyvaluepairs: { + "1204010000": constant("Content.Web Traffic.Successful"), + "1204020000": constant("Content.Web Traffic.Denied"), + }, + "default": constant("Other.Default"), +}; + +var map_getEventLegacyCategory = { + keyvaluepairs: { + "blocked": constant("1204020000"), + "not blocked": constant("1204010000"), + }, + "default": constant("1901000000"), +}; + +var dup1 = call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], +}); + +var dup2 = setc("eventcategory","1605020000"); + +var dup3 = setc("severity","Informational"); + +var dup4 = date_time({ + dest: "event_time", + args: ["hdatetime"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dc(":"),dH,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup5 = setc("eventcategory","1401030000"); + +var dup6 = setc("ec_activity","Logon"); + +var dup7 = setc("ec_theme","Authentication"); + +var dup8 = setc("ec_outcome","Failure"); + +var dup9 = setc("eventcategory","1605000000"); + +var dup10 = setc("severity","Notice"); + +var dup11 = setc("eventcategory","1603000000"); + +var dup12 = setc("eventcategory","1201000000"); + +var dup13 = setc("event_description","AppFw Buffer Overflow violation in URL"); + +var dup14 = // "Pattern{Field(saddr,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#6:APPFW_APPFW_COOKIE/0", "nwparser.payload", "%{saddr->} %{p0}"); + +var dup15 = // "Pattern{Field(url,true), Constant(' <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#7:APPFW_APPFW_DENYURL/2", "nwparser.p0", "%{url->} \u003c\u003c%{disposition}>"); + +var dup16 = // "Pattern{Field(url,true), Constant(' '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/2", "nwparser.p0", "%{url->} %{info->} \u003c\u003c%{disposition}>"); + +var dup17 = setc("event_description","AppFw SQL Injection violation"); + +var dup18 = setc("event_description","AppFw Request error. Generated 400 Response"); + +var dup19 = setc("severity","Warning"); + +var dup20 = // "Pattern{Constant('"'), Field(p0,false)}" +match("MESSAGE#20:APPFW_Message/0", "nwparser.payload", "\"%{p0}"); + +var dup21 = // "Pattern{Constant('HASTATE '), Field(p0,false)}" +match("MESSAGE#23:DR_HA_Message/1_0", "nwparser.p0", "HASTATE %{p0}"); + +var dup22 = // "Pattern{Field(network_service,false), Constant(': '), Field(p0,false)}" +match("MESSAGE#23:DR_HA_Message/1_1", "nwparser.p0", "%{network_service}: %{p0}"); + +var dup23 = // "Pattern{Field(info,false), Constant('"')}" +match("MESSAGE#23:DR_HA_Message/2", "nwparser.p0", "%{info}\""); + +var dup24 = setc("event_description","Routing details"); + +var dup25 = // "Pattern{Constant('for '), Field(dclass_counter1,false)}" +match("MESSAGE#24:EVENT_ALERTENDED/1_0", "nwparser.p0", "for %{dclass_counter1}"); + +var dup26 = // "Pattern{Field(space,false)}" +match_copy("MESSAGE#24:EVENT_ALERTENDED/1_1", "nwparser.p0", "space"); + +var dup27 = setc("ec_subject","Configuration"); + +var dup28 = setc("ec_activity","Stop"); + +var dup29 = setc("ec_theme","Configuration"); + +var dup30 = setc("ec_activity","Start"); + +var dup31 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#28:EVENT_DEVICEDOWN/0", "nwparser.payload", "%{obj_type->} \"%{obj_name}\"%{p0}"); + +var dup32 = // "Pattern{Constant(' - State '), Field(event_state,false)}" +match("MESSAGE#28:EVENT_DEVICEDOWN/1_0", "nwparser.p0", " - State %{event_state}"); + +var dup33 = // "Pattern{}" +match_copy("MESSAGE#28:EVENT_DEVICEDOWN/1_1", "nwparser.p0", ""); + +var dup34 = setc("ec_subject","Service"); + +var dup35 = date_time({ + dest: "event_time", + args: ["hdatetime"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dc(":"),dH,dc(":"),dU,dc(":"),dO], + [dW,dc("/"),dG,dc("/"),dF,dc(":"),dH,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup36 = // "Pattern{Field(obj_type,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#31:EVENT_MONITORDOWN/0", "nwparser.payload", "%{obj_type->} %{p0}"); + +var dup37 = // "Pattern{Field(obj_name,true), Constant(' - State '), Field(event_state,false)}" +match("MESSAGE#31:EVENT_MONITORDOWN/1_0", "nwparser.p0", "%{obj_name->} - State %{event_state}"); + +var dup38 = // "Pattern{Constant(''), Field(obj_name,false)}" +match("MESSAGE#31:EVENT_MONITORDOWN/1_2", "nwparser.p0", "%{obj_name}"); + +var dup39 = setc("event_description","The monitor bound to the service is up"); + +var dup40 = setc("ec_subject","NetworkComm"); + +var dup41 = setc("severity","Debug"); + +var dup42 = // "Pattern{Constant('" '), Field(p0,false)}" +match("MESSAGE#45:PITBOSS_Message1/0", "nwparser.payload", "\" %{p0}"); + +var dup43 = // "Pattern{Constant(''), Field(info,false), Constant('"')}" +match("MESSAGE#45:PITBOSS_Message1/2", "nwparser.p0", "%{info}\""); + +var dup44 = date_time({ + dest: "starttime", + args: ["fld10"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO,dW], + ], +}); + +var dup45 = setc("event_description","Process"); + +var dup46 = // "Pattern{Constant('sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#54:SNMP_TRAP_SENT7/3_3", "nwparser.p0", "sysIpAddress = %{hostip})"); + +var dup47 = setc("event_description","SNMP TRAP SENT"); + +var dup48 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/0", "nwparser.payload", "%{} %{p0}"); + +var dup49 = // "Pattern{Constant('ClientIP '), Field(p0,false)}" +match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/1_0", "nwparser.p0", "ClientIP %{p0}"); + +var dup50 = date_time({ + dest: "event_time", + args: ["hdatetime"], + fmts: [ + [dM,dc("/"),dD,dc("/"),dW,dc(":"),dH,dc(":"),dU,dc(":"),dO], + [dD,dc("/"),dM,dc("/"),dW,dc(":"),dH,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup51 = setc("ec_activity","Request"); + +var dup52 = // "Pattern{Constant('" '), Field(fld10,true), Constant(' GMT" - End_time '), Field(p0,false)}" +match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - End_time %{p0}"); + +var dup53 = // "Pattern{Constant('" '), Field(fld10,false), Constant('" - End_time '), Field(p0,false)}" +match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_1", "nwparser.p0", "\" %{fld10}\" - End_time %{p0}"); + +var dup54 = // "Pattern{Field(fld10,true), Constant(' - End_time '), Field(p0,false)}" +match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_2", "nwparser.p0", "%{fld10->} - End_time %{p0}"); + +var dup55 = // "Pattern{Constant('" '), Field(fld11,true), Constant(' GMT" - Duration '), Field(p0,false)}" +match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_0", "nwparser.p0", "\" %{fld11->} GMT\" - Duration %{p0}"); + +var dup56 = // "Pattern{Constant('" '), Field(fld11,false), Constant('" - Duration '), Field(p0,false)}" +match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_1", "nwparser.p0", "\" %{fld11}\" - Duration %{p0}"); + +var dup57 = // "Pattern{Field(fld11,true), Constant(' - Duration '), Field(p0,false)}" +match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_2", "nwparser.p0", "%{fld11->} - Duration %{p0}"); + +var dup58 = setc("event_description","ICA connection related information for a connection belonging to a SSLVPN session"); + +var dup59 = setc("dclass_ratio1_string"," Compression_ratio_send"); + +var dup60 = setc("dclass_ratio2_string"," Compression_ratio_recv"); + +var dup61 = date_time({ + dest: "endtime", + args: ["fld11"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dc(":"),dH,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup62 = date_time({ + dest: "starttime", + args: ["fld10"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dc(":"),dH,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup63 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - SessionId: '), Field(sessionid,false), Constant('- User '), Field(p0,false)}" +match("MESSAGE#94:SSLVPN_LOGIN/1_0", "nwparser.p0", "Context %{fld1->} - SessionId: %{sessionid}- User %{p0}"); + +var dup64 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - User '), Field(p0,false)}" +match("MESSAGE#94:SSLVPN_LOGIN/1_1", "nwparser.p0", "Context %{fld1->} - User %{p0}"); + +var dup65 = // "Pattern{Constant('User '), Field(p0,false)}" +match("MESSAGE#94:SSLVPN_LOGIN/1_2", "nwparser.p0", "User %{p0}"); + +var dup66 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('- Client_ip '), Field(saddr,true), Constant(' - Nat_ip '), Field(p0,false)}" +match("MESSAGE#94:SSLVPN_LOGIN/2", "nwparser.p0", "%{} %{username}- Client_ip %{saddr->} - Nat_ip %{p0}"); + +var dup67 = // "Pattern{Constant('"'), Field(stransaddr,false), Constant('" - Vserver '), Field(p0,false)}" +match("MESSAGE#94:SSLVPN_LOGIN/3_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver %{p0}"); + +var dup68 = // "Pattern{Field(stransaddr,true), Constant(' - Vserver '), Field(p0,false)}" +match("MESSAGE#94:SSLVPN_LOGIN/3_1", "nwparser.p0", "%{stransaddr->} - Vserver %{p0}"); + +var dup69 = setc("eventcategory","1401060000"); + +var dup70 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Start_time '), Field(p0,false)}" +match("MESSAGE#95:SSLVPN_LOGOUT/4", "nwparser.p0", "%{daddr}:%{dport->} - Start_time %{p0}"); + +var dup71 = setc("eventcategory","1401070000"); + +var dup72 = setc("ec_activity","Logoff"); + +var dup73 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - SessionId: '), Field(sessionid,false), Constant('- User '), Field(username,true), Constant(' - Client_ip '), Field(hostip,true), Constant(' - Nat_ip '), Field(p0,false)}" +match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/0", "nwparser.payload", "Context %{fld1->} - SessionId: %{sessionid}- User %{username->} - Client_ip %{hostip->} - Nat_ip %{p0}"); + +var dup74 = // "Pattern{Field(,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#100:SSLVPN_Message/0", "nwparser.payload", "%{}\"%{p0}"); + +var dup75 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - NatIP '), Field(stransaddr,false), Constant(':'), Field(stransport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Delink Time '), Field(p0,false)}" +match("MESSAGE#102:TCP_CONN_DELINK/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Vserver %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Delink Time %{p0}"); + +var dup76 = // "Pattern{Field(fld11,true), Constant(' GMT - Total_bytes_send '), Field(p0,false)}" +match("MESSAGE#102:TCP_CONN_DELINK/1_0", "nwparser.p0", "%{fld11->} GMT - Total_bytes_send %{p0}"); + +var dup77 = // "Pattern{Field(fld11,true), Constant(' - Total_bytes_send '), Field(p0,false)}" +match("MESSAGE#102:TCP_CONN_DELINK/1_1", "nwparser.p0", "%{fld11->} - Total_bytes_send %{p0}"); + +var dup78 = // "Pattern{Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,false)}" +match("MESSAGE#102:TCP_CONN_DELINK/2", "nwparser.p0", "%{sbytes->} - Total_bytes_recv %{rbytes}"); + +var dup79 = setc("event_description","A Server side and a Client side TCP connection is delinked"); + +var dup80 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Start Time '), Field(p0,false)}" +match("MESSAGE#103:TCP_CONN_TERMINATE/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{daddr}:%{dport->} - Start Time %{p0}"); + +var dup81 = // "Pattern{Field(fld10,true), Constant(' GMT - End Time '), Field(p0,false)}" +match("MESSAGE#103:TCP_CONN_TERMINATE/1_0", "nwparser.p0", "%{fld10->} GMT - End Time %{p0}"); + +var dup82 = // "Pattern{Field(fld10,true), Constant(' - End Time '), Field(p0,false)}" +match("MESSAGE#103:TCP_CONN_TERMINATE/1_1", "nwparser.p0", "%{fld10->} - End Time %{p0}"); + +var dup83 = setc("event_description","TCP connection terminated"); + +var dup84 = setc("event_description","UI command executed in NetScaler"); + +var dup85 = setc("disposition","Success"); + +var dup86 = call({ + dest: "nwparser.action", + fn: STRCAT, + args: [ + field("login"), + field("fld11"), + ], +}); + +var dup87 = call({ + dest: "nwparser.action", + fn: STRCAT, + args: [ + field("logout"), + field("fld11"), + ], +}); + +var dup88 = setc("eventcategory","1401040000"); + +var dup89 = setc("event_description","CLI or GUI command executed in NetScaler"); + +var dup90 = // "Pattern{Field(info,true), Constant(' "')}" +match("MESSAGE#113:CLUSTERD_Message:02/1_1", "nwparser.p0", "%{info->} \""); + +var dup91 = setf("msg","$MSG"); + +var dup92 = setc("event_description","GUI command executed in NetScaler"); + +var dup93 = // "Pattern{Constant('"'), Field(event_type,false), Constant(': '), Field(p0,false)}" +match("MESSAGE#158:AAA_Message/0", "nwparser.payload", "\"%{event_type}: %{p0}"); + +var dup94 = // "Pattern{Constant('Sessionid '), Field(sessionid,true), Constant(' - User '), Field(username,true), Constant(' - Client_ip '), Field(saddr,true), Constant(' - Nat_ip '), Field(p0,false)}" +match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/0", "nwparser.payload", "Sessionid %{sessionid->} - User %{username->} - Client_ip %{saddr->} - Nat_ip %{p0}"); + +var dup95 = // "Pattern{Constant('"'), Field(stransaddr,false), Constant('" - Vserver_ip '), Field(p0,false)}" +match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver_ip %{p0}"); + +var dup96 = // "Pattern{Field(stransaddr,true), Constant(' - Vserver_ip '), Field(p0,false)}" +match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_1", "nwparser.p0", "%{stransaddr->} - Vserver_ip %{p0}"); + +var dup97 = // "Pattern{Field(daddr,true), Constant(' - Errmsg " '), Field(event_description,true), Constant(' "')}" +match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/2", "nwparser.p0", "%{daddr->} - Errmsg \" %{event_description->} \""); + +var dup98 = linear_select([ + dup21, + dup22, +]); + +var dup99 = linear_select([ + dup25, + dup26, +]); + +var dup100 = linear_select([ + dup32, + dup33, +]); + +var dup101 = // "Pattern{Field(fld1,false), Constant(':UserLogin:'), Field(username,true), Constant(' - '), Field(event_description,true), Constant(' from client IP Address '), Field(saddr,false)}" +match("MESSAGE#84:SNMP_TRAP_SENT:05", "nwparser.payload", "%{fld1}:UserLogin:%{username->} - %{event_description->} from client IP Address %{saddr}", processor_chain([ + dup5, + dup4, +])); + +var dup102 = linear_select([ + dup52, + dup53, + dup54, +]); + +var dup103 = linear_select([ + dup55, + dup56, + dup57, +]); + +var dup104 = linear_select([ + dup63, + dup64, + dup65, +]); + +var dup105 = linear_select([ + dup67, + dup68, +]); + +var dup106 = linear_select([ + dup76, + dup77, +]); + +var dup107 = linear_select([ + dup81, + dup82, +]); + +var dup108 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,false), Constant('" - Status "'), Field(disposition,false), Constant('"')}" +match("MESSAGE#109:UI_CMD_EXECUTED", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" - Status \"%{disposition}\"", processor_chain([ + dup88, + dup89, + dup3, + dup4, +])); + +var dup109 = // "Pattern{Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(fld1,false), Constant('|'), Field(severity,false), Constant('|src='), Field(saddr,true), Constant(' spt='), Field(sport,true), Constant(' method='), Field(web_method,true), Constant(' request='), Field(url,true), Constant(' msg='), Field(info,true), Constant(' cn1='), Field(fld2,true), Constant(' cn2='), Field(fld3,true), Constant(' cs1='), Field(policyname,true), Constant(' cs2='), Field(fld5,true), Constant(' cs3='), Field(fld6,true), Constant(' cs4='), Field(severity,true), Constant(' cs5='), Field(fld8,true), Constant(' act='), Field(action,false)}" +match("MESSAGE#122:APPFW_COOKIE", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs3=%{fld6->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ + dup9, + dup91, +])); + +var dup110 = // "Pattern{Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(fld1,false), Constant('|'), Field(severity,false), Constant('|src='), Field(saddr,true), Constant(' spt='), Field(sport,true), Constant(' method='), Field(web_method,true), Constant(' request='), Field(url,true), Constant(' msg='), Field(info,true), Constant(' cn1='), Field(fld2,true), Constant(' cn2='), Field(fld3,true), Constant(' cs1='), Field(policyname,true), Constant(' cs2='), Field(fld5,true), Constant(' cs4='), Field(severity,true), Constant(' cs5='), Field(fld8,true), Constant(' act='), Field(action,false)}" +match("MESSAGE#128:AF_400_RESP", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ + dup11, + dup91, +])); + +var dup111 = // "Pattern{Field(info,false)}" +match_copy("MESSAGE#165:AAATM_Message:06", "nwparser.payload", "info", processor_chain([ + dup9, + dup4, +])); + +var dup112 = linear_select([ + dup95, + dup96, +]); + +var dup113 = all_match({ + processors: [ + dup20, + dup98, + dup23, + ], + on_success: processor_chain([ + dup2, + dup24, + dup3, + dup4, + ]), +}); + +var dup114 = all_match({ + processors: [ + dup94, + dup112, + dup97, + ], + on_success: processor_chain([ + dup9, + dup4, + ]), +}); + +var hdr1 = // "Pattern{Field(hdatetime,true), Constant(' '), Field(hfld1,true), Constant(' : '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(hfld2,false), Constant(':'), Field(payload,false)}" +match("HEADER#0:0001", "message", "%{hdatetime->} %{hfld1->} : %{msgIdPart1->} %{msgIdPart2->} %{hfld2}:%{payload}", processor_chain([ + setc("header_id","0001"), + dup1, +])); + +var hdr2 = // "Pattern{Field(hdatetime,true), Constant(' '), Field(hfld1,true), Constant(' : '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' :'), Field(payload,false)}" +match("HEADER#1:0005", "message", "%{hdatetime->} %{hfld1->} : %{msgIdPart1->} %{msgIdPart2->} :%{payload}", processor_chain([ + setc("header_id","0005"), + dup1, +])); + +var hdr3 = // "Pattern{Field(hdatetime,true), Constant(' '), Field(hfld1,true), Constant(' : '), Field(hfld2,true), Constant(' '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" +match("HEADER#2:0002/0", "message", "%{hdatetime->} %{hfld1->} : %{hfld2->} %{msgIdPart1->} %{msgIdPart2->} %{p0}"); + +var part1 = // "Pattern{Field(hfld3,true), Constant(' '), Field(p0,false)}" +match("HEADER#2:0002/1_0", "nwparser.p0", "%{hfld3->} %{p0}"); + +var part2 = // "Pattern{Field(p0,false)}" +match_copy("HEADER#2:0002/1_1", "nwparser.p0", "p0"); + +var select1 = linear_select([ + part1, + part2, +]); + +var part3 = // "Pattern{Constant(':'), Field(payload,false)}" +match("HEADER#2:0002/2", "nwparser.p0", ":%{payload}"); + +var all1 = all_match({ + processors: [ + hdr3, + select1, + part3, + ], + on_success: processor_chain([ + setc("header_id","0002"), + dup1, + ]), +}); + +var hdr4 = // "Pattern{Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#3:0003", "message", "%{messageid->} %{p0}", processor_chain([ + setc("header_id","0003"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr5 = // "Pattern{Constant('CEF:0|Citrix|'), Field(fld1,false), Constant('|'), Field(fld2,false), Constant('|'), Field(fld3,false), Constant('|'), Field(messageid,false), Constant('| '), Field(p0,false)}" +match("HEADER#4:0004", "message", "CEF:0|Citrix|%{fld1}|%{fld2}|%{fld3}|%{messageid}| %{p0}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("fld1"), + constant("|"), + field("fld2"), + constant("|"), + field("fld3"), + constant("|"), + field("messageid"), + constant("| "), + field("p0"), + ], + }), +])); + +var hdr6 = // "Pattern{Constant('CEF:0|Citrix|'), Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(hfld1,false), Constant('|'), Field(severity,false), Constant('| '), Field(payload,false)}" +match("HEADER#5:0006", "message", "CEF:0|Citrix|%{product}|%{version}|%{rule}|%{hfld1}|%{severity}| %{payload}", processor_chain([ + setc("header_id","0006"), + setc("messageid","CITRIX_TVM"), +])); + +var select2 = linear_select([ + hdr1, + hdr2, + all1, + hdr4, + hdr5, + hdr6, +]); + +var part4 = // "Pattern{Constant('Extracted_groups "'), Field(group,false), Constant('" ')}" +match("MESSAGE#0:AAA_EXTRACTED_GROUPS/0_0", "nwparser.payload", "Extracted_groups \"%{group}\" "); + +var part5 = // "Pattern{Constant(' Extracted_groups "'), Field(group,false)}" +match("MESSAGE#0:AAA_EXTRACTED_GROUPS/0_1", "nwparser.payload", " Extracted_groups \"%{group}"); + +var select3 = linear_select([ + part4, + part5, +]); + +var all2 = all_match({ + processors: [ + select3, + ], + on_success: processor_chain([ + dup2, + setc("event_description","The groups extracted after user logs in"), + dup3, + dup4, + ]), +}); + +var msg1 = msg("AAA_EXTRACTED_GROUPS", all2); + +var part6 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Client_ip '), Field(saddr,true), Constant(' - Failure_reason "'), Field(result,false), Constant('"')}" +match("MESSAGE#1:AAA_LOGIN_FAILED", "nwparser.payload", "User %{username->} - Client_ip %{saddr->} - Failure_reason \"%{result}\"", processor_chain([ + dup5, + setc("ec_subject","User"), + dup6, + dup7, + dup8, + setc("event_description","The aaa module failed to login the user"), + setc("severity","Alert"), + dup4, +])); + +var msg2 = msg("AAA_LOGIN_FAILED", part6); + +var part7 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' --> Destination '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Protocol '), Field(protocol,true), Constant(' - TimeStamp '), Field(info,true), Constant(' - Hitcount '), Field(dclass_counter1,true), Constant(' - Hit Rule '), Field(rulename,true), Constant(' - Data '), Field(message_body,false)}" +match("MESSAGE#2:ACL_ACL_PKT_LOG", "nwparser.payload", "Source %{saddr}:%{sport->} --> Destination %{daddr}:%{dport->} - Protocol %{protocol->} - TimeStamp %{info->} - Hitcount %{dclass_counter1->} - Hit Rule %{rulename->} - Data %{message_body}", processor_chain([ + dup9, + setc("event_description","ACL_PKT_LOG"), + dup10, + dup4, +])); + +var msg3 = msg("ACL_ACL_PKT_LOG", part7); + +var part8 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(info,false), Constant(': '), Field(url,true), Constant(' <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#3:APPFW_APPFW_BUFFEROVERFLOW_COOKIE", "nwparser.payload", "%{saddr->} %{fld2->} %{rule_group->} %{info}: %{url->} \u003c\u003c%{disposition}>", processor_chain([ + dup11, + setc("event_description","AppFw Buffer Overflow violation in Cookie"), + dup3, + dup4, +])); + +var msg4 = msg("APPFW_APPFW_BUFFEROVERFLOW_COOKIE", part8); + +var part9 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(info,false), Constant(': '), Field(url,true), Constant(' <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#4:APPFW_APPFW_BUFFEROVERFLOW_HDR", "nwparser.payload", "%{saddr->} %{fld2->} %{rule_group->} %{info}: %{url->} \u003c\u003c%{disposition}>", processor_chain([ + dup11, + setc("event_description","AppFw Buffer Overflow violation in HTTP Headers"), + dup3, + dup4, +])); + +var msg5 = msg("APPFW_APPFW_BUFFEROVERFLOW_HDR", part9); + +var part10 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(info,false), Constant(': '), Field(url,true), Constant(' <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#5:APPFW_APPFW_BUFFEROVERFLOW_URL", "nwparser.payload", "%{saddr->} %{fld2->} %{rule_group->} %{info}: %{url->} \u003c\u003c%{disposition}>", processor_chain([ + dup12, + dup13, + dup3, + dup4, +])); + +var msg6 = msg("APPFW_APPFW_BUFFEROVERFLOW_URL", part10); + +var part11 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld2,true), Constant(' '), Field(info,false), Constant(': '), Field(url,false)}" +match("MESSAGE#137:APPFW_APPFW_BUFFEROVERFLOW_URL:01", "nwparser.payload", "%{saddr->} %{fld2->} %{info}: %{url}", processor_chain([ + dup12, + dup13, + dup3, + dup4, +])); + +var msg7 = msg("APPFW_APPFW_BUFFEROVERFLOW_URL:01", part11); + +var select4 = linear_select([ + msg6, + msg7, +]); + +var part12 = // "Pattern{Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' '), Field(rule_group,true), Constant(' Cookie'), Field(p0,false)}" +match("MESSAGE#6:APPFW_APPFW_COOKIE/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{rule_group->} Cookie%{p0}"); + +var part13 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Cookie'), Field(p0,false)}" +match("MESSAGE#6:APPFW_APPFW_COOKIE/1_1", "nwparser.p0", "%{fld2->} %{rule_group->} Cookie%{p0}"); + +var part14 = // "Pattern{Field(rule_group,true), Constant(' Cookie'), Field(p0,false)}" +match("MESSAGE#6:APPFW_APPFW_COOKIE/1_2", "nwparser.p0", "%{rule_group->} Cookie%{p0}"); + +var select5 = linear_select([ + part12, + part13, + part14, +]); + +var part15 = // "Pattern{Field(url,true), Constant(' validation failed for '), Field(fld3,true), Constant(' <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#6:APPFW_APPFW_COOKIE/2", "nwparser.p0", "%{url->} validation failed for %{fld3->} \u003c\u003c%{disposition}>"); + +var all3 = all_match({ + processors: [ + dup14, + select5, + part15, + ], + on_success: processor_chain([ + dup11, + setc("event_description","AppFw Cookie violation"), + dup3, + dup4, + ]), +}); + +var msg8 = msg("APPFW_APPFW_COOKIE", all3); + +var part16 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Disallow Deny URL: '), Field(p0,false)}" +match("MESSAGE#7:APPFW_APPFW_DENYURL/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Disallow Deny URL: %{p0}"); + +var part17 = // "Pattern{Field(rule_group,true), Constant(' Disallow Deny URL: '), Field(p0,false)}" +match("MESSAGE#7:APPFW_APPFW_DENYURL/1_1", "nwparser.p0", "%{rule_group->} Disallow Deny URL: %{p0}"); + +var select6 = linear_select([ + part16, + part17, +]); + +var all4 = all_match({ + processors: [ + dup14, + select6, + dup15, + ], + on_success: processor_chain([ + dup12, + setc("ec_activity","Deny"), + setc("ec_theme","Policy"), + setc("event_description","AppFw DenyURL violation"), + dup3, + dup4, + ]), +}); + +var msg9 = msg("APPFW_APPFW_DENYURL", all4); + +var part18 = // "Pattern{Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Field consistency'), Field(p0,false)}" +match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/1_0", "nwparser.p0", "%{fld1->} %{fld2->} %{rule_group->} Field consistency%{p0}"); + +var part19 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Field consistency'), Field(p0,false)}" +match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/1_1", "nwparser.p0", "%{fld2->} %{rule_group->} Field consistency%{p0}"); + +var part20 = // "Pattern{Field(rule_group,true), Constant(' Field consistency'), Field(p0,false)}" +match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/1_2", "nwparser.p0", "%{rule_group->} Field consistency%{p0}"); + +var select7 = linear_select([ + part18, + part19, + part20, +]); + +var all5 = all_match({ + processors: [ + dup14, + select7, + dup16, + ], + on_success: processor_chain([ + dup11, + setc("event_description","AppFw Field Consistency violation"), + dup3, + dup4, + ]), +}); + +var msg10 = msg("APPFW_APPFW_FIELDCONSISTENCY", all5); + +var part21 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Field'), Field(p0,false)}" +match("MESSAGE#9:APPFW_APPFW_FIELDFORMAT/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Field%{p0}"); + +var part22 = // "Pattern{Field(rule_group,true), Constant(' Field'), Field(p0,false)}" +match("MESSAGE#9:APPFW_APPFW_FIELDFORMAT/1_1", "nwparser.p0", "%{rule_group->} Field%{p0}"); + +var select8 = linear_select([ + part21, + part22, +]); + +var part23 = // "Pattern{Field(url,true), Constant(' '), Field(info,true), Constant(' ="'), Field(fld4,false), Constant('" <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#9:APPFW_APPFW_FIELDFORMAT/2", "nwparser.p0", "%{url->} %{info->} =\"%{fld4}\" \u003c\u003c%{disposition}>"); + +var all6 = all_match({ + processors: [ + dup14, + select8, + part23, + ], + on_success: processor_chain([ + dup11, + setc("event_description","AppFw Field Format violation"), + dup3, + dup4, + ]), +}); + +var msg11 = msg("APPFW_APPFW_FIELDFORMAT", all6); + +var part24 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' SQL'), Field(p0,false)}" +match("MESSAGE#10:APPFW_APPFW_SQL/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} SQL%{p0}"); + +var part25 = // "Pattern{Field(rule_group,true), Constant(' SQL'), Field(p0,false)}" +match("MESSAGE#10:APPFW_APPFW_SQL/1_1", "nwparser.p0", "%{rule_group->} SQL%{p0}"); + +var select9 = linear_select([ + part24, + part25, +]); + +var all7 = all_match({ + processors: [ + dup14, + select9, + dup16, + ], + on_success: processor_chain([ + dup11, + dup17, + dup3, + dup4, + ]), +}); + +var msg12 = msg("APPFW_APPFW_SQL", all7); + +var part26 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#11:APPFW_APPFW_SQL_1/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} %{p0}"); + +var part27 = // "Pattern{Field(rule_group,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#11:APPFW_APPFW_SQL_1/1_1", "nwparser.p0", "%{rule_group->} %{p0}"); + +var select10 = linear_select([ + part26, + part27, +]); + +var all8 = all_match({ + processors: [ + dup14, + select10, + dup16, + ], + on_success: processor_chain([ + dup11, + dup17, + dup3, + dup4, + ]), +}); + +var msg13 = msg("APPFW_APPFW_SQL_1", all8); + +var select11 = linear_select([ + msg12, + msg13, +]); + +var part28 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Maximum no. '), Field(p0,false)}" +match("MESSAGE#12:APPFW_APPFW_SAFECOMMERCE/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Maximum no. %{p0}"); + +var part29 = // "Pattern{Field(rule_group,true), Constant(' Maximum no. '), Field(p0,false)}" +match("MESSAGE#12:APPFW_APPFW_SAFECOMMERCE/1_1", "nwparser.p0", "%{rule_group->} Maximum no. %{p0}"); + +var select12 = linear_select([ + part28, + part29, +]); + +var part30 = // "Pattern{Field(url,true), Constant(' of potential credit card numbers seen <<'), Field(info,false), Constant('>')}" +match("MESSAGE#12:APPFW_APPFW_SAFECOMMERCE/2", "nwparser.p0", "%{url->} of potential credit card numbers seen \u003c\u003c%{info}>"); + +var all9 = all_match({ + processors: [ + dup14, + select12, + part30, + ], + on_success: processor_chain([ + dup9, + setc("event_description","AppFw SafeCommerce credit cards seen"), + dup3, + dup4, + ]), +}); + +var msg14 = msg("APPFW_APPFW_SAFECOMMERCE", all9); + +var part31 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' Transformed ('), Field(info,false), Constant(') Maximum no. '), Field(p0,false)}" +match("MESSAGE#13:APPFW_APPFW_SAFECOMMERCE_XFORM/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} %{url->} Transformed (%{info}) Maximum no. %{p0}"); + +var part32 = // "Pattern{Field(rule_group,true), Constant(' '), Field(url,true), Constant(' ('), Field(info,false), Constant(') '), Field(p0,false)}" +match("MESSAGE#13:APPFW_APPFW_SAFECOMMERCE_XFORM/1_1", "nwparser.p0", "%{rule_group->} %{url->} (%{info}) %{p0}"); + +var select13 = linear_select([ + part31, + part32, +]); + +var part33 = // "Pattern{Constant('potential credit card numbers seen in server response'), Field(,false)}" +match("MESSAGE#13:APPFW_APPFW_SAFECOMMERCE_XFORM/2", "nwparser.p0", "potential credit card numbers seen in server response%{}"); + +var all10 = all_match({ + processors: [ + dup14, + select13, + part33, + ], + on_success: processor_chain([ + dup9, + setc("event_description","AppFw SafeCommerce Transformed for credit cards seen in server repsonse"), + dup3, + dup4, + ]), +}); + +var msg15 = msg("APPFW_APPFW_SAFECOMMERCE_XFORM", all10); + +var part34 = // "Pattern{Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' '), Field(rule_group,true), Constant(' Disallow Illegal URL: '), Field(p0,false)}" +match("MESSAGE#14:APPFW_APPFW_STARTURL/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{rule_group->} Disallow Illegal URL: %{p0}"); + +var part35 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Disallow Illegal URL: '), Field(p0,false)}" +match("MESSAGE#14:APPFW_APPFW_STARTURL/1_1", "nwparser.p0", "%{fld2->} %{rule_group->} Disallow Illegal URL: %{p0}"); + +var part36 = // "Pattern{Field(rule_group,true), Constant(' Disallow Illegal URL: '), Field(p0,false)}" +match("MESSAGE#14:APPFW_APPFW_STARTURL/1_2", "nwparser.p0", "%{rule_group->} Disallow Illegal URL: %{p0}"); + +var select14 = linear_select([ + part34, + part35, + part36, +]); + +var all11 = all_match({ + processors: [ + dup14, + select14, + dup15, + ], + on_success: processor_chain([ + dup12, + setc("event_description","AppFw StartURL violation"), + dup3, + dup4, + ]), +}); + +var msg16 = msg("APPFW_APPFW_STARTURL", all11); + +var part37 = // "Pattern{Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' Cross-site'), Field(p0,false)}" +match("MESSAGE#15:APPFW_APPFW_XSS/1_0", "nwparser.p0", "%{fld2->} %{rule_group->} Cross-site%{p0}"); + +var part38 = // "Pattern{Field(rule_group,true), Constant(' Cross-site'), Field(p0,false)}" +match("MESSAGE#15:APPFW_APPFW_XSS/1_1", "nwparser.p0", "%{rule_group->} Cross-site%{p0}"); + +var select15 = linear_select([ + part37, + part38, +]); + +var part39 = // "Pattern{Field(url,true), Constant(' script '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#15:APPFW_APPFW_XSS/2", "nwparser.p0", "%{url->} script %{info->} \u003c\u003c%{disposition}>"); + +var all12 = all_match({ + processors: [ + dup14, + select15, + part39, + ], + on_success: processor_chain([ + dup12, + setc("event_description","AppFw XSS violation"), + dup3, + dup4, + ]), +}); + +var msg17 = msg("APPFW_APPFW_XSS", all12); + +var part40 = // "Pattern{Field(saddr,true), Constant(' "'), Field(info,false), Constant('"')}" +match("MESSAGE#16:APPFW_AF_400_RESP", "nwparser.payload", "%{saddr->} \"%{info}\"", processor_chain([ + dup11, + dup18, + dup3, + dup4, +])); + +var msg18 = msg("APPFW_AF_400_RESP", part40); + +var part41 = // "Pattern{Field(saddr,true), Constant(' '), Field(info,false)}" +match("MESSAGE#138:APPFW_AF_400_RESP:01", "nwparser.payload", "%{saddr->} %{info}", processor_chain([ + dup11, + dup18, + dup3, + dup4, +])); + +var msg19 = msg("APPFW_AF_400_RESP:01", part41); + +var select16 = linear_select([ + msg18, + msg19, +]); + +var part42 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld10,true), Constant(' Match found with Safe Object: '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#17:APPFW_APPFW_SAFEOBJECT", "nwparser.payload", "%{saddr->} %{fld10->} Match found with Safe Object: %{info->} \u003c\u003c%{disposition}>", processor_chain([ + dup11, + setc("event_description","AppFw Safe Object"), + dup3, + dup4, +])); + +var msg20 = msg("APPFW_APPFW_SAFEOBJECT", part42); + +var part43 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld10,true), Constant(' CSRF Tag validation failed: <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#18:APPFW_APPFW_CSRF_TAG", "nwparser.payload", "%{saddr->} %{fld10->} CSRF Tag validation failed: \u003c\u003c%{disposition}>", processor_chain([ + dup11, + setc("event_description","AppFw CSRF Tag Validation Failed"), + dup3, + dup4, +])); + +var msg21 = msg("APPFW_APPFW_CSRF_TAG", part43); + +var part44 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' '), Field(url,false)}" +match("MESSAGE#135:APPFW_APPFW_CSRF_TAG:01", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{fld3->} %{url}", processor_chain([ + dup9, + dup3, + dup4, +])); + +var msg22 = msg("APPFW_APPFW_CSRF_TAG:01", part44); + +var select17 = linear_select([ + msg21, + msg22, +]); + +var part45 = // "Pattern{Constant('Memory allocation request for '), Field(bytes,true), Constant(' bytes failed. Call stack PCs: '), Field(fld1,false)}" +match("MESSAGE#19:APPFW_AF_MEMORY_ERR", "nwparser.payload", "Memory allocation request for %{bytes->} bytes failed. Call stack PCs: %{fld1}", processor_chain([ + dup11, + setc("event_description","Memory allocation request for some bytes failed"), + dup19, + dup4, +])); + +var msg23 = msg("APPFW_AF_MEMORY_ERR", part45); + +var part46 = // "Pattern{Constant('Invalid rule id '), Field(p0,false)}" +match("MESSAGE#20:APPFW_Message/1_0", "nwparser.p0", "Invalid rule id %{p0}"); + +var part47 = // "Pattern{Constant('Duplicate rule id '), Field(p0,false)}" +match("MESSAGE#20:APPFW_Message/1_1", "nwparser.p0", "Duplicate rule id %{p0}"); + +var select18 = linear_select([ + part46, + part47, +]); + +var part48 = // "Pattern{Field(fld1,false), Constant('"')}" +match("MESSAGE#20:APPFW_Message/2", "nwparser.p0", "%{fld1}\""); + +var all13 = all_match({ + processors: [ + dup20, + select18, + part48, + ], + on_success: processor_chain([ + dup11, + setc("event_description","Invalid/Duplicate Rule id"), + dup19, + dup4, + ]), +}); + +var msg24 = msg("APPFW_Message", all13); + +var part49 = // "Pattern{Constant('"Setting default custom settings for profile '), Field(fld1,true), Constant(' ('), Field(fld2,false), Constant(')"')}" +match("MESSAGE#21:APPFW_Message:01", "nwparser.payload", "\"Setting default custom settings for profile %{fld1->} (%{fld2})\"", processor_chain([ + dup9, + setc("event_description","Setting default custom settings for profile"), + dup19, + dup4, +])); + +var msg25 = msg("APPFW_Message:01", part49); + +var part50 = // "Pattern{Constant('"Setting same CustomSettings( ) to profile. '), Field(fld2,false), Constant('"')}" +match("MESSAGE#22:APPFW_Message:02", "nwparser.payload", "\"Setting same CustomSettings( ) to profile. %{fld2}\"", processor_chain([ + dup9, + setc("event_description","Setting same CustomSettings( ) to profile."), + dup4, +])); + +var msg26 = msg("APPFW_Message:02", part50); + +var select19 = linear_select([ + msg24, + msg25, + msg26, +]); + +var msg27 = msg("DR_HA_Message", dup113); + +var part51 = // "Pattern{Field(process,true), Constant(' ended '), Field(p0,false)}" +match("MESSAGE#24:EVENT_ALERTENDED/0", "nwparser.payload", "%{process->} ended %{p0}"); + +var all14 = all_match({ + processors: [ + part51, + dup99, + ], + on_success: processor_chain([ + dup2, + setc("event_description","Alert process ended"), + dup3, + dup4, + ]), +}); + +var msg28 = msg("EVENT_ALERTENDED", all14); + +var part52 = // "Pattern{Field(process,true), Constant(' started '), Field(p0,false)}" +match("MESSAGE#25:EVENT_ALERTSTARTED/0", "nwparser.payload", "%{process->} started %{p0}"); + +var all15 = all_match({ + processors: [ + part52, + dup99, + ], + on_success: processor_chain([ + dup2, + setc("event_description","Alert process started"), + dup3, + dup4, + ]), +}); + +var msg29 = msg("EVENT_ALERTSTARTED", all15); + +var part53 = // "Pattern{Constant('CONFIG '), Field(info,false)}" +match("MESSAGE#26:EVENT_CONFIGEND", "nwparser.payload", "CONFIG %{info}", processor_chain([ + dup2, + dup27, + dup28, + dup29, + setc("event_description","Configuration read completed from ns.conf file during boot-up"), + dup3, + dup4, +])); + +var msg30 = msg("EVENT_CONFIGEND", part53); + +var part54 = // "Pattern{Constant('CONFIG '), Field(info,false)}" +match("MESSAGE#27:EVENT_CONFIGSTART", "nwparser.payload", "CONFIG %{info}", processor_chain([ + dup2, + dup27, + dup30, + dup29, + setc("event_description","Configuration read started from ns.conf file during boot-up"), + dup3, + dup4, +])); + +var msg31 = msg("EVENT_CONFIGSTART", part54); + +var all16 = all_match({ + processors: [ + dup31, + dup100, + ], + on_success: processor_chain([ + dup11, + dup34, + dup28, + setc("event_description","Device Down"), + dup10, + dup35, + ]), +}); + +var msg32 = msg("EVENT_DEVICEDOWN", all16); + +var part55 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('" - State '), Field(event_state,false)}" +match("MESSAGE#29:EVENT_DEVICEOFS", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - State %{event_state}", processor_chain([ + dup11, + dup34, + dup28, + setc("event_description","Device Out Of Service"), + dup10, + dup4, +])); + +var msg33 = msg("EVENT_DEVICEOFS", part55); + +var all17 = all_match({ + processors: [ + dup31, + dup100, + ], + on_success: processor_chain([ + dup2, + dup34, + dup30, + setc("event_description","Device UP"), + dup10, + dup35, + ]), +}); + +var msg34 = msg("EVENT_DEVICEUP", all17); + +var part56 = // "Pattern{Constant('"'), Field(obj_name,false), Constant('"')}" +match("MESSAGE#31:EVENT_MONITORDOWN/1_1", "nwparser.p0", "\"%{obj_name}\""); + +var select20 = linear_select([ + dup37, + part56, + dup38, +]); + +var all18 = all_match({ + processors: [ + dup36, + select20, + ], + on_success: processor_chain([ + dup11, + setc("event_description","The monitor bound to the service is down"), + dup3, + dup4, + ]), +}); + +var msg35 = msg("EVENT_MONITORDOWN", all18); + +var select21 = linear_select([ + dup37, + dup38, +]); + +var all19 = all_match({ + processors: [ + dup36, + select21, + ], + on_success: processor_chain([ + dup2, + dup39, + dup3, + dup4, + ]), +}); + +var msg36 = msg("EVENT_MONITORUP", all19); + +var part57 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('" - State '), Field(event_state,false)}" +match("MESSAGE#33:EVENT_NICRESET", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - State %{event_state}", processor_chain([ + dup2, + dup39, + dup3, + dup4, +])); + +var msg37 = msg("EVENT_NICRESET", part57); + +var part58 = // "Pattern{Field(obj_type,true), Constant(' '), Field(obj_name,true), Constant(' - State '), Field(event_state,false)}" +match("MESSAGE#34:EVENT_ROUTEDOWN", "nwparser.payload", "%{obj_type->} %{obj_name->} - State %{event_state}", processor_chain([ + dup11, + dup40, + dup28, + setc("event_description","Route is Down"), + dup3, + dup4, +])); + +var msg38 = msg("EVENT_ROUTEDOWN", part58); + +var part59 = // "Pattern{Field(obj_type,true), Constant(' '), Field(obj_name,true), Constant(' - State '), Field(event_state,false)}" +match("MESSAGE#35:EVENT_ROUTEUP", "nwparser.payload", "%{obj_type->} %{obj_name->} - State %{event_state}", processor_chain([ + dup2, + dup40, + dup30, + setc("event_description","Route is UP"), + dup41, + dup4, +])); + +var msg39 = msg("EVENT_ROUTEUP", part59); + +var part60 = // "Pattern{Constant('CPU_started '), Field(info,false)}" +match("MESSAGE#36:EVENT_STARTCPU", "nwparser.payload", "CPU_started %{info}", processor_chain([ + dup2, + setc("event_description","CPU Started"), + dup3, + dup4, +])); + +var msg40 = msg("EVENT_STARTCPU", part60); + +var part61 = // "Pattern{Constant('SAVECONFIG '), Field(info,false)}" +match("MESSAGE#37:EVENT_STARTSAVECONFIG", "nwparser.payload", "SAVECONFIG %{info}", processor_chain([ + dup2, + setc("event_description","Save configuration started"), + dup3, + dup4, +])); + +var msg41 = msg("EVENT_STARTSAVECONFIG", part61); + +var part62 = // "Pattern{Constant('System started - '), Field(info,false)}" +match("MESSAGE#38:EVENT_STARTSYS", "nwparser.payload", "System started - %{info}", processor_chain([ + dup2, + dup34, + dup30, + setc("event_description","Netscaler Started"), + dup3, + dup4, +])); + +var msg42 = msg("EVENT_STARTSYS", part62); + +var part63 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('" - State '), Field(event_state,false)}" +match("MESSAGE#39:EVENT_STATECHANGE", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - State %{event_state}", processor_chain([ + dup2, + dup34, + dup30, + setc("event_description","HA State has changed"), + dup3, + dup4, +])); + +var msg43 = msg("EVENT_STATECHANGE", part63); + +var part64 = // "Pattern{Field(obj_type,true), Constant(' ('), Field(obj_name,false), Constant(') - '), Field(event_state,true), Constant(' '), Field(info,false)}" +match("MESSAGE#40:EVENT_STATECHANGE_HEARTBEAT", "nwparser.payload", "%{obj_type->} (%{obj_name}) - %{event_state->} %{info}", processor_chain([ + dup2, + setc("event_description","Heartbeat State report"), + dup3, + dup4, +])); + +var msg44 = msg("EVENT_STATECHANGE_HEARTBEAT", part64); + +var part65 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('" - '), Field(event_state,true), Constant(' '), Field(info,false)}" +match("MESSAGE#41:EVENT_STATECHANGE:01", "nwparser.payload", "%{obj_type->} \"%{obj_name}\" - %{event_state->} %{info}", processor_chain([ + dup2, + dup4, +])); + +var msg45 = msg("EVENT_STATECHANGE:01", part65); + +var select22 = linear_select([ + msg43, + msg44, + msg45, +]); + +var part66 = // "Pattern{Constant('SAVECONFIG'), Field(info,false)}" +match("MESSAGE#42:EVENT_STOPSAVECONFIG", "nwparser.payload", "SAVECONFIG%{info}", processor_chain([ + dup2, + dup27, + dup28, + setc("event_description","Save configuration stopped"), + dup3, + dup4, +])); + +var msg46 = msg("EVENT_STOPSAVECONFIG", part66); + +var part67 = // "Pattern{Constant('System stopped - '), Field(info,false)}" +match("MESSAGE#43:EVENT_STOPSYS", "nwparser.payload", "System stopped - %{info}", processor_chain([ + dup2, + dup34, + dup28, + setc("event_description","Netscaler Stopped"), + dup3, + dup4, +])); + +var msg47 = msg("EVENT_STOPSYS", part67); + +var part68 = // "Pattern{Field(info,false)}" +match_copy("MESSAGE#44:EVENT_UNKNOWN", "nwparser.payload", "info", processor_chain([ + dup11, + setc("event_description","Unknown Event"), + dup3, + dup4, +])); + +var msg48 = msg("EVENT_UNKNOWN", part68); + +var part69 = // "Pattern{Field(fld1,true), Constant(' '), Field(fld10,true), Constant(' Adding '), Field(p0,false)}" +match("MESSAGE#45:PITBOSS_Message1/1_0", "nwparser.p0", "%{fld1->} %{fld10->} Adding %{p0}"); + +var part70 = // "Pattern{Constant('Adding '), Field(p0,false)}" +match("MESSAGE#45:PITBOSS_Message1/1_1", "nwparser.p0", "Adding %{p0}"); + +var select23 = linear_select([ + part69, + part70, +]); + +var all20 = all_match({ + processors: [ + dup42, + select23, + dup43, + ], + on_success: processor_chain([ + dup2, + setc("event_description","Pitboss watch is added"), + dup3, + dup4, + ]), +}); + +var msg49 = msg("PITBOSS_Message1", all20); + +var part71 = // "Pattern{Field(fld1,true), Constant(' '), Field(fld10,true), Constant(' Deleting '), Field(p0,false)}" +match("MESSAGE#46:PITBOSS_Message2/1_0", "nwparser.p0", "%{fld1->} %{fld10->} Deleting %{p0}"); + +var part72 = // "Pattern{Constant('Deleting '), Field(p0,false)}" +match("MESSAGE#46:PITBOSS_Message2/1_1", "nwparser.p0", "Deleting %{p0}"); + +var select24 = linear_select([ + part71, + part72, +]); + +var all21 = all_match({ + processors: [ + dup42, + select24, + dup23, + ], + on_success: processor_chain([ + dup2, + setc("event_description","Pitboss watch is deleted"), + dup3, + dup4, + ]), +}); + +var msg50 = msg("PITBOSS_Message2", all21); + +var part73 = // "Pattern{Constant('"'), Field(fld1,true), Constant(' '), Field(fld10,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#47:PITBOSS_Message3/0", "nwparser.payload", "\"%{fld1->} %{fld10->} %{p0}"); + +var part74 = // "Pattern{Constant('Pitboss policy is'), Field(p0,false)}" +match("MESSAGE#47:PITBOSS_Message3/1_0", "nwparser.p0", "Pitboss policy is%{p0}"); + +var part75 = // "Pattern{Constant('PB_OP_CHANGE_POLICY new policy'), Field(p0,false)}" +match("MESSAGE#47:PITBOSS_Message3/1_1", "nwparser.p0", "PB_OP_CHANGE_POLICY new policy%{p0}"); + +var part76 = // "Pattern{Constant('pb_op_longer_hb'), Field(p0,false)}" +match("MESSAGE#47:PITBOSS_Message3/1_2", "nwparser.p0", "pb_op_longer_hb%{p0}"); + +var select25 = linear_select([ + part74, + part75, + part76, +]); + +var part77 = // "Pattern{Field(,true), Constant(' '), Field(info,false), Constant('"')}" +match("MESSAGE#47:PITBOSS_Message3/2", "nwparser.p0", "%{} %{info}\""); + +var all22 = all_match({ + processors: [ + part73, + select25, + part77, + ], + on_success: processor_chain([ + dup2, + setc("event_description","Pitboss policy"), + dup3, + dup4, + dup44, + ]), +}); + +var msg51 = msg("PITBOSS_Message3", all22); + +var part78 = // "Pattern{Field(fld1,true), Constant(' '), Field(fld10,true), Constant(' process '), Field(p0,false)}" +match("MESSAGE#48:PITBOSS_Message4/1_0", "nwparser.p0", "%{fld1->} %{fld10->} process %{p0}"); + +var part79 = // "Pattern{Constant('process '), Field(p0,false)}" +match("MESSAGE#48:PITBOSS_Message4/1_1", "nwparser.p0", "process %{p0}"); + +var select26 = linear_select([ + part78, + part79, +]); + +var all23 = all_match({ + processors: [ + dup42, + select26, + dup43, + ], + on_success: processor_chain([ + dup2, + dup45, + dup3, + dup4, + dup44, + ]), +}); + +var msg52 = msg("PITBOSS_Message4", all23); + +var part80 = // "Pattern{Field(fld1,true), Constant(' '), Field(fld10,true), Constant(' New '), Field(p0,false)}" +match("MESSAGE#49:PITBOSS_Message5/1_0", "nwparser.p0", "%{fld1->} %{fld10->} New %{p0}"); + +var part81 = // "Pattern{Constant('New '), Field(p0,false)}" +match("MESSAGE#49:PITBOSS_Message5/1_1", "nwparser.p0", "New %{p0}"); + +var select27 = linear_select([ + part80, + part81, +]); + +var all24 = all_match({ + processors: [ + dup42, + select27, + dup43, + ], + on_success: processor_chain([ + dup2, + dup45, + dup3, + dup4, + dup44, + ]), +}); + +var msg53 = msg("PITBOSS_Message5", all24); + +var select28 = linear_select([ + msg49, + msg50, + msg51, + msg52, + msg53, +]); + +var part82 = // "Pattern{Constant('"IMI: '), Field(event_description,true), Constant(' : nodeID('), Field(fld1,false), Constant(') IP('), Field(saddr,false), Constant(') instance('), Field(fld2,false), Constant(') Configuration Coordinator('), Field(fld3,false), Constant(') Nodeset('), Field(fld4,false), Constant(')"')}" +match("MESSAGE#50:ROUTING_Message", "nwparser.payload", "\"IMI: %{event_description->} : nodeID(%{fld1}) IP(%{saddr}) instance(%{fld2}) Configuration Coordinator(%{fld3}) Nodeset(%{fld4})\"", processor_chain([ + dup9, + dup4, +])); + +var msg54 = msg("ROUTING_Message", part82); + +var msg55 = msg("ROUTING_Message:01", dup113); + +var part83 = // "Pattern{Constant('"'), Field(fld1,true), Constant(' started"')}" +match("MESSAGE#52:ROUTING_Message:02", "nwparser.payload", "\"%{fld1->} started\"", processor_chain([ + dup9, + dup4, +])); + +var msg56 = msg("ROUTING_Message:02", part83); + +var select29 = linear_select([ + msg54, + msg55, + msg56, +]); + +var part84 = // "Pattern{Field(obj_type,true), Constant(' Command "'), Field(action,false), Constant('" '), Field(info,false)}" +match("MESSAGE#53:ROUTING_ZEBOS_CMD_EXECUTED", "nwparser.payload", "%{obj_type->} Command \"%{action}\" %{info}", processor_chain([ + dup2, + setc("event_description","User has executed a command in ZebOS(vtysh)"), + dup3, + dup4, +])); + +var msg57 = msg("ROUTING_ZEBOS_CMD_EXECUTED", part84); + +var part85 = // "Pattern{Field(obj_type,true), Constant(' ( '), Field(space,false), Constant('entityName = "'), Field(p0,false)}" +match("MESSAGE#54:SNMP_TRAP_SENT7/0", "nwparser.payload", "%{obj_type->} ( %{space}entityName = \"%{p0}"); + +var part86 = // "Pattern{Field(obj_name,false), Constant('('), Field(info,false), Constant('...",'), Field(p0,false)}" +match("MESSAGE#54:SNMP_TRAP_SENT7/1_0", "nwparser.p0", "%{obj_name}(%{info}...\",%{p0}"); + +var part87 = // "Pattern{Field(obj_name,false), Constant('...",'), Field(p0,false)}" +match("MESSAGE#54:SNMP_TRAP_SENT7/1_1", "nwparser.p0", "%{obj_name}...\",%{p0}"); + +var select30 = linear_select([ + part86, + part87, +]); + +var part88 = // "Pattern{Field(,false), Constant('alarmEntityCurState = '), Field(event_state,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#54:SNMP_TRAP_SENT7/2", "nwparser.p0", "%{}alarmEntityCurState = %{event_state}, %{p0}"); + +var part89 = // "Pattern{Constant('svcServiceFullName.'), Field(fld2,true), Constant(' = "'), Field(service,false), Constant('", nsPartitionName = '), Field(fld4,false), Constant(')')}" +match("MESSAGE#54:SNMP_TRAP_SENT7/3_0", "nwparser.p0", "svcServiceFullName.%{fld2->} = \"%{service}\", nsPartitionName = %{fld4})"); + +var part90 = // "Pattern{Constant('vsvrFullName.'), Field(fld3,true), Constant(' = "'), Field(obj_server,false), Constant('", nsPartitionName = '), Field(fld4,false), Constant(')')}" +match("MESSAGE#54:SNMP_TRAP_SENT7/3_1", "nwparser.p0", "vsvrFullName.%{fld3->} = \"%{obj_server}\", nsPartitionName = %{fld4})"); + +var part91 = // "Pattern{Constant('svcGrpMemberFullName.'), Field(fld6,true), Constant(' = "'), Field(fld7,false), Constant('", nsPartitionName = '), Field(fld4,false), Constant(')')}" +match("MESSAGE#54:SNMP_TRAP_SENT7/3_2", "nwparser.p0", "svcGrpMemberFullName.%{fld6->} = \"%{fld7}\", nsPartitionName = %{fld4})"); + +var select31 = linear_select([ + part89, + part90, + part91, + dup46, +]); + +var all25 = all_match({ + processors: [ + part85, + select30, + part88, + select31, + ], + on_success: processor_chain([ + dup11, + dup47, + dup10, + dup4, + ]), +}); + +var msg58 = msg("SNMP_TRAP_SENT7", all25); + +var part92 = // "Pattern{Field(obj_type,true), Constant(' ( entityName = "'), Field(obj_name,false), Constant('...", sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#55:SNMP_TRAP_SENT8", "nwparser.payload", "%{obj_type->} ( entityName = \"%{obj_name}...\", sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup4, +])); + +var msg59 = msg("SNMP_TRAP_SENT8", part92); + +var part93 = // "Pattern{Field(obj_type,true), Constant(' ( haNicsMonitorFailed = '), Field(obj_name,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#56:SNMP_TRAP_SENT9", "nwparser.payload", "%{obj_type->} ( haNicsMonitorFailed = %{obj_name}, sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup4, +])); + +var msg60 = msg("SNMP_TRAP_SENT9", part93); + +var part94 = // "Pattern{Field(obj_type,true), Constant(' ( '), Field(space,false), Constant('haPeerSystemState = "'), Field(event_state,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#57:SNMP_TRAP_SENT10", "nwparser.payload", "%{obj_type->} ( %{space}haPeerSystemState = \"%{event_state}\", sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg61 = msg("SNMP_TRAP_SENT10", part94); + +var part95 = // "Pattern{Field(obj_type,true), Constant(' ( sysHealthDiskName = "'), Field(obj_name,false), Constant('", sysHealthDiskPerusage = '), Field(fld2,false), Constant(', alarmHighThreshold = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#58:SNMP_TRAP_SENT11", "nwparser.payload", "%{obj_type->} ( sysHealthDiskName = \"%{obj_name}\", sysHealthDiskPerusage = %{fld2}, alarmHighThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg62 = msg("SNMP_TRAP_SENT11", part95); + +var part96 = // "Pattern{Field(obj_type,true), Constant(' ( vsvrName = "'), Field(dclass_counter1_string,false), Constant('", vsvrRequestRate = "'), Field(dclass_counter1,false), Constant('", alarmHighThreshold = '), Field(dclass_counter2,false), Constant(', vsvrFullName = "'), Field(fld1,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#59:SNMP_TRAP_SENT12", "nwparser.payload", "%{obj_type->} ( vsvrName = \"%{dclass_counter1_string}\", vsvrRequestRate = \"%{dclass_counter1}\", alarmHighThreshold = %{dclass_counter2}, vsvrFullName = \"%{fld1}\", sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg63 = msg("SNMP_TRAP_SENT12", part96); + +var part97 = // "Pattern{Field(obj_type,true), Constant(' ( monServiceName = "'), Field(fld1,false), Constant('", monitorName = "'), Field(dclass_counter1_string,false), Constant('", responseTimeoutThreshold = '), Field(dclass_counter1,false), Constant(', alarmMonrespto = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#60:SNMP_TRAP_SENT13", "nwparser.payload", "%{obj_type->} ( monServiceName = \"%{fld1}\", monitorName = \"%{dclass_counter1_string}\", responseTimeoutThreshold = %{dclass_counter1}, alarmMonrespto = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg64 = msg("SNMP_TRAP_SENT13", part97); + +var part98 = // "Pattern{Field(obj_type,true), Constant(' ( sysHealthCounterName = "'), Field(dclass_counter1_string,false), Constant('", sysHealthCounterValue = '), Field(dclass_counter1,false), Constant(', alarmNormalThreshold = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#61:SNMP_TRAP_SENT14", "nwparser.payload", "%{obj_type->} ( sysHealthCounterName = \"%{dclass_counter1_string}\", sysHealthCounterValue = %{dclass_counter1}, alarmNormalThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg65 = msg("SNMP_TRAP_SENT14", part98); + +var part99 = // "Pattern{Field(obj_type,true), Constant(' ( sysHealthCounterName = "'), Field(dclass_counter1_string,false), Constant('", sysHealthCounterValue = '), Field(dclass_counter1,false), Constant(', alarmLowThreshold = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#62:SNMP_TRAP_SENT15", "nwparser.payload", "%{obj_type->} ( sysHealthCounterName = \"%{dclass_counter1_string}\", sysHealthCounterValue = %{dclass_counter1}, alarmLowThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg66 = msg("SNMP_TRAP_SENT15", part99); + +var part100 = // "Pattern{Field(obj_type,true), Constant(' ( sysHealthCounterName = "'), Field(dclass_counter1_string,false), Constant('", sysHealthCounterValue = '), Field(dclass_counter1,false), Constant(', alarmHighThreshold = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#63:SNMP_TRAP_SENT16", "nwparser.payload", "%{obj_type->} ( sysHealthCounterName = \"%{dclass_counter1_string}\", sysHealthCounterValue = %{dclass_counter1}, alarmHighThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg67 = msg("SNMP_TRAP_SENT16", part100); + +var part101 = // "Pattern{Field(obj_type,true), Constant(' ( alarmRateLmtThresholdExceeded = "'), Field(obj_name,false), Constant(': "'), Field(info,false), Constant('...", ipAddressGathered = "'), Field(fld1,false), Constant('", stringComputed = "'), Field(fld2,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#64:SNMP_TRAP_SENT17", "nwparser.payload", "%{obj_type->} ( alarmRateLmtThresholdExceeded = \"%{obj_name}: \"%{info}...\", ipAddressGathered = \"%{fld1}\", stringComputed = \"%{fld2}\", sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg68 = msg("SNMP_TRAP_SENT17", part101); + +var part102 = // "Pattern{Field(obj_type,true), Constant(' ( entityName = "'), Field(obj_name,true), Constant(' ('), Field(p0,false)}" +match("MESSAGE#65:SNMP_TRAP_SENT/0", "nwparser.payload", "%{obj_type->} ( entityName = \"%{obj_name->} (%{p0}"); + +var part103 = // "Pattern{Field(info,false), Constant('..." '), Field(p0,false)}" +match("MESSAGE#65:SNMP_TRAP_SENT/1_0", "nwparser.p0", "%{info}...\" %{p0}"); + +var part104 = // "Pattern{Field(info,false), Constant('" '), Field(p0,false)}" +match("MESSAGE#65:SNMP_TRAP_SENT/1_1", "nwparser.p0", "%{info}\" %{p0}"); + +var select32 = linear_select([ + part103, + part104, +]); + +var part105 = // "Pattern{Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#65:SNMP_TRAP_SENT/2", "nwparser.p0", ", sysIpAddress = %{hostip})"); + +var all26 = all_match({ + processors: [ + part102, + select32, + part105, + ], + on_success: processor_chain([ + dup9, + dup47, + dup10, + dup4, + ]), +}); + +var msg69 = msg("SNMP_TRAP_SENT", all26); + +var part106 = // "Pattern{Field(obj_type,true), Constant(' ( appfwLogMsg = '), Field(obj_name,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#66:SNMP_TRAP_SENT6", "nwparser.payload", "%{obj_type->} ( appfwLogMsg = %{obj_name}, sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg70 = msg("SNMP_TRAP_SENT6", part106); + +var part107 = // "Pattern{Field(obj_type,true), Constant(' ( '), Field(space,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#67:SNMP_TRAP_SENT5/0", "nwparser.payload", "%{obj_type->} ( %{space->} %{p0}"); + +var part108 = // "Pattern{Constant('partition id = '), Field(fld12,false), Constant(', nsUserName = "'), Field(p0,false)}" +match("MESSAGE#67:SNMP_TRAP_SENT5/1_0", "nwparser.p0", "partition id = %{fld12}, nsUserName = \"%{p0}"); + +var part109 = // "Pattern{Constant('nsUserName = "'), Field(p0,false)}" +match("MESSAGE#67:SNMP_TRAP_SENT5/1_1", "nwparser.p0", "nsUserName = \"%{p0}"); + +var select33 = linear_select([ + part108, + part109, +]); + +var part110 = // "Pattern{Constant('",'), Field(username,true), Constant(' configurationCmd = "'), Field(action,false), Constant('", authorizationStatus = '), Field(event_state,false), Constant(', commandExecutionStatus = '), Field(disposition,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#67:SNMP_TRAP_SENT5/2", "nwparser.p0", "\",%{username->} configurationCmd = \"%{action}\", authorizationStatus = %{event_state}, commandExecutionStatus = %{disposition}, %{p0}"); + +var part111 = // "Pattern{Constant('commandFailureReason = "'), Field(result,false), Constant('", nsClientIPAddr = '), Field(saddr,false), Constant(', sysIpAddress ='), Field(hostip,false), Constant(')')}" +match("MESSAGE#67:SNMP_TRAP_SENT5/3_0", "nwparser.p0", "commandFailureReason = \"%{result}\", nsClientIPAddr = %{saddr}, sysIpAddress =%{hostip})"); + +var part112 = // "Pattern{Constant('commandFailureReason = "'), Field(result,false), Constant('", nsClientIPAddr = '), Field(saddr,false), Constant(', nsPartitionName = '), Field(fld1,false), Constant(')')}" +match("MESSAGE#67:SNMP_TRAP_SENT5/3_1", "nwparser.p0", "commandFailureReason = \"%{result}\", nsClientIPAddr = %{saddr}, nsPartitionName = %{fld1})"); + +var part113 = // "Pattern{Constant('nsClientIPAddr = '), Field(saddr,false), Constant(', nsPartitionName = '), Field(fld1,false), Constant(')')}" +match("MESSAGE#67:SNMP_TRAP_SENT5/3_2", "nwparser.p0", "nsClientIPAddr = %{saddr}, nsPartitionName = %{fld1})"); + +var part114 = // "Pattern{Constant('nsClientIPAddr = '), Field(saddr,false), Constant(', sysIpAddress ='), Field(hostip,true), Constant(' )')}" +match("MESSAGE#67:SNMP_TRAP_SENT5/3_3", "nwparser.p0", "nsClientIPAddr = %{saddr}, sysIpAddress =%{hostip->} )"); + +var part115 = // "Pattern{Constant('sysIpAddress ='), Field(hostip,false), Constant(')')}" +match("MESSAGE#67:SNMP_TRAP_SENT5/3_4", "nwparser.p0", "sysIpAddress =%{hostip})"); + +var select34 = linear_select([ + part111, + part112, + part113, + part114, + part115, +]); + +var all27 = all_match({ + processors: [ + part107, + select33, + part110, + select34, + ], + on_success: processor_chain([ + dup9, + dup47, + dup10, + dup4, + ]), +}); + +var msg71 = msg("SNMP_TRAP_SENT5", all27); + +var part116 = // "Pattern{Field(obj_type,true), Constant(' ( nsUserName = "'), Field(username,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#68:SNMP_TRAP_SENT1", "nwparser.payload", "%{obj_type->} ( nsUserName = \"%{username}\", sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + setf("obj_name","username"), + dup10, + dup4, +])); + +var msg72 = msg("SNMP_TRAP_SENT1", part116); + +var part117 = // "Pattern{Field(obj_type,true), Constant(' ( nsCPUusage = '), Field(dclass_counter1,false), Constant(', alarm '), Field(trigger_val,true), Constant(' = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#69:SNMP_TRAP_SENT2", "nwparser.payload", "%{obj_type->} ( nsCPUusage = %{dclass_counter1}, alarm %{trigger_val->} = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg73 = msg("SNMP_TRAP_SENT2", part117); + +var part118 = // "Pattern{Field(obj_type,true), Constant(' ( sysHealthDiskName = "'), Field(filename,false), Constant('", sysHealthDiskPerusage = '), Field(dclass_counter1,false), Constant(', alarmNormalThreshold = '), Field(dclass_counter2,false), Constant(', sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#70:SNMP_TRAP_SENT3", "nwparser.payload", "%{obj_type->} ( sysHealthDiskName = \"%{filename}\", sysHealthDiskPerusage = %{dclass_counter1}, alarmNormalThreshold = %{dclass_counter2}, sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg74 = msg("SNMP_TRAP_SENT3", part118); + +var part119 = // "Pattern{Field(obj_type,true), Constant(' ( sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#71:SNMP_TRAP_SENT4", "nwparser.payload", "%{obj_type->} ( sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg75 = msg("SNMP_TRAP_SENT4", part119); + +var part120 = // "Pattern{Field(obj_type,true), Constant(' (entityName = "'), Field(obj_name,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#72:SNMP_TRAP_SENT18", "nwparser.payload", "%{obj_type->} (entityName = \"%{obj_name}\", sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup4, +])); + +var msg76 = msg("SNMP_TRAP_SENT18", part120); + +var part121 = // "Pattern{Field(obj_type,true), Constant(' ( '), Field(space,true), Constant(' nsUserName = "'), Field(username,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#73:SNMP_TRAP_SENT19", "nwparser.payload", "%{obj_type->} ( %{space->} nsUserName = \"%{username}\", sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg77 = msg("SNMP_TRAP_SENT19", part121); + +var part122 = // "Pattern{Field(obj_type,true), Constant(' (partition id = '), Field(fld12,false), Constant(', entityName = "'), Field(p0,false)}" +match("MESSAGE#74:SNMP_TRAP_SENT21/0", "nwparser.payload", "%{obj_type->} (partition id = %{fld12}, entityName = \"%{p0}"); + +var part123 = // "Pattern{Field(obj_name,false), Constant('('), Field(fld4,false), Constant('...", '), Field(p0,false)}" +match("MESSAGE#74:SNMP_TRAP_SENT21/1_0", "nwparser.p0", "%{obj_name}(%{fld4}...\", %{p0}"); + +var part124 = // "Pattern{Field(obj_name,false), Constant('...", '), Field(p0,false)}" +match("MESSAGE#74:SNMP_TRAP_SENT21/1_1", "nwparser.p0", "%{obj_name}...\", %{p0}"); + +var select35 = linear_select([ + part123, + part124, +]); + +var part125 = // "Pattern{Constant('svcGrpMemberFullName.'), Field(fld2,true), Constant(' = "'), Field(fld3,false), Constant('", sysIpAddress = '), Field(hostip,true), Constant(' )')}" +match("MESSAGE#74:SNMP_TRAP_SENT21/2_0", "nwparser.p0", "svcGrpMemberFullName.%{fld2->} = \"%{fld3}\", sysIpAddress = %{hostip->} )"); + +var part126 = // "Pattern{Constant('vsvrFullName.'), Field(fld2,true), Constant(' = "'), Field(fld3,false), Constant('", sysIpAddress = '), Field(hostip,true), Constant(' )')}" +match("MESSAGE#74:SNMP_TRAP_SENT21/2_1", "nwparser.p0", "vsvrFullName.%{fld2->} = \"%{fld3}\", sysIpAddress = %{hostip->} )"); + +var part127 = // "Pattern{Constant('sysIpAddress = '), Field(hostip,true), Constant(' )')}" +match("MESSAGE#74:SNMP_TRAP_SENT21/2_2", "nwparser.p0", "sysIpAddress = %{hostip->} )"); + +var select36 = linear_select([ + part125, + part126, + part127, +]); + +var all28 = all_match({ + processors: [ + part122, + select35, + select36, + ], + on_success: processor_chain([ + dup9, + dup47, + dup10, + dup4, + ]), +}); + +var msg78 = msg("SNMP_TRAP_SENT21", all28); + +var part128 = // "Pattern{Field(obj_type,true), Constant(' (entityName = "'), Field(p0,false)}" +match("MESSAGE#75:SNMP_TRAP_SENT22/0", "nwparser.payload", "%{obj_type->} (entityName = \"%{p0}"); + +var part129 = // "Pattern{Field(obj_name,false), Constant('..." '), Field(p0,false)}" +match("MESSAGE#75:SNMP_TRAP_SENT22/1_0", "nwparser.p0", "%{obj_name}...\" %{p0}"); + +var part130 = // "Pattern{Field(obj_name,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#75:SNMP_TRAP_SENT22/1_1", "nwparser.p0", "%{obj_name}\"%{p0}"); + +var select37 = linear_select([ + part129, + part130, +]); + +var part131 = // "Pattern{Constant(', '), Field(p0,false)}" +match("MESSAGE#75:SNMP_TRAP_SENT22/2", "nwparser.p0", ", %{p0}"); + +var part132 = // "Pattern{Constant('svcGrpMemberFullName.'), Field(p0,false)}" +match("MESSAGE#75:SNMP_TRAP_SENT22/3_0", "nwparser.p0", "svcGrpMemberFullName.%{p0}"); + +var part133 = // "Pattern{Constant('vsvrFullName.'), Field(p0,false)}" +match("MESSAGE#75:SNMP_TRAP_SENT22/3_1", "nwparser.p0", "vsvrFullName.%{p0}"); + +var part134 = // "Pattern{Constant('svcServiceFullName.'), Field(p0,false)}" +match("MESSAGE#75:SNMP_TRAP_SENT22/3_2", "nwparser.p0", "svcServiceFullName.%{p0}"); + +var select38 = linear_select([ + part132, + part133, + part134, +]); + +var part135 = // "Pattern{Field(fld2,true), Constant(' = "'), Field(fld3,false), Constant('", nsPartitionName = '), Field(fld1,false), Constant(')')}" +match("MESSAGE#75:SNMP_TRAP_SENT22/4", "nwparser.p0", "%{fld2->} = \"%{fld3}\", nsPartitionName = %{fld1})"); + +var all29 = all_match({ + processors: [ + part128, + select37, + part131, + select38, + part135, + ], + on_success: processor_chain([ + dup9, + dup47, + dup10, + dup4, + ]), +}); + +var msg79 = msg("SNMP_TRAP_SENT22", all29); + +var part136 = // "Pattern{Field(obj_type,true), Constant(' (platformRateLimitPacketDropCount = '), Field(dclass_counter1,false), Constant(', platformLicensedThroughput = '), Field(fld2,false), Constant(', nsPartitionName = '), Field(fld3,false), Constant(')')}" +match("MESSAGE#76:SNMP_TRAP_SENT23", "nwparser.payload", "%{obj_type->} (platformRateLimitPacketDropCount = %{dclass_counter1}, platformLicensedThroughput = %{fld2}, nsPartitionName = %{fld3})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg80 = msg("SNMP_TRAP_SENT23", part136); + +var part137 = // "Pattern{Field(obj_type,true), Constant(' (vsvrName.'), Field(fld2,true), Constant(' = "'), Field(fld3,false), Constant('", vsvrCurSoValue = '), Field(fld4,false), Constant(', vsvrSoMethod = "'), Field(fld5,false), Constant('", vsvrSoThresh = "'), Field(info,false), Constant('", vsvrFullName.'), Field(fld6,true), Constant(' = "'), Field(fld7,false), Constant('", nsPartitionName = '), Field(fld8,false), Constant(')')}" +match("MESSAGE#77:SNMP_TRAP_SENT24", "nwparser.payload", "%{obj_type->} (vsvrName.%{fld2->} = \"%{fld3}\", vsvrCurSoValue = %{fld4}, vsvrSoMethod = \"%{fld5}\", vsvrSoThresh = \"%{info}\", vsvrFullName.%{fld6->} = \"%{fld7}\", nsPartitionName = %{fld8})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg81 = msg("SNMP_TRAP_SENT24", part137); + +var part138 = // "Pattern{Field(obj_type,true), Constant(' ('), Field(p0,false)}" +match("MESSAGE#78:SNMP_TRAP_SENT25/0", "nwparser.payload", "%{obj_type->} (%{p0}"); + +var part139 = // "Pattern{Constant('partition id = '), Field(fld12,false), Constant(', sslCertKeyName.'), Field(p0,false)}" +match("MESSAGE#78:SNMP_TRAP_SENT25/1_0", "nwparser.p0", "partition id = %{fld12}, sslCertKeyName.%{p0}"); + +var part140 = // "Pattern{Constant(' sslCertKeyName.'), Field(p0,false)}" +match("MESSAGE#78:SNMP_TRAP_SENT25/1_1", "nwparser.p0", " sslCertKeyName.%{p0}"); + +var select39 = linear_select([ + part139, + part140, +]); + +var part141 = // "Pattern{Constant('",'), Field(fld2,true), Constant(' = "'), Field(fld1,true), Constant(' sslDaysToExpire.'), Field(fld3,true), Constant(' = '), Field(dclass_counter1,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#78:SNMP_TRAP_SENT25/2", "nwparser.p0", "\",%{fld2->} = \"%{fld1->} sslDaysToExpire.%{fld3->} = %{dclass_counter1}, %{p0}"); + +var part142 = // "Pattern{Constant('nsPartitionName = '), Field(fld4,false), Constant(')')}" +match("MESSAGE#78:SNMP_TRAP_SENT25/3_0", "nwparser.p0", "nsPartitionName = %{fld4})"); + +var select40 = linear_select([ + part142, + dup46, +]); + +var all30 = all_match({ + processors: [ + part138, + select39, + part141, + select40, + ], + on_success: processor_chain([ + dup9, + dup47, + dup10, + dup4, + ]), +}); + +var msg82 = msg("SNMP_TRAP_SENT25", all30); + +var part143 = // "Pattern{Field(obj_type,true), Constant(' (nsUserName = "'), Field(username,false), Constant('", nsPartitionName = '), Field(fld1,false), Constant(')')}" +match("MESSAGE#79:SNMP_TRAP_SENT26", "nwparser.payload", "%{obj_type->} (nsUserName = \"%{username}\", nsPartitionName = %{fld1})", processor_chain([ + dup9, + dup47, + dup4, +])); + +var msg83 = msg("SNMP_TRAP_SENT26", part143); + +var part144 = // "Pattern{Field(info,true), Constant(' (sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#80:SNMP_TRAP_SENT20", "nwparser.payload", "%{info->} (sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg84 = msg("SNMP_TRAP_SENT20", part144); + +var part145 = // "Pattern{Field(obj_type,false), Constant('(lldpRemLocalPortNum.'), Field(fld1,false), Constant('= "'), Field(fld5,false), Constant('", lldpRemChassisId.'), Field(fld2,false), Constant('= "'), Field(dmacaddr,false), Constant('", lldpRemPortId.'), Field(fld3,false), Constant('= "'), Field(dinterface,false), Constant('", sysIpAddress ='), Field(hostip,false), Constant(')')}" +match("MESSAGE#81:SNMP_TRAP_SENT28", "nwparser.payload", "%{obj_type}(lldpRemLocalPortNum.%{fld1}= \"%{fld5}\", lldpRemChassisId.%{fld2}= \"%{dmacaddr}\", lldpRemPortId.%{fld3}= \"%{dinterface}\", sysIpAddress =%{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg85 = msg("SNMP_TRAP_SENT28", part145); + +var part146 = // "Pattern{Field(obj_type,false), Constant('(haNicMonitorSucceeded = "'), Field(fld1,false), Constant('", sysIpAddress ='), Field(hostip,false), Constant(')')}" +match("MESSAGE#82:SNMP_TRAP_SENT29", "nwparser.payload", "%{obj_type}(haNicMonitorSucceeded = \"%{fld1}\", sysIpAddress =%{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg86 = msg("SNMP_TRAP_SENT29", part146); + +var part147 = // "Pattern{Field(fld1,false), Constant(':StatusPoll:'), Field(fld2,true), Constant(' - Device State changed to '), Field(disposition,true), Constant(' for '), Field(saddr,false)}" +match("MESSAGE#83:SNMP_TRAP_SENT:04", "nwparser.payload", "%{fld1}:StatusPoll:%{fld2->} - Device State changed to %{disposition->} for %{saddr}", processor_chain([ + dup9, + dup4, + setc("event_description","Device State changed"), +])); + +var msg87 = msg("SNMP_TRAP_SENT:04", part147); + +var msg88 = msg("SNMP_TRAP_SENT:05", dup101); + +var part148 = // "Pattern{Field(obj_type,true), Constant(' (appfwLogMsg = "'), Field(obj_name,true), Constant(' '), Field(info,false), Constant('",'), Field(p0,false)}" +match("MESSAGE#136:SNMP_TRAP_SENT:01/0", "nwparser.payload", "%{obj_type->} (appfwLogMsg = \"%{obj_name->} %{info}\",%{p0}"); + +var part149 = // "Pattern{Constant('sysIpAddress = '), Field(hostip,false)}" +match("MESSAGE#136:SNMP_TRAP_SENT:01/1_0", "nwparser.p0", "sysIpAddress = %{hostip}"); + +var part150 = // "Pattern{Constant('nsPartitionName ='), Field(fld1,false)}" +match("MESSAGE#136:SNMP_TRAP_SENT:01/1_1", "nwparser.p0", "nsPartitionName =%{fld1}"); + +var select41 = linear_select([ + part149, + part150, +]); + +var all31 = all_match({ + processors: [ + part148, + select41, + ], + on_success: processor_chain([ + dup9, + dup47, + dup10, + dup4, + ]), +}); + +var msg89 = msg("SNMP_TRAP_SENT:01", all31); + +var part151 = // "Pattern{Field(obj_type,true), Constant(' (haNicsMonitorFailed = "'), Field(fld1,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#143:SNMP_TRAP_SENT:02", "nwparser.payload", "%{obj_type->} (haNicsMonitorFailed = \"%{fld1}\", sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg90 = msg("SNMP_TRAP_SENT:02", part151); + +var part152 = // "Pattern{Field(obj_type,true), Constant(' (partition id = '), Field(fld1,false), Constant(', entityName = "'), Field(obj_name,false), Constant('('), Field(fld31,false), Constant('", svcServiceFullName.'), Field(fld2,true), Constant(' = "'), Field(fld3,false), Constant('", sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#178:SNMP_TRAP_SENT27", "nwparser.payload", "%{obj_type->} (partition id = %{fld1}, entityName = \"%{obj_name}(%{fld31}\", svcServiceFullName.%{fld2->} = \"%{fld3}\", sysIpAddress = %{hostip})", processor_chain([ + dup9, + dup47, + dup10, + dup4, +])); + +var msg91 = msg("SNMP_TRAP_SENT27", part152); + +var part153 = // "Pattern{Field(obj_type,false), Constant('(sysHealthCounterName.PowerSupply1Status = "'), Field(dclass_counter1_string,false), Constant('", sysHealthCounterValue.PowerSupply1Status = '), Field(dclass_counter1,false), Constant(', sysHealthPowerSupplyStatus = "'), Field(result,false), Constant('", sysIpAddress ='), Field(hostip,false), Constant(')')}" +match("MESSAGE#179:SNMP_TRAP_SENT:03", "nwparser.payload", "%{obj_type}(sysHealthCounterName.PowerSupply1Status = \"%{dclass_counter1_string}\", sysHealthCounterValue.PowerSupply1Status = %{dclass_counter1}, sysHealthPowerSupplyStatus = \"%{result}\", sysIpAddress =%{hostip})", processor_chain([ + dup9, + dup47, + dup4, +])); + +var msg92 = msg("SNMP_TRAP_SENT:03", part153); + +var select42 = linear_select([ + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + msg64, + msg65, + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + msg89, + msg90, + msg91, + msg92, +]); + +var part154 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Client IP '), Field(hostip,true), Constant(' - Vserver '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Client_security_expression "CLIENT.REG(''), Field(info,false), Constant('').VALUE == '), Field(trigger_val,true), Constant(' || '), Field(change_new,true), Constant(' - '), Field(result,false)}" +match("MESSAGE#85:SSLVPN_CLISEC_CHECK", "nwparser.payload", "User %{username->} - Client IP %{hostip->} - Vserver %{saddr}:%{sport->} - Client_security_expression \"CLIENT.REG('%{info}').VALUE == %{trigger_val->} || %{change_new->} - %{result}", processor_chain([ + dup9, + dup47, + dup4, +])); + +var msg93 = msg("SSLVPN_CLISEC_CHECK", part154); + +var part155 = // "Pattern{Constant('SPCBId '), Field(sessionid,true), Constant(' - ClientIP '), Field(p0,false)}" +match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/1_1", "nwparser.p0", "SPCBId %{sessionid->} - ClientIP %{p0}"); + +var select43 = linear_select([ + dup49, + part155, +]); + +var part156 = // "Pattern{Field(,true), Constant(' '), Field(saddr,false), Constant('- ClientPort '), Field(sport,true), Constant(' - VserverServiceIP '), Field(daddr,true), Constant(' - VserverServicePort '), Field(dport,true), Constant(' - ClientVersion '), Field(s_sslver,true), Constant(' - CipherSuite "'), Field(s_cipher,false), Constant('" - Reason "'), Field(result,false), Constant('"')}" +match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/2", "nwparser.p0", "%{} %{saddr}- ClientPort %{sport->} - VserverServiceIP %{daddr->} - VserverServicePort %{dport->} - ClientVersion %{s_sslver->} - CipherSuite \"%{s_cipher}\" - Reason \"%{result}\""); + +var all32 = all_match({ + processors: [ + dup48, + select43, + part156, + ], + on_success: processor_chain([ + dup11, + dup40, + dup8, + setc("event_description","SSL Handshake failed"), + dup41, + dup4, + ]), +}); + +var msg94 = msg("SSLLOG_SSL_HANDSHAKE_FAILURE", all32); + +var part157 = // "Pattern{Constant('SPCBId '), Field(sessionid,true), Constant(' ClientIP '), Field(p0,false)}" +match("MESSAGE#87:SSLLOG_SSL_HANDSHAKE_SUCCESS/1_0", "nwparser.p0", "SPCBId %{sessionid->} ClientIP %{p0}"); + +var select44 = linear_select([ + part157, + dup49, +]); + +var part158 = // "Pattern{Constant(''), Field(saddr,true), Constant(' - ClientPort '), Field(sport,true), Constant(' - VserverServiceIP '), Field(daddr,true), Constant(' - VserverServicePort '), Field(dport,true), Constant(' - ClientVersion '), Field(s_sslver,true), Constant(' - CipherSuite "'), Field(s_cipher,false), Constant('" - Session '), Field(info,false)}" +match("MESSAGE#87:SSLLOG_SSL_HANDSHAKE_SUCCESS/2", "nwparser.p0", "%{saddr->} - ClientPort %{sport->} - VserverServiceIP %{daddr->} - VserverServicePort %{dport->} - ClientVersion %{s_sslver->} - CipherSuite \"%{s_cipher}\" - Session %{info}"); + +var all33 = all_match({ + processors: [ + dup48, + select44, + part158, + ], + on_success: processor_chain([ + dup2, + dup40, + setc("ec_outcome","Success"), + setc("event_description","SSL Handshake succeeded"), + dup41, + dup4, + ]), +}); + +var msg95 = msg("SSLLOG_SSL_HANDSHAKE_SUCCESS", all33); + +var part159 = // "Pattern{Constant('SPCBId '), Field(sessionid,true), Constant(' - SubjectName "'), Field(cert_subject,false), Constant('"')}" +match("MESSAGE#88:SSLLOG_SSL_HANDSHAKE_SUBJECTNAME", "nwparser.payload", "SPCBId %{sessionid->} - SubjectName \"%{cert_subject}\"", processor_chain([ + dup9, + dup41, + dup50, +])); + +var msg96 = msg("SSLLOG_SSL_HANDSHAKE_SUBJECTNAME", part159); + +var part160 = // "Pattern{Constant('SPCBId '), Field(sessionid,true), Constant(' - IssuerName "'), Field(fld1,false), Constant('"')}" +match("MESSAGE#89:SSLLOG_SSL_HANDSHAKE_ISSUERNAME", "nwparser.payload", "SPCBId %{sessionid->} - IssuerName \"%{fld1}\"", processor_chain([ + dup9, + dup41, + dup50, +])); + +var msg97 = msg("SSLLOG_SSL_HANDSHAKE_ISSUERNAME", part160); + +var part161 = // "Pattern{Constant('Extracted_groups "'), Field(group,false), Constant('"')}" +match("MESSAGE#90:SSLVPN_AAAEXTRACTED_GROUPS", "nwparser.payload", "Extracted_groups \"%{group}\"", processor_chain([ + dup2, + setc("event_description","The groups extracted after user logs into SSLVPN"), + dup3, + dup4, +])); + +var msg98 = msg("SSLVPN_AAAEXTRACTED_GROUPS", part161); + +var part162 = // "Pattern{Constant('User '), Field(username,true), Constant(' : - Client IP '), Field(hostip,true), Constant(' - Vserver '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Client security expression CLIENT.REG(''), Field(info,false), Constant('') '), Field(p0,false)}" +match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/0", "nwparser.payload", "User %{username->} : - Client IP %{hostip->} - Vserver %{saddr}:%{sport->} - Client security expression CLIENT.REG('%{info}') %{p0}"); + +var part163 = // "Pattern{Constant('EXISTS '), Field(p0,false)}" +match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/1_0", "nwparser.p0", "EXISTS %{p0}"); + +var part164 = // "Pattern{Constant('.VALUE == '), Field(trigger_val,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/1_1", "nwparser.p0", ".VALUE == %{trigger_val->} %{p0}"); + +var select45 = linear_select([ + part163, + part164, +]); + +var part165 = // "Pattern{Constant('evaluated to '), Field(change_new,false), Constant('('), Field(ntype,false), Constant(')')}" +match("MESSAGE#91:SSLVPN_CLISEC_EXP_EVAL/2", "nwparser.p0", "evaluated to %{change_new}(%{ntype})"); + +var all34 = all_match({ + processors: [ + part162, + select45, + part165, + ], + on_success: processor_chain([ + dup2, + setc("event_description","SSLVPN session Client Security expression EXISTS and evaluated"), + dup3, + dup4, + ]), +}); + +var msg99 = msg("SSLVPN_CLISEC_EXP_EVAL", all34); + +var part166 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - '), Field(p0,false)}" +match("MESSAGE#92:SSLVPN_HTTPREQUEST/0", "nwparser.payload", "Context %{fld1->} - %{p0}"); + +var part167 = // "Pattern{Constant('SessionId: '), Field(sessionid,true), Constant(' User '), Field(p0,false)}" +match("MESSAGE#92:SSLVPN_HTTPREQUEST/1_0", "nwparser.p0", "SessionId: %{sessionid->} User %{p0}"); + +var part168 = // "Pattern{Field(fld5,true), Constant(' User '), Field(p0,false)}" +match("MESSAGE#92:SSLVPN_HTTPREQUEST/1_1", "nwparser.p0", "%{fld5->} User %{p0}"); + +var select46 = linear_select([ + part167, + part168, +]); + +var part169 = // "Pattern{Field(username,true), Constant(' : Group(s) '), Field(group,true), Constant(' : '), Field(p0,false)}" +match("MESSAGE#92:SSLVPN_HTTPREQUEST/2", "nwparser.p0", "%{username->} : Group(s) %{group->} : %{p0}"); + +var part170 = // "Pattern{Constant('Vserver '), Field(hostip,true), Constant(' - '), Field(fld6,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#92:SSLVPN_HTTPREQUEST/3_0", "nwparser.p0", "Vserver %{hostip->} - %{fld6->} %{p0}"); + +var part171 = // "Pattern{Constant('- '), Field(fld7,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#92:SSLVPN_HTTPREQUEST/3_1", "nwparser.p0", "- %{fld7->} %{p0}"); + +var select47 = linear_select([ + part170, + part171, +]); + +var part172 = // "Pattern{Constant('GMT '), Field(web_method,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#92:SSLVPN_HTTPREQUEST/4_0", "nwparser.p0", "GMT %{web_method->} %{p0}"); + +var part173 = // "Pattern{Field(web_method,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#92:SSLVPN_HTTPREQUEST/4_1", "nwparser.p0", "%{web_method->} %{p0}"); + +var select48 = linear_select([ + part172, + part173, +]); + +var part174 = // "Pattern{Field(url,true), Constant(' '), Field(fld8,false)}" +match("MESSAGE#92:SSLVPN_HTTPREQUEST/5", "nwparser.p0", "%{url->} %{fld8}"); + +var all35 = all_match({ + processors: [ + part166, + select46, + part169, + select47, + select48, + part174, + ], + on_success: processor_chain([ + dup2, + dup51, + setc("event_description","SSLVPN session receives a HTTP request"), + dup3, + dup4, + ]), +}); + +var msg100 = msg("SSLVPN_HTTPREQUEST", all35); + +var part175 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Start_time '), Field(p0,false)}" +match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Start_time %{p0}"); + +var part176 = // "Pattern{Field(duration_string,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Total_compressedbytes_send '), Field(comp_sbytes,true), Constant(' - Total_compressedbytes_recv '), Field(comp_rbytes,true), Constant(' - Compression_ratio_send '), Field(dclass_ratio1,true), Constant(' - Compression_ratio_recv '), Field(dclass_ratio2,false)}" +match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/3", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2}"); + +var all36 = all_match({ + processors: [ + part175, + dup102, + dup103, + part176, + ], + on_success: processor_chain([ + dup9, + dup58, + dup59, + dup60, + dup3, + dup61, + dup62, + dup4, + ]), +}); + +var msg101 = msg("SSLVPN_ICAEND_CONNSTAT", all36); + +var part177 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - username:domainname '), Field(username,false), Constant(':'), Field(ddomain,true), Constant(' - startTime '), Field(p0,false)}" +match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - username:domainname %{username}:%{ddomain->} - startTime %{p0}"); + +var part178 = // "Pattern{Constant('" '), Field(fld10,true), Constant(' GMT" - endTime '), Field(p0,false)}" +match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - endTime %{p0}"); + +var part179 = // "Pattern{Constant('" '), Field(fld10,false), Constant('" - endTime '), Field(p0,false)}" +match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/1_1", "nwparser.p0", "\" %{fld10}\" - endTime %{p0}"); + +var part180 = // "Pattern{Field(fld10,true), Constant(' - endTime '), Field(p0,false)}" +match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/1_2", "nwparser.p0", "%{fld10->} - endTime %{p0}"); + +var select49 = linear_select([ + part178, + part179, + part180, +]); + +var part181 = // "Pattern{Field(duration_string,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Total_compressedbytes_send '), Field(comp_sbytes,true), Constant(' - Total_compressedbytes_recv '), Field(comp_rbytes,true), Constant(' - Compression_ratio_send '), Field(dclass_ratio1,true), Constant(' - Compression_ratio_recv '), Field(dclass_ratio2,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/3", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} %{p0}"); + +var part182 = // "Pattern{Constant('- connectionId '), Field(connectionid,false)}" +match("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/4_0", "nwparser.p0", "- connectionId %{connectionid}"); + +var part183 = // "Pattern{Field(fld2,false)}" +match_copy("MESSAGE#139:SSLVPN_ICAEND_CONNSTAT:01/4_1", "nwparser.p0", "fld2"); + +var select50 = linear_select([ + part182, + part183, +]); + +var all37 = all_match({ + processors: [ + part177, + select49, + dup103, + part181, + select50, + ], + on_success: processor_chain([ + dup9, + dup58, + dup59, + dup60, + dup3, + dup61, + dup62, + dup4, + ]), +}); + +var msg102 = msg("SSLVPN_ICAEND_CONNSTAT:01", all37); + +var select51 = linear_select([ + msg101, + msg102, +]); + +var part184 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Browser_type '), Field(fld2,true), Constant(' - SSLVPN_client_type '), Field(info,true), Constant(' - Group(s) "'), Field(group,false), Constant('"')}" +match("MESSAGE#94:SSLVPN_LOGIN/4", "nwparser.p0", "%{daddr}:%{dport->} - Browser_type %{fld2->} - SSLVPN_client_type %{info->} - Group(s) \"%{group}\""); + +var all38 = all_match({ + processors: [ + dup48, + dup104, + dup66, + dup105, + part184, + ], + on_success: processor_chain([ + dup69, + dup6, + dup7, + setc("event_description","SSLVPN login succeeds"), + dup3, + dup4, + ]), +}); + +var msg103 = msg("SSLVPN_LOGIN", all38); + +var part185 = // "Pattern{Field(duration_string,true), Constant(' - Http_resources_accessed '), Field(fld3,true), Constant(' - NonHttp_services_accessed '), Field(fld4,true), Constant(' - Total_TCP_connections '), Field(fld5,true), Constant(' - Total_UDP_flows '), Field(fld6,true), Constant(' - Total_policies_allowed '), Field(fld7,true), Constant(' - Total_policies_denied '), Field(fld8,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Total_compressedbytes_send '), Field(comp_sbytes,true), Constant(' - Total_compressedbytes_recv '), Field(comp_rbytes,true), Constant(' - Compression_ratio_send '), Field(dclass_ratio1,true), Constant(' - Compression_ratio_recv '), Field(dclass_ratio2,true), Constant(' - LogoutMethod "'), Field(result,false), Constant('" - Group(s) "'), Field(group,false), Constant('"')}" +match("MESSAGE#95:SSLVPN_LOGOUT/7", "nwparser.p0", "%{duration_string->} - Http_resources_accessed %{fld3->} - NonHttp_services_accessed %{fld4->} - Total_TCP_connections %{fld5->} - Total_UDP_flows %{fld6->} - Total_policies_allowed %{fld7->} - Total_policies_denied %{fld8->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} - LogoutMethod \"%{result}\" - Group(s) \"%{group}\""); + +var all39 = all_match({ + processors: [ + dup48, + dup104, + dup66, + dup105, + dup70, + dup102, + dup103, + part185, + ], + on_success: processor_chain([ + dup71, + dup72, + dup7, + setc("event_description","SSLVPN session logs out"), + dup59, + dup60, + setc("event_description"," Default Event"), + dup3, + dup61, + dup62, + dup4, + ]), +}); + +var msg104 = msg("SSLVPN_LOGOUT", all39); + +var part186 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Last_contact '), Field(fld2,true), Constant(' - Group(s) "'), Field(group,false), Constant('"')}" +match("MESSAGE#96:SSLVPN_TCPCONN_TIMEDOUT/4", "nwparser.p0", "%{daddr}:%{dport->} - Last_contact %{fld2->} - Group(s) \"%{group}\""); + +var all40 = all_match({ + processors: [ + dup48, + dup104, + dup66, + dup105, + part186, + ], + on_success: processor_chain([ + setc("eventcategory","1801030100"), + dup72, + dup7, + setc("event_description","SSLVPN TCP Connection Timed Out"), + dup3, + dup4, + ]), +}); + +var msg105 = msg("SSLVPN_TCPCONN_TIMEDOUT", all40); + +var part187 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Start_time '), Field(p0,false)}" +match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/2", "nwparser.p0", "%{daddr}:%{dport->} - Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Start_time %{p0}"); + +var part188 = // "Pattern{Field(duration_string,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Access '), Field(disposition,true), Constant(' - Group(s) "'), Field(group,false), Constant('"')}" +match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/5", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Access %{disposition->} - Group(s) \"%{group}\""); + +var all41 = all_match({ + processors: [ + dup73, + dup105, + part187, + dup102, + dup103, + part188, + ], + on_success: processor_chain([ + dup69, + setc("event_description","SSLVPN UDP Flow Statistics"), + dup3, + dup61, + dup62, + dup4, + ]), +}); + +var msg106 = msg("SSLVPN_UDPFLOWSTAT", all41); + +var part189 = // "Pattern{Constant('Server port = '), Field(dport,true), Constant(' - Server server ip = '), Field(daddr,true), Constant(' - username:domain_name = '), Field(username,false), Constant(':'), Field(ddomain,true), Constant(' - application name = '), Field(application,false)}" +match("MESSAGE#98:SSLVPN_ICASTART", "nwparser.payload", "Server port = %{dport->} - Server server ip = %{daddr->} - username:domain_name = %{username}:%{ddomain->} - application name = %{application}", processor_chain([ + dup69, + setc("event_description","ICA started"), + dup3, + dup4, +])); + +var msg107 = msg("SSLVPN_ICASTART", part189); + +var part190 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - username:domainname '), Field(username,false), Constant(':'), Field(ddomain,true), Constant(' - applicationName '), Field(application,true), Constant(' - startTime '), Field(p0,false)}" +match("MESSAGE#99:SSLVPN_ICASTART:01/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - username:domainname %{username}:%{ddomain->} - applicationName %{application->} - startTime %{p0}"); + +var part191 = // "Pattern{Constant('" '), Field(fld10,true), Constant(' GMT" - connectionId '), Field(p0,false)}" +match("MESSAGE#99:SSLVPN_ICASTART:01/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - connectionId %{p0}"); + +var part192 = // "Pattern{Constant('" '), Field(fld10,false), Constant('" - connectionId '), Field(p0,false)}" +match("MESSAGE#99:SSLVPN_ICASTART:01/1_1", "nwparser.p0", "\" %{fld10}\" - connectionId %{p0}"); + +var part193 = // "Pattern{Field(fld10,true), Constant(' - connectionId '), Field(p0,false)}" +match("MESSAGE#99:SSLVPN_ICASTART:01/1_2", "nwparser.p0", "%{fld10->} - connectionId %{p0}"); + +var select52 = linear_select([ + part191, + part192, + part193, +]); + +var part194 = // "Pattern{Field(fld5,false)}" +match_copy("MESSAGE#99:SSLVPN_ICASTART:01/2", "nwparser.p0", "fld5"); + +var all42 = all_match({ + processors: [ + part190, + select52, + part194, + ], + on_success: processor_chain([ + dup9, + dup62, + dup4, + ]), +}); + +var msg108 = msg("SSLVPN_ICASTART:01", all42); + +var select53 = linear_select([ + msg107, + msg108, +]); + +var part195 = // "Pattern{Field(action,false), Constant(': '), Field(fld1,true), Constant(' "')}" +match("MESSAGE#100:SSLVPN_Message/1_0", "nwparser.p0", "%{action}: %{fld1->} \""); + +var part196 = // "Pattern{Field(action,true), Constant(' '), Field(fld1,false), Constant('"')}" +match("MESSAGE#100:SSLVPN_Message/1_1", "nwparser.p0", "%{action->} %{fld1}\""); + +var part197 = // "Pattern{Field(action,false), Constant(': '), Field(fld1,false)}" +match("MESSAGE#100:SSLVPN_Message/1_2", "nwparser.p0", "%{action}: %{fld1}"); + +var select54 = linear_select([ + part195, + part196, + part197, +]); + +var all43 = all_match({ + processors: [ + dup74, + select54, + ], + on_success: processor_chain([ + dup2, + setc("event_description","Message"), + dup10, + dup4, + ]), +}); + +var msg109 = msg("SSLVPN_Message", all43); + +var part198 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('- Client_ip '), Field(hostip,true), Constant(' - Nat_ip '), Field(stransaddr,true), Constant(' - Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Start_time '), Field(p0,false)}" +match("MESSAGE#101:SSLVPN_TCPCONNSTAT/2", "nwparser.p0", "%{} %{username}- Client_ip %{hostip->} - Nat_ip %{stransaddr->} - Vserver %{daddr}:%{dport->} - Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Start_time %{p0}"); + +var part199 = // "Pattern{Field(duration_string,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Total_compressedbytes_send '), Field(comp_sbytes,true), Constant(' - Total_compressedbytes_recv '), Field(comp_rbytes,true), Constant(' - Compression_ratio_send '), Field(dclass_ratio1,true), Constant(' - Compression_ratio_recv '), Field(dclass_ratio2,true), Constant(' - Access '), Field(disposition,true), Constant(' - Group(s) "'), Field(group,false), Constant('"')}" +match("MESSAGE#101:SSLVPN_TCPCONNSTAT/5", "nwparser.p0", "%{duration_string->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{comp_sbytes->} - Total_compressedbytes_recv %{comp_rbytes->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} - Access %{disposition->} - Group(s) \"%{group}\""); + +var all44 = all_match({ + processors: [ + dup48, + dup104, + part198, + dup102, + dup103, + part199, + ], + on_success: processor_chain([ + dup9, + setc("event_description","TCP connection related information for a connection belonging to a SSLVPN session"), + dup59, + dup60, + dup3, + dup61, + dup62, + dup4, + ]), +}); + +var msg110 = msg("SSLVPN_TCPCONNSTAT", all44); + +var all45 = all_match({ + processors: [ + dup75, + dup106, + dup78, + ], + on_success: processor_chain([ + dup2, + dup40, + dup30, + dup79, + dup3, + dup61, + dup4, + ]), +}); + +var msg111 = msg("TCP_CONN_DELINK", all45); + +var all46 = all_match({ + processors: [ + dup80, + dup107, + dup106, + dup78, + ], + on_success: processor_chain([ + dup2, + dup40, + dup28, + dup83, + dup3, + dup61, + dup62, + dup4, + ]), +}); + +var msg112 = msg("TCP_CONN_TERMINATE", all46); + +var part200 = // "Pattern{Constant('Source '), Field(saddr,false), Constant('Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,false)}" +match("MESSAGE#140:TCP_CONN_TERMINATE:01", "nwparser.payload", "Source %{saddr}Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes}", processor_chain([ + dup2, + dup40, + dup28, + dup83, + dup3, + dup4, +])); + +var msg113 = msg("TCP_CONN_TERMINATE:01", part200); + +var select55 = linear_select([ + msg112, + msg113, +]); + +var part201 = // "Pattern{Field(fld11,true), Constant(' GMT Total_bytes_send '), Field(p0,false)}" +match("MESSAGE#104:TCP_OTHERCONN_DELINK/1_0", "nwparser.p0", "%{fld11->} GMT Total_bytes_send %{p0}"); + +var part202 = // "Pattern{Field(fld11,true), Constant(' Total_bytes_send '), Field(p0,false)}" +match("MESSAGE#104:TCP_OTHERCONN_DELINK/1_1", "nwparser.p0", "%{fld11->} Total_bytes_send %{p0}"); + +var select56 = linear_select([ + part201, + part202, +]); + +var all47 = all_match({ + processors: [ + dup75, + select56, + dup78, + ], + on_success: processor_chain([ + dup2, + dup40, + dup30, + setc("event_description","A Server side and a Client side TCP connection is delinked. This is not tracked by Netscaler"), + dup3, + dup61, + dup4, + ]), +}); + +var msg114 = msg("TCP_OTHERCONN_DELINK", all47); + +var part203 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - NatIP '), Field(stransaddr,false), Constant(':'), Field(stransport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Start Time '), Field(p0,false)}" +match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Start Time %{p0}"); + +var part204 = // "Pattern{Field(fld10,true), Constant(' GMT - Delink Time '), Field(p0,false)}" +match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/1_0", "nwparser.p0", "%{fld10->} GMT - Delink Time %{p0}"); + +var part205 = // "Pattern{Field(fld10,true), Constant(' - Delink Time '), Field(p0,false)}" +match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/1_1", "nwparser.p0", "%{fld10->} - Delink Time %{p0}"); + +var select57 = linear_select([ + part204, + part205, +]); + +var part206 = // "Pattern{Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - '), Field(info,false)}" +match("MESSAGE#105:TCP_NAT_OTHERCONN_DELINK/3", "nwparser.p0", "%{sbytes->} - Total_bytes_recv %{rbytes->} - %{info}"); + +var all48 = all_match({ + processors: [ + part203, + select57, + dup106, + part206, + ], + on_success: processor_chain([ + dup2, + dup40, + setc("event_description","A server side and a client side TCP connection for RNAT are delinked"), + dup3, + dup61, + dup4, + dup62, + ]), +}); + +var msg115 = msg("TCP_NAT_OTHERCONN_DELINK", all48); + +var part207 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "login '), Field(fld11,false), Constant('" - Status "Success'), Field(info,false), Constant('"')}" +match("MESSAGE#106:UI_CMD_EXECUTED:Login", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\" - Status \"Success%{info}\"", processor_chain([ + dup69, + dup84, + dup3, + dup4, + dup85, + dup6, + dup86, +])); + +var msg116 = msg("UI_CMD_EXECUTED:Login", part207); + +var part208 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "login '), Field(fld11,false), Constant('" - Status "ERROR:'), Field(info,false), Constant('"')}" +match("MESSAGE#107:UI_CMD_EXECUTED:LoginFail", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\" - Status \"ERROR:%{info}\"", processor_chain([ + dup5, + dup84, + dup3, + dup4, + setc("disposition","Error"), + dup6, + dup86, +])); + +var msg117 = msg("UI_CMD_EXECUTED:LoginFail", part208); + +var part209 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "logout '), Field(fld11,false), Constant('" - Status "Success'), Field(info,false), Constant('"')}" +match("MESSAGE#108:UI_CMD_EXECUTED:Logout", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"logout %{fld11}\" - Status \"Success%{info}\"", processor_chain([ + dup71, + dup84, + dup3, + dup4, + dup85, + dup72, + dup87, +])); + +var msg118 = msg("UI_CMD_EXECUTED:Logout", part209); + +var msg119 = msg("UI_CMD_EXECUTED", dup108); + +var part210 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "login '), Field(fld11,false), Constant('"')}" +match("MESSAGE#144:UI_CMD_EXECUTED:01_Login", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\"", processor_chain([ + dup69, + dup84, + dup3, + dup4, + dup6, + dup86, +])); + +var msg120 = msg("UI_CMD_EXECUTED:01_Login", part210); + +var part211 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "logout '), Field(fld11,false), Constant('"')}" +match("MESSAGE#145:UI_CMD_EXECUTED:01_Logout", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"logout %{fld11}\"", processor_chain([ + dup71, + dup84, + dup3, + dup4, + dup72, + dup87, +])); + +var msg121 = msg("UI_CMD_EXECUTED:01_Logout", part211); + +var part212 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,false), Constant('"')}" +match("MESSAGE#146:UI_CMD_EXECUTED:01", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\"", processor_chain([ + dup88, + dup89, + dup3, + dup4, +])); + +var msg122 = msg("UI_CMD_EXECUTED:01", part212); + +var select58 = linear_select([ + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, +]); + +var part213 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Total_bytes_send '), Field(comp_sbytes,true), Constant(' - Total_bytes_recv '), Field(comp_rbytes,true), Constant(' - Denied_by_policy "'), Field(fld2,false), Constant('" - Group(s) "'), Field(group,false), Constant('"')}" +match("MESSAGE#110:SSLVPN_NONHTTP_RESOURCEACCESS_DENIED/2", "nwparser.p0", "%{daddr}:%{dport->} - Source %{saddr}:%{sport->} - Destination %{dtransaddr}:%{dtransport->} - Total_bytes_send %{comp_sbytes->} - Total_bytes_recv %{comp_rbytes->} - Denied_by_policy \"%{fld2}\" - Group(s) \"%{group}\""); + +var all49 = all_match({ + processors: [ + dup73, + dup105, + part213, + ], + on_success: processor_chain([ + dup11, + dup51, + dup8, + dup4, + ]), +}); + +var msg123 = msg("SSLVPN_NONHTTP_RESOURCEACCESS_DENIED", all49); + +var part214 = // "Pattern{Field(fld1,true), Constant(' - State Init')}" +match("MESSAGE#111:EVENT_VRIDINIT", "nwparser.payload", "%{fld1->} - State Init", processor_chain([ + dup9, + dup4, +])); + +var msg124 = msg("EVENT_VRIDINIT", part214); + +var part215 = // "Pattern{Constant('"REC: status '), Field(info,true), Constant(' from client '), Field(fld1,true), Constant(' for ID '), Field(id,false), Constant('"')}" +match("MESSAGE#112:CLUSTERD_Message:01", "nwparser.payload", "\"REC: status %{info->} from client %{fld1->} for ID %{id}\"", processor_chain([ + dup9, + dup4, +])); + +var msg125 = msg("CLUSTERD_Message:01", part215); + +var part216 = // "Pattern{Field(info,false), Constant('('), Field(saddr,false), Constant(') port('), Field(sport,false), Constant(') msglen('), Field(fld1,false), Constant(') rcv('), Field(packets,false), Constant(') R('), Field(result,false), Constant(') " ')}" +match("MESSAGE#113:CLUSTERD_Message:02/1_0", "nwparser.p0", "%{info}(%{saddr}) port(%{sport}) msglen(%{fld1}) rcv(%{packets}) R(%{result}) \" "); + +var select59 = linear_select([ + part216, + dup90, +]); + +var all50 = all_match({ + processors: [ + dup74, + select59, + ], + on_success: processor_chain([ + dup9, + dup4, + ]), +}); + +var msg126 = msg("CLUSTERD_Message:02", all50); + +var select60 = linear_select([ + msg125, + msg126, +]); + +var part217 = // "Pattern{Constant('"crypto: driver '), Field(fld1,true), Constant(' registers alg '), Field(fld2,true), Constant(' flags '), Field(fld3,true), Constant(' maxoplen '), Field(fld4,true), Constant(' "')}" +match("MESSAGE#114:IPSEC_Message/0_0", "nwparser.payload", "\"crypto: driver %{fld1->} registers alg %{fld2->} flags %{fld3->} maxoplen %{fld4->} \""); + +var part218 = // "Pattern{Constant(' "'), Field(info,true), Constant(' "')}" +match("MESSAGE#114:IPSEC_Message/0_1", "nwparser.payload", " \"%{info->} \""); + +var select61 = linear_select([ + part217, + part218, +]); + +var all51 = all_match({ + processors: [ + select61, + ], + on_success: processor_chain([ + dup9, + dup4, + ]), +}); + +var msg127 = msg("IPSEC_Message", all51); + +var part219 = // "Pattern{Constant('"'), Field(event_type,false), Constant(': '), Field(info,true), Constant(' "')}" +match("MESSAGE#115:NSNETSVC_Message", "nwparser.payload", "\"%{event_type}: %{info->} \"", processor_chain([ + dup9, + dup4, +])); + +var msg128 = msg("NSNETSVC_Message", part219); + +var part220 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('- Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Remote_host '), Field(hostname,true), Constant(' - Denied_url '), Field(url,true), Constant(' - Denied_by_policy '), Field(policyname,true), Constant(' - Group(s) "'), Field(group,false), Constant('"')}" +match("MESSAGE#116:SSLVPN_HTTP_RESOURCEACCESS_DENIED/2", "nwparser.p0", "%{} %{username}- Vserver %{daddr}:%{dport->} - Total_bytes_send %{sbytes->} - Remote_host %{hostname->} - Denied_url %{url->} - Denied_by_policy %{policyname->} - Group(s) \"%{group}\""); + +var all52 = all_match({ + processors: [ + dup48, + dup104, + part220, + ], + on_success: processor_chain([ + dup9, + dup4, + ]), +}); + +var msg129 = msg("SSLVPN_HTTP_RESOURCEACCESS_DENIED", all52); + +var part221 = // "Pattern{Constant('Client '), Field(saddr,true), Constant(' - Profile '), Field(p0,false)}" +match("MESSAGE#117:NSNETSVC_REQ_PARSE_ERROR/0", "nwparser.payload", "Client %{saddr->} - Profile %{p0}"); + +var part222 = // "Pattern{Field(info,false), Constant(', '), Field(event_description,true), Constant(' - URL')}" +match("MESSAGE#117:NSNETSVC_REQ_PARSE_ERROR/1_0", "nwparser.p0", "%{info}, %{event_description->} - URL"); + +var part223 = // "Pattern{Field(info,true), Constant(' - '), Field(event_description,true), Constant(' - URL')}" +match("MESSAGE#117:NSNETSVC_REQ_PARSE_ERROR/1_1", "nwparser.p0", "%{info->} - %{event_description->} - URL"); + +var select62 = linear_select([ + part222, + part223, +]); + +var all53 = all_match({ + processors: [ + part221, + select62, + ], + on_success: processor_chain([ + dup2, + dup4, + ]), +}); + +var msg130 = msg("NSNETSVC_REQ_PARSE_ERROR", all53); + +var part224 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - NatIP '), Field(stransaddr,false), Constant(':'), Field(stransport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Delink Time '), Field(fld11,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#118:Source:01/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Vserver %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Delink Time %{fld11->} %{p0}"); + +var part225 = // "Pattern{Constant('GMT - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(p0,false)}" +match("MESSAGE#118:Source:01/1_0", "nwparser.p0", "GMT - Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); + +var part226 = // "Pattern{Constant('- Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(p0,false)}" +match("MESSAGE#118:Source:01/1_1", "nwparser.p0", "- Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); + +var part227 = // "Pattern{Constant('GMT Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(p0,false)}" +match("MESSAGE#118:Source:01/1_2", "nwparser.p0", "GMT Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); + +var part228 = // "Pattern{Constant('Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(p0,false)}" +match("MESSAGE#118:Source:01/1_3", "nwparser.p0", "Total_bytes_send %{sbytes->} - Total_bytes_recv %{p0}"); + +var select63 = linear_select([ + part225, + part226, + part227, + part228, +]); + +var part229 = // "Pattern{Field(rbytes,false)}" +match_copy("MESSAGE#118:Source:01/2", "nwparser.p0", "rbytes"); + +var all54 = all_match({ + processors: [ + part224, + select63, + part229, + ], + on_success: processor_chain([ + dup2, + dup79, + ]), +}); + +var msg131 = msg("Source:01", all54); + +var all55 = all_match({ + processors: [ + dup80, + dup107, + dup106, + dup78, + ], + on_success: processor_chain([ + dup2, + dup61, + dup62, + ]), +}); + +var msg132 = msg("Source:02", all55); + +var select64 = linear_select([ + msg131, + msg132, +]); + +var part230 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(fld1,false), Constant('" - Status "'), Field(result,false), Constant('"')}" +match("MESSAGE#120:User", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{fld1}\" - Status \"%{result}\"", processor_chain([ + dup2, +])); + +var msg133 = msg("User", part230); + +var part231 = // "Pattern{Constant('SPCBId '), Field(sessionid,true), Constant(' - ClientIP '), Field(saddr,true), Constant(' - ClientPort '), Field(sport,true), Constant(' - VserverServiceIP '), Field(daddr,true), Constant(' - VserverServicePort '), Field(dport,true), Constant(' - ClientVersion '), Field(s_sslver,true), Constant(' - CipherSuite "'), Field(s_cipher,false), Constant('" - '), Field(result,false)}" +match("MESSAGE#121:SPCBId", "nwparser.payload", "SPCBId %{sessionid->} - ClientIP %{saddr->} - ClientPort %{sport->} - VserverServiceIP %{daddr->} - VserverServicePort %{dport->} - ClientVersion %{s_sslver->} - CipherSuite \"%{s_cipher}\" - %{result}", processor_chain([ + dup11, + dup40, + dup8, + dup41, +])); + +var msg134 = msg("SPCBId", part231); + +var msg135 = msg("APPFW_COOKIE", dup109); + +var msg136 = msg("APPFW_CSRF_TAG", dup109); + +var msg137 = msg("APPFW_STARTURL", dup109); + +var msg138 = msg("APPFW_FIELDCONSISTENCY", dup109); + +var msg139 = msg("APPFW_REFERER_HEADER", dup109); + +var part232 = // "Pattern{Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(fld1,false), Constant('|'), Field(severity,false), Constant('|src='), Field(saddr,true), Constant(' spt='), Field(sport,true), Constant(' method='), Field(web_method,true), Constant(' request='), Field(url,true), Constant(' msg='), Field(info,true), Constant(' cn1='), Field(fld2,true), Constant(' cn2='), Field(fld3,true), Constant(' cs1='), Field(policyname,true), Constant(' cs2='), Field(fld5,true), Constant(' cs3='), Field(fld6,true), Constant(' cs4='), Field(severity,true), Constant(' cs5='), Field(fld8,true), Constant(' cs6='), Field(fld9,true), Constant(' act='), Field(action,false)}" +match("MESSAGE#127:APPFW_SIGNATURE_MATCH", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs3=%{fld6->} cs4=%{severity->} cs5=%{fld8->} cs6=%{fld9->} act=%{action}", processor_chain([ + dup9, + dup91, +])); + +var msg140 = msg("APPFW_SIGNATURE_MATCH", part232); + +var msg141 = msg("AF_400_RESP", dup110); + +var msg142 = msg("AF_MALFORMED_REQ_ERR", dup110); + +var part233 = tagval("MESSAGE#130:CITRIX_TVM", "nwparser.payload", tvm, { + "act": "action", + "cn1": "fld2", + "cn2": "fld3", + "cs1": "policyname", + "cs2": "fld5", + "cs4": "severity", + "cs5": "fld8", + "method": "web_method", + "msg": "info", + "request": "url", + "spt": "sport", + "src": "saddr", +}, processor_chain([ + dup11, + dup91, + setf("vid","hfld1"), + setf("msg_id","hfld1"), + lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: field("action"), + }), + lookup({ + dest: "nwparser.event_cat_name", + map: map_getEventLegacyCategoryName, + key: field("event_cat"), + }), +])); + +var msg143 = msg("CITRIX_TVM", part233); + +var part234 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' '), Field(url,true), Constant(' '), Field(event_description,false)}" +match("MESSAGE#131:APPFW_APPFW_POLICY_HIT", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{fld3->} %{url->} %{event_description}", processor_chain([ + dup9, + dup40, + dup3, + dup4, +])); + +var msg144 = msg("APPFW_APPFW_POLICY_HIT", part234); + +var part235 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' Unknown content-type header value='), Field(fld4,true), Constant(' '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#132:APPFW_APPFW_CONTENT_TYPE", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{rule_group->} %{url->} Unknown content-type header value=%{fld4->} %{info->} \u003c\u003c%{disposition}>", processor_chain([ + dup9, + dup91, + dup4, +])); + +var msg145 = msg("APPFW_APPFW_CONTENT_TYPE", part235); + +var part236 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' WSI check failed: '), Field(fld4,false), Constant(': '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#133:APPFW_RESP_APPFW_XML_WSI_ERR_BODY_ENV_NAMESPACE", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{rule_group->} %{url->} WSI check failed: %{fld4}: %{info->} \u003c\u003c%{disposition}>", processor_chain([ + dup9, + dup91, + dup4, +])); + +var msg146 = msg("APPFW_RESP_APPFW_XML_WSI_ERR_BODY_ENV_NAMESPACE", part236); + +var part237 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' Referer header check failed: referer header URL ''), Field(web_referer,false), Constant('' not in Start URL or closure list <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#134:APPFW_APPFW_REFERER_HEADER", "nwparser.payload", "%{saddr->} %{fld2->} %{fld3->} %{rule_group->} %{url->} Referer header check failed: referer header URL '%{web_referer}' not in Start URL or closure list \u003c\u003c%{disposition}>", processor_chain([ + dup9, + dup40, + dup3, + dup4, + setc("event_description","referer header URL not in Start URL or closure list"), +])); + +var msg147 = msg("APPFW_APPFW_REFERER_HEADER", part237); + +var part238 = // "Pattern{Constant('"URL'), Field(url,false), Constant('Client IP'), Field(hostip,false), Constant('Client Dest'), Field(fld1,false)}" +match("MESSAGE#141:RESPONDER_Message", "nwparser.payload", "\"URL%{url}Client IP%{hostip}Client Dest%{fld1}", processor_chain([ + dup9, + dup3, + dup4, +])); + +var msg148 = msg("RESPONDER_Message", part238); + +var part239 = // "Pattern{Constant('"NSRateLimit='), Field(filter,false), Constant(', ClientIP='), Field(saddr,false), Constant('"')}" +match("MESSAGE#142:RESPONDER_Message:01", "nwparser.payload", "\"NSRateLimit=%{filter}, ClientIP=%{saddr}\"", processor_chain([ + dup9, + dup3, + dup4, +])); + +var msg149 = msg("RESPONDER_Message:01", part239); + +var select65 = linear_select([ + msg148, + msg149, +]); + +var part240 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' - '), Field(fld2,true), Constant(' - '), Field(event_description,true), Constant(' <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#147:APPFW_AF_MALFORMED_REQ_ERR", "nwparser.payload", "%{saddr->} %{fld1->} - %{fld2->} - %{event_description->} \u003c\u003c%{disposition}>", processor_chain([ + dup11, + dup3, + dup4, +])); + +var msg150 = msg("APPFW_AF_MALFORMED_REQ_ERR", part240); + +var part241 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' - '), Field(fld2,true), Constant(' - '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' '), Field(event_description,true), Constant(' rule ID '), Field(rule_uid,false), Constant(': '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#148:APPFW_APPFW_SIGNATURE_MATCH", "nwparser.payload", "%{saddr->} %{fld1->} - %{fld2->} - %{rule_group->} %{url->} %{event_description->} rule ID %{rule_uid}: %{info->} \u003c\u003c%{disposition}>", processor_chain([ + dup9, + domain("web_domain","url"), + root("web_root","url"), + page("webpage","url"), + setf("filename","webpage"), + dup3, + dup4, +])); + +var msg151 = msg("APPFW_APPFW_SIGNATURE_MATCH", part241); + +var part242 = // "Pattern{Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(rule_group,true), Constant(' '), Field(url,true), Constant(' Signature violation rule ID '), Field(rule_uid,false), Constant(': '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#149:APPFW_APPFW_SIGNATURE_MATCH:01", "nwparser.payload", "%{saddr->} %{fld1->} %{fld2->} %{rule_group->} %{url->} Signature violation rule ID %{rule_uid}: %{info->} \u003c\u003c%{disposition}>", processor_chain([ + dup9, + dup91, + dup4, + setc("event_description","Signature violation"), +])); + +var msg152 = msg("APPFW_APPFW_SIGNATURE_MATCH:01", part242); + +var select66 = linear_select([ + msg151, + msg152, +]); + +var part243 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,false), Constant('" -serverIP '), Field(daddr,true), Constant(' -serverPort '), Field(dport,true), Constant(' -logLevel '), Field(fld1,true), Constant(' -dateFormat '), Field(fld2,true), Constant(' -logFacility '), Field(fld3,true), Constant(' -tcp '), Field(fld4,true), Constant(' -acl '), Field(fld5,true), Constant(' -timeZone '), Field(fld6,true), Constant(' -userDefinedAuditlog '), Field(fld7,true), Constant(' -appflowExport '), Field(fld8,false), Constant('" - Status "'), Field(disposition,false), Constant('"')}" +match("MESSAGE#150:GUI_CMD_EXECUTED:01", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" -serverIP %{daddr->} -serverPort %{dport->} -logLevel %{fld1->} -dateFormat %{fld2->} -logFacility %{fld3->} -tcp %{fld4->} -acl %{fld5->} -timeZone %{fld6->} -userDefinedAuditlog %{fld7->} -appflowExport %{fld8}\" - Status \"%{disposition}\"", processor_chain([ + dup88, + dup89, + dup3, + dup4, +])); + +var msg153 = msg("GUI_CMD_EXECUTED:01", part243); + +var part244 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,true), Constant(' -priority '), Field(fld1,true), Constant(' -devno '), Field(fld2,false), Constant('" - Status "'), Field(disposition,false), Constant('"')}" +match("MESSAGE#151:GUI_CMD_EXECUTED:02", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action->} -priority %{fld1->} -devno %{fld2}\" - Status \"%{disposition}\"", processor_chain([ + dup88, + dup89, + dup3, + dup4, +])); + +var msg154 = msg("GUI_CMD_EXECUTED:02", part244); + +var part245 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "login '), Field(fld11,false), Constant('" - Status "Success'), Field(info,false), Constant('"')}" +match("MESSAGE#152:GUI_CMD_EXECUTED:Login", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"login %{fld11}\" - Status \"Success%{info}\"", processor_chain([ + dup69, + dup92, + dup3, + dup4, + dup85, + dup6, + dup86, +])); + +var msg155 = msg("GUI_CMD_EXECUTED:Login", part245); + +var part246 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "logout '), Field(fld11,false), Constant('" - Status "Success'), Field(info,false), Constant('"')}" +match("MESSAGE#153:GUI_CMD_EXECUTED:Logout", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"logout %{fld11}\" - Status \"Success%{info}\"", processor_chain([ + dup71, + dup92, + dup3, + dup4, + dup85, + dup72, + dup87, +])); + +var msg156 = msg("GUI_CMD_EXECUTED:Logout", part246); + +var msg157 = msg("GUI_CMD_EXECUTED", dup108); + +var part247 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,true), Constant(' - Status "'), Field(disposition,false), Constant('" - Message "'), Field(info,false), Constant('"')}" +match("MESSAGE#155:GUI_CMD_EXECUTED:03", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action->} - Status \"%{disposition}\" - Message \"%{info}\"", processor_chain([ + dup88, + dup89, + dup4, +])); + +var msg158 = msg("GUI_CMD_EXECUTED:03", part247); + +var select67 = linear_select([ + msg153, + msg154, + msg155, + msg156, + msg157, + msg158, +]); + +var msg159 = msg("CLI_CMD_EXECUTED", dup108); + +var part248 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,false), Constant('" - Status "'), Field(disposition,false), Constant('"')}" +match("MESSAGE#157:API_CMD_EXECUTED", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" - Status \"%{disposition}\"", processor_chain([ + dup88, + setc("event_description","API command executed in NetScaler"), + dup3, + dup4, +])); + +var msg160 = msg("API_CMD_EXECUTED", part248); + +var part249 = // "Pattern{Field(result,true), Constant(' for user '), Field(username,true), Constant(' = '), Field(fld1,true), Constant(' "')}" +match("MESSAGE#158:AAA_Message/1_0", "nwparser.p0", "%{result->} for user %{username->} = %{fld1->} \""); + +var part250 = // "Pattern{Constant(''), Field(info,true), Constant(' "')}" +match("MESSAGE#158:AAA_Message/1_1", "nwparser.p0", "%{info->} \""); + +var select68 = linear_select([ + part249, + part250, +]); + +var all56 = all_match({ + processors: [ + dup93, + select68, + ], + on_success: processor_chain([ + dup9, + dup4, + ]), +}); + +var msg161 = msg("AAA_Message", all56); + +var part251 = // "Pattern{Constant('"'), Field(event_type,false), Constant(': created session for <<'), Field(domain,false), Constant('> with cookie: <<'), Field(web_cookie,false), Constant('>"')}" +match("MESSAGE#159:AAATM_Message:04", "nwparser.payload", "\"%{event_type}: created session for \u003c\u003c%{domain}> with cookie: \u003c\u003c%{web_cookie}>\"", processor_chain([ + dup9, + dup91, + dup4, +])); + +var msg162 = msg("AAATM_Message:04", part251); + +var part252 = // "Pattern{Field(fld1,true), Constant(' for user '), Field(username,true), Constant(' "')}" +match("MESSAGE#160:AAATM_Message/1_0", "nwparser.p0", "%{fld1->} for user %{username->} \""); + +var select69 = linear_select([ + part252, + dup90, +]); + +var all57 = all_match({ + processors: [ + dup93, + select69, + ], + on_success: processor_chain([ + dup9, + dup4, + ]), +}); + +var msg163 = msg("AAATM_Message", all57); + +var part253 = // "Pattern{Constant('"'), Field(fld1,true), Constant(' creating session '), Field(info,false), Constant('"')}" +match("MESSAGE#161:AAATM_Message:01", "nwparser.payload", "\"%{fld1->} creating session %{info}\"", processor_chain([ + dup9, + dup4, + setc("event_type","creating session"), +])); + +var msg164 = msg("AAATM_Message:01", part253); + +var part254 = // "Pattern{Constant('"cookie idx is '), Field(fld1,false), Constant(', '), Field(info,false), Constant('"')}" +match("MESSAGE#162:AAATM_Message:02", "nwparser.payload", "\"cookie idx is %{fld1}, %{info}\"", processor_chain([ + dup9, + dup4, + setc("event_type","cookie idx"), +])); + +var msg165 = msg("AAATM_Message:02", part254); + +var part255 = // "Pattern{Constant('"sent request to '), Field(fld1,true), Constant(' for authentication, user <<'), Field(domain,false), Constant('\'), Field(username,false), Constant('>, client ip '), Field(saddr,false), Constant('"')}" +match("MESSAGE#163:AAATM_Message:03", "nwparser.payload", "\"sent request to %{fld1->} for authentication, user \u003c\u003c%{domain}\\%{username}>, client ip %{saddr}\"", processor_chain([ + setc("eventcategory","1304000000"), + dup4, + setc("event_type","sent request"), +])); + +var msg166 = msg("AAATM_Message:03", part255); + +var part256 = // "Pattern{Constant('"authentication succeeded for user <<'), Field(domain,false), Constant('\'), Field(username,false), Constant('>, client ip '), Field(saddr,false), Constant(', setting up session"')}" +match("MESSAGE#164:AAATM_Message:05", "nwparser.payload", "\"authentication succeeded for user \u003c\u003c%{domain}\\%{username}>, client ip %{saddr}, setting up session\"", processor_chain([ + setc("eventcategory","1302000000"), + dup4, + setc("event_type","setting up session"), +])); + +var msg167 = msg("AAATM_Message:05", part256); + +var msg168 = msg("AAATM_Message:06", dup111); + +var select70 = linear_select([ + msg162, + msg163, + msg164, + msg165, + msg166, + msg167, + msg168, +]); + +var part257 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - SessionId: '), Field(sessionid,false), Constant('- '), Field(event_computer,true), Constant(' User '), Field(username,true), Constant(' : Group(s) '), Field(group,true), Constant(' : Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - '), Field(fld2,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#166:AAATM_HTTPREQUEST/0", "nwparser.payload", "Context %{fld1->} - SessionId: %{sessionid}- %{event_computer->} User %{username->} : Group(s) %{group->} : Vserver %{daddr}:%{dport->} - %{fld2->} %{p0}"); + +var part258 = // "Pattern{Field(timezone,false), Constant(': SSO is '), Field(fld3,true), Constant(' : '), Field(p0,false)}" +match("MESSAGE#166:AAATM_HTTPREQUEST/1_0", "nwparser.p0", "%{timezone}: SSO is %{fld3->} : %{p0}"); + +var part259 = // "Pattern{Field(timezone,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#166:AAATM_HTTPREQUEST/1_1", "nwparser.p0", "%{timezone->} %{p0}"); + +var select71 = linear_select([ + part258, + part259, +]); + +var part260 = // "Pattern{Field(web_method,true), Constant(' '), Field(url,true), Constant(' '), Field(fld4,false)}" +match("MESSAGE#166:AAATM_HTTPREQUEST/2", "nwparser.p0", "%{web_method->} %{url->} %{fld4}"); + +var all58 = all_match({ + processors: [ + part257, + select71, + part260, + ], + on_success: processor_chain([ + dup9, + dup4, + date_time({ + dest: "effective_time", + args: ["fld2"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dc(":"),dH,dc(":"),dU,dc(":"),dO], + ], + }), + setc("event_description","AAATM HTTP Request"), + ]), +}); + +var msg169 = msg("AAATM_HTTPREQUEST", all58); + +var msg170 = msg("SSLVPN_REMOVE_SESSION_ERR", dup114); + +var msg171 = msg("SSLVPN_REMOVE_SESSION", dup114); + +var msg172 = msg("SSLVPN_REMOVE_SESSION_INFO", dup114); + +var part261 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - ica_rtt '), Field(fld5,true), Constant(' - clientside_rxbytes '), Field(rbytes,false), Constant('- clientside_txbytes '), Field(sbytes,true), Constant(' - clientside_packet_retransmits '), Field(fld6,true), Constant(' - serverside_packet_retransmits '), Field(fld7,true), Constant(' - clientside_rtt '), Field(fld8,true), Constant(' - serverside_rtt '), Field(fld9,true), Constant(' - clientside_jitter '), Field(fld10,true), Constant(' - serverside_jitter '), Field(fld11,false)}" +match("MESSAGE#170:ICA_NETWORK_UPDATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - ica_rtt %{fld5->} - clientside_rxbytes %{rbytes}- clientside_txbytes %{sbytes->} - clientside_packet_retransmits %{fld6->} - serverside_packet_retransmits %{fld7->} - clientside_rtt %{fld8->} - serverside_rtt %{fld9->} - clientside_jitter %{fld10->} - serverside_jitter %{fld11}", processor_chain([ + dup9, + dup4, +])); + +var msg173 = msg("ICA_NETWORK_UPDATE", part261); + +var part262 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - channel_update_begin '), Field(fld5,true), Constant(' - channel_update_end '), Field(fld6,true), Constant(' - channel_id_1 '), Field(fld7,true), Constant(' - channel_id_1_val '), Field(fld8,true), Constant(' - channel_id_2 '), Field(fld9,true), Constant(' - channel_id_2_val '), Field(fld10,true), Constant(' -channel_id_3 '), Field(fld11,true), Constant(' - channel_id_3_val '), Field(fld12,true), Constant(' - channel_id_4 '), Field(fld13,true), Constant(' - channel_id_4_val '), Field(fld14,true), Constant(' -channel_id_5 '), Field(fld15,true), Constant(' - channel_id_5_val '), Field(fld16,false)}" +match("MESSAGE#171:ICA_CHANNEL_UPDATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - channel_update_begin %{fld5->} - channel_update_end %{fld6->} - channel_id_1 %{fld7->} - channel_id_1_val %{fld8->} - channel_id_2 %{fld9->} - channel_id_2_val %{fld10->} -channel_id_3 %{fld11->} - channel_id_3_val %{fld12->} - channel_id_4 %{fld13->} - channel_id_4_val %{fld14->} -channel_id_5 %{fld15->} - channel_id_5_val %{fld16}", processor_chain([ + dup9, + date_time({ + dest: "starttime", + args: ["fld5"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dc(":"),dH,dc(":"),dU,dc(":"),dO], + ], + }), + date_time({ + dest: "endtime", + args: ["fld6"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dc(":"),dH,dc(":"),dU,dc(":"),dO], + ], + }), + dup4, +])); + +var msg174 = msg("ICA_CHANNEL_UPDATE", part262); + +var part263 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - nsica_session_status '), Field(fld5,true), Constant(' - nsica_session_client_ip '), Field(saddr,true), Constant(' - nsica_session_client_port '), Field(sport,true), Constant(' - nsica_session_server_ip '), Field(daddr,true), Constant(' - nsica_session_server_port '), Field(dport,true), Constant(' - nsica_session_reconnect_count '), Field(fld6,true), Constant(' - nsica_session_acr_count '), Field(fld7,true), Constant(' - connection_priority '), Field(fld8,true), Constant(' - timestamp '), Field(fld9,false)}" +match("MESSAGE#172:ICA_SESSION_UPDATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - nsica_session_status %{fld5->} - nsica_session_client_ip %{saddr->} - nsica_session_client_port %{sport->} - nsica_session_server_ip %{daddr->} - nsica_session_server_port %{dport->} - nsica_session_reconnect_count %{fld6->} - nsica_session_acr_count %{fld7->} - connection_priority %{fld8->} - timestamp %{fld9}", processor_chain([ + dup9, + dup4, +])); + +var msg175 = msg("ICA_SESSION_UPDATE", part263); + +var msg176 = msg("ICA_Message", dup111); + +var part264 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - session_setup_time '), Field(fld5,true), Constant(' - client_ip '), Field(saddr,true), Constant(' - client_type '), Field(fld6,true), Constant(' - client_launcher '), Field(fld7,true), Constant(' - client_version '), Field(version,true), Constant(' - client_hostname '), Field(shost,true), Constant(' - domain_name '), Field(domain,true), Constant(' - server_name '), Field(dhost,true), Constant(' - connection_priority '), Field(fld8,false)}" +match("MESSAGE#174:ICA_SESSION_SETUP", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - session_setup_time %{fld5->} - client_ip %{saddr->} - client_type %{fld6->} - client_launcher %{fld7->} - client_version %{version->} - client_hostname %{shost->} - domain_name %{domain->} - server_name %{dhost->} - connection_priority %{fld8}", processor_chain([ + dup9, + dup4, +])); + +var msg177 = msg("ICA_SESSION_SETUP", part264); + +var part265 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - launch_mechanism '), Field(fld5,true), Constant(' - app_launch_time '), Field(fld6,true), Constant(' - app_process_id '), Field(fld7,true), Constant(' - app_name '), Field(fld8,true), Constant(' - module_path '), Field(filename,false)}" +match("MESSAGE#175:ICA_APPLICATION_LAUNCH", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - launch_mechanism %{fld5->} - app_launch_time %{fld6->} - app_process_id %{fld7->} - app_name %{fld8->} - module_path %{filename}", processor_chain([ + dup9, + date_time({ + dest: "starttime", + args: ["fld6"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dc(":"),dH,dc(":"),dU,dc(":"),dO], + ], + }), + dup4, +])); + +var msg178 = msg("ICA_APPLICATION_LAUNCH", part265); + +var part266 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - session_end_time '), Field(fld5,false)}" +match("MESSAGE#176:ICA_SESSION_TERMINATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - session_end_time %{fld5}", processor_chain([ + dup9, + date_time({ + dest: "endtime", + args: ["fld5"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dc(":"),dH,dc(":"),dU,dc(":"),dO], + ], + }), + dup4, +])); + +var msg179 = msg("ICA_SESSION_TERMINATE", part266); + +var part267 = // "Pattern{Constant('session_guid '), Field(fld1,true), Constant(' - device_serial_number '), Field(fld2,true), Constant(' - client_cookie '), Field(fld3,true), Constant(' - flags '), Field(fld4,true), Constant(' - app_termination_type '), Field(fld5,true), Constant(' - app_process_id '), Field(fld6,true), Constant(' - app_termination_time '), Field(fld7,false)}" +match("MESSAGE#177:ICA_APPLICATION_TERMINATE", "nwparser.payload", "session_guid %{fld1->} - device_serial_number %{fld2->} - client_cookie %{fld3->} - flags %{fld4->} - app_termination_type %{fld5->} - app_process_id %{fld6->} - app_termination_time %{fld7}", processor_chain([ + dup9, + date_time({ + dest: "endtime", + args: ["fld7"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dc(":"),dH,dc(":"),dU,dc(":"),dO], + ], + }), + dup4, +])); + +var msg180 = msg("ICA_APPLICATION_TERMINATE", part267); + +var all59 = all_match({ + processors: [ + dup94, + dup112, + dup97, + ], + on_success: processor_chain([ + setc("eventcategory","1801010100"), + dup4, + ]), +}); + +var msg181 = msg("SSLVPN_REMOVE_SESSION_DEBUG", all59); + +var part268 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Browser_type '), Field(user_agent,false), Constant('- Group(s) "'), Field(group,false), Constant('"')}" +match("MESSAGE#181:AAATM_LOGIN/4", "nwparser.p0", "%{daddr}:%{dport->} - Browser_type %{user_agent}- Group(s) \"%{group}\""); + +var all60 = all_match({ + processors: [ + dup48, + dup104, + dup66, + dup105, + part268, + ], + on_success: processor_chain([ + dup69, + dup6, + dup7, + dup4, + ]), +}); + +var msg182 = msg("AAATM_LOGIN", all60); + +var part269 = // "Pattern{Field(duration_string,true), Constant(' - Http_resources_accessed '), Field(fld3,true), Constant(' - Total_TCP_connections '), Field(fld5,true), Constant(' - Total_policies_allowed '), Field(fld7,true), Constant(' - Total_policies_denied '), Field(fld8,true), Constant(' - Total_bytes_send '), Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,true), Constant(' - Total_compressedbytes_send '), Field(fld12,true), Constant(' - Total_compressedbytes_recv '), Field(fld13,true), Constant(' - Compression_ratio_send '), Field(dclass_ratio1,true), Constant(' - Compression_ratio_recv '), Field(dclass_ratio2,true), Constant(' - LogoutMethod "'), Field(result,false), Constant('" - Group(s) "'), Field(group,false), Constant('"')}" +match("MESSAGE#182:AAATM_LOGOUT/7", "nwparser.p0", "%{duration_string->} - Http_resources_accessed %{fld3->} - Total_TCP_connections %{fld5->} - Total_policies_allowed %{fld7->} - Total_policies_denied %{fld8->} - Total_bytes_send %{sbytes->} - Total_bytes_recv %{rbytes->} - Total_compressedbytes_send %{fld12->} - Total_compressedbytes_recv %{fld13->} - Compression_ratio_send %{dclass_ratio1->} - Compression_ratio_recv %{dclass_ratio2->} - LogoutMethod \"%{result}\" - Group(s) \"%{group}\""); + +var all61 = all_match({ + processors: [ + dup48, + dup104, + dup66, + dup105, + dup70, + dup102, + dup103, + part269, + ], + on_success: processor_chain([ + dup71, + dup72, + dup7, + dup4, + dup59, + dup60, + dup61, + dup62, + ]), +}); + +var msg183 = msg("AAATM_LOGOUT", all61); + +var msg184 = msg("EVENT_LOGINFAILURE", dup101); + +var chain1 = processor_chain([ + select2, + msgid_select({ + "AAATM_HTTPREQUEST": msg169, + "AAATM_LOGIN": msg182, + "AAATM_LOGOUT": msg183, + "AAATM_Message": select70, + "AAA_EXTRACTED_GROUPS": msg1, + "AAA_LOGIN_FAILED": msg2, + "AAA_Message": msg161, + "ACL_ACL_PKT_LOG": msg3, + "AF_400_RESP": msg141, + "AF_MALFORMED_REQ_ERR": msg142, + "API_CMD_EXECUTED": msg160, + "APPFW_AF_400_RESP": select16, + "APPFW_AF_MALFORMED_REQ_ERR": msg150, + "APPFW_AF_MEMORY_ERR": msg23, + "APPFW_APPFW_BUFFEROVERFLOW_COOKIE": msg4, + "APPFW_APPFW_BUFFEROVERFLOW_HDR": msg5, + "APPFW_APPFW_BUFFEROVERFLOW_URL": select4, + "APPFW_APPFW_CONTENT_TYPE": msg145, + "APPFW_APPFW_COOKIE": msg8, + "APPFW_APPFW_CSRF_TAG": select17, + "APPFW_APPFW_DENYURL": msg9, + "APPFW_APPFW_FIELDCONSISTENCY": msg10, + "APPFW_APPFW_FIELDFORMAT": msg11, + "APPFW_APPFW_POLICY_HIT": msg144, + "APPFW_APPFW_REFERER_HEADER": msg147, + "APPFW_APPFW_SAFECOMMERCE": msg14, + "APPFW_APPFW_SAFECOMMERCE_XFORM": msg15, + "APPFW_APPFW_SAFEOBJECT": msg20, + "APPFW_APPFW_SIGNATURE_MATCH": select66, + "APPFW_APPFW_SQL": select11, + "APPFW_APPFW_STARTURL": msg16, + "APPFW_APPFW_XSS": msg17, + "APPFW_COOKIE": msg135, + "APPFW_CSRF_TAG": msg136, + "APPFW_FIELDCONSISTENCY": msg138, + "APPFW_Message": select19, + "APPFW_REFERER_HEADER": msg139, + "APPFW_RESP_APPFW_XML_WSI_ERR_BODY_ENV_NAMESPACE": msg146, + "APPFW_SIGNATURE_MATCH": msg140, + "APPFW_STARTURL": msg137, + "CITRIX_TVM": msg143, + "CLI_CMD_EXECUTED": msg159, + "CLUSTERD_Message": select60, + "DR_HA_Message": msg27, + "EVENT_ALERTENDED": msg28, + "EVENT_ALERTSTARTED": msg29, + "EVENT_CONFIGEND": msg30, + "EVENT_CONFIGSTART": msg31, + "EVENT_DEVICEDOWN": msg32, + "EVENT_DEVICEOFS": msg33, + "EVENT_DEVICEUP": msg34, + "EVENT_LOGINFAILURE": msg184, + "EVENT_MONITORDOWN": msg35, + "EVENT_MONITORUP": msg36, + "EVENT_NICRESET": msg37, + "EVENT_ROUTEDOWN": msg38, + "EVENT_ROUTEUP": msg39, + "EVENT_STARTCPU": msg40, + "EVENT_STARTSAVECONFIG": msg41, + "EVENT_STARTSYS": msg42, + "EVENT_STATECHANGE": select22, + "EVENT_STOPSAVECONFIG": msg46, + "EVENT_STOPSYS": msg47, + "EVENT_UNKNOWN": msg48, + "EVENT_VRIDINIT": msg124, + "GUI_CMD_EXECUTED": select67, + "ICA_APPLICATION_LAUNCH": msg178, + "ICA_APPLICATION_TERMINATE": msg180, + "ICA_CHANNEL_UPDATE": msg174, + "ICA_Message": msg176, + "ICA_NETWORK_UPDATE": msg173, + "ICA_SESSION_SETUP": msg177, + "ICA_SESSION_TERMINATE": msg179, + "ICA_SESSION_UPDATE": msg175, + "IPSEC_Message": msg127, + "NSNETSVC_Message": msg128, + "NSNETSVC_REQ_PARSE_ERROR": msg130, + "PITBOSS_Message": select28, + "RESPONDER_Message": select65, + "ROUTING_Message": select29, + "ROUTING_ZEBOS_CMD_EXECUTED": msg57, + "SNMP_TRAP_SENT": select42, + "SPCBId": msg134, + "SSLLOG_SSL_HANDSHAKE_FAILURE": msg94, + "SSLLOG_SSL_HANDSHAKE_ISSUERNAME": msg97, + "SSLLOG_SSL_HANDSHAKE_SUBJECTNAME": msg96, + "SSLLOG_SSL_HANDSHAKE_SUCCESS": msg95, + "SSLVPN_AAAEXTRACTED_GROUPS": msg98, + "SSLVPN_CLISEC_CHECK": msg93, + "SSLVPN_CLISEC_EXP_EVAL": msg99, + "SSLVPN_HTTPREQUEST": msg100, + "SSLVPN_HTTP_RESOURCEACCESS_DENIED": msg129, + "SSLVPN_ICAEND_CONNSTAT": select51, + "SSLVPN_ICASTART": select53, + "SSLVPN_LOGIN": msg103, + "SSLVPN_LOGOUT": msg104, + "SSLVPN_Message": msg109, + "SSLVPN_NONHTTP_RESOURCEACCESS_DENIED": msg123, + "SSLVPN_REMOVE_SESSION": msg171, + "SSLVPN_REMOVE_SESSION_DEBUG": msg181, + "SSLVPN_REMOVE_SESSION_ERR": msg170, + "SSLVPN_REMOVE_SESSION_INFO": msg172, + "SSLVPN_TCPCONNSTAT": msg110, + "SSLVPN_TCPCONN_TIMEDOUT": msg105, + "SSLVPN_UDPFLOWSTAT": msg106, + "Source": select64, + "TCP_CONN_DELINK": msg111, + "TCP_CONN_TERMINATE": select55, + "TCP_NAT_OTHERCONN_DELINK": msg115, + "TCP_OTHERCONN_DELINK": msg114, + "UI_CMD_EXECUTED": select58, + "User": msg133, + }), +]); + +var part270 = // "Pattern{Field(saddr,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#6:APPFW_APPFW_COOKIE/0", "nwparser.payload", "%{saddr->} %{p0}"); + +var part271 = // "Pattern{Field(url,true), Constant(' <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#7:APPFW_APPFW_DENYURL/2", "nwparser.p0", "%{url->} \u003c\u003c%{disposition}>"); + +var part272 = // "Pattern{Field(url,true), Constant(' '), Field(info,true), Constant(' <<'), Field(disposition,false), Constant('>')}" +match("MESSAGE#8:APPFW_APPFW_FIELDCONSISTENCY/2", "nwparser.p0", "%{url->} %{info->} \u003c\u003c%{disposition}>"); + +var part273 = // "Pattern{Constant('"'), Field(p0,false)}" +match("MESSAGE#20:APPFW_Message/0", "nwparser.payload", "\"%{p0}"); + +var part274 = // "Pattern{Constant('HASTATE '), Field(p0,false)}" +match("MESSAGE#23:DR_HA_Message/1_0", "nwparser.p0", "HASTATE %{p0}"); + +var part275 = // "Pattern{Field(network_service,false), Constant(': '), Field(p0,false)}" +match("MESSAGE#23:DR_HA_Message/1_1", "nwparser.p0", "%{network_service}: %{p0}"); + +var part276 = // "Pattern{Field(info,false), Constant('"')}" +match("MESSAGE#23:DR_HA_Message/2", "nwparser.p0", "%{info}\""); + +var part277 = // "Pattern{Constant('for '), Field(dclass_counter1,false)}" +match("MESSAGE#24:EVENT_ALERTENDED/1_0", "nwparser.p0", "for %{dclass_counter1}"); + +var part278 = // "Pattern{Field(space,false)}" +match_copy("MESSAGE#24:EVENT_ALERTENDED/1_1", "nwparser.p0", "space"); + +var part279 = // "Pattern{Field(obj_type,true), Constant(' "'), Field(obj_name,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#28:EVENT_DEVICEDOWN/0", "nwparser.payload", "%{obj_type->} \"%{obj_name}\"%{p0}"); + +var part280 = // "Pattern{Constant(' - State '), Field(event_state,false)}" +match("MESSAGE#28:EVENT_DEVICEDOWN/1_0", "nwparser.p0", " - State %{event_state}"); + +var part281 = // "Pattern{}" +match_copy("MESSAGE#28:EVENT_DEVICEDOWN/1_1", "nwparser.p0", ""); + +var part282 = // "Pattern{Field(obj_type,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#31:EVENT_MONITORDOWN/0", "nwparser.payload", "%{obj_type->} %{p0}"); + +var part283 = // "Pattern{Field(obj_name,true), Constant(' - State '), Field(event_state,false)}" +match("MESSAGE#31:EVENT_MONITORDOWN/1_0", "nwparser.p0", "%{obj_name->} - State %{event_state}"); + +var part284 = // "Pattern{Constant(''), Field(obj_name,false)}" +match("MESSAGE#31:EVENT_MONITORDOWN/1_2", "nwparser.p0", "%{obj_name}"); + +var part285 = // "Pattern{Constant('" '), Field(p0,false)}" +match("MESSAGE#45:PITBOSS_Message1/0", "nwparser.payload", "\" %{p0}"); + +var part286 = // "Pattern{Constant(''), Field(info,false), Constant('"')}" +match("MESSAGE#45:PITBOSS_Message1/2", "nwparser.p0", "%{info}\""); + +var part287 = // "Pattern{Constant('sysIpAddress = '), Field(hostip,false), Constant(')')}" +match("MESSAGE#54:SNMP_TRAP_SENT7/3_3", "nwparser.p0", "sysIpAddress = %{hostip})"); + +var part288 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/0", "nwparser.payload", "%{} %{p0}"); + +var part289 = // "Pattern{Constant('ClientIP '), Field(p0,false)}" +match("MESSAGE#86:SSLLOG_SSL_HANDSHAKE_FAILURE/1_0", "nwparser.p0", "ClientIP %{p0}"); + +var part290 = // "Pattern{Constant('" '), Field(fld10,true), Constant(' GMT" - End_time '), Field(p0,false)}" +match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_0", "nwparser.p0", "\" %{fld10->} GMT\" - End_time %{p0}"); + +var part291 = // "Pattern{Constant('" '), Field(fld10,false), Constant('" - End_time '), Field(p0,false)}" +match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_1", "nwparser.p0", "\" %{fld10}\" - End_time %{p0}"); + +var part292 = // "Pattern{Field(fld10,true), Constant(' - End_time '), Field(p0,false)}" +match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/1_2", "nwparser.p0", "%{fld10->} - End_time %{p0}"); + +var part293 = // "Pattern{Constant('" '), Field(fld11,true), Constant(' GMT" - Duration '), Field(p0,false)}" +match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_0", "nwparser.p0", "\" %{fld11->} GMT\" - Duration %{p0}"); + +var part294 = // "Pattern{Constant('" '), Field(fld11,false), Constant('" - Duration '), Field(p0,false)}" +match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_1", "nwparser.p0", "\" %{fld11}\" - Duration %{p0}"); + +var part295 = // "Pattern{Field(fld11,true), Constant(' - Duration '), Field(p0,false)}" +match("MESSAGE#93:SSLVPN_ICAEND_CONNSTAT/2_2", "nwparser.p0", "%{fld11->} - Duration %{p0}"); + +var part296 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - SessionId: '), Field(sessionid,false), Constant('- User '), Field(p0,false)}" +match("MESSAGE#94:SSLVPN_LOGIN/1_0", "nwparser.p0", "Context %{fld1->} - SessionId: %{sessionid}- User %{p0}"); + +var part297 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - User '), Field(p0,false)}" +match("MESSAGE#94:SSLVPN_LOGIN/1_1", "nwparser.p0", "Context %{fld1->} - User %{p0}"); + +var part298 = // "Pattern{Constant('User '), Field(p0,false)}" +match("MESSAGE#94:SSLVPN_LOGIN/1_2", "nwparser.p0", "User %{p0}"); + +var part299 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('- Client_ip '), Field(saddr,true), Constant(' - Nat_ip '), Field(p0,false)}" +match("MESSAGE#94:SSLVPN_LOGIN/2", "nwparser.p0", "%{} %{username}- Client_ip %{saddr->} - Nat_ip %{p0}"); + +var part300 = // "Pattern{Constant('"'), Field(stransaddr,false), Constant('" - Vserver '), Field(p0,false)}" +match("MESSAGE#94:SSLVPN_LOGIN/3_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver %{p0}"); + +var part301 = // "Pattern{Field(stransaddr,true), Constant(' - Vserver '), Field(p0,false)}" +match("MESSAGE#94:SSLVPN_LOGIN/3_1", "nwparser.p0", "%{stransaddr->} - Vserver %{p0}"); + +var part302 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Start_time '), Field(p0,false)}" +match("MESSAGE#95:SSLVPN_LOGOUT/4", "nwparser.p0", "%{daddr}:%{dport->} - Start_time %{p0}"); + +var part303 = // "Pattern{Constant('Context '), Field(fld1,true), Constant(' - SessionId: '), Field(sessionid,false), Constant('- User '), Field(username,true), Constant(' - Client_ip '), Field(hostip,true), Constant(' - Nat_ip '), Field(p0,false)}" +match("MESSAGE#97:SSLVPN_UDPFLOWSTAT/0", "nwparser.payload", "Context %{fld1->} - SessionId: %{sessionid}- User %{username->} - Client_ip %{hostip->} - Nat_ip %{p0}"); + +var part304 = // "Pattern{Field(,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#100:SSLVPN_Message/0", "nwparser.payload", "%{}\"%{p0}"); + +var part305 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Vserver '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - NatIP '), Field(stransaddr,false), Constant(':'), Field(stransport,true), Constant(' - Destination '), Field(dtransaddr,false), Constant(':'), Field(dtransport,true), Constant(' - Delink Time '), Field(p0,false)}" +match("MESSAGE#102:TCP_CONN_DELINK/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Vserver %{daddr}:%{dport->} - NatIP %{stransaddr}:%{stransport->} - Destination %{dtransaddr}:%{dtransport->} - Delink Time %{p0}"); + +var part306 = // "Pattern{Field(fld11,true), Constant(' GMT - Total_bytes_send '), Field(p0,false)}" +match("MESSAGE#102:TCP_CONN_DELINK/1_0", "nwparser.p0", "%{fld11->} GMT - Total_bytes_send %{p0}"); + +var part307 = // "Pattern{Field(fld11,true), Constant(' - Total_bytes_send '), Field(p0,false)}" +match("MESSAGE#102:TCP_CONN_DELINK/1_1", "nwparser.p0", "%{fld11->} - Total_bytes_send %{p0}"); + +var part308 = // "Pattern{Field(sbytes,true), Constant(' - Total_bytes_recv '), Field(rbytes,false)}" +match("MESSAGE#102:TCP_CONN_DELINK/2", "nwparser.p0", "%{sbytes->} - Total_bytes_recv %{rbytes}"); + +var part309 = // "Pattern{Constant('Source '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' - Destination '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' - Start Time '), Field(p0,false)}" +match("MESSAGE#103:TCP_CONN_TERMINATE/0", "nwparser.payload", "Source %{saddr}:%{sport->} - Destination %{daddr}:%{dport->} - Start Time %{p0}"); + +var part310 = // "Pattern{Field(fld10,true), Constant(' GMT - End Time '), Field(p0,false)}" +match("MESSAGE#103:TCP_CONN_TERMINATE/1_0", "nwparser.p0", "%{fld10->} GMT - End Time %{p0}"); + +var part311 = // "Pattern{Field(fld10,true), Constant(' - End Time '), Field(p0,false)}" +match("MESSAGE#103:TCP_CONN_TERMINATE/1_1", "nwparser.p0", "%{fld10->} - End Time %{p0}"); + +var part312 = // "Pattern{Field(info,true), Constant(' "')}" +match("MESSAGE#113:CLUSTERD_Message:02/1_1", "nwparser.p0", "%{info->} \""); + +var part313 = // "Pattern{Constant('"'), Field(event_type,false), Constant(': '), Field(p0,false)}" +match("MESSAGE#158:AAA_Message/0", "nwparser.payload", "\"%{event_type}: %{p0}"); + +var part314 = // "Pattern{Constant('Sessionid '), Field(sessionid,true), Constant(' - User '), Field(username,true), Constant(' - Client_ip '), Field(saddr,true), Constant(' - Nat_ip '), Field(p0,false)}" +match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/0", "nwparser.payload", "Sessionid %{sessionid->} - User %{username->} - Client_ip %{saddr->} - Nat_ip %{p0}"); + +var part315 = // "Pattern{Constant('"'), Field(stransaddr,false), Constant('" - Vserver_ip '), Field(p0,false)}" +match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_0", "nwparser.p0", "\"%{stransaddr}\" - Vserver_ip %{p0}"); + +var part316 = // "Pattern{Field(stransaddr,true), Constant(' - Vserver_ip '), Field(p0,false)}" +match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/1_1", "nwparser.p0", "%{stransaddr->} - Vserver_ip %{p0}"); + +var part317 = // "Pattern{Field(daddr,true), Constant(' - Errmsg " '), Field(event_description,true), Constant(' "')}" +match("MESSAGE#167:SSLVPN_REMOVE_SESSION_ERR/2", "nwparser.p0", "%{daddr->} - Errmsg \" %{event_description->} \""); + +var select72 = linear_select([ + dup21, + dup22, +]); + +var select73 = linear_select([ + dup25, + dup26, +]); + +var select74 = linear_select([ + dup32, + dup33, +]); + +var part318 = // "Pattern{Field(fld1,false), Constant(':UserLogin:'), Field(username,true), Constant(' - '), Field(event_description,true), Constant(' from client IP Address '), Field(saddr,false)}" +match("MESSAGE#84:SNMP_TRAP_SENT:05", "nwparser.payload", "%{fld1}:UserLogin:%{username->} - %{event_description->} from client IP Address %{saddr}", processor_chain([ + dup5, + dup4, +])); + +var select75 = linear_select([ + dup52, + dup53, + dup54, +]); + +var select76 = linear_select([ + dup55, + dup56, + dup57, +]); + +var select77 = linear_select([ + dup63, + dup64, + dup65, +]); + +var select78 = linear_select([ + dup67, + dup68, +]); + +var select79 = linear_select([ + dup76, + dup77, +]); + +var select80 = linear_select([ + dup81, + dup82, +]); + +var part319 = // "Pattern{Constant('User '), Field(username,true), Constant(' - Remote_ip '), Field(saddr,true), Constant(' - Command "'), Field(action,false), Constant('" - Status "'), Field(disposition,false), Constant('"')}" +match("MESSAGE#109:UI_CMD_EXECUTED", "nwparser.payload", "User %{username->} - Remote_ip %{saddr->} - Command \"%{action}\" - Status \"%{disposition}\"", processor_chain([ + dup88, + dup89, + dup3, + dup4, +])); + +var part320 = // "Pattern{Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(fld1,false), Constant('|'), Field(severity,false), Constant('|src='), Field(saddr,true), Constant(' spt='), Field(sport,true), Constant(' method='), Field(web_method,true), Constant(' request='), Field(url,true), Constant(' msg='), Field(info,true), Constant(' cn1='), Field(fld2,true), Constant(' cn2='), Field(fld3,true), Constant(' cs1='), Field(policyname,true), Constant(' cs2='), Field(fld5,true), Constant(' cs3='), Field(fld6,true), Constant(' cs4='), Field(severity,true), Constant(' cs5='), Field(fld8,true), Constant(' act='), Field(action,false)}" +match("MESSAGE#122:APPFW_COOKIE", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs3=%{fld6->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ + dup9, + dup91, +])); + +var part321 = // "Pattern{Field(product,false), Constant('|'), Field(version,false), Constant('|'), Field(rule,false), Constant('|'), Field(fld1,false), Constant('|'), Field(severity,false), Constant('|src='), Field(saddr,true), Constant(' spt='), Field(sport,true), Constant(' method='), Field(web_method,true), Constant(' request='), Field(url,true), Constant(' msg='), Field(info,true), Constant(' cn1='), Field(fld2,true), Constant(' cn2='), Field(fld3,true), Constant(' cs1='), Field(policyname,true), Constant(' cs2='), Field(fld5,true), Constant(' cs4='), Field(severity,true), Constant(' cs5='), Field(fld8,true), Constant(' act='), Field(action,false)}" +match("MESSAGE#128:AF_400_RESP", "nwparser.payload", "%{product}|%{version}|%{rule}|%{fld1}|%{severity}|src=%{saddr->} spt=%{sport->} method=%{web_method->} request=%{url->} msg=%{info->} cn1=%{fld2->} cn2=%{fld3->} cs1=%{policyname->} cs2=%{fld5->} cs4=%{severity->} cs5=%{fld8->} act=%{action}", processor_chain([ + dup11, + dup91, +])); + +var part322 = // "Pattern{Field(info,false)}" +match_copy("MESSAGE#165:AAATM_Message:06", "nwparser.payload", "info", processor_chain([ + dup9, + dup4, +])); + +var select81 = linear_select([ + dup95, + dup96, +]); + +var all62 = all_match({ + processors: [ + dup20, + dup98, + dup23, + ], + on_success: processor_chain([ + dup2, + dup24, + dup3, + dup4, + ]), +}); + +var all63 = all_match({ + processors: [ + dup94, + dup112, + dup97, + ], + on_success: processor_chain([ + dup9, + dup4, + ]), +}); diff --git a/x-pack/filebeat/module/f5/firepass/ingest/pipeline.yml b/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml similarity index 81% rename from x-pack/filebeat/module/f5/firepass/ingest/pipeline.yml rename to x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml index d303dbfff86..a2f7da6f2a0 100644 --- a/x-pack/filebeat/module/f5/firepass/ingest/pipeline.yml +++ b/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml @@ -1,7 +1,11 @@ --- -description: Pipeline for F5 Firepass +description: Pipeline for Citrix NetScaler processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original @@ -49,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{server.domain}}' + allow_duplicates: false + if: ctx?.server?.domain != null && ctx.server?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/citrix/virtualapps/manifest.yml b/x-pack/filebeat/module/citrix/netscaler/manifest.yml similarity index 88% rename from x-pack/filebeat/module/citrix/virtualapps/manifest.yml rename to x-pack/filebeat/module/citrix/netscaler/manifest.yml index 05766fb7f5a..4f7831e1936 100644 --- a/x-pack/filebeat/module/citrix/virtualapps/manifest.yml +++ b/x-pack/filebeat/module/citrix/netscaler/manifest.yml @@ -3,11 +3,11 @@ module_version: "1.0" var: - name: paths - name: tags - default: ["citrix.virtualapps", "forwarded"] + default: ["citrix.netscaler", "forwarded"] - name: syslog_host default: localhost - name: syslog_port - default: 9507 + default: 9526 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/citrix/netscaler/test/generated.log b/x-pack/filebeat/module/citrix/netscaler/test/generated.log new file mode 100644 index 00000000000..33bb1d4e168 --- /dev/null +++ b/x-pack/filebeat/module/citrix/netscaler/test/generated.log @@ -0,0 +1,100 @@ +1/29/2016:06:09:59 avolupt : ICA APPLICATION_LAUNCH nnumqua:session_guid eacommod - device_serial_number rci - client_cookie olaboris - flags tur - launch_mechanism itv - app_launch_time 1/29/2016:06:09:59 - app_process_id odoco - app_name ria - module_path min +2/12/2016:13:12:33 nulapari : GUI CMD_EXECUTED mwritten:User ctetur - Remote_ip 10.102.218.31 - Command "deny -priority mipsumq -devno gnaali" - Status "enatus" +02/26/2016:20:15:08 com : SSLLOG SSL_HANDSHAKE_SUBJECTNAME eataevi:SPCBId byC - SubjectName "tinculp" +3/12/2016:03:17:42 maveniam : ACL ACL_PKT_LOG uian:Source 10.72.11.247:4780 --> Destination 10.134.175.248:4496 - Protocol udp - TimeStamp antium - Hitcount 1279 - Hit Rule lupta - Data iusmodt +APPFW_COOKIE |1.3626|uaera|sitas|medium|src=10.12.182.150 spt=7788 method=iumto request=https://www5.example.net/sun/essecill.html?saute=vel#quu msg=undeo cn1=loremip cn2=rnatura cs1=isqu cs2=uis cs3=idolore cs4=very-high cs5=llumquid act=cancel +4/9/2016:17:22:51 rehe : SSLVPN UDPFLOWSTAT :Context ume - SessionId: incidi- User picia - Client_ip 10.109.68.21 - Nat_ip 10.96.119.12 - Vserver 10.83.234.60:6178 - Source 10.156.210.168:6317 - Destination 10.21.92.218:4125 - Start_time " 4/9/2016:17:22:51 GMT" - End_time " 4/9/2016:17:22:51" - Duration agnaali - Total_bytes_send 4138 - Total_bytes_recv 3671 - Access inima - Group(s) "tlabo" +4/24/2016:00:25:25 iineavo : ICA SESSION_TERMINATE equatD:session_guid isno - device_serial_number taliq - client_cookie intoccae - flags ents - session_end_time 4/24/2016:00:25:25 +5/8/2016:07:27:59 sinto : APPFW Message :"Duplicate rule id emoeni" +5/22/2016:14:30:33 inesci : APPFW APPFW_REFERER_HEADER :10.109.157.63 mqu apariat tlabore https://www5.example.org/remi/saute.txt?ionevo=remagn#run Referer header check failed: referer header URL 'https://www.example.net/uovolup/samvolu.html?licab=eirure#conseq' not in Start URL or closure list < +6/5/2016:21:33:08 ern : SSLVPN REMOVE_SESSION_ERR :Sessionid psaquae - User ationemu - Client_ip 10.92.161.8 - Nat_ip 10.103.118.137 - Vserver_ip 10.116.193.182 - Errmsg " snostrud " +6/20/2016:04:35:42 quisnos : EVENT STARTSAVECONFIG :SAVECONFIG ite +7/4/2016:11:38:16 acc : SNMP TRAP_SENT :amc ( haPeerSystemState = "amest", sysIpAddress = 10.37.226.87) +7/18/2016:18:40:50 gel : SSLVPN ICAEND_CONNSTAT :Source 10.235.101.253:4467 - Destination 10.245.10.170:3314 - username:domainname ulapa:liqui - startTime " 7/18/2016:18:40:50 GMT" - endTime " 7/18/2016:18:40:50" - Duration quioffi - Total_bytes_send 1359 - Total_bytes_recv 1287 - Total_compressedbytes_send ncidid - Total_compressedbytes_recv quaturve - Compression_ratio_send sequa - Compression_ratio_recv aera - connectionId ate +8/2/2016:01:43:25 nsecte : EVENT ALERTENDED :inculpa.exe ended +8/16/2016:08:45:59 nisi : AAATM HTTPREQUEST :Context dant - SessionId: rroquis- aeabi User eiu : Group(s) ntiumdo : Vserver 10.162.161.83:5025 - 8/16/2016:08:45:59 PST: SSO is olupta : litse https://mail.example.com/itatio/uta.htm?sintoc=volupt#siste uiinea +8/30/2016:15:48:33 idolo : ICA APPLICATION_LAUNCH :session_guid quinesc - device_serial_number madmi - client_cookie tur - flags roi - launch_mechanism niamqui - app_launch_time 8/30/2016:15:48:33 - app_process_id orem - app_name sno - module_path atno +9/13/2016:22:51:07 ntocca : APPFW APPFW_XSS :10.26.55.33 quiavol Cross-sitehttps://internal.example.com/temquiav/equatu.txt?cons=sBon#orro script tae < +9/28/2016:05:53:42 isc : AAATM Message ullamcor:"sent request to tobea for authentication, user <, client ip 10.206.87.219" +10/12/2016:12:56:16 litessec : SNMP TRAP_SENT :itas ( entityName = "edquia (sequatu" , sysIpAddress = 10.27.58.92) +10/26/2016:19:58:50 qui : NSNETSVC Message :"tasn: Nemoenim " +11/10/2016:03:01:24 str : EVENT STOPSYS :System stopped - idolore +11/24/2016:10:03:59 illoin : APPFW APPFW_SAFEOBJECT tanimid:10.93.68.231 ctet Match found with Safe Object: ati < +12/8/2016:17:06:33 niamqui : APPFW APPFW_POLICY_HIT :10.236.120.18 adeser oin mvenia https://www5.example.org/fugitsed/quam.html?luptate=persp#entsunt ihilm +12/23/2016:00:09:07 meius : RESPONDER Message :"NSRateLimit=billo, ClientIP=10.103.127.155" +1/6/2017:07:11:41 nonp : EVENT ALERTSTARTED :labo.exe started for 267 +APPFW_COOKIE |1.2352|rQu|mco|medium|src=10.206.81.23 spt=6280 method=tincu request=https://internal.example.com/itse/umexerc.gif?intocc=amcorp#ntsunt msg=uidol cn1=litani cn2=utodita cs1=aec cs2=fdeF cs3=iquidexe cs4=low cs5=niamq act=cancel +2/3/2017:21:16:50 ipsamvo : ROUTING ZEBOS_CMD_EXECUTED onula:miu Command "accept" upt +2/18/2017:04:19:24 snost : EVENT NICRESET tpersp:llamc "nte" - State mvel +3/4/2017:11:21:59 eratvol : APPFW APPFW_SAFECOMMERCE :10.253.132.145 est uptatemU Maximum no. https://internal.example.com/tla/item.jpg?isa=niamqui#atcupid of potential credit card numbers seen < +3/18/2017:18:24:33 naaliq : AAA LOGIN_FAILED :User nte - Client_ip 10.5.67.143 - Failure_reason "unknown" +4/2/2017:01:27:07 loi : ICA SESSION_TERMINATE isc:session_guid Nequepor - device_serial_number eirure - client_cookie deserun - flags esseq - session_end_time 4/2/2017:01:27:07 +4/16/2017:08:29:41 iquamqua : SSLVPN ICASTART :Source 10.248.165.185:3436 - Destination 10.32.39.220:3589 - username:domainname exeaco:teni - applicationName dquiac - startTime " 4/16/2017:08:29:41" - connectionId itaedict +4/30/2017:15:32:16 mUten : SSLVPN REMOVE_SESSION_ERR emq:Sessionid maperi - User agnaaliq - Client_ip 10.197.6.245 - Nat_ip 10.81.45.174 - Vserver_ip 10.82.28.220 - Errmsg " mve " +5/14/2017:22:34:50 cipitl : EVENT STARTSAVECONFIG :SAVECONFIG caboNemo +5/29/2017:05:37:24 uto : SSLVPN ICASTART iuntNequ:Server port = 7202 - Server server ip = 10.18.25.125 - username:domain_name = quatD:isqua - application name = uta +6/12/2017:12:39:58 tsed : ICA CHANNEL_UPDATE :session_guid eturad - device_serial_number tiumdolo - client_cookie atuse - flags ueipsa - channel_update_begin 6/12/2017:12:39:58 - channel_update_end 6/12/2017:12:39:58 - channel_id_1 scipitl - channel_id_1_val eumi - channel_id_2 quasiarc - channel_id_2_val olli -channel_id_3 rever - channel_id_3_val ore - channel_id_4 offici - channel_id_4_val ection -channel_id_5 roquisqu - channel_id_5_val edolorin +6/26/2017:19:42:33 aspe : CLUSTERD Message imadmi: "isnis(10.230.93.243) port(1625) msglen(iatqu) rcv(6203) R(unknown) " +7/11/2017:02:45:07 liquid : APPFW APPFW_BUFFEROVERFLOW_HDR :10.13.181.73 ate mporainc xea: https://www.example.org/umdolo/ntiu.jpg?dquiaco=nibus#vitaed < +7/25/2017:09:47:41 isi : APPFW APPFW_COOKIE culpaq:10.162.97.197 ende abor Cookiehttps://internal.example.org/adol/iutal.gif?niam=pernat#rerepre validation failed for nculpaq < +User nisiu - Remote_ip 10.101.178.146 - Command "ptatem" - Status "unknown" +8/22/2017:23:52:50 onproide : APPFW APPFW_REFERER_HEADER ntmo:10.143.88.119 tNe pisc urEx https://www.example.com/tquidol/ercitat.txt?atcupi=atem#qui Referer header check failed: referer header URL 'https://mail.example.com/nim/ame.jpg?uid=equaturv#lamc' not in Start URL or closure list < +9/6/2017:06:55:24 equatDu : ROUTING ZEBOS_CMD_EXECUTED :pta Command "allow" prehe +9/20/2017:13:57:58 illoi : SSLVPN NONHTTP_RESOURCEACCESS_DENIED :Context reetdolo - SessionId: rationev- User ehender - Client_ip 10.117.94.131 - Nat_ip 10.180.83.140 - Vserver 10.45.114.111:357 - Source 10.243.226.122:3512 - Destination 10.3.23.172:7332 - Total_bytes_send emullamc - Total_bytes_recv tec - Denied_by_policy "Nemo" - Group(s) "tutlabo" +10/4/2017:21:00:32 iame : EVENT DEVICEUP laudanti:umiurer "rere" +10/19/2017:04:03:07 ori : APPFW APPFW_COOKIE uamqu:10.76.92.223 quiac sunt Cookiehttps://www5.example.org/emUte/iusmodi.htm?tura=osquirat#equat validation failed for aliquid < +11/2/2017:11:05:41 sun : AAATM Message urau:"etur: rsitvol " +11/16/2017:18:08:15 eque : SSLVPN CLISEC_CHECK eufug:User est - Client IP 10.101.172.233 - Vserver 10.211.163.7:940 - Client_security_expression "CLIENT.REG('iatnu').VALUE == writte || sitvo - failure +12/1/2017:01:10:49 llumq : DR HA_Message :"HASTATE tenim" +12/15/2017:08:13:24 itseddo : APPFW Message bore:"Setting same CustomSettings( ) to profile. ptate" +12/29/2017:15:15:58 mvenia : SSLVPN ICASTART :Source 10.29.207.55:7061 - Destination 10.61.175.217:2631 - username:domainname scip:Finibus - applicationName Utenimad - startTime 12/29/2017:15:15:58 - connectionId olupta +1/12/2018:22:18:32 fficia : SSLVPN AAAEXTRACTED_GROUPS est:Extracted_groups "ali" +1/27/2018:05:21:06 ceroi : APPFW APPFW_BUFFEROVERFLOW_URL :10.55.203.193 idunt edqu cte: https://internal.example.org/CSe/exerci.htm?eserun=pta#emu < +2/10/2018:12:23:41 orp : EVENT STATECHANGE :ender (dico) - uptatem upt +2/24/2018:19:26:15 idolo : EVENT STARTSYS reet:System started - lorem +3/11/2018:02:28:49 tmo : APPFW APPFW_SAFECOMMERCE_XFORM onofdeF:10.189.13.237 its https://www5.example.org/aliqui/datatnon.gif?nse=miurere#evit (uatu) potential credit card numbers seen in server response +3/25/2018:09:31:24 uamestqu : EVENT DEVICEUP mpor:orem "eniamqui" - State ven +4/8/2018:16:33:58 tdolorem : EVENT CONFIGEND :CONFIG qui +4/22/2018:23:36:32 deritinv : EVENT STARTSYS evelite:System started - cupidata +5/7/2018:06:39:06 emeu : ICA SESSION_TERMINATE :session_guid tatemac - device_serial_number quisn - client_cookie rem - flags ulamcola - session_end_time 5/7/2018:06:39:06 +5/21/2018:13:41:41 uisaut : APPFW APPFW_CSRF_TAG :10.23.202.99 tuser CSRF Tag validation failed: < +6/4/2018:20:44:15 sitame : EVENT ROUTEUP :oinven natu - State edqu +APPFW_FIELDCONSISTENCY |1.1396|ntutlab|rumSecti|medium|src=10.72.114.116 spt=2840 method=tesse request=https://internal.example.org/isno/oluptas.html?aeco=rinrepr#dutp msg=orem cn1=giatqu cn2=rsint cs1=rsi cs2=paq cs3=uianon cs4=high cs5=uisautem act=allow +7/3/2018:10:49:23 reprehen : ROUTING ZEBOS_CMD_EXECUTED tvol:ptat Command "allow" tdolo +7/17/2018:17:51:58 porissus : EVENT STARTCPU :CPU_started imip +8/1/2018:00:54:32 eumfu : ICA Message :docons +08/15/2018:07:57:06 turvelil : SSLLOG SSL_HANDSHAKE_SUBJECTNAME urExc:SPCBId doconse - SubjectName "audant" +8/29/2018:14:59:40 teturad : SNMP TRAP_SENT :ese (entityName = "eddoei", sysIpAddress = 10.161.68.13) +9/12/2018:22:02:15 tdolo : AAA LOGIN_FAILED :User ident - Client_ip 10.213.165.165 - Failure_reason "success" +9/27/2018:05:04:49 tetura : SSLVPN REMOVE_SESSION_ERR autemv:Sessionid sciveli - User picia - Client_ip 10.225.146.5 - Nat_ip 10.80.5.101 - Vserver_ip 10.41.65.89 - Errmsg " lapari " +10/11/2018:12:07:23 tMal : APPFW APPFW_REFERER_HEADER porin:10.241.143.145 quid aUten Duis https://www.example.org/quid/accus.html?edutpers=ctobeat#upta Referer header check failed: referer header URL 'https://mail.example.com/dictasun/psa.txt?secte=ctobeat#onsec' not in Start URL or closure list < +10/25/2018:19:09:57 ree : ROUTING Message :"itten started" +11/9/2018:02:12:32 temaccu : APPFW APPFW_SAFECOMMERCE_XFORM uamqua:10.106.34.244 eumiu https://example.com/pteurs/ercitati.html?ptat=mipsu#velillu (ecatcupi) potential credit card numbers seen in server response +11/23/2018:09:15:06 iquipex : SSLVPN REMOVE_SESSION_INFO mqu:Sessionid onorume - User abill - Client_ip 10.22.34.206 - Nat_ip "10.183.26.222" - Vserver_ip 10.33.231.173 - Errmsg " uasiarch " +12/7/2018:16:17:40 stenat : EVENT DEVICEDOWN :uianonnu "tatiset" - State quira +12/21/2018:23:20:14 samvol : EVENT MONITORUP :equa apari - State tsunt +1/5/2019:06:22:49 llo : SNMP TRAP_SENT :uames ( alarmRateLmtThresholdExceeded = "tla: "iaconseq...", ipAddressGathered = "sed", stringComputed = "sedd", sysIpAddress = 10.53.113.79) +1/19/2019:13:25:23 luptatev : EVENT ROUTEDOWN :occaeca dan - State pta +02/02/2019:20:27:57 equamni : SSLLOG SSL_HANDSHAKE_ISSUERNAME atcupi:SPCBId enima - IssuerName "uptateve" +2/17/2019:03:30:32 uiac : ICA APPLICATION_TERMINATE :session_guid tquii - device_serial_number tesse - client_cookie iamea - flags loremi - app_termination_type queporro - app_process_id tur - app_termination_time 2/17/2019:03:30:32 +3/3/2019:10:33:06 tamrema : APPFW APPFW_SAFECOMMERCE isautem:10.219.65.172 conse Maximum no. https://internal.example.net/edqui/tvolu.txt?ore=lors#saute of potential credit card numbers seen < +3/17/2019:17:35:40 dtempo : AAATM HTTPREQUEST lumqu:Context moen - SessionId: oinvento- mporin User orissusc : Group(s) utaliqui : Vserver 10.86.207.236:207 - 3/17/2019:17:35:40 CT litsed https://www.example.com/tiaec/lorem.jpg?totamr=seddo#aper entor +4/1/2019:00:38:14 ihil : ICA SESSION_UPDATE oremip:session_guid fdeFi - device_serial_number periam - client_cookie ccusa - flags billo - nsica_session_status doloremi - nsica_session_client_ip 10.197.128.162 - nsica_session_client_port 2052 - nsica_session_server_ip 10.187.86.64 - nsica_session_server_port 3325 - nsica_session_reconnect_count atatn - nsica_session_acr_count ipisc - connection_priority iatnulap - timestamp roi +4/15/2019:07:40:49 loreeu : APPFW APPFW_SIGNATURE_MATCH eprehe:10.163.217.101 empor - uptatemU - rem https://www5.example.com/iscivel/rinci.txt?atcupi=eriti#uptateve namaliqu rule ID riame: datatn < +4/29/2019:14:43:23 isu : ICA SESSION_UPDATE :session_guid moll - device_serial_number roinBCS - client_cookie odit - flags vol - nsica_session_status epteurs - nsica_session_client_ip 10.43.239.97 - nsica_session_client_port 6985 - nsica_session_server_ip 10.204.20.8 - nsica_session_server_port 2652 - nsica_session_reconnect_count ntoccae - nsica_session_acr_count iscive - connection_priority amni - timestamp etconse +5/13/2019:21:45:57 amquisn : SSLVPN NONHTTP_RESOURCEACCESS_DENIED Finibus:Context nsequat - SessionId: mvol- User asiar - Client_ip 10.8.82.22 - Nat_ip "10.148.244.55" - Vserver 10.133.153.174:7022 - Source 10.113.135.78:1646 - Destination 10.76.129.136:5259 - Total_bytes_send epteur - Total_bytes_recv onproi - Denied_by_policy "usmodit" - Group(s) "orese" +5/28/2019:04:48:31 atemacc : EVENT DEVICEOFS labore:iqua "ciunt" - State exea +APPFW_REFERER_HEADER |1.1103|citation|emquel|very-high|src=10.20.230.37 spt=5308 method=remip request=https://mail.example.com/aturExc/antiumto.htm?obe=niamqu#ull msg=aturE cn1=aaliqu cn2=tev cs1=oNemoeni cs2=luptatem cs3=pers cs4=low cs5=luptatem act=cancel +AF_MALFORMED_REQ_ERR |1.3141|etd|omnisi|high|src=10.186.166.215 spt=553 method=ati request=https://mail.example.org/tsuntinc/nis.gif?iin=uteiru#xer msg=iat cn1=orain cn2=equaturQ cs1=llu cs2=quaUt cs4=low cs5=nim act=block +7/10/2019:01:56:14 olorin : SSLVPN REMOVE_SESSION_INFO :Sessionid orisnisi - User emquiav - Client_ip 10.215.229.78 - Nat_ip 10.67.233.159 - Vserver_ip 10.213.112.186 - Errmsg " ectetur " +7/24/2019:08:58:48 sitasper : EVENT MONITORUP ncidunt:uiac squ - State litess +8/7/2019:16:01:23 scingeli : EVENT ALERTENDED :emq.exe ended for 2514 +8/21/2019:23:03:57 bor : ICA APPLICATION_LAUNCH magnido:session_guid lupta - device_serial_number utla - client_cookie nse - flags Dui - launch_mechanism gitsed - app_launch_time 8/21/2019:23:03:57 - app_process_id estla - app_name ione - module_path ecillum +9/5/2019:06:06:31 oreseos : ICA SESSION_UPDATE :session_guid agna - device_serial_number dmini - client_cookie tquid - flags giatquo - nsica_session_status iatisun - nsica_session_client_ip 10.96.104.212 - nsica_session_client_port 2372 - nsica_session_server_ip 10.73.45.19 - nsica_session_server_port 3791 - nsica_session_reconnect_count oeiusm - nsica_session_acr_count aUtenim - connection_priority ntincul - timestamp nnumquam +9/19/2019:13:09:05 inculpa : APPFW APPFW_SQL nvo:10.238.144.31 stiae icta https://mail.example.com/nvent/uepor.jpg?odiconse=nevolupt#tDui untutl < +10/3/2019:20:11:40 doei : NSNETSVC Message :"acomm: veleumi " +10/18/2019:03:14:14 sumquiad : TCP OTHERCONN_DELINK stl:Source 10.161.218.47:6184 - Vserver 10.29.202.248:4069 - NatIP 10.206.5.50:1064 - Destination 10.247.251.223:6658 - Delink Time 10/18/2019:03:14:14 GMT Total_bytes_send 6764 - Total_bytes_recv 7865 +11/1/2019:10:16:48 tate : DR HA_Message :"tutlabo: nto" +11/15/2019:17:19:22 tlabo : APPFW APPFW_BUFFEROVERFLOW_COOKIE :10.134.238.8 emu Malor amn: https://example.net/sintoc/rinci.txt?ali=Nequepor#aUten < +11/30/2019:00:21:57 adeseru : ICA SESSION_SETUP sitas:session_guid eni - device_serial_number cte - client_cookie ariatu - flags ess - session_setup_time ria - client_ip 10.111.22.134 - client_type datatno - client_launcher equepor - client_version 1.897 - client_hostname orisnis403.www.localhost - domain_name hend1170.www5.lan - server_name ptateve165.mail.corp - connection_priority ommodoco +SPCBId rita - ClientIP 10.148.72.78 - ClientPort 7584 - VserverServiceIP 10.37.99.189 - VserverServicePort 3275 - ClientVersion ugitsed - CipherSuite "ritatis" - success diff --git a/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json b/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json new file mode 100644 index 00000000000..cb772d91268 --- /dev/null +++ b/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json @@ -0,0 +1,3100 @@ +[ + { + "event.code": "ICA_APPLICATION_LAUNCH", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "1/29/2016:06:09:59 avolupt : ICA APPLICATION_LAUNCH nnumqua:session_guid eacommod - device_serial_number rci - client_cookie olaboris - flags tur - launch_mechanism itv - app_launch_time 1/29/2016:06:09:59 - app_process_id odoco - app_name ria - module_path min", + "file.name": "min", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 0, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.messageid": "ICA_APPLICATION_LAUNCH", + "rsa.misc.msgIdPart1": "ICA", + "rsa.misc.msgIdPart2": "APPLICATION_LAUNCH", + "rsa.time.starttime": "2016-01-29T08:09:59.000Z", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "GUI_CMD_EXECUTED", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "2/12/2016:13:12:33 nulapari : GUI CMD_EXECUTED mwritten:User ctetur - Remote_ip 10.102.218.31 - Command \"deny -priority mipsumq -devno gnaali\" - Status \"enatus\"", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 262, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.102.218.31" + ], + "related.user": [ + "ctetur" + ], + "rsa.internal.event_desc": "CLI or GUI command executed in NetScaler", + "rsa.internal.messageid": "GUI_CMD_EXECUTED", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.disposition": "enatus", + "rsa.misc.msgIdPart1": "GUI", + "rsa.misc.msgIdPart2": "CMD_EXECUTED", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.102.218.31" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "ctetur" + }, + { + "event.code": "SSLLOG_SSL_HANDSHAKE_SUBJECTNAME", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "02/26/2016:20:15:08 com : SSLLOG SSL_HANDSHAKE_SUBJECTNAME eataevi:SPCBId byC - SubjectName \"tinculp\"", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Debug", + "log.offset": 423, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.crypto.cert_subject": "tinculp", + "rsa.internal.messageid": "SSLLOG_SSL_HANDSHAKE_SUBJECTNAME", + "rsa.misc.log_session_id": "byC", + "rsa.misc.msgIdPart1": "SSLLOG", + "rsa.misc.msgIdPart2": "SSL_HANDSHAKE_SUBJECTNAME", + "rsa.misc.severity": "Debug", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.134.175.248" + ], + "destination.port": 4496, + "event.code": "ACL_ACL_PKT_LOG", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "3/12/2016:03:17:42 maveniam : ACL ACL_PKT_LOG uian:Source 10.72.11.247:4780 --> Destination 10.134.175.248:4496 - Protocol udp - TimeStamp antium - Hitcount 1279 - Hit Rule lupta - Data iusmodt", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Notice", + "log.offset": 525, + "network.protocol": "udp", + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.72.11.247", + "10.134.175.248" + ], + "rsa.counters.dclass_c1": 1279, + "rsa.db.index": "antium", + "rsa.internal.event_desc": "ACL_PKT_LOG", + "rsa.internal.messageid": "ACL_ACL_PKT_LOG", + "rsa.misc.message_body": "iusmodt", + "rsa.misc.msgIdPart1": "ACL", + "rsa.misc.msgIdPart2": "ACL_PKT_LOG", + "rsa.misc.rule_name": "lupta", + "rsa.misc.severity": "Notice", + "rule.name": "lupta", + "service.type": "citrix", + "source.ip": [ + "10.72.11.247" + ], + "source.port": 4780, + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "APPFW_COOKIE", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "APPFW_COOKIE |1.3626|uaera|sitas|medium|src=10.12.182.150 spt=7788 method=iumto request=https://www5.example.net/sun/essecill.html?saute=vel#quu msg=undeo cn1=loremip cn2=rnatura cs1=isqu cs2=uis cs3=idolore cs4=very-high cs5=llumquid act=cancel", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "very-high", + "log.offset": 719, + "observer.product": "APPFW_COOKIE", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "observer.version": "1.3626", + "related.ip": [ + "10.12.182.150" + ], + "rsa.db.index": "undeo", + "rsa.internal.messageid": "APPFW_COOKIE", + "rsa.misc.action": [ + "iumto", + "cancel" + ], + "rsa.misc.policy_name": "isqu", + "rsa.misc.rule": "uaera", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3626", + "service.type": "citrix", + "source.ip": [ + "10.12.182.150" + ], + "source.port": 7788, + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://www5.example.net/sun/essecill.html?saute=vel#quu" + }, + { + "destination.bytes": 3671, + "destination.ip": [ + "10.83.234.60" + ], + "destination.nat.ip": "10.21.92.218", + "destination.nat.port": 4125, + "destination.port": 6178, + "event.code": "SSLVPN_UDPFLOWSTAT", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "4/9/2016:17:22:51 rehe : SSLVPN UDPFLOWSTAT :Context ume - SessionId: incidi- User picia - Client_ip 10.109.68.21 - Nat_ip 10.96.119.12 - Vserver 10.83.234.60:6178 - Source 10.156.210.168:6317 - Destination 10.21.92.218:4125 - Start_time \" 4/9/2016:17:22:51 GMT\" - End_time \" 4/9/2016:17:22:51\" - Duration agnaali - Total_bytes_send 4138 - Total_bytes_recv 3671 - Access inima - Group(s) \"tlabo\"", + "fileset.name": "netscaler", + "group.name": "tlabo", + "host.ip": "10.109.68.21", + "input.type": "log", + "log.level": "Informational", + "log.offset": 965, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.96.119.12", + "10.21.92.218", + "10.83.234.60", + "10.109.68.21", + "10.156.210.168" + ], + "related.user": [ + "picia" + ], + "rsa.internal.event_desc": "SSLVPN UDP Flow Statistics", + "rsa.internal.messageid": "SSLVPN_UDPFLOWSTAT", + "rsa.misc.disposition": "inima", + "rsa.misc.group": "tlabo", + "rsa.misc.log_session_id": "incidi", + "rsa.misc.msgIdPart1": "SSLVPN", + "rsa.misc.msgIdPart2": "UDPFLOWSTAT", + "rsa.misc.severity": "Informational", + "rsa.time.duration_str": "agnaali", + "rsa.time.endtime": "2016-04-09T19:22:51.000Z", + "rsa.time.starttime": "2016-04-09T19:22:51.000Z", + "service.type": "citrix", + "source.bytes": 4138, + "source.ip": [ + "10.156.210.168" + ], + "source.nat.ip": "10.96.119.12", + "source.port": 6317, + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "picia" + }, + { + "event.code": "ICA_SESSION_TERMINATE", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "4/24/2016:00:25:25 iineavo : ICA SESSION_TERMINATE equatD:session_guid isno - device_serial_number taliq - client_cookie intoccae - flags ents - session_end_time 4/24/2016:00:25:25", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 1361, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.messageid": "ICA_SESSION_TERMINATE", + "rsa.misc.msgIdPart1": "ICA", + "rsa.misc.msgIdPart2": "SESSION_TERMINATE", + "rsa.time.endtime": "2016-04-24T02:25:25.000Z", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "APPFW_Message", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "5/8/2016:07:27:59 sinto : APPFW Message :\"Duplicate rule id emoeni\"", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Warning", + "log.offset": 1542, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.event_desc": "Invalid/Duplicate Rule id", + "rsa.internal.messageid": "APPFW_Message", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "Message", + "rsa.misc.severity": "Warning", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "APPFW_APPFW_REFERER_HEADER", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "5/22/2016:14:30:33 inesci : APPFW APPFW_REFERER_HEADER :10.109.157.63 mqu apariat tlabore https://www5.example.org/remi/saute.txt?ionevo=remagn#run Referer header check failed: referer header URL 'https://www.example.net/uovolup/samvolu.html?licab=eirure#conseq' not in Start URL or closure list <", + "fileset.name": "netscaler", + "http.request.referrer": "https://www.example.net/uovolup/samvolu.html?licab=eirure#conseq", + "input.type": "log", + "log.level": "Informational", + "log.offset": 1610, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.109.157.63" + ], + "rsa.internal.event_desc": "referer header URL not in Start URL or closure list", + "rsa.internal.messageid": "APPFW_APPFW_REFERER_HEADER", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.misc.disposition": "oidentsu", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_REFERER_HEADER", + "rsa.misc.rule_group": "tlabore", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.109.157.63" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://www5.example.org/remi/saute.txt?ionevo=remagn#run" + }, + { + "destination.ip": [ + "10.116.193.182" + ], + "event.code": "SSLVPN_REMOVE_SESSION_ERR", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "6/5/2016:21:33:08 ern : SSLVPN REMOVE_SESSION_ERR :Sessionid psaquae - User ationemu - Client_ip 10.92.161.8 - Nat_ip 10.103.118.137 - Vserver_ip 10.116.193.182 - Errmsg \" snostrud \"", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 1918, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.92.161.8", + "10.103.118.137", + "10.116.193.182" + ], + "related.user": [ + "ationemu" + ], + "rsa.internal.event_desc": "snostrud", + "rsa.internal.messageid": "SSLVPN_REMOVE_SESSION_ERR", + "rsa.misc.log_session_id": "psaquae", + "rsa.misc.msgIdPart1": "SSLVPN", + "rsa.misc.msgIdPart2": "REMOVE_SESSION_ERR", + "service.type": "citrix", + "source.ip": [ + "10.92.161.8" + ], + "source.nat.ip": "10.103.118.137", + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "ationemu" + }, + { + "event.code": "EVENT_STARTSAVECONFIG", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "6/20/2016:04:35:42 quisnos : EVENT STARTSAVECONFIG :SAVECONFIG ite", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 2101, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "ite", + "rsa.internal.event_desc": "Save configuration started", + "rsa.internal.messageid": "EVENT_STARTSAVECONFIG", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "STARTSAVECONFIG", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "SNMP_TRAP_SENT", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "7/4/2016:11:38:16 acc : SNMP TRAP_SENT :amc ( haPeerSystemState = \"amest\", sysIpAddress = 10.37.226.87)", + "fileset.name": "netscaler", + "host.ip": "10.37.226.87", + "input.type": "log", + "log.level": "Notice", + "log.offset": 2168, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.37.226.87" + ], + "rsa.internal.event_desc": "SNMP TRAP SENT", + "rsa.internal.messageid": "SNMP_TRAP_SENT", + "rsa.misc.event_state": "amest", + "rsa.misc.msgIdPart1": "SNMP", + "rsa.misc.msgIdPart2": "TRAP_SENT", + "rsa.misc.obj_type": "amc", + "rsa.misc.severity": "Notice", + "rsa.misc.space": "", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "destination.bytes": 1287, + "destination.domain": "liqui", + "destination.nat.ip": "10.245.10.170", + "destination.nat.port": 3314, + "event.code": "SSLVPN_ICAEND_CONNSTAT", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "7/18/2016:18:40:50 gel : SSLVPN ICAEND_CONNSTAT :Source 10.235.101.253:4467 - Destination 10.245.10.170:3314 - username:domainname ulapa:liqui - startTime \" 7/18/2016:18:40:50 GMT\" - endTime \" 7/18/2016:18:40:50\" - Duration quioffi - Total_bytes_send 1359 - Total_bytes_recv 1287 - Total_compressedbytes_send ncidid - Total_compressedbytes_recv quaturve - Compression_ratio_send sequa - Compression_ratio_recv aera - connectionId ate", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 2272, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.235.101.253", + "10.245.10.170" + ], + "related.user": [ + "ulapa" + ], + "rsa.counters.dclass_r1": "sequa", + "rsa.counters.dclass_r1_str": " Compression_ratio_send", + "rsa.counters.dclass_r2": "aera", + "rsa.counters.dclass_r2_str": " Compression_ratio_recv", + "rsa.internal.event_desc": "ICA connection related information for a connection belonging to a SSLVPN session", + "rsa.internal.messageid": "SSLVPN_ICAEND_CONNSTAT", + "rsa.misc.comp_rbytes": "quaturve", + "rsa.misc.comp_sbytes": "ncidid", + "rsa.misc.connection_id": "ate", + "rsa.misc.msgIdPart1": "SSLVPN", + "rsa.misc.msgIdPart2": "ICAEND_CONNSTAT", + "rsa.misc.severity": "Informational", + "rsa.time.duration_str": "quioffi", + "rsa.time.endtime": "2016-07-18T20:40:50.000Z", + "rsa.time.starttime": "2016-07-18T20:40:50.000Z", + "service.type": "citrix", + "source.bytes": 1359, + "source.ip": [ + "10.235.101.253" + ], + "source.port": 4467, + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "ulapa" + }, + { + "event.code": "EVENT_ALERTENDED", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "8/2/2016:01:43:25 nsecte : EVENT ALERTENDED :inculpa.exe ended ", + "fileset.name": "netscaler", + "input.type": "log", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2706, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.messageid": "EVENT_ALERTENDED", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "ALERTENDED", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.162.161.83" + ], + "destination.port": 5025, + "event.code": "AAATM_HTTPREQUEST", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "8/16/2016:08:45:59 nisi : AAATM HTTPREQUEST :Context dant - SessionId: rroquis- aeabi User eiu : Group(s) ntiumdo : Vserver 10.162.161.83:5025 - 8/16/2016:08:45:59 PST: SSO is olupta : litse https://mail.example.com/itatio/uta.htm?sintoc=volupt#siste uiinea", + "event.timezone": "PST", + "fileset.name": "netscaler", + "group.name": "ntiumdo", + "input.type": "log", + "log.offset": 2770, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.162.161.83" + ], + "related.user": [ + "eiu" + ], + "rsa.internal.event_desc": "AAATM HTTP Request", + "rsa.internal.messageid": "AAATM_HTTPREQUEST", + "rsa.misc.action": [ + "litse" + ], + "rsa.misc.event_computer": "aeabi", + "rsa.misc.group": "ntiumdo", + "rsa.misc.log_session_id": "rroquis", + "rsa.misc.msgIdPart1": "AAATM", + "rsa.misc.msgIdPart2": "HTTPREQUEST", + "rsa.time.effective_time": "2016-08-16T10:45:59.000Z", + "rsa.time.timezone": "PST", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://mail.example.com/itatio/uta.htm?sintoc=volupt#siste", + "user.name": "eiu" + }, + { + "event.code": "ICA_APPLICATION_LAUNCH", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "8/30/2016:15:48:33 idolo : ICA APPLICATION_LAUNCH :session_guid quinesc - device_serial_number madmi - client_cookie tur - flags roi - launch_mechanism niamqui - app_launch_time 8/30/2016:15:48:33 - app_process_id orem - app_name sno - module_path atno", + "file.name": "atno", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 3028, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.messageid": "ICA_APPLICATION_LAUNCH", + "rsa.misc.msgIdPart1": "ICA", + "rsa.misc.msgIdPart2": "APPLICATION_LAUNCH", + "rsa.time.starttime": "2016-08-30T17:48:33.000Z", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "APPFW_APPFW_XSS", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "9/13/2016:22:51:07 ntocca : APPFW APPFW_XSS :10.26.55.33 quiavol Cross-sitehttps://internal.example.com/temquiav/equatu.txt?cons=sBon#orro script tae <", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 3281, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.26.55.33" + ], + "rsa.db.index": "tae", + "rsa.internal.event_desc": "AppFw XSS violation", + "rsa.internal.messageid": "APPFW_APPFW_XSS", + "rsa.misc.disposition": "ccaec", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_XSS", + "rsa.misc.rule_group": "quiavol", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.26.55.33" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://internal.example.com/temquiav/equatu.txt?cons=sBon#orro" + }, + { + "event.action": "sent request", + "event.code": "AAATM_Message", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "9/28/2016:05:53:42 isc : AAATM Message ullamcor:\"sent request to tobea for authentication, user <, client ip 10.206.87.219\"", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 3440, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.hosts": [ + "tor4410.api.localhost" + ], + "related.ip": [ + "10.206.87.219" + ], + "related.user": [ + "eavolup" + ], + "rsa.internal.messageid": "AAATM_Message", + "rsa.misc.event_type": "sent request", + "rsa.misc.msgIdPart1": "AAATM", + "rsa.misc.msgIdPart2": "Message", + "rsa.network.domain": "tor4410.api.localhost", + "server.domain": "tor4410.api.localhost", + "service.type": "citrix", + "source.ip": [ + "10.206.87.219" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "eavolup" + }, + { + "event.code": "SNMP_TRAP_SENT", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "10/12/2016:12:56:16 litessec : SNMP TRAP_SENT :itas ( entityName = \"edquia (sequatu\" , sysIpAddress = 10.27.58.92)", + "fileset.name": "netscaler", + "host.ip": "10.27.58.92", + "input.type": "log", + "log.level": "Notice", + "log.offset": 3595, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.27.58.92" + ], + "rsa.db.index": "sequatu", + "rsa.internal.event_desc": "SNMP TRAP SENT", + "rsa.internal.messageid": "SNMP_TRAP_SENT", + "rsa.misc.msgIdPart1": "SNMP", + "rsa.misc.msgIdPart2": "TRAP_SENT", + "rsa.misc.obj_name": "edquia", + "rsa.misc.obj_type": "itas", + "rsa.misc.severity": "Notice", + "rsa.misc.space": "", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.action": "tasn", + "event.code": "NSNETSVC_Message", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "10/26/2016:19:58:50 qui : NSNETSVC Message :\"tasn: Nemoenim \"", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 3710, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "Nemoenim", + "rsa.internal.messageid": "NSNETSVC_Message", + "rsa.misc.event_type": "tasn", + "rsa.misc.msgIdPart1": "NSNETSVC", + "rsa.misc.msgIdPart2": "Message", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "EVENT_STOPSYS", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "11/10/2016:03:01:24 str : EVENT STOPSYS :System stopped - idolore", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 3772, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "idolore", + "rsa.internal.event_desc": "Netscaler Stopped", + "rsa.internal.messageid": "EVENT_STOPSYS", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_subject": "Service", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "STOPSYS", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "APPFW_APPFW_SAFEOBJECT", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "11/24/2016:10:03:59 illoin : APPFW APPFW_SAFEOBJECT tanimid:10.93.68.231 ctet Match found with Safe Object: ati <", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 3838, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.93.68.231" + ], + "rsa.db.index": "ati", + "rsa.internal.event_desc": "AppFw Safe Object", + "rsa.internal.messageid": "APPFW_APPFW_SAFEOBJECT", + "rsa.misc.disposition": "uine", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_SAFEOBJECT", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.93.68.231" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "APPFW_APPFW_POLICY_HIT", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "12/8/2016:17:06:33 niamqui : APPFW APPFW_POLICY_HIT :10.236.120.18 adeser oin mvenia https://www5.example.org/fugitsed/quam.html?luptate=persp#entsunt ihilm", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 3958, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.236.120.18" + ], + "rsa.internal.event_desc": "ihilm", + "rsa.internal.messageid": "APPFW_APPFW_POLICY_HIT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_POLICY_HIT", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.236.120.18" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://www5.example.org/fugitsed/quam.html?luptate=persp#entsunt" + }, + { + "event.code": "RESPONDER_Message", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "12/23/2016:00:09:07 meius : RESPONDER Message :\"NSRateLimit=billo, ClientIP=10.103.127.155\"", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 4115, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.103.127.155" + ], + "rsa.internal.messageid": "RESPONDER_Message", + "rsa.misc.filter": "billo", + "rsa.misc.msgIdPart1": "RESPONDER", + "rsa.misc.msgIdPart2": "Message", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.103.127.155" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "EVENT_ALERTSTARTED", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "1/6/2017:07:11:41 nonp : EVENT ALERTSTARTED :labo.exe started for 267", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 4207, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "process.name": "labo.exe", + "rsa.counters.dclass_c1": 267, + "rsa.internal.event_desc": "Alert process started", + "rsa.internal.messageid": "EVENT_ALERTSTARTED", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "ALERTSTARTED", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "APPFW_COOKIE", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "APPFW_COOKIE |1.2352|rQu|mco|medium|src=10.206.81.23 spt=6280 method=tincu request=https://internal.example.com/itse/umexerc.gif?intocc=amcorp#ntsunt msg=uidol cn1=litani cn2=utodita cs1=aec cs2=fdeF cs3=iquidexe cs4=low cs5=niamq act=cancel", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "low", + "log.offset": 4277, + "observer.product": "APPFW_COOKIE", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "observer.version": "1.2352", + "related.ip": [ + "10.206.81.23" + ], + "rsa.db.index": "uidol", + "rsa.internal.messageid": "APPFW_COOKIE", + "rsa.misc.action": [ + "tincu", + "cancel" + ], + "rsa.misc.policy_name": "aec", + "rsa.misc.rule": "rQu", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.2352", + "service.type": "citrix", + "source.ip": [ + "10.206.81.23" + ], + "source.port": 6280, + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://internal.example.com/itse/umexerc.gif?intocc=amcorp#ntsunt" + }, + { + "event.action": "accept", + "event.code": "ROUTING_ZEBOS_CMD_EXECUTED", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "2/3/2017:21:16:50 ipsamvo : ROUTING ZEBOS_CMD_EXECUTED onula:miu Command \"accept\" upt", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 4519, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "upt", + "rsa.internal.event_desc": "User has executed a command in ZebOS(vtysh)", + "rsa.internal.messageid": "ROUTING_ZEBOS_CMD_EXECUTED", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.msgIdPart1": "ROUTING", + "rsa.misc.msgIdPart2": "ZEBOS_CMD_EXECUTED", + "rsa.misc.obj_type": "miu", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "EVENT_NICRESET", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "2/18/2017:04:19:24 snost : EVENT NICRESET tpersp:llamc \"nte\" - State mvel", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 4605, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.event_desc": "The monitor bound to the service is up", + "rsa.internal.messageid": "EVENT_NICRESET", + "rsa.misc.event_state": "mvel", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "NICRESET", + "rsa.misc.obj_name": "nte", + "rsa.misc.obj_type": "llamc", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "APPFW_APPFW_SAFECOMMERCE", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "3/4/2017:11:21:59 eratvol : APPFW APPFW_SAFECOMMERCE :10.253.132.145 est uptatemU Maximum no. https://internal.example.com/tla/item.jpg?isa=niamqui#atcupid of potential credit card numbers seen <", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 4679, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.253.132.145" + ], + "rsa.db.index": "quamnih", + "rsa.internal.event_desc": "AppFw SafeCommerce credit cards seen", + "rsa.internal.messageid": "APPFW_APPFW_SAFECOMMERCE", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_SAFECOMMERCE", + "rsa.misc.rule_group": "uptatemU", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.253.132.145" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://internal.example.com/tla/item.jpg?isa=niamqui#atcupid" + }, + { + "event.code": "AAA_LOGIN_FAILED", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "3/18/2017:18:24:33 naaliq : AAA LOGIN_FAILED :User nte - Client_ip 10.5.67.143 - Failure_reason \"unknown\"", + "event.outcome": "failure", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Alert", + "log.offset": 4884, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.5.67.143" + ], + "related.user": [ + "nte" + ], + "rsa.internal.event_desc": "The aaa module failed to login the user", + "rsa.internal.messageid": "AAA_LOGIN_FAILED", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.msgIdPart1": "AAA", + "rsa.misc.msgIdPart2": "LOGIN_FAILED", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "Alert", + "service.type": "citrix", + "source.ip": [ + "10.5.67.143" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "nte" + }, + { + "event.code": "ICA_SESSION_TERMINATE", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "4/2/2017:01:27:07 loi : ICA SESSION_TERMINATE isc:session_guid Nequepor - device_serial_number eirure - client_cookie deserun - flags esseq - session_end_time 4/2/2017:01:27:07", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 4990, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.messageid": "ICA_SESSION_TERMINATE", + "rsa.misc.msgIdPart1": "ICA", + "rsa.misc.msgIdPart2": "SESSION_TERMINATE", + "rsa.time.endtime": "2017-04-02T03:27:07.000Z", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "destination.domain": "teni", + "destination.nat.ip": "10.32.39.220", + "destination.nat.port": 3589, + "event.code": "SSLVPN_ICASTART", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "4/16/2017:08:29:41 iquamqua : SSLVPN ICASTART :Source 10.248.165.185:3436 - Destination 10.32.39.220:3589 - username:domainname exeaco:teni - applicationName dquiac - startTime \" 4/16/2017:08:29:41\" - connectionId itaedict", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 5167, + "network.application": "dquiac", + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.32.39.220", + "10.248.165.185" + ], + "related.user": [ + "exeaco" + ], + "rsa.internal.messageid": "SSLVPN_ICASTART", + "rsa.misc.msgIdPart1": "SSLVPN", + "rsa.misc.msgIdPart2": "ICASTART", + "rsa.time.starttime": "2017-04-16T10:29:41.000Z", + "service.type": "citrix", + "source.ip": [ + "10.248.165.185" + ], + "source.port": 3436, + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "exeaco" + }, + { + "destination.ip": [ + "10.82.28.220" + ], + "event.code": "SSLVPN_REMOVE_SESSION_ERR", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "4/30/2017:15:32:16 mUten : SSLVPN REMOVE_SESSION_ERR emq:Sessionid maperi - User agnaaliq - Client_ip 10.197.6.245 - Nat_ip 10.81.45.174 - Vserver_ip 10.82.28.220 - Errmsg \" mve \"", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 5390, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.81.45.174", + "10.82.28.220", + "10.197.6.245" + ], + "related.user": [ + "agnaaliq" + ], + "rsa.internal.event_desc": "mve", + "rsa.internal.messageid": "SSLVPN_REMOVE_SESSION_ERR", + "rsa.misc.log_session_id": "maperi", + "rsa.misc.msgIdPart1": "SSLVPN", + "rsa.misc.msgIdPart2": "REMOVE_SESSION_ERR", + "service.type": "citrix", + "source.ip": [ + "10.197.6.245" + ], + "source.nat.ip": "10.81.45.174", + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "agnaaliq" + }, + { + "event.code": "EVENT_STARTSAVECONFIG", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "5/14/2017:22:34:50 cipitl : EVENT STARTSAVECONFIG :SAVECONFIG caboNemo", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 5570, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "caboNemo", + "rsa.internal.event_desc": "Save configuration started", + "rsa.internal.messageid": "EVENT_STARTSAVECONFIG", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "STARTSAVECONFIG", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "destination.domain": "isqua", + "destination.ip": [ + "10.18.25.125" + ], + "destination.port": 7202, + "event.code": "SSLVPN_ICASTART", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "5/29/2017:05:37:24 uto : SSLVPN ICASTART iuntNequ:Server port = 7202 - Server server ip = 10.18.25.125 - username:domain_name = quatD:isqua - application name = uta", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 5641, + "network.application": "uta", + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.18.25.125" + ], + "related.user": [ + "quatD" + ], + "rsa.internal.event_desc": "ICA started", + "rsa.internal.messageid": "SSLVPN_ICASTART", + "rsa.misc.msgIdPart1": "SSLVPN", + "rsa.misc.msgIdPart2": "ICASTART", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "quatD" + }, + { + "event.code": "ICA_CHANNEL_UPDATE", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "6/12/2017:12:39:58 tsed : ICA CHANNEL_UPDATE :session_guid eturad - device_serial_number tiumdolo - client_cookie atuse - flags ueipsa - channel_update_begin 6/12/2017:12:39:58 - channel_update_end 6/12/2017:12:39:58 - channel_id_1 scipitl - channel_id_1_val eumi - channel_id_2 quasiarc - channel_id_2_val olli -channel_id_3 rever - channel_id_3_val ore - channel_id_4 offici - channel_id_4_val ection -channel_id_5 roquisqu - channel_id_5_val edolorin", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 5806, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.messageid": "ICA_CHANNEL_UPDATE", + "rsa.misc.msgIdPart1": "ICA", + "rsa.misc.msgIdPart2": "CHANNEL_UPDATE", + "rsa.time.endtime": "2017-06-12T14:39:58.000Z", + "rsa.time.starttime": "2017-06-12T14:39:58.000Z", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "CLUSTERD_Message", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "6/26/2017:19:42:33 aspe : CLUSTERD Message imadmi: \"isnis(10.230.93.243) port(1625) msglen(iatqu) rcv(6203) R(unknown) \" ", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 6260, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "isnis(10.230.93.243) port(1625) msglen(iatqu) rcv(6203) R(unknown)", + "rsa.internal.messageid": "CLUSTERD_Message", + "rsa.misc.msgIdPart1": "CLUSTERD", + "rsa.misc.msgIdPart2": "Message", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "APPFW_APPFW_BUFFEROVERFLOW_HDR", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "7/11/2017:02:45:07 liquid : APPFW APPFW_BUFFEROVERFLOW_HDR :10.13.181.73 ate mporainc xea: https://www.example.org/umdolo/ntiu.jpg?dquiaco=nibus#vitaed <", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 6382, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.13.181.73" + ], + "rsa.db.index": "xea", + "rsa.internal.event_desc": "AppFw Buffer Overflow violation in HTTP Headers", + "rsa.internal.messageid": "APPFW_APPFW_BUFFEROVERFLOW_HDR", + "rsa.misc.disposition": "ser", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_BUFFEROVERFLOW_HDR", + "rsa.misc.rule_group": "mporainc", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.13.181.73" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://www.example.org/umdolo/ntiu.jpg?dquiaco=nibus#vitaed" + }, + { + "event.code": "APPFW_APPFW_COOKIE", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "7/25/2017:09:47:41 isi : APPFW APPFW_COOKIE culpaq:10.162.97.197 ende abor Cookiehttps://internal.example.org/adol/iutal.gif?niam=pernat#rerepre validation failed for nculpaq <", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 6541, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.162.97.197" + ], + "rsa.internal.event_desc": "AppFw Cookie violation", + "rsa.internal.messageid": "APPFW_APPFW_COOKIE", + "rsa.misc.disposition": "culpaqui", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_COOKIE", + "rsa.misc.rule_group": "abor", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.162.97.197" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://internal.example.org/adol/iutal.gif?niam=pernat#rerepre" + }, + { + "event.code": "User", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "User nisiu - Remote_ip 10.101.178.146 - Command \"ptatem\" - Status \"unknown\"", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 6728, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.101.178.146" + ], + "related.user": [ + "nisiu" + ], + "rsa.internal.messageid": "User", + "rsa.misc.result": "unknown", + "service.type": "citrix", + "source.ip": [ + "10.101.178.146" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "nisiu" + }, + { + "event.code": "APPFW_APPFW_REFERER_HEADER", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "8/22/2017:23:52:50 onproide : APPFW APPFW_REFERER_HEADER ntmo:10.143.88.119 tNe pisc urEx https://www.example.com/tquidol/ercitat.txt?atcupi=atem#qui Referer header check failed: referer header URL 'https://mail.example.com/nim/ame.jpg?uid=equaturv#lamc' not in Start URL or closure list <", + "fileset.name": "netscaler", + "http.request.referrer": "https://mail.example.com/nim/ame.jpg?uid=equaturv#lamc", + "input.type": "log", + "log.level": "Informational", + "log.offset": 6804, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.143.88.119" + ], + "rsa.internal.event_desc": "referer header URL not in Start URL or closure list", + "rsa.internal.messageid": "APPFW_APPFW_REFERER_HEADER", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.misc.disposition": "mvolupta", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_REFERER_HEADER", + "rsa.misc.rule_group": "urEx", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.143.88.119" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://www.example.com/tquidol/ercitat.txt?atcupi=atem#qui" + }, + { + "event.action": "allow", + "event.code": "ROUTING_ZEBOS_CMD_EXECUTED", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "9/6/2017:06:55:24 equatDu : ROUTING ZEBOS_CMD_EXECUTED :pta Command \"allow\" prehe", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 7104, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "prehe", + "rsa.internal.event_desc": "User has executed a command in ZebOS(vtysh)", + "rsa.internal.messageid": "ROUTING_ZEBOS_CMD_EXECUTED", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.msgIdPart1": "ROUTING", + "rsa.misc.msgIdPart2": "ZEBOS_CMD_EXECUTED", + "rsa.misc.obj_type": "pta", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.45.114.111" + ], + "destination.nat.ip": "10.3.23.172", + "destination.nat.port": 7332, + "destination.port": 357, + "event.code": "SSLVPN_NONHTTP_RESOURCEACCESS_DENIED", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "9/20/2017:13:57:58 illoi : SSLVPN NONHTTP_RESOURCEACCESS_DENIED :Context reetdolo - SessionId: rationev- User ehender - Client_ip 10.117.94.131 - Nat_ip 10.180.83.140 - Vserver 10.45.114.111:357 - Source 10.243.226.122:3512 - Destination 10.3.23.172:7332 - Total_bytes_send emullamc - Total_bytes_recv tec - Denied_by_policy \"Nemo\" - Group(s) \"tutlabo\"", + "event.outcome": "failure", + "fileset.name": "netscaler", + "group.name": "tutlabo", + "host.ip": "10.117.94.131", + "input.type": "log", + "log.offset": 7186, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.45.114.111", + "10.180.83.140", + "10.243.226.122", + "10.117.94.131", + "10.3.23.172" + ], + "related.user": [ + "ehender" + ], + "rsa.internal.messageid": "SSLVPN_NONHTTP_RESOURCEACCESS_DENIED", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_outcome": "Failure", + "rsa.misc.comp_rbytes": "tec", + "rsa.misc.comp_sbytes": "emullamc", + "rsa.misc.group": "tutlabo", + "rsa.misc.log_session_id": "rationev", + "rsa.misc.msgIdPart1": "SSLVPN", + "rsa.misc.msgIdPart2": "NONHTTP_RESOURCEACCESS_DENIED", + "service.type": "citrix", + "source.ip": [ + "10.243.226.122" + ], + "source.nat.ip": "10.180.83.140", + "source.port": 3512, + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "ehender" + }, + { + "event.code": "EVENT_DEVICEUP", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "10/4/2017:21:00:32 iame : EVENT DEVICEUP laudanti:umiurer \"rere\"", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Notice", + "log.offset": 7539, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.event_desc": "Device UP", + "rsa.internal.messageid": "EVENT_DEVICEUP", + "rsa.investigations.ec_activity": "Start", + "rsa.investigations.ec_subject": "Service", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "DEVICEUP", + "rsa.misc.obj_name": "rere", + "rsa.misc.obj_type": "umiurer", + "rsa.misc.severity": "Notice", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "APPFW_APPFW_COOKIE", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "10/19/2017:04:03:07 ori : APPFW APPFW_COOKIE uamqu:10.76.92.223 quiac sunt Cookiehttps://www5.example.org/emUte/iusmodi.htm?tura=osquirat#equat validation failed for aliquid <", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 7604, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.76.92.223" + ], + "rsa.internal.event_desc": "AppFw Cookie violation", + "rsa.internal.messageid": "APPFW_APPFW_COOKIE", + "rsa.misc.disposition": "usantiu", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_COOKIE", + "rsa.misc.rule_group": "sunt", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.76.92.223" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://www5.example.org/emUte/iusmodi.htm?tura=osquirat#equat" + }, + { + "event.action": "etur", + "event.code": "AAATM_Message", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "11/2/2017:11:05:41 sun : AAATM Message urau:\"etur: rsitvol \"", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 7789, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "rsitvol", + "rsa.internal.messageid": "AAATM_Message", + "rsa.misc.event_type": "etur", + "rsa.misc.msgIdPart1": "AAATM", + "rsa.misc.msgIdPart2": "Message", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "SSLVPN_CLISEC_CHECK", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "11/16/2017:18:08:15 eque : SSLVPN CLISEC_CHECK eufug:User est - Client IP 10.101.172.233 - Vserver 10.211.163.7:940 - Client_security_expression \"CLIENT.REG('iatnu').VALUE == writte || sitvo - failure", + "fileset.name": "netscaler", + "host.ip": "10.101.172.233", + "input.type": "log", + "log.offset": 7850, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.211.163.7", + "10.101.172.233" + ], + "related.user": [ + "est" + ], + "rsa.db.index": "iatnu", + "rsa.internal.event_desc": "SNMP TRAP SENT", + "rsa.internal.messageid": "SSLVPN_CLISEC_CHECK", + "rsa.misc.change_new": "sitvo", + "rsa.misc.msgIdPart1": "SSLVPN", + "rsa.misc.msgIdPart2": "CLISEC_CHECK", + "rsa.misc.result": "failure", + "rsa.misc.trigger_val": "writte", + "service.type": "citrix", + "source.ip": [ + "10.211.163.7" + ], + "source.port": 940, + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "est" + }, + { + "event.code": "DR_HA_Message", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "12/1/2017:01:10:49 llumq : DR HA_Message :\"HASTATE tenim\"", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 8051, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "tenim", + "rsa.internal.event_desc": "Routing details", + "rsa.internal.messageid": "DR_HA_Message", + "rsa.misc.msgIdPart1": "DR", + "rsa.misc.msgIdPart2": "HA_Message", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "APPFW_Message", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "12/15/2017:08:13:24 itseddo : APPFW Message bore:\"Setting same CustomSettings( ) to profile. ptate\"", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 8109, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.event_desc": "Setting same CustomSettings( ) to profile.", + "rsa.internal.messageid": "APPFW_Message", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "Message", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "destination.domain": "Finibus", + "destination.nat.ip": "10.61.175.217", + "destination.nat.port": 2631, + "event.code": "SSLVPN_ICASTART", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "12/29/2017:15:15:58 mvenia : SSLVPN ICASTART :Source 10.29.207.55:7061 - Destination 10.61.175.217:2631 - username:domainname scip:Finibus - applicationName Utenimad - startTime 12/29/2017:15:15:58 - connectionId olupta", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 8209, + "network.application": "Utenimad", + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.29.207.55", + "10.61.175.217" + ], + "related.user": [ + "scip" + ], + "rsa.internal.messageid": "SSLVPN_ICASTART", + "rsa.misc.msgIdPart1": "SSLVPN", + "rsa.misc.msgIdPart2": "ICASTART", + "rsa.time.starttime": "2017-12-29T17:15:58.000Z", + "service.type": "citrix", + "source.ip": [ + "10.29.207.55" + ], + "source.port": 7061, + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "scip" + }, + { + "event.code": "SSLVPN_AAAEXTRACTED_GROUPS", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "1/12/2018:22:18:32 fficia : SSLVPN AAAEXTRACTED_GROUPS est:Extracted_groups \"ali\"", + "fileset.name": "netscaler", + "group.name": "ali", + "input.type": "log", + "log.level": "Informational", + "log.offset": 8429, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.event_desc": "The groups extracted after user logs into SSLVPN", + "rsa.internal.messageid": "SSLVPN_AAAEXTRACTED_GROUPS", + "rsa.misc.group": "ali", + "rsa.misc.msgIdPart1": "SSLVPN", + "rsa.misc.msgIdPart2": "AAAEXTRACTED_GROUPS", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "APPFW_APPFW_BUFFEROVERFLOW_URL", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "1/27/2018:05:21:06 ceroi : APPFW APPFW_BUFFEROVERFLOW_URL :10.55.203.193 idunt edqu cte: https://internal.example.org/CSe/exerci.htm?eserun=pta#emu <", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 8511, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.55.203.193" + ], + "rsa.db.index": "cte", + "rsa.internal.event_desc": "AppFw Buffer Overflow violation in URL", + "rsa.internal.messageid": "APPFW_APPFW_BUFFEROVERFLOW_URL", + "rsa.misc.disposition": "orem", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_BUFFEROVERFLOW_URL", + "rsa.misc.rule_group": "edqu", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.55.203.193" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://internal.example.org/CSe/exerci.htm?eserun=pta#emu" + }, + { + "event.code": "EVENT_STATECHANGE", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "2/10/2018:12:23:41 orp : EVENT STATECHANGE :ender (dico) - uptatem upt", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 8667, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "upt", + "rsa.internal.event_desc": "Heartbeat State report", + "rsa.internal.messageid": "EVENT_STATECHANGE", + "rsa.misc.event_state": "uptatem", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "STATECHANGE", + "rsa.misc.obj_name": "dico", + "rsa.misc.obj_type": "ender", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "EVENT_STARTSYS", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "2/24/2018:19:26:15 idolo : EVENT STARTSYS reet:System started - lorem", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 8738, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "lorem", + "rsa.internal.event_desc": "Netscaler Started", + "rsa.internal.messageid": "EVENT_STARTSYS", + "rsa.investigations.ec_activity": "Start", + "rsa.investigations.ec_subject": "Service", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "STARTSYS", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "APPFW_APPFW_SAFECOMMERCE_XFORM", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "3/11/2018:02:28:49 tmo : APPFW APPFW_SAFECOMMERCE_XFORM onofdeF:10.189.13.237 its https://www5.example.org/aliqui/datatnon.gif?nse=miurere#evit (uatu) potential credit card numbers seen in server response", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 8808, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.189.13.237" + ], + "rsa.db.index": "uatu", + "rsa.internal.event_desc": "AppFw SafeCommerce Transformed for credit cards seen in server repsonse", + "rsa.internal.messageid": "APPFW_APPFW_SAFECOMMERCE_XFORM", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_SAFECOMMERCE_XFORM", + "rsa.misc.rule_group": "its", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.189.13.237" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://www5.example.org/aliqui/datatnon.gif?nse=miurere#evit" + }, + { + "event.code": "EVENT_DEVICEUP", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "3/25/2018:09:31:24 uamestqu : EVENT DEVICEUP mpor:orem \"eniamqui\" - State ven", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Notice", + "log.offset": 9013, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.event_desc": "Device UP", + "rsa.internal.messageid": "EVENT_DEVICEUP", + "rsa.investigations.ec_activity": "Start", + "rsa.investigations.ec_subject": "Service", + "rsa.misc.event_state": "ven", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "DEVICEUP", + "rsa.misc.obj_name": "eniamqui", + "rsa.misc.obj_type": "orem", + "rsa.misc.severity": "Notice", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "EVENT_CONFIGEND", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "4/8/2018:16:33:58 tdolorem : EVENT CONFIGEND :CONFIG qui", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 9091, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "qui", + "rsa.internal.event_desc": "Configuration read completed from ns.conf file during boot-up", + "rsa.internal.messageid": "EVENT_CONFIGEND", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_subject": "Configuration", + "rsa.investigations.ec_theme": "Configuration", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "CONFIGEND", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "EVENT_STARTSYS", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "4/22/2018:23:36:32 deritinv : EVENT STARTSYS evelite:System started - cupidata", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 9148, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "cupidata", + "rsa.internal.event_desc": "Netscaler Started", + "rsa.internal.messageid": "EVENT_STARTSYS", + "rsa.investigations.ec_activity": "Start", + "rsa.investigations.ec_subject": "Service", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "STARTSYS", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "ICA_SESSION_TERMINATE", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "5/7/2018:06:39:06 emeu : ICA SESSION_TERMINATE :session_guid tatemac - device_serial_number quisn - client_cookie rem - flags ulamcola - session_end_time 5/7/2018:06:39:06", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 9227, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.messageid": "ICA_SESSION_TERMINATE", + "rsa.misc.msgIdPart1": "ICA", + "rsa.misc.msgIdPart2": "SESSION_TERMINATE", + "rsa.time.endtime": "2018-05-07T08:39:06.000Z", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "APPFW_APPFW_CSRF_TAG", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "5/21/2018:13:41:41 uisaut : APPFW APPFW_CSRF_TAG :10.23.202.99 tuser CSRF Tag validation failed: <", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 9399, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.23.202.99" + ], + "rsa.internal.event_desc": "AppFw CSRF Tag Validation Failed", + "rsa.internal.messageid": "APPFW_APPFW_CSRF_TAG", + "rsa.misc.disposition": "ctasu", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_CSRF_TAG", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.23.202.99" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "EVENT_ROUTEUP", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "6/4/2018:20:44:15 sitame : EVENT ROUTEUP :oinven natu - State edqu", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Debug", + "log.offset": 9505, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.event_desc": "Route is UP", + "rsa.internal.messageid": "EVENT_ROUTEUP", + "rsa.investigations.ec_activity": "Start", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.misc.event_state": "edqu", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "ROUTEUP", + "rsa.misc.obj_name": "natu", + "rsa.misc.obj_type": "oinven", + "rsa.misc.severity": "Debug", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "APPFW_FIELDCONSISTENCY", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "APPFW_FIELDCONSISTENCY |1.1396|ntutlab|rumSecti|medium|src=10.72.114.116 spt=2840 method=tesse request=https://internal.example.org/isno/oluptas.html?aeco=rinrepr#dutp msg=orem cn1=giatqu cn2=rsint cs1=rsi cs2=paq cs3=uianon cs4=high cs5=uisautem act=allow", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "high", + "log.offset": 9572, + "observer.product": "APPFW_FIELDCONSISTENCY", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "observer.version": "1.1396", + "related.ip": [ + "10.72.114.116" + ], + "rsa.db.index": "orem", + "rsa.internal.messageid": "APPFW_FIELDCONSISTENCY", + "rsa.misc.action": [ + "allow", + "tesse" + ], + "rsa.misc.policy_name": "rsi", + "rsa.misc.rule": "ntutlab", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.1396", + "service.type": "citrix", + "source.ip": [ + "10.72.114.116" + ], + "source.port": 2840, + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://internal.example.org/isno/oluptas.html?aeco=rinrepr#dutp" + }, + { + "event.action": "allow", + "event.code": "ROUTING_ZEBOS_CMD_EXECUTED", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "7/3/2018:10:49:23 reprehen : ROUTING ZEBOS_CMD_EXECUTED tvol:ptat Command \"allow\" tdolo", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 9829, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "tdolo", + "rsa.internal.event_desc": "User has executed a command in ZebOS(vtysh)", + "rsa.internal.messageid": "ROUTING_ZEBOS_CMD_EXECUTED", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.msgIdPart1": "ROUTING", + "rsa.misc.msgIdPart2": "ZEBOS_CMD_EXECUTED", + "rsa.misc.obj_type": "ptat", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "EVENT_STARTCPU", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "7/17/2018:17:51:58 porissus : EVENT STARTCPU :CPU_started imip", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 9917, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "imip", + "rsa.internal.event_desc": "CPU Started", + "rsa.internal.messageid": "EVENT_STARTCPU", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "STARTCPU", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "ICA_Message", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "8/1/2018:00:54:32 eumfu : ICA Message :docons", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 9980, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "docons", + "rsa.internal.messageid": "ICA_Message", + "rsa.misc.msgIdPart1": "ICA", + "rsa.misc.msgIdPart2": "Message", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "SSLLOG_SSL_HANDSHAKE_SUBJECTNAME", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "08/15/2018:07:57:06 turvelil : SSLLOG SSL_HANDSHAKE_SUBJECTNAME urExc:SPCBId doconse - SubjectName \"audant\"", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Debug", + "log.offset": 10026, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.crypto.cert_subject": "audant", + "rsa.internal.messageid": "SSLLOG_SSL_HANDSHAKE_SUBJECTNAME", + "rsa.misc.log_session_id": "doconse", + "rsa.misc.msgIdPart1": "SSLLOG", + "rsa.misc.msgIdPart2": "SSL_HANDSHAKE_SUBJECTNAME", + "rsa.misc.severity": "Debug", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "SNMP_TRAP_SENT", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "8/29/2018:14:59:40 teturad : SNMP TRAP_SENT :ese (entityName = \"eddoei\", sysIpAddress = 10.161.68.13)", + "fileset.name": "netscaler", + "host.ip": "10.161.68.13", + "input.type": "log", + "log.offset": 10134, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.161.68.13" + ], + "rsa.internal.event_desc": "SNMP TRAP SENT", + "rsa.internal.messageid": "SNMP_TRAP_SENT", + "rsa.misc.msgIdPart1": "SNMP", + "rsa.misc.msgIdPart2": "TRAP_SENT", + "rsa.misc.obj_name": "eddoei", + "rsa.misc.obj_type": "ese", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "AAA_LOGIN_FAILED", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "9/12/2018:22:02:15 tdolo : AAA LOGIN_FAILED :User ident - Client_ip 10.213.165.165 - Failure_reason \"success\"", + "event.outcome": "failure", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Alert", + "log.offset": 10236, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.213.165.165" + ], + "related.user": [ + "ident" + ], + "rsa.internal.event_desc": "The aaa module failed to login the user", + "rsa.internal.messageid": "AAA_LOGIN_FAILED", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.msgIdPart1": "AAA", + "rsa.misc.msgIdPart2": "LOGIN_FAILED", + "rsa.misc.result": "success", + "rsa.misc.severity": "Alert", + "service.type": "citrix", + "source.ip": [ + "10.213.165.165" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "ident" + }, + { + "destination.ip": [ + "10.41.65.89" + ], + "event.code": "SSLVPN_REMOVE_SESSION_ERR", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "9/27/2018:05:04:49 tetura : SSLVPN REMOVE_SESSION_ERR autemv:Sessionid sciveli - User picia - Client_ip 10.225.146.5 - Nat_ip 10.80.5.101 - Vserver_ip 10.41.65.89 - Errmsg \" lapari \"", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 10346, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.225.146.5", + "10.41.65.89", + "10.80.5.101" + ], + "related.user": [ + "picia" + ], + "rsa.internal.event_desc": "lapari", + "rsa.internal.messageid": "SSLVPN_REMOVE_SESSION_ERR", + "rsa.misc.log_session_id": "sciveli", + "rsa.misc.msgIdPart1": "SSLVPN", + "rsa.misc.msgIdPart2": "REMOVE_SESSION_ERR", + "service.type": "citrix", + "source.ip": [ + "10.225.146.5" + ], + "source.nat.ip": "10.80.5.101", + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "picia" + }, + { + "event.code": "APPFW_APPFW_REFERER_HEADER", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "10/11/2018:12:07:23 tMal : APPFW APPFW_REFERER_HEADER porin:10.241.143.145 quid aUten Duis https://www.example.org/quid/accus.html?edutpers=ctobeat#upta Referer header check failed: referer header URL 'https://mail.example.com/dictasun/psa.txt?secte=ctobeat#onsec' not in Start URL or closure list <", + "fileset.name": "netscaler", + "http.request.referrer": "https://mail.example.com/dictasun/psa.txt?secte=ctobeat#onsec", + "input.type": "log", + "log.level": "Informational", + "log.offset": 10529, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.241.143.145" + ], + "rsa.internal.event_desc": "referer header URL not in Start URL or closure list", + "rsa.internal.messageid": "APPFW_APPFW_REFERER_HEADER", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.misc.disposition": "idestl", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_REFERER_HEADER", + "rsa.misc.rule_group": "Duis", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.241.143.145" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://www.example.org/quid/accus.html?edutpers=ctobeat#upta" + }, + { + "event.code": "ROUTING_Message", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "10/25/2018:19:09:57 ree : ROUTING Message :\"itten started\"", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 10837, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.messageid": "ROUTING_Message", + "rsa.misc.msgIdPart1": "ROUTING", + "rsa.misc.msgIdPart2": "Message", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "APPFW_APPFW_SAFECOMMERCE_XFORM", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "11/9/2018:02:12:32 temaccu : APPFW APPFW_SAFECOMMERCE_XFORM uamqua:10.106.34.244 eumiu https://example.com/pteurs/ercitati.html?ptat=mipsu#velillu (ecatcupi) potential credit card numbers seen in server response", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 10896, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.106.34.244" + ], + "rsa.db.index": "ecatcupi", + "rsa.internal.event_desc": "AppFw SafeCommerce Transformed for credit cards seen in server repsonse", + "rsa.internal.messageid": "APPFW_APPFW_SAFECOMMERCE_XFORM", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_SAFECOMMERCE_XFORM", + "rsa.misc.rule_group": "eumiu", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.106.34.244" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://example.com/pteurs/ercitati.html?ptat=mipsu#velillu" + }, + { + "destination.ip": [ + "10.33.231.173" + ], + "event.code": "SSLVPN_REMOVE_SESSION_INFO", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "11/23/2018:09:15:06 iquipex : SSLVPN REMOVE_SESSION_INFO mqu:Sessionid onorume - User abill - Client_ip 10.22.34.206 - Nat_ip \"10.183.26.222\" - Vserver_ip 10.33.231.173 - Errmsg \" uasiarch \"", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 11108, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.33.231.173", + "10.183.26.222", + "10.22.34.206" + ], + "related.user": [ + "abill" + ], + "rsa.internal.event_desc": "uasiarch", + "rsa.internal.messageid": "SSLVPN_REMOVE_SESSION_INFO", + "rsa.misc.log_session_id": "onorume", + "rsa.misc.msgIdPart1": "SSLVPN", + "rsa.misc.msgIdPart2": "REMOVE_SESSION_INFO", + "service.type": "citrix", + "source.ip": [ + "10.22.34.206" + ], + "source.nat.ip": "10.183.26.222", + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "abill" + }, + { + "event.code": "EVENT_DEVICEDOWN", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "12/7/2018:16:17:40 stenat : EVENT DEVICEDOWN :uianonnu \"tatiset\" - State quira", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Notice", + "log.offset": 11299, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.event_desc": "Device Down", + "rsa.internal.messageid": "EVENT_DEVICEDOWN", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_subject": "Service", + "rsa.misc.event_state": "quira", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "DEVICEDOWN", + "rsa.misc.obj_name": "tatiset", + "rsa.misc.obj_type": "uianonnu", + "rsa.misc.severity": "Notice", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "EVENT_MONITORUP", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "12/21/2018:23:20:14 samvol : EVENT MONITORUP :equa apari - State tsunt", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 11378, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.event_desc": "The monitor bound to the service is up", + "rsa.internal.messageid": "EVENT_MONITORUP", + "rsa.misc.event_state": "tsunt", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "MONITORUP", + "rsa.misc.obj_name": "apari", + "rsa.misc.obj_type": "equa", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "SNMP_TRAP_SENT", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "1/5/2019:06:22:49 llo : SNMP TRAP_SENT :uames ( alarmRateLmtThresholdExceeded = \"tla: \"iaconseq...\", ipAddressGathered = \"sed\", stringComputed = \"sedd\", sysIpAddress = 10.53.113.79)", + "fileset.name": "netscaler", + "host.ip": "10.53.113.79", + "input.type": "log", + "log.level": "Notice", + "log.offset": 11449, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.53.113.79" + ], + "rsa.db.index": "iaconseq", + "rsa.internal.event_desc": "SNMP TRAP SENT", + "rsa.internal.messageid": "SNMP_TRAP_SENT", + "rsa.misc.msgIdPart1": "SNMP", + "rsa.misc.msgIdPart2": "TRAP_SENT", + "rsa.misc.obj_name": "tla", + "rsa.misc.obj_type": "uames", + "rsa.misc.severity": "Notice", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "EVENT_ROUTEDOWN", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "1/19/2019:13:25:23 luptatev : EVENT ROUTEDOWN :occaeca dan - State pta", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 11631, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.event_desc": "Route is Down", + "rsa.internal.messageid": "EVENT_ROUTEDOWN", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.misc.event_state": "pta", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "ROUTEDOWN", + "rsa.misc.obj_name": "dan", + "rsa.misc.obj_type": "occaeca", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "SSLLOG_SSL_HANDSHAKE_ISSUERNAME", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "02/02/2019:20:27:57 equamni : SSLLOG SSL_HANDSHAKE_ISSUERNAME atcupi:SPCBId enima - IssuerName \"uptateve\"", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Debug", + "log.offset": 11702, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.messageid": "SSLLOG_SSL_HANDSHAKE_ISSUERNAME", + "rsa.misc.log_session_id": "enima", + "rsa.misc.msgIdPart1": "SSLLOG", + "rsa.misc.msgIdPart2": "SSL_HANDSHAKE_ISSUERNAME", + "rsa.misc.severity": "Debug", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "ICA_APPLICATION_TERMINATE", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "2/17/2019:03:30:32 uiac : ICA APPLICATION_TERMINATE :session_guid tquii - device_serial_number tesse - client_cookie iamea - flags loremi - app_termination_type queporro - app_process_id tur - app_termination_time 2/17/2019:03:30:32", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 11808, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.messageid": "ICA_APPLICATION_TERMINATE", + "rsa.misc.msgIdPart1": "ICA", + "rsa.misc.msgIdPart2": "APPLICATION_TERMINATE", + "rsa.time.endtime": "2019-02-17T05:30:32.000Z", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "APPFW_APPFW_SAFECOMMERCE", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "3/3/2019:10:33:06 tamrema : APPFW APPFW_SAFECOMMERCE isautem:10.219.65.172 conse Maximum no. https://internal.example.net/edqui/tvolu.txt?ore=lors#saute of potential credit card numbers seen <", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 12041, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.219.65.172" + ], + "rsa.db.index": "ecillumd", + "rsa.internal.event_desc": "AppFw SafeCommerce credit cards seen", + "rsa.internal.messageid": "APPFW_APPFW_SAFECOMMERCE", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_SAFECOMMERCE", + "rsa.misc.rule_group": "conse", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.219.65.172" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://internal.example.net/edqui/tvolu.txt?ore=lors#saute" + }, + { + "destination.ip": [ + "10.86.207.236" + ], + "destination.port": 207, + "event.code": "AAATM_HTTPREQUEST", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "3/17/2019:17:35:40 dtempo : AAATM HTTPREQUEST lumqu:Context moen - SessionId: oinvento- mporin User orissusc : Group(s) utaliqui : Vserver 10.86.207.236:207 - 3/17/2019:17:35:40 CT litsed https://www.example.com/tiaec/lorem.jpg?totamr=seddo#aper entor", + "event.timezone": "CT", + "fileset.name": "netscaler", + "group.name": "utaliqui", + "input.type": "log", + "log.offset": 12244, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.86.207.236" + ], + "related.user": [ + "orissusc" + ], + "rsa.internal.event_desc": "AAATM HTTP Request", + "rsa.internal.messageid": "AAATM_HTTPREQUEST", + "rsa.misc.action": [ + "litsed" + ], + "rsa.misc.event_computer": "mporin", + "rsa.misc.group": "utaliqui", + "rsa.misc.log_session_id": "oinvento", + "rsa.misc.msgIdPart1": "AAATM", + "rsa.misc.msgIdPart2": "HTTPREQUEST", + "rsa.time.effective_time": "2019-03-17T19:35:40.000Z", + "rsa.time.timezone": "CT", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://www.example.com/tiaec/lorem.jpg?totamr=seddo#aper", + "user.name": "orissusc" + }, + { + "destination.ip": [ + "10.187.86.64" + ], + "destination.port": 3325, + "event.code": "ICA_SESSION_UPDATE", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "4/1/2019:00:38:14 ihil : ICA SESSION_UPDATE oremip:session_guid fdeFi - device_serial_number periam - client_cookie ccusa - flags billo - nsica_session_status doloremi - nsica_session_client_ip 10.197.128.162 - nsica_session_client_port 2052 - nsica_session_server_ip 10.187.86.64 - nsica_session_server_port 3325 - nsica_session_reconnect_count atatn - nsica_session_acr_count ipisc - connection_priority iatnulap - timestamp roi", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 12496, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.197.128.162", + "10.187.86.64" + ], + "rsa.internal.messageid": "ICA_SESSION_UPDATE", + "rsa.misc.msgIdPart1": "ICA", + "rsa.misc.msgIdPart2": "SESSION_UPDATE", + "service.type": "citrix", + "source.ip": [ + "10.197.128.162" + ], + "source.port": 2052, + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "APPFW_APPFW_SIGNATURE_MATCH", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "4/15/2019:07:40:49 loreeu : APPFW APPFW_SIGNATURE_MATCH eprehe:10.163.217.101 empor - uptatemU - rem https://www5.example.com/iscivel/rinci.txt?atcupi=eriti#uptateve namaliqu rule ID riame: datatn <", + "file.name": "rinci.txt", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 12927, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.163.217.101" + ], + "rsa.db.index": "datatn", + "rsa.internal.event_desc": "namaliqu", + "rsa.internal.messageid": "APPFW_APPFW_SIGNATURE_MATCH", + "rsa.misc.disposition": "seq", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_SIGNATURE_MATCH", + "rsa.misc.rule_group": "rem", + "rsa.misc.rule_uid": "riame", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.163.217.101" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.original": "https://www5.example.com/iscivel/rinci.txt?atcupi=eriti#uptateve", + "url.path": "https://www5.example.com" + }, + { + "destination.ip": [ + "10.204.20.8" + ], + "destination.port": 2652, + "event.code": "ICA_SESSION_UPDATE", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "4/29/2019:14:43:23 isu : ICA SESSION_UPDATE :session_guid moll - device_serial_number roinBCS - client_cookie odit - flags vol - nsica_session_status epteurs - nsica_session_client_ip 10.43.239.97 - nsica_session_client_port 6985 - nsica_session_server_ip 10.204.20.8 - nsica_session_server_port 2652 - nsica_session_reconnect_count ntoccae - nsica_session_acr_count iscive - connection_priority amni - timestamp etconse", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 13131, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.43.239.97", + "10.204.20.8" + ], + "rsa.internal.messageid": "ICA_SESSION_UPDATE", + "rsa.misc.msgIdPart1": "ICA", + "rsa.misc.msgIdPart2": "SESSION_UPDATE", + "service.type": "citrix", + "source.ip": [ + "10.43.239.97" + ], + "source.port": 6985, + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.133.153.174" + ], + "destination.nat.ip": "10.76.129.136", + "destination.nat.port": 5259, + "destination.port": 7022, + "event.code": "SSLVPN_NONHTTP_RESOURCEACCESS_DENIED", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "5/13/2019:21:45:57 amquisn : SSLVPN NONHTTP_RESOURCEACCESS_DENIED Finibus:Context nsequat - SessionId: mvol- User asiar - Client_ip 10.8.82.22 - Nat_ip \"10.148.244.55\" - Vserver 10.133.153.174:7022 - Source 10.113.135.78:1646 - Destination 10.76.129.136:5259 - Total_bytes_send epteur - Total_bytes_recv onproi - Denied_by_policy \"usmodit\" - Group(s) \"orese\"", + "event.outcome": "failure", + "fileset.name": "netscaler", + "group.name": "orese", + "host.ip": "10.8.82.22", + "input.type": "log", + "log.offset": 13552, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.148.244.55", + "10.133.153.174", + "10.8.82.22", + "10.113.135.78", + "10.76.129.136" + ], + "related.user": [ + "asiar" + ], + "rsa.internal.messageid": "SSLVPN_NONHTTP_RESOURCEACCESS_DENIED", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_outcome": "Failure", + "rsa.misc.comp_rbytes": "onproi", + "rsa.misc.comp_sbytes": "epteur", + "rsa.misc.group": "orese", + "rsa.misc.log_session_id": "mvol", + "rsa.misc.msgIdPart1": "SSLVPN", + "rsa.misc.msgIdPart2": "NONHTTP_RESOURCEACCESS_DENIED", + "service.type": "citrix", + "source.ip": [ + "10.113.135.78" + ], + "source.nat.ip": "10.148.244.55", + "source.port": 1646, + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "asiar" + }, + { + "event.code": "EVENT_DEVICEOFS", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "5/28/2019:04:48:31 atemacc : EVENT DEVICEOFS labore:iqua \"ciunt\" - State exea", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Notice", + "log.offset": 13911, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.event_desc": "Device Out Of Service", + "rsa.internal.messageid": "EVENT_DEVICEOFS", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_subject": "Service", + "rsa.misc.event_state": "exea", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "DEVICEOFS", + "rsa.misc.obj_name": "ciunt", + "rsa.misc.obj_type": "iqua", + "rsa.misc.severity": "Notice", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "APPFW_REFERER_HEADER", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "APPFW_REFERER_HEADER |1.1103|citation|emquel|very-high|src=10.20.230.37 spt=5308 method=remip request=https://mail.example.com/aturExc/antiumto.htm?obe=niamqu#ull msg=aturE cn1=aaliqu cn2=tev cs1=oNemoeni cs2=luptatem cs3=pers cs4=low cs5=luptatem act=cancel", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "low", + "log.offset": 13989, + "observer.product": "APPFW_REFERER_HEADER", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "observer.version": "1.1103", + "related.ip": [ + "10.20.230.37" + ], + "rsa.db.index": "aturE", + "rsa.internal.messageid": "APPFW_REFERER_HEADER", + "rsa.misc.action": [ + "remip", + "cancel" + ], + "rsa.misc.policy_name": "oNemoeni", + "rsa.misc.rule": "citation", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.1103", + "service.type": "citrix", + "source.ip": [ + "10.20.230.37" + ], + "source.port": 5308, + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://mail.example.com/aturExc/antiumto.htm?obe=niamqu#ull" + }, + { + "event.action": "block", + "event.code": "AF_MALFORMED_REQ_ERR", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "AF_MALFORMED_REQ_ERR |1.3141|etd|omnisi|high|src=10.186.166.215 spt=553 method=ati request=https://mail.example.org/tsuntinc/nis.gif?iin=uteiru#xer msg=iat cn1=orain cn2=equaturQ cs1=llu cs2=quaUt cs4=low cs5=nim act=block", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "low", + "log.offset": 14248, + "observer.product": "AF_MALFORMED_REQ_ERR", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "observer.version": "1.3141", + "related.ip": [ + "10.186.166.215" + ], + "rsa.db.index": "iat", + "rsa.internal.messageid": "AF_MALFORMED_REQ_ERR", + "rsa.misc.action": [ + "block", + "ati" + ], + "rsa.misc.policy_name": "llu", + "rsa.misc.rule": "etd", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3141", + "service.type": "citrix", + "source.ip": [ + "10.186.166.215" + ], + "source.port": 553, + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://mail.example.org/tsuntinc/nis.gif?iin=uteiru#xer" + }, + { + "destination.ip": [ + "10.213.112.186" + ], + "event.code": "SSLVPN_REMOVE_SESSION_INFO", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "7/10/2019:01:56:14 olorin : SSLVPN REMOVE_SESSION_INFO :Sessionid orisnisi - User emquiav - Client_ip 10.215.229.78 - Nat_ip 10.67.233.159 - Vserver_ip 10.213.112.186 - Errmsg \" ectetur \"", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 14471, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.215.229.78", + "10.67.233.159", + "10.213.112.186" + ], + "related.user": [ + "emquiav" + ], + "rsa.internal.event_desc": "ectetur", + "rsa.internal.messageid": "SSLVPN_REMOVE_SESSION_INFO", + "rsa.misc.log_session_id": "orisnisi", + "rsa.misc.msgIdPart1": "SSLVPN", + "rsa.misc.msgIdPart2": "REMOVE_SESSION_INFO", + "service.type": "citrix", + "source.ip": [ + "10.215.229.78" + ], + "source.nat.ip": "10.67.233.159", + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "user.name": "emquiav" + }, + { + "event.code": "EVENT_MONITORUP", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "7/24/2019:08:58:48 sitasper : EVENT MONITORUP ncidunt:uiac squ - State litess", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 14659, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.event_desc": "The monitor bound to the service is up", + "rsa.internal.messageid": "EVENT_MONITORUP", + "rsa.misc.event_state": "litess", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "MONITORUP", + "rsa.misc.obj_name": "squ", + "rsa.misc.obj_type": "uiac", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "EVENT_ALERTENDED", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "8/7/2019:16:01:23 scingeli : EVENT ALERTENDED :emq.exe ended for 2514", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 14737, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "process.name": "emq.exe", + "rsa.counters.dclass_c1": 2514, + "rsa.internal.event_desc": "Alert process ended", + "rsa.internal.messageid": "EVENT_ALERTENDED", + "rsa.misc.msgIdPart1": "EVENT", + "rsa.misc.msgIdPart2": "ALERTENDED", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "ICA_APPLICATION_LAUNCH", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "8/21/2019:23:03:57 bor : ICA APPLICATION_LAUNCH magnido:session_guid lupta - device_serial_number utla - client_cookie nse - flags Dui - launch_mechanism gitsed - app_launch_time 8/21/2019:23:03:57 - app_process_id estla - app_name ione - module_path ecillum", + "file.name": "ecillum", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 14807, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.internal.messageid": "ICA_APPLICATION_LAUNCH", + "rsa.misc.msgIdPart1": "ICA", + "rsa.misc.msgIdPart2": "APPLICATION_LAUNCH", + "rsa.time.starttime": "2019-08-22T01:03:57.000Z", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.73.45.19" + ], + "destination.port": 3791, + "event.code": "ICA_SESSION_UPDATE", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "9/5/2019:06:06:31 oreseos : ICA SESSION_UPDATE :session_guid agna - device_serial_number dmini - client_cookie tquid - flags giatquo - nsica_session_status iatisun - nsica_session_client_ip 10.96.104.212 - nsica_session_client_port 2372 - nsica_session_server_ip 10.73.45.19 - nsica_session_server_port 3791 - nsica_session_reconnect_count oeiusm - nsica_session_acr_count aUtenim - connection_priority ntincul - timestamp nnumquam", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 15066, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.73.45.19", + "10.96.104.212" + ], + "rsa.internal.messageid": "ICA_SESSION_UPDATE", + "rsa.misc.msgIdPart1": "ICA", + "rsa.misc.msgIdPart2": "SESSION_UPDATE", + "service.type": "citrix", + "source.ip": [ + "10.96.104.212" + ], + "source.port": 2372, + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "APPFW_APPFW_SQL", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "9/19/2019:13:09:05 inculpa : APPFW APPFW_SQL nvo:10.238.144.31 stiae icta https://mail.example.com/nvent/uepor.jpg?odiconse=nevolupt#tDui untutl <", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 15498, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.238.144.31" + ], + "rsa.db.index": "untutl", + "rsa.internal.event_desc": "AppFw SQL Injection violation", + "rsa.internal.messageid": "APPFW_APPFW_SQL", + "rsa.misc.disposition": "ugiatnul", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_SQL", + "rsa.misc.rule_group": "icta", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.238.144.31" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://mail.example.com/nvent/uepor.jpg?odiconse=nevolupt#tDui" + }, + { + "event.action": "acomm", + "event.code": "NSNETSVC_Message", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "10/3/2019:20:11:40 doei : NSNETSVC Message :\"acomm: veleumi \"", + "fileset.name": "netscaler", + "input.type": "log", + "log.offset": 15655, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "veleumi", + "rsa.internal.messageid": "NSNETSVC_Message", + "rsa.misc.event_type": "acomm", + "rsa.misc.msgIdPart1": "NSNETSVC", + "rsa.misc.msgIdPart2": "Message", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "destination.bytes": 7865, + "destination.ip": [ + "10.29.202.248" + ], + "destination.nat.ip": "10.247.251.223", + "destination.nat.port": 6658, + "destination.port": 4069, + "event.code": "TCP_OTHERCONN_DELINK", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "10/18/2019:03:14:14 sumquiad : TCP OTHERCONN_DELINK stl:Source 10.161.218.47:6184 - Vserver 10.29.202.248:4069 - NatIP 10.206.5.50:1064 - Destination 10.247.251.223:6658 - Delink Time 10/18/2019:03:14:14 GMT Total_bytes_send 6764 - Total_bytes_recv 7865", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 15717, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.29.202.248", + "10.161.218.47", + "10.247.251.223", + "10.206.5.50" + ], + "rsa.internal.event_desc": "A Server side and a Client side TCP connection is delinked. This is not tracked by Netscaler", + "rsa.internal.messageid": "TCP_OTHERCONN_DELINK", + "rsa.investigations.ec_activity": "Start", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.misc.msgIdPart1": "TCP", + "rsa.misc.msgIdPart2": "OTHERCONN_DELINK", + "rsa.misc.severity": "Informational", + "rsa.time.endtime": "2019-10-18T05:14:14.000Z", + "service.type": "citrix", + "source.bytes": 6764, + "source.ip": [ + "10.161.218.47" + ], + "source.nat.ip": "10.206.5.50", + "source.nat.port": 1064, + "source.port": 6184, + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "DR_HA_Message", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "11/1/2019:10:16:48 tate : DR HA_Message :\"tutlabo: nto\"", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 15971, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "rsa.db.index": "nto", + "rsa.internal.event_desc": "Routing details", + "rsa.internal.messageid": "DR_HA_Message", + "rsa.misc.msgIdPart1": "DR", + "rsa.misc.msgIdPart2": "HA_Message", + "rsa.misc.severity": "Informational", + "rsa.network.network_service": "tutlabo", + "service.type": "citrix", + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "event.code": "APPFW_APPFW_BUFFEROVERFLOW_COOKIE", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "11/15/2019:17:19:22 tlabo : APPFW APPFW_BUFFEROVERFLOW_COOKIE :10.134.238.8 emu Malor amn: https://example.net/sintoc/rinci.txt?ali=Nequepor#aUten <", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Informational", + "log.offset": 16027, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.134.238.8" + ], + "rsa.db.index": "amn", + "rsa.internal.event_desc": "AppFw Buffer Overflow violation in Cookie", + "rsa.internal.messageid": "APPFW_APPFW_BUFFEROVERFLOW_COOKIE", + "rsa.misc.disposition": "edutpers", + "rsa.misc.msgIdPart1": "APPFW", + "rsa.misc.msgIdPart2": "APPFW_BUFFEROVERFLOW_COOKIE", + "rsa.misc.rule_group": "Malor", + "rsa.misc.severity": "Informational", + "service.type": "citrix", + "source.ip": [ + "10.134.238.8" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ], + "url.original": "https://example.net/sintoc/rinci.txt?ali=Nequepor#aUten" + }, + { + "destination.address": "ptateve165.mail.corp", + "event.code": "ICA_SESSION_SETUP", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "11/30/2019:00:21:57 adeseru : ICA SESSION_SETUP sitas:session_guid eni - device_serial_number cte - client_cookie ariatu - flags ess - session_setup_time ria - client_ip 10.111.22.134 - client_type datatno - client_launcher equepor - client_version 1.897 - client_hostname orisnis403.www.localhost - domain_name hend1170.www5.lan - server_name ptateve165.mail.corp - connection_priority ommodoco", + "fileset.name": "netscaler", + "host.hostname": "orisnis403.www.localhost", + "input.type": "log", + "log.offset": 16186, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "observer.version": "1.897", + "related.hosts": [ + "hend1170.www5.lan" + ], + "related.ip": [ + "10.111.22.134" + ], + "rsa.internal.messageid": "ICA_SESSION_SETUP", + "rsa.misc.msgIdPart1": "ICA", + "rsa.misc.msgIdPart2": "SESSION_SETUP", + "rsa.misc.version": "1.897", + "rsa.network.domain": "hend1170.www5.lan", + "rsa.network.host_dst": "ptateve165.mail.corp", + "server.domain": "hend1170.www5.lan", + "service.type": "citrix", + "source.address": "orisnis403.www.localhost", + "source.ip": [ + "10.111.22.134" + ], + "tags": [ + "citrix.netscaler", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.37.99.189" + ], + "destination.port": 3275, + "event.code": "SPCBId", + "event.dataset": "citrix.netscaler", + "event.module": "citrix", + "event.original": "SPCBId rita - ClientIP 10.148.72.78 - ClientPort 7584 - VserverServiceIP 10.37.99.189 - VserverServicePort 3275 - ClientVersion ugitsed - CipherSuite \"ritatis\" - success", + "event.outcome": "failure", + "fileset.name": "netscaler", + "input.type": "log", + "log.level": "Debug", + "log.offset": 16582, + "observer.product": "Netscaler", + "observer.type": "Firewall", + "observer.vendor": "Citrix", + "related.ip": [ + "10.148.72.78", + "10.37.99.189" + ], + "rsa.crypto.cipher_src": "ritatis", + "rsa.crypto.ssl_ver_src": "ugitsed", + "rsa.internal.messageid": "SPCBId", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.misc.log_session_id": "rita", + "rsa.misc.result": "success", + "rsa.misc.severity": "Debug", + "service.type": "citrix", + "source.ip": [ + "10.148.72.78" + ], + "source.port": 7584, + "tags": [ + "citrix.netscaler", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/citrix/virtualapps/config/pipeline.js b/x-pack/filebeat/module/citrix/virtualapps/config/pipeline.js deleted file mode 100644 index 0017c4c3c3d..00000000000 --- a/x-pack/filebeat/module/citrix/virtualapps/config/pipeline.js +++ /dev/null @@ -1,188 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -function DeviceProcessor() { - var builder = new processor.Chain(); - builder.Add(save_flags); - builder.Add(strip_syslog_priority); - builder.Add(chain1); - builder.Add(populate_fields); - builder.Add(restore_flags); - var chain = builder.Build(); - return { - process: chain.Run, - } -} - -var map_operationtype = { - keyvaluepairs: { - "0": constant("NONE"), - "1": constant("Created"), - "2": constant("Modified"), - "3": constant("Removed"), - }, - "default": constant("0"), -}; - -var map_AdminTaskType = { - keyvaluepairs: { - "0": constant("Application"), - "1": constant("Application Isolation Environment"), - "10": constant("Server Group"), - "11": constant("User"), - "12": constant("Policy"), - "13": constant("Monitoring Profile"), - "14": constant("Load Manager"), - "15": constant("Virtual IP Farm Range"), - "16": constant("Virtual IP Server Range"), - "17": constant("Print Driver"), - "18": constant("Database"), - "19": constant("Zone"), - "2": constant("AIE Application"), - "4": constant("Farm"), - "5": constant("File Type Association"), - "6": constant("Folder"), - "7": constant("Installation Manager Application"), - "8": constant("Printer"), - "9": constant("Server"), - }, - "default": constant("0"), -}; - -var dup1 = setc("eventcategory","1612000000"); - -var dup2 = date_time({ - dest: "event_time", - args: ["fld1","fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup3 = match("MESSAGE#3:Broker_SDK", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{saddr}^^%{event_description}^^%{application}", processor_chain([ - dup1, - dup2, -])); - -var hdr1 = match("HEADER#0:0001", "message", "%citrixxa: %{hdatetime}^^%{messageid}^^%{payload}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hdatetime"), - constant("^^"), - field("messageid"), - constant("^^"), - field("payload"), - ], - }), -])); - -var hdr2 = match("HEADER#1:0002", "message", "%citrixxa: %{hdatetime}^^%{msgIdPart1->} %{msgIdPart2}^^%{payload}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.messageid", - fn: STRCAT, - args: [ - field("msgIdPart1"), - constant("_"), - field("msgIdPart2"), - ], - }), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hdatetime"), - constant("^^"), - field("msgIdPart1"), - constant(" "), - field("msgIdPart2"), - constant("^^"), - field("payload"), - ], - }), -])); - -var select1 = linear_select([ - hdr1, - hdr2, -]); - -var part1 = match("MESSAGE#0:CONFIGINFO", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{administrator}^^%{shost}^^%{hostname}^^%{operation_id}^^%{obj_type}^^%{obj_name}", processor_chain([ - dup1, - dup2, - lookup({ - dest: "nwparser.operation_id", - map: map_operationtype, - key: field("operation_id"), - }), - lookup({ - dest: "nwparser.obj_type", - map: map_AdminTaskType, - key: field("obj_type"), - }), -])); - -var msg1 = msg("CONFIGINFO", part1); - -var part2 = match("MESSAGE#1:SESSIONINFO", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{username}^^%{hostname}^^%{saddr}^^%{application}^^%{fld4->} %{fld5}.%{fld6}", processor_chain([ - dup1, - date_time({ - dest: "starttime", - args: ["fld1","fld2"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }), - date_time({ - dest: "endtime", - args: ["fld4","fld5"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], - }), -])); - -var msg2 = msg("SESSIONINFO", part2); - -var part3 = match("MESSAGE#2:APPINFO", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{domain}^^%{group_object}^^%{hostname}^^%{application}", processor_chain([ - dup1, - dup2, -])); - -var msg3 = msg("APPINFO", part3); - -var msg4 = msg("Broker_SDK", dup3); - -var msg5 = msg("ConfigurationLogging", dup3); - -var msg6 = msg("Monitor", dup3); - -var msg7 = msg("Analytics", dup3); - -var msg8 = msg("Storefront", dup3); - -var msg9 = msg("Configuration", dup3); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "APPINFO": msg3, - "Analytics": msg7, - "Broker_SDK": msg4, - "CONFIGINFO": msg1, - "Configuration": msg9, - "ConfigurationLogging": msg5, - "Monitor": msg6, - "SESSIONINFO": msg2, - "Storefront": msg8, - }), -]); - -var part4 = match("MESSAGE#3:Broker_SDK", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3}^^%{event_type}^^%{saddr}^^%{event_description}^^%{application}", processor_chain([ - dup1, - dup2, -])); diff --git a/x-pack/filebeat/module/coredns/log/ingest/pipeline-entry.yml b/x-pack/filebeat/module/coredns/log/ingest/pipeline-entry.yml index f25d3417836..0a14b12f4c1 100644 --- a/x-pack/filebeat/module/coredns/log/ingest/pipeline-entry.yml +++ b/x-pack/filebeat/module/coredns/log/ingest/pipeline-entry.yml @@ -1,6 +1,9 @@ --- description: Pipeline for normalizing Kubernetes CoreDNS logs. processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - pipeline: if: ctx.message.charAt(0) == (char)("{") name: '{< IngestPipeline "pipeline-json" >}' diff --git a/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml b/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml index 2b32b5d270d..6d7daaf1469 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml @@ -8,7 +8,7 @@ - name: eventType type: keyword description: > - DetectionSummaryEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent + DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent - name: eventCreationTime type: date @@ -36,7 +36,7 @@ Event data fields for each event and alert. type: group default_field: false - fields: + fields: - name: ProcessStartTime type: date description: > @@ -102,11 +102,16 @@ description: > Executable path with command line arguments. + - name: SHA1String + type: keyword + description: > + SHA1 sum of the executable associated with the detection. + - name: SHA256String type: keyword description: > SHA256 sum of the executable associated with the detection. - + - name: MD5String type: keyword description: > @@ -227,6 +232,11 @@ description: > Fields that were changed in this event. + - name: ExecutablesWritten + type: nested + description: > + Detected executables written to disk by a process. + - name: SessionId type: keyword description: > @@ -246,3 +256,206 @@ type: date description: > End time for the remote session in UTC UNIX format. + + - name: LateralMovement + type: long + description: > + Lateral movement field for incident. + + - name: ParentImageFileName + type: keyword + description: > + Path to the parent process. + + - name: ParentCommandLine + type: keyword + description: > + Parent process command line arguments. + + - name: GrandparentImageFileName + type: keyword + description: > + Path to the grandparent process. + + - name: GrandparentCommandLine + type: keyword + description: > + Grandparent process command line arguments. + + - name: IOCType + type: keyword + description: > + CrowdStrike type for indicator of compromise. + + - name: IOCValue + type: keyword + description: > + CrowdStrike value for indicator of compromise. + + # FirewallMatchEvent + - name: CustomerId + type: keyword + description: > + Customer identifier. + + - name: DeviceId + type: keyword + description: > + Device on which the event occurred. + + - name: Ipv + type: keyword + description: > + Protocol for network request. + + - name: ConnectionDirection + type: keyword + description: > + Direction for network connection. + + - name: EventType + type: keyword + description: > + CrowdStrike provided event type. + + - name: HostName + type: keyword + description: > + Host name of the local machine. + + - name: ICMPCode + type: keyword + description: > + RFC2780 ICMP Code field. + + - name: ICMPType + type: keyword + description: > + RFC2780 ICMP Type field. + + - name: ImageFileName + type: keyword + description: > + File name of the associated process for the detection. + + - name: PID + type: long + description: > + Associated process id for the detection. + + - name: LocalAddress + type: ip + description: > + IP address of local machine. + + - name: LocalPort + type: long + description: > + Port of local machine. + + - name: RemoteAddress + type: ip + description: > + IP address of remote machine. + + - name: RemotePort + type: long + description: > + Port of remote machine. + + - name: RuleAction + type: keyword + description: > + Firewall rule action. + + - name: RuleDescription + type: keyword + description: > + Firewall rule description. + + - name: RuleFamilyID + type: keyword + description: > + Firewall rule family id. + + - name: RuleGroupName + type: keyword + description: > + Firewall rule group name. + + - name: RuleName + type: keyword + description: > + Firewall rule name. + + - name: RuleId + type: keyword + description: > + Firewall rule id. + + - name: MatchCount + type: long + description: > + Number of firewall rule matches. + + - name: MatchCountSinceLastReport + type: long + description: > + Number of firewall rule matches since the last report. + + - name: Timestamp + type: date + description: > + Firewall rule triggered timestamp. + + # Not entirely sure about the descriptions of the following fields + - name: Flags.Audit + type: boolean + description: > + CrowdStrike audit flag. + + - name: Flags.Log + type: boolean + description: > + CrowdStrike log flag. + + - name: Flags.Monitor + type: boolean + description: > + CrowdStrike monitor flag. + + - name: Protocol + type: keyword + description: > + CrowdStrike provided protocol. + + - name: NetworkProfile + type: keyword + description: > + CrowdStrike network profile. + + - name: PolicyName + type: keyword + description: > + CrowdStrike policy name. + + - name: PolicyID + type: keyword + description: > + CrowdStrike policy id. + + - name: Status + type: keyword + description: > + CrowdStrike status. + + - name: TreeID + type: keyword + description: > + CrowdStrike tree id. + + # RemoteResponseSessionEndEvent + - name: Commands + type: keyword + description: > + Commands run in a remote session. diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js index 6ef77376175..b12309caef5 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js +++ b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js @@ -2,186 +2,429 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -var crowdstrikeFalcon = (function() { +var crowdstrikeFalconProcessor = (function () { var processor = require("processor"); - var convertUnderscore = function(text) { - return text.split(/(?=[A-Z])/).join('_').toLowerCase(); - }; - - var decodeJson = new processor.DecodeJSONFields({ - fields: ["message"], - target: "crowdstrike", - process_array: true, - max_depth: 8 - }); - - var dropFields = function(evt) { - evt.Delete("message"); - evt.Delete("host.name"); - }; - - var setFields = function (evt) { - evt.Put("agent.name", "falcon"); - }; - - var convertFields = new processor.Convert({ - fields: [ - // DetectionSummaryEvent - { from: "crowdstrike.event.LocalIP", to: "source.ip", type: "ip" }, - { from: "crowdstrike.event.ProcessId", to: "process.pid" }, - // UserActivityAuditEvent and AuthActivityAuditEvent - { from: "crowdstrike.event.UserIp", to: "source.ip", type: "ip" }, - ], - mode: "copy", - ignore_missing: true, - ignore_failure: true - }); - - var parseTimestamp = new processor.Timestamp({ - field: "crowdstrike.metadata.eventCreationTime", - target_field: "@timestamp", - timezone: "UTC", - layouts: ["UNIX_MS"], - ignore_missing: false, - }); - - var processEvent = function(evt) { - var eventType = evt.Get("crowdstrike.metadata.eventType") - var outcome = evt.Get("crowdstrike.event.Success") - - evt.Put("event.kind", "event") - - if (outcome === true) { - evt.Put("event.outcome", "success") + // conversion helpers + function convertUnderscore(text) { + return text.split(/(?=[A-Z])/).join('_').toLowerCase(); + } + + function convertToMSEpoch(evt, field) { + var timestamp = evt.Get(field); + if (timestamp) { + if (timestamp < 100000000000) { // check if we have a seconds timestamp, this is roughly 1973 in MS + evt.Put(field, timestamp * 1000); + } + (new processor.Timestamp({ + field: field, + target_field: field, + timezone: "UTC", + layouts: ["UNIX_MS"] + })).Run(evt); } - else if (outcome === false) { - evt.Put("event.outcome", "failure") + } + + function convertProcess(evt) { + var commandLine = evt.Get("crowdstrike.event.CommandLine") + if (commandLine && commandLine.trim() !== "") { + var args = commandLine.split(' ').filter(function (arg) { + return arg !== ""; + }); + var executable = args[0] + + evt.Put("process.command_line", commandLine) + evt.Put("process.args", args) + evt.Put("process.executable", executable) } - else { - evt.Put("event.outcome", "unknown") + } + + function convertSourceDestination(evt) { + var localAddress = evt.Get("crowdstrike.event.LocalAddress"); + var localPort = evt.Get("crowdstrike.event.LocalPort"); + var remoteAddress = evt.Get("crowdstrike.event.RemoteAddress"); + var remotePort = evt.Get("crowdstrike.event.RemotePort"); + if (evt.Get("crowdstrike.event.ConnectionDirection") === "1") { + evt.Put("network.direction", "inbound") + evt.Put("source.ip", remoteAddress) + evt.Put("source.port", remotePort) + evt.Put("destination.ip", localAddress) + evt.Put("destination.port", localPort) + } else { + evt.Put("network.direction", "outbound") + evt.Put("destination.ip", remoteAddress) + evt.Put("destination.port", remotePort) + evt.Put("source.ip", localAddress) + evt.Put("source.port", localPort) } - - switch (eventType) { - case "DetectionSummaryEvent": + evt.AppendTo("related.ip", remoteAddress) + evt.AppendTo("related.ip", localAddress) + } + + function convertEventAction(evt) { + evt.Put("event.action", convertUnderscore(evt.Get("crowdstrike.metadata.eventType"))) + } + + function convertUsername(evt) { + var username = evt.Get("crowdstrike.event.UserName") + if (!username || username === "") { + username = evt.Get("crowdstrike.event.UserId") + } + if (username && username !== "") { + evt.Put("user.name", username) + if (username.split('@').length == 2) { + evt.Put("user.email", username) + } + evt.AppendTo("related.user", username) + } + } + + // event processors by type + var eventProcessors = { + DetectionSummaryEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "alert", + "event.category": ["malware"], + "event.type": ["info"], + "event.dataset": "crowdstrike.falcon_endpoint", + "agent.type": "falcon", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.LocalIP", + to: "source.ip", + type: "ip" + }, { + from: "crowdstrike.event.LocalIP", + to: "related.ip", + type: "ip" + }, { + from: "crowdstrike.event.ProcessId", + to: "process.pid" + }, { + from: "crowdstrike.event.ParentImageFileName", + to: "process.parent.executable" + }, { + from: "crowdstrike.event.ParentCommandLine", + to: "process.parent.command_line" + }, { + from: "crowdstrike.event.PatternDispositionDescription", + to: "event.action", + }, { + from: "crowdstrike.event.FalconHostLink", + to: "event.url", + }, { + from: "crowdstrike.event.Severity", + to: "event.severity", + }, { + from: "crowdstrike.event.DetectDescription", + to: "message", + }, { + from: "crowdstrike.event.FileName", + to: "process.name", + }, { + from: "crowdstrike.event.UserName", + to: "user.name", + }, + { + from: "crowdstrike.event.MachineDomain", + to: "user.domain", + }, + { + from: "crowdstrike.event.SensorId", + to: "agent.id", + }, + { + from: "crowdstrike.event.ComputerName", + to: "host.name", + }, + { + from: "crowdstrike.event.SHA256String", + to: "file.hash.sha256", + }, + { + from: "crowdstrike.event.MD5String", + to: "file.hash.md5", + }, + { + from: "crowdstrike.event.SHA1String", + to: "file.hash.sha1", + }, + { + from: "crowdstrike.event.DetectName", + to: "rule.name", + }, + { + from: "crowdstrike.event.DetectDescription", + to: "rule.description", + } + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { var tactic = evt.Get("crowdstrike.event.Tactic").toLowerCase() var technique = evt.Get("crowdstrike.event.Technique").toLowerCase() - evt.Put("threat.technique.name", technique) + evt.Put("threat.technique.name", technique) evt.Put("threat.tactic.name", tactic) - - evt.Put("event.action", evt.Get("crowdstrike.event.PatternDispositionDescription")) - evt.Put("event.kind", "alert") - evt.Put("event.type", ["info"]) - evt.Put("event.category", ["malware"]) - evt.Put("event.url", evt.Get("crowdstrike.event.FalconHostLink")) - evt.Put("event.dataset", "crowdstrike.falcon_endpoint") - - evt.Put("event.severity", evt.Get("crowdstrike.event.Severity")) - evt.Put("message", evt.Get("crowdstrike.event.DetectDescription")) - evt.Put("process.name", evt.Get("crowdstrike.event.FileName")) - - var command_line = evt.Get("crowdstrike.event.CommandLine") - var args = command_line.split(' ') - var executable = args[0] - - evt.Put("process.command_line", command_line) - evt.Put("process.args", args) - evt.Put("process.executable", executable) - - evt.Put("user.name", evt.Get("crowdstrike.event.UserName")) - evt.Put("user.domain", evt.Get("crowdstrike.event.MachineDomain")) - evt.Put("agent.id", evt.Get("crowdstrike.event.SensorId")) - evt.Put("host.name", evt.Get("crowdstrike.event.ComputerName")) - evt.Put("agent.type", "falcon") - evt.Put("file.hash.sha256", evt.Get("crowdstrike.event.SHA256String")) - evt.Put("file.hash.md5", evt.Get("crowdstrike.event.MD5String")) - evt.Put("rule.name", evt.Get("crowdstrike.event.DetectName")) - evt.Put("rule.description", evt.Get("crowdstrike.event.DetectDescription")) - - break; - - case "IncidentSummaryEvent": - evt.Put("event.kind", "alert") - evt.Put("event.type", ["info"]) - evt.Put("event.category", ["malware"]) - evt.Put("event.action", "incident") - evt.Put("event.url", evt.Get("crowdstrike.event.FalconHostLink")) - evt.Put("event.dataset", "crowdstrike.falcon_endpoint") - + convertProcess(evt) + }) + .Build(), + + IncidentSummaryEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "alert", + "event.category": ["malware"], + "event.type": ["info"], + "event.action": "incident", + "event.dataset": "crowdstrike.falcon_endpoint", + "agent.type": "falcon", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.FalconHostLink", + to: "event.url", + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { evt.Put("message", "Incident score " + evt.Get("crowdstrike.event.FineScore")) - - break; - - case "UserActivityAuditEvent": - var userid = evt.Get("crowdstrike.event.UserId") - evt.Put("user.name", userid) - if (userid.split('@').length == 2) { - evt.Put("user.email", userid) - } - - evt.Put("message", evt.Get("crowdstrike.event.OperationName")) - evt.Put("event.action", convertUnderscore(eventType)) - evt.Put("event.type", ["change"]) - evt.Put("event.category", ["iam"]) - evt.Put("event.dataset", "crowdstrike.falcon_audit") - - break; - - case "AuthActivityAuditEvent": - var userid = evt.Get("crowdstrike.event.UserId") - evt.Put("user.name", userid) - if (userid.split('@').length == 2) { - evt.Put("user.email", userid) - } - - evt.Put("message", evt.Get("crowdstrike.event.ServiceName")) + convertProcess(evt) + }) + .Build(), + + UserActivityAuditEvent: new processor.Chain() + .AddFields({ + fields: { + kind: "event", + category: ["iam"], + type: ["change"], + dataset: "crowdstrike.falcon_audit", + }, + target: "event", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.OperationName", + to: "message", + }, { + from: "crowdstrike.event.UserIp", + to: "source.ip", + type: "ip" + }, { + from: "crowdstrike.event.UserIp", + to: "related.ip", + type: "ip" + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(convertUsername) + .Add(convertEventAction) + .Build(), + + AuthActivityAuditEvent: new processor.Chain() + .AddFields({ + fields: { + kind: "event", + category: ["authentication"], + type: ["change"], + dataset: "crowdstrike.falcon_audit", + }, + target: "event", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.ServiceName", + to: "message", + }, { + from: "crowdstrike.event.UserIp", + to: "source.ip", + type: "ip" + }, { + from: "crowdstrike.event.UserIp", + to: "related.ip", + type: "ip" + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { evt.Put("event.action", convertUnderscore(evt.Get("crowdstrike.event.OperationName"))) - evt.Put("event.type", ["change"]) - evt.Put("event.category", ["authentication"]) - evt.Put("event.dataset", "crowdstrike.falcon_audit") - - break; - - case "RemoteResponseSessionStartEvent": - case "RemoteResponseSessionEndEvent": - var username = evt.Get("crowdstrike.event.UserName") - evt.Put("user.name", username) - if (username.split('@').length == 2) { - evt.Put("user.email", username) - } - - evt.Put("host.name", evt.Get("crowdstrike.event.HostnameField")) - evt.Put("event.action", convertUnderscore(eventType)) - evt.Put("event.dataset", "crowdstrike.falcon_audit") - - if (eventType == "RemoteResponseSessionStartEvent") { - evt.Put("event.type", ["start"]) - evt.Put("message", "Remote response session started") - } else { - evt.Put("event.type", ["end"]) - evt.Put("message", "Remote response session ended") - } - - break; - - default: - break; - } - } - - var pipeline = new processor.Chain() - .Add(decodeJson) - .Add(parseTimestamp) - .Add(dropFields) - .Add(convertFields) - .Add(processEvent) - .Build(); - - return { - process: pipeline.Run, - }; + convertUsername(evt) + }) + .Build(), + + FirewallMatchEvent: new processor.Chain() + .AddFields({ + fields: { + kind: "event", + category: ["network"], + type: ["start", "connection"], + outcome: ["unknown"], + dataset: "crowdstrike.falcon_endpoint", + }, + target: "event", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.Ipv", + to: "network.type", + }, { + from: "crowdstrike.event.PID", + to: "process.pid", + }, + { + from: "crowdstrike.event.RuleId", + to: "rule.id" + }, + { + from: "crowdstrike.event.RuleName", + to: "rule.name" + }, + { + from: "crowdstrike.event.RuleGroupName", + to: "rule.ruleset" + }, + { + from: "crowdstrike.event.RuleDescription", + to: "rule.description" + }, + { + from: "crowdstrike.event.RuleFamilyID", + to: "rule.category" + }, + { + from: "crowdstrike.event.HostName", + to: "host.name" + }, + { + from: "crowdstrike.event.Ipv", + to: "network.type", + }, + { + from: "crowdstrike.event.EventType", + to: "event.code", + } + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { + evt.Put("message", "Firewall Rule '" + evt.Get("crowdstrike.event.RuleName") + "' triggered") + convertEventAction(evt) + convertProcess(evt) + convertSourceDestination(evt) + }) + .Build(), + + RemoteResponseSessionStartEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "event", + "event.type": ["start"], + "event.dataset": "crowdstrike.falcon_audit", + message: "Remote response session started", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.HostnameField", + to: "host.name", + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(convertUsername) + .Add(convertEventAction) + .Build(), + + RemoteResponseSessionEndEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "event", + "event.type": ["end"], + "event.dataset": "crowdstrike.falcon_audit", + message: "Remote response session ended", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.HostnameField", + to: "host.name", + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(convertUsername) + .Add(convertEventAction) + .Build(), + } + + // main processor + return new processor.Chain() + .DecodeJSONFields({ + fields: ["message"], + target: "crowdstrike", + process_array: true, + max_depth: 8 + }) + .Add(function (evt) { + evt.Delete("message"); + evt.Delete("host.name"); + + convertToMSEpoch(evt, "crowdstrike.event.ProcessStartTime") + convertToMSEpoch(evt, "crowdstrike.event.ProcessEndTime") + convertToMSEpoch(evt, "crowdstrike.event.IncidentStartTime") + convertToMSEpoch(evt, "crowdstrike.event.IncidentEndTime") + convertToMSEpoch(evt, "crowdstrike.event.StartTimestamp") + convertToMSEpoch(evt, "crowdstrike.event.EndTimestamp") + convertToMSEpoch(evt, "crowdstrike.event.UTCTimestamp") + convertToMSEpoch(evt, "crowdstrike.metadata.eventCreationTime") + + var outcome = evt.Get("crowdstrike.event.Success") + if (outcome === true) { + evt.Put("event.outcome", "success") + } else if (outcome === false) { + evt.Put("event.outcome", "failure") + } else { + evt.Put("event.outcome", "unknown") + } + + var eventProcessor = eventProcessors[evt.Get("crowdstrike.metadata.eventType")] + if (eventProcessor) { + eventProcessor.Run(evt) + } + }) + .Convert({ + fields: [{ + from: "crowdstrike.metadata.eventCreationTime", + to: "@timestamp", + }], + mode: "copy", + ignore_missing: false, + fail_on_error: true + }) + .Build() + .Run })(); function process(evt) { - crowdstrikeFalcon.process(evt); + crowdstrikeFalconProcessor(evt); } diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml new file mode 100644 index 00000000000..3aa632ab715 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml @@ -0,0 +1,31 @@ +description: Ingest pipeline for normalizing CrowdStrike Falcon logs +processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + - script: + lang: painless + if: ctx?.crowdstrike?.event != null + params: + values: + - null + - '' + - '-' + - 'N/A' + source: | + ctx.crowdstrike.event.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + - script: + lang: painless + if: ctx?.crowdstrike?.metadata != null + params: + values: + - null + - '' + - '-' + - 'N/A' + source: | + ctx.crowdstrike.metadata.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml b/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml index ab5f880e3a3..905124a0eab 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml @@ -8,3 +8,4 @@ var: default: [forwarded] input: config/falcon.yml +ingest_pipeline: ingest/pipeline.yml diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log index d23985338fc..1a403c955ce 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log @@ -150,10 +150,10 @@ ] } } -{ +{ "metadata": { "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "offset": 5, + "offset": 5, "eventType": "AuthActivityAuditEvent", "eventCreationTime": 1581601341730, "version": "1.0" @@ -167,10 +167,10 @@ "UTCTimestamp": 1581601341730 } } -{ +{ "metadata": { "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "offset": 6, + "offset": 6, "eventType": "AuthActivityAuditEvent", "eventCreationTime": 1581601520236, "version": "1.0" @@ -183,17 +183,17 @@ "Success": true, "UTCTimestamp": 1581601520236, "AuditKeyValues": [ - { + { "Key": "target_name", "ValueString": "first.last@company.com" } ] } } -{ +{ "metadata": { "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "offset": 7, + "offset": 7, "eventType": "AuthActivityAuditEvent", "eventCreationTime": 1581601572362, "version": "1.0" diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json index e515eb46583..4d21948cac7 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json @@ -1,12 +1,11 @@ [ { - "@timestamp": "2020-02-27T19:12:14.000Z", "crowdstrike.event.HostnameField": "hostnameofmachine", "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", - "crowdstrike.event.StartTimestamp": 1582830734, + "crowdstrike.event.StartTimestamp": "2020-02-27T19:12:14.000Z", "crowdstrike.event.UserName": "first.last@company.com", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1582830734000, + "crowdstrike.metadata.eventCreationTime": "2020-02-27T19:12:14.000Z", "crowdstrike.metadata.eventType": "RemoteResponseSessionStartEvent", "crowdstrike.metadata.offset": 1045, "crowdstrike.metadata.version": "1.0", @@ -26,6 +25,7 @@ ], "log.offset": 0, "message": "Remote response session started", + "related.user": "first.last@company.com", "service.type": "crowdstrike", "tags": [ "forwarded" @@ -34,13 +34,12 @@ "user.name": "first.last@company.com" }, { - "@timestamp": "2020-02-27T19:12:52.000Z", - "crowdstrike.event.EndTimestamp": 1582830772, + "crowdstrike.event.EndTimestamp": "2020-02-27T19:12:52.000Z", "crowdstrike.event.HostnameField": "hostnameofmachine", "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", "crowdstrike.event.UserName": "first.last@company.com", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1582830772000, + "crowdstrike.metadata.eventCreationTime": "2020-02-27T19:12:52.000Z", "crowdstrike.metadata.eventType": "RemoteResponseSessionEndEvent", "crowdstrike.metadata.offset": 1046, "crowdstrike.metadata.version": "1.0", @@ -60,6 +59,7 @@ ], "log.offset": 457, "message": "Remote response session ended", + "related.user": "first.last@company.com", "service.type": "crowdstrike", "tags": [ "forwarded" @@ -68,7 +68,6 @@ "user.name": "first.last@company.com" }, { - "@timestamp": "2020-02-12T21:29:10.710Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "APIClientID", @@ -94,11 +93,11 @@ "crowdstrike.event.OperationName": "streamStarted", "crowdstrike.event.ServiceName": "Crowdstrike Streaming API", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581542950, + "crowdstrike.event.UTCTimestamp": "2020-02-12T21:29:10.000Z", "crowdstrike.event.UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", "crowdstrike.event.UserIp": "10.10.0.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581542950710, + "crowdstrike.metadata.eventCreationTime": "2020-02-12T21:29:10.710Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 0, "crowdstrike.metadata.version": "1.0", @@ -120,6 +119,8 @@ ], "log.offset": 910, "message": "Crowdstrike Streaming API", + "related.ip": "10.10.0.8", + "related.user": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", "service.type": "crowdstrike", "source.ip": "10.10.0.8", "tags": [ @@ -128,15 +129,14 @@ "user.name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" }, { - "@timestamp": "2020-02-12T21:39:37.147Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581543577147, + "crowdstrike.event.UTCTimestamp": "2020-02-12T21:39:37.147Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581543577147, + "crowdstrike.metadata.eventCreationTime": "2020-02-12T21:39:37.147Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 1, "crowdstrike.metadata.version": "1.0", @@ -158,6 +158,8 @@ ], "log.offset": 2152, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -167,15 +169,14 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-12T22:14:37.554Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581545677554, + "crowdstrike.event.UTCTimestamp": "2020-02-12T22:14:37.554Z", "crowdstrike.event.UserId": "bob@company.com", "crowdstrike.event.UserIp": "192.168.6.3", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581545677554, + "crowdstrike.metadata.eventCreationTime": "2020-02-12T22:14:37.554Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 2, "crowdstrike.metadata.version": "1.0", @@ -197,6 +198,8 @@ ], "log.offset": 2645, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.3", + "related.user": "bob@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.3", "tags": [ @@ -206,7 +209,6 @@ "user.name": "bob@company.com" }, { - "@timestamp": "2020-02-12T22:24:08.000Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "group_id", @@ -219,11 +221,11 @@ ], "crowdstrike.event.OperationName": "update_group", "crowdstrike.event.ServiceName": "groups", - "crowdstrike.event.UTCTimestamp": 1581546248, + "crowdstrike.event.UTCTimestamp": "2020-02-12T22:24:08.000Z", "crowdstrike.event.UserId": "chris@company.com", "crowdstrike.event.UserIp": "192.168.6.13", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581546248000, + "crowdstrike.metadata.eventCreationTime": "2020-02-12T22:24:08.000Z", "crowdstrike.metadata.eventType": "UserActivityAuditEvent", "crowdstrike.metadata.offset": 3, "crowdstrike.metadata.version": "1.0", @@ -245,6 +247,8 @@ ], "log.offset": 3136, "message": "update_group", + "related.ip": "192.168.6.13", + "related.user": "chris@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.13", "tags": [ @@ -254,7 +258,6 @@ "user.name": "chris@company.com" }, { - "@timestamp": "2020-02-13T13:41:52.140Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "target_name", @@ -264,11 +267,11 @@ "crowdstrike.event.OperationName": "requestResetPassword", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601312140, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:41:52.140Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601312140, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:41:52.140Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 4, "crowdstrike.metadata.version": "1.0", @@ -290,6 +293,8 @@ ], "log.offset": 3858, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -299,15 +304,14 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:42:21.730Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601341730, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:42:21.730Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601341730, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:42:21.730Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 5, "crowdstrike.metadata.version": "1.0", @@ -329,6 +333,8 @@ ], "log.offset": 4506, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -338,7 +344,6 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:45:20.236Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "target_name", @@ -348,11 +353,11 @@ "crowdstrike.event.OperationName": "changePassword", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601520236, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:45:20.236Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601520236, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:45:20.236Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 6, "crowdstrike.metadata.version": "1.0", @@ -372,8 +377,10 @@ "log.flags": [ "multiline" ], - "log.offset": 5003, + "log.offset": 4999, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -383,15 +390,14 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:46:12.362Z", "crowdstrike.event.OperationName": "userAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601572362, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:46:12.362Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601572362, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:46:12.362Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 7, "crowdstrike.metadata.version": "1.0", @@ -411,8 +417,10 @@ "log.flags": [ "multiline" ], - "log.offset": 5657, + "log.offset": 5646, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -422,15 +430,14 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:50:14.754Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601814754, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:50:14.754Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601814754, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:50:14.754Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 8, "crowdstrike.metadata.version": "1.0", @@ -450,8 +457,10 @@ "log.flags": [ "multiline" ], - "log.offset": 6149, + "log.offset": 6134, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -461,15 +470,14 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:50:20.289Z", "crowdstrike.event.OperationName": "selfAcceptEula", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601820289, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:50:20.289Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601820289, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:50:20.289Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 9, "crowdstrike.metadata.version": "1.0", @@ -489,8 +497,10 @@ "log.flags": [ "multiline" ], - "log.offset": 6642, + "log.offset": 6627, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -500,7 +510,6 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T14:14:22.000Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "detection_id", @@ -521,11 +530,11 @@ ], "crowdstrike.event.OperationName": "detection_update", "crowdstrike.event.ServiceName": "detections", - "crowdstrike.event.UTCTimestamp": 1581603262, + "crowdstrike.event.UTCTimestamp": "2020-02-13T14:14:22.000Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581603262000, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T14:14:22.000Z", "crowdstrike.metadata.eventType": "UserActivityAuditEvent", "crowdstrike.metadata.offset": 10, "crowdstrike.metadata.version": "1.0", @@ -545,8 +554,10 @@ "log.flags": [ "multiline" ], - "log.offset": 7128, + "log.offset": 7113, "message": "detection_update", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log index 7842299bacf..0980bf0fb60 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log @@ -66,3 +66,29 @@ "FineScore": 1.2 } } +{ + "metadata": { + "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "offset": 22865, + "eventType": "UserActivityAuditEvent", + "eventCreationTime": 1593186952000, + "version": "1.0" + }, + "event": { + "UserId": "Crowdstrike", + "UserIp": "", + "OperationName": "quarantined_file_update", + "ServiceName": "quarantined_files", + "AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78" + }, + { + "Key": "action_taken", + "ValueString": "quarantined" + } + ], + "UTCTimestamp": 1593186952 + } +} diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json index 3213435b88c..47c0e10f47a 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-02-19T08:30:00.000Z", "crowdstrike.event.CommandLine": "C:\\Windows\\Explorer.EXE", "crowdstrike.event.ComputerName": "alice-laptop", "crowdstrike.event.DetectDescription": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", @@ -32,7 +31,7 @@ "crowdstrike.event.PatternDispositionValue": 16, "crowdstrike.event.ProcessEndTime": 0, "crowdstrike.event.ProcessId": 38684386611, - "crowdstrike.event.ProcessStartTime": 1536846339, + "crowdstrike.event.ProcessStartTime": "2018-09-13T13:45:39.000Z", "crowdstrike.event.SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", "crowdstrike.event.SensorId": "7c808b4c8878433287eea53d4a8c3268", "crowdstrike.event.Severity": 4, @@ -41,7 +40,7 @@ "crowdstrike.event.Technique": "Ransomware", "crowdstrike.event.UserName": "alice", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1582101000000, + "crowdstrike.metadata.eventCreationTime": "2020-02-19T08:30:00.000Z", "crowdstrike.metadata.eventType": "DetectionSummaryEvent", "crowdstrike.metadata.offset": 294564, "crowdstrike.metadata.version": "1.0", @@ -75,6 +74,7 @@ "process.executable": "C:\\Windows\\Explorer.EXE", "process.name": "explorer.exe", "process.pid": 38684386611, + "related.ip": "192.168.12.51", "rule.description": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", "rule.name": "Process Terminated", "service.type": "crowdstrike", @@ -88,14 +88,13 @@ "user.name": "alice" }, { - "@timestamp": "2020-03-04T04:17:56.766Z", "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b", "crowdstrike.event.FineScore": 1.2, - "crowdstrike.event.IncidentEndTime": 1583295470, - "crowdstrike.event.IncidentStartTime": 1583295228, + "crowdstrike.event.IncidentEndTime": "2020-03-04T04:17:50.000Z", + "crowdstrike.event.IncidentStartTime": "2020-03-04T04:13:48.000Z", "crowdstrike.event.State": "open", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1583295476766, + "crowdstrike.metadata.eventCreationTime": "2020-03-04T04:17:56.766Z", "crowdstrike.metadata.eventType": "IncidentSummaryEvent", "crowdstrike.metadata.offset": 1824, "crowdstrike.metadata.version": "1.0", @@ -122,5 +121,50 @@ "tags": [ "forwarded" ] + }, + { + "crowdstrike.event.AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78" + }, + { + "Key": "action_taken", + "ValueString": "quarantined" + } + ], + "crowdstrike.event.OperationName": "quarantined_file_update", + "crowdstrike.event.ServiceName": "quarantined_files", + "crowdstrike.event.UTCTimestamp": "2020-06-26T15:55:52.000Z", + "crowdstrike.event.UserId": "Crowdstrike", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": "2020-06-26T15:55:52.000Z", + "crowdstrike.metadata.eventType": "UserActivityAuditEvent", + "crowdstrike.metadata.offset": 22865, + "crowdstrike.metadata.version": "1.0", + "event.action": "user_activity_audit_event", + "event.category": [ + "iam" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2579, + "message": "quarantined_file_update", + "related.user": "Crowdstrike", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ], + "user.name": "Crowdstrike" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log new file mode 100644 index 00000000000..efd3b565576 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log @@ -0,0 +1,254 @@ +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 70689, + "eventType": "FirewallMatchEvent", + "eventCreationTime": 1595248906000, + "version": "1.0" + }, + "event": { + "DeviceId": "718af202ab2c4ba5b6a5d10d39c0e0a5", + "CustomerId": "12345a1bc2d34fghi56jk7890lmno12p", + "Ipv": "ipv4", + "CommandLine": "", + "ConnectionDirection": "1", + "EventType": "FirewallRuleIP4Matched", + "Flags": { + "Audit": false, + "Log": false, + "Monitor": true + }, + "HostName": "TESTDEVICE01", + "ICMPCode": "", + "ICMPType": "", + "ImageFileName": "", + "LocalAddress": "10.37.60.194", + "LocalPort": "445", + "MatchCount": 1, + "MatchCountSinceLastReport": 1, + "NetworkProfile": "2", + "PID": "206158879910", + "PolicyName": "PROD-FW-Workstations-General", + "PolicyID": "74e7f1552a3a4d90a6d65578642c8584", + "Protocol": "6", + "RemoteAddress": "10.37.60.21", + "RemotePort": "54952", + "RuleAction": "2", + "RuleDescription": "", + "RuleFamilyID": "fec73e96a1bf4481be582c3f89b234fa", + "RuleGroupName": "SMB Rules", + "RuleName": "Inbound SMB Block \u0026 Log Private", + "RuleId": "4877172638743447345", + "Status": "", + "Timestamp": "2020-07-20T12:41:44Z", + "TreeID": "" + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 57181, + "eventType": "IncidentSummaryEvent", + "eventCreationTime": 1595005328414, + "version": "1.0" + }, + "event": { + "IncidentStartTime": 1595005316, + "IncidentEndTime": 1595005316, + "FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:1234567893cd4e55b3a832ba2140478e:72e291e40c1544d390eabf135d875e54", + "State": "open", + "FineScore": 0.1, + "LateralMovement": 0 + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 70509, + "eventType": "AuthActivityAuditEvent", + "eventCreationTime": 1595247970093, + "version": "1.0" + }, + "event": { + "UserId": "first.last@company.com", + "UserIp": "165.225.220.184", + "OperationName": "saml2Assert", + "ServiceName": "Crowdstrike Authentication", + "Success": true, + "UTCTimestamp": 1595247970, + "AuditKeyValues": [ + { + "Key": "trace_id", + "ValueString": "b0b33836-555c-4e0e-a5ef-d368f6799f6b" + }, + { + "Key": "actor_user", + "ValueString": "first.last@company.com" + }, + { + "Key": "actor_user_uuid", + "ValueString": "123ab141-fab1-41c9-85c5-43a1ef90d2c2" + }, + { + "Key": "actor_cid", + "ValueString": "774694c2ef8c43fdb64ec3056ddfb96d" + }, + { + "Key": "target_user", + "ValueString": "first.last@company.com" + } + ] + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 70683, + "eventType": "UserActivityAuditEvent", + "eventCreationTime": 1595248885000, + "version": "1.0" + }, + "event": { + "UserId": "Crowdstrike", + "UserIp": "", + "OperationName": "quarantined_file_update", + "ServiceName": "quarantined_files", + "AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "ab1cde05567b455b93afbe2d3df352c9_328024a065630f897f09963d4b67b0c95d4054f540c2ca8014d5b012718bfa21" + }, + { + "Key": "action_taken", + "ValueString": "quarantined" + } + ], + "UTCTimestamp": 1595248885 + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 57217, + "eventType": "RemoteResponseSessionStartEvent", + "eventCreationTime": 1595006093000, + "version": "1.0" + }, + "event": { + "SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e", + "HostnameField": "TESTDEVICE01", + "UserName": "first.last@company.com", + "StartTimestamp": 1595006093 + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 57269, + "eventType": "RemoteResponseSessionEndEvent", + "eventCreationTime": 1595006899000, + "version": "1.0" + }, + "event": { + "SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e", + "HostnameField": "TESTDEVICE01", + "UserName": "first.last@company.com", + "EndTimestamp": 1595006899, + "Commands": [ + "cd \\Program Files (x86)\\Symantec", + "ls .", + "cd \\Program Files (x86)", + "ls .", + "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default", + "reg set HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default GroupingTags -ValueType=```REG_SZ``` -Value=```Protect```", + "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default", + "restart", + "restart -Confirm" + ] + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 57047, + "eventType": "DetectionSummaryEvent", + "eventCreationTime": 1595002291000, + "version": "1.0" + }, + "event": { + "ProcessStartTime": 1595002290, + "ProcessEndTime": 1595002290, + "ProcessId": 663790158277, + "ParentProcessId": 627311656469, + "ComputerName": "TESTDEVICE01", + "UserName": "First.last", + "DetectName": "NGAV", + "DetectDescription": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", + "Severity": 2, + "SeverityName": "Low", + "FileName": "filename.exe", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path", + "CommandLine": "\"C:\\ProgramData\\file\\path\\filename.exe\" ", + "SHA256String": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "MD5String": "0ab1235adca04aef6239f5496ef0a5df", + "SHA1String": "0000000000000000000000000000000000000000", + "MachineDomain": "NA", + "ExecutablesWritten": [ + { + "Timestamp": 1595002290, + "FileName": "NEURO_200_J1939Configuration.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder" + }, + { + "Timestamp": 1595002290, + "FileName": "NEURO_200_J1939Configuration.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder" + }, + { + "Timestamp": 1595002290, + "FileName": "NEURO_200_J1939CanPackMessage.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder" + }, + { + "Timestamp": 1595002290, + "FileName": "NEURO_200_J1939CanPackMessage.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder" + } + ], + "FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p", + "SensorId": "1abcd2345b8c4151a0cb45dcfbe6d3d0", + "IOCType": "hash_sha256", + "IOCValue": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "DetectId": "ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719", + "LocalIP": "10.1.190.117", + "MACAddress": "54-ad-d4-d2-a8-0b", + "Tactic": "Machine Learning", + "Technique": "Sensor-based ML", + "Objective": "Falcon Detection Method", + "PatternDispositionDescription": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "PatternDispositionValue": 2304, + "PatternDispositionFlags": { + "Indicator": false, + "Detect": false, + "InddetMask": false, + "SensorOnly": false, + "Rooting": false, + "KillProcess": false, + "KillSubProcess": false, + "QuarantineMachine": false, + "QuarantineFile": false, + "PolicyDisabled": true, + "KillParent": false, + "OperationBlocked": false, + "ProcessBlocked": true, + "RegistryOperationBlocked": false, + "CriticalProcessDisabled": false, + "BootupSafeguardEnabled": false, + "FsOperationBlocked": false + }, + "ParentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "ParentCommandLine": "C:\\Windows\\Explorer.EXE", + "GrandparentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\userinit.exe", + "GrandparentCommandLine": "C:\\Windows\\system32\\userinit.exe" + } +} diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json new file mode 100644 index 00000000000..e1fd5b6b0c7 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json @@ -0,0 +1,424 @@ +[ + { + "crowdstrike.event.ConnectionDirection": "1", + "crowdstrike.event.CustomerId": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.event.DeviceId": "718af202ab2c4ba5b6a5d10d39c0e0a5", + "crowdstrike.event.EventType": "FirewallRuleIP4Matched", + "crowdstrike.event.Flags.Audit": false, + "crowdstrike.event.Flags.Log": false, + "crowdstrike.event.Flags.Monitor": true, + "crowdstrike.event.HostName": "TESTDEVICE01", + "crowdstrike.event.Ipv": "ipv4", + "crowdstrike.event.LocalAddress": "10.37.60.194", + "crowdstrike.event.LocalPort": "445", + "crowdstrike.event.MatchCount": 1, + "crowdstrike.event.MatchCountSinceLastReport": 1, + "crowdstrike.event.NetworkProfile": "2", + "crowdstrike.event.PID": "206158879910", + "crowdstrike.event.PolicyID": "74e7f1552a3a4d90a6d65578642c8584", + "crowdstrike.event.PolicyName": "PROD-FW-Workstations-General", + "crowdstrike.event.Protocol": "6", + "crowdstrike.event.RemoteAddress": "10.37.60.21", + "crowdstrike.event.RemotePort": "54952", + "crowdstrike.event.RuleAction": "2", + "crowdstrike.event.RuleFamilyID": "fec73e96a1bf4481be582c3f89b234fa", + "crowdstrike.event.RuleGroupName": "SMB Rules", + "crowdstrike.event.RuleId": "4877172638743447345", + "crowdstrike.event.RuleName": "Inbound SMB Block & Log Private", + "crowdstrike.event.Timestamp": "2020-07-20T12:41:44Z", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-20T12:41:46.000Z", + "crowdstrike.metadata.eventType": "FirewallMatchEvent", + "crowdstrike.metadata.offset": 70689, + "crowdstrike.metadata.version": "1.0", + "destination.ip": "10.37.60.194", + "destination.port": "445", + "event.action": "firewall_match_event", + "event.category": [ + "network" + ], + "event.code": "FirewallRuleIP4Matched", + "event.dataset": "crowdstrike.falcon_endpoint", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": [ + "unknown" + ], + "event.type": [ + "start", + "connection" + ], + "fileset.name": "falcon", + "host.name": "TESTDEVICE01", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 0, + "message": "Firewall Rule 'Inbound SMB Block & Log Private' triggered", + "network.direction": "inbound", + "network.type": "ipv4", + "process.pid": "206158879910", + "related.ip": [ + "10.37.60.21", + "10.37.60.194" + ], + "rule.category": "fec73e96a1bf4481be582c3f89b234fa", + "rule.description": "", + "rule.id": "4877172638743447345", + "rule.name": "Inbound SMB Block & Log Private", + "rule.ruleset": "SMB Rules", + "service.type": "crowdstrike", + "source.ip": "10.37.60.21", + "source.port": "54952", + "tags": [ + "forwarded" + ] + }, + { + "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:1234567893cd4e55b3a832ba2140478e:72e291e40c1544d390eabf135d875e54", + "crowdstrike.event.FineScore": 0.1, + "crowdstrike.event.IncidentEndTime": "2020-07-17T17:01:56.000Z", + "crowdstrike.event.IncidentStartTime": "2020-07-17T17:01:56.000Z", + "crowdstrike.event.LateralMovement": 0, + "crowdstrike.event.State": "open", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T17:02:08.414Z", + "crowdstrike.metadata.eventType": "IncidentSummaryEvent", + "crowdstrike.metadata.offset": 57181, + "crowdstrike.metadata.version": "1.0", + "event.action": "incident", + "event.category": [ + "malware" + ], + "event.dataset": "crowdstrike.falcon_endpoint", + "event.kind": "alert", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "info" + ], + "event.url": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:1234567893cd4e55b3a832ba2140478e:72e291e40c1544d390eabf135d875e54", + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 1469, + "message": "Incident score 0.1", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ] + }, + { + "crowdstrike.event.AuditKeyValues": [ + { + "Key": "trace_id", + "ValueString": "b0b33836-555c-4e0e-a5ef-d368f6799f6b" + }, + { + "Key": "actor_user", + "ValueString": "first.last@company.com" + }, + { + "Key": "actor_user_uuid", + "ValueString": "123ab141-fab1-41c9-85c5-43a1ef90d2c2" + }, + { + "Key": "actor_cid", + "ValueString": "774694c2ef8c43fdb64ec3056ddfb96d" + }, + { + "Key": "target_user", + "ValueString": "first.last@company.com" + } + ], + "crowdstrike.event.OperationName": "saml2Assert", + "crowdstrike.event.ServiceName": "Crowdstrike Authentication", + "crowdstrike.event.Success": true, + "crowdstrike.event.UTCTimestamp": "2020-07-20T12:26:10.000Z", + "crowdstrike.event.UserId": "first.last@company.com", + "crowdstrike.event.UserIp": "165.225.220.184", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-20T12:26:10.093Z", + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 70509, + "crowdstrike.metadata.version": "1.0", + "event.action": "saml2_assert", + "event.category": [ + "authentication" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2041, + "message": "Crowdstrike Authentication", + "related.ip": "165.225.220.184", + "related.user": "first.last@company.com", + "service.type": "crowdstrike", + "source.ip": "165.225.220.184", + "tags": [ + "forwarded" + ], + "user.email": "first.last@company.com", + "user.name": "first.last@company.com" + }, + { + "crowdstrike.event.AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "ab1cde05567b455b93afbe2d3df352c9_328024a065630f897f09963d4b67b0c95d4054f540c2ca8014d5b012718bfa21" + }, + { + "Key": "action_taken", + "ValueString": "quarantined" + } + ], + "crowdstrike.event.OperationName": "quarantined_file_update", + "crowdstrike.event.ServiceName": "quarantined_files", + "crowdstrike.event.UTCTimestamp": "2020-07-20T12:41:25.000Z", + "crowdstrike.event.UserId": "Crowdstrike", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-20T12:41:25.000Z", + "crowdstrike.metadata.eventType": "UserActivityAuditEvent", + "crowdstrike.metadata.offset": 70683, + "crowdstrike.metadata.version": "1.0", + "event.action": "user_activity_audit_event", + "event.category": [ + "iam" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 3219, + "message": "quarantined_file_update", + "related.user": "Crowdstrike", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ], + "user.name": "Crowdstrike" + }, + { + "crowdstrike.event.HostnameField": "TESTDEVICE01", + "crowdstrike.event.SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e", + "crowdstrike.event.StartTimestamp": "2020-07-17T17:14:53.000Z", + "crowdstrike.event.UserName": "first.last@company.com", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T17:14:53.000Z", + "crowdstrike.metadata.eventType": "RemoteResponseSessionStartEvent", + "crowdstrike.metadata.offset": 57217, + "crowdstrike.metadata.version": "1.0", + "event.action": "remote_response_session_start_event", + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "start" + ], + "fileset.name": "falcon", + "host.name": "TESTDEVICE01", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 4017, + "message": "Remote response session started", + "related.user": "first.last@company.com", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ], + "user.email": "first.last@company.com", + "user.name": "first.last@company.com" + }, + { + "crowdstrike.event.Commands": [ + "cd \\Program Files (x86)\\Symantec", + "ls .", + "cd \\Program Files (x86)", + "ls .", + "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default", + "reg set HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default GroupingTags -ValueType=```REG_SZ``` -Value=```Protect```", + "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default", + "restart", + "restart -Confirm" + ], + "crowdstrike.event.EndTimestamp": "2020-07-17T17:28:19.000Z", + "crowdstrike.event.HostnameField": "TESTDEVICE01", + "crowdstrike.event.SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e", + "crowdstrike.event.UserName": "first.last@company.com", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T17:28:19.000Z", + "crowdstrike.metadata.eventType": "RemoteResponseSessionEndEvent", + "crowdstrike.metadata.offset": 57269, + "crowdstrike.metadata.version": "1.0", + "event.action": "remote_response_session_end_event", + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "end" + ], + "fileset.name": "falcon", + "host.name": "TESTDEVICE01", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 4466, + "message": "Remote response session ended", + "related.user": "first.last@company.com", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ], + "user.email": "first.last@company.com", + "user.name": "first.last@company.com" + }, + { + "crowdstrike.event.CommandLine": "\"C:\\ProgramData\\file\\path\\filename.exe\" ", + "crowdstrike.event.ComputerName": "TESTDEVICE01", + "crowdstrike.event.DetectDescription": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", + "crowdstrike.event.DetectId": "ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719", + "crowdstrike.event.DetectName": "NGAV", + "crowdstrike.event.ExecutablesWritten": [ + { + "FileName": "NEURO_200_J1939Configuration.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder", + "Timestamp": 1595002290 + }, + { + "FileName": "NEURO_200_J1939Configuration.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder", + "Timestamp": 1595002290 + }, + { + "FileName": "NEURO_200_J1939CanPackMessage.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder", + "Timestamp": 1595002290 + }, + { + "FileName": "NEURO_200_J1939CanPackMessage.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder", + "Timestamp": 1595002290 + } + ], + "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.event.FileName": "filename.exe", + "crowdstrike.event.FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path", + "crowdstrike.event.GrandparentCommandLine": "C:\\Windows\\system32\\userinit.exe", + "crowdstrike.event.GrandparentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\userinit.exe", + "crowdstrike.event.IOCType": "hash_sha256", + "crowdstrike.event.IOCValue": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "crowdstrike.event.LocalIP": "10.1.190.117", + "crowdstrike.event.MACAddress": "54-ad-d4-d2-a8-0b", + "crowdstrike.event.MD5String": "0ab1235adca04aef6239f5496ef0a5df", + "crowdstrike.event.MachineDomain": "NA", + "crowdstrike.event.Objective": "Falcon Detection Method", + "crowdstrike.event.ParentCommandLine": "C:\\Windows\\Explorer.EXE", + "crowdstrike.event.ParentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "crowdstrike.event.ParentProcessId": 627311656469, + "crowdstrike.event.PatternDispositionDescription": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "crowdstrike.event.PatternDispositionFlags.BootupSafeguardEnabled": false, + "crowdstrike.event.PatternDispositionFlags.CriticalProcessDisabled": false, + "crowdstrike.event.PatternDispositionFlags.Detect": false, + "crowdstrike.event.PatternDispositionFlags.FsOperationBlocked": false, + "crowdstrike.event.PatternDispositionFlags.InddetMask": false, + "crowdstrike.event.PatternDispositionFlags.Indicator": false, + "crowdstrike.event.PatternDispositionFlags.KillParent": false, + "crowdstrike.event.PatternDispositionFlags.KillProcess": false, + "crowdstrike.event.PatternDispositionFlags.KillSubProcess": false, + "crowdstrike.event.PatternDispositionFlags.OperationBlocked": false, + "crowdstrike.event.PatternDispositionFlags.PolicyDisabled": true, + "crowdstrike.event.PatternDispositionFlags.ProcessBlocked": true, + "crowdstrike.event.PatternDispositionFlags.QuarantineFile": false, + "crowdstrike.event.PatternDispositionFlags.QuarantineMachine": false, + "crowdstrike.event.PatternDispositionFlags.RegistryOperationBlocked": false, + "crowdstrike.event.PatternDispositionFlags.Rooting": false, + "crowdstrike.event.PatternDispositionFlags.SensorOnly": false, + "crowdstrike.event.PatternDispositionValue": 2304, + "crowdstrike.event.ProcessEndTime": "2020-07-17T16:11:30.000Z", + "crowdstrike.event.ProcessId": 663790158277, + "crowdstrike.event.ProcessStartTime": "2020-07-17T16:11:30.000Z", + "crowdstrike.event.SHA1String": "0000000000000000000000000000000000000000", + "crowdstrike.event.SHA256String": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "crowdstrike.event.SensorId": "1abcd2345b8c4151a0cb45dcfbe6d3d0", + "crowdstrike.event.Severity": 2, + "crowdstrike.event.SeverityName": "Low", + "crowdstrike.event.Tactic": "Machine Learning", + "crowdstrike.event.Technique": "Sensor-based ML", + "crowdstrike.event.UserName": "First.last", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T16:11:31.000Z", + "crowdstrike.metadata.eventType": "DetectionSummaryEvent", + "crowdstrike.metadata.offset": 57047, + "crowdstrike.metadata.version": "1.0", + "event.action": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "event.category": [ + "malware" + ], + "event.dataset": "crowdstrike.falcon_endpoint", + "event.kind": "alert", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.severity": 2, + "event.type": [ + "info" + ], + "event.url": "https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p", + "file.hash.md5": "0ab1235adca04aef6239f5496ef0a5df", + "file.hash.sha1": "0000000000000000000000000000000000000000", + "file.hash.sha256": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "fileset.name": "falcon", + "host.name": "TESTDEVICE01", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 5646, + "message": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", + "process.args": [ + "\"C:\\ProgramData\\file\\path\\filename.exe\"" + ], + "process.command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\" ", + "process.executable": "\"C:\\ProgramData\\file\\path\\filename.exe\"", + "process.name": "filename.exe", + "process.parent.command_line": "C:\\Windows\\Explorer.EXE", + "process.parent.executable": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "process.pid": 663790158277, + "related.ip": "10.1.190.117", + "rule.description": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", + "rule.name": "NGAV", + "service.type": "crowdstrike", + "source.ip": "10.1.190.117", + "tags": [ + "forwarded" + ], + "threat.tactic.name": "machine learning", + "threat.technique.name": "sensor-based ml", + "user.domain": "NA", + "user.name": "First.last" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/crowdstrike/fields.go b/x-pack/filebeat/module/crowdstrike/fields.go index e4a1224d75e..11622ad9ea7 100644 --- a/x-pack/filebeat/module/crowdstrike/fields.go +++ b/x-pack/filebeat/module/crowdstrike/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCrowdstrike returns asset data. // This is the base64 encoded gzipped contents of module/crowdstrike. func AssetCrowdstrike() string { - return "eJy8mc1u4zYQx+95isGeuzkU2B58KGDYDtZoshvETtvbYkyNLTYSqZIje/32BUlJUWw5lmymOQWm+OdPw/kgR5/hhfYjEEbvEstGvtANAEvOaASfJq+/froBMJQRWhrBihhvABKywsiCpVYj+P0GAOBBJ2VGsNYGhM4yEizVBlo6QFtSbG9vANaSssSO/LzPoDCnQw73x/uCRrAxuiyqXzqWdX93Xs4v3V7vDjOhVVgWUCWAGRmGBBlvq7ltkDZMTozuuWagscxDNVJNbT1wAs7bhhihNcujEoq0guMUGaQSWZmQf22PyzIny5gXt22MI6OEtddYZvzDy49gjZml1vDha7Zf1RMs9wW9Ga0XeqH9TpvkYOydV3V/U2K3/VotyjxHs5+5JX6BuRIyIcVvf32iXDM9kS20srQga91ERsPvPTBTSTU8LjkdC5Zbyftxmch6mjbwbMkcDzW4p80xMYSOfynzbrMkyIcDZ2yyTMlvKHAqbbXtWojSGEpAK+CUgFRSaKmcK8DzcgLP3+Z//3hYOG/JkW/fB9frtSXupJWKaUNmGPB3rweqzFdkgoeyQfFiPWqmhbcQ6HVA9y8kFVg2hPktLN1rSgulpQRYg995ud5DqeS/JUFS+0grLbzzdqK0rHMy8+mCjVSbeM46qZRrQtkyVCfKlozzwHgEC5FSjke6R0mJ3nhvk5G8Uw9KR2HGO/moSZaxMk+3JR+NFmStD/bIoVYEabBOOwTeJUFVEc5U8kF8TCaXKoTStZTzQ7+7IvorSZhPXe1HDkHsIr0J3HNQaEjxR6B54caClxNOdF6UTOYbntjai6LZqdVZUVQrwC4lQ2/hmux/htIVsbiETtGLA1qrhfS220lOB1kvFPmPs90wjumrcMxzTDM8lGpBWzKS9/HcvlYEK7QZbKV6dtz9OmBi+nkuVd3JjOIyOMXgzZVJWk5d5whX3oZYy2k+IqfxKJ1ac1b6SaJkXGXXBeBE5zmq5F6qiNacvbIVDtlTibASZFIRoNmUeY8T2+Lr+Ncvv8U+rQVVsGV+uTW7eR+mX2LDPky/XEfaDYoilYqmOkcZM9l5vSZU8rDKVaThAv5VW76X6iViAXu6d7V+K2l3UFOlqhY9mw6V1ebEqeQypnCtmU87LVa1IqxftldB+//Y+u7mvRaYzR/jYc0fAZPEuARdRUiqLV8XG+PJOEhGjOLxJDrnEgVLEZFxvnyaAXtVEMi00WY/9IywJJF6T4nOVQtfjPZ99Y97bhsTjTjViQPpf6NhJqOm0hbaSjfhQ06d45DKGF9IwWrfL6Eds/2J2YmdvOj4eTqHYIt3MOVdhpvuWNV+yweeBZ0aSJVIgb79HNhsL7gFH9/kr9jGv1LilEIxlVXn050GcjR7kBZ0Qco3WrTaaMeqDYhM27MXwqaNGrltsnhtldSHgIa71ZXo15KoIeN2TmZVVzwC4J1UtHC3lk60daZxoO95MQ9WQ/W42Mes8rMcZfZaqQyU7p5/ouj7Pl8fwOJD6n0XksM9VwYKMr5XFvcKGfqhtlw5jbMnR7OVIvIdthLtMEv9reAcVSnEqUPPSuuM8LBAndurkEO1cQVyV6UybUBpbn/B2KEFG9Zel9k5f1pOlvUnrUgJodF7x3TDc4P/VvQH7X0J7TaqIss0uFPhe+3+U8qODIFIUW0ocYD9dzp8/4qZOCpJlyqqY5nxn9zAVN/cwIYnzqC5i577z79nPDwn+6bBU19N6yJQ0faDbKpmTDfsKJ1voYb7YFU4Y1IeVc8ejP8FAAD//637dzY=" + return "eJy8m19v47gRwN/zKQZ3r72gXWCvRR4KGHayazTJBrG317cDQ40tNhSpI0f2+dsfSEqKbMuWZFObpyCShj8OyfnL/ALvuLsDbvQ2sWTEO94AkCCJd/DT9OOvP90AGJTILN7BGxK7AUjQciNyElrdwb9vAACedFJIhJU2wLWUyEmoNTTkAG5Qkb29AVgJlIm989/9AopleMjhfmiX4x2sjS7y8i8tw7qfBy/OD90c74FJrlUYFphKgEk0BAkjdlt+2wRpwmRIzL1XP6g181Q+KT9tvHACzusGiUHjK4+KjKclHKWMQCguiwT9tD0uiQwtsSy/bWIcKSWMvWKFpN+9+DtYMWmx8fhwms2peoLlLse9p9VA77jbapMcPDszVfczQ3LLr9WiyDJmdvduiL/BgzC4ZVI+MeJp+be54iJBRftvvmKmCV/R5lpZXKC1ThgxQ+deuFdJ+XhSUDrhJDaCdpMiEdVn2sB3i+b4UT2F0yqaGmRuTkuRtasqYXT4oENPyxT9IgOlwpZbQXNeGIMJaAWUIqBKci2U2x7wfTmF78/z//3+tHA7KGN0ex5cr1YWqZVWKMI1mmHA37w8UEX2hibsWjKMv1uPKjX3GgK9Cuh+QkKBJYMsu4Wlm6awUFhMgDT4lRerHRRK/FEgJNW+aZiKM7PjhSWdoZnPFmSEWsfbwNNSckUoGopqRdmgcTswHsGCp5ixI7lHhgr3dm9tpfymHmSiwhdnbFRtQEe1Ri9Gc7TWn/XIJy0PosE62eHcXXKmSsJ7lYzER2gyocJJupZyfrjtrjj8pUiYz1w4wCicYXfQ63PbBcUMKhoDzQuuNXg54VRneUFontmJpb3oMDtplVHk5QiwTdHgPlxt/DsonQ+LS+gkeuHArNVceN1tBaWDtBf8/ni6G8Yx+xAcM7SpHw+lWuAGjaBdvG1fSQTLtRmsperruOt1wET4Z5epehAS4zI4iWE3lyppbOrKRjjvNkRbTuYLozQepZNWh0p/Ii+IvcnrDuBUZxlTyaNQEbV5/8GWO2RPxcNIIIVCYGZdZD0CtsXXyT9ih2pOJtgii6zJxdfJp8+/jgD76fOvI+A+zT7HZn2afR4DlPFUKJzpjImYZtnLqw91Fka5ijRUD75qS49CvUd0ta+PLirZCNweeH+hykE7Dbey2pyIny5jCvnXfNaqsbKOYv2wvVzvj2Pru5qPmjM5f4mHNX8BliTGuZLyhKTa0nVnYzKdBJERT/FkGp1zyTgJHpFxvny9B/JSgTPCtTa7odHMEnnqd0p0rkrwxWjf3v7v3tvERENKdeJA+udeRGjUTNhcW+E+GCU+ngRTRuwdFbzt+hm0Y7b/MnliJS8KlE/bENbgHUz5INm6/axqv+QDo1YnDYRKBGe+dh7YbC+4BR3XHK5Yxt9SpBSDMxVlidZFAxkzOxAWdI7KV4S0WmvHqg1wqW1n6lrXeyMXeBYfRZ0qCKi5G/WTfsWTCjJujee+LOlHAHwQChcuv2pFW0nNBu49L8yDVVA9ShAxvfx9xoT88FQGCovmlNP3Bck+gPko/r4NyeF2uYEcja/qxU12Q+HWFm9ORmfkaDaCR862S6EtaqmaGl1UBeengp43rSWyQwfVtVbBhmrjHOS2NGXagNLUbLVsmQUbxl4Vsms/LafLqh8XySDU8s6obrht8E2t/+DOu9B2pSq0hINrKr4p4Hs+WzQIPGVqjYkD7L3SH6UE+5sRRNgeeVzCFxIPTBqJqoVtGMTlW4mw7y4gYVUFqPOo+J5iTBtXinRWrYwgjW9jgin7mGDDGx1oLid1v/kliYfnxO5VzaosuvJXJW0/yNrBxzwxLV5+H2r4cSl9fEzKI0d/LeMjIzRMPukNZvvtvg9MqY+KPx2YpVTISrGhLzckCAhtl3nG1hi/iOvLo2X7Jt/r7/SiGqUUetBnuqgI+sUwleQ/SnPrj9F6qq/BN4oOvxwTXabI+bdp3Gsr/u7QItwd8pdwwlFoxBJcZ7nRmbBdgdb82/R0Cns13MaJvoDu55YrOK341f2HmN6v5U5FZy3RxZUxGYJE0Aq2qeCNZKJv53WebyKeU6NJcy39SiqkrTbvYPCPAm2X5Z1qpULZZyZM+CWiliqRe2C8HrLLo8a/UNbc/LnRG5G4QC9cnevOelxgE9fCHoVKUnPnSUPA1LWHpk8vU51ExHl9mH7657/+7iWDEx1ceQ+OuMu0x7H0FrQPxzhecIwm8Mt8Fin4mhzDiGQwj+9qnOsZiMOYdlBXY8iu9igv2sSKTp2ooQzhVuh4+ijj+CEwI2hkGEUhcRLZP1RBBJhCYlml7oExSr9hn6Xxcg+gB5YJuTtxpCPQrLx8EF0G0LF8MbrIYxvAJoy/o+kH7EEzJkhPhJhh3z5A53r44Hiqi2iZ9nO4L61XsNojydxA2JXnfOAshOL4yCy9Yh7PrnTQgXWjhiiHWQLjx+7qxkYuqeyvIBmxXqPB1n+ROMh4njWByzcMyh3YwiCwN11Q6WbrQevu+EpLqbdCrY9vTzf6L5Kt7a2vtLZO8KKqdTPIZU40rCRbd3WCPMmjbr/4czWH1Ov+FE9aCdKHrdlIJFkQ3oemyqtGzj/ycpgOmueQP70YvRJypJyoytHyMEiXfrQUPPK1zz0Nefl9DH0giemBWzg67f2CGBUR79w0GayX3WUtDeJYSiCDZ1zez+f/k6qVtqwKxlRYKRFM4avj7KjV8FcAAAD//42ko/I=" } diff --git a/x-pack/filebeat/module/cyberark/README.md b/x-pack/filebeat/module/cyberark/README.md new file mode 100644 index 00000000000..80bba69debc --- /dev/null +++ b/x-pack/filebeat/module/cyberark/README.md @@ -0,0 +1,7 @@ +# cyberark module + +This is a module for Cyber-Ark logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML cyberark version 124 +at 2020-09-01 14:17:46.365057 +0000 UTC. + diff --git a/x-pack/filebeat/module/rapid7/_meta/config.yml b/x-pack/filebeat/module/cyberark/_meta/config.yml similarity index 88% rename from x-pack/filebeat/module/rapid7/_meta/config.yml rename to x-pack/filebeat/module/cyberark/_meta/config.yml index 1e9d383ffe5..fa8edd7046a 100644 --- a/x-pack/filebeat/module/rapid7/_meta/config.yml +++ b/x-pack/filebeat/module/cyberark/_meta/config.yml @@ -1,11 +1,11 @@ -- module: rapid7 - nexpose: +- module: cyberark + corepas: enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp # var.syslog_host: localhost - # var.syslog_port: 9517 + # var.syslog_port: 9527 # Set paths for the log files when file input is used. # var.paths: diff --git a/x-pack/filebeat/module/rapid7/_meta/docs.asciidoc b/x-pack/filebeat/module/cyberark/_meta/docs.asciidoc similarity index 76% rename from x-pack/filebeat/module/rapid7/_meta/docs.asciidoc rename to x-pack/filebeat/module/cyberark/_meta/docs.asciidoc index c17f8e05826..d4beae518e8 100644 --- a/x-pack/filebeat/module/rapid7/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cyberark/_meta/docs.asciidoc @@ -1,28 +1,28 @@ [role="xpack"] -:modulename: rapid7 +:modulename: cyberark :has-dashboards: false -== Rapid7 module +== Cyberark module experimental[] -This is a module for receiving Rapid7 NeXpose logs over Syslog or a file. +This is a module for receiving Cyber-Ark logs over Syslog or a file. include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] -:fileset_ex: nexpose +:fileset_ex: corepas include::../include/config-option-intro.asciidoc[] [float] -==== `nexpose` fileset settings +==== `corepas` fileset settings experimental[] -NOTE: This was converted from RSA NetWitness log parser XML "nexpose" device revision 134. +NOTE: This was converted from RSA NetWitness log parser XML "cyberark" device revision 124. *`var.input`*:: @@ -36,7 +36,7 @@ Set to `0.0.0.0` to bind to all available interfaces. *`var.syslog_port`*:: -The port to listen for syslog traffic. Defaults to `9517` +The port to listen for syslog traffic. Defaults to `9527` NOTE: Ports below 1024 require Filebeat to run as root. @@ -51,7 +51,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/cyberark/_meta/fields.yml b/x-pack/filebeat/module/cyberark/_meta/fields.yml new file mode 100644 index 00000000000..ab0db4113c7 --- /dev/null +++ b/x-pack/filebeat/module/cyberark/_meta/fields.yml @@ -0,0 +1,5 @@ +- key: cyberark + title: Cyber-Ark + description: > + cyberark fields. + fields: diff --git a/x-pack/filebeat/module/rapid7/nexpose/_meta/fields.yml b/x-pack/filebeat/module/cyberark/corepas/_meta/fields.yml similarity index 100% rename from x-pack/filebeat/module/rapid7/nexpose/_meta/fields.yml rename to x-pack/filebeat/module/cyberark/corepas/_meta/fields.yml diff --git a/x-pack/filebeat/module/cyberark/corepas/config/input.yml b/x-pack/filebeat/module/cyberark/corepas/config/input.yml new file mode 100644 index 00000000000..4b34d80711b --- /dev/null +++ b/x-pack/filebeat/module/cyberark/corepas/config/input.yml @@ -0,0 +1,45 @@ +{{ if eq .input "file" }} + +type: log +paths: + {{ range $i, $path := .paths }} +- {{$path}} + {{ end }} +exclude_files: [".gz$"] + +{{ else }} + +type: {{.input}} +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +fields_under_root: true +fields: + observer: + vendor: "Cyberark" + product: "Core" + type: "Access" + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{.rsa_fields}} + tz_offset: {{.tz_offset}} + keep_raw: {{.keep_raw_fields}} + debug: {{.debug}} + files: + - ${path.home}/module/cyberark/corepas/config/liblogparser.js + - ${path.home}/module/cyberark/corepas/config/pipeline.js +{{ if .community_id }} +- community_id: ~ +{{ end }} +- add_fields: + target: '' + fields: + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js b/x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js similarity index 95% rename from x-pack/filebeat/module/kaspersky/av/config/liblogparser.js rename to x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js index c8cf5e2ee06..6cdb48abb26 100644 --- a/x-pack/filebeat/module/kaspersky/av/config/liblogparser.js +++ b/x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -1975,6 +2049,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2417,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/cyberark/corepas/config/pipeline.js b/x-pack/filebeat/module/cyberark/corepas/config/pipeline.js new file mode 100644 index 00000000000..02a511984c0 --- /dev/null +++ b/x-pack/filebeat/module/cyberark/corepas/config/pipeline.js @@ -0,0 +1,6527 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. +var tvm = { + pair_separator: ";", + kv_separator: "=", + open_quote: "\"", + close_quote: "\"", +}; + +function DeviceProcessor() { + var builder = new processor.Chain(); + builder.Add(save_flags); + builder.Add(strip_syslog_priority); + builder.Add(chain1); + builder.Add(populate_fields); + builder.Add(restore_flags); + var chain = builder.Build(); + return { + process: chain.Run, + } +} + +var dup1 = setc("eventcategory","1501040000"); + +var dup2 = setf("msg","$MSG"); + +var dup3 = setf("id","messageid"); + +var dup4 = setc("eventcategory","1605020000"); + +var dup5 = setc("eventcategory","1401030000"); + +var dup6 = setc("ec_subject","User"); + +var dup7 = setc("ec_activity","Logon"); + +var dup8 = setc("ec_theme","Authentication"); + +var dup9 = setc("ec_outcome","Failure"); + +var dup10 = setc("eventcategory","1401060000"); + +var dup11 = setc("ec_outcome","Success"); + +var dup12 = setc("eventcategory","1401070000"); + +var dup13 = setc("ec_activity","Logoff"); + +var dup14 = setc("ec_theme","Policy"); + +var dup15 = setc("eventcategory","1803000000"); + +var dup16 = setc("ec_subject","NetworkComm"); + +var dup17 = setc("ec_theme","Communication"); + +var dup18 = setc("ec_theme","AccessControl"); + +var dup19 = setc("eventcategory","1801000000"); + +var dup20 = setc("eventcategory","1801020000"); + +var dup21 = setc("eventcategory","1609000000"); + +var dup22 = setc("eventcategory","1603050000"); + +var dup23 = setc("eventcategory","1612010000"); + +var dup24 = date_time({ + dest: "event_time", + args: ["hdatetime"], + fmts: [ + [dW,dc("-"),dM,dc("-"),dD,dc("T"),dZ,dc("Z")], + ], +}); + +var dup25 = date_time({ + dest: "event_time", + args: ["hmonth","hday","htime"], + fmts: [ + [dB,dD,dZ], + ], +}); + +var dup26 = setc("eventcategory","1612000000"); + +var dup27 = setc("eventcategory","1303000000"); + +var dup28 = setc("ec_outcome","Error"); + +var dup29 = setc("ec_activity","Disable"); + +var dup30 = setc("eventcategory","1401050200"); + +var dup31 = // "Pattern{Constant('Version='), Field(p0,false)}" +match("MESSAGE#568:300:02/0", "nwparser.payload", "Version=%{p0}"); + +var dup32 = // "Pattern{Constant('"'), Field(version,false), Constant('";Message='), Field(p0,false)}" +match("MESSAGE#568:300:02/1_0", "nwparser.p0", "\"%{version}\";Message=%{p0}"); + +var dup33 = // "Pattern{Field(version,false), Constant(';Message='), Field(p0,false)}" +match("MESSAGE#568:300:02/1_1", "nwparser.p0", "%{version};Message=%{p0}"); + +var dup34 = // "Pattern{Constant('"'), Field(action,false), Constant('";Issuer='), Field(p0,false)}" +match("MESSAGE#568:300:02/2_0", "nwparser.p0", "\"%{action}\";Issuer=%{p0}"); + +var dup35 = // "Pattern{Field(action,false), Constant(';Issuer='), Field(p0,false)}" +match("MESSAGE#568:300:02/2_1", "nwparser.p0", "%{action};Issuer=%{p0}"); + +var dup36 = // "Pattern{Constant('"'), Field(username,false), Constant('";Station='), Field(p0,false)}" +match("MESSAGE#568:300:02/3_0", "nwparser.p0", "\"%{username}\";Station=%{p0}"); + +var dup37 = // "Pattern{Field(username,false), Constant(';Station='), Field(p0,false)}" +match("MESSAGE#568:300:02/3_1", "nwparser.p0", "%{username};Station=%{p0}"); + +var dup38 = // "Pattern{Constant('"'), Field(hostip,false), Constant('";File='), Field(p0,false)}" +match("MESSAGE#568:300:02/4_0", "nwparser.p0", "\"%{hostip}\";File=%{p0}"); + +var dup39 = // "Pattern{Field(hostip,false), Constant(';File='), Field(p0,false)}" +match("MESSAGE#568:300:02/4_1", "nwparser.p0", "%{hostip};File=%{p0}"); + +var dup40 = // "Pattern{Constant('"'), Field(filename,false), Constant('";Safe='), Field(p0,false)}" +match("MESSAGE#568:300:02/5_0", "nwparser.p0", "\"%{filename}\";Safe=%{p0}"); + +var dup41 = // "Pattern{Field(filename,false), Constant(';Safe='), Field(p0,false)}" +match("MESSAGE#568:300:02/5_1", "nwparser.p0", "%{filename};Safe=%{p0}"); + +var dup42 = // "Pattern{Constant('"'), Field(group_object,false), Constant('";Location='), Field(p0,false)}" +match("MESSAGE#568:300:02/6_0", "nwparser.p0", "\"%{group_object}\";Location=%{p0}"); + +var dup43 = // "Pattern{Field(group_object,false), Constant(';Location='), Field(p0,false)}" +match("MESSAGE#568:300:02/6_1", "nwparser.p0", "%{group_object};Location=%{p0}"); + +var dup44 = // "Pattern{Constant('"'), Field(directory,false), Constant('";Category='), Field(p0,false)}" +match("MESSAGE#568:300:02/7_0", "nwparser.p0", "\"%{directory}\";Category=%{p0}"); + +var dup45 = // "Pattern{Field(directory,false), Constant(';Category='), Field(p0,false)}" +match("MESSAGE#568:300:02/7_1", "nwparser.p0", "%{directory};Category=%{p0}"); + +var dup46 = // "Pattern{Constant('"'), Field(category,false), Constant('";RequestId='), Field(p0,false)}" +match("MESSAGE#568:300:02/8_0", "nwparser.p0", "\"%{category}\";RequestId=%{p0}"); + +var dup47 = // "Pattern{Field(category,false), Constant(';RequestId='), Field(p0,false)}" +match("MESSAGE#568:300:02/8_1", "nwparser.p0", "%{category};RequestId=%{p0}"); + +var dup48 = // "Pattern{Constant('"'), Field(id1,false), Constant('";Reason='), Field(p0,false)}" +match("MESSAGE#568:300:02/9_0", "nwparser.p0", "\"%{id1}\";Reason=%{p0}"); + +var dup49 = // "Pattern{Field(id1,false), Constant(';Reason='), Field(p0,false)}" +match("MESSAGE#568:300:02/9_1", "nwparser.p0", "%{id1};Reason=%{p0}"); + +var dup50 = // "Pattern{Constant('"'), Field(event_description,false), Constant('";Severity='), Field(p0,false)}" +match("MESSAGE#568:300:02/10_0", "nwparser.p0", "\"%{event_description}\";Severity=%{p0}"); + +var dup51 = // "Pattern{Field(event_description,false), Constant(';Severity='), Field(p0,false)}" +match("MESSAGE#568:300:02/10_1", "nwparser.p0", "%{event_description};Severity=%{p0}"); + +var dup52 = // "Pattern{Constant('"'), Field(severity,false), Constant('";SourceUser='), Field(p0,false)}" +match("MESSAGE#568:300:02/11_0", "nwparser.p0", "\"%{severity}\";SourceUser=%{p0}"); + +var dup53 = // "Pattern{Field(severity,false), Constant(';SourceUser='), Field(p0,false)}" +match("MESSAGE#568:300:02/11_1", "nwparser.p0", "%{severity};SourceUser=%{p0}"); + +var dup54 = // "Pattern{Constant('"'), Field(group,false), Constant('";TargetUser='), Field(p0,false)}" +match("MESSAGE#568:300:02/12_0", "nwparser.p0", "\"%{group}\";TargetUser=%{p0}"); + +var dup55 = // "Pattern{Field(group,false), Constant(';TargetUser='), Field(p0,false)}" +match("MESSAGE#568:300:02/12_1", "nwparser.p0", "%{group};TargetUser=%{p0}"); + +var dup56 = // "Pattern{Constant('"'), Field(uid,false), Constant('";GatewayStation='), Field(p0,false)}" +match("MESSAGE#568:300:02/13_0", "nwparser.p0", "\"%{uid}\";GatewayStation=%{p0}"); + +var dup57 = // "Pattern{Field(uid,false), Constant(';GatewayStation='), Field(p0,false)}" +match("MESSAGE#568:300:02/13_1", "nwparser.p0", "%{uid};GatewayStation=%{p0}"); + +var dup58 = // "Pattern{Constant('"'), Field(saddr,false), Constant('";TicketID='), Field(p0,false)}" +match("MESSAGE#568:300:02/14_0", "nwparser.p0", "\"%{saddr}\";TicketID=%{p0}"); + +var dup59 = // "Pattern{Field(saddr,false), Constant(';TicketID='), Field(p0,false)}" +match("MESSAGE#568:300:02/14_1", "nwparser.p0", "%{saddr};TicketID=%{p0}"); + +var dup60 = // "Pattern{Constant('"'), Field(operation_id,false), Constant('";PolicyID='), Field(p0,false)}" +match("MESSAGE#568:300:02/15_0", "nwparser.p0", "\"%{operation_id}\";PolicyID=%{p0}"); + +var dup61 = // "Pattern{Field(operation_id,false), Constant(';PolicyID='), Field(p0,false)}" +match("MESSAGE#568:300:02/15_1", "nwparser.p0", "%{operation_id};PolicyID=%{p0}"); + +var dup62 = // "Pattern{Constant('"'), Field(policyname,false), Constant('";UserName='), Field(p0,false)}" +match("MESSAGE#568:300:02/16_0", "nwparser.p0", "\"%{policyname}\";UserName=%{p0}"); + +var dup63 = // "Pattern{Field(policyname,false), Constant(';UserName='), Field(p0,false)}" +match("MESSAGE#568:300:02/16_1", "nwparser.p0", "%{policyname};UserName=%{p0}"); + +var dup64 = // "Pattern{Constant('"'), Field(fld11,false), Constant('";LogonDomain='), Field(p0,false)}" +match("MESSAGE#568:300:02/17_0", "nwparser.p0", "\"%{fld11}\";LogonDomain=%{p0}"); + +var dup65 = // "Pattern{Field(fld11,false), Constant(';LogonDomain='), Field(p0,false)}" +match("MESSAGE#568:300:02/17_1", "nwparser.p0", "%{fld11};LogonDomain=%{p0}"); + +var dup66 = // "Pattern{Constant('"'), Field(domain,false), Constant('";Address='), Field(p0,false)}" +match("MESSAGE#568:300:02/18_0", "nwparser.p0", "\"%{domain}\";Address=%{p0}"); + +var dup67 = // "Pattern{Field(domain,false), Constant(';Address='), Field(p0,false)}" +match("MESSAGE#568:300:02/18_1", "nwparser.p0", "%{domain};Address=%{p0}"); + +var dup68 = // "Pattern{Constant('"'), Field(fld14,false), Constant('";CPMStatus='), Field(p0,false)}" +match("MESSAGE#568:300:02/19_0", "nwparser.p0", "\"%{fld14}\";CPMStatus=%{p0}"); + +var dup69 = // "Pattern{Field(fld14,false), Constant(';CPMStatus='), Field(p0,false)}" +match("MESSAGE#568:300:02/19_1", "nwparser.p0", "%{fld14};CPMStatus=%{p0}"); + +var dup70 = // "Pattern{Constant('"'), Field(disposition,false), Constant('";Port='), Field(p0,false)}" +match("MESSAGE#568:300:02/20_0", "nwparser.p0", "\"%{disposition}\";Port=%{p0}"); + +var dup71 = // "Pattern{Field(disposition,false), Constant(';Port='), Field(p0,false)}" +match("MESSAGE#568:300:02/20_1", "nwparser.p0", "%{disposition};Port=%{p0}"); + +var dup72 = // "Pattern{Constant('"'), Field(dport,false), Constant('";Database='), Field(p0,false)}" +match("MESSAGE#568:300:02/21_0", "nwparser.p0", "\"%{dport}\";Database=%{p0}"); + +var dup73 = // "Pattern{Field(dport,false), Constant(';Database='), Field(p0,false)}" +match("MESSAGE#568:300:02/21_1", "nwparser.p0", "%{dport};Database=%{p0}"); + +var dup74 = // "Pattern{Constant('"'), Field(db_name,false), Constant('";DeviceType='), Field(p0,false)}" +match("MESSAGE#568:300:02/22_0", "nwparser.p0", "\"%{db_name}\";DeviceType=%{p0}"); + +var dup75 = // "Pattern{Field(db_name,false), Constant(';DeviceType='), Field(p0,false)}" +match("MESSAGE#568:300:02/22_1", "nwparser.p0", "%{db_name};DeviceType=%{p0}"); + +var dup76 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";ExtraDetails="ApplicationType='), Field(p0,false)}" +match("MESSAGE#568:300:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"ApplicationType=%{p0}"); + +var dup77 = // "Pattern{Field(obj_type,false), Constant(';ExtraDetails="ApplicationType='), Field(p0,false)}" +match("MESSAGE#568:300:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"ApplicationType=%{p0}"); + +var dup78 = setc("eventcategory","1502000000"); + +var dup79 = setc("eventcategory","1402040100"); + +var dup80 = setc("ec_activity","Modify"); + +var dup81 = setc("ec_theme","Password"); + +var dup82 = setc("eventcategory","1608000000"); + +var dup83 = setc("eventcategory","1501000000"); + +var dup84 = setc("eventcategory","1206000000"); + +var dup85 = // "Pattern{Constant('"'), Field(version,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/1_0", "nwparser.p0", "\"%{version}\";%{p0}"); + +var dup86 = // "Pattern{Field(version,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/1_1", "nwparser.p0", "%{version};%{p0}"); + +var dup87 = // "Pattern{Constant('Message='), Field(p0,false)}" +match("MESSAGE#621:411/2", "nwparser.p0", "Message=%{p0}"); + +var dup88 = // "Pattern{Constant('"'), Field(action,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/3_0", "nwparser.p0", "\"%{action}\";%{p0}"); + +var dup89 = // "Pattern{Field(action,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/3_1", "nwparser.p0", "%{action};%{p0}"); + +var dup90 = // "Pattern{Constant('Issuer='), Field(p0,false)}" +match("MESSAGE#621:411/4", "nwparser.p0", "Issuer=%{p0}"); + +var dup91 = // "Pattern{Constant('"'), Field(username,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/5_0", "nwparser.p0", "\"%{username}\";%{p0}"); + +var dup92 = // "Pattern{Field(username,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/5_1", "nwparser.p0", "%{username};%{p0}"); + +var dup93 = // "Pattern{Constant('Station='), Field(p0,false)}" +match("MESSAGE#621:411/6", "nwparser.p0", "Station=%{p0}"); + +var dup94 = // "Pattern{Constant('"'), Field(hostip,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/7_0", "nwparser.p0", "\"%{hostip}\";%{p0}"); + +var dup95 = // "Pattern{Field(hostip,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/7_1", "nwparser.p0", "%{hostip};%{p0}"); + +var dup96 = // "Pattern{Constant('File='), Field(p0,false)}" +match("MESSAGE#621:411/8", "nwparser.p0", "File=%{p0}"); + +var dup97 = // "Pattern{Constant('"'), Field(filename,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/9_0", "nwparser.p0", "\"%{filename}\";%{p0}"); + +var dup98 = // "Pattern{Field(filename,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/9_1", "nwparser.p0", "%{filename};%{p0}"); + +var dup99 = // "Pattern{Constant('Safe='), Field(p0,false)}" +match("MESSAGE#621:411/10", "nwparser.p0", "Safe=%{p0}"); + +var dup100 = // "Pattern{Constant('"'), Field(group_object,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/11_0", "nwparser.p0", "\"%{group_object}\";%{p0}"); + +var dup101 = // "Pattern{Field(group_object,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/11_1", "nwparser.p0", "%{group_object};%{p0}"); + +var dup102 = // "Pattern{Constant('Location='), Field(p0,false)}" +match("MESSAGE#621:411/12", "nwparser.p0", "Location=%{p0}"); + +var dup103 = // "Pattern{Constant('"'), Field(directory,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/13_0", "nwparser.p0", "\"%{directory}\";%{p0}"); + +var dup104 = // "Pattern{Field(directory,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/13_1", "nwparser.p0", "%{directory};%{p0}"); + +var dup105 = // "Pattern{Constant('Category='), Field(p0,false)}" +match("MESSAGE#621:411/14", "nwparser.p0", "Category=%{p0}"); + +var dup106 = // "Pattern{Constant('"'), Field(category,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/15_0", "nwparser.p0", "\"%{category}\";%{p0}"); + +var dup107 = // "Pattern{Field(category,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/15_1", "nwparser.p0", "%{category};%{p0}"); + +var dup108 = // "Pattern{Constant('RequestId='), Field(p0,false)}" +match("MESSAGE#621:411/16", "nwparser.p0", "RequestId=%{p0}"); + +var dup109 = // "Pattern{Constant('"'), Field(id1,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/17_0", "nwparser.p0", "\"%{id1}\";%{p0}"); + +var dup110 = // "Pattern{Field(id1,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/17_1", "nwparser.p0", "%{id1};%{p0}"); + +var dup111 = // "Pattern{Constant('Reason='), Field(p0,false)}" +match("MESSAGE#621:411/18", "nwparser.p0", "Reason=%{p0}"); + +var dup112 = // "Pattern{Constant('"'), Field(event_description,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/19_0", "nwparser.p0", "\"%{event_description}\";%{p0}"); + +var dup113 = // "Pattern{Field(event_description,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/19_1", "nwparser.p0", "%{event_description};%{p0}"); + +var dup114 = // "Pattern{Constant('Severity='), Field(p0,false)}" +match("MESSAGE#621:411/20", "nwparser.p0", "Severity=%{p0}"); + +var dup115 = // "Pattern{Constant('"'), Field(severity,false), Constant('";SourceUser="'), Field(group,false), Constant('";TargetUser="'), Field(uid,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/21_0", "nwparser.p0", "\"%{severity}\";SourceUser=\"%{group}\";TargetUser=\"%{uid}\";%{p0}"); + +var dup116 = // "Pattern{Field(severity,false), Constant(';SourceUser='), Field(group,false), Constant(';TargetUser='), Field(uid,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/21_1", "nwparser.p0", "%{severity};SourceUser=%{group};TargetUser=%{uid};%{p0}"); + +var dup117 = // "Pattern{Constant('"'), Field(severity,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/21_2", "nwparser.p0", "\"%{severity}\";%{p0}"); + +var dup118 = // "Pattern{Field(severity,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/21_3", "nwparser.p0", "%{severity};%{p0}"); + +var dup119 = // "Pattern{Constant('GatewayStation='), Field(p0,false)}" +match("MESSAGE#621:411/22", "nwparser.p0", "GatewayStation=%{p0}"); + +var dup120 = // "Pattern{Constant('"'), Field(saddr,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/23_0", "nwparser.p0", "\"%{saddr}\";%{p0}"); + +var dup121 = // "Pattern{Field(saddr,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/23_1", "nwparser.p0", "%{saddr};%{p0}"); + +var dup122 = // "Pattern{Constant('TicketID='), Field(p0,false)}" +match("MESSAGE#621:411/24", "nwparser.p0", "TicketID=%{p0}"); + +var dup123 = // "Pattern{Constant('"'), Field(operation_id,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/25_0", "nwparser.p0", "\"%{operation_id}\";%{p0}"); + +var dup124 = // "Pattern{Field(operation_id,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/25_1", "nwparser.p0", "%{operation_id};%{p0}"); + +var dup125 = // "Pattern{Constant('PolicyID='), Field(p0,false)}" +match("MESSAGE#621:411/26", "nwparser.p0", "PolicyID=%{p0}"); + +var dup126 = // "Pattern{Constant('"'), Field(policyname,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/27_0", "nwparser.p0", "\"%{policyname}\";%{p0}"); + +var dup127 = // "Pattern{Field(policyname,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/27_1", "nwparser.p0", "%{policyname};%{p0}"); + +var dup128 = // "Pattern{Constant('UserName='), Field(p0,false)}" +match("MESSAGE#621:411/28", "nwparser.p0", "UserName=%{p0}"); + +var dup129 = // "Pattern{Constant('"'), Field(c_username,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/29_0", "nwparser.p0", "\"%{c_username}\";%{p0}"); + +var dup130 = // "Pattern{Field(c_username,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/29_1", "nwparser.p0", "%{c_username};%{p0}"); + +var dup131 = // "Pattern{Constant('LogonDomain='), Field(p0,false)}" +match("MESSAGE#621:411/30", "nwparser.p0", "LogonDomain=%{p0}"); + +var dup132 = // "Pattern{Constant('"'), Field(domain,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/31_0", "nwparser.p0", "\"%{domain}\";%{p0}"); + +var dup133 = // "Pattern{Field(domain,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/31_1", "nwparser.p0", "%{domain};%{p0}"); + +var dup134 = // "Pattern{Constant('Address='), Field(p0,false)}" +match("MESSAGE#621:411/32", "nwparser.p0", "Address=%{p0}"); + +var dup135 = // "Pattern{Constant('"'), Field(dhost,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/33_0", "nwparser.p0", "\"%{dhost}\";%{p0}"); + +var dup136 = // "Pattern{Field(dhost,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/33_1", "nwparser.p0", "%{dhost};%{p0}"); + +var dup137 = // "Pattern{Constant('CPMStatus='), Field(p0,false)}" +match("MESSAGE#621:411/34", "nwparser.p0", "CPMStatus=%{p0}"); + +var dup138 = // "Pattern{Constant('"'), Field(disposition,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/35_0", "nwparser.p0", "\"%{disposition}\";%{p0}"); + +var dup139 = // "Pattern{Field(disposition,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/35_1", "nwparser.p0", "%{disposition};%{p0}"); + +var dup140 = // "Pattern{Constant('Port='), Field(p0,false)}" +match("MESSAGE#621:411/36", "nwparser.p0", "Port=%{p0}"); + +var dup141 = // "Pattern{Constant('"'), Field(dport,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/37_0", "nwparser.p0", "\"%{dport}\";%{p0}"); + +var dup142 = // "Pattern{Field(dport,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/37_1", "nwparser.p0", "%{dport};%{p0}"); + +var dup143 = // "Pattern{Constant('Database='), Field(p0,false)}" +match("MESSAGE#621:411/38", "nwparser.p0", "Database=%{p0}"); + +var dup144 = // "Pattern{Constant('"'), Field(db_name,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/39_0", "nwparser.p0", "\"%{db_name}\";%{p0}"); + +var dup145 = // "Pattern{Field(db_name,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/39_1", "nwparser.p0", "%{db_name};%{p0}"); + +var dup146 = // "Pattern{Constant('DeviceType='), Field(p0,false)}" +match("MESSAGE#621:411/40", "nwparser.p0", "DeviceType=%{p0}"); + +var dup147 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/41_0", "nwparser.p0", "\"%{obj_type}\";%{p0}"); + +var dup148 = // "Pattern{Field(obj_type,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/41_1", "nwparser.p0", "%{obj_type};%{p0}"); + +var dup149 = // "Pattern{Constant('ExtraDetails='), Field(p0,false)}" +match("MESSAGE#621:411/42", "nwparser.p0", "ExtraDetails=%{p0}"); + +var dup150 = // "Pattern{Field(info,false), Constant(';')}" +match("MESSAGE#621:411/43_1", "nwparser.p0", "%{info};"); + +var dup151 = tagval("MESSAGE#0:1:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup1, + dup2, + dup3, +])); + +var dup152 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#1:1", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup1, + dup2, +])); + +var dup153 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup4, + dup2, + dup3, +])); + +var dup154 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup4, + dup2, +])); + +var dup155 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, + dup3, +])); + +var dup156 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, +])); + +var dup157 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup15, + dup16, + dup17, + dup9, + dup2, + dup3, +])); + +var dup158 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup16, + dup17, + dup9, + dup2, +])); + +var dup159 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup19, + dup2, + dup3, +])); + +var dup160 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#27:16", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup19, + dup2, +])); + +var dup161 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup15, + dup2, + dup3, +])); + +var dup162 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup2, +])); + +var dup163 = tagval("MESSAGE#38:22:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup21, + dup2, + dup3, +])); + +var dup164 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup21, + dup2, +])); + +var dup165 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup23, + dup2, + dup3, +])); + +var dup166 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup23, + dup2, +])); + +var dup167 = tagval("MESSAGE#116:61:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup20, + dup2, + dup3, +])); + +var dup168 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#117:61", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup20, + dup2, +])); + +var dup169 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup26, + dup2, + dup3, +])); + +var dup170 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup26, + dup2, +])); + +var dup171 = tagval("MESSAGE#190:98:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup26, + dup2, + dup3, + dup24, + dup25, +])); + +var dup172 = linear_select([ + dup32, + dup33, +]); + +var dup173 = linear_select([ + dup34, + dup35, +]); + +var dup174 = linear_select([ + dup36, + dup37, +]); + +var dup175 = linear_select([ + dup38, + dup39, +]); + +var dup176 = linear_select([ + dup40, + dup41, +]); + +var dup177 = linear_select([ + dup42, + dup43, +]); + +var dup178 = linear_select([ + dup44, + dup45, +]); + +var dup179 = linear_select([ + dup46, + dup47, +]); + +var dup180 = linear_select([ + dup48, + dup49, +]); + +var dup181 = linear_select([ + dup50, + dup51, +]); + +var dup182 = linear_select([ + dup52, + dup53, +]); + +var dup183 = linear_select([ + dup54, + dup55, +]); + +var dup184 = linear_select([ + dup56, + dup57, +]); + +var dup185 = linear_select([ + dup58, + dup59, +]); + +var dup186 = linear_select([ + dup60, + dup61, +]); + +var dup187 = linear_select([ + dup62, + dup63, +]); + +var dup188 = linear_select([ + dup64, + dup65, +]); + +var dup189 = linear_select([ + dup66, + dup67, +]); + +var dup190 = linear_select([ + dup68, + dup69, +]); + +var dup191 = linear_select([ + dup70, + dup71, +]); + +var dup192 = linear_select([ + dup72, + dup73, +]); + +var dup193 = linear_select([ + dup74, + dup75, +]); + +var dup194 = linear_select([ + dup76, + dup77, +]); + +var dup195 = tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup79, + dup80, + dup81, + dup2, + dup3, +])); + +var dup196 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup79, + dup80, + dup81, + dup2, +])); + +var dup197 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup82, + dup2, + dup3, +])); + +var dup198 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup82, + dup2, +])); + +var dup199 = tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup83, + dup2, + dup3, +])); + +var dup200 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#600:357", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup83, + dup2, +])); + +var dup201 = // "Pattern{Constant('Version='), Field(version,false), Constant(';Message='), Field(action,false), Constant(';Issuer='), Field(username,false), Constant(';Station='), Field(hostip,false), Constant(';File='), Field(filename,false), Constant(';Safe='), Field(group_object,false), Constant(';Location='), Field(directory,false), Constant(';Category='), Field(category,false), Constant(';RequestId='), Field(id1,false), Constant(';Reason='), Field(event_description,false), Constant(';Severity='), Field(severity,false), Constant(';GatewayStation='), Field(saddr,false), Constant(';TicketID='), Field(operation_id,false), Constant(';PolicyID='), Field(policyname,false), Constant(';UserName='), Field(c_username,false), Constant(';LogonDomain='), Field(domain,false), Constant(';Address='), Field(dhost,false), Constant(';CPMStatus='), Field(disposition,false), Constant(';Port="'), Field(dport,false), Constant('";Database='), Field(db_name,false), Constant(';DeviceType='), Field(obj_type,false), Constant(';ExtraDetails='), Field(info,false), Constant(';')}" +match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%{filename};Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ + dup4, + dup2, + dup3, +])); + +var dup202 = linear_select([ + dup85, + dup86, +]); + +var dup203 = linear_select([ + dup88, + dup89, +]); + +var dup204 = linear_select([ + dup91, + dup92, +]); + +var dup205 = linear_select([ + dup94, + dup95, +]); + +var dup206 = linear_select([ + dup97, + dup98, +]); + +var dup207 = linear_select([ + dup100, + dup101, +]); + +var dup208 = linear_select([ + dup103, + dup104, +]); + +var dup209 = linear_select([ + dup106, + dup107, +]); + +var dup210 = linear_select([ + dup109, + dup110, +]); + +var dup211 = linear_select([ + dup112, + dup113, +]); + +var dup212 = linear_select([ + dup115, + dup116, + dup117, + dup118, +]); + +var dup213 = linear_select([ + dup120, + dup121, +]); + +var dup214 = linear_select([ + dup123, + dup124, +]); + +var dup215 = linear_select([ + dup126, + dup127, +]); + +var dup216 = linear_select([ + dup129, + dup130, +]); + +var dup217 = linear_select([ + dup132, + dup133, +]); + +var dup218 = linear_select([ + dup135, + dup136, +]); + +var dup219 = linear_select([ + dup138, + dup139, +]); + +var dup220 = linear_select([ + dup141, + dup142, +]); + +var dup221 = linear_select([ + dup144, + dup145, +]); + +var dup222 = linear_select([ + dup147, + dup148, +]); + +var hdr1 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hproduct,true), Constant(' ProductName="'), Field(hdevice,false), Constant('",ProductAccount="'), Field(hfld1,false), Constant('",ProductProcess="'), Field(process,false), Constant('",EventId="'), Field(messageid,false), Constant('", '), Field(p0,false)}" +match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld1}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdevice"), + constant("\",ProductAccount=\""), + field("hfld1"), + constant("\",ProductProcess=\""), + field("process"), + constant("\",EventId=\""), + field("messageid"), + constant("\", "), + field("p0"), + ], + }), +])); + +var hdr2 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hdatetime,true), Constant(' '), Field(hproduct,true), Constant(' ProductName="'), Field(hdevice,false), Constant('",ProductAccount="'), Field(hfld4,false), Constant('",ProductProcess="'), Field(process,false), Constant('",EventId="'), Field(messageid,false), Constant('", '), Field(p0,false)}" +match("HEADER#1:0005", "message", "%{hfld1->} %{hdatetime->} %{hproduct->} ProductName=\"%{hdevice}\",ProductAccount=\"%{hfld4}\",ProductProcess=\"%{process}\",EventId=\"%{messageid}\", %{p0}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdevice"), + constant("\",ProductAccount=\""), + field("hfld4"), + constant("\",ProductProcess=\""), + field("process"), + constant("\",EventId=\""), + field("messageid"), + constant("\", "), + field("p0"), + ], + }), +])); + +var hdr3 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hproduct,true), Constant(' %CYBERARK: MessageID="'), Field(messageid,false), Constant('";'), Field(payload,false)}" +match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hproduct->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ + setc("header_id","0002"), +])); + +var hdr4 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hdatetime,true), Constant(' '), Field(hostname,true), Constant(' %CYBERARK: MessageID="'), Field(messageid,false), Constant('";'), Field(payload,false)}" +match("HEADER#3:0003", "message", "%{hfld1->} %{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ + setc("header_id","0003"), +])); + +var hdr5 = // "Pattern{Constant('%CYBERARK: MessageID="'), Field(messageid,false), Constant('";'), Field(payload,false)}" +match("HEADER#4:0004", "message", "%CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ + setc("header_id","0004"), +])); + +var hdr6 = // "Pattern{Field(hdatetime,true), Constant(' '), Field(hostname,true), Constant(' %CYBERARK: MessageID="'), Field(messageid,false), Constant('";'), Field(payload,false)}" +match("HEADER#5:0006", "message", "%{hdatetime->} %{hostname->} %CYBERARK: MessageID=\"%{messageid}\";%{payload}", processor_chain([ + setc("header_id","0006"), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, +]); + +var msg1 = msg("1:01", dup151); + +var msg2 = msg("1", dup152); + +var select2 = linear_select([ + msg1, + msg2, +]); + +var msg3 = msg("2:01", dup153); + +var msg4 = msg("2", dup154); + +var select3 = linear_select([ + msg3, + msg4, +]); + +var msg5 = msg("3:01", dup151); + +var msg6 = msg("3", dup152); + +var select4 = linear_select([ + msg5, + msg6, +]); + +var msg7 = msg("4:01", dup155); + +var msg8 = msg("4", dup156); + +var select5 = linear_select([ + msg7, + msg8, +]); + +var part1 = tagval("MESSAGE#8:7:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup11, + dup2, + dup3, +])); + +var msg9 = msg("7:01", part1); + +var part2 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#9:7", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup11, + dup2, +])); + +var msg10 = msg("7", part2); + +var select6 = linear_select([ + msg9, + msg10, +]); + +var part3 = tagval("MESSAGE#10:8:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup12, + dup6, + dup13, + dup8, + dup11, + dup2, + dup3, +])); + +var msg11 = msg("8:01", part3); + +var part4 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#11:8", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup12, + dup6, + dup13, + dup8, + dup11, + dup2, +])); + +var msg12 = msg("8", part4); + +var select7 = linear_select([ + msg11, + msg12, +]); + +var part5 = tagval("MESSAGE#12:9:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup1, + dup14, + dup9, + dup2, + dup3, +])); + +var msg13 = msg("9:01", part5); + +var part6 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#13:9", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup1, + dup14, + dup9, + dup2, +])); + +var msg14 = msg("9", part6); + +var select8 = linear_select([ + msg13, + msg14, +]); + +var msg15 = msg("10:01", dup151); + +var msg16 = msg("10", dup152); + +var select9 = linear_select([ + msg15, + msg16, +]); + +var msg17 = msg("11:01", dup151); + +var msg18 = msg("11", dup152); + +var select10 = linear_select([ + msg17, + msg18, +]); + +var msg19 = msg("12:01", dup151); + +var msg20 = msg("12", dup152); + +var select11 = linear_select([ + msg19, + msg20, +]); + +var msg21 = msg("13:01", dup157); + +var msg22 = msg("13", dup158); + +var select12 = linear_select([ + msg21, + msg22, +]); + +var msg23 = msg("14:01", dup157); + +var msg24 = msg("14", dup158); + +var select13 = linear_select([ + msg23, + msg24, +]); + +var part7 = tagval("MESSAGE#24:15:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup15, + dup18, + dup9, + dup2, + dup3, +])); + +var msg25 = msg("15:01", part7); + +var part8 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#25:15", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup18, + dup9, + dup2, +])); + +var msg26 = msg("15", part8); + +var select14 = linear_select([ + msg25, + msg26, +]); + +var msg27 = msg("16:01", dup159); + +var msg28 = msg("16", dup160); + +var select15 = linear_select([ + msg27, + msg28, +]); + +var msg29 = msg("17:01", dup151); + +var msg30 = msg("17", dup152); + +var select16 = linear_select([ + msg29, + msg30, +]); + +var msg31 = msg("18:01", dup161); + +var msg32 = msg("18", dup162); + +var select17 = linear_select([ + msg31, + msg32, +]); + +var part9 = tagval("MESSAGE#32:19:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup20, + dup16, + dup11, + dup2, + dup3, +])); + +var msg33 = msg("19:01", part9); + +var part10 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#33:19", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup20, + dup16, + dup11, + dup2, +])); + +var msg34 = msg("19", part10); + +var select18 = linear_select([ + msg33, + msg34, +]); + +var part11 = tagval("MESSAGE#34:20:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup19, + dup16, + dup2, + dup3, +])); + +var msg35 = msg("20:01", part11); + +var part12 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#35:20", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup19, + dup16, + dup2, +])); + +var msg36 = msg("20", part12); + +var select19 = linear_select([ + msg35, + msg36, +]); + +var part13 = tagval("MESSAGE#36:21:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup15, + dup16, + dup9, + dup2, + dup3, +])); + +var msg37 = msg("21:01", part13); + +var part14 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#37:21", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup16, + dup9, + dup2, +])); + +var msg38 = msg("21", part14); + +var select20 = linear_select([ + msg37, + msg38, +]); + +var msg39 = msg("22:01", dup163); + +var msg40 = msg("22", dup164); + +var select21 = linear_select([ + msg39, + msg40, +]); + +var part15 = tagval("MESSAGE#40:23:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup22, + dup2, + dup3, +])); + +var msg41 = msg("23:01", part15); + +var part16 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#41:23", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup22, + dup2, +])); + +var msg42 = msg("23", part16); + +var select22 = linear_select([ + msg41, + msg42, +]); + +var msg43 = msg("24:01", dup163); + +var msg44 = msg("24", dup164); + +var select23 = linear_select([ + msg43, + msg44, +]); + +var msg45 = msg("25:01", dup151); + +var msg46 = msg("25", dup152); + +var select24 = linear_select([ + msg45, + msg46, +]); + +var msg47 = msg("26:01", dup151); + +var msg48 = msg("26", dup152); + +var select25 = linear_select([ + msg47, + msg48, +]); + +var msg49 = msg("27:01", dup151); + +var msg50 = msg("27", dup152); + +var select26 = linear_select([ + msg49, + msg50, +]); + +var msg51 = msg("28:01", dup163); + +var msg52 = msg("28", dup164); + +var select27 = linear_select([ + msg51, + msg52, +]); + +var msg53 = msg("29:01", dup151); + +var msg54 = msg("29", dup152); + +var select28 = linear_select([ + msg53, + msg54, +]); + +var msg55 = msg("30:01", dup151); + +var msg56 = msg("30", dup152); + +var select29 = linear_select([ + msg55, + msg56, +]); + +var msg57 = msg("31:01", dup163); + +var msg58 = msg("31", dup164); + +var select30 = linear_select([ + msg57, + msg58, +]); + +var msg59 = msg("32:01", dup163); + +var msg60 = msg("32", dup164); + +var select31 = linear_select([ + msg59, + msg60, +]); + +var msg61 = msg("33:01", dup163); + +var msg62 = msg("33", dup164); + +var select32 = linear_select([ + msg61, + msg62, +]); + +var msg63 = msg("34:01", dup151); + +var msg64 = msg("34", dup152); + +var select33 = linear_select([ + msg63, + msg64, +]); + +var msg65 = msg("35:01", dup151); + +var msg66 = msg("35", dup152); + +var select34 = linear_select([ + msg65, + msg66, +]); + +var msg67 = msg("36:01", dup163); + +var msg68 = msg("36", dup164); + +var select35 = linear_select([ + msg67, + msg68, +]); + +var msg69 = msg("37:01", dup163); + +var msg70 = msg("37", dup164); + +var select36 = linear_select([ + msg69, + msg70, +]); + +var msg71 = msg("38:01", dup165); + +var msg72 = msg("38", dup166); + +var select37 = linear_select([ + msg71, + msg72, +]); + +var msg73 = msg("39:01", dup163); + +var msg74 = msg("39", dup164); + +var select38 = linear_select([ + msg73, + msg74, +]); + +var msg75 = msg("40:01", dup151); + +var msg76 = msg("40", dup152); + +var select39 = linear_select([ + msg75, + msg76, +]); + +var msg77 = msg("41:01", dup151); + +var msg78 = msg("41", dup152); + +var select40 = linear_select([ + msg77, + msg78, +]); + +var msg79 = msg("42:01", dup151); + +var msg80 = msg("42", dup152); + +var select41 = linear_select([ + msg79, + msg80, +]); + +var msg81 = msg("43:01", dup151); + +var msg82 = msg("43", dup152); + +var select42 = linear_select([ + msg81, + msg82, +]); + +var msg83 = msg("44:01", dup151); + +var msg84 = msg("44", dup152); + +var select43 = linear_select([ + msg83, + msg84, +]); + +var msg85 = msg("45:01", dup151); + +var msg86 = msg("45", dup152); + +var select44 = linear_select([ + msg85, + msg86, +]); + +var msg87 = msg("46:01", dup151); + +var msg88 = msg("46", dup152); + +var select45 = linear_select([ + msg87, + msg88, +]); + +var msg89 = msg("47:01", dup151); + +var msg90 = msg("47", dup152); + +var select46 = linear_select([ + msg89, + msg90, +]); + +var msg91 = msg("48:01", dup151); + +var msg92 = msg("48", dup152); + +var select47 = linear_select([ + msg91, + msg92, +]); + +var msg93 = msg("49:01", dup151); + +var msg94 = msg("49", dup152); + +var select48 = linear_select([ + msg93, + msg94, +]); + +var part17 = tagval("MESSAGE#94:50:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup21, + dup2, + dup3, + dup24, + dup25, +])); + +var msg95 = msg("50:01", part17); + +var msg96 = msg("50", dup164); + +var select49 = linear_select([ + msg95, + msg96, +]); + +var msg97 = msg("51:01", dup163); + +var msg98 = msg("51", dup164); + +var select50 = linear_select([ + msg97, + msg98, +]); + +var msg99 = msg("52:01", dup163); + +var msg100 = msg("52", dup164); + +var select51 = linear_select([ + msg99, + msg100, +]); + +var msg101 = msg("53:01", dup151); + +var msg102 = msg("53", dup152); + +var select52 = linear_select([ + msg101, + msg102, +]); + +var msg103 = msg("54:01", dup151); + +var msg104 = msg("54", dup152); + +var select53 = linear_select([ + msg103, + msg104, +]); + +var msg105 = msg("55:01", dup151); + +var msg106 = msg("55", dup152); + +var select54 = linear_select([ + msg105, + msg106, +]); + +var msg107 = msg("56:01", dup151); + +var msg108 = msg("56", dup152); + +var select55 = linear_select([ + msg107, + msg108, +]); + +var msg109 = msg("57:01", dup165); + +var msg110 = msg("57", dup166); + +var select56 = linear_select([ + msg109, + msg110, +]); + +var msg111 = msg("58:01", dup163); + +var msg112 = msg("58", dup164); + +var select57 = linear_select([ + msg111, + msg112, +]); + +var msg113 = msg("59:01", dup163); + +var msg114 = msg("59", dup164); + +var select58 = linear_select([ + msg113, + msg114, +]); + +var msg115 = msg("60:01", dup165); + +var msg116 = msg("60", dup166); + +var select59 = linear_select([ + msg115, + msg116, +]); + +var msg117 = msg("61:01", dup167); + +var msg118 = msg("61", dup168); + +var select60 = linear_select([ + msg117, + msg118, +]); + +var msg119 = msg("62:01", dup163); + +var msg120 = msg("62", dup164); + +var select61 = linear_select([ + msg119, + msg120, +]); + +var msg121 = msg("63:01", dup151); + +var msg122 = msg("63", dup152); + +var select62 = linear_select([ + msg121, + msg122, +]); + +var msg123 = msg("64:01", dup167); + +var msg124 = msg("64", dup168); + +var select63 = linear_select([ + msg123, + msg124, +]); + +var msg125 = msg("65:01", dup151); + +var msg126 = msg("65", dup152); + +var select64 = linear_select([ + msg125, + msg126, +]); + +var msg127 = msg("66:01", dup169); + +var msg128 = msg("66", dup170); + +var select65 = linear_select([ + msg127, + msg128, +]); + +var msg129 = msg("67:01", dup169); + +var msg130 = msg("67", dup170); + +var select66 = linear_select([ + msg129, + msg130, +]); + +var msg131 = msg("68:01", dup169); + +var msg132 = msg("68", dup170); + +var select67 = linear_select([ + msg131, + msg132, +]); + +var msg133 = msg("69:01", dup169); + +var msg134 = msg("69", dup170); + +var select68 = linear_select([ + msg133, + msg134, +]); + +var msg135 = msg("70:01", dup151); + +var msg136 = msg("70", dup152); + +var select69 = linear_select([ + msg135, + msg136, +]); + +var msg137 = msg("71:01", dup169); + +var msg138 = msg("71", dup170); + +var select70 = linear_select([ + msg137, + msg138, +]); + +var msg139 = msg("72:01", dup151); + +var msg140 = msg("72", dup152); + +var select71 = linear_select([ + msg139, + msg140, +]); + +var msg141 = msg("73:01", dup169); + +var msg142 = msg("73", dup170); + +var select72 = linear_select([ + msg141, + msg142, +]); + +var msg143 = msg("74:01", dup151); + +var msg144 = msg("74", dup152); + +var select73 = linear_select([ + msg143, + msg144, +]); + +var msg145 = msg("75:01", dup169); + +var msg146 = msg("75", dup170); + +var select74 = linear_select([ + msg145, + msg146, +]); + +var msg147 = msg("76:01", dup151); + +var msg148 = msg("76", dup152); + +var select75 = linear_select([ + msg147, + msg148, +]); + +var msg149 = msg("77:01", dup151); + +var msg150 = msg("77", dup152); + +var select76 = linear_select([ + msg149, + msg150, +]); + +var msg151 = msg("78:01", dup151); + +var msg152 = msg("78", dup152); + +var select77 = linear_select([ + msg151, + msg152, +]); + +var msg153 = msg("79:01", dup169); + +var msg154 = msg("79", dup170); + +var select78 = linear_select([ + msg153, + msg154, +]); + +var msg155 = msg("80:01", dup169); + +var msg156 = msg("80", dup170); + +var select79 = linear_select([ + msg155, + msg156, +]); + +var msg157 = msg("81:01", dup167); + +var msg158 = msg("81", dup168); + +var select80 = linear_select([ + msg157, + msg158, +]); + +var msg159 = msg("82:01", dup151); + +var msg160 = msg("82", dup152); + +var select81 = linear_select([ + msg159, + msg160, +]); + +var msg161 = msg("83:01", dup169); + +var msg162 = msg("83", dup170); + +var select82 = linear_select([ + msg161, + msg162, +]); + +var msg163 = msg("84:01", dup169); + +var msg164 = msg("84", dup170); + +var select83 = linear_select([ + msg163, + msg164, +]); + +var msg165 = msg("85:01", dup151); + +var msg166 = msg("85", dup152); + +var select84 = linear_select([ + msg165, + msg166, +]); + +var msg167 = msg("86:01", dup159); + +var msg168 = msg("86", dup160); + +var select85 = linear_select([ + msg167, + msg168, +]); + +var msg169 = msg("87:01", dup151); + +var msg170 = msg("87", dup152); + +var select86 = linear_select([ + msg169, + msg170, +]); + +var msg171 = msg("88:01", dup169); + +var msg172 = msg("88", dup170); + +var select87 = linear_select([ + msg171, + msg172, +]); + +var msg173 = msg("89:01", dup151); + +var msg174 = msg("89", dup152); + +var select88 = linear_select([ + msg173, + msg174, +]); + +var msg175 = msg("90:01", dup151); + +var msg176 = msg("90", dup152); + +var select89 = linear_select([ + msg175, + msg176, +]); + +var msg177 = msg("91:01", dup151); + +var msg178 = msg("91", dup152); + +var select90 = linear_select([ + msg177, + msg178, +]); + +var msg179 = msg("92:01", dup151); + +var msg180 = msg("92", dup152); + +var select91 = linear_select([ + msg179, + msg180, +]); + +var msg181 = msg("93:01", dup151); + +var msg182 = msg("93", dup152); + +var select92 = linear_select([ + msg181, + msg182, +]); + +var msg183 = msg("94:01", dup169); + +var msg184 = msg("94", dup170); + +var select93 = linear_select([ + msg183, + msg184, +]); + +var msg185 = msg("95:01", dup169); + +var msg186 = msg("95", dup170); + +var select94 = linear_select([ + msg185, + msg186, +]); + +var msg187 = msg("96:01", dup151); + +var msg188 = msg("96", dup152); + +var select95 = linear_select([ + msg187, + msg188, +]); + +var msg189 = msg("97:01", dup151); + +var msg190 = msg("97", dup152); + +var select96 = linear_select([ + msg189, + msg190, +]); + +var msg191 = msg("98:01", dup171); + +var msg192 = msg("98", dup170); + +var select97 = linear_select([ + msg191, + msg192, +]); + +var msg193 = msg("99:01", dup171); + +var msg194 = msg("99", dup170); + +var select98 = linear_select([ + msg193, + msg194, +]); + +var msg195 = msg("100:01", dup151); + +var msg196 = msg("100", dup152); + +var select99 = linear_select([ + msg195, + msg196, +]); + +var msg197 = msg("101:01", dup151); + +var msg198 = msg("101", dup152); + +var select100 = linear_select([ + msg197, + msg198, +]); + +var msg199 = msg("102:01", dup155); + +var msg200 = msg("102", dup156); + +var select101 = linear_select([ + msg199, + msg200, +]); + +var part18 = tagval("MESSAGE#200:103:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup27, + dup6, + dup7, + dup8, + dup28, + dup2, + dup3, +])); + +var msg201 = msg("103:01", part18); + +var part19 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#201:103", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup27, + dup6, + dup7, + dup8, + dup28, + dup2, +])); + +var msg202 = msg("103", part19); + +var select102 = linear_select([ + msg201, + msg202, +]); + +var part20 = tagval("MESSAGE#202:104:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup27, + dup6, + dup29, + dup2, + dup3, +])); + +var msg203 = msg("104:01", part20); + +var part21 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#203:104", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup27, + dup6, + dup29, + dup2, +])); + +var msg204 = msg("104", part21); + +var select103 = linear_select([ + msg203, + msg204, +]); + +var msg205 = msg("105:01", dup169); + +var msg206 = msg("105", dup170); + +var select104 = linear_select([ + msg205, + msg206, +]); + +var msg207 = msg("106:01", dup169); + +var msg208 = msg("106", dup170); + +var select105 = linear_select([ + msg207, + msg208, +]); + +var msg209 = msg("107:01", dup169); + +var msg210 = msg("107", dup170); + +var select106 = linear_select([ + msg209, + msg210, +]); + +var msg211 = msg("108:01", dup169); + +var msg212 = msg("108", dup170); + +var select107 = linear_select([ + msg211, + msg212, +]); + +var msg213 = msg("109:01", dup169); + +var msg214 = msg("109", dup170); + +var select108 = linear_select([ + msg213, + msg214, +]); + +var msg215 = msg("110:01", dup151); + +var msg216 = msg("110", dup152); + +var select109 = linear_select([ + msg215, + msg216, +]); + +var msg217 = msg("111:01", dup169); + +var msg218 = msg("111", dup170); + +var select110 = linear_select([ + msg217, + msg218, +]); + +var msg219 = msg("112:01", dup169); + +var msg220 = msg("112", dup170); + +var select111 = linear_select([ + msg219, + msg220, +]); + +var msg221 = msg("114:01", dup169); + +var msg222 = msg("114", dup170); + +var select112 = linear_select([ + msg221, + msg222, +]); + +var msg223 = msg("115:01", dup169); + +var msg224 = msg("115", dup170); + +var select113 = linear_select([ + msg223, + msg224, +]); + +var msg225 = msg("116:01", dup151); + +var msg226 = msg("116", dup152); + +var select114 = linear_select([ + msg225, + msg226, +]); + +var msg227 = msg("117:01", dup151); + +var msg228 = msg("117", dup152); + +var select115 = linear_select([ + msg227, + msg228, +]); + +var msg229 = msg("118:01", dup169); + +var msg230 = msg("118", dup170); + +var select116 = linear_select([ + msg229, + msg230, +]); + +var msg231 = msg("119:01", dup169); + +var msg232 = msg("119", dup170); + +var select117 = linear_select([ + msg231, + msg232, +]); + +var msg233 = msg("120:01", dup169); + +var msg234 = msg("120", dup170); + +var select118 = linear_select([ + msg233, + msg234, +]); + +var msg235 = msg("121:01", dup169); + +var msg236 = msg("121", dup170); + +var select119 = linear_select([ + msg235, + msg236, +]); + +var msg237 = msg("122:01", dup169); + +var msg238 = msg("122", dup170); + +var select120 = linear_select([ + msg237, + msg238, +]); + +var msg239 = msg("123:01", dup169); + +var msg240 = msg("123", dup170); + +var select121 = linear_select([ + msg239, + msg240, +]); + +var msg241 = msg("124:01", dup169); + +var msg242 = msg("124", dup170); + +var select122 = linear_select([ + msg241, + msg242, +]); + +var msg243 = msg("125:01", dup169); + +var msg244 = msg("125", dup170); + +var select123 = linear_select([ + msg243, + msg244, +]); + +var msg245 = msg("126:01", dup169); + +var msg246 = msg("126", dup170); + +var select124 = linear_select([ + msg245, + msg246, +]); + +var msg247 = msg("127:01", dup169); + +var msg248 = msg("127", dup170); + +var select125 = linear_select([ + msg247, + msg248, +]); + +var msg249 = msg("128:01", dup169); + +var msg250 = msg("128", dup170); + +var select126 = linear_select([ + msg249, + msg250, +]); + +var msg251 = msg("129:01", dup169); + +var msg252 = msg("129", dup170); + +var select127 = linear_select([ + msg251, + msg252, +]); + +var msg253 = msg("130:01", dup169); + +var msg254 = msg("130", dup170); + +var select128 = linear_select([ + msg253, + msg254, +]); + +var msg255 = msg("131:01", dup151); + +var msg256 = msg("131", dup152); + +var select129 = linear_select([ + msg255, + msg256, +]); + +var msg257 = msg("132:01", dup151); + +var msg258 = msg("132", dup152); + +var select130 = linear_select([ + msg257, + msg258, +]); + +var msg259 = msg("133:01", dup151); + +var msg260 = msg("133", dup152); + +var select131 = linear_select([ + msg259, + msg260, +]); + +var part22 = tagval("MESSAGE#260:134:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup30, + dup2, + dup3, +])); + +var msg261 = msg("134:01", part22); + +var part23 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#261:134", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup30, + dup2, +])); + +var msg262 = msg("134", part23); + +var select132 = linear_select([ + msg261, + msg262, +]); + +var msg263 = msg("135:01", dup151); + +var msg264 = msg("135", dup152); + +var select133 = linear_select([ + msg263, + msg264, +]); + +var msg265 = msg("136:01", dup169); + +var msg266 = msg("136", dup170); + +var select134 = linear_select([ + msg265, + msg266, +]); + +var msg267 = msg("137:01", dup169); + +var msg268 = msg("137", dup170); + +var select135 = linear_select([ + msg267, + msg268, +]); + +var msg269 = msg("138:01", dup169); + +var msg270 = msg("138", dup170); + +var select136 = linear_select([ + msg269, + msg270, +]); + +var msg271 = msg("139:01", dup169); + +var msg272 = msg("139", dup170); + +var select137 = linear_select([ + msg271, + msg272, +]); + +var msg273 = msg("140:01", dup169); + +var msg274 = msg("140", dup170); + +var select138 = linear_select([ + msg273, + msg274, +]); + +var msg275 = msg("141:01", dup169); + +var msg276 = msg("141", dup170); + +var select139 = linear_select([ + msg275, + msg276, +]); + +var msg277 = msg("142:01", dup169); + +var msg278 = msg("142", dup170); + +var select140 = linear_select([ + msg277, + msg278, +]); + +var msg279 = msg("143:01", dup169); + +var msg280 = msg("143", dup170); + +var select141 = linear_select([ + msg279, + msg280, +]); + +var msg281 = msg("144:01", dup169); + +var msg282 = msg("144", dup170); + +var select142 = linear_select([ + msg281, + msg282, +]); + +var msg283 = msg("145:01", dup169); + +var msg284 = msg("145", dup170); + +var select143 = linear_select([ + msg283, + msg284, +]); + +var msg285 = msg("146:01", dup151); + +var msg286 = msg("146", dup152); + +var select144 = linear_select([ + msg285, + msg286, +]); + +var msg287 = msg("147:01", dup151); + +var msg288 = msg("147", dup152); + +var select145 = linear_select([ + msg287, + msg288, +]); + +var msg289 = msg("148:01", dup151); + +var msg290 = msg("148", dup152); + +var select146 = linear_select([ + msg289, + msg290, +]); + +var msg291 = msg("149:01", dup151); + +var msg292 = msg("149", dup152); + +var select147 = linear_select([ + msg291, + msg292, +]); + +var msg293 = msg("150:01", dup151); + +var msg294 = msg("150", dup152); + +var select148 = linear_select([ + msg293, + msg294, +]); + +var msg295 = msg("152:01", dup151); + +var msg296 = msg("152", dup152); + +var select149 = linear_select([ + msg295, + msg296, +]); + +var msg297 = msg("153:01", dup151); + +var msg298 = msg("153", dup152); + +var select150 = linear_select([ + msg297, + msg298, +]); + +var msg299 = msg("154:01", dup151); + +var msg300 = msg("154", dup152); + +var select151 = linear_select([ + msg299, + msg300, +]); + +var msg301 = msg("155:01", dup151); + +var msg302 = msg("155", dup152); + +var select152 = linear_select([ + msg301, + msg302, +]); + +var msg303 = msg("156:01", dup151); + +var msg304 = msg("156", dup152); + +var select153 = linear_select([ + msg303, + msg304, +]); + +var msg305 = msg("157:01", dup151); + +var msg306 = msg("157", dup152); + +var select154 = linear_select([ + msg305, + msg306, +]); + +var msg307 = msg("158:01", dup151); + +var msg308 = msg("158", dup152); + +var select155 = linear_select([ + msg307, + msg308, +]); + +var msg309 = msg("159:01", dup151); + +var msg310 = msg("159", dup152); + +var select156 = linear_select([ + msg309, + msg310, +]); + +var msg311 = msg("160:01", dup151); + +var msg312 = msg("160", dup152); + +var select157 = linear_select([ + msg311, + msg312, +]); + +var msg313 = msg("161:01", dup151); + +var msg314 = msg("161", dup152); + +var select158 = linear_select([ + msg313, + msg314, +]); + +var msg315 = msg("162:01", dup151); + +var msg316 = msg("162", dup152); + +var select159 = linear_select([ + msg315, + msg316, +]); + +var msg317 = msg("163:01", dup151); + +var msg318 = msg("163", dup152); + +var select160 = linear_select([ + msg317, + msg318, +]); + +var msg319 = msg("164:01", dup151); + +var msg320 = msg("164", dup152); + +var select161 = linear_select([ + msg319, + msg320, +]); + +var msg321 = msg("165:01", dup151); + +var msg322 = msg("165", dup152); + +var select162 = linear_select([ + msg321, + msg322, +]); + +var msg323 = msg("166:01", dup151); + +var msg324 = msg("166", dup152); + +var select163 = linear_select([ + msg323, + msg324, +]); + +var msg325 = msg("167:01", dup151); + +var msg326 = msg("167", dup152); + +var select164 = linear_select([ + msg325, + msg326, +]); + +var msg327 = msg("168:01", dup151); + +var msg328 = msg("168", dup152); + +var select165 = linear_select([ + msg327, + msg328, +]); + +var msg329 = msg("169:01", dup151); + +var msg330 = msg("169", dup152); + +var select166 = linear_select([ + msg329, + msg330, +]); + +var msg331 = msg("170:01", dup169); + +var msg332 = msg("170", dup170); + +var select167 = linear_select([ + msg331, + msg332, +]); + +var msg333 = msg("171:01", dup151); + +var msg334 = msg("171", dup152); + +var select168 = linear_select([ + msg333, + msg334, +]); + +var msg335 = msg("172:01", dup169); + +var msg336 = msg("172", dup170); + +var select169 = linear_select([ + msg335, + msg336, +]); + +var msg337 = msg("173:01", dup151); + +var msg338 = msg("173", dup152); + +var select170 = linear_select([ + msg337, + msg338, +]); + +var msg339 = msg("174:01", dup151); + +var msg340 = msg("174", dup152); + +var select171 = linear_select([ + msg339, + msg340, +]); + +var msg341 = msg("175:01", dup151); + +var msg342 = msg("175", dup152); + +var select172 = linear_select([ + msg341, + msg342, +]); + +var msg343 = msg("176:01", dup151); + +var msg344 = msg("176", dup152); + +var select173 = linear_select([ + msg343, + msg344, +]); + +var msg345 = msg("177:01", dup151); + +var msg346 = msg("177", dup152); + +var select174 = linear_select([ + msg345, + msg346, +]); + +var msg347 = msg("178:01", dup151); + +var msg348 = msg("178", dup152); + +var select175 = linear_select([ + msg347, + msg348, +]); + +var msg349 = msg("179:01", dup169); + +var msg350 = msg("179", dup170); + +var select176 = linear_select([ + msg349, + msg350, +]); + +var msg351 = msg("180:01", dup169); + +var msg352 = msg("180", dup170); + +var select177 = linear_select([ + msg351, + msg352, +]); + +var msg353 = msg("181:01", dup169); + +var msg354 = msg("181", dup170); + +var select178 = linear_select([ + msg353, + msg354, +]); + +var msg355 = msg("182:01", dup169); + +var msg356 = msg("182", dup170); + +var select179 = linear_select([ + msg355, + msg356, +]); + +var msg357 = msg("183:01", dup169); + +var msg358 = msg("183", dup170); + +var select180 = linear_select([ + msg357, + msg358, +]); + +var msg359 = msg("184:01", dup169); + +var msg360 = msg("184", dup170); + +var select181 = linear_select([ + msg359, + msg360, +]); + +var msg361 = msg("185:01", dup169); + +var msg362 = msg("185", dup170); + +var select182 = linear_select([ + msg361, + msg362, +]); + +var msg363 = msg("186:01", dup151); + +var msg364 = msg("186", dup152); + +var select183 = linear_select([ + msg363, + msg364, +]); + +var msg365 = msg("187:01", dup169); + +var msg366 = msg("187", dup170); + +var select184 = linear_select([ + msg365, + msg366, +]); + +var msg367 = msg("188:01", dup169); + +var msg368 = msg("188", dup170); + +var select185 = linear_select([ + msg367, + msg368, +]); + +var msg369 = msg("189:01", dup169); + +var msg370 = msg("189", dup170); + +var select186 = linear_select([ + msg369, + msg370, +]); + +var msg371 = msg("191:01", dup151); + +var msg372 = msg("191", dup152); + +var select187 = linear_select([ + msg371, + msg372, +]); + +var msg373 = msg("192:01", dup169); + +var msg374 = msg("192", dup170); + +var select188 = linear_select([ + msg373, + msg374, +]); + +var msg375 = msg("193:01", dup151); + +var msg376 = msg("193", dup152); + +var select189 = linear_select([ + msg375, + msg376, +]); + +var msg377 = msg("194:01", dup169); + +var msg378 = msg("194", dup170); + +var select190 = linear_select([ + msg377, + msg378, +]); + +var msg379 = msg("195:01", dup169); + +var msg380 = msg("195", dup170); + +var select191 = linear_select([ + msg379, + msg380, +]); + +var msg381 = msg("196:01", dup151); + +var msg382 = msg("196", dup152); + +var select192 = linear_select([ + msg381, + msg382, +]); + +var msg383 = msg("197:01", dup151); + +var msg384 = msg("197", dup152); + +var select193 = linear_select([ + msg383, + msg384, +]); + +var msg385 = msg("198:01", dup169); + +var msg386 = msg("198", dup170); + +var select194 = linear_select([ + msg385, + msg386, +]); + +var msg387 = msg("199:01", dup169); + +var msg388 = msg("199", dup170); + +var select195 = linear_select([ + msg387, + msg388, +]); + +var msg389 = msg("200:01", dup169); + +var msg390 = msg("200", dup170); + +var select196 = linear_select([ + msg389, + msg390, +]); + +var msg391 = msg("201:01", dup169); + +var msg392 = msg("201", dup170); + +var select197 = linear_select([ + msg391, + msg392, +]); + +var msg393 = msg("202:01", dup169); + +var msg394 = msg("202", dup170); + +var select198 = linear_select([ + msg393, + msg394, +]); + +var msg395 = msg("203:01", dup169); + +var msg396 = msg("203", dup170); + +var select199 = linear_select([ + msg395, + msg396, +]); + +var msg397 = msg("204:01", dup151); + +var msg398 = msg("204", dup152); + +var select200 = linear_select([ + msg397, + msg398, +]); + +var msg399 = msg("205:01", dup151); + +var msg400 = msg("205", dup152); + +var select201 = linear_select([ + msg399, + msg400, +]); + +var msg401 = msg("206:01", dup151); + +var msg402 = msg("206", dup152); + +var select202 = linear_select([ + msg401, + msg402, +]); + +var msg403 = msg("207:01", dup151); + +var msg404 = msg("207", dup152); + +var select203 = linear_select([ + msg403, + msg404, +]); + +var msg405 = msg("208:01", dup151); + +var msg406 = msg("208", dup152); + +var select204 = linear_select([ + msg405, + msg406, +]); + +var msg407 = msg("209:01", dup169); + +var msg408 = msg("209", dup170); + +var select205 = linear_select([ + msg407, + msg408, +]); + +var msg409 = msg("211:01", dup169); + +var msg410 = msg("211", dup170); + +var select206 = linear_select([ + msg409, + msg410, +]); + +var msg411 = msg("212:01", dup169); + +var msg412 = msg("212", dup170); + +var select207 = linear_select([ + msg411, + msg412, +]); + +var msg413 = msg("213:01", dup169); + +var msg414 = msg("213", dup170); + +var select208 = linear_select([ + msg413, + msg414, +]); + +var msg415 = msg("214:01", dup151); + +var msg416 = msg("214", dup152); + +var select209 = linear_select([ + msg415, + msg416, +]); + +var msg417 = msg("215:01", dup151); + +var msg418 = msg("215", dup152); + +var select210 = linear_select([ + msg417, + msg418, +]); + +var msg419 = msg("216:01", dup151); + +var msg420 = msg("216", dup152); + +var select211 = linear_select([ + msg419, + msg420, +]); + +var msg421 = msg("217:01", dup169); + +var msg422 = msg("217", dup170); + +var select212 = linear_select([ + msg421, + msg422, +]); + +var msg423 = msg("218:01", dup169); + +var msg424 = msg("218", dup170); + +var select213 = linear_select([ + msg423, + msg424, +]); + +var msg425 = msg("219:01", dup169); + +var msg426 = msg("219", dup170); + +var select214 = linear_select([ + msg425, + msg426, +]); + +var msg427 = msg("220:01", dup169); + +var msg428 = msg("220", dup170); + +var select215 = linear_select([ + msg427, + msg428, +]); + +var msg429 = msg("221:01", dup169); + +var msg430 = msg("221", dup170); + +var select216 = linear_select([ + msg429, + msg430, +]); + +var msg431 = msg("222:01", dup151); + +var msg432 = msg("222", dup152); + +var select217 = linear_select([ + msg431, + msg432, +]); + +var msg433 = msg("223:01", dup169); + +var msg434 = msg("223", dup170); + +var select218 = linear_select([ + msg433, + msg434, +]); + +var msg435 = msg("224:01", dup169); + +var msg436 = msg("224", dup170); + +var select219 = linear_select([ + msg435, + msg436, +]); + +var msg437 = msg("229:01", dup169); + +var msg438 = msg("229", dup170); + +var select220 = linear_select([ + msg437, + msg438, +]); + +var msg439 = msg("230:01", dup151); + +var msg440 = msg("230", dup152); + +var select221 = linear_select([ + msg439, + msg440, +]); + +var msg441 = msg("231:01", dup151); + +var msg442 = msg("231", dup152); + +var select222 = linear_select([ + msg441, + msg442, +]); + +var msg443 = msg("232:01", dup151); + +var msg444 = msg("232", dup152); + +var select223 = linear_select([ + msg443, + msg444, +]); + +var msg445 = msg("233:01", dup151); + +var msg446 = msg("233", dup152); + +var select224 = linear_select([ + msg445, + msg446, +]); + +var msg447 = msg("236:01", dup153); + +var msg448 = msg("236", dup154); + +var select225 = linear_select([ + msg447, + msg448, +]); + +var msg449 = msg("237:01", dup169); + +var msg450 = msg("237", dup170); + +var select226 = linear_select([ + msg449, + msg450, +]); + +var msg451 = msg("238:01", dup151); + +var msg452 = msg("238", dup152); + +var select227 = linear_select([ + msg451, + msg452, +]); + +var msg453 = msg("239:01", dup169); + +var msg454 = msg("239", dup170); + +var select228 = linear_select([ + msg453, + msg454, +]); + +var msg455 = msg("240:01", dup169); + +var msg456 = msg("240", dup170); + +var select229 = linear_select([ + msg455, + msg456, +]); + +var msg457 = msg("241:01", dup169); + +var msg458 = msg("241", dup170); + +var select230 = linear_select([ + msg457, + msg458, +]); + +var msg459 = msg("243:01", dup151); + +var msg460 = msg("243", dup152); + +var select231 = linear_select([ + msg459, + msg460, +]); + +var msg461 = msg("244:01", dup151); + +var msg462 = msg("244", dup152); + +var select232 = linear_select([ + msg461, + msg462, +]); + +var msg463 = msg("246:01", dup169); + +var msg464 = msg("246", dup170); + +var select233 = linear_select([ + msg463, + msg464, +]); + +var msg465 = msg("247:01", dup169); + +var msg466 = msg("247", dup170); + +var select234 = linear_select([ + msg465, + msg466, +]); + +var msg467 = msg("248:01", dup151); + +var msg468 = msg("248", dup152); + +var select235 = linear_select([ + msg467, + msg468, +]); + +var msg469 = msg("249:01", dup151); + +var msg470 = msg("249", dup152); + +var select236 = linear_select([ + msg469, + msg470, +]); + +var msg471 = msg("250:01", dup151); + +var msg472 = msg("250", dup152); + +var select237 = linear_select([ + msg471, + msg472, +]); + +var msg473 = msg("251:01", dup169); + +var msg474 = msg("251", dup170); + +var select238 = linear_select([ + msg473, + msg474, +]); + +var msg475 = msg("252:01", dup169); + +var msg476 = msg("252", dup170); + +var select239 = linear_select([ + msg475, + msg476, +]); + +var msg477 = msg("253:01", dup151); + +var msg478 = msg("253", dup152); + +var select240 = linear_select([ + msg477, + msg478, +]); + +var msg479 = msg("254:01", dup169); + +var msg480 = msg("254", dup170); + +var select241 = linear_select([ + msg479, + msg480, +]); + +var msg481 = msg("255:01", dup151); + +var msg482 = msg("255", dup152); + +var select242 = linear_select([ + msg481, + msg482, +]); + +var msg483 = msg("256:01", dup169); + +var msg484 = msg("256", dup170); + +var select243 = linear_select([ + msg483, + msg484, +]); + +var msg485 = msg("257:01", dup169); + +var msg486 = msg("257", dup170); + +var select244 = linear_select([ + msg485, + msg486, +]); + +var msg487 = msg("259:01", dup169); + +var msg488 = msg("259", dup170); + +var select245 = linear_select([ + msg487, + msg488, +]); + +var msg489 = msg("260:01", dup151); + +var msg490 = msg("260", dup152); + +var select246 = linear_select([ + msg489, + msg490, +]); + +var msg491 = msg("261:01", dup151); + +var msg492 = msg("261", dup152); + +var select247 = linear_select([ + msg491, + msg492, +]); + +var msg493 = msg("262:01", dup151); + +var msg494 = msg("262", dup152); + +var select248 = linear_select([ + msg493, + msg494, +]); + +var msg495 = msg("263:01", dup151); + +var msg496 = msg("263", dup152); + +var select249 = linear_select([ + msg495, + msg496, +]); + +var msg497 = msg("264:01", dup169); + +var msg498 = msg("264", dup170); + +var select250 = linear_select([ + msg497, + msg498, +]); + +var msg499 = msg("265:01", dup169); + +var msg500 = msg("265", dup170); + +var select251 = linear_select([ + msg499, + msg500, +]); + +var msg501 = msg("266:01", dup169); + +var msg502 = msg("266", dup170); + +var select252 = linear_select([ + msg501, + msg502, +]); + +var msg503 = msg("267:01", dup169); + +var msg504 = msg("267", dup170); + +var select253 = linear_select([ + msg503, + msg504, +]); + +var msg505 = msg("268:01", dup169); + +var msg506 = msg("268", dup170); + +var select254 = linear_select([ + msg505, + msg506, +]); + +var msg507 = msg("269:01", dup151); + +var msg508 = msg("269", dup152); + +var select255 = linear_select([ + msg507, + msg508, +]); + +var msg509 = msg("270:01", dup169); + +var msg510 = msg("270", dup170); + +var select256 = linear_select([ + msg509, + msg510, +]); + +var msg511 = msg("271:01", dup151); + +var msg512 = msg("271", dup152); + +var select257 = linear_select([ + msg511, + msg512, +]); + +var msg513 = msg("272:01", dup169); + +var msg514 = msg("272", dup170); + +var select258 = linear_select([ + msg513, + msg514, +]); + +var msg515 = msg("273:01", dup169); + +var msg516 = msg("273", dup170); + +var select259 = linear_select([ + msg515, + msg516, +]); + +var msg517 = msg("274:01", dup169); + +var msg518 = msg("274", dup170); + +var select260 = linear_select([ + msg517, + msg518, +]); + +var msg519 = msg("275:01", dup169); + +var msg520 = msg("275", dup170); + +var select261 = linear_select([ + msg519, + msg520, +]); + +var msg521 = msg("276:01", dup169); + +var msg522 = msg("276", dup170); + +var select262 = linear_select([ + msg521, + msg522, +]); + +var msg523 = msg("277:01", dup169); + +var msg524 = msg("277", dup170); + +var select263 = linear_select([ + msg523, + msg524, +]); + +var msg525 = msg("278:01", dup169); + +var msg526 = msg("278", dup170); + +var select264 = linear_select([ + msg525, + msg526, +]); + +var msg527 = msg("279:01", dup169); + +var msg528 = msg("279", dup170); + +var select265 = linear_select([ + msg527, + msg528, +]); + +var msg529 = msg("280:01", dup151); + +var msg530 = msg("280", dup152); + +var select266 = linear_select([ + msg529, + msg530, +]); + +var msg531 = msg("281:01", dup151); + +var msg532 = msg("281", dup152); + +var select267 = linear_select([ + msg531, + msg532, +]); + +var msg533 = msg("282:01", dup169); + +var msg534 = msg("282", dup170); + +var select268 = linear_select([ + msg533, + msg534, +]); + +var msg535 = msg("283:01", dup169); + +var msg536 = msg("283", dup170); + +var select269 = linear_select([ + msg535, + msg536, +]); + +var msg537 = msg("284:01", dup151); + +var msg538 = msg("284", dup152); + +var select270 = linear_select([ + msg537, + msg538, +]); + +var msg539 = msg("285:01", dup159); + +var msg540 = msg("285", dup160); + +var select271 = linear_select([ + msg539, + msg540, +]); + +var msg541 = msg("286:01", dup169); + +var msg542 = msg("286", dup170); + +var select272 = linear_select([ + msg541, + msg542, +]); + +var msg543 = msg("287:01", dup169); + +var msg544 = msg("287", dup170); + +var select273 = linear_select([ + msg543, + msg544, +]); + +var msg545 = msg("288:01", dup169); + +var msg546 = msg("288", dup170); + +var select274 = linear_select([ + msg545, + msg546, +]); + +var msg547 = msg("289:01", dup169); + +var msg548 = msg("289", dup170); + +var select275 = linear_select([ + msg547, + msg548, +]); + +var msg549 = msg("290:01", dup169); + +var msg550 = msg("290", dup170); + +var select276 = linear_select([ + msg549, + msg550, +]); + +var msg551 = msg("291:01", dup169); + +var msg552 = msg("291", dup170); + +var select277 = linear_select([ + msg551, + msg552, +]); + +var msg553 = msg("292:01", dup169); + +var msg554 = msg("292", dup170); + +var select278 = linear_select([ + msg553, + msg554, +]); + +var msg555 = msg("293:01", dup169); + +var msg556 = msg("293", dup170); + +var select279 = linear_select([ + msg555, + msg556, +]); + +var msg557 = msg("294:01", dup169); + +var msg558 = msg("294", dup170); + +var select280 = linear_select([ + msg557, + msg558, +]); + +var msg559 = msg("295:01", dup169); + +var msg560 = msg("295", dup170); + +var select281 = linear_select([ + msg559, + msg560, +]); + +var msg561 = msg("296:01", dup169); + +var msg562 = msg("296", dup170); + +var select282 = linear_select([ + msg561, + msg562, +]); + +var msg563 = msg("297:01", dup151); + +var msg564 = msg("297", dup152); + +var select283 = linear_select([ + msg563, + msg564, +]); + +var msg565 = msg("298:01", dup151); + +var msg566 = msg("298", dup152); + +var select284 = linear_select([ + msg565, + msg566, +]); + +var msg567 = msg("299:01", dup169); + +var msg568 = msg("299", dup170); + +var select285 = linear_select([ + msg567, + msg568, +]); + +var part24 = // "Pattern{Field(application,false), Constant(';DstHost='), Field(dhost,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld10,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';User='), Field(c_username,false), Constant(';"')}" +match("MESSAGE#568:300:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); + +var all1 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + dup188, + dup189, + dup190, + dup191, + dup192, + dup193, + dup194, + part24, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + dup24, + ]), +}); + +var msg569 = msg("300:02", all1); + +var part25 = tagval("MESSAGE#569:300:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup4, + dup2, + dup3, + dup24, +])); + +var msg570 = msg("300:01", part25); + +var msg571 = msg("300", dup154); + +var select286 = linear_select([ + msg569, + msg570, + msg571, +]); + +var msg572 = msg("301:01", dup163); + +var msg573 = msg("301", dup164); + +var select287 = linear_select([ + msg572, + msg573, +]); + +var part26 = // "Pattern{Field(application,false), Constant(';DstHost='), Field(dhost,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld12,false), Constant(';SessionDuration='), Field(duration_string,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';User='), Field(c_username,false), Constant(';"')}" +match("MESSAGE#573:302:02/24", "nwparser.p0", "%{application};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld12};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); + +var all2 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + dup188, + dup189, + dup190, + dup191, + dup192, + dup193, + dup194, + part26, + ], + on_success: processor_chain([ + dup21, + dup2, + dup3, + dup24, + ]), +}); + +var msg574 = msg("302:02", all2); + +var msg575 = msg("302:01", dup163); + +var msg576 = msg("302", dup164); + +var select288 = linear_select([ + msg574, + msg575, + msg576, +]); + +var msg577 = msg("303:01", dup163); + +var msg578 = msg("303", dup164); + +var select289 = linear_select([ + msg577, + msg578, +]); + +var part27 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";ExtraDetails="DstHost='), Field(p0,false)}" +match("MESSAGE#578:304:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"DstHost=%{p0}"); + +var part28 = // "Pattern{Field(obj_type,false), Constant(';ExtraDetails="DstHost='), Field(p0,false)}" +match("MESSAGE#578:304:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"DstHost=%{p0}"); + +var select290 = linear_select([ + part27, + part28, +]); + +var part29 = // "Pattern{Field(dhost,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld10,false), Constant(';SessionDuration='), Field(duration_string,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';User='), Field(c_username,false), Constant(';"')}" +match("MESSAGE#578:304:02/24", "nwparser.p0", "%{dhost};Protocol=%{protocol};PSMID=%{fld10};SessionDuration=%{duration_string};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};\""); + +var all3 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + dup188, + dup189, + dup190, + dup191, + dup192, + dup193, + select290, + part29, + ], + on_success: processor_chain([ + dup26, + dup2, + dup3, + dup24, + ]), +}); + +var msg579 = msg("304:02", all3); + +var msg580 = msg("304:01", dup169); + +var msg581 = msg("304", dup170); + +var select291 = linear_select([ + msg579, + msg580, + msg581, +]); + +var msg582 = msg("305:01", dup169); + +var msg583 = msg("305", dup170); + +var select292 = linear_select([ + msg582, + msg583, +]); + +var msg584 = msg("306:01", dup151); + +var msg585 = msg("306", dup152); + +var select293 = linear_select([ + msg584, + msg585, +]); + +var msg586 = msg("307:01", dup151); + +var msg587 = msg("307", dup152); + +var select294 = linear_select([ + msg586, + msg587, +]); + +var part30 = tagval("MESSAGE#587:308:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup78, + dup2, + dup3, +])); + +var msg588 = msg("308:01", part30); + +var part31 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#588:308", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup78, + dup2, +])); + +var msg589 = msg("308", part31); + +var select295 = linear_select([ + msg588, + msg589, +]); + +var part32 = tagval("MESSAGE#589:309:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup9, + dup2, + dup3, +])); + +var msg590 = msg("309:01", part32); + +var part33 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#590:309", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup10, + dup6, + dup7, + dup8, + dup9, + dup2, +])); + +var msg591 = msg("309", part33); + +var select296 = linear_select([ + msg590, + msg591, +]); + +var msg592 = msg("317:01", dup195); + +var msg593 = msg("317", dup196); + +var select297 = linear_select([ + msg592, + msg593, +]); + +var msg594 = msg("316:01", dup195); + +var msg595 = msg("316", dup196); + +var select298 = linear_select([ + msg594, + msg595, +]); + +var msg596 = msg("355:01", dup197); + +var msg597 = msg("355", dup198); + +var select299 = linear_select([ + msg596, + msg597, +]); + +var msg598 = msg("356:01", dup197); + +var msg599 = msg("356", dup198); + +var select300 = linear_select([ + msg598, + msg599, +]); + +var msg600 = msg("357:01", dup199); + +var msg601 = msg("357", dup200); + +var select301 = linear_select([ + msg600, + msg601, +]); + +var msg602 = msg("358:01", dup199); + +var msg603 = msg("358", dup200); + +var select302 = linear_select([ + msg602, + msg603, +]); + +var part34 = tagval("MESSAGE#603:190:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup84, + dup2, + dup3, +])); + +var msg604 = msg("190:01", part34); + +var part35 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#604:190", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup84, + dup2, +])); + +var msg605 = msg("190", part35); + +var select303 = linear_select([ + msg604, + msg605, +]); + +var msg606 = msg("5:01", dup161); + +var msg607 = msg("5", dup162); + +var select304 = linear_select([ + msg606, + msg607, +]); + +var msg608 = msg("310:01", dup153); + +var msg609 = msg("310", dup154); + +var select305 = linear_select([ + msg608, + msg609, +]); + +var msg610 = msg("311:01", dup153); + +var msg611 = msg("311", dup154); + +var select306 = linear_select([ + msg610, + msg611, +]); + +var msg612 = msg("312:01", dup153); + +var msg613 = msg("312", dup154); + +var select307 = linear_select([ + msg612, + msg613, +]); + +var msg614 = msg("313:01", dup153); + +var msg615 = msg("313", dup154); + +var select308 = linear_select([ + msg614, + msg615, +]); + +var msg616 = msg("359:01", dup153); + +var msg617 = msg("359", dup154); + +var select309 = linear_select([ + msg616, + msg617, +]); + +var msg618 = msg("372", dup201); + +var msg619 = msg("374", dup201); + +var msg620 = msg("376", dup201); + +var part36 = // "Pattern{Constant('"'), Field(fld89,false), Constant('";LogonDomain='), Field(p0,false)}" +match("MESSAGE#620:411:01/17_0", "nwparser.p0", "\"%{fld89}\";LogonDomain=%{p0}"); + +var part37 = // "Pattern{Field(fld89,false), Constant(';LogonDomain='), Field(p0,false)}" +match("MESSAGE#620:411:01/17_1", "nwparser.p0", "%{fld89};LogonDomain=%{p0}"); + +var select310 = linear_select([ + part36, + part37, +]); + +var part38 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";ExtraDetails="Command='), Field(p0,false)}" +match("MESSAGE#620:411:01/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"Command=%{p0}"); + +var part39 = // "Pattern{Field(obj_type,false), Constant(';ExtraDetails="Command='), Field(p0,false)}" +match("MESSAGE#620:411:01/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"Command=%{p0}"); + +var select311 = linear_select([ + part38, + part39, +]); + +var part40 = // "Pattern{Field(param,false), Constant(';ConnectionComponentId='), Field(fld67,false), Constant(';DstHost='), Field(dhost,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld11,false), Constant(';RDPOffset='), Field(fld12,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';User='), Field(c_username,false), Constant(';VIDOffset='), Field(fld13,false), Constant(';')}" +match("MESSAGE#620:411:01/24", "nwparser.p0", "%{param};ConnectionComponentId=%{fld67};DstHost=%{dhost};Protocol=%{protocol};PSMID=%{fld11};RDPOffset=%{fld12};SessionID=%{sessionid};SrcHost=%{shost};User=%{c_username};VIDOffset=%{fld13};"); + +var all4 = all_match({ + processors: [ + dup31, + dup172, + dup173, + dup174, + dup175, + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, + dup185, + dup186, + dup187, + select310, + dup189, + dup190, + dup191, + dup192, + dup193, + select311, + part40, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + dup24, + ]), +}); + +var msg621 = msg("411:01", all4); + +var part41 = // "Pattern{Constant('"Command='), Field(param,false), Constant(';ConnectionComponentId='), Field(fld1,false), Constant(';DstHost='), Field(fld2,false), Constant(';ProcessId='), Field(process_id,false), Constant(';ProcessName='), Field(process,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld3,false), Constant(';RDPOffset='), Field(fld4,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';User='), Field(fld5,false), Constant(';VIDOffset='), Field(fld6,false), Constant(';"')}" +match("MESSAGE#621:411/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};ProcessId=%{process_id};ProcessName=%{process};Protocol=%{protocol};PSMID=%{fld3};RDPOffset=%{fld4};SessionID=%{sessionid};SrcHost=%{shost};User=%{fld5};VIDOffset=%{fld6};\""); + +var select312 = linear_select([ + part41, + dup150, +]); + +var all5 = all_match({ + processors: [ + dup31, + dup202, + dup87, + dup203, + dup90, + dup204, + dup93, + dup205, + dup96, + dup206, + dup99, + dup207, + dup102, + dup208, + dup105, + dup209, + dup108, + dup210, + dup111, + dup211, + dup114, + dup212, + dup119, + dup213, + dup122, + dup214, + dup125, + dup215, + dup128, + dup216, + dup131, + dup217, + dup134, + dup218, + dup137, + dup219, + dup140, + dup220, + dup143, + dup221, + dup146, + dup222, + dup149, + select312, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), +}); + +var msg622 = msg("411", all5); + +var select313 = linear_select([ + msg621, + msg622, +]); + +var part42 = // "Pattern{Constant('Version='), Field(version,false), Constant(';Message='), Field(action,false), Constant(';Issuer='), Field(username,false), Constant(';Station='), Field(hostip,false), Constant(';File='), Field(filename,false), Constant(';Safe='), Field(group_object,false), Constant(';Location="'), Field(directory,false), Constant('";Category='), Field(category,false), Constant(';RequestId='), Field(id1,false), Constant(';Reason='), Field(event_description,false), Constant(';Severity='), Field(severity,false), Constant(';GatewayStation='), Field(saddr,false), Constant(';TicketID='), Field(operation_id,false), Constant(';PolicyID='), Field(policyname,false), Constant(';UserName='), Field(c_username,false), Constant(';LogonDomain='), Field(domain,false), Constant(';Address='), Field(dhost,false), Constant(';CPMStatus='), Field(disposition,false), Constant(';Port="'), Field(dport,false), Constant('";Database='), Field(db_name,false), Constant(';DeviceType='), Field(obj_type,false), Constant(';ExtraDetails='), Field(info,false)}" +match("MESSAGE#622:385", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%{filename};Safe=%{group_object};Location=\"%{directory}\";Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info}", processor_chain([ + dup4, + dup2, + dup3, +])); + +var msg623 = msg("385", part42); + +var part43 = // "Pattern{Constant('"Command='), Field(param,false), Constant(';ConnectionComponentId='), Field(fld1,false), Constant(';DstHost='), Field(fld2,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld3,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';SSHOffset='), Field(fld4,false), Constant(';User='), Field(fld5,false), Constant(';VIDOffset='), Field(fld6,false), Constant(';"')}" +match("MESSAGE#623:361/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};SSHOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); + +var select314 = linear_select([ + part43, + dup150, +]); + +var all6 = all_match({ + processors: [ + dup31, + dup202, + dup87, + dup203, + dup90, + dup204, + dup93, + dup205, + dup96, + dup206, + dup99, + dup207, + dup102, + dup208, + dup105, + dup209, + dup108, + dup210, + dup111, + dup211, + dup114, + dup212, + dup119, + dup213, + dup122, + dup214, + dup125, + dup215, + dup128, + dup216, + dup131, + dup217, + dup134, + dup218, + dup137, + dup219, + dup140, + dup220, + dup143, + dup221, + dup146, + dup222, + dup149, + select314, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), +}); + +var msg624 = msg("361", all6); + +var part44 = // "Pattern{Constant('"Command='), Field(param,false), Constant(';ConnectionComponentId='), Field(fld1,false), Constant(';DstHost='), Field(fld2,false), Constant(';Protocol='), Field(protocol,false), Constant(';PSMID='), Field(fld3,false), Constant(';SessionID='), Field(sessionid,false), Constant(';SrcHost='), Field(shost,false), Constant(';TXTOffset='), Field(fld4,false), Constant(';User='), Field(fld5,false), Constant(';VIDOffset='), Field(fld6,false), Constant(';"')}" +match("MESSAGE#624:412/43_0", "nwparser.p0", "\"Command=%{param};ConnectionComponentId=%{fld1};DstHost=%{fld2};Protocol=%{protocol};PSMID=%{fld3};SessionID=%{sessionid};SrcHost=%{shost};TXTOffset=%{fld4};User=%{fld5};VIDOffset=%{fld6};\""); + +var select315 = linear_select([ + part44, + dup150, +]); + +var all7 = all_match({ + processors: [ + dup31, + dup202, + dup87, + dup203, + dup90, + dup204, + dup93, + dup205, + dup96, + dup206, + dup99, + dup207, + dup102, + dup208, + dup105, + dup209, + dup108, + dup210, + dup111, + dup211, + dup114, + dup212, + dup119, + dup213, + dup122, + dup214, + dup125, + dup215, + dup128, + dup216, + dup131, + dup217, + dup134, + dup218, + dup137, + dup219, + dup140, + dup220, + dup143, + dup221, + dup146, + dup222, + dup149, + select315, + ], + on_success: processor_chain([ + dup4, + dup2, + dup3, + ]), +}); + +var msg625 = msg("412", all7); + +var msg626 = msg("378", dup153); + +var msg627 = msg("321", dup153); + +var msg628 = msg("322", dup153); + +var msg629 = msg("323", dup153); + +var msg630 = msg("318", dup153); + +var msg631 = msg("380", dup153); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "1": select2, + "10": select9, + "100": select99, + "101": select100, + "102": select101, + "103": select102, + "104": select103, + "105": select104, + "106": select105, + "107": select106, + "108": select107, + "109": select108, + "11": select10, + "110": select109, + "111": select110, + "112": select111, + "114": select112, + "115": select113, + "116": select114, + "117": select115, + "118": select116, + "119": select117, + "12": select11, + "120": select118, + "121": select119, + "122": select120, + "123": select121, + "124": select122, + "125": select123, + "126": select124, + "127": select125, + "128": select126, + "129": select127, + "13": select12, + "130": select128, + "131": select129, + "132": select130, + "133": select131, + "134": select132, + "135": select133, + "136": select134, + "137": select135, + "138": select136, + "139": select137, + "14": select13, + "140": select138, + "141": select139, + "142": select140, + "143": select141, + "144": select142, + "145": select143, + "146": select144, + "147": select145, + "148": select146, + "149": select147, + "15": select14, + "150": select148, + "152": select149, + "153": select150, + "154": select151, + "155": select152, + "156": select153, + "157": select154, + "158": select155, + "159": select156, + "16": select15, + "160": select157, + "161": select158, + "162": select159, + "163": select160, + "164": select161, + "165": select162, + "166": select163, + "167": select164, + "168": select165, + "169": select166, + "17": select16, + "170": select167, + "171": select168, + "172": select169, + "173": select170, + "174": select171, + "175": select172, + "176": select173, + "177": select174, + "178": select175, + "179": select176, + "18": select17, + "180": select177, + "181": select178, + "182": select179, + "183": select180, + "184": select181, + "185": select182, + "186": select183, + "187": select184, + "188": select185, + "189": select186, + "19": select18, + "190": select303, + "191": select187, + "192": select188, + "193": select189, + "194": select190, + "195": select191, + "196": select192, + "197": select193, + "198": select194, + "199": select195, + "2": select3, + "20": select19, + "200": select196, + "201": select197, + "202": select198, + "203": select199, + "204": select200, + "205": select201, + "206": select202, + "207": select203, + "208": select204, + "209": select205, + "21": select20, + "211": select206, + "212": select207, + "213": select208, + "214": select209, + "215": select210, + "216": select211, + "217": select212, + "218": select213, + "219": select214, + "22": select21, + "220": select215, + "221": select216, + "222": select217, + "223": select218, + "224": select219, + "229": select220, + "23": select22, + "230": select221, + "231": select222, + "232": select223, + "233": select224, + "236": select225, + "237": select226, + "238": select227, + "239": select228, + "24": select23, + "240": select229, + "241": select230, + "243": select231, + "244": select232, + "246": select233, + "247": select234, + "248": select235, + "249": select236, + "25": select24, + "250": select237, + "251": select238, + "252": select239, + "253": select240, + "254": select241, + "255": select242, + "256": select243, + "257": select244, + "259": select245, + "26": select25, + "260": select246, + "261": select247, + "262": select248, + "263": select249, + "264": select250, + "265": select251, + "266": select252, + "267": select253, + "268": select254, + "269": select255, + "27": select26, + "270": select256, + "271": select257, + "272": select258, + "273": select259, + "274": select260, + "275": select261, + "276": select262, + "277": select263, + "278": select264, + "279": select265, + "28": select27, + "280": select266, + "281": select267, + "282": select268, + "283": select269, + "284": select270, + "285": select271, + "286": select272, + "287": select273, + "288": select274, + "289": select275, + "29": select28, + "290": select276, + "291": select277, + "292": select278, + "293": select279, + "294": select280, + "295": select281, + "296": select282, + "297": select283, + "298": select284, + "299": select285, + "3": select4, + "30": select29, + "300": select286, + "301": select287, + "302": select288, + "303": select289, + "304": select291, + "305": select292, + "306": select293, + "307": select294, + "308": select295, + "309": select296, + "31": select30, + "310": select305, + "311": select306, + "312": select307, + "313": select308, + "316": select298, + "317": select297, + "318": msg630, + "32": select31, + "321": msg627, + "322": msg628, + "323": msg629, + "33": select32, + "34": select33, + "35": select34, + "355": select299, + "356": select300, + "357": select301, + "358": select302, + "359": select309, + "36": select35, + "361": msg624, + "37": select36, + "372": msg618, + "374": msg619, + "376": msg620, + "378": msg626, + "38": select37, + "380": msg631, + "385": msg623, + "39": select38, + "4": select5, + "40": select39, + "41": select40, + "411": select313, + "412": msg625, + "42": select41, + "43": select42, + "44": select43, + "45": select44, + "46": select45, + "47": select46, + "48": select47, + "49": select48, + "5": select304, + "50": select49, + "51": select50, + "52": select51, + "53": select52, + "54": select53, + "55": select54, + "56": select55, + "57": select56, + "58": select57, + "59": select58, + "60": select59, + "61": select60, + "62": select61, + "63": select62, + "64": select63, + "65": select64, + "66": select65, + "67": select66, + "68": select67, + "69": select68, + "7": select6, + "70": select69, + "71": select70, + "72": select71, + "73": select72, + "74": select73, + "75": select74, + "76": select75, + "77": select76, + "78": select77, + "79": select78, + "8": select7, + "80": select79, + "81": select80, + "82": select81, + "83": select82, + "84": select83, + "85": select84, + "86": select85, + "87": select86, + "88": select87, + "89": select88, + "9": select8, + "90": select89, + "91": select90, + "92": select91, + "93": select92, + "94": select93, + "95": select94, + "96": select95, + "97": select96, + "98": select97, + "99": select98, + }), +]); + +var part45 = // "Pattern{Constant('Version='), Field(p0,false)}" +match("MESSAGE#568:300:02/0", "nwparser.payload", "Version=%{p0}"); + +var part46 = // "Pattern{Constant('"'), Field(version,false), Constant('";Message='), Field(p0,false)}" +match("MESSAGE#568:300:02/1_0", "nwparser.p0", "\"%{version}\";Message=%{p0}"); + +var part47 = // "Pattern{Field(version,false), Constant(';Message='), Field(p0,false)}" +match("MESSAGE#568:300:02/1_1", "nwparser.p0", "%{version};Message=%{p0}"); + +var part48 = // "Pattern{Constant('"'), Field(action,false), Constant('";Issuer='), Field(p0,false)}" +match("MESSAGE#568:300:02/2_0", "nwparser.p0", "\"%{action}\";Issuer=%{p0}"); + +var part49 = // "Pattern{Field(action,false), Constant(';Issuer='), Field(p0,false)}" +match("MESSAGE#568:300:02/2_1", "nwparser.p0", "%{action};Issuer=%{p0}"); + +var part50 = // "Pattern{Constant('"'), Field(username,false), Constant('";Station='), Field(p0,false)}" +match("MESSAGE#568:300:02/3_0", "nwparser.p0", "\"%{username}\";Station=%{p0}"); + +var part51 = // "Pattern{Field(username,false), Constant(';Station='), Field(p0,false)}" +match("MESSAGE#568:300:02/3_1", "nwparser.p0", "%{username};Station=%{p0}"); + +var part52 = // "Pattern{Constant('"'), Field(hostip,false), Constant('";File='), Field(p0,false)}" +match("MESSAGE#568:300:02/4_0", "nwparser.p0", "\"%{hostip}\";File=%{p0}"); + +var part53 = // "Pattern{Field(hostip,false), Constant(';File='), Field(p0,false)}" +match("MESSAGE#568:300:02/4_1", "nwparser.p0", "%{hostip};File=%{p0}"); + +var part54 = // "Pattern{Constant('"'), Field(filename,false), Constant('";Safe='), Field(p0,false)}" +match("MESSAGE#568:300:02/5_0", "nwparser.p0", "\"%{filename}\";Safe=%{p0}"); + +var part55 = // "Pattern{Field(filename,false), Constant(';Safe='), Field(p0,false)}" +match("MESSAGE#568:300:02/5_1", "nwparser.p0", "%{filename};Safe=%{p0}"); + +var part56 = // "Pattern{Constant('"'), Field(group_object,false), Constant('";Location='), Field(p0,false)}" +match("MESSAGE#568:300:02/6_0", "nwparser.p0", "\"%{group_object}\";Location=%{p0}"); + +var part57 = // "Pattern{Field(group_object,false), Constant(';Location='), Field(p0,false)}" +match("MESSAGE#568:300:02/6_1", "nwparser.p0", "%{group_object};Location=%{p0}"); + +var part58 = // "Pattern{Constant('"'), Field(directory,false), Constant('";Category='), Field(p0,false)}" +match("MESSAGE#568:300:02/7_0", "nwparser.p0", "\"%{directory}\";Category=%{p0}"); + +var part59 = // "Pattern{Field(directory,false), Constant(';Category='), Field(p0,false)}" +match("MESSAGE#568:300:02/7_1", "nwparser.p0", "%{directory};Category=%{p0}"); + +var part60 = // "Pattern{Constant('"'), Field(category,false), Constant('";RequestId='), Field(p0,false)}" +match("MESSAGE#568:300:02/8_0", "nwparser.p0", "\"%{category}\";RequestId=%{p0}"); + +var part61 = // "Pattern{Field(category,false), Constant(';RequestId='), Field(p0,false)}" +match("MESSAGE#568:300:02/8_1", "nwparser.p0", "%{category};RequestId=%{p0}"); + +var part62 = // "Pattern{Constant('"'), Field(id1,false), Constant('";Reason='), Field(p0,false)}" +match("MESSAGE#568:300:02/9_0", "nwparser.p0", "\"%{id1}\";Reason=%{p0}"); + +var part63 = // "Pattern{Field(id1,false), Constant(';Reason='), Field(p0,false)}" +match("MESSAGE#568:300:02/9_1", "nwparser.p0", "%{id1};Reason=%{p0}"); + +var part64 = // "Pattern{Constant('"'), Field(event_description,false), Constant('";Severity='), Field(p0,false)}" +match("MESSAGE#568:300:02/10_0", "nwparser.p0", "\"%{event_description}\";Severity=%{p0}"); + +var part65 = // "Pattern{Field(event_description,false), Constant(';Severity='), Field(p0,false)}" +match("MESSAGE#568:300:02/10_1", "nwparser.p0", "%{event_description};Severity=%{p0}"); + +var part66 = // "Pattern{Constant('"'), Field(severity,false), Constant('";SourceUser='), Field(p0,false)}" +match("MESSAGE#568:300:02/11_0", "nwparser.p0", "\"%{severity}\";SourceUser=%{p0}"); + +var part67 = // "Pattern{Field(severity,false), Constant(';SourceUser='), Field(p0,false)}" +match("MESSAGE#568:300:02/11_1", "nwparser.p0", "%{severity};SourceUser=%{p0}"); + +var part68 = // "Pattern{Constant('"'), Field(group,false), Constant('";TargetUser='), Field(p0,false)}" +match("MESSAGE#568:300:02/12_0", "nwparser.p0", "\"%{group}\";TargetUser=%{p0}"); + +var part69 = // "Pattern{Field(group,false), Constant(';TargetUser='), Field(p0,false)}" +match("MESSAGE#568:300:02/12_1", "nwparser.p0", "%{group};TargetUser=%{p0}"); + +var part70 = // "Pattern{Constant('"'), Field(uid,false), Constant('";GatewayStation='), Field(p0,false)}" +match("MESSAGE#568:300:02/13_0", "nwparser.p0", "\"%{uid}\";GatewayStation=%{p0}"); + +var part71 = // "Pattern{Field(uid,false), Constant(';GatewayStation='), Field(p0,false)}" +match("MESSAGE#568:300:02/13_1", "nwparser.p0", "%{uid};GatewayStation=%{p0}"); + +var part72 = // "Pattern{Constant('"'), Field(saddr,false), Constant('";TicketID='), Field(p0,false)}" +match("MESSAGE#568:300:02/14_0", "nwparser.p0", "\"%{saddr}\";TicketID=%{p0}"); + +var part73 = // "Pattern{Field(saddr,false), Constant(';TicketID='), Field(p0,false)}" +match("MESSAGE#568:300:02/14_1", "nwparser.p0", "%{saddr};TicketID=%{p0}"); + +var part74 = // "Pattern{Constant('"'), Field(operation_id,false), Constant('";PolicyID='), Field(p0,false)}" +match("MESSAGE#568:300:02/15_0", "nwparser.p0", "\"%{operation_id}\";PolicyID=%{p0}"); + +var part75 = // "Pattern{Field(operation_id,false), Constant(';PolicyID='), Field(p0,false)}" +match("MESSAGE#568:300:02/15_1", "nwparser.p0", "%{operation_id};PolicyID=%{p0}"); + +var part76 = // "Pattern{Constant('"'), Field(policyname,false), Constant('";UserName='), Field(p0,false)}" +match("MESSAGE#568:300:02/16_0", "nwparser.p0", "\"%{policyname}\";UserName=%{p0}"); + +var part77 = // "Pattern{Field(policyname,false), Constant(';UserName='), Field(p0,false)}" +match("MESSAGE#568:300:02/16_1", "nwparser.p0", "%{policyname};UserName=%{p0}"); + +var part78 = // "Pattern{Constant('"'), Field(fld11,false), Constant('";LogonDomain='), Field(p0,false)}" +match("MESSAGE#568:300:02/17_0", "nwparser.p0", "\"%{fld11}\";LogonDomain=%{p0}"); + +var part79 = // "Pattern{Field(fld11,false), Constant(';LogonDomain='), Field(p0,false)}" +match("MESSAGE#568:300:02/17_1", "nwparser.p0", "%{fld11};LogonDomain=%{p0}"); + +var part80 = // "Pattern{Constant('"'), Field(domain,false), Constant('";Address='), Field(p0,false)}" +match("MESSAGE#568:300:02/18_0", "nwparser.p0", "\"%{domain}\";Address=%{p0}"); + +var part81 = // "Pattern{Field(domain,false), Constant(';Address='), Field(p0,false)}" +match("MESSAGE#568:300:02/18_1", "nwparser.p0", "%{domain};Address=%{p0}"); + +var part82 = // "Pattern{Constant('"'), Field(fld14,false), Constant('";CPMStatus='), Field(p0,false)}" +match("MESSAGE#568:300:02/19_0", "nwparser.p0", "\"%{fld14}\";CPMStatus=%{p0}"); + +var part83 = // "Pattern{Field(fld14,false), Constant(';CPMStatus='), Field(p0,false)}" +match("MESSAGE#568:300:02/19_1", "nwparser.p0", "%{fld14};CPMStatus=%{p0}"); + +var part84 = // "Pattern{Constant('"'), Field(disposition,false), Constant('";Port='), Field(p0,false)}" +match("MESSAGE#568:300:02/20_0", "nwparser.p0", "\"%{disposition}\";Port=%{p0}"); + +var part85 = // "Pattern{Field(disposition,false), Constant(';Port='), Field(p0,false)}" +match("MESSAGE#568:300:02/20_1", "nwparser.p0", "%{disposition};Port=%{p0}"); + +var part86 = // "Pattern{Constant('"'), Field(dport,false), Constant('";Database='), Field(p0,false)}" +match("MESSAGE#568:300:02/21_0", "nwparser.p0", "\"%{dport}\";Database=%{p0}"); + +var part87 = // "Pattern{Field(dport,false), Constant(';Database='), Field(p0,false)}" +match("MESSAGE#568:300:02/21_1", "nwparser.p0", "%{dport};Database=%{p0}"); + +var part88 = // "Pattern{Constant('"'), Field(db_name,false), Constant('";DeviceType='), Field(p0,false)}" +match("MESSAGE#568:300:02/22_0", "nwparser.p0", "\"%{db_name}\";DeviceType=%{p0}"); + +var part89 = // "Pattern{Field(db_name,false), Constant(';DeviceType='), Field(p0,false)}" +match("MESSAGE#568:300:02/22_1", "nwparser.p0", "%{db_name};DeviceType=%{p0}"); + +var part90 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";ExtraDetails="ApplicationType='), Field(p0,false)}" +match("MESSAGE#568:300:02/23_0", "nwparser.p0", "\"%{obj_type}\";ExtraDetails=\"ApplicationType=%{p0}"); + +var part91 = // "Pattern{Field(obj_type,false), Constant(';ExtraDetails="ApplicationType='), Field(p0,false)}" +match("MESSAGE#568:300:02/23_1", "nwparser.p0", "%{obj_type};ExtraDetails=\"ApplicationType=%{p0}"); + +var part92 = // "Pattern{Constant('"'), Field(version,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/1_0", "nwparser.p0", "\"%{version}\";%{p0}"); + +var part93 = // "Pattern{Field(version,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/1_1", "nwparser.p0", "%{version};%{p0}"); + +var part94 = // "Pattern{Constant('Message='), Field(p0,false)}" +match("MESSAGE#621:411/2", "nwparser.p0", "Message=%{p0}"); + +var part95 = // "Pattern{Constant('"'), Field(action,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/3_0", "nwparser.p0", "\"%{action}\";%{p0}"); + +var part96 = // "Pattern{Field(action,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/3_1", "nwparser.p0", "%{action};%{p0}"); + +var part97 = // "Pattern{Constant('Issuer='), Field(p0,false)}" +match("MESSAGE#621:411/4", "nwparser.p0", "Issuer=%{p0}"); + +var part98 = // "Pattern{Constant('"'), Field(username,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/5_0", "nwparser.p0", "\"%{username}\";%{p0}"); + +var part99 = // "Pattern{Field(username,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/5_1", "nwparser.p0", "%{username};%{p0}"); + +var part100 = // "Pattern{Constant('Station='), Field(p0,false)}" +match("MESSAGE#621:411/6", "nwparser.p0", "Station=%{p0}"); + +var part101 = // "Pattern{Constant('"'), Field(hostip,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/7_0", "nwparser.p0", "\"%{hostip}\";%{p0}"); + +var part102 = // "Pattern{Field(hostip,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/7_1", "nwparser.p0", "%{hostip};%{p0}"); + +var part103 = // "Pattern{Constant('File='), Field(p0,false)}" +match("MESSAGE#621:411/8", "nwparser.p0", "File=%{p0}"); + +var part104 = // "Pattern{Constant('"'), Field(filename,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/9_0", "nwparser.p0", "\"%{filename}\";%{p0}"); + +var part105 = // "Pattern{Field(filename,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/9_1", "nwparser.p0", "%{filename};%{p0}"); + +var part106 = // "Pattern{Constant('Safe='), Field(p0,false)}" +match("MESSAGE#621:411/10", "nwparser.p0", "Safe=%{p0}"); + +var part107 = // "Pattern{Constant('"'), Field(group_object,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/11_0", "nwparser.p0", "\"%{group_object}\";%{p0}"); + +var part108 = // "Pattern{Field(group_object,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/11_1", "nwparser.p0", "%{group_object};%{p0}"); + +var part109 = // "Pattern{Constant('Location='), Field(p0,false)}" +match("MESSAGE#621:411/12", "nwparser.p0", "Location=%{p0}"); + +var part110 = // "Pattern{Constant('"'), Field(directory,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/13_0", "nwparser.p0", "\"%{directory}\";%{p0}"); + +var part111 = // "Pattern{Field(directory,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/13_1", "nwparser.p0", "%{directory};%{p0}"); + +var part112 = // "Pattern{Constant('Category='), Field(p0,false)}" +match("MESSAGE#621:411/14", "nwparser.p0", "Category=%{p0}"); + +var part113 = // "Pattern{Constant('"'), Field(category,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/15_0", "nwparser.p0", "\"%{category}\";%{p0}"); + +var part114 = // "Pattern{Field(category,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/15_1", "nwparser.p0", "%{category};%{p0}"); + +var part115 = // "Pattern{Constant('RequestId='), Field(p0,false)}" +match("MESSAGE#621:411/16", "nwparser.p0", "RequestId=%{p0}"); + +var part116 = // "Pattern{Constant('"'), Field(id1,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/17_0", "nwparser.p0", "\"%{id1}\";%{p0}"); + +var part117 = // "Pattern{Field(id1,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/17_1", "nwparser.p0", "%{id1};%{p0}"); + +var part118 = // "Pattern{Constant('Reason='), Field(p0,false)}" +match("MESSAGE#621:411/18", "nwparser.p0", "Reason=%{p0}"); + +var part119 = // "Pattern{Constant('"'), Field(event_description,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/19_0", "nwparser.p0", "\"%{event_description}\";%{p0}"); + +var part120 = // "Pattern{Field(event_description,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/19_1", "nwparser.p0", "%{event_description};%{p0}"); + +var part121 = // "Pattern{Constant('Severity='), Field(p0,false)}" +match("MESSAGE#621:411/20", "nwparser.p0", "Severity=%{p0}"); + +var part122 = // "Pattern{Constant('"'), Field(severity,false), Constant('";SourceUser="'), Field(group,false), Constant('";TargetUser="'), Field(uid,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/21_0", "nwparser.p0", "\"%{severity}\";SourceUser=\"%{group}\";TargetUser=\"%{uid}\";%{p0}"); + +var part123 = // "Pattern{Field(severity,false), Constant(';SourceUser='), Field(group,false), Constant(';TargetUser='), Field(uid,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/21_1", "nwparser.p0", "%{severity};SourceUser=%{group};TargetUser=%{uid};%{p0}"); + +var part124 = // "Pattern{Constant('"'), Field(severity,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/21_2", "nwparser.p0", "\"%{severity}\";%{p0}"); + +var part125 = // "Pattern{Field(severity,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/21_3", "nwparser.p0", "%{severity};%{p0}"); + +var part126 = // "Pattern{Constant('GatewayStation='), Field(p0,false)}" +match("MESSAGE#621:411/22", "nwparser.p0", "GatewayStation=%{p0}"); + +var part127 = // "Pattern{Constant('"'), Field(saddr,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/23_0", "nwparser.p0", "\"%{saddr}\";%{p0}"); + +var part128 = // "Pattern{Field(saddr,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/23_1", "nwparser.p0", "%{saddr};%{p0}"); + +var part129 = // "Pattern{Constant('TicketID='), Field(p0,false)}" +match("MESSAGE#621:411/24", "nwparser.p0", "TicketID=%{p0}"); + +var part130 = // "Pattern{Constant('"'), Field(operation_id,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/25_0", "nwparser.p0", "\"%{operation_id}\";%{p0}"); + +var part131 = // "Pattern{Field(operation_id,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/25_1", "nwparser.p0", "%{operation_id};%{p0}"); + +var part132 = // "Pattern{Constant('PolicyID='), Field(p0,false)}" +match("MESSAGE#621:411/26", "nwparser.p0", "PolicyID=%{p0}"); + +var part133 = // "Pattern{Constant('"'), Field(policyname,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/27_0", "nwparser.p0", "\"%{policyname}\";%{p0}"); + +var part134 = // "Pattern{Field(policyname,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/27_1", "nwparser.p0", "%{policyname};%{p0}"); + +var part135 = // "Pattern{Constant('UserName='), Field(p0,false)}" +match("MESSAGE#621:411/28", "nwparser.p0", "UserName=%{p0}"); + +var part136 = // "Pattern{Constant('"'), Field(c_username,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/29_0", "nwparser.p0", "\"%{c_username}\";%{p0}"); + +var part137 = // "Pattern{Field(c_username,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/29_1", "nwparser.p0", "%{c_username};%{p0}"); + +var part138 = // "Pattern{Constant('LogonDomain='), Field(p0,false)}" +match("MESSAGE#621:411/30", "nwparser.p0", "LogonDomain=%{p0}"); + +var part139 = // "Pattern{Constant('"'), Field(domain,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/31_0", "nwparser.p0", "\"%{domain}\";%{p0}"); + +var part140 = // "Pattern{Field(domain,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/31_1", "nwparser.p0", "%{domain};%{p0}"); + +var part141 = // "Pattern{Constant('Address='), Field(p0,false)}" +match("MESSAGE#621:411/32", "nwparser.p0", "Address=%{p0}"); + +var part142 = // "Pattern{Constant('"'), Field(dhost,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/33_0", "nwparser.p0", "\"%{dhost}\";%{p0}"); + +var part143 = // "Pattern{Field(dhost,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/33_1", "nwparser.p0", "%{dhost};%{p0}"); + +var part144 = // "Pattern{Constant('CPMStatus='), Field(p0,false)}" +match("MESSAGE#621:411/34", "nwparser.p0", "CPMStatus=%{p0}"); + +var part145 = // "Pattern{Constant('"'), Field(disposition,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/35_0", "nwparser.p0", "\"%{disposition}\";%{p0}"); + +var part146 = // "Pattern{Field(disposition,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/35_1", "nwparser.p0", "%{disposition};%{p0}"); + +var part147 = // "Pattern{Constant('Port='), Field(p0,false)}" +match("MESSAGE#621:411/36", "nwparser.p0", "Port=%{p0}"); + +var part148 = // "Pattern{Constant('"'), Field(dport,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/37_0", "nwparser.p0", "\"%{dport}\";%{p0}"); + +var part149 = // "Pattern{Field(dport,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/37_1", "nwparser.p0", "%{dport};%{p0}"); + +var part150 = // "Pattern{Constant('Database='), Field(p0,false)}" +match("MESSAGE#621:411/38", "nwparser.p0", "Database=%{p0}"); + +var part151 = // "Pattern{Constant('"'), Field(db_name,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/39_0", "nwparser.p0", "\"%{db_name}\";%{p0}"); + +var part152 = // "Pattern{Field(db_name,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/39_1", "nwparser.p0", "%{db_name};%{p0}"); + +var part153 = // "Pattern{Constant('DeviceType='), Field(p0,false)}" +match("MESSAGE#621:411/40", "nwparser.p0", "DeviceType=%{p0}"); + +var part154 = // "Pattern{Constant('"'), Field(obj_type,false), Constant('";'), Field(p0,false)}" +match("MESSAGE#621:411/41_0", "nwparser.p0", "\"%{obj_type}\";%{p0}"); + +var part155 = // "Pattern{Field(obj_type,false), Constant(';'), Field(p0,false)}" +match("MESSAGE#621:411/41_1", "nwparser.p0", "%{obj_type};%{p0}"); + +var part156 = // "Pattern{Constant('ExtraDetails='), Field(p0,false)}" +match("MESSAGE#621:411/42", "nwparser.p0", "ExtraDetails=%{p0}"); + +var part157 = // "Pattern{Field(info,false), Constant(';')}" +match("MESSAGE#621:411/43_1", "nwparser.p0", "%{info};"); + +var part158 = tagval("MESSAGE#0:1:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup1, + dup2, + dup3, +])); + +var part159 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#1:1", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup1, + dup2, +])); + +var part160 = tagval("MESSAGE#2:2:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup4, + dup2, + dup3, +])); + +var part161 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#3:2", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup4, + dup2, +])); + +var part162 = tagval("MESSAGE#6:4:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, + dup3, +])); + +var part163 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#7:4", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup5, + dup6, + dup7, + dup8, + dup9, + dup2, +])); + +var part164 = tagval("MESSAGE#20:13:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup15, + dup16, + dup17, + dup9, + dup2, + dup3, +])); + +var part165 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#21:13", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup16, + dup17, + dup9, + dup2, +])); + +var part166 = tagval("MESSAGE#26:16:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup19, + dup2, + dup3, +])); + +var part167 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#27:16", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup19, + dup2, +])); + +var part168 = tagval("MESSAGE#30:18:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup15, + dup2, + dup3, +])); + +var part169 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#31:18", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup15, + dup2, +])); + +var part170 = tagval("MESSAGE#38:22:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup21, + dup2, + dup3, +])); + +var part171 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#39:22", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup21, + dup2, +])); + +var part172 = tagval("MESSAGE#70:38:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup23, + dup2, + dup3, +])); + +var part173 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#71:38", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup23, + dup2, +])); + +var part174 = tagval("MESSAGE#116:61:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup20, + dup2, + dup3, +])); + +var part175 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#117:61", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup20, + dup2, +])); + +var part176 = tagval("MESSAGE#126:66:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup26, + dup2, + dup3, +])); + +var part177 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#127:66", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup26, + dup2, +])); + +var part178 = tagval("MESSAGE#190:98:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup26, + dup2, + dup3, + dup24, + dup25, +])); + +var select316 = linear_select([ + dup32, + dup33, +]); + +var select317 = linear_select([ + dup34, + dup35, +]); + +var select318 = linear_select([ + dup36, + dup37, +]); + +var select319 = linear_select([ + dup38, + dup39, +]); + +var select320 = linear_select([ + dup40, + dup41, +]); + +var select321 = linear_select([ + dup42, + dup43, +]); + +var select322 = linear_select([ + dup44, + dup45, +]); + +var select323 = linear_select([ + dup46, + dup47, +]); + +var select324 = linear_select([ + dup48, + dup49, +]); + +var select325 = linear_select([ + dup50, + dup51, +]); + +var select326 = linear_select([ + dup52, + dup53, +]); + +var select327 = linear_select([ + dup54, + dup55, +]); + +var select328 = linear_select([ + dup56, + dup57, +]); + +var select329 = linear_select([ + dup58, + dup59, +]); + +var select330 = linear_select([ + dup60, + dup61, +]); + +var select331 = linear_select([ + dup62, + dup63, +]); + +var select332 = linear_select([ + dup64, + dup65, +]); + +var select333 = linear_select([ + dup66, + dup67, +]); + +var select334 = linear_select([ + dup68, + dup69, +]); + +var select335 = linear_select([ + dup70, + dup71, +]); + +var select336 = linear_select([ + dup72, + dup73, +]); + +var select337 = linear_select([ + dup74, + dup75, +]); + +var select338 = linear_select([ + dup76, + dup77, +]); + +var part179 = tagval("MESSAGE#591:317:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup79, + dup80, + dup81, + dup2, + dup3, +])); + +var part180 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#592:317", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup79, + dup80, + dup81, + dup2, +])); + +var part181 = tagval("MESSAGE#595:355:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup82, + dup2, + dup3, +])); + +var part182 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#596:355", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup82, + dup2, +])); + +var part183 = tagval("MESSAGE#599:357:01", "nwparser.payload", tvm, { + "Address": "dhost", + "CPMStatus": "disposition", + "Category": "category", + "Database": "db_name", + "DeviceType": "obj_type", + "ExtraDetails": "info", + "File": "filename", + "GatewayStation": "saddr", + "Issuer": "username", + "Location": "directory", + "LogonDomain": "domain", + "Message": "action", + "PolicyID": "policyname", + "Port": "dport", + "Reason": "event_description", + "RequestId": "id1", + "Safe": "group_object", + "Severity": "severity", + "SourceUser": "group", + "Station": "hostip", + "TargetUser": "uid", + "TicketID": "operation_id", + "UserName": "c_username", + "Version": "version", +}, processor_chain([ + dup83, + dup2, + dup3, +])); + +var part184 = // "Pattern{Field(product,true), Constant(' '), Field(version,false), Constant('",ProductAccount="'), Field(service_account,false), Constant('",ProductProcess="'), Field(fld2,false), Constant('",EventId="'), Field(id,false), Constant('",EventClass="'), Field(fld3,false), Constant('",EventSeverity="'), Field(severity,false), Constant('",EventMessage="'), Field(action,false), Constant('",ActingUserName="'), Field(username,false), Constant('",ActingAddress="'), Field(hostip,false), Constant('",ActionSourceUser="'), Field(fld4,false), Constant('",ActionTargetUser="'), Field(c_username,false), Constant('",ActionObject="'), Field(filename,false), Constant('",ActionSafe="'), Field(group_object,false), Constant('",ActionLocation="'), Field(directory,false), Constant('",ActionCategory="'), Field(category,false), Constant('",ActionRequestId="'), Field(id1,false), Constant('",ActionReason="'), Field(event_description,false), Constant('",ActionExtraDetails="'), Field(info,false), Constant('"')}" +match("MESSAGE#600:357", "nwparser.payload", "%{product->} %{version}\",ProductAccount=\"%{service_account}\",ProductProcess=\"%{fld2}\",EventId=\"%{id}\",EventClass=\"%{fld3}\",EventSeverity=\"%{severity}\",EventMessage=\"%{action}\",ActingUserName=\"%{username}\",ActingAddress=\"%{hostip}\",ActionSourceUser=\"%{fld4}\",ActionTargetUser=\"%{c_username}\",ActionObject=\"%{filename}\",ActionSafe=\"%{group_object}\",ActionLocation=\"%{directory}\",ActionCategory=\"%{category}\",ActionRequestId=\"%{id1}\",ActionReason=\"%{event_description}\",ActionExtraDetails=\"%{info}\"", processor_chain([ + dup83, + dup2, +])); + +var part185 = // "Pattern{Constant('Version='), Field(version,false), Constant(';Message='), Field(action,false), Constant(';Issuer='), Field(username,false), Constant(';Station='), Field(hostip,false), Constant(';File='), Field(filename,false), Constant(';Safe='), Field(group_object,false), Constant(';Location='), Field(directory,false), Constant(';Category='), Field(category,false), Constant(';RequestId='), Field(id1,false), Constant(';Reason='), Field(event_description,false), Constant(';Severity='), Field(severity,false), Constant(';GatewayStation='), Field(saddr,false), Constant(';TicketID='), Field(operation_id,false), Constant(';PolicyID='), Field(policyname,false), Constant(';UserName='), Field(c_username,false), Constant(';LogonDomain='), Field(domain,false), Constant(';Address='), Field(dhost,false), Constant(';CPMStatus='), Field(disposition,false), Constant(';Port="'), Field(dport,false), Constant('";Database='), Field(db_name,false), Constant(';DeviceType='), Field(obj_type,false), Constant(';ExtraDetails='), Field(info,false), Constant(';')}" +match("MESSAGE#617:372", "nwparser.payload", "Version=%{version};Message=%{action};Issuer=%{username};Station=%{hostip};File=%{filename};Safe=%{group_object};Location=%{directory};Category=%{category};RequestId=%{id1};Reason=%{event_description};Severity=%{severity};GatewayStation=%{saddr};TicketID=%{operation_id};PolicyID=%{policyname};UserName=%{c_username};LogonDomain=%{domain};Address=%{dhost};CPMStatus=%{disposition};Port=\"%{dport}\";Database=%{db_name};DeviceType=%{obj_type};ExtraDetails=%{info};", processor_chain([ + dup4, + dup2, + dup3, +])); + +var select339 = linear_select([ + dup85, + dup86, +]); + +var select340 = linear_select([ + dup88, + dup89, +]); + +var select341 = linear_select([ + dup91, + dup92, +]); + +var select342 = linear_select([ + dup94, + dup95, +]); + +var select343 = linear_select([ + dup97, + dup98, +]); + +var select344 = linear_select([ + dup100, + dup101, +]); + +var select345 = linear_select([ + dup103, + dup104, +]); + +var select346 = linear_select([ + dup106, + dup107, +]); + +var select347 = linear_select([ + dup109, + dup110, +]); + +var select348 = linear_select([ + dup112, + dup113, +]); + +var select349 = linear_select([ + dup115, + dup116, + dup117, + dup118, +]); + +var select350 = linear_select([ + dup120, + dup121, +]); + +var select351 = linear_select([ + dup123, + dup124, +]); + +var select352 = linear_select([ + dup126, + dup127, +]); + +var select353 = linear_select([ + dup129, + dup130, +]); + +var select354 = linear_select([ + dup132, + dup133, +]); + +var select355 = linear_select([ + dup135, + dup136, +]); + +var select356 = linear_select([ + dup138, + dup139, +]); + +var select357 = linear_select([ + dup141, + dup142, +]); + +var select358 = linear_select([ + dup144, + dup145, +]); + +var select359 = linear_select([ + dup147, + dup148, +]); diff --git a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml new file mode 100644 index 00000000000..ffe90e79f85 --- /dev/null +++ b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml @@ -0,0 +1,69 @@ +--- +description: Pipeline for Cyber-Ark + +processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hosts + value: '{{host.hostname server.domain}}' + allow_duplicates: false + if: ctx?.host?.hostname != null && ctx.host?.hostname != '' + - append: + field: related.hosts + value: '{{server.domain}}' + allow_duplicates: false + if: ctx?.server?.domain != null && ctx.server?.domain != '' +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/cyberark/corepas/manifest.yml b/x-pack/filebeat/module/cyberark/corepas/manifest.yml new file mode 100644 index 00000000000..76d15f7b9d3 --- /dev/null +++ b/x-pack/filebeat/module/cyberark/corepas/manifest.yml @@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["cyberark.corepas", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9527 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log b/x-pack/filebeat/module/cyberark/corepas/test/generated.log new file mode 100644 index 00000000000..29dd49e5dab --- /dev/null +++ b/x-pack/filebeat/module/cyberark/corepas/test/generated.log @@ -0,0 +1,100 @@ +2016-01-29 06:09:59.732538723 +0000 UTC eacommod1428.lan %CYBERARK: MessageID="188";exercita 1.1332",ProductAccount="itv",ProductProcess="odoco",EventId="ria",EventClass="min",EventSeverity="low",EventMessage="allow",ActingUserName="utl",ActingAddress="10.208.15.216",ActionSourceUser="tation",ActionTargetUser="quasiarc",ActionObject="liqua",ActionSafe="ciade",ActionLocation="turadipi",ActionCategory="aeca",ActionRequestId="idi",ActionReason="pexe",ActionExtraDetails="nes" +%CYBERARK: MessageID="168";Version=1.259;Message=block;Issuer=dolore;Station=10.92.136.230;File=ritquiin;Safe=umqui;Location=reeufugi;Category=mdolo;RequestId=mqui;Reason=nci;Severity=very-high;SourceUser=litesse;TargetUser=orev;GatewayStation=10.175.75.18;TicketID=deF;PolicyID=sist;UserName=nnumqu;LogonDomain=iatnu3810.mail.localdomain;Address=volup208.invalid;CPMStatus=eosquir;Port=5191;Database=umdo;DeviceType=itessequ;ExtraDetails=vol; +nibus 2016-02-26 20:15:08.252538723 +0000 UTC mipsumq3879.internal.localdomain %CYBERARK: MessageID="26";Version=1.7269;Message=accept;Issuer=incid;Station=10.51.132.10;File=utper;Safe=squame;Location=ntex;Category=eius;RequestId=luptat;Reason=emape;Severity=low;SourceUser=incidi;TargetUser=nse;GatewayStation=10.46.185.46;TicketID=temvel;PolicyID=iatu;UserName=serror;LogonDomain=anti4454.api.example;Address=tetu5280.www5.invalid;CPMStatus=tionulam;Port=2548;Database=byC;DeviceType=tinculp;ExtraDetails=tur; +2016-03-12 03:17:42.512538723 +0000 UTC minim7868.www5.localdomain %CYBERARK: MessageID="184";Version=1.6713;Message=deny;Issuer=psumquia;Station=10.53.192.140;File=con;Safe=uia;Location=quiavo;Category=issusci;RequestId=mol;Reason=taspe;Severity=high;SourceUser=psumq;TargetUser=atcup;GatewayStation=10.155.236.240;TicketID=tatno;PolicyID=dquiac;UserName=ptass;LogonDomain=uam6303.api.lan;Address=llu4762.mail.localdomain;CPMStatus=scivel;Port=5695;Database=aperi;DeviceType=iveli;ExtraDetails=llumd; +%CYBERARK: MessageID="161";emaper 1.2638",ProductAccount="eos",ProductProcess="enimad",EventId="rmagni",EventClass="sit",EventSeverity="medium",EventMessage="cancel",ActingUserName="oremips",ActingAddress="10.81.199.122",ActionSourceUser="aquaeabi",ActionTargetUser="giatq",ActionObject="quid",ActionSafe="fug",ActionLocation="uatDuis",ActionCategory="ude",ActionRequestId="maveniam",ActionReason="uian",ActionExtraDetails="tempo" +eetd 2016-04-09 17:22:51.032538723 +0000 UTC eip1448.internal.local %CYBERARK: MessageID="139";Version=1.3491;Message=deny;Issuer=tcupida;Station=10.139.186.201;File=ect;Safe=reetdolo;Location=nrepreh;Category=obeataev;RequestId=lor;Reason=uidexea;Severity=medium;SourceUser=natura;TargetUser=aboris;GatewayStation=10.172.14.142;TicketID=ssitaspe;PolicyID=gitsedqu;UserName=uam;LogonDomain=temq1198.internal.example;Address=aquaeab2275.www5.domain;CPMStatus=ehend;Port=4091;Database=isiu;DeviceType=nimadmi;ExtraDetails=iatisu; +%CYBERARK: MessageID="106";Version=1.6875;Message=accept;Issuer=ipis;Station=10.47.76.251;File=eataevit;Safe=uptatev;Location=uovol;Category=dmi;RequestId=olab;Reason=mquisnos;Severity=medium;SourceUser=ore;TargetUser=etconsec;GatewayStation=10.104.111.129;TicketID=mUt;PolicyID=usmodte;UserName=ele;LogonDomain=tenbyCic5882.api.home;Address=amquisno3338.www5.lan;CPMStatus=nonnu;Port=776;Database=riat;DeviceType=luptatem;ExtraDetails=umdolor; +inB 2016-05-08 07:27:59.552538723 +0000 UTC deomni124.www.example %CYBERARK: MessageID="74";tae 1.1382",ProductAccount="animi",ProductProcess="oluptate",EventId="ofdeF",EventClass="tion",EventSeverity="very-high",EventMessage="deny",ActingUserName="quiratio",ActingAddress="10.116.120.216",ActionSourceUser="qua",ActionTargetUser="umdo",ActionObject="sed",ActionSafe="apariat",ActionLocation="mol",ActionCategory="pteursi",ActionRequestId="onse",ActionReason="rumet",ActionExtraDetails="oll" +Ciceroi 2016-05-22 14:30:33.812538723 +0000 UTC aveniam1436.www.test %CYBERARK: MessageID="144";Version=1.5529;Message=cancel;Issuer=taevi;Station=10.62.54.220;File=ehenderi;Safe=pidatat;Location=gni;Category=tquiinea;RequestId=mquaera;Reason=dun;Severity=medium;SourceUser=Duisau;TargetUser=psum;GatewayStation=10.57.40.29;TicketID=undeo;PolicyID=loremip;UserName=rnatura;LogonDomain=isqu7224.localdomain;Address=idolores3839.localdomain;CPMStatus=metcon;Port=2424;Database=emeumfug;DeviceType=upta;ExtraDetails=omn; +ons 2016-06-05 21:33:08.072538723 +0000 UTC tessec3539.home %CYBERARK: MessageID="240";nsect 1.6476",ProductAccount="tnon",ProductProcess="ionul",EventId="nibus",EventClass="edquiano",EventSeverity="medium",EventMessage="cancel",ActingUserName="ema",ActingAddress="10.74.237.180",ActionSourceUser="nsequu",ActionTargetUser="cup",ActionObject="boNemoen",ActionSafe="uid",ActionLocation="rors",ActionCategory="onofd",ActionRequestId="taed",ActionReason="lup",ActionExtraDetails="remeumf" +2016-06-20 04:35:42.332538723 +0000 UTC sectetur3333.mail.example %CYBERARK: MessageID="61";edqui 1.7780",ProductAccount="lor",ProductProcess="fugit",EventId="ido",EventClass="paqu",EventSeverity="high",EventMessage="allow",ActingUserName="remeum",ActingAddress="10.18.165.35",ActionSourceUser="admi",ActionTargetUser="modocons",ActionObject="elaudant",ActionSafe="tinvol",ActionLocation="dolore",ActionCategory="abor",ActionRequestId="iqui",ActionReason="etc",ActionExtraDetails="etM" +2016-07-04 11:38:16.592538723 +0000 UTC xercitat4824.local %CYBERARK: MessageID="90";ostr 1.4979",ProductAccount="onproide",ProductProcess="luptat",EventId="itaut",EventClass="imaven",EventSeverity="high",EventMessage="deny",ActingUserName="tema",ActingAddress="10.74.253.127",ActionSourceUser="tfug",ActionTargetUser="icab",ActionObject="mwr",ActionSafe="fugi",ActionLocation="inculpaq",ActionCategory="agna",ActionRequestId="tionemu",ActionReason="eomnisis",ActionExtraDetails="mqui" +errorsi 2016-07-18 18:40:50.852538723 +0000 UTC des5377.lan %CYBERARK: MessageID="385";Version=1.1697;Message=block;Issuer=ono;Station=10.189.109.245;File=emaperi;Safe=tame;Location="tinvol";Category=tectobe;RequestId=colabor;Reason=iusmodt;Severity=medium;GatewayStation=10.92.8.15;TicketID=agnaali;PolicyID=llitani;UserName=inima;LogonDomain=tlabo6088.www.localdomain;Address=Lor5841.internal.example;CPMStatus=sunt;Port="3075";Database=uines;DeviceType=nsec;ExtraDetails=onse +August 2 01:43:25 tat %CYBERARK: MessageID="190";tion 1.1761",ProductAccount="upt",ProductProcess="uiineavo",EventId="tisetq",EventClass="irati",EventSeverity="low",EventMessage="accept",ActingUserName="giatquov",ActingAddress="10.21.78.128",ActionSourceUser="riat",ActionTargetUser="taut",ActionObject="oreseos",ActionSafe="uames",ActionLocation="tati",ActionCategory="utaliqu",ActionRequestId="oriosamn",ActionReason="deFinibu",ActionExtraDetails="iadese" +%CYBERARK: MessageID="256";eporroqu 1.4200",ProductAccount="hil",ProductProcess="atquovo",EventId="suntinc",EventClass="xeac",EventSeverity="medium",EventMessage="deny",ActingUserName="tatn",ActingAddress="10.18.109.121",ActionSourceUser="ents",ActionTargetUser="pida",ActionObject="nse",ActionSafe="sinto",ActionLocation="emoeni",ActionCategory="oenimips",ActionRequestId="utlabore",ActionReason="ecillu",ActionExtraDetails="quip" +%CYBERARK: MessageID="105";Version=1.3727;Message=cancel;Issuer=iunt;Station=10.63.37.192;File=tio;Safe=orinrepr;Location=conse;Category=rumetM;RequestId=equi;Reason=agnaali;Severity=medium;SourceUser=sitvolup;TargetUser=reetd;GatewayStation=10.225.115.13;TicketID=maccusa;PolicyID=uptat;UserName=equep;LogonDomain=iavolu5352.localhost;Address=rpo79.mail.example;CPMStatus=siarchi;Port=2289;Database=aliqu;DeviceType=olupta;ExtraDetails=mipsumd; +remi 2016-09-13 22:51:07.892538723 +0000 UTC saute7154.internal.lan %CYBERARK: MessageID="105";Version=1.3219;Message=deny;Issuer=run;Station=10.47.202.102;File=quirat;Safe=llu;Location=licab;Category=eirure;RequestId=conseq;Reason=oidentsu;Severity=medium;SourceUser=aaliquaU;TargetUser=ntor;GatewayStation=10.95.64.124;TicketID=psaquae;PolicyID=ationemu;UserName=ice;LogonDomain=estiae3750.api.corp;Address=tionof7613.domain;CPMStatus=lapari;Port=2335;Database=ite;DeviceType=ationul;ExtraDetails=iquipex; +adol 2016-09-28 05:53:42.152538723 +0000 UTC doloremi7402.www.test %CYBERARK: MessageID="376";Version=1.6371;Message=block;Issuer=itquiin;Station=10.106.239.55;File=taevit;Safe=rinrepre;Location=etconse;Category=tincu;RequestId=ari;Reason=exercit;Severity=low;GatewayStation=10.244.114.61;TicketID=oluptate;PolicyID=onseq;UserName=serunt;LogonDomain=aquaeabi7735.internal.lan;Address=acc7692.home;CPMStatus=amest;Port="4147";Database=itame;DeviceType=intoc;ExtraDetails=oluptas; +2016-10-12 12:56:16.412538723 +0000 UTC luptasn2126.mail.home %CYBERARK: MessageID="24";Version=1.821;Message=allow;Issuer=ione;Station=10.125.160.129;File=suntexp;Safe=duntut;Location=magni;Category=pisciv;RequestId=iquidex;Reason=radipisc;Severity=low;SourceUser=nti;TargetUser=abi;GatewayStation=10.53.168.235;TicketID=fugitse;PolicyID=veniamq;UserName=one;LogonDomain=etMalor4236.www5.host;Address=quatD4191.local;CPMStatus=tenima;Port=5685;Database=sperna;DeviceType=eabilloi;ExtraDetails=estia; +orem 2016-10-26 19:58:50.672538723 +0000 UTC beata6448.mail.test %CYBERARK: MessageID="197";Version=1.1123;Message=allow;Issuer=tasuntex;Station=10.227.177.121;File=boN;Safe=eprehend;Location=aevit;Category=aboN;RequestId=ihilmo;Reason=radi;Severity=low;SourceUser=uames;TargetUser=iduntu;GatewayStation=10.33.245.220;TicketID=giatnu;PolicyID=ulapa;UserName=liqui;LogonDomain=quioffi1359.internal.lan;Address=eturadi6608.mail.host;CPMStatus=aera;Port=3366;Database=rvel;DeviceType=uid;ExtraDetails=onsecte; +November 10 03:01:24 edo %CYBERARK: MessageID="411";Version=1.5071;Message=allow;Issuer=econs;Station="10.98.182.220";File="untex";Safe="quiratio";Location="boree";Category="eco";RequestId=Utenimad;Reason=orpor;Severity="low";GatewayStation="10.167.85.181";TicketID=emvel;PolicyID="tmollita";UserName=fde;LogonDomain="nsecte3304.mail.corp";Address="eroi176.example";CPMStatus="non";Port="3341";Database=equat;DeviceType=derit;ExtraDetails="Command=dexea;ConnectionComponentId=atcu;DstHost=labor;ProcessId=6501;ProcessName=laboree.exe;Protocol=tcp;PSMID=intocc;RDPOffset=liqu;SessionID=eporr;SrcHost=xeacomm6855.api.corp;User=utlabor;VIDOffset=rau;" +November 24 10:03:59 aeabi %CYBERARK: MessageID="111";eiu 1.4456",ProductAccount="iciadese",ProductProcess="quidolor",EventId="tessec",EventClass="olupta",EventSeverity="high",EventMessage="block",ActingUserName="icabo",ActingAddress="10.89.208.95",ActionSourceUser="eleum",ActionTargetUser="sintoc",ActionObject="volupt",ActionSafe="siste",ActionLocation="uiinea",ActionCategory="Utenima",ActionRequestId="volupta",ActionReason="rcitati",ActionExtraDetails="eni" +Ute 2016-12-08 17:06:33.452538723 +0000 UTC sperna5368.mail.invalid %CYBERARK: MessageID="81";Version=1.509;Message=accept;Issuer=tDuisaut;Station=10.214.191.180;File=imvenia;Safe=spi;Location=stquido;Category=ommodico;RequestId=ptas;Reason=pta;Severity=medium;SourceUser=ptatemq;TargetUser=luptatev;GatewayStation=10.72.148.32;TicketID=ipsumd;PolicyID=ntocc;UserName=uteirure;LogonDomain=nevo4284.internal.local;Address=reetdolo6852.www.test;CPMStatus=nnum;Port=5428;Database=uamest;DeviceType=tco;ExtraDetails=uae; +%CYBERARK: MessageID="168";Version=1.3599;Message=block;Issuer=ipsumd;Station=10.136.190.236;File=evolu;Safe=ersp;Location=tquov;Category=diconseq;RequestId=inven;Reason=osquira;Severity=low;SourceUser=ataevi;TargetUser=com;GatewayStation=10.252.124.150;TicketID=trud;PolicyID=eriti;UserName=litessec;LogonDomain=itas981.mail.domain;Address=mporin6932.api.localdomain;CPMStatus=roid;Port=6604;Database=tasn;DeviceType=Nemoenim;ExtraDetails=squirati; +nbyCic 2017-01-06 07:11:41.972538723 +0000 UTC utlabor6305.internal.corp %CYBERARK: MessageID="90";Version=1.5649;Message=accept;Issuer=iquipe;Station=10.192.34.76;File=modtemp;Safe=quovol;Location=nve;Category=remag;RequestId=uredol;Reason=ccaecat;Severity=medium;SourceUser=onsequ;TargetUser=temqu;GatewayStation=10.213.144.249;TicketID=udexerci;PolicyID=naal;UserName=lore;LogonDomain=tnonpro7635.localdomain;Address=illoin2914.mail.lan;CPMStatus=uamni;Port=6895;Database=gnamal;DeviceType=metMalo;ExtraDetails=ntexplic; +%CYBERARK: MessageID="376";Version=1.2217;Message=accept;Issuer=untu;Station=10.154.4.197;File=con;Safe=nisist;Location=usmodte;Category=msequi;RequestId=tau;Reason=exercita;Severity=low;GatewayStation=10.216.84.30;TicketID=orumSe;PolicyID=boree;UserName=intoc;LogonDomain=rQuisau5300.www5.example;Address=evit5780.www.corp;CPMStatus=onev;Port="725";Database=oditem;DeviceType=gitsedqu;ExtraDetails=borios; +2017-02-03 21:16:50.492538723 +0000 UTC temUt631.www5.example %CYBERARK: MessageID="3";npr 1.4414",ProductAccount="niamqui",ProductProcess="boNem",EventId="ess",EventClass="ipisci",EventSeverity="medium",EventMessage="deny",ActingUserName="tqu",ActingAddress="10.143.193.199",ActionSourceUser="quam",ActionTargetUser="quid",ActionObject="fugiat",ActionSafe="atisun",ActionLocation="esci",ActionCategory="epre",ActionRequestId="tobeata",ActionReason="eroinBCS",ActionExtraDetails="inci" +February 18 04:19:24 rnatur %CYBERARK: MessageID="140";Version=1.5632;Message=deny;Issuer=essequam;Station=10.193.83.81;File=isisten;Safe=cusant;Location=atemq;Category=rinre;RequestId=naal;Reason=borios;Severity=high;SourceUser=isnostr;TargetUser=umqu;GatewayStation=10.65.175.9;TicketID=inesci;PolicyID=isnisi;UserName=ritatise;LogonDomain=uamei2389.internal.example;Address=uisa5736.internal.local;CPMStatus=cusant;Port=302;Database=ender;DeviceType=riamea;ExtraDetails=entorev; +%CYBERARK: MessageID="87";tutlab 1.792",ProductAccount="tatn",ProductProcess="dolorsit",EventId="sau",EventClass="aperia",EventSeverity="very-high",EventMessage="accept",ActingUserName="umdolo",ActingAddress="10.205.72.243",ActionSourceUser="stenatu",ActionTargetUser="isiuta",ActionObject="orsitam",ActionSafe="siutaliq",ActionLocation="dutp",ActionCategory="psaquaea",ActionRequestId="taevita",ActionReason="ameiusm",ActionExtraDetails="proide" +2017-03-18 18:24:33.272538723 +0000 UTC velitess7586.mail.example %CYBERARK: MessageID="45";nre 1.7231",ProductAccount="sit",ProductProcess="olab",EventId="eumiure",EventClass="ersp",EventSeverity="medium",EventMessage="allow",ActingUserName="mquisno",ActingAddress="10.107.9.163",ActionSourceUser="uptate",ActionTargetUser="mac",ActionObject="iumdol",ActionSafe="tpersp",ActionLocation="stla",ActionCategory="uptatema",ActionRequestId="oeni",ActionReason="tdol",ActionExtraDetails="sit" +April 2 01:27:07 psum %CYBERARK: MessageID="132";tasnulap 1.7220",ProductAccount="umSe",ProductProcess="xeacomm",EventId="cinge",EventClass="itla",EventSeverity="high",EventMessage="deny",ActingUserName="asiarc",ActingAddress="10.80.101.72",ActionSourceUser="uptate",ActionTargetUser="quidexea",ActionObject="ect",ActionSafe="modocons",ActionLocation="gitsed",ActionCategory="fugia",ActionRequestId="oditautf",ActionReason="quatu",ActionExtraDetails="veli" +April 16 08:29:41 labo %CYBERARK: MessageID="200";Version=1.267;Message=accept;Issuer=aboreetd;Station=10.235.136.109;File=lorin;Safe=pitl;Location=por;Category=quidexea;RequestId=nimid;Reason=runtmol;Severity=very-high;SourceUser=odi;TargetUser=ptass;GatewayStation=10.39.10.155;TicketID=dol;PolicyID=proiden;UserName=urExcept;LogonDomain=miurerep1152.internal.domain;Address=utlab3706.api.host;CPMStatus=dantium;Port=246;Database=teirured;DeviceType=onemulla;ExtraDetails=dolorem; +April 30 15:32:16 ationev %CYBERARK: MessageID="233";umdolor 1.4389",ProductAccount="itation",ProductProcess="paquioff",EventId="nci",EventClass="isau",EventSeverity="low",EventMessage="cancel",ActingUserName="ibusBon",ActingAddress="10.96.224.19",ActionSourceUser="nsequat",ActionTargetUser="doloreme",ActionObject="dun",ActionSafe="reprehe",ActionLocation="tincu",ActionCategory="suntin",ActionRequestId="itse",ActionReason="umexerc",ActionExtraDetails="oremipsu" +2017-05-14 22:34:50.312538723 +0000 UTC ntsunt4826.mail.corp %CYBERARK: MessageID="170";olo 1.237",ProductAccount="aec",ProductProcess="fdeF",EventId="iquidexe",EventClass="diconse",EventSeverity="medium",EventMessage="cancel",ActingUserName="reseo",ActingAddress="10.71.238.250",ActionSourceUser="consequa",ActionTargetUser="moenimi",ActionObject="olupt",ActionSafe="oconsequ",ActionLocation="edquiac",ActionCategory="urerepr",ActionRequestId="eseru",ActionReason="quamest",ActionExtraDetails="mac" +%CYBERARK: MessageID="294";Version=1.3804;Message=deny;Issuer=rationev;Station=10.226.20.199;File=tatem;Safe=untutlab;Location=amcor;Category=ica;RequestId=lillum;Reason=remips;Severity=low;SourceUser=taedicta;TargetUser=ritt;GatewayStation=10.226.101.180;TicketID=itesseq;PolicyID=dictasun;UserName=veniamqu;LogonDomain=rum5798.home;Address=mvel1188.internal.localdomain;CPMStatus=tetur;Port=2694;Database=conse;DeviceType=ipi;ExtraDetails=imveniam; +June 12 12:39:58 licabo %CYBERARK: MessageID="13";Version=1.1493;Message=cancel;Issuer=utaliqu;Station=10.86.22.67;File=nvolupt;Safe=oremi;Location=elites;Category=nbyCi;RequestId=tevel;Reason=usc;Severity=high;SourceUser=equinesc;TargetUser=cab;GatewayStation=10.134.65.15;TicketID=equepor;PolicyID=ncidid;UserName=quaUten;LogonDomain=nisiut3624.api.example;Address=perspici5680.domain;CPMStatus=iconseq;Port=2039;Database=isciv;DeviceType=rroqu;ExtraDetails=nofd; +%CYBERARK: MessageID="358";ilmol 1.5112",ProductAccount="tten",ProductProcess="ueipsa",EventId="tae",EventClass="autodit",EventSeverity="very-high",EventMessage="accept",ActingUserName="cidunt",ActingAddress="10.70.147.120",ActionSourceUser="exeaco",ActionTargetUser="emqu",ActionObject="nderi",ActionSafe="acommod",ActionLocation="itsedd",ActionCategory="leumiur",ActionRequestId="eratvol",ActionReason="quidol",ActionExtraDetails="eaqu" +luptatem 2017-07-11 02:45:07.352538723 +0000 UTC uaeratv3432.invalid %CYBERARK: MessageID="160";Version=1.6255;Message=cancel;Issuer=dqu;Station=10.178.242.100;File=dutpers;Safe=erun;Location=orisn;Category=reetd;RequestId=prehen;Reason=ntutlabo;Severity=medium;SourceUser=rad;TargetUser=loi;GatewayStation=10.24.111.229;TicketID=volupt;PolicyID=rem;UserName=idid;LogonDomain=tesse1089.www.host;Address=ptateve6909.www5.lan;CPMStatus=toccaec;Port=7645;Database=tenatuse;DeviceType=psaqua;ExtraDetails=ullamcor; +2017-07-25 09:47:41.612538723 +0000 UTC cupi1867.www5.test %CYBERARK: MessageID="67";orroq 1.6677",ProductAccount="ritati",ProductProcess="orisni",EventId="ons",EventClass="remagn",EventSeverity="very-high",EventMessage="deny",ActingUserName="mmodoc",ActingAddress="10.211.179.168",ActionSourceUser="atu",ActionTargetUser="untincul",ActionObject="ssecil",ActionSafe="commodi",ActionLocation="emporain",ActionCategory="ntiumto",ActionRequestId="umetMalo",ActionReason="oluptas",ActionExtraDetails="emvele" +Sedut 2017-08-08 16:50:15.872538723 +0000 UTC yCiceroi2786.www.test %CYBERARK: MessageID="141";iquamqua 1.4890",ProductAccount="dolore",ProductProcess="nsequat",EventId="olorsi",EventClass="aliq",EventSeverity="low",EventMessage="cancel",ActingUserName="mven",ActingAddress="10.30.243.163",ActionSourceUser="oremag",ActionTargetUser="illu",ActionObject="ruredo",ActionSafe="mac",ActionLocation="temUt",ActionCategory="ptassita",ActionRequestId="its",ActionReason="lore",ActionExtraDetails="idol" +2017-08-22 23:52:50.132538723 +0000 UTC urmag7650.api.invalid %CYBERARK: MessageID="26";Version=1.1844;Message=cancel;Issuer=amvo;Station=10.6.79.159;File=ommodo;Safe=uptat;Location=idex;Category=ptateve;RequestId=cons;Reason=olorese;Severity=high;SourceUser=ore;TargetUser=quid;GatewayStation=10.212.214.4;TicketID=ddoeius;PolicyID=ugiatn;UserName=midestl;LogonDomain=dictasun3878.internal.localhost;Address=modocon5089.mail.example;CPMStatus=lupta;Port=5112;Database=urExce;DeviceType=asi;ExtraDetails=ectiono; +onu 2017-09-06 06:55:24.392538723 +0000 UTC liquaUte6729.api.localhost %CYBERARK: MessageID="150";Version=1.3546;Message=deny;Issuer=atDu;Station=10.237.170.202;File=maperi;Safe=agnaaliq;Location=tlaboree;Category=norumet;RequestId=dtempo;Reason=tin;Severity=low;SourceUser=mve;TargetUser=liquide;GatewayStation=10.70.147.46;TicketID=inv;PolicyID=rroq;UserName=rcit;LogonDomain=aecatcup2241.www5.test;Address=tempor1282.www5.localhost;CPMStatus=incidid;Port=7699;Database=taedict;DeviceType=edquian;ExtraDetails=loremeu; +dmi 2017-09-20 13:57:58.652538723 +0000 UTC untexpl2847.www5.local %CYBERARK: MessageID="292";Version=1.4282;Message=allow;Issuer=emoe;Station=10.179.50.138;File=ehende;Safe=eaqueip;Location=eum;Category=lamc;RequestId=umetMal;Reason=asper;Severity=high;SourceUser=metcons;TargetUser=itasper;GatewayStation=10.228.118.81;TicketID=temquiav;PolicyID=obeata;UserName=tatemU;LogonDomain=mad5185.www5.localhost;Address=mipsum2964.invalid;CPMStatus=doei;Port=6825;Database=toditaut;DeviceType=voluptat;ExtraDetails=ugit; +October 4 21:00:32 asnu %CYBERARK: MessageID="38";Version=1.3806;Message=cancel;Issuer=henderit;Station=10.49.71.118;File=ationul;Safe=mquisn;Location=queips;Category=midest;RequestId=dex;Reason=ccae;Severity=medium;SourceUser=eavolup;TargetUser=emip;GatewayStation=10.234.165.130;TicketID=ntexplic;PolicyID=uto;UserName=iuntNequ;LogonDomain=esseq7889.www.invalid;Address=veniamq1236.invalid;CPMStatus=emo;Port=1458;Database=veniamqu;DeviceType=licaboN;ExtraDetails=atquo; +udan 2017-10-19 04:03:07.172538723 +0000 UTC yCic5749.www.localhost %CYBERARK: MessageID="119";itanim 1.4024",ProductAccount="olorema",ProductProcess="mollita",EventId="tatem",EventClass="iae",EventSeverity="low",EventMessage="allow",ActingUserName="emip",ActingAddress="10.199.5.49",ActionSourceUser="stquid",ActionTargetUser="turadipi",ActionObject="usmodi",ActionSafe="ree",ActionLocation="saquaea",ActionCategory="ation",ActionRequestId="luptas",ActionReason="minim",ActionExtraDetails="ataevi" +%CYBERARK: MessageID="156";plic 1.7053",ProductAccount="utlabo",ProductProcess="tetur",EventId="tionula",EventClass="ritqu",EventSeverity="very-high",EventMessage="allow",ActingUserName="uamei",ActingAddress="10.193.219.34",ActionSourceUser="onse",ActionTargetUser="olorem",ActionObject="turvel",ActionSafe="eratv",ActionLocation="ipsa",ActionCategory="asuntexp",ActionRequestId="adminim",ActionReason="orisni",ActionExtraDetails="nse" +November 16 18:08:15 nderi %CYBERARK: MessageID="202";Version=1.7083;Message=allow;Issuer=animid;Station=10.120.167.217;File=atuse;Safe=ueipsa;Location=scipitl;Category=eumi;RequestId=quasiarc;Reason=olli;Severity=low;SourceUser=tetura;TargetUser=rsp;GatewayStation=10.174.185.109;TicketID=roquisqu;PolicyID=edolorin;UserName=dolorem;LogonDomain=tem6815.home;Address=taliqui5348.mail.localdomain;CPMStatus=loremag;Port=6816;Database=tsuntinc;DeviceType=inrepreh;ExtraDetails=quovo; +%CYBERARK: MessageID="133";Version=1.1432;Message=cancel;Issuer=atev;Station=10.117.137.159;File=acommodi;Safe=essecill;Location=billoi;Category=moles;RequestId=dipiscin;Reason=olup;Severity=high;SourceUser=undeomni;TargetUser=accusa;GatewayStation=10.141.213.219;TicketID=itat;PolicyID=stlaboru;UserName=ate;LogonDomain=mporainc2064.home;Address=atnulapa3548.www.domain;CPMStatus=radipisc;Port=5347;Database=nibus;DeviceType=vitaed;ExtraDetails=ser; +2017-12-15 08:13:24.212538723 +0000 UTC ill6772.www.invalid %CYBERARK: MessageID="104";Version=1.4043;Message=cancel;Issuer=rem;Station=10.166.90.130;File=mdolore;Safe=eosquira;Location=pta;Category=snos;RequestId=orsi;Reason=tetura;Severity=very-high;SourceUser=lorsita;TargetUser=eavol;GatewayStation=10.94.224.229;TicketID=lupta;PolicyID=npr;UserName=etconsec;LogonDomain=caboNem1043.internal.home;Address=litesseq6785.host;CPMStatus=tob;Port=7390;Database=oditempo;DeviceType=doeiu;ExtraDetails=deF; +rcitat 2017-12-29 15:15:58.472538723 +0000 UTC dolorema2984.www.home %CYBERARK: MessageID="316";Version=1.2456;Message=deny;Issuer=tiumto;Station=10.38.28.151;File=nrepreh;Safe=ratv;Location=alorum;Category=mquisn;RequestId=atq;Reason=erspi;Severity=low;SourceUser=ugiatquo;TargetUser=incidid;GatewayStation=10.201.81.46;TicketID=sBonor;PolicyID=fugits;UserName=mipsumqu;LogonDomain=tatio6513.www.invalid;Address=onnu2272.mail.corp;CPMStatus=atatnon;Port=6064;Database=abor;DeviceType=magnid;ExtraDetails=adol; +January 12 22:18:32 niam %CYBERARK: MessageID="266";Version=1.2721;Message=deny;Issuer=rerepre;Station=10.214.245.95;File=quiineav;Safe=billoinv;Location=sci;Category=col;RequestId=obea;Reason=emp;Severity=medium;SourceUser=luptas;TargetUser=uptatem;GatewayStation=10.255.28.56;TicketID=inrepr;PolicyID=mol;UserName=umdolors;LogonDomain=dolori6232.api.invalid;Address=llit958.www.domain;CPMStatus=tat;Port=2957;Database=odt;DeviceType=cillumd;ExtraDetails=riosa; +January 27 05:21:06 lapar %CYBERARK: MessageID="311";ritati 1.3219",ProductAccount="qui",ProductProcess="otamr",EventId="nim",EventClass="ame",EventSeverity="very-high",EventMessage="cancel",ActingUserName="mip",ActingAddress="10.45.35.180",ActionSourceUser="mvolupta",ActionTargetUser="Utenima",ActionObject="iqua",ActionSafe="luptat",ActionLocation="deriti",ActionCategory="sintocc",ActionRequestId="cididu",ActionReason="uteir",ActionExtraDetails="boree" +February 10 12:23:41 diduntu %CYBERARK: MessageID="285";eiusmod 1.7546",ProductAccount="ess",ProductProcess="uide",EventId="scivel",EventClass="henderi",EventSeverity="low",EventMessage="accept",ActingUserName="enim",ActingAddress="10.141.200.133",ActionSourceUser="ersp",ActionTargetUser="iame",ActionObject="orroquis",ActionSafe="aquio",ActionLocation="riatu",ActionCategory="loinve",ActionRequestId="tanimid",ActionReason="isnostru",ActionExtraDetails="nofdeFi" +%CYBERARK: MessageID="155";ulap 1.3765",ProductAccount="illoi",ProductProcess="reetdolo",EventId="rationev",EventClass="ehender",EventSeverity="medium",EventMessage="accept",ActingUserName="ugi",ActingAddress="10.83.238.145",ActionSourceUser="ptatems",ActionTargetUser="runtmo",ActionObject="ore",ActionSafe="isund",ActionLocation="exerci",ActionCategory="tas",ActionRequestId="oraincid",ActionReason="quaer",ActionExtraDetails="eetdo" +2018-03-11 02:28:49.772538723 +0000 UTC aali6869.api.localdomain %CYBERARK: MessageID="48";Version=1.3147;Message=block;Issuer=sedquiac;Station=10.39.143.155;File=ipsaqu;Safe=nisiut;Location=rumwri;Category=velill;RequestId=ore;Reason=tation;Severity=very-high;SourceUser=porincid;TargetUser=tperspic;GatewayStation=10.41.89.217;TicketID=ict;PolicyID=squirati;UserName=tem;LogonDomain=mestq2106.api.host;Address=llamc6724.www.lan;CPMStatus=tesseci;Port=4020;Database=radipis;DeviceType=cive;ExtraDetails=nse; +isnisiu 2018-03-25 09:31:24.032538723 +0000 UTC suntincu2940.www5.domain %CYBERARK: MessageID="378";Version=1.6382;Message=accept;Issuer=minim;Station=10.5.5.1;File=reseosq;Safe=gna;Location=isiutali;Category=lumqu;RequestId=onulamco;Reason=ons;Severity=low;SourceUser=uptat;TargetUser=unt;GatewayStation=10.153.123.20;TicketID=tla;PolicyID=mquiad;UserName=CSe;LogonDomain=lors7553.api.local;Address=reseosqu1629.mail.lan;CPMStatus=utemvel;Port=5325;Database=atu;DeviceType=iusm;ExtraDetails=roi; +2018-04-08 16:33:58.292538723 +0000 UTC rere5274.mail.domain %CYBERARK: MessageID="269";Version=1.3193;Message=deny;Issuer=iamea;Station=10.210.61.109;File=tiumto;Safe=cor;Location=odoco;Category=oin;RequestId=itseddoe;Reason=elites;Severity=low;SourceUser=uamei;TargetUser=eursinto;GatewayStation=10.168.132.175;TicketID=licaboNe;PolicyID=tautfug;UserName=giatquov;LogonDomain=olu5333.www.domain;Address=orumSe4514.www.corp;CPMStatus=umquam;Port=80;Database=ici;DeviceType=nisiuta;ExtraDetails=iquaUt; +%CYBERARK: MessageID="176";atnula 1.5038",ProductAccount="lmo",ProductProcess="iquidex",EventId="olup",EventClass="remipsu",EventSeverity="low",EventMessage="accept",ActingUserName="quiac",ActingAddress="10.123.154.17",ActionSourceUser="etdol",ActionTargetUser="dolorsi",ActionObject="nturmag",ActionSafe="tura",ActionLocation="osquirat",ActionCategory="equat",ActionRequestId="aliquid",ActionReason="usantiu",ActionExtraDetails="idunt" +%CYBERARK: MessageID="4";min 1.136",ProductAccount="xplic",ProductProcess="eseruntm",EventId="lpaquiof",EventClass="oloreeu",EventSeverity="very-high",EventMessage="deny",ActingUserName="etquasia",ActingAddress="10.169.123.103",ActionSourceUser="riatur",ActionTargetUser="oeni",ActionObject="dol",ActionSafe="dol",ActionLocation="atur",ActionCategory="issu",ActionRequestId="identsu",ActionReason="piscivel",ActionExtraDetails="hend" +%CYBERARK: MessageID="276";aer 1.7744",ProductAccount="iati",ProductProcess="minim",EventId="scipi",EventClass="tur",EventSeverity="very-high",EventMessage="cancel",ActingUserName="Nemoenim",ActingAddress="10.126.205.76",ActionSourceUser="etur",ActionTargetUser="rsitvol",ActionObject="utali",ActionSafe="sed",ActionLocation="xeac",ActionCategory="umdolors",ActionRequestId="lumdo",ActionReason="acom",ActionExtraDetails="eFini" +June 4 20:44:15 uovol %CYBERARK: MessageID="38";Version=1.3184;Message=accept;Issuer=eufug;Station=10.164.66.154;File=est;Safe=civelits;Location=ici;Category=snulap;RequestId=enimadm;Reason=stenatu;Severity=very-high;SourceUser=sitvo;TargetUser=ine;GatewayStation=10.169.101.161;TicketID=itessequ;PolicyID=iusmodit;UserName=orissu;LogonDomain=fic5107.home;Address=mmodoco2581.www5.host;CPMStatus=isiutali;Port=3575;Database=stquidol;DeviceType=Nemoenim;ExtraDetails=imadmini; +amvo 2018-06-19 03:46:49.592538723 +0000 UTC tnul6235.www5.lan %CYBERARK: MessageID="79";isau 1.1480",ProductAccount="ihilmole",ProductProcess="saquaea",EventId="ons",EventClass="orsitam",EventSeverity="medium",EventMessage="block",ActingUserName="metco",ActingAddress="10.70.83.200",ActionSourceUser="riame",ActionTargetUser="riat",ActionObject="sseq",ActionSafe="eriam",ActionLocation="pernat",ActionCategory="udan",ActionRequestId="archi",ActionReason="iutaliq",ActionExtraDetails="urQuis" +July 3 10:49:23 orum %CYBERARK: MessageID="53";Version=1.4887;Message=block;Issuer=madminim;Station=10.207.97.192;File=quio;Safe=eom;Location=teni;Category=ipiscive;RequestId=dant;Reason=etdolor;Severity=high;SourceUser=paria;TargetUser=mmod;GatewayStation=10.134.55.11;TicketID=amqu;PolicyID=lorsitam;UserName=tanimid;LogonDomain=onpr47.api.home;Address=oremqu7663.local;CPMStatus=llumq;Port=5816;Database=tetura;DeviceType=rumet;ExtraDetails=uptasnul; +2018-07-17 17:51:58.112538723 +0000 UTC nde2358.mail.corp %CYBERARK: MessageID="75";Version=1.3601;Message=cancel;Issuer=texplica;Station=10.52.150.104;File=esse;Safe=veniam;Location=edquian;Category=sus;RequestId=imavenia;Reason=expli;Severity=low;SourceUser=orum;TargetUser=oinBCSed;GatewayStation=10.31.187.19;TicketID=ilm;PolicyID=mvel;UserName=eritq;LogonDomain=rehen4859.api.host;Address=eve234.www5.local;CPMStatus=nula;Port=2783;Database=lit;DeviceType=santi;ExtraDetails=ritati; +dip 2018-08-01 00:54:32.372538723 +0000 UTC idolo5292.local %CYBERARK: MessageID="89";Version=1.3175;Message=allow;Issuer=runtm;Station=10.41.232.147;File=psumd;Safe=oloree;Location=seos;Category=rios;RequestId=labo;Reason=lpaquiof;Severity=high;SourceUser=mcorpo;TargetUser=ntexpl;GatewayStation=10.61.175.217;TicketID=enbyCi;PolicyID=reetdo;UserName=tat;LogonDomain=eufugia4481.corp;Address=fficia2304.www5.home;CPMStatus=vel;Port=2396;Database=rere;DeviceType=pta;ExtraDetails=nonn; +August 15 07:57:06 volup %CYBERARK: MessageID="261";ptate 1.3830",ProductAccount="uisnos",ProductProcess="quamqua",EventId="ntut",EventClass="mag",EventSeverity="very-high",EventMessage="deny",ActingUserName="mini",ActingAddress="10.150.30.95",ActionSourceUser="tur",ActionTargetUser="atnonpr",ActionObject="ita",ActionSafe="amquaer",ActionLocation="aqui",ActionCategory="enby",ActionRequestId="lpa",ActionReason="isn",ActionExtraDetails="smod" +August 29 14:59:40 siuta %CYBERARK: MessageID="66";atev 1.6626",ProductAccount="CSe",ProductProcess="exerci",EventId="inesciu",EventClass="quid",EventSeverity="high",EventMessage="deny",ActingUserName="onse",ActingAddress="10.98.71.45",ActionSourceUser="destla",ActionTargetUser="fugitse",ActionObject="minimve",ActionSafe="serrorsi",ActionLocation="tametco",ActionCategory="mquisnos",ActionRequestId="lore",ActionReason="isci",ActionExtraDetails="Dui" +lup 2018-09-12 22:02:15.152538723 +0000 UTC iumtotam1010.www5.corp %CYBERARK: MessageID="168";userror 1.5986",ProductAccount="nonn",ProductProcess="hite",EventId="ianonnum",EventClass="nofdeFi",EventSeverity="medium",EventMessage="deny",ActingUserName="remq",ActingAddress="10.252.251.143",ActionSourceUser="velill",ActionTargetUser="rspic",ActionObject="orinrepr",ActionSafe="ror",ActionLocation="onsecte",ActionCategory="doei",ActionRequestId="nvolupta",ActionReason="tev",ActionExtraDetails="nre" +%CYBERARK: MessageID="274";lumdolor 1.4706",ProductAccount="eserun",ProductProcess="rvelill",EventId="lupta",EventClass="byC",EventSeverity="high",EventMessage="accept",ActingUserName="uta",ActingAddress="10.197.203.167",ActionSourceUser="ulapa",ActionTargetUser="iumdo",ActionObject="iusmodit",ActionSafe="aturv",ActionLocation="ectetura",ActionCategory="obeataev",ActionRequestId="umf",ActionReason="olesti",ActionExtraDetails="smo" +tDuis 2018-10-11 12:07:23.672538723 +0000 UTC iqu1643.www.host %CYBERARK: MessageID="96";inim 1.6806",ProductAccount="ibusBo",ProductProcess="untincu",EventId="tten",EventClass="etur",EventSeverity="low",EventMessage="accept",ActingUserName="enima",ActingAddress="10.187.170.23",ActionSourceUser="sequ",ActionTargetUser="sectetu",ActionObject="evi",ActionSafe="tionula",ActionLocation="accus",ActionCategory="uatu",ActionRequestId="mquis",ActionReason="lab",ActionExtraDetails="uido" +2018-10-25 19:09:57.932538723 +0000 UTC nimadmin5577.corp %CYBERARK: MessageID="61";Version=1.3824;Message=allow;Issuer=tinculpa;Station=10.123.62.215;File=rumSecti;Safe=riamea;Location=eca;Category=oluptate;RequestId=Duisa;Reason=consequa;Severity=low;SourceUser=iaecon;TargetUser=aevitaed;GatewayStation=10.250.248.215;TicketID=remap;PolicyID=deri;UserName=quaeratv;LogonDomain=involu1450.www.localhost;Address=udexerc2708.api.test;CPMStatus=odic;Port=505;Database=lica;DeviceType=secil;ExtraDetails=uisnos; +scipit 2018-11-09 02:12:32.192538723 +0000 UTC lloinve551.internal.local %CYBERARK: MessageID="372";Version=1.3759;Message=block;Issuer=isiutali;Station=10.146.57.23;File=evit;Safe=tno;Location=iss;Category=taspe;RequestId=lum;Reason=xerc;Severity=high;GatewayStation=10.147.154.118;TicketID=nvol;PolicyID=enimadmi;UserName=tateveli;LogonDomain=osa3211.www5.example;Address=temvele5776.www.test;CPMStatus=inimve;Port="864";Database=cin;DeviceType=tmo;ExtraDetails=onofdeF; +its 2018-11-23 09:15:06.452538723 +0000 UTC uptasnul2751.www5.corp %CYBERARK: MessageID="232";ostrudex 1.4542",ProductAccount="niamqui",ProductProcess="usmodite",EventId="tlabo",EventClass="tatemse",EventSeverity="very-high",EventMessage="cancel",ActingUserName="uamestqu",ActingAddress="10.193.33.201",ActionSourceUser="hender",ActionTargetUser="ptatemU",ActionObject="seq",ActionSafe="rumSe",ActionLocation="tatnonp",ActionCategory="ommo",ActionRequestId="adeser",ActionReason="uasiarc",ActionExtraDetails="doeiu" +2018-12-07 16:17:40.712538723 +0000 UTC atuserro6791.internal.host %CYBERARK: MessageID="24";upta 1.313",ProductAccount="onnumqua",ProductProcess="quioff",EventId="iuntN",EventClass="ipis",EventSeverity="low",EventMessage="block",ActingUserName="nesci",ActingAddress="10.154.172.82",ActionSourceUser="lorsi",ActionTargetUser="tetura",ActionObject="eeufug",ActionSafe="edutper",ActionLocation="tevelite",ActionCategory="tocca",ActionRequestId="orsitvol",ActionReason="ntor",ActionExtraDetails="oinBCSed" +%CYBERARK: MessageID="79";obeatae 1.1886",ProductAccount="midestl",ProductProcess="quatu",EventId="avolu",EventClass="teturad",EventSeverity="very-high",EventMessage="allow",ActingUserName="expl",ActingAddress="10.47.63.70",ActionSourceUser="lup",ActionTargetUser="tpers",ActionObject="orsitv",ActionSafe="temseq",ActionLocation="uisaute",ActionCategory="uun",ActionRequestId="end",ActionReason="odocons",ActionExtraDetails="olu" +January 5 06:22:49 amn %CYBERARK: MessageID="312";itessequ 1.5170",ProductAccount="fdeFinib",ProductProcess="uip",EventId="ectobea",EventClass="dat",EventSeverity="very-high",EventMessage="block",ActingUserName="turQuis",ActingAddress="10.178.160.245",ActionSourceUser="deomnisi",ActionTargetUser="olupta",ActionObject="oll",ActionSafe="laboree",ActionLocation="udantiu",ActionCategory="itametco",ActionRequestId="iav",ActionReason="odico",ActionExtraDetails="rsint" +January 19 13:25:23 quiav %CYBERARK: MessageID="77";Version=1.6648;Message=block;Issuer=Nem;Station=10.85.13.237;File=oluptat;Safe=enimad;Location=tis;Category=qua;RequestId=con;Reason=tore;Severity=high;SourceUser=quelaud;TargetUser=luptat;GatewayStation=10.89.154.115;TicketID=oeiusmo;PolicyID=nimv;UserName=emeu;LogonDomain=tatemac5192.www5.test;Address=teursint1321.www5.example;CPMStatus=lamcolab;Port=7024;Database=nturmag;DeviceType=uredol;ExtraDetails=maliqua; +2019-02-02 20:27:57.752538723 +0000 UTC omnisi5530.mail.example %CYBERARK: MessageID="308";Version=1.3387;Message=allow;Issuer=itame;Station=10.222.32.183;File=yCiceroi;Safe=nostrum;Location=orroquis;Category=eumi;RequestId=tvo;Reason=aea;Severity=low;SourceUser=mmo;TargetUser=eve;GatewayStation=10.65.207.234;TicketID=ciad;PolicyID=ugiatqu;UserName=eruntmo;LogonDomain=nimve2787.mail.test;Address=boreet2051.internal.localdomain;CPMStatus=iavo;Port=1644;Database=udexerc;DeviceType=ovolupta;ExtraDetails=volup; +rro 2019-02-17 03:30:32.012538723 +0000 UTC tuser6944.local %CYBERARK: MessageID="54";iarchite 1.1612",ProductAccount="oinven",ProductProcess="natu",EventId="edqu",EventClass="tationu",EventSeverity="high",EventMessage="cancel",ActingUserName="olore",ActingAddress="10.16.181.60",ActionSourceUser="ameaquei",ActionTargetUser="gnama",ActionObject="esciun",ActionSafe="tesse",ActionLocation="olupta",ActionCategory="isno",ActionRequestId="oluptas",ActionReason="nderiti",ActionExtraDetails="uatu" +orem 2019-03-03 10:33:06.272538723 +0000 UTC giatqu1484.internal.corp %CYBERARK: MessageID="208";oreseosq 1.2275",ProductAccount="uianon",ProductProcess="nul",EventId="onse",EventClass="sitam",EventSeverity="very-high",EventMessage="deny",ActingUserName="illoin",ActingAddress="10.91.213.82",ActionSourceUser="uid",ActionTargetUser="amnis",ActionObject="rvelil",ActionSafe="adese",ActionLocation="olorsi",ActionCategory="caboNemo",ActionRequestId="uptas",ActionReason="temaccus",ActionExtraDetails="ons" +2019-03-17 17:35:40.532538723 +0000 UTC oreeu3666.invalid %CYBERARK: MessageID="48";tis 1.6724",ProductAccount="eprehe",ProductProcess="tinvolup",EventId="iaeconse",EventClass="uisa",EventSeverity="medium",EventMessage="allow",ActingUserName="tdolo",ActingAddress="10.204.214.98",ActionSourceUser="iumt",ActionTargetUser="porissus",ActionObject="imip",ActionSafe="tsunt",ActionLocation="rnat",ActionCategory="oremi",ActionRequestId="ectobeat",ActionReason="ecte",ActionExtraDetails="abo" +%CYBERARK: MessageID="219";snos 1.5910",ProductAccount="moenimip",ProductProcess="uames",EventId="tium",EventClass="ianonn",EventSeverity="very-high",EventMessage="accept",ActingUserName="etc",ActingAddress="10.223.178.192",ActionSourceUser="atquovol",ActionTargetUser="evel",ActionObject="edol",ActionSafe="sequuntu",ActionLocation="quameius",ActionCategory="litse",ActionRequestId="san",ActionReason="apari",ActionExtraDetails="iarchit" +2019-04-15 07:40:49.052538723 +0000 UTC nsequat6724.www.invalid %CYBERARK: MessageID="183";Version=1.801;Message=cancel;Issuer=ati;Station=10.26.137.126;File=dolor;Safe=Mal;Location=ametcons;Category=tconse;RequestId=eumf;Reason=roquisq;Severity=medium;SourceUser=doconse;TargetUser=audant;GatewayStation=10.26.33.181;TicketID=remeum;PolicyID=mmod;UserName=taevit;LogonDomain=ama6820.mail.example;Address=umto3015.mail.lan;CPMStatus=sitv;Port=4667;Database=com;DeviceType=rep;ExtraDetails=mveni; +April 29 14:43:23 num %CYBERARK: MessageID="41";Version=1.10;Message=accept;Issuer=quaerat;Station=10.148.195.208;File=amnih;Safe=tper;Location=pisciv;Category=tconsect;RequestId=pariat;Reason=iutal;Severity=low;SourceUser=ctobeat;TargetUser=isi;GatewayStation=10.142.161.116;TicketID=eca;PolicyID=ctionofd;UserName=mpori;LogonDomain=olupt966.www5.corp;Address=etquasia1800.www.host;CPMStatus=nimip;Port=7612;Database=squamest;DeviceType=quisn;ExtraDetails=pteu; +velillum 2019-05-13 21:45:57.572538723 +0000 UTC ntNequ7639.internal.localdomain %CYBERARK: MessageID="270";Version=1.1026;Message=block;Issuer=itinvo;Station=10.107.24.54;File=emipsumq;Safe=culpaq;Location=quamq;Category=usan;RequestId=tdolo;Reason=ident;Severity=medium;SourceUser=itaedi;TargetUser=hend;GatewayStation=10.10.174.253;TicketID=esciun;PolicyID=tasnul;UserName=uptasn;LogonDomain=lit4112.www.localhost;Address=quisquam2153.mail.host;CPMStatus=dit;Port=2717;Database=lup;DeviceType=aeca;ExtraDetails=isau; +May 28 04:48:31 boreetd %CYBERARK: MessageID="309";tNe 1.2566",ProductAccount="eeufug",ProductProcess="ntin",EventId="iades",EventClass="radipis",EventSeverity="very-high",EventMessage="deny",ActingUserName="luptate",ActingAddress="10.87.92.17",ActionSourceUser="utlabore",ActionTargetUser="tamr",ActionObject="serr",ActionSafe="usci",ActionLocation="unturmag",ActionCategory="dexeaco",ActionRequestId="lupta",ActionReason="ura",ActionExtraDetails="oreeufug" +June 11 11:51:06 dolo %CYBERARK: MessageID="295";Version=1.5649;Message=deny;Issuer=Finibus;Station=10.161.51.135;File=porin;Safe=metMal;Location=ciati;Category=ecillum;RequestId=olor;Reason=amei;Severity=medium;SourceUser=quid;TargetUser=accus;GatewayStation=10.231.51.136;TicketID=ctobeat;PolicyID=upta;UserName=asper;LogonDomain=dictasun3408.internal.invalid;Address=secte1774.localhost;CPMStatus=iqui;Port=5200;Database=litani;DeviceType=emp;ExtraDetails=arch; +June 25 18:53:40 dipisciv %CYBERARK: MessageID="148";uam 1.2575",ProductAccount="llum",ProductProcess="mwr",EventId="cia",EventClass="idolo",EventSeverity="low",EventMessage="allow",ActingUserName="mquido",ActingAddress="10.51.17.32",ActionSourceUser="ree",ActionTargetUser="itten",ActionObject="quipexea",ActionSafe="orsitv",ActionLocation="dunt",ActionCategory="int",ActionRequestId="ionevo",ActionReason="llitani",ActionExtraDetails="uscipit" +etco 2019-07-10 01:56:14.612538723 +0000 UTC iuntN4077.www.invalid %CYBERARK: MessageID="260";isnostru 1.270",ProductAccount="mmodicon",ProductProcess="eetdo",EventId="mquisno",EventClass="atvolup",EventSeverity="medium",EventMessage="deny",ActingUserName="ollita",ActingAddress="10.108.123.148",ActionSourceUser="cto",ActionTargetUser="cusa",ActionObject="nderi",ActionSafe="tem",ActionLocation="tcu",ActionCategory="eumiu",ActionRequestId="nim",ActionReason="pteurs",ActionExtraDetails="ercitati" +July 24 08:58:48 eturadip %CYBERARK: MessageID="8";Version=1.425;Message=accept;Issuer=rsitamet;Station=10.114.0.148;File=utod;Safe=olesti;Location=edquia;Category=ihi;RequestId=undeomn;Reason=ape;Severity=medium;SourceUser=amco;TargetUser=ons;GatewayStation=10.198.187.144;TicketID=atquo;PolicyID=borio;UserName=equatD;LogonDomain=uidol6868.mail.localdomain;Address=uido2773.www5.test;CPMStatus=acons;Port=3820;Database=periam;DeviceType=ain;ExtraDetails=umiurer; +onorume 2019-08-07 16:01:23.132538723 +0000 UTC abill5290.lan %CYBERARK: MessageID="89";mini 1.7224",ProductAccount="loru",ProductProcess="iadeser",EventId="litess",EventClass="qui",EventSeverity="low",EventMessage="allow",ActingUserName="equa",ActingAddress="10.61.140.120",ActionSourceUser="olorsit",ActionTargetUser="naaliq",ActionObject="plica",ActionSafe="asiarc",ActionLocation="lor",ActionCategory="nvolupt",ActionRequestId="dquia",ActionReason="ora",ActionExtraDetails="umfugiat" +%CYBERARK: MessageID="36";Version=1.6988;Message=deny;Issuer=ite;Station=10.93.24.151;File=Duis;Safe=lupt;Location=quatur;Category=dminim;RequestId=ptatevel;Reason=aperiame;Severity=very-high;SourceUser=eirured;TargetUser=sequamn;GatewayStation=10.149.238.108;TicketID=ciatisun;PolicyID=duntutl;UserName=nven;LogonDomain=ptat4878.lan;Address=quame1852.www.test;CPMStatus=deomni;Port=4512;Database=fugi;DeviceType=nse;ExtraDetails=nesciu; +September 5 06:06:31 inrepreh %CYBERARK: MessageID="39";rit 1.6107",ProductAccount="cipitla",ProductProcess="tlab",EventId="vel",EventClass="ionevo",EventSeverity="high",EventMessage="accept",ActingUserName="uinesc",ActingAddress="10.101.45.225",ActionSourceUser="utla",ActionTargetUser="emi",ActionObject="uaerat",ActionSafe="iduntu",ActionLocation="samvol",ActionCategory="equa",ActionRequestId="apari",ActionReason="tsunt",ActionExtraDetails="caecat" +qui 2019-09-19 13:09:05.912538723 +0000 UTC caboN3124.mail.home %CYBERARK: MessageID="8";catcupid 1.3167",ProductAccount="quela",ProductProcess="uamquaer",EventId="texplica",EventClass="enimi",EventSeverity="low",EventMessage="cancel",ActingUserName="ore",ActingAddress="10.2.204.161",ActionSourceUser="iquamqu",ActionTargetUser="eumfugia",ActionObject="reeufugi",ActionSafe="sequines",ActionLocation="minimve",ActionCategory="texplica",ActionRequestId="entorev",ActionReason="quuntur",ActionExtraDetails="olup" +les 2019-10-03 20:11:40.172538723 +0000 UTC norumet2571.internal.example %CYBERARK: MessageID="89";temp 1.6971",ProductAccount="aliqu",ProductProcess="sequine",EventId="utaliqui",EventClass="isciv",EventSeverity="very-high",EventMessage="cancel",ActingUserName="ptatemse",ActingAddress="10.33.112.100",ActionSourceUser="catcup",ActionTargetUser="enimad",ActionObject="magnaali",ActionSafe="velillum",ActionLocation="ionev",ActionCategory="vitaedi",ActionRequestId="rna",ActionReason="cons",ActionExtraDetails="Except" +%CYBERARK: MessageID="95";Version=1.3175;Message=block;Issuer=neavol;Station=10.94.152.238;File=rporiss;Safe=billoinv;Location=etconse;Category=nesciu;RequestId=mali;Reason=roinBCSe;Severity=very-high;SourceUser=uames;TargetUser=tla;GatewayStation=10.151.110.250;TicketID=psa;PolicyID=nreprehe;UserName=pidatatn;LogonDomain=isno4595.local;Address=lla5407.lan;CPMStatus=upt;Port=4762;Database=itaedict;DeviceType=eroi;ExtraDetails=onemull; +mporain 2019-11-01 10:16:48.692538723 +0000 UTC eratvo7756.localdomain %CYBERARK: MessageID="179";Version=1.4965;Message=allow;Issuer=alorumwr;Station=10.146.61.5;File=tvolu;Safe=imve;Location=ollitan;Category=temseq;RequestId=vol;Reason=loremips;Severity=high;SourceUser=eturadi;TargetUser=umS;GatewayStation=10.77.9.17;TicketID=henderi;PolicyID=taevitae;UserName=tevel;LogonDomain=tatemse5403.home;Address=iquipexe4708.api.localhost;CPMStatus=quuntur;Port=5473;Database=amremap;DeviceType=oremagna;ExtraDetails=aqu; +%CYBERARK: MessageID="83";tvolu 1.2244",ProductAccount="ore",ProductProcess="lors",EventId="saute",EventClass="ecillumd",EventSeverity="high",EventMessage="allow",ActingUserName="sequatu",ActingAddress="10.128.102.130",ActionSourceUser="mdoloree",ActionTargetUser="que",ActionObject="inBCSed",ActionSafe="cteturad",ActionLocation="umq",ActionCategory="ita",ActionRequestId="ipsaquae",ActionReason="olu",ActionExtraDetails="exerci" +2019-11-30 00:21:57.212538723 +0000 UTC moen6809.internal.example %CYBERARK: MessageID="150";Version=1.7701;Message=cancel;Issuer=reseo;Station=10.31.86.83;File=pariat;Safe=icaboNe;Location=boreetd;Category=uir;RequestId=rumex;Reason=ectobea;Severity=medium;SourceUser=tamrem;TargetUser=doloremi;GatewayStation=10.200.162.248;TicketID=uptate;PolicyID=giatquo;UserName=onnu;LogonDomain=reprehe650.www.corp;Address=oremip4070.www5.invalid;CPMStatus=turad;Port=1704;Database=billo;DeviceType=doloremi;ExtraDetails=ectetura; +%CYBERARK: MessageID="166";cul 1.3325",ProductAccount="atatn",ProductProcess="ipisc",EventId="iatnulap",EventClass="roi",EventSeverity="high",EventMessage="allow",ActingUserName="volup",ActingAddress="10.103.215.159",ActionSourceUser="ddoeiusm",ActionTargetUser="apa",ActionObject="archite",ActionSafe="tur",ActionLocation="ddo",ActionCategory="emp",ActionRequestId="inBC",ActionReason="did",ActionExtraDetails="atcupi" diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json new file mode 100644 index 00000000000..2bf31b06a52 --- /dev/null +++ b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json @@ -0,0 +1,5391 @@ +[ + { + "event.action": "allow", + "event.code": "ria", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2016-01-29 06:09:59.732538723 +0000 UTC eacommod1428.lan %CYBERARK: MessageID=\"188\";exercita 1.1332\",ProductAccount=\"itv\",ProductProcess=\"odoco\",EventId=\"ria\",EventClass=\"min\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"utl\",ActingAddress=\"10.208.15.216\",ActionSourceUser=\"tation\",ActionTargetUser=\"quasiarc\",ActionObject=\"liqua\",ActionSafe=\"ciade\",ActionLocation=\"turadipi\",ActionCategory=\"aeca\",ActionRequestId=\"idi\",ActionReason=\"pexe\",ActionExtraDetails=\"nes\"", + "file.directory": "turadipi", + "file.name": "liqua", + "fileset.name": "corepas", + "host.ip": "10.208.15.216", + "input.type": "log", + "log.level": "low", + "log.offset": 0, + "observer.product": "exercita", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1332", + "related.ip": [ + "10.208.15.216" + ], + "related.user": [ + "quasiarc", + "itv", + "utl" + ], + "rsa.db.index": "nes", + "rsa.internal.event_desc": "pexe", + "rsa.internal.messageid": "188", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "aeca", + "rsa.misc.group_object": "ciade", + "rsa.misc.reference_id": "ria", + "rsa.misc.reference_id1": "idi", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.1332", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "utl" + }, + { + "destination.address": "volup208.invalid", + "destination.port": 5191, + "event.action": "block", + "event.code": "168", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"168\";Version=1.259;Message=block;Issuer=dolore;Station=10.92.136.230;File=ritquiin;Safe=umqui;Location=reeufugi;Category=mdolo;RequestId=mqui;Reason=nci;Severity=very-high;SourceUser=litesse;TargetUser=orev;GatewayStation=10.175.75.18;TicketID=deF;PolicyID=sist;UserName=nnumqu;LogonDomain=iatnu3810.mail.localdomain;Address=volup208.invalid;CPMStatus=eosquir;Port=5191;Database=umdo;DeviceType=itessequ;ExtraDetails=vol;", + "file.directory": "reeufugi", + "file.name": "ritquiin", + "fileset.name": "corepas", + "group.name": "litesse", + "host.ip": "10.92.136.230", + "input.type": "log", + "log.level": "very-high", + "log.offset": 477, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.259", + "related.hosts": [ + "iatnu3810.mail.localdomain" + ], + "related.ip": [ + "10.92.136.230", + "10.175.75.18" + ], + "related.user": [ + "nnumqu", + "orev", + "dolore" + ], + "rsa.db.database": "umdo", + "rsa.db.index": "vol", + "rsa.internal.event_desc": "nci", + "rsa.internal.messageid": "168", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "mdolo", + "rsa.misc.disposition": "eosquir", + "rsa.misc.group": "litesse", + "rsa.misc.group_object": "umqui", + "rsa.misc.obj_type": "itessequ", + "rsa.misc.operation_id": "deF", + "rsa.misc.policy_name": "sist", + "rsa.misc.reference_id": "168", + "rsa.misc.reference_id1": "mqui", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.259", + "rsa.network.domain": "iatnu3810.mail.localdomain", + "rsa.network.host_dst": "volup208.invalid", + "server.domain": "iatnu3810.mail.localdomain", + "service.type": "cyberark", + "source.ip": [ + "10.175.75.18" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "dolore" + }, + { + "destination.address": "tetu5280.www5.invalid", + "destination.port": 2548, + "event.action": "accept", + "event.code": "26", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "nibus 2016-02-26 20:15:08.252538723 +0000 UTC mipsumq3879.internal.localdomain %CYBERARK: MessageID=\"26\";Version=1.7269;Message=accept;Issuer=incid;Station=10.51.132.10;File=utper;Safe=squame;Location=ntex;Category=eius;RequestId=luptat;Reason=emape;Severity=low;SourceUser=incidi;TargetUser=nse;GatewayStation=10.46.185.46;TicketID=temvel;PolicyID=iatu;UserName=serror;LogonDomain=anti4454.api.example;Address=tetu5280.www5.invalid;CPMStatus=tionulam;Port=2548;Database=byC;DeviceType=tinculp;ExtraDetails=tur;", + "file.directory": "ntex", + "file.name": "utper", + "fileset.name": "corepas", + "group.name": "incidi", + "host.ip": "10.51.132.10", + "input.type": "log", + "log.level": "low", + "log.offset": 921, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7269", + "related.hosts": [ + "anti4454.api.example" + ], + "related.ip": [ + "10.51.132.10", + "10.46.185.46" + ], + "related.user": [ + "incid", + "nse", + "serror" + ], + "rsa.db.database": "byC", + "rsa.db.index": "tur", + "rsa.internal.event_desc": "emape", + "rsa.internal.messageid": "26", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "eius", + "rsa.misc.disposition": "tionulam", + "rsa.misc.group": "incidi", + "rsa.misc.group_object": "squame", + "rsa.misc.obj_type": "tinculp", + "rsa.misc.operation_id": "temvel", + "rsa.misc.policy_name": "iatu", + "rsa.misc.reference_id": "26", + "rsa.misc.reference_id1": "luptat", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.7269", + "rsa.network.domain": "anti4454.api.example", + "rsa.network.host_dst": "tetu5280.www5.invalid", + "server.domain": "anti4454.api.example", + "service.type": "cyberark", + "source.ip": [ + "10.46.185.46" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "incid" + }, + { + "destination.address": "llu4762.mail.localdomain", + "destination.port": 5695, + "event.action": "deny", + "event.code": "184", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2016-03-12 03:17:42.512538723 +0000 UTC minim7868.www5.localdomain %CYBERARK: MessageID=\"184\";Version=1.6713;Message=deny;Issuer=psumquia;Station=10.53.192.140;File=con;Safe=uia;Location=quiavo;Category=issusci;RequestId=mol;Reason=taspe;Severity=high;SourceUser=psumq;TargetUser=atcup;GatewayStation=10.155.236.240;TicketID=tatno;PolicyID=dquiac;UserName=ptass;LogonDomain=uam6303.api.lan;Address=llu4762.mail.localdomain;CPMStatus=scivel;Port=5695;Database=aperi;DeviceType=iveli;ExtraDetails=llumd;", + "file.directory": "quiavo", + "file.name": "con", + "fileset.name": "corepas", + "group.name": "psumq", + "host.ip": "10.53.192.140", + "input.type": "log", + "log.level": "high", + "log.offset": 1433, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6713", + "related.hosts": [ + "uam6303.api.lan" + ], + "related.ip": [ + "10.155.236.240", + "10.53.192.140" + ], + "related.user": [ + "psumquia", + "ptass", + "atcup" + ], + "rsa.db.database": "aperi", + "rsa.db.index": "llumd", + "rsa.internal.event_desc": "taspe", + "rsa.internal.messageid": "184", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "issusci", + "rsa.misc.disposition": "scivel", + "rsa.misc.group": "psumq", + "rsa.misc.group_object": "uia", + "rsa.misc.obj_type": "iveli", + "rsa.misc.operation_id": "tatno", + "rsa.misc.policy_name": "dquiac", + "rsa.misc.reference_id": "184", + "rsa.misc.reference_id1": "mol", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.6713", + "rsa.network.domain": "uam6303.api.lan", + "rsa.network.host_dst": "llu4762.mail.localdomain", + "server.domain": "uam6303.api.lan", + "service.type": "cyberark", + "source.ip": [ + "10.155.236.240" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "psumquia" + }, + { + "event.action": "cancel", + "event.code": "rmagni", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"161\";emaper 1.2638\",ProductAccount=\"eos\",ProductProcess=\"enimad\",EventId=\"rmagni\",EventClass=\"sit\",EventSeverity=\"medium\",EventMessage=\"cancel\",ActingUserName=\"oremips\",ActingAddress=\"10.81.199.122\",ActionSourceUser=\"aquaeabi\",ActionTargetUser=\"giatq\",ActionObject=\"quid\",ActionSafe=\"fug\",ActionLocation=\"uatDuis\",ActionCategory=\"ude\",ActionRequestId=\"maveniam\",ActionReason=\"uian\",ActionExtraDetails=\"tempo\"", + "file.directory": "uatDuis", + "file.name": "quid", + "fileset.name": "corepas", + "host.ip": "10.81.199.122", + "input.type": "log", + "log.level": "medium", + "log.offset": 1935, + "observer.product": "emaper", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.2638", + "related.ip": [ + "10.81.199.122" + ], + "related.user": [ + "oremips", + "giatq", + "eos" + ], + "rsa.db.index": "tempo", + "rsa.internal.event_desc": "uian", + "rsa.internal.messageid": "161", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "ude", + "rsa.misc.group_object": "fug", + "rsa.misc.reference_id": "rmagni", + "rsa.misc.reference_id1": "maveniam", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.2638", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "oremips" + }, + { + "destination.address": "aquaeab2275.www5.domain", + "destination.port": 4091, + "event.action": "deny", + "event.code": "139", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "eetd 2016-04-09 17:22:51.032538723 +0000 UTC eip1448.internal.local %CYBERARK: MessageID=\"139\";Version=1.3491;Message=deny;Issuer=tcupida;Station=10.139.186.201;File=ect;Safe=reetdolo;Location=nrepreh;Category=obeataev;RequestId=lor;Reason=uidexea;Severity=medium;SourceUser=natura;TargetUser=aboris;GatewayStation=10.172.14.142;TicketID=ssitaspe;PolicyID=gitsedqu;UserName=uam;LogonDomain=temq1198.internal.example;Address=aquaeab2275.www5.domain;CPMStatus=ehend;Port=4091;Database=isiu;DeviceType=nimadmi;ExtraDetails=iatisu;", + "file.directory": "nrepreh", + "file.name": "ect", + "fileset.name": "corepas", + "group.name": "natura", + "host.ip": "10.139.186.201", + "input.type": "log", + "log.level": "medium", + "log.offset": 2366, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3491", + "related.hosts": [ + "temq1198.internal.example" + ], + "related.ip": [ + "10.139.186.201", + "10.172.14.142" + ], + "related.user": [ + "tcupida", + "aboris", + "uam" + ], + "rsa.db.database": "isiu", + "rsa.db.index": "iatisu", + "rsa.internal.event_desc": "uidexea", + "rsa.internal.messageid": "139", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "obeataev", + "rsa.misc.disposition": "ehend", + "rsa.misc.group": "natura", + "rsa.misc.group_object": "reetdolo", + "rsa.misc.obj_type": "nimadmi", + "rsa.misc.operation_id": "ssitaspe", + "rsa.misc.policy_name": "gitsedqu", + "rsa.misc.reference_id": "139", + "rsa.misc.reference_id1": "lor", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.3491", + "rsa.network.domain": "temq1198.internal.example", + "rsa.network.host_dst": "aquaeab2275.www5.domain", + "server.domain": "temq1198.internal.example", + "service.type": "cyberark", + "source.ip": [ + "10.172.14.142" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tcupida" + }, + { + "destination.address": "amquisno3338.www5.lan", + "destination.port": 776, + "event.action": "accept", + "event.code": "106", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"106\";Version=1.6875;Message=accept;Issuer=ipis;Station=10.47.76.251;File=eataevit;Safe=uptatev;Location=uovol;Category=dmi;RequestId=olab;Reason=mquisnos;Severity=medium;SourceUser=ore;TargetUser=etconsec;GatewayStation=10.104.111.129;TicketID=mUt;PolicyID=usmodte;UserName=ele;LogonDomain=tenbyCic5882.api.home;Address=amquisno3338.www5.lan;CPMStatus=nonnu;Port=776;Database=riat;DeviceType=luptatem;ExtraDetails=umdolor;", + "file.directory": "uovol", + "file.name": "eataevit", + "fileset.name": "corepas", + "group.name": "ore", + "host.ip": "10.47.76.251", + "input.type": "log", + "log.level": "medium", + "log.offset": 2894, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6875", + "related.hosts": [ + "tenbyCic5882.api.home" + ], + "related.ip": [ + "10.104.111.129", + "10.47.76.251" + ], + "related.user": [ + "ele", + "etconsec", + "ipis" + ], + "rsa.db.database": "riat", + "rsa.db.index": "umdolor", + "rsa.internal.event_desc": "mquisnos", + "rsa.internal.messageid": "106", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "dmi", + "rsa.misc.disposition": "nonnu", + "rsa.misc.group": "ore", + "rsa.misc.group_object": "uptatev", + "rsa.misc.obj_type": "luptatem", + "rsa.misc.operation_id": "mUt", + "rsa.misc.policy_name": "usmodte", + "rsa.misc.reference_id": "106", + "rsa.misc.reference_id1": "olab", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.6875", + "rsa.network.domain": "tenbyCic5882.api.home", + "rsa.network.host_dst": "amquisno3338.www5.lan", + "server.domain": "tenbyCic5882.api.home", + "service.type": "cyberark", + "source.ip": [ + "10.104.111.129" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ipis" + }, + { + "event.action": "deny", + "event.code": "ofdeF", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "inB 2016-05-08 07:27:59.552538723 +0000 UTC deomni124.www.example %CYBERARK: MessageID=\"74\";tae 1.1382\",ProductAccount=\"animi\",ProductProcess=\"oluptate\",EventId=\"ofdeF\",EventClass=\"tion\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"quiratio\",ActingAddress=\"10.116.120.216\",ActionSourceUser=\"qua\",ActionTargetUser=\"umdo\",ActionObject=\"sed\",ActionSafe=\"apariat\",ActionLocation=\"mol\",ActionCategory=\"pteursi\",ActionRequestId=\"onse\",ActionReason=\"rumet\",ActionExtraDetails=\"oll\"", + "file.directory": "mol", + "file.name": "sed", + "fileset.name": "corepas", + "host.ip": "10.116.120.216", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3339, + "observer.product": "tae", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1382", + "related.ip": [ + "10.116.120.216" + ], + "related.user": [ + "umdo", + "animi", + "quiratio" + ], + "rsa.db.index": "oll", + "rsa.internal.event_desc": "rumet", + "rsa.internal.messageid": "74", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "pteursi", + "rsa.misc.group_object": "apariat", + "rsa.misc.reference_id": "ofdeF", + "rsa.misc.reference_id1": "onse", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.1382", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "quiratio" + }, + { + "destination.address": "idolores3839.localdomain", + "destination.port": 2424, + "event.action": "cancel", + "event.code": "144", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "Ciceroi 2016-05-22 14:30:33.812538723 +0000 UTC aveniam1436.www.test %CYBERARK: MessageID=\"144\";Version=1.5529;Message=cancel;Issuer=taevi;Station=10.62.54.220;File=ehenderi;Safe=pidatat;Location=gni;Category=tquiinea;RequestId=mquaera;Reason=dun;Severity=medium;SourceUser=Duisau;TargetUser=psum;GatewayStation=10.57.40.29;TicketID=undeo;PolicyID=loremip;UserName=rnatura;LogonDomain=isqu7224.localdomain;Address=idolores3839.localdomain;CPMStatus=metcon;Port=2424;Database=emeumfug;DeviceType=upta;ExtraDetails=omn;", + "file.directory": "gni", + "file.name": "ehenderi", + "fileset.name": "corepas", + "group.name": "Duisau", + "host.ip": "10.62.54.220", + "input.type": "log", + "log.level": "medium", + "log.offset": 3831, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5529", + "related.hosts": [ + "isqu7224.localdomain" + ], + "related.ip": [ + "10.57.40.29", + "10.62.54.220" + ], + "related.user": [ + "taevi", + "psum", + "rnatura" + ], + "rsa.db.database": "emeumfug", + "rsa.db.index": "omn", + "rsa.internal.event_desc": "dun", + "rsa.internal.messageid": "144", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "tquiinea", + "rsa.misc.disposition": "metcon", + "rsa.misc.group": "Duisau", + "rsa.misc.group_object": "pidatat", + "rsa.misc.obj_type": "upta", + "rsa.misc.operation_id": "undeo", + "rsa.misc.policy_name": "loremip", + "rsa.misc.reference_id": "144", + "rsa.misc.reference_id1": "mquaera", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.5529", + "rsa.network.domain": "isqu7224.localdomain", + "rsa.network.host_dst": "idolores3839.localdomain", + "server.domain": "isqu7224.localdomain", + "service.type": "cyberark", + "source.ip": [ + "10.57.40.29" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "taevi" + }, + { + "event.action": "cancel", + "event.code": "nibus", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "ons 2016-06-05 21:33:08.072538723 +0000 UTC tessec3539.home %CYBERARK: MessageID=\"240\";nsect 1.6476\",ProductAccount=\"tnon\",ProductProcess=\"ionul\",EventId=\"nibus\",EventClass=\"edquiano\",EventSeverity=\"medium\",EventMessage=\"cancel\",ActingUserName=\"ema\",ActingAddress=\"10.74.237.180\",ActionSourceUser=\"nsequu\",ActionTargetUser=\"cup\",ActionObject=\"boNemoen\",ActionSafe=\"uid\",ActionLocation=\"rors\",ActionCategory=\"onofd\",ActionRequestId=\"taed\",ActionReason=\"lup\",ActionExtraDetails=\"remeumf\"", + "file.directory": "rors", + "file.name": "boNemoen", + "fileset.name": "corepas", + "host.ip": "10.74.237.180", + "input.type": "log", + "log.level": "medium", + "log.offset": 4349, + "observer.product": "nsect", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6476", + "related.ip": [ + "10.74.237.180" + ], + "related.user": [ + "tnon", + "ema", + "cup" + ], + "rsa.db.index": "remeumf", + "rsa.internal.event_desc": "lup", + "rsa.internal.messageid": "240", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "onofd", + "rsa.misc.group_object": "uid", + "rsa.misc.reference_id": "nibus", + "rsa.misc.reference_id1": "taed", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.6476", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ema" + }, + { + "event.action": "allow", + "event.code": "ido", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2016-06-20 04:35:42.332538723 +0000 UTC sectetur3333.mail.example %CYBERARK: MessageID=\"61\";edqui 1.7780\",ProductAccount=\"lor\",ProductProcess=\"fugit\",EventId=\"ido\",EventClass=\"paqu\",EventSeverity=\"high\",EventMessage=\"allow\",ActingUserName=\"remeum\",ActingAddress=\"10.18.165.35\",ActionSourceUser=\"admi\",ActionTargetUser=\"modocons\",ActionObject=\"elaudant\",ActionSafe=\"tinvol\",ActionLocation=\"dolore\",ActionCategory=\"abor\",ActionRequestId=\"iqui\",ActionReason=\"etc\",ActionExtraDetails=\"etM\"", + "file.directory": "dolore", + "file.name": "elaudant", + "fileset.name": "corepas", + "host.ip": "10.18.165.35", + "input.type": "log", + "log.level": "high", + "log.offset": 4835, + "observer.product": "edqui", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7780", + "related.ip": [ + "10.18.165.35" + ], + "related.user": [ + "modocons", + "remeum", + "lor" + ], + "rsa.db.index": "etM", + "rsa.internal.event_desc": "etc", + "rsa.internal.messageid": "61", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "abor", + "rsa.misc.group_object": "tinvol", + "rsa.misc.reference_id": "ido", + "rsa.misc.reference_id1": "iqui", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.7780", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "remeum" + }, + { + "event.action": "deny", + "event.code": "itaut", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2016-07-04 11:38:16.592538723 +0000 UTC xercitat4824.local %CYBERARK: MessageID=\"90\";ostr 1.4979\",ProductAccount=\"onproide\",ProductProcess=\"luptat\",EventId=\"itaut\",EventClass=\"imaven\",EventSeverity=\"high\",EventMessage=\"deny\",ActingUserName=\"tema\",ActingAddress=\"10.74.253.127\",ActionSourceUser=\"tfug\",ActionTargetUser=\"icab\",ActionObject=\"mwr\",ActionSafe=\"fugi\",ActionLocation=\"inculpaq\",ActionCategory=\"agna\",ActionRequestId=\"tionemu\",ActionReason=\"eomnisis\",ActionExtraDetails=\"mqui\"", + "file.directory": "inculpaq", + "file.name": "mwr", + "fileset.name": "corepas", + "host.ip": "10.74.253.127", + "input.type": "log", + "log.level": "high", + "log.offset": 5321, + "observer.product": "ostr", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4979", + "related.ip": [ + "10.74.253.127" + ], + "related.user": [ + "icab", + "tema", + "onproide" + ], + "rsa.db.index": "mqui", + "rsa.internal.event_desc": "eomnisis", + "rsa.internal.messageid": "90", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "agna", + "rsa.misc.group_object": "fugi", + "rsa.misc.reference_id": "itaut", + "rsa.misc.reference_id1": "tionemu", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.4979", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tema" + }, + { + "destination.address": "Lor5841.internal.example", + "destination.port": 3075, + "event.action": "block", + "event.code": "385", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "errorsi 2016-07-18 18:40:50.852538723 +0000 UTC des5377.lan %CYBERARK: MessageID=\"385\";Version=1.1697;Message=block;Issuer=ono;Station=10.189.109.245;File=emaperi;Safe=tame;Location=\"tinvol\";Category=tectobe;RequestId=colabor;Reason=iusmodt;Severity=medium;GatewayStation=10.92.8.15;TicketID=agnaali;PolicyID=llitani;UserName=inima;LogonDomain=tlabo6088.www.localdomain;Address=Lor5841.internal.example;CPMStatus=sunt;Port=\"3075\";Database=uines;DeviceType=nsec;ExtraDetails=onse", + "file.directory": "tinvol", + "file.name": "emaperi", + "fileset.name": "corepas", + "host.ip": "10.189.109.245", + "input.type": "log", + "log.level": "medium", + "log.offset": 5807, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1697", + "related.hosts": [ + "tlabo6088.www.localdomain" + ], + "related.ip": [ + "10.92.8.15", + "10.189.109.245" + ], + "related.user": [ + "inima", + "ono" + ], + "rsa.db.database": "uines", + "rsa.db.index": "onse", + "rsa.internal.event_desc": "iusmodt", + "rsa.internal.messageid": "385", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "tectobe", + "rsa.misc.disposition": "sunt", + "rsa.misc.group_object": "tame", + "rsa.misc.obj_type": "nsec", + "rsa.misc.operation_id": "agnaali", + "rsa.misc.policy_name": "llitani", + "rsa.misc.reference_id": "385", + "rsa.misc.reference_id1": "colabor", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.1697", + "rsa.network.domain": "tlabo6088.www.localdomain", + "rsa.network.host_dst": "Lor5841.internal.example", + "server.domain": "tlabo6088.www.localdomain", + "service.type": "cyberark", + "source.ip": [ + "10.92.8.15" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ono" + }, + { + "event.action": "accept", + "event.code": "tisetq", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "August 2 01:43:25 tat %CYBERARK: MessageID=\"190\";tion 1.1761\",ProductAccount=\"upt\",ProductProcess=\"uiineavo\",EventId=\"tisetq\",EventClass=\"irati\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"giatquov\",ActingAddress=\"10.21.78.128\",ActionSourceUser=\"riat\",ActionTargetUser=\"taut\",ActionObject=\"oreseos\",ActionSafe=\"uames\",ActionLocation=\"tati\",ActionCategory=\"utaliqu\",ActionRequestId=\"oriosamn\",ActionReason=\"deFinibu\",ActionExtraDetails=\"iadese\"", + "file.directory": "tati", + "file.name": "oreseos", + "fileset.name": "corepas", + "host.ip": "10.21.78.128", + "input.type": "log", + "log.level": "low", + "log.offset": 6286, + "observer.product": "tion", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1761", + "related.ip": [ + "10.21.78.128" + ], + "related.user": [ + "upt", + "taut", + "giatquov" + ], + "rsa.db.index": "iadese", + "rsa.internal.event_desc": "deFinibu", + "rsa.internal.messageid": "190", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "utaliqu", + "rsa.misc.group_object": "uames", + "rsa.misc.reference_id": "tisetq", + "rsa.misc.reference_id1": "oriosamn", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.1761", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "giatquov" + }, + { + "event.action": "deny", + "event.code": "suntinc", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"256\";eporroqu 1.4200\",ProductAccount=\"hil\",ProductProcess=\"atquovo\",EventId=\"suntinc\",EventClass=\"xeac\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"tatn\",ActingAddress=\"10.18.109.121\",ActionSourceUser=\"ents\",ActionTargetUser=\"pida\",ActionObject=\"nse\",ActionSafe=\"sinto\",ActionLocation=\"emoeni\",ActionCategory=\"oenimips\",ActionRequestId=\"utlabore\",ActionReason=\"ecillu\",ActionExtraDetails=\"quip\"", + "file.directory": "emoeni", + "file.name": "nse", + "fileset.name": "corepas", + "host.ip": "10.18.109.121", + "input.type": "log", + "log.level": "medium", + "log.offset": 6744, + "observer.product": "eporroqu", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4200", + "related.ip": [ + "10.18.109.121" + ], + "related.user": [ + "pida", + "hil", + "tatn" + ], + "rsa.db.index": "quip", + "rsa.internal.event_desc": "ecillu", + "rsa.internal.messageid": "256", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "oenimips", + "rsa.misc.group_object": "sinto", + "rsa.misc.reference_id": "suntinc", + "rsa.misc.reference_id1": "utlabore", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.4200", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tatn" + }, + { + "destination.address": "rpo79.mail.example", + "destination.port": 2289, + "event.action": "cancel", + "event.code": "105", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"105\";Version=1.3727;Message=cancel;Issuer=iunt;Station=10.63.37.192;File=tio;Safe=orinrepr;Location=conse;Category=rumetM;RequestId=equi;Reason=agnaali;Severity=medium;SourceUser=sitvolup;TargetUser=reetd;GatewayStation=10.225.115.13;TicketID=maccusa;PolicyID=uptat;UserName=equep;LogonDomain=iavolu5352.localhost;Address=rpo79.mail.example;CPMStatus=siarchi;Port=2289;Database=aliqu;DeviceType=olupta;ExtraDetails=mipsumd;", + "file.directory": "conse", + "file.name": "tio", + "fileset.name": "corepas", + "group.name": "sitvolup", + "host.ip": "10.63.37.192", + "input.type": "log", + "log.level": "medium", + "log.offset": 7176, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3727", + "related.hosts": [ + "iavolu5352.localhost" + ], + "related.ip": [ + "10.63.37.192", + "10.225.115.13" + ], + "related.user": [ + "iunt", + "reetd", + "equep" + ], + "rsa.db.database": "aliqu", + "rsa.db.index": "mipsumd", + "rsa.internal.event_desc": "agnaali", + "rsa.internal.messageid": "105", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "rumetM", + "rsa.misc.disposition": "siarchi", + "rsa.misc.group": "sitvolup", + "rsa.misc.group_object": "orinrepr", + "rsa.misc.obj_type": "olupta", + "rsa.misc.operation_id": "maccusa", + "rsa.misc.policy_name": "uptat", + "rsa.misc.reference_id": "105", + "rsa.misc.reference_id1": "equi", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.3727", + "rsa.network.domain": "iavolu5352.localhost", + "rsa.network.host_dst": "rpo79.mail.example", + "server.domain": "iavolu5352.localhost", + "service.type": "cyberark", + "source.ip": [ + "10.225.115.13" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "iunt" + }, + { + "destination.address": "tionof7613.domain", + "destination.port": 2335, + "event.action": "deny", + "event.code": "105", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "remi 2016-09-13 22:51:07.892538723 +0000 UTC saute7154.internal.lan %CYBERARK: MessageID=\"105\";Version=1.3219;Message=deny;Issuer=run;Station=10.47.202.102;File=quirat;Safe=llu;Location=licab;Category=eirure;RequestId=conseq;Reason=oidentsu;Severity=medium;SourceUser=aaliquaU;TargetUser=ntor;GatewayStation=10.95.64.124;TicketID=psaquae;PolicyID=ationemu;UserName=ice;LogonDomain=estiae3750.api.corp;Address=tionof7613.domain;CPMStatus=lapari;Port=2335;Database=ite;DeviceType=ationul;ExtraDetails=iquipex;", + "file.directory": "licab", + "file.name": "quirat", + "fileset.name": "corepas", + "group.name": "aaliquaU", + "host.ip": "10.47.202.102", + "input.type": "log", + "log.level": "medium", + "log.offset": 7622, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3219", + "related.hosts": [ + "estiae3750.api.corp" + ], + "related.ip": [ + "10.47.202.102", + "10.95.64.124" + ], + "related.user": [ + "run", + "ice", + "ntor" + ], + "rsa.db.database": "ite", + "rsa.db.index": "iquipex", + "rsa.internal.event_desc": "oidentsu", + "rsa.internal.messageid": "105", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "eirure", + "rsa.misc.disposition": "lapari", + "rsa.misc.group": "aaliquaU", + "rsa.misc.group_object": "llu", + "rsa.misc.obj_type": "ationul", + "rsa.misc.operation_id": "psaquae", + "rsa.misc.policy_name": "ationemu", + "rsa.misc.reference_id": "105", + "rsa.misc.reference_id1": "conseq", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.3219", + "rsa.network.domain": "estiae3750.api.corp", + "rsa.network.host_dst": "tionof7613.domain", + "server.domain": "estiae3750.api.corp", + "service.type": "cyberark", + "source.ip": [ + "10.95.64.124" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "run" + }, + { + "destination.address": "acc7692.home", + "destination.port": 4147, + "event.action": "block", + "event.code": "376", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "adol 2016-09-28 05:53:42.152538723 +0000 UTC doloremi7402.www.test %CYBERARK: MessageID=\"376\";Version=1.6371;Message=block;Issuer=itquiin;Station=10.106.239.55;File=taevit;Safe=rinrepre;Location=etconse;Category=tincu;RequestId=ari;Reason=exercit;Severity=low;GatewayStation=10.244.114.61;TicketID=oluptate;PolicyID=onseq;UserName=serunt;LogonDomain=aquaeabi7735.internal.lan;Address=acc7692.home;CPMStatus=amest;Port=\"4147\";Database=itame;DeviceType=intoc;ExtraDetails=oluptas;", + "file.directory": "etconse", + "file.name": "taevit", + "fileset.name": "corepas", + "host.ip": "10.106.239.55", + "input.type": "log", + "log.level": "low", + "log.offset": 8130, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6371", + "related.hosts": [ + "aquaeabi7735.internal.lan" + ], + "related.ip": [ + "10.244.114.61", + "10.106.239.55" + ], + "related.user": [ + "itquiin", + "serunt" + ], + "rsa.db.database": "itame", + "rsa.db.index": "oluptas", + "rsa.internal.event_desc": "exercit", + "rsa.internal.messageid": "376", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "tincu", + "rsa.misc.disposition": "amest", + "rsa.misc.group_object": "rinrepre", + "rsa.misc.obj_type": "intoc", + "rsa.misc.operation_id": "oluptate", + "rsa.misc.policy_name": "onseq", + "rsa.misc.reference_id": "376", + "rsa.misc.reference_id1": "ari", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.6371", + "rsa.network.domain": "aquaeabi7735.internal.lan", + "rsa.network.host_dst": "acc7692.home", + "server.domain": "aquaeabi7735.internal.lan", + "service.type": "cyberark", + "source.ip": [ + "10.244.114.61" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "itquiin" + }, + { + "destination.address": "quatD4191.local", + "destination.port": 5685, + "event.action": "allow", + "event.code": "24", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2016-10-12 12:56:16.412538723 +0000 UTC luptasn2126.mail.home %CYBERARK: MessageID=\"24\";Version=1.821;Message=allow;Issuer=ione;Station=10.125.160.129;File=suntexp;Safe=duntut;Location=magni;Category=pisciv;RequestId=iquidex;Reason=radipisc;Severity=low;SourceUser=nti;TargetUser=abi;GatewayStation=10.53.168.235;TicketID=fugitse;PolicyID=veniamq;UserName=one;LogonDomain=etMalor4236.www5.host;Address=quatD4191.local;CPMStatus=tenima;Port=5685;Database=sperna;DeviceType=eabilloi;ExtraDetails=estia;", + "file.directory": "magni", + "file.name": "suntexp", + "fileset.name": "corepas", + "group.name": "nti", + "host.ip": "10.125.160.129", + "input.type": "log", + "log.level": "low", + "log.offset": 8609, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.821", + "related.hosts": [ + "etMalor4236.www5.host" + ], + "related.ip": [ + "10.53.168.235", + "10.125.160.129" + ], + "related.user": [ + "abi", + "one", + "ione" + ], + "rsa.db.database": "sperna", + "rsa.db.index": "estia", + "rsa.internal.event_desc": "radipisc", + "rsa.internal.messageid": "24", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "pisciv", + "rsa.misc.disposition": "tenima", + "rsa.misc.group": "nti", + "rsa.misc.group_object": "duntut", + "rsa.misc.obj_type": "eabilloi", + "rsa.misc.operation_id": "fugitse", + "rsa.misc.policy_name": "veniamq", + "rsa.misc.reference_id": "24", + "rsa.misc.reference_id1": "iquidex", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.821", + "rsa.network.domain": "etMalor4236.www5.host", + "rsa.network.host_dst": "quatD4191.local", + "server.domain": "etMalor4236.www5.host", + "service.type": "cyberark", + "source.ip": [ + "10.53.168.235" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ione" + }, + { + "destination.address": "eturadi6608.mail.host", + "destination.port": 3366, + "event.action": "allow", + "event.code": "197", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "orem 2016-10-26 19:58:50.672538723 +0000 UTC beata6448.mail.test %CYBERARK: MessageID=\"197\";Version=1.1123;Message=allow;Issuer=tasuntex;Station=10.227.177.121;File=boN;Safe=eprehend;Location=aevit;Category=aboN;RequestId=ihilmo;Reason=radi;Severity=low;SourceUser=uames;TargetUser=iduntu;GatewayStation=10.33.245.220;TicketID=giatnu;PolicyID=ulapa;UserName=liqui;LogonDomain=quioffi1359.internal.lan;Address=eturadi6608.mail.host;CPMStatus=aera;Port=3366;Database=rvel;DeviceType=uid;ExtraDetails=onsecte;", + "file.directory": "aevit", + "file.name": "boN", + "fileset.name": "corepas", + "group.name": "uames", + "host.ip": "10.227.177.121", + "input.type": "log", + "log.level": "low", + "log.offset": 9110, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1123", + "related.hosts": [ + "quioffi1359.internal.lan" + ], + "related.ip": [ + "10.33.245.220", + "10.227.177.121" + ], + "related.user": [ + "iduntu", + "liqui", + "tasuntex" + ], + "rsa.db.database": "rvel", + "rsa.db.index": "onsecte", + "rsa.internal.event_desc": "radi", + "rsa.internal.messageid": "197", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "aboN", + "rsa.misc.disposition": "aera", + "rsa.misc.group": "uames", + "rsa.misc.group_object": "eprehend", + "rsa.misc.obj_type": "uid", + "rsa.misc.operation_id": "giatnu", + "rsa.misc.policy_name": "ulapa", + "rsa.misc.reference_id": "197", + "rsa.misc.reference_id1": "ihilmo", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.1123", + "rsa.network.domain": "quioffi1359.internal.lan", + "rsa.network.host_dst": "eturadi6608.mail.host", + "server.domain": "quioffi1359.internal.lan", + "service.type": "cyberark", + "source.ip": [ + "10.33.245.220" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tasuntex" + }, + { + "destination.address": "eroi176.example", + "destination.port": 3341, + "event.action": "allow", + "event.code": "411", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "November 10 03:01:24 edo %CYBERARK: MessageID=\"411\";Version=1.5071;Message=allow;Issuer=econs;Station=\"10.98.182.220\";File=\"untex\";Safe=\"quiratio\";Location=\"boree\";Category=\"eco\";RequestId=Utenimad;Reason=orpor;Severity=\"low\";GatewayStation=\"10.167.85.181\";TicketID=emvel;PolicyID=\"tmollita\";UserName=fde;LogonDomain=\"nsecte3304.mail.corp\";Address=\"eroi176.example\";CPMStatus=\"non\";Port=\"3341\";Database=equat;DeviceType=derit;ExtraDetails=\"Command=dexea;ConnectionComponentId=atcu;DstHost=labor;ProcessId=6501;ProcessName=laboree.exe;Protocol=tcp;PSMID=intocc;RDPOffset=liqu;SessionID=eporr;SrcHost=xeacomm6855.api.corp;User=utlabor;VIDOffset=rau;\"", + "file.directory": "boree", + "file.name": "untex", + "fileset.name": "corepas", + "host.hostname": "xeacomm6855.api.corp", + "host.ip": "10.98.182.220", + "input.type": "log", + "log.level": "low", + "log.offset": 9617, + "network.protocol": "tcp", + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5071", + "process.name": "laboree.exe", + "process.pid": 6501, + "related.hosts": [ + "", + "nsecte3304.mail.corp" + ], + "related.ip": [ + "10.98.182.220", + "10.167.85.181" + ], + "related.user": [ + "fde", + "econs" + ], + "rsa.db.database": "equat", + "rsa.internal.event_desc": "orpor", + "rsa.internal.messageid": "411", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "eco", + "rsa.misc.disposition": "non", + "rsa.misc.group_object": "quiratio", + "rsa.misc.log_session_id": "eporr", + "rsa.misc.obj_type": "derit", + "rsa.misc.operation_id": "emvel", + "rsa.misc.param": "dexea", + "rsa.misc.policy_name": "tmollita", + "rsa.misc.reference_id": "411", + "rsa.misc.reference_id1": "Utenimad", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.5071", + "rsa.network.domain": "nsecte3304.mail.corp", + "rsa.network.host_dst": "eroi176.example", + "server.domain": "nsecte3304.mail.corp", + "service.type": "cyberark", + "source.address": "xeacomm6855.api.corp", + "source.ip": [ + "10.167.85.181" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "econs" + }, + { + "event.action": "block", + "event.code": "tessec", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "November 24 10:03:59 aeabi %CYBERARK: MessageID=\"111\";eiu 1.4456\",ProductAccount=\"iciadese\",ProductProcess=\"quidolor\",EventId=\"tessec\",EventClass=\"olupta\",EventSeverity=\"high\",EventMessage=\"block\",ActingUserName=\"icabo\",ActingAddress=\"10.89.208.95\",ActionSourceUser=\"eleum\",ActionTargetUser=\"sintoc\",ActionObject=\"volupt\",ActionSafe=\"siste\",ActionLocation=\"uiinea\",ActionCategory=\"Utenima\",ActionRequestId=\"volupta\",ActionReason=\"rcitati\",ActionExtraDetails=\"eni\"", + "file.directory": "uiinea", + "file.name": "volupt", + "fileset.name": "corepas", + "host.ip": "10.89.208.95", + "input.type": "log", + "log.level": "high", + "log.offset": 10266, + "observer.product": "eiu", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4456", + "related.ip": [ + "10.89.208.95" + ], + "related.user": [ + "icabo", + "sintoc", + "iciadese" + ], + "rsa.db.index": "eni", + "rsa.internal.event_desc": "rcitati", + "rsa.internal.messageid": "111", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "Utenima", + "rsa.misc.group_object": "siste", + "rsa.misc.reference_id": "tessec", + "rsa.misc.reference_id1": "volupta", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.4456", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "icabo" + }, + { + "destination.address": "reetdolo6852.www.test", + "destination.port": 5428, + "event.action": "accept", + "event.code": "81", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "Ute 2016-12-08 17:06:33.452538723 +0000 UTC sperna5368.mail.invalid %CYBERARK: MessageID=\"81\";Version=1.509;Message=accept;Issuer=tDuisaut;Station=10.214.191.180;File=imvenia;Safe=spi;Location=stquido;Category=ommodico;RequestId=ptas;Reason=pta;Severity=medium;SourceUser=ptatemq;TargetUser=luptatev;GatewayStation=10.72.148.32;TicketID=ipsumd;PolicyID=ntocc;UserName=uteirure;LogonDomain=nevo4284.internal.local;Address=reetdolo6852.www.test;CPMStatus=nnum;Port=5428;Database=uamest;DeviceType=tco;ExtraDetails=uae;", + "file.directory": "stquido", + "file.name": "imvenia", + "fileset.name": "corepas", + "group.name": "ptatemq", + "host.ip": "10.214.191.180", + "input.type": "log", + "log.level": "medium", + "log.offset": 10730, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.509", + "related.hosts": [ + "nevo4284.internal.local" + ], + "related.ip": [ + "10.72.148.32", + "10.214.191.180" + ], + "related.user": [ + "tDuisaut", + "luptatev", + "uteirure" + ], + "rsa.db.database": "uamest", + "rsa.db.index": "uae", + "rsa.internal.event_desc": "pta", + "rsa.internal.messageid": "81", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "ommodico", + "rsa.misc.disposition": "nnum", + "rsa.misc.group": "ptatemq", + "rsa.misc.group_object": "spi", + "rsa.misc.obj_type": "tco", + "rsa.misc.operation_id": "ipsumd", + "rsa.misc.policy_name": "ntocc", + "rsa.misc.reference_id": "81", + "rsa.misc.reference_id1": "ptas", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.509", + "rsa.network.domain": "nevo4284.internal.local", + "rsa.network.host_dst": "reetdolo6852.www.test", + "server.domain": "nevo4284.internal.local", + "service.type": "cyberark", + "source.ip": [ + "10.72.148.32" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tDuisaut" + }, + { + "destination.address": "mporin6932.api.localdomain", + "destination.port": 6604, + "event.action": "block", + "event.code": "168", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"168\";Version=1.3599;Message=block;Issuer=ipsumd;Station=10.136.190.236;File=evolu;Safe=ersp;Location=tquov;Category=diconseq;RequestId=inven;Reason=osquira;Severity=low;SourceUser=ataevi;TargetUser=com;GatewayStation=10.252.124.150;TicketID=trud;PolicyID=eriti;UserName=litessec;LogonDomain=itas981.mail.domain;Address=mporin6932.api.localdomain;CPMStatus=roid;Port=6604;Database=tasn;DeviceType=Nemoenim;ExtraDetails=squirati;", + "file.directory": "tquov", + "file.name": "evolu", + "fileset.name": "corepas", + "group.name": "ataevi", + "host.ip": "10.136.190.236", + "input.type": "log", + "log.level": "low", + "log.offset": 11247, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3599", + "related.hosts": [ + "itas981.mail.domain" + ], + "related.ip": [ + "10.252.124.150", + "10.136.190.236" + ], + "related.user": [ + "ipsumd", + "litessec", + "com" + ], + "rsa.db.database": "tasn", + "rsa.db.index": "squirati", + "rsa.internal.event_desc": "osquira", + "rsa.internal.messageid": "168", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "diconseq", + "rsa.misc.disposition": "roid", + "rsa.misc.group": "ataevi", + "rsa.misc.group_object": "ersp", + "rsa.misc.obj_type": "Nemoenim", + "rsa.misc.operation_id": "trud", + "rsa.misc.policy_name": "eriti", + "rsa.misc.reference_id": "168", + "rsa.misc.reference_id1": "inven", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3599", + "rsa.network.domain": "itas981.mail.domain", + "rsa.network.host_dst": "mporin6932.api.localdomain", + "server.domain": "itas981.mail.domain", + "service.type": "cyberark", + "source.ip": [ + "10.252.124.150" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ipsumd" + }, + { + "destination.address": "illoin2914.mail.lan", + "destination.port": 6895, + "event.action": "accept", + "event.code": "90", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "nbyCic 2017-01-06 07:11:41.972538723 +0000 UTC utlabor6305.internal.corp %CYBERARK: MessageID=\"90\";Version=1.5649;Message=accept;Issuer=iquipe;Station=10.192.34.76;File=modtemp;Safe=quovol;Location=nve;Category=remag;RequestId=uredol;Reason=ccaecat;Severity=medium;SourceUser=onsequ;TargetUser=temqu;GatewayStation=10.213.144.249;TicketID=udexerci;PolicyID=naal;UserName=lore;LogonDomain=tnonpro7635.localdomain;Address=illoin2914.mail.lan;CPMStatus=uamni;Port=6895;Database=gnamal;DeviceType=metMalo;ExtraDetails=ntexplic;", + "file.directory": "nve", + "file.name": "modtemp", + "fileset.name": "corepas", + "group.name": "onsequ", + "host.ip": "10.192.34.76", + "input.type": "log", + "log.level": "medium", + "log.offset": 11697, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5649", + "related.hosts": [ + "tnonpro7635.localdomain" + ], + "related.ip": [ + "10.192.34.76", + "10.213.144.249" + ], + "related.user": [ + "lore", + "temqu", + "iquipe" + ], + "rsa.db.database": "gnamal", + "rsa.db.index": "ntexplic", + "rsa.internal.event_desc": "ccaecat", + "rsa.internal.messageid": "90", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "remag", + "rsa.misc.disposition": "uamni", + "rsa.misc.group": "onsequ", + "rsa.misc.group_object": "quovol", + "rsa.misc.obj_type": "metMalo", + "rsa.misc.operation_id": "udexerci", + "rsa.misc.policy_name": "naal", + "rsa.misc.reference_id": "90", + "rsa.misc.reference_id1": "uredol", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.5649", + "rsa.network.domain": "tnonpro7635.localdomain", + "rsa.network.host_dst": "illoin2914.mail.lan", + "server.domain": "tnonpro7635.localdomain", + "service.type": "cyberark", + "source.ip": [ + "10.213.144.249" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "iquipe" + }, + { + "destination.address": "evit5780.www.corp", + "destination.port": 725, + "event.action": "accept", + "event.code": "376", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"376\";Version=1.2217;Message=accept;Issuer=untu;Station=10.154.4.197;File=con;Safe=nisist;Location=usmodte;Category=msequi;RequestId=tau;Reason=exercita;Severity=low;GatewayStation=10.216.84.30;TicketID=orumSe;PolicyID=boree;UserName=intoc;LogonDomain=rQuisau5300.www5.example;Address=evit5780.www.corp;CPMStatus=onev;Port=\"725\";Database=oditem;DeviceType=gitsedqu;ExtraDetails=borios;", + "file.directory": "usmodte", + "file.name": "con", + "fileset.name": "corepas", + "host.ip": "10.154.4.197", + "input.type": "log", + "log.level": "low", + "log.offset": 12221, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.2217", + "related.hosts": [ + "rQuisau5300.www5.example" + ], + "related.ip": [ + "10.154.4.197", + "10.216.84.30" + ], + "related.user": [ + "untu", + "intoc" + ], + "rsa.db.database": "oditem", + "rsa.db.index": "borios", + "rsa.internal.event_desc": "exercita", + "rsa.internal.messageid": "376", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "msequi", + "rsa.misc.disposition": "onev", + "rsa.misc.group_object": "nisist", + "rsa.misc.obj_type": "gitsedqu", + "rsa.misc.operation_id": "orumSe", + "rsa.misc.policy_name": "boree", + "rsa.misc.reference_id": "376", + "rsa.misc.reference_id1": "tau", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.2217", + "rsa.network.domain": "rQuisau5300.www5.example", + "rsa.network.host_dst": "evit5780.www.corp", + "server.domain": "rQuisau5300.www5.example", + "service.type": "cyberark", + "source.ip": [ + "10.216.84.30" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "untu" + }, + { + "event.action": "deny", + "event.code": "ess", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2017-02-03 21:16:50.492538723 +0000 UTC temUt631.www5.example %CYBERARK: MessageID=\"3\";npr 1.4414\",ProductAccount=\"niamqui\",ProductProcess=\"boNem\",EventId=\"ess\",EventClass=\"ipisci\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"tqu\",ActingAddress=\"10.143.193.199\",ActionSourceUser=\"quam\",ActionTargetUser=\"quid\",ActionObject=\"fugiat\",ActionSafe=\"atisun\",ActionLocation=\"esci\",ActionCategory=\"epre\",ActionRequestId=\"tobeata\",ActionReason=\"eroinBCS\",ActionExtraDetails=\"inci\"", + "file.directory": "esci", + "file.name": "fugiat", + "fileset.name": "corepas", + "host.ip": "10.143.193.199", + "input.type": "log", + "log.level": "medium", + "log.offset": 12628, + "observer.product": "npr", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4414", + "related.ip": [ + "10.143.193.199" + ], + "related.user": [ + "tqu", + "quid", + "niamqui" + ], + "rsa.db.index": "inci", + "rsa.internal.event_desc": "eroinBCS", + "rsa.internal.messageid": "3", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "epre", + "rsa.misc.group_object": "atisun", + "rsa.misc.reference_id": "ess", + "rsa.misc.reference_id1": "tobeata", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.4414", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tqu" + }, + { + "destination.address": "uisa5736.internal.local", + "destination.port": 302, + "event.action": "deny", + "event.code": "140", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "February 18 04:19:24 rnatur %CYBERARK: MessageID=\"140\";Version=1.5632;Message=deny;Issuer=essequam;Station=10.193.83.81;File=isisten;Safe=cusant;Location=atemq;Category=rinre;RequestId=naal;Reason=borios;Severity=high;SourceUser=isnostr;TargetUser=umqu;GatewayStation=10.65.175.9;TicketID=inesci;PolicyID=isnisi;UserName=ritatise;LogonDomain=uamei2389.internal.example;Address=uisa5736.internal.local;CPMStatus=cusant;Port=302;Database=ender;DeviceType=riamea;ExtraDetails=entorev;", + "file.directory": "atemq", + "file.name": "isisten", + "fileset.name": "corepas", + "group.name": "isnostr", + "host.ip": "10.193.83.81", + "input.type": "log", + "log.level": "high", + "log.offset": 13114, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5632", + "related.hosts": [ + "uamei2389.internal.example" + ], + "related.ip": [ + "10.65.175.9", + "10.193.83.81" + ], + "related.user": [ + "umqu", + "ritatise", + "essequam" + ], + "rsa.db.database": "ender", + "rsa.db.index": "entorev", + "rsa.internal.event_desc": "borios", + "rsa.internal.messageid": "140", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "rinre", + "rsa.misc.disposition": "cusant", + "rsa.misc.group": "isnostr", + "rsa.misc.group_object": "cusant", + "rsa.misc.obj_type": "riamea", + "rsa.misc.operation_id": "inesci", + "rsa.misc.policy_name": "isnisi", + "rsa.misc.reference_id": "140", + "rsa.misc.reference_id1": "naal", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.5632", + "rsa.network.domain": "uamei2389.internal.example", + "rsa.network.host_dst": "uisa5736.internal.local", + "server.domain": "uamei2389.internal.example", + "service.type": "cyberark", + "source.ip": [ + "10.65.175.9" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "essequam" + }, + { + "event.action": "accept", + "event.code": "sau", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"87\";tutlab 1.792\",ProductAccount=\"tatn\",ProductProcess=\"dolorsit\",EventId=\"sau\",EventClass=\"aperia\",EventSeverity=\"very-high\",EventMessage=\"accept\",ActingUserName=\"umdolo\",ActingAddress=\"10.205.72.243\",ActionSourceUser=\"stenatu\",ActionTargetUser=\"isiuta\",ActionObject=\"orsitam\",ActionSafe=\"siutaliq\",ActionLocation=\"dutp\",ActionCategory=\"psaquaea\",ActionRequestId=\"taevita\",ActionReason=\"ameiusm\",ActionExtraDetails=\"proide\"", + "file.directory": "dutp", + "file.name": "orsitam", + "fileset.name": "corepas", + "host.ip": "10.205.72.243", + "input.type": "log", + "log.level": "very-high", + "log.offset": 13596, + "observer.product": "tutlab", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.792", + "related.ip": [ + "10.205.72.243" + ], + "related.user": [ + "umdolo", + "isiuta", + "tatn" + ], + "rsa.db.index": "proide", + "rsa.internal.event_desc": "ameiusm", + "rsa.internal.messageid": "87", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "psaquaea", + "rsa.misc.group_object": "siutaliq", + "rsa.misc.reference_id": "sau", + "rsa.misc.reference_id1": "taevita", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.792", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "umdolo" + }, + { + "event.action": "allow", + "event.code": "eumiure", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2017-03-18 18:24:33.272538723 +0000 UTC velitess7586.mail.example %CYBERARK: MessageID=\"45\";nre 1.7231\",ProductAccount=\"sit\",ProductProcess=\"olab\",EventId=\"eumiure\",EventClass=\"ersp\",EventSeverity=\"medium\",EventMessage=\"allow\",ActingUserName=\"mquisno\",ActingAddress=\"10.107.9.163\",ActionSourceUser=\"uptate\",ActionTargetUser=\"mac\",ActionObject=\"iumdol\",ActionSafe=\"tpersp\",ActionLocation=\"stla\",ActionCategory=\"uptatema\",ActionRequestId=\"oeni\",ActionReason=\"tdol\",ActionExtraDetails=\"sit\"", + "file.directory": "stla", + "file.name": "iumdol", + "fileset.name": "corepas", + "host.ip": "10.107.9.163", + "input.type": "log", + "log.level": "medium", + "log.offset": 14043, + "observer.product": "nre", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7231", + "related.ip": [ + "10.107.9.163" + ], + "related.user": [ + "mquisno", + "sit", + "mac" + ], + "rsa.db.index": "sit", + "rsa.internal.event_desc": "tdol", + "rsa.internal.messageid": "45", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "uptatema", + "rsa.misc.group_object": "tpersp", + "rsa.misc.reference_id": "eumiure", + "rsa.misc.reference_id1": "oeni", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.7231", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "mquisno" + }, + { + "event.action": "deny", + "event.code": "cinge", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "April 2 01:27:07 psum %CYBERARK: MessageID=\"132\";tasnulap 1.7220\",ProductAccount=\"umSe\",ProductProcess=\"xeacomm\",EventId=\"cinge\",EventClass=\"itla\",EventSeverity=\"high\",EventMessage=\"deny\",ActingUserName=\"asiarc\",ActingAddress=\"10.80.101.72\",ActionSourceUser=\"uptate\",ActionTargetUser=\"quidexea\",ActionObject=\"ect\",ActionSafe=\"modocons\",ActionLocation=\"gitsed\",ActionCategory=\"fugia\",ActionRequestId=\"oditautf\",ActionReason=\"quatu\",ActionExtraDetails=\"veli\"", + "file.directory": "gitsed", + "file.name": "ect", + "fileset.name": "corepas", + "host.ip": "10.80.101.72", + "input.type": "log", + "log.level": "high", + "log.offset": 14531, + "observer.product": "tasnulap", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7220", + "related.ip": [ + "10.80.101.72" + ], + "related.user": [ + "asiarc", + "quidexea", + "umSe" + ], + "rsa.db.index": "veli", + "rsa.internal.event_desc": "quatu", + "rsa.internal.messageid": "132", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "fugia", + "rsa.misc.group_object": "modocons", + "rsa.misc.reference_id": "cinge", + "rsa.misc.reference_id1": "oditautf", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.7220", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "asiarc" + }, + { + "destination.address": "utlab3706.api.host", + "destination.port": 246, + "event.action": "accept", + "event.code": "200", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "April 16 08:29:41 labo %CYBERARK: MessageID=\"200\";Version=1.267;Message=accept;Issuer=aboreetd;Station=10.235.136.109;File=lorin;Safe=pitl;Location=por;Category=quidexea;RequestId=nimid;Reason=runtmol;Severity=very-high;SourceUser=odi;TargetUser=ptass;GatewayStation=10.39.10.155;TicketID=dol;PolicyID=proiden;UserName=urExcept;LogonDomain=miurerep1152.internal.domain;Address=utlab3706.api.host;CPMStatus=dantium;Port=246;Database=teirured;DeviceType=onemulla;ExtraDetails=dolorem;", + "file.directory": "por", + "file.name": "lorin", + "fileset.name": "corepas", + "group.name": "odi", + "host.ip": "10.235.136.109", + "input.type": "log", + "log.level": "very-high", + "log.offset": 14988, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.267", + "related.hosts": [ + "miurerep1152.internal.domain" + ], + "related.ip": [ + "10.235.136.109", + "10.39.10.155" + ], + "related.user": [ + "aboreetd", + "urExcept", + "ptass" + ], + "rsa.db.database": "teirured", + "rsa.db.index": "dolorem", + "rsa.internal.event_desc": "runtmol", + "rsa.internal.messageid": "200", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "quidexea", + "rsa.misc.disposition": "dantium", + "rsa.misc.group": "odi", + "rsa.misc.group_object": "pitl", + "rsa.misc.obj_type": "onemulla", + "rsa.misc.operation_id": "dol", + "rsa.misc.policy_name": "proiden", + "rsa.misc.reference_id": "200", + "rsa.misc.reference_id1": "nimid", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.267", + "rsa.network.domain": "miurerep1152.internal.domain", + "rsa.network.host_dst": "utlab3706.api.host", + "server.domain": "miurerep1152.internal.domain", + "service.type": "cyberark", + "source.ip": [ + "10.39.10.155" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "aboreetd" + }, + { + "event.action": "cancel", + "event.code": "nci", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "April 30 15:32:16 ationev %CYBERARK: MessageID=\"233\";umdolor 1.4389\",ProductAccount=\"itation\",ProductProcess=\"paquioff\",EventId=\"nci\",EventClass=\"isau\",EventSeverity=\"low\",EventMessage=\"cancel\",ActingUserName=\"ibusBon\",ActingAddress=\"10.96.224.19\",ActionSourceUser=\"nsequat\",ActionTargetUser=\"doloreme\",ActionObject=\"dun\",ActionSafe=\"reprehe\",ActionLocation=\"tincu\",ActionCategory=\"suntin\",ActionRequestId=\"itse\",ActionReason=\"umexerc\",ActionExtraDetails=\"oremipsu\"", + "file.directory": "tincu", + "file.name": "dun", + "fileset.name": "corepas", + "host.ip": "10.96.224.19", + "input.type": "log", + "log.level": "low", + "log.offset": 15471, + "observer.product": "umdolor", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4389", + "related.ip": [ + "10.96.224.19" + ], + "related.user": [ + "itation", + "ibusBon", + "doloreme" + ], + "rsa.db.index": "oremipsu", + "rsa.internal.event_desc": "umexerc", + "rsa.internal.messageid": "233", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "suntin", + "rsa.misc.group_object": "reprehe", + "rsa.misc.reference_id": "nci", + "rsa.misc.reference_id1": "itse", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.4389", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ibusBon" + }, + { + "event.action": "cancel", + "event.code": "iquidexe", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2017-05-14 22:34:50.312538723 +0000 UTC ntsunt4826.mail.corp %CYBERARK: MessageID=\"170\";olo 1.237\",ProductAccount=\"aec\",ProductProcess=\"fdeF\",EventId=\"iquidexe\",EventClass=\"diconse\",EventSeverity=\"medium\",EventMessage=\"cancel\",ActingUserName=\"reseo\",ActingAddress=\"10.71.238.250\",ActionSourceUser=\"consequa\",ActionTargetUser=\"moenimi\",ActionObject=\"olupt\",ActionSafe=\"oconsequ\",ActionLocation=\"edquiac\",ActionCategory=\"urerepr\",ActionRequestId=\"eseru\",ActionReason=\"quamest\",ActionExtraDetails=\"mac\"", + "file.directory": "edquiac", + "file.name": "olupt", + "fileset.name": "corepas", + "host.ip": "10.71.238.250", + "input.type": "log", + "log.level": "medium", + "log.offset": 15937, + "observer.product": "olo", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.237", + "related.ip": [ + "10.71.238.250" + ], + "related.user": [ + "reseo", + "aec", + "moenimi" + ], + "rsa.db.index": "mac", + "rsa.internal.event_desc": "quamest", + "rsa.internal.messageid": "170", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "urerepr", + "rsa.misc.group_object": "oconsequ", + "rsa.misc.reference_id": "iquidexe", + "rsa.misc.reference_id1": "eseru", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.237", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "reseo" + }, + { + "destination.address": "mvel1188.internal.localdomain", + "destination.port": 2694, + "event.action": "deny", + "event.code": "294", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"294\";Version=1.3804;Message=deny;Issuer=rationev;Station=10.226.20.199;File=tatem;Safe=untutlab;Location=amcor;Category=ica;RequestId=lillum;Reason=remips;Severity=low;SourceUser=taedicta;TargetUser=ritt;GatewayStation=10.226.101.180;TicketID=itesseq;PolicyID=dictasun;UserName=veniamqu;LogonDomain=rum5798.home;Address=mvel1188.internal.localdomain;CPMStatus=tetur;Port=2694;Database=conse;DeviceType=ipi;ExtraDetails=imveniam;", + "file.directory": "amcor", + "file.name": "tatem", + "fileset.name": "corepas", + "group.name": "taedicta", + "host.ip": "10.226.20.199", + "input.type": "log", + "log.level": "low", + "log.offset": 16437, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3804", + "related.hosts": [ + "rum5798.home" + ], + "related.ip": [ + "10.226.101.180", + "10.226.20.199" + ], + "related.user": [ + "rationev", + "veniamqu", + "ritt" + ], + "rsa.db.database": "conse", + "rsa.db.index": "imveniam", + "rsa.internal.event_desc": "remips", + "rsa.internal.messageid": "294", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "ica", + "rsa.misc.disposition": "tetur", + "rsa.misc.group": "taedicta", + "rsa.misc.group_object": "untutlab", + "rsa.misc.obj_type": "ipi", + "rsa.misc.operation_id": "itesseq", + "rsa.misc.policy_name": "dictasun", + "rsa.misc.reference_id": "294", + "rsa.misc.reference_id1": "lillum", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3804", + "rsa.network.domain": "rum5798.home", + "rsa.network.host_dst": "mvel1188.internal.localdomain", + "server.domain": "rum5798.home", + "service.type": "cyberark", + "source.ip": [ + "10.226.101.180" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "rationev" + }, + { + "destination.address": "perspici5680.domain", + "destination.port": 2039, + "event.action": "cancel", + "event.code": "13", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "June 12 12:39:58 licabo %CYBERARK: MessageID=\"13\";Version=1.1493;Message=cancel;Issuer=utaliqu;Station=10.86.22.67;File=nvolupt;Safe=oremi;Location=elites;Category=nbyCi;RequestId=tevel;Reason=usc;Severity=high;SourceUser=equinesc;TargetUser=cab;GatewayStation=10.134.65.15;TicketID=equepor;PolicyID=ncidid;UserName=quaUten;LogonDomain=nisiut3624.api.example;Address=perspici5680.domain;CPMStatus=iconseq;Port=2039;Database=isciv;DeviceType=rroqu;ExtraDetails=nofd;", + "event.outcome": "failure", + "file.directory": "elites", + "file.name": "nvolupt", + "fileset.name": "corepas", + "group.name": "equinesc", + "host.ip": "10.86.22.67", + "input.type": "log", + "log.level": "high", + "log.offset": 16888, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1493", + "related.hosts": [ + "nisiut3624.api.example" + ], + "related.ip": [ + "10.86.22.67", + "10.134.65.15" + ], + "related.user": [ + "quaUten", + "cab", + "utaliqu" + ], + "rsa.db.database": "isciv", + "rsa.db.index": "nofd", + "rsa.internal.event_desc": "usc", + "rsa.internal.messageid": "13", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "nbyCi", + "rsa.misc.disposition": "iconseq", + "rsa.misc.group": "equinesc", + "rsa.misc.group_object": "oremi", + "rsa.misc.obj_type": "rroqu", + "rsa.misc.operation_id": "equepor", + "rsa.misc.policy_name": "ncidid", + "rsa.misc.reference_id": "13", + "rsa.misc.reference_id1": "tevel", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.1493", + "rsa.network.domain": "nisiut3624.api.example", + "rsa.network.host_dst": "perspici5680.domain", + "server.domain": "nisiut3624.api.example", + "service.type": "cyberark", + "source.ip": [ + "10.134.65.15" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "utaliqu" + }, + { + "event.action": "accept", + "event.code": "tae", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"358\";ilmol 1.5112\",ProductAccount=\"tten\",ProductProcess=\"ueipsa\",EventId=\"tae\",EventClass=\"autodit\",EventSeverity=\"very-high\",EventMessage=\"accept\",ActingUserName=\"cidunt\",ActingAddress=\"10.70.147.120\",ActionSourceUser=\"exeaco\",ActionTargetUser=\"emqu\",ActionObject=\"nderi\",ActionSafe=\"acommod\",ActionLocation=\"itsedd\",ActionCategory=\"leumiur\",ActionRequestId=\"eratvol\",ActionReason=\"quidol\",ActionExtraDetails=\"eaqu\"", + "file.directory": "itsedd", + "file.name": "nderi", + "fileset.name": "corepas", + "host.ip": "10.70.147.120", + "input.type": "log", + "log.level": "very-high", + "log.offset": 17354, + "observer.product": "ilmol", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5112", + "related.ip": [ + "10.70.147.120" + ], + "related.user": [ + "tten", + "emqu", + "cidunt" + ], + "rsa.db.index": "eaqu", + "rsa.internal.event_desc": "quidol", + "rsa.internal.messageid": "358", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "leumiur", + "rsa.misc.group_object": "acommod", + "rsa.misc.reference_id": "tae", + "rsa.misc.reference_id1": "eratvol", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.5112", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "cidunt" + }, + { + "destination.address": "ptateve6909.www5.lan", + "destination.port": 7645, + "event.action": "cancel", + "event.code": "160", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "luptatem 2017-07-11 02:45:07.352538723 +0000 UTC uaeratv3432.invalid %CYBERARK: MessageID=\"160\";Version=1.6255;Message=cancel;Issuer=dqu;Station=10.178.242.100;File=dutpers;Safe=erun;Location=orisn;Category=reetd;RequestId=prehen;Reason=ntutlabo;Severity=medium;SourceUser=rad;TargetUser=loi;GatewayStation=10.24.111.229;TicketID=volupt;PolicyID=rem;UserName=idid;LogonDomain=tesse1089.www.host;Address=ptateve6909.www5.lan;CPMStatus=toccaec;Port=7645;Database=tenatuse;DeviceType=psaqua;ExtraDetails=ullamcor;", + "file.directory": "orisn", + "file.name": "dutpers", + "fileset.name": "corepas", + "group.name": "rad", + "host.ip": "10.178.242.100", + "input.type": "log", + "log.level": "medium", + "log.offset": 17793, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6255", + "related.hosts": [ + "tesse1089.www.host" + ], + "related.ip": [ + "10.178.242.100", + "10.24.111.229" + ], + "related.user": [ + "loi", + "dqu", + "idid" + ], + "rsa.db.database": "tenatuse", + "rsa.db.index": "ullamcor", + "rsa.internal.event_desc": "ntutlabo", + "rsa.internal.messageid": "160", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "reetd", + "rsa.misc.disposition": "toccaec", + "rsa.misc.group": "rad", + "rsa.misc.group_object": "erun", + "rsa.misc.obj_type": "psaqua", + "rsa.misc.operation_id": "volupt", + "rsa.misc.policy_name": "rem", + "rsa.misc.reference_id": "160", + "rsa.misc.reference_id1": "prehen", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.6255", + "rsa.network.domain": "tesse1089.www.host", + "rsa.network.host_dst": "ptateve6909.www5.lan", + "server.domain": "tesse1089.www.host", + "service.type": "cyberark", + "source.ip": [ + "10.24.111.229" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "dqu" + }, + { + "event.action": "deny", + "event.code": "ons", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2017-07-25 09:47:41.612538723 +0000 UTC cupi1867.www5.test %CYBERARK: MessageID=\"67\";orroq 1.6677\",ProductAccount=\"ritati\",ProductProcess=\"orisni\",EventId=\"ons\",EventClass=\"remagn\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"mmodoc\",ActingAddress=\"10.211.179.168\",ActionSourceUser=\"atu\",ActionTargetUser=\"untincul\",ActionObject=\"ssecil\",ActionSafe=\"commodi\",ActionLocation=\"emporain\",ActionCategory=\"ntiumto\",ActionRequestId=\"umetMalo\",ActionReason=\"oluptas\",ActionExtraDetails=\"emvele\"", + "file.directory": "emporain", + "file.name": "ssecil", + "fileset.name": "corepas", + "host.ip": "10.211.179.168", + "input.type": "log", + "log.level": "very-high", + "log.offset": 18304, + "observer.product": "orroq", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6677", + "related.ip": [ + "10.211.179.168" + ], + "related.user": [ + "ritati", + "mmodoc", + "untincul" + ], + "rsa.db.index": "emvele", + "rsa.internal.event_desc": "oluptas", + "rsa.internal.messageid": "67", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "ntiumto", + "rsa.misc.group_object": "commodi", + "rsa.misc.reference_id": "ons", + "rsa.misc.reference_id1": "umetMalo", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.6677", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "mmodoc" + }, + { + "event.action": "cancel", + "event.code": "olorsi", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "Sedut 2017-08-08 16:50:15.872538723 +0000 UTC yCiceroi2786.www.test %CYBERARK: MessageID=\"141\";iquamqua 1.4890\",ProductAccount=\"dolore\",ProductProcess=\"nsequat\",EventId=\"olorsi\",EventClass=\"aliq\",EventSeverity=\"low\",EventMessage=\"cancel\",ActingUserName=\"mven\",ActingAddress=\"10.30.243.163\",ActionSourceUser=\"oremag\",ActionTargetUser=\"illu\",ActionObject=\"ruredo\",ActionSafe=\"mac\",ActionLocation=\"temUt\",ActionCategory=\"ptassita\",ActionRequestId=\"its\",ActionReason=\"lore\",ActionExtraDetails=\"idol\"", + "file.directory": "temUt", + "file.name": "ruredo", + "fileset.name": "corepas", + "host.ip": "10.30.243.163", + "input.type": "log", + "log.level": "low", + "log.offset": 18809, + "observer.product": "iquamqua", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4890", + "related.ip": [ + "10.30.243.163" + ], + "related.user": [ + "mven", + "dolore", + "illu" + ], + "rsa.db.index": "idol", + "rsa.internal.event_desc": "lore", + "rsa.internal.messageid": "141", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "ptassita", + "rsa.misc.group_object": "mac", + "rsa.misc.reference_id": "olorsi", + "rsa.misc.reference_id1": "its", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.4890", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "mven" + }, + { + "destination.address": "modocon5089.mail.example", + "destination.port": 5112, + "event.action": "cancel", + "event.code": "26", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2017-08-22 23:52:50.132538723 +0000 UTC urmag7650.api.invalid %CYBERARK: MessageID=\"26\";Version=1.1844;Message=cancel;Issuer=amvo;Station=10.6.79.159;File=ommodo;Safe=uptat;Location=idex;Category=ptateve;RequestId=cons;Reason=olorese;Severity=high;SourceUser=ore;TargetUser=quid;GatewayStation=10.212.214.4;TicketID=ddoeius;PolicyID=ugiatn;UserName=midestl;LogonDomain=dictasun3878.internal.localhost;Address=modocon5089.mail.example;CPMStatus=lupta;Port=5112;Database=urExce;DeviceType=asi;ExtraDetails=ectiono;", + "file.directory": "idex", + "file.name": "ommodo", + "fileset.name": "corepas", + "group.name": "ore", + "host.ip": "10.6.79.159", + "input.type": "log", + "log.level": "high", + "log.offset": 19305, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1844", + "related.hosts": [ + "dictasun3878.internal.localhost" + ], + "related.ip": [ + "10.212.214.4", + "10.6.79.159" + ], + "related.user": [ + "midestl", + "quid", + "amvo" + ], + "rsa.db.database": "urExce", + "rsa.db.index": "ectiono", + "rsa.internal.event_desc": "olorese", + "rsa.internal.messageid": "26", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "ptateve", + "rsa.misc.disposition": "lupta", + "rsa.misc.group": "ore", + "rsa.misc.group_object": "uptat", + "rsa.misc.obj_type": "asi", + "rsa.misc.operation_id": "ddoeius", + "rsa.misc.policy_name": "ugiatn", + "rsa.misc.reference_id": "26", + "rsa.misc.reference_id1": "cons", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.1844", + "rsa.network.domain": "dictasun3878.internal.localhost", + "rsa.network.host_dst": "modocon5089.mail.example", + "server.domain": "dictasun3878.internal.localhost", + "service.type": "cyberark", + "source.ip": [ + "10.212.214.4" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "amvo" + }, + { + "destination.address": "tempor1282.www5.localhost", + "destination.port": 7699, + "event.action": "deny", + "event.code": "150", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "onu 2017-09-06 06:55:24.392538723 +0000 UTC liquaUte6729.api.localhost %CYBERARK: MessageID=\"150\";Version=1.3546;Message=deny;Issuer=atDu;Station=10.237.170.202;File=maperi;Safe=agnaaliq;Location=tlaboree;Category=norumet;RequestId=dtempo;Reason=tin;Severity=low;SourceUser=mve;TargetUser=liquide;GatewayStation=10.70.147.46;TicketID=inv;PolicyID=rroq;UserName=rcit;LogonDomain=aecatcup2241.www5.test;Address=tempor1282.www5.localhost;CPMStatus=incidid;Port=7699;Database=taedict;DeviceType=edquian;ExtraDetails=loremeu;", + "file.directory": "tlaboree", + "file.name": "maperi", + "fileset.name": "corepas", + "group.name": "mve", + "host.ip": "10.237.170.202", + "input.type": "log", + "log.level": "low", + "log.offset": 19818, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3546", + "related.hosts": [ + "aecatcup2241.www5.test" + ], + "related.ip": [ + "10.237.170.202", + "10.70.147.46" + ], + "related.user": [ + "liquide", + "atDu", + "rcit" + ], + "rsa.db.database": "taedict", + "rsa.db.index": "loremeu", + "rsa.internal.event_desc": "tin", + "rsa.internal.messageid": "150", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "norumet", + "rsa.misc.disposition": "incidid", + "rsa.misc.group": "mve", + "rsa.misc.group_object": "agnaaliq", + "rsa.misc.obj_type": "edquian", + "rsa.misc.operation_id": "inv", + "rsa.misc.policy_name": "rroq", + "rsa.misc.reference_id": "150", + "rsa.misc.reference_id1": "dtempo", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3546", + "rsa.network.domain": "aecatcup2241.www5.test", + "rsa.network.host_dst": "tempor1282.www5.localhost", + "server.domain": "aecatcup2241.www5.test", + "service.type": "cyberark", + "source.ip": [ + "10.70.147.46" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "atDu" + }, + { + "destination.address": "mipsum2964.invalid", + "destination.port": 6825, + "event.action": "allow", + "event.code": "292", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "dmi 2017-09-20 13:57:58.652538723 +0000 UTC untexpl2847.www5.local %CYBERARK: MessageID=\"292\";Version=1.4282;Message=allow;Issuer=emoe;Station=10.179.50.138;File=ehende;Safe=eaqueip;Location=eum;Category=lamc;RequestId=umetMal;Reason=asper;Severity=high;SourceUser=metcons;TargetUser=itasper;GatewayStation=10.228.118.81;TicketID=temquiav;PolicyID=obeata;UserName=tatemU;LogonDomain=mad5185.www5.localhost;Address=mipsum2964.invalid;CPMStatus=doei;Port=6825;Database=toditaut;DeviceType=voluptat;ExtraDetails=ugit;", + "file.directory": "eum", + "file.name": "ehende", + "fileset.name": "corepas", + "group.name": "metcons", + "host.ip": "10.179.50.138", + "input.type": "log", + "log.level": "high", + "log.offset": 20339, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4282", + "related.hosts": [ + "mad5185.www5.localhost" + ], + "related.ip": [ + "10.228.118.81", + "10.179.50.138" + ], + "related.user": [ + "emoe", + "itasper", + "tatemU" + ], + "rsa.db.database": "toditaut", + "rsa.db.index": "ugit", + "rsa.internal.event_desc": "asper", + "rsa.internal.messageid": "292", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "lamc", + "rsa.misc.disposition": "doei", + "rsa.misc.group": "metcons", + "rsa.misc.group_object": "eaqueip", + "rsa.misc.obj_type": "voluptat", + "rsa.misc.operation_id": "temquiav", + "rsa.misc.policy_name": "obeata", + "rsa.misc.reference_id": "292", + "rsa.misc.reference_id1": "umetMal", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.4282", + "rsa.network.domain": "mad5185.www5.localhost", + "rsa.network.host_dst": "mipsum2964.invalid", + "server.domain": "mad5185.www5.localhost", + "service.type": "cyberark", + "source.ip": [ + "10.228.118.81" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "emoe" + }, + { + "destination.address": "veniamq1236.invalid", + "destination.port": 1458, + "event.action": "cancel", + "event.code": "38", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "October 4 21:00:32 asnu %CYBERARK: MessageID=\"38\";Version=1.3806;Message=cancel;Issuer=henderit;Station=10.49.71.118;File=ationul;Safe=mquisn;Location=queips;Category=midest;RequestId=dex;Reason=ccae;Severity=medium;SourceUser=eavolup;TargetUser=emip;GatewayStation=10.234.165.130;TicketID=ntexplic;PolicyID=uto;UserName=iuntNequ;LogonDomain=esseq7889.www.invalid;Address=veniamq1236.invalid;CPMStatus=emo;Port=1458;Database=veniamqu;DeviceType=licaboN;ExtraDetails=atquo;", + "file.directory": "queips", + "file.name": "ationul", + "fileset.name": "corepas", + "group.name": "eavolup", + "host.ip": "10.49.71.118", + "input.type": "log", + "log.level": "medium", + "log.offset": 20854, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3806", + "related.hosts": [ + "esseq7889.www.invalid" + ], + "related.ip": [ + "10.49.71.118", + "10.234.165.130" + ], + "related.user": [ + "emip", + "iuntNequ", + "henderit" + ], + "rsa.db.database": "veniamqu", + "rsa.db.index": "atquo", + "rsa.internal.event_desc": "ccae", + "rsa.internal.messageid": "38", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "midest", + "rsa.misc.disposition": "emo", + "rsa.misc.group": "eavolup", + "rsa.misc.group_object": "mquisn", + "rsa.misc.obj_type": "licaboN", + "rsa.misc.operation_id": "ntexplic", + "rsa.misc.policy_name": "uto", + "rsa.misc.reference_id": "38", + "rsa.misc.reference_id1": "dex", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.3806", + "rsa.network.domain": "esseq7889.www.invalid", + "rsa.network.host_dst": "veniamq1236.invalid", + "server.domain": "esseq7889.www.invalid", + "service.type": "cyberark", + "source.ip": [ + "10.234.165.130" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "henderit" + }, + { + "event.action": "allow", + "event.code": "tatem", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "udan 2017-10-19 04:03:07.172538723 +0000 UTC yCic5749.www.localhost %CYBERARK: MessageID=\"119\";itanim 1.4024\",ProductAccount=\"olorema\",ProductProcess=\"mollita\",EventId=\"tatem\",EventClass=\"iae\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"emip\",ActingAddress=\"10.199.5.49\",ActionSourceUser=\"stquid\",ActionTargetUser=\"turadipi\",ActionObject=\"usmodi\",ActionSafe=\"ree\",ActionLocation=\"saquaea\",ActionCategory=\"ation\",ActionRequestId=\"luptas\",ActionReason=\"minim\",ActionExtraDetails=\"ataevi\"", + "file.directory": "saquaea", + "file.name": "usmodi", + "fileset.name": "corepas", + "host.ip": "10.199.5.49", + "input.type": "log", + "log.level": "low", + "log.offset": 21327, + "observer.product": "itanim", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4024", + "related.ip": [ + "10.199.5.49" + ], + "related.user": [ + "turadipi", + "emip", + "olorema" + ], + "rsa.db.index": "ataevi", + "rsa.internal.event_desc": "minim", + "rsa.internal.messageid": "119", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "ation", + "rsa.misc.group_object": "ree", + "rsa.misc.reference_id": "tatem", + "rsa.misc.reference_id1": "luptas", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.4024", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "emip" + }, + { + "event.action": "allow", + "event.code": "tionula", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"156\";plic 1.7053\",ProductAccount=\"utlabo\",ProductProcess=\"tetur\",EventId=\"tionula\",EventClass=\"ritqu\",EventSeverity=\"very-high\",EventMessage=\"allow\",ActingUserName=\"uamei\",ActingAddress=\"10.193.219.34\",ActionSourceUser=\"onse\",ActionTargetUser=\"olorem\",ActionObject=\"turvel\",ActionSafe=\"eratv\",ActionLocation=\"ipsa\",ActionCategory=\"asuntexp\",ActionRequestId=\"adminim\",ActionReason=\"orisni\",ActionExtraDetails=\"nse\"", + "file.directory": "ipsa", + "file.name": "turvel", + "fileset.name": "corepas", + "host.ip": "10.193.219.34", + "input.type": "log", + "log.level": "very-high", + "log.offset": 21826, + "observer.product": "plic", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7053", + "related.ip": [ + "10.193.219.34" + ], + "related.user": [ + "uamei", + "utlabo", + "olorem" + ], + "rsa.db.index": "nse", + "rsa.internal.event_desc": "orisni", + "rsa.internal.messageid": "156", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "asuntexp", + "rsa.misc.group_object": "eratv", + "rsa.misc.reference_id": "tionula", + "rsa.misc.reference_id1": "adminim", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.7053", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "uamei" + }, + { + "destination.address": "taliqui5348.mail.localdomain", + "destination.port": 6816, + "event.action": "allow", + "event.code": "202", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "November 16 18:08:15 nderi %CYBERARK: MessageID=\"202\";Version=1.7083;Message=allow;Issuer=animid;Station=10.120.167.217;File=atuse;Safe=ueipsa;Location=scipitl;Category=eumi;RequestId=quasiarc;Reason=olli;Severity=low;SourceUser=tetura;TargetUser=rsp;GatewayStation=10.174.185.109;TicketID=roquisqu;PolicyID=edolorin;UserName=dolorem;LogonDomain=tem6815.home;Address=taliqui5348.mail.localdomain;CPMStatus=loremag;Port=6816;Database=tsuntinc;DeviceType=inrepreh;ExtraDetails=quovo;", + "file.directory": "scipitl", + "file.name": "atuse", + "fileset.name": "corepas", + "group.name": "tetura", + "host.ip": "10.120.167.217", + "input.type": "log", + "log.level": "low", + "log.offset": 22262, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7083", + "related.hosts": [ + "tem6815.home" + ], + "related.ip": [ + "10.174.185.109", + "10.120.167.217" + ], + "related.user": [ + "animid", + "dolorem", + "rsp" + ], + "rsa.db.database": "tsuntinc", + "rsa.db.index": "quovo", + "rsa.internal.event_desc": "olli", + "rsa.internal.messageid": "202", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "eumi", + "rsa.misc.disposition": "loremag", + "rsa.misc.group": "tetura", + "rsa.misc.group_object": "ueipsa", + "rsa.misc.obj_type": "inrepreh", + "rsa.misc.operation_id": "roquisqu", + "rsa.misc.policy_name": "edolorin", + "rsa.misc.reference_id": "202", + "rsa.misc.reference_id1": "quasiarc", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.7083", + "rsa.network.domain": "tem6815.home", + "rsa.network.host_dst": "taliqui5348.mail.localdomain", + "server.domain": "tem6815.home", + "service.type": "cyberark", + "source.ip": [ + "10.174.185.109" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "animid" + }, + { + "destination.address": "atnulapa3548.www.domain", + "destination.port": 5347, + "event.action": "cancel", + "event.code": "133", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"133\";Version=1.1432;Message=cancel;Issuer=atev;Station=10.117.137.159;File=acommodi;Safe=essecill;Location=billoi;Category=moles;RequestId=dipiscin;Reason=olup;Severity=high;SourceUser=undeomni;TargetUser=accusa;GatewayStation=10.141.213.219;TicketID=itat;PolicyID=stlaboru;UserName=ate;LogonDomain=mporainc2064.home;Address=atnulapa3548.www.domain;CPMStatus=radipisc;Port=5347;Database=nibus;DeviceType=vitaed;ExtraDetails=ser;", + "file.directory": "billoi", + "file.name": "acommodi", + "fileset.name": "corepas", + "group.name": "undeomni", + "host.ip": "10.117.137.159", + "input.type": "log", + "log.level": "high", + "log.offset": 22744, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1432", + "related.hosts": [ + "mporainc2064.home" + ], + "related.ip": [ + "10.117.137.159", + "10.141.213.219" + ], + "related.user": [ + "accusa", + "ate", + "atev" + ], + "rsa.db.database": "nibus", + "rsa.db.index": "ser", + "rsa.internal.event_desc": "olup", + "rsa.internal.messageid": "133", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "moles", + "rsa.misc.disposition": "radipisc", + "rsa.misc.group": "undeomni", + "rsa.misc.group_object": "essecill", + "rsa.misc.obj_type": "vitaed", + "rsa.misc.operation_id": "itat", + "rsa.misc.policy_name": "stlaboru", + "rsa.misc.reference_id": "133", + "rsa.misc.reference_id1": "dipiscin", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.1432", + "rsa.network.domain": "mporainc2064.home", + "rsa.network.host_dst": "atnulapa3548.www.domain", + "server.domain": "mporainc2064.home", + "service.type": "cyberark", + "source.ip": [ + "10.141.213.219" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "atev" + }, + { + "destination.address": "litesseq6785.host", + "destination.port": 7390, + "event.action": "cancel", + "event.code": "104", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2017-12-15 08:13:24.212538723 +0000 UTC ill6772.www.invalid %CYBERARK: MessageID=\"104\";Version=1.4043;Message=cancel;Issuer=rem;Station=10.166.90.130;File=mdolore;Safe=eosquira;Location=pta;Category=snos;RequestId=orsi;Reason=tetura;Severity=very-high;SourceUser=lorsita;TargetUser=eavol;GatewayStation=10.94.224.229;TicketID=lupta;PolicyID=npr;UserName=etconsec;LogonDomain=caboNem1043.internal.home;Address=litesseq6785.host;CPMStatus=tob;Port=7390;Database=oditempo;DeviceType=doeiu;ExtraDetails=deF;", + "file.directory": "pta", + "file.name": "mdolore", + "fileset.name": "corepas", + "group.name": "lorsita", + "host.ip": "10.166.90.130", + "input.type": "log", + "log.level": "very-high", + "log.offset": 23195, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4043", + "related.hosts": [ + "caboNem1043.internal.home" + ], + "related.ip": [ + "10.166.90.130", + "10.94.224.229" + ], + "related.user": [ + "eavol", + "rem", + "etconsec" + ], + "rsa.db.database": "oditempo", + "rsa.db.index": "deF", + "rsa.internal.event_desc": "tetura", + "rsa.internal.messageid": "104", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "User", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "snos", + "rsa.misc.disposition": "tob", + "rsa.misc.group": "lorsita", + "rsa.misc.group_object": "eosquira", + "rsa.misc.obj_type": "doeiu", + "rsa.misc.operation_id": "lupta", + "rsa.misc.policy_name": "npr", + "rsa.misc.reference_id": "104", + "rsa.misc.reference_id1": "orsi", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.4043", + "rsa.network.domain": "caboNem1043.internal.home", + "rsa.network.host_dst": "litesseq6785.host", + "server.domain": "caboNem1043.internal.home", + "service.type": "cyberark", + "source.ip": [ + "10.94.224.229" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "rem" + }, + { + "destination.address": "onnu2272.mail.corp", + "destination.port": 6064, + "event.action": "deny", + "event.code": "316", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "rcitat 2017-12-29 15:15:58.472538723 +0000 UTC dolorema2984.www.home %CYBERARK: MessageID=\"316\";Version=1.2456;Message=deny;Issuer=tiumto;Station=10.38.28.151;File=nrepreh;Safe=ratv;Location=alorum;Category=mquisn;RequestId=atq;Reason=erspi;Severity=low;SourceUser=ugiatquo;TargetUser=incidid;GatewayStation=10.201.81.46;TicketID=sBonor;PolicyID=fugits;UserName=mipsumqu;LogonDomain=tatio6513.www.invalid;Address=onnu2272.mail.corp;CPMStatus=atatnon;Port=6064;Database=abor;DeviceType=magnid;ExtraDetails=adol;", + "file.directory": "alorum", + "file.name": "nrepreh", + "fileset.name": "corepas", + "group.name": "ugiatquo", + "host.ip": "10.38.28.151", + "input.type": "log", + "log.level": "low", + "log.offset": 23699, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.2456", + "related.hosts": [ + "tatio6513.www.invalid" + ], + "related.ip": [ + "10.201.81.46", + "10.38.28.151" + ], + "related.user": [ + "tiumto", + "incidid", + "mipsumqu" + ], + "rsa.db.database": "abor", + "rsa.db.index": "adol", + "rsa.internal.event_desc": "erspi", + "rsa.internal.messageid": "316", + "rsa.investigations.ec_activity": "Modify", + "rsa.investigations.ec_theme": "Password", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "mquisn", + "rsa.misc.disposition": "atatnon", + "rsa.misc.group": "ugiatquo", + "rsa.misc.group_object": "ratv", + "rsa.misc.obj_type": "magnid", + "rsa.misc.operation_id": "sBonor", + "rsa.misc.policy_name": "fugits", + "rsa.misc.reference_id": "316", + "rsa.misc.reference_id1": "atq", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.2456", + "rsa.network.domain": "tatio6513.www.invalid", + "rsa.network.host_dst": "onnu2272.mail.corp", + "server.domain": "tatio6513.www.invalid", + "service.type": "cyberark", + "source.ip": [ + "10.201.81.46" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tiumto" + }, + { + "destination.address": "llit958.www.domain", + "destination.port": 2957, + "event.action": "deny", + "event.code": "266", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "January 12 22:18:32 niam %CYBERARK: MessageID=\"266\";Version=1.2721;Message=deny;Issuer=rerepre;Station=10.214.245.95;File=quiineav;Safe=billoinv;Location=sci;Category=col;RequestId=obea;Reason=emp;Severity=medium;SourceUser=luptas;TargetUser=uptatem;GatewayStation=10.255.28.56;TicketID=inrepr;PolicyID=mol;UserName=umdolors;LogonDomain=dolori6232.api.invalid;Address=llit958.www.domain;CPMStatus=tat;Port=2957;Database=odt;DeviceType=cillumd;ExtraDetails=riosa;", + "file.directory": "sci", + "file.name": "quiineav", + "fileset.name": "corepas", + "group.name": "luptas", + "host.ip": "10.214.245.95", + "input.type": "log", + "log.level": "medium", + "log.offset": 24210, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.2721", + "related.hosts": [ + "dolori6232.api.invalid" + ], + "related.ip": [ + "10.255.28.56", + "10.214.245.95" + ], + "related.user": [ + "umdolors", + "uptatem", + "rerepre" + ], + "rsa.db.database": "odt", + "rsa.db.index": "riosa", + "rsa.internal.event_desc": "emp", + "rsa.internal.messageid": "266", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "col", + "rsa.misc.disposition": "tat", + "rsa.misc.group": "luptas", + "rsa.misc.group_object": "billoinv", + "rsa.misc.obj_type": "cillumd", + "rsa.misc.operation_id": "inrepr", + "rsa.misc.policy_name": "mol", + "rsa.misc.reference_id": "266", + "rsa.misc.reference_id1": "obea", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.2721", + "rsa.network.domain": "dolori6232.api.invalid", + "rsa.network.host_dst": "llit958.www.domain", + "server.domain": "dolori6232.api.invalid", + "service.type": "cyberark", + "source.ip": [ + "10.255.28.56" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "rerepre" + }, + { + "event.action": "cancel", + "event.code": "nim", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "January 27 05:21:06 lapar %CYBERARK: MessageID=\"311\";ritati 1.3219\",ProductAccount=\"qui\",ProductProcess=\"otamr\",EventId=\"nim\",EventClass=\"ame\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"mip\",ActingAddress=\"10.45.35.180\",ActionSourceUser=\"mvolupta\",ActionTargetUser=\"Utenima\",ActionObject=\"iqua\",ActionSafe=\"luptat\",ActionLocation=\"deriti\",ActionCategory=\"sintocc\",ActionRequestId=\"cididu\",ActionReason=\"uteir\",ActionExtraDetails=\"boree\"", + "file.directory": "deriti", + "file.name": "iqua", + "fileset.name": "corepas", + "host.ip": "10.45.35.180", + "input.type": "log", + "log.level": "very-high", + "log.offset": 24673, + "observer.product": "ritati", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3219", + "related.ip": [ + "10.45.35.180" + ], + "related.user": [ + "mip", + "Utenima", + "qui" + ], + "rsa.db.index": "boree", + "rsa.internal.event_desc": "uteir", + "rsa.internal.messageid": "311", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "sintocc", + "rsa.misc.group_object": "luptat", + "rsa.misc.reference_id": "nim", + "rsa.misc.reference_id1": "cididu", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3219", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "mip" + }, + { + "event.action": "accept", + "event.code": "scivel", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "February 10 12:23:41 diduntu %CYBERARK: MessageID=\"285\";eiusmod 1.7546\",ProductAccount=\"ess\",ProductProcess=\"uide\",EventId=\"scivel\",EventClass=\"henderi\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"enim\",ActingAddress=\"10.141.200.133\",ActionSourceUser=\"ersp\",ActionTargetUser=\"iame\",ActionObject=\"orroquis\",ActionSafe=\"aquio\",ActionLocation=\"riatu\",ActionCategory=\"loinve\",ActionRequestId=\"tanimid\",ActionReason=\"isnostru\",ActionExtraDetails=\"nofdeFi\"", + "file.directory": "riatu", + "file.name": "orroquis", + "fileset.name": "corepas", + "host.ip": "10.141.200.133", + "input.type": "log", + "log.level": "low", + "log.offset": 25131, + "observer.product": "eiusmod", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7546", + "related.ip": [ + "10.141.200.133" + ], + "related.user": [ + "enim", + "iame", + "ess" + ], + "rsa.db.index": "nofdeFi", + "rsa.internal.event_desc": "isnostru", + "rsa.internal.messageid": "285", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "loinve", + "rsa.misc.group_object": "aquio", + "rsa.misc.reference_id": "scivel", + "rsa.misc.reference_id1": "tanimid", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.7546", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "enim" + }, + { + "event.action": "accept", + "event.code": "rationev", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"155\";ulap 1.3765\",ProductAccount=\"illoi\",ProductProcess=\"reetdolo\",EventId=\"rationev\",EventClass=\"ehender\",EventSeverity=\"medium\",EventMessage=\"accept\",ActingUserName=\"ugi\",ActingAddress=\"10.83.238.145\",ActionSourceUser=\"ptatems\",ActionTargetUser=\"runtmo\",ActionObject=\"ore\",ActionSafe=\"isund\",ActionLocation=\"exerci\",ActionCategory=\"tas\",ActionRequestId=\"oraincid\",ActionReason=\"quaer\",ActionExtraDetails=\"eetdo\"", + "file.directory": "exerci", + "file.name": "ore", + "fileset.name": "corepas", + "host.ip": "10.83.238.145", + "input.type": "log", + "log.level": "medium", + "log.offset": 25596, + "observer.product": "ulap", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3765", + "related.ip": [ + "10.83.238.145" + ], + "related.user": [ + "ugi", + "illoi", + "runtmo" + ], + "rsa.db.index": "eetdo", + "rsa.internal.event_desc": "quaer", + "rsa.internal.messageid": "155", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "tas", + "rsa.misc.group_object": "isund", + "rsa.misc.reference_id": "rationev", + "rsa.misc.reference_id1": "oraincid", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.3765", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ugi" + }, + { + "destination.address": "llamc6724.www.lan", + "destination.port": 4020, + "event.action": "block", + "event.code": "48", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2018-03-11 02:28:49.772538723 +0000 UTC aali6869.api.localdomain %CYBERARK: MessageID=\"48\";Version=1.3147;Message=block;Issuer=sedquiac;Station=10.39.143.155;File=ipsaqu;Safe=nisiut;Location=rumwri;Category=velill;RequestId=ore;Reason=tation;Severity=very-high;SourceUser=porincid;TargetUser=tperspic;GatewayStation=10.41.89.217;TicketID=ict;PolicyID=squirati;UserName=tem;LogonDomain=mestq2106.api.host;Address=llamc6724.www.lan;CPMStatus=tesseci;Port=4020;Database=radipis;DeviceType=cive;ExtraDetails=nse;", + "file.directory": "rumwri", + "file.name": "ipsaqu", + "fileset.name": "corepas", + "group.name": "porincid", + "host.ip": "10.39.143.155", + "input.type": "log", + "log.level": "very-high", + "log.offset": 26032, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3147", + "related.hosts": [ + "mestq2106.api.host" + ], + "related.ip": [ + "10.41.89.217", + "10.39.143.155" + ], + "related.user": [ + "tem", + "tperspic", + "sedquiac" + ], + "rsa.db.database": "radipis", + "rsa.db.index": "nse", + "rsa.internal.event_desc": "tation", + "rsa.internal.messageid": "48", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "velill", + "rsa.misc.disposition": "tesseci", + "rsa.misc.group": "porincid", + "rsa.misc.group_object": "nisiut", + "rsa.misc.obj_type": "cive", + "rsa.misc.operation_id": "ict", + "rsa.misc.policy_name": "squirati", + "rsa.misc.reference_id": "48", + "rsa.misc.reference_id1": "ore", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3147", + "rsa.network.domain": "mestq2106.api.host", + "rsa.network.host_dst": "llamc6724.www.lan", + "server.domain": "mestq2106.api.host", + "service.type": "cyberark", + "source.ip": [ + "10.41.89.217" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "sedquiac" + }, + { + "destination.address": "reseosqu1629.mail.lan", + "destination.port": 5325, + "event.action": "accept", + "event.code": "378", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "isnisiu 2018-03-25 09:31:24.032538723 +0000 UTC suntincu2940.www5.domain %CYBERARK: MessageID=\"378\";Version=1.6382;Message=accept;Issuer=minim;Station=10.5.5.1;File=reseosq;Safe=gna;Location=isiutali;Category=lumqu;RequestId=onulamco;Reason=ons;Severity=low;SourceUser=uptat;TargetUser=unt;GatewayStation=10.153.123.20;TicketID=tla;PolicyID=mquiad;UserName=CSe;LogonDomain=lors7553.api.local;Address=reseosqu1629.mail.lan;CPMStatus=utemvel;Port=5325;Database=atu;DeviceType=iusm;ExtraDetails=roi;", + "file.directory": "isiutali", + "file.name": "reseosq", + "fileset.name": "corepas", + "group.name": "uptat", + "host.ip": "10.5.5.1", + "input.type": "log", + "log.level": "low", + "log.offset": 26541, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6382", + "related.hosts": [ + "lors7553.api.local" + ], + "related.ip": [ + "10.153.123.20", + "10.5.5.1" + ], + "related.user": [ + "minim", + "unt", + "CSe" + ], + "rsa.db.database": "atu", + "rsa.db.index": "roi", + "rsa.internal.event_desc": "ons", + "rsa.internal.messageid": "378", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "lumqu", + "rsa.misc.disposition": "utemvel", + "rsa.misc.group": "uptat", + "rsa.misc.group_object": "gna", + "rsa.misc.obj_type": "iusm", + "rsa.misc.operation_id": "tla", + "rsa.misc.policy_name": "mquiad", + "rsa.misc.reference_id": "378", + "rsa.misc.reference_id1": "onulamco", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.6382", + "rsa.network.domain": "lors7553.api.local", + "rsa.network.host_dst": "reseosqu1629.mail.lan", + "server.domain": "lors7553.api.local", + "service.type": "cyberark", + "source.ip": [ + "10.153.123.20" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "minim" + }, + { + "destination.address": "orumSe4514.www.corp", + "destination.port": 80, + "event.action": "deny", + "event.code": "269", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2018-04-08 16:33:58.292538723 +0000 UTC rere5274.mail.domain %CYBERARK: MessageID=\"269\";Version=1.3193;Message=deny;Issuer=iamea;Station=10.210.61.109;File=tiumto;Safe=cor;Location=odoco;Category=oin;RequestId=itseddoe;Reason=elites;Severity=low;SourceUser=uamei;TargetUser=eursinto;GatewayStation=10.168.132.175;TicketID=licaboNe;PolicyID=tautfug;UserName=giatquov;LogonDomain=olu5333.www.domain;Address=orumSe4514.www.corp;CPMStatus=umquam;Port=80;Database=ici;DeviceType=nisiuta;ExtraDetails=iquaUt;", + "file.directory": "odoco", + "file.name": "tiumto", + "fileset.name": "corepas", + "group.name": "uamei", + "host.ip": "10.210.61.109", + "input.type": "log", + "log.level": "low", + "log.offset": 27038, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3193", + "related.hosts": [ + "olu5333.www.domain" + ], + "related.ip": [ + "10.168.132.175", + "10.210.61.109" + ], + "related.user": [ + "giatquov", + "iamea", + "eursinto" + ], + "rsa.db.database": "ici", + "rsa.db.index": "iquaUt", + "rsa.internal.event_desc": "elites", + "rsa.internal.messageid": "269", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "oin", + "rsa.misc.disposition": "umquam", + "rsa.misc.group": "uamei", + "rsa.misc.group_object": "cor", + "rsa.misc.obj_type": "nisiuta", + "rsa.misc.operation_id": "licaboNe", + "rsa.misc.policy_name": "tautfug", + "rsa.misc.reference_id": "269", + "rsa.misc.reference_id1": "itseddoe", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3193", + "rsa.network.domain": "olu5333.www.domain", + "rsa.network.host_dst": "orumSe4514.www.corp", + "server.domain": "olu5333.www.domain", + "service.type": "cyberark", + "source.ip": [ + "10.168.132.175" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "iamea" + }, + { + "event.action": "accept", + "event.code": "olup", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"176\";atnula 1.5038\",ProductAccount=\"lmo\",ProductProcess=\"iquidex\",EventId=\"olup\",EventClass=\"remipsu\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"quiac\",ActingAddress=\"10.123.154.17\",ActionSourceUser=\"etdol\",ActionTargetUser=\"dolorsi\",ActionObject=\"nturmag\",ActionSafe=\"tura\",ActionLocation=\"osquirat\",ActionCategory=\"equat\",ActionRequestId=\"aliquid\",ActionReason=\"usantiu\",ActionExtraDetails=\"idunt\"", + "file.directory": "osquirat", + "file.name": "nturmag", + "fileset.name": "corepas", + "host.ip": "10.123.154.17", + "input.type": "log", + "log.level": "low", + "log.offset": 27541, + "observer.product": "atnula", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5038", + "related.ip": [ + "10.123.154.17" + ], + "related.user": [ + "dolorsi", + "lmo", + "quiac" + ], + "rsa.db.index": "idunt", + "rsa.internal.event_desc": "usantiu", + "rsa.internal.messageid": "176", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "equat", + "rsa.misc.group_object": "tura", + "rsa.misc.reference_id": "olup", + "rsa.misc.reference_id1": "aliquid", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.5038", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "quiac" + }, + { + "event.action": "deny", + "event.code": "lpaquiof", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"4\";min 1.136\",ProductAccount=\"xplic\",ProductProcess=\"eseruntm\",EventId=\"lpaquiof\",EventClass=\"oloreeu\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"etquasia\",ActingAddress=\"10.169.123.103\",ActionSourceUser=\"riatur\",ActionTargetUser=\"oeni\",ActionObject=\"dol\",ActionSafe=\"dol\",ActionLocation=\"atur\",ActionCategory=\"issu\",ActionRequestId=\"identsu\",ActionReason=\"piscivel\",ActionExtraDetails=\"hend\"", + "event.outcome": "failure", + "file.directory": "atur", + "file.name": "dol", + "fileset.name": "corepas", + "host.ip": "10.169.123.103", + "input.type": "log", + "log.level": "very-high", + "log.offset": 27978, + "observer.product": "min", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.136", + "related.ip": [ + "10.169.123.103" + ], + "related.user": [ + "oeni", + "etquasia", + "xplic" + ], + "rsa.db.index": "hend", + "rsa.internal.event_desc": "piscivel", + "rsa.internal.messageid": "4", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "issu", + "rsa.misc.group_object": "dol", + "rsa.misc.reference_id": "lpaquiof", + "rsa.misc.reference_id1": "identsu", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.136", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "etquasia" + }, + { + "event.action": "cancel", + "event.code": "scipi", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"276\";aer 1.7744\",ProductAccount=\"iati\",ProductProcess=\"minim\",EventId=\"scipi\",EventClass=\"tur\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"Nemoenim\",ActingAddress=\"10.126.205.76\",ActionSourceUser=\"etur\",ActionTargetUser=\"rsitvol\",ActionObject=\"utali\",ActionSafe=\"sed\",ActionLocation=\"xeac\",ActionCategory=\"umdolors\",ActionRequestId=\"lumdo\",ActionReason=\"acom\",ActionExtraDetails=\"eFini\"", + "file.directory": "xeac", + "file.name": "utali", + "fileset.name": "corepas", + "host.ip": "10.126.205.76", + "input.type": "log", + "log.level": "very-high", + "log.offset": 28412, + "observer.product": "aer", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7744", + "related.ip": [ + "10.126.205.76" + ], + "related.user": [ + "rsitvol", + "iati", + "Nemoenim" + ], + "rsa.db.index": "eFini", + "rsa.internal.event_desc": "acom", + "rsa.internal.messageid": "276", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "umdolors", + "rsa.misc.group_object": "sed", + "rsa.misc.reference_id": "scipi", + "rsa.misc.reference_id1": "lumdo", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.7744", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "Nemoenim" + }, + { + "destination.address": "mmodoco2581.www5.host", + "destination.port": 3575, + "event.action": "accept", + "event.code": "38", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "June 4 20:44:15 uovol %CYBERARK: MessageID=\"38\";Version=1.3184;Message=accept;Issuer=eufug;Station=10.164.66.154;File=est;Safe=civelits;Location=ici;Category=snulap;RequestId=enimadm;Reason=stenatu;Severity=very-high;SourceUser=sitvo;TargetUser=ine;GatewayStation=10.169.101.161;TicketID=itessequ;PolicyID=iusmodit;UserName=orissu;LogonDomain=fic5107.home;Address=mmodoco2581.www5.host;CPMStatus=isiutali;Port=3575;Database=stquidol;DeviceType=Nemoenim;ExtraDetails=imadmini;", + "file.directory": "ici", + "file.name": "est", + "fileset.name": "corepas", + "group.name": "sitvo", + "host.ip": "10.164.66.154", + "input.type": "log", + "log.level": "very-high", + "log.offset": 28841, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3184", + "related.hosts": [ + "fic5107.home" + ], + "related.ip": [ + "10.169.101.161", + "10.164.66.154" + ], + "related.user": [ + "orissu", + "eufug", + "ine" + ], + "rsa.db.database": "stquidol", + "rsa.db.index": "imadmini", + "rsa.internal.event_desc": "stenatu", + "rsa.internal.messageid": "38", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "snulap", + "rsa.misc.disposition": "isiutali", + "rsa.misc.group": "sitvo", + "rsa.misc.group_object": "civelits", + "rsa.misc.obj_type": "Nemoenim", + "rsa.misc.operation_id": "itessequ", + "rsa.misc.policy_name": "iusmodit", + "rsa.misc.reference_id": "38", + "rsa.misc.reference_id1": "enimadm", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3184", + "rsa.network.domain": "fic5107.home", + "rsa.network.host_dst": "mmodoco2581.www5.host", + "server.domain": "fic5107.home", + "service.type": "cyberark", + "source.ip": [ + "10.169.101.161" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "eufug" + }, + { + "event.action": "block", + "event.code": "ons", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "amvo 2018-06-19 03:46:49.592538723 +0000 UTC tnul6235.www5.lan %CYBERARK: MessageID=\"79\";isau 1.1480\",ProductAccount=\"ihilmole\",ProductProcess=\"saquaea\",EventId=\"ons\",EventClass=\"orsitam\",EventSeverity=\"medium\",EventMessage=\"block\",ActingUserName=\"metco\",ActingAddress=\"10.70.83.200\",ActionSourceUser=\"riame\",ActionTargetUser=\"riat\",ActionObject=\"sseq\",ActionSafe=\"eriam\",ActionLocation=\"pernat\",ActionCategory=\"udan\",ActionRequestId=\"archi\",ActionReason=\"iutaliq\",ActionExtraDetails=\"urQuis\"", + "file.directory": "pernat", + "file.name": "sseq", + "fileset.name": "corepas", + "host.ip": "10.70.83.200", + "input.type": "log", + "log.level": "medium", + "log.offset": 29317, + "observer.product": "isau", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1480", + "related.ip": [ + "10.70.83.200" + ], + "related.user": [ + "ihilmole", + "riat", + "metco" + ], + "rsa.db.index": "urQuis", + "rsa.internal.event_desc": "iutaliq", + "rsa.internal.messageid": "79", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "udan", + "rsa.misc.group_object": "eriam", + "rsa.misc.reference_id": "ons", + "rsa.misc.reference_id1": "archi", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.1480", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "metco" + }, + { + "destination.address": "oremqu7663.local", + "destination.port": 5816, + "event.action": "block", + "event.code": "53", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "July 3 10:49:23 orum %CYBERARK: MessageID=\"53\";Version=1.4887;Message=block;Issuer=madminim;Station=10.207.97.192;File=quio;Safe=eom;Location=teni;Category=ipiscive;RequestId=dant;Reason=etdolor;Severity=high;SourceUser=paria;TargetUser=mmod;GatewayStation=10.134.55.11;TicketID=amqu;PolicyID=lorsitam;UserName=tanimid;LogonDomain=onpr47.api.home;Address=oremqu7663.local;CPMStatus=llumq;Port=5816;Database=tetura;DeviceType=rumet;ExtraDetails=uptasnul;", + "file.directory": "teni", + "file.name": "quio", + "fileset.name": "corepas", + "group.name": "paria", + "host.ip": "10.207.97.192", + "input.type": "log", + "log.level": "high", + "log.offset": 29810, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4887", + "related.hosts": [ + "onpr47.api.home" + ], + "related.ip": [ + "10.207.97.192", + "10.134.55.11" + ], + "related.user": [ + "tanimid", + "mmod", + "madminim" + ], + "rsa.db.database": "tetura", + "rsa.db.index": "uptasnul", + "rsa.internal.event_desc": "etdolor", + "rsa.internal.messageid": "53", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "ipiscive", + "rsa.misc.disposition": "llumq", + "rsa.misc.group": "paria", + "rsa.misc.group_object": "eom", + "rsa.misc.obj_type": "rumet", + "rsa.misc.operation_id": "amqu", + "rsa.misc.policy_name": "lorsitam", + "rsa.misc.reference_id": "53", + "rsa.misc.reference_id1": "dant", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.4887", + "rsa.network.domain": "onpr47.api.home", + "rsa.network.host_dst": "oremqu7663.local", + "server.domain": "onpr47.api.home", + "service.type": "cyberark", + "source.ip": [ + "10.134.55.11" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "madminim" + }, + { + "destination.address": "eve234.www5.local", + "destination.port": 2783, + "event.action": "cancel", + "event.code": "75", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2018-07-17 17:51:58.112538723 +0000 UTC nde2358.mail.corp %CYBERARK: MessageID=\"75\";Version=1.3601;Message=cancel;Issuer=texplica;Station=10.52.150.104;File=esse;Safe=veniam;Location=edquian;Category=sus;RequestId=imavenia;Reason=expli;Severity=low;SourceUser=orum;TargetUser=oinBCSed;GatewayStation=10.31.187.19;TicketID=ilm;PolicyID=mvel;UserName=eritq;LogonDomain=rehen4859.api.host;Address=eve234.www5.local;CPMStatus=nula;Port=2783;Database=lit;DeviceType=santi;ExtraDetails=ritati;", + "file.directory": "edquian", + "file.name": "esse", + "fileset.name": "corepas", + "group.name": "orum", + "host.ip": "10.52.150.104", + "input.type": "log", + "log.level": "low", + "log.offset": 30264, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3601", + "related.hosts": [ + "rehen4859.api.host" + ], + "related.ip": [ + "10.31.187.19", + "10.52.150.104" + ], + "related.user": [ + "texplica", + "eritq", + "oinBCSed" + ], + "rsa.db.database": "lit", + "rsa.db.index": "ritati", + "rsa.internal.event_desc": "expli", + "rsa.internal.messageid": "75", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "sus", + "rsa.misc.disposition": "nula", + "rsa.misc.group": "orum", + "rsa.misc.group_object": "veniam", + "rsa.misc.obj_type": "santi", + "rsa.misc.operation_id": "ilm", + "rsa.misc.policy_name": "mvel", + "rsa.misc.reference_id": "75", + "rsa.misc.reference_id1": "imavenia", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3601", + "rsa.network.domain": "rehen4859.api.host", + "rsa.network.host_dst": "eve234.www5.local", + "server.domain": "rehen4859.api.host", + "service.type": "cyberark", + "source.ip": [ + "10.31.187.19" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "texplica" + }, + { + "destination.address": "fficia2304.www5.home", + "destination.port": 2396, + "event.action": "allow", + "event.code": "89", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "dip 2018-08-01 00:54:32.372538723 +0000 UTC idolo5292.local %CYBERARK: MessageID=\"89\";Version=1.3175;Message=allow;Issuer=runtm;Station=10.41.232.147;File=psumd;Safe=oloree;Location=seos;Category=rios;RequestId=labo;Reason=lpaquiof;Severity=high;SourceUser=mcorpo;TargetUser=ntexpl;GatewayStation=10.61.175.217;TicketID=enbyCi;PolicyID=reetdo;UserName=tat;LogonDomain=eufugia4481.corp;Address=fficia2304.www5.home;CPMStatus=vel;Port=2396;Database=rere;DeviceType=pta;ExtraDetails=nonn;", + "file.directory": "seos", + "file.name": "psumd", + "fileset.name": "corepas", + "group.name": "mcorpo", + "host.ip": "10.41.232.147", + "input.type": "log", + "log.level": "high", + "log.offset": 30752, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3175", + "related.hosts": [ + "eufugia4481.corp" + ], + "related.ip": [ + "10.41.232.147", + "10.61.175.217" + ], + "related.user": [ + "ntexpl", + "tat", + "runtm" + ], + "rsa.db.database": "rere", + "rsa.db.index": "nonn", + "rsa.internal.event_desc": "lpaquiof", + "rsa.internal.messageid": "89", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "rios", + "rsa.misc.disposition": "vel", + "rsa.misc.group": "mcorpo", + "rsa.misc.group_object": "oloree", + "rsa.misc.obj_type": "pta", + "rsa.misc.operation_id": "enbyCi", + "rsa.misc.policy_name": "reetdo", + "rsa.misc.reference_id": "89", + "rsa.misc.reference_id1": "labo", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.3175", + "rsa.network.domain": "eufugia4481.corp", + "rsa.network.host_dst": "fficia2304.www5.home", + "server.domain": "eufugia4481.corp", + "service.type": "cyberark", + "source.ip": [ + "10.61.175.217" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "runtm" + }, + { + "event.action": "deny", + "event.code": "ntut", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "August 15 07:57:06 volup %CYBERARK: MessageID=\"261\";ptate 1.3830\",ProductAccount=\"uisnos\",ProductProcess=\"quamqua\",EventId=\"ntut\",EventClass=\"mag\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"mini\",ActingAddress=\"10.150.30.95\",ActionSourceUser=\"tur\",ActionTargetUser=\"atnonpr\",ActionObject=\"ita\",ActionSafe=\"amquaer\",ActionLocation=\"aqui\",ActionCategory=\"enby\",ActionRequestId=\"lpa\",ActionReason=\"isn\",ActionExtraDetails=\"smod\"", + "file.directory": "aqui", + "file.name": "ita", + "fileset.name": "corepas", + "host.ip": "10.150.30.95", + "input.type": "log", + "log.level": "very-high", + "log.offset": 31238, + "observer.product": "ptate", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3830", + "related.ip": [ + "10.150.30.95" + ], + "related.user": [ + "atnonpr", + "uisnos", + "mini" + ], + "rsa.db.index": "smod", + "rsa.internal.event_desc": "isn", + "rsa.internal.messageid": "261", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "enby", + "rsa.misc.group_object": "amquaer", + "rsa.misc.reference_id": "ntut", + "rsa.misc.reference_id1": "lpa", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3830", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "mini" + }, + { + "event.action": "deny", + "event.code": "inesciu", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "August 29 14:59:40 siuta %CYBERARK: MessageID=\"66\";atev 1.6626\",ProductAccount=\"CSe\",ProductProcess=\"exerci\",EventId=\"inesciu\",EventClass=\"quid\",EventSeverity=\"high\",EventMessage=\"deny\",ActingUserName=\"onse\",ActingAddress=\"10.98.71.45\",ActionSourceUser=\"destla\",ActionTargetUser=\"fugitse\",ActionObject=\"minimve\",ActionSafe=\"serrorsi\",ActionLocation=\"tametco\",ActionCategory=\"mquisnos\",ActionRequestId=\"lore\",ActionReason=\"isci\",ActionExtraDetails=\"Dui\"", + "file.directory": "tametco", + "file.name": "minimve", + "fileset.name": "corepas", + "host.ip": "10.98.71.45", + "input.type": "log", + "log.level": "high", + "log.offset": 31683, + "observer.product": "atev", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6626", + "related.ip": [ + "10.98.71.45" + ], + "related.user": [ + "CSe", + "fugitse", + "onse" + ], + "rsa.db.index": "Dui", + "rsa.internal.event_desc": "isci", + "rsa.internal.messageid": "66", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "mquisnos", + "rsa.misc.group_object": "serrorsi", + "rsa.misc.reference_id": "inesciu", + "rsa.misc.reference_id1": "lore", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.6626", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "onse" + }, + { + "event.action": "deny", + "event.code": "ianonnum", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "lup 2018-09-12 22:02:15.152538723 +0000 UTC iumtotam1010.www5.corp %CYBERARK: MessageID=\"168\";userror 1.5986\",ProductAccount=\"nonn\",ProductProcess=\"hite\",EventId=\"ianonnum\",EventClass=\"nofdeFi\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"remq\",ActingAddress=\"10.252.251.143\",ActionSourceUser=\"velill\",ActionTargetUser=\"rspic\",ActionObject=\"orinrepr\",ActionSafe=\"ror\",ActionLocation=\"onsecte\",ActionCategory=\"doei\",ActionRequestId=\"nvolupta\",ActionReason=\"tev\",ActionExtraDetails=\"nre\"", + "file.directory": "onsecte", + "file.name": "orinrepr", + "fileset.name": "corepas", + "host.ip": "10.252.251.143", + "input.type": "log", + "log.level": "medium", + "log.offset": 32136, + "observer.product": "userror", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5986", + "related.ip": [ + "10.252.251.143" + ], + "related.user": [ + "remq", + "rspic", + "nonn" + ], + "rsa.db.index": "nre", + "rsa.internal.event_desc": "tev", + "rsa.internal.messageid": "168", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "doei", + "rsa.misc.group_object": "ror", + "rsa.misc.reference_id": "ianonnum", + "rsa.misc.reference_id1": "nvolupta", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.5986", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "remq" + }, + { + "event.action": "accept", + "event.code": "lupta", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"274\";lumdolor 1.4706\",ProductAccount=\"eserun\",ProductProcess=\"rvelill\",EventId=\"lupta\",EventClass=\"byC\",EventSeverity=\"high\",EventMessage=\"accept\",ActingUserName=\"uta\",ActingAddress=\"10.197.203.167\",ActionSourceUser=\"ulapa\",ActionTargetUser=\"iumdo\",ActionObject=\"iusmodit\",ActionSafe=\"aturv\",ActionLocation=\"ectetura\",ActionCategory=\"obeataev\",ActionRequestId=\"umf\",ActionReason=\"olesti\",ActionExtraDetails=\"smo\"", + "file.directory": "ectetura", + "file.name": "iusmodit", + "fileset.name": "corepas", + "host.ip": "10.197.203.167", + "input.type": "log", + "log.level": "high", + "log.offset": 32636, + "observer.product": "lumdolor", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4706", + "related.ip": [ + "10.197.203.167" + ], + "related.user": [ + "uta", + "iumdo", + "eserun" + ], + "rsa.db.index": "smo", + "rsa.internal.event_desc": "olesti", + "rsa.internal.messageid": "274", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "obeataev", + "rsa.misc.group_object": "aturv", + "rsa.misc.reference_id": "lupta", + "rsa.misc.reference_id1": "umf", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.4706", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "uta" + }, + { + "event.action": "accept", + "event.code": "tten", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "tDuis 2018-10-11 12:07:23.672538723 +0000 UTC iqu1643.www.host %CYBERARK: MessageID=\"96\";inim 1.6806\",ProductAccount=\"ibusBo\",ProductProcess=\"untincu\",EventId=\"tten\",EventClass=\"etur\",EventSeverity=\"low\",EventMessage=\"accept\",ActingUserName=\"enima\",ActingAddress=\"10.187.170.23\",ActionSourceUser=\"sequ\",ActionTargetUser=\"sectetu\",ActionObject=\"evi\",ActionSafe=\"tionula\",ActionLocation=\"accus\",ActionCategory=\"uatu\",ActionRequestId=\"mquis\",ActionReason=\"lab\",ActionExtraDetails=\"uido\"", + "file.directory": "accus", + "file.name": "evi", + "fileset.name": "corepas", + "host.ip": "10.187.170.23", + "input.type": "log", + "log.level": "low", + "log.offset": 33071, + "observer.product": "inim", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6806", + "related.ip": [ + "10.187.170.23" + ], + "related.user": [ + "sectetu", + "enima", + "ibusBo" + ], + "rsa.db.index": "uido", + "rsa.internal.event_desc": "lab", + "rsa.internal.messageid": "96", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "uatu", + "rsa.misc.group_object": "tionula", + "rsa.misc.reference_id": "tten", + "rsa.misc.reference_id1": "mquis", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.6806", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "enima" + }, + { + "destination.address": "udexerc2708.api.test", + "destination.port": 505, + "event.action": "allow", + "event.code": "61", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2018-10-25 19:09:57.932538723 +0000 UTC nimadmin5577.corp %CYBERARK: MessageID=\"61\";Version=1.3824;Message=allow;Issuer=tinculpa;Station=10.123.62.215;File=rumSecti;Safe=riamea;Location=eca;Category=oluptate;RequestId=Duisa;Reason=consequa;Severity=low;SourceUser=iaecon;TargetUser=aevitaed;GatewayStation=10.250.248.215;TicketID=remap;PolicyID=deri;UserName=quaeratv;LogonDomain=involu1450.www.localhost;Address=udexerc2708.api.test;CPMStatus=odic;Port=505;Database=lica;DeviceType=secil;ExtraDetails=uisnos;", + "file.directory": "eca", + "file.name": "rumSecti", + "fileset.name": "corepas", + "group.name": "iaecon", + "host.ip": "10.123.62.215", + "input.type": "log", + "log.level": "low", + "log.offset": 33555, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3824", + "related.hosts": [ + "involu1450.www.localhost" + ], + "related.ip": [ + "10.250.248.215", + "10.123.62.215" + ], + "related.user": [ + "aevitaed", + "quaeratv", + "tinculpa" + ], + "rsa.db.database": "lica", + "rsa.db.index": "uisnos", + "rsa.internal.event_desc": "consequa", + "rsa.internal.messageid": "61", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "oluptate", + "rsa.misc.disposition": "odic", + "rsa.misc.group": "iaecon", + "rsa.misc.group_object": "riamea", + "rsa.misc.obj_type": "secil", + "rsa.misc.operation_id": "remap", + "rsa.misc.policy_name": "deri", + "rsa.misc.reference_id": "61", + "rsa.misc.reference_id1": "Duisa", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3824", + "rsa.network.domain": "involu1450.www.localhost", + "rsa.network.host_dst": "udexerc2708.api.test", + "server.domain": "involu1450.www.localhost", + "service.type": "cyberark", + "source.ip": [ + "10.250.248.215" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tinculpa" + }, + { + "destination.address": "temvele5776.www.test", + "destination.port": 864, + "event.action": "block", + "event.code": "372", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "scipit 2018-11-09 02:12:32.192538723 +0000 UTC lloinve551.internal.local %CYBERARK: MessageID=\"372\";Version=1.3759;Message=block;Issuer=isiutali;Station=10.146.57.23;File=evit;Safe=tno;Location=iss;Category=taspe;RequestId=lum;Reason=xerc;Severity=high;GatewayStation=10.147.154.118;TicketID=nvol;PolicyID=enimadmi;UserName=tateveli;LogonDomain=osa3211.www5.example;Address=temvele5776.www.test;CPMStatus=inimve;Port=\"864\";Database=cin;DeviceType=tmo;ExtraDetails=onofdeF;", + "file.directory": "iss", + "file.name": "evit", + "fileset.name": "corepas", + "host.ip": "10.146.57.23", + "input.type": "log", + "log.level": "high", + "log.offset": 34065, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3759", + "related.hosts": [ + "osa3211.www5.example" + ], + "related.ip": [ + "10.147.154.118", + "10.146.57.23" + ], + "related.user": [ + "tateveli", + "isiutali" + ], + "rsa.db.database": "cin", + "rsa.db.index": "onofdeF", + "rsa.internal.event_desc": "xerc", + "rsa.internal.messageid": "372", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "taspe", + "rsa.misc.disposition": "inimve", + "rsa.misc.group_object": "tno", + "rsa.misc.obj_type": "tmo", + "rsa.misc.operation_id": "nvol", + "rsa.misc.policy_name": "enimadmi", + "rsa.misc.reference_id": "372", + "rsa.misc.reference_id1": "lum", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.3759", + "rsa.network.domain": "osa3211.www5.example", + "rsa.network.host_dst": "temvele5776.www.test", + "server.domain": "osa3211.www5.example", + "service.type": "cyberark", + "source.ip": [ + "10.147.154.118" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "isiutali" + }, + { + "event.action": "cancel", + "event.code": "tlabo", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "its 2018-11-23 09:15:06.452538723 +0000 UTC uptasnul2751.www5.corp %CYBERARK: MessageID=\"232\";ostrudex 1.4542\",ProductAccount=\"niamqui\",ProductProcess=\"usmodite\",EventId=\"tlabo\",EventClass=\"tatemse\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"uamestqu\",ActingAddress=\"10.193.33.201\",ActionSourceUser=\"hender\",ActionTargetUser=\"ptatemU\",ActionObject=\"seq\",ActionSafe=\"rumSe\",ActionLocation=\"tatnonp\",ActionCategory=\"ommo\",ActionRequestId=\"adeser\",ActionReason=\"uasiarc\",ActionExtraDetails=\"doeiu\"", + "file.directory": "tatnonp", + "file.name": "seq", + "fileset.name": "corepas", + "host.ip": "10.193.33.201", + "input.type": "log", + "log.level": "very-high", + "log.offset": 34538, + "observer.product": "ostrudex", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4542", + "related.ip": [ + "10.193.33.201" + ], + "related.user": [ + "niamqui", + "uamestqu", + "ptatemU" + ], + "rsa.db.index": "doeiu", + "rsa.internal.event_desc": "uasiarc", + "rsa.internal.messageid": "232", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "ommo", + "rsa.misc.group_object": "rumSe", + "rsa.misc.reference_id": "tlabo", + "rsa.misc.reference_id1": "adeser", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.4542", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "uamestqu" + }, + { + "event.action": "block", + "event.code": "iuntN", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2018-12-07 16:17:40.712538723 +0000 UTC atuserro6791.internal.host %CYBERARK: MessageID=\"24\";upta 1.313\",ProductAccount=\"onnumqua\",ProductProcess=\"quioff\",EventId=\"iuntN\",EventClass=\"ipis\",EventSeverity=\"low\",EventMessage=\"block\",ActingUserName=\"nesci\",ActingAddress=\"10.154.172.82\",ActionSourceUser=\"lorsi\",ActionTargetUser=\"tetura\",ActionObject=\"eeufug\",ActionSafe=\"edutper\",ActionLocation=\"tevelite\",ActionCategory=\"tocca\",ActionRequestId=\"orsitvol\",ActionReason=\"ntor\",ActionExtraDetails=\"oinBCSed\"", + "file.directory": "tevelite", + "file.name": "eeufug", + "fileset.name": "corepas", + "host.ip": "10.154.172.82", + "input.type": "log", + "log.level": "low", + "log.offset": 35054, + "observer.product": "upta", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.313", + "related.ip": [ + "10.154.172.82" + ], + "related.user": [ + "nesci", + "tetura", + "onnumqua" + ], + "rsa.db.index": "oinBCSed", + "rsa.internal.event_desc": "ntor", + "rsa.internal.messageid": "24", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "tocca", + "rsa.misc.group_object": "edutper", + "rsa.misc.reference_id": "iuntN", + "rsa.misc.reference_id1": "orsitvol", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.313", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "nesci" + }, + { + "event.action": "allow", + "event.code": "avolu", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"79\";obeatae 1.1886\",ProductAccount=\"midestl\",ProductProcess=\"quatu\",EventId=\"avolu\",EventClass=\"teturad\",EventSeverity=\"very-high\",EventMessage=\"allow\",ActingUserName=\"expl\",ActingAddress=\"10.47.63.70\",ActionSourceUser=\"lup\",ActionTargetUser=\"tpers\",ActionObject=\"orsitv\",ActionSafe=\"temseq\",ActionLocation=\"uisaute\",ActionCategory=\"uun\",ActionRequestId=\"end\",ActionReason=\"odocons\",ActionExtraDetails=\"olu\"", + "file.directory": "uisaute", + "file.name": "orsitv", + "fileset.name": "corepas", + "host.ip": "10.47.63.70", + "input.type": "log", + "log.level": "very-high", + "log.offset": 35557, + "observer.product": "obeatae", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1886", + "related.ip": [ + "10.47.63.70" + ], + "related.user": [ + "expl", + "tpers", + "midestl" + ], + "rsa.db.index": "olu", + "rsa.internal.event_desc": "odocons", + "rsa.internal.messageid": "79", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "uun", + "rsa.misc.group_object": "temseq", + "rsa.misc.reference_id": "avolu", + "rsa.misc.reference_id1": "end", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.1886", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "expl" + }, + { + "event.action": "block", + "event.code": "ectobea", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "January 5 06:22:49 amn %CYBERARK: MessageID=\"312\";itessequ 1.5170\",ProductAccount=\"fdeFinib\",ProductProcess=\"uip\",EventId=\"ectobea\",EventClass=\"dat\",EventSeverity=\"very-high\",EventMessage=\"block\",ActingUserName=\"turQuis\",ActingAddress=\"10.178.160.245\",ActionSourceUser=\"deomnisi\",ActionTargetUser=\"olupta\",ActionObject=\"oll\",ActionSafe=\"laboree\",ActionLocation=\"udantiu\",ActionCategory=\"itametco\",ActionRequestId=\"iav\",ActionReason=\"odico\",ActionExtraDetails=\"rsint\"", + "file.directory": "udantiu", + "file.name": "oll", + "fileset.name": "corepas", + "host.ip": "10.178.160.245", + "input.type": "log", + "log.level": "very-high", + "log.offset": 35987, + "observer.product": "itessequ", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5170", + "related.ip": [ + "10.178.160.245" + ], + "related.user": [ + "turQuis", + "olupta", + "fdeFinib" + ], + "rsa.db.index": "rsint", + "rsa.internal.event_desc": "odico", + "rsa.internal.messageid": "312", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "itametco", + "rsa.misc.group_object": "laboree", + "rsa.misc.reference_id": "ectobea", + "rsa.misc.reference_id1": "iav", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.5170", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "turQuis" + }, + { + "destination.address": "teursint1321.www5.example", + "destination.port": 7024, + "event.action": "block", + "event.code": "77", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "January 19 13:25:23 quiav %CYBERARK: MessageID=\"77\";Version=1.6648;Message=block;Issuer=Nem;Station=10.85.13.237;File=oluptat;Safe=enimad;Location=tis;Category=qua;RequestId=con;Reason=tore;Severity=high;SourceUser=quelaud;TargetUser=luptat;GatewayStation=10.89.154.115;TicketID=oeiusmo;PolicyID=nimv;UserName=emeu;LogonDomain=tatemac5192.www5.test;Address=teursint1321.www5.example;CPMStatus=lamcolab;Port=7024;Database=nturmag;DeviceType=uredol;ExtraDetails=maliqua;", + "file.directory": "tis", + "file.name": "oluptat", + "fileset.name": "corepas", + "group.name": "quelaud", + "host.ip": "10.85.13.237", + "input.type": "log", + "log.level": "high", + "log.offset": 36454, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6648", + "related.hosts": [ + "tatemac5192.www5.test" + ], + "related.ip": [ + "10.85.13.237", + "10.89.154.115" + ], + "related.user": [ + "emeu", + "Nem", + "luptat" + ], + "rsa.db.database": "nturmag", + "rsa.db.index": "maliqua", + "rsa.internal.event_desc": "tore", + "rsa.internal.messageid": "77", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "qua", + "rsa.misc.disposition": "lamcolab", + "rsa.misc.group": "quelaud", + "rsa.misc.group_object": "enimad", + "rsa.misc.obj_type": "uredol", + "rsa.misc.operation_id": "oeiusmo", + "rsa.misc.policy_name": "nimv", + "rsa.misc.reference_id": "77", + "rsa.misc.reference_id1": "con", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.6648", + "rsa.network.domain": "tatemac5192.www5.test", + "rsa.network.host_dst": "teursint1321.www5.example", + "server.domain": "tatemac5192.www5.test", + "service.type": "cyberark", + "source.ip": [ + "10.89.154.115" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "Nem" + }, + { + "destination.address": "boreet2051.internal.localdomain", + "destination.port": 1644, + "event.action": "allow", + "event.code": "308", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2019-02-02 20:27:57.752538723 +0000 UTC omnisi5530.mail.example %CYBERARK: MessageID=\"308\";Version=1.3387;Message=allow;Issuer=itame;Station=10.222.32.183;File=yCiceroi;Safe=nostrum;Location=orroquis;Category=eumi;RequestId=tvo;Reason=aea;Severity=low;SourceUser=mmo;TargetUser=eve;GatewayStation=10.65.207.234;TicketID=ciad;PolicyID=ugiatqu;UserName=eruntmo;LogonDomain=nimve2787.mail.test;Address=boreet2051.internal.localdomain;CPMStatus=iavo;Port=1644;Database=udexerc;DeviceType=ovolupta;ExtraDetails=volup;", + "file.directory": "orroquis", + "file.name": "yCiceroi", + "fileset.name": "corepas", + "group.name": "mmo", + "host.ip": "10.222.32.183", + "input.type": "log", + "log.level": "low", + "log.offset": 36923, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3387", + "related.hosts": [ + "nimve2787.mail.test" + ], + "related.ip": [ + "10.222.32.183", + "10.65.207.234" + ], + "related.user": [ + "itame", + "eruntmo", + "eve" + ], + "rsa.db.database": "udexerc", + "rsa.db.index": "volup", + "rsa.internal.event_desc": "aea", + "rsa.internal.messageid": "308", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "eumi", + "rsa.misc.disposition": "iavo", + "rsa.misc.group": "mmo", + "rsa.misc.group_object": "nostrum", + "rsa.misc.obj_type": "ovolupta", + "rsa.misc.operation_id": "ciad", + "rsa.misc.policy_name": "ugiatqu", + "rsa.misc.reference_id": "308", + "rsa.misc.reference_id1": "tvo", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3387", + "rsa.network.domain": "nimve2787.mail.test", + "rsa.network.host_dst": "boreet2051.internal.localdomain", + "server.domain": "nimve2787.mail.test", + "service.type": "cyberark", + "source.ip": [ + "10.65.207.234" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "itame" + }, + { + "event.action": "cancel", + "event.code": "edqu", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "rro 2019-02-17 03:30:32.012538723 +0000 UTC tuser6944.local %CYBERARK: MessageID=\"54\";iarchite 1.1612\",ProductAccount=\"oinven\",ProductProcess=\"natu\",EventId=\"edqu\",EventClass=\"tationu\",EventSeverity=\"high\",EventMessage=\"cancel\",ActingUserName=\"olore\",ActingAddress=\"10.16.181.60\",ActionSourceUser=\"ameaquei\",ActionTargetUser=\"gnama\",ActionObject=\"esciun\",ActionSafe=\"tesse\",ActionLocation=\"olupta\",ActionCategory=\"isno\",ActionRequestId=\"oluptas\",ActionReason=\"nderiti\",ActionExtraDetails=\"uatu\"", + "file.directory": "olupta", + "file.name": "esciun", + "fileset.name": "corepas", + "host.ip": "10.16.181.60", + "input.type": "log", + "log.level": "high", + "log.offset": 37436, + "observer.product": "iarchite", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1612", + "related.ip": [ + "10.16.181.60" + ], + "related.user": [ + "oinven", + "gnama", + "olore" + ], + "rsa.db.index": "uatu", + "rsa.internal.event_desc": "nderiti", + "rsa.internal.messageid": "54", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "isno", + "rsa.misc.group_object": "tesse", + "rsa.misc.reference_id": "edqu", + "rsa.misc.reference_id1": "oluptas", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.1612", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "olore" + }, + { + "event.action": "deny", + "event.code": "onse", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "orem 2019-03-03 10:33:06.272538723 +0000 UTC giatqu1484.internal.corp %CYBERARK: MessageID=\"208\";oreseosq 1.2275\",ProductAccount=\"uianon\",ProductProcess=\"nul\",EventId=\"onse\",EventClass=\"sitam\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"illoin\",ActingAddress=\"10.91.213.82\",ActionSourceUser=\"uid\",ActionTargetUser=\"amnis\",ActionObject=\"rvelil\",ActionSafe=\"adese\",ActionLocation=\"olorsi\",ActionCategory=\"caboNemo\",ActionRequestId=\"uptas\",ActionReason=\"temaccus\",ActionExtraDetails=\"ons\"", + "file.directory": "olorsi", + "file.name": "rvelil", + "fileset.name": "corepas", + "host.ip": "10.91.213.82", + "input.type": "log", + "log.level": "very-high", + "log.offset": 37931, + "observer.product": "oreseosq", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.2275", + "related.ip": [ + "10.91.213.82" + ], + "related.user": [ + "illoin", + "amnis", + "uianon" + ], + "rsa.db.index": "ons", + "rsa.internal.event_desc": "temaccus", + "rsa.internal.messageid": "208", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "caboNemo", + "rsa.misc.group_object": "adese", + "rsa.misc.reference_id": "onse", + "rsa.misc.reference_id1": "uptas", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.2275", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "illoin" + }, + { + "event.action": "allow", + "event.code": "iaeconse", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2019-03-17 17:35:40.532538723 +0000 UTC oreeu3666.invalid %CYBERARK: MessageID=\"48\";tis 1.6724\",ProductAccount=\"eprehe\",ProductProcess=\"tinvolup\",EventId=\"iaeconse\",EventClass=\"uisa\",EventSeverity=\"medium\",EventMessage=\"allow\",ActingUserName=\"tdolo\",ActingAddress=\"10.204.214.98\",ActionSourceUser=\"iumt\",ActionTargetUser=\"porissus\",ActionObject=\"imip\",ActionSafe=\"tsunt\",ActionLocation=\"rnat\",ActionCategory=\"oremi\",ActionRequestId=\"ectobeat\",ActionReason=\"ecte\",ActionExtraDetails=\"abo\"", + "file.directory": "rnat", + "file.name": "imip", + "fileset.name": "corepas", + "host.ip": "10.204.214.98", + "input.type": "log", + "log.level": "medium", + "log.offset": 38435, + "observer.product": "tis", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6724", + "related.ip": [ + "10.204.214.98" + ], + "related.user": [ + "tdolo", + "eprehe", + "porissus" + ], + "rsa.db.index": "abo", + "rsa.internal.event_desc": "ecte", + "rsa.internal.messageid": "48", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "oremi", + "rsa.misc.group_object": "tsunt", + "rsa.misc.reference_id": "iaeconse", + "rsa.misc.reference_id1": "ectobeat", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.6724", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "tdolo" + }, + { + "event.action": "accept", + "event.code": "tium", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"219\";snos 1.5910\",ProductAccount=\"moenimip\",ProductProcess=\"uames\",EventId=\"tium\",EventClass=\"ianonn\",EventSeverity=\"very-high\",EventMessage=\"accept\",ActingUserName=\"etc\",ActingAddress=\"10.223.178.192\",ActionSourceUser=\"atquovol\",ActionTargetUser=\"evel\",ActionObject=\"edol\",ActionSafe=\"sequuntu\",ActionLocation=\"quameius\",ActionCategory=\"litse\",ActionRequestId=\"san\",ActionReason=\"apari\",ActionExtraDetails=\"iarchit\"", + "file.directory": "quameius", + "file.name": "edol", + "fileset.name": "corepas", + "host.ip": "10.223.178.192", + "input.type": "log", + "log.level": "very-high", + "log.offset": 38923, + "observer.product": "snos", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5910", + "related.ip": [ + "10.223.178.192" + ], + "related.user": [ + "etc", + "moenimip", + "evel" + ], + "rsa.db.index": "iarchit", + "rsa.internal.event_desc": "apari", + "rsa.internal.messageid": "219", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "litse", + "rsa.misc.group_object": "sequuntu", + "rsa.misc.reference_id": "tium", + "rsa.misc.reference_id1": "san", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.5910", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "etc" + }, + { + "destination.address": "umto3015.mail.lan", + "destination.port": 4667, + "event.action": "cancel", + "event.code": "183", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2019-04-15 07:40:49.052538723 +0000 UTC nsequat6724.www.invalid %CYBERARK: MessageID=\"183\";Version=1.801;Message=cancel;Issuer=ati;Station=10.26.137.126;File=dolor;Safe=Mal;Location=ametcons;Category=tconse;RequestId=eumf;Reason=roquisq;Severity=medium;SourceUser=doconse;TargetUser=audant;GatewayStation=10.26.33.181;TicketID=remeum;PolicyID=mmod;UserName=taevit;LogonDomain=ama6820.mail.example;Address=umto3015.mail.lan;CPMStatus=sitv;Port=4667;Database=com;DeviceType=rep;ExtraDetails=mveni;", + "file.directory": "ametcons", + "file.name": "dolor", + "fileset.name": "corepas", + "group.name": "doconse", + "host.ip": "10.26.137.126", + "input.type": "log", + "log.level": "medium", + "log.offset": 39362, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.801", + "related.hosts": [ + "ama6820.mail.example" + ], + "related.ip": [ + "10.26.33.181", + "10.26.137.126" + ], + "related.user": [ + "audant", + "ati", + "taevit" + ], + "rsa.db.database": "com", + "rsa.db.index": "mveni", + "rsa.internal.event_desc": "roquisq", + "rsa.internal.messageid": "183", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "tconse", + "rsa.misc.disposition": "sitv", + "rsa.misc.group": "doconse", + "rsa.misc.group_object": "Mal", + "rsa.misc.obj_type": "rep", + "rsa.misc.operation_id": "remeum", + "rsa.misc.policy_name": "mmod", + "rsa.misc.reference_id": "183", + "rsa.misc.reference_id1": "eumf", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.801", + "rsa.network.domain": "ama6820.mail.example", + "rsa.network.host_dst": "umto3015.mail.lan", + "server.domain": "ama6820.mail.example", + "service.type": "cyberark", + "source.ip": [ + "10.26.33.181" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ati" + }, + { + "destination.address": "etquasia1800.www.host", + "destination.port": 7612, + "event.action": "accept", + "event.code": "41", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "April 29 14:43:23 num %CYBERARK: MessageID=\"41\";Version=1.10;Message=accept;Issuer=quaerat;Station=10.148.195.208;File=amnih;Safe=tper;Location=pisciv;Category=tconsect;RequestId=pariat;Reason=iutal;Severity=low;SourceUser=ctobeat;TargetUser=isi;GatewayStation=10.142.161.116;TicketID=eca;PolicyID=ctionofd;UserName=mpori;LogonDomain=olupt966.www5.corp;Address=etquasia1800.www.host;CPMStatus=nimip;Port=7612;Database=squamest;DeviceType=quisn;ExtraDetails=pteu;", + "file.directory": "pisciv", + "file.name": "amnih", + "fileset.name": "corepas", + "group.name": "ctobeat", + "host.ip": "10.148.195.208", + "input.type": "log", + "log.level": "low", + "log.offset": 39858, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.10", + "related.hosts": [ + "olupt966.www5.corp" + ], + "related.ip": [ + "10.142.161.116", + "10.148.195.208" + ], + "related.user": [ + "mpori", + "isi", + "quaerat" + ], + "rsa.db.database": "squamest", + "rsa.db.index": "pteu", + "rsa.internal.event_desc": "iutal", + "rsa.internal.messageid": "41", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "tconsect", + "rsa.misc.disposition": "nimip", + "rsa.misc.group": "ctobeat", + "rsa.misc.group_object": "tper", + "rsa.misc.obj_type": "quisn", + "rsa.misc.operation_id": "eca", + "rsa.misc.policy_name": "ctionofd", + "rsa.misc.reference_id": "41", + "rsa.misc.reference_id1": "pariat", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.10", + "rsa.network.domain": "olupt966.www5.corp", + "rsa.network.host_dst": "etquasia1800.www.host", + "server.domain": "olupt966.www5.corp", + "service.type": "cyberark", + "source.ip": [ + "10.142.161.116" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "quaerat" + }, + { + "destination.address": "quisquam2153.mail.host", + "destination.port": 2717, + "event.action": "block", + "event.code": "270", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "velillum 2019-05-13 21:45:57.572538723 +0000 UTC ntNequ7639.internal.localdomain %CYBERARK: MessageID=\"270\";Version=1.1026;Message=block;Issuer=itinvo;Station=10.107.24.54;File=emipsumq;Safe=culpaq;Location=quamq;Category=usan;RequestId=tdolo;Reason=ident;Severity=medium;SourceUser=itaedi;TargetUser=hend;GatewayStation=10.10.174.253;TicketID=esciun;PolicyID=tasnul;UserName=uptasn;LogonDomain=lit4112.www.localhost;Address=quisquam2153.mail.host;CPMStatus=dit;Port=2717;Database=lup;DeviceType=aeca;ExtraDetails=isau;", + "file.directory": "quamq", + "file.name": "emipsumq", + "fileset.name": "corepas", + "group.name": "itaedi", + "host.ip": "10.107.24.54", + "input.type": "log", + "log.level": "medium", + "log.offset": 40321, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.1026", + "related.hosts": [ + "lit4112.www.localhost" + ], + "related.ip": [ + "10.10.174.253", + "10.107.24.54" + ], + "related.user": [ + "hend", + "uptasn", + "itinvo" + ], + "rsa.db.database": "lup", + "rsa.db.index": "isau", + "rsa.internal.event_desc": "ident", + "rsa.internal.messageid": "270", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "usan", + "rsa.misc.disposition": "dit", + "rsa.misc.group": "itaedi", + "rsa.misc.group_object": "culpaq", + "rsa.misc.obj_type": "aeca", + "rsa.misc.operation_id": "esciun", + "rsa.misc.policy_name": "tasnul", + "rsa.misc.reference_id": "270", + "rsa.misc.reference_id1": "tdolo", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.1026", + "rsa.network.domain": "lit4112.www.localhost", + "rsa.network.host_dst": "quisquam2153.mail.host", + "server.domain": "lit4112.www.localhost", + "service.type": "cyberark", + "source.ip": [ + "10.10.174.253" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "itinvo" + }, + { + "event.action": "deny", + "event.code": "iades", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "May 28 04:48:31 boreetd %CYBERARK: MessageID=\"309\";tNe 1.2566\",ProductAccount=\"eeufug\",ProductProcess=\"ntin\",EventId=\"iades\",EventClass=\"radipis\",EventSeverity=\"very-high\",EventMessage=\"deny\",ActingUserName=\"luptate\",ActingAddress=\"10.87.92.17\",ActionSourceUser=\"utlabore\",ActionTargetUser=\"tamr\",ActionObject=\"serr\",ActionSafe=\"usci\",ActionLocation=\"unturmag\",ActionCategory=\"dexeaco\",ActionRequestId=\"lupta\",ActionReason=\"ura\",ActionExtraDetails=\"oreeufug\"", + "event.outcome": "failure", + "file.directory": "unturmag", + "file.name": "serr", + "fileset.name": "corepas", + "host.ip": "10.87.92.17", + "input.type": "log", + "log.level": "very-high", + "log.offset": 40841, + "observer.product": "tNe", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.2566", + "related.ip": [ + "10.87.92.17" + ], + "related.user": [ + "tamr", + "luptate", + "eeufug" + ], + "rsa.db.index": "oreeufug", + "rsa.internal.event_desc": "ura", + "rsa.internal.messageid": "309", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "dexeaco", + "rsa.misc.group_object": "usci", + "rsa.misc.reference_id": "iades", + "rsa.misc.reference_id1": "lupta", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.2566", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "luptate" + }, + { + "destination.address": "secte1774.localhost", + "destination.port": 5200, + "event.action": "deny", + "event.code": "295", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "June 11 11:51:06 dolo %CYBERARK: MessageID=\"295\";Version=1.5649;Message=deny;Issuer=Finibus;Station=10.161.51.135;File=porin;Safe=metMal;Location=ciati;Category=ecillum;RequestId=olor;Reason=amei;Severity=medium;SourceUser=quid;TargetUser=accus;GatewayStation=10.231.51.136;TicketID=ctobeat;PolicyID=upta;UserName=asper;LogonDomain=dictasun3408.internal.invalid;Address=secte1774.localhost;CPMStatus=iqui;Port=5200;Database=litani;DeviceType=emp;ExtraDetails=arch;", + "file.directory": "ciati", + "file.name": "porin", + "fileset.name": "corepas", + "group.name": "quid", + "host.ip": "10.161.51.135", + "input.type": "log", + "log.level": "medium", + "log.offset": 41300, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.5649", + "related.hosts": [ + "dictasun3408.internal.invalid" + ], + "related.ip": [ + "10.161.51.135", + "10.231.51.136" + ], + "related.user": [ + "Finibus", + "asper", + "accus" + ], + "rsa.db.database": "litani", + "rsa.db.index": "arch", + "rsa.internal.event_desc": "amei", + "rsa.internal.messageid": "295", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "ecillum", + "rsa.misc.disposition": "iqui", + "rsa.misc.group": "quid", + "rsa.misc.group_object": "metMal", + "rsa.misc.obj_type": "emp", + "rsa.misc.operation_id": "ctobeat", + "rsa.misc.policy_name": "upta", + "rsa.misc.reference_id": "295", + "rsa.misc.reference_id1": "olor", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.5649", + "rsa.network.domain": "dictasun3408.internal.invalid", + "rsa.network.host_dst": "secte1774.localhost", + "server.domain": "dictasun3408.internal.invalid", + "service.type": "cyberark", + "source.ip": [ + "10.231.51.136" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "Finibus" + }, + { + "event.action": "allow", + "event.code": "cia", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "June 25 18:53:40 dipisciv %CYBERARK: MessageID=\"148\";uam 1.2575\",ProductAccount=\"llum\",ProductProcess=\"mwr\",EventId=\"cia\",EventClass=\"idolo\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"mquido\",ActingAddress=\"10.51.17.32\",ActionSourceUser=\"ree\",ActionTargetUser=\"itten\",ActionObject=\"quipexea\",ActionSafe=\"orsitv\",ActionLocation=\"dunt\",ActionCategory=\"int\",ActionRequestId=\"ionevo\",ActionReason=\"llitani\",ActionExtraDetails=\"uscipit\"", + "file.directory": "dunt", + "file.name": "quipexea", + "fileset.name": "corepas", + "host.ip": "10.51.17.32", + "input.type": "log", + "log.level": "low", + "log.offset": 41765, + "observer.product": "uam", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.2575", + "related.ip": [ + "10.51.17.32" + ], + "related.user": [ + "mquido", + "llum", + "itten" + ], + "rsa.db.index": "uscipit", + "rsa.internal.event_desc": "llitani", + "rsa.internal.messageid": "148", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "int", + "rsa.misc.group_object": "orsitv", + "rsa.misc.reference_id": "cia", + "rsa.misc.reference_id1": "ionevo", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.2575", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "mquido" + }, + { + "event.action": "deny", + "event.code": "mquisno", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "etco 2019-07-10 01:56:14.612538723 +0000 UTC iuntN4077.www.invalid %CYBERARK: MessageID=\"260\";isnostru 1.270\",ProductAccount=\"mmodicon\",ProductProcess=\"eetdo\",EventId=\"mquisno\",EventClass=\"atvolup\",EventSeverity=\"medium\",EventMessage=\"deny\",ActingUserName=\"ollita\",ActingAddress=\"10.108.123.148\",ActionSourceUser=\"cto\",ActionTargetUser=\"cusa\",ActionObject=\"nderi\",ActionSafe=\"tem\",ActionLocation=\"tcu\",ActionCategory=\"eumiu\",ActionRequestId=\"nim\",ActionReason=\"pteurs\",ActionExtraDetails=\"ercitati\"", + "file.directory": "tcu", + "file.name": "nderi", + "fileset.name": "corepas", + "host.ip": "10.108.123.148", + "input.type": "log", + "log.level": "medium", + "log.offset": 42211, + "observer.product": "isnostru", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.270", + "related.ip": [ + "10.108.123.148" + ], + "related.user": [ + "cusa", + "mmodicon", + "ollita" + ], + "rsa.db.index": "ercitati", + "rsa.internal.event_desc": "pteurs", + "rsa.internal.messageid": "260", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "eumiu", + "rsa.misc.group_object": "tem", + "rsa.misc.reference_id": "mquisno", + "rsa.misc.reference_id1": "nim", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.270", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ollita" + }, + { + "destination.address": "uido2773.www5.test", + "destination.port": 3820, + "event.action": "accept", + "event.code": "8", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "July 24 08:58:48 eturadip %CYBERARK: MessageID=\"8\";Version=1.425;Message=accept;Issuer=rsitamet;Station=10.114.0.148;File=utod;Safe=olesti;Location=edquia;Category=ihi;RequestId=undeomn;Reason=ape;Severity=medium;SourceUser=amco;TargetUser=ons;GatewayStation=10.198.187.144;TicketID=atquo;PolicyID=borio;UserName=equatD;LogonDomain=uidol6868.mail.localdomain;Address=uido2773.www5.test;CPMStatus=acons;Port=3820;Database=periam;DeviceType=ain;ExtraDetails=umiurer;", + "event.outcome": "success", + "file.directory": "edquia", + "file.name": "utod", + "fileset.name": "corepas", + "group.name": "amco", + "host.ip": "10.114.0.148", + "input.type": "log", + "log.level": "medium", + "log.offset": 42710, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.425", + "related.hosts": [ + "uidol6868.mail.localdomain" + ], + "related.ip": [ + "10.114.0.148", + "10.198.187.144" + ], + "related.user": [ + "rsitamet", + "equatD", + "ons" + ], + "rsa.db.database": "periam", + "rsa.db.index": "umiurer", + "rsa.internal.event_desc": "ape", + "rsa.internal.messageid": "8", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "ihi", + "rsa.misc.disposition": "acons", + "rsa.misc.group": "amco", + "rsa.misc.group_object": "olesti", + "rsa.misc.obj_type": "ain", + "rsa.misc.operation_id": "atquo", + "rsa.misc.policy_name": "borio", + "rsa.misc.reference_id": "8", + "rsa.misc.reference_id1": "undeomn", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.425", + "rsa.network.domain": "uidol6868.mail.localdomain", + "rsa.network.host_dst": "uido2773.www5.test", + "server.domain": "uidol6868.mail.localdomain", + "service.type": "cyberark", + "source.ip": [ + "10.198.187.144" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "rsitamet" + }, + { + "event.action": "allow", + "event.code": "litess", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "onorume 2019-08-07 16:01:23.132538723 +0000 UTC abill5290.lan %CYBERARK: MessageID=\"89\";mini 1.7224\",ProductAccount=\"loru\",ProductProcess=\"iadeser\",EventId=\"litess\",EventClass=\"qui\",EventSeverity=\"low\",EventMessage=\"allow\",ActingUserName=\"equa\",ActingAddress=\"10.61.140.120\",ActionSourceUser=\"olorsit\",ActionTargetUser=\"naaliq\",ActionObject=\"plica\",ActionSafe=\"asiarc\",ActionLocation=\"lor\",ActionCategory=\"nvolupt\",ActionRequestId=\"dquia\",ActionReason=\"ora\",ActionExtraDetails=\"umfugiat\"", + "file.directory": "lor", + "file.name": "plica", + "fileset.name": "corepas", + "host.ip": "10.61.140.120", + "input.type": "log", + "log.level": "low", + "log.offset": 43175, + "observer.product": "mini", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7224", + "related.ip": [ + "10.61.140.120" + ], + "related.user": [ + "naaliq", + "loru", + "equa" + ], + "rsa.db.index": "umfugiat", + "rsa.internal.event_desc": "ora", + "rsa.internal.messageid": "89", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "nvolupt", + "rsa.misc.group_object": "asiarc", + "rsa.misc.reference_id": "litess", + "rsa.misc.reference_id1": "dquia", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.7224", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "equa" + }, + { + "destination.address": "quame1852.www.test", + "destination.port": 4512, + "event.action": "deny", + "event.code": "36", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"36\";Version=1.6988;Message=deny;Issuer=ite;Station=10.93.24.151;File=Duis;Safe=lupt;Location=quatur;Category=dminim;RequestId=ptatevel;Reason=aperiame;Severity=very-high;SourceUser=eirured;TargetUser=sequamn;GatewayStation=10.149.238.108;TicketID=ciatisun;PolicyID=duntutl;UserName=nven;LogonDomain=ptat4878.lan;Address=quame1852.www.test;CPMStatus=deomni;Port=4512;Database=fugi;DeviceType=nse;ExtraDetails=nesciu;", + "file.directory": "quatur", + "file.name": "Duis", + "fileset.name": "corepas", + "group.name": "eirured", + "host.ip": "10.93.24.151", + "input.type": "log", + "log.level": "very-high", + "log.offset": 43663, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6988", + "related.hosts": [ + "ptat4878.lan" + ], + "related.ip": [ + "10.149.238.108", + "10.93.24.151" + ], + "related.user": [ + "sequamn", + "ite", + "nven" + ], + "rsa.db.database": "fugi", + "rsa.db.index": "nesciu", + "rsa.internal.event_desc": "aperiame", + "rsa.internal.messageid": "36", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "dminim", + "rsa.misc.disposition": "deomni", + "rsa.misc.group": "eirured", + "rsa.misc.group_object": "lupt", + "rsa.misc.obj_type": "nse", + "rsa.misc.operation_id": "ciatisun", + "rsa.misc.policy_name": "duntutl", + "rsa.misc.reference_id": "36", + "rsa.misc.reference_id1": "ptatevel", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.6988", + "rsa.network.domain": "ptat4878.lan", + "rsa.network.host_dst": "quame1852.www.test", + "server.domain": "ptat4878.lan", + "service.type": "cyberark", + "source.ip": [ + "10.149.238.108" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ite" + }, + { + "event.action": "accept", + "event.code": "vel", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "September 5 06:06:31 inrepreh %CYBERARK: MessageID=\"39\";rit 1.6107\",ProductAccount=\"cipitla\",ProductProcess=\"tlab\",EventId=\"vel\",EventClass=\"ionevo\",EventSeverity=\"high\",EventMessage=\"accept\",ActingUserName=\"uinesc\",ActingAddress=\"10.101.45.225\",ActionSourceUser=\"utla\",ActionTargetUser=\"emi\",ActionObject=\"uaerat\",ActionSafe=\"iduntu\",ActionLocation=\"samvol\",ActionCategory=\"equa\",ActionRequestId=\"apari\",ActionReason=\"tsunt\",ActionExtraDetails=\"caecat\"", + "file.directory": "samvol", + "file.name": "uaerat", + "fileset.name": "corepas", + "host.ip": "10.101.45.225", + "input.type": "log", + "log.level": "high", + "log.offset": 44101, + "observer.product": "rit", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6107", + "related.ip": [ + "10.101.45.225" + ], + "related.user": [ + "cipitla", + "emi", + "uinesc" + ], + "rsa.db.index": "caecat", + "rsa.internal.event_desc": "tsunt", + "rsa.internal.messageid": "39", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "equa", + "rsa.misc.group_object": "iduntu", + "rsa.misc.reference_id": "vel", + "rsa.misc.reference_id1": "apari", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.6107", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "uinesc" + }, + { + "event.action": "cancel", + "event.code": "texplica", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "qui 2019-09-19 13:09:05.912538723 +0000 UTC caboN3124.mail.home %CYBERARK: MessageID=\"8\";catcupid 1.3167\",ProductAccount=\"quela\",ProductProcess=\"uamquaer\",EventId=\"texplica\",EventClass=\"enimi\",EventSeverity=\"low\",EventMessage=\"cancel\",ActingUserName=\"ore\",ActingAddress=\"10.2.204.161\",ActionSourceUser=\"iquamqu\",ActionTargetUser=\"eumfugia\",ActionObject=\"reeufugi\",ActionSafe=\"sequines\",ActionLocation=\"minimve\",ActionCategory=\"texplica\",ActionRequestId=\"entorev\",ActionReason=\"quuntur\",ActionExtraDetails=\"olup\"", + "event.outcome": "success", + "file.directory": "minimve", + "file.name": "reeufugi", + "fileset.name": "corepas", + "host.ip": "10.2.204.161", + "input.type": "log", + "log.level": "low", + "log.offset": 44555, + "observer.product": "catcupid", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3167", + "related.ip": [ + "10.2.204.161" + ], + "related.user": [ + "quela", + "ore", + "eumfugia" + ], + "rsa.db.index": "olup", + "rsa.internal.event_desc": "quuntur", + "rsa.internal.messageid": "8", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "texplica", + "rsa.misc.group_object": "sequines", + "rsa.misc.reference_id": "texplica", + "rsa.misc.reference_id1": "entorev", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3167", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ore" + }, + { + "event.action": "cancel", + "event.code": "utaliqui", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "les 2019-10-03 20:11:40.172538723 +0000 UTC norumet2571.internal.example %CYBERARK: MessageID=\"89\";temp 1.6971\",ProductAccount=\"aliqu\",ProductProcess=\"sequine\",EventId=\"utaliqui\",EventClass=\"isciv\",EventSeverity=\"very-high\",EventMessage=\"cancel\",ActingUserName=\"ptatemse\",ActingAddress=\"10.33.112.100\",ActionSourceUser=\"catcup\",ActionTargetUser=\"enimad\",ActionObject=\"magnaali\",ActionSafe=\"velillum\",ActionLocation=\"ionev\",ActionCategory=\"vitaedi\",ActionRequestId=\"rna\",ActionReason=\"cons\",ActionExtraDetails=\"Except\"", + "file.directory": "ionev", + "file.name": "magnaali", + "fileset.name": "corepas", + "host.ip": "10.33.112.100", + "input.type": "log", + "log.level": "very-high", + "log.offset": 45067, + "observer.product": "temp", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.6971", + "related.ip": [ + "10.33.112.100" + ], + "related.user": [ + "ptatemse", + "aliqu", + "enimad" + ], + "rsa.db.index": "Except", + "rsa.internal.event_desc": "cons", + "rsa.internal.messageid": "89", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "vitaedi", + "rsa.misc.group_object": "velillum", + "rsa.misc.reference_id": "utaliqui", + "rsa.misc.reference_id1": "rna", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.6971", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "ptatemse" + }, + { + "destination.address": "lla5407.lan", + "destination.port": 4762, + "event.action": "block", + "event.code": "95", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"95\";Version=1.3175;Message=block;Issuer=neavol;Station=10.94.152.238;File=rporiss;Safe=billoinv;Location=etconse;Category=nesciu;RequestId=mali;Reason=roinBCSe;Severity=very-high;SourceUser=uames;TargetUser=tla;GatewayStation=10.151.110.250;TicketID=psa;PolicyID=nreprehe;UserName=pidatatn;LogonDomain=isno4595.local;Address=lla5407.lan;CPMStatus=upt;Port=4762;Database=itaedict;DeviceType=eroi;ExtraDetails=onemull;", + "file.directory": "etconse", + "file.name": "rporiss", + "fileset.name": "corepas", + "group.name": "uames", + "host.ip": "10.94.152.238", + "input.type": "log", + "log.level": "very-high", + "log.offset": 45585, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3175", + "related.hosts": [ + "isno4595.local" + ], + "related.ip": [ + "10.151.110.250", + "10.94.152.238" + ], + "related.user": [ + "tla", + "neavol", + "pidatatn" + ], + "rsa.db.database": "itaedict", + "rsa.db.index": "onemull", + "rsa.internal.event_desc": "roinBCSe", + "rsa.internal.messageid": "95", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "nesciu", + "rsa.misc.disposition": "upt", + "rsa.misc.group": "uames", + "rsa.misc.group_object": "billoinv", + "rsa.misc.obj_type": "eroi", + "rsa.misc.operation_id": "psa", + "rsa.misc.policy_name": "nreprehe", + "rsa.misc.reference_id": "95", + "rsa.misc.reference_id1": "mali", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3175", + "rsa.network.domain": "isno4595.local", + "rsa.network.host_dst": "lla5407.lan", + "server.domain": "isno4595.local", + "service.type": "cyberark", + "source.ip": [ + "10.151.110.250" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "neavol" + }, + { + "destination.address": "iquipexe4708.api.localhost", + "destination.port": 5473, + "event.action": "allow", + "event.code": "179", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "mporain 2019-11-01 10:16:48.692538723 +0000 UTC eratvo7756.localdomain %CYBERARK: MessageID=\"179\";Version=1.4965;Message=allow;Issuer=alorumwr;Station=10.146.61.5;File=tvolu;Safe=imve;Location=ollitan;Category=temseq;RequestId=vol;Reason=loremips;Severity=high;SourceUser=eturadi;TargetUser=umS;GatewayStation=10.77.9.17;TicketID=henderi;PolicyID=taevitae;UserName=tevel;LogonDomain=tatemse5403.home;Address=iquipexe4708.api.localhost;CPMStatus=quuntur;Port=5473;Database=amremap;DeviceType=oremagna;ExtraDetails=aqu;", + "file.directory": "ollitan", + "file.name": "tvolu", + "fileset.name": "corepas", + "group.name": "eturadi", + "host.ip": "10.146.61.5", + "input.type": "log", + "log.level": "high", + "log.offset": 46024, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.4965", + "related.hosts": [ + "tatemse5403.home" + ], + "related.ip": [ + "10.146.61.5", + "10.77.9.17" + ], + "related.user": [ + "tevel", + "umS", + "alorumwr" + ], + "rsa.db.database": "amremap", + "rsa.db.index": "aqu", + "rsa.internal.event_desc": "loremips", + "rsa.internal.messageid": "179", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "temseq", + "rsa.misc.disposition": "quuntur", + "rsa.misc.group": "eturadi", + "rsa.misc.group_object": "imve", + "rsa.misc.obj_type": "oremagna", + "rsa.misc.operation_id": "henderi", + "rsa.misc.policy_name": "taevitae", + "rsa.misc.reference_id": "179", + "rsa.misc.reference_id1": "vol", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.4965", + "rsa.network.domain": "tatemse5403.home", + "rsa.network.host_dst": "iquipexe4708.api.localhost", + "server.domain": "tatemse5403.home", + "service.type": "cyberark", + "source.ip": [ + "10.77.9.17" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "alorumwr" + }, + { + "event.action": "allow", + "event.code": "saute", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"83\";tvolu 1.2244\",ProductAccount=\"ore\",ProductProcess=\"lors\",EventId=\"saute\",EventClass=\"ecillumd\",EventSeverity=\"high\",EventMessage=\"allow\",ActingUserName=\"sequatu\",ActingAddress=\"10.128.102.130\",ActionSourceUser=\"mdoloree\",ActionTargetUser=\"que\",ActionObject=\"inBCSed\",ActionSafe=\"cteturad\",ActionLocation=\"umq\",ActionCategory=\"ita\",ActionRequestId=\"ipsaquae\",ActionReason=\"olu\",ActionExtraDetails=\"exerci\"", + "file.directory": "umq", + "file.name": "inBCSed", + "fileset.name": "corepas", + "host.ip": "10.128.102.130", + "input.type": "log", + "log.level": "high", + "log.offset": 46542, + "observer.product": "tvolu", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.2244", + "related.ip": [ + "10.128.102.130" + ], + "related.user": [ + "que", + "ore", + "sequatu" + ], + "rsa.db.index": "exerci", + "rsa.internal.event_desc": "olu", + "rsa.internal.messageid": "83", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "ita", + "rsa.misc.group_object": "cteturad", + "rsa.misc.reference_id": "saute", + "rsa.misc.reference_id1": "ipsaquae", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.2244", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "sequatu" + }, + { + "destination.address": "oremip4070.www5.invalid", + "destination.port": 1704, + "event.action": "cancel", + "event.code": "150", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "2019-11-30 00:21:57.212538723 +0000 UTC moen6809.internal.example %CYBERARK: MessageID=\"150\";Version=1.7701;Message=cancel;Issuer=reseo;Station=10.31.86.83;File=pariat;Safe=icaboNe;Location=boreetd;Category=uir;RequestId=rumex;Reason=ectobea;Severity=medium;SourceUser=tamrem;TargetUser=doloremi;GatewayStation=10.200.162.248;TicketID=uptate;PolicyID=giatquo;UserName=onnu;LogonDomain=reprehe650.www.corp;Address=oremip4070.www5.invalid;CPMStatus=turad;Port=1704;Database=billo;DeviceType=doloremi;ExtraDetails=ectetura;", + "file.directory": "boreetd", + "file.name": "pariat", + "fileset.name": "corepas", + "group.name": "tamrem", + "host.ip": "10.31.86.83", + "input.type": "log", + "log.level": "medium", + "log.offset": 46973, + "observer.product": "Core", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.7701", + "related.hosts": [ + "reprehe650.www.corp" + ], + "related.ip": [ + "10.200.162.248", + "10.31.86.83" + ], + "related.user": [ + "onnu", + "reseo", + "doloremi" + ], + "rsa.db.database": "billo", + "rsa.db.index": "ectetura", + "rsa.internal.event_desc": "ectobea", + "rsa.internal.messageid": "150", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "uir", + "rsa.misc.disposition": "turad", + "rsa.misc.group": "tamrem", + "rsa.misc.group_object": "icaboNe", + "rsa.misc.obj_type": "doloremi", + "rsa.misc.operation_id": "uptate", + "rsa.misc.policy_name": "giatquo", + "rsa.misc.reference_id": "150", + "rsa.misc.reference_id1": "rumex", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.7701", + "rsa.network.domain": "reprehe650.www.corp", + "rsa.network.host_dst": "oremip4070.www5.invalid", + "server.domain": "reprehe650.www.corp", + "service.type": "cyberark", + "source.ip": [ + "10.200.162.248" + ], + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "reseo" + }, + { + "event.action": "allow", + "event.code": "iatnulap", + "event.dataset": "cyberark.corepas", + "event.module": "cyberark", + "event.original": "%CYBERARK: MessageID=\"166\";cul 1.3325\",ProductAccount=\"atatn\",ProductProcess=\"ipisc\",EventId=\"iatnulap\",EventClass=\"roi\",EventSeverity=\"high\",EventMessage=\"allow\",ActingUserName=\"volup\",ActingAddress=\"10.103.215.159\",ActionSourceUser=\"ddoeiusm\",ActionTargetUser=\"apa\",ActionObject=\"archite\",ActionSafe=\"tur\",ActionLocation=\"ddo\",ActionCategory=\"emp\",ActionRequestId=\"inBC\",ActionReason=\"did\",ActionExtraDetails=\"atcupi\"", + "file.directory": "ddo", + "file.name": "archite", + "fileset.name": "corepas", + "host.ip": "10.103.215.159", + "input.type": "log", + "log.level": "high", + "log.offset": 47494, + "observer.product": "cul", + "observer.type": "Access", + "observer.vendor": "Cyberark", + "observer.version": "1.3325", + "related.ip": [ + "10.103.215.159" + ], + "related.user": [ + "volup", + "apa", + "atatn" + ], + "rsa.db.index": "atcupi", + "rsa.internal.event_desc": "did", + "rsa.internal.messageid": "166", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "emp", + "rsa.misc.group_object": "tur", + "rsa.misc.reference_id": "iatnulap", + "rsa.misc.reference_id1": "inBC", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.3325", + "service.type": "cyberark", + "tags": [ + "cyberark.corepas", + "forwarded" + ], + "user.name": "volup" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/cyberark/fields.go b/x-pack/filebeat/module/cyberark/fields.go new file mode 100644 index 00000000000..4175ce8751b --- /dev/null +++ b/x-pack/filebeat/module/cyberark/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package cyberark + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "cyberark", asset.ModuleFieldsPri, AssetCyberark); err != nil { + panic(err) + } +} + +// AssetCyberark returns asset data. +// This is the base64 encoded gzipped contents of module/cyberark. +func AssetCyberark() string { + return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb9+78pOUjW5tR8+ynVdXWzUFYpokIgwwBjCkmL/+Cg3McMjBUBIFUPK72w9bsUg2uhtAo3/3d+QK1q8JW09BU331F0IstwJekxP3l+/e4J9KMEzz2nIlX5N/+wshpPsBmXEQpZn8hYT/eo0fu/99RySt4DWRYFdKX024tKBnlMHE/b37GiFqCXqluYXXxOqm/4ld1/DaYbhSuuz9vYQZbYQtcMnXZEaFga2PB/i2/3tPKyBqRuwCWsRIhxhZLUADfmY1nc04IwtqyBRAEjU1oJdQTgb0aUPvQMxcq6a+PSm7TN0si1hLKrbIG199bP3YEptFKjPf+vv+FcY3bLArHxfcuO8RbkhjoCRWEUZr2wT+a7oiFRhD5+7f1BKmKjCOaOU+3wFNyFs1J6fAVAk6ToiHxXeROpScFi4sQdrCkZYYcEA4M/cDyw3ynClpQVrj7geXxlJpWzRMFEfLq0MQLKnd/WCIHfc4uSUItWS14GxBKDFgDFeSLLg1hJL3YH/nVoIx7e5PBkejI9YsVCNKImEJmkyhO3c11QbIO7DUoUbJTKuqt9TTt2puXlxQdgXWPBuAP+UamBXr58QGvCn5AF5Y+BMue2hOoowUsARxACeFkrv3c4uTp1BrYNQGTEqYcQklUVIgWpZOBZCK1nGsKjMvkl2YPXv8Ltzz89MfyJKKJtx4XoK0fMbD6YRryiwRau73Sw82AqnjDnw4Lfg9tx011ZazRlCNvw8bOxk9GQPQB52U2MkYQB4/KaNbsjzunrz8/3uyf0/cqnk25H7XV03/KJCQ3W15NNgt6SFCLztqGoxqNMv09t6fbbnu//0wM5ZaqEDax4gcbUpuCybozh1+JOiBtHr9GBFbOJ3qMSLG5WGI5dWYWsnxeE9aCfQQ6ZGXbTOAMqUNNaLXxOzM3hdbt4DDZqCHDJSE+1kRO3rIAPoNVsQ4F3dcK0fioux5VaLs8+wakJmIfSTCwTuzjx1DrW4k/9LARo3WHf3hT+tto/ZESeYeB2rVY7dsR8TNkucVh33unrhl+Iwz2r/Pb9WcnC1BWnKJwpk0sgTtTBANQVANSJ/xayiJAeuAbP14ew0zbrC0mzCAfW+DpduEAeg7bcrQE5jev3TYwRzQdQee3I0HC2Uy6av9c/mrMrYvIsXuiTQgSy7n7Ycmdmx6PqSvh7/8kAM2+NEoY88vlj8RWpbaycqx677L3AH1Vn2tzF2+ys3eV//vstdxK79s2JUL3pHW95aVhJI5X4LsnGRfryLgWHSY/yKvBVI+RuXv64hojDo0VL0uNHzJsNf94CFuMNI9XSOXz/zS5AIv0vPgzbaUfFzXQBgdSpApEOB2AZp8Opf2h1dEafKLUNT++JJMqcFT1AbIZnzeaFT9bqD7EHX3K6Ybw6D5jM8E/gX367nK5WbbZx23K3/1DgalV1SX2ZS6nkTrkd3n5PnF5y19jxINgu5uKSFmbSxU4RENaDtoC/An1XjmuX8rzedcUtH+ZltbuYEPufSvPYkR5xefX0VYENAfcOL+LOgwGnI5xeuzOahDxfHQ12cBtAR9lNj1r7gUOT+9T5TU49sPliKYw2Klj9rJJliR3c9GW0XrfKNo4UVxpsuJEgKYVfprFMCOew+Qc+POHDeEedZB6TDdUlTfql21hexh9CO0+Co2fSyqaqUMJrtVSpLperBphGj40oCxDqDhVS3WYZ/cl52gJ0DZghheAnn6PbEL3ZCXP//8jKyoIQZAdqvs4cSjUF5vwQlTK2kgHyvYV3MqmGqk7XwKTTX1Qs9dZROFQJ7SqVpCjxlcRjMrW/FmrAZajd4f9tUcmwdmFZS82dXTUjDqm5jm2DkW+Ixw+8/m5fc//NV4kf6iRgHaIv3PATX/dPbgW7oGTV6SM8lobRrhIyvOpLyTXI9Bv2fwI5JbGVvlx5fkXx25z8mPP5J/JUxppy8jFWHR5+S/C/s/3Re5IdtM+Sa6hVKV8GhtXbmCglEhppRd5dWAPXJSWbw21Hq7wjERZFkrLi2aJhbiCc54OArQWmXKT9vog6YGxqlAjBFTY5V2mrVce63DfbCkgpf+YMSQImSmGlm6F0YAIs/lPChHNyYvbt+IAeQUscBwHfaEjUZ2YS0ULR/LOxfQIYb/CaQCqzmLWB3BFO5/GW1h/9y3Qtg9+9RuNFo1a7dtQn5VK7c1Q5uTS6K0M8asIlcA9Q1MexQv3lfCNK0YGFMseVmUuaKuZ63kmYMETS1e8tJxsGcXLrm2DRXOaN/yvcuIi4NX3JndGCtHZngqwlU/PyXaSWuDDhVkGtVzsN3XbuSE0ZmSnh6cEz4Tbj8ndJZQ0FDwn5+2vtcPUCkL5DKcd6YBH9rpekxQuv+1gZivIPASVipMLXjOzIZHbc4bPlD7H4Vu5mRuxvOOt869AeGst6eutVrCE/JfI8LoxcuMiweI0btVnXF0cfLmIui+jErHHl7VSu9qvASfyK8uDaJ5HO6PT/6pQkMcTfeYK3XblG82P9kY7F7PQct8Ql7+/IqskO8VUEmoEHFfATr1UU3a+I/ICjR4sNQSAdRYouROucg2Ex9cTfy6mRi5qznCtoF3vytdIuMwqwnYQiqh5uvdQNyM64EWS8jPhC2opsx6JrpLvUb80WkuSSNDTo/Y8pmPVtSmLuj2gfqcQYQ9sUu0KCqnZCrZhhE0XY3KNJSsO2olZaix+hiFDD4HxVijW4jGUllSXRKpdEUF/zOW36t0FeVPGbIcDmaRaqaDJ+lOTNpg3SHzQvAZIMURA98AU7IcUbA3210Ym9PPsocgLpmqagE2egBGnagUFXir+Y4Y7NWbaftAB/nSrR09zmNHeftkjh6/Skm7SLRNm/rUVDkvmyyn8oEYfybLHGx3IP9UMne3hT1i0a3eqpg+vfbjLocHIirbjX5DLFzbcPnIErTplVOU+/LAIvt738O2BpqKzE2ZHlO6hDLfOxiSbMIzZboVWx2jzbTpvtiPrw9fK62qCUJtsCjfMJBUc+XV+qoRln9nOWhC61q01S+bXjYVlXQeK80lRGB4p7UXPVIeV0O4fWKIWkkfGbO0qnc9gwFjt5pDcXj7rCFswZ11o0owE/KuMRbNpD5QdyupHcnLpRYO3KS9Amw2c3gv4RiaEG5yu6DnnYYZaJDMHwjqVOuSL3npNBs8D3FBdtkKso87zIsTeV1zfTQKN/vpY0HX7iRyK9aeWOOEntPXHFJ4QPf7RhNu+qgL57mTxp08mwyW7NLJVJNaAlUDRe6+EDv+p74qqEF+aaA52lFyp9ufoo18XFFDEIly5Nwgcj+kZmpCpWCLoRlk2ryyGV7feZUD17rIgGpd5NCe65SiaBvoy+RQM+hKvVfkYUzIHfMx+sYMnss7vTmHis2b5NohwYLNA7HTDSG1I4iygRKfQrE2jcgddhqxolRjmarghcehM14wK1vNBieEysCCLQNy5IDAEjS3OUtH9hDWrh6KAHuRnX0un7zFi4Pegf6V7ipdHDSMO9XA+IxvDJ+4duuDOWM9VYKunD+bKbIBnYuRl5uCidZFVYYgSxTvYDYfaxM+b1vpfUtQafLbZUiN5aZNCNj1q+H67Q6NVUmaWhmeUHDc6myhOS1L32EKU/nbuzvahacRtsjXuuiOokg2FWjO7iqLorQdoYptD2H9SrbuZnix5O/3gLQlyFLpkDC7lzI1/eMBute0oV01/QNY3I52iOWvBR+w20nQ/Yh5SZ+zV903wwsZqv6DmAlergXtcoulsoSSReh4EU+gFWpetIkqDyLU24N4Z6F+jJ4pW7Lv75huhV2rUXzEFX8lOFvnvj175MIFIhCaa0uxHpHLjciZNx1n4IdGACIWF6dKWrjOrbF2CJ1L76/b9EOlZWnc/+GjSkWLUKwBzA2PM1tQOYdCwiq3LBgLXMKqF+pHJcRazaeNhZ6EGOboG4+609b7z19cdJiaJhN2HecEz9a2ch/T0BDczS/yyPT1t4hxixVgjmFtw0GzyfnSS9ATcgl+UxoDekLngK28Q6b7TOkWhwHsFozX2xn+nvjf9/pWKE2mWq3cZ+1fg67pza7RftLn5QXVNrWbrgOc2qMS7pQaVIce604pUXZqY64rpWoIAcVcb/EbSagAbbvsIr1ZNPzNh7eC+Og1AcAkpIjCXBKp5HcaakBLZl/2A5oNx3xyWKO1uzCdvYI7iXrcC+4jbG34Z0DZittFUJa9rCenuOAUq00kUfK7uXL/veclQCWliCiOGemmvWDgC0TAIalmxEkHy8FMyOVGpuwONuhXVuXB+MSX8zXGGTG+ZNQn25RB/AbGU8JEY2x7IMM/BtuEP+HG7WSoiQ7+Daf44qfjKtDRtR9/w+IWvW/LlE8pe3KT4eWwPEUsCDVGMY7+UrcbUXsSN+wtv4LXhJJ6sTacUUFKbq6ek1rjTJTnBCx7EleUqaaH1F7e8aH3dTaaVmBBG1JTg128DDZy8L0ImKoqJ8XUVtB+WFoDlu1V9/x78FAaX28PMzxMXnwzVdXN8A5m2DZKVlyWahXyaZmSDGr7vMukGGXGgMxZI8SafGmo8M7PUlWUyyA1ZG8hoUaerr7XM5W6tId0pxK+5fIKylAL1CaiU4PeqWCguE++6VCb8HLfxolBV4isoq4/2cm7JXYRaNH77fKh8PqtDp5Xcjls19MFnUFXfHewU24Xa1gTsfXnf7+m/WNiTXvGRf473pH8C67WXWMNZcOAtJEjiLvbDGhORRF5TbM9Ipe4ZKs2776PvQfQvTCjfgFgV+aglgMpPMZhdffQLahZdDfUqYWRKsOGLXzmb1tj05UZnrSQdlqEOUK6ZSZGM/er7t/DSlPi5LkkHHPuGskEUO3+hI3wNqiFAsLg7dRtYefN0Qcv/Jphn6dH/WIxVU257Ppm9x+sUDaq7/B6LbluzLE9fX1tBBEY9/gdJ0AauRInfnXfk3HcU+otuOyu8Y593st8fkree0nzNDRuIH7aXij6dbg9i+vV3gH9EL78nvv5/BRZGkreOjEx9B5sR+R8GqAnYeIPkZMFK27iRurSrHP2st+O6oYCba8u7PVjS298H/HUONafdAuT89MbNdlU/rkbNFmH2EtZbjTaCTnx9Zmh36nwH+zXZhFBvf2NH74J7rhpY7vKTWW7x6iRAoznjPIPykqRJdWcTsWgCtA3ZeCS1IKOCAID0mTtj7K1oX1V1a88cZLKaRhtfSF3+3z54vxiV4cmoWWs9yiM1WUfOFDw1rWQm0iLR5KcS0su+VxSFBYjR7RWOmfz2icD+eUO6UWruyns6oj/6RDp3WU8ZaWKHJz3v30kXDLRlODEWRhk634+IU/PrmlVC3hNLrxDxINF6T2J+0UwMnf02CY6pzZPSxwzbq6cyn0AXncoxeu5Md+Hp+EDN1d7Qq5W8/kcdL4RdnGWfe7HAgIOqJ0uNJiFEqU7Pd5WH5k0uhV6P4JnYRh7D1L56QevYzzrmnGcn8bLSG4dnWeqqosj513hroTcKxzj6v17ppl+59BREutTZzhuRpUNG7PSglr6QFljfcw7aak0dh5wcr3Fb2RKHNXliuqHydAbdtV30pWGh8gRMdIa+akTopS8o6ztpxxXbp0IOqodo+R3rYKq90shb2smH2qtgZrkucHGUtukUpw7fxTl4sHMDrf4VF0TXr4Yf7/cy9ocA0OH0adB42N/FxwW8avbvmOZp+8NDvnpcO7eIc8Zl6pJFePs1ZGYefI75SRpSqfDwCP7U2LAuTszbh2JN0I4uUdMwxgYM2sEOXPrE6ZKMO5ItM1+45YFlyVcJ2aA4MYepnneU7bgwmiK6RaJKWiMb1ZUc4EZPBEPno+/yzmhyMTv3G+jlMkM51BNfXOhB9KIw+rkaZfPWYM2dSi69RJmwLKgImwS4tsOT89Gigy9m2v4HudOKPHKV5fkFXxV/tvuQ8qlISVYykXEyTBVje39boQ0JY6em9l6bGmXx4Z4jD+kFqpaZMvmeUNKmNEQAgqdL9sYfsjWdFrxErSgayzksio8ruRp5Ea6D9DqDr+GWVsF7n31xnLbYGNGEiVsYxsMGzbd97omjWL1/DuMpsY0g6xiqqrcfcpzjE48dMJ7yb61Vkteev9Z20WuAjOaCFUqdnig8e7esl+42GiNrJ+XF1cNrmtMenoYWd+unlfW/6GmB/qdDibvf6tpCMDEb1fN8zXOPcWEYr/zlxfn5HygUPXRyNa1NlSX7McgYWFXVw07T2pI38UfFnKr48q9FxHFVJW5K74GFXe7SkfAhThcRtSjRfpuCT5kcITK854LOJQO+wTaLh7C57zsQjkjTrwqtdU4KANP8PKnU/I6uusm5zPVTve++OS757SBKEzWuAbW9L0IPvVrCrHy1rYL077EjSM4QqJe8XLbIdJVV9Il5YIOAxmkc4UTrK+cgdYjkxb8HTrE158u7haMlSo0gPIB2AFJId3A8PlkRCLyqpg2ZblO7p/hVZG0DqgHtzFwWKPzvV6q9BA1Vwm7HOyU2BWmOUZBAjf97FXfc5U2JbddZd2mL1rAKDbYblOx4UXJJrywn0ifJZaag8ujWeUnn8/I01Ar8bkRTleecoEFHJgHdnZdK+O++Yx8N3Q0yN0ozJVUK7llCBlgDTazWG5DH5m0yegRXHC7aaEnbZX7+1Ca9BbmlK3Jp1FzTfCppg9RlB8W3mIxl6SiXM40rWBvOkZNNU7tzd8nYUu5vMBlyXtV+uToTVvAXtZZBClyg/aFqQKOEbkspO2+ce9hRX5tJJqS71QJgjzlcjn59jnhij0nU/d/4P6PSirWhpvJt/H4omV1MRN0MDk/tQ61reGfXBBcFH1dKCfX7fArNdvbqMGqrJj6v04Dnm0bBAPaHeQoQssqrdzdwezzu9+pBvLRJwB/++3nd7+/+XD27bc+53ZJNeWjZ3Kl9FXKkuUbL9jv7YL9CNuoE4zK1EpEqNlJ26Wkew4oc8/FOoMJM1MapOEspQDpuZIyYFyl94JE4gOpgBYryofDie/tHcDe56mBuuuTukTdNNNMl8JOS2N16sp3rNfO5hDrv6XJ3tG25iOfk/TQYpfNYLCBShOKTTZ1L6HexYGY8VFHU0tqNkfsoaRGuxFFyNwt74kL5YP7Cd7dceGQD/r/h+GqG5XZT/57kCNW9nz0AZG9SD7I4WjjuPvwU+oISVtbO9uzS5/aLqO9zbLDPpnP0O02OLk3R6bbltX8GPEwLPqaUS4cr9tmLhdBZpyf9mvbsBOXMwctzCMtDMazCtuc68KpiAfQc0jiNaZbh+qjE1VVjdz1RA2wk4c1brovdu/h2v4d4jp1h5s5TLO+L26XVJb/ruJRsw1ullp+iGS4N3bDhbeQM42pOeMqWZbosSx4xH5FtRwGHR476kZWdaFyCePL9+8uyG/ej7pJSo0j8uWoqQSX//GWfGlAj/RubYQsNOx26syb3NBziK7Jh7boLJrW1WnpLOFD2geqUo8RcEDrgxxHN0G1keDYveGW6Qc0UEF1lWG3HNgM7gVaJyxA7oA2ZbKptFsw03a72gJdUrurFd4X7hQkW1RUpyor6eCuazoYX3zv6BNlg3SqJDCLRfKzwGCWtoCqAzybY6ulDGDV9I8MUGuafBKG7ziV/Hhh0L3gqR+c0LmtAqd6JkdaFpThYJT05ScOtpEJjfce4Om8Xv4kr+0i+fvOZMGsLkqTtO96D7qDfFjk6RaAl4ImlxiyADnnMmFR5BB0jtxoWcwKs+KWJZcfspgJtTK0Sp+70oct7TIf9AxRFyYLLnOKEy5r0NV0nSzhfQC7Zld5gC+pyHFWeF3UWllVpA9JIfTlTwV6HNPDFtnuplDzoszBbAc4ff4bk0VFrwtrU7kNtgG7Ey0gw6NQcZkJaS7zIV0LU4ipKFKHRbdgf58RePLO4D3YqXsh9mGnrurtw/45I+xXGWH/S0bY/yMj7L/mgW1VLegUcoiUDnp680wWVSNQ+Z6uM7yTLfD6KoNeUjWCz6s6j/bttEwq5qmTkAJknkMpMfCFpfeNyML4hMQMO2g0y2NNOsB5rEmzNk2dYRYpk11ZdRZT1SrrTA+4ziBCrLLOMMsFG82aLMAbya8llcoAy3AIl68cVzI9CstXqrYLoGUGt5qq6oKJDD5sBzhDkATh6unapneLOsgmC+S6KTLENJjmljMqMhQQmYLOQbJ1wqyrPmxJxfpPKKc58F4W2AY0C2TfDiYP1j6xNgv06bxevsrjgzbFlNu/Zmk0xkyRdlbcDmCtkotqk+WaI1RgOn2Vm/E+/mSztnqAwS68nz+9c8QDR7UvC3DfTT5dB7ke7BkXkMOGMcUsxybyWcri7G3AOXQDU/AakxSLLKKO18ufSmPrQTP/RLCNZllgCz6DHGaMQUdzBSVPVjC6DZvLPKekUmUjwDCVg9sBOJ9nkE2qNitqk87870GPZZAnAaxhzo3VNL0nZAM7g8anoc7Fap2N1wY7ketM8tVn5vsjngG61UCrDIqkLwXKhXY+5Xq1UNwUfsJseuhrqmmWA16OFMKmgLz08+1Tw+XGUpl8znFp7LTRqYYFtlDBzwrKAbVJjmt6PbqtSU4NFic3zNIPuz6008A+mHNalqnvAC9Th1Xb1kEZ3iJeFUwrVWXpSuQAZzDTeFXkSY4MHY9ysLm+St6eqTbpW5by2tSaJwYqqOW2SZ59JriEdC12NlBN0ok6HVwsvk3v1hLKdz0tZkIlf8474BlS/p3Nm1zqOKAZJI6zoTOgmjw3Qah5lqMr51kucK10agFWTZt5jmtWccNyiIXKZDmwOeZASLDYXCk53OQy3DeATp3x56GmTseTq1VqCyRLRZnyA6CTW6IqvWakNJ8XkXlc94a7kqDTv1l14YfyJgebdDL1Bqwf8ZrlkGUo3AwzcVILgwA2tTSoC+9ISo4uNcZ9WLBFqjr/AWi4rnnyQEANupprKu2g524KyKssgNM/vb4T2adPO1NAEwDWal5QUyccGNAHrWlqqBqoyKHfaWDIB991NBPw9Ex2kNO2cO1BVrrMgHF6R6bJ4Bs23jecIR/AQOpEAD/wOINxYuBL+gMQa9CaDGoGU8rweQbBa+rUXjajWY57oFmZXJE2msW64iYAbNON2OrDbEzyrppLJlMXSkSnxd4XqG/SmZp8O7fpj5UHmj6i1830TA13XSfv1tqU0yx56I0WGd7CxoAuSp666j3L2Io2MpSDDZYZS6vU3uBlwaWxdJZBM1hybXOo4ctaZmjdZJVuZEo3a6wtWqSj6JvGKvKhkWSwdJc9knFY3mcqeElONJTckhOqy9DN0GD79zg6fnJWRi6NTQhFMDhEn2B/A6YEiZXqdPkQXObj3FlVC7WGwWDBG/k3U02ypt63PGOOh95nhPPONMzhmlR0t9HCJhYr583uMJDsSApucDhDu3rYemygRExT10pbMmw8SshqQS3hltQaZmNH4R5puXcZQhFjfLA6OhQIl6Gz+0hfaMFl7on8PVTdan08DbFqDnYBerL5vlmoZvCiESJhCbobR2QVqak2QN6BpTgR3N9V2rHg6Vs1Ny8ufNnrM3IaRnw9J3YRmVKEzYA/QBh9jGhL8h7s79xKMPF9Hh7qLMyb4cju7hbh4p5YA1SzxYRLHsUPZ+4eob/2jvjEWRiYDPFC0EbirN95g3Nc2ybu8QbuO/3a99CUvx13R1PXhDvMLx4x9t1GFAlrmm7XeRWXJR/h2uKtGHMXHGMa9YhA2gyue48TqqUYmXiJ3XMzjgPH/rkGLNHwpQFj9zTtPjxb+e698r3KgGN5/KpeYu96pLq80213yj6cPEYYG9v6O3ZoN6+jlKec/X/zfEO32PlpKxRw7fjZQKshXRLvHY+we1ym1ADx6dodNmRwq7pdCr94GHxlNwq+w1xp374+ykZCqCEGAMed0f3zqjSVhrIjjPcddJj2S0tUezeHhjUaJ6DtQ7oGXXGvbhwL6c2SfjAHX3IBcyACliAINYbPpd+4zbz++NHHlswPKL9x/T0nffogk54dZo3kXxrYHZNI45evh+9hHRMPm4LSajS89BeSKSkBcyvIitvFmKAgJFIZ0mnsGg4qL7qzaeHYifKke6KEmnNGBXEYjJg+iMXDYodLjYxpfDje1Yu1iaPXS2dbqZ2s1tQPPBWcmmKhstsE3ojrzDWcpbIZauSkYn8ET7wfAPGXxmGLb1oYxMIEUD15I4xyhvjWfTvFYDn5NfxiQt7IdfevAXSLtryRltBywlRVNxZ0XAxnceM7wvKZZ9/s7gXOWNzaEG7/2bz8/oe/Otv3tLcdLce+iaIdzmmRNmJ2W8cNXYMm/9L55MyLgAYiF7/1qet/8p95ucF569Tv3Y8Dk5dvkm1PdgemuHUm5P1vH88c7aDBO0/QX1pywzTUVLK10yqDeiZ2c0EIcug5+fjuNTmX9seXz8n5+9Oz/3xNPp1L++on8nS1WBMJ3C5AE7ZQJoxKU1oDs/itH179r//27EmUI2AXGWXcLj9Qpk4qGh/HYzKfvjte80t/Fs9bpOJXvHxcSPdl0w2YH9gw7tYPfAzfHcV0Y5185to2VJC3b95Hkf1TScjnyzrsZPwfJWES561D96sRoUjIzcITt+AxvsF79mFOLazoA4xIx9N9Qd6UpUY/rT/lMXS6p5dV9aFxzvvGQs5P3l34V2k0PFZRc8Tox5ZTyWuq4e0m5xcOlRHvl+PhgZMgkvDQrT3Ow1YTK/x0reMKiB66tCy5+zIVm4Btb5Z//J074gFwJiFecBVu+On2ERigssm1zqLX3fZJo+R9wPBCaduJ5IHQLTHAhhvA7fpmyWuOzHtPD5fz9jFpyXo3xngJMbvxWF7cgB1avtQYxbhTOb3faKDjECeXNZVzmHSmE1NyxueNhpJM1wgTZIlZQ3E5Ux/YemBQNDqiLUcXnWXodyAS6v79Eq7kDgANlbJQhMzu9HlG6VlbSlPQwqfiZwBdW50H+CzDkZhlqBYWOa5Drv4ndQam0rJoPXH51PJdC97RMdldre9MeAAN9swuQEuw5OO6hufkU/uMvUUH2I/konWADV6C38Y0tXZUzxGUiRHTuEU6+MWfEypEVJmoN1/EBDeqMTFvCdq9gVxaRYzFx5xL8ul8VKAwTJDNJq+Si2wHVNUZxr45wBpM6oxeBzZDiYt/EVOnoqO/PQO2frRCIUDOk0+KRJyd8pFRCx3RQL3KQ0UvACMJw3SCGaHkF6VXVJfDOd2EvJljspcm1N34a8ylm4JdAci46pm4a+JdY9zKUtEP1XlkCLaMx8yIAYVchjxXTEuouHViKYzYiJO4FFQeI45/CwdlmyDSc1EOCNx2WW4iKUtnwc7RgN1+eVJHKoFhF4Jlun5wt4vYU205awTVBPtFkxaJp2fXr9+quZrN4tPfgRV2Adm3dwvZj25Bfxt7eJ85vB26bxq7AGlDsvgo2qZJ2Tnhdgk9fslx1D8Z0KMIq8YydVxOhyXHEb5sGANjRnDGzuOHNUc7LPEE8SJOxZ0rvSaRwoQBbscQTls4wg6OTiphgM/USrp3xcmtmHLY/ZAMFKVtqpbp+tGNvJuU+K6lWDMgOJQdPcEPs6MPc0kMt01EfhIsLoAgogPUBTWElqp2r4tdANdEreRmyzzjLL1WUlUjebU4k8Nw36L+uEqEU+65LJ38Udp0DKDkFy6AvAmITQZsuI2zV3aE+Ts5mjDe0f8g6QqjLLgMWQtpuRCjMcKIlPXu92CEz9e7DPUaqTkxnhA6VTmrByLET2FBl1w1qF0yVdVaVXwkQxGOjdyZpFOBRWQzcrIfNy6XndjJiOQuhltaJ4kisIVh0uEyByAYWb/DL/fu9l7ZzX0bPXabMstG2t1yttQafYll4AU7xKy/lRaE7/EcJGjOWpKQIZjot5tawO0Cn9rYbDcSkJ2wHybG6vHgZ0vTIW23Hoyml/tpCuqFXysjXVHTtDPCLa/AOLnutT0NNYwGkcIuJGsKceNGYOPBe26DvuXROqR394MdrR9vR9MPhUk25PTWpAWH8U0UDmhDijcC4RbC4Oul7uWN1Omj7p2/aElo0zfvXLJeqscRIDfI8U6AfL3H8cebtyzVaIPjbNnt5KM+qgRJecduIT+OehxT0jY4jJ1SjyVoO37q5JU7jV0UFdiFeoAoCd3yJBOPRvja6IZjLyWtsnqd9kR1PigR/LUOkT3nMpMn5D8nP3//PXn69vTNxTNyyo3lct5ws4ASS+GjuAg1V9n7Au2LhGG27MzjEbYZvziSMaZVZq/ivvpPt6sxDLobgx75ZEOf73JdGKb9d3W/Pccf4hSLmVIZa5O+yRSjIlV3uh1CPtCSN8avQJQmhldcUO3FkxOb7g4xfNfj5VV4zw0vj9lppJ8p/8kdhNaLuNMXc3PJ89VZvJH77jqGNUKlYc//G5xE+MngLATHDfTKMsq4K1PpnIkBg5ANslrpOZX8zz1Z1TLfUbgtsw/gdP9MjbB7xnW0ljRT159f3HL4WvgWX7530VZW869AhV0wqoHUGkpVcUmjBXc98XRBLQdpzY3p8YIek9q39EGJ9a0foc50cN3VeeIEV021xWZIG1L3i9UjNjsKwuY2EnUGJWhqoSySJZXtOR9O+PzSrtgFzy60WvKyax4WvkfrWgRNdXAwQvMf96xt67RxBWdDJC+PRGW3ZOj1Z9cjZEaHh2Lm5JL76PliV3EfaQHXKZ0ph4LfVfOEa9SZej/qVULPI4R6HRU1VmqIsUp7ie+gVWAprvYEvzVx33oSp77iZSngeFLuHa53WzkX2d6e3DtIzrXjMY5D7kVYrddhSK7b6OxzUgvqtsy9z0oTkEyv6zEvP6ZCHsGevEUGne5sy1+VseQdZQsuR0y6kmaSHN/s8vqTxEz/WoMTH04/8k3OzIS8LWlNPuM/vH5UKunrTv85fDzJgi7BaU4CqCZfGtBrgj0ITa2kgVajihenOnoL/M1x5GXogcccZM3bLpDSk+/78o3j2ZJ0BFQ3B+hDaI56W0xxylNeh9nuGW9bS281MXK2YXh4uSG6kTJqx5rn3cvjI8++jdRIjV2AWAQLM/9GULLislQrQ0wNjM84c588j9UJhjzZ4QVx5Hl8Nzk35Cl2hAXJNs8Qhi6f9bhFGonv+FuYU7Ymn8x249suAlvtFtImz651KxzBYB957fumFqKCtWp4yNyLOOB41wcgUv2/VWmK5TxD9m2TnV+hHuvO69XrCMVIYfSghd8cQOxx8nrHSA0ZvsH13sq6MyR9vAvokJrjOOy6gMH23mwSMv02DHYo3pDi5uJnLBtIORJwtMINSS5hxmXw1aNwwq5+Fa1Hmg4idgcVimXCbeOA2VH/UgvGzmebm/bQS2mkN2Xnw7aWskV15Bb4m1WR4WRgHfW3I8uQlymX6SaIJb0bjmQsKsz7eEaEVL9sB7fFt9HelPdHpnYOsM779t2AdU11e6bcn59vSFkt+KCVOnG3w9myPvn9VuTZ5DNLfFsLpdf5Nvxvpqby327sGNMist1FvVXPY0+TY8vfXiD0G2h7MJVoQFXbb30/VaOnoABptaoPER2laqYD58KtznhY01nbcEM5AuLoqzuOew9PVFVTue7uI147HKfv7ZUlaPcMFVzOVFwpoOYqd43QDfJjx4psMVtB3q7osy+5cgR+aYRYk/9oqOAzDiU5xbpn7xyMorKCacGUuuIPFHT/HabEr7+xn6kY0+aTd5vdhMPrxqLKfeAI05vv+oduiTBlJ7ijvU9+Qj6ua0/6xnPgmON3cHzzNMyKpM1kd9B2OHhHhH5iYm1rd5E5hquuUy63sfOexVrp1tuPIeYPb0e2vNcrJ/FxanlR551DtIcVbuUbPfctmlqpTJrINlJuHbcfpKY27ppksqAmZbS/B1iHcvrEkBstEm5zD2rCXemM0aLRqbwhPZgGdEHn6WzKDejkz9M26KTpj9ugw6nPIFjg2oJE1Sq9ceLgJzvNnaK30LCTKpNao/JLHKOWcEvmfsRlUb16Ef77JKDwIvxHyGuKuf2pAB3PzgvkPGD03BPTD56jx7U3am1AThkGojmTissZaD0Sdx3SfRS6+or/jayPumePgGTbl3jW24bIlcKwtsp6pSJLHO34nfm4vTt2HzGDWPf/9A8YJmiND/zk9QL0cfwRTmcPGU9PT3D04zNyguvHUQNtj9QsZYTPJ6DD8E/YysLc05wXsoaOe4zsbbhb9InpdYreu9P8z0O9kndvjRLfbXLJ/4x7a/hVJply/o8zImGuLPcbWC+oGZkAZdix2wr1ttIvPj5c0G11tglQgwSXnTPWNk5v62/iCSmGz49RUbHd36ibevhxdNCykybcmCa50omQMVkqn7fufjEUxBC0zuoDHWxKX3qeucXJJQan90mno2RIdJ3BQxT56SWmdu5/jHrS8zAk7y499+A4LkKNEcUy54u+G1INjuwoMmXhjh5tkrdpNLkA8ysIFnWm5gbfbMaV9B8klK0/EYPxOqXJ+eWbf7y7IBfunSK/yZHpKxtsM1VSH4Ltx5WKY4tiiC2AXZmDnMi3E8J5e5DFhs51/Tq7FmGYBhpGEG6k4B4tFzQfNIV8ACXX49F1BRk1GhBnS21ztAmffSyXVPDSH8QIEruC8GhdrfcJQuTYFazNrthOdPLbBNLEsBfW1qbgOIM2C2jcyhwMYfQR3CY+l23li9Lcrm+4UUxVVdY+cbfE2+MRHELxEvwV1yB2Lc3ULpaVoLIw5qEG3rqVvQz/PVDb1mhFsfWlxkWt+DHSqmMIewwIYoBIxa0BZCtbUCkHjTNyt5sKqyIiIzHbI7Vt7h6WMPPw97dv3od378XO8t2DYpXe9f0n79nGzVWxVKLJxYA37RxnGebcdJOx23G+jeTWkKceCfMMu3VgYW87UXcHPEGko9SIJpM0extw/SS5DekCk+2igyVozBSYNYIwJRnU1hnKl34PR9orrFY5pa9nvDPY2xHaDtFaaUuU4++v//4mloIbZXvqc6f0/PgJlrsFBlsu1in1zU6ijWL+fvbbxfkFeUevKy7Lbqx3fFsdbUdPw9waojhCViBjQN0+sjr1KV6ymDw921c5FrPjFWw+dBF+S3J2tWPLWRak8vlp6NIbsNiLoTjepjxwr4CW4uq/fN1wV5gjy6Emmfp2o7/EmdAPlN0YxlWjFd8FdStf3PucmCaSok4N+ZuxWsn5v00FZVeCGwvl316Evz3vPuVyBiz+0YxrWFERVWToVPR+Q6gsiVFk5FhqmHNj9dpZ9scUFjW1i9Csv8OB7OIwQBKdUsdC0xdC+3otpnSvC3mnT3aYg7R6/Zf/GwAA//+GnLko" +} diff --git a/x-pack/filebeat/module/cylance/_meta/docs.asciidoc b/x-pack/filebeat/module/cylance/_meta/docs.asciidoc index ffb6b412573..4724e1231e4 100644 --- a/x-pack/filebeat/module/cylance/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cylance/_meta/docs.asciidoc @@ -51,7 +51,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/cylance/protect/config/input.yml b/x-pack/filebeat/module/cylance/protect/config/input.yml index fc90f92344c..28123fafd35 100644 --- a/x-pack/filebeat/module/cylance/protect/config/input.yml +++ b/x-pack/filebeat/module/cylance/protect/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml index d6bca1e8c47..72aa57c217a 100644 --- a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for CylanceProtect processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original @@ -49,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json index abf3264f09f..4f73edba010 100644 --- a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2016-01-29T08:09:59.000Z", "event.action": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -13,6 +12,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "nostrud4819.mail.test" + ], "rsa.identity.firstname": "uii", "rsa.identity.lastname": "umexe", "rsa.internal.messageid": "CylancePROTECT", @@ -26,7 +28,6 @@ "rsa.network.alias_host": [ "nostrud4819.mail.test" ], - "rsa.time.event_time": "2016-01-29T08:09:59.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -34,7 +35,6 @@ ] }, { - "@timestamp": "2016-02-12T03:12:33.000Z", "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -47,6 +47,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "volup208.invalid" + ], "rsa.identity.firstname": "luptat", "rsa.identity.lastname": "isiutal", "rsa.internal.messageid": "CylancePROTECT", @@ -59,7 +62,6 @@ "rsa.network.alias_host": [ "volup208.invalid" ], - "rsa.time.event_time": "2016-02-12T03:12:33.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -67,7 +69,6 @@ ] }, { - "@timestamp": "2020-02-26T10:15:08.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -80,6 +81,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "eius6159.www5.localhost" + ], "rsa.db.index": "temvel", "rsa.identity.firstname": "lupt", "rsa.identity.lastname": "tia", @@ -92,7 +96,6 @@ "rsa.network.alias_host": [ "eius6159.www5.localhost" ], - "rsa.time.event_time": "2020-02-26T10:15:08.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -100,7 +103,6 @@ ] }, { - "@timestamp": "2016-03-12T05:17:42.000Z", "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -113,6 +115,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ratvolup497.www.corp" + ], "rsa.db.index": "ommodic", "rsa.identity.firstname": "mipsu", "rsa.identity.lastname": "consec", @@ -125,7 +130,6 @@ "rsa.network.alias_host": [ "ratvolup497.www.corp" ], - "rsa.time.event_time": "2016-03-12T05:17:42.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -133,7 +137,6 @@ ] }, { - "@timestamp": "2016-03-26T12:20:16.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -146,6 +149,9 @@ "observer.product": "taliqu", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tatno5625.api.local" + ], "rsa.identity.firstname": "tur", "rsa.identity.lastname": "aperi", "rsa.internal.messageid": "CylancePROTECT", @@ -159,7 +165,6 @@ "rsa.network.alias_host": [ "tatno5625.api.local" ], - "rsa.time.event_time": "2016-03-26T12:20:16.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -167,7 +172,6 @@ ] }, { - "@timestamp": "2016-04-09T07:22:51.000Z", "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -181,6 +185,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "maveniam1399.mail.lan" + ], "related.ip": [ "10.124.61.119" ], @@ -199,7 +206,6 @@ "maveniam1399.mail.lan" ], "rsa.network.eth_host": "01:00:5e:dc:bb:8b", - "rsa.time.event_time": "2016-04-09T07:22:51.000Z", "service.type": "cylance", "source.ip": [ "10.124.61.119" @@ -211,7 +217,6 @@ "user.name": "occ" }, { - "@timestamp": "2020-04-24T14:25:25.000Z", "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -224,6 +229,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "nimadmin6499.local" + ], "rsa.db.index": "lorem", "rsa.identity.firstname": "urerep", "rsa.identity.lastname": "aquaeab", @@ -236,7 +244,6 @@ "rsa.network.alias_host": [ "nimadmin6499.local" ], - "rsa.time.event_time": "2020-04-24T14:25:25.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -244,7 +251,6 @@ ] }, { - "@timestamp": "2016-05-08T09:27:59.000Z", "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -257,6 +263,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "suntinc4934.www5.test" + ], "rsa.identity.firstname": "dmi", "rsa.identity.lastname": "olab", "rsa.internal.messageid": "CylancePROTECT", @@ -270,7 +279,6 @@ "rsa.network.alias_host": [ "suntinc4934.www5.test" ], - "rsa.time.event_time": "2016-05-08T09:27:59.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -278,7 +286,6 @@ ] }, { - "@timestamp": "2016-05-22T04:30:33.000Z", "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -294,6 +301,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.2344", + "related.hosts": [ + "reetdolo2451.www.example" + ], "related.user": [ "usan" ], @@ -307,7 +317,6 @@ "rsa.network.alias_host": [ "reetdolo2451.www.example" ], - "rsa.time.event_time": "2016-05-22T04:30:33.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -316,7 +325,6 @@ "user.name": "usan" }, { - "@timestamp": "2016-06-05T11:33:08.000Z", "event.action": "Registration", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -329,6 +337,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "uis7612.www5.domain" + ], "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", @@ -337,7 +348,6 @@ "rsa.network.alias_host": [ "uis7612.www5.domain" ], - "rsa.time.event_time": "2016-06-05T11:33:08.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -345,7 +355,6 @@ ] }, { - "@timestamp": "2020-06-20T06:35:42.000Z", "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -358,6 +367,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "admi3749.api.lan" + ], "rsa.db.index": "nimadmin", "rsa.identity.firstname": "iqui", "rsa.identity.lastname": "etc", @@ -370,7 +382,6 @@ "rsa.network.alias_host": [ "admi3749.api.lan" ], - "rsa.time.event_time": "2020-06-20T06:35:42.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -378,7 +389,6 @@ ] }, { - "@timestamp": "2016-07-04T13:38:16.000Z", "event.action": "fullaccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -394,6 +404,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.5383", + "related.hosts": [ + "rudexerc703.internal.host" + ], "related.user": [ "isaute" ], @@ -408,7 +421,6 @@ "rsa.network.alias_host": [ "rudexerc703.internal.host" ], - "rsa.time.event_time": "2016-07-04T13:38:16.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -417,7 +429,6 @@ "user.name": "isaute" }, { - "@timestamp": "2016-07-18T20:40:00.000Z", "event.action": "cancel", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -444,7 +455,6 @@ "rsa.misc.checksum": "itecto", "rsa.misc.event_type": "threat_found", "rsa.misc.node": "sequatur", - "rsa.time.event_time": "2016-07-18T20:40:00.000Z", "service.type": "cylance", "source.ip": [ "10.199.98.186" @@ -455,7 +465,6 @@ ] }, { - "@timestamp": "2016-08-02T03:43:25.000Z", "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -471,6 +480,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "estqu1709.internal.example" + ], "related.ip": [ "10.64.70.5" ], @@ -487,7 +499,6 @@ "rsa.network.alias_host": [ "estqu1709.internal.example" ], - "rsa.time.event_time": "2016-08-02T03:43:25.000Z", "rsa.web.reputation_num": 145.898, "service.type": "cylance", "source.ip": [ @@ -499,7 +510,6 @@ ] }, { - "@timestamp": "2016-08-16T10:45:59.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -513,6 +523,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "xeac7155.www.localdomain" + ], "related.ip": [ "10.143.239.210" ], @@ -531,7 +544,6 @@ "xeac7155.www.localdomain" ], "rsa.network.eth_host": "01:00:5e:93:1c:9f", - "rsa.time.event_time": "2016-08-16T10:45:59.000Z", "service.type": "cylance", "source.ip": [ "10.143.239.210" @@ -543,7 +555,6 @@ "user.name": "oinBCSe" }, { - "@timestamp": "2016-08-30T05:48:33.000Z", "event.action": "accept", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -558,6 +569,9 @@ "observer.vendor": "Cylance", "process.name": "aliqu.exe", "process.pid": 2289, + "related.hosts": [ + "maccusa5126.api.domain" + ], "related.ip": [ "10.32.143.134" ], @@ -578,7 +592,6 @@ "rsa.network.alias_host": [ "maccusa5126.api.domain" ], - "rsa.time.event_time": "2016-08-30T05:48:33.000Z", "service.type": "cylance", "source.ip": [ "10.32.143.134" @@ -590,7 +603,6 @@ "user.name": "olupta" }, { - "@timestamp": "2019-09-13T12:51:07.000Z", "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -603,6 +615,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "llu4718.localhost" + ], "rsa.db.index": "psaquae", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -614,7 +629,6 @@ "rsa.network.alias_host": [ "llu4718.localhost" ], - "rsa.time.event_time": "2019-09-13T12:51:07.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -622,7 +636,6 @@ ] }, { - "@timestamp": "2019-09-28T07:53:42.000Z", "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -645,7 +658,6 @@ "rsa.misc.event_type": "DeviceRemove", "rsa.misc.mail_id": "tincu", "rsa.misc.policy_name": "taevit", - "rsa.time.event_time": "2019-09-28T07:53:42.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -653,7 +665,6 @@ ] }, { - "@timestamp": "2016-10-12T14:56:16.000Z", "event.action": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -666,6 +677,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "eaq908.api.home" + ], "rsa.db.index": "equat", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -676,7 +690,6 @@ "rsa.network.alias_host": [ "eaq908.api.home" ], - "rsa.time.event_time": "2016-10-12T14:56:16.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -684,7 +697,6 @@ ] }, { - "@timestamp": "2016-10-26T09:58:50.000Z", "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -700,6 +712,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.4129", + "related.hosts": [ + "mcolab379.internal.home" + ], "related.user": [ "fdeFi" ], @@ -714,7 +729,6 @@ "rsa.network.alias_host": [ "mcolab379.internal.home" ], - "rsa.time.event_time": "2016-10-26T09:58:50.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -723,7 +737,6 @@ "user.name": "fdeFi" }, { - "@timestamp": "2019-11-10T05:01:24.000Z", "event.action": "threat_quarantined", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -751,7 +764,6 @@ "rsa.misc.event_type": "threat_quarantined", "rsa.misc.node": "ectio", "rsa.network.eth_host": "01:00:5e:3f:c4:6c", - "rsa.time.event_time": "2019-11-10T05:01:24.000Z", "service.type": "cylance", "source.ip": [ "10.237.205.140" @@ -763,7 +775,6 @@ "user.name": "uames" }, { - "@timestamp": "2019-11-24T12:03:59.000Z", "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -776,6 +787,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "sciun4694.api.lan" + ], "rsa.db.index": "enderit", "rsa.identity.firstname": "idata", "rsa.identity.lastname": "rumwritt", @@ -788,7 +802,6 @@ "rsa.network.alias_host": [ "sciun4694.api.lan" ], - "rsa.time.event_time": "2019-11-24T12:03:59.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -796,7 +809,6 @@ ] }, { - "@timestamp": "2019-12-08T07:06:33.000Z", "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -809,6 +821,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "mni7200.mail.localdomain" + ], "rsa.db.index": "uisau", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -818,7 +833,6 @@ "rsa.network.alias_host": [ "mni7200.mail.localdomain" ], - "rsa.time.event_time": "2019-12-08T07:06:33.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -826,7 +840,6 @@ ] }, { - "@timestamp": "2019-12-23T14:09:07.000Z", "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -846,7 +859,6 @@ "rsa.misc.event_type": "Device Policy Assigned", "rsa.misc.node": "quinesc", "rsa.network.zone": "madmi", - "rsa.time.event_time": "2019-12-23T14:09:07.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -854,7 +866,6 @@ ] }, { - "@timestamp": "2017-01-06T09:11:41.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -870,6 +881,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.3212", + "related.hosts": [ + "ntoccae1705.internal.invalid" + ], "related.user": [ "aperiame" ], @@ -883,7 +897,6 @@ "rsa.network.alias_host": [ "ntoccae1705.internal.invalid" ], - "rsa.time.event_time": "2017-01-06T09:11:41.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -892,7 +905,6 @@ "user.name": "aperiame" }, { - "@timestamp": "2020-01-20T04:14:16.000Z", "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -905,6 +917,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "etconsec6708.internal.invalid" + ], "rsa.db.index": "mquame", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1502030000, @@ -916,7 +931,6 @@ "rsa.network.alias_host": [ "etconsec6708.internal.invalid" ], - "rsa.time.event_time": "2020-01-20T04:14:16.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -924,7 +938,6 @@ ] }, { - "@timestamp": "2017-02-03T11:16:50.000Z", "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -937,6 +950,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "Sedutp7428.internal.home" + ], "rsa.db.index": "iquipe", "rsa.identity.firstname": "upida", "rsa.identity.lastname": "tvolupt", @@ -950,7 +966,6 @@ "rsa.network.alias_host": [ "Sedutp7428.internal.home" ], - "rsa.time.event_time": "2017-02-03T11:16:50.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -958,7 +973,6 @@ ] }, { - "@timestamp": "2017-02-18T06:19:24.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -971,6 +985,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ati4639.www5.home" + ], "rsa.identity.firstname": "con", "rsa.identity.lastname": "nisist", "rsa.internal.messageid": "CylancePROTECT", @@ -983,7 +1000,6 @@ "rsa.network.alias_host": [ "ati4639.www5.home" ], - "rsa.time.event_time": "2017-02-18T06:19:24.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -991,7 +1007,6 @@ ] }, { - "@timestamp": "2017-03-04T13:21:59.000Z", "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1004,6 +1019,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "torever662.www5.home" + ], "rsa.db.index": "The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240", "rsa.identity.firstname": "amcol", "rsa.identity.lastname": "adeser", @@ -1016,7 +1034,6 @@ "rsa.network.alias_host": [ "torever662.www5.home" ], - "rsa.time.event_time": "2017-03-04T13:21:59.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1024,7 +1041,6 @@ ] }, { - "@timestamp": "2017-03-18T08:24:33.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1037,6 +1053,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "emeumfug4387.internal.lan" + ], "rsa.identity.firstname": "ccaeca", "rsa.identity.lastname": "niamq", "rsa.internal.messageid": "CylancePROTECT", @@ -1050,7 +1069,6 @@ "rsa.network.alias_host": [ "emeumfug4387.internal.lan" ], - "rsa.time.event_time": "2017-03-18T08:24:33.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1058,7 +1076,6 @@ ] }, { - "@timestamp": "2017-04-02T03:27:07.000Z", "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1071,6 +1088,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "rumwrit764.www5.local" + ], "rsa.db.index": "miu", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1804020000, @@ -1082,7 +1102,6 @@ "rsa.network.alias_host": [ "rumwrit764.www5.local" ], - "rsa.time.event_time": "2017-04-02T03:27:07.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1090,7 +1109,6 @@ ] }, { - "@timestamp": "2020-04-16T10:29:41.000Z", "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1113,7 +1131,6 @@ "rsa.investigations.event_vcat": "luptat", "rsa.misc.event_type": "SyslogSettingsSave", "rsa.misc.mail_id": "ritt", - "rsa.time.event_time": "2020-04-16T10:29:41.000Z", "service.type": "cylance", "source.ip": [ "10.13.66.97" @@ -1124,7 +1141,6 @@ ] }, { - "@timestamp": "2017-04-30T05:32:16.000Z", "event.action": "threat_quarantined", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1137,6 +1153,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "oremi1485.api.localhost" + ], "rsa.identity.firstname": "atisund", "rsa.identity.lastname": "xea", "rsa.internal.messageid": "CylancePROTECT", @@ -1150,7 +1169,6 @@ "rsa.network.alias_host": [ "oremi1485.api.localhost" ], - "rsa.time.event_time": "2017-04-30T05:32:16.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1158,7 +1176,6 @@ ] }, { - "@timestamp": "2020-05-14T12:34:50.000Z", "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1171,6 +1188,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "periam126.api.host" + ], "rsa.crypto.sig_type": "rExc", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -1180,7 +1200,6 @@ "rsa.network.alias_host": [ "periam126.api.host" ], - "rsa.time.event_time": "2020-05-14T12:34:50.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1188,7 +1207,6 @@ ] }, { - "@timestamp": "2017-05-29T07:37:24.000Z", "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1204,6 +1222,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tate6578.api.localdomain" + ], "related.ip": [ "10.252.165.146" ], @@ -1220,7 +1241,6 @@ "rsa.network.alias_host": [ "tate6578.api.localdomain" ], - "rsa.time.event_time": "2017-05-29T07:37:24.000Z", "rsa.web.reputation_num": 51.523, "service.type": "cylance", "source.ip": [ @@ -1232,7 +1252,6 @@ ] }, { - "@timestamp": "2017-06-12T14:39:58.000Z", "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1246,6 +1265,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "midestl1919.host" + ], "related.ip": [ "10.124.88.222" ], @@ -1263,7 +1285,6 @@ "midestl1919.host" ], "rsa.network.eth_host": "01:00:5e:f9:78:c2", - "rsa.time.event_time": "2017-06-12T14:39:58.000Z", "service.type": "cylance", "source.ip": [ "10.124.88.222" @@ -1275,7 +1296,6 @@ "user.name": "onu" }, { - "@timestamp": "2017-06-26T09:42:33.000Z", "event.action": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1288,6 +1308,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "eiusmod3517.internal.invalid" + ], "rsa.identity.firstname": "dol", "rsa.identity.lastname": "sciun", "rsa.internal.messageid": "CylancePROTECT", @@ -1301,7 +1324,6 @@ "rsa.network.alias_host": [ "eiusmod3517.internal.invalid" ], - "rsa.time.event_time": "2017-06-26T09:42:33.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1309,7 +1331,6 @@ ] }, { - "@timestamp": "2017-07-11T04:45:07.000Z", "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1323,6 +1344,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ntexpl3889.www.home" + ], "related.ip": [ "10.156.34.19" ], @@ -1341,7 +1365,6 @@ "ntexpl3889.www.home" ], "rsa.network.eth_host": "01:00:5e:54:ab:3f", - "rsa.time.event_time": "2017-07-11T04:45:07.000Z", "service.type": "cylance", "source.ip": [ "10.156.34.19" @@ -1353,7 +1376,6 @@ "user.name": "imveni" }, { - "@timestamp": "2019-07-25T11:47:41.000Z", "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1367,6 +1389,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ntium4450.www5.localdomain" + ], "related.ip": [ "10.22.94.10" ], @@ -1384,7 +1409,6 @@ "ntium4450.www5.localdomain" ], "rsa.network.eth_host": "01:00:5e:ee:e8:77", - "rsa.time.event_time": "2019-07-25T11:47:41.000Z", "service.type": "cylance", "source.ip": [ "10.22.94.10" @@ -1396,7 +1420,6 @@ "user.name": "ssusci" }, { - "@timestamp": "2017-08-08T06:50:15.000Z", "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1409,6 +1432,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "erspi5757.local" + ], "rsa.db.index": "undeomni", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1401060000, @@ -1420,7 +1446,6 @@ "rsa.network.alias_host": [ "erspi5757.local" ], - "rsa.time.event_time": "2017-08-08T06:50:15.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1428,7 +1453,6 @@ ] }, { - "@timestamp": "2019-08-22T13:52:50.000Z", "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1450,7 +1474,6 @@ "rsa.misc.device_name": "edolo", "rsa.misc.event_type": "threat_found", "rsa.misc.mail_id": "econs", - "rsa.time.event_time": "2019-08-22T13:52:50.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1458,7 +1481,6 @@ ] }, { - "@timestamp": "2017-09-06T08:55:00.000Z", "event.action": "allow", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1485,7 +1507,6 @@ "rsa.misc.checksum": "culpaq", "rsa.misc.event_type": "PolicyAdd", "rsa.misc.node": "fugits", - "rsa.time.event_time": "2017-09-06T08:55:00.000Z", "service.type": "cylance", "source.ip": [ "10.153.34.43" @@ -1496,7 +1517,6 @@ ] }, { - "@timestamp": "2017-09-20T03:57:58.000Z", "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1509,6 +1529,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "magnid3343.home" + ], "rsa.db.index": "obea", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -1520,7 +1543,6 @@ "rsa.network.alias_host": [ "magnid3343.home" ], - "rsa.time.event_time": "2017-09-20T03:57:58.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1528,7 +1550,6 @@ ] }, { - "@timestamp": "2019-10-04T11:00:32.000Z", "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1541,6 +1562,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "asperna7623.www.home" + ], "rsa.identity.firstname": "onproide", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -1551,7 +1575,6 @@ "asperna7623.www.home" ], "rsa.network.zone": "tat", - "rsa.time.event_time": "2019-10-04T11:00:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1559,7 +1582,6 @@ ] }, { - "@timestamp": "2017-10-19T06:03:07.000Z", "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1575,6 +1597,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.3421", + "related.hosts": [ + "undeom845.www5.example" + ], "related.user": [ "tassita" ], @@ -1588,7 +1613,6 @@ "rsa.network.alias_host": [ "undeom845.www5.example" ], - "rsa.time.event_time": "2017-10-19T06:03:07.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1597,7 +1621,6 @@ "user.name": "tassita" }, { - "@timestamp": "2019-11-02T13:05:41.000Z", "event.action": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1617,7 +1640,6 @@ "rsa.misc.event_type": "threat_changed", "rsa.misc.node": "quira", "rsa.network.zone": "rror", - "rsa.time.event_time": "2019-11-02T13:05:41.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1625,7 +1647,6 @@ ] }, { - "@timestamp": "2017-11-16T08:08:15.000Z", "event.action": "threat_quarantined", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1641,6 +1662,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ons5050.mail.test" + ], "related.ip": [ "10.48.209.115" ], @@ -1657,7 +1681,6 @@ "rsa.network.alias_host": [ "ons5050.mail.test" ], - "rsa.time.event_time": "2017-11-16T08:08:15.000Z", "rsa.web.reputation_num": 75.498, "service.type": "cylance", "source.ip": [ @@ -1669,7 +1692,6 @@ ] }, { - "@timestamp": "2019-12-01T03:10:49.000Z", "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1683,6 +1705,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "oloreeu7597.mail.home" + ], "related.ip": [ "10.7.99.47" ], @@ -1700,7 +1725,6 @@ "oloreeu7597.mail.home" ], "rsa.network.eth_host": "01:00:5e:e8:41:ae", - "rsa.time.event_time": "2019-12-01T03:10:49.000Z", "service.type": "cylance", "source.ip": [ "10.7.99.47" @@ -1712,7 +1736,6 @@ "user.name": "evolupta" }, { - "@timestamp": "2017-12-15T10:13:24.000Z", "event.action": "Device Updated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1725,6 +1748,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ueip5847.api.test" + ], "rsa.crypto.sig_type": "Nemoenim", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1804010000, @@ -1735,7 +1761,6 @@ "rsa.network.alias_host": [ "ueip5847.api.test" ], - "rsa.time.event_time": "2017-12-15T10:13:24.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1743,7 +1768,6 @@ ] }, { - "@timestamp": "2017-12-29T05:15:58.000Z", "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1759,6 +1783,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.989", + "related.hosts": [ + "uid3520.www.home" + ], "related.user": [ "ici" ], @@ -1773,7 +1800,6 @@ "rsa.network.alias_host": [ "uid3520.www.home" ], - "rsa.time.event_time": "2017-12-29T05:15:58.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1782,7 +1808,6 @@ "user.name": "ici" }, { - "@timestamp": "2020-01-12T12:18:32.000Z", "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1801,7 +1826,6 @@ "rsa.investigations.event_vcat": "iduntu", "rsa.misc.event_type": "SyslogSettingsSave", "rsa.misc.node": "inibusB", - "rsa.time.event_time": "2020-01-12T12:18:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1809,7 +1833,6 @@ ] }, { - "@timestamp": "2020-01-27T07:21:06.000Z", "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1829,7 +1852,6 @@ "rsa.misc.event_type": "SyslogSettingsSave", "rsa.misc.node": "imavenia", "rsa.network.zone": "expli", - "rsa.time.event_time": "2020-01-27T07:21:06.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1837,7 +1859,6 @@ ] }, { - "@timestamp": "2018-02-10T14:23:41.000Z", "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1850,6 +1871,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "teir7585.www5.localdomain" + ], "rsa.identity.firstname": "scip", "rsa.identity.lastname": "Finibus", "rsa.internal.messageid": "CylancePROTECT", @@ -1862,7 +1886,6 @@ "rsa.network.alias_host": [ "teir7585.www5.localdomain" ], - "rsa.time.event_time": "2018-02-10T14:23:41.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1870,7 +1893,6 @@ ] }, { - "@timestamp": "2020-02-24T09:26:15.000Z", "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1891,7 +1913,6 @@ "rsa.misc.event_type": "SyslogSettingsSave", "rsa.misc.node": "quunt", "rsa.misc.serial_number": "volup", - "rsa.time.event_time": "2020-02-24T09:26:15.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1899,7 +1920,6 @@ ] }, { - "@timestamp": "2020-03-11T04:28:49.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1921,7 +1941,6 @@ "rsa.misc.device_name": "oreeu", "rsa.misc.event_type": "Alert", "rsa.misc.mail_id": "tassita", - "rsa.time.event_time": "2020-03-11T04:28:49.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1929,7 +1948,6 @@ ] }, { - "@timestamp": "2018-03-25T11:31:24.000Z", "event.action": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1942,6 +1960,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "serrorsi1096.www5.localdomain" + ], "rsa.db.index": "The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -1952,7 +1973,6 @@ "rsa.network.alias_host": [ "serrorsi1096.www5.localdomain" ], - "rsa.time.event_time": "2018-03-25T11:31:24.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1960,7 +1980,6 @@ ] }, { - "@timestamp": "2018-04-08T06:33:58.000Z", "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1973,6 +1992,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "prehen4807.mail.invalid" + ], "rsa.db.index": "meum", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1600000000, @@ -1984,7 +2006,6 @@ "rsa.network.alias_host": [ "prehen4807.mail.invalid" ], - "rsa.time.event_time": "2018-04-08T06:33:58.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1992,7 +2013,6 @@ ] }, { - "@timestamp": "2018-04-22T13:36:32.000Z", "event.action": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2005,6 +2025,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "sit1400.www.lan" + ], "rsa.db.index": "ntsunti", "rsa.identity.firstname": "uid", "rsa.identity.lastname": "idatat", @@ -2018,7 +2041,6 @@ "rsa.network.alias_host": [ "sit1400.www.lan" ], - "rsa.time.event_time": "2018-04-22T13:36:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2026,7 +2048,6 @@ ] }, { - "@timestamp": "2018-05-07T08:39:06.000Z", "event.action": "Device Updated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2039,6 +2060,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "sectetu7182.localdomain" + ], "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1804010000, "rsa.investigations.event_cat_name": "Network.Devices.Additions", @@ -2047,7 +2071,6 @@ "rsa.network.alias_host": [ "sectetu7182.localdomain" ], - "rsa.time.event_time": "2018-05-07T08:39:06.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2055,7 +2078,6 @@ ] }, { - "@timestamp": "2018-05-21T03:41:41.000Z", "event.action": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2068,6 +2090,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "officiad4982.www5.domain" + ], "rsa.identity.firstname": "etdolore", "rsa.identity.lastname": "magnaa", "rsa.internal.messageid": "CylancePROTECT", @@ -2080,7 +2105,6 @@ "rsa.network.alias_host": [ "officiad4982.www5.domain" ], - "rsa.time.event_time": "2018-05-21T03:41:41.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2088,7 +2112,6 @@ ] }, { - "@timestamp": "2018-06-04T10:44:15.000Z", "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2101,6 +2124,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "consequa1486.internal.localdomain" + ], "rsa.crypto.sig_type": "quaeratv", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -2111,7 +2137,6 @@ "rsa.network.alias_host": [ "consequa1486.internal.localdomain" ], - "rsa.time.event_time": "2018-06-04T10:44:15.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2119,7 +2144,6 @@ ] }, { - "@timestamp": "2018-06-19T05:46:49.000Z", "event.action": "fullaccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2133,6 +2157,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "its6443.mail.example" + ], "related.ip": [ "10.139.80.71" ], @@ -2150,7 +2177,6 @@ "its6443.mail.example" ], "rsa.network.eth_host": "01:00:5e:bc:c1:21", - "rsa.time.event_time": "2018-06-19T05:46:49.000Z", "service.type": "cylance", "source.ip": [ "10.139.80.71" @@ -2162,7 +2188,6 @@ "user.name": "orem" }, { - "@timestamp": "2018-07-03T12:49:23.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2178,6 +2203,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tconsec7604.corp" + ], "related.ip": [ "10.223.246.244" ], @@ -2194,7 +2222,6 @@ "rsa.network.alias_host": [ "tconsec7604.corp" ], - "rsa.time.event_time": "2018-07-03T12:49:23.000Z", "rsa.web.reputation_num": 105.845, "service.type": "cylance", "source.ip": [ @@ -2206,7 +2233,6 @@ ] }, { - "@timestamp": "2018-07-17T07:51:58.000Z", "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2219,6 +2245,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tuser2694.internal.invalid" + ], "rsa.identity.firstname": "natus", "rsa.identity.lastname": "boreet", "rsa.internal.messageid": "CylancePROTECT", @@ -2232,7 +2261,6 @@ "rsa.network.alias_host": [ "tuser2694.internal.invalid" ], - "rsa.time.event_time": "2018-07-17T07:51:58.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2240,7 +2268,6 @@ ] }, { - "@timestamp": "2018-08-01T14:54:32.000Z", "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2253,6 +2280,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "gnaaliq5240.api.test" + ], "rsa.crypto.sig_type": "ratvo", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -2263,7 +2293,6 @@ "rsa.network.alias_host": [ "gnaaliq5240.api.test" ], - "rsa.time.event_time": "2018-08-01T14:54:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2271,7 +2300,6 @@ ] }, { - "@timestamp": "2019-08-15T09:57:06.000Z", "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2284,6 +2312,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "illum2625.test" + ], "rsa.crypto.sig_type": "iaeconse", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1401060000, @@ -2293,7 +2324,6 @@ "rsa.network.alias_host": [ "illum2625.test" ], - "rsa.time.event_time": "2019-08-15T09:57:06.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2301,7 +2331,6 @@ ] }, { - "@timestamp": "2018-08-29T16:59:40.000Z", "event.action": "deny", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2315,6 +2344,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "nulamc5617.mail.host" + ], "related.ip": [ "10.134.137.205" ], @@ -2332,7 +2364,6 @@ "rsa.network.alias_host": [ "nulamc5617.mail.host" ], - "rsa.time.event_time": "2018-08-29T16:59:40.000Z", "service.type": "cylance", "source.ip": [ "10.134.137.205" @@ -2343,7 +2374,6 @@ ] }, { - "@timestamp": "2018-09-12T12:02:15.000Z", "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2356,6 +2386,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tatem4713.internal.host" + ], "rsa.db.index": "usci", "rsa.identity.firstname": "lupta", "rsa.identity.lastname": "ura", @@ -2369,7 +2402,6 @@ "rsa.network.alias_host": [ "tatem4713.internal.host" ], - "rsa.time.event_time": "2018-09-12T12:02:15.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2377,7 +2409,6 @@ ] }, { - "@timestamp": "2018-09-27T07:04:49.000Z", "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2391,6 +2422,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ugits5961.www5.local" + ], "related.ip": [ "10.91.2.225" ], @@ -2409,7 +2443,6 @@ "ugits5961.www5.local" ], "rsa.network.eth_host": "01:00:5e:42:41:00", - "rsa.time.event_time": "2018-09-27T07:04:49.000Z", "service.type": "cylance", "source.ip": [ "10.91.2.225" @@ -2421,7 +2454,6 @@ "user.name": "rsp" }, { - "@timestamp": "2018-10-11T14:07:23.000Z", "event.action": "block", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2436,6 +2468,9 @@ "observer.vendor": "Cylance", "process.name": "nimadmi.exe", "process.pid": 601, + "related.hosts": [ + "prehende5460.mail.localdomain" + ], "related.ip": [ "10.191.99.14" ], @@ -2456,7 +2491,6 @@ "rsa.network.alias_host": [ "prehende5460.mail.localdomain" ], - "rsa.time.event_time": "2018-10-11T14:07:23.000Z", "service.type": "cylance", "source.ip": [ "10.191.99.14" @@ -2468,7 +2502,6 @@ "user.name": "lapa" }, { - "@timestamp": "2019-10-25T09:09:57.000Z", "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2481,6 +2514,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "velites1745.api.corp" + ], "rsa.db.index": "lor", "rsa.identity.firstname": "naaliq", "rsa.identity.lastname": "plica", @@ -2495,7 +2531,6 @@ "rsa.network.alias_host": [ "velites1745.api.corp" ], - "rsa.time.event_time": "2019-10-25T09:09:57.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2503,7 +2538,6 @@ ] }, { - "@timestamp": "2019-11-09T04:12:32.000Z", "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2516,6 +2550,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "Duis583.api.local" + ], "rsa.crypto.sig_type": "dminim", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1401060000, @@ -2525,7 +2562,6 @@ "rsa.network.alias_host": [ "Duis583.api.local" ], - "rsa.time.event_time": "2019-11-09T04:12:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2533,7 +2569,6 @@ ] }, { - "@timestamp": "2018-11-23T11:15:06.000Z", "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2549,6 +2584,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.2478", + "related.hosts": [ + "velitess2401.www.lan" + ], "rsa.db.index": "dolo", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -2560,7 +2598,6 @@ "rsa.network.alias_host": [ "velitess2401.www.lan" ], - "rsa.time.event_time": "2018-11-23T11:15:06.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2568,7 +2605,6 @@ ] }, { - "@timestamp": "2018-12-07T06:17:40.000Z", "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2581,6 +2617,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "sequines3991.mail.local" + ], "rsa.identity.firstname": "sequines", "rsa.identity.lastname": "minimve", "rsa.internal.messageid": "CylancePROTECT", @@ -2595,7 +2634,6 @@ "rsa.network.alias_host": [ "sequines3991.mail.local" ], - "rsa.time.event_time": "2018-12-07T06:17:40.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2603,7 +2641,6 @@ ] }, { - "@timestamp": "2018-12-21T13:20:14.000Z", "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2619,6 +2656,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "iatquo2815.mail.host" + ], "related.ip": [ "10.181.215.164" ], @@ -2635,7 +2675,6 @@ "rsa.network.alias_host": [ "iatquo2815.mail.host" ], - "rsa.time.event_time": "2018-12-21T13:20:14.000Z", "rsa.web.reputation_num": 38.593, "service.type": "cylance", "source.ip": [ @@ -2647,7 +2686,6 @@ ] }, { - "@timestamp": "2020-01-05T08:22:49.000Z", "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2669,7 +2707,6 @@ "rsa.misc.device_name": "atevelit", "rsa.misc.event_type": "Device Policy Assigned", "rsa.misc.mail_id": "uptate", - "rsa.time.event_time": "2020-01-05T08:22:49.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2677,7 +2714,6 @@ ] }, { - "@timestamp": "2020-01-19T03:25:23.000Z", "event.action": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2690,6 +2726,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "issusci7005.mail.host" + ], "rsa.db.index": "tiumtot", "rsa.identity.firstname": "ecillumd", "rsa.identity.lastname": "iumto", @@ -2704,7 +2743,6 @@ "rsa.network.alias_host": [ "issusci7005.mail.host" ], - "rsa.time.event_time": "2020-01-19T03:25:23.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2712,7 +2750,6 @@ ] }, { - "@timestamp": "2019-02-02T22:27:57.000Z", "event.action": "accept", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2726,6 +2763,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "umq7428.invalid" + ], "related.ip": [ "10.164.59.219" ], @@ -2743,7 +2783,6 @@ "rsa.network.alias_host": [ "umq7428.invalid" ], - "rsa.time.event_time": "2019-02-02T22:27:57.000Z", "service.type": "cylance", "source.ip": [ "10.164.59.219" @@ -2754,7 +2793,6 @@ ] }, { - "@timestamp": "2020-02-17T05:30:32.000Z", "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2776,7 +2814,6 @@ "rsa.misc.device_name": "rem", "rsa.misc.event_type": "PolicyAdd", "rsa.misc.mail_id": "rinci", - "rsa.time.event_time": "2020-02-17T05:30:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2784,7 +2821,6 @@ ] }, { - "@timestamp": "2019-03-03T12:33:06.000Z", "event.action": "block", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2798,6 +2834,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "epteurs5503.www5.home" + ], "related.ip": [ "10.1.193.187" ], @@ -2815,7 +2854,6 @@ "rsa.network.alias_host": [ "epteurs5503.www5.home" ], - "rsa.time.event_time": "2019-03-03T12:33:06.000Z", "service.type": "cylance", "source.ip": [ "10.1.193.187" @@ -2826,7 +2864,6 @@ ] }, { - "@timestamp": "2020-03-17T07:35:40.000Z", "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2849,7 +2886,6 @@ "rsa.misc.event_type": "DeviceRemove", "rsa.misc.mail_id": "riat", "rsa.misc.policy_name": "umdo", - "rsa.time.event_time": "2020-03-17T07:35:40.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2857,7 +2893,6 @@ ] }, { - "@timestamp": "2020-04-01T14:38:14.000Z", "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2870,6 +2905,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "omnisis5339.www5.local" + ], "rsa.db.index": "deom, Device Id: tiumdo, Policy Name: rautod", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -2881,7 +2919,6 @@ "rsa.network.alias_host": [ "omnisis5339.www5.local" ], - "rsa.time.event_time": "2020-04-01T14:38:14.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2889,7 +2926,6 @@ ] }, { - "@timestamp": "2019-04-15T09:40:49.000Z", "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2902,6 +2938,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ction491.www5.local" + ], "rsa.identity.firstname": "imveniam", "rsa.identity.lastname": "sunte", "rsa.internal.messageid": "CylancePROTECT", @@ -2914,7 +2953,6 @@ "rsa.network.alias_host": [ "ction491.www5.local" ], - "rsa.time.event_time": "2019-04-15T09:40:49.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2922,7 +2960,6 @@ ] }, { - "@timestamp": "2019-04-29T04:43:23.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2936,6 +2973,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "undeom7847.api.corp" + ], "related.ip": [ "10.146.228.234" ], @@ -2954,7 +2994,6 @@ "undeom7847.api.corp" ], "rsa.network.eth_host": "01:00:5e:9a:f3:b9", - "rsa.time.event_time": "2019-04-29T04:43:23.000Z", "service.type": "cylance", "source.ip": [ "10.146.228.234" @@ -2966,7 +3005,6 @@ "user.name": "susc" }, { - "@timestamp": "2019-05-13T11:45:57.000Z", "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2979,6 +3017,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "dolo6230.mail.invalid" + ], "related.ip": [ "10.59.232.97" ], @@ -2992,7 +3033,6 @@ "rsa.network.alias_host": [ "dolo6230.mail.invalid" ], - "rsa.time.event_time": "2019-05-13T11:45:57.000Z", "service.type": "cylance", "source.ip": [ "10.59.232.97" @@ -3003,7 +3043,6 @@ ] }, { - "@timestamp": "2019-05-28T06:48:31.000Z", "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3016,6 +3055,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "nvolup6280.api.home" + ], "rsa.identity.firstname": "dantium", "rsa.identity.lastname": "ors", "rsa.internal.messageid": "CylancePROTECT", @@ -3029,7 +3071,6 @@ "rsa.network.alias_host": [ "nvolup6280.api.home" ], - "rsa.time.event_time": "2019-05-28T06:48:31.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3037,7 +3078,6 @@ ] }, { - "@timestamp": "2019-06-11T13:51:06.000Z", "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3050,6 +3090,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "urautodi3892.www5.example" + ], "rsa.db.index": "nibu", "rsa.identity.firstname": "mdolo", "rsa.identity.lastname": "nof", @@ -3063,7 +3106,6 @@ "rsa.network.alias_host": [ "urautodi3892.www5.example" ], - "rsa.time.event_time": "2019-06-11T13:51:06.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3071,7 +3113,6 @@ ] }, { - "@timestamp": "2020-06-25T08:53:40.000Z", "event.action": "allow", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3102,7 +3143,6 @@ "rsa.misc.device_name": "isciveli", "rsa.misc.event_type": "Alert", "rsa.misc.policy_name": "ing", - "rsa.time.event_time": "2020-06-25T08:53:40.000Z", "service.type": "cylance", "source.ip": [ "10.36.18.24" @@ -3114,7 +3154,6 @@ "user.name": "nsequ" }, { - "@timestamp": "2019-07-10T03:56:14.000Z", "event.action": "block", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3129,6 +3168,9 @@ "observer.vendor": "Cylance", "process.name": "oluptat.exe", "process.pid": 4608, + "related.hosts": [ + "uraut3756.www5.test" + ], "related.ip": [ "10.127.30.119" ], @@ -3149,7 +3191,6 @@ "rsa.network.alias_host": [ "uraut3756.www5.test" ], - "rsa.time.event_time": "2019-07-10T03:56:14.000Z", "service.type": "cylance", "source.ip": [ "10.127.30.119" @@ -3161,7 +3202,6 @@ "user.name": "stenatus" }, { - "@timestamp": "2019-07-24T10:58:48.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3174,6 +3214,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "squ2213.www.test" + ], "rsa.db.index": "rExce", "rsa.identity.firstname": "rinc", "rsa.identity.lastname": "tno", @@ -3186,7 +3229,6 @@ "rsa.network.alias_host": [ "squ2213.www.test" ], - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3194,7 +3236,6 @@ ] }, { - "@timestamp": "2019-08-07T06:01:23.000Z", "event.action": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3216,7 +3257,6 @@ "rsa.misc.device_name": "utod", "rsa.misc.event_type": "threat_changed", "rsa.misc.mail_id": "orinrep", - "rsa.time.event_time": "2019-08-07T06:01:23.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3224,7 +3264,6 @@ ] }, { - "@timestamp": "2019-08-21T13:03:57.000Z", "event.action": "deny", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3239,6 +3278,9 @@ "observer.vendor": "Cylance", "process.name": "ngelitse.exe", "process.pid": 4190, + "related.hosts": [ + "umet5891.api.localdomain" + ], "related.ip": [ "10.8.150.213" ], @@ -3259,7 +3301,6 @@ "rsa.network.alias_host": [ "umet5891.api.localdomain" ], - "rsa.time.event_time": "2019-08-21T13:03:57.000Z", "service.type": "cylance", "source.ip": [ "10.8.150.213" @@ -3271,7 +3312,6 @@ "user.name": "ugiatnul" }, { - "@timestamp": "2019-09-05T08:06:31.000Z", "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3284,6 +3324,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "umquam5574.internal.test" + ], "related.ip": [ "10.108.59.10" ], @@ -3297,7 +3340,6 @@ "rsa.network.alias_host": [ "umquam5574.internal.test" ], - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "cylance", "source.ip": [ "10.108.59.10" @@ -3308,7 +3350,6 @@ ] }, { - "@timestamp": "2019-09-19T03:09:05.000Z", "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3321,6 +3362,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "volupt6822.api.invalid" + ], "rsa.identity.firstname": "qui", "rsa.identity.lastname": "epteurs", "rsa.internal.messageid": "CylancePROTECT", @@ -3335,7 +3379,6 @@ "rsa.network.alias_host": [ "volupt6822.api.invalid" ], - "rsa.time.event_time": "2019-09-19T03:09:05.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3343,7 +3386,6 @@ ] }, { - "@timestamp": "2019-10-03T10:11:40.000Z", "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3364,7 +3406,6 @@ "rsa.misc.event_type": "Device Policy Assigned", "rsa.misc.node": "stl", "rsa.misc.serial_number": "eumfugi", - "rsa.time.event_time": "2019-10-03T10:11:40.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3372,7 +3413,6 @@ ] }, { - "@timestamp": "2019-10-18T05:14:14.000Z", "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3393,7 +3433,6 @@ "rsa.misc.event_type": "SyslogSettingsSave", "rsa.misc.node": "tutlabo", "rsa.misc.serial_number": "ateveli", - "rsa.time.event_time": "2019-10-18T05:14:14.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3401,7 +3440,6 @@ ] }, { - "@timestamp": "2019-11-01T12:16:48.000Z", "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3417,6 +3455,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.3237", + "related.hosts": [ + "amvol4075.mail.localhost" + ], "related.user": [ "pta" ], @@ -3430,7 +3471,6 @@ "rsa.network.alias_host": [ "amvol4075.mail.localhost" ], - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3439,7 +3479,6 @@ "user.name": "pta" }, { - "@timestamp": "2019-11-15T07:19:22.000Z", "event.action": "Registration", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3452,6 +3491,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "asi4651.api.test" + ], "rsa.db.index": "ssecill", "rsa.identity.firstname": "officiad", "rsa.identity.lastname": "veniam", @@ -3464,7 +3506,6 @@ "rsa.network.alias_host": [ "asi4651.api.test" ], - "rsa.time.event_time": "2019-11-15T07:19:22.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3472,7 +3513,6 @@ ] }, { - "@timestamp": "2019-11-30T14:21:57.000Z", "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3485,6 +3525,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "perna6751.internal.home" + ], "related.ip": [ "10.138.85.233" ], @@ -3498,7 +3541,6 @@ "rsa.network.alias_host": [ "perna6751.internal.home" ], - "rsa.time.event_time": "2019-11-30T14:21:57.000Z", "service.type": "cylance", "source.ip": [ "10.138.85.233" @@ -3509,7 +3551,6 @@ ] }, { - "@timestamp": "2019-12-14T09:24:31.000Z", "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3522,6 +3563,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "evolupta7790.internal.local" + ], "rsa.db.index": "rehe", "rsa.identity.firstname": "tam", "rsa.identity.lastname": "deser", @@ -3535,7 +3579,6 @@ "rsa.network.alias_host": [ "evolupta7790.internal.local" ], - "rsa.time.event_time": "2019-12-14T09:24:31.000Z", "service.type": "cylance", "tags": [ "cylance.protect", diff --git a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.yml b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.yml index 2bc7e14fb4f..296d932f2ce 100644 --- a/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.yml +++ b/x-pack/filebeat/module/envoyproxy/log/ingest/pipeline-entry.yml @@ -1,5 +1,8 @@ description: Pipeline for normalizing envoyproxy logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - pipeline: if: ctx.message.charAt(0) != (char)("{") name: '{< IngestPipeline "pipeline-plaintext" >}' diff --git a/x-pack/filebeat/module/f5/_meta/config.yml b/x-pack/filebeat/module/f5/_meta/config.yml index a40427c7730..a939fc021f8 100644 --- a/x-pack/filebeat/module/f5/_meta/config.yml +++ b/x-pack/filebeat/module/f5/_meta/config.yml @@ -18,13 +18,13 @@ # "+02:00" for GMT+02:00 # var.tz_offset: local - firepass: + bigipafm: enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp # var.syslog_host: localhost - # var.syslog_port: 9509 + # var.syslog_port: 9528 # Set paths for the log files when file input is used. # var.paths: diff --git a/x-pack/filebeat/module/f5/_meta/docs.asciidoc b/x-pack/filebeat/module/f5/_meta/docs.asciidoc index 058a7aa3ea9..a3cdd1c2523 100644 --- a/x-pack/filebeat/module/f5/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/f5/_meta/docs.asciidoc @@ -7,7 +7,11 @@ experimental[] -This is a module for receiving Big-IP Access Policy Manager logs over Syslog or a file. +This is a module for F5 network device's logs. It includes the following +filesets for receiving logs over syslog or read from a file: + +- `bigipapm` fileset: supports F5 Big-IP Access Policy Manager. +- `bigipafm` fileset: supports F5 Big-IP Advanced Firewall Manager. include::../include/gs-link.asciidoc[] @@ -51,7 +55,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: @@ -63,11 +67,11 @@ will be found under `rsa.raw`. The default is false. :fileset_ex!: [float] -==== `firepass` fileset settings +==== `bigipafm` fileset settings experimental[] -NOTE: This was converted from RSA NetWitness log parser XML "firepass" device revision 0. +NOTE: This was converted from RSA NetWitness log parser XML "bigipafm" device revision 121. *`var.input`*:: @@ -81,7 +85,7 @@ Set to `0.0.0.0` to bind to all available interfaces. *`var.syslog_port`*:: -The port to listen for syslog traffic. Defaults to `9509` +The port to listen for syslog traffic. Defaults to `9528` NOTE: Ports below 1024 require Filebeat to run as root. @@ -96,7 +100,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/tenable/nessus_security/_meta/fields.yml b/x-pack/filebeat/module/f5/bigipafm/_meta/fields.yml similarity index 100% rename from x-pack/filebeat/module/tenable/nessus_security/_meta/fields.yml rename to x-pack/filebeat/module/f5/bigipafm/_meta/fields.yml diff --git a/x-pack/filebeat/module/f5/firepass/config/input.yml b/x-pack/filebeat/module/f5/bigipafm/config/input.yml similarity index 77% rename from x-pack/filebeat/module/f5/firepass/config/input.yml rename to x-pack/filebeat/module/f5/bigipafm/config/input.yml index 467922155dc..e4c79ac07c5 100644 --- a/x-pack/filebeat/module/f5/firepass/config/input.yml +++ b/x-pack/filebeat/module/f5/bigipafm/config/input.yml @@ -21,8 +21,8 @@ fields_under_root: true fields: observer: vendor: "F5" - product: "FirePass" - type: "VPN" + product: "Big-IP" + type: "Firewall" processors: - script: @@ -34,12 +34,12 @@ processors: keep_raw: {{.keep_raw_fields}} debug: {{.debug}} files: - - ${path.home}/module/f5/firepass/config/liblogparser.js - - ${path.home}/module/f5/firepass/config/pipeline.js + - ${path.home}/module/f5/bigipafm/config/liblogparser.js + - ${path.home}/module/f5/bigipafm/config/pipeline.js {{ if .community_id }} - community_id: ~ {{ end }} - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/f5/bigipafm/config/liblogparser.js b/x-pack/filebeat/module/f5/bigipafm/config/liblogparser.js new file mode 100644 index 00000000000..6cdb48abb26 --- /dev/null +++ b/x-pack/filebeat/module/f5/bigipafm/config/liblogparser.js @@ -0,0 +1,2510 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; +} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], +}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. +function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). +var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{hfld2->} %{hhostname->} %{hfld3->} %{hfld4->} %{hfld5->} [F5@%{hfld6->} %{payload}", processor_chain([ + setc("header_id","0001"), + setc("messageid","BIGIP_AFM"), +])); + +var select1 = linear_select([ + hdr1, +]); + +var part1 = tagval("MESSAGE#0:BIGIP_AFM", "nwparser.payload", tvm, { + "acl_policy_name": "policyname", + "acl_policy_type": "fld1", + "acl_rule_name": "rulename", + "action": "action", + "bigip_mgmt_ip": "hostip", + "context_name": "context", + "context_type": "fld2", + "date_time": "event_time_string", + "dest_ip": "daddr", + "dest_port": "dport", + "device_product": "product", + "device_vendor": "fld3", + "device_version": "version", + "drop_reason": "fld4", + "dst_geo": "location_dst", + "errdefs_msg_name": "event_type", + "errdefs_msgno": "id", + "flow_id": "fld5", + "hostname": "hostname", + "ip_protocol": "protocol", + "partition_name": "fld6", + "route_domain": "fld7", + "sa_translation_pool": "fld8", + "sa_translation_type": "fld9", + "severity": "severity", + "source_ip": "saddr", + "source_port": "sport", + "source_user": "username", + "src_geo": "location_src", + "translated_dest_ip": "dtransaddr", + "translated_dest_port": "dtransport", + "translated_ip_protocol": "fld10", + "translated_route_domain": "fld11", + "translated_source_ip": "stransaddr", + "translated_source_port": "stransport", + "translated_vlan": "fld12", + "vlan": "vlan", +}, processor_chain([ + setc("eventcategory","1801000000"), + setf("msg","$MSG"), + date_time({ + dest: "event_time", + args: ["event_time_string"], + fmts: [ + [dB,dD,dW,dZ], + ], + }), + setc("ec_subject","NetworkComm"), + setc("ec_theme","Communication"), + lookup({ + dest: "nwparser.ec_activity", + map: map_getEventCategoryActivity, + key: field("action"), + }), + setf("obj_name","hfld6"), +])); + +var msg1 = msg("BIGIP_AFM", part1); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "BIGIP_AFM": msg1, + }), +]); diff --git a/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml new file mode 100644 index 00000000000..39579462593 --- /dev/null +++ b/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml @@ -0,0 +1,64 @@ +--- +description: Pipeline for Big-IP Advanced Firewall Manager + +processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/f5/firepass/manifest.yml b/x-pack/filebeat/module/f5/bigipafm/manifest.yml similarity index 89% rename from x-pack/filebeat/module/f5/firepass/manifest.yml rename to x-pack/filebeat/module/f5/bigipafm/manifest.yml index becd0eb7cd1..5c8ad517aa4 100644 --- a/x-pack/filebeat/module/f5/firepass/manifest.yml +++ b/x-pack/filebeat/module/f5/bigipafm/manifest.yml @@ -3,11 +3,11 @@ module_version: "1.0" var: - name: paths - name: tags - default: ["f5.firepass", "forwarded"] + default: ["f5.bigipafm", "forwarded"] - name: syslog_host default: localhost - name: syslog_port - default: 9509 + default: 9528 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/f5/bigipafm/test/generated.log b/x-pack/filebeat/module/f5/bigipafm/test/generated.log new file mode 100644 index 00000000000..6bf7146dfe9 --- /dev/null +++ b/x-pack/filebeat/module/f5/bigipafm/test/generated.log @@ -0,0 +1,100 @@ +iusm modtempo olab6078.home olaboris tur itv [F5@odoco acl_policy_name=ria acl_policy_type=min acl_rule_name=ite action=Closed hostname=tatemac3541.api.corp bigip_mgmt_ip=10.228.193.207 context_name=liqua context_type=ciade date_time=Jan 29 2016 06:09:59 dest_ip=10.125.114.51 dst_geo=umq dest_port=2288 device_product=pexe device_vendor=nes device_version=1.2262 drop_reason=reveri errdefs_msgno=boNemoe errdefs_msg_name=equepor flow_id=eni ip_protocol=ipv6 severity=low partition_name=ehend route_domain=ritquiin sa_translation_pool=umqui sa_translation_type=reeufugi source_ip=10.208.121.85 src_geo=sperna source_port=884 source_user=billoi translated_dest_ip=10.165.201.71 translated_dest_port=6153 translated_ip_protocol=tatemU translated_route_domain=deF translated_source_ip=10.11.196.142 translated_source_port=5222 translated_vlan=iatnu vlan=3810 +eporr quipexe alo4540.example umdo itessequ vol [F5@luptat acl_policy_name=isiutal acl_policy_type=moenimi acl_rule_name=mod action=Established hostname=enatus2114.mail.home bigip_mgmt_ip=10.51.132.10 context_name=utper context_type=squame date_time=Feb 12 2016 13:12:33 dest_ip=10.173.116.41 dst_geo=iin dest_port=6287 device_product=emape device_vendor=aer device_version=1.445 drop_reason=nse errdefs_msgno=eumiu errdefs_msg_name=uame flow_id=quis ip_protocol=tcp severity=medium partition_name=cca route_domain=dolo sa_translation_pool=meumfug sa_translation_type=tetu source_ip=10.162.9.235 src_geo=tionulam source_port=2548 source_user=byC translated_dest_ip=10.94.67.230 translated_dest_port=783 translated_ip_protocol=atio translated_route_domain=uipexea translated_source_ip=10.92.202.200 translated_source_port=6772 translated_vlan=eFini vlan=859 +exe iatu ionofde2424.api.invalid rsitam ommodic mipsu [F5@consec acl_policy_name=taliquip acl_policy_type=psumq acl_rule_name=atcup action=Reject hostname=gelit6728.api.invalid bigip_mgmt_ip=10.122.116.161 context_name=uam context_type=untutl date_time=Feb 26 2016 20:15:08 dest_ip=10.40.68.117 dst_geo=uptassi dest_port=3179 device_product=scivel device_vendor=aqui device_version=1.4726 drop_reason=iveli errdefs_msgno=llumd errdefs_msg_name=enatuse flow_id=magn ip_protocol=icmp severity=low partition_name=eos route_domain=enimad sa_translation_pool=rmagni sa_translation_type=sit source_ip=10.209.155.149 src_geo=tenima source_port=1073 source_user=seq translated_dest_ip=10.82.56.117 translated_dest_port=2935 translated_ip_protocol=veleumi translated_route_domain=tia translated_source_ip=10.191.68.244 translated_source_port=6905 translated_vlan=veri vlan=5990 +siutaliq exercit tempor4496.www.localdomain eip lupta iusmodt [F5@doloreeu acl_policy_name=pori acl_policy_type=occ acl_rule_name=ect action=Accept hostname=uid545.www5.localhost bigip_mgmt_ip=10.12.44.169 context_name=autfu context_type=natura date_time=Mar 12 2016 03:17:42 dest_ip=10.163.217.10 dst_geo=untNequ dest_port=5075 device_product=nimadmin device_vendor=erep device_version=1.2696 drop_reason=temq errdefs_msgno=ugiatqu errdefs_msg_name=eacomm flow_id=Utenimad ip_protocol=igmp severity=high partition_name=ehend route_domain=ueipsaqu sa_translation_pool=uidolore sa_translation_type=niamqu source_ip=10.202.66.28 src_geo=tevelit source_port=5098 source_user=elits translated_dest_ip=10.131.233.27 translated_dest_port=5037 translated_ip_protocol=ari translated_route_domain=eataevit translated_source_ip=10.50.112.141 translated_source_port=7303 translated_vlan=dmi vlan=499 +mquisnos loremagn iciade3433.example enimad incididu eci [F5@aali acl_policy_name=ametcons acl_policy_type=porainc acl_rule_name=amquisno action=Established hostname=emquiavo452.internal.localhost bigip_mgmt_ip=10.151.111.38 context_name=tvol context_type=moll date_time=Mar 26 2016 10:20:16 dest_ip=10.228.149.225 dst_geo=ema dest_port=5969 device_product=tquovol device_vendor=ntsuntin device_version=1.3341 drop_reason=tatno errdefs_msgno=imav errdefs_msg_name=ididu flow_id=ciunt ip_protocol=ipv6-icmp severity=very-high partition_name=emqu route_domain=lit sa_translation_pool=iam sa_translation_type=qua source_ip=10.159.182.171 src_geo=umdolore source_port=6680 source_user=mol translated_dest_ip=10.96.35.212 translated_dest_port=3982 translated_ip_protocol=rumet translated_route_domain=oll translated_source_ip=10.206.197.113 translated_source_port=4075 translated_vlan=temUten vlan=4125 +iqu ollit usan6343.www5.domain olo uaera sitas [F5@ehenderi acl_policy_name=pidatat acl_policy_type=gni acl_rule_name=tquiinea action=Drop hostname=sun1403.www.invalid bigip_mgmt_ip=10.126.177.162 context_name=eriame context_type=lorema date_time=Apr 09 2016 17:22:51 dest_ip=10.213.82.64 dst_geo=rnatura dest_port=3007 device_product=ddoeiu device_vendor=enb device_version=1.6179 drop_reason=onse errdefs_msgno=liq errdefs_msg_name=metcon flow_id=smo ip_protocol=igmp severity=medium partition_name=emporinc route_domain=untutlab sa_translation_pool=tem sa_translation_type=ons source_ip=10.213.113.28 src_geo=ali source_port=6446 source_user=ist translated_dest_ip=10.169.144.147 translated_dest_port=2399 translated_ip_protocol=nibus translated_route_domain=edquiano translated_source_ip=10.89.163.114 translated_source_port=5166 translated_vlan=par vlan=686 +rveli rsint omm4276.www.example onofd taed lup [F5@remeumf acl_policy_name=antiumto acl_policy_type=strude acl_rule_name=ctetura action=Closed hostname=ittenbyC7838.api.localdomain bigip_mgmt_ip=10.18.124.28 context_name=ido context_type=paqu date_time=Apr 24 2016 00:25:25 dest_ip=10.158.194.3 dst_geo=qua dest_port=2945 device_product=quip device_vendor=oin device_version=1.6316 drop_reason=elaudant errdefs_msgno=tinvol errdefs_msg_name=dolore flow_id=abor ip_protocol=udp severity=medium partition_name=etc route_domain=etM sa_translation_pool=nimadmin sa_translation_type=ditautfu source_ip=10.146.88.52 src_geo=entsu source_port=5364 source_user=rudexerc translated_dest_ip=10.101.223.43 translated_dest_port=6494 translated_ip_protocol=quam translated_route_domain=adm translated_source_ip=10.103.107.47 translated_source_port=6094 translated_vlan=Nemoen vlan=2827 +icab mwr fugi4637.www.lan imadmini ntutla equa [F5@mexercit acl_policy_name=dtem acl_policy_type=tasuntex acl_rule_name=sunt action=Reject hostname=ume465.corp bigip_mgmt_ip=10.189.109.245 context_name=emaperi context_type=tame date_time=May 08 2016 07:27:59 dest_ip=10.83.234.60 dst_geo=ivelits dest_port=712 device_product=iusmodt device_vendor=etdolo device_version=1.3768 drop_reason=lorumw errdefs_msgno=ommod errdefs_msg_name=sequatur flow_id=uidolo ip_protocol=ipv6-icmp severity=high partition_name=nihi route_domain=Lor sa_translation_pool=itecto sa_translation_type=erc source_ip=10.69.57.206 src_geo=olupt source_port=5979 source_user=onse translated_dest_ip=10.110.99.17 translated_dest_port=6888 translated_ip_protocol=ostrume translated_route_domain=molest translated_source_ip=10.150.220.75 translated_source_port=1298 translated_vlan=tisetq vlan=5372 +ici giatquov eritquii3561.www.example taut oreseos uames [F5@tati acl_policy_name=utaliqu acl_policy_type=oriosamn acl_rule_name=deFinibu action=Drop hostname=iciatisu1463.www5.localdomain bigip_mgmt_ip=10.153.136.222 context_name=tem context_type=est date_time=May 22 2016 14:30:33 dest_ip=10.176.205.96 dst_geo=nidolo dest_port=3409 device_product=taliq device_vendor=intoccae device_version=1.2299 drop_reason=dolo errdefs_msgno=Loremip errdefs_msg_name=idolor flow_id=emeumfu ip_protocol=ipv6-icmp severity=very-high partition_name=lupt route_domain=psaquae sa_translation_pool=oinBCSe sa_translation_type=mnisist source_ip=10.199.34.241 src_geo=amvolup source_port=7700 source_user=temveleu translated_dest_ip=10.19.194.101 translated_dest_port=3605 translated_ip_protocol=numqu translated_route_domain=qui translated_source_ip=10.121.219.204 translated_source_port=3496 translated_vlan=utali vlan=3611 +reetd lumqui itinvo7084.mail.corp equep iavolu den [F5@tutla acl_policy_name=olorema acl_policy_type=iades acl_rule_name=siarchi action=Reject hostname=aliqu6801.api.localdomain bigip_mgmt_ip=10.46.27.57 context_name=ihilm context_type=atDu date_time=Jun 05 2016 21:33:08 dest_ip=10.128.232.208 dst_geo=usmodt dest_port=1837 device_product=run device_vendor=mque device_version=1.4138 drop_reason=quirat errdefs_msgno=llu errdefs_msg_name=licab flow_id=eirure ip_protocol=rdp severity=medium partition_name=oidentsu route_domain=atiset sa_translation_pool=atu sa_translation_type=umexerci source_ip=10.64.141.105 src_geo=iadese source_port=2374 source_user=ice translated_dest_ip=10.57.103.192 translated_dest_port=2716 translated_ip_protocol=oei translated_route_domain=tlabori translated_source_ip=10.182.199.231 translated_source_port=1426 translated_vlan=data vlan=4478 +nnum eritqu uradip7152.www5.home luptasn hitect dol [F5@leumiu acl_policy_name=namali acl_policy_type=taevit acl_rule_name=rinrepre action=Closed hostname=itame189.domain bigip_mgmt_ip=10.32.67.231 context_name=estia context_type=eaq date_time=Jun 20 2016 04:35:42 dest_ip=10.66.80.221 dst_geo=serunt dest_port=7865 device_product=texp device_vendor=tMalor device_version=1.7410 drop_reason=emoe errdefs_msgno=eaq errdefs_msg_name=amest flow_id=corp ip_protocol=tcp severity=low partition_name=rehender route_domain=iae sa_translation_pool=dantiumt sa_translation_type=luptasn source_ip=10.164.6.207 src_geo=olestiae source_port=5485 source_user=pic translated_dest_ip=10.160.210.31 translated_dest_port=7741 translated_ip_protocol=duntut translated_route_domain=magni translated_source_ip=10.3.134.237 translated_source_port=3156 translated_vlan=radipisc vlan=7020 +fficiade uscipit vitaedi1318.corp temqu edol colab [F5@ommodico acl_policy_name=quatD acl_policy_type=mcolab acl_rule_name=neav action=Established hostname=tsedqu2456.www5.invalid bigip_mgmt_ip=10.182.178.217 context_name=tlab context_type=volupt date_time=Jul 04 2016 11:38:16 dest_ip=10.188.169.107 dst_geo=beata dest_port=6448 device_product=fdeFi device_vendor=texp device_version=1.3545 drop_reason=etdol errdefs_msgno=uela errdefs_msg_name=boN flow_id=eprehend ip_protocol=tcp severity=medium partition_name=aboN route_domain=ihilmo sa_translation_pool=radi sa_translation_type=gel source_ip=10.235.101.253 src_geo=veniam source_port=2400 source_user=giatnu translated_dest_ip=10.42.138.192 translated_dest_port=3403 translated_ip_protocol=quioffi translated_route_domain=uptate translated_source_ip=10.201.6.10 translated_source_port=6608 translated_vlan=sequa vlan=2851 +ate aliquam nimid893.mail.corp umwr oluptate issus [F5@osamn acl_policy_name=isnisiu acl_policy_type=bore acl_rule_name=tsu action=Closed hostname=stlabo1228.mail.host bigip_mgmt_ip=10.151.161.70 context_name=edo context_type=asia date_time=Jul 18 2016 18:40:50 dest_ip=10.108.167.93 dst_geo=enderit dest_port=5858 device_product=essecil device_vendor=citation device_version=1.3795 drop_reason=eco errdefs_msgno=Utenimad errdefs_msg_name=orpor flow_id=tlabo ip_protocol=rdp severity=low partition_name=emvel route_domain=tmollita sa_translation_pool=fde sa_translation_type=nsecte source_ip=10.22.102.198 src_geo=eroi source_port=176 source_user=nse translated_dest_ip=10.194.247.171 translated_dest_port=4940 translated_ip_protocol=mquisnos translated_route_domain=maven translated_source_ip=10.86.101.235 translated_source_port=3266 translated_vlan=lapar vlan=1024 +tfu udan orema6040.api.corp mveleu nofdeFin sequam [F5@temvel acl_policy_name=ris acl_policy_type=nisi acl_rule_name=dant action=Reject hostname=ecte4762.local bigip_mgmt_ip=10.204.35.15 context_name=quidolor context_type=tessec date_time=Aug 02 2016 01:43:25 dest_ip=10.135.160.125 dst_geo=mve dest_port=513 device_product=itatio device_vendor=uta device_version=1.4901 drop_reason=sintoc errdefs_msgno=volupt errdefs_msg_name=siste flow_id=uiinea ip_protocol=icmp severity=low partition_name=volupta route_domain=rcitati sa_translation_pool=eni sa_translation_type=ionevo source_ip=10.174.252.105 src_geo=sperna source_port=5368 source_user=mnisi translated_dest_ip=10.107.168.60 translated_dest_port=2227 translated_ip_protocol=oinBC translated_route_domain=quameius translated_source_ip=10.167.172.155 translated_source_port=3544 translated_vlan=etdo vlan=706 +ese isaute ptatemq95.api.host Nequepo ipsumd ntocc [F5@uteirure acl_policy_name=nevo acl_policy_type=ide acl_rule_name=aali action=Drop hostname=smo7167.www.test bigip_mgmt_ip=10.214.249.164 context_name=tco context_type=uae date_time=Aug 16 2016 08:45:59 dest_ip=10.187.20.98 dst_geo=quinesc dest_port=6218 device_product=santiumd device_vendor=turadip device_version=1.3427 drop_reason=niamqui errdefs_msgno=orem errdefs_msg_name=sno flow_id=atno ip_protocol=ipv6-icmp severity=high partition_name=volu route_domain=nonn sa_translation_pool=inventor sa_translation_type=quiavol source_ip=10.99.249.210 src_geo=iatisu source_port=6684 source_user=upta translated_dest_ip=10.182.191.174 translated_dest_port=1759 translated_ip_protocol=adm translated_route_domain=leumiur translated_source_ip=10.81.26.208 translated_source_port=7651 translated_vlan=isc vlan=5933 +tobea tor qui4499.api.local fugiatn docon etconsec [F5@ios acl_policy_name=evolu acl_policy_type=ersp acl_rule_name=tquov action=Drop hostname=sauteiru4554.api.domain bigip_mgmt_ip=10.220.5.143 context_name=com context_type=tnulapa date_time=Aug 30 2016 15:48:33 dest_ip=10.108.85.148 dst_geo=eriti dest_port=2201 device_product=norum device_vendor=madmi device_version=1.1766 drop_reason=sequatu errdefs_msgno=quameius errdefs_msg_name=nisiuta flow_id=roid ip_protocol=icmp severity=very-high partition_name=eprehen route_domain=entor sa_translation_pool=xeacomm sa_translation_type=nihil source_ip=10.101.226.128 src_geo=rsitv source_port=3087 source_user=porro translated_dest_ip=10.88.101.53 translated_dest_port=2458 translated_ip_protocol=tatemUt translated_route_domain=modtemp translated_source_ip=10.201.238.90 translated_source_port=2715 translated_vlan=remag vlan=3759 +ccaecat tquiin tse4198.www.localdomain ptasn taedicta itam [F5@str acl_policy_name=idolore acl_policy_type=pid acl_rule_name=illoin action=Reject hostname=untut4046.internal.domain bigip_mgmt_ip=10.217.150.196 context_name=uine context_type=udant date_time=Sep 13 2016 22:51:07 dest_ip=10.183.59.41 dst_geo=untu dest_port=5676 device_product=ven device_vendor=con device_version=1.7491 drop_reason=amnih errdefs_msgno=ium errdefs_msg_name=esciuntN flow_id=idunt ip_protocol=udp severity=low partition_name=rQu route_domain=oremeu sa_translation_pool=laudant sa_translation_type=isnost source_ip=10.157.18.252 src_geo=itess source_port=52 source_user=evit translated_dest_ip=10.30.133.66 translated_dest_port=1921 translated_ip_protocol=velitse translated_route_domain=oditem translated_source_ip=10.243.218.215 translated_source_port=662 translated_vlan=rsitvolu vlan=3751 +sumdolor meaqueip npr4414.api.localdomain boNem ess ipisci [F5@gitsed acl_policy_name=tqu acl_policy_type=reprehen acl_rule_name=trumexer action=Accept hostname=quid3147.mail.home bigip_mgmt_ip=10.66.181.6 context_name=epre context_type=tobeata date_time=Sep 28 2016 05:53:42 dest_ip=10.181.53.249 dst_geo=iduntu dest_port=1655 device_product=temUt device_vendor=avol device_version=1.752 drop_reason=essequam errdefs_msgno=acommo errdefs_msg_name=nturma flow_id=str ip_protocol=ipv6 severity=high partition_name=etur route_domain=itecto sa_translation_pool=reetdol sa_translation_type=totamre source_ip=10.148.161.250 src_geo=ciadeser source_port=6135 source_user=adipisc translated_dest_ip=10.181.133.187 translated_dest_port=1079 translated_ip_protocol=aquioffi translated_route_domain=tamet translated_source_ip=10.167.227.44 translated_source_port=6595 translated_vlan=eFi vlan=6733 +its ender riamea1540.www.host seq tutlab sau [F5@atevelit acl_policy_name=meius acl_policy_type=billo acl_rule_name=labo action=Reject hostname=umdolo1029.mail.localhost bigip_mgmt_ip=10.54.17.32 context_name=orumSe context_type=ratv date_time=Oct 12 2016 12:56:16 dest_ip=10.119.81.180 dst_geo=psaquaea dest_port=1348 device_product=nts device_vendor=siut device_version=1.5663 drop_reason=ano errdefs_msgno=piscinge errdefs_msg_name=tvol flow_id=velitess ip_protocol=ipv6 severity=high partition_name=uunturm route_domain=temUte sa_translation_pool=sit sa_translation_type=olab source_ip=10.84.163.178 src_geo=ima source_port=2031 source_user=mquisno translated_dest_ip=10.107.9.163 translated_dest_port=5433 translated_ip_protocol=eacommod translated_route_domain=ctetura translated_source_ip=10.74.11.43 translated_source_port=55 translated_vlan=seosqui vlan=6797 +uradi tot llamco7206.www.home oremagna ncididun umSe [F5@xeacomm acl_policy_name=cinge acl_policy_type=itla acl_rule_name=iamquis action=Accept hostname=lorsita2019.internal.home bigip_mgmt_ip=10.192.229.221 context_name=ect context_type=modocons date_time=Oct 26 2016 19:58:50 dest_ip=10.199.194.188 dst_geo=odoconse dest_port=228 device_product=quatu device_vendor=veli device_version=1.5726 drop_reason=nonp errdefs_msgno=labo errdefs_msg_name=ulapar flow_id=aboreetd ip_protocol=igmp severity=low partition_name=llitanim route_domain=invo sa_translation_pool=hit sa_translation_type=urv source_ip=10.112.32.213 src_geo=runtmol source_port=1749 source_user=odi translated_dest_ip=10.184.73.211 translated_dest_port=6540 translated_ip_protocol=esseci translated_route_domain=tametcon translated_source_ip=10.230.129.252 translated_source_port=3947 translated_vlan=isis vlan=4917 +utlab emUteni rum959.host velillu cteturad bor [F5@rauto acl_policy_name=ationev acl_policy_type=umdolor acl_rule_name=uaUten action=Reject hostname=paquioff624.mail.invalid bigip_mgmt_ip=10.161.148.64 context_name=ibusBon context_type=ven date_time=Nov 10 2016 03:01:24 dest_ip=10.162.114.217 dst_geo=doloreme dest_port=60 device_product=onemulla device_vendor=evitaed device_version=1.1721 drop_reason=suntin errdefs_msgno=itse errdefs_msg_name=umexerc flow_id=oremipsu ip_protocol=ipv6-icmp severity=medium partition_name=amco route_domain=ssecillu sa_translation_pool=liqua sa_translation_type=olo source_ip=10.199.216.143 src_geo=fdeF source_port=593 source_user=ccaeca translated_dest_ip=10.198.213.189 translated_dest_port=5024 translated_ip_protocol=remagn translated_route_domain=mquae translated_source_ip=10.7.200.140 translated_source_port=3298 translated_vlan=olupt vlan=2189 +edquiac urerepr eseru4234.mail.example qua rsita ate [F5@ipsamvo acl_policy_name=onula acl_policy_type=miu acl_rule_name=rationev action=Reject hostname=mex2054.mail.corp bigip_mgmt_ip=10.65.232.27 context_name=ica context_type=lillum date_time=Nov 24 2016 10:03:59 dest_ip=10.199.40.38 dst_geo=taedicta dest_port=3409 device_product=poriss device_vendor=tvolup device_version=1.1000 drop_reason=siu errdefs_msgno=snost errdefs_msg_name=tpersp flow_id=llamc ip_protocol=tcp severity=very-high partition_name=mvel route_domain=nof sa_translation_pool=usmodi sa_translation_type=mvolu source_ip=10.206.96.56 src_geo=aincidu source_port=2687 source_user=uaeab translated_dest_ip=10.128.157.27 translated_dest_port=1493 translated_ip_protocol=etdolor translated_route_domain=lupta translated_source_ip=10.22.187.69 translated_source_port=3590 translated_vlan=oremi vlan=1485 +nbyCi tevel usc5760.www5.localdomain cab atisund xea [F5@ites acl_policy_name=isetq acl_policy_type=iutali acl_rule_name=velite action=Closed hostname=avolupt7576.api.corp bigip_mgmt_ip=10.194.210.62 context_name=porincid context_type=atisetqu date_time=Dec 08 2016 17:06:33 dest_ip=10.51.213.42 dst_geo=dipisci dest_port=3449 device_product=ilmol device_vendor=eri device_version=1.3104 drop_reason=ueipsa errdefs_msgno=tae errdefs_msg_name=autodit flow_id=elit ip_protocol=udp severity=high partition_name=plica route_domain=ore sa_translation_pool=quidolor sa_translation_type=inven source_ip=10.71.114.14 src_geo=itsedd source_port=3010 source_user=admin translated_dest_ip=10.68.253.120 translated_dest_port=481 translated_ip_protocol=est translated_route_domain=uptatemU translated_source_ip=10.183.130.225 translated_source_port=5693 translated_vlan=item vlan=2738 +dat periam dqu6144.api.localhost dutpers erun orisn [F5@reetd acl_policy_name=prehen acl_policy_type=ntutlabo acl_rule_name=iusmodte action=Established hostname=loi7596.www5.home bigip_mgmt_ip=10.31.177.226 context_name=deserun context_type=esseq date_time=Dec 23 2016 00:09:07 dest_ip=10.209.157.8 dst_geo=giatquov dest_port=1918 device_product=enderi device_vendor=ptatem device_version=1.341 drop_reason=fugi errdefs_msgno=labo errdefs_msg_name=nostrud flow_id=gnaal ip_protocol=ggp severity=medium partition_name=cupi route_domain=tame sa_translation_pool=atione sa_translation_type=lores source_ip=10.45.253.103 src_geo=uii source_port=5923 source_user=remagn translated_dest_ip=10.47.255.237 translated_dest_port=2311 translated_ip_protocol=uuntur translated_route_domain=enderit translated_source_ip=10.107.45.175 translated_source_port=4185 translated_vlan=rumSecti vlan=4593 +atise tate onevo4326.internal.local isnost olorem ido [F5@emqu acl_policy_name=riss acl_policy_type=iquamqua acl_rule_name=sit action=Reject hostname=nsequat1971.internal.invalid bigip_mgmt_ip=10.225.212.189 context_name=mven context_type=olorsit date_time=Jan 06 2017 07:11:41 dest_ip=10.121.239.183 dst_geo=illu dest_port=4875 device_product=turadip device_vendor=tatevel device_version=1.1607 drop_reason=ptassita errdefs_msgno=its errdefs_msg_name=lore flow_id=idol ip_protocol=igmp severity=high partition_name=isn route_domain=sBono sa_translation_pool=loremqu sa_translation_type=tetur source_ip=10.213.94.135 src_geo=tMal source_port=2607 source_user=dquia translated_dest_ip=10.55.105.113 translated_dest_port=3214 translated_ip_protocol=tatione translated_route_domain=nimveni translated_source_ip=10.44.58.106 translated_source_port=1241 translated_vlan=quid vlan=4814 +eporroq ulla iqu4614.www5.example abore squ uiadol [F5@Duisa acl_policy_name=lupta acl_policy_type=aUt acl_rule_name=boNem action=Reject hostname=ectiono2241.lan bigip_mgmt_ip=10.2.114.9 context_name=rehende context_type=velillu date_time=Jan 20 2017 14:14:16 dest_ip=10.94.139.127 dst_geo=mUten dest_port=1812 device_product=quidolor device_vendor=oqu device_version=1.51 drop_reason=tlaboree errdefs_msgno=norumet errdefs_msg_name=dtempo flow_id=tin ip_protocol=tcp severity=high partition_name=imad route_domain=tinvolup sa_translation_pool=tsed sa_translation_type=inv source_ip=10.163.209.70 src_geo=atu source_port=4718 source_user=olabor translated_dest_ip=10.69.161.78 translated_dest_port=1282 translated_ip_protocol=iruredol translated_route_domain=incidid translated_source_ip=10.255.74.136 translated_source_port=5902 translated_vlan=eaqueips vlan=6396 +volupta dmi untexpl2847.www5.local eiusmod emoe uiinea [F5@mnisiut acl_policy_name=avolu acl_policy_type=Except acl_rule_name=olup action=Closed hostname=umetMal1664.mail.lan bigip_mgmt_ip=10.46.115.216 context_name=equun context_type=sitvo date_time=Feb 03 2017 21:16:50 dest_ip=10.223.198.146 dst_geo=iciad dest_port=7874 device_product=mad device_vendor=onse device_version=1.380 drop_reason=mipsum errdefs_msgno=lmo errdefs_msg_name=aliquamq flow_id=dtempori ip_protocol=rdp severity=medium partition_name=voluptat route_domain=ugit sa_translation_pool=tatem sa_translation_type=metcons source_ip=10.252.102.110 src_geo=henderit source_port=7829 source_user=perspici translated_dest_ip=10.184.59.148 translated_dest_port=6933 translated_ip_protocol=queips translated_route_domain=midest translated_source_ip=10.12.129.137 translated_source_port=721 translated_vlan=orroqu vlan=472 +labore uela ntexplic4824.internal.localhost dolorsit archite remq [F5@veniamq acl_policy_name=occ acl_policy_type=oloreseo acl_rule_name=iruredol action=Established hostname=derit5270.mail.local bigip_mgmt_ip=10.105.52.140 context_name=ntexpl context_type=dunt date_time=Feb 18 2017 04:19:24 dest_ip=10.20.55.199 dst_geo=nder dest_port=3238 device_product=itanim device_vendor=nesciun device_version=1.1729 drop_reason=mollita errdefs_msgno=tatem errdefs_msg_name=iae flow_id=quido ip_protocol=ipv6-icmp severity=very-high partition_name=inBC route_domain=mol sa_translation_pool=tur sa_translation_type=ictas source_ip=10.81.184.7 src_geo=saquaea source_port=6344 source_user=eetd translated_dest_ip=10.155.204.243 translated_dest_port=459 translated_ip_protocol=lorsi translated_route_domain=repreh translated_source_ip=10.199.194.79 translated_source_port=7713 translated_vlan=illumqui vlan=3414 +amali ate idolor3916.www5.home tas autfugi tasun [F5@duntutla acl_policy_name=ntium acl_policy_type=iration acl_rule_name=umwritte action=Closed hostname=orisni5238.mail.lan bigip_mgmt_ip=10.177.238.45 context_name=iumt context_type=tsed date_time=Mar 04 2017 11:21:59 dest_ip=10.249.120.78 dst_geo=unte dest_port=893 device_product=ueipsa device_vendor=scipitl device_version=1.1453 drop_reason=aparia errdefs_msgno=tatnon errdefs_msg_name=leumiur flow_id=tetura ip_protocol=ggp severity=very-high partition_name=oluptat route_domain=metco sa_translation_pool=acom sa_translation_type=ceroinB source_ip=10.110.2.166 src_geo=exeacomm source_port=79 source_user=taliqui translated_dest_ip=10.18.226.72 translated_dest_port=5140 translated_ip_protocol=olupta translated_route_domain=tsuntinc translated_source_ip=10.251.231.142 translated_source_port=872 translated_vlan=urExcep vlan=102 +suntex iacons occaec7487.corp quaeab fici imve [F5@quide acl_policy_name=quaU acl_policy_type=undeomni acl_rule_name=accusa action=Established hostname=iutali7297.www.domain bigip_mgmt_ip=10.190.122.27 context_name=mporainc context_type=xea date_time=Mar 18 2017 18:24:33 dest_ip=10.123.113.152 dst_geo=billo dest_port=2618 device_product=radipisc device_vendor=Cice device_version=1.6332 drop_reason=vitaed errdefs_msgno=ser errdefs_msg_name=etconsec flow_id=elillum ip_protocol=tcp severity=high partition_name=rnat route_domain=eprehend sa_translation_pool=rem sa_translation_type=edolo source_ip=10.99.202.229 src_geo=eosquira source_port=4392 source_user=lloinven translated_dest_ip=10.100.199.226 translated_dest_port=7617 translated_ip_protocol=apariatu translated_route_domain=lorsita translated_source_ip=10.192.98.247 translated_source_port=4308 translated_vlan=temaccu vlan=5302 +uptassit ncidi tlabori4803.www5.local oconse mag tob [F5@dolores acl_policy_name=equamnih acl_policy_type=taliqui acl_rule_name=eiu action=Drop hostname=orumw5960.www5.home bigip_mgmt_ip=10.248.111.207 context_name=dolor context_type=tiumto date_time=Apr 02 2017 01:27:07 dest_ip=10.38.28.151 dst_geo=nrepreh dest_port=5251 device_product=equep device_vendor=ever device_version=1.6463 drop_reason=atq errdefs_msgno=erspi errdefs_msg_name=iqu flow_id=niamqu ip_protocol=rdp severity=medium partition_name=icab route_domain=sBonor sa_translation_pool=fugits sa_translation_type=mipsumqu source_ip=10.172.154.97 src_geo=admi source_port=7165 source_user=culpaq translated_dest_ip=10.162.97.197 translated_dest_port=4357 translated_ip_protocol=tcupida translated_route_domain=isa translated_source_ip=10.37.193.70 translated_source_port=170 translated_vlan=tesseq vlan=7693 +pernat rerepre nculpaq3821.www5.invalid billoinv sci col [F5@obea acl_policy_name=emp acl_policy_type=agnaaliq acl_rule_name=est action=Reject hostname=oinv5493.internal.domain bigip_mgmt_ip=10.36.63.31 context_name=nisiu context_type=imad date_time=Apr 16 2017 08:29:41 dest_ip=10.30.101.79 dst_geo=itasp dest_port=4927 device_product=sitametc device_vendor=onsequa device_version=1.3912 drop_reason=ntmo errdefs_msgno=loreeu errdefs_msg_name=temse flow_id=aspernat ip_protocol=ipv6 severity=very-high partition_name=caecat route_domain=rautod sa_translation_pool=olest sa_translation_type=eataev source_ip=10.171.221.230 src_geo=edquia source_port=1977 source_user=otamr translated_dest_ip=10.222.165.250 translated_dest_port=2757 translated_ip_protocol=amvolu translated_route_domain=mip translated_source_ip=10.45.35.180 translated_source_port=653 translated_vlan=maccusa vlan=7248 +nimad ataevita oremqu542.internal.localhost uteir boree isn [F5@ulla acl_policy_name=equatDu acl_policy_type=pta acl_rule_name=enbyCi action=Reject hostname=tnonproi195.api.home bigip_mgmt_ip=10.238.4.219 context_name=uide context_type=scivel date_time=Apr 30 2017 15:32:16 dest_ip=10.150.9.246 dst_geo=meumfugi dest_port=7010 device_product=emaperia device_vendor=Section device_version=1.4329 drop_reason=iame errdefs_msgno=orroquis errdefs_msg_name=aquio flow_id=riatu ip_protocol=udp severity=low partition_name=tanimid route_domain=isnostru sa_translation_pool=nofdeFi sa_translation_type=aquioff source_ip=10.1.171.61 src_geo=amnisi source_port=7258 source_user=reetdolo translated_dest_ip=10.199.127.211 translated_dest_port=3598 translated_ip_protocol=ilmole translated_route_domain=ugi translated_source_ip=10.83.238.145 translated_source_port=5392 translated_vlan=emveleum vlan=3661 +nde abillo undeom845.www5.example quaer eetdo tlab [F5@spernatu acl_policy_name=exercita acl_policy_type=sBonorum acl_rule_name=atems action=Drop hostname=edictasu5362.internal.localhost bigip_mgmt_ip=10.65.141.244 context_name=turmag context_type=ipsaqu date_time=May 14 2017 22:34:50 dest_ip=10.203.69.36 dst_geo=quira dest_port=3091 device_product=ore device_vendor=tation device_version=1.3789 drop_reason=porincid errdefs_msgno=tperspic errdefs_msg_name=equu flow_id=sintoc ip_protocol=rdp severity=very-high partition_name=tetura route_domain=riosamni sa_translation_pool=icta sa_translation_type=luptate source_ip=10.170.252.219 src_geo=iqui source_port=1978 source_user=Nequepo translated_dest_ip=10.44.226.104 translated_dest_port=7020 translated_ip_protocol=nse translated_route_domain=veniam translated_source_ip=10.74.213.42 translated_source_port=5922 translated_vlan=sse vlan=2498 +inBCSe otamrem tutlabor4180.internal.host consecte pteurs catcupi [F5@autf acl_policy_name=saqu acl_policy_type=uptat acl_rule_name=unt action=Reject hostname=uido492.www5.home bigip_mgmt_ip=10.180.48.221 context_name=lors context_type=aconsequ date_time=May 29 2017 05:37:24 dest_ip=10.33.195.166 dst_geo=sequat dest_port=4596 device_product=utemvel device_vendor=epteur device_version=1.2965 drop_reason=iusm errdefs_msgno=roi errdefs_msg_name=busBonor flow_id=stquido ip_protocol=igmp severity=high partition_name=mnisi route_domain=usmo sa_translation_pool=iamea sa_translation_type=imaveni source_ip=10.183.223.149 src_geo=cor source_port=2648 source_user=nihil translated_dest_ip=10.225.255.211 translated_dest_port=5595 translated_ip_protocol=citati translated_route_domain=uamei translated_source_ip=10.225.141.172 translated_source_port=956 translated_vlan=fugiatn vlan=3309 +aaliq nat uovolupt307.internal.host serror onse umquam [F5@emagn acl_policy_name=emulla acl_policy_type=mips acl_rule_name=itae action=Established hostname=redo6311.api.invalid bigip_mgmt_ip=10.176.64.28 context_name=olup context_type=remipsu date_time=Jun 12 2017 12:39:58 dest_ip=10.92.6.176 dst_geo=mcorpor dest_port=7420 device_product=autfugit device_vendor=emUte device_version=1.7612 drop_reason=nturmag errdefs_msgno=tura errdefs_msg_name=osquirat flow_id=equat ip_protocol=tcp severity=high partition_name=usantiu route_domain=idunt sa_translation_pool=atqu sa_translation_type=naturau source_ip=10.97.138.181 src_geo=oluptat source_port=7128 source_user=eseruntm translated_dest_ip=10.205.174.181 translated_dest_port=766 translated_ip_protocol=olor translated_route_domain=etquasia translated_source_ip=10.169.123.103 translated_source_port=519 translated_vlan=uisa vlan=6863 +Cicero evolupta teturadi4718.api.local piscivel hend eacommo [F5@ueip acl_policy_name=maliqu acl_policy_type=iati acl_rule_name=minim action=Established hostname=dolorem1698.www.domain bigip_mgmt_ip=10.75.120.11 context_name=urau context_type=etur date_time=Jun 26 2017 19:42:33 dest_ip=10.20.73.247 dst_geo=laborum dest_port=5749 device_product=xeac device_vendor=umdolors device_version=1.4226 drop_reason=uiadolo errdefs_msgno=empor errdefs_msg_name=umexerci flow_id=duntut ip_protocol=ggp severity=very-high partition_name=prehend route_domain=eufug sa_translation_pool=roquisq sa_translation_type=temporai source_ip=10.53.101.131 src_geo=ici source_port=5097 source_user=tquo translated_dest_ip=10.204.4.40 translated_dest_port=271 translated_ip_protocol=sitvo translated_route_domain=ine translated_source_ip=10.169.101.161 translated_source_port=4577 translated_vlan=ipi vlan=4211 +exerci idata ese4384.mail.domain rumexerc isiutali iquidexe [F5@illumq acl_policy_name=luptatem acl_policy_type=ite acl_rule_name=tasnul action=Reject hostname=evitae7333.www.lan bigip_mgmt_ip=10.28.51.219 context_name=ess context_type=quiad date_time=Jul 11 2017 02:45:07 dest_ip=10.43.210.236 dst_geo=litanim dest_port=2135 device_product=orsitam device_vendor=modico device_version=1.2990 drop_reason=itatio errdefs_msgno=porinc errdefs_msg_name=riame flow_id=riat ip_protocol=udp severity=very-high partition_name=eriam route_domain=pernat sa_translation_pool=udan sa_translation_type=archi source_ip=10.6.222.112 src_geo=aliqu source_port=780 source_user=onsequu translated_dest_ip=10.156.117.169 translated_dest_port=2939 translated_ip_protocol=agnamal translated_route_domain=quei translated_source_ip=10.87.120.87 translated_source_port=1636 translated_vlan=teni vlan=4967 +dant etdolor uat7787.www.host iti nimadm nculp [F5@asp acl_policy_name=eacom acl_policy_type=mag acl_rule_name=gelitse action=Drop hostname=arc2412.mail.lan bigip_mgmt_ip=10.247.44.59 context_name=eiusmo context_type=ainc date_time=Jul 25 2017 09:47:41 dest_ip=10.173.129.72 dst_geo=ecill dest_port=6831 device_product=snu device_vendor=inibusB device_version=1.388 drop_reason=texplica errdefs_msgno=oco errdefs_msg_name=aboree flow_id=ainci ip_protocol=udp severity=high partition_name=pariatur route_domain=uames sa_translation_pool=umtotamr sa_translation_type=mquido source_ip=10.57.89.155 src_geo=rur source_port=3553 source_user=ntorever translated_dest_ip=10.253.167.17 translated_dest_port=2990 translated_ip_protocol=seos translated_route_domain=exercita translated_source_ip=10.4.126.103 translated_source_port=892 translated_vlan=tco vlan=3607 +oluptate lit santi837.api.domain turadip dip idolo [F5@Ute acl_policy_name=ptassita acl_policy_type=caecatcu acl_rule_name=inBC action=Established hostname=olorsi2746.internal.localhost bigip_mgmt_ip=10.15.240.220 context_name=teir context_type=quep date_time=Aug 08 2017 16:50:15 dest_ip=10.63.78.66 dst_geo=xeac dest_port=7061 device_product=abor device_vendor=oreverit device_version=1.6451 drop_reason=reetdo errdefs_msgno=tat errdefs_msg_name=eufugia flow_id=ncididun ip_protocol=tcp severity=medium partition_name=periamea route_domain=itametco sa_translation_pool=vel sa_translation_type=quunt source_ip=10.248.206.210 src_geo=nonn source_port=4478 source_user=met translated_dest_ip=10.36.69.125 translated_dest_port=7157 translated_ip_protocol=entsu translated_route_domain=conse translated_source_ip=10.143.183.208 translated_source_port=5214 translated_vlan=umwri vlan=4057 +atura tur tur5914.internal.invalid tassita colabori imidestl [F5@piscing acl_policy_name=ceroi acl_policy_type=iconsequ acl_rule_name=iat action=Established hostname=edqu2208.www.localhost bigip_mgmt_ip=10.6.32.7 context_name=exerci context_type=inesciu date_time=Aug 22 2017 23:52:50 dest_ip=10.141.216.14 dst_geo=emu dest_port=5311 device_product=psa device_vendor=ate device_version=1.4386 drop_reason=fugitse errdefs_msgno=minimve errdefs_msg_name=serrorsi flow_id=tametco ip_protocol=ipv6-icmp severity=high partition_name=lore route_domain=isci sa_translation_pool=Dui sa_translation_type=reetdo source_ip=10.69.170.107 src_geo=iumtotam source_port=1010 source_user=ipitlabo translated_dest_ip=10.34.133.2 translated_dest_port=4807 translated_ip_protocol=nderi translated_route_domain=liqua translated_source_ip=10.142.186.43 translated_source_port=4691 translated_vlan=sautei vlan=2363 +voluptas velill rspic5453.www.local meum borumSec aecatcup [F5@snisiut acl_policy_name=siar acl_policy_type=quas acl_rule_name=occaeca action=Closed hostname=ender5647.www5.example bigip_mgmt_ip=10.142.22.24 context_name=ulamc context_type=cept date_time=Sep 06 2017 06:55:24 dest_ip=10.93.88.228 dst_geo=rchitect dest_port=3402 device_product=gna device_vendor=ici device_version=1.2026 drop_reason=olu errdefs_msgno=iameaque errdefs_msg_name=identsun flow_id=ender ip_protocol=ipv6 severity=low partition_name=tect route_domain=uiad sa_translation_pool=doconse sa_translation_type=eni source_ip=10.121.153.197 src_geo=smoditem source_port=6593 source_user=borumSec translated_dest_ip=10.59.103.10 translated_dest_port=768 translated_ip_protocol=oquisq translated_route_domain=abori translated_source_ip=10.170.165.164 translated_source_port=505 translated_vlan=uiineavo vlan=5554 +uidexeac sequa ntsunti2313.internal.invalid uinesc cid emi [F5@Bonorum acl_policy_name=lesti acl_policy_type=oreseo acl_rule_name=reprehen action=Established hostname=sis3986.internal.lan bigip_mgmt_ip=10.133.10.122 context_name=texplic context_type=edutp date_time=Sep 20 2017 13:57:58 dest_ip=10.93.59.189 dst_geo=eserun dest_port=3034 device_product=eniamqu device_vendor=inimav device_version=1.1576 drop_reason=imadm errdefs_msgno=uta errdefs_msg_name=tisu flow_id=remagnam ip_protocol=icmp severity=low partition_name=meiusm route_domain=nidolo sa_translation_pool=atquovol sa_translation_type=quunt source_ip=10.247.114.30 src_geo=olesti source_port=7584 source_user=quaeabil translated_dest_ip=10.19.99.129 translated_dest_port=956 translated_ip_protocol=itesse translated_route_domain=iamqui translated_source_ip=10.176.83.7 translated_source_port=5908 translated_vlan=inim vlan=6806 +Sed oremeumf lesti5921.api.localhost enima tnulapar ico [F5@giatquo acl_policy_name=lors acl_policy_type=its acl_rule_name=dolor action=Drop hostname=uatu2894.api.lan bigip_mgmt_ip=10.64.139.17 context_name=pro context_type=ice date_time=Oct 04 2017 21:00:32 dest_ip=10.87.238.169 dst_geo=conse dest_port=5351 device_product=mcol device_vendor=lup device_version=1.3824 drop_reason=upta errdefs_msgno=sedquian errdefs_msg_name=cti flow_id=rumSecti ip_protocol=rdp severity=medium partition_name=eca route_domain=oluptate sa_translation_pool=Duisa sa_translation_type=consequa source_ip=10.40.177.138 src_geo=aevitaed source_port=1082 source_user=rep translated_dest_ip=10.8.29.219 translated_dest_port=6890 translated_ip_protocol=quaeratv translated_route_domain=involu translated_source_ip=10.70.7.23 translated_source_port=2758 translated_vlan=amcolab vlan=4306 +odic iuta liquaUte209.internal.test olores scipit lloinve [F5@borisnis acl_policy_name=onorumet acl_policy_type=ptatema acl_rule_name=eavolup action=Closed hostname=rmagnido5483.local bigip_mgmt_ip=10.180.62.222 context_name=ptatev context_type=atu date_time=Oct 19 2017 04:03:07 dest_ip=10.234.26.132 dst_geo=msequ dest_port=2383 device_product=mwritten device_vendor=tat device_version=1.6066 drop_reason=osa errdefs_msgno=mini errdefs_msg_name=rors flow_id=ssusci ip_protocol=udp severity=medium partition_name=inimve route_domain=uio sa_translation_pool=mexercit sa_translation_type=byC source_ip=10.2.189.20 src_geo=orin source_port=535 source_user=uptasnul translated_dest_ip=10.67.221.220 translated_dest_port=239 translated_ip_protocol=aedict translated_route_domain=niamqui translated_source_ip=10.67.173.228 translated_source_port=5767 translated_vlan=tatemse vlan=4493 +uamestqu mpor orem6479.api.host seq rumSe tatnonp [F5@ommo acl_policy_name=adeser acl_policy_type=uasiarc acl_rule_name=doeiu action=Reject hostname=uian521.www.example bigip_mgmt_ip=10.209.52.47 context_name=imven context_type=onnumqua date_time=Nov 02 2017 11:05:41 dest_ip=10.141.201.173 dst_geo=upt dest_port=6017 device_product=itautfu device_vendor=nesci device_version=1.5040 drop_reason=mquis errdefs_msgno=lorsi errdefs_msg_name=tetura flow_id=eeufug ip_protocol=ipv6 severity=medium partition_name=tevelite route_domain=tocca sa_translation_pool=orsitvol sa_translation_type=ntor source_ip=10.147.127.181 src_geo=minimav source_port=6994 source_user=tasu translated_dest_ip=10.56.134.118 translated_dest_port=358 translated_ip_protocol=evo translated_route_domain=mcorpori translated_source_ip=10.196.176.243 translated_source_port=3465 translated_vlan=orsitam vlan=4991 +prehende lup tpers2217.internal.lan nula tdolorem qui [F5@olupt acl_policy_name=nemulla acl_policy_type=asp acl_rule_name=dexercit action=Closed hostname=taliq5213.api.corp bigip_mgmt_ip=10.226.24.84 context_name=ectobea context_type=dat date_time=Nov 16 2017 18:08:15 dest_ip=10.91.18.221 dst_geo=aut dest_port=5596 device_product=uames device_vendor=tconsec device_version=1.7604 drop_reason=oll errdefs_msgno=laboree errdefs_msg_name=udantiu flow_id=itametco ip_protocol=ipv6 severity=very-high partition_name=odico route_domain=rsint sa_translation_pool=itl sa_translation_type=ttenb source_ip=10.231.18.90 src_geo=lapa source_port=4860 source_user=Nem translated_dest_ip=10.85.13.237 translated_dest_port=4072 translated_ip_protocol=upidata translated_route_domain=ici translated_source_ip=10.248.140.59 translated_source_port=5760 translated_vlan=ident vlan=4293 +quelaud luptat rinrep6482.api.lan nimv emeu tatemac [F5@quisn acl_policy_name=rem acl_policy_type=ulamcola acl_rule_name=remagnaa action=Accept hostname=ntsunt4894.mail.domain bigip_mgmt_ip=10.203.46.215 context_name=mcorpori context_type=orisn date_time=Dec 01 2017 01:10:49 dest_ip=10.88.194.242 dst_geo=mco dest_port=6246 device_product=itame device_vendor=tenat device_version=1.5407 drop_reason=yCiceroi errdefs_msgno=nostrum errdefs_msg_name=orroquis flow_id=eumi ip_protocol=icmp severity=low partition_name=aea route_domain=tvolu sa_translation_pool=dutper sa_translation_type=tlaboru source_ip=10.207.183.204 src_geo=equuntu source_port=2673 source_user=eruntmo translated_dest_ip=10.8.224.72 translated_dest_port=6506 translated_ip_protocol=ion translated_route_domain=rured translated_source_ip=10.59.215.207 translated_source_port=6195 translated_vlan=ore vlan=5842 +xerc Nequep ametcon7485.www.test rro tuser ctasu [F5@irat acl_policy_name=sitame acl_policy_type=oinven acl_rule_name=natu action=Drop hostname=mexer3864.api.corp bigip_mgmt_ip=10.98.154.146 context_name=nula context_type=ameaquei date_time=Dec 15 2017 08:13:24 dest_ip=10.72.114.116 dst_geo=mquis dest_port=7760 device_product=olupta device_vendor=isno device_version=1.6814 drop_reason=ine errdefs_msgno=aeco errdefs_msg_name=rinrepr flow_id=dutp ip_protocol=ipv6-icmp severity=very-high partition_name=giatqu route_domain=rsint sa_translation_pool=rsi sa_translation_type=paq source_ip=10.73.84.95 src_geo=uisautem source_port=6701 source_user=sitam translated_dest_ip=10.255.145.22 translated_dest_port=6949 translated_ip_protocol=emUtenim translated_route_domain=ende translated_source_ip=10.230.38.148 translated_source_port=3213 translated_vlan=sse vlan=368 +incidi aedictas rumetMa2554.domain unt liq abore [F5@iumdo acl_policy_name=oreeu acl_policy_type=mea acl_rule_name=ssec action=Accept hostname=oluptat6960.www5.test bigip_mgmt_ip=10.211.29.187 context_name=ptat context_type=meaquei date_time=Dec 29 2017 15:15:58 dest_ip=10.228.204.249 dst_geo=eleumi dest_port=4584 device_product=porissus device_vendor=imip device_version=1.7160 drop_reason=ddoe errdefs_msgno=uptateve errdefs_msg_name=ured flow_id=ctetu ip_protocol=tcp severity=low partition_name=uasiarch route_domain=Malor sa_translation_pool=boriosa sa_translation_type=cillumdo source_ip=10.166.142.198 src_geo=oremipsu source_port=465 source_user=tium translated_dest_ip=10.105.120.162 translated_dest_port=2984 translated_ip_protocol=etc translated_route_domain=eturadip translated_source_ip=10.175.181.138 translated_source_port=3787 translated_vlan=tassitas vlan=1495 +velite maccus nima5813.mail.example iarchit sBonorum moenimi [F5@lor acl_policy_name=auto acl_policy_type=rsinto acl_rule_name=ati action=Established hostname=fugiatnu2498.www.localhost bigip_mgmt_ip=10.182.213.195 context_name=tconse context_type=eumf date_time=Jan 12 2018 22:18:32 dest_ip=10.200.94.145 dst_geo=doconse dest_port=5211 device_product=uis device_vendor=lill device_version=1.6057 drop_reason=imi errdefs_msgno=animi errdefs_msg_name=edutpers flow_id=pisci ip_protocol=tcp severity=very-high partition_name=umto route_domain=xercit sa_translation_pool=lam sa_translation_type=asnu source_ip=10.122.133.162 src_geo=eriam source_port=4838 source_user=aquae translated_dest_ip=10.220.202.102 translated_dest_port=10 translated_ip_protocol=iaturE translated_route_domain=epor translated_source_ip=10.195.139.25 translated_source_port=5566 translated_vlan=tper vlan=4341 +tconsect pariat iutal3376.api.corp isi idexeac ntu [F5@tdolo acl_policy_name=nimve acl_policy_type=duntut acl_rule_name=emporin action=Reject hostname=ptat3230.domain bigip_mgmt_ip=10.156.208.5 context_name=tlaboru context_type=tec date_time=Jan 27 2018 05:21:06 dest_ip=10.9.69.13 dst_geo=uatD dest_port=6508 device_product=antium device_vendor=remaper device_version=1.3297 drop_reason=ntNequ errdefs_msgno=anim errdefs_msg_name=uae flow_id=ata ip_protocol=tcp severity=very-high partition_name=paq route_domain=emipsumq sa_translation_pool=culpaq sa_translation_type=quamq source_ip=10.53.72.161 src_geo=pta source_port=4723 source_user=scip translated_dest_ip=10.33.143.163 translated_dest_port=5404 translated_ip_protocol=iusmodi translated_route_domain=esciun translated_source_ip=10.247.144.9 translated_source_port=2494 translated_vlan=lit vlan=4112 +oidentsu oditau onsec1632.internal.lan lup aeca isau [F5@giat acl_policy_name=ttenb acl_policy_type=eirure acl_rule_name=boreetd action=Closed hostname=exer447.internal.localhost bigip_mgmt_ip=10.35.190.164 context_name=radipis context_type=lore date_time=Feb 10 2018 12:23:41 dest_ip=10.76.99.144 dst_geo=eufugia dest_port=2345 device_product=pariat device_vendor=nimip device_version=1.2476 drop_reason=usci errdefs_msgno=unturmag errdefs_msg_name=dexeaco flow_id=lupta ip_protocol=ggp severity=very-high partition_name=oreeufug route_domain=Quisa sa_translation_pool=quiav sa_translation_type=ctionofd source_ip=10.21.58.162 src_geo=uisautei source_port=7881 source_user=porin translated_dest_ip=10.241.143.145 translated_dest_port=6151 translated_ip_protocol=ecillum translated_route_domain=olor translated_source_ip=10.113.65.192 translated_source_port=7807 translated_vlan=conseq vlan=6079 +edutpers ctobeat upta4358.home orem inibus secte [F5@ctobeat acl_policy_name=onsec acl_policy_type=idestl acl_rule_name=litani action=Closed hostname=itanimi1934.home bigip_mgmt_ip=10.19.154.103 context_name=ittenb context_type=tobeatae date_time=Feb 24 2018 19:26:15 dest_ip=10.235.51.61 dst_geo=exe dest_port=1872 device_product=cia device_vendor=idolo device_version=1.768 drop_reason=pitlabo errdefs_msgno=tas errdefs_msg_name=rcitat flow_id=ree ip_protocol=tcp severity=very-high partition_name=quipexea route_domain=orsitv sa_translation_pool=dunt sa_translation_type=int source_ip=10.53.27.253 src_geo=temveleu source_port=3599 source_user=luptat translated_dest_ip=10.75.113.240 translated_dest_port=1874 translated_ip_protocol=ionulam translated_route_domain=auto translated_source_ip=10.129.16.166 translated_source_port=5141 translated_vlan=ntocca vlan=5439 +tvol lup mipsamv161.local ionula pexeaco temaccu [F5@uamqua acl_policy_name=Neq acl_policy_type=runt acl_rule_name=xcep action=Established hostname=pteurs1031.mail.corp bigip_mgmt_ip=10.125.150.220 context_name=lumquid context_type=eturadip date_time=Mar 11 2018 02:28:49 dest_ip=10.241.228.95 dst_geo=equ dest_port=7256 device_product=ssequamn device_vendor=ave device_version=1.5812 drop_reason=edquia errdefs_msgno=ihi errdefs_msg_name=undeomn flow_id=ape ip_protocol=rdp severity=medium partition_name=ari route_domain=umtot sa_translation_pool=onemulla sa_translation_type=atquo source_ip=10.120.50.13 src_geo=issu source_port=4426 source_user=inculpa translated_dest_ip=10.150.153.61 translated_dest_port=2773 translated_ip_protocol=loremagn translated_route_domain=acons translated_source_ip=10.22.213.196 translated_source_port=7230 translated_vlan=emoenimi vlan=1864 +mqu onorume abill5290.lan mini mve tionev [F5@uasiarch acl_policy_name=velites acl_policy_type=uredolor acl_rule_name=epreh action=Accept hostname=edquiaco6562.api.lan bigip_mgmt_ip=10.113.2.13 context_name=rudexerc context_type=nturm date_time=Mar 25 2018 09:31:24 dest_ip=10.182.134.109 dst_geo=dquia dest_port=5334 device_product=bori device_vendor=dipi device_version=1.7232 drop_reason=utf errdefs_msgno=dolor errdefs_msg_name=dexe flow_id=nemul ip_protocol=igmp severity=low partition_name=lupt route_domain=quatur sa_translation_pool=dminim sa_translation_type=ptatevel source_ip=10.85.52.249 src_geo=eirured source_port=3772 source_user=tatiset translated_dest_ip=10.238.171.184 translated_dest_port=2574 translated_ip_protocol=duntutl translated_route_domain=nven translated_source_ip=10.229.155.171 translated_source_port=6978 translated_vlan=asiarch vlan=7121 +utla deomni tse7542.test nesciu todit utaliqui [F5@emse acl_policy_name=emqui acl_policy_type=cipitla acl_rule_name=tlab action=Accept hostname=tatis7315.mail.home bigip_mgmt_ip=10.249.174.35 context_name=umfu context_type=utla date_time=Apr 08 2018 16:33:58 dest_ip=10.136.53.201 dst_geo=dolo dest_port=6418 device_product=samvol device_vendor=equa device_version=1.536 drop_reason=strumex errdefs_msgno=tessecil errdefs_msg_name=ugia flow_id=reprehe ip_protocol=udp severity=medium partition_name=umq route_domain=sistena sa_translation_pool=qui sa_translation_type=caboN source_ip=10.198.150.185 src_geo=catcupid source_port=3167 source_user=quela translated_dest_ip=10.51.245.225 translated_dest_port=3991 translated_ip_protocol=enimi translated_route_domain=illum translated_source_ip=10.220.1.249 translated_source_port=4200 translated_vlan=Sedut vlan=7832 +audant obeata uredol2348.www5.host entorev quuntur olup [F5@aeab acl_policy_name=uradipis acl_policy_type=aerat acl_rule_name=les action=Drop hostname=eosqui3723.api.localdomain bigip_mgmt_ip=10.152.157.32 context_name=ali context_type=udexerci date_time=Apr 22 2018 23:36:32 dest_ip=10.76.232.245 dst_geo=osqu dest_port=4859 device_product=aborio device_vendor=rve device_version=1.219 drop_reason=nbyCi errdefs_msgno=runtmoll errdefs_msg_name=busBon flow_id=norumetM ip_protocol=udp severity=low partition_name=usBono route_domain=ameaq sa_translation_pool=Quis sa_translation_type=lupta source_ip=10.251.82.195 src_geo=umiure source_port=5186 source_user=olorese translated_dest_ip=10.190.96.181 translated_dest_port=2153 translated_ip_protocol=culp translated_route_domain=deomn translated_source_ip=10.38.185.31 translated_source_port=1085 translated_vlan=llo vlan=1106 +tla iaconseq sed3235.www5.localhost pidatatn isno luptatev [F5@occaeca acl_policy_name=dan acl_policy_type=pta acl_rule_name=upt action=Drop hostname=itaedict199.mail.corp bigip_mgmt_ip=10.103.102.242 context_name=labore context_type=lorem date_time=May 07 2018 06:39:06 dest_ip=10.68.159.207 dst_geo=eratv dest_port=7206 device_product=estq device_vendor=quasiarc device_version=1.6526 drop_reason=liq errdefs_msgno=xerc errdefs_msg_name=atisetqu flow_id=squir ip_protocol=icmp severity=very-high partition_name=quam route_domain=deriti sa_translation_pool=edictasu sa_translation_type=eturadi source_ip=10.190.247.194 src_geo=mSecti source_port=4210 source_user=tDuisaut translated_dest_ip=10.230.112.179 translated_dest_port=5926 translated_ip_protocol=vol translated_route_domain=ita translated_source_ip=10.211.198.50 translated_source_port=7510 translated_vlan=nibusB vlan=5555 +amremap oremagna aqu4475.mail.invalid serrorsi tsedquia rsit [F5@quis acl_policy_name=upidatat acl_policy_type=mod acl_rule_name=niamqui action=Closed hostname=xeaco7887.www.localdomain bigip_mgmt_ip=10.47.223.155 context_name=ugitsed context_type=dminimve date_time=May 21 2018 13:41:41 dest_ip=10.111.137.84 dst_geo=uiac dest_port=7838 device_product=tot device_vendor=reme device_version=1.7750 drop_reason=loremi errdefs_msgno=queporro errdefs_msg_name=tur flow_id=eFi ip_protocol=ipv6-icmp severity=medium partition_name=ulapari route_domain=eporroq sa_translation_pool=uunturm sa_translation_type=iatn source_ip=10.219.83.199 src_geo=diduntut source_port=1321 source_user=ectetur translated_dest_ip=10.101.13.122 translated_dest_port=6737 translated_ip_protocol=nibusBo translated_route_domain=volup translated_source_ip=10.251.101.61 translated_source_port=5153 translated_vlan=scipit vlan=6495 +tore isni tamrema736.www5.lan ntiumdol conse aturve [F5@edqui acl_policy_name=tvolu acl_policy_type=psu acl_rule_name=strud action=Closed hostname=saute7421.www.invalid bigip_mgmt_ip=10.21.80.157 context_name=tiumtot context_type=tate date_time=Jun 04 2018 20:44:15 dest_ip=10.13.222.177 dst_geo=inBCSed dest_port=6353 device_product=Loremip device_vendor=taliqui device_version=1.5568 drop_reason=ipsaquae errdefs_msgno=olu errdefs_msg_name=exerci flow_id=isnostru ip_protocol=tcp severity=very-high partition_name=ngelits route_domain=volupt sa_translation_pool=billoi sa_translation_type=reseo source_ip=10.31.86.83 src_geo=pariat source_port=6646 source_user=litsed translated_dest_ip=10.21.30.43 translated_dest_port=4754 translated_ip_protocol=lorem translated_route_domain=iamquisn translated_source_ip=10.83.136.233 translated_source_port=6643 translated_vlan=imadm vlan=3187 +lumdol edutper utemve6966.mail.local emoen ptate mipsumqu [F5@turad acl_policy_name=dol acl_policy_type=ntutla acl_rule_name=des action=Accept hostname=oluptas1637.home bigip_mgmt_ip=10.195.90.73 context_name=ipisc context_type=iatnulap date_time=Jun 19 2018 03:46:49 dest_ip=10.170.155.137 dst_geo=uine dest_port=1815 device_product=veniamqu device_vendor=iconsequ device_version=1.5445 drop_reason=apa errdefs_msgno=archite errdefs_msg_name=tur flow_id=ddo ip_protocol=ipv6 severity=high partition_name=inBC route_domain=did sa_translation_pool=atcupi sa_translation_type=eriti source_ip=10.45.152.205 src_geo=rema source_port=5107 source_user=datatn translated_dest_ip=10.194.197.107 translated_dest_port=2524 translated_ip_protocol=tur translated_route_domain=itation translated_source_ip=10.27.181.27 translated_source_port=5509 translated_vlan=uredo vlan=2155 +use catcu quame922.internal.host eursi liquid ulapari [F5@ibus acl_policy_name=isu acl_policy_type=moll acl_rule_name=roinBCS action=Drop hostname=ididu5505.api.localdomain bigip_mgmt_ip=10.43.239.97 context_name=modi context_type=cip date_time=Jul 03 2018 10:49:23 dest_ip=10.60.60.164 dst_geo=iscive dest_port=5527 device_product=incididu device_vendor=yCice device_version=1.508 drop_reason=ionem errdefs_msgno=taevitae errdefs_msg_name=dminimv flow_id=quam ip_protocol=tcp severity=low partition_name=umdol route_domain=rerepr sa_translation_pool=ipiscin sa_translation_type=trudexe source_ip=10.222.2.132 src_geo=umdo source_port=6187 source_user=aedicta translated_dest_ip=10.129.161.18 translated_dest_port=782 translated_ip_protocol=umquiad translated_route_domain=porinc translated_source_ip=10.183.90.25 translated_source_port=5038 translated_vlan=conse vlan=2563 +dolo reeufu umexe5208.local suntex uptatema uteiru [F5@rcitati acl_policy_name=siutali acl_policy_type=uiratio acl_rule_name=ficia action=Closed hostname=mqui1099.api.corp bigip_mgmt_ip=10.231.167.171 context_name=onorumet context_type=illoinve date_time=Jul 17 2018 17:51:58 dest_ip=10.188.254.168 dst_geo=nevolup dest_port=3706 device_product=lor device_vendor=ica device_version=1.4479 drop_reason=sumd errdefs_msgno=elitse errdefs_msg_name=olu flow_id=temqu ip_protocol=rdp severity=very-high partition_name=nesci route_domain=meaquei sa_translation_pool=snisiu sa_translation_type=atem source_ip=10.189.162.131 src_geo=litsed source_port=6019 source_user=sedquia translated_dest_ip=10.67.129.100 translated_dest_port=7106 translated_ip_protocol=mmodicon translated_route_domain=eosquir translated_source_ip=10.248.156.138 translated_source_port=2125 translated_vlan=smodit vlan=3090 +dun xce dol5403.www.localhost asiar eiu maliquam [F5@gnama acl_policy_name=ursintoc acl_policy_type=minimve acl_rule_name=eprehe action=Reject hostname=siuta2155.lan bigip_mgmt_ip=10.63.103.30 context_name=ill context_type=imveniam date_time=Aug 01 2018 00:54:32 dest_ip=10.36.29.127 dst_geo=umqui dest_port=1757 device_product=sci device_vendor=isquames device_version=1.2927 drop_reason=tlabor errdefs_msgno=itecto errdefs_msg_name=loreeuf flow_id=orainci ip_protocol=icmp severity=low partition_name=aev route_domain=uelaudan sa_translation_pool=lab sa_translation_type=sequa source_ip=10.6.146.184 src_geo=rrorsi source_port=7247 source_user=sequu translated_dest_ip=10.185.107.27 translated_dest_port=2257 translated_ip_protocol=mips translated_route_domain=iduntutl translated_source_ip=10.142.106.66 translated_source_port=3790 translated_vlan=quelauda vlan=289 +dolo ulamc doe344.www5.local toreve squirat llum [F5@dol acl_policy_name=niam acl_policy_type=atio acl_rule_name=sno action=Established hostname=tatiset4191.localdomain bigip_mgmt_ip=10.214.93.200 context_name=dtempor context_type=rroquisq date_time=Aug 15 2018 07:57:06 dest_ip=10.215.63.248 dst_geo=uidex dest_port=1203 device_product=lloi device_vendor=nseq device_version=1.4023 drop_reason=isetqua errdefs_msgno=ianonn errdefs_msg_name=oluptas flow_id=doe ip_protocol=udp severity=very-high partition_name=rchitect route_domain=orsitame sa_translation_pool=tasn sa_translation_type=exeaco source_ip=10.93.39.237 src_geo=aincidu source_port=232 source_user=tionofd translated_dest_ip=10.0.202.9 translated_dest_port=7451 translated_ip_protocol=nvolup translated_route_domain=ommodic translated_source_ip=10.119.179.182 translated_source_port=7255 translated_vlan=undeo vlan=7696 +uiinea uianonn eavolupt784.www5.example liquam sinto edi [F5@eumiure acl_policy_name=ore acl_policy_type=adeser acl_rule_name=mSe action=Drop hostname=aute2433.mail.lan bigip_mgmt_ip=10.252.204.162 context_name=tiae context_type=giat date_time=Aug 29 2018 14:59:40 dest_ip=10.115.77.51 dst_geo=mcorpor dest_port=2433 device_product=ostru device_vendor=mea device_version=1.5939 drop_reason=iquipex errdefs_msgno=byCice errdefs_msg_name=deritq flow_id=boreetdo ip_protocol=ipv6-icmp severity=medium partition_name=iin route_domain=nostr sa_translation_pool=luptatem sa_translation_type=tNequepo source_ip=10.28.145.163 src_geo=sper source_port=72 source_user=imadmin translated_dest_ip=10.123.154.140 translated_dest_port=2551 translated_ip_protocol=mSect translated_route_domain=iure translated_source_ip=10.30.189.166 translated_source_port=2749 translated_vlan=aer vlan=3422 +roquis mremape ude2977.www.corp rmagnido exeaco dqu [F5@ccaec acl_policy_name=repreh acl_policy_type=imven acl_rule_name=usan action=Accept hostname=idolo6535.internal.example bigip_mgmt_ip=10.46.162.198 context_name=snulap context_type=onsequat date_time=Sep 12 2018 22:02:15 dest_ip=10.166.128.248 dst_geo=pariatur dest_port=7435 device_product=tura device_vendor=equuntur device_version=1.6564 drop_reason=uaera errdefs_msgno=mqua errdefs_msg_name=xer flow_id=utlabore ip_protocol=ipv6-icmp severity=very-high partition_name=beataevi route_domain=amquisn sa_translation_pool=itquii sa_translation_type=imaven source_ip=10.145.128.250 src_geo=nder source_port=5641 source_user=eni translated_dest_ip=10.79.49.3 translated_dest_port=7794 translated_ip_protocol=psamvolu translated_route_domain=teturad translated_source_ip=10.29.122.183 translated_source_port=6166 translated_vlan=tla vlan=6146 +modtempo edict nost3250.internal.localdomain nibu quatur isiutali [F5@mdolo acl_policy_name=nof acl_policy_type=usantiu acl_rule_name=periam action=Closed hostname=one7728.api.localdomain bigip_mgmt_ip=10.177.232.136 context_name=obe context_type=niamqu date_time=Sep 27 2018 05:04:49 dest_ip=10.140.59.161 dst_geo=smoditem dest_port=575 device_product=tev device_vendor=oNemoeni device_version=1.3341 drop_reason=elillumq errdefs_msgno=loremeum errdefs_msg_name=luptatem flow_id=ing ip_protocol=tcp severity=very-high partition_name=riameaqu route_domain=etd sa_translation_pool=omnisi sa_translation_type=dolor source_ip=10.166.169.167 src_geo=ati source_port=1544 source_user=olors translated_dest_ip=10.65.174.196 translated_dest_port=472 translated_ip_protocol=iin translated_route_domain=uteiru translated_source_ip=10.142.235.217 translated_source_port=5846 translated_vlan=orain vlan=2663 +llu quaUt labor7147.internal.host ten vitae tse [F5@gni acl_policy_name=per acl_policy_type=tione acl_rule_name=nibus action=Established hostname=uptatem4446.internal.localhost bigip_mgmt_ip=10.29.217.44 context_name=eacommod context_type=tali date_time=Oct 11 2018 12:07:23 dest_ip=10.131.223.198 dst_geo=orisnisi dest_port=4342 device_product=eritquii device_vendor=atevelit device_version=1.325 drop_reason=enat errdefs_msgno=ionula errdefs_msg_name=itaed flow_id=invol ip_protocol=rdp severity=low partition_name=cidun route_domain=tassitas sa_translation_pool=nimadmi sa_translation_type=dipisci source_ip=10.215.184.154 src_geo=nor source_port=3306 source_user=iarc translated_dest_ip=10.191.78.86 translated_dest_port=6355 translated_ip_protocol=uiac translated_route_domain=squ translated_source_ip=10.53.188.140 translated_source_port=6455 translated_vlan=ten vlan=2937 +isciveli ntutlab sitamet452.domain nsequ ing ollita [F5@dipisci acl_policy_name=amnisiu acl_policy_type=ptat acl_rule_name=epr action=Drop hostname=emq2514.api.localhost bigip_mgmt_ip=10.135.77.156 context_name=uraut context_type=non date_time=Oct 25 2018 19:09:57 dest_ip=10.248.182.188 dst_geo=turad dest_port=2537 device_product=nBCSe device_vendor=ollita device_version=1.3567 drop_reason=eni errdefs_msgno=quipe errdefs_msg_name=oluptat flow_id=stenatus ip_protocol=ggp severity=very-high partition_name=iaecon route_domain=ect sa_translation_pool=tquid sa_translation_type=seru source_ip=10.76.148.147 src_geo=remagna source_port=1121 source_user=urve translated_dest_ip=10.46.222.149 translated_dest_port=3304 translated_ip_protocol=squ translated_route_domain=emagnaal translated_source_ip=10.74.74.129 translated_source_port=5904 translated_vlan=itati vlan=3497 +rinc tno meumf4052.invalid pitlabo riamea Malorumw [F5@consect acl_policy_name=issu acl_policy_type=tconsect acl_rule_name=tationem action=Drop hostname=agna5654.www.corp bigip_mgmt_ip=10.96.200.223 context_name=iatisun context_type=cto date_time=Nov 09 2018 02:12:32 dest_ip=10.3.228.220 dst_geo=imadmini dest_port=3791 device_product=oeiusm device_vendor=aUtenim device_version=1.1186 drop_reason=isu errdefs_msgno=ute errdefs_msg_name=tdolore flow_id=madminim ip_protocol=igmp severity=very-high partition_name=prehen route_domain=ate sa_translation_pool=ull sa_translation_type=enimipsa source_ip=10.130.203.37 src_geo=quisnos source_port=2132 source_user=mvele translated_dest_ip=10.11.146.253 translated_dest_port=3581 translated_ip_protocol=remeum translated_route_domain=temseq translated_source_ip=10.145.49.29 translated_source_port=2464 translated_vlan=sedquia vlan=4912 +ntmo aliqu iqu4429.www5.lan doconse volupta ptat [F5@oreverit acl_policy_name=nimides acl_policy_type=remipsum acl_rule_name=elit action=Drop hostname=ipi4827.mail.lan bigip_mgmt_ip=10.162.78.48 context_name=lab context_type=sedqui date_time=Nov 23 2018 09:15:06 dest_ip=10.243.157.94 dst_geo=epteu dest_port=5744 device_product=tura device_vendor=mquiavol device_version=1.6845 drop_reason=eabil errdefs_msgno=ibusB errdefs_msg_name=rporis flow_id=etco ip_protocol=ipv6 severity=very-high partition_name=ereprehe route_domain=olu sa_translation_pool=nofdeF sa_translation_type=riaturEx source_ip=10.24.23.209 src_geo=itautfu source_port=1503 source_user=rumwr translated_dest_ip=10.162.2.180 translated_dest_port=3889 translated_ip_protocol=mporain translated_route_domain=ectetur translated_source_ip=10.48.75.140 translated_source_port=1837 translated_vlan=ineavol vlan=5182 +onproid sitv equam3114.test mcorp uelaud aperiam [F5@ngelit acl_policy_name=quiano acl_policy_type=sund acl_rule_name=iaconse action=Drop hostname=sequatD163.internal.example bigip_mgmt_ip=10.151.206.38 context_name=oloremi context_type=luptate date_time=Dec 07 2018 16:17:40 dest_ip=10.38.57.217 dst_geo=rur dest_port=5543 device_product=imidest device_vendor=oeiusmod device_version=1.419 drop_reason=psumqui errdefs_msgno=eddoeiu errdefs_msg_name=oinvento flow_id=mips ip_protocol=udp severity=medium partition_name=corpor route_domain=amvolu sa_translation_pool=ent sa_translation_type=ionemu source_ip=10.66.92.83 src_geo=orinrep source_port=2549 source_user=nproide translated_dest_ip=10.119.12.186 translated_dest_port=5674 translated_ip_protocol=qui translated_route_domain=nemullam translated_source_ip=10.97.105.115 translated_source_port=3576 translated_vlan=squir vlan=3987 +umqu umet psaquaea5284.internal.example upt giatquo toccaec [F5@nihilmo acl_policy_name=atquo acl_policy_type=umetMa acl_rule_name=ngelitse action=Accept hostname=itamet1303.invalid bigip_mgmt_ip=10.12.148.73 context_name=eius context_type=evo date_time=Dec 21 2018 23:20:14 dest_ip=10.10.44.34 dst_geo=volupt dest_port=61 device_product=eosqu device_vendor=reetdolo device_version=1.7551 drop_reason=sten errdefs_msgno=enderi errdefs_msg_name=labore flow_id=uasiarch ip_protocol=igmp severity=very-high partition_name=magnama route_domain=reprehe sa_translation_pool=citatio sa_translation_type=dolo source_ip=10.201.132.114 src_geo=eetd source_port=6058 source_user=borisnis translated_dest_ip=10.64.76.142 translated_dest_port=7083 translated_ip_protocol=temse translated_route_domain=samvo translated_source_ip=10.169.139.250 translated_source_port=1374 translated_vlan=nostrume vlan=5035 +tatevel itin tam942.api.host iut leumiur deser [F5@boris acl_policy_name=ris acl_policy_type=nisiuta acl_rule_name=utper action=Drop hostname=epr3512.internal.domain bigip_mgmt_ip=10.9.236.18 context_name=iumdo context_type=exe date_time=Jan 05 2019 06:22:49 dest_ip=10.152.7.48 dst_geo=giatnula dest_port=71 device_product=enimadmi device_vendor=qui device_version=1.5292 drop_reason=aecon errdefs_msgno=sedq errdefs_msg_name=olo flow_id=sperna ip_protocol=udp severity=very-high partition_name=conseq route_domain=upta sa_translation_pool=eturadi sa_translation_type=cinge source_ip=10.111.128.11 src_geo=niamq source_port=5336 source_user=umfug translated_dest_ip=10.35.38.185 translated_dest_port=7077 translated_ip_protocol=labor translated_route_domain=Sec translated_source_ip=10.200.116.191 translated_source_port=3068 translated_vlan=nsecte vlan=5790 +uianonnu por nve894.lan turadip ataev eFinib [F5@atione acl_policy_name=xcepte acl_policy_type=gnaa acl_rule_name=tio action=Reject hostname=uredol2174.home bigip_mgmt_ip=10.191.27.182 context_name=tMalo context_type=urautod date_time=Jan 19 2019 13:25:23 dest_ip=10.114.60.159 dst_geo=rese dest_port=5302 device_product=rissusci device_vendor=quaturve device_version=1.5991 drop_reason=tisunde errdefs_msgno=ende errdefs_msg_name=quidolor flow_id=lloin ip_protocol=igmp severity=high partition_name=proiden route_domain=moenimip sa_translation_pool=tat sa_translation_type=tate source_ip=10.236.67.227 src_geo=ern source_port=881 source_user=tlabo translated_dest_ip=10.134.238.8 translated_dest_port=2976 translated_ip_protocol=aqua translated_route_domain=edquiac translated_source_ip=10.240.62.238 translated_source_port=1251 translated_vlan=olo vlan=5926 +ali Nequepor aUten4127.internal.lan apariatu mnisis onsequa [F5@sunt acl_policy_name=orumSe acl_policy_type=olupta acl_rule_name=emveleum action=Drop hostname=ididunt7607.mail.localhost bigip_mgmt_ip=10.165.66.92 context_name=isq context_type=eacommo date_time=Feb 02 2019 20:27:57 dest_ip=10.244.171.198 dst_geo=nimad dest_port=7814 device_product=asi device_vendor=tobe device_version=1.6837 drop_reason=Lore errdefs_msgno=oin errdefs_msg_name=eritquii flow_id=taliqui ip_protocol=ipv6-icmp severity=very-high partition_name=entoreve route_domain=ion sa_translation_pool=exeaco sa_translation_type=tate source_ip=10.109.14.142 src_geo=sitas source_port=6036 source_user=perna translated_dest_ip=10.65.35.64 translated_dest_port=2748 translated_ip_protocol=irur translated_route_domain=risnisiu translated_source_ip=10.22.231.91 translated_source_port=2652 translated_vlan=equepor vlan=897 +ugiatn utpe hend1170.www5.lan ptateve aliqua officiad [F5@nimadmin acl_policy_name=iavol acl_policy_type=roq acl_rule_name=iumtota action=Reject hostname=inimav5557.www5.test bigip_mgmt_ip=10.71.112.86 context_name=olor context_type=emoenim date_time=Feb 17 2019 03:30:32 dest_ip=10.57.64.102 dst_geo=rume dest_port=7667 device_product=inibusBo device_vendor=tqui device_version=1.99 drop_reason=citat errdefs_msgno=prehende errdefs_msg_name=vitaedic flow_id=remip ip_protocol=ggp severity=high partition_name=rehe route_domain=aper sa_translation_pool=gnaa sa_translation_type=tam source_ip=10.64.161.215 src_geo=modi source_port=4869 source_user=rnatur translated_dest_ip=10.29.230.203 translated_dest_port=6579 translated_ip_protocol=abi translated_route_domain=inimaven translated_source_ip=10.89.221.90 translated_source_port=5835 translated_vlan=entoreve vlan=4612 +roqu dquia ommod142.www.home ptate oloreeu imipsa [F5@iscinge acl_policy_name=ora acl_policy_type=meumfug acl_rule_name=inimve action=Closed hostname=nonn1650.www.test bigip_mgmt_ip=10.88.226.76 context_name=ptas context_type=iadolo date_time=Mar 03 2019 10:33:06 dest_ip=10.217.197.29 dst_geo=aliquide dest_port=7187 device_product=tinv device_vendor=iar device_version=1.5232 drop_reason=mquela errdefs_msgno=urm errdefs_msg_name=con flow_id=aeabil ip_protocol=udp severity=low partition_name=edicta route_domain=itaspern sa_translation_pool=tau sa_translation_type=rcit source_ip=10.79.208.135 src_geo=rehende source_port=3688 source_user=erspic translated_dest_ip=10.221.199.137 translated_dest_port=6430 translated_ip_protocol=quipe translated_route_domain=evita translated_source_ip=10.140.118.182 translated_source_port=4566 translated_vlan=nia vlan=7548 +npro boriosa sundeo3076.internal.test Nequepor turQ tod [F5@rsitame acl_policy_name=nsectetu acl_policy_type=untexpli acl_rule_name=smo action=Reject hostname=acons3940.api.lan bigip_mgmt_ip=10.133.48.55 context_name=lab context_type=ela date_time=Mar 17 2019 17:35:40 dest_ip=10.134.141.37 dst_geo=oreve dest_port=2538 device_product=tali device_vendor=quamnih device_version=1.2492 drop_reason=reprehen errdefs_msgno=Exce errdefs_msg_name=tocca flow_id=tinvolu ip_protocol=ipv6 severity=low partition_name=iumt route_domain=mad sa_translation_pool=mpor sa_translation_type=eddoei source_ip=10.35.73.208 src_geo=dolo source_port=6552 source_user=tia translated_dest_ip=10.126.61.230 translated_dest_port=2068 translated_ip_protocol=dolor translated_route_domain=emUteni translated_source_ip=10.189.244.22 translated_source_port=734 translated_vlan=rinre vlan=6425 +ident uatur dquiaco2756.home uiine mve dolorema [F5@ditautf acl_policy_name=uisnostr acl_policy_type=oditautf acl_rule_name=nula action=Established hostname=suscipit587.www.localhost bigip_mgmt_ip=10.81.154.115 context_name=ita context_type=aeratvol date_time=Apr 01 2019 00:38:14 dest_ip=10.194.94.1 dst_geo=ostr dest_port=575 device_product=boreetd device_vendor=ueporro device_version=1.4044 drop_reason=oluptat errdefs_msgno=olors errdefs_msg_name=mSecti flow_id=ius ip_protocol=icmp severity=very-high partition_name=xerci route_domain=qua sa_translation_pool=iaecons sa_translation_type=pteurs source_ip=10.35.65.72 src_geo=veni source_port=3387 source_user=reseo translated_dest_ip=10.239.194.105 translated_dest_port=3629 translated_ip_protocol=isnos translated_route_domain=ntin translated_source_ip=10.240.94.109 translated_source_port=5437 translated_vlan=ono vlan=573 +consequ ine hend3901.www.localdomain nsecte miurere tat [F5@pitlabor acl_policy_name=upi acl_policy_type=olupta acl_rule_name=ape action=Established hostname=mnisiut6146.internal.local bigip_mgmt_ip=10.52.70.192 context_name=empor context_type=ate date_time=Apr 15 2019 07:40:49 dest_ip=10.234.254.96 dst_geo=obeatae dest_port=2042 device_product=orem device_vendor=dquian device_version=1.2307 drop_reason=uis errdefs_msgno=emagnaal errdefs_msg_name=uunturm flow_id=nonnumq ip_protocol=ggp severity=very-high partition_name=ntocca route_domain=emquelau sa_translation_pool=adolorsi sa_translation_type=lupt source_ip=10.38.253.213 src_geo=ncidu source_port=3369 source_user=ionem translated_dest_ip=10.248.72.104 translated_dest_port=7485 translated_ip_protocol=cusan translated_route_domain=ivelit translated_source_ip=10.150.56.227 translated_source_port=4686 translated_vlan=isnost vlan=4697 +urQu idol fici312.api.host eri pitlab riosamn [F5@Malo acl_policy_name=onse acl_policy_type=enatuse acl_rule_name=veritat action=Reject hostname=borios1067.www5.home bigip_mgmt_ip=10.218.15.164 context_name=ntNeque context_type=magnidol date_time=Apr 29 2019 14:43:23 dest_ip=10.56.60.3 dst_geo=aaliq dest_port=2143 device_product=gel device_vendor=modt device_version=1.2031 drop_reason=mvolu errdefs_msgno=agn errdefs_msg_name=eritinvo flow_id=aliq ip_protocol=rdp severity=very-high partition_name=uisautei route_domain=labor sa_translation_pool=ihilmol sa_translation_type=scinge source_ip=10.62.218.239 src_geo=yCiceroi source_port=166 source_user=reh translated_dest_ip=10.73.172.186 translated_dest_port=3510 translated_ip_protocol=itte translated_route_domain=niamquis translated_source_ip=10.203.193.134 translated_source_port=6251 translated_vlan=riosa vlan=7445 +ore ptatema poriss2289.localdomain luptat ficiad saquaea [F5@archi acl_policy_name=caboNe acl_policy_type=ptate acl_rule_name=enimips action=Established hostname=msequ323.www.example bigip_mgmt_ip=10.60.20.76 context_name=seq context_type=uae date_time=May 13 2019 21:45:57 dest_ip=10.244.241.67 dst_geo=quaeabi dest_port=5701 device_product=ost device_vendor=mave device_version=1.2555 drop_reason=aev errdefs_msgno=uovolup errdefs_msg_name=tMaloru flow_id=rum ip_protocol=ipv6-icmp severity=very-high partition_name=ptassita route_domain=ionemul sa_translation_pool=orema sa_translation_type=its source_ip=10.10.46.43 src_geo=stiaec source_port=7346 source_user=nev translated_dest_ip=10.136.211.234 translated_dest_port=4126 translated_ip_protocol=lamcor translated_route_domain=rorsitv translated_source_ip=10.131.127.113 translated_source_port=853 translated_vlan=iamqu vlan=1324 +mwrit dminimve madminim5473.mail.example reeuf orinrepr tinvo [F5@oru acl_policy_name=ainc acl_policy_type=aeab acl_rule_name=iat action=Closed hostname=tdolorem813.internal.host bigip_mgmt_ip=10.50.177.151 context_name=rsitam context_type=aliqui date_time=May 28 2019 04:48:31 dest_ip=10.206.65.159 dst_geo=fdeFini dest_port=1295 device_product=eetdolo device_vendor=issuscip device_version=1.3291 drop_reason=tqu errdefs_msgno=rinc errdefs_msg_name=hender flow_id=sBonor ip_protocol=rdp severity=high partition_name=ercitati route_domain=lapa sa_translation_pool=enia sa_translation_type=atis source_ip=10.233.181.250 src_geo=isiuta source_port=2868 source_user=ugiatq translated_dest_ip=10.187.237.220 translated_dest_port=7744 translated_ip_protocol=eumfu translated_route_domain=remap translated_source_ip=10.248.0.74 translated_source_port=6349 translated_vlan=tru vlan=2520 +isautem eiusm assit1598.www5.invalid archite eruntm iades [F5@mremape acl_policy_name=nimad acl_policy_type=ionemu acl_rule_name=nul action=Established hostname=volupt4626.internal.test bigip_mgmt_ip=10.189.43.11 context_name=asper context_type=eeu date_time=Jun 11 2019 11:51:06 dest_ip=10.193.169.102 dst_geo=olab dest_port=629 device_product=olore device_vendor=mSecti device_version=1.2859 drop_reason=idid errdefs_msgno=ela errdefs_msg_name=fugits flow_id=litseddo ip_protocol=igmp severity=medium partition_name=ptasn route_domain=amrem sa_translation_pool=umdolor sa_translation_type=iamq source_ip=10.248.248.120 src_geo=ationemu source_port=1282 source_user=iatn translated_dest_ip=10.96.223.46 translated_dest_port=3654 translated_ip_protocol=pern translated_route_domain=ptasn translated_source_ip=10.80.129.81 translated_source_port=4827 translated_vlan=tat vlan=5084 +eruntmo lumdolo urmagnid2749.api.host imip taspe siutaliq [F5@turadipi acl_policy_name=tMalo acl_policy_type=veni acl_rule_name=rspi action=Closed hostname=ntium5103.www5.localhost bigip_mgmt_ip=10.66.106.186 context_name=uatD context_type=reh date_time=Jun 25 2019 18:53:40 dest_ip=10.36.14.238 dst_geo=metco dest_port=4740 device_product=ilmoles device_vendor=xeaco device_version=1.1910 drop_reason=ccaecat errdefs_msgno=radip errdefs_msg_name=secil flow_id=totamr ip_protocol=udp severity=very-high partition_name=iciat route_domain=uira sa_translation_pool=orio sa_translation_type=mseq source_ip=10.102.109.199 src_geo=iono source_port=2061 source_user=tNequ translated_dest_ip=10.173.114.63 translated_dest_port=5877 translated_ip_protocol=tatisetq translated_route_domain=eabilloi translated_source_ip=10.91.115.139 translated_source_port=412 translated_vlan=eroi vlan=2077 +riatur amrema illum2978.internal.home rumetMa entor urere [F5@involu acl_policy_name=qui acl_policy_type=aliqu acl_rule_name=sita action=Drop hostname=orpori3334.www.local bigip_mgmt_ip=10.198.157.122 context_name=ncu context_type=quatu date_time=Jul 10 2019 01:56:14 dest_ip=10.239.90.72 dst_geo=iratio dest_port=7700 device_product=its device_vendor=agn device_version=1.3690 drop_reason=ntmo errdefs_msgno=iur errdefs_msg_name=aboNemo flow_id=tsedquia ip_protocol=udp severity=very-high partition_name=tatiset route_domain=enim sa_translation_pool=gnido sa_translation_type=iamq source_ip=10.159.155.88 src_geo=uisa source_port=7034 source_user=iquipex translated_dest_ip=10.0.175.17 translated_dest_port=5236 translated_ip_protocol=tempori translated_route_domain=sedquian translated_source_ip=10.221.223.127 translated_source_port=2687 translated_vlan=ira vlan=3007 +idolor umdo sequatu7142.internal.corp ipsaqu asun rsitam [F5@magn acl_policy_name=amcola acl_policy_type=eumiurer acl_rule_name=umf action=Established hostname=equu7361.www5.localdomain bigip_mgmt_ip=10.30.20.187 context_name=rsinto context_type=nonnumqu date_time=Jul 24 2019 08:58:48 dest_ip=10.103.47.100 dst_geo=chitect dest_port=5316 device_product=fug device_vendor=ulpaq device_version=1.6302 drop_reason=piscivel errdefs_msgno=ueporr errdefs_msg_name=udex flow_id=ipexeac ip_protocol=tcp severity=low partition_name=isci route_domain=archi sa_translation_pool=rsitame sa_translation_type=qui source_ip=10.7.212.201 src_geo=ion source_port=949 source_user=ugiat translated_dest_ip=10.252.136.130 translated_dest_port=5601 translated_ip_protocol=expl translated_route_domain=animi translated_source_ip=10.189.70.237 translated_source_port=1457 translated_vlan=tnul vlan=24 +radip amremap dolorsit64.www.local uredo uamni nisi [F5@onsecte acl_policy_name=iono acl_policy_type=secillum acl_rule_name=sequatD action=Established hostname=tse2979.internal.localhost bigip_mgmt_ip=10.242.121.165 context_name=aut context_type=eriti date_time=Aug 07 2019 16:01:23 dest_ip=10.88.229.78 dst_geo=imadmi dest_port=2642 device_product=tevelite device_vendor=cto device_version=1.2037 drop_reason=mquiado errdefs_msgno=agn errdefs_msg_name=dip flow_id=urmag ip_protocol=tcp severity=high partition_name=laboreet route_domain=tutlabo sa_translation_pool=incid sa_translation_type=der source_ip=10.83.105.69 src_geo=usm source_port=2153 source_user=mni translated_dest_ip=10.102.109.194 translated_dest_port=2324 translated_ip_protocol=nor translated_route_domain=saut translated_source_ip=10.60.224.93 translated_source_port=1508 translated_vlan=deomnis vlan=354 +tla nimve edutpe1255.internal.lan nimadm cepte paquioff [F5@ictasun acl_policy_name=iumto acl_policy_type=ciun acl_rule_name=prehe action=Accept hostname=uisnostr2390.mail.domain bigip_mgmt_ip=10.251.167.219 context_name=eaco context_type=oremeu date_time=Aug 21 2019 23:03:57 dest_ip=10.14.251.18 dst_geo=tenbyCi dest_port=4371 device_product=citation device_vendor=spernatu device_version=1.7314 drop_reason=giatq errdefs_msgno=tion errdefs_msg_name=tNeque flow_id=uidolore ip_protocol=rdp severity=medium partition_name=usB route_domain=magnaali sa_translation_pool=istenatu sa_translation_type=roqui source_ip=10.17.20.93 src_geo=eritqu source_port=4368 source_user=Uteni translated_dest_ip=10.181.134.69 translated_dest_port=551 translated_ip_protocol=norum translated_route_domain=emUten translated_source_ip=10.219.174.45 translated_source_port=4055 translated_vlan=idolo vlan=968 +mmodicon nisis edquia4523.www.host remap ntium veniamqu [F5@equat acl_policy_name=reeu acl_policy_type=atemacc acl_rule_name=rsitvolu action=Accept hostname=luptate4811.mail.example bigip_mgmt_ip=10.30.117.82 context_name=destlabo context_type=fficia date_time=Sep 05 2019 06:06:31 dest_ip=10.245.75.229 dst_geo=elaud dest_port=4916 device_product=eaqueip device_vendor=emUten device_version=1.596 drop_reason=itseddoe errdefs_msgno=iti errdefs_msg_name=evitaedi flow_id=ionulamc ip_protocol=tcp severity=high partition_name=culp route_domain=Ciceroin sa_translation_pool=aeco sa_translation_type=olores source_ip=10.223.99.90 src_geo=adminim source_port=4324 source_user=numqua translated_dest_ip=10.28.233.253 translated_dest_port=1159 translated_ip_protocol=mUten translated_route_domain=eursint translated_source_ip=10.37.14.20 translated_source_port=6531 translated_vlan=teurs vlan=4919 +aaliq nos uaUteni562.www.test deF dutpe tseddoei [F5@byCi acl_policy_name=odic acl_policy_type=chitecto acl_rule_name=nimadm action=Closed hostname=lites1614.www.corp bigip_mgmt_ip=10.125.20.22 context_name=olu context_type=ectet date_time=Sep 19 2019 13:09:05 dest_ip=10.121.189.113 dst_geo=tess dest_port=4686 device_product=xeacom device_vendor=adminim device_version=1.95 drop_reason=henderi errdefs_msgno=rainc errdefs_msg_name=dminim flow_id=sse ip_protocol=tcp severity=high partition_name=umexe route_domain=Sedu sa_translation_pool=tetur sa_translation_type=ern source_ip=10.50.61.114 src_geo=nvento source_port=649 source_user=qua translated_dest_ip=10.57.85.113 translated_dest_port=1024 translated_ip_protocol=itquii translated_route_domain=psu translated_source_ip=10.8.32.17 translated_source_port=3788 translated_vlan=nem vlan=5883 +sitasper agni ivelit1640.internal.lan iscive prehende volup [F5@nimi acl_policy_name=niamqu acl_policy_type=uioffi acl_rule_name=suntin action=Closed hostname=lorinrep7686.mail.corp bigip_mgmt_ip=10.200.28.55 context_name=ineavol context_type=abor date_time=Oct 03 2019 20:11:40 dest_ip=10.232.122.152 dst_geo=voluptat dest_port=1549 device_product=ipi device_vendor=lamcor device_version=1.3064 drop_reason=litesse errdefs_msgno=tam errdefs_msg_name=uovo flow_id=scivelit ip_protocol=icmp severity=low partition_name=empo route_domain=apa sa_translation_pool=colab sa_translation_type=sistenat source_ip=10.215.224.27 src_geo=Sedutper source_port=6726 source_user=ficiade translated_dest_ip=10.113.78.101 translated_dest_port=2707 translated_ip_protocol=amqua translated_route_domain=nsequatu translated_source_ip=10.181.63.82 translated_source_port=168 translated_vlan=tse vlan=4029 +ueip amvo dolorsi306.www5.local tten erit asiarch [F5@tob acl_policy_name=tiae acl_policy_type=imipsamv acl_rule_name=doeiu action=Established hostname=nderit6272.mail.example bigip_mgmt_ip=10.177.14.106 context_name=natuser context_type=olupt date_time=Oct 18 2019 03:14:14 dest_ip=10.239.142.115 dst_geo=nsec dest_port=6720 device_product=siarchi device_vendor=etq device_version=1.4522 drop_reason=archit errdefs_msgno=nde errdefs_msg_name=tNequepo flow_id=byCicer ip_protocol=ipv6 severity=medium partition_name=ipit route_domain=tdolorem sa_translation_pool=nderitin sa_translation_type=mquiado source_ip=10.169.95.128 src_geo=reeufugi source_port=7737 source_user=ofd translated_dest_ip=10.139.20.223 translated_dest_port=114 translated_ip_protocol=porincid translated_route_domain=tisetqu translated_source_ip=10.243.43.168 translated_source_port=2110 translated_vlan=ehenderi vlan=2215 +ipsu iden oreseo1541.mail.domain boriosam lites col [F5@litsedd acl_policy_name=mnis acl_policy_type=ainci acl_rule_name=aturve action=Established hostname=ntu1279.mail.lan bigip_mgmt_ip=10.92.168.198 context_name=rume context_type=uptate date_time=Nov 01 2019 10:16:48 dest_ip=10.115.225.57 dst_geo=orsit dest_port=3315 device_product=mnis device_vendor=tametco device_version=1.7456 drop_reason=inc errdefs_msgno=rroqui errdefs_msg_name=amr flow_id=mfug ip_protocol=tcp severity=low partition_name=mid route_domain=henderi sa_translation_pool=consec sa_translation_type=dquia source_ip=10.90.93.4 src_geo=rehe source_port=3382 source_user=adminima translated_dest_ip=10.39.100.88 translated_dest_port=5195 translated_ip_protocol=lup translated_route_domain=rsi translated_source_ip=10.18.176.44 translated_source_port=7284 translated_vlan=Utenimad vlan=4305 +Bon amquisno mullam6505.www.localhost siarch oloremi ididu [F5@uov acl_policy_name=ncidid acl_policy_type=audantiu acl_rule_name=lmolest action=Reject hostname=essequam1161.domain bigip_mgmt_ip=10.49.68.8 context_name=temUte context_type=idest date_time=Nov 15 2019 17:19:22 dest_ip=10.8.247.249 dst_geo=enimip dest_port=3957 device_product=ataevit device_vendor=ficiad device_version=1.2909 drop_reason=taspe errdefs_msgno=empori errdefs_msg_name=mipsum flow_id=tium ip_protocol=tcp severity=very-high partition_name=ota route_domain=boriosa sa_translation_pool=eprehen sa_translation_type=rehen source_ip=10.163.203.191 src_geo=exeacom source_port=2599 source_user=tlab translated_dest_ip=10.193.43.135 translated_dest_port=4650 translated_ip_protocol=iaeconse translated_route_domain=onevol translated_source_ip=10.173.13.179 translated_source_port=1211 translated_vlan=ptasn vlan=3791 +ctetur amqui itatise2264.invalid lup cipitla niam [F5@mullamc acl_policy_name=umtota acl_policy_type=ssecil acl_rule_name=xplic action=Closed hostname=cipitl2184.localdomain bigip_mgmt_ip=10.240.47.113 context_name=uisnost context_type=snul date_time=Nov 30 2019 00:21:57 dest_ip=10.191.241.249 dst_geo=Loremips dest_port=4361 device_product=tiset device_vendor=ciade device_version=1.7726 drop_reason=equ errdefs_msgno=rror errdefs_msg_name=Exce flow_id=uae ip_protocol=ggp severity=high partition_name=umdol route_domain=nseq sa_translation_pool=autodita sa_translation_type=loreme source_ip=10.84.64.28 src_geo=par source_port=3938 source_user=ull translated_dest_ip=10.209.226.7 translated_dest_port=7745 translated_ip_protocol=aeabi translated_route_domain=ore translated_source_ip=10.31.147.51 translated_source_port=7780 translated_vlan=ptate vlan=3154 +fugit dantiu ntutla1447.invalid strude rautodi Loremips [F5@mestqui acl_policy_name=tect acl_policy_type=odtem acl_rule_name=ite action=Closed hostname=item3647.home bigip_mgmt_ip=10.32.20.4 context_name=olupta context_type=dents date_time=Dec 14 2019 07:24:31 dest_ip=10.166.40.137 dst_geo=oremipsu dest_port=5644 device_product=idolor device_vendor=tionem device_version=1.292 drop_reason=oinB errdefs_msgno=tateve errdefs_msg_name=rsitvo flow_id=enatuser ip_protocol=tcp severity=high partition_name=sistena route_domain=reetdolo sa_translation_pool=psam sa_translation_type=litseddo source_ip=10.225.189.229 src_geo=odtem source_port=2287 source_user=odtemp translated_dest_ip=10.86.1.244 translated_dest_port=7101 translated_ip_protocol=rinci translated_route_domain=uamestqu translated_source_ip=10.52.13.192 translated_source_port=4714 translated_vlan=remagna vlan=439 diff --git a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json new file mode 100644 index 00000000000..d1729062282 --- /dev/null +++ b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json @@ -0,0 +1,6760 @@ +[ + { + "destination.geo.country_name": "umq", + "destination.nat.ip": "10.165.201.71", + "destination.nat.port": 6153, + "destination.port": 2288, + "event.action": "Closed", + "event.code": "boNemoe", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "iusm modtempo olab6078.home olaboris tur itv [F5@odoco acl_policy_name=ria acl_policy_type=min acl_rule_name=ite action=Closed hostname=tatemac3541.api.corp bigip_mgmt_ip=10.228.193.207 context_name=liqua context_type=ciade date_time=Jan 29 2016 06:09:59 dest_ip=10.125.114.51 dst_geo=umq dest_port=2288 device_product=pexe device_vendor=nes device_version=1.2262 drop_reason=reveri errdefs_msgno=boNemoe errdefs_msg_name=equepor flow_id=eni ip_protocol=ipv6 severity=low partition_name=ehend route_domain=ritquiin sa_translation_pool=umqui sa_translation_type=reeufugi source_ip=10.208.121.85 src_geo=sperna source_port=884 source_user=billoi translated_dest_ip=10.165.201.71 translated_dest_port=6153 translated_ip_protocol=tatemU translated_route_domain=deF translated_source_ip=10.11.196.142 translated_source_port=5222 translated_vlan=iatnu vlan=3810", + "fileset.name": "bigipafm", + "host.ip": "10.228.193.207", + "host.name": "tatemac3541.api.corp", + "input.type": "log", + "log.level": "low", + "log.offset": 0, + "network.protocol": "ipv6", + "observer.product": "pexe", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.2262", + "related.hosts": [ + "tatemac3541.api.corp" + ], + "related.ip": [ + "10.165.201.71", + "10.228.193.207", + "10.11.196.142", + "10.208.121.85" + ], + "related.user": [ + "billoi" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "liqua", + "rsa.misc.event_type": "equepor", + "rsa.misc.obj_name": "odoco", + "rsa.misc.policy_name": "ria", + "rsa.misc.reference_id": "boNemoe", + "rsa.misc.rule_name": "ite", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.2262", + "rsa.network.alias_host": [ + "tatemac3541.api.corp" + ], + "rsa.network.vlan": 3810, + "rsa.time.event_time_str": "Jan", + "rule.name": "ite", + "service.type": "f5", + "source.geo.country_name": "sperna", + "source.ip": [ + "10.208.121.85" + ], + "source.nat.ip": "10.11.196.142", + "source.nat.port": 5222, + "source.port": 884, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "billoi" + }, + { + "destination.geo.country_name": "iin", + "destination.nat.ip": "10.94.67.230", + "destination.nat.port": 783, + "destination.port": 6287, + "event.action": "Established", + "event.code": "eumiu", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "eporr quipexe alo4540.example umdo itessequ vol [F5@luptat acl_policy_name=isiutal acl_policy_type=moenimi acl_rule_name=mod action=Established hostname=enatus2114.mail.home bigip_mgmt_ip=10.51.132.10 context_name=utper context_type=squame date_time=Feb 12 2016 13:12:33 dest_ip=10.173.116.41 dst_geo=iin dest_port=6287 device_product=emape device_vendor=aer device_version=1.445 drop_reason=nse errdefs_msgno=eumiu errdefs_msg_name=uame flow_id=quis ip_protocol=tcp severity=medium partition_name=cca route_domain=dolo sa_translation_pool=meumfug sa_translation_type=tetu source_ip=10.162.9.235 src_geo=tionulam source_port=2548 source_user=byC translated_dest_ip=10.94.67.230 translated_dest_port=783 translated_ip_protocol=atio translated_route_domain=uipexea translated_source_ip=10.92.202.200 translated_source_port=6772 translated_vlan=eFini vlan=859", + "fileset.name": "bigipafm", + "host.ip": "10.51.132.10", + "host.name": "enatus2114.mail.home", + "input.type": "log", + "log.level": "medium", + "log.offset": 856, + "network.protocol": "tcp", + "observer.product": "emape", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.445", + "related.hosts": [ + "enatus2114.mail.home" + ], + "related.ip": [ + "10.51.132.10", + "10.162.9.235", + "10.94.67.230", + "10.92.202.200" + ], + "related.user": [ + "byC" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "utper", + "rsa.misc.event_type": "uame", + "rsa.misc.obj_name": "luptat", + "rsa.misc.policy_name": "isiutal", + "rsa.misc.reference_id": "eumiu", + "rsa.misc.rule_name": "mod", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.445", + "rsa.network.alias_host": [ + "enatus2114.mail.home" + ], + "rsa.network.vlan": 859, + "rsa.time.event_time_str": "Feb", + "rule.name": "mod", + "service.type": "f5", + "source.geo.country_name": "tionulam", + "source.ip": [ + "10.162.9.235" + ], + "source.nat.ip": "10.92.202.200", + "source.nat.port": 6772, + "source.port": 2548, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "byC" + }, + { + "destination.geo.country_name": "uptassi", + "destination.nat.ip": "10.82.56.117", + "destination.nat.port": 2935, + "destination.port": 3179, + "event.action": "Reject", + "event.code": "llumd", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "exe iatu ionofde2424.api.invalid rsitam ommodic mipsu [F5@consec acl_policy_name=taliquip acl_policy_type=psumq acl_rule_name=atcup action=Reject hostname=gelit6728.api.invalid bigip_mgmt_ip=10.122.116.161 context_name=uam context_type=untutl date_time=Feb 26 2016 20:15:08 dest_ip=10.40.68.117 dst_geo=uptassi dest_port=3179 device_product=scivel device_vendor=aqui device_version=1.4726 drop_reason=iveli errdefs_msgno=llumd errdefs_msg_name=enatuse flow_id=magn ip_protocol=icmp severity=low partition_name=eos route_domain=enimad sa_translation_pool=rmagni sa_translation_type=sit source_ip=10.209.155.149 src_geo=tenima source_port=1073 source_user=seq translated_dest_ip=10.82.56.117 translated_dest_port=2935 translated_ip_protocol=veleumi translated_route_domain=tia translated_source_ip=10.191.68.244 translated_source_port=6905 translated_vlan=veri vlan=5990", + "fileset.name": "bigipafm", + "host.ip": "10.122.116.161", + "host.name": "gelit6728.api.invalid", + "input.type": "log", + "log.level": "low", + "log.offset": 1713, + "network.protocol": "icmp", + "observer.product": "scivel", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.4726", + "related.hosts": [ + "gelit6728.api.invalid" + ], + "related.ip": [ + "10.122.116.161", + "10.209.155.149", + "10.82.56.117", + "10.191.68.244" + ], + "related.user": [ + "seq" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "uam", + "rsa.misc.event_type": "enatuse", + "rsa.misc.obj_name": "consec", + "rsa.misc.policy_name": "taliquip", + "rsa.misc.reference_id": "llumd", + "rsa.misc.rule_name": "atcup", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.4726", + "rsa.network.alias_host": [ + "gelit6728.api.invalid" + ], + "rsa.network.vlan": 5990, + "rsa.time.event_time_str": "Feb", + "rule.name": "atcup", + "service.type": "f5", + "source.geo.country_name": "tenima", + "source.ip": [ + "10.209.155.149" + ], + "source.nat.ip": "10.191.68.244", + "source.nat.port": 6905, + "source.port": 1073, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "seq" + }, + { + "destination.geo.country_name": "untNequ", + "destination.nat.ip": "10.131.233.27", + "destination.nat.port": 5037, + "destination.port": 5075, + "event.action": "Accept", + "event.code": "ugiatqu", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "siutaliq exercit tempor4496.www.localdomain eip lupta iusmodt [F5@doloreeu acl_policy_name=pori acl_policy_type=occ acl_rule_name=ect action=Accept hostname=uid545.www5.localhost bigip_mgmt_ip=10.12.44.169 context_name=autfu context_type=natura date_time=Mar 12 2016 03:17:42 dest_ip=10.163.217.10 dst_geo=untNequ dest_port=5075 device_product=nimadmin device_vendor=erep device_version=1.2696 drop_reason=temq errdefs_msgno=ugiatqu errdefs_msg_name=eacomm flow_id=Utenimad ip_protocol=igmp severity=high partition_name=ehend route_domain=ueipsaqu sa_translation_pool=uidolore sa_translation_type=niamqu source_ip=10.202.66.28 src_geo=tevelit source_port=5098 source_user=elits translated_dest_ip=10.131.233.27 translated_dest_port=5037 translated_ip_protocol=ari translated_route_domain=eataevit translated_source_ip=10.50.112.141 translated_source_port=7303 translated_vlan=dmi vlan=499", + "fileset.name": "bigipafm", + "host.ip": "10.12.44.169", + "host.name": "uid545.www5.localhost", + "input.type": "log", + "log.level": "high", + "log.offset": 2582, + "network.protocol": "igmp", + "observer.product": "nimadmin", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.2696", + "related.hosts": [ + "uid545.www5.localhost" + ], + "related.ip": [ + "10.12.44.169", + "10.202.66.28", + "10.50.112.141", + "10.131.233.27" + ], + "related.user": [ + "elits" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Accept" + ], + "rsa.misc.context": "autfu", + "rsa.misc.event_type": "eacomm", + "rsa.misc.obj_name": "doloreeu", + "rsa.misc.policy_name": "pori", + "rsa.misc.reference_id": "ugiatqu", + "rsa.misc.rule_name": "ect", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.2696", + "rsa.network.alias_host": [ + "uid545.www5.localhost" + ], + "rsa.network.vlan": 499, + "rsa.time.event_time_str": "Mar", + "rule.name": "ect", + "service.type": "f5", + "source.geo.country_name": "tevelit", + "source.ip": [ + "10.202.66.28" + ], + "source.nat.ip": "10.50.112.141", + "source.nat.port": 7303, + "source.port": 5098, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "elits" + }, + { + "destination.geo.country_name": "ema", + "destination.nat.ip": "10.96.35.212", + "destination.nat.port": 3982, + "destination.port": 5969, + "event.action": "Established", + "event.code": "imav", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "mquisnos loremagn iciade3433.example enimad incididu eci [F5@aali acl_policy_name=ametcons acl_policy_type=porainc acl_rule_name=amquisno action=Established hostname=emquiavo452.internal.localhost bigip_mgmt_ip=10.151.111.38 context_name=tvol context_type=moll date_time=Mar 26 2016 10:20:16 dest_ip=10.228.149.225 dst_geo=ema dest_port=5969 device_product=tquovol device_vendor=ntsuntin device_version=1.3341 drop_reason=tatno errdefs_msgno=imav errdefs_msg_name=ididu flow_id=ciunt ip_protocol=ipv6-icmp severity=very-high partition_name=emqu route_domain=lit sa_translation_pool=iam sa_translation_type=qua source_ip=10.159.182.171 src_geo=umdolore source_port=6680 source_user=mol translated_dest_ip=10.96.35.212 translated_dest_port=3982 translated_ip_protocol=rumet translated_route_domain=oll translated_source_ip=10.206.197.113 translated_source_port=4075 translated_vlan=temUten vlan=4125", + "fileset.name": "bigipafm", + "host.ip": "10.151.111.38", + "host.name": "emquiavo452.internal.localhost", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3471, + "network.protocol": "ipv6-icmp", + "observer.product": "tquovol", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.3341", + "related.hosts": [ + "emquiavo452.internal.localhost" + ], + "related.ip": [ + "10.159.182.171", + "10.151.111.38", + "10.96.35.212", + "10.206.197.113" + ], + "related.user": [ + "mol" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "tvol", + "rsa.misc.event_type": "ididu", + "rsa.misc.obj_name": "aali", + "rsa.misc.policy_name": "ametcons", + "rsa.misc.reference_id": "imav", + "rsa.misc.rule_name": "amquisno", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3341", + "rsa.network.alias_host": [ + "emquiavo452.internal.localhost" + ], + "rsa.network.vlan": 4125, + "rsa.time.event_time_str": "Mar", + "rule.name": "amquisno", + "service.type": "f5", + "source.geo.country_name": "umdolore", + "source.ip": [ + "10.159.182.171" + ], + "source.nat.ip": "10.206.197.113", + "source.nat.port": 4075, + "source.port": 6680, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "mol" + }, + { + "destination.geo.country_name": "rnatura", + "destination.nat.ip": "10.169.144.147", + "destination.nat.port": 2399, + "destination.port": 3007, + "event.action": "Drop", + "event.code": "liq", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "iqu ollit usan6343.www5.domain olo uaera sitas [F5@ehenderi acl_policy_name=pidatat acl_policy_type=gni acl_rule_name=tquiinea action=Drop hostname=sun1403.www.invalid bigip_mgmt_ip=10.126.177.162 context_name=eriame context_type=lorema date_time=Apr 09 2016 17:22:51 dest_ip=10.213.82.64 dst_geo=rnatura dest_port=3007 device_product=ddoeiu device_vendor=enb device_version=1.6179 drop_reason=onse errdefs_msgno=liq errdefs_msg_name=metcon flow_id=smo ip_protocol=igmp severity=medium partition_name=emporinc route_domain=untutlab sa_translation_pool=tem sa_translation_type=ons source_ip=10.213.113.28 src_geo=ali source_port=6446 source_user=ist translated_dest_ip=10.169.144.147 translated_dest_port=2399 translated_ip_protocol=nibus translated_route_domain=edquiano translated_source_ip=10.89.163.114 translated_source_port=5166 translated_vlan=par vlan=686", + "fileset.name": "bigipafm", + "host.ip": "10.126.177.162", + "host.name": "sun1403.www.invalid", + "input.type": "log", + "log.level": "medium", + "log.offset": 4369, + "network.protocol": "igmp", + "observer.product": "ddoeiu", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.6179", + "related.hosts": [ + "sun1403.www.invalid" + ], + "related.ip": [ + "10.126.177.162", + "10.213.113.28", + "10.169.144.147", + "10.89.163.114" + ], + "related.user": [ + "ist" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "eriame", + "rsa.misc.event_type": "metcon", + "rsa.misc.obj_name": "ehenderi", + "rsa.misc.policy_name": "pidatat", + "rsa.misc.reference_id": "liq", + "rsa.misc.rule_name": "tquiinea", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.6179", + "rsa.network.alias_host": [ + "sun1403.www.invalid" + ], + "rsa.network.vlan": 686, + "rsa.time.event_time_str": "Apr", + "rule.name": "tquiinea", + "service.type": "f5", + "source.geo.country_name": "ali", + "source.ip": [ + "10.213.113.28" + ], + "source.nat.ip": "10.89.163.114", + "source.nat.port": 5166, + "source.port": 6446, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "ist" + }, + { + "destination.geo.country_name": "qua", + "destination.nat.ip": "10.101.223.43", + "destination.nat.port": 6494, + "destination.port": 2945, + "event.action": "Closed", + "event.code": "tinvol", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "rveli rsint omm4276.www.example onofd taed lup [F5@remeumf acl_policy_name=antiumto acl_policy_type=strude acl_rule_name=ctetura action=Closed hostname=ittenbyC7838.api.localdomain bigip_mgmt_ip=10.18.124.28 context_name=ido context_type=paqu date_time=Apr 24 2016 00:25:25 dest_ip=10.158.194.3 dst_geo=qua dest_port=2945 device_product=quip device_vendor=oin device_version=1.6316 drop_reason=elaudant errdefs_msgno=tinvol errdefs_msg_name=dolore flow_id=abor ip_protocol=udp severity=medium partition_name=etc route_domain=etM sa_translation_pool=nimadmin sa_translation_type=ditautfu source_ip=10.146.88.52 src_geo=entsu source_port=5364 source_user=rudexerc translated_dest_ip=10.101.223.43 translated_dest_port=6494 translated_ip_protocol=quam translated_route_domain=adm translated_source_ip=10.103.107.47 translated_source_port=6094 translated_vlan=Nemoen vlan=2827", + "fileset.name": "bigipafm", + "host.ip": "10.18.124.28", + "host.name": "ittenbyC7838.api.localdomain", + "input.type": "log", + "log.level": "medium", + "log.offset": 5232, + "network.protocol": "udp", + "observer.product": "quip", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.6316", + "related.hosts": [ + "ittenbyC7838.api.localdomain" + ], + "related.ip": [ + "10.101.223.43", + "10.18.124.28", + "10.103.107.47", + "10.146.88.52" + ], + "related.user": [ + "rudexerc" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "ido", + "rsa.misc.event_type": "dolore", + "rsa.misc.obj_name": "remeumf", + "rsa.misc.policy_name": "antiumto", + "rsa.misc.reference_id": "tinvol", + "rsa.misc.rule_name": "ctetura", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.6316", + "rsa.network.alias_host": [ + "ittenbyC7838.api.localdomain" + ], + "rsa.network.vlan": 2827, + "rsa.time.event_time_str": "Apr", + "rule.name": "ctetura", + "service.type": "f5", + "source.geo.country_name": "entsu", + "source.ip": [ + "10.146.88.52" + ], + "source.nat.ip": "10.103.107.47", + "source.nat.port": 6094, + "source.port": 5364, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "rudexerc" + }, + { + "destination.geo.country_name": "ivelits", + "destination.nat.ip": "10.110.99.17", + "destination.nat.port": 6888, + "destination.port": 712, + "event.action": "Reject", + "event.code": "ommod", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "icab mwr fugi4637.www.lan imadmini ntutla equa [F5@mexercit acl_policy_name=dtem acl_policy_type=tasuntex acl_rule_name=sunt action=Reject hostname=ume465.corp bigip_mgmt_ip=10.189.109.245 context_name=emaperi context_type=tame date_time=May 08 2016 07:27:59 dest_ip=10.83.234.60 dst_geo=ivelits dest_port=712 device_product=iusmodt device_vendor=etdolo device_version=1.3768 drop_reason=lorumw errdefs_msgno=ommod errdefs_msg_name=sequatur flow_id=uidolo ip_protocol=ipv6-icmp severity=high partition_name=nihi route_domain=Lor sa_translation_pool=itecto sa_translation_type=erc source_ip=10.69.57.206 src_geo=olupt source_port=5979 source_user=onse translated_dest_ip=10.110.99.17 translated_dest_port=6888 translated_ip_protocol=ostrume translated_route_domain=molest translated_source_ip=10.150.220.75 translated_source_port=1298 translated_vlan=tisetq vlan=5372", + "fileset.name": "bigipafm", + "host.ip": "10.189.109.245", + "host.name": "ume465.corp", + "input.type": "log", + "log.level": "high", + "log.offset": 6105, + "network.protocol": "ipv6-icmp", + "observer.product": "iusmodt", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.3768", + "related.hosts": [ + "ume465.corp" + ], + "related.ip": [ + "10.150.220.75", + "10.189.109.245", + "10.69.57.206", + "10.110.99.17" + ], + "related.user": [ + "onse" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "emaperi", + "rsa.misc.event_type": "sequatur", + "rsa.misc.obj_name": "mexercit", + "rsa.misc.policy_name": "dtem", + "rsa.misc.reference_id": "ommod", + "rsa.misc.rule_name": "sunt", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.3768", + "rsa.network.alias_host": [ + "ume465.corp" + ], + "rsa.network.vlan": 5372, + "rsa.time.event_time_str": "May", + "rule.name": "sunt", + "service.type": "f5", + "source.geo.country_name": "olupt", + "source.ip": [ + "10.69.57.206" + ], + "source.nat.ip": "10.150.220.75", + "source.nat.port": 1298, + "source.port": 5979, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "onse" + }, + { + "destination.geo.country_name": "nidolo", + "destination.nat.ip": "10.19.194.101", + "destination.nat.port": 3605, + "destination.port": 3409, + "event.action": "Drop", + "event.code": "Loremip", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "ici giatquov eritquii3561.www.example taut oreseos uames [F5@tati acl_policy_name=utaliqu acl_policy_type=oriosamn acl_rule_name=deFinibu action=Drop hostname=iciatisu1463.www5.localdomain bigip_mgmt_ip=10.153.136.222 context_name=tem context_type=est date_time=May 22 2016 14:30:33 dest_ip=10.176.205.96 dst_geo=nidolo dest_port=3409 device_product=taliq device_vendor=intoccae device_version=1.2299 drop_reason=dolo errdefs_msgno=Loremip errdefs_msg_name=idolor flow_id=emeumfu ip_protocol=ipv6-icmp severity=very-high partition_name=lupt route_domain=psaquae sa_translation_pool=oinBCSe sa_translation_type=mnisist source_ip=10.199.34.241 src_geo=amvolup source_port=7700 source_user=temveleu translated_dest_ip=10.19.194.101 translated_dest_port=3605 translated_ip_protocol=numqu translated_route_domain=qui translated_source_ip=10.121.219.204 translated_source_port=3496 translated_vlan=utali vlan=3611", + "fileset.name": "bigipafm", + "host.ip": "10.153.136.222", + "host.name": "iciatisu1463.www5.localdomain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 6972, + "network.protocol": "ipv6-icmp", + "observer.product": "taliq", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.2299", + "related.hosts": [ + "iciatisu1463.www5.localdomain" + ], + "related.ip": [ + "10.199.34.241", + "10.121.219.204", + "10.153.136.222", + "10.19.194.101" + ], + "related.user": [ + "temveleu" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "tem", + "rsa.misc.event_type": "idolor", + "rsa.misc.obj_name": "tati", + "rsa.misc.policy_name": "utaliqu", + "rsa.misc.reference_id": "Loremip", + "rsa.misc.rule_name": "deFinibu", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.2299", + "rsa.network.alias_host": [ + "iciatisu1463.www5.localdomain" + ], + "rsa.network.vlan": 3611, + "rsa.time.event_time_str": "May", + "rule.name": "deFinibu", + "service.type": "f5", + "source.geo.country_name": "amvolup", + "source.ip": [ + "10.199.34.241" + ], + "source.nat.ip": "10.121.219.204", + "source.nat.port": 3496, + "source.port": 7700, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "temveleu" + }, + { + "destination.geo.country_name": "usmodt", + "destination.nat.ip": "10.57.103.192", + "destination.nat.port": 2716, + "destination.port": 1837, + "event.action": "Reject", + "event.code": "llu", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "reetd lumqui itinvo7084.mail.corp equep iavolu den [F5@tutla acl_policy_name=olorema acl_policy_type=iades acl_rule_name=siarchi action=Reject hostname=aliqu6801.api.localdomain bigip_mgmt_ip=10.46.27.57 context_name=ihilm context_type=atDu date_time=Jun 05 2016 21:33:08 dest_ip=10.128.232.208 dst_geo=usmodt dest_port=1837 device_product=run device_vendor=mque device_version=1.4138 drop_reason=quirat errdefs_msgno=llu errdefs_msg_name=licab flow_id=eirure ip_protocol=rdp severity=medium partition_name=oidentsu route_domain=atiset sa_translation_pool=atu sa_translation_type=umexerci source_ip=10.64.141.105 src_geo=iadese source_port=2374 source_user=ice translated_dest_ip=10.57.103.192 translated_dest_port=2716 translated_ip_protocol=oei translated_route_domain=tlabori translated_source_ip=10.182.199.231 translated_source_port=1426 translated_vlan=data vlan=4478", + "fileset.name": "bigipafm", + "host.ip": "10.46.27.57", + "host.name": "aliqu6801.api.localdomain", + "input.type": "log", + "log.level": "medium", + "log.offset": 7880, + "network.protocol": "rdp", + "observer.product": "run", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.4138", + "related.hosts": [ + "aliqu6801.api.localdomain" + ], + "related.ip": [ + "10.57.103.192", + "10.64.141.105", + "10.46.27.57", + "10.182.199.231" + ], + "related.user": [ + "ice" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "ihilm", + "rsa.misc.event_type": "licab", + "rsa.misc.obj_name": "tutla", + "rsa.misc.policy_name": "olorema", + "rsa.misc.reference_id": "llu", + "rsa.misc.rule_name": "siarchi", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.4138", + "rsa.network.alias_host": [ + "aliqu6801.api.localdomain" + ], + "rsa.network.vlan": 4478, + "rsa.time.event_time_str": "Jun", + "rule.name": "siarchi", + "service.type": "f5", + "source.geo.country_name": "iadese", + "source.ip": [ + "10.64.141.105" + ], + "source.nat.ip": "10.182.199.231", + "source.nat.port": 1426, + "source.port": 2374, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "ice" + }, + { + "destination.geo.country_name": "serunt", + "destination.nat.ip": "10.160.210.31", + "destination.nat.port": 7741, + "destination.port": 7865, + "event.action": "Closed", + "event.code": "eaq", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "nnum eritqu uradip7152.www5.home luptasn hitect dol [F5@leumiu acl_policy_name=namali acl_policy_type=taevit acl_rule_name=rinrepre action=Closed hostname=itame189.domain bigip_mgmt_ip=10.32.67.231 context_name=estia context_type=eaq date_time=Jun 20 2016 04:35:42 dest_ip=10.66.80.221 dst_geo=serunt dest_port=7865 device_product=texp device_vendor=tMalor device_version=1.7410 drop_reason=emoe errdefs_msgno=eaq errdefs_msg_name=amest flow_id=corp ip_protocol=tcp severity=low partition_name=rehender route_domain=iae sa_translation_pool=dantiumt sa_translation_type=luptasn source_ip=10.164.6.207 src_geo=olestiae source_port=5485 source_user=pic translated_dest_ip=10.160.210.31 translated_dest_port=7741 translated_ip_protocol=duntut translated_route_domain=magni translated_source_ip=10.3.134.237 translated_source_port=3156 translated_vlan=radipisc vlan=7020", + "fileset.name": "bigipafm", + "host.ip": "10.32.67.231", + "host.name": "itame189.domain", + "input.type": "log", + "log.level": "low", + "log.offset": 8754, + "network.protocol": "tcp", + "observer.product": "texp", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.7410", + "related.hosts": [ + "itame189.domain" + ], + "related.ip": [ + "10.32.67.231", + "10.3.134.237", + "10.160.210.31", + "10.164.6.207" + ], + "related.user": [ + "pic" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "estia", + "rsa.misc.event_type": "amest", + "rsa.misc.obj_name": "leumiu", + "rsa.misc.policy_name": "namali", + "rsa.misc.reference_id": "eaq", + "rsa.misc.rule_name": "rinrepre", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.7410", + "rsa.network.alias_host": [ + "itame189.domain" + ], + "rsa.network.vlan": 7020, + "rsa.time.event_time_str": "Jun", + "rule.name": "rinrepre", + "service.type": "f5", + "source.geo.country_name": "olestiae", + "source.ip": [ + "10.164.6.207" + ], + "source.nat.ip": "10.3.134.237", + "source.nat.port": 3156, + "source.port": 5485, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "pic" + }, + { + "destination.geo.country_name": "beata", + "destination.nat.ip": "10.42.138.192", + "destination.nat.port": 3403, + "destination.port": 6448, + "event.action": "Established", + "event.code": "uela", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "fficiade uscipit vitaedi1318.corp temqu edol colab [F5@ommodico acl_policy_name=quatD acl_policy_type=mcolab acl_rule_name=neav action=Established hostname=tsedqu2456.www5.invalid bigip_mgmt_ip=10.182.178.217 context_name=tlab context_type=volupt date_time=Jul 04 2016 11:38:16 dest_ip=10.188.169.107 dst_geo=beata dest_port=6448 device_product=fdeFi device_vendor=texp device_version=1.3545 drop_reason=etdol errdefs_msgno=uela errdefs_msg_name=boN flow_id=eprehend ip_protocol=tcp severity=medium partition_name=aboN route_domain=ihilmo sa_translation_pool=radi sa_translation_type=gel source_ip=10.235.101.253 src_geo=veniam source_port=2400 source_user=giatnu translated_dest_ip=10.42.138.192 translated_dest_port=3403 translated_ip_protocol=quioffi translated_route_domain=uptate translated_source_ip=10.201.6.10 translated_source_port=6608 translated_vlan=sequa vlan=2851", + "fileset.name": "bigipafm", + "host.ip": "10.182.178.217", + "host.name": "tsedqu2456.www5.invalid", + "input.type": "log", + "log.level": "medium", + "log.offset": 9620, + "network.protocol": "tcp", + "observer.product": "fdeFi", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.3545", + "related.hosts": [ + "tsedqu2456.www5.invalid" + ], + "related.ip": [ + "10.42.138.192", + "10.201.6.10", + "10.235.101.253", + "10.182.178.217" + ], + "related.user": [ + "giatnu" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "tlab", + "rsa.misc.event_type": "boN", + "rsa.misc.obj_name": "ommodico", + "rsa.misc.policy_name": "quatD", + "rsa.misc.reference_id": "uela", + "rsa.misc.rule_name": "neav", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.3545", + "rsa.network.alias_host": [ + "tsedqu2456.www5.invalid" + ], + "rsa.network.vlan": 2851, + "rsa.time.event_time_str": "Jul", + "rule.name": "neav", + "service.type": "f5", + "source.geo.country_name": "veniam", + "source.ip": [ + "10.235.101.253" + ], + "source.nat.ip": "10.201.6.10", + "source.nat.port": 6608, + "source.port": 2400, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "giatnu" + }, + { + "destination.geo.country_name": "enderit", + "destination.nat.ip": "10.194.247.171", + "destination.nat.port": 4940, + "destination.port": 5858, + "event.action": "Closed", + "event.code": "Utenimad", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "ate aliquam nimid893.mail.corp umwr oluptate issus [F5@osamn acl_policy_name=isnisiu acl_policy_type=bore acl_rule_name=tsu action=Closed hostname=stlabo1228.mail.host bigip_mgmt_ip=10.151.161.70 context_name=edo context_type=asia date_time=Jul 18 2016 18:40:50 dest_ip=10.108.167.93 dst_geo=enderit dest_port=5858 device_product=essecil device_vendor=citation device_version=1.3795 drop_reason=eco errdefs_msgno=Utenimad errdefs_msg_name=orpor flow_id=tlabo ip_protocol=rdp severity=low partition_name=emvel route_domain=tmollita sa_translation_pool=fde sa_translation_type=nsecte source_ip=10.22.102.198 src_geo=eroi source_port=176 source_user=nse translated_dest_ip=10.194.247.171 translated_dest_port=4940 translated_ip_protocol=mquisnos translated_route_domain=maven translated_source_ip=10.86.101.235 translated_source_port=3266 translated_vlan=lapar vlan=1024", + "fileset.name": "bigipafm", + "host.ip": "10.151.161.70", + "host.name": "stlabo1228.mail.host", + "input.type": "log", + "log.level": "low", + "log.offset": 10498, + "network.protocol": "rdp", + "observer.product": "essecil", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.3795", + "related.hosts": [ + "stlabo1228.mail.host" + ], + "related.ip": [ + "10.86.101.235", + "10.194.247.171", + "10.151.161.70", + "10.22.102.198" + ], + "related.user": [ + "nse" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "edo", + "rsa.misc.event_type": "orpor", + "rsa.misc.obj_name": "osamn", + "rsa.misc.policy_name": "isnisiu", + "rsa.misc.reference_id": "Utenimad", + "rsa.misc.rule_name": "tsu", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3795", + "rsa.network.alias_host": [ + "stlabo1228.mail.host" + ], + "rsa.network.vlan": 1024, + "rsa.time.event_time_str": "Jul", + "rule.name": "tsu", + "service.type": "f5", + "source.geo.country_name": "eroi", + "source.ip": [ + "10.22.102.198" + ], + "source.nat.ip": "10.86.101.235", + "source.nat.port": 3266, + "source.port": 176, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "nse" + }, + { + "destination.geo.country_name": "mve", + "destination.nat.ip": "10.107.168.60", + "destination.nat.port": 2227, + "destination.port": 513, + "event.action": "Reject", + "event.code": "volupt", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "tfu udan orema6040.api.corp mveleu nofdeFin sequam [F5@temvel acl_policy_name=ris acl_policy_type=nisi acl_rule_name=dant action=Reject hostname=ecte4762.local bigip_mgmt_ip=10.204.35.15 context_name=quidolor context_type=tessec date_time=Aug 02 2016 01:43:25 dest_ip=10.135.160.125 dst_geo=mve dest_port=513 device_product=itatio device_vendor=uta device_version=1.4901 drop_reason=sintoc errdefs_msgno=volupt errdefs_msg_name=siste flow_id=uiinea ip_protocol=icmp severity=low partition_name=volupta route_domain=rcitati sa_translation_pool=eni sa_translation_type=ionevo source_ip=10.174.252.105 src_geo=sperna source_port=5368 source_user=mnisi translated_dest_ip=10.107.168.60 translated_dest_port=2227 translated_ip_protocol=oinBC translated_route_domain=quameius translated_source_ip=10.167.172.155 translated_source_port=3544 translated_vlan=etdo vlan=706", + "fileset.name": "bigipafm", + "host.ip": "10.204.35.15", + "host.name": "ecte4762.local", + "input.type": "log", + "log.level": "low", + "log.offset": 11366, + "network.protocol": "icmp", + "observer.product": "itatio", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.4901", + "related.hosts": [ + "ecte4762.local" + ], + "related.ip": [ + "10.174.252.105", + "10.204.35.15", + "10.107.168.60", + "10.167.172.155" + ], + "related.user": [ + "mnisi" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "quidolor", + "rsa.misc.event_type": "siste", + "rsa.misc.obj_name": "temvel", + "rsa.misc.policy_name": "ris", + "rsa.misc.reference_id": "volupt", + "rsa.misc.rule_name": "dant", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.4901", + "rsa.network.alias_host": [ + "ecte4762.local" + ], + "rsa.network.vlan": 706, + "rsa.time.event_time_str": "Aug", + "rule.name": "dant", + "service.type": "f5", + "source.geo.country_name": "sperna", + "source.ip": [ + "10.174.252.105" + ], + "source.nat.ip": "10.167.172.155", + "source.nat.port": 3544, + "source.port": 5368, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "mnisi" + }, + { + "destination.geo.country_name": "quinesc", + "destination.nat.ip": "10.182.191.174", + "destination.nat.port": 1759, + "destination.port": 6218, + "event.action": "Drop", + "event.code": "orem", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "ese isaute ptatemq95.api.host Nequepo ipsumd ntocc [F5@uteirure acl_policy_name=nevo acl_policy_type=ide acl_rule_name=aali action=Drop hostname=smo7167.www.test bigip_mgmt_ip=10.214.249.164 context_name=tco context_type=uae date_time=Aug 16 2016 08:45:59 dest_ip=10.187.20.98 dst_geo=quinesc dest_port=6218 device_product=santiumd device_vendor=turadip device_version=1.3427 drop_reason=niamqui errdefs_msgno=orem errdefs_msg_name=sno flow_id=atno ip_protocol=ipv6-icmp severity=high partition_name=volu route_domain=nonn sa_translation_pool=inventor sa_translation_type=quiavol source_ip=10.99.249.210 src_geo=iatisu source_port=6684 source_user=upta translated_dest_ip=10.182.191.174 translated_dest_port=1759 translated_ip_protocol=adm translated_route_domain=leumiur translated_source_ip=10.81.26.208 translated_source_port=7651 translated_vlan=isc vlan=5933", + "fileset.name": "bigipafm", + "host.ip": "10.214.249.164", + "host.name": "smo7167.www.test", + "input.type": "log", + "log.level": "high", + "log.offset": 12230, + "network.protocol": "ipv6-icmp", + "observer.product": "santiumd", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.3427", + "related.hosts": [ + "smo7167.www.test" + ], + "related.ip": [ + "10.99.249.210", + "10.182.191.174", + "10.81.26.208", + "10.214.249.164" + ], + "related.user": [ + "upta" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "tco", + "rsa.misc.event_type": "sno", + "rsa.misc.obj_name": "uteirure", + "rsa.misc.policy_name": "nevo", + "rsa.misc.reference_id": "orem", + "rsa.misc.rule_name": "aali", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.3427", + "rsa.network.alias_host": [ + "smo7167.www.test" + ], + "rsa.network.vlan": 5933, + "rsa.time.event_time_str": "Aug", + "rule.name": "aali", + "service.type": "f5", + "source.geo.country_name": "iatisu", + "source.ip": [ + "10.99.249.210" + ], + "source.nat.ip": "10.81.26.208", + "source.nat.port": 7651, + "source.port": 6684, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "upta" + }, + { + "destination.geo.country_name": "eriti", + "destination.nat.ip": "10.88.101.53", + "destination.nat.port": 2458, + "destination.port": 2201, + "event.action": "Drop", + "event.code": "quameius", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "tobea tor qui4499.api.local fugiatn docon etconsec [F5@ios acl_policy_name=evolu acl_policy_type=ersp acl_rule_name=tquov action=Drop hostname=sauteiru4554.api.domain bigip_mgmt_ip=10.220.5.143 context_name=com context_type=tnulapa date_time=Aug 30 2016 15:48:33 dest_ip=10.108.85.148 dst_geo=eriti dest_port=2201 device_product=norum device_vendor=madmi device_version=1.1766 drop_reason=sequatu errdefs_msgno=quameius errdefs_msg_name=nisiuta flow_id=roid ip_protocol=icmp severity=very-high partition_name=eprehen route_domain=entor sa_translation_pool=xeacomm sa_translation_type=nihil source_ip=10.101.226.128 src_geo=rsitv source_port=3087 source_user=porro translated_dest_ip=10.88.101.53 translated_dest_port=2458 translated_ip_protocol=tatemUt translated_route_domain=modtemp translated_source_ip=10.201.238.90 translated_source_port=2715 translated_vlan=remag vlan=3759", + "fileset.name": "bigipafm", + "host.ip": "10.220.5.143", + "host.name": "sauteiru4554.api.domain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 13094, + "network.protocol": "icmp", + "observer.product": "norum", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.1766", + "related.hosts": [ + "sauteiru4554.api.domain" + ], + "related.ip": [ + "10.88.101.53", + "10.201.238.90", + "10.220.5.143", + "10.101.226.128" + ], + "related.user": [ + "porro" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "com", + "rsa.misc.event_type": "nisiuta", + "rsa.misc.obj_name": "ios", + "rsa.misc.policy_name": "evolu", + "rsa.misc.reference_id": "quameius", + "rsa.misc.rule_name": "tquov", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.1766", + "rsa.network.alias_host": [ + "sauteiru4554.api.domain" + ], + "rsa.network.vlan": 3759, + "rsa.time.event_time_str": "Aug", + "rule.name": "tquov", + "service.type": "f5", + "source.geo.country_name": "rsitv", + "source.ip": [ + "10.101.226.128" + ], + "source.nat.ip": "10.201.238.90", + "source.nat.port": 2715, + "source.port": 3087, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "porro" + }, + { + "destination.geo.country_name": "untu", + "destination.nat.ip": "10.30.133.66", + "destination.nat.port": 1921, + "destination.port": 5676, + "event.action": "Reject", + "event.code": "ium", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "ccaecat tquiin tse4198.www.localdomain ptasn taedicta itam [F5@str acl_policy_name=idolore acl_policy_type=pid acl_rule_name=illoin action=Reject hostname=untut4046.internal.domain bigip_mgmt_ip=10.217.150.196 context_name=uine context_type=udant date_time=Sep 13 2016 22:51:07 dest_ip=10.183.59.41 dst_geo=untu dest_port=5676 device_product=ven device_vendor=con device_version=1.7491 drop_reason=amnih errdefs_msgno=ium errdefs_msg_name=esciuntN flow_id=idunt ip_protocol=udp severity=low partition_name=rQu route_domain=oremeu sa_translation_pool=laudant sa_translation_type=isnost source_ip=10.157.18.252 src_geo=itess source_port=52 source_user=evit translated_dest_ip=10.30.133.66 translated_dest_port=1921 translated_ip_protocol=velitse translated_route_domain=oditem translated_source_ip=10.243.218.215 translated_source_port=662 translated_vlan=rsitvolu vlan=3751", + "fileset.name": "bigipafm", + "host.ip": "10.217.150.196", + "host.name": "untut4046.internal.domain", + "input.type": "log", + "log.level": "low", + "log.offset": 13974, + "network.protocol": "udp", + "observer.product": "ven", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.7491", + "related.hosts": [ + "untut4046.internal.domain" + ], + "related.ip": [ + "10.243.218.215", + "10.217.150.196", + "10.157.18.252", + "10.30.133.66" + ], + "related.user": [ + "evit" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "uine", + "rsa.misc.event_type": "esciuntN", + "rsa.misc.obj_name": "str", + "rsa.misc.policy_name": "idolore", + "rsa.misc.reference_id": "ium", + "rsa.misc.rule_name": "illoin", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.7491", + "rsa.network.alias_host": [ + "untut4046.internal.domain" + ], + "rsa.network.vlan": 3751, + "rsa.time.event_time_str": "Sep", + "rule.name": "illoin", + "service.type": "f5", + "source.geo.country_name": "itess", + "source.ip": [ + "10.157.18.252" + ], + "source.nat.ip": "10.243.218.215", + "source.nat.port": 662, + "source.port": 52, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "evit" + }, + { + "destination.geo.country_name": "iduntu", + "destination.nat.ip": "10.181.133.187", + "destination.nat.port": 1079, + "destination.port": 1655, + "event.action": "Accept", + "event.code": "acommo", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "sumdolor meaqueip npr4414.api.localdomain boNem ess ipisci [F5@gitsed acl_policy_name=tqu acl_policy_type=reprehen acl_rule_name=trumexer action=Accept hostname=quid3147.mail.home bigip_mgmt_ip=10.66.181.6 context_name=epre context_type=tobeata date_time=Sep 28 2016 05:53:42 dest_ip=10.181.53.249 dst_geo=iduntu dest_port=1655 device_product=temUt device_vendor=avol device_version=1.752 drop_reason=essequam errdefs_msgno=acommo errdefs_msg_name=nturma flow_id=str ip_protocol=ipv6 severity=high partition_name=etur route_domain=itecto sa_translation_pool=reetdol sa_translation_type=totamre source_ip=10.148.161.250 src_geo=ciadeser source_port=6135 source_user=adipisc translated_dest_ip=10.181.133.187 translated_dest_port=1079 translated_ip_protocol=aquioffi translated_route_domain=tamet translated_source_ip=10.167.227.44 translated_source_port=6595 translated_vlan=eFi vlan=6733", + "fileset.name": "bigipafm", + "host.ip": "10.66.181.6", + "host.name": "quid3147.mail.home", + "input.type": "log", + "log.level": "high", + "log.offset": 14847, + "network.protocol": "ipv6", + "observer.product": "temUt", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.752", + "related.hosts": [ + "quid3147.mail.home" + ], + "related.ip": [ + "10.167.227.44", + "10.181.133.187", + "10.148.161.250", + "10.66.181.6" + ], + "related.user": [ + "adipisc" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Accept" + ], + "rsa.misc.context": "epre", + "rsa.misc.event_type": "nturma", + "rsa.misc.obj_name": "gitsed", + "rsa.misc.policy_name": "tqu", + "rsa.misc.reference_id": "acommo", + "rsa.misc.rule_name": "trumexer", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.752", + "rsa.network.alias_host": [ + "quid3147.mail.home" + ], + "rsa.network.vlan": 6733, + "rsa.time.event_time_str": "Sep", + "rule.name": "trumexer", + "service.type": "f5", + "source.geo.country_name": "ciadeser", + "source.ip": [ + "10.148.161.250" + ], + "source.nat.ip": "10.167.227.44", + "source.nat.port": 6595, + "source.port": 6135, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "adipisc" + }, + { + "destination.geo.country_name": "psaquaea", + "destination.nat.ip": "10.107.9.163", + "destination.nat.port": 5433, + "destination.port": 1348, + "event.action": "Reject", + "event.code": "piscinge", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "its ender riamea1540.www.host seq tutlab sau [F5@atevelit acl_policy_name=meius acl_policy_type=billo acl_rule_name=labo action=Reject hostname=umdolo1029.mail.localhost bigip_mgmt_ip=10.54.17.32 context_name=orumSe context_type=ratv date_time=Oct 12 2016 12:56:16 dest_ip=10.119.81.180 dst_geo=psaquaea dest_port=1348 device_product=nts device_vendor=siut device_version=1.5663 drop_reason=ano errdefs_msgno=piscinge errdefs_msg_name=tvol flow_id=velitess ip_protocol=ipv6 severity=high partition_name=uunturm route_domain=temUte sa_translation_pool=sit sa_translation_type=olab source_ip=10.84.163.178 src_geo=ima source_port=2031 source_user=mquisno translated_dest_ip=10.107.9.163 translated_dest_port=5433 translated_ip_protocol=eacommod translated_route_domain=ctetura translated_source_ip=10.74.11.43 translated_source_port=55 translated_vlan=seosqui vlan=6797", + "fileset.name": "bigipafm", + "host.ip": "10.54.17.32", + "host.name": "umdolo1029.mail.localhost", + "input.type": "log", + "log.level": "high", + "log.offset": 15735, + "network.protocol": "ipv6", + "observer.product": "nts", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.5663", + "related.hosts": [ + "umdolo1029.mail.localhost" + ], + "related.ip": [ + "10.74.11.43", + "10.54.17.32", + "10.84.163.178", + "10.107.9.163" + ], + "related.user": [ + "mquisno" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "orumSe", + "rsa.misc.event_type": "tvol", + "rsa.misc.obj_name": "atevelit", + "rsa.misc.policy_name": "meius", + "rsa.misc.reference_id": "piscinge", + "rsa.misc.rule_name": "labo", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.5663", + "rsa.network.alias_host": [ + "umdolo1029.mail.localhost" + ], + "rsa.network.vlan": 6797, + "rsa.time.event_time_str": "Oct", + "rule.name": "labo", + "service.type": "f5", + "source.geo.country_name": "ima", + "source.ip": [ + "10.84.163.178" + ], + "source.nat.ip": "10.74.11.43", + "source.nat.port": 55, + "source.port": 2031, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "mquisno" + }, + { + "destination.geo.country_name": "odoconse", + "destination.nat.ip": "10.184.73.211", + "destination.nat.port": 6540, + "destination.port": 228, + "event.action": "Accept", + "event.code": "labo", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "uradi tot llamco7206.www.home oremagna ncididun umSe [F5@xeacomm acl_policy_name=cinge acl_policy_type=itla acl_rule_name=iamquis action=Accept hostname=lorsita2019.internal.home bigip_mgmt_ip=10.192.229.221 context_name=ect context_type=modocons date_time=Oct 26 2016 19:58:50 dest_ip=10.199.194.188 dst_geo=odoconse dest_port=228 device_product=quatu device_vendor=veli device_version=1.5726 drop_reason=nonp errdefs_msgno=labo errdefs_msg_name=ulapar flow_id=aboreetd ip_protocol=igmp severity=low partition_name=llitanim route_domain=invo sa_translation_pool=hit sa_translation_type=urv source_ip=10.112.32.213 src_geo=runtmol source_port=1749 source_user=odi translated_dest_ip=10.184.73.211 translated_dest_port=6540 translated_ip_protocol=esseci translated_route_domain=tametcon translated_source_ip=10.230.129.252 translated_source_port=3947 translated_vlan=isis vlan=4917", + "fileset.name": "bigipafm", + "host.ip": "10.192.229.221", + "host.name": "lorsita2019.internal.home", + "input.type": "log", + "log.level": "low", + "log.offset": 16603, + "network.protocol": "igmp", + "observer.product": "quatu", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.5726", + "related.hosts": [ + "lorsita2019.internal.home" + ], + "related.ip": [ + "10.230.129.252", + "10.184.73.211", + "10.192.229.221", + "10.112.32.213" + ], + "related.user": [ + "odi" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Accept" + ], + "rsa.misc.context": "ect", + "rsa.misc.event_type": "ulapar", + "rsa.misc.obj_name": "xeacomm", + "rsa.misc.policy_name": "cinge", + "rsa.misc.reference_id": "labo", + "rsa.misc.rule_name": "iamquis", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.5726", + "rsa.network.alias_host": [ + "lorsita2019.internal.home" + ], + "rsa.network.vlan": 4917, + "rsa.time.event_time_str": "Oct", + "rule.name": "iamquis", + "service.type": "f5", + "source.geo.country_name": "runtmol", + "source.ip": [ + "10.112.32.213" + ], + "source.nat.ip": "10.230.129.252", + "source.nat.port": 3947, + "source.port": 1749, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "odi" + }, + { + "destination.geo.country_name": "doloreme", + "destination.nat.ip": "10.198.213.189", + "destination.nat.port": 5024, + "destination.port": 60, + "event.action": "Reject", + "event.code": "itse", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "utlab emUteni rum959.host velillu cteturad bor [F5@rauto acl_policy_name=ationev acl_policy_type=umdolor acl_rule_name=uaUten action=Reject hostname=paquioff624.mail.invalid bigip_mgmt_ip=10.161.148.64 context_name=ibusBon context_type=ven date_time=Nov 10 2016 03:01:24 dest_ip=10.162.114.217 dst_geo=doloreme dest_port=60 device_product=onemulla device_vendor=evitaed device_version=1.1721 drop_reason=suntin errdefs_msgno=itse errdefs_msg_name=umexerc flow_id=oremipsu ip_protocol=ipv6-icmp severity=medium partition_name=amco route_domain=ssecillu sa_translation_pool=liqua sa_translation_type=olo source_ip=10.199.216.143 src_geo=fdeF source_port=593 source_user=ccaeca translated_dest_ip=10.198.213.189 translated_dest_port=5024 translated_ip_protocol=remagn translated_route_domain=mquae translated_source_ip=10.7.200.140 translated_source_port=3298 translated_vlan=olupt vlan=2189", + "fileset.name": "bigipafm", + "host.ip": "10.161.148.64", + "host.name": "paquioff624.mail.invalid", + "input.type": "log", + "log.level": "medium", + "log.offset": 17484, + "network.protocol": "ipv6-icmp", + "observer.product": "onemulla", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.1721", + "related.hosts": [ + "paquioff624.mail.invalid" + ], + "related.ip": [ + "10.161.148.64", + "10.199.216.143", + "10.7.200.140", + "10.198.213.189" + ], + "related.user": [ + "ccaeca" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "ibusBon", + "rsa.misc.event_type": "umexerc", + "rsa.misc.obj_name": "rauto", + "rsa.misc.policy_name": "ationev", + "rsa.misc.reference_id": "itse", + "rsa.misc.rule_name": "uaUten", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.1721", + "rsa.network.alias_host": [ + "paquioff624.mail.invalid" + ], + "rsa.network.vlan": 2189, + "rsa.time.event_time_str": "Nov", + "rule.name": "uaUten", + "service.type": "f5", + "source.geo.country_name": "fdeF", + "source.ip": [ + "10.199.216.143" + ], + "source.nat.ip": "10.7.200.140", + "source.nat.port": 3298, + "source.port": 593, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "ccaeca" + }, + { + "destination.geo.country_name": "taedicta", + "destination.nat.ip": "10.128.157.27", + "destination.nat.port": 1493, + "destination.port": 3409, + "event.action": "Reject", + "event.code": "snost", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "edquiac urerepr eseru4234.mail.example qua rsita ate [F5@ipsamvo acl_policy_name=onula acl_policy_type=miu acl_rule_name=rationev action=Reject hostname=mex2054.mail.corp bigip_mgmt_ip=10.65.232.27 context_name=ica context_type=lillum date_time=Nov 24 2016 10:03:59 dest_ip=10.199.40.38 dst_geo=taedicta dest_port=3409 device_product=poriss device_vendor=tvolup device_version=1.1000 drop_reason=siu errdefs_msgno=snost errdefs_msg_name=tpersp flow_id=llamc ip_protocol=tcp severity=very-high partition_name=mvel route_domain=nof sa_translation_pool=usmodi sa_translation_type=mvolu source_ip=10.206.96.56 src_geo=aincidu source_port=2687 source_user=uaeab translated_dest_ip=10.128.157.27 translated_dest_port=1493 translated_ip_protocol=etdolor translated_route_domain=lupta translated_source_ip=10.22.187.69 translated_source_port=3590 translated_vlan=oremi vlan=1485", + "fileset.name": "bigipafm", + "host.ip": "10.65.232.27", + "host.name": "mex2054.mail.corp", + "input.type": "log", + "log.level": "very-high", + "log.offset": 18373, + "network.protocol": "tcp", + "observer.product": "poriss", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.1000", + "related.hosts": [ + "mex2054.mail.corp" + ], + "related.ip": [ + "10.206.96.56", + "10.22.187.69", + "10.128.157.27", + "10.65.232.27" + ], + "related.user": [ + "uaeab" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "ica", + "rsa.misc.event_type": "tpersp", + "rsa.misc.obj_name": "ipsamvo", + "rsa.misc.policy_name": "onula", + "rsa.misc.reference_id": "snost", + "rsa.misc.rule_name": "rationev", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.1000", + "rsa.network.alias_host": [ + "mex2054.mail.corp" + ], + "rsa.network.vlan": 1485, + "rsa.time.event_time_str": "Nov", + "rule.name": "rationev", + "service.type": "f5", + "source.geo.country_name": "aincidu", + "source.ip": [ + "10.206.96.56" + ], + "source.nat.ip": "10.22.187.69", + "source.nat.port": 3590, + "source.port": 2687, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "uaeab" + }, + { + "destination.geo.country_name": "dipisci", + "destination.nat.ip": "10.68.253.120", + "destination.nat.port": 481, + "destination.port": 3449, + "event.action": "Closed", + "event.code": "tae", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "nbyCi tevel usc5760.www5.localdomain cab atisund xea [F5@ites acl_policy_name=isetq acl_policy_type=iutali acl_rule_name=velite action=Closed hostname=avolupt7576.api.corp bigip_mgmt_ip=10.194.210.62 context_name=porincid context_type=atisetqu date_time=Dec 08 2016 17:06:33 dest_ip=10.51.213.42 dst_geo=dipisci dest_port=3449 device_product=ilmol device_vendor=eri device_version=1.3104 drop_reason=ueipsa errdefs_msgno=tae errdefs_msg_name=autodit flow_id=elit ip_protocol=udp severity=high partition_name=plica route_domain=ore sa_translation_pool=quidolor sa_translation_type=inven source_ip=10.71.114.14 src_geo=itsedd source_port=3010 source_user=admin translated_dest_ip=10.68.253.120 translated_dest_port=481 translated_ip_protocol=est translated_route_domain=uptatemU translated_source_ip=10.183.130.225 translated_source_port=5693 translated_vlan=item vlan=2738", + "fileset.name": "bigipafm", + "host.ip": "10.194.210.62", + "host.name": "avolupt7576.api.corp", + "input.type": "log", + "log.level": "high", + "log.offset": 19244, + "network.protocol": "udp", + "observer.product": "ilmol", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.3104", + "related.hosts": [ + "avolupt7576.api.corp" + ], + "related.ip": [ + "10.194.210.62", + "10.68.253.120", + "10.183.130.225", + "10.71.114.14" + ], + "related.user": [ + "admin" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "porincid", + "rsa.misc.event_type": "autodit", + "rsa.misc.obj_name": "ites", + "rsa.misc.policy_name": "isetq", + "rsa.misc.reference_id": "tae", + "rsa.misc.rule_name": "velite", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.3104", + "rsa.network.alias_host": [ + "avolupt7576.api.corp" + ], + "rsa.network.vlan": 2738, + "rsa.time.event_time_str": "Dec", + "rule.name": "velite", + "service.type": "f5", + "source.geo.country_name": "itsedd", + "source.ip": [ + "10.71.114.14" + ], + "source.nat.ip": "10.183.130.225", + "source.nat.port": 5693, + "source.port": 3010, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "admin" + }, + { + "destination.geo.country_name": "giatquov", + "destination.nat.ip": "10.47.255.237", + "destination.nat.port": 2311, + "destination.port": 1918, + "event.action": "Established", + "event.code": "labo", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "dat periam dqu6144.api.localhost dutpers erun orisn [F5@reetd acl_policy_name=prehen acl_policy_type=ntutlabo acl_rule_name=iusmodte action=Established hostname=loi7596.www5.home bigip_mgmt_ip=10.31.177.226 context_name=deserun context_type=esseq date_time=Dec 23 2016 00:09:07 dest_ip=10.209.157.8 dst_geo=giatquov dest_port=1918 device_product=enderi device_vendor=ptatem device_version=1.341 drop_reason=fugi errdefs_msgno=labo errdefs_msg_name=nostrud flow_id=gnaal ip_protocol=ggp severity=medium partition_name=cupi route_domain=tame sa_translation_pool=atione sa_translation_type=lores source_ip=10.45.253.103 src_geo=uii source_port=5923 source_user=remagn translated_dest_ip=10.47.255.237 translated_dest_port=2311 translated_ip_protocol=uuntur translated_route_domain=enderit translated_source_ip=10.107.45.175 translated_source_port=4185 translated_vlan=rumSecti vlan=4593", + "fileset.name": "bigipafm", + "host.ip": "10.31.177.226", + "host.name": "loi7596.www5.home", + "input.type": "log", + "log.level": "medium", + "log.offset": 20116, + "network.protocol": "ggp", + "observer.product": "enderi", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.341", + "related.hosts": [ + "loi7596.www5.home" + ], + "related.ip": [ + "10.47.255.237", + "10.45.253.103", + "10.107.45.175", + "10.31.177.226" + ], + "related.user": [ + "remagn" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "deserun", + "rsa.misc.event_type": "nostrud", + "rsa.misc.obj_name": "reetd", + "rsa.misc.policy_name": "prehen", + "rsa.misc.reference_id": "labo", + "rsa.misc.rule_name": "iusmodte", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.341", + "rsa.network.alias_host": [ + "loi7596.www5.home" + ], + "rsa.network.vlan": 4593, + "rsa.time.event_time_str": "Dec", + "rule.name": "iusmodte", + "service.type": "f5", + "source.geo.country_name": "uii", + "source.ip": [ + "10.45.253.103" + ], + "source.nat.ip": "10.107.45.175", + "source.nat.port": 4185, + "source.port": 5923, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "remagn" + }, + { + "destination.geo.country_name": "illu", + "destination.nat.ip": "10.55.105.113", + "destination.nat.port": 3214, + "destination.port": 4875, + "event.action": "Reject", + "event.code": "its", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "atise tate onevo4326.internal.local isnost olorem ido [F5@emqu acl_policy_name=riss acl_policy_type=iquamqua acl_rule_name=sit action=Reject hostname=nsequat1971.internal.invalid bigip_mgmt_ip=10.225.212.189 context_name=mven context_type=olorsit date_time=Jan 06 2017 07:11:41 dest_ip=10.121.239.183 dst_geo=illu dest_port=4875 device_product=turadip device_vendor=tatevel device_version=1.1607 drop_reason=ptassita errdefs_msgno=its errdefs_msg_name=lore flow_id=idol ip_protocol=igmp severity=high partition_name=isn route_domain=sBono sa_translation_pool=loremqu sa_translation_type=tetur source_ip=10.213.94.135 src_geo=tMal source_port=2607 source_user=dquia translated_dest_ip=10.55.105.113 translated_dest_port=3214 translated_ip_protocol=tatione translated_route_domain=nimveni translated_source_ip=10.44.58.106 translated_source_port=1241 translated_vlan=quid vlan=4814", + "fileset.name": "bigipafm", + "host.ip": "10.225.212.189", + "host.name": "nsequat1971.internal.invalid", + "input.type": "log", + "log.level": "high", + "log.offset": 21000, + "network.protocol": "igmp", + "observer.product": "turadip", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.1607", + "related.hosts": [ + "nsequat1971.internal.invalid" + ], + "related.ip": [ + "10.44.58.106", + "10.55.105.113", + "10.213.94.135", + "10.225.212.189" + ], + "related.user": [ + "dquia" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "mven", + "rsa.misc.event_type": "lore", + "rsa.misc.obj_name": "emqu", + "rsa.misc.policy_name": "riss", + "rsa.misc.reference_id": "its", + "rsa.misc.rule_name": "sit", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.1607", + "rsa.network.alias_host": [ + "nsequat1971.internal.invalid" + ], + "rsa.network.vlan": 4814, + "rsa.time.event_time_str": "Jan", + "rule.name": "sit", + "service.type": "f5", + "source.geo.country_name": "tMal", + "source.ip": [ + "10.213.94.135" + ], + "source.nat.ip": "10.44.58.106", + "source.nat.port": 1241, + "source.port": 2607, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "dquia" + }, + { + "destination.geo.country_name": "mUten", + "destination.nat.ip": "10.69.161.78", + "destination.nat.port": 1282, + "destination.port": 1812, + "event.action": "Reject", + "event.code": "norumet", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "eporroq ulla iqu4614.www5.example abore squ uiadol [F5@Duisa acl_policy_name=lupta acl_policy_type=aUt acl_rule_name=boNem action=Reject hostname=ectiono2241.lan bigip_mgmt_ip=10.2.114.9 context_name=rehende context_type=velillu date_time=Jan 20 2017 14:14:16 dest_ip=10.94.139.127 dst_geo=mUten dest_port=1812 device_product=quidolor device_vendor=oqu device_version=1.51 drop_reason=tlaboree errdefs_msgno=norumet errdefs_msg_name=dtempo flow_id=tin ip_protocol=tcp severity=high partition_name=imad route_domain=tinvolup sa_translation_pool=tsed sa_translation_type=inv source_ip=10.163.209.70 src_geo=atu source_port=4718 source_user=olabor translated_dest_ip=10.69.161.78 translated_dest_port=1282 translated_ip_protocol=iruredol translated_route_domain=incidid translated_source_ip=10.255.74.136 translated_source_port=5902 translated_vlan=eaqueips vlan=6396", + "fileset.name": "bigipafm", + "host.ip": "10.2.114.9", + "host.name": "ectiono2241.lan", + "input.type": "log", + "log.level": "high", + "log.offset": 21880, + "network.protocol": "tcp", + "observer.product": "quidolor", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.51", + "related.hosts": [ + "ectiono2241.lan" + ], + "related.ip": [ + "10.255.74.136", + "10.69.161.78", + "10.163.209.70", + "10.2.114.9" + ], + "related.user": [ + "olabor" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "rehende", + "rsa.misc.event_type": "dtempo", + "rsa.misc.obj_name": "Duisa", + "rsa.misc.policy_name": "lupta", + "rsa.misc.reference_id": "norumet", + "rsa.misc.rule_name": "boNem", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.51", + "rsa.network.alias_host": [ + "ectiono2241.lan" + ], + "rsa.network.vlan": 6396, + "rsa.time.event_time_str": "Jan", + "rule.name": "boNem", + "service.type": "f5", + "source.geo.country_name": "atu", + "source.ip": [ + "10.163.209.70" + ], + "source.nat.ip": "10.255.74.136", + "source.nat.port": 5902, + "source.port": 4718, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "olabor" + }, + { + "destination.geo.country_name": "iciad", + "destination.nat.ip": "10.184.59.148", + "destination.nat.port": 6933, + "destination.port": 7874, + "event.action": "Closed", + "event.code": "lmo", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "volupta dmi untexpl2847.www5.local eiusmod emoe uiinea [F5@mnisiut acl_policy_name=avolu acl_policy_type=Except acl_rule_name=olup action=Closed hostname=umetMal1664.mail.lan bigip_mgmt_ip=10.46.115.216 context_name=equun context_type=sitvo date_time=Feb 03 2017 21:16:50 dest_ip=10.223.198.146 dst_geo=iciad dest_port=7874 device_product=mad device_vendor=onse device_version=1.380 drop_reason=mipsum errdefs_msgno=lmo errdefs_msg_name=aliquamq flow_id=dtempori ip_protocol=rdp severity=medium partition_name=voluptat route_domain=ugit sa_translation_pool=tatem sa_translation_type=metcons source_ip=10.252.102.110 src_geo=henderit source_port=7829 source_user=perspici translated_dest_ip=10.184.59.148 translated_dest_port=6933 translated_ip_protocol=queips translated_route_domain=midest translated_source_ip=10.12.129.137 translated_source_port=721 translated_vlan=orroqu vlan=472", + "fileset.name": "bigipafm", + "host.ip": "10.46.115.216", + "host.name": "umetMal1664.mail.lan", + "input.type": "log", + "log.level": "medium", + "log.offset": 22745, + "network.protocol": "rdp", + "observer.product": "mad", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.380", + "related.hosts": [ + "umetMal1664.mail.lan" + ], + "related.ip": [ + "10.46.115.216", + "10.252.102.110", + "10.12.129.137", + "10.184.59.148" + ], + "related.user": [ + "perspici" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "equun", + "rsa.misc.event_type": "aliquamq", + "rsa.misc.obj_name": "mnisiut", + "rsa.misc.policy_name": "avolu", + "rsa.misc.reference_id": "lmo", + "rsa.misc.rule_name": "olup", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.380", + "rsa.network.alias_host": [ + "umetMal1664.mail.lan" + ], + "rsa.network.vlan": 472, + "rsa.time.event_time_str": "Feb", + "rule.name": "olup", + "service.type": "f5", + "source.geo.country_name": "henderit", + "source.ip": [ + "10.252.102.110" + ], + "source.nat.ip": "10.12.129.137", + "source.nat.port": 721, + "source.port": 7829, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "perspici" + }, + { + "destination.geo.country_name": "nder", + "destination.nat.ip": "10.155.204.243", + "destination.nat.port": 459, + "destination.port": 3238, + "event.action": "Established", + "event.code": "tatem", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "labore uela ntexplic4824.internal.localhost dolorsit archite remq [F5@veniamq acl_policy_name=occ acl_policy_type=oloreseo acl_rule_name=iruredol action=Established hostname=derit5270.mail.local bigip_mgmt_ip=10.105.52.140 context_name=ntexpl context_type=dunt date_time=Feb 18 2017 04:19:24 dest_ip=10.20.55.199 dst_geo=nder dest_port=3238 device_product=itanim device_vendor=nesciun device_version=1.1729 drop_reason=mollita errdefs_msgno=tatem errdefs_msg_name=iae flow_id=quido ip_protocol=ipv6-icmp severity=very-high partition_name=inBC route_domain=mol sa_translation_pool=tur sa_translation_type=ictas source_ip=10.81.184.7 src_geo=saquaea source_port=6344 source_user=eetd translated_dest_ip=10.155.204.243 translated_dest_port=459 translated_ip_protocol=lorsi translated_route_domain=repreh translated_source_ip=10.199.194.79 translated_source_port=7713 translated_vlan=illumqui vlan=3414", + "fileset.name": "bigipafm", + "host.ip": "10.105.52.140", + "host.name": "derit5270.mail.local", + "input.type": "log", + "log.level": "very-high", + "log.offset": 23630, + "network.protocol": "ipv6-icmp", + "observer.product": "itanim", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.1729", + "related.hosts": [ + "derit5270.mail.local" + ], + "related.ip": [ + "10.81.184.7", + "10.199.194.79", + "10.155.204.243", + "10.105.52.140" + ], + "related.user": [ + "eetd" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "ntexpl", + "rsa.misc.event_type": "iae", + "rsa.misc.obj_name": "veniamq", + "rsa.misc.policy_name": "occ", + "rsa.misc.reference_id": "tatem", + "rsa.misc.rule_name": "iruredol", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.1729", + "rsa.network.alias_host": [ + "derit5270.mail.local" + ], + "rsa.network.vlan": 3414, + "rsa.time.event_time_str": "Feb", + "rule.name": "iruredol", + "service.type": "f5", + "source.geo.country_name": "saquaea", + "source.ip": [ + "10.81.184.7" + ], + "source.nat.ip": "10.199.194.79", + "source.nat.port": 7713, + "source.port": 6344, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "eetd" + }, + { + "destination.geo.country_name": "unte", + "destination.nat.ip": "10.18.226.72", + "destination.nat.port": 5140, + "destination.port": 893, + "event.action": "Closed", + "event.code": "tatnon", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "amali ate idolor3916.www5.home tas autfugi tasun [F5@duntutla acl_policy_name=ntium acl_policy_type=iration acl_rule_name=umwritte action=Closed hostname=orisni5238.mail.lan bigip_mgmt_ip=10.177.238.45 context_name=iumt context_type=tsed date_time=Mar 04 2017 11:21:59 dest_ip=10.249.120.78 dst_geo=unte dest_port=893 device_product=ueipsa device_vendor=scipitl device_version=1.1453 drop_reason=aparia errdefs_msgno=tatnon errdefs_msg_name=leumiur flow_id=tetura ip_protocol=ggp severity=very-high partition_name=oluptat route_domain=metco sa_translation_pool=acom sa_translation_type=ceroinB source_ip=10.110.2.166 src_geo=exeacomm source_port=79 source_user=taliqui translated_dest_ip=10.18.226.72 translated_dest_port=5140 translated_ip_protocol=olupta translated_route_domain=tsuntinc translated_source_ip=10.251.231.142 translated_source_port=872 translated_vlan=urExcep vlan=102", + "fileset.name": "bigipafm", + "host.ip": "10.177.238.45", + "host.name": "orisni5238.mail.lan", + "input.type": "log", + "log.level": "very-high", + "log.offset": 24529, + "network.protocol": "ggp", + "observer.product": "ueipsa", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.1453", + "related.hosts": [ + "orisni5238.mail.lan" + ], + "related.ip": [ + "10.251.231.142", + "10.177.238.45", + "10.18.226.72", + "10.110.2.166" + ], + "related.user": [ + "taliqui" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "iumt", + "rsa.misc.event_type": "leumiur", + "rsa.misc.obj_name": "duntutla", + "rsa.misc.policy_name": "ntium", + "rsa.misc.reference_id": "tatnon", + "rsa.misc.rule_name": "umwritte", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.1453", + "rsa.network.alias_host": [ + "orisni5238.mail.lan" + ], + "rsa.network.vlan": 102, + "rsa.time.event_time_str": "Mar", + "rule.name": "umwritte", + "service.type": "f5", + "source.geo.country_name": "exeacomm", + "source.ip": [ + "10.110.2.166" + ], + "source.nat.ip": "10.251.231.142", + "source.nat.port": 872, + "source.port": 79, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "taliqui" + }, + { + "destination.geo.country_name": "billo", + "destination.nat.ip": "10.100.199.226", + "destination.nat.port": 7617, + "destination.port": 2618, + "event.action": "Established", + "event.code": "ser", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "suntex iacons occaec7487.corp quaeab fici imve [F5@quide acl_policy_name=quaU acl_policy_type=undeomni acl_rule_name=accusa action=Established hostname=iutali7297.www.domain bigip_mgmt_ip=10.190.122.27 context_name=mporainc context_type=xea date_time=Mar 18 2017 18:24:33 dest_ip=10.123.113.152 dst_geo=billo dest_port=2618 device_product=radipisc device_vendor=Cice device_version=1.6332 drop_reason=vitaed errdefs_msgno=ser errdefs_msg_name=etconsec flow_id=elillum ip_protocol=tcp severity=high partition_name=rnat route_domain=eprehend sa_translation_pool=rem sa_translation_type=edolo source_ip=10.99.202.229 src_geo=eosquira source_port=4392 source_user=lloinven translated_dest_ip=10.100.199.226 translated_dest_port=7617 translated_ip_protocol=apariatu translated_route_domain=lorsita translated_source_ip=10.192.98.247 translated_source_port=4308 translated_vlan=temaccu vlan=5302", + "fileset.name": "bigipafm", + "host.ip": "10.190.122.27", + "host.name": "iutali7297.www.domain", + "input.type": "log", + "log.level": "high", + "log.offset": 25415, + "network.protocol": "tcp", + "observer.product": "radipisc", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.6332", + "related.hosts": [ + "iutali7297.www.domain" + ], + "related.ip": [ + "10.99.202.229", + "10.100.199.226", + "10.190.122.27", + "10.192.98.247" + ], + "related.user": [ + "lloinven" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "mporainc", + "rsa.misc.event_type": "etconsec", + "rsa.misc.obj_name": "quide", + "rsa.misc.policy_name": "quaU", + "rsa.misc.reference_id": "ser", + "rsa.misc.rule_name": "accusa", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.6332", + "rsa.network.alias_host": [ + "iutali7297.www.domain" + ], + "rsa.network.vlan": 5302, + "rsa.time.event_time_str": "Mar", + "rule.name": "accusa", + "service.type": "f5", + "source.geo.country_name": "eosquira", + "source.ip": [ + "10.99.202.229" + ], + "source.nat.ip": "10.192.98.247", + "source.nat.port": 4308, + "source.port": 4392, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "lloinven" + }, + { + "destination.geo.country_name": "nrepreh", + "destination.nat.ip": "10.162.97.197", + "destination.nat.port": 4357, + "destination.port": 5251, + "event.action": "Drop", + "event.code": "erspi", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "uptassit ncidi tlabori4803.www5.local oconse mag tob [F5@dolores acl_policy_name=equamnih acl_policy_type=taliqui acl_rule_name=eiu action=Drop hostname=orumw5960.www5.home bigip_mgmt_ip=10.248.111.207 context_name=dolor context_type=tiumto date_time=Apr 02 2017 01:27:07 dest_ip=10.38.28.151 dst_geo=nrepreh dest_port=5251 device_product=equep device_vendor=ever device_version=1.6463 drop_reason=atq errdefs_msgno=erspi errdefs_msg_name=iqu flow_id=niamqu ip_protocol=rdp severity=medium partition_name=icab route_domain=sBonor sa_translation_pool=fugits sa_translation_type=mipsumqu source_ip=10.172.154.97 src_geo=admi source_port=7165 source_user=culpaq translated_dest_ip=10.162.97.197 translated_dest_port=4357 translated_ip_protocol=tcupida translated_route_domain=isa translated_source_ip=10.37.193.70 translated_source_port=170 translated_vlan=tesseq vlan=7693", + "fileset.name": "bigipafm", + "host.ip": "10.248.111.207", + "host.name": "orumw5960.www5.home", + "input.type": "log", + "log.level": "medium", + "log.offset": 26305, + "network.protocol": "rdp", + "observer.product": "equep", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.6463", + "related.hosts": [ + "orumw5960.www5.home" + ], + "related.ip": [ + "10.248.111.207", + "10.162.97.197", + "10.37.193.70", + "10.172.154.97" + ], + "related.user": [ + "culpaq" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "dolor", + "rsa.misc.event_type": "iqu", + "rsa.misc.obj_name": "dolores", + "rsa.misc.policy_name": "equamnih", + "rsa.misc.reference_id": "erspi", + "rsa.misc.rule_name": "eiu", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.6463", + "rsa.network.alias_host": [ + "orumw5960.www5.home" + ], + "rsa.network.vlan": 7693, + "rsa.time.event_time_str": "Apr", + "rule.name": "eiu", + "service.type": "f5", + "source.geo.country_name": "admi", + "source.ip": [ + "10.172.154.97" + ], + "source.nat.ip": "10.37.193.70", + "source.nat.port": 170, + "source.port": 7165, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "culpaq" + }, + { + "destination.geo.country_name": "itasp", + "destination.nat.ip": "10.222.165.250", + "destination.nat.port": 2757, + "destination.port": 4927, + "event.action": "Reject", + "event.code": "loreeu", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "pernat rerepre nculpaq3821.www5.invalid billoinv sci col [F5@obea acl_policy_name=emp acl_policy_type=agnaaliq acl_rule_name=est action=Reject hostname=oinv5493.internal.domain bigip_mgmt_ip=10.36.63.31 context_name=nisiu context_type=imad date_time=Apr 16 2017 08:29:41 dest_ip=10.30.101.79 dst_geo=itasp dest_port=4927 device_product=sitametc device_vendor=onsequa device_version=1.3912 drop_reason=ntmo errdefs_msgno=loreeu errdefs_msg_name=temse flow_id=aspernat ip_protocol=ipv6 severity=very-high partition_name=caecat route_domain=rautod sa_translation_pool=olest sa_translation_type=eataev source_ip=10.171.221.230 src_geo=edquia source_port=1977 source_user=otamr translated_dest_ip=10.222.165.250 translated_dest_port=2757 translated_ip_protocol=amvolu translated_route_domain=mip translated_source_ip=10.45.35.180 translated_source_port=653 translated_vlan=maccusa vlan=7248", + "fileset.name": "bigipafm", + "host.ip": "10.36.63.31", + "host.name": "oinv5493.internal.domain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 27176, + "network.protocol": "ipv6", + "observer.product": "sitametc", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.3912", + "related.hosts": [ + "oinv5493.internal.domain" + ], + "related.ip": [ + "10.171.221.230", + "10.222.165.250", + "10.45.35.180", + "10.36.63.31" + ], + "related.user": [ + "otamr" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "nisiu", + "rsa.misc.event_type": "temse", + "rsa.misc.obj_name": "obea", + "rsa.misc.policy_name": "emp", + "rsa.misc.reference_id": "loreeu", + "rsa.misc.rule_name": "est", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3912", + "rsa.network.alias_host": [ + "oinv5493.internal.domain" + ], + "rsa.network.vlan": 7248, + "rsa.time.event_time_str": "Apr", + "rule.name": "est", + "service.type": "f5", + "source.geo.country_name": "edquia", + "source.ip": [ + "10.171.221.230" + ], + "source.nat.ip": "10.45.35.180", + "source.nat.port": 653, + "source.port": 1977, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "otamr" + }, + { + "destination.geo.country_name": "meumfugi", + "destination.nat.ip": "10.199.127.211", + "destination.nat.port": 3598, + "destination.port": 7010, + "event.action": "Reject", + "event.code": "orroquis", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "nimad ataevita oremqu542.internal.localhost uteir boree isn [F5@ulla acl_policy_name=equatDu acl_policy_type=pta acl_rule_name=enbyCi action=Reject hostname=tnonproi195.api.home bigip_mgmt_ip=10.238.4.219 context_name=uide context_type=scivel date_time=Apr 30 2017 15:32:16 dest_ip=10.150.9.246 dst_geo=meumfugi dest_port=7010 device_product=emaperia device_vendor=Section device_version=1.4329 drop_reason=iame errdefs_msgno=orroquis errdefs_msg_name=aquio flow_id=riatu ip_protocol=udp severity=low partition_name=tanimid route_domain=isnostru sa_translation_pool=nofdeFi sa_translation_type=aquioff source_ip=10.1.171.61 src_geo=amnisi source_port=7258 source_user=reetdolo translated_dest_ip=10.199.127.211 translated_dest_port=3598 translated_ip_protocol=ilmole translated_route_domain=ugi translated_source_ip=10.83.238.145 translated_source_port=5392 translated_vlan=emveleum vlan=3661", + "fileset.name": "bigipafm", + "host.ip": "10.238.4.219", + "host.name": "tnonproi195.api.home", + "input.type": "log", + "log.level": "low", + "log.offset": 28062, + "network.protocol": "udp", + "observer.product": "emaperia", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.4329", + "related.hosts": [ + "tnonproi195.api.home" + ], + "related.ip": [ + "10.1.171.61", + "10.199.127.211", + "10.83.238.145", + "10.238.4.219" + ], + "related.user": [ + "reetdolo" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "uide", + "rsa.misc.event_type": "aquio", + "rsa.misc.obj_name": "ulla", + "rsa.misc.policy_name": "equatDu", + "rsa.misc.reference_id": "orroquis", + "rsa.misc.rule_name": "enbyCi", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.4329", + "rsa.network.alias_host": [ + "tnonproi195.api.home" + ], + "rsa.network.vlan": 3661, + "rsa.time.event_time_str": "Apr", + "rule.name": "enbyCi", + "service.type": "f5", + "source.geo.country_name": "amnisi", + "source.ip": [ + "10.1.171.61" + ], + "source.nat.ip": "10.83.238.145", + "source.nat.port": 5392, + "source.port": 7258, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "reetdolo" + }, + { + "destination.geo.country_name": "quira", + "destination.nat.ip": "10.44.226.104", + "destination.nat.port": 7020, + "destination.port": 3091, + "event.action": "Drop", + "event.code": "tperspic", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "nde abillo undeom845.www5.example quaer eetdo tlab [F5@spernatu acl_policy_name=exercita acl_policy_type=sBonorum acl_rule_name=atems action=Drop hostname=edictasu5362.internal.localhost bigip_mgmt_ip=10.65.141.244 context_name=turmag context_type=ipsaqu date_time=May 14 2017 22:34:50 dest_ip=10.203.69.36 dst_geo=quira dest_port=3091 device_product=ore device_vendor=tation device_version=1.3789 drop_reason=porincid errdefs_msgno=tperspic errdefs_msg_name=equu flow_id=sintoc ip_protocol=rdp severity=very-high partition_name=tetura route_domain=riosamni sa_translation_pool=icta sa_translation_type=luptate source_ip=10.170.252.219 src_geo=iqui source_port=1978 source_user=Nequepo translated_dest_ip=10.44.226.104 translated_dest_port=7020 translated_ip_protocol=nse translated_route_domain=veniam translated_source_ip=10.74.213.42 translated_source_port=5922 translated_vlan=sse vlan=2498", + "fileset.name": "bigipafm", + "host.ip": "10.65.141.244", + "host.name": "edictasu5362.internal.localhost", + "input.type": "log", + "log.level": "very-high", + "log.offset": 28955, + "network.protocol": "rdp", + "observer.product": "ore", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.3789", + "related.hosts": [ + "edictasu5362.internal.localhost" + ], + "related.ip": [ + "10.170.252.219", + "10.65.141.244", + "10.74.213.42", + "10.44.226.104" + ], + "related.user": [ + "Nequepo" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "turmag", + "rsa.misc.event_type": "equu", + "rsa.misc.obj_name": "spernatu", + "rsa.misc.policy_name": "exercita", + "rsa.misc.reference_id": "tperspic", + "rsa.misc.rule_name": "atems", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3789", + "rsa.network.alias_host": [ + "edictasu5362.internal.localhost" + ], + "rsa.network.vlan": 2498, + "rsa.time.event_time_str": "May", + "rule.name": "atems", + "service.type": "f5", + "source.geo.country_name": "iqui", + "source.ip": [ + "10.170.252.219" + ], + "source.nat.ip": "10.74.213.42", + "source.nat.port": 5922, + "source.port": 1978, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "Nequepo" + }, + { + "destination.geo.country_name": "sequat", + "destination.nat.ip": "10.225.255.211", + "destination.nat.port": 5595, + "destination.port": 4596, + "event.action": "Reject", + "event.code": "roi", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "inBCSe otamrem tutlabor4180.internal.host consecte pteurs catcupi [F5@autf acl_policy_name=saqu acl_policy_type=uptat acl_rule_name=unt action=Reject hostname=uido492.www5.home bigip_mgmt_ip=10.180.48.221 context_name=lors context_type=aconsequ date_time=May 29 2017 05:37:24 dest_ip=10.33.195.166 dst_geo=sequat dest_port=4596 device_product=utemvel device_vendor=epteur device_version=1.2965 drop_reason=iusm errdefs_msgno=roi errdefs_msg_name=busBonor flow_id=stquido ip_protocol=igmp severity=high partition_name=mnisi route_domain=usmo sa_translation_pool=iamea sa_translation_type=imaveni source_ip=10.183.223.149 src_geo=cor source_port=2648 source_user=nihil translated_dest_ip=10.225.255.211 translated_dest_port=5595 translated_ip_protocol=citati translated_route_domain=uamei translated_source_ip=10.225.141.172 translated_source_port=956 translated_vlan=fugiatn vlan=3309", + "fileset.name": "bigipafm", + "host.ip": "10.180.48.221", + "host.name": "uido492.www5.home", + "input.type": "log", + "log.level": "high", + "log.offset": 29850, + "network.protocol": "igmp", + "observer.product": "utemvel", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.2965", + "related.hosts": [ + "uido492.www5.home" + ], + "related.ip": [ + "10.180.48.221", + "10.225.255.211", + "10.183.223.149", + "10.225.141.172" + ], + "related.user": [ + "nihil" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "lors", + "rsa.misc.event_type": "busBonor", + "rsa.misc.obj_name": "autf", + "rsa.misc.policy_name": "saqu", + "rsa.misc.reference_id": "roi", + "rsa.misc.rule_name": "unt", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.2965", + "rsa.network.alias_host": [ + "uido492.www5.home" + ], + "rsa.network.vlan": 3309, + "rsa.time.event_time_str": "May", + "rule.name": "unt", + "service.type": "f5", + "source.geo.country_name": "cor", + "source.ip": [ + "10.183.223.149" + ], + "source.nat.ip": "10.225.141.172", + "source.nat.port": 956, + "source.port": 2648, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "nihil" + }, + { + "destination.geo.country_name": "mcorpor", + "destination.nat.ip": "10.205.174.181", + "destination.nat.port": 766, + "destination.port": 7420, + "event.action": "Established", + "event.code": "tura", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "aaliq nat uovolupt307.internal.host serror onse umquam [F5@emagn acl_policy_name=emulla acl_policy_type=mips acl_rule_name=itae action=Established hostname=redo6311.api.invalid bigip_mgmt_ip=10.176.64.28 context_name=olup context_type=remipsu date_time=Jun 12 2017 12:39:58 dest_ip=10.92.6.176 dst_geo=mcorpor dest_port=7420 device_product=autfugit device_vendor=emUte device_version=1.7612 drop_reason=nturmag errdefs_msgno=tura errdefs_msg_name=osquirat flow_id=equat ip_protocol=tcp severity=high partition_name=usantiu route_domain=idunt sa_translation_pool=atqu sa_translation_type=naturau source_ip=10.97.138.181 src_geo=oluptat source_port=7128 source_user=eseruntm translated_dest_ip=10.205.174.181 translated_dest_port=766 translated_ip_protocol=olor translated_route_domain=etquasia translated_source_ip=10.169.123.103 translated_source_port=519 translated_vlan=uisa vlan=6863", + "fileset.name": "bigipafm", + "host.ip": "10.176.64.28", + "host.name": "redo6311.api.invalid", + "input.type": "log", + "log.level": "high", + "log.offset": 30734, + "network.protocol": "tcp", + "observer.product": "autfugit", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.7612", + "related.hosts": [ + "redo6311.api.invalid" + ], + "related.ip": [ + "10.176.64.28", + "10.97.138.181", + "10.205.174.181", + "10.169.123.103" + ], + "related.user": [ + "eseruntm" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "olup", + "rsa.misc.event_type": "osquirat", + "rsa.misc.obj_name": "emagn", + "rsa.misc.policy_name": "emulla", + "rsa.misc.reference_id": "tura", + "rsa.misc.rule_name": "itae", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.7612", + "rsa.network.alias_host": [ + "redo6311.api.invalid" + ], + "rsa.network.vlan": 6863, + "rsa.time.event_time_str": "Jun", + "rule.name": "itae", + "service.type": "f5", + "source.geo.country_name": "oluptat", + "source.ip": [ + "10.97.138.181" + ], + "source.nat.ip": "10.169.123.103", + "source.nat.port": 519, + "source.port": 7128, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "eseruntm" + }, + { + "destination.geo.country_name": "laborum", + "destination.nat.ip": "10.204.4.40", + "destination.nat.port": 271, + "destination.port": 5749, + "event.action": "Established", + "event.code": "empor", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "Cicero evolupta teturadi4718.api.local piscivel hend eacommo [F5@ueip acl_policy_name=maliqu acl_policy_type=iati acl_rule_name=minim action=Established hostname=dolorem1698.www.domain bigip_mgmt_ip=10.75.120.11 context_name=urau context_type=etur date_time=Jun 26 2017 19:42:33 dest_ip=10.20.73.247 dst_geo=laborum dest_port=5749 device_product=xeac device_vendor=umdolors device_version=1.4226 drop_reason=uiadolo errdefs_msgno=empor errdefs_msg_name=umexerci flow_id=duntut ip_protocol=ggp severity=very-high partition_name=prehend route_domain=eufug sa_translation_pool=roquisq sa_translation_type=temporai source_ip=10.53.101.131 src_geo=ici source_port=5097 source_user=tquo translated_dest_ip=10.204.4.40 translated_dest_port=271 translated_ip_protocol=sitvo translated_route_domain=ine translated_source_ip=10.169.101.161 translated_source_port=4577 translated_vlan=ipi vlan=4211", + "fileset.name": "bigipafm", + "host.ip": "10.75.120.11", + "host.name": "dolorem1698.www.domain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 31621, + "network.protocol": "ggp", + "observer.product": "xeac", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.4226", + "related.hosts": [ + "dolorem1698.www.domain" + ], + "related.ip": [ + "10.75.120.11", + "10.169.101.161", + "10.53.101.131", + "10.204.4.40" + ], + "related.user": [ + "tquo" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "urau", + "rsa.misc.event_type": "umexerci", + "rsa.misc.obj_name": "ueip", + "rsa.misc.policy_name": "maliqu", + "rsa.misc.reference_id": "empor", + "rsa.misc.rule_name": "minim", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.4226", + "rsa.network.alias_host": [ + "dolorem1698.www.domain" + ], + "rsa.network.vlan": 4211, + "rsa.time.event_time_str": "Jun", + "rule.name": "minim", + "service.type": "f5", + "source.geo.country_name": "ici", + "source.ip": [ + "10.53.101.131" + ], + "source.nat.ip": "10.169.101.161", + "source.nat.port": 4577, + "source.port": 5097, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "tquo" + }, + { + "destination.geo.country_name": "litanim", + "destination.nat.ip": "10.156.117.169", + "destination.nat.port": 2939, + "destination.port": 2135, + "event.action": "Reject", + "event.code": "porinc", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "exerci idata ese4384.mail.domain rumexerc isiutali iquidexe [F5@illumq acl_policy_name=luptatem acl_policy_type=ite acl_rule_name=tasnul action=Reject hostname=evitae7333.www.lan bigip_mgmt_ip=10.28.51.219 context_name=ess context_type=quiad date_time=Jul 11 2017 02:45:07 dest_ip=10.43.210.236 dst_geo=litanim dest_port=2135 device_product=orsitam device_vendor=modico device_version=1.2990 drop_reason=itatio errdefs_msgno=porinc errdefs_msg_name=riame flow_id=riat ip_protocol=udp severity=very-high partition_name=eriam route_domain=pernat sa_translation_pool=udan sa_translation_type=archi source_ip=10.6.222.112 src_geo=aliqu source_port=780 source_user=onsequu translated_dest_ip=10.156.117.169 translated_dest_port=2939 translated_ip_protocol=agnamal translated_route_domain=quei translated_source_ip=10.87.120.87 translated_source_port=1636 translated_vlan=teni vlan=4967", + "fileset.name": "bigipafm", + "host.ip": "10.28.51.219", + "host.name": "evitae7333.www.lan", + "input.type": "log", + "log.level": "very-high", + "log.offset": 32509, + "network.protocol": "udp", + "observer.product": "orsitam", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.2990", + "related.hosts": [ + "evitae7333.www.lan" + ], + "related.ip": [ + "10.156.117.169", + "10.28.51.219", + "10.6.222.112", + "10.87.120.87" + ], + "related.user": [ + "onsequu" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "ess", + "rsa.misc.event_type": "riame", + "rsa.misc.obj_name": "illumq", + "rsa.misc.policy_name": "luptatem", + "rsa.misc.reference_id": "porinc", + "rsa.misc.rule_name": "tasnul", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.2990", + "rsa.network.alias_host": [ + "evitae7333.www.lan" + ], + "rsa.network.vlan": 4967, + "rsa.time.event_time_str": "Jul", + "rule.name": "tasnul", + "service.type": "f5", + "source.geo.country_name": "aliqu", + "source.ip": [ + "10.6.222.112" + ], + "source.nat.ip": "10.87.120.87", + "source.nat.port": 1636, + "source.port": 780, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "onsequu" + }, + { + "destination.geo.country_name": "ecill", + "destination.nat.ip": "10.253.167.17", + "destination.nat.port": 2990, + "destination.port": 6831, + "event.action": "Drop", + "event.code": "oco", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "dant etdolor uat7787.www.host iti nimadm nculp [F5@asp acl_policy_name=eacom acl_policy_type=mag acl_rule_name=gelitse action=Drop hostname=arc2412.mail.lan bigip_mgmt_ip=10.247.44.59 context_name=eiusmo context_type=ainc date_time=Jul 25 2017 09:47:41 dest_ip=10.173.129.72 dst_geo=ecill dest_port=6831 device_product=snu device_vendor=inibusB device_version=1.388 drop_reason=texplica errdefs_msgno=oco errdefs_msg_name=aboree flow_id=ainci ip_protocol=udp severity=high partition_name=pariatur route_domain=uames sa_translation_pool=umtotamr sa_translation_type=mquido source_ip=10.57.89.155 src_geo=rur source_port=3553 source_user=ntorever translated_dest_ip=10.253.167.17 translated_dest_port=2990 translated_ip_protocol=seos translated_route_domain=exercita translated_source_ip=10.4.126.103 translated_source_port=892 translated_vlan=tco vlan=3607", + "fileset.name": "bigipafm", + "host.ip": "10.247.44.59", + "host.name": "arc2412.mail.lan", + "input.type": "log", + "log.level": "high", + "log.offset": 33390, + "network.protocol": "udp", + "observer.product": "snu", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.388", + "related.hosts": [ + "arc2412.mail.lan" + ], + "related.ip": [ + "10.247.44.59", + "10.57.89.155", + "10.253.167.17", + "10.4.126.103" + ], + "related.user": [ + "ntorever" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "eiusmo", + "rsa.misc.event_type": "aboree", + "rsa.misc.obj_name": "asp", + "rsa.misc.policy_name": "eacom", + "rsa.misc.reference_id": "oco", + "rsa.misc.rule_name": "gelitse", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.388", + "rsa.network.alias_host": [ + "arc2412.mail.lan" + ], + "rsa.network.vlan": 3607, + "rsa.time.event_time_str": "Jul", + "rule.name": "gelitse", + "service.type": "f5", + "source.geo.country_name": "rur", + "source.ip": [ + "10.57.89.155" + ], + "source.nat.ip": "10.4.126.103", + "source.nat.port": 892, + "source.port": 3553, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "ntorever" + }, + { + "destination.geo.country_name": "xeac", + "destination.nat.ip": "10.36.69.125", + "destination.nat.port": 7157, + "destination.port": 7061, + "event.action": "Established", + "event.code": "tat", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "oluptate lit santi837.api.domain turadip dip idolo [F5@Ute acl_policy_name=ptassita acl_policy_type=caecatcu acl_rule_name=inBC action=Established hostname=olorsi2746.internal.localhost bigip_mgmt_ip=10.15.240.220 context_name=teir context_type=quep date_time=Aug 08 2017 16:50:15 dest_ip=10.63.78.66 dst_geo=xeac dest_port=7061 device_product=abor device_vendor=oreverit device_version=1.6451 drop_reason=reetdo errdefs_msgno=tat errdefs_msg_name=eufugia flow_id=ncididun ip_protocol=tcp severity=medium partition_name=periamea route_domain=itametco sa_translation_pool=vel sa_translation_type=quunt source_ip=10.248.206.210 src_geo=nonn source_port=4478 source_user=met translated_dest_ip=10.36.69.125 translated_dest_port=7157 translated_ip_protocol=entsu translated_route_domain=conse translated_source_ip=10.143.183.208 translated_source_port=5214 translated_vlan=umwri vlan=4057", + "fileset.name": "bigipafm", + "host.ip": "10.15.240.220", + "host.name": "olorsi2746.internal.localhost", + "input.type": "log", + "log.level": "medium", + "log.offset": 34246, + "network.protocol": "tcp", + "observer.product": "abor", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.6451", + "related.hosts": [ + "olorsi2746.internal.localhost" + ], + "related.ip": [ + "10.36.69.125", + "10.15.240.220", + "10.248.206.210", + "10.143.183.208" + ], + "related.user": [ + "met" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "teir", + "rsa.misc.event_type": "eufugia", + "rsa.misc.obj_name": "Ute", + "rsa.misc.policy_name": "ptassita", + "rsa.misc.reference_id": "tat", + "rsa.misc.rule_name": "inBC", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.6451", + "rsa.network.alias_host": [ + "olorsi2746.internal.localhost" + ], + "rsa.network.vlan": 4057, + "rsa.time.event_time_str": "Aug", + "rule.name": "inBC", + "service.type": "f5", + "source.geo.country_name": "nonn", + "source.ip": [ + "10.248.206.210" + ], + "source.nat.ip": "10.143.183.208", + "source.nat.port": 5214, + "source.port": 4478, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "met" + }, + { + "destination.geo.country_name": "emu", + "destination.nat.ip": "10.34.133.2", + "destination.nat.port": 4807, + "destination.port": 5311, + "event.action": "Established", + "event.code": "minimve", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "atura tur tur5914.internal.invalid tassita colabori imidestl [F5@piscing acl_policy_name=ceroi acl_policy_type=iconsequ acl_rule_name=iat action=Established hostname=edqu2208.www.localhost bigip_mgmt_ip=10.6.32.7 context_name=exerci context_type=inesciu date_time=Aug 22 2017 23:52:50 dest_ip=10.141.216.14 dst_geo=emu dest_port=5311 device_product=psa device_vendor=ate device_version=1.4386 drop_reason=fugitse errdefs_msgno=minimve errdefs_msg_name=serrorsi flow_id=tametco ip_protocol=ipv6-icmp severity=high partition_name=lore route_domain=isci sa_translation_pool=Dui sa_translation_type=reetdo source_ip=10.69.170.107 src_geo=iumtotam source_port=1010 source_user=ipitlabo translated_dest_ip=10.34.133.2 translated_dest_port=4807 translated_ip_protocol=nderi translated_route_domain=liqua translated_source_ip=10.142.186.43 translated_source_port=4691 translated_vlan=sautei vlan=2363", + "fileset.name": "bigipafm", + "host.ip": "10.6.32.7", + "host.name": "edqu2208.www.localhost", + "input.type": "log", + "log.level": "high", + "log.offset": 35131, + "network.protocol": "ipv6-icmp", + "observer.product": "psa", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.4386", + "related.hosts": [ + "edqu2208.www.localhost" + ], + "related.ip": [ + "10.69.170.107", + "10.6.32.7", + "10.34.133.2", + "10.142.186.43" + ], + "related.user": [ + "ipitlabo" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "exerci", + "rsa.misc.event_type": "serrorsi", + "rsa.misc.obj_name": "piscing", + "rsa.misc.policy_name": "ceroi", + "rsa.misc.reference_id": "minimve", + "rsa.misc.rule_name": "iat", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.4386", + "rsa.network.alias_host": [ + "edqu2208.www.localhost" + ], + "rsa.network.vlan": 2363, + "rsa.time.event_time_str": "Aug", + "rule.name": "iat", + "service.type": "f5", + "source.geo.country_name": "iumtotam", + "source.ip": [ + "10.69.170.107" + ], + "source.nat.ip": "10.142.186.43", + "source.nat.port": 4691, + "source.port": 1010, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "ipitlabo" + }, + { + "destination.geo.country_name": "rchitect", + "destination.nat.ip": "10.59.103.10", + "destination.nat.port": 768, + "destination.port": 3402, + "event.action": "Closed", + "event.code": "iameaque", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "voluptas velill rspic5453.www.local meum borumSec aecatcup [F5@snisiut acl_policy_name=siar acl_policy_type=quas acl_rule_name=occaeca action=Closed hostname=ender5647.www5.example bigip_mgmt_ip=10.142.22.24 context_name=ulamc context_type=cept date_time=Sep 06 2017 06:55:24 dest_ip=10.93.88.228 dst_geo=rchitect dest_port=3402 device_product=gna device_vendor=ici device_version=1.2026 drop_reason=olu errdefs_msgno=iameaque errdefs_msg_name=identsun flow_id=ender ip_protocol=ipv6 severity=low partition_name=tect route_domain=uiad sa_translation_pool=doconse sa_translation_type=eni source_ip=10.121.153.197 src_geo=smoditem source_port=6593 source_user=borumSec translated_dest_ip=10.59.103.10 translated_dest_port=768 translated_ip_protocol=oquisq translated_route_domain=abori translated_source_ip=10.170.165.164 translated_source_port=505 translated_vlan=uiineavo vlan=5554", + "fileset.name": "bigipafm", + "host.ip": "10.142.22.24", + "host.name": "ender5647.www5.example", + "input.type": "log", + "log.level": "low", + "log.offset": 36024, + "network.protocol": "ipv6", + "observer.product": "gna", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.2026", + "related.hosts": [ + "ender5647.www5.example" + ], + "related.ip": [ + "10.59.103.10", + "10.170.165.164", + "10.121.153.197", + "10.142.22.24" + ], + "related.user": [ + "borumSec" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "ulamc", + "rsa.misc.event_type": "identsun", + "rsa.misc.obj_name": "snisiut", + "rsa.misc.policy_name": "siar", + "rsa.misc.reference_id": "iameaque", + "rsa.misc.rule_name": "occaeca", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.2026", + "rsa.network.alias_host": [ + "ender5647.www5.example" + ], + "rsa.network.vlan": 5554, + "rsa.time.event_time_str": "Sep", + "rule.name": "occaeca", + "service.type": "f5", + "source.geo.country_name": "smoditem", + "source.ip": [ + "10.121.153.197" + ], + "source.nat.ip": "10.170.165.164", + "source.nat.port": 505, + "source.port": 6593, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "borumSec" + }, + { + "destination.geo.country_name": "eserun", + "destination.nat.ip": "10.19.99.129", + "destination.nat.port": 956, + "destination.port": 3034, + "event.action": "Established", + "event.code": "uta", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "uidexeac sequa ntsunti2313.internal.invalid uinesc cid emi [F5@Bonorum acl_policy_name=lesti acl_policy_type=oreseo acl_rule_name=reprehen action=Established hostname=sis3986.internal.lan bigip_mgmt_ip=10.133.10.122 context_name=texplic context_type=edutp date_time=Sep 20 2017 13:57:58 dest_ip=10.93.59.189 dst_geo=eserun dest_port=3034 device_product=eniamqu device_vendor=inimav device_version=1.1576 drop_reason=imadm errdefs_msgno=uta errdefs_msg_name=tisu flow_id=remagnam ip_protocol=icmp severity=low partition_name=meiusm route_domain=nidolo sa_translation_pool=atquovol sa_translation_type=quunt source_ip=10.247.114.30 src_geo=olesti source_port=7584 source_user=quaeabil translated_dest_ip=10.19.99.129 translated_dest_port=956 translated_ip_protocol=itesse translated_route_domain=iamqui translated_source_ip=10.176.83.7 translated_source_port=5908 translated_vlan=inim vlan=6806", + "fileset.name": "bigipafm", + "host.ip": "10.133.10.122", + "host.name": "sis3986.internal.lan", + "input.type": "log", + "log.level": "low", + "log.offset": 36906, + "network.protocol": "icmp", + "observer.product": "eniamqu", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.1576", + "related.hosts": [ + "sis3986.internal.lan" + ], + "related.ip": [ + "10.19.99.129", + "10.247.114.30", + "10.176.83.7", + "10.133.10.122" + ], + "related.user": [ + "quaeabil" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "texplic", + "rsa.misc.event_type": "tisu", + "rsa.misc.obj_name": "Bonorum", + "rsa.misc.policy_name": "lesti", + "rsa.misc.reference_id": "uta", + "rsa.misc.rule_name": "reprehen", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.1576", + "rsa.network.alias_host": [ + "sis3986.internal.lan" + ], + "rsa.network.vlan": 6806, + "rsa.time.event_time_str": "Sep", + "rule.name": "reprehen", + "service.type": "f5", + "source.geo.country_name": "olesti", + "source.ip": [ + "10.247.114.30" + ], + "source.nat.ip": "10.176.83.7", + "source.nat.port": 5908, + "source.port": 7584, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "quaeabil" + }, + { + "destination.geo.country_name": "conse", + "destination.nat.ip": "10.8.29.219", + "destination.nat.port": 6890, + "destination.port": 5351, + "event.action": "Drop", + "event.code": "sedquian", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "Sed oremeumf lesti5921.api.localhost enima tnulapar ico [F5@giatquo acl_policy_name=lors acl_policy_type=its acl_rule_name=dolor action=Drop hostname=uatu2894.api.lan bigip_mgmt_ip=10.64.139.17 context_name=pro context_type=ice date_time=Oct 04 2017 21:00:32 dest_ip=10.87.238.169 dst_geo=conse dest_port=5351 device_product=mcol device_vendor=lup device_version=1.3824 drop_reason=upta errdefs_msgno=sedquian errdefs_msg_name=cti flow_id=rumSecti ip_protocol=rdp severity=medium partition_name=eca route_domain=oluptate sa_translation_pool=Duisa sa_translation_type=consequa source_ip=10.40.177.138 src_geo=aevitaed source_port=1082 source_user=rep translated_dest_ip=10.8.29.219 translated_dest_port=6890 translated_ip_protocol=quaeratv translated_route_domain=involu translated_source_ip=10.70.7.23 translated_source_port=2758 translated_vlan=amcolab vlan=4306", + "fileset.name": "bigipafm", + "host.ip": "10.64.139.17", + "host.name": "uatu2894.api.lan", + "input.type": "log", + "log.level": "medium", + "log.offset": 37799, + "network.protocol": "rdp", + "observer.product": "mcol", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.3824", + "related.hosts": [ + "uatu2894.api.lan" + ], + "related.ip": [ + "10.70.7.23", + "10.40.177.138", + "10.8.29.219", + "10.64.139.17" + ], + "related.user": [ + "rep" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "pro", + "rsa.misc.event_type": "cti", + "rsa.misc.obj_name": "giatquo", + "rsa.misc.policy_name": "lors", + "rsa.misc.reference_id": "sedquian", + "rsa.misc.rule_name": "dolor", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.3824", + "rsa.network.alias_host": [ + "uatu2894.api.lan" + ], + "rsa.network.vlan": 4306, + "rsa.time.event_time_str": "Oct", + "rule.name": "dolor", + "service.type": "f5", + "source.geo.country_name": "aevitaed", + "source.ip": [ + "10.40.177.138" + ], + "source.nat.ip": "10.70.7.23", + "source.nat.port": 2758, + "source.port": 1082, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "rep" + }, + { + "destination.geo.country_name": "msequ", + "destination.nat.ip": "10.67.221.220", + "destination.nat.port": 239, + "destination.port": 2383, + "event.action": "Closed", + "event.code": "mini", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "odic iuta liquaUte209.internal.test olores scipit lloinve [F5@borisnis acl_policy_name=onorumet acl_policy_type=ptatema acl_rule_name=eavolup action=Closed hostname=rmagnido5483.local bigip_mgmt_ip=10.180.62.222 context_name=ptatev context_type=atu date_time=Oct 19 2017 04:03:07 dest_ip=10.234.26.132 dst_geo=msequ dest_port=2383 device_product=mwritten device_vendor=tat device_version=1.6066 drop_reason=osa errdefs_msgno=mini errdefs_msg_name=rors flow_id=ssusci ip_protocol=udp severity=medium partition_name=inimve route_domain=uio sa_translation_pool=mexercit sa_translation_type=byC source_ip=10.2.189.20 src_geo=orin source_port=535 source_user=uptasnul translated_dest_ip=10.67.221.220 translated_dest_port=239 translated_ip_protocol=aedict translated_route_domain=niamqui translated_source_ip=10.67.173.228 translated_source_port=5767 translated_vlan=tatemse vlan=4493", + "fileset.name": "bigipafm", + "host.ip": "10.180.62.222", + "host.name": "rmagnido5483.local", + "input.type": "log", + "log.level": "medium", + "log.offset": 38663, + "network.protocol": "udp", + "observer.product": "mwritten", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.6066", + "related.hosts": [ + "rmagnido5483.local" + ], + "related.ip": [ + "10.2.189.20", + "10.67.221.220", + "10.67.173.228", + "10.180.62.222" + ], + "related.user": [ + "uptasnul" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "ptatev", + "rsa.misc.event_type": "rors", + "rsa.misc.obj_name": "borisnis", + "rsa.misc.policy_name": "onorumet", + "rsa.misc.reference_id": "mini", + "rsa.misc.rule_name": "eavolup", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.6066", + "rsa.network.alias_host": [ + "rmagnido5483.local" + ], + "rsa.network.vlan": 4493, + "rsa.time.event_time_str": "Oct", + "rule.name": "eavolup", + "service.type": "f5", + "source.geo.country_name": "orin", + "source.ip": [ + "10.2.189.20" + ], + "source.nat.ip": "10.67.173.228", + "source.nat.port": 5767, + "source.port": 535, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "uptasnul" + }, + { + "destination.geo.country_name": "upt", + "destination.nat.ip": "10.56.134.118", + "destination.nat.port": 358, + "destination.port": 6017, + "event.action": "Reject", + "event.code": "lorsi", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "uamestqu mpor orem6479.api.host seq rumSe tatnonp [F5@ommo acl_policy_name=adeser acl_policy_type=uasiarc acl_rule_name=doeiu action=Reject hostname=uian521.www.example bigip_mgmt_ip=10.209.52.47 context_name=imven context_type=onnumqua date_time=Nov 02 2017 11:05:41 dest_ip=10.141.201.173 dst_geo=upt dest_port=6017 device_product=itautfu device_vendor=nesci device_version=1.5040 drop_reason=mquis errdefs_msgno=lorsi errdefs_msg_name=tetura flow_id=eeufug ip_protocol=ipv6 severity=medium partition_name=tevelite route_domain=tocca sa_translation_pool=orsitvol sa_translation_type=ntor source_ip=10.147.127.181 src_geo=minimav source_port=6994 source_user=tasu translated_dest_ip=10.56.134.118 translated_dest_port=358 translated_ip_protocol=evo translated_route_domain=mcorpori translated_source_ip=10.196.176.243 translated_source_port=3465 translated_vlan=orsitam vlan=4991", + "fileset.name": "bigipafm", + "host.ip": "10.209.52.47", + "host.name": "uian521.www.example", + "input.type": "log", + "log.level": "medium", + "log.offset": 39543, + "network.protocol": "ipv6", + "observer.product": "itautfu", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.5040", + "related.hosts": [ + "uian521.www.example" + ], + "related.ip": [ + "10.147.127.181", + "10.209.52.47", + "10.56.134.118", + "10.196.176.243" + ], + "related.user": [ + "tasu" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "imven", + "rsa.misc.event_type": "tetura", + "rsa.misc.obj_name": "ommo", + "rsa.misc.policy_name": "adeser", + "rsa.misc.reference_id": "lorsi", + "rsa.misc.rule_name": "doeiu", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.5040", + "rsa.network.alias_host": [ + "uian521.www.example" + ], + "rsa.network.vlan": 4991, + "rsa.time.event_time_str": "Nov", + "rule.name": "doeiu", + "service.type": "f5", + "source.geo.country_name": "minimav", + "source.ip": [ + "10.147.127.181" + ], + "source.nat.ip": "10.196.176.243", + "source.nat.port": 3465, + "source.port": 6994, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "tasu" + }, + { + "destination.geo.country_name": "aut", + "destination.nat.ip": "10.85.13.237", + "destination.nat.port": 4072, + "destination.port": 5596, + "event.action": "Closed", + "event.code": "laboree", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "prehende lup tpers2217.internal.lan nula tdolorem qui [F5@olupt acl_policy_name=nemulla acl_policy_type=asp acl_rule_name=dexercit action=Closed hostname=taliq5213.api.corp bigip_mgmt_ip=10.226.24.84 context_name=ectobea context_type=dat date_time=Nov 16 2017 18:08:15 dest_ip=10.91.18.221 dst_geo=aut dest_port=5596 device_product=uames device_vendor=tconsec device_version=1.7604 drop_reason=oll errdefs_msgno=laboree errdefs_msg_name=udantiu flow_id=itametco ip_protocol=ipv6 severity=very-high partition_name=odico route_domain=rsint sa_translation_pool=itl sa_translation_type=ttenb source_ip=10.231.18.90 src_geo=lapa source_port=4860 source_user=Nem translated_dest_ip=10.85.13.237 translated_dest_port=4072 translated_ip_protocol=upidata translated_route_domain=ici translated_source_ip=10.248.140.59 translated_source_port=5760 translated_vlan=ident vlan=4293", + "fileset.name": "bigipafm", + "host.ip": "10.226.24.84", + "host.name": "taliq5213.api.corp", + "input.type": "log", + "log.level": "very-high", + "log.offset": 40424, + "network.protocol": "ipv6", + "observer.product": "uames", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.7604", + "related.hosts": [ + "taliq5213.api.corp" + ], + "related.ip": [ + "10.226.24.84", + "10.248.140.59", + "10.231.18.90", + "10.85.13.237" + ], + "related.user": [ + "Nem" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "ectobea", + "rsa.misc.event_type": "udantiu", + "rsa.misc.obj_name": "olupt", + "rsa.misc.policy_name": "nemulla", + "rsa.misc.reference_id": "laboree", + "rsa.misc.rule_name": "dexercit", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.7604", + "rsa.network.alias_host": [ + "taliq5213.api.corp" + ], + "rsa.network.vlan": 4293, + "rsa.time.event_time_str": "Nov", + "rule.name": "dexercit", + "service.type": "f5", + "source.geo.country_name": "lapa", + "source.ip": [ + "10.231.18.90" + ], + "source.nat.ip": "10.248.140.59", + "source.nat.port": 5760, + "source.port": 4860, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "Nem" + }, + { + "destination.geo.country_name": "mco", + "destination.nat.ip": "10.8.224.72", + "destination.nat.port": 6506, + "destination.port": 6246, + "event.action": "Accept", + "event.code": "nostrum", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "quelaud luptat rinrep6482.api.lan nimv emeu tatemac [F5@quisn acl_policy_name=rem acl_policy_type=ulamcola acl_rule_name=remagnaa action=Accept hostname=ntsunt4894.mail.domain bigip_mgmt_ip=10.203.46.215 context_name=mcorpori context_type=orisn date_time=Dec 01 2017 01:10:49 dest_ip=10.88.194.242 dst_geo=mco dest_port=6246 device_product=itame device_vendor=tenat device_version=1.5407 drop_reason=yCiceroi errdefs_msgno=nostrum errdefs_msg_name=orroquis flow_id=eumi ip_protocol=icmp severity=low partition_name=aea route_domain=tvolu sa_translation_pool=dutper sa_translation_type=tlaboru source_ip=10.207.183.204 src_geo=equuntu source_port=2673 source_user=eruntmo translated_dest_ip=10.8.224.72 translated_dest_port=6506 translated_ip_protocol=ion translated_route_domain=rured translated_source_ip=10.59.215.207 translated_source_port=6195 translated_vlan=ore vlan=5842", + "fileset.name": "bigipafm", + "host.ip": "10.203.46.215", + "host.name": "ntsunt4894.mail.domain", + "input.type": "log", + "log.level": "low", + "log.offset": 41293, + "network.protocol": "icmp", + "observer.product": "itame", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.5407", + "related.hosts": [ + "ntsunt4894.mail.domain" + ], + "related.ip": [ + "10.59.215.207", + "10.207.183.204", + "10.8.224.72", + "10.203.46.215" + ], + "related.user": [ + "eruntmo" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Accept" + ], + "rsa.misc.context": "mcorpori", + "rsa.misc.event_type": "orroquis", + "rsa.misc.obj_name": "quisn", + "rsa.misc.policy_name": "rem", + "rsa.misc.reference_id": "nostrum", + "rsa.misc.rule_name": "remagnaa", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.5407", + "rsa.network.alias_host": [ + "ntsunt4894.mail.domain" + ], + "rsa.network.vlan": 5842, + "rsa.time.event_time_str": "Dec", + "rule.name": "remagnaa", + "service.type": "f5", + "source.geo.country_name": "equuntu", + "source.ip": [ + "10.207.183.204" + ], + "source.nat.ip": "10.59.215.207", + "source.nat.port": 6195, + "source.port": 2673, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "eruntmo" + }, + { + "destination.geo.country_name": "mquis", + "destination.nat.ip": "10.255.145.22", + "destination.nat.port": 6949, + "destination.port": 7760, + "event.action": "Drop", + "event.code": "aeco", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "xerc Nequep ametcon7485.www.test rro tuser ctasu [F5@irat acl_policy_name=sitame acl_policy_type=oinven acl_rule_name=natu action=Drop hostname=mexer3864.api.corp bigip_mgmt_ip=10.98.154.146 context_name=nula context_type=ameaquei date_time=Dec 15 2017 08:13:24 dest_ip=10.72.114.116 dst_geo=mquis dest_port=7760 device_product=olupta device_vendor=isno device_version=1.6814 drop_reason=ine errdefs_msgno=aeco errdefs_msg_name=rinrepr flow_id=dutp ip_protocol=ipv6-icmp severity=very-high partition_name=giatqu route_domain=rsint sa_translation_pool=rsi sa_translation_type=paq source_ip=10.73.84.95 src_geo=uisautem source_port=6701 source_user=sitam translated_dest_ip=10.255.145.22 translated_dest_port=6949 translated_ip_protocol=emUtenim translated_route_domain=ende translated_source_ip=10.230.38.148 translated_source_port=3213 translated_vlan=sse vlan=368", + "fileset.name": "bigipafm", + "host.ip": "10.98.154.146", + "host.name": "mexer3864.api.corp", + "input.type": "log", + "log.level": "very-high", + "log.offset": 42171, + "network.protocol": "ipv6-icmp", + "observer.product": "olupta", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.6814", + "related.hosts": [ + "mexer3864.api.corp" + ], + "related.ip": [ + "10.98.154.146", + "10.73.84.95", + "10.230.38.148", + "10.255.145.22" + ], + "related.user": [ + "sitam" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "nula", + "rsa.misc.event_type": "rinrepr", + "rsa.misc.obj_name": "irat", + "rsa.misc.policy_name": "sitame", + "rsa.misc.reference_id": "aeco", + "rsa.misc.rule_name": "natu", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.6814", + "rsa.network.alias_host": [ + "mexer3864.api.corp" + ], + "rsa.network.vlan": 368, + "rsa.time.event_time_str": "Dec", + "rule.name": "natu", + "service.type": "f5", + "source.geo.country_name": "uisautem", + "source.ip": [ + "10.73.84.95" + ], + "source.nat.ip": "10.230.38.148", + "source.nat.port": 3213, + "source.port": 6701, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "sitam" + }, + { + "destination.geo.country_name": "eleumi", + "destination.nat.ip": "10.105.120.162", + "destination.nat.port": 2984, + "destination.port": 4584, + "event.action": "Accept", + "event.code": "uptateve", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "incidi aedictas rumetMa2554.domain unt liq abore [F5@iumdo acl_policy_name=oreeu acl_policy_type=mea acl_rule_name=ssec action=Accept hostname=oluptat6960.www5.test bigip_mgmt_ip=10.211.29.187 context_name=ptat context_type=meaquei date_time=Dec 29 2017 15:15:58 dest_ip=10.228.204.249 dst_geo=eleumi dest_port=4584 device_product=porissus device_vendor=imip device_version=1.7160 drop_reason=ddoe errdefs_msgno=uptateve errdefs_msg_name=ured flow_id=ctetu ip_protocol=tcp severity=low partition_name=uasiarch route_domain=Malor sa_translation_pool=boriosa sa_translation_type=cillumdo source_ip=10.166.142.198 src_geo=oremipsu source_port=465 source_user=tium translated_dest_ip=10.105.120.162 translated_dest_port=2984 translated_ip_protocol=etc translated_route_domain=eturadip translated_source_ip=10.175.181.138 translated_source_port=3787 translated_vlan=tassitas vlan=1495", + "fileset.name": "bigipafm", + "host.ip": "10.211.29.187", + "host.name": "oluptat6960.www5.test", + "input.type": "log", + "log.level": "low", + "log.offset": 43036, + "network.protocol": "tcp", + "observer.product": "porissus", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.7160", + "related.hosts": [ + "oluptat6960.www5.test" + ], + "related.ip": [ + "10.166.142.198", + "10.105.120.162", + "10.175.181.138", + "10.211.29.187" + ], + "related.user": [ + "tium" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Accept" + ], + "rsa.misc.context": "ptat", + "rsa.misc.event_type": "ured", + "rsa.misc.obj_name": "iumdo", + "rsa.misc.policy_name": "oreeu", + "rsa.misc.reference_id": "uptateve", + "rsa.misc.rule_name": "ssec", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.7160", + "rsa.network.alias_host": [ + "oluptat6960.www5.test" + ], + "rsa.network.vlan": 1495, + "rsa.time.event_time_str": "Dec", + "rule.name": "ssec", + "service.type": "f5", + "source.geo.country_name": "oremipsu", + "source.ip": [ + "10.166.142.198" + ], + "source.nat.ip": "10.175.181.138", + "source.nat.port": 3787, + "source.port": 465, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "tium" + }, + { + "destination.geo.country_name": "doconse", + "destination.nat.ip": "10.220.202.102", + "destination.nat.port": 10, + "destination.port": 5211, + "event.action": "Established", + "event.code": "animi", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "velite maccus nima5813.mail.example iarchit sBonorum moenimi [F5@lor acl_policy_name=auto acl_policy_type=rsinto acl_rule_name=ati action=Established hostname=fugiatnu2498.www.localhost bigip_mgmt_ip=10.182.213.195 context_name=tconse context_type=eumf date_time=Jan 12 2018 22:18:32 dest_ip=10.200.94.145 dst_geo=doconse dest_port=5211 device_product=uis device_vendor=lill device_version=1.6057 drop_reason=imi errdefs_msgno=animi errdefs_msg_name=edutpers flow_id=pisci ip_protocol=tcp severity=very-high partition_name=umto route_domain=xercit sa_translation_pool=lam sa_translation_type=asnu source_ip=10.122.133.162 src_geo=eriam source_port=4838 source_user=aquae translated_dest_ip=10.220.202.102 translated_dest_port=10 translated_ip_protocol=iaturE translated_route_domain=epor translated_source_ip=10.195.139.25 translated_source_port=5566 translated_vlan=tper vlan=4341", + "fileset.name": "bigipafm", + "host.ip": "10.182.213.195", + "host.name": "fugiatnu2498.www.localhost", + "input.type": "log", + "log.level": "very-high", + "log.offset": 43916, + "network.protocol": "tcp", + "observer.product": "uis", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.6057", + "related.hosts": [ + "fugiatnu2498.www.localhost" + ], + "related.ip": [ + "10.182.213.195", + "10.195.139.25", + "10.122.133.162", + "10.220.202.102" + ], + "related.user": [ + "aquae" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "tconse", + "rsa.misc.event_type": "edutpers", + "rsa.misc.obj_name": "lor", + "rsa.misc.policy_name": "auto", + "rsa.misc.reference_id": "animi", + "rsa.misc.rule_name": "ati", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.6057", + "rsa.network.alias_host": [ + "fugiatnu2498.www.localhost" + ], + "rsa.network.vlan": 4341, + "rsa.time.event_time_str": "Jan", + "rule.name": "ati", + "service.type": "f5", + "source.geo.country_name": "eriam", + "source.ip": [ + "10.122.133.162" + ], + "source.nat.ip": "10.195.139.25", + "source.nat.port": 5566, + "source.port": 4838, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "aquae" + }, + { + "destination.geo.country_name": "uatD", + "destination.nat.ip": "10.33.143.163", + "destination.nat.port": 5404, + "destination.port": 6508, + "event.action": "Reject", + "event.code": "anim", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "tconsect pariat iutal3376.api.corp isi idexeac ntu [F5@tdolo acl_policy_name=nimve acl_policy_type=duntut acl_rule_name=emporin action=Reject hostname=ptat3230.domain bigip_mgmt_ip=10.156.208.5 context_name=tlaboru context_type=tec date_time=Jan 27 2018 05:21:06 dest_ip=10.9.69.13 dst_geo=uatD dest_port=6508 device_product=antium device_vendor=remaper device_version=1.3297 drop_reason=ntNequ errdefs_msgno=anim errdefs_msg_name=uae flow_id=ata ip_protocol=tcp severity=very-high partition_name=paq route_domain=emipsumq sa_translation_pool=culpaq sa_translation_type=quamq source_ip=10.53.72.161 src_geo=pta source_port=4723 source_user=scip translated_dest_ip=10.33.143.163 translated_dest_port=5404 translated_ip_protocol=iusmodi translated_route_domain=esciun translated_source_ip=10.247.144.9 translated_source_port=2494 translated_vlan=lit vlan=4112", + "fileset.name": "bigipafm", + "host.ip": "10.156.208.5", + "host.name": "ptat3230.domain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 44798, + "network.protocol": "tcp", + "observer.product": "antium", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.3297", + "related.hosts": [ + "ptat3230.domain" + ], + "related.ip": [ + "10.33.143.163", + "10.247.144.9", + "10.156.208.5", + "10.53.72.161" + ], + "related.user": [ + "scip" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "tlaboru", + "rsa.misc.event_type": "uae", + "rsa.misc.obj_name": "tdolo", + "rsa.misc.policy_name": "nimve", + "rsa.misc.reference_id": "anim", + "rsa.misc.rule_name": "emporin", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3297", + "rsa.network.alias_host": [ + "ptat3230.domain" + ], + "rsa.network.vlan": 4112, + "rsa.time.event_time_str": "Jan", + "rule.name": "emporin", + "service.type": "f5", + "source.geo.country_name": "pta", + "source.ip": [ + "10.53.72.161" + ], + "source.nat.ip": "10.247.144.9", + "source.nat.port": 2494, + "source.port": 4723, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "scip" + }, + { + "destination.geo.country_name": "eufugia", + "destination.nat.ip": "10.241.143.145", + "destination.nat.port": 6151, + "destination.port": 2345, + "event.action": "Closed", + "event.code": "unturmag", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "oidentsu oditau onsec1632.internal.lan lup aeca isau [F5@giat acl_policy_name=ttenb acl_policy_type=eirure acl_rule_name=boreetd action=Closed hostname=exer447.internal.localhost bigip_mgmt_ip=10.35.190.164 context_name=radipis context_type=lore date_time=Feb 10 2018 12:23:41 dest_ip=10.76.99.144 dst_geo=eufugia dest_port=2345 device_product=pariat device_vendor=nimip device_version=1.2476 drop_reason=usci errdefs_msgno=unturmag errdefs_msg_name=dexeaco flow_id=lupta ip_protocol=ggp severity=very-high partition_name=oreeufug route_domain=Quisa sa_translation_pool=quiav sa_translation_type=ctionofd source_ip=10.21.58.162 src_geo=uisautei source_port=7881 source_user=porin translated_dest_ip=10.241.143.145 translated_dest_port=6151 translated_ip_protocol=ecillum translated_route_domain=olor translated_source_ip=10.113.65.192 translated_source_port=7807 translated_vlan=conseq vlan=6079", + "fileset.name": "bigipafm", + "host.ip": "10.35.190.164", + "host.name": "exer447.internal.localhost", + "input.type": "log", + "log.level": "very-high", + "log.offset": 45656, + "network.protocol": "ggp", + "observer.product": "pariat", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.2476", + "related.hosts": [ + "exer447.internal.localhost" + ], + "related.ip": [ + "10.241.143.145", + "10.35.190.164", + "10.21.58.162", + "10.113.65.192" + ], + "related.user": [ + "porin" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "radipis", + "rsa.misc.event_type": "dexeaco", + "rsa.misc.obj_name": "giat", + "rsa.misc.policy_name": "ttenb", + "rsa.misc.reference_id": "unturmag", + "rsa.misc.rule_name": "boreetd", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.2476", + "rsa.network.alias_host": [ + "exer447.internal.localhost" + ], + "rsa.network.vlan": 6079, + "rsa.time.event_time_str": "Feb", + "rule.name": "boreetd", + "service.type": "f5", + "source.geo.country_name": "uisautei", + "source.ip": [ + "10.21.58.162" + ], + "source.nat.ip": "10.113.65.192", + "source.nat.port": 7807, + "source.port": 7881, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "porin" + }, + { + "destination.geo.country_name": "exe", + "destination.nat.ip": "10.75.113.240", + "destination.nat.port": 1874, + "destination.port": 1872, + "event.action": "Closed", + "event.code": "tas", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "edutpers ctobeat upta4358.home orem inibus secte [F5@ctobeat acl_policy_name=onsec acl_policy_type=idestl acl_rule_name=litani action=Closed hostname=itanimi1934.home bigip_mgmt_ip=10.19.154.103 context_name=ittenb context_type=tobeatae date_time=Feb 24 2018 19:26:15 dest_ip=10.235.51.61 dst_geo=exe dest_port=1872 device_product=cia device_vendor=idolo device_version=1.768 drop_reason=pitlabo errdefs_msgno=tas errdefs_msg_name=rcitat flow_id=ree ip_protocol=tcp severity=very-high partition_name=quipexea route_domain=orsitv sa_translation_pool=dunt sa_translation_type=int source_ip=10.53.27.253 src_geo=temveleu source_port=3599 source_user=luptat translated_dest_ip=10.75.113.240 translated_dest_port=1874 translated_ip_protocol=ionulam translated_route_domain=auto translated_source_ip=10.129.16.166 translated_source_port=5141 translated_vlan=ntocca vlan=5439", + "fileset.name": "bigipafm", + "host.ip": "10.19.154.103", + "host.name": "itanimi1934.home", + "input.type": "log", + "log.level": "very-high", + "log.offset": 46552, + "network.protocol": "tcp", + "observer.product": "cia", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.768", + "related.hosts": [ + "itanimi1934.home" + ], + "related.ip": [ + "10.129.16.166", + "10.75.113.240", + "10.19.154.103", + "10.53.27.253" + ], + "related.user": [ + "luptat" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "ittenb", + "rsa.misc.event_type": "rcitat", + "rsa.misc.obj_name": "ctobeat", + "rsa.misc.policy_name": "onsec", + "rsa.misc.reference_id": "tas", + "rsa.misc.rule_name": "litani", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.768", + "rsa.network.alias_host": [ + "itanimi1934.home" + ], + "rsa.network.vlan": 5439, + "rsa.time.event_time_str": "Feb", + "rule.name": "litani", + "service.type": "f5", + "source.geo.country_name": "temveleu", + "source.ip": [ + "10.53.27.253" + ], + "source.nat.ip": "10.129.16.166", + "source.nat.port": 5141, + "source.port": 3599, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "luptat" + }, + { + "destination.geo.country_name": "equ", + "destination.nat.ip": "10.150.153.61", + "destination.nat.port": 2773, + "destination.port": 7256, + "event.action": "Established", + "event.code": "ihi", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "tvol lup mipsamv161.local ionula pexeaco temaccu [F5@uamqua acl_policy_name=Neq acl_policy_type=runt acl_rule_name=xcep action=Established hostname=pteurs1031.mail.corp bigip_mgmt_ip=10.125.150.220 context_name=lumquid context_type=eturadip date_time=Mar 11 2018 02:28:49 dest_ip=10.241.228.95 dst_geo=equ dest_port=7256 device_product=ssequamn device_vendor=ave device_version=1.5812 drop_reason=edquia errdefs_msgno=ihi errdefs_msg_name=undeomn flow_id=ape ip_protocol=rdp severity=medium partition_name=ari route_domain=umtot sa_translation_pool=onemulla sa_translation_type=atquo source_ip=10.120.50.13 src_geo=issu source_port=4426 source_user=inculpa translated_dest_ip=10.150.153.61 translated_dest_port=2773 translated_ip_protocol=loremagn translated_route_domain=acons translated_source_ip=10.22.213.196 translated_source_port=7230 translated_vlan=emoenimi vlan=1864", + "fileset.name": "bigipafm", + "host.ip": "10.125.150.220", + "host.name": "pteurs1031.mail.corp", + "input.type": "log", + "log.level": "medium", + "log.offset": 47421, + "network.protocol": "rdp", + "observer.product": "ssequamn", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.5812", + "related.hosts": [ + "pteurs1031.mail.corp" + ], + "related.ip": [ + "10.150.153.61", + "10.22.213.196", + "10.120.50.13", + "10.125.150.220" + ], + "related.user": [ + "inculpa" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "lumquid", + "rsa.misc.event_type": "undeomn", + "rsa.misc.obj_name": "uamqua", + "rsa.misc.policy_name": "Neq", + "rsa.misc.reference_id": "ihi", + "rsa.misc.rule_name": "xcep", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.5812", + "rsa.network.alias_host": [ + "pteurs1031.mail.corp" + ], + "rsa.network.vlan": 1864, + "rsa.time.event_time_str": "Mar", + "rule.name": "xcep", + "service.type": "f5", + "source.geo.country_name": "issu", + "source.ip": [ + "10.120.50.13" + ], + "source.nat.ip": "10.22.213.196", + "source.nat.port": 7230, + "source.port": 4426, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "inculpa" + }, + { + "destination.geo.country_name": "dquia", + "destination.nat.ip": "10.238.171.184", + "destination.nat.port": 2574, + "destination.port": 5334, + "event.action": "Accept", + "event.code": "dolor", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "mqu onorume abill5290.lan mini mve tionev [F5@uasiarch acl_policy_name=velites acl_policy_type=uredolor acl_rule_name=epreh action=Accept hostname=edquiaco6562.api.lan bigip_mgmt_ip=10.113.2.13 context_name=rudexerc context_type=nturm date_time=Mar 25 2018 09:31:24 dest_ip=10.182.134.109 dst_geo=dquia dest_port=5334 device_product=bori device_vendor=dipi device_version=1.7232 drop_reason=utf errdefs_msgno=dolor errdefs_msg_name=dexe flow_id=nemul ip_protocol=igmp severity=low partition_name=lupt route_domain=quatur sa_translation_pool=dminim sa_translation_type=ptatevel source_ip=10.85.52.249 src_geo=eirured source_port=3772 source_user=tatiset translated_dest_ip=10.238.171.184 translated_dest_port=2574 translated_ip_protocol=duntutl translated_route_domain=nven translated_source_ip=10.229.155.171 translated_source_port=6978 translated_vlan=asiarch vlan=7121", + "fileset.name": "bigipafm", + "host.ip": "10.113.2.13", + "host.name": "edquiaco6562.api.lan", + "input.type": "log", + "log.level": "low", + "log.offset": 48297, + "network.protocol": "igmp", + "observer.product": "bori", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.7232", + "related.hosts": [ + "edquiaco6562.api.lan" + ], + "related.ip": [ + "10.85.52.249", + "10.229.155.171", + "10.238.171.184", + "10.113.2.13" + ], + "related.user": [ + "tatiset" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Accept" + ], + "rsa.misc.context": "rudexerc", + "rsa.misc.event_type": "dexe", + "rsa.misc.obj_name": "uasiarch", + "rsa.misc.policy_name": "velites", + "rsa.misc.reference_id": "dolor", + "rsa.misc.rule_name": "epreh", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.7232", + "rsa.network.alias_host": [ + "edquiaco6562.api.lan" + ], + "rsa.network.vlan": 7121, + "rsa.time.event_time_str": "Mar", + "rule.name": "epreh", + "service.type": "f5", + "source.geo.country_name": "eirured", + "source.ip": [ + "10.85.52.249" + ], + "source.nat.ip": "10.229.155.171", + "source.nat.port": 6978, + "source.port": 3772, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "tatiset" + }, + { + "destination.geo.country_name": "dolo", + "destination.nat.ip": "10.51.245.225", + "destination.nat.port": 3991, + "destination.port": 6418, + "event.action": "Accept", + "event.code": "tessecil", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "utla deomni tse7542.test nesciu todit utaliqui [F5@emse acl_policy_name=emqui acl_policy_type=cipitla acl_rule_name=tlab action=Accept hostname=tatis7315.mail.home bigip_mgmt_ip=10.249.174.35 context_name=umfu context_type=utla date_time=Apr 08 2018 16:33:58 dest_ip=10.136.53.201 dst_geo=dolo dest_port=6418 device_product=samvol device_vendor=equa device_version=1.536 drop_reason=strumex errdefs_msgno=tessecil errdefs_msg_name=ugia flow_id=reprehe ip_protocol=udp severity=medium partition_name=umq route_domain=sistena sa_translation_pool=qui sa_translation_type=caboN source_ip=10.198.150.185 src_geo=catcupid source_port=3167 source_user=quela translated_dest_ip=10.51.245.225 translated_dest_port=3991 translated_ip_protocol=enimi translated_route_domain=illum translated_source_ip=10.220.1.249 translated_source_port=4200 translated_vlan=Sedut vlan=7832", + "fileset.name": "bigipafm", + "host.ip": "10.249.174.35", + "host.name": "tatis7315.mail.home", + "input.type": "log", + "log.level": "medium", + "log.offset": 49168, + "network.protocol": "udp", + "observer.product": "samvol", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.536", + "related.hosts": [ + "tatis7315.mail.home" + ], + "related.ip": [ + "10.249.174.35", + "10.51.245.225", + "10.220.1.249", + "10.198.150.185" + ], + "related.user": [ + "quela" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Accept" + ], + "rsa.misc.context": "umfu", + "rsa.misc.event_type": "ugia", + "rsa.misc.obj_name": "emse", + "rsa.misc.policy_name": "emqui", + "rsa.misc.reference_id": "tessecil", + "rsa.misc.rule_name": "tlab", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.536", + "rsa.network.alias_host": [ + "tatis7315.mail.home" + ], + "rsa.network.vlan": 7832, + "rsa.time.event_time_str": "Apr", + "rule.name": "tlab", + "service.type": "f5", + "source.geo.country_name": "catcupid", + "source.ip": [ + "10.198.150.185" + ], + "source.nat.ip": "10.220.1.249", + "source.nat.port": 4200, + "source.port": 3167, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "quela" + }, + { + "destination.geo.country_name": "osqu", + "destination.nat.ip": "10.190.96.181", + "destination.nat.port": 2153, + "destination.port": 4859, + "event.action": "Drop", + "event.code": "runtmoll", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "audant obeata uredol2348.www5.host entorev quuntur olup [F5@aeab acl_policy_name=uradipis acl_policy_type=aerat acl_rule_name=les action=Drop hostname=eosqui3723.api.localdomain bigip_mgmt_ip=10.152.157.32 context_name=ali context_type=udexerci date_time=Apr 22 2018 23:36:32 dest_ip=10.76.232.245 dst_geo=osqu dest_port=4859 device_product=aborio device_vendor=rve device_version=1.219 drop_reason=nbyCi errdefs_msgno=runtmoll errdefs_msg_name=busBon flow_id=norumetM ip_protocol=udp severity=low partition_name=usBono route_domain=ameaq sa_translation_pool=Quis sa_translation_type=lupta source_ip=10.251.82.195 src_geo=umiure source_port=5186 source_user=olorese translated_dest_ip=10.190.96.181 translated_dest_port=2153 translated_ip_protocol=culp translated_route_domain=deomn translated_source_ip=10.38.185.31 translated_source_port=1085 translated_vlan=llo vlan=1106", + "fileset.name": "bigipafm", + "host.ip": "10.152.157.32", + "host.name": "eosqui3723.api.localdomain", + "input.type": "log", + "log.level": "low", + "log.offset": 50031, + "network.protocol": "udp", + "observer.product": "aborio", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.219", + "related.hosts": [ + "eosqui3723.api.localdomain" + ], + "related.ip": [ + "10.38.185.31", + "10.251.82.195", + "10.190.96.181", + "10.152.157.32" + ], + "related.user": [ + "olorese" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "ali", + "rsa.misc.event_type": "busBon", + "rsa.misc.obj_name": "aeab", + "rsa.misc.policy_name": "uradipis", + "rsa.misc.reference_id": "runtmoll", + "rsa.misc.rule_name": "les", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.219", + "rsa.network.alias_host": [ + "eosqui3723.api.localdomain" + ], + "rsa.network.vlan": 1106, + "rsa.time.event_time_str": "Apr", + "rule.name": "les", + "service.type": "f5", + "source.geo.country_name": "umiure", + "source.ip": [ + "10.251.82.195" + ], + "source.nat.ip": "10.38.185.31", + "source.nat.port": 1085, + "source.port": 5186, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "olorese" + }, + { + "destination.geo.country_name": "eratv", + "destination.nat.ip": "10.230.112.179", + "destination.nat.port": 5926, + "destination.port": 7206, + "event.action": "Drop", + "event.code": "xerc", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "tla iaconseq sed3235.www5.localhost pidatatn isno luptatev [F5@occaeca acl_policy_name=dan acl_policy_type=pta acl_rule_name=upt action=Drop hostname=itaedict199.mail.corp bigip_mgmt_ip=10.103.102.242 context_name=labore context_type=lorem date_time=May 07 2018 06:39:06 dest_ip=10.68.159.207 dst_geo=eratv dest_port=7206 device_product=estq device_vendor=quasiarc device_version=1.6526 drop_reason=liq errdefs_msgno=xerc errdefs_msg_name=atisetqu flow_id=squir ip_protocol=icmp severity=very-high partition_name=quam route_domain=deriti sa_translation_pool=edictasu sa_translation_type=eturadi source_ip=10.190.247.194 src_geo=mSecti source_port=4210 source_user=tDuisaut translated_dest_ip=10.230.112.179 translated_dest_port=5926 translated_ip_protocol=vol translated_route_domain=ita translated_source_ip=10.211.198.50 translated_source_port=7510 translated_vlan=nibusB vlan=5555", + "fileset.name": "bigipafm", + "host.ip": "10.103.102.242", + "host.name": "itaedict199.mail.corp", + "input.type": "log", + "log.level": "very-high", + "log.offset": 50906, + "network.protocol": "icmp", + "observer.product": "estq", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.6526", + "related.hosts": [ + "itaedict199.mail.corp" + ], + "related.ip": [ + "10.103.102.242", + "10.190.247.194", + "10.230.112.179", + "10.211.198.50" + ], + "related.user": [ + "tDuisaut" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "labore", + "rsa.misc.event_type": "atisetqu", + "rsa.misc.obj_name": "occaeca", + "rsa.misc.policy_name": "dan", + "rsa.misc.reference_id": "xerc", + "rsa.misc.rule_name": "upt", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.6526", + "rsa.network.alias_host": [ + "itaedict199.mail.corp" + ], + "rsa.network.vlan": 5555, + "rsa.time.event_time_str": "May", + "rule.name": "upt", + "service.type": "f5", + "source.geo.country_name": "mSecti", + "source.ip": [ + "10.190.247.194" + ], + "source.nat.ip": "10.211.198.50", + "source.nat.port": 7510, + "source.port": 4210, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "tDuisaut" + }, + { + "destination.geo.country_name": "uiac", + "destination.nat.ip": "10.101.13.122", + "destination.nat.port": 6737, + "destination.port": 7838, + "event.action": "Closed", + "event.code": "queporro", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "amremap oremagna aqu4475.mail.invalid serrorsi tsedquia rsit [F5@quis acl_policy_name=upidatat acl_policy_type=mod acl_rule_name=niamqui action=Closed hostname=xeaco7887.www.localdomain bigip_mgmt_ip=10.47.223.155 context_name=ugitsed context_type=dminimve date_time=May 21 2018 13:41:41 dest_ip=10.111.137.84 dst_geo=uiac dest_port=7838 device_product=tot device_vendor=reme device_version=1.7750 drop_reason=loremi errdefs_msgno=queporro errdefs_msg_name=tur flow_id=eFi ip_protocol=ipv6-icmp severity=medium partition_name=ulapari route_domain=eporroq sa_translation_pool=uunturm sa_translation_type=iatn source_ip=10.219.83.199 src_geo=diduntut source_port=1321 source_user=ectetur translated_dest_ip=10.101.13.122 translated_dest_port=6737 translated_ip_protocol=nibusBo translated_route_domain=volup translated_source_ip=10.251.101.61 translated_source_port=5153 translated_vlan=scipit vlan=6495", + "fileset.name": "bigipafm", + "host.ip": "10.47.223.155", + "host.name": "xeaco7887.www.localdomain", + "input.type": "log", + "log.level": "medium", + "log.offset": 51790, + "network.protocol": "ipv6-icmp", + "observer.product": "tot", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.7750", + "related.hosts": [ + "xeaco7887.www.localdomain" + ], + "related.ip": [ + "10.219.83.199", + "10.47.223.155", + "10.101.13.122", + "10.251.101.61" + ], + "related.user": [ + "ectetur" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "ugitsed", + "rsa.misc.event_type": "tur", + "rsa.misc.obj_name": "quis", + "rsa.misc.policy_name": "upidatat", + "rsa.misc.reference_id": "queporro", + "rsa.misc.rule_name": "niamqui", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.7750", + "rsa.network.alias_host": [ + "xeaco7887.www.localdomain" + ], + "rsa.network.vlan": 6495, + "rsa.time.event_time_str": "May", + "rule.name": "niamqui", + "service.type": "f5", + "source.geo.country_name": "diduntut", + "source.ip": [ + "10.219.83.199" + ], + "source.nat.ip": "10.251.101.61", + "source.nat.port": 5153, + "source.port": 1321, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "ectetur" + }, + { + "destination.geo.country_name": "inBCSed", + "destination.nat.ip": "10.21.30.43", + "destination.nat.port": 4754, + "destination.port": 6353, + "event.action": "Closed", + "event.code": "olu", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "tore isni tamrema736.www5.lan ntiumdol conse aturve [F5@edqui acl_policy_name=tvolu acl_policy_type=psu acl_rule_name=strud action=Closed hostname=saute7421.www.invalid bigip_mgmt_ip=10.21.80.157 context_name=tiumtot context_type=tate date_time=Jun 04 2018 20:44:15 dest_ip=10.13.222.177 dst_geo=inBCSed dest_port=6353 device_product=Loremip device_vendor=taliqui device_version=1.5568 drop_reason=ipsaquae errdefs_msgno=olu errdefs_msg_name=exerci flow_id=isnostru ip_protocol=tcp severity=very-high partition_name=ngelits route_domain=volupt sa_translation_pool=billoi sa_translation_type=reseo source_ip=10.31.86.83 src_geo=pariat source_port=6646 source_user=litsed translated_dest_ip=10.21.30.43 translated_dest_port=4754 translated_ip_protocol=lorem translated_route_domain=iamquisn translated_source_ip=10.83.136.233 translated_source_port=6643 translated_vlan=imadm vlan=3187", + "fileset.name": "bigipafm", + "host.ip": "10.21.80.157", + "host.name": "saute7421.www.invalid", + "input.type": "log", + "log.level": "very-high", + "log.offset": 52692, + "network.protocol": "tcp", + "observer.product": "Loremip", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.5568", + "related.hosts": [ + "saute7421.www.invalid" + ], + "related.ip": [ + "10.31.86.83", + "10.21.30.43", + "10.21.80.157", + "10.83.136.233" + ], + "related.user": [ + "litsed" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "tiumtot", + "rsa.misc.event_type": "exerci", + "rsa.misc.obj_name": "edqui", + "rsa.misc.policy_name": "tvolu", + "rsa.misc.reference_id": "olu", + "rsa.misc.rule_name": "strud", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.5568", + "rsa.network.alias_host": [ + "saute7421.www.invalid" + ], + "rsa.network.vlan": 3187, + "rsa.time.event_time_str": "Jun", + "rule.name": "strud", + "service.type": "f5", + "source.geo.country_name": "pariat", + "source.ip": [ + "10.31.86.83" + ], + "source.nat.ip": "10.83.136.233", + "source.nat.port": 6643, + "source.port": 6646, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "litsed" + }, + { + "destination.geo.country_name": "uine", + "destination.nat.ip": "10.194.197.107", + "destination.nat.port": 2524, + "destination.port": 1815, + "event.action": "Accept", + "event.code": "archite", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "lumdol edutper utemve6966.mail.local emoen ptate mipsumqu [F5@turad acl_policy_name=dol acl_policy_type=ntutla acl_rule_name=des action=Accept hostname=oluptas1637.home bigip_mgmt_ip=10.195.90.73 context_name=ipisc context_type=iatnulap date_time=Jun 19 2018 03:46:49 dest_ip=10.170.155.137 dst_geo=uine dest_port=1815 device_product=veniamqu device_vendor=iconsequ device_version=1.5445 drop_reason=apa errdefs_msgno=archite errdefs_msg_name=tur flow_id=ddo ip_protocol=ipv6 severity=high partition_name=inBC route_domain=did sa_translation_pool=atcupi sa_translation_type=eriti source_ip=10.45.152.205 src_geo=rema source_port=5107 source_user=datatn translated_dest_ip=10.194.197.107 translated_dest_port=2524 translated_ip_protocol=tur translated_route_domain=itation translated_source_ip=10.27.181.27 translated_source_port=5509 translated_vlan=uredo vlan=2155", + "fileset.name": "bigipafm", + "host.ip": "10.195.90.73", + "host.name": "oluptas1637.home", + "input.type": "log", + "log.level": "high", + "log.offset": 53576, + "network.protocol": "ipv6", + "observer.product": "veniamqu", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.5445", + "related.hosts": [ + "oluptas1637.home" + ], + "related.ip": [ + "10.27.181.27", + "10.45.152.205", + "10.194.197.107", + "10.195.90.73" + ], + "related.user": [ + "datatn" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Accept" + ], + "rsa.misc.context": "ipisc", + "rsa.misc.event_type": "tur", + "rsa.misc.obj_name": "turad", + "rsa.misc.policy_name": "dol", + "rsa.misc.reference_id": "archite", + "rsa.misc.rule_name": "des", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.5445", + "rsa.network.alias_host": [ + "oluptas1637.home" + ], + "rsa.network.vlan": 2155, + "rsa.time.event_time_str": "Jun", + "rule.name": "des", + "service.type": "f5", + "source.geo.country_name": "rema", + "source.ip": [ + "10.45.152.205" + ], + "source.nat.ip": "10.27.181.27", + "source.nat.port": 5509, + "source.port": 5107, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "datatn" + }, + { + "destination.geo.country_name": "iscive", + "destination.nat.ip": "10.129.161.18", + "destination.nat.port": 782, + "destination.port": 5527, + "event.action": "Drop", + "event.code": "taevitae", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "use catcu quame922.internal.host eursi liquid ulapari [F5@ibus acl_policy_name=isu acl_policy_type=moll acl_rule_name=roinBCS action=Drop hostname=ididu5505.api.localdomain bigip_mgmt_ip=10.43.239.97 context_name=modi context_type=cip date_time=Jul 03 2018 10:49:23 dest_ip=10.60.60.164 dst_geo=iscive dest_port=5527 device_product=incididu device_vendor=yCice device_version=1.508 drop_reason=ionem errdefs_msgno=taevitae errdefs_msg_name=dminimv flow_id=quam ip_protocol=tcp severity=low partition_name=umdol route_domain=rerepr sa_translation_pool=ipiscin sa_translation_type=trudexe source_ip=10.222.2.132 src_geo=umdo source_port=6187 source_user=aedicta translated_dest_ip=10.129.161.18 translated_dest_port=782 translated_ip_protocol=umquiad translated_route_domain=porinc translated_source_ip=10.183.90.25 translated_source_port=5038 translated_vlan=conse vlan=2563", + "fileset.name": "bigipafm", + "host.ip": "10.43.239.97", + "host.name": "ididu5505.api.localdomain", + "input.type": "log", + "log.level": "low", + "log.offset": 54442, + "network.protocol": "tcp", + "observer.product": "incididu", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.508", + "related.hosts": [ + "ididu5505.api.localdomain" + ], + "related.ip": [ + "10.222.2.132", + "10.183.90.25", + "10.43.239.97", + "10.129.161.18" + ], + "related.user": [ + "aedicta" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "modi", + "rsa.misc.event_type": "dminimv", + "rsa.misc.obj_name": "ibus", + "rsa.misc.policy_name": "isu", + "rsa.misc.reference_id": "taevitae", + "rsa.misc.rule_name": "roinBCS", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.508", + "rsa.network.alias_host": [ + "ididu5505.api.localdomain" + ], + "rsa.network.vlan": 2563, + "rsa.time.event_time_str": "Jul", + "rule.name": "roinBCS", + "service.type": "f5", + "source.geo.country_name": "umdo", + "source.ip": [ + "10.222.2.132" + ], + "source.nat.ip": "10.183.90.25", + "source.nat.port": 5038, + "source.port": 6187, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "aedicta" + }, + { + "destination.geo.country_name": "nevolup", + "destination.nat.ip": "10.67.129.100", + "destination.nat.port": 7106, + "destination.port": 3706, + "event.action": "Closed", + "event.code": "elitse", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "dolo reeufu umexe5208.local suntex uptatema uteiru [F5@rcitati acl_policy_name=siutali acl_policy_type=uiratio acl_rule_name=ficia action=Closed hostname=mqui1099.api.corp bigip_mgmt_ip=10.231.167.171 context_name=onorumet context_type=illoinve date_time=Jul 17 2018 17:51:58 dest_ip=10.188.254.168 dst_geo=nevolup dest_port=3706 device_product=lor device_vendor=ica device_version=1.4479 drop_reason=sumd errdefs_msgno=elitse errdefs_msg_name=olu flow_id=temqu ip_protocol=rdp severity=very-high partition_name=nesci route_domain=meaquei sa_translation_pool=snisiu sa_translation_type=atem source_ip=10.189.162.131 src_geo=litsed source_port=6019 source_user=sedquia translated_dest_ip=10.67.129.100 translated_dest_port=7106 translated_ip_protocol=mmodicon translated_route_domain=eosquir translated_source_ip=10.248.156.138 translated_source_port=2125 translated_vlan=smodit vlan=3090", + "fileset.name": "bigipafm", + "host.ip": "10.231.167.171", + "host.name": "mqui1099.api.corp", + "input.type": "log", + "log.level": "very-high", + "log.offset": 55316, + "network.protocol": "rdp", + "observer.product": "lor", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.4479", + "related.hosts": [ + "mqui1099.api.corp" + ], + "related.ip": [ + "10.67.129.100", + "10.231.167.171", + "10.189.162.131", + "10.248.156.138" + ], + "related.user": [ + "sedquia" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "onorumet", + "rsa.misc.event_type": "olu", + "rsa.misc.obj_name": "rcitati", + "rsa.misc.policy_name": "siutali", + "rsa.misc.reference_id": "elitse", + "rsa.misc.rule_name": "ficia", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.4479", + "rsa.network.alias_host": [ + "mqui1099.api.corp" + ], + "rsa.network.vlan": 3090, + "rsa.time.event_time_str": "Jul", + "rule.name": "ficia", + "service.type": "f5", + "source.geo.country_name": "litsed", + "source.ip": [ + "10.189.162.131" + ], + "source.nat.ip": "10.248.156.138", + "source.nat.port": 2125, + "source.port": 6019, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "sedquia" + }, + { + "destination.geo.country_name": "umqui", + "destination.nat.ip": "10.185.107.27", + "destination.nat.port": 2257, + "destination.port": 1757, + "event.action": "Reject", + "event.code": "itecto", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "dun xce dol5403.www.localhost asiar eiu maliquam [F5@gnama acl_policy_name=ursintoc acl_policy_type=minimve acl_rule_name=eprehe action=Reject hostname=siuta2155.lan bigip_mgmt_ip=10.63.103.30 context_name=ill context_type=imveniam date_time=Aug 01 2018 00:54:32 dest_ip=10.36.29.127 dst_geo=umqui dest_port=1757 device_product=sci device_vendor=isquames device_version=1.2927 drop_reason=tlabor errdefs_msgno=itecto errdefs_msg_name=loreeuf flow_id=orainci ip_protocol=icmp severity=low partition_name=aev route_domain=uelaudan sa_translation_pool=lab sa_translation_type=sequa source_ip=10.6.146.184 src_geo=rrorsi source_port=7247 source_user=sequu translated_dest_ip=10.185.107.27 translated_dest_port=2257 translated_ip_protocol=mips translated_route_domain=iduntutl translated_source_ip=10.142.106.66 translated_source_port=3790 translated_vlan=quelauda vlan=289", + "fileset.name": "bigipafm", + "host.ip": "10.63.103.30", + "host.name": "siuta2155.lan", + "input.type": "log", + "log.level": "low", + "log.offset": 56204, + "network.protocol": "icmp", + "observer.product": "sci", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.2927", + "related.hosts": [ + "siuta2155.lan" + ], + "related.ip": [ + "10.6.146.184", + "10.185.107.27", + "10.63.103.30", + "10.142.106.66" + ], + "related.user": [ + "sequu" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "ill", + "rsa.misc.event_type": "loreeuf", + "rsa.misc.obj_name": "gnama", + "rsa.misc.policy_name": "ursintoc", + "rsa.misc.reference_id": "itecto", + "rsa.misc.rule_name": "eprehe", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.2927", + "rsa.network.alias_host": [ + "siuta2155.lan" + ], + "rsa.network.vlan": 289, + "rsa.time.event_time_str": "Aug", + "rule.name": "eprehe", + "service.type": "f5", + "source.geo.country_name": "rrorsi", + "source.ip": [ + "10.6.146.184" + ], + "source.nat.ip": "10.142.106.66", + "source.nat.port": 3790, + "source.port": 7247, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "sequu" + }, + { + "destination.geo.country_name": "uidex", + "destination.nat.ip": "10.0.202.9", + "destination.nat.port": 7451, + "destination.port": 1203, + "event.action": "Established", + "event.code": "ianonn", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "dolo ulamc doe344.www5.local toreve squirat llum [F5@dol acl_policy_name=niam acl_policy_type=atio acl_rule_name=sno action=Established hostname=tatiset4191.localdomain bigip_mgmt_ip=10.214.93.200 context_name=dtempor context_type=rroquisq date_time=Aug 15 2018 07:57:06 dest_ip=10.215.63.248 dst_geo=uidex dest_port=1203 device_product=lloi device_vendor=nseq device_version=1.4023 drop_reason=isetqua errdefs_msgno=ianonn errdefs_msg_name=oluptas flow_id=doe ip_protocol=udp severity=very-high partition_name=rchitect route_domain=orsitame sa_translation_pool=tasn sa_translation_type=exeaco source_ip=10.93.39.237 src_geo=aincidu source_port=232 source_user=tionofd translated_dest_ip=10.0.202.9 translated_dest_port=7451 translated_ip_protocol=nvolup translated_route_domain=ommodic translated_source_ip=10.119.179.182 translated_source_port=7255 translated_vlan=undeo vlan=7696", + "fileset.name": "bigipafm", + "host.ip": "10.214.93.200", + "host.name": "tatiset4191.localdomain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 57073, + "network.protocol": "udp", + "observer.product": "lloi", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.4023", + "related.hosts": [ + "tatiset4191.localdomain" + ], + "related.ip": [ + "10.93.39.237", + "10.119.179.182", + "10.0.202.9", + "10.214.93.200" + ], + "related.user": [ + "tionofd" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "dtempor", + "rsa.misc.event_type": "oluptas", + "rsa.misc.obj_name": "dol", + "rsa.misc.policy_name": "niam", + "rsa.misc.reference_id": "ianonn", + "rsa.misc.rule_name": "sno", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.4023", + "rsa.network.alias_host": [ + "tatiset4191.localdomain" + ], + "rsa.network.vlan": 7696, + "rsa.time.event_time_str": "Aug", + "rule.name": "sno", + "service.type": "f5", + "source.geo.country_name": "aincidu", + "source.ip": [ + "10.93.39.237" + ], + "source.nat.ip": "10.119.179.182", + "source.nat.port": 7255, + "source.port": 232, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "tionofd" + }, + { + "destination.geo.country_name": "mcorpor", + "destination.nat.ip": "10.123.154.140", + "destination.nat.port": 2551, + "destination.port": 2433, + "event.action": "Drop", + "event.code": "byCice", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "uiinea uianonn eavolupt784.www5.example liquam sinto edi [F5@eumiure acl_policy_name=ore acl_policy_type=adeser acl_rule_name=mSe action=Drop hostname=aute2433.mail.lan bigip_mgmt_ip=10.252.204.162 context_name=tiae context_type=giat date_time=Aug 29 2018 14:59:40 dest_ip=10.115.77.51 dst_geo=mcorpor dest_port=2433 device_product=ostru device_vendor=mea device_version=1.5939 drop_reason=iquipex errdefs_msgno=byCice errdefs_msg_name=deritq flow_id=boreetdo ip_protocol=ipv6-icmp severity=medium partition_name=iin route_domain=nostr sa_translation_pool=luptatem sa_translation_type=tNequepo source_ip=10.28.145.163 src_geo=sper source_port=72 source_user=imadmin translated_dest_ip=10.123.154.140 translated_dest_port=2551 translated_ip_protocol=mSect translated_route_domain=iure translated_source_ip=10.30.189.166 translated_source_port=2749 translated_vlan=aer vlan=3422", + "fileset.name": "bigipafm", + "host.ip": "10.252.204.162", + "host.name": "aute2433.mail.lan", + "input.type": "log", + "log.level": "medium", + "log.offset": 57956, + "network.protocol": "ipv6-icmp", + "observer.product": "ostru", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.5939", + "related.hosts": [ + "aute2433.mail.lan" + ], + "related.ip": [ + "10.28.145.163", + "10.252.204.162", + "10.123.154.140", + "10.30.189.166" + ], + "related.user": [ + "imadmin" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "tiae", + "rsa.misc.event_type": "deritq", + "rsa.misc.obj_name": "eumiure", + "rsa.misc.policy_name": "ore", + "rsa.misc.reference_id": "byCice", + "rsa.misc.rule_name": "mSe", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.5939", + "rsa.network.alias_host": [ + "aute2433.mail.lan" + ], + "rsa.network.vlan": 3422, + "rsa.time.event_time_str": "Aug", + "rule.name": "mSe", + "service.type": "f5", + "source.geo.country_name": "sper", + "source.ip": [ + "10.28.145.163" + ], + "source.nat.ip": "10.30.189.166", + "source.nat.port": 2749, + "source.port": 72, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "imadmin" + }, + { + "destination.geo.country_name": "pariatur", + "destination.nat.ip": "10.79.49.3", + "destination.nat.port": 7794, + "destination.port": 7435, + "event.action": "Accept", + "event.code": "mqua", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "roquis mremape ude2977.www.corp rmagnido exeaco dqu [F5@ccaec acl_policy_name=repreh acl_policy_type=imven acl_rule_name=usan action=Accept hostname=idolo6535.internal.example bigip_mgmt_ip=10.46.162.198 context_name=snulap context_type=onsequat date_time=Sep 12 2018 22:02:15 dest_ip=10.166.128.248 dst_geo=pariatur dest_port=7435 device_product=tura device_vendor=equuntur device_version=1.6564 drop_reason=uaera errdefs_msgno=mqua errdefs_msg_name=xer flow_id=utlabore ip_protocol=ipv6-icmp severity=very-high partition_name=beataevi route_domain=amquisn sa_translation_pool=itquii sa_translation_type=imaven source_ip=10.145.128.250 src_geo=nder source_port=5641 source_user=eni translated_dest_ip=10.79.49.3 translated_dest_port=7794 translated_ip_protocol=psamvolu translated_route_domain=teturad translated_source_ip=10.29.122.183 translated_source_port=6166 translated_vlan=tla vlan=6146", + "fileset.name": "bigipafm", + "host.ip": "10.46.162.198", + "host.name": "idolo6535.internal.example", + "input.type": "log", + "log.level": "very-high", + "log.offset": 58833, + "network.protocol": "ipv6-icmp", + "observer.product": "tura", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.6564", + "related.hosts": [ + "idolo6535.internal.example" + ], + "related.ip": [ + "10.145.128.250", + "10.79.49.3", + "10.46.162.198", + "10.29.122.183" + ], + "related.user": [ + "eni" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Accept" + ], + "rsa.misc.context": "snulap", + "rsa.misc.event_type": "xer", + "rsa.misc.obj_name": "ccaec", + "rsa.misc.policy_name": "repreh", + "rsa.misc.reference_id": "mqua", + "rsa.misc.rule_name": "usan", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.6564", + "rsa.network.alias_host": [ + "idolo6535.internal.example" + ], + "rsa.network.vlan": 6146, + "rsa.time.event_time_str": "Sep", + "rule.name": "usan", + "service.type": "f5", + "source.geo.country_name": "nder", + "source.ip": [ + "10.145.128.250" + ], + "source.nat.ip": "10.29.122.183", + "source.nat.port": 6166, + "source.port": 5641, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "eni" + }, + { + "destination.geo.country_name": "smoditem", + "destination.nat.ip": "10.65.174.196", + "destination.nat.port": 472, + "destination.port": 575, + "event.action": "Closed", + "event.code": "loremeum", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "modtempo edict nost3250.internal.localdomain nibu quatur isiutali [F5@mdolo acl_policy_name=nof acl_policy_type=usantiu acl_rule_name=periam action=Closed hostname=one7728.api.localdomain bigip_mgmt_ip=10.177.232.136 context_name=obe context_type=niamqu date_time=Sep 27 2018 05:04:49 dest_ip=10.140.59.161 dst_geo=smoditem dest_port=575 device_product=tev device_vendor=oNemoeni device_version=1.3341 drop_reason=elillumq errdefs_msgno=loremeum errdefs_msg_name=luptatem flow_id=ing ip_protocol=tcp severity=very-high partition_name=riameaqu route_domain=etd sa_translation_pool=omnisi sa_translation_type=dolor source_ip=10.166.169.167 src_geo=ati source_port=1544 source_user=olors translated_dest_ip=10.65.174.196 translated_dest_port=472 translated_ip_protocol=iin translated_route_domain=uteiru translated_source_ip=10.142.235.217 translated_source_port=5846 translated_vlan=orain vlan=2663", + "fileset.name": "bigipafm", + "host.ip": "10.177.232.136", + "host.name": "one7728.api.localdomain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 59729, + "network.protocol": "tcp", + "observer.product": "tev", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.3341", + "related.hosts": [ + "one7728.api.localdomain" + ], + "related.ip": [ + "10.166.169.167", + "10.65.174.196", + "10.177.232.136", + "10.142.235.217" + ], + "related.user": [ + "olors" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "obe", + "rsa.misc.event_type": "luptatem", + "rsa.misc.obj_name": "mdolo", + "rsa.misc.policy_name": "nof", + "rsa.misc.reference_id": "loremeum", + "rsa.misc.rule_name": "periam", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3341", + "rsa.network.alias_host": [ + "one7728.api.localdomain" + ], + "rsa.network.vlan": 2663, + "rsa.time.event_time_str": "Sep", + "rule.name": "periam", + "service.type": "f5", + "source.geo.country_name": "ati", + "source.ip": [ + "10.166.169.167" + ], + "source.nat.ip": "10.142.235.217", + "source.nat.port": 5846, + "source.port": 1544, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "olors" + }, + { + "destination.geo.country_name": "orisnisi", + "destination.nat.ip": "10.191.78.86", + "destination.nat.port": 6355, + "destination.port": 4342, + "event.action": "Established", + "event.code": "ionula", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "llu quaUt labor7147.internal.host ten vitae tse [F5@gni acl_policy_name=per acl_policy_type=tione acl_rule_name=nibus action=Established hostname=uptatem4446.internal.localhost bigip_mgmt_ip=10.29.217.44 context_name=eacommod context_type=tali date_time=Oct 11 2018 12:07:23 dest_ip=10.131.223.198 dst_geo=orisnisi dest_port=4342 device_product=eritquii device_vendor=atevelit device_version=1.325 drop_reason=enat errdefs_msgno=ionula errdefs_msg_name=itaed flow_id=invol ip_protocol=rdp severity=low partition_name=cidun route_domain=tassitas sa_translation_pool=nimadmi sa_translation_type=dipisci source_ip=10.215.184.154 src_geo=nor source_port=3306 source_user=iarc translated_dest_ip=10.191.78.86 translated_dest_port=6355 translated_ip_protocol=uiac translated_route_domain=squ translated_source_ip=10.53.188.140 translated_source_port=6455 translated_vlan=ten vlan=2937", + "fileset.name": "bigipafm", + "host.ip": "10.29.217.44", + "host.name": "uptatem4446.internal.localhost", + "input.type": "log", + "log.level": "low", + "log.offset": 60626, + "network.protocol": "rdp", + "observer.product": "eritquii", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.325", + "related.hosts": [ + "uptatem4446.internal.localhost" + ], + "related.ip": [ + "10.29.217.44", + "10.215.184.154", + "10.191.78.86", + "10.53.188.140" + ], + "related.user": [ + "iarc" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "eacommod", + "rsa.misc.event_type": "itaed", + "rsa.misc.obj_name": "gni", + "rsa.misc.policy_name": "per", + "rsa.misc.reference_id": "ionula", + "rsa.misc.rule_name": "nibus", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.325", + "rsa.network.alias_host": [ + "uptatem4446.internal.localhost" + ], + "rsa.network.vlan": 2937, + "rsa.time.event_time_str": "Oct", + "rule.name": "nibus", + "service.type": "f5", + "source.geo.country_name": "nor", + "source.ip": [ + "10.215.184.154" + ], + "source.nat.ip": "10.53.188.140", + "source.nat.port": 6455, + "source.port": 3306, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "iarc" + }, + { + "destination.geo.country_name": "turad", + "destination.nat.ip": "10.46.222.149", + "destination.nat.port": 3304, + "destination.port": 2537, + "event.action": "Drop", + "event.code": "quipe", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "isciveli ntutlab sitamet452.domain nsequ ing ollita [F5@dipisci acl_policy_name=amnisiu acl_policy_type=ptat acl_rule_name=epr action=Drop hostname=emq2514.api.localhost bigip_mgmt_ip=10.135.77.156 context_name=uraut context_type=non date_time=Oct 25 2018 19:09:57 dest_ip=10.248.182.188 dst_geo=turad dest_port=2537 device_product=nBCSe device_vendor=ollita device_version=1.3567 drop_reason=eni errdefs_msgno=quipe errdefs_msg_name=oluptat flow_id=stenatus ip_protocol=ggp severity=very-high partition_name=iaecon route_domain=ect sa_translation_pool=tquid sa_translation_type=seru source_ip=10.76.148.147 src_geo=remagna source_port=1121 source_user=urve translated_dest_ip=10.46.222.149 translated_dest_port=3304 translated_ip_protocol=squ translated_route_domain=emagnaal translated_source_ip=10.74.74.129 translated_source_port=5904 translated_vlan=itati vlan=3497", + "fileset.name": "bigipafm", + "host.ip": "10.135.77.156", + "host.name": "emq2514.api.localhost", + "input.type": "log", + "log.level": "very-high", + "log.offset": 61505, + "network.protocol": "ggp", + "observer.product": "nBCSe", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.3567", + "related.hosts": [ + "emq2514.api.localhost" + ], + "related.ip": [ + "10.135.77.156", + "10.46.222.149", + "10.76.148.147", + "10.74.74.129" + ], + "related.user": [ + "urve" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "uraut", + "rsa.misc.event_type": "oluptat", + "rsa.misc.obj_name": "dipisci", + "rsa.misc.policy_name": "amnisiu", + "rsa.misc.reference_id": "quipe", + "rsa.misc.rule_name": "epr", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3567", + "rsa.network.alias_host": [ + "emq2514.api.localhost" + ], + "rsa.network.vlan": 3497, + "rsa.time.event_time_str": "Oct", + "rule.name": "epr", + "service.type": "f5", + "source.geo.country_name": "remagna", + "source.ip": [ + "10.76.148.147" + ], + "source.nat.ip": "10.74.74.129", + "source.nat.port": 5904, + "source.port": 1121, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "urve" + }, + { + "destination.geo.country_name": "imadmini", + "destination.nat.ip": "10.11.146.253", + "destination.nat.port": 3581, + "destination.port": 3791, + "event.action": "Drop", + "event.code": "ute", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "rinc tno meumf4052.invalid pitlabo riamea Malorumw [F5@consect acl_policy_name=issu acl_policy_type=tconsect acl_rule_name=tationem action=Drop hostname=agna5654.www.corp bigip_mgmt_ip=10.96.200.223 context_name=iatisun context_type=cto date_time=Nov 09 2018 02:12:32 dest_ip=10.3.228.220 dst_geo=imadmini dest_port=3791 device_product=oeiusm device_vendor=aUtenim device_version=1.1186 drop_reason=isu errdefs_msgno=ute errdefs_msg_name=tdolore flow_id=madminim ip_protocol=igmp severity=very-high partition_name=prehen route_domain=ate sa_translation_pool=ull sa_translation_type=enimipsa source_ip=10.130.203.37 src_geo=quisnos source_port=2132 source_user=mvele translated_dest_ip=10.11.146.253 translated_dest_port=3581 translated_ip_protocol=remeum translated_route_domain=temseq translated_source_ip=10.145.49.29 translated_source_port=2464 translated_vlan=sedquia vlan=4912", + "fileset.name": "bigipafm", + "host.ip": "10.96.200.223", + "host.name": "agna5654.www.corp", + "input.type": "log", + "log.level": "very-high", + "log.offset": 62376, + "network.protocol": "igmp", + "observer.product": "oeiusm", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.1186", + "related.hosts": [ + "agna5654.www.corp" + ], + "related.ip": [ + "10.145.49.29", + "10.96.200.223", + "10.11.146.253", + "10.130.203.37" + ], + "related.user": [ + "mvele" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "iatisun", + "rsa.misc.event_type": "tdolore", + "rsa.misc.obj_name": "consect", + "rsa.misc.policy_name": "issu", + "rsa.misc.reference_id": "ute", + "rsa.misc.rule_name": "tationem", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.1186", + "rsa.network.alias_host": [ + "agna5654.www.corp" + ], + "rsa.network.vlan": 4912, + "rsa.time.event_time_str": "Nov", + "rule.name": "tationem", + "service.type": "f5", + "source.geo.country_name": "quisnos", + "source.ip": [ + "10.130.203.37" + ], + "source.nat.ip": "10.145.49.29", + "source.nat.port": 2464, + "source.port": 2132, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "mvele" + }, + { + "destination.geo.country_name": "epteu", + "destination.nat.ip": "10.162.2.180", + "destination.nat.port": 3889, + "destination.port": 5744, + "event.action": "Drop", + "event.code": "ibusB", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "ntmo aliqu iqu4429.www5.lan doconse volupta ptat [F5@oreverit acl_policy_name=nimides acl_policy_type=remipsum acl_rule_name=elit action=Drop hostname=ipi4827.mail.lan bigip_mgmt_ip=10.162.78.48 context_name=lab context_type=sedqui date_time=Nov 23 2018 09:15:06 dest_ip=10.243.157.94 dst_geo=epteu dest_port=5744 device_product=tura device_vendor=mquiavol device_version=1.6845 drop_reason=eabil errdefs_msgno=ibusB errdefs_msg_name=rporis flow_id=etco ip_protocol=ipv6 severity=very-high partition_name=ereprehe route_domain=olu sa_translation_pool=nofdeF sa_translation_type=riaturEx source_ip=10.24.23.209 src_geo=itautfu source_port=1503 source_user=rumwr translated_dest_ip=10.162.2.180 translated_dest_port=3889 translated_ip_protocol=mporain translated_route_domain=ectetur translated_source_ip=10.48.75.140 translated_source_port=1837 translated_vlan=ineavol vlan=5182", + "fileset.name": "bigipafm", + "host.ip": "10.162.78.48", + "host.name": "ipi4827.mail.lan", + "input.type": "log", + "log.level": "very-high", + "log.offset": 63258, + "network.protocol": "ipv6", + "observer.product": "tura", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.6845", + "related.hosts": [ + "ipi4827.mail.lan" + ], + "related.ip": [ + "10.24.23.209", + "10.162.78.48", + "10.48.75.140", + "10.162.2.180" + ], + "related.user": [ + "rumwr" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "lab", + "rsa.misc.event_type": "rporis", + "rsa.misc.obj_name": "oreverit", + "rsa.misc.policy_name": "nimides", + "rsa.misc.reference_id": "ibusB", + "rsa.misc.rule_name": "elit", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.6845", + "rsa.network.alias_host": [ + "ipi4827.mail.lan" + ], + "rsa.network.vlan": 5182, + "rsa.time.event_time_str": "Nov", + "rule.name": "elit", + "service.type": "f5", + "source.geo.country_name": "itautfu", + "source.ip": [ + "10.24.23.209" + ], + "source.nat.ip": "10.48.75.140", + "source.nat.port": 1837, + "source.port": 1503, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "rumwr" + }, + { + "destination.geo.country_name": "rur", + "destination.nat.ip": "10.119.12.186", + "destination.nat.port": 5674, + "destination.port": 5543, + "event.action": "Drop", + "event.code": "eddoeiu", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "onproid sitv equam3114.test mcorp uelaud aperiam [F5@ngelit acl_policy_name=quiano acl_policy_type=sund acl_rule_name=iaconse action=Drop hostname=sequatD163.internal.example bigip_mgmt_ip=10.151.206.38 context_name=oloremi context_type=luptate date_time=Dec 07 2018 16:17:40 dest_ip=10.38.57.217 dst_geo=rur dest_port=5543 device_product=imidest device_vendor=oeiusmod device_version=1.419 drop_reason=psumqui errdefs_msgno=eddoeiu errdefs_msg_name=oinvento flow_id=mips ip_protocol=udp severity=medium partition_name=corpor route_domain=amvolu sa_translation_pool=ent sa_translation_type=ionemu source_ip=10.66.92.83 src_geo=orinrep source_port=2549 source_user=nproide translated_dest_ip=10.119.12.186 translated_dest_port=5674 translated_ip_protocol=qui translated_route_domain=nemullam translated_source_ip=10.97.105.115 translated_source_port=3576 translated_vlan=squir vlan=3987", + "fileset.name": "bigipafm", + "host.ip": "10.151.206.38", + "host.name": "sequatD163.internal.example", + "input.type": "log", + "log.level": "medium", + "log.offset": 64136, + "network.protocol": "udp", + "observer.product": "imidest", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.419", + "related.hosts": [ + "sequatD163.internal.example" + ], + "related.ip": [ + "10.151.206.38", + "10.66.92.83", + "10.119.12.186", + "10.97.105.115" + ], + "related.user": [ + "nproide" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "oloremi", + "rsa.misc.event_type": "oinvento", + "rsa.misc.obj_name": "ngelit", + "rsa.misc.policy_name": "quiano", + "rsa.misc.reference_id": "eddoeiu", + "rsa.misc.rule_name": "iaconse", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.419", + "rsa.network.alias_host": [ + "sequatD163.internal.example" + ], + "rsa.network.vlan": 3987, + "rsa.time.event_time_str": "Dec", + "rule.name": "iaconse", + "service.type": "f5", + "source.geo.country_name": "orinrep", + "source.ip": [ + "10.66.92.83" + ], + "source.nat.ip": "10.97.105.115", + "source.nat.port": 3576, + "source.port": 2549, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "nproide" + }, + { + "destination.geo.country_name": "volupt", + "destination.nat.ip": "10.64.76.142", + "destination.nat.port": 7083, + "destination.port": 61, + "event.action": "Accept", + "event.code": "enderi", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "umqu umet psaquaea5284.internal.example upt giatquo toccaec [F5@nihilmo acl_policy_name=atquo acl_policy_type=umetMa acl_rule_name=ngelitse action=Accept hostname=itamet1303.invalid bigip_mgmt_ip=10.12.148.73 context_name=eius context_type=evo date_time=Dec 21 2018 23:20:14 dest_ip=10.10.44.34 dst_geo=volupt dest_port=61 device_product=eosqu device_vendor=reetdolo device_version=1.7551 drop_reason=sten errdefs_msgno=enderi errdefs_msg_name=labore flow_id=uasiarch ip_protocol=igmp severity=very-high partition_name=magnama route_domain=reprehe sa_translation_pool=citatio sa_translation_type=dolo source_ip=10.201.132.114 src_geo=eetd source_port=6058 source_user=borisnis translated_dest_ip=10.64.76.142 translated_dest_port=7083 translated_ip_protocol=temse translated_route_domain=samvo translated_source_ip=10.169.139.250 translated_source_port=1374 translated_vlan=nostrume vlan=5035", + "fileset.name": "bigipafm", + "host.ip": "10.12.148.73", + "host.name": "itamet1303.invalid", + "input.type": "log", + "log.level": "very-high", + "log.offset": 65022, + "network.protocol": "igmp", + "observer.product": "eosqu", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.7551", + "related.hosts": [ + "itamet1303.invalid" + ], + "related.ip": [ + "10.64.76.142", + "10.169.139.250", + "10.12.148.73", + "10.201.132.114" + ], + "related.user": [ + "borisnis" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Accept" + ], + "rsa.misc.context": "eius", + "rsa.misc.event_type": "labore", + "rsa.misc.obj_name": "nihilmo", + "rsa.misc.policy_name": "atquo", + "rsa.misc.reference_id": "enderi", + "rsa.misc.rule_name": "ngelitse", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.7551", + "rsa.network.alias_host": [ + "itamet1303.invalid" + ], + "rsa.network.vlan": 5035, + "rsa.time.event_time_str": "Dec", + "rule.name": "ngelitse", + "service.type": "f5", + "source.geo.country_name": "eetd", + "source.ip": [ + "10.201.132.114" + ], + "source.nat.ip": "10.169.139.250", + "source.nat.port": 1374, + "source.port": 6058, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "borisnis" + }, + { + "destination.geo.country_name": "giatnula", + "destination.nat.ip": "10.35.38.185", + "destination.nat.port": 7077, + "destination.port": 71, + "event.action": "Drop", + "event.code": "sedq", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "tatevel itin tam942.api.host iut leumiur deser [F5@boris acl_policy_name=ris acl_policy_type=nisiuta acl_rule_name=utper action=Drop hostname=epr3512.internal.domain bigip_mgmt_ip=10.9.236.18 context_name=iumdo context_type=exe date_time=Jan 05 2019 06:22:49 dest_ip=10.152.7.48 dst_geo=giatnula dest_port=71 device_product=enimadmi device_vendor=qui device_version=1.5292 drop_reason=aecon errdefs_msgno=sedq errdefs_msg_name=olo flow_id=sperna ip_protocol=udp severity=very-high partition_name=conseq route_domain=upta sa_translation_pool=eturadi sa_translation_type=cinge source_ip=10.111.128.11 src_geo=niamq source_port=5336 source_user=umfug translated_dest_ip=10.35.38.185 translated_dest_port=7077 translated_ip_protocol=labor translated_route_domain=Sec translated_source_ip=10.200.116.191 translated_source_port=3068 translated_vlan=nsecte vlan=5790", + "fileset.name": "bigipafm", + "host.ip": "10.9.236.18", + "host.name": "epr3512.internal.domain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 65915, + "network.protocol": "udp", + "observer.product": "enimadmi", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.5292", + "related.hosts": [ + "epr3512.internal.domain" + ], + "related.ip": [ + "10.111.128.11", + "10.9.236.18", + "10.35.38.185", + "10.200.116.191" + ], + "related.user": [ + "umfug" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "iumdo", + "rsa.misc.event_type": "olo", + "rsa.misc.obj_name": "boris", + "rsa.misc.policy_name": "ris", + "rsa.misc.reference_id": "sedq", + "rsa.misc.rule_name": "utper", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.5292", + "rsa.network.alias_host": [ + "epr3512.internal.domain" + ], + "rsa.network.vlan": 5790, + "rsa.time.event_time_str": "Jan", + "rule.name": "utper", + "service.type": "f5", + "source.geo.country_name": "niamq", + "source.ip": [ + "10.111.128.11" + ], + "source.nat.ip": "10.200.116.191", + "source.nat.port": 3068, + "source.port": 5336, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "umfug" + }, + { + "destination.geo.country_name": "rese", + "destination.nat.ip": "10.134.238.8", + "destination.nat.port": 2976, + "destination.port": 5302, + "event.action": "Reject", + "event.code": "ende", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "uianonnu por nve894.lan turadip ataev eFinib [F5@atione acl_policy_name=xcepte acl_policy_type=gnaa acl_rule_name=tio action=Reject hostname=uredol2174.home bigip_mgmt_ip=10.191.27.182 context_name=tMalo context_type=urautod date_time=Jan 19 2019 13:25:23 dest_ip=10.114.60.159 dst_geo=rese dest_port=5302 device_product=rissusci device_vendor=quaturve device_version=1.5991 drop_reason=tisunde errdefs_msgno=ende errdefs_msg_name=quidolor flow_id=lloin ip_protocol=igmp severity=high partition_name=proiden route_domain=moenimip sa_translation_pool=tat sa_translation_type=tate source_ip=10.236.67.227 src_geo=ern source_port=881 source_user=tlabo translated_dest_ip=10.134.238.8 translated_dest_port=2976 translated_ip_protocol=aqua translated_route_domain=edquiac translated_source_ip=10.240.62.238 translated_source_port=1251 translated_vlan=olo vlan=5926", + "fileset.name": "bigipafm", + "host.ip": "10.191.27.182", + "host.name": "uredol2174.home", + "input.type": "log", + "log.level": "high", + "log.offset": 66775, + "network.protocol": "igmp", + "observer.product": "rissusci", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.5991", + "related.hosts": [ + "uredol2174.home" + ], + "related.ip": [ + "10.134.238.8", + "10.191.27.182", + "10.236.67.227", + "10.240.62.238" + ], + "related.user": [ + "tlabo" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "tMalo", + "rsa.misc.event_type": "quidolor", + "rsa.misc.obj_name": "atione", + "rsa.misc.policy_name": "xcepte", + "rsa.misc.reference_id": "ende", + "rsa.misc.rule_name": "tio", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.5991", + "rsa.network.alias_host": [ + "uredol2174.home" + ], + "rsa.network.vlan": 5926, + "rsa.time.event_time_str": "Jan", + "rule.name": "tio", + "service.type": "f5", + "source.geo.country_name": "ern", + "source.ip": [ + "10.236.67.227" + ], + "source.nat.ip": "10.240.62.238", + "source.nat.port": 1251, + "source.port": 881, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "tlabo" + }, + { + "destination.geo.country_name": "nimad", + "destination.nat.ip": "10.65.35.64", + "destination.nat.port": 2748, + "destination.port": 7814, + "event.action": "Drop", + "event.code": "oin", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "ali Nequepor aUten4127.internal.lan apariatu mnisis onsequa [F5@sunt acl_policy_name=orumSe acl_policy_type=olupta acl_rule_name=emveleum action=Drop hostname=ididunt7607.mail.localhost bigip_mgmt_ip=10.165.66.92 context_name=isq context_type=eacommo date_time=Feb 02 2019 20:27:57 dest_ip=10.244.171.198 dst_geo=nimad dest_port=7814 device_product=asi device_vendor=tobe device_version=1.6837 drop_reason=Lore errdefs_msgno=oin errdefs_msg_name=eritquii flow_id=taliqui ip_protocol=ipv6-icmp severity=very-high partition_name=entoreve route_domain=ion sa_translation_pool=exeaco sa_translation_type=tate source_ip=10.109.14.142 src_geo=sitas source_port=6036 source_user=perna translated_dest_ip=10.65.35.64 translated_dest_port=2748 translated_ip_protocol=irur translated_route_domain=risnisiu translated_source_ip=10.22.231.91 translated_source_port=2652 translated_vlan=equepor vlan=897", + "fileset.name": "bigipafm", + "host.ip": "10.165.66.92", + "host.name": "ididunt7607.mail.localhost", + "input.type": "log", + "log.level": "very-high", + "log.offset": 67635, + "network.protocol": "ipv6-icmp", + "observer.product": "asi", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.6837", + "related.hosts": [ + "ididunt7607.mail.localhost" + ], + "related.ip": [ + "10.109.14.142", + "10.22.231.91", + "10.65.35.64", + "10.165.66.92" + ], + "related.user": [ + "perna" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "isq", + "rsa.misc.event_type": "eritquii", + "rsa.misc.obj_name": "sunt", + "rsa.misc.policy_name": "orumSe", + "rsa.misc.reference_id": "oin", + "rsa.misc.rule_name": "emveleum", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.6837", + "rsa.network.alias_host": [ + "ididunt7607.mail.localhost" + ], + "rsa.network.vlan": 897, + "rsa.time.event_time_str": "Feb", + "rule.name": "emveleum", + "service.type": "f5", + "source.geo.country_name": "sitas", + "source.ip": [ + "10.109.14.142" + ], + "source.nat.ip": "10.22.231.91", + "source.nat.port": 2652, + "source.port": 6036, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "perna" + }, + { + "destination.geo.country_name": "rume", + "destination.nat.ip": "10.29.230.203", + "destination.nat.port": 6579, + "destination.port": 7667, + "event.action": "Reject", + "event.code": "prehende", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "ugiatn utpe hend1170.www5.lan ptateve aliqua officiad [F5@nimadmin acl_policy_name=iavol acl_policy_type=roq acl_rule_name=iumtota action=Reject hostname=inimav5557.www5.test bigip_mgmt_ip=10.71.112.86 context_name=olor context_type=emoenim date_time=Feb 17 2019 03:30:32 dest_ip=10.57.64.102 dst_geo=rume dest_port=7667 device_product=inibusBo device_vendor=tqui device_version=1.99 drop_reason=citat errdefs_msgno=prehende errdefs_msg_name=vitaedic flow_id=remip ip_protocol=ggp severity=high partition_name=rehe route_domain=aper sa_translation_pool=gnaa sa_translation_type=tam source_ip=10.64.161.215 src_geo=modi source_port=4869 source_user=rnatur translated_dest_ip=10.29.230.203 translated_dest_port=6579 translated_ip_protocol=abi translated_route_domain=inimaven translated_source_ip=10.89.221.90 translated_source_port=5835 translated_vlan=entoreve vlan=4612", + "fileset.name": "bigipafm", + "host.ip": "10.71.112.86", + "host.name": "inimav5557.www5.test", + "input.type": "log", + "log.level": "high", + "log.offset": 68526, + "network.protocol": "ggp", + "observer.product": "inibusBo", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.99", + "related.hosts": [ + "inimav5557.www5.test" + ], + "related.ip": [ + "10.64.161.215", + "10.71.112.86", + "10.89.221.90", + "10.29.230.203" + ], + "related.user": [ + "rnatur" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "olor", + "rsa.misc.event_type": "vitaedic", + "rsa.misc.obj_name": "nimadmin", + "rsa.misc.policy_name": "iavol", + "rsa.misc.reference_id": "prehende", + "rsa.misc.rule_name": "iumtota", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.99", + "rsa.network.alias_host": [ + "inimav5557.www5.test" + ], + "rsa.network.vlan": 4612, + "rsa.time.event_time_str": "Feb", + "rule.name": "iumtota", + "service.type": "f5", + "source.geo.country_name": "modi", + "source.ip": [ + "10.64.161.215" + ], + "source.nat.ip": "10.89.221.90", + "source.nat.port": 5835, + "source.port": 4869, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "rnatur" + }, + { + "destination.geo.country_name": "aliquide", + "destination.nat.ip": "10.221.199.137", + "destination.nat.port": 6430, + "destination.port": 7187, + "event.action": "Closed", + "event.code": "urm", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "roqu dquia ommod142.www.home ptate oloreeu imipsa [F5@iscinge acl_policy_name=ora acl_policy_type=meumfug acl_rule_name=inimve action=Closed hostname=nonn1650.www.test bigip_mgmt_ip=10.88.226.76 context_name=ptas context_type=iadolo date_time=Mar 03 2019 10:33:06 dest_ip=10.217.197.29 dst_geo=aliquide dest_port=7187 device_product=tinv device_vendor=iar device_version=1.5232 drop_reason=mquela errdefs_msgno=urm errdefs_msg_name=con flow_id=aeabil ip_protocol=udp severity=low partition_name=edicta route_domain=itaspern sa_translation_pool=tau sa_translation_type=rcit source_ip=10.79.208.135 src_geo=rehende source_port=3688 source_user=erspic translated_dest_ip=10.221.199.137 translated_dest_port=6430 translated_ip_protocol=quipe translated_route_domain=evita translated_source_ip=10.140.118.182 translated_source_port=4566 translated_vlan=nia vlan=7548", + "fileset.name": "bigipafm", + "host.ip": "10.88.226.76", + "host.name": "nonn1650.www.test", + "input.type": "log", + "log.level": "low", + "log.offset": 69397, + "network.protocol": "udp", + "observer.product": "tinv", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.5232", + "related.hosts": [ + "nonn1650.www.test" + ], + "related.ip": [ + "10.221.199.137", + "10.88.226.76", + "10.79.208.135", + "10.140.118.182" + ], + "related.user": [ + "erspic" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "ptas", + "rsa.misc.event_type": "con", + "rsa.misc.obj_name": "iscinge", + "rsa.misc.policy_name": "ora", + "rsa.misc.reference_id": "urm", + "rsa.misc.rule_name": "inimve", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.5232", + "rsa.network.alias_host": [ + "nonn1650.www.test" + ], + "rsa.network.vlan": 7548, + "rsa.time.event_time_str": "Mar", + "rule.name": "inimve", + "service.type": "f5", + "source.geo.country_name": "rehende", + "source.ip": [ + "10.79.208.135" + ], + "source.nat.ip": "10.140.118.182", + "source.nat.port": 4566, + "source.port": 3688, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "erspic" + }, + { + "destination.geo.country_name": "oreve", + "destination.nat.ip": "10.126.61.230", + "destination.nat.port": 2068, + "destination.port": 2538, + "event.action": "Reject", + "event.code": "Exce", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "npro boriosa sundeo3076.internal.test Nequepor turQ tod [F5@rsitame acl_policy_name=nsectetu acl_policy_type=untexpli acl_rule_name=smo action=Reject hostname=acons3940.api.lan bigip_mgmt_ip=10.133.48.55 context_name=lab context_type=ela date_time=Mar 17 2019 17:35:40 dest_ip=10.134.141.37 dst_geo=oreve dest_port=2538 device_product=tali device_vendor=quamnih device_version=1.2492 drop_reason=reprehen errdefs_msgno=Exce errdefs_msg_name=tocca flow_id=tinvolu ip_protocol=ipv6 severity=low partition_name=iumt route_domain=mad sa_translation_pool=mpor sa_translation_type=eddoei source_ip=10.35.73.208 src_geo=dolo source_port=6552 source_user=tia translated_dest_ip=10.126.61.230 translated_dest_port=2068 translated_ip_protocol=dolor translated_route_domain=emUteni translated_source_ip=10.189.244.22 translated_source_port=734 translated_vlan=rinre vlan=6425", + "fileset.name": "bigipafm", + "host.ip": "10.133.48.55", + "host.name": "acons3940.api.lan", + "input.type": "log", + "log.level": "low", + "log.offset": 70259, + "network.protocol": "ipv6", + "observer.product": "tali", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.2492", + "related.hosts": [ + "acons3940.api.lan" + ], + "related.ip": [ + "10.35.73.208", + "10.126.61.230", + "10.189.244.22", + "10.133.48.55" + ], + "related.user": [ + "tia" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "lab", + "rsa.misc.event_type": "tocca", + "rsa.misc.obj_name": "rsitame", + "rsa.misc.policy_name": "nsectetu", + "rsa.misc.reference_id": "Exce", + "rsa.misc.rule_name": "smo", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.2492", + "rsa.network.alias_host": [ + "acons3940.api.lan" + ], + "rsa.network.vlan": 6425, + "rsa.time.event_time_str": "Mar", + "rule.name": "smo", + "service.type": "f5", + "source.geo.country_name": "dolo", + "source.ip": [ + "10.35.73.208" + ], + "source.nat.ip": "10.189.244.22", + "source.nat.port": 734, + "source.port": 6552, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "tia" + }, + { + "destination.geo.country_name": "ostr", + "destination.nat.ip": "10.239.194.105", + "destination.nat.port": 3629, + "destination.port": 575, + "event.action": "Established", + "event.code": "olors", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "ident uatur dquiaco2756.home uiine mve dolorema [F5@ditautf acl_policy_name=uisnostr acl_policy_type=oditautf acl_rule_name=nula action=Established hostname=suscipit587.www.localhost bigip_mgmt_ip=10.81.154.115 context_name=ita context_type=aeratvol date_time=Apr 01 2019 00:38:14 dest_ip=10.194.94.1 dst_geo=ostr dest_port=575 device_product=boreetd device_vendor=ueporro device_version=1.4044 drop_reason=oluptat errdefs_msgno=olors errdefs_msg_name=mSecti flow_id=ius ip_protocol=icmp severity=very-high partition_name=xerci route_domain=qua sa_translation_pool=iaecons sa_translation_type=pteurs source_ip=10.35.65.72 src_geo=veni source_port=3387 source_user=reseo translated_dest_ip=10.239.194.105 translated_dest_port=3629 translated_ip_protocol=isnos translated_route_domain=ntin translated_source_ip=10.240.94.109 translated_source_port=5437 translated_vlan=ono vlan=573", + "fileset.name": "bigipafm", + "host.ip": "10.81.154.115", + "host.name": "suscipit587.www.localhost", + "input.type": "log", + "log.level": "very-high", + "log.offset": 71124, + "network.protocol": "icmp", + "observer.product": "boreetd", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.4044", + "related.hosts": [ + "suscipit587.www.localhost" + ], + "related.ip": [ + "10.240.94.109", + "10.239.194.105", + "10.81.154.115", + "10.35.65.72" + ], + "related.user": [ + "reseo" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "ita", + "rsa.misc.event_type": "mSecti", + "rsa.misc.obj_name": "ditautf", + "rsa.misc.policy_name": "uisnostr", + "rsa.misc.reference_id": "olors", + "rsa.misc.rule_name": "nula", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.4044", + "rsa.network.alias_host": [ + "suscipit587.www.localhost" + ], + "rsa.network.vlan": 573, + "rsa.time.event_time_str": "Apr", + "rule.name": "nula", + "service.type": "f5", + "source.geo.country_name": "veni", + "source.ip": [ + "10.35.65.72" + ], + "source.nat.ip": "10.240.94.109", + "source.nat.port": 5437, + "source.port": 3387, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "reseo" + }, + { + "destination.geo.country_name": "obeatae", + "destination.nat.ip": "10.248.72.104", + "destination.nat.port": 7485, + "destination.port": 2042, + "event.action": "Established", + "event.code": "emagnaal", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "consequ ine hend3901.www.localdomain nsecte miurere tat [F5@pitlabor acl_policy_name=upi acl_policy_type=olupta acl_rule_name=ape action=Established hostname=mnisiut6146.internal.local bigip_mgmt_ip=10.52.70.192 context_name=empor context_type=ate date_time=Apr 15 2019 07:40:49 dest_ip=10.234.254.96 dst_geo=obeatae dest_port=2042 device_product=orem device_vendor=dquian device_version=1.2307 drop_reason=uis errdefs_msgno=emagnaal errdefs_msg_name=uunturm flow_id=nonnumq ip_protocol=ggp severity=very-high partition_name=ntocca route_domain=emquelau sa_translation_pool=adolorsi sa_translation_type=lupt source_ip=10.38.253.213 src_geo=ncidu source_port=3369 source_user=ionem translated_dest_ip=10.248.72.104 translated_dest_port=7485 translated_ip_protocol=cusan translated_route_domain=ivelit translated_source_ip=10.150.56.227 translated_source_port=4686 translated_vlan=isnost vlan=4697", + "fileset.name": "bigipafm", + "host.ip": "10.52.70.192", + "host.name": "mnisiut6146.internal.local", + "input.type": "log", + "log.level": "very-high", + "log.offset": 72004, + "network.protocol": "ggp", + "observer.product": "orem", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.2307", + "related.hosts": [ + "mnisiut6146.internal.local" + ], + "related.ip": [ + "10.150.56.227", + "10.52.70.192", + "10.248.72.104", + "10.38.253.213" + ], + "related.user": [ + "ionem" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "empor", + "rsa.misc.event_type": "uunturm", + "rsa.misc.obj_name": "pitlabor", + "rsa.misc.policy_name": "upi", + "rsa.misc.reference_id": "emagnaal", + "rsa.misc.rule_name": "ape", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.2307", + "rsa.network.alias_host": [ + "mnisiut6146.internal.local" + ], + "rsa.network.vlan": 4697, + "rsa.time.event_time_str": "Apr", + "rule.name": "ape", + "service.type": "f5", + "source.geo.country_name": "ncidu", + "source.ip": [ + "10.38.253.213" + ], + "source.nat.ip": "10.150.56.227", + "source.nat.port": 4686, + "source.port": 3369, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "ionem" + }, + { + "destination.geo.country_name": "aaliq", + "destination.nat.ip": "10.73.172.186", + "destination.nat.port": 3510, + "destination.port": 2143, + "event.action": "Reject", + "event.code": "agn", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "urQu idol fici312.api.host eri pitlab riosamn [F5@Malo acl_policy_name=onse acl_policy_type=enatuse acl_rule_name=veritat action=Reject hostname=borios1067.www5.home bigip_mgmt_ip=10.218.15.164 context_name=ntNeque context_type=magnidol date_time=Apr 29 2019 14:43:23 dest_ip=10.56.60.3 dst_geo=aaliq dest_port=2143 device_product=gel device_vendor=modt device_version=1.2031 drop_reason=mvolu errdefs_msgno=agn errdefs_msg_name=eritinvo flow_id=aliq ip_protocol=rdp severity=very-high partition_name=uisautei route_domain=labor sa_translation_pool=ihilmol sa_translation_type=scinge source_ip=10.62.218.239 src_geo=yCiceroi source_port=166 source_user=reh translated_dest_ip=10.73.172.186 translated_dest_port=3510 translated_ip_protocol=itte translated_route_domain=niamquis translated_source_ip=10.203.193.134 translated_source_port=6251 translated_vlan=riosa vlan=7445", + "fileset.name": "bigipafm", + "host.ip": "10.218.15.164", + "host.name": "borios1067.www5.home", + "input.type": "log", + "log.level": "very-high", + "log.offset": 72900, + "network.protocol": "rdp", + "observer.product": "gel", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.2031", + "related.hosts": [ + "borios1067.www5.home" + ], + "related.ip": [ + "10.218.15.164", + "10.62.218.239", + "10.73.172.186", + "10.203.193.134" + ], + "related.user": [ + "reh" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "ntNeque", + "rsa.misc.event_type": "eritinvo", + "rsa.misc.obj_name": "Malo", + "rsa.misc.policy_name": "onse", + "rsa.misc.reference_id": "agn", + "rsa.misc.rule_name": "veritat", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.2031", + "rsa.network.alias_host": [ + "borios1067.www5.home" + ], + "rsa.network.vlan": 7445, + "rsa.time.event_time_str": "Apr", + "rule.name": "veritat", + "service.type": "f5", + "source.geo.country_name": "yCiceroi", + "source.ip": [ + "10.62.218.239" + ], + "source.nat.ip": "10.203.193.134", + "source.nat.port": 6251, + "source.port": 166, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "reh" + }, + { + "destination.geo.country_name": "quaeabi", + "destination.nat.ip": "10.136.211.234", + "destination.nat.port": 4126, + "destination.port": 5701, + "event.action": "Established", + "event.code": "uovolup", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "ore ptatema poriss2289.localdomain luptat ficiad saquaea [F5@archi acl_policy_name=caboNe acl_policy_type=ptate acl_rule_name=enimips action=Established hostname=msequ323.www.example bigip_mgmt_ip=10.60.20.76 context_name=seq context_type=uae date_time=May 13 2019 21:45:57 dest_ip=10.244.241.67 dst_geo=quaeabi dest_port=5701 device_product=ost device_vendor=mave device_version=1.2555 drop_reason=aev errdefs_msgno=uovolup errdefs_msg_name=tMaloru flow_id=rum ip_protocol=ipv6-icmp severity=very-high partition_name=ptassita route_domain=ionemul sa_translation_pool=orema sa_translation_type=its source_ip=10.10.46.43 src_geo=stiaec source_port=7346 source_user=nev translated_dest_ip=10.136.211.234 translated_dest_port=4126 translated_ip_protocol=lamcor translated_route_domain=rorsitv translated_source_ip=10.131.127.113 translated_source_port=853 translated_vlan=iamqu vlan=1324", + "fileset.name": "bigipafm", + "host.ip": "10.60.20.76", + "host.name": "msequ323.www.example", + "input.type": "log", + "log.level": "very-high", + "log.offset": 73773, + "network.protocol": "ipv6-icmp", + "observer.product": "ost", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.2555", + "related.hosts": [ + "msequ323.www.example" + ], + "related.ip": [ + "10.10.46.43", + "10.131.127.113", + "10.60.20.76", + "10.136.211.234" + ], + "related.user": [ + "nev" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "seq", + "rsa.misc.event_type": "tMaloru", + "rsa.misc.obj_name": "archi", + "rsa.misc.policy_name": "caboNe", + "rsa.misc.reference_id": "uovolup", + "rsa.misc.rule_name": "enimips", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.2555", + "rsa.network.alias_host": [ + "msequ323.www.example" + ], + "rsa.network.vlan": 1324, + "rsa.time.event_time_str": "May", + "rule.name": "enimips", + "service.type": "f5", + "source.geo.country_name": "stiaec", + "source.ip": [ + "10.10.46.43" + ], + "source.nat.ip": "10.131.127.113", + "source.nat.port": 853, + "source.port": 7346, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "nev" + }, + { + "destination.geo.country_name": "fdeFini", + "destination.nat.ip": "10.187.237.220", + "destination.nat.port": 7744, + "destination.port": 1295, + "event.action": "Closed", + "event.code": "rinc", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "mwrit dminimve madminim5473.mail.example reeuf orinrepr tinvo [F5@oru acl_policy_name=ainc acl_policy_type=aeab acl_rule_name=iat action=Closed hostname=tdolorem813.internal.host bigip_mgmt_ip=10.50.177.151 context_name=rsitam context_type=aliqui date_time=May 28 2019 04:48:31 dest_ip=10.206.65.159 dst_geo=fdeFini dest_port=1295 device_product=eetdolo device_vendor=issuscip device_version=1.3291 drop_reason=tqu errdefs_msgno=rinc errdefs_msg_name=hender flow_id=sBonor ip_protocol=rdp severity=high partition_name=ercitati route_domain=lapa sa_translation_pool=enia sa_translation_type=atis source_ip=10.233.181.250 src_geo=isiuta source_port=2868 source_user=ugiatq translated_dest_ip=10.187.237.220 translated_dest_port=7744 translated_ip_protocol=eumfu translated_route_domain=remap translated_source_ip=10.248.0.74 translated_source_port=6349 translated_vlan=tru vlan=2520", + "fileset.name": "bigipafm", + "host.ip": "10.50.177.151", + "host.name": "tdolorem813.internal.host", + "input.type": "log", + "log.level": "high", + "log.offset": 74658, + "network.protocol": "rdp", + "observer.product": "eetdolo", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.3291", + "related.hosts": [ + "tdolorem813.internal.host" + ], + "related.ip": [ + "10.248.0.74", + "10.233.181.250", + "10.187.237.220", + "10.50.177.151" + ], + "related.user": [ + "ugiatq" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "rsitam", + "rsa.misc.event_type": "hender", + "rsa.misc.obj_name": "oru", + "rsa.misc.policy_name": "ainc", + "rsa.misc.reference_id": "rinc", + "rsa.misc.rule_name": "iat", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.3291", + "rsa.network.alias_host": [ + "tdolorem813.internal.host" + ], + "rsa.network.vlan": 2520, + "rsa.time.event_time_str": "May", + "rule.name": "iat", + "service.type": "f5", + "source.geo.country_name": "isiuta", + "source.ip": [ + "10.233.181.250" + ], + "source.nat.ip": "10.248.0.74", + "source.nat.port": 6349, + "source.port": 2868, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "ugiatq" + }, + { + "destination.geo.country_name": "olab", + "destination.nat.ip": "10.96.223.46", + "destination.nat.port": 3654, + "destination.port": 629, + "event.action": "Established", + "event.code": "ela", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "isautem eiusm assit1598.www5.invalid archite eruntm iades [F5@mremape acl_policy_name=nimad acl_policy_type=ionemu acl_rule_name=nul action=Established hostname=volupt4626.internal.test bigip_mgmt_ip=10.189.43.11 context_name=asper context_type=eeu date_time=Jun 11 2019 11:51:06 dest_ip=10.193.169.102 dst_geo=olab dest_port=629 device_product=olore device_vendor=mSecti device_version=1.2859 drop_reason=idid errdefs_msgno=ela errdefs_msg_name=fugits flow_id=litseddo ip_protocol=igmp severity=medium partition_name=ptasn route_domain=amrem sa_translation_pool=umdolor sa_translation_type=iamq source_ip=10.248.248.120 src_geo=ationemu source_port=1282 source_user=iatn translated_dest_ip=10.96.223.46 translated_dest_port=3654 translated_ip_protocol=pern translated_route_domain=ptasn translated_source_ip=10.80.129.81 translated_source_port=4827 translated_vlan=tat vlan=5084", + "fileset.name": "bigipafm", + "host.ip": "10.189.43.11", + "host.name": "volupt4626.internal.test", + "input.type": "log", + "log.level": "medium", + "log.offset": 75539, + "network.protocol": "igmp", + "observer.product": "olore", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.2859", + "related.hosts": [ + "volupt4626.internal.test" + ], + "related.ip": [ + "10.96.223.46", + "10.80.129.81", + "10.189.43.11", + "10.248.248.120" + ], + "related.user": [ + "iatn" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "asper", + "rsa.misc.event_type": "fugits", + "rsa.misc.obj_name": "mremape", + "rsa.misc.policy_name": "nimad", + "rsa.misc.reference_id": "ela", + "rsa.misc.rule_name": "nul", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.2859", + "rsa.network.alias_host": [ + "volupt4626.internal.test" + ], + "rsa.network.vlan": 5084, + "rsa.time.event_time_str": "Jun", + "rule.name": "nul", + "service.type": "f5", + "source.geo.country_name": "ationemu", + "source.ip": [ + "10.248.248.120" + ], + "source.nat.ip": "10.80.129.81", + "source.nat.port": 4827, + "source.port": 1282, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "iatn" + }, + { + "destination.geo.country_name": "metco", + "destination.nat.ip": "10.173.114.63", + "destination.nat.port": 5877, + "destination.port": 4740, + "event.action": "Closed", + "event.code": "radip", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "eruntmo lumdolo urmagnid2749.api.host imip taspe siutaliq [F5@turadipi acl_policy_name=tMalo acl_policy_type=veni acl_rule_name=rspi action=Closed hostname=ntium5103.www5.localhost bigip_mgmt_ip=10.66.106.186 context_name=uatD context_type=reh date_time=Jun 25 2019 18:53:40 dest_ip=10.36.14.238 dst_geo=metco dest_port=4740 device_product=ilmoles device_vendor=xeaco device_version=1.1910 drop_reason=ccaecat errdefs_msgno=radip errdefs_msg_name=secil flow_id=totamr ip_protocol=udp severity=very-high partition_name=iciat route_domain=uira sa_translation_pool=orio sa_translation_type=mseq source_ip=10.102.109.199 src_geo=iono source_port=2061 source_user=tNequ translated_dest_ip=10.173.114.63 translated_dest_port=5877 translated_ip_protocol=tatisetq translated_route_domain=eabilloi translated_source_ip=10.91.115.139 translated_source_port=412 translated_vlan=eroi vlan=2077", + "fileset.name": "bigipafm", + "host.ip": "10.66.106.186", + "host.name": "ntium5103.www5.localhost", + "input.type": "log", + "log.level": "very-high", + "log.offset": 76419, + "network.protocol": "udp", + "observer.product": "ilmoles", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.1910", + "related.hosts": [ + "ntium5103.www5.localhost" + ], + "related.ip": [ + "10.91.115.139", + "10.102.109.199", + "10.173.114.63", + "10.66.106.186" + ], + "related.user": [ + "tNequ" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "uatD", + "rsa.misc.event_type": "secil", + "rsa.misc.obj_name": "turadipi", + "rsa.misc.policy_name": "tMalo", + "rsa.misc.reference_id": "radip", + "rsa.misc.rule_name": "rspi", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.1910", + "rsa.network.alias_host": [ + "ntium5103.www5.localhost" + ], + "rsa.network.vlan": 2077, + "rsa.time.event_time_str": "Jun", + "rule.name": "rspi", + "service.type": "f5", + "source.geo.country_name": "iono", + "source.ip": [ + "10.102.109.199" + ], + "source.nat.ip": "10.91.115.139", + "source.nat.port": 412, + "source.port": 2061, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "tNequ" + }, + { + "destination.geo.country_name": "iratio", + "destination.nat.ip": "10.0.175.17", + "destination.nat.port": 5236, + "destination.port": 7700, + "event.action": "Drop", + "event.code": "iur", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "riatur amrema illum2978.internal.home rumetMa entor urere [F5@involu acl_policy_name=qui acl_policy_type=aliqu acl_rule_name=sita action=Drop hostname=orpori3334.www.local bigip_mgmt_ip=10.198.157.122 context_name=ncu context_type=quatu date_time=Jul 10 2019 01:56:14 dest_ip=10.239.90.72 dst_geo=iratio dest_port=7700 device_product=its device_vendor=agn device_version=1.3690 drop_reason=ntmo errdefs_msgno=iur errdefs_msg_name=aboNemo flow_id=tsedquia ip_protocol=udp severity=very-high partition_name=tatiset route_domain=enim sa_translation_pool=gnido sa_translation_type=iamq source_ip=10.159.155.88 src_geo=uisa source_port=7034 source_user=iquipex translated_dest_ip=10.0.175.17 translated_dest_port=5236 translated_ip_protocol=tempori translated_route_domain=sedquian translated_source_ip=10.221.223.127 translated_source_port=2687 translated_vlan=ira vlan=3007", + "fileset.name": "bigipafm", + "host.ip": "10.198.157.122", + "host.name": "orpori3334.www.local", + "input.type": "log", + "log.level": "very-high", + "log.offset": 77301, + "network.protocol": "udp", + "observer.product": "its", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.3690", + "related.hosts": [ + "orpori3334.www.local" + ], + "related.ip": [ + "10.0.175.17", + "10.198.157.122", + "10.159.155.88", + "10.221.223.127" + ], + "related.user": [ + "iquipex" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Drop" + ], + "rsa.misc.context": "ncu", + "rsa.misc.event_type": "aboNemo", + "rsa.misc.obj_name": "involu", + "rsa.misc.policy_name": "qui", + "rsa.misc.reference_id": "iur", + "rsa.misc.rule_name": "sita", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3690", + "rsa.network.alias_host": [ + "orpori3334.www.local" + ], + "rsa.network.vlan": 3007, + "rsa.time.event_time_str": "Jul", + "rule.name": "sita", + "service.type": "f5", + "source.geo.country_name": "uisa", + "source.ip": [ + "10.159.155.88" + ], + "source.nat.ip": "10.221.223.127", + "source.nat.port": 2687, + "source.port": 7034, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "iquipex" + }, + { + "destination.geo.country_name": "chitect", + "destination.nat.ip": "10.252.136.130", + "destination.nat.port": 5601, + "destination.port": 5316, + "event.action": "Established", + "event.code": "ueporr", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "idolor umdo sequatu7142.internal.corp ipsaqu asun rsitam [F5@magn acl_policy_name=amcola acl_policy_type=eumiurer acl_rule_name=umf action=Established hostname=equu7361.www5.localdomain bigip_mgmt_ip=10.30.20.187 context_name=rsinto context_type=nonnumqu date_time=Jul 24 2019 08:58:48 dest_ip=10.103.47.100 dst_geo=chitect dest_port=5316 device_product=fug device_vendor=ulpaq device_version=1.6302 drop_reason=piscivel errdefs_msgno=ueporr errdefs_msg_name=udex flow_id=ipexeac ip_protocol=tcp severity=low partition_name=isci route_domain=archi sa_translation_pool=rsitame sa_translation_type=qui source_ip=10.7.212.201 src_geo=ion source_port=949 source_user=ugiat translated_dest_ip=10.252.136.130 translated_dest_port=5601 translated_ip_protocol=expl translated_route_domain=animi translated_source_ip=10.189.70.237 translated_source_port=1457 translated_vlan=tnul vlan=24", + "fileset.name": "bigipafm", + "host.ip": "10.30.20.187", + "host.name": "equu7361.www5.localdomain", + "input.type": "log", + "log.level": "low", + "log.offset": 78172, + "network.protocol": "tcp", + "observer.product": "fug", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.6302", + "related.hosts": [ + "equu7361.www5.localdomain" + ], + "related.ip": [ + "10.252.136.130", + "10.189.70.237", + "10.30.20.187", + "10.7.212.201" + ], + "related.user": [ + "ugiat" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "rsinto", + "rsa.misc.event_type": "udex", + "rsa.misc.obj_name": "magn", + "rsa.misc.policy_name": "amcola", + "rsa.misc.reference_id": "ueporr", + "rsa.misc.rule_name": "umf", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.6302", + "rsa.network.alias_host": [ + "equu7361.www5.localdomain" + ], + "rsa.network.vlan": 24, + "rsa.time.event_time_str": "Jul", + "rule.name": "umf", + "service.type": "f5", + "source.geo.country_name": "ion", + "source.ip": [ + "10.7.212.201" + ], + "source.nat.ip": "10.189.70.237", + "source.nat.port": 1457, + "source.port": 949, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "ugiat" + }, + { + "destination.geo.country_name": "imadmi", + "destination.nat.ip": "10.102.109.194", + "destination.nat.port": 2324, + "destination.port": 2642, + "event.action": "Established", + "event.code": "agn", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "radip amremap dolorsit64.www.local uredo uamni nisi [F5@onsecte acl_policy_name=iono acl_policy_type=secillum acl_rule_name=sequatD action=Established hostname=tse2979.internal.localhost bigip_mgmt_ip=10.242.121.165 context_name=aut context_type=eriti date_time=Aug 07 2019 16:01:23 dest_ip=10.88.229.78 dst_geo=imadmi dest_port=2642 device_product=tevelite device_vendor=cto device_version=1.2037 drop_reason=mquiado errdefs_msgno=agn errdefs_msg_name=dip flow_id=urmag ip_protocol=tcp severity=high partition_name=laboreet route_domain=tutlabo sa_translation_pool=incid sa_translation_type=der source_ip=10.83.105.69 src_geo=usm source_port=2153 source_user=mni translated_dest_ip=10.102.109.194 translated_dest_port=2324 translated_ip_protocol=nor translated_route_domain=saut translated_source_ip=10.60.224.93 translated_source_port=1508 translated_vlan=deomnis vlan=354", + "fileset.name": "bigipafm", + "host.ip": "10.242.121.165", + "host.name": "tse2979.internal.localhost", + "input.type": "log", + "log.level": "high", + "log.offset": 79051, + "network.protocol": "tcp", + "observer.product": "tevelite", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.2037", + "related.hosts": [ + "tse2979.internal.localhost" + ], + "related.ip": [ + "10.60.224.93", + "10.242.121.165", + "10.83.105.69", + "10.102.109.194" + ], + "related.user": [ + "mni" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "aut", + "rsa.misc.event_type": "dip", + "rsa.misc.obj_name": "onsecte", + "rsa.misc.policy_name": "iono", + "rsa.misc.reference_id": "agn", + "rsa.misc.rule_name": "sequatD", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.2037", + "rsa.network.alias_host": [ + "tse2979.internal.localhost" + ], + "rsa.network.vlan": 354, + "rsa.time.event_time_str": "Aug", + "rule.name": "sequatD", + "service.type": "f5", + "source.geo.country_name": "usm", + "source.ip": [ + "10.83.105.69" + ], + "source.nat.ip": "10.60.224.93", + "source.nat.port": 1508, + "source.port": 2153, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "mni" + }, + { + "destination.geo.country_name": "tenbyCi", + "destination.nat.ip": "10.181.134.69", + "destination.nat.port": 551, + "destination.port": 4371, + "event.action": "Accept", + "event.code": "tion", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "tla nimve edutpe1255.internal.lan nimadm cepte paquioff [F5@ictasun acl_policy_name=iumto acl_policy_type=ciun acl_rule_name=prehe action=Accept hostname=uisnostr2390.mail.domain bigip_mgmt_ip=10.251.167.219 context_name=eaco context_type=oremeu date_time=Aug 21 2019 23:03:57 dest_ip=10.14.251.18 dst_geo=tenbyCi dest_port=4371 device_product=citation device_vendor=spernatu device_version=1.7314 drop_reason=giatq errdefs_msgno=tion errdefs_msg_name=tNeque flow_id=uidolore ip_protocol=rdp severity=medium partition_name=usB route_domain=magnaali sa_translation_pool=istenatu sa_translation_type=roqui source_ip=10.17.20.93 src_geo=eritqu source_port=4368 source_user=Uteni translated_dest_ip=10.181.134.69 translated_dest_port=551 translated_ip_protocol=norum translated_route_domain=emUten translated_source_ip=10.219.174.45 translated_source_port=4055 translated_vlan=idolo vlan=968", + "fileset.name": "bigipafm", + "host.ip": "10.251.167.219", + "host.name": "uisnostr2390.mail.domain", + "input.type": "log", + "log.level": "medium", + "log.offset": 79926, + "network.protocol": "rdp", + "observer.product": "citation", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.7314", + "related.hosts": [ + "uisnostr2390.mail.domain" + ], + "related.ip": [ + "10.219.174.45", + "10.181.134.69", + "10.251.167.219", + "10.17.20.93" + ], + "related.user": [ + "Uteni" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Accept" + ], + "rsa.misc.context": "eaco", + "rsa.misc.event_type": "tNeque", + "rsa.misc.obj_name": "ictasun", + "rsa.misc.policy_name": "iumto", + "rsa.misc.reference_id": "tion", + "rsa.misc.rule_name": "prehe", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.7314", + "rsa.network.alias_host": [ + "uisnostr2390.mail.domain" + ], + "rsa.network.vlan": 968, + "rsa.time.event_time_str": "Aug", + "rule.name": "prehe", + "service.type": "f5", + "source.geo.country_name": "eritqu", + "source.ip": [ + "10.17.20.93" + ], + "source.nat.ip": "10.219.174.45", + "source.nat.port": 4055, + "source.port": 4368, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "Uteni" + }, + { + "destination.geo.country_name": "elaud", + "destination.nat.ip": "10.28.233.253", + "destination.nat.port": 1159, + "destination.port": 4916, + "event.action": "Accept", + "event.code": "iti", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "mmodicon nisis edquia4523.www.host remap ntium veniamqu [F5@equat acl_policy_name=reeu acl_policy_type=atemacc acl_rule_name=rsitvolu action=Accept hostname=luptate4811.mail.example bigip_mgmt_ip=10.30.117.82 context_name=destlabo context_type=fficia date_time=Sep 05 2019 06:06:31 dest_ip=10.245.75.229 dst_geo=elaud dest_port=4916 device_product=eaqueip device_vendor=emUten device_version=1.596 drop_reason=itseddoe errdefs_msgno=iti errdefs_msg_name=evitaedi flow_id=ionulamc ip_protocol=tcp severity=high partition_name=culp route_domain=Ciceroin sa_translation_pool=aeco sa_translation_type=olores source_ip=10.223.99.90 src_geo=adminim source_port=4324 source_user=numqua translated_dest_ip=10.28.233.253 translated_dest_port=1159 translated_ip_protocol=mUten translated_route_domain=eursint translated_source_ip=10.37.14.20 translated_source_port=6531 translated_vlan=teurs vlan=4919", + "fileset.name": "bigipafm", + "host.ip": "10.30.117.82", + "host.name": "luptate4811.mail.example", + "input.type": "log", + "log.level": "high", + "log.offset": 80814, + "network.protocol": "tcp", + "observer.product": "eaqueip", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.596", + "related.hosts": [ + "luptate4811.mail.example" + ], + "related.ip": [ + "10.28.233.253", + "10.37.14.20", + "10.30.117.82", + "10.223.99.90" + ], + "related.user": [ + "numqua" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Permit", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Accept" + ], + "rsa.misc.context": "destlabo", + "rsa.misc.event_type": "evitaedi", + "rsa.misc.obj_name": "equat", + "rsa.misc.policy_name": "reeu", + "rsa.misc.reference_id": "iti", + "rsa.misc.rule_name": "rsitvolu", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.596", + "rsa.network.alias_host": [ + "luptate4811.mail.example" + ], + "rsa.network.vlan": 4919, + "rsa.time.event_time_str": "Sep", + "rule.name": "rsitvolu", + "service.type": "f5", + "source.geo.country_name": "adminim", + "source.ip": [ + "10.223.99.90" + ], + "source.nat.ip": "10.37.14.20", + "source.nat.port": 6531, + "source.port": 4324, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "numqua" + }, + { + "destination.geo.country_name": "tess", + "destination.nat.ip": "10.57.85.113", + "destination.nat.port": 1024, + "destination.port": 4686, + "event.action": "Closed", + "event.code": "rainc", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "aaliq nos uaUteni562.www.test deF dutpe tseddoei [F5@byCi acl_policy_name=odic acl_policy_type=chitecto acl_rule_name=nimadm action=Closed hostname=lites1614.www.corp bigip_mgmt_ip=10.125.20.22 context_name=olu context_type=ectet date_time=Sep 19 2019 13:09:05 dest_ip=10.121.189.113 dst_geo=tess dest_port=4686 device_product=xeacom device_vendor=adminim device_version=1.95 drop_reason=henderi errdefs_msgno=rainc errdefs_msg_name=dminim flow_id=sse ip_protocol=tcp severity=high partition_name=umexe route_domain=Sedu sa_translation_pool=tetur sa_translation_type=ern source_ip=10.50.61.114 src_geo=nvento source_port=649 source_user=qua translated_dest_ip=10.57.85.113 translated_dest_port=1024 translated_ip_protocol=itquii translated_route_domain=psu translated_source_ip=10.8.32.17 translated_source_port=3788 translated_vlan=nem vlan=5883", + "fileset.name": "bigipafm", + "host.ip": "10.125.20.22", + "host.name": "lites1614.www.corp", + "input.type": "log", + "log.level": "high", + "log.offset": 81706, + "network.protocol": "tcp", + "observer.product": "xeacom", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.95", + "related.hosts": [ + "lites1614.www.corp" + ], + "related.ip": [ + "10.57.85.113", + "10.8.32.17", + "10.50.61.114", + "10.125.20.22" + ], + "related.user": [ + "qua" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "olu", + "rsa.misc.event_type": "dminim", + "rsa.misc.obj_name": "byCi", + "rsa.misc.policy_name": "odic", + "rsa.misc.reference_id": "rainc", + "rsa.misc.rule_name": "nimadm", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.95", + "rsa.network.alias_host": [ + "lites1614.www.corp" + ], + "rsa.network.vlan": 5883, + "rsa.time.event_time_str": "Sep", + "rule.name": "nimadm", + "service.type": "f5", + "source.geo.country_name": "nvento", + "source.ip": [ + "10.50.61.114" + ], + "source.nat.ip": "10.8.32.17", + "source.nat.port": 3788, + "source.port": 649, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "qua" + }, + { + "destination.geo.country_name": "voluptat", + "destination.nat.ip": "10.113.78.101", + "destination.nat.port": 2707, + "destination.port": 1549, + "event.action": "Closed", + "event.code": "tam", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "sitasper agni ivelit1640.internal.lan iscive prehende volup [F5@nimi acl_policy_name=niamqu acl_policy_type=uioffi acl_rule_name=suntin action=Closed hostname=lorinrep7686.mail.corp bigip_mgmt_ip=10.200.28.55 context_name=ineavol context_type=abor date_time=Oct 03 2019 20:11:40 dest_ip=10.232.122.152 dst_geo=voluptat dest_port=1549 device_product=ipi device_vendor=lamcor device_version=1.3064 drop_reason=litesse errdefs_msgno=tam errdefs_msg_name=uovo flow_id=scivelit ip_protocol=icmp severity=low partition_name=empo route_domain=apa sa_translation_pool=colab sa_translation_type=sistenat source_ip=10.215.224.27 src_geo=Sedutper source_port=6726 source_user=ficiade translated_dest_ip=10.113.78.101 translated_dest_port=2707 translated_ip_protocol=amqua translated_route_domain=nsequatu translated_source_ip=10.181.63.82 translated_source_port=168 translated_vlan=tse vlan=4029", + "fileset.name": "bigipafm", + "host.ip": "10.200.28.55", + "host.name": "lorinrep7686.mail.corp", + "input.type": "log", + "log.level": "low", + "log.offset": 82553, + "network.protocol": "icmp", + "observer.product": "ipi", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.3064", + "related.hosts": [ + "lorinrep7686.mail.corp" + ], + "related.ip": [ + "10.200.28.55", + "10.215.224.27", + "10.113.78.101", + "10.181.63.82" + ], + "related.user": [ + "ficiade" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "ineavol", + "rsa.misc.event_type": "uovo", + "rsa.misc.obj_name": "nimi", + "rsa.misc.policy_name": "niamqu", + "rsa.misc.reference_id": "tam", + "rsa.misc.rule_name": "suntin", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3064", + "rsa.network.alias_host": [ + "lorinrep7686.mail.corp" + ], + "rsa.network.vlan": 4029, + "rsa.time.event_time_str": "Oct", + "rule.name": "suntin", + "service.type": "f5", + "source.geo.country_name": "Sedutper", + "source.ip": [ + "10.215.224.27" + ], + "source.nat.ip": "10.181.63.82", + "source.nat.port": 168, + "source.port": 6726, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "ficiade" + }, + { + "destination.geo.country_name": "nsec", + "destination.nat.ip": "10.139.20.223", + "destination.nat.port": 114, + "destination.port": 6720, + "event.action": "Established", + "event.code": "nde", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "ueip amvo dolorsi306.www5.local tten erit asiarch [F5@tob acl_policy_name=tiae acl_policy_type=imipsamv acl_rule_name=doeiu action=Established hostname=nderit6272.mail.example bigip_mgmt_ip=10.177.14.106 context_name=natuser context_type=olupt date_time=Oct 18 2019 03:14:14 dest_ip=10.239.142.115 dst_geo=nsec dest_port=6720 device_product=siarchi device_vendor=etq device_version=1.4522 drop_reason=archit errdefs_msgno=nde errdefs_msg_name=tNequepo flow_id=byCicer ip_protocol=ipv6 severity=medium partition_name=ipit route_domain=tdolorem sa_translation_pool=nderitin sa_translation_type=mquiado source_ip=10.169.95.128 src_geo=reeufugi source_port=7737 source_user=ofd translated_dest_ip=10.139.20.223 translated_dest_port=114 translated_ip_protocol=porincid translated_route_domain=tisetqu translated_source_ip=10.243.43.168 translated_source_port=2110 translated_vlan=ehenderi vlan=2215", + "fileset.name": "bigipafm", + "host.ip": "10.177.14.106", + "host.name": "nderit6272.mail.example", + "input.type": "log", + "log.level": "medium", + "log.offset": 83438, + "network.protocol": "ipv6", + "observer.product": "siarchi", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.4522", + "related.hosts": [ + "nderit6272.mail.example" + ], + "related.ip": [ + "10.243.43.168", + "10.177.14.106", + "10.139.20.223", + "10.169.95.128" + ], + "related.user": [ + "ofd" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "natuser", + "rsa.misc.event_type": "tNequepo", + "rsa.misc.obj_name": "tob", + "rsa.misc.policy_name": "tiae", + "rsa.misc.reference_id": "nde", + "rsa.misc.rule_name": "doeiu", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.4522", + "rsa.network.alias_host": [ + "nderit6272.mail.example" + ], + "rsa.network.vlan": 2215, + "rsa.time.event_time_str": "Oct", + "rule.name": "doeiu", + "service.type": "f5", + "source.geo.country_name": "reeufugi", + "source.ip": [ + "10.169.95.128" + ], + "source.nat.ip": "10.243.43.168", + "source.nat.port": 2110, + "source.port": 7737, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "ofd" + }, + { + "destination.geo.country_name": "orsit", + "destination.nat.ip": "10.39.100.88", + "destination.nat.port": 5195, + "destination.port": 3315, + "event.action": "Established", + "event.code": "rroqui", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "ipsu iden oreseo1541.mail.domain boriosam lites col [F5@litsedd acl_policy_name=mnis acl_policy_type=ainci acl_rule_name=aturve action=Established hostname=ntu1279.mail.lan bigip_mgmt_ip=10.92.168.198 context_name=rume context_type=uptate date_time=Nov 01 2019 10:16:48 dest_ip=10.115.225.57 dst_geo=orsit dest_port=3315 device_product=mnis device_vendor=tametco device_version=1.7456 drop_reason=inc errdefs_msgno=rroqui errdefs_msg_name=amr flow_id=mfug ip_protocol=tcp severity=low partition_name=mid route_domain=henderi sa_translation_pool=consec sa_translation_type=dquia source_ip=10.90.93.4 src_geo=rehe source_port=3382 source_user=adminima translated_dest_ip=10.39.100.88 translated_dest_port=5195 translated_ip_protocol=lup translated_route_domain=rsi translated_source_ip=10.18.176.44 translated_source_port=7284 translated_vlan=Utenimad vlan=4305", + "fileset.name": "bigipafm", + "host.ip": "10.92.168.198", + "host.name": "ntu1279.mail.lan", + "input.type": "log", + "log.level": "low", + "log.offset": 84332, + "network.protocol": "tcp", + "observer.product": "mnis", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.7456", + "related.hosts": [ + "ntu1279.mail.lan" + ], + "related.ip": [ + "10.92.168.198", + "10.90.93.4", + "10.39.100.88", + "10.18.176.44" + ], + "related.user": [ + "adminima" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Enable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Established" + ], + "rsa.misc.context": "rume", + "rsa.misc.event_type": "amr", + "rsa.misc.obj_name": "litsedd", + "rsa.misc.policy_name": "mnis", + "rsa.misc.reference_id": "rroqui", + "rsa.misc.rule_name": "aturve", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.7456", + "rsa.network.alias_host": [ + "ntu1279.mail.lan" + ], + "rsa.network.vlan": 4305, + "rsa.time.event_time_str": "Nov", + "rule.name": "aturve", + "service.type": "f5", + "source.geo.country_name": "rehe", + "source.ip": [ + "10.90.93.4" + ], + "source.nat.ip": "10.18.176.44", + "source.nat.port": 7284, + "source.port": 3382, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "adminima" + }, + { + "destination.geo.country_name": "enimip", + "destination.nat.ip": "10.193.43.135", + "destination.nat.port": 4650, + "destination.port": 3957, + "event.action": "Reject", + "event.code": "empori", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "Bon amquisno mullam6505.www.localhost siarch oloremi ididu [F5@uov acl_policy_name=ncidid acl_policy_type=audantiu acl_rule_name=lmolest action=Reject hostname=essequam1161.domain bigip_mgmt_ip=10.49.68.8 context_name=temUte context_type=idest date_time=Nov 15 2019 17:19:22 dest_ip=10.8.247.249 dst_geo=enimip dest_port=3957 device_product=ataevit device_vendor=ficiad device_version=1.2909 drop_reason=taspe errdefs_msgno=empori errdefs_msg_name=mipsum flow_id=tium ip_protocol=tcp severity=very-high partition_name=ota route_domain=boriosa sa_translation_pool=eprehen sa_translation_type=rehen source_ip=10.163.203.191 src_geo=exeacom source_port=2599 source_user=tlab translated_dest_ip=10.193.43.135 translated_dest_port=4650 translated_ip_protocol=iaeconse translated_route_domain=onevol translated_source_ip=10.173.13.179 translated_source_port=1211 translated_vlan=ptasn vlan=3791", + "fileset.name": "bigipafm", + "host.ip": "10.49.68.8", + "host.name": "essequam1161.domain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 85192, + "network.protocol": "tcp", + "observer.product": "ataevit", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.2909", + "related.hosts": [ + "essequam1161.domain" + ], + "related.ip": [ + "10.163.203.191", + "10.193.43.135", + "10.49.68.8", + "10.173.13.179" + ], + "related.user": [ + "tlab" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Reject" + ], + "rsa.misc.context": "temUte", + "rsa.misc.event_type": "mipsum", + "rsa.misc.obj_name": "uov", + "rsa.misc.policy_name": "ncidid", + "rsa.misc.reference_id": "empori", + "rsa.misc.rule_name": "lmolest", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.2909", + "rsa.network.alias_host": [ + "essequam1161.domain" + ], + "rsa.network.vlan": 3791, + "rsa.time.event_time_str": "Nov", + "rule.name": "lmolest", + "service.type": "f5", + "source.geo.country_name": "exeacom", + "source.ip": [ + "10.163.203.191" + ], + "source.nat.ip": "10.173.13.179", + "source.nat.port": 1211, + "source.port": 2599, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "tlab" + }, + { + "destination.geo.country_name": "Loremips", + "destination.nat.ip": "10.209.226.7", + "destination.nat.port": 7745, + "destination.port": 4361, + "event.action": "Closed", + "event.code": "rror", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "ctetur amqui itatise2264.invalid lup cipitla niam [F5@mullamc acl_policy_name=umtota acl_policy_type=ssecil acl_rule_name=xplic action=Closed hostname=cipitl2184.localdomain bigip_mgmt_ip=10.240.47.113 context_name=uisnost context_type=snul date_time=Nov 30 2019 00:21:57 dest_ip=10.191.241.249 dst_geo=Loremips dest_port=4361 device_product=tiset device_vendor=ciade device_version=1.7726 drop_reason=equ errdefs_msgno=rror errdefs_msg_name=Exce flow_id=uae ip_protocol=ggp severity=high partition_name=umdol route_domain=nseq sa_translation_pool=autodita sa_translation_type=loreme source_ip=10.84.64.28 src_geo=par source_port=3938 source_user=ull translated_dest_ip=10.209.226.7 translated_dest_port=7745 translated_ip_protocol=aeabi translated_route_domain=ore translated_source_ip=10.31.147.51 translated_source_port=7780 translated_vlan=ptate vlan=3154", + "fileset.name": "bigipafm", + "host.ip": "10.240.47.113", + "host.name": "cipitl2184.localdomain", + "input.type": "log", + "log.level": "high", + "log.offset": 86081, + "network.protocol": "ggp", + "observer.product": "tiset", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.7726", + "related.hosts": [ + "cipitl2184.localdomain" + ], + "related.ip": [ + "10.240.47.113", + "10.209.226.7", + "10.31.147.51", + "10.84.64.28" + ], + "related.user": [ + "ull" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "uisnost", + "rsa.misc.event_type": "Exce", + "rsa.misc.obj_name": "mullamc", + "rsa.misc.policy_name": "umtota", + "rsa.misc.reference_id": "rror", + "rsa.misc.rule_name": "xplic", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.7726", + "rsa.network.alias_host": [ + "cipitl2184.localdomain" + ], + "rsa.network.vlan": 3154, + "rsa.time.event_time_str": "Nov", + "rule.name": "xplic", + "service.type": "f5", + "source.geo.country_name": "par", + "source.ip": [ + "10.84.64.28" + ], + "source.nat.ip": "10.31.147.51", + "source.nat.port": 7780, + "source.port": 3938, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "ull" + }, + { + "destination.geo.country_name": "oremipsu", + "destination.nat.ip": "10.86.1.244", + "destination.nat.port": 7101, + "destination.port": 5644, + "event.action": "Closed", + "event.code": "tateve", + "event.dataset": "f5.bigipafm", + "event.module": "f5", + "event.original": "fugit dantiu ntutla1447.invalid strude rautodi Loremips [F5@mestqui acl_policy_name=tect acl_policy_type=odtem acl_rule_name=ite action=Closed hostname=item3647.home bigip_mgmt_ip=10.32.20.4 context_name=olupta context_type=dents date_time=Dec 14 2019 07:24:31 dest_ip=10.166.40.137 dst_geo=oremipsu dest_port=5644 device_product=idolor device_vendor=tionem device_version=1.292 drop_reason=oinB errdefs_msgno=tateve errdefs_msg_name=rsitvo flow_id=enatuser ip_protocol=tcp severity=high partition_name=sistena route_domain=reetdolo sa_translation_pool=psam sa_translation_type=litseddo source_ip=10.225.189.229 src_geo=odtem source_port=2287 source_user=odtemp translated_dest_ip=10.86.1.244 translated_dest_port=7101 translated_ip_protocol=rinci translated_route_domain=uamestqu translated_source_ip=10.52.13.192 translated_source_port=4714 translated_vlan=remagna vlan=439", + "fileset.name": "bigipafm", + "host.ip": "10.32.20.4", + "host.name": "item3647.home", + "input.type": "log", + "log.level": "high", + "log.offset": 86941, + "network.protocol": "tcp", + "observer.product": "idolor", + "observer.type": "Firewall", + "observer.vendor": "F5", + "observer.version": "1.292", + "related.hosts": [ + "item3647.home" + ], + "related.ip": [ + "10.225.189.229", + "10.86.1.244", + "10.52.13.192", + "10.32.20.4" + ], + "related.user": [ + "odtemp" + ], + "rsa.internal.messageid": "BIGIP_AFM", + "rsa.investigations.ec_activity": "Disable", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.action": [ + "Closed" + ], + "rsa.misc.context": "olupta", + "rsa.misc.event_type": "rsitvo", + "rsa.misc.obj_name": "mestqui", + "rsa.misc.policy_name": "tect", + "rsa.misc.reference_id": "tateve", + "rsa.misc.rule_name": "ite", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.292", + "rsa.network.alias_host": [ + "item3647.home" + ], + "rsa.network.vlan": 439, + "rsa.time.event_time_str": "Dec", + "rule.name": "ite", + "service.type": "f5", + "source.geo.country_name": "odtem", + "source.ip": [ + "10.225.189.229" + ], + "source.nat.ip": "10.52.13.192", + "source.nat.port": 4714, + "source.port": 2287, + "tags": [ + "f5.bigipafm", + "forwarded" + ], + "user.name": "odtemp" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/f5/bigipapm/config/input.yml b/x-pack/filebeat/module/f5/bigipapm/config/input.yml index 2cfda9d24b5..72e7af4e030 100644 --- a/x-pack/filebeat/module/f5/bigipapm/config/input.yml +++ b/x-pack/filebeat/module/f5/bigipapm/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml index 0ea72c6ba4d..8dbd2e2e6cb 100644 --- a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml +++ b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for Big-IP Access Policy Manager processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original @@ -49,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{rsa.web.fqdn}}' + allow_duplicates: false + if: ctx?.rsa?.web?.fqdn != null && ctx.rsa?.web?.fqdn != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json index b06452aca74..fe5ce75e182 100644 --- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json @@ -42,6 +42,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 6153, + "related.hosts": [ + "sist1803.mail.local" + ], "rsa.internal.messageid": "01490504", "rsa.misc.log_session_id": "deF", "rsa.misc.severity": "medium", @@ -809,6 +812,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 7589, + "related.hosts": [ + "dolores2519.mail.host" + ], "related.user": [ "tob" ], @@ -839,6 +845,9 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 5899, + "related.hosts": [ + "luptat2979.internal.local" + ], "related.user": [ "iqua" ], @@ -974,8 +983,8 @@ "observer.vendor": "F5", "process.pid": 4318, "related.ip": [ - "10.122.204.151", - "10.169.101.161" + "10.169.101.161", + "10.122.204.151" ], "rsa.internal.messageid": "01490500", "rsa.misc.log_session_id": "snulap", diff --git a/x-pack/filebeat/module/f5/firepass/config/pipeline.js b/x-pack/filebeat/module/f5/firepass/config/pipeline.js deleted file mode 100644 index 7f8774ae3d1..00000000000 --- a/x-pack/filebeat/module/f5/firepass/config/pipeline.js +++ /dev/null @@ -1,892 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -function DeviceProcessor() { - var builder = new processor.Chain(); - builder.Add(save_flags); - builder.Add(strip_syslog_priority); - builder.Add(chain1); - builder.Add(populate_fields); - builder.Add(restore_flags); - var chain = builder.Build(); - return { - process: chain.Run, - } -} - -var dup1 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": "), - field("payload"), - ], -}); - -var dup2 = setc("eventcategory","1401040000"); - -var dup3 = setf("msg","$MSG"); - -var dup4 = setf("username","husername"); - -var dup5 = setc("ec_subject","User"); - -var dup6 = setc("ec_activity","Logoff"); - -var dup7 = setc("eventcategory","1801020000"); - -var dup8 = setc("eventcategory","1605000000"); - -var dup9 = setc("ec_subject","Service"); - -var dup10 = setc("eventcategory","1801030000"); - -var dup11 = setc("eventcategory","1603110000"); - -var dup12 = setc("ec_subject","NetworkComm"); - -var dup13 = setc("ec_theme","Communication"); - -var dup14 = setc("ec_activity","Logon"); - -var dup15 = setc("ec_theme","Authentication"); - -var dup16 = setc("eventcategory","1401030000"); - -var dup17 = setc("ec_outcome","Failure"); - -var dup18 = setc("eventcategory","1501000000"); - -var dup19 = setc("eventcategory","1401000000"); - -var dup20 = setc("eventcategory","1603060000"); - -var hdr1 = match("HEADER#0:0005", "message", "%{hmonth->} %{hday->} %{htime->} %{hhost->} %{messageid}[%{hfld1}]: [%{husername}] [%{hfld2}] %{payload}", processor_chain([ - setc("header_id","0005"), -])); - -var hdr2 = match("HEADER#1:0006", "message", "%{hmonth->} %{hday->} %{htime->} %{hhost->} %{messageid}[%{hfld1}]: [%{husername}] %{payload}", processor_chain([ - setc("header_id","0006"), -])); - -var hdr3 = match("HEADER#2:0007", "message", "%{hmonth->} %{hday->} %{htime->} %{hhost->} %{messageid}[%{hfld1}]: %{payload}", processor_chain([ - setc("header_id","0007"), -])); - -var hdr4 = match("HEADER#3:0008", "message", "%{hmonth->} %{hday->} %{htime->} %{hhost->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","0008"), - dup1, -])); - -var hdr5 = match("HEADER#4:0001", "message", "%{messageid}[%{hfld1}]: [%{husername}] [%{hfld2}] %{payload}", processor_chain([ - setc("header_id","0001"), -])); - -var hdr6 = match("HEADER#5:0002", "message", "%{messageid}[%{hfld1}]: [%{husername}] %{payload}", processor_chain([ - setc("header_id","0002"), -])); - -var hdr7 = match("HEADER#6:0003", "message", "%{messageid}[%{hfld1}]: %{payload}", processor_chain([ - setc("header_id","0003"), -])); - -var hdr8 = match("HEADER#7:0004", "message", "%{messageid}: %{payload}", processor_chain([ - setc("header_id","0004"), - dup1, -])); - -var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, - hdr7, - hdr8, -]); - -var part1 = match("MESSAGE#0:firepass:01", "nwparser.payload", "Entered %{fld2}", processor_chain([ - dup2, - dup3, - dup4, -])); - -var msg1 = msg("firepass:01", part1); - -var part2 = match("MESSAGE#1:firepass:02", "nwparser.payload", "Logged out%{}", processor_chain([ - setc("eventcategory","1401070000"), - dup5, - dup6, - dup3, - dup4, -])); - -var msg2 = msg("firepass:02", part2); - -var part3 = match("MESSAGE#2:firepass:03", "nwparser.payload", "Finished using %{fld2}", processor_chain([ - dup2, - dup3, - dup4, -])); - -var msg3 = msg("firepass:03", part3); - -var part4 = match("MESSAGE#3:firepass:04", "nwparser.payload", "Open %{fld2->} to Remote Host:%{dhost}", processor_chain([ - dup7, - dup3, - dup4, -])); - -var msg4 = msg("firepass:04", part4); - -var part5 = match("MESSAGE#4:firepass:05", "nwparser.payload", "param %{fld1->} = %{fld2}", processor_chain([ - setc("eventcategory","1701020000"), - dup3, - dup4, -])); - -var msg5 = msg("firepass:05", part5); - -var part6 = match("MESSAGE#5:firepass:06", "nwparser.payload", "Access menu %{fld2}", processor_chain([ - dup2, - dup3, - dup4, -])); - -var msg6 = msg("firepass:06", part6); - -var part7 = match("MESSAGE#6:firepass:07", "nwparser.payload", "Accessing %{url}", processor_chain([ - dup2, - dup3, - dup4, -])); - -var msg7 = msg("firepass:07", part7); - -var part8 = match("MESSAGE#7:firepass:08", "nwparser.payload", "Network Access: dialing Click to connect to Network Access%{}", processor_chain([ - setc("eventcategory","1801000000"), - dup3, - dup4, -])); - -var msg8 = msg("firepass:08", part8); - -var part9 = match("MESSAGE#8:firepass:09", "nwparser.payload", "FirePass service stopped on %{hostname}", processor_chain([ - dup8, - dup9, - setc("ec_activity","Stop"), - dup3, - dup4, -])); - -var msg9 = msg("firepass:09", part9); - -var part10 = match("MESSAGE#9:firepass:10", "nwparser.payload", "FirePass service started on %{hostname}", processor_chain([ - dup8, - dup9, - setc("ec_activity","Start"), - dup3, - dup4, -])); - -var msg10 = msg("firepass:10", part10); - -var part11 = match("MESSAGE#10:firepass:11", "nwparser.payload", "shutting down for system reboot%{}", processor_chain([ - setc("eventcategory","1606000000"), - dup3, - setc("event_description","shutting down for system reboot"), -])); - -var msg11 = msg("firepass:11", part11); - -var part12 = match("MESSAGE#11:firepass:12", "nwparser.payload", "%{event_description}", processor_chain([ - dup8, - dup3, -])); - -var msg12 = msg("firepass:12", part12); - -var select2 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, -]); - -var part13 = match("MESSAGE#12:GarbageCollection:01", "nwparser.payload", "User: '%{username}' session expired due to inactivity. %{result}.", processor_chain([ - dup10, - dup3, -])); - -var msg13 = msg("GarbageCollection:01", part13); - -var part14 = match("MESSAGE#13:GarbageCollection:02", "nwparser.payload", "User: '%{username}' session was terminated.", processor_chain([ - dup10, - dup3, -])); - -var msg14 = msg("GarbageCollection:02", part14); - -var part15 = match("MESSAGE#14:GarbageCollection:03", "nwparser.payload", "session '%{sessionid}' is expired due to inactivity. %{result}.", processor_chain([ - dup10, - dup3, -])); - -var msg15 = msg("GarbageCollection:03", part15); - -var part16 = match("MESSAGE#15:GarbageCollection:04", "nwparser.payload", "apache server is not running. start it%{}", processor_chain([ - dup8, - dup3, -])); - -var msg16 = msg("GarbageCollection:04", part16); - -var part17 = match("MESSAGE#16:GarbageCollection:05", "nwparser.payload", "%{fld2->} already started with pid %{process_id}", processor_chain([ - dup8, - dup3, -])); - -var msg17 = msg("GarbageCollection:05", part17); - -var part18 = match("MESSAGE#17:GarbageCollection:06", "nwparser.payload", "no servers defined for Radius Accounting%{}", processor_chain([ - dup11, - dup3, -])); - -var msg18 = msg("GarbageCollection:06", part18); - -var part19 = match("MESSAGE#18:GarbageCollection:07", "nwparser.payload", "DHCP Agent is not running... Restarting it.%{}", processor_chain([ - dup11, - dup3, -])); - -var msg19 = msg("GarbageCollection:07", part19); - -var part20 = match("MESSAGE#19:GarbageCollection:08", "nwparser.payload", "session '%{sessionid}' is terminated.", processor_chain([ - dup11, - dup3, -])); - -var msg20 = msg("GarbageCollection:08", part20); - -var part21 = match("MESSAGE#20:GarbageCollection:09", "nwparser.payload", "can not connect to database %{fld1}", processor_chain([ - dup11, - dup3, - setc("event_description","can not connect to database"), -])); - -var msg21 = msg("GarbageCollection:09", part21); - -var part22 = match("MESSAGE#21:GarbageCollection:10", "nwparser.payload", "timeout happened. restarting %{fld1->} services", processor_chain([ - dup11, - dup3, - setc("event_description","timeout happened. restarting services"), -])); - -var msg22 = msg("GarbageCollection:10", part22); - -var select3 = linear_select([ - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, -]); - -var part23 = match("MESSAGE#22:maintenance:01", "nwparser.payload", "Failed to upload backup file %{filename}. %{info->} Server returned:%{result}", processor_chain([ - dup11, - dup3, - dup4, -])); - -var msg23 = msg("maintenance:01", part23); - -var part24 = match("MESSAGE#23:maintenance:02", "nwparser.payload", "Logged out Sid = %{sessionid}", processor_chain([ - dup8, - dup12, - dup6, - dup13, - dup3, - dup4, -])); - -var msg24 = msg("maintenance:02", part24); - -var part25 = match("MESSAGE#24:maintenance:03", "nwparser.payload", "Network Access: %{info}", processor_chain([ - dup8, - dup3, - dup4, -])); - -var msg25 = msg("maintenance:03", part25); - -var part26 = match("MESSAGE#25:maintenance:04", "nwparser.payload", "Trying connect to %{fld2->} on %{fqdn}:%{network_port}", processor_chain([ - dup11, - dup3, - dup4, -])); - -var msg26 = msg("maintenance:04", part26); - -var part27 = match("MESSAGE#26:maintenance:05", "nwparser.payload", "%{info}", processor_chain([ - dup11, - dup3, - dup4, -])); - -var msg27 = msg("maintenance:05", part27); - -var select4 = linear_select([ - msg23, - msg24, - msg25, - msg26, - msg27, -]); - -var part28 = match("MESSAGE#27:NetworkAccess:01", "nwparser.payload", "\u003c\u003c%{sessionid}> Open Network Access Connection using remote IP address %{daddr}", processor_chain([ - dup7, - dup12, - dup13, - dup3, - dup4, -])); - -var msg28 = msg("NetworkAccess:01", part28); - -var part29 = match("MESSAGE#28:NetworkAccess:02", "nwparser.payload", "\u003c\u003c%{sessionid}> Network Access Connection terminated", processor_chain([ - dup10, - dup12, - dup13, - dup3, - dup4, -])); - -var msg29 = msg("NetworkAccess:02", part29); - -var part30 = match("MESSAGE#29:NetworkAccess:03", "nwparser.payload", "\u003c\u003c%{sessionid}> Error - %{info}", processor_chain([ - setc("eventcategory","1801010000"), - dup12, - dup13, - dup3, - dup4, -])); - -var msg30 = msg("NetworkAccess:03", part30); - -var select5 = linear_select([ - msg28, - msg29, - msg30, -]); - -var part31 = match("MESSAGE#30:security:01/0", "nwparser.payload", "User %{username->} logged on from %{p0}"); - -var part32 = match("MESSAGE#30:security:01/1_0", "nwparser.p0", "%{saddr->} to %{daddr->} Sid = %{sessionid->} "); - -var part33 = match("MESSAGE#30:security:01/1_1", "nwparser.p0", "%{saddr->} Sid = %{sessionid->} "); - -var part34 = match("MESSAGE#30:security:01/1_2", "nwparser.p0", "%{saddr->} "); - -var select6 = linear_select([ - part32, - part33, - part34, -]); - -var all1 = all_match({ - processors: [ - part31, - select6, - ], - on_success: processor_chain([ - setc("eventcategory","1401060000"), - dup5, - dup14, - dup15, - dup3, - ]), -}); - -var msg31 = msg("security:01", all1); - -var part35 = match("MESSAGE#31:security:02/0", "nwparser.payload", "%{} %{p0}"); - -var part36 = match("MESSAGE#31:security:02/1_0", "nwparser.p0", "Invalid %{p0}"); - -var part37 = match("MESSAGE#31:security:02/1_1", "nwparser.p0", "Valid %{p0}"); - -var select7 = linear_select([ - part36, - part37, -]); - -var part38 = match("MESSAGE#31:security:02/2", "nwparser.p0", "%{}user %{username->} failed to log on from %{saddr}"); - -var all2 = all_match({ - processors: [ - part35, - select7, - part38, - ], - on_success: processor_chain([ - dup16, - dup5, - dup14, - dup15, - dup17, - dup3, - ]), -}); - -var msg32 = msg("security:02", all2); - -var part39 = match("MESSAGE#32:security:03", "nwparser.payload", "Successful password update for user %{user_fullname}, username: %{username}", processor_chain([ - setc("eventcategory","1402040100"), - setc("ec_activity","Modify"), - setc("ec_theme","Password"), - setc("ec_outcome","Success"), - dup3, -])); - -var msg33 = msg("security:03", part39); - -var part40 = match("MESSAGE#33:security:04", "nwparser.payload", "Possible intrusion attempt! %{fld1->} consecutive authentication failures happened within %{fld2->} min. Last Source IP Address: %{saddr->} %{info}", processor_chain([ - dup16, - dup14, - dup15, - dup17, - dup3, -])); - -var msg34 = msg("security:04", part40); - -var part41 = match("MESSAGE#34:security:05", "nwparser.payload", "User [%{action}] logon from %{saddr}", processor_chain([ - dup18, - dup5, - dup14, - dup15, - setc("ec_outcome","Error"), - dup3, -])); - -var msg35 = msg("security:05", part41); - -var part42 = match("MESSAGE#35:security:06", "nwparser.payload", "Non-administrator account %{username->} attempted to access admin account", processor_chain([ - dup18, - dup5, - dup14, - setc("ec_theme","Policy"), - dup17, - dup3, -])); - -var msg36 = msg("security:06", part42); - -var part43 = match("MESSAGE#36:security:07", "nwparser.payload", "User %{username->} exceeded the allowed number of concurrent logons", processor_chain([ - dup16, - dup5, - dup14, - dup15, - dup17, - dup3, - setc("event_description","user exceeded the allowed number of concurrent logons"), -])); - -var msg37 = msg("security:07", part43); - -var part44 = match("MESSAGE#37:security:08", "nwparser.payload", "User %{username->} from %{saddr->} presented with challenge", processor_chain([ - dup19, - dup5, - dup3, - setc("event_description","user presented with challenge"), -])); - -var msg38 = msg("security:08", part44); - -var part45 = match("MESSAGE#38:security:09", "nwparser.payload", "Possible intrusion attempt detected against account %{fld1->} from source IP address %{saddr->} for URI=[%{fld2}]%{info}", processor_chain([ - dup19, - dup5, - dup3, - setc("event_description","Possible intrusion attempt detected"), -])); - -var msg39 = msg("security:09", part45); - -var select8 = linear_select([ - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - msg38, - msg39, -]); - -var part46 = match("MESSAGE#39:httpd", "nwparser.payload", "scr_monitor: %{fld1}", processor_chain([ - dup8, - dup3, - dup4, -])); - -var msg40 = msg("httpd", part46); - -var part47 = match("MESSAGE#40:Miscellaneous:01", "nwparser.payload", "Purge logs: not started. Next purge scheduled time %{fld1->} is not exceeded", processor_chain([ - dup8, - dup3, - dup4, -])); - -var msg41 = msg("Miscellaneous:01", part47); - -var part48 = match("MESSAGE#41:Miscellaneous:02", "nwparser.payload", "Purge logs: finished. Deleted %{fld1->} logon records", processor_chain([ - dup8, - dup3, - dup4, -])); - -var msg42 = msg("Miscellaneous:02", part48); - -var part49 = match("MESSAGE#42:Miscellaneous:03", "nwparser.payload", "Purge logs: auto started%{}", processor_chain([ - dup8, - dup3, - dup4, -])); - -var msg43 = msg("Miscellaneous:03", part49); - -var part50 = match("MESSAGE#43:Miscellaneous:04", "nwparser.payload", "Database error detected, dump: %{info}", processor_chain([ - setc("eventcategory","1603000000"), - dup3, - dup4, -])); - -var msg44 = msg("Miscellaneous:04", part50); - -var part51 = match("MESSAGE#44:Miscellaneous:05", "nwparser.payload", "Recovered database successfully%{}", processor_chain([ - dup8, - dup3, - dup4, -])); - -var msg45 = msg("Miscellaneous:05", part51); - -var select9 = linear_select([ - msg41, - msg42, - msg43, - msg44, - msg45, -]); - -var part52 = match("MESSAGE#45:kernel:07", "nwparser.payload", "kernel: Marketing_resource:%{fld1->} SRC=%{saddr->} DST=%{daddr->} %{info->} PROTO=%{protocol->} SPT=%{sport->} DPT=%{dport->} %{fld3}", processor_chain([ - dup8, - dup3, -])); - -var msg46 = msg("kernel:07", part52); - -var part53 = match("MESSAGE#46:kernel:01", "nwparser.payload", "kernel: Marketing_resource: %{info}", processor_chain([ - dup8, - dup3, -])); - -var msg47 = msg("kernel:01", part53); - -var part54 = match("MESSAGE#47:kernel:02", "nwparser.payload", "kernel: CSLIP: %{info}", processor_chain([ - dup8, - dup3, -])); - -var msg48 = msg("kernel:02", part54); - -var part55 = match("MESSAGE#48:kernel:03", "nwparser.payload", "kernel: PPP %{info}", processor_chain([ - dup8, - dup3, -])); - -var msg49 = msg("kernel:03", part55); - -var part56 = match("MESSAGE#49:kernel:04", "nwparser.payload", "kernel: cdrom: open failed.%{}", processor_chain([ - dup8, - dup3, -])); - -var msg50 = msg("kernel:04", part56); - -var part57 = match("MESSAGE#50:kernel:06", "nwparser.payload", "kernel: GlobalFilter:%{fld1->} SRC=%{saddr->} DST=%{daddr->} %{info->} PROTO=%{protocol->} SPT=%{sport->} DPT=%{dport->} %{fld3}", processor_chain([ - dup8, - dup3, -])); - -var msg51 = msg("kernel:06", part57); - -var part58 = match("MESSAGE#51:kernel:05", "nwparser.payload", "kernel: %{info}", processor_chain([ - dup8, - dup3, -])); - -var msg52 = msg("kernel:05", part58); - -var select10 = linear_select([ - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, -]); - -var part59 = match("MESSAGE#52:sshd", "nwparser.payload", "Accepted publickey for %{username->} from %{saddr->} port %{sport->} %{fld2}", processor_chain([ - setc("eventcategory","1401050100"), - dup3, -])); - -var msg53 = msg("sshd", part59); - -var part60 = match("MESSAGE#53:ntpd:01", "nwparser.payload", "frequency initialized %{fld1->} PPM from %{fld2}", processor_chain([ - dup8, - dup3, -])); - -var msg54 = msg("ntpd:01", part60); - -var part61 = match("MESSAGE#54:ntpd:02", "nwparser.payload", "kernel time sync status %{resultcode}", processor_chain([ - dup8, - dup3, -])); - -var msg55 = msg("ntpd:02", part61); - -var part62 = match("MESSAGE#55:ntpd:03", "nwparser.payload", "Listening on interface %{interface}, %{hostip}#%{network_port}", processor_chain([ - dup8, - dup3, -])); - -var msg56 = msg("ntpd:03", part62); - -var part63 = match("MESSAGE#56:ntpd:04", "nwparser.payload", "precision = %{duration_string}", processor_chain([ - dup8, - dup3, -])); - -var msg57 = msg("ntpd:04", part63); - -var part64 = match("MESSAGE#57:ntpd:05", "nwparser.payload", "ntpd %{info}", processor_chain([ - dup8, - dup3, -])); - -var msg58 = msg("ntpd:05", part64); - -var select11 = linear_select([ - msg54, - msg55, - msg56, - msg57, - msg58, -]); - -var part65 = match("MESSAGE#58:AppTunnel:01", "nwparser.payload", "\u003c\u003c%{sessionid}> %{fld2->} connection to %{dhost}(%{daddr}):%{dport->} terminated", processor_chain([ - dup10, - dup12, - dup13, - dup3, - dup4, -])); - -var msg59 = msg("AppTunnel:01", part65); - -var part66 = match("MESSAGE#59:AppTunnel:02", "nwparser.payload", "\u003c\u003c%{sessionid}> %{fld2->} connection to %{dhost}(%{daddr}):%{dport}", processor_chain([ - dup7, - dup12, - dup13, - dup3, - dup4, -])); - -var msg60 = msg("AppTunnel:02", part66); - -var part67 = match("MESSAGE#60:AppTunnel:03", "nwparser.payload", "\u003c\u003c%{sessionid}> Error - Connection timed out", processor_chain([ - dup7, - dup12, - dup13, - dup17, - dup3, - dup4, -])); - -var msg61 = msg("AppTunnel:03", part67); - -var part68 = match("MESSAGE#61:AppTunnel:04", "nwparser.payload", "Connection to %{daddr->} port %{dport->} failed", processor_chain([ - dup7, - dup12, - dup13, - dup17, - dup3, - dup4, -])); - -var msg62 = msg("AppTunnel:04", part68); - -var part69 = match("MESSAGE#62:AppTunnel:05", "nwparser.payload", "\u003c\u003c%{sessionid}> Error - Invalid session id", processor_chain([ - dup7, - dup12, - dup13, - dup3, -])); - -var msg63 = msg("AppTunnel:05", part69); - -var select12 = linear_select([ - msg59, - msg60, - msg61, - msg62, - msg63, -]); - -var part70 = match("MESSAGE#63:run-crons", "nwparser.payload", "%{fld2->} returned %{resultcode}", processor_chain([ - dup8, - dup3, -])); - -var msg64 = msg("run-crons", part70); - -var part71 = match("MESSAGE#64:/USR/SBIN/CRON", "nwparser.payload", "(%{username}) CMD (%{action})", processor_chain([ - dup2, - dup3, -])); - -var msg65 = msg("/USR/SBIN/CRON", part71); - -var part72 = match("MESSAGE#65:ntpdate", "nwparser.payload", "adjust time server %{daddr->} offset %{duration_string}", processor_chain([ - setc("eventcategory","1605030000"), - dup3, -])); - -var msg66 = msg("ntpdate", part72); - -var part73 = match("MESSAGE#66:heartbeat", "nwparser.payload", "info: %{info}", processor_chain([ - setc("eventcategory","1604000000"), - dup3, -])); - -var msg67 = msg("heartbeat", part73); - -var part74 = match("MESSAGE#67:mailer", "nwparser.payload", "Failed to send \\'%{subject}\\' to \\'%{to}\\'", processor_chain([ - setc("eventcategory","1207010200"), - setc("ec_subject","Message"), - setc("ec_activity","Send"), - dup13, - dup17, - dup3, -])); - -var msg68 = msg("mailer", part74); - -var part75 = match("MESSAGE#68:EndpointSecurity/0", "nwparser.payload", "id[%{fld1}]: \"%{p0}"); - -var part76 = match("MESSAGE#68:EndpointSecurity/1_0", "nwparser.p0", "%{fld2->} - Connected%{p0}"); - -var part77 = match("MESSAGE#68:EndpointSecurity/1_1", "nwparser.p0", "Connected%{p0}"); - -var select13 = linear_select([ - part76, - part77, -]); - -var part78 = match("MESSAGE#68:EndpointSecurity/2", "nwparser.p0", "%{}from %{saddr->} %{info}\""); - -var all3 = all_match({ - processors: [ - part75, - select13, - part78, - ], - on_success: processor_chain([ - dup20, - dup13, - dup3, - ]), -}); - -var msg69 = msg("EndpointSecurity", all3); - -var part79 = match("MESSAGE#69:EndpointSecurity:01", "nwparser.payload", "id[%{fld1}]: %{event_description}", processor_chain([ - dup20, - dup13, - dup3, -])); - -var msg70 = msg("EndpointSecurity:01", part79); - -var select14 = linear_select([ - msg69, - msg70, -]); - -var part80 = match("MESSAGE#70:snmp", "nwparser.payload", "SNMP handler started%{}", processor_chain([ - dup20, - dup3, - setc("event_description","SNMP handler started"), - setc("action","started"), - setc("protocol","SNMP"), -])); - -var msg71 = msg("snmp", part80); - -var part81 = match("MESSAGE#71:snmp:01", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup3, -])); - -var msg72 = msg("snmp:01", part81); - -var select15 = linear_select([ - msg71, - msg72, -]); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "/USR/SBIN/CRON": msg65, - "AppTunnel": select12, - "EndpointSecurity": select14, - "GarbageCollection": select3, - "Miscellaneous": select9, - "NetworkAccess": select5, - "firepass": select2, - "heartbeat": msg67, - "httpd": msg40, - "kernel": select10, - "mailer": msg68, - "maintenance": select4, - "ntpd": select11, - "ntpdate": msg66, - "run-crons": msg64, - "security": select8, - "snmp": select15, - "sshd": msg53, - }), -]); diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log b/x-pack/filebeat/module/f5/firepass/test/generated.log deleted file mode 100644 index dcd42eb4778..00000000000 --- a/x-pack/filebeat/module/f5/firepass/test/generated.log +++ /dev/null @@ -1,100 +0,0 @@ -January 29 06:09:59 avolupt1396.www.invalid ntpdate[nto]: adjust time server 10.232.59.7 offset tur -February 12 13:12:33 aliqu5634.api.host ntpd[eni]: [vento] [ehend] Listening on interface lo4377, 10.58.254.89#4819 -February 26 20:15:08 mqui5286.mail.home sshd[litesse]: [orev] [pisciv] Accepted publickey for uii from 10.36.11.87 port 1803 doeiu -firepass[eporr]: [quipexe] [alo] FirePass service stopped on eosquir5191.www.example -NetworkAccess[ctetur]: [uidolor] < Open Network Access Connection using remote IP address 10.194.156.105 -April 9 17:22:51 itamet3338.mail.host EndpointSecurity[squame]: [ntex] [eius] id[luptat]: emape -GarbageCollection[nse]: [eumiu] [uame] no servers defined for Radius Accounting -May 8 07:27:59 orisn6294.www.lan heartbeat[ofdeF]: [metcons] info: roinBCS -May 22 14:30:33 eataevi4044.mail.localhost firepass[ptas]: [nevolu] equat -June 5 21:33:08 ofdeFin3587.www.domain EndpointSecurity[exe]: [iatu] id[ionofde]: "con - Connected from 10.38.189.242 ommodic" -/USR/SBIN/CRON[consec]: [taliquip] [psumq] (atcup) CMD (accept) -/USR/SBIN/CRON[llu]: (uptassi) CMD (accept) -/USR/SBIN/CRON[aqui]: [radipis] (isetq) CMD (deny) -August 2 01:43:25 magn2890.api.localhost sshd[eum]: Accepted publickey for sum from 10.175.6.112 port 5509 onev -maintenance[giatq]: [quid] [fug] uatDuis -firepass[veri]: [rsita] [siutaliq] exercit -September 13 22:51:07 Cice513.api.local kernel[doloreeu]: [pori] kernel: Marketing_resource:occ SRC=10.18.220.102 DST=10.230.12.79 obeataev PROTO=ggp SPT=5000 DPT=340 autfu -September 28 05:53:42 aboris2946.api.host mailer[ssitaspe]: [gitsedqu] Failed to send \'uam\' to \'temq\' -October 12 12:56:16 nsequat6875.www.lan EndpointSecurity[llamcorp]: id[ari]: "eataevit - Connected from 10.50.112.141 mqua" -sshd[ptat]: [ore] [etconsec] Accepted publickey for err from 10.61.78.108 port 2398 eci -November 10 03:01:24 ugits4426.mail.corp mailer[ipit]: Failed to send \'idexea\' to \'riat\' -heartbeat[umdolor]: [osquir] info: inim -December 8 17:06:33 tquovol3689.lan GarbageCollection[tatno]: timeout happened. restarting imav services -December 23 00:09:07 turQuisa1567.www5.domain EndpointSecurity[ite]: [ntN] [ciati] id[ercit]: "Connected from 10.243.206.225 mol" -January 6 07:11:41 turveli6399.host kernel[erc]: [taliqu] [temUten] kernel: ccusan -January 20 14:14:16 aveniam1436.www.test Miscellaneous[essequ]: [taevi] [ender] Purge logs: finished. Deleted snulapar logon records -snmp[gni]: [tquiinea] [mquaera] SNMP handler started -February 18 04:19:24 enim2780.www.lan sshd[eriame]: [lorema] [avol] Accepted publickey for labor from 10.0.3.58 port 7224 enb -March 4 11:21:59 ips5153.www5.localdomain GarbageCollection[emporinc]: [untutlab] [tem] apache server is not running. start it -sshd[tessec]: [remipsum] [liq] Accepted publickey for ist from 10.169.144.147 port 2399 nibus -April 2 01:27:07 end1549.mail.localhost kernel[rveli]: [rsint] kernel: Marketing_resource: omm -ntpdate[Nemoeni]: adjust time server 10.196.105.137 offset lup -April 30 15:32:16 lor3224.host mailer[rsitamet]: Failed to send \'lupt\' to \'xea\' -run-crons[luptatev]: admi returned modocons -May 29 05:37:24 abor5821.internal.localhost kernel[eve]: [tatiset] kernel: Marketing_resource:eprehen SRC=10.117.146.33 DST=10.46.158.31 dun PROTO=rdp SPT=703 DPT=3369 rsitam -June 12 12:39:58 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214 -June 26 19:42:33 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem -firepass[rehe]: [ume] Logged out -July 25 09:47:41 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel) -August 8 16:50:15 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc -kernel[olupt]: [modoco] kernel: cdrom: open failed. -September 6 06:55:24 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia -September 20 13:57:58 ici3995.lan EndpointSecurity[vol]: [riat] [taut] id[oreseos]: uames -Miscellaneous[iciatisu]: [rehender] Purge logs: auto started -October 19 04:03:07 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42 -heartbeat[dolo]: [Loremip] [idolor] info: emeumfu -November 16 18:08:15 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio -EndpointSecurity[rumetM]: [equi] id[agnaali]: "gnam - Connected from 10.26.236.35 lumqui" -httpd[rpo]: [uipe] [inesci] scr_monitor: serror -ntpd[apariat]: kernel time sync status tlabore -January 12 22:18:32 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny) -snmp[ationemu]: [ice] estiae -February 10 12:23:41 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect -maintenance[etconse]: [tincu] ari -March 11 02:28:49 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp -Miscellaneous[emoe]: [eaq] Purge logs: not started. Next purge scheduled time amest is not exceeded -EndpointSecurity[rehender]: [iae] id[dantiumt]: "luptasn - Connected from 10.164.6.207 olestiae" -/USR/SBIN/CRON[ihilmole]: [eriamea] (amre) CMD (allow) -May 7 06:39:06 pisciv7108.lan mailer[boris]: [nti] [abi] Failed to send \'sectetur\' to \'uioffi\' -May 21 13:41:41 temqu3331.api.host mailer[ipi]: Failed to send \'reseos\' to \'pariatu\' -June 4 20:44:15 tenima5685.internal.example heartbeat[eabilloi]: [estia] [tper] info: olor -June 19 03:46:49 orem2138.internal.lan run-crons[fdeFi]: texp returned tasuntex -/USR/SBIN/CRON[sequine]: [ectio] [dutper] (lamcolab) CMD (deny) -run-crons: returned gel -August 1 00:54:32 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate -August 15 07:57:06 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started -mailer[itatione]: [isnis] [uptasn] Failed to send \'reme\' to \'acommod\' -mailer[udantium]: Failed to send \'pre\' to \'xeacom\' -httpd[dictasu]: [lorinre] scr_monitor: olorsita -ntpdate[inculpa]: [abo] adjust time server 10.105.76.230 offset aliquide -October 25 19:09:57 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc -ntpd[aturQui]: frequency initialized utlabor PPM from rau -firepass[nisi]: [dant] shutting down for system reboot -AppTunnel[tinvolu]: < Error - Invalid session id -December 21 23:20:14 quidolor5025.home run-crons: returned rem -run-crons[idolor]: [uisau] [eleum] sintoc returned volupt -heartbeat[uiinea]: info: Utenima -February 2 20:27:57 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese -February 17 03:30:32 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc -kernel: ionofdeF -March 17 17:35:40 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte -AppTunnel[aper]: [santiumd] [turadip] < Error - Invalid session id -/USR/SBIN/CRON[nci]: [tev] [saute] (ntocca) CMD (deny) -April 29 14:43:23 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980 -heartbeat[exe]: [imadmini] [sauteiru] info: mod -/USR/SBIN/CRON[ataevi]: [com] (tnulapa) CMD (deny) -httpd[eriti]: [litessec] scr_monitor: itas -June 25 18:53:40 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor -July 10 01:56:14 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host -mailer[untut]: [uamni] Failed to send \'ctet\' to \'ati\' -August 7 16:01:23 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist -August 21 23:03:57 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel) -kernel[ncidi]: [eeufugia] [evit] kernel: PPP runtm -September 19 13:09:05 velitse543.api.example heartbeat[torever]: info: oremi -October 3 20:11:40 temUt631.www5.example heartbeat[npr]: info: mquelau -October 18 03:14:14 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo -November 1 10:16:48 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account -heartbeat[iduntu]: [idestlab] info: rnatur -run-crons[essequam]: acommo returned nturma -December 14 07:24:31 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json deleted file mode 100644 index e783667b492..00000000000 --- a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json +++ /dev/null @@ -1,2321 +0,0 @@ -[ - { - "destination.ip": [ - "10.232.59.7" - ], - "event.code": "ntpdate", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "January 29 06:09:59 avolupt1396.www.invalid ntpdate[nto]: adjust time server 10.232.59.7 offset tur", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 0, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.232.59.7" - ], - "rsa.internal.messageid": "ntpdate", - "rsa.time.duration_str": "tur", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "ntpd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "February 12 13:12:33 aliqu5634.api.host ntpd[eni]: [vento] [ehend] Listening on interface lo4377, 10.58.254.89#4819", - "fileset.name": "firepass", - "host.ip": "10.58.254.89", - "input.type": "log", - "log.offset": 100, - "network.interface.name": "lo4377", - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.58.254.89" - ], - "rsa.internal.messageid": "ntpd", - "rsa.network.interface": "lo4377", - "rsa.network.network_port": 4819, - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "sshd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "February 26 20:15:08 mqui5286.mail.home sshd[litesse]: [orev] [pisciv] Accepted publickey for uii from 10.36.11.87 port 1803 doeiu", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 216, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.36.11.87" - ], - "related.user": [ - "uii" - ], - "rsa.internal.messageid": "sshd", - "service.type": "f5", - "source.ip": [ - "10.36.11.87" - ], - "source.port": 1803, - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "uii" - }, - { - "event.code": "firepass", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "firepass[eporr]: [quipexe] [alo] FirePass service stopped on eosquir5191.www.example", - "fileset.name": "firepass", - "host.name": "eosquir5191.www.example", - "input.type": "log", - "log.offset": 347, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "quipexe" - ], - "rsa.internal.messageid": "firepass", - "rsa.investigations.ec_activity": "Stop", - "rsa.investigations.ec_subject": "Service", - "rsa.network.alias_host": [ - "eosquir5191.www.example" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "quipexe" - }, - { - "destination.ip": [ - "10.194.156.105" - ], - "event.code": "NetworkAccess", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "NetworkAccess[ctetur]: [uidolor] < Open Network Access Connection using remote IP address 10.194.156.105", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 432, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.194.156.105" - ], - "related.user": [ - "uidolor" - ], - "rsa.internal.messageid": "NetworkAccess", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.log_session_id": "nibus", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "uidolor" - }, - { - "event.code": "EndpointSecurity", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "April 9 17:22:51 itamet3338.mail.host EndpointSecurity[squame]: [ntex] [eius] id[luptat]: emape", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 544, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "emape", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "GarbageCollection", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "GarbageCollection[nse]: [eumiu] [uame] no servers defined for Radius Accounting", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 640, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "GarbageCollection", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "May 8 07:27:59 orisn6294.www.lan heartbeat[ofdeF]: [metcons] info: roinBCS", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 720, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "roinBCS", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "firepass", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "May 22 14:30:33 eataevi4044.mail.localhost firepass[ptas]: [nevolu] equat", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 795, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "equat", - "rsa.internal.messageid": "firepass", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "EndpointSecurity", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "June 5 21:33:08 ofdeFin3587.www.domain EndpointSecurity[exe]: [iatu] id[ionofde]: \"con - Connected from 10.38.189.242 ommodic\"", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 869, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.38.189.242" - ], - "rsa.db.index": "ommodic", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "source.ip": [ - "10.38.189.242" - ], - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.action": "accept", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "/USR/SBIN/CRON[consec]: [taliquip] [psumq] (atcup) CMD (accept)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 996, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "atcup" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "accept" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "atcup" - }, - { - "event.action": "accept", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "/USR/SBIN/CRON[llu]: (uptassi) CMD (accept)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1060, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "uptassi" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "accept" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "uptassi" - }, - { - "event.action": "deny", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "/USR/SBIN/CRON[aqui]: [radipis] (isetq) CMD (deny)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1104, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "isetq" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "deny" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "isetq" - }, - { - "event.code": "sshd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "August 2 01:43:25 magn2890.api.localhost sshd[eum]: Accepted publickey for sum from 10.175.6.112 port 5509 onev", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1155, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.175.6.112" - ], - "related.user": [ - "sum" - ], - "rsa.internal.messageid": "sshd", - "service.type": "f5", - "source.ip": [ - "10.175.6.112" - ], - "source.port": 5509, - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "sum" - }, - { - "event.code": "maintenance", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "maintenance[giatq]: [quid] [fug] uatDuis", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1267, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "quid" - ], - "rsa.db.index": "uatDuis", - "rsa.internal.messageid": "maintenance", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "quid" - }, - { - "event.code": "firepass", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "firepass[veri]: [rsita] [siutaliq] exercit", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1308, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "exercit", - "rsa.internal.messageid": "firepass", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "destination.ip": [ - "10.230.12.79" - ], - "destination.port": 340, - "event.code": "kernel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "September 13 22:51:07 Cice513.api.local kernel[doloreeu]: [pori] kernel: Marketing_resource:occ SRC=10.18.220.102 DST=10.230.12.79 obeataev PROTO=ggp SPT=5000 DPT=340 autfu", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1351, - "network.protocol": "ggp", - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.18.220.102", - "10.230.12.79" - ], - "rsa.db.index": "obeataev", - "rsa.internal.messageid": "kernel", - "service.type": "f5", - "source.ip": [ - "10.18.220.102" - ], - "source.port": 5000, - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "mailer", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "September 28 05:53:42 aboris2946.api.host mailer[ssitaspe]: [gitsedqu] Failed to send \\'uam\\' to \\'temq\\'", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1524, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.email.email_dst": "temq", - "rsa.email.subject": "uam", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "EndpointSecurity", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "October 12 12:56:16 nsequat6875.www.lan EndpointSecurity[llamcorp]: id[ari]: \"eataevit - Connected from 10.50.112.141 mqua\"", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1630, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.50.112.141" - ], - "rsa.db.index": "mqua", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "source.ip": [ - "10.50.112.141" - ], - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "sshd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "sshd[ptat]: [ore] [etconsec] Accepted publickey for err from 10.61.78.108 port 2398 eci", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1754, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.61.78.108" - ], - "related.user": [ - "err" - ], - "rsa.internal.messageid": "sshd", - "service.type": "f5", - "source.ip": [ - "10.61.78.108" - ], - "source.port": 2398, - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "err" - }, - { - "event.code": "mailer", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "November 10 03:01:24 ugits4426.mail.corp mailer[ipit]: Failed to send \\'idexea\\' to \\'riat\\'", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1842, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.email.email_dst": "riat", - "rsa.email.subject": "idexea", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "heartbeat[umdolor]: [osquir] info: inim", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1935, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "inim", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "GarbageCollection", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "December 8 17:06:33 tquovol3689.lan GarbageCollection[tatno]: timeout happened. restarting imav services", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1975, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "timeout happened. restarting services", - "rsa.internal.messageid": "GarbageCollection", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "EndpointSecurity", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "December 23 00:09:07 turQuisa1567.www5.domain EndpointSecurity[ite]: [ntN] [ciati] id[ercit]: \"Connected from 10.243.206.225 mol\"", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2080, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.243.206.225" - ], - "rsa.db.index": "mol", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "source.ip": [ - "10.243.206.225" - ], - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "kernel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "January 6 07:11:41 turveli6399.host kernel[erc]: [taliqu] [temUten] kernel: ccusan", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2210, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "ccusan", - "rsa.internal.messageid": "kernel", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "Miscellaneous", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "January 20 14:14:16 aveniam1436.www.test Miscellaneous[essequ]: [taevi] [ender] Purge logs: finished. Deleted snulapar logon records", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2293, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "taevi" - ], - "rsa.internal.messageid": "Miscellaneous", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "taevi" - }, - { - "event.action": "started", - "event.code": "snmp", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "snmp[gni]: [tquiinea] [mquaera] SNMP handler started", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2426, - "network.protocol": "SNMP", - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "SNMP handler started", - "rsa.internal.messageid": "snmp", - "rsa.misc.action": [ - "started" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "sshd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "February 18 04:19:24 enim2780.www.lan sshd[eriame]: [lorema] [avol] Accepted publickey for labor from 10.0.3.58 port 7224 enb", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2479, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.0.3.58" - ], - "related.user": [ - "labor" - ], - "rsa.internal.messageid": "sshd", - "service.type": "f5", - "source.ip": [ - "10.0.3.58" - ], - "source.port": 7224, - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "labor" - }, - { - "event.code": "GarbageCollection", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "March 4 11:21:59 ips5153.www5.localdomain GarbageCollection[emporinc]: [untutlab] [tem] apache server is not running. start it", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2605, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "GarbageCollection", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "sshd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "sshd[tessec]: [remipsum] [liq] Accepted publickey for ist from 10.169.144.147 port 2399 nibus", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2732, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.169.144.147" - ], - "related.user": [ - "ist" - ], - "rsa.internal.messageid": "sshd", - "service.type": "f5", - "source.ip": [ - "10.169.144.147" - ], - "source.port": 2399, - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "ist" - }, - { - "event.code": "kernel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "April 2 01:27:07 end1549.mail.localhost kernel[rveli]: [rsint] kernel: Marketing_resource: omm", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2826, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "omm", - "rsa.internal.messageid": "kernel", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "destination.ip": [ - "10.196.105.137" - ], - "event.code": "ntpdate", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "ntpdate[Nemoeni]: adjust time server 10.196.105.137 offset lup", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2921, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.196.105.137" - ], - "rsa.internal.messageid": "ntpdate", - "rsa.time.duration_str": "lup", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "mailer", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "April 30 15:32:16 lor3224.host mailer[rsitamet]: Failed to send \\'lupt\\' to \\'xea\\'", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2984, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.email.email_dst": "xea", - "rsa.email.subject": "lupt", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "run-crons", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "run-crons[luptatev]: admi returned modocons", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3068, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "modocons", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "destination.ip": [ - "10.46.158.31" - ], - "destination.port": 3369, - "event.code": "kernel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "May 29 05:37:24 abor5821.internal.localhost kernel[eve]: [tatiset] kernel: Marketing_resource:eprehen SRC=10.117.146.33 DST=10.46.158.31 dun PROTO=rdp SPT=703 DPT=3369 rsitam", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3112, - "network.protocol": "rdp", - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.117.146.33", - "10.46.158.31" - ], - "rsa.db.index": "dun", - "rsa.internal.messageid": "kernel", - "service.type": "f5", - "source.ip": [ - "10.117.146.33" - ], - "source.port": 703, - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.action": "block", - "event.code": "security", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "June 12 12:39:58 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214", - "event.outcome": "unknown", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3287, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.196.136.214" - ], - "rsa.internal.messageid": "security", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Error", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - "service.type": "f5", - "source.ip": [ - "10.196.136.214" - ], - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "maintenance", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "June 26 19:42:33 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3385, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "mexercit" - ], - "rsa.internal.messageid": "maintenance", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.log_session_id": "dtem", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "mexercit" - }, - { - "event.code": "firepass", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "firepass[rehe]: [ume] Logged out", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3477, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "ume" - ], - "rsa.internal.messageid": "firepass", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_subject": "User", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "ume" - }, - { - "event.action": "cancel", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "July 25 09:47:41 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3510, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "dexeaco" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "cancel" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "dexeaco" - }, - { - "event.code": "snmp", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "August 8 16:50:15 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3602, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "erc", - "rsa.internal.messageid": "snmp", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "kernel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "kernel[olupt]: [modoco] kernel: cdrom: open failed.", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3670, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "kernel", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "EndpointSecurity", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "September 6 06:55:24 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3722, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "uasia", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "EndpointSecurity", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "September 20 13:57:58 ici3995.lan EndpointSecurity[vol]: [riat] [taut] id[oreseos]: uames", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3808, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "uames", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "Miscellaneous", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "Miscellaneous[iciatisu]: [rehender] Purge logs: auto started", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3898, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "rehender" - ], - "rsa.internal.messageid": "Miscellaneous", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "rehender" - }, - { - "destination.ip": [ - "10.192.18.42" - ], - "event.code": "NetworkAccess", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "October 19 04:03:07 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3959, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.192.18.42" - ], - "related.user": [ - "equatD" - ], - "rsa.internal.messageid": "NetworkAccess", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.log_session_id": "isno", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "equatD" - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "heartbeat[dolo]: [Loremip] [idolor] info: emeumfu", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4103, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "emeumfu", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "sshd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "November 16 18:08:15 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4153, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.86.63.253" - ], - "related.user": [ - "amvolup" - ], - "rsa.internal.messageid": "sshd", - "service.type": "f5", - "source.ip": [ - "10.86.63.253" - ], - "source.port": 2133, - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "amvolup" - }, - { - "event.code": "EndpointSecurity", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "EndpointSecurity[rumetM]: [equi] id[agnaali]: \"gnam - Connected from 10.26.236.35 lumqui\"", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4288, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.26.236.35" - ], - "rsa.db.index": "lumqui", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "source.ip": [ - "10.26.236.35" - ], - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "httpd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "httpd[rpo]: [uipe] [inesci] scr_monitor: serror", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4378, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "uipe" - ], - "rsa.internal.messageid": "httpd", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "uipe" - }, - { - "event.code": "ntpd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "ntpd[apariat]: kernel time sync status tlabore", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4426, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "ntpd", - "rsa.misc.result_code": "tlabore", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.action": "deny", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "January 12 22:18:32 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4473, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "isc" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "deny" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "isc" - }, - { - "event.code": "snmp", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "snmp[ationemu]: [ice] estiae", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4569, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "estiae", - "rsa.internal.messageid": "snmp", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "destination.ip": [ - "10.170.148.40" - ], - "event.code": "ntpdate", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "February 10 12:23:41 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4598, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.170.148.40" - ], - "rsa.internal.messageid": "ntpdate", - "rsa.time.duration_str": "hitect", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "maintenance", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "maintenance[etconse]: [tincu] ari", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4706, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "tincu" - ], - "rsa.db.index": "ari", - "rsa.internal.messageid": "maintenance", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "tincu" - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "March 11 02:28:49 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4740, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "texp", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "Miscellaneous", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "Miscellaneous[emoe]: [eaq] Purge logs: not started. Next purge scheduled time amest is not exceeded", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4819, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "eaq" - ], - "rsa.internal.messageid": "Miscellaneous", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "eaq" - }, - { - "event.code": "EndpointSecurity", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "EndpointSecurity[rehender]: [iae] id[dantiumt]: \"luptasn - Connected from 10.164.6.207 olestiae\"", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4919, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.164.6.207" - ], - "rsa.db.index": "olestiae", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "source.ip": [ - "10.164.6.207" - ], - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.action": "allow", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "/USR/SBIN/CRON[ihilmole]: [eriamea] (amre) CMD (allow)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5016, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "amre" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "allow" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "amre" - }, - { - "event.code": "mailer", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "May 7 06:39:06 pisciv7108.lan mailer[boris]: [nti] [abi] Failed to send \\'sectetur\\' to \\'uioffi\\'", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5071, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.email.email_dst": "uioffi", - "rsa.email.subject": "sectetur", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "mailer", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "May 21 13:41:41 temqu3331.api.host mailer[ipi]: Failed to send \\'reseos\\' to \\'pariatu\\'", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5170, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.email.email_dst": "pariatu", - "rsa.email.subject": "reseos", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "June 4 20:44:15 tenima5685.internal.example heartbeat[eabilloi]: [estia] [tper] info: olor", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5259, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "olor", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "run-crons", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "June 19 03:46:49 orem2138.internal.lan run-crons[fdeFi]: texp returned tasuntex", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5350, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "tasuntex", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.action": "deny", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "/USR/SBIN/CRON[sequine]: [ectio] [dutper] (lamcolab) CMD (deny)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5430, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "lamcolab" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "deny" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "lamcolab" - }, - { - "event.code": "run-crons", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "run-crons: returned gel", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5494, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "gel", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "August 1 00:54:32 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5519, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "uptate", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "Miscellaneous", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "August 15 07:57:06 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5599, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "aliquam" - ], - "rsa.internal.messageid": "Miscellaneous", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "aliquam" - }, - { - "event.code": "mailer", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "mailer[itatione]: [isnis] [uptasn] Failed to send \\'reme\\' to \\'acommod\\'", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5692, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.email.email_dst": "acommod", - "rsa.email.subject": "reme", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "mailer", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "mailer[udantium]: Failed to send \\'pre\\' to \\'xeacom\\'", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5766, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.email.email_dst": "xeacom", - "rsa.email.subject": "pre", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "httpd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "httpd[dictasu]: [lorinre] scr_monitor: olorsita", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5821, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "lorinre" - ], - "rsa.internal.messageid": "httpd", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "lorinre" - }, - { - "destination.ip": [ - "10.105.76.230" - ], - "event.code": "ntpdate", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "ntpdate[inculpa]: [abo] adjust time server 10.105.76.230 offset aliquide", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5869, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.105.76.230" - ], - "rsa.internal.messageid": "ntpdate", - "rsa.time.duration_str": "aliquide", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "run-crons", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "October 25 19:09:57 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5942, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "intocc", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "ntpd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "ntpd[aturQui]: frequency initialized utlabor PPM from rau", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6036, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "ntpd", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "firepass", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "firepass[nisi]: [dant] shutting down for system reboot", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6094, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "shutting down for system reboot", - "rsa.internal.messageid": "firepass", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "AppTunnel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "AppTunnel[tinvolu]: < Error - Invalid session id", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6149, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "AppTunnel", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.log_session_id": "iurer", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "run-crons", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "December 21 23:20:14 quidolor5025.home run-crons: returned rem", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6205, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "rem", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "run-crons", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "run-crons[idolor]: [uisau] [eleum] sintoc returned volupt", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6269, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "volupt", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "heartbeat[uiinea]: info: Utenima", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6327, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "Utenima", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "destination.ip": [ - "10.25.52.65" - ], - "event.code": "ntpdate", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "February 2 20:27:57 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6360, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.25.52.65" - ], - "rsa.internal.messageid": "ntpdate", - "rsa.time.duration_str": "ese", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "February 17 03:30:32 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6466, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "ntocc", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "kernel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "kernel: ionofdeF", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6547, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "ionofdeF", - "rsa.internal.messageid": "kernel", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "ntpd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "March 17 17:35:40 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6564, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "ntpd", - "rsa.time.duration_str": "epte", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "AppTunnel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "AppTunnel[aper]: [santiumd] [turadip] < Error - Invalid session id", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6636, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "AppTunnel", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.log_session_id": "uatD", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.action": "deny", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "/USR/SBIN/CRON[nci]: [tev] [saute] (ntocca) CMD (deny)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6709, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "ntocca" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "deny" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "ntocca" - }, - { - "event.code": "maintenance", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "April 29 14:43:23 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6764, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "ntmollit" - ], - "rsa.internal.messageid": "maintenance", - "rsa.network.network_port": 6980, - "rsa.web.fqdn": "ipsumd6116.local", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "ntmollit" - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "heartbeat[exe]: [imadmini] [sauteiru] info: mod", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6886, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "mod", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.action": "deny", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "/USR/SBIN/CRON[ataevi]: [com] (tnulapa) CMD (deny)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6934, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "tnulapa" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "deny" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "tnulapa" - }, - { - "event.code": "httpd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "httpd[eriti]: [litessec] scr_monitor: itas", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6985, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "litessec" - ], - "rsa.internal.messageid": "httpd", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "litessec" - }, - { - "destination.ip": [ - "10.186.101.163" - ], - "event.code": "ntpdate", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "June 25 18:53:40 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7028, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.186.101.163" - ], - "rsa.internal.messageid": "ntpdate", - "rsa.time.duration_str": "utlabor", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "firepass", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "July 10 01:56:14 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host", - "fileset.name": "firepass", - "host.name": "eufugi2923.internal.host", - "input.type": "log", - "log.offset": 7151, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "tvolupt" - ], - "rsa.internal.messageid": "firepass", - "rsa.investigations.ec_activity": "Start", - "rsa.investigations.ec_subject": "Service", - "rsa.network.alias_host": [ - "eufugi2923.internal.host" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "tvolupt" - }, - { - "event.code": "mailer", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "mailer[untut]: [uamni] Failed to send \\'ctet\\' to \\'ati\\'", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7270, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.email.email_dst": "ati", - "rsa.email.subject": "ctet", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "NetworkAccess", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "August 7 16:01:23 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7328, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "ven" - ], - "rsa.db.index": "nisist", - "rsa.internal.messageid": "NetworkAccess", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.log_session_id": "con", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "ven" - }, - { - "event.action": "cancel", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "August 21 23:03:57 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7416, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "laudant" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "cancel" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "laudant" - }, - { - "event.code": "kernel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "kernel[ncidi]: [eeufugia] [evit] kernel: PPP runtm", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7518, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "runtm", - "rsa.internal.messageid": "kernel", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "September 19 13:09:05 velitse543.api.example heartbeat[torever]: info: oremi", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7569, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "oremi", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "October 3 20:11:40 temUt631.www5.example heartbeat[npr]: info: mquelau", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7646, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "mquelau", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "run-crons", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "October 18 03:14:14 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7717, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "idolo", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "security", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "November 1 10:16:48 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7821, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "fugi" - ], - "rsa.internal.messageid": "security", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Policy", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "fugi" - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "heartbeat[iduntu]: [idestlab] info: rnatur", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7948, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "rnatur", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "run-crons", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "run-crons[essequam]: acommo returned nturma", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7991, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "nturma", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "destination.ip": [ - "10.225.181.30" - ], - "destination.port": 5390, - "event.code": "kernel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "December 14 07:24:31 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 8035, - "network.protocol": "udp", - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.65.175.9", - "10.225.181.30" - ], - "rsa.db.index": "uia", - "rsa.internal.messageid": "kernel", - "service.type": "f5", - "source.ip": [ - "10.65.175.9" - ], - "source.port": 4412, - "tags": [ - "f5.firepass", - "forwarded" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/fortinet/_meta/config.yml b/x-pack/filebeat/module/fortinet/_meta/config.yml index 0b2eb336295..0754f27de13 100644 --- a/x-pack/filebeat/module/fortinet/_meta/config.yml +++ b/x-pack/filebeat/module/fortinet/_meta/config.yml @@ -30,3 +30,41 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local + + fortimail: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9529 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + + fortimanager: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9530 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc index ee6448f4cdd..acf35ecacc9 100644 --- a/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/fortinet/_meta/docs.asciidoc @@ -5,7 +5,13 @@ == Fortinet module -This is a module for Fortinet FortiOS logs sent in the syslog format. +This is a module for Fortinet logs sent in the syslog format. It supports the +following devices: + +- `firewall` fileset: Supports FortiOS Firewall logs. +- `clientendpoint` fileset: Supports FortiClient Endpoint Protection logs. +- `fortimail` fileset: Supports FortiMail logs. +- `fortimanager` fileset: Supports FortiManager logs. To configure a remote syslog destination, please reference the https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/260508/log-syslogd-syslogd2-syslogd3-syslogd4-setting[Fortigate/FortiOS Documentation]. @@ -95,7 +101,97 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +[float] +==== `fortimail` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "fortinetfortimail" device revision 131. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9529` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +[float] +==== `fortimanager` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "fortinetmgr" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9530` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/fortinet/_meta/fields.yml b/x-pack/filebeat/module/fortinet/_meta/fields.yml index 21a001384ef..6cfa7a7a609 100644 --- a/x-pack/filebeat/module/fortinet/_meta/fields.yml +++ b/x-pack/filebeat/module/fortinet/_meta/fields.yml @@ -3,12 +3,3 @@ description: > fortinet Module fields: - - name: fortinet - type: group - description: > - Fields from fortinet FortiOS - fields: - - name: file.hash.crc32 - type: keyword - description: > - CRC32 Hash of file \ No newline at end of file diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml index 2792f46aafd..40b42e4e527 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml +++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml index 1897a785e50..28bbbd0e58e 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for Fortinet FortiClient Endpoint Security processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original @@ -49,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' + - append: + field: related.hosts + value: '{{server.domain}}' + allow_duplicates: false + if: ctx?.server?.domain != null && ctx.server?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json index 70dc501501d..69eab97fe35 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-01-29T08:09:59.000Z", "destination.ip": [ "10.102.123.34" ], @@ -21,6 +20,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7880, + "related.hosts": [ + "boNemoe4402.www.invalid", + "litesse6379.api.domain" + ], "related.ip": [ "10.150.92.220", "10.102.123.34" @@ -43,7 +46,6 @@ ], "rsa.network.domain": "litesse6379.api.domain", "rsa.network.network_service": "http", - "rsa.time.event_time": "2020-01-29T08:09:59.000Z", "server.domain": "litesse6379.api.domain", "service.type": "fortinet", "source.ip": [ @@ -57,7 +59,6 @@ "user.name": "sumdo" }, { - "@timestamp": "2020-02-12T15:12:33.000Z", "destination.ip": [ "10.149.203.46" ], @@ -78,9 +79,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4539, + "related.hosts": [ + "olupt4880.api.home", + "gnaali6189.internal.localhost" + ], "related.ip": [ - "10.149.203.46", - "10.33.212.159" + "10.33.212.159", + "10.149.203.46" ], "related.user": [ "mipsumq" @@ -100,7 +105,6 @@ ], "rsa.network.domain": "gnaali6189.internal.localhost", "rsa.network.network_service": "https", - "rsa.time.event_time": "2020-02-12T15:12:33.000Z", "server.domain": "gnaali6189.internal.localhost", "service.type": "fortinet", "source.ip": [ @@ -114,7 +118,6 @@ "user.name": "mipsumq" }, { - "@timestamp": "2020-02-26T22:15:08.000Z", "destination.ip": [ "10.118.175.9" ], @@ -135,9 +138,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 445, + "related.hosts": [ + "aqu1628.internal.domain", + "quis1130.internal.corp" + ], "related.ip": [ - "10.173.116.41", - "10.118.175.9" + "10.118.175.9", + "10.173.116.41" ], "related.user": [ "uame" @@ -157,7 +164,6 @@ ], "rsa.network.domain": "quis1130.internal.corp", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2020-02-26T22:15:08.000Z", "server.domain": "quis1130.internal.corp", "service.type": "fortinet", "source.ip": [ @@ -171,7 +177,6 @@ "user.name": "uame" }, { - "@timestamp": "2020-03-12T05:17:42.000Z", "destination.ip": [ "10.202.204.154" ], @@ -192,9 +197,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5712, + "related.hosts": [ + "tinculp2940.internal.local", + "reprehe189.internal.home" + ], "related.ip": [ - "10.202.204.154", - "10.134.137.177" + "10.134.137.177", + "10.202.204.154" ], "related.user": [ "orsitame" @@ -214,7 +223,6 @@ ], "rsa.network.domain": "reprehe189.internal.home", "rsa.network.network_service": "https", - "rsa.time.event_time": "2020-03-12T05:17:42.000Z", "server.domain": "reprehe189.internal.home", "service.type": "fortinet", "source.ip": [ @@ -228,7 +236,6 @@ "user.name": "orsitame" }, { - "@timestamp": "2020-03-26T12:20:16.000Z", "destination.ip": [ "10.70.0.60" ], @@ -249,6 +256,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6557, + "related.hosts": [ + "rad2103.api.domain", + "enimad2283.internal.domain" + ], "related.ip": [ "10.245.142.250", "10.70.0.60" @@ -271,7 +282,6 @@ ], "rsa.network.domain": "enimad2283.internal.domain", "rsa.network.network_service": "pop3", - "rsa.time.event_time": "2020-03-26T12:20:16.000Z", "server.domain": "enimad2283.internal.domain", "service.type": "fortinet", "source.ip": [ @@ -285,7 +295,6 @@ "user.name": "eos" }, { - "@timestamp": "2020-04-09T19:22:51.000Z", "destination.ip": [ "10.200.188.142" ], @@ -306,6 +315,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2061, + "related.hosts": [ + "enim5316.www5.local", + "doloreeu3553.www5.home" + ], "related.ip": [ "10.200.188.142", "10.202.72.124" @@ -328,7 +341,6 @@ ], "rsa.network.domain": "doloreeu3553.www5.home", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2020-04-09T19:22:51.000Z", "server.domain": "doloreeu3553.www5.home", "service.type": "fortinet", "source.ip": [ @@ -342,7 +354,6 @@ "user.name": "iusmodt" }, { - "@timestamp": "2020-04-24T02:25:25.000Z", "destination.ip": [ "10.214.225.125" ], @@ -363,6 +374,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5722, + "related.hosts": [ + "reetdolo2770.www5.local", + "iutal13.api.localdomain" + ], "related.ip": [ "10.12.44.169", "10.214.225.125" @@ -385,7 +400,6 @@ ], "rsa.network.domain": "iutal13.api.localdomain", "rsa.network.network_service": "pop3", - "rsa.time.event_time": "2020-04-24T02:25:25.000Z", "server.domain": "iutal13.api.localdomain", "service.type": "fortinet", "source.ip": [ @@ -399,7 +413,6 @@ "user.name": "erep" }, { - "@timestamp": "2020-05-08T09:27:59.000Z", "destination.ip": [ "10.198.136.50" ], @@ -420,9 +433,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5037, + "related.hosts": [ + "isiu1114.internal.corp", + "uovol492.www.localhost" + ], "related.ip": [ - "10.66.108.11", - "10.198.136.50" + "10.198.136.50", + "10.66.108.11" ], "related.user": [ "uptatev" @@ -442,7 +459,6 @@ ], "rsa.network.domain": "uovol492.www.localhost", "rsa.network.network_service": "http", - "rsa.time.event_time": "2020-05-08T09:27:59.000Z", "server.domain": "uovol492.www.localhost", "service.type": "fortinet", "source.ip": [ @@ -456,7 +472,6 @@ "user.name": "uptatev" }, { - "@timestamp": "2020-05-22T16:30:33.000Z", "destination.ip": [ "10.69.20.77" ], @@ -477,9 +492,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 776, + "related.hosts": [ + "usmodte1296.www.corp", + "osquir6997.corp" + ], "related.ip": [ - "10.178.244.31", - "10.69.20.77" + "10.69.20.77", + "10.178.244.31" ], "related.user": [ "umdolor" @@ -499,7 +518,6 @@ ], "rsa.network.domain": "osquir6997.corp", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2020-05-22T16:30:33.000Z", "server.domain": "osquir6997.corp", "service.type": "fortinet", "source.ip": [ @@ -513,7 +531,6 @@ "user.name": "umdolor" }, { - "@timestamp": "2020-06-05T23:33:08.000Z", "destination.ip": [ "10.203.5.162" ], @@ -534,6 +551,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6096, + "related.hosts": [ + "tatno4987.www5.localhost", + "eniam7007.api.invalid" + ], "related.ip": [ "10.54.231.100", "10.203.5.162" @@ -556,7 +577,6 @@ ], "rsa.network.domain": "eniam7007.api.invalid", "rsa.network.network_service": "pop3", - "rsa.time.event_time": "2020-06-05T23:33:08.000Z", "server.domain": "eniam7007.api.invalid", "service.type": "fortinet", "source.ip": [ @@ -570,7 +590,6 @@ "user.name": "umdolore" }, { - "@timestamp": "2020-06-20T06:35:42.000Z", "destination.ip": [ "10.136.252.240" ], @@ -591,6 +610,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7307, + "related.hosts": [ + "tatno6787.internal.localhost", + "snulapar3794.api.domain" + ], "related.ip": [ "10.65.83.160", "10.136.252.240" @@ -613,7 +636,6 @@ ], "rsa.network.domain": "snulapar3794.api.domain", "rsa.network.network_service": "pop3", - "rsa.time.event_time": "2020-06-20T06:35:42.000Z", "server.domain": "snulapar3794.api.domain", "service.type": "fortinet", "source.ip": [ @@ -627,7 +649,6 @@ "user.name": "ender" }, { - "@timestamp": "2020-07-04T13:38:16.000Z", "destination.ip": [ "10.210.213.18" ], @@ -648,6 +669,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2703, + "related.hosts": [ + "essecill2595.mail.local", + "liq5883.localdomain" + ], "related.ip": [ "10.210.213.18", "10.57.40.29" @@ -670,7 +695,6 @@ ], "rsa.network.domain": "liq5883.localdomain", "rsa.network.network_service": "http", - "rsa.time.event_time": "2020-07-04T13:38:16.000Z", "server.domain": "liq5883.localdomain", "service.type": "fortinet", "source.ip": [ @@ -684,7 +708,6 @@ "user.name": "onse" }, { - "@timestamp": "2019-07-18T20:40:50.000Z", "destination.ip": [ "10.200.156.102" ], @@ -705,9 +728,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5166, + "related.hosts": [ + "ali6446.localhost", + "rsint7026.test" + ], "related.ip": [ - "10.200.156.102", - "10.144.82.69" + "10.144.82.69", + "10.200.156.102" ], "related.user": [ "rveli" @@ -727,7 +754,6 @@ ], "rsa.network.domain": "rsint7026.test", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2019-07-18T20:40:50.000Z", "server.domain": "rsint7026.test", "service.type": "fortinet", "source.ip": [ @@ -741,7 +767,6 @@ "user.name": "rveli" }, { - "@timestamp": "2019-08-02T03:43:25.000Z", "destination.ip": [ "10.72.58.135" ], @@ -762,6 +787,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7668, + "related.hosts": [ + "torev7118.internal.domain", + "qua2945.www.local" + ], "related.ip": [ "10.109.232.112", "10.72.58.135" @@ -784,7 +813,6 @@ ], "rsa.network.domain": "qua2945.www.local", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2019-08-02T03:43:25.000Z", "server.domain": "qua2945.www.local", "service.type": "fortinet", "source.ip": [ @@ -798,7 +826,6 @@ "user.name": "xea" }, { - "@timestamp": "2019-08-16T10:45:59.000Z", "destination.ip": [ "10.72.29.73" ], @@ -819,9 +846,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1044, + "related.hosts": [ + "dolore6103.www5.example", + "luptat6494.www.example" + ], "related.ip": [ - "10.38.22.45", - "10.72.29.73" + "10.72.29.73", + "10.38.22.45" ], "related.user": [ "onproide" @@ -841,7 +872,6 @@ ], "rsa.network.domain": "luptat6494.www.example", "rsa.network.network_service": "http", - "rsa.time.event_time": "2019-08-16T10:45:59.000Z", "server.domain": "luptat6494.www.example", "service.type": "fortinet", "source.ip": [ @@ -855,7 +885,6 @@ "user.name": "onproide" }, { - "@timestamp": "2019-08-30T17:48:33.000Z", "destination.ip": [ "10.76.72.111" ], @@ -876,6 +905,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7183, + "related.hosts": [ + "errorsi6996.www.domain", + "moenimi6317.internal.invalid" + ], "related.ip": [ "10.70.95.74", "10.76.72.111" @@ -898,7 +931,6 @@ ], "rsa.network.domain": "moenimi6317.internal.invalid", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2019-08-30T17:48:33.000Z", "server.domain": "moenimi6317.internal.invalid", "service.type": "fortinet", "source.ip": [ @@ -912,7 +944,6 @@ "user.name": "ivelits" }, { - "@timestamp": "2019-09-14T00:51:07.000Z", "destination.ip": [ "10.73.69.75" ], @@ -933,6 +964,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6907, + "related.hosts": [ + "lumquido5839.api.corp", + "tion1761.home" + ], "related.ip": [ "10.73.69.75", "10.19.201.13" @@ -955,7 +990,6 @@ ], "rsa.network.domain": "tion1761.home", "rsa.network.network_service": "https", - "rsa.time.event_time": "2019-09-14T00:51:07.000Z", "server.domain": "tion1761.home", "service.type": "fortinet", "source.ip": [ @@ -969,7 +1003,6 @@ "user.name": "tat" }, { - "@timestamp": "2019-09-28T07:53:42.000Z", "destination.ip": [ "10.84.105.75" ], @@ -990,6 +1023,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 499, + "related.hosts": [ + "aperia4409.www5.invalid", + "santium4235.api.local" + ], "related.ip": [ "10.84.105.75", "10.78.151.178" @@ -1012,7 +1049,6 @@ ], "rsa.network.domain": "santium4235.api.local", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2019-09-28T07:53:42.000Z", "server.domain": "santium4235.api.local", "service.type": "fortinet", "source.ip": [ @@ -1026,7 +1062,6 @@ "user.name": "iquaUten" }, { - "@timestamp": "2019-10-12T14:56:16.000Z", "destination.ip": [ "10.25.192.202" ], @@ -1047,9 +1082,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1531, + "related.hosts": [ + "tem2496.api.lan", + "CSed2857.www5.example" + ], "related.ip": [ - "10.135.233.146", - "10.25.192.202" + "10.25.192.202", + "10.135.233.146" ], "related.user": [ "emeumfu" @@ -1069,7 +1108,6 @@ ], "rsa.network.domain": "CSed2857.www5.example", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2019-10-12T14:56:16.000Z", "server.domain": "CSed2857.www5.example", "service.type": "fortinet", "source.ip": [ @@ -1083,7 +1121,6 @@ "user.name": "emeumfu" }, { - "@timestamp": "2019-10-26T21:58:50.000Z", "destination.ip": [ "10.104.134.200" ], @@ -1104,6 +1141,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6051, + "related.hosts": [ + "eme6710.mail.invalid", + "equep5085.mail.domain" + ], "related.ip": [ "10.104.134.200", "10.121.219.204" @@ -1126,7 +1167,6 @@ ], "rsa.network.domain": "equep5085.mail.domain", "rsa.network.network_service": "https", - "rsa.time.event_time": "2019-10-26T21:58:50.000Z", "server.domain": "equep5085.mail.domain", "service.type": "fortinet", "source.ip": [ @@ -1140,7 +1180,6 @@ "user.name": "uptat" }, { - "@timestamp": "2019-11-10T05:01:24.000Z", "destination.ip": [ "10.225.160.182" ], @@ -1161,6 +1200,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6994, + "related.hosts": [ + "ihilm1669.mail.invalid", + "conseq557.mail.lan" + ], "related.ip": [ "10.225.160.182", "10.191.105.82" @@ -1183,7 +1226,6 @@ ], "rsa.network.domain": "conseq557.mail.lan", "rsa.network.network_service": "https", - "rsa.time.event_time": "2019-11-10T05:01:24.000Z", "server.domain": "conseq557.mail.lan", "service.type": "fortinet", "source.ip": [ @@ -1197,7 +1239,6 @@ "user.name": "eirure" }, { - "@timestamp": "2019-11-24T12:03:59.000Z", "destination.ip": [ "10.161.57.8" ], @@ -1218,6 +1259,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5200, + "related.hosts": [ + "umexerci1284.internal.localdomain", + "ite2026.www.invalid" + ], "related.ip": [ "10.141.44.153", "10.161.57.8" @@ -1240,7 +1285,6 @@ ], "rsa.network.domain": "ite2026.www.invalid", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2019-11-24T12:03:59.000Z", "server.domain": "ite2026.www.invalid", "service.type": "fortinet", "source.ip": [ @@ -1254,7 +1298,6 @@ "user.name": "quisnos" }, { - "@timestamp": "2019-12-08T19:06:33.000Z", "destination.ip": [ "10.6.167.7" ], @@ -1275,9 +1318,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3365, + "related.hosts": [ + "adol485.example", + "lit5929.test" + ], "related.ip": [ - "10.6.167.7", - "10.153.111.103" + "10.153.111.103", + "10.6.167.7" ], "related.user": [ "eumfug" @@ -1297,7 +1344,6 @@ ], "rsa.network.domain": "lit5929.test", "rsa.network.network_service": "https", - "rsa.time.event_time": "2019-12-08T19:06:33.000Z", "server.domain": "lit5929.test", "service.type": "fortinet", "source.ip": [ @@ -1311,7 +1357,6 @@ "user.name": "eumfug" }, { - "@timestamp": "2019-12-23T02:09:07.000Z", "destination.ip": [ "10.134.148.219" ], @@ -1332,9 +1377,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1835, + "related.hosts": [ + "evita5008.www.localdomain", + "oru6938.invalid" + ], "related.ip": [ - "10.134.148.219", - "10.248.204.182" + "10.248.204.182", + "10.134.148.219" ], "related.user": [ "uioffi" @@ -1354,7 +1403,6 @@ ], "rsa.network.domain": "oru6938.invalid", "rsa.network.network_service": "pop3", - "rsa.time.event_time": "2019-12-23T02:09:07.000Z", "server.domain": "oru6938.invalid", "service.type": "fortinet", "source.ip": [ @@ -1368,7 +1416,6 @@ "user.name": "uioffi" }, { - "@timestamp": "2020-01-06T09:11:41.000Z", "destination.ip": [ "10.163.5.243" ], @@ -1389,6 +1436,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2019, + "related.hosts": [ + "tsedqu2456.www5.invalid", + "etdol5473.local" + ], "related.ip": [ "10.163.5.243", "10.178.77.231" @@ -1411,7 +1462,6 @@ ], "rsa.network.domain": "etdol5473.local", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2020-01-06T09:11:41.000Z", "server.domain": "etdol5473.local", "service.type": "fortinet", "source.ip": [ @@ -1425,7 +1475,6 @@ "user.name": "liquide" }, { - "@timestamp": "2020-01-20T16:14:16.000Z", "destination.ip": [ "10.221.89.228" ], @@ -1446,6 +1495,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2493, + "related.hosts": [ + "ris3314.mail.invalid", + "nimid893.mail.corp" + ], "related.ip": [ "10.221.89.228", "10.177.194.18" @@ -1468,7 +1521,6 @@ ], "rsa.network.domain": "nimid893.mail.corp", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2020-01-20T16:14:16.000Z", "server.domain": "nimid893.mail.corp", "service.type": "fortinet", "source.ip": [ @@ -1482,7 +1534,6 @@ "user.name": "aliquam" }, { - "@timestamp": "2020-02-03T23:16:50.000Z", "destination.ip": [ "10.32.239.1" ], @@ -1503,9 +1554,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3022, + "related.hosts": [ + "reme622.mail.example", + "rumwritt6003.host" + ], "related.ip": [ - "10.241.65.49", - "10.32.239.1" + "10.32.239.1", + "10.241.65.49" ], "related.user": [ "idata" @@ -1525,7 +1580,6 @@ ], "rsa.network.domain": "rumwritt6003.host", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2020-02-03T23:16:50.000Z", "server.domain": "rumwritt6003.host", "service.type": "fortinet", "source.ip": [ @@ -1539,7 +1593,6 @@ "user.name": "idata" }, { - "@timestamp": "2020-02-18T06:19:24.000Z", "destination.ip": [ "10.101.57.120" ], @@ -1560,6 +1613,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2328, + "related.hosts": [ + "non3341.mail.invalid", + "xeacomm6855.api.corp" + ], "related.ip": [ "10.168.90.81", "10.101.57.120" @@ -1582,7 +1639,6 @@ ], "rsa.network.domain": "xeacomm6855.api.corp", "rsa.network.network_service": "http", - "rsa.time.event_time": "2020-02-18T06:19:24.000Z", "server.domain": "xeacomm6855.api.corp", "service.type": "fortinet", "source.ip": [ @@ -1596,7 +1652,6 @@ "user.name": "eporr" }, { - "@timestamp": "2020-03-04T13:21:59.000Z", "destination.ip": [ "10.130.14.60" ], @@ -1617,6 +1672,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1156, + "related.hosts": [ + "ris727.api.local", + "icabo4125.mail.domain" + ], "related.ip": [ "10.130.14.60", "10.14.211.43" @@ -1639,7 +1698,6 @@ ], "rsa.network.domain": "icabo4125.mail.domain", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2020-03-04T13:21:59.000Z", "server.domain": "icabo4125.mail.domain", "service.type": "fortinet", "source.ip": [ @@ -1653,7 +1711,6 @@ "user.name": "litse" }, { - "@timestamp": "2020-03-18T20:24:33.000Z", "destination.ip": [ "10.248.101.25" ], @@ -1674,9 +1731,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6003, + "related.hosts": [ + "stquido5705.api.host", + "ionofdeF5643.www.localhost" + ], "related.ip": [ - "10.248.101.25", - "10.60.129.15" + "10.60.129.15", + "10.248.101.25" ], "related.user": [ "evolup" @@ -1696,7 +1757,6 @@ ], "rsa.network.domain": "ionofdeF5643.www.localhost", "rsa.network.network_service": "http", - "rsa.time.event_time": "2020-03-18T20:24:33.000Z", "server.domain": "ionofdeF5643.www.localhost", "service.type": "fortinet", "source.ip": [ @@ -1710,7 +1770,6 @@ "user.name": "evolup" }, { - "@timestamp": "2020-04-02T03:27:07.000Z", "destination.ip": [ "10.111.187.12" ], @@ -1731,6 +1790,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5651, + "related.hosts": [ + "etcons7378.api.lan", + "orem6702.invalid" + ], "related.ip": [ "10.111.187.12", "10.72.93.28" @@ -1753,7 +1816,6 @@ ], "rsa.network.domain": "orem6702.invalid", "rsa.network.network_service": "https", - "rsa.time.event_time": "2020-04-02T03:27:07.000Z", "server.domain": "orem6702.invalid", "service.type": "fortinet", "source.ip": [ @@ -1767,7 +1829,6 @@ "user.name": "niamqui" }, { - "@timestamp": "2020-04-16T10:29:41.000Z", "destination.ip": [ "10.66.2.232" ], @@ -1788,9 +1849,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3470, + "related.hosts": [ + "vita2681.www5.local", + "oin6780.mail.domain" + ], "related.ip": [ - "10.66.2.232", - "10.27.14.168" + "10.27.14.168", + "10.66.2.232" ], "related.user": [ "uirati" @@ -1810,7 +1875,6 @@ ], "rsa.network.domain": "oin6780.mail.domain", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2020-04-16T10:29:41.000Z", "server.domain": "oin6780.mail.domain", "service.type": "fortinet", "source.ip": [ @@ -1824,7 +1888,6 @@ "user.name": "uirati" }, { - "@timestamp": "2020-04-30T17:32:16.000Z", "destination.ip": [ "10.195.2.130" ], @@ -1845,9 +1908,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6932, + "related.hosts": [ + "tnulapa7592.www.local", + "eprehen3224.www5.localdomain" + ], "related.ip": [ - "10.75.99.127", - "10.195.2.130" + "10.195.2.130", + "10.75.99.127" ], "related.user": [ "inibusB" @@ -1867,7 +1934,6 @@ ], "rsa.network.domain": "eprehen3224.www5.localdomain", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2020-04-30T17:32:16.000Z", "server.domain": "eprehen3224.www5.localdomain", "service.type": "fortinet", "source.ip": [ @@ -1881,7 +1947,6 @@ "user.name": "inibusB" }, { - "@timestamp": "2020-05-15T00:34:50.000Z", "destination.ip": [ "10.245.104.182" ], @@ -1902,9 +1967,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6945, + "related.hosts": [ + "lup2134.www.localhost", + "ptasn6599.www.localhost" + ], "related.ip": [ - "10.245.104.182", - "10.201.238.90" + "10.201.238.90", + "10.245.104.182" ], "related.user": [ "ovol" @@ -1924,7 +1993,6 @@ ], "rsa.network.domain": "ptasn6599.www.localhost", "rsa.network.network_service": "pop3", - "rsa.time.event_time": "2020-05-15T00:34:50.000Z", "server.domain": "ptasn6599.www.localhost", "service.type": "fortinet", "source.ip": [ @@ -1938,7 +2006,6 @@ "user.name": "ovol" }, { - "@timestamp": "2020-05-29T07:37:24.000Z", "destination.ip": [ "10.105.91.31" ], @@ -1959,6 +2026,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 853, + "related.hosts": [ + "tanimid3337.mail.corp", + "nisist2752.home" + ], "related.ip": [ "10.217.150.196", "10.105.91.31" @@ -1981,7 +2052,6 @@ ], "rsa.network.domain": "nisist2752.home", "rsa.network.network_service": "http", - "rsa.time.event_time": "2020-05-29T07:37:24.000Z", "server.domain": "nisist2752.home", "service.type": "fortinet", "source.ip": [ @@ -1995,7 +2065,6 @@ "user.name": "con" }, { - "@timestamp": "2020-06-12T14:39:58.000Z", "destination.ip": [ "10.184.18.202" ], @@ -2016,9 +2085,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4153, + "related.hosts": [ + "eumiu765.api.lan", + "gitsedqu2649.mail.lan" + ], "related.ip": [ - "10.4.157.1", - "10.184.18.202" + "10.184.18.202", + "10.4.157.1" ], "related.user": [ "oditem" @@ -2038,7 +2111,6 @@ ], "rsa.network.domain": "gitsedqu2649.mail.lan", "rsa.network.network_service": "https", - "rsa.time.event_time": "2020-06-12T14:39:58.000Z", "server.domain": "gitsedqu2649.mail.lan", "service.type": "fortinet", "source.ip": [ @@ -2052,7 +2124,6 @@ "user.name": "oditem" }, { - "@timestamp": "2020-06-26T21:42:33.000Z", "destination.ip": [ "10.113.95.59" ], @@ -2073,6 +2144,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1693, + "related.hosts": [ + "mquelau5326.mail.lan", + "entsunt3962.www.example" + ], "related.ip": [ "10.113.95.59", "10.255.39.252" @@ -2095,7 +2170,6 @@ ], "rsa.network.domain": "entsunt3962.www.example", "rsa.network.network_service": "https", - "rsa.time.event_time": "2020-06-26T21:42:33.000Z", "server.domain": "entsunt3962.www.example", "service.type": "fortinet", "source.ip": [ @@ -2109,7 +2183,6 @@ "user.name": "persp" }, { - "@timestamp": "2020-07-11T04:45:07.000Z", "destination.ip": [ "10.83.177.2" ], @@ -2130,6 +2203,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 337, + "related.hosts": [ + "idestlab2631.www.lan", + "tut2703.www.host" + ], "related.ip": [ "10.27.16.118", "10.83.177.2" @@ -2152,7 +2229,6 @@ ], "rsa.network.domain": "tut2703.www.host", "rsa.network.network_service": "http", - "rsa.time.event_time": "2020-07-11T04:45:07.000Z", "server.domain": "tut2703.www.host", "service.type": "fortinet", "source.ip": [ @@ -2166,7 +2242,6 @@ "user.name": "borios" }, { - "@timestamp": "2019-07-25T11:47:41.000Z", "destination.ip": [ "10.167.227.44" ], @@ -2187,9 +2262,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7041, + "related.hosts": [ + "inesci6789.test", + "entorev160.test" + ], "related.ip": [ - "10.38.54.72", - "10.167.227.44" + "10.167.227.44", + "10.38.54.72" ], "related.user": [ "riamea" @@ -2209,7 +2288,6 @@ ], "rsa.network.domain": "entorev160.test", "rsa.network.network_service": "http", - "rsa.time.event_time": "2019-07-25T11:47:41.000Z", "server.domain": "entorev160.test", "service.type": "fortinet", "source.ip": [ @@ -2223,7 +2301,6 @@ "user.name": "riamea" }, { - "@timestamp": "2019-08-08T18:50:15.000Z", "destination.ip": [ "10.215.205.216" ], @@ -2244,9 +2321,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3854, + "related.hosts": [ + "ccaeca7077.internal.corp", + "proide3714.mail.localdomain" + ], "related.ip": [ - "10.216.54.184", - "10.215.205.216" + "10.215.205.216", + "10.216.54.184" ], "related.user": [ "ameiusm" @@ -2266,7 +2347,6 @@ ], "rsa.network.domain": "proide3714.mail.localdomain", "rsa.network.network_service": "http", - "rsa.time.event_time": "2019-08-08T18:50:15.000Z", "server.domain": "proide3714.mail.localdomain", "service.type": "fortinet", "source.ip": [ @@ -2280,7 +2360,6 @@ "user.name": "ameiusm" }, { - "@timestamp": "2019-08-23T01:52:50.000Z", "destination.ip": [ "10.9.18.237" ], @@ -2301,6 +2380,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 55, + "related.hosts": [ + "ima2031.api.corp", + "tot5313.mail.invalid" + ], "related.ip": [ "10.9.18.237", "10.9.12.248" @@ -2323,7 +2406,6 @@ ], "rsa.network.domain": "tot5313.mail.invalid", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2019-08-23T01:52:50.000Z", "server.domain": "tot5313.mail.invalid", "service.type": "fortinet", "source.ip": [ @@ -2337,7 +2419,6 @@ "user.name": "uradi" }, { - "@timestamp": "2019-09-06T08:55:24.000Z", "destination.ip": [ "10.41.123.102" ], @@ -2358,9 +2439,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 228, + "related.hosts": [ + "ian867.internal.corp", + "rumet3801.internal.domain" + ], "related.ip": [ - "10.83.130.226", - "10.41.123.102" + "10.41.123.102", + "10.83.130.226" ], "related.user": [ "tenim" @@ -2380,7 +2465,6 @@ ], "rsa.network.domain": "rumet3801.internal.domain", "rsa.network.network_service": "https", - "rsa.time.event_time": "2019-09-06T08:55:24.000Z", "server.domain": "rumet3801.internal.domain", "service.type": "fortinet", "source.ip": [ @@ -2394,7 +2478,6 @@ "user.name": "tenim" }, { - "@timestamp": "2019-09-20T15:57:58.000Z", "destination.ip": [ "10.80.152.108" ], @@ -2415,6 +2498,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4253, + "related.hosts": [ + "lorin4249.corp", + "liqua2834.www5.lan" + ], "related.ip": [ "10.175.112.197", "10.80.152.108" @@ -2437,7 +2524,6 @@ ], "rsa.network.domain": "liqua2834.www5.lan", "rsa.network.network_service": "pop3", - "rsa.time.event_time": "2019-09-20T15:57:58.000Z", "server.domain": "liqua2834.www5.lan", "service.type": "fortinet", "source.ip": [ @@ -2451,7 +2537,6 @@ "user.name": "tametcon" }, { - "@timestamp": "2019-10-04T23:00:32.000Z", "destination.ip": [ "10.142.25.100" ], @@ -2472,9 +2557,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2200, + "related.hosts": [ + "gnaaliqu3935.api.test", + "sequat7273.api.host" + ], "related.ip": [ - "10.142.25.100", - "10.134.18.114" + "10.134.18.114", + "10.142.25.100" ], "related.user": [ "osqui" @@ -2494,7 +2583,6 @@ ], "rsa.network.domain": "sequat7273.api.host", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2019-10-04T23:00:32.000Z", "server.domain": "sequat7273.api.host", "service.type": "fortinet", "source.ip": [ @@ -2508,7 +2596,6 @@ "user.name": "osqui" }, { - "@timestamp": "2019-10-19T06:03:07.000Z", "destination.ip": [ "10.223.119.218" ], @@ -2529,6 +2616,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5717, + "related.hosts": [ + "nsequat1859.internal.localhost", + "uidol4575.localhost" + ], "related.ip": [ "10.28.118.160", "10.223.119.218" @@ -2551,7 +2642,6 @@ ], "rsa.network.domain": "uidol4575.localhost", "rsa.network.network_service": "http", - "rsa.time.event_time": "2019-10-19T06:03:07.000Z", "server.domain": "uidol4575.localhost", "service.type": "fortinet", "source.ip": [ @@ -2565,7 +2655,6 @@ "user.name": "ntsunt" }, { - "@timestamp": "2019-11-02T13:05:41.000Z", "destination.ip": [ "10.47.28.48" ], @@ -2586,9 +2675,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4469, + "related.hosts": [ + "ritin2495.api.corp", + "oremq2000.api.corp" + ], "related.ip": [ - "10.110.114.175", - "10.47.28.48" + "10.47.28.48", + "10.110.114.175" ], "related.user": [ "plicab" @@ -2608,7 +2701,6 @@ ], "rsa.network.domain": "oremq2000.api.corp", "rsa.network.network_service": "https", - "rsa.time.event_time": "2019-11-02T13:05:41.000Z", "server.domain": "oremq2000.api.corp", "service.type": "fortinet", "source.ip": [ @@ -2622,7 +2714,6 @@ "user.name": "plicab" }, { - "@timestamp": "2019-11-16T20:08:15.000Z", "destination.ip": [ "10.90.33.138" ], @@ -2643,6 +2734,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5524, + "related.hosts": [ + "tetur2694.mail.local", + "oremi1485.api.localhost" + ], "related.ip": [ "10.40.251.202", "10.90.33.138" @@ -2665,7 +2760,6 @@ ], "rsa.network.domain": "oremi1485.api.localhost", "rsa.network.network_service": "pop3", - "rsa.time.event_time": "2019-11-16T20:08:15.000Z", "server.domain": "oremi1485.api.localhost", "service.type": "fortinet", "source.ip": [ @@ -2679,7 +2773,6 @@ "user.name": "nvolupt" }, { - "@timestamp": "2019-12-01T03:10:49.000Z", "destination.ip": [ "10.227.173.252" ], @@ -2700,6 +2793,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3624, + "related.hosts": [ + "rem7043.localhost", + "sequatD5469.www5.lan" + ], "related.ip": [ "10.65.2.106", "10.227.173.252" @@ -2722,7 +2819,6 @@ ], "rsa.network.domain": "sequatD5469.www5.lan", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2019-12-01T03:10:49.000Z", "server.domain": "sequatD5469.www5.lan", "service.type": "fortinet", "source.ip": [ @@ -2736,7 +2832,6 @@ "user.name": "itation" }, { - "@timestamp": "2019-12-15T10:13:24.000Z", "destination.ip": [ "10.28.84.106" ], @@ -2757,9 +2852,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1609, + "related.hosts": [ + "emqu2846.internal.home", + "item2738.test" + ], "related.ip": [ - "10.193.233.229", - "10.28.84.106" + "10.28.84.106", + "10.193.233.229" ], "related.user": [ "tla" @@ -2779,7 +2878,6 @@ ], "rsa.network.domain": "item2738.test", "rsa.network.network_service": "https", - "rsa.time.event_time": "2019-12-15T10:13:24.000Z", "server.domain": "item2738.test", "service.type": "fortinet", "source.ip": [ @@ -2793,7 +2891,6 @@ "user.name": "tla" }, { - "@timestamp": "2019-12-29T17:15:58.000Z", "destination.ip": [ "10.210.89.183" ], @@ -2814,9 +2911,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6248, + "related.hosts": [ + "dqu6144.api.localhost", + "iosamnis1047.internal.localdomain" + ], "related.ip": [ - "10.150.245.88", - "10.210.89.183" + "10.210.89.183", + "10.150.245.88" ], "related.user": [ "sequa" @@ -2836,7 +2937,6 @@ ], "rsa.network.domain": "iosamnis1047.internal.localdomain", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2019-12-29T17:15:58.000Z", "server.domain": "iosamnis1047.internal.localdomain", "service.type": "fortinet", "source.ip": [ @@ -2850,7 +2950,6 @@ "user.name": "sequa" }, { - "@timestamp": "2020-01-13T00:18:32.000Z", "destination.ip": [ "10.85.185.13" ], @@ -2871,6 +2970,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7224, + "related.hosts": [ + "giatquov1918.internal.example", + "orroq6677.internal.example" + ], "related.ip": [ "10.85.185.13", "10.180.195.43" @@ -2893,7 +2996,6 @@ ], "rsa.network.domain": "orroq6677.internal.example", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2020-01-13T00:18:32.000Z", "server.domain": "orroq6677.internal.example", "service.type": "fortinet", "source.ip": [ @@ -2907,7 +3009,6 @@ "user.name": "voluptas" }, { - "@timestamp": "2020-01-27T07:21:06.000Z", "destination.ip": [ "10.210.28.247" ], @@ -2928,9 +3029,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 430, + "related.hosts": [ + "estl5804.internal.local", + "onevo4326.internal.local" + ], "related.ip": [ - "10.207.211.230", - "10.210.28.247" + "10.210.28.247", + "10.207.211.230" ], "related.user": [ "tate" @@ -2950,7 +3055,6 @@ ], "rsa.network.domain": "onevo4326.internal.local", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2020-01-27T07:21:06.000Z", "server.domain": "onevo4326.internal.local", "service.type": "fortinet", "source.ip": [ @@ -2964,7 +3068,6 @@ "user.name": "tate" }, { - "@timestamp": "2020-02-10T14:23:41.000Z", "destination.ip": [ "10.248.165.185" ], @@ -2985,6 +3088,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3589, + "related.hosts": [ + "Sedut1775.www.domain", + "itaedict7233.mail.localdomain" + ], "related.ip": [ "10.86.11.48", "10.248.165.185" @@ -3007,7 +3114,6 @@ ], "rsa.network.domain": "itaedict7233.mail.localdomain", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2020-02-10T14:23:41.000Z", "server.domain": "itaedict7233.mail.localdomain", "service.type": "fortinet", "source.ip": [ @@ -3021,7 +3127,6 @@ "user.name": "dquiac" }, { - "@timestamp": "2020-02-24T21:26:15.000Z", "destination.ip": [ "10.47.125.38" ], @@ -3042,9 +3147,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4814, + "related.hosts": [ + "mac7484.www5.test", + "numquam5869.internal.example" + ], "related.ip": [ - "10.47.125.38", - "10.118.6.177" + "10.118.6.177", + "10.47.125.38" ], "related.user": [ "quunt" @@ -3064,7 +3173,6 @@ ], "rsa.network.domain": "numquam5869.internal.example", "rsa.network.network_service": "http", - "rsa.time.event_time": "2020-02-24T21:26:15.000Z", "server.domain": "numquam5869.internal.example", "service.type": "fortinet", "source.ip": [ @@ -3078,7 +3186,6 @@ "user.name": "quunt" }, { - "@timestamp": "2020-03-11T04:28:49.000Z", "destination.ip": [ "10.60.142.127" ], @@ -3099,6 +3206,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 276, + "related.hosts": [ + "oin1140.mail.localhost", + "onu6137.api.home" + ], "related.ip": [ "10.60.142.127", "10.50.233.155" @@ -3121,7 +3232,6 @@ ], "rsa.network.domain": "onu6137.api.home", "rsa.network.network_service": "pop3", - "rsa.time.event_time": "2020-03-11T04:28:49.000Z", "server.domain": "onu6137.api.home", "service.type": "fortinet", "source.ip": [ @@ -3135,7 +3245,6 @@ "user.name": "atv" }, { - "@timestamp": "2020-03-25T11:31:24.000Z", "destination.ip": [ "10.120.10.211" ], @@ -3156,9 +3265,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2452, + "related.hosts": [ + "naaliq3710.api.local", + "aecatcup2241.www5.test" + ], "related.ip": [ - "10.120.10.211", - "10.28.82.189" + "10.28.82.189", + "10.120.10.211" ], "related.user": [ "rcit" @@ -3178,7 +3291,6 @@ ], "rsa.network.domain": "aecatcup2241.www5.test", "rsa.network.network_service": "http", - "rsa.time.event_time": "2020-03-25T11:31:24.000Z", "server.domain": "aecatcup2241.www5.test", "service.type": "fortinet", "source.ip": [ @@ -3192,7 +3304,6 @@ "user.name": "rcit" }, { - "@timestamp": "2020-04-08T18:33:58.000Z", "destination.ip": [ "10.6.38.163" ], @@ -3213,6 +3324,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3453, + "related.hosts": [ + "volupta3552.internal.localhost", + "labor6360.mail.local" + ], "related.ip": [ "10.31.237.225", "10.6.38.163" @@ -3235,7 +3350,6 @@ ], "rsa.network.domain": "labor6360.mail.local", "rsa.network.network_service": "pop3", - "rsa.time.event_time": "2020-04-08T18:33:58.000Z", "server.domain": "labor6360.mail.local", "service.type": "fortinet", "source.ip": [ @@ -3249,7 +3363,6 @@ "user.name": "olup" }, { - "@timestamp": "2020-04-23T01:36:32.000Z", "destination.ip": [ "10.125.165.144" ], @@ -3270,6 +3383,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2302, + "related.hosts": [ + "onse380.internal.localdomain", + "mveleum4322.www5.host" + ], "related.ip": [ "10.226.5.189", "10.125.165.144" @@ -3292,7 +3409,6 @@ ], "rsa.network.domain": "mveleum4322.www5.host", "rsa.network.network_service": "https", - "rsa.time.event_time": "2020-04-23T01:36:32.000Z", "server.domain": "mveleum4322.www5.host", "service.type": "fortinet", "source.ip": [ @@ -3306,7 +3422,6 @@ "user.name": "mvolu" }, { - "@timestamp": "2020-05-07T08:39:06.000Z", "destination.ip": [ "10.46.56.204" ], @@ -3327,9 +3442,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7079, + "related.hosts": [ + "queips4947.mail.example", + "archite1843.mail.home" + ], "related.ip": [ - "10.97.149.97", - "10.46.56.204" + "10.46.56.204", + "10.97.149.97" ], "related.user": [ "dolorsit" @@ -3349,7 +3468,6 @@ ], "rsa.network.domain": "archite1843.mail.home", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2020-05-07T08:39:06.000Z", "server.domain": "archite1843.mail.home", "service.type": "fortinet", "source.ip": [ @@ -3363,7 +3481,6 @@ "user.name": "dolorsit" }, { - "@timestamp": "2020-05-21T15:41:41.000Z", "destination.ip": [ "10.28.105.124" ], @@ -3384,9 +3501,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5773, + "related.hosts": [ + "oloreseo5039.test", + "itanim4024.api.example" + ], "related.ip": [ - "10.218.0.197", - "10.28.105.124" + "10.28.105.124", + "10.218.0.197" ], "related.user": [ "ntNe" @@ -3406,7 +3527,6 @@ ], "rsa.network.domain": "itanim4024.api.example", "rsa.network.network_service": "https", - "rsa.time.event_time": "2020-05-21T15:41:41.000Z", "server.domain": "itanim4024.api.example", "service.type": "fortinet", "source.ip": [ @@ -3420,7 +3540,6 @@ "user.name": "ntNe" }, { - "@timestamp": "2020-06-04T22:44:15.000Z", "destination.ip": [ "10.17.87.79" ], @@ -3441,6 +3560,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1586, + "related.hosts": [ + "minim459.mail.local", + "nreprehe715.api.home" + ], "related.ip": [ "10.17.87.79", "10.123.199.198" @@ -3463,7 +3586,6 @@ ], "rsa.network.domain": "nreprehe715.api.home", "rsa.network.network_service": "https", - "rsa.time.event_time": "2020-06-04T22:44:15.000Z", "server.domain": "nreprehe715.api.home", "service.type": "fortinet", "source.ip": [ @@ -3477,7 +3599,6 @@ "user.name": "ratvolu" }, { - "@timestamp": "2020-06-19T05:46:49.000Z", "destination.ip": [ "10.115.68.40" ], @@ -3498,9 +3619,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5137, + "related.hosts": [ + "eratv211.api.host", + "unte893.internal.host" + ], "related.ip": [ - "10.115.68.40", - "10.38.86.177" + "10.38.86.177", + "10.115.68.40" ], "related.user": [ "mpo" @@ -3520,7 +3645,6 @@ ], "rsa.network.domain": "unte893.internal.host", "rsa.network.network_service": "https", - "rsa.time.event_time": "2020-06-19T05:46:49.000Z", "server.domain": "unte893.internal.host", "service.type": "fortinet", "source.ip": [ @@ -3534,7 +3658,6 @@ "user.name": "mpo" }, { - "@timestamp": "2020-07-03T12:49:23.000Z", "destination.ip": [ "10.115.174.107" ], @@ -3555,6 +3678,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5704, + "related.hosts": [ + "aparia1179.www.localdomain", + "aspe951.mail.domain" + ], "related.ip": [ "10.115.174.107", "10.193.118.163" @@ -3577,7 +3704,6 @@ ], "rsa.network.domain": "aspe951.mail.domain", "rsa.network.network_service": "https", - "rsa.time.event_time": "2020-07-03T12:49:23.000Z", "server.domain": "aspe951.mail.domain", "service.type": "fortinet", "source.ip": [ @@ -3591,7 +3717,6 @@ "user.name": "exeacomm" }, { - "@timestamp": "2019-07-17T19:51:58.000Z", "destination.ip": [ "10.77.77.208" ], @@ -3612,6 +3737,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2310, + "related.hosts": [ + "iatqu6203.mail.corp", + "dipiscin4957.www.home" + ], "related.ip": [ "10.77.77.208", "10.37.128.49" @@ -3634,7 +3763,6 @@ ], "rsa.network.domain": "dipiscin4957.www.home", "rsa.network.network_service": "http", - "rsa.time.event_time": "2019-07-17T19:51:58.000Z", "server.domain": "dipiscin4957.www.home", "service.type": "fortinet", "source.ip": [ @@ -3648,7 +3776,6 @@ "user.name": "moles" }, { - "@timestamp": "2019-08-01T02:54:32.000Z", "destination.ip": [ "10.1.96.93" ], @@ -3669,9 +3796,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5398, + "related.hosts": [ + "ptasnula6576.api.invalid", + "econs2687.internal.localdomain" + ], "related.ip": [ - "10.1.96.93", - "10.54.73.158" + "10.54.73.158", + "10.1.96.93" ], "related.user": [ "lloinven" @@ -3691,7 +3822,6 @@ ], "rsa.network.domain": "econs2687.internal.localdomain", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2019-08-01T02:54:32.000Z", "server.domain": "econs2687.internal.localdomain", "service.type": "fortinet", "source.ip": [ @@ -3705,7 +3835,6 @@ "user.name": "lloinven" }, { - "@timestamp": "2019-08-15T09:57:06.000Z", "destination.ip": [ "10.182.152.242" ], @@ -3726,9 +3855,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2465, + "related.hosts": [ + "mag1506.internal.domain", + "tiumto5834.api.lan" + ], "related.ip": [ - "10.131.126.109", - "10.182.152.242" + "10.182.152.242", + "10.131.126.109" ], "related.user": [ "dolor" @@ -3748,7 +3881,6 @@ ], "rsa.network.domain": "tiumto5834.api.lan", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2019-08-15T09:57:06.000Z", "server.domain": "tiumto5834.api.lan", "service.type": "fortinet", "source.ip": [ @@ -3762,7 +3894,6 @@ "user.name": "dolor" }, { - "@timestamp": "2019-08-29T16:59:40.000Z", "destination.ip": [ "10.77.229.168" ], @@ -3783,6 +3914,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6064, + "related.hosts": [ + "fugits1163.host", + "iutal6032.www.test" + ], "related.ip": [ "10.181.247.224", "10.77.229.168" @@ -3805,7 +3940,6 @@ ], "rsa.network.domain": "iutal6032.www.test", "rsa.network.network_service": "http", - "rsa.time.event_time": "2019-08-29T16:59:40.000Z", "server.domain": "iutal6032.www.test", "service.type": "fortinet", "source.ip": [ @@ -3819,7 +3953,6 @@ "user.name": "adol" }, { - "@timestamp": "2019-09-13T00:02:15.000Z", "destination.ip": [ "10.72.162.6" ], @@ -3840,9 +3973,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2861, + "related.hosts": [ + "gitse2463.www5.invalid", + "inculp2078.host" + ], "related.ip": [ - "10.72.162.6", - "10.235.116.121" + "10.235.116.121", + "10.72.162.6" ], "related.user": [ "oinv" @@ -3862,7 +3999,6 @@ ], "rsa.network.domain": "inculp2078.host", "rsa.network.network_service": "http", - "rsa.time.event_time": "2019-09-13T00:02:15.000Z", "server.domain": "inculp2078.host", "service.type": "fortinet", "source.ip": [ @@ -3876,7 +4012,6 @@ "user.name": "oinv" }, { - "@timestamp": "2019-09-27T07:04:49.000Z", "destination.ip": [ "10.28.124.236" ], @@ -3897,9 +4032,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3559, + "related.hosts": [ + "temse6953.www.example", + "mexerc2757.internal.home" + ], "related.ip": [ - "10.149.193.117", - "10.28.124.236" + "10.28.124.236", + "10.149.193.117" ], "related.user": [ "mullam" @@ -3919,7 +4058,6 @@ ], "rsa.network.domain": "mexerc2757.internal.home", "rsa.network.network_service": "https", - "rsa.time.event_time": "2019-09-27T07:04:49.000Z", "server.domain": "mexerc2757.internal.home", "service.type": "fortinet", "source.ip": [ @@ -3933,7 +4071,6 @@ "user.name": "mullam" }, { - "@timestamp": "2019-10-11T14:07:23.000Z", "destination.ip": [ "10.196.96.162" ], @@ -3954,6 +4091,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1710, + "related.hosts": [ + "deriti6952.mail.domain", + "squira4455.api.domain" + ], "related.ip": [ "10.196.96.162", "10.34.131.224" @@ -3976,7 +4117,6 @@ ], "rsa.network.domain": "squira4455.api.domain", "rsa.network.network_service": "http", - "rsa.time.event_time": "2019-10-11T14:07:23.000Z", "server.domain": "squira4455.api.domain", "service.type": "fortinet", "source.ip": [ @@ -3990,7 +4130,6 @@ "user.name": "tnonproi" }, { - "@timestamp": "2019-10-25T21:09:57.000Z", "destination.ip": [ "10.77.78.180" ], @@ -4011,6 +4150,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4984, + "related.hosts": [ + "abor1370.www.domain", + "emveleum3661.localhost" + ], "related.ip": [ "10.97.236.123", "10.77.78.180" @@ -4033,7 +4176,6 @@ ], "rsa.network.domain": "emveleum3661.localhost", "rsa.network.network_service": "https", - "rsa.time.event_time": "2019-10-25T21:09:57.000Z", "server.domain": "emveleum3661.localhost", "service.type": "fortinet", "source.ip": [ @@ -4047,7 +4189,6 @@ "user.name": "nisi" }, { - "@timestamp": "2019-11-09T04:12:32.000Z", "destination.ip": [ "10.45.54.107" ], @@ -4068,6 +4209,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3421, + "related.hosts": [ + "emullamc5418.mail.test", + "sedquiac6517.internal.localhost" + ], "related.ip": [ "10.82.133.66", "10.45.54.107" @@ -4090,7 +4235,6 @@ ], "rsa.network.domain": "sedquiac6517.internal.localhost", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2019-11-09T04:12:32.000Z", "server.domain": "sedquiac6517.internal.localhost", "service.type": "fortinet", "source.ip": [ @@ -4104,7 +4248,6 @@ "user.name": "olorem" }, { - "@timestamp": "2019-11-23T11:15:06.000Z", "destination.ip": [ "10.170.252.219" ], @@ -4125,9 +4268,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4020, + "related.hosts": [ + "squirati7050.www5.lan", + "veniam3148.www5.home" + ], "related.ip": [ - "10.180.180.230", - "10.170.252.219" + "10.170.252.219", + "10.180.180.230" ], "related.user": [ "nse" @@ -4147,7 +4294,6 @@ ], "rsa.network.domain": "veniam3148.www5.home", "rsa.network.network_service": "pop3", - "rsa.time.event_time": "2019-11-23T11:15:06.000Z", "server.domain": "veniam3148.www5.home", "service.type": "fortinet", "source.ip": [ @@ -4161,7 +4307,6 @@ "user.name": "nse" }, { - "@timestamp": "2019-12-07T18:17:40.000Z", "destination.ip": [ "10.65.144.51" ], @@ -4182,6 +4327,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 617, + "related.hosts": [ + "venia2079.mail.example", + "unt3559.www.home" + ], "related.ip": [ "10.5.11.205", "10.65.144.51" @@ -4204,7 +4353,6 @@ ], "rsa.network.domain": "unt3559.www.home", "rsa.network.network_service": "http", - "rsa.time.event_time": "2019-12-07T18:17:40.000Z", "server.domain": "unt3559.www.home", "service.type": "fortinet", "source.ip": [ @@ -4218,7 +4366,6 @@ "user.name": "uptat" }, { - "@timestamp": "2019-12-22T01:20:14.000Z", "destination.ip": [ "10.76.122.196" ], @@ -4239,6 +4386,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 487, + "related.hosts": [ + "snostrum3450.www5.localhost", + "rere5274.mail.domain" + ], "related.ip": [ "10.76.122.196", "10.195.223.82" @@ -4261,7 +4412,6 @@ ], "rsa.network.domain": "rere5274.mail.domain", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2019-12-22T01:20:14.000Z", "server.domain": "rere5274.mail.domain", "service.type": "fortinet", "source.ip": [ @@ -4275,7 +4425,6 @@ "user.name": "umiurer" }, { - "@timestamp": "2020-01-05T08:22:49.000Z", "destination.ip": [ "10.225.255.211" ], @@ -4296,9 +4445,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2442, + "related.hosts": [ + "gelitsed3249.corp", + "uaeabi3728.www5.invalid" + ], "related.ip": [ - "10.138.210.116", - "10.225.255.211" + "10.225.255.211", + "10.138.210.116" ], "related.user": [ "fugiatn" @@ -4318,7 +4471,6 @@ ], "rsa.network.domain": "uaeabi3728.www5.invalid", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2020-01-05T08:22:49.000Z", "server.domain": "uaeabi3728.www5.invalid", "service.type": "fortinet", "source.ip": [ @@ -4332,7 +4484,6 @@ "user.name": "fugiatn" }, { - "@timestamp": "2020-01-19T15:25:23.000Z", "destination.ip": [ "10.219.1.151" ], @@ -4353,6 +4504,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6311, + "related.hosts": [ + "dolor7082.internal.localhost", + "uamqu2804.test" + ], "related.ip": [ "10.250.81.189", "10.219.1.151" @@ -4375,7 +4530,6 @@ ], "rsa.network.domain": "uamqu2804.test", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2020-01-19T15:25:23.000Z", "server.domain": "uamqu2804.test", "service.type": "fortinet", "source.ip": [ @@ -4389,7 +4543,6 @@ "user.name": "ori" }, { - "@timestamp": "2020-02-02T22:27:57.000Z", "destination.ip": [ "10.76.125.70" ], @@ -4410,6 +4563,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7128, + "related.hosts": [ + "totam6886.api.localhost", + "olor5201.host" + ], "related.ip": [ "10.54.23.133", "10.76.125.70" @@ -4432,7 +4589,6 @@ ], "rsa.network.domain": "olor5201.host", "rsa.network.network_service": "https", - "rsa.time.event_time": "2020-02-02T22:27:57.000Z", "server.domain": "olor5201.host", "service.type": "fortinet", "source.ip": [ @@ -4446,7 +4602,6 @@ "user.name": "oloreeu" }, { - "@timestamp": "2020-02-17T05:30:32.000Z", "destination.ip": [ "10.189.42.62" ], @@ -4467,6 +4622,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2780, + "related.hosts": [ + "laborum5749.www.example", + "eufug3348.www.lan" + ], "related.ip": [ "10.189.42.62", "10.36.110.69" @@ -4489,7 +4648,6 @@ ], "rsa.network.domain": "eufug3348.www.lan", "rsa.network.network_service": "http", - "rsa.time.event_time": "2020-02-17T05:30:32.000Z", "server.domain": "eufug3348.www.lan", "service.type": "fortinet", "source.ip": [ @@ -4503,7 +4661,6 @@ "user.name": "eque" }, { - "@timestamp": "2020-03-03T12:33:06.000Z", "destination.ip": [ "10.183.202.82" ], @@ -4524,9 +4681,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3284, + "related.hosts": [ + "lup3313.api.home", + "stquidol239.www5.invalid" + ], "related.ip": [ - "10.183.202.82", - "10.47.179.68" + "10.47.179.68", + "10.183.202.82" ], "related.user": [ "umfugi" @@ -4546,7 +4707,6 @@ ], "rsa.network.domain": "stquidol239.www5.invalid", "rsa.network.network_service": "https", - "rsa.time.event_time": "2020-03-03T12:33:06.000Z", "server.domain": "stquidol239.www5.invalid", "service.type": "fortinet", "source.ip": [ @@ -4560,7 +4720,6 @@ "user.name": "umfugi" }, { - "@timestamp": "2020-03-17T19:35:40.000Z", "destination.ip": [ "10.221.206.74" ], @@ -4581,9 +4740,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2314, + "related.hosts": [ + "edq5397.www.test", + "gia6531.mail.invalid" + ], "related.ip": [ - "10.221.206.74", - "10.73.28.165" + "10.73.28.165", + "10.221.206.74" ], "related.user": [ "quas" @@ -4603,7 +4766,6 @@ ], "rsa.network.domain": "gia6531.mail.invalid", "rsa.network.network_service": "pop3", - "rsa.time.event_time": "2020-03-17T19:35:40.000Z", "server.domain": "gia6531.mail.invalid", "service.type": "fortinet", "source.ip": [ @@ -4617,7 +4779,6 @@ "user.name": "quas" }, { - "@timestamp": "2020-04-01T02:38:14.000Z", "destination.ip": [ "10.14.204.36" ], @@ -4638,6 +4799,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5284, + "related.hosts": [ + "udan6536.www5.test", + "lamcola4879.www5.localdomain" + ], "related.ip": [ "10.14.204.36", "10.85.104.146" @@ -4660,7 +4825,6 @@ ], "rsa.network.domain": "lamcola4879.www5.localdomain", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2020-04-01T02:38:14.000Z", "server.domain": "lamcola4879.www5.localdomain", "service.type": "fortinet", "source.ip": [ @@ -4674,7 +4838,6 @@ "user.name": "emp" }, { - "@timestamp": "2020-04-15T09:40:49.000Z", "destination.ip": [ "10.30.246.132" ], @@ -4695,9 +4858,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3990, + "related.hosts": [ + "rumet6923.www5.lan", + "edquian330.mail.local" + ], "related.ip": [ - "10.30.246.132", - "10.208.18.210" + "10.208.18.210", + "10.30.246.132" ], "related.user": [ "veniam" @@ -4717,7 +4884,6 @@ ], "rsa.network.domain": "edquian330.mail.local", "rsa.network.network_service": "https", - "rsa.time.event_time": "2020-04-15T09:40:49.000Z", "server.domain": "edquian330.mail.local", "service.type": "fortinet", "source.ip": [ @@ -4731,7 +4897,6 @@ "user.name": "veniam" }, { - "@timestamp": "2020-04-29T16:43:23.000Z", "destination.ip": [ "10.19.119.17" ], @@ -4752,9 +4917,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4337, + "related.hosts": [ + "itse522.internal.localdomain", + "santi837.api.domain" + ], "related.ip": [ - "10.106.249.91", - "10.19.119.17" + "10.19.119.17", + "10.106.249.91" ], "related.user": [ "lit" @@ -4774,7 +4943,6 @@ ], "rsa.network.domain": "santi837.api.domain", "rsa.network.network_service": "pop3", - "rsa.time.event_time": "2020-04-29T16:43:23.000Z", "server.domain": "santi837.api.domain", "service.type": "fortinet", "source.ip": [ @@ -4788,7 +4956,6 @@ "user.name": "lit" }, { - "@timestamp": "2020-05-13T23:45:57.000Z", "destination.ip": [ "10.181.41.154" ], @@ -4809,6 +4976,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5275, + "related.hosts": [ + "amc3059.local", + "lpaquiof804.internal.invalid" + ], "related.ip": [ "10.29.109.126", "10.181.41.154" @@ -4831,7 +5002,6 @@ ], "rsa.network.domain": "lpaquiof804.internal.invalid", "rsa.network.network_service": "http", - "rsa.time.event_time": "2020-05-13T23:45:57.000Z", "server.domain": "lpaquiof804.internal.invalid", "service.type": "fortinet", "source.ip": [ @@ -4845,7 +5015,6 @@ "user.name": "labo" }, { - "@timestamp": "2020-05-28T06:48:31.000Z", "destination.ip": [ "10.164.120.197" ], @@ -4866,6 +5035,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2286, + "related.hosts": [ + "enbyCi3813.api.domain", + "nonn4478.host" + ], "related.ip": [ "10.164.207.42", "10.164.120.197" @@ -4888,7 +5061,6 @@ ], "rsa.network.domain": "nonn4478.host", "rsa.network.network_service": "https", - "rsa.time.event_time": "2020-05-28T06:48:31.000Z", "server.domain": "nonn4478.host", "service.type": "fortinet", "source.ip": [ @@ -4902,7 +5074,6 @@ "user.name": "pta" }, { - "@timestamp": "2020-06-11T13:51:06.000Z", "destination.ip": [ "10.154.191.225" ], @@ -4923,9 +5094,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2990, + "related.hosts": [ + "liquipex1155.mail.corp", + "amquaer3985.www5.example" + ], "related.ip": [ - "10.154.191.225", - "10.183.189.133" + "10.183.189.133", + "10.154.191.225" ], "related.user": [ "ita" @@ -4945,7 +5120,6 @@ ], "rsa.network.domain": "amquaer3985.www5.example", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2020-06-11T13:51:06.000Z", "server.domain": "amquaer3985.www5.example", "service.type": "fortinet", "source.ip": [ @@ -4959,7 +5133,6 @@ "user.name": "ita" }, { - "@timestamp": "2020-06-25T20:53:40.000Z", "destination.ip": [ "10.103.189.199" ], @@ -4980,6 +5153,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 226, + "related.hosts": [ + "isn3991.local", + "orem6317.local" + ], "related.ip": [ "10.103.189.199", "10.29.120.226" @@ -5002,7 +5179,6 @@ ], "rsa.network.domain": "orem6317.local", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2020-06-25T20:53:40.000Z", "server.domain": "orem6317.local", "service.type": "fortinet", "source.ip": [ @@ -5016,7 +5192,6 @@ "user.name": "emu" }, { - "@timestamp": "2020-07-10T03:56:14.000Z", "destination.ip": [ "10.210.153.7" ], @@ -5037,9 +5212,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4691, + "related.hosts": [ + "iumtotam1010.www5.corp", + "velill3230.www.corp" + ], "related.ip": [ - "10.210.153.7", - "10.133.254.23" + "10.133.254.23", + "10.210.153.7" ], "related.user": [ "voluptas" @@ -5059,7 +5238,6 @@ ], "rsa.network.domain": "velill3230.www.corp", "rsa.network.network_service": "https", - "rsa.time.event_time": "2020-07-10T03:56:14.000Z", "server.domain": "velill3230.www.corp", "service.type": "fortinet", "source.ip": [ @@ -5073,7 +5251,6 @@ "user.name": "voluptas" }, { - "@timestamp": "2019-07-24T10:58:48.000Z", "destination.ip": [ "10.91.2.135" ], @@ -5094,6 +5271,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5647, + "related.hosts": [ + "onsecte91.www5.localdomain", + "orumS757.www5.corp" + ], "related.ip": [ "10.91.2.135", "10.126.245.73" @@ -5116,7 +5297,6 @@ ], "rsa.network.domain": "orumS757.www5.corp", "rsa.network.network_service": "pop3", - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "server.domain": "orumS757.www5.corp", "service.type": "fortinet", "source.ip": [ @@ -5130,7 +5310,6 @@ "user.name": "olore" }, { - "@timestamp": "2019-08-07T18:01:23.000Z", "destination.ip": [ "10.137.85.123" ], @@ -5151,9 +5330,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2313, + "related.hosts": [ + "abori7686.internal.host", + "emi4534.www.localdomain" + ], "related.ip": [ - "10.183.243.246", - "10.137.85.123" + "10.137.85.123", + "10.183.243.246" ], "related.user": [ "cid" @@ -5173,7 +5356,6 @@ ], "rsa.network.domain": "emi4534.www.localdomain", "rsa.network.network_service": "https", - "rsa.time.event_time": "2019-08-07T18:01:23.000Z", "server.domain": "emi4534.www.localdomain", "service.type": "fortinet", "source.ip": [ @@ -5187,7 +5369,6 @@ "user.name": "cid" }, { - "@timestamp": "2019-08-22T01:03:57.000Z", "destination.ip": [ "10.10.86.55" ], @@ -5208,9 +5389,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1585, + "related.hosts": [ + "reprehen3513.test", + "inimav1576.mail.example" + ], "related.ip": [ - "10.10.86.55", - "10.61.225.196" + "10.61.225.196", + "10.10.86.55" ], "related.user": [ "eniamqu" @@ -5230,7 +5415,6 @@ ], "rsa.network.domain": "inimav1576.mail.example", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2019-08-22T01:03:57.000Z", "server.domain": "inimav1576.mail.example", "service.type": "fortinet", "source.ip": [ @@ -5244,7 +5428,6 @@ "user.name": "eniamqu" }, { - "@timestamp": "2019-09-05T08:06:31.000Z", "destination.ip": [ "10.79.73.195" ], @@ -5265,6 +5448,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3141, + "related.hosts": [ + "orroquis284.api.domain", + "aturQu7083.mail.host" + ], "related.ip": [ "10.79.73.195", "10.125.143.153" @@ -5287,7 +5474,6 @@ ], "rsa.network.domain": "aturQu7083.mail.host", "rsa.network.network_service": "http", - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "server.domain": "aturQu7083.mail.host", "service.type": "fortinet", "source.ip": [ @@ -5301,7 +5487,6 @@ "user.name": "emip" }, { - "@timestamp": "2019-09-19T15:09:05.000Z", "destination.ip": [ "10.64.139.17" ], @@ -5322,9 +5507,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6331, + "related.hosts": [ + "tionula2060.www5.localhost", + "lumqui7769.mail.local" + ], "related.ip": [ - "10.240.216.85", - "10.64.139.17" + "10.64.139.17", + "10.240.216.85" ], "related.user": [ "nimadmin" @@ -5344,7 +5533,6 @@ ], "rsa.network.domain": "lumqui7769.mail.local", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2019-09-19T15:09:05.000Z", "server.domain": "lumqui7769.mail.local", "service.type": "fortinet", "source.ip": [ @@ -5358,7 +5546,6 @@ "user.name": "nimadmin" }, { - "@timestamp": "2019-10-03T22:11:40.000Z", "destination.ip": [ "10.222.245.80" ], @@ -5379,6 +5566,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4474, + "related.hosts": [ + "rumSecti111.www5.domain", + "siarc6339.internal.corp" + ], "related.ip": [ "10.222.245.80", "10.87.90.49" @@ -5401,7 +5592,6 @@ ], "rsa.network.domain": "siarc6339.internal.corp", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2019-10-03T22:11:40.000Z", "server.domain": "siarc6339.internal.corp", "service.type": "fortinet", "source.ip": [ @@ -5415,7 +5605,6 @@ "user.name": "ptatemse" }, { - "@timestamp": "2019-10-18T05:14:14.000Z", "destination.ip": [ "10.87.144.208" ], @@ -5436,6 +5625,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4855, + "related.hosts": [ + "olores7881.local", + "ptatev6552.www.test" + ], "related.ip": [ "10.87.144.208", "10.143.53.214" @@ -5458,7 +5651,6 @@ ], "rsa.network.domain": "ptatev6552.www.test", "rsa.network.network_service": "pop3", - "rsa.time.event_time": "2019-10-18T05:14:14.000Z", "server.domain": "ptatev6552.www.test", "service.type": "fortinet", "source.ip": [ @@ -5472,7 +5664,6 @@ "user.name": "psumq" }, { - "@timestamp": "2019-11-01T12:16:48.000Z", "destination.ip": [ "10.105.97.134" ], @@ -5493,6 +5684,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1729, + "related.hosts": [ + "tDuis3281.www5.localdomain", + "byC5766.internal.home" + ], "related.ip": [ "10.105.97.134", "10.204.178.19" @@ -5515,7 +5710,6 @@ ], "rsa.network.domain": "byC5766.internal.home", "rsa.network.network_service": "pop3", - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", "server.domain": "byC5766.internal.home", "service.type": "fortinet", "source.ip": [ @@ -5529,7 +5723,6 @@ "user.name": "mexercit" }, { - "@timestamp": "2019-11-15T19:19:22.000Z", "destination.ip": [ "10.194.67.223" ], @@ -5550,9 +5743,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4493, + "related.hosts": [ + "uptasnul2751.www5.corp", + "hender6628.local" + ], "related.ip": [ - "10.161.64.168", - "10.194.67.223" + "10.194.67.223", + "10.161.64.168" ], "related.user": [ "tion" @@ -5572,7 +5769,6 @@ ], "rsa.network.domain": "hender6628.local", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2019-11-15T19:19:22.000Z", "server.domain": "hender6628.local", "service.type": "fortinet", "source.ip": [ @@ -5586,7 +5782,6 @@ "user.name": "tion" }, { - "@timestamp": "2019-11-30T02:21:57.000Z", "destination.ip": [ "10.120.148.241" ], @@ -5607,9 +5802,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6094, + "related.hosts": [ + "upt6017.api.localdomain", + "xercit7649.www5.home" + ], "related.ip": [ - "10.100.154.220", - "10.120.148.241" + "10.120.148.241", + "10.100.154.220" ], "related.user": [ "rsitam" @@ -5629,7 +5828,6 @@ ], "rsa.network.domain": "xercit7649.www5.home", "rsa.network.network_service": "smtp", - "rsa.time.event_time": "2019-11-30T02:21:57.000Z", "server.domain": "xercit7649.www5.home", "service.type": "fortinet", "source.ip": [ @@ -5643,7 +5841,6 @@ "user.name": "rsitam" }, { - "@timestamp": "2019-12-14T09:24:31.000Z", "destination.ip": [ "10.180.90.112" ], @@ -5664,6 +5861,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5012, + "related.hosts": [ + "tpers2217.internal.lan", + "porissu1470.domain" + ], "related.ip": [ "10.180.90.112", "10.116.153.19" @@ -5686,7 +5887,6 @@ ], "rsa.network.domain": "porissu1470.domain", "rsa.network.network_service": "ms-wbt-server", - "rsa.time.event_time": "2019-12-14T09:24:31.000Z", "server.domain": "porissu1470.domain", "service.type": "fortinet", "source.ip": [ diff --git a/x-pack/filebeat/module/fortinet/fields.go b/x-pack/filebeat/module/fortinet/fields.go index 535e8089827..60f2d21f39d 100644 --- a/x-pack/filebeat/module/fortinet/fields.go +++ b/x-pack/filebeat/module/fortinet/fields.go @@ -19,5 +19,5 @@ func init() { // AssetFortinet returns asset data. // This is the base64 encoded gzipped contents of module/fortinet. func AssetFortinet() string { - return "eJzsveuT2ziWL/h9/gpsfdhyddjpLld33Tu1M7ORk2m3cyczrbb8mNjoCAVEHknoJAEaAKVU/fUbeJAiRVBkSgdK193bHzrKKemcH14HB+f5ijzA9jeyEFIzDvpfCNFMZ/Abebf7SwoqkazQTPDfyH/8CyGk/j65E2mZwb8QsmCQpeo3++krwmkOLarmf3pbwG9kKUVZ+L8EKJv/vbO0yEKKfMfJAvow9V9qsmuxZBlcrKhaXSQy+eVN/XnF/QG2GyHTxt97MJj/XX28+uUNeU/VioiFJd3hx0FvhHy4YFyDXNAELszfG1TEGuRGMg2/ES1LGAVoQctMz+wQfyMLmikYh/ee5mCQ6hVUwEgNjGxWIMF+piVdLFhCVlSROQAnYq5AriG96IxPKvqEwTTXdsRQ9hdxx9ai5jRrDa+fex//EIsdk1wtW38/zKF/wTqr8mnFlPkeYYqUClKiBUlooUs//5JuSA5K0aX5N9UkETkoM2hhPt8jTcitWJJrSEQKMjwQR4vtgzp2OBVdWAPXMzM0ZMIecOTZ91Ou7JwngmvgWpnzwbjSlOsKhgpi1Cw/BmBK9f4HXXTMYTIsCNVks2LJilCiQCkmOFkxrQgl96C/Ms1BqWr1Lzpbox6sWokySwmHNUgyh3rfFVQqIHegqYFGnVDdsXpxK5bq9YQmD6DVTx3y10xCorPtS6I9bko+ghMWbofzBsyL4ERmsIbsiJnMBN8/n62ZvIZCQkK1R5LCgnFIieCZhaXpPAOS0yKMKlfLGdqBObDGd/6c31z/TNY0K/2JZylwzRbM7054pIkmmVi69ZKdhbCjY4a83y32e2Y5Cio1S8qMSvt7v7AXvTujQ/qonRLaGR3K/Tuld0nW512TN/97TQ6vieEaZ0FOO75i/s+ZHcj+snw36Nb0GKEXHZoEJUqZRLp7T5+2WOf/NGRKUw05cP09gqNlyvQsyejeGf5O4AHXcvs9AlsZnep7BMb4ccDiakyV5Ph+d1oK9BjpEXfaFgAp5huqR68JvTMbX6zMAgZNRw/pKAmnvSL29JAO9YFXRP8s7plWzjSLvGFVCU6fm67OMJGmjwRm8MnTl5xDrS45+1bCTo2W9fj9n7btR+2V4Im5HKgW3/vLtkfcrFlccdic3SvDhi1YQpvn+VYsyds1cE2mVjiTkqcgzRNEghdUnaEv2COkRIE2RFo/bvNQ/Q+WahE6tE9+sNSL0CH9pEXpWgLx7UvHbczOuJ4wJ0+bg5VQkfTV5r58L5Ruishsf0cq4Cnjy+pDFdo2DRvSH2d+2TEbrPOj3om9maz/QmiaSiMr+477/uR2Rq/FH3Vy17/Gnt5f//87vWa24suGfbngDGlNa1lKKFmyNfDaSPbHVQTMFB1nv4j7Akm/R+Xvj+HR6DVoiGI7k/Atwlo3nYd2ge2451s7y28dazKxB+mlt2ZrSj5tCyAJ7UqQORBgegWSfL7h+udfiZDkXSao/uUNmVNld1HlIFuwZSmt6jcw7mPU3T/wuK0bNN7jE8G+YH69FLHMbIdexxXnP7yBQcgNlWk0pa4h0RrDbs7kzeRLS9+jREJG95eUELVVGnJ/iXrYhtoK3E71gTPm30KyJeM0q37T1lYG5iGW/nUgMOJm8uXXwBR4+J2ZOH0KakTdWca4fXYbtas4Hnv7rICmIM/iu35vWZGb61O8pA5v01lqyRznK/2ujWxZMotuZ6OVonWzU7TsQTFPlyuRZZBoIf+IAtjM3jPE3Jg9xxRJ3NRBapC2FNVbsa+2kAMT/R2++PJk/r2oqrlQNtgtF5zMt51FI0TCtxKUNgQVy4ts69fJfNkIegI0WRHFUiAv/kz0SpbkzV//+hPZUEUUAK+5HJiJ70J5HTETqhBcQbypSP4wuyIRJde1TaHM507omaOsghTICzoXa2hMBuPByMpKvCktgea95yf5w2ybZ54qSFm5r6dhTNQPIc2xNiywBWH6H+WbP//8r8qJ9NeFFaAV6H90RvMP8x68pVuQ5A15yxNaqDJznhXzpHySXA9RP9H5EYitDHH55Q35dzPcl+SXX8i/k0RIoy/bUXimL8n/men/y3yRKdKelB+CS8hFCt/tW5dvYJbQLJvT5CGuBuzAcaHtsaHavSvMJAJPC8G4tk8TDeEAZ7s5ZiCliBSfttMHVQEJo5lFbJEqLaTRrPnWaR3mgzXNWOo2RggUIQtR8tTcMBlY8IwvvXI0GLzYPhEdyhi+QH8cDriNelZhmwmafi/3nIdDFPsdSA5asiTw6vBP4eaX7VvYXfeVEDbXPtU7jVYsqmW7IO/FxixN983JOBHSPMa0IA8AxcCkfRc33h9k0qRIQKnZmqWzNJbX9W0leZbAQVJtD3lqZrDxLlwzqUuamUd7y/bOAyYOljPz7La+cjsZbhT+qN9cE2mktbIGFTtpVC5B118bnAklIwU9PftMuEi4wzMho7iCuoL/5rqyvX6EXGggU7/fEwn2op1v+wSl+V/liPkDOF48p5kqMhYzsuG7fs4r1lH7vwvdzMjciPvdnjpzB/i9Xu266tXir5D/NTyMTry0Ek5RV/qQj95wNY+jydXlxOu+CeVmelheCLmv8RJ7Rf7hwiDK78P88dldVfYhbp/uIVNq+ylf7n6ye7A7Pce+zC/Im7/+SjZ23nOgnNAsC9sKrFHfqkk7+xHZgARHlmqSAVWaCL6XLtKexGdXE//Ykxg4qzHctn7uvgqZ2omzUU2QrLjIxHK774hbMNnRYgn5K0lWVNJEu0k0h3pr8VujOScl9zE9Wctm3ptRi53Q7Rz1MZ0IB3yX9kWRGyVT8MqNIOmmV6ZZybqnVtLEaqzOR8G9zUEkSSkrikpTnlKZEi5kTjP2eyi+V8g8OD+pj3I4eopEOe9cSU+apB3qGszrjC3AjjjwwFeQCJ72KNi75Z4pHdPOcmBAjCciLzLQwQ3Qa0SlVoHXku2JwUa+mdTPtJGnhndwO/dt5fbO7N1+ueB6hbRMu/xUrJiXXZRT+kwT/5anMabdkPxd8NjVFg6IRcO9UjFdeO2n/RnuiKhoJ/qSaHjU/vCRNUjVSKdID8WBBdb31M22BYo1zF2aXiJkCmm8e9AH2fhrStUcKx2jirSpv9j0r3dvKynyC0u1tEn5KgFOJRNOrc/LTLNXmoEktCiyKvtlV8smp5wuQ6m5hGTWvVO9Fx0oh1URpn9URGy484xpmhf7lkGP2HAzELunTyuSrJh53YgU1AW5K5W2z6QmUXMqqe6Jy6UajlykgwJssTC413AOTcgucsXQzZ2EBUjgidsQ1KjWKVuz1Gg2dj+EBdm0EmSf9iYvPMjHgsmzjXC3ns4X9Gh2ItPZ1g1WGaFn9DUDym7Qw7ZRxEXvNeG8NNK4lmcXHZZ1OJkosSVQ3lHkTqVYzz/2UbEa5LcSyrNtJbO73S7ayccNVcSCSHv2jQX3M/akIioFrQmNINOWuY5w+y7zGFiLWQSoxSyG9lxgiqI20TfoVCPoSo1b5HmekHvPx+Ad07kun3TnHCs2h+TaMc6C3QWxVw0B2xBEk44Sj6FYqzKL7XbqeUWJUicih9cOQ/14sVHZYtHZIZT7KWg9IHs2CKxBMh0zdeTAwCruPgmw4dk5ZPKJm7zYqR3obuk608VQs36nAhK2YLuHT1i7dc6cvpoqXleOH80UWIDaxMjSXcJEZaJKvZMliNs/m8+1CF/ar/TmS1BI8mHqQ2OZqgIC9u1qln+1Qn1ZkqoQiiEKjlF7yz6neeoqTNlQ/urs9lbhKTM9i1e66ImiiJc5SJY8VRYFx3aGLLYDA2tmstUnw4kld747Q1sDT4X0AbMHRybm/3yG6jWVa1fM/wlJ+B1tgMXPBe9Mt5Ggh4E5SR+zVt0P3QPps/69mPFWrhWtY4u50ISSla94EQ6gzcRyVgWqPItQrzbik4X6OWqmtGTf32y4la1abcVHWPEXGUu2sU/PAbkwsQB8cW2ebXvkcpnFjJsOT+DHMgMLLCxOBdfwGFtjrQHdcGev29VDpWmqzP/ZS5VmFaBQAZiByzlZUb6EGYdNbFnQ57iETcPVb5UQrSWblxoaEqIbo68cdKOtN6+/sOhQBUUTdvXMZSxa2cpDk2YfgvvxRQ5MU38LPG5tBpiZsKrgoNrFfMk1yAsyBbcopQJ5QZdgS3n7SPeFkBWGDu2KjNPbE/t74n7fqFshJJlLsTGfVX/1uqZ7dvXWk75JJ1RqbDNdTRjbouLPlOhkh57rTIksrdXGWEdKFOAdirHu4ktOaAZS19FFcsfU/825t7z4aBQBsEFIAYU5JVzwVxIKsC+ZQ9EP9tlwzisnKaU0B6Z+r9iVtHrca+Y8bJX7pzOyDdMrryw7WU+uLcO5zTbhRPBXS2H++8BNYJWUWUBxjDhu2nAGvrYADEixIEY6aAbqgkx3MmW/sUEzsyoO4iuXzlcq84hxKaMu2Cb14tdPPCVJVipdbUj/j84y2Z8wZVbS50R7+4ZRfO2n/SrQ2bUfd8LCL3pXlimeUvbj0MPLoLy2KAhVSiTM2kvNagTfk3bBbtkD/EYoKVZbxRKakZSph5ekkLYnyksCOvkxrChTSY/JvXziRe/ybCTNQYNUpKDKVvFStpCDq0WQiDw3Uky0nPbd1BrQyUF1z90Hz6XxNdYwwsXkxHci8qLsnsEIy0bJhvFUbHw8bSJ4AoV+WUdS9E5GZ5iLMsu25FtJM2f8TEVOGfdSgzcYZaLn6mpaPbHUpQNDNyrhLeMPkPpcoCoQnSprnfIPFPPJDzW0C5YeWrisUxUiqqhrdnZyZol9ABW8ukPW2XF9KLzllUy75XpqpzPInO03doptYvU8LVq3/w9r2r8ga9oLlsU/4/WQ31lu9TGWkJYJkMpzBGFzmwLJaDYL3KbRLpGpZVmpzfv3Y+MCNDdMr10Akgd1VMkBDIux524uupXvEmdPqFELA1mGZbJykb9Vjk2dZnhVUdorEWYGUrO5UDIxv6r/3c00JUaec8JszF3JkwyoNH+yhfB20HwCobd2yiqxc9j74IRf2a3z9F3fWInI54zXdbObF5ZPG5VPuL3WTJbq3Ja+pjZiAfRb/M7jIA0ciSvH3dVk7LeUuhdcdNN4PX3OynxzTe6dpHnhCzcQ123PJ/0abD+F9WpngH4OW37D/HxzbafUp7zVYqJrPWh75FwYoBvChdtERhZsmAo/UtdqG7OWfdur6xO0nbpw0I7N3eP7jLvGTP1VzZjcXA9qslj2uQFN1gB7w9OdRntBrlx+pq93mrkPDmuzFqBsf+PnH7w5bl7qOnNT6PoyKnkGys2McBfKRpA1lYzOs04WoCvKwDgpMtojCBRwFbU+SmtBm6qq43xhJJXRMKr8QmbWefr6ZrKvQxNfMtZZFPryso9sKDg6F3LnaXEgyQ3XZMqWnFph0bNFCyFjFq/9sSO/zCadVLqbsFUd7X8aII2zbHdZKgIb5/7DJ8J4kpUpGHHmG9man1+QF28faV5k8BuZOIOII2ul90XYLmI9c2f3bVrj1O5qCSNj6sGo3EfgekIqXsOMee+vho9MPRxwuWrJlkuQ8VrYhafsS9MX4DFY7XQlQa1Elprd497qPZ1GW673M1gWur53L5VffHQ6xk91MY6b63AayWjvfCLyYnbmuCu7Kj72yrZxdfY9Vc5fGTiC2/zUhW03I9Iy6XulebX0maLGmshraSmkrTxg5HqFr6dLHJXphsrnidDrVtU30pX6i8gMoqc08gsjRCm5o0lVTzms3BoRdNZ3jOCvKgVVHpZC7q2J3tRaAlXoscFKU11iKc61PYqy7NmeHYb5XDwSlr7uv7/MzVqeA6FB9LlT+NidBYMifHSreyxy973OJr/u9t075jpjXJRYPs5GHolaop8pI0kxjQ4di+xfkAnHrszY2hKXWWbkHlFlkoBSizIjbw1/kogUlNkSVbHf8MuC8RQekScgY0ofp3meKFssY/sUkxWIOUjr38ypZJmN4AlY8Jz/nS8JtZP4yvw2ODIeYR+KuSsu9EwasedOXtTxnAVIVfikWydhOlPmVYRdQHxV4emnniRDZ+bq3sexA0qc8lUHeXlblfu2+ZAyrkgKmrIsYGSYi1I3ftczNJGdPTazstjSOo7N4ui/SDXkRRYtmueSpLCg3gXkK19WPnwfrWm04jXIjG5tIpcW/nIlLwIn0nxgX93+17CossCdrV5ppktbmJEEB7Z7G3QLNp16XFG9WA37TkKxkUaQVYnIc3Oe4myjK0edsEawbyHFmqXOflZVkctB9QZCpSI53tH4dGvZO5bttMakGZcXVg0eCxv09DyyvuIeV9b/U8yPtDsdPbz/R8y9AyZ8ugoWr3DutQ0odis/ndyQm45C1YQRrWqtzy45jAAxsavOhl2iPqSfYg/zsdVh5d6JiNlcpLEzvjoZd/tKh8dCDJYe9WiFXy3BuQzOkHneMAH71GEXQFv7Q9iSpbUrp8eIl2O/Gjtp4Ag3P56SV4+7KGNeU1V378lnVz2nckTZYI1HSMqmFcGFfs0hlN5aVWE6FLhxBkNI0Cqetg0idXYlXVOW0a4jg9SmcGLzKxcgZU+nBXeGjrH14/nd/GMl9wWgnAO2MyQfbqDY8qJHIrJ8Ni/TdItun2H5DDUPqEG3VHBcofODVip8ipIJxCoHeyl2M1WeIyGBqWb0qqu5SsuU6TqzblcXzSMKNbbbZWw4UbJzLxwepIsSw57B9dle5Vdf3pIXPlfiS5kZXXnOMpvAYePA3j4WQplv/kRedQ0NfN8L88DFhrceQgqS0hazWLep93TaTOgZTHD7YaFXVZb7vU9NuoUlTbbkc+9zLWNzSZ8jKd8zbk0x4ySnjC8kzeFgOEZBpe3aG79OQku5nFi25F6kLjh6VxawEXUWAEUGtC8bKmAmItYLqV037h425H3J7VPyTqSQkReMry/+9JIwkbwkc/N/YP6PcpptFVMXfwr7F3VSzBYZ7XTOx9ah2hr+1YRYptbWZeXktmp+JRYHCzVoERWp++vc46zKICiQZiMHAa1zXLm7h+zL3VcqgXxyAcB/+tOXu6+XH9/+6U8u5nZNJWW9e3Ij5ANmyvLgAftaMWx62HqNYJRjKxE+Zwe3Skl9HdDEXBfbCE+YhZDAFUswBUjDlBQBcY5vBQn4B7CIzjaUdZsTn2wdsLXPsYma44Odoq7KeaRDoeep0hI7893ma0cziDXvUrR7tMr5iGckPTbZZdcYrKPS+GSTXd6Lz3cxJBas19BUDTWaIfbYoQarEQWGuZ/eExbKR9cTfLrhwoD3+v/HLtedyuw6/z3LFksbNnoP5CDIZ9kclR/3ED4hzhC01VrZxrv0ha4j2qsoO1sn8ydrduvs3GHPdFWymp3DH2aTvhaUZWauq2IuEy8zbq6buW22Epd5DmpYBkoY9EcVVjHXM6MiHjGeYwKvbbi1zz66Enle8n1LVAcdP65w06no7uFR/w3COnWNTR2nWZ+KbUp5+p8i7DXbYdNUs2Mkw8nouoxb4FSpCpYwgRYleq4XvEW/oZJ3nQ7fO3TF82ImYgnj6f3dhHxwdtRdUGoYyLezhhJM/35LvpUge2q3lhmfSdiv1Bk3uKFhEN2Sj1XSWTCsq9bSE8SLtElUYLcRMESLowxHQ1R1wDl2Mt0Uv0EDzajMI6yWIRvBvEALxATkmmiZonWlbdHErXbVIp1Sva8Vnkp3DjxZ5VRipZXUdLcF7bQvPtn7RJNOOBUKzdkKfS8ksMBNoKoJL5a21FIEsmL+zwhUC4reCcNVnELfXtbpPmPYF46v3JaDUT3RQfMZTWxjFPz0E0NbccTHe4PwfFms/8If9Qr9fk/4LNFylirUuusN6obycZ6nEYTXGUWXGHwGfMk4YlJkl3SM2Gg+W8zUhukEXX7w2SITG0Vz/NiVJm2u1/GoR/C6JHzGeExxwngBMp9v0QLeO7SL5CEO8TXNYuwVVswKKbSY4bukLPX1X2bW4ohPO4t2NjOxnKUxJtsQxo9/S/gsp48zrbHMBm3CZkdnEOFSyBmPBJrxeKCLTM2yeTbDdou2aP85InH0yuAN2ti1EJu0sbN6m7T/GpH2rxFp/4+ItP9nRNr/Goe2FkVG5xBDpNTU8Z9nfJaXmVW+59sI92RFvHiIoJfkZcaWeRFH+zZaJs2W2EFInjKLoZQo+Jbg20b4TLmAxAgrqGQS5zVpCMd5TaqtKosIvUgTXqdVR3mqaqHN0wMeI4gQLbR5mMWibZ81UYiXnD1yyoWCJMImXP9qZiXSpbD+VRR6BTSNYFYTeTFLsgg2bEM4gpPE0pXzrcY3ixrKKgrlopxF8GkkkmmW0CxCApGa0SXwZIsYddWkzWm2/R3SeQzc65ktAxqFsisHEwe1C6yNQn2+LNa/xrFBq9mc6X+NUmgsUTPcXnF7hKVAF9UqyjG3VCGR+Fluytn40XptNQiDXjk7P75xxBG3al8U4q6aPF4FuQbtBcsgxhtGzRYxFpEtMJOz24Rj6AZqxgobpDiLIupYsf5LqnTRKeaPRFvJJArtjC0gxjNGWUNzDilDSxht02Y8zi7JRVpmoBIRY7Y9cbaMIJtEoTZUo/b8b1APRZCjEJawZEpLim8J2dGOoPFJKGJNtYw218pWIpeR5KuLzHdbPAJ1LYHmERRJlwoUC3Y85XqzEkzNXIdZfOpbKmmUDZ72JMJiUF67/vbYdJnSlKP3OU6VnpcSq1lgRRVcr6AYVEt0rPh6dJWTjE3Wdm5Y4De7PrbSwCGaS5qm2GeApdhu1ap0UIS7iOWzRAqRR6lKZAhHeKaxfBYnONJXPIoxzcUDenmmQuGXLGWFKiRDJppRzXSJHn2WMQ54JXZ2VBVqR52ark2+xTdrZcJVPZ0tMoF+ndfEI4T8mzcvutQxRCNIHPOGjgAVPTYhE8soW5cvoxzgQkhsAZbPy2WMY5YzlcQQC7mKsmFj9IHgoG1xJXS66DLcFYDGjvhzVLHD8fhmg/0CiZJRJlwDaPSXqMDXjIRky1mgH9fJdDccJP6dVcxcU150sqidqXdkXYvXKJssQuKm74mDLQw8WWxpUMycIQkdLlXKfDhLVlh5/h3S8FgwdEdAATJfSsp1p+YuBuVNFML4V6+rRPb5814XUATCUixnVBWIDQOapCXFpiqBZjH0OwmJnQdXdTQScfxJNpRxS7g2KAuZRkCMb8hUEWzDytmGI8QDKMAOBHANjyM8ThR8w98AoQKtaFQjPKUUW0YQvKrAtrIpmcQ4BzJJ0RVpJZNQVVwEwhqvxVaTZqnQq2quE46dKBHsFnsqUVekE3v4eqnxt5Ujiu/Rq3t6YtPdFujVWst0HiUOvZRZhLuwVCBnKcPOeo/StqLyDMWYBp0oTXNsa/B6xrjSdBFBM1gzqWOo4euCRyjdpIUsOaaZNVQWLVBR9LLUgnwsOemwrqNHIjbL+0IzlpIrCSnT5IrK1FczVLb8exiO65wVcZb6OoRaMraJPrH1DRKRkVCqTh0PwXi8mXubF5nYQqex4OD8LUSJVtR75B4zc+hsRrbfmYQlPJKc7hda2Pli+bLcbwYSHWTGlG3OUHH3S28LKBFVFoWQmnQLjxKyWVFNmCaFhEXfVjghLPcpTShCE+9fHTUEwriv7N5TFzpjPHZH/gZUw62JUxEtlqBXIC9231crUXZuNEI4rEHW7Yi0IAWVCsgdaGo7gruzSuspeHErlur1xKW9/kSufYuvl0SvAl2KbDHgj+BbH1vYnNyD/so0BxVe5+6mjjJ5C9uyuz5FlrkbrAIqk9UF4yyIz/bcPUN97T3xaXth2GCI1xktue31uyxtH9eqiHu4gPtevfYDY4pfjrseU12E2/cv7nnsm4WYIeY0jau8atmST/Co7anoMxecoxt1j0DaNa67tx2qedbT8dJWz43YDtzWz1WgiYRvJSh9oGj38dHKT6+V71QG25bHcXUSe98iVcedts0phzA5RNY31vq7rdCufguOHLP3/3B/Q8Ps5roSCpZ3eG/YVwNeEO8Tt7C5XOZUAXHh2jUa0jlV9Sr5XzwPXl63gq+RC+nK1wenkRCqiAKw7c7o4X5VknJFkzO09+1UmHasuVV7d5smKaXtgHYIdAEyZ07dOBfoHUvXmIOtWQZLIBmsISNUKbbkbuF2/frDW9+WZH5G+W35H9jp82fp9GyQlZx9K2G/TSINH74G3uMqJh7XBaXSaFjqDmQiOAcbW0E2TK/6BAUhgcyQWmOXcFR60ZOfFmY6rTypr6hMLFlCM2IQ9Dx9LIrnRWdZ9bRpfL65K1ZbFYbXCGfbiL2oVuwLnmaMqtlKRH8TuEdc/VyzvVR2TY2MVGy24AnXAyDu0Bi09k7zjViSDKi8uMyUMA/x1nm7ts5y8t7/4oJc8m39rw51bd/yimtC04tE5EWpQYbFcBQzvhlYvOfZD/trYXssthaE6X+Ub/7887+at+91YzmqGfshCNvv0xmux2ys4YZuQZL/Udvk1GsPw4ILn3rs/J/4e57vMLd2/cH1ODJ4eUi2/bjfMMXwuSD3Hz69NWMHCc54Yu2lKVOJhILyZGu0Sq+eZfuxIMTO0Evy6e43csP1L29ekpv767f//Rv5fMP1r38hLzarLeHA9AokSVZC+VZpQkpItP3Wz7/+3//HTz8GZwT0KqKM258PK1Mvchpux6Mi774nHvOp24s3FajwEU+/L9BN2TSA/MiCcaMv+BDePcV09zr5wqQuaUZuL++DYH8XHOLZso7bGf+v4HARnlsD9w8jQu1AhoWnXYLv8Q4+sA5LqmFDn6FFut3dE3KZptLaad0uD8Gpr94kL471c57qC7m5upu4W6nXPZZTdUbvR8uo5DRVf3eTm4mB0mP9MnN4ZCcIlDk0vPvnsNLEZq671nkFRAMuTVNmvkyzncO20cs/fM+dcQOYJ6E94MKf8Ov2FuhA2cVaR9Hrxl5plNx7hBMhdS2SO0I3tQ42uwBMb4clrzrz3LvxML6sLpNqWHd9E88h9G48lxXXo7MvX6qUSJhROZ3dqKPjECOXJeVLuKifTongC7YsJaRkvrU0gac2aigsZ4ojSw90kkZ7tOUg00WEegcZou7fTOFCNwBIyIWGmY/sxo8zwp/alKsZnblQ/AikCy3jEF9E2BKLCNnCWYzjEKv+SRFhUmk6qyxx8dTy/Re8GcfFPremMeEZNNi3egWSgyaftgW8JJ+ra+zWGsB+IZPKANa5CT70aWpVq54zKBM9T+MKtLeLvyQ0y4LKRLH7og1wo9IG5q1BmjuQcS2I0vYyZ5x8vukVKIkNkI0mr9BFtiEqight3wxhCQo7oteQjZDi4m5E7FB0a2+PgNa1VphlwJfonSItZqN8RNRCezRQp/LQrOGA4SSx4QQLQsk7ITdUpt0+3YRcLm2wlyTUnPhHG0s3B70B4GHVE7lq4lN93ELTrOmqc2CILRlvIyM6I2Tcx7nasIScaSOWfIuN8BDXGeXn8OOPMFBWASINE2VngG2T5c6TsjYv2KV9wLZvHmxPJSS2CsEarx7cOI89lZolZUYlsfWiSQXixdvH327FUiwW4e7vkMz0CqIvbwvsJ8PQncYG7rcGt4F7WeoVcO2DxXthqxKzcsK4gB7Hsh/6ZwWyF7AodSLOO9OeZT/gaZkkoFQPZlt5/LjiaMcFnlhcxKi4SyG3JJCY0MF2DuHUwgh7GI1Usg4+VQhu7hUjt0LKYf1D0lGU2qNa49Wj67k3KXFVS23OQMYgrcfj7TB7+jDjRDFdBuQnsckF4EW0p7qiitBUFOZ20StgkogN3y2ZmzhNHwUXeU9cre3JoZgrUX9eJcIo94ynRv4IqeoJoOQdy4BcemAXnWkYY+zl9cDcmewNGK/H/yzhCr1TMPVRC7izEBpjYCIw891PmAgXrzf1+RrYM9EfEDoXMbMHAoOfw4qumSitdpmIvJAiZz0RinBucG85nWc2iWxBrg5jY3xdi52IIPcRtrROEgTQQojaXOYIgAH+Nb7Yq9u4ZXfnrXfb7dIsS67309mwNfrUpoHPkmOe9aO0IHsfL4GDZEk1JDshNtBvP7SA6ZW9akO93YgHe5H8fKG07Hd+VmM6puzWs43pzeExefXC8Yo4ruDTtH6Ea5aDMnLdaXsSCuh1IvlVQCsKMbgQtvDgicsgR26tY2p3P9vW+mXcmH6eKbQmp6OH5g3GQyPsjM2OeCcQRgiDP+7o3gyOTp517dxBQxmbHF45tFqq5xEgA3K8FiB/3O34y/CSYbU2OM+SjZOP8qwSBPOMjZAfZ92OmGPrbMZaqbcpaHt2avTMnVKvZjnolXgGLwltWZKJg+G/1rvgtpaSFFGtTge8Oh9F5u21BsiBfRnJEvLfF3/985/Ji9vry8lP5JopzfiyZGoFqU2FD2LJxFJErwt0yBNmo2UXDodfZvvFnogxKSJbFQ/lf5pVDSGoT4y1yKM1fX7KcUls2H+d99sw/FlMIZ8p5aEy6btIMZphVafbG8hHmrJSOQ5ESKJYzjIqnXgyYtOcocTe6+H0KnvOFUvPWWmkGSn/2WyEyoq4Vxdzd8jj5Vlc8kNn3bo1fKZhw/7rjUT2k85e8IYbaKRlpGFTppAxAwM6Lhs71UIuKWe/H4iq5vG2wtjJPmKmm3uqZ7oXTAZzSSNV/Xln2NnbwpX4crWLWlHN74FmepVQCaSQkIqccRpMuGuIpwnVDLhWg+HxGT3naG/psw7WlX6EItLGNUfnRyO4Ciq1LYa0G+phsXrGYkde2IyRqAtIQVIN6QwtqOzA/jDC513FsXaeTaRYs7QuHua/R4si85pqZ2P44j/mWmvrtGEFZzdIlp5plDVLX+tPb3uGGWweaiMn18x5z1f7intPCbha6cRsCv5UzRMerc7U+FEjE3oZGKjTUa3GShVRWkgn8Q21HDS13H6037ow3/oxPPqcpWkG55Nyd5bfWDkXWN6G3DtKzlXtMc4z3Inn1qgwxLeVd/YlKTJqlszcz0IS4IncFn1WfhsKeYb35IgIOlm/Ld8LpckdTVaM9zzpUhpJcvywP9efuY30LyQY8WH0I1fkTF2Q25QW5Iv9h9OPUsFd3uk/upcnWdE1GM0pAyrJtxLkltgahKoQXEGlUYWTU814Z/Y355GXvgZeYihLVlWB5G74ri5fP85qSGeAuttAH31x1LFIbZenuAaz/T1elZZuFTEyb0N/8TJFZMl58B2rXtY3j/M8uzJSPTl2nuLMvzDjLwQlG8ZTsVFEFZCwBUvMJy9DeYI+TrZ7QMzwHN5dzA15YSvCAk9215B1Xf7UmC1ScnuP38KSJlvyWbUL39Ye2Hw/kRY9utZwOMODvee2bz61LBSbq2Y3mbkROzNe1wEIZP+3Mk1tOk93+trDjq9Q91Xndep1YMR2hMGN5n9zxGDPE9fbN1Qf4etN75Wse2uH3l8FtDua8xjsaodBe212AZluGTorFC5IMZz8bNMGMFsC9ma42SGnsGDc2+qtcLJV/XJa9BQdtOiOShSLhG1ngNlT/7AFY22zjT12X0uppzZlbcPWmiar/Mwl8Hdc7YSTzuuouRxRmrzMGcfrIIZ6NsyQbVJh3MszIKSaaTt2WVwZ7V16f6BrZwd13LtvAHVBZbWnzJ9f7oayWbFOKXViTod5y7rg91HD0+g9S1xZCyG38Rb831RB+X8MVoypgLSrqFfqeehqMtPyb68t9YGxPZtK1BlVVW/98Kh6d8EMuJaiOEZ0pKKcd4wLo/a452le2zCQjmAxuuyO857DK5EXlG/r82iPnW2n794ra5DmGpoxvhBhpYCqh9g5QgPyY+8VWSHbQNyq6ItvsWIE3pVZtiV/L2nGFgxScm3znp1xMAhlA/NZIsQDeyan+1eYE8d/936mWZ82j15tducOL0ptVe4jW5gOn/WPNQvfZcebo51N/oJ82hZu6DvLgZkct4L9iydhMUMtJrsH22Bwhgj5owqVrd0Hcw5TXa1cttE5y2IhZGXtty7mj7c9S96olYO8naq5KOL2ITowFYbzoOW+gimFiKSJtEEZPmY9SEF12DSZ8BlVmN7+BmHp0+mRKZcyQ1zmBlXEVakfo7NSYllDGjQVyBld4r0pd6TRr6c2adTwxzZpv+sjCBZ41MCtaoX/ODH00XZzreitJOyFymBrVI7FOXIJWzL3k2Vr1avX/r+vPITX/j98XFPI7E8zkOHoPD+cZ/Seu8E0nefW4tpotdYZTuobopknFeMLkLLH79od91nG1VT8B6c+aJ49A8iqLvGisQyBI2Xd2iLqkQqwONv2e+v89mbbfbIRxLL5p/+CboBWf8NPVqxAnsceYXR2H/H04sq2fvyJXFn+YWgg9ZmKpfTM8xVI3/wTWlGYB4rzQlTXcWMiGwtumP6oGpWiD640+/1Yq+TTS6OEV5tM2e9haw17iCRTbv7rLeGwFJq5BSxWVPV0gFLJucsKNZbSMe9vLmiWOloHqE6Ay94eqwqnV/k34YAUxZbnyKho1zequx5+6m20bKQJU6pEVzotZRssFc9ad5oPxSIEKaPaQDuL0pSebw1zMrXO6UPS6SwREnVlcO9FfjG1oZ2HL6OG9DwO5NOl5wGM/SJUqWy2jnmj77tUvSE7CCadma1HS/QyjSoWYfYA/kUdqbjBD7t2Jc0LycrWvxBl/XVCkpvp5X/dTcjE3FPkA+/pvrJDGymT+hi0nzYijNaKoWQFyYM6yog8TgjHrUEWajpX1+usS4TZMFDfgnAnBQ9ouSBZpyjkMyi5DkddFaT30WAxa6rLs3X4bKJc04ylbiMGQOwLwrNVtT4kCO2MPcBW7YttpJ1fBZAi015pXagZsz1oo5C2SxljQhL6HZwmtuRV5ouQTG8HTlQi8jxqnbiRuB0ObxAKp+BvmIRs/6WJbWLZZJTPlHquhreGs5PhX/1oqxytIFqXajwrBDtHWHUIsENALAILKvwasNOarCjnncIZsctNea4WSI/P9kxlm+uLxfc8/Hp7ee/vvdd77OsLRQu5b/tHr9nG1MNsLbIy1gRcVn2cue9zU3fGrtr5lpxpRV44EOonW63DJvZWHXX3yBMLOjiarIwkzW491s+caR8ucNFOOliDtJECizIjieAJFNo8lKduDXvKK2w2MaWvm3jzYK9aaBughZCaCDO/7//zMhSCG5x27H0n5PL8AZb7CQYtE+ucumInwUIxf3v7YXIzIXf0MWc8rdt6h5fVjO3sYZitJoo9w/LD6Izu0LBq9Smcsogenu2yHGeL8yVsPncSfjXk6GpHy1jmpfLNta/S61EcRJidb1GeuVZANeL8f/m84Toxh6ddTRL7dFt7iXlCP1N0o29XbV/xtVM3d8m9L4kqAyHqVJF/U1oKvvyPeUaTh4wpDem/vfZ/e1l/yvgCkvBHCyZhQ7OgIkPnWeM3hPKUKEF6tqWEJVNabs3L/pzCoqB65Yv11xjIPoYOSGuUOhdMlwjt8rUSIRtVyGt9skYOXDdiUhq1X/ZXKbzHzduMKviNzEE3X/0pLGiZ6Zk9Ab+RBc1aicetAbTj9e9EWmZgj3hBpTJv+HdCasZBE7VVmVg2r+SDVeSSxJ2wY2f2Pzqb9NJlwtrGmvbcvPh4eX3zebprhdGD5EGzjvA8BUdGZU4ukwcuNhmkSyCfmvR7QKBOREt29jHsxuKcwHNq7Y117sSeOaAXQqCrzgkg3l/WREkOqpXUHIbQbXLo2B9uJdrlHAgx6GUYcgKfsto+RbTl4O1lvpT7I0Ng/beW4Onh3b2BT+N97di2axj28M47kdonjTpnrtjbANtOOKTfW8E6MgNMjQixTVsgETxV5JWtS25rqEBKFOMJ2CpZ7S5hfbg6hrgTpsPWaLI0ySsCywv33//+w534nWUZff3Xiz//MADICMzOq+KEyXISuFEvqodtN5zwJLHfJBfmyGm21SxRIUffCaw/WQuicx+2EjNVOfct4ezjqWI/EqX7NS7MRUaXbTAOpCvxNQAMU3w4k/Ck9ZTo4Vq8ejaJXRSomsEnezcnpfW5OBXAV0QoClszQIpsEBHqSd2VSBs+r+a7HVPcKevQYH7lBt+p49qHRO6bdtGQfGTqgdzCGgZXQiWd9usn7o1mqPPl5KXLhiaGD4fUvvlS0Pb16KtPLUvzxUGgmLfvEw5u0BOPxHvfw94DAVlyNAHoYfHhvRgoKu5l5RIZrevaH3TYnIt7X8EKrAvMF2ixbKDFpx8Ppsiw9MZov/aL4V5UJ86Flmy5BEkKqjVIrqyEcHaY5AF0SjV1Ne3nVMGvfyHAE9Hq0zsMuOeyOWXK6to4KXntWu6OwYN66zkggxdembK+CRhyNgeYGmrjeKpEdCy3J24Vx33aItwPoNcg8/Rh233KGhk8hv4QBL3CfSe7OBfv6RrzWi71CnXnt9smDG8CvQo16D9xD9S99F0Vcs40o5Uq0a4POwwvWHQWb4b2yAdhzClPNyztRNqegOI/OyT7OHNIZ7LsVA44gff95RX5VlJJuWYcDBRz3X4sva9nFKKuNxkdkM+cuRlQOueUBzietjSGfeuHYc5Cc9DB8gCnsLdUm3U5xqBAUr4887Gq1zwQmnaKadnXtZzC8PWV0CzrOqhPYH5FswzkCL5SMpAzQLw1jMi03pUPU3Ll6BPg6SsXxlbFyowRmN3I7xOUl+v76S6ee3hegonVeIK6wyAMA1EsXV354pGjzkKSSqtvYj5Drro0w7yBa0kzTvuUyKPW/8pRJfeXn4aXH9XCehXIGOhli2yza4YBDz+8DYAVVYiaQZN/i3KY/2JJdae52SnsBV+wZSndoTO02bwcXIbFUsz/GQvEXpOiPgSdkjGIEFq0+wCgPmHb/G15VG/GHTyKi6V+LMSmR2k+ThS00Hz6b9KmH8YRjK8+AUQdg361R/kQe1zhMJ2+ryO4RwiHFVWK9alIxy2EIzm8CcI5Zsiup8pePGxIT1bLFdB0v+H3aUEAnz5NyPs9qmHuWSrm/0Q+ntxWkfTSaXhBbP7/rDcO4SgUX9mCecpVAekhFKJMsSNCrgzRUbEoln2pMJ/zjvmwjz4RWZmHB33UQfzy4WZCrtpEexjnOeWYW+/2hlztEe3lXHLUuJvp/d3EMm/T7WFv7gwbqYX5LGhfRfvk+5CYw8rCjS5PwGIfba6yRyURqoo0g4is4QkRSuWtqEiTXKQjUGhJu9lap4iky3c2sXFnA5SgtGR2Zoakk3vrpExRmfc4s44C5Z5x1W017knlvoT8tnBEXcki6463d5i7GYfw2BKoeFi+TO7JVbtwXg/jbpOUkzTJkmvlOnw61XbEYSm5pkWPhesYELvyqpdFQa60zEgmlopQpUTiTNV1d+1REY4O4joKwi8Y2BK2CO+dE9Fd3bybYuBLsyjLe307QUHHo0ze9T3K3IU6mKDgc45vBISL/dKGKPAWCwxsrIiytjcTlLVVPaalE9GZdywKuij7bjq9xUC3oVG2ndFwMNDtlZDHQgdz8xzXIE8FWZSIt/7k817rsTBPeeBtehxjp5w3SquPeqdKpllCM2TdZ7dKFQNinjF8OaQXd0oyn/Rg3p+RESGIicxaX3ouFP3xKkctyFTk0PzOAPs1oJqQvrwdtBqlFLr1UE7geW3pET7oVU6pppLynsSGI3lrSixN+06VUAipB3Z+2k3MPA3B0LBTrg4EnDzVnX5tNLwxESZpt47zKeMcu6NdjC8TPFjm/CQEnjDZo9wDY43vPr4GG0swzm2cwppxHUrxPy1JLXUgbrgGuaDJmACbFNa4Rgc/EcPv7HSVFLNc7YfdncL6/dWE3I3Jz0vN9KOegLqmBqsmfwgBapy/UkJ5vatFuZd3JpayT9o9PRjymqkHowAuGV8SOSz3sgIetdyvGHbKCtxOiCUZzPIPgxBJsKj6iSgWjC9BFpJxbViUtsngHqMePDllPNEys3GIgSIBpyimN++mnoMNcyRt+iMA9UoJHDwj5EUNBzsGrgNmj8EAHKRgOIvCx+ENRSHumOPeIU0MI7S2GkVlfY+wSTyanVOlNvWPBddTqhFpmjrUD6BxL2WWPuLNkUfh3+CDCn4DBm7OWxvHiAlB9C1c20YfZmtYm0PKlAsjsgHXtnnrQAJoqvQM1S11jEJgfqEXUmDGXgdxkBaPPjDontTrVhvpEX7UVOlIqvoOSPoktd0CwlaXO2BGXIVKL2jOOrWekHB8mJI98n0oVptgp08kHO+/kj3yh3B0awHjApHDRkx7hkGrNe7rOnCElYtdH4QjFO7Nt7dNxsh5LVTUxfkwHb04h2wtR12+DRij7C5K46YwNAFMp4O3v9Iq7kFRYqE3VHZLc/fhKblRuI0Ohf4Wa8ByXHx0P6TjnmNKlyXmWn3+vCvt3wR3MxkXTJeiorG2ks9DOwZoIbIE0ynx9nLy4dbn8To1YEA3sxBw79wWhuHbFlxTHrw5+LoCWwJ5l9FMmKrYQEqEJFwMzkvdKghxYnbth8YYUqEQnYKBp2wNQ25X69G27mZ8OSLcF1QR6ExyykRMJ3sJQYMAbMz8QkjEGGiD4lOHbBjAY89KHMX4jrKMvH1MVpQvQbnQsev7KZGgCsEVEMrVBiRRMMK7CZ7OdwuvsIVHVNXRCnH9PGkbYdCl3weHYT52bMzo30oqU1t6UrIUPA+bva40zYsBSbOguZoVtFSIpp26uuMlp9lWMVfi4Y5yurQ1L+rkzEmLbw++33Gt2RacBfY7SHLrzdofBw2mi0RDrjCL0jQjft/6ArVkOr0fxIGqKzRRDKoMtjgnHu/7TxNfEWePcg/zDJwJCg/BJ1f0TIOsS+r6HNmtqzCwcHVvR9xT5hsrqlao6ezvPNFRWq0bSF/e7glODzs/48woMaygOwzD+9N8DflVfDshssxgxHvYsUe2Ie1GP6zNLsxhXpoLwVyXeCAuuWaqoLnVWtqVj/twbKhMIV1gmo9c6L1/T+14DED5lmLK7L9fD8lnSXPA3QJ1smKXdg8EgJSph1CLldMudglgHcydn/fgEIgK8zujCUJzCwxzn62TrFR9N8aRcV62lMiaSV3SjHj6vtnNACJF1yBThlmc8d30kuwTDTPfOCNWqB3QKXsT5qSQ4nHrbWQjpOSSatjQsBr8VL/q3xwtwoqmXCCTyUS8rVQLFx02gEk2K+CePCt3kAu5HVXtz1Y4xkzrtaV1XZXjoetyRV8VkoULNh3F+/0lmUhmu7MNcZ4hl3Z+fzmmRtaKznCdcO8vycdBj9uK8lStaKcd9ynZk9Nb8r5Dtoc7Zk2J90YbrTtypmLDM0HTURryap7ymQSqMM1a74FKPQeqLRayRz6Mgy1XyOHY7yuSZEHnkiVElXlOh5TllcD00r/3jVMP82QU29K8/pWwASWMJXmRNHNIT2fcMLJPbNMvZ3y/ubqbjCvjbzChVpxyikFxNBhcpdGWMNwW9pQ+AUfVTA1RY7oHvRHygWhJFwuWhHiEsfCZKhjejNxMpm+vCONzUfKUTCc3Q+wTi9R18eWIt+SNp9xuEDyExhkiMFF408bd3XQcbyPh+3M3jn7bV+Rd9flsOHejEQWK7Vi82ZEeZXJhHLPWfbVDmS0UPXhWXS1MzBf2B8mWjFObqOnD3ywz10quNi7U1uYhgPvBUScD/AiZdfKOjLvCjQR/MnPbjzmniPZAI9XvLq/qx46NifOMyIfPQyINJ5i1moehQFaGfKXt+I4whYU5nMD9v9yPdj5MBVQmA6W8HhhmuRZbKKZFMsg0o7wngvrp7pLby3tzE4qc8eXuBudkvtUw8LLNKBdlWDoeh0OU2t3dT8QBFNO7ZYMr2jTDbFkCXMEsY6j9UO7oI8vLvJEA2vDgOOuHUT1vHfchiH3Qjqtj5G1iPlz4I/iWrbctNj1IOKKgsOekRbKHaU/VHIxmSwOsRbf183HC+NZQMiLRdTqdTCbXjfpBQygQE7RuxXLcG8PqFnh8ff2BoZSOTGyQ3/zv3Eu/QzjIHlULsCIop8k4Q3hOM6PUzlKqw0lZxxct86TBdVceCQM1PzUAY3wWdk55iagf3hlyNNGlHGUHz6nSIFOlUffGnaXa3B1eMqyE0k5fzMtMsyIDwv3LvFZoB3eSoa1kgq7TOsot1baB2pb+X1F1AnJIWZnHEQCONhkjBADRH+Z9DKURuFUmjNJUMzXcrS0HtcpR7XG1j9KQHlEvzt8UyEX0nDRwpEe8EbBT1W0FtjHBlfky16iRt7YPV60RupBoIdnvkFY1PReZsG10jNCzcVjauZOHdgrqLnEGjhG7w7YMxuM7ubp5dT2d7tPt4c2ZFvIVrp/UNTcnd474iNz9CgbuAdmDMVxdMi8wU9lrKXE3mf7XAGO1RO4m44sHkElVTfJ+hN0114ili+7oo4v5rVpXfuZMky/D8TS4e3F483HMGDJb839kFxAO2JXPfWnle9BD3nAOmxl287972FRhCMLbU/cCpnuhhBrMn4hk74E+Yh/ABr30ugHiq66POoEOA3bxc49iVAF0DhuVCcziXbAh00zokeN/1L0970+xVGiQa5o1+0NXxiPDsqFLXgwAXCBrcfdi16NmxBXFBcO079lC6PctmkG2IkvRxUXtf5mOiBwyAJCFRM1/T1IMP2ZFlqJLihrNPuUDCLDlRI2hEhZjjqzIUlyBsdsXY6WGgYBoZPuQpWQ63lstsnRTSIFoWzEAvsKcvHOh0JMxHZcF3zDMlJ9L18dVC8J46rrqsKrtMWHK8/MZfgPQCpDoRRg+FOBqQLrK2EPRRwYDeneXHYZxnV2wc9h3/KfOJDJCdOGnsHdQjEqZFqXGjXj5UOrhOBdRalw3ueE60kVeUKUgjWOWc7THmOXMNzeYrw6r4adO3bfEhUzH1y7DbT41oXpFxIJkQhSuYUGj5YVzY/vW/i5ycQAbYGZffb28J6LQLK+63LbI9wKYcaMg4sH4Mrm3dAkXY5sjFiuq4A1yLL3FYQmPkFrFSqC7TCctmmG2mMrVRArbmn7oAVaIjCVb3EfGxNIc8bwohEAuxGZmWohszCKLnlaIR033rViSssgETQlIKSQZzosw35hDn7/2uLhDP3obKOtt1lqQNpdeMNATT4MJBYYCbAop5oBsnbxl/KG2y04Mg9pQOQgmadrVTkby+eNtpWbv0z4EoLf9+kmiwXZhH13judh7Fpw8F/6dMcJU5lnP1pjxXk+113kQyKk11SS4pKLRKJDltQcxLLC/GS7rvvCaY7sXfytB6arJ0Jgc2G8lleqhJ+TyqCn4+66vuSFM4LHIKB+hrXwrhabwmACkmK2wbhaOsnXNzwE46fDoh5PTcIr400MDq4g4h4VmmdhASl41DZvmmc5yeDWnqvrIBg7aD1wwoftsBHDcbf13C3rYVW1Zl6pn+Z4+aY5vqY6YKfvRT4fhSpoyMUftVfjRkCTzwVaFljWmluoYD+monm2SCQU9WV0ncSdG9DhTk+dh/ynFsjR/HAXO1ejHTCIJoNusWLIiFasngcRs0FC7mh1zQ3yM1JZ00xsnd+S23biotPHMMT2gNfvB/Zus0xQy1KFDAmwNqZcgbephEMjJoZcZSD0qJ1R6rHhHY+ry4R9gW1fJ6nI5iCVC1apDoMZWsZKYOoSPYmsYx8yVI4enaAFS0qzEbGfU6HcVot8DJBd9tfyfnFZjSJHJZDK6bKTjvtFF7+PryINrkVhPqJHwpSK0VTCPtPj1QDPvNewEIPtSH9aWJHzD5mz1/3GszTexTYMfbiYV6RF2IwmqzBBDeGrL5D7lMHfUCguG98TyfjOiuLlUKuxAOU69aYnGjCgtgS9typ11AA5Vr5ZKidkDIPr4Pl5e33yekun0A6HaVcIfp9eUGSArNmUGI8L+DWPks2gYDx9E36IZbzM0mkr67s93d9MBAW1A9Mrmp7/aKsbD4lclAr07uas0+aGqNDltsQij8L6laGp9h0EPDK6YZmvc/vU7otZAWfcDajQJGoaFmb19f3llUY2KL1bANbK+PzWjH63rK/iGyfpbCTyBUdEpruwC4p6s3ZiqLhffZHAARE9ZiWN1+7HxOQdq5R/3zrquyn+9+/v1PRFyMDfc942doVZgcTQHn7qeN6aN6Ovl9RPY67JArGhb8Z0auiMq2SpYA65Qnu5TDPNd0QJkKkUhk3Vq5EQERc2LHymKwv7Lcx2LzEhFXGRNoXgMqgIkK8wvcWFd11gMsgLMiT0CGO4r55PP63cMLDfywmEbsDe7X5h9FR+R80b6/eZt4mPQmb11HnSGU10kYRga40sXYYEpEfewOQbDstG+sxDlcltdvJzc7LPogfE7lnR2RWsNwZHlKnAjh23A8CiVADMlvx1S9pQ6V4of8qAch+a+qsfW9J2IJ3gmFD/oOTkd1dE+E8VzUKuCSsDscLfDZrN598iHgeBXahuMXFUywe3s50v4jQxeVTLBb+q3D2GEyUvJBD2U3MMY1cpPyQS7YZ1nP6ZRnZIJfqM6z39FZeo7Xg13qvNAkCPJu0hGBJLbnYncqq6zMUd1qVMywVV5PIxhE7iSCXZHOM97TDM4wx21GZznPdwHznCOtg2f1gJOyQS3y5pH8XmwT4lS2NtuejVmz6Eu+X9SBXWrnCnoYeVZZbRd9Qlh3LfkckQlKaWy/pJWRxrVri33Ntk+5gfcsCdx36MbZq8pcgbLztNgk3AFV69dFY+hp4Pua/dwgho2ohKp0hS1ItD//PObi58fq8G3amf18cdc/Ms0Z9yXQB3RSh87CXhM7q/STGM2hbsstajK3lrSREu2XMJgIIYq5/8EzIYW/r28R7aPN3ahmKtWetS0nL+6sxzGOFTK+b5KdDKcyy8hsn3scd2st2LZIdrDWRUsYaLnDJzqa62pj3G3bszeRc7MqOvF+Hip0Yl8assT9BIBn1ZgCVdlRWxFN12XUBuBCHeb1HhsXPwT0agSOXLJp9vukQ1yR76z9F5lZrGoSv1oDfIlYQvCBYeX5ou88lcMTJBeSaDIMVRfb66nnvCIIArc1bGFR7xlCdaDNiXMQ+yuFS3GNBrUIkLfqLTRsOKY5lFaaEzD+CdDjuQ2+nIEY+8yxebfEPOOgRpwV2hJE4jiNE4yqlaO/uBDS0vKU4bZYO/+8pOlqjJaJxkNY0CtdGKLF1qq7hE5ahY8XtSWMvfTuuGhRZONRGP11TOoxEM4SkgyrpFq7b9jGeymo4SqnONQfIUuOYcMc3+416CjO7wajj3OHLQ5jxo47p3ZAjDiaKIy9w+QYbYlogfGPYH3gr4/34xBYWuPlgokdm+Wz7yBpyqvMaZJS9nXpOW4zGRh24+XRZFt26TDzGUWoSfu54+3Y3vi1gAyhulVbSBoEe7DgL4bdvxH7QGJLBMa/Eccir7EzRMfx5+VbYcy8Co23GcLIftffkfB2HUZqAsHjpgJnaPbqKtoA6+3FCB9Nfj5lnz+dHcY0JoiqnFVwv6Q235NC9zCyjvGI6or4z9u9h80Q/0AKwSzHFovn5OBfNkDskf/MBhkM/I+lhGm5GctHoEdO/d0ANbLjprS96XMOEg6Z5kRECqh3HMZ4c1Dd6J+GeM0XWNWjKiWYEhpXjOJaaP8YsiNmWHzPcw3imN8c01elJx9K8FxaHScHAgjXQtWzJDNxzZ1rxhVymddYO62yX3zK4Oc3fMGj//NREFCvhScfHIPpxECoOD4xmntm6Aa/cTMyd44w0BkuLzccZvy47tRFr51mfEEs/B6W/hdUQ3LQWufAYF6IlsYht4qhjvyJdTiP0IkbVCNJl++3g4PepN9K2mGmpFh+O4T7WOO7rU0zEf5LNebYp1R3P32dUK+3F7eD876BrFJ4tfjmyRuKBeFpgVyq0yD6EOzsuZlUWR18v7gK22D2brxq2vduBRHzA7Qhw0UbI04M0AfyFcoyI1rn2sm5IvtEXEYyiMt9Qq5sNp/X5Z6Nbqs2mNlWMMG8FnBmIzRR9SEuSox47+DJ3X3H/9fAAAA///IryL4" + return "eJzsvetzG7eWL/p9/grcfDhxUra84zxmds7M3NJI9rbOyDK35cfUrV3FArsXSURooA2gSTF//S08utlvtSgsSp45+ZBKRHLhh9fCeq8X5AZ2v5OlVIYJMP9EiGGGw+/kzf4vKehEsdwwKX4n//5PhJDq++SdTAsO/0TIkgFP9e/uU/vPCyJoBr8TAWYr1c0JEwbUkiZwYv9efY0QuQG1VczA78Soov6J2eXwu8W3lSqt/T2FJS24mbshfydLyjU0Pu7ALf+5ohkQuSRmDSUwUgEj2zUocJ8ZRZdLlpA11WQBIIhcaFAbSE8681Oa3mMyKyWLfPpU2ou6H9ahFpQ3pjc8+tD4fUPsB8n0qvH38RGGN6yzKx/XTNvvEaZJoSElRpKE5qYI66/olmSgNV3Z/6eGJDIDbSct7ect0oRcyhU5h0SmoPon4mmxNqhDp1PShQ0IM7dTi0w4AEZe/bDk2q15IoUBYbS9H0xoQ4UpYehejIZlhwBMqWl/0EXHPCY7BKGGbNcsWRNKNGjNpCBrZjSh5ArMF2YEaF3u/knnaFST1WtZ8JQI2IAiC6jOXU6VBvIODLXQKFkqmdWGenYpV/rljCY3YPQPHfLnTEFi+O45MQE3JR/AMwt/wkUN5knvQnLYAD9gJbkU7fvZWMlzyBUk1AQkKSyZgJRIwR0sQxccSEbzflSZXs2jXZiRPX4X7vnF+U9kQ3kRbjxLQRi2ZOF0wi1NDOFy5fdLdTbCzY5Z8uG0uO/Z7cipMiwpOFXu92FjTwZPRof0QSel72R0KA+flMEt2Rx3T1793z0Z3xM7Ks6GPOz6ysUfczeR9rY8GXQbegjTQ4emQMtCJUhv78OXDev+PwyZNtRABsI8RXC0SJmZJ5y27vATgQfCqN1TBLa2MtVTBMbEYcBwJaaSczzdk5YCPYR74C7bEiCNqUMNyDV9embti6VZwKLpyCEdIeFhWkRLDulQv0OLGF7FlmnlSKsoalaV3uXzy9WZZqTlIz0reO/lS44hVheCfS1gL0arav7hT7umUnsmRWIfB2rkU9dsB9jNhuGyw/rqntlh2JIltH6fL+WKvN6AMOTaMWdSiBSUVUEUBEbVmfqS3UJKNBhLpPHj5hh6WGEpN6FD+8EKS7UJHdL32pSuJTC+femwg9mZ1z3W5H5rsJYaSV6tn8u3Ups6i+TtE6lBpEysyg9137Gp2ZC+nfVlhxywzo8GF/ZitvmF0DRVllcOXff24nZmb+S3urib37CX97f/uctrVwufN7T5gjek1a1lKaFkxTYgKiPZtysI2CU6zH6Bq4GkT1H4+zY8GoMGDZnv5gq+Iux13XnoNtjNe7Fzq/zaD01m7iI9D9ZsQ8nHXQ4koV0OsgACzKxBkU8Xwvz0G5GKvOGSmp9fkQXV7hSVDrIlWxXKiX53zPsQcfcbnrdzg+IpnxHsC/bXK4llZhvTjsuRv3kDg1RbqlI0oa7G0WrTrq/kxexzQ96jRAGn7S0lRO+0gSw8ogG2pbYGf1K1Xzz7/1KxFROUl79pSit3rAOW/DUSGHEx+/xbzxIE+J2VePgSVIi6qxzj9dkf1K7geOjrswaagjqK7/qtG4pcnD/ES+rx1p2ljsxhvtInbWTjyRzdzkZLQetiL2i5i2JVlzPJOSRGqm+RAdvVe4SYG3vmmCaJXzpILdKGoHop22ILGVnoJ6jxZcniqYiqmdQu2C2Tgix2nU0jRMHXArSxBDXLcr4L+2S/bBk9AZqsiWYpkGd/IWatCvLq119/IFuqiQYQ1SgjK/EkhNcJK6FzKTTgLUXyzZyKRBbCVDaFIlt4pmevsu6lQJ7RhdxAbTGY6I2sLNmbNgpoNnh/km/m2DzyUkHKiracFmOhvuuTHCvDAlsSZv5RvPrLT3/VnqW/zB0DLUH/ozObf1h98JLuQJFX5LVIaK4L7j0rVqW8F1/vo/5A50dPbGXfKD+/Iv9mp/uc/Pwz+TeSSGXlZTeLMOhz8r+4+d/2i0yT5qJ817uFQqbwZHVdsYV5Qjlf0OQGVwL24IQ07tpQ4/UKu4gg0lwyYZxqYqA/wNkdjjkoJZHi0/byoM4hYZQ7xA6pNlJZyVrsvNRhP9hQzlJ/MPpAEbKUhUjtC8PBgWdiFYSjO4MXmzeiQzmGLzBchxG30cAu7Lik6VN55wIcotmfQDIwiiU9WkdQhetfdrqwf+5LJmyffWr2Eq1cltt2Qt7Krd2ars7JBJHKKmNGkhuA/I5FexIv3jeyaEomoPV8w9J5iuV1fV1ynhUIUNS4S57aFazphRumTEG5VdobtnfRY+JgGbNqt/OVu8XwswhX/eKcKMuttTOouEWjagWm+tqdK6EVUtDTo6+Ej4QbXwmF4grqMv6L89L2+gEyaYBch/OeKHAP7WI3xCjtP6Uj5htwvISR5jrnDDOy4Umr85p1xP4nIZtZnot43t2ts29AOOvlqSu1lvCE/PfwMHr2smT8EXz0dlSrHM3OTmdB9k2osMvDslyqtsRL3BP5zYVBFE/D/PHJP1VOEXeqe58ptanKF/uf7BV2L+c4zfyEvPr1N7J1654BFYRy3m8rcEZ9Jybt7UdkCwo8WWoIB6oNkaKVLtJcxEcXE7/tRey5qxhu27B2X6RK3cK5qCZI1kJyudq1HXFLpjpSLCG/kmRNFU2MX0R7qXcOvzOaC1KIENPDGzbzwYza2And3lGP6UQY8V06jSKzQqYUpRtB0e0gT3OctSVW0sRJrN5HIYLNQSZJoUqK2lCRUpUSIVVGOfuzL75Xqqx3fdIQ5XDwEsli0XmS7rVIe9QVmJecLcHNuEfB15BIkQ4I2PvtnmuDaWcZmRATicxyDqb3AAwaUakT4I1iLTZYyzdT5pEO8rUdu/c4Dx3l5skcPH6ZFGYdaZv2+amxYl72UU7pIy38a5FiLLsl+acU2NUWRtiiHb0UMX147cf2CndYFNqNPiUGbk24fGQDStfSKdKxOLCe/X3oYdsBjTXNfZpeIlUKKd47GIJswjOlqxFLGaOMtKm+WPevd18rJbMTR7VwSfk6AUEVk16szwpu2AvDQBGa57zMftnXssmooKu+1FxCuHPvlPqiB+WxasLM95rIrfCeMUOzvG0ZDIjtaBZi9/YZTZI1s9qNTEGfkHeFNk5NqhO1t5KagbhcauDATRplYMulxb2BY0hCbpPLAf3aKViCApH4A0GtaJ2yDUutZOPOQz8juy4Z2cfW4vVP8jZn6mgz3O+n9wXd2pPIDN/5yWrL9Ky8ZkG5AzpuG4246YMmnOeWG1f87KQzZBVOJovYHCjrCHIPpVitf+yr4iTIrwUURztK9nT7U7Tnj1uqiQORDpwbB+6n2IsaUShoLCgCT1tlBuH1XWUYWPM5AtR8jiE95zFZUZPoq+hUEWSl2ivyOCpkS33sfWM6z+W93pxD2eZdfO0QZ8H+gWhVQ4htCKJJR4iPIVjrgmO7nQa0KFmYRGbw0mOolBcXlS2XnRNCRViChgI5cEBgA4oZzNSRkYmVo4ckwJpnZ8zkg5u82Kkd6F/pKtPFUnN+pxwStmR7xadfuvXOnKGaKkFWxo9m6tmAysTI0n3CRGmiSoOTpRd3UJuPtQmfm1p6XROUiry/DqGxTJcBAW27mhu/3KGhLEmdS80iMo5JZ8up0yL1FaZcKH95dwer8BTczPFKF92TFYkiA8WS+/Ki3rkdIYttZGL1TLbqZni25O93Z2obEKlUIWB2dGZy8ccjVK8pXbty8Qck/Xq0BYafC95ZbstBx4F5To9Zq+677oUMWf+BzQQr15pWscVCGkLJOlS86A+g5XI1LwNVHoWplwfx3kz9GDVTGrzvby7cylWtduyjX/CXnCU77NszwhdmDkAori34boAvFxwzbrp/AT8UHBywfnYqhYFbbIm1AnQhvL1uXw+Vpqm2/3KPKuUloL4CMHc8zsmaihXMBWyxecGQ4xK2NVe/E0KMUWxRGKhxiG6MvvbQrbRef/76WYfOaTRmV60cZ2hlK8cWzSmC7fgiD6Yuv/Uoty4DzC5YWXBQ72O+1AbUCbkGvymFBnVCV+BKeYdI96VUJYYO7ZKMl9sT93vif1+rWyEVWSi5tZ+Vfw2yple7ButJX6QzqkxsM11FOLZFJdwp2ckOPdadkjytxEasKyVzCA5FrLf4VBDKQZkqukjtBw1/8+6twD5qRQBcEFKPwJwSIcULBTk4TWYs+sGpDcd8cpJCKXthKn3F7aST414y72Er3T+dmW2ZWQdh2fN6cu4GXLhsE0GkeLGS9r9HXgInpMx7BEfEedOaM/ClA2BByiWx3MEw0Cfkes9T2o0N6plVOIjPfDpfoa0S41NGfbBNGthvWHhKEl5oUx7I8D+dbXI/YdruZMiJDvYNK/i6T4dFoKNLP/6G9Wv0viwTnlD2/V2Kl0V57lAQqrVMmLOX2t3o1Sfdhl2yG/idUJKvd5ollJOU6ZvnJFeuJ8pzAib5vl9Qpooeknt5z4fe59komoEBpUlOtavipV0hB1+LIJFZZrmYbDjtu6k1YJJRcc+/B48l8dX2EOFh8uw7kVledO8gwrZRsmUildsQT5tIkUBunleRFIOL0ZnmsuB8R74WlHvjZyozykTgGqI2EJcDT1fd6hlLXBqZuhUJL5m4gTTkApWB6FQ761RQUOwn31XQTlg6tnG8UxUCldXVOzt5s0QbQAnv/fVj4XqfB8srue6W66mczqAy1m7shG1iDWM6tP78j0vaP0eWtJeM49/xaspv3GjVNVaQFgmQ0nME/eY2DYpRPu95TdEekWs3ZCk2t9/H2gNoX5hBuwAkN/qgkgMxLMZhdPvQraleVzfUioU9WYZFsvaRv2WOTZVmeFZSapUIsxOphjnRKrG/qv6/m2lKLD8XhLmYu0IkHKiyf3KF8PbQQgJhsHaqMrHzbu+DZ35Ft87Tk36xEpktmKjqZtcfrJA2qu7xem2YKvSxLX11acQBGLb4HcdB2nMlzvzovibjsKXUa3DopvFq+byV+eKcXHlO8ywUbiC+215I+rXYfuiXq70B+jFs+TXz88W5W9KQ8laxia71oOmR82GAfgon/hBZXrBlul9J3egdZi37plc3JGh7cWHUji288n3EU2OX/qwamFyc3ynJxrLP3SHJWmCvRLqXaE/Imc/PDPVOuf9gXJp1AFXzGz99F8xxi8JUmZvSVI9RIThovzLSPyhbSTZUMbrgnSxAX5SBCZJzOsAINAiNWh+lsaF1UdWPfGI5lZUwyvxCZvf5+uXFrC1Dk1Ay1lsUhvKyD2woODkXcu9p8SDJhTDkmq0Edcxi4IjmUmEWr/2+w7/sIZ2Vspt0VR3df1ogtbvsTlkqew7O1fuPhImEFylYdhYa2dqfn5Bnr29plnP4ncy8QcSTddz7pN8u4jxzR/dtOuPU/mnpR8b0jRW5D8B1j1S8mhnzKjwNH5i+GXG5GsVWK1B4Lez6l+xz3RcQMDjpdK1AryVP7enxuvpAp9GG6/0IloWu7z1w5WcfvIzxQ1WM4+K8P41ksnc+kVk+P3LclduVEHvl2rh6+54uFi8sHClcfurStZuRaZEMaWlBLH2kqLE68opbSuUqD1i+XuIb6BJHVbql6nEi9LpV9S13peEhspMYKI38zDJRSt7RpKyn3C/cWhZ0VD1GihelgKrGuZDXNaM3tVZAdfTYYG2oKWIJzpU9ijL+aGqHHXwhbwlLXw6/X/ZlLY6B0CL61Cl87O+CRdF/dct3DLn7XueQn3f77h3ynDEhi1g+zloeiV5Fv1OWk8Y0OnQssr9EJoxdmbFxJE45t3yP6CJJQOtlwclrOz5JZAraHomy2G+/ZsFECreRF4AzbQ6TPB/IW9zAThVTJYgFKOffzKhi3EXw9FjwvP9drAh1i/jC/rZ3ZgLhHMqFLy70SBJxGJ08q+I5c1A6D0m3nsN0liyICPuA+LLC0w8DSYbezNV9j7EDSrzwVQV5BVuV/7b9kDKhSQqGMt5jZFjIwtR+NzA1yY8em1labGkVx+ZwDD+kBrKco0XznJIUljS4gELly9KHH6I1rVS8AcXpziVyGRkeV/Ks50baD5zWHX4NyzIL3NvqtWGmcIUZSe/E9rpBt2DTQ69rVC9Wzb6T0NhIEXhVIrPM3iecY3TmqRNWC/bNldyw1NvPyipyGejBQKhUJoc7Gu9vLXvD+F5qTOpxef2iwW3ugp4eh9eXo+Py+j/k4kC708HT+z9yERww/bcrZ3iFc89dQLHf+evZBbnoCFR1GGhVa0N2yTiCiIldVTbsKqoifR97WIit7hfuPYuYL2SKnfHVybhrCx0BC7FYBsSjdfxqCd5lcITM85oJOKQO+wDayh/CViytXDkDRrwsttbYSQOP8PLHE/KqeecF5jNVdveeffLVc0pHlAvWuIWkqFsRfOjXAvrSW8sqTGOBG0cwhPRaxdOmQaTKrqQbyjjtOjJIZQonLr9yCUoNdFrwd+gQW388v1tQVrJQAMo7YDtTCuEGmq1OBjgiy+aLIk130e0zLJtHzQOq0S00HFbofNRKFZ+iYjJilYNWit1cF8dISGC6Hr3qa67SImWmyqzb10ULiPoa2+0zNjwr2bsXxifpo8Rir+DmaFr52efX5FnIlfhccCsrLxh3CRwuDuz1bS61/eYP5EXX0CDaXpgbIbeioQhpSApXzGLTpD7QaTOhRzDBtcNCz8os96uQmnQJK5rsyKdBdY2zhaKPkZQfBm4sMRMko0wsFc1gNBwjp8p17cWvk9AQLmduWHIlUx8cvS8LWIs66wFF7pC+XKiAXQgsDalZN+4KtuRtIZwq+U6mwMkzJjYnPz4nTCbPycL+C+y/qKB8p5k++bHfv2iSfL7ktNM5P7YM1ZTwz2bEDepsXY5P7srmV3I5WqjBSFSk/q+LgLMsg6BB2YPcC2iTxeW7LWSf332hCshHHwD844+f3305/fD6xx99zO2GKsoGz+RWqpuYKct3XrAv5YB1D9ugEYyK2EJEyNmJW6Wkeg5oYp+LHYIKs5QKhGZJTAZSMyUhIM7iW0F6/AOxiM63lHWbEz/YOuBqn8cmaq9P7BR1XSyQLoVZpNqo2JnvLl8bzSBWf0ujvaNlzgeekfTQZJd9Y7COSBOSTfZ5LyHfxZJYskFDUzlVNEPsoVPtrUbUM812ek8/Uz64nuD9DRcWfJD/P3RH3YvMvvPfoxyxtGajD0BGQT7K4Sj9uGP4pDxC0FZjZ2t66TNTRbSXUXauTuYPzuzWObl3e6bLktXsGP4wl/S1pIzbtS6LucwCz7g4r+e2uUpcVh00sOopYTAcVVjGXM+tiHjAfA4JvHbh1iH76ExmWSHalqgOOnFY4aaHoruCW/M36JepK2z6MMn6odiuqUj/Q/Z7zfbYDDXsEM7wYHTdgRvgdKFzljAZLUr0WBq8Q7+lSnSdDk8duhZZPpdYzPj66t2MvPd21H1Qaj+Qr0cNJbj++yX5WoAaqN1acDFX0K7UiRvcUDOI7siHMumsN6yrktKTiA9pnaiM3UbAEs0PMhzdRdX0OMceTDeN36CBcqoyhN2yZBHMCzSPmIBcES3SaF1pGzTjVrtqkE6paUuFD6W7AJGsM6pipZVUdHc57bQvfrD3iSadcKooNOfr6GchgWXcBKqK8HLlSi0hkJWLPxCo5jR6JwxfcSr68XJO9zmL/eCEym0ZWNEzOmgxp4lrjBI//cTS1iKi8l4jvFjlm1/ErVlHf98TMU+Mmqc6at31GnVL+TDP0wTCG06jcwwxB7FiImJSZJc0Rmy0mC/nestMEp1/iPmSy62mWfzYlTptYTZ41BG8LomYM4HJTpjIQWWLXbSA9w7tPLnBIb6hHOOssHyeK2nkPL5LylHf/DJ3Fsf4tDna3eRyNU8xFtsSjh//loh5Rm/nxsQyGzQJ2xPNAeFRyJhAAs0EHuic6zlf8Hlst2iD9l8QiUevDF6jHbsWYp127KzeOu1fEWn/hkj7nxFp/wsi7b/i0DYy53QBGCyloh5fPRPzrOBO+F7sEN7Jknh+gyCXZAVnqyzHkb6tlEn5KnYQUqDMMIQSDV+T+LYRMdc+IBFhB7VKcLRJSxhHm9Q7XeQIvUgTUaVVo6iqRhqresAtAgsx0ljFDIu2U2tQiBeC3QoqpIYE4RBufrOrgvQobH6TuVkDTRHMajLL5wlHsGFbwghOEkdXLXYmvlnUUtYolPNijuDTSBQzLKEcIYFIz+kKRLKLGHVVpy0o3/0J6QID92buyoCiUPblYHBQ+8BaFOqLVb75DccGrecLZv6KUmgs0fO4veJahJWMzqo1yjV3VCFR8bPctLfxR+u1VSMMZu3t/PGNI564E/tQiPtq8vEqyNVoLxkHDB1Gz5cYm8iWMZOzm4QxZAM9Z7kLUpyjsDqWb35Jtck7xfwj0dYqQaHN2RIw1BjtDM0ZpCxawmiTNhM4pySTacFBJxJjtQNxtkLgTTLXW2qi9vyvUe+LII9CWMGKaaNofEvInjaCxKcgx1pqhbbW2lUiV0j81Ufm+yOOQN0ooBmCIOlTgbBg4wnX27Vkeu47zManvqOKohzwdCARNgblje9vH5su04aK6H2OU20WhYrVLLCkCr5XEAbVIjrW+HJ0mZMcm6zr3LCM3+z60EoDYzRXNE1j3wGWxnarlqWDEN4ils0TJWWGUpXIEkZQ01g2xwmODBWPMJY5v4leninX8UuWslznikUmyqlhpogefcaZgHgldvZUddSOOhVdl3wb36zFpa96Ol9yGf05r4gjhPxbnTc617FEETiO1aERoEaPTeByhXJ0xQrlAudSxWZg2aJYYVyzjOkEgy1kGuXAYvSBEGBccaXodKPzcF8AOnbEn6caOxxPbLexNRCUjDLpG0BH10RlfMlIKraa9/TjejDdrQAV/83K574pb3SyUTtT78n6Fq8ohwwhcTP0xInNDALZ2Nwgn3tDUnS4VGv74TxZx8rz75CG25xFdwTkoLKVosJ0au7GoLxFIRz/6fWVyD59anUBjUBYydWc6jxiw4A6aUVjU1VAOYZ8pyBx6+CrjiIRj7/IlnLcEq41ylKlCIjjGzI1gm1Ye9swQjyAhtiBAL7hMYJyouFr/APQV6A1GlUEVUqzFQLj1XlsK5tWCcY9UEkaXZDWKumrihuBsInXYqtOs9DRq2puEhE7UaK3W+xDifoinbGnb1Ym/rHyRON79KqenrHp7vLo1VqLdIESh14ojvAWFhrUPGWxs95R2laUniGMZTCJNjSLbQ3ezJnQhi4RJIMNUwZDDN/kAqF0k5GqEDHNrH1l0Xoqip4WRpIPhSCdoavoEcRmeZ8pZyk5U5AyQ86oSkM1Q+3Kv/fD8Z2zEFdpqEOoI+Oa6BNX3yCRnPSl6lTxEEzgrdzrLOdyB53Ggneu31IW0Yp6Tzxjdg29zcj1O1OwgluS0Xahhb0vVqyKdjMQdJCcadecoRw9bL0roER0kedSGdItPErIdk0NYYbkCpZDR+EBYbn3aULRt/BB66ggECZCZfeButCcCeyO/DWodrQ6Tk2MXIFZgzrZf1+vZdF50QgRsAFVtSMykuRUaSDvwFDXEdzfVVotwbNLudIvZz7t9QdyHlp8PSdm3dOlyBUD/gCh9bGDLcgVmC/MCND9+9w91CiLt3Qtu6tb5Ab3k9VAVbI+YYL14nM9d49QX7vFPl0vDBcM8ZLTQrhev6vC9XEti7j3F3Bv1WsfmRN+Oe5qTlUR7tC/eEDZtxsxj5jTNK3yqhuWfIRb427FkLngGN2oBxjSvnHdletQLfhAx0tXPRexHbirn6vBEAVfC9BmpGj34dHK96+V70UG15bHj+o5dtsiVcWdNs0pY5g8Iucba/zdVWjXv/fOPGbv/7v7G9rBLs5LpuDG7j8bTmuIF8R7zyNsH5cF1UB8uHaFhnRuVbVL4RePg1dUreAr5FL58vW9y0gI1UQDuHZndLxflaJC0+QI7X07Fab90MKJvftDkxTKdUAbA52DypgXN44Fej+kb8zBNozDCgiHDXBCtWYr4Tdu36+//+i7ksyPyL/d+CMnffEonZ4tskKwrwW02yTS/stXw3tYxcTDuqCUEg1L/YVMpBDgYivIlpn1EKMgpCczpJLYFRyUXnRv1cIup+Mn1RPF5YollBOLYED1cSgeF50baqBN4+OtXb7e6X54tXC2rWxFtcZ+4ClnVM/XEl0n8Epcpa65Xir7pkaWK9Zb8PTXAyD+0li07k0LjVgSDlSdnHItrSLeuG/nzllO3oZfnJBTsav+r0PdOF1eC0NoepLILC8MqH42jGLGtxPDU8++a++F67HY2BBm/lG8+stPf7W673ltO8oV+64Xdjin87ges6mGG7oDRf65ssnplwGGA9d/62Pn/+CfebHH3Dj1o/txYPDyXbzt+3bDFDvOCbl6//G1nTso8MYTZy9NmU4U5FQkOytVBvGMt2NBiFuh5+Tju9/JhTA/v3pOLq7OX//X7+TThTC//UKebdc7IoCZNSiSrKUOrdKkUpAY962ffvt//58fvu9dETBrRB7XXg/HU08y2t+ORyOfvnte82t/Fi9KUP1XPH1aoOu86Q7kBxaMm/zA9+FtCaZ77eQzU6agnFyeXvWC/VMKwLNlHXYy/j8p4KR/bS3cb4aFuonczTzdFjzFN3hkH1bUwJY+Qot0d7pn5DRNlbPT+lPeB6d6epMsP9TP+VBfyMXZu5l/lQbdYxnVR/R+NIxKXlINbze5mFkoA9Yvu4YHdoKIsoZ27OE1LCWxue+udVwGUYNL05TZL1O+d9jWevn3v3NHPABWJXQXXIYbft48Ah0o+1hrFLlu6pNGyVVAOJPKVCy5w3RT52BzG8DM7m7Oq4+89n4+TKzKx6Sc1ruhhRfQpzcey4ob0DnNl2otE2ZFTm836sg4xPJlRcUKTirVKZFiyVaFgpQsdo4miNRFDfXzmfzA0gOdpNEBabl30CVCvQMeUfavp3BFNwAoyKSBeYjsjh9nFH9pU6HndO5D8RFI50bhEF8iHIklQrYwx7gOWPVPcoRFpem8tMThieVtDd7O46Q9Wt2Y8AgS7GuzBiXAkI+7HJ6TT+UzdukMYD+TWWkA67wE74cktbJVzxGEiQHVuAQd7OLPCeW8V5jI9190AW5UucC8DSj7BjJhJNHGPeZMkE8XgwwlcQGyaPwqOsu2RGWO0PbNElagY0f0WrIIKS7+RYwdiu7s7QhofWuFOQexit4p0mG2wgeiFDoggXqRh/KaA0aQxIUTLAklb6TaUpV2+3QTcrpywV6KUHvjb10s3QLMFkD0i56Rqybe18ctDeV1V50HQ1zJeBcZ0ZkhEyHO1YUlZMxYthRabPRPccOpOIYff4KBsgwQqZkoOxNsmiz3npSN1WBXToFtvjyxPZWQuCoEm3j14KZ57KkyLCk4VcTViyYliGevb3+/lCu5XPZ3f4dkbtaAvr0NsB/tgP421nC/trgt3NPCrEGYECw+CFsXMSsnTAvo8UMOQ/+kQQ0CloVJ5HFXOgw5DPi6SBLQegCzqzx+WHG0wwJPHC5iRdyVVDvSk5jQwXYM5tTACC2Mlis5B5/OpbDviuVbfcJh9UPSEZSas9rEq0c38G5S4quWupwBziCt5hPsMC15mAmimSl6+CdxyQUQWHSguqaa0FTm9nUxa2CKyK3Yb5lfOENvpZDZQFyt68mhmS9Rf1whwgr3TKSW/0ilqwWg5A3jQE4DsJPOMkwx9opqYv5ODgaMV/N/lHCFwSW4DlELcVehb449CxEz3/0BC+Hj9a5DvkbslRgOCF1IzOyBnskvYE03TBZOukxkliuZsYEIRTg2uNeCLrhLIluSs3FsTGwqtoMIso2wIXWSXgANhFGbyxwAsGf8Ch/27tZe2f19Gzx2+zTLQph2OltsiT51aeDz5BC1fpIU5N7jFQhQLCmn5BbEBfq1QwuYWbuntq+3GwlgT5KfTrRRw87Pck6HlN16tDm9Gp9TEC/8WIjz6lVNKyXcsAy05ete2lOQw6ATKexCtKIQd26EKzz4wG1QE4/WIbW7H+1o/TxtTj/NdbQmp5OnFgzGd82wMzc34z1DmMAMvt3Zvbpzduqoe+cvWpS5qbt3Llot1eMwkDv4eMVAvt3j+PPdWxartcFxtmwaf1RH5SAx79gE/nHU4xhzbp3DWAn1LgWtZaeOnrlTmPU8A7OWj+AloQ1LMvEwwtcGN9zVUlIS1eo04tX5IHmw11ogI+cSyRLyXye//uUv5Nnl+ensB3LOtGFiVTC9htSlwvdi4XIl0esCjXnCXLTs0uMI2+y+OBAxpiSyVXEs/9Puah+C6sY4i3y0ps/3uS6JC/uv8n5rhj+Hqc9nSkVfmfR9pBjlsarTtSbygaas0H4EIhXRLGOcKs+eLNu0dyhx73p/epW755qlx6w0Uo+U/2QPQmlFbNXF3F9yvDyLUzF2151bI2Qa1uy/wUjkPumchWC4gVpaRtpvypQKMzCg47JxSy3Vigr250hUtcA7ClMX+4CVrp+pgeVeMtWbS4pU9eeNHc69Fr7El69d1IhqfguUm3VCFZBcQSozJmhvwl2NPc2oYSCMvjM8ntNjzvaSPupkfelHyJEOrr0631vGlVNlXDGk/VTH2eoRix0FZjOFoy4hBUUNpPNoQWUj58MynzfliJXzbKbkhqVV8bDwPZrnPEiqnYMRiv/YZ60p0/YLOPtJsvRIs6yGDLX+zG5gmr3NQ13k5IZ57/m6LbgPlICrhM6YTcHvK3nCrZOZaj+qZUKveibqZVQnsVJNtJHKc3xLLQND3Wjfu2+d2G993z/7jKUph+NxuXduvKl8rmd7a3zvID5Xtsc4znRnYbRahSGxK72zz0nOqd0y+z5LRUAkapcPWfldKOQR9MkJEXSq0i3fSm3IO5qsmRhQ6VKKxDm+a6/1J+Ei/XMFln1Y+cgXOdMn5DKlOfns/sfLR6kUPu/0H93Hk6zpBqzkxIEq8rUAtSOuBqHOpdBQSlT9yal2vnP3m+Pwy1ADL7GUFSurQAo/fV+XbxhnOaUjQN0foA+hOOpUpK7LE67BrH3Gy9LSjSJGVjcMDy/TRBVC9Oqx+nn18njPsy8jNZBjFyjOg4aJvxGUbJlI5VYTnUPCliyxnzzvyxMMcbLdC2Kn5/HuY27IM1cRFkSyf4ac6/KH2mqRQrh3/BJWNNmRT7pZ+LbywGbtRNro0bV2hCMo7AOvfV3VclBcrpo7ZPZF7Kx4VQegJ/u/kWnq0nm6y9ecNr5APVSd14vXPTN2M+w9aOE3B0z2OHG9Q1MNEb7B9F7yutdu6sNVQLuzOY7BrnIYNPdmH5Dpt6GzQ/0FKe5OfnZpAzFbAg5muLkpp7BkItjqHXNyVf0ymg8UHXToDkoUQ8K2N8C0xL/YjLGy2WLPPdRSGqhNWdmwjaHJOjtyCfz9qG7BSUc7qm8HSpOXBRPxOohFvRt2yi6pEPfx7GFS9bQdty2+jPY+vb+na2cHNe7bdwfqnKryTNk/P99PZbtmnVLqxN4Oq8v64PdJ0zPRe5b4shZS7fA2/F91TsW/31kxpgTSrKJeiud9T5Ndln996ajfMbdHE4k6syrrrY/PavAUzEEYJfNDWEcqi0XHuDDpjIcxrbYNd6QjOIw+u+O49/BMZjkVu+o+umvn2ul7fWUDyj5DcyaWsl8ooPoGO0foDv7R0iJLZFvArYq+/IoVI/Cm4HxH/l5QzpYMUnLu8p69cbAXyhYW80TKG/ZITvcvsCB+/L3+TPmQNB+92uzeHZ4XxoncB7Ywvfuuf6iGCF12gjna2+RPyMdd7qe+txzYxfE7OLx5CpbzqMVkW7AtBm+IUN/rvrK1bTDHMNVVwmUTnbcs5lKV1n7nYv5wObDltVo5kY9TuRY5bh+ikaWwI99puS9hKimRJJEmKDuO3Q+SU9NvmkzEnOqY3v4aYRXS6SNTLhSPuM01qhF3pVJG54WKZQ2p0dSg5nQVT6fck47+PDVJRw1/bJIOpx6BscCtAeFEq/jKiaUf7TRXgt5aQStUJrZE5Yc4Ri5hg+d+dMM68epl+O+zAOFl+I8Q19Rn9qccVH90XpjOI3rP/WTqznNnca21WutMJw0N0axKxcQSlBrwu3bnfZR51QX/O5e+1zx7BJBlXeJlbRt6rpRza0vUK9UzxNGO32vvt7fH7qOLIFb1P/0ndAO0hht+snwN6jj2CCuzh4inZ2eu9eMP5MyN3w8NlDlSsZSBdT4DFZp/QiMKc6Q4L6C6jmsLWdtwO+j3ulYpenSn2Z+HWiXvXxqlf7fJNfuz31rDbpB4ysV/viYCVtIwv4H5muqBDlA6OXZZodpW+sGHmwvarUbrANUJcGmdsbJwepl/0x+QotnqGBkVzfpGVdfDj4ONli03YVoX0YVOR9kFS+FZ6x7mQ3EIQSlUG2hnU+rc87UdnFw75/QYdzpKhERVGTx4kZ9du9DO8ceoxj0PA3l/7jmCcZiFas3nG8wXve1SDYbsXjDp3B49WkQv06ixCLMbCBo1UnGD7/btSuoPkuOtvxDt/HVSkYvr0/98NyMz+06R92Kg+8oeLVIm9SFoP25lP1rHhpI1JDf6ICPyNCaMW4Osr+lcVa+zKhHmwkBDC8I9FxyRckGxTlHIRxByPY6qKsig0uAwG2qKo3X4rKPcUM5SfxB7QLQZ4dGqWo8xQrdiN7DTbbYd6eSXAaSRaa+NyfWcuR60KKTdVmIsSEKfwG1iK1FmvkjFzO6OG5XILEOtEzcRt8cRDEL9KfhbpoC3Nc3YJpYtp2Ku9WM1vLUjex7+Jcy2zNHqRetTjee5ZMcIq+4D7BEQh8CB6tcG3LImaypEp3AGdrmpMKoDMuCzPVLZ5uphCT0Pv1yeXoV372Vr+OpBMVK1bf/Ra7YxfTPfSF5gLcBp2cdZhD43VWfssp1vIZjR5JkHoX9w1TpcYm/ZUbdFnjjQvbPhBRI3uwxYPwlmQrjASTPpYAPKRQosC04SKRLIjVWUr/0eDpRX2G4xua9feKuwly20LdBcKkOkXd+3/3HaF4Lbu+yxz51Uq+MHWLYTDBom1gX1xU56C8X87fX72cWMvKO3GRNp1da7f1vt3I4ehtloojgwrTCNzuzGplWJT/0pi9HDs32W43x5vITNx07CL6eMLnY0jGWBK1+chyq9AcUoQn68TXnkWgHljLP/9nnDVWKOSLuSZOzb7ewlVoV+pOjG0K7aafGVUzfzyb3PiS56QtSpJv+qjZJi9e8LTpMbzrSB9F9fhr89rz5lYglJ/0dLpmBLea8gQxe89htCRUq0JAPHUsGKaaN2VrM/JrPIqVmHYv0VBtLG0AHpjFLHgukToX2+ViJVrQp5JU9WyEGYWkxKFQUslWEC6jeg/4w3kDQD79+4w+9jM0p65I39j/fXtS+270jvOi4Zh5M11euTRCU/t+2tk5fq3zun7uzD2c+vyFuq12Wc+F1Aeo/vEAMgxCqvVMPvZAGmbRZJYUkLbuZuCX4nS8o72dl3wH8n04KD44c5VZqJlV9hu9R6p7lctSvM97Ek0tSkPVvqfGN8nSeAtf+c+lRi15nUMZ5nH07PLz5d/9C/7E1kN4Z1XqBYuDhVGTlNboTcckhXQD7WxxoBhbZQjcdpDEBfwFMUDNfOwFslq7TsL6OQeloZRQL19rQagGSgG1nlw5C6nSb3cDo9XSci6Yn5GAXQ55knkU5LyOFteOBHwaxU36wjQvlbgxmOYOnjmrGwnHsYzSKUI1iyTrh9LCSWtKs1NQFGJ8Z1D2KoQNAkEJalua48kEiRavLCFZ53RXIgJZqJBFwZtGYbuDGcHWsribNcriiXo09eEFid+P/+t+/eyT8Z5/Tlryd/+W4CQMvUO6okibOY/sWoFQwbgdGNKSWxnq066WEEgvKdYYnu8/5GgvLRmZi9f7mRuauLRegZ6LTrEso9UHsKeLCXnK6a4Dzoqe8dFvfyLoVZQxUdQZG/eDIPTJ6jCUYfnSiSFM6n56WfUHEjz11NCiX5JIRojGFfkm8ae7Df75h/SaR9q4E584vTqSM8hky13QsoyD4wfUMuYQOTdk4nFOmV/thqGHo6e+6z9YkdU0DqbBIpGGfdCNXRVoX94iTgWMLFPRlFb/QIApZ2hMgIJETOVQdkprGv4JmLrjGcli6/e6kO7ke9Qz4GmqEiLQThPQ4FityQ0BhzHB8Wy3K0pyoT7sv9/dki4bFrZRRbrUCRnBoDSmjHobydMrkBk1JDfc+HBdXw2y8ERCIbfaynTWDksYyxpFUtqZS89C2qp+JDe8U9sEkPeJGysQXqCdqYCsJSno5BJ7LHGxLtqHk0141BxgGN2usOXxZ37lktY86ONQWSWeOZPXycWfA0TzV+FGaNdrOabUymHSKzzpXsZNZFQvTR19c0MpE8dAkQzDBailLN+s3T4A4UhsZYwdZQg7AWVKRblnai4yOh+o8O+TEkAtK5KjrVPyJhuTo9I18LqqgwTICFZsWJD0Xw3U5G2I0QQQUYMuMuJgjtCyoGRo+zlRZOg8AwEmkEmN6SILHguBHqdXmmokIQTgOY+4imi55wVRLJExLq3l7DtOc4oZx3g1gigTmjnIOaiEMpBmoOSK+eZenBpUvO/FgERPrCh8GWsXZTGXo3e4TEEebOr673+SHT1q23WANBeVg6gw3DQmKTZ2ehWO3ku5akysnsWGrgWZf+MBYQRlEu6JgQ/qDzc+ZHIFenH6cdHzSD/1lPRtMoDESbcD1tYZphxQJaU40kGdXxNEYZxrNcUdNp0BgLjhRLtiqUv+R2HLYoJm3bciUXfxwDVKsJ2xiiTlksJEiNccYAoZkkmnhceejgZph09Zcrc5vL7YhS8jBW1ED38b9Ic6xhXL05J5FAVTk6Z61R7oKDx5yur99WGS8TmdOaas3GRMiHbZwnP+0Q9efpEjxPbenfmOYYStarNdAUFJIT4e3HjzPytjXCMBqeysUfiOxAuKq9gVtO20BXc2U+Gnb0IFRf2JKFUcoC/lNQySLFDBg7swNMDl1zcAqNZb7xYKaF3CSSF9nwojzo4n9+fzEjZ80BRoBkGRVYR/nygpy1BhhFUgi0ML7rq3czB6Y5xggc++654FEstaz5tLaHGkNmGQTrb2YcCZtTsn0lp5IjlRXIJiF0xkskaKW3rhyGZDKdiMoo2s3YjYTry+kbl+i+tzkr0EYxt3JTuKXXP1OmqcpGnMEPAunV7vL1na7y+i8i6nZ+AF/izoXXuDfZv/pT8Lmy2TjYPs+uyFmz8OoIkG6jLRJLEi+E0b5jtFcVJl7GQhiaj1hMHwJqX777NM/JmVGccLnShGotE+9qcd7gewV0e8gbdMSfY2FN2HL47EVCe3bx5joW3pSjH4fzy1k0tAJ9cc+voq1tX5et6Hh9oEokxMtuOd7IcJfLWFhZjn4WLmbRzoIeMT1GQnt9/TYeWvRze319GQvtlqIfWyvRxULbaqOCgRYWZMm4ARUDdF4gSTGzT63WnMMY1B22g4cB8cpNrRXJZDuCYoYllCPKevtdLQcjVk0Uqyl6RKetAYll4Giv2MQQ6kTxxhefCqrx+LUHbeC1zKD+vQlwNoBmUvz8epIVMaXQrUkWCcO5o03EpCiPlBqqqBjJS3sgFkOJo+/sCApyqcyEm5V2iyfEQzRlWVKh7whAOzT85dxKwFMjztJuLwYSaR3uc2N8XgSTord1STREYRDSGmUE1gY3nOMcXGzQ9DCOFDZMmL6yPpEQvT11YyRALoQBtaTJ1IC8FDZ4RqWwUNPsJOk6yeeZ7gsRjgHl7dmMvJuaPp7a7UK7YVUNLlZu1hREaHlZWksd5NTGKKNYuFypMW58eLD3OdM3VoBeMbEiahpf5jncGtUut0Ei7djljDjyvVWEhkHJZKCvdjRUSyZWoHLFhLHDFa6pcWvQEXwZZSIxiru46p7CRCSSoH/x5jqM5kK4SXOsiQBHuVRcfBP5VQUPM0a3A6412AR4CMG6DlWIG54SVb0Hg/cG1jFNlHIrVKXHCPmQBXR7B2LlqroP2IHy0yT+MnZGugOdt36w9BZnDQOqYGOZpFDVYOHlXDdxTVwwJF/ZuWt8Zo+WszmlTPswRJfQ0mxmP4LNzNG8tIfKP/ZXZqkkVmpLLy7SGG8MHGqgQh3b5DCFVJsjaEJ7YOm9tSIHEFP76ICb+LJrs6QZ6ymnGR3X+2vSGmoM1Xrb21wdAdfbL6Q11F24uu0Y8ICpaTZ0xzPA6A2esaSHZWifOjQJntR4D3nrmE19lozUR9vM99f32sy7TG8Pki1qsCab4bTBy0CrA7q+niTsaKOPdxG1XJotVd1OLGP4CmF1GCtWoqrGNZh+xJB8Bel07VibosDa20+f9p2e6mAvZtNje1M0dM5U9mnKiQOaS55g+eBen87eX4ayFq24rnFEeCJFA9I0YQJ8W0ecJfqyBtdQY1//gzBdDgkpkYoIOWXZqt6TSOu272051YoPueypSB3nYFnS+8LiXCbOtTsxFwJ03tMKj0RaqOtZK1t0EiCXtLSUCimBxKL62BliGNDtyM49CMg7yjh5fZusqVhBKDV9fnVNFOhcCg2ECr0FRTRMDCWAQOubgZu7SmS6bMGKtN9hGBcu1B1rDB7DUjVdQPzfCqpSV0ddsRTCeK40jDY0m1CAZUkzPc9p0am7TeKwlqoY96mgfKeZL8/0jgq6cvWsqsICswaGEbx/4nlaHFgH9E9Q5DK4XD5MMs4vEwOZxipwV89+eB2aM5Dr66tJuNAEozqqSfKRq72Og+Xq4yxU22uNMgKGgzdR4iD66Ou/GlBV+4lQD2Lnq/0sfY+Iic+s/daa6jVaqZg3YYDJKoGf3FjNiggOPbd+021o2Bb3PaZp591+FdGkcTkjquAw0Zjh4SAaGPerM00XcF0xVvYNsxIADqhTYZjOaeaEtmYXkjFcW6pSSJdYtkWf9hSU2/14E6B9TbHemL+fT3lPFM0A7whVifTdcUYgAaRM3/S1SKwDe5ggowBcoEeHzAguiaR/vLGCM9SP0DQ0803CCz324j0wxtSVFdswZQrKSRgrNLacgFDTDaiUYRXOfnN9StoDDIPZeqtnXzvQSHi+wILkSt7ugoF1IhdfUQNbOqxVHBrD8DdPl7C8zpfIbDaTr0vRykemTsCo6g0U2ggfpkNCJtVucmVl11wDq6SF69LgG2xMEQfW9EWu2HBxyQdheXtKZoq5Ts9TkMwRu468PZ1a/3NN53ge7Len5MMkd/WailSv6Q1aJZZL8rYzxAgarPpQrsuXE4GIXJJUbgWXNJ2sgawXqZgroBrLKvoWqDILoMZhI62hhnGx1Rox9eVtSZ4s6UKxhOgiy+gUZWQtsSJs3kptpr0WjGK6RTa/ETZBaGVJlif1mghxgdQ8RjPX0Nh7ki7O3s2md8iyGNGqZ3rBKH8QODyh25WT3uWOK9wTV9lMGkmivAKzleqGGEWXS5b0jTeMTcx1znBW7GJ2/fqMMLGQhUjJ9exiCpzEodegGOUCSQq4CKMQP8xk2btsWIqFKpi63r27no7FvkrjeXoPtuWUQ/lGTXxanl4t6h3Ta3+xH2aySY4JrDZR5YlnrqnJJN7ga5tjWVDeK7ZigrqiAyE01w3s23hXhqXKOTIFcDv6MirgD8BdxMU9gjzxsm4OArOhnKUZRbI/21fo3elZpXy6eN0wKHn/aQqLjR/YX67TlKB+hvhE73FMNK0OjxYBzX/6H+9DBjRQlUwoW3rDsEq7uSJzDfKDIDgVI9kph7sPL0+v7CsvMyZWe4lFkMXOwARLBadCFsPc+2G4ZGG8rHIALqBY3mEXWdWkPwyDJSA0zDlDa4X4jt6yrMhqxQ5qHk5vDbOi+6VHMgXyGNSH1VQMNtaQavEBvIRALhtDjiATSIzK3cMG+REQIxX5YvZ5nQBFJnREzDzw8bi0VC3Ldq01yWw2O6/VLpyCCin591Kuput4Tr7CwRFqBU1J3+Nyi2jjeeMtO51BBuGgSUGOJWY0me7YySi3isI8pZ3++iQSs7F3OgwDKWkMdDcstNoMPbDuV+Eko6JAkq/fWdI0MYWa7NfJqDagUm3QztY7N0L9dAXOtJbaeHk7K7hhOQciguWlUhAmnURLX6sEVUfwozRUhdosXFutNdUPnAmkrMjwGY4fZ2owdwbD/uQHoQk+tcI+CCEr0jnYmJ7WqDoDvc7Q7LtVTIAdZmJt3fC6IRYk9tzHDzNRJ8MsC+Oq006NJc9WmUFLU3A9hCsJ2uebSMX+hLSs177k0rXgtAzYxYEaH+4x5aShnTJv4Jp4umSK1lJudnbx4vz6uj3GCBbBjFQv8OIU3gLlZk3e+YEm1tEpYeFdwBasaZXAsxyrbEzFpd7Nrv9zAhC9Quw0GQr7kFlZ+ftqoh8gM0hlFt/RW58ykTFX8ZF8EsyQz9Pi8fDO9rTDLLBiXF0/rXt0+BOA2fUntPm4AjMlmkXAdo7ZSP0KtmXYkQz2/VZuyii0ZqhndGQtA8zEcwRb1DZEFljoQDT5xntMmI1/AqrJzX8EbDWXWIVMYUuuuTT3WJ9bY48hkrDkLVUG1IbymsmqMjba4Wuy+MkEwEtEqfdK7vtZTnxyhWRY9mPXBOiqQX8QhuQpKruq/JHXEyMTLSBEJlXhaXGqacYIyVNUTlWha49yByJMPlVhKpnVVBYheYrHsPbn6j5cy0JCMtq+5ym5vl90ieTpNlcSydZmAX2BBXnjU09mSk6LZ5Riy7AyRk/JktOVy/kSqe/IyXzg1+mMMB3GnpyPLnNQqBWV3ufg63n7ri5TohstJtROj3tM07s8YhaQ2eO59iayiawUt35MB9Xk+iOyMHgRcu8LMy0uThYGL8zForhHiEtOtYYU3+zrx5lq9rXf3mJpfU6jSr165QaSKr1fXVe8xrgzatZELgmXMvfNwWrt6XzYSVIoZnYhMnsCVsDK9v1yekVkbljG/gx9fGEKv7LfmgsrVOPA+jy7cmMQIe/TiD5fUw2vEHOfHC43yEQumq8lasjCrEF/GAaW8DlTMgE9TUHOJWfJDk/Jmzn6E9W7XErEIrZ2Z6TkUw+JHGk7/6DtuZQrUuRc0pSAUlKRaXlw9lsLGIufeFhcdVgdl1gQfC5GkuaIo+BgJB4PAxpMCdDLlVwAonX8kombym8ws4NVhvJJ4JK6rTYqsk8fLks1pj3OXYAMG7mDUViTHeF+/UnylirWhvUwLuWJTzS9BijzDVb86SH24AAKMRWzXCSfpHovVIjvSwA17YH5akfcjIXnPSgE9eqafC1Am7KB6dQaEV8LqvTNSMj5g5bo7wVVVBgmgNhBCNzmnIqJ0tvXQhoKtwlAitW292LpR3GhNgsAQTrjjcPL6HCJlsNDncsIXo+Nci63kJIXdcM6WzpG9mJBdfmRC4R2H/jgaP/ZxIngXZO/u0lMCy1xUAo9st2HL6rHUegDVtJ99MPd8BVNmVyg9X3/YMmTxaS27w4KlpTvgUyR8QOMhEsNI1nEUdAQy/q8aTKM5/5XyVVh/zgZrO9/hZVE2IN2u2bJmpTD3hs0VvO0KhTEg7EDTX1VFN2OxvE+8BpsfZTs/cBgRRxUcCbdh2STpsDRlgYSYBtIAwdrjjQMCrEYwikHZSbXQFABP87Vu/b1aW5gVxUI7Y54JzbkIp1jIO9TtFNhyUwhyrZmXLVPppq2hEtQivICq5VqrVdv31gjwDI51ifr4LRLS5bMZrN71QD3aLYmH1WGH8goHDIXeWBfpEIT2qhPTBpjj0C1OjRmwqizvEyTHhV8xUTi9KvpUOy3MU3P7y9m5TAT7YoKdMGRQgArS3h7lGE0aBWTLJaZw/JqYqcfpfWwA/Fh4l6DdXOijQKxcinhzqE+pRWL0lrObwDJZ/7h9Pzi0zW5vn5PqPFdpabLeQUHREGv4DAxTcsCQbz7Fsi0i68TKgSWAFNr+O+HIe/eXU94UCyo0bfkcK26BDLtudCJxNqjWiHx92Uh8evGcMOogv/1KGpUZ7ARWEIzwzZoyK73AziDeNVrtNaAdBpMrOooV6dnDuXkfA0NwiDqV9d2de6lW2n4igXlawEigcnRa76UEtIZr8IGdNVrqT7YHaBGykg9VJe6T3zfHY2oHqYHn5flUd/8/fyKSDWpFosGl2UyR6vo5ulPMl0ELFg2xS+n5/eEY4ocqYNCiePajjGxc4KGDeA9Itdt6sM41jQHlSqZq2STWl6FLNgGdqhknrv/Cwjug9RybTykdaZ9KMocFMvtr/FgnlfYLNIcLIc4ECie1vkx1N3xg7mRyTOPdYJ/xP/KnsvjIvTe/nBeg09nKlp7No+P1o56P6RMrHxAFRaDbkH1g01j1U71RXo2mtL16eyiPdwIrD8xHg/fE8ESv0d1KrzEC5dvMVkCwqqQ04xwvW9ZTy3uciA+DN1VWc627jqU93TEaXGn4zAeyge5DLXIQK9zqgCrG/geqyt20RpqGBhuodtJgfxaJXhd0kMF5XvE8muV4DZIb0OaaDHVKkHN5AmwJrdF1yrBbO4d4Ext6q1VgtvUO+BZU5WGbr3TunoHYIiJPF1kE/N43ElHbOvdOeiTO3prleBJgAHWNA+OVglmt+yAZWqjbIsGrVF2wDKtR7ZFcpRjff/22FoleB2nA6pPk9oWao15jK/Ppp5htCPzH1RD1YnzGsw05URz2ixkGRXT9fUlOZ1YKFNrPl7B84E22nOHpjnEGJg7oiKioGmNMQzHUMSExr1jzdWokEK/9EW+pqhuZqxbWwSxdWKhem0oWsHCf/nLq5OfbsvFaZQNHcODdXhO04yJUDG/OcwoGqyaGVNLZWjDDFYL7dPCyLLLghuGGMVWK5gUl6WLxR+A1a8u2ENaQ4xhwaxLd9bIvr0uFi/eudGm+heLRVtsjArv9HPfEGNw8KIeLuWqM8AIEp2zhMmROxYr9KEaaWr0w9beB8REvKo8XQjXvFfeud6JBLWiz8c1uEHKKmSuQK6pKtBORIh3zCp8Lm3pAHS6QAyUDNUoWkMMokF8g02rsYhclpUIjQH1nLAlEVLAc/tFUbrnJiygWSugiCGcXy7Or8MgE2Oo8HbT1SkLlknYTLJJYjEN/ywaObXPu5HIbW/TWv+5Q3vfGmmwHD0fLWmSueDziUBCxAImntqz5Aeb8B4ZRRNAD+lIONVrP9YkPdgoKlKG1b786vSjG0FzWqWoTsOEVifNlZp2I3j9f/IqhTmgNaS8uq7azzt0/B7onMh/ZA1jCq4CEi4MQmerN4zDfrkKKItzT4muMoUQwLHOl1fe/RjTds/Dib9GTSSTFwZPJGgAmsgK0MAE/W8ajALJQektGq0UnE8XU1G56vSFBoXZyfGTqOEri21NbelYjLV0fFhdD7m1OIo857vmMMNgFPcsg6XD6fsPa6n+4bLkSlOufgWIM6wghxqixiBjmFBP0x7P5DOkEHlSDc/ESzdWpiCSreOTds0SJwiVFs18KdW4ov4gWPueX1VZ54krZTJUF0sZXBTkuBxU6KW02JFPH9/dDXBDkcTespzOlKicDc3x2oLsgUzsDYKra7b1yynd10tE8wwaymhUYJ9bwFpj3Q0O0evRxjbR8/GkSkVhRv4eBsgFzqAlpH8uuABFF4xbBqUTKsKIE53lqDENn6fGMGyw6kOVWzZFKdkwhWUi/2xJT90R+10sndEDuTgnzwrBvhbgRyOuFz5bMlATguw3kuVzRG+HSzzPJxca3ORYp3d2Vf/aJCRe5cTBczHTkJDPuSAfvWI7kQHlAte34twqweZt16y1BsPA1HAx34cd8g9vJhuUNwUXCVbboiZzPqMGVpOMyxYUGgdoYJqiO1o0iI9qA89EFrlFM6p9/nI5bVG2/GtBOVo+nsXRHmAMDGrQgAUzOWRgs803nOKd3y8z8vny9GrSLm2RWth/eVgL+y0VMjc0zxGdoqdX5H29zvppnvOq9M4krXqL1Wj/i2+0v5IHrh7Qmy3kbIO0ckBvyBfIyYVghvkF++w6vt0N7ZYWZo1Ypva/TguzvleR2tvScIsJ6JOGqfUTbtHSu8s8vf/q5Qzd/ygRhb7HJ1Xc/knrsZMbUFvFTPAz/VMbdncBU1jSgpu587z/TpaUNzp7jczGLmIpS3UaMpPtGhR4u1i4NVVZWeliuiA96cxPaXqPybQP7x1TcX/Wv9f+Ug7rULezModHHxq/b4j9IJlus6CxEcZPfGNXPq6ZdiXymPYVXY0kCc1NEdZf0e2+qfGaGpLIDLSdtMvq65zQS7ki55DItHW8q4l4Wp3Lceh0SrouBqWvt/xDCQfAyKsflly7NU+kMCCMC0xiQhsqTAlD92LsCfOZAjDtGti66JjH5Gq9UxPSJWlZw4KsmdGEkiswX5gRli2F3T/pHI1qsnotC54SARtQZAHVucup0kDegaG+DOhSyaw21LNLudIvZzS5AaN/6JA/ZwoSw3fPiQm4KfkAnln4Ey5qME96F5LDpqPUTlnJHhGhsZLnkCvwvj6LJIUlE5ASKbiDZeiCA8lo3o8q06tukEvMExj2uGwSfHH+ky9b5m98ZTPx34JbmhjC5crvV/cVc7NjTpzwp8V9z25HTpVhScGpcr8PG3syeDI6pA86KX0no0N5+KQMbsnmuHvy6v/uyfie9JTPi7QhD7u+cvHHvDfX8Mmg6zZTeBLQFPS6zZ8ENrtsWPf/YcicMyvrFiR4EuBokTIzTzjtNMx5EvCgJw3/SQBbJ12H9pMAxsRhwHAlppJzPN2TlgI9hHvgLtsSII2pQw3INX16Zu2LpVnAounIIR0h4WFaREsO6VC/Q4sYXsUeP8IRVlHUrCq9y+eXqzPNSMtHelbw3suXHEOsDk7hvTu4mn/4066p1J5JkdjHgRr51DXbAXazYbjssL66Z3aYqrtoeSAv5Yq83oAwZbGFQqSgrAqiIDCqztSX7BZSosFYIo0fN8fQwwpLuQkd2g9WWKpN6JC+16b0mdFj25cOO5ided1jTe63BmvZidZFOJdvpTZ1FsnbJ1KDSJ2vxn+o+45NzYb07axvJ+xoyup2fjS4sBezzS/1dMre695e3M7sjfxWF3fzG/by/vY/d3l7fMcIvKHNF7whrW4tSwklK7YBURnJvl1BwC7RYfYLXA0kfYrC37fh0Rg0aMh8N1ed4vkx9rruPHQb7Oa92LlVfu2HJjN3kZ4Ha7ahrssrSWiXgyyAADNrUOTThTA//UakIm+4pObnV8T3lAyd/hqN/++Y9yHi7jc8b+cGxVM+I9gXknZ0YFSAY9pxOfI3b2CQaktViibU1Thabdr1lbyYfW7Ie5Qo4LQbIah9zQ//iAbYociuO6naL579f6nYirm+Tv43TWnljnXAkr9GAiMuZp9/61mCAL+zEg9fggpRd5VjvD77g9oVHA99fdZAU1BH8V2/dUORi/OHeEk93rqz1JE5zFf6pI1sPJmj29loKWhd7AUtd1Gs6nImOXexht8iA7ar9wgxN/bMMU0Sv3SQWqQNQfVSdgNVhxf6CWp8WbJ4KqJqJrULdsukj9ftzL7sGMk00SzL+S7sk/2yS+sFmqyJZimQZ38hZq0K8urXX38gW6qJBhDVKCMr8SSE1wkroXMpNOAtRfLNnApXWrWyKVTp5/Yq614K5BldyA3UFoOJ3sjKkr1po4Bmg/cn+WaOzSMvFaSsaMtpMRbquz7JsTIssCVh5h/Fq7/89FftWfrL3DHQEvQ/OrP5h9UHL+kOFHlFXouE5roIxZ+sSnkvvt5H/YHOj57Yyr5Rfn5F/s1O9zn5+WfybySRysrLvgiSH/Q5+V/c/G/7RaZJc1G+691CIVN4srqu2MI8oZwvaHKDKwF7cEIad22o8XqFXUQQaS6ZME41abdTKYG6wzEHpTodFqLLgzqHhFHuEDuk2khlJWux81KH/WBDOUv9wegDRchSFiK1LwwHB56JVRCO7gxebN6IDuUYvsBwHUbcRgO7sOOSpk/lnQtwfPOlDIxiSY/WEVTh+pedLuyf+5IJ22efmr1EK5fltp2Qt3Jrt6arczJBpLLKmJHkBiC/Y9GexIv3jSyakgloPd+wdJ5ieV1fl5xnBQIUNe6Su0JXNb2wrF1ycd60vYseEwfLmFW7na/cLYafRbjqF+dEWW6tnUHFLRpVKzDV1+5cCa2Qgp4efSV8JNz4SigUV1CX8V+cl7bXD65bwb7GpgL30C52Q4zS/lM6Yr4Bx0vZb1bnvFOu7X9McIdmHbH/SchmPf0KY553d+vsGxDOennqSq0lPCH/PTyMnr0sWafNwBF89HZUqxzNzk5nQfZNqLDLw7Jcqr4Ggi5x8dsKgyiehvnjk3+qnCLe30Cmo8oX+5/sFXYv5zjN/IS8+vU3snXrngEVhHLebytwRn0nJu3tR2QLCjxZaggHqg2RopUu0lzERxcTv+1F7LmrGG7bsHZfpErdwrmoJkjWQnK52rUdcUumeip9/kqSNVU0MX4R7aXeOfzOaC5IIUJMD2/YzAczamMndHtHPaYTYcR36TSKzAqZUpRuBEW3gzzNcdaWWEkTJ7F6H4UINgeZJIUqKWpDRUpVSoRUGeXsz774Xqmy3vVJQ5TDwUski0XnSbrXIu1RV2BecrYEN+MeBV9DIkU6IGDvt3uuDaadZWRCro5LzsH0HoBBIyp1ArxRrMUGa/lmyjzSQb62Y/ce56Gj3DyZg8cvk8K0+0s9tJJA2gmQeHDRA5E+0sK/FinGsluSf0qBXW1hhC3a0UsR04fXfmyvcIdFod3oU2Lg1oTLV1awLNGlY3FgPfv70MO2Axprmvs0vUSqFFK8dzAE2YRnSlcjljJGGWlTfbHuX+++VkpmJ45q4ZLydQKCKia9WJ8V3LAXhoEitFaDal/LJqOCrvpScwnhzr1T6oselMeqCTPfayK3wnvGDM3ytmUwIHb1pJXsBh8xo0myZla7kSnoE/Ku0MapSXWivtXWQFwuNXDgJo0ysOXS4t7AMSQht8nlgH7tFCxBgUj8gaBWtE7ZhqVWsml2NaqW0jKy65KRfWwtXv8kb3OmjjbD/X56X9CtPYnM8J2frLZMz8prFpQ7oOO20YibPmjCeW65ccXPTjpDVuFksojNgbKOIPdQitX6x74qToL8WkBxtKPkeny5U7Tnj1uqiQORDpwbB+6n2IsaUShoLCgCT1tlBuH1XWUYWPM5AtR8jiE95zFZUZPoq+hUEWSl2ivyOCpkS33sfWM6z+W93pxD2eZdfO0QZ8H+gWhVQ4htCOrt5/FwwVoXHNvtNKBFycIkMoOXHkOlvLiobNkthE1F2W2krkAOHBDYgOpWIj7SxMrRQxJgzbMzZvLBTV7s1A70r3SV6eJKllPtHbBLtld8+qVb78wZqqkSZGX8aKaeDahMjCzdJ0yUJqo0OFl6cfc3fkDbhM9NLb2uCUpF3l+H0Fimy4CAtl3NjV/u0FCWpM6lZhEZx6Sz5dRpkfoKUy6Uv7y7g1V4Cm7meKWL7smKRJGBYsl9eVHv3I6QxTYysXomW3UzPFvy97sztdArhd3Nt+Tij0eoXlO6dmW3f34dGH4ueGe5Q9OHEWCe02PWqvuueyFD1n+9BbOTxsrYYiENoWQdKl70B9ByuZqXgSqPwtTLg3hvpn6MmikN3rcvRe7ZR7/gLzlLdti3Z4QvzByAUFxb8N0AXy44Ztx0/wJ+KDg0S6fXIbmSx7fYEmsF6EJ4e92+HipNU23/5R5VyktAfQVg7nickzUVK5gL2GLzgiHHJWxrrn4nhBij2KIwUOMQ3Rh97aFbab3+/PWzDp3TaMyuWjnXcPj4N8cpgu34otD9uCa/9Si3LgPMLlhZcFDvY77UBtQJuQa/KYUGdUJX4Ep5h0j3pVQlhg7tkoyX2xPfItb/vla3QiqyUHKrXeM//9ekbCxt1a7BetIX6YwqE9tMVxGObVEJd0p2skOPdackTyuxEetKyRyCQxHrLT4VhHJQpoouUvtBw9+8eyuwj1oRABeE1CMwp0RI8UJBDk6TGYt+6GvoiFtHv1DKXphKX3E76eS4l8x72Er3T2dmW2bWQVj2vJ6cuwEXLttEECle+LYuIy+BE1LmPYIj4rxpzRn40gGwIOWSWO5gGOgTcr3nKe3GBvXMKhzEZz6dr9BWifEpoz7YJg3sNyw8LZtz+gM51EPV/YRpu5MhJzrYN6zg6z4dFoGOLv20WrWRblkmPKHs+7sUL4vy3KEgVGuZMGcvtbvRq0+6DbtkN/A7oSRf7zRLKCcp0zfPSa5cT5TnBEzyfb+gTBU9JPfyng+9z7NRNAMDSpOcalfFS7tCDr4WQSKzzHIx2XDad1NrwCSj4p5/Dx5L4qvtIcLD5Nl3IrO86N5BhG2jZMtEKrchnjaRIoHcPK8iKQYXozPNZcH5zreXc8bP1De09VxD1AbicuDpqls9Y4lLI1O3IuElEzeQhlygMhCdamedCgqK/eS7CtoJS8c2jneqQqCyunpnJ2+WaAMo4b2/fixc7/NgeSXX3XI9ldMZVMbajZ2wTaxhTIfWn/9xSfvnyJK2b9x/rCm/caNV11hBWiRASs8R9JvbNChG+bznNUV7RK7dkKXY3H4faw+gfWEG7QKQ3OiDSg7EsBiH0e1Dt6Z6Xd1QKxb2ZBkWydpH/pY5NlWa4VlJqVUizE6kGuZEq8T+qvr/bqYpsfxcEOZi7gqRcKDK/skVwttDCwmEwdqpysTOu70Pnvn1dAR80i9WIrMFE1Xd7PqDFdJG1T1eL9f0+tiWvro00m013rD4HcdB2nMlzvzovibjsKXUa3DopvFq+byV+eKcXHlO8ywUbiC+215I+rXYfuiXq70B+jFs+TXz88W5W9KQ8laxia71oOmR82GAfgon/hBZXrBlul9J3egdZi37plc3JGh7cWHUji288n3EU2OX/qwauN4VlAxIsrHsc3dIshbYK5HuJdoTcubzM0O9U+4/GJdmHUDV/MZP3wVz3KIwVeamNNVjVAjXItUZfPyDspVkQxWjC97JAvRFGZggOacDjECD0Kj1URobWhdV/cgnllNZCaPML2R2n69fXszaMjQJJWO9RWEoL/vAhoKTcyH3nhYPklwIQ67ZSlDHLAaOaC4VZvHa7zv8yx7SWSm7SVfV0f2nBVK7y+6UpbLn4Fy9/0iYSHiRgmVnoZGt/fkJefb6lmY5h9/JzBtEPFnHvU/67SLOM3d036YzTu2fln5kTN9YkfsAXPdIxauZMa/C0/CB6ZsRl6tRbLUChdfCrn/JPtd9AQGDk07XCvRa8tSeHq+rD3Qabbjej2BZ6PreA1d+9sHLGD9UxTguzvvTSCZ75xOZ5fMjx125XQmxV66Nq7fv6WLxwsKRwuWnLl27GZkWyZCWFsTSR4oaqyOvuKVUrvKA5eslvoEucVSlW6oeJ0KvW1XfclcaHiI7iYHSyM8sE6XkHU3Kesr9wq1lQUfVY6R4UQqoapwLeV0zelNrBVRHjw3WhpoiluBc2aMo44+mdtjBF/KWsPTl8PtlX9biGAgtok+dwsf+LlgU/Ve3fMeQu+91Dvl5t+/eIc8ZE7KI5eOs5ZHoVfQ7ZTlpTKNDxyL7S2TC2JUZG0filHPL94gukgS0XhacvLbjk0SmoO2RKIv99msWTKRwG3kBONPmMMnzgbzFDexUMVWCWIBy/s2MKsZdBE+PBc/738WKULeIL+xve2cmEM6hXPjiQo8kEYfRybMqnjMHpfOQdOs5TGfJgoiwD4gvKzz9MJBk6M1c3fcYO6DEC19VkFewVflv2w8pE5qkYCjjPUaGhSxM7XcDU5P86LGZpcWWVnFsDsfwQ2ogyzlaNM8pSWFJgwsoVL4sffghWtNKxRtQnO5cIpeR4XElz3pupP3Aad3h17Ass8C9rV4bZgpXmJH0TmyvG3QLNj30ukb1YtXsOwmNjRSBVyUyy+x9wjlGZ546YbVg31zJDUu9/aysIpeBHgyESmVyuKPx/tayN4zvpcakHpfXLxrc5i7o6XF4fTk6Lq//Qy4OtDsdPL3/IxfBAdN/u3KGVzj33AUU+52/nl2Qi45AVYeBVrU2ZJeMI4iY2FVlw66iKtL3sYeF2Op+4d6ziPlCptgZX52Mu7bQEbAQi2VAPFrHr5bgXQZHyDyvmYBD6rAPoK38IWzF0sqVM2DEy2JrjZ008Agvfzwhr5p3XmA+U2V379knXz2ndES5YI1bSIq6FcGHfi2gL721rMI0FrhxBENIr1U8bRpEquxKuqGM064jg1SmcOLyK5eg1ECnBX+HDrH1x/O7BWUlCwWgvAO2M6UQbqDZ6mSAI7JsvijSdBfdPsOyedQ8oBrdQsNhhc5HrVTxKSomI1Y5aKXYzXVxjIQEpuvRq77mKi1SZqrMun1dtICor7HdPmPDs5K9e2F8kj5KLPYKbo6mlZ99fk2ehVyJzwW3svKCcZfA4eLAXt/mUttv/kBedA0Nou2FuRFyKxqKkIakcMUsNk3qA502E3oEE1w7LPSszHK/CqlJl7CiyY58GlTXOFso+hhJ+WHgxhIzQTLKxFLRDEbDMXKqXNde/DoJDeFy5oYlVzL1wdH7soC1qLMeUOQO6cuFCtiFwNKQmnXjrmBL3hbCqZLvZAqcPGNic/Ljc8Jk8pws7L/A/osKynea6ZMf+/2LJsnnS047nfNjy1BNCf9sRtygztbl+OSubH4ll6OFGoxERer/ugg4yzIIGpQ9yL2ANllcvttC9vndF6qAfPQBwD/++Pndl9MPr3/80cfcbqiibPBMbqW6iZmyfOcF+1IOWPewDRrBqIgtRIScnbhVSqrngCb2udghqDBLqUBolsRkIDVTEgLiLL4VpMc/EIvofEtZtznxg60DrvZ5bKL2+sROUdfFAulSmEWqjYqd+e7ytdEMYvW3NNo7WuZ84BlJD0122TcG64g0Idlkn/cS8l0siSUbNDSVU0UzxB461d5qRD3TbKf39DPlg+sJ3t9wYcEH+f9Dd9S9yOw7/z3KEUtrNvoAZBTkoxyO0o87hk/KIwRtNXa2ppc+M1VEexll5+pk/uDMbp2Te7dnuixZzY7hD3NJX0vKuF3rspjLLPCMi/N6bpurxGXVQQOrnhIGw1GFZcz13IqIB8znkMBrF24dso/OZJYVom2J6qAThxVueii6K7g1f4N+mbrCpg+TrB+K7ZqK9D9kv9dsj81Qww7hDA9G1x24AU4XOmcJk9GiRI+lwTv0W6pE1+nw1KFrkeVzicWMr6/ezch7b0fdB6X2A/l61FCC679fkq8FqIHarQUXcwXtSp24wQ01g+iOfCiTznrDuiopPYn4kNaJythtBCzR/CDD0V1UTY9z7MF00/gNGiinKkPYLUsWwbxA84gJyBXRIo3WlbZBM261qwbplJq2VPhQugsQyTqjKlZaSUV3l9NO++IHe59o0gmnikJzvo5+FhJYxk2gqggvV67UEgJZufgDgWpOo3fC8BWnoh8v53Sfs9gPTqjcloEVPaODFnOauMYo8dNPLG0tIirvNcKLVb75RdyadfT3PRHzxKh5qqPWXa9Rt5QP8zxNILzhNDrHEHMQKyYiJkV2SWPERov5cq63zCTR+YeYL7ncaprFj12p0xZmg0cdweuSiDkTmOyEiRxUtthFC3jv0M6TGxziG8oxzgrL57mSRs7ju6Qc9c0vc2dxjE+bo91NLlfzFGOxLeH48W+JmGf0dm5MLLNBk7A90RwQHoWMCSTQTOCBzrme8wWfx3aLNmj/BZF49MrgNdqxayHWacfO6q3T/hWR9m+ItP8Zkfa/INL+Kw5tI3NOF4DBUirq8dUzMc8K7oTvxQ7hnSyJ5zcIcklWcLbKchzp20qZlK9iByEFygxDKNHwNYlvGxFz7QMSEXZQqwRHm7SEcbRJvdNFjtCLNBFVWjWKqmqksaoH3CKwECONVcywaDu1BoV4IditoEJqSBAO4eY3uypIj8LmN5mbNdAUwawms3yecAQbtiWM4CRxdNViZ+KbRS1ljUI5L+YIPo1EMcMSyhESiPScrkAku4hRV3XagvLdn5AuMHBv5q4MKAplXw4GB7UPrEWhvljlm99wbNB6vmDmryiFxhI9j9srrkVYyeisWqNcc0cVEhU/y017G3+0Xls1wmDW3s4f3zjiiTuxD4W4ryYfr4JcjfaSccDQYfR8ibGJbBkzObtJGEM20HOWuyDFOQqrY/nml1SbvFPMPxJtrRIU2pwtAUON0c7QnEHKoiWMNmkzgXNKMpkWHHQiMVY7EGcrBN4kc72lJmrP/xr1vgjyKIQVrJg2isa3hOxpI0h8CnKspVZoa61dJXKFxF99ZL4/4gjUjQKaIQiSPhUICzaecL1dS6bnvsNsfOo7qijKAU8HEmFjUN74/vax6TJtqIje5zjVZlGoWM0CS6rgewVhUC2iY40vR5c5ybHJus4Ny/jNrg+tNDBGc0XTNPYdYGlst2pZOgjhLWLZPFFSZihViSxhBDWNZXOc4MhQ8QhjmfOb6OWZch2/ZCnLda5YZKKcGmaK6NFnnAmIV2JnT1VH7ahT0XXJt/HNWlz6qqfzJZfRn/OKOELIv9V5o3MdSxSB41gdGgFq9NgELlcoR1esUC5wLv9/9r7uyY0byfP9/gqsH07ShIayZY/3xuedjd7u9rhvWnKvWrInNiaiAqwCixihgBKAIpv+6y+QQH2jSDYbKEp7Nw8TVpNMJL4S+flLGVqAFcsqj3HNCqrSGGKhUFEObIw+EJxoAFcKTje4DLcA0KEz/izV0Ol4fLsNbYFEqSgTtgF0cEtUhNeMhKR54unH9WS6W05k+DerTGxT3uBkg3ambsnaFq9RDlmEwk3XEye0MHBkQ0uDMrGOpODsYqXMh0m6DlXnPyJNHkoaPBBQElnkEnM9wtwNQXkbhXD4p9cikX34MOgCGoCwFHmCVRmwYUCXtMShqUqCWQz9TpIU1sGijkYiHn6RDeWwEK4dykJmETgO78hUEXzDyvqGI+QDKBI6EcA2PI5gnCjyKfwB8AG0BqMawZRSNI8geFUZ2sumZBrjHsg0C65IK5n6UHEDENbhWmx1aVYqOKrmJuWhCyW83WKfStSCdIaevs51+GNliYaP6DU9PUPT3ZXB0VqrbBklD72SLMJbWCkik4yGrnqP0raijgzFWAadKo2L0N7gTUK50ngVQTPYUKljqOGbkkeAbtJCVjykm9UHi+ZBFL2otEDvKo5GQzfZIxGb5f2KGc3QpSQZ1egSy8yhGSqAf/ezYztnRVylqQ6hQAaa6CPAN0gFQ75SnSYfgvJ4K3ddlEzsyKix4MH1W4kqGKj3kWfMrKH1GUG/M0ly8oAKPARaaGOxPK+GzUCiM8moguYM9ehu6wFACamqLIXUaAw8itB2jTWiGpWSrKaOwhPSch/ThMK38M7qaFhAlDtk9wlcaEZ57I78HVbNaF0+FdIiJ3pN5KL9vlqLavSiIcTJhsimHZEWqMRSEfSGaAwdwe1dxc0SPL8VuXp1Z8teX6Ar1+LrJdJrT5ciAAN+R1zrY2Cbo7dE/0Y1J8q/z+NDHWXxVtCyu7lFMLidrCJYpusF5dTLH/TcnQFfeyA+oRcGJEO8Yrji0Os3r6CPaw3i7gdwH+C175lTfDjuZk4NCLfrXzxh7JuNSALWNB2HvArDovfkQcOtmHIXzNGNekIgtY3r3kKHas4mOl4Cem7EduCAn6uIRpJ8qojSe0C7T89WfjxWvlUZoC2PHdVK7KFHqsk77btT9vFkOYLYWO/vgNCufvDOPGTv/8P9Dc1gN1e1UICx/WcDrIZwSbyPPMLmcVliRZBN1264QaNb1eyS+8V5+OVNK/iGcyEtfL13GRHCCilCoN0Z3t+vSmKucDpDe98RwrQdmoPa2x6atJLQAW0f0yWRBbXqxlxMt0Paxhx0QxnJCWJkQxjCStGc241r+/X7jz5AMp9RfsP4e0768iydng1nFaefKjJsk4j9l6/D72mIiad1Qak1GprZC5kKzgnkVqAt1espQYGQpzKk0dglOam86NGmhVlOkCfNE8VETlPMkOFgwvQBLs7LHQw10abxfGtXrnfKz14nnW0rBlmtoR94zChWyVpEtwmsEdeYa9BLpW1qZKRitwWPHw8A2UtjuIU3zTViSRnBcnHBlDCGeO++XUGwHP3sfrFAF3zX/GtEXYMtr7hGOFukoigrTaRfDEdx45uJxTPPvhruBfRY7G0I1f+oXn/9zZ+N7XvV2Y56xb7ysu3OaRI2Ynas4wbviET/2vjk1CvHBjDnv/Wh63/in3ne8tw79Xv348Tk5UOy7dmwYYoZZ4He/vL+2sydSGKdJ+AvzahKJSkxT3dGq3TqGRvmgiBYoZfo/Zsf0A3X375+iW7eXl3//Qf04Ybr779Dz7frHeKE6jWRKF0L5VqlCSlJquFb33z/7//y4pl3RYheR5Rxw/UAmboosL8dj4p8+h55ze/tWbypmfJf8ezzYrormw5wfiJg3NEPvI/fgWLaWie/UqkrzNDtxVsvs78LTuL5sk47Gf8lOFn419aw+8WIUJjIYeEJW/A5vsF79iHHmmzxGVqkw+m+QxdZJsFPa0+5j53m6U2L8tQ451NjITeXb+7sqzQZHiuwmjH60XMqWU3Vvd3o5s6wMuH9Mmt4YieIIGtoxp5ew1oTS2x3rXkFRIddnGXUfBmzNmDb6eXvf+dmPADGJIQLLtwNv+ofgRErba51FL3u2CcNo7eOwzshdSOSR0I3gwAbbADVu8OSV8289nY+lOf1Y1JP683UwnPisxvn8uI67sDyxUqJlBqV0/qNRjoOMnJZYp6TRWM6pYKvaF5JkqHlDmgSnkHWkF/OlCdCD4yKRie0Ze+gqwh4Byyg7t8t4QruAJCkEJokLrM7fJ5R+KXNuEpwYlPxI5AutYxDfBXhSKwiVAuzGNchFv5JGWFRcZbUnrh4avnQgjfzWAxH6zoTzqDBXus1kZxo9H5XkpfoQ/2M3YID7Ft0VzvARi/BL1OaWt2qZwZlYsI0rpl2fvGXCDPmVSbK9ouQ4IYlJOZtiDRvIOVaIKXhMaccfbiZFCgpJMhGk1fBRbYhKsoIbd8MYUlU6IxeQzZCiYt9EUOnooO/PQK3trVCwgjPg3eKBJ6N8hFRC53QQK3Kg1knAMNRCukEK4TRT0JusczGfboRusgh2UsibG78A+TSLYneEsL9qmdg1MTHxriFxqwbqrPMIICMh8yI0Qwpd3mukJZQUG3Ekmux4Z/ihmE+Rxz/CAdlnSDScVGOJth3WbaRlI2xYHMwYPsvT+hIJUkBhWATDg/uuIg9lpqmFcMSAV40qpl4fv3ww63IxWrl7/5O0kSvSfTt7TH73gxob2OH72vDt2H3otJrwrVLFp9kW1UhkROOS+ixQ06z/kEROcmwqHQq5l1pN+Q0w/dVmhKlJngG5PHTwNFOSzwBvpBRcXMhd8hTmDDibQ7h1OORDHg0UgkCfKoU3LwrRm75lMPmh2ikKPVntQmHRzfxbmJkUUuhZoBRkjXzcX6YgT5MOVJUVx75iaC4gDgR7aiusUI4E6V5XfSaUInElrdbZhdO4wfBRTGRVws9ORS1EPXzKhFGuac8M/JHSNUsAEY/UUbQhWNsMVqGY5y9vJmYvZOTCePN/M+SrjC5BPcuayHsKvjm6FmIkPXuT1gIm6937+o1Qq/EdELoUsSsHvBMfknWeENFBdplKopSioJOZCiSuZm75njJoIhshS7380b5phE7EZkcctjTOpGXgR6HQZvLnMCgZ/yGv9i723ll2/s2eezaMsuK62E5W2iNPoMy8CQ9xaw/SguC9zgnnEia1lOCBYFEv2FqAdVreGp9vd2QY3aRfrNQWk4HP+s5nQK7dbY5vd4/J6de2LEizstrmjZGuKYFUUauW21PkpJMBpHcLgQDhTi4EQA8+MRtkEcerVOwu892tL49bk7fJCpYk9Ojp+YcxodmOJobzLgVCEcIgy93dq8Pzk7Ounf2ogWZmzy8c8GwVOcRIAfkeCNAvtzj+O3hLQvV2mCeLTtOPspZJUjIO3aE/Jj1OIac2+gwNko9lKAN/NTBK3cqvU4KotfiDFES3PMkI8uG+9rkhgOWkhRRvU57ojrvBHP+WsPInnMZyRPy98Wfvv4aPb+9urh7ga6o0pTnFVVrkkEpvJcXJnIRHRdoXyQMsmVXlg+3zfDFiYwxKSJ7FffVf5pd9XHQ3BjwyAdr+vyY65JC2n9T99tx/AFPvpgp5j6Y9DZTDLNQ6HSDibzDGa2UHQEJiRQtKMPSiicjNs0dSuFd95dXwT1XNJsTaaSbKf/BHITaizjAxWwvebw6iwu+765DWMNVGnb8v85JBJ+MzoJz3JBOWUbmd2UKGTMxYBSygaUWMsec/r4nq5rHOwrHLvYJK909UxPLvaLSW0saCfXnJzMcvBYW4stiF/Wymn8mmOl1iiVBpSSZKCjH3oK7jni6w5oSrtXB9HiG55ztLT7rZC30IykjHVxzdZ4ZwVViqQEMqZ3qfrE6I9iREzbHSNQVyYjEmmRJsKSyPefDCJ+f6hGb4NmdFBuaNeBh7nu4LJnTVEcHw4H/mGetr9P6FZx2kjSbaZbNkA7rT+8mpultHgqZkxtqo+froeI+AQHXKJ0hm4I/VvMkD6AzdX7UqYTOPRO1OiporFghpYW0Et9QK4jGMNoz+NbCfOuZf/YFzTJG5pNyb2C8Y+WcZ3s7cu8kOVe3x5hnundutA7CEN/V0dmXqGTYbJl5n4VEhKdyV055+SEVcgZ78ogMOtnYlj8LpdEbnK4pnzDpMhxJcnw1XOsPHDL9S0mM+DD6kQU5Uwt0m+ES/Qr/sPpRJritO/3H+PFEa7whRnNiBEv0qSJyhwCDUJWCK1JrVP7iVDPfBH4zj7x0GHipoSxpjQLJ7fQtLt80n/WUZmC1PUDvHDjqsZxCl6e4DrPhGa+hpXsgRsY2dA8vVUhWnHvtWPWyeXls5NnCSE3U2DmKibMw428ERlvKM7FVSJUkpSuamk9e+uoEXZ7s+IKY6Vl+25wb9BwQYQlP22cIQpcvOquFKg7v+C3JcbpDH1Qf+LaJwBbDQtrg2bVmhBkM9onXvmtqAStQqwaHzLyIoxVvcAA81f+9SlMo5xkvX3/a8RXqKXReq157Zgwz9B4095sTJjtPXu/UVF2Gr3O917LuGqY+jQI6ns08DrsmYNDfmzYh027DaIf8gBSHi5+hbCBkS8DJCjeYckZWlDtfPQgnQPUrcDkBOgjcnVQoFom31gEzUP9CC8bGZxt77g5LaQKbsvFha43TdTEzBH47Kiw4GllH3e2I0uRlSXm4DmJB74aZMhQVxn08PUKqW7YD22JhtNvyfk/XzhHXcd++A1yXWNZnyvz5ZTuV7ZqOoNSRuR3GlrXJ70dNTwfvWWJhLYTcxdvwH1WJ+V8OIsbUjPRR1Gv13Pc0mWX58RVQPzC3s6lEo1nVeOv7ZzV5ChLCtRTlKaIjE9Vy5Fw46oy7MY21TQ6UIwCPtrpj3nt4KYoS811zH+HaQTt9a69siDTPUEL5SviVAqw+xq4ROiA/BlZkzdmWxEVFX32KlSPwU8XYDv1nhRldUZKhK6h7ts5BLytbskxSIT7SMwXdfyNLZMdv7WfMprT54GizbTi8rDSo3Ce2MD181981Q7guO84dbX3yC/R+V9qpt54Dszh2B6c3T5JVEhRMdsC24cE6IuQz5YOtHTIzh6uuUS773FnPYilk7e2HEPO724kt72DlBD5O9VqUcfsQ7VkKM/JBz33NphQikibSZ8qMY/YDlVj7XZMpT7AKGe3vEJaunD4w5UqygNvcoRpwVxpjNKlkKG9Ih6YiMsF5OJuyJR38eeqTDpr+2CftTn0EwUIeNOGgWoU3Tgz9YKe5UfTWkgxSZUJrVHaIOWoJezL3PQwL6tUr99+XjoVX7j9cXpPP7Y8Zkf7sPDedM0bP7WS6wXPwuHZarY2mk7mGaMakonxFpJyIu47nPcu8uor/waX3umdnYLLGJV51tsFzpSCsLaJeKc8Qsx2/axu3N8fuPWQQy+6f/kbGCVrTDT9puSZyHn+E0dldxtPzS2j9+AJdwvh+1ojUM4GlTKzzJZGu+SfpZWHuAeclUUPHnYXsbLgZ9JnqIEXv3Wn6+6leycdDo/h3G93T3/3eGvoxkky5+ds14iQXmtoNLNdYTXSAUuncsEKdrbSDTzcXNFsdrQPUKMFlcMZq4PS6/safkKJoPkdFRR/fqOl6+H6y0bKRJlSpKrjSCZQhWSqet+5pMRTgkEgZ1Qc62pSu9Lw2g6N7CE7vk06zZEg0yOAuivz8HlI79z9GHel5GpOPl557eJwWoUqxZBPzRR+GVJ0j28tMlpijh6vgMI0qFmH6kTiLOhK4wVdtu5LugwSy9TukIF4nJLq5v/jbmzt0Z94p9Auf6L7SchupkvoUbt9vhZ9bEEPpmqQf1UlO5OOEcFwMMl/TuQavs4EIgzRQ14KwlYJ7tFwi6QgU8gxKruWjQQWZNBqAZ411NVuHzy6XG8xoZg+ih4mhIJwN1XqfIIQV+0h2aii2A538OoE0MO211qVKKPSgjUIatjLGgqT4M7hNNOd15YuQVO8O3KhUFEVUnLgj+bZ8OIeQvwR/SyVhQ0sztItlyzBPlDpXw1szspXhv7nZ1jVaXm5tqXFSCjpHWrWPYcsBAg6AKb81AMuarjHnI+CM2HBTblRgZCJmOxNsc/OwuJ6Hv91evHXv3qvB8M2DooUc+v6DY7ZR9THZCFbFWoCLuo8zd31ums7YdTvfilOt0HPLhHoBaB1Q2Ft31B2QR8C0dzasiiTNbh2vHzjVLl1g0S862BAJmQKriqFU8JSU2hjK93YPJ+AVttuY0tcuvDHY6xbahtFSSI2EWd+f/+PCl4LrXfbQ507IfP4Ey2GBQc/FusQW7MQLFPPX61/ubu7QG/xQUJ41bb3922rmNnsaZq+J4sS03DRGs9s3rUZ98pcsBk/PtlWOyWq+gs1zF+HXU46udvScZU4q31w5lF7HxV4O2XybcmasgHrGxX/7uuGmMIdnY00y9O0Gf4kxoc+U3ejaVYMV3wR1C1vc+xKpypOijhX6UWkpeP6XJcPpR0aVJtmPr9zfXjafUr4iqf+jFZVki5lXkcFL1vkNwjxDSqCJYylJTpWWO2PZzyksSqzXDqy/4QENeRgxCU6pudi0hdC2XisVsoNC3uiTDeeE605OSs23a8i4aLqpLQaXf5r3Kb4zssIV0wnciR/QCrNeKXJvSv0M/red5Ii6U2TbMr4tW9MSr1Y0hUYCS0I4EkvAjegAejX7ovAjJjO82AemMr71jcvYcM0jq5OFig2TNCFRJN6igiiFc4dLlAojv6GBmU+RvBU5uiKpyCbCPo5WcB+VxXwOmMA0YHhOaQRFmOZFEytEudKY65oNv42v6UmPeDZ+p7yqONxDaqxbbeuc2vYEaG1sW+iw+xvVnChV7/7hLgicbIjsAlSUWCqC3hCNQVN3NbfNUM9vRa5e3dmk2hcj8lcuHaxVKzB6R6ywsCecd9icQJIhmygunKdFmwuVx1We3R6/cff85uobF3CxsG+tdQ2YAA841YiJ3O7XGNcGZgedrN1pge+pft8h83u3sYvJkzEifdJJ8Z2MEeXpkzK5JZt59+T1/9+T/XtiRo2zIU+7vmL5z8SLdfXZcLeJFSp9GmuSxMyKffqyxbr/T+MMbL94BfdPYw5XGdUJ4FF/juz1DafPiLF1wI66QRmj/DTG4mpMteT4fE9aRk5qFht32VaEZLGLQKbDFl3YRAskSbKRHjJSEp5mRQz0kBH1A1bE9CrOX2c+bIzrXT67XKNpBlo+5FnBRy9fOoda7aIDjRotm/m7P+36Ru2l4Kl5HLAWn7tlOyFuAKQuojjsru6lGcYmv3Tu863IXVtXV8UAWHLGBJHECarR1Ff0gWRIEei02/txfww1bbDUmzCi/WSDpdmEEelHbcrYExjev3TawRzN6xFr8rg1CAixsOdc/lznlboTyYYnUhHeIA8zkSvfsen4kL6c9aWnHLDRjyYX9uZu812LBzhx3YeLO5q9Fl/q4m6+j7283/+/u7yRa5/cGg/lgnWkdb1lGcIopxvCGyfZl6sImCU6zX8R1wLJPkfl78uIaEw6NES5SyT5FGGvu8FD2GCYtwPzu3aYYndwkV46b7bGtsI6xWMJsiR18uiHG66/+R4JiX5iAutvX/fTvFLBVzSv5HR+SzvvU9TdL3jeEAb9XMsmwTKeATNjKjumrib60h0MQm6xzKIpdfs71VuF5NeevoeRJAyPU9MstKp7RB3bDgwTTqpqUT6EpDnlmNW/6WsrB9Yhlv61JzHi5u7X7z1LgLxosijAEjQcjVc5xOvTHtSx4njq67MmOItYXt8z7WAodHP1lCip5bcbLAUyp8VKP2snG0uT6H423OTgtooWXBRjulwKxgA39UsUwGb1zpBzY84cVSi1S1e3h+soqrdi3M5ieqE/Q4uvSJefi6paCKXrwr3lbrRpTScuQ1DRomQ7t0/my5DMTHC6RopmBD3/Gum1rNDrP/3pBdpi10qoHmXPSnwWyusRK+H66kRbivSLORW2qUrtU2hwV81VVl4K6Dleig3pLAb1l+jU4k1pSXAxeX/SL+bYnHmpSEZPAk04tFBf+TTHxrFAV4jqGvcHRPorCxNaMz1uZ/UPBPUiOyLRa3TNU1yqiuEGrOxRct1H/YnBD09upW+Ub1+jfzPTfYm+/Rb9G0qFNPqyxRyom6n9T6b/t/kiVai/KH74Cy4y8tnaunxLkhQztsTpx/ilTxnhQtet0cCuMItY17yAaTLVlQ4OR3QwIzgyALiNGXBs+9hrIY1mzXdW6zAfdMAofEwhtBIVz8wLw6AhgwJEgOOSF/s3YkQ5RCzQXYc9YaOJXdgxgbPP5Z1z7CBFf4dmlJKmHqvDmcLdL4MtbJ/7WgibZx/rVqMVq3rbFuhnsTVbM7Y5KUdCGmNMC/SRkPLAon0WL94Xsmi2MUWyidnw/LqWPNCWyvan5tCJv2MXbqiElqk3V33fO/e4OLo93WEx7CzcVb+5QtJIawUOlXFvkcnu/81KRKtnPvtK9PuRTOTLRQkFjQV/C371DtDwmx7NqSTYNQKaEJTmf3Ug5gsIvLiRElUyGhu95LM15xWNVQj7xBTp00Cjjj3vcOvMG1B3BHKnrrZa3BPy3yPCaMXLqF3QLDF6aAEkJLq7vLhzum+KuVkeWpRCDjVeBE/kF5cGUX0e7o8P9qkCQ9zX6haNTfmq/UlrsFs9ByzzBXr9p+/RFta9IJgjzJjfV1BXP69Q6z9CWyKJJYs1YgQrjQQflIv0F/HsauKXvYieuxojbOvW7jchM1g4yGoi6ZoLJvLdMBC3onKkxSL0J5SuscSptotIAL7IcGE7uKOKu5we1vOZT1bUhi7otoH6mEGEfd0WjEVRGCVT8DqMIPF2UqaBZB2olTgFjdXGKLjzOYg0rWRNUWnMMywzxIUsMKO/+/J7hSy865O5LIeTl+i4Xnh7FqnlumHmFaMrAjP2GPiKpIJnEwp2u92J0jMA2vsmRHkqipIR7T0Ak05UDAr8NNC00ljqMx3kezO29zhPHeX+yZw8foXgwZGQs1GCxJNBD3h2poW/5lmMZTckfxf8TOg59ei1imnTa98PV3gkoqLd6AsEzbhdC3IHh1tzl+3LA/Ps71MP227YCvzpJCVJhcxIFu8ddEk27plSzYi1jlFn2jRf7MbXx6+VFMUCqFZQlK9SwrGkwqr1RcU0/aOmRCJclqyufmmxbArMce4rzUWIQXinthctU5ZXhah+ppDYchsZ07goh55Bx3HdNWl8+7RC6Zoa60ZkRC3Qm0ppMJO6RC161kReLtbkxE3aK8BWK8P3hsyhCcEm1wPatbNN03hqDwQ2qnVGNzQzmg2cB78gu68F2fvB4vkn+VBSOdsM2/20saAHcxKpZjs7WWWEntHXDFNwQPf7RgNu+gG071qeLUZDtuhqVWgJVARvxdmsf+irAhrkp4pUsx0lc7rtKWrl4xZD29OqC8DVZbME5kK1emgWNaBS0FvQCDItL3SE1zcvYvBaJhFYLZMY2nMZUhT1iYZq9dFSjaArdV6R85iQA/PR+8aMnstHvTmnis1Dcu2UYEH7QAzQEEI7gnA6UuJDKNaqYmcCzReVTkVBXlkeGuPFNXAZnRDM3RL0DMiJA0I2RFIdGxp0Cn3aje6KAKdakw5cPjM3brOvdFPpYqhB3Mm2um8NH792a4M5U5gqTleOn83k2YDGxUizUWfYphOsl29fF5mIm/Br30rvWoJCol/uXWosVXVCwNCvBuPXOzRVJalKoWhAwXHU2QJzmmctunBzdydReCqmk3jQRY8URbwqiKTpY2WRd24zdX4+opKtuRlWLNn7PZrahvAM+iQflFti+c8zoNfUoV0x7k7bZSx+LfhouaEf8F7GrKSPiVX31WQnWCdmnJdrjZvcYi40wk0nNX8CLRN5UieqnEWo1wfx0UJ9DsyUnuz7K6RbAWr1GPa7UfwFo+lujm47E3LhDhhw4Nqc7SbkcsVi5k37F/Bd5cD//eJUcE0eYmusDUM3bauAuroqy5T5P3hUMasZ8gHAHHic0zXmOUk42caWBVOBS7LthPpBCdFa0mWlSUdCjHP0lWXdaOvd52+iKXGJgwm7ZuXYqEPHLDcHDMFhfpFlpqu/eYxbqAAzC1YDDqo250tuiFyge2I3pVJELnBOAMrbZbqvhKx5GNGuyVi9PYXfI/v7Dm6FkGgpxdZ8Vv81rfs4GrNrEk/6JrvDUod20zWEQ3tU3J0So+rQue6UYFnbgzTSlRIlcQHFWG/xBUeYEamb7CLZDur+ZsNbTnx0QAAgCcmjMGeIC/5HSUoClsy+7Ic5+qL0cfR93VCsHveK2ghbHf4Zzcw11WhlPbqCAZdQbcKR4H/MhfnvPS8BKCmJR3GMOG/cCQa+AgYMk2KFoMM8JWqB7luZMmxs0K2sisPxpS3nq5QxYmzJqE22yZz4bbqZpKxSuj6Q7h+jbYKfUGV20tVEO/+GUXzh02kVaHbtx94wv0VvYZniKWXPDhlehssr4AJhpURKwV9qdsNrT8KG3dKP5IdOI0NoXPgSlRJ6orxERKfP/IoyljhUw+oDQSwYimgiFSqxAhQvBUAOrpu0KAojxUQvaD8urSE63avu2ffgXBpfZw8jPExWfKeiKKvxHYywbRhtKc/E1uXTum6TL5tMisnFGE1zVTG2Q58qzKzzMxMFpq4RL8y7HoiJiaer6/WM1MB+1BqO8o8kc7VAdSI6VuCdcgaK+eSrhrUFzfZtHBuhQkQVdd3OTtYtMWSgZu+X+3Px9UvpPK/ofgzX0wSdiSzosLFTbBerG7PTJm+/pv1tYE17RVn8O95M+ScYrbnGkmRVSlAdOSJ+d5vtqZ94XtNoj8h9r43/8H3sPIDmhZn0C5D0ozoJciCEx9iNbh66NVbr5oYatdBTZVila5v5W9fYNGWGlzWlAUSYmUgzzELJ1Pyq+fe40hQZec4RhZy7iqeMYGn+BEB4LWuugLDu/FoXdh6OPljhV41xnj7rFysVxbJp37vqPViubFQ+4vXaUFmpuT19XW0EGJj2+M0TIPVciUs7usVknPaUWgtuvsa11st8c+VacKPnDrih7k1pi34Nby/8erV1QJ+rwb9zP99cdfu7NmJi7D3oR+RsGqCdwsIeIiMLtlT5jdSN2sXEsu9HdV2BtlUX9vqxuTW+Z253fNkMjG6uDmqyofxzBzRZw9hrnrUa7QJd2vpMh3fK7Af7tVlgUPa/8c1Xzh23rHRTuSl08xhVnBFlV0bYB2Ur0AZLipdsVAVoQRkoRyXDE4JAEa6i4qP0NrSrqtqRF0ZSGQ2jri+kZp/vX93cDXVo5CBjrUdhqi77xIaCR9dCtpEWyyS64Rrd05xjEBYTR7QUMiZ47bOR/DKH9K7W3QSgOsJ/GkY6dxlOWSY8B+ftL+8R5SmrMmLEmWtka36+QM+vH3BRMvIDurMOEUsWpPfC7xeByNzssU1wTrVPi58zqj4alfsEvh5RitdxY751T8M7qj7uCblqSfOcyHgt7PxL9ms3FuB4AO10LYlaC5aZ02Nt9YlOo73Q+wyehXHs3Unl5++sjvGiAeO4ufKXkRwdnU9FUSYz513BrrjcK2jjav17qlr+0bAjONSnrqDdjMiqdMpKc2rpmbLGupw30lJIQB4wcr3mb6JLHJbZFsvzZOiNUfWNdMXuITKTmIBGfm6EKEZvcFrjKfuVWyOCZrVjBP9jraDK/VLI2prBm1pLglXw3GClsa5CKc6NPwpTdjazwwy+FA+IZq+m3y/zslZzcGg4+jACPrZ3wXDhv7r1Oxa5+97okF+N++6d8pxRLqpQMc5OHYnKg98pI0lDOh1GHtnvAhOOjczYOxIXjBm5h1SVpkSpVcXQtRkfpSIjyhyJGuzXb1lQnpGHwAvAqNKnaZ5PlC0wMJhismZiSSTENwssKYMMHo8Hz8bfeY4wLOIfzW+9M+MRzqFYWnChM2nEbnT0vMnnLIlUpSu6tRJmtGRORWgT4muEpxcTRYbWzTV+j2MnlFjlq0nycr4q+23zIaZcoYxoTJnHybAUle78bmJqgs2em1l7bHGTxwZ8TD+kmhQli5bNc4EyssIuBOSQL+sYvsvWNFrxhkiGd1DIpYV7XNFzz400H4DV7X5NVnUVuPXVK011BcCMyDux1jYYAzY99boGjWJ1/DspDs1pBFmViqIw9ynOMbq01BHtJPuWUmxoZv1nNYpcQdRkIlQm0tMDjY/3lv1EWas1pt28PL9q8FBC0tN5ZH09elxZ/0+xPNHvdPL0/o9YugCM/3aVNB5w7hUkFNudv7+7QTcjharLRjTUWlddsp+DgIVdTTVsHtSQfow/zOVW+5V7KyKSpchiV3yNKu6GSofjBRleJtSjdXi0BBsymKHyvOMCdqXDNoG2iYfQnGZNKGfCiVeEthpHZeABXv5wSl4z77KK+UzV3b3vPlj0nDoQBckaDyStul4Em/q1JL7y1hqFaV/ixgyOEK9XPOs7RJrqSrzBlOFxIAM1rnAE9ZUrIuVEpwV7h07x9YeLuzljpXAAUDYAO5qSSzdQNF9MSERaJMsqy3bB/TO0SILWAXXoVoqcBnS+10sVnqKkIiDKwaDELlHVHAUJVHWzVy3mKq4yqpvKuhYXzXHka2zXVmxYUdKGF/ZP0maJhV7BzWxW+eWv1+i5q5X4tWJGV15SBgUckAd2/VAKZb75Av1x7GjgwyjMRy62vGcIKZJWAGax6VOf6LSZ4hlccMO00Mu6yv2tK026JTlOd+jDpLnG6FLicxTlu4F7S0w5KjDlK4kLsjcdo8QSuvbGx0noKZd3MCx6KzKbHN3CAnayzjxMoQPaF6QKmIWIZSH1cePeki36ueJgSr4RGWHoOeWbxR9eIirSl2hp/o+Y/8Mcs52iavEHf3xRp2WyYnjUOT+0DtXX8C/vEAwKvi6Qk7u6+ZVY7QVq0CIqp/avS8dnDYOgiDQH2cvQpggrdwec/frmNywJem8TgP/wh1/f/Hbx7voPf7A5txssMZ08k1shP4YsWT54wX6rB+xG2CadYJiHViJczU5YlJLmOcCpeS52EUyYlZCEK5qGFCAdV1IEjovwXhBPfCAU0WSL6bg58ZO9A4B9HpqouT6hS9RVtYx0KfQyU1qGrnyHeu1oDrHuWxrsHa1rPuI5SU8tdmkbg41UGlds0ta9uHoXQ2JFJx1N9VSjOWJPnaoXjcgzzWF5j18on4wn+HjHhWHe6f/vxqO2KrPt/HeWI5Z1fPSOkb1MnuVw1HHcffwJMUPSVm9nO3bpc91ktNdZdoCT+QLcbqOTezgyXUNW0zniYVD0tcKUmbWuwVzunMy4uerWtgESlzEHNck9EAbTWYV1znViVMQT5nNK4jWkW7vqo0tRFBUfeqJG3PHTgJueyt1b8qD/Svw6dcObOk2zfipv95hn/yH8UbOWN401PUUyPJm78cA95lSlSppSESxLdC4LHrjfYsnHQYfPnXXFizIRsYTx/ds3d+gX60dtk1L9jHyaNZXg/j9v0aeKyAns1orxRJIhUmfc5IaOQ3SH3tVFZ960rkZLTwM+pF2iInQbAUO0PMlxdIiq9gTHnkw3C9+gATMsiwi7ZchGcC/gMmABckO0yoJ1pe3RDIt21SOdYT3UCp9Kd0l4ui6wDFVW0tDdlXjUvvjJ0SecjtKpgtBM1sHPQkpWYQuoGsKrHKCWIpAVy39GoFri4J0wLOJU8OMFQfeEhn5wHHJbQYzqGZxpnuAUGqOELz8xtBUPaLx3CC/zcvMdf9Dr4O97ypNUyyRTQXHXO9QN5dMiT0cQ3jAcXGLwhPCc8oBFkWPSMXKjebJK1JbqNLj84MmKia3CRfjclS5trjfxqEeIuqQ8oTymOKG8JLJY7oIlvI9ol+nHOMQ3mMU4K7RMSim0SMKHpID65rsEPI7habNod5OJPMliLLYhHD7/LeVJgR8SrUO5DfqEzYlmJMKjUFAeiWnK4zFdMpWwJUtCh0V7tL+OSDw4MniHdmgsxC7t0FW9Xdp/ikj7+4i0/zUi7f8Vkfaf49DWomR4SWKIlIZ6ePOMJ0XFQPle7iK8kzXx8mMEvaSoGM2LMo72bbRMzPLQSUiOMo2hlCjyKQ3vG+GJsgmJEXZQyTSONWkIx7Em1U5VZYRepClvyqqjmKpaaGN6kIcIIkQLbQyzWLTBrIlCvOL0gWMuFEkjHMLN92ZVIj0Km+9FqdcEZxHcaqIok5RF8GEbwhGCJEBXLnc6vFvUUFZRKJdVEiGmkUqqaYpZhAIileCc8HQXMOuqS5tjtvudZMsYfG8SgAGNQtnCwcTh2ibWRqG+zMvN93F80CpZUv3nKEBjqUrC9oobEJYiuKhWUa45UCWpDF/lpqyPP1ivrQ5hotfWzx/eOWKJg9oXhbhFkw+HINehvaKMxLBhVLKKsYl0FbI4u084hm6gElpCkmISRdTRcvNdpnQ5AvMPRFvJNAptRlckhhmjwNFckIwGKxjt06Y8zikpRFYxolIRY7UdcZpHkE2iVFusg/b871D3ZZAHISxJTpWWOLwnpKUdQeOTpIy11DLaWitAIpeR5KvNzLdHPAJ1LQkuIiiSthQoFtvxlOvtWlCV2A6z4anvsMRRDng2UQgbgvLG9rcPTZcqjXnwPseZ0stKhmoWWFMltldQDKpVcF7D69F1TXJostC5YRW+2fWpSAP7aOY4y0LfAZqFDqvW0EER3iJaJKkUooiCSmQIRzDTaJHESY50iEcxlrn8GByeqVThIUtpqUpJAxNlWFNdBc8+Y5STcBA7LVUVtKNOQxeKb8O7tZiwqKfJiongz3lDPELKv7F5g0sdQzSCxDE2dARWg+cmMJFHObo8j3KBSyFDC7BiWeUxrllBVRpDLBQqyoGN0QeCEw3gSsHpBpfhFgA6dMafpRo6HY9vt6EtkCgVZcI2gA5uiYrwmpGQNE88/bieTHfLiQz/ZpWJbcobnGzQztQtWdviNcohi1C46XrihBYGjmxoaVAm1pEUnF2slPkwSdeh6vxHpMlDSYMHAkoii1xirkeYuyEob6MQDv/0WiSyDx8GXUADEJYiT7AqAzYM6JKWODRVSTCLod9JksI6WNTRSMTDL7KhHBbCtUNZyCwCx+EdmSqCb1hZ33CEfABFQicC2IbHEYwTRT6FPwA+gNZgVCOYUormEQSvKkN72ZRMY9wDmWbBFWklUx8qbgDCOlyLrS7NSgVH1dykPHShhLdb7FOJWpDO0NPXuQ5/rCzR8BG9pqdnaLq7Mjhaa5Uto+ShV5JFeAsrRWSS0dBV71HaVtSRoRjLoFOlcRHaG7xJKFcaryJoBhsqdQw1fFPyCNBNWsiKh3Sz+mDRPIiiF5UW6F3F0WjoJnskYrO8XzGjGbqUJKMaXWKZOTRDBfDvfnZs56yIqzTVIRTIQBN9BPgGqWDIV6rT5ENQHm/lrouSiR0ZNRY8uH4rUQUD9T7yjJk1tD4j6HcmSU4eUIGHQAttLJbn1bAZSHQmGVXQnKEe3W09ACghVZWlkBqNgUcR2q6xRlSjUpLV1FF4QlruY5pQ+BbeWR0NC4hyh+w+gQvNKI/dkb/Dqhmty6dCWuREr4lctN9Xa1GNXjSEONkQ2bQj0gKVWCqC3hCNoSO4vau4WYLntyJXr+5s2esLdOVafL1Eeu3pUgRgwO+Ia30MbHP0lujfqOZE+fd5fKijLN4KWnY3twgGt5NVBMt0vaCcevmDnrsz4GsPxCf0woBkiFcMVxx6/eYV9HGtQdz9AO4DvPY9c4oPx93MqQHhdv2LJ4x9sxFJwJqm45BXYVj0njxouBVT7oI5ulFPCKS2cd1b6FDN2UTHS0DPjdgOHPBzFdFIkk8VUXoPaPfp2cqPx8q3KgO05bGjWok99Eg1ead9d8o+nixHEBvr/R0Q2tUP3pmH7P1/uL+hGezmqhYKMLb/bIDVEC6J95FH2DwuS6wIsunaDTdodKuaXXK/OA+/vGkF33AupIWv9y4jQlghRQi0O8P7+1VJzBVOZ2jvO0KYtkNzUHvbQ5NWEjqg7WO6JLKgVt2Yi+l2SNuYg24oIzlBjGwIQ1gpmnO7cW2/fv/RB0jmM8pvGH/PSV+epdOz4azi9FNFhm0Ssf/ydfg9DTHxtC4otUZDM3shU8E5gdwKtKV6PSUoEPJUhjQauyQnlRc92rQwywnypHmimMhpihkyHEyYPsDFebmDoSbaNJ5v7cr1TvnZ66SzbcUgqzX0A48ZxSpZi+g2gTXiGnMNeqm0TY2MVOy24PHjASB7aQy38Ka5RiwpI1guLpgSxhDv3bcrCJajn90vFuiC75p/jahrsOUV1whni1QUZaWJ9IvhKG58M7F45tlXw72AHou9DaH6H9Xrr7/5s7F9rzrbUa/YV1623TlNwkbMjnXc4B2R6F8bn5x65dgA5vy3PnT9T/wzz1uee6d+736cmLx8SLY9GzZMMeMs0Ntf3l+buRNJrPME/KUZVakkJebpzmiVTj1jw1wQBCv0Er1/8wO64frb1y/Rzdur67//gD7ccP39d+j5dr1DnFC9JhKla6FcqzQhJUk1fOub7//9X148864I0euIMm64HiBTFwX2t+NRkU/fI6/5vT2LNzVT/iuefV5Md2XTAc5PBIw7+oH38TtQTFvr5FcqdYUZur1462X2d8FJPF/WaSfjvwQnC//aGna/GBEKEzksPGELPsc3eM8+5FiTLT5Di3Q43XfoIssk+GntKfex0zy9aVGeGud8aizk5vLNnX2VJsNjBVYzRj96TiWrqbq3G93cGVYmvF9mDU/sBBFkDc3Y02tYa2KJ7a41r4DosIuzjJovY9YGbDu9/P3v3IwHwJiEcMGFu+FX/SMwYqXNtY6i1x37pGH01nF4J6RuRPJI6GYQYIMNoHp3WPKqmdfezofyvH5M6mm9mVp4Tnx241xeXMcdWL5YKZFSo3Jav9FIx0FGLkvMc7JoTKdU8BXNK0kytNwBTcIzyBryy5nyROiBUdHohLbsHXQVAe+ABdT9uyVcwR0AkhRCk8RldofPMwq/tBlXCU5sKn4E0qWWcYivIhyJVYRqYRbjOsTCPykjLCrOktoTF08tH1rwZh6L4WhdZ8IZNNhrvSaSE43e70ryEn2on7FbcIB9i+5qB9joJfhlSlOrW/XMoExMmMY1084v/hJhxrzKRNl+ERLcsITEvA2R5g2kXAukNDzmlKMPN5MCJYUE2WjyKrjINkRFGaHtmyEsiQqd0WvIRihxsS9i6FR08LdH4Na2VkgY4XnwTpHAs1E+ImqhExqoVXkw6wRgOEohnWCFMPpJyC2W2bhPN0IXOSR7SYTNjX+AXLol0VtCuF/1DIya+NgYt9CYdUN1lhkEkPGQGTGaIeUuzxXSEgqqjVhyLTb8U9wwzOeI4x/hoKwTRDouytEE+y7LNpKyMRZsDgZs/+UJHakkKaAQbMLhwR0XscdS07RiWCLAi0Y1E8+vH364FblYrfzd30ma6DWJvr09Zt+bAe1t7PB9bfg27F5Uek24dsnik2yrKiRywnEJPXbIadY/KCInGRaVTsW8K+2GnGb4vkpTotQEz4A8fho42mmJJ8AXMipuLuQOeQoTRrzNIZx6PJIBj0YqQYBPlYKbd8XILZ9y2PwQjRSl/qw24fDoJt5NjCxqKdQMMEqyZj7ODzPQhylHiurKIz8RFBcQJ6Id1TVWCGeiNK+LXhMqkdjydsvswmn8ILgoJvJqoSeHohaifl4lwij3lGdG/gipmgXA6CfKCLpwjC1Gy3CMs5c3E7N3cjJhvJn/WdIVJpfg3mUthF0F3xw9CxGy3v0JC2Hz9e5dvUbolZhOCF2KmNUDnskvyRpvqKhAu0xFUUpR0IkMRTI3c9ccLxkUka3Q5X7eKN80Yicik0MOe1on8jLQ4zBoc5kTGPSM3/AXe3c7r2x73yaPXVtmWXE9LGcLrdFnUAaepKeY9UdpQfAe54QTSdN6SrAgkOg3TC2geg1Pra+3G3LMLtJvFkrL6eBnPadTYLfONqfX++fk1As7VsR5eU3TxgjXtCDKyHWr7UlSkskgktuFYKAQBzcCgAefuA3yyKN1Cnb32Y7Wt8fN6ZtEBWtyevTUnMP40AxHc4MZtwLhCGHw5c7u9cHZyVn3zl60IHOTh3cuGJbqPALkgBxvBMiXexy/PbxloVobzLNlx8lHOasECXnHjpAfsx7HkHMbHcZGqYcStIGfOnjlTqXXSUH0WpwhSoJ7nmRk2XBfm9xwwFKSIqrXaU9U551gzl9rGNlzLiN5Qv6++NPXX6Pnt1cXdy/QFVWa8ryiak0yKIX38sJELqLjAu2LhEG27Mry4bYZvjiRMSZFZK/ivvpPs6s+DpobAx75YE2fH3NdUkj7b+p+O44/4MkXM8XcB5PeZophFgqdbjCRdzijlbIjICGRogVlWFrxZMSmuUMpvOv+8iq454pmcyKNdDPlP5iDUHsRB7iY7SWPV2dxwffddQhruErDjv/XOYngk9FZcI4b0inLyPyuTCFjJgaMQjaw1ELmmNPf92RV83hH4djFPmGlu2dqYrlXVHprSSOh/vxkhoPXwkJ8WeyiXlbzzwQzvU6xJKiUJBMF5dhbcNcRT3dYU8K1Opgez/Ccs73FZ52shX4kZaSDa67OMyO4Siw1gCG1U90vVmcEO3LC5hiJuiIZkViTLAmWVLbnfBjh81M9YhM8u5NiQ7MGPMx9D5clc5rq6GA48B/zrPV1Wr+C006SZjPNshnSYf3p3cQ0vc1DIXNyQ230fD1U3Ccg4BqlM2RT8MdqnuQBdKbOjzqV0LlnolZHBY0VK6S0kFbiG2oF0RhGewbfWphvPfPPvqBZxsh8Uu4NjHesnPNsb0funSTn6vYY80z3zo3WQRjiuzo6+xKVDJstM++zkIjwVO7KKS8/pELOYE8ekUEnG9vyZ6E0eoPTNeUTJl2GI0mOr4Zr/YFDpn8piREfRj+yIGdqgW4zXKJf4R9WP8oEt3Wn/xg/nmiNN8RoToxgiT5VRO4QYBCqUnBFao3KX5xq5pvAb+aRlw4DLzWUJa1RILmdvsXlm+azntIMrLYH6J0DRz2WU+jyFNdhNjzjNbR0D8TI2Ibu4aUKyYpzrx2rXjYvj408WxipiRo7RzFxFmb8jcBoS3kmtgqpkqR0RVPzyUtfnaDLkx1fEDM9y2+bc4OeAyIs4Wn7DEHo8kVntVDF4R2/JTlOd+iD6gPfNhHYYlhIGzy71owwg8E+8dp3TS1gBWrV4JCZF3G04g0OgKf6v1dpCuU84+XrTzu+Qj2FzmvVa8+MYYbeg+Z+c8Jk58nrnZqqy/B1rvda1l3D1KdRQMezmcdh1wQM+nvTJmTabRjtkB+Q4nDxM5QNhGwJOFnhBlPOyIpy56sH4QSofgUuJ0AHgbuTCsUi8dY6YAbqX2jB2PhsY8/dYSlNYFM2PmytcbouZobAb0eFBUcj66i7HVGavCwpD9dBLOjdMFOGosK4j6dHSHXLdmBbLIx2W97v6do54jru23eA6xLL+kyZP79sp7Jd0xGUOjK3w9iyNvn9qOnp4D1LLKyFkLt4G/6jKjH/y0HEmJqRPop6rZ77niazLD++AuoH5nY2lWg0qxpvff+sJk9BQriWojxFdGSiWo6cC0edcTemsbbJgXIE4NFWd8x7Dy9FUWK+a+4jXDtop2/tlQ2R5hlKKF8Jv1KA1cfYNUIH5MfAiqw525K4qOirT7FyBH6qGNuh/6wwoytKMnQFdc/WOehlZUuWSSrER3qmoPtvZIns+K39jNmUNh8cbbYNh5eVBpX7xBamh+/6u2YI12XHuaOtT36B3u9KO/XWc2AWx+7g9OZJskqCgskO2DY8WEeEfKZ8sLVDZuZw1TXKZZ8761kshay9/RBifnc7seUdrJzAx6leizJuH6I9S2FGPui5r9mUQkTSRPpMmXHMfqASa79rMuUJViGj/R3C0pXTB6ZcSRZwmztUA+5KY4wmlQzlDenQVEQmOA9nU7akgz9PfdJB0x/7pN2pjyBYyIMmHFSr8MaJoR/sNDeK3lqSQapMaI3KDjFHLWFP5r6HYUG9euX++9Kx8Mr9h8tr8rn9MSPSn53npnPG6LmdTDd4Dh7XTqu10XQy1xDNmFSUr4iUE3HX8bxnmVdX8T+49F737AxM1rjEq842eK4UhLVF1CvlGWK243dt4/bm2L2HDGLZ/dPfyDhBa7rhJy3XRM7jjzA6u8t4en4JrR9foEsY388akXomsJSJdb4k0jX/JL0szD3gvCRq6LizkJ0NN4M+Ux2k6L07TX8/1Sv5eGgU/26je/q731tDP0aSKTd/u0ac5EJTu4HlGquJDlAqnRtWqLOVdvDp5oJmq6N1gBoluAzOWA2cXtff+BNSFM3nqKjo4xs1XQ/fTzZaNtKEKlUFVzqBMiRLxfPWPS2GAhwSKaP6QEeb0pWe12ZwdA/B6X3SaZYMiQYZ3EWRn99Dauf+x6gjPU9j8vHScw+P0yJUKZZsYr7ow5Cqc2R7mckSc/RwFRymUcUiTD8SZ1FHAjf4qm1X0n2QQLZ+hxTE64REN/cXf3tzh+7MO4V+4RPdV1puI1VSn8Lt+63wcwtiKF2T9KM6yYl8nBCOi0HmazrX4HU2EGGQBupaELZScI+WSyQdgUKeQcm1fDSoIJNGA/Cssa5m6/DZ5XKDGc3sQfQwMRSEs6Fa7xOEsGIfyU4NxXagk18nkAamvda6VAmFHrRRSMNWxliQFH8Gt4nmvK58EZLq3YEblYqiiIoTdyTflg/nEPKX4G+pJGxoaYZ2sWwZ5olS52p4a0a2Mvw3N9u6RsvLrS01TkpB50ir9jFsOUDAATDltwZgWdM15nwEnBEbbsqNCoxMxGxngm1uHhbX8/C324u37t17NRi+eVC0kEPff3DMNqo+JhvBqlgLcFH3ceauz03TGbtu51txqhV6bplQLwCtAwp76466A/IImPbOhlWRpNmt4/UDp9qlCyz6RQcbIiFTYFUxlAqeklIbQ/ne7uEEvMJ2G1P62oU3BnvdQtswWgqpkTDr+/N/XPhScL3LHvrcCZnPn2A5LDDouViX2IKdeIFi/nr9y93NHXqDHwrKs6att39bzdxmT8PsNVGcmJabxmh2+6bVqE/+ksXg6dm2yjFZzVewee4i/HrK0dWOnrPMSeWbK4fS67jYyyGbb1POjBVQz7j4b1833BTm8GysSYa+3eAvMSb0mbIbXbtqsOKboG5hi3tfIlV5UtSxQj8qLQXP/7JkOP3IqNIk+/GV+9vL5lPKVyT1f7Sikmwx8yoyeMk6v0GYZ0gJNHEsJcmp0nJnLPs5hUWJ9dqB9Tc8oCEPIybBKTUXm7YQ2tZrpUJ2UMgbfbLhnHAtd//j/wYAAP//M4fDsw==" } diff --git a/x-pack/filebeat/module/fortinet/firewall/_meta/fields.yml b/x-pack/filebeat/module/fortinet/firewall/_meta/fields.yml index 2ac3946889f..aa1ec9eb99c 100644 --- a/x-pack/filebeat/module/fortinet/firewall/_meta/fields.yml +++ b/x-pack/filebeat/module/fortinet/firewall/_meta/fields.yml @@ -1,2154 +1,2165 @@ -- name: firewall +- name: fortinet type: group - release: beta - default_field: false description: > - Module for parsing Fortinet syslog. + Fields from fortinet FortiOS fields: - - name: acct_stat - type: keyword - description: > - Accounting state (RADIUS) - - - name: acktime - type: keyword - description: > - Alarm Acknowledge Time - - - name: act - type: keyword - description: > - Action - - - name: action - type: keyword - description: > - Status of the session - - - name: activity - type: keyword - description: > - HA activity message - - - name: addr - type: ip - description: > - IP Address - - - name: addr_type - type: keyword - description: > - Address Type - - - name: addrgrp - type: keyword - description: > - Address Group - - - name: adgroup - type: keyword - description: > - AD Group Name - - - name: admin - type: keyword - description: > - Admin User - - - name: age - type: integer - description: > - Time in seconds - time passed since last seen - - - name: agent - type: keyword - description: > - User agent - eg. agent="Mozilla/5.0" - - - name: alarmid - type: integer - description: > - Alarm ID - - - name: alert - type: keyword - description: > - Alert - - - name: analyticscksum - type: keyword - description: > - The checksum of the file submitted for analytics - - - name: analyticssubmit - type: keyword - description: > - The flag for analytics submission - - - name: ap - type: keyword - description: > - Access Point - - - name: app-type - type: keyword - description: > - Address Type - - - name: appact - type: keyword - description: > - The security action from app control - - - name: appid - type: integer - description: > - Application ID - - - name: applist - type: keyword - description: > - Application Control profile - - - name: apprisk - type: keyword - description: > - Application Risk Level - - - name: apscan - type: keyword - description: > - The name of the AP, which scanned and detected the rogue AP - - - name: apsn - type: keyword - description: > - Access Point - - - name: apstatus - type: keyword - description: > - Access Point status - - - name: aptype - type: keyword - description: > - Access Point type - - - name: assigned - type: ip - description: > - Assigned IP Address - - - name: assignip - type: ip - description: > - Assigned IP Address - - - name: attachment - type: keyword - description: > - The flag for email attachement - - - name: attack - type: keyword - description: > - Attack Name - - - name: attackcontext - type: keyword - description: > - The trigger patterns and the packetdata with base64 encoding - - - name: attackcontextid - type: keyword - description: > - Attack context id / total - - - name: attackid - type: integer - description: > - Attack ID - - - name: auditid - type: long - description: > - Audit ID - - - name: auditscore - type: keyword - description: > - The Audit Score - - - name: audittime - type: long - description: > - The time of the audit - - - name: authgrp - type: keyword - description: > - Authorization Group - - - name: authid - type: keyword - description: > - Authentication ID - - - name: authproto - type: keyword - description: > - The protocol that initiated the authentication - - - name: authserver - type: keyword - description: > - Authentication server - - - name: bandwidth - type: keyword - description: > - Bandwidth - - - name: banned_rule - type: keyword - description: > - NAC quarantine Banned Rule Name - - - name: banned_src - type: keyword - description: > - NAC quarantine Banned Source IP - - - name: banword - type: keyword - description: > - Banned word - - - name: botnetdomain - type: keyword - description: > - Botnet Domain Name - - - name: botnetip - type: ip - description: > - Botnet IP Address - - - name: bssid - type: keyword - description: > - Service Set ID - - - name: call_id - type: keyword - description: > - Caller ID - - - name: carrier_ep - type: keyword - description: > - The FortiOS Carrier end-point identification - - - name: cat - type: integer - description: > - DNS category ID - - - name: category - type: keyword - description: > - Authentication category - - - name: cc - type: keyword - description: > - CC Email Address - - - name: cdrcontent - type: keyword - description: > - Cdrcontent - - - name: centralnatid - type: integer - description: > - Central NAT ID - - - name: cert - type: keyword - description: > - Certificate - - - name: cert-type - type: keyword - description: > - Certificate type - - - name: certhash - type: keyword - description: > - Certificate hash - - - name: cfgattr - type: keyword - description: > - Configuration attribute - - - name: cfgobj - type: keyword - description: > - Configuration object - - - name: cfgpath - type: keyword - description: > - Configuration path - - - name: cfgtid - type: keyword - description: > - Configuration transaction ID - - - name: cfgtxpower - type: integer - description: > - Configuration TX power - - - name: channel - type: integer - description: > - Wireless Channel - - - name: channeltype - type: keyword - description: > - SSH channel type - - - name: chassisid - type: integer - description: > - Chassis ID - - - name: checksum - type: keyword - description: > - The checksum of the scanned file - - - name: chgheaders - type: keyword - description: > - HTTP Headers - - - name: cldobjid - type: keyword - description: > - Connector object ID - - - name: client_addr - type: keyword - description: > - Wifi client address - - - name: cloudaction - type: keyword - description: > - Cloud Action - - - name: clouduser - type: keyword - description: > - Cloud User - - - name: column - type: integer - description: > - VOIP Column - - - name: command - type: keyword - description: > - CLI Command - - - name: community - type: keyword - description: > - SNMP Community - - - name: configcountry - type: keyword - description: > - Configuration country - - - name: connection_type - type: keyword - description: > - FortiClient Connection Type - - - name: conserve - type: keyword - description: > - Flag for conserve mode - - - name: constraint - type: keyword - description: > - WAF http protocol restrictions - - - name: contentdisarmed - type: keyword - description: > - Email scanned content - - - name: contenttype - type: keyword - description: > - Content Type from HTTP header - - - name: cookies - type: keyword - description: > - VPN Cookie - - - name: count - type: integer - description: > - Counts of action type - - - name: countapp - type: integer - description: > - Number of App Ctrl logs associated with the session - - - name: countav - type: integer - description: > - Number of AV logs associated with the session - - - name: countcifs - type: integer - description: > - Number of CIFS logs associated with the session - - - name: countdlp - type: integer - description: > - Number of DLP logs associated with the session - - - name: countdns - type: integer - description: > - Number of DNS logs associated with the session - - - name: countemail - type: integer - description: > - Number of email logs associated with the session - - - name: countff - type: integer - description: > - Number of ff logs associated with the session - - - name: countips - type: integer - description: > - Number of IPS logs associated with the session - - - name: countssh - type: integer - description: > - Number of SSH logs associated with the session - - - name: countssl - type: integer - description: > - Number of SSL logs associated with the session - - - name: countwaf - type: integer - description: > - Number of WAF logs associated with the session - - - name: countweb - type: integer - description: > - Number of Web filter logs associated with the session - - - name: cpu - type: integer - description: > - CPU Usage - - - name: craction - type: integer - description: > - Client Reputation Action - - - name: criticalcount - type: integer - description: > - Number of critical ratings - - - name: crl - type: keyword - description: > - Client Reputation Level - - - name: crlevel - type: keyword - description: > - Client Reputation Level - - - name: crscore - type: integer - description: > - Some description - - - name: cveid - type: keyword - description: > - CVE ID - - - name: daemon - type: keyword - description: > - Daemon name - - - name: datarange - type: keyword - description: > - Data range for reports - - - name: date - type: keyword - description: > - Date - - - name: ddnsserver - type: ip - description: > - DDNS server - - - name: desc - type: keyword - description: > - Description - - - name: detectionmethod - type: keyword - description: > - Detection method - - - name: devcategory - type: keyword - description: > - Device category - - - name: devintfname - type: keyword - description: > - HA device Interface Name - - - name: devtype - type: keyword - description: > - Device type - - - name: dhcp_msg - type: keyword - description: > - DHCP Message - - - name: dintf - type: keyword - description: > - Destination interface - - - name: disk - type: keyword - description: > - Assosciated disk - - - name: disklograte - type: long - description: > - Disk logging rate - - - name: dlpextra - type: keyword - description: > - DLP extra information - - - name: docsource - type: keyword - description: > - DLP fingerprint document source - - - name: domainctrlauthstate - type: integer - description: > - CIFS domain auth state - - - name: domainctrlauthtype - type: integer - description: > - CIFS domain auth type - - - name: domainctrldomain - type: keyword - description: > - CIFS domain auth domain - - - name: domainctrlip - type: ip - description: > - CIFS Domain IP - - - name: domainctrlname - type: keyword - description: > - CIFS Domain name - - - name: domainctrlprotocoltype - type: integer - description: > - CIFS Domain connection protocol - - - name: domainctrlusername - type: keyword - description: > - CIFS Domain username - - - name: domainfilteridx - type: integer - description: > - Domain filter ID - - - name: domainfilterlist - type: keyword - description: > - Domain filter name - - - name: ds - type: keyword - description: > - Direction with distribution system - - - name: dst_int - type: keyword - description: > - Destination interface - - - name: dstintfrole - type: keyword - description: > - Destination interface role - - - name: dstcountry - type: keyword - description: > - Destination country - - - name: dstdevcategory - type: keyword - description: > - Destination device category - - - name: dstdevtype - type: keyword - description: > - Destination device type - - - name: dstfamily - type: keyword - description: > - Destination OS family - - - name: dsthwvendor - type: keyword - description: > - Destination HW vendor - - - name: dsthwversion - type: keyword - description: > - Destination HW version - - - name: dstinetsvc - type: keyword - description: > - Destination interface service - - - name: dstosname - type: keyword - description: > - Destination OS name - - - name: dstosversion - type: keyword - description: > - Destination OS version - - - name: dstserver - type: integer - description: > - Destination server - - - name: dstssid - type: keyword - description: > - Destination SSID - - - name: dstswversion - type: keyword - description: > - Destination software version - - - name: dstunauthusersource - type: keyword - description: > - Destination unauthenticated source - - - name: dstuuid - type: keyword - description: > - UUID of the Destination IP address - - - name: duid - type: keyword - description: > - DHCP UID - - - name: eapolcnt - type: integer - description: > - EAPOL packet count - - - name: eapoltype - type: keyword - description: > - EAPOL packet type - - - name: encrypt - type: integer - description: > - Whether the packet is encrypted or not - - - name: encryption - type: keyword - description: > - Encryption method - - - name: epoch - type: integer - description: > - Epoch used for locating file - - - name: espauth - type: keyword - description: > - ESP Authentication - - - name: esptransform - type: keyword - description: > - ESP Transform - - - name: exch - type: keyword - description: > - Mail Exchanges from DNS response answer section - - - name: exchange - type: keyword - description: > - Mail Exchanges from DNS response answer section - - - name: expectedsignature - type: keyword - description: > - Expected SSL signature - - - name: expiry - type: keyword - description: > - FortiGuard override expiry timestamp - - - name: fams_pause - type: integer - description: > - Fortinet Analysis and Management Service Pause - - - name: fazlograte - type: long - description: > - FortiAnalyzer Logging Rate - - - name: fctemssn - type: keyword - description: > - FortiClient Endpoint SSN - - - name: fctuid - type: keyword - description: > - FortiClient UID - - - name: field - type: keyword - description: > - NTP status field - - - name: filefilter - type: keyword - description: > - The filter used to identify the affected file - - - name: filehashsrc - type: keyword - description: > - Filehash source - - - name: filtercat - type: keyword - description: > - DLP filter category - - - name: filteridx - type: integer - description: > - DLP filter ID - - - name: filtername - type: keyword - description: > - DLP rule name - - - name: filtertype - type: keyword - description: > - DLP filter type - - - name: fortiguardresp - type: keyword - description: > - Antispam ESP value - - - name: forwardedfor - type: keyword - description: > - Email address forwarded - - - name: fqdn - type: keyword - description: > - FQDN - - - name: frametype - type: keyword - description: > - Wireless frametype - - - name: freediskstorage - type: integer - description: > - Free disk integer - - - name: from - type: keyword - description: > - From email address - - - name: from_vcluster - type: integer - description: > - Source virtual cluster number - - - name: fsaverdict - type: keyword - description: > - FSA verdict - - - name: fwserver_name - type: keyword - description: > - Web proxy server name - - - name: gateway - type: ip - description: > - Gateway ip address for PPPoE status report - - - name: green - type: keyword - description: > - Memory status - - - name: groupid - type: integer - description: > - User Group ID - - - name: ha-prio - type: integer - description: > - HA Priority - - - name: ha_group - type: keyword - description: > - HA Group - - - name: ha_role - type: keyword - description: > - HA Role - - - name: handshake - type: keyword - description: > - SSL Handshake - - - name: hash - type: keyword - description: > - Hash value of downloaded file - - - name: hbdn_reason - type: keyword - description: > - Heartbeat down reason - - - name: highcount - type: integer - description: > - Highcount fabric summary - - - name: host - type: keyword - description: > - Hostname - - - name: iaid - type: keyword - description: > - DHCPv6 id - - - name: icmpcode - type: keyword - description: > - Destination Port of the ICMP message - - - name: icmpid - type: keyword - description: > - Source port of the ICMP message - - - name: icmptype - type: keyword - description: > - The type of ICMP message - - - name: identifier - type: integer - description: > - Network traffic identifier - - - name: in_spi - type: keyword - description: > - IPSEC inbound SPI - - - name: incidentserialno - type: integer - description: > - Incident serial number - - - name: infected - type: integer - description: > - Infected MMS - - - name: infectedfilelevel - type: integer - description: > - DLP infected file level - - - name: informationsource - type: keyword - description: > - Information source - - - name: init - type: keyword - description: > - IPSEC init stage - - - name: initiator - type: keyword - description: > - Original login user name for Fortiguard override - - - name: interface - type: keyword - description: > - Related interface - - - name: intf - type: keyword - description: > - Related interface - - - name: invalidmac - type: keyword - description: > - The MAC address with invalid OUI - - - name: ip - type: ip - description: > - Related IP - - - name: iptype - type: keyword - description: > - Related IP type - - - name: keyword - type: keyword - description: > - Keyword used for search - - - name: kind - type: keyword - description: > - VOIP kind - - - name: lanin - type: long - description: > - LAN incoming traffic in bytes - - - name: lanout - type: long - description: > - LAN outbound traffic in bytes - - - name: lease - type: integer - description: > - DHCP lease - - - name: license_limit - type: keyword - description: > - Maximum Number of FortiClients for the License - - - name: limit - type: integer - description: > - Virtual Domain Resource Limit - - - name: line - type: keyword - description: > - VOIP line - - - name: live - type: integer - description: > - Time in seconds - - - name: local - type: ip - description: > - Local IP for a PPPD Connection - - - name: log - type: keyword - description: > - Log message - - - name: login - type: keyword - description: > - SSH login - - - name: lowcount - type: integer - description: > - Fabric lowcount - - - name: mac - type: keyword - description: > - DHCP mac address - - - name: malform_data - type: integer - description: > - VOIP malformed data - - - name: malform_desc - type: keyword - description: > - VOIP malformed data description - - - name: manuf - type: keyword - description: > - Manufacturer name - - - name: masterdstmac - type: keyword - description: > - Master mac address for a host with multiple network interfaces - - - name: mastersrcmac - type: keyword - description: > - The master MAC address for a host that has multiple network interfaces - - - name: mediumcount - type: integer - description: > - Fabric medium count - - - name: mem - type: keyword - description: > - Memory usage system statistics - - - name: meshmode - type: keyword - description: > - Wireless mesh mode - - - name: message_type - type: keyword - description: > - VOIP message type - - - name: method - type: keyword - description: > - HTTP method - - - name: mgmtcnt - type: integer - description: > - The number of unauthorized client flooding managemet frames - - - name: mode - type: keyword - description: > - IPSEC mode - - - name: module - type: keyword - description: > - PCI-DSS module - - - name: monitor-name - type: keyword - description: > - Health Monitor Name - - - name: monitor-type - type: keyword - description: > - Health Monitor Type - - - name: mpsk - type: keyword - description: > - Wireless MPSK - - - name: msgproto - type: keyword - description: > - Message Protocol Number - - - name: mtu - type: integer - description: > - Max Transmission Unit Value - - - name: name - type: keyword - description: > - Name - - - name: nat - type: keyword - description: > - NAT IP Address - - - name: netid - type: keyword - description: > - Connector NetID - - - name: new_status - type: keyword - description: > - New status on user change - - - name: new_value - type: keyword - description: > - New Virtual Domain Name - - - name: newchannel - type: integer - description: > - New Channel Number - - - name: newchassisid - type: integer - description: > - New Chassis ID - - - name: newslot - type: integer - description: > - New Slot Number - - - name: nextstat - type: integer - description: > - Time interval in seconds for the next statistics. - - - name: nf_type - type: keyword - description: > - Notification Type - - - name: noise - type: integer - description: > - Wifi Noise - - - name: old_status - type: keyword - description: > - Original Status - - - name: old_value - type: keyword - description: > - Original Virtual Domain name - - - name: oldchannel - type: integer - description: > - Original channel - - - name: oldchassisid - type: integer - description: > - Original Chassis Number - - - name: oldslot - type: integer - description: > - Original Slot Number - - - name: oldsn - type: keyword - description: > - Old Serial number - - - name: oldwprof - type: keyword - description: > - Old Web Filter Profile - - - name: onwire - type: keyword - description: > - A flag to indicate if the AP is onwire or not - - - name: opercountry - type: keyword - description: > - Operating Country - - - name: opertxpower - type: integer - description: > - Operating TX power - - - name: osname - type: keyword - description: > - Operating System name - - - name: osversion - type: keyword - description: > - Operating System version - - - name: out_spi - type: keyword - description: > - Out SPI - - - name: outintf - type: keyword - description: > - Out interface - - - name: passedcount - type: integer - description: > - Fabric passed count - - - name: passwd - type: keyword - description: > - Changed user password information - - - name: path - type: keyword - description: > - Path of looped configuration for security fabric - - - name: peer - type: keyword - description: > - WAN optimization peer - - - name: peer_notif - type: keyword - description: > - VPN peer notification - - - name: phase2_name - type: keyword - description: > - VPN phase2 name - - - name: phone - type: keyword - description: > - VOIP Phone - - - name: pid - type: integer - description: > - Process ID - - - name: policytype - type: keyword - description: > - Policy Type - - - name: poolname - type: keyword - description: > - IP Pool name - - - name: port - type: integer - description: > - Log upload error port - - - name: portbegin - type: integer - description: > - IP Pool port number to begin - - - name: portend - type: integer - description: > - IP Pool port number to end - - - name: probeproto - type: keyword - description: > - Link Monitor Probe Protocol - - - name: process - type: keyword - description: > - URL Filter process - - - name: processtime - type: integer - description: > - Process time for reports - - - name: profile - type: keyword - description: > - Profile Name - - - name: profile_vd - type: keyword - description: > - Virtual Domain Name - - - name: profilegroup - type: keyword - description: > - Profile Group Name - - - name: profiletype - type: keyword - description: > - Profile Type - - - name: qtypeval - type: integer - description: > - DNS question type value - - - name: quarskip - type: keyword - description: > - Quarantine skip explanation - - - name: quotaexceeded - type: keyword - description: > - If quota has been exceeded - - - name: quotamax - type: long - description: > - Maximum quota allowed - in seconds if time-based - in bytes if traffic-based - - - name: quotatype - type: keyword - description: > - Quota type - - - name: quotaused - type: long - description: > - Quota used - in seconds if time-based - in bytes if trafficbased) - - - name: radioband - type: keyword - description: > - Radio band - - - name: radioid - type: integer - description: > - Radio ID - - - name: radioidclosest - type: integer - description: > - Radio ID on the AP closest the rogue AP - - - name: radioiddetected - type: integer - description: > - Radio ID on the AP which detected the rogue AP - - - name: rate - type: keyword - description: > - Wireless rogue rate value - - - name: rawdata - type: keyword - description: > - Raw data value - - - name: rawdataid - type: keyword - description: > - Raw data ID - - - name: rcvddelta - type: keyword - description: > - Received bytes delta - - - name: reason - type: keyword - description: > - Alert reason - - - name: received - type: integer - description: > - Server key exchange received - - - name: receivedsignature - type: keyword - description: > - Server key exchange received signature - - - name: red - type: keyword - description: > - Memory information in red - - - name: referralurl - type: keyword - description: > - Web filter referralurl - - - name: remote - type: ip - description: > - Remote PPP IP address - - - name: remotewtptime - type: keyword - description: > - Remote Wifi Radius authentication time - - - name: reporttype - type: keyword - description: > - Report type - - - name: reqtype - type: keyword - description: > - Request type - - - name: request_name - type: keyword - description: > - VOIP request name - - - name: result - type: keyword - description: > - VPN phase result - - - name: role - type: keyword - description: > - VPN Phase 2 role - - - name: rssi - type: integer - description: > - Received signal strength indicator - - - name: rsso_key - type: keyword - description: > - RADIUS SSO attribute value - - - name: ruledata - type: keyword - description: > - Rule data - - - name: ruletype - type: keyword - description: > - Rule type - - - name: scanned - type: integer - description: > - Number of Scanned MMSs - - - name: scantime - type: long - description: > - Scanned time - - - name: scope - type: keyword - description: > - FortiGuard Override Scope - - - name: security - type: keyword - description: > - Wireless rogue security - - - name: sensitivity - type: keyword - description: > - Sensitivity for document fingerprint - - - name: sensor - type: keyword - description: > - NAC Sensor Name - - - name: sentdelta - type: keyword - description: > - Sent bytes delta - - - name: seq - type: keyword - description: > - Sequence number - - - name: serial - type: keyword - description: > - WAN optimisation serial - - - name: serialno - type: keyword - description: > - Serial number - - - name: server - type: keyword - description: > - AD server FQDN or IP - - - name: session_id - type: keyword - description: > - Session ID - - - name: sessionid - type: integer - description: > - WAD Session ID - - - name: setuprate - type: long - description: > - Session Setup Rate - - - name: severity - type: keyword - description: > - Severity - - - name: shaperdroprcvdbyte - type: integer - description: > - Received bytes dropped by shaper - - - name: shaperdropsentbyte - type: integer - description: > - Sent bytes dropped by shaper - - - name: shaperperipdropbyte - type: integer - description: > - Dropped bytes per IP by shaper - - - name: shaperperipname - type: keyword - description: > - Traffic shaper name (per IP) - - - name: shaperrcvdname - type: keyword - description: > - Traffic shaper name for received traffic - - - name: shapersentname - type: keyword - description: > - Traffic shaper name for sent traffic - - - name: shapingpolicyid - type: integer - description: > - Traffic shaper policy ID - - - name: signal - type: integer - description: > - Wireless rogue API signal - - - name: size - type: long - description: > - Email size in bytes - - - name: slot - type: integer - description: > - Slot number - - - name: sn - type: keyword - description: > - Security fabric serial number - - - name: snclosest - type: keyword - description: > - SN of the AP closest to the rogue AP - - - name: sndetected - type: keyword - description: > - SN of the AP which detected the rogue AP - - - name: snmeshparent - type: keyword - description: > - SN of the mesh parent - - - name: spi - type: keyword - description: > - IPSEC SPI - - - name: src_int - type: keyword - description: > - Source interface - - - name: srcintfrole - type: keyword - description: > - Source interface role - - - name: srccountry - type: keyword - description: > - Source country - - - name: srcfamily - type: keyword - description: > - Source family - - - name: srchwvendor - type: keyword - description: > - Source hardware vendor - - - name: srchwversion - type: keyword - description: > - Source hardware version - - - name: srcinetsvc - type: keyword - description: > - Source interface service - - - name: srcname - type: keyword - description: > - Source name - - - name: srcserver - type: integer - description: > - Source server - - - name: srcssid - type: keyword - description: > - Source SSID - - - name: srcswversion - type: keyword - description: > - Source software version - - - name: srcuuid - type: keyword - description: > - Source UUID - - - name: sscname - type: keyword - description: > - SSC name - - - name: ssid - type: keyword - description: > - Base Service Set ID - - - name: sslaction - type: keyword - description: > - SSL Action - - - name: ssllocal - type: keyword - description: > - WAD SSL local - - - name: sslremote - type: keyword - description: > - WAD SSL remote - - - name: stacount - type: integer - description: > - Number of stations/clients - - - name: stage - type: keyword - description: > - IPSEC stage - - - name: stamac - type: keyword - description: > - 802.1x station mac - - - name: state - type: keyword - description: > - Admin login state - - - name: status - type: keyword - description: > - Status - - - name: stitch - type: keyword - description: > - Automation stitch triggered - - - name: subject - type: keyword - description: > - Email subject - - - name: submodule - type: keyword - description: > - Configuration Sub-Module Name - - - name: subservice - type: keyword - description: > - AV subservice - - - name: subtype - type: keyword - description: > - Log subtype - - - name: suspicious - type: integer - description: > - Number of Suspicious MMSs - - - name: switchproto - type: keyword - description: > - Protocol change information - - - name: sync_status - type: keyword - description: > - The sync status with the master - - - name: sync_type - type: keyword - description: > - The sync type with the master - - - name: sysuptime - type: keyword - description: > - System uptime - - - name: tamac - type: keyword - description: > - the MAC address of Transmitter, if none, then Receiver - - - name: threattype - type: keyword - description: > - WIDS threat type - - - name: time - type: keyword - description: > - Time of the event - - - name: to - type: keyword - description: > - Email to field - - - name: to_vcluster - type: integer - description: > - destination virtual cluster number - - - name: total - type: integer - description: > - Total memory - - - name: totalsession - type: integer - description: > - Total Number of Sessions - - - name: trace_id - type: keyword - description: > - Session clash trace ID - - - name: trandisp - type: keyword - description: > - NAT translation type - - name: transid - type: integer - description: > - HTTP transaction ID - - - name: translationid - type: keyword - description: > - DNS filter transaltion ID - - - name: trigger - type: keyword - description: > - Automation stitch trigger - - - name: trueclntip - type: ip - description: > - File filter true client IP - - - name: tunnelid - type: integer - description: > - IPSEC tunnel ID - - - name: tunnelip - type: ip - description: > - IPSEC tunnel IP - - - name: tunneltype - type: keyword - description: > - IPSEC tunnel type - - - name: type - type: keyword - description: > - Module type - - - name: ui - type: keyword - description: > - Admin authentication UI type - - - name: unauthusersource - type: keyword - description: > - Unauthenticated user source - - - name: unit - type: integer - description: > - Power supply unit - - - name: urlfilteridx - type: integer - description: > - URL filter ID - - - name: urlfilterlist - type: keyword - description: > - URL filter list - - - name: urlsource - type: keyword - description: > - URL filter source - - - name: urltype - type: keyword - description: > - URL filter type - - - name: used - type: integer - description: > - Number of Used IPs - - - name: used_for_type - type: integer - description: > - Connection for the type - - - name: utmaction - type: keyword - description: > - Security action performed by UTM - - - name: vap - type: keyword - description: > - Virtual AP - - - name: vapmode - type: keyword - description: > - Virtual AP mode - - - name: vcluster - type: integer - description: > - virtual cluster id - - - name: vcluster_member - type: integer - description: > - Virtual cluster member - - - name: vcluster_state - type: keyword - description: > - Virtual cluster state - - - name: vd - type: keyword - description: > - Virtual Domain Name - - - name: vdname - type: keyword - description: > - Virtual Domain Name - - - name: vendorurl - type: keyword - description: > - Vulnerability scan vendor name - - - name: version - type: keyword - description: > - Version - - - name: vip - type: keyword - description: > - Virtual IP - - - name: virus - type: keyword - description: > - Virus name - - - name: virusid - type: integer - description: > - Virus ID (unique virus identifier) - - - name: voip_proto - type: keyword - description: > - VOIP protocol - - - name: vpn - type: keyword - description: > - VPN description - - - name: vpntunnel - type: keyword - description: > - IPsec Vpn Tunnel Name - - - name: vpntype - type: keyword - description: > - The type of the VPN tunnel - - - name: vrf - type: integer - description: > - VRF number - - - name: vulncat - type: keyword - description: > - Vulnerability Category - - - name: vulnid - type: integer - description: > - Vulnerability ID - - - name: vulnname - type: keyword - description: > - Vulnerability name - - - name: vwlid - type: integer - description: > - VWL ID - - - name: vwlquality - type: keyword - description: > - VWL quality - - - name: vwlservice - type: keyword - description: > - VWL service - - - name: vwpvlanid - type: integer - description: > - VWP VLAN ID - - - name: wanin - type: long - description: > - WAN incoming traffic in bytes - - - name: wanoptapptype - type: keyword - description: > - WAN Optimization Application type - - - name: wanout - type: long - description: > - WAN outgoing traffic in bytes - - - name: weakwepiv - type: keyword - description: > - Weak Wep Initiation Vector - - - name: xauthgroup - type: keyword - description: > - XAuth Group Name - - - name: xauthuser - type: keyword - description: > - XAuth User Name - - - name: xid - type: integer - description: > - Wireless X ID + - name: file.hash.crc32 + type: keyword + description: > + CRC32 Hash of file + + - name: firewall + type: group + release: beta + default_field: false + description: > + Module for parsing Fortinet syslog. + fields: + - name: acct_stat + type: keyword + description: > + Accounting state (RADIUS) + + - name: acktime + type: keyword + description: > + Alarm Acknowledge Time + + - name: act + type: keyword + description: > + Action + + - name: action + type: keyword + description: > + Status of the session + + - name: activity + type: keyword + description: > + HA activity message + + - name: addr + type: ip + description: > + IP Address + + - name: addr_type + type: keyword + description: > + Address Type + + - name: addrgrp + type: keyword + description: > + Address Group + + - name: adgroup + type: keyword + description: > + AD Group Name + + - name: admin + type: keyword + description: > + Admin User + + - name: age + type: integer + description: > + Time in seconds - time passed since last seen + + - name: agent + type: keyword + description: > + User agent - eg. agent="Mozilla/5.0" + + - name: alarmid + type: integer + description: > + Alarm ID + + - name: alert + type: keyword + description: > + Alert + + - name: analyticscksum + type: keyword + description: > + The checksum of the file submitted for analytics + + - name: analyticssubmit + type: keyword + description: > + The flag for analytics submission + + - name: ap + type: keyword + description: > + Access Point + + - name: app-type + type: keyword + description: > + Address Type + + - name: appact + type: keyword + description: > + The security action from app control + + - name: appid + type: integer + description: > + Application ID + + - name: applist + type: keyword + description: > + Application Control profile + + - name: apprisk + type: keyword + description: > + Application Risk Level + + - name: apscan + type: keyword + description: > + The name of the AP, which scanned and detected the rogue AP + + - name: apsn + type: keyword + description: > + Access Point + + - name: apstatus + type: keyword + description: > + Access Point status + + - name: aptype + type: keyword + description: > + Access Point type + + - name: assigned + type: ip + description: > + Assigned IP Address + + - name: assignip + type: ip + description: > + Assigned IP Address + + - name: attachment + type: keyword + description: > + The flag for email attachement + + - name: attack + type: keyword + description: > + Attack Name + + - name: attackcontext + type: keyword + description: > + The trigger patterns and the packetdata with base64 encoding + + - name: attackcontextid + type: keyword + description: > + Attack context id / total + + - name: attackid + type: integer + description: > + Attack ID + + - name: auditid + type: long + description: > + Audit ID + + - name: auditscore + type: keyword + description: > + The Audit Score + + - name: audittime + type: long + description: > + The time of the audit + + - name: authgrp + type: keyword + description: > + Authorization Group + + - name: authid + type: keyword + description: > + Authentication ID + + - name: authproto + type: keyword + description: > + The protocol that initiated the authentication + + - name: authserver + type: keyword + description: > + Authentication server + + - name: bandwidth + type: keyword + description: > + Bandwidth + + - name: banned_rule + type: keyword + description: > + NAC quarantine Banned Rule Name + + - name: banned_src + type: keyword + description: > + NAC quarantine Banned Source IP + + - name: banword + type: keyword + description: > + Banned word + + - name: botnetdomain + type: keyword + description: > + Botnet Domain Name + + - name: botnetip + type: ip + description: > + Botnet IP Address + + - name: bssid + type: keyword + description: > + Service Set ID + + - name: call_id + type: keyword + description: > + Caller ID + + - name: carrier_ep + type: keyword + description: > + The FortiOS Carrier end-point identification + + - name: cat + type: integer + description: > + DNS category ID + + - name: category + type: keyword + description: > + Authentication category + + - name: cc + type: keyword + description: > + CC Email Address + + - name: cdrcontent + type: keyword + description: > + Cdrcontent + + - name: centralnatid + type: integer + description: > + Central NAT ID + + - name: cert + type: keyword + description: > + Certificate + + - name: cert-type + type: keyword + description: > + Certificate type + + - name: certhash + type: keyword + description: > + Certificate hash + + - name: cfgattr + type: keyword + description: > + Configuration attribute + + - name: cfgobj + type: keyword + description: > + Configuration object + + - name: cfgpath + type: keyword + description: > + Configuration path + + - name: cfgtid + type: keyword + description: > + Configuration transaction ID + + - name: cfgtxpower + type: integer + description: > + Configuration TX power + + - name: channel + type: integer + description: > + Wireless Channel + + - name: channeltype + type: keyword + description: > + SSH channel type + + - name: chassisid + type: integer + description: > + Chassis ID + + - name: checksum + type: keyword + description: > + The checksum of the scanned file + + - name: chgheaders + type: keyword + description: > + HTTP Headers + + - name: cldobjid + type: keyword + description: > + Connector object ID + + - name: client_addr + type: keyword + description: > + Wifi client address + + - name: cloudaction + type: keyword + description: > + Cloud Action + + - name: clouduser + type: keyword + description: > + Cloud User + + - name: column + type: integer + description: > + VOIP Column + + - name: command + type: keyword + description: > + CLI Command + + - name: community + type: keyword + description: > + SNMP Community + + - name: configcountry + type: keyword + description: > + Configuration country + + - name: connection_type + type: keyword + description: > + FortiClient Connection Type + + - name: conserve + type: keyword + description: > + Flag for conserve mode + + - name: constraint + type: keyword + description: > + WAF http protocol restrictions + + - name: contentdisarmed + type: keyword + description: > + Email scanned content + + - name: contenttype + type: keyword + description: > + Content Type from HTTP header + + - name: cookies + type: keyword + description: > + VPN Cookie + + - name: count + type: integer + description: > + Counts of action type + + - name: countapp + type: integer + description: > + Number of App Ctrl logs associated with the session + + - name: countav + type: integer + description: > + Number of AV logs associated with the session + + - name: countcifs + type: integer + description: > + Number of CIFS logs associated with the session + + - name: countdlp + type: integer + description: > + Number of DLP logs associated with the session + + - name: countdns + type: integer + description: > + Number of DNS logs associated with the session + + - name: countemail + type: integer + description: > + Number of email logs associated with the session + + - name: countff + type: integer + description: > + Number of ff logs associated with the session + + - name: countips + type: integer + description: > + Number of IPS logs associated with the session + + - name: countssh + type: integer + description: > + Number of SSH logs associated with the session + + - name: countssl + type: integer + description: > + Number of SSL logs associated with the session + + - name: countwaf + type: integer + description: > + Number of WAF logs associated with the session + + - name: countweb + type: integer + description: > + Number of Web filter logs associated with the session + + - name: cpu + type: integer + description: > + CPU Usage + + - name: craction + type: integer + description: > + Client Reputation Action + + - name: criticalcount + type: integer + description: > + Number of critical ratings + + - name: crl + type: keyword + description: > + Client Reputation Level + + - name: crlevel + type: keyword + description: > + Client Reputation Level + + - name: crscore + type: integer + description: > + Some description + + - name: cveid + type: keyword + description: > + CVE ID + + - name: daemon + type: keyword + description: > + Daemon name + + - name: datarange + type: keyword + description: > + Data range for reports + + - name: date + type: keyword + description: > + Date + + - name: ddnsserver + type: ip + description: > + DDNS server + + - name: desc + type: keyword + description: > + Description + + - name: detectionmethod + type: keyword + description: > + Detection method + + - name: devcategory + type: keyword + description: > + Device category + + - name: devintfname + type: keyword + description: > + HA device Interface Name + + - name: devtype + type: keyword + description: > + Device type + + - name: dhcp_msg + type: keyword + description: > + DHCP Message + + - name: dintf + type: keyword + description: > + Destination interface + + - name: disk + type: keyword + description: > + Assosciated disk + + - name: disklograte + type: long + description: > + Disk logging rate + + - name: dlpextra + type: keyword + description: > + DLP extra information + + - name: docsource + type: keyword + description: > + DLP fingerprint document source + + - name: domainctrlauthstate + type: integer + description: > + CIFS domain auth state + + - name: domainctrlauthtype + type: integer + description: > + CIFS domain auth type + + - name: domainctrldomain + type: keyword + description: > + CIFS domain auth domain + + - name: domainctrlip + type: ip + description: > + CIFS Domain IP + + - name: domainctrlname + type: keyword + description: > + CIFS Domain name + + - name: domainctrlprotocoltype + type: integer + description: > + CIFS Domain connection protocol + + - name: domainctrlusername + type: keyword + description: > + CIFS Domain username + + - name: domainfilteridx + type: integer + description: > + Domain filter ID + + - name: domainfilterlist + type: keyword + description: > + Domain filter name + + - name: ds + type: keyword + description: > + Direction with distribution system + + - name: dst_int + type: keyword + description: > + Destination interface + + - name: dstintfrole + type: keyword + description: > + Destination interface role + + - name: dstcountry + type: keyword + description: > + Destination country + + - name: dstdevcategory + type: keyword + description: > + Destination device category + + - name: dstdevtype + type: keyword + description: > + Destination device type + + - name: dstfamily + type: keyword + description: > + Destination OS family + + - name: dsthwvendor + type: keyword + description: > + Destination HW vendor + + - name: dsthwversion + type: keyword + description: > + Destination HW version + + - name: dstinetsvc + type: keyword + description: > + Destination interface service + + - name: dstosname + type: keyword + description: > + Destination OS name + + - name: dstosversion + type: keyword + description: > + Destination OS version + + - name: dstserver + type: integer + description: > + Destination server + + - name: dstssid + type: keyword + description: > + Destination SSID + + - name: dstswversion + type: keyword + description: > + Destination software version + + - name: dstunauthusersource + type: keyword + description: > + Destination unauthenticated source + + - name: dstuuid + type: keyword + description: > + UUID of the Destination IP address + + - name: duid + type: keyword + description: > + DHCP UID + + - name: eapolcnt + type: integer + description: > + EAPOL packet count + + - name: eapoltype + type: keyword + description: > + EAPOL packet type + + - name: encrypt + type: integer + description: > + Whether the packet is encrypted or not + + - name: encryption + type: keyword + description: > + Encryption method + + - name: epoch + type: integer + description: > + Epoch used for locating file + + - name: espauth + type: keyword + description: > + ESP Authentication + + - name: esptransform + type: keyword + description: > + ESP Transform + + - name: exch + type: keyword + description: > + Mail Exchanges from DNS response answer section + + - name: exchange + type: keyword + description: > + Mail Exchanges from DNS response answer section + + - name: expectedsignature + type: keyword + description: > + Expected SSL signature + + - name: expiry + type: keyword + description: > + FortiGuard override expiry timestamp + + - name: fams_pause + type: integer + description: > + Fortinet Analysis and Management Service Pause + + - name: fazlograte + type: long + description: > + FortiAnalyzer Logging Rate + + - name: fctemssn + type: keyword + description: > + FortiClient Endpoint SSN + + - name: fctuid + type: keyword + description: > + FortiClient UID + + - name: field + type: keyword + description: > + NTP status field + + - name: filefilter + type: keyword + description: > + The filter used to identify the affected file + + - name: filehashsrc + type: keyword + description: > + Filehash source + + - name: filtercat + type: keyword + description: > + DLP filter category + + - name: filteridx + type: integer + description: > + DLP filter ID + + - name: filtername + type: keyword + description: > + DLP rule name + + - name: filtertype + type: keyword + description: > + DLP filter type + + - name: fortiguardresp + type: keyword + description: > + Antispam ESP value + + - name: forwardedfor + type: keyword + description: > + Email address forwarded + + - name: fqdn + type: keyword + description: > + FQDN + + - name: frametype + type: keyword + description: > + Wireless frametype + + - name: freediskstorage + type: integer + description: > + Free disk integer + + - name: from + type: keyword + description: > + From email address + + - name: from_vcluster + type: integer + description: > + Source virtual cluster number + + - name: fsaverdict + type: keyword + description: > + FSA verdict + + - name: fwserver_name + type: keyword + description: > + Web proxy server name + + - name: gateway + type: ip + description: > + Gateway ip address for PPPoE status report + + - name: green + type: keyword + description: > + Memory status + + - name: groupid + type: integer + description: > + User Group ID + + - name: ha-prio + type: integer + description: > + HA Priority + + - name: ha_group + type: keyword + description: > + HA Group + + - name: ha_role + type: keyword + description: > + HA Role + + - name: handshake + type: keyword + description: > + SSL Handshake + + - name: hash + type: keyword + description: > + Hash value of downloaded file + + - name: hbdn_reason + type: keyword + description: > + Heartbeat down reason + + - name: highcount + type: integer + description: > + Highcount fabric summary + + - name: host + type: keyword + description: > + Hostname + + - name: iaid + type: keyword + description: > + DHCPv6 id + + - name: icmpcode + type: keyword + description: > + Destination Port of the ICMP message + + - name: icmpid + type: keyword + description: > + Source port of the ICMP message + + - name: icmptype + type: keyword + description: > + The type of ICMP message + + - name: identifier + type: integer + description: > + Network traffic identifier + + - name: in_spi + type: keyword + description: > + IPSEC inbound SPI + + - name: incidentserialno + type: integer + description: > + Incident serial number + + - name: infected + type: integer + description: > + Infected MMS + + - name: infectedfilelevel + type: integer + description: > + DLP infected file level + + - name: informationsource + type: keyword + description: > + Information source + + - name: init + type: keyword + description: > + IPSEC init stage + + - name: initiator + type: keyword + description: > + Original login user name for Fortiguard override + + - name: interface + type: keyword + description: > + Related interface + + - name: intf + type: keyword + description: > + Related interface + + - name: invalidmac + type: keyword + description: > + The MAC address with invalid OUI + + - name: ip + type: ip + description: > + Related IP + + - name: iptype + type: keyword + description: > + Related IP type + + - name: keyword + type: keyword + description: > + Keyword used for search + + - name: kind + type: keyword + description: > + VOIP kind + + - name: lanin + type: long + description: > + LAN incoming traffic in bytes + + - name: lanout + type: long + description: > + LAN outbound traffic in bytes + + - name: lease + type: integer + description: > + DHCP lease + + - name: license_limit + type: keyword + description: > + Maximum Number of FortiClients for the License + + - name: limit + type: integer + description: > + Virtual Domain Resource Limit + + - name: line + type: keyword + description: > + VOIP line + + - name: live + type: integer + description: > + Time in seconds + + - name: local + type: ip + description: > + Local IP for a PPPD Connection + + - name: log + type: keyword + description: > + Log message + + - name: login + type: keyword + description: > + SSH login + + - name: lowcount + type: integer + description: > + Fabric lowcount + + - name: mac + type: keyword + description: > + DHCP mac address + + - name: malform_data + type: integer + description: > + VOIP malformed data + + - name: malform_desc + type: keyword + description: > + VOIP malformed data description + + - name: manuf + type: keyword + description: > + Manufacturer name + + - name: masterdstmac + type: keyword + description: > + Master mac address for a host with multiple network interfaces + + - name: mastersrcmac + type: keyword + description: > + The master MAC address for a host that has multiple network interfaces + + - name: mediumcount + type: integer + description: > + Fabric medium count + + - name: mem + type: integer + description: > + Memory usage system statistics + + - name: meshmode + type: keyword + description: > + Wireless mesh mode + + - name: message_type + type: keyword + description: > + VOIP message type + + - name: method + type: keyword + description: > + HTTP method + + - name: mgmtcnt + type: integer + description: > + The number of unauthorized client flooding managemet frames + + - name: mode + type: keyword + description: > + IPSEC mode + + - name: module + type: keyword + description: > + PCI-DSS module + + - name: monitor-name + type: keyword + description: > + Health Monitor Name + + - name: monitor-type + type: keyword + description: > + Health Monitor Type + + - name: mpsk + type: keyword + description: > + Wireless MPSK + + - name: msgproto + type: keyword + description: > + Message Protocol Number + + - name: mtu + type: integer + description: > + Max Transmission Unit Value + + - name: name + type: keyword + description: > + Name + + - name: nat + type: keyword + description: > + NAT IP Address + + - name: netid + type: keyword + description: > + Connector NetID + + - name: new_status + type: keyword + description: > + New status on user change + + - name: new_value + type: keyword + description: > + New Virtual Domain Name + + - name: newchannel + type: integer + description: > + New Channel Number + + - name: newchassisid + type: integer + description: > + New Chassis ID + + - name: newslot + type: integer + description: > + New Slot Number + + - name: nextstat + type: integer + description: > + Time interval in seconds for the next statistics. + + - name: nf_type + type: keyword + description: > + Notification Type + + - name: noise + type: integer + description: > + Wifi Noise + + - name: old_status + type: keyword + description: > + Original Status + + - name: old_value + type: keyword + description: > + Original Virtual Domain name + + - name: oldchannel + type: integer + description: > + Original channel + + - name: oldchassisid + type: integer + description: > + Original Chassis Number + + - name: oldslot + type: integer + description: > + Original Slot Number + + - name: oldsn + type: keyword + description: > + Old Serial number + + - name: oldwprof + type: keyword + description: > + Old Web Filter Profile + + - name: onwire + type: keyword + description: > + A flag to indicate if the AP is onwire or not + + - name: opercountry + type: keyword + description: > + Operating Country + + - name: opertxpower + type: integer + description: > + Operating TX power + + - name: osname + type: keyword + description: > + Operating System name + + - name: osversion + type: keyword + description: > + Operating System version + + - name: out_spi + type: keyword + description: > + Out SPI + + - name: outintf + type: keyword + description: > + Out interface + + - name: passedcount + type: integer + description: > + Fabric passed count + + - name: passwd + type: keyword + description: > + Changed user password information + + - name: path + type: keyword + description: > + Path of looped configuration for security fabric + + - name: peer + type: keyword + description: > + WAN optimization peer + + - name: peer_notif + type: keyword + description: > + VPN peer notification + + - name: phase2_name + type: keyword + description: > + VPN phase2 name + + - name: phone + type: keyword + description: > + VOIP Phone + + - name: pid + type: integer + description: > + Process ID + + - name: policytype + type: keyword + description: > + Policy Type + + - name: poolname + type: keyword + description: > + IP Pool name + + - name: port + type: integer + description: > + Log upload error port + + - name: portbegin + type: integer + description: > + IP Pool port number to begin + + - name: portend + type: integer + description: > + IP Pool port number to end + + - name: probeproto + type: keyword + description: > + Link Monitor Probe Protocol + + - name: process + type: keyword + description: > + URL Filter process + + - name: processtime + type: integer + description: > + Process time for reports + + - name: profile + type: keyword + description: > + Profile Name + + - name: profile_vd + type: keyword + description: > + Virtual Domain Name + + - name: profilegroup + type: keyword + description: > + Profile Group Name + + - name: profiletype + type: keyword + description: > + Profile Type + + - name: qtypeval + type: integer + description: > + DNS question type value + + - name: quarskip + type: keyword + description: > + Quarantine skip explanation + + - name: quotaexceeded + type: keyword + description: > + If quota has been exceeded + + - name: quotamax + type: long + description: > + Maximum quota allowed - in seconds if time-based - in bytes if traffic-based + + - name: quotatype + type: keyword + description: > + Quota type + + - name: quotaused + type: long + description: > + Quota used - in seconds if time-based - in bytes if trafficbased) + + - name: radioband + type: keyword + description: > + Radio band + + - name: radioid + type: integer + description: > + Radio ID + + - name: radioidclosest + type: integer + description: > + Radio ID on the AP closest the rogue AP + + - name: radioiddetected + type: integer + description: > + Radio ID on the AP which detected the rogue AP + + - name: rate + type: keyword + description: > + Wireless rogue rate value + + - name: rawdata + type: keyword + description: > + Raw data value + + - name: rawdataid + type: keyword + description: > + Raw data ID + + - name: rcvddelta + type: keyword + description: > + Received bytes delta + + - name: reason + type: keyword + description: > + Alert reason + + - name: received + type: integer + description: > + Server key exchange received + + - name: receivedsignature + type: keyword + description: > + Server key exchange received signature + + - name: red + type: keyword + description: > + Memory information in red + + - name: referralurl + type: keyword + description: > + Web filter referralurl + + - name: remote + type: ip + description: > + Remote PPP IP address + + - name: remotewtptime + type: keyword + description: > + Remote Wifi Radius authentication time + + - name: reporttype + type: keyword + description: > + Report type + + - name: reqtype + type: keyword + description: > + Request type + + - name: request_name + type: keyword + description: > + VOIP request name + + - name: result + type: keyword + description: > + VPN phase result + + - name: role + type: keyword + description: > + VPN Phase 2 role + + - name: rssi + type: integer + description: > + Received signal strength indicator + + - name: rsso_key + type: keyword + description: > + RADIUS SSO attribute value + + - name: ruledata + type: keyword + description: > + Rule data + + - name: ruletype + type: keyword + description: > + Rule type + + - name: scanned + type: integer + description: > + Number of Scanned MMSs + + - name: scantime + type: long + description: > + Scanned time + + - name: scope + type: keyword + description: > + FortiGuard Override Scope + + - name: security + type: keyword + description: > + Wireless rogue security + + - name: sensitivity + type: keyword + description: > + Sensitivity for document fingerprint + + - name: sensor + type: keyword + description: > + NAC Sensor Name + + - name: sentdelta + type: keyword + description: > + Sent bytes delta + + - name: seq + type: keyword + description: > + Sequence number + + - name: serial + type: keyword + description: > + WAN optimisation serial + + - name: serialno + type: keyword + description: > + Serial number + + - name: server + type: keyword + description: > + AD server FQDN or IP + + - name: session_id + type: keyword + description: > + Session ID + + - name: sessionid + type: integer + description: > + WAD Session ID + + - name: setuprate + type: long + description: > + Session Setup Rate + + - name: severity + type: keyword + description: > + Severity + + - name: shaperdroprcvdbyte + type: integer + description: > + Received bytes dropped by shaper + + - name: shaperdropsentbyte + type: integer + description: > + Sent bytes dropped by shaper + + - name: shaperperipdropbyte + type: integer + description: > + Dropped bytes per IP by shaper + + - name: shaperperipname + type: keyword + description: > + Traffic shaper name (per IP) + + - name: shaperrcvdname + type: keyword + description: > + Traffic shaper name for received traffic + + - name: shapersentname + type: keyword + description: > + Traffic shaper name for sent traffic + + - name: shapingpolicyid + type: integer + description: > + Traffic shaper policy ID + + - name: signal + type: integer + description: > + Wireless rogue API signal + + - name: size + type: long + description: > + Email size in bytes + + - name: slot + type: integer + description: > + Slot number + + - name: sn + type: keyword + description: > + Security fabric serial number + + - name: snclosest + type: keyword + description: > + SN of the AP closest to the rogue AP + + - name: sndetected + type: keyword + description: > + SN of the AP which detected the rogue AP + + - name: snmeshparent + type: keyword + description: > + SN of the mesh parent + + - name: spi + type: keyword + description: > + IPSEC SPI + + - name: src_int + type: keyword + description: > + Source interface + + - name: srcintfrole + type: keyword + description: > + Source interface role + + - name: srccountry + type: keyword + description: > + Source country + + - name: srcfamily + type: keyword + description: > + Source family + + - name: srchwvendor + type: keyword + description: > + Source hardware vendor + + - name: srchwversion + type: keyword + description: > + Source hardware version + + - name: srcinetsvc + type: keyword + description: > + Source interface service + + - name: srcname + type: keyword + description: > + Source name + + - name: srcserver + type: integer + description: > + Source server + + - name: srcssid + type: keyword + description: > + Source SSID + + - name: srcswversion + type: keyword + description: > + Source software version + + - name: srcuuid + type: keyword + description: > + Source UUID + + - name: sscname + type: keyword + description: > + SSC name + + - name: ssid + type: keyword + description: > + Base Service Set ID + + - name: sslaction + type: keyword + description: > + SSL Action + + - name: ssllocal + type: keyword + description: > + WAD SSL local + + - name: sslremote + type: keyword + description: > + WAD SSL remote + + - name: stacount + type: integer + description: > + Number of stations/clients + + - name: stage + type: keyword + description: > + IPSEC stage + + - name: stamac + type: keyword + description: > + 802.1x station mac + + - name: state + type: keyword + description: > + Admin login state + + - name: status + type: keyword + description: > + Status + + - name: stitch + type: keyword + description: > + Automation stitch triggered + + - name: subject + type: keyword + description: > + Email subject + + - name: submodule + type: keyword + description: > + Configuration Sub-Module Name + + - name: subservice + type: keyword + description: > + AV subservice + + - name: subtype + type: keyword + description: > + Log subtype + + - name: suspicious + type: integer + description: > + Number of Suspicious MMSs + + - name: switchproto + type: keyword + description: > + Protocol change information + + - name: sync_status + type: keyword + description: > + The sync status with the master + + - name: sync_type + type: keyword + description: > + The sync type with the master + + - name: sysuptime + type: keyword + description: > + System uptime + + - name: tamac + type: keyword + description: > + the MAC address of Transmitter, if none, then Receiver + + - name: threattype + type: keyword + description: > + WIDS threat type + + - name: time + type: keyword + description: > + Time of the event + + - name: to + type: keyword + description: > + Email to field + + - name: to_vcluster + type: integer + description: > + destination virtual cluster number + + - name: total + type: integer + description: > + Total memory + + - name: totalsession + type: integer + description: > + Total Number of Sessions + + - name: trace_id + type: keyword + description: > + Session clash trace ID + + - name: trandisp + type: keyword + description: > + NAT translation type + + - name: transid + type: integer + description: > + HTTP transaction ID + + - name: translationid + type: keyword + description: > + DNS filter transaltion ID + + - name: trigger + type: keyword + description: > + Automation stitch trigger + + - name: trueclntip + type: ip + description: > + File filter true client IP + + - name: tunnelid + type: integer + description: > + IPSEC tunnel ID + + - name: tunnelip + type: ip + description: > + IPSEC tunnel IP + + - name: tunneltype + type: keyword + description: > + IPSEC tunnel type + + - name: type + type: keyword + description: > + Module type + + - name: ui + type: keyword + description: > + Admin authentication UI type + + - name: unauthusersource + type: keyword + description: > + Unauthenticated user source + + - name: unit + type: integer + description: > + Power supply unit + + - name: urlfilteridx + type: integer + description: > + URL filter ID + + - name: urlfilterlist + type: keyword + description: > + URL filter list + + - name: urlsource + type: keyword + description: > + URL filter source + + - name: urltype + type: keyword + description: > + URL filter type + + - name: used + type: integer + description: > + Number of Used IPs + + - name: used_for_type + type: integer + description: > + Connection for the type + + - name: utmaction + type: keyword + description: > + Security action performed by UTM + + - name: vap + type: keyword + description: > + Virtual AP + + - name: vapmode + type: keyword + description: > + Virtual AP mode + + - name: vcluster + type: integer + description: > + virtual cluster id + + - name: vcluster_member + type: integer + description: > + Virtual cluster member + + - name: vcluster_state + type: keyword + description: > + Virtual cluster state + + - name: vd + type: keyword + description: > + Virtual Domain Name + + - name: vdname + type: keyword + description: > + Virtual Domain Name + + - name: vendorurl + type: keyword + description: > + Vulnerability scan vendor name + + - name: version + type: keyword + description: > + Version + + - name: vip + type: keyword + description: > + Virtual IP + + - name: virus + type: keyword + description: > + Virus name + + - name: virusid + type: integer + description: > + Virus ID (unique virus identifier) + + - name: voip_proto + type: keyword + description: > + VOIP protocol + + - name: vpn + type: keyword + description: > + VPN description + + - name: vpntunnel + type: keyword + description: > + IPsec Vpn Tunnel Name + + - name: vpntype + type: keyword + description: > + The type of the VPN tunnel + + - name: vrf + type: integer + description: > + VRF number + + - name: vulncat + type: keyword + description: > + Vulnerability Category + + - name: vulnid + type: integer + description: > + Vulnerability ID + + - name: vulnname + type: keyword + description: > + Vulnerability name + + - name: vwlid + type: integer + description: > + VWL ID + + - name: vwlquality + type: keyword + description: > + VWL quality + + - name: vwlservice + type: keyword + description: > + VWL service + + - name: vwpvlanid + type: integer + description: > + VWP VLAN ID + + - name: wanin + type: long + description: > + WAN incoming traffic in bytes + + - name: wanoptapptype + type: keyword + description: > + WAN Optimization Application type + + - name: wanout + type: long + description: > + WAN outgoing traffic in bytes + + - name: weakwepiv + type: keyword + description: > + Weak Wep Initiation Vector + + - name: xauthgroup + type: keyword + description: > + XAuth Group Name + + - name: xauthuser + type: keyword + description: > + XAuth User Name + + - name: xid + type: integer + description: > + Wireless X ID diff --git a/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml b/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml index 6af16945317..e0786f595a4 100644 --- a/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml +++ b/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml @@ -24,8 +24,7 @@ tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - - add_locale: ~ - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml index 30b32592d25..d75ed9a8697 100644 --- a/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml +++ b/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml @@ -218,6 +218,11 @@ processors: ignore_failure: true ignore_missing: true if: "ctx.event?.duration == null" +- convert: + field: fortinet.firewall.mem + type: integer + ignore_failure: true + ignore_missing: true - geoip: field: source.ip target_field: source.geo diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml index ba6c2d810ff..eeb5368db55 100644 --- a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing fortinet firewall logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: @@ -69,13 +72,26 @@ processors: formats: - UNIX_MS timezone: "{{fortinet.firewall.tz}}" - if: "ctx.fortinet?.firewall?.tz != null" + if: "ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() > 11" +- date: + field: fortinet.firewall.eventtime + target_field: event.start + formats: + - UNIX + timezone: "{{fortinet.firewall.tz}}" + if: "ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" - date: field: fortinet.firewall.eventtime target_field: event.start formats: - UNIX_MS - if: "ctx.fortinet?.firewall?.tz == null" + if: "ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() > 11" +- date: + field: fortinet.firewall.eventtime + target_field: event.start + formats: + - UNIX + if: "ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() <= 11" - rename: field: fortinet.firewall.devname target_field: observer.name @@ -165,4 +181,4 @@ processors: on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml index 91e6726932b..d847f347d63 100644 --- a/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml +++ b/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml @@ -30,7 +30,7 @@ processors: field: fortinet.firewall.remip target_field: destination.ip ignore_missing: true - if: "ctx.destination?.ip == null" + if: "ctx.destination?.ip == null" - convert: field: fortinet.firewall.dst_port target_field: destination.port @@ -295,16 +295,24 @@ processors: ignore_missing: true - rename: field: fortinet.firewall.scertcname - target_field: tls.client.server_name + target_field: tls.server.x509.subject.common_name ignore_missing: true - rename: field: fortinet.firewall.scertissuer target_field: tls.server.issuer ignore_missing: true +- set: + field: tls.server.x509.issuer.common_name + value: "{{tls.server.issuer}}" + ignore_empty_value: true - rename: field: fortinet.firewall.ccertissuer target_field: tls.client.issuer ignore_missing: true +- set: + field: tls.client.x509.issuer.common_name + value: "{{tls.client.issuer}}" + ignore_empty_value: true - rename: field: fortinet.firewall.sender target_field: tls.server.issuer @@ -427,4 +435,4 @@ processors: on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log index 01fc2444606..410daa4405b 100644 --- a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log +++ b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log @@ -27,4 +27,5 @@ <189>date=2020-04-23 time=12:11:48 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229908751434997 tz="-0500" srcip=2001:4860:4860::8888 identifier=0 srcintf="port1" srcintfrole="lan" dstip=2001:4860:4860::8888 dstintf="unknown0" dstintfrole="undefined" sessionid=6542345 proto=58 action="accept" policyid=0 policytype="someotherpolicy" service="icmp6/1/0" trandisp="noop" app="icmp6/25/0" duration=42 sentbyte=3014 rcvdbyte=20 sentpkt=4 rcvdpkt=0 appcat="unscanned" <189>date=2020-04-23 time=13:10:57 devname="newfirewall" devid="newrouterid" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1587229857509058693 tz="-0400" srcip=9.7.7.7 identifier=61 srcintf="wan1" srcintfrole="wan" dstip=8.8.8.8 dstintf="unknown0" dstintfrole="undefined" sessionid=123 proto=1 action="accept" policyid=0 policytype="rulepolicy" service="PING" dstcountry="Norway" srccountry="Netherlands" trandisp="noop" app="PING" duration=20 sentbyte=0 rcvdbyte=10 sentpkt=0 rcvdpkt=40 appcat="unscanned" <188>date=2020-04-23 time=12:14:39 devname="firewall3" devid="oldfwid" logid="0000000011" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1587230079841464445 tz="-0500" srcip=192.168.1.1 srcport=62493 srcintf="port1" srcintfrole="lan" dstip=192.168.100.100 dstport=1235 dstintf="newinterface" dstintfrole="undefined" sessionid=54234 proto=17 action="ip-conn" policyid=49 policytype="policy" poluuid="654cc-b6542-53467u8-e45234-1566casd35f7836" policyname="oldpolicyname" user="elasticsuper" authserver="FSSO_newfsso" service="udp/12302" dstcountry="Reserved" srccountry="Reserved" appcat="unscanned" crscore=5 craction=63332144 crlevel="low" -<189>date=2020-04-23 time=12:14:28 devname="firewall3" devid="oldfwid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587230069291463928 tz="-0500" srcip=192.168.50.50 srcport=56603 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=442 dstintf="wan1" dstintfrole="wan" sessionid=2345 proto=6 action="close" policyid=2365 policytype="policy" poluuid="654644c-b064-fdgdf3425-f003-1234ghdf682e05f" policyname="someoldpolicyname" user="elasticuser" group="testgroup" authserver="FSSO_something" service="HTTPS" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=23.23.23.23 transport=603 appid=43540 app="Skype.Portals" appcat="Collaboration" apprisk="elevated" applist="someapplist" appact="detected" duration=126 sentbyte=923 rcvdbyte=77654 sentpkt=113 rcvdpkt=70 vwlid=4 vwlquality="Seq_num(3), alive, selected" wanin=1130 wanout=6671 lanin=1406 lanout=146506 utmaction="block" countweb=1 countapp=1 crscore=5 craction=6144 crlevel="low" \ No newline at end of file +<189>date=2020-04-23 time=12:14:28 devname="firewall3" devid="oldfwid" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1587230069291463928 tz="-0500" srcip=192.168.50.50 srcport=56603 srcintf="port1" srcintfrole="lan" dstip=8.8.8.8 dstport=442 dstintf="wan1" dstintfrole="wan" sessionid=2345 proto=6 action="close" policyid=2365 policytype="policy" poluuid="654644c-b064-fdgdf3425-f003-1234ghdf682e05f" policyname="someoldpolicyname" user="elasticuser" group="testgroup" authserver="FSSO_something" service="HTTPS" dstcountry="Netherlands" srccountry="Reserved" trandisp="snat" transip=23.23.23.23 transport=603 appid=43540 app="Skype.Portals" appcat="Collaboration" apprisk="elevated" applist="someapplist" appact="detected" duration=126 sentbyte=923 rcvdbyte=77654 sentpkt=113 rcvdpkt=70 vwlid=4 vwlquality="Seq_num(3), alive, selected" wanin=1130 wanout=6671 lanin=1406 lanout=146506 utmaction="block" countweb=1 countapp=1 crscore=5 craction=6144 crlevel="low" +<190>date=2019-05-15 time=18:03:36 logid="1059028704" type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" level="information" vd="root" eventtime=1557968615 appid=40568 srcip=10.1.100.22 dstip=195.8.215.136 srcport=50798 dstport=443 srcintf="port10" srcintfrole="lan" dstintf="port9" dstintfrole="wan" proto=6 service="HTTPS" direction="outgoing" policyid=1 sessionid=4414 applist="block-social.media" appcat="Web.Client" app="HTTPS.BROWSER" action="pass" hostname="www.dailymotion.com" incidentserialno=1962906680 url="/" msg="Web.Client: HTTPS.BROWSER," apprisk="medium" scertcname="*.dailymotion.com" scertissuer="DigiCert SHA2 High Assurance Server CA" diff --git a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json index 355c77d03be..367d81f9868 100644 --- a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json +++ b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json @@ -95,8 +95,7 @@ "event.kind": "event", "event.module": "fortinet", "event.outcome": "success", - "event.start": "1970-01-19T10:29:21.368Z", - "event.timezone": "-02:00", + "event.start": "2020-06-24T01:16:08.000Z", "event.type": [ "connection", "end" @@ -290,7 +289,7 @@ "fortinet-firewall", "forwarded" ], - "tls.client.server_name": "test.elastic.co", + "tls.server.x509.subject.common_name": "test.elastic.co", "url.domain": "elastic.co", "url.path": "/" }, @@ -313,7 +312,7 @@ "event.kind": "event", "event.module": "fortinet", "event.outcome": "success", - "event.start": "1970-01-19T06:09:48.391-04:00", + "event.start": "2020-06-10T07:26:31.000-04:00", "event.timezone": "-0400", "event.type": [ "allowed" @@ -364,7 +363,7 @@ "fortinet-firewall", "forwarded" ], - "tls.client.server_name": "test.elastic.co", + "tls.server.x509.subject.common_name": "test.elastic.co", "url.domain": "elastic.co", "url.path": "/" }, @@ -974,7 +973,7 @@ "fortinet.firewall.disklograte": "0", "fortinet.firewall.fazlograte": "0", "fortinet.firewall.freediskstorage": "331", - "fortinet.firewall.mem": "10", + "fortinet.firewall.mem": 10, "fortinet.firewall.setuprate": "0", "fortinet.firewall.subtype": "system", "fortinet.firewall.sysuptime": "25170", @@ -1765,5 +1764,180 @@ "fortinet-firewall", "forwarded" ] + }, + { + "@timestamp": "2020-04-23T12:14:28.000-05:00", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 77654, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 70, + "destination.port": 442, + "event.action": "close", + "event.category": [ + "network" + ], + "event.code": "0000000013", + "event.dataset": "fortinet.firewall", + "event.duration": 126000000000, + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2020-04-18T12:14:29.291-05:00", + "event.timezone": "-0500", + "event.type": [ + "connection", + "end", + "protocol", + "denied" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "close", + "fortinet.firewall.appact": "detected", + "fortinet.firewall.appid": "43540", + "fortinet.firewall.applist": "someapplist", + "fortinet.firewall.apprisk": "elevated", + "fortinet.firewall.authserver": "FSSO_something", + "fortinet.firewall.countapp": "1", + "fortinet.firewall.countweb": "1", + "fortinet.firewall.craction": "6144", + "fortinet.firewall.crlevel": "low", + "fortinet.firewall.crscore": "5", + "fortinet.firewall.dstcountry": "Netherlands", + "fortinet.firewall.dstintfrole": "wan", + "fortinet.firewall.lanin": "1406", + "fortinet.firewall.lanout": "146506", + "fortinet.firewall.sessionid": "2345", + "fortinet.firewall.srccountry": "Reserved", + "fortinet.firewall.srcintfrole": "lan", + "fortinet.firewall.subtype": "forward", + "fortinet.firewall.trandisp": "snat", + "fortinet.firewall.type": "traffic", + "fortinet.firewall.utmaction": "block", + "fortinet.firewall.vd": "root", + "fortinet.firewall.vwlid": "4", + "fortinet.firewall.vwlquality": "Seq_num(3), alive, selected", + "fortinet.firewall.wanin": "1130", + "fortinet.firewall.wanout": "6671", + "input.type": "log", + "log.level": "notice", + "log.offset": 15459, + "network.application": "Skype.Portals", + "network.bytes": 78577, + "network.iana_number": "6", + "network.packets": 183, + "network.protocol": "https", + "observer.egress.interface.name": "wan1", + "observer.ingress.interface.name": "port1", + "observer.name": "firewall3", + "observer.product": "Fortigate", + "observer.serial_number": "oldfwid", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "192.168.50.50", + "8.8.8.8" + ], + "related.user": [ + "elasticuser" + ], + "rule.category": "Collaboration", + "rule.id": "2365", + "rule.name": "someoldpolicyname", + "rule.ruleset": "policy", + "rule.uuid": "654644c-b064-fdgdf3425-f003-1234ghdf682e05f", + "service.type": "fortinet", + "source.as.number": 14618, + "source.as.organization.name": "Amazon.com, Inc.", + "source.bytes": 923, + "source.geo.city_name": "Ashburn", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 39.0481, + "source.geo.location.lon": -77.4728, + "source.geo.region_iso_code": "US-VA", + "source.geo.region_name": "Virginia", + "source.ip": "192.168.50.50", + "source.nat.ip": "23.23.23.23", + "source.nat.port": 603, + "source.packets": 113, + "source.port": 56603, + "source.user.group.name": "testgroup", + "source.user.name": "elasticuser", + "tags": [ + "fortinet-firewall", + "forwarded" + ] + }, + { + "@timestamp": "2019-05-15T18:03:36.000Z", + "destination.as.number": 41690, + "destination.as.organization.name": "Dailymotion S.A.", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "FR", + "destination.geo.location.lat": 48.8582, + "destination.geo.location.lon": 2.3387, + "destination.ip": "195.8.215.136", + "destination.port": 443, + "event.action": "app-ctrl-all", + "event.category": [ + "network" + ], + "event.code": "1059028704", + "event.dataset": "fortinet.firewall", + "event.kind": "event", + "event.module": "fortinet", + "event.outcome": "success", + "event.start": "2019-05-16T01:03:35.000Z", + "event.type": [ + "allowed" + ], + "fileset.name": "firewall", + "fortinet.firewall.action": "pass", + "fortinet.firewall.appid": "40568", + "fortinet.firewall.apprisk": "medium", + "fortinet.firewall.dstintfrole": "wan", + "fortinet.firewall.incidentserialno": "1962906680", + "fortinet.firewall.sessionid": "4414", + "fortinet.firewall.srcintfrole": "lan", + "fortinet.firewall.subtype": "app-ctrl", + "fortinet.firewall.type": "utm", + "fortinet.firewall.vd": "root", + "input.type": "log", + "log.level": "information", + "log.offset": 16463, + "message": "Web.Client: HTTPS.BROWSER,", + "network.application": "HTTPS.BROWSER", + "network.direction": "outgoing", + "network.iana_number": "6", + "network.protocol": "https", + "observer.egress.interface.name": "port9", + "observer.ingress.interface.name": "port10", + "observer.product": "Fortigate", + "observer.type": "firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.1.100.22", + "195.8.215.136" + ], + "rule.category": "Web-Client", + "rule.id": "1", + "rule.ruleset": "block-social.media", + "service.type": "fortinet", + "source.ip": "10.1.100.22", + "source.port": 50798, + "tags": [ + "fortinet-firewall", + "forwarded" + ], + "tls.server.issuer": "DigiCert SHA2 High Assurance Server CA", + "tls.server.x509.issuer.common_name": "DigiCert SHA2 High Assurance Server CA", + "tls.server.x509.subject.common_name": "*.dailymotion.com", + "url.domain": "www.dailymotion.com", + "url.path": "/" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/fortinet/fortimail/_meta/fields.yml b/x-pack/filebeat/module/fortinet/fortimail/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/fortinet/fortimail/_meta/fields.yml @@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. + - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. + - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num + overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. + - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. + - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. + - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. + - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/fortinet/fortimail/config/input.yml b/x-pack/filebeat/module/fortinet/fortimail/config/input.yml new file mode 100644 index 00000000000..ccee80408a8 --- /dev/null +++ b/x-pack/filebeat/module/fortinet/fortimail/config/input.yml @@ -0,0 +1,45 @@ +{{ if eq .input "file" }} + +type: log +paths: + {{ range $i, $path := .paths }} +- {{$path}} + {{ end }} +exclude_files: [".gz$"] + +{{ else }} + +type: {{.input}} +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +fields_under_root: true +fields: + observer: + vendor: "Fortinet" + product: "FortiMail" + type: "Firewall" + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{.rsa_fields}} + tz_offset: {{.tz_offset}} + keep_raw: {{.keep_raw_fields}} + debug: {{.debug}} + files: + - ${path.home}/module/fortinet/fortimail/config/liblogparser.js + - ${path.home}/module/fortinet/fortimail/config/pipeline.js +{{ if .community_id }} +- community_id: ~ +{{ end }} +- add_fields: + target: '' + fields: + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/fortinet/fortimail/config/liblogparser.js b/x-pack/filebeat/module/fortinet/fortimail/config/liblogparser.js new file mode 100644 index 00000000000..6cdb48abb26 --- /dev/null +++ b/x-pack/filebeat/module/fortinet/fortimail/config/liblogparser.js @@ -0,0 +1,2510 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; +} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], +}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. +function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). +var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} client_name=\"%{p0}"); + +var dup42 = // "Pattern{Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant('] ('), Field(info,false), Constant(')"'), Field(p0,false)}" +match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); + +var dup43 = // "Pattern{Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant(']"'), Field(p0,false)}" +match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); + +var dup44 = // "Pattern{Field(saddr,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); + +var dup45 = // "Pattern{Constant('"'), Field(context,false), Constant('" to='), Field(p0,false)}" +match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); + +var dup46 = // "Pattern{Field(context,true), Constant(' to='), Field(p0,false)}" +match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); + +var dup47 = // "Pattern{Constant('"'), Field(to,false), Constant('" direction='), Field(p0,false)}" +match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); + +var dup48 = // "Pattern{Field(to,true), Constant(' direction='), Field(p0,false)}" +match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); + +var dup49 = // "Pattern{Constant('"'), Field(direction,false), Constant('" message_length='), Field(p0,false)}" +match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); + +var dup50 = // "Pattern{Field(direction,true), Constant(' message_length='), Field(p0,false)}" +match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); + +var dup51 = // "Pattern{Field(fld4,true), Constant(' virus='), Field(p0,false)}" +match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); + +var dup52 = // "Pattern{Constant('"'), Field(virusname,false), Constant('" disposition='), Field(p0,false)}" +match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); + +var dup53 = // "Pattern{Field(virusname,true), Constant(' disposition='), Field(p0,false)}" +match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); + +var dup54 = // "Pattern{Constant('"'), Field(disposition,false), Constant('" classifier='), Field(p0,false)}" +match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); + +var dup55 = // "Pattern{Field(disposition,true), Constant(' classifier='), Field(p0,false)}" +match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); + +var dup56 = // "Pattern{Constant('"'), Field(filter,false), Constant('" subject='), Field(p0,false)}" +match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); + +var dup57 = // "Pattern{Field(filter,true), Constant(' subject='), Field(p0,false)}" +match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); + +var dup58 = // "Pattern{Constant('"'), Field(subject,false), Constant('"')}" +match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); + +var dup59 = // "Pattern{Field(subject,false)}" +match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); + +var dup60 = setc("eventcategory","1207000000"); + +var dup61 = // "Pattern{Field(,false), Constant('resolved='), Field(p0,false)}" +match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); + +var dup62 = setc("eventcategory","1207040000"); + +var dup63 = linear_select([ + dup3, + dup4, +]); + +var dup64 = linear_select([ + dup5, + dup6, +]); + +var dup65 = linear_select([ + dup19, + dup20, +]); + +var dup66 = linear_select([ + dup22, + dup23, +]); + +var dup67 = linear_select([ + dup3, + dup20, +]); + +var dup68 = linear_select([ + dup24, + dup25, +]); + +var dup69 = linear_select([ + dup27, + dup28, +]); + +var dup70 = linear_select([ + dup29, + dup30, +]); + +var dup71 = linear_select([ + dup36, + dup37, +]); + +var dup72 = linear_select([ + dup38, + dup39, +]); + +var dup73 = linear_select([ + dup40, + dup41, +]); + +var dup74 = linear_select([ + dup42, + dup43, + dup44, +]); + +var dup75 = linear_select([ + dup45, + dup46, +]); + +var dup76 = linear_select([ + dup47, + dup48, +]); + +var dup77 = linear_select([ + dup49, + dup50, +]); + +var dup78 = linear_select([ + dup52, + dup53, +]); + +var dup79 = linear_select([ + dup54, + dup55, +]); + +var dup80 = linear_select([ + dup56, + dup57, +]); + +var dup81 = linear_select([ + dup58, + dup59, +]); + +var dup82 = all_match({ + processors: [ + dup2, + dup63, + dup16, + dup64, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), +}); + +var hdr1 = // "Pattern{Constant('date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' device_id='), Field(hfld1,true), Constant(' log_id='), Field(hfld2,true), Constant(' log_part='), Field(hfld3,true), Constant(' type='), Field(msgIdPart1,true), Constant(' subtype='), Field(msgIdPart2,true), Constant(' pri='), Field(hseverity,true), Constant(' '), Field(payload,false)}" +match("HEADER#0:0001", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0001"), + dup1, +])); + +var hdr2 = // "Pattern{Constant('date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' device_id='), Field(hfld1,true), Constant(' log_id='), Field(hfld2,true), Constant(' log_part='), Field(hfld3,true), Constant(' type='), Field(messageid,true), Constant(' pri='), Field(hseverity,true), Constant(' '), Field(payload,false)}" +match("HEADER#1:0002", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} log_part=%{hfld3->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0002"), +])); + +var hdr3 = // "Pattern{Constant('date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' device_id='), Field(hfld1,true), Constant(' log_id='), Field(hfld2,true), Constant(' type='), Field(msgIdPart1,true), Constant(' subtype='), Field(msgIdPart2,true), Constant(' pri='), Field(hseverity,true), Constant(' '), Field(payload,false)}" +match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{msgIdPart1->} subtype=%{msgIdPart2->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, +])); + +var hdr4 = // "Pattern{Constant('date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' device_id='), Field(hfld1,true), Constant(' log_id='), Field(hfld2,true), Constant(' type='), Field(messageid,true), Constant(' pri='), Field(hseverity,true), Constant(' '), Field(payload,false)}" +match("HEADER#3:0004", "message", "date=%{hdate->} time=%{htime->} device_id=%{hfld1->} log_id=%{hfld2->} type=%{messageid->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0004"), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, +]); + +var part1 = // "Pattern{Field(action,true), Constant(' status='), Field(event_state,true), Constant(' reason='), Field(result,true), Constant(' msg='), Field(p0,false)}" +match("MESSAGE#0:event_admin/2", "nwparser.p0", "%{action->} status=%{event_state->} reason=%{result->} msg=%{p0}"); + +var all1 = all_match({ + processors: [ + dup2, + dup63, + part1, + dup64, + ], + on_success: processor_chain([ + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), +}); + +var msg1 = msg("event_admin", all1); + +var msg2 = msg("event_pop3", dup82); + +var all2 = all_match({ + processors: [ + dup2, + dup63, + dup16, + dup64, + ], + on_success: processor_chain([ + dup7, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), +}); + +var msg3 = msg("event_webmail", all2); + +var msg4 = msg("event_system", dup82); + +var msg5 = msg("event_imap", dup82); + +var part2 = // "Pattern{Field(fld1,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#5:event_smtp:01/4", "nwparser.p0", "%{fld1}, relay=%{p0}"); + +var part3 = // "Pattern{Field(shost,false), Constant('['), Field(saddr,false), Constant('], version='), Field(p0,false)}" +match("MESSAGE#5:event_smtp:01/5_0", "nwparser.p0", "%{shost}[%{saddr}], version=%{p0}"); + +var part4 = // "Pattern{Field(shost,false), Constant(', version='), Field(p0,false)}" +match("MESSAGE#5:event_smtp:01/5_1", "nwparser.p0", "%{shost}, version=%{p0}"); + +var select2 = linear_select([ + part3, + part4, +]); + +var part5 = // "Pattern{Field(version,false), Constant(', verify='), Field(fld2,false), Constant(', cipher='), Field(s_cipher,false), Constant(', bits='), Field(fld3,false), Constant('"')}" +match("MESSAGE#5:event_smtp:01/6", "nwparser.p0", "%{version}, verify=%{fld2}, cipher=%{s_cipher}, bits=%{fld3}\""); + +var all3 = all_match({ + processors: [ + dup18, + dup65, + dup21, + dup66, + part2, + select2, + part5, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), +}); + +var msg6 = msg("event_smtp:01", all3); + +var part6 = // "Pattern{Field(fld1,false), Constant(', cert-subject='), Field(cert_subject,false), Constant(', cert-issuer='), Field(fld2,false), Constant(', verifymsg='), Field(fld3,false), Constant('"')}" +match("MESSAGE#6:event_smtp:02/4", "nwparser.p0", "%{fld1}, cert-subject=%{cert_subject}, cert-issuer=%{fld2}, verifymsg=%{fld3}\""); + +var all4 = all_match({ + processors: [ + dup18, + dup65, + dup21, + dup66, + part6, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), +}); + +var msg7 = msg("event_smtp:02", all4); + +var part7 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="to=<<'), Field(to,false), Constant('>, delay='), Field(fld1,false), Constant(', xdelay='), Field(fld2,false), Constant(', mailer='), Field(protocol,false), Constant(', pri='), Field(fld3,false), Constant(', relay='), Field(shost,false), Constant('['), Field(saddr,false), Constant('], dsn='), Field(fld4,false), Constant(', stat='), Field(fld5,false), Constant('"')}" +match("MESSAGE#7:event_smtp:03/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"to=\u003c\u003c%{to}>, delay=%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}[%{saddr}], dsn=%{fld4}, stat=%{fld5}\""); + +var all5 = all_match({ + processors: [ + dup18, + dup65, + part7, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), +}); + +var msg8 = msg("event_smtp:03", all5); + +var part8 = // "Pattern{Constant('user='), Field(username,false), Constant('ui='), Field(network_service,false), Constant('action='), Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="from=<<'), Field(from,false), Constant('>, size='), Field(bytes,false), Constant(', class='), Field(fld2,false), Constant(', nrcpts='), Field(p0,false)}" +match("MESSAGE#8:event_smtp:04/0", "nwparser.payload", "user=%{username}ui=%{network_service}action=%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"from=\u003c\u003c%{from}>, size=%{bytes}, class=%{fld2}, nrcpts=%{p0}"); + +var part9 = // "Pattern{Field(fld3,false), Constant(', msgid=<<'), Field(fld4,false), Constant('>, proto='), Field(p0,false)}" +match("MESSAGE#8:event_smtp:04/1_0", "nwparser.p0", "%{fld3}, msgid=\u003c\u003c%{fld4}>, proto=%{p0}"); + +var part10 = // "Pattern{Field(fld3,false), Constant(', proto='), Field(p0,false)}" +match("MESSAGE#8:event_smtp:04/1_1", "nwparser.p0", "%{fld3}, proto=%{p0}"); + +var select3 = linear_select([ + part9, + part10, +]); + +var part11 = // "Pattern{Field(protocol,false), Constant(', daemon='), Field(process,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#8:event_smtp:04/2", "nwparser.p0", "%{protocol}, daemon=%{process}, relay=%{p0}"); + +var part12 = // "Pattern{Field(shost,false), Constant('['), Field(saddr,false), Constant('] (may be forged)"')}" +match("MESSAGE#8:event_smtp:04/3_0", "nwparser.p0", "%{shost}[%{saddr}] (may be forged)\""); + +var part13 = // "Pattern{Field(shost,false), Constant('['), Field(saddr,false), Constant(']"')}" +match("MESSAGE#8:event_smtp:04/3_1", "nwparser.p0", "%{shost}[%{saddr}]\""); + +var part14 = // "Pattern{Field(shost,false), Constant('"')}" +match("MESSAGE#8:event_smtp:04/3_2", "nwparser.p0", "%{shost}\""); + +var select4 = linear_select([ + part12, + part13, + part14, +]); + +var all6 = all_match({ + processors: [ + part8, + select3, + part11, + select4, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), +}); + +var msg9 = msg("event_smtp:04", all6); + +var part15 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="Milter: to=<<'), Field(to,false), Constant('>, reject='), Field(fld1,false), Constant('"')}" +match("MESSAGE#9:event_smtp:05/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"Milter: to=\u003c\u003c%{to}>, reject=%{fld1}\""); + +var all7 = all_match({ + processors: [ + dup18, + dup67, + part15, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), +}); + +var msg10 = msg("event_smtp:05", all7); + +var part16 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="timeout waiting for input from'), Field(p0,false)}" +match("MESSAGE#10:event_smtp:06/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"timeout waiting for input from%{p0}"); + +var part17 = // "Pattern{Constant('['), Field(saddr,false), Constant(']during server cmd'), Field(p0,false)}" +match("MESSAGE#10:event_smtp:06/3_0", "nwparser.p0", "[%{saddr}]during server cmd%{p0}"); + +var part18 = // "Pattern{Field(saddr,false), Constant('during server cmd'), Field(p0,false)}" +match("MESSAGE#10:event_smtp:06/3_1", "nwparser.p0", "%{saddr}during server cmd%{p0}"); + +var select5 = linear_select([ + part17, + part18, +]); + +var part19 = // "Pattern{Field(fld5,false), Constant('"')}" +match("MESSAGE#10:event_smtp:06/4", "nwparser.p0", "%{fld5}\""); + +var all8 = all_match({ + processors: [ + dup18, + dup65, + part16, + select5, + part19, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), +}); + +var msg11 = msg("event_smtp:06", all8); + +var part20 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="collect:'), Field(fld1,false), Constant('timeout on connection from'), Field(shost,false), Constant(', from=<<'), Field(from,false), Constant('>"')}" +match("MESSAGE#11:event_smtp:07/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"collect:%{fld1}timeout on connection from%{shost}, from=\u003c\u003c%{from}>\""); + +var all9 = all_match({ + processors: [ + dup18, + dup67, + part20, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), +}); + +var msg12 = msg("event_smtp:07", all9); + +var part21 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="DSN: to <<'), Field(to,false), Constant('>; reason:'), Field(result,false), Constant('; sessionid:'), Field(fld5,false), Constant('"')}" +match("MESSAGE#12:event_smtp:08/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"DSN: to \u003c\u003c%{to}>; reason:%{result}; sessionid:%{fld5}\""); + +var all10 = all_match({ + processors: [ + dup18, + dup67, + part21, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), +}); + +var msg13 = msg("event_smtp:08", all10); + +var part22 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="lost input channel from'), Field(shost,false), Constant('['), Field(saddr,false), Constant('] (may be forged) to SMTP_MTA after rcpt"')}" +match("MESSAGE#13:event_smtp:09/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"lost input channel from%{shost}[%{saddr}] (may be forged) to SMTP_MTA after rcpt\""); + +var all11 = all_match({ + processors: [ + dup18, + dup65, + part22, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), +}); + +var msg14 = msg("event_smtp:09", all11); + +var part23 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" msg="'), Field(shost,false), Constant('['), Field(saddr,false), Constant(']: possible SMTP attack: command='), Field(fld1,false), Constant(', count='), Field(dclass_counter1,false), Constant('"')}" +match("MESSAGE#14:event_smtp:10/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" msg=\"%{shost}[%{saddr}]: possible SMTP attack: command=%{fld1}, count=%{dclass_counter1}\""); + +var all12 = all_match({ + processors: [ + dup18, + dup65, + part23, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + setc("dclass_counter1_string","count"), + ]), +}); + +var msg15 = msg("event_smtp:10", all12); + +var part24 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id="'), Field(sessionid,false), Constant('" log_part='), Field(id1,true), Constant(' msg="to=<<'), Field(to,false), Constant(', delay='), Field(p0,false)}" +match("MESSAGE#15:event_smtp:11/2", "nwparser.p0", "%{action}status=%{event_state}session_id=\"%{sessionid}\" log_part=%{id1->} msg=\"to=\u003c\u003c%{to}, delay=%{p0}"); + +var part25 = // "Pattern{Field(fld1,false), Constant(', xdelay='), Field(fld2,false), Constant(', mailer='), Field(protocol,false), Constant(', pri='), Field(fld3,false), Constant(', relay='), Field(shost,false), Constant('"')}" +match("MESSAGE#15:event_smtp:11/3_0", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}, relay=%{shost}\""); + +var part26 = // "Pattern{Field(fld1,false), Constant(', xdelay='), Field(fld2,false), Constant(', mailer='), Field(protocol,false), Constant(', pri='), Field(fld3,false), Constant('"')}" +match("MESSAGE#15:event_smtp:11/3_1", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}, pri=%{fld3}\""); + +var part27 = // "Pattern{Field(fld1,false), Constant(', xdelay='), Field(fld2,false), Constant(', mailer='), Field(protocol,false), Constant('"')}" +match("MESSAGE#15:event_smtp:11/3_2", "nwparser.p0", "%{fld1}, xdelay=%{fld2}, mailer=%{protocol}\""); + +var part28 = // "Pattern{Field(fld1,false), Constant('"')}" +match("MESSAGE#15:event_smtp:11/3_3", "nwparser.p0", "%{fld1}\""); + +var select6 = linear_select([ + part25, + part26, + part27, + part28, +]); + +var all13 = all_match({ + processors: [ + dup18, + dup65, + part24, + select6, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), +}); + +var msg16 = msg("event_smtp:11", all13); + +var part29 = // "Pattern{Field(action,true), Constant(' status='), Field(event_state,true), Constant(' session_id='), Field(p0,false)}" +match("MESSAGE#16:event_smtp/2", "nwparser.p0", "%{action->} status=%{event_state->} session_id=%{p0}"); + +var all14 = all_match({ + processors: [ + dup2, + dup63, + part29, + dup68, + dup64, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), +}); + +var msg17 = msg("event_smtp", all14); + +var part30 = tagval("MESSAGE#17:event_smtp:12", "nwparser.payload", tvm, { + "action": "action", + "log_part": "id1", + "msg": "info", + "session_id": "sessionid", + "status": "event_state", + "ui": "network_service", + "user": "username", +}, processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, +])); + +var msg18 = msg("event_smtp:12", part30); + +var select7 = linear_select([ + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, +]); + +var part31 = // "Pattern{Constant('msg='), Field(p0,false)}" +match("MESSAGE#18:event_update/0", "nwparser.payload", "msg=%{p0}"); + +var all15 = all_match({ + processors: [ + part31, + dup64, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), +}); + +var msg19 = msg("event_update", all15); + +var part32 = // "Pattern{Field(network_service,false), Constant('('), Field(saddr,false), Constant(') module='), Field(p0,false)}" +match("MESSAGE#19:event_config/1_0", "nwparser.p0", "%{network_service}(%{saddr}) module=%{p0}"); + +var part33 = // "Pattern{Field(network_service,true), Constant(' module='), Field(p0,false)}" +match("MESSAGE#19:event_config/1_1", "nwparser.p0", "%{network_service->} module=%{p0}"); + +var select8 = linear_select([ + part32, + part33, +]); + +var part34 = // "Pattern{Field(fld1,true), Constant(' submodule='), Field(fld2,true), Constant(' msg='), Field(p0,false)}" +match("MESSAGE#19:event_config/2", "nwparser.p0", "%{fld1->} submodule=%{fld2->} msg=%{p0}"); + +var all16 = all_match({ + processors: [ + dup2, + select8, + part34, + dup64, + ], + on_success: processor_chain([ + setc("eventcategory","1701000000"), + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), +}); + +var msg20 = msg("event_config", all16); + +var select9 = linear_select([ + dup31, + dup32, +]); + +var all17 = all_match({ + processors: [ + dup26, + dup69, + dup70, + select9, + dup68, + dup64, + ], + on_success: processor_chain([ + dup33, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), +}); + +var msg21 = msg("virus", all17); + +var part35 = // "Pattern{Constant('"'), Field(to,false), Constant('" client_name="'), Field(p0,false)}" +match("MESSAGE#21:virus_infected/2_0", "nwparser.p0", "\"%{to}\" client_name=\"%{p0}"); + +var part36 = // "Pattern{Field(to,true), Constant(' client_name="'), Field(p0,false)}" +match("MESSAGE#21:virus_infected/2_1", "nwparser.p0", "%{to->} client_name=\"%{p0}"); + +var select10 = linear_select([ + part35, + part36, +]); + +var part37 = // "Pattern{Field(fqdn,false), Constant('" client_ip="'), Field(saddr,false), Constant('" session_id='), Field(p0,false)}" +match("MESSAGE#21:virus_infected/3", "nwparser.p0", "%{fqdn}\" client_ip=\"%{saddr}\" session_id=%{p0}"); + +var all18 = all_match({ + processors: [ + dup26, + dup69, + select10, + part37, + dup68, + dup64, + ], + on_success: processor_chain([ + dup33, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup15, + ]), +}); + +var msg22 = msg("virus_infected", all18); + +var part38 = // "Pattern{Constant('from="'), Field(from,false), Constant('" to='), Field(p0,false)}" +match("MESSAGE#22:virus_file-signature/0_0", "nwparser.payload", "from=\"%{from}\" to=%{p0}"); + +var part39 = // "Pattern{Field(from,true), Constant(' to='), Field(p0,false)}" +match("MESSAGE#22:virus_file-signature/0_1", "nwparser.payload", "%{from->} to=%{p0}"); + +var select11 = linear_select([ + part38, + part39, +]); + +var part40 = // "Pattern{Constant('"'), Field(sdomain,true), Constant(' ['), Field(saddr,false), Constant(']" session_id='), Field(p0,false)}" +match("MESSAGE#22:virus_file-signature/2_0", "nwparser.p0", "\"%{sdomain->} [%{saddr}]\" session_id=%{p0}"); + +var part41 = // "Pattern{Field(sdomain,true), Constant(' ['), Field(saddr,false), Constant('] session_id='), Field(p0,false)}" +match("MESSAGE#22:virus_file-signature/2_1", "nwparser.p0", "%{sdomain->} [%{saddr}] session_id=%{p0}"); + +var part42 = // "Pattern{Constant('"['), Field(saddr,false), Constant(']" session_id='), Field(p0,false)}" +match("MESSAGE#22:virus_file-signature/2_2", "nwparser.p0", "\"[%{saddr}]\" session_id=%{p0}"); + +var part43 = // "Pattern{Constant('['), Field(saddr,false), Constant('] session_id='), Field(p0,false)}" +match("MESSAGE#22:virus_file-signature/2_3", "nwparser.p0", "[%{saddr}] session_id=%{p0}"); + +var select12 = linear_select([ + part40, + part41, + part42, + part43, + dup31, + dup32, +]); + +var part44 = // "Pattern{Constant('"Attachment file ('), Field(filename,false), Constant(') has sha1 hash value: '), Field(checksum,false), Constant('"')}" +match("MESSAGE#22:virus_file-signature/4_0", "nwparser.p0", "\"Attachment file (%{filename}) has sha1 hash value: %{checksum}\""); + +var select13 = linear_select([ + part44, + dup5, + dup6, +]); + +var all19 = all_match({ + processors: [ + select11, + dup70, + select12, + dup68, + select13, + ], + on_success: processor_chain([ + dup33, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), +}); + +var msg23 = msg("virus_file-signature", all19); + +var part45 = // "Pattern{Field(,false), Constant('MSISDN='), Field(fld3,true), Constant(' resolved='), Field(p0,false)}" +match("MESSAGE#23:statistics/5", "nwparser.p0", "%{}MSISDN=%{fld3->} resolved=%{p0}"); + +var all20 = all_match({ + processors: [ + dup35, + dup71, + dup72, + dup73, + dup74, + part45, + dup75, + dup76, + dup77, + dup51, + dup78, + dup79, + dup80, + dup81, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), +}); + +var msg24 = msg("statistics", all20); + +var all21 = all_match({ + processors: [ + dup35, + dup71, + dup72, + dup73, + dup74, + dup61, + dup75, + dup76, + dup77, + dup51, + dup78, + dup79, + dup80, + dup81, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), +}); + +var msg25 = msg("statistics:01", all21); + +var part46 = // "Pattern{Constant('"'), Field(direction,false), Constant('" subject='), Field(p0,false)}" +match("MESSAGE#25:statistics:02/4_0", "nwparser.p0", "\"%{direction}\" subject=%{p0}"); + +var part47 = // "Pattern{Field(direction,true), Constant(' subject='), Field(p0,false)}" +match("MESSAGE#25:statistics:02/4_1", "nwparser.p0", "%{direction->} subject=%{p0}"); + +var select14 = linear_select([ + part46, + part47, +]); + +var part48 = // "Pattern{Constant('"'), Field(subject,false), Constant('" classifier='), Field(p0,false)}" +match("MESSAGE#25:statistics:02/5_0", "nwparser.p0", "\"%{subject}\" classifier=%{p0}"); + +var part49 = // "Pattern{Field(subject,true), Constant(' classifier='), Field(p0,false)}" +match("MESSAGE#25:statistics:02/5_1", "nwparser.p0", "%{subject->} classifier=%{p0}"); + +var select15 = linear_select([ + part48, + part49, +]); + +var part50 = // "Pattern{Constant('"'), Field(filter,false), Constant('" disposition='), Field(p0,false)}" +match("MESSAGE#25:statistics:02/6_0", "nwparser.p0", "\"%{filter}\" disposition=%{p0}"); + +var part51 = // "Pattern{Field(filter,true), Constant(' disposition='), Field(p0,false)}" +match("MESSAGE#25:statistics:02/6_1", "nwparser.p0", "%{filter->} disposition=%{p0}"); + +var select16 = linear_select([ + part50, + part51, +]); + +var part52 = // "Pattern{Constant('"'), Field(disposition,false), Constant('" client_name="'), Field(p0,false)}" +match("MESSAGE#25:statistics:02/7_0", "nwparser.p0", "\"%{disposition}\" client_name=\"%{p0}"); + +var part53 = // "Pattern{Field(disposition,true), Constant(' client_name="'), Field(p0,false)}" +match("MESSAGE#25:statistics:02/7_1", "nwparser.p0", "%{disposition->} client_name=\"%{p0}"); + +var select17 = linear_select([ + part52, + part53, +]); + +var part54 = // "Pattern{Constant('"'), Field(context,false), Constant('" virus='), Field(p0,false)}" +match("MESSAGE#25:statistics:02/10_0", "nwparser.p0", "\"%{context}\" virus=%{p0}"); + +var part55 = // "Pattern{Field(context,true), Constant(' virus='), Field(p0,false)}" +match("MESSAGE#25:statistics:02/10_1", "nwparser.p0", "%{context->} virus=%{p0}"); + +var select18 = linear_select([ + part54, + part55, +]); + +var part56 = // "Pattern{Constant('"'), Field(virusname,false), Constant('" message_length='), Field(p0,false)}" +match("MESSAGE#25:statistics:02/11_0", "nwparser.p0", "\"%{virusname}\" message_length=%{p0}"); + +var part57 = // "Pattern{Field(virusname,true), Constant(' message_length='), Field(p0,false)}" +match("MESSAGE#25:statistics:02/11_1", "nwparser.p0", "%{virusname->} message_length=%{p0}"); + +var select19 = linear_select([ + part56, + part57, +]); + +var part58 = // "Pattern{Field(fld4,false)}" +match_copy("MESSAGE#25:statistics:02/12", "nwparser.p0", "fld4"); + +var all22 = all_match({ + processors: [ + dup35, + dup71, + dup69, + dup76, + select14, + select15, + select16, + select17, + dup74, + dup61, + select18, + select19, + part58, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), +}); + +var msg26 = msg("statistics:02", all22); + +var part59 = // "Pattern{Constant('session_id="'), Field(sessionid,false), Constant('" client_name="'), Field(p0,false)}" +match("MESSAGE#26:statistics:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{p0}"); + +var part60 = // "Pattern{Field(fqdn,false), Constant('['), Field(saddr,false), Constant('] (may be forged)"'), Field(p0,false)}" +match("MESSAGE#26:statistics:03/1_0", "nwparser.p0", "%{fqdn}[%{saddr}] (may be forged)\"%{p0}"); + +var part61 = // "Pattern{Field(fqdn,false), Constant('['), Field(saddr,false), Constant(']"'), Field(p0,false)}" +match("MESSAGE#26:statistics:03/1_1", "nwparser.p0", "%{fqdn}[%{saddr}]\"%{p0}"); + +var part62 = // "Pattern{Constant('['), Field(saddr,false), Constant(']"'), Field(p0,false)}" +match("MESSAGE#26:statistics:03/1_2", "nwparser.p0", "[%{saddr}]\"%{p0}"); + +var select20 = linear_select([ + part60, + part61, + part62, +]); + +var part63 = // "Pattern{Constant('dst_ip="'), Field(daddr,false), Constant('" from="'), Field(from,false), Constant('" to="'), Field(to,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#26:statistics:03/2", "nwparser.p0", "dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\"%{p0}"); + +var part64 = // "Pattern{Constant(' polid="'), Field(fld5,false), Constant('" domain="'), Field(domain,false), Constant('" subject="'), Field(subject,false), Constant('" mailer="'), Field(agent,false), Constant('" resolved="'), Field(context,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#26:statistics:03/3_0", "nwparser.p0", " polid=\"%{fld5}\" domain=\"%{domain}\" subject=\"%{subject}\" mailer=\"%{agent}\" resolved=\"%{context}\"%{p0}"); + +var part65 = // "Pattern{Field(p0,false)}" +match_copy("MESSAGE#26:statistics:03/3_1", "nwparser.p0", "p0"); + +var select21 = linear_select([ + part64, + part65, +]); + +var part66 = // "Pattern{Field(,false), Constant('direction="'), Field(direction,false), Constant('" virus="'), Field(virusname,false), Constant('" disposition="'), Field(disposition,false), Constant('" classifier="'), Field(filter,false), Constant('" message_length='), Field(fld4,false)}" +match("MESSAGE#26:statistics:03/4", "nwparser.p0", "%{}direction=\"%{direction}\" virus=\"%{virusname}\" disposition=\"%{disposition}\" classifier=\"%{filter}\" message_length=%{fld4}"); + +var all23 = all_match({ + processors: [ + part59, + select20, + part63, + select21, + part66, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), +}); + +var msg27 = msg("statistics:03", all23); + +var part67 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('" client_name='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=%{p0}"); + +var part68 = // "Pattern{Field(sessionid,true), Constant(' client_name='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/1_1", "nwparser.p0", "%{sessionid->} client_name=%{p0}"); + +var select22 = linear_select([ + part67, + part68, +]); + +var part69 = // "Pattern{Constant('"'), Field(fqdn,false), Constant('['), Field(saddr,false), Constant(']"dst_ip='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/2_0", "nwparser.p0", "\"%{fqdn}[%{saddr}]\"dst_ip=%{p0}"); + +var part70 = // "Pattern{Field(fqdn,false), Constant('['), Field(saddr,false), Constant(']dst_ip='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/2_1", "nwparser.p0", "%{fqdn}[%{saddr}]dst_ip=%{p0}"); + +var part71 = // "Pattern{Constant('"['), Field(saddr,false), Constant(']"dst_ip='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/2_2", "nwparser.p0", "\"[%{saddr}]\"dst_ip=%{p0}"); + +var part72 = // "Pattern{Constant('['), Field(saddr,false), Constant(']dst_ip='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/2_3", "nwparser.p0", "[%{saddr}]dst_ip=%{p0}"); + +var part73 = // "Pattern{Constant('"'), Field(saddr,false), Constant('"dst_ip='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/2_4", "nwparser.p0", "\"%{saddr}\"dst_ip=%{p0}"); + +var part74 = // "Pattern{Field(saddr,false), Constant('dst_ip='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/2_5", "nwparser.p0", "%{saddr}dst_ip=%{p0}"); + +var select23 = linear_select([ + part69, + part70, + part71, + part72, + part73, + part74, +]); + +var part75 = // "Pattern{Constant('"'), Field(daddr,false), Constant('" from='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/3_0", "nwparser.p0", "\"%{daddr}\" from=%{p0}"); + +var part76 = // "Pattern{Field(daddr,true), Constant(' from='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/3_1", "nwparser.p0", "%{daddr->} from=%{p0}"); + +var select24 = linear_select([ + part75, + part76, +]); + +var part77 = // "Pattern{Constant('"'), Field(from,false), Constant('" hfrom='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/4_0", "nwparser.p0", "\"%{from}\" hfrom=%{p0}"); + +var part78 = // "Pattern{Field(from,true), Constant(' hfrom='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/4_1", "nwparser.p0", "%{from->} hfrom=%{p0}"); + +var select25 = linear_select([ + part77, + part78, +]); + +var part79 = // "Pattern{Constant('"'), Field(fld3,false), Constant('" to='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/5_0", "nwparser.p0", "\"%{fld3}\" to=%{p0}"); + +var part80 = // "Pattern{Field(fld3,true), Constant(' to='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/5_1", "nwparser.p0", "%{fld3->} to=%{p0}"); + +var select26 = linear_select([ + part79, + part80, +]); + +var part81 = // "Pattern{Constant('"'), Field(to,false), Constant('" polid='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/6_0", "nwparser.p0", "\"%{to}\" polid=%{p0}"); + +var part82 = // "Pattern{Field(to,true), Constant(' polid='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/6_1", "nwparser.p0", "%{to->} polid=%{p0}"); + +var select27 = linear_select([ + part81, + part82, +]); + +var part83 = // "Pattern{Constant('"'), Field(fld5,false), Constant('" domain='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/7_0", "nwparser.p0", "\"%{fld5}\" domain=%{p0}"); + +var part84 = // "Pattern{Field(fld5,true), Constant(' domain='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/7_1", "nwparser.p0", "%{fld5->} domain=%{p0}"); + +var select28 = linear_select([ + part83, + part84, +]); + +var part85 = // "Pattern{Constant('"'), Field(domain,false), Constant('" subject='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/8_0", "nwparser.p0", "\"%{domain}\" subject=%{p0}"); + +var part86 = // "Pattern{Field(domain,true), Constant(' subject='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/8_1", "nwparser.p0", "%{domain->} subject=%{p0}"); + +var select29 = linear_select([ + part85, + part86, +]); + +var part87 = // "Pattern{Constant('"'), Field(subject,false), Constant('" mailer='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/9_0", "nwparser.p0", "\"%{subject}\" mailer=%{p0}"); + +var part88 = // "Pattern{Field(subject,true), Constant(' mailer='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/9_1", "nwparser.p0", "%{subject->} mailer=%{p0}"); + +var select30 = linear_select([ + part87, + part88, +]); + +var part89 = // "Pattern{Constant('"'), Field(agent,false), Constant('" resolved='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/10_0", "nwparser.p0", "\"%{agent}\" resolved=%{p0}"); + +var part90 = // "Pattern{Field(agent,true), Constant(' resolved='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/10_1", "nwparser.p0", "%{agent->} resolved=%{p0}"); + +var select31 = linear_select([ + part89, + part90, +]); + +var part91 = // "Pattern{Constant('"'), Field(context,false), Constant('" direction='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/11_0", "nwparser.p0", "\"%{context}\" direction=%{p0}"); + +var part92 = // "Pattern{Field(context,true), Constant(' direction='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/11_1", "nwparser.p0", "%{context->} direction=%{p0}"); + +var select32 = linear_select([ + part91, + part92, +]); + +var part93 = // "Pattern{Constant('"'), Field(direction,false), Constant('" virus='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/12_0", "nwparser.p0", "\"%{direction}\" virus=%{p0}"); + +var part94 = // "Pattern{Field(direction,true), Constant(' virus='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/12_1", "nwparser.p0", "%{direction->} virus=%{p0}"); + +var select33 = linear_select([ + part93, + part94, +]); + +var part95 = // "Pattern{Constant('"'), Field(filter,false), Constant('" message_length='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/15_0", "nwparser.p0", "\"%{filter}\" message_length=%{p0}"); + +var part96 = // "Pattern{Field(filter,true), Constant(' message_length='), Field(p0,false)}" +match("MESSAGE#27:statistics:04/15_1", "nwparser.p0", "%{filter->} message_length=%{p0}"); + +var select34 = linear_select([ + part95, + part96, +]); + +var part97 = // "Pattern{Constant('"'), Field(fld6,false), Constant('"')}" +match("MESSAGE#27:statistics:04/16_0", "nwparser.p0", "\"%{fld6}\""); + +var part98 = // "Pattern{Field(fld6,false)}" +match_copy("MESSAGE#27:statistics:04/16_1", "nwparser.p0", "fld6"); + +var select35 = linear_select([ + part97, + part98, +]); + +var all24 = all_match({ + processors: [ + dup35, + select22, + select23, + select24, + select25, + select26, + select27, + select28, + select29, + select30, + select31, + select32, + select33, + dup78, + dup79, + select34, + select35, + ], + on_success: processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), +}); + +var msg28 = msg("statistics:04", all24); + +var part99 = tagval("MESSAGE#28:statistics:05", "nwparser.payload", tvm, { + "classifier": "filter", + "client_ip": "saddr", + "client_name": "fqdn", + "direction": "direction", + "disposition": "disposition", + "domain": "domain", + "dst_ip": "daddr", + "from": "from", + "hfrom": "fld3", + "mailer": "agent", + "message_length": "fld6", + "polid": "fld5", + "resolved": "context", + "session_id": "sessionid", + "src_type": "fld7", + "subject": "subject", + "to": "to", + "virus": "virusname", +}, processor_chain([ + dup60, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, +])); + +var msg29 = msg("statistics:05", part99); + +var select36 = linear_select([ + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, +]); + +var part100 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('" client_name="'), Field(p0,false)}" +match("MESSAGE#29:spam/1_0", "nwparser.p0", "\"%{sessionid}\" client_name=\"%{p0}"); + +var part101 = // "Pattern{Field(sessionid,true), Constant(' client_name="'), Field(p0,false)}" +match("MESSAGE#29:spam/1_1", "nwparser.p0", "%{sessionid->} client_name=\"%{p0}"); + +var select37 = linear_select([ + part100, + part101, +]); + +var part102 = // "Pattern{Field(,false), Constant('from='), Field(p0,false)}" +match("MESSAGE#29:spam/3", "nwparser.p0", "%{}from=%{p0}"); + +var part103 = // "Pattern{Constant('"'), Field(to,false), Constant('" subject='), Field(p0,false)}" +match("MESSAGE#29:spam/5_0", "nwparser.p0", "\"%{to}\" subject=%{p0}"); + +var part104 = // "Pattern{Field(to,true), Constant(' subject='), Field(p0,false)}" +match("MESSAGE#29:spam/5_1", "nwparser.p0", "%{to->} subject=%{p0}"); + +var select38 = linear_select([ + part103, + part104, +]); + +var part105 = // "Pattern{Constant('"'), Field(subject,false), Constant('" msg='), Field(p0,false)}" +match("MESSAGE#29:spam/6_0", "nwparser.p0", "\"%{subject}\" msg=%{p0}"); + +var part106 = // "Pattern{Field(subject,true), Constant(' msg='), Field(p0,false)}" +match("MESSAGE#29:spam/6_1", "nwparser.p0", "%{subject->} msg=%{p0}"); + +var select39 = linear_select([ + part105, + part106, +]); + +var all25 = all_match({ + processors: [ + dup35, + select37, + dup74, + part102, + dup69, + select38, + select39, + dup64, + ], + on_success: processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), +}); + +var msg30 = msg("spam", all25); + +var part107 = // "Pattern{Constant('session_id="'), Field(sessionid,false), Constant('" client_name="'), Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant('] ('), Field(fld2,false), Constant(')" dst_ip="'), Field(daddr,false), Constant('" from="'), Field(from,false), Constant('" to="'), Field(to,false), Constant('" subject="'), Field(subject,false), Constant('" msg="'), Field(event_description,false), Constant('"')}" +match("MESSAGE#30:spam:04", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=\"%{fqdn->} [%{saddr}] (%{fld2})\" dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, +])); + +var msg31 = msg("spam:04", part107); + +var part108 = // "Pattern{Constant('session_id="'), Field(sessionid,false), Constant('" client_name='), Field(p0,false)}" +match("MESSAGE#31:spam:03/0", "nwparser.payload", "session_id=\"%{sessionid}\" client_name=%{p0}"); + +var part109 = // "Pattern{Constant('"'), Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant(']" '), Field(p0,false)}" +match("MESSAGE#31:spam:03/1_0", "nwparser.p0", "\"%{fqdn->} [%{saddr}]\" %{p0}"); + +var part110 = // "Pattern{Constant(' "'), Field(fqdn,false), Constant('" client_ip="'), Field(saddr,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#31:spam:03/1_1", "nwparser.p0", " \"%{fqdn}\" client_ip=\"%{saddr}\"%{p0}"); + +var select40 = linear_select([ + part109, + part110, +]); + +var part111 = // "Pattern{Field(,false), Constant('dst_ip="'), Field(daddr,false), Constant('" from="'), Field(from,false), Constant('" to="'), Field(to,false), Constant('" subject="'), Field(subject,false), Constant('" msg="'), Field(event_description,false), Constant('"')}" +match("MESSAGE#31:spam:03/2", "nwparser.p0", "%{}dst_ip=\"%{daddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\""); + +var all26 = all_match({ + processors: [ + part108, + select40, + part111, + ], + on_success: processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), +}); + +var msg32 = msg("spam:03", all26); + +var part112 = // "Pattern{Constant('session_id="'), Field(sessionid,false), Constant('" from="'), Field(from,false), Constant('" to="'), Field(to,false), Constant('" subject="'), Field(subject,false), Constant('" msg="'), Field(event_description,false), Constant('"')}" +match("MESSAGE#32:spam:02", "nwparser.payload", "session_id=\"%{sessionid}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" msg=\"%{event_description}\"", processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, +])); + +var msg33 = msg("spam:02", part112); + +var part113 = // "Pattern{Constant('"'), Field(to,false), Constant('" msg='), Field(p0,false)}" +match("MESSAGE#33:spam:01/3_0", "nwparser.p0", "\"%{to}\" msg=%{p0}"); + +var part114 = // "Pattern{Field(to,true), Constant(' msg='), Field(p0,false)}" +match("MESSAGE#33:spam:01/3_1", "nwparser.p0", "%{to->} msg=%{p0}"); + +var select41 = linear_select([ + part113, + part114, +]); + +var all27 = all_match({ + processors: [ + dup35, + dup71, + dup69, + select41, + dup64, + ], + on_success: processor_chain([ + dup62, + dup8, + dup9, + dup10, + dup11, + dup12, + dup34, + dup15, + ]), +}); + +var msg34 = msg("spam:01", all27); + +var select42 = linear_select([ + msg30, + msg31, + msg32, + msg33, + msg34, +]); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "event_admin": msg1, + "event_config": msg20, + "event_imap": msg5, + "event_pop3": msg2, + "event_smtp": select7, + "event_system": msg4, + "event_update": msg19, + "event_webmail": msg3, + "spam": select42, + "statistics": select36, + "virus": msg21, + "virus_file-signature": msg23, + "virus_infected": msg22, + }), +]); + +var part115 = // "Pattern{Constant('user='), Field(username,true), Constant(' ui='), Field(p0,false)}" +match("MESSAGE#0:event_admin/0", "nwparser.payload", "user=%{username->} ui=%{p0}"); + +var part116 = // "Pattern{Field(network_service,false), Constant('('), Field(saddr,false), Constant(') action='), Field(p0,false)}" +match("MESSAGE#0:event_admin/1_0", "nwparser.p0", "%{network_service}(%{saddr}) action=%{p0}"); + +var part117 = // "Pattern{Field(network_service,true), Constant(' action='), Field(p0,false)}" +match("MESSAGE#0:event_admin/1_1", "nwparser.p0", "%{network_service->} action=%{p0}"); + +var part118 = // "Pattern{Constant('"'), Field(event_description,false), Constant('"')}" +match("MESSAGE#0:event_admin/3_0", "nwparser.p0", "\"%{event_description}\""); + +var part119 = // "Pattern{Field(event_description,false)}" +match_copy("MESSAGE#0:event_admin/3_1", "nwparser.p0", "event_description"); + +var part120 = // "Pattern{Field(action,true), Constant(' status='), Field(event_state,true), Constant(' msg='), Field(p0,false)}" +match("MESSAGE#1:event_pop3/2", "nwparser.p0", "%{action->} status=%{event_state->} msg=%{p0}"); + +var part121 = // "Pattern{Constant('user='), Field(username,false), Constant('ui='), Field(p0,false)}" +match("MESSAGE#5:event_smtp:01/0", "nwparser.payload", "user=%{username}ui=%{p0}"); + +var part122 = // "Pattern{Field(network_service,false), Constant('('), Field(hostip,false), Constant(') action='), Field(p0,false)}" +match("MESSAGE#5:event_smtp:01/1_0", "nwparser.p0", "%{network_service}(%{hostip}) action=%{p0}"); + +var part123 = // "Pattern{Field(network_service,false), Constant('action='), Field(p0,false)}" +match("MESSAGE#5:event_smtp:01/1_1", "nwparser.p0", "%{network_service}action=%{p0}"); + +var part124 = // "Pattern{Field(action,false), Constant('status='), Field(event_state,false), Constant('session_id='), Field(p0,false)}" +match("MESSAGE#5:event_smtp:01/2", "nwparser.p0", "%{action}status=%{event_state}session_id=%{p0}"); + +var part125 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('"msg="STARTTLS='), Field(p0,false)}" +match("MESSAGE#5:event_smtp:01/3_0", "nwparser.p0", "\"%{sessionid}\"msg=\"STARTTLS=%{p0}"); + +var part126 = // "Pattern{Field(sessionid,false), Constant('msg="STARTTLS='), Field(p0,false)}" +match("MESSAGE#5:event_smtp:01/3_1", "nwparser.p0", "%{sessionid}msg=\"STARTTLS=%{p0}"); + +var part127 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('" msg='), Field(p0,false)}" +match("MESSAGE#16:event_smtp/3_0", "nwparser.p0", "\"%{sessionid}\" msg=%{p0}"); + +var part128 = // "Pattern{Field(sessionid,true), Constant(' msg='), Field(p0,false)}" +match("MESSAGE#16:event_smtp/3_1", "nwparser.p0", "%{sessionid->} msg=%{p0}"); + +var part129 = // "Pattern{Constant('from='), Field(p0,false)}" +match("MESSAGE#20:virus/0", "nwparser.payload", "from=%{p0}"); + +var part130 = // "Pattern{Constant('"'), Field(from,false), Constant('" to='), Field(p0,false)}" +match("MESSAGE#20:virus/1_0", "nwparser.p0", "\"%{from}\" to=%{p0}"); + +var part131 = // "Pattern{Field(from,true), Constant(' to='), Field(p0,false)}" +match("MESSAGE#20:virus/1_1", "nwparser.p0", "%{from->} to=%{p0}"); + +var part132 = // "Pattern{Constant('"'), Field(to,false), Constant('" src='), Field(p0,false)}" +match("MESSAGE#20:virus/2_0", "nwparser.p0", "\"%{to}\" src=%{p0}"); + +var part133 = // "Pattern{Field(to,true), Constant(' src='), Field(p0,false)}" +match("MESSAGE#20:virus/2_1", "nwparser.p0", "%{to->} src=%{p0}"); + +var part134 = // "Pattern{Constant('"'), Field(saddr,false), Constant('" session_id='), Field(p0,false)}" +match("MESSAGE#20:virus/3_0", "nwparser.p0", "\"%{saddr}\" session_id=%{p0}"); + +var part135 = // "Pattern{Field(saddr,true), Constant(' session_id='), Field(p0,false)}" +match("MESSAGE#20:virus/3_1", "nwparser.p0", "%{saddr->} session_id=%{p0}"); + +var part136 = // "Pattern{Constant('session_id='), Field(p0,false)}" +match("MESSAGE#23:statistics/0", "nwparser.payload", "session_id=%{p0}"); + +var part137 = // "Pattern{Constant('"'), Field(sessionid,false), Constant('" from='), Field(p0,false)}" +match("MESSAGE#23:statistics/1_0", "nwparser.p0", "\"%{sessionid}\" from=%{p0}"); + +var part138 = // "Pattern{Field(sessionid,true), Constant(' from='), Field(p0,false)}" +match("MESSAGE#23:statistics/1_1", "nwparser.p0", "%{sessionid->} from=%{p0}"); + +var part139 = // "Pattern{Constant('"'), Field(from,false), Constant('" mailer='), Field(p0,false)}" +match("MESSAGE#23:statistics/2_0", "nwparser.p0", "\"%{from}\" mailer=%{p0}"); + +var part140 = // "Pattern{Field(from,true), Constant(' mailer='), Field(p0,false)}" +match("MESSAGE#23:statistics/2_1", "nwparser.p0", "%{from->} mailer=%{p0}"); + +var part141 = // "Pattern{Constant('"'), Field(agent,false), Constant('" client_name="'), Field(p0,false)}" +match("MESSAGE#23:statistics/3_0", "nwparser.p0", "\"%{agent}\" client_name=\"%{p0}"); + +var part142 = // "Pattern{Field(agent,true), Constant(' client_name="'), Field(p0,false)}" +match("MESSAGE#23:statistics/3_1", "nwparser.p0", "%{agent->} client_name=\"%{p0}"); + +var part143 = // "Pattern{Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant('] ('), Field(info,false), Constant(')"'), Field(p0,false)}" +match("MESSAGE#23:statistics/4_0", "nwparser.p0", "%{fqdn->} [%{saddr}] (%{info})\"%{p0}"); + +var part144 = // "Pattern{Field(fqdn,true), Constant(' ['), Field(saddr,false), Constant(']"'), Field(p0,false)}" +match("MESSAGE#23:statistics/4_1", "nwparser.p0", "%{fqdn->} [%{saddr}]\"%{p0}"); + +var part145 = // "Pattern{Field(saddr,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#23:statistics/4_2", "nwparser.p0", "%{saddr}\"%{p0}"); + +var part146 = // "Pattern{Constant('"'), Field(context,false), Constant('" to='), Field(p0,false)}" +match("MESSAGE#23:statistics/6_0", "nwparser.p0", "\"%{context}\" to=%{p0}"); + +var part147 = // "Pattern{Field(context,true), Constant(' to='), Field(p0,false)}" +match("MESSAGE#23:statistics/6_1", "nwparser.p0", "%{context->} to=%{p0}"); + +var part148 = // "Pattern{Constant('"'), Field(to,false), Constant('" direction='), Field(p0,false)}" +match("MESSAGE#23:statistics/7_0", "nwparser.p0", "\"%{to}\" direction=%{p0}"); + +var part149 = // "Pattern{Field(to,true), Constant(' direction='), Field(p0,false)}" +match("MESSAGE#23:statistics/7_1", "nwparser.p0", "%{to->} direction=%{p0}"); + +var part150 = // "Pattern{Constant('"'), Field(direction,false), Constant('" message_length='), Field(p0,false)}" +match("MESSAGE#23:statistics/8_0", "nwparser.p0", "\"%{direction}\" message_length=%{p0}"); + +var part151 = // "Pattern{Field(direction,true), Constant(' message_length='), Field(p0,false)}" +match("MESSAGE#23:statistics/8_1", "nwparser.p0", "%{direction->} message_length=%{p0}"); + +var part152 = // "Pattern{Field(fld4,true), Constant(' virus='), Field(p0,false)}" +match("MESSAGE#23:statistics/9", "nwparser.p0", "%{fld4->} virus=%{p0}"); + +var part153 = // "Pattern{Constant('"'), Field(virusname,false), Constant('" disposition='), Field(p0,false)}" +match("MESSAGE#23:statistics/10_0", "nwparser.p0", "\"%{virusname}\" disposition=%{p0}"); + +var part154 = // "Pattern{Field(virusname,true), Constant(' disposition='), Field(p0,false)}" +match("MESSAGE#23:statistics/10_1", "nwparser.p0", "%{virusname->} disposition=%{p0}"); + +var part155 = // "Pattern{Constant('"'), Field(disposition,false), Constant('" classifier='), Field(p0,false)}" +match("MESSAGE#23:statistics/11_0", "nwparser.p0", "\"%{disposition}\" classifier=%{p0}"); + +var part156 = // "Pattern{Field(disposition,true), Constant(' classifier='), Field(p0,false)}" +match("MESSAGE#23:statistics/11_1", "nwparser.p0", "%{disposition->} classifier=%{p0}"); + +var part157 = // "Pattern{Constant('"'), Field(filter,false), Constant('" subject='), Field(p0,false)}" +match("MESSAGE#23:statistics/12_0", "nwparser.p0", "\"%{filter}\" subject=%{p0}"); + +var part158 = // "Pattern{Field(filter,true), Constant(' subject='), Field(p0,false)}" +match("MESSAGE#23:statistics/12_1", "nwparser.p0", "%{filter->} subject=%{p0}"); + +var part159 = // "Pattern{Constant('"'), Field(subject,false), Constant('"')}" +match("MESSAGE#23:statistics/13_0", "nwparser.p0", "\"%{subject}\""); + +var part160 = // "Pattern{Field(subject,false)}" +match_copy("MESSAGE#23:statistics/13_1", "nwparser.p0", "subject"); + +var part161 = // "Pattern{Field(,false), Constant('resolved='), Field(p0,false)}" +match("MESSAGE#24:statistics:01/5", "nwparser.p0", "%{}resolved=%{p0}"); + +var select43 = linear_select([ + dup3, + dup4, +]); + +var select44 = linear_select([ + dup5, + dup6, +]); + +var select45 = linear_select([ + dup19, + dup20, +]); + +var select46 = linear_select([ + dup22, + dup23, +]); + +var select47 = linear_select([ + dup3, + dup20, +]); + +var select48 = linear_select([ + dup24, + dup25, +]); + +var select49 = linear_select([ + dup27, + dup28, +]); + +var select50 = linear_select([ + dup29, + dup30, +]); + +var select51 = linear_select([ + dup36, + dup37, +]); + +var select52 = linear_select([ + dup38, + dup39, +]); + +var select53 = linear_select([ + dup40, + dup41, +]); + +var select54 = linear_select([ + dup42, + dup43, + dup44, +]); + +var select55 = linear_select([ + dup45, + dup46, +]); + +var select56 = linear_select([ + dup47, + dup48, +]); + +var select57 = linear_select([ + dup49, + dup50, +]); + +var select58 = linear_select([ + dup52, + dup53, +]); + +var select59 = linear_select([ + dup54, + dup55, +]); + +var select60 = linear_select([ + dup56, + dup57, +]); + +var select61 = linear_select([ + dup58, + dup59, +]); + +var all28 = all_match({ + processors: [ + dup2, + dup63, + dup16, + dup64, + ], + on_success: processor_chain([ + dup17, + dup8, + dup9, + dup10, + dup11, + dup12, + dup13, + dup14, + dup15, + ]), +}); diff --git a/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml new file mode 100644 index 00000000000..f142da3fcfb --- /dev/null +++ b/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml @@ -0,0 +1,64 @@ +--- +description: Pipeline for Fortinet FortiMail + +processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hosts + value: '{{server.domain}}' + allow_duplicates: false + if: ctx?.server?.domain != null && ctx.server?.domain != '' +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/fortinet/fortimail/manifest.yml b/x-pack/filebeat/module/fortinet/fortimail/manifest.yml new file mode 100644 index 00000000000..321a6ff308a --- /dev/null +++ b/x-pack/filebeat/module/fortinet/fortimail/manifest.yml @@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["fortinet.fortimail", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9529 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log new file mode 100644 index 00000000000..0e5a02242a5 --- /dev/null +++ b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log @@ -0,0 +1,100 @@ +date=2016-1-29 time=06:09:59 device_id=pexe log_id=nes log_part=eab type=event subtype=update pri=high msg="boNemoe" +date=2016-2-12 time=13:12:33 device_id=ehend log_id=ritquiin log_part=umqui type=virus subtype=infected pri=very-high from="mest" to=enderitq client_name="sperna884.internal.domain" client_ip="10.165.201.71" session_id="pisciv" msg="uii" +date=2016-2-26 time=20:15:08 device_id=doeiu log_id=nia log_part=olupt type=event subtype=config pri=low user=quipexe ui=alo(10.212.18.145) module=umdo submodule=itessequ msg=vol +date=2016-3-12 time=03:17:42 device_id=uipexea log_id=tatio log_part=minim type=event subtype=pop3 pri=high user=ceroinBC ui=ratvolup action=deny status=iatu msg="ionofde" +date=2016-3-26 time=10:20:16 device_id=itati log_id=mfu log_part=uid type=event subtype=pop3 pri=very-high user=obeataev ui=lor action=block status=autfu msg="natura" +date=2016-4-9 time=17:22:51 device_id=llamcorp log_id=ari log_part=eataevit type=event subtype=system pri=high user=iam ui=mqua action=allow status=olab msg=mquisnos +date=2016-4-24 time=00:25:25 device_id=enimad log_id=incididu log_part=eci type=virus pri=very-high from=tenbyCic to=boree src=10.98.69.43 session_id="iinea" msg=ipit +date=2016-5-8 time=07:27:59 device_id=taliqu log_id=temUten log_part=ccusan type=virus subtype=infected pri=low from="Ciceroi" to="aveniam" client_name="uradi7307.internal.corp" client_ip="10.118.96.139" session_id="sitas" msg=ehenderi +date=2016-5-22 time=14:30:33 device_id=smo log_id=litessec log_part=emporinc type=event subtype=pop3 pri=very-high user=ipsumq ui=atcu action=allow status=tessec msg="remipsum" +date=2016-6-5 time=21:33:08 device_id=ntutl log_id=caecatc log_part=onsequat type=event subtype=update pri=low msg="edquiano" +date=2016-6-20 time=04:35:42 device_id=idestla log_id=Nemoeni log_part=uradi type=statistics pri=very-high session_id="lup" from="remeumf" mailer=antiumto client_name="10.241.165.37" MSISDN=aUteni resolved=ittenbyC to="aperi" direction="inbound" message_length=ita virus="ipi" disposition=rsitamet classifier="lupt" subject="xea" +date=2016-7-4 time=11:38:16 device_id=amvolup log_id=sequi log_part=rehend type=event subtype=webmail pri=high user=eme ui=numqu(10.232.149.140) action=allow status=lum msg=utali +date=2016-7-18 time=18:40:50 device_id=estiae log_id=sci log_part=oei type=virus_file-signature pri=low snostrud to=nama src="10.24.67.250" session_id="dolor" msg="nnum" +date=2016-8-2 time=01:43:25 device_id=oluptas log_id=tNequepo log_part=lup type=event subtype=update pri=medium msg=equat +date=2016-8-16 time=08:45:59 device_id=abi log_id=sectetur log_part=uioffi type=event subtype=update pri=high msg=veniamq +date=2016-8-30 time=15:48:33 device_id=orem log_id=beata log_part=hitecto type=statistics pri=very-high session_id="texp" client_name="[10.179.124.125]"dst_ip="10.177.36.38" from="sequine" to="ectio" polid="dutper" domain="lamcolab3252.www.invalid" subject="gel" mailer="lorsitam" resolved="mpo" direction="inbound" virus="ris" disposition="uamqu" classifier="lor" message_length=oide +date=2016-9-13 time=22:51:07 device_id=didunt log_id=uptatema log_part=intocc type=virus subtype=file-signature pri=very-high from="orema" to=invento src=[10.164.39.248] session_id="nofdeFin" msg=sequam +date=2016-9-28 time=05:53:42 device_id=tvolu log_id=ecte log_part=tinvolu type=virus_file-signature pri=high from="ntiumdo" to="autfu" src=gnaaliq [10.52.135.156] session_id="litse" msg="icabo" +date=2016-10-12 time=12:56:16 device_id=stru log_id=tectobe log_part=Nequepo type=event subtype=config pri=very-high user=pora ui=boree module=evolup submodule=ionofdeF msg="evelit" +date=2016-10-26 time=19:58:50 device_id=uatD log_id=ariatu log_part=edquiac type=event subtype=smtp pri=high user=atno ui=tani action=allow status=ntocca session_id=ostru log_part=ntoccae msg=autf +date=2016-11-10 time=03:01:24 device_id=tenimad log_id=minimav log_part=udexerci type=spam pri=very-high session_id="itam" client_name="str976.internal.localhost [10.166.225.26]" from=tanimid to=umdo subject="natuse" msg="gnamal" +date=2016-11-24 time=10:03:59 device_id=intoc log_id=rQuisau log_part=itess type=virus subtype=infected pri=high from=evit to="runtm" client_name="molli4306.www5.home" client_ip="10.218.243.47" session_id="borios" msg=rsitvolu +date=2016-12-8 time=17:06:33 device_id=quamqua log_id=eacommod log_part=ctetura type=event subtype=imap pri=high user=tpersp ui=stla action=allow status=sequamni msg=uradi +date=2016-12-23 time=00:09:07 device_id=dolore log_id=onsecte log_part=nBCSedut type=virus subtype=file-signature pri=high from="modocons" to=gitsed src="10.16.177.212" session_id="emp" msg="Attachment file (pisciv) has sha1 hash value: lumdolor" +date=2017-1-6 time=07:11:41 device_id=uaUten log_id=nby log_part=mve type=event subtype=config pri=low user=isau ui=rautodi(10.96.97.81) module=pis submodule=nsequat msg=doloreme +date=2017-1-20 time=14:14:16 device_id=aec log_id=fdeF log_part=iquidexe type=spam pri=low session_id="niamq" client_name= "lapariat7287.internal.host" client_ip="10.140.7.83" dst_ip="10.68.246.187" from="icabo" to="gna" subject="con" msg="preh" +date=2017-2-3 time=21:16:50 device_id=amcor log_id=ica log_part=lillum type=event subtype=admin pri=very-high user=dicta ui=taedicta action=accept status=poriss reason=failure msg=equaturv +date=2017-2-18 time=04:19:24 device_id=tpersp log_id=llamc log_part=nte type=event subtype=pop3 pri=very-high user=utali ui=porinc(10.48.204.44) action=accept status=dat msg=aincidu +date=2017-3-4 time=11:21:59 device_id=dipisci log_id=spernatu log_part=admi type=event subtype=pop3 pri=very-high user=quunt ui=olori action=allow status=autodit msg=elit +date=2017-3-18 time=18:24:33 device_id=nte log_id=ulpa log_part=sitam type=virus subtype=file-signature pri=low enderit to=sequa src="[10.111.233.194]" session_id=eirure msg=deserun +date=2017-4-2 time=01:27:07 device_id=ptateve log_id=enderi log_part=ptatem type=event subtype=smtp pri=very-high user=fugi ui=labo action=block status=ullamcor session_id=itationu msg=proident +date=2017-4-16 time=08:29:41 device_id=atione log_id=lores log_part=ritati type=statistics pri=very-high session_id=uii client_name=estl5804.internal.local client_ip=10.73.207.70 dst_ip=10.179.210.218 from=taut hfrom=tanimi to=rumSecti polid=iuntNe domain=atise3421.www5.localdomain mailer=oluptas resolved=emvele src_type=isnost direction=inbound virus=Sedut disposition=yCiceroi classifier=quunt message_length=acommod subject=sitvol +date=2017-4-30 time=15:32:16 device_id=liquide log_id=odt log_part=Sedutpe type=event subtype=admin pri=medium user=rroq ui=rcit(10.43.62.246) action=accept status=estl reason=success msg=citatio +date=2017-5-14 time=22:34:50 device_id=taedict log_id=edquian log_part=loremeu type=event subtype=admin pri=very-high user=volupta ui=dmi action=allow status=aaliq reason=unknown msg=lupta +date=2017-5-29 time=05:37:24 device_id=occ log_id=oloreseo log_part=iruredol type=virus subtype=file-signature pri=very-high derit to=orese src="[10.28.105.124]" session_id="strude" msg=eritin +date=2017-6-12 time=12:39:58 device_id=temUten log_id=dutper log_part=sitamet type=event subtype=admin pri=very-high user=illumqui ui=saq action=block status=ritqu reason=unknown msg="idolor" +date=2017-6-26 time=19:42:33 device_id=quide log_id=quaU log_part=undeomni type=virus_file-signature pri=medium acomm to=iutali src="[10.219.13.150]" session_id=Finibus msg=radi +date=2017-7-11 time=02:45:07 device_id=inrepr log_id=mol log_part=umdolors type=event subtype=pop3 pri=medium user=imad ui=oriosam(10.163.114.215) action=deny status=sitametc msg=onsequa +date=2017-7-25 time=09:47:41 device_id=riosa log_id=tNe log_part=pisc type=event subtype=webmail pri=very-high user=caecat ui=rautod(10.124.32.120) action=accept status=atcupi msg=atem +date=2017-8-8 time=16:50:15 device_id=undeom log_id=emullamc log_part=tec type=event subtype=imap pri=medium user=eetdo ui=tlab action=cancel status=liq msg=seddoeiu +date=2017-8-22 time=23:52:50 device_id=edictasu log_id=mdolors log_part=oremi type=event subtype=imap pri=medium user=atis ui=atDuis action=accept status=nisiut msg="rumwri" +date=2017-9-6 time=06:55:24 device_id=lumqu log_id=onulamco log_part=ons type=event subtype=pop3 pri=low user=uptat ui=unt action=accept status=uido msg=tla +date=2017-9-20 time=13:57:58 device_id=uamqu log_id=olori log_part=ido type=spam pri=low session_id="sunt" from="autfugit" to="emUte" msg=iusmodi +date=2017-10-4 time=21:00:32 device_id=umS log_id=iciadese log_part=riatur type=event subtype=webmail pri=very-high user=xeacommo ui=Cicero(10.247.53.179) action=cancel status=ditau msg=atemaccu +date=2017-10-19 time=04:03:07 device_id=urau log_id=etur log_part=rsitvol type=event subtype=config pri=low user=laborum ui=ostr(10.70.91.185) module=lumdo submodule=acom msg="eFini" +date=2017-11-2 time=11:05:41 device_id=upta log_id=itessequ log_part=iusmodit type=event subtype=update pri=very-high msg=exerci +date=2017-11-16 time=18:08:15 device_id=mmodoco log_id=amni log_part=atnul type=event subtype=webmail pri=medium user=iquidexe ui=illumq(10.215.65.52) action=accept status=tasnul msg="tuserr" +date=2017-12-1 time=01:10:49 device_id=porinc log_id=riame log_part=riat type=event subtype=admin pri=medium user=rumSec ui=orp action=deny status=udan reason=unknown msg="essequam" +date=2017-12-15 time=08:13:24 device_id=itse log_id=ilm log_part=mvel type=virus subtype=infected pri=high from=seos to=exercita client_name="edolori3822.api.home" client_ip="10.63.177.46" session_id="oluptate" msg=lit +date=2017-12-29 time=15:15:58 device_id=iciade log_id=uis log_part=amc type=event subtype=webmail pri=medium user=Ute ui=ptassita action=allow status=runtm msg="eturadip" +date=2018-1-12 time=22:18:32 device_id=colabori log_id=imidestl log_part=piscing type=virus subtype=file-signature pri=high from="isn" to=smod src="idunt [10.29.120.226]" session_id="atev" msg="ectio" +date=2018-1-27 time=05:21:06 device_id=atcupid log_id=onse log_part=psa type=virus_file-signature pri=high destla to="fugitse" src=[10.12.86.130] session_id=dese msg="Attachment file (duntutla) has sha1 hash value: lamco" +date=2018-2-10 time=12:23:41 device_id=gna log_id=ici log_part=quamnih type=event subtype=pop3 pri=low user=iameaque ui=identsun action=deny status=aquio msg="rspicia" +date=2018-2-24 time=19:26:15 device_id=uiineavo log_id=sistena log_part=uidexeac type=virus subtype=infected pri=high from="amquisno" to=modoc client_name="magnam3267.corp" client_ip="10.95.32.86" session_id="Bonorum" msg=lesti +date=2018-3-11 time=02:28:49 device_id=lupta log_id=byC log_part=imadm type=spam pri=low session_id="nci" from="orroquis" to="ulapa" subject="iumdo" msg="iusmodit" +date=2018-3-25 time=09:31:24 device_id=obeataev log_id=umf log_part=olesti type=event subtype=config pri=low user=quaeabil ui=emip module=aturQu submodule=itesse msg="iamqui" +date=2018-4-8 time=16:33:58 device_id=inim log_id=etdol log_part=Sed type=event subtype=pop3 pri=very-high user=tten ui=etur action=allow status=mipsumqu msg="eprehen" +date=2018-4-22 time=23:36:32 device_id=itaedict log_id=olorema log_part=rep type=event subtype=update pri=low msg=ptatemse +date=2018-5-7 time=06:39:06 device_id=eleumi log_id=edic log_part=udexerc type=event subtype=pop3 pri=low user=olabori ui=odic action=block status=lica msg=secil +date=2018-5-21 time=13:41:41 device_id=nimadmin log_id=midest log_part=modt type=event subtype=update pri=very-high msg=tocca +date=2018-6-4 time=20:44:15 device_id=usant log_id=mipsumq log_part=ident type=event subtype=config pri=very-high user=sequatD ui=ercitati(10.40.89.185) module=temse submodule=caecat msg="cusanti" +date=2018-6-19 time=03:46:49 device_id=conseq log_id=itame log_part=tenat type=virus subtype=infected pri=very-high from="yCiceroi" to="nostrum" client_name="orroquis5179.local" client_ip="10.252.96.71" session_id="tvolu" msg="dutper" +date=2018-7-3 time=10:49:23 device_id=ugiatqu log_id=eruntmo log_part=nimve type=virus subtype=infected pri=very-high from=natus to=boreet client_name="luptasnu757.www.home" client_ip="10.174.210.232" session_id=ovolupta msg="volup" +date=2018-7-17 time=17:51:58 device_id=Bonoru log_id=rcitati log_part=nula type=event subtype=imap pri=medium user=deomni ui=adipi(10.120.232.62) action=block status=ntutl msg="volupt" +date=2018-8-1 time=00:54:32 device_id=mquameiu log_id=loremq log_part=turmagni type=event subtype=imap pri=very-high user=emUtenim ui=ende action=block status=amnis msg=rvelil +date=2018-8-15 time=07:57:06 device_id=rumetMa log_id=mexerci log_part=urEx type=virus subtype=file-signature pri=medium liq to=abore src=10.200.225.45 session_id=dol msg=exe +date=2018-8-29 time=14:59:40 device_id=audant log_id=rspicia log_part=pitl type=statistics pri=high session_id=mmod client_name=taevit4968.mail.local client_ip=10.144.111.42 dst_ip=10.62.61.1 from=lam hfrom=asnu to=com polid=rep domain=mveni5084.internal.local mailer=num resolved=ctetura src_type=quaerat direction=inbound virus=umexer disposition=amnih classifier=tper message_length=pisciv subject=tconsect +date=2018-9-12 time=22:02:15 device_id=emipsumq log_id=culpaq log_part=quamq type=event subtype=pop3 pri=medium user=emvel ui=pta(10.183.213.223) action=block status=hend msg=remagna +date=2018-9-27 time=05:04:49 device_id=lauda log_id=plicaboN log_part=dolo type=virus subtype=file-signature pri=medium from="elit" to=sam src="tMal [10.52.190.18]" session_id=isni msg=quid +date=2018-10-11 time=12:07:23 device_id=inibus log_id=secte log_part=ctobeat type=event subtype=config pri=low user=iqui ui=animide module=pid submodule=itanimi msg="onoru" +date=2018-10-25 time=19:09:57 device_id=naaliq log_id=plica log_part=asiarc type=event subtype=imap pri=low user=seq ui=snula(10.203.110.206) action=deny status=dipi msg=ecatc +date=2018-11-9 time=02:12:32 device_id=dolo log_id=velites log_part=oloremi type=virus_file-signature pri=high apari to=tsunt src="caecat [10.108.10.197]" session_id=enim msg="Attachment file (umq) has sha1 hash value: sistena" +date=2018-11-23 time=09:15:06 device_id=imipsam log_id=eumiu log_part=tatevel type=event subtype=smtp pri=high user=quisnostui=sequines(10.115.154.104) action=cancelstatus=lorumsession_id="suntexpl" msg="DSN: to <; reason:success; sessionid:tatis" +date=2018-12-7 time=16:17:40 device_id=econ log_id=aborio log_part=rve type=event subtype=smtp pri=medium user=nbyCiui=runtmollaction=blockstatus=velillumsession_id="ionev" msg="to=<, delay=rna, xdelay=cons, mailer=ipv6-icmp, pri=lupta, relay=olaboris3175.internal.home[10.250.94.95], dsn=tno, stat=imvenia" +date=2018-12-21 time=23:20:14 device_id=atevelit log_id=ugitsed log_part=dminimve type=virus subtype=file-signature pri=very-high from="onse" to=uiac src=tquii [10.164.49.95] session_id=emeumfu msg="inBCSedu" +date=2019-1-5 time=06:22:49 device_id=ddo log_id=emp log_part=inBC type=event subtype=smtp pri=low user=eacommui=aboNem(10.11.45.141) action=allowstatus=remasession_id="mcol"msg="STARTTLS=tion, cert-subject=umquia, cert-issuer=lorsita, verifymsg=spici" +date=2019-1-19 time=13:25:23 device_id=odit log_id=vol log_part=epteurs type=statistics pri=very-high session_id="cteturad" client_name="modi6930.internal.test[10.60.164.100]"dst_ip="10.161.1.146" from="etconse" to="nproiden" polid="ionem" domain="taevitae6868.www.corp" subject="ehende" mailer="rep" resolved="nostru" direction="internal" virus="ipiscin" disposition="trudexe" classifier="qua" message_length=modit +date=2019-2-2 time=20:27:57 device_id=orsit log_id=deFinibu log_part=iaecons type=event subtype=admin pri=very-high user=rautod ui=onorumet(10.157.118.41) action=cancel status=chit reason=unknown msg="erspici" +date=2019-2-17 time=03:30:32 device_id=quidol log_id=tinv log_part=Utenima type=statistics pri=high session_id=temqu client_name=uradip7802.mail.example client_ip=10.44.35.57 dst_ip=10.93.239.216 from=vento hfrom=litsed to=ciun polid=rehender domain=tetura7106.www5.corp mailer=eosquir resolved=tqu src_type=emips direction=internal virus=tinvolu disposition=ptat classifier=amquisn message_length=Finibus subject=nsequat +date=2019-3-3 time=10:33:06 device_id=evelite log_id=remquela log_part=toreve type=event subtype=update pri=high msg="dolor" +date=2019-3-17 time=17:35:40 device_id=itse log_id=lapari log_part=Bonor type=event subtype=update pri=medium msg=exeaco +date=2019-4-1 time=00:38:14 device_id=emvele log_id=tNeq log_part=olorsita type=virus_file-signature pri=medium eleumiu to=etdol src="imadmin [10.123.154.140]" session_id=liqu msg=dolor +date=2019-4-15 time=07:40:49 device_id=aliq log_id=utem log_part=oreetd type=event subtype=imap pri=very-high user=mremape ui=ude action=deny status=emac msg=rmagnido +date=2019-4-29 time=14:43:23 device_id=pariatur log_id=cita log_part=tvo type=event subtype=admin pri=high user=rve ui=atemacc(10.141.108.1) action=deny status=ciunt reason=success msg="beataevi" +date=2019-5-13 time=21:45:57 device_id=imaven log_id=dmin log_part=sum type=event subtype=system pri=low user=lore ui=nim action=cancel status=edquiac msg=psamvolu +date=2019-5-28 time=04:48:31 device_id=iade log_id=tae log_part=obe type=event subtype=admin pri=medium user=ulapari ui=rittenby(10.31.31.193) action=deny status=nvol reason=unknown msg="luptatem" +date=2019-6-11 time=11:51:06 device_id=conse log_id=ruredolo log_part=ati type=event subtype=system pri=low user=olors ui=roid(10.234.156.8) action=block status=uteiru msg="xer" +date=2019-6-25 time=18:53:40 device_id=nvol log_id=uame log_part=quia type=event subtype=update pri=very-high msg="labor" +date=2019-7-10 time=01:56:14 device_id=mwritte log_id=modit log_part=quamnih type=event subtype=config pri=medium user=itanimid ui=uiin module=nibusBo submodule=iusm msg="nostru" +date=2019-7-24 time=08:58:48 device_id=vel log_id=preh log_part=madmini type=event subtype=update pri=high msg=edutpers +date=2019-8-7 time=16:01:23 device_id=sBonoru log_id=everi log_part=squ type=virus subtype=file-signature pri=medium from="utla" to=nse src=10.160.236.78 session_id=nostrude msg="Attachment file (rinc) has sha1 hash value: tno" +date=2019-8-21 time=23:03:57 device_id=cid log_id=nonproi log_part=dolor type=event subtype=admin pri=medium user=molli ui=oeiusm(10.244.19.62) action=accept status=nnumquam reason=unknown msg="tdolore" +date=2019-9-5 time=06:06:31 device_id=icta log_id=epteu log_part=nvent type=event subtype=webmail pri=high user=mquiavol ui=odiconse(10.147.52.164) action=allow status=untutl msg=ugiatnul +date=2019-9-19 time=13:09:05 device_id=quaturve log_id=elaudant log_part=olup type=spam pri=high session_id="iacon" client_name= "ncu3839.www.localhost" client_ip="10.201.105.58" dst_ip="10.251.183.113" from="ent" to="ionemu" subject="eseosqu" msg="uptatem" +date=2019-10-3 time=20:11:40 device_id=eprehen log_id=oinB log_part=lor type=statistics pri=low session_id="citatio" client_name="[10.209.203.156]"dst_ip="10.132.139.98" from="pariat" to="borisnis" direction="unknown" virus="oremagn" disposition="emagna" classifier="uidolor" message_length=remag +date=2019-10-18 time=03:14:14 device_id=tiumtot log_id=ulamcola log_part=epr type=event subtype=admin pri=low user=nculpa ui=enbyCice(10.152.196.145) action=block status=uptas reason=success msg="iadeseru" +date=2019-11-1 time=10:16:48 device_id=equ log_id=turadip log_part=ataev type=virus_file-signature pri=medium from="oree" to="nimadmi" src="utaliq [10.78.38.143]" session_id=qui msg="Attachment file (epteurs) has sha1 hash value: did" +date=2019-11-15 time=17:19:22 device_id=sunt log_id=orumSe log_part=olupta type=event subtype=update pri=very-high msg=pta +date=2019-11-30 time=00:21:57 device_id=ntutlabo log_id=leumiure log_part=tasnu type=event subtype=smtp pri=high user=amquaui=tionevol(10.209.124.81) action=allowstatus=tobesession_id="ssequa" log_part=emp msg="to=<; reason:success; sessionid:tatis\"", + "fileset.name": "fortimail", + "host.ip": "10.115.154.104", + "input.type": "log", + "log.level": "high", + "log.offset": 14016, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.115.154.104" + ], + "related.user": [ + "quisnost" + ], + "rsa.email.email_dst": "iqu", + "rsa.internal.messageid": "event_smtp", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "smtp", + "rsa.misc.event_state": "lorum", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "imipsam", + "rsa.misc.log_session_id": "suntexpl", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "smtp", + "rsa.misc.reference_id": "eumiu", + "rsa.misc.reference_id1": "tatevel", + "rsa.misc.result": "success", + "rsa.misc.severity": "high", + "rsa.network.network_service": "sequines", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "service.type": "fortinet", + "source.ip": [ + "10.115.154.104" + ], + "tags": [ + "fortinet.fortimail", + "forwarded" + ], + "user.name": "quisnost" + }, + { + "@timestamp": "2018-12-07T18:17:40.000Z", + "event.action": "block", + "event.code": "aborio", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2018-12-7 time=16:17:40 device_id=econ log_id=aborio log_part=rve type=event subtype=smtp pri=medium user=nbyCiui=runtmollaction=blockstatus=velillumsession_id=\"ionev\" msg=\"to=<, delay=rna, xdelay=cons, mailer=ipv6-icmp, pri=lupta, relay=olaboris3175.internal.home[10.250.94.95], dsn=tno, stat=imvenia\"", + "fileset.name": "fortimail", + "host.hostname": "olaboris3175.internal.home", + "input.type": "log", + "log.level": "medium", + "log.offset": 14269, + "network.protocol": "ipv6-icmp", + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.250.94.95" + ], + "related.user": [ + "nbyCi" + ], + "rsa.email.email_dst": "vitaedi", + "rsa.internal.messageid": "event_smtp", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "smtp", + "rsa.misc.event_state": "velillum", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "econ", + "rsa.misc.log_session_id": "ionev", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "smtp", + "rsa.misc.reference_id": "aborio", + "rsa.misc.reference_id1": "rve", + "rsa.misc.severity": "medium", + "rsa.network.network_service": "runtmoll", + "rsa.time.event_time": "2018-12-07T18:17:40.000Z", + "service.type": "fortinet", + "source.address": "olaboris3175.internal.home", + "source.ip": [ + "10.250.94.95" + ], + "tags": [ + "fortinet.fortimail", + "forwarded" + ], + "user.name": "nbyCi" + }, + { + "@timestamp": "2018-12-22T01:20:14.000Z", + "event.action": "virus_file-signature", + "event.code": "ugitsed", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2018-12-21 time=23:20:14 device_id=atevelit log_id=ugitsed log_part=dminimve type=virus subtype=file-signature pri=very-high from=\"onse\" to=uiac src=tquii [10.164.49.95] session_id=emeumfu msg=\"inBCSedu\"", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "very-high", + "log.offset": 14586, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.164.49.95" + ], + "rsa.email.email_dst": "uiac", + "rsa.email.email_src": "onse", + "rsa.internal.event_desc": "inBCSedu", + "rsa.internal.messageid": "virus_file-signature", + "rsa.misc.event_type": "virus_file-signature", + "rsa.misc.hardware_id": "atevelit", + "rsa.misc.log_session_id": "emeumfu", + "rsa.misc.msgIdPart1": "virus", + "rsa.misc.msgIdPart2": "file-signature", + "rsa.misc.reference_id": "ugitsed", + "rsa.misc.reference_id1": "dminimve", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2018-12-22T01:20:14.000Z", + "service.type": "fortinet", + "source.domain": "tquii", + "source.ip": [ + "10.164.49.95" + ], + "tags": [ + "fortinet.fortimail", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-05T08:22:49.000Z", + "event.action": "allow", + "event.code": "emp", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-1-5 time=06:22:49 device_id=ddo log_id=emp log_part=inBC type=event subtype=smtp pri=low user=eacommui=aboNem(10.11.45.141) action=allowstatus=remasession_id=\"mcol\"msg=\"STARTTLS=tion, cert-subject=umquia, cert-issuer=lorsita, verifymsg=spici\"", + "fileset.name": "fortimail", + "host.ip": "10.11.45.141", + "input.type": "log", + "log.level": "low", + "log.offset": 14795, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.11.45.141" + ], + "related.user": [ + "eacomm" + ], + "rsa.crypto.cert_subject": "umquia", + "rsa.internal.messageid": "event_smtp", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "smtp", + "rsa.misc.event_state": "rema", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "ddo", + "rsa.misc.log_session_id": "mcol", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "smtp", + "rsa.misc.reference_id": "emp", + "rsa.misc.reference_id1": "inBC", + "rsa.misc.severity": "low", + "rsa.network.network_service": "aboNem", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.fortimail", + "forwarded" + ], + "user.name": "eacomm" + }, + { + "@timestamp": "2019-01-19T15:25:23.000Z", + "destination.ip": [ + "10.161.1.146" + ], + "event.action": "statistics", + "event.code": "vol", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-1-19 time=13:25:23 device_id=odit log_id=vol log_part=epteurs type=statistics pri=very-high session_id=\"cteturad\" client_name=\"modi6930.internal.test[10.60.164.100]\"dst_ip=\"10.161.1.146\" from=\"etconse\" to=\"nproiden\" polid=\"ionem\" domain=\"taevitae6868.www.corp\" subject=\"ehende\" mailer=\"rep\" resolved=\"nostru\" direction=\"internal\" virus=\"ipiscin\" disposition=\"trudexe\" classifier=\"qua\" message_length=modit", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "very-high", + "log.offset": 15048, + "network.direction": "internal", + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.hosts": [ + "taevitae6868.www.corp" + ], + "related.ip": [ + "10.60.164.100", + "10.161.1.146" + ], + "rsa.email.email_dst": "nproiden", + "rsa.email.email_src": "etconse", + "rsa.email.subject": "ehende", + "rsa.internal.messageid": "statistics", + "rsa.misc.client": "rep", + "rsa.misc.context": "nostru", + "rsa.misc.disposition": "trudexe", + "rsa.misc.event_type": "statistics", + "rsa.misc.filter": "qua", + "rsa.misc.hardware_id": "odit", + "rsa.misc.log_session_id": "cteturad", + "rsa.misc.reference_id": "vol", + "rsa.misc.reference_id1": "epteurs", + "rsa.misc.severity": "very-high", + "rsa.misc.virusname": "ipiscin", + "rsa.network.domain": "taevitae6868.www.corp", + "rsa.time.event_time": "2019-01-19T15:25:23.000Z", + "rsa.web.fqdn": "modi6930.internal.test", + "server.domain": "taevitae6868.www.corp", + "service.type": "fortinet", + "source.ip": [ + "10.60.164.100" + ], + "tags": [ + "fortinet.fortimail", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-02T22:27:57.000Z", + "event.action": "cancel", + "event.code": "deFinibu", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-2-2 time=20:27:57 device_id=orsit log_id=deFinibu log_part=iaecons type=event subtype=admin pri=very-high user=rautod ui=onorumet(10.157.118.41) action=cancel status=chit reason=unknown msg=\"erspici\"", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "very-high", + "log.offset": 15464, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.157.118.41" + ], + "related.user": [ + "rautod" + ], + "rsa.internal.event_desc": "erspici", + "rsa.internal.messageid": "event_admin", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "admin", + "rsa.misc.event_state": "chit", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "orsit", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "admin", + "rsa.misc.reference_id": "deFinibu", + "rsa.misc.reference_id1": "iaecons", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "very-high", + "rsa.network.network_service": "onorumet", + "rsa.time.event_time": "2019-02-02T22:27:57.000Z", + "service.type": "fortinet", + "source.ip": [ + "10.157.118.41" + ], + "tags": [ + "fortinet.fortimail", + "forwarded" + ], + "user.name": "rautod" + }, + { + "@timestamp": "2019-02-17T05:30:32.000Z", + "destination.ip": [ + "10.93.239.216" + ], + "event.action": "statistics", + "event.code": "tinv", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-2-17 time=03:30:32 device_id=quidol log_id=tinv log_part=Utenima type=statistics pri=high session_id=temqu client_name=uradip7802.mail.example client_ip=10.44.35.57 dst_ip=10.93.239.216 from=vento hfrom=litsed to=ciun polid=rehender domain=tetura7106.www5.corp mailer=eosquir resolved=tqu src_type=emips direction=internal virus=tinvolu disposition=ptat classifier=amquisn message_length=Finibus subject=nsequat", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "high", + "log.offset": 15674, + "network.direction": "internal", + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.hosts": [ + "tetura7106.www5.corp" + ], + "related.ip": [ + "10.93.239.216", + "10.44.35.57" + ], + "rsa.email.email_dst": "ciun", + "rsa.email.email_src": "vento", + "rsa.email.subject": "nsequat", + "rsa.internal.messageid": "statistics", + "rsa.misc.client": "eosquir", + "rsa.misc.context": "tqu", + "rsa.misc.disposition": "ptat", + "rsa.misc.event_type": "statistics", + "rsa.misc.filter": "amquisn", + "rsa.misc.hardware_id": "quidol", + "rsa.misc.log_session_id": "temqu", + "rsa.misc.reference_id": "tinv", + "rsa.misc.reference_id1": "Utenima", + "rsa.misc.severity": "high", + "rsa.misc.virusname": "tinvolu", + "rsa.network.domain": "tetura7106.www5.corp", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "rsa.web.fqdn": "uradip7802.mail.example", + "server.domain": "tetura7106.www5.corp", + "service.type": "fortinet", + "source.ip": [ + "10.44.35.57" + ], + "tags": [ + "fortinet.fortimail", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "event.action": "event", + "event.code": "remquela", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-3-3 time=10:33:06 device_id=evelite log_id=remquela log_part=toreve type=event subtype=update pri=high msg=\"dolor\"", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "high", + "log.offset": 16096, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "rsa.internal.event_desc": "dolor", + "rsa.internal.messageid": "event_update", + "rsa.misc.category": "update", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "evelite", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "update", + "rsa.misc.reference_id": "remquela", + "rsa.misc.reference_id1": "toreve", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.fortimail", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-17T19:35:40.000Z", + "event.action": "event", + "event.code": "lapari", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-3-17 time=17:35:40 device_id=itse log_id=lapari log_part=Bonor type=event subtype=update pri=medium msg=exeaco", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "medium", + "log.offset": 16221, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "rsa.internal.event_desc": "exeaco", + "rsa.internal.messageid": "event_update", + "rsa.misc.category": "update", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "itse", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "update", + "rsa.misc.reference_id": "lapari", + "rsa.misc.reference_id1": "Bonor", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2019-03-17T19:35:40.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.fortimail", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-01T02:38:14.000Z", + "event.action": "virus_file-signature", + "event.code": "tNeq", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-4-1 time=00:38:14 device_id=emvele log_id=tNeq log_part=olorsita type=virus_file-signature pri=medium eleumiu to=etdol src=\"imadmin [10.123.154.140]\" session_id=liqu msg=dolor", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "medium", + "log.offset": 16342, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.123.154.140" + ], + "rsa.email.email_dst": "etdol", + "rsa.email.email_src": "eleumiu", + "rsa.internal.event_desc": "dolor", + "rsa.internal.messageid": "virus_file-signature", + "rsa.misc.event_type": "virus_file-signature", + "rsa.misc.hardware_id": "emvele", + "rsa.misc.log_session_id": "liqu", + "rsa.misc.reference_id": "tNeq", + "rsa.misc.reference_id1": "olorsita", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2019-04-01T02:38:14.000Z", + "service.type": "fortinet", + "source.domain": "imadmin", + "source.ip": [ + "10.123.154.140" + ], + "tags": [ + "fortinet.fortimail", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "event.action": "deny", + "event.code": "utem", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-4-15 time=07:40:49 device_id=aliq log_id=utem log_part=oreetd type=event subtype=imap pri=very-high user=mremape ui=ude action=deny status=emac msg=rmagnido", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "very-high", + "log.offset": 16528, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.user": [ + "mremape" + ], + "rsa.internal.event_desc": "rmagnido", + "rsa.internal.messageid": "event_imap", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "imap", + "rsa.misc.event_state": "emac", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "aliq", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "imap", + "rsa.misc.reference_id": "utem", + "rsa.misc.reference_id1": "oreetd", + "rsa.misc.severity": "very-high", + "rsa.network.network_service": "ude", + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.fortimail", + "forwarded" + ], + "user.name": "mremape" + }, + { + "@timestamp": "2019-04-29T16:43:23.000Z", + "event.action": "deny", + "event.code": "cita", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-4-29 time=14:43:23 device_id=pariatur log_id=cita log_part=tvo type=event subtype=admin pri=high user=rve ui=atemacc(10.141.108.1) action=deny status=ciunt reason=success msg=\"beataevi\"", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "high", + "log.offset": 16695, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.141.108.1" + ], + "related.user": [ + "rve" + ], + "rsa.internal.event_desc": "beataevi", + "rsa.internal.messageid": "event_admin", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "admin", + "rsa.misc.event_state": "ciunt", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "pariatur", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "admin", + "rsa.misc.reference_id": "cita", + "rsa.misc.reference_id1": "tvo", + "rsa.misc.result": "success", + "rsa.misc.severity": "high", + "rsa.network.network_service": "atemacc", + "rsa.time.event_time": "2019-04-29T16:43:23.000Z", + "service.type": "fortinet", + "source.ip": [ + "10.141.108.1" + ], + "tags": [ + "fortinet.fortimail", + "forwarded" + ], + "user.name": "rve" + }, + { + "@timestamp": "2019-05-13T23:45:57.000Z", + "event.action": "cancel", + "event.code": "dmin", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-5-13 time=21:45:57 device_id=imaven log_id=dmin log_part=sum type=event subtype=system pri=low user=lore ui=nim action=cancel status=edquiac msg=psamvolu", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "low", + "log.offset": 16891, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.user": [ + "lore" + ], + "rsa.internal.event_desc": "psamvolu", + "rsa.internal.messageid": "event_system", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "system", + "rsa.misc.event_state": "edquiac", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "imaven", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "system", + "rsa.misc.reference_id": "dmin", + "rsa.misc.reference_id1": "sum", + "rsa.misc.severity": "low", + "rsa.network.network_service": "nim", + "rsa.time.event_time": "2019-05-13T23:45:57.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.fortimail", + "forwarded" + ], + "user.name": "lore" + }, + { + "@timestamp": "2019-05-28T06:48:31.000Z", + "event.action": "deny", + "event.code": "tae", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-5-28 time=04:48:31 device_id=iade log_id=tae log_part=obe type=event subtype=admin pri=medium user=ulapari ui=rittenby(10.31.31.193) action=deny status=nvol reason=unknown msg=\"luptatem\"", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "medium", + "log.offset": 17055, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.31.31.193" + ], + "related.user": [ + "ulapari" + ], + "rsa.internal.event_desc": "luptatem", + "rsa.internal.messageid": "event_admin", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "admin", + "rsa.misc.event_state": "nvol", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "iade", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "admin", + "rsa.misc.reference_id": "tae", + "rsa.misc.reference_id1": "obe", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "medium", + "rsa.network.network_service": "rittenby", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "service.type": "fortinet", + "source.ip": [ + "10.31.31.193" + ], + "tags": [ + "fortinet.fortimail", + "forwarded" + ], + "user.name": "ulapari" + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "event.action": "block", + "event.code": "ruredolo", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-6-11 time=11:51:06 device_id=conse log_id=ruredolo log_part=ati type=event subtype=system pri=low user=olors ui=roid(10.234.156.8) action=block status=uteiru msg=\"xer\"", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "low", + "log.offset": 17252, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.234.156.8" + ], + "related.user": [ + "olors" + ], + "rsa.internal.event_desc": "xer", + "rsa.internal.messageid": "event_system", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "system", + "rsa.misc.event_state": "uteiru", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "conse", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "system", + "rsa.misc.reference_id": "ruredolo", + "rsa.misc.reference_id1": "ati", + "rsa.misc.severity": "low", + "rsa.network.network_service": "roid", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "service.type": "fortinet", + "source.ip": [ + "10.234.156.8" + ], + "tags": [ + "fortinet.fortimail", + "forwarded" + ], + "user.name": "olors" + }, + { + "@timestamp": "2019-06-25T20:53:40.000Z", + "event.action": "event", + "event.code": "uame", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-6-25 time=18:53:40 device_id=nvol log_id=uame log_part=quia type=event subtype=update pri=very-high msg=\"labor\"", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "very-high", + "log.offset": 17430, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "rsa.internal.event_desc": "labor", + "rsa.internal.messageid": "event_update", + "rsa.misc.category": "update", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "nvol", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "update", + "rsa.misc.reference_id": "uame", + "rsa.misc.reference_id1": "quia", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-06-25T20:53:40.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.fortimail", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "event.action": "event", + "event.code": "modit", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-7-10 time=01:56:14 device_id=mwritte log_id=modit log_part=quamnih type=event subtype=config pri=medium user=itanimid ui=uiin module=nibusBo submodule=iusm msg=\"nostru\"", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "medium", + "log.offset": 17552, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.user": [ + "itanimid" + ], + "rsa.internal.event_desc": "nostru", + "rsa.internal.messageid": "event_config", + "rsa.misc.category": "config", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "mwritte", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "config", + "rsa.misc.reference_id": "modit", + "rsa.misc.reference_id1": "quamnih", + "rsa.misc.severity": "medium", + "rsa.network.network_service": "uiin", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.fortimail", + "forwarded" + ], + "user.name": "itanimid" + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "event.action": "event", + "event.code": "preh", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-7-24 time=08:58:48 device_id=vel log_id=preh log_part=madmini type=event subtype=update pri=high msg=edutpers", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "high", + "log.offset": 17731, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "rsa.internal.event_desc": "edutpers", + "rsa.internal.messageid": "event_update", + "rsa.misc.category": "update", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "vel", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "update", + "rsa.misc.reference_id": "preh", + "rsa.misc.reference_id1": "madmini", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.fortimail", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-07T18:01:23.000Z", + "event.action": "virus_file-signature", + "event.code": "everi", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-8-7 time=16:01:23 device_id=sBonoru log_id=everi log_part=squ type=virus subtype=file-signature pri=medium from=\"utla\" to=nse src=10.160.236.78 session_id=nostrude msg=\"Attachment file (rinc) has sha1 hash value: tno\"", + "file.name": "rinc", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "medium", + "log.offset": 17851, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.160.236.78" + ], + "rsa.email.email_dst": "nse", + "rsa.email.email_src": "utla", + "rsa.internal.messageid": "virus_file-signature", + "rsa.misc.checksum": "tno", + "rsa.misc.event_type": "virus_file-signature", + "rsa.misc.hardware_id": "sBonoru", + "rsa.misc.log_session_id": "nostrude", + "rsa.misc.msgIdPart1": "virus", + "rsa.misc.msgIdPart2": "file-signature", + "rsa.misc.reference_id": "everi", + "rsa.misc.reference_id1": "squ", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + "service.type": "fortinet", + "source.ip": [ + "10.160.236.78" + ], + "tags": [ + "fortinet.fortimail", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-22T01:03:57.000Z", + "event.action": "accept", + "event.code": "nonproi", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-8-21 time=23:03:57 device_id=cid log_id=nonproi log_part=dolor type=event subtype=admin pri=medium user=molli ui=oeiusm(10.244.19.62) action=accept status=nnumquam reason=unknown msg=\"tdolore\"", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "medium", + "log.offset": 18079, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.244.19.62" + ], + "related.user": [ + "molli" + ], + "rsa.internal.event_desc": "tdolore", + "rsa.internal.messageid": "event_admin", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "admin", + "rsa.misc.event_state": "nnumquam", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "cid", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "admin", + "rsa.misc.reference_id": "nonproi", + "rsa.misc.reference_id1": "dolor", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "medium", + "rsa.network.network_service": "oeiusm", + "rsa.time.event_time": "2019-08-22T01:03:57.000Z", + "service.type": "fortinet", + "source.ip": [ + "10.244.19.62" + ], + "tags": [ + "fortinet.fortimail", + "forwarded" + ], + "user.name": "molli" + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "event.action": "allow", + "event.code": "epteu", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-9-5 time=06:06:31 device_id=icta log_id=epteu log_part=nvent type=event subtype=webmail pri=high user=mquiavol ui=odiconse(10.147.52.164) action=allow status=untutl msg=ugiatnul", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "high", + "log.offset": 18282, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.147.52.164" + ], + "related.user": [ + "mquiavol" + ], + "rsa.internal.event_desc": "ugiatnul", + "rsa.internal.messageid": "event_webmail", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "webmail", + "rsa.misc.event_state": "untutl", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "icta", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "webmail", + "rsa.misc.reference_id": "epteu", + "rsa.misc.reference_id1": "nvent", + "rsa.misc.severity": "high", + "rsa.network.network_service": "odiconse", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "service.type": "fortinet", + "source.ip": [ + "10.147.52.164" + ], + "tags": [ + "fortinet.fortimail", + "forwarded" + ], + "user.name": "mquiavol" + }, + { + "@timestamp": "2019-09-19T15:09:05.000Z", + "destination.ip": [ + "10.251.183.113" + ], + "event.action": "spam", + "event.code": "elaudant", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-9-19 time=13:09:05 device_id=quaturve log_id=elaudant log_part=olup type=spam pri=high session_id=\"iacon\" client_name= \"ncu3839.www.localhost\" client_ip=\"10.201.105.58\" dst_ip=\"10.251.183.113\" from=\"ent\" to=\"ionemu\" subject=\"eseosqu\" msg=\"uptatem\"", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "high", + "log.offset": 18470, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.251.183.113", + "10.201.105.58" + ], + "rsa.email.email_dst": "ionemu", + "rsa.email.email_src": "ent", + "rsa.email.subject": "eseosqu", + "rsa.internal.event_desc": "uptatem", + "rsa.internal.messageid": "spam", + "rsa.misc.event_type": "spam", + "rsa.misc.hardware_id": "quaturve", + "rsa.misc.log_session_id": "iacon", + "rsa.misc.reference_id": "elaudant", + "rsa.misc.reference_id1": "olup", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-09-19T15:09:05.000Z", + "rsa.web.fqdn": "ncu3839.www.localhost", + "service.type": "fortinet", + "source.ip": [ + "10.201.105.58" + ], + "tags": [ + "fortinet.fortimail", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-03T22:11:40.000Z", + "destination.ip": [ + "10.132.139.98" + ], + "event.action": "statistics", + "event.code": "oinB", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-10-3 time=20:11:40 device_id=eprehen log_id=oinB log_part=lor type=statistics pri=low session_id=\"citatio\" client_name=\"[10.209.203.156]\"dst_ip=\"10.132.139.98\" from=\"pariat\" to=\"borisnis\" direction=\"unknown\" virus=\"oremagn\" disposition=\"emagna\" classifier=\"uidolor\" message_length=remag", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "low", + "log.offset": 18728, + "network.direction": "unknown", + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.209.203.156", + "10.132.139.98" + ], + "rsa.email.email_dst": "borisnis", + "rsa.email.email_src": "pariat", + "rsa.internal.messageid": "statistics", + "rsa.misc.disposition": "emagna", + "rsa.misc.event_type": "statistics", + "rsa.misc.filter": "uidolor", + "rsa.misc.hardware_id": "eprehen", + "rsa.misc.log_session_id": "citatio", + "rsa.misc.reference_id": "oinB", + "rsa.misc.reference_id1": "lor", + "rsa.misc.severity": "low", + "rsa.misc.virusname": "oremagn", + "rsa.time.event_time": "2019-10-03T22:11:40.000Z", + "rsa.web.fqdn": "", + "service.type": "fortinet", + "source.ip": [ + "10.209.203.156" + ], + "tags": [ + "fortinet.fortimail", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "event.action": "block", + "event.code": "ulamcola", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-10-18 time=03:14:14 device_id=tiumtot log_id=ulamcola log_part=epr type=event subtype=admin pri=low user=nculpa ui=enbyCice(10.152.196.145) action=block status=uptas reason=success msg=\"iadeseru\"", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "low", + "log.offset": 19025, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.152.196.145" + ], + "related.user": [ + "nculpa" + ], + "rsa.internal.event_desc": "iadeseru", + "rsa.internal.messageid": "event_admin", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "admin", + "rsa.misc.event_state": "uptas", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "tiumtot", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "admin", + "rsa.misc.reference_id": "ulamcola", + "rsa.misc.reference_id1": "epr", + "rsa.misc.result": "success", + "rsa.misc.severity": "low", + "rsa.network.network_service": "enbyCice", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "service.type": "fortinet", + "source.ip": [ + "10.152.196.145" + ], + "tags": [ + "fortinet.fortimail", + "forwarded" + ], + "user.name": "nculpa" + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "event.action": "virus_file-signature", + "event.code": "turadip", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-11-1 time=10:16:48 device_id=equ log_id=turadip log_part=ataev type=virus_file-signature pri=medium from=\"oree\" to=\"nimadmi\" src=\"utaliq [10.78.38.143]\" session_id=qui msg=\"Attachment file (epteurs) has sha1 hash value: did\"", + "file.name": "epteurs", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "medium", + "log.offset": 19231, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.78.38.143" + ], + "rsa.email.email_dst": "nimadmi", + "rsa.email.email_src": "oree", + "rsa.internal.messageid": "virus_file-signature", + "rsa.misc.checksum": "did", + "rsa.misc.event_type": "virus_file-signature", + "rsa.misc.hardware_id": "equ", + "rsa.misc.log_session_id": "qui", + "rsa.misc.reference_id": "turadip", + "rsa.misc.reference_id1": "ataev", + "rsa.misc.severity": "medium", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "service.type": "fortinet", + "source.domain": "utaliq", + "source.ip": [ + "10.78.38.143" + ], + "tags": [ + "fortinet.fortimail", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-15T19:19:22.000Z", + "event.action": "event", + "event.code": "orumSe", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-11-15 time=17:19:22 device_id=sunt log_id=orumSe log_part=olupta type=event subtype=update pri=very-high msg=pta", + "fileset.name": "fortimail", + "input.type": "log", + "log.level": "very-high", + "log.offset": 19466, + "observer.product": "FortiMail", + "observer.type": "Firewall", + "observer.vendor": "Fortinet", + "rsa.internal.event_desc": "pta", + "rsa.internal.messageid": "event_update", + "rsa.misc.category": "update", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "sunt", + "rsa.misc.msgIdPart1": "event", + "rsa.misc.msgIdPart2": "update", + "rsa.misc.reference_id": "orumSe", + "rsa.misc.reference_id1": "olupta", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2019-11-15T19:19:22.000Z", + "service.type": "fortinet", + "tags": [ + "fortinet.fortimail", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-30T02:21:57.000Z", + "event.action": "allow", + "event.code": "leumiure", + "event.dataset": "fortinet.fortimail", + "event.module": "fortinet", + "event.original": "date=2019-11-30 time=00:21:57 device_id=ntutlabo log_id=leumiure log_part=tasnu type=event subtype=smtp pri=high user=amquaui=tionevol(10.209.124.81) action=allowstatus=tobesession_id=\"ssequa\" log_part=emp msg=\"to=< + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. + - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. + - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num + overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. + - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. + - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. + - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. + - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml b/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml new file mode 100644 index 00000000000..735db765ff8 --- /dev/null +++ b/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml @@ -0,0 +1,45 @@ +{{ if eq .input "file" }} + +type: log +paths: + {{ range $i, $path := .paths }} +- {{$path}} + {{ end }} +exclude_files: [".gz$"] + +{{ else }} + +type: {{.input}} +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +fields_under_root: true +fields: + observer: + vendor: "Fortinet" + product: "FortiManager" + type: "Configuration" + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{.rsa_fields}} + tz_offset: {{.tz_offset}} + keep_raw: {{.keep_raw_fields}} + debug: {{.debug}} + files: + - ${path.home}/module/fortinet/fortimanager/config/liblogparser.js + - ${path.home}/module/fortinet/fortimanager/config/pipeline.js +{{ if .community_id }} +- community_id: ~ +{{ end }} +- add_fields: + target: '' + fields: + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/fortinet/fortimanager/config/liblogparser.js b/x-pack/filebeat/module/fortinet/fortimanager/config/liblogparser.js new file mode 100644 index 00000000000..6cdb48abb26 --- /dev/null +++ b/x-pack/filebeat/module/fortinet/fortimanager/config/liblogparser.js @@ -0,0 +1,2510 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; +} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], +}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. +function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). +var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} time=%{htime->} devname=%{hdevice->} device_id=%{hfld1->} log_id=%{id->} type=%{hfld2->} subtype=%{hfld3->} pri=%{hseverity->} %{payload}", processor_chain([ + setc("header_id","0001"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("hfld2"), + constant("_fortinetmgr"), + ], + }), +])); + +var hdr2 = // "Pattern{Constant('logver='), Field(hfld1,true), Constant(' date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' log_id='), Field(id,true), Constant(' '), Field(payload,false)}" +match("HEADER#1:0002", "message", "logver=%{hfld1->} date=%{hdate->} time=%{htime->} log_id=%{id->} %{payload}", processor_chain([ + setc("header_id","0002"), + dup1, +])); + +var hdr3 = // "Pattern{Constant('date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' logver='), Field(fld1,true), Constant(' '), Field(payload,false)}" +match("HEADER#2:0003", "message", "date=%{hdate->} time=%{htime->} logver=%{fld1->} %{payload}", processor_chain([ + setc("header_id","0003"), + dup1, +])); + +var hdr4 = // "Pattern{Constant('logver='), Field(hfld1,true), Constant(' dtime='), Field(hdatetime,true), Constant(' devid='), Field(hfld2,true), Constant(' devname='), Field(hdevice,true), Constant(' '), Field(payload,false)}" +match("HEADER#3:0004", "message", "logver=%{hfld1->} dtime=%{hdatetime->} devid=%{hfld2->} devname=%{hdevice->} %{payload}", processor_chain([ + setc("header_id","0004"), + dup2, +])); + +var hdr5 = // "Pattern{Constant('logver='), Field(hfld1,true), Constant(' devname="'), Field(hdevice,false), Constant('" devid="'), Field(hfld2,false), Constant('" '), Field(payload,false)}" +match("HEADER#4:0005", "message", "logver=%{hfld1->} devname=\"%{hdevice}\" devid=\"%{hfld2}\" %{payload}", processor_chain([ + setc("header_id","0005"), + dup2, +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, +]); + +var part1 = // "Pattern{Constant('user='), Field(fld1,true), Constant(' adom='), Field(domain,true), Constant(' user='), Field(username,true), Constant(' ui='), Field(fld2,true), Constant(' action='), Field(action,true), Constant(' status='), Field(event_state,true), Constant(' msg="'), Field(event_description,false), Constant('"')}" +match("MESSAGE#0:fortinetmgr:01", "nwparser.payload", "user=%{fld1->} adom=%{domain->} user=%{username->} ui=%{fld2->} action=%{action->} status=%{event_state->} msg=\"%{event_description}\"", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, +])); + +var msg1 = msg("fortinetmgr:01", part1); + +var part2 = // "Pattern{Constant('user='), Field(username,true), Constant(' adom='), Field(domain,true), Constant(' msg="'), Field(event_description,false), Constant('"')}" +match("MESSAGE#1:fortinetmgr", "nwparser.payload", "user=%{username->} adom=%{domain->} msg=\"%{event_description}\"", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, +])); + +var msg2 = msg("fortinetmgr", part2); + +var part3 = // "Pattern{Constant('user="'), Field(username,false), Constant('" userfrom='), Field(fld7,true), Constant(' msg="'), Field(p0,false)}" +match("MESSAGE#2:fortinetmgr:04/0", "nwparser.payload", "user=\"%{username}\" userfrom=%{fld7->} msg=\"%{p0}"); + +var part4 = // "Pattern{Constant('User'), Field(p0,false)}" +match("MESSAGE#2:fortinetmgr:04/1_0", "nwparser.p0", "User%{p0}"); + +var part5 = // "Pattern{Constant('user'), Field(p0,false)}" +match("MESSAGE#2:fortinetmgr:04/1_1", "nwparser.p0", "user%{p0}"); + +var select2 = linear_select([ + part4, + part5, +]); + +var part6 = // "Pattern{Field(,false), Constant('''), Field(fld3,false), Constant('' with profile ''), Field(fld4,false), Constant('' '), Field(fld5,true), Constant(' from '), Field(fld6,false), Constant('('), Field(hostip,false), Constant(')'), Field(p0,false)}" +match("MESSAGE#2:fortinetmgr:04/2", "nwparser.p0", "%{}'%{fld3}' with profile '%{fld4}' %{fld5->} from %{fld6}(%{hostip})%{p0}"); + +var part7 = // "Pattern{Constant('."'), Field(p0,false)}" +match("MESSAGE#2:fortinetmgr:04/3_0", "nwparser.p0", ".\"%{p0}"); + +var part8 = // "Pattern{Constant('"'), Field(p0,false)}" +match("MESSAGE#2:fortinetmgr:04/3_1", "nwparser.p0", "\"%{p0}"); + +var select3 = linear_select([ + part7, + part8, +]); + +var part9 = // "Pattern{Field(,false), Constant('adminprof='), Field(p0,false)}" +match("MESSAGE#2:fortinetmgr:04/4", "nwparser.p0", "%{}adminprof=%{p0}"); + +var part10 = // "Pattern{Field(fld2,true), Constant(' sid='), Field(sid,true), Constant(' user_type="'), Field(profile,false), Constant('"')}" +match("MESSAGE#2:fortinetmgr:04/5_0", "nwparser.p0", "%{fld2->} sid=%{sid->} user_type=\"%{profile}\""); + +var part11 = // "Pattern{Field(fld2,false)}" +match_copy("MESSAGE#2:fortinetmgr:04/5_1", "nwparser.p0", "fld2"); + +var select4 = linear_select([ + part10, + part11, +]); + +var all1 = all_match({ + processors: [ + part3, + select2, + part6, + select3, + part9, + select4, + ], + on_success: processor_chain([ + dup11, + dup4, + lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: field("fld5"), + }), + dup22, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ]), +}); + +var msg3 = msg("fortinetmgr:04", all1); + +var part12 = // "Pattern{Constant('user='), Field(username,true), Constant(' userfrom='), Field(fld4,true), Constant(' msg="'), Field(event_description,false), Constant('" adminprof='), Field(fld2,false)}" +match("MESSAGE#3:fortinetmgr:02", "nwparser.payload", "user=%{username->} userfrom=%{fld4->} msg=\"%{event_description}\" adminprof=%{fld2}", processor_chain([ + dup3, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, +])); + +var msg4 = msg("fortinetmgr:02", part12); + +var part13 = // "Pattern{Constant('user="'), Field(username,false), Constant('" msg="Login from ssh:'), Field(fld1,true), Constant(' for '), Field(fld2,true), Constant(' from '), Field(saddr,true), Constant(' port '), Field(sport,false), Constant('" remote_ip="'), Field(daddr,false), Constant('" remote_port='), Field(dport,true), Constant(' valid='), Field(fld3,true), Constant(' authmsg="'), Field(result,false), Constant('" extrainfo='), Field(fld5,false)}" +match("MESSAGE#4:fortinetmgr:03", "nwparser.payload", "user=\"%{username}\" msg=\"Login from ssh:%{fld1->} for %{fld2->} from %{saddr->} port %{sport}\" remote_ip=\"%{daddr}\" remote_port=%{dport->} valid=%{fld3->} authmsg=\"%{result}\" extrainfo=%{fld5}", processor_chain([ + dup11, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: field("result"), + }), + dup22, +])); + +var msg5 = msg("fortinetmgr:03", part13); + +var part14 = // "Pattern{Constant('user="'), Field(username,false), Constant('" userfrom="'), Field(fld1,false), Constant('"msg="'), Field(p0,false)}" +match("MESSAGE#5:fortinetmgr:05/0", "nwparser.payload", "user=\"%{username}\" userfrom=\"%{fld1}\"msg=\"%{p0}"); + +var part15 = // "Pattern{Constant('dev='), Field(fld2,false), Constant(',vdom='), Field(fld3,false), Constant(',type='), Field(fld4,false), Constant(',key='), Field(fld5,false), Constant(',act='), Field(action,false), Constant(',pkgname='), Field(fld7,false), Constant(',allowaccess='), Field(fld8,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#5:fortinetmgr:05/1_0", "nwparser.p0", "dev=%{fld2},vdom=%{fld3},type=%{fld4},key=%{fld5},act=%{action},pkgname=%{fld7},allowaccess=%{fld8}\"%{p0}"); + +var part16 = // "Pattern{Field(event_description,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#5:fortinetmgr:05/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); + +var select5 = linear_select([ + part15, + part16, +]); + +var part17 = // "Pattern{Field(domain,false), Constant('" adom="')}" +match("MESSAGE#5:fortinetmgr:05/2", "nwparser.p0", "%{domain}\" adom=\""); + +var all2 = all_match({ + processors: [ + part14, + select5, + part17, + ], + on_success: processor_chain([ + dup13, + dup4, + dup5, + dup6, + dup7, + dup8, + dup9, + dup10, + ]), +}); + +var msg6 = msg("fortinetmgr:05", all2); + +var part18 = tagval("MESSAGE#6:event_fortinetmgr_tvm", "nwparser.payload", tvm, { + "action": "action", + "adom": "domain", + "desc": "event_description", + "msg": "info", + "session_id": "sessionid", + "user": "username", + "userfrom": "fld1", +}, processor_chain([ + dup11, + dup4, + dup5, + dup6, + dup7, + setf("event_type","hfld2"), + dup9, + dup10, +])); + +var msg7 = msg("event_fortinetmgr_tvm", part18); + +var select6 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, +]); + +var part19 = tagval("MESSAGE#7:generic_fortinetmgr", "nwparser.payload", tvm, { + "action": "action", + "adminprof": "fld13", + "cat": "fcatnum", + "catdesc": "filter", + "cipher_suite": "fld24", + "content_switch_name": "fld15", + "craction": "fld9", + "crlevel": "fld10", + "crscore": "reputation_num", + "dev_id": "fld100", + "device_id": "hardware_id", + "devid": "hardware_id", + "devname": "event_source", + "devtype": "fld7", + "direction": "direction", + "dst": "daddr", + "dst_port": "dport", + "dstintf": "dinterface", + "dstip": "daddr", + "dstport": "dport", + "duration": "duration", + "eventtype": "vendor_event_cat", + "false_positive_mitigation": "fld17", + "ftp_cmd": "fld23", + "ftp_mode": "fld22", + "history_threat_weight": "fld21", + "hostname": "hostname", + "http_agent": "agent", + "http_host": "web_ref_domain", + "http_method": "web_method", + "http_refer": "web_referer", + "http_session_id": "sessionid", + "http_url": "web_query", + "http_version": "fld19", + "level": "severity", + "log_id": "id", + "logid": "id", + "main_type": "fld37", + "mastersrcmac": "fld8", + "method": "fld12", + "monitor_status": "fld18", + "msg": "event_description", + "msg_id": "fld25", + "osname": "os", + "osversion": "version", + "policy": "policyname", + "policyid": "policy_id", + "poluuid": "fld5", + "pri": "severity", + "profile": "rulename", + "proto": "fld6", + "rcvdbyte": "rbytes", + "reqtype": "fld11", + "sentbyte": "sbytes", + "server_pool_name": "fld16", + "service": "network_service", + "sessionid": "sessionid", + "severity_level": "fld101", + "signature_id": "sigid", + "signature_subclass": "fld14", + "src": "saddr", + "src_port": "sport", + "srccountry": "location_src", + "srcintf": "sinterface", + "srcip": "saddr", + "srcmac": "smacaddr", + "srcport": "sport", + "sub_type": "category", + "subtype": "category", + "threat_level": "threat_val", + "threat_weight": "fld20", + "timezone": "timezone", + "trandisp": "context", + "trigger_policy": "fld39", + "type": "event_type", + "url": "url", + "user": "username", + "user_name": "username", + "userfrom": "fld30", + "vd": "vsys", +}, processor_chain([ + dup13, + dup4, + dup5, + dup14, + dup23, +])); + +var msg8 = msg("generic_fortinetmgr", part19); + +var part20 = tagval("MESSAGE#8:generic_fortinetmgr_1", "nwparser.payload", tvm, { + "action": "action", + "app": "obj_name", + "appcat": "fld33", + "craction": "fld9", + "crlevel": "fld10", + "crscore": "reputation_num", + "date": "fld1", + "dstcountry": "location_dst", + "dstintf": "dinterface", + "dstintfrole": "fld31", + "dstip": "daddr", + "dstport": "dport", + "duration": "duration", + "eventtime": "event_time_string", + "level": "severity", + "logid": "id", + "logtime": "fld35", + "policyid": "policy_id", + "policytype": "fld34", + "poluuid": "fld5", + "proto": "fld6", + "rcvdbyte": "rbytes", + "sentbyte": "sbytes", + "sentpkt": "fld15", + "service": "network_service", + "sessionid": "sessionid", + "srccountry": "location_src", + "srcintf": "sinterface", + "srcintfrole": "fld30", + "srcip": "saddr", + "srcport": "sport", + "subtype": "category", + "time": "fld2", + "trandisp": "context", + "tranip": "dtransaddr", + "tranport": "dtransport", + "type": "event_type", + "vd": "vsys", +}, processor_chain([ + dup13, + dup4, + date_time({ + dest: "event_time", + args: ["fld1","fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup6, + setf("hardware_id","hfld2"), + dup14, + dup23, +])); + +var msg9 = msg("generic_fortinetmgr_1", part20); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "event_fortinetmgr": select6, + "generic_fortinetmgr": msg8, + "generic_fortinetmgr_1": msg9, + }), +]); diff --git a/x-pack/filebeat/module/citrix/virtualapps/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml similarity index 81% rename from x-pack/filebeat/module/citrix/virtualapps/ingest/pipeline.yml rename to x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml index 9b7b503ea67..79b9a885628 100644 --- a/x-pack/filebeat/module/citrix/virtualapps/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml @@ -1,7 +1,11 @@ --- -description: Pipeline for Citrix XenApp +description: Pipeline for Fortinet Manager/Analyzer processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original @@ -49,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/fortinet/fortimanager/manifest.yml b/x-pack/filebeat/module/fortinet/fortimanager/manifest.yml new file mode 100644 index 00000000000..f5759fce05e --- /dev/null +++ b/x-pack/filebeat/module/fortinet/fortimanager/manifest.yml @@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["fortinet.fortimanager", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9530 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log new file mode 100644 index 00000000000..7da64dddce2 --- /dev/null +++ b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log @@ -0,0 +1,100 @@ +logver=iusm devname="modtempo" devid="olab" vd=nto date=2016-1-29 time=6:09:59 logid=sse type=exercita subtype=der level=very-high eventtime=odoco logtime=ria srcip=10.20.234.169 srcport=1001 srcintf=eth5722 srcintfrole=vol dstip=10.44.173.44 dstport=6125 dstintf=enp0s3068 dstintfrole=nseq poluuid=itinvol sessionid=psa proto=21 action=allow policyid=ntium policytype=psaq crscore=13.800000 craction=eab crlevel=aliqu appcat=Ute service=lupt srccountry=dolore dstcountry=sequa trandisp=abo tranip=10.189.58.145 tranport=5273 duration=14.119000 sentbyte=7880 rcvdbyte=449 sentpkt=mqui app=nci +date=2016-2-12 time=1:12:33 logver=litesse devid=orev devname=pisciv logid=uii type=umexe subtype=estlabo level=high vd=iatnu srcip=10.182.84.248 srcport=4880 srcintf=enp0s208 dstip=10.162.33.193 dstport=7200 dstintf=enp0s2581 poluuid=nulapari sessionid=mwritten proto=prm action=accept policyid=uidolor trandisp=nibus duration=72.226000 sentbyte=6378 rcvdbyte=3879 devtype=riosam osname=anonnu osversion=1.410 mastersrcmac=ameaqu srcmac=01:00:5e:84:66:6c crscore=145.047000 craction=squame crlevel=ntex eventtype=eius user=luptat service=emape hostname=aer445.host profile=eumiu reqtype=uame url=https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS direction=external msg=com method=eataevi cat=byC catdesc=tinculp device_id=tur log_id=atio pri=high userfrom=atemsequ adminprof=nci timezone=CEST main_type=eFini trigger_policy=amco sub_type=exe severity_level=iatu policy=ionofde src=10.62.4.246 src_port=189 dst=10.171.204.166 dst_port=6668 http_method=mol http_url=taspe http_host=mvolu http_agent=radip http_session_id=tNequ signature_subclass=gelit signature_id=6728 srccountry=tconsec content_switch_name=nsequat server_pool_name=taev false_positive_mitigation=roidents user_name=oluptas monitor_status=llu http_refer=https://api.example.org/tamremap/tur.html?radipis=isetq#estqui http_version=uasiarch dev_id=emaper threat_weight=ssitasp history_threat_weight=eum threat_level=sum ftp_mode=uaerat ftp_cmd=boreet cipher_suite=onev msg_id=tenima +logver=seq dtime=2016-02-26 20:15:08.252538723 +0000 UTC devid=olorema devname=ccaecat vd=veleumi date=2016-2-26 time=8:15:08 logid=tia type=enim subtype=dqu level=medium eventtime=uian logtime=tempo srcip=10.200.188.142 srcport=4665 srcintf=eth4496 srcintfrole=eetd dstip=10.94.103.117 dstport=513 dstintf=enp0s3491 dstintfrole=doloreeu poluuid=pori sessionid=occ proto=icmp action=allow policyid=reetdolo policytype=nrepreh crscore=18.839000 craction=uiano crlevel=mrema appcat=autfu service=natura srccountry=aboris dstcountry=ima trandisp=tanimi tranip=10.15.159.80 tranport=6378 duration=121.916000 sentbyte=6517 rcvdbyte=13 sentpkt=ugiatqu app=eacomm +logver=liqu devname="lorem" devid="emq" vd=isiu date=2016-3-12 time=3:17:42 logid=nimadmi type=iatisu subtype=iat level=low eventtime=suntinc logtime=elits srcip=10.131.233.27 srcport=5037 srcintf=eth3676 srcintfrole=eataevit dstip=10.50.112.141 dstport=7303 dstintf=eth3391 dstintfrole=olab poluuid=mquisnos sessionid=loremagn proto=1 action=cancel policyid=tsed policytype=orai crscore=61.614000 craction=incididu crlevel=eci appcat=aali service=ametcons srccountry=porainc dstcountry=amquisno trandisp=iinea tranip=10.27.88.95 tranport=776 duration=5.911000 sentbyte=1147 rcvdbyte=3269 sentpkt=tvol app=moll +date=2016-3-26 time=10:20:16 logver=inim devid=ema devname=roinBCSe logid=onse type=tae subtype=tatno level=very-high vd=oluptate srcip=10.52.54.178 srcport=4427 srcintf=lo1567 dstip=10.37.58.155 dstport=2430 dstintf=eth6096 poluuid=ciati sessionid=ercit proto=3 action=allow policyid=eniam trandisp=reetdolo duration=165.411000 sentbyte=7651 rcvdbyte=3982 devtype=rumet osname=oll osversion=1.5670 mastersrcmac=nido srcmac=01:00:5e:c3:0a:41 crscore=71.955000 craction=itlabori crlevel=Ciceroi eventtype=aveniam user=uradi service=nimadmin hostname=olo7148.mail.home profile=snulapar reqtype=aedic url=https://api.example.com/iumto/aboreetd.gif?dun=enim#saute direction=internal msg=eriame method=lorema cat=avol catdesc=labor device_id=atuse log_id=ddoeiu pri=high userfrom=idolore adminprof=onse timezone=PST main_type=tation trigger_policy=ips sub_type=emeumfug severity_level=upta policy=omn src=10.87.212.179 src_port=1758 dst=10.157.213.15 dst_port=3539 http_method=ali http_url=nsect http_host=ntutl http_agent=caecatc http_session_id=onsequat signature_subclass=siuta signature_id=2896 srccountry=loru content_switch_name=ema server_pool_name=par false_positive_mitigation=itaut user_name=rveli monitor_status=rsint http_refer=https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf http_version=antiumto dev_id=strude threat_weight=ctetura history_threat_weight=usmod threat_level=edqui ftp_mode=mquidol ftp_cmd=ita cipher_suite=ipi msg_id=rsitamet +date=2016-4-9 time=5:22:51 logver=eseru devid=remeum devname=orain logid=quip type=oin subtype=uisquam level=high vd=tinvol srcip=10.19.68.92 srcport=1409 srcintf=enp0s33 dstip=10.38.22.45 dstport=7036 dstintf=lo1120 poluuid=ditautfu sessionid=piscing proto=icmp action=accept policyid=ostr trandisp=rudexerc duration=135.013000 sentbyte=3369 rcvdbyte=927 devtype=itaut osname=imaven osversion=1.152 mastersrcmac=umdolo srcmac=01:00:5e:f7:4a:fd crscore=169.252000 craction=tfug crlevel=icab eventtype=mwr user=fugi service=inculpaq hostname=agna7678.internal.host profile=equa reqtype=mexercit url=https://www.example.net/tasuntex/sunt.txt?ume=incidi#picia direction=unknown msg=olupt method=dit cat=sumquiad catdesc=dexeaco device_id=ivelits log_id=moenimi pri=medium userfrom=etdolo adminprof=inv timezone=CEST main_type=ommod trigger_policy=sequatur sub_type=uidolo severity_level=lumquido policy=nihi src=10.114.150.67 src_port=1407 dst=10.76.73.140 dst_port=3075 http_method=uines http_url=nsec http_host=onse http_agent=emips http_session_id=imadmi signature_subclass=ostrume signature_id=6051 srccountry=eataev content_switch_name=liquide server_pool_name=uasia false_positive_mitigation=emp user_name=aperia monitor_status=ofdeFini http_refer=https://example.org/vol/riat.htm?atvol=umiur#imad http_version=msequi dev_id=isnostru threat_weight=iquaUten history_threat_weight=santium threat_level=iciatisu ftp_mode=rehender ftp_cmd=eporroqu cipher_suite=uat msg_id=tem +logver=suntinc date=2016-4-24 time=12:25:25 log_id=xeac devid=nidolo devname=tatn logid=eli type=nnu subtype=dolo level=low vd=nse srcip=10.202.204.239 srcport=7783 srcintf=lo2857 dstip=10.147.28.176 dstport=7432 dstintf=enp0s1462 poluuid=mporain sessionid=icons proto=0 action=accept policyid=sequi trandisp=rehend duration=3.138000 sentbyte=6354 rcvdbyte=3605 devtype=numqu osname=qui osversion=1.4059 mastersrcmac=equi srcmac=01:00:5e:68:86:a1 crscore=72.701000 craction=tat crlevel=ipitla eventtype=quae user=maccusa service=uptat hostname=equep5085.mail.domain profile=aqu reqtype=rpo url=https://www.example.org/inesci/serror.html?mqu=apariat#tlabore direction=internal msg=ihilm method=atDu cat=eav catdesc=ionevo device_id=remagn log_id=run pri=very-high userfrom=iamquis adminprof=quirat timezone=CET main_type=ittenbyC trigger_policy=isc sub_type=aturve severity_level=emulla policy=mpori src=10.195.36.51 src_port=3905 dst=10.95.64.124 dst_port=7042 http_method=iadese http_url=nsectet http_host=utla http_agent=utei http_session_id=laborum signature_subclass=tionof signature_id=7613 srccountry=oin content_switch_name=lapari server_pool_name=data false_positive_mitigation=dolor user_name=nnum monitor_status=eritqu http_refer=https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu http_version=namali dev_id=taevit threat_weight=rinrepre history_threat_weight=etconse threat_level=tincu ftp_mode=ari ftp_cmd=exercit cipher_suite=sci msg_id=quamnih +logver=occae dtime=2016-05-08 07:27:59.552538723 +0000 UTC devid=ctetura devname=labore vd=texp date=2016-5-8 time=7:27:59 logid=tMalor type=acc subtype=amc level=very-high eventtime=amest logtime=corp srcip=10.176.216.90 srcport=2428 srcintf=eth2591 srcintfrole=dantiumt dstip=10.186.85.3 dstport=5366 dstintf=lo821 dstintfrole=ento poluuid=pic sessionid=evita proto=prm action=allow policyid=duntut policytype=magni crscore=102.339000 craction=uptat crlevel=uam appcat=boris service=nti srccountry=abi dstcountry=sectetur trandisp=uioffi tranip=10.114.16.155 tranport=1608 duration=62.941000 sentbyte=5110 rcvdbyte=3818 sentpkt=ipi app=reseos +logver=mcolab date=2016-5-22 time=2:30:33 log_id=neav devid=oquisqu devname=sperna logid=eabilloi type=estia subtype=tper level=very-high vd=volupt srcip=10.188.169.107 srcport=2138 srcintf=eth6448 dstip=10.214.7.83 dstport=1696 dstintf=lo1616 poluuid=tenatu sessionid=uun proto=HOPOPT action=cancel policyid=ectio trandisp=dutper duration=4.781000 sentbyte=3423 rcvdbyte=3252 devtype=radi osname=gel osversion=1.3917 mastersrcmac=iduntu srcmac=01:00:5e:21:f5:0a crscore=57.435000 craction=uamqu crlevel=lor eventtype=oide user=dolore service=amvolu hostname=eturadi6608.mail.host profile=aera reqtype=ate url=https://api.example.com/nimid/itatione.htm?umwr=oluptate#issus direction=inbound msg=uaUteni method=udantium cat=pre catdesc=xeacom device_id=stlabo log_id=dictasu pri=low userfrom=catc adminprof=nsect timezone=GMT-07:00 main_type=asia trigger_policy=econs sub_type=uir severity_level=dol policy=essecil src=10.23.62.94 src_port=4368 dst=10.61.163.4 dst_port=1232 http_method=luptatem http_url=atem http_host=gnido http_agent=ratvolu http_session_id=olup signature_subclass=numqua signature_id=1411 srccountry=inculpa content_switch_name=abo server_pool_name=veniamqu false_positive_mitigation=nse user_name=non monitor_status=paquioff http_refer=https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema http_version=intocc dev_id=liqu threat_weight=eporr history_threat_weight=xeacomm threat_level=mveleu ftp_mode=nofdeFin ftp_cmd=sequam cipher_suite=temvel msg_id=ris +date=2016-6-5 time=9:33:08 logver=nisiuta devid=tvolu devname=ecte logid=tinvolu type=iurer subtype=iciadese level=medium vd=gnaaliq srcip=10.52.135.156 srcport=2660 srcintf=eth4502 dstip=10.133.89.11 dstport=1098 dstintf=lo4901 poluuid=sintoc sessionid=volupt proto=1 action=deny policyid=uiinea trandisp=Utenima duration=111.502000 sentbyte=1871 rcvdbyte=5074 devtype=ptatem osname=Nequepor osversion=1.2580 mastersrcmac=ugiatnu srcmac=01:00:5e:4a:7f:b8 crscore=103.738000 craction=mnisi crlevel=scivelit eventtype=tDuisaut user=oinBC service=quameius hostname=ipsumdol4488.api.localdomain profile=ommodico reqtype=ptas url=https://example.com/tetu/stru.htm?tlabore=Exc#pora direction=unknown msg=uteirure method=nevo cat=ide catdesc=aali device_id=adip log_id=tium pri=very-high userfrom=iusmodi adminprof=uamest timezone=PST main_type=uiac trigger_policy=epte sub_type=idolo severity_level=quinesc policy=madmi src=10.28.76.42 src_port=3427 dst=10.106.31.86 dst_port=4198 http_method=sno http_url=atno http_host=tani http_agent=volu http_session_id=nonn signature_subclass=inventor signature_id=6088 srccountry=autf content_switch_name=quamni server_pool_name=iatisu false_positive_mitigation=sec user_name=cons monitor_status=sBon http_refer=https://www.example.com/tae/ccaec.htm?aperiame=isc#ullamcor http_version=tobea dev_id=tor threat_weight=qui history_threat_weight=ntmollit threat_level=tenatus ftp_mode=cipitlab ftp_cmd=ipsumd cipher_suite=antiu msg_id=uirati +logver=ersp dtime=2016-06-20 04:35:42.332538723 +0000 UTC devid=tquov devname=diconseq vd=inven date=2016-6-20 time=4:35:42 logid=osquira type=tes subtype=mquame level=medium eventtime=tnulapa logtime=orain srcip=10.238.164.74 srcport=2201 srcintf=lo4249 srcintfrole=madmi dstip=10.106.162.153 dstport=341 dstintf=lo7114 dstintfrole=amvo poluuid=qui sessionid=tasn proto=1 action=accept policyid=squirati policytype=Sedutp crscore=92.058000 craction=nbyCic crlevel=utlabor appcat=itessequ service=porro srccountry=ine dstcountry=lup trandisp=tatemUt tranip=10.58.214.16 tranport=508 duration=166.566000 sentbyte=2715 rcvdbyte=7130 sentpkt=pici app=abor +logver=tquiin dtime=2016-07-04 11:38:16.592538723 +0000 UTC devid=tse devname=tenimad vd=minimav date=2016-7-4 time=11:38:16 logid=udexerci type=naal subtype=lore level=high eventtime=idolore logtime=pid srcip=10.225.141.20 srcport=2282 srcintf=enp0s4046 srcintfrole=natuse dstip=10.217.150.196 dstport=4639 dstintf=lo2438 dstintfrole=archite poluuid=loreme sessionid=untu proto=6 action=cancel policyid=datatno policytype=siutali crscore=49.988000 craction=usmodte crlevel=msequi appcat=tau service=exercita srccountry=ris dstcountry=eumiu trandisp=orumSe tranip=10.110.31.190 tranport=945 duration=12.946000 sentbyte=248 rcvdbyte=5300 sentpkt=eeufugia app=evit +date=2016-7-18 time=6:40:50 devname=molli device_id=velitse log_id=oditem type=generic subtype=gitsedqu pri=very-high devid=oremi devname=mestq logid=temUt type=olor subtype=ineavo level=very-high vd=mquelau srcip=10.168.236.85 srcport=6846 srcintf=eth651 dstip=10.140.113.244 dstport=4374 dstintf=lo4367 poluuid=fugitsed sessionid=quam proto=tcp action=deny policyid=fugiat trandisp=atisun duration=101.653000 sentbyte=3962 rcvdbyte=7741 devtype=dmin osname=fugi osversion=1.3319 mastersrcmac=inci srcmac=01:00:5e:e6:ad:ae crscore=39.291000 craction=avol crlevel=icero eventtype=xer user=emipsumd service=isisten hostname=cusant4946.www.domain profile=itecto reqtype=reetdol url=https://api.example.com/isnostr/umqu.htm?emquia=inesci#isnisi direction=unknown msg=aquioffi method=tamet cat=quatur catdesc=uisa device_id=eFi log_id=mexe pri=high userfrom=rpori adminprof=ice timezone=GMT+02:00 main_type=entorev trigger_policy=commodo sub_type=conseq severity_level=ame policy=tatn src=10.137.56.173 src_port=3932 dst=10.69.103.176 dst_port=1229 http_method=umdolo http_url=uptate http_host=amc http_agent=cusant http_session_id=orumSe signature_subclass=ratv signature_id=5227 srccountry=dutp content_switch_name=psaquaea server_pool_name=taevita false_positive_mitigation=ameiusm user_name=proide monitor_status=ano http_refer=https://www5.example.org/tvol/velitess.htm?edqui=nre#veli http_version=volupta dev_id=rnatu threat_weight=elitse history_threat_weight=ima threat_level=quasia ftp_mode=adi ftp_cmd=umwrit cipher_suite=uptate msg_id=mac +logver=dolore devname="onsecte" devid="nBCSedut" vd=ugiat date=2016-8-2 time=1:43:25 logid=onulam type=ate subtype=odoconse level=high eventtime=quatu logtime=veli srcip=10.30.47.165 srcport=631 srcintf=eth267 srcintfrole=sectet dstip=10.5.235.217 dstport=3689 dstintf=lo5047 dstintfrole=pitl poluuid=por sessionid=quidexea proto=tcp action=deny policyid=runtmol policytype=texpli crscore=57.772000 craction=ptass crlevel=rita appcat=esseci service=tametcon srccountry=liqua dstcountry=mvele trandisp=isis tranip=10.25.212.118 tranport=1190 duration=179.686000 sentbyte=238 rcvdbyte=7122 sentpkt=dantium app=lor +date=2016-8-16 time=8:45:59 logver=onemulla devid=dolorem devname=tvolu logid=nreprehe type=tetu subtype=mdol level=high vd=nby srcip=10.20.26.210 srcport=2791 srcintf=eth5968 dstip=10.85.96.153 dstport=5286 dstintf=eth4392 poluuid=nsequat sessionid=doloreme proto=0 action=deny policyid=reprehe trandisp=tincu duration=93.111000 sentbyte=2826 rcvdbyte=6247 devtype=lor osname=oraincid osversion=1.225 mastersrcmac=emeumfug srcmac=01:00:5e:1d:39:39 crscore=114.626000 craction=liqua crlevel=olo eventtype=psumqu user=untincul service=iduntu hostname=ccaeca5504.internal.example profile=reseo reqtype=oreetd url=https://example.org/tiaec/rumwrit.txt?oconsequ=edquiac#urerepr direction=external msg=ercit method=etMal cat=qua catdesc=rsita device_id=ate log_id=ipsamvo pri=low userfrom=adeseru adminprof=tdol timezone=CET main_type=rem trigger_policy=asper sub_type=idunt severity_level=luptat policy=eveli src=10.149.13.76 src_port=7809 dst=10.40.152.253 dst_port=1478 http_method=ritt http_url=iaeco http_host=equaturv http_agent=siu http_session_id=snost signature_subclass=tpersp signature_id=2624 srccountry=quaea content_switch_name=ametcons server_pool_name=utali false_positive_mitigation=porinc user_name=tetur monitor_status=xce http_refer=https://example.com/aincidu/nimadmin.jpg?itinv=eumfugi#etdolor http_version=lupta dev_id=xeaco threat_weight=nvolupt history_threat_weight=oremi threat_level=elites ftp_mode=nbyCi ftp_cmd=tevel cipher_suite=usc msg_id=rem +logver=cab dtime=2016-08-30 15:48:33.632538723 +0000 UTC devid=atisund devname=xea vd=ites date=2016-8-30 time=3:48:33 logid=isetq type=iutali subtype=velite level=high eventtime=avolupt logtime=ariatur srcip=10.98.194.212 srcport=5469 srcintf=lo1208 srcintfrole=atisetqu dstip=10.51.213.42 dstport=988 dstintf=enp0s3449 dstintfrole=ilmol poluuid=eri sessionid=quunt proto=HOPOPT action=deny policyid=mquae policytype=eriti crscore=96.729000 craction=cidunt crlevel=plica appcat=ore service=quidolor srccountry=inven dstcountry=eufugi trandisp=accusant tranip=10.233.120.207 tranport=136 duration=171.844000 sentbyte=2859 rcvdbyte=4844 sentpkt=eaqu app=nvol +logver=leumiu devname="tla" devid="item" vd=nimid date=2016-9-13 time=10:51:07 logid=dat type=periam subtype=dqu level=high eventtime=dminima logtime=dutpers srcip=10.245.187.229 srcport=4953 srcintf=lo3642 srcintfrole=prehen dstip=10.67.132.242 dstport=2340 dstintf=enp0s2700 dstintfrole=sequa poluuid=iosamnis sessionid=volupt proto=6 action=allow policyid=idid policytype=tesse crscore=64.509000 craction=boru crlevel=ptateve appcat=enderi service=ptatem srccountry=ptatevel dstcountry=tenatuse trandisp=psaqua tranip=10.241.132.176 tranport=7224 duration=167.705000 sentbyte=6595 rcvdbyte=7301 sentpkt=tame app=atione +date=2016-9-28 time=5:53:42 logver=vitaedic devid=orin devname=uii logid=estl type=sitam subtype=orem level=very-high vd=uuntur srcip=10.210.28.247 srcport=3449 srcintf=eth4185 dstip=10.237.180.17 dstport=3023 dstintf=lo7672 poluuid=tate sessionid=onevo proto=6 action=allow policyid=aeconseq trandisp=lor duration=96.560000 sentbyte=2760 rcvdbyte=1775 devtype=emqu osname=riss osversion=1.1847 mastersrcmac=sitvol srcmac=01:00:5e:a5:5a:54 crscore=129.120000 craction=olorsi crlevel=aliq eventtype=mes user=mven service=olorsit hostname=tore7088.www.invalid profile=ruredo reqtype=mac url=https://mail.example.org/ptassita/its.gif?risnis=uov#itlab direction=outbound msg=sBono method=loremqu cat=tetur catdesc=amvo device_id=siuta log_id=urmagn pri=low userfrom=uptat adminprof=idex timezone=GMT+02:00 main_type=tatione trigger_policy=nimveni sub_type=idi severity_level=ore policy=quid src=10.212.214.4 src_port=6040 dst=10.199.47.220 dst_port=4084 http_method=oin http_url=hil http_host=cingel http_agent=modocon http_session_id=ipsu signature_subclass=ntNeq signature_id=1081 srccountry=aUt content_switch_name=boNem server_pool_name=nturm false_positive_mitigation=emips user_name=atv monitor_status=onu http_refer=https://www5.example.net/alorum/obeataev.gif?atDu=nsec#quidolor http_version=oqu dev_id=naaliq threat_weight=remeu history_threat_weight=osquir threat_level=mod ftp_mode=col ftp_cmd=mve cipher_suite=liquide msg_id=odt +date=2016-10-12 time=12:56:16 logver=inv devid=rroq devname=rcit logid=aecatcup type=olabor subtype=estl level=very-high vd=citatio srcip=10.168.40.197 srcport=7699 srcintf=enp0s3071 dstip=10.206.69.135 dstport=6396 dstintf=eth3862 poluuid=utfug sessionid=aturQu proto=udp action=deny policyid=mipsamvo trandisp=eiusmod duration=91.147000 sentbyte=6153 rcvdbyte=4059 devtype=oreveri osname=ehende osversion=1.760 mastersrcmac=Except srcmac=01:00:5e:bf:07:ee crscore=45.760000 craction=dol crlevel=sciun eventtype=metcons user=itasper service=uae hostname=mve1890.internal.home profile=tatemU reqtype=mad url=https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut direction=unknown msg=dexerc method=strumex cat=eprehend catdesc=asnu device_id=hitec log_id=henderit pri=medium userfrom=perspici adminprof=ationul timezone=PST main_type=itsedq trigger_policy=uto sub_type=emUte severity_level=molestia policy=quir src=10.46.56.204 src_port=2463 dst=10.234.165.130 dst_port=7079 http_method=umf http_url=quames http_host=dolorsit http_agent=archite http_session_id=remq signature_subclass=veniamq signature_id=1236 srccountry=uta content_switch_name=emo server_pool_name=itq false_positive_mitigation=derit user_name=orese monitor_status=dolor http_refer=https://mail.example.com/ntexpl/dunt.jpg?yCic=nder#mdolore http_version=Cic dev_id=olorema threat_weight=mollita history_threat_weight=tatem threat_level=iae ftp_mode=quido ftp_cmd=emip cipher_suite=inBC msg_id=mol +logver=turadipi date=2016-10-26 time=7:58:50 log_id=usmodi devid=ree devname=saquaea logid=ation type=luptas subtype=minim level=very-high vd=lorsi srcip=10.61.123.159 srcport=754 srcintf=eth7713 dstip=10.141.158.225 dstport=4690 dstintf=lo1586 poluuid=ate sessionid=idolor proto=1 action=block policyid=nreprehe trandisp=onse duration=71.505000 sentbyte=4010 rcvdbyte=4527 devtype=duntutla osname=ntium osversion=1.4450 mastersrcmac=asuntexp srcmac=01:00:5e:26:56:73 crscore=5.843000 craction=nse crlevel=modoc eventtype=boNem user=iumt service=tsed hostname=eturad6143.www.home profile=uamnihil reqtype=llam url=https://example.net/aparia/tatnon.jpg?rever=ore#offici direction=outbound msg=metco method=acom cat=ceroinB catdesc=nim device_id=utaliqu log_id=rsi pri=high userfrom=imadmi adminprof=isnis timezone=CEST main_type=olupta trigger_policy=tsuntinc sub_type=inrepreh severity_level=quovo policy=urExcep src=10.128.46.70 src_port=5269 dst=10.95.117.134 dst_port=1723 http_method=acommodi http_url=essecill http_host=billoi http_agent=moles http_session_id=dipiscin signature_subclass=olup signature_id=5976 srccountry=undeomni content_switch_name=accusa server_pool_name=natu false_positive_mitigation=liquid user_name=enim monitor_status=Finibus http_refer=https://www.example.org/xeacom/des.gif?umdolo=ntiu#radipisc http_version=Cice dev_id=taedi threat_weight=tquido history_threat_weight=ptasnula threat_level=oru ftp_mode=ill ftp_cmd=mporinc cipher_suite=onsectet msg_id=idolo +date=2016-11-10 time=3:01:24 logver=edolo devid=ugiatquo devname=ntium logid=uptate type=lloinven subtype=econs level=medium vd=tetura srcip=10.135.106.42 srcport=6602 srcintf=lo154 dstip=10.224.30.160 dstport=5302 dstintf=eth1247 poluuid=etconsec sessionid=caboNem proto=21 action=cancel policyid=rumetMal trandisp=oconse duration=2.970000 sentbyte=7685 rcvdbyte=1506 devtype=sequam osname=oditempo osversion=1.7544 mastersrcmac=taliqui srcmac=01:00:5e:98:79:a3 crscore=78.248000 craction=rcitat crlevel=dolorema eventtype=emagn user=radipis service=ctetu hostname=orinrep5386.www.corp profile=stenatus reqtype=equep url=https://www.example.com/tali/BCS.txt?iqu=niamqu#equamnih direction=inbound msg=autemv method=emq cat=plicaboN catdesc=amc device_id=vol log_id=admi pri=medium userfrom=culpaq adminprof=saute timezone=GMT+02:00 main_type=ende trigger_policy=abor sub_type=magnid severity_level=adol policy=iutal src=10.208.21.135 src_port=2721 dst=10.253.228.140 dst_port=6748 http_method=ugitse http_url=quiineav http_host=billoinv http_agent=sci http_session_id=col signature_subclass=obea signature_id=5700 srccountry=tatev content_switch_name=luptas server_pool_name=uptatem false_positive_mitigation=oinv user_name=inculp monitor_status=onofd http_refer=https://internal.example.org/nisiu/imad.html?ptatem=itasp#dexe http_version=tat dev_id=onproide threat_weight=ntmo history_threat_weight=loreeu threat_level=temse ftp_mode=aspernat ftp_cmd=ume cipher_suite=caecat msg_id=rautod +logver=ercitat date=2016-11-24 time=10:03:59 log_id=lapar devid=ritati devname=edquia logid=itesse type=mullam subtype=mexerc level=medium vd=amvolu srcip=10.120.231.161 srcport=1129 srcintf=lo653 dstip=10.210.62.203 dstport=4381 dstintf=lo3057 poluuid=ataevita sessionid=oremqu proto=6 action=cancel policyid=velitsed trandisp=magnaali duration=92.900000 sentbyte=3984 rcvdbyte=4009 devtype=ulla osname=equatDu osversion=1.1710 mastersrcmac=aconse srcmac=01:00:5e:92:c2:23 crscore=20.350000 craction=squira crlevel=aliqui eventtype=ess user=uide service=scivel hostname=henderi724.www5.home profile=tquas reqtype=aquio url=https://www.example.com/iame/orroquis.htm?tiumd=ntmoll#mexer direction=internal msg=isnostru method=nofdeFi cat=aquioff catdesc=saqu device_id=remips log_id=illoi pri=medium userfrom=abori adminprof=uisnostr timezone=GMT+02:00 main_type=ilmole trigger_policy=ugi sub_type=niamquis severity_level=nisi policy=emveleum src=10.243.226.122 src_port=3512 dst=10.3.23.172 dst_port=7332 http_method=emullamc http_url=tec http_host=Nemo http_agent=tutlabo http_session_id=mveleum signature_subclass=liq signature_id=7229 srccountry=sBonorum content_switch_name=atems server_pool_name=quira false_positive_mitigation=tassita user_name=olorem monitor_status=sedquiac http_refer=https://www.example.com/atDuis/asnulapa.html?rumwri=velill#ore http_version=tation dev_id=loinve threat_weight=tatevel history_threat_weight=iumdolo threat_level=untu ftp_mode=ict ftp_cmd=squirati cipher_suite=tem msg_id=mestq +logver=luptate date=2016-12-8 time=5:06:33 log_id=llamc devid=eleumiu devname=uei logid=Nequepo type=radipis subtype=cive level=low vd=orumSec srcip=10.56.74.7 srcport=6149 srcintf=eth2940 dstip=10.73.10.215 dstport=2079 dstintf=lo3472 poluuid=oeni sessionid=untutlab proto=0 action=cancel policyid=consecte trandisp=pteurs duration=26.872000 sentbyte=617 rcvdbyte=1651 devtype=ons osname=tiaecon osversion=1.5380 mastersrcmac=unt srcmac=01:00:5e:99:7b:4a crscore=124.392000 craction=queporro crlevel=uid eventtype=snostrum user=psa service=nculpaq hostname=reseosqu1629.mail.lan profile=utemvel reqtype=epteur url=https://www.example.net/iame/laudanti.htm?stquido=rsitvolu#mnisi direction=external msg=uameiusm method=adm cat=gelitsed catdesc=tiumto device_id=cor log_id=odoco pri=high userfrom=labore adminprof=ianonnu timezone=PST main_type=rum trigger_policy=erc sub_type=ehende severity_level=tutla policy=licaboNe src=10.94.242.80 src_port=2724 dst=10.106.85.174 dst_port=307 http_method=atiset http_url=serror http_host=onse http_agent=umquam http_session_id=emagn signature_subclass=emulla signature_id=1963 srccountry=iquaUt content_switch_name=mnihilm server_pool_name=redo false_positive_mitigation=etMaloru user_name=lmo monitor_status=iquidex http_refer=https://www.example.org/remipsu/tan.html?mcorpor=doconse#etdol http_version=dolorsi dev_id=nturmag threat_weight=tura history_threat_weight=osquirat threat_level=equat ftp_mode=aliquid ftp_cmd=usantiu cipher_suite=idunt msg_id=atqu +logver=liquam dtime=2016-12-23 00:09:07.712538723 +0000 UTC devid=min devname=oluptat vd=odt date=2016-12-23 time=12:09:07 logid=rspici type=snisi subtype=magnaal level=low eventtime=etquasia logtime=nula srcip=10.117.63.181 srcport=5299 srcintf=lo7416 srcintfrole=Cicero dstip=10.247.53.179 dstport=6493 dstintf=lo3706 dstintfrole=atemaccu poluuid=veritat sessionid=aliquipe proto=3 action=block policyid=aer policytype=osquira crscore=171.144000 craction=minim crlevel=scipi appcat=tur service=acon srccountry=Nemoenim dstcountry=usm trandisp=labori tranip=10.168.20.20 tranport=68 duration=167.038000 sentbyte=7188 rcvdbyte=5749 sentpkt=xeac app=umdolors +logver=uiadolo date=2017-1-6 time=7:11:41 log_id=empor devid=umexerci devname=duntut logid=uovol type=prehend subtype=eufug level=low vd=eufug srcip=10.100.53.8 srcport=4318 srcintf=eth5767 dstip=10.163.17.172 dstport=854 dstintf=enp0s3903 poluuid=upta sessionid=atc proto=3 action=block policyid=upta trandisp=itessequ duration=165.935000 sentbyte=4211 rcvdbyte=405 devtype=exerci osname=idata osversion=1.2208 mastersrcmac=usmod srcmac=01:00:5e:c0:47:f3 crscore=135.374000 craction=isiutali crlevel=iquidexe eventtype=illumq user=luptatem service=ite hostname=tasnul4179.internal.host profile=amvo reqtype=tnul url=https://www.example.org/ess/quiad.jpg?ten=litanim#rQuisaut direction=inbound msg=modico method=metco cat=cillu catdesc=iuntNeq device_id=eddoei log_id=rsin pri=very-high userfrom=eriam adminprof=pernat timezone=CEST main_type=imve trigger_policy=essequam sub_type=ueporro severity_level=aliqu policy=upt src=10.141.156.217 src_port=2700 dst=10.53.168.187 dst_port=73 http_method=emacc http_url=emp http_host=lamcola http_agent=veli http_session_id=venia signature_subclass=risni signature_id=1535 srccountry=uat content_switch_name=onemulla server_pool_name=riaturEx false_positive_mitigation=deri user_name=amqu monitor_status=lorsitam http_refer=https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip http_version=upta dev_id=tetura threat_weight=rumet history_threat_weight=uptasnul threat_level=antiumdo ftp_mode=ecill ftp_cmd=iduntu cipher_suite=pisci msg_id=sunt +date=2017-1-20 time=2:14:16 devname=oco device_id=aboree log_id=ainci type=generic subtype=osqu pri=very-high devid=sus devname=imavenia logid=expli type=ugiat subtype=rnat level=low vd=orem srcip=10.37.174.58 srcport=3193 srcintf=lo2990 dstip=10.249.60.66 dstport=4859 dstintf=enp0s1732 poluuid=eve sessionid=tco proto=3 action=accept policyid=oluptate trandisp=lit duration=70.988000 sentbyte=6327 rcvdbyte=837 devtype=oquisqu osname=turadip osversion=1.3402 mastersrcmac=amc srcmac=01:00:5e:dd:dc:44 crscore=160.379000 craction=apar crlevel=runtm eventtype=eturadip user=olorsi service=itseddo hostname=bore5546.www.local profile=labo reqtype=lpaquiof url=https://example.com/xeac/llitanim.txt?oreverit=scip#Finibus direction=inbound msg=eufugia method=ncididun cat=hen catdesc=periamea device_id=itametco log_id=vel pri=high userfrom=rere adminprof=pta timezone=CEST main_type=equeporr trigger_policy=met sub_type=volup severity_level=ptate policy=entsu src=10.44.198.184 src_port=5695 dst=10.189.82.19 dst_port=4267 http_method=odoc http_url=atura http_host=tur http_agent=tur http_session_id=atnonpr signature_subclass=ita signature_id=7570 srccountry=colabori content_switch_name=imidestl server_pool_name=piscing false_positive_mitigation=ceroi user_name=iconsequ monitor_status=iat http_refer=https://www.example.net/siuta/atev.htm?CSe=exerci#inesciu http_version=quid dev_id=atcupid threat_weight=onse history_threat_weight=psa threat_level=ate ftp_mode=con ftp_cmd=tqu cipher_suite=eirur msg_id=dese +logver=mquisnos date=2017-2-3 time=9:16:50 log_id=lore devid=isci devname=Dui logid=reetdo type=ever subtype=civelits level=high vd=quiav srcip=10.154.34.15 srcport=5986 srcintf=enp0s4064 dstip=10.153.172.249 dstport=7030 dstintf=enp0s3067 poluuid=henderit sessionid=remq proto=21 action=cancel policyid=tla trandisp=arch duration=52.795000 sentbyte=5453 rcvdbyte=3097 devtype=ror osname=onsecte osversion=1.91 mastersrcmac=aecatcup srcmac=01:00:5e:58:7e:f5 crscore=133.560000 craction=quas crlevel=occaeca eventtype=eturadip user=ent service=rumSecti hostname=Utenima260.mail.invalid profile=cept reqtype=aedictas url=https://api.example.org/orio/gna.gif?aaliquaU=olu#iameaque direction=external msg=essequa method=aquio cat=rspicia catdesc=deom device_id=oluptat log_id=roinBCSe pri=medium userfrom=onproide adminprof=uamnih timezone=GMT+02:00 main_type=tatisetq trigger_policy=uidolo sub_type=umdolore severity_level=dmi policy=tam src=10.151.170.207 src_port=1400 dst=10.181.183.104 dst_port=5554 http_method=amni http_url=tatio http_host=amquisno http_agent=modoc http_session_id=magnam signature_subclass=uinesc signature_id=4248 srccountry=idatat content_switch_name=onev server_pool_name=orsi false_positive_mitigation=ntsunt user_name=iosamni monitor_status=idu http_refer=https://example.net/idolo/reet.txt?its=umdolor#isiu http_version=assi dev_id=eserun threat_weight=rvelill history_threat_weight=lupta threat_level=byC ftp_mode=imadm ftp_cmd=uta cipher_suite=tisu msg_id=remagnam +logver=iumdo date=2017-2-18 time=4:19:24 log_id=iusmodit devid=aturv devname=ectetura logid=obeataev type=umf subtype=olesti level=low vd=quaeabil srcip=10.19.99.129 srcport=956 srcintf=eth62 dstip=10.205.132.218 dstport=1643 dstintf=enp0s5908 poluuid=inim sessionid=etdol proto=17 action=deny policyid=oremeumf trandisp=lesti duration=49.961000 sentbyte=3376 rcvdbyte=6209 devtype=enima osname=tnulapar osversion=1.7278 mastersrcmac=sequ srcmac=01:00:5e:4a:1d:f8 crscore=84.522000 craction=tionula crlevel=accus eventtype=uatu user=mquis service=lab hostname=uido2046.mail.lan profile=tena reqtype=aal url=https://mail.example.org/nimadmin/lumqui.txt?iquip=tinculpa#umtota direction=external msg=rumSecti method=riamea cat=eca catdesc=oluptate device_id=Duisa log_id=consequa pri=low userfrom=iaecon adminprof=aevitaed timezone=PT main_type=rep trigger_policy=remap sub_type=deri severity_level=quaeratv policy=involu src=10.70.7.23 src_port=2758 dst=10.130.240.11 dst_port=6515 http_method=odic http_url=iuta http_host=liquaUte http_agent=scivelit http_session_id=Nequ signature_subclass=quid signature_id=1044 srccountry=lloinve content_switch_name=borisnis server_pool_name=onorumet false_positive_mitigation=ptatema user_name=eavolup monitor_status=ipsumq http_refer=https://www.example.org/tno/iss.gif?ptatev=atu#teturad http_version=eturad dev_id=tDuis threat_weight=mwritten history_threat_weight=tat threat_level=equ ftp_mode=sumdolo ftp_cmd=idolorem cipher_suite=temvele msg_id=oremque +logver=inimve devname="uio" devid="mexercit" vd=byC date=2017-3-4 time=11:21:59 logid=uae type=oremip subtype=its level=very-high eventtime=iavol logtime=natuserr srcip=10.37.161.101 srcport=1552 srcintf=enp0s6659 srcintfrole=evit dstip=10.111.182.212 dstport=4493 dstintf=lo6533 dstintfrole=lamco poluuid=tion sessionid=hender proto=icmp action=deny policyid=seq policytype=rumSe crscore=88.660000 craction=madmi crlevel=tlabore appcat=idunt service=expl srccountry=olore dstcountry=uian trandisp=atuserro tranip=10.17.209.252 tranport=2119 duration=135.770000 sentbyte=313 rcvdbyte=6509 sentpkt=oinBCS app=itsedd +logver=ipis devname="itautfu" devid="nesci" vd=tam date=2017-3-18 time=6:24:33 logid=sin type=idexeac subtype=nimadmin level=medium eventtime=edutper logtime=tevelite srcip=10.158.175.98 srcport=1491 srcintf=enp0s7649 srcintfrole=oinBCSed dstip=10.170.196.181 dstport=6994 dstintf=enp0s5873 dstintfrole=obeatae poluuid=iquid sessionid=evo proto=udp action=allow policyid=mqu policytype=pteursi crscore=98.596000 craction=expl crlevel=essecill appcat=totamre service=rpo srccountry=velites dstcountry=nonpro trandisp=nula tranip=10.153.166.133 tranport=4638 duration=39.506000 sentbyte=6610 rcvdbyte=1936 sentpkt=olu app=imide +date=2017-4-2 time=1:27:07 logver=amn devid=itessequ devname=porissu logid=umd type=sumd subtype=sectetur level=low vd=aUtenima srcip=10.62.10.137 srcport=5596 srcintf=lo6539 dstip=10.138.249.251 dstport=630 dstintf=eth1576 poluuid=deritinv sessionid=evelite proto=6 action=accept policyid=stiaecon trandisp=usBono duration=155.835000 sentbyte=3942 rcvdbyte=5360 devtype=ttenb osname=olor osversion=1.5978 mastersrcmac=lapa srcmac=01:00:5e:b0:3e:44 crscore=105.845000 craction=lors crlevel=oluptat eventtype=enimad user=tis service=qua hostname=con6049.internal.lan profile=quelaud reqtype=luptat url=https://internal.example.com/temse/caecat.jpg?emeu=tatemac#quisn direction=inbound msg=teursint method=etMa cat=llita catdesc=ntsunt device_id=nturmag log_id=uredol pri=high userfrom=temsequi adminprof=mquia timezone=ET main_type=enbyCic trigger_policy=iveli sub_type=conseq severity_level=itame policy=tenat src=10.63.171.91 src_port=4396 dst=10.48.25.200 dst_port=5179 http_method=nse http_url=mveniam http_host=tuser http_agent=mmo http_session_id=eve signature_subclass=nbyCicer signature_id=6129 srccountry=ciad content_switch_name=ugiatqu server_pool_name=eruntmo false_positive_mitigation=nimve user_name=usanti monitor_status=ion http_refer=https://mail.example.org/gelits/iavo.txt?udexerc=ovolupta#volup http_version=macc dev_id=ria threat_weight=beat history_threat_weight=rro threat_level=tuser ftp_mode=ctasu ftp_cmd=irat cipher_suite=sitame msg_id=oinven +logver=ute dtime=2017-04-16 08:29:41.792538723 +0000 UTC devid=mexer devname=iam vd=Bonoru date=2017-4-16 time=8:29:41 logid=rcitati type=nula subtype=ameaquei level=low eventtime=adipi logtime=mquis srcip=10.174.17.46 srcport=2743 srcintf=eth6814 srcintfrole=ine dstip=10.77.105.81 dstport=4455 dstintf=enp0s7799 dstintfrole=orem poluuid=giatqu sessionid=rsint proto=udp action=allow policyid=paq policytype=uianon crscore=60.762000 craction=uisautem crlevel=mquameiu appcat=loremq service=turmagni srccountry=ores dstcountry=ddoe trandisp=uid tranip=10.38.168.190 tranport=7260 duration=129.140000 sentbyte=368 rcvdbyte=7791 sentpkt=incidi app=aedictas +logver=temaccus devname="ons" devid="unt" vd=liq date=2017-4-30 time=3:32:16 logid=abore type=iumdo subtype=oreeu level=high eventtime=exe logtime=tis srcip=10.36.99.207 srcport=4829 srcintf=lo497 srcintfrole=tvol dstip=10.225.37.73 dstport=5630 dstintf=eth1882 dstintfrole=eniamqu poluuid=iumt sessionid=porissus proto=udp action=cancel policyid=tsunt policytype=rnat crscore=88.508000 craction=ured crlevel=ctetu appcat=oreeu service=uasiarch srccountry=Malor dstcountry=boriosa trandisp=cillumdo tranip=10.166.142.198 tranport=4151 duration=1.040000 sentbyte=465 rcvdbyte=7663 sentpkt=oreetd app=lor +logver=etc devname="eturadip" devid="nost" vd=atus date=2017-5-14 time=10:34:50 logid=tassitas type=obea subtype=velite level=medium eventtime=litse logtime=san srcip=10.66.90.225 srcport=4846 srcintf=lo4891 srcintfrole=moenimi dstip=10.214.156.161 dstport=3854 dstintf=eth1188 dstintfrole=ati poluuid=rauto sessionid=doloreeu proto=6 action=block policyid=eumfu policytype=docons crscore=3.408000 craction=eumf crlevel=roquisq appcat=uasi service=maveniam srccountry=uis dstcountry=lill trandisp=remeum tranip=10.145.194.12 tranport=1001 duration=25.398000 sentbyte=6452 rcvdbyte=6820 sentpkt=aturE app=umto +logver=pariat devname="iutal" devid="teturad" vd=ese date=2017-5-29 time=5:37:24 logid=eddoei type=lorumw subtype=eca level=medium eventtime=nimve logtime=duntut srcip=10.6.242.108 srcport=3373 srcintf=lo3230 srcintfrole=qua dstip=10.156.208.5 dstport=7612 dstintf=lo1800 dstintfrole=quisn poluuid=pteu sessionid=uatD proto=0 action=cancel policyid=antiu policytype=velillum crscore=166.389000 craction=iatquovo crlevel=lapari appcat=Mal service=itinvo srccountry=snulap dstcountry=cidu trandisp=hilmol tranip=10.163.36.101 tranport=253 duration=72.488000 sentbyte=1880 rcvdbyte=4638 sentpkt=ident app=scip +date=2017-6-12 time=12:39:58 devname=uamqu device_id=iusmodi log_id=esciun type=generic subtype=tasnul pri=medium devid=ccusant devname=epteurs logid=rmag type=quisquam subtype=eporroqu level=very-high vd=dit srcip=10.25.134.171 srcport=7867 srcintf=eth4543 dstip=10.43.235.230 dstport=2198 dstintf=lo4581 poluuid=BCSe sessionid=rem proto=0 action=allow policyid=eeufug trandisp=ntin duration=6.686000 sentbyte=5763 rcvdbyte=1048 devtype=cinge osname=tatem osversion=1.4713 mastersrcmac=eritqu srcmac=01:00:5e:ed:6b:57 crscore=10.603000 craction=nimip crlevel=iutaliq eventtype=olore user=onemul service=trudexe hostname=remeum2641.www5.corp profile=Quisa reqtype=quiav url=https://www5.example.com/elit/sam.htm?nevolu=unt#isni direction=outbound msg=ecillum method=olor cat=amei catdesc=doconseq device_id=conseq log_id=emve pri=very-high userfrom=tiu adminprof=wri timezone=GMT-07:00 main_type=asper trigger_policy=dictasun sub_type=psa severity_level=lorese policy=olupta src=10.220.148.127 src_port=6681 dst=10.68.233.163 dst_port=3126 http_method=itanimi http_url=onoru http_host=data http_agent=ugits http_session_id=ittenb signature_subclass=tobeatae signature_id=5617 srccountry=quis content_switch_name=exe server_pool_name=naa false_positive_mitigation=equat user_name=estiaec monitor_status=pitlabo http_refer=https://example.net/rcitat/ree.htm?ionofdeF=rsp#imipsa http_version=nostrum dev_id=autodita threat_weight=ntut history_threat_weight=temveleu threat_level=itametco ftp_mode=etcons ftp_cmd=etco cipher_suite=iuntN msg_id=utfugi +logver=isnostru date=2017-6-26 time=7:42:33 log_id=nul devid=ntocca devname=trudex logid=tvol type=lup subtype=mipsamv level=medium vd=qua srcip=10.249.194.7 srcport=4987 srcintf=enp0s2282 dstip=10.57.116.17 dstport=90 dstintf=enp0s7442 poluuid=xcep sessionid=gnidol proto=0 action=allow policyid=uaeab trandisp=ptat duration=136.310000 sentbyte=1078 rcvdbyte=6196 devtype=eturadip osname=amquaera osversion=1.4481 mastersrcmac=equ srcmac=01:00:5e:00:fd:79 crscore=18.750000 craction=olesti crlevel=edquia eventtype=ihi user=undeomn service=ape hostname=itaspe3216.localdomain profile=onsecte reqtype=prehende url=https://example.org/porro/issu.htm?inculpa=ruredol#iadeseru direction=unknown msg=numq method=quae cat=periam catdesc=ain device_id=umiurer log_id=mquido pri=very-high userfrom=onorume adminprof=abill timezone=GMT+02:00 main_type=uov trigger_policy=mini sub_type=mve severity_level=tionev policy=uasiarch src=10.116.82.108 src_port=7276 dst=10.94.177.125 dst_port=6683 http_method=nimides http_url=olorsit http_host=naaliq http_agent=plica http_session_id=asiarc signature_subclass=lor signature_id=5152 srccountry=snula content_switch_name=pici server_pool_name=bori false_positive_mitigation=dipi user_name=ecatc monitor_status=quovolu http_refer=https://example.net/itse/sse.gif?lupt=quatur#dminim http_version=ptatevel dev_id=aperiame threat_weight=stenat history_threat_weight=uianonnu threat_level=tatiset ftp_mode=quira ftp_cmd=ciatisun cipher_suite=duntutl msg_id=nven +date=2017-7-11 time=2:45:07 devname=saq device_id=asiarch log_id=ssuscipi type=generic subtype=utla pri=medium devid=tquovo devname=fugi logid=nse type=nesciu subtype=todit level=very-high vd=inrepreh srcip=10.14.192.162 srcport=2536 srcintf=enp0s4429 dstip=10.179.128.6 dstport=3375 dstintf=enp0s4580 poluuid=ptate sessionid=volupta proto=3 action=cancel policyid=utla trandisp=emi duration=171.651000 sentbyte=3313 rcvdbyte=7131 devtype=velites osname=oloremi osversion=1.4442 mastersrcmac=apari srcmac=01:00:5e:0c:fb:2b crscore=140.065000 craction=uel crlevel=fficiad eventtype=teirured user=nostru service=rcit hostname=mea6298.api.example profile=eumiu reqtype=tatevel url=https://mail.example.org/uamquaer/texplica.gif?sequa=lorum#suntexpl direction=inbound msg=Sedut method=tatis cat=audant catdesc=obeata device_id=uredol log_id=uptat pri=low userfrom=entorev adminprof=quuntur timezone=GMT+02:00 main_type=exercit trigger_policy=dexer sub_type=idolor severity_level=onpr policy=uira src=10.115.121.243 src_port=550 dst=10.113.152.241 dst_port=2330 http_method=ali http_url=udexerci http_host=uae http_agent=imveni http_session_id=econ signature_subclass=aborio signature_id=1122 srccountry=setquas content_switch_name=nbyCi server_pool_name=runtmoll false_positive_mitigation=busBon user_name=norumetM monitor_status=isno http_refer=https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure http_version=isiut dev_id=tin threat_weight=rporiss history_threat_weight=billoinv threat_level=etconse ftp_mode=nesciu ftp_cmd=mali cipher_suite=roinBCSe msg_id=eetdolor +date=2017-7-25 time=9:47:41 logver=upt devid=equamni devname=atcupi logid=enima type=uptateve subtype=fugitsed level=medium vd=lorem srcip=10.68.159.207 srcport=3320 srcintf=enp0s7206 dstip=10.139.195.188 dstport=893 dstintf=enp0s6960 poluuid=lits sessionid=tvolu proto=17 action=accept policyid=ollitan trandisp=temseq duration=0.684000 sentbyte=3045 rcvdbyte=6863 devtype=edictasu osname=eturadi osversion=1.3804 mastersrcmac=edquiano srcmac=01:00:5e:09:79:f2 crscore=11.231000 craction=taevitae crlevel=tevel eventtype=tatemse user=gitsed service=agn hostname=iqu7510.internal.corp profile=equeporr reqtype=amremap url=https://www5.example.org/aqu/utemvele.gif?serrorsi=tsedquia#rsit direction=unknown msg=ntutlabo method=idex cat=nihilmo catdesc=reetdo device_id=xeaco log_id=taliqu pri=medium userfrom=hite adminprof=umfugi timezone=CT main_type=dminimve trigger_policy=remips sub_type=laboreet severity_level=uptate policy=tot src=10.49.82.45 src_port=435 dst=10.179.153.97 dst_port=1908 http_method=ade http_url=nihilmol http_host=nder http_agent=ano http_session_id=rumexer signature_subclass=eab signature_id=2387 srccountry=saquaeab content_switch_name=eli server_pool_name=rissusci false_positive_mitigation=ectetur user_name=dictasun monitor_status=inimv http_refer=https://api.example.org/volup/untNeq.htm?mremaper=uteirur#ntium http_version=ide dev_id=quunturm threat_weight=quovo history_threat_weight=quaturve threat_level=ntiumdol ftp_mode=conse ftp_cmd=aturve cipher_suite=edqui msg_id=tvolu +logver=ore devname="lors" devid="saute" vd=ecillumd date=2017-8-8 time=4:50:15 logid=iumto type=sequatu subtype=tiumtot level=medium eventtime=mdoloree logtime=que srcip=10.98.52.184 srcport=7402 srcintf=eth3784 srcintfrole=ita dstip=10.99.55.115 dstport=1537 dstintf=eth855 dstintfrole=isnostru poluuid=iad sessionid=ngelits proto=tcp action=accept policyid=billoi policytype=reseo crscore=158.047000 craction=uov crlevel=pariat appcat=icaboNe service=boreetd srccountry=uir dstcountry=rumex trandisp=ectobea tranip=10.205.83.138 tranport=6239 duration=170.113000 sentbyte=3290 rcvdbyte=722 sentpkt=ibus app=lumdol +logver=onnu devname="reprehe" devid="metMa" vd=emoen date=2017-8-22 time=11:52:50 logid=ptate type=mipsumqu subtype=turad level=high eventtime=billo logtime=doloremi srcip=10.197.128.162 srcport=2052 srcintf=lo6750 srcintfrole=ionof dstip=10.90.189.248 dstport=1293 dstintf=lo2402 dstintfrole=roi poluuid=reh sessionid=volup proto=prm action=allow policyid=iconsequ policytype=ueporr crscore=127.832000 craction=archite crlevel=tur appcat=ddo service=emp srccountry=inBC dstcountry=did trandisp=atcupi tranip=10.228.11.50 tranport=984 duration=3.401000 sentbyte=6907 rcvdbyte=422 sentpkt=mcol app=tion +date=2017-9-6 time=6:55:24 devname=moll device_id=roinBCS log_id=odit type=event subtype=vol pri=low desc=aloru user=cteturad userfrom=modi msg=cip action=deny adom=ntoccae2859.www.test session_id=incididu +date=2017-9-20 time=1:57:58 devname=uinesci device_id=otamr log_id=tsed type=generic subtype=rExc pri=medium devid=saute devname=umdol logid=rerepr type=ipiscin subtype=trudexe level=high vd=ineavol srcip=10.29.34.211 srcport=5638 srcintf=eth1805 dstip=10.161.15.82 dstport=6598 dstintf=enp0s5799 poluuid=aco sessionid=eFini proto=17 action=cancel policyid=mipsa trandisp=uas duration=118.122000 sentbyte=1737 rcvdbyte=6283 devtype=umexe osname=xce osversion=1.7318 mastersrcmac=suntex srcmac=01:00:5e:5b:68:89 crscore=29.865000 craction=rcitati crlevel=siutali eventtype=uiratio user=ficia service=orsit hostname=deFinibu3940.internal.lan profile=rautod reqtype=onorumet url=https://www5.example.com/etcon/chit.txt?erspici=itinvolu#adeserun direction=unknown msg=tinv method=Utenima cat=nse catdesc=umq device_id=enim log_id=oreve pri=low userfrom=snisiu adminprof=atem timezone=ET main_type=vento trigger_policy=litsed sub_type=ciun severity_level=rehender policy=tetura src=10.124.71.88 src_port=7540 dst=10.22.248.52 dst_port=6566 http_method=cons http_url=tinvolu http_host=ptat http_agent=amquisn http_session_id=Finibus signature_subclass=nsequat signature_id=3661 srccountry=scipi content_switch_name=rem server_pool_name=reh false_positive_mitigation=rsitame user_name=tcons monitor_status=squamest http_refer=https://mail.example.com/emveleum/siuta.html?ate=epteur#onproi http_version=usmodit dev_id=orese threat_weight=umdolore history_threat_weight=umqui threat_level=adipisci ftp_mode=eir ftp_cmd=ull cipher_suite=tlabor msg_id=itecto +date=2017-10-4 time=9:00:32 logver=ametcons devid=velite devname=ipexeac logid=explicab type=samvolu subtype=teiru level=low vd=orinrep srcip=10.228.213.136 srcport=7247 srcintf=lo1719 dstip=10.185.107.27 dstport=2257 dstintf=enp0s4999 poluuid=iduntutl sessionid=mipsumd proto=udp action=block policyid=quelauda trandisp=rcit duration=166.303000 sentbyte=7229 rcvdbyte=6230 devtype=orese osname=evelite osversion=1.4895 mastersrcmac=oremipsu srcmac=01:00:5e:cd:f6:0e crscore=37.237000 craction=equunt crlevel=mto eventtype=iae user=dent service=Uten hostname=tatiset4191.localdomain profile=aconseq reqtype=mquamei url=https://api.example.org/fug/liquid.txt?ptate=lloi#nseq direction=external msg=isetqua method=ianonn cat=oluptas catdesc=doe device_id=quipex log_id=rchitect pri=very-high userfrom=Bonor adminprof=ipex timezone=PT main_type=upta trigger_policy=ivel sub_type=tmollita severity_level=tionofd policy=iatnula src=10.185.37.176 src_port=1859 dst=10.26.58.20 dst_port=2809 http_method=essequam http_url=undeo http_host=ficiade http_agent=uiinea http_session_id=uianonn signature_subclass=eavolupt signature_id=784 srccountry=elitsedq content_switch_name=liquam server_pool_name=sinto false_positive_mitigation=edi user_name=eumiure monitor_status=ore http_refer=https://internal.example.com/mSe/sis.gif?rchite=rcit#orumwri http_version=tiae dev_id=giat threat_weight=nculpa history_threat_weight=olupt threat_level=tvol ftp_mode=ostru ftp_cmd=mea cipher_suite=tuserror msg_id=agnama +logver=deritq dtime=2017-10-19 04:03:07.172538723 +0000 UTC devid=boreetdo devname=teni vd=iin date=2017-10-19 time=4:03:07 logid=nostr type=luptatem subtype=tNequepo level=low eventtime=eumfug logtime=sper srcip=10.200.12.126 srcport=2347 srcintf=enp0s7374 srcintfrole=liqu dstip=10.14.145.107 dstport=4362 dstintf=enp0s7861 dstintfrole=aliq poluuid=utem sessionid=oreetd proto=HOPOPT action=block policyid=Nequepo policytype=edictas crscore=55.933000 craction=tur crlevel=borisnis appcat=elitsedd service=hitecto srccountry=loremi dstcountry=nven trandisp=isci tranip=10.250.231.196 tranport=5863 duration=4.105000 sentbyte=2763 rcvdbyte=5047 sentpkt=aquioff app=cip +logver=onsequat dtime=2017-11-02 11:05:41.432538723 +0000 UTC devid=tiumd devname=atuse vd=imad date=2017-11-2 time=11:05:41 logid=tura type=equuntur subtype=rve level=high eventtime=mqua logtime=xer srcip=10.225.34.176 srcport=5569 srcintf=lo2867 srcintfrole=amquisn dstip=10.21.203.112 dstport=5930 dstintf=enp0s1294 dstintfrole=sum poluuid=lloinve sessionid=eni proto=HOPOPT action=cancel policyid=edquiac policytype=psamvolu crscore=80.314000 craction=unturma crlevel=iavol appcat=psumdol service=urautodi srccountry=equamni dstcountry=fugia trandisp=uptate tranip=10.103.36.192 tranport=1974 duration=129.001000 sentbyte=2801 rcvdbyte=2565 sentpkt=imidest app=citation +logver=nof devname="usantiu" devid="periam" vd=remip date=2017-11-16 time=6:08:15 logid=dexea type=aturExc subtype=antiumto level=low eventtime=obe logtime=niamqu srcip=10.140.59.161 srcport=3599 srcintf=eth575 srcintfrole=tev dstip=10.5.67.140 dstport=5687 dstintf=enp0s6143 dstintfrole=intoc poluuid=obeataev sessionid=rrorsit proto=udp action=accept policyid=umquid policytype=olabo crscore=79.046000 craction=dolor crlevel=rsp appcat=quir service=giatqu srccountry=olors dstcountry=roid trandisp=lorum tranip=10.118.111.183 tranport=5410 duration=96.462000 sentbyte=6821 rcvdbyte=6222 sentpkt=mipsu app=nvol +date=2017-12-1 time=1:10:49 logver=llu devid=quaUt devname=labor logid=oris type=tatemse subtype=uta level=very-high vd=tse srcip=10.170.104.148 srcport=5722 srcintf=lo259 dstip=10.60.92.40 dstport=5836 dstintf=enp0s4446 poluuid=dicons sessionid=BCSedutp proto=udp action=accept policyid=ritatise trandisp=nihilm duration=104.607000 sentbyte=6659 rcvdbyte=5351 devtype=isauteir osname=eritquii osversion=1.4493 mastersrcmac=uisno srcmac=01:00:5e:e9:ec:d5 crscore=34.736000 craction=itaed crlevel=invol eventtype=Loremips user=cidun service=tassitas hostname=nimadmi4084.api.home profile=eufugia reqtype=nor url=https://example.net/aturQui/tquii.html?uiac=squ#litess direction=unknown msg=involupt method=itempo cat=upt catdesc=rve device_id=amq log_id=abillo pri=high userfrom=ationem adminprof=Nem timezone=OMST main_type=ollita trigger_policy=dipisci sub_type=amnisiu severity_level=ptat policy=epr src=10.7.70.169 src_port=2514 dst=10.28.212.191 dst_port=1997 http_method=nostru http_url=Loremip http_host=veleumiu http_agent=rcita http_session_id=turad signature_subclass=sequamni signature_id=4799 srccountry=ollita content_switch_name=ectetu server_pool_name=radi false_positive_mitigation=ula user_name=itsed monitor_status=rad http_refer=https://internal.example.com/ididu/autodit.gif?seru=oriss#imadmin http_version=suntexpl dev_id=urve threat_weight=sBonoru history_threat_weight=everi threat_level=squ ftp_mode=emagnaal ftp_cmd=nih cipher_suite=ncididu msg_id=itati +date=2017-12-15 time=8:13:24 logver=estla devid=ione devname=ecillum logid=maccu type=ame subtype=pitlabo level=very-high vd=urExc srcip=10.37.124.214 srcport=6919 srcintf=lo7727 dstip=10.37.111.228 dstport=7082 dstintf=enp0s20 poluuid=dmini sessionid=tquid proto=17 action=block policyid=iatisun trandisp=cto duration=144.899000 sentbyte=2372 rcvdbyte=7417 devtype=imadmini osname=iatisund osversion=1.6506 mastersrcmac=aUtenim srcmac=01:00:5e:28:0c:11 crscore=172.422000 craction=etdol crlevel=sed eventtype=uep user=ametco service=nde hostname=reprehe3525.www5.example profile=mquisno reqtype=eaco url=https://mail.example.org/mvele/teveli.htm?Nequepor=luptate#aturvel direction=internal msg=dexea method=sedquia cat=litesse catdesc=ntmo device_id=aliqu log_id=iqu pri=very-high userfrom=ationula adminprof=doconse timezone=CEST main_type=oreeufug trigger_policy=ptatems sub_type=tenima severity_level=emagnam policy=iaco src=10.148.197.60 src_port=5711 dst=10.143.144.52 dst_port=974 http_method=nvo http_url=lab http_host=sedqui http_agent=iuntNe http_session_id=tdolor signature_subclass=Ute signature_id=2191 srccountry=uepor content_switch_name=umSecti server_pool_name=eabil false_positive_mitigation=ibusB user_name=rporis monitor_status=etco http_refer=https://example.org/ereprehe/olu.html?liqu=ipsu#siarch http_version=itautfu dev_id=rrorsi threat_weight=ole history_threat_weight=odi threat_level=tper ftp_mode=olor ftp_cmd=corpo cipher_suite=commod msg_id=iumd +logver=aborisn dtime=2017-12-29 15:15:58.472538723 +0000 UTC devid=onproid devname=sitv vd=equam date=2017-12-29 time=3:15:58 logid=bor type=ameaquei subtype=aeca level=very-high eventtime=aperiam logtime=ngelit srcip=10.217.145.137 srcport=5242 srcintf=enp0s6940 srcintfrole=orema dstip=10.22.149.132 dstport=7725 dstintf=lo7156 dstintfrole=neavolup poluuid=lits sessionid=Nemoen proto=0 action=block policyid=rur policytype=quaturve crscore=166.007000 craction=oeiusmod crlevel=uidolore appcat=iacon service=ncu srccountry=quaturve dstcountry=ciad trandisp=diconseq tranip=10.251.183.113 tranport=2604 duration=161.433000 sentbyte=5697 rcvdbyte=7299 sentpkt=eseosqu app=uptatem +logver=uamnihil devname="nisi" devid="imadm" vd=siutali date=2018-1-12 time=10:18:32 logid=mfugi type=ceroinBC subtype=lorumw level=low eventtime=squir logtime=commod srcip=10.183.16.252 srcport=3150 srcintf=lo6718 srcintfrole=eabillo dstip=10.203.66.175 dstport=3904 dstintf=enp0s3868 dstintfrole=dipisciv poluuid=nsequun sessionid=hen proto=icmp action=accept policyid=velillum policytype=itamet crscore=123.013000 craction=hil crlevel=itl appcat=idolo service=ncidid srccountry=oid dstcountry=iarchit trandisp=volupt tranip=10.51.60.203 tranport=5315 duration=165.955000 sentbyte=7551 rcvdbyte=1519 sentpkt=ten app=Utenim +date=2018-1-27 time=5:21:06 logver=uasiarch devid=iamquisn devname=magnama logid=reprehe type=citatio subtype=dolo level=medium vd=esciunt srcip=10.133.245.26 srcport=1727 srcintf=enp0s2674 dstip=10.76.87.30 dstport=2858 dstintf=enp0s2918 poluuid=remag sessionid=roinBCSe proto=HOPOPT action=accept policyid=labori trandisp=ditau duration=39.920000 sentbyte=5413 rcvdbyte=6650 devtype=tam osname=olu osversion=1.409 mastersrcmac=iut srcmac=01:00:5e:5c:c2:50 crscore=69.137000 craction=boris crlevel=ris eventtype=nisiuta user=utper service=uipexe hostname=ursint411.www.lan profile=gnamali reqtype=iumdo url=https://example.org/tem/iadeseru.jpg?olorsita=odoco#etc direction=internal msg=lamco method=natuser cat=Excepteu catdesc=omnis device_id=tati log_id=orinc pri=very-high userfrom=eturadi adminprof=cinge timezone=PT main_type=ira trigger_policy=niamq sub_type=quatD severity_level=nevol policy=lumquid src=10.157.14.165 src_port=7170 dst=10.61.200.105 dst_port=2813 http_method=tquov http_url=natu http_host=doei http_agent=acomm http_session_id=veleumi signature_subclass=volupt signature_id=6822 srccountry=itatise content_switch_name=ure server_pool_name=userro false_positive_mitigation=oree user_name=nimadmi monitor_status=utaliq http_refer=https://example.com/tinvolu/uredol.txt?did=lamcol#idolor http_version=tutlabor dev_id=nse threat_weight=rauto history_threat_weight=rese threat_level=nonproi ftp_mode=doconse ftp_cmd=henderi cipher_suite=tisunde msg_id=ende +date=2018-2-10 time=12:23:41 logver=commod devid=oris devname=rcita logid=ataev type=oris subtype=incidi level=high vd=tutlabo srcip=10.32.66.161 srcport=881 srcintf=lo4523 dstip=10.134.238.8 dstport=2976 dstintf=enp0s1238 poluuid=edquiac sessionid=sit proto=HOPOPT action=allow policyid=olo trandisp=laboris duration=163.866000 sentbyte=7328 rcvdbyte=5375 devtype=tutl osname=nevolu osversion=1.5475 mastersrcmac=ostru srcmac=01:00:5e:e9:5f:84 crscore=157.516000 craction=aven crlevel=idolore eventtype=psaqu user=psa service=pta hostname=ididunt7607.mail.localhost profile=ntutlabo reqtype=leumiure url=https://mail.example.net/epteurs/usmodtem.gif?itvo=asi#tobe direction=internal msg=Lore method=oin cat=eritquii catdesc=taliqui device_id=ecatcu log_id=entoreve pri=high userfrom=umquam adminprof=onev timezone=CET main_type=tionev trigger_policy=ali sub_type=ionu severity_level=perna policy=moll src=10.242.178.15 src_port=3948 dst=10.217.111.77 dst_port=7309 http_method=datatno http_url=equepor http_host=antium http_agent=ugiatn http_session_id=utpe signature_subclass=hend signature_id=1170 srccountry=agnamali content_switch_name=ptateve server_pool_name=aliqua false_positive_mitigation=officiad user_name=nimadmin monitor_status=iavol http_refer=https://example.net/iumtota/qui.jpg?quel=ugitsed#ritatis http_version=olor dev_id=emoenim threat_weight=turadipi history_threat_weight=umSec threat_level=onsecte ftp_mode=inibusBo ftp_cmd=tqui cipher_suite=sequun msg_id=nimadm +date=2018-2-24 time=7:26:15 logver=vitaedic devid=remip devname=rsita logid=rehe type=aper subtype=gnaa level=low vd=uta srcip=10.161.128.235 srcport=6280 srcintf=eth2121 dstip=10.84.29.117 dstport=1245 dstintf=eth7500 poluuid=errorsi sessionid=umwr proto=HOPOPT action=cancel policyid=cupida trandisp=rinc duration=5.709000 sentbyte=289 rcvdbyte=6059 devtype=dquia osname=ommod osversion=1.142 mastersrcmac=dico srcmac=01:00:5e:06:53:8a crscore=35.836000 craction=imipsa crlevel=iscinge eventtype=ora user=meumfug service=inimve hostname=mco2906.domain profile=sitvolu reqtype=eratv url=https://www.example.com/iadolo/cidu.txt?aliquide=redolori#eav direction=inbound msg=nse method=turQuis cat=tat catdesc=pta device_id=henderi log_id=onsec pri=high userfrom=itaspern adminprof=tau timezone=GMT+02:00 main_type=rsintoc trigger_policy=boreetd sub_type=rehende severity_level=sitamet policy=xerc src=10.199.119.251 src_port=7286 dst=10.86.152.227 dst_port=850 http_method=ant http_url=tiu http_host=ommodoco http_agent=rehe http_session_id=eseosqu signature_subclass=oeius signature_id=641 srccountry=eaqueip content_switch_name=laud server_pool_name=uido false_positive_mitigation=uis user_name=msequin monitor_status=autem http_refer=https://internal.example.org/ipi/qua.htm?itat=adipisc#omnisist http_version=orroqui dev_id=sci threat_weight=psamvolu history_threat_weight=itsedqui threat_level=oreve ftp_mode=omn ftp_cmd=onevol cipher_suite=ese msg_id=reprehen +date=2018-3-11 time=2:28:49 logver=eumfugia devid=nimvenia devname=dol logid=rissusc type=lit subtype=quin level=low vd=eddoei srcip=10.35.73.208 srcport=7081 srcintf=eth6552 dstip=10.216.120.61 dstport=6389 dstintf=eth2068 poluuid=dolor sessionid=emUteni proto=tcp action=deny policyid=illoin trandisp=rinre duration=166.295000 sentbyte=5988 rcvdbyte=3374 devtype=olorem osname=mquae osversion=1.1789 mastersrcmac=rQuis srcmac=01:00:5e:b5:9a:3e crscore=5.250000 craction=enimadmi crlevel=elit eventtype=uia user=tem service=unt hostname=ntex5135.corp profile=mqua reqtype=equa url=https://internal.example.com/isc/umdol.jpg?atn=sectet#boreetd direction=outbound msg=olorin method=oluptat cat=olors catdesc=mSecti device_id=ius log_id=quian pri=low userfrom=urExce adminprof=upt timezone=PST main_type=pteurs trigger_policy=intocc sub_type=abo severity_level=orisnis policy=reseo src=10.239.194.105 src_port=3629 dst=10.234.171.117 dst_port=4488 http_method=tenatus http_url=odic http_host=ono http_agent=umtota http_session_id=consequ signature_subclass=ine signature_id=3409 srccountry=dex content_switch_name=ipis server_pool_name=nsecte false_positive_mitigation=miurere user_name=tat monitor_status=pitlabor http_refer=https://example.com/olupta/ape.jpg?mnisiut=eabil#olu http_version=uaUte dev_id=empor threat_weight=ate history_threat_weight=eca threat_level=inre ftp_mode=aliqu ftp_cmd=orem cipher_suite=dquian msg_id=isaute +logver=emagnaal dtime=2018-03-25 09:31:24.032538723 +0000 UTC devid=uunturm devname=nonnumq vd=tqu date=2018-3-25 time=9:31:24 logid=ntocca type=emquelau subtype=adolorsi level=medium eventtime=maliquam logtime=ovol srcip=10.34.41.75 srcport=4436 srcintf=enp0s7638 srcintfrole=eseosqu dstip=10.249.16.201 dstport=4293 dstintf=lo5084 dstintfrole=mvele poluuid=qui sessionid=etMa proto=3 action=accept policyid=aspe policytype=uradipi crscore=22.220000 craction=atu crlevel=amremape appcat=illoinve service=uis srccountry=itanimi dstcountry=rinc trandisp=isistena tranip=10.107.168.208 tranport=1864 duration=45.477000 sentbyte=1067 rcvdbyte=2855 sentpkt=ctionofd app=uianonnu +logver=nisiste date=2018-4-8 time=4:33:58 log_id=sedqu devid=itautfu devname=aaliq logid=tDui type=ernatur subtype=itsed level=low vd=xeacomm srcip=10.112.57.220 srcport=5803 srcintf=enp0s1897 dstip=10.19.151.236 dstport=884 dstintf=enp0s4144 poluuid=estiaeco sessionid=vele proto=HOPOPT action=allow policyid=yCiceroi trandisp=loremeu duration=156.263000 sentbyte=3719 rcvdbyte=7292 devtype=colab osname=itte osversion=1.6905 mastersrcmac=orumS srcmac=01:00:5e:c1:b8:93 crscore=60.950000 craction=uptat crlevel=incidun eventtype=agnaaliq user=aturQuis service=cepteurs hostname=tat1845.internal.invalid profile=rumetMal reqtype=tiumtot url=https://www.example.com/imadm/ugiat.txt?Nequepor=nisiu#ptat direction=inbound msg=eddoe method=seq cat=uae catdesc=tobeata device_id=ctas log_id=vol pri=high userfrom=gna adminprof=itautf timezone=ET main_type=eprehe trigger_policy=ariatu sub_type=aqueip severity_level=aqueip policy=rautod src=10.96.168.24 src_port=6206 dst=10.109.106.194 dst_port=5356 http_method=Sedut http_url=stiaec http_host=rveli http_agent=serr http_session_id=umdolo signature_subclass=iduntut signature_id=4281 srccountry=rorsitv content_switch_name=caboNemo server_pool_name=cididun false_positive_mitigation=iamqu user_name=ommodoc monitor_status=mwrit http_refer=https://www5.example.com/madminim/onse.txt?reeuf=orinrepr#tinvo http_version=oru dev_id=ainc threat_weight=aeab history_threat_weight=iat threat_level=acom ftp_mode=olo ftp_cmd=eipsaq cipher_suite=enatu msg_id=mfu +logver=aliqui date=2018-4-22 time=11:36:32 log_id=uipexea devid=sauteiru devname=nibusB logid=eetdolo type=issuscip subtype=iduntu level=high vd=rinc srcip=10.109.224.208 srcport=1769 srcintf=enp0s3638 dstip=10.31.34.96 dstport=4651 dstintf=enp0s390 poluuid=atis sessionid=edol proto=icmp action=deny policyid=adip trandisp=ugiatq duration=128.795000 sentbyte=4249 rcvdbyte=6693 devtype=atemUte osname=emag osversion=1.1353 mastersrcmac=ecatcup srcmac=01:00:5e:63:85:d2 crscore=62.286000 craction=oin crlevel=isautem eventtype=eiusm user=assit service=ulpaq hostname=ulamc767.internal.lan profile=iades reqtype=mremape url=https://mail.example.net/ionemu/nul.jpg?volupt=ori#sed direction=inbound msg=maveniam method=ctobeat cat=emoenim catdesc=oqui device_id=olab log_id=remagnam pri=high userfrom=mSecti adminprof=volupt timezone=OMST main_type=ela trigger_policy=fugits sub_type=litseddo severity_level=idestl policy=ptasn src=10.112.155.228 src_port=5011 dst=10.47.191.95 dst_port=6242 http_method=velillu http_url=radipi http_host=iatn http_agent=aturE http_session_id=beat signature_subclass=pern signature_id=7568 srccountry=itvolupt content_switch_name=uradip server_pool_name=perspi false_positive_mitigation=uaer user_name=aed monitor_status=tectobe http_refer=https://example.org/scingeli/uatDuis.gif?apari=itesseci#utali http_version=ofdeFin dev_id=siutaliq threat_weight=urvel history_threat_weight=turE threat_level=ntium ftp_mode=imadmi ftp_cmd=dquiac cipher_suite=liquide msg_id=uatD +logver=gnidolor dtime=2018-05-07 06:39:06.812538723 +0000 UTC devid=BCSedut devname=metco vd=vel date=2018-5-7 time=6:39:06 logid=tmol type=acommodi subtype=ccaecat level=low eventtime=mqu logtime=mips srcip=10.103.169.94 srcport=2174 srcintf=lo5821 srcintfrole=osqu dstip=10.140.137.17 dstport=446 dstintf=enp0s4444 dstintfrole=iono poluuid=atcupi sessionid=dexe proto=0 action=allow policyid=exerci policytype=ems crscore=15.728000 craction=nulapa crlevel=tess appcat=eroi service=enby srccountry=riatur dstcountry=amrema trandisp=illum tranip=10.62.241.218 tranport=7444 duration=5.969000 sentbyte=4832 rcvdbyte=6033 sentpkt=urere app=involu +logver=tem devname="litsedq" devid="amre" vd=orpori date=2018-5-21 time=1:41:41 logid=sistena type=iam subtype=saquae level=low eventtime=itanimid logtime=ianonnum srcip=10.90.229.92 srcport=6796 srcintf=lo1752 srcintfrole=inculp dstip=10.251.212.166 dstport=3925 dstintf=eth1592 dstintfrole=aboNemo poluuid=tsedquia sessionid=ididun proto=21 action=cancel policyid=enim policytype=gnido crscore=85.453000 craction=erepr crlevel=tsedqu appcat=uisa service=uptat srccountry=siutal dstcountry=umetMalo trandisp=onevolu tranip=10.77.105.160 tranport=5541 duration=155.903000 sentbyte=5294 rcvdbyte=2687 sentpkt=ira app=umfu +date=2018-6-4 time=8:44:15 logver=uamq devid=mnisist devname=dutp logid=ecillu type=ipsaqu subtype=asun level=very-high vd=llumd srcip=10.100.223.157 srcport=1307 srcintf=eth5742 dstip=10.232.243.87 dstport=4546 dstintf=lo299 poluuid=atisetq sessionid=mSectio proto=0 action=cancel policyid=nonnumqu trandisp=atis duration=63.050000 sentbyte=3508 rcvdbyte=205 devtype=uam osname=tisunde osversion=1.4261 mastersrcmac=rured srcmac=01:00:5e:8a:c1:2a crscore=19.243000 craction=meumfug crlevel=iam eventtype=animi user=porainc service=nsectetu hostname=spici5547.internal.test profile=tate reqtype=sintocca url=https://mail.example.org/asuntex/uovolup.html?amali=uiav#henderi direction=internal msg=tnul method=ons cat=radip catdesc=amremap device_id=dolorsit log_id=atisund pri=very-high userfrom=uredo adminprof=uamni timezone=CT main_type=quisqua trigger_policy=sedquian sub_type=lamcorpo severity_level=rem policy=apariat src=10.216.49.112 src_port=4521 dst=10.112.242.68 dst_port=3105 http_method=aut http_url=eriti http_host=ipsum http_agent=com http_session_id=uptate signature_subclass=tevelite signature_id=5880 srccountry=nimadmi content_switch_name=mquiado server_pool_name=agn false_positive_mitigation=dip user_name=urmag monitor_status=nim http_refer=https://www5.example.net/tutlabo/incid.gif?ptate=tconsect#usm http_version=uunturma dev_id=namaliqu threat_weight=tatemacc history_threat_weight=licab threat_level=roidents ftp_mode=volupta ftp_cmd=stiaeco cipher_suite=tanim msg_id=osam +date=2018-6-19 time=3:46:49 logver=tla devid=nimve devname=edutpe logid=tenb type=billoinv subtype=asia level=medium vd=paquioff srcip=10.252.175.174 srcport=1995 srcintf=enp0s1531 dstip=10.196.226.219 dstport=545 dstintf=lo2390 poluuid=uaera sessionid=nsequa proto=tcp action=accept policyid=orporis trandisp=oluptate duration=28.731000 sentbyte=2397 rcvdbyte=1768 devtype=itvolu osname=citation osversion=1.491 mastersrcmac=aincid srcmac=01:00:5e:7e:ea:3f crscore=149.960000 craction=tNeque crlevel=uidolore eventtype=uatDuisa user=usB service=magnaali hostname=istenatu3686.invalid profile=remagna reqtype=eritqu url=https://example.org/mnisiut/porinci.htm?norum=emUten#dminimve direction=internal msg=oremagna method=nulamc cat=tempori catdesc=rsintocc device_id=nderit log_id=etco pri=very-high userfrom=lore adminprof=ameiusmo timezone=PT main_type=veniamqu trigger_policy=equat sub_type=reeu severity_level=atemacc policy=rsitvolu src=10.182.58.108 src_port=4811 dst=10.96.100.84 dst_port=2253 http_method=utlabore http_url=texplica http_host=boru http_agent=ntut http_session_id=elaud signature_subclass=acomm signature_id=5667 srccountry=emUten content_switch_name=uamni server_pool_name=laboris false_positive_mitigation=pers user_name=lpaquiof monitor_status=isisten http_refer=https://api.example.net/seddoei/rnatur.jpg?olores=idolorem#umdolors http_version=uid dev_id=numqua threat_weight=citatio history_threat_weight=sed threat_level=mUten ftp_mode=eursint ftp_cmd=velillum cipher_suite=oin msg_id=teurs +logver=untutl devname="cons" devid="vel" vd=illumdo date=2018-7-3 time=10:49:23 logid=rios type=deF subtype=dutpe level=very-high eventtime=itan logtime=uisnos srcip=10.228.61.5 srcport=1179 srcintf=eth4741 srcintfrole=lites dstip=10.246.41.77 dstport=1217 dstintf=lo7502 dstintfrole=olu poluuid=ectet sessionid=tquovo proto=17 action=block policyid=lapa policytype=xeacom crscore=22.822000 craction=qui crlevel=henderi appcat=rainc service=dminim srccountry=sse dstcountry=tatem trandisp=umexe tranip=10.157.22.21 tranport=5252 duration=135.630000 sentbyte=2167 rcvdbyte=2952 sentpkt=quamei app=nvento +logver=qua devname="llumdo" devid="tot" vd=itquii date=2018-7-17 time=5:51:58 logid=psu type=iat subtype=ept level=high eventtime=ectob logtime=aUtenim srcip=10.242.119.111 srcport=645 srcintf=lo1640 srcintfrole=tDuisa dstip=10.239.231.168 dstport=88 dstintf=lo3385 dstintfrole=nimi poluuid=niamqu sessionid=uioffi proto=1 action=allow policyid=consequa policytype=tionu crscore=60.452000 craction=quines crlevel=entsu appcat=ineavol service=abor srccountry=giatq dstcountry=nonpro trandisp=elitsedd tranip=10.188.131.18 tranport=981 duration=46.954000 sentbyte=2770 rcvdbyte=4226 sentpkt=tam app=uovo +logver=orinrepr date=2018-8-1 time=12:54:32 log_id=untut devid=siu devname=lorem logid=icons type=hende subtype=umdol level=medium vd=psaq srcip=10.24.154.250 srcport=2108 srcintf=eth2707 dstip=10.124.187.230 dstport=6119 dstintf=lo105 poluuid=mqu sessionid=tse proto=udp action=accept policyid=ueip trandisp=amvo duration=20.956000 sentbyte=2068 rcvdbyte=306 devtype=reetdolo osname=tten osversion=1.979 mastersrcmac=usa srcmac=01:00:5e:6a:a6:c9 crscore=45.307000 craction=oremagna crlevel=siuta eventtype=amnihil user=nderit service=ficia hostname=tru3812.mail.lan profile=olo reqtype=xer url=https://api.example.net/nsec/smo.gif?etq=trumexe#rai direction=outbound msg=tNequepo method=byCicer cat=imvenia catdesc=ipit device_id=tdolorem log_id=nderitin pri=low userfrom=enderitq adminprof=amvolu timezone=GMT-07:00 main_type=temvele trigger_policy=ofd sub_type=quam severity_level=umdol policy=porincid src=10.106.101.87 src_port=7569 dst=10.247.124.74 dst_port=2491 http_method=inea http_url=ipsu http_host=iden http_agent=oreseo http_session_id=edictasu signature_subclass=aerat signature_id=4358 srccountry=lites content_switch_name=col server_pool_name=litsedd false_positive_mitigation=mnis user_name=ainci monitor_status=aturve http_refer=https://api.example.com/mporain/secte.txt?amqui=rume#uptate http_version=tisundeo dev_id=uid threat_weight=eFini history_threat_weight=mnis threat_level=tametco ftp_mode=snisiut ftp_cmd=lit cipher_suite=laborio msg_id=aaliqu +date=2018-8-15 time=7:57:06 devname=mid device_id=henderi log_id=consec type=event subtype=dquia pri=high desc=isiutali user=rehe userfrom=volupta msg=etcons action=deny adom=etdol408.internal.home session_id=agnamali +date=2018-8-29 time=2:59:40 logver=cae devid=Utenimad devname=onsequ logid=Bon type=amquisno subtype=mullam level=very-high vd=admi srcip=10.111.106.60 srcport=5449 srcintf=lo5820 dstip=10.142.181.192 dstport=4386 dstintf=lo6200 poluuid=lmolest sessionid=miurerep proto=17 action=allow policyid=Sed trandisp=isau duration=66.574000 sentbyte=75 rcvdbyte=806 devtype=idest osname=ostru osversion=1.4342 mastersrcmac=enimip srcmac=01:00:5e:11:d6:5d crscore=66.141000 craction=umquiado crlevel=taspe eventtype=empori user=mipsum service=tium hostname=riaturE1644.www5.example profile=ender reqtype=uine url=https://internal.example.com/dolo/exeacom.txt?tlab=eufugiat#upta direction=internal msg=reetdo method=mad cat=mdolor catdesc=amcorpor device_id=oremquel log_id=san pri=high userfrom=amqui adminprof=itatise timezone=GMT-07:00 main_type=cia trigger_policy=lup sub_type=cipitla severity_level=niam policy=mullamc src=10.215.144.167 src_port=6675 dst=10.162.114.52 dst_port=2925 http_method=quepor http_url=Lor http_host=ten http_agent=exeacomm http_session_id=cusan signature_subclass=oquisq signature_id=4993 srccountry=ihilmol content_switch_name=seosqui server_pool_name=tiset false_positive_mitigation=ciade user_name=erspici monitor_status=xercitat http_refer=https://internal.example.net/utlab/entoreve.html?umdol=nseq#autodita http_version=loreme dev_id=eratv threat_weight=tametcon history_threat_weight=orsi threat_level=ull ftp_mode=mcor ftp_cmd=iamquis cipher_suite=aeabi msg_id=ore +date=2018-9-12 time=10:02:15 logver=catcup devid=ectetur devname=cons logid=spiciati type=upidata subtype=utlabo level=high vd=ersp srcip=10.101.207.156 srcport=2086 srcintf=enp0s4931 dstip=10.12.8.82 dstport=4369 dstintf=enp0s7520 poluuid=nemull sessionid=trumex proto=6 action=accept policyid=doloremq trandisp=iade duration=26.420000 sentbyte=5013 rcvdbyte=7641 devtype=uidolo osname=ita osversion=1.6452 mastersrcmac=rchite srcmac=01:00:5e:41:90:bf crscore=107.693000 craction=tionem crlevel=volupta eventtype=adol user=econsequ service=orever hostname=mdolo7008.api.corp profile=reetdolo reqtype=psam url=https://www5.example.org/orumet/aliqu.txt?tion=sun#utod direction=outbound msg=rinci method=uamestqu cat=riatu catdesc=ulaparia device_id=remagna log_id=fugi pri=very-high userfrom=xerc adminprof=caecat timezone=OMST main_type=cor trigger_policy=nonnumqu sub_type=uidexea severity_level=emu policy=asia src=10.162.128.87 src_port=6214 dst=10.78.75.82 dst_port=7799 http_method=uptat http_url=con http_host=tem http_agent=orpori http_session_id=lor signature_subclass=quiinea signature_id=7098 srccountry=rroquis content_switch_name=dolorema server_pool_name=prehe false_positive_mitigation=bori user_name=Sedutp monitor_status=ritinvo http_refer=https://internal.example.net/ica/nat.jpg?ddoe=nsequ#lloinve http_version=tdolo dev_id=billoi threat_weight=sequu history_threat_weight=ffic threat_level=imadmini ftp_mode=isnostru ftp_cmd=ostr cipher_suite=tinvo msg_id=lorumwr +logver=ctetura devname="reseosqu" devid="ittenbyC" vd=tlabor date=2018-9-27 time=5:04:49 logid=auteir type=uredolo subtype=uido level=medium eventtime=quiratio logtime=aincidu srcip=10.75.198.93 srcport=1982 srcintf=eth725 srcintfrole=umqu dstip=10.137.36.151 dstport=196 dstintf=lo1813 dstintfrole=rspici poluuid=duntutla sessionid=emeu proto=1 action=block policyid=atemUten policytype=turadipi crscore=16.226000 craction=estqu crlevel=orinre appcat=prehen service=equa srccountry=ciatisun dstcountry=mdolorem trandisp=nnumq tranip=10.51.106.43 tranport=6486 duration=78.551000 sentbyte=3531 rcvdbyte=5464 sentpkt=oremeumf app=volupt +logver=tnulapa devname="caecatcu" devid="xcepte" vd=deserun date=2018-10-11 time=12:07:23 logid=mvol type=erep subtype=teurs level=low eventtime=tiumdol logtime=byCicer srcip=10.154.151.111 srcport=5860 srcintf=eth1273 srcintfrole=uisnos dstip=10.7.230.206 dstport=5757 dstintf=lo1291 dstintfrole=pisc poluuid=eumfu sessionid=tseddoe proto=HOPOPT action=allow policyid=emulla policytype=bill crscore=147.522000 craction=oditaut crlevel=oloremqu appcat=untNeque service=reetdol srccountry=perspi dstcountry=tlab trandisp=udexerci tranip=10.249.93.150 tranport=799 duration=113.020000 sentbyte=2808 rcvdbyte=5744 sentpkt=ovolup app=squ +date=2018-10-25 time=7:09:57 logver=dolor devid=lit devname=ptatem logid=oeiusmod type=ugi subtype=utaliq level=very-high vd=toc srcip=10.76.177.154 srcport=1428 srcintf=eth4425 dstip=10.207.160.170 dstport=7037 dstintf=lo1570 poluuid=reseo sessionid=iration proto=tcp action=deny policyid=magn trandisp=iaecon duration=54.100000 sentbyte=622 rcvdbyte=6280 devtype=ill osname=oris osversion=1.5718 mastersrcmac=ulamcol srcmac=01:00:5e:19:ce:4b crscore=142.771000 craction=oNe crlevel=utfu eventtype=santiumd user=cididunt service=ctasu hostname=itse5466.api.example profile=ica reqtype=mnisis url=https://internal.example.com/nonnumqu/isciveli.gif?wri=aute#iscin direction=outbound msg=uat method=itasper cat=nibusBo catdesc=volupta device_id=olorinr log_id=iameaq pri=high userfrom=docons adminprof=uun timezone=OMST main_type=mremap trigger_policy=ate sub_type=agnaal severity_level=ibusB policy=mexe src=10.217.209.221 src_port=3639 dst=10.26.4.3 dst_port=5291 http_method=rsitame http_url=eca http_host=quirat http_agent=urmagn http_session_id=essec signature_subclass=prehende signature_id=1261 srccountry=setquas content_switch_name=nti server_pool_name=osamnis false_positive_mitigation=atisetqu user_name=ciduntut monitor_status=atisu http_refer=https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu http_version=suntincu dev_id=lore threat_weight=equatu history_threat_weight=enbyCi threat_level=dolo ftp_mode=adipi ftp_cmd=beata cipher_suite=evelites msg_id=ipiscive +logver=umtot date=2018-11-9 time=2:12:32 log_id=eumiurer devid=inv devname=eac logid=rainc type=tinculp subtype=uianon level=high vd=corpori srcip=10.232.131.132 srcport=581 srcintf=enp0s6255 dstip=10.232.246.98 dstport=1854 dstintf=enp0s1526 poluuid=ivelit sessionid=itlabori proto=icmp action=accept policyid=oide trandisp=magni duration=72.993000 sentbyte=5817 rcvdbyte=6960 devtype=rrorsit osname=emipsu osversion=1.6603 mastersrcmac=temUte srcmac=01:00:5e:fe:be:28 crscore=134.746000 craction=hitec crlevel=sci eventtype=luptatev user=ruredo service=iamquis hostname=dquiac6194.api.lan profile=nidolo reqtype=runtmoll url=https://www5.example.org/utlabo/scip.html?voluptas=inv#upta direction=external msg=ors method=olupta cat=raincidu catdesc=nisi device_id=uipexea log_id=taedic pri=high userfrom=ugi adminprof=urExcep timezone=CET main_type=usant trigger_policy=uidolore sub_type=litse severity_level=ugitse policy=utfugi src=10.241.140.241 src_port=1813 dst=10.180.162.174 dst_port=7186 http_method=ido http_url=atnu http_host=ssuscipi http_agent=evita http_session_id=tconsect signature_subclass=lpaquiof signature_id=532 srccountry=lors content_switch_name=Finibus server_pool_name=totam false_positive_mitigation=idat user_name=nulapar monitor_status=git http_refer=https://www5.example.com/odtem/tati.jpg?ueips=umqu#ntexpli http_version=siuta dev_id=porincid threat_weight=itame history_threat_weight=inv threat_level=remaper ftp_mode=quaUteni ftp_cmd=evelit cipher_suite=oluptat msg_id=ditem +date=2018-11-23 time=9:15:06 devname=oditautf device_id=asiarc log_id=eddoei type=generic subtype=iatqu pri=very-high devid=itessec devname=dat logid=tdol type=emul subtype=ariatu level=high vd=reseo srcip=10.53.70.207 srcport=1793 srcintf=lo2279 dstip=10.73.140.61 dstport=2114 dstintf=lo368 poluuid=stlabo sessionid=atema proto=1 action=deny policyid=orporiss trandisp=iamq duration=128.426000 sentbyte=1800 rcvdbyte=5783 devtype=pis osname=riosam osversion=1.2052 mastersrcmac=iosam srcmac=01:00:5e:21:d3:0a crscore=65.426000 craction=archi crlevel=nes eventtype=atvolupt user=umwritt service=uae hostname=amco1592.mail.host profile=aaliq reqtype=olupta url=https://internal.example.com/ssusci/snostrud.txt?dolo=siutaliq#obeata direction=outbound msg=tame method=olo cat=vel catdesc=equamn device_id=tempora log_id=enimip pri=very-high userfrom=saqua adminprof=aperia timezone=OMST main_type=tNeque trigger_policy=metcon sub_type=enimadmi severity_level=orem policy=corpor src=10.110.99.222 src_port=5685 dst=10.62.140.108 dst_port=1225 http_method=ssitasp http_url=ptat http_host=asp http_agent=uatDui http_session_id=nofdeFin signature_subclass=unde signature_id=3979 srccountry=seruntm content_switch_name=aera server_pool_name=scive false_positive_mitigation=ngelit user_name=moenimi monitor_status=mqu http_refer=https://mail.example.org/ueipsaq/upid.gif?utla=emUte#tisund http_version=tutla dev_id=isund threat_weight=atemU history_threat_weight=uidex threat_level=uptate ftp_mode=eac ftp_cmd=peria cipher_suite=amaliq msg_id=ium +logver=ptate date=2018-12-7 time=4:17:40 log_id=tenatu devid=emo devname=ratio logid=maperia type=Maloru subtype=sumquia level=low vd=imadmini srcip=10.237.5.219 srcport=3828 srcintf=eth4604 dstip=10.197.99.150 dstport=3877 dstintf=enp0s7388 poluuid=odo sessionid=itseddoe proto=prm action=accept policyid=itinvo trandisp=uiavol duration=96.864000 sentbyte=2685 rcvdbyte=7612 devtype=urmagn osname=ficiade osversion=1.2691 mastersrcmac=equ srcmac=01:00:5e:f5:2a:24 crscore=163.671000 craction=mipsum crlevel=dolor eventtype=cupidata user=niamquis service=lapariat hostname=dicta7226.mail.example profile=eddoei reqtype=cingel url=https://api.example.com/temporai/umw.jpg?mveniamq=litsed#ptasn direction=unknown msg=loinv method=umd cat=madmi catdesc=xercit device_id=avolup log_id=etdo pri=medium userfrom=veleum adminprof=emUten timezone=CT main_type=proiden trigger_policy=cita sub_type=iac severity_level=ntincul policy=mnisiste src=10.4.244.115 src_port=4588 dst=10.53.50.77 dst_port=5330 http_method=lorem http_url=lore http_host=orroqu http_agent=tlabo http_session_id=iameaque signature_subclass=sautemve signature_id=6466 srccountry=emoe content_switch_name=ameiusmo server_pool_name=ntiumtot false_positive_mitigation=aeab user_name=idolo monitor_status=temac http_refer=https://api.example.net/ollita/idolore.html?illu=iut#asiarc http_version=imidest dev_id=mwri threat_weight=orsi history_threat_weight=ritinvol threat_level=rporiss ftp_mode=atu ftp_cmd=ddo cipher_suite=veli msg_id=ata +logver=lor dtime=2018-12-21 23:20:14.972538723 +0000 UTC devid=ori devname=eleumiu vd=amre date=2018-12-21 time=11:20:14 logid=atur type=untex subtype=Except level=very-high eventtime=econse logtime=iac srcip=10.221.100.157 srcport=865 srcintf=lo4518 srcintfrole=mqu dstip=10.236.211.111 dstport=1801 dstintf=enp0s454 dstintfrole=rauto poluuid=pteursi sessionid=iquamqua proto=tcp action=allow policyid=psumqui policytype=equeporr crscore=32.741000 craction=cusanti crlevel=doloreme appcat=nsecte service=reprehen srccountry=taspe dstcountry=litess trandisp=enimadm tranip=10.120.212.78 tranport=119 duration=17.257000 sentbyte=4752 rcvdbyte=3484 sentpkt=ntsuntin app=ectetur +date=2019-1-5 time=6:22:49 logver=intocca devid=vel devname=xeacom logid=orum type=voluptat subtype=nsequ level=medium vd=tenimad srcip=10.140.215.210 srcport=7229 srcintf=lo568 dstip=10.71.213.217 dstport=7475 dstintf=eth5820 poluuid=lup sessionid=reetdolo proto=HOPOPT action=accept policyid=dolor trandisp=emagnam duration=154.150000 sentbyte=2336 rcvdbyte=5326 devtype=emull osname=enatuser osversion=1.3052 mastersrcmac=ectob srcmac=01:00:5e:4a:5d:af crscore=9.013000 craction=niamqu crlevel=nrep eventtype=lauda user=ionevo service=busB hostname=pidatatn2627.www.localdomain profile=eritinvo reqtype=quiav url=https://mail.example.org/ngelit/dipiscin.gif?serro=ctet#umiurere direction=inbound msg=ciun method=ssitaspe cat=deomnis catdesc=ulamcol device_id=onn log_id=redol pri=medium userfrom=utlabore adminprof=nci timezone=OMST main_type=liqu trigger_policy=ectetura sub_type=aUte severity_level=untNeque policy=roi src=10.210.82.202 src_port=2749 dst=10.208.231.15 dst_port=412 http_method=rios http_url=diconseq http_host=tenima http_agent=iusm http_session_id=mveleumi signature_subclass=equinesc signature_id=5076 srccountry=mfugiatq content_switch_name=dmini server_pool_name=emveleu false_positive_mitigation=loree user_name=riatur monitor_status=tempor http_refer=https://internal.example.com/spiciati/tise.gif?ctas=rvelillu#qua http_version=ciat dev_id=iamq threat_weight=porin history_threat_weight=yCi threat_level=arc ftp_mode=santium ftp_cmd=numquame cipher_suite=umfugi msg_id=amestqui +logver=tesseq devname="nimides" devid="iusmodte" vd=involup date=2019-1-19 time=1:25:23 logid=edd type=dolorsi subtype=mcolabo level=low eventtime=exe logtime=nve srcip=10.226.255.3 srcport=5449 srcintf=lo7680 srcintfrole=iaconseq dstip=10.123.59.69 dstport=5399 dstintf=lo5835 dstintfrole=ntsunti poluuid=bor sessionid=uisnos proto=6 action=accept policyid=tation policytype=seddoe crscore=21.625000 craction=eur crlevel=ntmolli appcat=pitl service=nulap srccountry=ipexe dstcountry=aqueipsa trandisp=psum tranip=10.53.251.202 tranport=7501 duration=131.751000 sentbyte=6876 rcvdbyte=220 sentpkt=ugi app=ptate +logver=rur devname="edut" devid="sitametc" vd=iarchite date=2019-2-2 time=8:27:57 logid=uide type=iono subtype=aboris level=very-high eventtime=imidest logtime=ulamc srcip=10.3.85.176 srcport=318 srcintf=eth2546 srcintfrole=uptateve dstip=10.212.56.26 dstport=3032 dstintf=enp0s2353 dstintfrole=loin poluuid=cinge sessionid=tutl proto=udp action=block policyid=nesciu policytype=ueip crscore=162.484000 craction=orumSe crlevel=mSe appcat=itame service=quaturv srccountry=lumdolor dstcountry=persp trandisp=leumi tranip=10.29.141.252 tranport=2077 duration=106.468000 sentbyte=3472 rcvdbyte=7868 sentpkt=orum app=reseos +date=2019-2-17 time=3:30:32 devname=orem device_id=seq log_id=cus type=generic subtype=tnulap pri=very-high devid=psamvolu devname=inculp logid=eni type=tcupid subtype=ercita level=very-high vd=olorinr srcip=10.110.166.81 srcport=7354 srcintf=lo3023 dstip=10.181.48.82 dstport=1225 dstintf=eth7640 poluuid=conseq sessionid=Nemoen proto=6 action=cancel policyid=umquamei trandisp=nih duration=55.527000 sentbyte=3449 rcvdbyte=4658 devtype=quia osname=eabill osversion=1.95 mastersrcmac=oeiusmo srcmac=01:00:5e:82:ca:1b crscore=67.321000 craction=rumwrit crlevel=tionofd eventtype=ill user=orroquis service=laparia hostname=emveleu4029.api.local profile=tconse reqtype=ntsun url=https://internal.example.net/inc/riaturEx.htm?mnihilm=itinvo#lestia direction=external msg=metcons method=lumd cat=liquaUt catdesc=snos device_id=maccusan log_id=oeni pri=medium userfrom=tiaecon adminprof=tincu timezone=GMT-07:00 main_type=untmoll trigger_policy=par sub_type=idatatno severity_level=tfugit policy=tla src=10.126.11.186 src_port=589 dst=10.236.175.163 dst_port=6562 http_method=atemqui http_url=icaboN http_host=Utenimad http_agent=res http_session_id=officiad signature_subclass=nsectet signature_id=3977 srccountry=temU content_switch_name=ciduntut server_pool_name=ionofd false_positive_mitigation=etqua user_name=udantiu monitor_status=tium http_refer=https://internal.example.net/leumiu/iuta.html?tfugit=rorsitv#tiaecons http_version=uamestq dev_id=aliquaUt threat_weight=boreet history_threat_weight=mquam threat_level=volu ftp_mode=nof ftp_cmd=boNe cipher_suite=ovolu msg_id=cid +logver=equamn devname="mes" devid="itatio" vd=ssecillu date=2019-3-3 time=10:33:06 logid=oeius type=itin subtype=nostrud level=medium eventtime=byCic logtime=mnisiuta srcip=10.171.60.173 srcport=209 srcintf=lo1917 srcintfrole=usmodite dstip=10.11.150.136 dstport=3615 dstintf=lo5438 dstintfrole=olup poluuid=urQuis sessionid=iquip proto=1 action=cancel policyid=untutl policytype=elite crscore=176.898000 craction=ipsaq crlevel=spici appcat=nvolupt service=antiu srccountry=llumquid dstcountry=paq trandisp=olup tranip=10.83.98.220 tranport=1300 duration=73.115000 sentbyte=5812 rcvdbyte=3339 sentpkt=amquis app=umtotam +logver=pitlabo dtime=2019-03-17 17:35:40.532538723 +0000 UTC devid=lorsita devname=datatno vd=emac date=2019-3-17 time=5:35:40 logid=uiavo type=tdo subtype=ratvolup level=high eventtime=dolo logtime=quioffic srcip=10.238.49.73 srcport=1554 srcintf=enp0s11 srcintfrole=riatu dstip=10.74.88.209 dstport=740 dstintf=lo5287 dstintfrole=quep poluuid=tfugitse sessionid=oenimips proto=udp action=deny policyid=mdo policytype=map crscore=148.871000 craction=osqui crlevel=consequ appcat=catcupid service=velitess srccountry=sit dstcountry=ipisc trandisp=onsectet tranip=10.92.3.166 tranport=5777 duration=156.314000 sentbyte=715 rcvdbyte=3946 sentpkt=itvol app=dolo +logver=amquisno dtime=2019-04-01 00:38:14.792538723 +0000 UTC devid=uptasnul devname=ptate vd=deri date=2019-4-1 time=12:38:14 logid=periamea type=equatD subtype=quaturQu level=high eventtime=rpo logtime=inr srcip=10.119.248.36 srcport=2450 srcintf=enp0s1885 srcintfrole=ten dstip=10.187.107.47 dstport=288 dstintf=lo2445 dstintfrole=fugia poluuid=psa sessionid=iset proto=prm action=allow policyid=ecte policytype=ionemull crscore=84.399000 craction=sBo crlevel=nimides appcat=iurere service=edolorin srccountry=labor dstcountry=quelaud trandisp=ira tranip=10.84.200.121 tranport=3226 duration=128.212000 sentbyte=2150 rcvdbyte=4329 sentpkt=nos app=icta +logver=itseddo devname="tasu" devid="mquae" vd=CSedu date=2019-4-15 time=7:40:49 logid=atae type=aeconseq subtype=boNemo level=very-high eventtime=nemulla logtime=tmollit srcip=10.167.128.229 srcport=4052 srcintf=eth1833 srcintfrole=ciatisu dstip=10.135.213.17 dstport=6427 dstintf=eth6468 dstintfrole=ritat poluuid=dipi sessionid=asnulapa proto=prm action=block policyid=onsequa policytype=seddoe crscore=23.021000 craction=Bonorume crlevel=emeumfu appcat=tla service=uidexea srccountry=odtem dstcountry=nvolupt trandisp=stia tranip=10.30.239.222 tranport=1546 duration=10.721000 sentbyte=6561 rcvdbyte=1057 sentpkt=itectobe app=rroq +date=2019-4-29 time=2:43:23 devname=uunt device_id=pic log_id=unt type=generic subtype=emUt pri=medium devid=pernatur devname=orem logid=enbyCice type=velil subtype=nsequat level=low vd=duntutl srcip=10.238.172.76 srcport=156 srcintf=lo1215 dstip=10.201.119.253 dstport=2230 dstintf=enp0s7218 poluuid=nimad sessionid=tionu proto=udp action=block policyid=emagna trandisp=quin duration=68.078000 sentbyte=2527 rcvdbyte=1150 devtype=consequ osname=min osversion=1.1028 mastersrcmac=edicta srcmac=01:00:5e:cd:6c:ed crscore=163.905000 craction=itinvolu crlevel=urerepre eventtype=iumdol user=serror service=uptass hostname=rspic5637.api.local profile=itatise reqtype=iut url=https://api.example.net/ita/esse.txt?amquis=iatquovo#rExce direction=inbound msg=uraut method=reetdol cat=umtotam catdesc=itaedi device_id=ant log_id=tiumt pri=very-high userfrom=ratvolup adminprof=iamqu timezone=CT main_type=quaturve trigger_policy=tsunti sub_type=ero severity_level=iusmodi policy=acomm src=10.169.133.219 src_port=92 dst=10.115.166.48 dst_port=7491 http_method=eleumiur http_url=ididun http_host=edi http_agent=gia http_session_id=uaturQui signature_subclass=emi signature_id=5446 srccountry=etM content_switch_name=eve server_pool_name=iru false_positive_mitigation=ipit user_name=emq monitor_status=elitsedq http_refer=https://www.example.net/onsequat/emagnaa.gif?itse=tco#nnumqua http_version=erit dev_id=lorsitam threat_weight=emagnama history_threat_weight=ute threat_level=Excep ftp_mode=utpersp ftp_cmd=rehe cipher_suite=tiumt msg_id=ulamc +logver=runt date=2019-5-13 time=9:45:57 log_id=emipsu devid=icaboNem devname=Except logid=fugits type=maliquam subtype=mav level=very-high vd=ecill srcip=10.36.122.89 srcport=5040 srcintf=lo3887 dstip=10.206.76.186 dstport=741 dstintf=eth2435 poluuid=atisund sessionid=enbyCic proto=1 action=block policyid=nrepre trandisp=uisautem duration=145.667000 sentbyte=4247 rcvdbyte=4374 devtype=tio osname=aconseq osversion=1.4195 mastersrcmac=enatuser srcmac=01:00:5e:1a:9c:4f crscore=124.786000 craction=rcitatio crlevel=olore eventtype=ntexp user=atio service=roquisqu hostname=rror3870.www5.local profile=volu reqtype=occ url=https://www5.example.net/culpa/isun.txt?cola=tura#rat direction=internal msg=sect method=ing cat=nis catdesc=aboreet device_id=ulapari log_id=isetqu pri=high userfrom=ons adminprof=Sedu timezone=CEST main_type=icaboNem trigger_policy=enderi sub_type=edqu severity_level=cita policy=uidolore src=10.146.255.40 src_port=3003 dst=10.226.39.82 dst_port=3950 http_method=oluptate http_url=orumwrit http_host=aconse http_agent=ites http_session_id=abori signature_subclass=dolor signature_id=3543 srccountry=amqu content_switch_name=uamest server_pool_name=ntoccaec false_positive_mitigation=ites user_name=caecatcu monitor_status=iof http_refer=https://api.example.com/uae/mdolo.txt?aute=itatise#utpers http_version=equunt dev_id=Nemo threat_weight=itse history_threat_weight=lillumq threat_level=idid ftp_mode=uis ftp_cmd=velits cipher_suite=mmodo msg_id=rporissu +logver=utemvel dtime=2019-05-28 04:48:31.832538723 +0000 UTC devid=exercita devname=emaperi vd=aspernat date=2019-5-28 time=4:48:31 logid=ddoei type=nihi subtype=umfu level=low eventtime=ehen logtime=olupt srcip=10.53.82.96 srcport=7088 srcintf=eth297 srcintfrole=nostru dstip=10.224.212.88 dstport=5404 dstintf=lo4266 dstintfrole=natuserr poluuid=ipi sessionid=eniamqui proto=icmp action=deny policyid=urvelill policytype=iadese crscore=174.116000 craction=isundeo crlevel=emq appcat=rehender service=uat srccountry=apa dstcountry=tani trandisp=per tranip=10.35.240.70 tranport=2587 duration=62.993000 sentbyte=7102 rcvdbyte=2380 sentpkt=ataevit app=chi +logver=lorsita devname="oeius" devid="trud" vd=aco date=2019-6-11 time=11:51:06 logid=uei type=tsedqu subtype=agni level=very-high eventtime=rsint logtime=catc srcip=10.186.253.240 srcport=6982 srcintf=enp0s5429 srcintfrole=end dstip=10.233.128.7 dstport=2455 dstintf=eth5315 dstintfrole=onnumq poluuid=lupt sessionid=ugiatq proto=prm action=cancel policyid=utla policytype=iosamn crscore=164.209000 craction=tor crlevel=toreve appcat=ita service=orain srccountry=tnulap dstcountry=aevitae trandisp=aqu tranip=10.66.149.234 tranport=6236 duration=128.130000 sentbyte=6344 rcvdbyte=475 sentpkt=loremeu app=tate +logver=elaud dtime=2019-06-25 18:53:40.352538723 +0000 UTC devid=iad devname=irat vd=upi date=2019-6-25 time=6:53:40 logid=rsintocc type=itanim subtype=sinto level=medium eventtime=lore logtime=eabi srcip=10.227.133.134 srcport=3351 srcintf=enp0s4820 srcintfrole=erspici dstip=10.46.11.114 dstport=4009 dstintf=enp0s7159 dstintfrole=oremq poluuid=rspiciat sessionid=ptas proto=tcp action=cancel policyid=ore policytype=dut crscore=128.554000 craction=remape crlevel=itectob appcat=sedquia service=mquisnos srccountry=mwritt dstcountry=avolupt trandisp=lumdolo tranip=10.173.140.201 tranport=6422 duration=133.394000 sentbyte=7249 rcvdbyte=1387 sentpkt=str app=sit +logver=elillum dtime=2019-07-10 01:56:14.612538723 +0000 UTC devid=isnos devname=emp vd=eos date=2019-7-10 time=1:56:14 logid=sciveli type=Bonoru subtype=rai level=low eventtime=omm logtime=cepteu srcip=10.205.18.11 srcport=6737 srcintf=eth4759 srcintfrole=ueipsa dstip=10.69.130.207 dstport=1191 dstintf=eth614 dstintfrole=architec poluuid=era sessionid=ptatem proto=udp action=cancel policyid=isi policytype=ssecill crscore=44.181000 craction=exerci crlevel=ptatemUt appcat=temqu service=ofd srccountry=nimvenia dstcountry=ari trandisp=eir tranip=10.170.236.123 tranport=4346 duration=150.036000 sentbyte=6877 rcvdbyte=1751 sentpkt=orum app=tation +logver=repre date=2019-7-24 time=8:58:48 log_id=ore devid=ionemu devname=rehend logid=uiad type=tasu subtype=sciun level=high vd=taev srcip=10.196.124.206 srcport=7569 srcintf=enp0s2181 dstip=10.186.88.110 dstport=4203 dstintf=enp0s5497 poluuid=asnulapa sessionid=hende proto=0 action=deny policyid=ntmolli trandisp=uto duration=178.755000 sentbyte=6361 rcvdbyte=1742 devtype=ipsu osname=taedi osversion=1.2682 mastersrcmac=acom srcmac=01:00:5e:99:e3:a5 crscore=175.099000 craction=Cic crlevel=aturveli eventtype=lica user=Exc service=amvolup hostname=velill3821.mail.invalid profile=asnulap reqtype=usmodte url=https://example.com/loremag/mqu.gif?bore=lapari#aborios direction=external msg=lorem method=mnisiuta cat=quiadolo catdesc=abo device_id=msequine log_id=mrem pri=medium userfrom=atuserr adminprof=nsequatu timezone=ET main_type=uptasnu trigger_policy=atemUt sub_type=iurere severity_level=oident policy=volup src=10.97.254.192 src_port=302 dst=10.124.34.251 dst_port=3899 http_method=imide http_url=sequa http_host=ine http_agent=ollitan http_session_id=eacomm signature_subclass=onseq signature_id=6250 srccountry=reetd content_switch_name=equamnih server_pool_name=tevelite false_positive_mitigation=sitvolup user_name=epor monitor_status=atatnonp http_refer=https://example.org/elauda/ria.htm?uptatemU=iono#quun http_version=itationu dev_id=eniamqui threat_weight=adolo history_threat_weight=oreetdol threat_level=uinesciu ftp_mode=sciun ftp_cmd=tametc cipher_suite=rExcep msg_id=avolup +logver=olores devname="ineavol" devid="bori" vd=taev date=2019-8-7 time=4:01:23 logid=ngelit type=uidexea subtype=stiaec level=very-high eventtime=quipex logtime=rsintoc srcip=10.9.41.221 srcport=4010 srcintf=eth434 srcintfrole=estlabor dstip=10.81.58.91 dstport=2247 dstintf=lo6072 dstintfrole=udexerci poluuid=onemul sessionid=elaud proto=tcp action=cancel policyid=trudexe policytype=tiumtota crscore=53.861000 craction=ariaturE crlevel=fug appcat=umqu service=umqu srccountry=roide dstcountry=tio trandisp=autem tranip=10.204.98.238 tranport=3885 duration=108.380000 sentbyte=2498 rcvdbyte=3936 sentpkt=aquioffi app=aliqui +date=2019-8-21 time=11:03:57 devname=unti device_id=tena log_id=velits type=event subtype=oditautf pri=high desc=rmagni user=tiono userfrom=utemvele msg=taevi action=cancel adom=xplicabo4308.www.example session_id=tquo +logver=nrepr devname="uipex" devid="alorumw" vd=nibus date=2019-9-5 time=6:06:31 logid=eiusmo type=rci subtype=seosquir level=medium eventtime=ume logtime=ercitati srcip=10.35.84.125 srcport=341 srcintf=enp0s2388 srcintfrole=pernatu dstip=10.37.120.29 dstport=4170 dstintf=enp0s1127 dstintfrole=tasuntex poluuid=etura sessionid=taedi proto=udp action=accept policyid=quiacon policytype=udexerc crscore=66.169000 craction=undeomni crlevel=ritquiin appcat=taspern service=iadeser srccountry=nos dstcountry=mollita trandisp=eserun tranip=10.212.208.70 tranport=3237 duration=36.569000 sentbyte=5330 rcvdbyte=11 sentpkt=otamr app=eveli +logver=temsequi devname="aturvel" devid="elaudan" vd=alorum date=2019-9-19 time=1:09:05 logid=olor type=inesc subtype=tlaborio level=high eventtime=equeporr logtime=seq srcip=10.143.65.84 srcport=2670 srcintf=enp0s5828 srcintfrole=ddoeiu dstip=10.199.201.26 dstport=3770 dstintf=eth4236 dstintfrole=ore poluuid=onse sessionid=abo proto=1 action=accept policyid=magnaa policytype=tateveli crscore=94.258000 craction=xplica crlevel=dex appcat=rsintocc service=iusmo srccountry=oquisqu dstcountry=ullamcor trandisp=remagn tranip=10.207.207.106 tranport=2048 duration=94.877000 sentbyte=6896 rcvdbyte=7419 sentpkt=tvolup app=ites +logver=rExce dtime=2019-10-03 20:11:40.172538723 +0000 UTC devid=rittenby devname=gni vd=ritq date=2019-10-3 time=8:11:40 logid=lestiaec type=rissusci subtype=fdeFi level=high eventtime=ehende logtime=riatu srcip=10.204.27.48 srcport=5998 srcintf=lo7358 srcintfrole=emaperia dstip=10.163.236.253 dstport=7768 dstintf=enp0s2100 dstintfrole=sequatu poluuid=ugi sessionid=oditau proto=1 action=block policyid=mvele policytype=atae crscore=123.668000 craction=imips crlevel=admi appcat=ocons service=tiumdol srccountry=sunt dstcountry=rrorsi trandisp=remagna tranip=10.41.61.88 tranport=426 duration=82.943000 sentbyte=525 rcvdbyte=3702 sentpkt=dolor app=ips +logver=ipitlab dtime=2019-10-18 03:14:14.432538723 +0000 UTC devid=ipsa devname=dents vd=erepreh date=2019-10-18 time=3:14:14 logid=amest type=dolore subtype=xer level=medium eventtime=onemul logtime=off srcip=10.246.81.164 srcport=3453 srcintf=lo3071 srcintfrole=ende dstip=10.185.44.26 dstport=3193 dstintf=lo7861 dstintfrole=tationul poluuid=tam sessionid=byCic proto=0 action=cancel policyid=cons policytype=serro crscore=5.473000 craction=uiac crlevel=aecatcu appcat=sed service=uisnostr srccountry=aquei dstcountry=ation trandisp=sumqu tranip=10.53.110.111 tranport=2549 duration=141.141000 sentbyte=5569 rcvdbyte=5239 sentpkt=entore app=uaturQ +logver=xpli date=2019-11-1 time=10:16:48 log_id=quae devid=totamre devname=lam logid=quamestq type=porai subtype=oinve level=medium vd=hender srcip=10.84.154.230 srcport=1335 srcintf=enp0s1127 dstip=10.212.63.179 dstport=6790 dstintf=eth1762 poluuid=eufugia sessionid=temqu proto=3 action=allow policyid=tvolup trandisp=lori duration=130.339000 sentbyte=4763 rcvdbyte=4334 devtype=rnatur osname=etdolo osversion=1.802 mastersrcmac=adipisci srcmac=01:00:5e:7b:68:0e crscore=36.122000 craction=culpaq crlevel=quis eventtype=lupt user=upt service=aboN hostname=cupida6106.www5.local profile=tdo reqtype=asperna url=https://api.example.com/aco/empo.jpg?iumdol=iusm#ido direction=unknown msg=peri method=aspernat cat=seq catdesc=olup device_id=uamqu log_id=veli pri=high userfrom=etco adminprof=nulap timezone=CT main_type=radip trigger_policy=tali sub_type=ntin severity_level=loreseos policy=ites src=10.109.172.90 src_port=2785 dst=10.146.77.206 dst_port=1554 http_method=amnihilm http_url=ipsamv http_host=proid http_agent=xcep http_session_id=udantium signature_subclass=sum signature_id=1723 srccountry=iaecon content_switch_name=euf server_pool_name=norume false_positive_mitigation=hilmo user_name=aquaeab monitor_status=eporr http_refer=https://www.example.com/metMalo/santiu.jpg?icon=enderit#roquisqu http_version=lapa dev_id=imadm threat_weight=giatquo history_threat_weight=oeiusm threat_level=oreeuf ftp_mode=iusmodt ftp_cmd=umwrit cipher_suite=atatn msg_id=uatD +date=2019-11-15 time=5:19:22 devname=ptate device_id=Nemoe log_id=cupidat type=generic subtype=onsequ pri=high devid=nostr devname=umtotam logid=mqua type=emU subtype=gnido level=very-high vd=plicab srcip=10.8.161.226 srcport=3191 srcintf=eth5256 dstip=10.13.234.237 dstport=3760 dstintf=enp0s1149 poluuid=oeiusmo sessionid=nisi proto=6 action=allow policyid=lupt trandisp=tlaborio duration=18.804000 sentbyte=1061 rcvdbyte=6464 devtype=itan osname=iquidexe osversion=1.2314 mastersrcmac=fugia srcmac=01:00:5e:09:8f:0e crscore=5.320000 craction=onof crlevel=quam eventtype=rure user=ipis service=liqu hostname=unt2122.internal.local profile=orsitame reqtype=tassitas url=https://example.org/uidolor/turve.htm?temporai=uasiarch#ect direction=unknown msg=occae method=lpaqu cat=minimav catdesc=col device_id=riamea log_id=ern pri=low userfrom=odtempo adminprof=con timezone=CEST main_type=offici trigger_policy=uipexe sub_type=ium severity_level=quamqua policy=nsequatu src=10.38.18.72 src_port=3177 dst=10.202.250.141 dst_port=1824 http_method=volu http_url=quatDui http_host=stenat http_agent=liquip http_session_id=eiusmodt signature_subclass=dmi signature_id=4174 srccountry=ameaque content_switch_name=pitlabor server_pool_name=essequa false_positive_mitigation=ini user_name=maperia monitor_status=ovolup http_refer=https://mail.example.com/veniamq/uisno.htm?luptas=omm#eaquei http_version=iveli dev_id=lill threat_weight=voluptat history_threat_weight=aturveli threat_level=incidunt ftp_mode=tatnonp ftp_cmd=abi cipher_suite=nimave msg_id=atu +logver=siu date=2019-11-30 time=12:21:57 log_id=inrepr devid=cero devname=ita logid=xercitat type=meumfug subtype=umt level=very-high vd=laparia srcip=10.195.87.127 srcport=760 srcintf=lo3094 dstip=10.52.118.202 dstport=6556 dstintf=enp0s5751 poluuid=ectobe sessionid=rehender proto=udp action=block policyid=orinc trandisp=tcons duration=52.473000 sentbyte=7043 rcvdbyte=4714 devtype=suscipi osname=imipsam osversion=1.4674 mastersrcmac=hilm srcmac=01:00:5e:73:ca:c1 crscore=54.412000 craction=etd crlevel=erspici eventtype=tfug user=atatno service=sed hostname=luptat2613.internal.localhost profile=olupt reqtype=mipsum url=https://www.example.net/Maloru/lapariat.htm?tlabori=rehender#odtempo direction=inbound msg=alorum method=tmollit cat=bori catdesc=antium device_id=reetdo log_id=rchitec pri=medium userfrom=cipitlab adminprof=venia timezone=CT main_type=quid trigger_policy=mwrit sub_type=cid severity_level=lupt policy=adipisc src=10.182.124.88 src_port=116 dst=10.139.144.75 dst_port=5037 http_method=utodi http_url=isiutali http_host=oremeu http_agent=mquaerat http_session_id=conse signature_subclass=mestq signature_id=5535 srccountry=turQuisa content_switch_name=itasper server_pool_name=cidu false_positive_mitigation=ips user_name=modo monitor_status=ela http_refer=https://example.org/unti/niamqu.html?ris=veli#giatnu http_version=tanimide dev_id=ectetur threat_weight=umexer history_threat_weight=nim threat_level=nisiuta ftp_mode=cipitla ftp_cmd=ditautf cipher_suite=oluptasn msg_id=madmin +date=2019-12-14 time=7:24:31 logver=imadm devid=stla devname=cab logid=orr type=olu subtype=quatDu level=low vd=siste srcip=10.151.47.249 srcport=6697 srcintf=lo5632 dstip=10.155.194.6 dstport=3005 dstintf=enp0s6106 poluuid=quatDu sessionid=deFinib proto=HOPOPT action=block policyid=taedic trandisp=ffi duration=130.219000 sentbyte=2693 rcvdbyte=568 devtype=consequ osname=rumw osversion=1.1386 mastersrcmac=temveleu srcmac=01:00:5e:df:96:27 crscore=104.315000 craction=item crlevel=remipsum eventtype=olupt user=usc service=ernat hostname=neavo4796.internal.domain profile=tatemac reqtype=exer url=https://www5.example.com/xea/ssecill.html?quianonn=quun#one direction=internal msg=riame method=uaUte cat=quae catdesc=utlabor device_id=ameius log_id=tate pri=very-high userfrom=lupta adminprof=atemseq timezone=CEST main_type=amcolab trigger_policy=ectobea sub_type=itsedq severity_level=pta policy=remipsu src=10.35.10.19 src_port=3941 dst=10.188.124.185 dst_port=5837 http_method=tali http_url=tasper http_host=amquisn http_agent=esciu http_session_id=iamea signature_subclass=perspi signature_id=7117 srccountry=emaccus content_switch_name=expl server_pool_name=giat false_positive_mitigation=uscipi user_name=dolo monitor_status=tionevol http_refer=https://internal.example.com/uptatema/dutpers.htm?tion=iumdol#ept http_version=Mal dev_id=tquasia threat_weight=ficiad history_threat_weight=roinBC threat_level=eufu ftp_mode=tio ftp_cmd=equatDu cipher_suite=exea msg_id=tasnulap diff --git a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json new file mode 100644 index 00000000000..78030aa2c53 --- /dev/null +++ b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json @@ -0,0 +1,7714 @@ +[ + { + "@timestamp": "2016-01-29T08:09:59.000Z", + "destination.bytes": 449, + "destination.geo.country_name": "sequa", + "destination.ip": [ + "10.44.173.44" + ], + "destination.nat.ip": "10.189.58.145", + "destination.nat.port": 5273, + "destination.port": 6125, + "event.action": "allow", + "event.code": "sse", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=iusm devname=\"modtempo\" devid=\"olab\" vd=nto date=2016-1-29 time=6:09:59 logid=sse type=exercita subtype=der level=very-high eventtime=odoco logtime=ria srcip=10.20.234.169 srcport=1001 srcintf=eth5722 srcintfrole=vol dstip=10.44.173.44 dstport=6125 dstintf=enp0s3068 dstintfrole=nseq poluuid=itinvol sessionid=psa proto=21 action=allow policyid=ntium policytype=psaq crscore=13.800000 craction=eab crlevel=aliqu appcat=Ute service=lupt srccountry=dolore dstcountry=sequa trandisp=abo tranip=10.189.58.145 tranport=5273 duration=14.119000 sentbyte=7880 rcvdbyte=449 sentpkt=mqui app=nci", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "very-high", + "log.offset": 0, + "network.bytes": 8329, + "observer.egress.interface.name": "enp0s3068", + "observer.ingress.interface.name": "eth5722", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.44.173.44", + "10.20.234.169", + "10.189.58.145" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "der", + "rsa.misc.context": "abo", + "rsa.misc.event_source": "modtempo", + "rsa.misc.event_type": "exercita", + "rsa.misc.hardware_id": "olab", + "rsa.misc.log_session_id": "psa", + "rsa.misc.obj_name": "nci", + "rsa.misc.policy_id": "ntium", + "rsa.misc.reference_id": "sse", + "rsa.misc.severity": "very-high", + "rsa.misc.vsys": "nto", + "rsa.network.dinterface": "enp0s3068", + "rsa.network.network_service": "lupt", + "rsa.network.sinterface": "eth5722", + "rsa.time.duration_time": 14.119, + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "rsa.time.event_time_str": "odoco", + "rsa.web.reputation_num": 13.8, + "service.type": "fortinet", + "source.bytes": 7880, + "source.geo.country_name": "dolore", + "source.ip": [ + "10.20.234.169" + ], + "source.port": 1001, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-12T03:12:33.000Z", + "destination.bytes": 3879, + "destination.ip": [ + "10.171.204.166" + ], + "destination.port": 6668, + "event.action": "accept", + "event.code": "atio", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2016-2-12 time=1:12:33 logver=litesse devid=orev devname=pisciv logid=uii type=umexe subtype=estlabo level=high vd=iatnu srcip=10.182.84.248 srcport=4880 srcintf=enp0s208 dstip=10.162.33.193 dstport=7200 dstintf=enp0s2581 poluuid=nulapari sessionid=mwritten proto=prm action=accept policyid=uidolor trandisp=nibus duration=72.226000 sentbyte=6378 rcvdbyte=3879 devtype=riosam osname=anonnu osversion=1.410 mastersrcmac=ameaqu srcmac=01:00:5e:84:66:6c crscore=145.047000 craction=squame crlevel=ntex eventtype=eius user=luptat service=emape hostname=aer445.host profile=eumiu reqtype=uame url=https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS direction=external msg=com method=eataevi cat=byC catdesc=tinculp device_id=tur log_id=atio pri=high userfrom=atemsequ adminprof=nci timezone=CEST main_type=eFini trigger_policy=amco sub_type=exe severity_level=iatu policy=ionofde src=10.62.4.246 src_port=189 dst=10.171.204.166 dst_port=6668 http_method=mol http_url=taspe http_host=mvolu http_agent=radip http_session_id=tNequ signature_subclass=gelit signature_id=6728 srccountry=tconsec content_switch_name=nsequat server_pool_name=taev false_positive_mitigation=roidents user_name=oluptas monitor_status=llu http_refer=https://api.example.org/tamremap/tur.html?radipis=isetq#estqui http_version=uasiarch dev_id=emaper threat_weight=ssitasp history_threat_weight=eum threat_level=sum ftp_mode=uaerat ftp_cmd=boreet cipher_suite=onev msg_id=tenima", + "event.timezone": "CEST", + "fileset.name": "fortimanager", + "host.name": "aer445.host", + "http.request.referrer": "https://api.example.org/tamremap/tur.html?radipis=isetq#estqui", + "input.type": "log", + "log.level": "high", + "log.offset": 593, + "network.bytes": 10257, + "network.direction": "external", + "observer.egress.interface.name": "enp0s2581", + "observer.ingress.interface.name": "enp0s208", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.410", + "related.hosts": [ + "aer445.host" + ], + "related.ip": [ + "10.171.204.166", + "10.62.4.246" + ], + "related.user": [ + "oluptas" + ], + "rsa.internal.event_desc": "com", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "eius", + "rsa.misc.OS": "anonnu", + "rsa.misc.action": [ + "accept", + "mol" + ], + "rsa.misc.category": "exe", + "rsa.misc.client": "radip", + "rsa.misc.context": "nibus", + "rsa.misc.event_source": "pisciv", + "rsa.misc.event_type": "umexe", + "rsa.misc.fcatnum": "byC", + "rsa.misc.filter": "tinculp", + "rsa.misc.hardware_id": "tur", + "rsa.misc.log_session_id": "tNequ", + "rsa.misc.policy_id": "uidolor", + "rsa.misc.policy_name": "ionofde", + "rsa.misc.reference_id": "atio", + "rsa.misc.rule_name": "eumiu", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 6728, + "rsa.misc.version": "1.410", + "rsa.misc.vsys": "iatnu", + "rsa.network.alias_host": [ + "aer445.host" + ], + "rsa.network.dinterface": "enp0s2581", + "rsa.network.network_service": "emape", + "rsa.network.sinterface": "enp0s208", + "rsa.threat.threat_desc": "sum", + "rsa.time.duration_time": 72.226, + "rsa.time.event_time": "2016-02-12T03:12:33.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.reputation_num": 145.047, + "rsa.web.web_ref_domain": "mvolu", + "rule.name": "eumiu", + "service.type": "fortinet", + "source.bytes": 6378, + "source.geo.country_name": "tconsec", + "source.ip": [ + "10.62.4.246" + ], + "source.mac": "01:00:5e:84:66:6c", + "source.port": 189, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www.example.net/orisn/cca.htm?ofdeF=metcons#roinBCS", + "url.query": "taspe", + "user.name": "oluptas" + }, + { + "@timestamp": "2016-02-26T10:15:08.000Z", + "destination.bytes": 13, + "destination.geo.country_name": "ima", + "destination.ip": [ + "10.94.103.117" + ], + "destination.nat.ip": "10.15.159.80", + "destination.nat.port": 6378, + "destination.port": 513, + "event.action": "allow", + "event.code": "tia", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=seq dtime=2016-02-26 20:15:08.252538723 +0000 UTC devid=olorema devname=ccaecat vd=veleumi date=2016-2-26 time=8:15:08 logid=tia type=enim subtype=dqu level=medium eventtime=uian logtime=tempo srcip=10.200.188.142 srcport=4665 srcintf=eth4496 srcintfrole=eetd dstip=10.94.103.117 dstport=513 dstintf=enp0s3491 dstintfrole=doloreeu poluuid=pori sessionid=occ proto=icmp action=allow policyid=reetdolo policytype=nrepreh crscore=18.839000 craction=uiano crlevel=mrema appcat=autfu service=natura srccountry=aboris dstcountry=ima trandisp=tanimi tranip=10.15.159.80 tranport=6378 duration=121.916000 sentbyte=6517 rcvdbyte=13 sentpkt=ugiatqu app=eacomm", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "medium", + "log.offset": 2051, + "network.bytes": 6530, + "observer.egress.interface.name": "enp0s3491", + "observer.ingress.interface.name": "eth4496", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.94.103.117", + "10.15.159.80", + "10.200.188.142" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "dqu", + "rsa.misc.context": "tanimi", + "rsa.misc.event_source": "ccaecat", + "rsa.misc.event_type": "enim", + "rsa.misc.hardware_id": "olorema", + "rsa.misc.log_session_id": "occ", + "rsa.misc.obj_name": "eacomm", + "rsa.misc.policy_id": "reetdolo", + "rsa.misc.reference_id": "tia", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "veleumi", + "rsa.network.dinterface": "enp0s3491", + "rsa.network.network_service": "natura", + "rsa.network.sinterface": "eth4496", + "rsa.time.duration_time": 121.916, + "rsa.time.event_time": "2016-02-26T10:15:08.000Z", + "rsa.time.event_time_str": "uian", + "rsa.web.reputation_num": 18.839, + "service.type": "fortinet", + "source.bytes": 6517, + "source.geo.country_name": "aboris", + "source.ip": [ + "10.200.188.142" + ], + "source.port": 4665, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-12T05:17:42.000Z", + "destination.bytes": 3269, + "destination.geo.country_name": "amquisno", + "destination.ip": [ + "10.50.112.141" + ], + "destination.nat.ip": "10.27.88.95", + "destination.nat.port": 776, + "destination.port": 7303, + "event.action": "cancel", + "event.code": "nimadmi", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=liqu devname=\"lorem\" devid=\"emq\" vd=isiu date=2016-3-12 time=3:17:42 logid=nimadmi type=iatisu subtype=iat level=low eventtime=suntinc logtime=elits srcip=10.131.233.27 srcport=5037 srcintf=eth3676 srcintfrole=eataevit dstip=10.50.112.141 dstport=7303 dstintf=eth3391 dstintfrole=olab poluuid=mquisnos sessionid=loremagn proto=1 action=cancel policyid=tsed policytype=orai crscore=61.614000 craction=incididu crlevel=eci appcat=aali service=ametcons srccountry=porainc dstcountry=amquisno trandisp=iinea tranip=10.27.88.95 tranport=776 duration=5.911000 sentbyte=1147 rcvdbyte=3269 sentpkt=tvol app=moll", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "low", + "log.offset": 2708, + "network.bytes": 4416, + "observer.egress.interface.name": "eth3391", + "observer.ingress.interface.name": "eth3676", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.131.233.27", + "10.27.88.95", + "10.50.112.141" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "iat", + "rsa.misc.context": "iinea", + "rsa.misc.event_source": "lorem", + "rsa.misc.event_type": "iatisu", + "rsa.misc.hardware_id": "emq", + "rsa.misc.log_session_id": "loremagn", + "rsa.misc.obj_name": "moll", + "rsa.misc.policy_id": "tsed", + "rsa.misc.reference_id": "nimadmi", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "isiu", + "rsa.network.dinterface": "eth3391", + "rsa.network.network_service": "ametcons", + "rsa.network.sinterface": "eth3676", + "rsa.time.duration_time": 5.911, + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "rsa.time.event_time_str": "suntinc", + "rsa.web.reputation_num": 61.614, + "service.type": "fortinet", + "source.bytes": 1147, + "source.geo.country_name": "porainc", + "source.ip": [ + "10.131.233.27" + ], + "source.port": 5037, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-26T12:20:16.000Z", + "destination.bytes": 3982, + "destination.ip": [ + "10.157.213.15" + ], + "destination.port": 3539, + "event.action": "allow", + "event.code": "ddoeiu", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2016-3-26 time=10:20:16 logver=inim devid=ema devname=roinBCSe logid=onse type=tae subtype=tatno level=very-high vd=oluptate srcip=10.52.54.178 srcport=4427 srcintf=lo1567 dstip=10.37.58.155 dstport=2430 dstintf=eth6096 poluuid=ciati sessionid=ercit proto=3 action=allow policyid=eniam trandisp=reetdolo duration=165.411000 sentbyte=7651 rcvdbyte=3982 devtype=rumet osname=oll osversion=1.5670 mastersrcmac=nido srcmac=01:00:5e:c3:0a:41 crscore=71.955000 craction=itlabori crlevel=Ciceroi eventtype=aveniam user=uradi service=nimadmin hostname=olo7148.mail.home profile=snulapar reqtype=aedic url=https://api.example.com/iumto/aboreetd.gif?dun=enim#saute direction=internal msg=eriame method=lorema cat=avol catdesc=labor device_id=atuse log_id=ddoeiu pri=high userfrom=idolore adminprof=onse timezone=PST main_type=tation trigger_policy=ips sub_type=emeumfug severity_level=upta policy=omn src=10.87.212.179 src_port=1758 dst=10.157.213.15 dst_port=3539 http_method=ali http_url=nsect http_host=ntutl http_agent=caecatc http_session_id=onsequat signature_subclass=siuta signature_id=2896 srccountry=loru content_switch_name=ema server_pool_name=par false_positive_mitigation=itaut user_name=rveli monitor_status=rsint http_refer=https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf http_version=antiumto dev_id=strude threat_weight=ctetura history_threat_weight=usmod threat_level=edqui ftp_mode=mquidol ftp_cmd=ita cipher_suite=ipi msg_id=rsitamet", + "event.timezone": "PST", + "fileset.name": "fortimanager", + "host.name": "olo7148.mail.home", + "http.request.referrer": "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf", + "input.type": "log", + "log.level": "high", + "log.offset": 3319, + "network.bytes": 11633, + "network.direction": "internal", + "network.protocol": "GGP", + "observer.egress.interface.name": "eth6096", + "observer.ingress.interface.name": "lo1567", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.5670", + "related.hosts": [ + "olo7148.mail.home" + ], + "related.ip": [ + "10.87.212.179", + "10.157.213.15" + ], + "related.user": [ + "rveli" + ], + "rsa.internal.event_desc": "eriame", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "aveniam", + "rsa.misc.OS": "oll", + "rsa.misc.action": [ + "ali", + "allow" + ], + "rsa.misc.category": "emeumfug", + "rsa.misc.client": "caecatc", + "rsa.misc.context": "reetdolo", + "rsa.misc.event_source": "roinBCSe", + "rsa.misc.event_type": "tae", + "rsa.misc.fcatnum": "avol", + "rsa.misc.filter": "labor", + "rsa.misc.hardware_id": "atuse", + "rsa.misc.log_session_id": "onsequat", + "rsa.misc.policy_id": "eniam", + "rsa.misc.policy_name": "omn", + "rsa.misc.reference_id": "ddoeiu", + "rsa.misc.rule_name": "snulapar", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 2896, + "rsa.misc.version": "1.5670", + "rsa.misc.vsys": "oluptate", + "rsa.network.alias_host": [ + "olo7148.mail.home" + ], + "rsa.network.dinterface": "eth6096", + "rsa.network.network_service": "nimadmin", + "rsa.network.sinterface": "lo1567", + "rsa.threat.threat_desc": "edqui", + "rsa.time.duration_time": 165.411, + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "rsa.time.timezone": "PST", + "rsa.web.reputation_num": 71.955, + "rsa.web.web_ref_domain": "ntutl", + "rule.name": "snulapar", + "service.type": "fortinet", + "source.bytes": 7651, + "source.geo.country_name": "loru", + "source.ip": [ + "10.87.212.179" + ], + "source.mac": "01:00:5e:c3:0a:41", + "source.port": 1758, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://api.example.com/iumto/aboreetd.gif?dun=enim#saute", + "url.query": "nsect", + "user.name": "rveli" + }, + { + "@timestamp": "2016-04-09T07:22:51.000Z", + "destination.bytes": 927, + "destination.ip": [ + "10.76.73.140" + ], + "destination.port": 3075, + "event.action": "accept", + "event.code": "moenimi", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2016-4-9 time=5:22:51 logver=eseru devid=remeum devname=orain logid=quip type=oin subtype=uisquam level=high vd=tinvol srcip=10.19.68.92 srcport=1409 srcintf=enp0s33 dstip=10.38.22.45 dstport=7036 dstintf=lo1120 poluuid=ditautfu sessionid=piscing proto=icmp action=accept policyid=ostr trandisp=rudexerc duration=135.013000 sentbyte=3369 rcvdbyte=927 devtype=itaut osname=imaven osversion=1.152 mastersrcmac=umdolo srcmac=01:00:5e:f7:4a:fd crscore=169.252000 craction=tfug crlevel=icab eventtype=mwr user=fugi service=inculpaq hostname=agna7678.internal.host profile=equa reqtype=mexercit url=https://www.example.net/tasuntex/sunt.txt?ume=incidi#picia direction=unknown msg=olupt method=dit cat=sumquiad catdesc=dexeaco device_id=ivelits log_id=moenimi pri=medium userfrom=etdolo adminprof=inv timezone=CEST main_type=ommod trigger_policy=sequatur sub_type=uidolo severity_level=lumquido policy=nihi src=10.114.150.67 src_port=1407 dst=10.76.73.140 dst_port=3075 http_method=uines http_url=nsec http_host=onse http_agent=emips http_session_id=imadmi signature_subclass=ostrume signature_id=6051 srccountry=eataev content_switch_name=liquide server_pool_name=uasia false_positive_mitigation=emp user_name=aperia monitor_status=ofdeFini http_refer=https://example.org/vol/riat.htm?atvol=umiur#imad http_version=msequi dev_id=isnostru threat_weight=iquaUten history_threat_weight=santium threat_level=iciatisu ftp_mode=rehender ftp_cmd=eporroqu cipher_suite=uat msg_id=tem", + "event.timezone": "CEST", + "fileset.name": "fortimanager", + "host.name": "agna7678.internal.host", + "http.request.referrer": "https://example.org/vol/riat.htm?atvol=umiur#imad", + "input.type": "log", + "log.level": "medium", + "log.offset": 4778, + "network.bytes": 4296, + "network.direction": "unknown", + "observer.egress.interface.name": "lo1120", + "observer.ingress.interface.name": "enp0s33", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.152", + "related.hosts": [ + "agna7678.internal.host" + ], + "related.ip": [ + "10.76.73.140", + "10.114.150.67" + ], + "related.user": [ + "aperia" + ], + "rsa.internal.event_desc": "olupt", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "mwr", + "rsa.misc.OS": "imaven", + "rsa.misc.action": [ + "uines", + "accept" + ], + "rsa.misc.category": "uidolo", + "rsa.misc.client": "emips", + "rsa.misc.context": "rudexerc", + "rsa.misc.event_source": "orain", + "rsa.misc.event_type": "oin", + "rsa.misc.fcatnum": "sumquiad", + "rsa.misc.filter": "dexeaco", + "rsa.misc.hardware_id": "ivelits", + "rsa.misc.log_session_id": "imadmi", + "rsa.misc.policy_id": "ostr", + "rsa.misc.policy_name": "nihi", + "rsa.misc.reference_id": "moenimi", + "rsa.misc.rule_name": "equa", + "rsa.misc.severity": "medium", + "rsa.misc.sig_id": 6051, + "rsa.misc.version": "1.152", + "rsa.misc.vsys": "tinvol", + "rsa.network.alias_host": [ + "agna7678.internal.host" + ], + "rsa.network.dinterface": "lo1120", + "rsa.network.network_service": "inculpaq", + "rsa.network.sinterface": "enp0s33", + "rsa.threat.threat_desc": "iciatisu", + "rsa.time.duration_time": 135.013, + "rsa.time.event_time": "2016-04-09T07:22:51.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.reputation_num": 169.252, + "rsa.web.web_ref_domain": "onse", + "rule.name": "equa", + "service.type": "fortinet", + "source.bytes": 3369, + "source.geo.country_name": "eataev", + "source.ip": [ + "10.114.150.67" + ], + "source.mac": "01:00:5e:f7:4a:fd", + "source.port": 1407, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www.example.net/tasuntex/sunt.txt?ume=incidi#picia", + "url.query": "nsec", + "user.name": "aperia" + }, + { + "@timestamp": "2016-04-24T14:25:25.000Z", + "destination.bytes": 3605, + "destination.ip": [ + "10.95.64.124" + ], + "destination.port": 7042, + "event.action": "accept", + "event.code": "run", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=suntinc date=2016-4-24 time=12:25:25 log_id=xeac devid=nidolo devname=tatn logid=eli type=nnu subtype=dolo level=low vd=nse srcip=10.202.204.239 srcport=7783 srcintf=lo2857 dstip=10.147.28.176 dstport=7432 dstintf=enp0s1462 poluuid=mporain sessionid=icons proto=0 action=accept policyid=sequi trandisp=rehend duration=3.138000 sentbyte=6354 rcvdbyte=3605 devtype=numqu osname=qui osversion=1.4059 mastersrcmac=equi srcmac=01:00:5e:68:86:a1 crscore=72.701000 craction=tat crlevel=ipitla eventtype=quae user=maccusa service=uptat hostname=equep5085.mail.domain profile=aqu reqtype=rpo url=https://www.example.org/inesci/serror.html?mqu=apariat#tlabore direction=internal msg=ihilm method=atDu cat=eav catdesc=ionevo device_id=remagn log_id=run pri=very-high userfrom=iamquis adminprof=quirat timezone=CET main_type=ittenbyC trigger_policy=isc sub_type=aturve severity_level=emulla policy=mpori src=10.195.36.51 src_port=3905 dst=10.95.64.124 dst_port=7042 http_method=iadese http_url=nsectet http_host=utla http_agent=utei http_session_id=laborum signature_subclass=tionof signature_id=7613 srccountry=oin content_switch_name=lapari server_pool_name=data false_positive_mitigation=dolor user_name=nnum monitor_status=eritqu http_refer=https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu http_version=namali dev_id=taevit threat_weight=rinrepre history_threat_weight=etconse threat_level=tincu ftp_mode=ari ftp_cmd=exercit cipher_suite=sci msg_id=quamnih", + "event.timezone": "CET", + "fileset.name": "fortimanager", + "host.name": "equep5085.mail.domain", + "http.request.referrer": "https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu", + "input.type": "log", + "log.level": "very-high", + "log.offset": 6253, + "network.bytes": 9959, + "network.direction": "internal", + "observer.egress.interface.name": "enp0s1462", + "observer.ingress.interface.name": "lo2857", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.4059", + "related.hosts": [ + "equep5085.mail.domain" + ], + "related.ip": [ + "10.95.64.124", + "10.195.36.51" + ], + "related.user": [ + "nnum" + ], + "rsa.internal.event_desc": "ihilm", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "quae", + "rsa.misc.OS": "qui", + "rsa.misc.action": [ + "accept", + "iadese" + ], + "rsa.misc.category": "aturve", + "rsa.misc.client": "utei", + "rsa.misc.context": "rehend", + "rsa.misc.event_source": "tatn", + "rsa.misc.event_type": "nnu", + "rsa.misc.fcatnum": "eav", + "rsa.misc.filter": "ionevo", + "rsa.misc.hardware_id": "remagn", + "rsa.misc.log_session_id": "laborum", + "rsa.misc.policy_id": "sequi", + "rsa.misc.policy_name": "mpori", + "rsa.misc.reference_id": "run", + "rsa.misc.rule_name": "aqu", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id": 7613, + "rsa.misc.version": "1.4059", + "rsa.misc.vsys": "nse", + "rsa.network.alias_host": [ + "equep5085.mail.domain" + ], + "rsa.network.dinterface": "enp0s1462", + "rsa.network.network_service": "uptat", + "rsa.network.sinterface": "lo2857", + "rsa.threat.threat_desc": "tincu", + "rsa.time.duration_time": 3.138, + "rsa.time.event_time": "2016-04-24T14:25:25.000Z", + "rsa.time.timezone": "CET", + "rsa.web.reputation_num": 72.701, + "rsa.web.web_ref_domain": "utla", + "rule.name": "aqu", + "service.type": "fortinet", + "source.bytes": 6354, + "source.geo.country_name": "oin", + "source.ip": [ + "10.195.36.51" + ], + "source.mac": "01:00:5e:68:86:a1", + "source.port": 3905, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www.example.org/inesci/serror.html?mqu=apariat#tlabore", + "url.query": "nsectet", + "user.name": "nnum" + }, + { + "@timestamp": "2016-05-08T09:27:59.000Z", + "destination.bytes": 3818, + "destination.geo.country_name": "sectetur", + "destination.ip": [ + "10.186.85.3" + ], + "destination.nat.ip": "10.114.16.155", + "destination.nat.port": 1608, + "destination.port": 5366, + "event.action": "allow", + "event.code": "tMalor", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=occae dtime=2016-05-08 07:27:59.552538723 +0000 UTC devid=ctetura devname=labore vd=texp date=2016-5-8 time=7:27:59 logid=tMalor type=acc subtype=amc level=very-high eventtime=amest logtime=corp srcip=10.176.216.90 srcport=2428 srcintf=eth2591 srcintfrole=dantiumt dstip=10.186.85.3 dstport=5366 dstintf=lo821 dstintfrole=ento poluuid=pic sessionid=evita proto=prm action=allow policyid=duntut policytype=magni crscore=102.339000 craction=uptat crlevel=uam appcat=boris service=nti srccountry=abi dstcountry=sectetur trandisp=uioffi tranip=10.114.16.155 tranport=1608 duration=62.941000 sentbyte=5110 rcvdbyte=3818 sentpkt=ipi app=reseos", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "very-high", + "log.offset": 7719, + "network.bytes": 8928, + "observer.egress.interface.name": "lo821", + "observer.ingress.interface.name": "eth2591", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.114.16.155", + "10.176.216.90", + "10.186.85.3" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "amc", + "rsa.misc.context": "uioffi", + "rsa.misc.event_source": "labore", + "rsa.misc.event_type": "acc", + "rsa.misc.hardware_id": "ctetura", + "rsa.misc.log_session_id": "evita", + "rsa.misc.obj_name": "reseos", + "rsa.misc.policy_id": "duntut", + "rsa.misc.reference_id": "tMalor", + "rsa.misc.severity": "very-high", + "rsa.misc.vsys": "texp", + "rsa.network.dinterface": "lo821", + "rsa.network.network_service": "nti", + "rsa.network.sinterface": "eth2591", + "rsa.time.duration_time": 62.941, + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + "rsa.time.event_time_str": "amest", + "rsa.web.reputation_num": 102.339, + "service.type": "fortinet", + "source.bytes": 5110, + "source.geo.country_name": "abi", + "source.ip": [ + "10.176.216.90" + ], + "source.port": 2428, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-22T04:30:33.000Z", + "destination.bytes": 3252, + "destination.ip": [ + "10.61.163.4" + ], + "destination.port": 1232, + "event.action": "cancel", + "event.code": "dictasu", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=mcolab date=2016-5-22 time=2:30:33 log_id=neav devid=oquisqu devname=sperna logid=eabilloi type=estia subtype=tper level=very-high vd=volupt srcip=10.188.169.107 srcport=2138 srcintf=eth6448 dstip=10.214.7.83 dstport=1696 dstintf=lo1616 poluuid=tenatu sessionid=uun proto=HOPOPT action=cancel policyid=ectio trandisp=dutper duration=4.781000 sentbyte=3423 rcvdbyte=3252 devtype=radi osname=gel osversion=1.3917 mastersrcmac=iduntu srcmac=01:00:5e:21:f5:0a crscore=57.435000 craction=uamqu crlevel=lor eventtype=oide user=dolore service=amvolu hostname=eturadi6608.mail.host profile=aera reqtype=ate url=https://api.example.com/nimid/itatione.htm?umwr=oluptate#issus direction=inbound msg=uaUteni method=udantium cat=pre catdesc=xeacom device_id=stlabo log_id=dictasu pri=low userfrom=catc adminprof=nsect timezone=GMT-07:00 main_type=asia trigger_policy=econs sub_type=uir severity_level=dol policy=essecil src=10.23.62.94 src_port=4368 dst=10.61.163.4 dst_port=1232 http_method=luptatem http_url=atem http_host=gnido http_agent=ratvolu http_session_id=olup signature_subclass=numqua signature_id=1411 srccountry=inculpa content_switch_name=abo server_pool_name=veniamqu false_positive_mitigation=nse user_name=non monitor_status=paquioff http_refer=https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema http_version=intocc dev_id=liqu threat_weight=eporr history_threat_weight=xeacomm threat_level=mveleu ftp_mode=nofdeFin ftp_cmd=sequam cipher_suite=temvel msg_id=ris", + "event.timezone": "GMT-07:00", + "fileset.name": "fortimanager", + "host.name": "eturadi6608.mail.host", + "http.request.referrer": "https://www5.example.org/maven/hende.jpg?labor=didunt#uptatema", + "input.type": "log", + "log.level": "low", + "log.offset": 8364, + "network.bytes": 6675, + "network.direction": "inbound", + "observer.egress.interface.name": "lo1616", + "observer.ingress.interface.name": "eth6448", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.3917", + "related.hosts": [ + "eturadi6608.mail.host" + ], + "related.ip": [ + "10.61.163.4", + "10.23.62.94" + ], + "related.user": [ + "non" + ], + "rsa.internal.event_desc": "uaUteni", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "oide", + "rsa.misc.OS": "gel", + "rsa.misc.action": [ + "luptatem", + "cancel" + ], + "rsa.misc.category": "uir", + "rsa.misc.client": "ratvolu", + "rsa.misc.context": "dutper", + "rsa.misc.event_source": "sperna", + "rsa.misc.event_type": "estia", + "rsa.misc.fcatnum": "pre", + "rsa.misc.filter": "xeacom", + "rsa.misc.hardware_id": "stlabo", + "rsa.misc.log_session_id": "olup", + "rsa.misc.policy_id": "ectio", + "rsa.misc.policy_name": "essecil", + "rsa.misc.reference_id": "dictasu", + "rsa.misc.rule_name": "aera", + "rsa.misc.severity": "low", + "rsa.misc.sig_id": 1411, + "rsa.misc.version": "1.3917", + "rsa.misc.vsys": "volupt", + "rsa.network.alias_host": [ + "eturadi6608.mail.host" + ], + "rsa.network.dinterface": "lo1616", + "rsa.network.network_service": "amvolu", + "rsa.network.sinterface": "eth6448", + "rsa.threat.threat_desc": "mveleu", + "rsa.time.duration_time": 4.781, + "rsa.time.event_time": "2016-05-22T04:30:33.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.reputation_num": 57.435, + "rsa.web.web_ref_domain": "gnido", + "rule.name": "aera", + "service.type": "fortinet", + "source.bytes": 3423, + "source.geo.country_name": "inculpa", + "source.ip": [ + "10.23.62.94" + ], + "source.mac": "01:00:5e:21:f5:0a", + "source.port": 4368, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://api.example.com/nimid/itatione.htm?umwr=oluptate#issus", + "url.query": "atem", + "user.name": "non" + }, + { + "@timestamp": "2016-06-05T11:33:08.000Z", + "destination.bytes": 5074, + "destination.ip": [ + "10.106.31.86" + ], + "destination.port": 4198, + "event.action": "deny", + "event.code": "tium", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2016-6-5 time=9:33:08 logver=nisiuta devid=tvolu devname=ecte logid=tinvolu type=iurer subtype=iciadese level=medium vd=gnaaliq srcip=10.52.135.156 srcport=2660 srcintf=eth4502 dstip=10.133.89.11 dstport=1098 dstintf=lo4901 poluuid=sintoc sessionid=volupt proto=1 action=deny policyid=uiinea trandisp=Utenima duration=111.502000 sentbyte=1871 rcvdbyte=5074 devtype=ptatem osname=Nequepor osversion=1.2580 mastersrcmac=ugiatnu srcmac=01:00:5e:4a:7f:b8 crscore=103.738000 craction=mnisi crlevel=scivelit eventtype=tDuisaut user=oinBC service=quameius hostname=ipsumdol4488.api.localdomain profile=ommodico reqtype=ptas url=https://example.com/tetu/stru.htm?tlabore=Exc#pora direction=unknown msg=uteirure method=nevo cat=ide catdesc=aali device_id=adip log_id=tium pri=very-high userfrom=iusmodi adminprof=uamest timezone=PST main_type=uiac trigger_policy=epte sub_type=idolo severity_level=quinesc policy=madmi src=10.28.76.42 src_port=3427 dst=10.106.31.86 dst_port=4198 http_method=sno http_url=atno http_host=tani http_agent=volu http_session_id=nonn signature_subclass=inventor signature_id=6088 srccountry=autf content_switch_name=quamni server_pool_name=iatisu false_positive_mitigation=sec user_name=cons monitor_status=sBon http_refer=https://www.example.com/tae/ccaec.htm?aperiame=isc#ullamcor http_version=tobea dev_id=tor threat_weight=qui history_threat_weight=ntmollit threat_level=tenatus ftp_mode=cipitlab ftp_cmd=ipsumd cipher_suite=antiu msg_id=uirati", + "event.timezone": "PST", + "fileset.name": "fortimanager", + "host.name": "ipsumdol4488.api.localdomain", + "http.request.referrer": "https://www.example.com/tae/ccaec.htm?aperiame=isc#ullamcor", + "input.type": "log", + "log.level": "very-high", + "log.offset": 9850, + "network.bytes": 6945, + "network.direction": "unknown", + "observer.egress.interface.name": "lo4901", + "observer.ingress.interface.name": "eth4502", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.2580", + "related.hosts": [ + "ipsumdol4488.api.localdomain" + ], + "related.ip": [ + "10.106.31.86", + "10.28.76.42" + ], + "related.user": [ + "cons" + ], + "rsa.internal.event_desc": "uteirure", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "tDuisaut", + "rsa.misc.OS": "Nequepor", + "rsa.misc.action": [ + "sno", + "deny" + ], + "rsa.misc.category": "idolo", + "rsa.misc.client": "volu", + "rsa.misc.context": "Utenima", + "rsa.misc.event_source": "ecte", + "rsa.misc.event_type": "iurer", + "rsa.misc.fcatnum": "ide", + "rsa.misc.filter": "aali", + "rsa.misc.hardware_id": "adip", + "rsa.misc.log_session_id": "nonn", + "rsa.misc.policy_id": "uiinea", + "rsa.misc.policy_name": "madmi", + "rsa.misc.reference_id": "tium", + "rsa.misc.rule_name": "ommodico", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id": 6088, + "rsa.misc.version": "1.2580", + "rsa.misc.vsys": "gnaaliq", + "rsa.network.alias_host": [ + "ipsumdol4488.api.localdomain" + ], + "rsa.network.dinterface": "lo4901", + "rsa.network.network_service": "quameius", + "rsa.network.sinterface": "eth4502", + "rsa.threat.threat_desc": "tenatus", + "rsa.time.duration_time": 111.502, + "rsa.time.event_time": "2016-06-05T11:33:08.000Z", + "rsa.time.timezone": "PST", + "rsa.web.reputation_num": 103.738, + "rsa.web.web_ref_domain": "tani", + "rule.name": "ommodico", + "service.type": "fortinet", + "source.bytes": 1871, + "source.geo.country_name": "autf", + "source.ip": [ + "10.28.76.42" + ], + "source.mac": "01:00:5e:4a:7f:b8", + "source.port": 3427, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://example.com/tetu/stru.htm?tlabore=Exc#pora", + "url.query": "atno", + "user.name": "cons" + }, + { + "@timestamp": "2016-06-20T06:35:42.000Z", + "destination.bytes": 7130, + "destination.geo.country_name": "lup", + "destination.ip": [ + "10.106.162.153" + ], + "destination.nat.ip": "10.58.214.16", + "destination.nat.port": 508, + "destination.port": 341, + "event.action": "accept", + "event.code": "osquira", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=ersp dtime=2016-06-20 04:35:42.332538723 +0000 UTC devid=tquov devname=diconseq vd=inven date=2016-6-20 time=4:35:42 logid=osquira type=tes subtype=mquame level=medium eventtime=tnulapa logtime=orain srcip=10.238.164.74 srcport=2201 srcintf=lo4249 srcintfrole=madmi dstip=10.106.162.153 dstport=341 dstintf=lo7114 dstintfrole=amvo poluuid=qui sessionid=tasn proto=1 action=accept policyid=squirati policytype=Sedutp crscore=92.058000 craction=nbyCic crlevel=utlabor appcat=itessequ service=porro srccountry=ine dstcountry=lup trandisp=tatemUt tranip=10.58.214.16 tranport=508 duration=166.566000 sentbyte=2715 rcvdbyte=7130 sentpkt=pici app=abor", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "medium", + "log.offset": 11323, + "network.bytes": 9845, + "observer.egress.interface.name": "lo7114", + "observer.ingress.interface.name": "lo4249", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.238.164.74", + "10.106.162.153", + "10.58.214.16" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "mquame", + "rsa.misc.context": "tatemUt", + "rsa.misc.event_source": "diconseq", + "rsa.misc.event_type": "tes", + "rsa.misc.hardware_id": "tquov", + "rsa.misc.log_session_id": "tasn", + "rsa.misc.obj_name": "abor", + "rsa.misc.policy_id": "squirati", + "rsa.misc.reference_id": "osquira", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "inven", + "rsa.network.dinterface": "lo7114", + "rsa.network.network_service": "porro", + "rsa.network.sinterface": "lo4249", + "rsa.time.duration_time": 166.566, + "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "rsa.time.event_time_str": "tnulapa", + "rsa.web.reputation_num": 92.058, + "service.type": "fortinet", + "source.bytes": 2715, + "source.geo.country_name": "ine", + "source.ip": [ + "10.238.164.74" + ], + "source.port": 2201, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-04T13:38:16.000Z", + "destination.bytes": 5300, + "destination.geo.country_name": "eumiu", + "destination.ip": [ + "10.217.150.196" + ], + "destination.nat.ip": "10.110.31.190", + "destination.nat.port": 945, + "destination.port": 4639, + "event.action": "cancel", + "event.code": "udexerci", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=tquiin dtime=2016-07-04 11:38:16.592538723 +0000 UTC devid=tse devname=tenimad vd=minimav date=2016-7-4 time=11:38:16 logid=udexerci type=naal subtype=lore level=high eventtime=idolore logtime=pid srcip=10.225.141.20 srcport=2282 srcintf=enp0s4046 srcintfrole=natuse dstip=10.217.150.196 dstport=4639 dstintf=lo2438 dstintfrole=archite poluuid=loreme sessionid=untu proto=6 action=cancel policyid=datatno policytype=siutali crscore=49.988000 craction=usmodte crlevel=msequi appcat=tau service=exercita srccountry=ris dstcountry=eumiu trandisp=orumSe tranip=10.110.31.190 tranport=945 duration=12.946000 sentbyte=248 rcvdbyte=5300 sentpkt=eeufugia app=evit", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "high", + "log.offset": 11976, + "network.bytes": 5548, + "observer.egress.interface.name": "lo2438", + "observer.ingress.interface.name": "enp0s4046", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.110.31.190", + "10.217.150.196", + "10.225.141.20" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "lore", + "rsa.misc.context": "orumSe", + "rsa.misc.event_source": "tenimad", + "rsa.misc.event_type": "naal", + "rsa.misc.hardware_id": "tse", + "rsa.misc.log_session_id": "untu", + "rsa.misc.obj_name": "evit", + "rsa.misc.policy_id": "datatno", + "rsa.misc.reference_id": "udexerci", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "minimav", + "rsa.network.dinterface": "lo2438", + "rsa.network.network_service": "exercita", + "rsa.network.sinterface": "enp0s4046", + "rsa.time.duration_time": 12.946, + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "rsa.time.event_time_str": "idolore", + "rsa.web.reputation_num": 49.988, + "service.type": "fortinet", + "source.bytes": 248, + "source.geo.country_name": "ris", + "source.ip": [ + "10.225.141.20" + ], + "source.port": 2282, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-18T08:40:50.000Z", + "destination.bytes": 7741, + "destination.ip": [ + "10.69.103.176" + ], + "destination.port": 1229, + "event.action": "deny", + "event.code": "mexe", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2016-7-18 time=6:40:50 devname=molli device_id=velitse log_id=oditem type=generic subtype=gitsedqu pri=very-high devid=oremi devname=mestq logid=temUt type=olor subtype=ineavo level=very-high vd=mquelau srcip=10.168.236.85 srcport=6846 srcintf=eth651 dstip=10.140.113.244 dstport=4374 dstintf=lo4367 poluuid=fugitsed sessionid=quam proto=tcp action=deny policyid=fugiat trandisp=atisun duration=101.653000 sentbyte=3962 rcvdbyte=7741 devtype=dmin osname=fugi osversion=1.3319 mastersrcmac=inci srcmac=01:00:5e:e6:ad:ae crscore=39.291000 craction=avol crlevel=icero eventtype=xer user=emipsumd service=isisten hostname=cusant4946.www.domain profile=itecto reqtype=reetdol url=https://api.example.com/isnostr/umqu.htm?emquia=inesci#isnisi direction=unknown msg=aquioffi method=tamet cat=quatur catdesc=uisa device_id=eFi log_id=mexe pri=high userfrom=rpori adminprof=ice timezone=GMT+02:00 main_type=entorev trigger_policy=commodo sub_type=conseq severity_level=ame policy=tatn src=10.137.56.173 src_port=3932 dst=10.69.103.176 dst_port=1229 http_method=umdolo http_url=uptate http_host=amc http_agent=cusant http_session_id=orumSe signature_subclass=ratv signature_id=5227 srccountry=dutp content_switch_name=psaquaea server_pool_name=taevita false_positive_mitigation=ameiusm user_name=proide monitor_status=ano http_refer=https://www5.example.org/tvol/velitess.htm?edqui=nre#veli http_version=volupta dev_id=rnatu threat_weight=elitse history_threat_weight=ima threat_level=quasia ftp_mode=adi ftp_cmd=umwrit cipher_suite=uptate msg_id=mac", + "event.timezone": "GMT+02:00", + "fileset.name": "fortimanager", + "host.name": "cusant4946.www.domain", + "http.request.referrer": "https://www5.example.org/tvol/velitess.htm?edqui=nre#veli", + "input.type": "log", + "log.level": "high", + "log.offset": 12639, + "network.bytes": 11703, + "network.direction": "unknown", + "observer.egress.interface.name": "lo4367", + "observer.ingress.interface.name": "eth651", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.3319", + "related.hosts": [ + "cusant4946.www.domain" + ], + "related.ip": [ + "10.69.103.176", + "10.137.56.173" + ], + "related.user": [ + "proide" + ], + "rsa.internal.event_desc": "aquioffi", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "xer", + "rsa.misc.OS": "fugi", + "rsa.misc.action": [ + "umdolo", + "deny" + ], + "rsa.misc.category": "conseq", + "rsa.misc.client": "cusant", + "rsa.misc.context": "atisun", + "rsa.misc.event_source": "mestq", + "rsa.misc.event_type": "olor", + "rsa.misc.fcatnum": "quatur", + "rsa.misc.filter": "uisa", + "rsa.misc.hardware_id": "eFi", + "rsa.misc.log_session_id": "orumSe", + "rsa.misc.policy_id": "fugiat", + "rsa.misc.policy_name": "tatn", + "rsa.misc.reference_id": "mexe", + "rsa.misc.rule_name": "itecto", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 5227, + "rsa.misc.version": "1.3319", + "rsa.misc.vsys": "mquelau", + "rsa.network.alias_host": [ + "cusant4946.www.domain" + ], + "rsa.network.dinterface": "lo4367", + "rsa.network.network_service": "isisten", + "rsa.network.sinterface": "eth651", + "rsa.threat.threat_desc": "quasia", + "rsa.time.duration_time": 101.653, + "rsa.time.event_time": "2016-07-18T08:40:50.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.reputation_num": 39.291, + "rsa.web.web_ref_domain": "amc", + "rule.name": "itecto", + "service.type": "fortinet", + "source.bytes": 3962, + "source.geo.country_name": "dutp", + "source.ip": [ + "10.137.56.173" + ], + "source.mac": "01:00:5e:e6:ad:ae", + "source.port": 3932, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://api.example.com/isnostr/umqu.htm?emquia=inesci#isnisi", + "url.query": "uptate", + "user.name": "proide" + }, + { + "@timestamp": "2016-08-02T03:43:25.000Z", + "destination.bytes": 7122, + "destination.geo.country_name": "mvele", + "destination.ip": [ + "10.5.235.217" + ], + "destination.nat.ip": "10.25.212.118", + "destination.nat.port": 1190, + "destination.port": 3689, + "event.action": "deny", + "event.code": "onulam", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=dolore devname=\"onsecte\" devid=\"nBCSedut\" vd=ugiat date=2016-8-2 time=1:43:25 logid=onulam type=ate subtype=odoconse level=high eventtime=quatu logtime=veli srcip=10.30.47.165 srcport=631 srcintf=eth267 srcintfrole=sectet dstip=10.5.235.217 dstport=3689 dstintf=lo5047 dstintfrole=pitl poluuid=por sessionid=quidexea proto=tcp action=deny policyid=runtmol policytype=texpli crscore=57.772000 craction=ptass crlevel=rita appcat=esseci service=tametcon srccountry=liqua dstcountry=mvele trandisp=isis tranip=10.25.212.118 tranport=1190 duration=179.686000 sentbyte=238 rcvdbyte=7122 sentpkt=dantium app=lor", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "high", + "log.offset": 14185, + "network.bytes": 7360, + "observer.egress.interface.name": "lo5047", + "observer.ingress.interface.name": "eth267", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.5.235.217", + "10.25.212.118", + "10.30.47.165" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "odoconse", + "rsa.misc.context": "isis", + "rsa.misc.event_source": "onsecte", + "rsa.misc.event_type": "ate", + "rsa.misc.hardware_id": "nBCSedut", + "rsa.misc.log_session_id": "quidexea", + "rsa.misc.obj_name": "lor", + "rsa.misc.policy_id": "runtmol", + "rsa.misc.reference_id": "onulam", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "ugiat", + "rsa.network.dinterface": "lo5047", + "rsa.network.network_service": "tametcon", + "rsa.network.sinterface": "eth267", + "rsa.time.duration_time": 179.686, + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "rsa.time.event_time_str": "quatu", + "rsa.web.reputation_num": 57.772, + "service.type": "fortinet", + "source.bytes": 238, + "source.geo.country_name": "liqua", + "source.ip": [ + "10.30.47.165" + ], + "source.port": 631, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-16T10:45:59.000Z", + "destination.bytes": 6247, + "destination.ip": [ + "10.40.152.253" + ], + "destination.port": 1478, + "event.action": "deny", + "event.code": "ipsamvo", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2016-8-16 time=8:45:59 logver=onemulla devid=dolorem devname=tvolu logid=nreprehe type=tetu subtype=mdol level=high vd=nby srcip=10.20.26.210 srcport=2791 srcintf=eth5968 dstip=10.85.96.153 dstport=5286 dstintf=eth4392 poluuid=nsequat sessionid=doloreme proto=0 action=deny policyid=reprehe trandisp=tincu duration=93.111000 sentbyte=2826 rcvdbyte=6247 devtype=lor osname=oraincid osversion=1.225 mastersrcmac=emeumfug srcmac=01:00:5e:1d:39:39 crscore=114.626000 craction=liqua crlevel=olo eventtype=psumqu user=untincul service=iduntu hostname=ccaeca5504.internal.example profile=reseo reqtype=oreetd url=https://example.org/tiaec/rumwrit.txt?oconsequ=edquiac#urerepr direction=external msg=ercit method=etMal cat=qua catdesc=rsita device_id=ate log_id=ipsamvo pri=low userfrom=adeseru adminprof=tdol timezone=CET main_type=rem trigger_policy=asper sub_type=idunt severity_level=luptat policy=eveli src=10.149.13.76 src_port=7809 dst=10.40.152.253 dst_port=1478 http_method=ritt http_url=iaeco http_host=equaturv http_agent=siu http_session_id=snost signature_subclass=tpersp signature_id=2624 srccountry=quaea content_switch_name=ametcons server_pool_name=utali false_positive_mitigation=porinc user_name=tetur monitor_status=xce http_refer=https://example.com/aincidu/nimadmin.jpg?itinv=eumfugi#etdolor http_version=lupta dev_id=xeaco threat_weight=nvolupt history_threat_weight=oremi threat_level=elites ftp_mode=nbyCi ftp_cmd=tevel cipher_suite=usc msg_id=rem", + "event.timezone": "CET", + "fileset.name": "fortimanager", + "host.name": "ccaeca5504.internal.example", + "http.request.referrer": "https://example.com/aincidu/nimadmin.jpg?itinv=eumfugi#etdolor", + "input.type": "log", + "log.level": "low", + "log.offset": 14797, + "network.bytes": 9073, + "network.direction": "external", + "observer.egress.interface.name": "eth4392", + "observer.ingress.interface.name": "eth5968", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.225", + "related.hosts": [ + "ccaeca5504.internal.example" + ], + "related.ip": [ + "10.149.13.76", + "10.40.152.253" + ], + "related.user": [ + "tetur" + ], + "rsa.internal.event_desc": "ercit", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "psumqu", + "rsa.misc.OS": "oraincid", + "rsa.misc.action": [ + "ritt", + "deny" + ], + "rsa.misc.category": "idunt", + "rsa.misc.client": "siu", + "rsa.misc.context": "tincu", + "rsa.misc.event_source": "tvolu", + "rsa.misc.event_type": "tetu", + "rsa.misc.fcatnum": "qua", + "rsa.misc.filter": "rsita", + "rsa.misc.hardware_id": "ate", + "rsa.misc.log_session_id": "snost", + "rsa.misc.policy_id": "reprehe", + "rsa.misc.policy_name": "eveli", + "rsa.misc.reference_id": "ipsamvo", + "rsa.misc.rule_name": "reseo", + "rsa.misc.severity": "low", + "rsa.misc.sig_id": 2624, + "rsa.misc.version": "1.225", + "rsa.misc.vsys": "nby", + "rsa.network.alias_host": [ + "ccaeca5504.internal.example" + ], + "rsa.network.dinterface": "eth4392", + "rsa.network.network_service": "iduntu", + "rsa.network.sinterface": "eth5968", + "rsa.threat.threat_desc": "elites", + "rsa.time.duration_time": 93.111, + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "rsa.time.timezone": "CET", + "rsa.web.reputation_num": 114.626, + "rsa.web.web_ref_domain": "equaturv", + "rule.name": "reseo", + "service.type": "fortinet", + "source.bytes": 2826, + "source.geo.country_name": "quaea", + "source.ip": [ + "10.149.13.76" + ], + "source.mac": "01:00:5e:1d:39:39", + "source.port": 7809, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://example.org/tiaec/rumwrit.txt?oconsequ=edquiac#urerepr", + "url.query": "iaeco", + "user.name": "tetur" + }, + { + "@timestamp": "2016-08-30T05:48:33.000Z", + "destination.bytes": 4844, + "destination.geo.country_name": "eufugi", + "destination.ip": [ + "10.51.213.42" + ], + "destination.nat.ip": "10.233.120.207", + "destination.nat.port": 136, + "destination.port": 988, + "event.action": "deny", + "event.code": "isetq", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=cab dtime=2016-08-30 15:48:33.632538723 +0000 UTC devid=atisund devname=xea vd=ites date=2016-8-30 time=3:48:33 logid=isetq type=iutali subtype=velite level=high eventtime=avolupt logtime=ariatur srcip=10.98.194.212 srcport=5469 srcintf=lo1208 srcintfrole=atisetqu dstip=10.51.213.42 dstport=988 dstintf=enp0s3449 dstintfrole=ilmol poluuid=eri sessionid=quunt proto=HOPOPT action=deny policyid=mquae policytype=eriti crscore=96.729000 craction=cidunt crlevel=plica appcat=ore service=quidolor srccountry=inven dstcountry=eufugi trandisp=accusant tranip=10.233.120.207 tranport=136 duration=171.844000 sentbyte=2859 rcvdbyte=4844 sentpkt=eaqu app=nvol", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "high", + "log.offset": 16267, + "network.bytes": 7703, + "observer.egress.interface.name": "enp0s3449", + "observer.ingress.interface.name": "lo1208", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.98.194.212", + "10.51.213.42", + "10.233.120.207" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "velite", + "rsa.misc.context": "accusant", + "rsa.misc.event_source": "xea", + "rsa.misc.event_type": "iutali", + "rsa.misc.hardware_id": "atisund", + "rsa.misc.log_session_id": "quunt", + "rsa.misc.obj_name": "nvol", + "rsa.misc.policy_id": "mquae", + "rsa.misc.reference_id": "isetq", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "ites", + "rsa.network.dinterface": "enp0s3449", + "rsa.network.network_service": "quidolor", + "rsa.network.sinterface": "lo1208", + "rsa.time.duration_time": 171.844, + "rsa.time.event_time": "2016-08-30T05:48:33.000Z", + "rsa.time.event_time_str": "avolupt", + "rsa.web.reputation_num": 96.729, + "service.type": "fortinet", + "source.bytes": 2859, + "source.geo.country_name": "inven", + "source.ip": [ + "10.98.194.212" + ], + "source.port": 5469, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-13T12:51:07.000Z", + "destination.bytes": 7301, + "destination.geo.country_name": "tenatuse", + "destination.ip": [ + "10.67.132.242" + ], + "destination.nat.ip": "10.241.132.176", + "destination.nat.port": 7224, + "destination.port": 2340, + "event.action": "allow", + "event.code": "dat", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=leumiu devname=\"tla\" devid=\"item\" vd=nimid date=2016-9-13 time=10:51:07 logid=dat type=periam subtype=dqu level=high eventtime=dminima logtime=dutpers srcip=10.245.187.229 srcport=4953 srcintf=lo3642 srcintfrole=prehen dstip=10.67.132.242 dstport=2340 dstintf=enp0s2700 dstintfrole=sequa poluuid=iosamnis sessionid=volupt proto=6 action=allow policyid=idid policytype=tesse crscore=64.509000 craction=boru crlevel=ptateve appcat=enderi service=ptatem srccountry=ptatevel dstcountry=tenatuse trandisp=psaqua tranip=10.241.132.176 tranport=7224 duration=167.705000 sentbyte=6595 rcvdbyte=7301 sentpkt=tame app=atione", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "high", + "log.offset": 16925, + "network.bytes": 13896, + "observer.egress.interface.name": "enp0s2700", + "observer.ingress.interface.name": "lo3642", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.67.132.242", + "10.241.132.176", + "10.245.187.229" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "dqu", + "rsa.misc.context": "psaqua", + "rsa.misc.event_source": "tla", + "rsa.misc.event_type": "periam", + "rsa.misc.hardware_id": "item", + "rsa.misc.log_session_id": "volupt", + "rsa.misc.obj_name": "atione", + "rsa.misc.policy_id": "idid", + "rsa.misc.reference_id": "dat", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "nimid", + "rsa.network.dinterface": "enp0s2700", + "rsa.network.network_service": "ptatem", + "rsa.network.sinterface": "lo3642", + "rsa.time.duration_time": 167.705, + "rsa.time.event_time": "2016-09-13T12:51:07.000Z", + "rsa.time.event_time_str": "dminima", + "rsa.web.reputation_num": 64.509, + "service.type": "fortinet", + "source.bytes": 6595, + "source.geo.country_name": "ptatevel", + "source.ip": [ + "10.245.187.229" + ], + "source.port": 4953, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-28T07:53:42.000Z", + "destination.bytes": 1775, + "destination.ip": [ + "10.199.47.220" + ], + "destination.port": 4084, + "event.action": "allow", + "event.code": "urmagn", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2016-9-28 time=5:53:42 logver=vitaedic devid=orin devname=uii logid=estl type=sitam subtype=orem level=very-high vd=uuntur srcip=10.210.28.247 srcport=3449 srcintf=eth4185 dstip=10.237.180.17 dstport=3023 dstintf=lo7672 poluuid=tate sessionid=onevo proto=6 action=allow policyid=aeconseq trandisp=lor duration=96.560000 sentbyte=2760 rcvdbyte=1775 devtype=emqu osname=riss osversion=1.1847 mastersrcmac=sitvol srcmac=01:00:5e:a5:5a:54 crscore=129.120000 craction=olorsi crlevel=aliq eventtype=mes user=mven service=olorsit hostname=tore7088.www.invalid profile=ruredo reqtype=mac url=https://mail.example.org/ptassita/its.gif?risnis=uov#itlab direction=outbound msg=sBono method=loremqu cat=tetur catdesc=amvo device_id=siuta log_id=urmagn pri=low userfrom=uptat adminprof=idex timezone=GMT+02:00 main_type=tatione trigger_policy=nimveni sub_type=idi severity_level=ore policy=quid src=10.212.214.4 src_port=6040 dst=10.199.47.220 dst_port=4084 http_method=oin http_url=hil http_host=cingel http_agent=modocon http_session_id=ipsu signature_subclass=ntNeq signature_id=1081 srccountry=aUt content_switch_name=boNem server_pool_name=nturm false_positive_mitigation=emips user_name=atv monitor_status=onu http_refer=https://www5.example.net/alorum/obeataev.gif?atDu=nsec#quidolor http_version=oqu dev_id=naaliq threat_weight=remeu history_threat_weight=osquir threat_level=mod ftp_mode=col ftp_cmd=mve cipher_suite=liquide msg_id=odt", + "event.timezone": "GMT+02:00", + "fileset.name": "fortimanager", + "host.name": "tore7088.www.invalid", + "http.request.referrer": "https://www5.example.net/alorum/obeataev.gif?atDu=nsec#quidolor", + "input.type": "log", + "log.level": "low", + "log.offset": 17547, + "network.bytes": 4535, + "network.direction": "outbound", + "observer.egress.interface.name": "lo7672", + "observer.ingress.interface.name": "eth4185", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.1847", + "related.hosts": [ + "tore7088.www.invalid" + ], + "related.ip": [ + "10.199.47.220", + "10.212.214.4" + ], + "related.user": [ + "atv" + ], + "rsa.internal.event_desc": "sBono", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "mes", + "rsa.misc.OS": "riss", + "rsa.misc.action": [ + "allow", + "oin" + ], + "rsa.misc.category": "idi", + "rsa.misc.client": "modocon", + "rsa.misc.context": "lor", + "rsa.misc.event_source": "uii", + "rsa.misc.event_type": "sitam", + "rsa.misc.fcatnum": "tetur", + "rsa.misc.filter": "amvo", + "rsa.misc.hardware_id": "siuta", + "rsa.misc.log_session_id": "ipsu", + "rsa.misc.policy_id": "aeconseq", + "rsa.misc.policy_name": "quid", + "rsa.misc.reference_id": "urmagn", + "rsa.misc.rule_name": "ruredo", + "rsa.misc.severity": "low", + "rsa.misc.sig_id": 1081, + "rsa.misc.version": "1.1847", + "rsa.misc.vsys": "uuntur", + "rsa.network.alias_host": [ + "tore7088.www.invalid" + ], + "rsa.network.dinterface": "lo7672", + "rsa.network.network_service": "olorsit", + "rsa.network.sinterface": "eth4185", + "rsa.threat.threat_desc": "mod", + "rsa.time.duration_time": 96.56, + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.reputation_num": 129.12, + "rsa.web.web_ref_domain": "cingel", + "rule.name": "ruredo", + "service.type": "fortinet", + "source.bytes": 2760, + "source.geo.country_name": "aUt", + "source.ip": [ + "10.212.214.4" + ], + "source.mac": "01:00:5e:a5:5a:54", + "source.port": 6040, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://mail.example.org/ptassita/its.gif?risnis=uov#itlab", + "url.query": "hil", + "user.name": "atv" + }, + { + "@timestamp": "2016-10-12T14:56:16.000Z", + "destination.bytes": 4059, + "destination.ip": [ + "10.234.165.130" + ], + "destination.port": 7079, + "event.action": "deny", + "event.code": "henderit", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2016-10-12 time=12:56:16 logver=inv devid=rroq devname=rcit logid=aecatcup type=olabor subtype=estl level=very-high vd=citatio srcip=10.168.40.197 srcport=7699 srcintf=enp0s3071 dstip=10.206.69.135 dstport=6396 dstintf=eth3862 poluuid=utfug sessionid=aturQu proto=udp action=deny policyid=mipsamvo trandisp=eiusmod duration=91.147000 sentbyte=6153 rcvdbyte=4059 devtype=oreveri osname=ehende osversion=1.760 mastersrcmac=Except srcmac=01:00:5e:bf:07:ee crscore=45.760000 craction=dol crlevel=sciun eventtype=metcons user=itasper service=uae hostname=mve1890.internal.home profile=tatemU reqtype=mad url=https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut direction=unknown msg=dexerc method=strumex cat=eprehend catdesc=asnu device_id=hitec log_id=henderit pri=medium userfrom=perspici adminprof=ationul timezone=PST main_type=itsedq trigger_policy=uto sub_type=emUte severity_level=molestia policy=quir src=10.46.56.204 src_port=2463 dst=10.234.165.130 dst_port=7079 http_method=umf http_url=quames http_host=dolorsit http_agent=archite http_session_id=remq signature_subclass=veniamq signature_id=1236 srccountry=uta content_switch_name=emo server_pool_name=itq false_positive_mitigation=derit user_name=orese monitor_status=dolor http_refer=https://mail.example.com/ntexpl/dunt.jpg?yCic=nder#mdolore http_version=Cic dev_id=olorema threat_weight=mollita history_threat_weight=tatem threat_level=iae ftp_mode=quido ftp_cmd=emip cipher_suite=inBC msg_id=mol", + "event.timezone": "PST", + "fileset.name": "fortimanager", + "host.name": "mve1890.internal.home", + "http.request.referrer": "https://mail.example.com/ntexpl/dunt.jpg?yCic=nder#mdolore", + "input.type": "log", + "log.level": "medium", + "log.offset": 18984, + "network.bytes": 10212, + "network.direction": "unknown", + "observer.egress.interface.name": "eth3862", + "observer.ingress.interface.name": "enp0s3071", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.760", + "related.hosts": [ + "mve1890.internal.home" + ], + "related.ip": [ + "10.46.56.204", + "10.234.165.130" + ], + "related.user": [ + "orese" + ], + "rsa.internal.event_desc": "dexerc", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "metcons", + "rsa.misc.OS": "ehende", + "rsa.misc.action": [ + "deny", + "umf" + ], + "rsa.misc.category": "emUte", + "rsa.misc.client": "archite", + "rsa.misc.context": "eiusmod", + "rsa.misc.event_source": "rcit", + "rsa.misc.event_type": "olabor", + "rsa.misc.fcatnum": "eprehend", + "rsa.misc.filter": "asnu", + "rsa.misc.hardware_id": "hitec", + "rsa.misc.log_session_id": "remq", + "rsa.misc.policy_id": "mipsamvo", + "rsa.misc.policy_name": "quir", + "rsa.misc.reference_id": "henderit", + "rsa.misc.rule_name": "tatemU", + "rsa.misc.severity": "medium", + "rsa.misc.sig_id": 1236, + "rsa.misc.version": "1.760", + "rsa.misc.vsys": "citatio", + "rsa.network.alias_host": [ + "mve1890.internal.home" + ], + "rsa.network.dinterface": "eth3862", + "rsa.network.network_service": "uae", + "rsa.network.sinterface": "enp0s3071", + "rsa.threat.threat_desc": "iae", + "rsa.time.duration_time": 91.147, + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "rsa.time.timezone": "PST", + "rsa.web.reputation_num": 45.76, + "rsa.web.web_ref_domain": "dolorsit", + "rule.name": "tatemU", + "service.type": "fortinet", + "source.bytes": 6153, + "source.geo.country_name": "uta", + "source.ip": [ + "10.46.56.204" + ], + "source.mac": "01:00:5e:bf:07:ee", + "source.port": 2463, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www.example.org/redol/gnaa.htm?aliquamq=dtempori#toditaut", + "url.query": "quames", + "user.name": "orese" + }, + { + "@timestamp": "2016-10-26T09:58:50.000Z", + "destination.bytes": 4527, + "destination.ip": [ + "10.95.117.134" + ], + "destination.port": 1723, + "event.action": "block", + "event.code": "rsi", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=turadipi date=2016-10-26 time=7:58:50 log_id=usmodi devid=ree devname=saquaea logid=ation type=luptas subtype=minim level=very-high vd=lorsi srcip=10.61.123.159 srcport=754 srcintf=eth7713 dstip=10.141.158.225 dstport=4690 dstintf=lo1586 poluuid=ate sessionid=idolor proto=1 action=block policyid=nreprehe trandisp=onse duration=71.505000 sentbyte=4010 rcvdbyte=4527 devtype=duntutla osname=ntium osversion=1.4450 mastersrcmac=asuntexp srcmac=01:00:5e:26:56:73 crscore=5.843000 craction=nse crlevel=modoc eventtype=boNem user=iumt service=tsed hostname=eturad6143.www.home profile=uamnihil reqtype=llam url=https://example.net/aparia/tatnon.jpg?rever=ore#offici direction=outbound msg=metco method=acom cat=ceroinB catdesc=nim device_id=utaliqu log_id=rsi pri=high userfrom=imadmi adminprof=isnis timezone=CEST main_type=olupta trigger_policy=tsuntinc sub_type=inrepreh severity_level=quovo policy=urExcep src=10.128.46.70 src_port=5269 dst=10.95.117.134 dst_port=1723 http_method=acommodi http_url=essecill http_host=billoi http_agent=moles http_session_id=dipiscin signature_subclass=olup signature_id=5976 srccountry=undeomni content_switch_name=accusa server_pool_name=natu false_positive_mitigation=liquid user_name=enim monitor_status=Finibus http_refer=https://www.example.org/xeacom/des.gif?umdolo=ntiu#radipisc http_version=Cice dev_id=taedi threat_weight=tquido history_threat_weight=ptasnula threat_level=oru ftp_mode=ill ftp_cmd=mporinc cipher_suite=onsectet msg_id=idolo", + "event.timezone": "CEST", + "fileset.name": "fortimanager", + "host.name": "eturad6143.www.home", + "http.request.referrer": "https://www.example.org/xeacom/des.gif?umdolo=ntiu#radipisc", + "input.type": "log", + "log.level": "high", + "log.offset": 20462, + "network.bytes": 8537, + "network.direction": "outbound", + "observer.egress.interface.name": "lo1586", + "observer.ingress.interface.name": "eth7713", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.4450", + "related.hosts": [ + "eturad6143.www.home" + ], + "related.ip": [ + "10.128.46.70", + "10.95.117.134" + ], + "related.user": [ + "enim" + ], + "rsa.internal.event_desc": "metco", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "boNem", + "rsa.misc.OS": "ntium", + "rsa.misc.action": [ + "block", + "acommodi" + ], + "rsa.misc.category": "inrepreh", + "rsa.misc.client": "moles", + "rsa.misc.context": "onse", + "rsa.misc.event_source": "saquaea", + "rsa.misc.event_type": "luptas", + "rsa.misc.fcatnum": "ceroinB", + "rsa.misc.filter": "nim", + "rsa.misc.hardware_id": "utaliqu", + "rsa.misc.log_session_id": "dipiscin", + "rsa.misc.policy_id": "nreprehe", + "rsa.misc.policy_name": "urExcep", + "rsa.misc.reference_id": "rsi", + "rsa.misc.rule_name": "uamnihil", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 5976, + "rsa.misc.version": "1.4450", + "rsa.misc.vsys": "lorsi", + "rsa.network.alias_host": [ + "eturad6143.www.home" + ], + "rsa.network.dinterface": "lo1586", + "rsa.network.network_service": "tsed", + "rsa.network.sinterface": "eth7713", + "rsa.threat.threat_desc": "oru", + "rsa.time.duration_time": 71.505, + "rsa.time.event_time": "2016-10-26T09:58:50.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.reputation_num": 5.843, + "rsa.web.web_ref_domain": "billoi", + "rule.name": "uamnihil", + "service.type": "fortinet", + "source.bytes": 4010, + "source.geo.country_name": "undeomni", + "source.ip": [ + "10.128.46.70" + ], + "source.mac": "01:00:5e:26:56:73", + "source.port": 5269, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://example.net/aparia/tatnon.jpg?rever=ore#offici", + "url.query": "essecill", + "user.name": "enim" + }, + { + "@timestamp": "2016-11-10T05:01:24.000Z", + "destination.bytes": 1506, + "destination.ip": [ + "10.253.228.140" + ], + "destination.port": 6748, + "event.action": "cancel", + "event.code": "admi", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2016-11-10 time=3:01:24 logver=edolo devid=ugiatquo devname=ntium logid=uptate type=lloinven subtype=econs level=medium vd=tetura srcip=10.135.106.42 srcport=6602 srcintf=lo154 dstip=10.224.30.160 dstport=5302 dstintf=eth1247 poluuid=etconsec sessionid=caboNem proto=21 action=cancel policyid=rumetMal trandisp=oconse duration=2.970000 sentbyte=7685 rcvdbyte=1506 devtype=sequam osname=oditempo osversion=1.7544 mastersrcmac=taliqui srcmac=01:00:5e:98:79:a3 crscore=78.248000 craction=rcitat crlevel=dolorema eventtype=emagn user=radipis service=ctetu hostname=orinrep5386.www.corp profile=stenatus reqtype=equep url=https://www.example.com/tali/BCS.txt?iqu=niamqu#equamnih direction=inbound msg=autemv method=emq cat=plicaboN catdesc=amc device_id=vol log_id=admi pri=medium userfrom=culpaq adminprof=saute timezone=GMT+02:00 main_type=ende trigger_policy=abor sub_type=magnid severity_level=adol policy=iutal src=10.208.21.135 src_port=2721 dst=10.253.228.140 dst_port=6748 http_method=ugitse http_url=quiineav http_host=billoinv http_agent=sci http_session_id=col signature_subclass=obea signature_id=5700 srccountry=tatev content_switch_name=luptas server_pool_name=uptatem false_positive_mitigation=oinv user_name=inculp monitor_status=onofd http_refer=https://internal.example.org/nisiu/imad.html?ptatem=itasp#dexe http_version=tat dev_id=onproide threat_weight=ntmo history_threat_weight=loreeu threat_level=temse ftp_mode=aspernat ftp_cmd=ume cipher_suite=caecat msg_id=rautod", + "event.timezone": "GMT+02:00", + "fileset.name": "fortimanager", + "host.name": "orinrep5386.www.corp", + "http.request.referrer": "https://internal.example.org/nisiu/imad.html?ptatem=itasp#dexe", + "input.type": "log", + "log.level": "medium", + "log.offset": 21953, + "network.bytes": 9191, + "network.direction": "inbound", + "observer.egress.interface.name": "eth1247", + "observer.ingress.interface.name": "lo154", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.7544", + "related.hosts": [ + "orinrep5386.www.corp" + ], + "related.ip": [ + "10.253.228.140", + "10.208.21.135" + ], + "related.user": [ + "inculp" + ], + "rsa.internal.event_desc": "autemv", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "emagn", + "rsa.misc.OS": "oditempo", + "rsa.misc.action": [ + "ugitse", + "cancel" + ], + "rsa.misc.category": "magnid", + "rsa.misc.client": "sci", + "rsa.misc.context": "oconse", + "rsa.misc.event_source": "ntium", + "rsa.misc.event_type": "lloinven", + "rsa.misc.fcatnum": "plicaboN", + "rsa.misc.filter": "amc", + "rsa.misc.hardware_id": "vol", + "rsa.misc.log_session_id": "col", + "rsa.misc.policy_id": "rumetMal", + "rsa.misc.policy_name": "iutal", + "rsa.misc.reference_id": "admi", + "rsa.misc.rule_name": "stenatus", + "rsa.misc.severity": "medium", + "rsa.misc.sig_id": 5700, + "rsa.misc.version": "1.7544", + "rsa.misc.vsys": "tetura", + "rsa.network.alias_host": [ + "orinrep5386.www.corp" + ], + "rsa.network.dinterface": "eth1247", + "rsa.network.network_service": "ctetu", + "rsa.network.sinterface": "lo154", + "rsa.threat.threat_desc": "temse", + "rsa.time.duration_time": 2.97, + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.reputation_num": 78.248, + "rsa.web.web_ref_domain": "billoinv", + "rule.name": "stenatus", + "service.type": "fortinet", + "source.bytes": 7685, + "source.geo.country_name": "tatev", + "source.ip": [ + "10.208.21.135" + ], + "source.mac": "01:00:5e:98:79:a3", + "source.port": 2721, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www.example.com/tali/BCS.txt?iqu=niamqu#equamnih", + "url.query": "quiineav", + "user.name": "inculp" + }, + { + "@timestamp": "2016-11-24T12:03:59.000Z", + "destination.bytes": 4009, + "destination.ip": [ + "10.3.23.172" + ], + "destination.port": 7332, + "event.action": "cancel", + "event.code": "illoi", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=ercitat date=2016-11-24 time=10:03:59 log_id=lapar devid=ritati devname=edquia logid=itesse type=mullam subtype=mexerc level=medium vd=amvolu srcip=10.120.231.161 srcport=1129 srcintf=lo653 dstip=10.210.62.203 dstport=4381 dstintf=lo3057 poluuid=ataevita sessionid=oremqu proto=6 action=cancel policyid=velitsed trandisp=magnaali duration=92.900000 sentbyte=3984 rcvdbyte=4009 devtype=ulla osname=equatDu osversion=1.1710 mastersrcmac=aconse srcmac=01:00:5e:92:c2:23 crscore=20.350000 craction=squira crlevel=aliqui eventtype=ess user=uide service=scivel hostname=henderi724.www5.home profile=tquas reqtype=aquio url=https://www.example.com/iame/orroquis.htm?tiumd=ntmoll#mexer direction=internal msg=isnostru method=nofdeFi cat=aquioff catdesc=saqu device_id=remips log_id=illoi pri=medium userfrom=abori adminprof=uisnostr timezone=GMT+02:00 main_type=ilmole trigger_policy=ugi sub_type=niamquis severity_level=nisi policy=emveleum src=10.243.226.122 src_port=3512 dst=10.3.23.172 dst_port=7332 http_method=emullamc http_url=tec http_host=Nemo http_agent=tutlabo http_session_id=mveleum signature_subclass=liq signature_id=7229 srccountry=sBonorum content_switch_name=atems server_pool_name=quira false_positive_mitigation=tassita user_name=olorem monitor_status=sedquiac http_refer=https://www.example.com/atDuis/asnulapa.html?rumwri=velill#ore http_version=tation dev_id=loinve threat_weight=tatevel history_threat_weight=iumdolo threat_level=untu ftp_mode=ict ftp_cmd=squirati cipher_suite=tem msg_id=mestq", + "event.timezone": "GMT+02:00", + "fileset.name": "fortimanager", + "host.name": "henderi724.www5.home", + "http.request.referrer": "https://www.example.com/atDuis/asnulapa.html?rumwri=velill#ore", + "input.type": "log", + "log.level": "medium", + "log.offset": 23443, + "network.bytes": 7993, + "network.direction": "internal", + "observer.egress.interface.name": "lo3057", + "observer.ingress.interface.name": "lo653", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.1710", + "related.hosts": [ + "henderi724.www5.home" + ], + "related.ip": [ + "10.3.23.172", + "10.243.226.122" + ], + "related.user": [ + "olorem" + ], + "rsa.internal.event_desc": "isnostru", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "ess", + "rsa.misc.OS": "equatDu", + "rsa.misc.action": [ + "cancel", + "emullamc" + ], + "rsa.misc.category": "niamquis", + "rsa.misc.client": "tutlabo", + "rsa.misc.context": "magnaali", + "rsa.misc.event_source": "edquia", + "rsa.misc.event_type": "mullam", + "rsa.misc.fcatnum": "aquioff", + "rsa.misc.filter": "saqu", + "rsa.misc.hardware_id": "remips", + "rsa.misc.log_session_id": "mveleum", + "rsa.misc.policy_id": "velitsed", + "rsa.misc.policy_name": "emveleum", + "rsa.misc.reference_id": "illoi", + "rsa.misc.rule_name": "tquas", + "rsa.misc.severity": "medium", + "rsa.misc.sig_id": 7229, + "rsa.misc.version": "1.1710", + "rsa.misc.vsys": "amvolu", + "rsa.network.alias_host": [ + "henderi724.www5.home" + ], + "rsa.network.dinterface": "lo3057", + "rsa.network.network_service": "scivel", + "rsa.network.sinterface": "lo653", + "rsa.threat.threat_desc": "untu", + "rsa.time.duration_time": 92.9, + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.reputation_num": 20.35, + "rsa.web.web_ref_domain": "Nemo", + "rule.name": "tquas", + "service.type": "fortinet", + "source.bytes": 3984, + "source.geo.country_name": "sBonorum", + "source.ip": [ + "10.243.226.122" + ], + "source.mac": "01:00:5e:92:c2:23", + "source.port": 3512, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www.example.com/iame/orroquis.htm?tiumd=ntmoll#mexer", + "url.query": "tec", + "user.name": "olorem" + }, + { + "@timestamp": "2016-12-08T07:06:33.000Z", + "destination.bytes": 1651, + "destination.ip": [ + "10.106.85.174" + ], + "destination.port": 307, + "event.action": "cancel", + "event.code": "odoco", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=luptate date=2016-12-8 time=5:06:33 log_id=llamc devid=eleumiu devname=uei logid=Nequepo type=radipis subtype=cive level=low vd=orumSec srcip=10.56.74.7 srcport=6149 srcintf=eth2940 dstip=10.73.10.215 dstport=2079 dstintf=lo3472 poluuid=oeni sessionid=untutlab proto=0 action=cancel policyid=consecte trandisp=pteurs duration=26.872000 sentbyte=617 rcvdbyte=1651 devtype=ons osname=tiaecon osversion=1.5380 mastersrcmac=unt srcmac=01:00:5e:99:7b:4a crscore=124.392000 craction=queporro crlevel=uid eventtype=snostrum user=psa service=nculpaq hostname=reseosqu1629.mail.lan profile=utemvel reqtype=epteur url=https://www.example.net/iame/laudanti.htm?stquido=rsitvolu#mnisi direction=external msg=uameiusm method=adm cat=gelitsed catdesc=tiumto device_id=cor log_id=odoco pri=high userfrom=labore adminprof=ianonnu timezone=PST main_type=rum trigger_policy=erc sub_type=ehende severity_level=tutla policy=licaboNe src=10.94.242.80 src_port=2724 dst=10.106.85.174 dst_port=307 http_method=atiset http_url=serror http_host=onse http_agent=umquam http_session_id=emagn signature_subclass=emulla signature_id=1963 srccountry=iquaUt content_switch_name=mnihilm server_pool_name=redo false_positive_mitigation=etMaloru user_name=lmo monitor_status=iquidex http_refer=https://www.example.org/remipsu/tan.html?mcorpor=doconse#etdol http_version=dolorsi dev_id=nturmag threat_weight=tura history_threat_weight=osquirat threat_level=equat ftp_mode=aliquid ftp_cmd=usantiu cipher_suite=idunt msg_id=atqu", + "event.timezone": "PST", + "fileset.name": "fortimanager", + "host.name": "reseosqu1629.mail.lan", + "http.request.referrer": "https://www.example.org/remipsu/tan.html?mcorpor=doconse#etdol", + "input.type": "log", + "log.level": "high", + "log.offset": 24962, + "network.bytes": 2268, + "network.direction": "external", + "observer.egress.interface.name": "lo3472", + "observer.ingress.interface.name": "eth2940", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.5380", + "related.hosts": [ + "reseosqu1629.mail.lan" + ], + "related.ip": [ + "10.106.85.174", + "10.94.242.80" + ], + "related.user": [ + "lmo" + ], + "rsa.internal.event_desc": "uameiusm", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "snostrum", + "rsa.misc.OS": "tiaecon", + "rsa.misc.action": [ + "cancel", + "atiset" + ], + "rsa.misc.category": "ehende", + "rsa.misc.client": "umquam", + "rsa.misc.context": "pteurs", + "rsa.misc.event_source": "uei", + "rsa.misc.event_type": "radipis", + "rsa.misc.fcatnum": "gelitsed", + "rsa.misc.filter": "tiumto", + "rsa.misc.hardware_id": "cor", + "rsa.misc.log_session_id": "emagn", + "rsa.misc.policy_id": "consecte", + "rsa.misc.policy_name": "licaboNe", + "rsa.misc.reference_id": "odoco", + "rsa.misc.rule_name": "utemvel", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 1963, + "rsa.misc.version": "1.5380", + "rsa.misc.vsys": "orumSec", + "rsa.network.alias_host": [ + "reseosqu1629.mail.lan" + ], + "rsa.network.dinterface": "lo3472", + "rsa.network.network_service": "nculpaq", + "rsa.network.sinterface": "eth2940", + "rsa.threat.threat_desc": "equat", + "rsa.time.duration_time": 26.872, + "rsa.time.event_time": "2016-12-08T07:06:33.000Z", + "rsa.time.timezone": "PST", + "rsa.web.reputation_num": 124.392, + "rsa.web.web_ref_domain": "onse", + "rule.name": "utemvel", + "service.type": "fortinet", + "source.bytes": 617, + "source.geo.country_name": "iquaUt", + "source.ip": [ + "10.94.242.80" + ], + "source.mac": "01:00:5e:99:7b:4a", + "source.port": 2724, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www.example.net/iame/laudanti.htm?stquido=rsitvolu#mnisi", + "url.query": "serror", + "user.name": "lmo" + }, + { + "@timestamp": "2016-12-23T14:09:07.000Z", + "destination.bytes": 5749, + "destination.geo.country_name": "usm", + "destination.ip": [ + "10.247.53.179" + ], + "destination.nat.ip": "10.168.20.20", + "destination.nat.port": 68, + "destination.port": 6493, + "event.action": "block", + "event.code": "rspici", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=liquam dtime=2016-12-23 00:09:07.712538723 +0000 UTC devid=min devname=oluptat vd=odt date=2016-12-23 time=12:09:07 logid=rspici type=snisi subtype=magnaal level=low eventtime=etquasia logtime=nula srcip=10.117.63.181 srcport=5299 srcintf=lo7416 srcintfrole=Cicero dstip=10.247.53.179 dstport=6493 dstintf=lo3706 dstintfrole=atemaccu poluuid=veritat sessionid=aliquipe proto=3 action=block policyid=aer policytype=osquira crscore=171.144000 craction=minim crlevel=scipi appcat=tur service=acon srccountry=Nemoenim dstcountry=usm trandisp=labori tranip=10.168.20.20 tranport=68 duration=167.038000 sentbyte=7188 rcvdbyte=5749 sentpkt=xeac app=umdolors", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "low", + "log.offset": 26461, + "network.bytes": 12937, + "network.protocol": "GGP", + "observer.egress.interface.name": "lo3706", + "observer.ingress.interface.name": "lo7416", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.117.63.181", + "10.247.53.179", + "10.168.20.20" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "magnaal", + "rsa.misc.context": "labori", + "rsa.misc.event_source": "oluptat", + "rsa.misc.event_type": "snisi", + "rsa.misc.hardware_id": "min", + "rsa.misc.log_session_id": "aliquipe", + "rsa.misc.obj_name": "umdolors", + "rsa.misc.policy_id": "aer", + "rsa.misc.reference_id": "rspici", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "odt", + "rsa.network.dinterface": "lo3706", + "rsa.network.network_service": "acon", + "rsa.network.sinterface": "lo7416", + "rsa.time.duration_time": 167.038, + "rsa.time.event_time": "2016-12-23T14:09:07.000Z", + "rsa.time.event_time_str": "etquasia", + "rsa.web.reputation_num": 171.144, + "service.type": "fortinet", + "source.bytes": 7188, + "source.geo.country_name": "Nemoenim", + "source.ip": [ + "10.117.63.181" + ], + "source.port": 5299, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-06T09:11:41.000Z", + "destination.bytes": 405, + "destination.ip": [ + "10.53.168.187" + ], + "destination.port": 73, + "event.action": "block", + "event.code": "rsin", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=uiadolo date=2017-1-6 time=7:11:41 log_id=empor devid=umexerci devname=duntut logid=uovol type=prehend subtype=eufug level=low vd=eufug srcip=10.100.53.8 srcport=4318 srcintf=eth5767 dstip=10.163.17.172 dstport=854 dstintf=enp0s3903 poluuid=upta sessionid=atc proto=3 action=block policyid=upta trandisp=itessequ duration=165.935000 sentbyte=4211 rcvdbyte=405 devtype=exerci osname=idata osversion=1.2208 mastersrcmac=usmod srcmac=01:00:5e:c0:47:f3 crscore=135.374000 craction=isiutali crlevel=iquidexe eventtype=illumq user=luptatem service=ite hostname=tasnul4179.internal.host profile=amvo reqtype=tnul url=https://www.example.org/ess/quiad.jpg?ten=litanim#rQuisaut direction=inbound msg=modico method=metco cat=cillu catdesc=iuntNeq device_id=eddoei log_id=rsin pri=very-high userfrom=eriam adminprof=pernat timezone=CEST main_type=imve trigger_policy=essequam sub_type=ueporro severity_level=aliqu policy=upt src=10.141.156.217 src_port=2700 dst=10.53.168.187 dst_port=73 http_method=emacc http_url=emp http_host=lamcola http_agent=veli http_session_id=venia signature_subclass=risni signature_id=1535 srccountry=uat content_switch_name=onemulla server_pool_name=riaturEx false_positive_mitigation=deri user_name=amqu monitor_status=lorsitam http_refer=https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip http_version=upta dev_id=tetura threat_weight=rumet history_threat_weight=uptasnul threat_level=antiumdo ftp_mode=ecill ftp_cmd=iduntu cipher_suite=pisci msg_id=sunt", + "event.timezone": "CEST", + "fileset.name": "fortimanager", + "host.name": "tasnul4179.internal.host", + "http.request.referrer": "https://api.example.org/onpr/litseddo.gif?oremqu=idex#radip", + "input.type": "log", + "log.level": "very-high", + "log.offset": 27119, + "network.bytes": 4616, + "network.direction": "inbound", + "network.protocol": "GGP", + "observer.egress.interface.name": "enp0s3903", + "observer.ingress.interface.name": "eth5767", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.2208", + "related.hosts": [ + "tasnul4179.internal.host" + ], + "related.ip": [ + "10.141.156.217", + "10.53.168.187" + ], + "related.user": [ + "amqu" + ], + "rsa.internal.event_desc": "modico", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "illumq", + "rsa.misc.OS": "idata", + "rsa.misc.action": [ + "emacc", + "block" + ], + "rsa.misc.category": "ueporro", + "rsa.misc.client": "veli", + "rsa.misc.context": "itessequ", + "rsa.misc.event_source": "duntut", + "rsa.misc.event_type": "prehend", + "rsa.misc.fcatnum": "cillu", + "rsa.misc.filter": "iuntNeq", + "rsa.misc.hardware_id": "eddoei", + "rsa.misc.log_session_id": "venia", + "rsa.misc.policy_id": "upta", + "rsa.misc.policy_name": "upt", + "rsa.misc.reference_id": "rsin", + "rsa.misc.rule_name": "amvo", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id": 1535, + "rsa.misc.version": "1.2208", + "rsa.misc.vsys": "eufug", + "rsa.network.alias_host": [ + "tasnul4179.internal.host" + ], + "rsa.network.dinterface": "enp0s3903", + "rsa.network.network_service": "ite", + "rsa.network.sinterface": "eth5767", + "rsa.threat.threat_desc": "antiumdo", + "rsa.time.duration_time": 165.935, + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.reputation_num": 135.374, + "rsa.web.web_ref_domain": "lamcola", + "rule.name": "amvo", + "service.type": "fortinet", + "source.bytes": 4211, + "source.geo.country_name": "uat", + "source.ip": [ + "10.141.156.217" + ], + "source.mac": "01:00:5e:c0:47:f3", + "source.port": 2700, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www.example.org/ess/quiad.jpg?ten=litanim#rQuisaut", + "url.query": "emp", + "user.name": "amqu" + }, + { + "@timestamp": "2017-01-20T04:14:16.000Z", + "destination.bytes": 837, + "destination.ip": [ + "10.189.82.19" + ], + "destination.port": 4267, + "event.action": "accept", + "event.code": "vel", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2017-1-20 time=2:14:16 devname=oco device_id=aboree log_id=ainci type=generic subtype=osqu pri=very-high devid=sus devname=imavenia logid=expli type=ugiat subtype=rnat level=low vd=orem srcip=10.37.174.58 srcport=3193 srcintf=lo2990 dstip=10.249.60.66 dstport=4859 dstintf=enp0s1732 poluuid=eve sessionid=tco proto=3 action=accept policyid=oluptate trandisp=lit duration=70.988000 sentbyte=6327 rcvdbyte=837 devtype=oquisqu osname=turadip osversion=1.3402 mastersrcmac=amc srcmac=01:00:5e:dd:dc:44 crscore=160.379000 craction=apar crlevel=runtm eventtype=eturadip user=olorsi service=itseddo hostname=bore5546.www.local profile=labo reqtype=lpaquiof url=https://example.com/xeac/llitanim.txt?oreverit=scip#Finibus direction=inbound msg=eufugia method=ncididun cat=hen catdesc=periamea device_id=itametco log_id=vel pri=high userfrom=rere adminprof=pta timezone=CEST main_type=equeporr trigger_policy=met sub_type=volup severity_level=ptate policy=entsu src=10.44.198.184 src_port=5695 dst=10.189.82.19 dst_port=4267 http_method=odoc http_url=atura http_host=tur http_agent=tur http_session_id=atnonpr signature_subclass=ita signature_id=7570 srccountry=colabori content_switch_name=imidestl server_pool_name=piscing false_positive_mitigation=ceroi user_name=iconsequ monitor_status=iat http_refer=https://www.example.net/siuta/atev.htm?CSe=exerci#inesciu http_version=quid dev_id=atcupid threat_weight=onse history_threat_weight=psa threat_level=ate ftp_mode=con ftp_cmd=tqu cipher_suite=eirur msg_id=dese", + "event.timezone": "CEST", + "fileset.name": "fortimanager", + "host.name": "bore5546.www.local", + "http.request.referrer": "https://www.example.net/siuta/atev.htm?CSe=exerci#inesciu", + "input.type": "log", + "log.level": "high", + "log.offset": 28610, + "network.bytes": 7164, + "network.direction": "inbound", + "network.protocol": "GGP", + "observer.egress.interface.name": "enp0s1732", + "observer.ingress.interface.name": "lo2990", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.3402", + "related.hosts": [ + "bore5546.www.local" + ], + "related.ip": [ + "10.44.198.184", + "10.189.82.19" + ], + "related.user": [ + "iconsequ" + ], + "rsa.internal.event_desc": "eufugia", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "eturadip", + "rsa.misc.OS": "turadip", + "rsa.misc.action": [ + "accept", + "odoc" + ], + "rsa.misc.category": "volup", + "rsa.misc.client": "tur", + "rsa.misc.context": "lit", + "rsa.misc.event_source": "imavenia", + "rsa.misc.event_type": "ugiat", + "rsa.misc.fcatnum": "hen", + "rsa.misc.filter": "periamea", + "rsa.misc.hardware_id": "itametco", + "rsa.misc.log_session_id": "atnonpr", + "rsa.misc.policy_id": "oluptate", + "rsa.misc.policy_name": "entsu", + "rsa.misc.reference_id": "vel", + "rsa.misc.rule_name": "labo", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 7570, + "rsa.misc.version": "1.3402", + "rsa.misc.vsys": "orem", + "rsa.network.alias_host": [ + "bore5546.www.local" + ], + "rsa.network.dinterface": "enp0s1732", + "rsa.network.network_service": "itseddo", + "rsa.network.sinterface": "lo2990", + "rsa.threat.threat_desc": "ate", + "rsa.time.duration_time": 70.988, + "rsa.time.event_time": "2017-01-20T04:14:16.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.reputation_num": 160.379, + "rsa.web.web_ref_domain": "tur", + "rule.name": "labo", + "service.type": "fortinet", + "source.bytes": 6327, + "source.geo.country_name": "colabori", + "source.ip": [ + "10.44.198.184" + ], + "source.mac": "01:00:5e:dd:dc:44", + "source.port": 5695, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://example.com/xeac/llitanim.txt?oreverit=scip#Finibus", + "url.query": "atura", + "user.name": "iconsequ" + }, + { + "@timestamp": "2017-02-03T11:16:50.000Z", + "destination.bytes": 3097, + "destination.ip": [ + "10.181.183.104" + ], + "destination.port": 5554, + "event.action": "cancel", + "event.code": "roinBCSe", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=mquisnos date=2017-2-3 time=9:16:50 log_id=lore devid=isci devname=Dui logid=reetdo type=ever subtype=civelits level=high vd=quiav srcip=10.154.34.15 srcport=5986 srcintf=enp0s4064 dstip=10.153.172.249 dstport=7030 dstintf=enp0s3067 poluuid=henderit sessionid=remq proto=21 action=cancel policyid=tla trandisp=arch duration=52.795000 sentbyte=5453 rcvdbyte=3097 devtype=ror osname=onsecte osversion=1.91 mastersrcmac=aecatcup srcmac=01:00:5e:58:7e:f5 crscore=133.560000 craction=quas crlevel=occaeca eventtype=eturadip user=ent service=rumSecti hostname=Utenima260.mail.invalid profile=cept reqtype=aedictas url=https://api.example.org/orio/gna.gif?aaliquaU=olu#iameaque direction=external msg=essequa method=aquio cat=rspicia catdesc=deom device_id=oluptat log_id=roinBCSe pri=medium userfrom=onproide adminprof=uamnih timezone=GMT+02:00 main_type=tatisetq trigger_policy=uidolo sub_type=umdolore severity_level=dmi policy=tam src=10.151.170.207 src_port=1400 dst=10.181.183.104 dst_port=5554 http_method=amni http_url=tatio http_host=amquisno http_agent=modoc http_session_id=magnam signature_subclass=uinesc signature_id=4248 srccountry=idatat content_switch_name=onev server_pool_name=orsi false_positive_mitigation=ntsunt user_name=iosamni monitor_status=idu http_refer=https://example.net/idolo/reet.txt?its=umdolor#isiu http_version=assi dev_id=eserun threat_weight=rvelill history_threat_weight=lupta threat_level=byC ftp_mode=imadm ftp_cmd=uta cipher_suite=tisu msg_id=remagnam", + "event.timezone": "GMT+02:00", + "fileset.name": "fortimanager", + "host.name": "Utenima260.mail.invalid", + "http.request.referrer": "https://example.net/idolo/reet.txt?its=umdolor#isiu", + "input.type": "log", + "log.level": "medium", + "log.offset": 30121, + "network.bytes": 8550, + "network.direction": "external", + "observer.egress.interface.name": "enp0s3067", + "observer.ingress.interface.name": "enp0s4064", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.91", + "related.hosts": [ + "Utenima260.mail.invalid" + ], + "related.ip": [ + "10.151.170.207", + "10.181.183.104" + ], + "related.user": [ + "iosamni" + ], + "rsa.internal.event_desc": "essequa", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "eturadip", + "rsa.misc.OS": "onsecte", + "rsa.misc.action": [ + "cancel", + "amni" + ], + "rsa.misc.category": "umdolore", + "rsa.misc.client": "modoc", + "rsa.misc.context": "arch", + "rsa.misc.event_source": "Dui", + "rsa.misc.event_type": "ever", + "rsa.misc.fcatnum": "rspicia", + "rsa.misc.filter": "deom", + "rsa.misc.hardware_id": "oluptat", + "rsa.misc.log_session_id": "magnam", + "rsa.misc.policy_id": "tla", + "rsa.misc.policy_name": "tam", + "rsa.misc.reference_id": "roinBCSe", + "rsa.misc.rule_name": "cept", + "rsa.misc.severity": "medium", + "rsa.misc.sig_id": 4248, + "rsa.misc.version": "1.91", + "rsa.misc.vsys": "quiav", + "rsa.network.alias_host": [ + "Utenima260.mail.invalid" + ], + "rsa.network.dinterface": "enp0s3067", + "rsa.network.network_service": "rumSecti", + "rsa.network.sinterface": "enp0s4064", + "rsa.threat.threat_desc": "byC", + "rsa.time.duration_time": 52.795, + "rsa.time.event_time": "2017-02-03T11:16:50.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.reputation_num": 133.56, + "rsa.web.web_ref_domain": "amquisno", + "rule.name": "cept", + "service.type": "fortinet", + "source.bytes": 5453, + "source.geo.country_name": "idatat", + "source.ip": [ + "10.151.170.207" + ], + "source.mac": "01:00:5e:58:7e:f5", + "source.port": 1400, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://api.example.org/orio/gna.gif?aaliquaU=olu#iameaque", + "url.query": "tatio", + "user.name": "iosamni" + }, + { + "@timestamp": "2017-02-18T06:19:24.000Z", + "destination.bytes": 6209, + "destination.ip": [ + "10.130.240.11" + ], + "destination.port": 6515, + "event.action": "deny", + "event.code": "consequa", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=iumdo date=2017-2-18 time=4:19:24 log_id=iusmodit devid=aturv devname=ectetura logid=obeataev type=umf subtype=olesti level=low vd=quaeabil srcip=10.19.99.129 srcport=956 srcintf=eth62 dstip=10.205.132.218 dstport=1643 dstintf=enp0s5908 poluuid=inim sessionid=etdol proto=17 action=deny policyid=oremeumf trandisp=lesti duration=49.961000 sentbyte=3376 rcvdbyte=6209 devtype=enima osname=tnulapar osversion=1.7278 mastersrcmac=sequ srcmac=01:00:5e:4a:1d:f8 crscore=84.522000 craction=tionula crlevel=accus eventtype=uatu user=mquis service=lab hostname=uido2046.mail.lan profile=tena reqtype=aal url=https://mail.example.org/nimadmin/lumqui.txt?iquip=tinculpa#umtota direction=external msg=rumSecti method=riamea cat=eca catdesc=oluptate device_id=Duisa log_id=consequa pri=low userfrom=iaecon adminprof=aevitaed timezone=PT main_type=rep trigger_policy=remap sub_type=deri severity_level=quaeratv policy=involu src=10.70.7.23 src_port=2758 dst=10.130.240.11 dst_port=6515 http_method=odic http_url=iuta http_host=liquaUte http_agent=scivelit http_session_id=Nequ signature_subclass=quid signature_id=1044 srccountry=lloinve content_switch_name=borisnis server_pool_name=onorumet false_positive_mitigation=ptatema user_name=eavolup monitor_status=ipsumq http_refer=https://www.example.org/tno/iss.gif?ptatev=atu#teturad http_version=eturad dev_id=tDuis threat_weight=mwritten history_threat_weight=tat threat_level=equ ftp_mode=sumdolo ftp_cmd=idolorem cipher_suite=temvele msg_id=oremque", + "event.timezone": "PT", + "fileset.name": "fortimanager", + "host.name": "uido2046.mail.lan", + "http.request.referrer": "https://www.example.org/tno/iss.gif?ptatev=atu#teturad", + "input.type": "log", + "log.level": "low", + "log.offset": 31615, + "network.bytes": 9585, + "network.direction": "external", + "observer.egress.interface.name": "enp0s5908", + "observer.ingress.interface.name": "eth62", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.7278", + "related.hosts": [ + "uido2046.mail.lan" + ], + "related.ip": [ + "10.70.7.23", + "10.130.240.11" + ], + "related.user": [ + "eavolup" + ], + "rsa.internal.event_desc": "rumSecti", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "uatu", + "rsa.misc.OS": "tnulapar", + "rsa.misc.action": [ + "deny", + "odic" + ], + "rsa.misc.category": "deri", + "rsa.misc.client": "scivelit", + "rsa.misc.context": "lesti", + "rsa.misc.event_source": "ectetura", + "rsa.misc.event_type": "umf", + "rsa.misc.fcatnum": "eca", + "rsa.misc.filter": "oluptate", + "rsa.misc.hardware_id": "Duisa", + "rsa.misc.log_session_id": "Nequ", + "rsa.misc.policy_id": "oremeumf", + "rsa.misc.policy_name": "involu", + "rsa.misc.reference_id": "consequa", + "rsa.misc.rule_name": "tena", + "rsa.misc.severity": "low", + "rsa.misc.sig_id": 1044, + "rsa.misc.version": "1.7278", + "rsa.misc.vsys": "quaeabil", + "rsa.network.alias_host": [ + "uido2046.mail.lan" + ], + "rsa.network.dinterface": "enp0s5908", + "rsa.network.network_service": "lab", + "rsa.network.sinterface": "eth62", + "rsa.threat.threat_desc": "equ", + "rsa.time.duration_time": 49.961, + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "rsa.time.timezone": "PT", + "rsa.web.reputation_num": 84.522, + "rsa.web.web_ref_domain": "liquaUte", + "rule.name": "tena", + "service.type": "fortinet", + "source.bytes": 3376, + "source.geo.country_name": "lloinve", + "source.ip": [ + "10.70.7.23" + ], + "source.mac": "01:00:5e:4a:1d:f8", + "source.port": 2758, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://mail.example.org/nimadmin/lumqui.txt?iquip=tinculpa#umtota", + "url.query": "iuta", + "user.name": "eavolup" + }, + { + "@timestamp": "2017-03-04T13:21:59.000Z", + "destination.bytes": 6509, + "destination.geo.country_name": "uian", + "destination.ip": [ + "10.111.182.212" + ], + "destination.nat.ip": "10.17.209.252", + "destination.nat.port": 2119, + "destination.port": 4493, + "event.action": "deny", + "event.code": "uae", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=inimve devname=\"uio\" devid=\"mexercit\" vd=byC date=2017-3-4 time=11:21:59 logid=uae type=oremip subtype=its level=very-high eventtime=iavol logtime=natuserr srcip=10.37.161.101 srcport=1552 srcintf=enp0s6659 srcintfrole=evit dstip=10.111.182.212 dstport=4493 dstintf=lo6533 dstintfrole=lamco poluuid=tion sessionid=hender proto=icmp action=deny policyid=seq policytype=rumSe crscore=88.660000 craction=madmi crlevel=tlabore appcat=idunt service=expl srccountry=olore dstcountry=uian trandisp=atuserro tranip=10.17.209.252 tranport=2119 duration=135.770000 sentbyte=313 rcvdbyte=6509 sentpkt=oinBCS app=itsedd", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "very-high", + "log.offset": 33111, + "network.bytes": 6822, + "observer.egress.interface.name": "lo6533", + "observer.ingress.interface.name": "enp0s6659", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.37.161.101", + "10.111.182.212", + "10.17.209.252" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "its", + "rsa.misc.context": "atuserro", + "rsa.misc.event_source": "uio", + "rsa.misc.event_type": "oremip", + "rsa.misc.hardware_id": "mexercit", + "rsa.misc.log_session_id": "hender", + "rsa.misc.obj_name": "itsedd", + "rsa.misc.policy_id": "seq", + "rsa.misc.reference_id": "uae", + "rsa.misc.severity": "very-high", + "rsa.misc.vsys": "byC", + "rsa.network.dinterface": "lo6533", + "rsa.network.network_service": "expl", + "rsa.network.sinterface": "enp0s6659", + "rsa.time.duration_time": 135.77, + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "rsa.time.event_time_str": "iavol", + "rsa.web.reputation_num": 88.66, + "service.type": "fortinet", + "source.bytes": 313, + "source.geo.country_name": "olore", + "source.ip": [ + "10.37.161.101" + ], + "source.port": 1552, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2017-03-18T08:24:33.000Z", + "destination.bytes": 1936, + "destination.geo.country_name": "nonpro", + "destination.ip": [ + "10.170.196.181" + ], + "destination.nat.ip": "10.153.166.133", + "destination.nat.port": 4638, + "destination.port": 6994, + "event.action": "allow", + "event.code": "sin", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=ipis devname=\"itautfu\" devid=\"nesci\" vd=tam date=2017-3-18 time=6:24:33 logid=sin type=idexeac subtype=nimadmin level=medium eventtime=edutper logtime=tevelite srcip=10.158.175.98 srcport=1491 srcintf=enp0s7649 srcintfrole=oinBCSed dstip=10.170.196.181 dstport=6994 dstintf=enp0s5873 dstintfrole=obeatae poluuid=iquid sessionid=evo proto=udp action=allow policyid=mqu policytype=pteursi crscore=98.596000 craction=expl crlevel=essecill appcat=totamre service=rpo srccountry=velites dstcountry=nonpro trandisp=nula tranip=10.153.166.133 tranport=4638 duration=39.506000 sentbyte=6610 rcvdbyte=1936 sentpkt=olu app=imide", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "medium", + "log.offset": 33726, + "network.bytes": 8546, + "observer.egress.interface.name": "enp0s5873", + "observer.ingress.interface.name": "enp0s7649", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.170.196.181", + "10.158.175.98", + "10.153.166.133" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "nimadmin", + "rsa.misc.context": "nula", + "rsa.misc.event_source": "itautfu", + "rsa.misc.event_type": "idexeac", + "rsa.misc.hardware_id": "nesci", + "rsa.misc.log_session_id": "evo", + "rsa.misc.obj_name": "imide", + "rsa.misc.policy_id": "mqu", + "rsa.misc.reference_id": "sin", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "tam", + "rsa.network.dinterface": "enp0s5873", + "rsa.network.network_service": "rpo", + "rsa.network.sinterface": "enp0s7649", + "rsa.time.duration_time": 39.506, + "rsa.time.event_time": "2017-03-18T08:24:33.000Z", + "rsa.time.event_time_str": "edutper", + "rsa.web.reputation_num": 98.596, + "service.type": "fortinet", + "source.bytes": 6610, + "source.geo.country_name": "velites", + "source.ip": [ + "10.158.175.98" + ], + "source.port": 1491, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-02T03:27:07.000Z", + "destination.bytes": 5360, + "destination.ip": [ + "10.48.25.200" + ], + "destination.port": 5179, + "event.action": "accept", + "event.code": "uredol", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2017-4-2 time=1:27:07 logver=amn devid=itessequ devname=porissu logid=umd type=sumd subtype=sectetur level=low vd=aUtenima srcip=10.62.10.137 srcport=5596 srcintf=lo6539 dstip=10.138.249.251 dstport=630 dstintf=eth1576 poluuid=deritinv sessionid=evelite proto=6 action=accept policyid=stiaecon trandisp=usBono duration=155.835000 sentbyte=3942 rcvdbyte=5360 devtype=ttenb osname=olor osversion=1.5978 mastersrcmac=lapa srcmac=01:00:5e:b0:3e:44 crscore=105.845000 craction=lors crlevel=oluptat eventtype=enimad user=tis service=qua hostname=con6049.internal.lan profile=quelaud reqtype=luptat url=https://internal.example.com/temse/caecat.jpg?emeu=tatemac#quisn direction=inbound msg=teursint method=etMa cat=llita catdesc=ntsunt device_id=nturmag log_id=uredol pri=high userfrom=temsequi adminprof=mquia timezone=ET main_type=enbyCic trigger_policy=iveli sub_type=conseq severity_level=itame policy=tenat src=10.63.171.91 src_port=4396 dst=10.48.25.200 dst_port=5179 http_method=nse http_url=mveniam http_host=tuser http_agent=mmo http_session_id=eve signature_subclass=nbyCicer signature_id=6129 srccountry=ciad content_switch_name=ugiatqu server_pool_name=eruntmo false_positive_mitigation=nimve user_name=usanti monitor_status=ion http_refer=https://mail.example.org/gelits/iavo.txt?udexerc=ovolupta#volup http_version=macc dev_id=ria threat_weight=beat history_threat_weight=rro threat_level=tuser ftp_mode=ctasu ftp_cmd=irat cipher_suite=sitame msg_id=oinven", + "event.timezone": "ET", + "fileset.name": "fortimanager", + "host.name": "con6049.internal.lan", + "http.request.referrer": "https://mail.example.org/gelits/iavo.txt?udexerc=ovolupta#volup", + "input.type": "log", + "log.level": "high", + "log.offset": 34352, + "network.bytes": 9302, + "network.direction": "inbound", + "observer.egress.interface.name": "eth1576", + "observer.ingress.interface.name": "lo6539", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.5978", + "related.hosts": [ + "con6049.internal.lan" + ], + "related.ip": [ + "10.48.25.200", + "10.63.171.91" + ], + "related.user": [ + "usanti" + ], + "rsa.internal.event_desc": "teursint", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "enimad", + "rsa.misc.OS": "olor", + "rsa.misc.action": [ + "accept", + "nse" + ], + "rsa.misc.category": "conseq", + "rsa.misc.client": "mmo", + "rsa.misc.context": "usBono", + "rsa.misc.event_source": "porissu", + "rsa.misc.event_type": "sumd", + "rsa.misc.fcatnum": "llita", + "rsa.misc.filter": "ntsunt", + "rsa.misc.hardware_id": "nturmag", + "rsa.misc.log_session_id": "eve", + "rsa.misc.policy_id": "stiaecon", + "rsa.misc.policy_name": "tenat", + "rsa.misc.reference_id": "uredol", + "rsa.misc.rule_name": "quelaud", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 6129, + "rsa.misc.version": "1.5978", + "rsa.misc.vsys": "aUtenima", + "rsa.network.alias_host": [ + "con6049.internal.lan" + ], + "rsa.network.dinterface": "eth1576", + "rsa.network.network_service": "qua", + "rsa.network.sinterface": "lo6539", + "rsa.threat.threat_desc": "tuser", + "rsa.time.duration_time": 155.835, + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "rsa.time.timezone": "ET", + "rsa.web.reputation_num": 105.845, + "rsa.web.web_ref_domain": "tuser", + "rule.name": "quelaud", + "service.type": "fortinet", + "source.bytes": 3942, + "source.geo.country_name": "ciad", + "source.ip": [ + "10.63.171.91" + ], + "source.mac": "01:00:5e:b0:3e:44", + "source.port": 4396, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://internal.example.com/temse/caecat.jpg?emeu=tatemac#quisn", + "url.query": "mveniam", + "user.name": "usanti" + }, + { + "@timestamp": "2017-04-16T10:29:41.000Z", + "destination.bytes": 7791, + "destination.geo.country_name": "ddoe", + "destination.ip": [ + "10.77.105.81" + ], + "destination.nat.ip": "10.38.168.190", + "destination.nat.port": 7260, + "destination.port": 4455, + "event.action": "allow", + "event.code": "rcitati", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=ute dtime=2017-04-16 08:29:41.792538723 +0000 UTC devid=mexer devname=iam vd=Bonoru date=2017-4-16 time=8:29:41 logid=rcitati type=nula subtype=ameaquei level=low eventtime=adipi logtime=mquis srcip=10.174.17.46 srcport=2743 srcintf=eth6814 srcintfrole=ine dstip=10.77.105.81 dstport=4455 dstintf=enp0s7799 dstintfrole=orem poluuid=giatqu sessionid=rsint proto=udp action=allow policyid=paq policytype=uianon crscore=60.762000 craction=uisautem crlevel=mquameiu appcat=loremq service=turmagni srccountry=ores dstcountry=ddoe trandisp=uid tranip=10.38.168.190 tranport=7260 duration=129.140000 sentbyte=368 rcvdbyte=7791 sentpkt=incidi app=aedictas", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "low", + "log.offset": 35821, + "network.bytes": 8159, + "observer.egress.interface.name": "enp0s7799", + "observer.ingress.interface.name": "eth6814", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.174.17.46", + "10.77.105.81", + "10.38.168.190" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "ameaquei", + "rsa.misc.context": "uid", + "rsa.misc.event_source": "iam", + "rsa.misc.event_type": "nula", + "rsa.misc.hardware_id": "mexer", + "rsa.misc.log_session_id": "rsint", + "rsa.misc.obj_name": "aedictas", + "rsa.misc.policy_id": "paq", + "rsa.misc.reference_id": "rcitati", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "Bonoru", + "rsa.network.dinterface": "enp0s7799", + "rsa.network.network_service": "turmagni", + "rsa.network.sinterface": "eth6814", + "rsa.time.duration_time": 129.14, + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", + "rsa.time.event_time_str": "adipi", + "rsa.web.reputation_num": 60.762, + "service.type": "fortinet", + "source.bytes": 368, + "source.geo.country_name": "ores", + "source.ip": [ + "10.174.17.46" + ], + "source.port": 2743, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-30T05:32:16.000Z", + "destination.bytes": 7663, + "destination.geo.country_name": "boriosa", + "destination.ip": [ + "10.225.37.73" + ], + "destination.nat.ip": "10.166.142.198", + "destination.nat.port": 4151, + "destination.port": 5630, + "event.action": "cancel", + "event.code": "abore", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=temaccus devname=\"ons\" devid=\"unt\" vd=liq date=2017-4-30 time=3:32:16 logid=abore type=iumdo subtype=oreeu level=high eventtime=exe logtime=tis srcip=10.36.99.207 srcport=4829 srcintf=lo497 srcintfrole=tvol dstip=10.225.37.73 dstport=5630 dstintf=eth1882 dstintfrole=eniamqu poluuid=iumt sessionid=porissus proto=udp action=cancel policyid=tsunt policytype=rnat crscore=88.508000 craction=ured crlevel=ctetu appcat=oreeu service=uasiarch srccountry=Malor dstcountry=boriosa trandisp=cillumdo tranip=10.166.142.198 tranport=4151 duration=1.040000 sentbyte=465 rcvdbyte=7663 sentpkt=oreetd app=lor", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "high", + "log.offset": 36476, + "network.bytes": 8128, + "observer.egress.interface.name": "eth1882", + "observer.ingress.interface.name": "lo497", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.166.142.198", + "10.36.99.207", + "10.225.37.73" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "oreeu", + "rsa.misc.context": "cillumdo", + "rsa.misc.event_source": "ons", + "rsa.misc.event_type": "iumdo", + "rsa.misc.hardware_id": "unt", + "rsa.misc.log_session_id": "porissus", + "rsa.misc.obj_name": "lor", + "rsa.misc.policy_id": "tsunt", + "rsa.misc.reference_id": "abore", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "liq", + "rsa.network.dinterface": "eth1882", + "rsa.network.network_service": "uasiarch", + "rsa.network.sinterface": "lo497", + "rsa.time.duration_time": 1.04, + "rsa.time.event_time": "2017-04-30T05:32:16.000Z", + "rsa.time.event_time_str": "exe", + "rsa.web.reputation_num": 88.508, + "service.type": "fortinet", + "source.bytes": 465, + "source.geo.country_name": "Malor", + "source.ip": [ + "10.36.99.207" + ], + "source.port": 4829, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-14T12:34:50.000Z", + "destination.bytes": 6820, + "destination.geo.country_name": "lill", + "destination.ip": [ + "10.214.156.161" + ], + "destination.nat.ip": "10.145.194.12", + "destination.nat.port": 1001, + "destination.port": 3854, + "event.action": "block", + "event.code": "tassitas", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=etc devname=\"eturadip\" devid=\"nost\" vd=atus date=2017-5-14 time=10:34:50 logid=tassitas type=obea subtype=velite level=medium eventtime=litse logtime=san srcip=10.66.90.225 srcport=4846 srcintf=lo4891 srcintfrole=moenimi dstip=10.214.156.161 dstport=3854 dstintf=eth1188 dstintfrole=ati poluuid=rauto sessionid=doloreeu proto=6 action=block policyid=eumfu policytype=docons crscore=3.408000 craction=eumf crlevel=roquisq appcat=uasi service=maveniam srccountry=uis dstcountry=lill trandisp=remeum tranip=10.145.194.12 tranport=1001 duration=25.398000 sentbyte=6452 rcvdbyte=6820 sentpkt=aturE app=umto", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "medium", + "log.offset": 37079, + "network.bytes": 13272, + "observer.egress.interface.name": "eth1188", + "observer.ingress.interface.name": "lo4891", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.214.156.161", + "10.145.194.12", + "10.66.90.225" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "velite", + "rsa.misc.context": "remeum", + "rsa.misc.event_source": "eturadip", + "rsa.misc.event_type": "obea", + "rsa.misc.hardware_id": "nost", + "rsa.misc.log_session_id": "doloreeu", + "rsa.misc.obj_name": "umto", + "rsa.misc.policy_id": "eumfu", + "rsa.misc.reference_id": "tassitas", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "atus", + "rsa.network.dinterface": "eth1188", + "rsa.network.network_service": "maveniam", + "rsa.network.sinterface": "lo4891", + "rsa.time.duration_time": 25.398, + "rsa.time.event_time": "2017-05-14T12:34:50.000Z", + "rsa.time.event_time_str": "litse", + "rsa.web.reputation_num": 3.408, + "service.type": "fortinet", + "source.bytes": 6452, + "source.geo.country_name": "uis", + "source.ip": [ + "10.66.90.225" + ], + "source.port": 4846, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-29T07:37:24.000Z", + "destination.bytes": 4638, + "destination.geo.country_name": "cidu", + "destination.ip": [ + "10.156.208.5" + ], + "destination.nat.ip": "10.163.36.101", + "destination.nat.port": 253, + "destination.port": 7612, + "event.action": "cancel", + "event.code": "eddoei", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=pariat devname=\"iutal\" devid=\"teturad\" vd=ese date=2017-5-29 time=5:37:24 logid=eddoei type=lorumw subtype=eca level=medium eventtime=nimve logtime=duntut srcip=10.6.242.108 srcport=3373 srcintf=lo3230 srcintfrole=qua dstip=10.156.208.5 dstport=7612 dstintf=lo1800 dstintfrole=quisn poluuid=pteu sessionid=uatD proto=0 action=cancel policyid=antiu policytype=velillum crscore=166.389000 craction=iatquovo crlevel=lapari appcat=Mal service=itinvo srccountry=snulap dstcountry=cidu trandisp=hilmol tranip=10.163.36.101 tranport=253 duration=72.488000 sentbyte=1880 rcvdbyte=4638 sentpkt=ident app=scip", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "medium", + "log.offset": 37688, + "network.bytes": 6518, + "observer.egress.interface.name": "lo1800", + "observer.ingress.interface.name": "lo3230", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.156.208.5", + "10.163.36.101", + "10.6.242.108" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "eca", + "rsa.misc.context": "hilmol", + "rsa.misc.event_source": "iutal", + "rsa.misc.event_type": "lorumw", + "rsa.misc.hardware_id": "teturad", + "rsa.misc.log_session_id": "uatD", + "rsa.misc.obj_name": "scip", + "rsa.misc.policy_id": "antiu", + "rsa.misc.reference_id": "eddoei", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "ese", + "rsa.network.dinterface": "lo1800", + "rsa.network.network_service": "itinvo", + "rsa.network.sinterface": "lo3230", + "rsa.time.duration_time": 72.488, + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "rsa.time.event_time_str": "nimve", + "rsa.web.reputation_num": 166.389, + "service.type": "fortinet", + "source.bytes": 1880, + "source.geo.country_name": "snulap", + "source.ip": [ + "10.6.242.108" + ], + "source.port": 3373, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-12T14:39:58.000Z", + "destination.bytes": 1048, + "destination.ip": [ + "10.68.233.163" + ], + "destination.port": 3126, + "event.action": "allow", + "event.code": "emve", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2017-6-12 time=12:39:58 devname=uamqu device_id=iusmodi log_id=esciun type=generic subtype=tasnul pri=medium devid=ccusant devname=epteurs logid=rmag type=quisquam subtype=eporroqu level=very-high vd=dit srcip=10.25.134.171 srcport=7867 srcintf=eth4543 dstip=10.43.235.230 dstport=2198 dstintf=lo4581 poluuid=BCSe sessionid=rem proto=0 action=allow policyid=eeufug trandisp=ntin duration=6.686000 sentbyte=5763 rcvdbyte=1048 devtype=cinge osname=tatem osversion=1.4713 mastersrcmac=eritqu srcmac=01:00:5e:ed:6b:57 crscore=10.603000 craction=nimip crlevel=iutaliq eventtype=olore user=onemul service=trudexe hostname=remeum2641.www5.corp profile=Quisa reqtype=quiav url=https://www5.example.com/elit/sam.htm?nevolu=unt#isni direction=outbound msg=ecillum method=olor cat=amei catdesc=doconseq device_id=conseq log_id=emve pri=very-high userfrom=tiu adminprof=wri timezone=GMT-07:00 main_type=asper trigger_policy=dictasun sub_type=psa severity_level=lorese policy=olupta src=10.220.148.127 src_port=6681 dst=10.68.233.163 dst_port=3126 http_method=itanimi http_url=onoru http_host=data http_agent=ugits http_session_id=ittenb signature_subclass=tobeatae signature_id=5617 srccountry=quis content_switch_name=exe server_pool_name=naa false_positive_mitigation=equat user_name=estiaec monitor_status=pitlabo http_refer=https://example.net/rcitat/ree.htm?ionofdeF=rsp#imipsa http_version=nostrum dev_id=autodita threat_weight=ntut history_threat_weight=temveleu threat_level=itametco ftp_mode=etcons ftp_cmd=etco cipher_suite=iuntN msg_id=utfugi", + "event.timezone": "GMT-07:00", + "fileset.name": "fortimanager", + "host.name": "remeum2641.www5.corp", + "http.request.referrer": "https://example.net/rcitat/ree.htm?ionofdeF=rsp#imipsa", + "input.type": "log", + "log.level": "very-high", + "log.offset": 38295, + "network.bytes": 6811, + "network.direction": "outbound", + "observer.egress.interface.name": "lo4581", + "observer.ingress.interface.name": "eth4543", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.4713", + "related.hosts": [ + "remeum2641.www5.corp" + ], + "related.ip": [ + "10.68.233.163", + "10.220.148.127" + ], + "related.user": [ + "estiaec" + ], + "rsa.internal.event_desc": "ecillum", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "olore", + "rsa.misc.OS": "tatem", + "rsa.misc.action": [ + "allow", + "itanimi" + ], + "rsa.misc.category": "psa", + "rsa.misc.client": "ugits", + "rsa.misc.context": "ntin", + "rsa.misc.event_source": "epteurs", + "rsa.misc.event_type": "quisquam", + "rsa.misc.fcatnum": "amei", + "rsa.misc.filter": "doconseq", + "rsa.misc.hardware_id": "conseq", + "rsa.misc.log_session_id": "ittenb", + "rsa.misc.policy_id": "eeufug", + "rsa.misc.policy_name": "olupta", + "rsa.misc.reference_id": "emve", + "rsa.misc.rule_name": "Quisa", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id": 5617, + "rsa.misc.version": "1.4713", + "rsa.misc.vsys": "dit", + "rsa.network.alias_host": [ + "remeum2641.www5.corp" + ], + "rsa.network.dinterface": "lo4581", + "rsa.network.network_service": "trudexe", + "rsa.network.sinterface": "eth4543", + "rsa.threat.threat_desc": "itametco", + "rsa.time.duration_time": 6.686, + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.reputation_num": 10.603, + "rsa.web.web_ref_domain": "data", + "rule.name": "Quisa", + "service.type": "fortinet", + "source.bytes": 5763, + "source.geo.country_name": "quis", + "source.ip": [ + "10.220.148.127" + ], + "source.mac": "01:00:5e:ed:6b:57", + "source.port": 6681, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www5.example.com/elit/sam.htm?nevolu=unt#isni", + "url.query": "onoru", + "user.name": "estiaec" + }, + { + "@timestamp": "2017-06-26T09:42:33.000Z", + "destination.bytes": 6196, + "destination.ip": [ + "10.94.177.125" + ], + "destination.port": 6683, + "event.action": "allow", + "event.code": "mquido", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=isnostru date=2017-6-26 time=7:42:33 log_id=nul devid=ntocca devname=trudex logid=tvol type=lup subtype=mipsamv level=medium vd=qua srcip=10.249.194.7 srcport=4987 srcintf=enp0s2282 dstip=10.57.116.17 dstport=90 dstintf=enp0s7442 poluuid=xcep sessionid=gnidol proto=0 action=allow policyid=uaeab trandisp=ptat duration=136.310000 sentbyte=1078 rcvdbyte=6196 devtype=eturadip osname=amquaera osversion=1.4481 mastersrcmac=equ srcmac=01:00:5e:00:fd:79 crscore=18.750000 craction=olesti crlevel=edquia eventtype=ihi user=undeomn service=ape hostname=itaspe3216.localdomain profile=onsecte reqtype=prehende url=https://example.org/porro/issu.htm?inculpa=ruredol#iadeseru direction=unknown msg=numq method=quae cat=periam catdesc=ain device_id=umiurer log_id=mquido pri=very-high userfrom=onorume adminprof=abill timezone=GMT+02:00 main_type=uov trigger_policy=mini sub_type=mve severity_level=tionev policy=uasiarch src=10.116.82.108 src_port=7276 dst=10.94.177.125 dst_port=6683 http_method=nimides http_url=olorsit http_host=naaliq http_agent=plica http_session_id=asiarc signature_subclass=lor signature_id=5152 srccountry=snula content_switch_name=pici server_pool_name=bori false_positive_mitigation=dipi user_name=ecatc monitor_status=quovolu http_refer=https://example.net/itse/sse.gif?lupt=quatur#dminim http_version=ptatevel dev_id=aperiame threat_weight=stenat history_threat_weight=uianonnu threat_level=tatiset ftp_mode=quira ftp_cmd=ciatisun cipher_suite=duntutl msg_id=nven", + "event.timezone": "GMT+02:00", + "fileset.name": "fortimanager", + "host.name": "itaspe3216.localdomain", + "http.request.referrer": "https://example.net/itse/sse.gif?lupt=quatur#dminim", + "input.type": "log", + "log.level": "very-high", + "log.offset": 39842, + "network.bytes": 7274, + "network.direction": "unknown", + "observer.egress.interface.name": "enp0s7442", + "observer.ingress.interface.name": "enp0s2282", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.4481", + "related.hosts": [ + "itaspe3216.localdomain" + ], + "related.ip": [ + "10.116.82.108", + "10.94.177.125" + ], + "related.user": [ + "ecatc" + ], + "rsa.internal.event_desc": "numq", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "ihi", + "rsa.misc.OS": "amquaera", + "rsa.misc.action": [ + "allow", + "nimides" + ], + "rsa.misc.category": "mve", + "rsa.misc.client": "plica", + "rsa.misc.context": "ptat", + "rsa.misc.event_source": "trudex", + "rsa.misc.event_type": "lup", + "rsa.misc.fcatnum": "periam", + "rsa.misc.filter": "ain", + "rsa.misc.hardware_id": "umiurer", + "rsa.misc.log_session_id": "asiarc", + "rsa.misc.policy_id": "uaeab", + "rsa.misc.policy_name": "uasiarch", + "rsa.misc.reference_id": "mquido", + "rsa.misc.rule_name": "onsecte", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id": 5152, + "rsa.misc.version": "1.4481", + "rsa.misc.vsys": "qua", + "rsa.network.alias_host": [ + "itaspe3216.localdomain" + ], + "rsa.network.dinterface": "enp0s7442", + "rsa.network.network_service": "ape", + "rsa.network.sinterface": "enp0s2282", + "rsa.threat.threat_desc": "tatiset", + "rsa.time.duration_time": 136.31, + "rsa.time.event_time": "2017-06-26T09:42:33.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.reputation_num": 18.75, + "rsa.web.web_ref_domain": "naaliq", + "rule.name": "onsecte", + "service.type": "fortinet", + "source.bytes": 1078, + "source.geo.country_name": "snula", + "source.ip": [ + "10.116.82.108" + ], + "source.mac": "01:00:5e:00:fd:79", + "source.port": 7276, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://example.org/porro/issu.htm?inculpa=ruredol#iadeseru", + "url.query": "olorsit", + "user.name": "ecatc" + }, + { + "@timestamp": "2017-07-11T04:45:07.000Z", + "destination.bytes": 7131, + "destination.ip": [ + "10.113.152.241" + ], + "destination.port": 2330, + "event.action": "cancel", + "event.code": "uptat", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2017-7-11 time=2:45:07 devname=saq device_id=asiarch log_id=ssuscipi type=generic subtype=utla pri=medium devid=tquovo devname=fugi logid=nse type=nesciu subtype=todit level=very-high vd=inrepreh srcip=10.14.192.162 srcport=2536 srcintf=enp0s4429 dstip=10.179.128.6 dstport=3375 dstintf=enp0s4580 poluuid=ptate sessionid=volupta proto=3 action=cancel policyid=utla trandisp=emi duration=171.651000 sentbyte=3313 rcvdbyte=7131 devtype=velites osname=oloremi osversion=1.4442 mastersrcmac=apari srcmac=01:00:5e:0c:fb:2b crscore=140.065000 craction=uel crlevel=fficiad eventtype=teirured user=nostru service=rcit hostname=mea6298.api.example profile=eumiu reqtype=tatevel url=https://mail.example.org/uamquaer/texplica.gif?sequa=lorum#suntexpl direction=inbound msg=Sedut method=tatis cat=audant catdesc=obeata device_id=uredol log_id=uptat pri=low userfrom=entorev adminprof=quuntur timezone=GMT+02:00 main_type=exercit trigger_policy=dexer sub_type=idolor severity_level=onpr policy=uira src=10.115.121.243 src_port=550 dst=10.113.152.241 dst_port=2330 http_method=ali http_url=udexerci http_host=uae http_agent=imveni http_session_id=econ signature_subclass=aborio signature_id=1122 srccountry=setquas content_switch_name=nbyCi server_pool_name=runtmoll false_positive_mitigation=busBon user_name=norumetM monitor_status=isno http_refer=https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure http_version=isiut dev_id=tin threat_weight=rporiss history_threat_weight=billoinv threat_level=etconse ftp_mode=nesciu ftp_cmd=mali cipher_suite=roinBCSe msg_id=eetdolor", + "event.timezone": "GMT+02:00", + "fileset.name": "fortimanager", + "host.name": "mea6298.api.example", + "http.request.referrer": "https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure", + "input.type": "log", + "log.level": "low", + "log.offset": 41333, + "network.bytes": 10444, + "network.direction": "inbound", + "network.protocol": "GGP", + "observer.egress.interface.name": "enp0s4580", + "observer.ingress.interface.name": "enp0s4429", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.4442", + "related.hosts": [ + "mea6298.api.example" + ], + "related.ip": [ + "10.113.152.241", + "10.115.121.243" + ], + "related.user": [ + "norumetM" + ], + "rsa.internal.event_desc": "Sedut", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "teirured", + "rsa.misc.OS": "oloremi", + "rsa.misc.action": [ + "cancel", + "ali" + ], + "rsa.misc.category": "idolor", + "rsa.misc.client": "imveni", + "rsa.misc.context": "emi", + "rsa.misc.event_source": "fugi", + "rsa.misc.event_type": "nesciu", + "rsa.misc.fcatnum": "audant", + "rsa.misc.filter": "obeata", + "rsa.misc.hardware_id": "uredol", + "rsa.misc.log_session_id": "econ", + "rsa.misc.policy_id": "utla", + "rsa.misc.policy_name": "uira", + "rsa.misc.reference_id": "uptat", + "rsa.misc.rule_name": "eumiu", + "rsa.misc.severity": "low", + "rsa.misc.sig_id": 1122, + "rsa.misc.version": "1.4442", + "rsa.misc.vsys": "inrepreh", + "rsa.network.alias_host": [ + "mea6298.api.example" + ], + "rsa.network.dinterface": "enp0s4580", + "rsa.network.network_service": "rcit", + "rsa.network.sinterface": "enp0s4429", + "rsa.threat.threat_desc": "etconse", + "rsa.time.duration_time": 171.651, + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.reputation_num": 140.065, + "rsa.web.web_ref_domain": "uae", + "rule.name": "eumiu", + "service.type": "fortinet", + "source.bytes": 3313, + "source.geo.country_name": "setquas", + "source.ip": [ + "10.115.121.243" + ], + "source.mac": "01:00:5e:0c:fb:2b", + "source.port": 550, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://mail.example.org/uamquaer/texplica.gif?sequa=lorum#suntexpl", + "url.query": "udexerci", + "user.name": "norumetM" + }, + { + "@timestamp": "2017-07-25T11:47:41.000Z", + "destination.bytes": 6863, + "destination.ip": [ + "10.179.153.97" + ], + "destination.port": 1908, + "event.action": "accept", + "event.code": "taliqu", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2017-7-25 time=9:47:41 logver=upt devid=equamni devname=atcupi logid=enima type=uptateve subtype=fugitsed level=medium vd=lorem srcip=10.68.159.207 srcport=3320 srcintf=enp0s7206 dstip=10.139.195.188 dstport=893 dstintf=enp0s6960 poluuid=lits sessionid=tvolu proto=17 action=accept policyid=ollitan trandisp=temseq duration=0.684000 sentbyte=3045 rcvdbyte=6863 devtype=edictasu osname=eturadi osversion=1.3804 mastersrcmac=edquiano srcmac=01:00:5e:09:79:f2 crscore=11.231000 craction=taevitae crlevel=tevel eventtype=tatemse user=gitsed service=agn hostname=iqu7510.internal.corp profile=equeporr reqtype=amremap url=https://www5.example.org/aqu/utemvele.gif?serrorsi=tsedquia#rsit direction=unknown msg=ntutlabo method=idex cat=nihilmo catdesc=reetdo device_id=xeaco log_id=taliqu pri=medium userfrom=hite adminprof=umfugi timezone=CT main_type=dminimve trigger_policy=remips sub_type=laboreet severity_level=uptate policy=tot src=10.49.82.45 src_port=435 dst=10.179.153.97 dst_port=1908 http_method=ade http_url=nihilmol http_host=nder http_agent=ano http_session_id=rumexer signature_subclass=eab signature_id=2387 srccountry=saquaeab content_switch_name=eli server_pool_name=rissusci false_positive_mitigation=ectetur user_name=dictasun monitor_status=inimv http_refer=https://api.example.org/volup/untNeq.htm?mremaper=uteirur#ntium http_version=ide dev_id=quunturm threat_weight=quovo history_threat_weight=quaturve threat_level=ntiumdol ftp_mode=conse ftp_cmd=aturve cipher_suite=edqui msg_id=tvolu", + "event.timezone": "CT", + "fileset.name": "fortimanager", + "host.name": "iqu7510.internal.corp", + "http.request.referrer": "https://api.example.org/volup/untNeq.htm?mremaper=uteirur#ntium", + "input.type": "log", + "log.level": "medium", + "log.offset": 42910, + "network.bytes": 9908, + "network.direction": "unknown", + "observer.egress.interface.name": "enp0s6960", + "observer.ingress.interface.name": "enp0s7206", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.3804", + "related.hosts": [ + "iqu7510.internal.corp" + ], + "related.ip": [ + "10.49.82.45", + "10.179.153.97" + ], + "related.user": [ + "dictasun" + ], + "rsa.internal.event_desc": "ntutlabo", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "tatemse", + "rsa.misc.OS": "eturadi", + "rsa.misc.action": [ + "ade", + "accept" + ], + "rsa.misc.category": "laboreet", + "rsa.misc.client": "ano", + "rsa.misc.context": "temseq", + "rsa.misc.event_source": "atcupi", + "rsa.misc.event_type": "uptateve", + "rsa.misc.fcatnum": "nihilmo", + "rsa.misc.filter": "reetdo", + "rsa.misc.hardware_id": "xeaco", + "rsa.misc.log_session_id": "rumexer", + "rsa.misc.policy_id": "ollitan", + "rsa.misc.policy_name": "tot", + "rsa.misc.reference_id": "taliqu", + "rsa.misc.rule_name": "equeporr", + "rsa.misc.severity": "medium", + "rsa.misc.sig_id": 2387, + "rsa.misc.version": "1.3804", + "rsa.misc.vsys": "lorem", + "rsa.network.alias_host": [ + "iqu7510.internal.corp" + ], + "rsa.network.dinterface": "enp0s6960", + "rsa.network.network_service": "agn", + "rsa.network.sinterface": "enp0s7206", + "rsa.threat.threat_desc": "ntiumdol", + "rsa.time.duration_time": 0.684, + "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "rsa.time.timezone": "CT", + "rsa.web.reputation_num": 11.231, + "rsa.web.web_ref_domain": "nder", + "rule.name": "equeporr", + "service.type": "fortinet", + "source.bytes": 3045, + "source.geo.country_name": "saquaeab", + "source.ip": [ + "10.49.82.45" + ], + "source.mac": "01:00:5e:09:79:f2", + "source.port": 435, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www5.example.org/aqu/utemvele.gif?serrorsi=tsedquia#rsit", + "url.query": "nihilmol", + "user.name": "dictasun" + }, + { + "@timestamp": "2017-08-08T06:50:15.000Z", + "destination.bytes": 722, + "destination.geo.country_name": "rumex", + "destination.ip": [ + "10.99.55.115" + ], + "destination.nat.ip": "10.205.83.138", + "destination.nat.port": 6239, + "destination.port": 1537, + "event.action": "accept", + "event.code": "iumto", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=ore devname=\"lors\" devid=\"saute\" vd=ecillumd date=2017-8-8 time=4:50:15 logid=iumto type=sequatu subtype=tiumtot level=medium eventtime=mdoloree logtime=que srcip=10.98.52.184 srcport=7402 srcintf=eth3784 srcintfrole=ita dstip=10.99.55.115 dstport=1537 dstintf=eth855 dstintfrole=isnostru poluuid=iad sessionid=ngelits proto=tcp action=accept policyid=billoi policytype=reseo crscore=158.047000 craction=uov crlevel=pariat appcat=icaboNe service=boreetd srccountry=uir dstcountry=rumex trandisp=ectobea tranip=10.205.83.138 tranport=6239 duration=170.113000 sentbyte=3290 rcvdbyte=722 sentpkt=ibus app=lumdol", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "medium", + "log.offset": 44420, + "network.bytes": 4012, + "observer.egress.interface.name": "eth855", + "observer.ingress.interface.name": "eth3784", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.205.83.138", + "10.98.52.184", + "10.99.55.115" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "tiumtot", + "rsa.misc.context": "ectobea", + "rsa.misc.event_source": "lors", + "rsa.misc.event_type": "sequatu", + "rsa.misc.hardware_id": "saute", + "rsa.misc.log_session_id": "ngelits", + "rsa.misc.obj_name": "lumdol", + "rsa.misc.policy_id": "billoi", + "rsa.misc.reference_id": "iumto", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "ecillumd", + "rsa.network.dinterface": "eth855", + "rsa.network.network_service": "boreetd", + "rsa.network.sinterface": "eth3784", + "rsa.time.duration_time": 170.113, + "rsa.time.event_time": "2017-08-08T06:50:15.000Z", + "rsa.time.event_time_str": "mdoloree", + "rsa.web.reputation_num": 158.047, + "service.type": "fortinet", + "source.bytes": 3290, + "source.geo.country_name": "uir", + "source.ip": [ + "10.98.52.184" + ], + "source.port": 7402, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-22T13:52:50.000Z", + "destination.bytes": 422, + "destination.geo.country_name": "did", + "destination.ip": [ + "10.90.189.248" + ], + "destination.nat.ip": "10.228.11.50", + "destination.nat.port": 984, + "destination.port": 1293, + "event.action": "allow", + "event.code": "ptate", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=onnu devname=\"reprehe\" devid=\"metMa\" vd=emoen date=2017-8-22 time=11:52:50 logid=ptate type=mipsumqu subtype=turad level=high eventtime=billo logtime=doloremi srcip=10.197.128.162 srcport=2052 srcintf=lo6750 srcintfrole=ionof dstip=10.90.189.248 dstport=1293 dstintf=lo2402 dstintfrole=roi poluuid=reh sessionid=volup proto=prm action=allow policyid=iconsequ policytype=ueporr crscore=127.832000 craction=archite crlevel=tur appcat=ddo service=emp srccountry=inBC dstcountry=did trandisp=atcupi tranip=10.228.11.50 tranport=984 duration=3.401000 sentbyte=6907 rcvdbyte=422 sentpkt=mcol app=tion", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "high", + "log.offset": 45036, + "network.bytes": 7329, + "observer.egress.interface.name": "lo2402", + "observer.ingress.interface.name": "lo6750", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.197.128.162", + "10.228.11.50", + "10.90.189.248" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "turad", + "rsa.misc.context": "atcupi", + "rsa.misc.event_source": "reprehe", + "rsa.misc.event_type": "mipsumqu", + "rsa.misc.hardware_id": "metMa", + "rsa.misc.log_session_id": "volup", + "rsa.misc.obj_name": "tion", + "rsa.misc.policy_id": "iconsequ", + "rsa.misc.reference_id": "ptate", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "emoen", + "rsa.network.dinterface": "lo2402", + "rsa.network.network_service": "emp", + "rsa.network.sinterface": "lo6750", + "rsa.time.duration_time": 3.401, + "rsa.time.event_time": "2017-08-22T13:52:50.000Z", + "rsa.time.event_time_str": "billo", + "rsa.web.reputation_num": 127.832, + "service.type": "fortinet", + "source.bytes": 6907, + "source.geo.country_name": "inBC", + "source.ip": [ + "10.197.128.162" + ], + "source.port": 2052, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-06T08:55:24.000Z", + "event.action": "deny", + "event.code": "odit", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2017-9-6 time=6:55:24 devname=moll device_id=roinBCS log_id=odit type=event subtype=vol pri=low desc=aloru user=cteturad userfrom=modi msg=cip action=deny adom=ntoccae2859.www.test session_id=incididu", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "low", + "log.offset": 45638, + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.user": [ + "cteturad" + ], + "rsa.db.index": "cip", + "rsa.internal.event_desc": "aloru", + "rsa.internal.messageid": "event_fortinetmgr", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "vol", + "rsa.misc.event_source": "moll", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "roinBCS", + "rsa.misc.log_session_id": "incididu", + "rsa.misc.reference_id": "odit", + "rsa.misc.severity": "low", + "rsa.network.domain": "ntoccae2859.www.test", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "server.domain": "ntoccae2859.www.test", + "service.type": "fortinet", + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "user.name": "cteturad" + }, + { + "@timestamp": "2017-09-20T03:57:58.000Z", + "destination.bytes": 6283, + "destination.ip": [ + "10.22.248.52" + ], + "destination.port": 6566, + "event.action": "cancel", + "event.code": "oreve", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2017-9-20 time=1:57:58 devname=uinesci device_id=otamr log_id=tsed type=generic subtype=rExc pri=medium devid=saute devname=umdol logid=rerepr type=ipiscin subtype=trudexe level=high vd=ineavol srcip=10.29.34.211 srcport=5638 srcintf=eth1805 dstip=10.161.15.82 dstport=6598 dstintf=enp0s5799 poluuid=aco sessionid=eFini proto=17 action=cancel policyid=mipsa trandisp=uas duration=118.122000 sentbyte=1737 rcvdbyte=6283 devtype=umexe osname=xce osversion=1.7318 mastersrcmac=suntex srcmac=01:00:5e:5b:68:89 crscore=29.865000 craction=rcitati crlevel=siutali eventtype=uiratio user=ficia service=orsit hostname=deFinibu3940.internal.lan profile=rautod reqtype=onorumet url=https://www5.example.com/etcon/chit.txt?erspici=itinvolu#adeserun direction=unknown msg=tinv method=Utenima cat=nse catdesc=umq device_id=enim log_id=oreve pri=low userfrom=snisiu adminprof=atem timezone=ET main_type=vento trigger_policy=litsed sub_type=ciun severity_level=rehender policy=tetura src=10.124.71.88 src_port=7540 dst=10.22.248.52 dst_port=6566 http_method=cons http_url=tinvolu http_host=ptat http_agent=amquisn http_session_id=Finibus signature_subclass=nsequat signature_id=3661 srccountry=scipi content_switch_name=rem server_pool_name=reh false_positive_mitigation=rsitame user_name=tcons monitor_status=squamest http_refer=https://mail.example.com/emveleum/siuta.html?ate=epteur#onproi http_version=usmodit dev_id=orese threat_weight=umdolore history_threat_weight=umqui threat_level=adipisci ftp_mode=eir ftp_cmd=ull cipher_suite=tlabor msg_id=itecto", + "event.timezone": "ET", + "fileset.name": "fortimanager", + "host.name": "deFinibu3940.internal.lan", + "http.request.referrer": "https://mail.example.com/emveleum/siuta.html?ate=epteur#onproi", + "input.type": "log", + "log.level": "low", + "log.offset": 45844, + "network.bytes": 8020, + "network.direction": "unknown", + "observer.egress.interface.name": "enp0s5799", + "observer.ingress.interface.name": "eth1805", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.7318", + "related.hosts": [ + "deFinibu3940.internal.lan" + ], + "related.ip": [ + "10.22.248.52", + "10.124.71.88" + ], + "related.user": [ + "tcons" + ], + "rsa.internal.event_desc": "tinv", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "uiratio", + "rsa.misc.OS": "xce", + "rsa.misc.action": [ + "cancel", + "cons" + ], + "rsa.misc.category": "ciun", + "rsa.misc.client": "amquisn", + "rsa.misc.context": "uas", + "rsa.misc.event_source": "umdol", + "rsa.misc.event_type": "ipiscin", + "rsa.misc.fcatnum": "nse", + "rsa.misc.filter": "umq", + "rsa.misc.hardware_id": "enim", + "rsa.misc.log_session_id": "Finibus", + "rsa.misc.policy_id": "mipsa", + "rsa.misc.policy_name": "tetura", + "rsa.misc.reference_id": "oreve", + "rsa.misc.rule_name": "rautod", + "rsa.misc.severity": "low", + "rsa.misc.sig_id": 3661, + "rsa.misc.version": "1.7318", + "rsa.misc.vsys": "ineavol", + "rsa.network.alias_host": [ + "deFinibu3940.internal.lan" + ], + "rsa.network.dinterface": "enp0s5799", + "rsa.network.network_service": "orsit", + "rsa.network.sinterface": "eth1805", + "rsa.threat.threat_desc": "adipisci", + "rsa.time.duration_time": 118.122, + "rsa.time.event_time": "2017-09-20T03:57:58.000Z", + "rsa.time.timezone": "ET", + "rsa.web.reputation_num": 29.865, + "rsa.web.web_ref_domain": "ptat", + "rule.name": "rautod", + "service.type": "fortinet", + "source.bytes": 1737, + "source.geo.country_name": "scipi", + "source.ip": [ + "10.124.71.88" + ], + "source.mac": "01:00:5e:5b:68:89", + "source.port": 7540, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www5.example.com/etcon/chit.txt?erspici=itinvolu#adeserun", + "url.query": "tinvolu", + "user.name": "tcons" + }, + { + "@timestamp": "2017-10-04T11:00:32.000Z", + "destination.bytes": 6230, + "destination.ip": [ + "10.26.58.20" + ], + "destination.port": 2809, + "event.action": "block", + "event.code": "rchitect", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2017-10-4 time=9:00:32 logver=ametcons devid=velite devname=ipexeac logid=explicab type=samvolu subtype=teiru level=low vd=orinrep srcip=10.228.213.136 srcport=7247 srcintf=lo1719 dstip=10.185.107.27 dstport=2257 dstintf=enp0s4999 poluuid=iduntutl sessionid=mipsumd proto=udp action=block policyid=quelauda trandisp=rcit duration=166.303000 sentbyte=7229 rcvdbyte=6230 devtype=orese osname=evelite osversion=1.4895 mastersrcmac=oremipsu srcmac=01:00:5e:cd:f6:0e crscore=37.237000 craction=equunt crlevel=mto eventtype=iae user=dent service=Uten hostname=tatiset4191.localdomain profile=aconseq reqtype=mquamei url=https://api.example.org/fug/liquid.txt?ptate=lloi#nseq direction=external msg=isetqua method=ianonn cat=oluptas catdesc=doe device_id=quipex log_id=rchitect pri=very-high userfrom=Bonor adminprof=ipex timezone=PT main_type=upta trigger_policy=ivel sub_type=tmollita severity_level=tionofd policy=iatnula src=10.185.37.176 src_port=1859 dst=10.26.58.20 dst_port=2809 http_method=essequam http_url=undeo http_host=ficiade http_agent=uiinea http_session_id=uianonn signature_subclass=eavolupt signature_id=784 srccountry=elitsedq content_switch_name=liquam server_pool_name=sinto false_positive_mitigation=edi user_name=eumiure monitor_status=ore http_refer=https://internal.example.com/mSe/sis.gif?rchite=rcit#orumwri http_version=tiae dev_id=giat threat_weight=nculpa history_threat_weight=olupt threat_level=tvol ftp_mode=ostru ftp_cmd=mea cipher_suite=tuserror msg_id=agnama", + "event.timezone": "PT", + "fileset.name": "fortimanager", + "host.name": "tatiset4191.localdomain", + "http.request.referrer": "https://internal.example.com/mSe/sis.gif?rchite=rcit#orumwri", + "input.type": "log", + "log.level": "very-high", + "log.offset": 47392, + "network.bytes": 13459, + "network.direction": "external", + "observer.egress.interface.name": "enp0s4999", + "observer.ingress.interface.name": "lo1719", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.4895", + "related.hosts": [ + "tatiset4191.localdomain" + ], + "related.ip": [ + "10.26.58.20", + "10.185.37.176" + ], + "related.user": [ + "eumiure" + ], + "rsa.internal.event_desc": "isetqua", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "iae", + "rsa.misc.OS": "evelite", + "rsa.misc.action": [ + "essequam", + "block" + ], + "rsa.misc.category": "tmollita", + "rsa.misc.client": "uiinea", + "rsa.misc.context": "rcit", + "rsa.misc.event_source": "ipexeac", + "rsa.misc.event_type": "samvolu", + "rsa.misc.fcatnum": "oluptas", + "rsa.misc.filter": "doe", + "rsa.misc.hardware_id": "quipex", + "rsa.misc.log_session_id": "uianonn", + "rsa.misc.policy_id": "quelauda", + "rsa.misc.policy_name": "iatnula", + "rsa.misc.reference_id": "rchitect", + "rsa.misc.rule_name": "aconseq", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id": 784, + "rsa.misc.version": "1.4895", + "rsa.misc.vsys": "orinrep", + "rsa.network.alias_host": [ + "tatiset4191.localdomain" + ], + "rsa.network.dinterface": "enp0s4999", + "rsa.network.network_service": "Uten", + "rsa.network.sinterface": "lo1719", + "rsa.threat.threat_desc": "tvol", + "rsa.time.duration_time": 166.303, + "rsa.time.event_time": "2017-10-04T11:00:32.000Z", + "rsa.time.timezone": "PT", + "rsa.web.reputation_num": 37.237, + "rsa.web.web_ref_domain": "ficiade", + "rule.name": "aconseq", + "service.type": "fortinet", + "source.bytes": 7229, + "source.geo.country_name": "elitsedq", + "source.ip": [ + "10.185.37.176" + ], + "source.mac": "01:00:5e:cd:f6:0e", + "source.port": 1859, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://api.example.org/fug/liquid.txt?ptate=lloi#nseq", + "url.query": "undeo", + "user.name": "eumiure" + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "destination.bytes": 5047, + "destination.geo.country_name": "nven", + "destination.ip": [ + "10.14.145.107" + ], + "destination.nat.ip": "10.250.231.196", + "destination.nat.port": 5863, + "destination.port": 4362, + "event.action": "block", + "event.code": "nostr", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=deritq dtime=2017-10-19 04:03:07.172538723 +0000 UTC devid=boreetdo devname=teni vd=iin date=2017-10-19 time=4:03:07 logid=nostr type=luptatem subtype=tNequepo level=low eventtime=eumfug logtime=sper srcip=10.200.12.126 srcport=2347 srcintf=enp0s7374 srcintfrole=liqu dstip=10.14.145.107 dstport=4362 dstintf=enp0s7861 dstintfrole=aliq poluuid=utem sessionid=oreetd proto=HOPOPT action=block policyid=Nequepo policytype=edictas crscore=55.933000 craction=tur crlevel=borisnis appcat=elitsedd service=hitecto srccountry=loremi dstcountry=nven trandisp=isci tranip=10.250.231.196 tranport=5863 duration=4.105000 sentbyte=2763 rcvdbyte=5047 sentpkt=aquioff app=cip", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "low", + "log.offset": 48887, + "network.bytes": 7810, + "observer.egress.interface.name": "enp0s7861", + "observer.ingress.interface.name": "enp0s7374", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.14.145.107", + "10.200.12.126", + "10.250.231.196" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "tNequepo", + "rsa.misc.context": "isci", + "rsa.misc.event_source": "teni", + "rsa.misc.event_type": "luptatem", + "rsa.misc.hardware_id": "boreetdo", + "rsa.misc.log_session_id": "oreetd", + "rsa.misc.obj_name": "cip", + "rsa.misc.policy_id": "Nequepo", + "rsa.misc.reference_id": "nostr", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "iin", + "rsa.network.dinterface": "enp0s7861", + "rsa.network.network_service": "hitecto", + "rsa.network.sinterface": "enp0s7374", + "rsa.time.duration_time": 4.105, + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "rsa.time.event_time_str": "eumfug", + "rsa.web.reputation_num": 55.933, + "service.type": "fortinet", + "source.bytes": 2763, + "source.geo.country_name": "loremi", + "source.ip": [ + "10.200.12.126" + ], + "source.port": 2347, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-02T13:05:41.000Z", + "destination.bytes": 2565, + "destination.geo.country_name": "fugia", + "destination.ip": [ + "10.21.203.112" + ], + "destination.nat.ip": "10.103.36.192", + "destination.nat.port": 1974, + "destination.port": 5930, + "event.action": "cancel", + "event.code": "tura", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=onsequat dtime=2017-11-02 11:05:41.432538723 +0000 UTC devid=tiumd devname=atuse vd=imad date=2017-11-2 time=11:05:41 logid=tura type=equuntur subtype=rve level=high eventtime=mqua logtime=xer srcip=10.225.34.176 srcport=5569 srcintf=lo2867 srcintfrole=amquisn dstip=10.21.203.112 dstport=5930 dstintf=enp0s1294 dstintfrole=sum poluuid=lloinve sessionid=eni proto=HOPOPT action=cancel policyid=edquiac policytype=psamvolu crscore=80.314000 craction=unturma crlevel=iavol appcat=psumdol service=urautodi srccountry=equamni dstcountry=fugia trandisp=uptate tranip=10.103.36.192 tranport=1974 duration=129.001000 sentbyte=2801 rcvdbyte=2565 sentpkt=imidest app=citation", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "high", + "log.offset": 49556, + "network.bytes": 5366, + "observer.egress.interface.name": "enp0s1294", + "observer.ingress.interface.name": "lo2867", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.225.34.176", + "10.21.203.112", + "10.103.36.192" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "rve", + "rsa.misc.context": "uptate", + "rsa.misc.event_source": "atuse", + "rsa.misc.event_type": "equuntur", + "rsa.misc.hardware_id": "tiumd", + "rsa.misc.log_session_id": "eni", + "rsa.misc.obj_name": "citation", + "rsa.misc.policy_id": "edquiac", + "rsa.misc.reference_id": "tura", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "imad", + "rsa.network.dinterface": "enp0s1294", + "rsa.network.network_service": "urautodi", + "rsa.network.sinterface": "lo2867", + "rsa.time.duration_time": 129.001, + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "rsa.time.event_time_str": "mqua", + "rsa.web.reputation_num": 80.314, + "service.type": "fortinet", + "source.bytes": 2801, + "source.geo.country_name": "equamni", + "source.ip": [ + "10.225.34.176" + ], + "source.port": 5569, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-16T08:08:15.000Z", + "destination.bytes": 6222, + "destination.geo.country_name": "roid", + "destination.ip": [ + "10.5.67.140" + ], + "destination.nat.ip": "10.118.111.183", + "destination.nat.port": 5410, + "destination.port": 5687, + "event.action": "accept", + "event.code": "dexea", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=nof devname=\"usantiu\" devid=\"periam\" vd=remip date=2017-11-16 time=6:08:15 logid=dexea type=aturExc subtype=antiumto level=low eventtime=obe logtime=niamqu srcip=10.140.59.161 srcport=3599 srcintf=eth575 srcintfrole=tev dstip=10.5.67.140 dstport=5687 dstintf=enp0s6143 dstintfrole=intoc poluuid=obeataev sessionid=rrorsit proto=udp action=accept policyid=umquid policytype=olabo crscore=79.046000 craction=dolor crlevel=rsp appcat=quir service=giatqu srccountry=olors dstcountry=roid trandisp=lorum tranip=10.118.111.183 tranport=5410 duration=96.462000 sentbyte=6821 rcvdbyte=6222 sentpkt=mipsu app=nvol", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "low", + "log.offset": 50230, + "network.bytes": 13043, + "observer.egress.interface.name": "enp0s6143", + "observer.ingress.interface.name": "eth575", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.5.67.140", + "10.118.111.183", + "10.140.59.161" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "antiumto", + "rsa.misc.context": "lorum", + "rsa.misc.event_source": "usantiu", + "rsa.misc.event_type": "aturExc", + "rsa.misc.hardware_id": "periam", + "rsa.misc.log_session_id": "rrorsit", + "rsa.misc.obj_name": "nvol", + "rsa.misc.policy_id": "umquid", + "rsa.misc.reference_id": "dexea", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "remip", + "rsa.network.dinterface": "enp0s6143", + "rsa.network.network_service": "giatqu", + "rsa.network.sinterface": "eth575", + "rsa.time.duration_time": 96.462, + "rsa.time.event_time": "2017-11-16T08:08:15.000Z", + "rsa.time.event_time_str": "obe", + "rsa.web.reputation_num": 79.046, + "service.type": "fortinet", + "source.bytes": 6821, + "source.geo.country_name": "olors", + "source.ip": [ + "10.140.59.161" + ], + "source.port": 3599, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-01T03:10:49.000Z", + "destination.bytes": 5351, + "destination.ip": [ + "10.28.212.191" + ], + "destination.port": 1997, + "event.action": "accept", + "event.code": "abillo", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2017-12-1 time=1:10:49 logver=llu devid=quaUt devname=labor logid=oris type=tatemse subtype=uta level=very-high vd=tse srcip=10.170.104.148 srcport=5722 srcintf=lo259 dstip=10.60.92.40 dstport=5836 dstintf=enp0s4446 poluuid=dicons sessionid=BCSedutp proto=udp action=accept policyid=ritatise trandisp=nihilm duration=104.607000 sentbyte=6659 rcvdbyte=5351 devtype=isauteir osname=eritquii osversion=1.4493 mastersrcmac=uisno srcmac=01:00:5e:e9:ec:d5 crscore=34.736000 craction=itaed crlevel=invol eventtype=Loremips user=cidun service=tassitas hostname=nimadmi4084.api.home profile=eufugia reqtype=nor url=https://example.net/aturQui/tquii.html?uiac=squ#litess direction=unknown msg=involupt method=itempo cat=upt catdesc=rve device_id=amq log_id=abillo pri=high userfrom=ationem adminprof=Nem timezone=OMST main_type=ollita trigger_policy=dipisci sub_type=amnisiu severity_level=ptat policy=epr src=10.7.70.169 src_port=2514 dst=10.28.212.191 dst_port=1997 http_method=nostru http_url=Loremip http_host=veleumiu http_agent=rcita http_session_id=turad signature_subclass=sequamni signature_id=4799 srccountry=ollita content_switch_name=ectetu server_pool_name=radi false_positive_mitigation=ula user_name=itsed monitor_status=rad http_refer=https://internal.example.com/ididu/autodit.gif?seru=oriss#imadmin http_version=suntexpl dev_id=urve threat_weight=sBonoru history_threat_weight=everi threat_level=squ ftp_mode=emagnaal ftp_cmd=nih cipher_suite=ncididu msg_id=itati", + "event.timezone": "OMST", + "fileset.name": "fortimanager", + "host.name": "nimadmi4084.api.home", + "http.request.referrer": "https://internal.example.com/ididu/autodit.gif?seru=oriss#imadmin", + "input.type": "log", + "log.level": "high", + "log.offset": 50842, + "network.bytes": 12010, + "network.direction": "unknown", + "observer.egress.interface.name": "enp0s4446", + "observer.ingress.interface.name": "lo259", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.4493", + "related.hosts": [ + "nimadmi4084.api.home" + ], + "related.ip": [ + "10.7.70.169", + "10.28.212.191" + ], + "related.user": [ + "itsed" + ], + "rsa.internal.event_desc": "involupt", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "Loremips", + "rsa.misc.OS": "eritquii", + "rsa.misc.action": [ + "accept", + "nostru" + ], + "rsa.misc.category": "amnisiu", + "rsa.misc.client": "rcita", + "rsa.misc.context": "nihilm", + "rsa.misc.event_source": "labor", + "rsa.misc.event_type": "tatemse", + "rsa.misc.fcatnum": "upt", + "rsa.misc.filter": "rve", + "rsa.misc.hardware_id": "amq", + "rsa.misc.log_session_id": "turad", + "rsa.misc.policy_id": "ritatise", + "rsa.misc.policy_name": "epr", + "rsa.misc.reference_id": "abillo", + "rsa.misc.rule_name": "eufugia", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 4799, + "rsa.misc.version": "1.4493", + "rsa.misc.vsys": "tse", + "rsa.network.alias_host": [ + "nimadmi4084.api.home" + ], + "rsa.network.dinterface": "enp0s4446", + "rsa.network.network_service": "tassitas", + "rsa.network.sinterface": "lo259", + "rsa.threat.threat_desc": "squ", + "rsa.time.duration_time": 104.607, + "rsa.time.event_time": "2017-12-01T03:10:49.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.reputation_num": 34.736, + "rsa.web.web_ref_domain": "veleumiu", + "rule.name": "eufugia", + "service.type": "fortinet", + "source.bytes": 6659, + "source.geo.country_name": "ollita", + "source.ip": [ + "10.7.70.169" + ], + "source.mac": "01:00:5e:e9:ec:d5", + "source.port": 2514, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://example.net/aturQui/tquii.html?uiac=squ#litess", + "url.query": "Loremip", + "user.name": "itsed" + }, + { + "@timestamp": "2017-12-15T10:13:24.000Z", + "destination.bytes": 7417, + "destination.ip": [ + "10.143.144.52" + ], + "destination.port": 974, + "event.action": "block", + "event.code": "iqu", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2017-12-15 time=8:13:24 logver=estla devid=ione devname=ecillum logid=maccu type=ame subtype=pitlabo level=very-high vd=urExc srcip=10.37.124.214 srcport=6919 srcintf=lo7727 dstip=10.37.111.228 dstport=7082 dstintf=enp0s20 poluuid=dmini sessionid=tquid proto=17 action=block policyid=iatisun trandisp=cto duration=144.899000 sentbyte=2372 rcvdbyte=7417 devtype=imadmini osname=iatisund osversion=1.6506 mastersrcmac=aUtenim srcmac=01:00:5e:28:0c:11 crscore=172.422000 craction=etdol crlevel=sed eventtype=uep user=ametco service=nde hostname=reprehe3525.www5.example profile=mquisno reqtype=eaco url=https://mail.example.org/mvele/teveli.htm?Nequepor=luptate#aturvel direction=internal msg=dexea method=sedquia cat=litesse catdesc=ntmo device_id=aliqu log_id=iqu pri=very-high userfrom=ationula adminprof=doconse timezone=CEST main_type=oreeufug trigger_policy=ptatems sub_type=tenima severity_level=emagnam policy=iaco src=10.148.197.60 src_port=5711 dst=10.143.144.52 dst_port=974 http_method=nvo http_url=lab http_host=sedqui http_agent=iuntNe http_session_id=tdolor signature_subclass=Ute signature_id=2191 srccountry=uepor content_switch_name=umSecti server_pool_name=eabil false_positive_mitigation=ibusB user_name=rporis monitor_status=etco http_refer=https://example.org/ereprehe/olu.html?liqu=ipsu#siarch http_version=itautfu dev_id=rrorsi threat_weight=ole history_threat_weight=odi threat_level=tper ftp_mode=olor ftp_cmd=corpo cipher_suite=commod msg_id=iumd", + "event.timezone": "CEST", + "fileset.name": "fortimanager", + "host.name": "reprehe3525.www5.example", + "http.request.referrer": "https://example.org/ereprehe/olu.html?liqu=ipsu#siarch", + "input.type": "log", + "log.level": "very-high", + "log.offset": 52319, + "network.bytes": 9789, + "network.direction": "internal", + "observer.egress.interface.name": "enp0s20", + "observer.ingress.interface.name": "lo7727", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.6506", + "related.hosts": [ + "reprehe3525.www5.example" + ], + "related.ip": [ + "10.143.144.52", + "10.148.197.60" + ], + "related.user": [ + "rporis" + ], + "rsa.internal.event_desc": "dexea", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "uep", + "rsa.misc.OS": "iatisund", + "rsa.misc.action": [ + "block", + "nvo" + ], + "rsa.misc.category": "tenima", + "rsa.misc.client": "iuntNe", + "rsa.misc.context": "cto", + "rsa.misc.event_source": "ecillum", + "rsa.misc.event_type": "ame", + "rsa.misc.fcatnum": "litesse", + "rsa.misc.filter": "ntmo", + "rsa.misc.hardware_id": "aliqu", + "rsa.misc.log_session_id": "tdolor", + "rsa.misc.policy_id": "iatisun", + "rsa.misc.policy_name": "iaco", + "rsa.misc.reference_id": "iqu", + "rsa.misc.rule_name": "mquisno", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id": 2191, + "rsa.misc.version": "1.6506", + "rsa.misc.vsys": "urExc", + "rsa.network.alias_host": [ + "reprehe3525.www5.example" + ], + "rsa.network.dinterface": "enp0s20", + "rsa.network.network_service": "nde", + "rsa.network.sinterface": "lo7727", + "rsa.threat.threat_desc": "tper", + "rsa.time.duration_time": 144.899, + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.reputation_num": 172.422, + "rsa.web.web_ref_domain": "sedqui", + "rule.name": "mquisno", + "service.type": "fortinet", + "source.bytes": 2372, + "source.geo.country_name": "uepor", + "source.ip": [ + "10.148.197.60" + ], + "source.mac": "01:00:5e:28:0c:11", + "source.port": 5711, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://mail.example.org/mvele/teveli.htm?Nequepor=luptate#aturvel", + "url.query": "lab", + "user.name": "rporis" + }, + { + "@timestamp": "2017-12-29T05:15:58.000Z", + "destination.bytes": 7299, + "destination.geo.country_name": "ciad", + "destination.ip": [ + "10.22.149.132" + ], + "destination.nat.ip": "10.251.183.113", + "destination.nat.port": 2604, + "destination.port": 7725, + "event.action": "block", + "event.code": "bor", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=aborisn dtime=2017-12-29 15:15:58.472538723 +0000 UTC devid=onproid devname=sitv vd=equam date=2017-12-29 time=3:15:58 logid=bor type=ameaquei subtype=aeca level=very-high eventtime=aperiam logtime=ngelit srcip=10.217.145.137 srcport=5242 srcintf=enp0s6940 srcintfrole=orema dstip=10.22.149.132 dstport=7725 dstintf=lo7156 dstintfrole=neavolup poluuid=lits sessionid=Nemoen proto=0 action=block policyid=rur policytype=quaturve crscore=166.007000 craction=oeiusmod crlevel=uidolore appcat=iacon service=ncu srccountry=quaturve dstcountry=ciad trandisp=diconseq tranip=10.251.183.113 tranport=2604 duration=161.433000 sentbyte=5697 rcvdbyte=7299 sentpkt=eseosqu app=uptatem", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "very-high", + "log.offset": 53795, + "network.bytes": 12996, + "observer.egress.interface.name": "lo7156", + "observer.ingress.interface.name": "enp0s6940", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.217.145.137", + "10.22.149.132", + "10.251.183.113" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "aeca", + "rsa.misc.context": "diconseq", + "rsa.misc.event_source": "sitv", + "rsa.misc.event_type": "ameaquei", + "rsa.misc.hardware_id": "onproid", + "rsa.misc.log_session_id": "Nemoen", + "rsa.misc.obj_name": "uptatem", + "rsa.misc.policy_id": "rur", + "rsa.misc.reference_id": "bor", + "rsa.misc.severity": "very-high", + "rsa.misc.vsys": "equam", + "rsa.network.dinterface": "lo7156", + "rsa.network.network_service": "ncu", + "rsa.network.sinterface": "enp0s6940", + "rsa.time.duration_time": 161.433, + "rsa.time.event_time": "2017-12-29T05:15:58.000Z", + "rsa.time.event_time_str": "aperiam", + "rsa.web.reputation_num": 166.007, + "service.type": "fortinet", + "source.bytes": 5697, + "source.geo.country_name": "quaturve", + "source.ip": [ + "10.217.145.137" + ], + "source.port": 5242, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-12T12:18:32.000Z", + "destination.bytes": 1519, + "destination.geo.country_name": "iarchit", + "destination.ip": [ + "10.203.66.175" + ], + "destination.nat.ip": "10.51.60.203", + "destination.nat.port": 5315, + "destination.port": 3904, + "event.action": "accept", + "event.code": "mfugi", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=uamnihil devname=\"nisi\" devid=\"imadm\" vd=siutali date=2018-1-12 time=10:18:32 logid=mfugi type=ceroinBC subtype=lorumw level=low eventtime=squir logtime=commod srcip=10.183.16.252 srcport=3150 srcintf=lo6718 srcintfrole=eabillo dstip=10.203.66.175 dstport=3904 dstintf=enp0s3868 dstintfrole=dipisciv poluuid=nsequun sessionid=hen proto=icmp action=accept policyid=velillum policytype=itamet crscore=123.013000 craction=hil crlevel=itl appcat=idolo service=ncidid srccountry=oid dstcountry=iarchit trandisp=volupt tranip=10.51.60.203 tranport=5315 duration=165.955000 sentbyte=7551 rcvdbyte=1519 sentpkt=ten app=Utenim", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "low", + "log.offset": 54475, + "network.bytes": 9070, + "observer.egress.interface.name": "enp0s3868", + "observer.ingress.interface.name": "lo6718", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.51.60.203", + "10.203.66.175", + "10.183.16.252" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "lorumw", + "rsa.misc.context": "volupt", + "rsa.misc.event_source": "nisi", + "rsa.misc.event_type": "ceroinBC", + "rsa.misc.hardware_id": "imadm", + "rsa.misc.log_session_id": "hen", + "rsa.misc.obj_name": "Utenim", + "rsa.misc.policy_id": "velillum", + "rsa.misc.reference_id": "mfugi", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "siutali", + "rsa.network.dinterface": "enp0s3868", + "rsa.network.network_service": "ncidid", + "rsa.network.sinterface": "lo6718", + "rsa.time.duration_time": 165.955, + "rsa.time.event_time": "2018-01-12T12:18:32.000Z", + "rsa.time.event_time_str": "squir", + "rsa.web.reputation_num": 123.013, + "service.type": "fortinet", + "source.bytes": 7551, + "source.geo.country_name": "oid", + "source.ip": [ + "10.183.16.252" + ], + "source.port": 3150, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-27T07:21:06.000Z", + "destination.bytes": 6650, + "destination.ip": [ + "10.61.200.105" + ], + "destination.port": 2813, + "event.action": "accept", + "event.code": "orinc", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2018-1-27 time=5:21:06 logver=uasiarch devid=iamquisn devname=magnama logid=reprehe type=citatio subtype=dolo level=medium vd=esciunt srcip=10.133.245.26 srcport=1727 srcintf=enp0s2674 dstip=10.76.87.30 dstport=2858 dstintf=enp0s2918 poluuid=remag sessionid=roinBCSe proto=HOPOPT action=accept policyid=labori trandisp=ditau duration=39.920000 sentbyte=5413 rcvdbyte=6650 devtype=tam osname=olu osversion=1.409 mastersrcmac=iut srcmac=01:00:5e:5c:c2:50 crscore=69.137000 craction=boris crlevel=ris eventtype=nisiuta user=utper service=uipexe hostname=ursint411.www.lan profile=gnamali reqtype=iumdo url=https://example.org/tem/iadeseru.jpg?olorsita=odoco#etc direction=internal msg=lamco method=natuser cat=Excepteu catdesc=omnis device_id=tati log_id=orinc pri=very-high userfrom=eturadi adminprof=cinge timezone=PT main_type=ira trigger_policy=niamq sub_type=quatD severity_level=nevol policy=lumquid src=10.157.14.165 src_port=7170 dst=10.61.200.105 dst_port=2813 http_method=tquov http_url=natu http_host=doei http_agent=acomm http_session_id=veleumi signature_subclass=volupt signature_id=6822 srccountry=itatise content_switch_name=ure server_pool_name=userro false_positive_mitigation=oree user_name=nimadmi monitor_status=utaliq http_refer=https://example.com/tinvolu/uredol.txt?did=lamcol#idolor http_version=tutlabor dev_id=nse threat_weight=rauto history_threat_weight=rese threat_level=nonproi ftp_mode=doconse ftp_cmd=henderi cipher_suite=tisunde msg_id=ende", + "event.timezone": "PT", + "fileset.name": "fortimanager", + "host.name": "ursint411.www.lan", + "http.request.referrer": "https://example.com/tinvolu/uredol.txt?did=lamcol#idolor", + "input.type": "log", + "log.level": "very-high", + "log.offset": 55100, + "network.bytes": 12063, + "network.direction": "internal", + "observer.egress.interface.name": "enp0s2918", + "observer.ingress.interface.name": "enp0s2674", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.409", + "related.hosts": [ + "ursint411.www.lan" + ], + "related.ip": [ + "10.61.200.105", + "10.157.14.165" + ], + "related.user": [ + "nimadmi" + ], + "rsa.internal.event_desc": "lamco", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "nisiuta", + "rsa.misc.OS": "olu", + "rsa.misc.action": [ + "accept", + "tquov" + ], + "rsa.misc.category": "quatD", + "rsa.misc.client": "acomm", + "rsa.misc.context": "ditau", + "rsa.misc.event_source": "magnama", + "rsa.misc.event_type": "citatio", + "rsa.misc.fcatnum": "Excepteu", + "rsa.misc.filter": "omnis", + "rsa.misc.hardware_id": "tati", + "rsa.misc.log_session_id": "veleumi", + "rsa.misc.policy_id": "labori", + "rsa.misc.policy_name": "lumquid", + "rsa.misc.reference_id": "orinc", + "rsa.misc.rule_name": "gnamali", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id": 6822, + "rsa.misc.version": "1.409", + "rsa.misc.vsys": "esciunt", + "rsa.network.alias_host": [ + "ursint411.www.lan" + ], + "rsa.network.dinterface": "enp0s2918", + "rsa.network.network_service": "uipexe", + "rsa.network.sinterface": "enp0s2674", + "rsa.threat.threat_desc": "nonproi", + "rsa.time.duration_time": 39.92, + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "rsa.time.timezone": "PT", + "rsa.web.reputation_num": 69.137, + "rsa.web.web_ref_domain": "doei", + "rule.name": "gnamali", + "service.type": "fortinet", + "source.bytes": 5413, + "source.geo.country_name": "itatise", + "source.ip": [ + "10.157.14.165" + ], + "source.mac": "01:00:5e:5c:c2:50", + "source.port": 7170, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://example.org/tem/iadeseru.jpg?olorsita=odoco#etc", + "url.query": "natu", + "user.name": "nimadmi" + }, + { + "@timestamp": "2018-02-10T14:23:41.000Z", + "destination.bytes": 5375, + "destination.ip": [ + "10.217.111.77" + ], + "destination.port": 7309, + "event.action": "allow", + "event.code": "entoreve", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2018-2-10 time=12:23:41 logver=commod devid=oris devname=rcita logid=ataev type=oris subtype=incidi level=high vd=tutlabo srcip=10.32.66.161 srcport=881 srcintf=lo4523 dstip=10.134.238.8 dstport=2976 dstintf=enp0s1238 poluuid=edquiac sessionid=sit proto=HOPOPT action=allow policyid=olo trandisp=laboris duration=163.866000 sentbyte=7328 rcvdbyte=5375 devtype=tutl osname=nevolu osversion=1.5475 mastersrcmac=ostru srcmac=01:00:5e:e9:5f:84 crscore=157.516000 craction=aven crlevel=idolore eventtype=psaqu user=psa service=pta hostname=ididunt7607.mail.localhost profile=ntutlabo reqtype=leumiure url=https://mail.example.net/epteurs/usmodtem.gif?itvo=asi#tobe direction=internal msg=Lore method=oin cat=eritquii catdesc=taliqui device_id=ecatcu log_id=entoreve pri=high userfrom=umquam adminprof=onev timezone=CET main_type=tionev trigger_policy=ali sub_type=ionu severity_level=perna policy=moll src=10.242.178.15 src_port=3948 dst=10.217.111.77 dst_port=7309 http_method=datatno http_url=equepor http_host=antium http_agent=ugiatn http_session_id=utpe signature_subclass=hend signature_id=1170 srccountry=agnamali content_switch_name=ptateve server_pool_name=aliqua false_positive_mitigation=officiad user_name=nimadmin monitor_status=iavol http_refer=https://example.net/iumtota/qui.jpg?quel=ugitsed#ritatis http_version=olor dev_id=emoenim threat_weight=turadipi history_threat_weight=umSec threat_level=onsecte ftp_mode=inibusBo ftp_cmd=tqui cipher_suite=sequun msg_id=nimadm", + "event.timezone": "CET", + "fileset.name": "fortimanager", + "host.name": "ididunt7607.mail.localhost", + "http.request.referrer": "https://example.net/iumtota/qui.jpg?quel=ugitsed#ritatis", + "input.type": "log", + "log.level": "high", + "log.offset": 56577, + "network.bytes": 12703, + "network.direction": "internal", + "observer.egress.interface.name": "enp0s1238", + "observer.ingress.interface.name": "lo4523", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.5475", + "related.hosts": [ + "ididunt7607.mail.localhost" + ], + "related.ip": [ + "10.217.111.77", + "10.242.178.15" + ], + "related.user": [ + "nimadmin" + ], + "rsa.internal.event_desc": "Lore", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "psaqu", + "rsa.misc.OS": "nevolu", + "rsa.misc.action": [ + "datatno", + "allow" + ], + "rsa.misc.category": "ionu", + "rsa.misc.client": "ugiatn", + "rsa.misc.context": "laboris", + "rsa.misc.event_source": "rcita", + "rsa.misc.event_type": "oris", + "rsa.misc.fcatnum": "eritquii", + "rsa.misc.filter": "taliqui", + "rsa.misc.hardware_id": "ecatcu", + "rsa.misc.log_session_id": "utpe", + "rsa.misc.policy_id": "olo", + "rsa.misc.policy_name": "moll", + "rsa.misc.reference_id": "entoreve", + "rsa.misc.rule_name": "ntutlabo", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 1170, + "rsa.misc.version": "1.5475", + "rsa.misc.vsys": "tutlabo", + "rsa.network.alias_host": [ + "ididunt7607.mail.localhost" + ], + "rsa.network.dinterface": "enp0s1238", + "rsa.network.network_service": "pta", + "rsa.network.sinterface": "lo4523", + "rsa.threat.threat_desc": "onsecte", + "rsa.time.duration_time": 163.866, + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "rsa.time.timezone": "CET", + "rsa.web.reputation_num": 157.516, + "rsa.web.web_ref_domain": "antium", + "rule.name": "ntutlabo", + "service.type": "fortinet", + "source.bytes": 7328, + "source.geo.country_name": "agnamali", + "source.ip": [ + "10.242.178.15" + ], + "source.mac": "01:00:5e:e9:5f:84", + "source.port": 3948, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://mail.example.net/epteurs/usmodtem.gif?itvo=asi#tobe", + "url.query": "equepor", + "user.name": "nimadmin" + }, + { + "@timestamp": "2018-02-24T09:26:15.000Z", + "destination.bytes": 6059, + "destination.ip": [ + "10.86.152.227" + ], + "destination.port": 850, + "event.action": "cancel", + "event.code": "onsec", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2018-2-24 time=7:26:15 logver=vitaedic devid=remip devname=rsita logid=rehe type=aper subtype=gnaa level=low vd=uta srcip=10.161.128.235 srcport=6280 srcintf=eth2121 dstip=10.84.29.117 dstport=1245 dstintf=eth7500 poluuid=errorsi sessionid=umwr proto=HOPOPT action=cancel policyid=cupida trandisp=rinc duration=5.709000 sentbyte=289 rcvdbyte=6059 devtype=dquia osname=ommod osversion=1.142 mastersrcmac=dico srcmac=01:00:5e:06:53:8a crscore=35.836000 craction=imipsa crlevel=iscinge eventtype=ora user=meumfug service=inimve hostname=mco2906.domain profile=sitvolu reqtype=eratv url=https://www.example.com/iadolo/cidu.txt?aliquide=redolori#eav direction=inbound msg=nse method=turQuis cat=tat catdesc=pta device_id=henderi log_id=onsec pri=high userfrom=itaspern adminprof=tau timezone=GMT+02:00 main_type=rsintoc trigger_policy=boreetd sub_type=rehende severity_level=sitamet policy=xerc src=10.199.119.251 src_port=7286 dst=10.86.152.227 dst_port=850 http_method=ant http_url=tiu http_host=ommodoco http_agent=rehe http_session_id=eseosqu signature_subclass=oeius signature_id=641 srccountry=eaqueip content_switch_name=laud server_pool_name=uido false_positive_mitigation=uis user_name=msequin monitor_status=autem http_refer=https://internal.example.org/ipi/qua.htm?itat=adipisc#omnisist http_version=orroqui dev_id=sci threat_weight=psamvolu history_threat_weight=itsedqui threat_level=oreve ftp_mode=omn ftp_cmd=onevol cipher_suite=ese msg_id=reprehen", + "event.timezone": "GMT+02:00", + "fileset.name": "fortimanager", + "host.name": "mco2906.domain", + "http.request.referrer": "https://internal.example.org/ipi/qua.htm?itat=adipisc#omnisist", + "input.type": "log", + "log.level": "high", + "log.offset": 58063, + "network.bytes": 6348, + "network.direction": "inbound", + "observer.egress.interface.name": "eth7500", + "observer.ingress.interface.name": "eth2121", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.142", + "related.hosts": [ + "mco2906.domain" + ], + "related.ip": [ + "10.199.119.251", + "10.86.152.227" + ], + "related.user": [ + "msequin" + ], + "rsa.internal.event_desc": "nse", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "ora", + "rsa.misc.OS": "ommod", + "rsa.misc.action": [ + "ant", + "cancel" + ], + "rsa.misc.category": "rehende", + "rsa.misc.client": "rehe", + "rsa.misc.context": "rinc", + "rsa.misc.event_source": "rsita", + "rsa.misc.event_type": "aper", + "rsa.misc.fcatnum": "tat", + "rsa.misc.filter": "pta", + "rsa.misc.hardware_id": "henderi", + "rsa.misc.log_session_id": "eseosqu", + "rsa.misc.policy_id": "cupida", + "rsa.misc.policy_name": "xerc", + "rsa.misc.reference_id": "onsec", + "rsa.misc.rule_name": "sitvolu", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 641, + "rsa.misc.version": "1.142", + "rsa.misc.vsys": "uta", + "rsa.network.alias_host": [ + "mco2906.domain" + ], + "rsa.network.dinterface": "eth7500", + "rsa.network.network_service": "inimve", + "rsa.network.sinterface": "eth2121", + "rsa.threat.threat_desc": "oreve", + "rsa.time.duration_time": 5.709, + "rsa.time.event_time": "2018-02-24T09:26:15.000Z", + "rsa.time.timezone": "GMT+02:00", + "rsa.web.reputation_num": 35.836, + "rsa.web.web_ref_domain": "ommodoco", + "rule.name": "sitvolu", + "service.type": "fortinet", + "source.bytes": 289, + "source.geo.country_name": "eaqueip", + "source.ip": [ + "10.199.119.251" + ], + "source.mac": "01:00:5e:06:53:8a", + "source.port": 7286, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www.example.com/iadolo/cidu.txt?aliquide=redolori#eav", + "url.query": "tiu", + "user.name": "msequin" + }, + { + "@timestamp": "2018-03-11T04:28:49.000Z", + "destination.bytes": 3374, + "destination.ip": [ + "10.234.171.117" + ], + "destination.port": 4488, + "event.action": "deny", + "event.code": "quian", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2018-3-11 time=2:28:49 logver=eumfugia devid=nimvenia devname=dol logid=rissusc type=lit subtype=quin level=low vd=eddoei srcip=10.35.73.208 srcport=7081 srcintf=eth6552 dstip=10.216.120.61 dstport=6389 dstintf=eth2068 poluuid=dolor sessionid=emUteni proto=tcp action=deny policyid=illoin trandisp=rinre duration=166.295000 sentbyte=5988 rcvdbyte=3374 devtype=olorem osname=mquae osversion=1.1789 mastersrcmac=rQuis srcmac=01:00:5e:b5:9a:3e crscore=5.250000 craction=enimadmi crlevel=elit eventtype=uia user=tem service=unt hostname=ntex5135.corp profile=mqua reqtype=equa url=https://internal.example.com/isc/umdol.jpg?atn=sectet#boreetd direction=outbound msg=olorin method=oluptat cat=olors catdesc=mSecti device_id=ius log_id=quian pri=low userfrom=urExce adminprof=upt timezone=PST main_type=pteurs trigger_policy=intocc sub_type=abo severity_level=orisnis policy=reseo src=10.239.194.105 src_port=3629 dst=10.234.171.117 dst_port=4488 http_method=tenatus http_url=odic http_host=ono http_agent=umtota http_session_id=consequ signature_subclass=ine signature_id=3409 srccountry=dex content_switch_name=ipis server_pool_name=nsecte false_positive_mitigation=miurere user_name=tat monitor_status=pitlabor http_refer=https://example.com/olupta/ape.jpg?mnisiut=eabil#olu http_version=uaUte dev_id=empor threat_weight=ate history_threat_weight=eca threat_level=inre ftp_mode=aliqu ftp_cmd=orem cipher_suite=dquian msg_id=isaute", + "event.timezone": "PST", + "fileset.name": "fortimanager", + "host.name": "ntex5135.corp", + "http.request.referrer": "https://example.com/olupta/ape.jpg?mnisiut=eabil#olu", + "input.type": "log", + "log.level": "low", + "log.offset": 59527, + "network.bytes": 9362, + "network.direction": "outbound", + "observer.egress.interface.name": "eth2068", + "observer.ingress.interface.name": "eth6552", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.1789", + "related.hosts": [ + "ntex5135.corp" + ], + "related.ip": [ + "10.239.194.105", + "10.234.171.117" + ], + "related.user": [ + "tat" + ], + "rsa.internal.event_desc": "olorin", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "uia", + "rsa.misc.OS": "mquae", + "rsa.misc.action": [ + "deny", + "tenatus" + ], + "rsa.misc.category": "abo", + "rsa.misc.client": "umtota", + "rsa.misc.context": "rinre", + "rsa.misc.event_source": "dol", + "rsa.misc.event_type": "lit", + "rsa.misc.fcatnum": "olors", + "rsa.misc.filter": "mSecti", + "rsa.misc.hardware_id": "ius", + "rsa.misc.log_session_id": "consequ", + "rsa.misc.policy_id": "illoin", + "rsa.misc.policy_name": "reseo", + "rsa.misc.reference_id": "quian", + "rsa.misc.rule_name": "mqua", + "rsa.misc.severity": "low", + "rsa.misc.sig_id": 3409, + "rsa.misc.version": "1.1789", + "rsa.misc.vsys": "eddoei", + "rsa.network.alias_host": [ + "ntex5135.corp" + ], + "rsa.network.dinterface": "eth2068", + "rsa.network.network_service": "unt", + "rsa.network.sinterface": "eth6552", + "rsa.threat.threat_desc": "inre", + "rsa.time.duration_time": 166.295, + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "rsa.time.timezone": "PST", + "rsa.web.reputation_num": 5.25, + "rsa.web.web_ref_domain": "ono", + "rule.name": "mqua", + "service.type": "fortinet", + "source.bytes": 5988, + "source.geo.country_name": "dex", + "source.ip": [ + "10.239.194.105" + ], + "source.mac": "01:00:5e:b5:9a:3e", + "source.port": 3629, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://internal.example.com/isc/umdol.jpg?atn=sectet#boreetd", + "url.query": "odic", + "user.name": "tat" + }, + { + "@timestamp": "2018-03-25T11:31:24.000Z", + "destination.bytes": 2855, + "destination.geo.country_name": "rinc", + "destination.ip": [ + "10.249.16.201" + ], + "destination.nat.ip": "10.107.168.208", + "destination.nat.port": 1864, + "destination.port": 4293, + "event.action": "accept", + "event.code": "ntocca", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=emagnaal dtime=2018-03-25 09:31:24.032538723 +0000 UTC devid=uunturm devname=nonnumq vd=tqu date=2018-3-25 time=9:31:24 logid=ntocca type=emquelau subtype=adolorsi level=medium eventtime=maliquam logtime=ovol srcip=10.34.41.75 srcport=4436 srcintf=enp0s7638 srcintfrole=eseosqu dstip=10.249.16.201 dstport=4293 dstintf=lo5084 dstintfrole=mvele poluuid=qui sessionid=etMa proto=3 action=accept policyid=aspe policytype=uradipi crscore=22.220000 craction=atu crlevel=amremape appcat=illoinve service=uis srccountry=itanimi dstcountry=rinc trandisp=isistena tranip=10.107.168.208 tranport=1864 duration=45.477000 sentbyte=1067 rcvdbyte=2855 sentpkt=ctionofd app=uianonnu", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "medium", + "log.offset": 60960, + "network.bytes": 3922, + "network.protocol": "GGP", + "observer.egress.interface.name": "lo5084", + "observer.ingress.interface.name": "enp0s7638", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.107.168.208", + "10.34.41.75", + "10.249.16.201" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "adolorsi", + "rsa.misc.context": "isistena", + "rsa.misc.event_source": "nonnumq", + "rsa.misc.event_type": "emquelau", + "rsa.misc.hardware_id": "uunturm", + "rsa.misc.log_session_id": "etMa", + "rsa.misc.obj_name": "uianonnu", + "rsa.misc.policy_id": "aspe", + "rsa.misc.reference_id": "ntocca", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "tqu", + "rsa.network.dinterface": "lo5084", + "rsa.network.network_service": "uis", + "rsa.network.sinterface": "enp0s7638", + "rsa.time.duration_time": 45.477, + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "rsa.time.event_time_str": "maliquam", + "rsa.web.reputation_num": 22.22, + "service.type": "fortinet", + "source.bytes": 1067, + "source.geo.country_name": "itanimi", + "source.ip": [ + "10.34.41.75" + ], + "source.port": 4436, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2018-04-08T06:33:58.000Z", + "destination.bytes": 7292, + "destination.ip": [ + "10.109.106.194" + ], + "destination.port": 5356, + "event.action": "allow", + "event.code": "vol", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=nisiste date=2018-4-8 time=4:33:58 log_id=sedqu devid=itautfu devname=aaliq logid=tDui type=ernatur subtype=itsed level=low vd=xeacomm srcip=10.112.57.220 srcport=5803 srcintf=enp0s1897 dstip=10.19.151.236 dstport=884 dstintf=enp0s4144 poluuid=estiaeco sessionid=vele proto=HOPOPT action=allow policyid=yCiceroi trandisp=loremeu duration=156.263000 sentbyte=3719 rcvdbyte=7292 devtype=colab osname=itte osversion=1.6905 mastersrcmac=orumS srcmac=01:00:5e:c1:b8:93 crscore=60.950000 craction=uptat crlevel=incidun eventtype=agnaaliq user=aturQuis service=cepteurs hostname=tat1845.internal.invalid profile=rumetMal reqtype=tiumtot url=https://www.example.com/imadm/ugiat.txt?Nequepor=nisiu#ptat direction=inbound msg=eddoe method=seq cat=uae catdesc=tobeata device_id=ctas log_id=vol pri=high userfrom=gna adminprof=itautf timezone=ET main_type=eprehe trigger_policy=ariatu sub_type=aqueip severity_level=aqueip policy=rautod src=10.96.168.24 src_port=6206 dst=10.109.106.194 dst_port=5356 http_method=Sedut http_url=stiaec http_host=rveli http_agent=serr http_session_id=umdolo signature_subclass=iduntut signature_id=4281 srccountry=rorsitv content_switch_name=caboNemo server_pool_name=cididun false_positive_mitigation=iamqu user_name=ommodoc monitor_status=mwrit http_refer=https://www5.example.com/madminim/onse.txt?reeuf=orinrepr#tinvo http_version=oru dev_id=ainc threat_weight=aeab history_threat_weight=iat threat_level=acom ftp_mode=olo ftp_cmd=eipsaq cipher_suite=enatu msg_id=mfu", + "event.timezone": "ET", + "fileset.name": "fortimanager", + "host.name": "tat1845.internal.invalid", + "http.request.referrer": "https://www5.example.com/madminim/onse.txt?reeuf=orinrepr#tinvo", + "input.type": "log", + "log.level": "high", + "log.offset": 61635, + "network.bytes": 11011, + "network.direction": "inbound", + "observer.egress.interface.name": "enp0s4144", + "observer.ingress.interface.name": "enp0s1897", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.6905", + "related.hosts": [ + "tat1845.internal.invalid" + ], + "related.ip": [ + "10.109.106.194", + "10.96.168.24" + ], + "related.user": [ + "ommodoc" + ], + "rsa.internal.event_desc": "eddoe", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "agnaaliq", + "rsa.misc.OS": "itte", + "rsa.misc.action": [ + "Sedut", + "allow" + ], + "rsa.misc.category": "aqueip", + "rsa.misc.client": "serr", + "rsa.misc.context": "loremeu", + "rsa.misc.event_source": "aaliq", + "rsa.misc.event_type": "ernatur", + "rsa.misc.fcatnum": "uae", + "rsa.misc.filter": "tobeata", + "rsa.misc.hardware_id": "ctas", + "rsa.misc.log_session_id": "umdolo", + "rsa.misc.policy_id": "yCiceroi", + "rsa.misc.policy_name": "rautod", + "rsa.misc.reference_id": "vol", + "rsa.misc.rule_name": "rumetMal", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 4281, + "rsa.misc.version": "1.6905", + "rsa.misc.vsys": "xeacomm", + "rsa.network.alias_host": [ + "tat1845.internal.invalid" + ], + "rsa.network.dinterface": "enp0s4144", + "rsa.network.network_service": "cepteurs", + "rsa.network.sinterface": "enp0s1897", + "rsa.threat.threat_desc": "acom", + "rsa.time.duration_time": 156.263, + "rsa.time.event_time": "2018-04-08T06:33:58.000Z", + "rsa.time.timezone": "ET", + "rsa.web.reputation_num": 60.95, + "rsa.web.web_ref_domain": "rveli", + "rule.name": "rumetMal", + "service.type": "fortinet", + "source.bytes": 3719, + "source.geo.country_name": "rorsitv", + "source.ip": [ + "10.96.168.24" + ], + "source.mac": "01:00:5e:c1:b8:93", + "source.port": 6206, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www.example.com/imadm/ugiat.txt?Nequepor=nisiu#ptat", + "url.query": "stiaec", + "user.name": "ommodoc" + }, + { + "@timestamp": "2018-04-22T13:36:32.000Z", + "destination.bytes": 6693, + "destination.ip": [ + "10.47.191.95" + ], + "destination.port": 6242, + "event.action": "deny", + "event.code": "remagnam", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=aliqui date=2018-4-22 time=11:36:32 log_id=uipexea devid=sauteiru devname=nibusB logid=eetdolo type=issuscip subtype=iduntu level=high vd=rinc srcip=10.109.224.208 srcport=1769 srcintf=enp0s3638 dstip=10.31.34.96 dstport=4651 dstintf=enp0s390 poluuid=atis sessionid=edol proto=icmp action=deny policyid=adip trandisp=ugiatq duration=128.795000 sentbyte=4249 rcvdbyte=6693 devtype=atemUte osname=emag osversion=1.1353 mastersrcmac=ecatcup srcmac=01:00:5e:63:85:d2 crscore=62.286000 craction=oin crlevel=isautem eventtype=eiusm user=assit service=ulpaq hostname=ulamc767.internal.lan profile=iades reqtype=mremape url=https://mail.example.net/ionemu/nul.jpg?volupt=ori#sed direction=inbound msg=maveniam method=ctobeat cat=emoenim catdesc=oqui device_id=olab log_id=remagnam pri=high userfrom=mSecti adminprof=volupt timezone=OMST main_type=ela trigger_policy=fugits sub_type=litseddo severity_level=idestl policy=ptasn src=10.112.155.228 src_port=5011 dst=10.47.191.95 dst_port=6242 http_method=velillu http_url=radipi http_host=iatn http_agent=aturE http_session_id=beat signature_subclass=pern signature_id=7568 srccountry=itvolupt content_switch_name=uradip server_pool_name=perspi false_positive_mitigation=uaer user_name=aed monitor_status=tectobe http_refer=https://example.org/scingeli/uatDuis.gif?apari=itesseci#utali http_version=ofdeFin dev_id=siutaliq threat_weight=urvel history_threat_weight=turE threat_level=ntium ftp_mode=imadmi ftp_cmd=dquiac cipher_suite=liquide msg_id=uatD", + "event.timezone": "OMST", + "fileset.name": "fortimanager", + "host.name": "ulamc767.internal.lan", + "http.request.referrer": "https://example.org/scingeli/uatDuis.gif?apari=itesseci#utali", + "input.type": "log", + "log.level": "high", + "log.offset": 63134, + "network.bytes": 10942, + "network.direction": "inbound", + "observer.egress.interface.name": "enp0s390", + "observer.ingress.interface.name": "enp0s3638", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.1353", + "related.hosts": [ + "ulamc767.internal.lan" + ], + "related.ip": [ + "10.47.191.95", + "10.112.155.228" + ], + "related.user": [ + "aed" + ], + "rsa.internal.event_desc": "maveniam", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "eiusm", + "rsa.misc.OS": "emag", + "rsa.misc.action": [ + "deny", + "velillu" + ], + "rsa.misc.category": "litseddo", + "rsa.misc.client": "aturE", + "rsa.misc.context": "ugiatq", + "rsa.misc.event_source": "nibusB", + "rsa.misc.event_type": "issuscip", + "rsa.misc.fcatnum": "emoenim", + "rsa.misc.filter": "oqui", + "rsa.misc.hardware_id": "olab", + "rsa.misc.log_session_id": "beat", + "rsa.misc.policy_id": "adip", + "rsa.misc.policy_name": "ptasn", + "rsa.misc.reference_id": "remagnam", + "rsa.misc.rule_name": "iades", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 7568, + "rsa.misc.version": "1.1353", + "rsa.misc.vsys": "rinc", + "rsa.network.alias_host": [ + "ulamc767.internal.lan" + ], + "rsa.network.dinterface": "enp0s390", + "rsa.network.network_service": "ulpaq", + "rsa.network.sinterface": "enp0s3638", + "rsa.threat.threat_desc": "ntium", + "rsa.time.duration_time": 128.795, + "rsa.time.event_time": "2018-04-22T13:36:32.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.reputation_num": 62.286, + "rsa.web.web_ref_domain": "iatn", + "rule.name": "iades", + "service.type": "fortinet", + "source.bytes": 4249, + "source.geo.country_name": "itvolupt", + "source.ip": [ + "10.112.155.228" + ], + "source.mac": "01:00:5e:63:85:d2", + "source.port": 5011, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://mail.example.net/ionemu/nul.jpg?volupt=ori#sed", + "url.query": "radipi", + "user.name": "aed" + }, + { + "@timestamp": "2018-05-07T08:39:06.000Z", + "destination.bytes": 6033, + "destination.geo.country_name": "amrema", + "destination.ip": [ + "10.140.137.17" + ], + "destination.nat.ip": "10.62.241.218", + "destination.nat.port": 7444, + "destination.port": 446, + "event.action": "allow", + "event.code": "tmol", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=gnidolor dtime=2018-05-07 06:39:06.812538723 +0000 UTC devid=BCSedut devname=metco vd=vel date=2018-5-7 time=6:39:06 logid=tmol type=acommodi subtype=ccaecat level=low eventtime=mqu logtime=mips srcip=10.103.169.94 srcport=2174 srcintf=lo5821 srcintfrole=osqu dstip=10.140.137.17 dstport=446 dstintf=enp0s4444 dstintfrole=iono poluuid=atcupi sessionid=dexe proto=0 action=allow policyid=exerci policytype=ems crscore=15.728000 craction=nulapa crlevel=tess appcat=eroi service=enby srccountry=riatur dstcountry=amrema trandisp=illum tranip=10.62.241.218 tranport=7444 duration=5.969000 sentbyte=4832 rcvdbyte=6033 sentpkt=urere app=involu", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "low", + "log.offset": 64633, + "network.bytes": 10865, + "observer.egress.interface.name": "enp0s4444", + "observer.ingress.interface.name": "lo5821", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.103.169.94", + "10.62.241.218", + "10.140.137.17" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "ccaecat", + "rsa.misc.context": "illum", + "rsa.misc.event_source": "metco", + "rsa.misc.event_type": "acommodi", + "rsa.misc.hardware_id": "BCSedut", + "rsa.misc.log_session_id": "dexe", + "rsa.misc.obj_name": "involu", + "rsa.misc.policy_id": "exerci", + "rsa.misc.reference_id": "tmol", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "vel", + "rsa.network.dinterface": "enp0s4444", + "rsa.network.network_service": "enby", + "rsa.network.sinterface": "lo5821", + "rsa.time.duration_time": 5.969, + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "rsa.time.event_time_str": "mqu", + "rsa.web.reputation_num": 15.728, + "service.type": "fortinet", + "source.bytes": 4832, + "source.geo.country_name": "riatur", + "source.ip": [ + "10.103.169.94" + ], + "source.port": 2174, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-21T03:41:41.000Z", + "destination.bytes": 2687, + "destination.geo.country_name": "umetMalo", + "destination.ip": [ + "10.251.212.166" + ], + "destination.nat.ip": "10.77.105.160", + "destination.nat.port": 5541, + "destination.port": 3925, + "event.action": "cancel", + "event.code": "sistena", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=tem devname=\"litsedq\" devid=\"amre\" vd=orpori date=2018-5-21 time=1:41:41 logid=sistena type=iam subtype=saquae level=low eventtime=itanimid logtime=ianonnum srcip=10.90.229.92 srcport=6796 srcintf=lo1752 srcintfrole=inculp dstip=10.251.212.166 dstport=3925 dstintf=eth1592 dstintfrole=aboNemo poluuid=tsedquia sessionid=ididun proto=21 action=cancel policyid=enim policytype=gnido crscore=85.453000 craction=erepr crlevel=tsedqu appcat=uisa service=uptat srccountry=siutal dstcountry=umetMalo trandisp=onevolu tranip=10.77.105.160 tranport=5541 duration=155.903000 sentbyte=5294 rcvdbyte=2687 sentpkt=ira app=umfu", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "low", + "log.offset": 65278, + "network.bytes": 7981, + "observer.egress.interface.name": "eth1592", + "observer.ingress.interface.name": "lo1752", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.251.212.166", + "10.77.105.160", + "10.90.229.92" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "saquae", + "rsa.misc.context": "onevolu", + "rsa.misc.event_source": "litsedq", + "rsa.misc.event_type": "iam", + "rsa.misc.hardware_id": "amre", + "rsa.misc.log_session_id": "ididun", + "rsa.misc.obj_name": "umfu", + "rsa.misc.policy_id": "enim", + "rsa.misc.reference_id": "sistena", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "orpori", + "rsa.network.dinterface": "eth1592", + "rsa.network.network_service": "uptat", + "rsa.network.sinterface": "lo1752", + "rsa.time.duration_time": 155.903, + "rsa.time.event_time": "2018-05-21T03:41:41.000Z", + "rsa.time.event_time_str": "itanimid", + "rsa.web.reputation_num": 85.453, + "service.type": "fortinet", + "source.bytes": 5294, + "source.geo.country_name": "siutal", + "source.ip": [ + "10.90.229.92" + ], + "source.port": 6796, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-04T10:44:15.000Z", + "destination.bytes": 205, + "destination.ip": [ + "10.112.242.68" + ], + "destination.port": 3105, + "event.action": "cancel", + "event.code": "atisund", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2018-6-4 time=8:44:15 logver=uamq devid=mnisist devname=dutp logid=ecillu type=ipsaqu subtype=asun level=very-high vd=llumd srcip=10.100.223.157 srcport=1307 srcintf=eth5742 dstip=10.232.243.87 dstport=4546 dstintf=lo299 poluuid=atisetq sessionid=mSectio proto=0 action=cancel policyid=nonnumqu trandisp=atis duration=63.050000 sentbyte=3508 rcvdbyte=205 devtype=uam osname=tisunde osversion=1.4261 mastersrcmac=rured srcmac=01:00:5e:8a:c1:2a crscore=19.243000 craction=meumfug crlevel=iam eventtype=animi user=porainc service=nsectetu hostname=spici5547.internal.test profile=tate reqtype=sintocca url=https://mail.example.org/asuntex/uovolup.html?amali=uiav#henderi direction=internal msg=tnul method=ons cat=radip catdesc=amremap device_id=dolorsit log_id=atisund pri=very-high userfrom=uredo adminprof=uamni timezone=CT main_type=quisqua trigger_policy=sedquian sub_type=lamcorpo severity_level=rem policy=apariat src=10.216.49.112 src_port=4521 dst=10.112.242.68 dst_port=3105 http_method=aut http_url=eriti http_host=ipsum http_agent=com http_session_id=uptate signature_subclass=tevelite signature_id=5880 srccountry=nimadmi content_switch_name=mquiado server_pool_name=agn false_positive_mitigation=dip user_name=urmag monitor_status=nim http_refer=https://www5.example.net/tutlabo/incid.gif?ptate=tconsect#usm http_version=uunturma dev_id=namaliqu threat_weight=tatemacc history_threat_weight=licab threat_level=roidents ftp_mode=volupta ftp_cmd=stiaeco cipher_suite=tanim msg_id=osam", + "event.timezone": "CT", + "fileset.name": "fortimanager", + "host.name": "spici5547.internal.test", + "http.request.referrer": "https://www5.example.net/tutlabo/incid.gif?ptate=tconsect#usm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 65899, + "network.bytes": 3713, + "network.direction": "internal", + "observer.egress.interface.name": "lo299", + "observer.ingress.interface.name": "eth5742", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.4261", + "related.hosts": [ + "spici5547.internal.test" + ], + "related.ip": [ + "10.112.242.68", + "10.216.49.112" + ], + "related.user": [ + "urmag" + ], + "rsa.internal.event_desc": "tnul", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "animi", + "rsa.misc.OS": "tisunde", + "rsa.misc.action": [ + "aut", + "cancel" + ], + "rsa.misc.category": "lamcorpo", + "rsa.misc.client": "com", + "rsa.misc.context": "atis", + "rsa.misc.event_source": "dutp", + "rsa.misc.event_type": "ipsaqu", + "rsa.misc.fcatnum": "radip", + "rsa.misc.filter": "amremap", + "rsa.misc.hardware_id": "dolorsit", + "rsa.misc.log_session_id": "uptate", + "rsa.misc.policy_id": "nonnumqu", + "rsa.misc.policy_name": "apariat", + "rsa.misc.reference_id": "atisund", + "rsa.misc.rule_name": "tate", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id": 5880, + "rsa.misc.version": "1.4261", + "rsa.misc.vsys": "llumd", + "rsa.network.alias_host": [ + "spici5547.internal.test" + ], + "rsa.network.dinterface": "lo299", + "rsa.network.network_service": "nsectetu", + "rsa.network.sinterface": "eth5742", + "rsa.threat.threat_desc": "roidents", + "rsa.time.duration_time": 63.05, + "rsa.time.event_time": "2018-06-04T10:44:15.000Z", + "rsa.time.timezone": "CT", + "rsa.web.reputation_num": 19.243, + "rsa.web.web_ref_domain": "ipsum", + "rule.name": "tate", + "service.type": "fortinet", + "source.bytes": 3508, + "source.geo.country_name": "nimadmi", + "source.ip": [ + "10.216.49.112" + ], + "source.mac": "01:00:5e:8a:c1:2a", + "source.port": 4521, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://mail.example.org/asuntex/uovolup.html?amali=uiav#henderi", + "url.query": "eriti", + "user.name": "urmag" + }, + { + "@timestamp": "2018-06-19T05:46:49.000Z", + "destination.bytes": 1768, + "destination.ip": [ + "10.96.100.84" + ], + "destination.port": 2253, + "event.action": "accept", + "event.code": "etco", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2018-6-19 time=3:46:49 logver=tla devid=nimve devname=edutpe logid=tenb type=billoinv subtype=asia level=medium vd=paquioff srcip=10.252.175.174 srcport=1995 srcintf=enp0s1531 dstip=10.196.226.219 dstport=545 dstintf=lo2390 poluuid=uaera sessionid=nsequa proto=tcp action=accept policyid=orporis trandisp=oluptate duration=28.731000 sentbyte=2397 rcvdbyte=1768 devtype=itvolu osname=citation osversion=1.491 mastersrcmac=aincid srcmac=01:00:5e:7e:ea:3f crscore=149.960000 craction=tNeque crlevel=uidolore eventtype=uatDuisa user=usB service=magnaali hostname=istenatu3686.invalid profile=remagna reqtype=eritqu url=https://example.org/mnisiut/porinci.htm?norum=emUten#dminimve direction=internal msg=oremagna method=nulamc cat=tempori catdesc=rsintocc device_id=nderit log_id=etco pri=very-high userfrom=lore adminprof=ameiusmo timezone=PT main_type=veniamqu trigger_policy=equat sub_type=reeu severity_level=atemacc policy=rsitvolu src=10.182.58.108 src_port=4811 dst=10.96.100.84 dst_port=2253 http_method=utlabore http_url=texplica http_host=boru http_agent=ntut http_session_id=elaud signature_subclass=acomm signature_id=5667 srccountry=emUten content_switch_name=uamni server_pool_name=laboris false_positive_mitigation=pers user_name=lpaquiof monitor_status=isisten http_refer=https://api.example.net/seddoei/rnatur.jpg?olores=idolorem#umdolors http_version=uid dev_id=numqua threat_weight=citatio history_threat_weight=sed threat_level=mUten ftp_mode=eursint ftp_cmd=velillum cipher_suite=oin msg_id=teurs", + "event.timezone": "PT", + "fileset.name": "fortimanager", + "host.name": "istenatu3686.invalid", + "http.request.referrer": "https://api.example.net/seddoei/rnatur.jpg?olores=idolorem#umdolors", + "input.type": "log", + "log.level": "very-high", + "log.offset": 67398, + "network.bytes": 4165, + "network.direction": "internal", + "observer.egress.interface.name": "lo2390", + "observer.ingress.interface.name": "enp0s1531", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.491", + "related.hosts": [ + "istenatu3686.invalid" + ], + "related.ip": [ + "10.182.58.108", + "10.96.100.84" + ], + "related.user": [ + "lpaquiof" + ], + "rsa.internal.event_desc": "oremagna", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "uatDuisa", + "rsa.misc.OS": "citation", + "rsa.misc.action": [ + "utlabore", + "accept" + ], + "rsa.misc.category": "reeu", + "rsa.misc.client": "ntut", + "rsa.misc.context": "oluptate", + "rsa.misc.event_source": "edutpe", + "rsa.misc.event_type": "billoinv", + "rsa.misc.fcatnum": "tempori", + "rsa.misc.filter": "rsintocc", + "rsa.misc.hardware_id": "nderit", + "rsa.misc.log_session_id": "elaud", + "rsa.misc.policy_id": "orporis", + "rsa.misc.policy_name": "rsitvolu", + "rsa.misc.reference_id": "etco", + "rsa.misc.rule_name": "remagna", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id": 5667, + "rsa.misc.version": "1.491", + "rsa.misc.vsys": "paquioff", + "rsa.network.alias_host": [ + "istenatu3686.invalid" + ], + "rsa.network.dinterface": "lo2390", + "rsa.network.network_service": "magnaali", + "rsa.network.sinterface": "enp0s1531", + "rsa.threat.threat_desc": "mUten", + "rsa.time.duration_time": 28.731, + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "rsa.time.timezone": "PT", + "rsa.web.reputation_num": 149.96, + "rsa.web.web_ref_domain": "boru", + "rule.name": "remagna", + "service.type": "fortinet", + "source.bytes": 2397, + "source.geo.country_name": "emUten", + "source.ip": [ + "10.182.58.108" + ], + "source.mac": "01:00:5e:7e:ea:3f", + "source.port": 4811, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://example.org/mnisiut/porinci.htm?norum=emUten#dminimve", + "url.query": "texplica", + "user.name": "lpaquiof" + }, + { + "@timestamp": "2018-07-03T12:49:23.000Z", + "destination.bytes": 2952, + "destination.geo.country_name": "tatem", + "destination.ip": [ + "10.246.41.77" + ], + "destination.nat.ip": "10.157.22.21", + "destination.nat.port": 5252, + "destination.port": 1217, + "event.action": "block", + "event.code": "rios", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=untutl devname=\"cons\" devid=\"vel\" vd=illumdo date=2018-7-3 time=10:49:23 logid=rios type=deF subtype=dutpe level=very-high eventtime=itan logtime=uisnos srcip=10.228.61.5 srcport=1179 srcintf=eth4741 srcintfrole=lites dstip=10.246.41.77 dstport=1217 dstintf=lo7502 dstintfrole=olu poluuid=ectet sessionid=tquovo proto=17 action=block policyid=lapa policytype=xeacom crscore=22.822000 craction=qui crlevel=henderi appcat=rainc service=dminim srccountry=sse dstcountry=tatem trandisp=umexe tranip=10.157.22.21 tranport=5252 duration=135.630000 sentbyte=2167 rcvdbyte=2952 sentpkt=quamei app=nvento", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "very-high", + "log.offset": 68917, + "network.bytes": 5119, + "observer.egress.interface.name": "lo7502", + "observer.ingress.interface.name": "eth4741", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.246.41.77", + "10.228.61.5", + "10.157.22.21" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "dutpe", + "rsa.misc.context": "umexe", + "rsa.misc.event_source": "cons", + "rsa.misc.event_type": "deF", + "rsa.misc.hardware_id": "vel", + "rsa.misc.log_session_id": "tquovo", + "rsa.misc.obj_name": "nvento", + "rsa.misc.policy_id": "lapa", + "rsa.misc.reference_id": "rios", + "rsa.misc.severity": "very-high", + "rsa.misc.vsys": "illumdo", + "rsa.network.dinterface": "lo7502", + "rsa.network.network_service": "dminim", + "rsa.network.sinterface": "eth4741", + "rsa.time.duration_time": 135.63, + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "rsa.time.event_time_str": "itan", + "rsa.web.reputation_num": 22.822, + "service.type": "fortinet", + "source.bytes": 2167, + "source.geo.country_name": "sse", + "source.ip": [ + "10.228.61.5" + ], + "source.port": 1179, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-17T07:51:58.000Z", + "destination.bytes": 4226, + "destination.geo.country_name": "nonpro", + "destination.ip": [ + "10.239.231.168" + ], + "destination.nat.ip": "10.188.131.18", + "destination.nat.port": 981, + "destination.port": 88, + "event.action": "allow", + "event.code": "psu", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=qua devname=\"llumdo\" devid=\"tot\" vd=itquii date=2018-7-17 time=5:51:58 logid=psu type=iat subtype=ept level=high eventtime=ectob logtime=aUtenim srcip=10.242.119.111 srcport=645 srcintf=lo1640 srcintfrole=tDuisa dstip=10.239.231.168 dstport=88 dstintf=lo3385 dstintfrole=nimi poluuid=niamqu sessionid=uioffi proto=1 action=allow policyid=consequa policytype=tionu crscore=60.452000 craction=quines crlevel=entsu appcat=ineavol service=abor srccountry=giatq dstcountry=nonpro trandisp=elitsedd tranip=10.188.131.18 tranport=981 duration=46.954000 sentbyte=2770 rcvdbyte=4226 sentpkt=tam app=uovo", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "high", + "log.offset": 69520, + "network.bytes": 6996, + "observer.egress.interface.name": "lo3385", + "observer.ingress.interface.name": "lo1640", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.242.119.111", + "10.239.231.168", + "10.188.131.18" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "ept", + "rsa.misc.context": "elitsedd", + "rsa.misc.event_source": "llumdo", + "rsa.misc.event_type": "iat", + "rsa.misc.hardware_id": "tot", + "rsa.misc.log_session_id": "uioffi", + "rsa.misc.obj_name": "uovo", + "rsa.misc.policy_id": "consequa", + "rsa.misc.reference_id": "psu", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "itquii", + "rsa.network.dinterface": "lo3385", + "rsa.network.network_service": "abor", + "rsa.network.sinterface": "lo1640", + "rsa.time.duration_time": 46.954, + "rsa.time.event_time": "2018-07-17T07:51:58.000Z", + "rsa.time.event_time_str": "ectob", + "rsa.web.reputation_num": 60.452, + "service.type": "fortinet", + "source.bytes": 2770, + "source.geo.country_name": "giatq", + "source.ip": [ + "10.242.119.111" + ], + "source.port": 645, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-01T14:54:32.000Z", + "destination.bytes": 306, + "destination.ip": [ + "10.247.124.74" + ], + "destination.port": 2491, + "event.action": "accept", + "event.code": "nderitin", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=orinrepr date=2018-8-1 time=12:54:32 log_id=untut devid=siu devname=lorem logid=icons type=hende subtype=umdol level=medium vd=psaq srcip=10.24.154.250 srcport=2108 srcintf=eth2707 dstip=10.124.187.230 dstport=6119 dstintf=lo105 poluuid=mqu sessionid=tse proto=udp action=accept policyid=ueip trandisp=amvo duration=20.956000 sentbyte=2068 rcvdbyte=306 devtype=reetdolo osname=tten osversion=1.979 mastersrcmac=usa srcmac=01:00:5e:6a:a6:c9 crscore=45.307000 craction=oremagna crlevel=siuta eventtype=amnihil user=nderit service=ficia hostname=tru3812.mail.lan profile=olo reqtype=xer url=https://api.example.net/nsec/smo.gif?etq=trumexe#rai direction=outbound msg=tNequepo method=byCicer cat=imvenia catdesc=ipit device_id=tdolorem log_id=nderitin pri=low userfrom=enderitq adminprof=amvolu timezone=GMT-07:00 main_type=temvele trigger_policy=ofd sub_type=quam severity_level=umdol policy=porincid src=10.106.101.87 src_port=7569 dst=10.247.124.74 dst_port=2491 http_method=inea http_url=ipsu http_host=iden http_agent=oreseo http_session_id=edictasu signature_subclass=aerat signature_id=4358 srccountry=lites content_switch_name=col server_pool_name=litsedd false_positive_mitigation=mnis user_name=ainci monitor_status=aturve http_refer=https://api.example.com/mporain/secte.txt?amqui=rume#uptate http_version=tisundeo dev_id=uid threat_weight=eFini history_threat_weight=mnis threat_level=tametco ftp_mode=snisiut ftp_cmd=lit cipher_suite=laborio msg_id=aaliqu", + "event.timezone": "GMT-07:00", + "fileset.name": "fortimanager", + "host.name": "tru3812.mail.lan", + "http.request.referrer": "https://api.example.com/mporain/secte.txt?amqui=rume#uptate", + "input.type": "log", + "log.level": "low", + "log.offset": 70122, + "network.bytes": 2374, + "network.direction": "outbound", + "observer.egress.interface.name": "lo105", + "observer.ingress.interface.name": "eth2707", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.979", + "related.hosts": [ + "tru3812.mail.lan" + ], + "related.ip": [ + "10.247.124.74", + "10.106.101.87" + ], + "related.user": [ + "ainci" + ], + "rsa.internal.event_desc": "tNequepo", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "amnihil", + "rsa.misc.OS": "tten", + "rsa.misc.action": [ + "inea", + "accept" + ], + "rsa.misc.category": "quam", + "rsa.misc.client": "oreseo", + "rsa.misc.context": "amvo", + "rsa.misc.event_source": "lorem", + "rsa.misc.event_type": "hende", + "rsa.misc.fcatnum": "imvenia", + "rsa.misc.filter": "ipit", + "rsa.misc.hardware_id": "tdolorem", + "rsa.misc.log_session_id": "edictasu", + "rsa.misc.policy_id": "ueip", + "rsa.misc.policy_name": "porincid", + "rsa.misc.reference_id": "nderitin", + "rsa.misc.rule_name": "olo", + "rsa.misc.severity": "low", + "rsa.misc.sig_id": 4358, + "rsa.misc.version": "1.979", + "rsa.misc.vsys": "psaq", + "rsa.network.alias_host": [ + "tru3812.mail.lan" + ], + "rsa.network.dinterface": "lo105", + "rsa.network.network_service": "ficia", + "rsa.network.sinterface": "eth2707", + "rsa.threat.threat_desc": "tametco", + "rsa.time.duration_time": 20.956, + "rsa.time.event_time": "2018-08-01T14:54:32.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.reputation_num": 45.307, + "rsa.web.web_ref_domain": "iden", + "rule.name": "olo", + "service.type": "fortinet", + "source.bytes": 2068, + "source.geo.country_name": "lites", + "source.ip": [ + "10.106.101.87" + ], + "source.mac": "01:00:5e:6a:a6:c9", + "source.port": 7569, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://api.example.net/nsec/smo.gif?etq=trumexe#rai", + "url.query": "ipsu", + "user.name": "ainci" + }, + { + "@timestamp": "2018-08-15T09:57:06.000Z", + "event.action": "deny", + "event.code": "consec", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2018-8-15 time=7:57:06 devname=mid device_id=henderi log_id=consec type=event subtype=dquia pri=high desc=isiutali user=rehe userfrom=volupta msg=etcons action=deny adom=etdol408.internal.home session_id=agnamali", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "high", + "log.offset": 71594, + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.user": [ + "rehe" + ], + "rsa.db.index": "etcons", + "rsa.internal.event_desc": "isiutali", + "rsa.internal.messageid": "event_fortinetmgr", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "dquia", + "rsa.misc.event_source": "mid", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "henderi", + "rsa.misc.log_session_id": "agnamali", + "rsa.misc.reference_id": "consec", + "rsa.misc.severity": "high", + "rsa.network.domain": "etdol408.internal.home", + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", + "server.domain": "etdol408.internal.home", + "service.type": "fortinet", + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "user.name": "rehe" + }, + { + "@timestamp": "2018-08-29T04:59:40.000Z", + "destination.bytes": 806, + "destination.ip": [ + "10.162.114.52" + ], + "destination.port": 2925, + "event.action": "allow", + "event.code": "san", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2018-8-29 time=2:59:40 logver=cae devid=Utenimad devname=onsequ logid=Bon type=amquisno subtype=mullam level=very-high vd=admi srcip=10.111.106.60 srcport=5449 srcintf=lo5820 dstip=10.142.181.192 dstport=4386 dstintf=lo6200 poluuid=lmolest sessionid=miurerep proto=17 action=allow policyid=Sed trandisp=isau duration=66.574000 sentbyte=75 rcvdbyte=806 devtype=idest osname=ostru osversion=1.4342 mastersrcmac=enimip srcmac=01:00:5e:11:d6:5d crscore=66.141000 craction=umquiado crlevel=taspe eventtype=empori user=mipsum service=tium hostname=riaturE1644.www5.example profile=ender reqtype=uine url=https://internal.example.com/dolo/exeacom.txt?tlab=eufugiat#upta direction=internal msg=reetdo method=mad cat=mdolor catdesc=amcorpor device_id=oremquel log_id=san pri=high userfrom=amqui adminprof=itatise timezone=GMT-07:00 main_type=cia trigger_policy=lup sub_type=cipitla severity_level=niam policy=mullamc src=10.215.144.167 src_port=6675 dst=10.162.114.52 dst_port=2925 http_method=quepor http_url=Lor http_host=ten http_agent=exeacomm http_session_id=cusan signature_subclass=oquisq signature_id=4993 srccountry=ihilmol content_switch_name=seosqui server_pool_name=tiset false_positive_mitigation=ciade user_name=erspici monitor_status=xercitat http_refer=https://internal.example.net/utlab/entoreve.html?umdol=nseq#autodita http_version=loreme dev_id=eratv threat_weight=tametcon history_threat_weight=orsi threat_level=ull ftp_mode=mcor ftp_cmd=iamquis cipher_suite=aeabi msg_id=ore", + "event.timezone": "GMT-07:00", + "fileset.name": "fortimanager", + "host.name": "riaturE1644.www5.example", + "http.request.referrer": "https://internal.example.net/utlab/entoreve.html?umdol=nseq#autodita", + "input.type": "log", + "log.level": "high", + "log.offset": 71812, + "network.bytes": 881, + "network.direction": "internal", + "observer.egress.interface.name": "lo6200", + "observer.ingress.interface.name": "lo5820", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.4342", + "related.hosts": [ + "riaturE1644.www5.example" + ], + "related.ip": [ + "10.215.144.167", + "10.162.114.52" + ], + "related.user": [ + "erspici" + ], + "rsa.internal.event_desc": "reetdo", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "empori", + "rsa.misc.OS": "ostru", + "rsa.misc.action": [ + "quepor", + "allow" + ], + "rsa.misc.category": "cipitla", + "rsa.misc.client": "exeacomm", + "rsa.misc.context": "isau", + "rsa.misc.event_source": "onsequ", + "rsa.misc.event_type": "amquisno", + "rsa.misc.fcatnum": "mdolor", + "rsa.misc.filter": "amcorpor", + "rsa.misc.hardware_id": "oremquel", + "rsa.misc.log_session_id": "cusan", + "rsa.misc.policy_id": "Sed", + "rsa.misc.policy_name": "mullamc", + "rsa.misc.reference_id": "san", + "rsa.misc.rule_name": "ender", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 4993, + "rsa.misc.version": "1.4342", + "rsa.misc.vsys": "admi", + "rsa.network.alias_host": [ + "riaturE1644.www5.example" + ], + "rsa.network.dinterface": "lo6200", + "rsa.network.network_service": "tium", + "rsa.network.sinterface": "lo5820", + "rsa.threat.threat_desc": "ull", + "rsa.time.duration_time": 66.574, + "rsa.time.event_time": "2018-08-29T04:59:40.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.reputation_num": 66.141, + "rsa.web.web_ref_domain": "ten", + "rule.name": "ender", + "service.type": "fortinet", + "source.bytes": 75, + "source.geo.country_name": "ihilmol", + "source.ip": [ + "10.215.144.167" + ], + "source.mac": "01:00:5e:11:d6:5d", + "source.port": 6675, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://internal.example.com/dolo/exeacom.txt?tlab=eufugiat#upta", + "url.query": "Lor", + "user.name": "erspici" + }, + { + "@timestamp": "2018-09-12T12:02:15.000Z", + "destination.bytes": 7641, + "destination.ip": [ + "10.78.75.82" + ], + "destination.port": 7799, + "event.action": "accept", + "event.code": "fugi", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2018-9-12 time=10:02:15 logver=catcup devid=ectetur devname=cons logid=spiciati type=upidata subtype=utlabo level=high vd=ersp srcip=10.101.207.156 srcport=2086 srcintf=enp0s4931 dstip=10.12.8.82 dstport=4369 dstintf=enp0s7520 poluuid=nemull sessionid=trumex proto=6 action=accept policyid=doloremq trandisp=iade duration=26.420000 sentbyte=5013 rcvdbyte=7641 devtype=uidolo osname=ita osversion=1.6452 mastersrcmac=rchite srcmac=01:00:5e:41:90:bf crscore=107.693000 craction=tionem crlevel=volupta eventtype=adol user=econsequ service=orever hostname=mdolo7008.api.corp profile=reetdolo reqtype=psam url=https://www5.example.org/orumet/aliqu.txt?tion=sun#utod direction=outbound msg=rinci method=uamestqu cat=riatu catdesc=ulaparia device_id=remagna log_id=fugi pri=very-high userfrom=xerc adminprof=caecat timezone=OMST main_type=cor trigger_policy=nonnumqu sub_type=uidexea severity_level=emu policy=asia src=10.162.128.87 src_port=6214 dst=10.78.75.82 dst_port=7799 http_method=uptat http_url=con http_host=tem http_agent=orpori http_session_id=lor signature_subclass=quiinea signature_id=7098 srccountry=rroquis content_switch_name=dolorema server_pool_name=prehe false_positive_mitigation=bori user_name=Sedutp monitor_status=ritinvo http_refer=https://internal.example.net/ica/nat.jpg?ddoe=nsequ#lloinve http_version=tdolo dev_id=billoi threat_weight=sequu history_threat_weight=ffic threat_level=imadmini ftp_mode=isnostru ftp_cmd=ostr cipher_suite=tinvo msg_id=lorumwr", + "event.timezone": "OMST", + "fileset.name": "fortimanager", + "host.name": "mdolo7008.api.corp", + "http.request.referrer": "https://internal.example.net/ica/nat.jpg?ddoe=nsequ#lloinve", + "input.type": "log", + "log.level": "very-high", + "log.offset": 73306, + "network.bytes": 12654, + "network.direction": "outbound", + "observer.egress.interface.name": "enp0s7520", + "observer.ingress.interface.name": "enp0s4931", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.6452", + "related.hosts": [ + "mdolo7008.api.corp" + ], + "related.ip": [ + "10.162.128.87", + "10.78.75.82" + ], + "related.user": [ + "Sedutp" + ], + "rsa.internal.event_desc": "rinci", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "adol", + "rsa.misc.OS": "ita", + "rsa.misc.action": [ + "uptat", + "accept" + ], + "rsa.misc.category": "uidexea", + "rsa.misc.client": "orpori", + "rsa.misc.context": "iade", + "rsa.misc.event_source": "cons", + "rsa.misc.event_type": "upidata", + "rsa.misc.fcatnum": "riatu", + "rsa.misc.filter": "ulaparia", + "rsa.misc.hardware_id": "remagna", + "rsa.misc.log_session_id": "lor", + "rsa.misc.policy_id": "doloremq", + "rsa.misc.policy_name": "asia", + "rsa.misc.reference_id": "fugi", + "rsa.misc.rule_name": "reetdolo", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id": 7098, + "rsa.misc.version": "1.6452", + "rsa.misc.vsys": "ersp", + "rsa.network.alias_host": [ + "mdolo7008.api.corp" + ], + "rsa.network.dinterface": "enp0s7520", + "rsa.network.network_service": "orever", + "rsa.network.sinterface": "enp0s4931", + "rsa.threat.threat_desc": "imadmini", + "rsa.time.duration_time": 26.42, + "rsa.time.event_time": "2018-09-12T12:02:15.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.reputation_num": 107.693, + "rsa.web.web_ref_domain": "tem", + "rule.name": "reetdolo", + "service.type": "fortinet", + "source.bytes": 5013, + "source.geo.country_name": "rroquis", + "source.ip": [ + "10.162.128.87" + ], + "source.mac": "01:00:5e:41:90:bf", + "source.port": 6214, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www5.example.org/orumet/aliqu.txt?tion=sun#utod", + "url.query": "con", + "user.name": "Sedutp" + }, + { + "@timestamp": "2018-09-27T07:04:49.000Z", + "destination.bytes": 5464, + "destination.geo.country_name": "mdolorem", + "destination.ip": [ + "10.137.36.151" + ], + "destination.nat.ip": "10.51.106.43", + "destination.nat.port": 6486, + "destination.port": 196, + "event.action": "block", + "event.code": "auteir", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=ctetura devname=\"reseosqu\" devid=\"ittenbyC\" vd=tlabor date=2018-9-27 time=5:04:49 logid=auteir type=uredolo subtype=uido level=medium eventtime=quiratio logtime=aincidu srcip=10.75.198.93 srcport=1982 srcintf=eth725 srcintfrole=umqu dstip=10.137.36.151 dstport=196 dstintf=lo1813 dstintfrole=rspici poluuid=duntutla sessionid=emeu proto=1 action=block policyid=atemUten policytype=turadipi crscore=16.226000 craction=estqu crlevel=orinre appcat=prehen service=equa srccountry=ciatisun dstcountry=mdolorem trandisp=nnumq tranip=10.51.106.43 tranport=6486 duration=78.551000 sentbyte=3531 rcvdbyte=5464 sentpkt=oremeumf app=volupt", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "medium", + "log.offset": 74789, + "network.bytes": 8995, + "observer.egress.interface.name": "lo1813", + "observer.ingress.interface.name": "eth725", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.75.198.93", + "10.137.36.151", + "10.51.106.43" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "uido", + "rsa.misc.context": "nnumq", + "rsa.misc.event_source": "reseosqu", + "rsa.misc.event_type": "uredolo", + "rsa.misc.hardware_id": "ittenbyC", + "rsa.misc.log_session_id": "emeu", + "rsa.misc.obj_name": "volupt", + "rsa.misc.policy_id": "atemUten", + "rsa.misc.reference_id": "auteir", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "tlabor", + "rsa.network.dinterface": "lo1813", + "rsa.network.network_service": "equa", + "rsa.network.sinterface": "eth725", + "rsa.time.duration_time": 78.551, + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "rsa.time.event_time_str": "quiratio", + "rsa.web.reputation_num": 16.226, + "service.type": "fortinet", + "source.bytes": 3531, + "source.geo.country_name": "ciatisun", + "source.ip": [ + "10.75.198.93" + ], + "source.port": 1982, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-11T14:07:23.000Z", + "destination.bytes": 5744, + "destination.geo.country_name": "tlab", + "destination.ip": [ + "10.7.230.206" + ], + "destination.nat.ip": "10.249.93.150", + "destination.nat.port": 799, + "destination.port": 5757, + "event.action": "allow", + "event.code": "mvol", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=tnulapa devname=\"caecatcu\" devid=\"xcepte\" vd=deserun date=2018-10-11 time=12:07:23 logid=mvol type=erep subtype=teurs level=low eventtime=tiumdol logtime=byCicer srcip=10.154.151.111 srcport=5860 srcintf=eth1273 srcintfrole=uisnos dstip=10.7.230.206 dstport=5757 dstintf=lo1291 dstintfrole=pisc poluuid=eumfu sessionid=tseddoe proto=HOPOPT action=allow policyid=emulla policytype=bill crscore=147.522000 craction=oditaut crlevel=oloremqu appcat=untNeque service=reetdol srccountry=perspi dstcountry=tlab trandisp=udexerci tranip=10.249.93.150 tranport=799 duration=113.020000 sentbyte=2808 rcvdbyte=5744 sentpkt=ovolup app=squ", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "low", + "log.offset": 75425, + "network.bytes": 8552, + "observer.egress.interface.name": "lo1291", + "observer.ingress.interface.name": "eth1273", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.7.230.206", + "10.154.151.111", + "10.249.93.150" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "teurs", + "rsa.misc.context": "udexerci", + "rsa.misc.event_source": "caecatcu", + "rsa.misc.event_type": "erep", + "rsa.misc.hardware_id": "xcepte", + "rsa.misc.log_session_id": "tseddoe", + "rsa.misc.obj_name": "squ", + "rsa.misc.policy_id": "emulla", + "rsa.misc.reference_id": "mvol", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "deserun", + "rsa.network.dinterface": "lo1291", + "rsa.network.network_service": "reetdol", + "rsa.network.sinterface": "eth1273", + "rsa.time.duration_time": 113.02, + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "rsa.time.event_time_str": "tiumdol", + "rsa.web.reputation_num": 147.522, + "service.type": "fortinet", + "source.bytes": 2808, + "source.geo.country_name": "perspi", + "source.ip": [ + "10.154.151.111" + ], + "source.port": 5860, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-25T09:09:57.000Z", + "destination.bytes": 6280, + "destination.ip": [ + "10.26.4.3" + ], + "destination.port": 5291, + "event.action": "deny", + "event.code": "iameaq", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2018-10-25 time=7:09:57 logver=dolor devid=lit devname=ptatem logid=oeiusmod type=ugi subtype=utaliq level=very-high vd=toc srcip=10.76.177.154 srcport=1428 srcintf=eth4425 dstip=10.207.160.170 dstport=7037 dstintf=lo1570 poluuid=reseo sessionid=iration proto=tcp action=deny policyid=magn trandisp=iaecon duration=54.100000 sentbyte=622 rcvdbyte=6280 devtype=ill osname=oris osversion=1.5718 mastersrcmac=ulamcol srcmac=01:00:5e:19:ce:4b crscore=142.771000 craction=oNe crlevel=utfu eventtype=santiumd user=cididunt service=ctasu hostname=itse5466.api.example profile=ica reqtype=mnisis url=https://internal.example.com/nonnumqu/isciveli.gif?wri=aute#iscin direction=outbound msg=uat method=itasper cat=nibusBo catdesc=volupta device_id=olorinr log_id=iameaq pri=high userfrom=docons adminprof=uun timezone=OMST main_type=mremap trigger_policy=ate sub_type=agnaal severity_level=ibusB policy=mexe src=10.217.209.221 src_port=3639 dst=10.26.4.3 dst_port=5291 http_method=rsitame http_url=eca http_host=quirat http_agent=urmagn http_session_id=essec signature_subclass=prehende signature_id=1261 srccountry=setquas content_switch_name=nti server_pool_name=osamnis false_positive_mitigation=atisetqu user_name=ciduntut monitor_status=atisu http_refer=https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu http_version=suntincu dev_id=lore threat_weight=equatu history_threat_weight=enbyCi threat_level=dolo ftp_mode=adipi ftp_cmd=beata cipher_suite=evelites msg_id=ipiscive", + "event.timezone": "OMST", + "fileset.name": "fortimanager", + "host.name": "itse5466.api.example", + "http.request.referrer": "https://internal.example.com/architec/incul.txt?aborios=mco#amnisiu", + "input.type": "log", + "log.level": "high", + "log.offset": 76059, + "network.bytes": 6902, + "network.direction": "outbound", + "observer.egress.interface.name": "lo1570", + "observer.ingress.interface.name": "eth4425", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.5718", + "related.hosts": [ + "itse5466.api.example" + ], + "related.ip": [ + "10.217.209.221", + "10.26.4.3" + ], + "related.user": [ + "ciduntut" + ], + "rsa.internal.event_desc": "uat", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "santiumd", + "rsa.misc.OS": "oris", + "rsa.misc.action": [ + "deny", + "rsitame" + ], + "rsa.misc.category": "agnaal", + "rsa.misc.client": "urmagn", + "rsa.misc.context": "iaecon", + "rsa.misc.event_source": "ptatem", + "rsa.misc.event_type": "ugi", + "rsa.misc.fcatnum": "nibusBo", + "rsa.misc.filter": "volupta", + "rsa.misc.hardware_id": "olorinr", + "rsa.misc.log_session_id": "essec", + "rsa.misc.policy_id": "magn", + "rsa.misc.policy_name": "mexe", + "rsa.misc.reference_id": "iameaq", + "rsa.misc.rule_name": "ica", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 1261, + "rsa.misc.version": "1.5718", + "rsa.misc.vsys": "toc", + "rsa.network.alias_host": [ + "itse5466.api.example" + ], + "rsa.network.dinterface": "lo1570", + "rsa.network.network_service": "ctasu", + "rsa.network.sinterface": "eth4425", + "rsa.threat.threat_desc": "dolo", + "rsa.time.duration_time": 54.1, + "rsa.time.event_time": "2018-10-25T09:09:57.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.reputation_num": 142.771, + "rsa.web.web_ref_domain": "quirat", + "rule.name": "ica", + "service.type": "fortinet", + "source.bytes": 622, + "source.geo.country_name": "setquas", + "source.ip": [ + "10.217.209.221" + ], + "source.mac": "01:00:5e:19:ce:4b", + "source.port": 3639, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://internal.example.com/nonnumqu/isciveli.gif?wri=aute#iscin", + "url.query": "eca", + "user.name": "ciduntut" + }, + { + "@timestamp": "2018-11-09T04:12:32.000Z", + "destination.bytes": 6960, + "destination.ip": [ + "10.180.162.174" + ], + "destination.port": 7186, + "event.action": "accept", + "event.code": "taedic", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=umtot date=2018-11-9 time=2:12:32 log_id=eumiurer devid=inv devname=eac logid=rainc type=tinculp subtype=uianon level=high vd=corpori srcip=10.232.131.132 srcport=581 srcintf=enp0s6255 dstip=10.232.246.98 dstport=1854 dstintf=enp0s1526 poluuid=ivelit sessionid=itlabori proto=icmp action=accept policyid=oide trandisp=magni duration=72.993000 sentbyte=5817 rcvdbyte=6960 devtype=rrorsit osname=emipsu osversion=1.6603 mastersrcmac=temUte srcmac=01:00:5e:fe:be:28 crscore=134.746000 craction=hitec crlevel=sci eventtype=luptatev user=ruredo service=iamquis hostname=dquiac6194.api.lan profile=nidolo reqtype=runtmoll url=https://www5.example.org/utlabo/scip.html?voluptas=inv#upta direction=external msg=ors method=olupta cat=raincidu catdesc=nisi device_id=uipexea log_id=taedic pri=high userfrom=ugi adminprof=urExcep timezone=CET main_type=usant trigger_policy=uidolore sub_type=litse severity_level=ugitse policy=utfugi src=10.241.140.241 src_port=1813 dst=10.180.162.174 dst_port=7186 http_method=ido http_url=atnu http_host=ssuscipi http_agent=evita http_session_id=tconsect signature_subclass=lpaquiof signature_id=532 srccountry=lors content_switch_name=Finibus server_pool_name=totam false_positive_mitigation=idat user_name=nulapar monitor_status=git http_refer=https://www5.example.com/odtem/tati.jpg?ueips=umqu#ntexpli http_version=siuta dev_id=porincid threat_weight=itame history_threat_weight=inv threat_level=remaper ftp_mode=quaUteni ftp_cmd=evelit cipher_suite=oluptat msg_id=ditem", + "event.timezone": "CET", + "fileset.name": "fortimanager", + "host.name": "dquiac6194.api.lan", + "http.request.referrer": "https://www5.example.com/odtem/tati.jpg?ueips=umqu#ntexpli", + "input.type": "log", + "log.level": "high", + "log.offset": 77550, + "network.bytes": 12777, + "network.direction": "external", + "observer.egress.interface.name": "enp0s1526", + "observer.ingress.interface.name": "enp0s6255", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.6603", + "related.hosts": [ + "dquiac6194.api.lan" + ], + "related.ip": [ + "10.241.140.241", + "10.180.162.174" + ], + "related.user": [ + "nulapar" + ], + "rsa.internal.event_desc": "ors", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "luptatev", + "rsa.misc.OS": "emipsu", + "rsa.misc.action": [ + "ido", + "accept" + ], + "rsa.misc.category": "litse", + "rsa.misc.client": "evita", + "rsa.misc.context": "magni", + "rsa.misc.event_source": "eac", + "rsa.misc.event_type": "tinculp", + "rsa.misc.fcatnum": "raincidu", + "rsa.misc.filter": "nisi", + "rsa.misc.hardware_id": "uipexea", + "rsa.misc.log_session_id": "tconsect", + "rsa.misc.policy_id": "oide", + "rsa.misc.policy_name": "utfugi", + "rsa.misc.reference_id": "taedic", + "rsa.misc.rule_name": "nidolo", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 532, + "rsa.misc.version": "1.6603", + "rsa.misc.vsys": "corpori", + "rsa.network.alias_host": [ + "dquiac6194.api.lan" + ], + "rsa.network.dinterface": "enp0s1526", + "rsa.network.network_service": "iamquis", + "rsa.network.sinterface": "enp0s6255", + "rsa.threat.threat_desc": "remaper", + "rsa.time.duration_time": 72.993, + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "rsa.time.timezone": "CET", + "rsa.web.reputation_num": 134.746, + "rsa.web.web_ref_domain": "ssuscipi", + "rule.name": "nidolo", + "service.type": "fortinet", + "source.bytes": 5817, + "source.geo.country_name": "lors", + "source.ip": [ + "10.241.140.241" + ], + "source.mac": "01:00:5e:fe:be:28", + "source.port": 1813, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www5.example.org/utlabo/scip.html?voluptas=inv#upta", + "url.query": "atnu", + "user.name": "nulapar" + }, + { + "@timestamp": "2018-11-23T11:15:06.000Z", + "destination.bytes": 5783, + "destination.ip": [ + "10.62.140.108" + ], + "destination.port": 1225, + "event.action": "deny", + "event.code": "enimip", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2018-11-23 time=9:15:06 devname=oditautf device_id=asiarc log_id=eddoei type=generic subtype=iatqu pri=very-high devid=itessec devname=dat logid=tdol type=emul subtype=ariatu level=high vd=reseo srcip=10.53.70.207 srcport=1793 srcintf=lo2279 dstip=10.73.140.61 dstport=2114 dstintf=lo368 poluuid=stlabo sessionid=atema proto=1 action=deny policyid=orporiss trandisp=iamq duration=128.426000 sentbyte=1800 rcvdbyte=5783 devtype=pis osname=riosam osversion=1.2052 mastersrcmac=iosam srcmac=01:00:5e:21:d3:0a crscore=65.426000 craction=archi crlevel=nes eventtype=atvolupt user=umwritt service=uae hostname=amco1592.mail.host profile=aaliq reqtype=olupta url=https://internal.example.com/ssusci/snostrud.txt?dolo=siutaliq#obeata direction=outbound msg=tame method=olo cat=vel catdesc=equamn device_id=tempora log_id=enimip pri=very-high userfrom=saqua adminprof=aperia timezone=OMST main_type=tNeque trigger_policy=metcon sub_type=enimadmi severity_level=orem policy=corpor src=10.110.99.222 src_port=5685 dst=10.62.140.108 dst_port=1225 http_method=ssitasp http_url=ptat http_host=asp http_agent=uatDui http_session_id=nofdeFin signature_subclass=unde signature_id=3979 srccountry=seruntm content_switch_name=aera server_pool_name=scive false_positive_mitigation=ngelit user_name=moenimi monitor_status=mqu http_refer=https://mail.example.org/ueipsaq/upid.gif?utla=emUte#tisund http_version=tutla dev_id=isund threat_weight=atemU history_threat_weight=uidex threat_level=uptate ftp_mode=eac ftp_cmd=peria cipher_suite=amaliq msg_id=ium", + "event.timezone": "OMST", + "fileset.name": "fortimanager", + "host.name": "amco1592.mail.host", + "http.request.referrer": "https://mail.example.org/ueipsaq/upid.gif?utla=emUte#tisund", + "input.type": "log", + "log.level": "very-high", + "log.offset": 79056, + "network.bytes": 7583, + "network.direction": "outbound", + "observer.egress.interface.name": "lo368", + "observer.ingress.interface.name": "lo2279", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.2052", + "related.hosts": [ + "amco1592.mail.host" + ], + "related.ip": [ + "10.110.99.222", + "10.62.140.108" + ], + "related.user": [ + "moenimi" + ], + "rsa.internal.event_desc": "tame", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "atvolupt", + "rsa.misc.OS": "riosam", + "rsa.misc.action": [ + "ssitasp", + "deny" + ], + "rsa.misc.category": "enimadmi", + "rsa.misc.client": "uatDui", + "rsa.misc.context": "iamq", + "rsa.misc.event_source": "dat", + "rsa.misc.event_type": "emul", + "rsa.misc.fcatnum": "vel", + "rsa.misc.filter": "equamn", + "rsa.misc.hardware_id": "tempora", + "rsa.misc.log_session_id": "nofdeFin", + "rsa.misc.policy_id": "orporiss", + "rsa.misc.policy_name": "corpor", + "rsa.misc.reference_id": "enimip", + "rsa.misc.rule_name": "aaliq", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id": 3979, + "rsa.misc.version": "1.2052", + "rsa.misc.vsys": "reseo", + "rsa.network.alias_host": [ + "amco1592.mail.host" + ], + "rsa.network.dinterface": "lo368", + "rsa.network.network_service": "uae", + "rsa.network.sinterface": "lo2279", + "rsa.threat.threat_desc": "uptate", + "rsa.time.duration_time": 128.426, + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.reputation_num": 65.426, + "rsa.web.web_ref_domain": "asp", + "rule.name": "aaliq", + "service.type": "fortinet", + "source.bytes": 1800, + "source.geo.country_name": "seruntm", + "source.ip": [ + "10.110.99.222" + ], + "source.mac": "01:00:5e:21:d3:0a", + "source.port": 5685, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://internal.example.com/ssusci/snostrud.txt?dolo=siutaliq#obeata", + "url.query": "ptat", + "user.name": "moenimi" + }, + { + "@timestamp": "2018-12-07T06:17:40.000Z", + "destination.bytes": 7612, + "destination.ip": [ + "10.53.50.77" + ], + "destination.port": 5330, + "event.action": "accept", + "event.code": "etdo", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=ptate date=2018-12-7 time=4:17:40 log_id=tenatu devid=emo devname=ratio logid=maperia type=Maloru subtype=sumquia level=low vd=imadmini srcip=10.237.5.219 srcport=3828 srcintf=eth4604 dstip=10.197.99.150 dstport=3877 dstintf=enp0s7388 poluuid=odo sessionid=itseddoe proto=prm action=accept policyid=itinvo trandisp=uiavol duration=96.864000 sentbyte=2685 rcvdbyte=7612 devtype=urmagn osname=ficiade osversion=1.2691 mastersrcmac=equ srcmac=01:00:5e:f5:2a:24 crscore=163.671000 craction=mipsum crlevel=dolor eventtype=cupidata user=niamquis service=lapariat hostname=dicta7226.mail.example profile=eddoei reqtype=cingel url=https://api.example.com/temporai/umw.jpg?mveniamq=litsed#ptasn direction=unknown msg=loinv method=umd cat=madmi catdesc=xercit device_id=avolup log_id=etdo pri=medium userfrom=veleum adminprof=emUten timezone=CT main_type=proiden trigger_policy=cita sub_type=iac severity_level=ntincul policy=mnisiste src=10.4.244.115 src_port=4588 dst=10.53.50.77 dst_port=5330 http_method=lorem http_url=lore http_host=orroqu http_agent=tlabo http_session_id=iameaque signature_subclass=sautemve signature_id=6466 srccountry=emoe content_switch_name=ameiusmo server_pool_name=ntiumtot false_positive_mitigation=aeab user_name=idolo monitor_status=temac http_refer=https://api.example.net/ollita/idolore.html?illu=iut#asiarc http_version=imidest dev_id=mwri threat_weight=orsi history_threat_weight=ritinvol threat_level=rporiss ftp_mode=atu ftp_cmd=ddo cipher_suite=veli msg_id=ata", + "event.timezone": "CT", + "fileset.name": "fortimanager", + "host.name": "dicta7226.mail.example", + "http.request.referrer": "https://api.example.net/ollita/idolore.html?illu=iut#asiarc", + "input.type": "log", + "log.level": "medium", + "log.offset": 80595, + "network.bytes": 10297, + "network.direction": "unknown", + "observer.egress.interface.name": "enp0s7388", + "observer.ingress.interface.name": "eth4604", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.2691", + "related.hosts": [ + "dicta7226.mail.example" + ], + "related.ip": [ + "10.53.50.77", + "10.4.244.115" + ], + "related.user": [ + "idolo" + ], + "rsa.internal.event_desc": "loinv", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "cupidata", + "rsa.misc.OS": "ficiade", + "rsa.misc.action": [ + "lorem", + "accept" + ], + "rsa.misc.category": "iac", + "rsa.misc.client": "tlabo", + "rsa.misc.context": "uiavol", + "rsa.misc.event_source": "ratio", + "rsa.misc.event_type": "Maloru", + "rsa.misc.fcatnum": "madmi", + "rsa.misc.filter": "xercit", + "rsa.misc.hardware_id": "avolup", + "rsa.misc.log_session_id": "iameaque", + "rsa.misc.policy_id": "itinvo", + "rsa.misc.policy_name": "mnisiste", + "rsa.misc.reference_id": "etdo", + "rsa.misc.rule_name": "eddoei", + "rsa.misc.severity": "medium", + "rsa.misc.sig_id": 6466, + "rsa.misc.version": "1.2691", + "rsa.misc.vsys": "imadmini", + "rsa.network.alias_host": [ + "dicta7226.mail.example" + ], + "rsa.network.dinterface": "enp0s7388", + "rsa.network.network_service": "lapariat", + "rsa.network.sinterface": "eth4604", + "rsa.threat.threat_desc": "rporiss", + "rsa.time.duration_time": 96.864, + "rsa.time.event_time": "2018-12-07T06:17:40.000Z", + "rsa.time.timezone": "CT", + "rsa.web.reputation_num": 163.671, + "rsa.web.web_ref_domain": "orroqu", + "rule.name": "eddoei", + "service.type": "fortinet", + "source.bytes": 2685, + "source.geo.country_name": "emoe", + "source.ip": [ + "10.4.244.115" + ], + "source.mac": "01:00:5e:f5:2a:24", + "source.port": 4588, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://api.example.com/temporai/umw.jpg?mveniamq=litsed#ptasn", + "url.query": "lore", + "user.name": "idolo" + }, + { + "@timestamp": "2018-12-21T13:20:14.000Z", + "destination.bytes": 3484, + "destination.geo.country_name": "litess", + "destination.ip": [ + "10.236.211.111" + ], + "destination.nat.ip": "10.120.212.78", + "destination.nat.port": 119, + "destination.port": 1801, + "event.action": "allow", + "event.code": "atur", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=lor dtime=2018-12-21 23:20:14.972538723 +0000 UTC devid=ori devname=eleumiu vd=amre date=2018-12-21 time=11:20:14 logid=atur type=untex subtype=Except level=very-high eventtime=econse logtime=iac srcip=10.221.100.157 srcport=865 srcintf=lo4518 srcintfrole=mqu dstip=10.236.211.111 dstport=1801 dstintf=enp0s454 dstintfrole=rauto poluuid=pteursi sessionid=iquamqua proto=tcp action=allow policyid=psumqui policytype=equeporr crscore=32.741000 craction=cusanti crlevel=doloreme appcat=nsecte service=reprehen srccountry=taspe dstcountry=litess trandisp=enimadm tranip=10.120.212.78 tranport=119 duration=17.257000 sentbyte=4752 rcvdbyte=3484 sentpkt=ntsuntin app=ectetur", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "very-high", + "log.offset": 82093, + "network.bytes": 8236, + "observer.egress.interface.name": "enp0s454", + "observer.ingress.interface.name": "lo4518", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.236.211.111", + "10.120.212.78", + "10.221.100.157" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "Except", + "rsa.misc.context": "enimadm", + "rsa.misc.event_source": "eleumiu", + "rsa.misc.event_type": "untex", + "rsa.misc.hardware_id": "ori", + "rsa.misc.log_session_id": "iquamqua", + "rsa.misc.obj_name": "ectetur", + "rsa.misc.policy_id": "psumqui", + "rsa.misc.reference_id": "atur", + "rsa.misc.severity": "very-high", + "rsa.misc.vsys": "amre", + "rsa.network.dinterface": "enp0s454", + "rsa.network.network_service": "reprehen", + "rsa.network.sinterface": "lo4518", + "rsa.time.duration_time": 17.257, + "rsa.time.event_time": "2018-12-21T13:20:14.000Z", + "rsa.time.event_time_str": "econse", + "rsa.web.reputation_num": 32.741, + "service.type": "fortinet", + "source.bytes": 4752, + "source.geo.country_name": "taspe", + "source.ip": [ + "10.221.100.157" + ], + "source.port": 865, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-05T08:22:49.000Z", + "destination.bytes": 5326, + "destination.ip": [ + "10.208.231.15" + ], + "destination.port": 412, + "event.action": "accept", + "event.code": "redol", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2019-1-5 time=6:22:49 logver=intocca devid=vel devname=xeacom logid=orum type=voluptat subtype=nsequ level=medium vd=tenimad srcip=10.140.215.210 srcport=7229 srcintf=lo568 dstip=10.71.213.217 dstport=7475 dstintf=eth5820 poluuid=lup sessionid=reetdolo proto=HOPOPT action=accept policyid=dolor trandisp=emagnam duration=154.150000 sentbyte=2336 rcvdbyte=5326 devtype=emull osname=enatuser osversion=1.3052 mastersrcmac=ectob srcmac=01:00:5e:4a:5d:af crscore=9.013000 craction=niamqu crlevel=nrep eventtype=lauda user=ionevo service=busB hostname=pidatatn2627.www.localdomain profile=eritinvo reqtype=quiav url=https://mail.example.org/ngelit/dipiscin.gif?serro=ctet#umiurere direction=inbound msg=ciun method=ssitaspe cat=deomnis catdesc=ulamcol device_id=onn log_id=redol pri=medium userfrom=utlabore adminprof=nci timezone=OMST main_type=liqu trigger_policy=ectetura sub_type=aUte severity_level=untNeque policy=roi src=10.210.82.202 src_port=2749 dst=10.208.231.15 dst_port=412 http_method=rios http_url=diconseq http_host=tenima http_agent=iusm http_session_id=mveleumi signature_subclass=equinesc signature_id=5076 srccountry=mfugiatq content_switch_name=dmini server_pool_name=emveleu false_positive_mitigation=loree user_name=riatur monitor_status=tempor http_refer=https://internal.example.com/spiciati/tise.gif?ctas=rvelillu#qua http_version=ciat dev_id=iamq threat_weight=porin history_threat_weight=yCi threat_level=arc ftp_mode=santium ftp_cmd=numquame cipher_suite=umfugi msg_id=amestqui", + "event.timezone": "OMST", + "fileset.name": "fortimanager", + "host.name": "pidatatn2627.www.localdomain", + "http.request.referrer": "https://internal.example.com/spiciati/tise.gif?ctas=rvelillu#qua", + "input.type": "log", + "log.level": "medium", + "log.offset": 82769, + "network.bytes": 7662, + "network.direction": "inbound", + "observer.egress.interface.name": "eth5820", + "observer.ingress.interface.name": "lo568", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.3052", + "related.hosts": [ + "pidatatn2627.www.localdomain" + ], + "related.ip": [ + "10.210.82.202", + "10.208.231.15" + ], + "related.user": [ + "riatur" + ], + "rsa.internal.event_desc": "ciun", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "lauda", + "rsa.misc.OS": "enatuser", + "rsa.misc.action": [ + "accept", + "rios" + ], + "rsa.misc.category": "aUte", + "rsa.misc.client": "iusm", + "rsa.misc.context": "emagnam", + "rsa.misc.event_source": "xeacom", + "rsa.misc.event_type": "voluptat", + "rsa.misc.fcatnum": "deomnis", + "rsa.misc.filter": "ulamcol", + "rsa.misc.hardware_id": "onn", + "rsa.misc.log_session_id": "mveleumi", + "rsa.misc.policy_id": "dolor", + "rsa.misc.policy_name": "roi", + "rsa.misc.reference_id": "redol", + "rsa.misc.rule_name": "eritinvo", + "rsa.misc.severity": "medium", + "rsa.misc.sig_id": 5076, + "rsa.misc.version": "1.3052", + "rsa.misc.vsys": "tenimad", + "rsa.network.alias_host": [ + "pidatatn2627.www.localdomain" + ], + "rsa.network.dinterface": "eth5820", + "rsa.network.network_service": "busB", + "rsa.network.sinterface": "lo568", + "rsa.threat.threat_desc": "arc", + "rsa.time.duration_time": 154.15, + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "rsa.time.timezone": "OMST", + "rsa.web.reputation_num": 9.013, + "rsa.web.web_ref_domain": "tenima", + "rule.name": "eritinvo", + "service.type": "fortinet", + "source.bytes": 2336, + "source.geo.country_name": "mfugiatq", + "source.ip": [ + "10.210.82.202" + ], + "source.mac": "01:00:5e:4a:5d:af", + "source.port": 2749, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://mail.example.org/ngelit/dipiscin.gif?serro=ctet#umiurere", + "url.query": "diconseq", + "user.name": "riatur" + }, + { + "@timestamp": "2019-01-19T03:25:23.000Z", + "destination.bytes": 220, + "destination.geo.country_name": "aqueipsa", + "destination.ip": [ + "10.123.59.69" + ], + "destination.nat.ip": "10.53.251.202", + "destination.nat.port": 7501, + "destination.port": 5399, + "event.action": "accept", + "event.code": "edd", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=tesseq devname=\"nimides\" devid=\"iusmodte\" vd=involup date=2019-1-19 time=1:25:23 logid=edd type=dolorsi subtype=mcolabo level=low eventtime=exe logtime=nve srcip=10.226.255.3 srcport=5449 srcintf=lo7680 srcintfrole=iaconseq dstip=10.123.59.69 dstport=5399 dstintf=lo5835 dstintfrole=ntsunti poluuid=bor sessionid=uisnos proto=6 action=accept policyid=tation policytype=seddoe crscore=21.625000 craction=eur crlevel=ntmolli appcat=pitl service=nulap srccountry=ipexe dstcountry=aqueipsa trandisp=psum tranip=10.53.251.202 tranport=7501 duration=131.751000 sentbyte=6876 rcvdbyte=220 sentpkt=ugi app=ptate", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "low", + "log.offset": 84276, + "network.bytes": 7096, + "observer.egress.interface.name": "lo5835", + "observer.ingress.interface.name": "lo7680", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.123.59.69", + "10.226.255.3", + "10.53.251.202" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "mcolabo", + "rsa.misc.context": "psum", + "rsa.misc.event_source": "nimides", + "rsa.misc.event_type": "dolorsi", + "rsa.misc.hardware_id": "iusmodte", + "rsa.misc.log_session_id": "uisnos", + "rsa.misc.obj_name": "ptate", + "rsa.misc.policy_id": "tation", + "rsa.misc.reference_id": "edd", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "involup", + "rsa.network.dinterface": "lo5835", + "rsa.network.network_service": "nulap", + "rsa.network.sinterface": "lo7680", + "rsa.time.duration_time": 131.751, + "rsa.time.event_time": "2019-01-19T03:25:23.000Z", + "rsa.time.event_time_str": "exe", + "rsa.web.reputation_num": 21.625, + "service.type": "fortinet", + "source.bytes": 6876, + "source.geo.country_name": "ipexe", + "source.ip": [ + "10.226.255.3" + ], + "source.port": 5449, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-02T10:27:57.000Z", + "destination.bytes": 7868, + "destination.geo.country_name": "persp", + "destination.ip": [ + "10.212.56.26" + ], + "destination.nat.ip": "10.29.141.252", + "destination.nat.port": 2077, + "destination.port": 3032, + "event.action": "block", + "event.code": "uide", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=rur devname=\"edut\" devid=\"sitametc\" vd=iarchite date=2019-2-2 time=8:27:57 logid=uide type=iono subtype=aboris level=very-high eventtime=imidest logtime=ulamc srcip=10.3.85.176 srcport=318 srcintf=eth2546 srcintfrole=uptateve dstip=10.212.56.26 dstport=3032 dstintf=enp0s2353 dstintfrole=loin poluuid=cinge sessionid=tutl proto=udp action=block policyid=nesciu policytype=ueip crscore=162.484000 craction=orumSe crlevel=mSe appcat=itame service=quaturv srccountry=lumdolor dstcountry=persp trandisp=leumi tranip=10.29.141.252 tranport=2077 duration=106.468000 sentbyte=3472 rcvdbyte=7868 sentpkt=orum app=reseos", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "very-high", + "log.offset": 84887, + "network.bytes": 11340, + "observer.egress.interface.name": "enp0s2353", + "observer.ingress.interface.name": "eth2546", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.212.56.26", + "10.3.85.176", + "10.29.141.252" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "aboris", + "rsa.misc.context": "leumi", + "rsa.misc.event_source": "edut", + "rsa.misc.event_type": "iono", + "rsa.misc.hardware_id": "sitametc", + "rsa.misc.log_session_id": "tutl", + "rsa.misc.obj_name": "reseos", + "rsa.misc.policy_id": "nesciu", + "rsa.misc.reference_id": "uide", + "rsa.misc.severity": "very-high", + "rsa.misc.vsys": "iarchite", + "rsa.network.dinterface": "enp0s2353", + "rsa.network.network_service": "quaturv", + "rsa.network.sinterface": "eth2546", + "rsa.time.duration_time": 106.468, + "rsa.time.event_time": "2019-02-02T10:27:57.000Z", + "rsa.time.event_time_str": "imidest", + "rsa.web.reputation_num": 162.484, + "service.type": "fortinet", + "source.bytes": 3472, + "source.geo.country_name": "lumdolor", + "source.ip": [ + "10.3.85.176" + ], + "source.port": 318, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-17T05:30:32.000Z", + "destination.bytes": 4658, + "destination.ip": [ + "10.236.175.163" + ], + "destination.port": 6562, + "event.action": "cancel", + "event.code": "oeni", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2019-2-17 time=3:30:32 devname=orem device_id=seq log_id=cus type=generic subtype=tnulap pri=very-high devid=psamvolu devname=inculp logid=eni type=tcupid subtype=ercita level=very-high vd=olorinr srcip=10.110.166.81 srcport=7354 srcintf=lo3023 dstip=10.181.48.82 dstport=1225 dstintf=eth7640 poluuid=conseq sessionid=Nemoen proto=6 action=cancel policyid=umquamei trandisp=nih duration=55.527000 sentbyte=3449 rcvdbyte=4658 devtype=quia osname=eabill osversion=1.95 mastersrcmac=oeiusmo srcmac=01:00:5e:82:ca:1b crscore=67.321000 craction=rumwrit crlevel=tionofd eventtype=ill user=orroquis service=laparia hostname=emveleu4029.api.local profile=tconse reqtype=ntsun url=https://internal.example.net/inc/riaturEx.htm?mnihilm=itinvo#lestia direction=external msg=metcons method=lumd cat=liquaUt catdesc=snos device_id=maccusan log_id=oeni pri=medium userfrom=tiaecon adminprof=tincu timezone=GMT-07:00 main_type=untmoll trigger_policy=par sub_type=idatatno severity_level=tfugit policy=tla src=10.126.11.186 src_port=589 dst=10.236.175.163 dst_port=6562 http_method=atemqui http_url=icaboN http_host=Utenimad http_agent=res http_session_id=officiad signature_subclass=nsectet signature_id=3977 srccountry=temU content_switch_name=ciduntut server_pool_name=ionofd false_positive_mitigation=etqua user_name=udantiu monitor_status=tium http_refer=https://internal.example.net/leumiu/iuta.html?tfugit=rorsitv#tiaecons http_version=uamestq dev_id=aliquaUt threat_weight=boreet history_threat_weight=mquam threat_level=volu ftp_mode=nof ftp_cmd=boNe cipher_suite=ovolu msg_id=cid", + "event.timezone": "GMT-07:00", + "fileset.name": "fortimanager", + "host.name": "emveleu4029.api.local", + "http.request.referrer": "https://internal.example.net/leumiu/iuta.html?tfugit=rorsitv#tiaecons", + "input.type": "log", + "log.level": "medium", + "log.offset": 85506, + "network.bytes": 8107, + "network.direction": "external", + "observer.egress.interface.name": "eth7640", + "observer.ingress.interface.name": "lo3023", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.95", + "related.hosts": [ + "emveleu4029.api.local" + ], + "related.ip": [ + "10.126.11.186", + "10.236.175.163" + ], + "related.user": [ + "udantiu" + ], + "rsa.internal.event_desc": "metcons", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "ill", + "rsa.misc.OS": "eabill", + "rsa.misc.action": [ + "atemqui", + "cancel" + ], + "rsa.misc.category": "idatatno", + "rsa.misc.client": "res", + "rsa.misc.context": "nih", + "rsa.misc.event_source": "inculp", + "rsa.misc.event_type": "tcupid", + "rsa.misc.fcatnum": "liquaUt", + "rsa.misc.filter": "snos", + "rsa.misc.hardware_id": "maccusan", + "rsa.misc.log_session_id": "officiad", + "rsa.misc.policy_id": "umquamei", + "rsa.misc.policy_name": "tla", + "rsa.misc.reference_id": "oeni", + "rsa.misc.rule_name": "tconse", + "rsa.misc.severity": "medium", + "rsa.misc.sig_id": 3977, + "rsa.misc.version": "1.95", + "rsa.misc.vsys": "olorinr", + "rsa.network.alias_host": [ + "emveleu4029.api.local" + ], + "rsa.network.dinterface": "eth7640", + "rsa.network.network_service": "laparia", + "rsa.network.sinterface": "lo3023", + "rsa.threat.threat_desc": "volu", + "rsa.time.duration_time": 55.527, + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "rsa.time.timezone": "GMT-07:00", + "rsa.web.reputation_num": 67.321, + "rsa.web.web_ref_domain": "Utenimad", + "rule.name": "tconse", + "service.type": "fortinet", + "source.bytes": 3449, + "source.geo.country_name": "temU", + "source.ip": [ + "10.126.11.186" + ], + "source.mac": "01:00:5e:82:ca:1b", + "source.port": 589, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://internal.example.net/inc/riaturEx.htm?mnihilm=itinvo#lestia", + "url.query": "icaboN", + "user.name": "udantiu" + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "destination.bytes": 3339, + "destination.geo.country_name": "paq", + "destination.ip": [ + "10.11.150.136" + ], + "destination.nat.ip": "10.83.98.220", + "destination.nat.port": 1300, + "destination.port": 3615, + "event.action": "cancel", + "event.code": "oeius", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=equamn devname=\"mes\" devid=\"itatio\" vd=ssecillu date=2019-3-3 time=10:33:06 logid=oeius type=itin subtype=nostrud level=medium eventtime=byCic logtime=mnisiuta srcip=10.171.60.173 srcport=209 srcintf=lo1917 srcintfrole=usmodite dstip=10.11.150.136 dstport=3615 dstintf=lo5438 dstintfrole=olup poluuid=urQuis sessionid=iquip proto=1 action=cancel policyid=untutl policytype=elite crscore=176.898000 craction=ipsaq crlevel=spici appcat=nvolupt service=antiu srccountry=llumquid dstcountry=paq trandisp=olup tranip=10.83.98.220 tranport=1300 duration=73.115000 sentbyte=5812 rcvdbyte=3339 sentpkt=amquis app=umtotam", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "medium", + "log.offset": 87085, + "network.bytes": 9151, + "observer.egress.interface.name": "lo5438", + "observer.ingress.interface.name": "lo1917", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.11.150.136", + "10.171.60.173", + "10.83.98.220" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "nostrud", + "rsa.misc.context": "olup", + "rsa.misc.event_source": "mes", + "rsa.misc.event_type": "itin", + "rsa.misc.hardware_id": "itatio", + "rsa.misc.log_session_id": "iquip", + "rsa.misc.obj_name": "umtotam", + "rsa.misc.policy_id": "untutl", + "rsa.misc.reference_id": "oeius", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "ssecillu", + "rsa.network.dinterface": "lo5438", + "rsa.network.network_service": "antiu", + "rsa.network.sinterface": "lo1917", + "rsa.time.duration_time": 73.115, + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "rsa.time.event_time_str": "byCic", + "rsa.web.reputation_num": 176.898, + "service.type": "fortinet", + "source.bytes": 5812, + "source.geo.country_name": "llumquid", + "source.ip": [ + "10.171.60.173" + ], + "source.port": 209, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-17T07:35:40.000Z", + "destination.bytes": 3946, + "destination.geo.country_name": "ipisc", + "destination.ip": [ + "10.74.88.209" + ], + "destination.nat.ip": "10.92.3.166", + "destination.nat.port": 5777, + "destination.port": 740, + "event.action": "deny", + "event.code": "uiavo", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=pitlabo dtime=2019-03-17 17:35:40.532538723 +0000 UTC devid=lorsita devname=datatno vd=emac date=2019-3-17 time=5:35:40 logid=uiavo type=tdo subtype=ratvolup level=high eventtime=dolo logtime=quioffic srcip=10.238.49.73 srcport=1554 srcintf=enp0s11 srcintfrole=riatu dstip=10.74.88.209 dstport=740 dstintf=lo5287 dstintfrole=quep poluuid=tfugitse sessionid=oenimips proto=udp action=deny policyid=mdo policytype=map crscore=148.871000 craction=osqui crlevel=consequ appcat=catcupid service=velitess srccountry=sit dstcountry=ipisc trandisp=onsectet tranip=10.92.3.166 tranport=5777 duration=156.314000 sentbyte=715 rcvdbyte=3946 sentpkt=itvol app=dolo", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "high", + "log.offset": 87705, + "network.bytes": 4661, + "observer.egress.interface.name": "lo5287", + "observer.ingress.interface.name": "enp0s11", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.92.3.166", + "10.238.49.73", + "10.74.88.209" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "ratvolup", + "rsa.misc.context": "onsectet", + "rsa.misc.event_source": "datatno", + "rsa.misc.event_type": "tdo", + "rsa.misc.hardware_id": "lorsita", + "rsa.misc.log_session_id": "oenimips", + "rsa.misc.obj_name": "dolo", + "rsa.misc.policy_id": "mdo", + "rsa.misc.reference_id": "uiavo", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "emac", + "rsa.network.dinterface": "lo5287", + "rsa.network.network_service": "velitess", + "rsa.network.sinterface": "enp0s11", + "rsa.time.duration_time": 156.314, + "rsa.time.event_time": "2019-03-17T07:35:40.000Z", + "rsa.time.event_time_str": "dolo", + "rsa.web.reputation_num": 148.871, + "service.type": "fortinet", + "source.bytes": 715, + "source.geo.country_name": "sit", + "source.ip": [ + "10.238.49.73" + ], + "source.port": 1554, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-01T14:38:14.000Z", + "destination.bytes": 4329, + "destination.geo.country_name": "quelaud", + "destination.ip": [ + "10.187.107.47" + ], + "destination.nat.ip": "10.84.200.121", + "destination.nat.port": 3226, + "destination.port": 288, + "event.action": "allow", + "event.code": "periamea", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=amquisno dtime=2019-04-01 00:38:14.792538723 +0000 UTC devid=uptasnul devname=ptate vd=deri date=2019-4-1 time=12:38:14 logid=periamea type=equatD subtype=quaturQu level=high eventtime=rpo logtime=inr srcip=10.119.248.36 srcport=2450 srcintf=enp0s1885 srcintfrole=ten dstip=10.187.107.47 dstport=288 dstintf=lo2445 dstintfrole=fugia poluuid=psa sessionid=iset proto=prm action=allow policyid=ecte policytype=ionemull crscore=84.399000 craction=sBo crlevel=nimides appcat=iurere service=edolorin srccountry=labor dstcountry=quelaud trandisp=ira tranip=10.84.200.121 tranport=3226 duration=128.212000 sentbyte=2150 rcvdbyte=4329 sentpkt=nos app=icta", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "high", + "log.offset": 88364, + "network.bytes": 6479, + "observer.egress.interface.name": "lo2445", + "observer.ingress.interface.name": "enp0s1885", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.119.248.36", + "10.187.107.47", + "10.84.200.121" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "quaturQu", + "rsa.misc.context": "ira", + "rsa.misc.event_source": "ptate", + "rsa.misc.event_type": "equatD", + "rsa.misc.hardware_id": "uptasnul", + "rsa.misc.log_session_id": "iset", + "rsa.misc.obj_name": "icta", + "rsa.misc.policy_id": "ecte", + "rsa.misc.reference_id": "periamea", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "deri", + "rsa.network.dinterface": "lo2445", + "rsa.network.network_service": "edolorin", + "rsa.network.sinterface": "enp0s1885", + "rsa.time.duration_time": 128.212, + "rsa.time.event_time": "2019-04-01T14:38:14.000Z", + "rsa.time.event_time_str": "rpo", + "rsa.web.reputation_num": 84.399, + "service.type": "fortinet", + "source.bytes": 2150, + "source.geo.country_name": "labor", + "source.ip": [ + "10.119.248.36" + ], + "source.port": 2450, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "destination.bytes": 1057, + "destination.geo.country_name": "nvolupt", + "destination.ip": [ + "10.135.213.17" + ], + "destination.nat.ip": "10.30.239.222", + "destination.nat.port": 1546, + "destination.port": 6427, + "event.action": "block", + "event.code": "atae", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=itseddo devname=\"tasu\" devid=\"mquae\" vd=CSedu date=2019-4-15 time=7:40:49 logid=atae type=aeconseq subtype=boNemo level=very-high eventtime=nemulla logtime=tmollit srcip=10.167.128.229 srcport=4052 srcintf=eth1833 srcintfrole=ciatisu dstip=10.135.213.17 dstport=6427 dstintf=eth6468 dstintfrole=ritat poluuid=dipi sessionid=asnulapa proto=prm action=block policyid=onsequa policytype=seddoe crscore=23.021000 craction=Bonorume crlevel=emeumfu appcat=tla service=uidexea srccountry=odtem dstcountry=nvolupt trandisp=stia tranip=10.30.239.222 tranport=1546 duration=10.721000 sentbyte=6561 rcvdbyte=1057 sentpkt=itectobe app=rroq", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "very-high", + "log.offset": 89019, + "network.bytes": 7618, + "observer.egress.interface.name": "eth6468", + "observer.ingress.interface.name": "eth1833", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.135.213.17", + "10.167.128.229", + "10.30.239.222" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "boNemo", + "rsa.misc.context": "stia", + "rsa.misc.event_source": "tasu", + "rsa.misc.event_type": "aeconseq", + "rsa.misc.hardware_id": "mquae", + "rsa.misc.log_session_id": "asnulapa", + "rsa.misc.obj_name": "rroq", + "rsa.misc.policy_id": "onsequa", + "rsa.misc.reference_id": "atae", + "rsa.misc.severity": "very-high", + "rsa.misc.vsys": "CSedu", + "rsa.network.dinterface": "eth6468", + "rsa.network.network_service": "uidexea", + "rsa.network.sinterface": "eth1833", + "rsa.time.duration_time": 10.721, + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "rsa.time.event_time_str": "nemulla", + "rsa.web.reputation_num": 23.021, + "service.type": "fortinet", + "source.bytes": 6561, + "source.geo.country_name": "odtem", + "source.ip": [ + "10.167.128.229" + ], + "source.port": 4052, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-29T04:43:23.000Z", + "destination.bytes": 1150, + "destination.ip": [ + "10.115.166.48" + ], + "destination.port": 7491, + "event.action": "block", + "event.code": "tiumt", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2019-4-29 time=2:43:23 devname=uunt device_id=pic log_id=unt type=generic subtype=emUt pri=medium devid=pernatur devname=orem logid=enbyCice type=velil subtype=nsequat level=low vd=duntutl srcip=10.238.172.76 srcport=156 srcintf=lo1215 dstip=10.201.119.253 dstport=2230 dstintf=enp0s7218 poluuid=nimad sessionid=tionu proto=udp action=block policyid=emagna trandisp=quin duration=68.078000 sentbyte=2527 rcvdbyte=1150 devtype=consequ osname=min osversion=1.1028 mastersrcmac=edicta srcmac=01:00:5e:cd:6c:ed crscore=163.905000 craction=itinvolu crlevel=urerepre eventtype=iumdol user=serror service=uptass hostname=rspic5637.api.local profile=itatise reqtype=iut url=https://api.example.net/ita/esse.txt?amquis=iatquovo#rExce direction=inbound msg=uraut method=reetdol cat=umtotam catdesc=itaedi device_id=ant log_id=tiumt pri=very-high userfrom=ratvolup adminprof=iamqu timezone=CT main_type=quaturve trigger_policy=tsunti sub_type=ero severity_level=iusmodi policy=acomm src=10.169.133.219 src_port=92 dst=10.115.166.48 dst_port=7491 http_method=eleumiur http_url=ididun http_host=edi http_agent=gia http_session_id=uaturQui signature_subclass=emi signature_id=5446 srccountry=etM content_switch_name=eve server_pool_name=iru false_positive_mitigation=ipit user_name=emq monitor_status=elitsedq http_refer=https://www.example.net/onsequat/emagnaa.gif?itse=tco#nnumqua http_version=erit dev_id=lorsitam threat_weight=emagnama history_threat_weight=ute threat_level=Excep ftp_mode=utpersp ftp_cmd=rehe cipher_suite=tiumt msg_id=ulamc", + "event.timezone": "CT", + "fileset.name": "fortimanager", + "host.name": "rspic5637.api.local", + "http.request.referrer": "https://www.example.net/onsequat/emagnaa.gif?itse=tco#nnumqua", + "input.type": "log", + "log.level": "very-high", + "log.offset": 89654, + "network.bytes": 3677, + "network.direction": "inbound", + "observer.egress.interface.name": "enp0s7218", + "observer.ingress.interface.name": "lo1215", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.1028", + "related.hosts": [ + "rspic5637.api.local" + ], + "related.ip": [ + "10.169.133.219", + "10.115.166.48" + ], + "related.user": [ + "emq" + ], + "rsa.internal.event_desc": "uraut", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "iumdol", + "rsa.misc.OS": "min", + "rsa.misc.action": [ + "eleumiur", + "block" + ], + "rsa.misc.category": "ero", + "rsa.misc.client": "gia", + "rsa.misc.context": "quin", + "rsa.misc.event_source": "orem", + "rsa.misc.event_type": "velil", + "rsa.misc.fcatnum": "umtotam", + "rsa.misc.filter": "itaedi", + "rsa.misc.hardware_id": "ant", + "rsa.misc.log_session_id": "uaturQui", + "rsa.misc.policy_id": "emagna", + "rsa.misc.policy_name": "acomm", + "rsa.misc.reference_id": "tiumt", + "rsa.misc.rule_name": "itatise", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id": 5446, + "rsa.misc.version": "1.1028", + "rsa.misc.vsys": "duntutl", + "rsa.network.alias_host": [ + "rspic5637.api.local" + ], + "rsa.network.dinterface": "enp0s7218", + "rsa.network.network_service": "uptass", + "rsa.network.sinterface": "lo1215", + "rsa.threat.threat_desc": "Excep", + "rsa.time.duration_time": 68.078, + "rsa.time.event_time": "2019-04-29T04:43:23.000Z", + "rsa.time.timezone": "CT", + "rsa.web.reputation_num": 163.905, + "rsa.web.web_ref_domain": "edi", + "rule.name": "itatise", + "service.type": "fortinet", + "source.bytes": 2527, + "source.geo.country_name": "etM", + "source.ip": [ + "10.169.133.219" + ], + "source.mac": "01:00:5e:cd:6c:ed", + "source.port": 92, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://api.example.net/ita/esse.txt?amquis=iatquovo#rExce", + "url.query": "ididun", + "user.name": "emq" + }, + { + "@timestamp": "2019-05-13T11:45:57.000Z", + "destination.bytes": 4374, + "destination.ip": [ + "10.226.39.82" + ], + "destination.port": 3950, + "event.action": "block", + "event.code": "isetqu", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=runt date=2019-5-13 time=9:45:57 log_id=emipsu devid=icaboNem devname=Except logid=fugits type=maliquam subtype=mav level=very-high vd=ecill srcip=10.36.122.89 srcport=5040 srcintf=lo3887 dstip=10.206.76.186 dstport=741 dstintf=eth2435 poluuid=atisund sessionid=enbyCic proto=1 action=block policyid=nrepre trandisp=uisautem duration=145.667000 sentbyte=4247 rcvdbyte=4374 devtype=tio osname=aconseq osversion=1.4195 mastersrcmac=enatuser srcmac=01:00:5e:1a:9c:4f crscore=124.786000 craction=rcitatio crlevel=olore eventtype=ntexp user=atio service=roquisqu hostname=rror3870.www5.local profile=volu reqtype=occ url=https://www5.example.net/culpa/isun.txt?cola=tura#rat direction=internal msg=sect method=ing cat=nis catdesc=aboreet device_id=ulapari log_id=isetqu pri=high userfrom=ons adminprof=Sedu timezone=CEST main_type=icaboNem trigger_policy=enderi sub_type=edqu severity_level=cita policy=uidolore src=10.146.255.40 src_port=3003 dst=10.226.39.82 dst_port=3950 http_method=oluptate http_url=orumwrit http_host=aconse http_agent=ites http_session_id=abori signature_subclass=dolor signature_id=3543 srccountry=amqu content_switch_name=uamest server_pool_name=ntoccaec false_positive_mitigation=ites user_name=caecatcu monitor_status=iof http_refer=https://api.example.com/uae/mdolo.txt?aute=itatise#utpers http_version=equunt dev_id=Nemo threat_weight=itse history_threat_weight=lillumq threat_level=idid ftp_mode=uis ftp_cmd=velits cipher_suite=mmodo msg_id=rporissu", + "event.timezone": "CEST", + "fileset.name": "fortimanager", + "host.name": "rror3870.www5.local", + "http.request.referrer": "https://api.example.com/uae/mdolo.txt?aute=itatise#utpers", + "input.type": "log", + "log.level": "high", + "log.offset": 91192, + "network.bytes": 8621, + "network.direction": "internal", + "observer.egress.interface.name": "eth2435", + "observer.ingress.interface.name": "lo3887", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.4195", + "related.hosts": [ + "rror3870.www5.local" + ], + "related.ip": [ + "10.146.255.40", + "10.226.39.82" + ], + "related.user": [ + "caecatcu" + ], + "rsa.internal.event_desc": "sect", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "ntexp", + "rsa.misc.OS": "aconseq", + "rsa.misc.action": [ + "block", + "oluptate" + ], + "rsa.misc.category": "edqu", + "rsa.misc.client": "ites", + "rsa.misc.context": "uisautem", + "rsa.misc.event_source": "Except", + "rsa.misc.event_type": "maliquam", + "rsa.misc.fcatnum": "nis", + "rsa.misc.filter": "aboreet", + "rsa.misc.hardware_id": "ulapari", + "rsa.misc.log_session_id": "abori", + "rsa.misc.policy_id": "nrepre", + "rsa.misc.policy_name": "uidolore", + "rsa.misc.reference_id": "isetqu", + "rsa.misc.rule_name": "volu", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 3543, + "rsa.misc.version": "1.4195", + "rsa.misc.vsys": "ecill", + "rsa.network.alias_host": [ + "rror3870.www5.local" + ], + "rsa.network.dinterface": "eth2435", + "rsa.network.network_service": "roquisqu", + "rsa.network.sinterface": "lo3887", + "rsa.threat.threat_desc": "idid", + "rsa.time.duration_time": 145.667, + "rsa.time.event_time": "2019-05-13T11:45:57.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.reputation_num": 124.786, + "rsa.web.web_ref_domain": "aconse", + "rule.name": "volu", + "service.type": "fortinet", + "source.bytes": 4247, + "source.geo.country_name": "amqu", + "source.ip": [ + "10.146.255.40" + ], + "source.mac": "01:00:5e:1a:9c:4f", + "source.port": 3003, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www5.example.net/culpa/isun.txt?cola=tura#rat", + "url.query": "orumwrit", + "user.name": "caecatcu" + }, + { + "@timestamp": "2019-05-28T06:48:31.000Z", + "destination.bytes": 2380, + "destination.geo.country_name": "tani", + "destination.ip": [ + "10.224.212.88" + ], + "destination.nat.ip": "10.35.240.70", + "destination.nat.port": 2587, + "destination.port": 5404, + "event.action": "deny", + "event.code": "ddoei", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=utemvel dtime=2019-05-28 04:48:31.832538723 +0000 UTC devid=exercita devname=emaperi vd=aspernat date=2019-5-28 time=4:48:31 logid=ddoei type=nihi subtype=umfu level=low eventtime=ehen logtime=olupt srcip=10.53.82.96 srcport=7088 srcintf=eth297 srcintfrole=nostru dstip=10.224.212.88 dstport=5404 dstintf=lo4266 dstintfrole=natuserr poluuid=ipi sessionid=eniamqui proto=icmp action=deny policyid=urvelill policytype=iadese crscore=174.116000 craction=isundeo crlevel=emq appcat=rehender service=uat srccountry=apa dstcountry=tani trandisp=per tranip=10.35.240.70 tranport=2587 duration=62.993000 sentbyte=7102 rcvdbyte=2380 sentpkt=ataevit app=chi", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "low", + "log.offset": 92675, + "network.bytes": 9482, + "observer.egress.interface.name": "lo4266", + "observer.ingress.interface.name": "eth297", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.53.82.96", + "10.224.212.88", + "10.35.240.70" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "umfu", + "rsa.misc.context": "per", + "rsa.misc.event_source": "emaperi", + "rsa.misc.event_type": "nihi", + "rsa.misc.hardware_id": "exercita", + "rsa.misc.log_session_id": "eniamqui", + "rsa.misc.obj_name": "chi", + "rsa.misc.policy_id": "urvelill", + "rsa.misc.reference_id": "ddoei", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "aspernat", + "rsa.network.dinterface": "lo4266", + "rsa.network.network_service": "uat", + "rsa.network.sinterface": "eth297", + "rsa.time.duration_time": 62.993, + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "rsa.time.event_time_str": "ehen", + "rsa.web.reputation_num": 174.116, + "service.type": "fortinet", + "source.bytes": 7102, + "source.geo.country_name": "apa", + "source.ip": [ + "10.53.82.96" + ], + "source.port": 7088, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "destination.bytes": 475, + "destination.geo.country_name": "aevitae", + "destination.ip": [ + "10.233.128.7" + ], + "destination.nat.ip": "10.66.149.234", + "destination.nat.port": 6236, + "destination.port": 2455, + "event.action": "cancel", + "event.code": "uei", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=lorsita devname=\"oeius\" devid=\"trud\" vd=aco date=2019-6-11 time=11:51:06 logid=uei type=tsedqu subtype=agni level=very-high eventtime=rsint logtime=catc srcip=10.186.253.240 srcport=6982 srcintf=enp0s5429 srcintfrole=end dstip=10.233.128.7 dstport=2455 dstintf=eth5315 dstintfrole=onnumq poluuid=lupt sessionid=ugiatq proto=prm action=cancel policyid=utla policytype=iosamn crscore=164.209000 craction=tor crlevel=toreve appcat=ita service=orain srccountry=tnulap dstcountry=aevitae trandisp=aqu tranip=10.66.149.234 tranport=6236 duration=128.130000 sentbyte=6344 rcvdbyte=475 sentpkt=loremeu app=tate", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "very-high", + "log.offset": 93330, + "network.bytes": 6819, + "observer.egress.interface.name": "eth5315", + "observer.ingress.interface.name": "enp0s5429", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.66.149.234", + "10.186.253.240", + "10.233.128.7" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "agni", + "rsa.misc.context": "aqu", + "rsa.misc.event_source": "oeius", + "rsa.misc.event_type": "tsedqu", + "rsa.misc.hardware_id": "trud", + "rsa.misc.log_session_id": "ugiatq", + "rsa.misc.obj_name": "tate", + "rsa.misc.policy_id": "utla", + "rsa.misc.reference_id": "uei", + "rsa.misc.severity": "very-high", + "rsa.misc.vsys": "aco", + "rsa.network.dinterface": "eth5315", + "rsa.network.network_service": "orain", + "rsa.network.sinterface": "enp0s5429", + "rsa.time.duration_time": 128.13, + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "rsa.time.event_time_str": "rsint", + "rsa.web.reputation_num": 164.209, + "service.type": "fortinet", + "source.bytes": 6344, + "source.geo.country_name": "tnulap", + "source.ip": [ + "10.186.253.240" + ], + "source.port": 6982, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-25T08:53:40.000Z", + "destination.bytes": 1387, + "destination.geo.country_name": "avolupt", + "destination.ip": [ + "10.46.11.114" + ], + "destination.nat.ip": "10.173.140.201", + "destination.nat.port": 6422, + "destination.port": 4009, + "event.action": "cancel", + "event.code": "rsintocc", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=elaud dtime=2019-06-25 18:53:40.352538723 +0000 UTC devid=iad devname=irat vd=upi date=2019-6-25 time=6:53:40 logid=rsintocc type=itanim subtype=sinto level=medium eventtime=lore logtime=eabi srcip=10.227.133.134 srcport=3351 srcintf=enp0s4820 srcintfrole=erspici dstip=10.46.11.114 dstport=4009 dstintf=enp0s7159 dstintfrole=oremq poluuid=rspiciat sessionid=ptas proto=tcp action=cancel policyid=ore policytype=dut crscore=128.554000 craction=remape crlevel=itectob appcat=sedquia service=mquisnos srccountry=mwritt dstcountry=avolupt trandisp=lumdolo tranip=10.173.140.201 tranport=6422 duration=133.394000 sentbyte=7249 rcvdbyte=1387 sentpkt=str app=sit", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "medium", + "log.offset": 93940, + "network.bytes": 8636, + "observer.egress.interface.name": "enp0s7159", + "observer.ingress.interface.name": "enp0s4820", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.227.133.134", + "10.46.11.114", + "10.173.140.201" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "sinto", + "rsa.misc.context": "lumdolo", + "rsa.misc.event_source": "irat", + "rsa.misc.event_type": "itanim", + "rsa.misc.hardware_id": "iad", + "rsa.misc.log_session_id": "ptas", + "rsa.misc.obj_name": "sit", + "rsa.misc.policy_id": "ore", + "rsa.misc.reference_id": "rsintocc", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "upi", + "rsa.network.dinterface": "enp0s7159", + "rsa.network.network_service": "mquisnos", + "rsa.network.sinterface": "enp0s4820", + "rsa.time.duration_time": 133.394, + "rsa.time.event_time": "2019-06-25T08:53:40.000Z", + "rsa.time.event_time_str": "lore", + "rsa.web.reputation_num": 128.554, + "service.type": "fortinet", + "source.bytes": 7249, + "source.geo.country_name": "mwritt", + "source.ip": [ + "10.227.133.134" + ], + "source.port": 3351, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "destination.bytes": 1751, + "destination.geo.country_name": "ari", + "destination.ip": [ + "10.69.130.207" + ], + "destination.nat.ip": "10.170.236.123", + "destination.nat.port": 4346, + "destination.port": 1191, + "event.action": "cancel", + "event.code": "sciveli", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=elillum dtime=2019-07-10 01:56:14.612538723 +0000 UTC devid=isnos devname=emp vd=eos date=2019-7-10 time=1:56:14 logid=sciveli type=Bonoru subtype=rai level=low eventtime=omm logtime=cepteu srcip=10.205.18.11 srcport=6737 srcintf=eth4759 srcintfrole=ueipsa dstip=10.69.130.207 dstport=1191 dstintf=eth614 dstintfrole=architec poluuid=era sessionid=ptatem proto=udp action=cancel policyid=isi policytype=ssecill crscore=44.181000 craction=exerci crlevel=ptatemUt appcat=temqu service=ofd srccountry=nimvenia dstcountry=ari trandisp=eir tranip=10.170.236.123 tranport=4346 duration=150.036000 sentbyte=6877 rcvdbyte=1751 sentpkt=orum app=tation", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "low", + "log.offset": 94604, + "network.bytes": 8628, + "observer.egress.interface.name": "eth614", + "observer.ingress.interface.name": "eth4759", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.69.130.207", + "10.170.236.123", + "10.205.18.11" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "rai", + "rsa.misc.context": "eir", + "rsa.misc.event_source": "emp", + "rsa.misc.event_type": "Bonoru", + "rsa.misc.hardware_id": "isnos", + "rsa.misc.log_session_id": "ptatem", + "rsa.misc.obj_name": "tation", + "rsa.misc.policy_id": "isi", + "rsa.misc.reference_id": "sciveli", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "eos", + "rsa.network.dinterface": "eth614", + "rsa.network.network_service": "ofd", + "rsa.network.sinterface": "eth4759", + "rsa.time.duration_time": 150.036, + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "rsa.time.event_time_str": "omm", + "rsa.web.reputation_num": 44.181, + "service.type": "fortinet", + "source.bytes": 6877, + "source.geo.country_name": "nimvenia", + "source.ip": [ + "10.205.18.11" + ], + "source.port": 6737, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "destination.bytes": 1742, + "destination.ip": [ + "10.124.34.251" + ], + "destination.port": 3899, + "event.action": "deny", + "event.code": "mrem", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=repre date=2019-7-24 time=8:58:48 log_id=ore devid=ionemu devname=rehend logid=uiad type=tasu subtype=sciun level=high vd=taev srcip=10.196.124.206 srcport=7569 srcintf=enp0s2181 dstip=10.186.88.110 dstport=4203 dstintf=enp0s5497 poluuid=asnulapa sessionid=hende proto=0 action=deny policyid=ntmolli trandisp=uto duration=178.755000 sentbyte=6361 rcvdbyte=1742 devtype=ipsu osname=taedi osversion=1.2682 mastersrcmac=acom srcmac=01:00:5e:99:e3:a5 crscore=175.099000 craction=Cic crlevel=aturveli eventtype=lica user=Exc service=amvolup hostname=velill3821.mail.invalid profile=asnulap reqtype=usmodte url=https://example.com/loremag/mqu.gif?bore=lapari#aborios direction=external msg=lorem method=mnisiuta cat=quiadolo catdesc=abo device_id=msequine log_id=mrem pri=medium userfrom=atuserr adminprof=nsequatu timezone=ET main_type=uptasnu trigger_policy=atemUt sub_type=iurere severity_level=oident policy=volup src=10.97.254.192 src_port=302 dst=10.124.34.251 dst_port=3899 http_method=imide http_url=sequa http_host=ine http_agent=ollitan http_session_id=eacomm signature_subclass=onseq signature_id=6250 srccountry=reetd content_switch_name=equamnih server_pool_name=tevelite false_positive_mitigation=sitvolup user_name=epor monitor_status=atatnonp http_refer=https://example.org/elauda/ria.htm?uptatemU=iono#quun http_version=itationu dev_id=eniamqui threat_weight=adolo history_threat_weight=oreetdol threat_level=uinesciu ftp_mode=sciun ftp_cmd=tametc cipher_suite=rExcep msg_id=avolup", + "event.timezone": "ET", + "fileset.name": "fortimanager", + "host.name": "velill3821.mail.invalid", + "http.request.referrer": "https://example.org/elauda/ria.htm?uptatemU=iono#quun", + "input.type": "log", + "log.level": "medium", + "log.offset": 95254, + "network.bytes": 8103, + "network.direction": "external", + "observer.egress.interface.name": "enp0s5497", + "observer.ingress.interface.name": "enp0s2181", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.2682", + "related.hosts": [ + "velill3821.mail.invalid" + ], + "related.ip": [ + "10.97.254.192", + "10.124.34.251" + ], + "related.user": [ + "epor" + ], + "rsa.internal.event_desc": "lorem", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "lica", + "rsa.misc.OS": "taedi", + "rsa.misc.action": [ + "deny", + "imide" + ], + "rsa.misc.category": "iurere", + "rsa.misc.client": "ollitan", + "rsa.misc.context": "uto", + "rsa.misc.event_source": "rehend", + "rsa.misc.event_type": "tasu", + "rsa.misc.fcatnum": "quiadolo", + "rsa.misc.filter": "abo", + "rsa.misc.hardware_id": "msequine", + "rsa.misc.log_session_id": "eacomm", + "rsa.misc.policy_id": "ntmolli", + "rsa.misc.policy_name": "volup", + "rsa.misc.reference_id": "mrem", + "rsa.misc.rule_name": "asnulap", + "rsa.misc.severity": "medium", + "rsa.misc.sig_id": 6250, + "rsa.misc.version": "1.2682", + "rsa.misc.vsys": "taev", + "rsa.network.alias_host": [ + "velill3821.mail.invalid" + ], + "rsa.network.dinterface": "enp0s5497", + "rsa.network.network_service": "amvolup", + "rsa.network.sinterface": "enp0s2181", + "rsa.threat.threat_desc": "uinesciu", + "rsa.time.duration_time": 178.755, + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "rsa.time.timezone": "ET", + "rsa.web.reputation_num": 175.099, + "rsa.web.web_ref_domain": "ine", + "rule.name": "asnulap", + "service.type": "fortinet", + "source.bytes": 6361, + "source.geo.country_name": "reetd", + "source.ip": [ + "10.97.254.192" + ], + "source.mac": "01:00:5e:99:e3:a5", + "source.port": 302, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://example.com/loremag/mqu.gif?bore=lapari#aborios", + "url.query": "sequa", + "user.name": "epor" + }, + { + "@timestamp": "2019-08-07T06:01:23.000Z", + "destination.bytes": 3936, + "destination.geo.country_name": "tio", + "destination.ip": [ + "10.81.58.91" + ], + "destination.nat.ip": "10.204.98.238", + "destination.nat.port": 3885, + "destination.port": 2247, + "event.action": "cancel", + "event.code": "ngelit", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=olores devname=\"ineavol\" devid=\"bori\" vd=taev date=2019-8-7 time=4:01:23 logid=ngelit type=uidexea subtype=stiaec level=very-high eventtime=quipex logtime=rsintoc srcip=10.9.41.221 srcport=4010 srcintf=eth434 srcintfrole=estlabor dstip=10.81.58.91 dstport=2247 dstintf=lo6072 dstintfrole=udexerci poluuid=onemul sessionid=elaud proto=tcp action=cancel policyid=trudexe policytype=tiumtota crscore=53.861000 craction=ariaturE crlevel=fug appcat=umqu service=umqu srccountry=roide dstcountry=tio trandisp=autem tranip=10.204.98.238 tranport=3885 duration=108.380000 sentbyte=2498 rcvdbyte=3936 sentpkt=aquioffi app=aliqui", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "very-high", + "log.offset": 96754, + "network.bytes": 6434, + "observer.egress.interface.name": "lo6072", + "observer.ingress.interface.name": "eth434", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.9.41.221", + "10.81.58.91", + "10.204.98.238" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "stiaec", + "rsa.misc.context": "autem", + "rsa.misc.event_source": "ineavol", + "rsa.misc.event_type": "uidexea", + "rsa.misc.hardware_id": "bori", + "rsa.misc.log_session_id": "elaud", + "rsa.misc.obj_name": "aliqui", + "rsa.misc.policy_id": "trudexe", + "rsa.misc.reference_id": "ngelit", + "rsa.misc.severity": "very-high", + "rsa.misc.vsys": "taev", + "rsa.network.dinterface": "lo6072", + "rsa.network.network_service": "umqu", + "rsa.network.sinterface": "eth434", + "rsa.time.duration_time": 108.38, + "rsa.time.event_time": "2019-08-07T06:01:23.000Z", + "rsa.time.event_time_str": "quipex", + "rsa.web.reputation_num": 53.861, + "service.type": "fortinet", + "source.bytes": 2498, + "source.geo.country_name": "roide", + "source.ip": [ + "10.9.41.221" + ], + "source.port": 4010, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-21T13:03:57.000Z", + "event.action": "cancel", + "event.code": "velits", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2019-8-21 time=11:03:57 devname=unti device_id=tena log_id=velits type=event subtype=oditautf pri=high desc=rmagni user=tiono userfrom=utemvele msg=taevi action=cancel adom=xplicabo4308.www.example session_id=tquo", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "high", + "log.offset": 97381, + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.user": [ + "tiono" + ], + "rsa.db.index": "taevi", + "rsa.internal.event_desc": "rmagni", + "rsa.internal.messageid": "event_fortinetmgr", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "oditautf", + "rsa.misc.event_source": "unti", + "rsa.misc.event_type": "event", + "rsa.misc.hardware_id": "tena", + "rsa.misc.log_session_id": "tquo", + "rsa.misc.reference_id": "velits", + "rsa.misc.severity": "high", + "rsa.network.domain": "xplicabo4308.www.example", + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", + "server.domain": "xplicabo4308.www.example", + "service.type": "fortinet", + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "user.name": "tiono" + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "destination.bytes": 11, + "destination.geo.country_name": "mollita", + "destination.ip": [ + "10.37.120.29" + ], + "destination.nat.ip": "10.212.208.70", + "destination.nat.port": 3237, + "destination.port": 4170, + "event.action": "accept", + "event.code": "eiusmo", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=nrepr devname=\"uipex\" devid=\"alorumw\" vd=nibus date=2019-9-5 time=6:06:31 logid=eiusmo type=rci subtype=seosquir level=medium eventtime=ume logtime=ercitati srcip=10.35.84.125 srcport=341 srcintf=enp0s2388 srcintfrole=pernatu dstip=10.37.120.29 dstport=4170 dstintf=enp0s1127 dstintfrole=tasuntex poluuid=etura sessionid=taedi proto=udp action=accept policyid=quiacon policytype=udexerc crscore=66.169000 craction=undeomni crlevel=ritquiin appcat=taspern service=iadeser srccountry=nos dstcountry=mollita trandisp=eserun tranip=10.212.208.70 tranport=3237 duration=36.569000 sentbyte=5330 rcvdbyte=11 sentpkt=otamr app=eveli", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "medium", + "log.offset": 97600, + "network.bytes": 5341, + "observer.egress.interface.name": "enp0s1127", + "observer.ingress.interface.name": "enp0s2388", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.35.84.125", + "10.212.208.70", + "10.37.120.29" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "seosquir", + "rsa.misc.context": "eserun", + "rsa.misc.event_source": "uipex", + "rsa.misc.event_type": "rci", + "rsa.misc.hardware_id": "alorumw", + "rsa.misc.log_session_id": "taedi", + "rsa.misc.obj_name": "eveli", + "rsa.misc.policy_id": "quiacon", + "rsa.misc.reference_id": "eiusmo", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "nibus", + "rsa.network.dinterface": "enp0s1127", + "rsa.network.network_service": "iadeser", + "rsa.network.sinterface": "enp0s2388", + "rsa.time.duration_time": 36.569, + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "rsa.time.event_time_str": "ume", + "rsa.web.reputation_num": 66.169, + "service.type": "fortinet", + "source.bytes": 5330, + "source.geo.country_name": "nos", + "source.ip": [ + "10.35.84.125" + ], + "source.port": 341, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-19T03:09:05.000Z", + "destination.bytes": 7419, + "destination.geo.country_name": "ullamcor", + "destination.ip": [ + "10.199.201.26" + ], + "destination.nat.ip": "10.207.207.106", + "destination.nat.port": 2048, + "destination.port": 3770, + "event.action": "accept", + "event.code": "olor", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=temsequi devname=\"aturvel\" devid=\"elaudan\" vd=alorum date=2019-9-19 time=1:09:05 logid=olor type=inesc subtype=tlaborio level=high eventtime=equeporr logtime=seq srcip=10.143.65.84 srcport=2670 srcintf=enp0s5828 srcintfrole=ddoeiu dstip=10.199.201.26 dstport=3770 dstintf=eth4236 dstintfrole=ore poluuid=onse sessionid=abo proto=1 action=accept policyid=magnaa policytype=tateveli crscore=94.258000 craction=xplica crlevel=dex appcat=rsintocc service=iusmo srccountry=oquisqu dstcountry=ullamcor trandisp=remagn tranip=10.207.207.106 tranport=2048 duration=94.877000 sentbyte=6896 rcvdbyte=7419 sentpkt=tvolup app=ites", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "high", + "log.offset": 98232, + "network.bytes": 14315, + "observer.egress.interface.name": "eth4236", + "observer.ingress.interface.name": "enp0s5828", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.199.201.26", + "10.207.207.106", + "10.143.65.84" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.category": "tlaborio", + "rsa.misc.context": "remagn", + "rsa.misc.event_source": "aturvel", + "rsa.misc.event_type": "inesc", + "rsa.misc.hardware_id": "elaudan", + "rsa.misc.log_session_id": "abo", + "rsa.misc.obj_name": "ites", + "rsa.misc.policy_id": "magnaa", + "rsa.misc.reference_id": "olor", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "alorum", + "rsa.network.dinterface": "eth4236", + "rsa.network.network_service": "iusmo", + "rsa.network.sinterface": "enp0s5828", + "rsa.time.duration_time": 94.877, + "rsa.time.event_time": "2019-09-19T03:09:05.000Z", + "rsa.time.event_time_str": "equeporr", + "rsa.web.reputation_num": 94.258, + "service.type": "fortinet", + "source.bytes": 6896, + "source.geo.country_name": "oquisqu", + "source.ip": [ + "10.143.65.84" + ], + "source.port": 2670, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-03T10:11:40.000Z", + "destination.bytes": 3702, + "destination.geo.country_name": "rrorsi", + "destination.ip": [ + "10.163.236.253" + ], + "destination.nat.ip": "10.41.61.88", + "destination.nat.port": 426, + "destination.port": 7768, + "event.action": "block", + "event.code": "lestiaec", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=rExce dtime=2019-10-03 20:11:40.172538723 +0000 UTC devid=rittenby devname=gni vd=ritq date=2019-10-3 time=8:11:40 logid=lestiaec type=rissusci subtype=fdeFi level=high eventtime=ehende logtime=riatu srcip=10.204.27.48 srcport=5998 srcintf=lo7358 srcintfrole=emaperia dstip=10.163.236.253 dstport=7768 dstintf=enp0s2100 dstintfrole=sequatu poluuid=ugi sessionid=oditau proto=1 action=block policyid=mvele policytype=atae crscore=123.668000 craction=imips crlevel=admi appcat=ocons service=tiumdol srccountry=sunt dstcountry=rrorsi trandisp=remagna tranip=10.41.61.88 tranport=426 duration=82.943000 sentbyte=525 rcvdbyte=3702 sentpkt=dolor app=ips", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "high", + "log.offset": 98858, + "network.bytes": 4227, + "observer.egress.interface.name": "enp0s2100", + "observer.ingress.interface.name": "lo7358", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.41.61.88", + "10.204.27.48", + "10.163.236.253" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "fdeFi", + "rsa.misc.context": "remagna", + "rsa.misc.event_source": "gni", + "rsa.misc.event_type": "rissusci", + "rsa.misc.hardware_id": "rittenby", + "rsa.misc.log_session_id": "oditau", + "rsa.misc.obj_name": "ips", + "rsa.misc.policy_id": "mvele", + "rsa.misc.reference_id": "lestiaec", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "ritq", + "rsa.network.dinterface": "enp0s2100", + "rsa.network.network_service": "tiumdol", + "rsa.network.sinterface": "lo7358", + "rsa.time.duration_time": 82.943, + "rsa.time.event_time": "2019-10-03T10:11:40.000Z", + "rsa.time.event_time_str": "ehende", + "rsa.web.reputation_num": 123.668, + "service.type": "fortinet", + "source.bytes": 525, + "source.geo.country_name": "sunt", + "source.ip": [ + "10.204.27.48" + ], + "source.port": 5998, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "destination.bytes": 5239, + "destination.geo.country_name": "ation", + "destination.ip": [ + "10.185.44.26" + ], + "destination.nat.ip": "10.53.110.111", + "destination.nat.port": 2549, + "destination.port": 3193, + "event.action": "cancel", + "event.code": "amest", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=ipitlab dtime=2019-10-18 03:14:14.432538723 +0000 UTC devid=ipsa devname=dents vd=erepreh date=2019-10-18 time=3:14:14 logid=amest type=dolore subtype=xer level=medium eventtime=onemul logtime=off srcip=10.246.81.164 srcport=3453 srcintf=lo3071 srcintfrole=ende dstip=10.185.44.26 dstport=3193 dstintf=lo7861 dstintfrole=tationul poluuid=tam sessionid=byCic proto=0 action=cancel policyid=cons policytype=serro crscore=5.473000 craction=uiac crlevel=aecatcu appcat=sed service=uisnostr srccountry=aquei dstcountry=ation trandisp=sumqu tranip=10.53.110.111 tranport=2549 duration=141.141000 sentbyte=5569 rcvdbyte=5239 sentpkt=entore app=uaturQ", + "fileset.name": "fortimanager", + "input.type": "log", + "log.level": "medium", + "log.offset": 99513, + "network.bytes": 10808, + "observer.egress.interface.name": "lo7861", + "observer.ingress.interface.name": "lo3071", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "related.ip": [ + "10.246.81.164", + "10.53.110.111", + "10.185.44.26" + ], + "rsa.internal.messageid": "generic_fortinetmgr_1", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "xer", + "rsa.misc.context": "sumqu", + "rsa.misc.event_source": "dents", + "rsa.misc.event_type": "dolore", + "rsa.misc.hardware_id": "ipsa", + "rsa.misc.log_session_id": "byCic", + "rsa.misc.obj_name": "uaturQ", + "rsa.misc.policy_id": "cons", + "rsa.misc.reference_id": "amest", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "erepreh", + "rsa.network.dinterface": "lo7861", + "rsa.network.network_service": "uisnostr", + "rsa.network.sinterface": "lo3071", + "rsa.time.duration_time": 141.141, + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "rsa.time.event_time_str": "onemul", + "rsa.web.reputation_num": 5.473, + "service.type": "fortinet", + "source.bytes": 5569, + "source.geo.country_name": "aquei", + "source.ip": [ + "10.246.81.164" + ], + "source.port": 3453, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "destination.bytes": 4334, + "destination.ip": [ + "10.146.77.206" + ], + "destination.port": 1554, + "event.action": "allow", + "event.code": "veli", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=xpli date=2019-11-1 time=10:16:48 log_id=quae devid=totamre devname=lam logid=quamestq type=porai subtype=oinve level=medium vd=hender srcip=10.84.154.230 srcport=1335 srcintf=enp0s1127 dstip=10.212.63.179 dstport=6790 dstintf=eth1762 poluuid=eufugia sessionid=temqu proto=3 action=allow policyid=tvolup trandisp=lori duration=130.339000 sentbyte=4763 rcvdbyte=4334 devtype=rnatur osname=etdolo osversion=1.802 mastersrcmac=adipisci srcmac=01:00:5e:7b:68:0e crscore=36.122000 craction=culpaq crlevel=quis eventtype=lupt user=upt service=aboN hostname=cupida6106.www5.local profile=tdo reqtype=asperna url=https://api.example.com/aco/empo.jpg?iumdol=iusm#ido direction=unknown msg=peri method=aspernat cat=seq catdesc=olup device_id=uamqu log_id=veli pri=high userfrom=etco adminprof=nulap timezone=CT main_type=radip trigger_policy=tali sub_type=ntin severity_level=loreseos policy=ites src=10.109.172.90 src_port=2785 dst=10.146.77.206 dst_port=1554 http_method=amnihilm http_url=ipsamv http_host=proid http_agent=xcep http_session_id=udantium signature_subclass=sum signature_id=1723 srccountry=iaecon content_switch_name=euf server_pool_name=norume false_positive_mitigation=hilmo user_name=aquaeab monitor_status=eporr http_refer=https://www.example.com/metMalo/santiu.jpg?icon=enderit#roquisqu http_version=lapa dev_id=imadm threat_weight=giatquo history_threat_weight=oeiusm threat_level=oreeuf ftp_mode=iusmodt ftp_cmd=umwrit cipher_suite=atatn msg_id=uatD", + "event.timezone": "CT", + "fileset.name": "fortimanager", + "host.name": "cupida6106.www5.local", + "http.request.referrer": "https://www.example.com/metMalo/santiu.jpg?icon=enderit#roquisqu", + "input.type": "log", + "log.level": "high", + "log.offset": 100164, + "network.bytes": 9097, + "network.direction": "unknown", + "network.protocol": "GGP", + "observer.egress.interface.name": "eth1762", + "observer.ingress.interface.name": "enp0s1127", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.802", + "related.hosts": [ + "cupida6106.www5.local" + ], + "related.ip": [ + "10.146.77.206", + "10.109.172.90" + ], + "related.user": [ + "aquaeab" + ], + "rsa.internal.event_desc": "peri", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "lupt", + "rsa.misc.OS": "etdolo", + "rsa.misc.action": [ + "amnihilm", + "allow" + ], + "rsa.misc.category": "ntin", + "rsa.misc.client": "xcep", + "rsa.misc.context": "lori", + "rsa.misc.event_source": "lam", + "rsa.misc.event_type": "porai", + "rsa.misc.fcatnum": "seq", + "rsa.misc.filter": "olup", + "rsa.misc.hardware_id": "uamqu", + "rsa.misc.log_session_id": "udantium", + "rsa.misc.policy_id": "tvolup", + "rsa.misc.policy_name": "ites", + "rsa.misc.reference_id": "veli", + "rsa.misc.rule_name": "tdo", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 1723, + "rsa.misc.version": "1.802", + "rsa.misc.vsys": "hender", + "rsa.network.alias_host": [ + "cupida6106.www5.local" + ], + "rsa.network.dinterface": "eth1762", + "rsa.network.network_service": "aboN", + "rsa.network.sinterface": "enp0s1127", + "rsa.threat.threat_desc": "oreeuf", + "rsa.time.duration_time": 130.339, + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "rsa.time.timezone": "CT", + "rsa.web.reputation_num": 36.122, + "rsa.web.web_ref_domain": "proid", + "rule.name": "tdo", + "service.type": "fortinet", + "source.bytes": 4763, + "source.geo.country_name": "iaecon", + "source.ip": [ + "10.109.172.90" + ], + "source.mac": "01:00:5e:7b:68:0e", + "source.port": 2785, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://api.example.com/aco/empo.jpg?iumdol=iusm#ido", + "url.query": "ipsamv", + "user.name": "aquaeab" + }, + { + "@timestamp": "2019-11-15T07:19:22.000Z", + "destination.bytes": 6464, + "destination.ip": [ + "10.202.250.141" + ], + "destination.port": 1824, + "event.action": "allow", + "event.code": "ern", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2019-11-15 time=5:19:22 devname=ptate device_id=Nemoe log_id=cupidat type=generic subtype=onsequ pri=high devid=nostr devname=umtotam logid=mqua type=emU subtype=gnido level=very-high vd=plicab srcip=10.8.161.226 srcport=3191 srcintf=eth5256 dstip=10.13.234.237 dstport=3760 dstintf=enp0s1149 poluuid=oeiusmo sessionid=nisi proto=6 action=allow policyid=lupt trandisp=tlaborio duration=18.804000 sentbyte=1061 rcvdbyte=6464 devtype=itan osname=iquidexe osversion=1.2314 mastersrcmac=fugia srcmac=01:00:5e:09:8f:0e crscore=5.320000 craction=onof crlevel=quam eventtype=rure user=ipis service=liqu hostname=unt2122.internal.local profile=orsitame reqtype=tassitas url=https://example.org/uidolor/turve.htm?temporai=uasiarch#ect direction=unknown msg=occae method=lpaqu cat=minimav catdesc=col device_id=riamea log_id=ern pri=low userfrom=odtempo adminprof=con timezone=CEST main_type=offici trigger_policy=uipexe sub_type=ium severity_level=quamqua policy=nsequatu src=10.38.18.72 src_port=3177 dst=10.202.250.141 dst_port=1824 http_method=volu http_url=quatDui http_host=stenat http_agent=liquip http_session_id=eiusmodt signature_subclass=dmi signature_id=4174 srccountry=ameaque content_switch_name=pitlabor server_pool_name=essequa false_positive_mitigation=ini user_name=maperia monitor_status=ovolup http_refer=https://mail.example.com/veniamq/uisno.htm?luptas=omm#eaquei http_version=iveli dev_id=lill threat_weight=voluptat history_threat_weight=aturveli threat_level=incidunt ftp_mode=tatnonp ftp_cmd=abi cipher_suite=nimave msg_id=atu", + "event.timezone": "CEST", + "fileset.name": "fortimanager", + "host.name": "unt2122.internal.local", + "http.request.referrer": "https://mail.example.com/veniamq/uisno.htm?luptas=omm#eaquei", + "input.type": "log", + "log.level": "low", + "log.offset": 101635, + "network.bytes": 7525, + "network.direction": "unknown", + "observer.egress.interface.name": "enp0s1149", + "observer.ingress.interface.name": "eth5256", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.2314", + "related.hosts": [ + "unt2122.internal.local" + ], + "related.ip": [ + "10.202.250.141", + "10.38.18.72" + ], + "related.user": [ + "maperia" + ], + "rsa.internal.event_desc": "occae", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "rure", + "rsa.misc.OS": "iquidexe", + "rsa.misc.action": [ + "volu", + "allow" + ], + "rsa.misc.category": "ium", + "rsa.misc.client": "liquip", + "rsa.misc.context": "tlaborio", + "rsa.misc.event_source": "umtotam", + "rsa.misc.event_type": "emU", + "rsa.misc.fcatnum": "minimav", + "rsa.misc.filter": "col", + "rsa.misc.hardware_id": "riamea", + "rsa.misc.log_session_id": "eiusmodt", + "rsa.misc.policy_id": "lupt", + "rsa.misc.policy_name": "nsequatu", + "rsa.misc.reference_id": "ern", + "rsa.misc.rule_name": "orsitame", + "rsa.misc.severity": "low", + "rsa.misc.sig_id": 4174, + "rsa.misc.version": "1.2314", + "rsa.misc.vsys": "plicab", + "rsa.network.alias_host": [ + "unt2122.internal.local" + ], + "rsa.network.dinterface": "enp0s1149", + "rsa.network.network_service": "liqu", + "rsa.network.sinterface": "eth5256", + "rsa.threat.threat_desc": "incidunt", + "rsa.time.duration_time": 18.804, + "rsa.time.event_time": "2019-11-15T07:19:22.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.reputation_num": 5.32, + "rsa.web.web_ref_domain": "stenat", + "rule.name": "orsitame", + "service.type": "fortinet", + "source.bytes": 1061, + "source.geo.country_name": "ameaque", + "source.ip": [ + "10.38.18.72" + ], + "source.mac": "01:00:5e:09:8f:0e", + "source.port": 3177, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://example.org/uidolor/turve.htm?temporai=uasiarch#ect", + "url.query": "quatDui", + "user.name": "maperia" + }, + { + "@timestamp": "2019-11-30T14:21:57.000Z", + "destination.bytes": 4714, + "destination.ip": [ + "10.139.144.75" + ], + "destination.port": 5037, + "event.action": "block", + "event.code": "rchitec", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "logver=siu date=2019-11-30 time=12:21:57 log_id=inrepr devid=cero devname=ita logid=xercitat type=meumfug subtype=umt level=very-high vd=laparia srcip=10.195.87.127 srcport=760 srcintf=lo3094 dstip=10.52.118.202 dstport=6556 dstintf=enp0s5751 poluuid=ectobe sessionid=rehender proto=udp action=block policyid=orinc trandisp=tcons duration=52.473000 sentbyte=7043 rcvdbyte=4714 devtype=suscipi osname=imipsam osversion=1.4674 mastersrcmac=hilm srcmac=01:00:5e:73:ca:c1 crscore=54.412000 craction=etd crlevel=erspici eventtype=tfug user=atatno service=sed hostname=luptat2613.internal.localhost profile=olupt reqtype=mipsum url=https://www.example.net/Maloru/lapariat.htm?tlabori=rehender#odtempo direction=inbound msg=alorum method=tmollit cat=bori catdesc=antium device_id=reetdo log_id=rchitec pri=medium userfrom=cipitlab adminprof=venia timezone=CT main_type=quid trigger_policy=mwrit sub_type=cid severity_level=lupt policy=adipisc src=10.182.124.88 src_port=116 dst=10.139.144.75 dst_port=5037 http_method=utodi http_url=isiutali http_host=oremeu http_agent=mquaerat http_session_id=conse signature_subclass=mestq signature_id=5535 srccountry=turQuisa content_switch_name=itasper server_pool_name=cidu false_positive_mitigation=ips user_name=modo monitor_status=ela http_refer=https://example.org/unti/niamqu.html?ris=veli#giatnu http_version=tanimide dev_id=ectetur threat_weight=umexer history_threat_weight=nim threat_level=nisiuta ftp_mode=cipitla ftp_cmd=ditautf cipher_suite=oluptasn msg_id=madmin", + "event.timezone": "CT", + "fileset.name": "fortimanager", + "host.name": "luptat2613.internal.localhost", + "http.request.referrer": "https://example.org/unti/niamqu.html?ris=veli#giatnu", + "input.type": "log", + "log.level": "medium", + "log.offset": 103183, + "network.bytes": 11757, + "network.direction": "inbound", + "observer.egress.interface.name": "enp0s5751", + "observer.ingress.interface.name": "lo3094", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.4674", + "related.hosts": [ + "luptat2613.internal.localhost" + ], + "related.ip": [ + "10.182.124.88", + "10.139.144.75" + ], + "related.user": [ + "modo" + ], + "rsa.internal.event_desc": "alorum", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "tfug", + "rsa.misc.OS": "imipsam", + "rsa.misc.action": [ + "utodi", + "block" + ], + "rsa.misc.category": "cid", + "rsa.misc.client": "mquaerat", + "rsa.misc.context": "tcons", + "rsa.misc.event_source": "ita", + "rsa.misc.event_type": "meumfug", + "rsa.misc.fcatnum": "bori", + "rsa.misc.filter": "antium", + "rsa.misc.hardware_id": "reetdo", + "rsa.misc.log_session_id": "conse", + "rsa.misc.policy_id": "orinc", + "rsa.misc.policy_name": "adipisc", + "rsa.misc.reference_id": "rchitec", + "rsa.misc.rule_name": "olupt", + "rsa.misc.severity": "medium", + "rsa.misc.sig_id": 5535, + "rsa.misc.version": "1.4674", + "rsa.misc.vsys": "laparia", + "rsa.network.alias_host": [ + "luptat2613.internal.localhost" + ], + "rsa.network.dinterface": "enp0s5751", + "rsa.network.network_service": "sed", + "rsa.network.sinterface": "lo3094", + "rsa.threat.threat_desc": "nisiuta", + "rsa.time.duration_time": 52.473, + "rsa.time.event_time": "2019-11-30T14:21:57.000Z", + "rsa.time.timezone": "CT", + "rsa.web.reputation_num": 54.412, + "rsa.web.web_ref_domain": "oremeu", + "rule.name": "olupt", + "service.type": "fortinet", + "source.bytes": 7043, + "source.geo.country_name": "turQuisa", + "source.ip": [ + "10.182.124.88" + ], + "source.mac": "01:00:5e:73:ca:c1", + "source.port": 116, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www.example.net/Maloru/lapariat.htm?tlabori=rehender#odtempo", + "url.query": "isiutali", + "user.name": "modo" + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "destination.bytes": 568, + "destination.ip": [ + "10.188.124.185" + ], + "destination.port": 5837, + "event.action": "block", + "event.code": "tate", + "event.dataset": "fortinet.fortimanager", + "event.module": "fortinet", + "event.original": "date=2019-12-14 time=7:24:31 logver=imadm devid=stla devname=cab logid=orr type=olu subtype=quatDu level=low vd=siste srcip=10.151.47.249 srcport=6697 srcintf=lo5632 dstip=10.155.194.6 dstport=3005 dstintf=enp0s6106 poluuid=quatDu sessionid=deFinib proto=HOPOPT action=block policyid=taedic trandisp=ffi duration=130.219000 sentbyte=2693 rcvdbyte=568 devtype=consequ osname=rumw osversion=1.1386 mastersrcmac=temveleu srcmac=01:00:5e:df:96:27 crscore=104.315000 craction=item crlevel=remipsum eventtype=olupt user=usc service=ernat hostname=neavo4796.internal.domain profile=tatemac reqtype=exer url=https://www5.example.com/xea/ssecill.html?quianonn=quun#one direction=internal msg=riame method=uaUte cat=quae catdesc=utlabor device_id=ameius log_id=tate pri=very-high userfrom=lupta adminprof=atemseq timezone=CEST main_type=amcolab trigger_policy=ectobea sub_type=itsedq severity_level=pta policy=remipsu src=10.35.10.19 src_port=3941 dst=10.188.124.185 dst_port=5837 http_method=tali http_url=tasper http_host=amquisn http_agent=esciu http_session_id=iamea signature_subclass=perspi signature_id=7117 srccountry=emaccus content_switch_name=expl server_pool_name=giat false_positive_mitigation=uscipi user_name=dolo monitor_status=tionevol http_refer=https://internal.example.com/uptatema/dutpers.htm?tion=iumdol#ept http_version=Mal dev_id=tquasia threat_weight=ficiad history_threat_weight=roinBC threat_level=eufu ftp_mode=tio ftp_cmd=equatDu cipher_suite=exea msg_id=tasnulap", + "event.timezone": "CEST", + "fileset.name": "fortimanager", + "host.name": "neavo4796.internal.domain", + "http.request.referrer": "https://internal.example.com/uptatema/dutpers.htm?tion=iumdol#ept", + "input.type": "log", + "log.level": "very-high", + "log.offset": 104692, + "network.bytes": 3261, + "network.direction": "internal", + "observer.egress.interface.name": "enp0s6106", + "observer.ingress.interface.name": "lo5632", + "observer.product": "FortiManager", + "observer.type": "Configuration", + "observer.vendor": "Fortinet", + "observer.version": "1.1386", + "related.hosts": [ + "neavo4796.internal.domain" + ], + "related.ip": [ + "10.188.124.185", + "10.35.10.19" + ], + "related.user": [ + "dolo" + ], + "rsa.internal.event_desc": "riame", + "rsa.internal.messageid": "generic_fortinetmgr", + "rsa.investigations.event_vcat": "olupt", + "rsa.misc.OS": "rumw", + "rsa.misc.action": [ + "block", + "tali" + ], + "rsa.misc.category": "itsedq", + "rsa.misc.client": "esciu", + "rsa.misc.context": "ffi", + "rsa.misc.event_source": "cab", + "rsa.misc.event_type": "olu", + "rsa.misc.fcatnum": "quae", + "rsa.misc.filter": "utlabor", + "rsa.misc.hardware_id": "ameius", + "rsa.misc.log_session_id": "iamea", + "rsa.misc.policy_id": "taedic", + "rsa.misc.policy_name": "remipsu", + "rsa.misc.reference_id": "tate", + "rsa.misc.rule_name": "tatemac", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id": 7117, + "rsa.misc.version": "1.1386", + "rsa.misc.vsys": "siste", + "rsa.network.alias_host": [ + "neavo4796.internal.domain" + ], + "rsa.network.dinterface": "enp0s6106", + "rsa.network.network_service": "ernat", + "rsa.network.sinterface": "lo5632", + "rsa.threat.threat_desc": "eufu", + "rsa.time.duration_time": 130.219, + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "rsa.time.timezone": "CEST", + "rsa.web.reputation_num": 104.315, + "rsa.web.web_ref_domain": "amquisn", + "rule.name": "tatemac", + "service.type": "fortinet", + "source.bytes": 2693, + "source.geo.country_name": "emaccus", + "source.ip": [ + "10.35.10.19" + ], + "source.mac": "01:00:5e:df:96:27", + "source.port": 3941, + "tags": [ + "fortinet.fortimanager", + "forwarded" + ], + "url.original": "https://www5.example.com/xea/ssecill.html?quianonn=quun#one", + "url.query": "tasper", + "user.name": "dolo" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/googlecloud/audit/config/pipeline.js b/x-pack/filebeat/module/googlecloud/audit/config/pipeline.js index c467cc77c87..a24bd621934 100644 --- a/x-pack/filebeat/module/googlecloud/audit/config/pipeline.js +++ b/x-pack/filebeat/module/googlecloud/audit/config/pipeline.js @@ -43,11 +43,24 @@ function Audit(keep_original_message) { ignore_missing: true }); + // Use the monitored resource type's labels to set the cloud metadata. + // The labels can vary based on the resource.type. + // https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource var setCloudMetadata = new processor.Convert({ fields: [ - {from: "json.resource.labels.project_id", to: "cloud.project.id"}, + { + from: "json.resource.labels.project_id", + to: "cloud.project.id", + type: "string" + }, + { + from: "json.resource.labels.instance_id", + to: "cloud.instance.id", + type: "string" + } ], - ignore_missing: true + ignore_missing: true, + fail_on_error: false, }); // The log includes a protoPayload field. @@ -61,99 +74,213 @@ function Audit(keep_original_message) { // The LogEntry's protoPayload is moved to the json field. The protoPayload // contains the structured audit log fields. + // https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog var convertProtoPayload = new processor.Convert({ fields: [ - {from: "json.@type", to: "googlecloud.audit.type"}, - - {from: "json.authenticationInfo.principalEmail", to: "json.authenticationInfo.principal_email"}, - {from: "json.authenticationInfo.authoritySelector", to: "json.authenticationInfo.authority_selector"}, - {from: "json.authenticationInfo", to: "googlecloud.audit.authentication_info"}, - - {from: "json.authorizationInfo", to: "googlecloud.audit.authorization_info"}, - - {from: "json.methodName", to: "googlecloud.audit.method_name"}, - - {from: "json.numResponseItems", to: "googlecloud.audit.num_response_items", type: "long"}, - - {from: "json.request.@type", to: "googlecloud.audit.request.proto_name"}, - {from: "json.request.filter", to: "googlecloud.audit.request.filter"}, - {from: "json.request.name", to: "googlecloud.audit.request.name"}, - {from: "json.request.resourceName", to: "googlecloud.audit.request.resource_name"}, - - {from: "json.requestMetadata.callerIp", to: "json.requestMetadata.caller_ip", type: "ip"}, - {from: "json.requestMetadata.callerSuppliedUserAgent", to: "json.requestMetadata.caller_supplied_user_agent"}, - {from: "json.requestMetadata", to: "googlecloud.audit.request_metadata"}, - - {from: "json.response.@type", to: "googlecloud.audit.response.proto_name"}, - {from: "json.response.status", to: "googlecloud.audit.response.status"}, - {from: "json.response.details.group", to: "googlecloud.audit.response.details.group"}, - {from: "json.response.details.kind", to: "googlecloud.audit.response.details.kind"}, - {from: "json.response.details.name", to: "googlecloud.audit.response.details.name"}, - {from: "json.response.details.uid", to: "googlecloud.audit.response.details.uid"}, - - {from: "json.resourceName", to: "googlecloud.audit.resource_name"}, - - {from: "json.resourceLocation.currentLocations", to: "json.resourceLocation.current_locations"}, - {from: "json.resourceLocation", to: "googlecloud.audit.resource_location"}, - - {from: "json.serviceName", to: "googlecloud.audit.service_name"}, - - {from: "json.status", to: "googlecloud.audit.status"}, - + { + from: "json.@type", + to: "googlecloud.audit.type", + type: "string" + }, + { + from: "json.authenticationInfo.principalEmail", + to: "googlecloud.audit.authentication_info.principal_email", + type: "string" + }, + { + from: "json.authenticationInfo.authoritySelector", + to: "googlecloud.audit.authentication_info.authority_selector", + type: "string" + }, + { + from: "json.authorizationInfo", + to: "googlecloud.audit.authorization_info" + // Type is an array of objects. + }, + { + from: "json.methodName", + to: "googlecloud.audit.method_name", + type: "string", + }, + { + from: "json.numResponseItems", + to: "googlecloud.audit.num_response_items", + type: "long" + }, + { + from: "json.request.@type", + to: "googlecloud.audit.request.proto_name", + type: "string" + }, + // The values in the request object will depend on the proto type. + // So be very careful about making any assumptions about data shape. + { + from: "json.request.filter", + to: "googlecloud.audit.request.filter", + type: "string" + }, + { + from: "json.request.name", + to: "googlecloud.audit.request.name", + type: "string" + }, + { + from: "json.request.resourceName", + to: "googlecloud.audit.request.resource_name", + type: "string" + }, + { + from: "json.requestMetadata.callerIp", + to: "googlecloud.audit.request_metadata.caller_ip", + type: "ip" + }, + { + from: "json.requestMetadata.callerSuppliedUserAgent", + to: "googlecloud.audit.request_metadata.caller_supplied_user_agent", + type: "string", + }, + { + from: "json.response.@type", + to: "googlecloud.audit.response.proto_name", + type: "string" + }, + // The values in the response object will depend on the proto type. + // So be very careful about making any assumptions about data shape. + { + from: "json.response.status", + to: "googlecloud.audit.response.status", + type: "string" + }, + { + from: "json.response.details.group", + to: "googlecloud.audit.response.details.group", + type: "string" + }, + { + from: "json.response.details.kind", + to: "googlecloud.audit.response.details.kind", + type: "string" + }, + { + from: "json.response.details.name", + to: "googlecloud.audit.response.details.name", + type: "string" + }, + { + from: "json.response.details.uid", + to: "googlecloud.audit.response.details.uid", + type: "string", + }, + { + from: "json.resourceName", + to: "googlecloud.audit.resource_name", + type: "string", + }, + { + from: "json.resourceLocation.currentLocations", + to: "googlecloud.audit.resource_location.current_locations" + // Type is a string array. + }, + { + from: "json.serviceName", + to: "googlecloud.audit.service_name", + type: "string", + }, + { + from: "json.status.code", + to: "googlecloud.audit.status.code", + type: "integer", + }, + { + from: "json.status.message", + to: "googlecloud.audit.status.message", + type: "string" + }, ], mode: "rename", ignore_missing: true, + fail_on_error: false, }); // Copy some fields var copyFields = new processor.Convert({ fields: [ - {from: "googlecloud.audit.request_metadata.caller_ip", to: "source.ip"}, - {from: "googlecloud.audit.authentication_info.principal_email", to: "user.email"}, - {from: "googlecloud.audit.service_name", to: "service.name"}, - {from: "googlecloud.audit.request_metadata.caller_supplied_user_agent", to: "user_agent.original"}, - {from: "googlecloud.audit.method_name", to: "event.action"}, + { + from: "googlecloud.audit.request_metadata.caller_ip", + to: "source.ip", + type: "ip" + }, + { + from: "googlecloud.audit.authentication_info.principal_email", + to: "user.email", + type: "string" + }, + { + from: "googlecloud.audit.service_name", + to: "service.name", + type: "string" + }, + { + from: "googlecloud.audit.request_metadata.caller_supplied_user_agent", + to: "user_agent.original", + type: "string" + }, + { + from: "googlecloud.audit.method_name", + to: "event.action", + type: "string" + }, ], + ignore_missing: true, fail_on_error: false, }); // Drop extra fields var dropExtraFields = function(evt) { evt.Delete("json"); - evt.Delete("googlecloud.audit.request_metadata.requestAttributes"); - evt.Delete("googlecloud.audit.request_metadata.destinationAttributes"); }; - // Rename nested fields - var RenameNestedFields = function(evt) { + // Rename nested fields. + var renameNestedFields = function(evt) { var arr = evt.Get("googlecloud.audit.authorization_info"); - for (var i = 0; i < arr.length; i++) { - arr[i].resource_attributes = arr[i].resourceAttributes; - delete arr[i].resourceAttributes; + if (Array.isArray(arr)) { + for (var i = 0; i < arr.length; i++) { + if (arr[i].resourceAttributes) { + // Convert to snake_case. + arr[i].resource_attributes = arr[i].resourceAttributes; + delete arr[i].resourceAttributes; + } + } } }; // Set ECS categorization fields. var setECSCategorization = function(evt) { + evt.Put("event.kind", "event"); + + // google.rpc.Code value for OK is 0. + if (evt.Get("googlecloud.audit.status.code") === 0) { + evt.Put("event.outcome", "success"); + return; + } + + // Try to use authorization_info.granted when there was no status code. if (evt.Get("googlecloud.audit.status.code") == null) { var authorization_info = evt.Get("googlecloud.audit.authorization_info"); - if (authorization_info.length === 1) { - if (authorization_info[0].granted == null) { - evt.Put("event.outcome", "unknown"); - } else if (authorization_info[0].granted === true) { + if (Array.isArray(authorization_info) && authorization_info.length === 1) { + if (authorization_info[0].granted === true) { evt.Put("event.outcome", "success"); - } else { + } else if (authorization_info[0].granted === false) { evt.Put("event.outcome", "failure"); } - } else { - evt.Put("event.outcome", "unknown"); - } - } else if (evt.Get("googlecloud.audit.status.code") === 0) { - evt.Put("event.outcome", "success"); - } else { - evt.Put("event.outcome", "failure"); + return + } + + evt.Put("event.outcome", "unknown"); + return; } - evt.Put("event.kind", "event"); + + evt.Put("event.outcome", "failure"); }; var pipeline = new processor.Chain() @@ -167,7 +294,7 @@ function Audit(keep_original_message) { .Add(convertProtoPayload) .Add(copyFields) .Add(dropExtraFields) - .Add(RenameNestedFields) + .Add(renameNestedFields) .Add(setECSCategorization) .Build(); diff --git a/x-pack/filebeat/module/googlecloud/audit/ingest/pipeline.yml b/x-pack/filebeat/module/googlecloud/audit/ingest/pipeline.yml index 6c148a0c07c..8e0d3ac6fdb 100644 --- a/x-pack/filebeat/module/googlecloud/audit/ingest/pipeline.yml +++ b/x-pack/filebeat/module/googlecloud/audit/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: Pipeline for Google Cloud audit logs processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - user_agent: field: user_agent.original ignore_missing: true diff --git a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log index 6446bf639f4..9c228890527 100644 --- a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log +++ b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log @@ -2,3 +2,6 @@ {"insertId":"-h6onuze1h7dg","logName":"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"granted":false,"permission":"compute.machineTypes.list","resourceAttributes":{"name":"projects/elastic-beats","service":"resourcemanager","type":"resourcemanager.projects"}}],"methodName":"beta.compute.machineTypes.aggregatedList","numResponseItems":"71","request":{"@type":"type.googleapis.com/compute.machineTypes.aggregatedList"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2019-12-19T00:45:51.711Z"}},"resourceLocation":{"currentLocations":["global"]},"resourceName":"projects/elastic-beats/global/machineTypes","serviceName":"compute.googleapis.com"},"receiveTimestamp":"2019-12-19T00:45:52.367887078Z","resource":{"labels":{"location":"global","method":"compute.machineTypes.aggregatedList","project_id":"elastic-beats","service":"compute.googleapis.com","version":"beta"},"type":"api"},"severity":"INFO","timestamp":"2019-12-19T00:45:51.228Z"} {"insertId":"yonau2dg2zi","logName":"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"granted":true,"permission":"compute.instances.list","resourceAttributes":{"name":"projects/elastic-beats","service":"resourcemanager","type":"resourcemanager.projects"}}],"methodName":"beta.compute.instances.aggregatedList","numResponseItems":"61","request":{"@type":"type.googleapis.com/compute.instances.aggregatedList"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2019-12-19T00:44:25.198Z"}},"response":{"@type":"core.k8s.io/v1.Status","apiVersion":"v1","details":{"group":"batch","kind":"jobs","name":"gsuite-exporter-1589294700","uid":"2beff34a-945f-11ea-bacf-42010a80007f"},"kind":"Status","metadata":{},"status":"Success"},"resourceLocation":{"currentLocations":["global"]},"resourceName":"projects/elastic-beats/global/instances","serviceName":"compute.googleapis.com"},"receiveTimestamp":"2019-12-19T00:44:25.262379373Z","resource":{"labels":{"location":"global","method":"compute.instances.aggregatedList","project_id":"elastic-beats","service":"compute.googleapis.com","version":"beta"},"type":"api"},"severity":"INFO","timestamp":"2019-12-19T00:44:25.051Z"} {"insertId":"yonau3dc2zi","logName":"projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"xxx@xxx.xxx"},"authorizationInfo":[{"permission":"compute.instances.list","resourceAttributes":{"name":"projects/elastic-beats","service":"resourcemanager","type":"resourcemanager.projects"}}],"methodName":"beta.compute.instances.aggregatedList","numResponseItems":"61","request":{"@type":"type.googleapis.com/compute.instances.aggregatedList"},"requestMetadata":{"callerIp":"192.168.1.1","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2019-12-19T00:44:25.198Z"}},"resourceLocation":{"currentLocations":["global"]},"resourceName":"projects/elastic-beats/global/instances","serviceName":"compute.googleapis.com","status":{"code":7,"message":"PERMISSION_DENIED"}},"receiveTimestamp":"2019-12-19T00:44:25.262379373Z","resource":{"labels":{"location":"global","method":"compute.instances.aggregatedList","project_id":"elastic-beats","service":"compute.googleapis.com","version":"beta"},"type":"api"},"severity":"INFO","timestamp":"2019-12-19T00:44:25.051Z"} +{"insertId":"87efd529-6349-45d2-b905-fc607e6c5d3b","labels":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"cert-manager-webhook:auth-delegator\" of ClusterRole \"system:auth-delegator\" to ServiceAccount \"cert-manager-webhook/cert-manager\""},"logName":"projects/foo/logs/cloudaudit.googleapis.com%2Fdata_access","operation":{"first":true,"id":"5555555-6349-45d2-b905-fc607e6c5d3b","last":true,"producer":"k8s.io"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"system:serviceaccount:cert-manager:cert-manager-webhook"},"authorizationInfo":[{"granted":true,"permission":"io.k8s.authorization.v1beta1.subjectaccessreviews.create","resource":"authorization.k8s.io/v1beta1/subjectaccessreviews"}],"methodName":"io.k8s.authorization.v1beta1.subjectaccessreviews.create","request":{"@type":"authorization.k8s.io/v1beta1.SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","kind":"SubjectAccessReview","metadata":{"creationTimestamp":null},"spec":{"group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"nonResourceAttributes":{"path":"/apis/webhook.cert-manager.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:resourcequota-controller"},"status":{"allowed":false}},"requestMetadata":{"callerIp":"10.11.12.13","callerSuppliedUserAgent":"webhook/v0.0.0 (linux/amd64) kubernetes/$Format"},"resourceName":"authorization.k8s.io/v1beta1/subjectaccessreviews","response":{"@type":"authorization.k8s.io/v1beta1.SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","kind":"SubjectAccessReview","metadata":{"creationTimestamp":null},"spec":{"group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"nonResourceAttributes":{"path":"/apis/webhook.cert-manager.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:resourcequota-controller"},"status":{"allowed":true,"reason":"RBAC: allowed by ClusterRoleBinding \"system:discovery\" of ClusterRole \"system:discovery\" to Group \"system:authenticated\""}},"serviceName":"k8s.io","status":{"code":0}},"receiveTimestamp":"2020-08-05T21:07:32.157698684Z","resource":{"labels":{"cluster_name":"analysis-cluster","location":"us-central1-a","project_id":"elastic-siem"},"type":"k8s_cluster"},"timestamp":"2020-08-05T21:07:30.974750Z"} +{"insertId":"v2spcwdzmc2","logName":"projects/foo/logs/cloudaudit.googleapis.com%2Factivity","operation":{"first":true,"id":"operation-1596664766354-5ac287c395484-fa3923bd-543e018e","producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@mycompany.com"},"authorizationInfo":[{"granted":true,"permission":"compute.images.create","resourceAttributes":{"name":"projects/foo/global/images/windows-server-2016-v20200805","service":"compute","type":"compute.images"}}],"methodName":"v1.compute.images.insert","request":{"@type":"type.googleapis.com/compute.images.insert","family":"windows-server-2016","guestOsFeatures":[{"type":"VIRTIO_SCSI_MULTIQUEUE"},{"type":"WINDOWS"}],"name":"windows-server-2016-v20200805","rawDisk":{"source":"https://storage.googleapis.com/storage/v1/b/foo/o/windows-server-2016-v20200805.tar.gz"},"sourceType":"RAW"},"requestMetadata":{"callerIp":"1.2.3.4","callerSuppliedUserAgent":"google-cloud-sdk gcloud/290.0.1 command/gcloud.compute.images.create invocation-id/032752ad0fa44b4ea951951d2deef6a3 environment/None environment-version/None interactive/True from-script/False python/2.7.17 term/xterm-256color (Macintosh; Intel Mac OS X 19.6.0),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2020-08-05T21:59:27.515Z"}},"resourceLocation":{"currentLocations":["eu"]},"resourceName":"projects/foo/global/images/windows-server-2016-v20200805","response":{"@type":"type.googleapis.com/operation","id":"44919313","insertTime":"2020-08-05T14:59:27.259-07:00","name":"operation-1596664766354-5ac287c395484-fa3923bd-543e018e","operationType":"insert","progress":"0","selfLink":"https://www.googleapis.com/compute/v1/projects/foo/global/operations/operation-1596664766354-5ac287c395484-fa3923bd-543e018e","selfLinkWithId":"https://www.googleapis.com/compute/v1/projects/foo/global/operations/4491931805423146320","startTime":"2020-08-05T14:59:27.274-07:00","status":"RUNNING","targetId":"12345","targetLink":"https://www.googleapis.com/compute/v1/projects/foo/global/images/windows-server-2016-v20200805","user":"user@mycompany.com"},"serviceName":"compute.googleapis.com"},"receiveTimestamp":"2020-08-05T21:59:27.822546978Z","resource":{"labels":{"image_id":"771879043","project_id":"foo"},"type":"gce_image"},"severity":"NOTICE","timestamp":"2020-08-05T21:59:26.456Z"} +{"insertId":"-c7ctxmd2zab","logName":"projects/foo/logs/cloudaudit.googleapis.com%2Factivity","operation":{"id":"operation-1596646123456-5ac2438b775f6-f8ca1382-e70b6831","last":true,"producer":"compute.googleapis.com"},"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@mycompany.com"},"methodName":"beta.compute.instances.stop","request":{"@type":"type.googleapis.com/compute.instances.stop"},"requestMetadata":{"callerIp":"2.3.4.5","callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0,gzip(gfe),gzip(gfe)"},"resourceName":"projects/foo/zones/us-central1-a/instances/win10-test","serviceName":"compute.googleapis.com"},"receiveTimestamp":"2020-08-05T16:56:41.315135528Z","resource":{"labels":{"instance_id":"590261181","project_id":"foo","zone":"us-central1-a"},"type":"gce_instance"},"severity":"NOTICE","timestamp":"2020-08-05T16:56:40.428Z"} diff --git a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json index 18754e2db95..2d1832bc54a 100644 --- a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json @@ -79,7 +79,7 @@ "forwarded" ], "user.email": "xxx@xxx.xxx", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", "user_agent.os.full": "Mac OS X 10.15", @@ -136,7 +136,7 @@ "forwarded" ], "user.email": "xxx@xxx.xxx", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", "user_agent.os.full": "Mac OS X 10.15", @@ -188,12 +188,160 @@ "forwarded" ], "user.email": "xxx@xxx.xxx", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", "user_agent.os.full": "Mac OS X 10.15", "user_agent.os.name": "Mac OS X", "user_agent.os.version": "10.15", "user_agent.version": "71.0." + }, + { + "@timestamp": "2020-08-05T21:07:30.974Z", + "cloud.project.id": "elastic-siem", + "event.action": "io.k8s.authorization.v1beta1.subjectaccessreviews.create", + "event.dataset": "googlecloud.audit", + "event.id": "87efd529-6349-45d2-b905-fc607e6c5d3b", + "event.kind": "event", + "event.module": "googlecloud", + "event.outcome": "success", + "fileset.name": "audit", + "googlecloud.audit.authentication_info.principal_email": "system:serviceaccount:cert-manager:cert-manager-webhook", + "googlecloud.audit.authorization_info": [ + { + "granted": true, + "permission": "io.k8s.authorization.v1beta1.subjectaccessreviews.create", + "resource": "authorization.k8s.io/v1beta1/subjectaccessreviews" + } + ], + "googlecloud.audit.method_name": "io.k8s.authorization.v1beta1.subjectaccessreviews.create", + "googlecloud.audit.request.proto_name": "authorization.k8s.io/v1beta1.SubjectAccessReview", + "googlecloud.audit.request_metadata.caller_ip": "10.11.12.13", + "googlecloud.audit.request_metadata.caller_supplied_user_agent": "webhook/v0.0.0 (linux/amd64) kubernetes/$Format", + "googlecloud.audit.resource_name": "authorization.k8s.io/v1beta1/subjectaccessreviews", + "googlecloud.audit.response.proto_name": "authorization.k8s.io/v1beta1.SubjectAccessReview", + "googlecloud.audit.response.status": "map[allowed:true reason:RBAC: allowed by ClusterRoleBinding \"system:discovery\" of ClusterRole \"system:discovery\" to Group \"system:authenticated\"]", + "googlecloud.audit.service_name": "k8s.io", + "googlecloud.audit.status.code": 0, + "googlecloud.audit.type": "type.googleapis.com/google.cloud.audit.AuditLog", + "input.type": "log", + "log.logger": "projects/foo/logs/cloudaudit.googleapis.com%2Fdata_access", + "log.offset": 5100, + "service.name": "k8s.io", + "service.type": "googlecloud", + "source.ip": "10.11.12.13", + "tags": [ + "forwarded" + ], + "user.email": "system:serviceaccount:cert-manager:cert-manager-webhook", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "webhook/v0.0.0 (linux/amd64) kubernetes/$Format", + "user_agent.os.name": "Linux" + }, + { + "@timestamp": "2020-08-05T21:59:26.456Z", + "cloud.project.id": "foo", + "event.action": "v1.compute.images.insert", + "event.dataset": "googlecloud.audit", + "event.id": "v2spcwdzmc2", + "event.kind": "event", + "event.module": "googlecloud", + "event.outcome": "success", + "fileset.name": "audit", + "googlecloud.audit.authentication_info.principal_email": "user@mycompany.com", + "googlecloud.audit.authorization_info": [ + { + "granted": true, + "permission": "compute.images.create", + "resource_attributes": { + "name": "projects/foo/global/images/windows-server-2016-v20200805", + "service": "compute", + "type": "compute.images" + } + } + ], + "googlecloud.audit.method_name": "v1.compute.images.insert", + "googlecloud.audit.request.name": "windows-server-2016-v20200805", + "googlecloud.audit.request.proto_name": "type.googleapis.com/compute.images.insert", + "googlecloud.audit.request_metadata.caller_ip": "1.2.3.4", + "googlecloud.audit.request_metadata.caller_supplied_user_agent": "google-cloud-sdk gcloud/290.0.1 command/gcloud.compute.images.create invocation-id/032752ad0fa44b4ea951951d2deef6a3 environment/None environment-version/None interactive/True from-script/False python/2.7.17 term/xterm-256color (Macintosh; Intel Mac OS X 19.6.0),gzip(gfe)", + "googlecloud.audit.resource_location.current_locations": [ + "eu" + ], + "googlecloud.audit.resource_name": "projects/foo/global/images/windows-server-2016-v20200805", + "googlecloud.audit.response.proto_name": "type.googleapis.com/operation", + "googlecloud.audit.response.status": "RUNNING", + "googlecloud.audit.service_name": "compute.googleapis.com", + "googlecloud.audit.type": "type.googleapis.com/google.cloud.audit.AuditLog", + "input.type": "log", + "log.logger": "projects/foo/logs/cloudaudit.googleapis.com%2Factivity", + "log.offset": 7530, + "service.name": "compute.googleapis.com", + "service.type": "googlecloud", + "source.geo.city_name": "Moscow", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RU", + "source.geo.location.lat": 55.7527, + "source.geo.location.lon": 37.6172, + "source.geo.region_iso_code": "RU-MOW", + "source.geo.region_name": "Moscow", + "source.ip": "1.2.3.4", + "tags": [ + "forwarded" + ], + "user.email": "user@mycompany.com", + "user_agent.device.name": "Mac", + "user_agent.name": "Other", + "user_agent.original": "google-cloud-sdk gcloud/290.0.1 command/gcloud.compute.images.create invocation-id/032752ad0fa44b4ea951951d2deef6a3 environment/None environment-version/None interactive/True from-script/False python/2.7.17 term/xterm-256color (Macintosh; Intel Mac OS X 19.6.0),gzip(gfe)", + "user_agent.os.full": "Mac OS X 19.6.0", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "19.6.0" + }, + { + "@timestamp": "2020-08-05T16:56:40.428Z", + "cloud.instance.id": "590261181", + "cloud.project.id": "foo", + "event.action": "beta.compute.instances.stop", + "event.dataset": "googlecloud.audit", + "event.id": "-c7ctxmd2zab", + "event.kind": "event", + "event.module": "googlecloud", + "event.outcome": "unknown", + "fileset.name": "audit", + "googlecloud.audit.authentication_info.principal_email": "user@mycompany.com", + "googlecloud.audit.method_name": "beta.compute.instances.stop", + "googlecloud.audit.request.proto_name": "type.googleapis.com/compute.instances.stop", + "googlecloud.audit.request_metadata.caller_ip": "2.3.4.5", + "googlecloud.audit.request_metadata.caller_supplied_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0,gzip(gfe),gzip(gfe)", + "googlecloud.audit.resource_name": "projects/foo/zones/us-central1-a/instances/win10-test", + "googlecloud.audit.service_name": "compute.googleapis.com", + "googlecloud.audit.type": "type.googleapis.com/google.cloud.audit.AuditLog", + "input.type": "log", + "log.logger": "projects/foo/logs/cloudaudit.googleapis.com%2Factivity", + "log.offset": 9946, + "service.name": "compute.googleapis.com", + "service.type": "googlecloud", + "source.as.number": 3215, + "source.as.organization.name": "Orange", + "source.geo.city_name": "Clermont-Ferrand", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "FR", + "source.geo.location.lat": 45.7838, + "source.geo.location.lon": 3.0966, + "source.geo.region_iso_code": "FR-63", + "source.geo.region_name": "Puy-de-D\u00f4me", + "source.ip": "2.3.4.5", + "tags": [ + "forwarded" + ], + "user.email": "user@mycompany.com", + "user_agent.device.name": "Mac", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0,gzip(gfe),gzip(gfe)", + "user_agent.os.full": "Mac OS X 10.15", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15", + "user_agent.version": "79.0." } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/googlecloud/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/googlecloud/firewall/ingest/pipeline.yml index 8d68de684a6..b01435b7b62 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/googlecloud/firewall/ingest/pipeline.yml @@ -1,6 +1,10 @@ description: Pipeline for Google Cloud Firewall Logs processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # IP Geolocation Lookup - geoip: field: source.ip diff --git a/x-pack/filebeat/module/googlecloud/vpcflow/ingest/pipeline.yml b/x-pack/filebeat/module/googlecloud/vpcflow/ingest/pipeline.yml index 161de8ea031..a8af06f2f4b 100644 --- a/x-pack/filebeat/module/googlecloud/vpcflow/ingest/pipeline.yml +++ b/x-pack/filebeat/module/googlecloud/vpcflow/ingest/pipeline.yml @@ -1,6 +1,10 @@ description: Pipeline for Google Cloud VPC Flow Logs processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # IP Geolocation Lookup - geoip: field: source.ip diff --git a/x-pack/filebeat/module/gsuite/_meta/config.yml b/x-pack/filebeat/module/gsuite/_meta/config.yml index 5301bb8567a..f557da1b720 100644 --- a/x-pack/filebeat/module/gsuite/_meta/config.yml +++ b/x-pack/filebeat/module/gsuite/_meta/config.yml @@ -1,6 +1,49 @@ - module: gsuite - # All logs saml: enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h user_accounts: enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + login: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + admin: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + drive: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + groups: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h diff --git a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc index 4af4410b17e..37f11e4a945 100644 --- a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc @@ -16,14 +16,28 @@ include::../include/gs-link.asciidoc[] It is compatible with a subset of applications under the https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started[Google Reports API v1]. As of today it supports: -- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[SAML Audit Activity Events] -- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[User Accounts Activity Events] +[options="header"] +|=========================================================================================================================================================================================================================== +| GSuite Service | Description | +| SAML https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[api docs] https://support.google.com/a/answer/7007375?hl=en&ref_topic=9027054[help] | View users’ successful and failed sign-ins to SAML applications. | +| User Accounts https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[api docs] https://support.google.com/a/answer/9022875?hl=en&ref_topic=9027054[help] | Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment. | +| Login https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[api docs] https://support.google.com/a/answer/4580120?hl=en&ref_topic=9027054[help] | Track user sign-in activity to your domain. | +| Admin https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[api docs] https://support.google.com/a/answer/4579579?hl=en&ref_topic=9027054[help] | View administrator activity performed within the Google Admin console. | +| Drive https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[api docs] https://support.google.com/a/answer/4579696?hl=en&ref_topic=9027054[help] | Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files. | +| Groups https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups[api docs] https://support.google.com/a/answer/6270454?hl=en&ref_topic=9027054[help] | Track changes to groups, group memberships and group messages. | +|=========================================================================================================================================================================================================================== +[float] === Configure the module -In order for filebeat to ingest data from the Google Reports API you must set up a `ServiceAccount` that has access to the `Admin SDK API`. Additionally https://developers.google.com/admin-sdk/reports/v1/guides/delegation[Domain-Wide Delegation] is required for your application to work properly. +In order for Filebeat to ingest data from the Google Reports API you must: + +- Have an *administrator account*. +- https://support.google.com/gsuitemigrate/answer/9222993?hl=en[Set up a ServiceAccount] using the administrator account. +- https://support.google.com/gsuitemigrate/answer/9222865?hl=en[Set up access to the Admin SDK API] for the ServiceAccount. +- https://developers.google.com/admin-sdk/reports/v1/guides/delegation[Enable Domain-Wide Delegation] for your ServiceAccount. -This module will make use of the following `oauth2 scope`: +This module will make use of the following *oauth2 scope*: - `https://www.googleapis.com/auth/admin.reports.audit.readonly` @@ -44,6 +58,22 @@ you can set up your module: enabled: true var.jwt_file: "./credentials_file.json" var.delegated_account: "user@example.com" + login: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + admin: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + drive: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + groups: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" ---- Every fileset has the following configuration options: @@ -63,29 +93,36 @@ Duration of the time limit on HTTP requests made by the module. Defaults to *`var.interval`*:: -Duration between requests to the API. Defaults to `60s`. +Duration between requests to the API. Defaults to `2h`. + +NOTE: GSuite defaults to a 2 hour polling interval because Google reports can go from +some minutes up to 3 days of delay. For more details on this, you can read more https://support.google.com/a/answer/7061566[here]. *`var.user_key`*:: Specifies the user key to fetch reports from. Defaults to `all`. +*`var.initial_interval`*:: + +It will poll events up to this time period when the module starts. This is to prevent polling too many or repeated events on module restarts. Defaults to `24h`. + [float] ==== GSuite Reports ECS fields This is a list of GSuite Reports fields that are mapped to ECS. [options="header"] -|======================================================================================= -| GSuite Reports | ECS Fields | -| items[].id.time | @timestamp | -| items[].id.uniqueQualifier | event.id | -| items[].id.applicationName | event.provider | -| items[].events[].name | event.action | -| items[].customerId | organization.id | -| items[].ipAddress | client.ip, related.ip, client.as.*, client.geo.* | -| items[].actor.email | client.user.email, client.user.name, client.user.domain | -| items[].actor.profileId | client.user.id | -|======================================================================================= +|=============================================================================================== +| GSuite Reports | ECS Fields | +| `items[].id.time` | `@timestamp` | +| `items[].id.uniqueQualifier` | `event.id` | +| `items[].id.applicationName` | `event.provider` | +| `items[].events[].name` | `event.action` | +| `items[].customerId` | `organization.id` | +| `items[].ipAddress` | `source.ip`, related.ip`, `source.as.*`, `source.geo.*` | +| `items[].actor.email` | `source.user.email`, `source.user.name`, `source.user.domain` | +| `items[].actor.profileId` | `source.user.id` | +|=============================================================================================== These are the common ones to all filesets. diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml new file mode 100644 index 00000000000..7c82f3ed6e7 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml @@ -0,0 +1,271 @@ +- name: admin + type: group + fields: + - name: application.edition + type: keyword + description: The GSuite edition. + - name: application.name + type: keyword + description: The application's name. + - name: application.enabled + type: keyword + description: The enabled application. + - name: application.licences_order_number + type: keyword + description: Order number used to redeem licenses. + - name: application.licences_purchased + type: keyword + description: Number of licences purchased. + - name: application.id + type: keyword + description: The application ID. + - name: application.asp_id + type: keyword + description: The application specific password ID. + - name: application.package_id + type: keyword + description: The mobile application package ID. + - name: group.email + type: keyword + description: The group's primary email address. + - name: new_value + type: keyword + description: The new value for the setting. + - name: old_value + type: keyword + description: The old value for the setting. + - name: org_unit.name + type: keyword + description: The organizational unit name. + - name: org_unit.full + type: keyword + description: The org unit full path including the root org unit name. + - name: setting.name + type: keyword + description: The setting name. + - name: user_defined_setting.name + type: keyword + description: The name of the user-defined setting. + - name: setting.description + type: keyword + description: The setting name. + - name: group.priorities + type: keyword + description: Group priorities. + - name: domain.alias + type: keyword + description: The domain alias. + - name: domain.name + type: keyword + description: The primary domain name. + - name: domain.secondary_name + type: keyword + description: The secondary domain name. + - name: managed_configuration + type: keyword + description: The name of the managed configuration. + - name: non_featured_services_selection + type: keyword + description: > + Non-featured services selection. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED + - name: field + type: keyword + description: The name of the field. + - name: resource.id + type: keyword + description: The name of the resource identifier. + - name: user.email + type: keyword + description: The user's primary email address. + - name: user.nickname + type: keyword + description: The user's nickname. + - name: user.birthdate + type: date + description: The user's birth date. + - name: gateway.name + type: keyword + description: Gateway name. Present on some chat settings. + - name: chrome_os.session_type + type: keyword + description: Chrome OS session type. + - name: device.serial_number + type: keyword + description: Device serial number. + - name: device.id + type: keyword + - name: device.type + type: keyword + description: Device type. + - name: print_server.name + type: keyword + description: The name of the print server. + - name: printer.name + type: keyword + description: The name of the printer. + - name: device.command_details + type: keyword + description: Command details. + - name: role.id + type: keyword + description: Unique identifier for this role privilege. + - name: role.name + type: keyword + description: > + The role name. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings + - name: privilege.name + type: keyword + description: Privilege name. + - name: service.name + type: keyword + description: The service name. + - name: url.name + type: keyword + description: The website name. + - name: product.name + type: keyword + description: The product name. + - name: product.sku + type: keyword + description: The product SKU. + - name: bulk_upload.failed + type: long + description: Number of failed records in bulk upload operation. + - name: bulk_upload.total + type: long + description: Number of total records in bulk upload operation. + - name: group.allowed_list + type: keyword + description: Names of allow-listed groups. + - name: email.quarantine_name + type: keyword + description: The name of the quarantine. + - name: email.log_search_filter.message_id + type: keyword + description: The log search filter's email message ID. + - name: email.log_search_filter.start_date + type: date + description: The log search filter's start date. + - name: email.log_search_filter.end_date + type: date + description: The log search filter's ending date. + - name: email.log_search_filter.recipient.value + type: keyword + description: The log search filter's email recipient. + - name: email.log_search_filter.sender.value + type: keyword + description: The log search filter's email sender. + - name: email.log_search_filter.recipient.ip + type: ip + description: The log search filter's email recipient's IP address. + - name: email.log_search_filter.sender.ip + type: ip + description: The log search filter's email sender's IP address. + - name: chrome_licenses.enabled + type: keyword + description: > + Licences enabled. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + - name: chrome_licenses.allowed + type: keyword + description: > + Licences enabled. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + - name: oauth2.service.name + type: keyword + description: > + OAuth2 service name. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + - name: oauth2.application.id + type: keyword + description: OAuth2 application ID. + - name: oauth2.application.name + type: keyword + description: OAuth2 application name. + - name: oauth2.application.type + type: keyword + description: > + OAuth2 application type. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + - name: verification_method + type: keyword + description: > + Related verification method. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and + https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + - name: alert.name + type: keyword + description: The alert name. + - name: rule.name + type: keyword + description: The rule name. + - name: api.client.name + type: keyword + description: The API client name. + - name: api.scopes + type: keyword + description: The API scopes. + - name: mdm.token + type: keyword + description: The MDM vendor enrollment token. + - name: mdm.vendor + type: keyword + description: The MDM vendor's name. + - name: info_type + type: keyword + description: > + This will be used to state what kind of information was changed. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + - name: email_monitor.dest_email + type: keyword + description: The destination address of the email monitor. + - name: email_monitor.level.chat + type: keyword + description: The chat email monitor level. + - name: email_monitor.level.draft + type: keyword + description: The draft email monitor level. + - name: email_monitor.level.incoming + type: keyword + description: The incoming email monitor level. + - name: email_monitor.level.outgoing + type: keyword + description: The outgoing email monitor level. + - name: email_dump.include_deleted + type: boolean + description: Indicates if deleted emails are included in the export. + - name: email_dump.package_content + type: keyword + description: The contents of the mailbox package. + - name: email_dump.query + type: keyword + description: The search query used for the dump. + - name: request.id + type: keyword + description: The request ID. + - name: mobile.action.id + type: keyword + description: The mobile device action's ID. + - name: mobile.action.type + type: keyword + description: > + The mobile device action's type. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + - name: mobile.certificate.name + type: keyword + description: The mobile certificate common name. + - name: mobile.company_owned_devices + type: long + description: The number of devices a company owns. + - name: distribution.entity.name + type: keyword + description: > + The distribution entity value, which can be a group name or an org-unit name. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + - name: distribution.entity.type + type: keyword + description: > + The distribution entity type, which can be a group or an org-unit. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings diff --git a/x-pack/filebeat/module/gsuite/admin/config/config.yml b/x-pack/filebeat/module/gsuite/admin/config/config.yml new file mode 100644 index 00000000000..b5c62d3657f --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/config/config.yml @@ -0,0 +1,50 @@ +{{ if eq .input "httpjson" }} +type: httpjson + +url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/admin +json_objects_array: items +split_events_by: events + +interval: {{ .interval }} + +{{ if .http_client_timeout }} +http_client_timeout: {{ .http_client_timeout }} +{{ end }} + +oauth2.provider: google +oauth2.google.jwt_file: {{ .jwt_file }} +oauth2.google.delegated_account: {{ .delegated_account }} +oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly + +date_cursor.url_field: startTime +date_cursor.initial_interval: {{ .initial_interval }} + +pagination.id_field: nextPageToken +pagination.url_field: pageToken + +{{ else if eq .input "file" }} +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - add_fields: + target: '' + fields: + ecs.version: 1.5.0 + - script: + lang: javascript + id: gsuite-common + file: ${path.home}/module/gsuite/config/common.js + - script: + lang: javascript + id: gsuite-admin + file: ${path.home}/module/gsuite/admin/config/pipeline.js diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js new file mode 100644 index 00000000000..0e014e8094c --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js @@ -0,0 +1,946 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var login = (function () { + var processor = require("processor"); + + var categorizeEvent = function(evt) { + evt.Put("event.category", ["iam"]); + switch (evt.Get("event.action")) { + case "CHANGE_APPLICATION_SETTING": + case "UPDATE_MANAGED_CONFIGURATION": + case "GPLUS_PREMIUM_FEATURES": + case "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED": + case "UPDATE_BUILDING": + case "UPDATE_CALENDAR_RESOURCE_FEATURE": + case "RENAME_CALENDAR_RESOURCE": + case "UPDATE_CALENDAR_RESOURCE": + case "CHANGE_CALENDAR_SETTING": + case "CANCEL_CALENDAR_EVENTS": + case "RELEASE_CALENDAR_RESOURCES": + case "MEET_INTEROP_MODIFY_GATEWAY": + case "CHANGE_CHAT_SETTING": + case "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING": + case "CHANGE_DEVICE_STATE": + case "CHANGE_CHROME_OS_APPLICATION_SETTING": + case "CHANGE_CHROME_OS_DEVICE_ANNOTATION": + case "CHANGE_CHROME_OS_DEVICE_SETTING": + case "CHANGE_CHROME_OS_DEVICE_STATE": + case "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING": + case "UPDATE_CHROME_OS_PRINT_SERVER": + case "UPDATE_CHROME_OS_PRINTER": + case "CHANGE_CHROME_OS_SETTING": + case "CHANGE_CHROME_OS_USER_SETTING": + case "MOVE_DEVICE_TO_ORG_UNIT_DETAILED": + case "UPDATE_DEVICE": + case "SEND_CHROME_OS_DEVICE_COMMAND": + case "CHANGE_CONTACTS_SETTING": + case "ASSIGN_ROLE": + case "ADD_PRIVILEGE": + case "REMOVE_PRIVILEGE": + case "RENAME_ROLE": + case "UPDATE_ROLE": + case "UNASSIGN_ROLE": + case "TRANSFER_DOCUMENT_OWNERSHIP": + case "CHANGE_DOCS_SETTING": + case "CHANGE_SITES_SETTING": + case "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES": + case "ORG_USERS_LICENSE_ASSIGNMENT": + case "ORG_ALL_USERS_LICENSE_ASSIGNMENT": + case "USER_LICENSE_ASSIGNMENT": + case "CHANGE_LICENSE_AUTO_ASSIGN": + case "USER_LICENSE_REASSIGNMENT": + case "ORG_LICENSE_REVOKE": + case "USER_LICENSE_REVOKE": + case "UPDATE_DYNAMIC_LICENSE": + case "DROP_FROM_QUARANTINE": + case "CHANGE_EMAIL_SETTING": + case "CHANGE_GMAIL_SETTING": + case "REJECT_FROM_QUARANTINE": + case "RELEASE_FROM_QUARANTINE": + case "CHROME_LICENSES_ENABLED": + case "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED": + case "ASSIGN_CUSTOM_LOGO": + case "UNASSIGN_CUSTOM_LOGO": + case "REVOKE_ENROLLMENT_TOKEN": + case "CHROME_LICENSES_ALLOWED": + case "EDIT_ORG_UNIT_DESCRIPTION": + case "MOVE_ORG_UNIT": + case "EDIT_ORG_UNIT_NAME": + case "REVOKE_DEVICE_ENROLLMENT_TOKEN": + case "TOGGLE_SERVICE_ENABLED": + case "ALLOW_STRONG_AUTHENTICATION": + case "ALLOW_SERVICE_FOR_OAUTH2_ACCESS": + case "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS": + case "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID": + case "ADD_TO_TRUSTED_OAUTH2_APPS": + case "REMOVE_FROM_TRUSTED_OAUTH2_APPS": + case "BLOCK_ON_DEVICE_ACCESS": + case "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION": + case "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY": + case "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION": + case "CHANGE_TWO_STEP_VERIFICATION_START_DATE": + case "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS": + case "TOGGLE_CAA_ENABLEMENT": + case "CHANGE_CAA_ERROR_MESSAGE": + case "CHANGE_CAA_APP_ASSIGNMENTS": + case "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS": + case "TRUST_DOMAIN_OWNED_OAUTH2_APPS": + case "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY": + case "ENFORCE_STRONG_AUTHENTICATION": + case "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS": + case "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED": + case "SESSION_CONTROL_SETTINGS_CHANGE": + case "CHANGE_SESSION_LENGTH": + case "UNBLOCK_ON_DEVICE_ACCESS": + case "CHANGE_ACCOUNT_AUTO_RENEWAL": + case "ADD_APPLICATION": + case "ADD_APPLICATION_TO_WHITELIST": + case "CHANGE_ADVERTISEMENT_OPTION": + case "CHANGE_ALERT_CRITERIA": + case "ALERT_RECEIVERS_CHANGED": + case "RENAME_ALERT": + case "ALERT_STATUS_CHANGED": + case "ADD_DOMAIN_ALIAS": + case "REMOVE_DOMAIN_ALIAS": + case "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS": + case "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET": + case "ENABLE_API_ACCESS": + case "AUTHORIZE_API_CLIENT_ACCESS": + case "REMOVE_API_CLIENT_ACCESS": + case "CHROME_LICENSES_REDEEMED": + case "TOGGLE_AUTO_ADD_NEW_SERVICE": + case "CHANGE_PRIMARY_DOMAIN": + case "CHANGE_WHITELIST_SETTING": + case "COMMUNICATION_PREFERENCES_SETTING_CHANGE": + case "CHANGE_CONFLICT_ACCOUNT_ACTION": + case "ENABLE_FEEDBACK_SOLICITATION": + case "TOGGLE_CONTACT_SHARING": + case "TOGGLE_USE_CUSTOM_LOGO": + case "CHANGE_CUSTOM_LOGO": + case "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA": + case "CHANGE_DATA_LOCALIZATION_SETTING": + case "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO": + case "CHANGE_DOMAIN_DEFAULT_LOCALE": + case "CHANGE_DOMAIN_DEFAULT_TIMEZONE": + case "CHANGE_DOMAIN_NAME": + case "TOGGLE_ENABLE_PRE_RELEASE_FEATURES": + case "CHANGE_DOMAIN_SUPPORT_MESSAGE": + case "ADD_TRUSTED_DOMAINS": + case "REMOVE_TRUSTED_DOMAINS": + case "CHANGE_EDU_TYPE": + case "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY": + case "TOGGLE_SSO_ENABLED": + case "TOGGLE_SSL": + case "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO": + case "CHANGE_LOGIN_BACKGROUND_COLOR": + case "CHANGE_LOGIN_BORDER_COLOR": + case "CHANGE_LOGIN_ACTIVITY_TRACE": + case "PLAY_FOR_WORK_ENROLL": + case "PLAY_FOR_WORK_UNENROLL": + case "TOGGLE_NEW_APP_FEATURES": + case "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL": + case "TOGGLE_OPEN_ID_ENABLED": + case "CHANGE_ORGANIZATION_NAME": + case "TOGGLE_OUTBOUND_RELAY": + case "CHANGE_PASSWORD_MAX_LENGTH": + case "CHANGE_PASSWORD_MIN_LENGTH": + case "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL": + case "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS": + case "REMOVE_APPLICATION": + case "REMOVE_APPLICATION_FROM_WHITELIST": + case "CHANGE_RENEW_DOMAIN_REGISTRATION": + case "CHANGE_RESELLER_ACCESS": + case "RULE_ACTIONS_CHANGED": + case "CHANGE_RULE_CRITERIA": + case "RENAME_RULE": + case "RULE_STATUS_CHANGED": + case "ADD_SECONDARY_DOMAIN": + case "REMOVE_SECONDARY_DOMAIN": + case "UPDATE_DOMAIN_SECONDARY_EMAIL": + case "CHANGE_SSO_SETTINGS": + case "UPDATE_RULE": + case "ADD_MOBILE_CERTIFICATE": + case "COMPANY_OWNED_DEVICE_BLOCKED": + case "COMPANY_OWNED_DEVICE_UNBLOCKED": + case "COMPANY_OWNED_DEVICE_WIPED": + case "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT": + case "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER": + case "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST": + case "CHANGE_MOBILE_APPLICATION_SETTINGS": + case "ADD_MOBILE_APPLICATION_TO_WHITELIST": + case "CHANGE_MOBILE_SETTING": + case "CHANGE_ADMIN_RESTRICTIONS_PIN": + case "CHANGE_MOBILE_WIRELESS_NETWORK": + case "ADD_MOBILE_WIRELESS_NETWORK": + case "REMOVE_MOBILE_WIRELESS_NETWORK": + case "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD": + case "REMOVE_MOBILE_CERTIFICATE": + evt.Put("event.type", ["change"]); + break; + case "CREATE_APPLICATION_SETTING": + case "CREATE_MANAGED_CONFIGURATION": + case "CREATE_BUILDING": + case "CREATE_CALENDAR_RESOURCE": + case "CREATE_CALENDAR_RESOURCE_FEATURE": + case "MEET_INTEROP_CREATE_GATEWAY": + case "INSERT_CHROME_OS_PRINT_SERVER": + case "INSERT_CHROME_OS_PRINTER": + case "CREATE_ROLE": + case "ADD_WEB_ADDRESS": + case "EMAIL_UNDELETE": + case "CREATE_GMAIL_SETTING": + case "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED": + case "CREATE_DEVICE_ENROLLMENT_TOKEN": + case "CREATE_ENROLLMENT_TOKEN": + case "CREATE_ORG_UNIT": + case "CREATE_ALERT": + case "CREATE_PLAY_FOR_WORK_TOKEN": + case "GENERATE_TRANSFER_TOKEN": + case "REGENERATE_OAUTH_CONSUMER_SECRET": + case "CREATE_RULE": + case "GENERATE_PIN": + case "COMPANY_DEVICES_BULK_CREATION": + evt.Put("event.type", ["creation"]); + break; + case "DELETE_APPLICATION_SETTING": + case "DELETE_MANAGED_CONFIGURATION": + case "DELETE_BUILDING": + case "DELETE_CALENDAR_RESOURCE": + case "DELETE_CALENDAR_RESOURCE_FEATURE": + case "MEET_INTEROP_DELETE_GATEWAY": + case "DELETE_CHROME_OS_PRINT_SERVER": + case "DELETE_CHROME_OS_PRINTER": + case "REMOVE_CHROME_OS_APPLICATION_SETTINGS": + case "DELETE_ROLE": + case "DELETE_WEB_ADDRESS": + case "DELETE_GMAIL_SETTING": + case "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED": + case "REMOVE_ORG_UNIT": + case "DELETE_ALERT": + case "DELETE_PLAY_FOR_WORK_TOKEN": + case "DELETE_RULE": + case "COMPANY_DEVICE_DELETION": + evt.Put("event.type", ["deletion"]); + break; + case "DELETE_GROUP": + evt.Put("event.type", ["group", "creation"]); + break; + case "CREATE_GROUP": + evt.Put("event.type", ["group", "creation"]); + break; + case "REORDER_GROUP_BASED_POLICIES_EVENT": + case "CHANGE_GROUP_DESCRIPTION": + case "ADD_GROUP_MEMBER": + case "REMOVE_GROUP_MEMBER": + case "UPDATE_GROUP_MEMBER": + case "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS": + case "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE": + case "CHANGE_GROUP_NAME": + case "CHANGE_GROUP_SETTING": + case "GROUP_MEMBER_BULK_UPLOAD": + case "WHITELISTED_GROUPS_UPDATED": + evt.Put("event.type", ["group", "change"]); + break; + case "REVOKE_3LO_DEVICE_TOKENS": + case "REVOKE_3LO_TOKEN": + case "ADD_RECOVERY_EMAIL": + case "ADD_RECOVERY_PHONE": + case "GRANT_ADMIN_PRIVILEGE": + case "REVOKE_ADMIN_PRIVILEGE": + case "REVOKE_ASP": + case "TOGGLE_AUTOMATIC_CONTACT_SHARING": + case "CANCEL_USER_INVITE": + case "CHANGE_USER_CUSTOM_FIELD": + case "CHANGE_USER_EXTERNAL_ID": + case "CHANGE_USER_GENDER": + case "CHANGE_USER_IM": + case "ENABLE_USER_IP_WHITELIST": + case "CHANGE_USER_KEYWORD": + case "CHANGE_USER_LANGUAGE": + case "CHANGE_USER_LOCATION": + case "CHANGE_USER_ORGANIZATION": + case "CHANGE_USER_PHONE_NUMBER": + case "CHANGE_RECOVERY_EMAIL": + case "CHANGE_RECOVERY_PHONE": + case "CHANGE_USER_RELATION": + case "CHANGE_USER_ADDRESS": + case "GRANT_DELEGATED_ADMIN_PRIVILEGES": + case "CHANGE_FIRST_NAME": + case "GMAIL_RESET_USER": + case "CHANGE_LAST_NAME": + case "MAIL_ROUTING_DESTINATION_ADDED": + case "MAIL_ROUTING_DESTINATION_REMOVED": + case "ADD_NICKNAME": + case "REMOVE_NICKNAME": + case "CHANGE_PASSWORD": + case "CHANGE_PASSWORD_ON_NEXT_LOGIN": + case "REMOVE_RECOVERY_EMAIL": + case "REMOVE_RECOVERY_PHONE": + case "RESET_SIGNIN_COOKIES": + case "SECURITY_KEY_REGISTERED_FOR_USER": + case "REVOKE_SECURITY_KEY": + case "TURN_OFF_2_STEP_VERIFICATION": + case "UNBLOCK_USER_SESSION": + case "UNENROLL_USER_FROM_TITANIUM": + case "ARCHIVE_USER": + case "UPDATE_BIRTHDATE": + case "DOWNGRADE_USER_FROM_GPLUS": + case "USER_ENROLLED_IN_TWO_STEP_VERIFICATION": + case "MOVE_USER_TO_ORG_UNIT": + case "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD": + case "RENAME_USER": + case "UNENROLL_USER_FROM_STRONG_AUTH": + case "SUSPEND_USER": + case "UNARCHIVE_USER": + case "UNSUSPEND_USER": + case "UPGRADE_USER_TO_GPLUS": + case "MOBILE_DEVICE_APPROVE": + case "MOBILE_DEVICE_BLOCK": + case "MOBILE_DEVICE_WIPE": + case "MOBILE_ACCOUNT_WIPE": + case "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE": + case "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK": + evt.Put("event.type", ["user", "change"]); + break; + case "DELETE_2SV_SCRATCH_CODES": + case "DELETE_ACCOUNT_INFO_DUMP": + case "DELETE_EMAIL_MONITOR": + case "DELETE_MAILBOX_DUMP": + case "DELETE_USER": + case "MOBILE_DEVICE_DELETE": + evt.Put("event.type", ["user", "deletion"]); + break; + case "GENERATE_2SV_SCRATCH_CODES": + case "CREATE_EMAIL_MONITOR": + case "CREATE_DATA_TRANSFER_REQUEST": + case "CREATE_USER": + case "UNDELETE_USER": + evt.Put("event.type", ["user", "creation"]); + break; + case "ISSUE_DEVICE_COMMAND": + case "DRIVE_DATA_RESTORE": + case "VIEW_SITE_DETAILS": + case "EMAIL_LOG_SEARCH": + case "SKIP_DOMAIN_ALIAS_MX": + case "VERIFY_DOMAIN_ALIAS_MX": + case "VERIFY_DOMAIN_ALIAS": + case "VIEW_DNS_LOGIN_DETAILS": + case "MX_RECORD_VERIFICATION_CLAIM": + case "UPLOAD_OAUTH_CERTIFICATE": + case "SKIP_SECONDARY_DOMAIN_MX": + case "VERIFY_SECONDARY_DOMAIN_MX": + case "VERIFY_SECONDARY_DOMAIN": + case "BULK_UPLOAD": + case "DOWNLOAD_PENDING_INVITES_LIST": + case "DOWNLOAD_USERLIST_CSV": + case "USERS_BULK_UPLOAD": + case "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT": + case "USE_GOOGLE_MOBILE_MANAGEMENT": + case "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS": + case "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS": + evt.Put("event.type", ["info"]); + break; + case "GROUP_LIST_DOWNLOAD": + case "GROUP_MEMBERS_DOWNLOAD": + evt.Put("event.type", ["group", "info"]); + break; + case "REQUEST_ACCOUNT_INFO": + case "REQUEST_MAILBOX_DUMP": + case "RESEND_USER_INVITE": + case "BULK_UPLOAD_NOTIFICATION_SENT": + case "USER_INVITE": + case "VIEW_TEMP_PASSWORD": + case "USERS_BULK_UPLOAD_NOTIFICATION_SENT": + case "ACTION_CANCELLED": + case "ACTION_REQUESTED": + evt.Put("event.type", ["user", "info"]); + break; + } + }; + + var getParamValue = function(param) { + if (param.value) { + return param.value; + } + if (param.multiValue) { + return param.multiValue; + } + if (param.intValue !== null) { + return param.intValue; + } + }; + + var flattenParams = function(evt) { + var params = evt.Get("json.events.parameters"); + if (!params || !Array.isArray(params)) { + return; + } + + params.forEach(function(p){ + evt.Put("gsuite.admin."+p.name, getParamValue(p)); + }); + + evt.Delete("json.events.parameters"); + }; + + var setGroupInfo = function(evt) { + var email = evt.Get("gsuite.admin.group.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.Put("group.name", data[0]); + evt.Put("group.domain", data[1]); + }; + + var setRelatedUserInfo = function(evt) { + var email = evt.Get("gsuite.admin.user.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.AppendTo("related.user", data[0]); + }; + + var setEventDuration = function(evt) { + var start = evt.Get("event.start"); + var end = evt.Get("event.end"); + if (!start || !end) { + return; + } + + evt.Put("event.duration", end.UnixNano() - start.UnixNano()); + }; + + var setEventOutcome = function(evt) { + var failed = evt.Get("gsuite.admin.group.bulk_upload.failed"); + if (failed === null) { + return; + } + + if (failed === 0) { + evt.Put("event.outcome", "success"); + } else { + evt.Put("event.outcome", "failure"); + } + }; + + var setGroupAllowedlist = function(evt) { + var allowedList = evt.Get("gsuite.admin.WHITELISTED_GROUPS"); + if (!allowedList) { + return; + } + + evt.Put("gsuite.admin.group.allowed_list", allowedList.split(",")); + evt.Delete("gsuite.admin.WHITELISTED_GROUPS"); + }; + + var deleteField = function(field) { + return function(evt) { + evt.Delete(field); + }; + }; + + var parseDate = function(field, targetField) { + return new processor.Chain() + .Add(new processor.Timestamp({ + field: field, + target_field: targetField, + timezone: "UTC", + layouts: [ + "2006-01-02T15:04:05Z", + "2006-01-02T15:04:05.999Z", + "2006/01/02 15:04:05 UTC", + ], + tests: [ + "2020-02-05T18:19:23Z", + "2020-02-05T18:19:23.599Z", + "2020/07/28 04:59:59 UTC", + ], + ignore_missing: true, + })) + .Add(deleteField(field)) + .Build() + }; + + var pipeline = new processor.Chain() + .Add(categorizeEvent) + .Add(flattenParams) + .Convert({ + fields: [ + { + from: "gsuite.admin.APPLICATION_EDITION", + to: "gsuite.admin.application.edition", + }, + { + from: "gsuite.admin.APPLICATION_NAME", + to: "gsuite.admin.application.name", + }, + { + from: "gsuite.admin.APPLICATION_ENABLED", + to: "gsuite.admin.application.enabled", + }, + { + from: "gsuite.admin.APP_LICENSES_ORDER_NUMBER", + to: "gsuite.admin.application.licences_order_number", + }, + { + from: "gsuite.admin.CHROME_NUM_LICENSES_PURCHASED", + to: "gsuite.admin.application.licences_purchased", + type: "long", + }, + { + from: "gsuite.admin.REAUTH_APPLICATION", + to: "gsuite.admin.application.name", + }, + { + from: "gsuite.admin.GROUP_EMAIL", + to: "gsuite.admin.group.email", + }, + { + from: "gsuite.admin.GROUP_NAME", + to: "group.name", + }, + { + from: "gsuite.admin.NEW_VALUE", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.OLD_VALUE", + to: "gsuite.admin.old_value", + }, + { + from: "gsuite.admin.ORG_UNIT_NAME", + to: "gsuite.admin.org_unit.name", + }, + { + from: "gsuite.admin.SETTING_NAME", + to: "gsuite.admin.setting.name", + }, + { + from: "gsuite.admin.SETTING_DESCRIPTION", + to: "gsuite.admin.setting.description", + }, + { + from: "gsuite.admin.USER_DEFINED_SETTING_NAME", + to: "gsuite.admin.user_defined_setting.name", + }, + { + from: "gsuite.admin.GROUP_PRIORITIES", + to: "gsuite.admin.group.priorities", + }, + { + from: "gsuite.admin.DOMAIN_NAME", + to: "gsuite.admin.domain.name", + }, + { + from: "gsuite.admin.DOMAIN_ALIAS", + to: "gsuite.admin.domain.alias", + }, + { + from: "gsuite.admin.SECONDARY_DOMAIN_NAME", + to: "gsuite.admin.domain.secondary_name", + }, + { + from: "gsuite.admin.MANAGED_CONFIGURATION_NAME", + to: "gsuite.admin.managed_configuration", + }, + { + from: "gsuite.admin.MOBILE_APP_PACKAGE_ID", + to: "gsuite.admin.application.package_id", + }, + { + from: "gsuite.admin.FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION", + to: "gsuite.admin.non_featured_services_selection", + }, + { + from: "gsuite.admin.FIELD_NAME", + to: "gsuite.admin.field", + }, + { + from: "gsuite.admin.RESOURCE_IDENTIFIER", + to: "gsuite.admin.resource.id", + }, + { + from: "gsuite.admin.USER_EMAIL", + to: "gsuite.admin.user.email", + }, + { + from: "gsuite.admin.GATEWAY_NAME", + to: "gsuite.admin.gateway.name", + }, + { + from: "gsuite.admin.APP_ID", + to: "gsuite.admin.application.id", + }, + { + from: "gsuite.admin.ASP_ID", + to: "gsuite.admin.application.asp_id", + }, + { + from: "gsuite.admin.CHROME_OS_SESSION_TYPE", + to: "gsuite.admin.chrome_os.session_type", + }, + { + from: "gsuite.admin.DEVICE_NEW_STATE", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.DEVICE_PREVIOUS_STATE", + to: "gsuite.admin.old_value", + }, + { + from: "gsuite.admin.DEVICE_SERIAL_NUMBER", + to: "gsuite.admin.device.serial_number", + }, + { + from: "gsuite.admin.DEVICE_ID", + to: "gsuite.admin.device.id", + }, + { + from: "gsuite.admin.DEVICE_TYPE", + to: "gsuite.admin.device.type", + }, + { + from: "gsuite.admin.PRINT_SERVER_NAME", + to: "gsuite.admin.print_server.name", + }, + { + from: "gsuite.admin.PRINTER_NAME", + to: "gsuite.admin.printer.name", + }, + { + from: "gsuite.admin.DEVICE_COMMAND_DETAILS", + to: "gsuite.admin.device.command_details", + }, + { + from: "gsuite.admin.DEVICE_NEW_ORG_UNIT", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.DEVICE_PREVIOUS_ORG_UNIT", + to: "gsuite.admin.old_value", + }, + { + from: "gsuite.admin.ROLE_NAME", + to: "gsuite.admin.role.name", + }, + { + from: "gsuite.admin.ROLE_ID", + to: "gsuite.admin.role.id", + }, + { + from: "gsuite.admin.PRIVILEGE_NAME", + to: "gsuite.admin.privilege.name", + }, + { + from: "gsuite.admin.SITE_LOCATION", + to: "url.path", + }, + { + from: "gsuite.admin.WEB_ADDRESS", + to: "url.full", + }, + { + from: "gsuite.admin.SITE_NAME", + to: "gsuite.admin.url.name", + }, + { + from: "gsuite.admin.SERVICE_NAME", + to: "gsuite.admin.service.name", + }, + { + from: "gsuite.admin.PRODUCT_NAME", + to: "gsuite.admin.product.name", + }, + { + from: "gsuite.admin.SKU_NAME", + to: "gsuite.admin.product.sku", + }, + { + from: "gsuite.admin.GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER", + to: "gsuite.admin.bulk_upload.failed", + type: "long", + }, + { + from: "gsuite.admin.GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER", + to: "gsuite.admin.bulk_upload.total", + type: "long", + }, + { + from: "gsuite.admin.BULK_UPLOAD_FAIL_USERS_NUMBER", + to: "gsuite.admin.bulk_upload.failed", + type: "long", + }, + { + from: "gsuite.admin.BULK_UPLOAD_TOTAL_USERS_NUMBER", + to: "gsuite.admin.bulk_upload.total", + type: "long", + }, + { + from: "gsuite.admin.EMAIL_LOG_SEARCH_MSG_ID", + to: "gsuite.admin.email.log_search_filter.message_id", + }, + { + from: "gsuite.admin.EMAIL_LOG_SEARCH_RECIPIENT", + to: "gsuite.admin.email.log_search_filter.recipient.value", + }, + { + from: "gsuite.admin.EMAIL_LOG_SEARCH_SENDER", + to: "gsuite.admin.email.log_search_filter.sender.value", + }, + { + from: "gsuite.admin.EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP", + to: "gsuite.admin.email.log_search_filter.recipient.ip", + type: "ip", + }, + { + from: "gsuite.admin.EMAIL_LOG_SEARCH_SMTP_SENDER_IP", + to: "gsuite.admin.email.log_search_filter.sender.ip", + type: "ip", + }, + { + from: "gsuite.admin.QUARANTINE_NAME", + to: "gsuite.admin.email.quarantine_name", + }, + { + from: "gsuite.admin.CHROME_LICENSES_ENABLED", + to: "gsuite.admin.chrome_licenses.enabled", + }, + { + from: "gsuite.admin.CHROME_LICENSES_ALLOWED", + to: "gsuite.admin.chrome_licenses.allowed", + }, + { + from: "gsuite.admin.FULL_ORG_UNIT_PATH", + to: "gsuite.admin.org_unit.full", + }, + { + from: "gsuite.admin.OAUTH2_SERVICE_NAME", + to: "gsuite.admin.oauth2.service.name", + }, + { + from: "gsuite.admin.OAUTH2_APP_ID", + to: "gsuite.admin.oauth2.application.id", + }, + { + from: "gsuite.admin.OAUTH2_APP_NAME", + to: "gsuite.admin.oauth2.application.name", + }, + { + from: "gsuite.admin.OAUTH2_APP_TYPE", + to: "gsuite.admin.oauth2.application.type", + }, + { + from: "gsuite.admin.ALLOWED_TWO_STEP_VERIFICATION_METHOD", + to: "gsuite.admin.verification_method", + }, + { + from: "gsuite.admin.DOMAIN_VERIFICATION_METHOD", + to: "gsuite.admin.verification_method", + }, + { + from: "gsuite.admin.CAA_ASSIGNMENTS_NEW", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.CAA_ASSIGNMENTS_OLD", + to: "gsuite.admin.old_value", + }, + { + from: "gsuite.admin.REAUTH_SETTING_NEW", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.REAUTH_SETTING_OLD", + to: "gsuite.admin.old_value", + }, + { + from: "gsuite.admin.ALERT_NAME", + to: "gsuite.admin.alert.name", + }, + { + from: "gsuite.admin.API_CLIENT_NAME", + to: "gsuite.admin.api.client.name", + }, + { + from: "gsuite.admin.API_SCOPES", + to: "gsuite.admin.api.scopes", + }, + { + from: "gsuite.admin.PLAY_FOR_WORK_TOKEN_ID", + to: "gsuite.admin.mdm.token", + }, + { + from: "gsuite.admin.PLAY_FOR_WORK_MDM_VENDOR_NAME", + to: "gsuite.admin.mdm.vendor", + }, + { + from: "gsuite.admin.INFO_TYPE", + to: "gsuite.admin.info_type", + }, + { + from: "gsuite.admin.RULE_NAME", + to: "gsuite.admin.rule.name", + }, + { + from: "gsuite.admin.USER_CUSTOM_FIELD", + to: "gsuite.admin.setting.name", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_DEST_EMAIL", + to: "gsuite.admin.email_monitor.dest_email", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_LEVEL_CHAT", + to: "gsuite.admin.email_monitor.level.chat", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_LEVEL_DRAFT_EMAIL", + to: "gsuite.admin.email_monitor.level.draft", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_LEVEL_INCOMING_EMAIL", + to: "gsuite.admin.email_monitor.level.incoming", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL", + to: "gsuite.admin.email_monitor.level.outgoing", + }, + { + from: "gsuite.admin.EMAIL_EXPORT_INCLUDE_DELETED", + to: "gsuite.admin.email_dump.include_deleted", + }, + { + from: "gsuite.admin.EMAIL_EXPORT_PACKAGE_CONTENT", + to: "gsuite.admin.email_dump.package_content", + }, + { + from: "gsuite.admin.SEARCH_QUERY_FOR_DUMP", + to: "gsuite.admin.email_dump.query", + }, + { + from: "gsuite.admin.DESTINATION_USER_EMAIL", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.REQUEST_ID", + to: "gsuite.admin.request.id", + }, + { + from: "gsuite.admin.GMAIL_RESET_REASON", + to: "message", + }, + { + from: "gsuite.admin.USER_NICKNAME", + to: "gsuite.admin.user.nickname", + }, + { + from: "gsuite.admin.ACTION_ID", + to: "gsuite.admin.mobile.action.id", + }, + { + from: "gsuite.admin.ACTION_TYPE", + to: "gsuite.admin.mobile.action.type", + }, + { + from: "gsuite.admin.MOBILE_CERTIFICATE_COMMON_NAME", + to: "gsuite.admin.mobile.certificate.name", + }, + { + from: "gsuite.admin.NUMBER_OF_COMPANY_OWNED_DEVICES", + to: "gsuite.admin.mobile.company_owned_devices", + type: "long", + }, + { + from: "gsuite.admin.COMPANY_DEVICE_ID", + to: "gsuite.admin.device.id", + }, + { + from: "gsuite.admin.DISTRIBUTION_ENTITY_NAME", + to: "gsuite.admin.distribution.entity.name", + }, + { + from: "gsuite.admin.DISTRIBUTION_ENTITY_TYPE", + to: "gsuite.admin.distribution.entity.type", + }, + { + from: "gsuite.admin.MOBILE_APP_PACKAGE_ID", + to: "gsuite.admin.application.package_id", + }, + { + from: "gsuite.admin.NEW_PERMISSION_GRANT_STATE", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.OLD_PERMISSION_GRANT_STATE", + to: "gsuite.admin.old_value", + }, + { + from: "gsuite.admin.PERMISSION_GROUP_NAME", + to: "gsuite.admin.setting.name", + }, + { + from: "gsuite.admin.MOBILE_WIRELESS_NETWORK_NAME", + to: "network.name", + }, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(parseDate( + "gsuite.admin.EMAIL_LOG_SEARCH_END_DATE", + "gsuite.admin.email.log_search_filter.end_date" + )) + .Add(parseDate( + "gsuite.admin.EMAIL_LOG_SEARCH_START_DATE", + "gsuite.admin.email.log_search_filter.start_date" + )) + .Add(parseDate( + "gsuite.admin.BIRTHDATE", + "gsuite.admin.user.birthdate" + )) + .Add(parseDate( + "gsuite.admin.BEGIN_DATE_TIME", + "event.start" + )) + .Add(parseDate( + "gsuite.admin.START_DATE", + "event.start" + )) + .Add(parseDate( + "gsuite.admin.END_DATE", + "event.end" + )) + .Add(parseDate( + "gsuite.admin.END_DATE_TIME", + "event.end" + )) + .Add(setGroupInfo) + .Add(setRelatedUserInfo) + .Add(setEventDuration) + .Add(setEventOutcome) + .Add(setGroupAllowedlist) + .Build(); + + return { + process: pipeline.Run, + }; +}()); + +function process(evt) { + return login.process(evt); +} diff --git a/x-pack/filebeat/module/gsuite/admin/manifest.yml b/x-pack/filebeat/module/gsuite/admin/manifest.yml new file mode 100644 index 00000000000..48570efe448 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/manifest.yml @@ -0,0 +1,24 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: jwt_file + - name: delegated_account + - name: initial_interval + default: 24h + - name: http_client_timeout + default: 60s + - name: user_key + default: all + - name: interval + default: 2h + - name: tags + default: [forwarded] + +input: config/config.yml +ingest_pipeline: ../ingest/common.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log new file mode 100644 index 00000000000..2d2d36e96a3 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log @@ -0,0 +1,9 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CHANGE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"REORDER_GROUP_BASED_POLICIES_EVENT","parameters":[{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_PRIORITIES","multiValue":["a","b"]},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"GPLUS_PREMIUM_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"UPDATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","parameters":[{"name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION","value":"FLASHLIGHT_EDU_SELECTION_MANUAL"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json new file mode 100644 index 00000000000..7c44c612d13 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json @@ -0,0 +1,466 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.edition": "basic", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.edition": "basic", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 641, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.edition": "basic", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REORDER_GROUP_BASED_POLICIES_EVENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"REORDER_GROUP_BASED_POLICIES_EVENT\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_PRIORITIES\",\"multiValue\":[\"a\",\"b\"]},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.priorities": [ + "a", + "b" + ], + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1853, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GPLUS_PREMIUM_FEATURES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"GPLUS_PREMIUM_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2346, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "1234", + "gsuite.admin.managed_configuration": "a", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2770, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "1234", + "gsuite.admin.managed_configuration": "a", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3218, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"UPDATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "1234", + "gsuite.admin.managed_configuration": "a", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3666, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED\",\"parameters\":[{\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION\",\"value\":\"FLASHLIGHT_EDU_SELECTION_MANUAL\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.non_featured_services_selection": "FLASHLIGHT_EDU_SELECTION_MANUAL", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4114, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log new file mode 100644 index 00000000000..bcbed9ee886 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log @@ -0,0 +1,13 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RENAME_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CHANGE_CALENDAR_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CANCEL_CALENDAR_EVENTS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RELEASE_CALENDAR_RESOURCES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json new file mode 100644 index 00000000000..88580177907 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json @@ -0,0 +1,655 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 414, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 828, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1361, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1784, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2207, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2638, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3069, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RENAME_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RENAME_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3619, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4077, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CALENDAR_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CHANGE_CALENDAR_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4619, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CANCEL_CALENDAR_EVENTS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CANCEL_CALENDAR_EVENTS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5208, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RELEASE_CALENDAR_RESOURCES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RELEASE_CALENDAR_RESOURCES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5598, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log new file mode 100644 index 00000000000..b078b332402 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log @@ -0,0 +1,4 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_CREATE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_DELETE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_MODIFY_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"CHANGE_CHAT_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json new file mode 100644 index 00000000000..70de8368e2c --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json @@ -0,0 +1,201 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MEET_INTEROP_CREATE_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_CREATE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MEET_INTEROP_DELETE_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_DELETE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 384, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MEET_INTEROP_MODIFY_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_MODIFY_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 768, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHAT_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"CHANGE_CHAT_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1152, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log new file mode 100644 index 00000000000..9c3bd721f39 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log @@ -0,0 +1,21 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_DEVICE_STATE","parameters":[{"name":"DEVICE_NEW_STATE","value":"new"},{"name":"DEVICE_PREVIOUS_STATE","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"SEND_CHROME_OS_DEVICE_COMMAND","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_ANNOTATION","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_STATE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_USER_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"ISSUE_DEVICE_COMMAND","parameters":[{"name":"DEVICE_COMMAND_DETAILS","multiValue":["command","-a"]},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"MOVE_DEVICE_TO_ORG_UNIT_DETAILED","parameters":[{"name":"DEVICE_NEW_ORG_UNIT","value":"new"},{"name":"DEVICE_PREVIOUS_ORG_UNIT","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"REMOVE_CHROME_OS_APPLICATION_SETTINGS","parameters":[{"name":"APP_ID","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_DEVICE","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json new file mode 100644 index 00000000000..4ce27e5aff2 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json @@ -0,0 +1,1062 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "2345", + "gsuite.admin.chrome_os.session_type": "type", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DEVICE_STATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_DEVICE_STATE\",\"parameters\":[{\"name\":\"DEVICE_NEW_STATE\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_STATE\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "prev", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 648, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "2345", + "gsuite.admin.chrome_os.session_type": "type", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1162, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SEND_CHROME_OS_DEVICE_COMMAND", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"SEND_CHROME_OS_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "2345", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1802, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_ANNOTATION\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "2345", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2634, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_DEVICE_STATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_STATE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3136, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3641, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "INSERT_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4151, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4546, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4941, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "INSERT_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5406, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5792, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6178, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6634, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_USER_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_USER_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7135, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ISSUE_DEVICE_COMMAND", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"ISSUE_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_COMMAND_DETAILS\",\"multiValue\":[\"command\",\"-a\"]},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.command_details": [ + "command", + "-a" + ], + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7635, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"MOVE_DEVICE_TO_ORG_UNIT_DETAILED\",\"parameters\":[{\"name\":\"DEVICE_NEW_ORG_UNIT\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_ORG_UNIT\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "prev", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8124, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"REMOVE_CHROME_OS_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "1234", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8657, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_DEVICE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_DEVICE\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9047, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CONTACTS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CONTACTS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9465, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log new file mode 100644 index 00000000000..5aececc68aa --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log @@ -0,0 +1 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json new file mode 100644 index 00000000000..ed54f20525a --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json @@ -0,0 +1,54 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CONTACTS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CONTACTS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log new file mode 100644 index 00000000000..da76df3f767 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log @@ -0,0 +1,8 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"CREATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"DELETE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ADD_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"REMOVE_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"RENAME_ROLE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UPDATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UNASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json new file mode 100644 index 00000000000..c43835104fa --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json @@ -0,0 +1,400 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ASSIGN_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"CREATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 483, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"DELETE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 912, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ADD_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.privilege.name": "privilege", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1341, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"REMOVE_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.privilege.name": "privilege", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1818, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RENAME_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"RENAME_ROLE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2298, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UPDATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2728, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNASSIGN_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UNASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3157, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log new file mode 100644 index 00000000000..c3166fb87d2 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log @@ -0,0 +1,3 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"TRANSFER_DOCUMENT_OWNERSHIP","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"DRIVE_DATA_RESTORE","parameters":[{"name":"BEGIN_DATE_TIME","value":"2002-10-02T12:00:00Z"},{"name":"END_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"CHANGE_DOCS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json new file mode 100644 index 00000000000..4fb31027b62 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json @@ -0,0 +1,160 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TRANSFER_DOCUMENT_OWNERSHIP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"TRANSFER_DOCUMENT_OWNERSHIP\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DOCS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DRIVE_DATA_RESTORE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 10800000000000, + "event.end": "2002-10-02T15:00:00.000Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"DRIVE_DATA_RESTORE\",\"parameters\":[{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T12:00:00.000Z", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DOCS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 471, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DOCS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"CHANGE_DOCS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "DOCS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 967, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log new file mode 100644 index 00000000000..b452d9e8d94 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log @@ -0,0 +1,85 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ACCOUNT_AUTO_RENEWAL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"NON_AUTO_RENEWAL"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_ENABLED","value":"app enabled"},{"name":"APPLICATION_NAME","value":"app name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION_TO_WHITELIST","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_NAME","value":"app name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ADVERTISEMENT_OPTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ALERT_CRITERIA","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_RECEIVERS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_ALERT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_STATUS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"DOMAIN_VERIFICATION_METHOD","value":"ANALYTICS"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_API_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"true"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"AUTHORIZE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"},{"name":"API_SCOPES","multiValue":["a","b"]}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHROME_LICENSES_REDEEMED","parameters":[{"name":"APP_LICENSES_ORDER_NUMBER","value":"abcd123"},{"name":"APPLICATION_NAME","value":"app name"},{"name":"CHROME_NUM_LICENSES_PURCHASED","intValue":1}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_AUTO_ADD_NEW_SERVICE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PRIMARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_WHITELIST_SETTING","parameters":[{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"COMMUNICATION_PREFERENCES_SETTING_CHANGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CONFLICT_ACCOUNT_ACTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_FEEDBACK_SOLICITATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_CONTACT_SHARING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VIEW_DNS_LOGIN_DETAILS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_LOCALE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_TIMEZONE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_PRE_RELEASE_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_SUPPORT_MESSAGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EDU_TYPE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSO_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_TRANSFER_TOKEN"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BACKGROUND_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BORDER_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_ACTIVITY_TRACE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_ENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"},{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_UNENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"MX_RECORD_VERIFICATION_CLAIM","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_NEW_APP_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPLOAD_OAUTH_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REGENERATE_OAUTH_CONSUMER_SECRET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OPEN_ID_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ORGANIZATION_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OUTBOUND_RELAY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MAX_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MIN_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RENEW_DOMAIN_REGISTRATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RESELLER_ACCESS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_ACTIONS_CHANGED","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RULE_CRITERIA","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_RULE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_STATUS_CHANGED","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_SECONDARY_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_SSO_SETTINGS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_PIN"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json new file mode 100644 index 00000000000..a8d965c7c8d --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json @@ -0,0 +1,4183 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ACCOUNT_AUTO_RENEWAL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ACCOUNT_AUTO_RENEWAL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"NON_AUTO_RENEWAL\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "NON_AUTO_RENEWAL", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_APPLICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_ENABLED\",\"value\":\"app enabled\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.enabled": "app enabled", + "gsuite.admin.application.id": "id", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 437, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_APPLICATION_TO_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "id", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 900, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ADVERTISEMENT_OPTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ADVERTISEMENT_OPTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1323, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1782, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ALERT_CRITERIA", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ALERT_CRITERIA\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2154, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2535, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ALERT_RECEIVERS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_RECEIVERS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2907, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RENAME_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_ALERT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3360, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ALERT_STATUS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_STATUS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3759, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4209, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4627, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SKIP_DOMAIN_ALIAS_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5048, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VERIFY_DOMAIN_ALIAS_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5470, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VERIFY_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"DOMAIN_VERIFICATION_METHOD\",\"value\":\"ANALYTICS\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.verification_method": "ANALYTICS", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5894, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6373, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6803, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENABLE_API_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_API_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"true\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "true", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7235, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "AUTHORIZE_API_CLIENT_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"AUTHORIZE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"},{\"name\":\"API_SCOPES\",\"multiValue\":[\"a\",\"b\"]}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.api.client.name": "api client", + "gsuite.admin.api.scopes": [ + "a", + "b" + ], + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7687, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_API_CLIENT_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.api.client.name": "api client", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8169, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHROME_LICENSES_REDEEMED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHROME_LICENSES_REDEEMED\",\"parameters\":[{\"name\":\"APP_LICENSES_ORDER_NUMBER\",\"value\":\"abcd123\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"},{\"name\":\"CHROME_NUM_LICENSES_PURCHASED\",\"intValue\":1}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.licences_order_number": "abcd123", + "gsuite.admin.application.licences_purchased": 1, + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8603, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_AUTO_ADD_NEW_SERVICE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_AUTO_ADD_NEW_SERVICE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9100, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_PRIMARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PRIMARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9526, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_WHITELIST_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_WHITELIST_SETTING\",\"parameters\":[{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9946, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"COMMUNICATION_PREFERENCES_SETTING_CHANGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10401, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CONFLICT_ACCOUNT_ACTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CONFLICT_ACCOUNT_ACTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10917, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENABLE_FEEDBACK_SOLICITATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_FEEDBACK_SOLICITATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11381, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_CONTACT_SHARING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_CONTACT_SHARING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11843, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_PLAY_FOR_WORK_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.token": "token", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12264, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_USE_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12657, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13078, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13458, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DATA_LOCALIZATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13919, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.info_type": "ADDRESS", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14377, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_PLAY_FOR_WORK_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.token": "token", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14846, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VIEW_DNS_LOGIN_DETAILS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VIEW_DNS_LOGIN_DETAILS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15239, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DOMAIN_DEFAULT_LOCALE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_LOCALE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15623, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DOMAIN_DEFAULT_TIMEZONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_TIMEZONE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16083, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DOMAIN_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16545, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_ENABLE_PRE_RELEASE_FEATURES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_PRE_RELEASE_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16960, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DOMAIN_SUPPORT_MESSAGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_SUPPORT_MESSAGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17391, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_TRUSTED_DOMAINS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17852, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_TRUSTED_DOMAINS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_EDU_TYPE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EDU_TYPE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18617, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19064, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_SSO_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSO_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19493, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_SSL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19908, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.info_type": "ADDRESS", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20315, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GENERATE_TRANSFER_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_TRANSFER_TOKEN\"}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20778, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_LOGIN_BACKGROUND_COLOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BACKGROUND_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21103, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_LOGIN_BORDER_COLOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BORDER_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21564, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_LOGIN_ACTIVITY_TRACE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_ACTIVITY_TRACE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22021, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "PLAY_FOR_WORK_ENROLL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_ENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"},{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.token": "token", + "gsuite.admin.mdm.vendor": "vendor", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22480, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "PLAY_FOR_WORK_UNENROLL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_UNENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.vendor": "vendor", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22925, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MX_RECORD_VERIFICATION_CLAIM", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"MX_RECORD_VERIFICATION_CLAIM\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23322, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_NEW_APP_FEATURES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_NEW_APP_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23761, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24181, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPLOAD_OAUTH_CERTIFICATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPLOAD_OAUTH_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24611, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REGENERATE_OAUTH_CONSUMER_SECRET", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REGENERATE_OAUTH_CONSUMER_SECRET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24997, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_OPEN_ID_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OPEN_ID_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25391, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ORGANIZATION_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ORGANIZATION_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25810, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_OUTBOUND_RELAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OUTBOUND_RELAY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26266, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_PASSWORD_MAX_LENGTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MAX_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26758, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_PASSWORD_MIN_LENGTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MIN_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27216, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27674, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28139, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_APPLICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "appid", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28610, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_APPLICATION_FROM_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "appid", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29026, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_RENEW_DOMAIN_REGISTRATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RENEW_DOMAIN_REGISTRATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29457, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_RESELLER_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RESELLER_ACCESS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29921, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RULE_ACTIONS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_ACTIONS_CHANGED\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30330, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30703, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_RULE_CRITERIA", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RULE_CRITERIA\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31067, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31440, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RENAME_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_RULE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31804, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RULE_STATUS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_STATUS_CHANGED\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 32202, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 32644, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33082, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SKIP_SECONDARY_DOMAIN_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33523, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VERIFY_SECONDARY_DOMAIN_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33965, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VERIFY_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 34409, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_DOMAIN_SECONDARY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_SECONDARY_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 34850, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_SSO_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_SSO_SETTINGS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 35311, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GENERATE_PIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_PIN\"}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 35692, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 36006, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log new file mode 100644 index 00000000000..dc0842dc0d4 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log @@ -0,0 +1,9 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DROP_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_LOG_SEARCH","parameters":[{"name":"EMAIL_LOG_SEARCH_END_DATE","value":"2020/07/28 04:59:59 UTC"},{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"EMAIL_LOG_SEARCH_RECIPIENT","value":"recipient"},{"name":"EMAIL_LOG_SEARCH_SENDER","value":"sender"},{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_SMTP_SENDER_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_START_DATE","value":"2002-10-02T10:00:00Z"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_UNDELETE","parameters":[{"name":"END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"START_DATE","value":"2002-10-02T10:00:00Z"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_EMAIL_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CREATE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DELETE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"REJECT_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"RELEASE_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json new file mode 100644 index 00000000000..bdb57f64b88 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json @@ -0,0 +1,463 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DROP_FROM_QUARANTINE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DROP_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.quarantine_name": "quarantine", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "EMAIL_LOG_SEARCH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_LOG_SEARCH\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_END_DATE\",\"value\":\"2020/07/28 04:59:59 UTC\"},{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"EMAIL_LOG_SEARCH_RECIPIENT\",\"value\":\"recipient\"},{\"name\":\"EMAIL_LOG_SEARCH_SENDER\",\"value\":\"sender\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_SENDER_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.end_date": "2020-07-28T04:59:59.000Z", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.log_search_filter.recipient.ip": "1.1.1.1", + "gsuite.admin.email.log_search_filter.recipient.value": "recipient", + "gsuite.admin.email.log_search_filter.sender.ip": "1.1.1.1", + "gsuite.admin.email.log_search_filter.sender.value": "sender", + "gsuite.admin.email.log_search_filter.start_date": "2002-10-02T10:00:00.000Z", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 432, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "EMAIL_UNDELETE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 7200000000000, + "event.end": "2002-10-02T12:00:00.000Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_UNDELETE\",\"parameters\":[{\"name\":\"END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T10:00:00.000Z", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1188, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_EMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_EMAIL_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1671, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2254, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CREATE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2792, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DELETE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3330, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REJECT_FROM_QUARANTINE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"REJECT_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.quarantine_name": "quarantine", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3868, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RELEASE_FROM_QUARANTINE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"RELEASE_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.quarantine_name": "quarantine", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4302, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log new file mode 100644 index 00000000000..2c60ded89cc --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log @@ -0,0 +1,14 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CREATE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"DELETE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_DESCRIPTION","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_LIST_DOWNLOAD"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"ADD_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"REMOVE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBER_BULK_UPLOAD","parameters":[{"name":"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER","value":"0"},{"name":"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER","value":"10"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBERS_DOWNLOAD"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_NAME","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_SETTING","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"WHITELISTED_GROUPS_UPDATED","parameters":[{"name":"WHITELISTED_GROUPS","value":"a,b,c"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json new file mode 100644 index 00000000000..42a9699094c --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json @@ -0,0 +1,731 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_GROUP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CREATE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_GROUP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"DELETE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 379, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_GROUP_DESCRIPTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_DESCRIPTION\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 758, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GROUP_LIST_DOWNLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_LIST_DOWNLOAD\"}}", + "event.provider": "admin", + "event.type": [ + "group", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1149, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"ADD_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1469, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"REMOVE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1901, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2336, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2841, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3364, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GROUP_MEMBER_BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.bulk_upload.failed": 0, + "gsuite.admin.bulk_upload.total": 10, + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3906, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GROUP_MEMBERS_DOWNLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBERS_DOWNLOAD\"}}", + "event.provider": "admin", + "event.type": [ + "group", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4370, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_GROUP_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_NAME\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4693, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_GROUP_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_SETTING\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5112, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "WHITELISTED_GROUPS_UPDATED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"WHITELISTED_GROUPS_UPDATED\",\"parameters\":[{\"name\":\"WHITELISTED_GROUPS\",\"value\":\"a,b,c\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.group.allowed_list": [ + "a", + "b", + "c" + ], + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5611, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log new file mode 100644 index 00000000000..c028ff6ba1c --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log @@ -0,0 +1,8 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_ALL_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"CHANGE_LICENSE_AUTO_ASSIGN","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"SKU_NAME","value":"sku"},{"name":"PRODUCT_NAME","value":"product"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"UPDATE_DYNAMIC_LICENSE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json new file mode 100644 index 00000000000..d51d602ae7b --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json @@ -0,0 +1,407 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ORG_USERS_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_ALL_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 463, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USER_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.product.name": "product", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 930, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_LICENSE_AUTO_ASSIGN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"CHANGE_LICENSE_AUTO_ASSIGN\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.product.name": "product", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1398, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USER_LICENSE_REASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.product.name": "product", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1854, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ORG_LICENSE_REVOKE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2359, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USER_LICENSE_REVOKE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.old_value": "old", + "gsuite.admin.product.name": "product", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2812, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_DYNAMIC_LICENSE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"UPDATE_DYNAMIC_LICENSE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3276, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log new file mode 100644 index 00000000000..69c376c4453 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log @@ -0,0 +1,31 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_CANCELLED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_REQUESTED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"name"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICES_BULK_CREATION","parameters":[{"name":"NUMBER_OF_COMPANY_OWNED_DEVICES","intValue":10}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_BLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICE_DELETION","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_UNBLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_WIPED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT","parameters":[{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"GROUP"},{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"NEW_PERMISSION_GRANT_STATE","value":"GRANTED"},{"name":"OLD_PERMISSION_GRANT_STATE","value":"DENIED"},{"name":"PERMISSION_GROUP_NAME","value":"LOCATION"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_SETTINGS","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_APPLICATION_TO_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_DELETE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_ADMIN_RESTRICTIONS_PIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"cert"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_ACCOUNT_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json new file mode 100644 index 00000000000..8e2f2896bdb --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json @@ -0,0 +1,1566 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ACTION_CANCELLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_CANCELLED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.mobile.action.id": "id", + "gsuite.admin.mobile.action.type": "ACCOUNT_WIPE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ACTION_REQUESTED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_REQUESTED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.mobile.action.id": "id", + "gsuite.admin.mobile.action.type": "ACCOUNT_WIPE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 534, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_MOBILE_CERTIFICATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"name\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.mobile.certificate.name": "name", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1068, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "COMPANY_DEVICES_BULK_CREATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICES_BULK_CREATION\",\"parameters\":[{\"name\":\"NUMBER_OF_COMPANY_OWNED_DEVICES\",\"intValue\":10}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mobile.company_owned_devices": 10, + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1548, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "COMPANY_OWNED_DEVICE_BLOCKED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_BLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1951, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "COMPANY_DEVICE_DELETION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICE_DELETION\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2376, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "COMPANY_OWNED_DEVICE_UNBLOCKED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_UNBLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2796, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "COMPANY_OWNED_DEVICE_WIPED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_WIPED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3223, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT\",\"parameters\":[{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"GROUP\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"NEW_PERMISSION_GRANT_STATE\",\"value\":\"GRANTED\"},{\"name\":\"OLD_PERMISSION_GRANT_STATE\",\"value\":\"DENIED\"},{\"name\":\"PERMISSION_GROUP_NAME\",\"value\":\"LOCATION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "GROUP", + "gsuite.admin.new_value": "GRANTED", + "gsuite.admin.old_value": "DENIED", + "gsuite.admin.setting.name": "LOCATION", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3646, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4354, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "ORG_UNIT", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4795, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_APPLICATION_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "ORG_UNIT", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5341, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_MOBILE_APPLICATION_TO_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "ORG_UNIT", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_APPROVE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6534, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_BLOCK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_DELETE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_DELETE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7450, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_WIPE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7908, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8364, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ADMIN_RESTRICTIONS_PIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_ADMIN_RESTRICTIONS_PIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8898, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9328, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9817, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10303, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10792, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_MOBILE_CERTIFICATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"cert\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.mobile.certificate.name": "cert", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11290, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11773, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12110, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12440, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12782, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_ACCOUNT_WIPE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_ACCOUNT_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13120, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13577, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14053, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log new file mode 100644 index 00000000000..3ad1efedd6a --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log @@ -0,0 +1,17 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ENABLED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ENABLED","value":"DISABLED"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"ASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"UNASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ALLOWED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ALLOWED","value":"EMPTY"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REMOVE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_DESCRIPTION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"MOVE_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_NAME","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"TOGGLE_SERVICE_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SERVICE_NAME","value":"new"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json new file mode 100644 index 00000000000..b2a88d67fe8 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json @@ -0,0 +1,839 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHROME_LICENSES_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ENABLED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ENABLED\",\"value\":\"DISABLED\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.chrome_licenses.enabled": "DISABLED", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 472, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 982, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1457, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_DEVICE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.full": "full/org/path", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2002, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ASSIGN_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"ASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2400, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNASSIGN_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"UNASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2771, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3144, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3520, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHROME_LICENSES_ALLOWED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ALLOWED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ALLOWED\",\"value\":\"EMPTY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.chrome_licenses.allowed": "EMPTY", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3896, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4365, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REMOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4733, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "EDIT_ORG_UNIT_DESCRIPTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_DESCRIPTION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5101, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOVE_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"MOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5479, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "EDIT_ORG_UNIT_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_NAME\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5880, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_DEVICE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.full": "full/org/path", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6286, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_SERVICE_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"TOGGLE_SERVICE_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SERVICE_NAME\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.service.name": "new", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6684, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log new file mode 100644 index 00000000000..1035f42a2fb --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log @@ -0,0 +1,24 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ADD_TO_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"REMOVE_FROM_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"BLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_START_DATE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"ALLOWED_TWO_STEP_VERIFICATION_METHOD","value":"ONLY_SECURITY_KEY"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TOGGLE_CAA_ENABLEMENT","parameters":[{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_ERROR_MESSAGE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_APP_ASSIGNMENTS","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CAA_ASSIGNMENTS_NEW","value":"new"},{"name":"CAA_ASSIGNMENTS_OLD","value":"old"},{"name":"GROUP_NAME","value":"group"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENFORCE_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"SESSION_CONTROL_SETTINGS_CHANGE","parameters":[{"name":"REAUTH_APPLICATION","value":"ADMIN_CONSOLE"},{"name":"REAUTH_SETTING_NEW","value":"INHERIT"},{"name":"REAUTH_SETTING_OLD","value":"NEVER"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_SESSION_LENGTH","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNBLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"CALENDAR"},{"name":"ORG_UNIT_NAME","value":"org"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json new file mode 100644 index 00000000000..65321e3842a --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json @@ -0,0 +1,1222 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ALLOW_STRONG_AUTHENTICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 461, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 903, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1348, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_TO_TRUSTED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ADD_TO_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.application.id": "id", + "gsuite.admin.oauth2.application.name": "appname", + "gsuite.admin.oauth2.application.type": "CHROME_EXTENSION", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1903, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_FROM_TRUSTED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"REMOVE_FROM_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.application.id": "id", + "gsuite.admin.oauth2.application.name": "appname", + "gsuite.admin.oauth2.application.type": "CHROME_EXTENSION", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2424, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "BLOCK_ON_DEVICE_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"BLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2950, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3383, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3917, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4434, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4963, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"ONLY_SECURITY_KEY\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.verification_method": "ONLY_SECURITY_KEY", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5481, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_CAA_ENABLEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TOGGLE_CAA_ENABLEMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6010, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CAA_ERROR_MESSAGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_ERROR_MESSAGE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6385, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CAA_APP_ASSIGNMENTS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_APP_ASSIGNMENTS\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CAA_ASSIGNMENTS_NEW\",\"value\":\"new\"},{\"name\":\"CAA_ASSIGNMENTS_OLD\",\"value\":\"old\"},{\"name\":\"GROUP_NAME\",\"value\":\"group\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6802, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7356, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TRUST_DOMAIN_OWNED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7746, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8134, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENFORCE_STRONG_AUTHENTICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8652, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9718, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SESSION_CONTROL_SETTINGS_CHANGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"SESSION_CONTROL_SETTINGS_CHANGE\",\"parameters\":[{\"name\":\"REAUTH_APPLICATION\",\"value\":\"ADMIN_CONSOLE\"},{\"name\":\"REAUTH_SETTING_NEW\",\"value\":\"INHERIT\"},{\"name\":\"REAUTH_SETTING_OLD\",\"value\":\"NEVER\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "ADMIN_CONSOLE", + "gsuite.admin.new_value": "INHERIT", + "gsuite.admin.old_value": "NEVER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10237, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_SESSION_LENGTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_SESSION_LENGTH\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10774, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNBLOCK_ON_DEVICE_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNBLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"CALENDAR\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "CALENDAR", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log new file mode 100644 index 00000000000..ff07d024c4c --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log @@ -0,0 +1,5 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"ADD_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"DELETE_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","parameters":[{"name":"SERVICE_NAME","value":"service"},{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"VIEW_SITE_DETAILS","parameters":[{"name":"SITE_NAME","value":"site"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json new file mode 100644 index 00000000000..b5afcff1ea3 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json @@ -0,0 +1,258 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_WEB_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"ADD_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url" + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_WEB_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"DELETE_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 594, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url" + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_SITES_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1191, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES\",\"parameters\":[{\"name\":\"SERVICE_NAME\",\"value\":\"service\"},{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.service.name": "service", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1723, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url" + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VIEW_SITE_DETAILS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"VIEW_SITE_DETAILS\",\"parameters\":[{\"name\":\"SITE_NAME\",\"value\":\"site\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.url.name": "site", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log new file mode 100644 index 00000000000..bed874fc9a4 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log @@ -0,0 +1,74 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GENERATE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_DEVICE_TOKENS","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_TOKEN","parameters":[{"name":"APP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ASP","parameters":[{"name":"ASP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TOGGLE_AUTOMATIC_CONTACT_SHARING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"1"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CANCEL_USER_INVITE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_CUSTOM_FIELD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_CUSTOM_FIELD","value":"custom"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_EXTERNAL_ID","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_GENDER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_IM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ENABLE_USER_IP_WHITELIST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_KEYWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LANGUAGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LOCATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ORGANIZATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_PHONE_NUMBER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_RELATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ADDRESS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"},{"name":"EMAIL_MONITOR_LEVEL_CHAT","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL","value":"info"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_DATA_TRANSFER_REQUEST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DESTINATION_USER_EMAIL","value":"dest@example.com"},{"name":"APPLICATION_NAME","value":"a,b,c"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_DELEGATED_ADMIN_PRIVILEGES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_ACCOUNT_INFO_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_FIRST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GMAIL_RESET_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"GMAIL_RESET_REASON","value":"reason"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_LAST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_ADDED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_REMOVED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD_ON_NEXT_LOGIN","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_PENDING_INVITES_LIST"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_ACCOUNT_INFO","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_EXPORT_INCLUDE_DELETED","value":"true"},{"name":"EMAIL_EXPORT_PACKAGE_CONTENT","value":"contents"},{"name":"SEARCH_QUERY_FOR_DUMP","value":"foo bar"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESEND_USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESET_SIGNIN_COOKIES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SECURITY_KEY_REGISTERED_FOR_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_SECURITY_KEY","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"VIEW_TEMP_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TURN_OFF_2_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNBLOCK_USER_SESSION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_TITANIUM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPDATE_BIRTHDATE","parameters":[{"name":"BIRTHDATE","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNGRADE_USER_FROM_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_ENROLLED_IN_TWO_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_USERLIST_CSV"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MOVE_USER_TO_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RENAME_USER","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_STRONG_AUTH","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNDELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNSUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPGRADE_USER_TO_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"0"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json new file mode 100644 index 00000000000..f6220f7fcbd --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json @@ -0,0 +1,3766 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_2SV_SCRATCH_CODES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GENERATE_2SV_SCRATCH_CODES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GENERATE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 388, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_3LO_DEVICE_TOKENS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_DEVICE_TOKENS\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 778, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_3LO_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_TOKEN\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1238, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1649, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2031, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GRANT_ADMIN_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2413, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_ADMIN_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2798, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_ASP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ASP\",\"parameters\":[{\"name\":\"ASP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.asp_id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_AUTOMATIC_CONTACT_SHARING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TOGGLE_AUTOMATIC_CONTACT_SHARING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3589, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"1\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.bulk_upload.failed": 1, + "gsuite.admin.bulk_upload.total": 10, + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4020, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "BULK_UPLOAD_NOTIFICATION_SENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4499, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CANCEL_USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CANCEL_USER_INVITE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4937, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_CUSTOM_FIELD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_CUSTOM_FIELD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_CUSTOM_FIELD\",\"value\":\"custom\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "custom", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5364, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_EXTERNAL_ID", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_EXTERNAL_ID\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5868, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_GENDER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_GENDER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6325, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_IM", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_IM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6777, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENABLE_USER_IP_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ENABLE_USER_IP_WHITELIST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7225, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_KEYWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_KEYWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7683, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_LANGUAGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LANGUAGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8136, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_LOCATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LOCATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8590, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_ORGANIZATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ORGANIZATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9044, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_PHONE_NUMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_PHONE_NUMBER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9502, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9960, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10345, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_RELATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_RELATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10730, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ADDRESS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_EMAIL_MONITOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 3600000000000, + "event.end": "2002-10-02T16:00:00.000Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"EMAIL_MONITOR_LEVEL_CHAT\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL\",\"value\":\"info\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T15:00:00.000Z", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email_monitor.dest_email": "dest@example.com", + "gsuite.admin.email_monitor.level.chat": "info", + "gsuite.admin.email_monitor.level.draft": "info", + "gsuite.admin.email_monitor.level.incoming": "info", + "gsuite.admin.email_monitor.level.outgoing": "info", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11637, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_DATA_TRANSFER_REQUEST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_DATA_TRANSFER_REQUEST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DESTINATION_USER_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"a,b,c\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "a,b,c", + "gsuite.admin.new_value": "dest@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12429, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GRANT_DELEGATED_ADMIN_PRIVILEGES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_DELEGATED_ADMIN_PRIVILEGES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12926, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_ACCOUNT_INFO_DUMP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_ACCOUNT_INFO_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.request.id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13357, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_EMAIL_MONITOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email_monitor.dest_email": "dest@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13780, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_MAILBOX_DUMP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.request.id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14227, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_FIRST_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_FIRST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14645, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GMAIL_RESET_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GMAIL_RESET_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"GMAIL_RESET_REASON\",\"value\":\"reason\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15096, + "message": "reason", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_LAST_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_LAST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15523, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MAIL_ROUTING_DESTINATION_ADDED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_ADDED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15973, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MAIL_ROUTING_DESTINATION_REMOVED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_REMOVED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16402, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_NICKNAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.admin.user.nickname": "nick", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16833, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_NICKNAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.admin.user.nickname": "nick", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17249, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_PASSWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17668, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_PASSWORD_ON_NEXT_LOGIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD_ON_NEXT_LOGIN\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18047, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DOWNLOAD_PENDING_INVITES_LIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_PENDING_INVITES_LIST\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18510, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18839, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19224, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REQUEST_ACCOUNT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_ACCOUNT_INFO\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19609, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REQUEST_MAILBOX_DUMP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 3600000000000, + "event.end": "2002-10-02T16:00:00.000Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_EXPORT_INCLUDE_DELETED\",\"value\":\"true\"},{\"name\":\"EMAIL_EXPORT_PACKAGE_CONTENT\",\"value\":\"contents\"},{\"name\":\"SEARCH_QUERY_FOR_DUMP\",\"value\":\"foo bar\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T15:00:00.000Z", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email_dump.include_deleted": "true", + "gsuite.admin.email_dump.package_content": "contents", + "gsuite.admin.email_dump.query": "foo bar", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RESEND_USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESEND_USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20656, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RESET_SIGNIN_COOKIES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESET_SIGNIN_COOKIES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21083, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SECURITY_KEY_REGISTERED_FOR_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SECURITY_KEY_REGISTERED_FOR_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21467, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_SECURITY_KEY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_SECURITY_KEY\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21863, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22246, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VIEW_TEMP_PASSWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"VIEW_TEMP_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22666, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TURN_OFF_2_STEP_VERIFICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TURN_OFF_2_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23093, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNBLOCK_USER_SESSION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNBLOCK_USER_SESSION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23485, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNENROLL_USER_FROM_TITANIUM", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_TITANIUM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23869, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ARCHIVE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24260, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_BIRTHDATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPDATE_BIRTHDATE\",\"parameters\":[{\"name\":\"BIRTHDATE\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.birthdate": "2002-10-02T15:00:00.000Z", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24636, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25068, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25443, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DOWNGRADE_USER_FROM_GPLUS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNGRADE_USER_FROM_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25818, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USER_ENROLLED_IN_TWO_STEP_VERIFICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_ENROLLED_IN_TWO_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26207, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DOWNLOAD_USERLIST_CSV", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_USERLIST_CSV\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26609, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOVE_USER_TO_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MOVE_USER_TO_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26930, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27389, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RENAME_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RENAME_USER\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27834, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNENROLL_USER_FROM_STRONG_AUTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_STRONG_AUTH\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28244, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SUSPEND_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28638, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNARCHIVE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29014, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNDELETE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNDELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29392, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNSUSPEND_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNSUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29769, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPGRADE_USER_TO_GPLUS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPGRADE_USER_TO_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30147, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USERS_BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"0\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.bulk_upload.failed": 0, + "gsuite.admin.bulk_upload.total": 10, + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30532, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USERS_BULK_UPLOAD_NOTIFICATION_SENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30972, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] diff --git a/x-pack/filebeat/module/gsuite/config/common.js b/x-pack/filebeat/module/gsuite/config/common.js index fd6955f98a9..2867ee518f8 100644 --- a/x-pack/filebeat/module/gsuite/config/common.js +++ b/x-pack/filebeat/module/gsuite/config/common.js @@ -24,9 +24,9 @@ var gsuite = (function () { { from: "json.events.name", to: "event.action" }, { from: "json.id.applicationName", to: "event.provider" }, { from: "json.id.uniqueQualifier", to: "event.id", type: "string" }, - { from: "json.actor.email", to: "client.user.email" }, - { from: "json.actor.profileId", to: "client.user.id", type: "string" }, - { from: "json.ipAddress", to: "client.ip", type: "ip" }, + { from: "json.actor.email", to: "source.user.email" }, + { from: "json.actor.profileId", to: "source.user.id", type: "string" }, + { from: "json.ipAddress", to: "source.ip", type: "ip" }, { from: "json.kind", to: "gsuite.kind" }, { from: "json.id.customerId", to: "organization.id", type: "string" }, { from: "json.actor.callerType", to: "gsuite.actor.type" }, @@ -40,7 +40,7 @@ var gsuite = (function () { }); var completeUserData = function(evt) { - var email = evt.Get("client.user.email"); + var email = evt.Get("source.user.email"); if (!email) { return; } @@ -50,16 +50,16 @@ var gsuite = (function () { return; } - evt.Put("client.user.name", data[0]); - evt.Put("client.user.domain", data[1]); + evt.Put("source.user.name", data[0]); + evt.Put("source.user.domain", data[1]); }; var copyFields = function(evt) { - var ip = evt.Get("client.ip"); + var ip = evt.Get("source.ip"); if (ip) { evt.Put("related.ip", [ip]); } - var userName = evt.Get("client.user.name"); + var userName = evt.Get("source.user.name"); if (userName) { evt.Put("related.user", [userName]); } diff --git a/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml b/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml new file mode 100644 index 00000000000..9c031b89ce5 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml @@ -0,0 +1,89 @@ +- name: drive + type: group + fields: + - name: billable + type: boolean + description: Whether this activity is billable. + - name: source_folder_id + type: keyword + - name: source_folder_title + type: keyword + - name: destination_folder_id + type: keyword + - name: destination_folder_title + type: keyword + - name: file.id + type: keyword + - name: file.type + type: keyword + description: > + Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: originating_app_id + type: keyword + description: > + The Google Cloud Project ID of the application that performed the action. + - name: file.owner.email + type: keyword + - name: file.owner.is_shared_drive + type: boolean + description: > + Boolean flag denoting whether owner is a shared drive. + - name: primary_event + type: boolean + description: > + Whether this is a primary event. A single user action in Drive may generate several events. + - name: shared_drive_id + type: keyword + description: > + The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. + - name: visibility + type: keyword + description: > + Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: new_value + type: keyword + description: > + When a setting or property of the file changes, the new value for it will appear here. + - name: old_value + type: keyword + description: > + When a setting or property of the file changes, the old value for it will appear here. + - name: sheets_import_range_recipient_doc + type: keyword + description: Doc ID of the recipient of a sheets import range. + - name: old_visibility + type: keyword + description: > + When visibility changes, this holds the old value. + - name: visibility_change + type: keyword + description: > + When visibility changes, this holds the new overall visibility of the file. + - name: target_domain + type: keyword + description: > + The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. + - name: added_role + type: keyword + description: > + Added membership role of a user/group in a Team Drive. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: membership_change_type + type: keyword + description: > + Type of change in Team Drive membership of a user/group. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: shared_drive_settings_change_type + type: keyword + description: > + Type of change in Team Drive settings. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: removed_role + type: keyword + description: > + Removed membership role of a user/group in a Team Drive. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: target + type: keyword + description: Target user or group. + diff --git a/x-pack/filebeat/module/gsuite/drive/config/config.yml b/x-pack/filebeat/module/gsuite/drive/config/config.yml new file mode 100644 index 00000000000..5f1bd6ecbf3 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/drive/config/config.yml @@ -0,0 +1,50 @@ +{{ if eq .input "httpjson" }} +type: httpjson + +url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/drive +json_objects_array: items +split_events_by: events + +interval: {{ .interval }} + +{{ if .http_client_timeout }} +http_client_timeout: {{ .http_client_timeout }} +{{ end }} + +oauth2.provider: google +oauth2.google.jwt_file: {{ .jwt_file }} +oauth2.google.delegated_account: {{ .delegated_account }} +oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly + +date_cursor.url_field: startTime +date_cursor.initial_interval: {{ .initial_interval }} + +pagination.id_field: nextPageToken +pagination.url_field: pageToken + +{{ else if eq .input "file" }} +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - add_fields: + target: '' + fields: + ecs.version: 1.5.0 + - script: + lang: javascript + id: gsuite-common + file: ${path.home}/module/gsuite/config/common.js + - script: + lang: javascript + id: gsuite-drive + file: ${path.home}/module/gsuite/drive/config/pipeline.js diff --git a/x-pack/filebeat/module/gsuite/drive/config/pipeline.js b/x-pack/filebeat/module/gsuite/drive/config/pipeline.js new file mode 100644 index 00000000000..eb1d1170ea5 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/drive/config/pipeline.js @@ -0,0 +1,190 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var drive = (function () { + var path = require("path"); + var processor = require("processor"); + + var categorizeEvent = function(evt) { + evt.Put("event.category", ["file"]); + switch (evt.Get("event.action")) { + case "add_to_folder": + case "edit": + case "add_lock": + case "move": + case "remove_from_folder": + case "rename": + case "remove_lock": + case "sheets_import_range": + evt.Put("event.type", ["change"]); + break; + case "approval_canceled": + case "approval_comment_added": + case "approval_requested": + case "approval_reviewer_responded": + case "change_acl_editors": + case "change_document_access_scope": + case "change_document_visibility": + case "shared_drive_membership_change": + case "shared_drive_settings_change": + case "sheets_import_range_access_change": + case "change_user_access": + evt.AppendTo("event.category", "iam"); + evt.Put("event.type", ["change"]); + break; + case "create": + case "untrash": + case "upload": + evt.Put("event.type", ["creation"]); + break; + case "delete": + case "trash": + evt.Put("event.type", ["deletion"]); + break; + case "download": + case "preview": + case "print": + case "view": + evt.Put("event.type", ["info"]); + break; + } + }; + + var getParamValue = function(param) { + if (param.value) { + return param.value; + } + if (param.multiValue) { + return param.multiValue; + } + if (param.boolValue !== null) { + return param.boolValue; + } + }; + + var flattenParams = function(evt) { + var params = evt.Get("json.events.parameters"); + if (!params || !Array.isArray(params)) { + return; + } + + params.forEach(function(p){ + evt.Put("gsuite.drive."+p.name, getParamValue(p)); + }); + + evt.Delete("json.events.parameters"); + }; + + var setFileInfo = function(evt) { + var type = evt.Get("gsuite.drive.file.type"); + if (!type) { + return; + } + + switch (type) { + case "folder": + case "shared_drive": + evt.Put("file.type", "dir"); + break; + default: + evt.Put("file.type", "file"); + } + + // path returns extensions with a preceding ., e.g.: .tmp, .png + // according to ecs the expected format is without it, so we need to remove it. + var ext = path.extname(evt.Get("file.name")); + if (!ext) { + return; + } + + if (ext.charAt(0) === ".") { + ext = ext.substr(1); + } + evt.Put("file.extension", ext); + }; + + var setOwnerInfo = function(evt) { + var email = evt.Get("gsuite.drive.file.owner.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.Put("file.owner", data[0]); + evt.AppendTo("related.user", data[0]); + }; + + var setTargetRelatedUser = function(evt) { + var email = evt.Get("gsuite.drive.target"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.AppendTo("related.user", data[0]); + }; + + var pipeline = new processor.Chain() + .Add(categorizeEvent) + .Add(flattenParams) + .Convert({ + fields: [ + { + from: "gsuite.drive.doc_id", + to: "gsuite.drive.file.id", + }, + { + from: "gsuite.drive.doc_title", + to: "file.name", + }, + { + from: "gsuite.drive.doc_type", + to: "gsuite.drive.file.type", + }, + { + from: "gsuite.drive.owner", + to: "gsuite.drive.file.owner.email", + }, + { + from: "gsuite.drive.owner_is_shared_drive", + to: "gsuite.drive.file.owner.is_shared_drive", + }, + { + from: "gsuite.drive.new_settings_state", + to: "gsuite.drive.new_value", + }, + { + from: "gsuite.drive.old_settings_state", + to: "gsuite.drive.old_value", + }, + { + from: "gsuite.drive.target_user", + to: "gsuite.drive.target", + }, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setFileInfo) + .Add(setOwnerInfo) + .Add(setTargetRelatedUser) + .Build(); + + return { + process: pipeline.Run, + }; +}()); + +function process(evt) { + return drive.process(evt); +} diff --git a/x-pack/filebeat/module/gsuite/drive/manifest.yml b/x-pack/filebeat/module/gsuite/drive/manifest.yml new file mode 100644 index 00000000000..48570efe448 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/drive/manifest.yml @@ -0,0 +1,24 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: jwt_file + - name: delegated_account + - name: initial_interval + default: 24h + - name: http_client_timeout + default: 60s + - name: user_key + default: all + - name: interval + default: 2h + - name: tags + default: [forwarded] + +input: config/config.yml +ingest_pipeline: ../ingest/common.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log new file mode 100644 index 00000000000..3cd073a7379 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log @@ -0,0 +1,28 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_to_folder","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_canceled","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_comment_added","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_requested","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_reviewer_responded","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"create","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"delete","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"download","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"edit","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"move","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"preview","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"print","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_from_folder","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"rename","parameters":[{"name":"billable","boolValue":true},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"bar.gif"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_value","value":"foo.gif","new_value":"bar.gif"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"untrash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"sheets_import_range","parameters":[{"name":"sheets_import_range_recipient_doc","value":"1234"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"trash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"upload","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"view","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"shared_drive_id","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_acl_editors","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_access_scope","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_visibility","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_membership_change","parameters":[{"name":"added_role","value":"editor"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"removed_role","value":"content_manager"},{"name":"membership_change_type","value":"add_to_shared_drive"},{"name":"target","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_settings_change","parameters":[{"name":"new_settings_state","value":"restricted"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_settings_state","value":"unrestricted"},{"name":"shared_drive_settings_change_type","value":"direct_acl"},{"name":"target","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"sheets_import_range_access_change","parameters":[{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"sheets_import_range_recipient_doc","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_user_access","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"can_comment"},{"name":"old_value","value":"can_view"},{"name":"old_visibility","value":"people_with_link"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"target_user","value":"user@example.com"},{"name":"visibility","value":"private"},{"name":"visibility_change","value":"external"}]}} diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json new file mode 100644 index 00000000000..3d75fea232d --- /dev/null +++ b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json @@ -0,0 +1,1706 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "add_to_folder", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_to_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.destination_folder_id": "1234", + "gsuite.drive.destination_folder_title": "folder title", + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approval_canceled", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_canceled\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 816, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approval_comment_added", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_comment_added\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1529, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approval_requested", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_requested\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approval_reviewer_responded", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_reviewer_responded\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2961, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "create", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"create\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "creation" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3684, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "delete", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"delete\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "deletion" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4386, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "download", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"download\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5088, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "edit", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5792, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "add_lock", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6492, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "move", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"move\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.destination_folder_id": "1234", + "gsuite.drive.destination_folder_title": "folder title", + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.source_folder_id": "1234", + "gsuite.drive.source_folder_title": "a folder title", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7196, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "preview", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"preview\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8102, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "print", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"print\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8805, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "remove_from_folder", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_from_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.source_folder_id": "1234", + "gsuite.drive.source_folder_title": "a folder title", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9506, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "rename", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"rename\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"bar.gif\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_value\",\"value\":\"foo.gif\",\"new_value\":\"bar.gif\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.extension": "gif", + "file.name": "bar.gif", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": true, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.old_value": "foo.gif", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10319, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "untrash", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"untrash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "creation" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11074, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "sheets_import_range", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"sheets_import_range\",\"parameters\":[{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.sheets_import_range_recipient_doc": "1234", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11777, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "trash", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"trash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "deletion" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12514, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "remove_lock", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13215, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "upload", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"upload\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "creation" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13922, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "view", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"view\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"shared_drive_id\",\"value\":\"1234\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.shared_drive_id": "1234", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14624, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_acl_editors", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_editors\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "owner", + "gsuite.drive.old_value": "writers", + "gsuite.drive.old_visibility": "people_within_domain_with_link", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.drive.visibility_change": "external", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15366, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_document_access_scope", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_access_scope\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "owner", + "gsuite.drive.old_value": "writers", + "gsuite.drive.old_visibility": "people_within_domain_with_link", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.target_domain": "all", + "gsuite.drive.visibility": "people_with_link", + "gsuite.drive.visibility_change": "external", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16275, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_document_visibility", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_visibility\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "owner", + "gsuite.drive.old_value": "writers", + "gsuite.drive.old_visibility": "people_within_domain_with_link", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.target_domain": "all", + "gsuite.drive.visibility": "people_with_link", + "gsuite.drive.visibility_change": "external", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "shared_drive_membership_change", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_membership_change\",\"parameters\":[{\"name\":\"added_role\",\"value\":\"editor\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"removed_role\",\"value\":\"content_manager\"},{\"name\":\"membership_change_type\",\"value\":\"add_to_shared_drive\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.added_role": "editor", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.membership_change_type": "add_to_shared_drive", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.removed_role": "content_manager", + "gsuite.drive.target": "user@example.com", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18189, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "shared_drive_settings_change", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_settings_change\",\"parameters\":[{\"name\":\"new_settings_state\",\"value\":\"restricted\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_settings_state\",\"value\":\"unrestricted\"},{\"name\":\"shared_drive_settings_change_type\",\"value\":\"direct_acl\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "restricted", + "gsuite.drive.old_value": "unrestricted", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.shared_drive_settings_change_type": "direct_acl", + "gsuite.drive.target": "user@example.com", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19117, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "sheets_import_range_access_change", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"sheets_import_range_access_change\",\"parameters\":[{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.sheets_import_range_recipient_doc": "1234", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20060, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_user_access", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"can_comment\"},{\"name\":\"old_value\",\"value\":\"can_view\"},{\"name\":\"old_visibility\",\"value\":\"people_with_link\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"target_user\",\"value\":\"user@example.com\"},{\"name\":\"visibility\",\"value\":\"private\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "can_comment", + "gsuite.drive.old_value": "can_view", + "gsuite.drive.old_visibility": "people_with_link", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.target": "user@example.com", + "gsuite.drive.visibility": "private", + "gsuite.drive.visibility_change": "external", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20815, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go index 5003648f341..1d4d320cd3b 100644 --- a/x-pack/filebeat/module/gsuite/fields.go +++ b/x-pack/filebeat/module/gsuite/fields.go @@ -19,5 +19,5 @@ func init() { // AssetGsuite returns asset data. // This is the base64 encoded gzipped contents of module/gsuite. func AssetGsuite() string { - return "eJzMVU2PIzUQvedXlJYD0orpCI45IEUorNDOMKvJLmKFUKfSLqdLcbsau5yd5tcju5Mhk2TExwxofWq5vl49v6q+gi0NM9jExEoTAGV1NINX48WrCYCh2ATulcXP4NsJAOy94UZMcjnIMjkTZ8V2BR47OsqYjyGLyWldHGdg0cWDSYc+ewdJ/YPzWcF83oxFY08NW272RavJg8ONBAL2VkKHORhwLUlPA6BBD2sCK8kbQIVWtY+z6dTQjpz0FGK1Edk4qhrppmg69lfRbKeBegkap7uvp4EsBfINTbFR3rEyxanjqHssx3wcc4KNSqhyxw+mAwFbGj5JMEf3T9CQz/uWShiI3eecPLL/hC7RodPZIxPA6w/Lxd3rGcy9aEsBUqQA7EFbgogdgZEO2VenYYuf3y/ufpxf14f4MVKSRjZUwp+IfLv4WPy9+Ks2degPoC/zs6XhefTcejdAHyiSV/jUkofVn8yvgCOs3i4+rir4bpRChr5qxMfUUai3NKwysfk20G+JokoAKwFu50lb+Ob6FubvfjjYIkgA9MCGvLJlGn2DrEUBm0aS13jeKu3I6wtL4c2yTEhJ/RV02PdkwAbpYMVKXfzl16rY8seeivHZJfCGPTrocXCC5vELLrBpwbKjSFo01eKOAMGwLWOgkA1iYTfKLrfPGUCeR0OK7P6XqcuH7rHr8wLDZFi/2DsOZ/Rv2ZuXI36UQ5QUGjohPhf6mzzffMZ8Sdig59/LXq3GMX8efSOBYybQFjWPJVpLjZKB9bAfv9zMl3E/LWeoInbuDMbxrwQuLOPjBNj3jpvSVZ1vTiA+1ddf9gawxM7B8t1xhVKzuojDIrsUqD7ZB8/EcC0b9ofcJVEF3+dtBVkFWbi9xMhrR4fRLZIBlX8jt6x6b/j+oLZhmp/ncr/sWRmVTL0eXq7fu3Ej55+SheX85howaZvX8vgAl7FI2CTPWveo7cthAfhQ/o5j8suVo6KmWDdiLj+6E7/5h6rLTY9pIad9oi414k3t8tvW/xWIUgNKjceI/ggAAP//yAgQFA==" + return "eJzkXFtz3Dayfvev6EoefE4qGtXJox5OldaaOK5IlkqSs5va2qIwRJNEBAI0AM549tdv4cIRZ4bkXEDZk6xe7BoS39do3Lob3TyDZ1xeQK5rZvANgGGG4wV853/47g0ARZ0qVhkmxQX8/xsACG/DjaQ1t40yhpzqC/fsDAQpsYVo/yhmpOYmcS9eQEa4bh6ZZWXfVrKuVi9vEdq/955UV5iyjKWBdPJm9cKNVAhMZFKVxDYGMpO12WwAKREwQ8hkLSgQA4Uxlb44P6c4Ry4rVHqSS5lznKSyPCe0ZOJM0+dzhZVURp/P/+9cYYYKRYrnJDVszgxDfc6ZNkGWtj7aOiGpkWpie7x61CjgGZcLqWjr9x412L/HAl0zkFnAfLP2/DfCa2x6erH2COCHTw/T+x8u4FJIU6CCWqMCJsAUCJqUCFSWhInJZrPpPx6n9x8vr5OmvW8pa6MZRde8p+Wv09/d+0KKs6IuiWiE7tbPMy7j1HMr+BIqhRqFgUWBAp5eNP8ETMPTr9Pfnybwzk8FK/pTKoWuS1TJMy6frGLtrwo/16iNVJBJBbeXtSngp+tbuLz70DzTIBUQAYyiMCxj6N9VciYNkDSVtTB6u6s4R2FGngrvH9wKcdA/QkmqCilkSpbwxAyW+p//mrhn9j9BFX7YpWI5E4RDRZZcEro+glOSFpAxjhqNm1MFmSMQoCxzy8CAfSAzmPtpZ7vPrAB2PVI0hPGvsursH34hZWU3MFJTZr4PLy631P/MBB1P8X46aFmrFDcUb4n21PPNCetLqpwI9m+3r078Mo9Tn1egRwJTEGOXJckyTA1SmC3D8rOdeavDatneL2y3t+RonyXQsRuvIVQVZ6nvFlJm/90Qs69vW/2z/WlWoEea7KS0v8TwtbDeaoe/mxMFmXHchD6INkCswe7k5Sy1k1EnUlFUiajLGapjpbi1GOAx7DlEwUhQSBFLcEQa9QEiVbVKC6KP18pHL4nMoMGEFeZuOVjUaLSQ4MPVbjaiq2Q8xpV5VRGtbeO9ZKhI+kxyjJSjlDPG18UJwL1CuM1hgiVhPIbZwbzVUClWErUEBwiEUoW6Z+IJXCTuhIzhFbjwx6w7ZZ3JhsYwkXdzSk7jOSWnB3GqPKkFM9GbW/vMIRws5sAWt6LNah41tFLlnssCQUVMAUykvKZM5P5UktK8vNUvUaOlWD0EnAEma4gnFDMmkCZj0dr2jR1sCc4CwfDoNw9bcK/bd7+gK8WkchbOsWzvLQ684HSzBQ+HcEaOZmoZPg5nkCl2FJsNKhD26zHwaUyloEQtk/hpG5B2c5dEkBxpkkqRsbxWJHbatOduAIc18J4tWookQ2Jq5daRmjNrHGjkmMZItGn5AnyU4qwhgoYIVkSbHjTAz9bJBGu8225VUms249h4XM7StxbQEV6CdVYEZV8aJ2EZXmsdqmdhFervf76+fPjl+sP7Xx6T6dWn5OPtx+Tn6eXjp/vpVfIwvf/tw7vpQ/IwvZ6+e5xedarYGeNjDa0D6x7Kxh2LtK3abA1ky9Xv347jTQyLcpiF4XgFS59jl26gbqAG2GZMmYIS003X8aCPywG5Bj3bPDG4IMuo/fC9x/AbEdyFAJG1YWWJkFontJnp3UKkhZIlJlJPNGrNpEg2AjgHifPOocHtAwQ017Rnd0a7RUw0KkZ4pO905bDAYwUfapD1gCW00TJGPUHMfp1Uignjtmk77Ue0dhwwBOB+6tdg3TESqSxLImgSokRHzzwP0wSbenZQyWN2z0+Cfa5xMyxqCqYdsu3unHHMewbXsceod/vQfXS2O8cOQwS+yRFLkaPd1+hZaBY2n74pF/QVo5W7BmXQb3H2yAh+i8MZ8lsUj2ZZ4EwzM8RSKUnrNN4fDTh7MOnnegyih18/dfPMav6c1JULIWeE9UXzuBT5fkErDwIKU6moBiYcBXgKsLN8wGpuS2OkId1Wz/7COIwjZfHeIOFcLpAmG8HugwbiIylRuws2C3ZmoZB6/J4N01lok881UUQYJjDag2qfDi+wQ+Rc5olGotIiyRi3p0mJWscH2rjMweOCx32rg0Ea8HvjbX1yaUOUSaIsxy6hHOyAGdknDtpDdWxh7KYv8iOkUZiyiqEwk+jgXf/IvZAcNnAoKKrXFCwwHKkxVnVKtfXzMZp6q+HD3bAPtkNtryCdR95DtOC9rK5HIi+Ctg2s6+bqIyCfgo0lVT5sV21qJZwd/+VakaQ2xU+TMUzBbY24PIqfBuzDb6MUjWmtmFnupZlxru+CJva5wevgjRmVDuaBu5Vt7hjPvndGtKXZ9vtPeVbMUbEsiJ6UaAo54g5yj9x6iWsk4ElOUkNAxGYPYVS/2d0nDA8I4ajiXT6HMrAwVB0ZpXAxibozJvFybc4mKXe2TSzT5d0H8FA7+HQqq+Ov0hoqj9Jz5UPLiZHPGHXNc3N1A3MUVCpAoSTnpe2ag+1n9Q3GoR1MumEik1EB4q4QFtOwYJzDDFdpL9oQg7AoiHFpbXbZt7NgF0RDWhCRn4bpsc/idYZtUkrBjFQTitok0dcpFoWJkBjszeTGtw6ebKDbQyJu1TBJC3J0dMFK5C4c1rjBA+8tAVUkixLBAcTJwEQqS7YV2zlIjAYjThJZm1xGStJgHCoJrctq4tNEMKHI0fS4EDMpOZLNXW9Njg+C2kMeNbAMApan0UBcirujoU1WKX6xi26ndE3KVSqFQRE3cz2EfrliZ3wmvzTJVztF+VyjWsaFlp0n7HD8PtikJjn87rPa52tHXggHlF4z3aekTUg6QmJfSG/zdz/gIa2fvxf12AdPrzinYqh78YYPlqCiFJXxlnS89Ra00oKEVJbloD/ViCHLiohlIhcCaeL12m107Qqeu2jxKoAekIBAYAC5EH1pRkwbxWZ1SA02zMTdsXdPnTYLeBY/FX6ERcHSokl3Jz7AHiLfrq5CqvysJ9HudOdZl1bHX5BdWrWQPUpd1+cpq3KlRsXm2/Uxh+T3zxjnZMa7Fb/HWfz3Al2RlLu3bqQHplfAPVeoLlEoySSnqA65e+kGcEV5B2O0LN4ISTpQjhMnY4flE6y1G3fxXMm0dq7ilZ1g/gT7qtN/c2K305hdiZBdDwmpYhL1u/eM905WeMdlTeFOyT8wtcZMY8mtReCsf1Khsq6k9TSL5tDvnvNunOxRdmjuWwcA04kuiLKn4pamDli92yr4m28EGSc5UBTSZRcvwip35K4QCTy934F6c4BKopaJq00aT8K1HceJssoAdEVQcAmaCTuGrvzSj4h1BfxcLskSchSorCGicY6KcN+yxwBo63n02VZvJQGFefaIpPQST0K5pqxqH+XMQrWlFxoUcrca7NojrXbgqgyxdM4IcYnpTLhK1PZb3X2eM81mjLcL3aK7+9sK0/WRqByNn9InsrNE1590zlVh10pI0pcKKmUFDzpwGbocQ/RJ/+h+Wa9gYcaHs2xHiIICVd8VRGwlyzjSr9fC7C29LhCNTlhpRy5RFjBZ3SonVKbH9upKpq3dewXp8lYCK3hWcKwDyn2FNeE0/ALcViXTUEhO9bpWdy3XxCN8fQntrJVuM+Xt11vzpFt0vw8kWxWzkWK3SkjsPPTmvj+g0xS19qH3tdCvjx1bl4BwLZuyd1eAArZXRgILgacGqRPIEdoGnl97M8GVhLcUs8r1pMHU6rlroBRpouQB5uRO3VxaTCjResO6YJXP+XQLwp6Y594ZYmLgnICv7A31b9ov3QhTf+wLhVDB7sGtVlonbEuHG+o7VXWtGTONW/kNNNddRnA6elJYyvnoK+/eo/5V1p7fu4+ODXoL0H8jRcHGstkKdfjE0qhYB0l5UqEqmSsmGW9YQ2XkCnllMdUVtRb7tx2/LcVt3DiMrQef4DewWcdVfm3T3jjUPXjHXcyB1tVhnOoAh4k49hD/Web3K3h0Hxvv7H/0/zbWbd5WyskqI9ZB3OrXbeOU/OlUMfKccF8T+3NpIFQlRNy/bqvh4ebx7qXcwaXZELFeBbGtj6bI1PpDpaShdmUwINdgvbyekJHLz29CL1oSdUV2XQc2hpAohCdSVcpaek9ABIUnhX+4zzY99QQ/DDH10clkHQ5eQAzvzZrvcsjaVLUJ49JTJ9TbJV8BFTqk6zRFpGs92rLYuMxjPz4VPnflk5uSkJV0cNw8LQjnaD2csRNPr20XX/CbnNOvusqdmntuHAjjtRrbsfOdDtjf4G5ooMOv0dFUoYvOE65Pq7NMJ/4TIknmvt7Y2fGuK5Y2QK0rljLZs/1stl7tWKTkcSv75Rotqgqw4xQiJYeHuz0T9/+aK8QOT1/KLTPM2uzJbMQw9r3P+fK3Vw+XN9dAalPYRTP07Tup8lowk1TEFOPJAvDJRxTy7SSO9QM3SSXtHvRd2UQds852Opy6FravcNwtV5csmbyWEI7DJ2SuS/SfAAAA//8ELOHy" } diff --git a/x-pack/filebeat/module/gsuite/groups/_meta/fields.yml b/x-pack/filebeat/module/gsuite/groups/_meta/fields.yml new file mode 100644 index 00000000000..05cd6b68590 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/groups/_meta/fields.yml @@ -0,0 +1,57 @@ +- name: groups + type: group + fields: + - name: acl_permission + type: keyword + description: > + Group permission setting updated. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: email + type: keyword + description: > + Group email. + - name: member.email + type: keyword + description: > + Member email. + - name: member.role + type: keyword + description: > + Member role. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: setting + type: keyword + description: > + Group setting updated. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: new_value + type: keyword + description: > + New value(s) of the group setting. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: old_value + type: keyword + description: + Old value(s) of the group setting. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: value + type: keyword + description: > + Value of the group setting. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: message.id + type: keyword + description: > + SMTP message Id of an email message. + Present for moderation events. + - name: message.moderation_action + type: keyword + description: > + Message moderation action. + Possible values are `approved` and `rejected`. + - name: status + type: keyword + description: > + A status describing the output of an operation. + Possible values are `failed` and `succeeded`. + diff --git a/x-pack/filebeat/module/gsuite/groups/config/config.yml b/x-pack/filebeat/module/gsuite/groups/config/config.yml new file mode 100644 index 00000000000..46a3ed338d9 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/groups/config/config.yml @@ -0,0 +1,50 @@ +{{ if eq .input "httpjson" }} +type: httpjson + +url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/groups +json_objects_array: items +split_events_by: events + +interval: {{ .interval }} + +{{ if .http_client_timeout }} +http_client_timeout: {{ .http_client_timeout }} +{{ end }} + +oauth2.provider: google +oauth2.google.jwt_file: {{ .jwt_file }} +oauth2.google.delegated_account: {{ .delegated_account }} +oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly + +date_cursor.url_field: startTime +date_cursor.initial_interval: {{ .initial_interval }} + +pagination.id_field: nextPageToken +pagination.url_field: pageToken + +{{ else if eq .input "file" }} +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - add_fields: + target: '' + fields: + ecs.version: 1.5.0 + - script: + lang: javascript + id: gsuite-common + file: ${path.home}/module/gsuite/config/common.js + - script: + lang: javascript + id: gsuite-groups + file: ${path.home}/module/gsuite/groups/config/pipeline.js diff --git a/x-pack/filebeat/module/gsuite/groups/config/pipeline.js b/x-pack/filebeat/module/gsuite/groups/config/pipeline.js new file mode 100644 index 00000000000..326eccfee71 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/groups/config/pipeline.js @@ -0,0 +1,203 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var groups = (function () { + var processor = require("processor"); + + var categorizeEvent = function(evt) { + evt.Put("event.category", ["iam"]); + evt.Put("event.type", ["group"]); + switch (evt.Get("event.action")) { + case "change_acl_permission": + case "change_basic_setting": + case "change_identity_setting": + case "change_info_setting": + case "change_new_members_restrictions_setting": + case "change_post_replies_setting": + case "change_spam_moderation_setting": + case "change_topic_setting": + evt.AppendTo("event.type", "change"); + break; + case "accept_invitation": + evt.AppendTo("event.type", "info"); + evt.AppendTo("event.type", "user"); + break; + case "approve_join_request": + case "join": + evt.AppendTo("event.type", "user"); + evt.AppendTo("event.type", "change"); + break; + case "request_to_join": + case "ban_user_with_moderation": + case "revoke_invitation": + case "invite_user": + case "reject_join_request": + case "reinvite_user": + evt.AppendTo("event.type", "info"); + evt.AppendTo("event.type", "user"); + break; + case "create_group": + case "add_info_setting": + evt.AppendTo("event.type", "creation"); + break; + case "delete_group": + case "remove_info_setting": + evt.AppendTo("event.type", "deletion"); + break; + case "moderate_message": + case "always_post_from_user": + evt.AppendTo("event.type", "info"); + break; + case "add_user": + evt.AppendTo("event.type", "creation"); + evt.AppendTo("event.type", "user"); + break; + case "remove_user": + evt.AppendTo("event.type", "deletion"); + evt.AppendTo("event.type", "user"); + break; + } + }; + + var getParamValue = function(param) { + if (param.value) { + return param.value; + } + if (param.multiValue) { + return param.multiValue; + } + }; + + var flattenParams = function(evt) { + var params = evt.Get("json.events.parameters"); + if (!params || !Array.isArray(params)) { + return; + } + + params.forEach(function(p){ + evt.Put("gsuite.groups."+p.name, getParamValue(p)); + }); + + evt.Delete("json.events.parameters"); + }; + + var setOutcome = function(evt) { + switch (evt.Get("gsuite.groups.status")) { + case "failed": + evt.Put("event.outcome", "failure"); + break; + case "succeeded": + evt.Put("event.outcome", "success"); + break; + } + }; + + var setGroupInfo = function(evt) { + var email = evt.Get("gsuite.groups.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.Put("group.name", data[0]); + evt.Put("group.domain", data[1]); + }; + + var setRelatedMemberInfo = function(evt) { + var email = evt.Get("gsuite.groups.member.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.AppendTo("related.user", data[0]); + }; + + var pipeline = new processor.Chain() + .Add(categorizeEvent) + .Add(flattenParams) + .Convert({ + fields: [ + { + from: "gsuite.groups.group_email", + to: "gsuite.groups.email", + }, + { + from: "gsuite.groups.new_value_repeated", + to: "gsuite.groups.new_value", + }, + { + from: "gsuite.groups.old_value_repeated", + to: "gsuite.groups.old_value", + }, + { + from: "gsuite.groups.user_email", + to: "gsuite.groups.member.email", + }, + { + from: "gsuite.groups.basic_setting", + to: "gsuite.groups.setting", + }, + { + from: "gsuite.groups.identity_setting", + to: "gsuite.groups.setting", + }, + { + from: "gsuite.groups.info_setting", + to: "gsuite.groups.setting", + }, + { + from: "gsuite.groups.new_members_restrictions_setting", + to: "gsuite.groups.setting", + }, + { + from: "gsuite.groups.post_replies_setting", + to: "gsuite.groups.setting", + }, + { + from: "gsuite.groups.spam_moderation_setting", + to: "gsuite.groups.setting", + }, + { + from: "gsuite.groups.topic_setting", + to: "gsuite.groups.setting", + }, + { + from: "gsuite.groups.message_id", + to: "gsuite.groups.message.id", + }, + { + from: "gsuite.groups.message_moderation_action", + to: "gsuite.groups.message.moderation_action", + }, + { + from: "gsuite.groups.member_role", + to: "gsuite.groups.member.role", + }, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setOutcome) + .Add(setGroupInfo) + .Add(setRelatedMemberInfo) + .Build(); + + return { + process: pipeline.Run, + }; +}()); + +function process(evt) { + return groups.process(evt); +} diff --git a/x-pack/filebeat/module/gsuite/groups/manifest.yml b/x-pack/filebeat/module/gsuite/groups/manifest.yml new file mode 100644 index 00000000000..48570efe448 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/groups/manifest.yml @@ -0,0 +1,24 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: jwt_file + - name: delegated_account + - name: initial_interval + default: 24h + - name: http_client_timeout + default: 60s + - name: user_key + default: all + - name: interval + default: 2h + - name: tags + default: [forwarded] + +input: config/config.yml +ingest_pipeline: ../ingest/common.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log new file mode 100644 index 00000000000..e67fe7571a3 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log @@ -0,0 +1,25 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_acl_permission","parameters":[{"name":"acl_permission","value":"can_add_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value_repeated","multiValue":["managers","members"]},{"name":"old_value_repeated","multiValue":["managers"]}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"accept_invitation","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"approve_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"join","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"request_to_join","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_basic_setting","parameters":[{"name":"basic_setting","value":"allow_external_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value","value":"true"},{"name":"old_value","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"create_group","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"delete_group","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_identity_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"identity_setting","value":"required_forms_of_identity"},{"name":"new_value","value":"display_name_only"},{"name":"old_value","value":"display_name_or_google_profile"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"add_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"new_value","value":"footer"},{"name":"old_value","value":"old footer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"remove_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_new_members_restrictions_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"new_members_restrictions_setting","value":"new_members_can_post"},{"name":"new_value","value":"inherit"},{"name":"old_value","value":"overriden_to_false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_post_replies_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"post_replies_setting","value":"where_should_replies_be_sent"},{"name":"new_value","value":"reply_to_custom_address"},{"name":"old_value","value":"reply_to_author_only"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_spam_moderation_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"spam_moderation_setting","value":"how_to_handle_suspected_spam_messages"},{"name":"new_value","value":"moderate_and_do_not_send_notifications"},{"name":"old_value","value":"moderate_and_send_notifications"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_topic_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"topic_setting","value":"allowed_topic_types"},{"name":"new_value","value":"discussions_questions"},{"name":"old_value","value":"discussions"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"moderate_message","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"message_moderation_action","value":"approved"},{"name":"status","value":"succeeded"},{"name":"message_id","value":"message id"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"always_post_from_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"status","value":"succeeded"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"add_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"ban_user_with_moderation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"revoke_invitation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"invite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"reject_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"reinvite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"remove_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} diff --git a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json new file mode 100644 index 00000000000..8944e12d5e7 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json @@ -0,0 +1,1347 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_acl_permission", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value_repeated\",\"multiValue\":[\"managers\",\"members\"]},{\"name\":\"old_value_repeated\",\"multiValue\":[\"managers\"]}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "acl_change", + "gsuite.groups.acl_permission": "can_add_members", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": [ + "managers", + "members" + ], + "gsuite.groups.old_value": [ + "managers" + ], + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "accept_invitation", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"accept_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 559, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approve_join_request", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"approve_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "user", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 946, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "join", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "user", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1385, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "request_to_join", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"request_to_join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1759, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_basic_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_basic_setting\",\"parameters\":[{\"name\":\"basic_setting\",\"value\":\"allow_external_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value\",\"value\":\"true\"},{\"name\":\"old_value\",\"value\":\"false\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "true", + "gsuite.groups.old_value": "false", + "gsuite.groups.setting": "allow_external_members", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2144, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "create_group", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"create_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2665, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "delete_group", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "deletion" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3047, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_identity_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_identity_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"identity_setting\",\"value\":\"required_forms_of_identity\"},{\"name\":\"new_value\",\"value\":\"display_name_only\"},{\"name\":\"old_value\",\"value\":\"display_name_or_google_profile\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "display_name_only", + "gsuite.groups.old_value": "display_name_or_google_profile", + "gsuite.groups.setting": "required_forms_of_identity", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3429, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "add_info_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.setting": "custom_footer", + "gsuite.groups.value": "footer", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3998, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_info_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"new_value\",\"value\":\"footer\"},{\"name\":\"old_value\",\"value\":\"old footer\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "footer", + "gsuite.groups.old_value": "old footer", + "gsuite.groups.setting": "custom_footer", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4466, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "remove_info_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "deletion" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.setting": "custom_footer", + "gsuite.groups.value": "footer", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4983, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_new_members_restrictions_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_new_members_restrictions_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_members_restrictions_setting\",\"value\":\"new_members_can_post\"},{\"name\":\"new_value\",\"value\":\"inherit\"},{\"name\":\"old_value\",\"value\":\"overriden_to_false\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "inherit", + "gsuite.groups.old_value": "overriden_to_false", + "gsuite.groups.setting": "new_members_can_post", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5454, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_post_replies_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_post_replies_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"post_replies_setting\",\"value\":\"where_should_replies_be_sent\"},{\"name\":\"new_value\",\"value\":\"reply_to_custom_address\"},{\"name\":\"old_value\",\"value\":\"reply_to_author_only\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "reply_to_custom_address", + "gsuite.groups.old_value": "reply_to_author_only", + "gsuite.groups.setting": "where_should_replies_be_sent", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6027, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_spam_moderation_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_spam_moderation_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"spam_moderation_setting\",\"value\":\"how_to_handle_suspected_spam_messages\"},{\"name\":\"new_value\",\"value\":\"moderate_and_do_not_send_notifications\"},{\"name\":\"old_value\",\"value\":\"moderate_and_send_notifications\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "moderate_and_do_not_send_notifications", + "gsuite.groups.old_value": "moderate_and_send_notifications", + "gsuite.groups.setting": "how_to_handle_suspected_spam_messages", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6602, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_topic_setting", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_topic_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"topic_setting\",\"value\":\"allowed_topic_types\"},{\"name\":\"new_value\",\"value\":\"discussions_questions\"},{\"name\":\"old_value\",\"value\":\"discussions\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.new_value": "discussions_questions", + "gsuite.groups.old_value": "discussions", + "gsuite.groups.setting": "allowed_topic_types", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7218, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "moderate_message", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"moderate_message\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"message_moderation_action\",\"value\":\"approved\"},{\"name\":\"status\",\"value\":\"succeeded\"},{\"name\":\"message_id\",\"value\":\"message id\"}]}}", + "event.outcome": "success", + "event.provider": "groups", + "event.type": [ + "group", + "info" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.message.id": "message id", + "gsuite.groups.message.moderation_action": "approved", + "gsuite.groups.status": "succeeded", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7759, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "always_post_from_user", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"always_post_from_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"status\",\"value\":\"succeeded\"}]}}", + "event.outcome": "success", + "event.provider": "groups", + "event.type": [ + "group", + "info" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.groups.status": "succeeded", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8282, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "add_user", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "creation", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.groups.member.role": "manager", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8760, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ban_user_with_moderation", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"ban_user_with_moderation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.groups.member.role": "manager", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9228, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "revoke_invitation", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"revoke_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9712, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "invite_user", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"invite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10148, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "reject_join_request", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reject_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10578, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "reinvite_user", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reinvite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11016, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "remove_user", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.groups", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "deletion", + "user" + ], + "fileset.name": "groups", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.event.type": "moderator_action", + "gsuite.groups.email": "group@example.com", + "gsuite.groups.member.email": "user@example.com", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11448, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/ingest/common.yml b/x-pack/filebeat/module/gsuite/ingest/common.yml index 46ae0a7aa25..f35335c1846 100644 --- a/x-pack/filebeat/module/gsuite/ingest/common.yml +++ b/x-pack/filebeat/module/gsuite/ingest/common.yml @@ -1,28 +1,31 @@ description: Pipeline for parsing gsuite logs processors: - geoip: - field: client.ip - target_field: client.geo + field: source.ip + target_field: source.geo ignore_missing: true - geoip: database_file: GeoLite2-ASN.mmdb - field: client.ip - target_field: client.as + field: source.ip + target_field: source.as properties: - asn - organization_name ignore_missing: true - rename: - field: client.as.asn - target_field: client.as.number + field: source.as.asn + target_field: source.as.number ignore_missing: true - rename: - field: client.as.organization_name - target_field: client.as.organization.name + field: source.as.organization_name + target_field: source.as.organization.name ignore_missing: true - remove: field: json ignore_missing: true + - set: + field: event.ingested + value: "{{ _ingest.timestamp }}" on_failure: - set: diff --git a/x-pack/filebeat/module/gsuite/login/_meta/fields.yml b/x-pack/filebeat/module/gsuite/login/_meta/fields.yml new file mode 100644 index 00000000000..dc8e9711616 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/login/_meta/fields.yml @@ -0,0 +1,21 @@ +- name: login + type: group + fields: + - name: affected_email_address + type: keyword + - name: challenge_method + type: keyword + description: > + Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + - name: failure_type + type: keyword + description: > + Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + - name: type + type: keyword + description: > + Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + - name: is_second_factor + type: boolean + - name: is_suspicious + type: boolean diff --git a/x-pack/filebeat/module/gsuite/login/config/config.yml b/x-pack/filebeat/module/gsuite/login/config/config.yml new file mode 100644 index 00000000000..b501012b3d2 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/login/config/config.yml @@ -0,0 +1,50 @@ +{{ if eq .input "httpjson" }} +type: httpjson + +url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/login +json_objects_array: items +split_events_by: events + +interval: {{ .interval }} + +{{ if .http_client_timeout }} +http_client_timeout: {{ .http_client_timeout }} +{{ end }} + +oauth2.provider: google +oauth2.google.jwt_file: {{ .jwt_file }} +oauth2.google.delegated_account: {{ .delegated_account }} +oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly + +date_cursor.url_field: startTime +date_cursor.initial_interval: {{ .initial_interval }} + +pagination.id_field: nextPageToken +pagination.url_field: pageToken + +{{ else if eq .input "file" }} +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - add_fields: + target: '' + fields: + ecs.version: 1.5.0 + - script: + lang: javascript + id: gsuite-common + file: ${path.home}/module/gsuite/config/common.js + - script: + lang: javascript + id: gsuite-login + file: ${path.home}/module/gsuite/login/config/pipeline.js diff --git a/x-pack/filebeat/module/gsuite/login/config/pipeline.js b/x-pack/filebeat/module/gsuite/login/config/pipeline.js new file mode 100644 index 00000000000..13c155661a0 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/login/config/pipeline.js @@ -0,0 +1,98 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var login = (function () { + var processor = require("processor"); + + var categorizeEvent = function(evt) { + evt.Put("event.category", ["authentication"]); + switch (evt.Get("event.action")) { + case "login_failure": + evt.Put("event.type", ["start"]); + evt.Put("event.outcome", "failure"); + break; + case "login_success": + evt.Put("event.type", ["start"]); + evt.Put("event.outcome", "success"); + break; + case "logout": + evt.Put("event.type", ["end"]); + break; + case "account_disabled_generic": + case "account_disabled_spamming_through_relay": + case "account_disabled_spamming": + case "account_disabled_hijacked": + case "account_disabled_password_leak": + evt.Put("event.type", ["user", "change"]); + break; + case "gov_attack_warning": + case "login_challenge": + case "login_verification": + case "suspicious_login": + case "suspicious_login_less_secure_app": + case "suspicious_programmatic_login": + evt.Put("event.type", ["info"]); + break; + } + }; + + var getParamValue = function(param) { + if (param.value) { + return param.value; + } + if (param.multiValue) { + return param.multiValue; + } + }; + + var processParams = function(evt) { + var params = evt.Get("json.events.parameters"); + if (!params || !Array.isArray(params)) { + return; + } + + var prefixRegex = /^(login_)/; + + params.forEach(function(p){ + p.name = p.name.replace(prefixRegex, ""); + switch (p.name) { + // According to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login + // this is a timestamp in microseconds + case "timestamp": + var millis = p.intValue / 1000; + evt.Put("event.start", new Date(millis).toUTCString()); + break; + case "challenge_status": + if (p.value === "Challenge Passed") { + evt.Put("event.outcome", "success"); + } else { + evt.Put("event.outcome", "failure"); + } + break; + case "is_second_factor": + case "is_suspicious": + evt.Put("gsuite.login."+p.name, p.boolValue); + break; + // the rest of params are strings + default: + evt.Put("gsuite.login."+p.name, getParamValue(p)); + } + }); + + evt.Delete("json.events.parameters"); + }; + + var pipeline = new processor.Chain() + .Add(categorizeEvent) + .Add(processParams) + .Build(); + + return { + process: pipeline.Run, + }; +}()); + +function process(evt) { + return login.process(evt); +} diff --git a/x-pack/filebeat/module/gsuite/login/manifest.yml b/x-pack/filebeat/module/gsuite/login/manifest.yml new file mode 100644 index 00000000000..48570efe448 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/login/manifest.yml @@ -0,0 +1,24 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: jwt_file + - name: delegated_account + - name: initial_interval + default: 24h + - name: http_client_timeout + default: 60s + - name: user_key + default: all + - name: interval + default: 2h + - name: tags + default: [forwarded] + +input: config/config.yml +ingest_pipeline: ../ingest/common.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log new file mode 100644 index 00000000000..b721c74bf48 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log @@ -0,0 +1,14 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_password_leak","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_login_less_secure_app","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_programmatic_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_generic","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_spamming_through_relay","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_spamming","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_hijacked","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"gov_attack_warning"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_failure_type","value":"login_failure_access_code_disallowed"},{"name":"login_type","value":"exchange"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_challenge","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_verification","parameters":[{"name":"is_second_factor","boolValue":false},{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"logout","parameters":[{"name":"login_type","value":"exchange"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"is_suspicious","boolValue":false},{"name":"login_type","value":"exchange"}]}} diff --git a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json new file mode 100644 index 00000000000..00731f235f3 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json @@ -0,0 +1,496 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "account_disabled_password_leak", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "event.provider": "login", + "event.type": [ + "user", + "change" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "account_disabled_generic", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_generic\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "event.provider": "login", + "event.type": [ + "user", + "change" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1776, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "account_disabled_spamming_through_relay", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming_through_relay\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "event.provider": "login", + "event.type": [ + "user", + "change" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2176, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "account_disabled_spamming", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "event.provider": "login", + "event.type": [ + "user", + "change" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.affected_email_address": "foo@elastic.co", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2591, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "gov_attack_warning", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"gov_attack_warning\"}}", + "event.provider": "login", + "event.type": [ + "info" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "account_warning", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3448, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "login_failure", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_failure_type\",\"value\":\"login_failure_access_code_disallowed\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.outcome": "failure", + "event.provider": "login", + "event.type": [ + "start" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "login", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.challenge_method": "backup_code", + "gsuite.login.failure_type": "login_failure_access_code_disallowed", + "gsuite.login.type": "exchange", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3768, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "login_challenge", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_challenge\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.outcome": "failure", + "event.provider": "login", + "event.type": [ + "info" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "login", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.challenge_method": "backup_code", + "gsuite.login.type": "exchange", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4262, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "login_verification", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_verification\",\"parameters\":[{\"name\":\"is_second_factor\",\"boolValue\":false},{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.outcome": "failure", + "event.provider": "login", + "event.type": [ + "info" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "login", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.challenge_method": "backup_code", + "gsuite.login.is_second_factor": false, + "gsuite.login.type": "exchange", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4743, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "logout", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"logout\",\"parameters\":[{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.provider": "login", + "event.type": [ + "end" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "login", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.type": "exchange", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5273, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "login_success", + "event.category": [ + "authentication" + ], + "event.dataset": "gsuite.login", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"is_suspicious\",\"boolValue\":false},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.outcome": "success", + "event.provider": "login", + "event.type": [ + "start" + ], + "fileset.name": "login", + "gsuite.actor.type": "USER", + "gsuite.event.type": "login", + "gsuite.kind": "admin#reports#activity", + "gsuite.login.challenge_method": "backup_code", + "gsuite.login.is_suspicious": false, + "gsuite.login.type": "exchange", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5627, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/saml/config/config.yml b/x-pack/filebeat/module/gsuite/saml/config/config.yml index 4139260481a..1e703737e0d 100644 --- a/x-pack/filebeat/module/gsuite/saml/config/config.yml +++ b/x-pack/filebeat/module/gsuite/saml/config/config.yml @@ -17,10 +17,12 @@ oauth2.google.delegated_account: {{ .delegated_account }} oauth2.scopes: - https://www.googleapis.com/auth/admin.reports.audit.readonly -date_cursor.field: id.time date_cursor.url_field: startTime date_cursor.initial_interval: {{ .initial_interval }} +pagination.id_field: nextPageToken +pagination.url_field: pageToken + {{ else if eq .input "file" }} type: log paths: diff --git a/x-pack/filebeat/module/gsuite/saml/manifest.yml b/x-pack/filebeat/module/gsuite/saml/manifest.yml index 7b6e1e42ced..48570efe448 100644 --- a/x-pack/filebeat/module/gsuite/saml/manifest.yml +++ b/x-pack/filebeat/module/gsuite/saml/manifest.yml @@ -12,7 +12,7 @@ var: - name: user_key default: all - name: interval - default: 5s + default: 2h - name: tags default: [forwarded] diff --git a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json index aa57092897b..36dec3bfb61 100644 --- a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json @@ -1,20 +1,6 @@ [ { "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "login_failure", "event.category": [ "authentication" @@ -49,26 +35,26 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] }, { "@timestamp": "2020-10-02T15:00:01.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "login_success", "event.category": [ "authentication" @@ -101,6 +87,20 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] diff --git a/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml b/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml index 88afbc0d629..773ab620173 100644 --- a/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml +++ b/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml @@ -17,10 +17,12 @@ oauth2.google.delegated_account: {{ .delegated_account }} oauth2.scopes: - https://www.googleapis.com/auth/admin.reports.audit.readonly -date_cursor.field: id.time date_cursor.url_field: startTime date_cursor.initial_interval: {{ .initial_interval }} +pagination.id_field: nextPageToken +pagination.url_field: pageToken + {{ else if eq .input "file" }} type: log paths: diff --git a/x-pack/filebeat/module/gsuite/user_accounts/manifest.yml b/x-pack/filebeat/module/gsuite/user_accounts/manifest.yml index 7b6e1e42ced..48570efe448 100644 --- a/x-pack/filebeat/module/gsuite/user_accounts/manifest.yml +++ b/x-pack/filebeat/module/gsuite/user_accounts/manifest.yml @@ -12,7 +12,7 @@ var: - name: user_key default: all - name: interval - default: 5s + default: 2h - name: tags default: [forwarded] diff --git a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json index a4b00539c9f..47aba59e1da 100644 --- a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json @@ -1,20 +1,6 @@ [ { "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "2sv_disable", "event.category": [ "iam" @@ -43,26 +29,26 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] }, { "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "2sv_enroll", "event.category": [ "iam" @@ -91,26 +77,26 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] }, { "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "password_edit", "event.category": [ "iam" @@ -139,26 +125,26 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] }, { "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "recovery_email_edit", "event.category": [ "iam" @@ -187,26 +173,26 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] }, { "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "recovery_phone_edit", "event.category": [ "iam" @@ -235,26 +221,26 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] }, { "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "recovery_secret_qa_edit", "event.category": [ "iam" @@ -283,26 +269,26 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] }, { "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "titanium_enroll", "event.category": [ "iam" @@ -331,26 +317,26 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] }, { "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", "event.action": "titanium_unenroll", "event.category": [ "iam" @@ -379,6 +365,20 @@ "foo" ], "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", "tags": [ "forwarded" ] diff --git a/x-pack/filebeat/module/ibmmq/errorlog/ingest/pipeline.yml b/x-pack/filebeat/module/ibmmq/errorlog/ingest/pipeline.yml index 80db3a86a86..87c3deacb97 100644 --- a/x-pack/filebeat/module/ibmmq/errorlog/ingest/pipeline.yml +++ b/x-pack/filebeat/module/ibmmq/errorlog/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for parsing MQ error logs. processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - gsub: field: message pattern: ^[\-]{5}[a-z0-9\. :]*[\-]{5,} diff --git a/x-pack/filebeat/module/imperva/_meta/docs.asciidoc b/x-pack/filebeat/module/imperva/_meta/docs.asciidoc index bb1c301cd4c..5f96d5ff79b 100644 --- a/x-pack/filebeat/module/imperva/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/imperva/_meta/docs.asciidoc @@ -51,7 +51,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/imperva/securesphere/config/input.yml b/x-pack/filebeat/module/imperva/securesphere/config/input.yml index 68b88a27df5..e9d408c7b22 100644 --- a/x-pack/filebeat/module/imperva/securesphere/config/input.yml +++ b/x-pack/filebeat/module/imperva/securesphere/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml index 4a84f2a8bc8..a51475c0588 100644 --- a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml +++ b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for Imperva SecureSphere processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original @@ -49,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.hostname}}' + allow_duplicates: false + if: ctx?.host?.hostname != null && ctx.host?.hostname != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json index 4ab905ff64f..7894d6ff317 100644 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json @@ -19,14 +19,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "radipis5408.mail.local" + ], "related.ip": [ "10.81.122.126", "10.70.155.35" ], "related.user": [ "magn", - "aqui", - "tatno" + "tatno", + "aqui" ], "rsa.counters.dclass_c1": 5910, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -105,14 +108,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ccusan7572.api.home" + ], "related.ip": [ "10.58.116.231", "10.159.182.171" ], "related.user": [ - "qua", "temUten", - "uradi" + "uradi", + "qua" ], "rsa.counters.dclass_c1": 3626, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -160,14 +166,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "elaudant5931.internal.invalid" + ], "related.ip": [ "10.232.27.250", "10.18.124.28" ], "related.user": [ - "mquidol", "modocons", - "lapariat" + "lapariat", + "mquidol" ], "rsa.counters.dclass_c1": 6564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -221,9 +230,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "amest4147.mail.host" + ], "related.ip": [ - "10.197.250.10", - "10.6.137.200" + "10.6.137.200", + "10.197.250.10" ], "related.user": [ "oluptas", @@ -287,14 +299,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "eratv6205.internal.lan" + ], "related.ip": [ "10.179.124.125", "10.36.194.106" ], "related.user": [ - "acommod", + "ncidid", "reme", - "ncidid" + "acommod" ], "rsa.counters.event_counter": 2462, "rsa.db.database": "uaUteni", @@ -351,14 +366,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "didunt1355.corp" + ], "related.ip": [ "10.129.149.43", "10.211.105.204" ], "related.user": [ + "eveli", "labor", - "orema", - "eveli" + "orema" ], "rsa.counters.dclass_c1": 6855, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -410,14 +428,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "pora6854.www5.home" + ], "related.ip": [ "10.214.191.180", "10.112.250.193" ], "related.user": [ - "ipsumdol", + "Exc", "ide", - "Exc" + "ipsumdol" ], "rsa.counters.dclass_c1": 6852, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -468,6 +489,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ptasn6599.www.localhost" + ], "related.ip": [ "10.192.34.76", "10.251.20.13" @@ -523,13 +547,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ptasnu6684.mail.lan" + ], "related.ip": [ "10.74.105.218", "10.59.138.212" ], "related.user": [ - "archite", "idunt", + "archite", "boree" ], "rsa.counters.dclass_c1": 248, @@ -582,14 +609,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "rinre2977.api.corp" + ], "related.ip": [ - "10.168.159.13", - "10.230.173.4" + "10.230.173.4", + "10.168.159.13" ], "related.user": [ - "isnostr", + "atemq", "inci", - "atemq" + "isnostr" ], "rsa.counters.dclass_c1": 6135, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -641,6 +671,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "atevelit2450.local" + ], "related.ip": [ "10.41.21.204", "10.49.167.57" @@ -702,14 +735,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "itla658.api.localhost" + ], "related.ip": [ "10.62.147.186", "10.216.125.252" ], "related.user": [ - "lorsita", + "dolore", "llamco", - "dolore" + "lorsita" ], "rsa.counters.event_counter": 4603, "rsa.db.database": "uptate", @@ -769,13 +805,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "umdolor4389.api.home" + ], "related.ip": [ "10.52.125.9", "10.204.128.215" ], "related.user": [ - "paquioff", "nci", + "paquioff", "rum" ], "rsa.counters.event_counter": 332, @@ -783,8 +822,8 @@ "rsa.internal.event_desc": "rumet", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "texpli" + "texpli", + "deny" ], "rsa.misc.category": "verita", "rsa.misc.disposition": "sectet", @@ -832,13 +871,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "rationev6444.localhost" + ], "related.ip": [ - "10.200.68.129", - "10.34.148.166" + "10.34.148.166", + "10.200.68.129" ], "related.user": [ - "miu", "icabo", + "miu", "untutlab" ], "rsa.counters.dclass_c1": 5427, @@ -887,6 +929,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ipi7727.www5.domain" + ], "related.ip": [ "10.134.5.40", "10.226.101.180" @@ -946,9 +991,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "spernatu5539.domain" + ], "related.ip": [ - "10.126.26.131", - "10.30.98.10" + "10.30.98.10", + "10.126.26.131" ], "related.user": [ "dipisci", @@ -1005,14 +1053,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nimid372.api.corp" + ], "related.ip": [ "10.233.120.207", "10.190.10.219" ], "related.user": [ "item", - "accusant", - "quamnih" + "quamnih", + "accusant" ], "rsa.counters.dclass_c1": 3278, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1092,13 +1143,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "maliquam2147.internal.home" + ], "related.ip": [ - "10.248.184.200", - "10.100.98.56" + "10.100.98.56", + "10.248.184.200" ], "related.user": [ - "proident", "ritati", + "proident", "boru" ], "rsa.counters.dclass_c1": 5923, @@ -1151,14 +1205,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "olabor2983.internal.localhost" + ], "related.ip": [ "10.197.6.245", "10.82.28.220" ], "related.user": [ - "aecatcup", "oluptat", - "dtempo" + "dtempo", + "aecatcup" ], "rsa.counters.dclass_c1": 3071, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1210,6 +1267,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "hitec2111.mail.corp" + ], "related.ip": [ "10.167.252.183", "10.6.27.103" @@ -1271,22 +1331,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "adminim2559.www5.invalid" + ], "related.ip": [ "10.81.184.7", "10.88.45.111" ], "related.user": [ + "lmole", "iameaque", - "undeomni", - "lmole" + "undeomni" ], "rsa.counters.event_counter": 6344, "rsa.db.database": "nderi", "rsa.internal.event_desc": "iae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "illu" + "illu", + "deny" ], "rsa.misc.category": "quido", "rsa.misc.disposition": "emip", @@ -1336,14 +1399,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "dolorem6882.api.local" + ], "related.ip": [ - "10.214.3.140", - "10.29.119.245" + "10.29.119.245", + "10.214.3.140" ], "related.user": [ + "edolorin", "scipitl", - "taliqui", - "edolorin" + "taliqui" ], "rsa.counters.dclass_c1": 5140, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1397,22 +1463,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "temaccu5302.test" + ], "related.ip": [ - "10.218.123.234", - "10.110.133.7" + "10.110.133.7", + "10.218.123.234" ], "related.user": [ - "etconsec", + "caboNem", "pta", - "caboNem" + "etconsec" ], "rsa.counters.event_counter": 5347, "rsa.db.database": "urExcept", "rsa.internal.event_desc": "liquid", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "vitaed", - "allow" + "allow", + "vitaed" ], "rsa.misc.category": "enim", "rsa.misc.disposition": "Finibus", @@ -1462,6 +1531,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nder347.www.corp" + ], "related.ip": [ "10.105.190.170", "10.182.152.242" @@ -1523,13 +1595,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "idunt4633.internal.host" + ], "related.ip": [ "10.59.188.188", "10.123.166.197" ], "related.user": [ - "liquam", "emUte", + "liquam", "min" ], "rsa.counters.event_counter": 7102, @@ -1587,14 +1662,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ectob4634.mail.localhost" + ], "related.ip": [ - "10.201.168.116", - "10.72.75.207" + "10.72.75.207", + "10.201.168.116" ], "related.user": [ - "urau", + "eFini", "eufug", - "eFini" + "urau" ], "rsa.counters.dclass_c1": 3348, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1646,14 +1724,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "snu6436.www.local" + ], "related.ip": [ "10.9.46.123", "10.58.133.175" ], "related.user": [ - "nde", + "oco", "mfu", - "oco" + "nde" ], "rsa.counters.dclass_c1": 3795, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1705,14 +1786,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "lore7099.www.host" + ], "related.ip": [ - "10.70.29.203", - "10.169.50.59" + "10.169.50.59", + "10.70.29.203" ], "related.user": [ - "pta", + "mquisnos", "veniamq", - "mquisnos" + "pta" ], "rsa.counters.dclass_c1": 2358, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1764,14 +1848,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "lesti6939.api.local" + ], "related.ip": [ "10.137.85.123", "10.165.182.111" ], "related.user": [ "ames", - "sis", - "Bonorum" + "Bonorum", + "sis" ], "rsa.counters.dclass_c1": 6401, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1853,14 +1940,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "upt6017.api.localdomain" + ], "related.ip": [ - "10.173.178.109", - "10.64.184.196" + "10.64.184.196", + "10.173.178.109" ], "related.user": [ - "uian", "tam", - "nesci" + "nesci", + "uian" ], "rsa.counters.event_counter": 4493, "rsa.db.database": "sin", @@ -1918,9 +2008,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "turQuis4046.api.test" + ], "related.ip": [ - "10.168.225.209", - "10.90.50.149" + "10.90.50.149", + "10.168.225.209" ], "related.user": [ "aUtenima", @@ -1977,14 +2070,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "con6049.internal.lan" + ], "related.ip": [ "10.59.182.36", "10.18.150.82" ], "related.user": [ "mtota", - "qua", - "luptat" + "luptat", + "qua" ], "rsa.counters.dclass_c1": 6112, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2063,14 +2159,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tatnonp1371.www.invalid" + ], "related.ip": [ - "10.228.229.144", - "10.151.240.35" + "10.151.240.35", + "10.228.229.144" ], "related.user": [ - "lam", "ametcons", - "ama" + "ama", + "lam" ], "rsa.counters.dclass_c1": 4325, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2118,13 +2217,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tium3542.internal.invalid" + ], "related.ip": [ "10.242.48.203", "10.147.142.242" ], "related.user": [ - "quisn", "ese", + "quisn", "quasi" ], "rsa.counters.dclass_c1": 3970, @@ -2179,14 +2281,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "radipis3991.mail.invalid" + ], "related.ip": [ "10.213.165.165", "10.254.10.98" ], "related.user": [ - "ttenb", "civeli", - "eufugia" + "eufugia", + "ttenb" ], "rsa.counters.event_counter": 7365, "rsa.db.database": "utlabore", @@ -2274,14 +2379,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ihi7294.www5.localhost" + ], "related.ip": [ - "10.116.1.130", - "10.169.28.157" + "10.169.28.157", + "10.116.1.130" ], "related.user": [ "reseo", - "eturadip", - "amco" + "amco", + "eturadip" ], "rsa.counters.event_counter": 1295, "rsa.db.database": "ons", @@ -2339,9 +2447,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "caecat4920.api.host" + ], "related.ip": [ - "10.45.69.152", - "10.29.138.31" + "10.29.138.31", + "10.45.69.152" ], "related.user": [ "volupta", @@ -2398,14 +2509,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "setquas6188.internal.local" + ], "related.ip": [ "10.100.113.11", "10.152.213.228" ], "related.user": [ "ptatev", - "velillum", - "itationu" + "itationu", + "velillum" ], "rsa.counters.dclass_c1": 7245, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2485,14 +2599,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nibusBo3674.www5.localhost" + ], "related.ip": [ "10.208.33.55", "10.248.102.129" ], "related.user": [ - "ulapari", + "mremaper", "inimv", - "mremaper" + "ulapari" ], "rsa.counters.dclass_c1": 6433, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2544,14 +2661,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "totamr7676.www5.home" + ], "related.ip": [ "10.203.164.132", "10.109.230.216" ], "related.user": [ + "mporin", "ectobea", - "ibus", - "mporin" + "ibus" ], "rsa.counters.dclass_c1": 547, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2603,14 +2723,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "idents7231.mail.home" + ], "related.ip": [ - "10.117.81.75", - "10.151.203.60" + "10.151.203.60", + "10.117.81.75" ], "related.user": [ "iconsequ", - "dol", - "exeac" + "exeac", + "dol" ], "rsa.counters.dclass_c1": 484, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2662,13 +2785,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tat50.mail.host" + ], "related.ip": [ "10.224.217.153", "10.45.152.205" ], "related.user": [ - "utlabo", "eriti", + "utlabo", "imav" ], "rsa.counters.dclass_c1": 922, @@ -2722,22 +2848,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "mips3283.corp" + ], "related.ip": [ - "10.60.164.100", - "10.1.193.187" + "10.1.193.187", + "10.60.164.100" ], "related.user": [ - "adipis", + "hite", "ugi", - "hite" + "adipis" ], "rsa.counters.event_counter": 508, "rsa.db.database": "abo", "rsa.internal.event_desc": "epteurs", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "allow", - "taevitae" + "taevitae", + "allow" ], "rsa.misc.category": "itse", "rsa.misc.disposition": "rever", @@ -2786,9 +2915,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "aliquip7229.mail.domain" + ], "related.ip": [ - "10.146.228.234", - "10.248.244.203" + "10.248.244.203", + "10.146.228.234" ], "related.user": [ "mquamei", @@ -2841,14 +2973,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "fde7756.mail.corp" + ], "related.ip": [ "10.122.127.237", "10.86.121.152" ], "related.user": [ - "nimv", "ine", - "consecte" + "consecte", + "nimv" ], "rsa.counters.dclass_c1": 2771, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2900,9 +3035,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "agnama5013.internal.example" + ], "related.ip": [ - "10.204.223.184", - "10.201.223.119" + "10.201.223.119", + "10.204.223.184" ], "related.user": [ "rcit", @@ -2959,14 +3097,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "edictas4693.home" + ], "related.ip": [ "10.223.56.33", "10.200.12.126" ], "related.user": [ + "magnido", "Nequepo", - "elitsedd", - "magnido" + "elitsedd" ], "rsa.counters.dclass_c1": 3243, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3020,13 +3161,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nibu2565.api.local" + ], "related.ip": [ "10.94.89.177", "10.65.225.101" ], "related.user": [ - "citation", "tuserror", + "citation", "emquel" ], "rsa.counters.event_counter": 2513, @@ -3034,8 +3178,8 @@ "rsa.internal.event_desc": "atuse", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "eruntmol" + "eruntmol", + "cancel" ], "rsa.misc.category": "imad", "rsa.misc.disposition": "tura", @@ -3084,13 +3228,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tsun7120.home" + ], "related.ip": [ "10.65.174.196", "10.191.184.105" ], "related.user": [ - "tione", "iin", + "tione", "uta" ], "rsa.counters.dclass_c1": 5836, @@ -3141,9 +3288,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "lumquid6940.mail.localdomain" + ], "related.ip": [ - "10.224.148.48", - "10.41.181.179" + "10.41.181.179", + "10.224.148.48" ], "related.user": [ "equepor", @@ -3206,9 +3356,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "amcorp7299.api.example" + ], "related.ip": [ - "10.21.61.134", - "10.21.208.103" + "10.21.208.103", + "10.21.61.134" ], "related.user": [ "ostr", @@ -3265,14 +3418,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "magnama868.api.local" + ], "related.ip": [ - "10.221.192.116", - "10.23.6.216" + "10.23.6.216", + "10.221.192.116" ], "related.user": [ "iarchit", - "tevelite", - "iamquisn" + "iamquisn", + "tevelite" ], "rsa.counters.dclass_c1": 639, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3326,13 +3482,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tionevol3157.mail.invalid" + ], "related.ip": [ - "10.240.62.238", - "10.191.142.143" + "10.191.142.143", + "10.240.62.238" ], "related.user": [ - "modtempo", "nofde", + "modtempo", "animide" ], "rsa.counters.event_counter": 7580, @@ -3392,9 +3551,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "mquis319.api.local" + ], "related.ip": [ - "10.111.22.134", - "10.178.79.217" + "10.178.79.217", + "10.111.22.134" ], "related.user": [ "ccusan", @@ -3456,14 +3618,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "urad5712.api.host" + ], "related.ip": [ "10.161.225.172", "10.77.86.215" ], "related.user": [ + "xerc", "meaqu", - "rcit", - "xerc" + "rcit" ], "rsa.counters.dclass_c1": 7286, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3514,13 +3679,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "enbyCic4659.www5.example" + ], "related.ip": [ "10.186.133.184", "10.211.161.187" ], "related.user": [ - "sci", "boriosa", + "sci", "acons" ], "rsa.counters.dclass_c1": 1578, @@ -3568,14 +3736,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "inBCSed5308.api.corp" + ], "related.ip": [ "10.254.198.47", "10.160.147.230" ], "related.user": [ - "illoin", "nimvenia", - "ndeomnis" + "ndeomnis", + "illoin" ], "rsa.counters.dclass_c1": 5988, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3623,14 +3794,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "reseo2067.api.localdomain" + ], "related.ip": [ "10.182.197.243", "10.40.24.93" ], "related.user": [ - "orisnis", "exerci", - "mSecti" + "mSecti", + "orisnis" ], "rsa.counters.dclass_c1": 4129, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3682,14 +3856,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "itte6905.mail.invalid" + ], "related.ip": [ "10.249.13.159", "10.108.130.106" ], "related.user": [ - "colab", "uisautei", - "exeacomm" + "exeacomm", + "colab" ], "rsa.counters.dclass_c1": 1044, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3743,6 +3920,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "caboNemo274.www.host" + ], "related.ip": [ "10.39.244.49", "10.64.94.174" @@ -3757,8 +3937,8 @@ "rsa.internal.event_desc": "enimips", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "gna" + "gna", + "cancel" ], "rsa.misc.category": "Nequepor", "rsa.misc.disposition": "nisiu", @@ -3863,14 +4043,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "qui5978.api.test" + ], "related.ip": [ - "10.134.135.22", - "10.115.203.143" + "10.115.203.143", + "10.134.135.22" ], "related.user": [ + "involu", "orpori", - "utoditau", - "involu" + "utoditau" ], "rsa.counters.dclass_c1": 7868, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3922,6 +4105,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "iamq2577.internal.corp" + ], "related.ip": [ "10.43.244.252", "10.251.212.166" @@ -4009,14 +4195,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "usB4127.localhost" + ], "related.ip": [ "10.88.189.164", "10.20.231.188" ], "related.user": [ - "mqu", + "tesseq", "uatDuisa", - "tesseq" + "mqu" ], "rsa.counters.dclass_c1": 1623, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4096,13 +4285,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "abor3266.mail.home" + ], "related.ip": [ - "10.231.77.26", - "10.225.11.197" + "10.225.11.197", + "10.231.77.26" ], "related.user": [ - "volu", "ineavol", + "volu", "rehe" ], "rsa.counters.dclass_c1": 3064, @@ -4153,14 +4345,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "eprehe2455.www.home" + ], "related.ip": [ - "10.106.166.105", - "10.148.3.197" + "10.148.3.197", + "10.106.166.105" ], "related.user": [ - "avolup", "olupt", - "usa" + "usa", + "avolup" ], "rsa.counters.dclass_c1": 2658, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4208,14 +4403,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "destla2110.www5.localdomain" + ], "related.ip": [ "10.57.169.205", "10.172.121.239" ], "related.user": [ + "ipsu", "iuta", - "ctas", - "ipsu" + "ctas" ], "rsa.counters.dclass_c1": 392, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4267,6 +4465,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "exerc3694.api.home" + ], "related.ip": [ "10.129.234.200", "10.42.218.103" @@ -4326,14 +4527,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ididu5928.www5.local" + ], "related.ip": [ - "10.111.132.221", - "10.76.121.224" + "10.76.121.224", + "10.111.132.221" ], "related.user": [ - "ali", + "oloremi", "scive", - "oloremi" + "ali" ], "rsa.counters.dclass_c1": 6155, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4385,14 +4589,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "boriosa7066.www.corp" + ], "related.ip": [ - "10.17.214.21", - "10.195.8.141" + "10.195.8.141", + "10.17.214.21" ], "related.user": [ + "dolo", "ota", - "enimip", - "dolo" + "enimip" ], "rsa.counters.dclass_c1": 469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4444,13 +4651,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ssusc1892.internal.host" + ], "related.ip": [ "10.179.60.167", "10.173.13.179" ], "related.user": [ - "ptasn", "apar", + "ptasn", "isn" ], "rsa.counters.dclass_c1": 758, @@ -4503,14 +4713,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "iatisund424.mail.localdomain" + ], "related.ip": [ - "10.42.135.34", - "10.178.190.123" + "10.178.190.123", + "10.42.135.34" ], "related.user": [ - "ore", + "tiset", "orsi", - "tiset" + "ore" ], "rsa.counters.dclass_c1": 2290, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4590,6 +4803,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "uidolo7626.local" + ], "related.ip": [ "10.207.198.239", "10.8.147.176" @@ -4648,13 +4864,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "dmini3435.internal.domain" + ], "related.ip": [ - "10.206.221.180", - "10.116.26.185" + "10.116.26.185", + "10.206.221.180" ], "related.user": [ - "litesseq", "oNe", + "litesseq", "nseq" ], "rsa.counters.dclass_c1": 3218, @@ -4703,9 +4922,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nibusBo1864.domain" + ], "related.ip": [ - "10.86.180.150", - "10.253.127.130" + "10.253.127.130", + "10.86.180.150" ], "related.user": [ "mnisis", @@ -4764,6 +4986,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "inv6528.www5.example" + ], "related.ip": [ "10.220.175.201", "10.158.161.5" @@ -4855,14 +5080,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nisiutal4437.www.example" + ], "related.ip": [ - "10.248.16.82", - "10.150.27.144" + "10.150.27.144", + "10.248.16.82" ], "related.user": [ + "res", "ditautf", - "tuserror", - "res" + "tuserror" ], "rsa.counters.dclass_c1": 4367, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4914,14 +5142,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tqui5172.www.local" + ], "related.ip": [ - "10.173.19.140", - "10.146.131.76" + "10.146.131.76", + "10.173.19.140" ], "related.user": [ - "Except", + "orsi", "olo", - "orsi" + "Except" ], "rsa.counters.dclass_c1": 5844, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4972,9 +5203,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "intocca6708.mail.corp" + ], "related.ip": [ - "10.69.5.227", - "10.171.175.165" + "10.171.175.165", + "10.69.5.227" ], "related.user": [ "rumw", @@ -5027,14 +5261,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "isetqu2843.www.invalid" + ], "related.ip": [ "10.213.214.118", "10.253.175.129" ], "related.user": [ "nrep", - "epteurs", - "ate" + "ate", + "epteurs" ], "rsa.counters.dclass_c1": 6260, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5088,13 +5325,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "commodo6041.mail.localhost" + ], "related.ip": [ "10.149.91.130", "10.89.26.170" ], "related.user": [ - "aboris", "atus", + "aboris", "orumetMa" ], "rsa.counters.event_counter": 5863, @@ -5154,22 +5394,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "gitse6744.api.local" + ], "related.ip": [ "10.81.108.232", "10.52.106.68" ], "related.user": [ - "aco", + "uaturve", "neavolup", - "uaturve" + "aco" ], "rsa.counters.event_counter": 5098, "rsa.db.database": "lapa", "rsa.internal.event_desc": "pis", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "Quisaut", - "allow" + "allow", + "Quisaut" ], "rsa.misc.category": "idol", "rsa.misc.disposition": "mmodico", @@ -5221,9 +5464,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "par3605.internal.localdomain" + ], "related.ip": [ - "10.223.10.28", - "10.230.48.97" + "10.230.48.97", + "10.223.10.28" ], "related.user": [ "erit", @@ -5235,8 +5481,8 @@ "rsa.internal.event_desc": "itatiset", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "tconse", - "deny" + "deny", + "tconse" ], "rsa.misc.category": "uaerat", "rsa.misc.disposition": "met", @@ -5286,14 +5532,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "isau4356.www.home" + ], "related.ip": [ "10.115.42.231", "10.161.212.150" ], "related.user": [ - "tasnul", "sequamn", - "res" + "res", + "tasnul" ], "rsa.counters.dclass_c1": 4846, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5347,22 +5596,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "labo3477.www5.domain" + ], "related.ip": [ - "10.247.108.144", - "10.226.75.20" + "10.226.75.20", + "10.247.108.144" ], "related.user": [ - "fugia", + "maccusan", "tema", - "maccusan" + "fugia" ], "rsa.counters.event_counter": 3711, "rsa.db.database": "psa", "rsa.internal.event_desc": "stiaec", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "iat" + "iat", + "block" ], "rsa.misc.category": "officia", "rsa.misc.disposition": "ametcon", @@ -5411,14 +5663,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "itseddo2209.mail.domain" + ], "related.ip": [ - "10.192.15.65", - "10.97.22.61" + "10.97.22.61", + "10.192.15.65" ], "related.user": [ + "illumd", "rExcep", - "nimides", - "illumd" + "nimides" ], "rsa.counters.dclass_c1": 4173, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5468,13 +5723,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "duntutl3396.api.host" + ], "related.ip": [ - "10.116.76.161", - "10.197.254.133" + "10.197.254.133", + "10.116.76.161" ], "related.user": [ - "ide", "trudex", + "ide", "idu" ], "rsa.counters.event_counter": 2608, @@ -5532,14 +5790,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "colabo6686.internal.invalid" + ], "related.ip": [ - "10.28.77.79", - "10.144.14.15" + "10.144.14.15", + "10.28.77.79" ], "related.user": [ "rspic", - "utlab", - "upta" + "upta", + "utlab" ], "rsa.counters.dclass_c1": 4810, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5590,14 +5851,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tsunti1164.www.example" + ], "related.ip": [ "10.18.15.43", "10.248.177.182" ], "related.user": [ "quei", - "quaturve", - "caecat" + "caecat", + "quaturve" ], "rsa.counters.dclass_c1": 983, "rsa.counters.dclass_c1_str": "Affected Rows", diff --git a/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc b/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc index 9b53fa89810..90b29c1ebcb 100644 --- a/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/infoblox/_meta/docs.asciidoc @@ -51,7 +51,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/infoblox/nios/config/input.yml b/x-pack/filebeat/module/infoblox/nios/config/input.yml index 35ad775a3aa..b464486074b 100644 --- a/x-pack/filebeat/module/infoblox/nios/config/input.yml +++ b/x-pack/filebeat/module/infoblox/nios/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml index 5693b4aea49..dd46c730477 100644 --- a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml +++ b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for Infoblox NIOS processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original @@ -49,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' + - append: + field: related.hosts + value: '{{rsa.misc.event_source}}' + allow_duplicates: false + if: ctx?.rsa?.misc?.event_source != null && ctx.rsa?.misc?.event_source != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json index 9552bff05b5..9d1e178db5a 100644 --- a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json +++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json @@ -12,6 +12,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.5191", + "related.hosts": [ + "volup208.invalid" + ], "rsa.db.index": "mwritten", "rsa.internal.messageid": "openvpn-master", "rsa.misc.event_source": "volup208.invalid", @@ -38,6 +41,10 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "atio5608.www5.localhost", + "com1060.api.example" + ], "related.ip": [ "10.202.204.154" ], @@ -73,6 +80,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ptass3168.www5.example" + ], "related.ip": [ "10.13.70.213" ], @@ -100,6 +110,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mcolabor1656.www5.corp" + ], "rsa.internal.data": "veleumi", "rsa.internal.event_desc": "tia", "rsa.internal.messageid": "acpid", @@ -124,6 +137,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "Cice513.api.local" + ], "rsa.db.index": "occ", "rsa.internal.event_desc": "ect", "rsa.internal.messageid": "openvpn-member", @@ -148,6 +164,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "obeataev7086.mail.invalid" + ], "rsa.internal.event_desc": "natura", "rsa.internal.messageid": "speedstep_control", "rsa.misc.event_source": "obeataev7086.mail.invalid", @@ -170,6 +189,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "nibusBon7400.localhost" + ], "rsa.internal.messageid": "ErrorMsg", "rsa.misc.event_source": "nibusBon7400.localhost", "rsa.misc.result": "success", @@ -192,6 +214,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "iat1852.api.localdomain" + ], "rsa.internal.event_desc": "ntpd exiting", "rsa.internal.messageid": "ntpd_initres", "rsa.misc.event_source": "iat1852.api.localdomain", @@ -214,6 +239,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mquisnos5771.example" + ], "related.ip": [ "10.104.111.129" ], @@ -244,6 +272,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.3162", + "related.hosts": [ + "ite996.host" + ], "rsa.email.email_src": "umdolore", "rsa.internal.data": "umdo", "rsa.internal.messageid": "kernel", @@ -268,6 +299,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "enim2780.www.lan" + ], "rsa.internal.data": "eriame", "rsa.internal.event_desc": "lorema", "rsa.internal.messageid": "rc6", @@ -292,6 +326,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "emporinc5075.internal.host" + ], "rsa.internal.data": "atcu", "rsa.internal.messageid": "watchdog", "rsa.misc.event_source": "emporinc5075.internal.host", @@ -315,6 +352,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "strude910.internal.local" + ], "rsa.internal.event_desc": "shutting down for system reboot", "rsa.internal.messageid": "shutdown", "rsa.misc.event_source": "strude910.internal.local", @@ -357,6 +397,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "itaut7095.invalid" + ], "rsa.internal.messageid": "rc", "rsa.misc.client": "ritatis", "rsa.misc.event_source": "itaut7095.invalid", @@ -379,6 +422,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "colabor1552.www5.local" + ], "rsa.internal.event_desc": "lorumw", "rsa.internal.messageid": "phonehome", "rsa.misc.event_source": "colabor1552.www5.local", @@ -401,6 +447,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "inima5444.www5.lan" + ], "rsa.internal.data": "nihi", "rsa.internal.event_desc": "Lor", "rsa.internal.messageid": "validate_dhcpd", @@ -424,6 +473,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "erc3217.internal.lan" + ], "rsa.internal.data": "olupt", "rsa.internal.event_desc": "modoco", "rsa.internal.messageid": "debug_mount", @@ -449,6 +501,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "uames499.internal.host" + ], "related.ip": [ "10.45.25.68" ], @@ -482,6 +537,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.2299", + "related.hosts": [ + "iineavo951.internal.test" + ], "rsa.internal.data": "intoccae", "rsa.internal.messageid": "rcsysinit", "rsa.misc.event_source": "iineavo951.internal.test", @@ -505,6 +563,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "Loremip6417.mail.test" + ], "rsa.db.index": "emoeni", "rsa.internal.event_desc": "oenimips", "rsa.internal.messageid": "syslog", @@ -528,6 +589,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mnisist2347.mail.host" + ], "rsa.internal.data": "temveleu", "rsa.internal.event_desc": "Sent mail for colabo (eme)", "rsa.internal.messageid": "sSMTP", @@ -552,6 +616,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.2807", + "related.hosts": [ + "datatn5076.internal.example" + ], "rsa.internal.event_desc": "ihilm", "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "datatn5076.internal.example", @@ -575,6 +642,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ercit2385.internal.home" + ], "rsa.internal.data": "run", "rsa.internal.event_desc": "building file list", "rsa.internal.messageid": "rsyncd", @@ -598,6 +668,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "quisnos4590.mail.domain" + ], "rsa.internal.event_desc": "eritqu", "rsa.internal.messageid": "httpd", "rsa.misc.event_source": "quisnos4590.mail.domain", @@ -620,6 +693,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "wri2784.api.domain" + ], "rsa.db.index": "hitect", "rsa.internal.event_desc": "dol", "rsa.internal.messageid": "restarting", @@ -643,6 +719,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "asun1250.api.localdomain" + ], "rsa.internal.data": "oluptate", "rsa.internal.event_desc": "onseq", "rsa.internal.messageid": "rc3", @@ -667,6 +746,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "intoc2428.domain" + ], "rsa.internal.data": "dantiumt", "rsa.internal.messageid": "scheduled_backups", "rsa.misc.device_name": "luptasn", @@ -690,6 +772,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ento4488.www5.localhost" + ], "rsa.internal.event_desc": "amre", "rsa.internal.messageid": "rc6", "rsa.misc.event_source": "ento4488.www5.localhost", @@ -712,6 +797,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "boris5916.www5.example" + ], "rsa.internal.data": "uioffi", "rsa.internal.event_desc": "Distribution Complete", "rsa.internal.messageid": "controld", @@ -735,6 +823,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "temqu3331.api.host" + ], "rsa.internal.event_desc": "reseos", "rsa.internal.messageid": "phonehome", "rsa.misc.event_source": "temqu3331.api.host", @@ -782,6 +873,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "radi1512.mail.example" + ], "rsa.db.index": "ris", "rsa.internal.event_desc": "uamqu", "rsa.internal.messageid": "openvpn-member", @@ -806,6 +900,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "onsecte7184.mail.domain" + ], "rsa.internal.event_desc": "reme", "rsa.internal.messageid": "syslog-ng", "rsa.misc.event_source": "onsecte7184.mail.domain", @@ -828,6 +925,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "eveli265.www5.localdomain" + ], "rsa.db.index": "nse", "rsa.internal.messageid": "ipmievd", "rsa.misc.event_source": "eveli265.www5.localdomain", @@ -853,6 +953,10 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "uptatema6843.www.host", + "derit4688.mail.localhost" + ], "related.ip": [ "10.74.104.215" ], @@ -887,6 +991,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "evolup4403.local" + ], "rsa.internal.data": "smo", "rsa.internal.messageid": "INFOBLOX-Grid", "rsa.misc.event_source": "evolup4403.local", @@ -909,6 +1016,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "nonn839.api.corp" + ], "rsa.internal.event_desc": "temquiav", "rsa.internal.messageid": "smart_check_io", "rsa.misc.event_source": "nonn839.api.corp", @@ -931,6 +1041,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "adm7744.mail.domain" + ], "rsa.internal.event_desc": "isc", "rsa.internal.messageid": "rcsysinit", "rsa.misc.event_source": "adm7744.mail.domain", @@ -955,6 +1068,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "process.pid": 845, + "related.hosts": [ + "ios6980.example" + ], "rsa.internal.messageid": "watchdog", "rsa.misc.action": [ "deny" @@ -979,6 +1095,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "osquira6030.internal.corp" + ], "rsa.internal.data": "com", "rsa.internal.event_desc": "tnulapa", "rsa.internal.messageid": "diskcheck", @@ -1002,6 +1121,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "squirati63.mail.lan" + ], "rsa.internal.data": "nbyCic", "rsa.internal.event_desc": "utlabor", "rsa.internal.messageid": "watchdog", @@ -1025,6 +1147,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "lup2134.www.localhost" + ], "rsa.internal.data": "upida", "rsa.internal.messageid": "rc", "rsa.misc.client": "tvolupt", @@ -1048,6 +1173,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "umdo4017.www.local" + ], "rsa.internal.data": "ati", "rsa.internal.event_desc": "uine", "rsa.internal.messageid": "snmptrapd", @@ -1071,6 +1199,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "loreme853.www5.localdomain" + ], "rsa.internal.event_desc": "con", "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "loreme853.www5.localdomain", @@ -1094,6 +1225,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "orumSe728.internal.test" + ], "rsa.db.index": "evit", "rsa.internal.data": "itess", "rsa.internal.event_desc": "runtm", @@ -1119,6 +1253,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "oremi7400.www.local" + ], "rsa.internal.data": "ineavo", "rsa.internal.event_desc": "pexe", "rsa.internal.messageid": "acpid", @@ -1142,6 +1279,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ess651.test" + ], "related.ip": [ "10.143.187.97" ], @@ -1171,6 +1311,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "epre6970.www.example" + ], "related.user": [ "temUt" ], @@ -1202,6 +1345,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "tali7803.www.localdomain" + ], "rsa.internal.event_desc": "ender", "rsa.internal.messageid": "httpd", "rsa.misc.event_source": "tali7803.www.localdomain", @@ -1225,6 +1371,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "uradi6198.test" + ], "rsa.internal.event_desc": "frequency initialized from file", "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "uradi6198.test", @@ -1248,6 +1397,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "umSe1918.local" + ], "rsa.counters.dclass_c1": 2836, "rsa.internal.event_desc": "ntpd exiting on signal", "rsa.internal.messageid": "ntpd", @@ -1271,6 +1423,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "odoconse228.mail.localdomain" + ], "rsa.internal.event_desc": "tenim", "rsa.internal.messageid": "syslog-ng", "rsa.misc.event_source": "odoconse228.mail.localdomain", @@ -1293,6 +1448,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "cteturad4074.mail.host" + ], "rsa.internal.event_desc": "tetu", "rsa.internal.messageid": "validate_dhcpd", "rsa.misc.event_source": "cteturad4074.mail.host", @@ -1315,6 +1473,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "itation6137.home" + ], "rsa.internal.event_desc": "sequat", "rsa.internal.messageid": "debug_mount", "rsa.misc.event_source": "itation6137.home", @@ -1359,6 +1520,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "dun1276.api.localdomain" + ], "rsa.internal.event_desc": "time slew duraion", "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "dun1276.api.localdomain", @@ -1382,6 +1546,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "iquidexe304.mail.test" + ], "rsa.internal.event_desc": "oreetd", "rsa.internal.messageid": "smart_check_io", "rsa.misc.event_source": "iquidexe304.mail.test", @@ -1405,6 +1572,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "preh2690.api.localdomain" + ], "rsa.internal.data": "mac", "rsa.internal.event_desc": "qui", "rsa.internal.messageid": "captured_dns_uploader", @@ -1430,6 +1600,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.7214", + "related.hosts": [ + "rem3032.mail.domain" + ], "rsa.email.email_src": "ica", "rsa.internal.messageid": "kernel", "rsa.misc.event_source": "rem3032.mail.domain", @@ -1455,6 +1628,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.7727", + "related.hosts": [ + "tetur2694.mail.local" + ], "rsa.db.index": "itinv", "rsa.internal.messageid": "openvpn-member", "rsa.misc.event_source": "tetur2694.mail.local", @@ -1478,6 +1654,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "utaliqu6138.mail.localhost" + ], "rsa.internal.event_desc": "can't read sid", "rsa.internal.messageid": "pidof", "rsa.misc.client": "oremi", @@ -1501,6 +1680,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "tame4953.mail.localhost" + ], "rsa.db.index": "prehen", "rsa.internal.event_desc": "ntutlabo", "rsa.internal.messageid": "restarting", @@ -1525,6 +1707,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "loi7596.www5.home" + ], "rsa.internal.data": "deserun", "rsa.internal.messageid": "scheduled_backups", "rsa.misc.device_name": "esseq", @@ -1548,6 +1733,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mmodoc4947.internal.test" + ], "rsa.internal.data": "atu", "rsa.internal.messageid": "ErrorMsg", "rsa.misc.event_source": "mmodoc4947.internal.test", @@ -1571,6 +1759,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "olorem2760.www5.test" + ], "rsa.internal.event_desc": "ntpd exiting", "rsa.internal.messageid": "ntpd_initres", "rsa.misc.event_source": "olorem2760.www5.test", @@ -1593,6 +1784,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "dol3346.www.lan" + ], "rsa.internal.data": "olorese", "rsa.internal.event_desc": "Scheduled backup to the FTP server failed", "rsa.internal.messageid": "scheduled_ftp_backups", @@ -1619,6 +1813,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ercit6496.api.local" + ], "rsa.internal.event_desc": "Scheduled backup to the SCP server was successful", "rsa.internal.messageid": "scheduled_scp_backups", "rsa.misc.device_name": "midestl", @@ -1662,6 +1859,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "col3570.www.invalid" + ], "rsa.email.email_dst": "tsed", "rsa.internal.messageid": "sSMTP", "rsa.misc.event_source": "col3570.www.invalid", @@ -1685,6 +1885,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mipsamvo4282.api.home" + ], "rsa.internal.event_desc": "oreveri", "rsa.internal.messageid": "init", "rsa.misc.event_source": "mipsamvo4282.api.home", @@ -1707,6 +1910,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "umq1309.api.test" + ], "rsa.internal.event_desc": "mve", "rsa.internal.messageid": "debug", "rsa.misc.event_source": "umq1309.api.test", @@ -1729,6 +1935,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ugit5828.www5.test" + ], "rsa.internal.data": "asnu", "rsa.internal.messageid": "rc", "rsa.misc.client": "hitec", @@ -1772,6 +1981,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "archite1843.mail.home" + ], "rsa.internal.event_desc": "uta", "rsa.internal.messageid": "radiusd", "rsa.misc.event_source": "archite1843.mail.home", @@ -1794,6 +2006,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "derit5270.mail.local" + ], "rsa.internal.event_desc": "ntexpl", "rsa.internal.messageid": "rcsysinit", "rsa.misc.event_source": "derit5270.mail.local", @@ -1816,6 +2031,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "itanim4024.api.example" + ], "related.ip": [ "10.156.34.19" ], @@ -1873,6 +2091,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ataevi1984.internal.host" + ], "related.ip": [ "10.17.87.79" ], @@ -1900,6 +2121,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "tionula1586.host" + ], "rsa.internal.data": "idolor", "rsa.internal.event_desc": "ntpd exiting", "rsa.internal.messageid": "ntpd_initres", @@ -1923,6 +2147,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "llam1884.www.corp" + ], "rsa.internal.event_desc": "time slew duraion", "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "llam1884.www.corp", @@ -1946,6 +2173,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ore5643.api.lan" + ], "rsa.internal.data": "edolorin", "rsa.internal.event_desc": "dolorem", "rsa.internal.messageid": "acpid", @@ -1969,6 +2199,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "exeacomm79.api.corp" + ], "rsa.internal.data": "mides", "rsa.internal.event_desc": "ciun", "rsa.internal.messageid": "rc3", @@ -1993,6 +2226,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "lorsita6602.mail.local" + ], "rsa.internal.messageid": "watchdog", "rsa.misc.event_source": "lorsita6602.mail.local", "rsa.misc.result_code": "npr", @@ -2015,6 +2251,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ratv2649.www.host" + ], "rsa.internal.data": "tali", "rsa.internal.event_desc": "BCS", "rsa.internal.messageid": "speedstep_control", @@ -2038,6 +2277,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "abor4353.www5.host" + ], "rsa.internal.event_desc": "tesseq", "rsa.internal.messageid": "python", "rsa.misc.event_source": "abor4353.www5.host", @@ -2062,6 +2304,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.388", + "related.hosts": [ + "rerepre6748.internal.domain" + ], "rsa.db.index": "sinto", "rsa.internal.data": "tdolore", "rsa.internal.messageid": "openvpn-member", @@ -2086,6 +2331,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "qui3176.internal.example" + ], "rsa.internal.messageid": "rc", "rsa.misc.client": "amvolu", "rsa.misc.event_source": "qui3176.internal.example", @@ -2109,6 +2357,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "der7349.invalid" + ], "rsa.internal.event_desc": "eiusmod", "rsa.internal.messageid": "monitor", "rsa.misc.event_source": "der7349.invalid", @@ -2132,6 +2383,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "veleum3833.internal.test" + ], "rsa.internal.event_desc": "iusmodt", "rsa.internal.messageid": "diskcheck", "rsa.misc.event_source": "veleum3833.internal.test", @@ -2154,6 +2408,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "aquio6685.internal.test" + ], "rsa.internal.data": "aquio", "rsa.internal.event_desc": "riatu", "rsa.internal.messageid": "rc6", @@ -2177,6 +2434,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "tanimid4871.internal.domain" + ], "rsa.internal.data": "abor", "rsa.internal.event_desc": "nBCSe", "rsa.internal.messageid": "debug", @@ -2200,6 +2460,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "icta82.internal.lan" + ], "rsa.internal.data": "uei", "rsa.internal.event_desc": "can't read sid", "rsa.internal.messageid": "pidof", @@ -2224,6 +2487,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "dol6197.mail.localdomain" + ], "rsa.internal.data": "inBCSe", "rsa.internal.event_desc": "otamrem", "rsa.internal.messageid": "speedstep_control", @@ -2247,6 +2513,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "lumqu617.www.test" + ], "rsa.internal.event_desc": "time slew duraion", "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "lumqu617.www.test", @@ -2270,6 +2539,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "uido492.www5.home" + ], "rsa.internal.data": "uid", "rsa.internal.messageid": "pidof", "rsa.misc.client": "snostrum", @@ -2294,6 +2566,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.6198", + "related.hosts": [ + "reseosqu1629.mail.lan" + ], "rsa.internal.event_desc": "ommo", "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "reseosqu1629.mail.lan", @@ -2317,6 +2592,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "itseddoe5595.internal.localhost" + ], "rsa.internal.data": "ehende", "rsa.internal.event_desc": "tutla", "rsa.internal.messageid": "smart_check_io", @@ -2340,6 +2618,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "olu5333.www.domain" + ], "rsa.internal.event_desc": "dolor", "rsa.internal.messageid": "diskcheck", "rsa.misc.event_source": "olu5333.www.domain", @@ -2362,6 +2643,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "dtemp1362.internal.example" + ], "rsa.internal.event_desc": "itae", "rsa.internal.messageid": "init", "rsa.misc.event_source": "dtemp1362.internal.example", diff --git a/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml b/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml index 4eb24ff7d03..ecaa40ce67c 100644 --- a/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline for IPTables processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/x-pack/filebeat/module/juniper/_meta/config.yml b/x-pack/filebeat/module/juniper/_meta/config.yml index 12ec5964e29..be40af66202 100644 --- a/x-pack/filebeat/module/juniper/_meta/config.yml +++ b/x-pack/filebeat/module/juniper/_meta/config.yml @@ -17,3 +17,22 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local + + netscreen: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9523 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc index 1c14aa17126..c59b7ac4a95 100644 --- a/x-pack/filebeat/module/juniper/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/juniper/_meta/docs.asciidoc @@ -51,7 +51,52 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +[float] +==== `netscreen` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "netscreen" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9523` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/juniper/fields.go b/x-pack/filebeat/module/juniper/fields.go index 392e80bb2ab..6122a564654 100644 --- a/x-pack/filebeat/module/juniper/fields.go +++ b/x-pack/filebeat/module/juniper/fields.go @@ -19,5 +19,5 @@ func init() { // AssetJuniper returns asset data. // This is the base64 encoded gzipped contents of module/juniper. func AssetJuniper() string { - return "eJzsvf9zGzeSKP77/hX45IeP7ZRDJ07ie+u3d698knLRru3oLNu5erVVUyCmSSLCAGMAQ4r561+hgRkOORhKogBKvvf2h61YJBvdDaDR3/s7cgXr1+SPRvIa9F8IsdwKeE3+7v9A/v7p/W+XfyGkBMM0ry1X8jX5t78QQtrfkBkHUZrJX0j4r9f4qfvfd0TSCl4TCXal9NWESwt6RhlM3N+7rxGilqBXmlt4Taxu+p/YdQ2vHY4rpcve30uY0UbYApd8TWZUGNj6eIBu+7/3tAKiZsQuoEWMdIiR1QI04GdW09mMM7KghkwBJFFTA3oJ5WRAnzb0DsTMtWrq25Oyy9TNsoi1pGKLvPHVx9aPLbFZpDLzrb/vX2F8wwa78nHBjfse4YY0BkpiFWG0tk3gv6YrUoExdO7+TS1hqgLjiFbu8x3QhLxVc3IKTJV4jCOEeFh8F6lDyWnhwhKkLRxpiQEHhDNzP7DcIM+ZkhakNe5+cGkslbZFw0RxtLw6BMGS2t0Phthxj5NbglBLVgvOFoQSA8ZwJcmCW0MoeQ/2d24lGNPu/mRwNDpizUI1oiQSlqDJFLpzV1NtgLwDSx1qlMy0qnpLPX2r5ubFBWVXYM2zAfhTroFZsX5ObMCbkg/ghYU/4bKH5iTKSAFLEAdwUii5ez+3OHkKtQZGbcCkhBmXUBIlBaJl6VQAqWgdx6oy8yLZhdmzx+/CPT8//YEsqWjCjeclSMtnPJxOuKbMEqHmfr/0YCOQOu7Ah9OC33PbUVNtOWsE1fj7sLGT0ZMxAH3QSYmdjAHk8ZMyuiXL4+7Jy/+3J/v3xK2aZ0Pud33V9I8CCdndlkeD3ZIeIvSyo6bBqEazTG/v/dmW6/7fDzNjqYUKpH2MyNGm5LZggu7c4UeCHkir148RsYXTqR4jYlwehlhejamVHI/3pJVAD5Eeedk2AyhT2lAjek3Mzux9sXULOGwGeshASbifFbGjhwyg32BFjHNxx7VyJC7Knlclyj7PrgGZidhHIhy8M/vYMdTqRvIvDWzUaN3RH/603jZqT5Rk7nGgVj12y3ZE3Cx5XnHY5+6JW4bPOKP9+/xWzcnZEqQllyicSSNL0M4E0RAE1YD0Gb+GkhiwDsjWj7fXMOMGS7sJA9j3Nli6TRiAvtOmDD2B6f1Lhx3MAV134MndeLBQJpO+2j+Xvypj+yJS7J5IA7Lkct5+aGLHpudD+nr4yw85YIMfjTL2/GL5E6FlqZ2sHLvuu8wdUG/V18rc5avc7H31fy97Hbfyy4ZdueAdaX1vWUkomfMlyM5J9vUqAo5Fh/kv8log5WNU/r6OiMaoQ0PV60LDlwx73Q8e4gYj3dM1cvnML00u8CI9D95sS8nHdQ2E0aEEmQIBbhegyadzaX94RZQmvwhF7Y8vyZQaPEVtgGzG541G1e8Gug9Rd79iujEMms/4TOBfcL+eq1xutn3WcbvyV+9gUHpFdZlNqetJtB7ZfU6eX3ze0vco0SDo7pYSYtbGQhUe0YC2g7YAf1KNZ577t9J8ziUV7W+2tZUb+JBL/9qTGHF+8flVhAUB/QEn7s+CDqMhl1O8PpuDOlQcD319FkBL0EeJXf+KS5Hz0/tEST2+/WApgjksVvqonWyCFdn9bLRVtM43ihZeFGe6nCghgFmlv0YB7Lj3ADk37sxxQ5hnHZQO0y1F9a3aVVvIHkY/QouvYtPHoqpWymCyW6Ukma4Hm0aIhi8NGOsAGl7VYh32yX3ZCXoClC2I4SWQp98Tu9ANefnzz8/IihpiAGS3yh5OPArl9RacMLWSBvKxgn01p4KpRtrOp9BUUy/03FU2UQjkKZ2qJfSYwWU0s7IVb8ZqoNXo/WFfzbF5YFZByZtdPS0Fo76JaY6dY4HPCLf/bF5+/8NfjRfpL2oUoC3S/xxQ809nD76la9DkJTmTjNamET6y4kzKO8n1GPR7Bj8iuZWxVX58Sf7Vkfuc/Pgj+VfClHb6MlIRFn1O/n9h/6f7IjdkmynfRLdQqhIera0rV1AwKsSUsqu8GrBHTiqL14Zab1c4JoIsa8WlRdPEQjzBGQ9HAVqrTPlpG33Q1MA4FYgxYmqs0k6zlmuvdbgPllTw0h+MGFKEzFQjS/fCCEDkuZwH5ejG5MXtGzGAnCIWGK7DnrDRyC6shaLlY3nnAjrE8D+BVGA1ZxGrI5jC/S+jLeyf+1YIu2ef2o1Gq2bttk3Ir2rltmZoc3JJlHbGmFXkCqC+gWmP4sX7SpimFQNjiiUvizJX1PWslTxzkKCpxUteOg727MIl17ahwhntW753GXFx8Io7sxtj5cgMT0W46uenRDtpbdChgkyjeg62+9qNnDA6U9LTg3PCZ8Lt54TOEgoaCv7z09b3+gEqZYFchvPONOBDO12PCUr3vzYQ8xUEXsJKhakFz5nZ8KjNecMHav+j0M2czM143vHWuTcgnPX21LVWS3hC/ntEGL14mXHxADF6t6ozji5O3lwE3ZdR6djDq1rpXY2X4BP51aVBNI/D/fHJP1VoiKPpHnOlbpvyzeYnG4Pd6zlomU/Iy59fkRXyvQIqCRUi7itApz6qSRv/EVmBBg+WWiKAGkuU3CkX2Wbig6uJXzcTI3c1R9g28O53pUtkHGY1AVtIJdR8vRuIm3E90GIJ+ZmwBdWUWc9Ed6nXiD86zSVpZMjpEVs+89GK2tQF3T5QnzOIsCd2iRZF5ZRMJdswgqarUZmGknVHraQMNVYfo5DB56AYa3QL0VgqS6pLIpWuqOB/xvJ7la6i/ClDlsPBLFLNdPAk3YlJG6w7ZF4IPgOkOGLgG2BKliMK9ma7C2Nz+ln2EMQlU1UtwEYPwKgTlaICbzXfEYO9ejNtH+ggX7q1o8d57Chvn8zR41cpaReJtmlTn5oq52WT5VQ+EOPPZJmD7Q7kn0rm7rawRyy61VsV06fXftzl8EBEZbvRb4iFaxsuH1mCNr1yinJfHlhkf+972NZAU5G5KdNjSpdQ5nsHQ5JNeKZMt2KrY7SZNt0X+/H14WulVTVBqA0W5RsGkmquvFpfNcLy7ywHTWhdi7b6ZdPLpqKSzmOluYQIDO+09qJHyuNqCLdPDFEr6SNjllb1rmcwYOxWcygOb581hC24s25UCWZC3jXGopnUB+puJbUjebnUwoGbtFeAzWYO7yUcQxPCTW4X9LzTMAMNkvkDQZ1qXfIlL51mg+chLsguW0H2cYd5cSKva66PRuFmP30s6NqdRG7F2hNrnNBz+ppDCg/oft9owk0fdeE8d9K4k2eTwZJdOplqUkugaqDI3Rdix//UVwU1yC8NNEc7Su50+1O0kY8raggiUY6cG0Tuh9RMTagUbDE0g0ybVzbD6zuvcuBaFxlQrYsc2nOdUhRtA32ZHGoGXan3ijyMCbljPkbfmMFzeac351CxeZNcOyRYsHkgdrohpHYEUTZQ4lMo1qYRucNOI1aUaixTFbzwOHTGC2Zlq9nghFAZWLBlQI4cEFiC5jZn6cgewtrVQxFgL7Kzz+WTt3hx0DvQv9JdpYuDhnGnGhif8Y3hE9dufTBnrKdK0JXzZzNFNqBzMfJyUzDRuqjKEGSJ4h3M5mNtwudtK71vCSpNfrsMqbHctAkBu341XL/dobEqSVMrwxMKjludLTSnZek7TGEqf3t3R7vwNMIW+VoX3VEUyaYCzdldZVGUtiNUse0hrF/J1t0ML5b8/R6QtgRZKh0SZvdSpqZ/PED3mja0q6Z/AIvb0Q6x/LXgA3Y7CbofMS/pc/aq+2Z4IUPVfxAzwcu1oF1usVSWULIIHS/iCbRCzYs2UeVBhHp7EO8s1I/RM2VL9v0Hplth12oUH3HFXwnO1rlvzx65cIEIhObaUqxH5HIjcuZNxxn4oRGAiMXFqZIWrnNrrB1C59L76zb9UGlZGvd/+KhS0SIUawBzw+PMFlTOoZCwyi0LxgKXsOqF+lEJsVbzaWOhJyGGOfrGo+609f7zFxcdpqbJhF3HOcGzta3cxzQ0BHfzizwyff0tYtxiBZhjWNtw0GxyvvQS9IRcgt+UxoCe0DlgK++Q6T5TusVhALsF4/V2hr8n/ve9vhVKk6lWK/dZ+9ega3qza7Sf9Hl5QbVN7abrAKf2qIQ7pQbVoce6U0qUndqY60qpGkJAMddb/EYSKkDbLrtIbxYNf/PhrSA+ek0AMAkpojCXRCr5nYYa0JLZl/2AZsMxnxzWaO0uTGev4E6iHveC+whbG/4ZULbidhGUZS/rySkuOMVqE0mU/G6u3H/veQlQSSkiimNGumkvGPgCEXBIqhlx0sFyMBNyuZEpu4MN+pVVeTA+8eV8jXFGjC8Z9ck2ZRC/gfGUMNEY2x7I8I/BNuFPuHE7GWqig3/DKb746bgKdHTtx9+wuEXv2zLlU8qe3GR4OSxPEQtCjVGMo7/U7UbUnsQNe8uv4DWhpF6sDWdUkJKbq+ek1jgT5TkBy57EFWWq6SG1l3d86H2djaYVWNCG1NRgFy+DjRx8LwKmqspJMbUVtB+W1oBle9U9/x48lMbX28MMD5MX30xVdTO8gxm2jZIVl6VahXxapiSD2j7vMilGmTEgc9YIsSZfGiq887NUFeUySA3ZW0iokaer7/VMpS7tId2phG+5vIIy1AK1iejUoHcqGCjuk2861Ca83LdxYtAVIquo60928m6JXQRa9HCk1YPg9VsdPK/kctiupws6g6747mCn3C7WsCZi68//fk37x8Sa9oyL/He8I/kXXK27xhrKhgFpI0cQd7cZ0JyKIvKaZntELnHJVm3efR97D6B7YUb9AsCuzEEtB1J4jMPq7qFbULPobqhTCyNVhg1b+MzftsamKzM8aSHttAhzhHTLTIxm7lfdv4eVpsTJc0k45tw1kgmg2v0JG+FtUAsFhMHbqdvCzpujD174NcM+T4/6xWKqmnLZ9c3uP1ihbFTf4fVact2YY3v6+toIIjDu8TtOgDRyJU786r4n47in1Ftw2V3jHfu8l/n8lLz3kuZpaNxA/LS9UPTrcHsW16u9A/ohfPk99/P5KbI0lLx1YmLoPdiOyPk0QE/CxB8iJwtW3MSN1KVZ5+xlvx3VDQXaXl3Y68eW3vg+4qlxrD/pFibnpzdqsqn8czdosg6xl7LcaLQTcuLrM0O/U+E/2K/NIoJ6+xs/fBPccdPGdpWbynaPUSMFGM8Z5R+UlSJLqjmdikEVoG/KwCWpBR0RBAakydofZWtD+6qqX3niJJXTMNr6Qu72+fLF+cWuDk1Cy1jvURiryz5woOCtayE3kRaPJDmXllzyuaQoLEaOaK10zua1Twbyyx3Si1Z3U9jVEf/TIdK7y3jKShU5OO9/+0i4ZKIpwYmzMMjW/XxCnp5d06oW8JpceIeIB4vSexL3i2Bk7uixTXRObZ6WOGbcXDmV+wC87lCK13Njvg9PwwdurvaEXK3m8znofCPs4iz73I8FBBxQO11oMAslSnd6vK0+Mml0K/R+BM/CMPYepPLTD17HeNY14zg/jZeR3Do6z1RVF0fOu8JdCblXOMbV+/dMM/3OoaMk1qfOcNyMKhs2ZqUFtfSBssb6mHfSUmnsPODkeovfyJQ4qssV1Q+ToTfsqu+kKw0PkSNipDXyUydEKXlHWdtPOa7cOhF0VDtGye9aBVXvl0Le1kw+1FoDNclzg42ltkmlOHf+KMrFg5kdbvGpuia8fDH+frmXtTkGhg6jT4PGx/4uOCziV7d9xzJP3xsc8tPh3L1DnjMuVZMqxtmrIzHz5HfKSdKUToeBR/anxIBzd2bcOhJvhHByj5iGMTBm1ghy5tYnTJVg3JFom/3GLQsuS7hOzADBjT1M87ynbMGF0RTTLRJT0BjfrKjmAjN4Ih48H3+Xc0KRid+530YpkxnOoZr65kIPpBGH1cnTLp+zBm3qUHTrJcyAZUFF2CTEtx2eno0UGXo31/A9zp1Q4pWvLskr+Kr8t92HlEtDSrCUi4iTYaoa2/vdCGlKHD03s/XY0i6PDfEYf0gtVLXIls3zhpQwoyEEFDpftjH8kK3ptOIlaEHXWMhlVXhcydPIjXQfoNUdfg2ztgrc++qN5bbBxowkStjGNhg2bLrvdU0axer5dxhNjWkGWcVUVbn7lOcYnXjohPeSfWutlrz0/rO2i1wFZjQRqlTs8EDj3b1lv3Cx0RpZPy8vrhpc15j09DCyvl09r6z/Q00P9DsdTN7f1TQEYOK3q+b5GueeYkKx3/nLi3NyPlCo+mhk61obqkv2Y5CwsKurhp0nNaTv4g8LudVx5d6LiGKqytwVX4OKu12lI+BCHC4j6tEifbcEHzI4QuV5zwUcSod9Am0XD+FzXnahnBEnXpXaahyUgSd4+dMpeR3ddZPzmWqne1988t1z2kAUJmtcA2v6XgSf+jWFWHlr24VpX+LGERwhUa94ue0Q6aor6ZJyQYeBDNK5wgnWV85A65FJC/4OHeLrTxd3C8ZKFRpA+QDsgKSQbmD4fDIiEXlVTJuyXCf3z/CqSFoH1IPbGDis0fleL1V6iJqrhF0OdkrsCtMcoyCBm372qu+5SpuS266ybtMXLWAUG2y3qdjwomQTXthPpM8SS83B5dGs8pPPZ+RpqJX43AinK0+5wAIOzAM7u66Vcd98Rr4bOhrkbhTmSqqV3DKEDLAGm1kst6GPTNpk9AguuN200JO2yv19KE16C3PK1uTTqLkm+FTThyjKDwtvsZhLUlEuZ5pWsDcdo6Yap/bm75OwpVxe4LLkvSp9cvSmLWAv6yyCFLlB+8JUAceIXBbSdt+497AivzYSTcl3qgRBnnK5nHz7nHDFnpOp+z9w/0clFWvDzeTbeHzRsrqYCTqYnJ9ah9rW8E8uCC6Kvi6Uk+t2+JWa7W3UYFVWTP1fpwHPtg2CAe0OchShZZVW7u5g9vnd71QD+egTgL/99vO73998OPv2W59zu6Sa8tEzuVL6KmXJ8o0X7Pd2wX6EbdQJRmVqJSLU7KTtUtI9B5S552KdwYSZKQ3ScJZSgPRcSRkwrtJ7QSLxgVRAixXlw+HE9/YOYO/z1EDd9Uldom6aaaZLYaelsTp15TvWa2dziPXf0mTvaFvzkc9Jemixy2Yw2EClCcUmm7qXUO/iQMz4qKOpJTWbI/ZQUqPdiCJk7pb3xIXywf0E7+64cMgH/f/DcNWNyuwn/z3IESt7PvqAyF4kH+RwtHHcffgpdYSkra2d7dmlT22X0d5m2WGfzGfodhuc3Jsj023Lan6MeBgWfc0oF47XbTOXiyAzzk/7tW3YicuZgxbmkRYG41mFbc514VTEA+g5JPEa061D9dGJqqpG7nqiBtjJwxo33Re793Bt/wPiOnWHmzlMs74vbpdUlv+u4lGzDW6WWn6IZLg3dsOFt5Azjak54ypZluixLHjEfkW1HAYdHjvqRlZ1oXIJ48v37y7Ib96PuklKjSPy5aipBJf/+ZZ8aUCP9G5thCw07HbqzJvc0HOIrsmHtugsmtbVaeks4UPaB6pSjxFwQOuDHEc3QbWR4Ni94ZbpBzRQQXWVYbcc2AzuBVonLEDugDZlsqm0WzDTdrvaAl1Su6sV3hfuFCRbVFSnKivp4K5rOhhffO/oE2WDdKokMItF8rPAYJa2gKoDPJtjq6UMYNX0jwxQa5p8EobvOJX8eGHQveCpH5zQua0Cp3omR1oWlOFglPTlJw62kQmN9x7g6bxe/iSv7SL5+85kwawuSpO073oPuoN8WOTpFoCXgiaXGLIAOecyYVHkEHSO3GhZzAqz4pYllx+ymAm1MrRKn7vShy3tMh/0DFEXJgsuc4oTLmvQ1XSdLOF9ALtmV3mAL6nIcVZ4XdRaWVWkD0kh9OVPBXoc08MW2e6mUPOizMFsBzh9/huTRUWvC2tTuQ22AbsTLSDDo1BxmQlpLvMhXQtTiKkoUodFt2B/nxF48s7gPdipeyH2Yaeu6u3D/jkj7FcZYf9LRtj/IyPsv+aBbVUt6BRyiJQOenrzTBZVI1D5nq4zvJMt8Poqg15SNYLPqzqP9u20TCrmqZOQAmSeQykx8IWl943IwviExAw7aDTLY006wHmsSbM2TZ1hFimTXVl1FlPVKutMD7jOIEKsss4wywUbzZoswBvJryWVygDLcAiXrxxXMj0Ky1eqtgugZQa3mqrqgokMPmwHOEOQBOHq6dqmd4s6yCYL5LopMsQ0mOaWMyoyFBCZgs5BsnXCrKs+bEnF+k8opznwXhbYBjQLZN8OJg/WPrE2C/TpvF6+yuODNsWU279maTTGTJF2VtwOYK2Si2qT5ZojVGA6fZWb8T7+ZLO2eoDBLryfP71zxANHtS8LcN9NPl0HuR7sGReQw4YxxSzHJvJZyuLsbcA5dANT8BqTFIssoo7Xy59KY+tBM/9EsI1mWWALPoMcZoxBR3MFJU9WMLoNm8s8p6RSZSPAMJWD2wE4n2eQTao2K2qTzvzvQY9lkCcBrGHOjdU0vSdkAzuDxqehzsVqnY3XBjuR60zy1Wfm+yOeAbrVQKsMiqQvBcqFdj7lerVQ3BR+wmx66GuqaZYDXo4UwqaAvPTz7VPD5cZSmXzOcWnstNGphgW2UMHPCsoBtUmOa3o9uq1JTg0WJzfM0g+7PrTTwD6Yc1qWqe8AL1OHVdvWQRneIl4VTCtVZelK5ABnMNN4VeRJjgwdj3Kwub5K3p6pNulblvLa1JonBiqo5bZJnn0muIR0LXY2UE3SiTodXCy+Te/WEsp3PS1mQiV/zjvgGVL+nc2bXOo4oBkkjrOhM6CaPDdBqHmWoyvnWS5wrXRqAVZNm3mOa1Zxw3KIhcpkObA55kBIsNhcKTnc5DLcN4BOnfHnoaZOx5OrVWoLJEtFmfIDoJNboiq9ZqQ0nxeReVz3hruSoNO/WXXhh/ImB5t0MvUGrB/xmuWQZSjcDDNxUguDADa1NKgL70hKji41xn1YsEWqOv8BaLiuefJAQA26mmsq7aDnbgrIqyyA0z+9vhPZp087U0ATANZqXlBTJxwY0AetaWqoGqjIod9pYMgH33U0E/D0THaQ07Zw7UFWusyAcXpHpsngGzbeN5whH8BA6kQAP/A4g3Fi4Ev6AxBr0JoMagZTyvB5BsFr6tReNqNZjnugWZlckTaaxbriJgBs043Y6sNsTPKumksmUxdKRKfF3heob9KZmnw7t+mPlQeaPqLXzfRMDXddJ+/W2pTTLHnojRYZ3sLGgC5KnrrqPcvYijYylIMNlhlLq9Te4GXBpbF0lkEzWHJtc6jhy1pmaN1klW5kSjdrrC1apKPom8Yq8qGRZLB0lz2ScVjeZyp4SU40lNySE6rL0M3QYPv3ODp+clZGLo1NCEUwOESfYH8DpgSJlep0+RBc5uPcWVULtYbBYMEb+TdTTbKm3rc8Y46H3meE8840zOGaVHS30cImFivnze4wkOxICm5wOEO7eth6bKBETFPXSlsybDxKyGpBLeGW1BpmY0fhHmm5dxlCEWN8sDo6FAiXobP7SF9owWXuifw9VN1qfTwNsWoOdgF6svm+Wahm8KIRImEJuhtHZBWpqTZA3oGlOBHc31XaseDpWzU3Ly582eszchpGfD0ndhGZUoTNgD9AGH2MaEvyHuzv3Eow8X0eHuoszJvhyO7uFuHinlgDVLPFhEsexQ9n7h6hv/aO+MRZGJgM8ULQRuKs33mDc1zbJu7xBu47/dr30JS/HXdHU9eEO8wvHjH23UYUCWuabtd5FZclH+Ha4q0YcxccYxr1iEDaDK57jxOqpRiZeIndczOOA8f+uQYs0fClAWP3NO0+PFv57r3yvcqAY3n8ql5i73qkurzTbXfKPpw8Rhgb2/o7dmg3r6OUp5z9f/N8Q7fY+WkrFHDt+NlAqyFdEu8dj7B7XKbUAPHp2h02ZHCrul0Kv3gYfGU3Cr7DXGnfvj7KRkKoIQYAx53R/fOqNJWGsiOM9x10mPZLS1R7N4eGNRonoO1DugZdca9uHAvpzZJ+MAdfcgFzIAKWIAg1hs+l37jNvP740ceWzA8ov3H9PSd9+iCTnh1mjeRfGtgdk0jjl6+H72EdEw+bgtJqNLz0F5IpKQFzK8iK28WYoCAkUhnSaewaDiovurNp4diJ8qR7ooSac0YFcRiMmD6IxcNih0uNjGl8ON7Vi7WJo9dLZ1upnazW1A88FZyaYqGy2wTeiOvMNZylshlq5KRifwRPvB8A8ZfGYYtvWhjEwgRQPXkjjHKG+NZ9O8VgOfk1/GJC3sh1968BdIu2vJGW0HLCVFU3FnRcDGdx4zvC8pln3+zuBc5Y3NoQbv/ZvPz+h7862/e0tx0tx76Joh3OaZE2YnZbxw1dgyb/0vnkzIuABiIXv/Wp63/yn3m5wXnr1O/djwOTl2+SbU92B6a4dSbk/W8fzxztoME7T9BfWnLDNNRUsrXTKoN6JnZzQQhy6Dn5+O41OZf2x5fPyfn707P/ek0+nUv76ifydLVYEwncLkATtlAmjEpTWgOz+K0fXv2v/+/ZkyhHwC4yyrhdfqBMnVQ0Po7HZD59d7zml/4snrdIxa94+biQ7sumGzA/sGHcrR/4GL47iunGOvnMtW2oIG/fvI8i+6eSkM+XddjJ+N9KwiTOW4fuVyNCkZCbhSduwWN8g/fsw5xaWNEHGJGOp/uCvClLjX5af8pj6HRPL6vqQ+Oc942FnJ+8u/Cv0mh4rKLmiNGPLaeS11TD203OLxwqI94vx8MDJ0Ek4aFbe5yHrSZW+OlaxxUQPXRpWXL3ZSo2AdveLP/4O3fEA+BMQrzgKtzw0+0jMEBlk2udRa+77ZNGyfuA4YXSthPJA6FbYoANN4Db9c2S1xyZ954eLuftY9KS9W6M8RJiduOxvLgBO7R8qTGKcadyer/RQMchTi5rKucw6UwnpuSMzxsNJZmuESbIErOG4nKmPrD1wKBodERbji46y9DvQCTU/fslXMkdABoqZaEImd3p84zSs7aUpqCFT8XPALq2Og/wWYYjMctQLSxyXIdc/U/qDEylZdF64vKp5bsWvKNjsrta35nwABrsmV2AlmDJx3UNz8mn9hl7iw6wH8lF6wAbvAS/jWlq7aieIygTI6Zxi3Twiz8nVIioMlFvvogJblRjYt4StHsDubSKGIuPOZfk0/moQGGYIJtNXiUX2Q6oqjOMfXOANZjUGb0ObIYSF/8ipk5FR397Bmz9aIVCgJwnnxSJODvlI6MWOqKBepWHil4ARhKG6QQzQskvSq+oLodzugl5M8dkL02ou/HXmEs3BbsCkHHVM3HXxLvGuJWloh+q88gQbBmPmREDCrkMea6YllBx68RSGLERJ3EpqDxGHP8WDso2QaTnohwQuO2y3ERSls6CnaMBu/3ypI5UAsMuBMt0/eBuF7Gn2nLWCKoJ9osmLRJPz65fv1VzNZvFp78DK+wCsm/vFrIf3YL+NvbwPnN4O3TfNHYB0oZk8VG0TZOyc8LtEnr8kuOofzKgRxFWjWXquJwOS44jfNkwBsaM4Iydxw9rjnZY4gniRZyKO1d6TSKFCQPcjiGctnCEHRydVMIAn6mVdO+Kk1sx5bD7IRkoSttULdP1oxt5NynxXUuxZkBwKDt6gh9mRx/mkhhum4j8JFhcAEFEB6gLaggtVe1eF7sArolayc2WecZZeq2kqkbyanEmh+G+Rf1xlQin3HNZOvmjtOkYQMkvXAB5ExCbDNhwG2ev7Ajzd3I0Ybyj/0HSFUZZcBmyFtJyIUZjhBEp693vwQifr3cZ6jVSc2I8IXSqclYPRIifwoIuuWpQu2SqqrWq+EiGIhwbuTNJpwKLyGbkZD9uXC47sZMRyV0Mt7ROEkVgC8Okw2UOQDCyfodf7t3tvbKb+zZ67DZllo20u+VsqTX6EsvAC3aIWX8rLQjf4zlI0Jy1JCFDMNFvN7WA2wU+tbHZbiQgO2E/TIzV48HPlqZD2m49GE0v99MU1Au/Vka6oqZpZ4RbXoFxct1rexpqGA0ihV1I1hTixo3AxoP33AZ9y6N1SO/uBztaP96Oph8Kk2zI6a1JCw7jmygc0IYUbwTCLYTB10vdyxup00fdO3/RktCmb965ZL1UjyNAbpDjnQD5eo/jjzdvWarRBsfZstvJR31UCZLyjt1Cfhz1OKakbXAYO6UeS9B2/NTJK3cauygqsAv1AFESuuVJJh6N8LXRDcdeSlpl9Trtiep8UCL4ax0ie85lJk/If01+/v578vTt6ZuLZ+SUG8vlvOFmASWWwkdxEWqusvcF2hcJw2zZmccjbDN+cSRjTKvMXsV99Z9uV2MYdDcGPfLJhj7f5bowTPvv6n57jj/EKRYzpTLWJn2TKUZFqu50O4R8oCVvjF+BKE0Mr7ig2osnJzbdHWL4rsfLq/CeG14es9NIP1P+kzsIrRdxpy/m5pLnq7N4I/fddQxrhErDnv83OInwk8FZCI4b6JVllHFXptI5EwMGIRtktdJzKvmfe7KqZb6jcFtmH8Dp/pkaYfeM62gtaaauP7+45fC18C2+fO+irazmX4EKu2BUA6k1lKrikkYL7nri6YJaDtKaG9PjBT0mtW/pgxLrWz9CnenguqvzxAmummqLzZA2pO4Xq0dsdhSEzW0k6gxK0NRCWSRLKttzPpzw+aVdsQueXWi15GXXPCx8j9a1CJrq4GCE5j/uWdvWaeMKzoZIXh6Jym7J0OvPrkfIjA4PxczJJffR88Wu4j7SAq5TOlMOBb+r5gnXqDP1ftSrhJ5HCPU6Kmqs1BBjlfYS30GrwFJc7Ql+a+K+9SROfcXLUsDxpNw7XO+2ci6yvT25d5Cca8djHIfci7Bar8OQXLfR2eekFtRtmXuflSYgmV7XY15+TIU8gj15iww63dmWvypjyTvKFlyOmHQlzSQ5vtnl9SeJmf61Bic+nH7km5yZCXlb0pp8xn94/ahU0ted/nP4eJIFXYLTnARQTb40oNcEexCaWkkDrUYVL0519Bb4m+PIy9ADjznImrddIKUn3/flG8ezJekIqG4O0IfQHPW2mOKUp7wOs90z3raW3mpi5GzD8PByQ3QjZdSONc+7l8dHnn0bqZEauwCxCBZm/o2gZMVlqVaGmBoYn3HmPnkeqxMMebLDC+LI8/hucm7IU+wIC5JtniEMXT7rcYs0Et/xtzCnbE0+me3Gt10EttotpE2eXetWOILBPvLa900tRAVr1fCQuRdxwPGuD0Ck+n+r0hTLeYbs2yY7v0I91p3Xq9cRipHC6EELvzmA2OPk9Y6RGjJ8g+u9lXVnSPp4F9AhNcdx2HUBg+292SRk+m0Y7FC8IcXNxc9YNpByJOBohRuSXMKMy+CrR+GEXf0qWo80HUTsDioUy4TbxgGzo/6lFoydzzY37aGX0khvys6HbS1li+rILfA3qyLDycA66m9HliEvUy7TTRBLejccyVhUmPfxjAipftkObotvo70p749M7RxgnfftuwHrmur2TLk/P9+QslrwQSt14m6Hs2V98vutyLPJZ5b4thZKr/Nt+N9MTeW/3dgxpkVku4t6q57HnibHlr+9QOg30PZgKtGAqrbf+n6qRk9BAdJqVR8iOkrVTAfOhVud8bCms7bhhnIExNFXdxz3Hp6oqqZy3d1HvHY4Tt/bK0vQ7hkquJypuFJAzVXuGqEb5MeOFdlitoK8XdFnX3LlCPzSCLEm/9lQwWccSnKKdc/eORhFZQXTgil1xR8o6P47TIlff2M/UzGmzSfvNrsJh9eNRZX7wBGmN9/1D90SYcpOcEd7n/yEfFzXnvSN58Axx+/g+OZpmBVJm8nuoO1w8I4I/cTE2tbuInMMV12nXG5j5z2LtdKttx9DzB/ejmx5r1dO4uPU8qLOO4doDyvcyjd67ls0tVKZNJFtpNw6bj9ITW3cNclkQU3KaH8PsA7l9IkhN1ok3OYe1IS70hmjRaNTeUN6MA3ogs7T2ZQb0Mmfp23QSdMft0GHU59BsMC1BYmqVXrjxMFPdpo7RW+hYSdVJrVG5Zc4Ri3hlsz9iMuievUi/PdJQOFF+I+Q1xRz+1MBOp6dF8h5wOi5J6YfPEePa2/U2oCcMgxEcyYVlzPQeiTuOqT7KHT1Ff8bWR91zx4BybYv8ay3DZErhWFtlfVKRZY42vE783F7d+w+Ygax7v/pHzBM0Bof+MnrBejj+COczh4ynp6e4OjHZ+QE14+jBtoeqVnKCJ9PQIfhn7CVhbmnOS9kDR33GNnbcLfoE9PrFL13p/mfh3ol794aJb7b5JL/GffW8KtMMuX8H2dEwlxZ7jewXlAzMgHKsGO3FeptpV98fLig2+psE6AGCS47Z6xtnN7W38QTUgyfH6OiYru/UTf18OPooGUnTbgxTXKlEyFjslQ+b939YiiIIWid1Qc62JS+9Dxzi5NLDE7vk05HyZDoOoOHKPLTS0zt3P8Y9aTnYUjeXXruwXFchBojimXOF303pBoc2VFkysIdPdokb9NocgHmVxAs6kzNDb7ZjCvpP0goW38iBuN1SpPzyzf/eHdBLtw7RX6TI9NXNthmqqQ+BNuPKxXHFsUQWwC7Mgc5kW8nhPP2IIsNnev6dXYtwjANNIwg3EjBPVouaD5oCvkASq7Ho+sKMmo0IM6W2uZoEz77WC6p4KU/iBEkdgXh0bpa7xOEyLErWJtdsZ3o5LcJpIlhL6ytTcFxBm0W0LiVORjC6CO4TXwu28oXpbld33CjmKqqrH3ibom3xyM4hOIl+CuuQexamqldLCtBZWHMQw28dSt7Gf57oLat0Ypi60uNi1rxY6RVxxD2GBDEAJGKWwPIVragUg4aZ+RuNxVWRURGYrZHatvcPSxh5uHvb9+8D+/ei53luwfFKr3r+0/es42bq2KpRJOLAW/aOc4yzLnpJmO343wbya0hTz0S5hl268DC3nai7g54gkhHqRFNJmn2NuD6SXIb0gUm20UHS9CYKTBrBGFKMqitM5Qv/R6OtFdYrXJKX894Z7C3I7QdorXSlijH31///U0sBTfK9tTnTun58RMsdwsMtlysU+qbnUQbxfzH2W8X5xfkHb2uuCy7sd7xbXW0HT0Nc2uI4ghZgYwBdfvI6tSneMli8vRsX+VYzI5XsPnQRfgtydnVji1nWZDK56ehS2/AYi+G4nib8sC9AlqKq//2dcNdYY4sh5pk6tuN/hJnQj9QdmMYV41WfBfUrXxx73NimkiKOjXkb8ZqJef/NhWUXQluLJR/exH+9rz7lMsZsPhHM65hRUVUkaFT0fsNobIkRpGRY6lhzo3Va2fZH1NY1NQuQrP+Dgeyi8MASXRKHQtNXwjt67WY0r0u5J0+2WEO0ur1X/5PAAAA///7GLnI" + return "eJzsvW2TGzeSIPx9fwUefzhJDpmyZVt7o5udC213e9w7ktyrluSNi4moAFEgCTcKKAEosulf/wQSqBdWochuNlBs7d18mLCaZCKRSCTyPb9DN3T7Gv1RCVZS9S8IGWY4fY3+w/0B/cen979d/wtCOdVEsdIwKV6jv/0LQqj+DVowynM9+xfk/+s1fGr/9x0SuKCvkaBmI9XNjAlD1QITOrN/b76GkFxTtVHM0NfIqKr7idmW9LXFcSNV3vl7The44iaDJV+jBeaa7nw8QLf+33tcUCQXyKxojRhqEEObFVUUPjMKLxaMoBXWaE6pQHKuqVrTfDbYn9L4HptZKlmVd99Kn6jtsoC1wHxne+Orj60fWqJdpNDLnb/vX2H8wAan8nHFtP0eYhpVmubISERwaSpPf4U3qKBa46X9NzaIyIJqu2lpP++BRuitXKJzSmQObBzYiIPF+kgdu50aLl1TYTK7tciAPcKJqe9JroHmRApDhdH2fjChDRamRkMHcTSsOAbBHJv+B0PsmMPJLoGwQZsVIyuEkaZaMynQihmNMHpPze/MCKp1ffqzAWs0m9UrWfEcCbqmCs1pw3clVpqid9RgixpGCyWLzlJP38qlfnGFyQ01+tkA/DlTlBi+fY6MxxujD9QJC8fhooPmLEhITteUH0FJLkX/fu5Q8pyWihJsPCY5XTBBcyQFB7QMnnOKClyGsSr0Mot2Yfac8Tt/zy/Pf0BrzCt/41lOhWEL5rmT3mJiEJdLd15qcBCwO2bBe26B79njKLEyjFQcK/i9P9jZKGcMQB/FKSHOGEAe55TRI1lPeyYv/9+Z7D8Tu2qaA3nY9ZXzPzLYSP9YHg12a3yM0EuOmqJaVookensfTrZU9/9hmGmDDS2oMI8ROVzlzGSE494dfiToUWHU9jEitrI61WNEjInjEEurMdWS4/FyWk7xMdIjLdkWlOYxbagRvSZkZ3a+WLsFLDYDPWSgJDzMiujpIQPoB6yIcSr2XCsTUVF0vCpB8jlyDbYZiXwoQMF7k49MoVZXgn2paKtGq2b//k/bXaP2TApiHwds5GO3bEfEzZqlFYdd6p7ZZdiCEdy9z2/lEl2sqTDoGoQzqkROlTVBFPWCarD1BbulOdLUWCA7P95dQ48bLPUhDGA/2GBpDmEA+l6HMvQExvcvHceYg33dgyb3o8FK6kT6apcvf5XadEUk73OkpiJnYll/qENs0/EhfT30Zccw2OBHo4S9vFr/hHCeKysrx657n7iD3Rv5tRJ3/So1eV/930teS630sqEvF5wjrestyxFGS7amonGSfb2KgCXRcf6LtBZI/hiVv68jojHq0JDlNlP0S4Kz7gYP4YBh3/MtUPnCLY2u4CI9995sg9HHbUkRwUMJMqeIMrOiCn26FOaHV0gq9AuX2Pz4Es2xBi6qA2QLtqwUqH4H9n2MuvsV7xvCoOmMzwj+BfvrpUzlZttnHdcrf/UOBqk2WOXJlLqOROtsu0vJy6vPO/oeRopy3D9ShPRWG1r4R9SjbaGtqONU7Yhn/y0VWzKBef2bXW3lAB1S6V97EiMurz6/CpDAoz+gxMNJ0GA0pHKM16dl1KHieOzrs6I4p2qS2PWvsBS6PH9IlNTh2w2WApjjYqWP2snGSZbcz4ZrReuyVbTgoljT5UxyTomR6msUwJZ6J8i5sTzHNCKOdDS3mO4oqm9lX21Bewj9CC2+gswfi6paSA3JboUUaL4dHBpCin6pqDYWoGZFybf+nOyXraBHFJMV0iyn6On3yKxUhV7+/PMztMEaaUpFs8oeSjwK5fUOlNClFJqmIwX5ariCyEqYxqdQFXMn9OxV1kEI6CmeyzXtEIOJYGZlLd60URQXo/eHfDVsc2JS0ZxVfT0tBqG+CWmOjWOBLRAz/6xefv/DX7QT6S9KEKA10v8c7Oaf1h58i7dUoZfoQhBc6oq7yIo1Ke8l10PQHxj8CORWhlb58SX6N7vd5+jHH9G/ISKV1ZdhF37R5+h/cPO/7BeZRrtE+SZ4hELm9NHaumJDM4I5n2Nyk1YDdsgJaeDaYOPsCktEKvJSMmHANDE0nOAMzJFRpWSi/LRWH9QlJQxzwBgw1UYqq1mLrdM67AdrzFnuGCOEFEILWYncvjCcAvJMLL1ydDB5cfdGDCDHiAX667AnbDRyClsucf5Y3jmPDtLsT4oKahQjAavDm8LdL4Mt7J77WgjbZx+bVqOVi/rYZuhXubFHM7Q5mUBSWWPMSHRDaXmAaI/ixftKiKYkoVpna5Zneaqo60UteZZUUIUNXPLcUrBjF66ZMhXm1mjf8b2LgIuDFcya3RArB2K4XfirfnmOlJXWGhwqQDSsltQ0XztICa0SJT2dnBIuE24/JVSSUNBQ8F+e177XD7SQhqJrz+9EUXho59sxQWn/VwdivoLAi18p0yVnKTMbHrU5r9lA7X8UupmVuQn5HW6dfQM8r9dcV1st/gn57xFhdOJlwfgJYvR2VWscXZ29ufK6L8HCkocVpVR9jRfBE/nVpUFUj8P98ck9VWCIg+kecqXumvJV+5PWYHd6DljmM/Ty51doA3QvKBYIcx72FYBTH9Sk1n+ENlRRBxYbxCnWBknRKxfZJeLJ1cSvm4iBu5oibOtp97tUORAOspooWQnJ5XLbD8QtmBposQj9jMgKK0yMI6K91FvAH5zmAlXC5/TwHZ/5aEVt7IJuF6hPGUTYE7sEi6KwSqYUdRhB4c2oTAPJ2lMrMQGN1cUohPc5SEIqVUPUBoscqxwJqQrM2Z+h/F6piiB9cp/lcDSJZDUfPEn3IlKLdYPMC84WFHYcMPA1JVLkIwp2e9yZNin9LHs2xASRRcmpCTLAqBMVgwJvFOuJwU69mTInYuRru3aQncdYeZczR9mvkMKsIh1TW58aK+elzXLKT0T4C5GnILsF+acUqbst7BGLdvVaxXTptR/7FB6IqGQ3+g0y9Nb4y4fWVOlOOUW+Lw8scL4PZbYtxbG22ZbpEalymqd7B32SjX+mdLNirWPUmTbNF7vx9eFrpWQxA6gVFOVrQgVWTDq1vqi4Yd8ZRhXCZcnr6pe2l02BBV6GSnMR4hDeqe1Fh5TDVSNmnmgkN8JFxgwuyr5n0GNsV7MoDm+f0YismLVuZE71DL2rtAEzqQvU3kpsRvJysaFHHtJeAbZYWLzXdApNCA65XtDRTtEFVVQQxxDYqtY5W7PcajbAD2FBdl0Lso894oU3eVsyNdkO2/N0saBby4nM8K3brLZCz+prFilg0P2+0YiHPurCeW6lcSPPZoMlm3QyWcWWQMVAkXsoxIb+sa8KaJBfKlpNxkqWux0XtfJxgzUCJPIRvgHkfohN1IhKwQ5BE8i0ZWESvL7LIgWuZZYA1TJLoT2XMUXRLtCX0aEm0JU6r8hpTMie+Rh8YwbP5b3enGPF5iG5dkywoH0get0QYjuCMBko8TEUa13x1GGnEStKVobIgr5wODTGC2Rly8WAQ7DwJNgxIEcYhK6pYiZl6ciejdWr+yLATmRnn8snbfHioHege6WbShcLDeJOJSVswVrDJ6zdumDOWE8Vryunz2YKHEDjYmR5WzBRu6hyH2QJ4u3N5qkO4fOuld61BKVCv1371Fim64SAvl8N1q9PaKxKUpdSs4iC4068Bea0yF2HKUjlr+/uaBeeipssXeuie4oiURVUMXJfWRTc2wRVbHs21q1ka26GE0vufg+2tqYil8onzO7dmZz/cYLuNXVoV87/oCRsR1vE0teCD8htJeh+xJykT9mr7pvhhfRV/17MeC/XCje5xUIahNHKd7wIJ9ByuczqRJWTCPWaEe8t1KfombIj+/4O6VbQtRrER1jxl5yRberbs0cuXAECvrm24NsRuVzxlHnTYQJ+qDgFxMLiVApDb1NrrA1Cl8L569p+qDjPtf0/eFQxrxEKNYA58DiTFRZLmgm6SS0LxgKXdNMJ9YMSYoxi88rQjoQY5uhrh7rV1rvPX1h06BJHE3YN5ThL1rZyH9HAEOznFzlkuvpbwLiFCjBLsLrhoG5zvtSaqhm6pu5QKk3VDC8ptPL2me4LqWocBrBrME5vJ/B75H7f6VshFZorubGf1X/1uqYzu0b7SV/mV1iZ2G66BnBsj4q/U3JQHTrVnZI8b9TGVFdKltQHFFO9xW8Ewpwq02QXqXZR/zcX3vLio9MEAJKQAgpzjoQU3ylaUrBk9mU/gNkw5ZNDKqXshWnsFThJ0ONeMBdhq8M/g51tmFl5ZdnJenQOC86h2kQgKb5bSvvfe14CUFKygOKYcN+4Ewx8AQhYJOUCWelgGNUzdN3KlP5gg25lVRqMz1w5X6WtEeNKRl2yTe7Fryc8RoRX2tQM6f8xOCb4CdP2JH1NtPdvWMUXPh1XgSbXftwNC1v0ri1TOqXsySHDy2J5DlggrLUkDPyl9jSC9iQc2Ft2Q18jjMrVVjOCOcqZvnmOSgUzUZ4jasiTsKKMFT6m9vKeD72rs1G4oIYqjUqsoYuXhkYOrhcBkUVhpZjcCdoPS2uoIXvVPfcenErj65xhgofJiW8ii7Ia3sEEx4bRholcbnw+LZGC0NI8bzIpRokx2Oai4nyLvlSYO+dnLgvMhJcaorMQlyNPV9frGUtd2rN1qxK+ZeKG5r4WqE5Exxq8U95AsZ9806A2Y/m+g+ODrhBJRV13spNzS/QRqNGDkVYnweu30nte0fWwXU8TdKaqYP3BTqldrH5NwNbx/35N+8fImvaC8fR3vNnyL7Bac40VzStCUR05omF3m6aKYZ4FXtNkj8g1LFmrzf33sfMA2hdm1C9AyY0+quVADI+xX90+dCusV80NtWphoMqwIiuX+VvX2DRlhmc1pF6LMLuRZpmZVsT+qvn3sNIUWXkuEIOcu0oQTrGyf4JGeC1qvoDQeztVXdh5OPrghF817PP0qF8sIos5E03f7O6D5ctG1T1erzVTlZ7a09fVRgCBcY/fNAHSwJU4c6u7nozjnlJnwSV3jTfkc17my3P03kmap75xA3LT9nzRr8XtWVivdg7oU/jyO+7ny3MgqS95a8TE0HuwG5FzaYBuCzPHRFYWbJgOG6lrvU3Zy343qusLtJ26sNePLZzxPSHXWNKfNQujy/ODmmws/9wBTdYi9lLkrUY7Q2euPtP3O+Xug/3aLCCodr/xwzfeHTevTFO5KU3zGFWCU+0oI92DspFojRXDcz6oAnRNGZhAJccjgkBToZP2R9k50K6q6laeWUllNYy6vpDZc75+cXnV16GRbxnrPApjddlHDhS8cy1kG2lxSKJLYdA1WwoMwmKERUupUjavfTKQX5ZJr2rdTUJXR/hPi0jnLgOX5TLAOO9/+4iYILzKqRVnfpCt/fkMPb24xUXJ6Wt05RwiDixI71nYLwKRucljm+Ccap+WMGZM31iV+wi87lGK13FjvvdPwwemb/aEXI1iyyVV6UbYhUn2uRsL8DiAdrpSVK8kzy33OFt9ZNLoTuh9As/CMPbupfLTD07HeNY047g8D5eR3Dk6T2RRZhPnXcGp+NwrGOPq/Hu6mn9n0ZEC6lMXMG5G5hUZs9K8WnqirLEu5o20lAo6D1i5XuM3MiUOq3yD1Wky9IZd9a10xf4hspsYaY381ApRjN5hUvdTDiu3VgRNasdI8V2toKr9UsjZmtGHWiuKdfTcYG2wqWIpzo0/CjN+MrPDLj6Xt4jlL8bfL/uyVlNgaDH6NGh87O6CxSJ8det3LPH0vQGTnw/n7h3znDEhq1gxzk4diV5Gv1NWksZ0Ogw8sj9FBpy6M+MOS7zh3Mo9pCtCqNaLiqMLuz4iMqfaskTd7DdsWTCR09vIBOBMm+M0zwfKFlgYTDFVIzGnCuKbBVaMQwZPwIPn4u9iiTAQ8Tv72+DORAI+lHPXXOhEGrFfHT1t8jlLqnTpi26dhBmQzKsIbUJ83eHp2UiRoXNzDd/j1AklTvlqkry8r8p9236ImdAopwYzHnAyzGVlOr8b2Zrkk+dm1h5b3OSxAR7jD6mhRcmTZfO8QTldYB8C8p0v6xi+z9a0WvGaKo63UMhlpH9c0dPAjbQfgNXtf00XdRW489Vrw0wFjRlRcGOtbTBs2PTQ6xo1itXx7xAcG9MEsorIorD3KQ0bnTnoiHWSfUsl1yx3/rO6i1xB9WgiVC7J8YHG+3vLfmG81RpJNy8vrBrclpD0dBpZX6+eVtb/IedH+p2O3t5/yLkPwIRvV8nSNc49h4Rid/LXV5focqBQddFI1rXWV5fsxyBiYVdTDbuMakjfxx/mc6vDyr0TEdlc5qkrvgYVd32lw+OCLC4j6tEqfrcEFzKYoPK84wL2pcMugbaJh7Aly5tQzogTr4htNQ7KwCO8/PGUvGbfZZXymaqne199ct1z6kAUJGvcUlJ1vQgu9WtOQ+WtdRemfYkbEzhCgl7xfNch0lRX4jVmHA8DGahxhSOor1xQpUYmLbg7dIyvP17czRsrhW8A5QKwgy35dAPNlrMRiciKbF7l+Ta6f4YVWdQ6oA7cStPjGp3v9VLFh6iYjNjloFdil+lqioIEprvZq67nKq5yZprKurYvmscoNNiurdhwoqQNL+zfpMsSi03B9WRW+dnnC/TU10p8rrjVleeMQwEH5IFd3JZS228+Q98NHQ2iH4W5EXIjdgwhTUkFzSzWu9BHJm0SPIELrp8WelZXub/3pUlv6RKTLfo0aq5xNlf4FEX5fuEdEjOBCszEQuGC7k3HKLGCqb3p+yTsKJdXsCx6L3OXHN22BexknQWQQge0L0gVsIRIZSHt9o17Tzfo10qAKflO5pSjp0ysZ98+R0yS52hu/4/a/8MC861mevZtOL5oSJktOB5Mzo+tQ+1q+GdXCBYFXxfIyW09/Eou9jZqMDIppu6vc49n3QZBU2UZOYjQuogrd3uYfX73O1YUfXQJwN9++/nd728+XHz7rcu5XWOF2ShPbqS6iVmyfPCC/V4v2I2wjTrBsIitRPianbhdSprnABP7XGwTmDALqajQjMQUIB1XUgKMi/hekEB8IBbQbIPZcDjxg70D0Ps8NlB7fWKXqOtqnuhSmHmujYpd+Q712skcYt23NNo7Wtd8pHOSHlvs0g4GG6g0vtikrXvx9S4WxIKNOprqrSZzxB671WA3osA2++U9YaF8dD/B+zsuLPJe//8wXLVVmd3kv5OwWN7x0XtE9iJ5Euao47j78JNygqStnZPt2KVPTZPRXmfZQZ/MZ+B2G3Du4ch03bKaTREPg6KvBWbc0rpu5nLlZcblebe2DTpxWXPQ0GWghcF4VmGdc51ZFfGI/RyTeA3p1r766EwWRSX6nqgBduK4xk0Pxe49vTV/p2GdusFNH6dZPxS3ayzyf5fhqFmLm8GGHSMZHozdcOEd5HSlS0aYjJYlOpUFD9hvsBLDoMNjR12LosxkKmF8/f7dFfrN+VHbpNQwIl8mTSW4/s+36EtF1Ujv1oqLTNF+p860yQ0dh+gWfaiLzoJpXY2WTiI+pF2gMvYYAQu0PMpxdAiqCQTHHgw3jz+gAXOsigSnZcEmcC/gMmIBcgO0yqNNpd2BGbfb1Q7oHJu+VvhQuHMqyKrAKlZZSQN3W+LB+OIHR58wGaRTRYGZraLzAqGLuAVUDeDFElotJQAr538kgFri6JMwXMep6OwFQfeMxX5wfOe2glrVMzrSIsMEBqPELz+xsLWIaLx3AM+X5foncWtW0d93IjJiVJbrqH3XO9At5OMiT3cAvOY4usQQGRVLJiIWRQ5Bp8iNFtki0xtmSHT5IbIFlxuNi/i5K13YwqzTQU8QdSEiYyKlOGGipKqYb6MlvA9gl+QmDfA15il4hZVZqaSRWfyQFEBf/5SBxzE+bJ7sbnK5zPIUxLaA4+e/EZEV+DYzJpbbYBew5WhOEzwKBROJkGYiHdIl1xmf8yx2WHQH9vcJgUfvDN6BHbsXYhd27KreLuyfE8J+lRD2vyaE/T8Twv5LGthGlhzPaQqR0kCPb56JrKg4KN/zbYJ3sgZe3iTQS4qKs2VRptG+rZaJ+TJ2EpKHzFIoJZp+IfF9IyLTLiExwQlqRdJYkxZwGmtSb3VVJphFSkRTVp3EVDXSWNOD3iYQIUYaa5ilgg1mTRLglWC3AgupKUnAhOtXliqJHoX1K1maFcV5AreaLMqM8AQ+bAs4QZAE4Kr51sR3i1rIOgnkssoSxDSIYoYRzBMUEOkML6kg24hZV13YAvPtnzSfp8B7nUEb0CSQXTuYNFi7xNok0OfLcv0qjQ9aZ3Nm/pKk0RjRWdxZcT3ASkYX1TrJNQeolKj4VW7a+fijzdrqAKZm5fz88Z0jDjiofUmAu27y8TrIdWAvGKcpbBidLVIcIlvELM7eBZxCN9AZKyFJMUsi6li5/inXphw0848EWyuSBDZnC5rCjNHgaC5ozqIVjO7CZiINlxQyrzjVRKagtgfOlglkkyz1BpuoM/870EMZ5FEAK7pk2igc3xPSwk6g8SlapiK1SkZrDZ3IVSL56jLzHYsngG4UxUUCRdKVAqVCO51yvVlJpjM3YTY+9C1WOAmD5yOFsDEgr918+9hwmTZYRJ9znGszr1SsYYE1VOpmBaWAWkXHNb4eXdckxwYLkxsW8YddH9tpYB/MJc7z2HeA5bHDqnXroARvESsyoqQsknQlsoATmGmsyNIkR/qORynIXN5Eb89U6vgtS1mpS8UiA+XYMFNFzz7jTNB4LXZaqDrqRJ0GLhTfxndrcem6nmYLLqM/5w3wBCn/1uaNLnUs0AQSx9rQCVCNnpvA5TIJ64plkgtcShVbgBXzapnimhVMkxRiodBJGDbFHAhBDTRXig43ugx3DaBjZ/w5qLHT8cRmE9sCSVJRJt0A6OiWqIyvGUnFlllgHteD4W4EVfHfrDJzQ3mjg406mboF60a8JmGyBIWbfiZObGHgwcaWBmXmHEnR0cVa2w8zsopV5z8ATW9LFj0QUFJVLBUWZtBzNwbkTRLA8Z9e14ns06feFNAIgJVcZliXEQcGdEErHBuqopin0O8UJUAH13U0EfD4RLaQ47Zw7UCWKk+AcXxHpk7gG9bON5wgH0DT2IkAbuBxAuNE0y/xGSDUoDUa1ASmlGbLBIJXl7G9bFqRFPdAkTy6Iq0VCXXFjQDYxBux1YVZ6ehdNddExC6UCE6LfShQ16Qz9vbN0sRnKwc0fkSvmekZG+62jN6ttcrnSfLQK8UTvIWVpirLWeyq9yRjK+rIUAoyGKINLmJ7g9cZE9rgRQLNYM2USaGGr0uRoHWTkaoSMd2sobZogY6ibyoj0YdKoMHSTfZIwmF5nzFnOTpTNGcGnWGV+26GGtq/h9Fxk7MSUmlsQiiAgSH6CPobEMlRqFSnyYdgIh3lLoqSyy0dDBY8SL+FrKI19b4jj1kaOp8RzDtTdElvUYH7jRbaWKxYVv1hIMmR5EzDcIZ6dX/00EAJ6aospTJo2HgUoc0KG8QMKhVdjLHCA9Jy7zOEIkR4b3U0KCAmfGf3kb7QnInUE/k7qNrVunhqZOSSmhVVs/b7eiWrwYuGkKBrqppxREaiEitN0TtqMEwEd3cVNyR4+lYu9YsrV/b6DJ37EV/PkVkFphRBM+AP1I8+BrQFek/N78wIqsPnPGTqJMRbwMju5hbB4m6zmmJFVjMmWBA/mLk7QX/tnviEWRiQDPGC40rArN9lBXNc6ybu4QbuvX7te/aUvh13s6emCbefXzxi7NuDyCLWNN2t8yosiz7SWwO3YsxdMMU06hGB1A6uew8TqgUfmXgJ3XMTjgOH/rmaGqTol4pqs6dp9/HZyvfvle9UBhjL41Z1ErvvkWryTnfdKftwchhBbGzn79ChXb8O7jzm7P/D8w3tYpfntVCAtcO8AVZDvCTee7KwfVzmWFPk0rUbbNDgVjWn5H9xGnxFMwq+wVwq174+SEaEsEaaUhh3hvfPq1JYaEwmGO876DDtlhag9rZMQyoFE9D2IV1SVTCnbkyFdLukG8zB1ozTJUWcrilHWGu2FO7g2nn9YdaHlswnlN+w/h5On59k0rPFrBLsS0X7YxJx+PJ18D2uY+JxU1BqjYbl7kISKQSF3Aq0YWY1JigQClSGNBq7okeVF93btLDkBHnSPFFcLhnBHFkMRkwfwOK02MFSI2MaT0e7crXVYfQ66Wwb2ctqjf3AY86wzlYyuU3gjLjGXINZKu1QIysVuyN4wv0AkLs0Flt40/wgFsIpVrM3XEtriO/ct3MIlqNf/S9m6I3YNv8aQDdgy2thEM5nRBZlZagKi+Ekbny7sXTm2Tf9s4AZizsHwsw/q5ff//AXa/ued46jptg3QbQ9n2ZxI2Z3ddzgLVXoXxufnH7h0QDkwrc+dv1Pep4XLc47XL/3PI5MXj4k2570B6bYdWbo/W8fL+zeqaLOeQL+0pxpomiJBdlardKrZ7yfC4KAQs/Rx3ev0aUwP758ji7fn1/812v06VKYVz+hp5vVFgnKzIoqRFZS+1FpUilKDHzrh1f/+/979iRIEWpWCWVcnx4gU2cFDo/j0Ym5757X/Nrx4mWNVPiK548L6a5sOoD5kQ3j7vzAh/DtKaatdfKZKVNhjt6+eR9E9k8paDpf1nGc8X+koLMwbS26X40IhY0cFp5wBI/xDd5zDkts6AafYEQ6cPcVepPnCvy0jstD6DRPLynKY+OcD42FXJ69u3Kv0mh4rMB6wujHjlPJaar+7UaXVxaVEe+XpeGRkyCi0NCuPU7DWhPL3HStaQVEB12c58x+GfM2YNuZ5R9+5yZkAGsSwgWX/oaf77LAAJU21zqJXnfXJw2j9x7DK6lMI5IHQjeHABscADPbw5JXT0x7tx8mlvVjUm/r3RjhBQ3ZjVN5cT12YPlirSVhVuV0fqOBjoOsXFZYLOmsMZ2IFAu2rBTN0XwLMKnIIWsoLGfKI1sPDIpGR7Tl4KKLBP0OeETdv1vCFd0BoGghDc18Znf8PKP4pM2FznDmUvETgC6NSgN8kYAlFgmqhXmK65Cq/0mZgKg4z2pPXDq1vG/B233M+qt1nQkn0GAvzIoqQQ36uC3pc/SpfsbeggPsR3RVO8AGL8FvY5paPapnAmVixDSukfZ+8ecIcx5UJsr2i5DghhUk5q2psm8gE0YibeAxZwJ9uhwVKAQSZJPJq+gi2wKVZYKxbxawojp2Rq8Fm6DExb2IsVPRwd+eAFs3WiHjVCyjT4oEnK3ykVALHdFAncqDeScAIxCBdIIFwugXqTZY5cM53Qi9WUKyl0LY3vhbyKWbU7OhVIRVz8hdE+8b45YG826oziGDoGU8ZEYMdsiEz3OFtISCGSuW/IiN8BbXHIsp4vh3cFDWCSIdF+Vgg7suyzaSsrYW7BIM2N2XJ3akkhLoQrCO1w/ubhF7rAwjFccKQb9oVCPx9OL29Vu5lItFePo7JZlZ0eTHu4PsR7ugu40dvC8s3hbdN5VZUWF8svgo2rqK2Tnhbgk9bslx1D9pqkYRlpUhclpK+yXHEb6uCKFaj+AMncePa452XOIJ4IWsiruUaosChQkD3KYQTjs40h6OVipBgE+XUth3xcqtkHLY/BANFKXdXa3j9aMbeTcxcl1LoWaAM5o3+/F+mJ4+zATSzFQB+YmguIB6Ee2hrrBGOJelfV3MijKF5Ea0R+YIZ/CtFLIYyauFmRyauRb10yoRVrlnIrfyRyrdEACjXxin6I1HbDYgw12cvaLZmLuTownjzf5Pkq4wSoJrn7UQlwqhPQYIEbPe/QGEcPl6175eIzYlxhNC5zJl9UBg83O6wmsmK9AuiSxKJQs2kqFIp0buQuA5hyKyBTrbjxsT60bsJESyj+GO1omCCOxgGHW4zBEIBtZv8Et9up1Xtr1vo2zXlllWwvTL2WJr9DmUgWfkGLP+TloQvMdLKqhipN4SEAQS/fqpBcys4KkNzXZDHtkZ+WGmjRoPftZ7Oqbt1sn29HL/nrx64dZKuK+gadoY4YYVVFu57rQ9RUs6GkTypxCtKcTBg4DGgw88BnVH1jqmd/fJWOvHu+3ph0xHG3J65615h/GhHQ72BjtuBcIdhMHXu7uXB3enJj07d9Gi7E0dPrlovVSnESAH5HgjQL5edvzx8JHFGm0wzZHdTT6qSSVIzDt2B/kxKTvG3NuAGRulHkrQen7q6JU7lVllBTUreYIoCd7xJCOHhv/a6IFDLyUlk3qd9kR1Pkju/bUWkT18mcgT8l+zn7//Hj19e/7m6hk6Z9owsayYXtEcSuGDuHC5lMn7Au2LhEG27MLh4Y8ZvjiSMaZkYq/ivvpPe6ohDJobAx75aEOf73NdCKT9N3W/Hccf4BSKmWIRapPeZophHqs7XW8jH3DOKu1WQFIhzQrGsXLiyYpNe4cIvOvh8iq455rlU3Ya6WbKf7KMUHsRe30x20uers7ijdh31yGs4SsNO/5f7ySCTwa84B03tFOWkYddmVKlTAwYhGyA1FItsWB/7smqFulY4a7EPoLSXZ4aIfeCqWAtaaKuP7/Y5eC1cC2+XO+inazmXynmZkWwoqhUNJcFEzhYcNcRT1fYMCqMPpgez/GUu32LT7pZ1/qRlokY116dJ1ZwlVgZaIbUbnW/WJ2w2ZEXNneRqAuaU4UNzbNoSWV7+MMKn1/qFZvg2ZWSa5Y3zcP893BZcq+pDhjDN/+xz9quThtWcNpNsnyiXTZL+l5/ZjuyzeDwUMicXDMXPV/1FfeRFnCN0hlzKPh9NU96CzpT50edSuhlYKNORwWNFWukjVRO4ltoBTUYVnsC35rZbz0J775gec7pdFLuHax3VzkXON6O3DtKztXjMabZ7pVfrdNhSGzr6OxzVHJsj8y+z1IhKojalmNefkiFnMCevEMGnWpsy1+lNugdJismRky6HCeSHN/0af1JQKZ/qagVH1Y/ck3O9Ay9zXGJPsM/nH6US+HqTv85fDzRCq+p1Zw4xQp9qajaIuhBqEspNK01qnBxqt1vBr+ZRl76HnjEQlas7gIp3PZdX75xPOstTYBqy0AffHPUu2IKU57SOsz6PF63lt5pYmRtQ//wMo1UJUTQjtXPm5fHRZ5dG6mRGjsPMfMWZvqDwGjDRC43GumSErZgxH7yPFQn6PNkhxfEbs/h2+bcoKfQEZYK0j5DELp81qEWqgS842/pEpMt+qR3G982EdiiX0gbPbvWrjCBwT7y2ndNLUAFatWAyeyLOKB40wcgUP2/U2kK5TxD8u1uO71CPdad16nXgR3DDoOM5n9zxGanyesd26rP8PWu91rWXcDWx7uADnczjcOuCRjsnk2bkOmOYXBC4YYUh4ufoWwg5kjA0Qo32HJOF0x4Xz0IJ+jqV+BypOkgYHdUoVgi3FoHTE/9iy0YG59t6r37XkojvSkbH7YxmKyKiVvgt6sCwdHAOuoeR5IhL3Mm4k0Qi3o37JahqDDt4xkQUt2yHTgW10a7Le8PTO0cYJ327TuAdYlVzVP2z8/brWxWbNBKHdnbYW1Zl/x+p+2Z6DNLXFsLqbbpDvyvusTibwc7xtSI7HZRr9Xz0NNkyfLXFwD9wN5OphINdlX3W9+/q1EuyKgwSpbHiI5cVvOBc+FOPO7XtNY2PVCOADi66o5p7+GZLEosts19hGsH4/SdvbKmyj5DGRMLGVYKsL5JXSN0QH70rMgasw1N2xV98SVVjsAvFedb9J8V5mzBaI7Ooe7ZOQeDqGzoPCNS3rATBd1/p3Pk1m/tZ8zHtPno3WbbcHhZGVC5jxxheviuf2iW8FN2vDva+eRn6OO2dFtvPQeWOO4Exw9P0UUWtZlsD22Lg3NEqCc61La2j8wUrrpGudzFznkWS6lqbz+EmD+8HTnyTq+cyOxU06JMO4doDynsygc99zWaSspEmsguUnYdex6oxCbsmiQiwzpmtL8DWPly+siQK8UjHnMHasRTaYzRrFKxvCEdmJqqDC/j2ZQt6OjP0y7oqOmPu6A91ycQLPTWUAGqVXzjxMKPxs2NordStJcqE1ujcktMUUu4I3M/wrKgXr3w/33mUXjh/8PnNYXc/phTFc7O89s5YfTcbaYbPAePa2fU2mA7uR+IZk0qJhZUqZG463Dfk+yrq/gfJH3QPTsBknVf4kXnGAJXCsLaMumVCiwxGftduLi9ZbuPkEGsun/6Bx0maI0P/GTliqpp/BFWZ/cZT0/PYPTjM3QG64dRo8pM1CxlhM5nVPnhn3QnC3NPc16aNHTcIWTnwO2iT3SnU/Tek2Z/HuuVvH9rlPBpo2v2Z9hbw24SyZTLf1wgQZfSMHeA5QrrkQlQmkzdVqhzlG7x8eGC9qiTTYAaJLj0eKxunF7X34QTUjRbTlFRsdvfqJl6+HF00LKVJkzrKrrSCZAhWSqdt+5hMRTAkCqV1Ac6OJSu9Lywi6NrCE7vk06TZEg0ncF9FPnpNaR27n+MOtLzOCTvLz334DguQrXm2Trli94PqXpHdhCZPLOsh6vobRp1KsDshnqLOlFzg2/acSXdBwlk609IQ7xOKnR5/eYf767QlX2n0G9iZPpKi22iSupjsP24kWFsQQyRFSU3+ign8t2EcNoeZKGhc02/zqZFGKSB+hGErRTco+VSxQZNIU+g5Do8mq4go0YD4GywqSab8NnFco05yx0jBpDoC8LJulrvE4RAsRu61X2xHYnz6wTSyLBXxpQ6YzCDNgloOMoUBCH4EdwmthR15YtUzGwP3CgiiyJpn7g74u3w8A6hcAn+hinK+5ZmbBfLhmORaX2qgbd2ZSfDf/e7rWu0gti6UuOslGyKtOoQwg4DBBgAUmFrAMhKVliIQeOM1O2m/KqAyEjMdqK2zc3D4mce/v72zXv/7r3oLd88KEaqvu8/es82pm+yteRVKgK8qec4Cz/nppmMXY/zrQQzGj11SOhn0K0DCnvribo98AiQDu6GV4mk2VuP6yfBjE8XmO0WHaypgkyBRcURkYLQ0lhD+dqd4Uh7hc0mpfR1hLcGez1C2yJaSmWQtPT99d/fhFJwg2SPzXdSLadPsOwXGOy4WOfYNTsJNor5+8VvV5dX6B2+LZjIm7He4WO1e5s8DXNniOLItvw2Brvbt61GfQqXLEZPz3ZVjtliuoLNUxfh11tOrnbsOMu8VL489116PRZ7MeTTHcqJewXUOy7+29cNN4U5Ih9qkrFvN/hLrAl9ouxGP64arPgmqFu44t7nSFeBFHWs0V+1UVIs/zbnmNxwpg3N//rC/+158ykTC0rCHy2YohvMg4oMnvPObxAWOdISjbClokumjdpay35KYVFis/LN+hscUB+HAZLglJoKTVcI7eq1iFSdLuSNPtlgToXp5KTUePuBjLNmmtqsd/nHcR/DO6cLXHGTwZ14jRaY75Qi72xpN4P/fSc5op4U2Y6Mb8vWjMKLBSMwSGBOqUByDn0jOg29mnPR+B6b6V/sA1sZ3vrGZWyxFonVyUKnbpM0IlEU3qCCao2Xvi8RkVZ+wwCzkCL5Vi7ROSUyHwn7eFjRfVSu53PEBKYewlNKIyjCtC+aXCAmtMHC1GiEbXzDjnrE8+E7FVTF4R4ya90aV+fUjidAK2vbwoTd35kRVOv69A9PQRB0TVW3QUWJlaboHTUYNHVfc9ss9fStXOoXVy6p9tkA/LlPB2vVCow+UCcsHIeLDpojnWToOokL52HR5kIv0yrP/ozf+Xt+ef6DD7i4tm+tdQ09AW4xMYjLpTuvYV8b2B1MsvbcAt/Tu3OH7O/9wc5GOWMA+ihOCXHGAPI4p4weyXraM3n5/85k/5nYVdMcyMOur5z/kQV7XT0a7NapQqUPQ03RlFmxDydbqvv/MMzA9ktXcP8w5HCVM5NBP+rHiN6u4fSIEFtFnKgbFTEmjkMsrcZUS47Hy2k5PWpYbFqyLSjNUxeBjIctum0TXSNJmg/0kIGS8DAroqeHDKAfsCLGqTh9nXl/MG6QfI5cg21GIh8KUPDe5CNTqNU+OtCo0arZv//TdteoPZOC2McBG/nYLdsRcQNN6hKKwy51z+wyLvmlc5/fyqUf6+qrGKCXnDVBFPWCarD1BbulOdIUJu3u/Hh3DT1usNSHMID9YIOlOYQB6HsdytATGN+/dBxjDvZ1D5rcjwYRWyzs4ctf67xSz5G8z5GaiqbzMJdLHWKbjg/p66EvO4bBBj8aJezl1fqnth/gyHXvE3eweyO/VuKuX6Um76v/e8mbuPbJ07gvF5wjrestyxFGS7amonGSfb2KgCXRcf6LtBZI/hiVv68jojHq0JDlNlP0S4Kz7gYP4YBh376Z34XvKXYFF+m592Yb7CqsCR5KkDmtk0c/XQrzwyskFfqFS2x+fLmb5kWkWLBlpcbzW9p9H6PufsX7hjDoYy2bBMt4gp4ZY9kxdTXR1+5gkGqDVZ5Mqds/qd4pJJ939D2MFOV4mJrmWqv6R9Sj7ZthAqfqtsuHVGzJBOb1b3a1lQN0SKV/7UmMuLz6/CpAAhTsJosikKDBaEjlGK9Py6hDxfHY12dFcZ6wvH7HtIOl0OX5Q6KkDt9usBTAHBcrfdRONk6y5H423OTgtooWXBRrupxJzqFv6tcogC31TpBzY3mOaUQc6erxcB1F9a0cjrMYJ/QjtPgKMn8sqmohtakL9+bbwaE1k7gsQM2Kkm/9OdkvQzIzxWSFNMspevo9MitVoZc///wMbbAfJVSvsocSj0J5vQMl/FydZKQgXw1XuKEqtU+h6btqr7IOQkBP8VyuaYcYLFyiU4s3bRTFxej9IV8N25yYVDRnRzVNOESob0KaY+NYYAvETN33B0T6C9cmtEZ6OM7qnwjqRbZUoZfoQhBc6orjplnZveR6CPoDgx+B3MrQKj++RP9mt/sc/fgj+jdEpLL6sus5UA9T+x/c/C/7RabRLlHC7S+EzOmjtXXFhmYEcz7H5CZ96VNOhTT1aDSwKywR65oXME3GptIBcyRvZgQsAw23MQeM3Rx7I5XVrMXWaR32g04zihBSCC1kJXL7wnAYyKChI8Ddkhd3b8QAcoxYoL8Oe8JGI6ew5RLnj+Wd8+ggzf6EYZSKkYDV4U3h7pfBFnbPfS2E7bOPTavRykV9bDP0q9zYoxnanEwgqawxZiS6obQ8QLRH8eJ9JURzgymydcqB5xe15IGxVG4+tYBJ/B27cM0UjEy9PN/1vYuAi6M70x2I4Xbhr/rlOVJWWmtwqAxni4xO/28okaye+eSU2J1HMpIvlyQUNBT8bfOrD9ANv5nRTBTFfhDQiKC0/6sDMV9B4MWvlOmSs9TdSx6tOa9ZqkLYB6ZIH9c06q78DrfOvgH1RCDPdbXV4p+Q/x4RRideBuOCJonRwwggqdDV2Zsrr/sSLCx5WFFK1dd4ETyRX10aRPU43B+f3FMFhnho1C0amvJV+5PWYHd6DljmM/Ty51doA3QvKBYIcx72FdTVzwvU+o/QhirqwGKDOMXaICl65SK7RDy5mvh1EzFwV1OEbT3tfpcqB8JBVhMlKyG5XG77gbgFUwMtFqGfEVlhhYlxRKTQvshi4Sa4o0r4nB6+4zMfraiNXdDtAvUpgwj7pi1Yi6KwSqYUdRhB4c2oTAPJ2lMrMQGN1cUohPc5SEIqVUPUBoscqxwJqQrM2Z+h/F6piiB9cp/lcDSJ7jYLbw+RWqwbZF5wtqCw44CBrymRIh9RsNvjzrSZoKF9aENMEFmUnJogA4w6UTEo8OONprXBypyIka/t2kF2HmPlXc4cZb9CiuidkPNBgsSDmx6I/ESEvxB5CrJbkH9KcaLuOfXqtYrp0ms/9ik8EFHJbvQbBMO4/Qhy3w63xi7flwcWON+HMtu2Pwr84SAVJVLlNE/3DvokG/9M6WbFWseoM22aL3bj68PXSsliBlArKMrXhAqsmHRqfVFxw74zjCqEy5LX1S9tL5sCC7wMleYixCG8U9uLDimHq0bMPNFIboSLjBlclH3PoMe4npo0vH1GI7Ji1rqROdUz9K7SBsykLlDXPWskLxcbeuQh7RVgi4XFe02n0ITgkOsFHe3c0DRBHENgq1rnbM1yq9kAP4QF2XUtyD72iBfe5G3J1GQ7bM/TxYJuLScyw7dus9oKPauvWaSAQff7RiMe+oFu37U8mw2WbLurVbElUBF9FGdD/9hXBTTILxWtJmMly92Oi1r5uMEw9rTqNuDqolkCcrFGPTREjagU7BA0gUxbFibB67ssUuBaZglQLbMU2nMZUxTtAo016qOFmkBX6rwipzEhe+Zj8I0ZPJf3enOOFZuH5NoxwYL2geh1Q4jtCMJkoMTHUKx1xU/UNF9WhsiCvnA4NMaLH+Ay4BAsPAl2DMgRBqFrqphJ3Rp0rPu0X90XAY6NJu25fCYe3OZe6abSxUKDuJMbdd8aPmHt1gVzxnqqeF05fTZT4AAaFyPLB5Nhm0mwQbxDU2QSHsLnXSu9awlKhX679qmxTNcJAX2/Gqxfn9BYlaQupWYRBcedeAvMaZG33YWbuzvahafiJkvXuuieokhUBVWM3FcWBfc20eTnO1SyNTfDiSV3vwdbW1ORw5zkg3JLzv84QfeaOrQrh9Npu4ilrwUfkBvmAe9FzEn6lL3qvhmdBOvFjPdyrXCTWyykQbiZpBZOoOVymdWJKicR6jUj3luoT9EzZUf2/R3SraBr9bDtd6P4S87IdoppOyNy4QoQ8M21Bd+OyOWKp8ybDhPwQ+Wb/4fFqRSG3qbWWBuELttRAXV1VZ5r+3/wqGJeIxRqAHPgcSYrLJY0E3STWhaMBS7pphPqByXEGMXmlaEdCTHM0dcOdautd5+/kaHEJY4m7BrK8cGEjkluDhiC/fwih0xXfwsYt1ABZglWNxzUbc6XWlM1Q9fUHUqlqZrhJYVW3j7TfSFVjcMAdg3G6e0Efo/c7zt9K6RCcyU39rP6r6Se42jNrtF+0pf5FVYmtpuuARzbo+LvlBxUh051pyTP2xmkia6ULKkPKKZ6i98IhDlVpskuUu2i/m8uvOXFR6cJACQhBRTmHAkpvlO0pGDJ7Mt+mGIuym4f/dA0FKfHvWAuwlaHfwY780M1WlmPzmHBOVSbCCTFd0tp/3vPSwBKShZQHBPuG3eCgS8AAYukXCCYMM+onqHrVqb0Bxt0K6vSYHzmyvkqbY0YVzLqkm1yL36baSaEV9rUDOn/MTgm+AnT9iR9TbT3b1jFFz4dV4Em137cDQtb9K4tUzql7Mkhw8tieQ5YIKy1JAz8pfY0gvYkHNhbdkNfdwYZwuDC56hUMBPlOaKGPAkryljhWAOrDwSxYClqqNKoxBq6eGlo5OCnScuisFJM7gTth6U11JC96p57D06l8XXOMMHD5MQ3kUVZDe9ggmPDaMNELjc+n9ZPm3zeZFKMEmOwzUXF+RZ9qTB3zs9cFpj5Qbyw73ohLkeerq7XM9EA+8FoOCZuaO5rgepEdKzBO+UNFPvJNw1qM5bvOzg+6AqRVNR1Jzs5t0QfgRq9365Phddvpfe8outhu54m6ExVwfqDnVK7WP2anTF5+zXtHyNr2gvG09/xZsu/wGrNNVY0rwhFdeSIht1tbqZ+FnhNkz0i1ztj/PvvY+cBtC/MqF+Akht9VMuBGB5jv7p96FZYr5obatXCQJVhRVYu87eusWnKDM9qSL0WYXYjzTIzrYj9VfPvYaUpsvJcIAY5d5UgnGJl/wSN8FrUfAFhPfm1Luw8HH1wwq8a9nl61C8WkcW8Gd+72HmwfNmousfrtWaq0lN7+rraCCAw7vGbJkAauBJnbnXXk3HcU+osuOkG1zov8+W5H8GNnvrGDfVsSlf0a3F7FtarnQP6VAP+vfv58rw737URE0PvwW5EzqUBui3MHBNZWbBhOmykrvU2ZS/73aiuL9B26sJeP7ZwxvfE447PmoXR5flBTTaWf+6AJmsReynyVqOdoTNXn+n7nXL3wX5tFhBUu9/44RvvjptXpqnclKZ5jCrBqXaUke5B2Ui0xorhOR9UAbqmDEygkuMRQaCp0En7o+wcaFdVdSvPrKSyGkZdX8jsOV+/uLzq69DIt4x1HoWxuuwjBwreuRayjbQ4JNGlMOiaLQUGYTHCoqVUKZvXPhnIL8ukV7XuJqGrI/ynRaRzl4HLchlgnPe/fURMEF7l1IozP8jW/nyGnl7c4qLk9DW6cg4RBxak9yzsF4HI3OSxTXBOtU9LGDOmb6zKfQRe9yjF67gx3/un4QPTN3tCrkax5ZKqdCPswiT73I0FeBxAO10pqleS55Z7nK0+Mml0J/Q+gWdhGHv3UvnpB6djPGuacVyeh8tI7hydJ7Ios4nzruBUfO4VjHF1/j1dzb+z6EgB9akLGDcj84qMWWleLT1R1lgX80ZaSgWdB6xcr/EbmRKHVb7B6jQZesOu+la6Yv8Q2U2MtEZ+aoUoRu8wqfsph5VbK4ImtWOk+K5WUNV+KeRszehDrRXFOnpusDbYVLEU58YfhRk/mdlhF5/LW8TyF+Pvl31ZqykwtBh9GjQ+dnfBYhG+uvU7lnj63oDJz4dz9455zpiQVawYZ6eORC+j3ykrSWM6HQYe2Z8iA07dmXGHJd5wbuUe0hUhVOtFxdGFXR8RmVNtWaJu9hu2LJjI6W1kAnCmzXGa5wNlCywMppiqkZhTBfHNAivGIYMn4MFz8XexRBiI+J39bXBnIgEfyrlrLnQijdivjp42+ZwlVbr0RbdOwgxI5lWENiG+7vD0bKTI0Lm5hu9x6oQSp3w1SV7eV+W+bT/ETGiUU4MZDzgZ5rIynd+NbE3yyXMza48tbvLYAI/xh9TQouTJsnneoJwusA8B+c6XdQzfZ2tarXhNFcdbKOQy0j+u6GngRtoPwOr2v6aLugrc+eq1YaaCxowouLHWNhg2bHrodY0axer4dwiOjWkCWUVkUdj7lIaNzhx0xDrJvqWSa5Y7/1ndRa6gejQRKpfk+EDj/b1lvzDeao2km5cXVg1uS0h6Oo2sr1dPK+v/kPMj/U5Hb+8/5NwHYMK3q2TpGueeQ0KxO/nrq0t0OVCoumgk61rrq0v2YxCxsKuphl1GNaTv4w/zudVh5d6JiGwu89QVX4OKu77S4XFBFpcR9WgVv1uCCxlMUHnecQH70mGXQNvEQ9iS5U0oZ8SJV8S2Ggdl4BFe/nhKXrPvskr5TNXTva8+ue45dSAKkjVuKam6XgSX+jWnofLWugvTvsSNCRwhQa94vusQaaor8RozjoeBDNS4whHUVy6oUiOTFtwdOsbXHy/u5o2VwjeAcgHYwZZ8uoFmy9mIRGRFNq/yfBvdP8OKLGodUAdupelxjc73eqniQ1RMRuxy0Cuxy3Q1RUEC093sVddzFVc5M01lXdsXzWMUGmzXVmw4UdKGF/Zv0mWJxabgejKr/OzzBXrqayU+V9zqynPGoYAD8sAubkup7Tefoe+GjgbRj8LcCLkRO4aQpqSCZhbrXegjkzYJnsAF108LPaur3N/70qS3dInJFn0aNdc4myt8iqJ8v/AOiZlABWZioXBB96ZjlFjB1N70fRJ2lMsrWBa9l7lLjm7bAnayzgJIoQPaF6QKWEKkspB2+8a9pxv0ayXAlHwnc8rRUybWs2+fIybJczS3/0ft/2GB+VYzPfs2HF80pMwWHA8m58fWoXY1/LMrBIuCrwvk5LYefiUXexs1GJkUU/fXucezboOgqbKMHERoXcSVuz3MPr/7HSuKProE4G+//fzu9zcfLr791uXcrrHCbJQnN1LdxCxZPnjBfq8X7EbYRp1gWMRWInzNTtwuJc1zgIl9LrYJTJiFVFRoRmIKkI4rKQHGRXwvSCA+EAtotsFsOJz4wd4B6H0eG6i9PrFL1HU1T3QpzDzXRsWufId67WQOse5bGu0drWs+0jlJjy12aQeDDVQaX2zS1r34ehcLYsFGHU31VpM5Yo/darAbUWCb/fKesFA+up/g/R0XFnmv/38YrtqqzG7y30lYLO/46D0ie5E8CXPUcdx9+Ek5QdLWzsl27NKnpslor7PsoE/mM3C7DTj3cGS6blnNpoiHQdHXAjNuaV03c7nyMuPyvFvbBp24rDlo6DLQwmA8q7DOuc6sinjEfo5JvIZ0a199dCaLohJ9T9QAO3Fc46aHYvee3pq/07BO3eCmj9OsH4rbNRb5v8tw1KzFzWDDjpEMD8ZuuPAOcrrSJSNMRssSncqCB+w3WIlh0OGxo65FUWYylTC+fv/uCv3m/KhtUmoYkS+TphJc/+db9KWiaqR3a8VFpmi/U2fa5IaOQ3SLPtRFZ8G0rkZLJxEf0i5QGXuMgAVaHuU4OgTVBIJjD4abxx/QgDlWRYLTsmATuBdwGbEAuQFa5dGm0u7AjNvtagd0jk1fK3wo3DkVZFVgFauspIG7LfFgfPGDo0+YDNKposDMVtF5gdBF3AKqBvBiCa2WEoCV8z8SQC1x9EkYruNUdPaCoHvGYj84vnNbQa3qGR1pkWECg1Hil59Y2FpENN47gOfLcv2TuDWr6O87ERkxKst11L7rHegW8nGRpzsAXnMcXWKIjIolExGLIoegU+RGi2yR6Q0zJLr8ENmCy43GRfzclS5sYdbpoCeIuhCRMZFSnDBRUlXMt9ES3gewS3KTBvga8xS8wsqsVNLILH5ICqCvf8rA4xgfNk92N7lcZnkKYlvA8fPfiMgKfJsZE8ttsAvYcjSnCR6FgolESDORDumS64zPeRY7LLoD+/uEwKN3Bu/Ajt0LsQs7dlVvF/bPCWG/Sgj7XxPC/p8JYf8lDWwjS47nNIVIaaDHN89EVlQclO/5NsE7WQMvbxLoJUXF2bIo02jfVsvEfBk7CclDZimUEk2/kPi+EZFpl5CY4AS1ImmsSQs4jTWpt7oqE8wiJaIpq05iqhpprOlBbxOIECONNcxSwQazJgnwSrBbgYXUlCRgwvUrS5VEj8L6lSzNiuI8gVtNFmVGeAIftgWcIEgCcNV8a+K7RS1knQRyWWUJYhpEMcMI5gkKiHSGl1SQbcSsqy5sgfn2T5rPU+C9zqANaBLIrh1MGqxdYm0S6PNluX6Vxgetszkzf0nSaIzoLO6suB5gJaOLap3kmgNUSlT8KjftfPzRZm11AFOzcn7++M4RBxzUviTAXTf5eB3kOrAXjNMUNozOFikOkS1iFmfvAk6hG+iMlZCkmCURdaxc/5RrUw6a+UeCrRVJApuzBU1hxmhwNBc0Z9EKRndhM5GGSwqZV5xqIlNQ2wNnywSySZZ6g03Umf8d6KEM8iiAFV0ybRSO7wlpYSfQ+BQtU5FaJaO1hk7kKpF8dZn5jsUTQDeK4iKBIulKgVKhnU653qwk05mbMBsf+hYrnITB85FC2BiQ126+fWy4TBssos85zrWZVyrWsMAaKnWzglJAraLjGl+PrmuSY4OFyQ2L+MOuj+00sA/mEud57DvA8thh1bp1UIK3iBUZUVIWSboSWcAJzDRWZGmSI33HoxRkLm+it2cqdfyWpazUpWKRgXJsmKmiZ59xJmi8FjstVB11ok4DF4pv47u1uHRdT7MFl9Gf8wZ4gpR/a/NGlzoWaAKJY23oBKhGz03gcpmEdcUyyQUupYotwIp5tUxxzQqmSQqxUOgkDJtiDoSgBporRYcbXYa7BtCxM/4c1NjpeGKziW2BJKkok24AdHRLVMbXjKRiyywwj+vBcDeCqvhvVpm5obzRwUadTN2CdSNekzBZgsJNPxMntjDwYGNLgzJzjqTo6GKt7YcZWcWq8x+Aprclix4IKKkqlgoLM+i5GwPyJgng+E+v60T26VNvCmgEwEouM6zLiAMDuqAVjg1VUcxT6HeKEqCD6zqaCHh8IlvIcVu4diBLlSfAOL4jUyfwDWvnG06QD6Bp7EQAN/A4gXGi6Zf4DBBq0BoNagJTSrNlAsGry9heNq1IinugSB5dkdaKhLriRgBs4o3Y6sKsdPSummsiYhdKBKfFPhSoa9IZe/tmaeKzlQMaP6LXzPSMDXdbRu/WWuXzJHnoleIJ3sJKU5XlLHbVe5KxFXVkKAUZDNEGF7G9weuMCW3wIoFmsGbKpFDD16VI0LrJSFWJmG7WUFu0QEfRN5WR6EMl0GDpJnsk4bC8z5izHJ0pmjODzrDKfTdDDe3fw+i4yVkJqTQ2IRTAwBB9BP0NiOQoVKrT5EMwkY5yF0XJ5ZYOBgsepN9CVtGaet+RxywNnc8I5p0puqS3qMD9RgttLFYsq/4wkORIcqZhOEO9uj96aKCEdFWWUhk0bDyK0GaFDWIGlYouxljhAWm59xlCESK8tzoaFBATvrP7SF9ozkTqifwdVO1qXTw1MnJJzYqqWft9vZLV4EVDSNA1Vc04IiNRiZWm6B01GCaCu7uKGxI8fSuX+sWVK3t9hs79iK/nyKwCU4qgGfAH6kcfA9oCvafmd2YE1eFzHjJ1EuItYGR3c4tgcbdZTbEiqxkTLIgfzNydoL92T3zCLAxIhnjBcSVg1u+ygjmudRP3cAP3Xr/2PXtK34672VPThNvPLx4x9u1BZBFrmu7WeRWWRR/prYFbMeYumGIa9YhAagfXvYcJ1YKPTLyE7rkJx4FD/1xNDVL0S0W12dO0+/hs5fv3yncqA4zlcas6id33SDV5p7vulH04OYwgNrbzd+jQrl8Hdx5z9v/h+YZ2scvzWijA2mHeAKshXhLvPVnYPi5zrCly6doNNmhwq5pT8r84Db6iGQXfYC6Va18fJCNCWCNNKYw7w/vnVSksNCYTjPcddJh2SwtQe1umIZWCCWj7kC6pKphTN6ZCul3SDeZga8bpkiJO15QjrDVbCndw7bz+MOtDS+YTym9Yfw+nz08y6dliVgn2paL9MYk4fPk6+B7XMfG4KSi1RsNydyGJFIJCbgXaMLMaExQIBSpDGo1d0aPKi+5tWlhygjxpnigul4xgjiwGI6YPYHFa7GCpkTGNp6NdudrqMHqddLaN7GW1xn7gMWdYZyuZ3CZwRlxjrsEslXaokZWK3RE84X4AyF0aiy28aX4QC+EUq9kbrqU1xHfu2zkEy9Gv/hcz9EZsm38NoBuw5bUwCOczIouyMlSFxXASN77dWDrz7Jv+WcCMxZ0DYeaf1cvvf/iLtX3PO8dRU+ybINqeT7O4EbO7Om7wlir0r41PTr/waABy4Vsfu/4nPc+LFucdrt97HkcmLx+SbU/6A1PsOjP0/rePF3bvVFHnPAF/ac40UbTEgmytVunVM97PBUFAoefo47vX6FKYH18+R5fvzy/+6zX6dCnMq5/Q081qiwRlZkUVIiup/ag0qRQlBr71w6v//f89exKkCDWrhDKuTw+QqbMCh8fx6MTcd89rfu148bJGKnzF88eFdFc2HcD8yIZxd37gQ/j2FNPWOvnMlKkwR2/fvA8i+6cUNJ0v6zjO+D9S0FmYthbdr0aEwkYOC084gsf4Bu85hyU2dINPMCIduPsKvclzBX5ax+UhdJqnlxTlsXHOh8ZCLs/eXblXaTQ8VmA9YfRjx6nkNFX/dqPLK4vKiPfL0vDISRBRaGjXHqdhrYllbrrWtAKigy7Oc2a/jHkbsO3M8g+/cxMygDUJ4YJLf8PPd1lggEqba51Er7vrk4bRe4/hlVSmEckDoZtDgA0OgJntYcmrJ6a92w8Ty/oxqbf1bozwgobsxqm8uB47sHyx1pIwq3I6v9FAx0FWLisslnTWmE5EigVbVormaL4FmFTkkDUUljPlka0HBkWjI9pycNFFgn4HPKLu3y3hiu4AULSQhmY+szt+nlF80uZCZzhzqfgJQJdGpQG+SMASiwTVwjzFdUjV/6RMQFScZ7UnLp1a3rfg7T5m/dW6zoQTaLAXZkWVoAZ93Jb0OfpUP2NvwQH2I7qqHWCDl+C3MU2tHtUzgTIxYhrXSHu/+HOEOQ8qE2X7RUhwwwoS89ZU2TeQCSORNvCYM4E+XY4KFAIJssnkVXSRbYHKMsHYNwtYUR07o9eCTVDi4l7E2Kno4G9PgK0brZBxKpbRJ0UCzlb5SKiFjmigTuXBvBOAEYhAOsECYfSLVBus8uGcboTeLCHZSyFsb/wt5NLNqdlQKsKqZ+SuifeNcUuDeTdU55BB0DIeMiMGO2TC57lCWkLBjBVLfsRGeItrjsUUcfw7OCjrBJGOi3KwwV2XZRtJWVsLdgkG7O7LEztSSQl0IVjH6wd3t4g9VoaRimOFoF80qpF4enH7+q1cysUiPP2dksysaPLj3UH2o13Q3cYO3hcWb4vum8qsqDA+WXwUbV3F7Jxwt4Qet+Q46p80VaMIy8oQOS2l/ZLjCF9XhFCtR3CGzuPHNUc7LvEE8EJWxV1KtUWBwoQBblMIpx0caQ9HK5UgwKdLKey7YuVWSDlsfogGitLurtbx+tGNvJsYua6lUDPAGc2b/Xg/TE8fZgJpZqqA/ERQXEC9iPZQV1gjnMvSvi5mRZlCciPaI3OEM/hWClmM5NXCTA7NXIv6aZUIq9wzkVv5I5VuCIDRL4xT9MYjNhuQ4S7OXtFszN3J0YTxZv8nSVcYJcG1z1qIS4XQHgOEiFnv/gBCuHy9a1+vEZsS4wmhc5myeiCw+Tld4TWTFWiXRBalkgUbyVCkUyN3IfCcQxHZAp3tx42JdSN2EiLZx3BH60RBBHYwjDpc5ggEA+s3+KU+3c4r2963UbZryywrYfrlbLE1+hzKwDNyjFl/Jy0I3uMlFVQxUm8JCAKJfv3UAmZW8NSGZrshj+yM/DDTRo0HP+s9HdN262R7erl/T169cGsl3FfQNG2McMMKqq1cd9qeoiUdDSL5U4jWFOLgQUDjwQceg7ojax3Tu/tkrPXj3fb0Q6ajDTm989a8w/jQDgd7gx23AuEOwuDr3d3Lg7tTk56du2hR9qYOn1y0XqrTCJADcrwRIF8vO/54+MhijTaY5sjuJh/VpBIk5h27g/yYlB1j7m3AjI1SDyVoPT919MqdyqyygpqVPEGUBO94kpFDw39t9MChl5KSSb1Oe6I6HyT3/lqLyB6+TOQJ+a/Zz99/j56+PX9z9QydM22YWFZMr2gOpfBBXLhcyuR9gfZFwiBbduHw8McMXxzJGFMysVdxX/2nPdUQBs2NAY98tKHP97kuBNL+m7rfjuMPcArFTLEItUlvM8Uwj9WdrreRDzhnlXYrIKmQZgXjWDnxZMWmvUME3vVweRXcc83yKTuNdDPlP1lGqL2Ivb6Y7SVPV2fxRuy76xDW8JWGHf+vdxLBJwNe8I4b2inLyMOuTKlSJgYMQjZAaqmWWLA/92RVi3SscFdiH0HpLk+NkHvBVLCWNFHXn1/scvBauBZfrnfRTlbzrxRzsyJYUVQqmsuCCRwsuOuIpytsGBVGH0yP53jK3b7FJ92sa/1Iy0SMa6/OEyu4SqwMNENqt7pfrE7Y7MgLm7tI1AXNqcKG5lm0pLI9/GGFzy/1ik3w7ErJNcub5mH+e7gsuddUB4zhm//YZ21Xpw0rOO0mWT7RLpslfa8/sx3ZZnB4KGROrpmLnq/6ivtIC7hG6Yw5FPy+mie9BZ2p86NOJfQysFGno4LGijXSRion8S20ghoMqz2Bb83st56Ed1+wPOd0Oin3Dta7q5wLHG9H7h0l5+rxGNNs98qv1ukwJLZ1dPY5Kjm2R2bfZ6kQFURtyzEvP6RCTmBP3iGDTjW25a9SG/QOkxUTIyZdjhNJjm/6tP4kINO/VNSKD6sfuSZneobe5rhEn+EfTj/KpXB1p/8cPp5ohdfUak6cYoW+VFRtEfQg1KUUmtYaVbg41e43g99MIy99DzxiIStWd4EUbvuuL984nvWWJkC1ZaAPvjnqXTGFKU9pHWZ9Hq9bS+80MbK2oX94mUaqEiJox+rnzcvjIs+ujdRIjZ2HmHkLM/1BYLRhIpcbjXRJCVswYj95HqoT9Hmywwtit+fwbXNu0FPoCEsFaZ8hCF0+61ALVQLe8bd0ickWfdK7jW+bCGzRL6SNnl1rV5jAYB957bumFqACtWrAZPZFHFC86QMQqP7fqTSFcp4h+Xa3nV6hHuvO69TrwI5hh0FG8785YrPT5PWObdVn+HrXey3rLmDr411Ah7uZxmHXBAx2z6ZNyHTHMDihcEOKw8XPUDYQcyTgaIUbbDmnCya8rx6EE3T1K3A50nQQsDuqUCwRbq0Dpqf+xRaMjc829d59L6WR3pSND9sYTFbFxC3w21WB4GhgHXWPI8mQlzkT8SaIRb0bdstQVJj28QwIqW7ZDhyLa6PdlvcHpnYOsE779h3AusSq5in75+ftVjYrNmiljuztsLasS36/0/ZM9Jklrq2FVNt0B/5XXWLxt4MdY2pEdruo1+p56GmyZPnrC4B+YG8nU4kGu6r7re/f1SgXZFQYJctjREcuq/nAuXAnHvdrWmubHihHABxddce09/BMFiUW2+Y+wrWDcfrOXllTZZ+hjImFDCsFWN+krhE6ID96VmSN2Yam7Yq++JIqR+CXivMt+s8Kc7ZgNEfnUPfsnINBVDZ0nhEpb9iJgu6/0zly67f2M+Zj2nz0brNtOLysDKjcR44wPXzXPzRL+Ck73h3tfPIz9HFbuq23ngNLHHeC44en6CKL2ky2h7bFwTki1BMdalvbR2YKV12jXO5i5zyLpVS1tx9CzB/ejhx5p1dOZHaqaVGmnUO0hxR25YOe+xpNJWUiTWQXKbuOPQ9UYhN2TRKRYR0z2t8BrHw5fWTIleIRj7kDNeKpNMZoVqlY3pAOTE1VhpfxbMoWdPTnaRd01PTHXdCe6xMIFnprqADVKr5xYuFH4+ZG0Vsp2kuVia1RuSWmqCXckbkfYVlQr174/z7zKLzw/+HzmkJuf8ypCmfn+e2cMHruNtMNnoPHtTNqbbCd3A9EsyYVEwuq1EjcdbjvSfbVVfwPkj7onp0Aybov8aJzDIErBWFtmfRKBZaYjP0uXNzest1HyCBW3T/9gw4TtMYHfrJyRdU0/girs/uMp6dnMPrxGTqD9cOoUWUmapYyQuczqvzwT7qThbmnOS9NGjruELJz4HbRJ7rTKXrvSbM/j/VK3r81Svi00TX7M+ytYTeJZMrlPy6QoEtpmDvAcoX1yAQoTaZuK9Q5Srf4+HBBe9TJJkANElx6PFY3Tq/rb8IJKZotp6io2O1v1Ew9/Dg6aNlKE6Z1FV3pBMiQLJXOW/ewGApgSJVK6gMdHEpXel7YxdE1BKf3SadJMiSazuA+ivz0GlI79z9GHel5HJL3l557cBwXoVrzbJ3yRe+HVL0jO4hMnlnWw1X0No06FWB2Q71Fnai5wTftuJLugwSy9SekIV4nFbq8fvOPd1foyr5T6DcxMn2lxTZRJfUx2H7cyDC2IIbIipIbfZQT+W5COG0PstDQuaZfZ9MiDNJA/QjCVgru0XKpYoOmkCdQch0eTVeQUaMBcDbYVJNN+Oxiucac5Y4RA0j0BeFkXa33CUKg2A3d6r7YjsT5dQJpZNgrY0qdMZhBmwQ0HGUKghD8CG4TW4q68kUqZrYHbhSRRZG0T9wd8XZ4eIdQuAR/wxTlfUsztotlw7HItD7VwFu7spPhv/vd1jVaQWxdqXFWSjZFWnUIYYcBAgwAqbA1AGQlKyzEoHFG6nZTflVAZCRmO1Hb5uZh8TMPf3/75r1/9170lm8eFCNV3/cfvWcb0zfZWvIqFQHe1HOchZ9z00zGrsf5VoIZjZ46JPQz6NYBhb31RN0eeARIB3fDq0TS7K3H9ZNgxqcLzHaLDtZUQabAouKISEFoaayhfO3OcKS9wmaTUvo6wluDvR6hbREtpTJIWvr++u9vQim4QbLH5jupltMnWPYLDHZcrHPsmp0EG8X8/eK3q8sr9A7fFkzkzVjv8LHavU2ehrkzRHFkW34bg93t21ajPoVLFqOnZ7sqx2wxXcHmqYvw6y0nVzt2nGVeKl+e+y69Hou9GPLpDuXEvQLqHRf/7euGm8IckQ81ydi3G/wl1oQ+UXajH1cNVnwT1C1cce9zpKtAijrW6K/aKCmWf5tzTG4404bmf33h//a8+ZSJBSXhjxZM0Q3mQUUGz3nnNwiLHGmJRthS0SXTRm2tZT+lsCixWflm/Q0OqI/DAElwSk2FpiuEdvVaRKpOF/JGn2wwp8Ko7b/8/wEAAP//sMlYiA==" } diff --git a/x-pack/filebeat/module/juniper/junos/config/input.yml b/x-pack/filebeat/module/juniper/junos/config/input.yml index 95d8bf8a477..ac3e93cc485 100644 --- a/x-pack/filebeat/module/juniper/junos/config/input.yml +++ b/x-pack/filebeat/module/juniper/junos/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml index 64ad00379f7..bc38869e537 100644 --- a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for Juniper JUNOS processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original @@ -49,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.hostname}}' + allow_duplicates: false + if: ctx?.host?.hostname && ctx.host?.hostname != '' + - append: + field: related.hosts + value: '{{server.domain}}' + allow_duplicates: false + if: ctx?.server?.domain && ctx.server?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/juniper/netscreen/_meta/fields.yml b/x-pack/filebeat/module/juniper/netscreen/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/juniper/netscreen/_meta/fields.yml @@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. + - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. + - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num + overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. + - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. + - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. + - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. + - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/juniper/netscreen/config/input.yml b/x-pack/filebeat/module/juniper/netscreen/config/input.yml new file mode 100644 index 00000000000..0fde2181329 --- /dev/null +++ b/x-pack/filebeat/module/juniper/netscreen/config/input.yml @@ -0,0 +1,45 @@ +{{ if eq .input "file" }} + +type: log +paths: + {{ range $i, $path := .paths }} +- {{$path}} + {{ end }} +exclude_files: [".gz$"] + +{{ else }} + +type: {{.input}} +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +fields_under_root: true +fields: + observer: + vendor: "Juniper" + product: "Netscreen" + type: "Firewall" + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{.rsa_fields}} + tz_offset: {{.tz_offset}} + keep_raw: {{.keep_raw_fields}} + debug: {{.debug}} + files: + - ${path.home}/module/juniper/netscreen/config/liblogparser.js + - ${path.home}/module/juniper/netscreen/config/pipeline.js +{{ if .community_id }} +- community_id: ~ +{{ end }} +- add_fields: + target: '' + fields: + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/juniper/netscreen/config/liblogparser.js b/x-pack/filebeat/module/juniper/netscreen/config/liblogparser.js new file mode 100644 index 00000000000..6cdb48abb26 --- /dev/null +++ b/x-pack/filebeat/module/juniper/netscreen/config/liblogparser.js @@ -0,0 +1,2510 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; +} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], +}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. +function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). +var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} for %{p0}"); + +var dup7 = // "Pattern{Constant('domain address '), Field(domain,true), Constant(' in zone '), Field(p0,false)}" +match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); + +var dup8 = // "Pattern{Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); + +var dup9 = date_time({ + dest: "event_time", + args: ["fld1"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup10 = // "Pattern{Constant('('), Field(fld1,false), Constant(')')}" +match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); + +var dup11 = // "Pattern{Field(fld1,false)}" +match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); + +var dup12 = // "Pattern{Constant('Address '), Field(p0,false)}" +match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); + +var dup13 = // "Pattern{Constant('MIP('), Field(interface,false), Constant(') '), Field(p0,false)}" +match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); + +var dup14 = // "Pattern{Field(group_object,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); + +var dup15 = // "Pattern{Constant('admin '), Field(p0,false)}" +match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); + +var dup16 = // "Pattern{Field(p0,false)}" +match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); + +var dup17 = setc("eventcategory","1502000000"); + +var dup18 = setc("eventcategory","1703000000"); + +var dup19 = setc("eventcategory","1603000000"); + +var dup20 = // "Pattern{Constant('from host '), Field(saddr,true), Constant(' ')}" +match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); + +var dup21 = // "Pattern{}" +match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); + +var dup22 = setc("eventcategory","1502050000"); + +var dup23 = // "Pattern{Constant(''), Field(p0,false)}" +match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); + +var dup24 = // "Pattern{Constant('password '), Field(p0,false)}" +match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); + +var dup25 = // "Pattern{Constant('name '), Field(p0,false)}" +match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); + +var dup26 = // "Pattern{Field(administrator,false)}" +match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); + +var dup27 = setc("eventcategory","1801010000"); + +var dup28 = setc("eventcategory","1401060000"); + +var dup29 = setc("ec_subject","User"); + +var dup30 = setc("ec_activity","Logon"); + +var dup31 = setc("ec_theme","Authentication"); + +var dup32 = setc("ec_outcome","Success"); + +var dup33 = setc("eventcategory","1401070000"); + +var dup34 = setc("ec_activity","Logoff"); + +var dup35 = setc("eventcategory","1303000000"); + +var dup36 = // "Pattern{Field(disposition,false)}" +match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); + +var dup37 = setc("eventcategory","1402020200"); + +var dup38 = setc("ec_theme","UserGroup"); + +var dup39 = setc("ec_outcome","Error"); + +var dup40 = // "Pattern{Constant('via '), Field(p0,false)}" +match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); + +var dup41 = // "Pattern{Field(fld1,false), Constant(')')}" +match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); + +var dup42 = setc("eventcategory","1402020300"); + +var dup43 = setc("ec_activity","Modify"); + +var dup44 = setc("eventcategory","1605000000"); + +var dup45 = // "Pattern{Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(p0,false)}" +match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); + +var dup46 = // "Pattern{Constant('admin '), Field(administrator,true), Constant(' via '), Field(p0,false)}" +match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); + +var dup47 = // "Pattern{Field(username,true), Constant(' via '), Field(p0,false)}" +match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); + +var dup48 = // "Pattern{Constant('NSRP Peer . ('), Field(p0,false)}" +match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); + +var dup49 = // "Pattern{Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); + +var dup50 = setc("eventcategory","1701020000"); + +var dup51 = setc("ec_theme","Configuration"); + +var dup52 = // "Pattern{Constant('changed'), Field(p0,false)}" +match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); + +var dup53 = setc("eventcategory","1301000000"); + +var dup54 = setc("ec_outcome","Failure"); + +var dup55 = // "Pattern{Constant('The '), Field(p0,false)}" +match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); + +var dup56 = // "Pattern{Constant('interface'), Field(p0,false)}" +match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); + +var dup57 = // "Pattern{Constant('Interface'), Field(p0,false)}" +match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); + +var dup58 = setc("eventcategory","1001000000"); + +var dup59 = setc("dclass_counter1_string","Number of times the attack occurred"); + +var dup60 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$OUT"), + field("saddr"), + field("daddr"), + ], +}); + +var dup61 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$OUT"), + field("saddr"), + field("daddr"), + field("sport"), + field("dport"), + ], +}); + +var dup62 = setc("eventcategory","1608010000"); + +var dup63 = // "Pattern{Constant('DNS entries have been '), Field(p0,false)}" +match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); + +var dup64 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(p0,false)}" +match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); + +var dup65 = // "Pattern{Field(zone,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); + +var dup66 = // "Pattern{Field(zone,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); + +var dup67 = // "Pattern{Constant('int '), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); + +var dup68 = // "Pattern{Field(dport,false), Constant(','), Field(p0,false)}" +match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); + +var dup69 = // "Pattern{Field(dport,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); + +var dup70 = // "Pattern{Field(space,false), Constant('using protocol '), Field(p0,false)}" +match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); + +var dup71 = // "Pattern{Field(protocol,false), Constant(','), Field(p0,false)}" +match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); + +var dup72 = // "Pattern{Field(protocol,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); + +var dup73 = // "Pattern{Constant('. '), Field(p0,false)}" +match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); + +var dup74 = // "Pattern{Field(fld2,false), Constant(': SYN '), Field(p0,false)}" +match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); + +var dup75 = // "Pattern{Constant('SYN '), Field(p0,false)}" +match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); + +var dup76 = // "Pattern{Constant('timeout value '), Field(p0,false)}" +match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); + +var dup77 = // "Pattern{Constant('destination '), Field(p0,false)}" +match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); + +var dup78 = // "Pattern{Constant('source '), Field(p0,false)}" +match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); + +var dup79 = // "Pattern{Constant('A '), Field(p0,false)}" +match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); + +var dup80 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + +var dup81 = // "Pattern{Constant(', int '), Field(p0,false)}" +match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); + +var dup82 = // "Pattern{Constant('int '), Field(p0,false)}" +match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); + +var dup83 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); + +var dup84 = setc("eventcategory","1002020000"); + +var dup85 = setc("eventcategory","1002000000"); + +var dup86 = setc("eventcategory","1603110000"); + +var dup87 = // "Pattern{Constant('HA '), Field(p0,false)}" +match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); + +var dup88 = // "Pattern{Constant('encryption '), Field(p0,false)}" +match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); + +var dup89 = // "Pattern{Constant('authentication '), Field(p0,false)}" +match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); + +var dup90 = // "Pattern{Constant('key '), Field(p0,false)}" +match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); + +var dup91 = setc("eventcategory","1613040200"); + +var dup92 = // "Pattern{Constant('disabled'), Field(,false)}" +match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); + +var dup93 = // "Pattern{Constant('set to '), Field(trigger_val,false)}" +match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); + +var dup94 = // "Pattern{Constant('up'), Field(,false)}" +match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); + +var dup95 = // "Pattern{Constant('down'), Field(,false)}" +match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); + +var dup96 = // "Pattern{Constant(' '), Field(p0,false)}" +match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); + +var dup97 = setc("eventcategory","1613050200"); + +var dup98 = // "Pattern{Constant('set'), Field(,false)}" +match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); + +var dup99 = // "Pattern{Constant('unset'), Field(,false)}" +match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); + +var dup100 = // "Pattern{Constant('undefined '), Field(p0,false)}" +match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); + +var dup101 = // "Pattern{Constant('set '), Field(p0,false)}" +match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); + +var dup102 = // "Pattern{Constant('active '), Field(p0,false)}" +match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); + +var dup103 = // "Pattern{Constant('to '), Field(p0,false)}" +match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); + +var dup104 = // "Pattern{Constant('created '), Field(p0,false)}" +match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); + +var dup105 = // "Pattern{Constant(', '), Field(p0,false)}" +match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); + +var dup106 = // "Pattern{Constant('is '), Field(p0,false)}" +match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); + +var dup107 = // "Pattern{Constant('was '), Field(p0,false)}" +match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); + +var dup108 = // "Pattern{Constant(''), Field(fld2,false)}" +match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); + +var dup109 = // "Pattern{Constant('threshold '), Field(p0,false)}" +match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); + +var dup110 = // "Pattern{Constant('interval '), Field(p0,false)}" +match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); + +var dup111 = // "Pattern{Constant('of '), Field(p0,false)}" +match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); + +var dup112 = // "Pattern{Constant('that '), Field(p0,false)}" +match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); + +var dup113 = // "Pattern{Constant('Zone '), Field(p0,false)}" +match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); + +var dup114 = // "Pattern{Constant('Interface '), Field(p0,false)}" +match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); + +var dup115 = // "Pattern{Constant('n '), Field(p0,false)}" +match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); + +var dup116 = // "Pattern{Constant('.'), Field(,false)}" +match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); + +var dup117 = setc("eventcategory","1603090000"); + +var dup118 = // "Pattern{Constant('for '), Field(p0,false)}" +match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); + +var dup119 = // "Pattern{Constant('the '), Field(p0,false)}" +match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); + +var dup120 = // "Pattern{Constant('removed '), Field(p0,false)}" +match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); + +var dup121 = setc("eventcategory","1603030000"); + +var dup122 = // "Pattern{Constant('interface '), Field(p0,false)}" +match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); + +var dup123 = // "Pattern{Constant('the interface '), Field(p0,false)}" +match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); + +var dup124 = // "Pattern{Field(interface,false)}" +match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); + +var dup125 = // "Pattern{Constant('s '), Field(p0,false)}" +match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); + +var dup126 = // "Pattern{Constant('on interface '), Field(interface,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); + +var dup127 = // "Pattern{Constant('has been '), Field(p0,false)}" +match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); + +var dup128 = // "Pattern{Constant(''), Field(disposition,false), Constant('.')}" +match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); + +var dup129 = // "Pattern{Constant('removed from '), Field(p0,false)}" +match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); + +var dup130 = // "Pattern{Constant('added to '), Field(p0,false)}" +match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); + +var dup131 = // "Pattern{Constant(''), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. (%{fld1})"); + +var dup132 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); + +var dup133 = // "Pattern{Constant('Interface '), Field(p0,false)}" +match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); + +var dup134 = // "Pattern{Constant('set to '), Field(fld2,false)}" +match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); + +var dup135 = // "Pattern{Constant('gateway '), Field(p0,false)}" +match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); + +var dup136 = // "Pattern{Field(,true), Constant(' '), Field(disposition,false)}" +match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); + +var dup137 = // "Pattern{Constant('port number '), Field(p0,false)}" +match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); + +var dup138 = // "Pattern{Constant('has been '), Field(disposition,false)}" +match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); + +var dup139 = // "Pattern{Constant('IP '), Field(p0,false)}" +match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); + +var dup140 = // "Pattern{Constant('port '), Field(p0,false)}" +match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); + +var dup141 = setc("eventcategory","1702030000"); + +var dup142 = // "Pattern{Constant('up '), Field(p0,false)}" +match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); + +var dup143 = // "Pattern{Constant('down '), Field(p0,false)}" +match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); + +var dup144 = setc("eventcategory","1601000000"); + +var dup145 = // "Pattern{Constant('('), Field(fld1,false), Constant(') ')}" +match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); + +var dup146 = date_time({ + dest: "event_time", + args: ["fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup147 = setc("eventcategory","1103000000"); + +var dup148 = setc("ec_subject","NetworkComm"); + +var dup149 = setc("ec_activity","Scan"); + +var dup150 = setc("ec_theme","TEV"); + +var dup151 = setc("eventcategory","1103010000"); + +var dup152 = // "Pattern{Constant(': '), Field(p0,false)}" +match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); + +var dup153 = // "Pattern{Constant('IP '), Field(p0,false)}" +match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); + +var dup154 = // "Pattern{Constant('address pool '), Field(p0,false)}" +match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); + +var dup155 = // "Pattern{Constant('pool '), Field(p0,false)}" +match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); + +var dup156 = // "Pattern{Constant('enabled '), Field(p0,false)}" +match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); + +var dup157 = // "Pattern{Constant('disabled '), Field(p0,false)}" +match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); + +var dup158 = // "Pattern{Constant('AH '), Field(p0,false)}" +match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); + +var dup159 = // "Pattern{Constant('ESP '), Field(p0,false)}" +match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); + +var dup160 = // "Pattern{Constant('’'), Field(p0,false)}" +match("MESSAGE#347:00018:02/1_0", "nwparser.p0", "’%{p0}"); + +var dup161 = // "Pattern{Constant('&'), Field(p0,false)}" +match("MESSAGE#347:00018:02/1_1", "nwparser.p0", "\u0026%{p0}"); + +var dup162 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); + +var dup163 = // "Pattern{Constant('Source'), Field(p0,false)}" +match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); + +var dup164 = // "Pattern{Constant('Destination'), Field(p0,false)}" +match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); + +var dup165 = // "Pattern{Constant('from '), Field(p0,false)}" +match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); + +var dup166 = // "Pattern{Constant('policy ID '), Field(policy_id,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer . ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); + +var dup167 = // "Pattern{Constant('Attempt to enable '), Field(p0,false)}" +match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); + +var dup168 = // "Pattern{Constant('traffic logging via syslog '), Field(p0,false)}" +match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); + +var dup169 = // "Pattern{Constant('syslog '), Field(p0,false)}" +match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); + +var dup170 = // "Pattern{Constant('Syslog '), Field(p0,false)}" +match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); + +var dup171 = // "Pattern{Constant('host '), Field(p0,false)}" +match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); + +var dup172 = // "Pattern{Constant('domain name '), Field(p0,false)}" +match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); + +var dup173 = // "Pattern{Constant('has been changed to '), Field(fld2,false)}" +match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); + +var dup174 = // "Pattern{Constant('security facility '), Field(p0,false)}" +match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); + +var dup175 = // "Pattern{Constant('facility '), Field(p0,false)}" +match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); + +var dup176 = // "Pattern{Constant('local0'), Field(,false)}" +match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); + +var dup177 = // "Pattern{Constant('local1'), Field(,false)}" +match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); + +var dup178 = // "Pattern{Constant('local2'), Field(,false)}" +match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); + +var dup179 = // "Pattern{Constant('local3'), Field(,false)}" +match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); + +var dup180 = // "Pattern{Constant('local4'), Field(,false)}" +match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); + +var dup181 = // "Pattern{Constant('local5'), Field(,false)}" +match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); + +var dup182 = // "Pattern{Constant('local6'), Field(,false)}" +match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); + +var dup183 = // "Pattern{Constant('local7'), Field(,false)}" +match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); + +var dup184 = // "Pattern{Constant('auth/sec'), Field(,false)}" +match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); + +var dup185 = // "Pattern{Field(fld2,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); + +var dup186 = setc("eventcategory","1603020000"); + +var dup187 = setc("eventcategory","1803000000"); + +var dup188 = // "Pattern{Constant('All '), Field(p0,false)}" +match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); + +var dup189 = setc("eventcategory","1603010000"); + +var dup190 = setc("eventcategory","1603100000"); + +var dup191 = // "Pattern{Constant('primary '), Field(p0,false)}" +match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); + +var dup192 = // "Pattern{Constant('secondary '), Field(p0,false)}" +match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); + +var dup193 = // "Pattern{Constant('t '), Field(p0,false)}" +match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); + +var dup194 = // "Pattern{Constant('w '), Field(p0,false)}" +match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); + +var dup195 = // "Pattern{Constant('server '), Field(p0,false)}" +match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); + +var dup196 = // "Pattern{Constant('has '), Field(p0,false)}" +match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); + +var dup197 = // "Pattern{Constant('SCS'), Field(p0,false)}" +match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); + +var dup198 = // "Pattern{Constant('bound to '), Field(p0,false)}" +match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); + +var dup199 = // "Pattern{Constant('unbound from '), Field(p0,false)}" +match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); + +var dup200 = setc("eventcategory","1801030000"); + +var dup201 = setc("eventcategory","1302010200"); + +var dup202 = // "Pattern{Constant('PKA RSA '), Field(p0,false)}" +match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); + +var dup203 = // "Pattern{Constant('unbind '), Field(p0,false)}" +match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); + +var dup204 = // "Pattern{Constant('PKA key '), Field(p0,false)}" +match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); + +var dup205 = setc("eventcategory","1304000000"); + +var dup206 = // "Pattern{Constant('Multiple login failures '), Field(p0,false)}" +match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); + +var dup207 = // "Pattern{Constant('occurred for '), Field(p0,false)}" +match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); + +var dup208 = setc("eventcategory","1401030000"); + +var dup209 = // "Pattern{Constant('aborted'), Field(,false)}" +match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); + +var dup210 = // "Pattern{Constant('performed'), Field(,false)}" +match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); + +var dup211 = setc("eventcategory","1605020000"); + +var dup212 = // "Pattern{Constant('IP pool of DHCP server on '), Field(p0,false)}" +match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); + +var dup213 = setc("ec_subject","Certificate"); + +var dup214 = // "Pattern{Constant('certificate '), Field(p0,false)}" +match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); + +var dup215 = // "Pattern{Constant('CRL '), Field(p0,false)}" +match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); + +var dup216 = // "Pattern{Constant('auto '), Field(p0,false)}" +match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); + +var dup217 = // "Pattern{Constant('RSA '), Field(p0,false)}" +match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); + +var dup218 = // "Pattern{Constant('DSA '), Field(p0,false)}" +match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); + +var dup219 = // "Pattern{Constant('key pair.'), Field(,false)}" +match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); + +var dup220 = setc("ec_subject","CryptoKey"); + +var dup221 = setc("ec_subject","Configuration"); + +var dup222 = setc("ec_activity","Request"); + +var dup223 = // "Pattern{Constant('FIPS test for '), Field(p0,false)}" +match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); + +var dup224 = // "Pattern{Constant('ECDSA '), Field(p0,false)}" +match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); + +var dup225 = setc("eventcategory","1612000000"); + +var dup226 = // "Pattern{Constant('yes '), Field(p0,false)}" +match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); + +var dup227 = // "Pattern{Constant('no '), Field(p0,false)}" +match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); + +var dup228 = // "Pattern{Constant('location '), Field(p0,false)}" +match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); + +var dup229 = // "Pattern{Field(,true), Constant(' '), Field(interface,false)}" +match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); + +var dup230 = // "Pattern{Constant('arp re'), Field(p0,false)}" +match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); + +var dup231 = // "Pattern{Constant('q '), Field(p0,false)}" +match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); + +var dup232 = // "Pattern{Constant('ply '), Field(p0,false)}" +match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); + +var dup233 = // "Pattern{Field(interface,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); + +var dup234 = setc("eventcategory","1201000000"); + +var dup235 = // "Pattern{Constant('Global PRO '), Field(p0,false)}" +match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); + +var dup236 = // "Pattern{Field(fld3,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); + +var dup237 = // "Pattern{Constant('NACN Policy Manager '), Field(p0,false)}" +match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); + +var dup238 = // "Pattern{Constant('1 '), Field(p0,false)}" +match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); + +var dup239 = // "Pattern{Constant('2 '), Field(p0,false)}" +match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); + +var dup240 = // "Pattern{Constant('unset '), Field(p0,false)}" +match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); + +var dup241 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + +var dup242 = setc("eventcategory","1401000000"); + +var dup243 = // "Pattern{Constant('SSH '), Field(p0,false)}" +match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); + +var dup244 = // "Pattern{Constant('SCS: NetScreen '), Field(p0,false)}" +match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); + +var dup245 = // "Pattern{Constant('NetScreen '), Field(p0,false)}" +match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); + +var dup246 = // "Pattern{Constant('S'), Field(p0,false)}" +match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); + +var dup247 = // "Pattern{Constant('CS: SSH'), Field(p0,false)}" +match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); + +var dup248 = // "Pattern{Constant('SH'), Field(p0,false)}" +match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); + +var dup249 = // "Pattern{Constant('the root system '), Field(p0,false)}" +match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); + +var dup250 = // "Pattern{Constant('vsys '), Field(fld2,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); + +var dup251 = // "Pattern{Constant('CS: SSH '), Field(p0,false)}" +match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); + +var dup252 = // "Pattern{Constant('SH '), Field(p0,false)}" +match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); + +var dup253 = // "Pattern{Constant('a '), Field(p0,false)}" +match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); + +var dup254 = // "Pattern{Constant('ert '), Field(p0,false)}" +match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); + +var dup255 = // "Pattern{Constant('SSL '), Field(p0,false)}" +match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); + +var dup256 = setc("eventcategory","1608000000"); + +var dup257 = // "Pattern{Constant('id: '), Field(p0,false)}" +match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); + +var dup258 = // "Pattern{Constant('ID '), Field(p0,false)}" +match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); + +var dup259 = // "Pattern{Constant('permit '), Field(p0,false)}" +match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); + +var dup260 = // "Pattern{Constant('IGMP '), Field(p0,false)}" +match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); + +var dup261 = // "Pattern{Constant('IGMP will '), Field(p0,false)}" +match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); + +var dup262 = // "Pattern{Constant('not do '), Field(p0,false)}" +match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); + +var dup263 = // "Pattern{Constant('do '), Field(p0,false)}" +match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); + +var dup264 = // "Pattern{Constant('shut down '), Field(p0,false)}" +match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); + +var dup265 = // "Pattern{Constant('NSRP: '), Field(p0,false)}" +match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); + +var dup266 = // "Pattern{Constant('Unit '), Field(p0,false)}" +match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); + +var dup267 = // "Pattern{Constant('local unit= '), Field(p0,false)}" +match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); + +var dup268 = // "Pattern{Field(fld2,true), Constant(' of VSD group '), Field(group,true), Constant(' '), Field(info,false)}" +match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); + +var dup269 = // "Pattern{Constant('The local device '), Field(fld2,true), Constant(' in the Virtual Sec'), Field(p0,false)}" +match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); + +var dup270 = // "Pattern{Constant('ruity'), Field(p0,false)}" +match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); + +var dup271 = // "Pattern{Constant('urity'), Field(p0,false)}" +match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); + +var dup272 = // "Pattern{Field(,false), Constant('Device group '), Field(group,true), Constant(' changed state')}" +match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); + +var dup273 = // "Pattern{Constant(''), Field(fld2,true), Constant(' of VSD group '), Field(group,true), Constant(' '), Field(info,false)}" +match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); + +var dup274 = setc("eventcategory","1805010000"); + +var dup275 = setc("eventcategory","1805000000"); + +var dup276 = date_time({ + dest: "starttime", + args: ["fld2"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup277 = call({ + dest: "nwparser.bytes", + fn: CALC, + args: [ + field("sbytes"), + constant("+"), + field("rbytes"), + ], +}); + +var dup278 = setc("action","Deny"); + +var dup279 = setc("disposition","Deny"); + +var dup280 = setc("direction","outgoing"); + +var dup281 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$IN"), + field("saddr"), + field("daddr"), + field("sport"), + field("dport"), + ], +}); + +var dup282 = setc("direction","incoming"); + +var dup283 = setc("eventcategory","1801000000"); + +var dup284 = setf("action","disposition"); + +var dup285 = // "Pattern{Constant('start_time='), Field(p0,false)}" +match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); + +var dup286 = // "Pattern{Constant('\"'), Field(fld2,false), Constant('\"'), Field(p0,false)}" +match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); + +var dup287 = // "Pattern{Constant(' "'), Field(fld2,false), Constant('" '), Field(p0,false)}" +match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); + +var dup288 = // "Pattern{Field(daddr,false)}" +match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); + +var dup289 = // "Pattern{Constant('Admin '), Field(p0,false)}" +match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); + +var dup290 = // "Pattern{Constant('Vsys admin '), Field(p0,false)}" +match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); + +var dup291 = // "Pattern{Constant('Telnet '), Field(p0,false)}" +match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); + +var dup292 = setc("eventcategory","1401050200"); + +var dup293 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$IN"), + field("daddr"), + field("saddr"), + ], +}); + +var dup294 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$IN"), + field("daddr"), + field("saddr"), + field("dport"), + field("sport"), + ], +}); + +var dup295 = // "Pattern{Constant(''), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times.')}" +match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); + +var dup296 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times.')}" +match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); + +var dup297 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times.'), Field(p0,false)}" +match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); + +var dup298 = // "Pattern{Field(obj_type,true), Constant(' '), Field(disposition,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + +var dup299 = setc("eventcategory","1204000000"); + +var dup300 = // "Pattern{Field(signame,true), Constant(' '), Field(disposition,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + +var dup301 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(p0,false)}" +match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); + +var dup302 = // "Pattern{Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); + +var dup303 = setc("eventcategory","1801020000"); + +var dup304 = setc("disposition","failed"); + +var dup305 = // "Pattern{Constant('ut '), Field(p0,false)}" +match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); + +var dup306 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); + +var dup307 = // "Pattern{Constant('user '), Field(p0,false)}" +match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); + +var dup308 = // "Pattern{Constant('the '), Field(logon_type,false)}" +match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); + +var dup309 = // "Pattern{Constant('WebAuth user '), Field(p0,false)}" +match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); + +var dup310 = // "Pattern{Constant('backup1 '), Field(p0,false)}" +match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); + +var dup311 = // "Pattern{Constant('backup2 '), Field(p0,false)}" +match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); + +var dup312 = // "Pattern{Constant(','), Field(p0,false)}" +match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); + +var dup313 = // "Pattern{Constant('assigned '), Field(p0,false)}" +match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); + +var dup314 = // "Pattern{Constant('assigned to '), Field(p0,false)}" +match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); + +var dup315 = setc("eventcategory","1803020000"); + +var dup316 = setc("eventcategory","1613030000"); + +var dup317 = // "Pattern{Constant('''), Field(administrator,false), Constant('' '), Field(p0,false)}" +match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); + +var dup318 = // "Pattern{Constant('SSH: P'), Field(p0,false)}" +match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); + +var dup319 = // "Pattern{Constant('KA '), Field(p0,false)}" +match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); + +var dup320 = // "Pattern{Constant('assword '), Field(p0,false)}" +match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); + +var dup321 = // "Pattern{Constant('\''), Field(administrator,false), Constant('\' '), Field(p0,false)}" +match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); + +var dup322 = // "Pattern{Constant('at host '), Field(saddr,false)}" +match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); + +var dup323 = // "Pattern{Field(,false), Constant('S'), Field(p0,false)}" +match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); + +var dup324 = // "Pattern{Constant('CS '), Field(p0,false)}" +match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); + +var dup325 = setc("event_description","Cannot connect to NSM server"); + +var dup326 = setc("eventcategory","1603040000"); + +var dup327 = // "Pattern{Constant('from server.ini file.'), Field(,false)}" +match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); + +var dup328 = // "Pattern{Constant('pattern '), Field(p0,false)}" +match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); + +var dup329 = // "Pattern{Constant('server.ini '), Field(p0,false)}" +match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); + +var dup330 = // "Pattern{Constant('file.'), Field(,false)}" +match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); + +var dup331 = // "Pattern{Constant('AV pattern '), Field(p0,false)}" +match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); + +var dup332 = // "Pattern{Constant('added into '), Field(p0,false)}" +match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); + +var dup333 = // "Pattern{Constant('loader '), Field(p0,false)}" +match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); + +var dup334 = call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$OUT"), + field("daddr"), + field("saddr"), + field("dport"), + field("sport"), + ], +}); + +var dup335 = linear_select([ + dup10, + dup11, +]); + +var dup336 = // "Pattern{Constant('Policy ID='), Field(policy_id,true), Constant(' Rate='), Field(fld2,true), Constant(' exceeds threshold')}" +match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var dup337 = linear_select([ + dup13, + dup14, +]); + +var dup338 = linear_select([ + dup15, + dup16, +]); + +var dup339 = linear_select([ + dup56, + dup57, +]); + +var dup340 = linear_select([ + dup65, + dup66, +]); + +var dup341 = linear_select([ + dup68, + dup69, +]); + +var dup342 = linear_select([ + dup71, + dup72, +]); + +var dup343 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(interface,false), Constant(')')}" +match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, +])); + +var dup344 = linear_select([ + dup74, + dup75, +]); + +var dup345 = linear_select([ + dup81, + dup82, +]); + +var dup346 = linear_select([ + dup24, + dup90, +]); + +var dup347 = linear_select([ + dup94, + dup95, +]); + +var dup348 = linear_select([ + dup98, + dup99, +]); + +var dup349 = linear_select([ + dup100, + dup101, + dup102, +]); + +var dup350 = linear_select([ + dup113, + dup114, +]); + +var dup351 = linear_select([ + dup111, + dup16, +]); + +var dup352 = linear_select([ + dup127, + dup107, +]); + +var dup353 = linear_select([ + dup8, + dup21, +]); + +var dup354 = linear_select([ + dup122, + dup133, +]); + +var dup355 = linear_select([ + dup142, + dup143, +]); + +var dup356 = linear_select([ + dup145, + dup21, +]); + +var dup357 = linear_select([ + dup127, + dup106, +]); + +var dup358 = linear_select([ + dup152, + dup96, +]); + +var dup359 = linear_select([ + dup154, + dup155, +]); + +var dup360 = linear_select([ + dup156, + dup157, +]); + +var dup361 = linear_select([ + dup99, + dup134, +]); + +var dup362 = linear_select([ + dup158, + dup159, +]); + +var dup363 = linear_select([ + dup160, + dup161, +]); + +var dup364 = linear_select([ + dup163, + dup164, +]); + +var dup365 = linear_select([ + dup165, + dup103, +]); + +var dup366 = linear_select([ + dup164, + dup163, +]); + +var dup367 = linear_select([ + dup46, + dup47, +]); + +var dup368 = linear_select([ + dup168, + dup169, +]); + +var dup369 = linear_select([ + dup174, + dup175, +]); + +var dup370 = linear_select([ + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, +]); + +var dup371 = linear_select([ + dup49, + dup21, +]); + +var dup372 = linear_select([ + dup191, + dup192, +]); + +var dup373 = linear_select([ + dup96, + dup152, +]); + +var dup374 = linear_select([ + dup198, + dup199, +]); + +var dup375 = linear_select([ + dup24, + dup202, +]); + +var dup376 = linear_select([ + dup103, + dup165, +]); + +var dup377 = linear_select([ + dup207, + dup118, +]); + +var dup378 = // "Pattern{Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var dup379 = linear_select([ + dup214, + dup215, +]); + +var dup380 = linear_select([ + dup217, + dup218, +]); + +var dup381 = linear_select([ + dup224, + dup217, +]); + +var dup382 = linear_select([ + dup226, + dup227, +]); + +var dup383 = linear_select([ + dup233, + dup124, +]); + +var dup384 = linear_select([ + dup231, + dup232, +]); + +var dup385 = linear_select([ + dup235, + dup236, +]); + +var dup386 = linear_select([ + dup238, + dup239, +]); + +var dup387 = linear_select([ + dup244, + dup245, +]); + +var dup388 = linear_select([ + dup247, + dup248, +]); + +var dup389 = linear_select([ + dup249, + dup250, +]); + +var dup390 = linear_select([ + dup251, + dup252, +]); + +var dup391 = linear_select([ + dup253, + dup254, +]); + +var dup392 = linear_select([ + dup262, + dup263, +]); + +var dup393 = linear_select([ + dup266, + dup267, +]); + +var dup394 = linear_select([ + dup270, + dup271, +]); + +var dup395 = // "Pattern{Constant('The local device '), Field(fld2,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' '), Field(info,false)}" +match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var dup396 = linear_select([ + dup286, + dup287, +]); + +var dup397 = linear_select([ + dup289, + dup290, +]); + +var dup398 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" +match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup60, +])); + +var dup399 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to zone '), Field(zone,false), Constant(', proto '), Field(protocol,true), Constant(' (int '), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup4, + dup59, + dup5, + dup9, + dup2, + dup3, + dup60, +])); + +var dup400 = linear_select([ + dup302, + dup26, +]); + +var dup401 = linear_select([ + dup115, + dup305, +]); + +var dup402 = linear_select([ + dup125, + dup96, +]); + +var dup403 = linear_select([ + dup191, + dup310, + dup311, +]); + +var dup404 = linear_select([ + dup312, + dup16, +]); + +var dup405 = linear_select([ + dup319, + dup320, +]); + +var dup406 = linear_select([ + dup321, + dup317, +]); + +var dup407 = linear_select([ + dup324, + dup252, +]); + +var dup408 = linear_select([ + dup329, + dup331, +]); + +var dup409 = linear_select([ + dup332, + dup129, +]); + +var dup410 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" +match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup276, + dup3, + dup277, + dup60, + dup284, +])); + +var dup411 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" +match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup187, + dup2, + dup4, + dup5, + dup276, + dup3, + dup277, + dup278, + dup279, + dup60, +])); + +var dup412 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" +match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup276, + dup3, + dup277, + dup60, + dup284, +])); + +var dup413 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" +match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup187, + dup2, + dup4, + dup5, + dup276, + dup3, + dup277, + dup278, + dup279, + dup61, +])); + +var dup414 = all_match({ + processors: [ + dup265, + dup393, + dup268, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var dup415 = all_match({ + processors: [ + dup269, + dup394, + dup272, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var dup416 = all_match({ + processors: [ + dup80, + dup345, + dup295, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), +}); + +var dup417 = all_match({ + processors: [ + dup298, + dup345, + dup131, + ], + on_success: processor_chain([ + dup299, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup61, + ]), +}); + +var dup418 = all_match({ + processors: [ + dup300, + dup345, + dup131, + ], + on_success: processor_chain([ + dup299, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup61, + ]), +}); + +var hdr1 = // "Pattern{Field(hfld1,false), Constant(': NetScreen device_id='), Field(hfld2,true), Constant(' [No Name]system-'), Field(hseverity,false), Constant('-'), Field(messageid,false), Constant('('), Field(hfld3,false), Constant('): '), Field(payload,false)}" +match("HEADER#0:0001", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [No Name]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ + setc("header_id","0001"), +])); + +var hdr2 = // "Pattern{Field(hfld1,false), Constant(': NetScreen device_id='), Field(hfld2,true), Constant(' ['), Field(hvsys,false), Constant(']system-'), Field(hseverity,false), Constant('-'), Field(messageid,false), Constant('('), Field(hfld3,false), Constant('): '), Field(payload,false)}" +match("HEADER#1:0003", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} [%{hvsys}]system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ + setc("header_id","0003"), +])); + +var hdr3 = // "Pattern{Field(hfld1,false), Constant(': NetScreen device_id='), Field(hfld2,true), Constant(' system-'), Field(hseverity,false), Constant('-'), Field(messageid,false), Constant('('), Field(hfld3,false), Constant('): '), Field(payload,false)}" +match("HEADER#2:0004", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} system-%{hseverity}-%{messageid}(%{hfld3}): %{payload}", processor_chain([ + setc("header_id","0004"), +])); + +var hdr4 = // "Pattern{Field(hfld1,false), Constant(': NetScreen device_id='), Field(hfld2,true), Constant(' '), Field(p0,false)}" +match("HEADER#3:0002/0", "message", "%{hfld1}: NetScreen device_id=%{hfld2->} %{p0}"); + +var part1 = // "Pattern{Constant('[No Name]system'), Field(p0,false)}" +match("HEADER#3:0002/1_0", "nwparser.p0", "[No Name]system%{p0}"); + +var part2 = // "Pattern{Constant('['), Field(hvsys,false), Constant(']system'), Field(p0,false)}" +match("HEADER#3:0002/1_1", "nwparser.p0", "[%{hvsys}]system%{p0}"); + +var part3 = // "Pattern{Constant('system'), Field(p0,false)}" +match("HEADER#3:0002/1_2", "nwparser.p0", "system%{p0}"); + +var select1 = linear_select([ + part1, + part2, + part3, +]); + +var part4 = // "Pattern{Constant('-'), Field(hseverity,false), Constant('-'), Field(messageid,false), Constant(': '), Field(payload,false)}" +match("HEADER#3:0002/2", "nwparser.p0", "-%{hseverity}-%{messageid}: %{payload}"); + +var all1 = all_match({ + processors: [ + hdr4, + select1, + part4, + ], + on_success: processor_chain([ + setc("header_id","0002"), + ]), +}); + +var select2 = linear_select([ + hdr1, + hdr2, + hdr3, + all1, +]); + +var part5 = // "Pattern{Field(zone,true), Constant(' address '), Field(interface,true), Constant(' with ip address '), Field(hostip,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#0:00001", "nwparser.payload", "%{zone->} address %{interface->} with ip address %{hostip->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1 = msg("00001", part5); + +var part6 = // "Pattern{Field(zone,true), Constant(' address '), Field(interface,true), Constant(' with domain name '), Field(domain,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#1:00001:01", "nwparser.payload", "%{zone->} address %{interface->} with domain name %{domain->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg2 = msg("00001:01", part6); + +var part7 = // "Pattern{Constant('ip address '), Field(hostip,true), Constant(' in zone '), Field(p0,false)}" +match("MESSAGE#2:00001:02/1_0", "nwparser.p0", "ip address %{hostip->} in zone %{p0}"); + +var select3 = linear_select([ + part7, + dup7, +]); + +var part8 = // "Pattern{Field(zone,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#2:00001:02/2", "nwparser.p0", "%{zone->} has been %{disposition}"); + +var all2 = all_match({ + processors: [ + dup6, + select3, + part8, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg3 = msg("00001:02", all2); + +var part9 = // "Pattern{Constant('arp entry '), Field(hostip,true), Constant(' interface changed!')}" +match("MESSAGE#3:00001:03", "nwparser.payload", "arp entry %{hostip->} interface changed!", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg4 = msg("00001:03", part9); + +var part10 = // "Pattern{Constant('IP address '), Field(hostip,true), Constant(' in zone '), Field(p0,false)}" +match("MESSAGE#4:00001:04/1_0", "nwparser.p0", "IP address %{hostip->} in zone %{p0}"); + +var select4 = linear_select([ + part10, + dup7, +]); + +var part11 = // "Pattern{Field(zone,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' session'), Field(p0,false)}" +match("MESSAGE#4:00001:04/2", "nwparser.p0", "%{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} session%{p0}"); + +var part12 = // "Pattern{Constant('.'), Field(fld1,false)}" +match("MESSAGE#4:00001:04/3_1", "nwparser.p0", ".%{fld1}"); + +var select5 = linear_select([ + dup8, + part12, +]); + +var all3 = all_match({ + processors: [ + dup6, + select4, + part11, + select5, + ], + on_success: processor_chain([ + dup1, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg5 = msg("00001:04", all3); + +var part13 = // "Pattern{Field(fld2,false), Constant(': Address '), Field(group_object,true), Constant(' for ip address '), Field(hostip,true), Constant(' in zone '), Field(zone,true), Constant(' has been '), Field(disposition,true), Constant(' from host '), Field(saddr,true), Constant(' session '), Field(p0,false)}" +match("MESSAGE#5:00001:05/0", "nwparser.payload", "%{fld2}: Address %{group_object->} for ip address %{hostip->} in zone %{zone->} has been %{disposition->} from host %{saddr->} session %{p0}"); + +var all4 = all_match({ + processors: [ + part13, + dup335, + ], + on_success: processor_chain([ + dup1, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg6 = msg("00001:05", all4); + +var part14 = // "Pattern{Constant('Address group '), Field(group_object,true), Constant(' '), Field(info,false)}" +match("MESSAGE#6:00001:06", "nwparser.payload", "Address group %{group_object->} %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg7 = msg("00001:06", part14); + +var msg8 = msg("00001:07", dup336); + +var part15 = // "Pattern{Constant('for IP address '), Field(hostip,false), Constant('/'), Field(mask,true), Constant(' in zone '), Field(zone,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(p0,false)}" +match("MESSAGE#8:00001:08/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{p0}"); + +var part16 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('via NSRP Peer session. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#8:00001:08/4", "nwparser.p0", "%{} %{username}via NSRP Peer session. (%{fld1})"); + +var all5 = all_match({ + processors: [ + dup12, + dup337, + part15, + dup338, + part16, + ], + on_success: processor_chain([ + dup1, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg9 = msg("00001:08", all5); + +var part17 = // "Pattern{Constant('for IP address '), Field(hostip,false), Constant('/'), Field(mask,true), Constant(' in zone '), Field(zone,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' session. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#9:00001:09/2", "nwparser.p0", "for IP address %{hostip}/%{mask->} in zone %{zone->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} session. (%{fld1})"); + +var all6 = all_match({ + processors: [ + dup12, + dup337, + part17, + ], + on_success: processor_chain([ + dup1, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg10 = msg("00001:09", all6); + +var select6 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, +]); + +var part18 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#10:00002:03", "nwparser.payload", "Admin user %{administrator->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg11 = msg("00002:03", part18); + +var part19 = // "Pattern{Constant('E-mail address '), Field(user_address,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#11:00002:04", "nwparser.payload", "E-mail address %{user_address->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg12 = msg("00002:04", part19); + +var part20 = // "Pattern{Constant('E-mail notification has been '), Field(disposition,false)}" +match("MESSAGE#12:00002:05", "nwparser.payload", "E-mail notification has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg13 = msg("00002:05", part20); + +var part21 = // "Pattern{Constant('Inclusion of traffic logs with e-mail notification of event alarms has been '), Field(disposition,false)}" +match("MESSAGE#13:00002:06", "nwparser.payload", "Inclusion of traffic logs with e-mail notification of event alarms has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg14 = msg("00002:06", part21); + +var part22 = // "Pattern{Constant('LCD display has been '), Field(action,true), Constant(' and the LCD control keys have been '), Field(disposition,false)}" +match("MESSAGE#14:00002:07", "nwparser.payload", "LCD display has been %{action->} and the LCD control keys have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg15 = msg("00002:07", part22); + +var part23 = // "Pattern{Constant('HTTP component blocking for '), Field(fld2,true), Constant(' is '), Field(disposition,true), Constant(' on zone '), Field(zone,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#15:00002:55", "nwparser.payload", "HTTP component blocking for %{fld2->} is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, +])); + +var msg16 = msg("00002:55", part23); + +var part24 = // "Pattern{Constant('LCD display has been '), Field(disposition,false)}" +match("MESSAGE#16:00002:08", "nwparser.payload", "LCD display has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg17 = msg("00002:08", part24); + +var part25 = // "Pattern{Constant('LCD control keys have been '), Field(disposition,false)}" +match("MESSAGE#17:00002:09", "nwparser.payload", "LCD control keys have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg18 = msg("00002:09", part25); + +var part26 = // "Pattern{Constant('Mail server '), Field(hostip,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#18:00002:10", "nwparser.payload", "Mail server %{hostip->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg19 = msg("00002:10", part26); + +var part27 = // "Pattern{Constant('Management restriction for '), Field(hostip,true), Constant(' '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#19:00002:11", "nwparser.payload", "Management restriction for %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, +])); + +var msg20 = msg("00002:11", part27); + +var part28 = // "Pattern{Field(change_attribute,true), Constant(' has been restored from '), Field(change_old,true), Constant(' to default port '), Field(change_new,false)}" +match("MESSAGE#20:00002:12", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg21 = msg("00002:12", part28); + +var part29 = // "Pattern{Constant('System configuration has been '), Field(disposition,false)}" +match("MESSAGE#21:00002:15", "nwparser.payload", "System configuration has been %{disposition}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg22 = msg("00002:15", part29); + +var msg23 = msg("00002:17", dup336); + +var part30 = // "Pattern{Constant('Unexpected error from e'), Field(p0,false)}" +match("MESSAGE#23:00002:18/0", "nwparser.payload", "Unexpected error from e%{p0}"); + +var part31 = // "Pattern{Constant('-mail '), Field(p0,false)}" +match("MESSAGE#23:00002:18/1_0", "nwparser.p0", "-mail %{p0}"); + +var part32 = // "Pattern{Constant('mail '), Field(p0,false)}" +match("MESSAGE#23:00002:18/1_1", "nwparser.p0", "mail %{p0}"); + +var select7 = linear_select([ + part31, + part32, +]); + +var part33 = // "Pattern{Constant('server('), Field(fld2,false), Constant('):')}" +match("MESSAGE#23:00002:18/2", "nwparser.p0", "server(%{fld2}):"); + +var all7 = all_match({ + processors: [ + part30, + select7, + part33, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg24 = msg("00002:18", all7); + +var part34 = // "Pattern{Constant('Web Admin '), Field(change_attribute,true), Constant(' value has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#24:00002:19", "nwparser.payload", "Web Admin %{change_attribute->} value has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg25 = msg("00002:19", part34); + +var part35 = // "Pattern{Constant('Root admin password restriction of minimum '), Field(fld2,true), Constant(' characters has been '), Field(disposition,true), Constant(' by admin '), Field(administrator,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#25:00002:20/0", "nwparser.payload", "Root admin password restriction of minimum %{fld2->} characters has been %{disposition->} by admin %{administrator->} %{p0}"); + +var part36 = // "Pattern{Constant('from Console '), Field(,false)}" +match("MESSAGE#25:00002:20/1_0", "nwparser.p0", "from Console %{}"); + +var select8 = linear_select([ + part36, + dup20, + dup21, +]); + +var all8 = all_match({ + processors: [ + part35, + select8, + ], + on_success: processor_chain([ + dup22, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg26 = msg("00002:20", all8); + +var part37 = // "Pattern{Constant('Root admin '), Field(p0,false)}" +match("MESSAGE#26:00002:21/0_0", "nwparser.payload", "Root admin %{p0}"); + +var part38 = // "Pattern{Field(fld2,true), Constant(' admin '), Field(p0,false)}" +match("MESSAGE#26:00002:21/0_1", "nwparser.payload", "%{fld2->} admin %{p0}"); + +var select9 = linear_select([ + part37, + part38, +]); + +var select10 = linear_select([ + dup24, + dup25, +]); + +var part39 = // "Pattern{Constant('has been changed by admin '), Field(administrator,false)}" +match("MESSAGE#26:00002:21/3", "nwparser.p0", "has been changed by admin %{administrator}"); + +var all9 = all_match({ + processors: [ + select9, + dup23, + select10, + part39, + ], + on_success: processor_chain([ + dup22, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg27 = msg("00002:21", all9); + +var part40 = // "Pattern{Field(change_attribute,true), Constant(' from '), Field(protocol,true), Constant(' before administrative session disconnects has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' by admin '), Field(p0,false)}" +match("MESSAGE#27:00002:22/0", "nwparser.payload", "%{change_attribute->} from %{protocol->} before administrative session disconnects has been changed from %{change_old->} to %{change_new->} by admin %{p0}"); + +var part41 = // "Pattern{Field(administrator,true), Constant(' from Console')}" +match("MESSAGE#27:00002:22/1_0", "nwparser.p0", "%{administrator->} from Console"); + +var part42 = // "Pattern{Field(administrator,true), Constant(' from host '), Field(saddr,false)}" +match("MESSAGE#27:00002:22/1_1", "nwparser.p0", "%{administrator->} from host %{saddr}"); + +var select11 = linear_select([ + part41, + part42, + dup26, +]); + +var all10 = all_match({ + processors: [ + part40, + select11, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg28 = msg("00002:22", all10); + +var part43 = // "Pattern{Constant('Root admin access restriction through console only has been '), Field(disposition,true), Constant(' by admin '), Field(administrator,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#28:00002:23/0", "nwparser.payload", "Root admin access restriction through console only has been %{disposition->} by admin %{administrator->} %{p0}"); + +var part44 = // "Pattern{Constant('from Console'), Field(,false)}" +match("MESSAGE#28:00002:23/1_1", "nwparser.p0", "from Console%{}"); + +var select12 = linear_select([ + dup20, + part44, + dup21, +]); + +var all11 = all_match({ + processors: [ + part43, + select12, + ], + on_success: processor_chain([ + dup22, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg29 = msg("00002:23", all11); + +var part45 = // "Pattern{Constant('Admin access restriction of '), Field(protocol,true), Constant(' administration through tunnel only has been '), Field(disposition,true), Constant(' by admin '), Field(administrator,true), Constant(' from '), Field(p0,false)}" +match("MESSAGE#29:00002:24/0", "nwparser.payload", "Admin access restriction of %{protocol->} administration through tunnel only has been %{disposition->} by admin %{administrator->} from %{p0}"); + +var part46 = // "Pattern{Constant('host '), Field(saddr,false)}" +match("MESSAGE#29:00002:24/1_0", "nwparser.p0", "host %{saddr}"); + +var part47 = // "Pattern{Constant('Console'), Field(,false)}" +match("MESSAGE#29:00002:24/1_1", "nwparser.p0", "Console%{}"); + +var select13 = linear_select([ + part46, + part47, +]); + +var all12 = all_match({ + processors: [ + part45, + select13, + ], + on_success: processor_chain([ + dup22, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg30 = msg("00002:24", all12); + +var part48 = // "Pattern{Constant('Admin AUTH: Local instance of an '), Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#30:00002:25", "nwparser.payload", "Admin AUTH: Local instance of an %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + setc("eventcategory","1402000000"), + dup2, + dup3, + dup4, + dup5, +])); + +var msg31 = msg("00002:25", part48); + +var part49 = // "Pattern{Constant('Cannot connect to e-mail server '), Field(hostip,false), Constant('.')}" +match("MESSAGE#31:00002:26", "nwparser.payload", "Cannot connect to e-mail server %{hostip}.", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, +])); + +var msg32 = msg("00002:26", part49); + +var part50 = // "Pattern{Constant('Mail server is not configured.'), Field(,false)}" +match("MESSAGE#32:00002:27", "nwparser.payload", "Mail server is not configured.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg33 = msg("00002:27", part50); + +var part51 = // "Pattern{Constant('Mail recipients were not configured.'), Field(,false)}" +match("MESSAGE#33:00002:28", "nwparser.payload", "Mail recipients were not configured.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg34 = msg("00002:28", part51); + +var part52 = // "Pattern{Constant('Single use password restriction for read-write administrators has been '), Field(disposition,true), Constant(' by admin '), Field(administrator,false)}" +match("MESSAGE#34:00002:29", "nwparser.payload", "Single use password restriction for read-write administrators has been %{disposition->} by admin %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg35 = msg("00002:29", part52); + +var part53 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" logged in for '), Field(logon_type,false), Constant('('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#35:00002:30", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ + dup28, + dup29, + dup30, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, +])); + +var msg36 = msg("00002:30", part53); + +var part54 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" logged out for '), Field(logon_type,false), Constant('('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#36:00002:41", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport}", processor_chain([ + dup33, + dup29, + dup34, + dup2, + dup3, + dup4, + dup5, +])); + +var msg37 = msg("00002:41", part54); + +var part55 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" login attempt for '), Field(logon_type,true), Constant(' '), Field(space,true), Constant(' ('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' '), Field(disposition,false)}" +match("MESSAGE#37:00002:31", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} %{space->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ + dup35, + dup29, + dup30, + dup31, + dup2, + dup3, + dup4, + dup5, +])); + +var msg38 = msg("00002:31", part55); + +var part56 = // "Pattern{Constant('E-mail notification '), Field(p0,false)}" +match("MESSAGE#38:00002:32/0_0", "nwparser.payload", "E-mail notification %{p0}"); + +var part57 = // "Pattern{Constant('Transparent virutal '), Field(p0,false)}" +match("MESSAGE#38:00002:32/0_1", "nwparser.payload", "Transparent virutal %{p0}"); + +var select14 = linear_select([ + part56, + part57, +]); + +var part58 = // "Pattern{Constant('wire mode has been '), Field(disposition,false)}" +match("MESSAGE#38:00002:32/1", "nwparser.p0", "wire mode has been %{disposition}"); + +var all13 = all_match({ + processors: [ + select14, + part58, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg39 = msg("00002:32", all13); + +var part59 = // "Pattern{Constant('Malicious URL '), Field(url,true), Constant(' has been '), Field(disposition,true), Constant(' for zone '), Field(zone,false)}" +match("MESSAGE#39:00002:35", "nwparser.payload", "Malicious URL %{url->} has been %{disposition->} for zone %{zone}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg40 = msg("00002:35", part59); + +var part60 = // "Pattern{Constant('Bypass'), Field(p0,false)}" +match("MESSAGE#40:00002:36/0", "nwparser.payload", "Bypass%{p0}"); + +var part61 = // "Pattern{Constant('-others-IPSec '), Field(p0,false)}" +match("MESSAGE#40:00002:36/1_0", "nwparser.p0", "-others-IPSec %{p0}"); + +var part62 = // "Pattern{Constant(' non-IP traffic '), Field(p0,false)}" +match("MESSAGE#40:00002:36/1_1", "nwparser.p0", " non-IP traffic %{p0}"); + +var select15 = linear_select([ + part61, + part62, +]); + +var part63 = // "Pattern{Constant('option has been '), Field(disposition,false)}" +match("MESSAGE#40:00002:36/2", "nwparser.p0", "option has been %{disposition}"); + +var all14 = all_match({ + processors: [ + part60, + select15, + part63, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg41 = msg("00002:36", all14); + +var part64 = // "Pattern{Constant('Logging of '), Field(p0,false)}" +match("MESSAGE#41:00002:37/0", "nwparser.payload", "Logging of %{p0}"); + +var part65 = // "Pattern{Constant('dropped '), Field(p0,false)}" +match("MESSAGE#41:00002:37/1_0", "nwparser.p0", "dropped %{p0}"); + +var part66 = // "Pattern{Constant('IKE '), Field(p0,false)}" +match("MESSAGE#41:00002:37/1_1", "nwparser.p0", "IKE %{p0}"); + +var part67 = // "Pattern{Constant('SNMP '), Field(p0,false)}" +match("MESSAGE#41:00002:37/1_2", "nwparser.p0", "SNMP %{p0}"); + +var part68 = // "Pattern{Constant('ICMP '), Field(p0,false)}" +match("MESSAGE#41:00002:37/1_3", "nwparser.p0", "ICMP %{p0}"); + +var select16 = linear_select([ + part65, + part66, + part67, + part68, +]); + +var part69 = // "Pattern{Constant('traffic to self has been '), Field(disposition,false)}" +match("MESSAGE#41:00002:37/2", "nwparser.p0", "traffic to self has been %{disposition}"); + +var all15 = all_match({ + processors: [ + part64, + select16, + part69, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg42 = msg("00002:37", all15); + +var part70 = // "Pattern{Constant('Logging of dropped traffic to self (excluding multicast) has been '), Field(p0,false)}" +match("MESSAGE#42:00002:38/0", "nwparser.payload", "Logging of dropped traffic to self (excluding multicast) has been %{p0}"); + +var part71 = // "Pattern{Field(disposition,true), Constant(' on '), Field(zone,false)}" +match("MESSAGE#42:00002:38/1_0", "nwparser.p0", "%{disposition->} on %{zone}"); + +var select17 = linear_select([ + part71, + dup36, +]); + +var all16 = all_match({ + processors: [ + part70, + select17, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg43 = msg("00002:38", all16); + +var part72 = // "Pattern{Constant('Traffic shaping is '), Field(disposition,false)}" +match("MESSAGE#43:00002:39", "nwparser.payload", "Traffic shaping is %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg44 = msg("00002:39", part72); + +var part73 = // "Pattern{Constant('Admin account created for ''), Field(username,false), Constant('' by '), Field(administrator,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#44:00002:40", "nwparser.payload", "Admin account created for '%{username}' by %{administrator->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ + dup37, + dup29, + setc("ec_activity","Create"), + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg45 = msg("00002:40", part73); + +var part74 = // "Pattern{Constant('ADMIN AUTH: Privilege requested for unknown user '), Field(username,false), Constant('. Possible HA syncronization problem.')}" +match("MESSAGE#45:00002:44", "nwparser.payload", "ADMIN AUTH: Privilege requested for unknown user %{username}. Possible HA syncronization problem.", processor_chain([ + dup35, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg46 = msg("00002:44", part74); + +var part75 = // "Pattern{Field(change_attribute,true), Constant(' for account ''), Field(change_old,false), Constant('' has been '), Field(disposition,true), Constant(' to ''), Field(change_new,false), Constant('' '), Field(p0,false)}" +match("MESSAGE#46:00002:42/0", "nwparser.payload", "%{change_attribute->} for account '%{change_old}' has been %{disposition->} to '%{change_new}' %{p0}"); + +var part76 = // "Pattern{Constant('by '), Field(administrator,true), Constant(' via '), Field(p0,false)}" +match("MESSAGE#46:00002:42/1_0", "nwparser.p0", "by %{administrator->} via %{p0}"); + +var select18 = linear_select([ + part76, + dup40, +]); + +var part77 = // "Pattern{Constant(''), Field(logon_type,true), Constant(' from host '), Field(p0,false)}" +match("MESSAGE#46:00002:42/2", "nwparser.p0", "%{logon_type->} from host %{p0}"); + +var part78 = // "Pattern{Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(p0,false)}" +match("MESSAGE#46:00002:42/3_0", "nwparser.p0", "%{saddr->} to %{daddr}:%{dport->} (%{p0}"); + +var part79 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(p0,false)}" +match("MESSAGE#46:00002:42/3_1", "nwparser.p0", "%{saddr}:%{sport->} (%{p0}"); + +var select19 = linear_select([ + part78, + part79, +]); + +var all17 = all_match({ + processors: [ + part75, + select18, + part77, + select19, + dup41, + ], + on_success: processor_chain([ + dup42, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg47 = msg("00002:42", all17); + +var part80 = // "Pattern{Constant('Admin account '), Field(disposition,true), Constant(' for '), Field(p0,false)}" +match("MESSAGE#47:00002:43/0", "nwparser.payload", "Admin account %{disposition->} for %{p0}"); + +var part81 = // "Pattern{Constant('''), Field(username,false), Constant('''), Field(p0,false)}" +match("MESSAGE#47:00002:43/1_0", "nwparser.p0", "'%{username}'%{p0}"); + +var part82 = // "Pattern{Constant('"'), Field(username,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#47:00002:43/1_1", "nwparser.p0", "\"%{username}\"%{p0}"); + +var select20 = linear_select([ + part81, + part82, +]); + +var part83 = // "Pattern{Field(,false), Constant('by '), Field(administrator,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#47:00002:43/2", "nwparser.p0", "%{}by %{administrator->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); + +var all18 = all_match({ + processors: [ + part80, + select20, + part83, + ], + on_success: processor_chain([ + dup42, + dup29, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg48 = msg("00002:43", all18); + +var part84 = // "Pattern{Constant('Admin account '), Field(disposition,true), Constant(' for "'), Field(username,false), Constant('" by '), Field(administrator,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#48:00002:50", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ + dup42, + dup29, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg49 = msg("00002:50", part84); + +var part85 = // "Pattern{Constant('Admin account '), Field(disposition,true), Constant(' for "'), Field(username,false), Constant('" by '), Field(administrator,true), Constant(' '), Field(fld2,true), Constant(' via '), Field(logon_type,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#49:00002:51", "nwparser.payload", "Admin account %{disposition->} for \"%{username}\" by %{administrator->} %{fld2->} via %{logon_type->} (%{fld1})", processor_chain([ + dup42, + dup29, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg50 = msg("00002:51", part85); + +var part86 = // "Pattern{Constant('Extraneous exit is issued by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#50:00002:45", "nwparser.payload", "Extraneous exit is issued by %{username->} via %{logon_type->} from host %{saddr}:%{sport->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg51 = msg("00002:45", part86); + +var part87 = // "Pattern{Constant('Ping of Death attack protection '), Field(p0,false)}" +match("MESSAGE#51:00002:47/0_0", "nwparser.payload", "Ping of Death attack protection %{p0}"); + +var part88 = // "Pattern{Constant('Src Route IP option filtering '), Field(p0,false)}" +match("MESSAGE#51:00002:47/0_1", "nwparser.payload", "Src Route IP option filtering %{p0}"); + +var part89 = // "Pattern{Constant('Teardrop attack protection '), Field(p0,false)}" +match("MESSAGE#51:00002:47/0_2", "nwparser.payload", "Teardrop attack protection %{p0}"); + +var part90 = // "Pattern{Constant('Land attack protection '), Field(p0,false)}" +match("MESSAGE#51:00002:47/0_3", "nwparser.payload", "Land attack protection %{p0}"); + +var part91 = // "Pattern{Constant('SYN flood protection '), Field(p0,false)}" +match("MESSAGE#51:00002:47/0_4", "nwparser.payload", "SYN flood protection %{p0}"); + +var select21 = linear_select([ + part87, + part88, + part89, + part90, + part91, +]); + +var part92 = // "Pattern{Constant('is '), Field(disposition,true), Constant(' on zone '), Field(zone,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#51:00002:47/1", "nwparser.p0", "is %{disposition->} on zone %{zone->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})"); + +var all19 = all_match({ + processors: [ + select21, + part92, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg52 = msg("00002:47", all19); + +var part93 = // "Pattern{Constant('Dropping pkts if not '), Field(p0,false)}" +match("MESSAGE#52:00002:48/0", "nwparser.payload", "Dropping pkts if not %{p0}"); + +var part94 = // "Pattern{Constant('exactly same with incoming if '), Field(p0,false)}" +match("MESSAGE#52:00002:48/1_0", "nwparser.p0", "exactly same with incoming if %{p0}"); + +var part95 = // "Pattern{Constant('in route table '), Field(p0,false)}" +match("MESSAGE#52:00002:48/1_1", "nwparser.p0", "in route table %{p0}"); + +var select22 = linear_select([ + part94, + part95, +]); + +var part96 = // "Pattern{Constant('(IP spoof protection) is '), Field(disposition,true), Constant(' on zone '), Field(zone,true), Constant(' by '), Field(username,true), Constant(' via '), Field(p0,false)}" +match("MESSAGE#52:00002:48/2", "nwparser.p0", "(IP spoof protection) is %{disposition->} on zone %{zone->} by %{username->} via %{p0}"); + +var part97 = // "Pattern{Constant('NSRP Peer. ('), Field(p0,false)}" +match("MESSAGE#52:00002:48/3_0", "nwparser.p0", "NSRP Peer. (%{p0}"); + +var select23 = linear_select([ + part97, + dup45, +]); + +var all20 = all_match({ + processors: [ + part93, + select22, + part96, + select23, + dup41, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg53 = msg("00002:48", all20); + +var part98 = // "Pattern{Field(signame,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#53:00002:52/0", "nwparser.payload", "%{signame->} %{p0}"); + +var part99 = // "Pattern{Constant('protection'), Field(p0,false)}" +match("MESSAGE#53:00002:52/1_0", "nwparser.p0", "protection%{p0}"); + +var part100 = // "Pattern{Constant('limiting'), Field(p0,false)}" +match("MESSAGE#53:00002:52/1_1", "nwparser.p0", "limiting%{p0}"); + +var part101 = // "Pattern{Constant('detection'), Field(p0,false)}" +match("MESSAGE#53:00002:52/1_2", "nwparser.p0", "detection%{p0}"); + +var part102 = // "Pattern{Constant('filtering '), Field(p0,false)}" +match("MESSAGE#53:00002:52/1_3", "nwparser.p0", "filtering %{p0}"); + +var select24 = linear_select([ + part99, + part100, + part101, + part102, +]); + +var part103 = // "Pattern{Field(,false), Constant('is '), Field(disposition,true), Constant(' on zone '), Field(zone,true), Constant(' by '), Field(p0,false)}" +match("MESSAGE#53:00002:52/2", "nwparser.p0", "%{}is %{disposition->} on zone %{zone->} by %{p0}"); + +var part104 = // "Pattern{Constant('admin via '), Field(p0,false)}" +match("MESSAGE#53:00002:52/3_1", "nwparser.p0", "admin via %{p0}"); + +var select25 = linear_select([ + dup46, + part104, + dup47, +]); + +var select26 = linear_select([ + dup48, + dup45, +]); + +var all21 = all_match({ + processors: [ + part98, + select24, + part103, + select25, + select26, + dup41, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg54 = msg("00002:52", all21); + +var part105 = // "Pattern{Constant('Admin password for account "'), Field(username,false), Constant('" has been '), Field(disposition,true), Constant(' by '), Field(administrator,true), Constant(' via '), Field(logon_type,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#54:00002:53", "nwparser.payload", "Admin password for account \"%{username}\" has been %{disposition->} by %{administrator->} via %{logon_type->} (%{fld1})", processor_chain([ + dup42, + dup43, + dup38, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg55 = msg("00002:53", part105); + +var part106 = // "Pattern{Constant('Traffic shaping clearing DSCP selector is turned O'), Field(p0,false)}" +match("MESSAGE#55:00002:54/0", "nwparser.payload", "Traffic shaping clearing DSCP selector is turned O%{p0}"); + +var part107 = // "Pattern{Constant('FF'), Field(p0,false)}" +match("MESSAGE#55:00002:54/1_0", "nwparser.p0", "FF%{p0}"); + +var part108 = // "Pattern{Constant('N'), Field(p0,false)}" +match("MESSAGE#55:00002:54/1_1", "nwparser.p0", "N%{p0}"); + +var select27 = linear_select([ + part107, + part108, +]); + +var all22 = all_match({ + processors: [ + part106, + select27, + dup49, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + dup9, + ]), +}); + +var msg56 = msg("00002:54", all22); + +var part109 = // "Pattern{Field(change_attribute,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#56:00002/0", "nwparser.payload", "%{change_attribute->} %{p0}"); + +var part110 = // "Pattern{Constant('has been changed'), Field(p0,false)}" +match("MESSAGE#56:00002/1_0", "nwparser.p0", "has been changed%{p0}"); + +var select28 = linear_select([ + part110, + dup52, +]); + +var part111 = // "Pattern{Field(,false), Constant('from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#56:00002/2", "nwparser.p0", "%{}from %{change_old->} to %{change_new}"); + +var all23 = all_match({ + processors: [ + part109, + select28, + part111, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg57 = msg("00002", all23); + +var part112 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" login attempt for '), Field(logon_type,false), Constant('('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' failed. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1215:00002:56", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed. (%{fld1})", processor_chain([ + dup53, + dup9, + dup2, + dup3, + dup4, + dup5, +])); + +var msg58 = msg("00002:56", part112); + +var select29 = linear_select([ + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + msg58, +]); + +var part113 = // "Pattern{Constant('Multiple authentication failures have been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false)}" +match("MESSAGE#57:00003", "nwparser.payload", "Multiple authentication failures have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ + dup53, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, +])); + +var msg59 = msg("00003", part113); + +var part114 = // "Pattern{Constant('Multiple authentication failures have been detected!'), Field(,false)}" +match("MESSAGE#58:00003:01", "nwparser.payload", "Multiple authentication failures have been detected!%{}", processor_chain([ + dup53, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, +])); + +var msg60 = msg("00003:01", part114); + +var part115 = // "Pattern{Constant('The console debug buffer has been '), Field(disposition,false)}" +match("MESSAGE#59:00003:02", "nwparser.payload", "The console debug buffer has been %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg61 = msg("00003:02", part115); + +var part116 = // "Pattern{Field(change_attribute,true), Constant(' changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false), Constant('.')}" +match("MESSAGE#60:00003:03", "nwparser.payload", "%{change_attribute->} changed from %{change_old->} to %{change_new}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg62 = msg("00003:03", part116); + +var part117 = // "Pattern{Constant('serial'), Field(p0,false)}" +match("MESSAGE#61:00003:05/1_0", "nwparser.p0", "serial%{p0}"); + +var part118 = // "Pattern{Constant('local'), Field(p0,false)}" +match("MESSAGE#61:00003:05/1_1", "nwparser.p0", "local%{p0}"); + +var select30 = linear_select([ + part117, + part118, +]); + +var part119 = // "Pattern{Field(,false), Constant('console has been '), Field(disposition,true), Constant(' by admin '), Field(administrator,false), Constant('.')}" +match("MESSAGE#61:00003:05/2", "nwparser.p0", "%{}console has been %{disposition->} by admin %{administrator}."); + +var all24 = all_match({ + processors: [ + dup55, + select30, + part119, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg63 = msg("00003:05", all24); + +var select31 = linear_select([ + msg59, + msg60, + msg61, + msg62, + msg63, +]); + +var part120 = // "Pattern{Field(info,false), Constant('DNS server IP has been changed')}" +match("MESSAGE#62:00004", "nwparser.payload", "%{info}DNS server IP has been changed", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg64 = msg("00004", part120); + +var part121 = // "Pattern{Constant('DNS cache table has been '), Field(disposition,false)}" +match("MESSAGE#63:00004:01", "nwparser.payload", "DNS cache table has been %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg65 = msg("00004:01", part121); + +var part122 = // "Pattern{Constant('Daily DNS lookup has been '), Field(disposition,false)}" +match("MESSAGE#64:00004:02", "nwparser.payload", "Daily DNS lookup has been %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg66 = msg("00004:02", part122); + +var part123 = // "Pattern{Constant('Daily DNS lookup time has been '), Field(disposition,false)}" +match("MESSAGE#65:00004:03", "nwparser.payload", "Daily DNS lookup time has been %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg67 = msg("00004:03", part123); + +var part124 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' using protocol '), Field(protocol,true), Constant(' on '), Field(p0,false)}" +match("MESSAGE#66:00004:04/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr->} using protocol %{protocol->} on %{p0}"); + +var part125 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' '), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#66:00004:04/2", "nwparser.p0", "%{} %{interface->} %{space}The attack occurred %{dclass_counter1->} times"); + +var all25 = all_match({ + processors: [ + part124, + dup339, + part125, + ], + on_success: processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup59, + dup3, + dup60, + ]), +}); + +var msg68 = msg("00004:04", all25); + +var part126 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,false)}" +match("MESSAGE#67:00004:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol}", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup3, + dup61, +])); + +var msg69 = msg("00004:05", part126); + +var part127 = // "Pattern{Constant('DNS lookup time has been changed to start at '), Field(fld2,false), Constant(':'), Field(fld3,true), Constant(' with an interval of '), Field(fld4,false)}" +match("MESSAGE#68:00004:06", "nwparser.payload", "DNS lookup time has been changed to start at %{fld2}:%{fld3->} with an interval of %{fld4}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg70 = msg("00004:06", part127); + +var part128 = // "Pattern{Constant('DNS cache table entries have been refreshed as result of external event.'), Field(,false)}" +match("MESSAGE#69:00004:07", "nwparser.payload", "DNS cache table entries have been refreshed as result of external event.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg71 = msg("00004:07", part128); + +var part129 = // "Pattern{Constant('DNS Proxy module has been '), Field(disposition,false), Constant('.')}" +match("MESSAGE#70:00004:08", "nwparser.payload", "DNS Proxy module has been %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg72 = msg("00004:08", part129); + +var part130 = // "Pattern{Constant('DNS Proxy module has more concurrent client requests than allowed.'), Field(,false)}" +match("MESSAGE#71:00004:09", "nwparser.payload", "DNS Proxy module has more concurrent client requests than allowed.%{}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + dup5, +])); + +var msg73 = msg("00004:09", part130); + +var part131 = // "Pattern{Constant('DNS Proxy server select table entries exceeded maximum limit.'), Field(,false)}" +match("MESSAGE#72:00004:10", "nwparser.payload", "DNS Proxy server select table entries exceeded maximum limit.%{}", processor_chain([ + dup62, + dup2, + dup3, + dup4, + dup5, +])); + +var msg74 = msg("00004:10", part131); + +var part132 = // "Pattern{Constant('Proxy server select table added with domain '), Field(domain,false), Constant(', interface '), Field(interface,false), Constant(', primary-ip '), Field(fld2,false), Constant(', secondary-ip '), Field(fld3,false), Constant(', tertiary-ip '), Field(fld4,false), Constant(', failover '), Field(disposition,false)}" +match("MESSAGE#73:00004:11", "nwparser.payload", "Proxy server select table added with domain %{domain}, interface %{interface}, primary-ip %{fld2}, secondary-ip %{fld3}, tertiary-ip %{fld4}, failover %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg75 = msg("00004:11", part132); + +var part133 = // "Pattern{Constant('DNS Proxy server select table entry '), Field(disposition,true), Constant(' with domain '), Field(domain,false)}" +match("MESSAGE#74:00004:12", "nwparser.payload", "DNS Proxy server select table entry %{disposition->} with domain %{domain}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg76 = msg("00004:12", part133); + +var part134 = // "Pattern{Constant('DDNS server '), Field(domain,true), Constant(' returned incorrect ip '), Field(fld2,false), Constant(', local-ip should be '), Field(fld3,false)}" +match("MESSAGE#75:00004:13", "nwparser.payload", "DDNS server %{domain->} returned incorrect ip %{fld2}, local-ip should be %{fld3}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg77 = msg("00004:13", part134); + +var part135 = // "Pattern{Constant('automatically refreshed '), Field(p0,false)}" +match("MESSAGE#76:00004:14/1_0", "nwparser.p0", "automatically refreshed %{p0}"); + +var part136 = // "Pattern{Constant('refreshed by HA '), Field(p0,false)}" +match("MESSAGE#76:00004:14/1_1", "nwparser.p0", "refreshed by HA %{p0}"); + +var select32 = linear_select([ + part135, + part136, +]); + +var all26 = all_match({ + processors: [ + dup63, + select32, + dup49, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg78 = msg("00004:14", all26); + +var part137 = // "Pattern{Constant('DNS entries have been refreshed as result of DNS server address change. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#77:00004:15", "nwparser.payload", "DNS entries have been refreshed as result of DNS server address change. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg79 = msg("00004:15", part137); + +var part138 = // "Pattern{Constant('DNS entries have been manually refreshed. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#78:00004:16", "nwparser.payload", "DNS entries have been manually refreshed. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg80 = msg("00004:16", part138); + +var all27 = all_match({ + processors: [ + dup64, + dup340, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup4, + dup59, + dup9, + dup5, + dup3, + dup60, + ]), +}); + +var msg81 = msg("00004:17", all27); + +var select33 = linear_select([ + msg64, + msg65, + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, +]); + +var part139 = // "Pattern{Field(signame,true), Constant(' alarm threshold from the same source has been changed to '), Field(trigger_val,false)}" +match("MESSAGE#80:00005", "nwparser.payload", "%{signame->} alarm threshold from the same source has been changed to %{trigger_val}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg82 = msg("00005", part139); + +var part140 = // "Pattern{Constant('Logging of '), Field(fld2,true), Constant(' traffic to self has been '), Field(disposition,false)}" +match("MESSAGE#81:00005:01", "nwparser.payload", "Logging of %{fld2->} traffic to self has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg83 = msg("00005:01", part140); + +var part141 = // "Pattern{Constant('SYN flood '), Field(fld2,true), Constant(' has been changed to '), Field(fld3,false)}" +match("MESSAGE#82:00005:02", "nwparser.payload", "SYN flood %{fld2->} has been changed to %{fld3}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg84 = msg("00005:02", part141); + +var part142 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(p0,false)}" +match("MESSAGE#83:00005:03/0", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); + +var part143 = // "Pattern{Field(fld99,false), Constant('interface '), Field(interface,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#83:00005:03/4", "nwparser.p0", "%{fld99}interface %{interface->} %{p0}"); + +var part144 = // "Pattern{Constant('in zone '), Field(zone,false), Constant('. '), Field(p0,false)}" +match("MESSAGE#83:00005:03/5_0", "nwparser.p0", "in zone %{zone}. %{p0}"); + +var select34 = linear_select([ + part144, + dup73, +]); + +var part145 = // "Pattern{Constant(''), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#83:00005:03/6", "nwparser.p0", "%{space}The attack occurred %{dclass_counter1->} times"); + +var all28 = all_match({ + processors: [ + part142, + dup341, + dup70, + dup342, + part143, + select34, + part145, + ], + on_success: processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup61, + ]), +}); + +var msg85 = msg("00005:03", all28); + +var msg86 = msg("00005:04", dup343); + +var part146 = // "Pattern{Constant('SYN flood drop pak in '), Field(fld2,true), Constant(' mode when receiving unknown dst mac has been '), Field(disposition,true), Constant(' on '), Field(zone,false), Constant('.')}" +match("MESSAGE#85:00005:05", "nwparser.payload", "SYN flood drop pak in %{fld2->} mode when receiving unknown dst mac has been %{disposition->} on %{zone}.", processor_chain([ + setc("eventcategory","1001020100"), + dup2, + dup3, + dup4, + dup5, +])); + +var msg87 = msg("00005:05", part146); + +var part147 = // "Pattern{Constant('flood timeout has been set to '), Field(trigger_val,true), Constant(' on '), Field(zone,false), Constant('.')}" +match("MESSAGE#86:00005:06/1", "nwparser.p0", "flood timeout has been set to %{trigger_val->} on %{zone}."); + +var all29 = all_match({ + processors: [ + dup344, + part147, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg88 = msg("00005:06", all29); + +var part148 = // "Pattern{Constant('SYN flood '), Field(p0,false)}" +match("MESSAGE#87:00005:07/0", "nwparser.payload", "SYN flood %{p0}"); + +var part149 = // "Pattern{Constant('alarm threshold '), Field(p0,false)}" +match("MESSAGE#87:00005:07/1_0", "nwparser.p0", "alarm threshold %{p0}"); + +var part150 = // "Pattern{Constant('packet queue size '), Field(p0,false)}" +match("MESSAGE#87:00005:07/1_1", "nwparser.p0", "packet queue size %{p0}"); + +var part151 = // "Pattern{Constant('attack threshold '), Field(p0,false)}" +match("MESSAGE#87:00005:07/1_3", "nwparser.p0", "attack threshold %{p0}"); + +var part152 = // "Pattern{Constant('same source IP threshold '), Field(p0,false)}" +match("MESSAGE#87:00005:07/1_4", "nwparser.p0", "same source IP threshold %{p0}"); + +var select35 = linear_select([ + part149, + part150, + dup76, + part151, + part152, +]); + +var part153 = // "Pattern{Constant('is set to '), Field(trigger_val,false), Constant('.')}" +match("MESSAGE#87:00005:07/2", "nwparser.p0", "is set to %{trigger_val}."); + +var all30 = all_match({ + processors: [ + part148, + select35, + part153, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg89 = msg("00005:07", all30); + +var part154 = // "Pattern{Constant('flood same '), Field(p0,false)}" +match("MESSAGE#88:00005:08/1", "nwparser.p0", "flood same %{p0}"); + +var select36 = linear_select([ + dup77, + dup78, +]); + +var part155 = // "Pattern{Constant('ip threshold has been set to '), Field(trigger_val,true), Constant(' on '), Field(zone,false), Constant('.')}" +match("MESSAGE#88:00005:08/3", "nwparser.p0", "ip threshold has been set to %{trigger_val->} on %{zone}."); + +var all31 = all_match({ + processors: [ + dup344, + part154, + select36, + part155, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg90 = msg("00005:08", all31); + +var part156 = // "Pattern{Constant('Screen service '), Field(service,true), Constant(' is '), Field(disposition,true), Constant(' on interface '), Field(interface,false), Constant('.')}" +match("MESSAGE#89:00005:09", "nwparser.payload", "Screen service %{service->} is %{disposition->} on interface %{interface}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg91 = msg("00005:09", part156); + +var part157 = // "Pattern{Constant('Screen service '), Field(service,true), Constant(' is '), Field(disposition,true), Constant(' on '), Field(zone,false)}" +match("MESSAGE#90:00005:10", "nwparser.payload", "Screen service %{service->} is %{disposition->} on %{zone}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg92 = msg("00005:10", part157); + +var part158 = // "Pattern{Constant('The SYN flood '), Field(p0,false)}" +match("MESSAGE#91:00005:11/0", "nwparser.payload", "The SYN flood %{p0}"); + +var part159 = // "Pattern{Constant('alarm threshold'), Field(,false)}" +match("MESSAGE#91:00005:11/1_0", "nwparser.p0", "alarm threshold%{}"); + +var part160 = // "Pattern{Constant('packet queue size'), Field(,false)}" +match("MESSAGE#91:00005:11/1_1", "nwparser.p0", "packet queue size%{}"); + +var part161 = // "Pattern{Constant('timeout value'), Field(,false)}" +match("MESSAGE#91:00005:11/1_2", "nwparser.p0", "timeout value%{}"); + +var part162 = // "Pattern{Constant('attack threshold'), Field(,false)}" +match("MESSAGE#91:00005:11/1_3", "nwparser.p0", "attack threshold%{}"); + +var part163 = // "Pattern{Constant('same source IP'), Field(,false)}" +match("MESSAGE#91:00005:11/1_4", "nwparser.p0", "same source IP%{}"); + +var select37 = linear_select([ + part159, + part160, + part161, + part162, + part163, +]); + +var all32 = all_match({ + processors: [ + part158, + select37, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg93 = msg("00005:11", all32); + +var part164 = // "Pattern{Constant('The SYN-ACK-ACK proxy threshold value has been set to '), Field(trigger_val,true), Constant(' on '), Field(interface,false), Constant('.')}" +match("MESSAGE#92:00005:12", "nwparser.payload", "The SYN-ACK-ACK proxy threshold value has been set to %{trigger_val->} on %{interface}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg94 = msg("00005:12", part164); + +var part165 = // "Pattern{Constant('The session limit threshold has been set to '), Field(trigger_val,true), Constant(' on '), Field(zone,false), Constant('.')}" +match("MESSAGE#93:00005:13", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg95 = msg("00005:13", part165); + +var part166 = // "Pattern{Constant('syn proxy drop packet with unknown mac!'), Field(,false)}" +match("MESSAGE#94:00005:14", "nwparser.payload", "syn proxy drop packet with unknown mac!%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg96 = msg("00005:14", part166); + +var part167 = // "Pattern{Field(signame,true), Constant(' alarm threshold has been changed to '), Field(trigger_val,false)}" +match("MESSAGE#95:00005:15", "nwparser.payload", "%{signame->} alarm threshold has been changed to %{trigger_val}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg97 = msg("00005:15", part167); + +var part168 = // "Pattern{Field(signame,true), Constant(' threshold has been set to '), Field(trigger_val,true), Constant(' on '), Field(zone,false), Constant('.')}" +match("MESSAGE#96:00005:16", "nwparser.payload", "%{signame->} threshold has been set to %{trigger_val->} on %{zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg98 = msg("00005:16", part168); + +var part169 = // "Pattern{Constant('destination-based '), Field(p0,false)}" +match("MESSAGE#97:00005:17/1_0", "nwparser.p0", "destination-based %{p0}"); + +var part170 = // "Pattern{Constant('source-based '), Field(p0,false)}" +match("MESSAGE#97:00005:17/1_1", "nwparser.p0", "source-based %{p0}"); + +var select38 = linear_select([ + part169, + part170, +]); + +var part171 = // "Pattern{Constant('session-limit threshold has been set at '), Field(trigger_val,true), Constant(' in zone '), Field(zone,false), Constant('.')}" +match("MESSAGE#97:00005:17/2", "nwparser.p0", "session-limit threshold has been set at %{trigger_val->} in zone %{zone}."); + +var all33 = all_match({ + processors: [ + dup79, + select38, + part171, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg99 = msg("00005:17", all33); + +var all34 = all_match({ + processors: [ + dup80, + dup345, + dup83, + ], + on_success: processor_chain([ + dup84, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + dup61, + ]), +}); + +var msg100 = msg("00005:18", all34); + +var part172 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" +match("MESSAGE#99:00005:19", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup84, + dup2, + dup3, + dup4, + dup5, + dup59, + dup61, +])); + +var msg101 = msg("00005:19", part172); + +var part173 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' int '), Field(interface,false), Constant(').'), Field(space,true), Constant(' Occurred '), Field(fld2,true), Constant(' times. ('), Field(fld1,false), Constant(')<<'), Field(fld6,false), Constant('>')}" +match("MESSAGE#100:00005:20", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} int %{interface}).%{space->} Occurred %{fld2->} times. (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ + dup84, + dup9, + dup2, + dup3, + dup4, + dup5, +])); + +var msg102 = msg("00005:20", part173); + +var select39 = linear_select([ + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + msg89, + msg90, + msg91, + msg92, + msg93, + msg94, + msg95, + msg96, + msg97, + msg98, + msg99, + msg100, + msg101, + msg102, +]); + +var part174 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#101:00006", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup85, + dup2, + dup3, + dup4, + dup59, + dup5, + dup61, +])); + +var msg103 = msg("00006", part174); + +var part175 = // "Pattern{Constant('Hostname set to "'), Field(hostname,false), Constant('"')}" +match("MESSAGE#102:00006:01", "nwparser.payload", "Hostname set to \"%{hostname}\"", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg104 = msg("00006:01", part175); + +var part176 = // "Pattern{Constant('Domain set to '), Field(domain,false)}" +match("MESSAGE#103:00006:02", "nwparser.payload", "Domain set to %{domain}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg105 = msg("00006:02", part176); + +var part177 = // "Pattern{Constant('An optional ScreenOS feature has been activated via a software key.'), Field(,false)}" +match("MESSAGE#104:00006:03", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg106 = msg("00006:03", part177); + +var part178 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(p0,false)}" +match("MESSAGE#105:00006:04/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); + +var all35 = all_match({ + processors: [ + part178, + dup340, + dup67, + ], + on_success: processor_chain([ + dup84, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + dup61, + ]), +}); + +var msg107 = msg("00006:04", all35); + +var all36 = all_match({ + processors: [ + dup64, + dup340, + dup67, + ], + on_success: processor_chain([ + dup84, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + dup60, + ]), +}); + +var msg108 = msg("00006:05", all36); + +var select40 = linear_select([ + msg103, + msg104, + msg105, + msg106, + msg107, + msg108, +]); + +var part179 = // "Pattern{Constant('HA cluster ID has been changed to '), Field(fld2,false)}" +match("MESSAGE#107:00007", "nwparser.payload", "HA cluster ID has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg109 = msg("00007", part179); + +var part180 = // "Pattern{Field(change_attribute,true), Constant(' of the local NetScreen device has changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#108:00007:01", "nwparser.payload", "%{change_attribute->} of the local NetScreen device has changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg110 = msg("00007:01", part180); + +var part181 = // "Pattern{Constant('HA state of the local device has changed to backup because a device with a '), Field(p0,false)}" +match("MESSAGE#109:00007:02/0", "nwparser.payload", "HA state of the local device has changed to backup because a device with a %{p0}"); + +var part182 = // "Pattern{Constant('higher priority has been detected'), Field(,false)}" +match("MESSAGE#109:00007:02/1_0", "nwparser.p0", "higher priority has been detected%{}"); + +var part183 = // "Pattern{Constant('lower MAC value has been detected'), Field(,false)}" +match("MESSAGE#109:00007:02/1_1", "nwparser.p0", "lower MAC value has been detected%{}"); + +var select41 = linear_select([ + part182, + part183, +]); + +var all37 = all_match({ + processors: [ + part181, + select41, + ], + on_success: processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg111 = msg("00007:02", all37); + +var part184 = // "Pattern{Constant('HA state of the local device has changed to init because IP tracking has failed'), Field(,false)}" +match("MESSAGE#110:00007:03", "nwparser.payload", "HA state of the local device has changed to init because IP tracking has failed%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, +])); + +var msg112 = msg("00007:03", part184); + +var select42 = linear_select([ + dup88, + dup89, +]); + +var part185 = // "Pattern{Constant('has been changed'), Field(,false)}" +match("MESSAGE#111:00007:04/4", "nwparser.p0", "has been changed%{}"); + +var all38 = all_match({ + processors: [ + dup87, + select42, + dup23, + dup346, + part185, + ], + on_success: processor_chain([ + dup91, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg113 = msg("00007:04", all38); + +var part186 = // "Pattern{Constant('HA: Local NetScreen device has been elected backup because a master already exists'), Field(,false)}" +match("MESSAGE#112:00007:05", "nwparser.payload", "HA: Local NetScreen device has been elected backup because a master already exists%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg114 = msg("00007:05", part186); + +var part187 = // "Pattern{Constant('HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster'), Field(,false)}" +match("MESSAGE#113:00007:06", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its MAC value is higher than those of other devices in the cluster%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg115 = msg("00007:06", part187); + +var part188 = // "Pattern{Constant('HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster'), Field(,false)}" +match("MESSAGE#114:00007:07", "nwparser.payload", "HA: Local NetScreen device has been elected backup because its priority value is higher than those of other devices in the cluster%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg116 = msg("00007:07", part188); + +var part189 = // "Pattern{Constant('HA: Local device has been elected master because no other master exists'), Field(,false)}" +match("MESSAGE#115:00007:08", "nwparser.payload", "HA: Local device has been elected master because no other master exists%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg117 = msg("00007:08", part189); + +var part190 = // "Pattern{Constant('HA: Local device priority has been changed to '), Field(fld2,false)}" +match("MESSAGE#116:00007:09", "nwparser.payload", "HA: Local device priority has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg118 = msg("00007:09", part190); + +var part191 = // "Pattern{Constant('HA: Previous master has promoted the local NetScreen device to master'), Field(,false)}" +match("MESSAGE#117:00007:10", "nwparser.payload", "HA: Previous master has promoted the local NetScreen device to master%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg119 = msg("00007:10", part191); + +var part192 = // "Pattern{Constant('IP tracking device failover threshold has been '), Field(p0,false)}" +match("MESSAGE#118:00007:11/0", "nwparser.payload", "IP tracking device failover threshold has been %{p0}"); + +var select43 = linear_select([ + dup92, + dup93, +]); + +var all39 = all_match({ + processors: [ + part192, + select43, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg120 = msg("00007:11", all39); + +var part193 = // "Pattern{Constant('IP tracking has been '), Field(disposition,false)}" +match("MESSAGE#119:00007:12", "nwparser.payload", "IP tracking has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg121 = msg("00007:12", part193); + +var part194 = // "Pattern{Constant('IP tracking to '), Field(hostip,true), Constant(' with interval '), Field(fld2,true), Constant(' threshold '), Field(trigger_val,true), Constant(' weight '), Field(fld4,true), Constant(' interface '), Field(interface,true), Constant(' method '), Field(fld5,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#120:00007:13", "nwparser.payload", "IP tracking to %{hostip->} with interval %{fld2->} threshold %{trigger_val->} weight %{fld4->} interface %{interface->} method %{fld5->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg122 = msg("00007:13", part194); + +var part195 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' using protocol '), Field(protocol,true), Constant(' on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#121:00007:14", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup85, + dup2, + dup3, + dup4, + dup59, + dup5, + dup60, +])); + +var msg123 = msg("00007:14", part195); + +var part196 = // "Pattern{Constant('Primary HA interface has been changed to '), Field(interface,false)}" +match("MESSAGE#122:00007:15", "nwparser.payload", "Primary HA interface has been changed to %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg124 = msg("00007:15", part196); + +var part197 = // "Pattern{Constant('Reporting of HA configuration and status changes to NetScreen-Global Manager has been '), Field(disposition,false)}" +match("MESSAGE#123:00007:16", "nwparser.payload", "Reporting of HA configuration and status changes to NetScreen-Global Manager has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg125 = msg("00007:16", part197); + +var part198 = // "Pattern{Constant('Tracked IP '), Field(hostip,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#124:00007:17", "nwparser.payload", "Tracked IP %{hostip->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg126 = msg("00007:17", part198); + +var part199 = // "Pattern{Constant('Tracked IP '), Field(hostip,true), Constant(' options have been changed from int '), Field(fld2,true), Constant(' thr '), Field(fld3,true), Constant(' wgt '), Field(fld4,true), Constant(' inf '), Field(fld5,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#125:00007:18/0", "nwparser.payload", "Tracked IP %{hostip->} options have been changed from int %{fld2->} thr %{fld3->} wgt %{fld4->} inf %{fld5->} %{p0}"); + +var part200 = // "Pattern{Constant('ping '), Field(p0,false)}" +match("MESSAGE#125:00007:18/1_0", "nwparser.p0", "ping %{p0}"); + +var part201 = // "Pattern{Constant('ARP '), Field(p0,false)}" +match("MESSAGE#125:00007:18/1_1", "nwparser.p0", "ARP %{p0}"); + +var select44 = linear_select([ + part200, + part201, +]); + +var part202 = // "Pattern{Constant('to '), Field(fld6,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#125:00007:18/2", "nwparser.p0", "to %{fld6->} %{p0}"); + +var part203 = // "Pattern{Constant('ping'), Field(,false)}" +match("MESSAGE#125:00007:18/3_0", "nwparser.p0", "ping%{}"); + +var part204 = // "Pattern{Constant('ARP'), Field(,false)}" +match("MESSAGE#125:00007:18/3_1", "nwparser.p0", "ARP%{}"); + +var select45 = linear_select([ + part203, + part204, +]); + +var all40 = all_match({ + processors: [ + part199, + select44, + part202, + select45, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg127 = msg("00007:18", all40); + +var part205 = // "Pattern{Constant('Change '), Field(change_attribute,true), Constant(' path from '), Field(change_old,true), Constant(' to '), Field(change_new,false), Constant('.')}" +match("MESSAGE#126:00007:20", "nwparser.payload", "Change %{change_attribute->} path from %{change_old->} to %{change_new}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg128 = msg("00007:20", part205); + +var part206 = // "Pattern{Constant('HA Slave is '), Field(p0,false)}" +match("MESSAGE#127:00007:21/0", "nwparser.payload", "HA Slave is %{p0}"); + +var all41 = all_match({ + processors: [ + part206, + dup347, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg129 = msg("00007:21", all41); + +var part207 = // "Pattern{Constant('HA change group id to '), Field(groupid,false)}" +match("MESSAGE#128:00007:22", "nwparser.payload", "HA change group id to %{groupid}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg130 = msg("00007:22", part207); + +var part208 = // "Pattern{Constant('HA change priority to '), Field(fld2,false)}" +match("MESSAGE#129:00007:23", "nwparser.payload", "HA change priority to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg131 = msg("00007:23", part208); + +var part209 = // "Pattern{Constant('HA change state to init'), Field(,false)}" +match("MESSAGE#130:00007:24", "nwparser.payload", "HA change state to init%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg132 = msg("00007:24", part209); + +var part210 = // "Pattern{Constant('HA: Change state to initial state.'), Field(,false)}" +match("MESSAGE#131:00007:25", "nwparser.payload", "HA: Change state to initial state.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg133 = msg("00007:25", part210); + +var part211 = // "Pattern{Constant('HA: Change state to slave for '), Field(p0,false)}" +match("MESSAGE#132:00007:26/0", "nwparser.payload", "HA: Change state to slave for %{p0}"); + +var part212 = // "Pattern{Constant('tracking ip failed'), Field(,false)}" +match("MESSAGE#132:00007:26/1_0", "nwparser.p0", "tracking ip failed%{}"); + +var part213 = // "Pattern{Constant('linkdown'), Field(,false)}" +match("MESSAGE#132:00007:26/1_1", "nwparser.p0", "linkdown%{}"); + +var select46 = linear_select([ + part212, + part213, +]); + +var all42 = all_match({ + processors: [ + part211, + select46, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg134 = msg("00007:26", all42); + +var part214 = // "Pattern{Constant('HA: Change to master command issued from original master to change state'), Field(,false)}" +match("MESSAGE#133:00007:27", "nwparser.payload", "HA: Change to master command issued from original master to change state%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg135 = msg("00007:27", part214); + +var part215 = // "Pattern{Constant('HA: Elected master no other master'), Field(,false)}" +match("MESSAGE#134:00007:28", "nwparser.payload", "HA: Elected master no other master%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg136 = msg("00007:28", part215); + +var part216 = // "Pattern{Constant('HA: Elected slave '), Field(p0,false)}" +match("MESSAGE#135:00007:29/0", "nwparser.payload", "HA: Elected slave %{p0}"); + +var part217 = // "Pattern{Constant('lower priority'), Field(,false)}" +match("MESSAGE#135:00007:29/1_0", "nwparser.p0", "lower priority%{}"); + +var part218 = // "Pattern{Constant('MAC value is larger'), Field(,false)}" +match("MESSAGE#135:00007:29/1_1", "nwparser.p0", "MAC value is larger%{}"); + +var part219 = // "Pattern{Constant('master already exists'), Field(,false)}" +match("MESSAGE#135:00007:29/1_2", "nwparser.p0", "master already exists%{}"); + +var part220 = // "Pattern{Constant('detect new master with higher priority'), Field(,false)}" +match("MESSAGE#135:00007:29/1_3", "nwparser.p0", "detect new master with higher priority%{}"); + +var part221 = // "Pattern{Constant('detect new master with smaller MAC value'), Field(,false)}" +match("MESSAGE#135:00007:29/1_4", "nwparser.p0", "detect new master with smaller MAC value%{}"); + +var select47 = linear_select([ + part217, + part218, + part219, + part220, + part221, +]); + +var all43 = all_match({ + processors: [ + part216, + select47, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg137 = msg("00007:29", all43); + +var part222 = // "Pattern{Constant('HA: Promoted master command issued from original master to change state'), Field(,false)}" +match("MESSAGE#136:00007:30", "nwparser.payload", "HA: Promoted master command issued from original master to change state%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg138 = msg("00007:30", part222); + +var part223 = // "Pattern{Constant('HA: ha link '), Field(p0,false)}" +match("MESSAGE#137:00007:31/0", "nwparser.payload", "HA: ha link %{p0}"); + +var all44 = all_match({ + processors: [ + part223, + dup347, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg139 = msg("00007:31", all44); + +var part224 = // "Pattern{Constant('NSRP '), Field(fld2,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#138:00007:32/0", "nwparser.payload", "NSRP %{fld2->} %{p0}"); + +var select48 = linear_select([ + dup89, + dup88, +]); + +var part225 = // "Pattern{Constant('changed.'), Field(,false)}" +match("MESSAGE#138:00007:32/4", "nwparser.p0", "changed.%{}"); + +var all45 = all_match({ + processors: [ + part224, + select48, + dup23, + dup346, + part225, + ], + on_success: processor_chain([ + dup91, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg140 = msg("00007:32", all45); + +var part226 = // "Pattern{Constant('NSRP: VSD '), Field(p0,false)}" +match("MESSAGE#139:00007:33/0_0", "nwparser.payload", "NSRP: VSD %{p0}"); + +var part227 = // "Pattern{Constant('Virtual Security Device group '), Field(p0,false)}" +match("MESSAGE#139:00007:33/0_1", "nwparser.payload", "Virtual Security Device group %{p0}"); + +var select49 = linear_select([ + part226, + part227, +]); + +var part228 = // "Pattern{Constant(''), Field(fld2,true), Constant(' change'), Field(p0,false)}" +match("MESSAGE#139:00007:33/1", "nwparser.p0", "%{fld2->} change%{p0}"); + +var part229 = // "Pattern{Constant('d '), Field(p0,false)}" +match("MESSAGE#139:00007:33/2_0", "nwparser.p0", "d %{p0}"); + +var select50 = linear_select([ + part229, + dup96, +]); + +var part230 = // "Pattern{Constant('to '), Field(fld3,true), Constant(' mode.')}" +match("MESSAGE#139:00007:33/3", "nwparser.p0", "to %{fld3->} mode."); + +var all46 = all_match({ + processors: [ + select49, + part228, + select50, + part230, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg141 = msg("00007:33", all46); + +var part231 = // "Pattern{Constant('NSRP: message '), Field(fld2,true), Constant(' dropped: invalid encryption password.')}" +match("MESSAGE#140:00007:34", "nwparser.payload", "NSRP: message %{fld2->} dropped: invalid encryption password.", processor_chain([ + dup97, + dup2, + dup3, + dup4, + dup5, +])); + +var msg142 = msg("00007:34", part231); + +var part232 = // "Pattern{Constant('NSRP: nsrp interface change to '), Field(interface,false), Constant('.')}" +match("MESSAGE#141:00007:35", "nwparser.payload", "NSRP: nsrp interface change to %{interface}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg143 = msg("00007:35", part232); + +var part233 = // "Pattern{Constant('RTO mirror group id='), Field(groupid,true), Constant(' direction= '), Field(direction,true), Constant(' local unit='), Field(fld3,true), Constant(' duplicate from unit='), Field(fld4,false)}" +match("MESSAGE#142:00007:36", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} local unit=%{fld3->} duplicate from unit=%{fld4}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg144 = msg("00007:36", part233); + +var part234 = // "Pattern{Constant('RTO mirror group id='), Field(groupid,true), Constant(' direction= '), Field(direction,true), Constant(' is '), Field(p0,false)}" +match("MESSAGE#143:00007:37/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} is %{p0}"); + +var all47 = all_match({ + processors: [ + part234, + dup348, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg145 = msg("00007:37", all47); + +var part235 = // "Pattern{Constant('RTO mirror group id='), Field(groupid,true), Constant(' direction= '), Field(direction,true), Constant(' peer='), Field(fld3,true), Constant(' from '), Field(p0,false)}" +match("MESSAGE#144:00007:38/0", "nwparser.payload", "RTO mirror group id=%{groupid->} direction= %{direction->} peer=%{fld3->} from %{p0}"); + +var part236 = // "Pattern{Constant('state '), Field(p0,false)}" +match("MESSAGE#144:00007:38/4", "nwparser.p0", "state %{p0}"); + +var part237 = // "Pattern{Constant('missed heartbeat'), Field(,false)}" +match("MESSAGE#144:00007:38/5_0", "nwparser.p0", "missed heartbeat%{}"); + +var part238 = // "Pattern{Constant('group detached'), Field(,false)}" +match("MESSAGE#144:00007:38/5_1", "nwparser.p0", "group detached%{}"); + +var select51 = linear_select([ + part237, + part238, +]); + +var all48 = all_match({ + processors: [ + part235, + dup349, + dup103, + dup349, + part236, + select51, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg146 = msg("00007:38", all48); + +var part239 = // "Pattern{Constant('RTO mirror group id='), Field(groupid,true), Constant(' is '), Field(p0,false)}" +match("MESSAGE#145:00007:39/0", "nwparser.payload", "RTO mirror group id=%{groupid->} is %{p0}"); + +var all49 = all_match({ + processors: [ + part239, + dup348, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg147 = msg("00007:39", all49); + +var part240 = // "Pattern{Constant('Remove pathname '), Field(fld2,true), Constant(' (ifnum='), Field(fld3,false), Constant(') as secondary HA path')}" +match("MESSAGE#146:00007:40", "nwparser.payload", "Remove pathname %{fld2->} (ifnum=%{fld3}) as secondary HA path", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg148 = msg("00007:40", part240); + +var part241 = // "Pattern{Constant('Session sync ended by unit='), Field(fld2,false)}" +match("MESSAGE#147:00007:41", "nwparser.payload", "Session sync ended by unit=%{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg149 = msg("00007:41", part241); + +var part242 = // "Pattern{Constant('Set secondary HA path to '), Field(fld2,true), Constant(' (ifnum='), Field(fld3,false), Constant(')')}" +match("MESSAGE#148:00007:42", "nwparser.payload", "Set secondary HA path to %{fld2->} (ifnum=%{fld3})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg150 = msg("00007:42", part242); + +var part243 = // "Pattern{Constant('VSD '), Field(change_attribute,true), Constant(' changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#149:00007:43", "nwparser.payload", "VSD %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg151 = msg("00007:43", part243); + +var part244 = // "Pattern{Constant('vsd group id='), Field(groupid,true), Constant(' is '), Field(disposition,true), Constant(' total number='), Field(fld3,false)}" +match("MESSAGE#150:00007:44", "nwparser.payload", "vsd group id=%{groupid->} is %{disposition->} total number=%{fld3}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg152 = msg("00007:44", part244); + +var part245 = // "Pattern{Constant('vsd group '), Field(group,true), Constant(' local unit '), Field(change_attribute,true), Constant(' changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#151:00007:45", "nwparser.payload", "vsd group %{group->} local unit %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg153 = msg("00007:45", part245); + +var part246 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#152:00007:46", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup85, + dup2, + dup3, + dup4, + dup59, + dup5, + dup60, +])); + +var msg154 = msg("00007:46", part246); + +var part247 = // "Pattern{Constant('The HA channel changed to interface '), Field(interface,false)}" +match("MESSAGE#153:00007:47", "nwparser.payload", "The HA channel changed to interface %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg155 = msg("00007:47", part247); + +var part248 = // "Pattern{Constant('Message '), Field(fld2,true), Constant(' was dropped because it contained an invalid encryption password.')}" +match("MESSAGE#154:00007:48", "nwparser.payload", "Message %{fld2->} was dropped because it contained an invalid encryption password.", processor_chain([ + dup97, + dup2, + dup3, + dup4, + setc("disposition","dropped"), + setc("result","Invalid encryption Password"), +])); + +var msg156 = msg("00007:48", part248); + +var part249 = // "Pattern{Constant('The '), Field(change_attribute,true), Constant(' of all Virtual Security Device groups changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#155:00007:49", "nwparser.payload", "The %{change_attribute->} of all Virtual Security Device groups changed from %{change_old->} to %{change_new}", processor_chain([ + setc("eventcategory","1604000000"), + dup2, + dup3, + dup4, + dup5, +])); + +var msg157 = msg("00007:49", part249); + +var part250 = // "Pattern{Constant('Device '), Field(fld2,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#156:00007:50/0", "nwparser.payload", "Device %{fld2->} %{p0}"); + +var part251 = // "Pattern{Constant('has joined '), Field(p0,false)}" +match("MESSAGE#156:00007:50/1_0", "nwparser.p0", "has joined %{p0}"); + +var part252 = // "Pattern{Constant('quit current '), Field(p0,false)}" +match("MESSAGE#156:00007:50/1_1", "nwparser.p0", "quit current %{p0}"); + +var select52 = linear_select([ + part251, + part252, +]); + +var part253 = // "Pattern{Constant('NSRP cluster '), Field(fld3,false)}" +match("MESSAGE#156:00007:50/2", "nwparser.p0", "NSRP cluster %{fld3}"); + +var all50 = all_match({ + processors: [ + part250, + select52, + part253, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg158 = msg("00007:50", all50); + +var part254 = // "Pattern{Constant('Virtual Security Device group '), Field(group,true), Constant(' was '), Field(p0,false)}" +match("MESSAGE#157:00007:51/0", "nwparser.payload", "Virtual Security Device group %{group->} was %{p0}"); + +var part255 = // "Pattern{Constant('deleted '), Field(p0,false)}" +match("MESSAGE#157:00007:51/1_1", "nwparser.p0", "deleted %{p0}"); + +var select53 = linear_select([ + dup104, + part255, +]); + +var select54 = linear_select([ + dup105, + dup73, +]); + +var part256 = // "Pattern{Constant('The total number of members in the group '), Field(p0,false)}" +match("MESSAGE#157:00007:51/4", "nwparser.p0", "The total number of members in the group %{p0}"); + +var select55 = linear_select([ + dup106, + dup107, +]); + +var all51 = all_match({ + processors: [ + part254, + select53, + dup23, + select54, + part256, + select55, + dup108, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg159 = msg("00007:51", all51); + +var part257 = // "Pattern{Constant('Virtual Security Device group '), Field(group,true), Constant(' '), Field(change_attribute,true), Constant(' changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#158:00007:52", "nwparser.payload", "Virtual Security Device group %{group->} %{change_attribute->} changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg160 = msg("00007:52", part257); + +var part258 = // "Pattern{Constant('The secondary HA path of the devices was set to interface '), Field(interface,true), Constant(' with ifnum '), Field(fld2,false)}" +match("MESSAGE#159:00007:53", "nwparser.payload", "The secondary HA path of the devices was set to interface %{interface->} with ifnum %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg161 = msg("00007:53", part258); + +var part259 = // "Pattern{Constant('The '), Field(change_attribute,true), Constant(' of the devices changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#160:00007:54", "nwparser.payload", "The %{change_attribute->} of the devices changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg162 = msg("00007:54", part259); + +var part260 = // "Pattern{Constant('The interface '), Field(interface,true), Constant(' with ifnum '), Field(fld2,true), Constant(' was removed from the secondary HA path of the devices.')}" +match("MESSAGE#161:00007:55", "nwparser.payload", "The interface %{interface->} with ifnum %{fld2->} was removed from the secondary HA path of the devices.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg163 = msg("00007:55", part260); + +var part261 = // "Pattern{Constant('The probe that detects the status of High Availability link '), Field(fld2,true), Constant(' was '), Field(disposition,false)}" +match("MESSAGE#162:00007:56", "nwparser.payload", "The probe that detects the status of High Availability link %{fld2->} was %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg164 = msg("00007:56", part261); + +var select56 = linear_select([ + dup109, + dup110, +]); + +var select57 = linear_select([ + dup111, + dup112, +]); + +var part262 = // "Pattern{Constant('the probe detecting the status of High Availability link '), Field(fld2,true), Constant(' was set to '), Field(fld3,false)}" +match("MESSAGE#163:00007:57/4", "nwparser.p0", "the probe detecting the status of High Availability link %{fld2->} was set to %{fld3}"); + +var all52 = all_match({ + processors: [ + dup55, + select56, + dup23, + select57, + part262, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg165 = msg("00007:57", all52); + +var part263 = // "Pattern{Constant('A request by device '), Field(fld2,true), Constant(' for session synchronization(s) was accepted.')}" +match("MESSAGE#164:00007:58", "nwparser.payload", "A request by device %{fld2->} for session synchronization(s) was accepted.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg166 = msg("00007:58", part263); + +var part264 = // "Pattern{Constant('The current session synchronization by device '), Field(fld2,true), Constant(' completed.')}" +match("MESSAGE#165:00007:59", "nwparser.payload", "The current session synchronization by device %{fld2->} completed.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg167 = msg("00007:59", part264); + +var part265 = // "Pattern{Constant('Run Time Object mirror group '), Field(group,true), Constant(' direction was set to '), Field(direction,false)}" +match("MESSAGE#166:00007:60", "nwparser.payload", "Run Time Object mirror group %{group->} direction was set to %{direction}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg168 = msg("00007:60", part265); + +var part266 = // "Pattern{Constant('Run Time Object mirror group '), Field(group,true), Constant(' was set.')}" +match("MESSAGE#167:00007:61", "nwparser.payload", "Run Time Object mirror group %{group->} was set.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg169 = msg("00007:61", part266); + +var part267 = // "Pattern{Constant('Run Time Object mirror group '), Field(group,true), Constant(' with direction '), Field(direction,true), Constant(' was unset.')}" +match("MESSAGE#168:00007:62", "nwparser.payload", "Run Time Object mirror group %{group->} with direction %{direction->} was unset.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg170 = msg("00007:62", part267); + +var part268 = // "Pattern{Constant('RTO mirror group '), Field(group,true), Constant(' was unset.')}" +match("MESSAGE#169:00007:63", "nwparser.payload", "RTO mirror group %{group->} was unset.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg171 = msg("00007:63", part268); + +var part269 = // "Pattern{Constant(''), Field(fld2,true), Constant(' was removed from the monitoring list '), Field(p0,false)}" +match("MESSAGE#170:00007:64/1", "nwparser.p0", "%{fld2->} was removed from the monitoring list %{p0}"); + +var part270 = // "Pattern{Constant(''), Field(fld3,false)}" +match("MESSAGE#170:00007:64/3", "nwparser.p0", "%{fld3}"); + +var all53 = all_match({ + processors: [ + dup350, + part269, + dup351, + part270, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg172 = msg("00007:64", all53); + +var part271 = // "Pattern{Constant(''), Field(fld2,true), Constant(' with weight '), Field(fld3,true), Constant(' was added'), Field(p0,false)}" +match("MESSAGE#171:00007:65/1", "nwparser.p0", "%{fld2->} with weight %{fld3->} was added%{p0}"); + +var part272 = // "Pattern{Constant(' to or updated on '), Field(p0,false)}" +match("MESSAGE#171:00007:65/2_0", "nwparser.p0", " to or updated on %{p0}"); + +var part273 = // "Pattern{Constant('/updated to '), Field(p0,false)}" +match("MESSAGE#171:00007:65/2_1", "nwparser.p0", "/updated to %{p0}"); + +var select58 = linear_select([ + part272, + part273, +]); + +var part274 = // "Pattern{Constant('the monitoring list '), Field(p0,false)}" +match("MESSAGE#171:00007:65/3", "nwparser.p0", "the monitoring list %{p0}"); + +var part275 = // "Pattern{Constant(''), Field(fld4,false)}" +match("MESSAGE#171:00007:65/5", "nwparser.p0", "%{fld4}"); + +var all54 = all_match({ + processors: [ + dup350, + part271, + select58, + part274, + dup351, + part275, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg173 = msg("00007:65", all54); + +var part276 = // "Pattern{Constant('The monitoring '), Field(p0,false)}" +match("MESSAGE#172:00007:66/0_0", "nwparser.payload", "The monitoring %{p0}"); + +var part277 = // "Pattern{Constant('Monitoring '), Field(p0,false)}" +match("MESSAGE#172:00007:66/0_1", "nwparser.payload", "Monitoring %{p0}"); + +var select59 = linear_select([ + part276, + part277, +]); + +var part278 = // "Pattern{Constant('threshold was modified to '), Field(trigger_val,true), Constant(' o'), Field(p0,false)}" +match("MESSAGE#172:00007:66/1", "nwparser.p0", "threshold was modified to %{trigger_val->} o%{p0}"); + +var part279 = // "Pattern{Constant('f '), Field(p0,false)}" +match("MESSAGE#172:00007:66/2_0", "nwparser.p0", "f %{p0}"); + +var select60 = linear_select([ + part279, + dup115, +]); + +var all55 = all_match({ + processors: [ + select59, + part278, + select60, + dup108, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg174 = msg("00007:66", all55); + +var part280 = // "Pattern{Constant('NSRP data forwarding '), Field(disposition,false), Constant('.')}" +match("MESSAGE#173:00007:67", "nwparser.payload", "NSRP data forwarding %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg175 = msg("00007:67", part280); + +var part281 = // "Pattern{Constant('NSRP b'), Field(p0,false)}" +match("MESSAGE#174:00007:68/0", "nwparser.payload", "NSRP b%{p0}"); + +var part282 = // "Pattern{Constant('lack '), Field(p0,false)}" +match("MESSAGE#174:00007:68/1_0", "nwparser.p0", "lack %{p0}"); + +var part283 = // "Pattern{Constant('ack '), Field(p0,false)}" +match("MESSAGE#174:00007:68/1_1", "nwparser.p0", "ack %{p0}"); + +var select61 = linear_select([ + part282, + part283, +]); + +var part284 = // "Pattern{Constant('hole prevention '), Field(disposition,false), Constant('. Master(s) of Virtual Security Device groups '), Field(p0,false)}" +match("MESSAGE#174:00007:68/2", "nwparser.p0", "hole prevention %{disposition}. Master(s) of Virtual Security Device groups %{p0}"); + +var part285 = // "Pattern{Constant('may not exist '), Field(p0,false)}" +match("MESSAGE#174:00007:68/3_0", "nwparser.p0", "may not exist %{p0}"); + +var part286 = // "Pattern{Constant('always exists '), Field(p0,false)}" +match("MESSAGE#174:00007:68/3_1", "nwparser.p0", "always exists %{p0}"); + +var select62 = linear_select([ + part285, + part286, +]); + +var all56 = all_match({ + processors: [ + part281, + select61, + part284, + select62, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg176 = msg("00007:68", all56); + +var part287 = // "Pattern{Constant('NSRP Run Time Object synchronization between devices was '), Field(disposition,false)}" +match("MESSAGE#175:00007:69", "nwparser.payload", "NSRP Run Time Object synchronization between devices was %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg177 = msg("00007:69", part287); + +var part288 = // "Pattern{Constant('The NSRP encryption key was changed.'), Field(,false)}" +match("MESSAGE#176:00007:70", "nwparser.payload", "The NSRP encryption key was changed.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg178 = msg("00007:70", part288); + +var part289 = // "Pattern{Constant('NSRP transparent Active-Active mode was '), Field(disposition,false), Constant('.')}" +match("MESSAGE#177:00007:71", "nwparser.payload", "NSRP transparent Active-Active mode was %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg179 = msg("00007:71", part289); + +var part290 = // "Pattern{Constant('NSRP: nsrp link probe enable on '), Field(interface,false)}" +match("MESSAGE#178:00007:72", "nwparser.payload", "NSRP: nsrp link probe enable on %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg180 = msg("00007:72", part290); + +var select63 = linear_select([ + msg109, + msg110, + msg111, + msg112, + msg113, + msg114, + msg115, + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + msg123, + msg124, + msg125, + msg126, + msg127, + msg128, + msg129, + msg130, + msg131, + msg132, + msg133, + msg134, + msg135, + msg136, + msg137, + msg138, + msg139, + msg140, + msg141, + msg142, + msg143, + msg144, + msg145, + msg146, + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, + msg155, + msg156, + msg157, + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, + msg165, + msg166, + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, + msg174, + msg175, + msg176, + msg177, + msg178, + msg179, + msg180, +]); + +var part291 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#179:00008", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup59, + dup5, + dup61, +])); + +var msg181 = msg("00008", part291); + +var msg182 = msg("00008:01", dup343); + +var part292 = // "Pattern{Constant('NTP settings have been changed'), Field(,false)}" +match("MESSAGE#181:00008:02", "nwparser.payload", "NTP settings have been changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg183 = msg("00008:02", part292); + +var part293 = // "Pattern{Constant('The system clock has been updated through NTP'), Field(,false)}" +match("MESSAGE#182:00008:03", "nwparser.payload", "The system clock has been updated through NTP%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg184 = msg("00008:03", part293); + +var part294 = // "Pattern{Constant('System clock '), Field(p0,false)}" +match("MESSAGE#183:00008:04/0", "nwparser.payload", "System clock %{p0}"); + +var part295 = // "Pattern{Constant('configurations have been'), Field(p0,false)}" +match("MESSAGE#183:00008:04/1_0", "nwparser.p0", "configurations have been%{p0}"); + +var part296 = // "Pattern{Constant('was'), Field(p0,false)}" +match("MESSAGE#183:00008:04/1_1", "nwparser.p0", "was%{p0}"); + +var part297 = // "Pattern{Constant('is'), Field(p0,false)}" +match("MESSAGE#183:00008:04/1_2", "nwparser.p0", "is%{p0}"); + +var select64 = linear_select([ + part295, + part296, + part297, +]); + +var part298 = // "Pattern{Field(,false), Constant('changed'), Field(p0,false)}" +match("MESSAGE#183:00008:04/2", "nwparser.p0", "%{}changed%{p0}"); + +var part299 = // "Pattern{Constant(' by admin '), Field(administrator,false)}" +match("MESSAGE#183:00008:04/3_0", "nwparser.p0", " by admin %{administrator}"); + +var part300 = // "Pattern{Constant(' by '), Field(username,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#183:00008:04/3_1", "nwparser.p0", " by %{username->} (%{fld1})"); + +var part301 = // "Pattern{Constant(' by '), Field(username,false)}" +match("MESSAGE#183:00008:04/3_2", "nwparser.p0", " by %{username}"); + +var part302 = // "Pattern{Constant(' manually.'), Field(,false)}" +match("MESSAGE#183:00008:04/3_3", "nwparser.p0", " manually.%{}"); + +var part303 = // "Pattern{Constant(' manually'), Field(,false)}" +match("MESSAGE#183:00008:04/3_4", "nwparser.p0", " manually%{}"); + +var select65 = linear_select([ + part299, + part300, + part301, + part302, + part303, + dup21, +]); + +var all57 = all_match({ + processors: [ + part294, + select64, + part298, + select65, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup9, + ]), +}); + +var msg185 = msg("00008:04", all57); + +var part304 = // "Pattern{Constant('failed to get clock through NTP'), Field(,false)}" +match("MESSAGE#184:00008:05", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, +])); + +var msg186 = msg("00008:05", part304); + +var part305 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#185:00008:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup61, +])); + +var msg187 = msg("00008:06", part305); + +var part306 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#186:00008:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup60, +])); + +var msg188 = msg("00008:07", part306); + +var part307 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" +match("MESSAGE#187:00008:08", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup60, +])); + +var msg189 = msg("00008:08", part307); + +var part308 = // "Pattern{Constant('system clock is changed manually'), Field(,false)}" +match("MESSAGE#188:00008:09", "nwparser.payload", "system clock is changed manually%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg190 = msg("00008:09", part308); + +var part309 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,false), Constant('(zone '), Field(p0,false)}" +match("MESSAGE#189:00008:10/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol}(zone %{p0}"); + +var all58 = all_match({ + processors: [ + part309, + dup340, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup60, + ]), +}); + +var msg191 = msg("00008:10", all58); + +var select66 = linear_select([ + msg181, + msg182, + msg183, + msg184, + msg185, + msg186, + msg187, + msg188, + msg189, + msg190, + msg191, +]); + +var part310 = // "Pattern{Constant('802.1Q VLAN trunking for the interface '), Field(interface,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#190:00009", "nwparser.payload", "802.1Q VLAN trunking for the interface %{interface->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg192 = msg("00009", part310); + +var part311 = // "Pattern{Constant('802.1Q VLAN tag '), Field(fld1,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#191:00009:01", "nwparser.payload", "802.1Q VLAN tag %{fld1->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg193 = msg("00009:01", part311); + +var part312 = // "Pattern{Constant('DHCP on the interface '), Field(interface,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#192:00009:02", "nwparser.payload", "DHCP on the interface %{interface->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg194 = msg("00009:02", part312); + +var part313 = // "Pattern{Field(change_attribute,true), Constant(' for interface '), Field(interface,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#193:00009:03", "nwparser.payload", "%{change_attribute->} for interface %{interface->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg195 = msg("00009:03", part313); + +var part314 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#194:00009:05", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, +])); + +var msg196 = msg("00009:05", part314); + +var part315 = // "Pattern{Field(fld2,false), Constant(': The 802.1Q tag '), Field(p0,false)}" +match("MESSAGE#195:00009:06/0_0", "nwparser.payload", "%{fld2}: The 802.1Q tag %{p0}"); + +var part316 = // "Pattern{Constant('The 802.1Q tag '), Field(p0,false)}" +match("MESSAGE#195:00009:06/0_1", "nwparser.payload", "The 802.1Q tag %{p0}"); + +var select67 = linear_select([ + part315, + part316, +]); + +var select68 = linear_select([ + dup119, + dup16, +]); + +var part317 = // "Pattern{Constant('interface '), Field(interface,true), Constant(' has been '), Field(p0,false)}" +match("MESSAGE#195:00009:06/3", "nwparser.p0", "interface %{interface->} has been %{p0}"); + +var part318 = // "Pattern{Constant('changed to '), Field(p0,false)}" +match("MESSAGE#195:00009:06/4_1", "nwparser.p0", "changed to %{p0}"); + +var select69 = linear_select([ + dup120, + part318, +]); + +var part319 = // "Pattern{Field(info,true), Constant(' from host '), Field(saddr,false)}" +match("MESSAGE#195:00009:06/6_0", "nwparser.p0", "%{info->} from host %{saddr}"); + +var part320 = // "Pattern{Field(info,false)}" +match_copy("MESSAGE#195:00009:06/6_1", "nwparser.p0", "info"); + +var select70 = linear_select([ + part319, + part320, +]); + +var all59 = all_match({ + processors: [ + select67, + dup118, + select68, + part317, + select69, + dup23, + select70, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg197 = msg("00009:06", all59); + +var part321 = // "Pattern{Constant('Maximum bandwidth '), Field(fld2,true), Constant(' on '), Field(p0,false)}" +match("MESSAGE#196:00009:07/0", "nwparser.payload", "Maximum bandwidth %{fld2->} on %{p0}"); + +var part322 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' is less than t'), Field(p0,false)}" +match("MESSAGE#196:00009:07/2", "nwparser.p0", "%{} %{interface->} is less than t%{p0}"); + +var part323 = // "Pattern{Constant('he total '), Field(p0,false)}" +match("MESSAGE#196:00009:07/3_0", "nwparser.p0", "he total %{p0}"); + +var part324 = // "Pattern{Constant('otal '), Field(p0,false)}" +match("MESSAGE#196:00009:07/3_1", "nwparser.p0", "otal %{p0}"); + +var select71 = linear_select([ + part323, + part324, +]); + +var part325 = // "Pattern{Constant('guaranteed bandwidth '), Field(fld3,false)}" +match("MESSAGE#196:00009:07/4", "nwparser.p0", "guaranteed bandwidth %{fld3}"); + +var all60 = all_match({ + processors: [ + part321, + dup339, + part322, + select71, + part325, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg198 = msg("00009:07", all60); + +var part326 = // "Pattern{Constant('The configured bandwidth setting on the interface '), Field(interface,true), Constant(' has been changed to '), Field(fld2,false)}" +match("MESSAGE#197:00009:09", "nwparser.payload", "The configured bandwidth setting on the interface %{interface->} has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg199 = msg("00009:09", part326); + +var part327 = // "Pattern{Constant('The operational mode for the interface '), Field(interface,true), Constant(' has been changed to '), Field(p0,false)}" +match("MESSAGE#198:00009:10/0", "nwparser.payload", "The operational mode for the interface %{interface->} has been changed to %{p0}"); + +var part328 = // "Pattern{Constant('Route'), Field(,false)}" +match("MESSAGE#198:00009:10/1_0", "nwparser.p0", "Route%{}"); + +var part329 = // "Pattern{Constant('NAT'), Field(,false)}" +match("MESSAGE#198:00009:10/1_1", "nwparser.p0", "NAT%{}"); + +var select72 = linear_select([ + part328, + part329, +]); + +var all61 = all_match({ + processors: [ + part327, + select72, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg200 = msg("00009:10", all61); + +var part330 = // "Pattern{Field(fld1,false), Constant(': VLAN '), Field(p0,false)}" +match("MESSAGE#199:00009:11/0_0", "nwparser.payload", "%{fld1}: VLAN %{p0}"); + +var part331 = // "Pattern{Constant('VLAN '), Field(p0,false)}" +match("MESSAGE#199:00009:11/0_1", "nwparser.payload", "VLAN %{p0}"); + +var select73 = linear_select([ + part330, + part331, +]); + +var part332 = // "Pattern{Constant('tag '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#199:00009:11/1", "nwparser.p0", "tag %{fld2->} has been %{disposition}"); + +var all62 = all_match({ + processors: [ + select73, + part332, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg201 = msg("00009:11", all62); + +var part333 = // "Pattern{Constant('DHCP client has been '), Field(disposition,true), Constant(' on interface '), Field(interface,false)}" +match("MESSAGE#200:00009:12", "nwparser.payload", "DHCP client has been %{disposition->} on interface %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg202 = msg("00009:12", part333); + +var part334 = // "Pattern{Constant('DHCP relay agent settings on '), Field(interface,true), Constant(' have been '), Field(disposition,false)}" +match("MESSAGE#201:00009:13", "nwparser.payload", "DHCP relay agent settings on %{interface->} have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg203 = msg("00009:13", part334); + +var part335 = // "Pattern{Constant('Global-PRO has been '), Field(p0,false)}" +match("MESSAGE#202:00009:14/0_0", "nwparser.payload", "Global-PRO has been %{p0}"); + +var part336 = // "Pattern{Constant('Global PRO has been '), Field(p0,false)}" +match("MESSAGE#202:00009:14/0_1", "nwparser.payload", "Global PRO has been %{p0}"); + +var part337 = // "Pattern{Constant('DNS proxy was '), Field(p0,false)}" +match("MESSAGE#202:00009:14/0_2", "nwparser.payload", "DNS proxy was %{p0}"); + +var select74 = linear_select([ + part335, + part336, + part337, +]); + +var part338 = // "Pattern{Constant(''), Field(disposition,true), Constant(' on '), Field(p0,false)}" +match("MESSAGE#202:00009:14/1", "nwparser.p0", "%{disposition->} on %{p0}"); + +var select75 = linear_select([ + dup122, + dup123, +]); + +var part339 = // "Pattern{Field(interface,true), Constant(' ('), Field(fld2,false), Constant(')')}" +match("MESSAGE#202:00009:14/4_0", "nwparser.p0", "%{interface->} (%{fld2})"); + +var select76 = linear_select([ + part339, + dup124, +]); + +var all63 = all_match({ + processors: [ + select74, + part338, + select75, + dup23, + select76, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg204 = msg("00009:14", all63); + +var part340 = // "Pattern{Constant('Route between secondary IP'), Field(p0,false)}" +match("MESSAGE#203:00009:15/0", "nwparser.payload", "Route between secondary IP%{p0}"); + +var part341 = // "Pattern{Constant(' addresses '), Field(p0,false)}" +match("MESSAGE#203:00009:15/1_0", "nwparser.p0", " addresses %{p0}"); + +var select77 = linear_select([ + part341, + dup125, +]); + +var all64 = all_match({ + processors: [ + part340, + select77, + dup126, + dup352, + dup128, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg205 = msg("00009:15", all64); + +var part342 = // "Pattern{Constant('Secondary IP address '), Field(hostip,false), Constant('/'), Field(mask,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#204:00009:16/0", "nwparser.payload", "Secondary IP address %{hostip}/%{mask->} %{p0}"); + +var part343 = // "Pattern{Constant('deleted from '), Field(p0,false)}" +match("MESSAGE#204:00009:16/3_2", "nwparser.p0", "deleted from %{p0}"); + +var select78 = linear_select([ + dup129, + dup130, + part343, +]); + +var part344 = // "Pattern{Constant('interface '), Field(interface,false), Constant('.')}" +match("MESSAGE#204:00009:16/4", "nwparser.p0", "interface %{interface}."); + +var all65 = all_match({ + processors: [ + part342, + dup352, + dup23, + select78, + part344, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg206 = msg("00009:16", all65); + +var part345 = // "Pattern{Constant('Secondary IP address '), Field(p0,false)}" +match("MESSAGE#205:00009:17/0", "nwparser.payload", "Secondary IP address %{p0}"); + +var part346 = // "Pattern{Field(hostip,false), Constant('/'), Field(mask,true), Constant(' was added to interface '), Field(p0,false)}" +match("MESSAGE#205:00009:17/1_0", "nwparser.p0", "%{hostip}/%{mask->} was added to interface %{p0}"); + +var part347 = // "Pattern{Field(hostip,true), Constant(' was added to interface '), Field(p0,false)}" +match("MESSAGE#205:00009:17/1_1", "nwparser.p0", "%{hostip->} was added to interface %{p0}"); + +var select79 = linear_select([ + part346, + part347, +]); + +var part348 = // "Pattern{Field(interface,false), Constant('.')}" +match("MESSAGE#205:00009:17/2", "nwparser.p0", "%{interface}."); + +var all66 = all_match({ + processors: [ + part345, + select79, + part348, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg207 = msg("00009:17", all66); + +var part349 = // "Pattern{Constant('The configured bandwidth on the interface '), Field(interface,true), Constant(' has been changed to '), Field(fld2,false)}" +match("MESSAGE#206:00009:18", "nwparser.payload", "The configured bandwidth on the interface %{interface->} has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg208 = msg("00009:18", part349); + +var part350 = // "Pattern{Constant('interface '), Field(interface,true), Constant(' with IP '), Field(hostip,true), Constant(' '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#207:00009:19", "nwparser.payload", "interface %{interface->} with IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg209 = msg("00009:19", part350); + +var part351 = // "Pattern{Constant('interface '), Field(interface,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#208:00009:27", "nwparser.payload", "interface %{interface->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg210 = msg("00009:27", part351); + +var part352 = // "Pattern{Field(fld2,false), Constant(': '), Field(service,true), Constant(' has been '), Field(p0,false)}" +match("MESSAGE#209:00009:20/0_0", "nwparser.payload", "%{fld2}: %{service->} has been %{p0}"); + +var part353 = // "Pattern{Field(service,true), Constant(' has been '), Field(p0,false)}" +match("MESSAGE#209:00009:20/0_1", "nwparser.payload", "%{service->} has been %{p0}"); + +var select80 = linear_select([ + part352, + part353, +]); + +var part354 = // "Pattern{Field(disposition,true), Constant(' on interface '), Field(interface,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#209:00009:20/1", "nwparser.p0", "%{disposition->} on interface %{interface->} %{p0}"); + +var part355 = // "Pattern{Constant('by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false)}" +match("MESSAGE#209:00009:20/2_0", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}"); + +var part356 = // "Pattern{Constant('by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#209:00009:20/2_1", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}:%{sport}"); + +var part357 = // "Pattern{Constant('by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false)}" +match("MESSAGE#209:00009:20/2_2", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr}"); + +var part358 = // "Pattern{Constant('from host '), Field(saddr,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#209:00009:20/2_3", "nwparser.p0", "from host %{saddr->} (%{fld1})"); + +var select81 = linear_select([ + part355, + part356, + part357, + part358, +]); + +var all67 = all_match({ + processors: [ + select80, + part354, + select81, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg211 = msg("00009:20", all67); + +var part359 = // "Pattern{Constant('Source Route IP option! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#210:00009:21/0", "nwparser.payload", "Source Route IP option! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); + +var all68 = all_match({ + processors: [ + part359, + dup345, + dup131, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup60, + ]), +}); + +var msg212 = msg("00009:21", all68); + +var part360 = // "Pattern{Constant('MTU for interface '), Field(interface,true), Constant(' has been changed to '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#211:00009:22", "nwparser.payload", "MTU for interface %{interface->} has been changed to %{fld2->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg213 = msg("00009:22", part360); + +var part361 = // "Pattern{Constant('Secondary IP address '), Field(hostip,true), Constant(' has been added to interface '), Field(interface,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#212:00009:23", "nwparser.payload", "Secondary IP address %{hostip->} has been added to interface %{interface->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup9, + dup3, + dup4, + dup5, +])); + +var msg214 = msg("00009:23", part361); + +var part362 = // "Pattern{Constant('Web has been enabled on interface '), Field(interface,true), Constant(' by admin '), Field(administrator,true), Constant(' via '), Field(p0,false)}" +match("MESSAGE#213:00009:24/0", "nwparser.payload", "Web has been enabled on interface %{interface->} by admin %{administrator->} via %{p0}"); + +var part363 = // "Pattern{Field(logon_type,true), Constant(' '), Field(space,false), Constant('('), Field(p0,false)}" +match("MESSAGE#213:00009:24/1_0", "nwparser.p0", "%{logon_type->} %{space}(%{p0}"); + +var part364 = // "Pattern{Field(logon_type,false), Constant('. ('), Field(p0,false)}" +match("MESSAGE#213:00009:24/1_1", "nwparser.p0", "%{logon_type}. (%{p0}"); + +var select82 = linear_select([ + part363, + part364, +]); + +var part365 = // "Pattern{Constant(')'), Field(fld1,false)}" +match("MESSAGE#213:00009:24/2", "nwparser.p0", ")%{fld1}"); + +var all69 = all_match({ + processors: [ + part362, + select82, + part365, + ], + on_success: processor_chain([ + dup1, + dup2, + dup9, + dup3, + dup4, + dup5, + ]), +}); + +var msg215 = msg("00009:24", all69); + +var part366 = // "Pattern{Constant('Web has been enabled on interface '), Field(interface,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#214:00009:25", "nwparser.payload", "Web has been enabled on interface %{interface->} by %{username->} via %{logon_type}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup9, + dup3, + dup4, + dup5, +])); + +var msg216 = msg("00009:25", part366); + +var part367 = // "Pattern{Field(protocol,true), Constant(' has been '), Field(disposition,true), Constant(' on interface '), Field(interface,true), Constant(' by '), Field(username,true), Constant(' via NSRP Peer . '), Field(p0,false)}" +match("MESSAGE#215:00009:26/0", "nwparser.payload", "%{protocol->} has been %{disposition->} on interface %{interface->} by %{username->} via NSRP Peer . %{p0}"); + +var all70 = all_match({ + processors: [ + part367, + dup335, + ], + on_success: processor_chain([ + dup1, + dup2, + dup9, + dup3, + dup4, + dup5, + ]), +}); + +var msg217 = msg("00009:26", all70); + +var select83 = linear_select([ + msg192, + msg193, + msg194, + msg195, + msg196, + msg197, + msg198, + msg199, + msg200, + msg201, + msg202, + msg203, + msg204, + msg205, + msg206, + msg207, + msg208, + msg209, + msg210, + msg211, + msg212, + msg213, + msg214, + msg215, + msg216, + msg217, +]); + +var part368 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#216:00010/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} %{p0}"); + +var part369 = // "Pattern{Constant('using protocol '), Field(p0,false)}" +match("MESSAGE#216:00010/1_0", "nwparser.p0", "using protocol %{p0}"); + +var part370 = // "Pattern{Constant('proto '), Field(p0,false)}" +match("MESSAGE#216:00010/1_1", "nwparser.p0", "proto %{p0}"); + +var select84 = linear_select([ + part369, + part370, +]); + +var part371 = // "Pattern{Constant(''), Field(protocol,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#216:00010/2", "nwparser.p0", "%{protocol->} %{p0}"); + +var part372 = // "Pattern{Constant('( zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant(') '), Field(p0,false)}" +match("MESSAGE#216:00010/3_0", "nwparser.p0", "( zone %{zone}, int %{interface}) %{p0}"); + +var part373 = // "Pattern{Constant('zone '), Field(zone,true), Constant(' int '), Field(interface,false), Constant(') '), Field(p0,false)}" +match("MESSAGE#216:00010/3_1", "nwparser.p0", "zone %{zone->} int %{interface}) %{p0}"); + +var select85 = linear_select([ + part372, + part373, + dup126, +]); + +var part374 = // "Pattern{Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times'), Field(p0,false)}" +match("MESSAGE#216:00010/4", "nwparser.p0", ".%{space}The attack occurred %{dclass_counter1->} times%{p0}"); + +var all71 = all_match({ + processors: [ + part368, + select84, + part371, + select85, + part374, + dup353, + ], + on_success: processor_chain([ + dup58, + dup2, + dup4, + dup59, + dup5, + dup9, + dup3, + dup61, + ]), +}); + +var msg218 = msg("00010", all71); + +var part375 = // "Pattern{Constant('MIP '), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#217:00010:01", "nwparser.payload", "MIP %{hostip}/%{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg219 = msg("00010:01", part375); + +var part376 = // "Pattern{Constant('Mapped IP '), Field(hostip,true), Constant(' '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#218:00010:02", "nwparser.payload", "Mapped IP %{hostip->} %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg220 = msg("00010:02", part376); + +var all72 = all_match({ + processors: [ + dup132, + dup345, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup9, + dup3, + dup60, + ]), +}); + +var msg221 = msg("00010:03", all72); + +var select86 = linear_select([ + msg218, + msg219, + msg220, + msg221, +]); + +var part377 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#220:00011", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, +])); + +var msg222 = msg("00011", part377); + +var part378 = // "Pattern{Constant('Route to '), Field(daddr,false), Constant('/'), Field(fld2,true), Constant(' [ '), Field(p0,false)}" +match("MESSAGE#221:00011:01/0", "nwparser.payload", "Route to %{daddr}/%{fld2->} [ %{p0}"); + +var select87 = linear_select([ + dup57, + dup56, +]); + +var part379 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' gateway '), Field(fld3,true), Constant(' ] has been '), Field(disposition,false)}" +match("MESSAGE#221:00011:01/2", "nwparser.p0", "%{} %{interface->} gateway %{fld3->} ] has been %{disposition}"); + +var all73 = all_match({ + processors: [ + part378, + select87, + part379, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg223 = msg("00011:01", all73); + +var part380 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(fld2,false), Constant(')')}" +match("MESSAGE#222:00011:02", "nwparser.payload", "%{signame->} from %{saddr->} to %{daddr->} protocol %{protocol->} (%{fld2})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, +])); + +var msg224 = msg("00011:02", part380); + +var part381 = // "Pattern{Constant('An '), Field(p0,false)}" +match("MESSAGE#223:00011:03/0", "nwparser.payload", "An %{p0}"); + +var part382 = // "Pattern{Constant('import '), Field(p0,false)}" +match("MESSAGE#223:00011:03/1_0", "nwparser.p0", "import %{p0}"); + +var part383 = // "Pattern{Constant('export '), Field(p0,false)}" +match("MESSAGE#223:00011:03/1_1", "nwparser.p0", "export %{p0}"); + +var select88 = linear_select([ + part382, + part383, +]); + +var part384 = // "Pattern{Constant('rule in virtual router '), Field(node,true), Constant(' to virtual router '), Field(fld4,true), Constant(' with '), Field(p0,false)}" +match("MESSAGE#223:00011:03/2", "nwparser.p0", "rule in virtual router %{node->} to virtual router %{fld4->} with %{p0}"); + +var part385 = // "Pattern{Constant('route-map '), Field(fld3,true), Constant(' and protocol '), Field(protocol,true), Constant(' has been '), Field(p0,false)}" +match("MESSAGE#223:00011:03/3_0", "nwparser.p0", "route-map %{fld3->} and protocol %{protocol->} has been %{p0}"); + +var part386 = // "Pattern{Constant('IP-prefix '), Field(hostip,false), Constant('/'), Field(interface,true), Constant(' has been '), Field(p0,false)}" +match("MESSAGE#223:00011:03/3_1", "nwparser.p0", "IP-prefix %{hostip}/%{interface->} has been %{p0}"); + +var select89 = linear_select([ + part385, + part386, +]); + +var all74 = all_match({ + processors: [ + part381, + select88, + part384, + select89, + dup36, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg225 = msg("00011:03", all74); + +var part387 = // "Pattern{Constant('A route in virtual router '), Field(node,true), Constant(' that has IP address '), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' through '), Field(p0,false)}" +match("MESSAGE#224:00011:04/0", "nwparser.payload", "A route in virtual router %{node->} that has IP address %{hostip}/%{fld2->} through %{p0}"); + +var part388 = // "Pattern{Constant(''), Field(interface,true), Constant(' and gateway '), Field(fld3,true), Constant(' with metric '), Field(fld4,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#224:00011:04/2", "nwparser.p0", "%{interface->} and gateway %{fld3->} with metric %{fld4->} has been %{disposition}"); + +var all75 = all_match({ + processors: [ + part387, + dup354, + part388, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg226 = msg("00011:04", all75); + +var part389 = // "Pattern{Constant('sharable virtual router using name'), Field(p0,false)}" +match("MESSAGE#225:00011:05/1_0", "nwparser.p0", "sharable virtual router using name%{p0}"); + +var part390 = // "Pattern{Constant('virtual router with name'), Field(p0,false)}" +match("MESSAGE#225:00011:05/1_1", "nwparser.p0", "virtual router with name%{p0}"); + +var select90 = linear_select([ + part389, + part390, +]); + +var part391 = // "Pattern{Field(,true), Constant(' '), Field(node,true), Constant(' and id '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#225:00011:05/2", "nwparser.p0", "%{} %{node->} and id %{fld2->} has been %{disposition}"); + +var all76 = all_match({ + processors: [ + dup79, + select90, + part391, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg227 = msg("00011:05", all76); + +var part392 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#226:00011:07", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup59, + dup3, + dup60, +])); + +var msg228 = msg("00011:07", part392); + +var part393 = // "Pattern{Constant('Route(s) in virtual router '), Field(node,true), Constant(' with an IP address '), Field(hostip,true), Constant(' and gateway '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#227:00011:08", "nwparser.payload", "Route(s) in virtual router %{node->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg229 = msg("00011:08", part393); + +var part394 = // "Pattern{Constant('The auto-route-export feature in virtual router '), Field(node,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#228:00011:09", "nwparser.payload", "The auto-route-export feature in virtual router %{node->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg230 = msg("00011:09", part394); + +var part395 = // "Pattern{Constant('The maximum number of routes that can be created in virtual router '), Field(node,true), Constant(' is '), Field(fld2,false)}" +match("MESSAGE#229:00011:10", "nwparser.payload", "The maximum number of routes that can be created in virtual router %{node->} is %{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg231 = msg("00011:10", part395); + +var part396 = // "Pattern{Constant('The maximum routes limit in virtual router '), Field(node,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#230:00011:11", "nwparser.payload", "The maximum routes limit in virtual router %{node->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg232 = msg("00011:11", part396); + +var part397 = // "Pattern{Constant('The router-id of virtual router '), Field(node,true), Constant(' used by OSPF BGP routing instances id has been uninitialized')}" +match("MESSAGE#231:00011:12", "nwparser.payload", "The router-id of virtual router %{node->} used by OSPF BGP routing instances id has been uninitialized", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg233 = msg("00011:12", part397); + +var part398 = // "Pattern{Constant('The router-id that can be used by OSPF BGP routing instances in virtual router '), Field(node,true), Constant(' has been set to '), Field(fld2,false)}" +match("MESSAGE#232:00011:13", "nwparser.payload", "The router-id that can be used by OSPF BGP routing instances in virtual router %{node->} has been set to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg234 = msg("00011:13", part398); + +var part399 = // "Pattern{Constant('The routing preference for protocol '), Field(protocol,true), Constant(' in virtual router '), Field(node,true), Constant(' has been '), Field(p0,false)}" +match("MESSAGE#233:00011:14/0", "nwparser.payload", "The routing preference for protocol %{protocol->} in virtual router %{node->} has been %{p0}"); + +var part400 = // "Pattern{Constant('reset'), Field(,false)}" +match("MESSAGE#233:00011:14/1_1", "nwparser.p0", "reset%{}"); + +var select91 = linear_select([ + dup134, + part400, +]); + +var all77 = all_match({ + processors: [ + part399, + select91, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg235 = msg("00011:14", all77); + +var part401 = // "Pattern{Constant('The system default-route in virtual router '), Field(node,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#234:00011:15", "nwparser.payload", "The system default-route in virtual router %{node->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg236 = msg("00011:15", part401); + +var part402 = // "Pattern{Constant('The system default-route through virtual router '), Field(node,true), Constant(' has been added in virtual router '), Field(fld2,false)}" +match("MESSAGE#235:00011:16", "nwparser.payload", "The system default-route through virtual router %{node->} has been added in virtual router %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg237 = msg("00011:16", part402); + +var part403 = // "Pattern{Constant('The virtual router '), Field(node,true), Constant(' has been made '), Field(p0,false)}" +match("MESSAGE#236:00011:17/0", "nwparser.payload", "The virtual router %{node->} has been made %{p0}"); + +var part404 = // "Pattern{Constant('sharable'), Field(,false)}" +match("MESSAGE#236:00011:17/1_0", "nwparser.p0", "sharable%{}"); + +var part405 = // "Pattern{Constant('unsharable'), Field(,false)}" +match("MESSAGE#236:00011:17/1_1", "nwparser.p0", "unsharable%{}"); + +var part406 = // "Pattern{Constant('default virtual router for virtual system '), Field(fld2,false)}" +match("MESSAGE#236:00011:17/1_2", "nwparser.p0", "default virtual router for virtual system %{fld2}"); + +var select92 = linear_select([ + part404, + part405, + part406, +]); + +var all78 = all_match({ + processors: [ + part403, + select92, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg238 = msg("00011:17", all78); + +var part407 = // "Pattern{Constant('Source route(s) '), Field(p0,false)}" +match("MESSAGE#237:00011:18/0_0", "nwparser.payload", "Source route(s) %{p0}"); + +var part408 = // "Pattern{Constant('A source route '), Field(p0,false)}" +match("MESSAGE#237:00011:18/0_1", "nwparser.payload", "A source route %{p0}"); + +var select93 = linear_select([ + part407, + part408, +]); + +var part409 = // "Pattern{Constant('in virtual router '), Field(node,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#237:00011:18/1", "nwparser.p0", "in virtual router %{node->} %{p0}"); + +var part410 = // "Pattern{Constant('with route addresses of '), Field(p0,false)}" +match("MESSAGE#237:00011:18/2_0", "nwparser.p0", "with route addresses of %{p0}"); + +var part411 = // "Pattern{Constant('that has IP address '), Field(p0,false)}" +match("MESSAGE#237:00011:18/2_1", "nwparser.p0", "that has IP address %{p0}"); + +var select94 = linear_select([ + part410, + part411, +]); + +var part412 = // "Pattern{Constant(''), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' through interface '), Field(interface,true), Constant(' and '), Field(p0,false)}" +match("MESSAGE#237:00011:18/3", "nwparser.p0", "%{hostip}/%{fld2->} through interface %{interface->} and %{p0}"); + +var part413 = // "Pattern{Constant('a default gateway address '), Field(p0,false)}" +match("MESSAGE#237:00011:18/4_0", "nwparser.p0", "a default gateway address %{p0}"); + +var select95 = linear_select([ + part413, + dup135, +]); + +var part414 = // "Pattern{Constant(''), Field(fld3,true), Constant(' with metric '), Field(fld4,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#237:00011:18/5", "nwparser.p0", "%{fld3->} with metric %{fld4->} %{p0}"); + +var all79 = all_match({ + processors: [ + select93, + part409, + select94, + part412, + select95, + part414, + dup352, + dup128, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg239 = msg("00011:18", all79); + +var part415 = // "Pattern{Constant('Source Route(s) in virtual router '), Field(node,true), Constant(' with '), Field(p0,false)}" +match("MESSAGE#238:00011:19/0", "nwparser.payload", "Source Route(s) in virtual router %{node->} with %{p0}"); + +var part416 = // "Pattern{Constant('route addresses of '), Field(p0,false)}" +match("MESSAGE#238:00011:19/1_0", "nwparser.p0", "route addresses of %{p0}"); + +var part417 = // "Pattern{Constant('an IP address '), Field(p0,false)}" +match("MESSAGE#238:00011:19/1_1", "nwparser.p0", "an IP address %{p0}"); + +var select96 = linear_select([ + part416, + part417, +]); + +var part418 = // "Pattern{Constant(''), Field(hostip,false), Constant('/'), Field(fld3,true), Constant(' and '), Field(p0,false)}" +match("MESSAGE#238:00011:19/2", "nwparser.p0", "%{hostip}/%{fld3->} and %{p0}"); + +var part419 = // "Pattern{Constant('a default gateway address of '), Field(p0,false)}" +match("MESSAGE#238:00011:19/3_0", "nwparser.p0", "a default gateway address of %{p0}"); + +var select97 = linear_select([ + part419, + dup135, +]); + +var part420 = // "Pattern{Constant(''), Field(fld4,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#238:00011:19/4", "nwparser.p0", "%{fld4->} %{p0}"); + +var part421 = // "Pattern{Constant('has been'), Field(p0,false)}" +match("MESSAGE#238:00011:19/5_1", "nwparser.p0", "has been%{p0}"); + +var select98 = linear_select([ + dup107, + part421, +]); + +var all80 = all_match({ + processors: [ + part415, + select96, + part418, + select97, + part420, + select98, + dup136, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg240 = msg("00011:19", all80); + +var part422 = // "Pattern{Field(fld2,false), Constant(': A '), Field(p0,false)}" +match("MESSAGE#239:00011:20/0_0", "nwparser.payload", "%{fld2}: A %{p0}"); + +var select99 = linear_select([ + part422, + dup79, +]); + +var part423 = // "Pattern{Constant('route has been created in virtual router "'), Field(node,false), Constant('"'), Field(space,false), Constant('with an IP address '), Field(hostip,true), Constant(' and next-hop as virtual router "'), Field(fld3,false), Constant('"')}" +match("MESSAGE#239:00011:20/1", "nwparser.p0", "route has been created in virtual router \"%{node}\"%{space}with an IP address %{hostip->} and next-hop as virtual router \"%{fld3}\""); + +var all81 = all_match({ + processors: [ + select99, + part423, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg241 = msg("00011:20", all81); + +var part424 = // "Pattern{Constant('SIBR route(s) in virtual router '), Field(node,true), Constant(' for interface '), Field(interface,true), Constant(' with an IP address '), Field(hostip,true), Constant(' and gateway '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#240:00011:21", "nwparser.payload", "SIBR route(s) in virtual router %{node->} for interface %{interface->} with an IP address %{hostip->} and gateway %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg242 = msg("00011:21", part424); + +var part425 = // "Pattern{Constant('SIBR route in virtual router '), Field(node,true), Constant(' for interface '), Field(interface,true), Constant(' that has IP address '), Field(hostip,true), Constant(' through interface '), Field(fld3,true), Constant(' and gateway '), Field(fld4,true), Constant(' with metric '), Field(fld5,true), Constant(' was '), Field(disposition,false)}" +match("MESSAGE#241:00011:22", "nwparser.payload", "SIBR route in virtual router %{node->} for interface %{interface->} that has IP address %{hostip->} through interface %{fld3->} and gateway %{fld4->} with metric %{fld5->} was %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg243 = msg("00011:22", part425); + +var all82 = all_match({ + processors: [ + dup132, + dup345, + dup131, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + call({ + dest: "nwparser.inout", + fn: DIRCHK, + args: [ + field("$IN"), + field("saddr"), + field("daddr"), + ], + }), + ]), +}); + +var msg244 = msg("00011:23", all82); + +var part426 = // "Pattern{Constant('Route in virtual router "'), Field(node,false), Constant('" that has IP address '), Field(hostip,true), Constant(' through interface '), Field(interface,true), Constant(' and gateway '), Field(fld2,true), Constant(' with metric '), Field(fld3,true), Constant(' '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#243:00011:24", "nwparser.payload", "Route in virtual router \"%{node}\" that has IP address %{hostip->} through interface %{interface->} and gateway %{fld2->} with metric %{fld3->} %{disposition}. (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg245 = msg("00011:24", part426); + +var part427 = // "Pattern{Constant('Route(s) in virtual router "'), Field(node,false), Constant('" with an IP address '), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' and gateway '), Field(fld3,true), Constant(' '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#244:00011:25", "nwparser.payload", "Route(s) in virtual router \"%{node}\" with an IP address %{hostip}/%{fld2->} and gateway %{fld3->} %{disposition}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg246 = msg("00011:25", part427); + +var part428 = // "Pattern{Constant('Route in virtual router "'), Field(node,false), Constant('" with IP address '), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' and next-hop as virtual router "'), Field(fld3,false), Constant('" created. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#245:00011:26", "nwparser.payload", "Route in virtual router \"%{node}\" with IP address %{hostip}/%{fld2->} and next-hop as virtual router \"%{fld3}\" created. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg247 = msg("00011:26", part428); + +var select100 = linear_select([ + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, + msg228, + msg229, + msg230, + msg231, + msg232, + msg233, + msg234, + msg235, + msg236, + msg237, + msg238, + msg239, + msg240, + msg241, + msg242, + msg243, + msg244, + msg245, + msg246, + msg247, +]); + +var part429 = // "Pattern{Constant('Service group '), Field(group,true), Constant(' comments have been '), Field(disposition,false)}" +match("MESSAGE#246:00012:02", "nwparser.payload", "Service group %{group->} comments have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg248 = msg("00012:02", part429); + +var part430 = // "Pattern{Constant('Service group '), Field(change_old,true), Constant(' '), Field(change_attribute,true), Constant(' has been changed to '), Field(change_new,false)}" +match("MESSAGE#247:00012:03", "nwparser.payload", "Service group %{change_old->} %{change_attribute->} has been changed to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg249 = msg("00012:03", part430); + +var part431 = // "Pattern{Field(fld2,true), Constant(' Service group '), Field(group,true), Constant(' has '), Field(disposition,true), Constant(' member '), Field(username,true), Constant(' from host '), Field(saddr,false)}" +match("MESSAGE#248:00012:04", "nwparser.payload", "%{fld2->} Service group %{group->} has %{disposition->} member %{username->} from host %{saddr}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg250 = msg("00012:04", part431); + +var part432 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(fld2,false), Constant(') ('), Field(fld3,false), Constant(')')}" +match("MESSAGE#249:00012:05", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2}) (%{fld3})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, +])); + +var msg251 = msg("00012:05", part432); + +var part433 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#250:00012:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup59, + dup61, +])); + +var msg252 = msg("00012:06", part433); + +var part434 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#251:00012:07", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, + dup59, +])); + +var msg253 = msg("00012:07", part434); + +var part435 = // "Pattern{Field(fld2,false), Constant(': Service '), Field(service,true), Constant(' has been '), Field(disposition,true), Constant(' from host '), Field(saddr,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#252:00012:08", "nwparser.payload", "%{fld2}: Service %{service->} has been %{disposition->} from host %{saddr->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg254 = msg("00012:08", part435); + +var all83 = all_match({ + processors: [ + dup80, + dup345, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup9, + dup3, + dup4, + dup5, + dup61, + ]), +}); + +var msg255 = msg("00012:09", all83); + +var all84 = all_match({ + processors: [ + dup132, + dup345, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + dup60, + ]), +}); + +var msg256 = msg("00012:10", all84); + +var part436 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#255:00012:11", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup59, + dup5, + dup9, + dup61, +])); + +var msg257 = msg("00012:11", part436); + +var part437 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(zone,false), Constant(') '), Field(info,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#256:00012:12", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{zone}) %{info->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg258 = msg("00012:12", part437); + +var part438 = // "Pattern{Constant('Service group '), Field(group,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#257:00012", "nwparser.payload", "Service group %{group->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg259 = msg("00012", part438); + +var part439 = // "Pattern{Constant('Service '), Field(service,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#258:00012:01", "nwparser.payload", "Service %{service->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg260 = msg("00012:01", part439); + +var select101 = linear_select([ + msg248, + msg249, + msg250, + msg251, + msg252, + msg253, + msg254, + msg255, + msg256, + msg257, + msg258, + msg259, + msg260, +]); + +var part440 = // "Pattern{Constant('Global Manager error in decoding bytes has been detected'), Field(,false)}" +match("MESSAGE#259:00013", "nwparser.payload", "Global Manager error in decoding bytes has been detected%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, +])); + +var msg261 = msg("00013", part440); + +var part441 = // "Pattern{Constant('Intruder has attempted to connect to the NetScreen-Global Manager port! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' at interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#260:00013:01", "nwparser.payload", "Intruder has attempted to connect to the NetScreen-Global Manager port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, + setc("signame","An Attempt to connect to NetScreen-Global Manager Port."), +])); + +var msg262 = msg("00013:01", part441); + +var part442 = // "Pattern{Constant('URL Filtering '), Field(fld2,true), Constant(' has been changed to '), Field(fld3,false)}" +match("MESSAGE#261:00013:02", "nwparser.payload", "URL Filtering %{fld2->} has been changed to %{fld3}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg263 = msg("00013:02", part442); + +var part443 = // "Pattern{Constant('Web Filtering has been '), Field(disposition,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#262:00013:03", "nwparser.payload", "Web Filtering has been %{disposition->} (%{fld1})", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup4, + dup5, + dup9, +])); + +var msg264 = msg("00013:03", part443); + +var select102 = linear_select([ + msg261, + msg262, + msg263, + msg264, +]); + +var part444 = // "Pattern{Field(change_attribute,true), Constant(' in minutes has changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#263:00014", "nwparser.payload", "%{change_attribute->} in minutes has changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg265 = msg("00014", part444); + +var part445 = // "Pattern{Constant('The group member '), Field(username,true), Constant(' has been '), Field(disposition,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#264:00014:01/0", "nwparser.payload", "The group member %{username->} has been %{disposition->} %{p0}"); + +var part446 = // "Pattern{Constant('to a group'), Field(,false)}" +match("MESSAGE#264:00014:01/1_0", "nwparser.p0", "to a group%{}"); + +var part447 = // "Pattern{Constant('from a group'), Field(,false)}" +match("MESSAGE#264:00014:01/1_1", "nwparser.p0", "from a group%{}"); + +var select103 = linear_select([ + part446, + part447, +]); + +var all85 = all_match({ + processors: [ + part445, + select103, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg266 = msg("00014:01", all85); + +var part448 = // "Pattern{Constant('The user group '), Field(group,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,false)}" +match("MESSAGE#265:00014:02", "nwparser.payload", "The user group %{group->} has been %{disposition->} by %{username}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg267 = msg("00014:02", part448); + +var part449 = // "Pattern{Constant('The user '), Field(username,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(administrator,false)}" +match("MESSAGE#266:00014:03", "nwparser.payload", "The user %{username->} has been %{disposition->} by %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg268 = msg("00014:03", part449); + +var part450 = // "Pattern{Constant('Communication error with '), Field(hostname,true), Constant(' server { '), Field(hostip,true), Constant(' }: SrvErr ('), Field(fld2,false), Constant('), SockErr ('), Field(fld3,false), Constant('), Valid ('), Field(fld4,false), Constant('),Connected ('), Field(fld5,false), Constant(')')}" +match("MESSAGE#267:00014:04", "nwparser.payload", "Communication error with %{hostname->} server { %{hostip->} }: SrvErr (%{fld2}), SockErr (%{fld3}), Valid (%{fld4}),Connected (%{fld5})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg269 = msg("00014:04", part450); + +var part451 = // "Pattern{Constant('System clock configurations have been '), Field(disposition,true), Constant(' by admin '), Field(administrator,false)}" +match("MESSAGE#268:00014:05", "nwparser.payload", "System clock configurations have been %{disposition->} by admin %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg270 = msg("00014:05", part451); + +var part452 = // "Pattern{Constant('System clock is '), Field(disposition,true), Constant(' manually.')}" +match("MESSAGE#269:00014:06", "nwparser.payload", "System clock is %{disposition->} manually.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg271 = msg("00014:06", part452); + +var part453 = // "Pattern{Constant('System up time is '), Field(disposition,true), Constant(' by '), Field(fld2,false)}" +match("MESSAGE#270:00014:07", "nwparser.payload", "System up time is %{disposition->} by %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg272 = msg("00014:07", part453); + +var part454 = // "Pattern{Constant('Communication error with '), Field(hostname,true), Constant(' server['), Field(hostip,false), Constant(']: SrvErr('), Field(fld2,false), Constant('),SockErr('), Field(fld3,false), Constant('),Valid('), Field(fld4,false), Constant('),Connected('), Field(fld5,false), Constant(') ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#271:00014:08", "nwparser.payload", "Communication error with %{hostname->} server[%{hostip}]: SrvErr(%{fld2}),SockErr(%{fld3}),Valid(%{fld4}),Connected(%{fld5}) (%{fld1})", processor_chain([ + dup27, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg273 = msg("00014:08", part454); + +var select104 = linear_select([ + msg265, + msg266, + msg267, + msg268, + msg269, + msg270, + msg271, + msg272, + msg273, +]); + +var part455 = // "Pattern{Constant('Authentication type has been changed to '), Field(authmethod,false)}" +match("MESSAGE#272:00015", "nwparser.payload", "Authentication type has been changed to %{authmethod}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg274 = msg("00015", part455); + +var part456 = // "Pattern{Constant('IP tracking to '), Field(daddr,true), Constant(' has '), Field(disposition,false)}" +match("MESSAGE#273:00015:01", "nwparser.payload", "IP tracking to %{daddr->} has %{disposition}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, +])); + +var msg275 = msg("00015:01", part456); + +var part457 = // "Pattern{Constant('LDAP '), Field(p0,false)}" +match("MESSAGE#274:00015:02/0", "nwparser.payload", "LDAP %{p0}"); + +var part458 = // "Pattern{Constant('server name '), Field(p0,false)}" +match("MESSAGE#274:00015:02/1_0", "nwparser.p0", "server name %{p0}"); + +var part459 = // "Pattern{Constant('distinguished name '), Field(p0,false)}" +match("MESSAGE#274:00015:02/1_2", "nwparser.p0", "distinguished name %{p0}"); + +var part460 = // "Pattern{Constant('common name '), Field(p0,false)}" +match("MESSAGE#274:00015:02/1_3", "nwparser.p0", "common name %{p0}"); + +var select105 = linear_select([ + part458, + dup137, + part459, + part460, +]); + +var all86 = all_match({ + processors: [ + part457, + select105, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg276 = msg("00015:02", all86); + +var part461 = // "Pattern{Constant('Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link'), Field(,false)}" +match("MESSAGE#275:00015:03", "nwparser.payload", "Primary HA link has gone down. Local NetScreen device has begun using the secondary HA link%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg277 = msg("00015:03", part461); + +var part462 = // "Pattern{Constant('RADIUS server '), Field(p0,false)}" +match("MESSAGE#276:00015:04/0", "nwparser.payload", "RADIUS server %{p0}"); + +var part463 = // "Pattern{Constant('secret '), Field(p0,false)}" +match("MESSAGE#276:00015:04/1_2", "nwparser.p0", "secret %{p0}"); + +var select106 = linear_select([ + dup139, + dup140, + part463, +]); + +var all87 = all_match({ + processors: [ + part462, + select106, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg278 = msg("00015:04", all87); + +var part464 = // "Pattern{Constant('SecurID '), Field(p0,false)}" +match("MESSAGE#277:00015:05/0", "nwparser.payload", "SecurID %{p0}"); + +var part465 = // "Pattern{Constant('authentication port '), Field(p0,false)}" +match("MESSAGE#277:00015:05/1_0", "nwparser.p0", "authentication port %{p0}"); + +var part466 = // "Pattern{Constant('duress mode '), Field(p0,false)}" +match("MESSAGE#277:00015:05/1_1", "nwparser.p0", "duress mode %{p0}"); + +var part467 = // "Pattern{Constant('number of retries value '), Field(p0,false)}" +match("MESSAGE#277:00015:05/1_3", "nwparser.p0", "number of retries value %{p0}"); + +var select107 = linear_select([ + part465, + part466, + dup76, + part467, +]); + +var all88 = all_match({ + processors: [ + part464, + select107, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg279 = msg("00015:05", all88); + +var part468 = // "Pattern{Constant('Master '), Field(p0,false)}" +match("MESSAGE#278:00015:06/0_0", "nwparser.payload", "Master %{p0}"); + +var part469 = // "Pattern{Constant('Backup '), Field(p0,false)}" +match("MESSAGE#278:00015:06/0_1", "nwparser.payload", "Backup %{p0}"); + +var select108 = linear_select([ + part468, + part469, +]); + +var part470 = // "Pattern{Constant('SecurID server IP address has been '), Field(disposition,false)}" +match("MESSAGE#278:00015:06/1", "nwparser.p0", "SecurID server IP address has been %{disposition}"); + +var all89 = all_match({ + processors: [ + select108, + part470, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg280 = msg("00015:06", all89); + +var part471 = // "Pattern{Constant('HA change from slave to master'), Field(,false)}" +match("MESSAGE#279:00015:07", "nwparser.payload", "HA change from slave to master%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg281 = msg("00015:07", part471); + +var part472 = // "Pattern{Constant('inconsistent configuration between master and slave'), Field(,false)}" +match("MESSAGE#280:00015:08", "nwparser.payload", "inconsistent configuration between master and slave%{}", processor_chain([ + dup141, + dup2, + dup3, + dup4, + dup5, +])); + +var msg282 = msg("00015:08", part472); + +var part473 = // "Pattern{Constant('configuration '), Field(p0,false)}" +match("MESSAGE#281:00015:09/0_0", "nwparser.payload", "configuration %{p0}"); + +var part474 = // "Pattern{Constant('Configuration '), Field(p0,false)}" +match("MESSAGE#281:00015:09/0_1", "nwparser.payload", "Configuration %{p0}"); + +var select109 = linear_select([ + part473, + part474, +]); + +var part475 = // "Pattern{Constant('out of sync between local unit and remote unit'), Field(,false)}" +match("MESSAGE#281:00015:09/1", "nwparser.p0", "out of sync between local unit and remote unit%{}"); + +var all90 = all_match({ + processors: [ + select109, + part475, + ], + on_success: processor_chain([ + dup141, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg283 = msg("00015:09", all90); + +var part476 = // "Pattern{Constant('HA control channel change to '), Field(interface,false)}" +match("MESSAGE#282:00015:10", "nwparser.payload", "HA control channel change to %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg284 = msg("00015:10", part476); + +var part477 = // "Pattern{Constant('HA data channel change to '), Field(interface,false)}" +match("MESSAGE#283:00015:11", "nwparser.payload", "HA data channel change to %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg285 = msg("00015:11", part477); + +var part478 = // "Pattern{Constant('control '), Field(p0,false)}" +match("MESSAGE#284:00015:12/1_0", "nwparser.p0", "control %{p0}"); + +var part479 = // "Pattern{Constant('data '), Field(p0,false)}" +match("MESSAGE#284:00015:12/1_1", "nwparser.p0", "data %{p0}"); + +var select110 = linear_select([ + part478, + part479, +]); + +var part480 = // "Pattern{Constant('channel moved from link '), Field(p0,false)}" +match("MESSAGE#284:00015:12/2", "nwparser.p0", "channel moved from link %{p0}"); + +var part481 = // "Pattern{Constant('('), Field(interface,false), Constant(')')}" +match("MESSAGE#284:00015:12/6", "nwparser.p0", "(%{interface})"); + +var all91 = all_match({ + processors: [ + dup87, + select110, + part480, + dup355, + dup103, + dup355, + part481, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg286 = msg("00015:12", all91); + +var part482 = // "Pattern{Constant('HA: Slave is down'), Field(,false)}" +match("MESSAGE#285:00015:13", "nwparser.payload", "HA: Slave is down%{}", processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, +])); + +var msg287 = msg("00015:13", part482); + +var part483 = // "Pattern{Constant('NSRP link '), Field(p0,false)}" +match("MESSAGE#286:00015:14/0", "nwparser.payload", "NSRP link %{p0}"); + +var all92 = all_match({ + processors: [ + part483, + dup355, + dup116, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg288 = msg("00015:14", all92); + +var part484 = // "Pattern{Constant('no HA '), Field(fld2,true), Constant(' channel available ('), Field(fld3,true), Constant(' used by other channel)')}" +match("MESSAGE#287:00015:15", "nwparser.payload", "no HA %{fld2->} channel available (%{fld3->} used by other channel)", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, +])); + +var msg289 = msg("00015:15", part484); + +var part485 = // "Pattern{Constant('The NSRP configuration is out of synchronization between the local device and the peer device.'), Field(,false)}" +match("MESSAGE#288:00015:16", "nwparser.payload", "The NSRP configuration is out of synchronization between the local device and the peer device.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg290 = msg("00015:16", part485); + +var part486 = // "Pattern{Constant('NSRP '), Field(change_attribute,true), Constant(' '), Field(change_old,true), Constant(' changed to link channel '), Field(change_new,false)}" +match("MESSAGE#289:00015:17", "nwparser.payload", "NSRP %{change_attribute->} %{change_old->} changed to link channel %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg291 = msg("00015:17", part486); + +var part487 = // "Pattern{Constant('RTO mirror group '), Field(group,true), Constant(' with direction '), Field(direction,true), Constant(' on peer device '), Field(fld2,true), Constant(' changed from '), Field(fld3,true), Constant(' to '), Field(fld4,true), Constant(' state.')}" +match("MESSAGE#290:00015:18", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on peer device %{fld2->} changed from %{fld3->} to %{fld4->} state.", processor_chain([ + dup121, + dup2, + dup3, + dup4, + dup5, + setc("change_attribute","RTO mirror group"), +])); + +var msg292 = msg("00015:18", part487); + +var part488 = // "Pattern{Constant('RTO mirror group '), Field(group,true), Constant(' with direction '), Field(direction,true), Constant(' on local device '), Field(fld2,false), Constant(', detected a duplicate direction on the peer device '), Field(fld3,false)}" +match("MESSAGE#291:00015:19", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} on local device %{fld2}, detected a duplicate direction on the peer device %{fld3}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg293 = msg("00015:19", part488); + +var part489 = // "Pattern{Constant('RTO mirror group '), Field(group,true), Constant(' with direction '), Field(direction,true), Constant(' changed on the local device from '), Field(fld2,true), Constant(' to up state, it had peer device '), Field(fld3,false)}" +match("MESSAGE#292:00015:20", "nwparser.payload", "RTO mirror group %{group->} with direction %{direction->} changed on the local device from %{fld2->} to up state, it had peer device %{fld3}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg294 = msg("00015:20", part489); + +var part490 = // "Pattern{Constant('Peer device '), Field(fld2,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#293:00015:21/0", "nwparser.payload", "Peer device %{fld2->} %{p0}"); + +var part491 = // "Pattern{Constant('disappeared '), Field(p0,false)}" +match("MESSAGE#293:00015:21/1_0", "nwparser.p0", "disappeared %{p0}"); + +var part492 = // "Pattern{Constant('was discovered '), Field(p0,false)}" +match("MESSAGE#293:00015:21/1_1", "nwparser.p0", "was discovered %{p0}"); + +var select111 = linear_select([ + part491, + part492, +]); + +var all93 = all_match({ + processors: [ + part490, + select111, + dup116, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg295 = msg("00015:21", all93); + +var part493 = // "Pattern{Constant('The local '), Field(p0,false)}" +match("MESSAGE#294:00015:22/0_0", "nwparser.payload", "The local %{p0}"); + +var part494 = // "Pattern{Constant('The peer '), Field(p0,false)}" +match("MESSAGE#294:00015:22/0_1", "nwparser.payload", "The peer %{p0}"); + +var part495 = // "Pattern{Constant('Peer '), Field(p0,false)}" +match("MESSAGE#294:00015:22/0_2", "nwparser.payload", "Peer %{p0}"); + +var select112 = linear_select([ + part493, + part494, + part495, +]); + +var part496 = // "Pattern{Constant('device '), Field(fld2,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' changed '), Field(change_attribute,true), Constant(' from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#294:00015:22/1", "nwparser.p0", "device %{fld2->} in the Virtual Security Device group %{group->} changed %{change_attribute->} from %{change_old->} to %{change_new->} %{p0}"); + +var all94 = all_match({ + processors: [ + select112, + part496, + dup356, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg296 = msg("00015:22", all94); + +var part497 = // "Pattern{Constant('WebAuth is set to '), Field(fld2,false)}" +match("MESSAGE#295:00015:23", "nwparser.payload", "WebAuth is set to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg297 = msg("00015:23", part497); + +var part498 = // "Pattern{Constant('Default firewall authentication server has been changed to '), Field(hostname,false)}" +match("MESSAGE#296:00015:24", "nwparser.payload", "Default firewall authentication server has been changed to %{hostname}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg298 = msg("00015:24", part498); + +var part499 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' attempted to verify the encrypted password '), Field(fld2,false), Constant('. Verification was successful')}" +match("MESSAGE#297:00015:25", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification was successful", processor_chain([ + setc("eventcategory","1613050100"), + dup2, + dup3, + dup4, + dup5, +])); + +var msg299 = msg("00015:25", part499); + +var part500 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' attempted to verify the encrypted password '), Field(fld2,false), Constant('. Verification failed')}" +match("MESSAGE#298:00015:29", "nwparser.payload", "Admin user %{administrator->} attempted to verify the encrypted password %{fld2}. Verification failed", processor_chain([ + dup97, + dup2, + dup3, + dup4, + dup5, +])); + +var msg300 = msg("00015:29", part500); + +var part501 = // "Pattern{Constant('unit '), Field(fld2,true), Constant(' just dis'), Field(p0,false)}" +match("MESSAGE#299:00015:26/0", "nwparser.payload", "unit %{fld2->} just dis%{p0}"); + +var part502 = // "Pattern{Constant('appeared'), Field(,false)}" +match("MESSAGE#299:00015:26/1_0", "nwparser.p0", "appeared%{}"); + +var part503 = // "Pattern{Constant('covered'), Field(,false)}" +match("MESSAGE#299:00015:26/1_1", "nwparser.p0", "covered%{}"); + +var select113 = linear_select([ + part502, + part503, +]); + +var all95 = all_match({ + processors: [ + part501, + select113, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg301 = msg("00015:26", all95); + +var part504 = // "Pattern{Constant('NSRP: HA data channel change to '), Field(interface,false), Constant('. ('), Field(fld2,false), Constant(')')}" +match("MESSAGE#300:00015:33", "nwparser.payload", "NSRP: HA data channel change to %{interface}. (%{fld2})", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + dup146, +])); + +var msg302 = msg("00015:33", part504); + +var part505 = // "Pattern{Constant('NSRP: '), Field(fld2,false)}" +match("MESSAGE#301:00015:27", "nwparser.payload", "NSRP: %{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg303 = msg("00015:27", part505); + +var part506 = // "Pattern{Constant('Auth server '), Field(hostname,true), Constant(' RADIUS retry timeout has been set to default of '), Field(fld2,false)}" +match("MESSAGE#302:00015:28", "nwparser.payload", "Auth server %{hostname->} RADIUS retry timeout has been set to default of %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg304 = msg("00015:28", part506); + +var part507 = // "Pattern{Constant('Number of RADIUS retries for auth server '), Field(hostname,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#303:00015:30/0", "nwparser.payload", "Number of RADIUS retries for auth server %{hostname->} %{p0}"); + +var part508 = // "Pattern{Constant('set to '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#303:00015:30/2", "nwparser.p0", "set to %{fld2->} (%{fld1})"); + +var all96 = all_match({ + processors: [ + part507, + dup357, + part508, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg305 = msg("00015:30", all96); + +var part509 = // "Pattern{Constant('Forced timeout for Auth server '), Field(hostname,true), Constant(' is unset to its default value, '), Field(info,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#304:00015:31", "nwparser.payload", "Forced timeout for Auth server %{hostname->} is unset to its default value, %{info->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg306 = msg("00015:31", part509); + +var part510 = // "Pattern{Constant('Accounting port of server RADIUS is set to '), Field(network_port,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#305:00015:32", "nwparser.payload", "Accounting port of server RADIUS is set to %{network_port}. (%{fld1})", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup4, + dup5, + dup9, +])); + +var msg307 = msg("00015:32", part510); + +var select114 = linear_select([ + msg274, + msg275, + msg276, + msg277, + msg278, + msg279, + msg280, + msg281, + msg282, + msg283, + msg284, + msg285, + msg286, + msg287, + msg288, + msg289, + msg290, + msg291, + msg292, + msg293, + msg294, + msg295, + msg296, + msg297, + msg298, + msg299, + msg300, + msg301, + msg302, + msg303, + msg304, + msg305, + msg306, + msg307, +]); + +var part511 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#306:00016", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, +])); + +var msg308 = msg("00016", part511); + +var part512 = // "Pattern{Constant('Address VIP ('), Field(fld2,false), Constant(') for '), Field(fld3,true), Constant(' has been '), Field(disposition,false), Constant('.')}" +match("MESSAGE#307:00016:01", "nwparser.payload", "Address VIP (%{fld2}) for %{fld3->} has been %{disposition}.", processor_chain([ + dup1, + dup148, + dup149, + dup150, + dup2, + dup3, + dup4, + dup5, +])); + +var msg309 = msg("00016:01", part512); + +var part513 = // "Pattern{Constant('VIP ('), Field(fld2,false), Constant(') has been '), Field(disposition,false)}" +match("MESSAGE#308:00016:02", "nwparser.payload", "VIP (%{fld2}) has been %{disposition}", processor_chain([ + dup1, + dup148, + dup149, + dup150, + dup2, + dup3, + dup4, + dup5, +])); + +var msg310 = msg("00016:02", part513); + +var part514 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(fld2,false), Constant(')')}" +match("MESSAGE#309:00016:03", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{fld2})", processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup3, + dup4, + dup5, +])); + +var msg311 = msg("00016:03", part514); + +var part515 = // "Pattern{Constant('VIP multi-port was '), Field(disposition,false)}" +match("MESSAGE#310:00016:05", "nwparser.payload", "VIP multi-port was %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg312 = msg("00016:05", part515); + +var part516 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#311:00016:06", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, +])); + +var msg313 = msg("00016:06", part516); + +var part517 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' ( zone '), Field(p0,false)}" +match("MESSAGE#312:00016:07/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} ( zone %{p0}"); + +var all97 = all_match({ + processors: [ + part517, + dup340, + dup67, + ], + on_success: processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), +}); + +var msg314 = msg("00016:07", all97); + +var part518 = // "Pattern{Constant('VIP ('), Field(fld2,false), Constant(':'), Field(fld3,true), Constant(' HTTP '), Field(fld4,false), Constant(') Modify by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#313:00016:08", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) Modify by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + setc("eventcategory","1001020305"), + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg315 = msg("00016:08", part518); + +var part519 = // "Pattern{Constant('VIP ('), Field(fld2,false), Constant(':'), Field(fld3,true), Constant(' HTTP '), Field(fld4,false), Constant(') New by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#314:00016:09", "nwparser.payload", "VIP (%{fld2}:%{fld3->} HTTP %{fld4}) New by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + setc("eventcategory","1001030305"), + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg316 = msg("00016:09", part519); + +var select115 = linear_select([ + msg308, + msg309, + msg310, + msg311, + msg312, + msg313, + msg314, + msg315, + msg316, +]); + +var part520 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#315:00017", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup151, + dup2, + dup3, + dup59, + dup4, + dup5, +])); + +var msg317 = msg("00017", part520); + +var part521 = // "Pattern{Constant('Gateway '), Field(fld2,true), Constant(' at '), Field(fld3,true), Constant(' in '), Field(fld5,true), Constant(' mode with ID '), Field(p0,false)}" +match("MESSAGE#316:00017:23/0", "nwparser.payload", "Gateway %{fld2->} at %{fld3->} in %{fld5->} mode with ID %{p0}"); + +var part522 = // "Pattern{Constant('['), Field(fld4,false), Constant('] '), Field(p0,false)}" +match("MESSAGE#316:00017:23/1_0", "nwparser.p0", "[%{fld4}] %{p0}"); + +var part523 = // "Pattern{Field(fld4,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#316:00017:23/1_1", "nwparser.p0", "%{fld4->} %{p0}"); + +var select116 = linear_select([ + part522, + part523, +]); + +var part524 = // "Pattern{Constant('has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' '), Field(fld,false)}" +match("MESSAGE#316:00017:23/2", "nwparser.p0", "has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} %{fld}"); + +var all98 = all_match({ + processors: [ + part521, + select116, + part524, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg318 = msg("00017:23", all98); + +var part525 = // "Pattern{Field(fld1,false), Constant(': Gateway '), Field(p0,false)}" +match("MESSAGE#317:00017:01/0_0", "nwparser.payload", "%{fld1}: Gateway %{p0}"); + +var part526 = // "Pattern{Constant('Gateway '), Field(p0,false)}" +match("MESSAGE#317:00017:01/0_1", "nwparser.payload", "Gateway %{p0}"); + +var select117 = linear_select([ + part525, + part526, +]); + +var part527 = // "Pattern{Constant(''), Field(fld2,true), Constant(' at '), Field(fld3,true), Constant(' in '), Field(fld5,true), Constant(' mode with ID'), Field(p0,false)}" +match("MESSAGE#317:00017:01/1", "nwparser.p0", "%{fld2->} at %{fld3->} in %{fld5->} mode with ID%{p0}"); + +var part528 = // "Pattern{Constant(''), Field(fld4,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#317:00017:01/3", "nwparser.p0", "%{fld4->} has been %{disposition}"); + +var all99 = all_match({ + processors: [ + select117, + part527, + dup358, + part528, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg319 = msg("00017:01", all99); + +var part529 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Gateway settings have been '), Field(disposition,false)}" +match("MESSAGE#318:00017:02", "nwparser.payload", "IKE %{hostip}: Gateway settings have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg320 = msg("00017:02", part529); + +var part530 = // "Pattern{Constant('IKE key '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#319:00017:03", "nwparser.payload", "IKE key %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg321 = msg("00017:03", part530); + +var part531 = // "Pattern{Constant(''), Field(group_object,true), Constant(' with range '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#320:00017:04/2", "nwparser.p0", "%{group_object->} with range %{fld2->} has been %{disposition}"); + +var all100 = all_match({ + processors: [ + dup153, + dup359, + part531, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg322 = msg("00017:04", all100); + +var part532 = // "Pattern{Constant('IPSec NAT-T for VPN '), Field(group,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#321:00017:05", "nwparser.payload", "IPSec NAT-T for VPN %{group->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg323 = msg("00017:05", part532); + +var part533 = // "Pattern{Constant('The DF-BIT for VPN '), Field(group,true), Constant(' has been set to '), Field(p0,false)}" +match("MESSAGE#322:00017:06/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been set to %{p0}"); + +var part534 = // "Pattern{Constant('clear '), Field(p0,false)}" +match("MESSAGE#322:00017:06/1_0", "nwparser.p0", "clear %{p0}"); + +var part535 = // "Pattern{Constant('copy '), Field(p0,false)}" +match("MESSAGE#322:00017:06/1_2", "nwparser.p0", "copy %{p0}"); + +var select118 = linear_select([ + part534, + dup101, + part535, +]); + +var all101 = all_match({ + processors: [ + part533, + select118, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg324 = msg("00017:06", all101); + +var part536 = // "Pattern{Constant('The DF-BIT for VPN '), Field(group,true), Constant(' has been '), Field(p0,false)}" +match("MESSAGE#323:00017:07/0", "nwparser.payload", "The DF-BIT for VPN %{group->} has been %{p0}"); + +var part537 = // "Pattern{Constant('clear'), Field(,false)}" +match("MESSAGE#323:00017:07/1_0", "nwparser.p0", "clear%{}"); + +var part538 = // "Pattern{Constant('cleared'), Field(,false)}" +match("MESSAGE#323:00017:07/1_1", "nwparser.p0", "cleared%{}"); + +var part539 = // "Pattern{Constant('copy'), Field(,false)}" +match("MESSAGE#323:00017:07/1_3", "nwparser.p0", "copy%{}"); + +var part540 = // "Pattern{Constant('copied'), Field(,false)}" +match("MESSAGE#323:00017:07/1_4", "nwparser.p0", "copied%{}"); + +var select119 = linear_select([ + part537, + part538, + dup98, + part539, + part540, +]); + +var all102 = all_match({ + processors: [ + part536, + select119, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg325 = msg("00017:07", all102); + +var part541 = // "Pattern{Constant('VPN '), Field(group,true), Constant(' with gateway '), Field(fld2,true), Constant(' and SPI '), Field(fld3,false), Constant('/'), Field(fld4,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#324:00017:08", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and SPI %{fld3}/%{fld4->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg326 = msg("00017:08", part541); + +var part542 = // "Pattern{Field(fld1,false), Constant(': VPN '), Field(p0,false)}" +match("MESSAGE#325:00017:09/0_0", "nwparser.payload", "%{fld1}: VPN %{p0}"); + +var part543 = // "Pattern{Constant('VPN '), Field(p0,false)}" +match("MESSAGE#325:00017:09/0_1", "nwparser.payload", "VPN %{p0}"); + +var select120 = linear_select([ + part542, + part543, +]); + +var part544 = // "Pattern{Constant(''), Field(group,true), Constant(' with gateway '), Field(fld2,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#325:00017:09/1", "nwparser.p0", "%{group->} with gateway %{fld2->} %{p0}"); + +var part545 = // "Pattern{Constant('no-rekey '), Field(p0,false)}" +match("MESSAGE#325:00017:09/2_0", "nwparser.p0", "no-rekey %{p0}"); + +var part546 = // "Pattern{Constant('rekey, '), Field(p0,false)}" +match("MESSAGE#325:00017:09/2_1", "nwparser.p0", "rekey, %{p0}"); + +var part547 = // "Pattern{Constant('rekey '), Field(p0,false)}" +match("MESSAGE#325:00017:09/2_2", "nwparser.p0", "rekey %{p0}"); + +var select121 = linear_select([ + part545, + part546, + part547, +]); + +var part548 = // "Pattern{Constant('and p2-proposal '), Field(fld3,true), Constant(' has been '), Field(p0,false)}" +match("MESSAGE#325:00017:09/3", "nwparser.p0", "and p2-proposal %{fld3->} has been %{p0}"); + +var part549 = // "Pattern{Field(disposition,true), Constant(' from peer unit')}" +match("MESSAGE#325:00017:09/4_0", "nwparser.p0", "%{disposition->} from peer unit"); + +var part550 = // "Pattern{Field(disposition,true), Constant(' from host '), Field(saddr,false)}" +match("MESSAGE#325:00017:09/4_1", "nwparser.p0", "%{disposition->} from host %{saddr}"); + +var select122 = linear_select([ + part549, + part550, + dup36, +]); + +var all103 = all_match({ + processors: [ + select120, + part544, + select121, + part548, + select122, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg327 = msg("00017:09", all103); + +var part551 = // "Pattern{Constant('VPN monitoring for VPN '), Field(group,true), Constant(' has been '), Field(disposition,false), Constant('. Src IF '), Field(sinterface,true), Constant(' dst IP '), Field(daddr,true), Constant(' with rekeying '), Field(p0,false)}" +match("MESSAGE#326:00017:10/0", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}. Src IF %{sinterface->} dst IP %{daddr->} with rekeying %{p0}"); + +var all104 = all_match({ + processors: [ + part551, + dup360, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg328 = msg("00017:10", all104); + +var part552 = // "Pattern{Constant('VPN monitoring for VPN '), Field(group,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#327:00017:11", "nwparser.payload", "VPN monitoring for VPN %{group->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg329 = msg("00017:11", part552); + +var part553 = // "Pattern{Constant('VPN monitoring '), Field(p0,false)}" +match("MESSAGE#328:00017:12/0", "nwparser.payload", "VPN monitoring %{p0}"); + +var part554 = // "Pattern{Constant('frequency '), Field(p0,false)}" +match("MESSAGE#328:00017:12/1_2", "nwparser.p0", "frequency %{p0}"); + +var select123 = linear_select([ + dup109, + dup110, + part554, +]); + +var all105 = all_match({ + processors: [ + part553, + select123, + dup127, + dup361, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg330 = msg("00017:12", all105); + +var part555 = // "Pattern{Constant('VPN '), Field(group,true), Constant(' with gateway '), Field(fld2,true), Constant(' and P2 proposal '), Field(fld3,true), Constant(' has been added by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#329:00017:26", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been added by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg331 = msg("00017:26", part555); + +var part556 = // "Pattern{Constant('No IP pool has been assigned. You cannot allocate an IP address.'), Field(,false)}" +match("MESSAGE#330:00017:13", "nwparser.payload", "No IP pool has been assigned. You cannot allocate an IP address.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg332 = msg("00017:13", part556); + +var part557 = // "Pattern{Constant('P1 proposal '), Field(fld2,true), Constant(' with '), Field(protocol_detail,false), Constant(', DH group '), Field(group,false), Constant(', ESP '), Field(encryption_type,false), Constant(', auth '), Field(authmethod,false), Constant(', and lifetime '), Field(fld3,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#331:00017:14", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail}, DH group %{group}, ESP %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup9, + dup5, +])); + +var msg333 = msg("00017:14", part557); + +var part558 = // "Pattern{Constant('P2 proposal '), Field(fld2,true), Constant(' with DH group '), Field(group,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#332:00017:15/0", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group->} %{p0}"); + +var part559 = // "Pattern{Constant(''), Field(encryption_type,true), Constant(' auth '), Field(authmethod,true), Constant(' and lifetime ('), Field(fld3,false), Constant(') ('), Field(fld4,false), Constant(') has been '), Field(disposition,false), Constant('.')}" +match("MESSAGE#332:00017:15/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime (%{fld3}) (%{fld4}) has been %{disposition}."); + +var all106 = all_match({ + processors: [ + part558, + dup362, + part559, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg334 = msg("00017:15", all106); + +var part560 = // "Pattern{Constant('P1 proposal '), Field(fld2,true), Constant(' with '), Field(protocol_detail,true), Constant(' DH group '), Field(group,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#333:00017:31/0", "nwparser.payload", "P1 proposal %{fld2->} with %{protocol_detail->} DH group %{group->} %{p0}"); + +var part561 = // "Pattern{Constant(''), Field(encryption_type,true), Constant(' auth '), Field(authmethod,true), Constant(' and lifetime '), Field(fld3,true), Constant(' has been '), Field(disposition,false), Constant('.')}" +match("MESSAGE#333:00017:31/2", "nwparser.p0", "%{encryption_type->} auth %{authmethod->} and lifetime %{fld3->} has been %{disposition}."); + +var all107 = all_match({ + processors: [ + part560, + dup362, + part561, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg335 = msg("00017:31", all107); + +var part562 = // "Pattern{Constant('vpnmonitor interval is '), Field(p0,false)}" +match("MESSAGE#334:00017:16/0", "nwparser.payload", "vpnmonitor interval is %{p0}"); + +var all108 = all_match({ + processors: [ + part562, + dup361, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg336 = msg("00017:16", all108); + +var part563 = // "Pattern{Constant('vpnmonitor threshold is '), Field(p0,false)}" +match("MESSAGE#335:00017:17/0", "nwparser.payload", "vpnmonitor threshold is %{p0}"); + +var select124 = linear_select([ + dup99, + dup93, +]); + +var all109 = all_match({ + processors: [ + part563, + select124, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg337 = msg("00017:17", all109); + +var part564 = // "Pattern{Constant(''), Field(group_object,true), Constant(' with range '), Field(fld2,true), Constant(' was '), Field(disposition,false)}" +match("MESSAGE#336:00017:18/2", "nwparser.p0", "%{group_object->} with range %{fld2->} was %{disposition}"); + +var all110 = all_match({ + processors: [ + dup153, + dup359, + part564, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg338 = msg("00017:18", all110); + +var part565 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at '), Field(p0,false)}" +match("MESSAGE#337:00017:19/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at %{p0}"); + +var part566 = // "Pattern{Field(,true), Constant(' '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#337:00017:19/2", "nwparser.p0", "%{} %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times"); + +var all111 = all_match({ + processors: [ + part565, + dup339, + part566, + ], + on_success: processor_chain([ + dup151, + dup2, + dup3, + dup59, + dup4, + dup5, + ]), +}); + +var msg339 = msg("00017:19", all111); + +var all112 = all_match({ + processors: [ + dup64, + dup340, + dup67, + ], + on_success: processor_chain([ + dup151, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + ]), +}); + +var msg340 = msg("00017:20", all112); + +var part567 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#339:00017:21", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup151, + dup2, + dup3, + dup59, + dup4, + dup5, +])); + +var msg341 = msg("00017:21", part567); + +var part568 = // "Pattern{Constant('VPN '), Field(group,true), Constant(' with gateway '), Field(fld2,true), Constant(' and P2 proposal '), Field(fld3,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#340:00017:22", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg342 = msg("00017:22", part568); + +var part569 = // "Pattern{Constant('VPN "'), Field(group,false), Constant('" has been bound to tunnel interface '), Field(interface,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#341:00017:24", "nwparser.payload", "VPN \"%{group}\" has been bound to tunnel interface %{interface}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg343 = msg("00017:24", part569); + +var part570 = // "Pattern{Constant('VPN '), Field(group,true), Constant(' with gateway '), Field(fld2,true), Constant(' and P2 proposal standard has been added by admin '), Field(administrator,true), Constant(' via NSRP Peer ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#342:00017:25", "nwparser.payload", "VPN %{group->} with gateway %{fld2->} and P2 proposal standard has been added by admin %{administrator->} via NSRP Peer (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg344 = msg("00017:25", part570); + +var part571 = // "Pattern{Constant('P2 proposal '), Field(fld2,true), Constant(' with DH group '), Field(group,false), Constant(', ESP, enc '), Field(encryption_type,false), Constant(', auth '), Field(authmethod,false), Constant(', and lifetime '), Field(fld3,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#343:00017:28", "nwparser.payload", "P2 proposal %{fld2->} with DH group %{group}, ESP, enc %{encryption_type}, auth %{authmethod}, and lifetime %{fld3->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg345 = msg("00017:28", part571); + +var part572 = // "Pattern{Constant('L2TP "'), Field(fld2,false), Constant('", all-L2TP-users secret "'), Field(fld3,false), Constant('" keepalive '), Field(fld4,true), Constant(' has been '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#344:00017:29", "nwparser.payload", "L2TP \"%{fld2}\", all-L2TP-users secret \"%{fld3}\" keepalive %{fld4->} has been %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, +])); + +var msg346 = msg("00017:29", part572); + +var select125 = linear_select([ + msg317, + msg318, + msg319, + msg320, + msg321, + msg322, + msg323, + msg324, + msg325, + msg326, + msg327, + msg328, + msg329, + msg330, + msg331, + msg332, + msg333, + msg334, + msg335, + msg336, + msg337, + msg338, + msg339, + msg340, + msg341, + msg342, + msg343, + msg344, + msg345, + msg346, +]); + +var part573 = // "Pattern{Constant('Positions of policies '), Field(fld2,true), Constant(' and '), Field(fld3,true), Constant(' have been exchanged')}" +match("MESSAGE#345:00018", "nwparser.payload", "Positions of policies %{fld2->} and %{fld3->} have been exchanged", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg347 = msg("00018", part573); + +var part574 = // "Pattern{Constant('Deny Policy Alarm'), Field(,false)}" +match("MESSAGE#346:00018:01", "nwparser.payload", "Deny Policy Alarm%{}", processor_chain([ + setc("eventcategory","1502010000"), + dup2, + dup4, + dup5, + dup3, +])); + +var msg348 = msg("00018:01", part574); + +var part575 = // "Pattern{Constant('Device'), Field(p0,false)}" +match("MESSAGE#347:00018:02/0", "nwparser.payload", "Device%{p0}"); + +var part576 = // "Pattern{Constant('s '), Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' by admin '), Field(administrator,false)}" +match("MESSAGE#347:00018:02/2", "nwparser.p0", "s %{change_attribute->} has been changed from %{change_old->} to %{change_new->} by admin %{administrator}"); + +var all113 = all_match({ + processors: [ + part575, + dup363, + part576, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg349 = msg("00018:02", all113); + +var part577 = // "Pattern{Field(fld2,true), Constant(' Policy ('), Field(policy_id,false), Constant(', '), Field(info,true), Constant(' ) was '), Field(disposition,true), Constant(' from host '), Field(saddr,true), Constant(' by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#348:00018:04", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg350 = msg("00018:04", part577); + +var part578 = // "Pattern{Field(fld2,true), Constant(' Policy ('), Field(policy_id,false), Constant(', '), Field(info,true), Constant(' ) was '), Field(disposition,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer')}" +match("MESSAGE#349:00018:16", "nwparser.payload", "%{fld2->} Policy (%{policy_id}, %{info->} ) was %{disposition->} by admin %{administrator->} via NSRP Peer", processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, +])); + +var msg351 = msg("00018:16", part578); + +var part579 = // "Pattern{Field(fld2,true), Constant(' Policy '), Field(policy_id,true), Constant(' has been moved '), Field(p0,false)}" +match("MESSAGE#350:00018:06/0", "nwparser.payload", "%{fld2->} Policy %{policy_id->} has been moved %{p0}"); + +var part580 = // "Pattern{Constant('before '), Field(p0,false)}" +match("MESSAGE#350:00018:06/1_0", "nwparser.p0", "before %{p0}"); + +var part581 = // "Pattern{Constant('after '), Field(p0,false)}" +match("MESSAGE#350:00018:06/1_1", "nwparser.p0", "after %{p0}"); + +var select126 = linear_select([ + part580, + part581, +]); + +var part582 = // "Pattern{Constant(''), Field(fld3,true), Constant(' by admin '), Field(administrator,false)}" +match("MESSAGE#350:00018:06/2", "nwparser.p0", "%{fld3->} by admin %{administrator}"); + +var all114 = all_match({ + processors: [ + part579, + select126, + part582, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg352 = msg("00018:06", all114); + +var part583 = // "Pattern{Constant('Policy '), Field(policy_id,true), Constant(' application was modified to '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#351:00018:08", "nwparser.payload", "Policy %{policy_id->} application was modified to %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg353 = msg("00018:08", part583); + +var part584 = // "Pattern{Constant('Policy ('), Field(policy_id,false), Constant(', '), Field(info,false), Constant(') was '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#352:00018:09", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup3, + dup2, + dup9, + dup4, + dup5, +])); + +var msg354 = msg("00018:09", part584); + +var part585 = // "Pattern{Constant('Policy ('), Field(policy_id,false), Constant(', '), Field(info,false), Constant(') was '), Field(p0,false)}" +match("MESSAGE#353:00018:10/0", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{p0}"); + +var part586 = // "Pattern{Field(disposition,true), Constant(' from peer unit by '), Field(p0,false)}" +match("MESSAGE#353:00018:10/1_0", "nwparser.p0", "%{disposition->} from peer unit by %{p0}"); + +var part587 = // "Pattern{Field(disposition,true), Constant(' by '), Field(p0,false)}" +match("MESSAGE#353:00018:10/1_1", "nwparser.p0", "%{disposition->} by %{p0}"); + +var select127 = linear_select([ + part586, + part587, +]); + +var part588 = // "Pattern{Field(username,true), Constant(' via '), Field(interface,true), Constant(' from host '), Field(saddr,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#353:00018:10/2", "nwparser.p0", "%{username->} via %{interface->} from host %{saddr->} (%{fld1})"); + +var all115 = all_match({ + processors: [ + part585, + select127, + part588, + ], + on_success: processor_chain([ + dup17, + dup3, + dup2, + dup9, + dup4, + dup5, + ]), +}); + +var msg355 = msg("00018:10", all115); + +var part589 = // "Pattern{Constant('Service '), Field(service,true), Constant(' was '), Field(p0,false)}" +match("MESSAGE#354:00018:11/1_0", "nwparser.p0", "Service %{service->} was %{p0}"); + +var part590 = // "Pattern{Constant('Attack group '), Field(signame,true), Constant(' was '), Field(p0,false)}" +match("MESSAGE#354:00018:11/1_1", "nwparser.p0", "Attack group %{signame->} was %{p0}"); + +var select128 = linear_select([ + part589, + part590, +]); + +var part591 = // "Pattern{Field(disposition,true), Constant(' to policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#354:00018:11/2", "nwparser.p0", "%{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} %{p0}"); + +var part592 = // "Pattern{Constant('to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. '), Field(p0,false)}" +match("MESSAGE#354:00018:11/3_0", "nwparser.p0", "to %{daddr}:%{dport}. %{p0}"); + +var select129 = linear_select([ + part592, + dup16, +]); + +var all116 = all_match({ + processors: [ + dup162, + select128, + part591, + select129, + dup10, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg356 = msg("00018:11", all116); + +var part593 = // "Pattern{Constant('In policy '), Field(policy_id,false), Constant(', the '), Field(p0,false)}" +match("MESSAGE#355:00018:12/0", "nwparser.payload", "In policy %{policy_id}, the %{p0}"); + +var part594 = // "Pattern{Constant('application '), Field(p0,false)}" +match("MESSAGE#355:00018:12/1_0", "nwparser.p0", "application %{p0}"); + +var part595 = // "Pattern{Constant('attack severity '), Field(p0,false)}" +match("MESSAGE#355:00018:12/1_1", "nwparser.p0", "attack severity %{p0}"); + +var part596 = // "Pattern{Constant('DI attack component '), Field(p0,false)}" +match("MESSAGE#355:00018:12/1_2", "nwparser.p0", "DI attack component %{p0}"); + +var select130 = linear_select([ + part594, + part595, + part596, +]); + +var part597 = // "Pattern{Constant('was modified by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#355:00018:12/2", "nwparser.p0", "was modified by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); + +var all117 = all_match({ + processors: [ + part593, + select130, + part597, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg357 = msg("00018:12", all117); + +var part598 = // "Pattern{Field(,false), Constant('address '), Field(dhost,false), Constant('('), Field(daddr,false), Constant(') was '), Field(disposition,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#356:00018:32/1", "nwparser.p0", "%{}address %{dhost}(%{daddr}) was %{disposition->} %{p0}"); + +var all118 = all_match({ + processors: [ + dup364, + part598, + dup365, + dup166, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg358 = msg("00018:32", all118); + +var part599 = // "Pattern{Field(,false), Constant('address '), Field(dhost,true), Constant(' was '), Field(disposition,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#357:00018:22/1", "nwparser.p0", "%{}address %{dhost->} was %{disposition->} %{p0}"); + +var all119 = all_match({ + processors: [ + dup364, + part599, + dup365, + dup166, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg359 = msg("00018:22", all119); + +var part600 = // "Pattern{Field(agent,true), Constant(' was '), Field(disposition,true), Constant(' from policy '), Field(policy_id,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#358:00018:15/0", "nwparser.payload", "%{agent->} was %{disposition->} from policy %{policy_id->} %{p0}"); + +var select131 = linear_select([ + dup78, + dup77, +]); + +var part601 = // "Pattern{Constant('address by admin '), Field(administrator,true), Constant(' via NSRP Peer')}" +match("MESSAGE#358:00018:15/2", "nwparser.p0", "address by admin %{administrator->} via NSRP Peer"); + +var all120 = all_match({ + processors: [ + part600, + select131, + part601, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg360 = msg("00018:15", all120); + +var part602 = // "Pattern{Field(agent,true), Constant(' was '), Field(disposition,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#359:00018:14/0", "nwparser.payload", "%{agent->} was %{disposition->} %{p0}"); + +var part603 = // "Pattern{Constant('to'), Field(p0,false)}" +match("MESSAGE#359:00018:14/1_0", "nwparser.p0", "to%{p0}"); + +var part604 = // "Pattern{Constant('from'), Field(p0,false)}" +match("MESSAGE#359:00018:14/1_1", "nwparser.p0", "from%{p0}"); + +var select132 = linear_select([ + part603, + part604, +]); + +var part605 = // "Pattern{Field(,false), Constant('policy '), Field(policy_id,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#359:00018:14/2", "nwparser.p0", "%{}policy %{policy_id->} %{p0}"); + +var part606 = // "Pattern{Constant('service '), Field(p0,false)}" +match("MESSAGE#359:00018:14/3_0", "nwparser.p0", "service %{p0}"); + +var part607 = // "Pattern{Constant('source address '), Field(p0,false)}" +match("MESSAGE#359:00018:14/3_1", "nwparser.p0", "source address %{p0}"); + +var part608 = // "Pattern{Constant('destination address '), Field(p0,false)}" +match("MESSAGE#359:00018:14/3_2", "nwparser.p0", "destination address %{p0}"); + +var select133 = linear_select([ + part606, + part607, + part608, +]); + +var part609 = // "Pattern{Constant('by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#359:00018:14/4", "nwparser.p0", "by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})"); + +var all121 = all_match({ + processors: [ + part602, + select132, + part605, + select133, + part609, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg361 = msg("00018:14", all121); + +var part610 = // "Pattern{Constant('Service '), Field(service,true), Constant(' was '), Field(disposition,true), Constant(' to policy ID '), Field(policy_id,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer . ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#360:00018:29", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg362 = msg("00018:29", part610); + +var part611 = // "Pattern{Field(agent,true), Constant(' was added to policy '), Field(policy_id,true), Constant(' '), Field(rule_group,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer '), Field(space,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#361:00018:07", "nwparser.payload", "%{agent->} was added to policy %{policy_id->} %{rule_group->} by admin %{administrator->} via NSRP Peer %{space->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg363 = msg("00018:07", part611); + +var part612 = // "Pattern{Constant('Service '), Field(service,true), Constant(' was '), Field(disposition,true), Constant(' to policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#362:00018:18", "nwparser.payload", "Service %{service->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg364 = msg("00018:18", part612); + +var part613 = // "Pattern{Constant('AntiSpam ns-profile was '), Field(disposition,true), Constant(' from policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#363:00018:17", "nwparser.payload", "AntiSpam ns-profile was %{disposition->} from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg365 = msg("00018:17", part613); + +var part614 = // "Pattern{Constant('Source address Info '), Field(info,true), Constant(' was '), Field(disposition,true), Constant(' to policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#364:00018:19", "nwparser.payload", "Source address Info %{info->} was %{disposition->} to policy ID %{policy_id->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg366 = msg("00018:19", part614); + +var part615 = // "Pattern{Constant('Destination '), Field(p0,false)}" +match("MESSAGE#365:00018:23/0_0", "nwparser.payload", "Destination %{p0}"); + +var part616 = // "Pattern{Constant('Source '), Field(p0,false)}" +match("MESSAGE#365:00018:23/0_1", "nwparser.payload", "Source %{p0}"); + +var select134 = linear_select([ + part615, + part616, +]); + +var part617 = // "Pattern{Constant('address '), Field(info,true), Constant(' was added to policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#365:00018:23/1", "nwparser.p0", "address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} %{p0}"); + +var part618 = // "Pattern{Constant('from host '), Field(p0,false)}" +match("MESSAGE#365:00018:23/2_0", "nwparser.p0", "from host %{p0}"); + +var select135 = linear_select([ + part618, + dup103, +]); + +var part619 = // "Pattern{Field(saddr,true), Constant(' to '), Field(daddr,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#365:00018:23/4_0", "nwparser.p0", "%{saddr->} to %{daddr->} %{p0}"); + +var part620 = // "Pattern{Field(daddr,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#365:00018:23/4_1", "nwparser.p0", "%{daddr->} %{p0}"); + +var select136 = linear_select([ + part619, + part620, +]); + +var part621 = // "Pattern{Field(dport,false), Constant(':('), Field(fld1,false), Constant(')')}" +match("MESSAGE#365:00018:23/5", "nwparser.p0", "%{dport}:(%{fld1})"); + +var all122 = all_match({ + processors: [ + select134, + part617, + select135, + dup23, + select136, + part621, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg367 = msg("00018:23", all122); + +var part622 = // "Pattern{Constant('Service '), Field(service,true), Constant(' was deleted from policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#366:00018:21", "nwparser.payload", "Service %{service->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg368 = msg("00018:21", part622); + +var part623 = // "Pattern{Constant('Policy ('), Field(policyname,false), Constant(') was '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#367:00018:24", "nwparser.payload", "Policy (%{policyname}) was %{disposition->} by %{username->} via %{logon_type->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg369 = msg("00018:24", part623); + +var part624 = // "Pattern{Field(,false), Constant('address '), Field(info,true), Constant(' was added to policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#368:00018:25/1", "nwparser.p0", "%{}address %{info->} was added to policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); + +var all123 = all_match({ + processors: [ + dup366, + part624, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg370 = msg("00018:25", all123); + +var part625 = // "Pattern{Field(,false), Constant('address '), Field(info,true), Constant(' was deleted from policy ID '), Field(policy_id,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#369:00018:30/1", "nwparser.p0", "%{}address %{info->} was deleted from policy ID %{policy_id->} by %{username->} via %{logon_type->} from host %{saddr}. (%{fld1})"); + +var all124 = all_match({ + processors: [ + dup366, + part625, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg371 = msg("00018:30", all124); + +var part626 = // "Pattern{Constant('In policy '), Field(policy_id,false), Constant(', the application was modified to '), Field(disposition,true), Constant(' by '), Field(p0,false)}" +match("MESSAGE#370:00018:26/0", "nwparser.payload", "In policy %{policy_id}, the application was modified to %{disposition->} by %{p0}"); + +var part627 = // "Pattern{Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant('. ('), Field(p0,false)}" +match("MESSAGE#370:00018:26/2_1", "nwparser.p0", "%{logon_type->} from host %{saddr}. (%{p0}"); + +var select137 = linear_select([ + dup48, + part627, +]); + +var all125 = all_match({ + processors: [ + part626, + dup367, + select137, + dup41, + ], + on_success: processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg372 = msg("00018:26", all125); + +var part628 = // "Pattern{Constant('In policy '), Field(policy_id,false), Constant(', the DI attack component was modified by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#371:00018:27", "nwparser.payload", "In policy %{policy_id}, the DI attack component was modified by %{username->} via %{logon_type->} from host %{saddr}:%{sport}. (%{fld1})", processor_chain([ + dup17, + dup2, + dup4, + dup5, + dup9, +])); + +var msg373 = msg("00018:27", part628); + +var part629 = // "Pattern{Constant('In policy '), Field(policyname,false), Constant(', the DI attack component was modified by admin '), Field(administrator,true), Constant(' via '), Field(logon_type,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#372:00018:28", "nwparser.payload", "In policy %{policyname}, the DI attack component was modified by admin %{administrator->} via %{logon_type}. (%{fld1})", processor_chain([ + dup17, + dup2, + dup4, + dup5, + dup9, + setc("info","the DI attack component was modified"), +])); + +var msg374 = msg("00018:28", part629); + +var part630 = // "Pattern{Constant('Policy ('), Field(policy_id,false), Constant(', '), Field(info,false), Constant(') was '), Field(disposition,false)}" +match("MESSAGE#373:00018:03", "nwparser.payload", "Policy (%{policy_id}, %{info}) was %{disposition}", processor_chain([ + dup17, + dup2, + dup3, + dup4, + dup5, +])); + +var msg375 = msg("00018:03", part630); + +var part631 = // "Pattern{Constant('In policy '), Field(policy_id,false), Constant(', the option '), Field(fld2,true), Constant(' was '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1213:00018:31", "nwparser.payload", "In policy %{policy_id}, the option %{fld2->} was %{disposition}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg376 = msg("00018:31", part631); + +var select138 = linear_select([ + msg347, + msg348, + msg349, + msg350, + msg351, + msg352, + msg353, + msg354, + msg355, + msg356, + msg357, + msg358, + msg359, + msg360, + msg361, + msg362, + msg363, + msg364, + msg365, + msg366, + msg367, + msg368, + msg369, + msg370, + msg371, + msg372, + msg373, + msg374, + msg375, + msg376, +]); + +var part632 = // "Pattern{Constant('Attempt to enable WebTrends has '), Field(disposition,true), Constant(' because WebTrends settings have not yet been configured')}" +match("MESSAGE#374:00019", "nwparser.payload", "Attempt to enable WebTrends has %{disposition->} because WebTrends settings have not yet been configured", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg377 = msg("00019", part632); + +var part633 = // "Pattern{Constant('has '), Field(disposition,true), Constant(' because syslog settings have not yet been configured')}" +match("MESSAGE#375:00019:01/2", "nwparser.p0", "has %{disposition->} because syslog settings have not yet been configured"); + +var all126 = all_match({ + processors: [ + dup167, + dup368, + part633, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg378 = msg("00019:01", all126); + +var part634 = // "Pattern{Constant('Socket cannot be assigned for '), Field(p0,false)}" +match("MESSAGE#376:00019:02/0", "nwparser.payload", "Socket cannot be assigned for %{p0}"); + +var part635 = // "Pattern{Constant('WebTrends'), Field(,false)}" +match("MESSAGE#376:00019:02/1_0", "nwparser.p0", "WebTrends%{}"); + +var part636 = // "Pattern{Constant('syslog'), Field(,false)}" +match("MESSAGE#376:00019:02/1_1", "nwparser.p0", "syslog%{}"); + +var select139 = linear_select([ + part635, + part636, +]); + +var all127 = all_match({ + processors: [ + part634, + select139, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg379 = msg("00019:02", all127); + +var part637 = // "Pattern{Constant('Syslog VPN encryption has been '), Field(disposition,false)}" +match("MESSAGE#377:00019:03", "nwparser.payload", "Syslog VPN encryption has been %{disposition}", processor_chain([ + dup91, + dup2, + dup3, + dup4, + dup5, +])); + +var msg380 = msg("00019:03", part637); + +var select140 = linear_select([ + dup171, + dup78, +]); + +var select141 = linear_select([ + dup139, + dup172, + dup137, + dup122, +]); + +var all128 = all_match({ + processors: [ + dup170, + select140, + dup23, + select141, + dup173, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg381 = msg("00019:04", all128); + +var part638 = // "Pattern{Constant('Syslog message level has been changed to '), Field(p0,false)}" +match("MESSAGE#379:00019:05/0", "nwparser.payload", "Syslog message level has been changed to %{p0}"); + +var part639 = // "Pattern{Constant('debug'), Field(,false)}" +match("MESSAGE#379:00019:05/1_0", "nwparser.p0", "debug%{}"); + +var part640 = // "Pattern{Constant('information'), Field(,false)}" +match("MESSAGE#379:00019:05/1_1", "nwparser.p0", "information%{}"); + +var part641 = // "Pattern{Constant('notification'), Field(,false)}" +match("MESSAGE#379:00019:05/1_2", "nwparser.p0", "notification%{}"); + +var part642 = // "Pattern{Constant('warning'), Field(,false)}" +match("MESSAGE#379:00019:05/1_3", "nwparser.p0", "warning%{}"); + +var part643 = // "Pattern{Constant('error'), Field(,false)}" +match("MESSAGE#379:00019:05/1_4", "nwparser.p0", "error%{}"); + +var part644 = // "Pattern{Constant('critical'), Field(,false)}" +match("MESSAGE#379:00019:05/1_5", "nwparser.p0", "critical%{}"); + +var part645 = // "Pattern{Constant('alert'), Field(,false)}" +match("MESSAGE#379:00019:05/1_6", "nwparser.p0", "alert%{}"); + +var part646 = // "Pattern{Constant('emergency'), Field(,false)}" +match("MESSAGE#379:00019:05/1_7", "nwparser.p0", "emergency%{}"); + +var select142 = linear_select([ + part639, + part640, + part641, + part642, + part643, + part644, + part645, + part646, +]); + +var all129 = all_match({ + processors: [ + part638, + select142, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg382 = msg("00019:05", all129); + +var part647 = // "Pattern{Constant('has been changed to '), Field(p0,false)}" +match("MESSAGE#380:00019:06/2", "nwparser.p0", "has been changed to %{p0}"); + +var all130 = all_match({ + processors: [ + dup170, + dup369, + part647, + dup370, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg383 = msg("00019:06", all130); + +var part648 = // "Pattern{Constant('WebTrends VPN encryption has been '), Field(disposition,false)}" +match("MESSAGE#381:00019:07", "nwparser.payload", "WebTrends VPN encryption has been %{disposition}", processor_chain([ + dup91, + dup2, + dup3, + dup4, + dup5, +])); + +var msg384 = msg("00019:07", part648); + +var part649 = // "Pattern{Constant('WebTrends has been '), Field(disposition,false)}" +match("MESSAGE#382:00019:08", "nwparser.payload", "WebTrends has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg385 = msg("00019:08", part649); + +var part650 = // "Pattern{Constant('WebTrends host '), Field(p0,false)}" +match("MESSAGE#383:00019:09/0", "nwparser.payload", "WebTrends host %{p0}"); + +var select143 = linear_select([ + dup139, + dup172, + dup137, +]); + +var all131 = all_match({ + processors: [ + part650, + select143, + dup173, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg386 = msg("00019:09", all131); + +var part651 = // "Pattern{Constant('Traffic logging via syslog '), Field(p0,false)}" +match("MESSAGE#384:00019:10/1_0", "nwparser.p0", "Traffic logging via syslog %{p0}"); + +var part652 = // "Pattern{Constant('Syslog '), Field(p0,false)}" +match("MESSAGE#384:00019:10/1_1", "nwparser.p0", "Syslog %{p0}"); + +var select144 = linear_select([ + part651, + part652, +]); + +var all132 = all_match({ + processors: [ + dup185, + select144, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg387 = msg("00019:10", all132); + +var part653 = // "Pattern{Constant('has '), Field(disposition,true), Constant(' because there is no syslog server defined')}" +match("MESSAGE#385:00019:11/2", "nwparser.p0", "has %{disposition->} because there is no syslog server defined"); + +var all133 = all_match({ + processors: [ + dup167, + dup368, + part653, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg388 = msg("00019:11", all133); + +var part654 = // "Pattern{Constant('Removing all syslog servers'), Field(,false)}" +match("MESSAGE#386:00019:12", "nwparser.payload", "Removing all syslog servers%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg389 = msg("00019:12", part654); + +var part655 = // "Pattern{Constant('Syslog server '), Field(hostip,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#387:00019:13/0", "nwparser.payload", "Syslog server %{hostip->} %{p0}"); + +var select145 = linear_select([ + dup107, + dup106, +]); + +var part656 = // "Pattern{Constant(''), Field(disposition,false)}" +match("MESSAGE#387:00019:13/2", "nwparser.p0", "%{disposition}"); + +var all134 = all_match({ + processors: [ + part655, + select145, + part656, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg390 = msg("00019:13", all134); + +var part657 = // "Pattern{Constant('for '), Field(hostip,true), Constant(' has been changed to '), Field(p0,false)}" +match("MESSAGE#388:00019:14/2", "nwparser.p0", "for %{hostip->} has been changed to %{p0}"); + +var all135 = all_match({ + processors: [ + dup170, + dup369, + part657, + dup370, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg391 = msg("00019:14", all135); + +var part658 = // "Pattern{Constant('Syslog cannot connect to the TCP server '), Field(hostip,false), Constant('; the connection is closed.')}" +match("MESSAGE#389:00019:15", "nwparser.payload", "Syslog cannot connect to the TCP server %{hostip}; the connection is closed.", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, +])); + +var msg392 = msg("00019:15", part658); + +var part659 = // "Pattern{Constant('All syslog servers were removed.'), Field(,false)}" +match("MESSAGE#390:00019:16", "nwparser.payload", "All syslog servers were removed.%{}", processor_chain([ + setc("eventcategory","1701030000"), + setc("ec_activity","Delete"), + dup51, + dup2, + dup3, + dup4, + dup5, +])); + +var msg393 = msg("00019:16", part659); + +var part660 = // "Pattern{Constant('Syslog server '), Field(hostip,true), Constant(' host port number has been changed to '), Field(network_port,true), Constant(' '), Field(fld5,false)}" +match("MESSAGE#391:00019:17", "nwparser.payload", "Syslog server %{hostip->} host port number has been changed to %{network_port->} %{fld5}", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, +])); + +var msg394 = msg("00019:17", part660); + +var part661 = // "Pattern{Constant('Traffic logging '), Field(p0,false)}" +match("MESSAGE#392:00019:18/0", "nwparser.payload", "Traffic logging %{p0}"); + +var part662 = // "Pattern{Constant('via syslog '), Field(p0,false)}" +match("MESSAGE#392:00019:18/1_0", "nwparser.p0", "via syslog %{p0}"); + +var part663 = // "Pattern{Constant('for syslog server '), Field(hostip,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#392:00019:18/1_1", "nwparser.p0", "for syslog server %{hostip->} %{p0}"); + +var select146 = linear_select([ + part662, + part663, +]); + +var all136 = all_match({ + processors: [ + part661, + select146, + dup138, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg395 = msg("00019:18", all136); + +var part664 = // "Pattern{Constant('Transport protocol for syslog server '), Field(hostip,true), Constant(' was changed to udp')}" +match("MESSAGE#393:00019:19", "nwparser.payload", "Transport protocol for syslog server %{hostip->} was changed to udp", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, +])); + +var msg396 = msg("00019:19", part664); + +var part665 = // "Pattern{Constant('The traffic/IDP syslog is enabled on backup device by netscreen via web from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#394:00019:20", "nwparser.payload", "The traffic/IDP syslog is enabled on backup device by netscreen via web from host %{saddr->} to %{daddr}:%{dport}. (%{fld1})", processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup4, + dup5, +])); + +var msg397 = msg("00019:20", part665); + +var select147 = linear_select([ + msg377, + msg378, + msg379, + msg380, + msg381, + msg382, + msg383, + msg384, + msg385, + msg386, + msg387, + msg388, + msg389, + msg390, + msg391, + msg392, + msg393, + msg394, + msg395, + msg396, + msg397, +]); + +var part666 = // "Pattern{Constant('Schedule '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#395:00020", "nwparser.payload", "Schedule %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg398 = msg("00020", part666); + +var part667 = // "Pattern{Constant('System memory is low '), Field(p0,false)}" +match("MESSAGE#396:00020:01/0", "nwparser.payload", "System memory is low %{p0}"); + +var part668 = // "Pattern{Constant('( '), Field(p0,false)}" +match("MESSAGE#396:00020:01/1_1", "nwparser.p0", "( %{p0}"); + +var select148 = linear_select([ + dup152, + part668, +]); + +var part669 = // "Pattern{Constant(''), Field(fld2,true), Constant(' bytes allocated out of '), Field(p0,false)}" +match("MESSAGE#396:00020:01/2", "nwparser.p0", "%{fld2->} bytes allocated out of %{p0}"); + +var part670 = // "Pattern{Constant('total '), Field(fld3,true), Constant(' bytes')}" +match("MESSAGE#396:00020:01/3_0", "nwparser.p0", "total %{fld3->} bytes"); + +var part671 = // "Pattern{Field(fld4,true), Constant(' bytes total')}" +match("MESSAGE#396:00020:01/3_1", "nwparser.p0", "%{fld4->} bytes total"); + +var select149 = linear_select([ + part670, + part671, +]); + +var all137 = all_match({ + processors: [ + part667, + select148, + part669, + select149, + ], + on_success: processor_chain([ + dup186, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg399 = msg("00020:01", all137); + +var part672 = // "Pattern{Constant('System memory is low ('), Field(fld2,true), Constant(' allocated out of '), Field(fld3,true), Constant(' ) '), Field(fld4,true), Constant(' times in '), Field(fld5,false)}" +match("MESSAGE#397:00020:02", "nwparser.payload", "System memory is low (%{fld2->} allocated out of %{fld3->} ) %{fld4->} times in %{fld5}", processor_chain([ + dup186, + dup2, + dup3, + dup4, + dup5, +])); + +var msg400 = msg("00020:02", part672); + +var select150 = linear_select([ + msg398, + msg399, + msg400, +]); + +var part673 = // "Pattern{Constant('DIP '), Field(fld2,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#398:00021", "nwparser.payload", "DIP %{fld2->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg401 = msg("00021", part673); + +var part674 = // "Pattern{Constant('IP pool '), Field(fld2,true), Constant(' with range '), Field(info,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#399:00021:01", "nwparser.payload", "IP pool %{fld2->} with range %{info->} has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg402 = msg("00021:01", part674); + +var part675 = // "Pattern{Constant('DNS server is not configured'), Field(,false)}" +match("MESSAGE#400:00021:02", "nwparser.payload", "DNS server is not configured%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg403 = msg("00021:02", part675); + +var part676 = // "Pattern{Constant('Connection refused by the DNS server'), Field(,false)}" +match("MESSAGE#401:00021:03", "nwparser.payload", "Connection refused by the DNS server%{}", processor_chain([ + dup187, + dup2, + dup3, + dup4, + dup5, +])); + +var msg404 = msg("00021:03", part676); + +var part677 = // "Pattern{Constant('Unknown DNS error'), Field(,false)}" +match("MESSAGE#402:00021:04", "nwparser.payload", "Unknown DNS error%{}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, +])); + +var msg405 = msg("00021:04", part677); + +var part678 = // "Pattern{Constant('DIP port-translatation stickiness was '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#403:00021:05", "nwparser.payload", "DIP port-translatation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg406 = msg("00021:05", part678); + +var part679 = // "Pattern{Constant('DIP port-translation stickiness was '), Field(disposition,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#404:00021:06", "nwparser.payload", "DIP port-translation stickiness was %{disposition->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + setc("info","DIP port-translation stickiness was modified"), +])); + +var msg407 = msg("00021:06", part679); + +var select151 = linear_select([ + msg401, + msg402, + msg403, + msg404, + msg405, + msg406, + msg407, +]); + +var part680 = // "Pattern{Constant('power supplies '), Field(p0,false)}" +match("MESSAGE#405:00022/1_0", "nwparser.p0", "power supplies %{p0}"); + +var part681 = // "Pattern{Constant('fans '), Field(p0,false)}" +match("MESSAGE#405:00022/1_1", "nwparser.p0", "fans %{p0}"); + +var select152 = linear_select([ + part680, + part681, +]); + +var part682 = // "Pattern{Constant('are '), Field(fld2,true), Constant(' functioning properly')}" +match("MESSAGE#405:00022/2", "nwparser.p0", "are %{fld2->} functioning properly"); + +var all138 = all_match({ + processors: [ + dup188, + select152, + part682, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg408 = msg("00022", all138); + +var part683 = // "Pattern{Constant('At least one power supply '), Field(p0,false)}" +match("MESSAGE#406:00022:01/0_0", "nwparser.payload", "At least one power supply %{p0}"); + +var part684 = // "Pattern{Constant('The power supply '), Field(fld2,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#406:00022:01/0_1", "nwparser.payload", "The power supply %{fld2->} %{p0}"); + +var part685 = // "Pattern{Constant('At least one fan '), Field(p0,false)}" +match("MESSAGE#406:00022:01/0_2", "nwparser.payload", "At least one fan %{p0}"); + +var select153 = linear_select([ + part683, + part684, + part685, +]); + +var part686 = // "Pattern{Constant('is not functioning properly'), Field(p0,false)}" +match("MESSAGE#406:00022:01/1", "nwparser.p0", "is not functioning properly%{p0}"); + +var all139 = all_match({ + processors: [ + select153, + part686, + dup371, + ], + on_success: processor_chain([ + dup189, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg409 = msg("00022:01", all139); + +var part687 = // "Pattern{Constant('Global Manager VPN management tunnel has been '), Field(disposition,false)}" +match("MESSAGE#407:00022:02", "nwparser.payload", "Global Manager VPN management tunnel has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg410 = msg("00022:02", part687); + +var part688 = // "Pattern{Constant('Global Manager domain name has been defined as '), Field(domain,false)}" +match("MESSAGE#408:00022:03", "nwparser.payload", "Global Manager domain name has been defined as %{domain}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg411 = msg("00022:03", part688); + +var part689 = // "Pattern{Constant('Reporting of the '), Field(p0,false)}" +match("MESSAGE#409:00022:04/0", "nwparser.payload", "Reporting of the %{p0}"); + +var part690 = // "Pattern{Constant('network activities '), Field(p0,false)}" +match("MESSAGE#409:00022:04/1_0", "nwparser.p0", "network activities %{p0}"); + +var part691 = // "Pattern{Constant('device resources '), Field(p0,false)}" +match("MESSAGE#409:00022:04/1_1", "nwparser.p0", "device resources %{p0}"); + +var part692 = // "Pattern{Constant('event logs '), Field(p0,false)}" +match("MESSAGE#409:00022:04/1_2", "nwparser.p0", "event logs %{p0}"); + +var part693 = // "Pattern{Constant('summary logs '), Field(p0,false)}" +match("MESSAGE#409:00022:04/1_3", "nwparser.p0", "summary logs %{p0}"); + +var select154 = linear_select([ + part690, + part691, + part692, + part693, +]); + +var part694 = // "Pattern{Constant('to Global Manager has been '), Field(disposition,false)}" +match("MESSAGE#409:00022:04/2", "nwparser.p0", "to Global Manager has been %{disposition}"); + +var all140 = all_match({ + processors: [ + part689, + select154, + part694, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg412 = msg("00022:04", all140); + +var part695 = // "Pattern{Constant('Global Manager has been '), Field(disposition,false)}" +match("MESSAGE#410:00022:05", "nwparser.payload", "Global Manager has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg413 = msg("00022:05", part695); + +var part696 = // "Pattern{Constant('Global Manager '), Field(p0,false)}" +match("MESSAGE#411:00022:06/0", "nwparser.payload", "Global Manager %{p0}"); + +var part697 = // "Pattern{Constant('report '), Field(p0,false)}" +match("MESSAGE#411:00022:06/1_0", "nwparser.p0", "report %{p0}"); + +var part698 = // "Pattern{Constant('listen '), Field(p0,false)}" +match("MESSAGE#411:00022:06/1_1", "nwparser.p0", "listen %{p0}"); + +var select155 = linear_select([ + part697, + part698, +]); + +var part699 = // "Pattern{Constant('port has been set to '), Field(interface,false)}" +match("MESSAGE#411:00022:06/2", "nwparser.p0", "port has been set to %{interface}"); + +var all141 = all_match({ + processors: [ + part696, + select155, + part699, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg414 = msg("00022:06", all141); + +var part700 = // "Pattern{Constant('The Global Manager keep-alive value has been changed to '), Field(fld2,false)}" +match("MESSAGE#412:00022:07", "nwparser.payload", "The Global Manager keep-alive value has been changed to %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg415 = msg("00022:07", part700); + +var part701 = // "Pattern{Constant('System temperature '), Field(p0,false)}" +match("MESSAGE#413:00022:08/0_0", "nwparser.payload", "System temperature %{p0}"); + +var part702 = // "Pattern{Constant('System's temperature: '), Field(p0,false)}" +match("MESSAGE#413:00022:08/0_1", "nwparser.payload", "System's temperature: %{p0}"); + +var part703 = // "Pattern{Constant('The system temperature '), Field(p0,false)}" +match("MESSAGE#413:00022:08/0_2", "nwparser.payload", "The system temperature %{p0}"); + +var select156 = linear_select([ + part701, + part702, + part703, +]); + +var part704 = // "Pattern{Constant('('), Field(fld2,true), Constant(' C'), Field(p0,false)}" +match("MESSAGE#413:00022:08/1", "nwparser.p0", "(%{fld2->} C%{p0}"); + +var part705 = // "Pattern{Constant('entigrade, '), Field(p0,false)}" +match("MESSAGE#413:00022:08/2_0", "nwparser.p0", "entigrade, %{p0}"); + +var select157 = linear_select([ + part705, + dup96, +]); + +var part706 = // "Pattern{Constant(''), Field(fld3,true), Constant(' F'), Field(p0,false)}" +match("MESSAGE#413:00022:08/3", "nwparser.p0", "%{fld3->} F%{p0}"); + +var part707 = // "Pattern{Constant('ahrenheit '), Field(p0,false)}" +match("MESSAGE#413:00022:08/4_0", "nwparser.p0", "ahrenheit %{p0}"); + +var select158 = linear_select([ + part707, + dup96, +]); + +var part708 = // "Pattern{Constant(') is too high'), Field(,false)}" +match("MESSAGE#413:00022:08/5", "nwparser.p0", ") is too high%{}"); + +var all142 = all_match({ + processors: [ + select156, + part704, + select157, + part706, + select158, + part708, + ], + on_success: processor_chain([ + dup190, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg416 = msg("00022:08", all142); + +var part709 = // "Pattern{Constant('power supply is no'), Field(p0,false)}" +match("MESSAGE#414:00022:09/2", "nwparser.p0", "power supply is no%{p0}"); + +var select159 = linear_select([ + dup193, + dup194, +]); + +var part710 = // "Pattern{Constant('functioning properly'), Field(,false)}" +match("MESSAGE#414:00022:09/4", "nwparser.p0", "functioning properly%{}"); + +var all143 = all_match({ + processors: [ + dup55, + dup372, + part709, + select159, + part710, + ], + on_success: processor_chain([ + dup190, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg417 = msg("00022:09", all143); + +var part711 = // "Pattern{Constant('The NetScreen device was unable to upgrade the file system'), Field(p0,false)}" +match("MESSAGE#415:00022:10/0", "nwparser.payload", "The NetScreen device was unable to upgrade the file system%{p0}"); + +var part712 = // "Pattern{Constant(' due to an internal conflict'), Field(,false)}" +match("MESSAGE#415:00022:10/1_0", "nwparser.p0", " due to an internal conflict%{}"); + +var part713 = // "Pattern{Constant(', but the old file system is intact'), Field(,false)}" +match("MESSAGE#415:00022:10/1_1", "nwparser.p0", ", but the old file system is intact%{}"); + +var select160 = linear_select([ + part712, + part713, +]); + +var all144 = all_match({ + processors: [ + part711, + select160, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg418 = msg("00022:10", all144); + +var part714 = // "Pattern{Constant('The NetScreen device was unable to upgrade '), Field(p0,false)}" +match("MESSAGE#416:00022:11/0", "nwparser.payload", "The NetScreen device was unable to upgrade %{p0}"); + +var part715 = // "Pattern{Constant('due to an internal conflict'), Field(,false)}" +match("MESSAGE#416:00022:11/1_0", "nwparser.p0", "due to an internal conflict%{}"); + +var part716 = // "Pattern{Constant('the loader, but the loader is intact'), Field(,false)}" +match("MESSAGE#416:00022:11/1_1", "nwparser.p0", "the loader, but the loader is intact%{}"); + +var select161 = linear_select([ + part715, + part716, +]); + +var all145 = all_match({ + processors: [ + part714, + select161, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg419 = msg("00022:11", all145); + +var part717 = // "Pattern{Constant('Battery is no'), Field(p0,false)}" +match("MESSAGE#417:00022:12/0", "nwparser.payload", "Battery is no%{p0}"); + +var select162 = linear_select([ + dup194, + dup193, +]); + +var part718 = // "Pattern{Constant('functioning properly.'), Field(,false)}" +match("MESSAGE#417:00022:12/2", "nwparser.p0", "functioning properly.%{}"); + +var all146 = all_match({ + processors: [ + part717, + select162, + part718, + ], + on_success: processor_chain([ + dup190, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg420 = msg("00022:12", all146); + +var part719 = // "Pattern{Constant('System's temperature ('), Field(fld2,true), Constant(' Centigrade, '), Field(fld3,true), Constant(' Fahrenheit) is OK now.')}" +match("MESSAGE#418:00022:13", "nwparser.payload", "System's temperature (%{fld2->} Centigrade, %{fld3->} Fahrenheit) is OK now.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg421 = msg("00022:13", part719); + +var part720 = // "Pattern{Constant('The power supply '), Field(fld2,true), Constant(' is functioning properly. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#419:00022:14", "nwparser.payload", "The power supply %{fld2->} is functioning properly. (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg422 = msg("00022:14", part720); + +var select163 = linear_select([ + msg408, + msg409, + msg410, + msg411, + msg412, + msg413, + msg414, + msg415, + msg416, + msg417, + msg418, + msg419, + msg420, + msg421, + msg422, +]); + +var part721 = // "Pattern{Constant('VIP server '), Field(hostip,true), Constant(' is not responding')}" +match("MESSAGE#420:00023", "nwparser.payload", "VIP server %{hostip->} is not responding", processor_chain([ + dup189, + dup2, + dup3, + dup4, + dup5, +])); + +var msg423 = msg("00023", part721); + +var part722 = // "Pattern{Constant('VIP/load balance server '), Field(hostip,true), Constant(' cannot be contacted')}" +match("MESSAGE#421:00023:01", "nwparser.payload", "VIP/load balance server %{hostip->} cannot be contacted", processor_chain([ + dup189, + dup2, + dup3, + dup4, + dup5, +])); + +var msg424 = msg("00023:01", part722); + +var part723 = // "Pattern{Constant('VIP server '), Field(hostip,true), Constant(' cannot be contacted')}" +match("MESSAGE#422:00023:02", "nwparser.payload", "VIP server %{hostip->} cannot be contacted", processor_chain([ + dup189, + dup2, + dup3, + dup4, + dup5, +])); + +var msg425 = msg("00023:02", part723); + +var select164 = linear_select([ + msg423, + msg424, + msg425, +]); + +var part724 = // "Pattern{Constant('The DHCP '), Field(p0,false)}" +match("MESSAGE#423:00024/0_0", "nwparser.payload", "The DHCP %{p0}"); + +var part725 = // "Pattern{Constant(' DHCP '), Field(p0,false)}" +match("MESSAGE#423:00024/0_1", "nwparser.payload", " DHCP %{p0}"); + +var select165 = linear_select([ + part724, + part725, +]); + +var part726 = // "Pattern{Constant('IP address pool has '), Field(p0,false)}" +match("MESSAGE#423:00024/2_0", "nwparser.p0", "IP address pool has %{p0}"); + +var part727 = // "Pattern{Constant('options have been '), Field(p0,false)}" +match("MESSAGE#423:00024/2_1", "nwparser.p0", "options have been %{p0}"); + +var select166 = linear_select([ + part726, + part727, +]); + +var all147 = all_match({ + processors: [ + select165, + dup195, + select166, + dup52, + dup371, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg426 = msg("00024", all147); + +var part728 = // "Pattern{Constant('Traffic log '), Field(p0,false)}" +match("MESSAGE#424:00024:01/0_0", "nwparser.payload", "Traffic log %{p0}"); + +var part729 = // "Pattern{Constant('Alarm log '), Field(p0,false)}" +match("MESSAGE#424:00024:01/0_1", "nwparser.payload", "Alarm log %{p0}"); + +var part730 = // "Pattern{Constant('Event log '), Field(p0,false)}" +match("MESSAGE#424:00024:01/0_2", "nwparser.payload", "Event log %{p0}"); + +var part731 = // "Pattern{Constant('Self log '), Field(p0,false)}" +match("MESSAGE#424:00024:01/0_3", "nwparser.payload", "Self log %{p0}"); + +var part732 = // "Pattern{Constant('Asset Recovery log '), Field(p0,false)}" +match("MESSAGE#424:00024:01/0_4", "nwparser.payload", "Asset Recovery log %{p0}"); + +var select167 = linear_select([ + part728, + part729, + part730, + part731, + part732, +]); + +var part733 = // "Pattern{Constant('has overflowed'), Field(,false)}" +match("MESSAGE#424:00024:01/1", "nwparser.p0", "has overflowed%{}"); + +var all148 = all_match({ + processors: [ + select167, + part733, + ], + on_success: processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg427 = msg("00024:01", all148); + +var part734 = // "Pattern{Constant('DHCP relay agent settings on '), Field(fld2,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#425:00024:02/0", "nwparser.payload", "DHCP relay agent settings on %{fld2->} %{p0}"); + +var part735 = // "Pattern{Constant('are '), Field(p0,false)}" +match("MESSAGE#425:00024:02/1_0", "nwparser.p0", "are %{p0}"); + +var part736 = // "Pattern{Constant('have been '), Field(p0,false)}" +match("MESSAGE#425:00024:02/1_1", "nwparser.p0", "have been %{p0}"); + +var select168 = linear_select([ + part735, + part736, +]); + +var part737 = // "Pattern{Constant(''), Field(disposition,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#425:00024:02/2", "nwparser.p0", "%{disposition->} (%{fld1})"); + +var all149 = all_match({ + processors: [ + part734, + select168, + part737, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg428 = msg("00024:02", all149); + +var part738 = // "Pattern{Constant('DHCP server IP address pool '), Field(p0,false)}" +match("MESSAGE#426:00024:03/0", "nwparser.payload", "DHCP server IP address pool %{p0}"); + +var select169 = linear_select([ + dup196, + dup106, +]); + +var part739 = // "Pattern{Constant('changed. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#426:00024:03/2", "nwparser.p0", "changed. (%{fld1})"); + +var all150 = all_match({ + processors: [ + part738, + select169, + part739, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg429 = msg("00024:03", all150); + +var select170 = linear_select([ + msg426, + msg427, + msg428, + msg429, +]); + +var part740 = // "Pattern{Constant('The DHCP server IP address pool has changed'), Field(,false)}" +match("MESSAGE#427:00025", "nwparser.payload", "The DHCP server IP address pool has changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg430 = msg("00025", part740); + +var part741 = // "Pattern{Constant('PKI: The current device '), Field(disposition,true), Constant(' to save the certificate authority configuration.')}" +match("MESSAGE#428:00025:01", "nwparser.payload", "PKI: The current device %{disposition->} to save the certificate authority configuration.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, +])); + +var msg431 = msg("00025:01", part741); + +var part742 = // "Pattern{Field(disposition,true), Constant(' to send the X509 request file via e-mail')}" +match("MESSAGE#429:00025:02", "nwparser.payload", "%{disposition->} to send the X509 request file via e-mail", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, +])); + +var msg432 = msg("00025:02", part742); + +var part743 = // "Pattern{Field(disposition,true), Constant(' to save the CA configuration')}" +match("MESSAGE#430:00025:03", "nwparser.payload", "%{disposition->} to save the CA configuration", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, +])); + +var msg433 = msg("00025:03", part743); + +var part744 = // "Pattern{Constant('Cannot load more X509 certificates. The '), Field(result,false)}" +match("MESSAGE#431:00025:04", "nwparser.payload", "Cannot load more X509 certificates. The %{result}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, +])); + +var msg434 = msg("00025:04", part744); + +var select171 = linear_select([ + msg430, + msg431, + msg432, + msg433, + msg434, +]); + +var part745 = // "Pattern{Field(signame,true), Constant(' have been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#432:00026", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, +])); + +var msg435 = msg("00026", part745); + +var part746 = // "Pattern{Field(signame,true), Constant(' have been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on interface '), Field(interface,false)}" +match("MESSAGE#433:00026:13", "nwparser.payload", "%{signame->} have been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on interface %{interface}", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, +])); + +var msg436 = msg("00026:13", part746); + +var part747 = // "Pattern{Constant('PKA key has been '), Field(p0,false)}" +match("MESSAGE#434:00026:01/2", "nwparser.p0", "PKA key has been %{p0}"); + +var part748 = // "Pattern{Constant('admin user '), Field(administrator,false), Constant('. (Key ID = '), Field(fld2,false), Constant(')')}" +match("MESSAGE#434:00026:01/4", "nwparser.p0", "admin user %{administrator}. (Key ID = %{fld2})"); + +var all151 = all_match({ + processors: [ + dup197, + dup373, + part747, + dup374, + part748, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg437 = msg("00026:01", all151); + +var part749 = // "Pattern{Constant(': SCS '), Field(p0,false)}" +match("MESSAGE#435:00026:02/1_0", "nwparser.p0", ": SCS %{p0}"); + +var select172 = linear_select([ + part749, + dup96, +]); + +var part750 = // "Pattern{Constant('has been '), Field(disposition,true), Constant(' for '), Field(p0,false)}" +match("MESSAGE#435:00026:02/2", "nwparser.p0", "has been %{disposition->} for %{p0}"); + +var part751 = // "Pattern{Constant('root system '), Field(p0,false)}" +match("MESSAGE#435:00026:02/3_0", "nwparser.p0", "root system %{p0}"); + +var part752 = // "Pattern{Field(interface,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#435:00026:02/3_1", "nwparser.p0", "%{interface->} %{p0}"); + +var select173 = linear_select([ + part751, + part752, +]); + +var all152 = all_match({ + processors: [ + dup197, + select172, + part750, + select173, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg438 = msg("00026:02", all152); + +var part753 = // "Pattern{Constant(''), Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#436:00026:03/2", "nwparser.p0", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}"); + +var all153 = all_match({ + processors: [ + dup197, + dup373, + part753, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg439 = msg("00026:03", all153); + +var part754 = // "Pattern{Constant('SCS: Connection has been terminated for admin user '), Field(administrator,true), Constant(' at '), Field(hostip,false), Constant(':'), Field(network_port,false)}" +match("MESSAGE#437:00026:04", "nwparser.payload", "SCS: Connection has been terminated for admin user %{administrator->} at %{hostip}:%{network_port}", processor_chain([ + dup200, + dup2, + dup4, + dup5, + dup3, +])); + +var msg440 = msg("00026:04", part754); + +var part755 = // "Pattern{Constant('SCS: Host client has requested NO cipher from '), Field(interface,false)}" +match("MESSAGE#438:00026:05", "nwparser.payload", "SCS: Host client has requested NO cipher from %{interface}", processor_chain([ + dup200, + dup2, + dup3, + dup4, + dup5, +])); + +var msg441 = msg("00026:05", part755); + +var part756 = // "Pattern{Constant('SCS: SSH user '), Field(username,true), Constant(' has been authenticated using PKA RSA from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. (key-ID='), Field(fld2,false)}" +match("MESSAGE#439:00026:06", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using PKA RSA from %{saddr}:%{sport}. (key-ID=%{fld2}", processor_chain([ + dup201, + dup29, + dup30, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, +])); + +var msg442 = msg("00026:06", part756); + +var part757 = // "Pattern{Constant('SCS: SSH user '), Field(username,true), Constant(' has been authenticated using password from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('.')}" +match("MESSAGE#440:00026:07", "nwparser.payload", "SCS: SSH user %{username->} has been authenticated using password from %{saddr}:%{sport}.", processor_chain([ + dup201, + dup29, + dup30, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, +])); + +var msg443 = msg("00026:07", part757); + +var part758 = // "Pattern{Constant('SSH user '), Field(username,true), Constant(' has been authenticated using '), Field(p0,false)}" +match("MESSAGE#441:00026:08/0", "nwparser.payload", "SSH user %{username->} has been authenticated using %{p0}"); + +var part759 = // "Pattern{Constant('from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' [ with key ID '), Field(fld2,true), Constant(' ]')}" +match("MESSAGE#441:00026:08/2", "nwparser.p0", "from %{saddr}:%{sport->} [ with key ID %{fld2->} ]"); + +var all154 = all_match({ + processors: [ + part758, + dup375, + part759, + ], + on_success: processor_chain([ + dup201, + dup29, + dup30, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg444 = msg("00026:08", all154); + +var part760 = // "Pattern{Constant('IPSec tunnel on int '), Field(interface,true), Constant(' with tunnel ID '), Field(fld2,true), Constant(' received a packet with a bad SPI.')}" +match("MESSAGE#442:00026:09", "nwparser.payload", "IPSec tunnel on int %{interface->} with tunnel ID %{fld2->} received a packet with a bad SPI.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg445 = msg("00026:09", part760); + +var part761 = // "Pattern{Constant('SSH: '), Field(p0,false)}" +match("MESSAGE#443:00026:10/0", "nwparser.payload", "SSH: %{p0}"); + +var part762 = // "Pattern{Constant('Failed '), Field(p0,false)}" +match("MESSAGE#443:00026:10/1_0", "nwparser.p0", "Failed %{p0}"); + +var part763 = // "Pattern{Constant('Attempt '), Field(p0,false)}" +match("MESSAGE#443:00026:10/1_1", "nwparser.p0", "Attempt %{p0}"); + +var select174 = linear_select([ + part762, + part763, +]); + +var part764 = // "Pattern{Constant('bind duplicate '), Field(p0,false)}" +match("MESSAGE#443:00026:10/3_0", "nwparser.p0", "bind duplicate %{p0}"); + +var select175 = linear_select([ + part764, + dup203, +]); + +var part765 = // "Pattern{Constant('admin user ''), Field(administrator,false), Constant('' (Key ID '), Field(fld2,false), Constant(')')}" +match("MESSAGE#443:00026:10/6", "nwparser.p0", "admin user '%{administrator}' (Key ID %{fld2})"); + +var all155 = all_match({ + processors: [ + part761, + select174, + dup103, + select175, + dup204, + dup376, + part765, + ], + on_success: processor_chain([ + dup205, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg446 = msg("00026:10", all155); + +var part766 = // "Pattern{Constant('SSH: Maximum number of PKA keys ('), Field(fld2,false), Constant(') has been bound to user ''), Field(username,false), Constant('' Key not bound. (Key ID '), Field(fld3,false), Constant(')')}" +match("MESSAGE#444:00026:11", "nwparser.payload", "SSH: Maximum number of PKA keys (%{fld2}) has been bound to user '%{username}' Key not bound. (Key ID %{fld3})", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg447 = msg("00026:11", part766); + +var part767 = // "Pattern{Constant('IKE '), Field(fld2,false), Constant(': Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed')}" +match("MESSAGE#445:00026:12", "nwparser.payload", "IKE %{fld2}: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg448 = msg("00026:12", part767); + +var select176 = linear_select([ + msg435, + msg436, + msg437, + msg438, + msg439, + msg440, + msg441, + msg442, + msg443, + msg444, + msg445, + msg446, + msg447, + msg448, +]); + +var part768 = // "Pattern{Constant('user '), Field(username,true), Constant(' from '), Field(p0,false)}" +match("MESSAGE#446:00027/2", "nwparser.p0", "user %{username->} from %{p0}"); + +var part769 = // "Pattern{Constant('IP address '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#446:00027/3_0", "nwparser.p0", "IP address %{saddr}:%{sport}"); + +var part770 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#446:00027/3_1", "nwparser.p0", "%{saddr}:%{sport}"); + +var part771 = // "Pattern{Constant('console'), Field(,false)}" +match("MESSAGE#446:00027/3_2", "nwparser.p0", "console%{}"); + +var select177 = linear_select([ + part769, + part770, + part771, +]); + +var all156 = all_match({ + processors: [ + dup206, + dup377, + part768, + select177, + ], + on_success: processor_chain([ + dup208, + dup30, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg449 = msg("00027", all156); + +var part772 = // "Pattern{Field(change_attribute,true), Constant(' has been restored from '), Field(change_old,true), Constant(' to default port '), Field(change_new,false), Constant('. '), Field(info,false)}" +match("MESSAGE#447:00027:01", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to default port %{change_new}. %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg450 = msg("00027:01", part772); + +var part773 = // "Pattern{Field(change_attribute,true), Constant(' has been restored from '), Field(change_old,true), Constant(' to '), Field(change_new,false), Constant('. '), Field(info,false)}" +match("MESSAGE#448:00027:02", "nwparser.payload", "%{change_attribute->} has been restored from %{change_old->} to %{change_new}. %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg451 = msg("00027:02", part773); + +var part774 = // "Pattern{Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to port '), Field(change_new,false), Constant('. '), Field(info,false)}" +match("MESSAGE#449:00027:03", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}. %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg452 = msg("00027:03", part774); + +var part775 = // "Pattern{Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to port '), Field(change_new,false)}" +match("MESSAGE#450:00027:04", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to port %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg453 = msg("00027:04", part775); + +var part776 = // "Pattern{Constant('ScreenOS '), Field(version,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#451:00027:05/0", "nwparser.payload", "ScreenOS %{version->} %{p0}"); + +var part777 = // "Pattern{Constant('Serial '), Field(p0,false)}" +match("MESSAGE#451:00027:05/1_0", "nwparser.p0", "Serial %{p0}"); + +var part778 = // "Pattern{Constant('serial '), Field(p0,false)}" +match("MESSAGE#451:00027:05/1_1", "nwparser.p0", "serial %{p0}"); + +var select178 = linear_select([ + part777, + part778, +]); + +var part779 = // "Pattern{Constant('# '), Field(fld2,false), Constant(': Asset recovery '), Field(p0,false)}" +match("MESSAGE#451:00027:05/2", "nwparser.p0", "# %{fld2}: Asset recovery %{p0}"); + +var part780 = // "Pattern{Constant('performed '), Field(p0,false)}" +match("MESSAGE#451:00027:05/3_0", "nwparser.p0", "performed %{p0}"); + +var select179 = linear_select([ + part780, + dup127, +]); + +var select180 = linear_select([ + dup209, + dup210, +]); + +var all157 = all_match({ + processors: [ + part776, + select178, + part779, + select179, + dup23, + select180, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg454 = msg("00027:05", all157); + +var part781 = // "Pattern{Constant('Device Reset (Asset Recovery) has been '), Field(p0,false)}" +match("MESSAGE#452:00027:06/0", "nwparser.payload", "Device Reset (Asset Recovery) has been %{p0}"); + +var select181 = linear_select([ + dup210, + dup209, +]); + +var all158 = all_match({ + processors: [ + part781, + select181, + ], + on_success: processor_chain([ + setc("eventcategory","1606000000"), + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg455 = msg("00027:06", all158); + +var part782 = // "Pattern{Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false), Constant('. '), Field(info,false)}" +match("MESSAGE#453:00027:07", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}. %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg456 = msg("00027:07", part782); + +var part783 = // "Pattern{Constant('System configuration has been erased'), Field(,false)}" +match("MESSAGE#454:00027:08", "nwparser.payload", "System configuration has been erased%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg457 = msg("00027:08", part783); + +var part784 = // "Pattern{Constant('License key '), Field(fld2,true), Constant(' is due to expire in '), Field(fld3,false), Constant('.')}" +match("MESSAGE#455:00027:09", "nwparser.payload", "License key %{fld2->} is due to expire in %{fld3}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg458 = msg("00027:09", part784); + +var part785 = // "Pattern{Constant('License key '), Field(fld2,true), Constant(' has expired.')}" +match("MESSAGE#456:00027:10", "nwparser.payload", "License key %{fld2->} has expired.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg459 = msg("00027:10", part785); + +var part786 = // "Pattern{Constant('License key '), Field(fld2,true), Constant(' expired after 30-day grace period.')}" +match("MESSAGE#457:00027:11", "nwparser.payload", "License key %{fld2->} expired after 30-day grace period.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg460 = msg("00027:11", part786); + +var part787 = // "Pattern{Constant('Request to retrieve license key failed to reach '), Field(p0,false)}" +match("MESSAGE#458:00027:12/0", "nwparser.payload", "Request to retrieve license key failed to reach %{p0}"); + +var part788 = // "Pattern{Constant('the server '), Field(p0,false)}" +match("MESSAGE#458:00027:12/1_0", "nwparser.p0", "the server %{p0}"); + +var select182 = linear_select([ + part788, + dup195, +]); + +var part789 = // "Pattern{Constant('by '), Field(fld2,false), Constant('. Server url: '), Field(url,false)}" +match("MESSAGE#458:00027:12/2", "nwparser.p0", "by %{fld2}. Server url: %{url}"); + +var all159 = all_match({ + processors: [ + part787, + select182, + part789, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg461 = msg("00027:12", all159); + +var part790 = // "Pattern{Constant('user '), Field(username,false)}" +match("MESSAGE#459:00027:13/2", "nwparser.p0", "user %{username}"); + +var all160 = all_match({ + processors: [ + dup206, + dup377, + part790, + ], + on_success: processor_chain([ + dup208, + dup30, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg462 = msg("00027:13", all160); + +var part791 = // "Pattern{Constant('Configuration Erasure Process '), Field(p0,false)}" +match("MESSAGE#460:00027:14/0", "nwparser.payload", "Configuration Erasure Process %{p0}"); + +var part792 = // "Pattern{Constant('has been initiated '), Field(p0,false)}" +match("MESSAGE#460:00027:14/1_0", "nwparser.p0", "has been initiated %{p0}"); + +var part793 = // "Pattern{Constant('aborted '), Field(p0,false)}" +match("MESSAGE#460:00027:14/1_1", "nwparser.p0", "aborted %{p0}"); + +var select183 = linear_select([ + part792, + part793, +]); + +var part794 = // "Pattern{Constant('.'), Field(space,false), Constant('('), Field(fld1,false), Constant(')')}" +match("MESSAGE#460:00027:14/2", "nwparser.p0", ".%{space}(%{fld1})"); + +var all161 = all_match({ + processors: [ + part791, + select183, + part794, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg463 = msg("00027:14", all161); + +var part795 = // "Pattern{Constant('Waiting for 2nd confirmation. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#461:00027:15", "nwparser.payload", "Waiting for 2nd confirmation. (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg464 = msg("00027:15", part795); + +var part796 = // "Pattern{Constant('Admin '), Field(fld3,true), Constant(' policy id '), Field(policy_id,true), Constant(' name "'), Field(fld2,true), Constant(' has been re-enabled by NetScreen system after being locked due to excessive failed login attempts ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1220:00027:16", "nwparser.payload", "Admin %{fld3->} policy id %{policy_id->} name \"%{fld2->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg465 = msg("00027:16", part796); + +var part797 = // "Pattern{Constant('Admin '), Field(username,true), Constant(' is locked and will be unlocked after '), Field(duration,true), Constant(' minutes ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1225:00027:17", "nwparser.payload", "Admin %{username->} is locked and will be unlocked after %{duration->} minutes (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, +])); + +var msg466 = msg("00027:17", part797); + +var part798 = // "Pattern{Constant('Login attempt by admin '), Field(username,true), Constant(' from '), Field(saddr,true), Constant(' is refused as this account is locked ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1226:00027:18", "nwparser.payload", "Login attempt by admin %{username->} from %{saddr->} is refused as this account is locked (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, +])); + +var msg467 = msg("00027:18", part798); + +var part799 = // "Pattern{Constant('Admin '), Field(username,true), Constant(' has been re-enabled by NetScreen system after being locked due to excessive failed login attempts ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1227:00027:19", "nwparser.payload", "Admin %{username->} has been re-enabled by NetScreen system after being locked due to excessive failed login attempts (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, +])); + +var msg468 = msg("00027:19", part799); + +var select184 = linear_select([ + msg449, + msg450, + msg451, + msg452, + msg453, + msg454, + msg455, + msg456, + msg457, + msg458, + msg459, + msg460, + msg461, + msg462, + msg463, + msg464, + msg465, + msg466, + msg467, + msg468, +]); + +var part800 = // "Pattern{Constant('An Intruder'), Field(p0,false)}" +match("MESSAGE#462:00028/0_0", "nwparser.payload", "An Intruder%{p0}"); + +var part801 = // "Pattern{Constant('Intruder'), Field(p0,false)}" +match("MESSAGE#462:00028/0_1", "nwparser.payload", "Intruder%{p0}"); + +var part802 = // "Pattern{Constant('An intruter'), Field(p0,false)}" +match("MESSAGE#462:00028/0_2", "nwparser.payload", "An intruter%{p0}"); + +var select185 = linear_select([ + part800, + part801, + part802, +]); + +var part803 = // "Pattern{Field(,false), Constant('has attempted to connect to the NetScreen-Global PRO port! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' at interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#462:00028/1", "nwparser.p0", "%{}has attempted to connect to the NetScreen-Global PRO port! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); + +var all162 = all_match({ + processors: [ + select185, + part803, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + setc("signame","Attempt to Connect to the NetScreen-Global Port"), + ]), +}); + +var msg469 = msg("00028", all162); + +var part804 = // "Pattern{Constant('DNS has been refreshed'), Field(,false)}" +match("MESSAGE#463:00029", "nwparser.payload", "DNS has been refreshed%{}", processor_chain([ + dup211, + dup2, + dup3, + dup4, + dup5, +])); + +var msg470 = msg("00029", part804); + +var part805 = // "Pattern{Constant('DHCP file write: out of memory.'), Field(,false)}" +match("MESSAGE#464:00029:01", "nwparser.payload", "DHCP file write: out of memory.%{}", processor_chain([ + dup186, + dup2, + dup3, + dup4, + dup5, +])); + +var msg471 = msg("00029:01", part805); + +var part806 = // "Pattern{Constant('The DHCP process cannot open file '), Field(fld2,true), Constant(' to '), Field(p0,false)}" +match("MESSAGE#465:00029:02/0", "nwparser.payload", "The DHCP process cannot open file %{fld2->} to %{p0}"); + +var part807 = // "Pattern{Constant('read '), Field(p0,false)}" +match("MESSAGE#465:00029:02/1_0", "nwparser.p0", "read %{p0}"); + +var part808 = // "Pattern{Constant('write '), Field(p0,false)}" +match("MESSAGE#465:00029:02/1_1", "nwparser.p0", "write %{p0}"); + +var select186 = linear_select([ + part807, + part808, +]); + +var part809 = // "Pattern{Constant('data.'), Field(,false)}" +match("MESSAGE#465:00029:02/2", "nwparser.p0", "data.%{}"); + +var all163 = all_match({ + processors: [ + part806, + select186, + part809, + ], + on_success: processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg472 = msg("00029:02", all163); + +var part810 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' is full. Unable to '), Field(p0,false)}" +match("MESSAGE#466:00029:03/2", "nwparser.p0", "%{} %{interface->} is full. Unable to %{p0}"); + +var part811 = // "Pattern{Constant('commit '), Field(p0,false)}" +match("MESSAGE#466:00029:03/3_0", "nwparser.p0", "commit %{p0}"); + +var part812 = // "Pattern{Constant('offer '), Field(p0,false)}" +match("MESSAGE#466:00029:03/3_1", "nwparser.p0", "offer %{p0}"); + +var select187 = linear_select([ + part811, + part812, +]); + +var part813 = // "Pattern{Constant('IP address to client at '), Field(fld2,false)}" +match("MESSAGE#466:00029:03/4", "nwparser.p0", "IP address to client at %{fld2}"); + +var all164 = all_match({ + processors: [ + dup212, + dup339, + part810, + select187, + part813, + ], + on_success: processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg473 = msg("00029:03", all164); + +var part814 = // "Pattern{Constant('DHCP server set to OFF on '), Field(interface,true), Constant(' (another server found on '), Field(hostip,false), Constant(').')}" +match("MESSAGE#467:00029:04", "nwparser.payload", "DHCP server set to OFF on %{interface->} (another server found on %{hostip}).", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg474 = msg("00029:04", part814); + +var select188 = linear_select([ + msg470, + msg471, + msg472, + msg473, + msg474, +]); + +var part815 = // "Pattern{Constant('CA configuration is invalid'), Field(,false)}" +match("MESSAGE#468:00030", "nwparser.payload", "CA configuration is invalid%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg475 = msg("00030", part815); + +var part816 = // "Pattern{Constant('DSS checking of CRLs has been changed from '), Field(p0,false)}" +match("MESSAGE#469:00030:01/0", "nwparser.payload", "DSS checking of CRLs has been changed from %{p0}"); + +var part817 = // "Pattern{Constant('0 to 1'), Field(,false)}" +match("MESSAGE#469:00030:01/1_0", "nwparser.p0", "0 to 1%{}"); + +var part818 = // "Pattern{Constant('1 to 0'), Field(,false)}" +match("MESSAGE#469:00030:01/1_1", "nwparser.p0", "1 to 0%{}"); + +var select189 = linear_select([ + part817, + part818, +]); + +var all165 = all_match({ + processors: [ + part816, + select189, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg476 = msg("00030:01", all165); + +var part819 = // "Pattern{Constant('For the X509 certificate '), Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#470:00030:05", "nwparser.payload", "For the X509 certificate %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg477 = msg("00030:05", part819); + +var part820 = // "Pattern{Constant('In the X509 certificate request the '), Field(fld2,true), Constant(' field has been changed from '), Field(fld3,false)}" +match("MESSAGE#471:00030:06", "nwparser.payload", "In the X509 certificate request the %{fld2->} field has been changed from %{fld3}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg478 = msg("00030:06", part820); + +var part821 = // "Pattern{Constant('RA X509 certificate cannot be loaded'), Field(,false)}" +match("MESSAGE#472:00030:07", "nwparser.payload", "RA X509 certificate cannot be loaded%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg479 = msg("00030:07", part821); + +var part822 = // "Pattern{Constant('Self-signed X509 certificate cannot be generated'), Field(,false)}" +match("MESSAGE#473:00030:10", "nwparser.payload", "Self-signed X509 certificate cannot be generated%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, +])); + +var msg480 = msg("00030:10", part822); + +var part823 = // "Pattern{Constant('The public key for ScreenOS image has successfully been updated'), Field(,false)}" +match("MESSAGE#474:00030:12", "nwparser.payload", "The public key for ScreenOS image has successfully been updated%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg481 = msg("00030:12", part823); + +var part824 = // "Pattern{Constant('The public key used for ScreenOS image authentication cannot be '), Field(p0,false)}" +match("MESSAGE#475:00030:13/0", "nwparser.payload", "The public key used for ScreenOS image authentication cannot be %{p0}"); + +var part825 = // "Pattern{Constant('decoded'), Field(,false)}" +match("MESSAGE#475:00030:13/1_0", "nwparser.p0", "decoded%{}"); + +var part826 = // "Pattern{Constant('loaded'), Field(,false)}" +match("MESSAGE#475:00030:13/1_1", "nwparser.p0", "loaded%{}"); + +var select190 = linear_select([ + part825, + part826, +]); + +var all166 = all_match({ + processors: [ + part824, + select190, + ], + on_success: processor_chain([ + dup35, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg482 = msg("00030:13", all166); + +var part827 = // "Pattern{Constant('CA IDENT '), Field(p0,false)}" +match("MESSAGE#476:00030:14/1_0", "nwparser.p0", "CA IDENT %{p0}"); + +var part828 = // "Pattern{Constant('Challenge password '), Field(p0,false)}" +match("MESSAGE#476:00030:14/1_1", "nwparser.p0", "Challenge password %{p0}"); + +var part829 = // "Pattern{Constant('CA CGI URL '), Field(p0,false)}" +match("MESSAGE#476:00030:14/1_2", "nwparser.p0", "CA CGI URL %{p0}"); + +var part830 = // "Pattern{Constant('RA CGI URL '), Field(p0,false)}" +match("MESSAGE#476:00030:14/1_3", "nwparser.p0", "RA CGI URL %{p0}"); + +var select191 = linear_select([ + part827, + part828, + part829, + part830, +]); + +var part831 = // "Pattern{Constant('for SCEP '), Field(p0,false)}" +match("MESSAGE#476:00030:14/2", "nwparser.p0", "for SCEP %{p0}"); + +var part832 = // "Pattern{Constant('requests '), Field(p0,false)}" +match("MESSAGE#476:00030:14/3_0", "nwparser.p0", "requests %{p0}"); + +var select192 = linear_select([ + part832, + dup16, +]); + +var part833 = // "Pattern{Constant('has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#476:00030:14/4", "nwparser.p0", "has been changed from %{change_old->} to %{change_new}"); + +var all167 = all_match({ + processors: [ + dup55, + select191, + part831, + select192, + part833, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg483 = msg("00030:14", all167); + +var msg484 = msg("00030:02", dup378); + +var part834 = // "Pattern{Constant('X509 certificate for ScreenOS image authentication is invalid'), Field(,false)}" +match("MESSAGE#478:00030:15", "nwparser.payload", "X509 certificate for ScreenOS image authentication is invalid%{}", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg485 = msg("00030:15", part834); + +var part835 = // "Pattern{Constant('X509 certificate has been deleted'), Field(,false)}" +match("MESSAGE#479:00030:16", "nwparser.payload", "X509 certificate has been deleted%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg486 = msg("00030:16", part835); + +var part836 = // "Pattern{Constant('PKI CRL: no revoke info accept per config DN '), Field(interface,false), Constant('.')}" +match("MESSAGE#480:00030:18", "nwparser.payload", "PKI CRL: no revoke info accept per config DN %{interface}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg487 = msg("00030:18", part836); + +var part837 = // "Pattern{Constant('PKI: A configurable item '), Field(change_attribute,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#481:00030:19/0", "nwparser.payload", "PKI: A configurable item %{change_attribute->} %{p0}"); + +var part838 = // "Pattern{Constant('mode '), Field(p0,false)}" +match("MESSAGE#481:00030:19/1_0", "nwparser.p0", "mode %{p0}"); + +var part839 = // "Pattern{Constant('field'), Field(p0,false)}" +match("MESSAGE#481:00030:19/1_1", "nwparser.p0", "field%{p0}"); + +var select193 = linear_select([ + part838, + part839, +]); + +var part840 = // "Pattern{Field(,false), Constant('has changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#481:00030:19/2", "nwparser.p0", "%{}has changed from %{change_old->} to %{change_new}"); + +var all168 = all_match({ + processors: [ + part837, + select193, + part840, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg488 = msg("00030:19", all168); + +var part841 = // "Pattern{Constant('PKI: NSRP cold sync start for total of '), Field(fld2,true), Constant(' items.')}" +match("MESSAGE#482:00030:30", "nwparser.payload", "PKI: NSRP cold sync start for total of %{fld2->} items.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg489 = msg("00030:30", part841); + +var part842 = // "Pattern{Constant('PKI: NSRP sync received cold sync item '), Field(fld2,true), Constant(' out of order expect '), Field(fld3,true), Constant(' of '), Field(fld4,false), Constant('.')}" +match("MESSAGE#483:00030:31", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} out of order expect %{fld3->} of %{fld4}.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, +])); + +var msg490 = msg("00030:31", part842); + +var part843 = // "Pattern{Constant('PKI: NSRP sync received cold sync item '), Field(fld2,true), Constant(' without first item.')}" +match("MESSAGE#484:00030:32", "nwparser.payload", "PKI: NSRP sync received cold sync item %{fld2->} without first item.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, +])); + +var msg491 = msg("00030:32", part843); + +var part844 = // "Pattern{Constant('PKI: NSRP sync received normal item during cold sync.'), Field(,false)}" +match("MESSAGE#485:00030:33", "nwparser.payload", "PKI: NSRP sync received normal item during cold sync.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg492 = msg("00030:33", part844); + +var part845 = // "Pattern{Constant('PKI: The CRL '), Field(policy_id,true), Constant(' is deleted.')}" +match("MESSAGE#486:00030:34", "nwparser.payload", "PKI: The CRL %{policy_id->} is deleted.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg493 = msg("00030:34", part845); + +var part846 = // "Pattern{Constant('PKI: The NSRP high availability synchronization '), Field(fld2,true), Constant(' failed.')}" +match("MESSAGE#487:00030:35", "nwparser.payload", "PKI: The NSRP high availability synchronization %{fld2->} failed.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, +])); + +var msg494 = msg("00030:35", part846); + +var part847 = // "Pattern{Constant('PKI: The '), Field(change_attribute,true), Constant(' has changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false), Constant('.')}" +match("MESSAGE#488:00030:36", "nwparser.payload", "PKI: The %{change_attribute->} has changed from %{change_old->} to %{change_new}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg495 = msg("00030:36", part847); + +var part848 = // "Pattern{Constant('PKI: The X.509 certificate for the ScreenOS image authentication is invalid.'), Field(,false)}" +match("MESSAGE#489:00030:37", "nwparser.payload", "PKI: The X.509 certificate for the ScreenOS image authentication is invalid.%{}", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg496 = msg("00030:37", part848); + +var part849 = // "Pattern{Constant('PKI: The X.509 local certificate cannot be sync to vsd member.'), Field(,false)}" +match("MESSAGE#490:00030:38", "nwparser.payload", "PKI: The X.509 local certificate cannot be sync to vsd member.%{}", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg497 = msg("00030:38", part849); + +var part850 = // "Pattern{Constant('PKI: The X.509 certificate '), Field(p0,false)}" +match("MESSAGE#491:00030:39/0", "nwparser.payload", "PKI: The X.509 certificate %{p0}"); + +var part851 = // "Pattern{Constant('revocation list '), Field(p0,false)}" +match("MESSAGE#491:00030:39/1_0", "nwparser.p0", "revocation list %{p0}"); + +var select194 = linear_select([ + part851, + dup16, +]); + +var part852 = // "Pattern{Constant('cannot be loaded during NSRP synchronization.'), Field(,false)}" +match("MESSAGE#491:00030:39/2", "nwparser.p0", "cannot be loaded during NSRP synchronization.%{}"); + +var all169 = all_match({ + processors: [ + part850, + select194, + part852, + ], + on_success: processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg498 = msg("00030:39", all169); + +var part853 = // "Pattern{Constant('X509 '), Field(p0,false)}" +match("MESSAGE#492:00030:17/0", "nwparser.payload", "X509 %{p0}"); + +var part854 = // "Pattern{Constant('cannot be loaded'), Field(,false)}" +match("MESSAGE#492:00030:17/2", "nwparser.p0", "cannot be loaded%{}"); + +var all170 = all_match({ + processors: [ + part853, + dup379, + part854, + ], + on_success: processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg499 = msg("00030:17", all170); + +var part855 = // "Pattern{Constant('PKI: The certificate '), Field(fld2,true), Constant(' will expire '), Field(p0,false)}" +match("MESSAGE#493:00030:40/0", "nwparser.payload", "PKI: The certificate %{fld2->} will expire %{p0}"); + +var part856 = // "Pattern{Constant('please '), Field(p0,false)}" +match("MESSAGE#493:00030:40/1_1", "nwparser.p0", "please %{p0}"); + +var select195 = linear_select([ + dup216, + part856, +]); + +var part857 = // "Pattern{Constant('renew.'), Field(,false)}" +match("MESSAGE#493:00030:40/2", "nwparser.p0", "renew.%{}"); + +var all171 = all_match({ + processors: [ + part855, + select195, + part857, + ], + on_success: processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg500 = msg("00030:40", all171); + +var part858 = // "Pattern{Constant('PKI: The certificate revocation list has expired issued by certificate authority '), Field(fld2,false), Constant('.')}" +match("MESSAGE#494:00030:41", "nwparser.payload", "PKI: The certificate revocation list has expired issued by certificate authority %{fld2}.", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg501 = msg("00030:41", part858); + +var part859 = // "Pattern{Constant('PKI: The configuration content of certificate authority '), Field(fld2,true), Constant(' is not valid.')}" +match("MESSAGE#495:00030:42", "nwparser.payload", "PKI: The configuration content of certificate authority %{fld2->} is not valid.", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg502 = msg("00030:42", part859); + +var part860 = // "Pattern{Constant('PKI: The device cannot allocate this object id number '), Field(fld2,false), Constant('.')}" +match("MESSAGE#496:00030:43", "nwparser.payload", "PKI: The device cannot allocate this object id number %{fld2}.", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg503 = msg("00030:43", part860); + +var part861 = // "Pattern{Constant('PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].'), Field(,false)}" +match("MESSAGE#497:00030:44", "nwparser.payload", "PKI: The device cannot extract the X.509 certificate revocation list [ (CRL) ].%{}", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg504 = msg("00030:44", part861); + +var part862 = // "Pattern{Constant('PKI: The device cannot find the PKI object '), Field(fld2,true), Constant(' during cold sync.')}" +match("MESSAGE#498:00030:45", "nwparser.payload", "PKI: The device cannot find the PKI object %{fld2->} during cold sync.", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg505 = msg("00030:45", part862); + +var part863 = // "Pattern{Constant('PKI: The device cannot load X.509 certificate onto the device certificate '), Field(fld2,false), Constant('.')}" +match("MESSAGE#499:00030:46", "nwparser.payload", "PKI: The device cannot load X.509 certificate onto the device certificate %{fld2}.", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg506 = msg("00030:46", part863); + +var part864 = // "Pattern{Constant('PKI: The device cannot load a certificate pending SCEP completion.'), Field(,false)}" +match("MESSAGE#500:00030:47", "nwparser.payload", "PKI: The device cannot load a certificate pending SCEP completion.%{}", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg507 = msg("00030:47", part864); + +var part865 = // "Pattern{Constant('PKI: The device cannot load an X.509 certificate revocation list (CRL).'), Field(,false)}" +match("MESSAGE#501:00030:48", "nwparser.payload", "PKI: The device cannot load an X.509 certificate revocation list (CRL).%{}", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg508 = msg("00030:48", part865); + +var part866 = // "Pattern{Constant('PKI: The device cannot load the CA certificate received through SCEP.'), Field(,false)}" +match("MESSAGE#502:00030:49", "nwparser.payload", "PKI: The device cannot load the CA certificate received through SCEP.%{}", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg509 = msg("00030:49", part866); + +var part867 = // "Pattern{Constant('PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.'), Field(,false)}" +match("MESSAGE#503:00030:50", "nwparser.payload", "PKI: The device cannot load the X.509 certificate revocation list (CRL) from the file.%{}", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg510 = msg("00030:50", part867); + +var part868 = // "Pattern{Constant('PKI: The device cannot load the X.509 local certificate received through SCEP.'), Field(,false)}" +match("MESSAGE#504:00030:51", "nwparser.payload", "PKI: The device cannot load the X.509 local certificate received through SCEP.%{}", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg511 = msg("00030:51", part868); + +var part869 = // "Pattern{Constant('PKI: The device cannot load the X.509 '), Field(product,true), Constant(' during boot.')}" +match("MESSAGE#505:00030:52", "nwparser.payload", "PKI: The device cannot load the X.509 %{product->} during boot.", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg512 = msg("00030:52", part869); + +var part870 = // "Pattern{Constant('PKI: The device cannot load the X.509 certificate file.'), Field(,false)}" +match("MESSAGE#506:00030:53", "nwparser.payload", "PKI: The device cannot load the X.509 certificate file.%{}", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg513 = msg("00030:53", part870); + +var part871 = // "Pattern{Constant('PKI: The device completed the coldsync of the PKI object at '), Field(fld2,true), Constant(' attempt.')}" +match("MESSAGE#507:00030:54", "nwparser.payload", "PKI: The device completed the coldsync of the PKI object at %{fld2->} attempt.", processor_chain([ + dup44, + dup213, + dup31, + dup2, + dup3, + dup4, + dup5, +])); + +var msg514 = msg("00030:54", part871); + +var part872 = // "Pattern{Constant('PKI: The device could not generate '), Field(p0,false)}" +match("MESSAGE#508:00030:55/0", "nwparser.payload", "PKI: The device could not generate %{p0}"); + +var all172 = all_match({ + processors: [ + part872, + dup380, + dup219, + ], + on_success: processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg515 = msg("00030:55", all172); + +var part873 = // "Pattern{Constant('PKI: The device detected an invalid RSA key.'), Field(,false)}" +match("MESSAGE#509:00030:56", "nwparser.payload", "PKI: The device detected an invalid RSA key.%{}", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg516 = msg("00030:56", part873); + +var part874 = // "Pattern{Constant('PKI: The device detected an invalid digital signature algorithm (DSA) key.'), Field(,false)}" +match("MESSAGE#510:00030:57", "nwparser.payload", "PKI: The device detected an invalid digital signature algorithm (DSA) key.%{}", processor_chain([ + dup35, + dup220, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg517 = msg("00030:57", part874); + +var part875 = // "Pattern{Constant('PKI: The device failed to coldsync the PKI object at '), Field(fld2,true), Constant(' attempt.')}" +match("MESSAGE#511:00030:58", "nwparser.payload", "PKI: The device failed to coldsync the PKI object at %{fld2->} attempt.", processor_chain([ + dup86, + dup220, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, +])); + +var msg518 = msg("00030:58", part875); + +var part876 = // "Pattern{Constant('PKI: The device failed to decode the public key of the image'), Field(p0,false)}" +match("MESSAGE#512:00030:59/0", "nwparser.payload", "PKI: The device failed to decode the public key of the image%{p0}"); + +var part877 = // "Pattern{Constant('s signer certificate.'), Field(,false)}" +match("MESSAGE#512:00030:59/2", "nwparser.p0", "s signer certificate.%{}"); + +var all173 = all_match({ + processors: [ + part876, + dup363, + part877, + ], + on_success: processor_chain([ + dup35, + dup220, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg519 = msg("00030:59", all173); + +var part878 = // "Pattern{Constant('PKI: The device failed to install the RSA key.'), Field(,false)}" +match("MESSAGE#513:00030:60", "nwparser.payload", "PKI: The device failed to install the RSA key.%{}", processor_chain([ + dup35, + dup220, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, +])); + +var msg520 = msg("00030:60", part878); + +var part879 = // "Pattern{Constant('PKI: The device failed to retrieve the pending certificate '), Field(fld2,false), Constant('.')}" +match("MESSAGE#514:00030:61", "nwparser.payload", "PKI: The device failed to retrieve the pending certificate %{fld2}.", processor_chain([ + dup35, + dup213, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, +])); + +var msg521 = msg("00030:61", part879); + +var part880 = // "Pattern{Constant('PKI: The device failed to save the certificate authority related configuration.'), Field(,false)}" +match("MESSAGE#515:00030:62", "nwparser.payload", "PKI: The device failed to save the certificate authority related configuration.%{}", processor_chain([ + dup35, + dup213, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, +])); + +var msg522 = msg("00030:62", part880); + +var part881 = // "Pattern{Constant('PKI: The device failed to store the authority configuration.'), Field(,false)}" +match("MESSAGE#516:00030:63", "nwparser.payload", "PKI: The device failed to store the authority configuration.%{}", processor_chain([ + dup18, + dup221, + dup51, + dup54, + dup2, + dup3, + dup4, + dup5, +])); + +var msg523 = msg("00030:63", part881); + +var part882 = // "Pattern{Constant('PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.'), Field(,false)}" +match("MESSAGE#517:00030:64", "nwparser.payload", "PKI: The device failed to synchronize new DSA/RSA key pair to NSRP peer.%{}", processor_chain([ + dup18, + dup220, + dup51, + dup54, + dup2, + dup3, + dup4, + dup5, +])); + +var msg524 = msg("00030:64", part882); + +var part883 = // "Pattern{Constant('PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.'), Field(,false)}" +match("MESSAGE#518:00030:65", "nwparser.payload", "PKI: The device failed to synchronize DSA/RSA key pair to NSRP peer.%{}", processor_chain([ + dup18, + dup220, + dup51, + dup54, + dup2, + dup3, + dup4, + dup5, +])); + +var msg525 = msg("00030:65", part883); + +var part884 = // "Pattern{Constant('PKI: The device has detected an invalid X.509 object attribute '), Field(fld2,false), Constant('.')}" +match("MESSAGE#519:00030:66", "nwparser.payload", "PKI: The device has detected an invalid X.509 object attribute %{fld2}.", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg526 = msg("00030:66", part884); + +var part885 = // "Pattern{Constant('PKI: The device has detected invalid X.509 object content.'), Field(,false)}" +match("MESSAGE#520:00030:67", "nwparser.payload", "PKI: The device has detected invalid X.509 object content.%{}", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg527 = msg("00030:67", part885); + +var part886 = // "Pattern{Constant('PKI: The device has failed to load an invalid X.509 object.'), Field(,false)}" +match("MESSAGE#521:00030:68", "nwparser.payload", "PKI: The device has failed to load an invalid X.509 object.%{}", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg528 = msg("00030:68", part886); + +var part887 = // "Pattern{Constant('PKI: The device is loading the version 0 PKI data.'), Field(,false)}" +match("MESSAGE#522:00030:69", "nwparser.payload", "PKI: The device is loading the version 0 PKI data.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg529 = msg("00030:69", part887); + +var part888 = // "Pattern{Constant('PKI: The device successfully generated a new '), Field(p0,false)}" +match("MESSAGE#523:00030:70/0", "nwparser.payload", "PKI: The device successfully generated a new %{p0}"); + +var all174 = all_match({ + processors: [ + part888, + dup380, + dup219, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg530 = msg("00030:70", all174); + +var part889 = // "Pattern{Constant('PKI: The public key of image'), Field(p0,false)}" +match("MESSAGE#524:00030:71/0", "nwparser.payload", "PKI: The public key of image%{p0}"); + +var part890 = // "Pattern{Constant('s signer has been loaded successfully, for future image authentication.'), Field(,false)}" +match("MESSAGE#524:00030:71/2", "nwparser.p0", "s signer has been loaded successfully, for future image authentication.%{}"); + +var all175 = all_match({ + processors: [ + part889, + dup363, + part890, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg531 = msg("00030:71", all175); + +var part891 = // "Pattern{Constant('PKI: The signature of the image'), Field(p0,false)}" +match("MESSAGE#525:00030:72/0", "nwparser.payload", "PKI: The signature of the image%{p0}"); + +var part892 = // "Pattern{Constant('s signer certificate cannot be verified.'), Field(,false)}" +match("MESSAGE#525:00030:72/2", "nwparser.p0", "s signer certificate cannot be verified.%{}"); + +var all176 = all_match({ + processors: [ + part891, + dup363, + part892, + ], + on_success: processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg532 = msg("00030:72", all176); + +var part893 = // "Pattern{Constant('PKI: The '), Field(p0,false)}" +match("MESSAGE#526:00030:73/0", "nwparser.payload", "PKI: The %{p0}"); + +var part894 = // "Pattern{Constant('file name '), Field(p0,false)}" +match("MESSAGE#526:00030:73/1_0", "nwparser.p0", "file name %{p0}"); + +var part895 = // "Pattern{Constant('friendly name of a certificate '), Field(p0,false)}" +match("MESSAGE#526:00030:73/1_1", "nwparser.p0", "friendly name of a certificate %{p0}"); + +var part896 = // "Pattern{Constant('vsys name '), Field(p0,false)}" +match("MESSAGE#526:00030:73/1_2", "nwparser.p0", "vsys name %{p0}"); + +var select196 = linear_select([ + part894, + part895, + part896, +]); + +var part897 = // "Pattern{Constant('is too long '), Field(fld2,true), Constant(' to do NSRP synchronization allowed '), Field(fld3,false), Constant('.')}" +match("MESSAGE#526:00030:73/2", "nwparser.p0", "is too long %{fld2->} to do NSRP synchronization allowed %{fld3}."); + +var all177 = all_match({ + processors: [ + part893, + select196, + part897, + ], + on_success: processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg533 = msg("00030:73", all177); + +var part898 = // "Pattern{Constant('PKI: Upgrade from earlier version save to file.'), Field(,false)}" +match("MESSAGE#527:00030:74", "nwparser.payload", "PKI: Upgrade from earlier version save to file.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg534 = msg("00030:74", part898); + +var part899 = // "Pattern{Constant('PKI: X.509 certificate has been deleted distinguished name '), Field(username,false), Constant('.')}" +match("MESSAGE#528:00030:75", "nwparser.payload", "PKI: X.509 certificate has been deleted distinguished name %{username}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg535 = msg("00030:75", part899); + +var part900 = // "Pattern{Constant('PKI: X.509 '), Field(p0,false)}" +match("MESSAGE#529:00030:76/0", "nwparser.payload", "PKI: X.509 %{p0}"); + +var part901 = // "Pattern{Constant('file has been loaded successfully filename '), Field(fld2,false), Constant('.')}" +match("MESSAGE#529:00030:76/2", "nwparser.p0", "file has been loaded successfully filename %{fld2}."); + +var all178 = all_match({ + processors: [ + part900, + dup379, + part901, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg536 = msg("00030:76", all178); + +var part902 = // "Pattern{Constant('PKI: failed to install DSA key.'), Field(,false)}" +match("MESSAGE#530:00030:77", "nwparser.payload", "PKI: failed to install DSA key.%{}", processor_chain([ + dup18, + dup220, + dup51, + dup54, + dup2, + dup3, + dup4, + dup5, +])); + +var msg537 = msg("00030:77", part902); + +var part903 = // "Pattern{Constant('PKI: no FQDN available when requesting certificate.'), Field(,false)}" +match("MESSAGE#531:00030:78", "nwparser.payload", "PKI: no FQDN available when requesting certificate.%{}", processor_chain([ + dup35, + dup213, + dup222, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg538 = msg("00030:78", part903); + +var part904 = // "Pattern{Constant('PKI: no cert revocation check per config DN '), Field(username,false), Constant('.')}" +match("MESSAGE#532:00030:79", "nwparser.payload", "PKI: no cert revocation check per config DN %{username}.", processor_chain([ + dup35, + dup213, + dup222, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg539 = msg("00030:79", part904); + +var part905 = // "Pattern{Constant('PKI: no nsrp sync for pre 2.5 objects.'), Field(,false)}" +match("MESSAGE#533:00030:80", "nwparser.payload", "PKI: no nsrp sync for pre 2.5 objects.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg540 = msg("00030:80", part905); + +var part906 = // "Pattern{Constant('X509 certificate with subject name '), Field(fld2,true), Constant(' is deleted.')}" +match("MESSAGE#534:00030:81", "nwparser.payload", "X509 certificate with subject name %{fld2->} is deleted.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg541 = msg("00030:81", part906); + +var part907 = // "Pattern{Constant('create new authcfg for CA '), Field(fld2,false)}" +match("MESSAGE#535:00030:82", "nwparser.payload", "create new authcfg for CA %{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg542 = msg("00030:82", part907); + +var part908 = // "Pattern{Constant('loadCert: Cannot acquire authcfg for this CA cert '), Field(fld2,false), Constant('.')}" +match("MESSAGE#536:00030:83", "nwparser.payload", "loadCert: Cannot acquire authcfg for this CA cert %{fld2}.", processor_chain([ + dup35, + dup213, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg543 = msg("00030:83", part908); + +var part909 = // "Pattern{Constant('upgrade to 4.0 copy authcfg from global.'), Field(,false)}" +match("MESSAGE#537:00030:84", "nwparser.payload", "upgrade to 4.0 copy authcfg from global.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg544 = msg("00030:84", part909); + +var part910 = // "Pattern{Constant('System CPU utilization is high ('), Field(fld2,true), Constant(' alarm threshold: '), Field(trigger_val,false), Constant(') '), Field(info,false)}" +match("MESSAGE#538:00030:85", "nwparser.payload", "System CPU utilization is high (%{fld2->} alarm threshold: %{trigger_val}) %{info}", processor_chain([ + setc("eventcategory","1603080000"), + dup2, + dup3, + dup4, + dup5, +])); + +var msg545 = msg("00030:85", part910); + +var part911 = // "Pattern{Constant('Pair-wise invoked by started after key generation. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#539:00030:86/2", "nwparser.p0", "Pair-wise invoked by started after key generation. (%{fld1})"); + +var all179 = all_match({ + processors: [ + dup223, + dup381, + part911, + ], + on_success: processor_chain([ + dup225, + dup2, + dup4, + dup5, + dup9, + ]), +}); + +var msg546 = msg("00030:86", all179); + +var part912 = // "Pattern{Constant('SYSTEM CPU utilization is high ('), Field(fld2,true), Constant(' > '), Field(fld3,true), Constant(' ) '), Field(fld4,true), Constant(' times in '), Field(fld5,true), Constant(' minute ('), Field(fld1,false), Constant(')<<'), Field(fld6,false), Constant('>')}" +match("MESSAGE#1214:00030:87", "nwparser.payload", "SYSTEM CPU utilization is high (%{fld2->} > %{fld3->} ) %{fld4->} times in %{fld5->} minute (%{fld1})\u003c\u003c%{fld6}>", processor_chain([ + dup211, + dup2, + dup3, + dup4, + dup5, + dup9, +])); + +var msg547 = msg("00030:87", part912); + +var part913 = // "Pattern{Constant('Pair-wise invoked by passed. ('), Field(fld1,false), Constant(')<<'), Field(fld6,false), Constant('>')}" +match("MESSAGE#1217:00030:88/2", "nwparser.p0", "Pair-wise invoked by passed. (%{fld1})\u003c\u003c%{fld6}>"); + +var all180 = all_match({ + processors: [ + dup223, + dup381, + part913, + ], + on_success: processor_chain([ + dup225, + dup2, + dup4, + dup5, + dup9, + ]), +}); + +var msg548 = msg("00030:88", all180); + +var select197 = linear_select([ + msg475, + msg476, + msg477, + msg478, + msg479, + msg480, + msg481, + msg482, + msg483, + msg484, + msg485, + msg486, + msg487, + msg488, + msg489, + msg490, + msg491, + msg492, + msg493, + msg494, + msg495, + msg496, + msg497, + msg498, + msg499, + msg500, + msg501, + msg502, + msg503, + msg504, + msg505, + msg506, + msg507, + msg508, + msg509, + msg510, + msg511, + msg512, + msg513, + msg514, + msg515, + msg516, + msg517, + msg518, + msg519, + msg520, + msg521, + msg522, + msg523, + msg524, + msg525, + msg526, + msg527, + msg528, + msg529, + msg530, + msg531, + msg532, + msg533, + msg534, + msg535, + msg536, + msg537, + msg538, + msg539, + msg540, + msg541, + msg542, + msg543, + msg544, + msg545, + msg546, + msg547, + msg548, +]); + +var part914 = // "Pattern{Constant('ARP detected IP conflict: IP address '), Field(hostip,true), Constant(' changed from '), Field(sinterface,true), Constant(' to interface '), Field(dinterface,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#540:00031:13", "nwparser.payload", "ARP detected IP conflict: IP address %{hostip->} changed from %{sinterface->} to interface %{dinterface->} (%{fld1})", processor_chain([ + dup121, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg549 = msg("00031:13", part914); + +var part915 = // "Pattern{Constant('SNMP AuthenTraps have been '), Field(disposition,false)}" +match("MESSAGE#541:00031", "nwparser.payload", "SNMP AuthenTraps have been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg550 = msg("00031", part915); + +var part916 = // "Pattern{Constant('SNMP VPN has been '), Field(disposition,false)}" +match("MESSAGE#542:00031:01", "nwparser.payload", "SNMP VPN has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg551 = msg("00031:01", part916); + +var part917 = // "Pattern{Constant('SNMP community '), Field(fld2,true), Constant(' attributes-write access '), Field(p0,false)}" +match("MESSAGE#543:00031:02/0", "nwparser.payload", "SNMP community %{fld2->} attributes-write access %{p0}"); + +var part918 = // "Pattern{Constant('; receive traps '), Field(p0,false)}" +match("MESSAGE#543:00031:02/2", "nwparser.p0", "; receive traps %{p0}"); + +var part919 = // "Pattern{Constant('; receive traffic alarms '), Field(p0,false)}" +match("MESSAGE#543:00031:02/4", "nwparser.p0", "; receive traffic alarms %{p0}"); + +var part920 = // "Pattern{Constant('-have been modified'), Field(,false)}" +match("MESSAGE#543:00031:02/6", "nwparser.p0", "-have been modified%{}"); + +var all181 = all_match({ + processors: [ + part917, + dup382, + part918, + dup382, + part919, + dup382, + part920, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg552 = msg("00031:02", all181); + +var part921 = // "Pattern{Field(fld2,true), Constant(' SNMP host '), Field(hostip,true), Constant(' has been '), Field(p0,false)}" +match("MESSAGE#544:00031:03/0", "nwparser.payload", "%{fld2->} SNMP host %{hostip->} has been %{p0}"); + +var select198 = linear_select([ + dup130, + dup129, +]); + +var part922 = // "Pattern{Constant('SNMP community '), Field(fld3,false)}" +match("MESSAGE#544:00031:03/2", "nwparser.p0", "SNMP community %{fld3}"); + +var all182 = all_match({ + processors: [ + part921, + select198, + part922, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg553 = msg("00031:03", all182); + +var part923 = // "Pattern{Constant('SNMP '), Field(p0,false)}" +match("MESSAGE#545:00031:04/0", "nwparser.payload", "SNMP %{p0}"); + +var part924 = // "Pattern{Constant('contact '), Field(p0,false)}" +match("MESSAGE#545:00031:04/1_0", "nwparser.p0", "contact %{p0}"); + +var select199 = linear_select([ + part924, + dup228, +]); + +var part925 = // "Pattern{Constant('description has been modified'), Field(,false)}" +match("MESSAGE#545:00031:04/2", "nwparser.p0", "description has been modified%{}"); + +var all183 = all_match({ + processors: [ + part923, + select199, + part925, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg554 = msg("00031:04", all183); + +var part926 = // "Pattern{Constant('SNMP system '), Field(p0,false)}" +match("MESSAGE#546:00031:11/0", "nwparser.payload", "SNMP system %{p0}"); + +var select200 = linear_select([ + dup228, + dup25, +]); + +var part927 = // "Pattern{Constant('has been changed to '), Field(fld2,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#546:00031:11/2", "nwparser.p0", "has been changed to %{fld2}. (%{fld1})"); + +var all184 = all_match({ + processors: [ + part926, + select200, + part927, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg555 = msg("00031:11", all184); + +var part928 = // "Pattern{Field(fld2,false), Constant(': SNMP community name "'), Field(fld3,false), Constant('" '), Field(p0,false)}" +match("MESSAGE#547:00031:08/0", "nwparser.payload", "%{fld2}: SNMP community name \"%{fld3}\" %{p0}"); + +var part929 = // "Pattern{Constant('attributes -- '), Field(p0,false)}" +match("MESSAGE#547:00031:08/1_0", "nwparser.p0", "attributes -- %{p0}"); + +var part930 = // "Pattern{Constant('-- '), Field(p0,false)}" +match("MESSAGE#547:00031:08/1_1", "nwparser.p0", "-- %{p0}"); + +var select201 = linear_select([ + part929, + part930, +]); + +var part931 = // "Pattern{Constant('write access, '), Field(p0,false)}" +match("MESSAGE#547:00031:08/2", "nwparser.p0", "write access, %{p0}"); + +var part932 = // "Pattern{Constant('; receive traps, '), Field(p0,false)}" +match("MESSAGE#547:00031:08/4", "nwparser.p0", "; receive traps, %{p0}"); + +var part933 = // "Pattern{Constant('; receive traffic alarms, '), Field(p0,false)}" +match("MESSAGE#547:00031:08/6", "nwparser.p0", "; receive traffic alarms, %{p0}"); + +var part934 = // "Pattern{Constant('-'), Field(p0,false)}" +match("MESSAGE#547:00031:08/8", "nwparser.p0", "-%{p0}"); + +var part935 = // "Pattern{Constant('- '), Field(p0,false)}" +match("MESSAGE#547:00031:08/9_0", "nwparser.p0", "- %{p0}"); + +var select202 = linear_select([ + part935, + dup96, +]); + +var part936 = // "Pattern{Constant('have been modified'), Field(,false)}" +match("MESSAGE#547:00031:08/10", "nwparser.p0", "have been modified%{}"); + +var all185 = all_match({ + processors: [ + part928, + select201, + part931, + dup382, + part932, + dup382, + part933, + dup382, + part934, + select202, + part936, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg556 = msg("00031:08", all185); + +var part937 = // "Pattern{Constant('Detect IP conflict ('), Field(fld2,false), Constant(') on '), Field(p0,false)}" +match("MESSAGE#548:00031:05/0", "nwparser.payload", "Detect IP conflict (%{fld2}) on %{p0}"); + +var all186 = all_match({ + processors: [ + part937, + dup339, + dup229, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg557 = msg("00031:05", all186); + +var part938 = // "Pattern{Constant('q, '), Field(p0,false)}" +match("MESSAGE#549:00031:06/1_0", "nwparser.p0", "q, %{p0}"); + +var select203 = linear_select([ + part938, + dup231, + dup232, +]); + +var part939 = // "Pattern{Constant('detect IP conflict ( '), Field(hostip,true), Constant(' )'), Field(p0,false)}" +match("MESSAGE#549:00031:06/2", "nwparser.p0", "detect IP conflict ( %{hostip->} )%{p0}"); + +var select204 = linear_select([ + dup105, + dup96, +]); + +var part940 = // "Pattern{Constant('mac'), Field(p0,false)}" +match("MESSAGE#549:00031:06/4", "nwparser.p0", "mac%{p0}"); + +var part941 = // "Pattern{Constant(''), Field(macaddr,true), Constant(' on '), Field(p0,false)}" +match("MESSAGE#549:00031:06/6", "nwparser.p0", "%{macaddr->} on %{p0}"); + +var all187 = all_match({ + processors: [ + dup230, + select203, + part939, + select204, + part940, + dup358, + part941, + dup354, + dup23, + dup383, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg558 = msg("00031:06", all187); + +var part942 = // "Pattern{Constant('detects a duplicate virtual security device group master IP address '), Field(hostip,false), Constant(', MAC address '), Field(macaddr,true), Constant(' on '), Field(p0,false)}" +match("MESSAGE#550:00031:07/2", "nwparser.p0", "detects a duplicate virtual security device group master IP address %{hostip}, MAC address %{macaddr->} on %{p0}"); + +var all188 = all_match({ + processors: [ + dup230, + dup384, + part942, + dup339, + dup229, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg559 = msg("00031:07", all188); + +var part943 = // "Pattern{Constant('detected an IP conflict (IP '), Field(hostip,false), Constant(', MAC '), Field(macaddr,false), Constant(') on interface '), Field(p0,false)}" +match("MESSAGE#551:00031:09/2", "nwparser.p0", "detected an IP conflict (IP %{hostip}, MAC %{macaddr}) on interface %{p0}"); + +var all189 = all_match({ + processors: [ + dup230, + dup384, + part943, + dup383, + ], + on_success: processor_chain([ + dup121, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg560 = msg("00031:09", all189); + +var part944 = // "Pattern{Field(fld2,false), Constant(': SNMP community "'), Field(fld3,false), Constant('" has been moved. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#552:00031:10", "nwparser.payload", "%{fld2}: SNMP community \"%{fld3}\" has been moved. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg561 = msg("00031:10", part944); + +var part945 = // "Pattern{Field(fld2,true), Constant(' system contact has been changed to '), Field(fld3,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#553:00031:12", "nwparser.payload", "%{fld2->} system contact has been changed to %{fld3}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg562 = msg("00031:12", part945); + +var select205 = linear_select([ + msg549, + msg550, + msg551, + msg552, + msg553, + msg554, + msg555, + msg556, + msg557, + msg558, + msg559, + msg560, + msg561, + msg562, +]); + +var part946 = // "Pattern{Field(signame,true), Constant(' has been detected and blocked! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#554:00032", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup234, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, +])); + +var msg563 = msg("00032", part946); + +var part947 = // "Pattern{Field(signame,true), Constant(' has been detected and blocked! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false)}" +match("MESSAGE#555:00032:01", "nwparser.payload", "%{signame->} has been detected and blocked! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}", processor_chain([ + dup234, + dup2, + dup3, + dup4, + dup5, + dup61, +])); + +var msg564 = msg("00032:01", part947); + +var part948 = // "Pattern{Constant('Vsys '), Field(fld2,true), Constant(' has been '), Field(p0,false)}" +match("MESSAGE#556:00032:03/0", "nwparser.payload", "Vsys %{fld2->} has been %{p0}"); + +var part949 = // "Pattern{Constant('changed to '), Field(fld3,false)}" +match("MESSAGE#556:00032:03/1_0", "nwparser.p0", "changed to %{fld3}"); + +var part950 = // "Pattern{Constant('created'), Field(,false)}" +match("MESSAGE#556:00032:03/1_1", "nwparser.p0", "created%{}"); + +var part951 = // "Pattern{Constant('deleted'), Field(,false)}" +match("MESSAGE#556:00032:03/1_2", "nwparser.p0", "deleted%{}"); + +var part952 = // "Pattern{Constant('removed'), Field(,false)}" +match("MESSAGE#556:00032:03/1_3", "nwparser.p0", "removed%{}"); + +var select206 = linear_select([ + part949, + part950, + part951, + part952, +]); + +var all190 = all_match({ + processors: [ + part948, + select206, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg565 = msg("00032:03", all190); + +var part953 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' on interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#557:00032:04", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} on interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup234, + dup2, + dup3, + dup4, + dup59, + dup5, + dup61, +])); + +var msg566 = msg("00032:04", part953); + +var part954 = // "Pattern{Field(change_attribute,true), Constant(' for vsys '), Field(fld2,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#558:00032:05", "nwparser.payload", "%{change_attribute->} for vsys %{fld2->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg567 = msg("00032:05", part954); + +var msg568 = msg("00032:02", dup378); + +var select207 = linear_select([ + msg563, + msg564, + msg565, + msg566, + msg567, + msg568, +]); + +var part955 = // "Pattern{Constant('NSM has been '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#560:00033:25", "nwparser.payload", "NSM has been %{disposition}. (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("agent","NSM"), +])); + +var msg569 = msg("00033:25", part955); + +var part956 = // "Pattern{Constant('timeout value has been '), Field(p0,false)}" +match("MESSAGE#561:00033/1", "nwparser.p0", "timeout value has been %{p0}"); + +var part957 = // "Pattern{Constant('returned'), Field(p0,false)}" +match("MESSAGE#561:00033/2_1", "nwparser.p0", "returned%{p0}"); + +var select208 = linear_select([ + dup52, + part957, +]); + +var part958 = // "Pattern{Field(,false), Constant('to '), Field(fld2,false)}" +match("MESSAGE#561:00033/3", "nwparser.p0", "%{}to %{fld2}"); + +var all191 = all_match({ + processors: [ + dup385, + part956, + select208, + part958, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg570 = msg("00033", all191); + +var part959 = // "Pattern{Constant('Global PRO '), Field(p0,false)}" +match("MESSAGE#562:00033:03/1_0", "nwparser.p0", "Global PRO %{p0}"); + +var part960 = // "Pattern{Field(fld3,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#562:00033:03/1_1", "nwparser.p0", "%{fld3->} %{p0}"); + +var select209 = linear_select([ + part959, + part960, +]); + +var part961 = // "Pattern{Constant('host has been set to '), Field(fld4,false)}" +match("MESSAGE#562:00033:03/4", "nwparser.p0", "host has been set to %{fld4}"); + +var all192 = all_match({ + processors: [ + dup162, + select209, + dup23, + dup372, + part961, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg571 = msg("00033:03", all192); + +var part962 = // "Pattern{Constant('host has been '), Field(disposition,false)}" +match("MESSAGE#563:00033:02/3", "nwparser.p0", "host has been %{disposition}"); + +var all193 = all_match({ + processors: [ + dup385, + dup23, + dup372, + part962, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg572 = msg("00033:02", all193); + +var part963 = // "Pattern{Constant('Reporting of '), Field(fld2,true), Constant(' to '), Field(fld3,true), Constant(' has been '), Field(disposition,false), Constant('.')}" +match("MESSAGE#564:00033:04", "nwparser.payload", "Reporting of %{fld2->} to %{fld3->} has been %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg573 = msg("00033:04", part963); + +var part964 = // "Pattern{Constant('Global PRO has been '), Field(disposition,false)}" +match("MESSAGE#565:00033:05", "nwparser.payload", "Global PRO has been %{disposition}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg574 = msg("00033:05", part964); + +var part965 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at interface '), Field(interface,false), Constant('. The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#566:00033:06", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The attack occurred %{dclass_counter1->} times", processor_chain([ + dup27, + dup2, + dup3, + dup59, + dup4, + dup5, + dup61, +])); + +var msg575 = msg("00033:06", part965); + +var part966 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at interface '), Field(interface,false), Constant('. The threshold was exceeded '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#567:00033:01", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}. The threshold was exceeded %{dclass_counter1->} times", processor_chain([ + dup27, + dup2, + dup3, + setc("dclass_counter1_string","Number of times the threshold was exceeded"), + dup4, + dup5, + dup61, +])); + +var msg576 = msg("00033:01", part966); + +var part967 = // "Pattern{Constant('User-defined service '), Field(service,true), Constant(' has been '), Field(disposition,true), Constant(' from '), Field(fld2,true), Constant(' distribution')}" +match("MESSAGE#568:00033:07", "nwparser.payload", "User-defined service %{service->} has been %{disposition->} from %{fld2->} distribution", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg577 = msg("00033:07", part967); + +var part968 = // "Pattern{Constant('?s CA certificate field has not been specified.'), Field(,false)}" +match("MESSAGE#569:00033:08/2", "nwparser.p0", "?s CA certificate field has not been specified.%{}"); + +var all194 = all_match({ + processors: [ + dup237, + dup386, + part968, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg578 = msg("00033:08", all194); + +var part969 = // "Pattern{Constant('?s Cert-Subject field has not been specified.'), Field(,false)}" +match("MESSAGE#570:00033:09/2", "nwparser.p0", "?s Cert-Subject field has not been specified.%{}"); + +var all195 = all_match({ + processors: [ + dup237, + dup386, + part969, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg579 = msg("00033:09", all195); + +var part970 = // "Pattern{Constant('?s host field has been '), Field(p0,false)}" +match("MESSAGE#571:00033:10/2", "nwparser.p0", "?s host field has been %{p0}"); + +var part971 = // "Pattern{Constant('set to '), Field(fld2,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#571:00033:10/3_0", "nwparser.p0", "set to %{fld2->} %{p0}"); + +var select210 = linear_select([ + part971, + dup240, +]); + +var all196 = all_match({ + processors: [ + dup237, + dup386, + part970, + select210, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg580 = msg("00033:10", all196); + +var part972 = // "Pattern{Constant('?s outgoing interface used to report NACN to Policy Manager '), Field(p0,false)}" +match("MESSAGE#572:00033:11/2", "nwparser.p0", "?s outgoing interface used to report NACN to Policy Manager %{p0}"); + +var part973 = // "Pattern{Constant('has not been specified.'), Field(,false)}" +match("MESSAGE#572:00033:11/4", "nwparser.p0", "has not been specified.%{}"); + +var all197 = all_match({ + processors: [ + dup237, + dup386, + part972, + dup386, + part973, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg581 = msg("00033:11", all197); + +var part974 = // "Pattern{Constant('?s password field has been '), Field(p0,false)}" +match("MESSAGE#573:00033:12/2", "nwparser.p0", "?s password field has been %{p0}"); + +var select211 = linear_select([ + dup101, + dup240, +]); + +var all198 = all_match({ + processors: [ + dup237, + dup386, + part974, + select211, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg582 = msg("00033:12", all198); + +var part975 = // "Pattern{Constant('?s policy-domain field has been '), Field(p0,false)}" +match("MESSAGE#574:00033:13/2", "nwparser.p0", "?s policy-domain field has been %{p0}"); + +var part976 = // "Pattern{Constant('unset .'), Field(,false)}" +match("MESSAGE#574:00033:13/3_0", "nwparser.p0", "unset .%{}"); + +var part977 = // "Pattern{Constant('set to '), Field(domain,false), Constant('.')}" +match("MESSAGE#574:00033:13/3_1", "nwparser.p0", "set to %{domain}."); + +var select212 = linear_select([ + part976, + part977, +]); + +var all199 = all_match({ + processors: [ + dup237, + dup386, + part975, + select212, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg583 = msg("00033:13", all199); + +var part978 = // "Pattern{Constant('?s CA certificate field has been set to '), Field(fld2,false), Constant('.')}" +match("MESSAGE#575:00033:14/2", "nwparser.p0", "?s CA certificate field has been set to %{fld2}."); + +var all200 = all_match({ + processors: [ + dup237, + dup386, + part978, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg584 = msg("00033:14", all200); + +var part979 = // "Pattern{Constant('?s Cert-Subject field has been set to '), Field(fld2,false), Constant('.')}" +match("MESSAGE#576:00033:15/2", "nwparser.p0", "?s Cert-Subject field has been set to %{fld2}."); + +var all201 = all_match({ + processors: [ + dup237, + dup386, + part979, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg585 = msg("00033:15", all201); + +var part980 = // "Pattern{Constant('?s outgoing-interface field has been set to '), Field(interface,false), Constant('.')}" +match("MESSAGE#577:00033:16/2", "nwparser.p0", "?s outgoing-interface field has been set to %{interface}."); + +var all202 = all_match({ + processors: [ + dup237, + dup386, + part980, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg586 = msg("00033:16", all202); + +var part981 = // "Pattern{Constant('?s port field has been '), Field(p0,false)}" +match("MESSAGE#578:00033:17/2", "nwparser.p0", "?s port field has been %{p0}"); + +var part982 = // "Pattern{Constant('set to '), Field(network_port,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#578:00033:17/3_0", "nwparser.p0", "set to %{network_port->} %{p0}"); + +var part983 = // "Pattern{Constant('reset to the default value '), Field(p0,false)}" +match("MESSAGE#578:00033:17/3_1", "nwparser.p0", "reset to the default value %{p0}"); + +var select213 = linear_select([ + part982, + part983, +]); + +var all203 = all_match({ + processors: [ + dup237, + dup386, + part981, + select213, + dup116, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg587 = msg("00033:17", all203); + +var part984 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(p0,false)}" +match("MESSAGE#579:00033:19/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{p0}"); + +var part985 = // "Pattern{Field(fld99,false), Constant('arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' time.')}" +match("MESSAGE#579:00033:19/4", "nwparser.p0", "%{fld99}arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time."); + +var all204 = all_match({ + processors: [ + part984, + dup341, + dup70, + dup342, + part985, + ], + on_success: processor_chain([ + dup27, + dup2, + dup4, + dup5, + dup3, + dup59, + dup61, + ]), +}); + +var msg588 = msg("00033:19", all204); + +var part986 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' time.')}" +match("MESSAGE#580:00033:20", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} time.", processor_chain([ + dup27, + dup2, + dup4, + dup5, + dup3, + dup59, + dup60, +])); + +var msg589 = msg("00033:20", part986); + +var all205 = all_match({ + processors: [ + dup241, + dup345, + dup83, + ], + on_success: processor_chain([ + dup27, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), +}); + +var msg590 = msg("00033:21", all205); + +var part987 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#582:00033:22/0", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); + +var all206 = all_match({ + processors: [ + part987, + dup345, + dup83, + ], + on_success: processor_chain([ + dup27, + dup2, + dup9, + dup59, + dup3, + dup4, + dup5, + dup60, + ]), +}); + +var msg591 = msg("00033:22", all206); + +var part988 = // "Pattern{Constant('NSM primary server with name '), Field(hostname,true), Constant(' was set: addr '), Field(hostip,false), Constant(', port '), Field(network_port,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#583:00033:23", "nwparser.payload", "NSM primary server with name %{hostname->} was set: addr %{hostip}, port %{network_port}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg592 = msg("00033:23", part988); + +var part989 = // "Pattern{Constant('session threshold From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.'), Field(info,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#584:00033:24", "nwparser.payload", "session threshold From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{info}. (%{fld1})", processor_chain([ + setc("eventcategory","1001030500"), + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg593 = msg("00033:24", part989); + +var select214 = linear_select([ + msg569, + msg570, + msg571, + msg572, + msg573, + msg574, + msg575, + msg576, + msg577, + msg578, + msg579, + msg580, + msg581, + msg582, + msg583, + msg584, + msg585, + msg586, + msg587, + msg588, + msg589, + msg590, + msg591, + msg592, + msg593, +]); + +var part990 = // "Pattern{Constant('SCS: Failed '), Field(p0,false)}" +match("MESSAGE#585:00034/0_0", "nwparser.payload", "SCS: Failed %{p0}"); + +var part991 = // "Pattern{Constant('Failed '), Field(p0,false)}" +match("MESSAGE#585:00034/0_1", "nwparser.payload", "Failed %{p0}"); + +var select215 = linear_select([ + part990, + part991, +]); + +var part992 = // "Pattern{Constant('bind '), Field(p0,false)}" +match("MESSAGE#585:00034/2_0", "nwparser.p0", "bind %{p0}"); + +var part993 = // "Pattern{Constant('retrieve '), Field(p0,false)}" +match("MESSAGE#585:00034/2_2", "nwparser.p0", "retrieve %{p0}"); + +var select216 = linear_select([ + part992, + dup203, + part993, +]); + +var select217 = linear_select([ + dup198, + dup103, + dup165, +]); + +var part994 = // "Pattern{Constant('SSH user '), Field(username,false), Constant('. (Key ID='), Field(fld2,false), Constant(')')}" +match("MESSAGE#585:00034/5", "nwparser.p0", "SSH user %{username}. (Key ID=%{fld2})"); + +var all207 = all_match({ + processors: [ + select215, + dup103, + select216, + dup204, + select217, + part994, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg594 = msg("00034", all207); + +var part995 = // "Pattern{Constant('SCS: Incompatible '), Field(p0,false)}" +match("MESSAGE#586:00034:01/0_0", "nwparser.payload", "SCS: Incompatible %{p0}"); + +var part996 = // "Pattern{Constant('Incompatible '), Field(p0,false)}" +match("MESSAGE#586:00034:01/0_1", "nwparser.payload", "Incompatible %{p0}"); + +var select218 = linear_select([ + part995, + part996, +]); + +var part997 = // "Pattern{Constant('SSH version '), Field(version,true), Constant(' has been received from '), Field(p0,false)}" +match("MESSAGE#586:00034:01/1", "nwparser.p0", "SSH version %{version->} has been received from %{p0}"); + +var part998 = // "Pattern{Constant('the SSH '), Field(p0,false)}" +match("MESSAGE#586:00034:01/2_0", "nwparser.p0", "the SSH %{p0}"); + +var select219 = linear_select([ + part998, + dup243, +]); + +var part999 = // "Pattern{Constant('client at '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#586:00034:01/3", "nwparser.p0", "client at %{saddr}:%{sport}"); + +var all208 = all_match({ + processors: [ + select218, + part997, + select219, + part999, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg595 = msg("00034:01", all208); + +var part1000 = // "Pattern{Constant('Maximum number of SCS sessions '), Field(fld2,true), Constant(' has been reached. Connection request from SSH user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has been '), Field(disposition,false)}" +match("MESSAGE#587:00034:02", "nwparser.payload", "Maximum number of SCS sessions %{fld2->} has been reached. Connection request from SSH user %{username->} at %{saddr}:%{sport->} has been %{disposition}", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg596 = msg("00034:02", part1000); + +var part1001 = // "Pattern{Constant('device failed to authenticate the SSH client at '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#588:00034:03/1", "nwparser.p0", "device failed to authenticate the SSH client at %{saddr}:%{sport}"); + +var all209 = all_match({ + processors: [ + dup387, + part1001, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg597 = msg("00034:03", all209); + +var part1002 = // "Pattern{Constant('SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. (Key ID='), Field(fld2,false), Constant(')')}" +match("MESSAGE#589:00034:04", "nwparser.payload", "SCS: NetScreen device failed to generate a PKA RSA challenge for SSH user %{username->} at %{saddr}:%{sport}. (Key ID=%{fld2})", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg598 = msg("00034:04", part1002); + +var part1003 = // "Pattern{Constant('NetScreen device failed to generate a PKA RSA challenge for SSH user '), Field(username,false), Constant('. (Key ID='), Field(fld2,false), Constant(')')}" +match("MESSAGE#590:00034:05", "nwparser.payload", "NetScreen device failed to generate a PKA RSA challenge for SSH user %{username}. (Key ID=%{fld2})", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg599 = msg("00034:05", part1003); + +var part1004 = // "Pattern{Constant('device failed to '), Field(p0,false)}" +match("MESSAGE#591:00034:06/1", "nwparser.p0", "device failed to %{p0}"); + +var part1005 = // "Pattern{Constant('identify itself '), Field(p0,false)}" +match("MESSAGE#591:00034:06/2_0", "nwparser.p0", "identify itself %{p0}"); + +var part1006 = // "Pattern{Constant('send the identification string '), Field(p0,false)}" +match("MESSAGE#591:00034:06/2_1", "nwparser.p0", "send the identification string %{p0}"); + +var select220 = linear_select([ + part1005, + part1006, +]); + +var part1007 = // "Pattern{Constant('to the SSH client at '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#591:00034:06/3", "nwparser.p0", "to the SSH client at %{saddr}:%{sport}"); + +var all210 = all_match({ + processors: [ + dup387, + part1004, + select220, + part1007, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg600 = msg("00034:06", all210); + +var part1008 = // "Pattern{Constant('SCS connection has been terminated for admin user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#592:00034:07", "nwparser.payload", "SCS connection has been terminated for admin user %{username->} at %{saddr}:%{sport}", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg601 = msg("00034:07", part1008); + +var part1009 = // "Pattern{Constant('SCS: SCS has been '), Field(disposition,true), Constant(' for '), Field(username,true), Constant(' with '), Field(fld2,true), Constant(' existing PKA keys already bound to '), Field(fld3,true), Constant(' SSH users.')}" +match("MESSAGE#593:00034:08", "nwparser.payload", "SCS: SCS has been %{disposition->} for %{username->} with %{fld2->} existing PKA keys already bound to %{fld3->} SSH users.", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg602 = msg("00034:08", part1009); + +var part1010 = // "Pattern{Constant('SCS has been '), Field(disposition,true), Constant(' for '), Field(username,true), Constant(' with '), Field(fld2,true), Constant(' PKA keys already bound to '), Field(fld3,true), Constant(' SSH users')}" +match("MESSAGE#594:00034:09", "nwparser.payload", "SCS has been %{disposition->} for %{username->} with %{fld2->} PKA keys already bound to %{fld3->} SSH users", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg603 = msg("00034:09", part1010); + +var part1011 = // "Pattern{Field(,false), Constant('client at '), Field(saddr,true), Constant(' has attempted to make an SCS connection to '), Field(p0,false)}" +match("MESSAGE#595:00034:10/2", "nwparser.p0", "%{}client at %{saddr->} has attempted to make an SCS connection to %{p0}"); + +var part1012 = // "Pattern{Constant(''), Field(interface,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#595:00034:10/4", "nwparser.p0", "%{interface->} %{p0}"); + +var part1013 = // "Pattern{Constant('with'), Field(p0,false)}" +match("MESSAGE#595:00034:10/5_0", "nwparser.p0", "with%{p0}"); + +var part1014 = // "Pattern{Constant('at'), Field(p0,false)}" +match("MESSAGE#595:00034:10/5_1", "nwparser.p0", "at%{p0}"); + +var select221 = linear_select([ + part1013, + part1014, +]); + +var part1015 = // "Pattern{Field(,false), Constant('IP '), Field(hostip,true), Constant(' but '), Field(disposition,true), Constant(' because '), Field(result,false)}" +match("MESSAGE#595:00034:10/6", "nwparser.p0", "%{}IP %{hostip->} but %{disposition->} because %{result}"); + +var all211 = all_match({ + processors: [ + dup246, + dup388, + part1011, + dup354, + part1012, + select221, + part1015, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg604 = msg("00034:10", all211); + +var part1016 = // "Pattern{Field(,false), Constant('client at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has attempted to make an SCS connection to '), Field(p0,false)}" +match("MESSAGE#596:00034:12/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has attempted to make an SCS connection to %{p0}"); + +var part1017 = // "Pattern{Constant('but '), Field(disposition,true), Constant(' because '), Field(result,false)}" +match("MESSAGE#596:00034:12/4", "nwparser.p0", "but %{disposition->} because %{result}"); + +var all212 = all_match({ + processors: [ + dup246, + dup388, + part1016, + dup389, + part1017, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg605 = msg("00034:12", all212); + +var part1018 = // "Pattern{Field(,false), Constant('client at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has '), Field(disposition,true), Constant(' to make an SCS connection to '), Field(p0,false)}" +match("MESSAGE#597:00034:11/2", "nwparser.p0", "%{}client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to %{p0}"); + +var part1019 = // "Pattern{Constant('because '), Field(result,false)}" +match("MESSAGE#597:00034:11/4", "nwparser.p0", "because %{result}"); + +var all213 = all_match({ + processors: [ + dup246, + dup388, + part1018, + dup389, + part1019, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg606 = msg("00034:11", all213); + +var part1020 = // "Pattern{Constant('SSH client at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has '), Field(disposition,true), Constant(' to make an SCS connection because '), Field(result,false)}" +match("MESSAGE#598:00034:15", "nwparser.payload", "SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection because %{result}", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg607 = msg("00034:15", part1020); + +var part1021 = // "Pattern{Constant('user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' cannot log in via SCS to '), Field(service,true), Constant(' using the shared '), Field(interface,true), Constant(' interface because '), Field(result,false)}" +match("MESSAGE#599:00034:18/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} cannot log in via SCS to %{service->} using the shared %{interface->} interface because %{result}"); + +var all214 = all_match({ + processors: [ + dup246, + dup390, + part1021, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg608 = msg("00034:18", all214); + +var part1022 = // "Pattern{Constant('user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has '), Field(disposition,true), Constant(' the PKA RSA challenge')}" +match("MESSAGE#600:00034:20/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has %{disposition->} the PKA RSA challenge"); + +var all215 = all_match({ + processors: [ + dup246, + dup390, + part1022, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg609 = msg("00034:20", all215); + +var part1023 = // "Pattern{Constant('user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has requested '), Field(p0,false)}" +match("MESSAGE#601:00034:21/2", "nwparser.p0", "user %{username->} at %{saddr}:%{sport->} has requested %{p0}"); + +var part1024 = // "Pattern{Constant('authentication which is not '), Field(p0,false)}" +match("MESSAGE#601:00034:21/4", "nwparser.p0", "authentication which is not %{p0}"); + +var part1025 = // "Pattern{Constant('supported '), Field(p0,false)}" +match("MESSAGE#601:00034:21/5_0", "nwparser.p0", "supported %{p0}"); + +var select222 = linear_select([ + part1025, + dup156, +]); + +var part1026 = // "Pattern{Constant('for that '), Field(p0,false)}" +match("MESSAGE#601:00034:21/6", "nwparser.p0", "for that %{p0}"); + +var part1027 = // "Pattern{Constant('client'), Field(,false)}" +match("MESSAGE#601:00034:21/7_0", "nwparser.p0", "client%{}"); + +var part1028 = // "Pattern{Constant('user'), Field(,false)}" +match("MESSAGE#601:00034:21/7_1", "nwparser.p0", "user%{}"); + +var select223 = linear_select([ + part1027, + part1028, +]); + +var all216 = all_match({ + processors: [ + dup246, + dup390, + part1023, + dup375, + part1024, + select222, + part1026, + select223, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg610 = msg("00034:21", all216); + +var part1029 = // "Pattern{Constant('SSH user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has unsuccessfully attempted to log in via SCS to vsys '), Field(fld2,true), Constant(' using the shared untrusted interface')}" +match("MESSAGE#602:00034:22", "nwparser.payload", "SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to vsys %{fld2->} using the shared untrusted interface", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg611 = msg("00034:22", part1029); + +var part1030 = // "Pattern{Constant('SCS: Unable '), Field(p0,false)}" +match("MESSAGE#603:00034:23/1_0", "nwparser.p0", "SCS: Unable %{p0}"); + +var part1031 = // "Pattern{Constant('Unable '), Field(p0,false)}" +match("MESSAGE#603:00034:23/1_1", "nwparser.p0", "Unable %{p0}"); + +var select224 = linear_select([ + part1030, + part1031, +]); + +var part1032 = // "Pattern{Constant('to validate cookie from the SSH client at '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#603:00034:23/2", "nwparser.p0", "to validate cookie from the SSH client at %{saddr}:%{sport}"); + +var all217 = all_match({ + processors: [ + dup162, + select224, + part1032, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg612 = msg("00034:23", all217); + +var part1033 = // "Pattern{Constant('AC '), Field(username,true), Constant(' is advertising URL '), Field(fld2,false)}" +match("MESSAGE#604:00034:24", "nwparser.payload", "AC %{username->} is advertising URL %{fld2}", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg613 = msg("00034:24", part1033); + +var part1034 = // "Pattern{Constant('Message from AC '), Field(username,false), Constant(': '), Field(fld2,false)}" +match("MESSAGE#605:00034:25", "nwparser.payload", "Message from AC %{username}: %{fld2}", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg614 = msg("00034:25", part1034); + +var part1035 = // "Pattern{Constant('PPPoE Settings changed'), Field(,false)}" +match("MESSAGE#606:00034:26", "nwparser.payload", "PPPoE Settings changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg615 = msg("00034:26", part1035); + +var part1036 = // "Pattern{Constant('PPPoE is '), Field(disposition,true), Constant(' on '), Field(interface,true), Constant(' interface')}" +match("MESSAGE#607:00034:27", "nwparser.payload", "PPPoE is %{disposition->} on %{interface->} interface", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg616 = msg("00034:27", part1036); + +var part1037 = // "Pattern{Constant('PPPoE'), Field(p0,false)}" +match("MESSAGE#608:00034:28/0", "nwparser.payload", "PPPoE%{p0}"); + +var part1038 = // "Pattern{Constant('s session closed by AC'), Field(,false)}" +match("MESSAGE#608:00034:28/2", "nwparser.p0", "s session closed by AC%{}"); + +var all218 = all_match({ + processors: [ + part1037, + dup363, + part1038, + ], + on_success: processor_chain([ + dup211, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg617 = msg("00034:28", all218); + +var part1039 = // "Pattern{Constant('SCS: Disabled for '), Field(username,false), Constant('. Attempted connection '), Field(disposition,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#609:00034:29", "nwparser.payload", "SCS: Disabled for %{username}. Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg618 = msg("00034:29", part1039); + +var part1040 = // "Pattern{Constant('SCS: '), Field(disposition,true), Constant(' to remove PKA key removed.')}" +match("MESSAGE#610:00034:30", "nwparser.payload", "SCS: %{disposition->} to remove PKA key removed.", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg619 = msg("00034:30", part1040); + +var part1041 = // "Pattern{Constant('SCS: '), Field(disposition,true), Constant(' to retrieve host key')}" +match("MESSAGE#611:00034:31", "nwparser.payload", "SCS: %{disposition->} to retrieve host key", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg620 = msg("00034:31", part1041); + +var part1042 = // "Pattern{Constant('SCS: '), Field(disposition,true), Constant(' to send identification string to client host at '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('.')}" +match("MESSAGE#612:00034:32", "nwparser.payload", "SCS: %{disposition->} to send identification string to client host at %{saddr}:%{sport}.", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg621 = msg("00034:32", part1042); + +var part1043 = // "Pattern{Constant('SCS: Max '), Field(fld2,true), Constant(' sessions reached unabel to accept connection : '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#613:00034:33", "nwparser.payload", "SCS: Max %{fld2->} sessions reached unabel to accept connection : %{saddr}:%{sport}", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg622 = msg("00034:33", part1043); + +var part1044 = // "Pattern{Constant('SCS: Maximum number for SCS sessions '), Field(fld2,true), Constant(' has been reached. Connection request from SSH user at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has been '), Field(disposition,false), Constant('.')}" +match("MESSAGE#614:00034:34", "nwparser.payload", "SCS: Maximum number for SCS sessions %{fld2->} has been reached. Connection request from SSH user at %{saddr}:%{sport->} has been %{disposition}.", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg623 = msg("00034:34", part1044); + +var part1045 = // "Pattern{Constant('SCS: SSH user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has unsuccessfully attempted to log in via SCS to '), Field(service,true), Constant(' using the shared untrusted interface because SCS is disabled on that interface.')}" +match("MESSAGE#615:00034:35", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has unsuccessfully attempted to log in via SCS to %{service->} using the shared untrusted interface because SCS is disabled on that interface.", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg624 = msg("00034:35", part1045); + +var part1046 = // "Pattern{Constant('SCS: Unsupported cipher type '), Field(fld2,true), Constant(' requested from: '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#616:00034:36", "nwparser.payload", "SCS: Unsupported cipher type %{fld2->} requested from: %{saddr}:%{sport}", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg625 = msg("00034:36", part1046); + +var part1047 = // "Pattern{Constant('The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed'), Field(,false)}" +match("MESSAGE#617:00034:37", "nwparser.payload", "The Point-to-Point Protocol over Ethernet (PPPoE) protocol settings changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg626 = msg("00034:37", part1047); + +var part1048 = // "Pattern{Constant('SSH: '), Field(disposition,true), Constant(' to retreive PKA key bound to SSH user '), Field(username,true), Constant(' (Key ID '), Field(fld2,false), Constant(')')}" +match("MESSAGE#618:00034:38", "nwparser.payload", "SSH: %{disposition->} to retreive PKA key bound to SSH user %{username->} (Key ID %{fld2})", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg627 = msg("00034:38", part1048); + +var part1049 = // "Pattern{Constant('SSH: Error processing packet from host '), Field(saddr,true), Constant(' (Code '), Field(fld2,false), Constant(')')}" +match("MESSAGE#619:00034:39", "nwparser.payload", "SSH: Error processing packet from host %{saddr->} (Code %{fld2})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg628 = msg("00034:39", part1049); + +var part1050 = // "Pattern{Constant('SSH: Device failed to send initialization string to client at '), Field(saddr,false)}" +match("MESSAGE#620:00034:40", "nwparser.payload", "SSH: Device failed to send initialization string to client at %{saddr}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg629 = msg("00034:40", part1050); + +var part1051 = // "Pattern{Constant('SCP: Admin user ''), Field(administrator,false), Constant('' attempted to transfer file '), Field(p0,false)}" +match("MESSAGE#621:00034:41/0", "nwparser.payload", "SCP: Admin user '%{administrator}' attempted to transfer file %{p0}"); + +var part1052 = // "Pattern{Constant('the device with insufficient privilege.'), Field(,false)}" +match("MESSAGE#621:00034:41/2", "nwparser.p0", "the device with insufficient privilege.%{}"); + +var all219 = all_match({ + processors: [ + part1051, + dup376, + part1052, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg630 = msg("00034:41", all219); + +var part1053 = // "Pattern{Constant('SSH: Maximum number of SSH sessions ('), Field(fld2,false), Constant(') exceeded. Connection request from SSH user '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' denied.')}" +match("MESSAGE#622:00034:42", "nwparser.payload", "SSH: Maximum number of SSH sessions (%{fld2}) exceeded. Connection request from SSH user %{username->} at %{saddr->} denied.", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg631 = msg("00034:42", part1053); + +var part1054 = // "Pattern{Constant('Ethernet driver ran out of rx bd (port '), Field(network_port,false), Constant(')')}" +match("MESSAGE#623:00034:43", "nwparser.payload", "Ethernet driver ran out of rx bd (port %{network_port})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg632 = msg("00034:43", part1054); + +var part1055 = // "Pattern{Constant('Potential replay attack detected on SSH connection initiated from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1224:00034:44", "nwparser.payload", "Potential replay attack detected on SSH connection initiated from %{saddr}:%{sport->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, +])); + +var msg633 = msg("00034:44", part1055); + +var select225 = linear_select([ + msg594, + msg595, + msg596, + msg597, + msg598, + msg599, + msg600, + msg601, + msg602, + msg603, + msg604, + msg605, + msg606, + msg607, + msg608, + msg609, + msg610, + msg611, + msg612, + msg613, + msg614, + msg615, + msg616, + msg617, + msg618, + msg619, + msg620, + msg621, + msg622, + msg623, + msg624, + msg625, + msg626, + msg627, + msg628, + msg629, + msg630, + msg631, + msg632, + msg633, +]); + +var part1056 = // "Pattern{Constant('PKI Verify Error: '), Field(resultcode,false), Constant(':'), Field(result,false)}" +match("MESSAGE#624:00035", "nwparser.payload", "PKI Verify Error: %{resultcode}:%{result}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, +])); + +var msg634 = msg("00035", part1056); + +var part1057 = // "Pattern{Constant('SSL - Error MessageID in incoming mail - '), Field(fld2,false)}" +match("MESSAGE#625:00035:01", "nwparser.payload", "SSL - Error MessageID in incoming mail - %{fld2}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, +])); + +var msg635 = msg("00035:01", part1057); + +var part1058 = // "Pattern{Constant('SSL - cipher type '), Field(fld2,true), Constant(' is not allowed in export or firewall only system')}" +match("MESSAGE#626:00035:02", "nwparser.payload", "SSL - cipher type %{fld2->} is not allowed in export or firewall only system", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, +])); + +var msg636 = msg("00035:02", part1058); + +var part1059 = // "Pattern{Constant('SSL CA changed'), Field(,false)}" +match("MESSAGE#627:00035:03", "nwparser.payload", "SSL CA changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg637 = msg("00035:03", part1059); + +var part1060 = // "Pattern{Constant('SSL Error when retrieve local c'), Field(p0,false)}" +match("MESSAGE#628:00035:04/0", "nwparser.payload", "SSL Error when retrieve local c%{p0}"); + +var part1061 = // "Pattern{Constant('a(verify) '), Field(p0,false)}" +match("MESSAGE#628:00035:04/1_0", "nwparser.p0", "a(verify) %{p0}"); + +var part1062 = // "Pattern{Constant('ert(verify) '), Field(p0,false)}" +match("MESSAGE#628:00035:04/1_1", "nwparser.p0", "ert(verify) %{p0}"); + +var part1063 = // "Pattern{Constant('ert(all) '), Field(p0,false)}" +match("MESSAGE#628:00035:04/1_2", "nwparser.p0", "ert(all) %{p0}"); + +var select226 = linear_select([ + part1061, + part1062, + part1063, +]); + +var part1064 = // "Pattern{Constant(': '), Field(fld2,false)}" +match("MESSAGE#628:00035:04/2", "nwparser.p0", ": %{fld2}"); + +var all220 = all_match({ + processors: [ + part1060, + select226, + part1064, + ], + on_success: processor_chain([ + dup117, + dup2, + dup4, + dup5, + dup3, + ]), +}); + +var msg638 = msg("00035:04", all220); + +var part1065 = // "Pattern{Constant('SSL No ssl context. Not ready for connections.'), Field(,false)}" +match("MESSAGE#629:00035:05", "nwparser.payload", "SSL No ssl context. Not ready for connections.%{}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, +])); + +var msg639 = msg("00035:05", part1065); + +var part1066 = // "Pattern{Constant('SSL c'), Field(p0,false)}" +match("MESSAGE#630:00035:06/0", "nwparser.payload", "SSL c%{p0}"); + +var part1067 = // "Pattern{Constant('changed to none'), Field(,false)}" +match("MESSAGE#630:00035:06/2", "nwparser.p0", "changed to none%{}"); + +var all221 = all_match({ + processors: [ + part1066, + dup391, + part1067, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg640 = msg("00035:06", all221); + +var part1068 = // "Pattern{Constant('SSL cert subject mismatch: '), Field(fld2,true), Constant(' recieved '), Field(fld3,true), Constant(' is expected')}" +match("MESSAGE#631:00035:07", "nwparser.payload", "SSL cert subject mismatch: %{fld2->} recieved %{fld3->} is expected", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg641 = msg("00035:07", part1068); + +var part1069 = // "Pattern{Constant('SSL certificate changed'), Field(,false)}" +match("MESSAGE#632:00035:08", "nwparser.payload", "SSL certificate changed%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg642 = msg("00035:08", part1069); + +var part1070 = // "Pattern{Constant('enabled'), Field(,false)}" +match("MESSAGE#633:00035:09/1_0", "nwparser.p0", "enabled%{}"); + +var select227 = linear_select([ + part1070, + dup92, +]); + +var all222 = all_match({ + processors: [ + dup255, + select227, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg643 = msg("00035:09", all222); + +var part1071 = // "Pattern{Constant('SSL memory allocation fails in process_c'), Field(p0,false)}" +match("MESSAGE#634:00035:10/0", "nwparser.payload", "SSL memory allocation fails in process_c%{p0}"); + +var part1072 = // "Pattern{Constant('a()'), Field(,false)}" +match("MESSAGE#634:00035:10/1_0", "nwparser.p0", "a()%{}"); + +var part1073 = // "Pattern{Constant('ert()'), Field(,false)}" +match("MESSAGE#634:00035:10/1_1", "nwparser.p0", "ert()%{}"); + +var select228 = linear_select([ + part1072, + part1073, +]); + +var all223 = all_match({ + processors: [ + part1071, + select228, + ], + on_success: processor_chain([ + dup186, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg644 = msg("00035:10", all223); + +var part1074 = // "Pattern{Constant('SSL no ssl c'), Field(p0,false)}" +match("MESSAGE#635:00035:11/0", "nwparser.payload", "SSL no ssl c%{p0}"); + +var part1075 = // "Pattern{Constant('a'), Field(,false)}" +match("MESSAGE#635:00035:11/1_0", "nwparser.p0", "a%{}"); + +var part1076 = // "Pattern{Constant('ert'), Field(,false)}" +match("MESSAGE#635:00035:11/1_1", "nwparser.p0", "ert%{}"); + +var select229 = linear_select([ + part1075, + part1076, +]); + +var all224 = all_match({ + processors: [ + part1074, + select229, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg645 = msg("00035:11", all224); + +var part1077 = // "Pattern{Constant('SSL set c'), Field(p0,false)}" +match("MESSAGE#636:00035:12/0", "nwparser.payload", "SSL set c%{p0}"); + +var part1078 = // "Pattern{Constant('id is invalid '), Field(fld2,false)}" +match("MESSAGE#636:00035:12/2", "nwparser.p0", "id is invalid %{fld2}"); + +var all225 = all_match({ + processors: [ + part1077, + dup391, + part1078, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg646 = msg("00035:12", all225); + +var part1079 = // "Pattern{Constant('verify '), Field(p0,false)}" +match("MESSAGE#637:00035:13/1_1", "nwparser.p0", "verify %{p0}"); + +var select230 = linear_select([ + dup101, + part1079, +]); + +var part1080 = // "Pattern{Constant('cert failed. Key type is not RSA'), Field(,false)}" +match("MESSAGE#637:00035:13/2", "nwparser.p0", "cert failed. Key type is not RSA%{}"); + +var all226 = all_match({ + processors: [ + dup255, + select230, + part1080, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg647 = msg("00035:13", all226); + +var part1081 = // "Pattern{Constant('SSL ssl context init failed'), Field(,false)}" +match("MESSAGE#638:00035:14", "nwparser.payload", "SSL ssl context init failed%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg648 = msg("00035:14", part1081); + +var part1082 = // "Pattern{Field(change_attribute,true), Constant(' has been changed '), Field(p0,false)}" +match("MESSAGE#639:00035:15/0", "nwparser.payload", "%{change_attribute->} has been changed %{p0}"); + +var part1083 = // "Pattern{Constant('from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#639:00035:15/1_0", "nwparser.p0", "from %{change_old->} to %{change_new}"); + +var part1084 = // "Pattern{Constant('to '), Field(fld2,false)}" +match("MESSAGE#639:00035:15/1_1", "nwparser.p0", "to %{fld2}"); + +var select231 = linear_select([ + part1083, + part1084, +]); + +var all227 = all_match({ + processors: [ + part1082, + select231, + ], + on_success: processor_chain([ + dup186, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg649 = msg("00035:15", all227); + +var part1085 = // "Pattern{Constant('web SSL certificate changed to by '), Field(username,true), Constant(' via web from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' '), Field(fld5,false)}" +match("MESSAGE#640:00035:16", "nwparser.payload", "web SSL certificate changed to by %{username->} via web from host %{saddr->} to %{daddr}:%{dport->} %{fld5}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg650 = msg("00035:16", part1085); + +var select232 = linear_select([ + msg634, + msg635, + msg636, + msg637, + msg638, + msg639, + msg640, + msg641, + msg642, + msg643, + msg644, + msg645, + msg646, + msg647, + msg648, + msg649, + msg650, +]); + +var part1086 = // "Pattern{Constant('An optional ScreenOS feature has been activated via a software key'), Field(,false)}" +match("MESSAGE#641:00036", "nwparser.payload", "An optional ScreenOS feature has been activated via a software key%{}", processor_chain([ + dup211, + dup2, + dup3, + dup4, + dup5, +])); + +var msg651 = msg("00036", part1086); + +var part1087 = // "Pattern{Field(fld2,true), Constant(' license keys were updated successfully by '), Field(p0,false)}" +match("MESSAGE#642:00036:01/0", "nwparser.payload", "%{fld2->} license keys were updated successfully by %{p0}"); + +var part1088 = // "Pattern{Constant('manual '), Field(p0,false)}" +match("MESSAGE#642:00036:01/1_1", "nwparser.p0", "manual %{p0}"); + +var select233 = linear_select([ + dup216, + part1088, +]); + +var part1089 = // "Pattern{Constant('retrieval'), Field(,false)}" +match("MESSAGE#642:00036:01/2", "nwparser.p0", "retrieval%{}"); + +var all228 = all_match({ + processors: [ + part1087, + select233, + part1089, + ], + on_success: processor_chain([ + dup256, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg652 = msg("00036:01", all228); + +var select234 = linear_select([ + msg651, + msg652, +]); + +var part1090 = // "Pattern{Constant('Intra-zone block for zone '), Field(zone,true), Constant(' was set to o'), Field(p0,false)}" +match("MESSAGE#643:00037/0", "nwparser.payload", "Intra-zone block for zone %{zone->} was set to o%{p0}"); + +var part1091 = // "Pattern{Constant('n'), Field(,false)}" +match("MESSAGE#643:00037/1_0", "nwparser.p0", "n%{}"); + +var part1092 = // "Pattern{Constant('ff'), Field(,false)}" +match("MESSAGE#643:00037/1_1", "nwparser.p0", "ff%{}"); + +var select235 = linear_select([ + part1091, + part1092, +]); + +var all229 = all_match({ + processors: [ + part1090, + select235, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg653 = msg("00037", all229); + +var part1093 = // "Pattern{Constant('New zone '), Field(zone,true), Constant(' ( '), Field(p0,false)}" +match("MESSAGE#644:00037:01/0", "nwparser.payload", "New zone %{zone->} ( %{p0}"); + +var select236 = linear_select([ + dup257, + dup258, +]); + +var part1094 = // "Pattern{Constant(''), Field(fld2,false), Constant(') was created.'), Field(p0,false)}" +match("MESSAGE#644:00037:01/2", "nwparser.p0", "%{fld2}) was created.%{p0}"); + +var all230 = all_match({ + processors: [ + part1093, + select236, + part1094, + dup353, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg654 = msg("00037:01", all230); + +var part1095 = // "Pattern{Constant('Tunnel zone '), Field(src_zone,true), Constant(' was bound to out zone '), Field(dst_zone,false), Constant('.')}" +match("MESSAGE#645:00037:02", "nwparser.payload", "Tunnel zone %{src_zone->} was bound to out zone %{dst_zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg655 = msg("00037:02", part1095); + +var part1096 = // "Pattern{Constant('was was '), Field(p0,false)}" +match("MESSAGE#646:00037:03/1_0", "nwparser.p0", "was was %{p0}"); + +var part1097 = // "Pattern{Field(zone,true), Constant(' was '), Field(p0,false)}" +match("MESSAGE#646:00037:03/1_1", "nwparser.p0", "%{zone->} was %{p0}"); + +var select237 = linear_select([ + part1096, + part1097, +]); + +var part1098 = // "Pattern{Constant('virtual router '), Field(p0,false)}" +match("MESSAGE#646:00037:03/3", "nwparser.p0", "virtual router %{p0}"); + +var part1099 = // "Pattern{Field(node,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#646:00037:03/4_0", "nwparser.p0", "%{node->} (%{fld1})"); + +var part1100 = // "Pattern{Field(node,false), Constant('.')}" +match("MESSAGE#646:00037:03/4_1", "nwparser.p0", "%{node}."); + +var select238 = linear_select([ + part1099, + part1100, +]); + +var all231 = all_match({ + processors: [ + dup113, + select237, + dup374, + part1098, + select238, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg656 = msg("00037:03", all231); + +var part1101 = // "Pattern{Constant('Zone '), Field(zone,true), Constant(' was changed to non-shared.')}" +match("MESSAGE#647:00037:04", "nwparser.payload", "Zone %{zone->} was changed to non-shared.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg657 = msg("00037:04", part1101); + +var part1102 = // "Pattern{Constant('Zone '), Field(zone,true), Constant(' ( '), Field(p0,false)}" +match("MESSAGE#648:00037:05/0", "nwparser.payload", "Zone %{zone->} ( %{p0}"); + +var select239 = linear_select([ + dup258, + dup257, +]); + +var part1103 = // "Pattern{Constant(''), Field(fld2,false), Constant(') was deleted. '), Field(p0,false)}" +match("MESSAGE#648:00037:05/2", "nwparser.p0", "%{fld2}) was deleted. %{p0}"); + +var part1104 = // "Pattern{Field(space,false)}" +match_copy("MESSAGE#648:00037:05/3_1", "nwparser.p0", "space"); + +var select240 = linear_select([ + dup10, + part1104, +]); + +var all232 = all_match({ + processors: [ + part1102, + select239, + part1103, + select240, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg658 = msg("00037:05", all232); + +var part1105 = // "Pattern{Constant('IP/TCP reassembly for ALG was '), Field(disposition,true), Constant(' on zone '), Field(zone,false), Constant('.')}" +match("MESSAGE#649:00037:06", "nwparser.payload", "IP/TCP reassembly for ALG was %{disposition->} on zone %{zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg659 = msg("00037:06", part1105); + +var select241 = linear_select([ + msg653, + msg654, + msg655, + msg656, + msg657, + msg658, + msg659, +]); + +var part1106 = // "Pattern{Constant('OSPF routing instance in vrouter '), Field(p0,false)}" +match("MESSAGE#650:00038/0", "nwparser.payload", "OSPF routing instance in vrouter %{p0}"); + +var part1107 = // "Pattern{Field(node,true), Constant(' is '), Field(p0,false)}" +match("MESSAGE#650:00038/1_0", "nwparser.p0", "%{node->} is %{p0}"); + +var part1108 = // "Pattern{Field(node,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#650:00038/1_1", "nwparser.p0", "%{node->} %{p0}"); + +var select242 = linear_select([ + part1107, + part1108, +]); + +var all233 = all_match({ + processors: [ + part1106, + select242, + dup36, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg660 = msg("00038", all233); + +var part1109 = // "Pattern{Constant('BGP instance name created for vr '), Field(node,false)}" +match("MESSAGE#651:00039", "nwparser.payload", "BGP instance name created for vr %{node}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg661 = msg("00039", part1109); + +var part1110 = // "Pattern{Constant('Low watermark'), Field(p0,false)}" +match("MESSAGE#652:00040/0_0", "nwparser.payload", "Low watermark%{p0}"); + +var part1111 = // "Pattern{Constant('High watermark'), Field(p0,false)}" +match("MESSAGE#652:00040/0_1", "nwparser.payload", "High watermark%{p0}"); + +var select243 = linear_select([ + part1110, + part1111, +]); + +var part1112 = // "Pattern{Field(,false), Constant('for early aging has been changed to the default '), Field(fld2,false)}" +match("MESSAGE#652:00040/1", "nwparser.p0", "%{}for early aging has been changed to the default %{fld2}"); + +var all234 = all_match({ + processors: [ + select243, + part1112, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg662 = msg("00040", all234); + +var part1113 = // "Pattern{Constant('VPN ''), Field(group,false), Constant('' from '), Field(daddr,true), Constant(' is '), Field(disposition,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#653:00040:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg663 = msg("00040:01", part1113); + +var select244 = linear_select([ + msg662, + msg663, +]); + +var part1114 = // "Pattern{Constant('A route-map name in virtual router '), Field(node,true), Constant(' has been removed')}" +match("MESSAGE#654:00041", "nwparser.payload", "A route-map name in virtual router %{node->} has been removed", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg664 = msg("00041", part1114); + +var part1115 = // "Pattern{Constant('VPN ''), Field(group,false), Constant('' from '), Field(daddr,true), Constant(' is '), Field(disposition,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#655:00041:01", "nwparser.payload", "VPN '%{group}' from %{daddr->} is %{disposition->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg665 = msg("00041:01", part1115); + +var select245 = linear_select([ + msg664, + msg665, +]); + +var part1116 = // "Pattern{Constant('Replay packet detected on IPSec tunnel on '), Field(interface,true), Constant(' with tunnel ID '), Field(fld2,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,false), Constant(', '), Field(info,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#656:00042", "nwparser.payload", "Replay packet detected on IPSec tunnel on %{interface->} with tunnel ID %{fld2}! From %{saddr->} to %{daddr}/%{dport}, %{info->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg666 = msg("00042", part1116); + +var part1117 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#657:00042:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup9, + dup4, + dup5, + dup60, +])); + +var msg667 = msg("00042:01", part1117); + +var select246 = linear_select([ + msg666, + msg667, +]); + +var part1118 = // "Pattern{Constant('Receive StopCCN_msg, remove l2tp tunnel ('), Field(fld2,false), Constant('-'), Field(fld3,false), Constant('), Result code '), Field(resultcode,true), Constant(' ('), Field(result,false), Constant('). ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#658:00043", "nwparser.payload", "Receive StopCCN_msg, remove l2tp tunnel (%{fld2}-%{fld3}), Result code %{resultcode->} (%{result}). (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg668 = msg("00043", part1118); + +var part1119 = // "Pattern{Constant('access list '), Field(listnum,true), Constant(' sequence number '), Field(fld3,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#659:00044/0", "nwparser.payload", "access list %{listnum->} sequence number %{fld3->} %{p0}"); + +var part1120 = // "Pattern{Constant('deny '), Field(p0,false)}" +match("MESSAGE#659:00044/1_1", "nwparser.p0", "deny %{p0}"); + +var select247 = linear_select([ + dup259, + part1120, +]); + +var part1121 = // "Pattern{Constant('ip '), Field(hostip,false), Constant('/'), Field(mask,true), Constant(' '), Field(disposition,true), Constant(' in vrouter '), Field(node,false)}" +match("MESSAGE#659:00044/2", "nwparser.p0", "ip %{hostip}/%{mask->} %{disposition->} in vrouter %{node}"); + +var all235 = all_match({ + processors: [ + part1119, + select247, + part1121, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg669 = msg("00044", all235); + +var part1122 = // "Pattern{Constant('access list '), Field(listnum,true), Constant(' '), Field(disposition,true), Constant(' in vrouter '), Field(node,false), Constant('.')}" +match("MESSAGE#660:00044:01", "nwparser.payload", "access list %{listnum->} %{disposition->} in vrouter %{node}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg670 = msg("00044:01", part1122); + +var select248 = linear_select([ + msg669, + msg670, +]); + +var part1123 = // "Pattern{Constant('RIP instance in virtual router '), Field(node,true), Constant(' was '), Field(disposition,false), Constant('.')}" +match("MESSAGE#661:00045", "nwparser.payload", "RIP instance in virtual router %{node->} was %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg671 = msg("00045", part1123); + +var part1124 = // "Pattern{Constant('remove '), Field(p0,false)}" +match("MESSAGE#662:00047/1_0", "nwparser.p0", "remove %{p0}"); + +var part1125 = // "Pattern{Constant('add '), Field(p0,false)}" +match("MESSAGE#662:00047/1_1", "nwparser.p0", "add %{p0}"); + +var select249 = linear_select([ + part1124, + part1125, +]); + +var part1126 = // "Pattern{Constant('multicast policy from '), Field(src_zone,true), Constant(' '), Field(fld4,true), Constant(' to '), Field(dst_zone,true), Constant(' '), Field(fld3,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#662:00047/2", "nwparser.p0", "multicast policy from %{src_zone->} %{fld4->} to %{dst_zone->} %{fld3->} (%{fld1})"); + +var all236 = all_match({ + processors: [ + dup185, + select249, + part1126, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg672 = msg("00047", all236); + +var part1127 = // "Pattern{Constant('Access list entry '), Field(listnum,true), Constant(' with '), Field(p0,false)}" +match("MESSAGE#663:00048/0", "nwparser.payload", "Access list entry %{listnum->} with %{p0}"); + +var part1128 = // "Pattern{Constant('a sequence '), Field(p0,false)}" +match("MESSAGE#663:00048/1_0", "nwparser.p0", "a sequence %{p0}"); + +var part1129 = // "Pattern{Constant('sequence '), Field(p0,false)}" +match("MESSAGE#663:00048/1_1", "nwparser.p0", "sequence %{p0}"); + +var select250 = linear_select([ + part1128, + part1129, +]); + +var part1130 = // "Pattern{Constant('number '), Field(fld2,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#663:00048/2", "nwparser.p0", "number %{fld2->} %{p0}"); + +var part1131 = // "Pattern{Constant('with an action of '), Field(p0,false)}" +match("MESSAGE#663:00048/3_0", "nwparser.p0", "with an action of %{p0}"); + +var select251 = linear_select([ + part1131, + dup112, +]); + +var part1132 = // "Pattern{Constant('with an IP '), Field(p0,false)}" +match("MESSAGE#663:00048/5_0", "nwparser.p0", "with an IP %{p0}"); + +var select252 = linear_select([ + part1132, + dup139, +]); + +var part1133 = // "Pattern{Constant('address '), Field(p0,false)}" +match("MESSAGE#663:00048/6", "nwparser.p0", "address %{p0}"); + +var part1134 = // "Pattern{Constant('and subnetwork mask of '), Field(p0,false)}" +match("MESSAGE#663:00048/7_0", "nwparser.p0", "and subnetwork mask of %{p0}"); + +var select253 = linear_select([ + part1134, + dup16, +]); + +var part1135 = // "Pattern{Field(,true), Constant(' '), Field(fld3,false), Constant('was '), Field(p0,false)}" +match("MESSAGE#663:00048/8", "nwparser.p0", "%{} %{fld3}was %{p0}"); + +var part1136 = // "Pattern{Constant('created on '), Field(p0,false)}" +match("MESSAGE#663:00048/9_0", "nwparser.p0", "created on %{p0}"); + +var select254 = linear_select([ + part1136, + dup129, +]); + +var part1137 = // "Pattern{Constant('virtual router '), Field(node,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#663:00048/10", "nwparser.p0", "virtual router %{node->} (%{fld1})"); + +var all237 = all_match({ + processors: [ + part1127, + select250, + part1130, + select251, + dup259, + select252, + part1133, + select253, + part1135, + select254, + part1137, + ], + on_success: processor_chain([ + setc("eventcategory","1501000000"), + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg673 = msg("00048", all237); + +var part1138 = // "Pattern{Constant('Route '), Field(p0,false)}" +match("MESSAGE#664:00048:01/0", "nwparser.payload", "Route %{p0}"); + +var part1139 = // "Pattern{Constant('map entry '), Field(p0,false)}" +match("MESSAGE#664:00048:01/1_0", "nwparser.p0", "map entry %{p0}"); + +var part1140 = // "Pattern{Constant('entry '), Field(p0,false)}" +match("MESSAGE#664:00048:01/1_1", "nwparser.p0", "entry %{p0}"); + +var select255 = linear_select([ + part1139, + part1140, +]); + +var part1141 = // "Pattern{Constant('with sequence number '), Field(fld2,true), Constant(' in route map binck-ospf'), Field(p0,false)}" +match("MESSAGE#664:00048:01/2", "nwparser.p0", "with sequence number %{fld2->} in route map binck-ospf%{p0}"); + +var part1142 = // "Pattern{Constant(' in '), Field(p0,false)}" +match("MESSAGE#664:00048:01/3_0", "nwparser.p0", " in %{p0}"); + +var select256 = linear_select([ + part1142, + dup105, +]); + +var part1143 = // "Pattern{Constant('virtual router '), Field(node,true), Constant(' was '), Field(disposition,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#664:00048:01/4", "nwparser.p0", "virtual router %{node->} was %{disposition->} (%{fld1})"); + +var all238 = all_match({ + processors: [ + part1138, + select255, + part1141, + select256, + part1143, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg674 = msg("00048:01", all238); + +var part1144 = // "Pattern{Field(space,false), Constant('set match interface '), Field(interface,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#665:00048:02", "nwparser.payload", "%{space}set match interface %{interface->} (%{fld1})", processor_chain([ + dup211, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg675 = msg("00048:02", part1144); + +var select257 = linear_select([ + msg673, + msg674, + msg675, +]); + +var part1145 = // "Pattern{Constant('Route-lookup preference changed to '), Field(fld8,true), Constant(' ('), Field(fld2,false), Constant(') => '), Field(fld3,true), Constant(' ('), Field(fld4,false), Constant(') => '), Field(fld5,true), Constant(' ('), Field(fld6,false), Constant(') in virtual router ('), Field(node,false), Constant(')')}" +match("MESSAGE#666:00049", "nwparser.payload", "Route-lookup preference changed to %{fld8->} (%{fld2}) => %{fld3->} (%{fld4}) => %{fld5->} (%{fld6}) in virtual router (%{node})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg676 = msg("00049", part1145); + +var part1146 = // "Pattern{Constant('SIBR routing '), Field(disposition,true), Constant(' in virtual router '), Field(node,false)}" +match("MESSAGE#667:00049:01", "nwparser.payload", "SIBR routing %{disposition->} in virtual router %{node}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg677 = msg("00049:01", part1146); + +var part1147 = // "Pattern{Constant('A virtual router with name '), Field(node,true), Constant(' and ID '), Field(fld2,true), Constant(' has been removed')}" +match("MESSAGE#668:00049:02", "nwparser.payload", "A virtual router with name %{node->} and ID %{fld2->} has been removed", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg678 = msg("00049:02", part1147); + +var part1148 = // "Pattern{Constant('The router-id of virtual router "'), Field(node,false), Constant('" used by OSPF, BGP routing instances id has been uninitialized. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#669:00049:03", "nwparser.payload", "The router-id of virtual router \"%{node}\" used by OSPF, BGP routing instances id has been uninitialized. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg679 = msg("00049:03", part1148); + +var part1149 = // "Pattern{Constant('The system default-route through virtual router "'), Field(node,false), Constant('" has been added in virtual router "'), Field(fld4,false), Constant('" ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#670:00049:04", "nwparser.payload", "The system default-route through virtual router \"%{node}\" has been added in virtual router \"%{fld4}\" (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg680 = msg("00049:04", part1149); + +var part1150 = // "Pattern{Constant('Subnetwork conflict checking for interfaces in virtual router ('), Field(node,false), Constant(') has been enabled. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#671:00049:05", "nwparser.payload", "Subnetwork conflict checking for interfaces in virtual router (%{node}) has been enabled. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg681 = msg("00049:05", part1150); + +var select258 = linear_select([ + msg676, + msg677, + msg678, + msg679, + msg680, + msg681, +]); + +var part1151 = // "Pattern{Constant('Track IP enabled ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#672:00050", "nwparser.payload", "Track IP enabled (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg682 = msg("00050", part1151); + +var part1152 = // "Pattern{Constant('Session utilization has reached '), Field(fld2,false), Constant(', which is '), Field(fld3,true), Constant(' of the system capacity!')}" +match("MESSAGE#673:00051", "nwparser.payload", "Session utilization has reached %{fld2}, which is %{fld3->} of the system capacity!", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, +])); + +var msg683 = msg("00051", part1152); + +var part1153 = // "Pattern{Constant('AV: Suspicious client '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('->'), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' used '), Field(fld2,true), Constant(' percent of AV resources, which exceeded the max of '), Field(fld3,true), Constant(' percent.')}" +match("MESSAGE#674:00052", "nwparser.payload", "AV: Suspicious client %{saddr}:%{sport}->%{daddr}:%{dport->} used %{fld2->} percent of AV resources, which exceeded the max of %{fld3->} percent.", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, +])); + +var msg684 = msg("00052", part1153); + +var part1154 = // "Pattern{Constant('router '), Field(p0,false)}" +match("MESSAGE#675:00055/1_1", "nwparser.p0", "router %{p0}"); + +var select259 = linear_select([ + dup171, + part1154, +]); + +var part1155 = // "Pattern{Constant('instance was '), Field(disposition,true), Constant(' on interface '), Field(interface,false), Constant('.')}" +match("MESSAGE#675:00055/2", "nwparser.p0", "instance was %{disposition->} on interface %{interface}."); + +var all239 = all_match({ + processors: [ + dup260, + select259, + part1155, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg685 = msg("00055", all239); + +var part1156 = // "Pattern{Constant('proxy '), Field(p0,false)}" +match("MESSAGE#676:00055:01/1_0", "nwparser.p0", "proxy %{p0}"); + +var part1157 = // "Pattern{Constant('function '), Field(p0,false)}" +match("MESSAGE#676:00055:01/1_1", "nwparser.p0", "function %{p0}"); + +var select260 = linear_select([ + part1156, + part1157, +]); + +var part1158 = // "Pattern{Constant('was '), Field(disposition,true), Constant(' on interface '), Field(interface,false), Constant('.')}" +match("MESSAGE#676:00055:01/2", "nwparser.p0", "was %{disposition->} on interface %{interface}."); + +var all240 = all_match({ + processors: [ + dup260, + select260, + part1158, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg686 = msg("00055:01", all240); + +var part1159 = // "Pattern{Constant('same subnet check on interface '), Field(interface,false), Constant('.')}" +match("MESSAGE#677:00055:02/2", "nwparser.p0", "same subnet check on interface %{interface}."); + +var all241 = all_match({ + processors: [ + dup261, + dup392, + part1159, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg687 = msg("00055:02", all241); + +var part1160 = // "Pattern{Constant('router alert IP option check on interface '), Field(interface,false), Constant('.')}" +match("MESSAGE#678:00055:03/2", "nwparser.p0", "router alert IP option check on interface %{interface}."); + +var all242 = all_match({ + processors: [ + dup261, + dup392, + part1160, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg688 = msg("00055:03", all242); + +var part1161 = // "Pattern{Constant('IGMP version was changed to '), Field(version,true), Constant(' on interface '), Field(interface,false)}" +match("MESSAGE#679:00055:04", "nwparser.payload", "IGMP version was changed to %{version->} on interface %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg689 = msg("00055:04", part1161); + +var part1162 = // "Pattern{Constant('IGMP query '), Field(p0,false)}" +match("MESSAGE#680:00055:05/0", "nwparser.payload", "IGMP query %{p0}"); + +var part1163 = // "Pattern{Constant('max response time '), Field(p0,false)}" +match("MESSAGE#680:00055:05/1_1", "nwparser.p0", "max response time %{p0}"); + +var select261 = linear_select([ + dup110, + part1163, +]); + +var part1164 = // "Pattern{Constant('was changed to '), Field(fld2,true), Constant(' on interface '), Field(interface,false)}" +match("MESSAGE#680:00055:05/2", "nwparser.p0", "was changed to %{fld2->} on interface %{interface}"); + +var all243 = all_match({ + processors: [ + part1162, + select261, + part1164, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg690 = msg("00055:05", all243); + +var part1165 = // "Pattern{Constant('IGMP l'), Field(p0,false)}" +match("MESSAGE#681:00055:06/0", "nwparser.payload", "IGMP l%{p0}"); + +var part1166 = // "Pattern{Constant('eave '), Field(p0,false)}" +match("MESSAGE#681:00055:06/1_0", "nwparser.p0", "eave %{p0}"); + +var part1167 = // "Pattern{Constant('ast member query '), Field(p0,false)}" +match("MESSAGE#681:00055:06/1_1", "nwparser.p0", "ast member query %{p0}"); + +var select262 = linear_select([ + part1166, + part1167, +]); + +var part1168 = // "Pattern{Constant('interval was changed to '), Field(fld2,true), Constant(' on interface '), Field(interface,false), Constant('.')}" +match("MESSAGE#681:00055:06/2", "nwparser.p0", "interval was changed to %{fld2->} on interface %{interface}."); + +var all244 = all_match({ + processors: [ + part1165, + select262, + part1168, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg691 = msg("00055:06", all244); + +var part1169 = // "Pattern{Constant('routers '), Field(p0,false)}" +match("MESSAGE#682:00055:07/1_0", "nwparser.p0", "routers %{p0}"); + +var part1170 = // "Pattern{Constant('hosts '), Field(p0,false)}" +match("MESSAGE#682:00055:07/1_1", "nwparser.p0", "hosts %{p0}"); + +var part1171 = // "Pattern{Constant('groups '), Field(p0,false)}" +match("MESSAGE#682:00055:07/1_2", "nwparser.p0", "groups %{p0}"); + +var select263 = linear_select([ + part1169, + part1170, + part1171, +]); + +var part1172 = // "Pattern{Constant('accept list ID was changed to '), Field(fld2,true), Constant(' on interface '), Field(interface,false), Constant('.')}" +match("MESSAGE#682:00055:07/2", "nwparser.p0", "accept list ID was changed to %{fld2->} on interface %{interface}."); + +var all245 = all_match({ + processors: [ + dup260, + select263, + part1172, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg692 = msg("00055:07", all245); + +var part1173 = // "Pattern{Constant('all groups '), Field(p0,false)}" +match("MESSAGE#683:00055:08/1_0", "nwparser.p0", "all groups %{p0}"); + +var part1174 = // "Pattern{Constant('group '), Field(p0,false)}" +match("MESSAGE#683:00055:08/1_1", "nwparser.p0", "group %{p0}"); + +var select264 = linear_select([ + part1173, + part1174, +]); + +var part1175 = // "Pattern{Constant(''), Field(group,true), Constant(' static flag was '), Field(disposition,true), Constant(' on interface '), Field(interface,false), Constant('.')}" +match("MESSAGE#683:00055:08/2", "nwparser.p0", "%{group->} static flag was %{disposition->} on interface %{interface}."); + +var all246 = all_match({ + processors: [ + dup260, + select264, + part1175, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg693 = msg("00055:08", all246); + +var part1176 = // "Pattern{Constant('IGMP static group '), Field(group,true), Constant(' was added on interface '), Field(interface,false)}" +match("MESSAGE#684:00055:09", "nwparser.payload", "IGMP static group %{group->} was added on interface %{interface}", processor_chain([ + dup211, + dup2, + dup3, + dup4, + dup5, +])); + +var msg694 = msg("00055:09", part1176); + +var part1177 = // "Pattern{Constant('IGMP proxy always is '), Field(disposition,true), Constant(' on interface '), Field(interface,false), Constant('.')}" +match("MESSAGE#685:00055:10", "nwparser.payload", "IGMP proxy always is %{disposition->} on interface %{interface}.", processor_chain([ + dup211, + dup2, + dup3, + dup4, + dup5, +])); + +var msg695 = msg("00055:10", part1177); + +var select265 = linear_select([ + msg685, + msg686, + msg687, + msg688, + msg689, + msg690, + msg691, + msg692, + msg693, + msg694, + msg695, +]); + +var part1178 = // "Pattern{Constant('Remove multicast policy from '), Field(src_zone,true), Constant(' '), Field(saddr,true), Constant(' to '), Field(dst_zone,true), Constant(' '), Field(daddr,false)}" +match("MESSAGE#686:00056", "nwparser.payload", "Remove multicast policy from %{src_zone->} %{saddr->} to %{dst_zone->} %{daddr}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg696 = msg("00056", part1178); + +var part1179 = // "Pattern{Field(fld2,false), Constant(': static multicast route src='), Field(saddr,false), Constant(', grp='), Field(group,true), Constant(' input ifp = '), Field(sinterface,true), Constant(' output ifp = '), Field(dinterface,true), Constant(' added')}" +match("MESSAGE#687:00057", "nwparser.payload", "%{fld2}: static multicast route src=%{saddr}, grp=%{group->} input ifp = %{sinterface->} output ifp = %{dinterface->} added", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg697 = msg("00057", part1179); + +var part1180 = // "Pattern{Constant('PIMSM protocol configured on interface '), Field(interface,false)}" +match("MESSAGE#688:00058", "nwparser.payload", "PIMSM protocol configured on interface %{interface}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg698 = msg("00058", part1180); + +var part1181 = // "Pattern{Constant('DDNS module is '), Field(p0,false)}" +match("MESSAGE#689:00059/0", "nwparser.payload", "DDNS module is %{p0}"); + +var part1182 = // "Pattern{Constant('initialized '), Field(p0,false)}" +match("MESSAGE#689:00059/1_0", "nwparser.p0", "initialized %{p0}"); + +var select266 = linear_select([ + part1182, + dup264, + dup157, + dup156, +]); + +var all247 = all_match({ + processors: [ + part1181, + select266, + dup116, + ], + on_success: processor_chain([ + dup211, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg699 = msg("00059", all247); + +var part1183 = // "Pattern{Constant('DDNS entry with id '), Field(fld2,true), Constant(' is configured with server type "'), Field(fld3,false), Constant('" name "'), Field(hostname,false), Constant('" refresh-interval '), Field(fld5,true), Constant(' hours minimum update interval '), Field(fld6,true), Constant(' minutes with '), Field(p0,false)}" +match("MESSAGE#690:00059:02/0", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with server type \"%{fld3}\" name \"%{hostname}\" refresh-interval %{fld5->} hours minimum update interval %{fld6->} minutes with %{p0}"); + +var part1184 = // "Pattern{Constant('secure '), Field(p0,false)}" +match("MESSAGE#690:00059:02/1_0", "nwparser.p0", "secure %{p0}"); + +var part1185 = // "Pattern{Constant('clear-text '), Field(p0,false)}" +match("MESSAGE#690:00059:02/1_1", "nwparser.p0", "clear-text %{p0}"); + +var select267 = linear_select([ + part1184, + part1185, +]); + +var part1186 = // "Pattern{Constant('secure connection.'), Field(,false)}" +match("MESSAGE#690:00059:02/2", "nwparser.p0", "secure connection.%{}"); + +var all248 = all_match({ + processors: [ + part1183, + select267, + part1186, + ], + on_success: processor_chain([ + dup211, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg700 = msg("00059:02", all248); + +var part1187 = // "Pattern{Constant('DDNS entry with id '), Field(fld2,true), Constant(' is configured with user name "'), Field(username,false), Constant('" agent "'), Field(fld3,false), Constant('"')}" +match("MESSAGE#691:00059:03", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with user name \"%{username}\" agent \"%{fld3}\"", processor_chain([ + dup211, + dup2, + dup3, + dup4, + dup5, +])); + +var msg701 = msg("00059:03", part1187); + +var part1188 = // "Pattern{Constant('DDNS entry with id '), Field(fld2,true), Constant(' is configured with interface "'), Field(interface,false), Constant('" host-name "'), Field(hostname,false), Constant('"')}" +match("MESSAGE#692:00059:04", "nwparser.payload", "DDNS entry with id %{fld2->} is configured with interface \"%{interface}\" host-name \"%{hostname}\"", processor_chain([ + dup211, + dup2, + dup3, + dup4, + dup5, +])); + +var msg702 = msg("00059:04", part1188); + +var part1189 = // "Pattern{Constant('Hostname '), Field(p0,false)}" +match("MESSAGE#693:00059:05/0_0", "nwparser.payload", "Hostname %{p0}"); + +var part1190 = // "Pattern{Constant('Source interface '), Field(p0,false)}" +match("MESSAGE#693:00059:05/0_1", "nwparser.payload", "Source interface %{p0}"); + +var part1191 = // "Pattern{Constant('Username and password '), Field(p0,false)}" +match("MESSAGE#693:00059:05/0_2", "nwparser.payload", "Username and password %{p0}"); + +var part1192 = // "Pattern{Constant('Server '), Field(p0,false)}" +match("MESSAGE#693:00059:05/0_3", "nwparser.payload", "Server %{p0}"); + +var select268 = linear_select([ + part1189, + part1190, + part1191, + part1192, +]); + +var part1193 = // "Pattern{Constant('of DDNS entry with id '), Field(fld2,true), Constant(' is cleared.')}" +match("MESSAGE#693:00059:05/1", "nwparser.p0", "of DDNS entry with id %{fld2->} is cleared."); + +var all249 = all_match({ + processors: [ + select268, + part1193, + ], + on_success: processor_chain([ + dup211, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg703 = msg("00059:05", all249); + +var part1194 = // "Pattern{Constant('Agent of DDNS entry with id '), Field(fld2,true), Constant(' is reset to its default value.')}" +match("MESSAGE#694:00059:06", "nwparser.payload", "Agent of DDNS entry with id %{fld2->} is reset to its default value.", processor_chain([ + dup211, + dup2, + dup3, + dup4, + dup5, +])); + +var msg704 = msg("00059:06", part1194); + +var part1195 = // "Pattern{Constant('Updates for DDNS entry with id '), Field(fld2,true), Constant(' are set to be sent in secure ('), Field(protocol,false), Constant(') mode.')}" +match("MESSAGE#695:00059:07", "nwparser.payload", "Updates for DDNS entry with id %{fld2->} are set to be sent in secure (%{protocol}) mode.", processor_chain([ + dup211, + dup2, + dup3, + dup4, + dup5, +])); + +var msg705 = msg("00059:07", part1195); + +var part1196 = // "Pattern{Constant('Refresh '), Field(p0,false)}" +match("MESSAGE#696:00059:08/0_0", "nwparser.payload", "Refresh %{p0}"); + +var part1197 = // "Pattern{Constant('Minimum update '), Field(p0,false)}" +match("MESSAGE#696:00059:08/0_1", "nwparser.payload", "Minimum update %{p0}"); + +var select269 = linear_select([ + part1196, + part1197, +]); + +var part1198 = // "Pattern{Constant('interval of DDNS entry with id '), Field(fld2,true), Constant(' is set to default value ('), Field(fld3,false), Constant(').')}" +match("MESSAGE#696:00059:08/1", "nwparser.p0", "interval of DDNS entry with id %{fld2->} is set to default value (%{fld3})."); + +var all250 = all_match({ + processors: [ + select269, + part1198, + ], + on_success: processor_chain([ + dup211, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg706 = msg("00059:08", all250); + +var part1199 = // "Pattern{Constant('No-Change '), Field(p0,false)}" +match("MESSAGE#697:00059:09/1_0", "nwparser.p0", "No-Change %{p0}"); + +var part1200 = // "Pattern{Constant('Error '), Field(p0,false)}" +match("MESSAGE#697:00059:09/1_1", "nwparser.p0", "Error %{p0}"); + +var select270 = linear_select([ + part1199, + part1200, +]); + +var part1201 = // "Pattern{Constant('response received for DDNS entry update for id '), Field(fld2,true), Constant(' user "'), Field(username,false), Constant('" domain "'), Field(domain,false), Constant('" server type " d'), Field(p0,false)}" +match("MESSAGE#697:00059:09/2", "nwparser.p0", "response received for DDNS entry update for id %{fld2->} user \"%{username}\" domain \"%{domain}\" server type \" d%{p0}"); + +var part1202 = // "Pattern{Constant('yndns '), Field(p0,false)}" +match("MESSAGE#697:00059:09/3_1", "nwparser.p0", "yndns %{p0}"); + +var select271 = linear_select([ + dup263, + part1202, +]); + +var part1203 = // "Pattern{Constant('", server name "'), Field(hostname,false), Constant('"')}" +match("MESSAGE#697:00059:09/4", "nwparser.p0", "\", server name \"%{hostname}\""); + +var all251 = all_match({ + processors: [ + dup162, + select270, + part1201, + select271, + part1203, + ], + on_success: processor_chain([ + dup211, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg707 = msg("00059:09", all251); + +var part1204 = // "Pattern{Constant('DDNS entry with id '), Field(fld2,true), Constant(' is '), Field(disposition,false), Constant('.')}" +match("MESSAGE#698:00059:01", "nwparser.payload", "DDNS entry with id %{fld2->} is %{disposition}.", processor_chain([ + dup211, + dup2, + dup3, + dup4, + dup5, +])); + +var msg708 = msg("00059:01", part1204); + +var select272 = linear_select([ + msg699, + msg700, + msg701, + msg702, + msg703, + msg704, + msg705, + msg706, + msg707, + msg708, +]); + +var part1205 = // "Pattern{Constant('Track IP IP address '), Field(hostip,true), Constant(' failed. ('), Field(event_time_string,false), Constant(')')}" +match("MESSAGE#699:00062:01", "nwparser.payload", "Track IP IP address %{hostip->} failed. (%{event_time_string})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Track IP failed"), +])); + +var msg709 = msg("00062:01", part1205); + +var part1206 = // "Pattern{Constant('Track IP failure reached threshold. ('), Field(event_time_string,false), Constant(')')}" +match("MESSAGE#700:00062:02", "nwparser.payload", "Track IP failure reached threshold. (%{event_time_string})", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Track IP failure reached threshold"), +])); + +var msg710 = msg("00062:02", part1206); + +var part1207 = // "Pattern{Constant('Track IP IP address '), Field(hostip,true), Constant(' succeeded. ('), Field(event_time_string,false), Constant(')')}" +match("MESSAGE#701:00062:03", "nwparser.payload", "Track IP IP address %{hostip->} succeeded. (%{event_time_string})", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Track IP succeeded"), +])); + +var msg711 = msg("00062:03", part1207); + +var part1208 = // "Pattern{Constant('HA linkdown'), Field(,false)}" +match("MESSAGE#702:00062", "nwparser.payload", "HA linkdown%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, +])); + +var msg712 = msg("00062", part1208); + +var select273 = linear_select([ + msg709, + msg710, + msg711, + msg712, +]); + +var part1209 = // "Pattern{Constant('nsrp track-ip ip '), Field(hostip,true), Constant(' '), Field(disposition,false), Constant('!')}" +match("MESSAGE#703:00063", "nwparser.payload", "nsrp track-ip ip %{hostip->} %{disposition}!", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, +])); + +var msg713 = msg("00063", part1209); + +var part1210 = // "Pattern{Constant('Can not create track-ip list'), Field(,false)}" +match("MESSAGE#704:00064", "nwparser.payload", "Can not create track-ip list%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, +])); + +var msg714 = msg("00064", part1210); + +var part1211 = // "Pattern{Constant('track ip fail reaches threshold system may fail over!'), Field(,false)}" +match("MESSAGE#705:00064:01", "nwparser.payload", "track ip fail reaches threshold system may fail over!%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, +])); + +var msg715 = msg("00064:01", part1211); + +var part1212 = // "Pattern{Constant('Anti-Spam is detached from policy ID '), Field(policy_id,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#706:00064:02", "nwparser.payload", "Anti-Spam is detached from policy ID %{policy_id}. (%{fld1})", processor_chain([ + dup17, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg716 = msg("00064:02", part1212); + +var select274 = linear_select([ + msg714, + msg715, + msg716, +]); + +var msg717 = msg("00070", dup414); + +var part1213 = // "Pattern{Field(,false), Constant('Device group '), Field(group,true), Constant(' changed state from '), Field(fld3,true), Constant(' to '), Field(p0,false)}" +match("MESSAGE#708:00070:01/2", "nwparser.p0", "%{}Device group %{group->} changed state from %{fld3->} to %{p0}"); + +var part1214 = // "Pattern{Constant('Init'), Field(,false)}" +match("MESSAGE#708:00070:01/3_0", "nwparser.p0", "Init%{}"); + +var part1215 = // "Pattern{Constant('init. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#708:00070:01/3_1", "nwparser.p0", "init. (%{fld1})"); + +var select275 = linear_select([ + part1214, + part1215, +]); + +var all252 = all_match({ + processors: [ + dup269, + dup394, + part1213, + select275, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg718 = msg("00070:01", all252); + +var part1216 = // "Pattern{Constant('NSRP: nsrp control channel change to '), Field(interface,false)}" +match("MESSAGE#709:00070:02", "nwparser.payload", "NSRP: nsrp control channel change to %{interface}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg719 = msg("00070:02", part1216); + +var select276 = linear_select([ + msg717, + msg718, + msg719, +]); + +var msg720 = msg("00071", dup414); + +var part1217 = // "Pattern{Constant('The local device '), Field(fld1,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' changed state')}" +match("MESSAGE#711:00071:01", "nwparser.payload", "The local device %{fld1->} in the Virtual Security Device group %{group->} changed state", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg721 = msg("00071:01", part1217); + +var select277 = linear_select([ + msg720, + msg721, +]); + +var msg722 = msg("00072", dup414); + +var msg723 = msg("00072:01", dup415); + +var select278 = linear_select([ + msg722, + msg723, +]); + +var msg724 = msg("00073", dup414); + +var msg725 = msg("00073:01", dup415); + +var select279 = linear_select([ + msg724, + msg725, +]); + +var msg726 = msg("00074", dup395); + +var all253 = all_match({ + processors: [ + dup265, + dup393, + dup273, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg727 = msg("00075", all253); + +var part1218 = // "Pattern{Constant('The local device '), Field(hardware_id,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' changed state from '), Field(event_state,true), Constant(' to inoperable. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#718:00075:02", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} changed state from %{event_state->} to inoperable. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("event_description","local device in the Virtual Security Device group changed state to inoperable"), +])); + +var msg728 = msg("00075:02", part1218); + +var part1219 = // "Pattern{Constant('The local device '), Field(hardware_id,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' '), Field(info,false)}" +match("MESSAGE#719:00075:01", "nwparser.payload", "The local device %{hardware_id->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg729 = msg("00075:01", part1219); + +var select280 = linear_select([ + msg727, + msg728, + msg729, +]); + +var msg730 = msg("00076", dup395); + +var part1220 = // "Pattern{Field(fld2,true), Constant(' of VSD group '), Field(group,true), Constant(' send 2nd path request to unit='), Field(fld3,false)}" +match("MESSAGE#721:00076:01/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} send 2nd path request to unit=%{fld3}"); + +var all254 = all_match({ + processors: [ + dup265, + dup393, + part1220, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg731 = msg("00076:01", all254); + +var select281 = linear_select([ + msg730, + msg731, +]); + +var part1221 = // "Pattern{Constant('HA link disconnect. Begin to use second path of HA'), Field(,false)}" +match("MESSAGE#722:00077", "nwparser.payload", "HA link disconnect. Begin to use second path of HA%{}", processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, +])); + +var msg732 = msg("00077", part1221); + +var all255 = all_match({ + processors: [ + dup265, + dup393, + dup273, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg733 = msg("00077:01", all255); + +var part1222 = // "Pattern{Constant('The local device '), Field(fld2,true), Constant(' in the Virtual Security Device group '), Field(group,false)}" +match("MESSAGE#724:00077:02", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group}", processor_chain([ + setc("eventcategory","1607000000"), + dup2, + dup3, + dup4, + dup5, +])); + +var msg734 = msg("00077:02", part1222); + +var select282 = linear_select([ + msg732, + msg733, + msg734, +]); + +var part1223 = // "Pattern{Constant('RTSYNC: NSRP route synchronization is '), Field(disposition,false)}" +match("MESSAGE#725:00084", "nwparser.payload", "RTSYNC: NSRP route synchronization is %{disposition}", processor_chain([ + dup274, + dup2, + dup3, + dup4, + dup5, +])); + +var msg735 = msg("00084", part1223); + +var part1224 = // "Pattern{Constant('Failover '), Field(p0,false)}" +match("MESSAGE#726:00090/0_0", "nwparser.payload", "Failover %{p0}"); + +var part1225 = // "Pattern{Constant('Recovery '), Field(p0,false)}" +match("MESSAGE#726:00090/0_1", "nwparser.payload", "Recovery %{p0}"); + +var select283 = linear_select([ + part1224, + part1225, +]); + +var part1226 = // "Pattern{Constant('untrust interface occurred.'), Field(,false)}" +match("MESSAGE#726:00090/3", "nwparser.p0", "untrust interface occurred.%{}"); + +var all256 = all_match({ + processors: [ + select283, + dup103, + dup372, + part1226, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg736 = msg("00090", all256); + +var part1227 = // "Pattern{Constant('A new route cannot be added to the device because the maximum number of system route entries '), Field(fld2,true), Constant(' has been exceeded')}" +match("MESSAGE#727:00200", "nwparser.payload", "A new route cannot be added to the device because the maximum number of system route entries %{fld2->} has been exceeded", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, +])); + +var msg737 = msg("00200", part1227); + +var part1228 = // "Pattern{Constant('A route '), Field(hostip,false), Constant('/'), Field(fld2,true), Constant(' cannot be added to the virtual router '), Field(node,true), Constant(' because the number of route entries in the virtual router exceeds the maximum number of routes '), Field(fld3,true), Constant(' allowed')}" +match("MESSAGE#728:00201", "nwparser.payload", "A route %{hostip}/%{fld2->} cannot be added to the virtual router %{node->} because the number of route entries in the virtual router exceeds the maximum number of routes %{fld3->} allowed", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, +])); + +var msg738 = msg("00201", part1228); + +var part1229 = // "Pattern{Field(fld2,true), Constant(' hello-packet flood from neighbor (ip = '), Field(hostip,true), Constant(' router-id = '), Field(fld3,false), Constant(') on interface '), Field(interface,true), Constant(' packet is dropped')}" +match("MESSAGE#729:00202", "nwparser.payload", "%{fld2->} hello-packet flood from neighbor (ip = %{hostip->} router-id = %{fld3}) on interface %{interface->} packet is dropped", processor_chain([ + dup274, + dup2, + dup4, + dup5, + dup3, +])); + +var msg739 = msg("00202", part1229); + +var part1230 = // "Pattern{Field(fld2,true), Constant(' lsa flood on interface '), Field(interface,true), Constant(' has dropped a packet.')}" +match("MESSAGE#730:00203", "nwparser.payload", "%{fld2->} lsa flood on interface %{interface->} has dropped a packet.", processor_chain([ + dup274, + dup2, + dup4, + dup5, + dup3, +])); + +var msg740 = msg("00203", part1230); + +var part1231 = // "Pattern{Constant('The total number of redistributed routes into '), Field(p0,false)}" +match("MESSAGE#731:00206/0", "nwparser.payload", "The total number of redistributed routes into %{p0}"); + +var part1232 = // "Pattern{Constant('BGP '), Field(p0,false)}" +match("MESSAGE#731:00206/1_0", "nwparser.p0", "BGP %{p0}"); + +var part1233 = // "Pattern{Constant('OSPF '), Field(p0,false)}" +match("MESSAGE#731:00206/1_1", "nwparser.p0", "OSPF %{p0}"); + +var select284 = linear_select([ + part1232, + part1233, +]); + +var part1234 = // "Pattern{Constant('in vrouter '), Field(node,true), Constant(' exceeded system limit ('), Field(fld2,false), Constant(')')}" +match("MESSAGE#731:00206/2", "nwparser.p0", "in vrouter %{node->} exceeded system limit (%{fld2})"); + +var all257 = all_match({ + processors: [ + part1231, + select284, + part1234, + ], + on_success: processor_chain([ + dup274, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg741 = msg("00206", all257); + +var part1235 = // "Pattern{Constant('LSA flood in OSPF with router-id '), Field(fld2,true), Constant(' on '), Field(p0,false)}" +match("MESSAGE#732:00206:01/0", "nwparser.payload", "LSA flood in OSPF with router-id %{fld2->} on %{p0}"); + +var part1236 = // "Pattern{Constant(''), Field(interface,true), Constant(' forced the interface to drop a packet.')}" +match("MESSAGE#732:00206:01/2", "nwparser.p0", "%{interface->} forced the interface to drop a packet."); + +var all258 = all_match({ + processors: [ + part1235, + dup354, + part1236, + ], + on_success: processor_chain([ + dup275, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg742 = msg("00206:01", all258); + +var part1237 = // "Pattern{Constant('OSPF instance with router-id '), Field(fld3,true), Constant(' received a Hello packet flood from neighbor (IP address '), Field(hostip,false), Constant(', router ID '), Field(fld2,false), Constant(') on '), Field(p0,false)}" +match("MESSAGE#733:00206:02/0", "nwparser.payload", "OSPF instance with router-id %{fld3->} received a Hello packet flood from neighbor (IP address %{hostip}, router ID %{fld2}) on %{p0}"); + +var part1238 = // "Pattern{Constant(''), Field(interface,true), Constant(' forcing the interface to drop the packet.')}" +match("MESSAGE#733:00206:02/2", "nwparser.p0", "%{interface->} forcing the interface to drop the packet."); + +var all259 = all_match({ + processors: [ + part1237, + dup354, + part1238, + ], + on_success: processor_chain([ + dup275, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg743 = msg("00206:02", all259); + +var part1239 = // "Pattern{Constant('Link State Advertisement Id '), Field(fld2,false), Constant(', router ID '), Field(fld3,false), Constant(', type '), Field(fld4,true), Constant(' cannot be deleted from the real-time database in area '), Field(fld5,false)}" +match("MESSAGE#734:00206:03", "nwparser.payload", "Link State Advertisement Id %{fld2}, router ID %{fld3}, type %{fld4->} cannot be deleted from the real-time database in area %{fld5}", processor_chain([ + dup275, + dup2, + dup3, + dup4, + dup5, +])); + +var msg744 = msg("00206:03", part1239); + +var part1240 = // "Pattern{Constant('Reject second OSPF neighbor ('), Field(fld2,false), Constant(') on interface ('), Field(interface,false), Constant(') since it_s configured as point-to-point interface')}" +match("MESSAGE#735:00206:04", "nwparser.payload", "Reject second OSPF neighbor (%{fld2}) on interface (%{interface}) since it_s configured as point-to-point interface", processor_chain([ + dup275, + dup2, + dup3, + dup4, + dup5, +])); + +var msg745 = msg("00206:04", part1240); + +var select285 = linear_select([ + msg741, + msg742, + msg743, + msg744, + msg745, +]); + +var part1241 = // "Pattern{Constant('System wide RIP route limit exceeded, RIP route dropped.'), Field(,false)}" +match("MESSAGE#736:00207", "nwparser.payload", "System wide RIP route limit exceeded, RIP route dropped.%{}", processor_chain([ + dup275, + dup2, + dup3, + dup4, + dup5, +])); + +var msg746 = msg("00207", part1241); + +var part1242 = // "Pattern{Field(fld2,true), Constant(' RIP routes dropped from last system wide RIP route limit exceed.')}" +match("MESSAGE#737:00207:01", "nwparser.payload", "%{fld2->} RIP routes dropped from last system wide RIP route limit exceed.", processor_chain([ + dup275, + dup2, + dup3, + dup4, + dup5, +])); + +var msg747 = msg("00207:01", part1242); + +var part1243 = // "Pattern{Constant('RIP database size limit exceeded for '), Field(fld2,false), Constant(', RIP route dropped.')}" +match("MESSAGE#738:00207:02", "nwparser.payload", "RIP database size limit exceeded for %{fld2}, RIP route dropped.", processor_chain([ + dup275, + dup2, + dup3, + dup4, + dup5, +])); + +var msg748 = msg("00207:02", part1243); + +var part1244 = // "Pattern{Field(fld2,true), Constant(' RIP routes dropped from the last database size exceed in vr '), Field(fld3,false), Constant('.')}" +match("MESSAGE#739:00207:03", "nwparser.payload", "%{fld2->} RIP routes dropped from the last database size exceed in vr %{fld3}.", processor_chain([ + dup275, + dup2, + dup3, + dup4, + dup5, +])); + +var msg749 = msg("00207:03", part1244); + +var select286 = linear_select([ + msg746, + msg747, + msg748, + msg749, +]); + +var part1245 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction=outgoing action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' translated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,false)}" +match("MESSAGE#740:00257", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup187, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup61, + dup278, + dup279, + dup280, +])); + +var msg750 = msg("00257", part1245); + +var part1246 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction=incoming action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' translated ip='), Field(dtransaddr,true), Constant(' port='), Field(dtransport,false)}" +match("MESSAGE#741:00257:14", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ + dup187, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup281, + dup278, + dup279, + dup282, +])); + +var msg751 = msg("00257:14", part1246); + +var part1247 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction=outgoing action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' translated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,false)}" +match("MESSAGE#742:00257:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=outgoing action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup61, + dup284, + dup280, +])); + +var msg752 = msg("00257:01", part1247); + +var part1248 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction=incoming action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' translated ip='), Field(dtransaddr,true), Constant(' port='), Field(dtransport,false)}" +match("MESSAGE#743:00257:15", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=incoming action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} translated ip=%{dtransaddr->} port=%{dtransport}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup281, + dup284, + dup282, +])); + +var msg753 = msg("00257:15", part1248); + +var part1249 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" +match("MESSAGE#744:00257:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup187, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup61, + dup278, + dup279, +])); + +var msg754 = msg("00257:02", part1249); + +var part1250 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" +match("MESSAGE#745:00257:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup61, + dup284, +])); + +var msg755 = msg("00257:03", part1250); + +var part1251 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,false)}" +match("MESSAGE#746:00257:04", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport}", processor_chain([ + dup187, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup61, + dup278, + dup279, +])); + +var msg756 = msg("00257:04", part1251); + +var part1252 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,true), Constant(' dst-xlated ip='), Field(dtransaddr,true), Constant(' port='), Field(dtransport,true), Constant(' session_id='), Field(sessionid,true), Constant(' reason='), Field(result,false)}" +match("MESSAGE#747:00257:05", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid->} reason=%{result}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup61, + dup284, +])); + +var msg757 = msg("00257:05", part1252); + +var part1253 = // "Pattern{Field(,false), Constant('duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,true), Constant(' icmp code='), Field(icmpcode,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' dst-xlated ip='), Field(dtransaddr,true), Constant(' session_id='), Field(sessionid,true), Constant(' reason='), Field(result,false)}" +match("MESSAGE#748:00257:19/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} icmp code=%{icmpcode->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid->} reason=%{result}"); + +var all260 = all_match({ + processors: [ + dup285, + dup396, + part1253, + ], + on_success: processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup60, + dup284, + ]), +}); + +var msg758 = msg("00257:19", all260); + +var part1254 = // "Pattern{Field(,false), Constant('duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' dst-xlated ip='), Field(dtransaddr,true), Constant(' session_id='), Field(sessionid,false)}" +match("MESSAGE#749:00257:16/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype->} src-xlated ip=%{stransaddr->} dst-xlated ip=%{dtransaddr->} session_id=%{sessionid}"); + +var all261 = all_match({ + processors: [ + dup285, + dup396, + part1254, + ], + on_success: processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup60, + dup284, + ]), +}); + +var msg759 = msg("00257:16", all261); + +var part1255 = // "Pattern{Field(,false), Constant('duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,true), Constant(' dst-xlated ip='), Field(dtransaddr,true), Constant(' port='), Field(dtransport,true), Constant(' session_id='), Field(sessionid,false)}" +match("MESSAGE#750:00257:17/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} dst-xlated ip=%{dtransaddr->} port=%{dtransport->} session_id=%{sessionid}"); + +var all262 = all_match({ + processors: [ + dup285, + dup396, + part1255, + ], + on_success: processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup61, + dup284, + ]), +}); + +var msg760 = msg("00257:17", all262); + +var part1256 = // "Pattern{Field(,false), Constant('duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,true), Constant(' src-xlated ip='), Field(stransaddr,true), Constant(' port='), Field(stransport,true), Constant(' session_id='), Field(sessionid,false)}" +match("MESSAGE#751:00257:18/2", "nwparser.p0", "%{}duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport->} src-xlated ip=%{stransaddr->} port=%{stransport->} session_id=%{sessionid}"); + +var all263 = all_match({ + processors: [ + dup285, + dup396, + part1256, + ], + on_success: processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup61, + dup284, + ]), +}); + +var msg761 = msg("00257:18", all263); + +var part1257 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(p0,false)}" +match("MESSAGE#752:00257:06/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{p0}"); + +var part1258 = // "Pattern{Field(dport,true), Constant(' session_id='), Field(sessionid,false)}" +match("MESSAGE#752:00257:06/1_0", "nwparser.p0", "%{dport->} session_id=%{sessionid}"); + +var part1259 = // "Pattern{Field(dport,false)}" +match_copy("MESSAGE#752:00257:06/1_1", "nwparser.p0", "dport"); + +var select287 = linear_select([ + part1258, + part1259, +]); + +var all264 = all_match({ + processors: [ + part1257, + select287, + ], + on_success: processor_chain([ + dup187, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup61, + dup278, + dup279, + ]), +}); + +var msg762 = msg("00257:06", all264); + +var part1260 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" +match("MESSAGE#753:00257:07", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup61, + dup284, +])); + +var msg763 = msg("00257:07", part1260); + +var part1261 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' tcp='), Field(icmptype,false)}" +match("MESSAGE#754:00257:08", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} tcp=%{icmptype}", processor_chain([ + dup187, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup60, + dup278, + dup279, +])); + +var msg764 = msg("00257:08", part1261); + +var part1262 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(p0,false)}" +match("MESSAGE#755:00257:09/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{p0}"); + +var part1263 = // "Pattern{Field(icmptype,true), Constant(' icmp code='), Field(icmpcode,true), Constant(' session_id='), Field(sessionid,true), Constant(' reason='), Field(result,false)}" +match("MESSAGE#755:00257:09/1_0", "nwparser.p0", "%{icmptype->} icmp code=%{icmpcode->} session_id=%{sessionid->} reason=%{result}"); + +var part1264 = // "Pattern{Field(icmptype,true), Constant(' session_id='), Field(sessionid,false)}" +match("MESSAGE#755:00257:09/1_1", "nwparser.p0", "%{icmptype->} session_id=%{sessionid}"); + +var part1265 = // "Pattern{Field(icmptype,false)}" +match_copy("MESSAGE#755:00257:09/1_2", "nwparser.p0", "icmptype"); + +var select288 = linear_select([ + part1263, + part1264, + part1265, +]); + +var all265 = all_match({ + processors: [ + part1262, + select288, + ], + on_success: processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup60, + dup284, + ]), +}); + +var msg765 = msg("00257:09", all265); + +var part1266 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(p0,false)}" +match("MESSAGE#756:00257:10/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); + +var part1267 = // "Pattern{Field(daddr,true), Constant(' session_id='), Field(sessionid,false)}" +match("MESSAGE#756:00257:10/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid}"); + +var select289 = linear_select([ + part1267, + dup288, +]); + +var all266 = all_match({ + processors: [ + part1266, + select289, + ], + on_success: processor_chain([ + dup187, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup60, + dup278, + dup279, + ]), +}); + +var msg766 = msg("00257:10", all266); + +var part1268 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(p0,false)}" +match("MESSAGE#757:00257:11/0", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{p0}"); + +var part1269 = // "Pattern{Field(daddr,true), Constant(' session_id='), Field(sessionid,true), Constant(' reason='), Field(result,false)}" +match("MESSAGE#757:00257:11/1_0", "nwparser.p0", "%{daddr->} session_id=%{sessionid->} reason=%{result}"); + +var select290 = linear_select([ + part1269, + dup288, +]); + +var all267 = all_match({ + processors: [ + part1268, + select290, + ], + on_success: processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup60, + dup284, + ]), +}); + +var msg767 = msg("00257:11", all267); + +var part1270 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' type='), Field(fld3,false)}" +match("MESSAGE#758:00257:12", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} type=%{fld3}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + dup276, + dup277, + dup60, + dup284, +])); + +var msg768 = msg("00257:12", part1270); + +var part1271 = // "Pattern{Constant('start_time="'), Field(fld2,false)}" +match("MESSAGE#759:00257:13", "nwparser.payload", "start_time=\"%{fld2}", processor_chain([ + dup283, + dup2, + dup3, + dup276, + dup4, + dup5, +])); + +var msg769 = msg("00257:13", part1271); + +var select291 = linear_select([ + msg750, + msg751, + msg752, + msg753, + msg754, + msg755, + msg756, + msg757, + msg758, + msg759, + msg760, + msg761, + msg762, + msg763, + msg764, + msg765, + msg766, + msg767, + msg768, + msg769, +]); + +var part1272 = // "Pattern{Constant('user '), Field(username,true), Constant(' has logged on via '), Field(p0,false)}" +match("MESSAGE#760:00259/1", "nwparser.p0", "user %{username->} has logged on via %{p0}"); + +var part1273 = // "Pattern{Constant('the console '), Field(p0,false)}" +match("MESSAGE#760:00259/2_0", "nwparser.p0", "the console %{p0}"); + +var select292 = linear_select([ + part1273, + dup291, + dup243, +]); + +var part1274 = // "Pattern{Constant('from '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#760:00259/3", "nwparser.p0", "from %{saddr}:%{sport}"); + +var all268 = all_match({ + processors: [ + dup397, + part1272, + select292, + part1274, + ], + on_success: processor_chain([ + dup28, + dup29, + dup30, + dup31, + dup32, + dup2, + dup4, + dup5, + dup3, + ]), +}); + +var msg770 = msg("00259", all268); + +var part1275 = // "Pattern{Constant('user '), Field(administrator,true), Constant(' has logged out via '), Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#761:00259:07/1", "nwparser.p0", "user %{administrator->} has logged out via %{logon_type->} from %{saddr}:%{sport}"); + +var all269 = all_match({ + processors: [ + dup397, + part1275, + ], + on_success: processor_chain([ + dup33, + dup29, + dup34, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg771 = msg("00259:07", all269); + +var part1276 = // "Pattern{Constant('Management session via '), Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' for [vsys] admin '), Field(administrator,true), Constant(' has timed out')}" +match("MESSAGE#762:00259:01", "nwparser.payload", "Management session via %{logon_type->} from %{saddr}:%{sport->} for [vsys] admin %{administrator->} has timed out", processor_chain([ + dup292, + dup2, + dup3, + dup4, + dup5, +])); + +var msg772 = msg("00259:01", part1276); + +var part1277 = // "Pattern{Constant('Management session via '), Field(logon_type,true), Constant(' for [ vsys ] admin '), Field(administrator,true), Constant(' has timed out')}" +match("MESSAGE#763:00259:02", "nwparser.payload", "Management session via %{logon_type->} for [ vsys ] admin %{administrator->} has timed out", processor_chain([ + dup292, + dup2, + dup3, + dup4, + dup5, +])); + +var msg773 = msg("00259:02", part1277); + +var part1278 = // "Pattern{Constant('Login attempt to system by admin '), Field(administrator,true), Constant(' via the '), Field(logon_type,true), Constant(' has failed')}" +match("MESSAGE#764:00259:03", "nwparser.payload", "Login attempt to system by admin %{administrator->} via the %{logon_type->} has failed", processor_chain([ + dup208, + dup29, + dup30, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, +])); + +var msg774 = msg("00259:03", part1278); + +var part1279 = // "Pattern{Constant('Login attempt to system by admin '), Field(administrator,true), Constant(' via '), Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has failed')}" +match("MESSAGE#765:00259:04", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{logon_type->} from %{saddr}:%{sport->} has failed", processor_chain([ + dup208, + dup29, + dup30, + dup31, + dup54, + dup2, + dup3, + dup4, + dup5, +])); + +var msg775 = msg("00259:04", part1279); + +var part1280 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been forced to log out of the '), Field(p0,false)}" +match("MESSAGE#766:00259:05/0", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the %{p0}"); + +var part1281 = // "Pattern{Constant('Web '), Field(p0,false)}" +match("MESSAGE#766:00259:05/1_2", "nwparser.p0", "Web %{p0}"); + +var select293 = linear_select([ + dup243, + dup291, + part1281, +]); + +var part1282 = // "Pattern{Constant('session on host '), Field(daddr,false), Constant(':'), Field(dport,false)}" +match("MESSAGE#766:00259:05/2", "nwparser.p0", "session on host %{daddr}:%{dport}"); + +var all270 = all_match({ + processors: [ + part1280, + select293, + part1282, + ], + on_success: processor_chain([ + dup292, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg776 = msg("00259:05", all270); + +var part1283 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been forced to log out of the serial console session.')}" +match("MESSAGE#767:00259:06", "nwparser.payload", "Admin user %{administrator->} has been forced to log out of the serial console session.", processor_chain([ + dup292, + dup2, + dup3, + dup4, + dup5, +])); + +var msg777 = msg("00259:06", part1283); + +var select294 = linear_select([ + msg770, + msg771, + msg772, + msg773, + msg774, + msg775, + msg776, + msg777, +]); + +var part1284 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been rejected via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" +match("MESSAGE#768:00262", "nwparser.payload", "Admin user %{administrator->} has been rejected via the %{logon_type->} server at %{hostip}", processor_chain([ + dup292, + dup2, + dup3, + dup4, + dup5, +])); + +var msg778 = msg("00262", part1284); + +var part1285 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been accepted via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" +match("MESSAGE#769:00263", "nwparser.payload", "Admin user %{administrator->} has been accepted via the %{logon_type->} server at %{hostip}", processor_chain([ + setc("eventcategory","1401050100"), + dup2, + dup3, + dup4, + dup5, +])); + +var msg779 = msg("00263", part1285); + +var part1286 = // "Pattern{Constant('ActiveX control '), Field(p0,false)}" +match("MESSAGE#770:00400/0_0", "nwparser.payload", "ActiveX control %{p0}"); + +var part1287 = // "Pattern{Constant('JAVA applet '), Field(p0,false)}" +match("MESSAGE#770:00400/0_1", "nwparser.payload", "JAVA applet %{p0}"); + +var part1288 = // "Pattern{Constant('EXE file '), Field(p0,false)}" +match("MESSAGE#770:00400/0_2", "nwparser.payload", "EXE file %{p0}"); + +var part1289 = // "Pattern{Constant('ZIP file '), Field(p0,false)}" +match("MESSAGE#770:00400/0_3", "nwparser.payload", "ZIP file %{p0}"); + +var select295 = linear_select([ + part1286, + part1287, + part1288, + part1289, +]); + +var part1290 = // "Pattern{Constant('has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('. '), Field(info,false)}" +match("MESSAGE#770:00400/1", "nwparser.p0", "has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{dinterface->} in zone %{dst_zone}. %{info}"); + +var all271 = all_match({ + processors: [ + select295, + part1290, + ], + on_success: processor_chain([ + setc("eventcategory","1003000000"), + dup2, + dup4, + dup5, + dup3, + dup61, + ]), +}); + +var msg780 = msg("00400", all271); + +var part1291 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). '), Field(info,false)}" +match("MESSAGE#771:00401", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ + dup85, + dup2, + dup4, + dup5, + dup3, + dup293, +])); + +var msg781 = msg("00401", part1291); + +var part1292 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). '), Field(info,false)}" +match("MESSAGE#772:00402", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ + dup85, + dup2, + dup4, + dup5, + dup3, + dup294, +])); + +var msg782 = msg("00402", part1292); + +var part1293 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at '), Field(p0,false)}" +match("MESSAGE#773:00402:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at %{p0}"); + +var part1294 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' in zone '), Field(zone,false), Constant('. '), Field(info,false)}" +match("MESSAGE#773:00402:01/2", "nwparser.p0", "%{} %{interface->} in zone %{zone}. %{info}"); + +var all272 = all_match({ + processors: [ + part1293, + dup339, + part1294, + ], + on_success: processor_chain([ + dup85, + dup2, + dup4, + dup5, + dup3, + dup294, + ]), +}); + +var msg783 = msg("00402:01", all272); + +var select296 = linear_select([ + msg782, + msg783, +]); + +var part1295 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). '), Field(info,false)}" +match("MESSAGE#774:00403", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ + dup85, + dup2, + dup4, + dup5, + dup3, + dup293, +])); + +var msg784 = msg("00403", part1295); + +var part1296 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). '), Field(info,false)}" +match("MESSAGE#775:00404", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ + dup147, + dup148, + dup149, + dup150, + dup2, + dup4, + dup5, + dup3, + dup294, +])); + +var msg785 = msg("00404", part1296); + +var part1297 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). '), Field(info,false)}" +match("MESSAGE#776:00405", "nwparser.payload", "%{signame}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). %{info}", processor_chain([ + dup147, + dup2, + dup4, + dup5, + dup3, + dup293, +])); + +var msg786 = msg("00405", part1297); + +var msg787 = msg("00406", dup416); + +var msg788 = msg("00407", dup416); + +var msg789 = msg("00408", dup416); + +var all273 = all_match({ + processors: [ + dup132, + dup345, + dup295, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup60, + ]), +}); + +var msg790 = msg("00409", all273); + +var msg791 = msg("00410", dup416); + +var part1298 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" +match("MESSAGE#782:00410:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup60, +])); + +var msg792 = msg("00410:01", part1298); + +var select297 = linear_select([ + msg791, + msg792, +]); + +var part1299 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto TCP (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#783:00411/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto TCP (zone %{zone->} %{p0}"); + +var all274 = all_match({ + processors: [ + part1299, + dup345, + dup295, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), +}); + +var msg793 = msg("00411", all274); + +var part1300 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at '), Field(p0,false)}" +match("MESSAGE#784:00413/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at %{p0}"); + +var part1301 = // "Pattern{Field(,true), Constant(' '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#784:00413/2", "nwparser.p0", "%{} %{interface}.%{space}The attack occurred %{dclass_counter1->} times"); + +var all275 = all_match({ + processors: [ + part1300, + dup339, + part1301, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), +}); + +var msg794 = msg("00413", all275); + +var part1302 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,false), Constant('(zone '), Field(group,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#785:00413:01/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}(zone %{group->} %{p0}"); + +var all276 = all_match({ + processors: [ + part1302, + dup345, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup61, + ]), +}); + +var msg795 = msg("00413:01", all276); + +var part1303 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#786:00413:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup59, + dup5, + dup9, +])); + +var msg796 = msg("00413:02", part1303); + +var select298 = linear_select([ + msg794, + msg795, + msg796, +]); + +var part1304 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant(', int '), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#787:00414", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}, int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, +])); + +var msg797 = msg("00414", part1304); + +var part1305 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#788:00414:01", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup3, + dup59, + dup4, + dup5, + dup9, +])); + +var msg798 = msg("00414:01", part1305); + +var select299 = linear_select([ + msg797, + msg798, +]); + +var part1306 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#789:00415", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, +])); + +var msg799 = msg("00415", part1306); + +var all277 = all_match({ + processors: [ + dup132, + dup345, + dup296, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup60, + ]), +}); + +var msg800 = msg("00423", all277); + +var all278 = all_match({ + processors: [ + dup80, + dup345, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup60, + ]), +}); + +var msg801 = msg("00429", all278); + +var all279 = all_match({ + processors: [ + dup132, + dup345, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup60, + ]), +}); + +var msg802 = msg("00429:01", all279); + +var select300 = linear_select([ + msg801, + msg802, +]); + +var all280 = all_match({ + processors: [ + dup80, + dup345, + dup297, + dup353, + ], + on_success: processor_chain([ + dup85, + dup2, + dup59, + dup3, + dup9, + dup4, + dup5, + dup61, + ]), +}); + +var msg803 = msg("00430", all280); + +var all281 = all_match({ + processors: [ + dup132, + dup345, + dup297, + dup353, + ], + on_success: processor_chain([ + dup85, + dup2, + dup59, + dup3, + dup9, + dup4, + dup5, + dup60, + ]), +}); + +var msg804 = msg("00430:01", all281); + +var select301 = linear_select([ + msg803, + msg804, +]); + +var msg805 = msg("00431", dup417); + +var msg806 = msg("00432", dup417); + +var msg807 = msg("00433", dup418); + +var msg808 = msg("00434", dup418); + +var msg809 = msg("00435", dup398); + +var all282 = all_match({ + processors: [ + dup132, + dup345, + dup296, + ], + on_success: processor_chain([ + dup58, + dup2, + dup4, + dup59, + dup5, + dup3, + dup60, + ]), +}); + +var msg810 = msg("00435:01", all282); + +var select302 = linear_select([ + msg809, + msg810, +]); + +var msg811 = msg("00436", dup398); + +var all283 = all_match({ + processors: [ + dup64, + dup340, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup9, + dup4, + dup5, + dup3, + dup60, + ]), +}); + +var msg812 = msg("00436:01", all283); + +var select303 = linear_select([ + msg811, + msg812, +]); + +var part1307 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#803:00437", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, +])); + +var msg813 = msg("00437", part1307); + +var all284 = all_match({ + processors: [ + dup301, + dup340, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + dup9, + ]), +}); + +var msg814 = msg("00437:01", all284); + +var part1308 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#805:00437:02", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + dup9, +])); + +var msg815 = msg("00437:02", part1308); + +var select304 = linear_select([ + msg813, + msg814, + msg815, +]); + +var part1309 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' using protocol '), Field(protocol,true), Constant(' and arriving at interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times')}" +match("MESSAGE#806:00438", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport->} using protocol %{protocol->} and arriving at interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, +])); + +var msg816 = msg("00438", part1309); + +var part1310 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', on zone '), Field(zone,true), Constant(' interface '), Field(interface,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" +match("MESSAGE#807:00438:01", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, on zone %{zone->} interface %{interface}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, +])); + +var msg817 = msg("00438:01", part1310); + +var all285 = all_match({ + processors: [ + dup301, + dup340, + dup67, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup61, + ]), +}); + +var msg818 = msg("00438:02", all285); + +var select305 = linear_select([ + msg816, + msg817, + msg818, +]); + +var part1311 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#809:00440", "nwparser.payload", "%{signame->} has been detected! From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup9, + dup60, +])); + +var msg819 = msg("00440", part1311); + +var part1312 = // "Pattern{Field(signame,true), Constant(' has been detected! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" +match("MESSAGE#810:00440:02", "nwparser.payload", "%{signame->} has been detected! From %{saddr}:%{sport->} to %{daddr}:%{dport}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup61, +])); + +var msg820 = msg("00440:02", part1312); + +var all286 = all_match({ + processors: [ + dup241, + dup345, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup9, + dup61, + ]), +}); + +var msg821 = msg("00440:01", all286); + +var part1313 = // "Pattern{Constant('Fragmented traffic! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(group,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#812:00440:03/0", "nwparser.payload", "Fragmented traffic! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{group->} %{p0}"); + +var all287 = all_match({ + processors: [ + part1313, + dup345, + dup83, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup9, + dup60, + ]), +}); + +var msg822 = msg("00440:03", all287); + +var select306 = linear_select([ + msg819, + msg820, + msg821, + msg822, +]); + +var part1314 = // "Pattern{Field(signame,true), Constant(' id='), Field(fld2,false), Constant('! From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#813:00441", "nwparser.payload", "%{signame->} id=%{fld2}! From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup4, + dup59, + dup5, + dup9, + dup2, + dup3, + dup60, +])); + +var msg823 = msg("00441", part1314); + +var msg824 = msg("00442", dup399); + +var msg825 = msg("00443", dup399); + +var part1315 = // "Pattern{Constant('admin '), Field(administrator,true), Constant(' issued command '), Field(fld2,true), Constant(' to redirect output.')}" +match("MESSAGE#816:00511", "nwparser.payload", "admin %{administrator->} issued command %{fld2->} to redirect output.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg826 = msg("00511", part1315); + +var part1316 = // "Pattern{Constant('All System Config saved by admin '), Field(p0,false)}" +match("MESSAGE#817:00511:01/0", "nwparser.payload", "All System Config saved by admin %{p0}"); + +var all288 = all_match({ + processors: [ + part1316, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg827 = msg("00511:01", all288); + +var part1317 = // "Pattern{Constant('All logged events or alarms are cleared by admin '), Field(administrator,false), Constant('.')}" +match("MESSAGE#818:00511:02", "nwparser.payload", "All logged events or alarms are cleared by admin %{administrator}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg828 = msg("00511:02", part1317); + +var part1318 = // "Pattern{Constant('Get new software from flash to slot (file: '), Field(fld2,false), Constant(') by admin '), Field(p0,false)}" +match("MESSAGE#819:00511:03/0", "nwparser.payload", "Get new software from flash to slot (file: %{fld2}) by admin %{p0}"); + +var all289 = all_match({ + processors: [ + part1318, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg829 = msg("00511:03", all289); + +var part1319 = // "Pattern{Constant('Get new software from '), Field(hostip,true), Constant(' (file: '), Field(fld2,false), Constant(') to slot (file: '), Field(fld3,false), Constant(') by admin '), Field(p0,false)}" +match("MESSAGE#820:00511:04/0", "nwparser.payload", "Get new software from %{hostip->} (file: %{fld2}) to slot (file: %{fld3}) by admin %{p0}"); + +var all290 = all_match({ + processors: [ + part1319, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg830 = msg("00511:04", all290); + +var part1320 = // "Pattern{Constant('Get new software to '), Field(hostip,true), Constant(' (file: '), Field(fld2,false), Constant(') by admin '), Field(p0,false)}" +match("MESSAGE#821:00511:05/0", "nwparser.payload", "Get new software to %{hostip->} (file: %{fld2}) by admin %{p0}"); + +var all291 = all_match({ + processors: [ + part1320, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg831 = msg("00511:05", all291); + +var part1321 = // "Pattern{Constant('Log setting is modified by admin '), Field(p0,false)}" +match("MESSAGE#822:00511:06/0", "nwparser.payload", "Log setting is modified by admin %{p0}"); + +var all292 = all_match({ + processors: [ + part1321, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg832 = msg("00511:06", all292); + +var part1322 = // "Pattern{Constant('Save configuration to '), Field(hostip,true), Constant(' (file: '), Field(fld2,false), Constant(') by admin '), Field(p0,false)}" +match("MESSAGE#823:00511:07/0", "nwparser.payload", "Save configuration to %{hostip->} (file: %{fld2}) by admin %{p0}"); + +var all293 = all_match({ + processors: [ + part1322, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg833 = msg("00511:07", all293); + +var part1323 = // "Pattern{Constant('Save new software from slot (file: '), Field(fld2,false), Constant(') to flash by admin '), Field(p0,false)}" +match("MESSAGE#824:00511:08/0", "nwparser.payload", "Save new software from slot (file: %{fld2}) to flash by admin %{p0}"); + +var all294 = all_match({ + processors: [ + part1323, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg834 = msg("00511:08", all294); + +var part1324 = // "Pattern{Constant('Save new software from '), Field(hostip,true), Constant(' (file: '), Field(result,false), Constant(') to flash by admin '), Field(p0,false)}" +match("MESSAGE#825:00511:09/0", "nwparser.payload", "Save new software from %{hostip->} (file: %{result}) to flash by admin %{p0}"); + +var all295 = all_match({ + processors: [ + part1324, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg835 = msg("00511:09", all295); + +var part1325 = // "Pattern{Constant('System Config from flash to slot - '), Field(fld2,true), Constant(' by admin '), Field(p0,false)}" +match("MESSAGE#826:00511:10/0", "nwparser.payload", "System Config from flash to slot - %{fld2->} by admin %{p0}"); + +var all296 = all_match({ + processors: [ + part1325, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg836 = msg("00511:10", all296); + +var part1326 = // "Pattern{Constant('System Config load from '), Field(hostip,true), Constant(' (file '), Field(fld2,false), Constant(') to slot - '), Field(fld3,true), Constant(' by admin '), Field(p0,false)}" +match("MESSAGE#827:00511:11/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) to slot - %{fld3->} by admin %{p0}"); + +var all297 = all_match({ + processors: [ + part1326, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg837 = msg("00511:11", all297); + +var part1327 = // "Pattern{Constant('System Config load from '), Field(hostip,true), Constant(' (file '), Field(fld2,false), Constant(') by admin '), Field(p0,false)}" +match("MESSAGE#828:00511:12/0", "nwparser.payload", "System Config load from %{hostip->} (file %{fld2}) by admin %{p0}"); + +var all298 = all_match({ + processors: [ + part1327, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg838 = msg("00511:12", all298); + +var part1328 = // "Pattern{Constant('The system configuration was loaded from the slot by admin '), Field(p0,false)}" +match("MESSAGE#829:00511:13/0", "nwparser.payload", "The system configuration was loaded from the slot by admin %{p0}"); + +var all299 = all_match({ + processors: [ + part1328, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg839 = msg("00511:13", all299); + +var part1329 = // "Pattern{Constant('FIPS: Attempt to set RADIUS shared secret with invalid length '), Field(fld2,false)}" +match("MESSAGE#830:00511:14", "nwparser.payload", "FIPS: Attempt to set RADIUS shared secret with invalid length %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg840 = msg("00511:14", part1329); + +var select307 = linear_select([ + msg826, + msg827, + msg828, + msg829, + msg830, + msg831, + msg832, + msg833, + msg834, + msg835, + msg836, + msg837, + msg838, + msg839, + msg840, +]); + +var part1330 = // "Pattern{Constant('The physical state of '), Field(p0,false)}" +match("MESSAGE#831:00513/0", "nwparser.payload", "The physical state of %{p0}"); + +var part1331 = // "Pattern{Constant('the Interface '), Field(p0,false)}" +match("MESSAGE#831:00513/1_1", "nwparser.p0", "the Interface %{p0}"); + +var select308 = linear_select([ + dup123, + part1331, + dup122, +]); + +var part1332 = // "Pattern{Constant(''), Field(interface,true), Constant(' has changed to '), Field(p0,false)}" +match("MESSAGE#831:00513/2", "nwparser.p0", "%{interface->} has changed to %{p0}"); + +var part1333 = // "Pattern{Field(result,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#831:00513/3_0", "nwparser.p0", "%{result}. (%{fld1})"); + +var part1334 = // "Pattern{Field(result,false)}" +match_copy("MESSAGE#831:00513/3_1", "nwparser.p0", "result"); + +var select309 = linear_select([ + part1333, + part1334, +]); + +var all300 = all_match({ + processors: [ + part1330, + select308, + part1332, + select309, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + dup9, + ]), +}); + +var msg841 = msg("00513", all300); + +var part1335 = // "Pattern{Constant('Vsys Admin '), Field(p0,false)}" +match("MESSAGE#832:00515/0_0", "nwparser.payload", "Vsys Admin %{p0}"); + +var select310 = linear_select([ + part1335, + dup289, +]); + +var part1336 = // "Pattern{Constant(''), Field(administrator,true), Constant(' has logged on via the '), Field(logon_type,true), Constant(' ( HTTP'), Field(p0,false)}" +match("MESSAGE#832:00515/1", "nwparser.p0", "%{administrator->} has logged on via the %{logon_type->} ( HTTP%{p0}"); + +var part1337 = // "Pattern{Constant('S'), Field(p0,false)}" +match("MESSAGE#832:00515/2_1", "nwparser.p0", "S%{p0}"); + +var select311 = linear_select([ + dup96, + part1337, +]); + +var part1338 = // "Pattern{Field(,false), Constant(') to port '), Field(interface,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#832:00515/3", "nwparser.p0", "%{}) to port %{interface->} from %{saddr}:%{sport}"); + +var all301 = all_match({ + processors: [ + select310, + part1336, + select311, + part1338, + ], + on_success: processor_chain([ + dup303, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg842 = msg("00515", all301); + +var part1339 = // "Pattern{Constant('Login attempt to system by admin '), Field(administrator,true), Constant(' via '), Field(p0,false)}" +match("MESSAGE#833:00515:01/0", "nwparser.payload", "Login attempt to system by admin %{administrator->} via %{p0}"); + +var part1340 = // "Pattern{Constant('the '), Field(logon_type,true), Constant(' has failed '), Field(p0,false)}" +match("MESSAGE#833:00515:01/1_0", "nwparser.p0", "the %{logon_type->} has failed %{p0}"); + +var part1341 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has failed '), Field(p0,false)}" +match("MESSAGE#833:00515:01/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} has failed %{p0}"); + +var select312 = linear_select([ + part1340, + part1341, +]); + +var part1342 = // "Pattern{Field(fld2,false)}" +match_copy("MESSAGE#833:00515:01/2", "nwparser.p0", "fld2"); + +var all302 = all_match({ + processors: [ + part1339, + select312, + part1342, + ], + on_success: processor_chain([ + dup208, + dup29, + dup30, + dup31, + dup54, + dup2, + dup4, + dup5, + dup304, + dup3, + ]), +}); + +var msg843 = msg("00515:01", all302); + +var part1343 = // "Pattern{Constant('Management session via '), Field(p0,false)}" +match("MESSAGE#834:00515:02/0", "nwparser.payload", "Management session via %{p0}"); + +var part1344 = // "Pattern{Constant('the '), Field(logon_type,true), Constant(' for '), Field(p0,false)}" +match("MESSAGE#834:00515:02/1_0", "nwparser.p0", "the %{logon_type->} for %{p0}"); + +var part1345 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' for '), Field(p0,false)}" +match("MESSAGE#834:00515:02/1_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} for %{p0}"); + +var select313 = linear_select([ + part1344, + part1345, +]); + +var part1346 = // "Pattern{Constant('[vsys] admin '), Field(p0,false)}" +match("MESSAGE#834:00515:02/2_0", "nwparser.p0", "[vsys] admin %{p0}"); + +var part1347 = // "Pattern{Constant('vsys admin '), Field(p0,false)}" +match("MESSAGE#834:00515:02/2_1", "nwparser.p0", "vsys admin %{p0}"); + +var select314 = linear_select([ + part1346, + part1347, + dup15, +]); + +var part1348 = // "Pattern{Constant(''), Field(administrator,true), Constant(' has timed out')}" +match("MESSAGE#834:00515:02/3", "nwparser.p0", "%{administrator->} has timed out"); + +var all303 = all_match({ + processors: [ + part1343, + select313, + select314, + part1348, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg844 = msg("00515:02", all303); + +var part1349 = // "Pattern{Constant('[Vsys] '), Field(p0,false)}" +match("MESSAGE#835:00515:04/0_0", "nwparser.payload", "[Vsys] %{p0}"); + +var part1350 = // "Pattern{Constant('Vsys '), Field(p0,false)}" +match("MESSAGE#835:00515:04/0_1", "nwparser.payload", "Vsys %{p0}"); + +var select315 = linear_select([ + part1349, + part1350, +]); + +var part1351 = // "Pattern{Constant('Admin '), Field(administrator,true), Constant(' has logged o'), Field(p0,false)}" +match("MESSAGE#835:00515:04/1", "nwparser.p0", "Admin %{administrator->} has logged o%{p0}"); + +var part1352 = // "Pattern{Field(logon_type,false)}" +match_copy("MESSAGE#835:00515:04/4_1", "nwparser.p0", "logon_type"); + +var select316 = linear_select([ + dup306, + part1352, +]); + +var all304 = all_match({ + processors: [ + select315, + part1351, + dup401, + dup40, + select316, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg845 = msg("00515:04", all304); + +var part1353 = // "Pattern{Constant('Admin User '), Field(administrator,true), Constant(' has logged on via '), Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#836:00515:06", "nwparser.payload", "Admin User %{administrator->} has logged on via %{logon_type->} from %{saddr}:%{sport}", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg846 = msg("00515:06", part1353); + +var part1354 = // "Pattern{Field(,false), Constant('Admin '), Field(p0,false)}" +match("MESSAGE#837:00515:05/0", "nwparser.payload", "%{}Admin %{p0}"); + +var select317 = linear_select([ + dup307, + dup16, +]); + +var part1355 = // "Pattern{Constant(''), Field(administrator,true), Constant(' has logged o'), Field(p0,false)}" +match("MESSAGE#837:00515:05/2", "nwparser.p0", "%{administrator->} has logged o%{p0}"); + +var part1356 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld2,false), Constant(')')}" +match("MESSAGE#837:00515:05/5_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{fld2})"); + +var select318 = linear_select([ + dup308, + part1356, + dup306, +]); + +var all305 = all_match({ + processors: [ + part1354, + select317, + part1355, + dup401, + dup40, + select318, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg847 = msg("00515:05", all305); + +var part1357 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' login attempt for '), Field(logon_type,false), Constant('(http) management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' '), Field(disposition,false)}" +match("MESSAGE#838:00515:07", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(http) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg848 = msg("00515:07", part1357); + +var part1358 = // "Pattern{Field(fld2,true), Constant(' Admin User "'), Field(administrator,false), Constant('" logged in for '), Field(logon_type,false), Constant('(http'), Field(p0,false)}" +match("MESSAGE#839:00515:08/0", "nwparser.payload", "%{fld2->} Admin User \"%{administrator}\" logged in for %{logon_type}(http%{p0}"); + +var part1359 = // "Pattern{Constant(') '), Field(p0,false)}" +match("MESSAGE#839:00515:08/1_0", "nwparser.p0", ") %{p0}"); + +var part1360 = // "Pattern{Constant('s) '), Field(p0,false)}" +match("MESSAGE#839:00515:08/1_1", "nwparser.p0", "s) %{p0}"); + +var select319 = linear_select([ + part1359, + part1360, +]); + +var part1361 = // "Pattern{Constant('management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#839:00515:08/2", "nwparser.p0", "management (port %{network_port}) from %{saddr}:%{sport}"); + +var all306 = all_match({ + processors: [ + part1358, + select319, + part1361, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg849 = msg("00515:08", all306); + +var part1362 = // "Pattern{Constant('User '), Field(username,true), Constant(' telnet management session from ('), Field(saddr,false), Constant(':'), Field(sport,false), Constant(') timed out')}" +match("MESSAGE#840:00515:09", "nwparser.payload", "User %{username->} telnet management session from (%{saddr}:%{sport}) timed out", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg850 = msg("00515:09", part1362); + +var part1363 = // "Pattern{Constant('User '), Field(username,true), Constant(' logged out of telnet session from '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#841:00515:10", "nwparser.payload", "User %{username->} logged out of telnet session from %{saddr}:%{sport}", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg851 = msg("00515:10", part1363); + +var part1364 = // "Pattern{Constant('The session limit threshold has been set to '), Field(trigger_val,true), Constant(' on zone '), Field(zone,false), Constant('.')}" +match("MESSAGE#842:00515:11", "nwparser.payload", "The session limit threshold has been set to %{trigger_val->} on zone %{zone}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg852 = msg("00515:11", part1364); + +var part1365 = // "Pattern{Constant('[ Vsys ] Admin User "'), Field(administrator,false), Constant('" logged in for Web( http'), Field(p0,false)}" +match("MESSAGE#843:00515:12/0", "nwparser.payload", "[ Vsys ] Admin User \"%{administrator}\" logged in for Web( http%{p0}"); + +var part1366 = // "Pattern{Constant(') management (port '), Field(network_port,false), Constant(')')}" +match("MESSAGE#843:00515:12/2", "nwparser.p0", ") management (port %{network_port})"); + +var all307 = all_match({ + processors: [ + part1365, + dup402, + part1366, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg853 = msg("00515:12", all307); + +var select320 = linear_select([ + dup290, + dup289, +]); + +var part1367 = // "Pattern{Constant('user '), Field(administrator,true), Constant(' has logged o'), Field(p0,false)}" +match("MESSAGE#844:00515:13/1", "nwparser.p0", "user %{administrator->} has logged o%{p0}"); + +var select321 = linear_select([ + dup308, + dup306, +]); + +var all308 = all_match({ + processors: [ + select320, + part1367, + dup401, + dup40, + select321, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg854 = msg("00515:13", all308); + +var part1368 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been forced to log o'), Field(p0,false)}" +match("MESSAGE#845:00515:14/0_0", "nwparser.payload", "Admin user %{administrator->} has been forced to log o%{p0}"); + +var part1369 = // "Pattern{Field(username,true), Constant(' '), Field(fld1,true), Constant(' has been forced to log o'), Field(p0,false)}" +match("MESSAGE#845:00515:14/0_1", "nwparser.payload", "%{username->} %{fld1->} has been forced to log o%{p0}"); + +var select322 = linear_select([ + part1368, + part1369, +]); + +var part1370 = // "Pattern{Constant('of the '), Field(p0,false)}" +match("MESSAGE#845:00515:14/2", "nwparser.p0", "of the %{p0}"); + +var part1371 = // "Pattern{Constant('serial '), Field(logon_type,true), Constant(' session.')}" +match("MESSAGE#845:00515:14/3_0", "nwparser.p0", "serial %{logon_type->} session."); + +var part1372 = // "Pattern{Field(logon_type,true), Constant(' session on host '), Field(hostip,false), Constant(':'), Field(network_port,true), Constant(' ('), Field(event_time,false), Constant(')')}" +match("MESSAGE#845:00515:14/3_1", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port->} (%{event_time})"); + +var part1373 = // "Pattern{Field(logon_type,true), Constant(' session on host '), Field(hostip,false), Constant(':'), Field(network_port,false)}" +match("MESSAGE#845:00515:14/3_2", "nwparser.p0", "%{logon_type->} session on host %{hostip}:%{network_port}"); + +var select323 = linear_select([ + part1371, + part1372, + part1373, +]); + +var all309 = all_match({ + processors: [ + select322, + dup401, + part1370, + select323, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg855 = msg("00515:14", all309); + +var part1374 = // "Pattern{Field(fld2,false), Constant(': Admin User '), Field(administrator,true), Constant(' has logged o'), Field(p0,false)}" +match("MESSAGE#846:00515:15/0", "nwparser.payload", "%{fld2}: Admin User %{administrator->} has logged o%{p0}"); + +var part1375 = // "Pattern{Constant('the '), Field(logon_type,true), Constant(' ('), Field(p0,false)}" +match("MESSAGE#846:00515:15/3_0", "nwparser.p0", "the %{logon_type->} (%{p0}"); + +var part1376 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(p0,false)}" +match("MESSAGE#846:00515:15/3_1", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport->} (%{p0}"); + +var select324 = linear_select([ + part1375, + part1376, +]); + +var all310 = all_match({ + processors: [ + part1374, + dup401, + dup40, + select324, + dup41, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg856 = msg("00515:15", all310); + +var part1377 = // "Pattern{Field(fld2,false), Constant(': Admin '), Field(p0,false)}" +match("MESSAGE#847:00515:16/0_0", "nwparser.payload", "%{fld2}: Admin %{p0}"); + +var select325 = linear_select([ + part1377, + dup289, +]); + +var part1378 = // "Pattern{Constant('user '), Field(administrator,true), Constant(' attempt access to '), Field(url,true), Constant(' illegal from '), Field(logon_type,false), Constant('( http'), Field(p0,false)}" +match("MESSAGE#847:00515:16/1", "nwparser.p0", "user %{administrator->} attempt access to %{url->} illegal from %{logon_type}( http%{p0}"); + +var part1379 = // "Pattern{Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#847:00515:16/3", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}. (%{fld1})"); + +var all311 = all_match({ + processors: [ + select325, + part1378, + dup402, + part1379, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg857 = msg("00515:16", all311); + +var part1380 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" logged out for '), Field(logon_type,false), Constant('('), Field(p0,false)}" +match("MESSAGE#848:00515:17/0", "nwparser.payload", "Admin user \"%{administrator}\" logged out for %{logon_type}(%{p0}"); + +var part1381 = // "Pattern{Constant('https '), Field(p0,false)}" +match("MESSAGE#848:00515:17/1_0", "nwparser.p0", "https %{p0}"); + +var part1382 = // "Pattern{Constant(' http '), Field(p0,false)}" +match("MESSAGE#848:00515:17/1_1", "nwparser.p0", " http %{p0}"); + +var select326 = linear_select([ + part1381, + part1382, +]); + +var part1383 = // "Pattern{Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#848:00515:17/2", "nwparser.p0", ") management (port %{network_port}) from %{saddr}:%{sport}"); + +var all312 = all_match({ + processors: [ + part1380, + select326, + part1383, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg858 = msg("00515:17", all312); + +var part1384 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' login attempt for '), Field(logon_type,false), Constant('(https) management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#849:00515:18", "nwparser.payload", "Admin user %{administrator->} login attempt for %{logon_type}(https) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ + dup242, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg859 = msg("00515:18", part1384); + +var part1385 = // "Pattern{Constant('Vsys admin user '), Field(administrator,true), Constant(' logged on via '), Field(p0,false)}" +match("MESSAGE#850:00515:19/0", "nwparser.payload", "Vsys admin user %{administrator->} logged on via %{p0}"); + +var part1386 = // "Pattern{Field(logon_type,true), Constant(' from remote IP address '), Field(saddr,true), Constant(' using port '), Field(sport,false), Constant('. ('), Field(p0,false)}" +match("MESSAGE#850:00515:19/1_0", "nwparser.p0", "%{logon_type->} from remote IP address %{saddr->} using port %{sport}. (%{p0}"); + +var part1387 = // "Pattern{Constant('the console. ('), Field(p0,false)}" +match("MESSAGE#850:00515:19/1_1", "nwparser.p0", "the console. (%{p0}"); + +var select327 = linear_select([ + part1386, + part1387, +]); + +var all313 = all_match({ + processors: [ + part1385, + select327, + dup41, + ], + on_success: processor_chain([ + dup242, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg860 = msg("00515:19", all313); + +var part1388 = // "Pattern{Constant('netscreen: Management session via SCS from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' for admin netscreen has timed out ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#851:00515:20", "nwparser.payload", "netscreen: Management session via SCS from %{saddr}:%{sport->} for admin netscreen has timed out (%{fld1})", processor_chain([ + dup242, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg861 = msg("00515:20", part1388); + +var select328 = linear_select([ + msg842, + msg843, + msg844, + msg845, + msg846, + msg847, + msg848, + msg849, + msg850, + msg851, + msg852, + msg853, + msg854, + msg855, + msg856, + msg857, + msg858, + msg859, + msg860, + msg861, +]); + +var part1389 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' '), Field(fld1,false), Constant('at '), Field(saddr,true), Constant(' has been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" +match("MESSAGE#852:00518", "nwparser.payload", "Admin user %{administrator->} %{fld1}at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, +])); + +var msg862 = msg("00518", part1389); + +var part1390 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' has been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" +match("MESSAGE#853:00518:17", "nwparser.payload", "Admin user %{administrator->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, +])); + +var msg863 = msg("00518:17", part1390); + +var part1391 = // "Pattern{Constant('Local authentication for WebAuth user '), Field(username,true), Constant(' was '), Field(disposition,false)}" +match("MESSAGE#854:00518:01", "nwparser.payload", "Local authentication for WebAuth user %{username->} was %{disposition}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, +])); + +var msg864 = msg("00518:01", part1391); + +var part1392 = // "Pattern{Constant('Local authentication for user '), Field(username,true), Constant(' was '), Field(disposition,false)}" +match("MESSAGE#855:00518:02", "nwparser.payload", "Local authentication for user %{username->} was %{disposition}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, +])); + +var msg865 = msg("00518:02", part1392); + +var part1393 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' must enter "Next Code" for SecurID '), Field(hostip,false)}" +match("MESSAGE#856:00518:03", "nwparser.payload", "User %{username->} at %{saddr->} must enter \"Next Code\" for SecurID %{hostip}", processor_chain([ + dup205, + dup2, + dup3, + dup4, + dup5, +])); + +var msg866 = msg("00518:03", part1393); + +var part1394 = // "Pattern{Constant('WebAuth user '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' has been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" +match("MESSAGE#857:00518:04", "nwparser.payload", "WebAuth user %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup205, + dup2, + dup4, + dup5, + dup3, +])); + +var msg867 = msg("00518:04", part1394); + +var part1395 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' has been challenged via the '), Field(authmethod,true), Constant(' server at '), Field(hostip,true), Constant(' (Rejected since challenge is not supported for '), Field(logon_type,false), Constant(')')}" +match("MESSAGE#858:00518:05", "nwparser.payload", "User %{username->} at %{saddr->} has been challenged via the %{authmethod->} server at %{hostip->} (Rejected since challenge is not supported for %{logon_type})", processor_chain([ + dup205, + dup2, + dup4, + dup5, + dup3, +])); + +var msg868 = msg("00518:05", part1395); + +var part1396 = // "Pattern{Constant('Error in authentication for WebAuth user '), Field(username,false)}" +match("MESSAGE#859:00518:06", "nwparser.payload", "Error in authentication for WebAuth user %{username}", processor_chain([ + dup35, + dup29, + dup31, + dup54, + dup2, + dup4, + dup5, + dup3, +])); + +var msg869 = msg("00518:06", part1396); + +var part1397 = // "Pattern{Constant('Authentication for user '), Field(username,true), Constant(' was denied (long '), Field(p0,false)}" +match("MESSAGE#860:00518:07/0", "nwparser.payload", "Authentication for user %{username->} was denied (long %{p0}"); + +var part1398 = // "Pattern{Constant('username '), Field(p0,false)}" +match("MESSAGE#860:00518:07/1_1", "nwparser.p0", "username %{p0}"); + +var select329 = linear_select([ + dup24, + part1398, +]); + +var part1399 = // "Pattern{Constant(')'), Field(,false)}" +match("MESSAGE#860:00518:07/2", "nwparser.p0", ")%{}"); + +var all314 = all_match({ + processors: [ + part1397, + select329, + part1399, + ], + on_success: processor_chain([ + dup53, + dup29, + dup31, + dup54, + dup2, + dup4, + dup5, + dup3, + ]), +}); + +var msg870 = msg("00518:07", all314); + +var part1400 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' '), Field(authmethod,true), Constant(' authentication attempt has timed out')}" +match("MESSAGE#861:00518:08", "nwparser.payload", "User %{username->} at %{saddr->} %{authmethod->} authentication attempt has timed out", processor_chain([ + dup35, + dup29, + dup31, + dup39, + dup2, + dup4, + dup5, + dup3, +])); + +var msg871 = msg("00518:08", part1400); + +var part1401 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' has been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" +match("MESSAGE#862:00518:09", "nwparser.payload", "User %{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}", processor_chain([ + dup205, + dup2, + dup4, + dup5, + dup3, +])); + +var msg872 = msg("00518:09", part1401); + +var part1402 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" login attempt for '), Field(logon_type,true), Constant(' ('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' failed due to '), Field(result,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#863:00518:10", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type->} (%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} failed due to %{result}. (%{fld1})", processor_chain([ + dup208, + dup29, + dup30, + dup31, + dup54, + dup2, + dup4, + dup9, + dup5, + dup3, + dup304, +])); + +var msg873 = msg("00518:10", part1402); + +var part1403 = // "Pattern{Constant('ADM: Local admin authentication failed for login name '), Field(p0,false)}" +match("MESSAGE#864:00518:11/0", "nwparser.payload", "ADM: Local admin authentication failed for login name %{p0}"); + +var part1404 = // "Pattern{Constant('''), Field(username,false), Constant('': '), Field(p0,false)}" +match("MESSAGE#864:00518:11/1_0", "nwparser.p0", "'%{username}': %{p0}"); + +var part1405 = // "Pattern{Field(username,false), Constant(': '), Field(p0,false)}" +match("MESSAGE#864:00518:11/1_1", "nwparser.p0", "%{username}: %{p0}"); + +var select330 = linear_select([ + part1404, + part1405, +]); + +var part1406 = // "Pattern{Field(result,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#864:00518:11/2", "nwparser.p0", "%{result->} (%{fld1})"); + +var all315 = all_match({ + processors: [ + part1403, + select330, + part1406, + ], + on_success: processor_chain([ + dup208, + dup29, + dup30, + dup31, + dup54, + dup2, + dup9, + dup4, + dup5, + dup3, + ]), +}); + +var msg874 = msg("00518:11", all315); + +var part1407 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" login attempt for '), Field(logon_type,false), Constant('('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#865:00518:12", "nwparser.payload", "Admin user \"%{administrator}\" login attempt for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{disposition}. (%{fld1})", processor_chain([ + dup242, + dup2, + dup4, + dup9, + dup5, + dup3, +])); + +var msg875 = msg("00518:12", part1407); + +var part1408 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' is rejected by the Radius server at '), Field(hostip,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#866:00518:13", "nwparser.payload", "User %{username->} at %{saddr->} is rejected by the Radius server at %{hostip}. (%{fld1})", processor_chain([ + dup292, + dup2, + dup3, + dup4, + dup9, + dup5, +])); + +var msg876 = msg("00518:13", part1408); + +var part1409 = // "Pattern{Field(fld2,false), Constant(': Admin user has been rejected via the Radius server at '), Field(hostip,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#867:00518:14", "nwparser.payload", "%{fld2}: Admin user has been rejected via the Radius server at %{hostip->} (%{fld1})", processor_chain([ + dup292, + dup2, + dup4, + dup5, + dup9, +])); + +var msg877 = msg("00518:14", part1409); + +var select331 = linear_select([ + msg862, + msg863, + msg864, + msg865, + msg866, + msg867, + msg868, + msg869, + msg870, + msg871, + msg872, + msg873, + msg874, + msg875, + msg876, + msg877, +]); + +var part1410 = // "Pattern{Constant('Admin user '), Field(administrator,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#868:00519/0", "nwparser.payload", "Admin user %{administrator->} %{p0}"); + +var part1411 = // "Pattern{Constant('of group '), Field(group,true), Constant(' at '), Field(saddr,true), Constant(' has '), Field(p0,false)}" +match("MESSAGE#868:00519/1_1", "nwparser.p0", "of group %{group->} at %{saddr->} has %{p0}"); + +var part1412 = // "Pattern{Field(group,true), Constant(' at '), Field(saddr,true), Constant(' has '), Field(p0,false)}" +match("MESSAGE#868:00519/1_2", "nwparser.p0", "%{group->} at %{saddr->} has %{p0}"); + +var select332 = linear_select([ + dup196, + part1411, + part1412, +]); + +var part1413 = // "Pattern{Constant('been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server '), Field(p0,false)}" +match("MESSAGE#868:00519/2", "nwparser.p0", "been %{disposition->} via the %{logon_type->} server %{p0}"); + +var part1414 = // "Pattern{Constant('at '), Field(p0,false)}" +match("MESSAGE#868:00519/3_0", "nwparser.p0", "at %{p0}"); + +var select333 = linear_select([ + part1414, + dup16, +]); + +var part1415 = // "Pattern{Constant(''), Field(hostip,false)}" +match("MESSAGE#868:00519/4", "nwparser.p0", "%{hostip}"); + +var all316 = all_match({ + processors: [ + part1410, + select332, + part1413, + select333, + part1415, + ], + on_success: processor_chain([ + dup205, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg878 = msg("00519", all316); + +var part1416 = // "Pattern{Constant('Local authentication for '), Field(p0,false)}" +match("MESSAGE#869:00519:01/0", "nwparser.payload", "Local authentication for %{p0}"); + +var select334 = linear_select([ + dup309, + dup307, +]); + +var part1417 = // "Pattern{Constant(''), Field(username,true), Constant(' was '), Field(disposition,false)}" +match("MESSAGE#869:00519:01/2", "nwparser.p0", "%{username->} was %{disposition}"); + +var all317 = all_match({ + processors: [ + part1416, + select334, + part1417, + ], + on_success: processor_chain([ + dup205, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg879 = msg("00519:01", all317); + +var part1418 = // "Pattern{Constant('User '), Field(p0,false)}" +match("MESSAGE#870:00519:02/1_1", "nwparser.p0", "User %{p0}"); + +var select335 = linear_select([ + dup309, + part1418, +]); + +var part1419 = // "Pattern{Constant(''), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' has been '), Field(disposition,true), Constant(' via the '), Field(logon_type,true), Constant(' server at '), Field(hostip,false)}" +match("MESSAGE#870:00519:02/2", "nwparser.p0", "%{username->} at %{saddr->} has been %{disposition->} via the %{logon_type->} server at %{hostip}"); + +var all318 = all_match({ + processors: [ + dup162, + select335, + part1419, + ], + on_success: processor_chain([ + dup205, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg880 = msg("00519:02", all318); + +var part1420 = // "Pattern{Constant('Admin user "'), Field(administrator,false), Constant('" logged in for '), Field(logon_type,false), Constant('('), Field(network_service,false), Constant(') management (port '), Field(network_port,false), Constant(') from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' '), Field(fld4,false)}" +match("MESSAGE#871:00519:03", "nwparser.payload", "Admin user \"%{administrator}\" logged in for %{logon_type}(%{network_service}) management (port %{network_port}) from %{saddr}:%{sport->} %{fld4}", processor_chain([ + dup242, + dup2, + dup3, + dup4, + dup5, +])); + +var msg881 = msg("00519:03", part1420); + +var part1421 = // "Pattern{Constant('ADM: Local admin authentication successful for login name '), Field(username,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#872:00519:04", "nwparser.payload", "ADM: Local admin authentication successful for login name %{username->} (%{fld1})", processor_chain([ + dup242, + dup2, + dup4, + dup5, + dup9, +])); + +var msg882 = msg("00519:04", part1421); + +var part1422 = // "Pattern{Field(fld2,false), Constant('Admin user '), Field(administrator,true), Constant(' has been accepted via the Radius server at '), Field(hostip,false), Constant('('), Field(fld1,false), Constant(')')}" +match("MESSAGE#873:00519:05", "nwparser.payload", "%{fld2}Admin user %{administrator->} has been accepted via the Radius server at %{hostip}(%{fld1})", processor_chain([ + dup242, + dup2, + dup4, + dup5, + dup9, +])); + +var msg883 = msg("00519:05", part1422); + +var select336 = linear_select([ + msg878, + msg879, + msg880, + msg881, + msg882, + msg883, +]); + +var part1423 = // "Pattern{Field(hostname,true), Constant(' user authentication attempt has timed out')}" +match("MESSAGE#874:00520", "nwparser.payload", "%{hostname->} user authentication attempt has timed out", processor_chain([ + dup35, + dup31, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg884 = msg("00520", part1423); + +var part1424 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(hostip,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#875:00520:01/0", "nwparser.payload", "User %{username->} at %{hostip->} %{p0}"); + +var part1425 = // "Pattern{Constant('RADIUS '), Field(p0,false)}" +match("MESSAGE#875:00520:01/1_0", "nwparser.p0", "RADIUS %{p0}"); + +var part1426 = // "Pattern{Constant('SecurID '), Field(p0,false)}" +match("MESSAGE#875:00520:01/1_1", "nwparser.p0", "SecurID %{p0}"); + +var part1427 = // "Pattern{Constant('LDAP '), Field(p0,false)}" +match("MESSAGE#875:00520:01/1_2", "nwparser.p0", "LDAP %{p0}"); + +var part1428 = // "Pattern{Constant('Local '), Field(p0,false)}" +match("MESSAGE#875:00520:01/1_3", "nwparser.p0", "Local %{p0}"); + +var select337 = linear_select([ + part1425, + part1426, + part1427, + part1428, +]); + +var part1429 = // "Pattern{Constant('authentication attempt has timed out'), Field(,false)}" +match("MESSAGE#875:00520:01/2", "nwparser.p0", "authentication attempt has timed out%{}"); + +var all319 = all_match({ + processors: [ + part1424, + select337, + part1429, + ], + on_success: processor_chain([ + dup35, + dup31, + dup39, + dup2, + dup4, + dup5, + dup3, + ]), +}); + +var msg885 = msg("00520:01", all319); + +var part1430 = // "Pattern{Constant('Trying '), Field(p0,false)}" +match("MESSAGE#876:00520:02/0", "nwparser.payload", "Trying %{p0}"); + +var part1431 = // "Pattern{Constant('server '), Field(fld2,false)}" +match("MESSAGE#876:00520:02/2", "nwparser.p0", "server %{fld2}"); + +var all320 = all_match({ + processors: [ + part1430, + dup403, + part1431, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg886 = msg("00520:02", all320); + +var part1432 = // "Pattern{Constant('Primary '), Field(p0,false)}" +match("MESSAGE#877:00520:03/1_0", "nwparser.p0", "Primary %{p0}"); + +var part1433 = // "Pattern{Constant('Backup1 '), Field(p0,false)}" +match("MESSAGE#877:00520:03/1_1", "nwparser.p0", "Backup1 %{p0}"); + +var part1434 = // "Pattern{Constant('Backup2 '), Field(p0,false)}" +match("MESSAGE#877:00520:03/1_2", "nwparser.p0", "Backup2 %{p0}"); + +var select338 = linear_select([ + part1432, + part1433, + part1434, +]); + +var part1435 = // "Pattern{Constant(''), Field(fld2,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#877:00520:03/2", "nwparser.p0", "%{fld2}, %{p0}"); + +var part1436 = // "Pattern{Constant(''), Field(fld3,false), Constant(', and '), Field(p0,false)}" +match("MESSAGE#877:00520:03/4", "nwparser.p0", "%{fld3}, and %{p0}"); + +var part1437 = // "Pattern{Constant(''), Field(fld4,true), Constant(' servers failed')}" +match("MESSAGE#877:00520:03/6", "nwparser.p0", "%{fld4->} servers failed"); + +var all321 = all_match({ + processors: [ + dup162, + select338, + part1435, + dup403, + part1436, + dup403, + part1437, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg887 = msg("00520:03", all321); + +var part1438 = // "Pattern{Constant('Trying '), Field(fld2,true), Constant(' Server '), Field(hostip,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#878:00520:04", "nwparser.payload", "Trying %{fld2->} Server %{hostip->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, +])); + +var msg888 = msg("00520:04", part1438); + +var part1439 = // "Pattern{Constant('Active Server Switchover: New requests for '), Field(fld31,true), Constant(' server will try '), Field(fld32,true), Constant(' from now on. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1221:00520:05", "nwparser.payload", "Active Server Switchover: New requests for %{fld31->} server will try %{fld32->} from now on. (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, +])); + +var msg889 = msg("00520:05", part1439); + +var select339 = linear_select([ + msg884, + msg885, + msg886, + msg887, + msg888, + msg889, +]); + +var part1440 = // "Pattern{Constant('Can't connect to E-mail server '), Field(hostip,false)}" +match("MESSAGE#879:00521", "nwparser.payload", "Can't connect to E-mail server %{hostip}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, +])); + +var msg890 = msg("00521", part1440); + +var part1441 = // "Pattern{Constant('HA link state has '), Field(fld2,false)}" +match("MESSAGE#880:00522", "nwparser.payload", "HA link state has %{fld2}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, +])); + +var msg891 = msg("00522", part1441); + +var part1442 = // "Pattern{Constant('URL filtering received an error from '), Field(fld2,true), Constant(' (error '), Field(resultcode,false), Constant(').')}" +match("MESSAGE#881:00523", "nwparser.payload", "URL filtering received an error from %{fld2->} (error %{resultcode}).", processor_chain([ + dup234, + dup2, + dup3, + dup4, + dup5, +])); + +var msg892 = msg("00523", part1442); + +var part1443 = // "Pattern{Constant('NetScreen device at '), Field(hostip,false), Constant(':'), Field(network_port,true), Constant(' has responded successfully to SNMP request from '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#882:00524", "nwparser.payload", "NetScreen device at %{hostip}:%{network_port->} has responded successfully to SNMP request from %{saddr}:%{sport}", processor_chain([ + dup211, + dup2, + dup3, + dup4, + dup5, +])); + +var msg893 = msg("00524", part1443); + +var part1444 = // "Pattern{Constant('SNMP request from an unknown SNMP community public at '), Field(hostip,false), Constant(':'), Field(network_port,true), Constant(' has been received. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#883:00524:02", "nwparser.payload", "SNMP request from an unknown SNMP community public at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg894 = msg("00524:02", part1444); + +var part1445 = // "Pattern{Constant('SNMP: NetScreen device has responded successfully to the SNMP request from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#884:00524:03", "nwparser.payload", "SNMP: NetScreen device has responded successfully to the SNMP request from %{saddr}:%{sport}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg895 = msg("00524:03", part1445); + +var part1446 = // "Pattern{Constant('SNMP request from an unknown SNMP community admin at '), Field(hostip,false), Constant(':'), Field(network_port,true), Constant(' has been received. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#885:00524:04", "nwparser.payload", "SNMP request from an unknown SNMP community admin at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg896 = msg("00524:04", part1446); + +var part1447 = // "Pattern{Constant('SNMP request from an unknown SNMP community '), Field(fld2,true), Constant(' at '), Field(hostip,false), Constant(':'), Field(network_port,true), Constant(' has been received. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#886:00524:05", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{hostip}:%{network_port->} has been received. (%{fld1})", processor_chain([ + dup18, + dup2, + dup4, + dup5, + dup9, +])); + +var msg897 = msg("00524:05", part1447); + +var part1448 = // "Pattern{Constant('SNMP request has been received from an unknown host in SNMP community '), Field(fld2,true), Constant(' at '), Field(hostip,false), Constant(':'), Field(network_port,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#887:00524:06", "nwparser.payload", "SNMP request has been received from an unknown host in SNMP community %{fld2->} at %{hostip}:%{network_port}. (%{fld1})", processor_chain([ + dup18, + dup2, + dup4, + dup5, + dup9, +])); + +var msg898 = msg("00524:06", part1448); + +var part1449 = // "Pattern{Constant('SNMP request from an unknown SNMP community '), Field(fld2,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' has been received')}" +match("MESSAGE#888:00524:12", "nwparser.payload", "SNMP request from an unknown SNMP community %{fld2->} at %{saddr}:%{sport->} to %{daddr}:%{dport->} has been received", processor_chain([ + dup18, + dup2, + dup4, + dup5, +])); + +var msg899 = msg("00524:12", part1449); + +var part1450 = // "Pattern{Constant('SNMP request from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has been received, but the SNMP version type is incorrect. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#889:00524:14", "nwparser.payload", "SNMP request from %{saddr}:%{sport->} has been received, but the SNMP version type is incorrect. (%{fld1})", processor_chain([ + dup19, + dup2, + dup4, + setc("result","the SNMP version type is incorrect"), + dup5, + dup9, +])); + +var msg900 = msg("00524:14", part1450); + +var part1451 = // "Pattern{Constant('SNMP request has been received'), Field(p0,false)}" +match("MESSAGE#890:00524:13/0", "nwparser.payload", "SNMP request has been received%{p0}"); + +var part1452 = // "Pattern{Field(,false), Constant('but '), Field(result,false)}" +match("MESSAGE#890:00524:13/2", "nwparser.p0", "%{}but %{result}"); + +var all322 = all_match({ + processors: [ + part1451, + dup404, + part1452, + ], + on_success: processor_chain([ + dup18, + dup2, + dup4, + dup5, + ]), +}); + +var msg901 = msg("00524:13", all322); + +var part1453 = // "Pattern{Constant('Response to SNMP request from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' has '), Field(disposition,true), Constant(' due to '), Field(result,false)}" +match("MESSAGE#891:00524:07", "nwparser.payload", "Response to SNMP request from %{saddr}:%{sport->} to %{daddr}:%{dport->} has %{disposition->} due to %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, +])); + +var msg902 = msg("00524:07", part1453); + +var part1454 = // "Pattern{Constant('SNMP community '), Field(fld2,true), Constant(' cannot be added because '), Field(result,false)}" +match("MESSAGE#892:00524:08", "nwparser.payload", "SNMP community %{fld2->} cannot be added because %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, +])); + +var msg903 = msg("00524:08", part1454); + +var part1455 = // "Pattern{Constant('SNMP host '), Field(hostip,true), Constant(' cannot be added to community '), Field(fld2,true), Constant(' because of '), Field(result,false)}" +match("MESSAGE#893:00524:09", "nwparser.payload", "SNMP host %{hostip->} cannot be added to community %{fld2->} because of %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, +])); + +var msg904 = msg("00524:09", part1455); + +var part1456 = // "Pattern{Constant('SNMP host '), Field(hostip,true), Constant(' cannot be added because '), Field(result,false)}" +match("MESSAGE#894:00524:10", "nwparser.payload", "SNMP host %{hostip->} cannot be added because %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, +])); + +var msg905 = msg("00524:10", part1456); + +var part1457 = // "Pattern{Constant('SNMP host '), Field(hostip,true), Constant(' cannot be removed from community '), Field(fld2,true), Constant(' because '), Field(result,false)}" +match("MESSAGE#895:00524:11", "nwparser.payload", "SNMP host %{hostip->} cannot be removed from community %{fld2->} because %{result}", processor_chain([ + dup18, + dup2, + dup4, + dup5, +])); + +var msg906 = msg("00524:11", part1457); + +var part1458 = // "Pattern{Constant('SNMP user/community '), Field(fld34,true), Constant(' doesn't exist. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1222:00524:16", "nwparser.payload", "SNMP user/community %{fld34->} doesn't exist. (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, +])); + +var msg907 = msg("00524:16", part1458); + +var select340 = linear_select([ + msg893, + msg894, + msg895, + msg896, + msg897, + msg898, + msg899, + msg900, + msg901, + msg902, + msg903, + msg904, + msg905, + msg906, + msg907, +]); + +var part1459 = // "Pattern{Constant('The new PIN for user '), Field(username,true), Constant(' at '), Field(hostip,true), Constant(' has been '), Field(disposition,true), Constant(' by SecurID '), Field(fld2,false)}" +match("MESSAGE#896:00525", "nwparser.payload", "The new PIN for user %{username->} at %{hostip->} has been %{disposition->} by SecurID %{fld2}", processor_chain([ + dup205, + setc("ec_subject","Password"), + dup38, + dup2, + dup3, + dup4, + dup5, +])); + +var msg908 = msg("00525", part1459); + +var part1460 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(hostip,true), Constant(' has selected a system-generated PIN for authentication with SecurID '), Field(fld2,false)}" +match("MESSAGE#897:00525:01", "nwparser.payload", "User %{username->} at %{hostip->} has selected a system-generated PIN for authentication with SecurID %{fld2}", processor_chain([ + dup205, + dup2, + dup3, + dup4, + dup5, +])); + +var msg909 = msg("00525:01", part1460); + +var part1461 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(hostip,true), Constant(' must enter the "new PIN" for SecurID '), Field(fld2,false)}" +match("MESSAGE#898:00525:02", "nwparser.payload", "User %{username->} at %{hostip->} must enter the \"new PIN\" for SecurID %{fld2}", processor_chain([ + dup205, + dup2, + dup3, + dup4, + dup5, +])); + +var msg910 = msg("00525:02", part1461); + +var part1462 = // "Pattern{Constant('User '), Field(username,true), Constant(' at '), Field(hostip,true), Constant(' must make a "New PIN" choice for SecurID '), Field(fld2,false)}" +match("MESSAGE#899:00525:03", "nwparser.payload", "User %{username->} at %{hostip->} must make a \"New PIN\" choice for SecurID %{fld2}", processor_chain([ + dup205, + dup2, + dup3, + dup4, + dup5, +])); + +var msg911 = msg("00525:03", part1462); + +var select341 = linear_select([ + msg908, + msg909, + msg910, + msg911, +]); + +var part1463 = // "Pattern{Constant('The user limit has been exceeded and '), Field(hostip,true), Constant(' cannot be added')}" +match("MESSAGE#900:00526", "nwparser.payload", "The user limit has been exceeded and %{hostip->} cannot be added", processor_chain([ + dup37, + dup221, + dup38, + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg912 = msg("00526", part1463); + +var part1464 = // "Pattern{Constant('A DHCP-'), Field(p0,false)}" +match("MESSAGE#901:00527/0", "nwparser.payload", "A DHCP-%{p0}"); + +var part1465 = // "Pattern{Constant(' assigned '), Field(p0,false)}" +match("MESSAGE#901:00527/1_1", "nwparser.p0", " assigned %{p0}"); + +var select342 = linear_select([ + dup313, + part1465, +]); + +var part1466 = // "Pattern{Constant('IP address '), Field(hostip,true), Constant(' has been '), Field(p0,false)}" +match("MESSAGE#901:00527/2", "nwparser.p0", "IP address %{hostip->} has been %{p0}"); + +var part1467 = // "Pattern{Constant('freed from '), Field(p0,false)}" +match("MESSAGE#901:00527/3_1", "nwparser.p0", "freed from %{p0}"); + +var part1468 = // "Pattern{Constant('freed '), Field(p0,false)}" +match("MESSAGE#901:00527/3_2", "nwparser.p0", "freed %{p0}"); + +var select343 = linear_select([ + dup314, + part1467, + part1468, +]); + +var all323 = all_match({ + processors: [ + part1464, + select342, + part1466, + select343, + dup108, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg913 = msg("00527", all323); + +var part1469 = // "Pattern{Constant('A DHCP-assigned IP address has been manually released'), Field(,false)}" +match("MESSAGE#902:00527:01", "nwparser.payload", "A DHCP-assigned IP address has been manually released%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg914 = msg("00527:01", part1469); + +var part1470 = // "Pattern{Constant('DHCP server has '), Field(p0,false)}" +match("MESSAGE#903:00527:02/0", "nwparser.payload", "DHCP server has %{p0}"); + +var part1471 = // "Pattern{Constant('released '), Field(p0,false)}" +match("MESSAGE#903:00527:02/1_1", "nwparser.p0", "released %{p0}"); + +var part1472 = // "Pattern{Constant('assigned or released '), Field(p0,false)}" +match("MESSAGE#903:00527:02/1_2", "nwparser.p0", "assigned or released %{p0}"); + +var select344 = linear_select([ + dup313, + part1471, + part1472, +]); + +var part1473 = // "Pattern{Constant('an IP address'), Field(,false)}" +match("MESSAGE#903:00527:02/2", "nwparser.p0", "an IP address%{}"); + +var all324 = all_match({ + processors: [ + part1470, + select344, + part1473, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg915 = msg("00527:02", all324); + +var part1474 = // "Pattern{Constant('MAC address '), Field(macaddr,true), Constant(' has detected an IP conflict and has declined address '), Field(hostip,false)}" +match("MESSAGE#904:00527:03", "nwparser.payload", "MAC address %{macaddr->} has detected an IP conflict and has declined address %{hostip}", processor_chain([ + dup274, + dup2, + dup3, + dup4, + dup5, +])); + +var msg916 = msg("00527:03", part1474); + +var part1475 = // "Pattern{Constant('One or more DHCP-assigned IP addresses have been manually released.'), Field(,false)}" +match("MESSAGE#905:00527:04", "nwparser.payload", "One or more DHCP-assigned IP addresses have been manually released.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg917 = msg("00527:04", part1475); + +var part1476 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' is more than '), Field(fld2,true), Constant(' allocated.')}" +match("MESSAGE#906:00527:05/2", "nwparser.p0", "%{} %{interface->} is more than %{fld2->} allocated."); + +var all325 = all_match({ + processors: [ + dup212, + dup339, + part1476, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg918 = msg("00527:05", all325); + +var part1477 = // "Pattern{Constant('IP address '), Field(hostip,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#907:00527:06/0", "nwparser.payload", "IP address %{hostip->} %{p0}"); + +var select345 = linear_select([ + dup106, + dup127, +]); + +var part1478 = // "Pattern{Constant('released from '), Field(p0,false)}" +match("MESSAGE#907:00527:06/3_1", "nwparser.p0", "released from %{p0}"); + +var select346 = linear_select([ + dup314, + part1478, +]); + +var part1479 = // "Pattern{Constant(''), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#907:00527:06/4", "nwparser.p0", "%{fld2->} (%{fld1})"); + +var all326 = all_match({ + processors: [ + part1477, + select345, + dup23, + select346, + part1479, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg919 = msg("00527:06", all326); + +var part1480 = // "Pattern{Constant('One or more IP addresses have expired. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#908:00527:07", "nwparser.payload", "One or more IP addresses have expired. (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg920 = msg("00527:07", part1480); + +var part1481 = // "Pattern{Constant('DHCP server on interface '), Field(interface,true), Constant(' received '), Field(protocol_detail,true), Constant(' from '), Field(smacaddr,true), Constant(' requesting out-of-scope IP address '), Field(hostip,false), Constant('/'), Field(mask,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#909:00527:08", "nwparser.payload", "DHCP server on interface %{interface->} received %{protocol_detail->} from %{smacaddr->} requesting out-of-scope IP address %{hostip}/%{mask->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg921 = msg("00527:08", part1481); + +var part1482 = // "Pattern{Constant('MAC address '), Field(macaddr,true), Constant(' has '), Field(disposition,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#910:00527:09/0", "nwparser.payload", "MAC address %{macaddr->} has %{disposition->} %{p0}"); + +var part1483 = // "Pattern{Constant('address '), Field(hostip,true), Constant(' ('), Field(p0,false)}" +match("MESSAGE#910:00527:09/1_0", "nwparser.p0", "address %{hostip->} (%{p0}"); + +var part1484 = // "Pattern{Field(hostip,true), Constant(' ('), Field(p0,false)}" +match("MESSAGE#910:00527:09/1_1", "nwparser.p0", "%{hostip->} (%{p0}"); + +var select347 = linear_select([ + part1483, + part1484, +]); + +var all327 = all_match({ + processors: [ + part1482, + select347, + dup41, + ], + on_success: processor_chain([ + dup274, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg922 = msg("00527:09", all327); + +var part1485 = // "Pattern{Constant('One or more IP addresses are expired. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#911:00527:10", "nwparser.payload", "One or more IP addresses are expired. (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg923 = msg("00527:10", part1485); + +var select348 = linear_select([ + msg913, + msg914, + msg915, + msg916, + msg917, + msg918, + msg919, + msg920, + msg921, + msg922, + msg923, +]); + +var part1486 = // "Pattern{Constant('SCS: User ''), Field(username,false), Constant('' authenticated using password :')}" +match("MESSAGE#912:00528", "nwparser.payload", "SCS: User '%{username}' authenticated using password :", processor_chain([ + setc("eventcategory","1302010000"), + dup29, + dup31, + dup32, + dup2, + dup3, + dup4, + dup5, +])); + +var msg924 = msg("00528", part1486); + +var part1487 = // "Pattern{Constant('SCS: Connection terminated for user '), Field(username,true), Constant(' from')}" +match("MESSAGE#913:00528:01", "nwparser.payload", "SCS: Connection terminated for user %{username->} from", processor_chain([ + dup205, + dup2, + dup3, + dup4, + dup5, +])); + +var msg925 = msg("00528:01", part1487); + +var part1488 = // "Pattern{Constant('SCS: Disabled for all root/vsys on device. Client host attempting connection to interface ''), Field(interface,false), Constant('' with address '), Field(hostip,true), Constant(' from '), Field(saddr,false)}" +match("MESSAGE#914:00528:02", "nwparser.payload", "SCS: Disabled for all root/vsys on device. Client host attempting connection to interface '%{interface}' with address %{hostip->} from %{saddr}", processor_chain([ + dup205, + dup2, + dup3, + dup4, + dup5, +])); + +var msg926 = msg("00528:02", part1488); + +var part1489 = // "Pattern{Constant('SSH: NetScreen device '), Field(disposition,true), Constant(' to identify itself to the SSH client at '), Field(hostip,false)}" +match("MESSAGE#915:00528:03", "nwparser.payload", "SSH: NetScreen device %{disposition->} to identify itself to the SSH client at %{hostip}", processor_chain([ + dup205, + dup2, + dup4, + dup5, + dup3, +])); + +var msg927 = msg("00528:03", part1489); + +var part1490 = // "Pattern{Constant('SSH: Incompatible SSH version string has been received from SSH client at '), Field(hostip,false)}" +match("MESSAGE#916:00528:04", "nwparser.payload", "SSH: Incompatible SSH version string has been received from SSH client at %{hostip}", processor_chain([ + dup205, + dup2, + dup4, + dup5, + dup3, +])); + +var msg928 = msg("00528:04", part1490); + +var part1491 = // "Pattern{Constant('SSH: '), Field(disposition,true), Constant(' to send identification string to client host at '), Field(hostip,false)}" +match("MESSAGE#917:00528:05", "nwparser.payload", "SSH: %{disposition->} to send identification string to client host at %{hostip}", processor_chain([ + dup205, + dup2, + dup3, + dup4, + dup5, +])); + +var msg929 = msg("00528:05", part1491); + +var part1492 = // "Pattern{Constant('SSH: Client at '), Field(saddr,true), Constant(' attempted to connect with invalid version string.')}" +match("MESSAGE#918:00528:06", "nwparser.payload", "SSH: Client at %{saddr->} attempted to connect with invalid version string.", processor_chain([ + dup315, + dup2, + dup3, + dup4, + dup5, + setc("result","invalid version string"), +])); + +var msg930 = msg("00528:06", part1492); + +var part1493 = // "Pattern{Constant('SSH: '), Field(disposition,true), Constant(' to negotiate '), Field(p0,false)}" +match("MESSAGE#919:00528:07/0", "nwparser.payload", "SSH: %{disposition->} to negotiate %{p0}"); + +var part1494 = // "Pattern{Constant('MAC '), Field(p0,false)}" +match("MESSAGE#919:00528:07/1_1", "nwparser.p0", "MAC %{p0}"); + +var part1495 = // "Pattern{Constant('key exchange '), Field(p0,false)}" +match("MESSAGE#919:00528:07/1_2", "nwparser.p0", "key exchange %{p0}"); + +var part1496 = // "Pattern{Constant('host key '), Field(p0,false)}" +match("MESSAGE#919:00528:07/1_3", "nwparser.p0", "host key %{p0}"); + +var select349 = linear_select([ + dup88, + part1494, + part1495, + part1496, +]); + +var part1497 = // "Pattern{Constant('algorithm with host '), Field(hostip,false)}" +match("MESSAGE#919:00528:07/2", "nwparser.p0", "algorithm with host %{hostip}"); + +var all328 = all_match({ + processors: [ + part1493, + select349, + part1497, + ], + on_success: processor_chain([ + dup316, + dup2, + dup4, + dup5, + dup3, + ]), +}); + +var msg931 = msg("00528:07", all328); + +var part1498 = // "Pattern{Constant('SSH: Unsupported cipher type '), Field(fld2,true), Constant(' requested from '), Field(saddr,false)}" +match("MESSAGE#920:00528:08", "nwparser.payload", "SSH: Unsupported cipher type %{fld2->} requested from %{saddr}", processor_chain([ + dup316, + dup2, + dup4, + dup5, + dup3, +])); + +var msg932 = msg("00528:08", part1498); + +var part1499 = // "Pattern{Constant('SSH: Host client has requested NO cipher from '), Field(saddr,false)}" +match("MESSAGE#921:00528:09", "nwparser.payload", "SSH: Host client has requested NO cipher from %{saddr}", processor_chain([ + dup316, + dup2, + dup3, + dup4, + dup5, +])); + +var msg933 = msg("00528:09", part1499); + +var part1500 = // "Pattern{Constant('SSH: Disabled for ''), Field(vsys,false), Constant(''. Attempted connection '), Field(disposition,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#922:00528:10", "nwparser.payload", "SSH: Disabled for '%{vsys}'. Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, +])); + +var msg934 = msg("00528:10", part1500); + +var part1501 = // "Pattern{Constant('SSH: Disabled for '), Field(fld2,true), Constant(' Attempted connection '), Field(disposition,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#923:00528:11", "nwparser.payload", "SSH: Disabled for %{fld2->} Attempted connection %{disposition->} from %{saddr}:%{sport}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, +])); + +var msg935 = msg("00528:11", part1501); + +var part1502 = // "Pattern{Constant('SSH: SSH user '), Field(username,true), Constant(' at '), Field(saddr,true), Constant(' tried unsuccessfully to log in to '), Field(vsys,true), Constant(' using the shared untrusted interface. SSH disabled on that interface.')}" +match("MESSAGE#924:00528:12", "nwparser.payload", "SSH: SSH user %{username->} at %{saddr->} tried unsuccessfully to log in to %{vsys->} using the shared untrusted interface. SSH disabled on that interface.", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + setc("disposition","disabled"), +])); + +var msg936 = msg("00528:12", part1502); + +var part1503 = // "Pattern{Constant('SSH: SSH client at '), Field(saddr,true), Constant(' tried unsuccessfully to '), Field(p0,false)}" +match("MESSAGE#925:00528:13/0", "nwparser.payload", "SSH: SSH client at %{saddr->} tried unsuccessfully to %{p0}"); + +var part1504 = // "Pattern{Constant('make '), Field(p0,false)}" +match("MESSAGE#925:00528:13/1_0", "nwparser.p0", "make %{p0}"); + +var part1505 = // "Pattern{Constant('establish '), Field(p0,false)}" +match("MESSAGE#925:00528:13/1_1", "nwparser.p0", "establish %{p0}"); + +var select350 = linear_select([ + part1504, + part1505, +]); + +var part1506 = // "Pattern{Constant('an SSH connection to '), Field(p0,false)}" +match("MESSAGE#925:00528:13/2", "nwparser.p0", "an SSH connection to %{p0}"); + +var part1507 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' with IP '), Field(hostip,true), Constant(' SSH '), Field(p0,false)}" +match("MESSAGE#925:00528:13/4", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} SSH %{p0}"); + +var part1508 = // "Pattern{Constant('not enabled '), Field(p0,false)}" +match("MESSAGE#925:00528:13/5_0", "nwparser.p0", "not enabled %{p0}"); + +var select351 = linear_select([ + part1508, + dup157, +]); + +var part1509 = // "Pattern{Constant('on that interface.'), Field(,false)}" +match("MESSAGE#925:00528:13/6", "nwparser.p0", "on that interface.%{}"); + +var all329 = all_match({ + processors: [ + part1503, + select350, + part1506, + dup339, + part1507, + select351, + part1509, + ], + on_success: processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + ]), +}); + +var msg937 = msg("00528:13", all329); + +var part1510 = // "Pattern{Constant('SSH: SSH client '), Field(saddr,true), Constant(' unsuccessfully attempted to make an SSH connection to '), Field(vsys,true), Constant(' SSH was not completely initialized for that system.')}" +match("MESSAGE#926:00528:14", "nwparser.payload", "SSH: SSH client %{saddr->} unsuccessfully attempted to make an SSH connection to %{vsys->} SSH was not completely initialized for that system.", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, +])); + +var msg938 = msg("00528:14", part1510); + +var part1511 = // "Pattern{Constant('SSH: Admin user '), Field(p0,false)}" +match("MESSAGE#927:00528:15/0", "nwparser.payload", "SSH: Admin user %{p0}"); + +var part1512 = // "Pattern{Field(administrator,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#927:00528:15/1_1", "nwparser.p0", "%{administrator->} %{p0}"); + +var select352 = linear_select([ + dup317, + part1512, +]); + +var part1513 = // "Pattern{Constant('at host '), Field(saddr,true), Constant(' requested unsupported '), Field(p0,false)}" +match("MESSAGE#927:00528:15/2", "nwparser.p0", "at host %{saddr->} requested unsupported %{p0}"); + +var part1514 = // "Pattern{Constant('PKA algorithm '), Field(p0,false)}" +match("MESSAGE#927:00528:15/3_0", "nwparser.p0", "PKA algorithm %{p0}"); + +var part1515 = // "Pattern{Constant('authentication method '), Field(p0,false)}" +match("MESSAGE#927:00528:15/3_1", "nwparser.p0", "authentication method %{p0}"); + +var select353 = linear_select([ + part1514, + part1515, +]); + +var all330 = all_match({ + processors: [ + part1511, + select352, + part1513, + select353, + dup108, + ], + on_success: processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + ]), +}); + +var msg939 = msg("00528:15", all330); + +var part1516 = // "Pattern{Constant('SCP: Admin ''), Field(administrator,false), Constant('' at host '), Field(saddr,true), Constant(' executed invalid scp command: ''), Field(fld2,false), Constant(''')}" +match("MESSAGE#928:00528:16", "nwparser.payload", "SCP: Admin '%{administrator}' at host %{saddr->} executed invalid scp command: '%{fld2}'", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, +])); + +var msg940 = msg("00528:16", part1516); + +var part1517 = // "Pattern{Constant('SCP: Disabled for ''), Field(username,false), Constant(''. Attempted file transfer failed from host '), Field(saddr,false)}" +match("MESSAGE#929:00528:17", "nwparser.payload", "SCP: Disabled for '%{username}'. Attempted file transfer failed from host %{saddr}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, +])); + +var msg941 = msg("00528:17", part1517); + +var part1518 = // "Pattern{Constant('authentication successful for admin user '), Field(p0,false)}" +match("MESSAGE#930:00528:18/2", "nwparser.p0", "authentication successful for admin user %{p0}"); + +var all331 = all_match({ + processors: [ + dup318, + dup405, + part1518, + dup406, + dup322, + ], + on_success: processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + setc("disposition","successful"), + setc("event_description","authentication successful for admin user"), + ]), +}); + +var msg942 = msg("00528:18", all331); + +var part1519 = // "Pattern{Constant('authentication failed for admin user '), Field(p0,false)}" +match("MESSAGE#931:00528:26/2", "nwparser.p0", "authentication failed for admin user %{p0}"); + +var all332 = all_match({ + processors: [ + dup318, + dup405, + part1519, + dup406, + dup322, + ], + on_success: processor_chain([ + dup208, + dup29, + dup31, + dup54, + dup2, + dup4, + dup5, + dup304, + dup3, + setc("event_description","authentication failed for admin user"), + ]), +}); + +var msg943 = msg("00528:26", all332); + +var part1520 = // "Pattern{Constant(': SSH user '), Field(username,true), Constant(' has been '), Field(disposition,true), Constant(' using password from '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#932:00528:19/2", "nwparser.p0", ": SSH user %{username->} has been %{disposition->} using password from %{saddr}:%{sport}"); + +var all333 = all_match({ + processors: [ + dup323, + dup407, + part1520, + ], + on_success: processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + ]), +}); + +var msg944 = msg("00528:19", all333); + +var part1521 = // "Pattern{Constant(': Connection has been '), Field(disposition,true), Constant(' for admin user '), Field(administrator,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#933:00528:20/2", "nwparser.p0", ": Connection has been %{disposition->} for admin user %{administrator->} at %{saddr}:%{sport}"); + +var all334 = all_match({ + processors: [ + dup323, + dup407, + part1521, + ], + on_success: processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + ]), +}); + +var msg945 = msg("00528:20", all334); + +var part1522 = // "Pattern{Constant('SCS: SSH user '), Field(username,true), Constant(' at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has requested PKA RSA authentication, which is not supported for that client.')}" +match("MESSAGE#934:00528:21", "nwparser.payload", "SCS: SSH user %{username->} at %{saddr}:%{sport->} has requested PKA RSA authentication, which is not supported for that client.", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, +])); + +var msg946 = msg("00528:21", part1522); + +var part1523 = // "Pattern{Constant('SCS: SSH client at '), Field(saddr,true), Constant(' has attempted to make an SCS connection to '), Field(p0,false)}" +match("MESSAGE#935:00528:22/0", "nwparser.payload", "SCS: SSH client at %{saddr->} has attempted to make an SCS connection to %{p0}"); + +var part1524 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' with IP '), Field(hostip,true), Constant(' but '), Field(disposition,true), Constant(' because SCS is not enabled for that interface.')}" +match("MESSAGE#935:00528:22/2", "nwparser.p0", "%{} %{interface->} with IP %{hostip->} but %{disposition->} because SCS is not enabled for that interface."); + +var all335 = all_match({ + processors: [ + part1523, + dup339, + part1524, + ], + on_success: processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + setc("result","SCS is not enabled for that interface"), + ]), +}); + +var msg947 = msg("00528:22", all335); + +var part1525 = // "Pattern{Constant('SCS: SSH client at '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' has '), Field(disposition,true), Constant(' to make an SCS connection to vsys '), Field(vsys,true), Constant(' because SCS cannot generate the host and server keys before timing out.')}" +match("MESSAGE#936:00528:23", "nwparser.payload", "SCS: SSH client at %{saddr}:%{sport->} has %{disposition->} to make an SCS connection to vsys %{vsys->} because SCS cannot generate the host and server keys before timing out.", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + setc("result","SCS cannot generate the host and server keys before timing out"), +])); + +var msg948 = msg("00528:23", part1525); + +var part1526 = // "Pattern{Constant('SSH: '), Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#937:00528:24", "nwparser.payload", "SSH: %{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup283, + dup2, + dup3, + dup4, + dup5, +])); + +var msg949 = msg("00528:24", part1526); + +var part1527 = // "Pattern{Constant('SSH: Admin '), Field(p0,false)}" +match("MESSAGE#938:00528:25/0", "nwparser.payload", "SSH: Admin %{p0}"); + +var part1528 = // "Pattern{Constant('at host '), Field(saddr,true), Constant(' attempted to be authenticated with no authentication methods enabled.')}" +match("MESSAGE#938:00528:25/2", "nwparser.p0", "at host %{saddr->} attempted to be authenticated with no authentication methods enabled."); + +var all336 = all_match({ + processors: [ + part1527, + dup406, + part1528, + ], + on_success: processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + ]), +}); + +var msg950 = msg("00528:25", all336); + +var select354 = linear_select([ + msg924, + msg925, + msg926, + msg927, + msg928, + msg929, + msg930, + msg931, + msg932, + msg933, + msg934, + msg935, + msg936, + msg937, + msg938, + msg939, + msg940, + msg941, + msg942, + msg943, + msg944, + msg945, + msg946, + msg947, + msg948, + msg949, + msg950, +]); + +var part1529 = // "Pattern{Constant('manually '), Field(p0,false)}" +match("MESSAGE#939:00529/1_0", "nwparser.p0", "manually %{p0}"); + +var part1530 = // "Pattern{Constant('automatically '), Field(p0,false)}" +match("MESSAGE#939:00529/1_1", "nwparser.p0", "automatically %{p0}"); + +var select355 = linear_select([ + part1529, + part1530, +]); + +var part1531 = // "Pattern{Constant('refreshed'), Field(,false)}" +match("MESSAGE#939:00529/2", "nwparser.p0", "refreshed%{}"); + +var all337 = all_match({ + processors: [ + dup63, + select355, + part1531, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg951 = msg("00529", all337); + +var part1532 = // "Pattern{Constant('DNS entries have been refreshed by '), Field(p0,false)}" +match("MESSAGE#940:00529:01/0", "nwparser.payload", "DNS entries have been refreshed by %{p0}"); + +var part1533 = // "Pattern{Constant('state change'), Field(,false)}" +match("MESSAGE#940:00529:01/1_0", "nwparser.p0", "state change%{}"); + +var part1534 = // "Pattern{Constant('HA'), Field(,false)}" +match("MESSAGE#940:00529:01/1_1", "nwparser.p0", "HA%{}"); + +var select356 = linear_select([ + part1533, + part1534, +]); + +var all338 = all_match({ + processors: [ + part1532, + select356, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg952 = msg("00529:01", all338); + +var select357 = linear_select([ + msg951, + msg952, +]); + +var part1535 = // "Pattern{Constant('An IP conflict has been detected and the DHCP client has declined address '), Field(hostip,false)}" +match("MESSAGE#941:00530", "nwparser.payload", "An IP conflict has been detected and the DHCP client has declined address %{hostip}", processor_chain([ + dup274, + dup2, + dup3, + dup4, + dup5, +])); + +var msg953 = msg("00530", part1535); + +var part1536 = // "Pattern{Constant('DHCP client IP '), Field(hostip,true), Constant(' for the '), Field(p0,false)}" +match("MESSAGE#942:00530:01/0", "nwparser.payload", "DHCP client IP %{hostip->} for the %{p0}"); + +var part1537 = // "Pattern{Field(,true), Constant(' '), Field(interface,true), Constant(' has been manually released')}" +match("MESSAGE#942:00530:01/2", "nwparser.p0", "%{} %{interface->} has been manually released"); + +var all339 = all_match({ + processors: [ + part1536, + dup339, + part1537, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg954 = msg("00530:01", all339); + +var part1538 = // "Pattern{Constant('DHCP client is unable to get an IP address for the '), Field(interface,true), Constant(' interface')}" +match("MESSAGE#943:00530:02", "nwparser.payload", "DHCP client is unable to get an IP address for the %{interface->} interface", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg955 = msg("00530:02", part1538); + +var part1539 = // "Pattern{Constant('DHCP client lease for '), Field(hostip,true), Constant(' has expired')}" +match("MESSAGE#944:00530:03", "nwparser.payload", "DHCP client lease for %{hostip->} has expired", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg956 = msg("00530:03", part1539); + +var part1540 = // "Pattern{Constant('DHCP server '), Field(hostip,true), Constant(' has assigned the untrust Interface '), Field(interface,true), Constant(' with lease '), Field(fld2,false), Constant('.')}" +match("MESSAGE#945:00530:04", "nwparser.payload", "DHCP server %{hostip->} has assigned the untrust Interface %{interface->} with lease %{fld2}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg957 = msg("00530:04", part1540); + +var part1541 = // "Pattern{Constant('DHCP server '), Field(hostip,true), Constant(' has assigned the '), Field(interface,true), Constant(' interface '), Field(fld2,true), Constant(' with lease '), Field(fld3,false)}" +match("MESSAGE#946:00530:05", "nwparser.payload", "DHCP server %{hostip->} has assigned the %{interface->} interface %{fld2->} with lease %{fld3}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg958 = msg("00530:05", part1541); + +var part1542 = // "Pattern{Constant('DHCP client is unable to get IP address for the untrust interface.'), Field(,false)}" +match("MESSAGE#947:00530:06", "nwparser.payload", "DHCP client is unable to get IP address for the untrust interface.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg959 = msg("00530:06", part1542); + +var select358 = linear_select([ + msg953, + msg954, + msg955, + msg956, + msg957, + msg958, + msg959, +]); + +var part1543 = // "Pattern{Constant('System clock configurations have been changed by admin '), Field(p0,false)}" +match("MESSAGE#948:00531/0", "nwparser.payload", "System clock configurations have been changed by admin %{p0}"); + +var all340 = all_match({ + processors: [ + part1543, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg960 = msg("00531", all340); + +var part1544 = // "Pattern{Constant('failed to get clock through NTP'), Field(,false)}" +match("MESSAGE#949:00531:01", "nwparser.payload", "failed to get clock through NTP%{}", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, +])); + +var msg961 = msg("00531:01", part1544); + +var part1545 = // "Pattern{Constant('The system clock has been updated through NTP.'), Field(,false)}" +match("MESSAGE#950:00531:02", "nwparser.payload", "The system clock has been updated through NTP.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg962 = msg("00531:02", part1545); + +var part1546 = // "Pattern{Constant('The system clock was updated from '), Field(type,true), Constant(' NTP server type '), Field(hostname,true), Constant(' with a'), Field(p0,false)}" +match("MESSAGE#951:00531:03/0", "nwparser.payload", "The system clock was updated from %{type->} NTP server type %{hostname->} with a%{p0}"); + +var part1547 = // "Pattern{Constant(' ms '), Field(p0,false)}" +match("MESSAGE#951:00531:03/1_0", "nwparser.p0", " ms %{p0}"); + +var select359 = linear_select([ + part1547, + dup115, +]); + +var part1548 = // "Pattern{Constant('adjustment of '), Field(fld3,false), Constant('. Authentication was '), Field(fld4,false), Constant('. Update mode was '), Field(p0,false)}" +match("MESSAGE#951:00531:03/2", "nwparser.p0", "adjustment of %{fld3}. Authentication was %{fld4}. Update mode was %{p0}"); + +var part1549 = // "Pattern{Field(fld5,false), Constant('('), Field(fld2,false), Constant(')')}" +match("MESSAGE#951:00531:03/3_0", "nwparser.p0", "%{fld5}(%{fld2})"); + +var part1550 = // "Pattern{Field(fld5,false)}" +match_copy("MESSAGE#951:00531:03/3_1", "nwparser.p0", "fld5"); + +var select360 = linear_select([ + part1549, + part1550, +]); + +var all341 = all_match({ + processors: [ + part1546, + select359, + part1548, + select360, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup146, + ]), +}); + +var msg963 = msg("00531:03", all341); + +var part1551 = // "Pattern{Constant('The NetScreen device is attempting to contact the '), Field(p0,false)}" +match("MESSAGE#952:00531:04/0", "nwparser.payload", "The NetScreen device is attempting to contact the %{p0}"); + +var part1552 = // "Pattern{Constant('primary backup '), Field(p0,false)}" +match("MESSAGE#952:00531:04/1_0", "nwparser.p0", "primary backup %{p0}"); + +var part1553 = // "Pattern{Constant('secondary backup '), Field(p0,false)}" +match("MESSAGE#952:00531:04/1_1", "nwparser.p0", "secondary backup %{p0}"); + +var select361 = linear_select([ + part1552, + part1553, + dup191, +]); + +var part1554 = // "Pattern{Constant('NTP server '), Field(hostname,false)}" +match("MESSAGE#952:00531:04/2", "nwparser.p0", "NTP server %{hostname}"); + +var all342 = all_match({ + processors: [ + part1551, + select361, + part1554, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg964 = msg("00531:04", all342); + +var part1555 = // "Pattern{Constant('No NTP server could be contacted. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#953:00531:05", "nwparser.payload", "No NTP server could be contacted. (%{fld1})", processor_chain([ + dup86, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg965 = msg("00531:05", part1555); + +var part1556 = // "Pattern{Constant('Network Time Protocol adjustment of '), Field(fld2,true), Constant(' from NTP server '), Field(hostname,true), Constant(' exceeds the allowed adjustment of '), Field(fld3,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#954:00531:06", "nwparser.payload", "Network Time Protocol adjustment of %{fld2->} from NTP server %{hostname->} exceeds the allowed adjustment of %{fld3}. (%{fld1})", processor_chain([ + dup86, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg966 = msg("00531:06", part1556); + +var part1557 = // "Pattern{Constant('No acceptable time could be obtained from any NTP server. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#955:00531:07", "nwparser.payload", "No acceptable time could be obtained from any NTP server. (%{fld1})", processor_chain([ + dup86, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg967 = msg("00531:07", part1557); + +var part1558 = // "Pattern{Constant('Administrator '), Field(administrator,true), Constant(' changed the '), Field(change_attribute,true), Constant(' from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' (by '), Field(fld3,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(') ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#956:00531:08", "nwparser.payload", "Administrator %{administrator->} changed the %{change_attribute->} from %{change_old->} to %{change_new->} (by %{fld3->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport}) (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg968 = msg("00531:08", part1558); + +var part1559 = // "Pattern{Constant('Network Time Protocol settings changed. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#957:00531:09", "nwparser.payload", "Network Time Protocol settings changed. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg969 = msg("00531:09", part1559); + +var part1560 = // "Pattern{Constant('NTP server is '), Field(disposition,true), Constant(' on interface '), Field(interface,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#958:00531:10", "nwparser.payload", "NTP server is %{disposition->} on interface %{interface->} (%{fld1})", processor_chain([ + dup86, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg970 = msg("00531:10", part1560); + +var part1561 = // "Pattern{Constant('The system clock will be changed from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' received from primary NTP server '), Field(hostip,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#959:00531:11", "nwparser.payload", "The system clock will be changed from %{change_old->} to %{change_new->} received from primary NTP server %{hostip->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("event_description","system clock changed based on receive from primary NTP server"), +])); + +var msg971 = msg("00531:11", part1561); + +var part1562 = // "Pattern{Field(fld35,true), Constant(' NTP server '), Field(saddr,true), Constant(' could not be contacted. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1223:00531:12", "nwparser.payload", "%{fld35->} NTP server %{saddr->} could not be contacted. (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, +])); + +var msg972 = msg("00531:12", part1562); + +var select362 = linear_select([ + msg960, + msg961, + msg962, + msg963, + msg964, + msg965, + msg966, + msg967, + msg968, + msg969, + msg970, + msg971, + msg972, +]); + +var part1563 = // "Pattern{Constant('VIP server '), Field(hostip,true), Constant(' is now responding')}" +match("MESSAGE#960:00533", "nwparser.payload", "VIP server %{hostip->} is now responding", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg973 = msg("00533", part1563); + +var part1564 = // "Pattern{Field(fld2,true), Constant(' has been cleared')}" +match("MESSAGE#961:00534", "nwparser.payload", "%{fld2->} has been cleared", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg974 = msg("00534", part1564); + +var part1565 = // "Pattern{Constant('Cannot find the CA certificate with distinguished name '), Field(fld2,false)}" +match("MESSAGE#962:00535", "nwparser.payload", "Cannot find the CA certificate with distinguished name %{fld2}", processor_chain([ + dup316, + dup2, + dup3, + dup4, + dup5, +])); + +var msg975 = msg("00535", part1565); + +var part1566 = // "Pattern{Constant('Distinguished name '), Field(dn,true), Constant(' in the X509 certificate request is '), Field(disposition,false)}" +match("MESSAGE#963:00535:01", "nwparser.payload", "Distinguished name %{dn->} in the X509 certificate request is %{disposition}", processor_chain([ + dup316, + dup2, + dup3, + dup4, + dup5, +])); + +var msg976 = msg("00535:01", part1566); + +var part1567 = // "Pattern{Constant('Local certificate with distinguished name '), Field(dn,true), Constant(' is '), Field(disposition,false)}" +match("MESSAGE#964:00535:02", "nwparser.payload", "Local certificate with distinguished name %{dn->} is %{disposition}", processor_chain([ + dup316, + dup2, + dup3, + dup4, + dup5, +])); + +var msg977 = msg("00535:02", part1567); + +var part1568 = // "Pattern{Constant('PKCS #7 data cannot be decapsulated'), Field(,false)}" +match("MESSAGE#965:00535:03", "nwparser.payload", "PKCS #7 data cannot be decapsulated%{}", processor_chain([ + dup316, + dup2, + dup3, + dup4, + dup5, +])); + +var msg978 = msg("00535:03", part1568); + +var part1569 = // "Pattern{Constant('SCEP_FAILURE message has been received from the CA'), Field(,false)}" +match("MESSAGE#966:00535:04", "nwparser.payload", "SCEP_FAILURE message has been received from the CA%{}", processor_chain([ + dup316, + dup2, + dup3, + dup4, + dup5, + setc("result","SCEP_FAILURE message"), +])); + +var msg979 = msg("00535:04", part1569); + +var part1570 = // "Pattern{Constant('PKI error message has been received: '), Field(result,false)}" +match("MESSAGE#967:00535:05", "nwparser.payload", "PKI error message has been received: %{result}", processor_chain([ + dup316, + dup2, + dup3, + dup4, + dup5, +])); + +var msg980 = msg("00535:05", part1570); + +var part1571 = // "Pattern{Constant('PKI: Saved CA configuration (CA cert subject name '), Field(dn,false), Constant('). ('), Field(event_time_string,false), Constant(')')}" +match("MESSAGE#968:00535:06", "nwparser.payload", "PKI: Saved CA configuration (CA cert subject name %{dn}). (%{event_time_string})", processor_chain([ + dup316, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Saved CA configuration - cert subject name"), +])); + +var msg981 = msg("00535:06", part1571); + +var select363 = linear_select([ + msg975, + msg976, + msg977, + msg978, + msg979, + msg980, + msg981, +]); + +var part1572 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#969:00536:49/0", "nwparser.payload", "IKE %{hostip->} %{p0}"); + +var part1573 = // "Pattern{Constant('Phase 2 msg ID '), Field(sessionid,false), Constant(': '), Field(disposition,false), Constant('. '), Field(p0,false)}" +match("MESSAGE#969:00536:49/1_0", "nwparser.p0", "Phase 2 msg ID %{sessionid}: %{disposition}. %{p0}"); + +var part1574 = // "Pattern{Constant('Phase 1: '), Field(disposition,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#969:00536:49/1_1", "nwparser.p0", "Phase 1: %{disposition->} %{p0}"); + +var part1575 = // "Pattern{Constant('phase 2:'), Field(disposition,false), Constant('. '), Field(p0,false)}" +match("MESSAGE#969:00536:49/1_2", "nwparser.p0", "phase 2:%{disposition}. %{p0}"); + +var part1576 = // "Pattern{Constant('phase 1:'), Field(disposition,false), Constant('. '), Field(p0,false)}" +match("MESSAGE#969:00536:49/1_3", "nwparser.p0", "phase 1:%{disposition}. %{p0}"); + +var select364 = linear_select([ + part1573, + part1574, + part1575, + part1576, +]); + +var all343 = all_match({ + processors: [ + part1572, + select364, + dup10, + ], + on_success: processor_chain([ + dup44, + dup2, + dup9, + dup3, + dup4, + dup5, + ]), +}); + +var msg982 = msg("00536:49", all343); + +var part1577 = // "Pattern{Constant('UDP packets have been received from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' at interface '), Field(interface,true), Constant(' at '), Field(daddr,false), Constant('/'), Field(dport,false)}" +match("MESSAGE#970:00536", "nwparser.payload", "UDP packets have been received from %{saddr}/%{sport->} at interface %{interface->} at %{daddr}/%{dport}", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup3, + dup61, +])); + +var msg983 = msg("00536", part1577); + +var part1578 = // "Pattern{Constant('Attempt to set tunnel ('), Field(fld2,false), Constant(') without IP address at both end points! Check outgoing interface.')}" +match("MESSAGE#971:00536:01", "nwparser.payload", "Attempt to set tunnel (%{fld2}) without IP address at both end points! Check outgoing interface.", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg984 = msg("00536:01", part1578); + +var part1579 = // "Pattern{Constant('Gateway '), Field(fld2,true), Constant(' at '), Field(hostip,true), Constant(' in '), Field(fld4,true), Constant(' mode with ID: '), Field(fld3,true), Constant(' has been '), Field(disposition,false), Constant('.')}" +match("MESSAGE#972:00536:02", "nwparser.payload", "Gateway %{fld2->} at %{hostip->} in %{fld4->} mode with ID: %{fld3->} has been %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg985 = msg("00536:02", part1579); + +var part1580 = // "Pattern{Constant('IKE gateway '), Field(fld2,true), Constant(' has been '), Field(disposition,false), Constant('. '), Field(info,false)}" +match("MESSAGE#973:00536:03", "nwparser.payload", "IKE gateway %{fld2->} has been %{disposition}. %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg986 = msg("00536:03", part1580); + +var part1581 = // "Pattern{Constant('VPN monitoring for VPN '), Field(group,true), Constant(' has deactivated the SA with ID '), Field(fld2,false), Constant('.')}" +match("MESSAGE#974:00536:04", "nwparser.payload", "VPN monitoring for VPN %{group->} has deactivated the SA with ID %{fld2}.", processor_chain([ + setc("eventcategory","1801010100"), + dup2, + dup3, + dup4, + dup5, +])); + +var msg987 = msg("00536:04", part1581); + +var part1582 = // "Pattern{Constant('VPN ID number cannot be assigned'), Field(,false)}" +match("MESSAGE#975:00536:05", "nwparser.payload", "VPN ID number cannot be assigned%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg988 = msg("00536:05", part1582); + +var part1583 = // "Pattern{Constant('Local gateway IP address has changed to '), Field(fld2,false), Constant('. VPNs cannot terminate at an interface with IP '), Field(hostip,false)}" +match("MESSAGE#976:00536:06", "nwparser.payload", "Local gateway IP address has changed to %{fld2}. VPNs cannot terminate at an interface with IP %{hostip}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg989 = msg("00536:06", part1583); + +var part1584 = // "Pattern{Constant('Local gateway IP address has changed from '), Field(change_old,true), Constant(' to another setting')}" +match("MESSAGE#977:00536:07", "nwparser.payload", "Local gateway IP address has changed from %{change_old->} to another setting", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg990 = msg("00536:07", part1584); + +var part1585 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Sent initial contact notification message')}" +match("MESSAGE#978:00536:08", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification message", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg991 = msg("00536:08", part1585); + +var part1586 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Sent initial contact notification')}" +match("MESSAGE#979:00536:09", "nwparser.payload", "IKE %{hostip}: Sent initial contact notification", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg992 = msg("00536:09", part1586); + +var part1587 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Responded to a packet with a bad SPI after rebooting')}" +match("MESSAGE#980:00536:10", "nwparser.payload", "IKE %{hostip}: Responded to a packet with a bad SPI after rebooting", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg993 = msg("00536:10", part1587); + +var part1588 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Removed Phase 2 SAs after receiving a notification message')}" +match("MESSAGE#981:00536:11", "nwparser.payload", "IKE %{hostip}: Removed Phase 2 SAs after receiving a notification message", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg994 = msg("00536:11", part1588); + +var part1589 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Rejected first Phase 1 packet from an unrecognized source')}" +match("MESSAGE#982:00536:12", "nwparser.payload", "IKE %{hostip}: Rejected first Phase 1 packet from an unrecognized source", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg995 = msg("00536:12", part1589); + +var part1590 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Rejected an initial Phase 1 packet from an unrecognized peer gateway')}" +match("MESSAGE#983:00536:13", "nwparser.payload", "IKE %{hostip}: Rejected an initial Phase 1 packet from an unrecognized peer gateway", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg996 = msg("00536:13", part1590); + +var part1591 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Received initial contact notification and removed Phase '), Field(p0,false)}" +match("MESSAGE#984:00536:14/0", "nwparser.payload", "IKE %{hostip}: Received initial contact notification and removed Phase %{p0}"); + +var part1592 = // "Pattern{Constant('SAs'), Field(,false)}" +match("MESSAGE#984:00536:14/2", "nwparser.p0", "SAs%{}"); + +var all344 = all_match({ + processors: [ + part1591, + dup386, + part1592, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg997 = msg("00536:14", all344); + +var part1593 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Received a notification message for '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#985:00536:50", "nwparser.payload", "IKE %{hostip}: Received a notification message for %{disposition}. (%{fld1})", processor_chain([ + dup44, + dup2, + dup9, + dup3, + dup4, + dup5, +])); + +var msg998 = msg("00536:50", part1593); + +var part1594 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Received incorrect ID payload: IP address '), Field(fld2,true), Constant(' instead of IP address '), Field(fld3,false)}" +match("MESSAGE#986:00536:15", "nwparser.payload", "IKE %{hostip}: Received incorrect ID payload: IP address %{fld2->} instead of IP address %{fld3}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg999 = msg("00536:15", part1594); + +var part1595 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Phase 2 negotiation request is already in the task list')}" +match("MESSAGE#987:00536:16", "nwparser.payload", "IKE %{hostip}: Phase 2 negotiation request is already in the task list", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1000 = msg("00536:16", part1595); + +var part1596 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Heartbeats have been lost '), Field(fld2,true), Constant(' times')}" +match("MESSAGE#988:00536:17", "nwparser.payload", "IKE %{hostip}: Heartbeats have been lost %{fld2->} times", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1001 = msg("00536:17", part1596); + +var part1597 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Dropped peer packet because no policy uses the peer configuration')}" +match("MESSAGE#989:00536:18", "nwparser.payload", "IKE %{hostip}: Dropped peer packet because no policy uses the peer configuration", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1002 = msg("00536:18", part1597); + +var part1598 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Dropped packet because remote gateway OK is not used in any VPN tunnel configurations')}" +match("MESSAGE#990:00536:19", "nwparser.payload", "IKE %{hostip}: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1003 = msg("00536:19", part1598); + +var part1599 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Added the initial contact task to the task list')}" +match("MESSAGE#991:00536:20", "nwparser.payload", "IKE %{hostip}: Added the initial contact task to the task list", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1004 = msg("00536:20", part1599); + +var part1600 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Added Phase 2 session tasks to the task list')}" +match("MESSAGE#992:00536:21", "nwparser.payload", "IKE %{hostip}: Added Phase 2 session tasks to the task list", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1005 = msg("00536:21", part1600); + +var part1601 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1 : '), Field(disposition,true), Constant(' proposals from peer. Negotiations failed')}" +match("MESSAGE#993:00536:22", "nwparser.payload", "IKE %{hostip->} Phase 1 : %{disposition->} proposals from peer. Negotiations failed", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + setc("result","Negotiations failed"), +])); + +var msg1006 = msg("00536:22", part1601); + +var part1602 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1 : Aborted negotiations because the time limit has elapsed')}" +match("MESSAGE#994:00536:23", "nwparser.payload", "IKE %{hostip->} Phase 1 : Aborted negotiations because the time limit has elapsed", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + setc("result","The time limit has elapsed"), + setc("disposition","Aborted"), +])); + +var msg1007 = msg("00536:23", part1602); + +var part1603 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled')}" +match("MESSAGE#995:00536:24", "nwparser.payload", "IKE %{hostip->} Phase 2: Received a message but did not check a policy because id-mode is set to IP or policy-checking is disabled", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1008 = msg("00536:24", part1603); + +var part1604 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 2: Received DH group '), Field(fld2,true), Constant(' instead of expected group '), Field(fld3,true), Constant(' for PFS')}" +match("MESSAGE#996:00536:25", "nwparser.payload", "IKE %{hostip->} Phase 2: Received DH group %{fld2->} instead of expected group %{fld3->} for PFS", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1009 = msg("00536:25", part1604); + +var part1605 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 2: No policy exists for the proxy ID received: local ID '), Field(fld2,true), Constant(' remote ID '), Field(fld3,false)}" +match("MESSAGE#997:00536:26", "nwparser.payload", "IKE %{hostip->} Phase 2: No policy exists for the proxy ID received: local ID %{fld2->} remote ID %{fld3}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1010 = msg("00536:26", part1605); + +var part1606 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: RSA private key is needed to sign packets')}" +match("MESSAGE#998:00536:27", "nwparser.payload", "IKE %{hostip->} Phase 1: RSA private key is needed to sign packets", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1011 = msg("00536:27", part1606); + +var part1607 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Aggressive mode negotiations have '), Field(disposition,false)}" +match("MESSAGE#999:00536:28", "nwparser.payload", "IKE %{hostip->} Phase 1: Aggressive mode negotiations have %{disposition}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1012 = msg("00536:28", part1607); + +var part1608 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Vendor ID payload indicates that the peer does not support NAT-T')}" +match("MESSAGE#1000:00536:29", "nwparser.payload", "IKE %{hostip->} Phase 1: Vendor ID payload indicates that the peer does not support NAT-T", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1013 = msg("00536:29", part1608); + +var part1609 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Retransmission limit has been reached')}" +match("MESSAGE#1001:00536:30", "nwparser.payload", "IKE %{hostip->} Phase 1: Retransmission limit has been reached", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1014 = msg("00536:30", part1609); + +var part1610 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Received an invalid RSA signature')}" +match("MESSAGE#1002:00536:31", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an invalid RSA signature", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1015 = msg("00536:31", part1610); + +var part1611 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Received an incorrect public key authentication method')}" +match("MESSAGE#1003:00536:32", "nwparser.payload", "IKE %{hostip->} Phase 1: Received an incorrect public key authentication method", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1016 = msg("00536:32", part1611); + +var part1612 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: No private key exists to sign packets')}" +match("MESSAGE#1004:00536:33", "nwparser.payload", "IKE %{hostip->} Phase 1: No private key exists to sign packets", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1017 = msg("00536:33", part1612); + +var part1613 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID')}" +match("MESSAGE#1005:00536:34", "nwparser.payload", "IKE %{hostip->} Phase 1: Main mode packet has arrived with ID type IP address but no user configuration was found for that ID", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1018 = msg("00536:34", part1613); + +var part1614 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: IKE initiator has detected NAT in front of the local device')}" +match("MESSAGE#1006:00536:35", "nwparser.payload", "IKE %{hostip->} Phase 1: IKE initiator has detected NAT in front of the local device", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1019 = msg("00536:35", part1614); + +var part1615 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Discarded a second initial packet'), Field(p0,false)}" +match("MESSAGE#1007:00536:36/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Discarded a second initial packet%{p0}"); + +var part1616 = // "Pattern{Field(,false), Constant('which arrived within '), Field(fld2,true), Constant(' after the first')}" +match("MESSAGE#1007:00536:36/2", "nwparser.p0", "%{}which arrived within %{fld2->} after the first"); + +var all345 = all_match({ + processors: [ + part1615, + dup404, + part1616, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1020 = msg("00536:36", all345); + +var part1617 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Completed Aggressive mode negotiations with a '), Field(fld2,true), Constant(' lifetime')}" +match("MESSAGE#1008:00536:37", "nwparser.payload", "IKE %{hostip->} Phase 1: Completed Aggressive mode negotiations with a %{fld2->} lifetime", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1021 = msg("00536:37", part1617); + +var part1618 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Certificate received has a subject name that does not match the ID payload')}" +match("MESSAGE#1009:00536:38", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a subject name that does not match the ID payload", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1022 = msg("00536:38", part1618); + +var part1619 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Certificate received has a different IP address '), Field(fld2,true), Constant(' than expected')}" +match("MESSAGE#1010:00536:39", "nwparser.payload", "IKE %{hostip->} Phase 1: Certificate received has a different IP address %{fld2->} than expected", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1023 = msg("00536:39", part1619); + +var part1620 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Cannot use a preshared key because the peer'), Field(p0,false)}" +match("MESSAGE#1011:00536:40/0", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot use a preshared key because the peer%{p0}"); + +var part1621 = // "Pattern{Constant('s gateway has a dynamic IP address and negotiations are in Main mode'), Field(,false)}" +match("MESSAGE#1011:00536:40/2", "nwparser.p0", "s gateway has a dynamic IP address and negotiations are in Main mode%{}"); + +var all346 = all_match({ + processors: [ + part1620, + dup363, + part1621, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1024 = msg("00536:40", all346); + +var part1622 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Initiated negotiations in Aggressive mode')}" +match("MESSAGE#1012:00536:47", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated negotiations in Aggressive mode", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1025 = msg("00536:47", part1622); + +var part1623 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Cannot verify RSA signature')}" +match("MESSAGE#1013:00536:41", "nwparser.payload", "IKE %{hostip->} Phase 1: Cannot verify RSA signature", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1026 = msg("00536:41", part1623); + +var part1624 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 1: Initiated Main mode negotiations')}" +match("MESSAGE#1014:00536:42", "nwparser.payload", "IKE %{hostip->} Phase 1: Initiated Main mode negotiations", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1027 = msg("00536:42", part1624); + +var part1625 = // "Pattern{Constant('IKE '), Field(hostip,true), Constant(' Phase 2: Initiated negotiations')}" +match("MESSAGE#1015:00536:43", "nwparser.payload", "IKE %{hostip->} Phase 2: Initiated negotiations", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1028 = msg("00536:43", part1625); + +var part1626 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Changed heartbeat interval to '), Field(fld2,false)}" +match("MESSAGE#1016:00536:44", "nwparser.payload", "IKE %{hostip}: Changed heartbeat interval to %{fld2}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1029 = msg("00536:44", part1626); + +var part1627 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Heartbeats have been '), Field(disposition,true), Constant(' because '), Field(result,false)}" +match("MESSAGE#1017:00536:45", "nwparser.payload", "IKE %{hostip}: Heartbeats have been %{disposition->} because %{result}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1030 = msg("00536:45", part1627); + +var part1628 = // "Pattern{Constant('Received an IKE packet on '), Field(interface,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('/'), Field(fld1,false), Constant('. Cookies: '), Field(ike_cookie1,false), Constant(', '), Field(ike_cookie2,false), Constant('. ('), Field(event_time_string,false), Constant(')')}" +match("MESSAGE#1018:00536:48", "nwparser.payload", "Received an IKE packet on %{interface->} from %{saddr}:%{sport->} to %{daddr}:%{dport}/%{fld1}. Cookies: %{ike_cookie1}, %{ike_cookie2}. (%{event_time_string})", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Received an IKE packet on interface"), +])); + +var msg1031 = msg("00536:48", part1628); + +var part1629 = // "Pattern{Constant('IKE '), Field(hostip,false), Constant(': Received a bad SPI')}" +match("MESSAGE#1019:00536:46", "nwparser.payload", "IKE %{hostip}: Received a bad SPI", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1032 = msg("00536:46", part1629); + +var select365 = linear_select([ + msg982, + msg983, + msg984, + msg985, + msg986, + msg987, + msg988, + msg989, + msg990, + msg991, + msg992, + msg993, + msg994, + msg995, + msg996, + msg997, + msg998, + msg999, + msg1000, + msg1001, + msg1002, + msg1003, + msg1004, + msg1005, + msg1006, + msg1007, + msg1008, + msg1009, + msg1010, + msg1011, + msg1012, + msg1013, + msg1014, + msg1015, + msg1016, + msg1017, + msg1018, + msg1019, + msg1020, + msg1021, + msg1022, + msg1023, + msg1024, + msg1025, + msg1026, + msg1027, + msg1028, + msg1029, + msg1030, + msg1031, + msg1032, +]); + +var part1630 = // "Pattern{Constant('PPPoE '), Field(disposition,true), Constant(' to establish a session: '), Field(info,false)}" +match("MESSAGE#1020:00537", "nwparser.payload", "PPPoE %{disposition->} to establish a session: %{info}", processor_chain([ + dup18, + dup2, + dup4, + dup5, + dup3, +])); + +var msg1033 = msg("00537", part1630); + +var part1631 = // "Pattern{Constant('PPPoE session shuts down: '), Field(result,false)}" +match("MESSAGE#1021:00537:01", "nwparser.payload", "PPPoE session shuts down: %{result}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1034 = msg("00537:01", part1631); + +var part1632 = // "Pattern{Constant('The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: '), Field(result,false)}" +match("MESSAGE#1022:00537:02", "nwparser.payload", "The Point-to-Point over Ethernet (PPPoE) connection failed to establish a session: %{result}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1035 = msg("00537:02", part1632); + +var part1633 = // "Pattern{Constant('PPPoE session has successfully established'), Field(,false)}" +match("MESSAGE#1023:00537:03", "nwparser.payload", "PPPoE session has successfully established%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1036 = msg("00537:03", part1633); + +var select366 = linear_select([ + msg1033, + msg1034, + msg1035, + msg1036, +]); + +var part1634 = // "Pattern{Constant('NACN failed to register to Policy Manager '), Field(fld2,true), Constant(' because '), Field(p0,false)}" +match("MESSAGE#1024:00538/0", "nwparser.payload", "NACN failed to register to Policy Manager %{fld2->} because %{p0}"); + +var select367 = linear_select([ + dup111, + dup119, +]); + +var part1635 = // "Pattern{Constant(''), Field(result,false)}" +match("MESSAGE#1024:00538/2", "nwparser.p0", "%{result}"); + +var all347 = all_match({ + processors: [ + part1634, + select367, + part1635, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1037 = msg("00538", all347); + +var part1636 = // "Pattern{Constant('NACN successfully registered to Policy Manager '), Field(fld2,false), Constant('.')}" +match("MESSAGE#1025:00538:01", "nwparser.payload", "NACN successfully registered to Policy Manager %{fld2}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1038 = msg("00538:01", part1636); + +var part1637 = // "Pattern{Constant('The NACN protocol has started for Policy Manager '), Field(fld2,true), Constant(' on hostname '), Field(hostname,true), Constant(' IP address '), Field(hostip,true), Constant(' port '), Field(network_port,false), Constant('.')}" +match("MESSAGE#1026:00538:02", "nwparser.payload", "The NACN protocol has started for Policy Manager %{fld2->} on hostname %{hostname->} IP address %{hostip->} port %{network_port}.", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1039 = msg("00538:02", part1637); + +var part1638 = // "Pattern{Constant('Cannot connect to NSM Server at '), Field(hostip,true), Constant(' ('), Field(fld2,true), Constant(' connect attempt(s)) '), Field(fld3,false)}" +match("MESSAGE#1027:00538:03", "nwparser.payload", "Cannot connect to NSM Server at %{hostip->} (%{fld2->} connect attempt(s)) %{fld3}", processor_chain([ + dup19, + dup2, + dup4, + dup5, + dup3, +])); + +var msg1040 = msg("00538:03", part1638); + +var part1639 = // "Pattern{Constant('Device is not known to Global PRO data collector at '), Field(hostip,false)}" +match("MESSAGE#1028:00538:04", "nwparser.payload", "Device is not known to Global PRO data collector at %{hostip}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1041 = msg("00538:04", part1639); + +var part1640 = // "Pattern{Constant('Lost '), Field(p0,false)}" +match("MESSAGE#1029:00538:05/0", "nwparser.payload", "Lost %{p0}"); + +var part1641 = // "Pattern{Constant('socket connection'), Field(p0,false)}" +match("MESSAGE#1029:00538:05/1_0", "nwparser.p0", "socket connection%{p0}"); + +var part1642 = // "Pattern{Constant('connection'), Field(p0,false)}" +match("MESSAGE#1029:00538:05/1_1", "nwparser.p0", "connection%{p0}"); + +var select368 = linear_select([ + part1641, + part1642, +]); + +var part1643 = // "Pattern{Field(,false), Constant('to Global PRO data collector at '), Field(hostip,false)}" +match("MESSAGE#1029:00538:05/2", "nwparser.p0", "%{}to Global PRO data collector at %{hostip}"); + +var all348 = all_match({ + processors: [ + part1640, + select368, + part1643, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1042 = msg("00538:05", all348); + +var part1644 = // "Pattern{Constant('Device has connected to the Global PRO'), Field(p0,false)}" +match("MESSAGE#1030:00538:06/0", "nwparser.payload", "Device has connected to the Global PRO%{p0}"); + +var part1645 = // "Pattern{Constant(' '), Field(fld2,true), Constant(' primary data collector at '), Field(p0,false)}" +match("MESSAGE#1030:00538:06/1_0", "nwparser.p0", " %{fld2->} primary data collector at %{p0}"); + +var part1646 = // "Pattern{Constant(' primary data collector at '), Field(p0,false)}" +match("MESSAGE#1030:00538:06/1_1", "nwparser.p0", " primary data collector at %{p0}"); + +var select369 = linear_select([ + part1645, + part1646, +]); + +var part1647 = // "Pattern{Field(hostip,false)}" +match_copy("MESSAGE#1030:00538:06/2", "nwparser.p0", "hostip"); + +var all349 = all_match({ + processors: [ + part1644, + select369, + part1647, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1043 = msg("00538:06", all349); + +var part1648 = // "Pattern{Constant('Connection to Global PRO data collector at '), Field(hostip,true), Constant(' has'), Field(p0,false)}" +match("MESSAGE#1031:00538:07/0", "nwparser.payload", "Connection to Global PRO data collector at %{hostip->} has%{p0}"); + +var part1649 = // "Pattern{Constant(' been'), Field(p0,false)}" +match("MESSAGE#1031:00538:07/1_0", "nwparser.p0", " been%{p0}"); + +var select370 = linear_select([ + part1649, + dup16, +]); + +var all350 = all_match({ + processors: [ + part1648, + select370, + dup136, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1044 = msg("00538:07", all350); + +var part1650 = // "Pattern{Constant('Cannot connect to Global PRO data collector at '), Field(hostip,false)}" +match("MESSAGE#1032:00538:08", "nwparser.payload", "Cannot connect to Global PRO data collector at %{hostip}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1045 = msg("00538:08", part1650); + +var part1651 = // "Pattern{Constant('NSM: Connected to NSM server at '), Field(hostip,true), Constant(' ('), Field(info,false), Constant(') ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1033:00538:09", "nwparser.payload", "NSM: Connected to NSM server at %{hostip->} (%{info}) (%{fld1})", processor_chain([ + dup303, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("event_description","Connected to NSM server"), +])); + +var msg1046 = msg("00538:09", part1651); + +var part1652 = // "Pattern{Constant('NSM: Connection to NSM server at '), Field(hostip,true), Constant(' is down. Reason: '), Field(resultcode,false), Constant(', '), Field(result,true), Constant(' ('), Field(p0,false)}" +match("MESSAGE#1034:00538:10/0", "nwparser.payload", "NSM: Connection to NSM server at %{hostip->} is down. Reason: %{resultcode}, %{result->} (%{p0}"); + +var part1653 = // "Pattern{Field(info,false), Constant(') ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1034:00538:10/1_0", "nwparser.p0", "%{info}) (%{fld1})"); + +var select371 = linear_select([ + part1653, + dup41, +]); + +var all351 = all_match({ + processors: [ + part1652, + select371, + ], + on_success: processor_chain([ + dup200, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("event_description","Connection to NSM server is down"), + ]), +}); + +var msg1047 = msg("00538:10", all351); + +var part1654 = // "Pattern{Constant('NSM: Cannot connect to NSM server at '), Field(hostip,false), Constant('. Reason: '), Field(resultcode,false), Constant(', '), Field(result,true), Constant(' ('), Field(info,false), Constant(') ('), Field(fld2,true), Constant(' connect attempt(s)) ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1035:00538:11", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld2->} connect attempt(s)) (%{fld1})", processor_chain([ + dup200, + dup2, + dup3, + dup9, + dup4, + dup5, + dup325, +])); + +var msg1048 = msg("00538:11", part1654); + +var part1655 = // "Pattern{Constant('NSM: Cannot connect to NSM server at '), Field(hostip,false), Constant('. Reason: '), Field(resultcode,false), Constant(', '), Field(result,true), Constant(' ('), Field(info,false), Constant(') ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1036:00538:12", "nwparser.payload", "NSM: Cannot connect to NSM server at %{hostip}. Reason: %{resultcode}, %{result->} (%{info}) (%{fld1})", processor_chain([ + dup200, + dup2, + dup3, + dup9, + dup4, + dup5, + dup325, +])); + +var msg1049 = msg("00538:12", part1655); + +var part1656 = // "Pattern{Constant('NSM: Sent 2B message ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1037:00538:13", "nwparser.payload", "NSM: Sent 2B message (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, + setc("event_description","Sent 2B message"), +])); + +var msg1050 = msg("00538:13", part1656); + +var select372 = linear_select([ + msg1037, + msg1038, + msg1039, + msg1040, + msg1041, + msg1042, + msg1043, + msg1044, + msg1045, + msg1046, + msg1047, + msg1048, + msg1049, + msg1050, +]); + +var part1657 = // "Pattern{Constant('No IP address in L2TP IP pool for user '), Field(username,false)}" +match("MESSAGE#1038:00539", "nwparser.payload", "No IP address in L2TP IP pool for user %{username}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1051 = msg("00539", part1657); + +var part1658 = // "Pattern{Constant('No L2TP IP pool for user '), Field(username,false)}" +match("MESSAGE#1039:00539:01", "nwparser.payload", "No L2TP IP pool for user %{username}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1052 = msg("00539:01", part1658); + +var part1659 = // "Pattern{Constant('Cannot allocate IP addr from Pool '), Field(group_object,true), Constant(' for user '), Field(username,false)}" +match("MESSAGE#1040:00539:02", "nwparser.payload", "Cannot allocate IP addr from Pool %{group_object->} for user %{username}", processor_chain([ + dup117, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1053 = msg("00539:02", part1659); + +var part1660 = // "Pattern{Constant('Dialup HDLC PPP failed to establish a session: '), Field(fld2,false), Constant('.')}" +match("MESSAGE#1041:00539:03", "nwparser.payload", "Dialup HDLC PPP failed to establish a session: %{fld2}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1054 = msg("00539:03", part1660); + +var part1661 = // "Pattern{Constant('Dialup HDLC PPP session has successfully established.'), Field(,false)}" +match("MESSAGE#1042:00539:04", "nwparser.payload", "Dialup HDLC PPP session has successfully established.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1055 = msg("00539:04", part1661); + +var part1662 = // "Pattern{Constant('No IP Pool has been assigned. You cannot allocate an IP address'), Field(,false)}" +match("MESSAGE#1043:00539:05", "nwparser.payload", "No IP Pool has been assigned. You cannot allocate an IP address%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1056 = msg("00539:05", part1662); + +var part1663 = // "Pattern{Constant('PPP settings changed.'), Field(,false)}" +match("MESSAGE#1044:00539:06", "nwparser.payload", "PPP settings changed.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1057 = msg("00539:06", part1663); + +var select373 = linear_select([ + msg1051, + msg1052, + msg1053, + msg1054, + msg1055, + msg1056, + msg1057, +]); + +var part1664 = // "Pattern{Constant('ScreenOS '), Field(fld2,true), Constant(' serial # '), Field(serial_number,false), Constant(': Asset recovery has been '), Field(disposition,false)}" +match("MESSAGE#1045:00541", "nwparser.payload", "ScreenOS %{fld2->} serial # %{serial_number}: Asset recovery has been %{disposition}", processor_chain([ + dup326, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1058 = msg("00541", part1664); + +var part1665 = // "Pattern{Constant('Neighbor router ID - '), Field(fld2,true), Constant(' IP address - '), Field(hostip,true), Constant(' changed its state to '), Field(change_new,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1216:00541:01", "nwparser.payload", "Neighbor router ID - %{fld2->} IP address - %{hostip->} changed its state to %{change_new}. (%{fld1})", processor_chain([ + dup275, + dup9, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1059 = msg("00541:01", part1665); + +var part1666 = // "Pattern{Constant('The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from '), Field(change_old,true), Constant(' to '), Field(change_new,true), Constant(' state, (neighbor router-id 1'), Field(fld2,false), Constant(', ip-address '), Field(hostip,false), Constant('). ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1218:00541:02", "nwparser.payload", "The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from %{change_old->} to %{change_new->} state, (neighbor router-id 1%{fld2}, ip-address %{hostip}). (%{fld1})", processor_chain([ + dup275, + dup9, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1060 = msg("00541:02", part1666); + +var part1667 = // "Pattern{Constant('LSA in following area aged out: LSA area ID '), Field(fld3,false), Constant(', LSA ID '), Field(fld4,false), Constant(', router ID '), Field(fld2,false), Constant(', type '), Field(fld7,true), Constant(' in OSPF. ('), Field(fld1,false), Constant(')'), Field(p0,false)}" +match("MESSAGE#1219:00541:03/0", "nwparser.payload", "LSA in following area aged out: LSA area ID %{fld3}, LSA ID %{fld4}, router ID %{fld2}, type %{fld7->} in OSPF. (%{fld1})%{p0}"); + +var part1668 = // "Pattern{Constant('<<'), Field(fld16,false), Constant('>')}" +match("MESSAGE#1219:00541:03/1_0", "nwparser.p0", "\u003c\u003c%{fld16}>"); + +var select374 = linear_select([ + part1668, + dup21, +]); + +var all352 = all_match({ + processors: [ + part1667, + select374, + ], + on_success: processor_chain([ + dup44, + dup9, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1061 = msg("00541:03", all352); + +var select375 = linear_select([ + msg1058, + msg1059, + msg1060, + msg1061, +]); + +var part1669 = // "Pattern{Constant('BGP of vr: '), Field(node,false), Constant(', prefix adding: '), Field(fld2,false), Constant(', ribin overflow '), Field(fld3,true), Constant(' times (max rib-in '), Field(fld4,false), Constant(')')}" +match("MESSAGE#1046:00542", "nwparser.payload", "BGP of vr: %{node}, prefix adding: %{fld2}, ribin overflow %{fld3->} times (max rib-in %{fld4})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1062 = msg("00542", part1669); + +var part1670 = // "Pattern{Constant('Access for '), Field(p0,false)}" +match("MESSAGE#1047:00543/0", "nwparser.payload", "Access for %{p0}"); + +var part1671 = // "Pattern{Constant('WebAuth firewall '), Field(p0,false)}" +match("MESSAGE#1047:00543/1_0", "nwparser.p0", "WebAuth firewall %{p0}"); + +var part1672 = // "Pattern{Constant('firewall '), Field(p0,false)}" +match("MESSAGE#1047:00543/1_1", "nwparser.p0", "firewall %{p0}"); + +var select376 = linear_select([ + part1671, + part1672, +]); + +var part1673 = // "Pattern{Constant('user '), Field(username,true), Constant(' '), Field(space,false), Constant('at '), Field(hostip,true), Constant(' (accepted at '), Field(fld2,true), Constant(' for duration '), Field(duration,true), Constant(' via the '), Field(logon_type,false), Constant(') '), Field(p0,false)}" +match("MESSAGE#1047:00543/2", "nwparser.p0", "user %{username->} %{space}at %{hostip->} (accepted at %{fld2->} for duration %{duration->} via the %{logon_type}) %{p0}"); + +var part1674 = // "Pattern{Constant('by policy id '), Field(policy_id,true), Constant(' is '), Field(p0,false)}" +match("MESSAGE#1047:00543/3_0", "nwparser.p0", "by policy id %{policy_id->} is %{p0}"); + +var select377 = linear_select([ + part1674, + dup106, +]); + +var part1675 = // "Pattern{Constant('now over ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1047:00543/4", "nwparser.p0", "now over (%{fld1})"); + +var all353 = all_match({ + processors: [ + part1670, + select376, + part1673, + select377, + part1675, + ], + on_success: processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup9, + dup3, + ]), +}); + +var msg1063 = msg("00543", all353); + +var part1676 = // "Pattern{Constant('User '), Field(username,true), Constant(' [ of group '), Field(group,true), Constant(' ] at '), Field(hostip,true), Constant(' has been challenged by the RADIUS server at '), Field(daddr,false)}" +match("MESSAGE#1048:00544", "nwparser.payload", "User %{username->} [ of group %{group->} ] at %{hostip->} has been challenged by the RADIUS server at %{daddr}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup3, + dup60, + setc("action","RADIUS server challenge"), +])); + +var msg1064 = msg("00544", part1676); + +var part1677 = // "Pattern{Constant('delete-route-> trust-vr: '), Field(fld2,false)}" +match("MESSAGE#1049:00546", "nwparser.payload", "delete-route-> trust-vr: %{fld2}", processor_chain([ + dup283, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1065 = msg("00546", part1677); + +var part1678 = // "Pattern{Constant('AV: Content from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('->'), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' was not scanned because max content size was exceeded.')}" +match("MESSAGE#1050:00547", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned because max content size was exceeded.", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup3, + dup61, +])); + +var msg1066 = msg("00547", part1678); + +var part1679 = // "Pattern{Constant('AV: Content from '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('->'), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' was not scanned due to a scan engine error or constraint.')}" +match("MESSAGE#1051:00547:01", "nwparser.payload", "AV: Content from %{saddr}:%{sport}->%{daddr}:%{dport->} was not scanned due to a scan engine error or constraint.", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup3, + dup61, +])); + +var msg1067 = msg("00547:01", part1679); + +var part1680 = // "Pattern{Constant('AV object scan-mgr data has been '), Field(disposition,false), Constant('.')}" +match("MESSAGE#1052:00547:02", "nwparser.payload", "AV object scan-mgr data has been %{disposition}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1068 = msg("00547:02", part1680); + +var part1681 = // "Pattern{Constant('AV: Content from '), Field(location_desc,false), Constant(', http url: '), Field(url,false), Constant(', is passed '), Field(p0,false)}" +match("MESSAGE#1053:00547:03/0", "nwparser.payload", "AV: Content from %{location_desc}, http url: %{url}, is passed %{p0}"); + +var part1682 = // "Pattern{Constant('due to '), Field(p0,false)}" +match("MESSAGE#1053:00547:03/1_0", "nwparser.p0", "due to %{p0}"); + +var part1683 = // "Pattern{Constant('because '), Field(p0,false)}" +match("MESSAGE#1053:00547:03/1_1", "nwparser.p0", "because %{p0}"); + +var select378 = linear_select([ + part1682, + part1683, +]); + +var part1684 = // "Pattern{Constant(''), Field(result,false), Constant('. ('), Field(event_time_string,false), Constant(')')}" +match("MESSAGE#1053:00547:03/2", "nwparser.p0", "%{result}. (%{event_time_string})"); + +var all354 = all_match({ + processors: [ + part1681, + select378, + part1684, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + setc("event_description","Content is bypassed for connection"), + ]), +}); + +var msg1069 = msg("00547:03", all354); + +var select379 = linear_select([ + msg1066, + msg1067, + msg1068, + msg1069, +]); + +var part1685 = // "Pattern{Constant('add-route-> untrust-vr: '), Field(fld2,false)}" +match("MESSAGE#1054:00549", "nwparser.payload", "add-route-> untrust-vr: %{fld2}", processor_chain([ + dup283, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1070 = msg("00549", part1685); + +var part1686 = // "Pattern{Constant('Error '), Field(resultcode,true), Constant(' occurred during configlet file processing.')}" +match("MESSAGE#1055:00551", "nwparser.payload", "Error %{resultcode->} occurred during configlet file processing.", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1071 = msg("00551", part1686); + +var part1687 = // "Pattern{Constant('Error '), Field(resultcode,true), Constant(' occurred, causing failure to establish secure management with Management System.')}" +match("MESSAGE#1056:00551:01", "nwparser.payload", "Error %{resultcode->} occurred, causing failure to establish secure management with Management System.", processor_chain([ + dup86, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1072 = msg("00551:01", part1687); + +var part1688 = // "Pattern{Constant('Configlet file '), Field(p0,false)}" +match("MESSAGE#1057:00551:02/0", "nwparser.payload", "Configlet file %{p0}"); + +var part1689 = // "Pattern{Constant('decryption '), Field(p0,false)}" +match("MESSAGE#1057:00551:02/1_0", "nwparser.p0", "decryption %{p0}"); + +var select380 = linear_select([ + part1689, + dup89, +]); + +var all355 = all_match({ + processors: [ + part1688, + select380, + dup128, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1073 = msg("00551:02", all355); + +var part1690 = // "Pattern{Constant('Rapid Deployment cannot start because gateway has undergone configuration changes. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1058:00551:03", "nwparser.payload", "Rapid Deployment cannot start because gateway has undergone configuration changes. (%{fld1})", processor_chain([ + dup18, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1074 = msg("00551:03", part1690); + +var part1691 = // "Pattern{Constant('Secure management established successfully with remote server. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1059:00551:04", "nwparser.payload", "Secure management established successfully with remote server. (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1075 = msg("00551:04", part1691); + +var select381 = linear_select([ + msg1071, + msg1072, + msg1073, + msg1074, + msg1075, +]); + +var part1692 = // "Pattern{Constant('SCAN-MGR: Failed to get '), Field(p0,false)}" +match("MESSAGE#1060:00553/0", "nwparser.payload", "SCAN-MGR: Failed to get %{p0}"); + +var part1693 = // "Pattern{Constant('AltServer '), Field(p0,false)}" +match("MESSAGE#1060:00553/1_0", "nwparser.p0", "AltServer %{p0}"); + +var part1694 = // "Pattern{Constant('Version '), Field(p0,false)}" +match("MESSAGE#1060:00553/1_1", "nwparser.p0", "Version %{p0}"); + +var part1695 = // "Pattern{Constant('Path_GateLockCE '), Field(p0,false)}" +match("MESSAGE#1060:00553/1_2", "nwparser.p0", "Path_GateLockCE %{p0}"); + +var select382 = linear_select([ + part1693, + part1694, + part1695, +]); + +var all356 = all_match({ + processors: [ + part1692, + select382, + dup327, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1076 = msg("00553", all356); + +var part1696 = // "Pattern{Constant('SCAN-MGR: Zero pattern size from server.ini.'), Field(,false)}" +match("MESSAGE#1061:00553:01", "nwparser.payload", "SCAN-MGR: Zero pattern size from server.ini.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1077 = msg("00553:01", part1696); + +var part1697 = // "Pattern{Constant('SCAN-MGR: Pattern size from server.ini is too large: '), Field(bytes,true), Constant(' (bytes).')}" +match("MESSAGE#1062:00553:02", "nwparser.payload", "SCAN-MGR: Pattern size from server.ini is too large: %{bytes->} (bytes).", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1078 = msg("00553:02", part1697); + +var part1698 = // "Pattern{Constant('SCAN-MGR: Pattern URL from server.ini is too long: '), Field(fld2,false), Constant('; max is '), Field(fld3,false), Constant('.')}" +match("MESSAGE#1063:00553:03", "nwparser.payload", "SCAN-MGR: Pattern URL from server.ini is too long: %{fld2}; max is %{fld3}.", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1079 = msg("00553:03", part1698); + +var part1699 = // "Pattern{Constant('SCAN-MGR: Failed to retrieve '), Field(p0,false)}" +match("MESSAGE#1064:00553:04/0", "nwparser.payload", "SCAN-MGR: Failed to retrieve %{p0}"); + +var select383 = linear_select([ + dup328, + dup329, +]); + +var part1700 = // "Pattern{Constant('file: '), Field(fld2,false), Constant('; http status code: '), Field(resultcode,false), Constant('.')}" +match("MESSAGE#1064:00553:04/2", "nwparser.p0", "file: %{fld2}; http status code: %{resultcode}."); + +var all357 = all_match({ + processors: [ + part1699, + select383, + part1700, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1080 = msg("00553:04", all357); + +var part1701 = // "Pattern{Constant('SCAN-MGR: Failed to write pattern into a RAM file.'), Field(,false)}" +match("MESSAGE#1065:00553:05", "nwparser.payload", "SCAN-MGR: Failed to write pattern into a RAM file.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1081 = msg("00553:05", part1701); + +var part1702 = // "Pattern{Constant('SCAN-MGR: Check Pattern File failed: code from VSAPI: '), Field(resultcode,false)}" +match("MESSAGE#1066:00553:06", "nwparser.payload", "SCAN-MGR: Check Pattern File failed: code from VSAPI: %{resultcode}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1082 = msg("00553:06", part1702); + +var part1703 = // "Pattern{Constant('SCAN-MGR: Failed to write pattern into flash.'), Field(,false)}" +match("MESSAGE#1067:00553:07", "nwparser.payload", "SCAN-MGR: Failed to write pattern into flash.%{}", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1083 = msg("00553:07", part1703); + +var part1704 = // "Pattern{Constant('SCAN-MGR: Internal error while setting up for retrieving '), Field(p0,false)}" +match("MESSAGE#1068:00553:08/0", "nwparser.payload", "SCAN-MGR: Internal error while setting up for retrieving %{p0}"); + +var select384 = linear_select([ + dup329, + dup328, +]); + +var all358 = all_match({ + processors: [ + part1704, + select384, + dup330, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1084 = msg("00553:08", all358); + +var part1705 = // "Pattern{Constant('SCAN-MGR: '), Field(fld2,true), Constant(' '), Field(disposition,false), Constant(': Err: '), Field(resultcode,false), Constant('.')}" +match("MESSAGE#1069:00553:09", "nwparser.payload", "SCAN-MGR: %{fld2->} %{disposition}: Err: %{resultcode}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1085 = msg("00553:09", part1705); + +var part1706 = // "Pattern{Constant('SCAN-MGR: TMIntCPVSInit '), Field(disposition,true), Constant(' due to '), Field(result,false)}" +match("MESSAGE#1070:00553:10", "nwparser.payload", "SCAN-MGR: TMIntCPVSInit %{disposition->} due to %{result}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1086 = msg("00553:10", part1706); + +var part1707 = // "Pattern{Constant('SCAN-MGR: Attempted Pattern Creation Date('), Field(fld2,false), Constant(') is after AV Key Expiration date('), Field(fld3,false), Constant(').')}" +match("MESSAGE#1071:00553:11", "nwparser.payload", "SCAN-MGR: Attempted Pattern Creation Date(%{fld2}) is after AV Key Expiration date(%{fld3}).", processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1087 = msg("00553:11", part1707); + +var part1708 = // "Pattern{Constant('SCAN-MGR: TMIntSetDecompressLayer '), Field(disposition,false), Constant(': Layer: '), Field(fld2,false), Constant(', Err: '), Field(resultcode,false), Constant('.')}" +match("MESSAGE#1072:00553:12", "nwparser.payload", "SCAN-MGR: TMIntSetDecompressLayer %{disposition}: Layer: %{fld2}, Err: %{resultcode}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1088 = msg("00553:12", part1708); + +var part1709 = // "Pattern{Constant('SCAN-MGR: TMIntSetExtractFileSizeLimit '), Field(disposition,false), Constant(': Limit: '), Field(fld2,false), Constant(', Err: '), Field(resultcode,false), Constant('.')}" +match("MESSAGE#1073:00553:13", "nwparser.payload", "SCAN-MGR: TMIntSetExtractFileSizeLimit %{disposition}: Limit: %{fld2}, Err: %{resultcode}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1089 = msg("00553:13", part1709); + +var part1710 = // "Pattern{Constant('SCAN-MGR: TMIntScanFile '), Field(disposition,false), Constant(': ret: '), Field(fld2,false), Constant('; cpapiErrCode: '), Field(resultcode,false), Constant('.')}" +match("MESSAGE#1074:00553:14", "nwparser.payload", "SCAN-MGR: TMIntScanFile %{disposition}: ret: %{fld2}; cpapiErrCode: %{resultcode}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1090 = msg("00553:14", part1710); + +var part1711 = // "Pattern{Constant('SCAN-MGR: VSAPI resource usage error. Left usage: '), Field(fld2,false), Constant('.')}" +match("MESSAGE#1075:00553:15", "nwparser.payload", "SCAN-MGR: VSAPI resource usage error. Left usage: %{fld2}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1091 = msg("00553:15", part1711); + +var part1712 = // "Pattern{Constant('SCAN-MGR: Set decompress layer to '), Field(fld2,false), Constant('.')}" +match("MESSAGE#1076:00553:16", "nwparser.payload", "SCAN-MGR: Set decompress layer to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1092 = msg("00553:16", part1712); + +var part1713 = // "Pattern{Constant('SCAN-MGR: Set maximum content size to '), Field(fld2,false), Constant('.')}" +match("MESSAGE#1077:00553:17", "nwparser.payload", "SCAN-MGR: Set maximum content size to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1093 = msg("00553:17", part1713); + +var part1714 = // "Pattern{Constant('SCAN-MGR: Set maximum number of concurrent messages to '), Field(fld2,false), Constant('.')}" +match("MESSAGE#1078:00553:18", "nwparser.payload", "SCAN-MGR: Set maximum number of concurrent messages to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1094 = msg("00553:18", part1714); + +var part1715 = // "Pattern{Constant('SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to '), Field(fld2,false), Constant('.')}" +match("MESSAGE#1079:00553:19", "nwparser.payload", "SCAN-MGR: Set drop if maximum number of concurrent messages exceeds max to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1095 = msg("00553:19", part1715); + +var part1716 = // "Pattern{Constant('SCAN-MGR: Set Pattern URL to '), Field(fld2,false), Constant('; update interval is '), Field(fld3,false), Constant('.')}" +match("MESSAGE#1080:00553:20", "nwparser.payload", "SCAN-MGR: Set Pattern URL to %{fld2}; update interval is %{fld3}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1096 = msg("00553:20", part1716); + +var part1717 = // "Pattern{Constant('SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.'), Field(,false)}" +match("MESSAGE#1081:00553:21", "nwparser.payload", "SCAN-MGR: Unset Pattern URL; Pattern will not be updated automatically.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1097 = msg("00553:21", part1717); + +var part1718 = // "Pattern{Constant('SCAN-MGR: New pattern updated: version: '), Field(version,false), Constant(', size: '), Field(bytes,true), Constant(' (bytes).')}" +match("MESSAGE#1082:00553:22", "nwparser.payload", "SCAN-MGR: New pattern updated: version: %{version}, size: %{bytes->} (bytes).", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1098 = msg("00553:22", part1718); + +var select385 = linear_select([ + msg1076, + msg1077, + msg1078, + msg1079, + msg1080, + msg1081, + msg1082, + msg1083, + msg1084, + msg1085, + msg1086, + msg1087, + msg1088, + msg1089, + msg1090, + msg1091, + msg1092, + msg1093, + msg1094, + msg1095, + msg1096, + msg1097, + msg1098, +]); + +var part1719 = // "Pattern{Constant('SCAN-MGR: Cannot get '), Field(p0,false)}" +match("MESSAGE#1083:00554/0", "nwparser.payload", "SCAN-MGR: Cannot get %{p0}"); + +var part1720 = // "Pattern{Constant('AltServer info '), Field(p0,false)}" +match("MESSAGE#1083:00554/1_0", "nwparser.p0", "AltServer info %{p0}"); + +var part1721 = // "Pattern{Constant('Version number '), Field(p0,false)}" +match("MESSAGE#1083:00554/1_1", "nwparser.p0", "Version number %{p0}"); + +var part1722 = // "Pattern{Constant('Path_GateLockCE info '), Field(p0,false)}" +match("MESSAGE#1083:00554/1_2", "nwparser.p0", "Path_GateLockCE info %{p0}"); + +var select386 = linear_select([ + part1720, + part1721, + part1722, +]); + +var all359 = all_match({ + processors: [ + part1719, + select386, + dup327, + ], + on_success: processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1099 = msg("00554", all359); + +var part1723 = // "Pattern{Constant('SCAN-MGR: Per server.ini file, the AV pattern file size is zero.'), Field(,false)}" +match("MESSAGE#1084:00554:01", "nwparser.payload", "SCAN-MGR: Per server.ini file, the AV pattern file size is zero.%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1100 = msg("00554:01", part1723); + +var part1724 = // "Pattern{Constant('SCAN-MGR: AV pattern file size is too large ('), Field(bytes,true), Constant(' bytes).')}" +match("MESSAGE#1085:00554:02", "nwparser.payload", "SCAN-MGR: AV pattern file size is too large (%{bytes->} bytes).", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1101 = msg("00554:02", part1724); + +var part1725 = // "Pattern{Constant('SCAN-MGR: Alternate AV pattern file server URL is too long: '), Field(bytes,true), Constant(' bytes. Max: '), Field(fld2,true), Constant(' bytes.')}" +match("MESSAGE#1086:00554:03", "nwparser.payload", "SCAN-MGR: Alternate AV pattern file server URL is too long: %{bytes->} bytes. Max: %{fld2->} bytes.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1102 = msg("00554:03", part1725); + +var part1726 = // "Pattern{Constant('SCAN-MGR: Cannot retrieve '), Field(p0,false)}" +match("MESSAGE#1087:00554:04/0", "nwparser.payload", "SCAN-MGR: Cannot retrieve %{p0}"); + +var part1727 = // "Pattern{Constant('file from '), Field(hostip,false), Constant(':'), Field(network_port,false), Constant('. HTTP status code: '), Field(fld2,false), Constant('.')}" +match("MESSAGE#1087:00554:04/2", "nwparser.p0", "file from %{hostip}:%{network_port}. HTTP status code: %{fld2}."); + +var all360 = all_match({ + processors: [ + part1726, + dup408, + part1727, + ], + on_success: processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1103 = msg("00554:04", all360); + +var part1728 = // "Pattern{Constant('SCAN-MGR: Cannot write AV pattern file to '), Field(p0,false)}" +match("MESSAGE#1088:00554:05/0", "nwparser.payload", "SCAN-MGR: Cannot write AV pattern file to %{p0}"); + +var part1729 = // "Pattern{Constant('RAM '), Field(p0,false)}" +match("MESSAGE#1088:00554:05/1_0", "nwparser.p0", "RAM %{p0}"); + +var part1730 = // "Pattern{Constant('flash '), Field(p0,false)}" +match("MESSAGE#1088:00554:05/1_1", "nwparser.p0", "flash %{p0}"); + +var select387 = linear_select([ + part1729, + part1730, +]); + +var all361 = all_match({ + processors: [ + part1728, + select387, + dup116, + ], + on_success: processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1104 = msg("00554:05", all361); + +var part1731 = // "Pattern{Constant('SCAN-MGR: Cannot check AV pattern file. VSAPI code: '), Field(fld2,false)}" +match("MESSAGE#1089:00554:06", "nwparser.payload", "SCAN-MGR: Cannot check AV pattern file. VSAPI code: %{fld2}", processor_chain([ + dup144, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1105 = msg("00554:06", part1731); + +var part1732 = // "Pattern{Constant('SCAN-MGR: Internal error occurred while retrieving '), Field(p0,false)}" +match("MESSAGE#1090:00554:07/0", "nwparser.payload", "SCAN-MGR: Internal error occurred while retrieving %{p0}"); + +var all362 = all_match({ + processors: [ + part1732, + dup408, + dup330, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1106 = msg("00554:07", all362); + +var part1733 = // "Pattern{Constant('SCAN-MGR: Internal error occurred when calling this function: '), Field(fld2,false), Constant('. '), Field(fld3,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#1091:00554:08/0", "nwparser.payload", "SCAN-MGR: Internal error occurred when calling this function: %{fld2}. %{fld3->} %{p0}"); + +var part1734 = // "Pattern{Constant('Error: '), Field(resultcode,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#1091:00554:08/1_0", "nwparser.p0", "Error: %{resultcode->} %{p0}"); + +var part1735 = // "Pattern{Constant('Returned a NULL VSC handler '), Field(p0,false)}" +match("MESSAGE#1091:00554:08/1_1", "nwparser.p0", "Returned a NULL VSC handler %{p0}"); + +var part1736 = // "Pattern{Constant('cpapiErrCode: '), Field(resultcode,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#1091:00554:08/1_2", "nwparser.p0", "cpapiErrCode: %{resultcode->} %{p0}"); + +var select388 = linear_select([ + part1734, + part1735, + part1736, +]); + +var all363 = all_match({ + processors: [ + part1733, + select388, + dup116, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1107 = msg("00554:08", all363); + +var part1737 = // "Pattern{Constant('SCAN-MGR: Number of decompression layers has been set to '), Field(fld2,false), Constant('.')}" +match("MESSAGE#1092:00554:09", "nwparser.payload", "SCAN-MGR: Number of decompression layers has been set to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1108 = msg("00554:09", part1737); + +var part1738 = // "Pattern{Constant('SCAN-MGR: Maximum content size has been set to '), Field(fld2,true), Constant(' KB.')}" +match("MESSAGE#1093:00554:10", "nwparser.payload", "SCAN-MGR: Maximum content size has been set to %{fld2->} KB.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1109 = msg("00554:10", part1738); + +var part1739 = // "Pattern{Constant('SCAN-MGR: Maximum number of concurrent messages has been set to '), Field(fld2,false), Constant('.')}" +match("MESSAGE#1094:00554:11", "nwparser.payload", "SCAN-MGR: Maximum number of concurrent messages has been set to %{fld2}.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1110 = msg("00554:11", part1739); + +var part1740 = // "Pattern{Constant('SCAN-MGR: Fail mode has been set to '), Field(p0,false)}" +match("MESSAGE#1095:00554:12/0", "nwparser.payload", "SCAN-MGR: Fail mode has been set to %{p0}"); + +var part1741 = // "Pattern{Constant('drop '), Field(p0,false)}" +match("MESSAGE#1095:00554:12/1_0", "nwparser.p0", "drop %{p0}"); + +var part1742 = // "Pattern{Constant('pass '), Field(p0,false)}" +match("MESSAGE#1095:00554:12/1_1", "nwparser.p0", "pass %{p0}"); + +var select389 = linear_select([ + part1741, + part1742, +]); + +var part1743 = // "Pattern{Constant('unexamined traffic if '), Field(p0,false)}" +match("MESSAGE#1095:00554:12/2", "nwparser.p0", "unexamined traffic if %{p0}"); + +var part1744 = // "Pattern{Constant('content size '), Field(p0,false)}" +match("MESSAGE#1095:00554:12/3_0", "nwparser.p0", "content size %{p0}"); + +var part1745 = // "Pattern{Constant('number of concurrent messages '), Field(p0,false)}" +match("MESSAGE#1095:00554:12/3_1", "nwparser.p0", "number of concurrent messages %{p0}"); + +var select390 = linear_select([ + part1744, + part1745, +]); + +var part1746 = // "Pattern{Constant('exceeds max.'), Field(,false)}" +match("MESSAGE#1095:00554:12/4", "nwparser.p0", "exceeds max.%{}"); + +var all364 = all_match({ + processors: [ + part1740, + select389, + part1743, + select390, + part1746, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1111 = msg("00554:12", all364); + +var part1747 = // "Pattern{Constant('SCAN-MGR: URL for AV pattern update server has been set to '), Field(fld2,false), Constant(', and the update interval to '), Field(fld3,true), Constant(' minutes.')}" +match("MESSAGE#1096:00554:13", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been set to %{fld2}, and the update interval to %{fld3->} minutes.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1112 = msg("00554:13", part1747); + +var part1748 = // "Pattern{Constant('SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.'), Field(,false)}" +match("MESSAGE#1097:00554:14", "nwparser.payload", "SCAN-MGR: URL for AV pattern update server has been unset, and the update interval returned to its default.%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1113 = msg("00554:14", part1748); + +var part1749 = // "Pattern{Constant('SCAN-MGR: New AV pattern file has been updated. Version: '), Field(version,false), Constant('; size: '), Field(bytes,true), Constant(' bytes.')}" +match("MESSAGE#1098:00554:15", "nwparser.payload", "SCAN-MGR: New AV pattern file has been updated. Version: %{version}; size: %{bytes->} bytes.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1114 = msg("00554:15", part1749); + +var part1750 = // "Pattern{Constant('SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: '), Field(fld2,false), Constant('.')}" +match("MESSAGE#1099:00554:16", "nwparser.payload", "SCAN-MGR: AV client has exceeded its resource allotment. Remaining available resources: %{fld2}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1115 = msg("00554:16", part1750); + +var part1751 = // "Pattern{Constant('SCAN-MGR: Attempted to load AV pattern file created '), Field(fld2,true), Constant(' after the AV subscription expired. (Exp: '), Field(fld3,false), Constant(')')}" +match("MESSAGE#1100:00554:17", "nwparser.payload", "SCAN-MGR: Attempted to load AV pattern file created %{fld2->} after the AV subscription expired. (Exp: %{fld3})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1116 = msg("00554:17", part1751); + +var select391 = linear_select([ + msg1099, + msg1100, + msg1101, + msg1102, + msg1103, + msg1104, + msg1105, + msg1106, + msg1107, + msg1108, + msg1109, + msg1110, + msg1111, + msg1112, + msg1113, + msg1114, + msg1115, + msg1116, +]); + +var part1752 = // "Pattern{Constant('Vrouter '), Field(node,true), Constant(' PIMSM cannot process non-multicast address '), Field(hostip,false)}" +match("MESSAGE#1101:00555", "nwparser.payload", "Vrouter %{node->} PIMSM cannot process non-multicast address %{hostip}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1117 = msg("00555", part1752); + +var part1753 = // "Pattern{Constant('UF-MGR: Failed to process a request. Reason: '), Field(result,false)}" +match("MESSAGE#1102:00556", "nwparser.payload", "UF-MGR: Failed to process a request. Reason: %{result}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1118 = msg("00556", part1753); + +var part1754 = // "Pattern{Constant('UF-MGR: Failed to abort a transaction. Reason: '), Field(result,false)}" +match("MESSAGE#1103:00556:01", "nwparser.payload", "UF-MGR: Failed to abort a transaction. Reason: %{result}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1119 = msg("00556:01", part1754); + +var part1755 = // "Pattern{Constant('UF-MGR: UF '), Field(p0,false)}" +match("MESSAGE#1104:00556:02/0", "nwparser.payload", "UF-MGR: UF %{p0}"); + +var part1756 = // "Pattern{Constant('K'), Field(p0,false)}" +match("MESSAGE#1104:00556:02/1_0", "nwparser.p0", "K%{p0}"); + +var part1757 = // "Pattern{Constant('k'), Field(p0,false)}" +match("MESSAGE#1104:00556:02/1_1", "nwparser.p0", "k%{p0}"); + +var select392 = linear_select([ + part1756, + part1757, +]); + +var part1758 = // "Pattern{Constant('ey '), Field(p0,false)}" +match("MESSAGE#1104:00556:02/2", "nwparser.p0", "ey %{p0}"); + +var part1759 = // "Pattern{Constant('Expired'), Field(p0,false)}" +match("MESSAGE#1104:00556:02/3_0", "nwparser.p0", "Expired%{p0}"); + +var part1760 = // "Pattern{Constant('expired'), Field(p0,false)}" +match("MESSAGE#1104:00556:02/3_1", "nwparser.p0", "expired%{p0}"); + +var select393 = linear_select([ + part1759, + part1760, +]); + +var part1761 = // "Pattern{Field(,false), Constant('(expiration date: '), Field(fld2,false), Constant('; current date: '), Field(fld3,false), Constant(').')}" +match("MESSAGE#1104:00556:02/4", "nwparser.p0", "%{}(expiration date: %{fld2}; current date: %{fld3})."); + +var all365 = all_match({ + processors: [ + part1755, + select392, + part1758, + select393, + part1761, + ], + on_success: processor_chain([ + dup256, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1120 = msg("00556:02", all365); + +var part1762 = // "Pattern{Constant('UF-MGR: Failed to '), Field(p0,false)}" +match("MESSAGE#1105:00556:03/0", "nwparser.payload", "UF-MGR: Failed to %{p0}"); + +var part1763 = // "Pattern{Constant('enable '), Field(p0,false)}" +match("MESSAGE#1105:00556:03/1_0", "nwparser.p0", "enable %{p0}"); + +var part1764 = // "Pattern{Constant('disable '), Field(p0,false)}" +match("MESSAGE#1105:00556:03/1_1", "nwparser.p0", "disable %{p0}"); + +var select394 = linear_select([ + part1763, + part1764, +]); + +var part1765 = // "Pattern{Constant('cache.'), Field(,false)}" +match("MESSAGE#1105:00556:03/2", "nwparser.p0", "cache.%{}"); + +var all366 = all_match({ + processors: [ + part1762, + select394, + part1765, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1121 = msg("00556:03", all366); + +var part1766 = // "Pattern{Constant('UF-MGR: Internal Error: '), Field(resultcode,false)}" +match("MESSAGE#1106:00556:04", "nwparser.payload", "UF-MGR: Internal Error: %{resultcode}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1122 = msg("00556:04", part1766); + +var part1767 = // "Pattern{Constant('UF-MGR: Cache size changed to '), Field(fld2,false), Constant('(K).')}" +match("MESSAGE#1107:00556:05", "nwparser.payload", "UF-MGR: Cache size changed to %{fld2}(K).", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1123 = msg("00556:05", part1767); + +var part1768 = // "Pattern{Constant('UF-MGR: Cache timeout changes to '), Field(fld2,true), Constant(' (hours).')}" +match("MESSAGE#1108:00556:06", "nwparser.payload", "UF-MGR: Cache timeout changes to %{fld2->} (hours).", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1124 = msg("00556:06", part1768); + +var part1769 = // "Pattern{Constant('UF-MGR: Category update interval changed to '), Field(fld2,true), Constant(' (weeks).')}" +match("MESSAGE#1109:00556:07", "nwparser.payload", "UF-MGR: Category update interval changed to %{fld2->} (weeks).", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1125 = msg("00556:07", part1769); + +var part1770 = // "Pattern{Constant('UF-MGR: Cache '), Field(p0,false)}" +match("MESSAGE#1110:00556:08/0", "nwparser.payload", "UF-MGR: Cache %{p0}"); + +var all367 = all_match({ + processors: [ + part1770, + dup360, + dup116, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1126 = msg("00556:08", all367); + +var part1771 = // "Pattern{Constant('UF-MGR: URL BLOCKED: ip_addr ('), Field(fld2,false), Constant(') -> ip_addr ('), Field(fld3,false), Constant('), '), Field(fld4,true), Constant(' action: '), Field(disposition,false), Constant(', category: '), Field(fld5,false), Constant(', reason '), Field(result,false)}" +match("MESSAGE#1111:00556:09", "nwparser.payload", "UF-MGR: URL BLOCKED: ip_addr (%{fld2}) -> ip_addr (%{fld3}), %{fld4->} action: %{disposition}, category: %{fld5}, reason %{result}", processor_chain([ + dup234, + dup2, + dup3, + dup4, + dup5, + dup284, +])); + +var msg1127 = msg("00556:09", part1771); + +var part1772 = // "Pattern{Constant('UF-MGR: URL FILTER ERR: ip_addr ('), Field(fld2,false), Constant(') -> ip_addr ('), Field(fld3,false), Constant('), host: '), Field(fld5,true), Constant(' page: '), Field(fld4,true), Constant(' code: '), Field(resultcode,true), Constant(' reason: '), Field(result,false), Constant('.')}" +match("MESSAGE#1112:00556:10", "nwparser.payload", "UF-MGR: URL FILTER ERR: ip_addr (%{fld2}) -> ip_addr (%{fld3}), host: %{fld5->} page: %{fld4->} code: %{resultcode->} reason: %{result}.", processor_chain([ + dup234, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1128 = msg("00556:10", part1772); + +var part1773 = // "Pattern{Constant('UF-MGR: Primary CPA server changed to '), Field(fld2,false)}" +match("MESSAGE#1113:00556:11", "nwparser.payload", "UF-MGR: Primary CPA server changed to %{fld2}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1129 = msg("00556:11", part1773); + +var part1774 = // "Pattern{Constant('UF-MGR: '), Field(fld2,true), Constant(' CPA server '), Field(p0,false)}" +match("MESSAGE#1114:00556:12/0", "nwparser.payload", "UF-MGR: %{fld2->} CPA server %{p0}"); + +var select395 = linear_select([ + dup140, + dup171, +]); + +var part1775 = // "Pattern{Constant('changed to '), Field(fld3,false), Constant('.')}" +match("MESSAGE#1114:00556:12/2", "nwparser.p0", "changed to %{fld3}."); + +var all368 = all_match({ + processors: [ + part1774, + select395, + part1775, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1130 = msg("00556:12", all368); + +var part1776 = // "Pattern{Constant('UF-MGR: SurfControl URL filtering '), Field(disposition,false), Constant('.')}" +match("MESSAGE#1115:00556:13", "nwparser.payload", "UF-MGR: SurfControl URL filtering %{disposition}.", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1131 = msg("00556:13", part1776); + +var part1777 = // "Pattern{Constant('UF-MGR: The url '), Field(url,true), Constant(' was '), Field(p0,false)}" +match("MESSAGE#1116:00556:14/0", "nwparser.payload", "UF-MGR: The url %{url->} was %{p0}"); + +var part1778 = // "Pattern{Constant('category '), Field(fld2,false), Constant('.')}" +match("MESSAGE#1116:00556:14/2", "nwparser.p0", "category %{fld2}."); + +var all369 = all_match({ + processors: [ + part1777, + dup409, + part1778, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1132 = msg("00556:14", all369); + +var part1779 = // "Pattern{Constant('UF-MGR: The category '), Field(fld2,true), Constant(' was '), Field(p0,false)}" +match("MESSAGE#1117:00556:15/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was %{p0}"); + +var part1780 = // "Pattern{Constant('profile '), Field(fld3,true), Constant(' with action '), Field(disposition,false), Constant('.')}" +match("MESSAGE#1117:00556:15/2", "nwparser.p0", "profile %{fld3->} with action %{disposition}."); + +var all370 = all_match({ + processors: [ + part1779, + dup409, + part1780, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + dup284, + ]), +}); + +var msg1133 = msg("00556:15", all370); + +var part1781 = // "Pattern{Constant('UF-MGR: The '), Field(p0,false)}" +match("MESSAGE#1118:00556:16/0", "nwparser.payload", "UF-MGR: The %{p0}"); + +var part1782 = // "Pattern{Constant('profile '), Field(p0,false)}" +match("MESSAGE#1118:00556:16/1_0", "nwparser.p0", "profile %{p0}"); + +var part1783 = // "Pattern{Constant('category '), Field(p0,false)}" +match("MESSAGE#1118:00556:16/1_1", "nwparser.p0", "category %{p0}"); + +var select396 = linear_select([ + part1782, + part1783, +]); + +var part1784 = // "Pattern{Constant(''), Field(fld2,true), Constant(' was '), Field(p0,false)}" +match("MESSAGE#1118:00556:16/2", "nwparser.p0", "%{fld2->} was %{p0}"); + +var select397 = linear_select([ + dup104, + dup120, +]); + +var all371 = all_match({ + processors: [ + part1781, + select396, + part1784, + select397, + dup116, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1134 = msg("00556:16", all371); + +var part1785 = // "Pattern{Constant('UF-MGR: The category '), Field(fld2,true), Constant(' was set in profile '), Field(profile,true), Constant(' as the '), Field(p0,false)}" +match("MESSAGE#1119:00556:17/0", "nwparser.payload", "UF-MGR: The category %{fld2->} was set in profile %{profile->} as the %{p0}"); + +var part1786 = // "Pattern{Constant('black '), Field(p0,false)}" +match("MESSAGE#1119:00556:17/1_0", "nwparser.p0", "black %{p0}"); + +var part1787 = // "Pattern{Constant('white '), Field(p0,false)}" +match("MESSAGE#1119:00556:17/1_1", "nwparser.p0", "white %{p0}"); + +var select398 = linear_select([ + part1786, + part1787, +]); + +var part1788 = // "Pattern{Constant('list.'), Field(,false)}" +match("MESSAGE#1119:00556:17/2", "nwparser.p0", "list.%{}"); + +var all372 = all_match({ + processors: [ + part1785, + select398, + part1788, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1135 = msg("00556:17", all372); + +var part1789 = // "Pattern{Constant('UF-MGR: The action for '), Field(fld2,true), Constant(' in profile '), Field(profile,true), Constant(' was '), Field(p0,false)}" +match("MESSAGE#1120:00556:18/0", "nwparser.payload", "UF-MGR: The action for %{fld2->} in profile %{profile->} was %{p0}"); + +var part1790 = // "Pattern{Constant('changed '), Field(p0,false)}" +match("MESSAGE#1120:00556:18/1_1", "nwparser.p0", "changed %{p0}"); + +var select399 = linear_select([ + dup101, + part1790, +]); + +var part1791 = // "Pattern{Constant('to '), Field(fld3,false), Constant('.')}" +match("MESSAGE#1120:00556:18/2", "nwparser.p0", "to %{fld3}."); + +var all373 = all_match({ + processors: [ + part1789, + select399, + part1791, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1136 = msg("00556:18", all373); + +var part1792 = // "Pattern{Constant('UF-MGR: The category list from the CPA server '), Field(p0,false)}" +match("MESSAGE#1121:00556:20/0", "nwparser.payload", "UF-MGR: The category list from the CPA server %{p0}"); + +var part1793 = // "Pattern{Constant('updated on'), Field(p0,false)}" +match("MESSAGE#1121:00556:20/2", "nwparser.p0", "updated on%{p0}"); + +var select400 = linear_select([ + dup103, + dup96, +]); + +var part1794 = // "Pattern{Constant('the device.'), Field(,false)}" +match("MESSAGE#1121:00556:20/4", "nwparser.p0", "the device.%{}"); + +var all374 = all_match({ + processors: [ + part1792, + dup357, + part1793, + select400, + part1794, + ], + on_success: processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1137 = msg("00556:20", all374); + +var part1795 = // "Pattern{Constant('UF-MGR: URL BLOCKED: '), Field(saddr,false), Constant('('), Field(sport,false), Constant(')->'), Field(daddr,false), Constant('('), Field(dport,false), Constant('), '), Field(fld2,true), Constant(' action: '), Field(disposition,false), Constant(', category: '), Field(category,false), Constant(', reason: '), Field(result,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1122:00556:21", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} action: %{disposition}, category: %{category}, reason: %{result->} (%{fld1})", processor_chain([ + dup234, + dup2, + dup3, + dup9, + dup4, + dup5, + dup284, +])); + +var msg1138 = msg("00556:21", part1795); + +var part1796 = // "Pattern{Constant('UF-MGR: URL BLOCKED: '), Field(saddr,false), Constant('('), Field(sport,false), Constant(')->'), Field(daddr,false), Constant('('), Field(dport,false), Constant('), '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1123:00556:22", "nwparser.payload", "UF-MGR: URL BLOCKED: %{saddr}(%{sport})->%{daddr}(%{dport}), %{fld2->} (%{fld1})", processor_chain([ + dup234, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1139 = msg("00556:22", part1796); + +var select401 = linear_select([ + msg1118, + msg1119, + msg1120, + msg1121, + msg1122, + msg1123, + msg1124, + msg1125, + msg1126, + msg1127, + msg1128, + msg1129, + msg1130, + msg1131, + msg1132, + msg1133, + msg1134, + msg1135, + msg1136, + msg1137, + msg1138, + msg1139, +]); + +var part1797 = // "Pattern{Constant('PPP LCP on interface '), Field(interface,true), Constant(' is '), Field(fld2,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1124:00572", "nwparser.payload", "PPP LCP on interface %{interface->} is %{fld2}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1140 = msg("00572", part1797); + +var part1798 = // "Pattern{Constant('PPP authentication state on interface '), Field(interface,false), Constant(': '), Field(result,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1125:00572:01", "nwparser.payload", "PPP authentication state on interface %{interface}: %{result}. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1141 = msg("00572:01", part1798); + +var part1799 = // "Pattern{Constant('PPP on interface '), Field(interface,true), Constant(' is '), Field(disposition,true), Constant(' by receiving Terminate-Request. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1126:00572:03", "nwparser.payload", "PPP on interface %{interface->} is %{disposition->} by receiving Terminate-Request. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1142 = msg("00572:03", part1799); + +var select402 = linear_select([ + msg1140, + msg1141, + msg1142, +]); + +var part1800 = // "Pattern{Constant('PBR policy "'), Field(policyname,false), Constant('" rebuilding lookup tree for virtual router "'), Field(node,false), Constant('". ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1127:00615", "nwparser.payload", "PBR policy \"%{policyname}\" rebuilding lookup tree for virtual router \"%{node}\". (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, +])); + +var msg1143 = msg("00615", part1800); + +var part1801 = // "Pattern{Constant('PBR policy "'), Field(policyname,false), Constant('" lookup tree rebuilt successfully in virtual router "'), Field(node,false), Constant('". ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1128:00615:01", "nwparser.payload", "PBR policy \"%{policyname}\" lookup tree rebuilt successfully in virtual router \"%{node}\". (%{fld1})", processor_chain([ + dup44, + dup2, + dup4, + dup5, + dup9, +])); + +var msg1144 = msg("00615:01", part1801); + +var select403 = linear_select([ + msg1143, + msg1144, +]); + +var part1802 = // "Pattern{Field(signame,true), Constant(' attack! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,false), Constant(', through policy '), Field(policyname,false), Constant('. Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1129:00601", "nwparser.payload", "%{signame->} attack! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol}, through policy %{policyname}. Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup9, + dup4, + dup5, + dup61, +])); + +var msg1145 = msg("00601", part1802); + +var part1803 = // "Pattern{Field(signame,true), Constant(' has been detected from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' through policy '), Field(policyname,true), Constant(' '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1130:00601:01", "nwparser.payload", "%{signame->} has been detected from %{saddr}/%{sport->} to %{daddr}/%{dport->} through policy %{policyname->} %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup9, + dup4, + dup5, + dup61, +])); + +var msg1146 = msg("00601:01", part1803); + +var part1804 = // "Pattern{Constant('Error in initializing multicast.'), Field(,false)}" +match("MESSAGE#1131:00601:18", "nwparser.payload", "Error in initializing multicast.%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1147 = msg("00601:18", part1804); + +var select404 = linear_select([ + msg1145, + msg1146, + msg1147, +]); + +var part1805 = // "Pattern{Constant('PIMSM Error in initializing interface state change'), Field(,false)}" +match("MESSAGE#1132:00602", "nwparser.payload", "PIMSM Error in initializing interface state change%{}", processor_chain([ + dup19, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1148 = msg("00602", part1805); + +var part1806 = // "Pattern{Constant('Switch event: the status of ethernet port '), Field(fld2,true), Constant(' changed to link '), Field(p0,false)}" +match("MESSAGE#1133:00612/0", "nwparser.payload", "Switch event: the status of ethernet port %{fld2->} changed to link %{p0}"); + +var part1807 = // "Pattern{Constant(', duplex '), Field(p0,false)}" +match("MESSAGE#1133:00612/2", "nwparser.p0", ", duplex %{p0}"); + +var part1808 = // "Pattern{Constant('full '), Field(p0,false)}" +match("MESSAGE#1133:00612/3_0", "nwparser.p0", "full %{p0}"); + +var part1809 = // "Pattern{Constant('half '), Field(p0,false)}" +match("MESSAGE#1133:00612/3_1", "nwparser.p0", "half %{p0}"); + +var select405 = linear_select([ + part1808, + part1809, +]); + +var part1810 = // "Pattern{Constant(', speed 10'), Field(p0,false)}" +match("MESSAGE#1133:00612/4", "nwparser.p0", ", speed 10%{p0}"); + +var part1811 = // "Pattern{Constant('0 '), Field(p0,false)}" +match("MESSAGE#1133:00612/5_0", "nwparser.p0", "0 %{p0}"); + +var select406 = linear_select([ + part1811, + dup96, +]); + +var part1812 = // "Pattern{Constant('M. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1133:00612/6", "nwparser.p0", "M. (%{fld1})"); + +var all375 = all_match({ + processors: [ + part1806, + dup355, + part1807, + select405, + part1810, + select406, + part1812, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg1149 = msg("00612", all375); + +var part1813 = // "Pattern{Constant('RTSYNC: Event posted to send all the DRP routes to backup device. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1134:00620", "nwparser.payload", "RTSYNC: Event posted to send all the DRP routes to backup device. (%{fld1})", processor_chain([ + dup274, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1150 = msg("00620", part1813); + +var part1814 = // "Pattern{Constant('RTSYNC: '), Field(p0,false)}" +match("MESSAGE#1135:00620:01/0", "nwparser.payload", "RTSYNC: %{p0}"); + +var part1815 = // "Pattern{Constant('Serviced'), Field(p0,false)}" +match("MESSAGE#1135:00620:01/1_0", "nwparser.p0", "Serviced%{p0}"); + +var part1816 = // "Pattern{Constant('Recieved'), Field(p0,false)}" +match("MESSAGE#1135:00620:01/1_1", "nwparser.p0", "Recieved%{p0}"); + +var select407 = linear_select([ + part1815, + part1816, +]); + +var part1817 = // "Pattern{Field(,false), Constant('coldstart request for route synchronization from NSRP peer. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1135:00620:01/2", "nwparser.p0", "%{}coldstart request for route synchronization from NSRP peer. (%{fld1})"); + +var all376 = all_match({ + processors: [ + part1814, + select407, + part1817, + ], + on_success: processor_chain([ + dup274, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg1151 = msg("00620:01", all376); + +var part1818 = // "Pattern{Constant('RTSYNC: Started timer to purge all the DRP backup routes - '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1136:00620:02", "nwparser.payload", "RTSYNC: Started timer to purge all the DRP backup routes - %{fld2->} (%{fld1})", processor_chain([ + dup274, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1152 = msg("00620:02", part1818); + +var part1819 = // "Pattern{Constant('RTSYNC: Event posted to purge backup routes in all vrouters. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1137:00620:03", "nwparser.payload", "RTSYNC: Event posted to purge backup routes in all vrouters. (%{fld1})", processor_chain([ + dup274, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1153 = msg("00620:03", part1819); + +var part1820 = // "Pattern{Constant('RTSYNC: Timer to purge the DRP backup routes is stopped. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1138:00620:04", "nwparser.payload", "RTSYNC: Timer to purge the DRP backup routes is stopped. (%{fld1})", processor_chain([ + dup274, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1154 = msg("00620:04", part1820); + +var select408 = linear_select([ + msg1150, + msg1151, + msg1152, + msg1153, + msg1154, +]); + +var part1821 = // "Pattern{Constant('NHRP : NHRP instance in virtual router '), Field(node,true), Constant(' is created. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1139:00622", "nwparser.payload", "NHRP : NHRP instance in virtual router %{node->} is created. (%{fld1})", processor_chain([ + dup275, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1155 = msg("00622", part1821); + +var part1822 = // "Pattern{Constant('Session (id '), Field(sessionid,true), Constant(' src-ip '), Field(saddr,true), Constant(' dst-ip '), Field(daddr,true), Constant(' dst port '), Field(dport,false), Constant(') route is '), Field(p0,false)}" +match("MESSAGE#1140:00625/0", "nwparser.payload", "Session (id %{sessionid->} src-ip %{saddr->} dst-ip %{daddr->} dst port %{dport}) route is %{p0}"); + +var part1823 = // "Pattern{Constant('invalid'), Field(p0,false)}" +match("MESSAGE#1140:00625/1_0", "nwparser.p0", "invalid%{p0}"); + +var part1824 = // "Pattern{Constant('valid'), Field(p0,false)}" +match("MESSAGE#1140:00625/1_1", "nwparser.p0", "valid%{p0}"); + +var select409 = linear_select([ + part1823, + part1824, +]); + +var all377 = all_match({ + processors: [ + part1822, + select409, + dup49, + ], + on_success: processor_chain([ + dup275, + dup2, + dup4, + dup5, + dup9, + ]), +}); + +var msg1156 = msg("00625", all377); + +var part1825 = // "Pattern{Constant('audit log queue '), Field(p0,false)}" +match("MESSAGE#1141:00628/0", "nwparser.payload", "audit log queue %{p0}"); + +var part1826 = // "Pattern{Constant('Traffic Log '), Field(p0,false)}" +match("MESSAGE#1141:00628/1_0", "nwparser.p0", "Traffic Log %{p0}"); + +var part1827 = // "Pattern{Constant('Event Alarm Log '), Field(p0,false)}" +match("MESSAGE#1141:00628/1_1", "nwparser.p0", "Event Alarm Log %{p0}"); + +var part1828 = // "Pattern{Constant('Event Log '), Field(p0,false)}" +match("MESSAGE#1141:00628/1_2", "nwparser.p0", "Event Log %{p0}"); + +var select410 = linear_select([ + part1826, + part1827, + part1828, +]); + +var part1829 = // "Pattern{Constant('is overwritten ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1141:00628/2", "nwparser.p0", "is overwritten (%{fld1})"); + +var all378 = all_match({ + processors: [ + part1825, + select410, + part1829, + ], + on_success: processor_chain([ + dup225, + dup2, + dup4, + dup5, + dup9, + ]), +}); + +var msg1157 = msg("00628", all378); + +var part1830 = // "Pattern{Constant('Log setting was modified to '), Field(disposition,true), Constant(' '), Field(fld2,true), Constant(' level by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1142:00767:50", "nwparser.payload", "Log setting was modified to %{disposition->} %{fld2->} level by admin %{administrator->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + dup284, +])); + +var msg1158 = msg("00767:50", part1830); + +var part1831 = // "Pattern{Constant('Attack CS:Man in Middle is created by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1143:00767:51", "nwparser.payload", "Attack CS:Man in Middle is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup9, +])); + +var msg1159 = msg("00767:51", part1831); + +var part1832 = // "Pattern{Constant('Attack group '), Field(group,true), Constant(' is created by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1144:00767:52", "nwparser.payload", "Attack group %{group->} is created by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup9, +])); + +var msg1160 = msg("00767:52", part1832); + +var part1833 = // "Pattern{Constant('Attack CS:Man in Middle is added to attack group '), Field(group,true), Constant(' by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1145:00767:53", "nwparser.payload", "Attack CS:Man in Middle is added to attack group %{group->} by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by admin %{administrator->} (%{fld1})", processor_chain([ + dup58, + dup2, + dup4, + dup5, + dup9, +])); + +var msg1161 = msg("00767:53", part1833); + +var part1834 = // "Pattern{Constant('Cannot contact the SecurID server'), Field(,false)}" +match("MESSAGE#1146:00767", "nwparser.payload", "Cannot contact the SecurID server%{}", processor_chain([ + dup27, + setc("ec_theme","Communication"), + dup39, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1162 = msg("00767", part1834); + +var part1835 = // "Pattern{Constant('System auto-config of file '), Field(fld2,true), Constant(' from TFTP server '), Field(hostip,true), Constant(' has '), Field(p0,false)}" +match("MESSAGE#1147:00767:01/0", "nwparser.payload", "System auto-config of file %{fld2->} from TFTP server %{hostip->} has %{p0}"); + +var part1836 = // "Pattern{Constant('been loaded successfully'), Field(,false)}" +match("MESSAGE#1147:00767:01/1_0", "nwparser.p0", "been loaded successfully%{}"); + +var part1837 = // "Pattern{Constant('failed'), Field(,false)}" +match("MESSAGE#1147:00767:01/1_1", "nwparser.p0", "failed%{}"); + +var select411 = linear_select([ + part1836, + part1837, +]); + +var all379 = all_match({ + processors: [ + part1835, + select411, + ], + on_success: processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1163 = msg("00767:01", all379); + +var part1838 = // "Pattern{Constant('netscreen: System Config saved from host '), Field(saddr,false)}" +match("MESSAGE#1148:00767:02", "nwparser.payload", "netscreen: System Config saved from host %{saddr}", processor_chain([ + setc("eventcategory","1702000000"), + dup2, + dup3, + dup4, + dup5, +])); + +var msg1164 = msg("00767:02", part1838); + +var part1839 = // "Pattern{Constant('System Config saved to filename '), Field(filename,false)}" +match("MESSAGE#1149:00767:03", "nwparser.payload", "System Config saved to filename %{filename}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1165 = msg("00767:03", part1839); + +var part1840 = // "Pattern{Constant('System is operational.'), Field(,false)}" +match("MESSAGE#1150:00767:04", "nwparser.payload", "System is operational.%{}", processor_chain([ + dup44, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1166 = msg("00767:04", part1840); + +var part1841 = // "Pattern{Constant('The device cannot contact the SecurID server'), Field(,false)}" +match("MESSAGE#1151:00767:05", "nwparser.payload", "The device cannot contact the SecurID server%{}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1167 = msg("00767:05", part1841); + +var part1842 = // "Pattern{Constant('The device cannot send data to the SecurID server'), Field(,false)}" +match("MESSAGE#1152:00767:06", "nwparser.payload", "The device cannot send data to the SecurID server%{}", processor_chain([ + dup27, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1168 = msg("00767:06", part1842); + +var part1843 = // "Pattern{Constant('The system configuration was saved from peer unit by admin'), Field(,false)}" +match("MESSAGE#1153:00767:07", "nwparser.payload", "The system configuration was saved from peer unit by admin%{}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1169 = msg("00767:07", part1843); + +var part1844 = // "Pattern{Constant('The system configuration was saved by admin '), Field(p0,false)}" +match("MESSAGE#1154:00767:08/0", "nwparser.payload", "The system configuration was saved by admin %{p0}"); + +var all380 = all_match({ + processors: [ + part1844, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg1170 = msg("00767:08", all380); + +var part1845 = // "Pattern{Constant('traffic shaping is turned O'), Field(p0,false)}" +match("MESSAGE#1155:00767:09/0", "nwparser.payload", "traffic shaping is turned O%{p0}"); + +var part1846 = // "Pattern{Constant('N'), Field(,false)}" +match("MESSAGE#1155:00767:09/1_0", "nwparser.p0", "N%{}"); + +var part1847 = // "Pattern{Constant('FF'), Field(,false)}" +match("MESSAGE#1155:00767:09/1_1", "nwparser.p0", "FF%{}"); + +var select412 = linear_select([ + part1846, + part1847, +]); + +var all381 = all_match({ + processors: [ + part1845, + select412, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1171 = msg("00767:09", all381); + +var part1848 = // "Pattern{Constant('The system configuration was saved from host '), Field(saddr,true), Constant(' by admin '), Field(p0,false)}" +match("MESSAGE#1156:00767:10/0", "nwparser.payload", "The system configuration was saved from host %{saddr->} by admin %{p0}"); + +var all382 = all_match({ + processors: [ + part1848, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg1172 = msg("00767:10", all382); + +var part1849 = // "Pattern{Constant('Fatal error. The NetScreen device was unable to upgrade the '), Field(p0,false)}" +match("MESSAGE#1157:00767:11/0", "nwparser.payload", "Fatal error. The NetScreen device was unable to upgrade the %{p0}"); + +var part1850 = // "Pattern{Constant('file system '), Field(p0,false)}" +match("MESSAGE#1157:00767:11/1_1", "nwparser.p0", "file system %{p0}"); + +var select413 = linear_select([ + dup333, + part1850, +]); + +var part1851 = // "Pattern{Constant(', and the '), Field(p0,false)}" +match("MESSAGE#1157:00767:11/2", "nwparser.p0", ", and the %{p0}"); + +var part1852 = // "Pattern{Constant('old file system '), Field(p0,false)}" +match("MESSAGE#1157:00767:11/3_1", "nwparser.p0", "old file system %{p0}"); + +var select414 = linear_select([ + dup333, + part1852, +]); + +var part1853 = // "Pattern{Constant('is damaged.'), Field(,false)}" +match("MESSAGE#1157:00767:11/4", "nwparser.p0", "is damaged.%{}"); + +var all383 = all_match({ + processors: [ + part1849, + select413, + part1851, + select414, + part1853, + ], + on_success: processor_chain([ + dup18, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1173 = msg("00767:11", all383); + +var part1854 = // "Pattern{Constant('System configuration saved by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' by '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1158:00767:12", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from host %{saddr->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1174 = msg("00767:12", part1854); + +var part1855 = // "Pattern{Field(fld2,false), Constant('Environment variable '), Field(fld3,true), Constant(' is changed to '), Field(fld4,true), Constant(' by admin '), Field(p0,false)}" +match("MESSAGE#1159:00767:13/0", "nwparser.payload", "%{fld2}Environment variable %{fld3->} is changed to %{fld4->} by admin %{p0}"); + +var all384 = all_match({ + processors: [ + part1855, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg1175 = msg("00767:13", all384); + +var part1856 = // "Pattern{Constant('System was '), Field(p0,false)}" +match("MESSAGE#1160:00767:14/0", "nwparser.payload", "System was %{p0}"); + +var part1857 = // "Pattern{Constant('reset '), Field(p0,false)}" +match("MESSAGE#1160:00767:14/1_0", "nwparser.p0", "reset %{p0}"); + +var select415 = linear_select([ + part1857, + dup264, +]); + +var part1858 = // "Pattern{Constant('at '), Field(fld2,true), Constant(' by '), Field(p0,false)}" +match("MESSAGE#1160:00767:14/2", "nwparser.p0", "at %{fld2->} by %{p0}"); + +var part1859 = // "Pattern{Constant('admin '), Field(administrator,false)}" +match("MESSAGE#1160:00767:14/3_0", "nwparser.p0", "admin %{administrator}"); + +var part1860 = // "Pattern{Field(username,false)}" +match_copy("MESSAGE#1160:00767:14/3_1", "nwparser.p0", "username"); + +var select416 = linear_select([ + part1859, + part1860, +]); + +var all385 = all_match({ + processors: [ + part1856, + select415, + part1858, + select416, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1176 = msg("00767:14", all385); + +var part1861 = // "Pattern{Constant('System '), Field(p0,false)}" +match("MESSAGE#1161:00767:15/1_0", "nwparser.p0", "System %{p0}"); + +var part1862 = // "Pattern{Constant('Event '), Field(p0,false)}" +match("MESSAGE#1161:00767:15/1_1", "nwparser.p0", "Event %{p0}"); + +var part1863 = // "Pattern{Constant('Traffic '), Field(p0,false)}" +match("MESSAGE#1161:00767:15/1_2", "nwparser.p0", "Traffic %{p0}"); + +var select417 = linear_select([ + part1861, + part1862, + part1863, +]); + +var part1864 = // "Pattern{Constant('log was reviewed by '), Field(p0,false)}" +match("MESSAGE#1161:00767:15/2", "nwparser.p0", "log was reviewed by %{p0}"); + +var part1865 = // "Pattern{Field(,true), Constant(' '), Field(username,false), Constant('.')}" +match("MESSAGE#1161:00767:15/4", "nwparser.p0", "%{} %{username}."); + +var all386 = all_match({ + processors: [ + dup185, + select417, + part1864, + dup338, + part1865, + ], + on_success: processor_chain([ + dup225, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1177 = msg("00767:15", all386); + +var part1866 = // "Pattern{Field(fld2,true), Constant(' Admin '), Field(administrator,true), Constant(' issued command '), Field(info,true), Constant(' to redirect output.')}" +match("MESSAGE#1162:00767:16", "nwparser.payload", "%{fld2->} Admin %{administrator->} issued command %{info->} to redirect output.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1178 = msg("00767:16", part1866); + +var part1867 = // "Pattern{Field(fld2,true), Constant(' Save new software from '), Field(fld3,true), Constant(' to flash by admin '), Field(p0,false)}" +match("MESSAGE#1163:00767:17/0", "nwparser.payload", "%{fld2->} Save new software from %{fld3->} to flash by admin %{p0}"); + +var all387 = all_match({ + processors: [ + part1867, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg1179 = msg("00767:17", all387); + +var part1868 = // "Pattern{Constant('Attack database version '), Field(version,true), Constant(' has been '), Field(fld2,true), Constant(' saved to flash.')}" +match("MESSAGE#1164:00767:18", "nwparser.payload", "Attack database version %{version->} has been %{fld2->} saved to flash.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1180 = msg("00767:18", part1868); + +var part1869 = // "Pattern{Constant('Attack database version '), Field(version,true), Constant(' was rejected because the authentication check failed.')}" +match("MESSAGE#1165:00767:19", "nwparser.payload", "Attack database version %{version->} was rejected because the authentication check failed.", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1181 = msg("00767:19", part1869); + +var part1870 = // "Pattern{Constant('The dictionary file version of the RADIUS server '), Field(hostname,true), Constant(' does not match '), Field(fld2,false)}" +match("MESSAGE#1166:00767:20", "nwparser.payload", "The dictionary file version of the RADIUS server %{hostname->} does not match %{fld2}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1182 = msg("00767:20", part1870); + +var part1871 = // "Pattern{Constant('Session ('), Field(fld2,true), Constant(' '), Field(fld3,false), Constant(', '), Field(fld4,false), Constant(') cleared '), Field(fld5,false)}" +match("MESSAGE#1167:00767:21", "nwparser.payload", "Session (%{fld2->} %{fld3}, %{fld4}) cleared %{fld5}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1183 = msg("00767:21", part1871); + +var part1872 = // "Pattern{Constant('The system configuration was not saved '), Field(p0,false)}" +match("MESSAGE#1168:00767:22/0", "nwparser.payload", "The system configuration was not saved %{p0}"); + +var part1873 = // "Pattern{Field(fld2,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer '), Field(p0,false)}" +match("MESSAGE#1168:00767:22/1_0", "nwparser.p0", "%{fld2->} by admin %{administrator->} via NSRP Peer %{p0}"); + +var part1874 = // "Pattern{Constant(''), Field(fld2,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#1168:00767:22/1_1", "nwparser.p0", "%{fld2->} %{p0}"); + +var select418 = linear_select([ + part1873, + part1874, +]); + +var part1875 = // "Pattern{Constant('by administrator '), Field(fld3,false), Constant('. '), Field(p0,false)}" +match("MESSAGE#1168:00767:22/2", "nwparser.p0", "by administrator %{fld3}. %{p0}"); + +var part1876 = // "Pattern{Constant('It was locked '), Field(p0,false)}" +match("MESSAGE#1168:00767:22/3_0", "nwparser.p0", "It was locked %{p0}"); + +var part1877 = // "Pattern{Constant('Locked '), Field(p0,false)}" +match("MESSAGE#1168:00767:22/3_1", "nwparser.p0", "Locked %{p0}"); + +var select419 = linear_select([ + part1876, + part1877, +]); + +var part1878 = // "Pattern{Constant('by administrator '), Field(fld4,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#1168:00767:22/4", "nwparser.p0", "by administrator %{fld4->} %{p0}"); + +var all388 = all_match({ + processors: [ + part1872, + select418, + part1875, + select419, + part1878, + dup356, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg1184 = msg("00767:22", all388); + +var part1879 = // "Pattern{Constant('Save new software from slot filename '), Field(filename,true), Constant(' to flash memory by administrator '), Field(administrator,false)}" +match("MESSAGE#1169:00767:23", "nwparser.payload", "Save new software from slot filename %{filename->} to flash memory by administrator %{administrator}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var msg1185 = msg("00767:23", part1879); + +var part1880 = // "Pattern{Constant('System configuration saved by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' from '), Field(p0,false)}" +match("MESSAGE#1170:00767:25/0", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} from %{p0}"); + +var select420 = linear_select([ + dup171, + dup16, +]); + +var part1881 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' by '), Field(p0,false)}" +match("MESSAGE#1170:00767:25/3_0", "nwparser.p0", "%{saddr}:%{sport->} by %{p0}"); + +var part1882 = // "Pattern{Field(saddr,true), Constant(' by '), Field(p0,false)}" +match("MESSAGE#1170:00767:25/3_1", "nwparser.p0", "%{saddr->} by %{p0}"); + +var select421 = linear_select([ + part1881, + part1882, +]); + +var all389 = all_match({ + processors: [ + part1880, + select420, + dup23, + select421, + dup108, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var msg1186 = msg("00767:25", all389); + +var part1883 = // "Pattern{Constant('Lock configuration '), Field(p0,false)}" +match("MESSAGE#1171:00767:26/0", "nwparser.payload", "Lock configuration %{p0}"); + +var part1884 = // "Pattern{Constant('started'), Field(p0,false)}" +match("MESSAGE#1171:00767:26/1_0", "nwparser.p0", "started%{p0}"); + +var part1885 = // "Pattern{Constant('ended'), Field(p0,false)}" +match("MESSAGE#1171:00767:26/1_1", "nwparser.p0", "ended%{p0}"); + +var select422 = linear_select([ + part1884, + part1885, +]); + +var part1886 = // "Pattern{Field(,false), Constant('by task '), Field(p0,false)}" +match("MESSAGE#1171:00767:26/2", "nwparser.p0", "%{}by task %{p0}"); + +var part1887 = // "Pattern{Constant(''), Field(fld3,false), Constant(', with a timeout value of '), Field(fld2,false)}" +match("MESSAGE#1171:00767:26/3_0", "nwparser.p0", "%{fld3}, with a timeout value of %{fld2}"); + +var part1888 = // "Pattern{Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1171:00767:26/3_1", "nwparser.p0", "%{fld2->} (%{fld1})"); + +var select423 = linear_select([ + part1887, + part1888, +]); + +var all390 = all_match({ + processors: [ + part1883, + select422, + part1886, + select423, + ], + on_success: processor_chain([ + dup50, + dup43, + dup51, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg1187 = msg("00767:26", all390); + +var part1889 = // "Pattern{Constant('Environment variable '), Field(fld2,true), Constant(' changed to '), Field(p0,false)}" +match("MESSAGE#1172:00767:27/0", "nwparser.payload", "Environment variable %{fld2->} changed to %{p0}"); + +var part1890 = // "Pattern{Field(fld3,true), Constant(' by '), Field(username,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1172:00767:27/1_0", "nwparser.p0", "%{fld3->} by %{username->} (%{fld1})"); + +var part1891 = // "Pattern{Field(fld3,false)}" +match_copy("MESSAGE#1172:00767:27/1_1", "nwparser.p0", "fld3"); + +var select424 = linear_select([ + part1890, + part1891, +]); + +var all391 = all_match({ + processors: [ + part1889, + select424, + ], + on_success: processor_chain([ + dup225, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg1188 = msg("00767:27", all391); + +var part1892 = // "Pattern{Constant('The system configuration was loaded from IP address '), Field(hostip,true), Constant(' under filename '), Field(filename,true), Constant(' by administrator by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1173:00767:28", "nwparser.payload", "The system configuration was loaded from IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1189 = msg("00767:28", part1892); + +var part1893 = // "Pattern{Constant('Save configuration to IP address '), Field(hostip,true), Constant(' under filename '), Field(filename,true), Constant(' by administrator by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1174:00767:29", "nwparser.payload", "Save configuration to IP address %{hostip->} under filename %{filename->} by administrator by admin %{administrator->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1190 = msg("00767:29", part1893); + +var part1894 = // "Pattern{Field(fld2,false), Constant(': The system configuration was saved from host '), Field(saddr,true), Constant(' by admin '), Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1175:00767:30", "nwparser.payload", "%{fld2}: The system configuration was saved from host %{saddr->} by admin %{administrator->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1191 = msg("00767:30", part1894); + +var part1895 = // "Pattern{Constant('logged events or alarms '), Field(p0,false)}" +match("MESSAGE#1176:00767:31/1_0", "nwparser.p0", "logged events or alarms %{p0}"); + +var part1896 = // "Pattern{Constant('traffic logs '), Field(p0,false)}" +match("MESSAGE#1176:00767:31/1_1", "nwparser.p0", "traffic logs %{p0}"); + +var select425 = linear_select([ + part1895, + part1896, +]); + +var part1897 = // "Pattern{Constant('were cleared by admin '), Field(p0,false)}" +match("MESSAGE#1176:00767:31/2", "nwparser.p0", "were cleared by admin %{p0}"); + +var all392 = all_match({ + processors: [ + dup188, + select425, + part1897, + dup400, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg1192 = msg("00767:31", all392); + +var part1898 = // "Pattern{Constant('SIP parser error '), Field(p0,false)}" +match("MESSAGE#1177:00767:32/0", "nwparser.payload", "SIP parser error %{p0}"); + +var part1899 = // "Pattern{Constant('SIP-field'), Field(p0,false)}" +match("MESSAGE#1177:00767:32/1_0", "nwparser.p0", "SIP-field%{p0}"); + +var part1900 = // "Pattern{Constant('Message'), Field(p0,false)}" +match("MESSAGE#1177:00767:32/1_1", "nwparser.p0", "Message%{p0}"); + +var select426 = linear_select([ + part1899, + part1900, +]); + +var part1901 = // "Pattern{Constant(': '), Field(result,false), Constant('('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1177:00767:32/2", "nwparser.p0", ": %{result}(%{fld1})"); + +var all393 = all_match({ + processors: [ + part1898, + select426, + part1901, + ], + on_success: processor_chain([ + dup27, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg1193 = msg("00767:32", all393); + +var part1902 = // "Pattern{Constant('Daylight Saving Time has started. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1178:00767:33", "nwparser.payload", "Daylight Saving Time has started. (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1194 = msg("00767:33", part1902); + +var part1903 = // "Pattern{Constant('NetScreen devices do not support multiple IP addresses '), Field(hostip,true), Constant(' or ports '), Field(network_port,true), Constant(' in SIP headers RESPONSE ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1179:00767:34", "nwparser.payload", "NetScreen devices do not support multiple IP addresses %{hostip->} or ports %{network_port->} in SIP headers RESPONSE (%{fld1})", processor_chain([ + dup315, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1195 = msg("00767:34", part1903); + +var part1904 = // "Pattern{Constant('Environment variable '), Field(fld2,true), Constant(' set to '), Field(fld3,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1180:00767:35", "nwparser.payload", "Environment variable %{fld2->} set to %{fld3->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1196 = msg("00767:35", part1904); + +var part1905 = // "Pattern{Constant('System configuration saved from '), Field(fld2,true), Constant(' by '), Field(username,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1181:00767:36", "nwparser.payload", "System configuration saved from %{fld2->} by %{username->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1197 = msg("00767:36", part1905); + +var part1906 = // "Pattern{Constant('Trial keys are available to download to enable advanced features. '), Field(space,true), Constant(' To find out, please visit '), Field(url,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1182:00767:37", "nwparser.payload", "Trial keys are available to download to enable advanced features. %{space->} To find out, please visit %{url->} (%{fld1})", processor_chain([ + dup256, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1198 = msg("00767:37", part1906); + +var part1907 = // "Pattern{Constant('Log buffer was full and remaining messages were sent to external destination. '), Field(fld2,true), Constant(' packets were dropped. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1183:00767:38", "nwparser.payload", "Log buffer was full and remaining messages were sent to external destination. %{fld2->} packets were dropped. (%{fld1})", processor_chain([ + setc("eventcategory","1602000000"), + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1199 = msg("00767:38", part1907); + +var part1908 = // "Pattern{Constant('Cannot '), Field(p0,false)}" +match("MESSAGE#1184:00767:39/0", "nwparser.payload", "Cannot %{p0}"); + +var part1909 = // "Pattern{Constant('download '), Field(p0,false)}" +match("MESSAGE#1184:00767:39/1_0", "nwparser.p0", "download %{p0}"); + +var part1910 = // "Pattern{Constant('parse '), Field(p0,false)}" +match("MESSAGE#1184:00767:39/1_1", "nwparser.p0", "parse %{p0}"); + +var select427 = linear_select([ + part1909, + part1910, +]); + +var part1911 = // "Pattern{Constant('attack database '), Field(p0,false)}" +match("MESSAGE#1184:00767:39/2", "nwparser.p0", "attack database %{p0}"); + +var part1912 = // "Pattern{Constant('from '), Field(url,true), Constant(' ('), Field(result,false), Constant('). '), Field(p0,false)}" +match("MESSAGE#1184:00767:39/3_0", "nwparser.p0", "from %{url->} (%{result}). %{p0}"); + +var part1913 = // "Pattern{Field(fld2,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#1184:00767:39/3_1", "nwparser.p0", "%{fld2->} %{p0}"); + +var select428 = linear_select([ + part1912, + part1913, +]); + +var all394 = all_match({ + processors: [ + part1908, + select427, + part1911, + select428, + dup10, + ], + on_success: processor_chain([ + dup326, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg1200 = msg("00767:39", all394); + +var part1914 = // "Pattern{Constant('Deep Inspection update key is '), Field(disposition,false), Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1185:00767:40", "nwparser.payload", "Deep Inspection update key is %{disposition}. (%{fld1})", processor_chain([ + dup62, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1201 = msg("00767:40", part1914); + +var part1915 = // "Pattern{Constant('System configuration saved by '), Field(username,true), Constant(' via '), Field(logon_type,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' by '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1186:00767:42", "nwparser.payload", "System configuration saved by %{username->} via %{logon_type->} to %{daddr}:%{dport->} by %{fld2->} (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1202 = msg("00767:42", part1915); + +var part1916 = // "Pattern{Constant('Daylight Saving Time ended. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1187:00767:43", "nwparser.payload", "Daylight Saving Time ended. (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1203 = msg("00767:43", part1916); + +var part1917 = // "Pattern{Constant('New GMT zone ahead or behind by '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1188:00767:44", "nwparser.payload", "New GMT zone ahead or behind by %{fld2->} (%{fld1})", processor_chain([ + dup44, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1204 = msg("00767:44", part1917); + +var part1918 = // "Pattern{Constant('Attack database version '), Field(version,true), Constant(' is saved to flash. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1189:00767:45", "nwparser.payload", "Attack database version %{version->} is saved to flash. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1205 = msg("00767:45", part1918); + +var part1919 = // "Pattern{Constant('System configuration saved by netscreen via '), Field(logon_type,true), Constant(' by netscreen. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1190:00767:46", "nwparser.payload", "System configuration saved by netscreen via %{logon_type->} by netscreen. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1206 = msg("00767:46", part1919); + +var part1920 = // "Pattern{Constant('User '), Field(username,true), Constant(' belongs to a different group in the RADIUS server than that allowed in the device. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1191:00767:47", "nwparser.payload", "User %{username->} belongs to a different group in the RADIUS server than that allowed in the device. (%{fld1})", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup9, +])); + +var msg1207 = msg("00767:47", part1920); + +var part1921 = // "Pattern{Constant('System configuration saved by '), Field(p0,false)}" +match("MESSAGE#1192:00767:24/0", "nwparser.payload", "System configuration saved by %{p0}"); + +var part1922 = // "Pattern{Field(logon_type,true), Constant(' by '), Field(fld2,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1192:00767:24/2", "nwparser.p0", "%{logon_type->} by %{fld2->} (%{fld1})"); + +var all395 = all_match({ + processors: [ + part1921, + dup367, + part1922, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup9, + dup4, + dup5, + ]), +}); + +var msg1208 = msg("00767:24", all395); + +var part1923 = // "Pattern{Constant('HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1193:00767:48", "nwparser.payload", "HA: Synchronization file(s) hidden file end with c sent to backup device in cluster. (%{fld1})", processor_chain([ + dup274, + dup2, + dup3, + dup9, + dup4, + dup5, +])); + +var msg1209 = msg("00767:48", part1923); + +var part1924 = // "Pattern{Field(fld2,true), Constant(' turn o'), Field(p0,false)}" +match("MESSAGE#1194:00767:49/0", "nwparser.payload", "%{fld2->} turn o%{p0}"); + +var part1925 = // "Pattern{Constant('n'), Field(p0,false)}" +match("MESSAGE#1194:00767:49/1_0", "nwparser.p0", "n%{p0}"); + +var part1926 = // "Pattern{Constant('ff'), Field(p0,false)}" +match("MESSAGE#1194:00767:49/1_1", "nwparser.p0", "ff%{p0}"); + +var select429 = linear_select([ + part1925, + part1926, +]); + +var part1927 = // "Pattern{Field(,false), Constant('debug switch for '), Field(fld3,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#1194:00767:49/2", "nwparser.p0", "%{}debug switch for %{fld3->} (%{fld1})"); + +var all396 = all_match({ + processors: [ + part1924, + select429, + part1927, + ], + on_success: processor_chain([ + dup1, + dup2, + dup4, + dup5, + dup9, + ]), +}); + +var msg1210 = msg("00767:49", all396); + +var select430 = linear_select([ + msg1158, + msg1159, + msg1160, + msg1161, + msg1162, + msg1163, + msg1164, + msg1165, + msg1166, + msg1167, + msg1168, + msg1169, + msg1170, + msg1171, + msg1172, + msg1173, + msg1174, + msg1175, + msg1176, + msg1177, + msg1178, + msg1179, + msg1180, + msg1181, + msg1182, + msg1183, + msg1184, + msg1185, + msg1186, + msg1187, + msg1188, + msg1189, + msg1190, + msg1191, + msg1192, + msg1193, + msg1194, + msg1195, + msg1196, + msg1197, + msg1198, + msg1199, + msg1200, + msg1201, + msg1202, + msg1203, + msg1204, + msg1205, + msg1206, + msg1207, + msg1208, + msg1209, + msg1210, +]); + +var part1928 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" +match("MESSAGE#1195:01269", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup187, + dup2, + dup4, + dup5, + dup276, + dup279, + dup3, + dup277, + dup60, +])); + +var msg1211 = msg("01269", part1928); + +var msg1212 = msg("01269:01", dup410); + +var msg1213 = msg("01269:02", dup411); + +var msg1214 = msg("01269:03", dup412); + +var select431 = linear_select([ + msg1211, + msg1212, + msg1213, + msg1214, +]); + +var part1929 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" +match("MESSAGE#1199:17852", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup187, + dup2, + dup4, + dup5, + dup276, + dup3, + dup278, + dup279, + dup277, + dup334, +])); + +var msg1215 = msg("17852", part1929); + +var part1930 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" +match("MESSAGE#1200:17852:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup276, + dup3, + dup277, + dup334, + dup284, +])); + +var msg1216 = msg("17852:01", part1930); + +var part1931 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" +match("MESSAGE#1201:17852:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup187, + dup2, + dup4, + dup5, + dup276, + dup3, + dup277, + dup278, + dup279, + dup61, +])); + +var msg1217 = msg("17852:02", part1931); + +var part1932 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" +match("MESSAGE#1202:17852:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup276, + dup3, + dup277, + dup334, + dup284, +])); + +var msg1218 = msg("17852:03", part1932); + +var select432 = linear_select([ + msg1215, + msg1216, + msg1217, + msg1218, +]); + +var msg1219 = msg("23184", dup413); + +var part1933 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" +match("MESSAGE#1204:23184:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup276, + dup3, + dup277, + dup61, + dup284, +])); + +var msg1220 = msg("23184:01", part1933); + +var part1934 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" +match("MESSAGE#1205:23184:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup187, + dup2, + dup4, + dup5, + dup276, + dup3, + dup278, + dup279, + dup277, + dup61, +])); + +var msg1221 = msg("23184:02", part1934); + +var part1935 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" +match("MESSAGE#1206:23184:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup276, + dup3, + dup277, + dup334, + dup284, +])); + +var msg1222 = msg("23184:03", part1935); + +var select433 = linear_select([ + msg1219, + msg1220, + msg1221, + msg1222, +]); + +var msg1223 = msg("27052", dup413); + +var part1936 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,false), Constant('direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" +match("MESSAGE#1208:27052:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol}direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup276, + dup3, + dup277, + dup61, + dup284, +])); + +var msg1224 = msg("27052:01", part1936); + +var select434 = linear_select([ + msg1223, + msg1224, +]); + +var part1937 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" +match("MESSAGE#1209:39568", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup187, + dup2, + dup4, + dup279, + dup5, + dup276, + dup3, + dup277, + dup278, + dup60, +])); + +var msg1225 = msg("39568", part1937); + +var msg1226 = msg("39568:01", dup410); + +var msg1227 = msg("39568:02", dup411); + +var msg1228 = msg("39568:03", dup412); + +var select435 = linear_select([ + msg1225, + msg1226, + msg1227, + msg1228, +]); + +var chain1 = processor_chain([ + select2, + msgid_select({ + "00001": select6, + "00002": select29, + "00003": select31, + "00004": select33, + "00005": select39, + "00006": select40, + "00007": select63, + "00008": select66, + "00009": select83, + "00010": select86, + "00011": select100, + "00012": select101, + "00013": select102, + "00014": select104, + "00015": select114, + "00016": select115, + "00017": select125, + "00018": select138, + "00019": select147, + "00020": select150, + "00021": select151, + "00022": select163, + "00023": select164, + "00024": select170, + "00025": select171, + "00026": select176, + "00027": select184, + "00028": msg469, + "00029": select188, + "00030": select197, + "00031": select205, + "00032": select207, + "00033": select214, + "00034": select225, + "00035": select232, + "00036": select234, + "00037": select241, + "00038": msg660, + "00039": msg661, + "00040": select244, + "00041": select245, + "00042": select246, + "00043": msg668, + "00044": select248, + "00045": msg671, + "00047": msg672, + "00048": select257, + "00049": select258, + "00050": msg682, + "00051": msg683, + "00052": msg684, + "00055": select265, + "00056": msg696, + "00057": msg697, + "00058": msg698, + "00059": select272, + "00062": select273, + "00063": msg713, + "00064": select274, + "00070": select276, + "00071": select277, + "00072": select278, + "00073": select279, + "00074": msg726, + "00075": select280, + "00076": select281, + "00077": select282, + "00084": msg735, + "00090": msg736, + "00200": msg737, + "00201": msg738, + "00202": msg739, + "00203": msg740, + "00206": select285, + "00207": select286, + "00257": select291, + "00259": select294, + "00262": msg778, + "00263": msg779, + "00400": msg780, + "00401": msg781, + "00402": select296, + "00403": msg784, + "00404": msg785, + "00405": msg786, + "00406": msg787, + "00407": msg788, + "00408": msg789, + "00409": msg790, + "00410": select297, + "00411": msg793, + "00413": select298, + "00414": select299, + "00415": msg799, + "00423": msg800, + "00429": select300, + "00430": select301, + "00431": msg805, + "00432": msg806, + "00433": msg807, + "00434": msg808, + "00435": select302, + "00436": select303, + "00437": select304, + "00438": select305, + "00440": select306, + "00441": msg823, + "00442": msg824, + "00443": msg825, + "00511": select307, + "00513": msg841, + "00515": select328, + "00518": select331, + "00519": select336, + "00520": select339, + "00521": msg890, + "00522": msg891, + "00523": msg892, + "00524": select340, + "00525": select341, + "00526": msg912, + "00527": select348, + "00528": select354, + "00529": select357, + "00530": select358, + "00531": select362, + "00533": msg973, + "00534": msg974, + "00535": select363, + "00536": select365, + "00537": select366, + "00538": select372, + "00539": select373, + "00541": select375, + "00542": msg1062, + "00543": msg1063, + "00544": msg1064, + "00546": msg1065, + "00547": select379, + "00549": msg1070, + "00551": select381, + "00553": select385, + "00554": select391, + "00555": msg1117, + "00556": select401, + "00572": select402, + "00601": select404, + "00602": msg1148, + "00612": msg1149, + "00615": select403, + "00620": select408, + "00622": msg1155, + "00625": msg1156, + "00628": msg1157, + "00767": select430, + "01269": select431, + "17852": select432, + "23184": select433, + "27052": select434, + "39568": select435, + }), +]); + +var part1938 = // "Pattern{Constant('Address '), Field(group_object,true), Constant(' for '), Field(p0,false)}" +match("MESSAGE#2:00001:02/0", "nwparser.payload", "Address %{group_object->} for %{p0}"); + +var part1939 = // "Pattern{Constant('domain address '), Field(domain,true), Constant(' in zone '), Field(p0,false)}" +match("MESSAGE#2:00001:02/1_1", "nwparser.p0", "domain address %{domain->} in zone %{p0}"); + +var part1940 = // "Pattern{Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#4:00001:04/3_0", "nwparser.p0", " (%{fld1})"); + +var part1941 = // "Pattern{Constant('('), Field(fld1,false), Constant(')')}" +match("MESSAGE#5:00001:05/1_0", "nwparser.p0", "(%{fld1})"); + +var part1942 = // "Pattern{Field(fld1,false)}" +match_copy("MESSAGE#5:00001:05/1_1", "nwparser.p0", "fld1"); + +var part1943 = // "Pattern{Constant('Address '), Field(p0,false)}" +match("MESSAGE#8:00001:08/0", "nwparser.payload", "Address %{p0}"); + +var part1944 = // "Pattern{Constant('MIP('), Field(interface,false), Constant(') '), Field(p0,false)}" +match("MESSAGE#8:00001:08/1_0", "nwparser.p0", "MIP(%{interface}) %{p0}"); + +var part1945 = // "Pattern{Field(group_object,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#8:00001:08/1_1", "nwparser.p0", "%{group_object->} %{p0}"); + +var part1946 = // "Pattern{Constant('admin '), Field(p0,false)}" +match("MESSAGE#8:00001:08/3_0", "nwparser.p0", "admin %{p0}"); + +var part1947 = // "Pattern{Field(p0,false)}" +match_copy("MESSAGE#8:00001:08/3_1", "nwparser.p0", "p0"); + +var part1948 = // "Pattern{Constant('from host '), Field(saddr,true), Constant(' ')}" +match("MESSAGE#25:00002:20/1_1", "nwparser.p0", "from host %{saddr->} "); + +var part1949 = // "Pattern{}" +match_copy("MESSAGE#25:00002:20/1_2", "nwparser.p0", ""); + +var part1950 = // "Pattern{Constant(''), Field(p0,false)}" +match("MESSAGE#26:00002:21/1", "nwparser.p0", "%{p0}"); + +var part1951 = // "Pattern{Constant('password '), Field(p0,false)}" +match("MESSAGE#26:00002:21/2_0", "nwparser.p0", "password %{p0}"); + +var part1952 = // "Pattern{Constant('name '), Field(p0,false)}" +match("MESSAGE#26:00002:21/2_1", "nwparser.p0", "name %{p0}"); + +var part1953 = // "Pattern{Field(administrator,false)}" +match_copy("MESSAGE#27:00002:22/1_2", "nwparser.p0", "administrator"); + +var part1954 = // "Pattern{Field(disposition,false)}" +match_copy("MESSAGE#42:00002:38/1_1", "nwparser.p0", "disposition"); + +var part1955 = // "Pattern{Constant('via '), Field(p0,false)}" +match("MESSAGE#46:00002:42/1_1", "nwparser.p0", "via %{p0}"); + +var part1956 = // "Pattern{Field(fld1,false), Constant(')')}" +match("MESSAGE#46:00002:42/4", "nwparser.p0", "%{fld1})"); + +var part1957 = // "Pattern{Field(logon_type,true), Constant(' from host '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant('. ('), Field(p0,false)}" +match("MESSAGE#52:00002:48/3_1", "nwparser.p0", "%{logon_type->} from host %{saddr->} to %{daddr}:%{dport}. (%{p0}"); + +var part1958 = // "Pattern{Constant('admin '), Field(administrator,true), Constant(' via '), Field(p0,false)}" +match("MESSAGE#53:00002:52/3_0", "nwparser.p0", "admin %{administrator->} via %{p0}"); + +var part1959 = // "Pattern{Field(username,true), Constant(' via '), Field(p0,false)}" +match("MESSAGE#53:00002:52/3_2", "nwparser.p0", "%{username->} via %{p0}"); + +var part1960 = // "Pattern{Constant('NSRP Peer . ('), Field(p0,false)}" +match("MESSAGE#53:00002:52/4_0", "nwparser.p0", "NSRP Peer . (%{p0}"); + +var part1961 = // "Pattern{Constant('. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#55:00002:54/2", "nwparser.p0", ". (%{fld1})"); + +var part1962 = // "Pattern{Constant('changed'), Field(p0,false)}" +match("MESSAGE#56:00002/1_1", "nwparser.p0", "changed%{p0}"); + +var part1963 = // "Pattern{Constant('The '), Field(p0,false)}" +match("MESSAGE#61:00003:05/0", "nwparser.payload", "The %{p0}"); + +var part1964 = // "Pattern{Constant('interface'), Field(p0,false)}" +match("MESSAGE#66:00004:04/1_0", "nwparser.p0", "interface%{p0}"); + +var part1965 = // "Pattern{Constant('Interface'), Field(p0,false)}" +match("MESSAGE#66:00004:04/1_1", "nwparser.p0", "Interface%{p0}"); + +var part1966 = // "Pattern{Constant('DNS entries have been '), Field(p0,false)}" +match("MESSAGE#76:00004:14/0", "nwparser.payload", "DNS entries have been %{p0}"); + +var part1967 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(p0,false)}" +match("MESSAGE#79:00004:17/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{p0}"); + +var part1968 = // "Pattern{Field(zone,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#79:00004:17/1_0", "nwparser.p0", "%{zone}, %{p0}"); + +var part1969 = // "Pattern{Field(zone,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#79:00004:17/1_1", "nwparser.p0", "%{zone->} %{p0}"); + +var part1970 = // "Pattern{Constant('int '), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#79:00004:17/2", "nwparser.p0", "int %{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); + +var part1971 = // "Pattern{Field(dport,false), Constant(','), Field(p0,false)}" +match("MESSAGE#83:00005:03/1_0", "nwparser.p0", "%{dport},%{p0}"); + +var part1972 = // "Pattern{Field(dport,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#83:00005:03/1_1", "nwparser.p0", "%{dport->} %{p0}"); + +var part1973 = // "Pattern{Field(space,false), Constant('using protocol '), Field(p0,false)}" +match("MESSAGE#83:00005:03/2", "nwparser.p0", "%{space}using protocol %{p0}"); + +var part1974 = // "Pattern{Field(protocol,false), Constant(','), Field(p0,false)}" +match("MESSAGE#83:00005:03/3_0", "nwparser.p0", "%{protocol},%{p0}"); + +var part1975 = // "Pattern{Field(protocol,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#83:00005:03/3_1", "nwparser.p0", "%{protocol->} %{p0}"); + +var part1976 = // "Pattern{Constant('. '), Field(p0,false)}" +match("MESSAGE#83:00005:03/5_1", "nwparser.p0", ". %{p0}"); + +var part1977 = // "Pattern{Field(fld2,false), Constant(': SYN '), Field(p0,false)}" +match("MESSAGE#86:00005:06/0_0", "nwparser.payload", "%{fld2}: SYN %{p0}"); + +var part1978 = // "Pattern{Constant('SYN '), Field(p0,false)}" +match("MESSAGE#86:00005:06/0_1", "nwparser.payload", "SYN %{p0}"); + +var part1979 = // "Pattern{Constant('timeout value '), Field(p0,false)}" +match("MESSAGE#87:00005:07/1_2", "nwparser.p0", "timeout value %{p0}"); + +var part1980 = // "Pattern{Constant('destination '), Field(p0,false)}" +match("MESSAGE#88:00005:08/2_0", "nwparser.p0", "destination %{p0}"); + +var part1981 = // "Pattern{Constant('source '), Field(p0,false)}" +match("MESSAGE#88:00005:08/2_1", "nwparser.p0", "source %{p0}"); + +var part1982 = // "Pattern{Constant('A '), Field(p0,false)}" +match("MESSAGE#97:00005:17/0", "nwparser.payload", "A %{p0}"); + +var part1983 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#98:00005:18/0", "nwparser.payload", "%{signame->} From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + +var part1984 = // "Pattern{Constant(', int '), Field(p0,false)}" +match("MESSAGE#98:00005:18/1_0", "nwparser.p0", ", int %{p0}"); + +var part1985 = // "Pattern{Constant('int '), Field(p0,false)}" +match("MESSAGE#98:00005:18/1_1", "nwparser.p0", "int %{p0}"); + +var part1986 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#98:00005:18/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times. (%{fld1})"); + +var part1987 = // "Pattern{Constant('HA '), Field(p0,false)}" +match("MESSAGE#111:00007:04/0", "nwparser.payload", "HA %{p0}"); + +var part1988 = // "Pattern{Constant('encryption '), Field(p0,false)}" +match("MESSAGE#111:00007:04/1_0", "nwparser.p0", "encryption %{p0}"); + +var part1989 = // "Pattern{Constant('authentication '), Field(p0,false)}" +match("MESSAGE#111:00007:04/1_1", "nwparser.p0", "authentication %{p0}"); + +var part1990 = // "Pattern{Constant('key '), Field(p0,false)}" +match("MESSAGE#111:00007:04/3_1", "nwparser.p0", "key %{p0}"); + +var part1991 = // "Pattern{Constant('disabled'), Field(,false)}" +match("MESSAGE#118:00007:11/1_0", "nwparser.p0", "disabled%{}"); + +var part1992 = // "Pattern{Constant('set to '), Field(trigger_val,false)}" +match("MESSAGE#118:00007:11/1_1", "nwparser.p0", "set to %{trigger_val}"); + +var part1993 = // "Pattern{Constant('up'), Field(,false)}" +match("MESSAGE#127:00007:21/1_0", "nwparser.p0", "up%{}"); + +var part1994 = // "Pattern{Constant('down'), Field(,false)}" +match("MESSAGE#127:00007:21/1_1", "nwparser.p0", "down%{}"); + +var part1995 = // "Pattern{Constant(' '), Field(p0,false)}" +match("MESSAGE#139:00007:33/2_1", "nwparser.p0", " %{p0}"); + +var part1996 = // "Pattern{Constant('set'), Field(,false)}" +match("MESSAGE#143:00007:37/1_0", "nwparser.p0", "set%{}"); + +var part1997 = // "Pattern{Constant('unset'), Field(,false)}" +match("MESSAGE#143:00007:37/1_1", "nwparser.p0", "unset%{}"); + +var part1998 = // "Pattern{Constant('undefined '), Field(p0,false)}" +match("MESSAGE#144:00007:38/1_0", "nwparser.p0", "undefined %{p0}"); + +var part1999 = // "Pattern{Constant('set '), Field(p0,false)}" +match("MESSAGE#144:00007:38/1_1", "nwparser.p0", "set %{p0}"); + +var part2000 = // "Pattern{Constant('active '), Field(p0,false)}" +match("MESSAGE#144:00007:38/1_2", "nwparser.p0", "active %{p0}"); + +var part2001 = // "Pattern{Constant('to '), Field(p0,false)}" +match("MESSAGE#144:00007:38/2", "nwparser.p0", "to %{p0}"); + +var part2002 = // "Pattern{Constant('created '), Field(p0,false)}" +match("MESSAGE#157:00007:51/1_0", "nwparser.p0", "created %{p0}"); + +var part2003 = // "Pattern{Constant(', '), Field(p0,false)}" +match("MESSAGE#157:00007:51/3_0", "nwparser.p0", ", %{p0}"); + +var part2004 = // "Pattern{Constant('is '), Field(p0,false)}" +match("MESSAGE#157:00007:51/5_0", "nwparser.p0", "is %{p0}"); + +var part2005 = // "Pattern{Constant('was '), Field(p0,false)}" +match("MESSAGE#157:00007:51/5_1", "nwparser.p0", "was %{p0}"); + +var part2006 = // "Pattern{Constant(''), Field(fld2,false)}" +match("MESSAGE#157:00007:51/6", "nwparser.p0", "%{fld2}"); + +var part2007 = // "Pattern{Constant('threshold '), Field(p0,false)}" +match("MESSAGE#163:00007:57/1_0", "nwparser.p0", "threshold %{p0}"); + +var part2008 = // "Pattern{Constant('interval '), Field(p0,false)}" +match("MESSAGE#163:00007:57/1_1", "nwparser.p0", "interval %{p0}"); + +var part2009 = // "Pattern{Constant('of '), Field(p0,false)}" +match("MESSAGE#163:00007:57/3_0", "nwparser.p0", "of %{p0}"); + +var part2010 = // "Pattern{Constant('that '), Field(p0,false)}" +match("MESSAGE#163:00007:57/3_1", "nwparser.p0", "that %{p0}"); + +var part2011 = // "Pattern{Constant('Zone '), Field(p0,false)}" +match("MESSAGE#170:00007:64/0_0", "nwparser.payload", "Zone %{p0}"); + +var part2012 = // "Pattern{Constant('Interface '), Field(p0,false)}" +match("MESSAGE#170:00007:64/0_1", "nwparser.payload", "Interface %{p0}"); + +var part2013 = // "Pattern{Constant('n '), Field(p0,false)}" +match("MESSAGE#172:00007:66/2_1", "nwparser.p0", "n %{p0}"); + +var part2014 = // "Pattern{Constant('.'), Field(,false)}" +match("MESSAGE#174:00007:68/4", "nwparser.p0", ".%{}"); + +var part2015 = // "Pattern{Constant('for '), Field(p0,false)}" +match("MESSAGE#195:00009:06/1", "nwparser.p0", "for %{p0}"); + +var part2016 = // "Pattern{Constant('the '), Field(p0,false)}" +match("MESSAGE#195:00009:06/2_0", "nwparser.p0", "the %{p0}"); + +var part2017 = // "Pattern{Constant('removed '), Field(p0,false)}" +match("MESSAGE#195:00009:06/4_0", "nwparser.p0", "removed %{p0}"); + +var part2018 = // "Pattern{Constant('interface '), Field(p0,false)}" +match("MESSAGE#202:00009:14/2_0", "nwparser.p0", "interface %{p0}"); + +var part2019 = // "Pattern{Constant('the interface '), Field(p0,false)}" +match("MESSAGE#202:00009:14/2_1", "nwparser.p0", "the interface %{p0}"); + +var part2020 = // "Pattern{Field(interface,false)}" +match_copy("MESSAGE#202:00009:14/4_1", "nwparser.p0", "interface"); + +var part2021 = // "Pattern{Constant('s '), Field(p0,false)}" +match("MESSAGE#203:00009:15/1_1", "nwparser.p0", "s %{p0}"); + +var part2022 = // "Pattern{Constant('on interface '), Field(interface,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#203:00009:15/2", "nwparser.p0", "on interface %{interface->} %{p0}"); + +var part2023 = // "Pattern{Constant('has been '), Field(p0,false)}" +match("MESSAGE#203:00009:15/3_0", "nwparser.p0", "has been %{p0}"); + +var part2024 = // "Pattern{Constant(''), Field(disposition,false), Constant('.')}" +match("MESSAGE#203:00009:15/4", "nwparser.p0", "%{disposition}."); + +var part2025 = // "Pattern{Constant('removed from '), Field(p0,false)}" +match("MESSAGE#204:00009:16/3_0", "nwparser.p0", "removed from %{p0}"); + +var part2026 = // "Pattern{Constant('added to '), Field(p0,false)}" +match("MESSAGE#204:00009:16/3_1", "nwparser.p0", "added to %{p0}"); + +var part2027 = // "Pattern{Constant(''), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#210:00009:21/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times. (%{fld1})"); + +var part2028 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#219:00010:03/0", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, proto %{protocol->} (zone %{zone->} %{p0}"); + +var part2029 = // "Pattern{Constant('Interface '), Field(p0,false)}" +match("MESSAGE#224:00011:04/1_1", "nwparser.p0", "Interface %{p0}"); + +var part2030 = // "Pattern{Constant('set to '), Field(fld2,false)}" +match("MESSAGE#233:00011:14/1_0", "nwparser.p0", "set to %{fld2}"); + +var part2031 = // "Pattern{Constant('gateway '), Field(p0,false)}" +match("MESSAGE#237:00011:18/4_1", "nwparser.p0", "gateway %{p0}"); + +var part2032 = // "Pattern{Field(,true), Constant(' '), Field(disposition,false)}" +match("MESSAGE#238:00011:19/6", "nwparser.p0", "%{} %{disposition}"); + +var part2033 = // "Pattern{Constant('port number '), Field(p0,false)}" +match("MESSAGE#274:00015:02/1_1", "nwparser.p0", "port number %{p0}"); + +var part2034 = // "Pattern{Constant('has been '), Field(disposition,false)}" +match("MESSAGE#274:00015:02/2", "nwparser.p0", "has been %{disposition}"); + +var part2035 = // "Pattern{Constant('IP '), Field(p0,false)}" +match("MESSAGE#276:00015:04/1_0", "nwparser.p0", "IP %{p0}"); + +var part2036 = // "Pattern{Constant('port '), Field(p0,false)}" +match("MESSAGE#276:00015:04/1_1", "nwparser.p0", "port %{p0}"); + +var part2037 = // "Pattern{Constant('up '), Field(p0,false)}" +match("MESSAGE#284:00015:12/3_0", "nwparser.p0", "up %{p0}"); + +var part2038 = // "Pattern{Constant('down '), Field(p0,false)}" +match("MESSAGE#284:00015:12/3_1", "nwparser.p0", "down %{p0}"); + +var part2039 = // "Pattern{Constant('('), Field(fld1,false), Constant(') ')}" +match("MESSAGE#294:00015:22/2_0", "nwparser.p0", "(%{fld1}) "); + +var part2040 = // "Pattern{Constant(': '), Field(p0,false)}" +match("MESSAGE#317:00017:01/2_0", "nwparser.p0", ": %{p0}"); + +var part2041 = // "Pattern{Constant('IP '), Field(p0,false)}" +match("MESSAGE#320:00017:04/0", "nwparser.payload", "IP %{p0}"); + +var part2042 = // "Pattern{Constant('address pool '), Field(p0,false)}" +match("MESSAGE#320:00017:04/1_0", "nwparser.p0", "address pool %{p0}"); + +var part2043 = // "Pattern{Constant('pool '), Field(p0,false)}" +match("MESSAGE#320:00017:04/1_1", "nwparser.p0", "pool %{p0}"); + +var part2044 = // "Pattern{Constant('enabled '), Field(p0,false)}" +match("MESSAGE#326:00017:10/1_0", "nwparser.p0", "enabled %{p0}"); + +var part2045 = // "Pattern{Constant('disabled '), Field(p0,false)}" +match("MESSAGE#326:00017:10/1_1", "nwparser.p0", "disabled %{p0}"); + +var part2046 = // "Pattern{Constant('AH '), Field(p0,false)}" +match("MESSAGE#332:00017:15/1_0", "nwparser.p0", "AH %{p0}"); + +var part2047 = // "Pattern{Constant('ESP '), Field(p0,false)}" +match("MESSAGE#332:00017:15/1_1", "nwparser.p0", "ESP %{p0}"); + +var part2048 = // "Pattern{Constant('’'), Field(p0,false)}" +match("MESSAGE#347:00018:02/1_0", "nwparser.p0", "’%{p0}"); + +var part2049 = // "Pattern{Constant('&'), Field(p0,false)}" +match("MESSAGE#347:00018:02/1_1", "nwparser.p0", "\u0026%{p0}"); + +var part2050 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#354:00018:11/0", "nwparser.payload", "%{} %{p0}"); + +var part2051 = // "Pattern{Constant('Source'), Field(p0,false)}" +match("MESSAGE#356:00018:32/0_0", "nwparser.payload", "Source%{p0}"); + +var part2052 = // "Pattern{Constant('Destination'), Field(p0,false)}" +match("MESSAGE#356:00018:32/0_1", "nwparser.payload", "Destination%{p0}"); + +var part2053 = // "Pattern{Constant('from '), Field(p0,false)}" +match("MESSAGE#356:00018:32/2_0", "nwparser.p0", "from %{p0}"); + +var part2054 = // "Pattern{Constant('policy ID '), Field(policy_id,true), Constant(' by admin '), Field(administrator,true), Constant(' via NSRP Peer . ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#356:00018:32/3", "nwparser.p0", "policy ID %{policy_id->} by admin %{administrator->} via NSRP Peer . (%{fld1})"); + +var part2055 = // "Pattern{Constant('Attempt to enable '), Field(p0,false)}" +match("MESSAGE#375:00019:01/0", "nwparser.payload", "Attempt to enable %{p0}"); + +var part2056 = // "Pattern{Constant('traffic logging via syslog '), Field(p0,false)}" +match("MESSAGE#375:00019:01/1_0", "nwparser.p0", "traffic logging via syslog %{p0}"); + +var part2057 = // "Pattern{Constant('syslog '), Field(p0,false)}" +match("MESSAGE#375:00019:01/1_1", "nwparser.p0", "syslog %{p0}"); + +var part2058 = // "Pattern{Constant('Syslog '), Field(p0,false)}" +match("MESSAGE#378:00019:04/0", "nwparser.payload", "Syslog %{p0}"); + +var part2059 = // "Pattern{Constant('host '), Field(p0,false)}" +match("MESSAGE#378:00019:04/1_0", "nwparser.p0", "host %{p0}"); + +var part2060 = // "Pattern{Constant('domain name '), Field(p0,false)}" +match("MESSAGE#378:00019:04/3_1", "nwparser.p0", "domain name %{p0}"); + +var part2061 = // "Pattern{Constant('has been changed to '), Field(fld2,false)}" +match("MESSAGE#378:00019:04/4", "nwparser.p0", "has been changed to %{fld2}"); + +var part2062 = // "Pattern{Constant('security facility '), Field(p0,false)}" +match("MESSAGE#380:00019:06/1_0", "nwparser.p0", "security facility %{p0}"); + +var part2063 = // "Pattern{Constant('facility '), Field(p0,false)}" +match("MESSAGE#380:00019:06/1_1", "nwparser.p0", "facility %{p0}"); + +var part2064 = // "Pattern{Constant('local0'), Field(,false)}" +match("MESSAGE#380:00019:06/3_0", "nwparser.p0", "local0%{}"); + +var part2065 = // "Pattern{Constant('local1'), Field(,false)}" +match("MESSAGE#380:00019:06/3_1", "nwparser.p0", "local1%{}"); + +var part2066 = // "Pattern{Constant('local2'), Field(,false)}" +match("MESSAGE#380:00019:06/3_2", "nwparser.p0", "local2%{}"); + +var part2067 = // "Pattern{Constant('local3'), Field(,false)}" +match("MESSAGE#380:00019:06/3_3", "nwparser.p0", "local3%{}"); + +var part2068 = // "Pattern{Constant('local4'), Field(,false)}" +match("MESSAGE#380:00019:06/3_4", "nwparser.p0", "local4%{}"); + +var part2069 = // "Pattern{Constant('local5'), Field(,false)}" +match("MESSAGE#380:00019:06/3_5", "nwparser.p0", "local5%{}"); + +var part2070 = // "Pattern{Constant('local6'), Field(,false)}" +match("MESSAGE#380:00019:06/3_6", "nwparser.p0", "local6%{}"); + +var part2071 = // "Pattern{Constant('local7'), Field(,false)}" +match("MESSAGE#380:00019:06/3_7", "nwparser.p0", "local7%{}"); + +var part2072 = // "Pattern{Constant('auth/sec'), Field(,false)}" +match("MESSAGE#380:00019:06/3_8", "nwparser.p0", "auth/sec%{}"); + +var part2073 = // "Pattern{Field(fld2,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#384:00019:10/0", "nwparser.payload", "%{fld2->} %{p0}"); + +var part2074 = // "Pattern{Constant('All '), Field(p0,false)}" +match("MESSAGE#405:00022/0", "nwparser.payload", "All %{p0}"); + +var part2075 = // "Pattern{Constant('primary '), Field(p0,false)}" +match("MESSAGE#414:00022:09/1_0", "nwparser.p0", "primary %{p0}"); + +var part2076 = // "Pattern{Constant('secondary '), Field(p0,false)}" +match("MESSAGE#414:00022:09/1_1", "nwparser.p0", "secondary %{p0}"); + +var part2077 = // "Pattern{Constant('t '), Field(p0,false)}" +match("MESSAGE#414:00022:09/3_0", "nwparser.p0", "t %{p0}"); + +var part2078 = // "Pattern{Constant('w '), Field(p0,false)}" +match("MESSAGE#414:00022:09/3_1", "nwparser.p0", "w %{p0}"); + +var part2079 = // "Pattern{Constant('server '), Field(p0,false)}" +match("MESSAGE#423:00024/1", "nwparser.p0", "server %{p0}"); + +var part2080 = // "Pattern{Constant('has '), Field(p0,false)}" +match("MESSAGE#426:00024:03/1_0", "nwparser.p0", "has %{p0}"); + +var part2081 = // "Pattern{Constant('SCS'), Field(p0,false)}" +match("MESSAGE#434:00026:01/0", "nwparser.payload", "SCS%{p0}"); + +var part2082 = // "Pattern{Constant('bound to '), Field(p0,false)}" +match("MESSAGE#434:00026:01/3_0", "nwparser.p0", "bound to %{p0}"); + +var part2083 = // "Pattern{Constant('unbound from '), Field(p0,false)}" +match("MESSAGE#434:00026:01/3_1", "nwparser.p0", "unbound from %{p0}"); + +var part2084 = // "Pattern{Constant('PKA RSA '), Field(p0,false)}" +match("MESSAGE#441:00026:08/1_1", "nwparser.p0", "PKA RSA %{p0}"); + +var part2085 = // "Pattern{Constant('unbind '), Field(p0,false)}" +match("MESSAGE#443:00026:10/3_1", "nwparser.p0", "unbind %{p0}"); + +var part2086 = // "Pattern{Constant('PKA key '), Field(p0,false)}" +match("MESSAGE#443:00026:10/4", "nwparser.p0", "PKA key %{p0}"); + +var part2087 = // "Pattern{Constant('Multiple login failures '), Field(p0,false)}" +match("MESSAGE#446:00027/0", "nwparser.payload", "Multiple login failures %{p0}"); + +var part2088 = // "Pattern{Constant('occurred for '), Field(p0,false)}" +match("MESSAGE#446:00027/1_0", "nwparser.p0", "occurred for %{p0}"); + +var part2089 = // "Pattern{Constant('aborted'), Field(,false)}" +match("MESSAGE#451:00027:05/5_0", "nwparser.p0", "aborted%{}"); + +var part2090 = // "Pattern{Constant('performed'), Field(,false)}" +match("MESSAGE#451:00027:05/5_1", "nwparser.p0", "performed%{}"); + +var part2091 = // "Pattern{Constant('IP pool of DHCP server on '), Field(p0,false)}" +match("MESSAGE#466:00029:03/0", "nwparser.payload", "IP pool of DHCP server on %{p0}"); + +var part2092 = // "Pattern{Constant('certificate '), Field(p0,false)}" +match("MESSAGE#492:00030:17/1_0", "nwparser.p0", "certificate %{p0}"); + +var part2093 = // "Pattern{Constant('CRL '), Field(p0,false)}" +match("MESSAGE#492:00030:17/1_1", "nwparser.p0", "CRL %{p0}"); + +var part2094 = // "Pattern{Constant('auto '), Field(p0,false)}" +match("MESSAGE#493:00030:40/1_0", "nwparser.p0", "auto %{p0}"); + +var part2095 = // "Pattern{Constant('RSA '), Field(p0,false)}" +match("MESSAGE#508:00030:55/1_0", "nwparser.p0", "RSA %{p0}"); + +var part2096 = // "Pattern{Constant('DSA '), Field(p0,false)}" +match("MESSAGE#508:00030:55/1_1", "nwparser.p0", "DSA %{p0}"); + +var part2097 = // "Pattern{Constant('key pair.'), Field(,false)}" +match("MESSAGE#508:00030:55/2", "nwparser.p0", "key pair.%{}"); + +var part2098 = // "Pattern{Constant('FIPS test for '), Field(p0,false)}" +match("MESSAGE#539:00030:86/0", "nwparser.payload", "FIPS test for %{p0}"); + +var part2099 = // "Pattern{Constant('ECDSA '), Field(p0,false)}" +match("MESSAGE#539:00030:86/1_0", "nwparser.p0", "ECDSA %{p0}"); + +var part2100 = // "Pattern{Constant('yes '), Field(p0,false)}" +match("MESSAGE#543:00031:02/1_0", "nwparser.p0", "yes %{p0}"); + +var part2101 = // "Pattern{Constant('no '), Field(p0,false)}" +match("MESSAGE#543:00031:02/1_1", "nwparser.p0", "no %{p0}"); + +var part2102 = // "Pattern{Constant('location '), Field(p0,false)}" +match("MESSAGE#545:00031:04/1_1", "nwparser.p0", "location %{p0}"); + +var part2103 = // "Pattern{Field(,true), Constant(' '), Field(interface,false)}" +match("MESSAGE#548:00031:05/2", "nwparser.p0", "%{} %{interface}"); + +var part2104 = // "Pattern{Constant('arp re'), Field(p0,false)}" +match("MESSAGE#549:00031:06/0", "nwparser.payload", "arp re%{p0}"); + +var part2105 = // "Pattern{Constant('q '), Field(p0,false)}" +match("MESSAGE#549:00031:06/1_1", "nwparser.p0", "q %{p0}"); + +var part2106 = // "Pattern{Constant('ply '), Field(p0,false)}" +match("MESSAGE#549:00031:06/1_2", "nwparser.p0", "ply %{p0}"); + +var part2107 = // "Pattern{Field(interface,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#549:00031:06/9_0", "nwparser.p0", "%{interface->} (%{fld1})"); + +var part2108 = // "Pattern{Constant('Global PRO '), Field(p0,false)}" +match("MESSAGE#561:00033/0_0", "nwparser.payload", "Global PRO %{p0}"); + +var part2109 = // "Pattern{Field(fld3,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#561:00033/0_1", "nwparser.payload", "%{fld3->} %{p0}"); + +var part2110 = // "Pattern{Constant('NACN Policy Manager '), Field(p0,false)}" +match("MESSAGE#569:00033:08/0", "nwparser.payload", "NACN Policy Manager %{p0}"); + +var part2111 = // "Pattern{Constant('1 '), Field(p0,false)}" +match("MESSAGE#569:00033:08/1_0", "nwparser.p0", "1 %{p0}"); + +var part2112 = // "Pattern{Constant('2 '), Field(p0,false)}" +match("MESSAGE#569:00033:08/1_1", "nwparser.p0", "2 %{p0}"); + +var part2113 = // "Pattern{Constant('unset '), Field(p0,false)}" +match("MESSAGE#571:00033:10/3_1", "nwparser.p0", "unset %{p0}"); + +var part2114 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#581:00033:21/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + +var part2115 = // "Pattern{Constant('SSH '), Field(p0,false)}" +match("MESSAGE#586:00034:01/2_1", "nwparser.p0", "SSH %{p0}"); + +var part2116 = // "Pattern{Constant('SCS: NetScreen '), Field(p0,false)}" +match("MESSAGE#588:00034:03/0_0", "nwparser.payload", "SCS: NetScreen %{p0}"); + +var part2117 = // "Pattern{Constant('NetScreen '), Field(p0,false)}" +match("MESSAGE#588:00034:03/0_1", "nwparser.payload", "NetScreen %{p0}"); + +var part2118 = // "Pattern{Constant('S'), Field(p0,false)}" +match("MESSAGE#595:00034:10/0", "nwparser.payload", "S%{p0}"); + +var part2119 = // "Pattern{Constant('CS: SSH'), Field(p0,false)}" +match("MESSAGE#595:00034:10/1_0", "nwparser.p0", "CS: SSH%{p0}"); + +var part2120 = // "Pattern{Constant('SH'), Field(p0,false)}" +match("MESSAGE#595:00034:10/1_1", "nwparser.p0", "SH%{p0}"); + +var part2121 = // "Pattern{Constant('the root system '), Field(p0,false)}" +match("MESSAGE#596:00034:12/3_0", "nwparser.p0", "the root system %{p0}"); + +var part2122 = // "Pattern{Constant('vsys '), Field(fld2,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#596:00034:12/3_1", "nwparser.p0", "vsys %{fld2->} %{p0}"); + +var part2123 = // "Pattern{Constant('CS: SSH '), Field(p0,false)}" +match("MESSAGE#599:00034:18/1_0", "nwparser.p0", "CS: SSH %{p0}"); + +var part2124 = // "Pattern{Constant('SH '), Field(p0,false)}" +match("MESSAGE#599:00034:18/1_1", "nwparser.p0", "SH %{p0}"); + +var part2125 = // "Pattern{Constant('a '), Field(p0,false)}" +match("MESSAGE#630:00035:06/1_0", "nwparser.p0", "a %{p0}"); + +var part2126 = // "Pattern{Constant('ert '), Field(p0,false)}" +match("MESSAGE#630:00035:06/1_1", "nwparser.p0", "ert %{p0}"); + +var part2127 = // "Pattern{Constant('SSL '), Field(p0,false)}" +match("MESSAGE#633:00035:09/0", "nwparser.payload", "SSL %{p0}"); + +var part2128 = // "Pattern{Constant('id: '), Field(p0,false)}" +match("MESSAGE#644:00037:01/1_0", "nwparser.p0", "id: %{p0}"); + +var part2129 = // "Pattern{Constant('ID '), Field(p0,false)}" +match("MESSAGE#644:00037:01/1_1", "nwparser.p0", "ID %{p0}"); + +var part2130 = // "Pattern{Constant('permit '), Field(p0,false)}" +match("MESSAGE#659:00044/1_0", "nwparser.p0", "permit %{p0}"); + +var part2131 = // "Pattern{Constant('IGMP '), Field(p0,false)}" +match("MESSAGE#675:00055/0", "nwparser.payload", "IGMP %{p0}"); + +var part2132 = // "Pattern{Constant('IGMP will '), Field(p0,false)}" +match("MESSAGE#677:00055:02/0", "nwparser.payload", "IGMP will %{p0}"); + +var part2133 = // "Pattern{Constant('not do '), Field(p0,false)}" +match("MESSAGE#677:00055:02/1_0", "nwparser.p0", "not do %{p0}"); + +var part2134 = // "Pattern{Constant('do '), Field(p0,false)}" +match("MESSAGE#677:00055:02/1_1", "nwparser.p0", "do %{p0}"); + +var part2135 = // "Pattern{Constant('shut down '), Field(p0,false)}" +match("MESSAGE#689:00059/1_1", "nwparser.p0", "shut down %{p0}"); + +var part2136 = // "Pattern{Constant('NSRP: '), Field(p0,false)}" +match("MESSAGE#707:00070/0", "nwparser.payload", "NSRP: %{p0}"); + +var part2137 = // "Pattern{Constant('Unit '), Field(p0,false)}" +match("MESSAGE#707:00070/1_0", "nwparser.p0", "Unit %{p0}"); + +var part2138 = // "Pattern{Constant('local unit= '), Field(p0,false)}" +match("MESSAGE#707:00070/1_1", "nwparser.p0", "local unit= %{p0}"); + +var part2139 = // "Pattern{Field(fld2,true), Constant(' of VSD group '), Field(group,true), Constant(' '), Field(info,false)}" +match("MESSAGE#707:00070/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); + +var part2140 = // "Pattern{Constant('The local device '), Field(fld2,true), Constant(' in the Virtual Sec'), Field(p0,false)}" +match("MESSAGE#708:00070:01/0", "nwparser.payload", "The local device %{fld2->} in the Virtual Sec%{p0}"); + +var part2141 = // "Pattern{Constant('ruity'), Field(p0,false)}" +match("MESSAGE#708:00070:01/1_0", "nwparser.p0", "ruity%{p0}"); + +var part2142 = // "Pattern{Constant('urity'), Field(p0,false)}" +match("MESSAGE#708:00070:01/1_1", "nwparser.p0", "urity%{p0}"); + +var part2143 = // "Pattern{Field(,false), Constant('Device group '), Field(group,true), Constant(' changed state')}" +match("MESSAGE#713:00072:01/2", "nwparser.p0", "%{}Device group %{group->} changed state"); + +var part2144 = // "Pattern{Constant(''), Field(fld2,true), Constant(' of VSD group '), Field(group,true), Constant(' '), Field(info,false)}" +match("MESSAGE#717:00075/2", "nwparser.p0", "%{fld2->} of VSD group %{group->} %{info}"); + +var part2145 = // "Pattern{Constant('start_time='), Field(p0,false)}" +match("MESSAGE#748:00257:19/0", "nwparser.payload", "start_time=%{p0}"); + +var part2146 = // "Pattern{Constant('\"'), Field(fld2,false), Constant('\"'), Field(p0,false)}" +match("MESSAGE#748:00257:19/1_0", "nwparser.p0", "\\\"%{fld2}\\\"%{p0}"); + +var part2147 = // "Pattern{Constant(' "'), Field(fld2,false), Constant('" '), Field(p0,false)}" +match("MESSAGE#748:00257:19/1_1", "nwparser.p0", " \"%{fld2}\" %{p0}"); + +var part2148 = // "Pattern{Field(daddr,false)}" +match_copy("MESSAGE#756:00257:10/1_1", "nwparser.p0", "daddr"); + +var part2149 = // "Pattern{Constant('Admin '), Field(p0,false)}" +match("MESSAGE#760:00259/0_0", "nwparser.payload", "Admin %{p0}"); + +var part2150 = // "Pattern{Constant('Vsys admin '), Field(p0,false)}" +match("MESSAGE#760:00259/0_1", "nwparser.payload", "Vsys admin %{p0}"); + +var part2151 = // "Pattern{Constant('Telnet '), Field(p0,false)}" +match("MESSAGE#760:00259/2_1", "nwparser.p0", "Telnet %{p0}"); + +var part2152 = // "Pattern{Constant(''), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times.')}" +match("MESSAGE#777:00406/2", "nwparser.p0", "%{interface}). Occurred %{dclass_counter1->} times."); + +var part2153 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times.')}" +match("MESSAGE#790:00423/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times."); + +var part2154 = // "Pattern{Constant(''), Field(interface,false), Constant(').'), Field(space,false), Constant('Occurred '), Field(dclass_counter1,true), Constant(' times.'), Field(p0,false)}" +match("MESSAGE#793:00430/2", "nwparser.p0", "%{interface}).%{space}Occurred %{dclass_counter1->} times.%{p0}"); + +var part2155 = // "Pattern{Field(obj_type,true), Constant(' '), Field(disposition,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#795:00431/0", "nwparser.payload", "%{obj_type->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + +var part2156 = // "Pattern{Field(signame,true), Constant(' '), Field(disposition,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(zone,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#797:00433/0", "nwparser.payload", "%{signame->} %{disposition}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{zone->} %{p0}"); + +var part2157 = // "Pattern{Field(signame,false), Constant('! From '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(', proto '), Field(protocol,true), Constant(' (zone '), Field(p0,false)}" +match("MESSAGE#804:00437:01/0", "nwparser.payload", "%{signame}! From %{saddr}:%{sport->} to %{daddr}:%{dport}, proto %{protocol->} (zone %{p0}"); + +var part2158 = // "Pattern{Field(administrator,true), Constant(' ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#817:00511:01/1_0", "nwparser.p0", "%{administrator->} (%{fld1})"); + +var part2159 = // "Pattern{Constant('ut '), Field(p0,false)}" +match("MESSAGE#835:00515:04/2_1", "nwparser.p0", "ut %{p0}"); + +var part2160 = // "Pattern{Field(logon_type,true), Constant(' from '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#835:00515:04/4_0", "nwparser.p0", "%{logon_type->} from %{saddr}:%{sport}"); + +var part2161 = // "Pattern{Constant('user '), Field(p0,false)}" +match("MESSAGE#837:00515:05/1_0", "nwparser.p0", "user %{p0}"); + +var part2162 = // "Pattern{Constant('the '), Field(logon_type,false)}" +match("MESSAGE#837:00515:05/5_0", "nwparser.p0", "the %{logon_type}"); + +var part2163 = // "Pattern{Constant('WebAuth user '), Field(p0,false)}" +match("MESSAGE#869:00519:01/1_0", "nwparser.p0", "WebAuth user %{p0}"); + +var part2164 = // "Pattern{Constant('backup1 '), Field(p0,false)}" +match("MESSAGE#876:00520:02/1_1", "nwparser.p0", "backup1 %{p0}"); + +var part2165 = // "Pattern{Constant('backup2 '), Field(p0,false)}" +match("MESSAGE#876:00520:02/1_2", "nwparser.p0", "backup2 %{p0}"); + +var part2166 = // "Pattern{Constant(','), Field(p0,false)}" +match("MESSAGE#890:00524:13/1_0", "nwparser.p0", ",%{p0}"); + +var part2167 = // "Pattern{Constant('assigned '), Field(p0,false)}" +match("MESSAGE#901:00527/1_0", "nwparser.p0", "assigned %{p0}"); + +var part2168 = // "Pattern{Constant('assigned to '), Field(p0,false)}" +match("MESSAGE#901:00527/3_0", "nwparser.p0", "assigned to %{p0}"); + +var part2169 = // "Pattern{Constant('''), Field(administrator,false), Constant('' '), Field(p0,false)}" +match("MESSAGE#927:00528:15/1_0", "nwparser.p0", "'%{administrator}' %{p0}"); + +var part2170 = // "Pattern{Constant('SSH: P'), Field(p0,false)}" +match("MESSAGE#930:00528:18/0", "nwparser.payload", "SSH: P%{p0}"); + +var part2171 = // "Pattern{Constant('KA '), Field(p0,false)}" +match("MESSAGE#930:00528:18/1_0", "nwparser.p0", "KA %{p0}"); + +var part2172 = // "Pattern{Constant('assword '), Field(p0,false)}" +match("MESSAGE#930:00528:18/1_1", "nwparser.p0", "assword %{p0}"); + +var part2173 = // "Pattern{Constant('\''), Field(administrator,false), Constant('\' '), Field(p0,false)}" +match("MESSAGE#930:00528:18/3_0", "nwparser.p0", "\\'%{administrator}\\' %{p0}"); + +var part2174 = // "Pattern{Constant('at host '), Field(saddr,false)}" +match("MESSAGE#930:00528:18/4", "nwparser.p0", "at host %{saddr}"); + +var part2175 = // "Pattern{Field(,false), Constant('S'), Field(p0,false)}" +match("MESSAGE#932:00528:19/0", "nwparser.payload", "%{}S%{p0}"); + +var part2176 = // "Pattern{Constant('CS '), Field(p0,false)}" +match("MESSAGE#932:00528:19/1_0", "nwparser.p0", "CS %{p0}"); + +var part2177 = // "Pattern{Constant('from server.ini file.'), Field(,false)}" +match("MESSAGE#1060:00553/2", "nwparser.p0", "from server.ini file.%{}"); + +var part2178 = // "Pattern{Constant('pattern '), Field(p0,false)}" +match("MESSAGE#1064:00553:04/1_0", "nwparser.p0", "pattern %{p0}"); + +var part2179 = // "Pattern{Constant('server.ini '), Field(p0,false)}" +match("MESSAGE#1064:00553:04/1_1", "nwparser.p0", "server.ini %{p0}"); + +var part2180 = // "Pattern{Constant('file.'), Field(,false)}" +match("MESSAGE#1068:00553:08/2", "nwparser.p0", "file.%{}"); + +var part2181 = // "Pattern{Constant('AV pattern '), Field(p0,false)}" +match("MESSAGE#1087:00554:04/1_1", "nwparser.p0", "AV pattern %{p0}"); + +var part2182 = // "Pattern{Constant('added into '), Field(p0,false)}" +match("MESSAGE#1116:00556:14/1_0", "nwparser.p0", "added into %{p0}"); + +var part2183 = // "Pattern{Constant('loader '), Field(p0,false)}" +match("MESSAGE#1157:00767:11/1_0", "nwparser.p0", "loader %{p0}"); + +var select436 = linear_select([ + dup10, + dup11, +]); + +var part2184 = // "Pattern{Constant('Policy ID='), Field(policy_id,true), Constant(' Rate='), Field(fld2,true), Constant(' exceeds threshold')}" +match("MESSAGE#7:00001:07", "nwparser.payload", "Policy ID=%{policy_id->} Rate=%{fld2->} exceeds threshold", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var select437 = linear_select([ + dup13, + dup14, +]); + +var select438 = linear_select([ + dup15, + dup16, +]); + +var select439 = linear_select([ + dup56, + dup57, +]); + +var select440 = linear_select([ + dup65, + dup66, +]); + +var select441 = linear_select([ + dup68, + dup69, +]); + +var select442 = linear_select([ + dup71, + dup72, +]); + +var part2185 = // "Pattern{Field(signame,true), Constant(' from '), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' protocol '), Field(protocol,true), Constant(' ('), Field(interface,false), Constant(')')}" +match("MESSAGE#84:00005:04", "nwparser.payload", "%{signame->} from %{saddr}/%{sport->} to %{daddr}/%{dport->} protocol %{protocol->} (%{interface})", processor_chain([ + dup58, + dup2, + dup3, + dup4, + dup5, + dup61, +])); + +var select443 = linear_select([ + dup74, + dup75, +]); + +var select444 = linear_select([ + dup81, + dup82, +]); + +var select445 = linear_select([ + dup24, + dup90, +]); + +var select446 = linear_select([ + dup94, + dup95, +]); + +var select447 = linear_select([ + dup98, + dup99, +]); + +var select448 = linear_select([ + dup100, + dup101, + dup102, +]); + +var select449 = linear_select([ + dup113, + dup114, +]); + +var select450 = linear_select([ + dup111, + dup16, +]); + +var select451 = linear_select([ + dup127, + dup107, +]); + +var select452 = linear_select([ + dup8, + dup21, +]); + +var select453 = linear_select([ + dup122, + dup133, +]); + +var select454 = linear_select([ + dup142, + dup143, +]); + +var select455 = linear_select([ + dup145, + dup21, +]); + +var select456 = linear_select([ + dup127, + dup106, +]); + +var select457 = linear_select([ + dup152, + dup96, +]); + +var select458 = linear_select([ + dup154, + dup155, +]); + +var select459 = linear_select([ + dup156, + dup157, +]); + +var select460 = linear_select([ + dup99, + dup134, +]); + +var select461 = linear_select([ + dup158, + dup159, +]); + +var select462 = linear_select([ + dup160, + dup161, +]); + +var select463 = linear_select([ + dup163, + dup164, +]); + +var select464 = linear_select([ + dup165, + dup103, +]); + +var select465 = linear_select([ + dup164, + dup163, +]); + +var select466 = linear_select([ + dup46, + dup47, +]); + +var select467 = linear_select([ + dup168, + dup169, +]); + +var select468 = linear_select([ + dup174, + dup175, +]); + +var select469 = linear_select([ + dup176, + dup177, + dup178, + dup179, + dup180, + dup181, + dup182, + dup183, + dup184, +]); + +var select470 = linear_select([ + dup49, + dup21, +]); + +var select471 = linear_select([ + dup191, + dup192, +]); + +var select472 = linear_select([ + dup96, + dup152, +]); + +var select473 = linear_select([ + dup198, + dup199, +]); + +var select474 = linear_select([ + dup24, + dup202, +]); + +var select475 = linear_select([ + dup103, + dup165, +]); + +var select476 = linear_select([ + dup207, + dup118, +]); + +var part2186 = // "Pattern{Field(change_attribute,true), Constant(' has been changed from '), Field(change_old,true), Constant(' to '), Field(change_new,false)}" +match("MESSAGE#477:00030:02", "nwparser.payload", "%{change_attribute->} has been changed from %{change_old->} to %{change_new}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var select477 = linear_select([ + dup214, + dup215, +]); + +var select478 = linear_select([ + dup217, + dup218, +]); + +var select479 = linear_select([ + dup224, + dup217, +]); + +var select480 = linear_select([ + dup226, + dup227, +]); + +var select481 = linear_select([ + dup233, + dup124, +]); + +var select482 = linear_select([ + dup231, + dup232, +]); + +var select483 = linear_select([ + dup235, + dup236, +]); + +var select484 = linear_select([ + dup238, + dup239, +]); + +var select485 = linear_select([ + dup244, + dup245, +]); + +var select486 = linear_select([ + dup247, + dup248, +]); + +var select487 = linear_select([ + dup249, + dup250, +]); + +var select488 = linear_select([ + dup251, + dup252, +]); + +var select489 = linear_select([ + dup253, + dup254, +]); + +var select490 = linear_select([ + dup262, + dup263, +]); + +var select491 = linear_select([ + dup266, + dup267, +]); + +var select492 = linear_select([ + dup270, + dup271, +]); + +var part2187 = // "Pattern{Constant('The local device '), Field(fld2,true), Constant(' in the Virtual Security Device group '), Field(group,true), Constant(' '), Field(info,false)}" +match("MESSAGE#716:00074", "nwparser.payload", "The local device %{fld2->} in the Virtual Security Device group %{group->} %{info}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, +])); + +var select493 = linear_select([ + dup286, + dup287, +]); + +var select494 = linear_select([ + dup289, + dup290, +]); + +var part2188 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to '), Field(daddr,false), Constant(', using protocol '), Field(protocol,false), Constant(', and arriving at interface '), Field(dinterface,true), Constant(' in zone '), Field(dst_zone,false), Constant('.'), Field(space,false), Constant('The attack occurred '), Field(dclass_counter1,true), Constant(' times.')}" +match("MESSAGE#799:00435", "nwparser.payload", "%{signame->} From %{saddr->} to %{daddr}, using protocol %{protocol}, and arriving at interface %{dinterface->} in zone %{dst_zone}.%{space}The attack occurred %{dclass_counter1->} times.", processor_chain([ + dup58, + dup2, + dup59, + dup4, + dup5, + dup3, + dup60, +])); + +var part2189 = // "Pattern{Field(signame,true), Constant(' From '), Field(saddr,true), Constant(' to zone '), Field(zone,false), Constant(', proto '), Field(protocol,true), Constant(' (int '), Field(interface,false), Constant('). Occurred '), Field(dclass_counter1,true), Constant(' times. ('), Field(fld1,false), Constant(')')}" +match("MESSAGE#814:00442", "nwparser.payload", "%{signame->} From %{saddr->} to zone %{zone}, proto %{protocol->} (int %{interface}). Occurred %{dclass_counter1->} times. (%{fld1})", processor_chain([ + dup58, + dup4, + dup59, + dup5, + dup9, + dup2, + dup3, + dup60, +])); + +var select495 = linear_select([ + dup302, + dup26, +]); + +var select496 = linear_select([ + dup115, + dup305, +]); + +var select497 = linear_select([ + dup125, + dup96, +]); + +var select498 = linear_select([ + dup191, + dup310, + dup311, +]); + +var select499 = linear_select([ + dup312, + dup16, +]); + +var select500 = linear_select([ + dup319, + dup320, +]); + +var select501 = linear_select([ + dup321, + dup317, +]); + +var select502 = linear_select([ + dup324, + dup252, +]); + +var select503 = linear_select([ + dup329, + dup331, +]); + +var select504 = linear_select([ + dup332, + dup129, +]); + +var part2190 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" +match("MESSAGE#1196:01269:01", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} direction=%{direction->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup276, + dup3, + dup277, + dup60, + dup284, +])); + +var part2191 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" +match("MESSAGE#1197:01269:02", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup187, + dup2, + dup4, + dup5, + dup276, + dup3, + dup277, + dup278, + dup279, + dup60, +])); + +var part2192 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' proto='), Field(protocol,true), Constant(' src zone='), Field(src_zone,true), Constant(' dst zone='), Field(dst_zone,true), Constant(' action='), Field(disposition,true), Constant(' sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' icmp type='), Field(icmptype,false)}" +match("MESSAGE#1198:01269:03", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} proto=%{protocol->} src zone=%{src_zone->} dst zone=%{dst_zone->} action=%{disposition->} sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} icmp type=%{icmptype}", processor_chain([ + dup283, + dup2, + dup4, + dup5, + dup276, + dup3, + dup277, + dup60, + dup284, +])); + +var part2193 = // "Pattern{Constant('start_time="'), Field(fld2,false), Constant('" duration='), Field(duration,true), Constant(' policy_id='), Field(policy_id,true), Constant(' service='), Field(service,true), Constant(' ('), Field(fld3,false), Constant(') proto='), Field(protocol,true), Constant(' direction='), Field(direction,true), Constant(' action=Deny sent='), Field(sbytes,true), Constant(' rcvd='), Field(rbytes,true), Constant(' src='), Field(saddr,true), Constant(' dst='), Field(daddr,true), Constant(' src_port='), Field(sport,true), Constant(' dst_port='), Field(dport,false)}" +match("MESSAGE#1203:23184", "nwparser.payload", "start_time=\"%{fld2}\" duration=%{duration->} policy_id=%{policy_id->} service=%{service->} (%{fld3}) proto=%{protocol->} direction=%{direction->} action=Deny sent=%{sbytes->} rcvd=%{rbytes->} src=%{saddr->} dst=%{daddr->} src_port=%{sport->} dst_port=%{dport}", processor_chain([ + dup187, + dup2, + dup4, + dup5, + dup276, + dup3, + dup277, + dup278, + dup279, + dup61, +])); + +var all397 = all_match({ + processors: [ + dup265, + dup393, + dup268, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var all398 = all_match({ + processors: [ + dup269, + dup394, + dup272, + ], + on_success: processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + ]), +}); + +var all399 = all_match({ + processors: [ + dup80, + dup345, + dup295, + ], + on_success: processor_chain([ + dup58, + dup2, + dup59, + dup3, + dup4, + dup5, + dup61, + ]), +}); + +var all400 = all_match({ + processors: [ + dup298, + dup345, + dup131, + ], + on_success: processor_chain([ + dup299, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup61, + ]), +}); + +var all401 = all_match({ + processors: [ + dup300, + dup345, + dup131, + ], + on_success: processor_chain([ + dup299, + dup2, + dup3, + dup9, + dup59, + dup4, + dup5, + dup61, + ]), +}); diff --git a/x-pack/filebeat/module/kaspersky/av/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/netscreen/ingest/pipeline.yml similarity index 91% rename from x-pack/filebeat/module/kaspersky/av/ingest/pipeline.yml rename to x-pack/filebeat/module/juniper/netscreen/ingest/pipeline.yml index 963dec7e275..7e5bef61bab 100644 --- a/x-pack/filebeat/module/kaspersky/av/ingest/pipeline.yml +++ b/x-pack/filebeat/module/juniper/netscreen/ingest/pipeline.yml @@ -1,7 +1,11 @@ --- -description: Pipeline for Kaspersky Anti-Virus +description: Pipeline for Netscreen processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original diff --git a/x-pack/filebeat/module/juniper/netscreen/manifest.yml b/x-pack/filebeat/module/juniper/netscreen/manifest.yml new file mode 100644 index 00000000000..7da6bc1d60b --- /dev/null +++ b/x-pack/filebeat/module/juniper/netscreen/manifest.yml @@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["juniper.netscreen", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9523 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/juniper/netscreen/test/generated.log b/x-pack/filebeat/module/juniper/netscreen/test/generated.log new file mode 100644 index 00000000000..3d8481ffa94 --- /dev/null +++ b/x-pack/filebeat/module/juniper/netscreen/test/generated.log @@ -0,0 +1,100 @@ +modtempo: NetScreen device_id=olab system-low-00628(rci): audit log queue Event Alarm Log is overwritten (2016-1-29 06:09:59) +luptat: NetScreen device_id=isiutal [moenimi]system-low-00620(gnaali): RTSYNC: Timer to purge the DRP backup routes is stopped. (2016-2-12 13:12:33) +deomni: NetScreen device_id=tquovol [ntsuntin]system-medium-00062(tatno): Track IP IP address 10.159.227.210 succeeded. (ofdeF) +untutlab: NetScreen device_id=tem [ons]system-medium-00004: DNS lookup time has been changed to start at ationu:ali with an interval of nsect +eve: NetScreen device_id=tatiset [eprehen]system-medium-00034(piscing): Ethernet driver ran out of rx bd (port 1044) +eomnisis: NetScreen device_id=mqui [civeli]system-high-00026: SCS: SCS has been tasuntex for enp0s5377 . +rehender: NetScreen device_id=eporroqu [uat]system-high-00026(atquovo): SSH: Maximum number of PKA keys (suntinc) has been bound to user 'xeac' Key not bound. (Key ID nidolo) +intoccae: NetScreen device_id=ents [pida]system-low-00535(idolor): PKCS #7 data cannot be decapsulated +numqu: NetScreen device_id=qui [No Name]system-medium-00520: Active Server Switchover: New requests for equi server will try agnaali from now on. (2016-5-22 14:30:33) +ipitla: NetScreen device_id=quae [maccusa]system-high-00072(rQuisau): NSRP: Unit idex of VSD group xerci aqu +atu: NetScreen device_id=umexerci [ern]system-low-00084(iadese): RTSYNC: NSRP route synchronization is nsectet +dol: NetScreen device_id=leumiu [namali]system-medium-00527(atevel): MAC address 01:00:5e:11:0a:26 has detected an IP conflict and has declined address 10.90.127.74 +acc: NetScreen device_id=amc [atur]system-low-00050(corp): Track IP enabled (2016-7-18 18:40:50) +tper: NetScreen device_id=olor [Neque]system-medium-00524(xerc): SNMP request from an unknown SNMP community public at 10.61.30.190:2509 has been received. (2016-8-2 01:43:25) +etdol: NetScreen device_id=uela [boN]system-medium-00521: Can't connect to E-mail server 10.210.240.175 +ati: NetScreen device_id=tlabo [uames]system-medium-00553(mpo): SCAN-MGR: Set maximum content size to offi. +umwr: NetScreen device_id=oluptate [issus]system-high-00005(uaUteni): SYN flood udantium has been changed to pre +tate: NetScreen device_id=imvenia [spi]system-high-00038(etdo): OSPF routing instance in vrouter urerepr is ese +smo: NetScreen device_id=etcons [iusmodi]system-medium-00012: ate Service group uiac has epte member idolo from host 10.170.139.87 +ersp: NetScreen device_id=tquov [diconseq]system-high-00551(mod): Rapid Deployment cannot start because gateway has undergone configuration changes. (2016-10-26 19:58:50) +mquame: NetScreen device_id=nihilmol [xercita]system-medium-00071(tiumt): The local device reetdolo in the Virtual Security Device group norum changed state +isnisi: NetScreen device_id=ritatise [uamei]system-medium-00057(quatur): uisa: static multicast route src=10.198.41.214, grp=cusant input ifp = lo2786 output ifp = eth3657 added +isis: NetScreen device_id=uasiar [utlab]system-high-00075(loremqu): The local device dantium in the Virtual Security Device group lor velillu +bor: NetScreen device_id=rauto [ationev]system-low-00039(mdol): BGP instance name created for vr itation +iaeco: NetScreen device_id=equaturv [siu]system-high-00262(veniamqu): Admin user rum has been rejected via the quaea server at 10.11.251.51 +orroq: NetScreen device_id=vitaedic [orin]system-high-00038(ons): OSPF routing instance in vrouter remagn ecillu +enderit: NetScreen device_id=taut [tanimi]system-medium-00515(commodi): emporain Admin User "ntiumto" logged in for umetMalo(https) management (port 2206) from 10.80.237.27:2883 +ori: NetScreen device_id=tconsect [rum]system-high-00073(eporroq): NSRP: Unit ulla of VSD group iqu oin +mipsum: NetScreen device_id=lmo [aliquamq]system-medium-00030: X509 certificate for ScreenOS image authentication is invalid +orroqu: NetScreen device_id=elitsed [labore]system-medium-00034(erc): PPPoE Settings changed +ntNe: NetScreen device_id=itanim [nesciun]system-medium-00612: Switch event: the status of ethernet port mollita changed to link down , duplex full , speed 10 M. (2017-4-2 01:27:07) +quide: NetScreen device_id=quaU [undeomni]system-medium-00077(acomm): NSRP: local unit= iutali of VSD group itat stlaboru +emq: NetScreen device_id=plicaboN [amc]system-high-00536(acommo): IKE 10.10.77.119: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations +scivel: NetScreen device_id=henderi [iusmodt]system-medium-00536(tquas): IKE 10.200.22.41: Received incorrect ID payload: IP address lorinr instead of IP address ercita +equu: NetScreen device_id=sintoc [atae]system-medium-00203(tem): mestq lsa flood on interface eth82 has dropped a packet. +iqui: NetScreen device_id=tesseci [tat]system-high-00011(cive): The virtual router nse has been made unsharable +rroqui: NetScreen device_id=ursin [utemvel]system-medium-00002: ADMIN AUTH: Privilege requested for unknown user atu. Possible HA syncronization problem. +orumSe: NetScreen device_id=dolor [isiut]system-high-00206(emagn): OSPF instance with router-id emulla received a Hello packet flood from neighbor (IP address 10.219.1.151, router ID mnihilm) on Interface enp0s3375 forcing the interface to drop the packet. +eque: NetScreen device_id=eufug [est]system-medium-00075: The local device ntincul in the Virtual Security Device group reet tquo +imadmini: NetScreen device_id=ide [edq]system-medium-00026(tise): SSH: Attempt to unbind PKA key from admin user 'ntut' (Key ID emullam) +ihilmole: NetScreen device_id=saquaea [ons]system-high-00048(quas): Route map entry with sequence number gia in route map binck-ospf in virtual router itatio was porinc (2017-8-22 23:52:50) +orum: NetScreen device_id=oinBCSed [orem]system-medium-00050(ilm): Track IP enabled (2017-9-6 06:55:24) +ncididun: NetScreen device_id=hen [periamea]system-medium-00555: Vrouter ali PIMSM cannot process non-multicast address 10.158.18.51 +umwri: NetScreen device_id=odoc [atura]system-high-00030: SYSTEM CPU utilization is high (oreeu > nvo ) iamqui times in tassita minute (2017-10-4 21:00:32)< +inc: NetScreen device_id=tect [uiad]system-low-00003: The console debug buffer has been roinBCSe +nseq: NetScreen device_id=borumSec [tatemseq]system-medium-00026(dmi): SCS has been tam for eth7686 . +uiineavo: NetScreen device_id=sistena [uidexeac]system-high-00620(amquisno): RTSYNC: Event posted to send all the DRP routes to backup device. (2017-11-16 18:08:15) +sunt: NetScreen device_id=dquianon [urExc]system-high-00025(iamqui): PKI: The current device quide to save the certificate authority configuration. +etdol: NetScreen device_id=Sed [oremeumf]system-high-00076: The local device etur in the Virtual Security Device group fugiatn enima +giatquo: NetScreen device_id=lors [its]system-low-00524: SNMP request from an unknown SNMP community public at 10.46.217.155:76 has been received. (2017-12-29 15:15:58) +magnaa: NetScreen device_id=sumquiad [No Name]system-high-00628: audit log queue Event Log is overwritten (2018-1-12 22:18:32) +tnulapa: NetScreen device_id=madmi [No Name]system-high-00628(adeser): audit log queue Event Log is overwritten (2018-1-27 05:21:06) +laboree: NetScreen device_id=udantiu [itametco]system-high-00556(stiaecon): UF-MGR: usBono CPA server port changed to rumexe. +nturmag: NetScreen device_id=uredol [maliqua]system-medium-00058(mquia): PIMSM protocol configured on interface eth2266 +ueporroq: NetScreen device_id=ute [No Name]system-low-00625: Session (id tationu src-ip 10.142.21.251 dst-ip 10.154.16.147 dst port 6881) route is valid. (2018-3-11 02:28:49) +adipi: NetScreen device_id=mquis [ratvo]system-low-00042(isno): Replay packet detected on IPSec tunnel on enp0s1170 with tunnel ID nderiti! From 10.105.212.51 to 10.119.53.68/1783, giatqu (2018-3-25 09:31:24) +emvel: NetScreen device_id=pta [dolo]system-medium-00057(eacommod): uamqu: static multicast route src=10.174.2.175, grp=aparia input ifp = lo6813 output ifp = enp0s90 added +giat: NetScreen device_id=ttenb [eirure]system-high-00549(rem): add-route-> untrust-vr: exer +lapari: NetScreen device_id=rcitat [cinge]system-high-00536(luptate): IKE gateway eritqu has been elites. pariat +accus: NetScreen device_id=CSed [tiu]system-low-00049(upta): The router-id of virtual router "asper" used by OSPF, BGP routing instances id has been uninitialized. (dictasun) +itanimi: NetScreen device_id=onoru [data]system-high-00064(eosqui): Can not create track-ip list +int: NetScreen device_id=ionevo [llitani]system-high-00541(itametco): The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from etcons to etco state, (neighbor router-id 1iuntN, ip-address 10.89.179.48). (2018-6-19 03:46:49) +mmodicon: NetScreen device_id=eetdo [mquisno]system-low-00017(lup): mipsamv From 10.57.108.5:5523 using protocol icmp on interface enp0s4987. The attack occurred 2282 times +inimve: NetScreen device_id=aea [emipsumd]system-low-00263(ptat): Admin user saq has been accepted via the asiarch server at 10.197.10.110 +tlab: NetScreen device_id=vel [ionevo]system-high-00622: NHRP : NHRP instance in virtual router ptate is created. (2018-8-1 00:54:32) +qui: NetScreen device_id=caboN [imipsam]system-high-00528(catcupid): SSH: Admin user 'ritquiin' at host 10.59.51.171 requested unsupported authentication method texplica +udexerci: NetScreen device_id=uae [imveni]system-medium-00071(ptatemse): NSRP: Unit itationu of VSD group setquas nbyCi +isno: NetScreen device_id=luptatev [occaeca]system-high-00018(urau): aeca Policy (oNem, itaedict ) was eroi from host 10.80.103.229 by admin fugitsed (2018-9-12 22:02:15) +utlabore: NetScreen device_id=edquiano [mSecti]system-high-00207(tDuisaut): RIP database size limit exceeded for uel, RIP route dropped. +agn: NetScreen device_id=iqu [quamqua]system-high-00075: NSRP: Unit equeporr of VSD group amremap oremagna +ntium: NetScreen device_id=ide [quunturm]system-low-00040(isautem): High watermark for early aging has been changed to the default usan +catcu: NetScreen device_id=quame [tionemu]system-low-00524(eursi): SNMP host 10.163.9.35 cannot be removed from community uatDu because failure +cteturad: NetScreen device_id=modi [No Name]system-low-00625(ecatcu): Session (id ntoccae src-ip 10.51.161.245 dst-ip 10.193.80.21 dst port 5657) route is valid. (2018-11-23 09:15:06) +chit: NetScreen device_id=iusmodit [lor]system-high-00524(adeserun): SNMP request has been received, but success +vento: NetScreen device_id=litsed [ciun]system-medium-00072: The local device inrepr in the Virtual Security Device group lla changed state +rissusci: NetScreen device_id=uaturQ [iusmod]system-medium-00533(mips): VIP server 10.41.222.7 is now responding +upta: NetScreen device_id=ivel [tmollita]system-low-00070(deFinib): NSRP: nsrp control channel change to lo4065 +ommodic: NetScreen device_id=mmodic [essequam]system-low-00040(nihi): VPN 'xeaco' from 10.134.20.213 is eavolupt (2019-2-2 20:27:57) +ptasnul: NetScreen device_id=utaliqui [mcorpor]system-medium-00023(ostru): VIP/load balance server 10.110.144.189 cannot be contacted +luptatem: NetScreen device_id=ing [hen]system-medium-00034(umquid): SCS: SCS has been olabo for tasnu with conse existing PKA keys already bound to ruredolo SSH users. +iat: NetScreen device_id=orain [equaturQ]system-low-00554: SCAN-MGR: Attempted to load AV pattern file created quia after the AV subscription expired. (Exp: Exce) +dese: NetScreen device_id=ptasn [liqui]system-low-00541: ScreenOS invol serial # Loremips: Asset recovery has been cidun +ole: NetScreen device_id=odi [tper]system-medium-00628(ectetur): audit log queue Event Log is overwritten (2019-4-15 07:40:49) +iadolo: NetScreen device_id=ecatcup [No Name]system-high-00628: audit log queue Traffic Log is overwritten (2019-4-29 14:43:23) +qui: NetScreen device_id=iaecon [dminima]system-high-00538(psaquaea): NACN failed to register to Policy Manager eabillo because of success +eosqu: NetScreen device_id=reetdolo [umquam]system-low-00075(enderi): The local device labore in the Virtual Security Device group uasiarch changed state from iamquisn to inoperable. (2019-5-28 04:48:31) +veleumi: NetScreen device_id=volupt [equ]system-high-00535(ure): SCEP_FAILURE message has been received from the CA +reseo: NetScreen device_id=entoreve [rudexer]system-medium-00026(iruredol): IKE iad: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed +ptate: NetScreen device_id=oloreeu [imipsa]system-high-00038: OSPF routing instance in vrouter uame taevitae +archi: NetScreen device_id=caboNe [ptate]system-high-00003(ius): Multiple authentication failures have been detected! +remap: NetScreen device_id=ntium [veniamqu]system-high-00529: DNS entries have been refreshed by HA +llumdo: NetScreen device_id=tot [itquii]system-high-00625(erspici): Session (id oreeu src-ip 10.126.150.15 dst-ip 10.185.50.112 dst port 7180) route is invalid. (2019-8-21 23:03:57) +quepo: NetScreen device_id=tDuisa [iscive]system-medium-00521: Can't connect to E-mail server 10.152.90.59 +lorem: NetScreen device_id=icons [hende]system-low-00077(usBonor): HA link disconnect. Begin to use second path of HA +preh: NetScreen device_id=dol [No Name]system-low-00625: Session (id gnamal src-ip 10.119.181.171 dst-ip 10.166.144.66 dst port 3051) route is invalid. (2019-10-3 20:11:40) +avolup: NetScreen device_id=litse [archit]system-high-00041(untutlab): A route-map name in virtual router estqu has been removed +eddoeiu: NetScreen device_id=consect [eetdolo]system-medium-00038(remipsum): OSPF routing instance in vrouter ons emporin +texpl: NetScreen device_id=isquames [No Name]system-low-00021: DIP port-translation stickiness was atio by utla via ntm from host 10.96.165.147 to 10.96.218.99:277 (2019-11-15 17:19:22) +elaudant: NetScreen device_id=ratvolu [odte]system-medium-00021(eum): DIP port-translation stickiness was uidol by repr via idu from host 10.201.72.59 to 10.230.29.67:7478 (2019-11-30 00:21:57) +toc: NetScreen device_id=rau [sciuntN]system-low-00602: PIMSM Error in initializing interface state change diff --git a/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json b/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json new file mode 100644 index 00000000000..a33eb424fdd --- /dev/null +++ b/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json @@ -0,0 +1,2565 @@ +[ + { + "event.code": "00628", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "modtempo: NetScreen device_id=olab system-low-00628(rci): audit log queue Event Alarm Log is overwritten (2016-1-29 06:09:59)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 0, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00628", + "rsa.misc.hardware_id": "olab", + "rsa.misc.severity": "low", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00620", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "luptat: NetScreen device_id=isiutal [moenimi]system-low-00620(gnaali): RTSYNC: Timer to purge the DRP backup routes is stopped. (2016-2-12 13:12:33)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 126, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00620", + "rsa.misc.hardware_id": "isiutal", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "moenimi", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00062", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "deomni: NetScreen device_id=tquovol [ntsuntin]system-medium-00062(tatno): Track IP IP address 10.159.227.210 succeeded. (ofdeF)", + "fileset.name": "netscreen", + "host.ip": "10.159.227.210", + "input.type": "log", + "log.level": "medium", + "log.offset": 275, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.159.227.210" + ], + "rsa.internal.event_desc": "Track IP succeeded", + "rsa.internal.messageid": "00062", + "rsa.misc.hardware_id": "tquovol", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "ntsuntin", + "rsa.time.event_time_str": "ofdeF", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00004", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "untutlab: NetScreen device_id=tem [ons]system-medium-00004: DNS lookup time has been changed to start at ationu:ali with an interval of nsect", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 403, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00004", + "rsa.misc.hardware_id": "tem", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "ons", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00034", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "eve: NetScreen device_id=tatiset [eprehen]system-medium-00034(piscing): Ethernet driver ran out of rx bd (port 1044)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 545, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00034", + "rsa.misc.hardware_id": "tatiset", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "eprehen", + "rsa.network.network_port": 1044, + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00026", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "eomnisis: NetScreen device_id=mqui [civeli]system-high-00026: SCS: SCS has been tasuntex for enp0s5377 .", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 662, + "network.interface.name": "enp0s5377", + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00026", + "rsa.misc.disposition": "tasuntex", + "rsa.misc.hardware_id": "mqui", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "civeli", + "rsa.network.interface": "enp0s5377", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00026", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "rehender: NetScreen device_id=eporroqu [uat]system-high-00026(atquovo): SSH: Maximum number of PKA keys (suntinc) has been bound to user 'xeac' Key not bound. (Key ID nidolo)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 767, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.user": [ + "xeac" + ], + "rsa.internal.messageid": "00026", + "rsa.misc.hardware_id": "eporroqu", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "uat", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ], + "user.name": "xeac" + }, + { + "event.code": "00535", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "intoccae: NetScreen device_id=ents [pida]system-low-00535(idolor): PKCS #7 data cannot be decapsulated", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 942, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00535", + "rsa.misc.hardware_id": "ents", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "pida", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00520", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "numqu: NetScreen device_id=qui [No Name]system-medium-00520: Active Server Switchover: New requests for equi server will try agnaali from now on. (2016-5-22 14:30:33)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 1045, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00520", + "rsa.misc.hardware_id": "qui", + "rsa.misc.severity": "medium", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00072", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "ipitla: NetScreen device_id=quae [maccusa]system-high-00072(rQuisau): NSRP: Unit idex of VSD group xerci aqu", + "fileset.name": "netscreen", + "group.name": "xerci", + "input.type": "log", + "log.level": "high", + "log.offset": 1212, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.db.index": "aqu", + "rsa.internal.messageid": "00072", + "rsa.misc.group": "xerci", + "rsa.misc.hardware_id": "quae", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "maccusa", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00084", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "atu: NetScreen device_id=umexerci [ern]system-low-00084(iadese): RTSYNC: NSRP route synchronization is nsectet", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 1321, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00084", + "rsa.misc.disposition": "nsectet", + "rsa.misc.hardware_id": "umexerci", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "ern", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00527", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "dol: NetScreen device_id=leumiu [namali]system-medium-00527(atevel): MAC address 01:00:5e:11:0a:26 has detected an IP conflict and has declined address 10.90.127.74", + "fileset.name": "netscreen", + "host.ip": "10.90.127.74", + "host.mac": "01:00:5e:11:0a:26", + "input.type": "log", + "log.level": "medium", + "log.offset": 1432, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.90.127.74" + ], + "rsa.internal.messageid": "00527", + "rsa.misc.hardware_id": "leumiu", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "namali", + "rsa.network.eth_host": "01:00:5e:11:0a:26", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00050", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "acc: NetScreen device_id=amc [atur]system-low-00050(corp): Track IP enabled (2016-7-18 18:40:50)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 1597, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00050", + "rsa.misc.hardware_id": "amc", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "atur", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00524", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "tper: NetScreen device_id=olor [Neque]system-medium-00524(xerc): SNMP request from an unknown SNMP community public at 10.61.30.190:2509 has been received. (2016-8-2 01:43:25)", + "fileset.name": "netscreen", + "host.ip": "10.61.30.190", + "input.type": "log", + "log.level": "medium", + "log.offset": 1694, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.61.30.190" + ], + "rsa.internal.messageid": "00524", + "rsa.misc.hardware_id": "olor", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "Neque", + "rsa.network.network_port": 2509, + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00521", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "etdol: NetScreen device_id=uela [boN]system-medium-00521: Can't connect to E-mail server 10.210.240.175", + "fileset.name": "netscreen", + "host.ip": "10.210.240.175", + "input.type": "log", + "log.level": "medium", + "log.offset": 1870, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.210.240.175" + ], + "rsa.internal.messageid": "00521", + "rsa.misc.hardware_id": "uela", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "boN", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00553", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "ati: NetScreen device_id=tlabo [uames]system-medium-00553(mpo): SCAN-MGR: Set maximum content size to offi.", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 1974, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00553", + "rsa.misc.hardware_id": "tlabo", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "uames", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00005", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "umwr: NetScreen device_id=oluptate [issus]system-high-00005(uaUteni): SYN flood udantium has been changed to pre", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 2082, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00005", + "rsa.misc.hardware_id": "oluptate", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "issus", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00038", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "tate: NetScreen device_id=imvenia [spi]system-high-00038(etdo): OSPF routing instance in vrouter urerepr is ese", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 2195, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00038", + "rsa.misc.disposition": "ese", + "rsa.misc.hardware_id": "imvenia", + "rsa.misc.node": "urerepr", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "spi", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00012", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "smo: NetScreen device_id=etcons [iusmodi]system-medium-00012: ate Service group uiac has epte member idolo from host 10.170.139.87", + "fileset.name": "netscreen", + "group.name": "uiac", + "input.type": "log", + "log.level": "medium", + "log.offset": 2307, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.170.139.87" + ], + "related.user": [ + "idolo" + ], + "rsa.internal.messageid": "00012", + "rsa.misc.disposition": "epte", + "rsa.misc.group": "uiac", + "rsa.misc.hardware_id": "etcons", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "iusmodi", + "service.type": "juniper", + "source.ip": [ + "10.170.139.87" + ], + "tags": [ + "juniper.netscreen", + "forwarded" + ], + "user.name": "idolo" + }, + { + "event.code": "00551", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "ersp: NetScreen device_id=tquov [diconseq]system-high-00551(mod): Rapid Deployment cannot start because gateway has undergone configuration changes. (2016-10-26 19:58:50)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 2438, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00551", + "rsa.misc.hardware_id": "tquov", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "diconseq", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00071", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "mquame: NetScreen device_id=nihilmol [xercita]system-medium-00071(tiumt): The local device reetdolo in the Virtual Security Device group norum changed state", + "fileset.name": "netscreen", + "group.name": "norum", + "input.type": "log", + "log.level": "medium", + "log.offset": 2609, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00071", + "rsa.misc.group": "norum", + "rsa.misc.hardware_id": "nihilmol", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "xercita", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00057", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "isnisi: NetScreen device_id=ritatise [uamei]system-medium-00057(quatur): uisa: static multicast route src=10.198.41.214, grp=cusant input ifp = lo2786 output ifp = eth3657 added", + "fileset.name": "netscreen", + "group.name": "cusant", + "input.type": "log", + "log.level": "medium", + "log.offset": 2766, + "observer.egress.interface.name": "eth3657", + "observer.ingress.interface.name": "lo2786", + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.198.41.214" + ], + "rsa.internal.messageid": "00057", + "rsa.misc.group": "cusant", + "rsa.misc.hardware_id": "ritatise", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "uamei", + "rsa.network.dinterface": "eth3657", + "rsa.network.sinterface": "lo2786", + "service.type": "juniper", + "source.ip": [ + "10.198.41.214" + ], + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00075", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "isis: NetScreen device_id=uasiar [utlab]system-high-00075(loremqu): The local device dantium in the Virtual Security Device group lor velillu", + "fileset.name": "netscreen", + "group.name": "lor", + "input.type": "log", + "log.level": "high", + "log.offset": 2944, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.db.index": "velillu", + "rsa.internal.messageid": "00075", + "rsa.misc.group": "lor", + "rsa.misc.hardware_id": "uasiar", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "utlab", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00039", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "bor: NetScreen device_id=rauto [ationev]system-low-00039(mdol): BGP instance name created for vr itation", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 3086, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00039", + "rsa.misc.hardware_id": "rauto", + "rsa.misc.node": "itation", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "ationev", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00262", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "iaeco: NetScreen device_id=equaturv [siu]system-high-00262(veniamqu): Admin user rum has been rejected via the quaea server at 10.11.251.51", + "fileset.name": "netscreen", + "host.ip": "10.11.251.51", + "input.type": "log", + "log.level": "high", + "log.offset": 3191, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.11.251.51" + ], + "related.user": [ + "rum" + ], + "rsa.identity.logon_type": "quaea", + "rsa.internal.messageid": "00262", + "rsa.misc.hardware_id": "equaturv", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "siu", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ], + "user.name": "rum" + }, + { + "event.code": "00038", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "orroq: NetScreen device_id=vitaedic [orin]system-high-00038(ons): OSPF routing instance in vrouter remagn ecillu", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 3331, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00038", + "rsa.misc.disposition": "ecillu", + "rsa.misc.hardware_id": "vitaedic", + "rsa.misc.node": "remagn", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "orin", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00515", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "enderit: NetScreen device_id=taut [tanimi]system-medium-00515(commodi): emporain Admin User \"ntiumto\" logged in for umetMalo(https) management (port 2206) from 10.80.237.27:2883", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 3444, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.80.237.27" + ], + "related.user": [ + "ntiumto" + ], + "rsa.identity.logon_type": "umetMalo", + "rsa.internal.messageid": "00515", + "rsa.misc.hardware_id": "taut", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "tanimi", + "rsa.network.network_port": 2206, + "service.type": "juniper", + "source.ip": [ + "10.80.237.27" + ], + "source.port": 2883, + "tags": [ + "juniper.netscreen", + "forwarded" + ], + "user.name": "ntiumto" + }, + { + "event.code": "00073", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "ori: NetScreen device_id=tconsect [rum]system-high-00073(eporroq): NSRP: Unit ulla of VSD group iqu oin", + "fileset.name": "netscreen", + "group.name": "iqu", + "input.type": "log", + "log.level": "high", + "log.offset": 3622, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.db.index": "oin", + "rsa.internal.messageid": "00073", + "rsa.misc.group": "iqu", + "rsa.misc.hardware_id": "tconsect", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "rum", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00030", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "mipsum: NetScreen device_id=lmo [aliquamq]system-medium-00030: X509 certificate for ScreenOS image authentication is invalid", + "event.outcome": "unknown", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 3726, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00030", + "rsa.investigations.ec_outcome": "Error", + "rsa.investigations.ec_subject": "Certificate", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.hardware_id": "lmo", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "aliquamq", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00034", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "orroqu: NetScreen device_id=elitsed [labore]system-medium-00034(erc): PPPoE Settings changed", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 3851, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00034", + "rsa.misc.hardware_id": "elitsed", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "labore", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00612", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "ntNe: NetScreen device_id=itanim [nesciun]system-medium-00612: Switch event: the status of ethernet port mollita changed to link down , duplex full , speed 10 M. (2017-4-2 01:27:07)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 3944, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00612", + "rsa.misc.hardware_id": "itanim", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "nesciun", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00077", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "quide: NetScreen device_id=quaU [undeomni]system-medium-00077(acomm): NSRP: local unit= iutali of VSD group itat stlaboru", + "fileset.name": "netscreen", + "group.name": "itat", + "input.type": "log", + "log.level": "medium", + "log.offset": 4126, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.db.index": "stlaboru", + "rsa.internal.messageid": "00077", + "rsa.misc.group": "itat", + "rsa.misc.hardware_id": "quaU", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "undeomni", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00536", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "emq: NetScreen device_id=plicaboN [amc]system-high-00536(acommo): IKE 10.10.77.119: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", + "fileset.name": "netscreen", + "host.ip": "10.10.77.119", + "input.type": "log", + "log.level": "high", + "log.offset": 4248, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.10.77.119" + ], + "rsa.internal.messageid": "00536", + "rsa.misc.hardware_id": "plicaboN", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "amc", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00536", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "scivel: NetScreen device_id=henderi [iusmodt]system-medium-00536(tquas): IKE 10.200.22.41: Received incorrect ID payload: IP address lorinr instead of IP address ercita", + "fileset.name": "netscreen", + "host.ip": "10.200.22.41", + "input.type": "log", + "log.level": "medium", + "log.offset": 4418, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.200.22.41" + ], + "rsa.internal.messageid": "00536", + "rsa.misc.hardware_id": "henderi", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "iusmodt", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00203", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "equu: NetScreen device_id=sintoc [atae]system-medium-00203(tem): mestq lsa flood on interface eth82 has dropped a packet.", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 4587, + "network.interface.name": "eth82", + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00203", + "rsa.misc.hardware_id": "sintoc", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "atae", + "rsa.network.interface": "eth82", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00011", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "iqui: NetScreen device_id=tesseci [tat]system-high-00011(cive): The virtual router nse has been made unsharable", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 4709, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00011", + "rsa.misc.hardware_id": "tesseci", + "rsa.misc.node": "nse", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "tat", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00002", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "rroqui: NetScreen device_id=ursin [utemvel]system-medium-00002: ADMIN AUTH: Privilege requested for unknown user atu. Possible HA syncronization problem.", + "event.outcome": "unknown", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 4821, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.user": [ + "atu" + ], + "rsa.internal.messageid": "00002", + "rsa.investigations.ec_outcome": "Error", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.hardware_id": "ursin", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "utemvel", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ], + "user.name": "atu" + }, + { + "event.code": "00206", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "orumSe: NetScreen device_id=dolor [isiut]system-high-00206(emagn): OSPF instance with router-id emulla received a Hello packet flood from neighbor (IP address 10.219.1.151, router ID mnihilm) on Interface enp0s3375 forcing the interface to drop the packet.", + "fileset.name": "netscreen", + "host.ip": "10.219.1.151", + "input.type": "log", + "log.level": "high", + "log.offset": 4975, + "network.interface.name": "enp0s3375", + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.219.1.151" + ], + "rsa.internal.messageid": "00206", + "rsa.misc.hardware_id": "dolor", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "isiut", + "rsa.network.interface": "enp0s3375", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00075", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "eque: NetScreen device_id=eufug [est]system-medium-00075: The local device ntincul in the Virtual Security Device group reet tquo", + "fileset.name": "netscreen", + "group.name": "reet", + "input.type": "log", + "log.level": "medium", + "log.offset": 5232, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.db.index": "tquo", + "rsa.internal.messageid": "00075", + "rsa.misc.group": "reet", + "rsa.misc.hardware_id": "eufug", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "est", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00026", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "imadmini: NetScreen device_id=ide [edq]system-medium-00026(tise): SSH: Attempt to unbind PKA key from admin user 'ntut' (Key ID emullam)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 5362, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.user": [ + "ntut" + ], + "rsa.internal.messageid": "00026", + "rsa.misc.hardware_id": "ide", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "edq", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ], + "user.name": "ntut" + }, + { + "event.code": "00048", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "ihilmole: NetScreen device_id=saquaea [ons]system-high-00048(quas): Route map entry with sequence number gia in route map binck-ospf in virtual router itatio was porinc (2017-8-22 23:52:50)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 5499, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00048", + "rsa.misc.disposition": "porinc", + "rsa.misc.hardware_id": "saquaea", + "rsa.misc.node": "itatio", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "ons", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00050", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "orum: NetScreen device_id=oinBCSed [orem]system-medium-00050(ilm): Track IP enabled (2017-9-6 06:55:24)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 5689, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00050", + "rsa.misc.hardware_id": "oinBCSed", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "orem", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00555", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "ncididun: NetScreen device_id=hen [periamea]system-medium-00555: Vrouter ali PIMSM cannot process non-multicast address 10.158.18.51", + "fileset.name": "netscreen", + "host.ip": "10.158.18.51", + "input.type": "log", + "log.level": "medium", + "log.offset": 5793, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.158.18.51" + ], + "rsa.internal.messageid": "00555", + "rsa.misc.hardware_id": "hen", + "rsa.misc.node": "ali", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "periamea", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00030", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "umwri: NetScreen device_id=odoc [atura]system-high-00030: SYSTEM CPU utilization is high (oreeu > nvo ) iamqui times in tassita minute (2017-10-4 21:00:32)<", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 5926, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00030", + "rsa.misc.hardware_id": "odoc", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "atura", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00003", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "inc: NetScreen device_id=tect [uiad]system-low-00003: The console debug buffer has been roinBCSe", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 6093, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00003", + "rsa.misc.disposition": "roinBCSe", + "rsa.misc.hardware_id": "tect", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "uiad", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00026", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "nseq: NetScreen device_id=borumSec [tatemseq]system-medium-00026(dmi): SCS has been tam for eth7686 .", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 6190, + "network.interface.name": "eth7686", + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00026", + "rsa.misc.disposition": "tam", + "rsa.misc.hardware_id": "borumSec", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "tatemseq", + "rsa.network.interface": "eth7686", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00620", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "uiineavo: NetScreen device_id=sistena [uidexeac]system-high-00620(amquisno): RTSYNC: Event posted to send all the DRP routes to backup device. (2017-11-16 18:08:15)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 6292, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00620", + "rsa.misc.hardware_id": "sistena", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "uidexeac", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00025", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "sunt: NetScreen device_id=dquianon [urExc]system-high-00025(iamqui): PKI: The current device quide to save the certificate authority configuration.", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 6457, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00025", + "rsa.misc.disposition": "quide", + "rsa.misc.hardware_id": "dquianon", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "urExc", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00076", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "etdol: NetScreen device_id=Sed [oremeumf]system-high-00076: The local device etur in the Virtual Security Device group fugiatn enima", + "fileset.name": "netscreen", + "group.name": "fugiatn", + "input.type": "log", + "log.level": "high", + "log.offset": 6605, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.db.index": "enima", + "rsa.internal.messageid": "00076", + "rsa.misc.group": "fugiatn", + "rsa.misc.hardware_id": "Sed", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "oremeumf", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00524", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "giatquo: NetScreen device_id=lors [its]system-low-00524: SNMP request from an unknown SNMP community public at 10.46.217.155:76 has been received. (2017-12-29 15:15:58)", + "fileset.name": "netscreen", + "host.ip": "10.46.217.155", + "input.type": "log", + "log.level": "low", + "log.offset": 6738, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.46.217.155" + ], + "rsa.internal.messageid": "00524", + "rsa.misc.hardware_id": "lors", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "its", + "rsa.network.network_port": 76, + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00628", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "magnaa: NetScreen device_id=sumquiad [No Name]system-high-00628: audit log queue Event Log is overwritten (2018-1-12 22:18:32)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 6907, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00628", + "rsa.misc.hardware_id": "sumquiad", + "rsa.misc.severity": "high", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00628", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "tnulapa: NetScreen device_id=madmi [No Name]system-high-00628(adeser): audit log queue Event Log is overwritten (2018-1-27 05:21:06)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 7034, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00628", + "rsa.misc.hardware_id": "madmi", + "rsa.misc.severity": "high", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00556", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "laboree: NetScreen device_id=udantiu [itametco]system-high-00556(stiaecon): UF-MGR: usBono CPA server port changed to rumexe.", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 7167, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00556", + "rsa.misc.hardware_id": "udantiu", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "itametco", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00058", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "nturmag: NetScreen device_id=uredol [maliqua]system-medium-00058(mquia): PIMSM protocol configured on interface eth2266", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 7293, + "network.interface.name": "eth2266", + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00058", + "rsa.misc.hardware_id": "uredol", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "maliqua", + "rsa.network.interface": "eth2266", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.154.16.147" + ], + "destination.port": 6881, + "event.code": "00625", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "ueporroq: NetScreen device_id=ute [No Name]system-low-00625: Session (id tationu src-ip 10.142.21.251 dst-ip 10.154.16.147 dst port 6881) route is valid. (2018-3-11 02:28:49)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 7413, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.142.21.251", + "10.154.16.147" + ], + "rsa.internal.messageid": "00625", + "rsa.misc.hardware_id": "ute", + "rsa.misc.log_session_id": "tationu", + "rsa.misc.severity": "low", + "service.type": "juniper", + "source.ip": [ + "10.142.21.251" + ], + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.119.53.68" + ], + "destination.port": 1783, + "event.code": "00042", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "adipi: NetScreen device_id=mquis [ratvo]system-low-00042(isno): Replay packet detected on IPSec tunnel on enp0s1170 with tunnel ID nderiti! From 10.105.212.51 to 10.119.53.68/1783, giatqu (2018-3-25 09:31:24)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 7588, + "network.interface.name": "enp0s1170", + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.105.212.51", + "10.119.53.68" + ], + "rsa.db.index": "giatqu", + "rsa.internal.messageid": "00042", + "rsa.misc.hardware_id": "mquis", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "ratvo", + "rsa.network.interface": "enp0s1170", + "service.type": "juniper", + "source.ip": [ + "10.105.212.51" + ], + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00057", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "emvel: NetScreen device_id=pta [dolo]system-medium-00057(eacommod): uamqu: static multicast route src=10.174.2.175, grp=aparia input ifp = lo6813 output ifp = enp0s90 added", + "fileset.name": "netscreen", + "group.name": "aparia", + "input.type": "log", + "log.level": "medium", + "log.offset": 7797, + "observer.egress.interface.name": "enp0s90", + "observer.ingress.interface.name": "lo6813", + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.174.2.175" + ], + "rsa.internal.messageid": "00057", + "rsa.misc.group": "aparia", + "rsa.misc.hardware_id": "pta", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "dolo", + "rsa.network.dinterface": "enp0s90", + "rsa.network.sinterface": "lo6813", + "service.type": "juniper", + "source.ip": [ + "10.174.2.175" + ], + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00549", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "giat: NetScreen device_id=ttenb [eirure]system-high-00549(rem): add-route-> untrust-vr: exer", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 7970, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00549", + "rsa.misc.hardware_id": "ttenb", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "eirure", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00536", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "lapari: NetScreen device_id=rcitat [cinge]system-high-00536(luptate): IKE gateway eritqu has been elites. pariat", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 8063, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.db.index": "pariat", + "rsa.internal.messageid": "00536", + "rsa.misc.disposition": "elites", + "rsa.misc.hardware_id": "rcitat", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "cinge", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00049", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "accus: NetScreen device_id=CSed [tiu]system-low-00049(upta): The router-id of virtual router \"asper\" used by OSPF, BGP routing instances id has been uninitialized. (dictasun)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 8176, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00049", + "rsa.misc.hardware_id": "CSed", + "rsa.misc.node": "asper", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "tiu", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00064", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "itanimi: NetScreen device_id=onoru [data]system-high-00064(eosqui): Can not create track-ip list", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 8351, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00064", + "rsa.misc.hardware_id": "onoru", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "data", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00541", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "int: NetScreen device_id=ionevo [llitani]system-high-00541(itametco): The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from etcons to etco state, (neighbor router-id 1iuntN, ip-address 10.89.179.48). (2018-6-19 03:46:49)", + "fileset.name": "netscreen", + "host.ip": "10.89.179.48", + "input.type": "log", + "log.level": "high", + "log.offset": 8448, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.89.179.48" + ], + "rsa.internal.messageid": "00541", + "rsa.misc.change_new": "etco", + "rsa.misc.change_old": "etcons", + "rsa.misc.hardware_id": "ionevo", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "llitani", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00017", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "mmodicon: NetScreen device_id=eetdo [mquisno]system-low-00017(lup): mipsamv From 10.57.108.5:5523 using protocol icmp on interface enp0s4987. The attack occurred 2282 times", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 8744, + "network.interface.name": "enp0s4987", + "network.protocol": "icmp", + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.57.108.5" + ], + "rsa.counters.dclass_c1": 2282, + "rsa.counters.dclass_c1_str": "Number of times the attack occurred", + "rsa.internal.messageid": "00017", + "rsa.misc.hardware_id": "eetdo", + "rsa.misc.policy_name": "mipsamv", + "rsa.misc.severity": "low", + "rsa.misc.space": "", + "rsa.misc.vsys": "mquisno", + "rsa.network.interface": "enp0s4987", + "service.type": "juniper", + "source.ip": [ + "10.57.108.5" + ], + "source.port": 5523, + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00263", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "inimve: NetScreen device_id=aea [emipsumd]system-low-00263(ptat): Admin user saq has been accepted via the asiarch server at 10.197.10.110", + "fileset.name": "netscreen", + "host.ip": "10.197.10.110", + "input.type": "log", + "log.level": "low", + "log.offset": 8917, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.197.10.110" + ], + "related.user": [ + "saq" + ], + "rsa.identity.logon_type": "asiarch", + "rsa.internal.messageid": "00263", + "rsa.misc.hardware_id": "aea", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "emipsumd", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ], + "user.name": "saq" + }, + { + "event.code": "00622", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "tlab: NetScreen device_id=vel [ionevo]system-high-00622: NHRP : NHRP instance in virtual router ptate is created. (2018-8-1 00:54:32)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 9056, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00622", + "rsa.misc.hardware_id": "vel", + "rsa.misc.node": "ptate", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "ionevo", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00528", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "qui: NetScreen device_id=caboN [imipsam]system-high-00528(catcupid): SSH: Admin user 'ritquiin' at host 10.59.51.171 requested unsupported authentication method texplica", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 9190, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.59.51.171" + ], + "related.user": [ + "ritquiin" + ], + "rsa.internal.messageid": "00528", + "rsa.misc.hardware_id": "caboN", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "imipsam", + "service.type": "juniper", + "source.ip": [ + "10.59.51.171" + ], + "tags": [ + "juniper.netscreen", + "forwarded" + ], + "user.name": "ritquiin" + }, + { + "event.code": "00071", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "udexerci: NetScreen device_id=uae [imveni]system-medium-00071(ptatemse): NSRP: Unit itationu of VSD group setquas nbyCi", + "fileset.name": "netscreen", + "group.name": "setquas", + "input.type": "log", + "log.level": "medium", + "log.offset": 9360, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.db.index": "nbyCi", + "rsa.internal.messageid": "00071", + "rsa.misc.group": "setquas", + "rsa.misc.hardware_id": "uae", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "imveni", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00018", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "isno: NetScreen device_id=luptatev [occaeca]system-high-00018(urau): aeca Policy (oNem, itaedict ) was eroi from host 10.80.103.229 by admin fugitsed (2018-9-12 22:02:15)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 9480, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.80.103.229" + ], + "related.user": [ + "fugitsed" + ], + "rsa.db.index": "itaedict", + "rsa.internal.messageid": "00018", + "rsa.misc.disposition": "eroi", + "rsa.misc.hardware_id": "luptatev", + "rsa.misc.policy_id": "oNem", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "occaeca", + "service.type": "juniper", + "source.ip": [ + "10.80.103.229" + ], + "tags": [ + "juniper.netscreen", + "forwarded" + ], + "user.name": "fugitsed" + }, + { + "event.code": "00207", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "utlabore: NetScreen device_id=edquiano [mSecti]system-high-00207(tDuisaut): RIP database size limit exceeded for uel, RIP route dropped.", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 9651, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00207", + "rsa.misc.hardware_id": "edquiano", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "mSecti", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00075", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "agn: NetScreen device_id=iqu [quamqua]system-high-00075: NSRP: Unit equeporr of VSD group amremap oremagna", + "fileset.name": "netscreen", + "group.name": "amremap", + "input.type": "log", + "log.level": "high", + "log.offset": 9788, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.db.index": "oremagna", + "rsa.internal.messageid": "00075", + "rsa.misc.group": "amremap", + "rsa.misc.hardware_id": "iqu", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "quamqua", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00040", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "ntium: NetScreen device_id=ide [quunturm]system-low-00040(isautem): High watermark for early aging has been changed to the default usan", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 9895, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00040", + "rsa.misc.hardware_id": "ide", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "quunturm", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00524", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "catcu: NetScreen device_id=quame [tionemu]system-low-00524(eursi): SNMP host 10.163.9.35 cannot be removed from community uatDu because failure", + "fileset.name": "netscreen", + "host.ip": "10.163.9.35", + "input.type": "log", + "log.level": "low", + "log.offset": 10031, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.163.9.35" + ], + "rsa.internal.messageid": "00524", + "rsa.misc.hardware_id": "quame", + "rsa.misc.result": "failure", + "rsa.misc.severity": "low", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.193.80.21" + ], + "destination.port": 5657, + "event.code": "00625", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "cteturad: NetScreen device_id=modi [No Name]system-low-00625(ecatcu): Session (id ntoccae src-ip 10.51.161.245 dst-ip 10.193.80.21 dst port 5657) route is valid. (2018-11-23 09:15:06)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 10175, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.51.161.245", + "10.193.80.21" + ], + "rsa.internal.messageid": "00625", + "rsa.misc.hardware_id": "modi", + "rsa.misc.log_session_id": "ntoccae", + "rsa.misc.severity": "low", + "service.type": "juniper", + "source.ip": [ + "10.51.161.245" + ], + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00524", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "chit: NetScreen device_id=iusmodit [lor]system-high-00524(adeserun): SNMP request has been received, but success", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 10359, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00524", + "rsa.misc.hardware_id": "iusmodit", + "rsa.misc.result": "success", + "rsa.misc.severity": "high", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00072", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "vento: NetScreen device_id=litsed [ciun]system-medium-00072: The local device inrepr in the Virtual Security Device group lla changed state", + "fileset.name": "netscreen", + "group.name": "lla", + "input.type": "log", + "log.level": "medium", + "log.offset": 10472, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00072", + "rsa.misc.group": "lla", + "rsa.misc.hardware_id": "litsed", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "ciun", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00533", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "rissusci: NetScreen device_id=uaturQ [iusmod]system-medium-00533(mips): VIP server 10.41.222.7 is now responding", + "fileset.name": "netscreen", + "host.ip": "10.41.222.7", + "input.type": "log", + "log.level": "medium", + "log.offset": 10612, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.41.222.7" + ], + "rsa.internal.messageid": "00533", + "rsa.misc.hardware_id": "uaturQ", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "iusmod", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00070", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "upta: NetScreen device_id=ivel [tmollita]system-low-00070(deFinib): NSRP: nsrp control channel change to lo4065", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 10725, + "network.interface.name": "lo4065", + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00070", + "rsa.misc.hardware_id": "ivel", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "tmollita", + "rsa.network.interface": "lo4065", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.134.20.213" + ], + "event.code": "00040", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "ommodic: NetScreen device_id=mmodic [essequam]system-low-00040(nihi): VPN 'xeaco' from 10.134.20.213 is eavolupt (2019-2-2 20:27:57)", + "fileset.name": "netscreen", + "group.name": "xeaco", + "input.type": "log", + "log.level": "low", + "log.offset": 10837, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.134.20.213" + ], + "rsa.internal.messageid": "00040", + "rsa.misc.disposition": "eavolupt", + "rsa.misc.group": "xeaco", + "rsa.misc.hardware_id": "mmodic", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "essequam", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00023", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "ptasnul: NetScreen device_id=utaliqui [mcorpor]system-medium-00023(ostru): VIP/load balance server 10.110.144.189 cannot be contacted", + "fileset.name": "netscreen", + "host.ip": "10.110.144.189", + "input.type": "log", + "log.level": "medium", + "log.offset": 10970, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.110.144.189" + ], + "rsa.internal.messageid": "00023", + "rsa.misc.hardware_id": "utaliqui", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "mcorpor", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00034", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "luptatem: NetScreen device_id=ing [hen]system-medium-00034(umquid): SCS: SCS has been olabo for tasnu with conse existing PKA keys already bound to ruredolo SSH users.", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 11104, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.user": [ + "tasnu" + ], + "rsa.internal.messageid": "00034", + "rsa.misc.disposition": "olabo", + "rsa.misc.hardware_id": "ing", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "hen", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ], + "user.name": "tasnu" + }, + { + "event.code": "00554", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "iat: NetScreen device_id=orain [equaturQ]system-low-00554: SCAN-MGR: Attempted to load AV pattern file created quia after the AV subscription expired. (Exp: Exce)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 11272, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00554", + "rsa.misc.hardware_id": "orain", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "equaturQ", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00541", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "dese: NetScreen device_id=ptasn [liqui]system-low-00541: ScreenOS invol serial # Loremips: Asset recovery has been cidun", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 11435, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00541", + "rsa.misc.disposition": "cidun", + "rsa.misc.hardware_id": "ptasn", + "rsa.misc.serial_number": "Loremips", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "liqui", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00628", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "ole: NetScreen device_id=odi [tper]system-medium-00628(ectetur): audit log queue Event Log is overwritten (2019-4-15 07:40:49)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 11556, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00628", + "rsa.misc.hardware_id": "odi", + "rsa.misc.severity": "medium", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00628", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "iadolo: NetScreen device_id=ecatcup [No Name]system-high-00628: audit log queue Traffic Log is overwritten (2019-4-29 14:43:23)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 11683, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00628", + "rsa.misc.hardware_id": "ecatcup", + "rsa.misc.severity": "high", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00538", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "qui: NetScreen device_id=iaecon [dminima]system-high-00538(psaquaea): NACN failed to register to Policy Manager eabillo because of success", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 11811, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00538", + "rsa.misc.hardware_id": "iaecon", + "rsa.misc.result": "success", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "dminima", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00075", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "eosqu: NetScreen device_id=reetdolo [umquam]system-low-00075(enderi): The local device labore in the Virtual Security Device group uasiarch changed state from iamquisn to inoperable. (2019-5-28 04:48:31)", + "fileset.name": "netscreen", + "group.name": "uasiarch", + "input.type": "log", + "log.level": "low", + "log.offset": 11950, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.event_desc": "local device in the Virtual Security Device group changed state to inoperable", + "rsa.internal.messageid": "00075", + "rsa.misc.event_state": "iamquisn", + "rsa.misc.group": "uasiarch", + "rsa.misc.hardware_id": "reetdolo", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "umquam", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00535", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "veleumi: NetScreen device_id=volupt [equ]system-high-00535(ure): SCEP_FAILURE message has been received from the CA", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 12154, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00535", + "rsa.misc.hardware_id": "volupt", + "rsa.misc.result": "SCEP_FAILURE message", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "equ", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00026", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "reseo: NetScreen device_id=entoreve [rudexer]system-medium-00026(iruredol): IKE iad: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 12270, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00026", + "rsa.misc.hardware_id": "entoreve", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "rudexer", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00038", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "ptate: NetScreen device_id=oloreeu [imipsa]system-high-00038: OSPF routing instance in vrouter uame taevitae", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 12443, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00038", + "rsa.misc.disposition": "taevitae", + "rsa.misc.hardware_id": "oloreeu", + "rsa.misc.node": "uame", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "imipsa", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00003", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "archi: NetScreen device_id=caboNe [ptate]system-high-00003(ius): Multiple authentication failures have been detected!", + "event.outcome": "failure", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 12552, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00003", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.hardware_id": "caboNe", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "ptate", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00529", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "remap: NetScreen device_id=ntium [veniamqu]system-high-00529: DNS entries have been refreshed by HA", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 12670, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00529", + "rsa.misc.hardware_id": "ntium", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "veniamqu", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.185.50.112" + ], + "destination.port": 7180, + "event.code": "00625", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "llumdo: NetScreen device_id=tot [itquii]system-high-00625(erspici): Session (id oreeu src-ip 10.126.150.15 dst-ip 10.185.50.112 dst port 7180) route is invalid. (2019-8-21 23:03:57)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 12770, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.185.50.112", + "10.126.150.15" + ], + "rsa.internal.messageid": "00625", + "rsa.misc.hardware_id": "tot", + "rsa.misc.log_session_id": "oreeu", + "rsa.misc.severity": "high", + "service.type": "juniper", + "source.ip": [ + "10.126.150.15" + ], + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00521", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "quepo: NetScreen device_id=tDuisa [iscive]system-medium-00521: Can't connect to E-mail server 10.152.90.59", + "fileset.name": "netscreen", + "host.ip": "10.152.90.59", + "input.type": "log", + "log.level": "medium", + "log.offset": 12952, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.152.90.59" + ], + "rsa.internal.messageid": "00521", + "rsa.misc.hardware_id": "tDuisa", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "iscive", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00077", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "lorem: NetScreen device_id=icons [hende]system-low-00077(usBonor): HA link disconnect. Begin to use second path of HA", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 13059, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00077", + "rsa.misc.hardware_id": "icons", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "hende", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.166.144.66" + ], + "destination.port": 3051, + "event.code": "00625", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "preh: NetScreen device_id=dol [No Name]system-low-00625: Session (id gnamal src-ip 10.119.181.171 dst-ip 10.166.144.66 dst port 3051) route is invalid. (2019-10-3 20:11:40)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 13177, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.119.181.171", + "10.166.144.66" + ], + "rsa.internal.messageid": "00625", + "rsa.misc.hardware_id": "dol", + "rsa.misc.log_session_id": "gnamal", + "rsa.misc.severity": "low", + "service.type": "juniper", + "source.ip": [ + "10.119.181.171" + ], + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00041", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "avolup: NetScreen device_id=litse [archit]system-high-00041(untutlab): A route-map name in virtual router estqu has been removed", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "high", + "log.offset": 13350, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00041", + "rsa.misc.hardware_id": "litse", + "rsa.misc.node": "estqu", + "rsa.misc.severity": "high", + "rsa.misc.vsys": "archit", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "event.code": "00038", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "eddoeiu: NetScreen device_id=consect [eetdolo]system-medium-00038(remipsum): OSPF routing instance in vrouter ons emporin", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 13479, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00038", + "rsa.misc.disposition": "emporin", + "rsa.misc.hardware_id": "consect", + "rsa.misc.node": "ons", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "eetdolo", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.96.218.99" + ], + "destination.port": 277, + "event.code": "00021", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "texpl: NetScreen device_id=isquames [No Name]system-low-00021: DIP port-translation stickiness was atio by utla via ntm from host 10.96.165.147 to 10.96.218.99:277 (2019-11-15 17:19:22)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 13601, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.96.165.147", + "10.96.218.99" + ], + "related.user": [ + "utla" + ], + "rsa.db.index": "DIP port-translation stickiness was modified", + "rsa.identity.logon_type": "ntm", + "rsa.internal.messageid": "00021", + "rsa.misc.disposition": "atio", + "rsa.misc.hardware_id": "isquames", + "rsa.misc.severity": "low", + "service.type": "juniper", + "source.ip": [ + "10.96.165.147" + ], + "tags": [ + "juniper.netscreen", + "forwarded" + ], + "user.name": "utla" + }, + { + "destination.ip": [ + "10.230.29.67" + ], + "destination.port": 7478, + "event.code": "00021", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "elaudant: NetScreen device_id=ratvolu [odte]system-medium-00021(eum): DIP port-translation stickiness was uidol by repr via idu from host 10.201.72.59 to 10.230.29.67:7478 (2019-11-30 00:21:57)", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "medium", + "log.offset": 13787, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "related.ip": [ + "10.201.72.59", + "10.230.29.67" + ], + "related.user": [ + "repr" + ], + "rsa.db.index": "DIP port-translation stickiness was modified", + "rsa.identity.logon_type": "idu", + "rsa.internal.messageid": "00021", + "rsa.misc.disposition": "uidol", + "rsa.misc.hardware_id": "ratvolu", + "rsa.misc.severity": "medium", + "service.type": "juniper", + "source.ip": [ + "10.201.72.59" + ], + "tags": [ + "juniper.netscreen", + "forwarded" + ], + "user.name": "repr" + }, + { + "event.code": "00602", + "event.dataset": "juniper.netscreen", + "event.module": "juniper", + "event.original": "toc: NetScreen device_id=rau [sciuntN]system-low-00602: PIMSM Error in initializing interface state change", + "fileset.name": "netscreen", + "input.type": "log", + "log.level": "low", + "log.offset": 13981, + "observer.product": "Netscreen", + "observer.type": "Firewall", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "00602", + "rsa.misc.hardware_id": "rau", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "sciuntN", + "service.type": "juniper", + "tags": [ + "juniper.netscreen", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/kaspersky/README.md b/x-pack/filebeat/module/kaspersky/README.md deleted file mode 100644 index 005ced11763..00000000000 --- a/x-pack/filebeat/module/kaspersky/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# kaspersky module - -This is a module for Kaspersky Anti-Virus logs. - -Autogenerated from RSA NetWitness log parser 2.0 XML kasperskyav version 127 -at 2020-07-13 17:55:38.911054 +0000 UTC. - diff --git a/x-pack/filebeat/module/kaspersky/_meta/fields.yml b/x-pack/filebeat/module/kaspersky/_meta/fields.yml deleted file mode 100644 index 9d6e927574d..00000000000 --- a/x-pack/filebeat/module/kaspersky/_meta/fields.yml +++ /dev/null @@ -1,5 +0,0 @@ -- key: kaspersky - title: Kaspersky Anti-Virus - description: > - kaspersky fields. - fields: diff --git a/x-pack/filebeat/module/kaspersky/av/config/pipeline.js b/x-pack/filebeat/module/kaspersky/av/config/pipeline.js deleted file mode 100644 index 58bdd0e0c23..00000000000 --- a/x-pack/filebeat/module/kaspersky/av/config/pipeline.js +++ /dev/null @@ -1,917 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -function DeviceProcessor() { - var builder = new processor.Chain(); - builder.Add(save_flags); - builder.Add(strip_syslog_priority); - builder.Add(chain1); - builder.Add(populate_fields); - builder.Add(restore_flags); - var chain = builder.Build(); - return { - process: chain.Run, - } -} - -var map_getSeveritylevel = { - keyvaluepairs: { - "1": constant("Info"), - "2": constant("Warning"), - "3": constant("Error"), - "4": constant("Critical"), - }, -}; - -var dup1 = setc("eventcategory","1609000000"); - -var dup2 = date_time({ - dest: "event_time", - args: ["fld2","fld3"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup3 = field("fld6"); - -var dup4 = setc("eventcategory","1603000000"); - -var dup5 = setc("eventcategory","1612000000"); - -var dup6 = setc("eventcategory","1003010000"); - -var dup7 = setc("obj_type","Dangerous Object"); - -var dup8 = setc("eventcategory","1605000000"); - -var dup9 = setc("ec_subject","NetworkComm"); - -var dup10 = setc("ec_activity","Detect"); - -var dup11 = setc("ec_theme","TEV"); - -var dup12 = match("MESSAGE#51:HTTP:Object_Infected/0", "nwparser.payload", "%{fld11->} %{fld12->} %{fld13->} %{protocol->} %{p0}"); - -var dup13 = match("MESSAGE#51:HTTP:Object_Infected/1_0", "nwparser.p0", "object %{p0}"); - -var dup14 = match("MESSAGE#51:HTTP:Object_Infected/1_1", "nwparser.p0", "Object %{p0}"); - -var dup15 = match("MESSAGE#51:HTTP:Object_Infected/3_0", "nwparser.p0", "Client's %{p0}"); - -var dup16 = match("MESSAGE#51:HTTP:Object_Infected/3_1", "nwparser.p0", "client's %{p0}"); - -var dup17 = match("MESSAGE#51:HTTP:Object_Infected/4", "nwparser.p0", "%{}address: %{hostip})"); - -var dup18 = setf("msg","$MSG"); - -var dup19 = date_time({ - dest: "event_time", - args: ["fld11","fld12","fld13"], - fmts: [ - [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dP], - ], -}); - -var dup20 = setf("obj_type","protocol"); - -var dup21 = setc("eventcategory","1601020000"); - -var dup22 = lookup({ - dest: "nwparser.severity", - map: map_getSeveritylevel, - key: dup3, -}); - -var dup23 = linear_select([ - dup13, - dup14, -]); - -var dup24 = linear_select([ - dup15, - dup16, -]); - -var dup25 = match("MESSAGE#0:KLSRV_EVENT_HOSTS_NEW_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ - dup1, - dup2, - dup22, -])); - -var dup26 = match("MESSAGE#1:KLSRV_EVENT_HOSTS_NEW_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ - dup1, - dup2, - dup22, -])); - -var dup27 = match("MESSAGE#11:KLAUD_EV_OBJECTMODIFY:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ - dup5, - dup2, - dup22, -])); - -var dup28 = match("MESSAGE#12:KLAUD_EV_OBJECTMODIFY", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}", processor_chain([ - dup5, - dup2, - dup22, -])); - -var dup29 = match("MESSAGE#31:GNRL_EV_OBJECT_CURED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ - dup6, - dup2, - dup7, - dup22, -])); - -var dup30 = match("MESSAGE#42:KLEVP_GroupTaskSyncState:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ - dup5, - dup2, - dup22, -])); - -var dup31 = match("MESSAGE#43:KLEVP_GroupTaskSyncState", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ - dup5, - dup2, - dup22, -])); - -var dup32 = match("MESSAGE#46:KLSRV_EV_LICENSE_CHECK_90", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ - dup5, - dup2, - dup22, -])); - -var dup33 = match("MESSAGE#58:000000ce", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ - dup21, - dup2, - dup22, -])); - -var dup34 = match("MESSAGE#63:000000db", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ - dup8, - dup2, - dup22, -])); - -var dup35 = match("MESSAGE#77:KLSRV_EV_LICENSE_SRV_LIMITED_MODE", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ - dup1, - dup2, - dup22, -])); - -var hdr1 = match("HEADER#0:0001", "message", "%kasperskyav: %{hfld1}^^%{hrecorded_time}^^%{messageid}^^%{payload}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld1"), - constant("^^"), - field("hrecorded_time"), - constant("^^"), - field("messageid"), - constant("^^"), - field("payload"), - ], - }), -])); - -var hdr2 = match("HEADER#1:0002", "message", "%kasperskyav-%{hlevel}: %{hdate->} %{htime->} %{hfld1->} %{messageid->} %{payload}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hdate"), - constant(" "), - field("htime"), - constant(" "), - field("hfld1"), - constant(" "), - field("messageid"), - constant(" "), - field("payload"), - ], - }), -])); - -var select1 = linear_select([ - hdr1, - hdr2, -]); - -var msg1 = msg("KLSRV_EVENT_HOSTS_NEW_DETECTED:01", dup25); - -var msg2 = msg("KLSRV_EVENT_HOSTS_NEW_DETECTED", dup26); - -var select2 = linear_select([ - msg1, - msg2, -]); - -var msg3 = msg("KLSRV_EVENT_HOSTS_NOT_VISIBLE", dup26); - -var msg4 = msg("KLSRV_HOST_STATUS_WARNING:01", dup25); - -var msg5 = msg("KLSRV_HOST_STATUS_WARNING", dup26); - -var select3 = linear_select([ - msg4, - msg5, -]); - -var part1 = match("MESSAGE#5:KLSRV_RUNTIME_ERROR", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ - dup4, - dup2, - dup22, -])); - -var msg6 = msg("KLSRV_RUNTIME_ERROR", part1); - -var msg7 = msg("KLSRV_HOST_STATUS_CRITICAL:01", dup25); - -var msg8 = msg("KLSRV_HOST_STATUS_CRITICAL", dup26); - -var select4 = linear_select([ - msg7, - msg8, -]); - -var msg9 = msg("KLSRV_HOST_MOVED_WITH_RULE_EX", dup26); - -var msg10 = msg("KLSRV_HOST_OUT_CONTROL", dup26); - -var msg11 = msg("KLSRV_INVISIBLE_HOSTS_REMOVED", dup26); - -var msg12 = msg("KLAUD_EV_OBJECTMODIFY:01", dup27); - -var msg13 = msg("KLAUD_EV_OBJECTMODIFY", dup28); - -var select5 = linear_select([ - msg12, - msg13, -]); - -var msg14 = msg("KLAUD_EV_TASK_STATE_CHANGED:01", dup27); - -var msg15 = msg("KLAUD_EV_TASK_STATE_CHANGED", dup28); - -var select6 = linear_select([ - msg14, - msg15, -]); - -var msg16 = msg("KLAUD_EV_ADMGROUP_CHANGED:01", dup27); - -var msg17 = msg("KLAUD_EV_ADMGROUP_CHANGED", dup28); - -var select7 = linear_select([ - msg16, - msg17, -]); - -var msg18 = msg("KLAUD_EV_SERVERCONNECT:01", dup27); - -var msg19 = msg("KLAUD_EV_SERVERCONNECT", dup28); - -var select8 = linear_select([ - msg18, - msg19, -]); - -var msg20 = msg("00010009", dup26); - -var msg21 = msg("00010013", dup26); - -var msg22 = msg("00020006", dup26); - -var msg23 = msg("00020007", dup26); - -var msg24 = msg("00020008", dup26); - -var msg25 = msg("00030006", dup26); - -var msg26 = msg("00030015", dup26); - -var msg27 = msg("00040007", dup26); - -var msg28 = msg("00040008", dup26); - -var part2 = match("MESSAGE#28:GNRL_EV_SUSPICIOUS_OBJECT_FOUND:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{virusname}^^%{username}^^%{fld19}", processor_chain([ - dup6, - dup2, - dup7, - dup22, -])); - -var msg29 = msg("GNRL_EV_SUSPICIOUS_OBJECT_FOUND:01", part2); - -var part3 = match("MESSAGE#29:GNRL_EV_SUSPICIOUS_OBJECT_FOUND", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}", processor_chain([ - dup6, - dup2, - dup7, - dup22, -])); - -var msg30 = msg("GNRL_EV_SUSPICIOUS_OBJECT_FOUND", part3); - -var select9 = linear_select([ - msg29, - msg30, -]); - -var part4 = match("MESSAGE#30:GNRL_EV_OBJECT_CURED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ - dup6, - dup2, - dup7, - dup22, -])); - -var msg31 = msg("GNRL_EV_OBJECT_CURED:01", part4); - -var msg32 = msg("GNRL_EV_OBJECT_CURED", dup29); - -var select10 = linear_select([ - msg31, - msg32, -]); - -var part5 = match("MESSAGE#32:GNRL_EV_OBJECT_NOTCURED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ - dup8, - dup2, - dup7, - dup22, -])); - -var msg33 = msg("GNRL_EV_OBJECT_NOTCURED:01", part5); - -var msg34 = msg("GNRL_EV_OBJECT_NOTCURED", dup29); - -var select11 = linear_select([ - msg33, - msg34, -]); - -var part6 = match("MESSAGE#34:GNRL_EV_OBJECT_DELETED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ - dup6, - dup2, - dup7, - dup22, -])); - -var msg35 = msg("GNRL_EV_OBJECT_DELETED:01", part6); - -var msg36 = msg("GNRL_EV_OBJECT_DELETED", dup29); - -var select12 = linear_select([ - msg35, - msg36, -]); - -var part7 = match("MESSAGE#36:GNRL_EV_VIRUS_FOUND:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Virus '%{fld7}' detected in message from '%{from}' to '%{to}'.^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ - dup6, - dup2, - dup7, - dup22, - setc("event_description","Virus detected in email message"), -])); - -var msg37 = msg("GNRL_EV_VIRUS_FOUND:01", part7); - -var part8 = match("MESSAGE#37:GNRL_EV_VIRUS_FOUND:03", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld18}^^%{virusname}^^%{username}^^%{fld22}", processor_chain([ - dup8, - dup2, - dup7, - dup22, -])); - -var msg38 = msg("GNRL_EV_VIRUS_FOUND:03", part8); - -var msg39 = msg("GNRL_EV_VIRUS_FOUND:02", dup29); - -var select13 = linear_select([ - msg37, - msg38, - msg39, -]); - -var part9 = match("MESSAGE#39:GNRL_EV_VIRUS_OUTBREAK", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ - dup6, - dup2, - dup22, -])); - -var msg40 = msg("GNRL_EV_VIRUS_OUTBREAK", part9); - -var part10 = match("MESSAGE#40:GNRL_EV_ATTACK_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{threat_name}^^%{protocol}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ - dup5, - dup9, - dup10, - dup11, - dup2, - dup22, -])); - -var msg41 = msg("GNRL_EV_ATTACK_DETECTED:01", part10); - -var part11 = match("MESSAGE#41:GNRL_EV_ATTACK_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ - dup6, - dup9, - dup10, - dup11, - dup2, - dup22, -])); - -var msg42 = msg("GNRL_EV_ATTACK_DETECTED", part11); - -var select14 = linear_select([ - msg41, - msg42, -]); - -var msg43 = msg("KLEVP_GroupTaskSyncState:01", dup30); - -var msg44 = msg("KLEVP_GroupTaskSyncState", dup31); - -var select15 = linear_select([ - msg43, - msg44, -]); - -var msg45 = msg("KLPRCI_TaskState:01", dup30); - -var msg46 = msg("KLPRCI_TaskState", dup31); - -var select16 = linear_select([ - msg45, - msg46, -]); - -var msg47 = msg("KLSRV_EV_LICENSE_CHECK_90", dup32); - -var msg48 = msg("KLNAG_EV_INV_APP_UNINSTALLED", dup32); - -var msg49 = msg("KLNAG_EV_DEVICE_ARRIVAL", dup32); - -var msg50 = msg("KLNAG_EV_DEVICE_REMOVE", dup32); - -var msg51 = msg("FSEE_AKPLUGIN_CRITICAL_PATCHES_AVAILABLE", dup31); - -var part12 = match("MESSAGE#51:HTTP:Object_Infected/2", "nwparser.p0", "%{}'%{obj_name}' is infected with '%{virusname}'(Database date: %{fld14}, %{p0}"); - -var all1 = all_match({ - processors: [ - dup12, - dup23, - part12, - dup24, - dup17, - ], - on_success: processor_chain([ - dup6, - dup18, - dup19, - dup20, - ]), -}); - -var msg52 = msg("HTTP:Object_Infected", all1); - -var part13 = match("MESSAGE#52:HTTP:Object_Scanning_Error/2", "nwparser.p0", "%{}'%{obj_name}' scanning resulted in an error (Database date: %{fld14}, %{p0}"); - -var all2 = all_match({ - processors: [ - dup12, - dup23, - part13, - dup24, - dup17, - ], - on_success: processor_chain([ - dup4, - dup18, - dup19, - dup20, - ]), -}); - -var msg53 = msg("HTTP:Object_Scanning_Error", all2); - -var part14 = match("MESSAGE#53:HTTP:Object_Scanned_And_Clean/2", "nwparser.p0", "%{}'%{obj_name}' has been scanned and flagged as clean(Database date: %{fld14}, %{p0}"); - -var all3 = all_match({ - processors: [ - dup12, - dup23, - part14, - dup24, - dup17, - ], - on_success: processor_chain([ - dup8, - dup18, - dup19, - dup20, - ]), -}); - -var msg54 = msg("HTTP:Object_Scanned_And_Clean", all3); - -var part15 = match("MESSAGE#54:HTTP:Object_Not_Scanned_01/2", "nwparser.p0", "%{}'%{obj_name}' has not been scanned as defined by the policy as %{policyname->} %{fld17->} ( %{p0}"); - -var all4 = all_match({ - processors: [ - dup12, - dup23, - part15, - dup24, - dup17, - ], - on_success: processor_chain([ - dup8, - dup18, - dup19, - dup20, - ]), -}); - -var msg55 = msg("HTTP:Object_Not_Scanned_01", all4); - -var part16 = match("MESSAGE#55:HTTP:Object_Not_Scanned_02/2", "nwparser.p0", "%{}'%{obj_name}' has not been scanned as defined by the policy ( %{p0}"); - -var all5 = all_match({ - processors: [ - dup12, - dup23, - part16, - dup24, - dup17, - ], - on_success: processor_chain([ - dup8, - dup18, - dup19, - dup20, - ]), -}); - -var msg56 = msg("HTTP:Object_Not_Scanned_02", all5); - -var part17 = match("MESSAGE#57:HTTP:01/2", "nwparser.p0", "%{}'%{obj_name}"); - -var all6 = all_match({ - processors: [ - dup12, - dup23, - part17, - ], - on_success: processor_chain([ - dup8, - dup18, - dup19, - dup20, - ]), -}); - -var msg57 = msg("HTTP:01", all6); - -var select17 = linear_select([ - msg52, - msg53, - msg54, - msg55, - msg56, - msg57, -]); - -var msg58 = msg("KLSRV_EV_LICENSE_CHECK_MORE_110", dup30); - -var msg59 = msg("000000ce", dup33); - -var msg60 = msg("000000d4", dup33); - -var msg61 = msg("000000d5", dup25); - -var msg62 = msg("000000d8", dup25); - -var msg63 = msg("000000da", dup25); - -var msg64 = msg("000000db", dup34); - -var msg65 = msg("000000d6", dup25); - -var msg66 = msg("000000de", dup34); - -var part18 = match("MESSAGE#66:000000e1", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ - setc("eventcategory","1606000000"), - dup2, - dup22, -])); - -var msg67 = msg("000000e1", part18); - -var msg68 = msg("0000012f", dup25); - -var msg69 = msg("00000134", dup34); - -var msg70 = msg("00000143", dup34); - -var msg71 = msg("00000141", dup25); - -var msg72 = msg("00000353", dup25); - -var msg73 = msg("00000354", dup25); - -var msg74 = msg("000003fb", dup34); - -var msg75 = msg("000003fd", dup25); - -var msg76 = msg("000000cc", dup25); - -var part19 = match("MESSAGE#76:000000e2", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld7}^^%{fld8}^^%{fld15}^^", processor_chain([ - dup1, - dup2, - dup22, -])); - -var msg77 = msg("000000e2", part19); - -var msg78 = msg("KLSRV_EV_LICENSE_SRV_LIMITED_MODE", dup35); - -var part20 = match("MESSAGE#78:KSNPROXY_STOPPED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", processor_chain([ - setc("eventcategory","1801030000"), - dup2, - dup22, -])); - -var msg79 = msg("KSNPROXY_STOPPED", part20); - -var part21 = match("MESSAGE#79:KLSRV_UPD_BASES_UPDATED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", processor_chain([ - dup1, - dup2, - dup22, -])); - -var msg80 = msg("KLSRV_UPD_BASES_UPDATED", part21); - -var part22 = match("MESSAGE#80:FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Object not scanned. Reason: %{event_description->} Object name: %{filename}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ - dup1, - dup2, - dup22, -])); - -var msg81 = msg("FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED", part22); - -var part23 = match("MESSAGE#81:KLNAG_EV_INV_APP_INSTALLED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{product}^^%{version}^^%{fld8}", processor_chain([ - dup1, - dup2, - dup22, -])); - -var msg82 = msg("KLNAG_EV_INV_APP_INSTALLED", part23); - -var part24 = match("MESSAGE#82:GNRL_EV_LICENSE_EXPIRATION", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info->} User: %{username->} Component: %{fld5}Result\\Description: %{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ - dup1, - dup2, - dup22, -])); - -var msg83 = msg("GNRL_EV_LICENSE_EXPIRATION", part24); - -var part25 = match("MESSAGE#83:KSNPROXY_STARTED_CON_CHK_FAILED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{fld5}^^%{fld7}^^%{fld8}^^", processor_chain([ - setc("eventcategory","1703000000"), - dup2, - dup22, -])); - -var msg84 = msg("KSNPROXY_STARTED_CON_CHK_FAILED", part25); - -var part26 = match("MESSAGE#84:000003f8", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_description}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Event type:%{event_type->} Result: %{fld23->} Object: %{obj_name->} Object\\Path: %{url->} User:%{username->} Update ID: %{fld51}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ - dup1, - dup2, - dup22, -])); - -var msg85 = msg("000003f8", part26); - -var msg86 = msg("FSEE_AKPLUGIN_AVBASES_CORRUPTED", dup35); - -var part27 = match("MESSAGE#86:GNRL_EV_OBJECT_BLOCKED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{fld19}^^%{virusname}^^%{username}^^%{fld18}", processor_chain([ - dup1, - dup2, - dup7, - dup22, -])); - -var msg87 = msg("GNRL_EV_OBJECT_BLOCKED", part27); - -var part28 = match("MESSAGE#87:0000014d", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}", processor_chain([ - dup1, - dup2, - dup22, -])); - -var msg88 = msg("0000014d", part28); - -var part29 = match("MESSAGE#88:000003f7/0", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_description}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Event type:%{event_type->} Result: %{result->} %{p0}"); - -var part30 = match("MESSAGE#88:000003f7/1_0", "nwparser.p0", "Object: %{obj_name->} Object\\Path: %{url->} User:%{username}(%{privilege})%{p0}"); - -var part31 = match("MESSAGE#88:000003f7/1_1", "nwparser.p0", "User:%{username}(%{privilege})%{p0}"); - -var select18 = linear_select([ - part30, - part31, -]); - -var part32 = match("MESSAGE#88:000003f7/2", "nwparser.p0", "%{}Release date: %{fld23}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}"); - -var all7 = all_match({ - processors: [ - part29, - select18, - part32, - ], - on_success: processor_chain([ - dup1, - dup2, - dup22, - ]), -}); - -var msg89 = msg("000003f7", all7); - -var part33 = match("MESSAGE#89:FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^Object not quarantined. Reason: %{event_description}^^%{context}^^%{product}^^%{version}^^%{filename}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ - dup1, - dup2, - dup22, -])); - -var msg90 = msg("FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED", part33); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "000000cc": msg76, - "000000ce": msg59, - "000000d4": msg60, - "000000d5": msg61, - "000000d6": msg65, - "000000d8": msg62, - "000000da": msg63, - "000000db": msg64, - "000000de": msg66, - "000000e1": msg67, - "000000e2": msg77, - "0000012f": msg68, - "00000134": msg69, - "00000141": msg71, - "00000143": msg70, - "0000014d": msg88, - "00000353": msg72, - "00000354": msg73, - "000003f7": msg89, - "000003f8": msg85, - "000003fb": msg74, - "000003fd": msg75, - "00010009": msg20, - "00010013": msg21, - "00020006": msg22, - "00020007": msg23, - "00020008": msg24, - "00030006": msg25, - "00030015": msg26, - "00040007": msg27, - "00040008": msg28, - "FSEE_AKPLUGIN_AVBASES_CORRUPTED": msg86, - "FSEE_AKPLUGIN_CRITICAL_PATCHES_AVAILABLE": msg51, - "FSEE_AKPLUGIN_OBJECT_NOT_ISOLATED": msg90, - "FSEE_AKPLUGIN_OBJECT_NOT_PROCESSED": msg81, - "GNRL_EV_ATTACK_DETECTED": select14, - "GNRL_EV_LICENSE_EXPIRATION": msg83, - "GNRL_EV_OBJECT_BLOCKED": msg87, - "GNRL_EV_OBJECT_CURED": select10, - "GNRL_EV_OBJECT_DELETED": select12, - "GNRL_EV_OBJECT_NOTCURED": select11, - "GNRL_EV_SUSPICIOUS_OBJECT_FOUND": select9, - "GNRL_EV_VIRUS_FOUND": select13, - "GNRL_EV_VIRUS_OUTBREAK": msg40, - "HTTP": select17, - "KLAUD_EV_ADMGROUP_CHANGED": select7, - "KLAUD_EV_OBJECTMODIFY": select5, - "KLAUD_EV_SERVERCONNECT": select8, - "KLAUD_EV_TASK_STATE_CHANGED": select6, - "KLEVP_GroupTaskSyncState": select15, - "KLNAG_EV_DEVICE_ARRIVAL": msg49, - "KLNAG_EV_DEVICE_REMOVE": msg50, - "KLNAG_EV_INV_APP_INSTALLED": msg82, - "KLNAG_EV_INV_APP_UNINSTALLED": msg48, - "KLPRCI_TaskState": select16, - "KLSRV_EVENT_HOSTS_NEW_DETECTED": select2, - "KLSRV_EVENT_HOSTS_NOT_VISIBLE": msg3, - "KLSRV_EV_LICENSE_CHECK_90": msg47, - "KLSRV_EV_LICENSE_CHECK_MORE_110": msg58, - "KLSRV_EV_LICENSE_SRV_LIMITED_MODE": msg78, - "KLSRV_HOST_MOVED_WITH_RULE_EX": msg9, - "KLSRV_HOST_OUT_CONTROL": msg10, - "KLSRV_HOST_STATUS_CRITICAL": select4, - "KLSRV_HOST_STATUS_WARNING": select3, - "KLSRV_INVISIBLE_HOSTS_REMOVED": msg11, - "KLSRV_RUNTIME_ERROR": msg6, - "KLSRV_UPD_BASES_UPDATED": msg80, - "KSNPROXY_STARTED_CON_CHK_FAILED": msg84, - "KSNPROXY_STOPPED": msg79, - }), -]); - -var part34 = match("MESSAGE#51:HTTP:Object_Infected/0", "nwparser.payload", "%{fld11->} %{fld12->} %{fld13->} %{protocol->} %{p0}"); - -var part35 = match("MESSAGE#51:HTTP:Object_Infected/1_0", "nwparser.p0", "object %{p0}"); - -var part36 = match("MESSAGE#51:HTTP:Object_Infected/1_1", "nwparser.p0", "Object %{p0}"); - -var part37 = match("MESSAGE#51:HTTP:Object_Infected/3_0", "nwparser.p0", "Client's %{p0}"); - -var part38 = match("MESSAGE#51:HTTP:Object_Infected/3_1", "nwparser.p0", "client's %{p0}"); - -var part39 = match("MESSAGE#51:HTTP:Object_Infected/4", "nwparser.p0", "%{}address: %{hostip})"); - -var select19 = linear_select([ - dup13, - dup14, -]); - -var select20 = linear_select([ - dup15, - dup16, -]); - -var part40 = match("MESSAGE#0:KLSRV_EVENT_HOSTS_NEW_DETECTED:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ - dup1, - dup2, - dup22, -])); - -var part41 = match("MESSAGE#1:KLSRV_EVENT_HOSTS_NEW_DETECTED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ - dup1, - dup2, - dup22, -])); - -var part42 = match("MESSAGE#11:KLAUD_EV_OBJECTMODIFY:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ - dup5, - dup2, - dup22, -])); - -var part43 = match("MESSAGE#12:KLAUD_EV_OBJECTMODIFY", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{username}^^%{fld18}", processor_chain([ - dup5, - dup2, - dup22, -])); - -var part44 = match("MESSAGE#31:GNRL_EV_OBJECT_CURED", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{obj_name}^^%{fld17}^^%{virusname}", processor_chain([ - dup6, - dup2, - dup7, - dup22, -])); - -var part45 = match("MESSAGE#42:KLEVP_GroupTaskSyncState:01", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ - dup5, - dup2, - dup22, -])); - -var part46 = match("MESSAGE#43:KLEVP_GroupTaskSyncState", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}", processor_chain([ - dup5, - dup2, - dup22, -])); - -var part47 = match("MESSAGE#46:KLSRV_EV_LICENSE_CHECK_90", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}", processor_chain([ - dup5, - dup2, - dup22, -])); - -var part48 = match("MESSAGE#58:000000ce", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ - dup21, - dup2, - dup22, -])); - -var part49 = match("MESSAGE#63:000000db", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^%{fld16}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld21}^^%{fld22}", processor_chain([ - dup8, - dup2, - dup22, -])); - -var part50 = match("MESSAGE#77:KLSRV_EV_LICENSE_SRV_LIMITED_MODE", "nwparser.payload", "%{fld1}^^%{fld2->} %{fld3}.%{fld4}^^%{event_type}^^%{fld6}^^%{hostip}^^%{hostname}^^%{group_object}^^%{info}^^%{event_description}^^%{context}^^%{product}^^%{version}^^%{fld15}^^", processor_chain([ - dup1, - dup2, - dup22, -])); diff --git a/x-pack/filebeat/module/kaspersky/fields.go b/x-pack/filebeat/module/kaspersky/fields.go deleted file mode 100644 index 60034a8e98c..00000000000 --- a/x-pack/filebeat/module/kaspersky/fields.go +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package kaspersky - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "kaspersky", asset.ModuleFieldsPri, AssetKaspersky); err != nil { - panic(err) - } -} - -// AssetKaspersky returns asset data. -// This is the base64 encoded gzipped contents of module/kaspersky. -func AssetKaspersky() string { - return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb9+78pOUjW5tR8+ynVdXWzUFYpokIgwwBjCkmL/+Cg3McMjBUBIFUPK72w9bsUg2uhtAo3/3d+QK1q/JFTU1aHO1/gshllsBr8k/2j+RN9Ly7z5z3Zi/EFKCYZrXliv5mvzbXwghmx+TGQdRmslfSPiv1/i5+993RNIKXhMJdqX01YRLC3pGGUzc37uvEaKWoFeaW3hNrG76n9h1Da8duiuly97fS5jRRtgCl3xNZlQY2Pp4gHD7v/e0AqJmxC6gRYx0iJHVAjTgZ1bT2YwzsqCGTAEkUVMDegnlZECfNvQOxMy1aurbk7LL1M2yiLWkYou88dXH1o8tsVmkMvOtv+9fYXzDBrvyccGN+x7hhjQGSmIVYbS2TeC/pitSgTF07v5NLWGqAuOIVu7zHdCEvFVzcgpMlaDjhHhYfBepQ8lp4cISpC0caYkBB4Qzcz+w3CDPmZIWpDXufnBpLJW2RcNEcbS8OgTBktrdD4bYcY+TW4JQS1YLzhaEEgPGcCXJgltDKHkP9nduJRjT7v5kcDQ6Ys1CNaIkEpagyRS6c1dTbYC8A0sdapTMtKp6Sz19q+bmxQVlV2DNswH4U66BWbF+TmzAm5IP4IWFP+Gyh+YkykgBSxAHcFIouXs/tzh5CrUGRm3ApIQZl1ASJQWiZelUAKloHceqMvMi2YXZs8fvwj0/P/2BLKlowo3nJUjLZzycTrimzBKh5n6/9GAjkDruwIfTgt9z21FTbTlrBNX4+7Cxk9GTMQB90EmJnYwB5PGTMroly+Puycv/vyf798StmmdD7nd91fSPAgnZ3ZZHg92SHiL0sqOmwahGs0xv7/3Zluv+3w8zY6mFCqR9jMjRpuS2YILu3OFHgh5Iq9ePEbGF06keI2JcHoZYXo2plRyP96SVQA+RHnnZNgMoU9pQI3pNzM7sfbF1CzhsBnrIQEm4nxWxo4cMoN9gRYxzcce1ciQuyp5XJco+z64BmYnYRyIcvDP72DHU6kbyLw1s1Gjd0R/+tN42ak+UZO5xoFY9dst2RNwseV5x2OfuiVuGzzij/fv8Vs3J2RKkJZconEkjS9DOBNEQBNWA9Bm/hpIYsA7I1o+31zDjBku7CQPY9zZYuk0YgL7Tpgw9gen9S4cdzAFdd+DJ3XiwUCaTvto/l78qY/siUuyeSAOy5HLefmhix6bnQ/p6+MsPOWCDH40y9vxi+ROhZamdrBy77rvMHVBv1dfK3OWr3Ox99f8uex238suGXbngHWl9b1lJKJnzJcjOSfb1KgKORYf5L/JaIOVjVP6+jojGqEND1etCw5cMe90PHuIGI93TNXL5zC9NLvAiPQ/ebEvJx3UNhNGhBJkCAW4XoMmnc2l/eEWUJr8IRe2PL8mUGjxFbYBsxueNRtXvBroPUXe/YroxDJrP+EzgX3C/nqtcbrZ91nG78lfvYFB6RXWZTanrSbQe2X1Onl983tL3KNEg6O6WEmLWxkIVHtGAtoO2AH9SjWee+7fSfM4lFe1vtrWVG/iQS//akxhxfvH5VYQFAf0BJ+7Pgg6jIZdTvD6bgzpUHA99fRZAS9BHiV3/ikuR89P7REk9vv1gKYI5LFb6qJ1sghXZ/Wy0VbTON4oWXhRnupwoIYBZpb9GAey49wA5N+7McUOYZx2UDtMtRfWt2lVbyB5GP0KLr2LTx6KqVspgslulJJmuB5tGiIYvDRjrABpe1WId9sl92Ql6ApQtiOElkKffE7vQDXn588/PyIoaYgBkt8oeTjwK5fUWnDC1kgbysYJ9NaeCqUbazqfQVFMv9NxVNlEI5CmdqiX0mMFlNLOyFW/GaqDV6P1hX82xeWBWQcmbXT0tBaO+iWmOnWOBzwi3/2xefv/DX40X6S9qFKAt0v8cUPNPZw++pWvQ5CU5k4zWphE+suJMyjvJ9Rj0ewY/IrmVsVV+fEn+1ZH7nPz4I/lXwpR2+jJSERZ9Tv67sP/TfZEbss2Ub6JbKFUJj9bWlSsoGBViStlVXg3YIyeVxWtDrbcrHBNBlrXi0qJpYiGe4IyHowCtVab8tI0+aGpgnArEGDE1VmmnWcu11zrcB0sqeOkPRgwpQmaqkaV7YQQg8lzOg3J0Y/Li9o0YQE4RCwzXYU/YaGQX1kLR8rG8cwEdYvifQCqwmrOI1RFM4f6X0Rb2z30rhN2zT+1Go1Wzdtsm5Fe1clsztDm5JEo7Y8wqcgVQ38C0R/HifSVM04qBMcWSl0WZK+p61kqeOUjQ1OIlLx0He3bhkmvbUOGM9i3fu4y4OHjFndmNsXJkhqciXPXzU6KdtDboUEGmUT0H233tRk4YnSnp6cE54TPh9nNCZwkFDQX/+Wnre/0AlbJALsN5ZxrwoZ2uxwSl+18biPkKAi9hpcLUgufMbHjU5rzhA7X/UehmTuZmPO9469wbEM56e+paqyU8If81IoxevMy4eIAYvVvVGUcXJ28ugu7LqHTs4VWt9K7GS/CJ/OrSIJrH4f745J8qNMTRdI+5UrdN+Wbzk43B7vUctMwn5OXPr8gK+V4BlYQKEfcVoFMf1aSN/4isQIMHSy0RQI0lSu6Ui2wz8cHVxK+biZG7miNsG3j3u9IlMg6zmoAtpBJqvt4NxM24HmixhPxM2IJqyqxnorvUa8QfneaSNDLk9Igtn/loRW3qgm4fqM8ZRNgTu0SLonJKppJtGEHT1ahMQ8m6o1ZShhqrj1HI4HNQjDW6hWgslSXVJZFKV1TwP2P5vUpXUf6UIcvhYBapZjp4ku7EpA3WHTIvBJ8BUhwx8A0wJcsRBXuz3YWxOf0sewjikqmqFmCjB2DUiUpRgbea74jBXr2Ztg90kC/d2tHjPHaUt0/m6PGrlLSLRNu0qU9NlfOyyXIqH4jxZ7LMwXYH8k8lc3db2CMW3eqtiunTaz/ucnggorLd6DfEwrUNl48sQZteOUW5Lw8ssr/3PWxroKnI3JTpMaVLKPO9gyHJJjxTplux1THaTJvui/34+vC10qqaINQGi/INA0k1V16trxph+XeWgya0rkVb/bLpZVNRSeex0lxCBIZ3WnvRI+VxNYTbJ4aolfSRMUuretczGDB2qzkUh7fPGsIW3Fk3qgQzIe8aY9FM6gN1t5LakbxcauHATdorwGYzh/cSjqEJ4Sa3C3reaZiBBsn8gaBOtS75kpdOs8HzEBdkl60g+7jDvDiR1zXXR6Nws58+FnTtTiK3Yu2JNU7oOX3NIYUHdL9vNOGmj7pwnjtp3MmzyWDJLp1MNaklUDVQ5O4LseN/6quCGuSXBpqjHSV3uv0p2sjHFTUEkShHzg0i90NqpiZUCrYYmkGmzSub4fWdVzlwrYsMqNZFDu25TimKtoG+TA41g67Ue0UexoTcMR+jb8zgubzTm3Oo2LxJrh0SLNg8EDvdEFI7gigbKPEpFGvTiNxhpxErSjWWqQpeeBw64wWzstVscEKoDCzYMiBHDggsQXObs3RkD2Ht6qEIsBfZ2efyyVu8OOgd6F/prtLFQcO4Uw2Mz/jG8Ilrtz6YM9ZTJejK+bOZIhvQuRh5uSmYaF1UZQiyRPEOZvOxNuHztpXetwSVJr9dhtRYbtqEgF2/Gq7f7tBYlaSpleEJBcetzhaa07L0HaYwlb+9u6NdeBphi3yti+4oimRTgebsrrIoStsRqtj2ENavZOtuhhdL/n4PSFuCLJUOCbN7KVPTPx6ge00b2lXTP4DF7WiHWP5a8AG7nQTdj5iX9Dl71X0zvJCh6j+ImeDlWtAut1gqSyhZhI4X8QRaoeZFm6jyIEK9PYh3FurH6JmyJfv+julW2LUaxUdc8VeCs3Xu27NHLlwgAqG5thTrEbnciJx503EGfmgEIGJxcaqkhevcGmuH0Ln0/rpNP1Ralsb9Hz6qVLQIxRrA3PA4swWVcygkrHLLgrHAJax6oX5UQqzVfNpY6EmIYY6+8ag7bb3//MVFh6lpMmHXcU7wbG0r9zENDcHd/CKPTF9/ixi3WAHmGNY2HDSbnC+9BD0hl+A3pTGgJ3QO2Mo7ZLrPlG5xGMBuwXi9neHvif99r2+F0mSq1cp91v416Jre7BrtJ31eXlBtU7vpOsCpPSrhTqlBdeix7pQSZac25rpSqoYQUMz1Fr+RhArQtssu0ptFw998eCuIj14TAExCiijMJZFKfqehBrRk9mU/oNlwzCeHNVq7C9PZK7iTqMe94D7C1oZ/BpStuF0EZdnLenKKC06x2kQSJb+bK/ffe14CVFKKiOKYkW7aCwa+QAQckmpGnHSwHMyEXG5kyu5gg35lVR6MT3w5X2OcEeNLRn2yTRnEb2A8JUw0xrYHMvxjsE34E27cToaa6ODfcIovfjquAh1d+/E3LG7R+7ZM+ZSyJzcZXg7LU8SCUGMU4+gvdbsRtSdxw97yK3hNKKkXa8MZFaTk5uo5qTXORHlOwLIncUWZanpI7eUdH3pfZ6NpBRa0ITU12MXLYCMH34uAqapyUkxtBe2HpTVg2V51z78HD6Xx9fYww8PkxTdTVd0M72CGbaNkxWWpViGflinJoLbPu0yKUWYMyJw1QqzJl4YK7/wsVUW5DFJD9hYSauTp6ns9U6lLe0h3KuFbLq+gDLVAbSI6NeidCgaK++SbDrUJL/dtnBh0hcgq6vqTnbxbYheBFr3fLh8Kr9/q4Hkll8N2PV3QGXTFdwc75XaxhjURW3/+92vaPybWtGdc5L/jHcm/4GrdNdZQNgxIGzmCuLvNgOZUFJHXNNsjcolLtmrz7vvYewDdCzPqFwB2ZQ5qOZDCYxxWdw/dgppFd0OdWhipMmzYwmf+tjU2XZnhSQtpp0WYI6RbZmI0c7/q/j2sNCVOnkvCMeeukUwA1e5P2Ahvg1ooIAzeTt0Wdt4cffDCrxn2eXrULxZT1ZTLrm92/8EKZaP6Dq/XkuvGHNvT19dGlmF04RC1MOTsGAHSyJU48av7nozjnlJvwWV3jXfs817m81Py3kuap6FxA/HT9kLRr8PtWVyv9g7oh/Dl99zP56fI0lDy1omJofdgOyLn0wA9CRN/iJwsWHETN1KXZp2zl/12VDcUaHt1Ya8fW3rj+4inxrH+pFuYnJ/eqMmm8s/doMk6xF7KcqPRTsiJr88M/U6F/2C/NosI6u1v/PBNcMdNG9tVbirbPUaNFGA8Z5R/UFaKLKnmdCoGVYC+KQOXpBZ0RBAYkCZrf5StDe2rqn7liZNUTsNo6wu52+fLF+cXuzo0CS1jvUdhrC77wIGCt66F3ERaPJLkXFpyyeeSorAYOaK10jmb1z4ZyC93SC9a3U1hV0f8T4dI7y7jKStV5OC8/+0j4ZKJpgQnzsIgW/fzCXl6dk2rWsBrcuEdIh4sSu9J3C+CkbmjxzbRObV5WuKYcXPlVO4D8LpDKV7Pjfk+PA0fuLnaE3K1ms/noPONsIuz7HM/FhBwQO10ocEslCjd6fG2+sik0a3Q+xE8C8PYe5DKTz94HeNZ14zj/DReRnLr6DxTVV0cOe8KdyXkXuEYV+/fM830O4eOklifOsNxM6ps2JiVFtTSB8oa62PeSUulsfOAk+stfiNT4qguV1Q/TIbesKu+k640PESOiJHWyE+dEKXkHWVtP+W4cutE0FHtGCW/axVUvV8KeVsz+VBrDdQkzw02ltomleLc+aMoFw9mdrjFp+qa8PLF+PvlXtbmGBg6jD4NGh/7u+CwiF/d9h3LPH1vcMhPh3P3DnnOuFRNqhhnr47EzJPfKSdJUzodBh7ZnxIDzt2ZcetIvBHCyT1iGsbAmFkjyJlbnzBVgnFHom32G7csuCzhOjEDBDf2MM3znrIFF0ZTTLdITEFjfLOimgvM4Il48Hz8Xc4JRSZ+534bpUxmOIdq6psLPZBGHFYnT7t8zhq0qUPRrZcwA5YFFWGTEN92eHo2UmTo3VzD9zh3QolXvrokr+Cr8t92H1IuDSnBUi4iToapamzvdyOkKXH03MzWY0u7PDbEY/whtVDVIls2zxtSwoyGEFDofNnG8EO2ptOKl6AFXWMhl1XhcSVPIzfSfYBWd/g1zNoqcO+rN5bbBhszkihhG9tg2LDpvtc1aRSr599hNDWmGWQVU1Xl7lOeY3TioRPeS/attVry0vvP2i5yFZjRRKhSscMDjXf3lv3CxUZrZP28vLhqcF1j0tPDyPp29byy/g81PdDvdDB5/1tNQwAmfrtqnq9x7ikmFPudv7w4J+cDhaqPRrautaG6ZD8GCQu7umrYeVJD+i7+sJBbHVfuvYgopqrMXfE1qLjbVToCLsThMqIeLdJ3S/AhgyNUnvdcwKF02CfQdvEQPudlF8oZceJVqa3GQRl4gpc/nZLX0V03OZ+pdrr3xSffPacNRGGyxjWwpu9F8KlfU4iVt7ZdmPYlbhzBERL1ipfbDpGuupIuKRd0GMggnSucYH3lDLQembTg79Ahvv50cbdgrFShAZQPwA5ICukGhs8nIxKRV8W0Kct1cv8Mr4qkdUA9uI2Bwxqd7/VSpYeouUrY5WCnxK4wzTEKErjpZ6/6nqu0KbntKus2fdECRrHBdpuKDS9KNuGF/UT6LLHUHFwezSo/+XxGnoZaic+NcLrylAss4MA8sLPrWhn3zWfku6GjQe5GYa6kWsktQ8gAa7CZxXIb+sikTUaP4ILbTQs9aavc34fSpLcwp2xNPo2aa4JPNX2Iovyw8BaLuSQV5XKmaQV70zFqqnFqb/4+CVvK5QUuS96r0idHb9oC9rLOIkiRG7QvTBVwjMhlIW33jXsPK/JrI9GUfKdKEOQpl8vJt88JV+w5mbr/A/d/VFKxNtxMvo3HFy2ri5mgg8n5qXWobQ3/5ILgoujrQjm5bodfqdneRg1WZcXU/3Ua8GzbIBjQ7iBHEVpWaeXuDmaf3/1ONZCPPgH4228/v/v9zYezb7/1ObdLqikfPZMrpa9SlizfeMF+bxfsR9hGnWBUplYiQs1O2i4l3XNAmXsu1hlMmJnSIA1nKQVIz5WUAeMqvRckEh9IBbRYUT4cTnxv7wD2Pk8N1F2f1CXqpplmuhR2WhqrU1e+Y712NodY/y1N9o62NR/5nKSHFrtsBoMNVJpQbLKpewn1Lg7EjI86mlpSszliDyU12o0oQuZueU9cKB/cT/DujguHfND/PwxX3ajMfvLfgxyxsuejD4jsRfJBDkcbx92Hn1JHSNra2tmeXfrUdhntbZYd9sl8hm63wcm9OTLdtqzmx4iHYdHXjHLheN02c7kIMuP8tF/bhp24nDloYR5pYTCeVdjmXBdORTyAnkMSrzHdOlQfnaiqauSuJ2qAnTyscdN9sXsP1/bvENepO9zMYZr1fXG7pLL8dxWPmm1ws9TyQyTDvbEbLryFnGlMzRlXybJEj2XBI/YrquUw6PDYUTeyqguVSxhfvn93QX7zftRNUmockS9HTSW4/I+35EsDeqR3ayNkoWG3U2fe5IaeQ3RNPrRFZ9G0rk5LZwkf0j5QlXqMgANaH+Q4ugmqjQTH7g23TD+ggQqqqwy75cBmcC/QOmEBcge0KZNNpd2Cmbbb1RboktpdrfC+cKcg2aKiOlVZSQd3XdPB+OJ7R58oG6RTJYFZLJKfBQaztAVUHeDZHFstZQCrpn9kgFrT5JMwfMep5McLg+4FT/3ghM5tFTjVMznSsqAMB6OkLz9xsI1MaLz3AE/n9fIneW0Xyd93JgtmdVGapH3Xe9Ad5MMiT7cAvBQ0ucSQBcg5lwmLIoegc+RGy2JWmBW3LLn8kMVMqJWhVfrclT5saZf5oGeIujBZcJlTnHBZg66m62QJ7wPYNbvKA3xJRY6zwuui1sqqIn1ICqEvfyrQ45getsh2N4WaF2UOZjvA6fPfmCwqel1Ym8ptsA3YnWgBGR6FistMSHOZD+lamEJMRZE6LLoF+/uMwJN3Bu/BTt0LsQ87dVVvH/bPGWG/ygj7XzLC/h8ZYf81D2yrakGnkEOkdNDTm2eyqBqByvd0neGdbIHXVxn0kqoRfF7VebRvp2VSMU+dhBQg8xxKiYEvLL1vRBbGJyRm2EGjWR5r0gHOY02atWnqDLNImezKqrOYqlZZZ3rAdQYRYpV1hlku2GjWZAHeSH4tqVQGWIZDuHzluJLpUVi+UrVdAC0zuNVUVRdMZPBhO8AZgiQIV0/XNr1b1EE2WSDXTZEhpsE0t5xRkaGAyBR0DpKtE2Zd9WFLKtZ/QjnNgfeywDagWSD7djB5sPaJtVmgT+f18lUeH7Qpptz+NUujMWaKtLPidgBrlVxUmyzXHKEC0+mr3Iz38SebtdUDDHbh/fzpnSMeOKp9WYD7bvLpOsj1YM+4gBw2jClmOTaRz1IWZ28DzqEbmILXmKRYZBF1vF7+VBpbD5r5J4JtNMsCW/AZ5DBjDDqaKyh5soLRbdhc5jkllSobAYapHNwOwPk8g2xStVlRm3Tmfw96LIM8CWANc26spuk9IRvYGTQ+DXUuVutsvDbYiVxnkq8+M98f8QzQrQZaZVAkfSlQLrTzKderheKm8BNm00NfU02zHPBypBA2BeSln2+fGi43lsrkc45LY6eNTjUssIUKflZQDqhNclzT69FtTXJqsDi5YZZ+2PWhnQb2wZzTskx9B3iZOqzatg7K8BbxqmBaqSpLVyIHOIOZxqsiT3Jk6HiUg831VfL2TLVJ37KU16bWPDFQQS23TfLsM8ElpGuxs4Fqkk7U6eBi8W16t5ZQvutpMRMq+XPeAc+Q8u9s3uRSxwHNIHGcDZ0B1eS5CULNsxxdOc9ygWulUwuwatrMc1yzihuWQyxUJsuBzTEHQoLF5krJ4SaX4b4BdOqMPw81dTqeXK1SWyBZKsqUHwCd3BJV6TUjpfm8iMzjujfclQSd/s2qCz+UNznYpJOpN2D9iNcshyxD4WaYiZNaGASwqaVBXXhHUnJ0qTHuw4ItUtX5D0DDdc2TBwJq0NVcU2kHPXdTQF5lAZz+6fWdyD592pkCmgCwVvOCmjrhwIA+aE1TQ9VARQ79TgNDPviuo5mAp2eyg5y2hWsPstJlBozTOzJNBt+w8b7hDPkABlInAviBxxmMEwNf0h+AWIPWZFAzmFKGzzMIXlOn9rIZzXLcA83K5Iq00SzWFTcBYJtuxFYfZmOSd9VcMpm6UCI6Lfa+QH2TztTk27lNf6w80PQRvW6mZ2q46zp5t9amnGbJQ2+0yPAWNgZ0UfLUVe9Zxla0kaEcbLDMWFql9gYvCy6NpbMMmsGSa5tDDV/WMkPrJqt0I1O6WWNt0SIdRd80VpEPjSSDpbvskYzD8j5TwUtyoqHklpxQXYZuhgbbv8fR8ZOzMnJpbEIogsEh+gT7GzAlSKxUp8uH4DIf586qWqg1DAYL3si/mWqSNfW+5RlzPPQ+I5x3pmEO16Siu40WNrFYOW92h4FkR1Jwg8MZ2tXD1mMDJWKaulbakmHjUUJWC2oJt6TWMBs7CvdIy73LEIoY44PV0aFAuAyd3Uf6Qgsuc0/k76HqVuvjaYhVc7AL0JPN981CNYMXjRAJS9DdOCKrSE21AfIOLMWJ4P6u0o4FT9+quXlx4cten5HTMOLrObGLyJQibAb8AcLoY0Rbkvdgf+dWgonv8/BQZ2HeDEd2d7cIF/fEGqCaLSZc8ih+OHP3CP21d8QnzsLAZIgXgjYSZ/3OG5zj2jZxjzdw3+nXvoem/O24O5q6JtxhfvGIse82okhY03S7zqu4LPkI1xZvxZi74BjTqEcE0mZw3XucUC3FyMRL7J6bcRw49s81YImGLw0Yu6dp9+HZynfvle9VBhzL41f1EnvXI9XlnW67U/bh5DHC2NjW37FDu3kdpTzl7P+b5xu6xc5PW6GAa8fPBloN6ZJ473iE3eMypQaIT9fusCGDW9XtUvjFw+Aru1HwHeZK+/b1UTYSQg0xADjujO6fV6WpNJQdYbzvoMO0X1qi2rs5NKzROAFtH9I16Ip7deNYSG+W9IM5+JILmAMRsARBqDF8Lv3Gbeb1x48+tmR+QPmN6+856dMHmfTsMGsk/9LA7phEGr98PXwP65h42BSUVqPhpb+QTEkJmFtBVtwuxgQFIZHKkE5j13BQedGdTQvHTpQn3RMl1JwzKojDYMT0QSweFjtcamRM48Pxrl6sTRy9XjrbSu1ktaZ+4Kng1BQLld0m8EZcZ67hLJXNUCMnFfsjeOL9AIi/NA5bfNPCIBYmgOrJG2GUM8S37tspBsvJr+EXE/JGrrt/DaBbtOWNtISWE6aqurGg42I4ixvfEZbPPPtmdy9wxuLWhnD7z+bl9z/81dm+p73taDn2TRTtcE6LtBGz2zpu6Bo0+ZfOJ2deBDQQufitT13/k//Myw3OW6d+734cmLx8k2x7sjswxa0zIe9/+3jmaAcN3nmC/tKSG6ahppKtnVYZ1DOxmwtCkEPPycd3r8m5tD++fE7O35+e/edr8ulc2lc/kaerxZpI4HYBmrCFMmFUmtIamMVv/fDqf/23Z0+iHAG7yCjjdvmBMnVS0fg4HpP59N3xml/6s3jeIhW/4uXjQrovm27A/MCGcbd+4GP47iimG+vkM9e2oYK8ffM+iuyfSkI+X9ZhJ+P/KAmTOG8dul+NCEVCbhaeuAWP8Q3esw9zamFFH2BEOp7uC/KmLDX6af0pj6HTPb2sqg+Nc943FnJ+8u7Cv0qj4bGKmiNGP7acSl5TDW83Ob9wqIx4vxwPD5wEkYSHbu1xHraaWOGnax1XQPTQpWXJ3Zep2ARse7P84+/cEQ+AMwnxgqtww0+3j8AAlU2udRa97rZPGiXvA4YXSttOJA+EbokBNtwAbtc3S15zZN57erict49JS9a7McZLiNmNx/LiBuzQ8qXGKMadyun9RgMdhzi5rKmcw6QznZiSMz5vNJRkukaYIEvMGorLmfrA1gODotERbTm66CxDvwORUPfvl3AldwBoqJSFImR2p88zSs/aUpqCFj4VPwPo2uo8wGcZjsQsQ7WwyHEdcvU/qTMwlZZF64nLp5bvWvCOjsnuan1nwgNosGd2AVqCJR/XNTwnn9pn7C06wH4kF60DbPAS/DamqbWjeo6gTIyYxi3SwS/+nFAhospEvfkiJrhRjYl5S9DuDeTSKmIsPuZckk/nowKFYYJsNnmVXGQ7oKrOMPbNAdZgUmf0OrAZSlz8i5g6FR397Rmw9aMVCgFynnxSJOLslI+MWuiIBupVHip6ARhJGKYTzAglvyi9oroczukm5M0ck700oe7GX2Mu3RTsCkDGVc/EXRPvGuNWlop+qM4jQ7BlPGZGDCjkMuS5YlpCxa0TS2HERpzEpaDyGHH8Wzgo2wSRnotyQOC2y3ITSVk6C3aOBuz2y5M6UgkMuxAs0/WDu13EnmrLWSOoJtgvmrRIPD27fv1WzdVsFp/+DqywC8i+vVvIfnQL+tvYw/vM4e3QfdPYBUgbksVH0TZNys4Jt0vo8UuOo/7JgB5FWDWWqeNyOiw5jvBlwxgYM4Izdh4/rDnaYYkniBdxKu5c6TWJFCYMcDuGcNrCEXZwdFIJA3ymVtK9K05uxZTD7odkoChtU7VM149u5N2kxHctxZoBwaHs6Al+mB19mEtiuG0i8pNgcQEEER2gLqghtFS1e13sArgmaiU3W+YZZ+m1kqoayavFmRyG+xb1x1UinHLPZenkj9KmYwAlv3AB5E1AbDJgw22cvbIjzN/J0YTxjv4HSVcYZcFlyFpIy4UYjRFGpKx3vwcjfL7eZajXSM2J8YTQqcpZPRAhfgoLuuSqQe2SqarWquIjGYpwbOTOJJ0KLCKbkZP9uHG57MRORiR3MdzSOkkUgS0Mkw6XOQDByPodfrl3t/fKbu7b6LHblFk20u6Ws6XW6EssAy/YIWb9rbQgfI/nIEFz1pKEDMFEv93UAm4X+NTGZruRgOyE/TAxVo8HP1uaDmm79WA0vdxPU1Av/FoZ6Yqapp0RbnkFxsl1r+1pqGE0iBR2IVlTiBs3AhsP3nMb9C2P1iG9ux/saP14O5p+KEyyIae3Ji04jG+icEAbUrwRCLcQBl8vdS9vpE4fde/8RUtCm75555L1Uj2OALlBjncC5Os9jj/evGWpRhscZ8tuJx/1USVIyjt2C/lx1OOYkrbBYeyUeixB2/FTJ6/caeyiqMAu1ANESeiWJ5l4NMLXRjcceylpldXrtCeq80GJ4K91iOw5l5k8If85+fn778nTt6dvLp6RU24sl/OGmwWUWAofxUWoucreF2hfJAyzZWcej7DN+MWRjDGtMnsV99V/ul2NYdDdGPTIJxv6fJfrwjDtv6v77Tn+EKdYzJTKWJv0TaYYFam60+0Q8oGWvDF+BaI0MbzigmovnpzYdHeI4bseL6/Ce254ecxOI/1M+U/uILRexJ2+mJtLnq/O4o3cd9cxrBEqDXv+3+Akwk8GZyE4bqBXllHGXZlK50wMGIRskNVKz6nkf+7Jqpb5jsJtmX0Ap/tnaoTdM66jtaSZuv784pbD18K3+PK9i7aymn8FKuyCUQ2k1lCqiksaLbjriacLajlIa25Mjxf0mNS+pQ9KrG/9CHWmg+uuzhMnuGqqLTZD2pC6X6wesdlREDa3kagzKEFTC2WRLKlsz/lwwueXdsUueHah1ZKXXfOw8D1a1yJoqoODEZr/uGdtW6eNKzgbInl5JCq7JUOvP7seITM6PBQzJ5fcR88Xu4r7SAu4TulMORT8rponXKPO1PtRrxJ6HiHU66iosVJDjFXaS3wHrQJLcbUn+K2J+9aTOPUVL0sBx5Ny73C928q5yPb25N5Bcq4dj3Ecci/Car0OQ3LdRmefk1pQt2XufVaagGR6XY95+TEV8gj25C0y6HRnW/6qjCXvKFtwOWLSlTST5Phml9efJGb61xqc+HD6kW9yZibkbUlr8hn/4fWjUklfd/rP4eNJFnQJTnMSQDX50oBeE+xBaGolDbQaVbw41dFb4G+OIy9DDzzmIGvedoGUnnzfl28cz5akI6C6OUAfQnPU22KKU57yOsx2z3jbWnqriZGzDcPDyw3RjZRRO9Y8714eH3n2baRGauwCxCJYmPk3gpIVl6VaGWJqYHzGmfvkeaxOMOTJDi+II8/ju8m5IU+xIyxItnmGMHT5rMct0kh8x9/CnLI1+WS2G992Edhqt5A2eXatW+EIBvvIa983tRAVrFXDQ+ZexAHHuz4Aker/rUpTLOcZsm+b7PwK9Vh3Xq9eRyhGCqMHLfzmAGKPk9c7RmrI8A2u91bWnSHp411Ah9Qcx2HXBQy292aTkOm3YbBD8YYUNxc/Y9lAypGAoxVuSHIJMy6Drx6FE3b1q2g90nQQsTuoUCwTbhsHzI76l1owdj7b3LSHXkojvSk7H7a1lC2qI7fA36yKDCcD66i/HVmGvEy5TDdBLOndcCRjUWHexzMipPplO7gtvo32prw/MrVzgHXet+8GrGuq2zPl/vx8Q8pqwQet1Im7Hc6W9cnvtyLPJp9Z4ttaKL3Ot+F/MzWV/3Zjx5gWke0u6q16HnuaHFv+9gKh30Dbg6lEA6rafuv7qRo9BQVIq1V9iOgoVTMdOBdudcbDms7ahhvKERBHX91x3Ht4oqqaynV3H/Ha4Th9b68sQbtnqOBypuJKATVXuWuEbpAfO1Zki9kK8nZFn33JlSPwSyPEmvxHQwWfcSjJKdY9e+dgFJUVTAum1BV/oKD77zAlfv2N/UzFmDafvNvsJhxeNxZV7gNHmN581z90S4QpO8Ed7X3yE/JxXXvSN54Dxxy/g+Obp2FWJG0mu4O2w8E7IvQTE2tbu4vMMVx1nXK5jZ33LNZKt95+DDF/eDuy5b1eOYmPU8uLOu8coj2scCvf6Llv0dRKZdJEtpFy67j9IDW1cdckkwU1KaP9PcA6lNMnhtxokXCbe1AT7kpnjBaNTuUN6cE0oAs6T2dTbkAnf562QSdNf9wGHU59BsEC1xYkqlbpjRMHP9lp7hS9hYadVJnUGpVf4hi1hFsy9yMui+rVi/DfJwGFF+E/Ql5TzO1PBeh4dl4g5wGj556YfvAcPa69UWsDcsowEM2ZVFzOQOuRuOuQ7qPQ1Vf8b2R91D17BCTbvsSz3jZErhSGtVXWKxVZ4mjH78zH7d2x+4gZxLr/p3/AMEFrfOAnrxegj+OPcDp7yHh6eoKjH5+RE1w/jhpoe6RmKSN8PgEdhn/CVhbmnua8kDV03GNkb8Pdok9Mr1P03p3mfx7qlbx7a5T4bpNL/mfcW8OvMsmU83+cEQlzZbnfwHpBzcgEKMOO3Vaot5V+8fHhgm6rs02AGiS47JyxtnF6W38TT0gxfH6Miort/kbd1MOPo4OWnTThxjTJlU6EjMlS+bx194uhIIagdVYf6GBT+tLzzC1OLjE4vU86HSVDousMHqLITy8xtXP/Y9STnocheXfpuQfHcRFqjCiWOV/03ZBqcGRHkSkLd/Rok7xNo8kFmF9BsKgzNTf4ZjOupP8goWz9iRiM1ylNzi/f/OPdBblw7xT5TY5MX9lgm6mS+hBsP65UHFsUQ2wB7Moc5ES+nRDO24MsNnSu69fZtQjDNNAwgnAjBfdouaD5oCnkAyi5Ho+uK8io0YA4W2qbo0347GO5pIKX/iBGkNgVhEfrar1PECLHrmBtdsV2opPfJpAmhr2wtjYFxxm0WUDjVuZgCKOP4DbxuWwrX5Tmdn3DjWKqqrL2ibsl3h6P4BCKl+CvuAaxa2mmdrGsBJWFMQ818Nat7GX474HatkYriq0vNS5qxY+RVh1D2GNAEANEKm4NIFvZgko5aJyRu91UWBURGYnZHqltc/ewhJmHv7998z68ey92lu8eFKv0ru8/ec82bq6KpRJNLga8aec4yzDnppuM3Y7zbSS3hjz1SJhn2K0DC3vbibo74AkiHaVGNJmk2duA6yfJbUgXmGwXHSxBY6bArBGEKcmgts5QvvR7ONJeYbXKKX09453B3o7QdojWSluiHH9//fc3sRTcKNtTnzul58dPsNwtMNhysU6pb3YSbRTz97PfLs4vyDt6XXFZdmO949vqaDt6GubWEMURsgIZA+r2kdWpT/GSxeTp2b7KsZgdr2DzoYvwW5Kzqx1bzrIglc9PQ5fegMVeDMXxNuWBewW0FFf/5euGu8IcWQ41ydS3G/0lzoR+oOzGMK4arfguqFv54t7nxDSRFHVqyN+M1UrO/20qKLsS3Fgo//Yi/O159ymXM2Dxj2Zcw4qKqCJDp6L3G0JlSYwiI8dSw5wbq9fOsj+msKipXYRm/R0OZBeHAZLolDoWmr4Q2tdrMaV7Xcg7fbLDHKTV67/83wAAAP//mfi+qw==" -} diff --git a/x-pack/filebeat/module/microsoft/_meta/config.yml b/x-pack/filebeat/module/microsoft/_meta/config.yml index ef13fce514e..8e793bd2f9c 100644 --- a/x-pack/filebeat/module/microsoft/_meta/config.yml +++ b/x-pack/filebeat/module/microsoft/_meta/config.yml @@ -1,4 +1,18 @@ - module: microsoft + # ATP configuration + defender_atp: + enabled: true + # How often the API should be polled + #var.interval: 5m + + # Oauth Client ID + #var.oauth2.client.id: "" + + # Oauth Client Secret + #var.oauth2.client.secret: "" + + # Oauth Token URL, should include the tenant ID + #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" dhcp: enabled: true diff --git a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc index 5819117e04b..8a3facdc259 100644 --- a/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/microsoft/_meta/docs.asciidoc @@ -1,22 +1,130 @@ [role="xpack"] :modulename: microsoft -:has-dashboards: false +:has-dashboards: true == Microsoft module -experimental[] +This is a module for ingesting data from the different Microsoft Products. Currently supports these filesets: + +- `defender_atp` fileset: Supports Microsoft Defender ATP +- `dhcp` fileset: Supports Microsoft DHCP logs -This is a module for receiving Microsoft DHCP logs over Syslog or a file. +include::../include/what-happens.asciidoc[] include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] -:fileset_ex: dhcp +:fileset_ex: defender_atp include::../include/config-option-intro.asciidoc[] +[float] +==== `defender_atp` fileset settings + +beta[] + +To allow the filebeat module to ingest data from the Microsoft Defender API, you would need to create a new application on your Azure domain. + +The procedure to create an application is found on the below link: + +https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp[Create a new Azure Application] + +When giving the application the API permissions described in the documentation (Windows Defender ATP Alert.Read.All) it will only grant access to read alerts from ATP and nothing else in the Azure Domain. + +After the application has been created, it should contain 3 values that you need to apply to the module configuration. + +These values are: + +- Client ID +- Client Secret +- Tenant ID + +Example config: + +[source,yaml] +---- +- module: microsoft + defender_atp: + enabled: true + var.oauth2.client.id: "123abc-879546asd-349587-ad64508" + var.oauth2.client.secret: "980453~-Sg99gedf" + var.oauth2.token_url: "https://login.microsoftonline.com/INSERT-TENANT-ID/oauth2/token" +---- + +*`var.oauth2.client.id`*:: + +This is the client ID related to creating a new application on Azure. + +*`var.oauth2.client.secret`*:: + +The secret related to the client ID. + +*`var.oauth2.token_url`*:: + +A predefined URL towards the Oauth2 service for Microsoft. The URL should always be the same with the exception of the Tenant ID that needs to be added to the full URL. + +[float] +==== Defender ATP ECS fields + +This is a list of Defender ATP fields that are mapped to ECS. + +[options="header"] +|====================================================================== +| Defender ATP Fields | ECS Fields | +| alertCreationTime | @timestamp | +| aadTenantId | cloud.account.id | +| category | threat.technique.name | +| computerDnsName | host.hostname | +| description | rule.description | +| detectionSource | observer.name | +| evidence.fileName | file.name | +| evidence.filePath | file.path | +| evidence.processId | process.pid | +| evidence.processCommandLine | process.command_line | +| evidence.processCreationTime | process.start | +| evidence.parentProcessId | process.parent.pid | +| evidence.parentProcessCreationTime | process.parent.start | +| evidence.sha1 | file.hash.sha1 | +| evidence.sha256 | file.hash.sha256 | +| evidence.url | url.full | +| firstEventTime | event.start | +| id | event.id | +| lastEventTime | event.end | +| machineId | cloud.instance.id | +| relatedUser.userName | host.user.name | +| relatedUser.domainName | host.user.domain | +| title | message | +| severity | event.severity | +|====================================================================== + +:has-dashboards!: + +[float] +=== Dashboards + +This module comes with a sample dashboard for Defender ATP. + +[role="screenshot"] +image::./images/filebeat-defender-atp-overview.png[] + +The best way to view Defender ATP events and alert data is in the SIEM. + +[role="screenshot"] +image::./images/siem-alerts-cs.jpg[] + +[float] +For alerts, go to Detections -> External alerts. + +[role="screenshot"] +image::./images/siem-events-cs.jpg[] + +[float] +And for all other Defender ATP event types, go to Host -> Events. + +:fileset_ex: dhcp + [float] ==== `dhcp` fileset settings @@ -24,6 +132,8 @@ experimental[] NOTE: This was converted from RSA NetWitness log parser XML "msdhcp" device revision 99. +include::../include/var-paths.asciidoc[] + *`var.input`*:: The input from which messages are read. One of `file`, `tcp` or `udp`. @@ -51,7 +161,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/microsoft/_meta/fields.yml b/x-pack/filebeat/module/microsoft/_meta/fields.yml index 9b510450005..fcc100e25bd 100644 --- a/x-pack/filebeat/module/microsoft/_meta/fields.yml +++ b/x-pack/filebeat/module/microsoft/_meta/fields.yml @@ -1,5 +1,5 @@ - key: microsoft - title: Microsoft DHCP + title: Microsoft description: > - microsoft fields. + Microsoft Module fields: diff --git a/x-pack/filebeat/module/microsoft/_meta/kibana/7/dashboard/Filebeat-microsoft-atp-overview.json b/x-pack/filebeat/module/microsoft/_meta/kibana/7/dashboard/Filebeat-microsoft-atp-overview.json new file mode 100644 index 00000000000..1cede27b376 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/_meta/kibana/7/dashboard/Filebeat-microsoft-atp-overview.json @@ -0,0 +1,1221 @@ +{ + "objects": [ + { + "attributes": { + "description": "Microsoft Defender ATP Alert Overview", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "8343f7ea-b977-44bf-bf81-6d41742093a4", + "w": 4, + "x": 0, + "y": 0 + }, + "panelIndex": "8343f7ea-b977-44bf-bf81-6d41742093a4", + "panelRefName": "panel_0", + "version": "7.8.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 24, + "i": "74d36139-4d22-44d4-bfc8-020c575febb1", + "w": 25, + "x": 4, + "y": 0 + }, + "panelIndex": "74d36139-4d22-44d4-bfc8-020c575febb1", + "panelRefName": "panel_1", + "version": "7.8.1" + }, + { + "embeddableConfig": { + "title": "ATP Techniques [Filebeat Microsoft]" + }, + "gridData": { + "h": 24, + "i": "a3e140ed-a0ed-4da0-8142-72d68fd7c5e5", + "w": 19, + "x": 29, + "y": 0 + }, + "panelIndex": "a3e140ed-a0ed-4da0-8142-72d68fd7c5e5", + "panelRefName": "panel_2", + "title": "ATP Techniques [Filebeat Microsoft]", + "version": "7.8.1" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "f3843ab0-8b0f-4f64-805c-4ab0d0965d8a", + "w": 4, + "x": 0, + "y": 6 + }, + "panelIndex": "f3843ab0-8b0f-4f64-805c-4ab0d0965d8a", + "panelRefName": "panel_3", + "version": "7.8.1" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "16e7059b-70a5-4ea4-b622-9015d7430419", + "w": 4, + "x": 0, + "y": 12 + }, + "panelIndex": "16e7059b-70a5-4ea4-b622-9015d7430419", + "panelRefName": "panel_4", + "version": "7.8.1" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "d8a5a667-ed0b-42ed-ae7d-edbfa722677f", + "w": 4, + "x": 0, + "y": 18 + }, + "panelIndex": "d8a5a667-ed0b-42ed-ae7d-edbfa722677f", + "panelRefName": "panel_5", + "version": "7.8.1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "cb8de6bb-1096-427d-834e-210963aad3e5", + "w": 48, + "x": 0, + "y": 24 + }, + "panelIndex": "cb8de6bb-1096-427d-834e-210963aad3e5", + "panelRefName": "panel_6", + "version": "7.8.1" + } + ], + "timeRestore": false, + "title": "[Filebeat Microsoft] ATP Overview", + "version": 1 + }, + "id": "65402c30-ca6a-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "3c64f400-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "e415af10-ca67-11ea-9d4d-9737a63aaa55", + "name": "panel_1", + "type": "lens" + }, + { + "id": "14d367f0-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_2", + "type": "lens" + }, + { + "id": "9e902dc0-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "b9fcbf60-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "62f081c0-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "00e8fca0-ca68-11ea-9d4d-9737a63aaa55", + "name": "panel_6", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzEzLDFd" + }, + { + "attributes": { + "description": "Microsoft Defender ATP Counter for new incidents", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset:\"microsoft.defender_atp\" " + } + } + }, + "title": "ATP New Incidents Counter [Filebeat Microsoft]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "New Incidents", + "field": "microsoft.defender_atp.incidentId" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 1 + }, + { + "from": 1, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "ATP New Incidents Counter [Filebeat Microsoft]", + "type": "metric" + } + }, + "id": "3c64f400-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzYsMV0=" + }, + { + "attributes": { + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" \n filters=\"[{\\\"meta\\\":{\\\"index\\\":\\\"filebeat-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"event.module\\\",\\\"params\\\":{\\\"query\\\":\\\"microsoft\\\"}},\\\"query\\\":{\\\"match_phrase\\\":{\\\"event.module\\\":\\\"microsoft\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}},{\\\"meta\\\":{\\\"index\\\":\\\"filebeat-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"event.dataset\\\",\\\"params\\\":{\\\"query\\\":\\\"microsoft.defender_atp\\\"}},\\\"query\\\":{\\\"match_phrase\\\":{\\\"event.dataset\\\":\\\"microsoft.defender_atp\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}}]\"\n| lens_merge_tables layerIds=\"ac550ae9-6e17-4944-9545-25bbe83d9dbb\" \n tables={esaggs index=\"filebeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"19ade524-0042-4ecd-ac59-9696c8c2e225\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"event.severity\\\",\\\"orderBy\\\":\\\"27212c7c-83ee-4292-a4c6-396d9b77dce6\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":6,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"677e5501-ca31-435c-8eab-38b5297e54c2\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"24h\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"27212c7c-83ee-4292-a4c6-396d9b77dce6\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"cardinality\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"microsoft.defender_atp.incidentId\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-19ade524-0042-4ecd-ac59-9696c8c2e225\\\":{\\\"label\\\":\\\"Top values of event.severity\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"event.severity\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":6,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"27212c7c-83ee-4292-a4c6-396d9b77dce6\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"id\\\":\\\"19ade524-0042-4ecd-ac59-9696c8c2e225\\\"},\\\"col-2-677e5501-ca31-435c-8eab-38b5297e54c2\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"24h\\\"},\\\"id\\\":\\\"677e5501-ca31-435c-8eab-38b5297e54c2\\\"},\\\"col-3-27212c7c-83ee-4292-a4c6-396d9b77dce6\\\":{\\\"label\\\":\\\"Number of incidents\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"cardinality\\\",\\\"scale\\\":\\\"ratio\\\",\\\"sourceField\\\":\\\"microsoft.defender_atp.incidentId\\\",\\\"isBucketed\\\":false,\\\"params\\\":{\\\"format\\\":{\\\"id\\\":\\\"number\\\",\\\"params\\\":{\\\"decimals\\\":0}}},\\\"id\\\":\\\"27212c7c-83ee-4292-a4c6-396d9b77dce6\\\"}}\" | lens_format_column format=\"number\" columnId=\"27212c7c-83ee-4292-a4c6-396d9b77dce6\" decimals=0}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Number of incidents\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} \n layers={lens_xy_layer layerId=\"ac550ae9-6e17-4944-9545-25bbe83d9dbb\" hide=false xAccessor=\"677e5501-ca31-435c-8eab-38b5297e54c2\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"19ade524-0042-4ecd-ac59-9696c8c2e225\" seriesType=\"line\" accessors=\"27212c7c-83ee-4292-a4c6-396d9b77dce6\" columnToLabel=\"{\\\"27212c7c-83ee-4292-a4c6-396d9b77dce6\\\":\\\"Number of incidents\\\",\\\"19ade524-0042-4ecd-ac59-9696c8c2e225\\\":\\\"Top values of event.severity\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "filebeat-*", + "title": "filebeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "filebeat-*", + "layers": { + "ac550ae9-6e17-4944-9545-25bbe83d9dbb": { + "columnOrder": [ + "19ade524-0042-4ecd-ac59-9696c8c2e225", + "677e5501-ca31-435c-8eab-38b5297e54c2", + "27212c7c-83ee-4292-a4c6-396d9b77dce6" + ], + "columns": { + "19ade524-0042-4ecd-ac59-9696c8c2e225": { + "dataType": "number", + "isBucketed": true, + "label": "Top values of event.severity", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "27212c7c-83ee-4292-a4c6-396d9b77dce6", + "type": "column" + }, + "orderDirection": "desc", + "size": 6 + }, + "scale": "ordinal", + "sourceField": "event.severity" + }, + "27212c7c-83ee-4292-a4c6-396d9b77dce6": { + "dataType": "number", + "isBucketed": false, + "label": "Number of incidents", + "operationType": "cardinality", + "params": { + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "microsoft.defender_atp.incidentId" + }, + "677e5501-ca31-435c-8eab-38b5297e54c2": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "24h" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "indexPatternId": "filebeat-*" + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "27212c7c-83ee-4292-a4c6-396d9b77dce6" + ], + "layerId": "ac550ae9-6e17-4944-9545-25bbe83d9dbb", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "19ade524-0042-4ecd-ac59-9696c8c2e225", + "xAccessor": "677e5501-ca31-435c-8eab-38b5297e54c2" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "ATP New Incidents [Filebeat Microsoft]", + "visualizationType": "lnsXY" + }, + "id": "e415af10-ca67-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "lens": "7.8.0" + }, + "references": [], + "type": "lens", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzcsMV0=" + }, + { + "attributes": { + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" \n filters=\"[{\\\"meta\\\":{\\\"index\\\":\\\"filebeat-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"event.module\\\",\\\"params\\\":{\\\"query\\\":\\\"microsoft\\\"}},\\\"query\\\":{\\\"match_phrase\\\":{\\\"event.module\\\":\\\"microsoft\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}},{\\\"meta\\\":{\\\"index\\\":\\\"filebeat-*\\\",\\\"alias\\\":null,\\\"negate\\\":false,\\\"disabled\\\":false,\\\"type\\\":\\\"phrase\\\",\\\"key\\\":\\\"event.dataset\\\",\\\"params\\\":{\\\"query\\\":\\\"microsoft.defender_atp\\\"}},\\\"query\\\":{\\\"match_phrase\\\":{\\\"event.dataset\\\":\\\"microsoft.defender_atp\\\"}},\\\"$state\\\":{\\\"store\\\":\\\"appState\\\"}}]\"\n| lens_merge_tables layerIds=\"f93e2634-0dd5-4aec-b6de-45284dd39630\" \n tables={esaggs index=\"filebeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true aggConfigs=\"[{\\\"id\\\":\\\"12ecaf1f-b957-4c15-8f43-8f043a7d1d51\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"threat.technique.name\\\",\\\"orderBy\\\":\\\"_key\\\",\\\"order\\\":\\\"asc\\\",\\\"size\\\":10,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"0f67be87-cc6f-48e7-8afd-d9401037d006\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"count\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{}}]\" | lens_rename_columns idMap=\"{\\\"col-0-12ecaf1f-b957-4c15-8f43-8f043a7d1d51\\\":{\\\"label\\\":\\\"Related MITRE attach techniques\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"threat.technique.name\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":10,\\\"orderBy\\\":{\\\"type\\\":\\\"alphabetical\\\"},\\\"orderDirection\\\":\\\"asc\\\"},\\\"id\\\":\\\"12ecaf1f-b957-4c15-8f43-8f043a7d1d51\\\"},\\\"col-1-0f67be87-cc6f-48e7-8afd-d9401037d006\\\":{\\\"label\\\":\\\"Number of techniques\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"count\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"sourceField\\\":\\\"Records\\\",\\\"id\\\":\\\"0f67be87-cc6f-48e7-8afd-d9401037d006\\\"}}\"}\n| lens_pie shape=\"treemap\" hideLabels=false groups=\"12ecaf1f-b957-4c15-8f43-8f043a7d1d51\" metric=\"0f67be87-cc6f-48e7-8afd-d9401037d006\" numberDisplay=\"percent\" categoryDisplay=\"default\" legendDisplay=\"default\" percentDecimals=3 nestedLegend=false", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "filebeat-*", + "title": "filebeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "filebeat-*", + "layers": { + "f93e2634-0dd5-4aec-b6de-45284dd39630": { + "columnOrder": [ + "12ecaf1f-b957-4c15-8f43-8f043a7d1d51", + "0f67be87-cc6f-48e7-8afd-d9401037d006" + ], + "columns": { + "0f67be87-cc6f-48e7-8afd-d9401037d006": { + "dataType": "number", + "isBucketed": false, + "label": "Number of techniques", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "12ecaf1f-b957-4c15-8f43-8f043a7d1d51": { + "dataType": "string", + "isBucketed": true, + "label": "Related MITRE attach techniques", + "operationType": "terms", + "params": { + "orderBy": { + "type": "alphabetical" + }, + "orderDirection": "asc", + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.technique.name" + } + }, + "indexPatternId": "filebeat-*" + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "12ecaf1f-b957-4c15-8f43-8f043a7d1d51" + ], + "layerId": "f93e2634-0dd5-4aec-b6de-45284dd39630", + "legendDisplay": "default", + "metric": "0f67be87-cc6f-48e7-8afd-d9401037d006", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "treemap" + } + }, + "title": "ATP Techniques [Filebeat Microsoft]", + "visualizationType": "lnsPie" + }, + "id": "14d367f0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "lens": "7.8.0" + }, + "references": [], + "type": "lens", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzgsMV0=" + }, + { + "attributes": { + "description": "Microsoft Defender ATP counter for related domains", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset:\"microsoft.defender_atp\" " + } + } + }, + "title": "ATP Domains Counter [Filebeat Microsoft]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Related Domains", + "field": "microsoft.defender_atp.evidence.domainName" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "ATP Domains Counter [Filebeat Microsoft]", + "type": "metric" + } + }, + "id": "9e902dc0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzksMV0=" + }, + { + "attributes": { + "description": "Microsoft Defender ATP counter for related IP Addresses", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset:\"microsoft.defender_atp\" " + } + } + }, + "title": "ATP IP Addresses Counter [Filebeat Microsoft]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Related Networks", + "field": "microsoft.defender_atp.evidence.ipAddress" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "ATP IP Addresses Counter [Filebeat Microsoft]", + "type": "metric" + } + }, + "id": "b9fcbf60-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzEwLDFd" + }, + { + "attributes": { + "description": "Microsoft Defender ATP counter for related Users", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "event.dataset:\"microsoft.defender_atp\" " + } + } + }, + "title": "ATP Related Users Counter [Filebeat Microsoft]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Related Users", + "field": "host.user.name" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "ATP Related Users Counter [Filebeat Microsoft]", + "type": "metric" + } + }, + "id": "62f081c0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzExLDFd" + }, + { + "attributes": { + "description": "Microsoft Defender ATP Incident Table", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "microsoft" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "microsoft" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "microsoft.defender_atp" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "microsoft.defender_atp" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "ATP Incident Table [Filebeat Microsoft]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Incident ID", + "field": "microsoft.defender_atp.incidentId", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Current Status", + "field": "microsoft.defender_atp.status", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "5", + "params": { + "customLabel": "Assigned To", + "field": "microsoft.defender_atp.assignedTo", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "9", + "params": { + "customLabel": "Severity", + "field": "event.severity", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Hostname", + "field": "host.hostname", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "6", + "params": { + "customLabel": "Title", + "field": "event.test.message", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "8", + "params": { + "aggregate": "concat", + "field": "@timestamp", + "size": 1, + "sortField": "@timestamp", + "sortOrder": "desc" + }, + "schema": "metric", + "type": "top_hits" + }, + { + "enabled": true, + "id": "10", + "params": { + "customLabel": "Category", + "field": "threat.technique.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "_key", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "row": true, + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "ATP Incident Table [Filebeat Microsoft]", + "type": "table" + } + }, + "id": "00e8fca0-ca68-11ea-9d4d-9737a63aaa55", + "migrationVersion": { + "visualization": "7.8.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-07-20T09:45:23.877Z", + "version": "WzEyLDFd" + } + ], + "version": "7.8.0" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/microsoft/defender_atp/_meta/fields.yml b/x-pack/filebeat/module/microsoft/defender_atp/_meta/fields.yml new file mode 100644 index 00000000000..fae3cf2cfd0 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/defender_atp/_meta/fields.yml @@ -0,0 +1,91 @@ +- name: microsoft.defender_atp + type: group + release: beta + default_field: false + description: > + Module for ingesting Microsoft Defender ATP. + fields: + - name: lastUpdateTime + type: date + description: > + The date and time (in UTC) the alert was last updated. + + - name: resolvedTime + type: date + description: > + The date and time in which the status of the alert was changed to 'Resolved'. + + - name: incidentId + type: keyword + description: > + The Incident ID of the Alert. + + - name: investigationId + type: keyword + description: > + The Investigation ID related to the Alert. + + - name: investigationState + type: keyword + description: > + The current state of the Investigation. + + - name: assignedTo + type: keyword + description: > + Owner of the alert. + + - name: status + type: keyword + description: > + Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. + + - name: classification + type: keyword + description: > + Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. + + - name: determination + type: keyword + description: > + Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'. + + - name: threatFamilyName + type: keyword + description: > + Threat family. + + - name: rbacGroupName + type: keyword + description: > + User group related to the alert + + - name: evidence.domainName + type: keyword + description: > + Domain name related to the alert + + - name: evidence.ipAddress + type: ip + description: > + IP address involved in the alert + + - name: evidence.aadUserId + type: keyword + description: > + ID of the user involved in the alert + + - name: evidence.accountName + type: keyword + description: > + Username of the user involved in the alert + + - name: evidence.entityType + type: keyword + description: > + The type of evidence + + - name: evidence.userPrincipalName + type: keyword + description: > + Principal name of the user involved in the alert diff --git a/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml b/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml new file mode 100644 index 00000000000..f69e14d5f97 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml @@ -0,0 +1,43 @@ +{{ if eq .input "httpjson" }} + +type: httpjson +http_method: GET +http_headers: {"Content-Type": "application/json"} +interval: {{ .interval }} +json_objects_array: value +split_events_by: evidence +url: {{ .url }} + +oauth2: {{ .oauth2 | tojson }} +oauth2.provider: azure +oauth2.azure.resource: https://api.securitycenter.windows.com/ +http_headers: {{ .http_headers | tojson }} +date_cursor.field: lastUpdateTime +date_cursor.url_field: '$filter' +date_cursor.value_template: {{ .date_cursor.value_template }} +date_cursor.initial_interval: 5m +date_cursor.date_format: '2006-01-02T15:04:05.9999999Z' + + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] + +{{ end }} + +tags: {{ .tags | tojson }} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - decode_json_fields: + fields: [message] + target: json + - add_fields: + target: '' + fields: + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml new file mode 100644 index 00000000000..0f35c753092 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml @@ -0,0 +1,304 @@ +--- +description: Pipeline for parsing microsoft atp logs +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- remove: + field: + - message + - json.comments + - host + ignore_missing: true + +######################### +## ECS General Mapping ## +######################### +- script: + lang: painless + if: ctx?.json != null + params: + values: + - null + - "" + - "-" + - "N/A" + source: | + if (!ctx['json'].empty) { + ctx.json.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + } + +- script: + lang: painless + if: ctx?.json?.evidence != null + params: + values: + - null + - "" + - "-" + - "N/A" + source: | + if (!ctx.json['evidence'].empty) { + ctx.json.evidence.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + } + +- set: + field: cloud.provider + value: azure +- set: + field: '@timestamp' + value: '{{json.alertUpdateTime}}' + if: ctx.json?.alertUpdateTime != null +- rename: + field: json.aadTenantId + target_field: cloud.account.id + ignore_missing: true +- rename: + field: json.machineId + target_field: cloud.instance.id + ignore_missing: true +- rename: + field: json.title + target_field: message + ignore_missing: true + +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: alert +# Events returned from the API is always in UTC, so should never use anything else +- set: + field: event.timezone + value: UTC +- set: + field: event.action + value: '{{json.category}}' + if: ctx.json?.category != null +- set: + field: event.provider + value: defender_atp +- set: + field: event.created + value: '{{json.alertCreationTime}}' + if: ctx.json?.alertCreationTime != null +- append: + field: event.category + value: host +- append: + field: event.category + value: malware + if: ctx.json?.category == 'Malware' +- append: + field: event.category + value: process + if: ctx.json?.evidence?.entityType == 'Process' +- append: + field: event.type + value: user + if: ctx.json?.evidence?.entityType == 'User' +- append: + field: event.type + value: + - creation + - start + if: ctx.json?.status == 'New' +- append: + field: event.type + value: end + if: ctx.json?.status == 'Resolved' +- rename: + field: json.id + target_field: event.id + ignore_missing: true +- rename: + field: json.firstEventTime + target_field: event.start + ignore_missing: true +- rename: + field: json.lastEventTime + target_field: event.end + ignore_missing: true +- set: + field: event.severity + value: 0 + if: ctx.json?.severity == 'Unspecified' +- set: + field: event.severity + value: 1 + if: ctx.json?.severity == 'Informational' +- set: + field: event.severity + value: 2 + if: ctx.json?.severity == 'Low' +- set: + field: event.severity + value: 3 + if: ctx.json?.severity == 'Medium' +- set: + field: event.severity + value: 4 + if: ctx.json?.severity == 'High' +- script: + lang: painless + if: "ctx?.event?.start != null && ctx?.event?.end != null" + source: > + Instant eventstart = ZonedDateTime.parse(ctx?.event?.start).toInstant(); + Instant eventend = ZonedDateTime.parse(ctx?.event?.end).toInstant(); + ctx.event['duration'] = ChronoUnit.NANOS.between(eventstart, eventend); + +######################## +## ECS Threat Mapping ## +######################## +- set: + field: threat.framework + value: MITRE ATT&CK + if: ctx.json?.category != null +- rename: + field: json.category + target_field: threat.technique.name + ignore_missing: true +- rename: + field: json.description + target_field: rule.description + ignore_missing: true + if: (ctx.json?.description).length() < 1020 + +###################### +## ECS File Mapping ## +###################### +- rename: + field: json.evidence.fileName + target_field: file.name + ignore_missing: true +- rename: + field: json.evidence.sha256 + target_field: file.hash.sha256 + ignore_missing: true +- rename: + field: json.evidence.sha1 + target_field: file.hash.sha1 + ignore_missing: true +- rename: + field: json.evidence.filePath + target_field: file.path + ignore_missing: true + +###################### +## ECS Process Mapping ## +###################### +- rename: + field: json.evidence.processId + target_field: process.pid + ignore_missing: true +- rename: + field: json.evidence.processCommandLine + target_field: process.command_line + ignore_missing: true +- rename: + field: json.evidence.processCreationTime + target_field: process.start + ignore_missing: true +- rename: + field: json.evidence.parentProcessId + target_field: process.parent.pid + ignore_missing: true +- rename: + field: json.evidence.parentProcessCreationTime + target_field: process.parent.start + ignore_missing: true + +########################## +## ECS Observer Mapping ## +########################## +- set: + field: observer.product + value: Defender ATP +- set: + field: observer.vendor + value: Microsoft +- rename: + field: json.detectionSource + target_field: observer.name + ignore_missing: true + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: json.evidence.url + target_field: url.full + ignore_missing: true + if: ctx?.json?.evidence?.url != null + +###################### +## ECS Host Mapping ## +###################### +- rename: + field: json.computerDnsName + target_field: host.hostname + ignore_missing: true +- set: + field: host.name + value: '{{host.hostname}}' + if: ctx?.host?.hostname != null + +###################### +## ECS User Mapping ## +###################### +- rename: + field: json.relatedUser.userName + target_field: host.user.name + ignore_missing: true +- rename: + field: json.relatedUser.domainName + target_field: host.user.domain + ignore_missing: true +- rename: + field: json.evidence.userSid + target_field: host.user.id + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{json.evidence.ipAddress}}' + if: ctx.json?.evidence?.ipAddress != null +- append: + field: related.user + value: '{{host.user.name}}' + if: ctx.host?.user?.name != null +- append: + field: related.hash + value: '{{file.hash.sha1}}' + if: ctx.file?.hash?.sha1 != null +- append: + field: related.hash + value: '{{file.hash.sha256}}' + if: ctx.file?.hash?.sha256 != null +- append: + field: related.hosts + value: '{{host.hostname}}' + if: ctx.host?.hostname != null && ctx.host?.hostname != '' + allow_duplicates: false + +############# +## Cleanup ## +############# +- remove: + field: + - json.alertCreationTime + - json.severity + - json.relatedUser + ignore_missing: true +- rename: + field: json + target_field: microsoft.defender_atp + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{_ingest.on_failure_message}}' diff --git a/x-pack/filebeat/module/microsoft/defender_atp/manifest.yml b/x-pack/filebeat/module/microsoft/defender_atp/manifest.yml new file mode 100644 index 00000000000..22db3448710 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/defender_atp/manifest.yml @@ -0,0 +1,24 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: interval + default: 5m + - name: date_cursor + default: + value_template: "lastUpdateTime gt {{.}}" + - name: tags + default: [defender-atp, forwarded] + - name: http_headers + default: + User-Agent: MdatpPartner-Elastic-Filebeat/1.0.0 + - name: url + default: "https://api.securitycenter.windows.com/api/alerts?$expand=evidence" + - name: oauth2 + + +ingest_pipeline: ingest/pipeline.yml +input: config/atp.yml + + diff --git a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log new file mode 100644 index 00000000000..44ada18d449 --- /dev/null +++ b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log @@ -0,0 +1,4 @@ +{"id":"da637291085411733957_-1043898914","incidentId":12,"investigationId":9,"assignedTo":"elastic@elasticuser.com","severity":"Low","status":"Resolved","classification":null,"determination":null,"investigationState":"Benign","detectionSource":"WindowsDefenderAv","category":"Malware","threatFamilyName":null,"title":"An active 'Exeselrun' malware was detected","description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.","alertCreationTime":"2020-06-30T10:09:01.1569718Z","firstEventTime":"2020-06-30T10:07:44.333733Z","lastEventTime":"2020-06-30T10:07:44.333733Z","lastUpdateTime":"2020-07-03T15:15:39.13Z","resolvedTime":"2020-06-30T11:13:12.2680434Z","machineId":"c5a964f417c11f6277d5bf9489f0d","computerDnsName":"testserver4","rbacGroupName":null,"aadTenantId":"123543-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":null,"comments":[],"evidence":{"entityType":"File","sha1":null,"sha256":null,"fileName":"SB.xsl","filePath":"C:\\Windows\\Temp\\sb-sim-temp-ikyxqi\\sb_10554_bs_h4qpk5","processId":null,"processCommandLine":null,"processCreationTime":null,"parentProcessId":null,"parentProcessCreationTime":null,"ipAddress":null,"url":null,"accountName":null,"domainName":null,"userSid":null,"aadUserId":null,"userPrincipalName":null}} +{"id":"da637291048912199236_1126926584","incidentId":11,"investigationId":7,"assignedTo":null,"severity":"Medium","status":"New","classification":null,"determination":null,"investigationState":"TerminatedByUser","detectionSource":"WindowsDefenderAtp","category":"DefenseEvasion","threatFamilyName":null,"title":"Suspicious process injection observed","description":"A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.","alertCreationTime":"2020-06-30T09:08:11.1084877Z","firstEventTime":"2020-06-30T09:04:56.8490679Z","lastEventTime":"2020-06-30T09:45:39.5484377Z","lastUpdateTime":"2020-06-30T15:29:44.7733333Z","resolvedTime":null,"machineId":"543bc5a964f417c11f6277d5bf9489f0d","computerDnsName":"testserver4","rbacGroupName":null,"aadTenantId":"123543-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":{"userName":"administrator1","domainName":"TestServer4"},"comments":[],"evidence":{"entityType":"Process","sha1":"b6d237154f2e528f0b503b58b025862d66b02b73","sha256":"a92056d772260b39a876d01552496b2f8b4610a0b1e084952fe1176784e2ce77","fileName":"notepad.exe","filePath":"C:\\Windows\\System32","processId":4104,"processCommandLine":"\"notepad.exe\"","processCreationTime":"2020-06-30T09:45:38.9784654Z","parentProcessId":6012,"parentProcessCreationTime":"2020-06-30T09:04:51.487396Z","ipAddress":null,"url":null,"accountName":null,"domainName":null,"userSid":null,"aadUserId":null,"userPrincipalName":null}} +{"id":"da637291048912199236_1126926584","incidentId":11,"investigationId":7,"assignedTo":null,"severity":"Medium","status":"New","classification":null,"determination":null,"investigationState":"TerminatedByUser","detectionSource":"WindowsDefenderAtp","category":"DefenseEvasion","threatFamilyName":null,"title":"Suspicious process injection observed","description":"A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.","alertCreationTime":"2020-06-30T09:08:11.1084877Z","firstEventTime":"2020-06-30T09:04:56.8490679Z","lastEventTime":"2020-06-30T09:45:39.5484377Z","lastUpdateTime":"2020-06-30T15:29:44.7733333Z","resolvedTime":null,"machineId":"53425a964f417c11f6277d5bf9489f0d","computerDnsName":"testserver4","rbacGroupName":null,"aadTenantId":"43521344-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":{"userName":"administrator1","domainName":"TestServer4"},"comments":[],"evidence":{"entityType":"User","sha1":null,"sha256":null,"fileName":null,"filePath":null,"processId":null,"processCommandLine":null,"processCreationTime":null,"parentProcessId":null,"parentProcessCreationTime":null,"ipAddress":null,"url":null,"accountName":"administrator1","domainName":"TestServer4","userSid":"S-1-5-21-46152456-1367606905-4031241297-500","aadUserId":null,"userPrincipalName":null}} +{"id":"da637291063515066999_-2102938302","incidentId":12,"investigationId":9,"assignedTo":"Automation","severity":"Informational","status":"Resolved","classification":null,"determination":null,"investigationState":"Benign","detectionSource":"WindowsDefenderAv","category":"Malware","threatFamilyName":null,"title":"'Mountsi' malware was detected","description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.","alertCreationTime":"2020-06-30T09:32:31.4579225Z","firstEventTime":"2020-06-30T09:31:22.5729558Z","lastEventTime":"2020-06-30T09:46:15.0876676Z","lastUpdateTime":"2020-06-30T11:13:12.9Z","resolvedTime":"2020-06-30T11:13:12.2680434Z","machineId":"t4563234bc5a964f417c11f6277d5bf9489f0d","computerDnsName":"testserver4","rbacGroupName":null,"aadTenantId":"1234543-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":null,"comments":[],"evidence":{"entityType":"File","sha1":"ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281","sha256":"fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356","fileName":"amsistream-1D89ECED25A52AB98B76FF619B7BA07A","filePath":null,"processId":null,"processCommandLine":null,"processCreationTime":null,"parentProcessId":null,"parentProcessCreationTime":null,"ipAddress":null,"url":null,"accountName":null,"domainName":null,"userSid":null,"aadUserId":null,"userPrincipalName":null}} diff --git a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json new file mode 100644 index 00000000000..0423289d6ac --- /dev/null +++ b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json @@ -0,0 +1,239 @@ +[ + { + "cloud.account.id": "123543-d66c-4c7e-9e30-40034eb7c6f3", + "cloud.instance.id": "c5a964f417c11f6277d5bf9489f0d", + "cloud.provider": "azure", + "event.action": "Malware", + "event.category": [ + "host", + "malware" + ], + "event.dataset": "microsoft.defender_atp", + "event.duration": 0, + "event.end": "2020-06-30T10:07:44.333733Z", + "event.id": "da637291085411733957_-1043898914", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "defender_atp", + "event.severity": 2, + "event.start": "2020-06-30T10:07:44.333733Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "file.name": "SB.xsl", + "file.path": "C:\\Windows\\Temp\\sb-sim-temp-ikyxqi\\sb_10554_bs_h4qpk5", + "fileset.name": "defender_atp", + "host.hostname": "testserver4", + "host.name": "testserver4", + "input.type": "log", + "log.offset": 0, + "message": "An active 'Exeselrun' malware was detected", + "microsoft.defender_atp.assignedTo": "elastic@elasticuser.com", + "microsoft.defender_atp.evidence.entityType": "File", + "microsoft.defender_atp.incidentId": 12, + "microsoft.defender_atp.investigationId": 9, + "microsoft.defender_atp.investigationState": "Benign", + "microsoft.defender_atp.lastUpdateTime": "2020-07-03T15:15:39.13Z", + "microsoft.defender_atp.resolvedTime": "2020-06-30T11:13:12.2680434Z", + "microsoft.defender_atp.status": "Resolved", + "observer.name": "WindowsDefenderAv", + "observer.product": "Defender ATP", + "observer.vendor": "Microsoft", + "related.hosts": [ + "testserver4" + ], + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.", + "service.type": "microsoft", + "tags": [ + "defender-atp", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "Malware" + }, + { + "cloud.account.id": "123543-d66c-4c7e-9e30-40034eb7c6f3", + "cloud.instance.id": "543bc5a964f417c11f6277d5bf9489f0d", + "cloud.provider": "azure", + "event.action": "DefenseEvasion", + "event.category": [ + "host", + "process" + ], + "event.dataset": "microsoft.defender_atp", + "event.duration": 2442699369800, + "event.end": "2020-06-30T09:45:39.5484377Z", + "event.id": "da637291048912199236_1126926584", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "defender_atp", + "event.severity": 3, + "event.start": "2020-06-30T09:04:56.8490679Z", + "event.timezone": "UTC", + "event.type": [ + "creation", + "start" + ], + "file.hash.sha1": "b6d237154f2e528f0b503b58b025862d66b02b73", + "file.hash.sha256": "a92056d772260b39a876d01552496b2f8b4610a0b1e084952fe1176784e2ce77", + "file.name": "notepad.exe", + "file.path": "C:\\Windows\\System32", + "fileset.name": "defender_atp", + "host.hostname": "testserver4", + "host.name": "testserver4", + "host.user.domain": "TestServer4", + "host.user.name": "administrator1", + "input.type": "log", + "log.offset": 1825, + "message": "Suspicious process injection observed", + "microsoft.defender_atp.evidence.entityType": "Process", + "microsoft.defender_atp.incidentId": 11, + "microsoft.defender_atp.investigationId": 7, + "microsoft.defender_atp.investigationState": "TerminatedByUser", + "microsoft.defender_atp.lastUpdateTime": "2020-06-30T15:29:44.7733333Z", + "microsoft.defender_atp.status": "New", + "observer.name": "WindowsDefenderAtp", + "observer.product": "Defender ATP", + "observer.vendor": "Microsoft", + "process.command_line": "\"notepad.exe\"", + "process.parent.pid": 6012, + "process.parent.start": "2020-06-30T09:04:51.487396Z", + "process.pid": 4104, + "process.start": "2020-06-30T09:45:38.9784654Z", + "related.hash": [ + "b6d237154f2e528f0b503b58b025862d66b02b73", + "a92056d772260b39a876d01552496b2f8b4610a0b1e084952fe1176784e2ce77" + ], + "related.hosts": [ + "testserver4" + ], + "related.user": [ + "administrator1" + ], + "rule.description": "A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.", + "service.type": "microsoft", + "tags": [ + "defender-atp", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "DefenseEvasion" + }, + { + "cloud.account.id": "43521344-d66c-4c7e-9e30-40034eb7c6f3", + "cloud.instance.id": "53425a964f417c11f6277d5bf9489f0d", + "cloud.provider": "azure", + "event.action": "DefenseEvasion", + "event.category": [ + "host" + ], + "event.dataset": "microsoft.defender_atp", + "event.duration": 2442699369800, + "event.end": "2020-06-30T09:45:39.5484377Z", + "event.id": "da637291048912199236_1126926584", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "defender_atp", + "event.severity": 3, + "event.start": "2020-06-30T09:04:56.8490679Z", + "event.timezone": "UTC", + "event.type": [ + "user", + "creation", + "start" + ], + "fileset.name": "defender_atp", + "host.hostname": "testserver4", + "host.name": "testserver4", + "host.user.domain": "TestServer4", + "host.user.id": "S-1-5-21-46152456-1367606905-4031241297-500", + "host.user.name": "administrator1", + "input.type": "log", + "log.offset": 3537, + "message": "Suspicious process injection observed", + "microsoft.defender_atp.evidence.accountName": "administrator1", + "microsoft.defender_atp.evidence.domainName": "TestServer4", + "microsoft.defender_atp.evidence.entityType": "User", + "microsoft.defender_atp.incidentId": 11, + "microsoft.defender_atp.investigationId": 7, + "microsoft.defender_atp.investigationState": "TerminatedByUser", + "microsoft.defender_atp.lastUpdateTime": "2020-06-30T15:29:44.7733333Z", + "microsoft.defender_atp.status": "New", + "observer.name": "WindowsDefenderAtp", + "observer.product": "Defender ATP", + "observer.vendor": "Microsoft", + "related.hosts": [ + "testserver4" + ], + "related.user": [ + "administrator1" + ], + "rule.description": "A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.", + "service.type": "microsoft", + "tags": [ + "defender-atp", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "DefenseEvasion" + }, + { + "cloud.account.id": "1234543-d66c-4c7e-9e30-40034eb7c6f3", + "cloud.instance.id": "t4563234bc5a964f417c11f6277d5bf9489f0d", + "cloud.provider": "azure", + "event.action": "Malware", + "event.category": [ + "host", + "malware" + ], + "event.dataset": "microsoft.defender_atp", + "event.duration": 892514711800, + "event.end": "2020-06-30T09:46:15.0876676Z", + "event.id": "da637291063515066999_-2102938302", + "event.kind": "alert", + "event.module": "microsoft", + "event.provider": "defender_atp", + "event.severity": 1, + "event.start": "2020-06-30T09:31:22.5729558Z", + "event.timezone": "UTC", + "event.type": [ + "end" + ], + "file.hash.sha1": "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281", + "file.hash.sha256": "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356", + "file.name": "amsistream-1D89ECED25A52AB98B76FF619B7BA07A", + "fileset.name": "defender_atp", + "host.hostname": "testserver4", + "host.name": "testserver4", + "input.type": "log", + "log.offset": 5117, + "message": "'Mountsi' malware was detected", + "microsoft.defender_atp.assignedTo": "Automation", + "microsoft.defender_atp.evidence.entityType": "File", + "microsoft.defender_atp.incidentId": 12, + "microsoft.defender_atp.investigationId": 9, + "microsoft.defender_atp.investigationState": "Benign", + "microsoft.defender_atp.lastUpdateTime": "2020-06-30T11:13:12.9Z", + "microsoft.defender_atp.resolvedTime": "2020-06-30T11:13:12.2680434Z", + "microsoft.defender_atp.status": "Resolved", + "observer.name": "WindowsDefenderAv", + "observer.product": "Defender ATP", + "observer.vendor": "Microsoft", + "related.hash": [ + "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281", + "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356" + ], + "related.hosts": [ + "testserver4" + ], + "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.", + "service.type": "microsoft", + "tags": [ + "defender-atp", + "forwarded" + ], + "threat.framework": "MITRE ATT&CK", + "threat.technique.name": "Malware" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml index e8e683f9022..83985fba51d 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml +++ b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml index 184e6c3e4a9..6ba5eef3032 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for Microsoft DHCP processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original @@ -49,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.hostname}}' + allow_duplicates: false + if: ctx?.host?.hostname != null && ctx.host?.hostname != '' + - append: + field: related.hosts + value: '{{source.address}}' + allow_duplicates: false + if: ctx?.source?.address != null && ctx.source?.address != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json index a350394d3bd..48ad613503d 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json +++ b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json @@ -12,6 +12,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ciade5699.domain" + ], "related.ip": [ "10.124.22.221" ], @@ -41,6 +44,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "orev6153.internal.domain" + ], "related.ip": [ "10.103.162.55" ], @@ -70,6 +76,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "uatDuis2964.test" + ], "related.ip": [ "10.58.0.245" ], @@ -99,6 +108,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "untNequ5075.www5.domain" + ], "related.ip": [ "10.163.217.10" ], @@ -130,6 +142,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "idexea3181.www.local" + ], "related.ip": [ "10.111.27.193" ], @@ -159,6 +174,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "etM953.api.domain" + ], "related.ip": [ "10.97.38.141" ], @@ -188,6 +206,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "inv5716.mail.invalid" + ], "related.ip": [ "10.17.21.125" ], @@ -217,6 +238,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "uines6355.internal.localdomain" + ], "related.ip": [ "10.73.69.75" ], @@ -246,6 +270,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "rehender4535.www5.test" + ], "related.ip": [ "10.45.25.68" ], @@ -275,6 +302,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "mporain2624.www.localhost" + ], "related.ip": [ "10.68.93.6" ], @@ -304,6 +334,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tutla2716.www.domain" + ], "related.ip": [ "10.192.110.182" ], @@ -333,6 +366,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "conseq557.mail.lan" + ], "related.ip": [ "10.148.153.201" ], @@ -362,6 +398,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "etconse7424.internal.lan" + ], "related.ip": [ "10.213.147.241" ], @@ -391,6 +430,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tMalor7410.www.localhost" + ], "related.ip": [ "10.183.233.5" ], @@ -422,6 +464,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "equat2243.www5.localdomain" + ], "related.ip": [ "10.52.186.29" ], @@ -451,6 +496,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ectio2175.www.localhost" + ], "related.ip": [ "10.194.114.58" ], @@ -480,6 +528,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "liqui6106.internal.home" + ], "related.ip": [ "10.212.42.224" ], @@ -509,6 +560,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "eratv6205.internal.lan" + ], "related.ip": [ "10.244.144.198" ], @@ -540,6 +594,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "piscin6866.internal.host" + ], "related.ip": [ "10.90.86.89" ], @@ -569,6 +626,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "riosamn7650.api.test" + ], "related.ip": [ "10.158.237.92" ], @@ -601,6 +661,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "aper5651.test" + ], "related.ip": [ "10.20.147.134" ], @@ -633,6 +696,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "inventor6088.www.invalid" + ], "related.ip": [ "10.213.145.202" ], @@ -662,6 +728,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "cipitlab6201.www5.example" + ], "related.ip": [ "10.76.10.73" ], @@ -691,6 +760,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "Nemoenim2039.api.localhost" + ], "related.ip": [ "10.226.199.190" ], @@ -721,6 +793,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "iquipe2458.api.host" + ], "related.ip": [ "10.20.129.206" ], @@ -750,6 +825,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "intoc1426.mail.lan" + ], "related.ip": [ "10.22.110.210" ], @@ -779,6 +857,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "rsitvolu3751.mail.lan" + ], "related.ip": [ "10.218.87.174" ], @@ -808,6 +889,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tqu4367.www5.localhost" + ], "related.ip": [ "10.140.113.244" ], @@ -837,6 +921,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "inci5738.www5.invalid" + ], "related.ip": [ "10.159.181.29" ], @@ -866,6 +953,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "itecto1300.internal.corp" + ], "related.ip": [ "10.178.173.128" ], @@ -895,6 +985,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "siut1579.www.domain" + ], "related.ip": [ "10.217.38.30" ], @@ -924,6 +1017,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ame6223.www5.localhost" + ], "related.ip": [ "10.178.49.161" ], @@ -953,6 +1049,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "aturve1647.mail.localhost" + ], "related.ip": [ "10.175.103.215" ], @@ -982,6 +1081,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "aco6894.mail.home" + ], "related.ip": [ "10.192.21.74" ], @@ -1013,6 +1115,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tetu2485.internal.invalid" + ], "related.ip": [ "10.142.25.100" ], @@ -1043,6 +1148,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "doloreme60.www5.localhost" + ], "related.ip": [ "10.162.114.217" ], @@ -1074,6 +1182,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "luptat7214.domain" + ], "related.ip": [ "10.0.132.176" ], @@ -1104,6 +1215,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "amcor5091.internal.corp" + ], "related.ip": [ "10.22.187.69" ], @@ -1135,6 +1249,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ncidid5410.internal.domain" + ], "related.ip": [ "10.2.128.234" ], @@ -1165,6 +1282,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nofd988.api.example" + ], "related.ip": [ "10.223.160.140" ], @@ -1197,6 +1317,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "borisnis6159.www5.localdomain" + ], "related.ip": [ "10.137.14.180" ], @@ -1226,6 +1349,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "dminima4348.mail.home" + ], "related.ip": [ "10.192.182.230" ], @@ -1256,6 +1382,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "oluptas6981.www5.localhost" + ], "related.ip": [ "10.95.241.28" ], @@ -1288,6 +1417,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "equ4808.www.localhost" + ], "related.ip": [ "10.74.240.121" ], @@ -1320,6 +1452,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nsec923.internal.local" + ], "related.ip": [ "10.139.127.232" ], @@ -1351,6 +1486,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "emoe4059.api.localdomain" + ], "related.ip": [ "10.170.6.54" ], @@ -1380,6 +1518,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "equun6662.home" + ], "related.ip": [ "10.46.115.216" ], @@ -1409,6 +1550,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "dtempori5735.www5.local" + ], "related.ip": [ "10.226.5.189" ], @@ -1438,6 +1582,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "cupi7581.internal.local" + ], "related.ip": [ "10.0.20.5" ], @@ -1468,6 +1615,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "quasiar5281.mail.invalid" + ], "related.ip": [ "10.180.101.232" ], @@ -1500,6 +1650,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tionula1586.host" + ], "related.ip": [ "10.141.158.225" ], @@ -1529,6 +1682,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ore5643.api.lan" + ], "related.ip": [ "10.94.88.5" ], @@ -1559,6 +1715,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ciun39.localdomain" + ], "related.ip": [ "10.155.18.139" ], @@ -1591,6 +1750,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "iutali7297.www.domain" + ], "related.ip": [ "10.85.48.117" ], @@ -1620,6 +1782,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "docon5398.mail.host" + ], "related.ip": [ "10.224.146.6" ], @@ -1649,6 +1814,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "destlabo7803.mail.localhost" + ], "related.ip": [ "10.182.152.242" ], @@ -1678,6 +1846,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "fugits1163.host" + ], "related.ip": [ "10.225.157.110" ], @@ -1707,6 +1878,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "adol170.internal.example" + ], "related.ip": [ "10.236.185.102" ], @@ -1736,6 +1910,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "red5516.localhost" + ], "related.ip": [ "10.146.72.62" ], @@ -1767,6 +1944,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "qui3176.internal.example" + ], "related.ip": [ "10.221.7.206" ], @@ -1796,6 +1976,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "luptat2979.internal.local" + ], "related.ip": [ "10.196.35.130" ], @@ -1825,6 +2008,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "prehe1037.api.example" + ], "related.ip": [ "10.182.219.241" ], @@ -1854,6 +2040,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "abor1370.www.domain" + ], "related.ip": [ "10.101.163.40" ], @@ -1883,6 +2072,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "atDuis5759.internal.test" + ], "related.ip": [ "10.141.39.190" ], @@ -1912,6 +2104,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ict2699.internal.localhost" + ], "related.ip": [ "10.41.89.217" ], @@ -1941,6 +2136,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "cive2292.api.local" + ], "related.ip": [ "10.86.44.130" ], @@ -1971,6 +2169,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "aconsequ2331.www5.localhost" + ], "related.ip": [ "10.209.71.69" ], @@ -2004,6 +2205,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "rsitvolu3596.www.test" + ], "related.ip": [ "10.48.104.137" ], @@ -2036,6 +2240,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "elites6366.mail.lan" + ], "related.ip": [ "10.225.255.211" ], @@ -2068,6 +2275,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "orumSe4514.www.corp" + ], "related.ip": [ "10.137.103.62" ], @@ -2097,6 +2307,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "fdeFi6975.www5.local" + ], "related.ip": [ "10.156.88.51" ], @@ -2126,6 +2339,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "dol3000.www5.local" + ], "related.ip": [ "10.7.99.47" ], @@ -2155,6 +2371,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "umd5182.mail.host" + ], "related.ip": [ "10.243.252.157" ], @@ -2186,6 +2405,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "expl2616.www.test" + ], "related.ip": [ "10.95.73.196" ], @@ -2215,6 +2437,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "risni1535.example" + ], "related.ip": [ "10.145.104.170" ], @@ -2244,6 +2469,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "umtotamr7221.mail.host" + ], "related.ip": [ "10.18.152.236" ], @@ -2273,6 +2501,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "teir7585.www5.localdomain" + ], "related.ip": [ "10.15.240.220" ], @@ -2302,6 +2533,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tur4536.localdomain" + ], "related.ip": [ "10.147.130.71" ], @@ -2331,6 +2565,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ffic6926.home" + ], "related.ip": [ "10.203.146.137" ], @@ -2360,6 +2597,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ate4386.api.localhost" + ], "related.ip": [ "10.5.98.182" ], @@ -2389,6 +2629,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "iameaque5093.api.corp" + ], "related.ip": [ "10.6.180.90" ], @@ -2418,6 +2661,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tatisetq3237.www5.corp" + ], "related.ip": [ "10.111.93.224" ], @@ -2447,6 +2693,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "rvelill32.internal.corp" + ], "related.ip": [ "10.196.157.28" ], @@ -2476,6 +2725,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ectetura2657.www.localdomain" + ], "related.ip": [ "10.143.0.78" ], @@ -2505,6 +2757,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ico3220.api.test" + ], "related.ip": [ "10.184.187.32" ], @@ -2534,6 +2789,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "Duisa7769.test" + ], "related.ip": [ "10.30.87.51" ], @@ -2563,6 +2821,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ptatev6552.www.test" + ], "related.ip": [ "10.180.62.222" ], @@ -2593,6 +2854,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "olore6487.www5.local" + ], "related.ip": [ "10.198.9.209" ], @@ -2625,6 +2889,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nvol548.corp" + ], "related.ip": [ "10.41.217.115" ], @@ -2656,6 +2923,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "pteursi466.www.localdomain" + ], "related.ip": [ "10.212.196.228" ], @@ -2685,6 +2955,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "olupt1936.host" + ], "related.ip": [ "10.166.180.119" ], @@ -2714,6 +2987,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "uisaut2157.corp" + ], "related.ip": [ "10.7.142.212" ], @@ -2744,6 +3020,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ecte882.www5.host" + ], "related.ip": [ "10.209.237.97" ], @@ -2776,6 +3055,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "doloreeu4417.example" + ], "related.ip": [ "10.61.26.207" ], @@ -2806,6 +3088,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tper4341.lan" + ], "related.ip": [ "10.139.88.194" ], @@ -2837,6 +3122,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nimve4965.mail.corp" + ], "related.ip": [ "10.86.134.125" ], @@ -2866,6 +3154,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "mquisno5146.home" + ], "related.ip": [ "10.41.78.169" ], @@ -2895,6 +3186,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "imaveni4500.api.localdomain" + ], "related.ip": [ "10.69.181.95" ], @@ -2925,6 +3219,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "veleu2874.www5.localhost" + ], "related.ip": [ "10.222.6.52" ], @@ -2956,6 +3253,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nemul5083.api.localdomain" + ], "related.ip": [ "10.218.41.80" ], diff --git a/x-pack/filebeat/module/microsoft/fields.go b/x-pack/filebeat/module/microsoft/fields.go index c3034bb7090..2576fcb8ac7 100644 --- a/x-pack/filebeat/module/microsoft/fields.go +++ b/x-pack/filebeat/module/microsoft/fields.go @@ -19,5 +19,5 @@ func init() { // AssetMicrosoft returns asset data. // This is the base64 encoded gzipped contents of module/microsoft. func AssetMicrosoft() string { - return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb9+78pOUjW5tR8+ynVdXWzUFYpokIgwwBjCkmL/+Cg3McMjBUBIFUPK72w9bsUg2uhtAo3/3d+QK1q9JxZlWRs3sXwix3Ap4Td61fyKnv55c/IWQEgzTvLZcydfk3/5CCNn8jMw4iNJM/kLCf73Gz93/viOSVvCaSLArpa8mXFrQM8pg4v7efY0QtQS90tzCa2J10//Ermt47RBdKV32/l7CjDbCFrjkazKjwsDWxwOE2/+9pxUQNSN2AS1ipEOMrBagAT+zms5mnJEFNWQKIImaGtBLKCcD+rShdyBmrlVT356UXaZulkWsJRVb5I2vPrZ+bInNIpWZb/19/wrjGzbYlY8Lbtz3CDekMVASqwijtW0C/zVdkQqMoXP3b2oJUxUYR7Ryn++AJuStmpNTYKoEHSfEw+K7SB1KTgsXliBt4UhLDDggnJn7geUGec6UtCCtcfeDS2OptC0aJoqj5dUhCJbU7n4wxI57nNwShFqyWnC2IJQYMIYrSRbcGkLJe7C/cyvBmHb3J4Oj0RFrFqoRJZGwBE2m0J27mmoD5B1Y6lCjZKZV1Vvq6Vs1Ny8uKLsCa54NwJ9yDcyK9XNiA96UfAAvLPwJlz00J1FGCliCOICTQsnd+7nFyVOoNTBqAyYlzLiEkigpEC1LpwJIRes4VpWZF8kuzJ49fhfu+fnpD2RJRRNuPC9BWj7j4XTCNWWWCDX3+6UHG4HUcQc+nBb8ntuOmmrLWSOoxt+HjZ2MnowB6INOSuxkDCCPn5TRLVked09e/v892b8nbtU8G3K/66umfxRIyO62PBrslvQQoZcdNQ1GNZplenvvz7Zc9/9+mBlLLVQg7WNEjjYltwUTdOcOPxL0QFq9foyILZxO9RgR4/IwxPJqTK3keLwnrQR6iPTIy7YZQJnShhrRa2J2Zu+LrVvAYTPQQwZKwv2siB09ZAD9BitinIs7rpUjcVH2vCpR9nl2DchMxD4S4eCd2ceOoVY3kn9pYKNG647+8Kf1tlF7oiRzjwO16rFbtiPiZsnzisM+d0/cMnzGGe3f57dqTs6WIC25ROFMGlmCdiaIhiCoBqTP+DWUxIB1QLZ+vL2GGTdY2k0YwL63wdJtwgD0nTZl6AlM71867GAO6LoDT+7Gg4UymfTV/rn8VRnbF5Fi90QakCWX8/ZDEzs2PR/S18NffsgBG/xolLHnF8ufCC1L7WTl2HXfZe6Aequ+VuYuX+Vm76v/d9nruJVfNuzKBe9I63vLSkLJnC9Bdk6yr1cRcCw6zH+R1wIpH6Py93VENEYdGqpeFxq+ZNjrfvAQNxjpnq6Ry2d+aXKBF+l58GZbSj6uayCMDiXIFAhwuwBNPp1L+8MrojT5RShqf3xJptTgKWoDZDM+bzSqfjfQfYi6+xXTjWHQfMZnAv+C+/Vc5XKz7bOO25W/egeD0iuqy2xKXU+i9cjuc/L84vOWvkeJBkF3t5QQszYWqvCIBrQdtAX4k2o889y/leZzLqlof7OtrdzAh1z6157EiPOLz68iLAjoDzhxfxZ0GA25nOL12RzUoeJ46OuzAFqCPkrs+ldcipyf3idK6vHtB0sRzGGx0kftZBOsyO5no62idb5RtPCiONPlRAkBzCr9NQpgx70HyLlxZ44bwjzroHSYbimqb9Wu2kL2MPoRWnwVmz4WVbVSBpPdKiXJdD3YNEI0fGnAWAfQ8KoW67BP7stO0BOgbEEML4E8/Z7YhW7Iy59/fkZW1BADILtV9nDiUSivt+CEqZU0kI8V7Ks5FUw10nY+haaaeqHnrrKJQiBP6VQtoccMLqOZla14M1YDrUbvD/tqjs0DswpK3uzqaSkY9U1Mc+wcC3xGuP1n8/L7H/5qvEh/UaMAbZH+54Cafzp78C1dgyYvyZlktDaN8JEVZ1LeSa7HoN8z+BHJrYyt8uNL8q+O3Ofkxx/JvxKmtNOXkYqw6HPy34X9n+6L3JBtpnwT3UKpSni0tq5cQcGoEFPKrvJqwB45qSxeG2q9XeGYCLKsFZcWTRML8QRnPBwFaK0y5adt9EFTA+NUIMaIqbFKO81arr3W4T5YUsFLfzBiSBEyU40s3QsjAJHnch6UoxuTF7dvxAByilhguA57wkYju7AWipaP5Z0L6BDD/wRSgdWcRayOYAr3v4y2sH/uWyHsnn1qNxqtmrXbNiG/qpXbmqHNySVR2hljVpErgPoGpj2KF+8rYZpWDIwplrwsylxR17NW8sxBgqYWL3npONizC5dc24YKZ7Rv+d5lxMXBK+7MboyVIzM8FeGqn58S7aS1QYcKMo3qOdjuazdywuhMSU8PzgmfCbefEzpLKGgo+M9PW9/rB6iUBXIZzjvTgA/tdD0mKN3/2kDMVxB4CSsVphY8Z2bDozbnDR+o/Y9CN3MyN+N5x1vn3oBw1ttT11ot4Qn5rxFh9OJlxsUDxOjdqs44ujh5cxF0X0alYw+vaqV3NV6CT+RXlwbRPA73xyf/VKEhjqZ7zJW6bco3m59sDHav56BlPiEvf35FVsj3CqgkVIi4rwCd+qgmbfxHZAUaPFhqiQBqLFFyp1xkm4kPriZ+3UyM3NUcYdvAu9+VLpFxmNUEbCGVUPP1biBuxvVAiyXkZ8IWVFNmPRPdpV4j/ug0l6SRIadHbPnMRytqUxd0+0B9ziDCntglWhSVUzKVbMMImq5GZRpK1h21kjLUWH2MQgafg2Ks0S1EY6ksqS6JVLqigv8Zy+9VuorypwxZDgezSDXTwZN0JyZtsO6QeSH4DJDiiIFvgClZjijYm+0ujM3pZ9lDEJdMVbUAGz0Ao05Uigq81XxHDPbqzbR9oIN86daOHuexo7x9MkePX6WkXSTapk19aqqcl02WU/lAjD+TZQ62O5B/Kpm728IesehWb1VMn177cZfDAxGV7Ua/IRaubbh8ZAna9Mopyn15YJH9ve9hWwNNReamTI8pXUKZ7x0MSTbhmTLdiq2O0WbadF/sx9eHr5VW1QShNliUbxhIqrnyan3VCMu/sxw0oXUt2uqXTS+biko6j5XmEiIwvNPaix4pj6sh3D4xRK2kj4xZWtW7nsGAsVvNoTi8fdYQtuDOulElmAl51xiLZlIfqLuV1I7k5VILB27SXgE2mzm8l3AMTQg3uV3Q807DDDRI5g8Edap1yZe8dJoNnoe4ILtsBdnHHebFibyuuT4ahZv99LGga3cSuRVrT6xxQs/paw4pPKD7faMJN33UhfPcSeNOnk0GS3bpZKpJLYGqgSJ3X4gd/1NfFdQgvzTQHO0oudPtT9FGPq6oIYhEOXJuELkfUjM1oVKwxdAMMm1e2Qyv77zKgWtdZEC1LnJoz3VKUbQN9GVyqBl0pd4r8jAm5I75GH1jBs/lnd6cQ8XmTXLtkGDB5oHY6YaQ2hFE2UCJT6FYm0bkDjuNWFGqsUxV8MLj0BkvmJWtZoMTQmVgwZYBOXJAYAma25ylI3sIa1cPRYC9yM4+l0/e4sVB70D/SneVLg4axp1qYHzGN4ZPXLv1wZyxnipBV86fzRTZgM7FyMtNwUTroipDkCWKdzCbj7UJn7et9L4lqDT57TKkxnLTJgTs+tVw/XaHxqokTa0MTyg4bnW20JyWpe8whan87d0d7cLTCFvka110R1Ekmwo0Z3eVRVHajlDFtoewfiVbdzO8WPL3e0DaEmSpdEiY3UuZmv7xAN1r2tCumv4BLG5HO8Ty14IP2O0k6H7EvKTP2avum+GFDFX/QcwEL9eCdrnFUllCySJ0vIgn0Ao1L9pElQcR6u1BvLNQP0bPlC3Z93dMt8Ku1Sg+4oq/Epytc9+ePXLhAhEIzbWlWI/I5UbkzJuOM/BDIwARi4tTJS1c59ZYO4TOpffXbfqh0rI07v/wUaWiRSjWAOaGx5ktqJxDIWGVWxaMBS5h1Qv1oxJirebTxkJPQgxz9I1H3Wnr/ecvLjpMTZMJu45zgmdrW7mPaWgI7uYXeWT6+lvEuMUKMMewtuGg2eR86SXoCbkEvymNAT2hc8BW3iHTfaZ0i8MAdgvG6+0Mf0/873t9K5QmU61W7rP2r0HX9GbXaD/p8/KCapvaTdcBTu1RCXdKDapDj3WnlCg7tTHXlVI1hIBirrf4jSRUgLZddpHeLBr+5sNbQXz0mgBgElJEYS6JVPI7DTWgJbMv+wHNhmM+OazR2l2Yzl7BnUQ97gX3EbY2/DOgbMXtIijLXtaTU1xwitUmkij53Vy5/97zEqCSUkQUx4x0014w8AUi4JBUM+Kkg+VgJuRyI1N2Bxv0K6vyYHziy/ka44wYXzLqk23KIH4D4ylhojG2PZDhH4Ntwp9w43Yy1EQH/4ZTfPHTcRXo6NqPv2Fxi963ZcqnlD25yfByWJ4iFoQaoxhHf6nbjag9iRv2ll/Ba0JJvVgbzqggJTdXz0mtcSbKcwKWPYkrylTTQ2ov7/jQ+zobTSuwoA2pqcEuXgYbOfheBExVlZNiaitoPyytAcv2qnv+PXgoja+3hxkeJi++marqZngHM2wbJSsuS7UK+bRMSQa1fd5lUowyY0DmrBFiTb40VHjnZ6kqymWQGrK3kFAjT1ff65lKXdpDulMJ33J5BWWoBWoT0alB71QwUNwn33SoTXi5b+PEoCtEVlHXn+zk3RK7CLTo/Xb5UHj9VgfPK7kctuvpgs6gK7472Cm3izWsidj6879f0/4xsaY94yL/He9I/gVX666xhrJhQNrIEcTdbQY0p6KIvKbZHpFLXLJVm3ffx94D6F6YUb8AsCtzUMuBFB7jsLp76BbULLob6tTCSJVhwxY+87etsenKDE9aSDstwhwh3TITo5n7VffvYaUpcfJcEo45d41kAqh2f8JGeBvUQgFh8HbqtrDz5uiDF37NsM/To36xmKqmXHZ9s/sPVigb1Xd4vZZcN+bYnr6+NoIIjHv8jhMgjVyJE7+678k47in1Flx213jHPu9lPj8l772keRoaNxA/bS8U/TrcnsX1au+Afghffs/9fH6KLA0lb52YGHoPtiNyPg3QkzDxh8jJghU3cSN1adY5e9lvR3VDgbZXF/b6saU3vo94ahzrT7qFyfnpjZpsKv/cDZqsQ+ylLDca7YSc+PrM0O9U+A/2a7OIoN7+xg/fBHfctLFd5aay3WPUSAHGc0b5B2WlyJJqTqdiUAXomzJwSWpBRwSBAWmy9kfZ2tC+qupXnjhJ5TSMtr6Qu32+fHF+satDk9Ay1nsUxuqyDxwoeOtayE2kxSNJzqUll3wuKQqLkSNaK52zee2Tgfxyh/Si1d0UdnXE/3SI9O4ynrJSRQ7O+98+Ei6ZaEpw4iwMsnU/n5CnZ9e0qgW8JhfeIeLBovSexP0iGJk7emwTnVObpyWOGTdXTuU+AK87lOL13Jjvw9PwgZurPSFXq/l8DjrfCLs4yz73YwEBB9ROFxrMQonSnR5vq49MGt0KvR/BszCMvQep/PSD1zGedc04zk/jZSS3js4zVdXFkfOucFdC7hWOcfX+PdNMv3PoKIn1qTMcN6PKho1ZaUEtfaCssT7mnbRUGjsPOLne4jcyJY7qckX1w2ToDbvqO+lKw0PkiBhpjfzUCVFK3lHW9lOOK7dOBB3VjlHyu1ZB1fulkLc1kw+11kBN8txgY6ltUinOnT+KcvFgZodbfKquCS9fjL9f7mVtjoGhw+jToPGxvwsOi/jVbd+xzNP3Bof8dDh375DnjEvVpIpx9upIzDz5nXKSNKXTYeCR/Skx4NydGbeOxBshnNwjpmEMjJk1gpy59QlTJRh3JNpmv3HLgssSrhMzQHBjD9M87ylbcGE0xXSLxBQ0xjcrqrnADJ6IB8/H3+WcUGTid+63UcpkhnOopr650ANpxGF18rTL56xBmzoU3XoJM2BZUBE2CfFth6dnI0WG3s01fI9zJ5R45atL8gq+Kv9t9yHl0pASLOUi4mSYqsb2fjdCmhJHz81sPba0y2NDPMYfUgtVLbJl87whJcxoCAGFzpdtDD9kazqteAla0DUWclkVHlfyNHIj3QdodYdfw6ytAve+emO5bbAxI4kStrENhg2b7ntdk0axev4dRlNjmkFWMVVV7j7lOUYnHjrhvWTfWqslL73/rO0iV4EZTYQqFTs80Hh3b9kvXGy0RtbPy4urBtc1Jj09jKxvV88r6/9Q0wP9TgeT97/VNARg4rer5vka555iQrHf+cuLc3I+UKj6aGTrWhuqS/ZjkLCwq6uGnSc1pO/iDwu51XHl3ouIYqrK3BVfg4q7XaUj4EIcLiPq0SJ9twQfMjhC5XnPBRxKh30CbRcP4XNedqGcESdeldpqHJSBJ3j50yl5Hd11k/OZaqd7X3zy3XPaQBQma1wDa/peBJ/6NYVYeWvbhWlf4sYRHCFRr3i57RDpqivpknJBh4EM0rnCCdZXzkDrkUkL/g4d4utPF3cLxkoVGkD5AOyApJBuYPh8MiIReVVMm7JcJ/fP8KpIWgfUg9sYOKzR+V4vVXqImquEXQ52SuwK0xyjIIGbfvaq77lKm5LbrrJu0xctYBQbbLep2PCiZBNe2E+kzxJLzcHl0azyk89n5GmolfjcCKcrT7nAAg7MAzu7rpVx33xGvhs6GuRuFOZKqpXcMoQMsAabWSy3oY9M2mT0CC643bTQk7bK/X0oTXoLc8rW5NOouSb4VNOHKMoPC2+xmEtSUS5nmlawNx2jphqn9ubvk7ClXF7gsuS9Kn1y9KYtYC/rLIIUuUH7wlQBx4hcFtJ237j3sCK/NhJNyXeqBEGecrmcfPuccMWek6n7P3D/RyUVa8PN5Nt4fNGyupgJOpicn1qH2tbwTy4ILoq+LpST63b4lZrtbdRgVVZM/V+nAc+2DYIB7Q5yFKFllVbu7mD2+d3vVAP56BOAv/3287vf33w4+/Zbn3O7pJry0TO5UvoqZcnyjRfs93bBfoRt1AlGZWolItTspO1S0j0HlLnnYp3BhJkpDdJwllKA9FxJGTCu0ntBIvGBVECLFeXD4cT39g5g7/PUQN31SV2ibppppkthp6WxOnXlO9ZrZ3OI9d/SZO9oW/ORz0l6aLHLZjDYQKUJxSabupdQ7+JAzPioo6klNZsj9lBSo92IImTulvfEhfLB/QTv7rhwyAf9/8Nw1Y3K7Cf/PcgRK3s++oDIXiQf5HC0cdx9+Cl1hKStrZ3t2aVPbZfR3mbZYZ/MZ+h2G5zcmyPTbctqfox4GBZ9zSgXjtdtM5eLIDPOT/u1bdiJy5mDFuaRFgbjWYVtznXhVMQD6Dkk8RrTrUP10YmqqkbueqIG2MnDGjfdF7v3cG3/DnGdusPNHKZZ3xe3SyrLf1fxqNkGN0stP0Qy3Bu74cJbyJnG1JxxlSxL9FgWPGK/oloOgw6PHXUjq7pQuYTx5ft3F+Q370fdJKXGEfly1FSCy/94S740oEd6tzZCFhp2O3XmTW7oOUTX5ENbdBZN6+q0dJbwIe0DVanHCDig9UGOo5ug2khw7N5wy/QDGqigusqwWw5sBvcCrRMWIHdAmzLZVNotmGm7XW2BLqnd1QrvC3cKki0qqlOVlXRw1zUdjC++d/SJskE6VRKYxSL5WWAwS1tA1QGezbHVUgawavpHBqg1TT4Jw3ecSn68MOhe8NQPTujcVoFTPZMjLQvKcDBK+vITB9vIhMZ7D/B0Xi9/ktd2kfx9Z7JgVhelSdp3vQfdQT4s8nQLwEtBk0sMWYCcc5mwKHIIOkdutCxmhVlxy5LLD1nMhFoZWqXPXenDlnaZD3qGqAuTBZc5xQmXNehquk6W8D6AXbOrPMCXVOQ4K7wuaq2sKtKHpBD68qcCPY7pYYtsd1OoeVHmYLYDnD7/jcmioteFtancBtuA3YkWkOFRqLjMhDSX+ZCuhSnEVBSpw6JbsL/PCDx5Z/Ae7NS9EPuwU1f19mH/nBH2q4yw/yUj7P+REfZf88C2qhZ0CjlESgc9vXkmi6oRqHxP1xneyRZ4fZVBL6kawedVnUf7dlomFfPUSUgBMs+hlBj4wtL7RmRhfEJihh00muWxJh3gPNakWZumzjCLlMmurDqLqWqVdaYHXGcQIVZZZ5jlgo1mTRbgjeTXkkplgGU4hMtXjiuZHoXlK1XbBdAyg1tNVXXBRAYftgOcIUiCcPV0bdO7RR1kkwVy3RQZYhpMc8sZFRkKiExB5yDZOmHWVR+2pGL9J5TTHHgvC2wDmgWybweTB2ufWJsF+nReL1/l8UGbYsrtX7M0GmOmSDsrbgewVslFtclyzREqMJ2+ys14H3+yWVs9wGAX3s+f3jnigaPalwW47yafroNcD/aMC8hhw5hilmMT+SxlcfY24By6gSl4jUmKRRZRx+vlT6Wx9aCZfyLYRrMssAWfQQ4zxqCjuYKSJysY3YbNZZ5TUqmyEWCYysHtAJzPM8gmVZsVtUln/vegxzLIkwDWMOfGapreE7KBnUHj01DnYrXOxmuDnch1JvnqM/P9Ec8A3WqgVQZF0pcC5UI7n3K9WihuCj9hNj30NdU0ywEvRwphU0Be+vn2qeFyY6lMPue4NHba6FTDAluo4GcF5YDaJMc1vR7d1iSnBouTG2bph10f2mlgH8w5LcvUd4CXqcOqbeugDG8RrwqmlaqydCVygDOYabwq8iRHho5HOdhcXyVvz1Sb9C1LeW1qzRMDFdRy2yTPPhNcQroWOxuoJulEnQ4uFt+md2sJ5bueFjOhkj/nHfAMKf/O5k0udRzQDBLH2dAZUE2emyDUPMvRlfMsF7hWOrUAq6bNPMc1q7hhOcRCZbIc2BxzICRYbK6UHG5yGe4bQKfO+PNQU6fjydUqtQWSpaJM+QHQyS1RlV4zUprPi8g8rnvDXUnQ6d+suvBDeZODTTqZegPWj3jNcsgyFG6GmTiphUEAm1oa1IV3JCVHlxrjPizYIlWd/wA0XNc8eSCgBl3NNZV20HM3BeRVFsDpn17fiezTp50poAkAazUvqKkTDgzog9Y0NVQNVOTQ7zQw5IPvOpoJeHomO8hpW7j2ICtdZsA4vSPTZPANG+8bzpAPYCB1IoAfeJzBODHwJf0BiDVoTQY1gyll+DyD4DV1ai+b0SzHPdCsTK5IG81iXXETALbpRmz1YTYmeVfNJZOpCyWi02LvC9Q36UxNvp3b9MfKA00f0etmeqaGu66Td2ttymmWPPRGiwxvYWNAFyVPXfWeZWxFGxnKwQbLjKVVam/wsuDSWDrLoBksubY51PBlLTO0brJKNzKlmzXWFi3SUfRNYxX50EgyWLrLHsk4LO8zFbwkJxpKbskJ1WXoZmiw/XscHT85KyOXxiaEIhgcok+wvwFTgsRKdbp8CC7zce6sqoVaw2Cw4I38m6kmWVPvW54xx0PvM8J5ZxrmcE0quttoYROLlfNmdxhIdiQFNzicoV09bD02UCKmqWulLRk2HiVktaCWcEtqDbOxo3CPtNy7DKGIMT5YHR0KhMvQ2X2kL7TgMvdE/h6qbrU+noZYNQe7AD3ZfN8sVDN40QiRsATdjSOyitRUGyDvwFKcCO7vKu1Y8PStmpsXF77s9Rk5DSO+nhO7iEwpwmbAHyCMPka0JXkP9nduJZj4Pg8PdRbmzXBkd3eLcHFPrAGq2WLCJY/ihzN3j9Bfe0d84iwMTIZ4IWgjcdbvvME5rm0T93gD951+7Xtoyt+Ou6Opa8Id5hePGPtuI4qENU2367yKy5KPcG3xVoy5C44xjXpEIG0G173HCdVSjEy8xO65GceBY/9cA5Zo+NKAsXuadh+erXz3XvleZcCxPH5VL7F3PVJd3um2O2UfTh4jjI1t/R07tJvXUcpTzv6/eb6hW+z8tBUKuHb8bKDVkC6J945H2D0uU2qA+HTtDhsyuFXdLoVfPAy+shsF32GutG9fH2UjIdQQA4Djzuj+eVWaSkPZEcb7DjpM+6Ulqr2bQ8MajRPQ9iFdg664VzeOhfRmST+Ygy+5gDkQAUsQhBrD59Jv3GZef/zoY0vmB5TfuP6ekz59kEnPDrNG8i8N7I5JpPHL18P3sI6Jh01BaTUaXvoLyZSUgLkVZMXtYkxQEBKpDOk0dg0HlRfd2bRw7ER50j1RQs05o4I4DEZMH8TiYbHDpUbGND4c7+rF2sTR66WzrdROVmvqB54KTk2xUNltAm/EdeYazlLZDDVyUrE/gifeD4D4S+OwxTctDGJhAqievBFGOUN8676dYrCc/Bp+MSFv5Lr71wC6RVveSEtoOWGqqhsLOi6Gs7jxHWH5zLNvdvcCZyxubQi3/2xefv/DX53te9rbjpZj30TRDue0SBsxu63jhq5Bk3/pfHLmRUADkYvf+tT1P/nPvNzgvHXq9+7HgcnLN8m2J7sDU9w6E/L+t49njnbQ4J0n6C8tuWEaairZ2mmVQT0Tu7kgBDn0nHx895qcS/vjy+fk/P3p2X++Jp/OpX31E3m6WqyJBG4XoAlbKBNGpSmtgVn81g+v/td/e/YkyhGwi4wybpcfKFMnFY2P4zGZT98dr/mlP4vnLVLxK14+LqT7sukGzA9sGHfrBz6G745iurFOPnNtGyrI2zfvo8j+qSTk82UddjL+j5IwifPWofvViFAk5GbhiVvwGN/gPfswpxZW9AFGpOPpviBvylKjn9af8hg63dPLqvrQOOd9YyHnJ+8u/Ks0Gh6rqDli9GPLqeQ11fB2k/MLh8qI98vx8MBJEEl46NYe52GriRV+utZxBUQPXVqW3H2Zik3AtjfLP/7OHfEAOJMQL7gKN/x0+wgMUNnkWmfR6277pFHyPmB4obTtRPJA6JYYYMMN4HZ9s+Q1R+a9p4fLefuYtGS9G2O8hJjdeCwvbsAOLV9qjGLcqZzebzTQcYiTy5rKOUw604kpOePzRkNJpmuECbLErKG4nKkPbD0wKBod0Zaji84y9DsQCXX/fglXcgeAhkpZKEJmd/o8o/SsLaUpaOFT8TOArq3OA3yW4UjMMlQLixzXIVf/kzoDU2lZtJ64fGr5rgXv6JjsrtZ3JjyABntmF6AlWPJxXcNz8ql9xt6iA+xHctE6wAYvwW9jmlo7qucIysSIadwiHfzizwkVIqpM1JsvYoIb1ZiYtwTt3kAurSLG4mPOJfl0PipQGCbIZpNXyUW2A6rqDGPfHGANJnVGrwObocTFv4ipU9HR354BWz9aoRAg58knRSLOTvnIqIWOaKBe5aGiF4CRhGE6wYxQ8ovSK6rL4ZxuQt7MMdlLE+pu/DXm0k3BrgBkXPVM3DXxrjFuZanoh+o8MgRbxmNmxIBCLkOeK6YlVNw6sRRGbMRJXAoqjxHHv4WDsk0Q6bkoBwRuuyw3kZSls2DnaMBuvzypI5XAsAvBMl0/uNtF7Km2nDWCaoL9okmLxNOz69dv1VzNZvHp78AKu4Ds27uF7Ee3oL+NPbzPHN4O3TeNXYC0IVl8FG3TpOyccLuEHr/kOOqfDOhRhFVjmToup8OS4whfNoyBMSM4Y+fxw5qjHZZ4gngRp+LOlV6TSGHCALdjCKctHGEHRyeVMMBnaiXdu+LkVkw57H5IBorSNlXLdP3oRt5NSnzXUqwZEBzKjp7gh9nRh7kkhtsmIj8JFhdAENEB6oIaQktVu9fFLoBrolZys2WecZZeK6mqkbxanMlhuG9Rf1wlwin3XJZO/ihtOgZQ8gsXQN4ExCYDNtzG2Ss7wvydHE0Y7+h/kHSFURZchqyFtFyI0RhhRMp693swwufrXYZ6jdScGE8Inaqc1QMR4qewoEuuGtQumapqrSo+kqEIx0buTNKpwCKyGTnZjxuXy07sZERyF8MtrZNEEdjCMOlwmQMQjKzf4Zd7d3uv7Oa+jR67TZllI+1uOVtqjb7EMvCCHWLW30oLwvd4DhI0Zy1JyBBM9NtNLeB2gU9tbLYbCchO2A8TY/V48LOl6ZC2Ww9G08v9NAX1wq+Vka6oadoZ4ZZXYJxc99qehhpGg0hhF5I1hbhxI7Dx4D23Qd/yaB3Su/vBjtaPt6Pph8IkG3J6a9KCw/gmCge0IcUbgXALYfD1UvfyRur0UffOX7QktOmbdy5ZL9XjCJAb5HgnQL7e4/jjzVuWarTBcbbsdvJRH1WCpLxjt5AfRz2OKWkbHMZOqccStB0/dfLKncYuigrsQj1AlIRueZKJRyN8bXTDsZeSVlm9TnuiOh+UCP5ah8iec5nJE/Kfk5+//548fXv65uIZOeXGcjlvuFlAiaXwUVyEmqvsfYH2RcIwW3bm8QjbjF8cyRjTKrNXcV/9p9vVGAbdjUGPfLKhz3e5LgzT/ru6357jD3GKxUypjLVJ32SKUZGqO90OIR9oyRvjVyBKE8MrLqj24smJTXeHGL7r8fIqvOeGl8fsNNLPlP/kDkLrRdzpi7m55PnqLN7IfXcdwxqh0rDn/w1OIvxkcBaC4wZ6ZRll3JWpdM7EgEHIBlmt9JxK/ueerGqZ7yjcltkHcLp/pkbYPeM6WkuaqevPL245fC18iy/fu2grq/lXoMIuGNVAag2lqrik0YK7nni6oJaDtObG9HhBj0ntW/qgxPrWj1BnOrju6jxxgqum2mIzpA2p+8XqEZsdBWFzG4k6gxI0tVAWyZLK9pwPJ3x+aVfsgmcXWi152TUPC9+jdS2Cpjo4GKH5j3vWtnXauIKzIZKXR6KyWzL0+rPrETKjw0Mxc3LJffR8sau4j7SA65TOlEPB76p5wjXqTL0f9Sqh5xFCvY6KGis1xFilvcR30CqwFFd7gt+auG89iVNf8bIUcDwp9w7Xu62ci2xvT+4dJOfa8RjHIfcirNbrMCTXbXT2OakFdVvm3melCUim1/WYlx9TIY9gT94ig053tuWvyljyjrIFlyMmXUkzSY5vdnn9SWKmf63BiQ+nH/kmZ2ZC3pa0Jp/xH14/KpX0daf/HD6eZEGX4DQnAVSTLw3oNcEehKZW0kCrUcWLUx29Bf7mOPIy9MBjDrLmbRdI6cn3ffnG8WxJOgKqmwP0ITRHvS2mOOUpr8Ns94y3raW3mhg52zA8vNwQ3UgZtWPN8+7l8ZFn30ZqpMYuQCyChZl/IyhZcVmqlSGmBsZnnLlPnsfqBEOe7PCCOPI8vpucG/IUO8KCZJtnCEOXz3rcIo3Ed/wtzClbk09mu/FtF4Gtdgtpk2fXuhWOYLCPvPZ9UwtRwVo1PGTuRRxwvOsDEKn+36o0xXKeIfu2yc6vUI915/XqdYRipDB60MJvDiD2OHm9Y6SGDN/gem9l3RmSPt4FdEjNcRx2XcBge282CZl+GwY7FG9IcXPxM5YNpBwJOFrhhiSXMOMy+OpROGFXv4rWI00HEbuDCsUy4bZxwOyof6kFY+ezzU176KU00puy82FbS9miOnIL/M2qyHAysI7625FlyMuUy3QTxJLeDUcyFhXmfTwjQqpftoPb4ttob8r7I1M7B1jnfftuwLqmuj1T7s/PN6SsFnzQSp242+FsWZ/8fivybPKZJb6thdLrfBv+N1NT+W83doxpEdnuot6q57GnybHlby8Q+g20PZhKNKCq7be+n6rRU1CAtFrVh4iOUjXTgXPhVmc8rOmsbbihHAFx9NUdx72HJ6qqqVx39xGvHY7T9/bKErR7hgouZyquFFBzlbtG6Ab5sWNFtpitIG9X9NmXXDkCvzRCrMl/NFTwGYeSnGLds3cORlFZwbRgSl3xBwq6/w5T4tff2M9UjGnzybvNbsLhdWNR5T5whOnNd/1Dt0SYshPc0d4nPyEf17UnfeM5cMzxOzi+eRpmRdJmsjtoOxy8I0I/MbG2tbvIHMNV1ymX29h5z2KtdOvtxxDzh7cjW97rlZP4OLW8qPPOIdrDCrfyjZ77Fk2tVCZNZBspt47bD1JTG3dNMllQkzLa3wOsQzl9YsiNFgm3uQc14a50xmjR6FTekB5MA7qg83Q25QZ08udpG3TS9Mdt0OHUZxAscG1BomqV3jhx8JOd5k7RW2jYSZVJrVH5JY5RS7glcz/isqhevQj/fRJQeBH+I+Q1xdz+VICOZ+cFch4weu6J6QfP0ePaG7U2IKcMA9GcScXlDLQeibsO6T4KXX3F/0bWR92zR0Cy7Us8621D5EphWFtlvVKRJY52/M583N4du4+YQaz7f/oHDBO0xgd+8noB+jj+CKezh4ynpyc4+vEZOcH146iBtkdqljLC5xPQYfgnbGVh7mnOC1lDxz1G9jbcLfrE9DpF791p/uehXsm7t0aJ7za55H/GvTX8KpNMOf/HGZEwV5b7DawX1IxMgDLs2G2FelvpFx8fLui2OtsEqEGCy84Zaxunt/U38YQUw+fHqKjY7m/UTT38ODpo2UkTbkyTXOlEyJgslc9bd78YCmIIWmf1gQ42pS89z9zi5BKD0/uk01EyJLrO4CGK/PQSUzv3P0Y96XkYkneXnntwHBehxohimfNF3w2pBkd2FJmycEePNsnbNJpcgPkVBIs6U3ODbzbjSvoPEsrWn4jBeJ3S5PzyzT/eXZAL906R3+TI9JUNtpkqqQ/B9uNKxbFFMcQWwK7MQU7k2wnhvD3IYkPnun6dXYswTAMNIwg3UnCPlguaD5pCPoCS6/HouoKMGg2Is6W2OdqEzz6WSyp46Q9iBIldQXi0rtb7BCFy7ArWZldsJzr5bQJpYtgLa2tTcJxBmwU0bmUOhjD6CG4Tn8u28kVpbtc33Cimqiprn7hb4u3xCA6heAn+imsQu5ZmahfLSlBZGPNQA2/dyl6G/x6obWu0otj6UuOiVvwYadUxhD0GBDFApOLWALKVLaiUg8YZudtNhVURkZGY7ZHaNncPS5h5+PvbN+/Du/diZ/nuQbFK7/r+k/ds4+aqWCrR5GLAm3aOswxzbrrJ2O0430Zya8hTj4R5ht06sLC3nai7A54g0lFqRJNJmr0NuH6S3IZ0gcl20cESNGYKzBpBmJIMausM5Uu/hyPtFVarnNLXM94Z7O0IbYdorbQlyvH3139/E0vBjbI99blTen78BMvdAoMtF+uU+mYn0UYxfz/77eL8gryj1xWXZTfWO76tjrajp2FuDVEcISuQMaBuH1md+hQvWUyenu2rHIvZ8Qo2H7oIvyU5u9qx5SwLUvn8NHTpDVjsxVAcb1MeuFdAS3H1X75uuCvMkeVQk0x9u9Ff4kzoB8puDOOq0YrvgrqVL+59TkwTSVGnhvzNWK3k/N+mgrIrwY2F8m8vwt+ed59yOQMW/2jGNayoiCoydCp6vyFUlsQoMnIsNcy5sXrtLPtjCoua2kVo1t/hQHZxGCCJTqljoekLoX29FlO614W80yc7zEFavf7L/w0AAP//gcy74w==" + return "eJzsfV1zGzmS4Pv8Clw/nO0JNz3t/tgb3+xeaCX3tm5tt9ayuzcuJqICRCVJjFBAGUCRYv/6CyRQxSILRUoUQMl754duWyITmQkgkd/5LbmB9RtScaaVUTP7J0IstwLekPe9H5VgmOa15Uq+If/yJ0LI5tfkvSobAX8iZMZBlOYN/tr9+ZZIWkEP+KSEGcgSdEFt3X2MELuu4Q2Za9X0f6pBADXwhkzB0t7PS5jRRtgCl3tDZlQY2Pr1ANf2j8eUzJQmXM7BWC7nPUIuAnbk7NPVpPfFXbr6tAlq7Oe6pBY+8Qq2PtLS5X6584s9OLo/nxaA3yJUlsTyCshzLsnnT+cviF0AoQK0JStqcHXS4PLlBuMoohqMEksos6LJJVktOFsgmsZS2xiiZjtIswWVcyiJVeTZx4DVswPYc8l4CdJellHcb2C9Unr3d3dA/zLAJZcXLaJnDtGD6Czd6ZlTBzs9Tj3gDjENwm2wY9hRCF7b4dY+EEfWaO3Y5vYYWs5tIX4AQWoMn0soP6l0iP26kqC3ztsBJPwJTYfAdQ2MzzgYxKDPo517MCFXyhg+FUCWVDRgCNXwhjz7LG+kWslnL8mzD7By/7uUV1rNNRjzDK/ZnW8ME47FM85wN5LT6MHel6ifnay+UoZbvgT3g0+62fz7AEUlWNAVl3kICpu2tcidyPug7NmSckGnAkk6q63733sqVlTjT66BNZrb9RVoo6QE0f/hJ/8MuR99lisqLZTXambb7/5qF6APccYuNFD7M624WH+gI/L9yLvuIJMZgj70wkwp+zf3hqdF4bMB7XWDXUGI27IfJ1g68c5gUqqKcpkWswuEiSs9BDVen5Wlu+FRzHh9P6Qurwj14NwjgKLCPcv3RYrS0jE+5du2eWIbt6UPwo4x1Uib/qDhXqbCEqR1F3xdJ3583dcdku1Cd0TH0XOlnSZVU5GWdR1Yck8GtkhKsCulbyZcWtAzymAitxFUS9Arza2TdrqBgfEwRPt4M+FDj4aAGOkQI6sFaMDfWU1nM87IghoyBZBETQ3oZV8V72SjofcgZtcSOkDK0D7ZqIHWnWmxRd746mPr7zeBKjPfORD7VrjHOfu04MZ9jnDjzhIKV0Zr2wT+a7oiFRhD5+7f1BKmKnBizwvhwSl9p+bkApgqQccJ8bD4LlLHkrO5gSBt4UhLDDggnJn7geVBqVXSgrSoznJpLJW2RcPEdZOhvXkXBA9Zo4gd9zih6UltMD0pMWCM094W3BpCyQewv3Mr3YsYdn8SEauBWLNQjSiJhCVoMoXu3NVUGyDvwVKHGiUzrareUs/fqbl5dUXZDVjzYqgpcA3MivVLYgPelHwELyz8CZc9NCdxTwMsQRzBSaHk7v3c4uQF1BoYKi8OkxJmXEJJlBSIlnV6LaloHceqMvMi2YXZs8fvwz2/vPjOq9/+xqPxvtHe4ZYyS4Sa+/3Sg41A6jjq9v604OfcdtRUW84aQTV+P2zsZPRkDEAfdVJiJ2MAefykjG7J8rR78vr/78n+PXGr5tmQh11fNf1HgYTsbsuTwW5JjxF62VHTYFSjWaa39+Fsy3X/H4YZugsrkPYpIkebktsC/WZPET2QVq+fImILp1M9RcS4PA6xvBpTKzme7kkrgR4jPfKybQZQprShRvSamJ3Z+2DrFnDYDPSQgZLwMCtiRw8ZQD9gRYxzUQ59PyfgYt8zFGWfZ9eAzETsIxEO3pt97BRqdSP5lwY2arTu6A8/Wm8btedKMvc4UKueumU7Im6WPK847HP3fCsu1h7Id2pO3i5BWnKNwpk0mAhASa0hCKoB6TN+CyUxYB2QrS9vr2HGDZZ2EwawH2ywdJswAH2vTRl6AtP7l447mAO67sGT+/FgoUwmfbV/Ln9RxvZFpNg9kQZkyeW8/aWJHZueD+nr4e8gwnUX7u4Pi/UZe3m1/KELiY1d913mDqi36mtl7vKn3Oz96f9d9tphcC+DbNiVC96R1veWlYSSOV+C7JxkX68i4Fh0nP8irwVSPkXl7+uIaIw6NFS9LjR8ybDX/eAhbjDSPV0jl9/6pckVXqSXwZttKfm0roEwOpQgUyDA7QI0+Xwp7Xc/EaXJz0JR+/1rMqUGT1EbIJvxeaOHWUpDuo9Rd79iujEMms/4TOBfcN+eq1xutn3WcbvyV+9gUHpFdZlNqetJtB7ZfU5eXv22pe9RzM3a3VJCzNpYqMIjGtB20BbgT6rxzHP/VprPuaSi/c62tnKAD7n0rz2JEZdXv/0UYUFAf8CJh7Ogw2jI5RSvz+agDhXHY1+fBdAS9Eli17/gUuTy4iFRUo9vP1iKYI6LlT5pJ5tgRXY/G20VrcuNooUXxZku50oIYFbpr1EAO+49Qs6NO3PcEOZZ59P9thTVd2pXbSF7GP0ELb6KTZ+Kqlopg8lulZJkuh5sGiEavjRgrANoeFWLddgn92EsfwLKFsTwEsjzvxC70A15/eOPL7A8xwDIbpU9nHgSyusdOGFqJQ3kYwX7ak4F5kx3PoWmmoZqGV6FR2gXAnlOp2oJPWb4JN7hKx/Em7EaaDV6f9hXc2wemVVQ8mZXT0vBqG9immPnWOAzwu3fm9d/+e6vxov0VzUK0Bbpvw+o+buzB9/RNWjymryVjNamET6y4kzKe8n1GPQHBj8iuZWxVb5/Tf7ZkfuSfP89+WfClMZyDtwmv+hL8t+F/Z/ug9yQbaZ8E91CqUp4srauXEHBqBBTym7yasAeOaksXhtqvV3hmAiyrBWXtq2ciSKKh6MArVWm/LSNPmhqYJwKxBgxNVZpp1nLtdc63C+WVPDSH4wYUoTMVCNL98IIQOS5nAfl6GDy4vaNGEBOEQsM12FP2GhkF9ZC0fKpvHMBHWL4H0AqsJqziNURTOH+h9EW9s99K4Tds0/tRqNVs3bbJuQXtXJbM7Q5uSRKO2PMKnIDUB9g2pN48b4SpmnFwJhiycuizBV1fdtKnjlI0NTiJS8dB3t24ZJr21DhjPYt37uMuDh4xZ3Z7WsUHTM8FeGqYwF3rcGgQwWZRvUcbPexg5wwOlPS06NzwmfC7eeEzhIKGgr+TXniR6iUBXIdzjvTgA/tdD0mKN2fNhDzFQRewkqFqQXPmdnwpM15wwdq/5PQzZzMzXje8da5NyCc9fbUtVZLeEL+a0QYvXiZcfEIMXq3qjOOrs7ProLuy6h07OFVrfSuxkvwifzq0iCap+H++OyfKjTE0XSPuVK3Tflm85WNwe71HLTMJ+T1jz+RFfK9AioJFSLuKwjdINSMbPxHZAUaPFhqiQBqLFFyp1xkm4mPriZ+3UyM3NUcYdvAu9+VLpFxmNUEbCGVUPP1biBuxvVAiyXkR8IWVFNmPRPdpV4j/ug0l6SRIadHbPnMRytqUxd0+0B9ziDCntglWhSVUzKVbMMImq5GZRpK1h21kjLUWH2MQgafg2Ks0S1EY6ksqS6JVLqigv8Ry+9VuorypwxZDkezSDXTwZN0LyZtsO6QeSX4DEITrojTkSlZjijYm+0ujM3pZ9lDEJdMVbUAGz0Ao05Uigq81XxHDPbqzbR9pIN87daOHuexo7x9MkePX6WkXSTapk19aqqcl02WU/lIjH/bdqNLy3YH8g8lc3db2CMW3eqtiunTawfN/AYiKtuNPiMWbm24fGQJ2vTKKcp9eWCR/X3oYVsDTUXmpkyPKV1Cme8dDEk24Zky3YqtjtFm2nQf7MfXh6+VVtUEoTZYlG8YSKq58mp91QjLv7UcNKF1Ldrql00vm4pKOo+V5hIiMLzT2oseKY+rIdw+M0StpI+MWVrVu57BgLFbzaE4vH3WELbgzrpRJZgJed8Yi2ZSH6i7ldSO5OVSC0du0l4BNps5vJdwCk0IN7ld0PNOwww0SOYPBHWqdcmXvHSaDZ6HuCC7bgXZpx3mxYm8rbk+GYWb/fSxoFt3ErkVa0+scULP6WsOqZ0mkiTiG0246aMunJdOGnfybDJYsksnU01qCVQNFLmHQuz4n/qqoAb5pYHmZEfJnW5/ijbycUUNQSTKkXODyH2XmqkJlYIthmaQafPKZnh951UOXOsiA6p1kUN7rlOKom2gr5NDzaAr9V6RxzEhd8zH6BszeC7v9eYcKzYPybVjggWbB2KnG0JqRxBlkVa7D1esTSNyh51GrCjVWKYqeOVx6IwXzMpWs8EJoTKwYMuAHDkgsATNbc7SkT2EtauHIsBeZGefyydv8eKgd6B/pbtKF2xjSo0PwM74xvCJa7c+mDPWUyXoyvmzmSIb0LkYebkpmGhdVGUIskTxDmbzqTbht20rvW8JKk1+vQ6psdy0CQG7fjVcv92hsSpJU2ND79ORhfqgw0qWm4b03d0d7cLTCFvka110T1Ekmwo0Z/eVRVHaTlDFtoewfiVbdzO8WPL3e0DaEmSJIzkOyi01/ccjdK9pQ7tq+g9gcTvaIZa/FnzA7tAIeg9iXtLn7FX3zfBChqr/IGaCl2tBu9xiqSyhZBE6XsQTaIWaF22iyqMI9fYg3luon6Jnypbsw6b7vms1io+44q8EZ+vct2ePXLhCBEJzbdmfJtBHUzciZ950nIEfGwFk0BG9E6dKWrjNrbF2CF1K76/b9EOlZWncf/BRpaJFKNYA5sDj7EfvFBJWuWXBWOASVr1QPyoh1mo+bSz0JMQwRz9MDXLaev/5i4sOU9Nkwm4zToVna1u5j2loCO7mF3lk+vpbxLjFCjDHsLbhoNnkfOkl6Am5Buj69E/oHLCVd8h0nynd4jCA3YIJk2B8n3///V7fCqXJVKsVzgAIPw26pje7RvtJX5ZXVNvUbroOcGqPSrhTalAdeqo7pUTZqY25rpSqIQQUc73FZzKMCGuzi/Rm0fAzH94K4qPXBACTkCIKc0mkkt9qqAEtmX3ZDyYyIitvH/3YAC2vx73iPsLWhn8GlK24XQRl2ct6coELTrHaRBIlv50r9/c9LwEqKUVEccxIN+0FA18hAg5JNSM4KIWDmXTTpXwQM4r5kU1d74DxuS/na4wzYnzJqE+2KYP4DYynhInG2PZAhn8Mtgm/wo3byVATHfwbTvHF346rQCfXfvwNi1v0vi1TPqXs2SHDy2F5gVgQaoxiHP2lbjei9iRu2Dt+A28IJfVibTijgpTc3LwktcaZKC8JWPYsrihTTY+pvbznQ+/rbDStwII2pKYGu3gZbOTgexEwVVVOiqmtoP2wtAYs26vu+ffgsTS+3h5meJi8+GaqqpvhHcywbZSsuCzVKuTTMiUZ1PZll0kxyowBmbNGiDX50lDhnZ9lb5oY0t0uJNTI09X3eqZSl/aQ7lTCd1zeQBlqgdpEdGrQOxUMFPebbzrUJrzct3Fi0BUiq6jrT3byboldBFr0fr1+LLx+rYPnlVwP2/V0QWc/pDDTaIQRF2tYE7H153+/pv19Yk17xkX+O96R/DOu1l1jDWXDgLSRI4i72wxoTkUReU2zPSLXuGSrNu++j70H0L0wo34BYDfmqJYDKTzGYXX30C2oWXQ3FOfnDd+Hhi185m9bY9OVGZ63kHZahDlCumUmRjP3re7fw0pT4uS5JBxz7hrJBFDtfoSN8DaohQLC4O3UbWHn4eiDF37NsM/Tk36xmKqmvcmo/QcrlI3qe7xeS64bc2pPX18bQQTGPX6nCZBGrsS5X933ZBz3lHoLLrtrvGOf9zJfXpAPXtI83xl56ot+HW4v4nq1d0A/hi+/536+vECWhpK3TkwMvQfbETmfBuhJmPhD5GTBipu4kbo065y97LejuqFA26sLe/3Y0hvfJzw1jvXn3cLk8uKgJpvKP3dAk3WIvZblRqOdkHNfnxn6nQr/i/3aLCKotz/x3TfBHTdtbFe5qWz3GDVSgPGcUf5BWSmypJrTqRhUAfqmDFySWtARQWBAmqz9UbY2tK+q+pUnTlI5DaOtL+Run69fXV7t6tAktIz1HoWxuuwjBwreuRZyE2nxSJJLack1n0uKwmLkiNZK52xe+2wgv9whvWp1N4VdHfGvDpHeXcZTVqrIwfnw6yfCJRNNCU6chUG27usT8vztLa1qAW9wdK/TcxEsSu9J3C+CkbmTxzbRObV5WuKYcXPjVO4j8LpHKV7PjfkhPA0fubnZE3K1ms/noPONsIuz7Ld+LCDggNrpQoNZKFG60+Nt9ZFJo1uh9xN4Foax9yCVn3/0OsaLrhnH5UW8jOTO0Xmmqro4cd4V7krIvcIxrt6/Z5rptw4dJbE+dYbjZlTZsDErLailj5Q11se8k5ZKY+cBJ9db/EamxFFdrqh+nAy9YVd9J11peIgcESOtkZ87IUrJe8rafspx5daJoJPaMUp+2yqoer8U8rZm8qHWGqhJnhtsLLVNKsW580dRLh7N7HCLT9Ut4eWr8ffLvazNKTB0GH0eND72d8FhEb+67TuWefre4JBfDOfuHfOccamaVDHOXh2JmSe/U06SpnQ6DDyyPyQGnLsz49aROBPCyT1iGsbAmFkjyFu3PmGqBOOORNvsN25ZcFnCbWIGCG7scZrnA2ULLoymmG6RmILG+GZFNReYwRPx4Pn4u5wTikz81n03SpnMcA7V1DcXeiSNOKxOnnf5nDVoU4eiWy9hBiwLKsImIb7t8PRipMjQu7mG73HuhBKvfHVJXsFX5T/tfkm5NKQES7mIOBmmqrG9742QpsTJczNbjy3t8tgQj/GH1EJVi2zZPGekhBkNIaDQ+bKN4YdsTacVL0ELusZCLqvC40qeR26k+wVa3eHbMGurwL2v3lhuG2zMSKKEbWyDYcOmh17XpFGsnn+H0dSYZpBVTFWVu095jtG5h054L9m31mrJS+8/a7vIVWBGE6FKxY4PNN7fW/YzFxutkfXz8uKqwW2NSU+PI+vb1fPK+n+o6ZF+p6PJ+99qGgIw8dtV83yNcy8wodjv/PXVJbkcKFR9NLJ1rQ3VJfsxSFjY1VXDzpMa0vfxh4Xc6rhy70VEMVVl7oqvQcXdrtIRcCEOlxH1aJG+W4IPGZyg8rznAg6lwz6BtouH8Dkvu1DOiBOvSm01DsrAE7z86ZS8ju66yflMtdO9rz777jltIAqTNW6BNX0vgk/9mkKsvLXtwrQvceMEjpCoV7zcdoh01ZV0Sbmgw0AG6VzhBOsrZ6D1yKQFf4eO8fWni7sFY6UKDaB8AHZAUkg3MHw+GZGIvCqmTVmuk/tneFUkrQPqwW0MHNfofK+XKj1EzVXCLgc7JXaFaU5RkMBNP3vV91ylTcltV1m36YsWMIoNtttUbHhRsgkv7CfSZ4ml5uDyZFb5+W9vyfNQK/FbI5yuPOUCCzgwD+ztba2M++QL8u3Q0SB3ozA3Uq3kliFkgDXYzGK5DX1k0iajJ3DB7aaFnrdV7h9CadI7mFO2Jp9HzTXBp5o+RlF+WHiLxVySinI507SCvekYNdU4tTd/n4Qt5fIKlyUfVOmTozdtAXtZZxGkyAHtC1MFHCNyWUjbfeM+wIr80kg0Jd+rEgR5zuVy8ueXhCv2kkzdf8D9h0oq1oabyZ/j8UXL6mIm6GByfmodalvDP78iuCj6ulBOrtvhV2q2t1GDVVkx9T+dBjzbNggGtDvIUYSWVVq5u4PZb+9/pxrIJ58A/Oc///b+97OPb//8Z59zu6Sa8tEzuVL6JmXJ8sEL9nu7YD/CNuoEozK1EhFqdtJ2KemeA8rcc7HOYMLMlAZpOEspQHqupAwYV+m9IJH4QCqgxYry4XDiB3sHsPd5aqDu+qQuUTfNNNOlsNPSWJ268h3rtbM5xPpvabJ3tK35yOckPbbYZTMYbKDShGKTTd1LqHdxIGZ81NHUkprNEXssqdFuRBEyd8t74kL56H6C93dcOOSD/v9xuOpGZfaT/x7liJU9H31AZC+Sj3I42jjuPvyUOkHS1tbO9uzS57bLaG+z7LBP5gt0uw1O7uHIdNuymp8iHoZFXzPKheN128zlKsiMy4t+bRt24nLmoIV5pIXBeFZhm3NdOBXxCHqOSbzGdOtQfXSuqqqRu56oAXbyuMZND8XuA9zaf4O4Tt3hZo7TrB+K2zWV5b+qeNRsg5ullh8jGR6M3XDhLeRMY2rOuEqWJXoqCx6xX1Eth0GHp466kVVdqFzC+PrD+yvyq/ejbpJS44h8OWkqwfV/vCNfGtAjvVsbIQsNu5068yY39Byia/KxLTqLpnV1WjpL+JD2garUYwQc0Poox9EhqDYSHHsw3DL9gAYqqK4y7JYDm8G9QOuEBcgd0KZMNpV2C2babldboEtqd7XCh8KdgmSLiupUZSUd3HVNB+OLHxx9omyQTpUEZrFIfhYYzNIWUHWAZ3NstZQBrJr+IwPUmiafhOE7TiU/Xhh0L3jqByd0bqvAqZ7JkZYFZTgYJX35iYNtZELjvQd4Oq+XP8hbu0j+vjNZMKuL0iTtu96D7iAfF3m6A+CloMklhixAzrlMWBQ5BJ0jN1oWs8KsuGXJ5YcsZkKtDK3S5670YUu7zAc9Q9SFyYLLnOKEyxp0NV0nS3gfwK7ZTR7gSypynBVeF7VWVhXpQ1IIfflDgR7H9LBFtrsp1LwoczDbAU6f/8ZkUdHbwtpUboNtwO5EC8jwKFRcZkKay3xI18IUYiqK1GHRLdh/yQg8eWfwHuzUvRD7sFNX9fZh/5gR9k8ZYf9TRtj/IyPsv+aBbVUt6BRyiJQOenrzTBZVI1D5nq4zvJMt8Pomg15SNYLPqzqP9u20TCrmqZOQAmSeQykx8IWl943IwviExAw7aDTLY006wHmsSbM2TZ1hFimTXVl1FlPVKutMD7jNIEKsss4wywUbzZoswBvJbyWVygDLcAiXPzmuZHoUlj+p2i6AlhncaqqqCyYy+LAd4AxBEoSrp2ub3i3qIJsskOumyBDTYJpbzqjIUEBkCjoHydYJs676sCUV6z+gnObAe1lgG9AskH07mDxY+8TaLNCn83r5Ux4ftCmm3P41S6MxZoq0s+J2AGuVXFSbLNccoQLT6avcjPfxJ5u11QMMduH9/OmdIx44qn1ZgPtu8uk6yPVgz7iAHDaMKWY5NpHPUhZnbwPOoRuYgteYpFhkEXW8Xv5QGlsPmvkngm00ywJb8BnkMGMMOporKHmygtFt2FzmOSWVKhsBhqkc3A7A+TyDbFK1WVGbdOZ/D3osgzwJYA1zbqym6T0hG9gZND4NdS5W62y8NtiJXGeSrz4z3x/xDNCtBlplUCR9KVAutPMp16uF4qbwE2bTQ19TTbMc8HKkEDYF5KWfb58aLjeWyuRzjktjp41ONSywhQp+VlAOqE1yXNPr0W1NcmqwOLlhln7Y9bGdBvbBnNOyTH0HeJk6rNq2DsrwFvGqYFqpKktXIgc4g5nGqyJPcmToeJSDzfVN8vZMtUnfspTXptY8MVBBLbdN8uwzwSWka7GzgWqSTtTp4GLxbXq3llC+62kxEyr5c94Bz5Dy72ze5FLHAc0gcZwNnQHV5LkJQs2zHF05z3KBa6VTC7Bq2sxzXLOKG5ZDLFQmy4HNMQdCgsXmSsnhJpfhvgF06ow/DzV1Op5crVJbIFkqypQfAJ3cElXpNSOl+byIzON6MNyVBJ3+zaoLP5Q3Odikk6k3YP2I1yyHLEPhZpiJk1oYBLCppUFdeEdScnSpMe6XBVukqvMfgIbbmicPBNSgq7mm0g567qaAvMoCOP3T6zuRff68MwU0AWCt5gU1dcKBAX3QmqaGqoGKHPqdBoZ88F1HMwFPz2QHOW0L1x5kpcsMGKd3ZJoMvmHjfcMZ8gEMpE4E8AOPMxgnBr6kPwCxBq3JoGYwpQyfZxC8pk7tZTOa5bgHmpXJFWmjWawrbgLANt2IrT7MxiTvqrlkMnWhRHRa7EOB+iadqcm3c5v+WHmg6SN63UzP1HDXdfJurU05zZKH3miR4S1sDOii5Kmr3rOMrWgjQznYYJmxtErtDV4WXBpLZxk0gyXXNocavqxlhtZNVulGpnSzxtqiRTqKnjVWkY+NJIOlu+yRjMPyfqOCl+RcQ8ktOae6DN0MDbZ/j6PjJ2dl5NLYhFAEg0P0CfY3YEqQWKlOlw/BZT7Ova1qodYwGCx4kH8z1SRr6n3HM+Z46H1GOO9MwxxuSUV3Gy1sYrFy3uwOA8mOpOAGhzO0q4etxwZKxDR1rbQlw8ajhKwW1BJuSa1hNnYUHpCWe58hFDHGB6ujQ4FwGTq7j/SFFlzmnsjfQ9Wt1sfTEKvmYBegJ5vPm4VqBi8aIRKWoLtxRFaRmmoD5D1YihPB/V2lHQuev1Nz8+rKl72+IBdhxNdLYheRKUXYDPgjhNHHiLYkH8D+zq0EE9/n4aHOwrwZjuzubhEu7ok1QDVbTLjkUfxw5u4J+mvviE+chYHJEK8EbSTO+p03OMe1beIeb+C+0699D03523F3NHVNuMP84hFj321EkbCm6W6dV3FZ8gluLd6KMXfBKaZRjwikzeC6DzihWoqRiZfYPTfjOHDsn2vAEg1fGjB2T9Pu47OV798r36sMOJbHr+ol9q5Hqss73Xan7MPJY4Sxsa2fY4d28yZKecrZ/4fnG7rFLi9aoYBrx88GWg3pknjveYTd4zKlBohP1+6wIYNb1e1S+Mbj4Cu7UfAd5kr79vVRNhJCDTEAOO6M7p9Xpak0lJ1gvO+gw7RfWqLauzk0rNE4AW0f0jXoint141RIb5b0gzn4kguYAxGwBEGoMXwu/cZt5vXHjz62ZH5E+Y3r7znp00eZ9OwwayT/0sDumEQav3w9fI/rmHjcFJRWo+Glv5BMSQmYW0FW3C7GBAUhkcqQTmPXcFR50b1NC8dOlCfdEyXUnDMqiMNgxPRBLB4XO1xqZEzj4/GuXqxNHL1eOttK7WS1pn7gqeDUFAuV3SbwRlxnruEslc1QIycV+yN44v0AiL80Dlt808IgFiaA6smZMMoZ4lv37QKD5eSX8I0JOZPr7l8D6BZteSMtoeWEqapuLOi4GM7ixneE5TPPvtndC5yxuLUh3P69ef2X7/7qbN+L3na0HPsminY4p0XaiNldHTd0DZr8U+eTM68CGohc/Nanrv/Jf+blBuetU793P45MXj4k257tDkxx60zIh18/vXW0gwbvPEF/ackN01BTydZOqwzqmdjNBSHIoZfk0/s35FLa71+/JJcfLt7+5xvy+VLan34gz1eLNZHA7QI0YQtlwqg0pTUwi5/67qf/9d9ePItyBOwio4zb5QfK1ElF4+N4TObTd89rfu3P4mWLVPyKl08L6b5sOoD5kQ3j7vzAx/DdUUw31slvXNuGCvLu7EMU2T+UhHy+rONOxv9REiZx3jp0vxoRioQcFp64BU/xDd6zD3NqYUUfYUQ6nu4rclaWGv20/pTH0OmeXlbVx8Y5HxoLuTx/f+VfpdHwWEXNCaMfW04lr6mGt5tcXjlURrxfjodHToJIwkO39jgPW02s8NO1TisgeujSsuTuw1RsAra9Wf7xd+6EB8CZhHjBVbjhF9tHYIDKJtc6i1531yeNkg8BwyulbSeSB0K3xAAbbgC368OS15yY954eLuftY9KS9X6M8RJiduOpvLgBO7R8qTGKcadyer/RQMchTi5rKucw6UwnpuSMzxsNJZmuESbIErOG4nKmPrL1wKBodERbji46y9DvQCTU/fslXMkdABoqZaEImd3p84zSs7aUpqCFT8XPALq2Og/wWYYjMctQLSxyXIdc/U/qDEylZdF64vKp5bsWvKNjsrta35nwCBrsW7sALcGST+saXpLP7TP2Dh1g35Or1gE2eAl+HdPU2lE9J1AmRkzjFungF39JqBBRZaLefBAT3KjGxLwlaPcGcmkVMRYfcy7J58tRgcIwQTabvEoush1QVWcY++YAazCpM3od2AwlLv5FTJ2Kjv72DNj60QqFADlPPikScXbKR0YtdEQD9SoPFb0AjCQM0wlmhJKflV5RXQ7ndBNyNsdkL02ou/G3mEs3BbsCkHHVM3HXxPvGuJWloh+q88gQbBmPmREDCrkMea6YllBx68RSGLERJ3EpqDxFHP8ODso2QaTnohwQuO2y3ERSls6CnaMBu/3ypI5UAsMuBMt0/eDuFrGn2nLWCKoJ9osmLRLP396+eafmajaLT38HVtgFZN/eLWQ/uQX9bezh/dbh7dA9a+wCpA3J4qNomyZl54S7JfT4JcdR/2xAjyKsGsvUaTkdlhxH+LphDIwZwRk7jx/XHO24xBPEizgVd670mkQKEwa4nUI4beEIOzg6qYQBPlMr6d4VJ7diymH3RTJQlLapWqbrRzfyblLiu5ZizYDgUHb0BD/Mjj7MJTHcNhH5SbC4AIKIDlAX1BBaqtq9LnYBXBO1kpst84yz9FZJVY3k1eJMDsN9i/rTKhFOueeydPJHadMxgJKfuQByFhCbDNhwF2ev7Ajzd3I0Ybyj/1HSFUZZcB2yFtJyIUZjhBEp690fwAifr3cd6jVSc2I8IXSqclYPRIifwoIuuWpQu2SqqrWq+EiGIpwaubeSTgUWkc3I+X7cuFx2YicjkrsYbmmdJIrAFoZJh8scgWBk/Q6/3Lvbe2U392302G3KLBtpd8vZUmv0JZaBF+wYs/5OWhC+x3OQoDlrSUKGYKLfbmoBtwt8amOz3UhAdsK+mxirx4OfLU3HtN16NJpe76cpqBd+rYx0RU3Tzgi3vALj5LrX9jTUMBpECruQrCnEwY3AxoMP3AZ9x6N1TO/uRzta39+Npu8Kk2zI6Z1JCw7jQxQOaEOKNwLhDsLg66Xu9UHq9En3zl+0JLTpwzuXrJfqaQTIATneCZCv9zh+f3jLUo02OM2W3U0+6pNKkJR37A7y46THMSVtg8PYKfVYgrbjp05eudPYRVGBXahHiJLQLU8y8WiEj41uOPZS0iqr12lPVOejEsFf6xDZcy4zeUL+c/LjX/5Cnr+7OLt6QS64sVzOG24WUGIpfBQXoeYqe1+gfZEwzJadeTzCNuMHRzLGtMrsVdxX/+l2NYZBd2PQI59s6PN9rgvDtP+u7rfn+EOcYjFTKmNt0jeZYlSk6k63Q8hHWvLG+BWI0sTwiguqvXhyYtPdIYbvery8Cu+54eUpO430M+U/u4PQehF3+mJuLnm+Ooszue+uY1gjVBr2/L/BSYS/GZyF4LiBXllGGXdlKp0zMWAQskFWKz2nkv+xJ6ta5jsKd2X2EZzun6kRds+4jtaSZur687NbDl8L3+LL9y7aymr+BaiwC0Y1kFpDqSouabTgrieerqjlIK05mB4v6CmpfUcflVjf+hHqTAfXXZ1nTnDVVFtshrQhdb9YPWGzoyBs7iJRZ1CCphbKIllS2Z7z4YTPz+2KXfDsSqslL7vmYeFztK5F0FQHByM0/3HP2rZOG1dwNkTy8kRUdkuGXn92PUJmdHgoZk4uuY+eL3YV95EWcJ3SmXIo+H01T7hFnan3pV4l9DxCqNdRUWOlhhirtJf4DloFluJqz/BTE/epZ3HqK16WAk4n5d7jeneVc5Ht7cm9o+RcOx7jNORehdV6HYbkuo3OviS1oG7L3PusNAHJ9Loe8/JjKuQJ7Mk7ZNDpzrb8RRlL3lO24HLEpCtpJsnxzS6vP0vM9K81OPHh9CPf5MxMyLuS1uQ3/IfXj0olfd3p34ePJ1nQJTjNSQDV5EsDek2wB6GplTTQalTx4lRHb4HfOY28DD3wmIOsedsFUnryfV++cTxbkk6A6uYAfQzNUe+KKU55yusw2z3jbWvprSZGzjYMDy83RDdSRu1Y87J7eXzk2beRGqmxCxCLYGHm3whKVlyWamWIqYHxGWfuNy9jdYIhT3Z4QRx5Ht9Nzg15jh1hQbLNM4Shyxc9bpFG4jv+DuaUrclns934tovAVruFtMmza90KJzDYR177vqmFqGCtGh4y9yIOON71AYhU/29VmmI5z5B922TnV6jHuvN69TpCMVIYPWjhO0cQe5q83jFSQ4ZvcL23su4tkj7eBXRIzWkcdl3AYHtvNgmZfhsGOxRvSHG4+BnLBlKOBBytcEOSS5hxGXz1KJywq19F65Gmg4jdUYVimXDbOGB21L/UgrHz2eamPfRSGulN2fmwraVsUZ24Bf5mVWQ4GVhH/e3IMuRlymW6CWJJ74YjGYsK8z6eESHVL9vBbfFttDfl/ZGpnQOs8759B7CuqW7PlPvxyw0pqwUftFIn7nY4W9Ynv9+JPJt8Zolva6H0Ot+G/83UVP7LwY4xLSLbXdRb9Tz2NDm2/O0VQj9A26OpRAOq2n7r+6kaPQUFSKtVfYzoKFUzHTgX7nTGw5rO2oYD5QiIo6/uOO09PFdVTeW6u4947XCcvrdXlqDdM1RwOVNxpYCam9w1Qgfkx44V2WK2grxd0WdfcuUI/NwIsSb/0VDBZxxKcoF1z945GEVlBdOCKXXDHyno/jtMiV9/Yz9TMabNJ+82uwmH141FlfvIEaaH7/rHbokwZSe4o71PfkI+rWtP+sZz4Jjjd3B88zTMiqTNZHfQdjh4R4R+ZmJta3eROYWrrlMut7HznsVa6dbbjyHmj+9GtrzXKyfxcWp5UeedQ7SHFW7lg577Fk2tVCZNZBspt47bD1JTG3dNMllQkzLa3wOsQzl9YsiNFgm3uQc14a50xmjR6FTekB5MA7qg83Q25QZ08udpG3TS9Mdt0OHUZxAscGtBomqV3jhx8JOd5k7RW2jYSZVJrVH5JU5RS7glcz/hsqhevQp/Pw8ovAp/CXlNMbc/FaDj2XmBnEeMnnti+sFz9Lj2Rq0NyCnDQDRnUnE5A61H4q5Duk9CV1/xP8j6qHv2BEi2fYlnvW2IXCkMa6usVyqyxMmO31sft3fH7hNmEOv+j/4dhgla4wM/eb0AfRp/hNPZQ8bT83Mc/fiCnOP6cdRA2xM1Sxnh8znoMPwTtrIw9zTnhayh4x4jexvuFn1mep2i9+40/+NYr+T9W6PEd5tc8z/i3hp+k0mmXP77WyJhriz3G1gvqBmZAGXYqdsK9bbSLz4+XNBtdbYJUIMEl50z1jZOb+tv4gkphs9PUVGx3d+om3r4aXTQspMm3JgmudKJkDFZKp+37mExFMQQtM7qAx1sSl96vnWLk2sMTu+TTifJkOg6g4co8vNrTO3c/xj1pOdxSN5feu7BcVyEGiOKZc4XfTekGhzZUWTKwh092iRv02hyAeY3ECzqTM0NvtmMK+k/SChbfyAG43VKk8vrs39/f0Wu3DtFfpUj01c22GaqpD4G208rFccWxRBbALsxRzmR7yaE8/Ygiw2d6/p1di3CMA00jCDcSME9Wi5oPmgK+QhKrsej6woyajQgzpba5mQTPvtYLqngpT+IESR2BeHJulrvE4TIsRtYm12xnejktwmkiWEvrK1NwXEGbRbQuJU5GMLoE7hNfC7byheluV0fuFFMVVXWPnF3xNvjERxC8RL8Fdcgdi3N1C6WlaCyMOaxBt66lb0M/z1Q29ZoRbH1pcZFrfgp0qpjCHsMCGKASMWtAWQrW1ApB40zcrebCqsiIiMx2xO1be4eljDz8Pd3Zx/Cu/dqZ/nuQbFK7/r+k/ds4+amWCrR5GLAWTvHWYY5N91k7HacbyO5NeS5R8K8wG4dWNjbTtTdAU8Q6Sg1oskkzd4FXD9LbkO6wGS76GAJGjMFZo0gTEkGtXWG8rXfw5H2CqtVTunrGe8M9naEtkO0VtoS5fj7y7+exVJwo2xPfe6Unp8+wXK3wGDLxTqlvtlJtFHMv7399eryiryntxWXZTfWO76tjraTp2FuDVEcISuQMaBuH1md+hQvWUyenu2rHIvZ6Qo2H7sIvyU5u9qx5SwLUvnyInTpDVjsxVCcblMeuVdAS3H1X75uuCvMkeVQk0x9u9Ff4kzoR8puDOOq0YrvgrqVL+59SUwTSVGnhvzNWK3k/F+mgrIbwY2F8m+vws9edr/lcgYs/qsZ17CiIqrI0KnofYdQWRKjyMix1DDnxuq1s+xPKSxqahehWX+HA9nFYYAkOqVOhaYvhPb1WkzpXhfyTp/sMAdp9fpP/zcAAP//faH2Mw==" } diff --git a/x-pack/filebeat/module/microsoft/module.yml b/x-pack/filebeat/module/microsoft/module.yml new file mode 100644 index 00000000000..991a3a8d25c --- /dev/null +++ b/x-pack/filebeat/module/microsoft/module.yml @@ -0,0 +1,3 @@ +dashboards: +- id: 65402c30-ca6a-11ea-9d4d-9737a63aaa55 + file: Filebeat-microsoft-atp-overview.json \ No newline at end of file diff --git a/x-pack/filebeat/module/misp/threat/ingest/pipeline.json b/x-pack/filebeat/module/misp/threat/ingest/pipeline.json index 0d710feeb24..59abc2fc21e 100644 --- a/x-pack/filebeat/module/misp/threat/ingest/pipeline.json +++ b/x-pack/filebeat/module/misp/threat/ingest/pipeline.json @@ -1,6 +1,12 @@ { "description": "Pipeline for normalizing MISP threat", "processors": [ + { + "set": { + "field": "event.ingested", + "value": "{{_ingest.timestamp}}" + } + }, { "geoip": { "field": "destination.ip", diff --git a/x-pack/filebeat/module/mssql/log/ingest/pipeline.yml b/x-pack/filebeat/module/mssql/log/ingest/pipeline.yml index 39a10a9ff99..cae8f53ab34 100644 --- a/x-pack/filebeat/module/mssql/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/mssql/log/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: Pipeline to parse MSSQL logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message patterns: diff --git a/x-pack/filebeat/module/netflow/_meta/docs.asciidoc b/x-pack/filebeat/module/netflow/_meta/docs.asciidoc index b696ca4dea3..830b397ec45 100644 --- a/x-pack/filebeat/module/netflow/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/netflow/_meta/docs.asciidoc @@ -39,7 +39,7 @@ traffic from network devices. netflow_port: 2055 ----- -`var.netflow_host`:: Address to find to. Defaults to `localhost`. +`var.netflow_host`:: Address to bind to. Defaults to `localhost`. `var.netflow_port`:: Port to listen on. Defaults to `2055`. diff --git a/x-pack/filebeat/module/netscout/_meta/docs.asciidoc b/x-pack/filebeat/module/netscout/_meta/docs.asciidoc index 8f773354af9..3d0477a9f43 100644 --- a/x-pack/filebeat/module/netscout/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/netscout/_meta/docs.asciidoc @@ -51,7 +51,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/netscout/sightline/config/input.yml b/x-pack/filebeat/module/netscout/sightline/config/input.yml index ec1e377e5cd..dbbca93154b 100644 --- a/x-pack/filebeat/module/netscout/sightline/config/input.yml +++ b/x-pack/filebeat/module/netscout/sightline/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml b/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml index 66f9ab7bcc1..44b0b754e15 100644 --- a/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml +++ b/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for Arbor Peakflow SP processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json index a6bd506ffea..530aa6f4cc1 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-01-29T08:09:59.000Z", "event.code": "configuration", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -19,7 +18,6 @@ "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "olab", "rsa.misc.version": "1.6078", - "rsa.time.event_time": "2020-01-29T08:09:59.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -28,7 +26,6 @@ "user.name": "rci" }, { - "@timestamp": "2020-02-12T15:12:33.000Z", "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -44,7 +41,6 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.event_time": "2020-02-12T15:12:33.000Z", "rsa.time.starttime": "2016-02-12T15:12:33.000Z", "service.type": "netscout", "tags": [ @@ -54,7 +50,6 @@ "user.name": "tatemac" }, { - "@timestamp": "2020-02-26T22:15:08.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -71,7 +66,6 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-02-26T22:15:08.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -80,7 +74,6 @@ "user.name": "nseq" }, { - "@timestamp": "2020-03-12T05:17:42.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -92,7 +85,6 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2020-03-12T05:17:42.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -100,7 +92,6 @@ ] }, { - "@timestamp": "2020-03-26T12:20:16.000Z", "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -114,7 +105,6 @@ "rsa.internal.messageid": "Device", "rsa.misc.node": "ritquiin", "rsa.misc.parent_node": "umqui", - "rsa.time.event_time": "2020-03-26T12:20:16.000Z", "rsa.time.starttime": "2016-03-26T12:20:16.000Z", "service.type": "netscout", "tags": [ @@ -123,7 +113,6 @@ ] }, { - "@timestamp": "2020-04-09T19:22:51.000Z", "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -143,7 +132,6 @@ "rsa.misc.policy_name": "utper", "rsa.misc.severity": "medium", "rsa.time.duration_time": 116.48, - "rsa.time.event_time": "2020-04-09T19:22:51.000Z", "rsa.time.starttime": "2016-04-09T19:22:51.000Z", "service.type": "netscout", "source.ip": [ @@ -155,7 +143,6 @@ ] }, { - "@timestamp": "2020-04-24T02:25:25.000Z", "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -171,7 +158,6 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.event_time": "2020-04-24T02:25:25.000Z", "rsa.time.starttime": "2016-04-24T02:25:25.000Z", "service.type": "netscout", "tags": [ @@ -181,7 +167,6 @@ "user.name": "incidi" }, { - "@timestamp": "2020-05-08T09:27:59.000Z", "event.code": "Peakflow", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -195,7 +180,6 @@ "rsa.internal.messageid": "Peakflow", "rsa.misc.node": "oloremqu", "rsa.misc.parent_node": "temvel", - "rsa.time.event_time": "2020-05-08T09:27:59.000Z", "rsa.time.starttime": "2016-05-08T09:27:59.000Z", "service.type": "netscout", "tags": [ @@ -204,7 +188,6 @@ ] }, { - "@timestamp": "2020-05-22T16:30:33.000Z", "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -220,7 +203,6 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.event_time": "2020-05-22T16:30:33.000Z", "rsa.time.starttime": "2016-05-22T16:30:33.000Z", "service.type": "netscout", "tags": [ @@ -230,7 +212,6 @@ "user.name": "anti" }, { - "@timestamp": "2020-06-05T23:33:08.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -242,7 +223,6 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2020-06-05T23:33:08.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -250,7 +230,6 @@ ] }, { - "@timestamp": "2020-06-20T06:35:42.000Z", "event.code": "configuration", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -269,7 +248,6 @@ "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "uipexea", "rsa.misc.version": "1.5162", - "rsa.time.event_time": "2020-06-20T06:35:42.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -278,7 +256,6 @@ "user.name": "nci" }, { - "@timestamp": "2020-07-04T13:38:16.000Z", "event.code": "SNMP", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -294,7 +271,6 @@ "rsa.misc.node": "mvolu", "rsa.misc.parent_node": "radip", "rsa.time.endtime": "2016-07-04T13:38:16.000Z", - "rsa.time.event_time": "2020-07-04T13:38:16.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -302,7 +278,6 @@ ] }, { - "@timestamp": "2019-07-18T20:40:50.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -319,7 +294,6 @@ "rsa.misc.group": "dquiac", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2019-07-18T20:40:50.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -328,7 +302,6 @@ "url.original": "https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap" }, { - "@timestamp": "2019-08-02T03:43:25.000Z", "destination.ip": [ "10.155.162.162" ], @@ -350,7 +323,6 @@ "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2019-08-02T03:43:25.000Z", "service.type": "netscout", "source.ip": [ "10.66.171.247" @@ -362,7 +334,6 @@ "url.original": "https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis" }, { - "@timestamp": "2019-08-16T10:45:59.000Z", "event.action": "Fault Occured", "event.code": "TMS", "event.dataset": "netscout.sightline", @@ -379,7 +350,6 @@ "rsa.internal.resource": "lupta", "rsa.misc.event_type": "Fault Occured", "rsa.misc.node": "iusmodt", - "rsa.time.event_time": "2019-08-16T10:45:59.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -387,7 +357,6 @@ ] }, { - "@timestamp": "2019-08-30T17:48:33.000Z", "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -403,7 +372,6 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.event_time": "2019-08-30T17:48:33.000Z", "rsa.time.starttime": "2016-08-30T17:48:33.000Z", "service.type": "netscout", "tags": [ @@ -413,7 +381,6 @@ "user.name": "uiano" }, { - "@timestamp": "2019-09-14T00:51:07.000Z", "destination.ip": [ "10.179.26.34" ], @@ -429,13 +396,12 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.38.77.13", - "10.179.26.34" + "10.179.26.34", + "10.38.77.13" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2019-09-14T00:51:07.000Z", "service.type": "netscout", "source.ip": [ "10.38.77.13" @@ -447,7 +413,6 @@ "url.original": "https://example.org/isiu/nimadmi.gif?ari=equun#suntinc" }, { - "@timestamp": "2019-09-28T07:53:42.000Z", "event.code": "Hardware", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -461,7 +426,6 @@ "rsa.internal.event_desc": "abilloi", "rsa.internal.messageid": "Hardware", "rsa.misc.node": "tatevel", - "rsa.time.event_time": "2019-09-28T07:53:42.000Z", "rsa.time.starttime": "2016-09-28T07:53:42.000Z", "service.type": "netscout", "tags": [ @@ -470,7 +434,6 @@ ] }, { - "@timestamp": "2019-10-12T14:56:16.000Z", "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -491,7 +454,6 @@ "rsa.misc.severity": "very-high", "rsa.misc.sig_id": 2933, "rsa.network.interface": "lo5882", - "rsa.time.event_time": "2019-10-12T14:56:16.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -499,7 +461,6 @@ ] }, { - "@timestamp": "2019-10-26T21:58:50.000Z", "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -520,7 +481,6 @@ "rsa.misc.severity": "high", "rsa.misc.sig_id": 2902, "rsa.network.interface": "lo4987", - "rsa.time.event_time": "2019-10-26T21:58:50.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -528,7 +488,6 @@ ] }, { - "@timestamp": "2019-11-10T05:01:24.000Z", "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -544,7 +503,6 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.event_time": "2019-11-10T05:01:24.000Z", "rsa.time.starttime": "2016-11-10T05:01:24.000Z", "service.type": "netscout", "tags": [ @@ -554,7 +512,6 @@ "user.name": "qua" }, { - "@timestamp": "2019-11-24T12:03:59.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -566,7 +523,6 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2019-11-24T12:03:59.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -574,7 +530,6 @@ ] }, { - "@timestamp": "2019-12-08T19:06:33.000Z", "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -590,7 +545,6 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.event_time": "2019-12-08T19:06:33.000Z", "rsa.time.starttime": "2016-12-08T19:06:33.000Z", "service.type": "netscout", "tags": [ @@ -600,7 +554,6 @@ "user.name": "turveli" }, { - "@timestamp": "2019-12-23T02:09:07.000Z", "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -616,7 +569,6 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.event_time": "2019-12-23T02:09:07.000Z", "rsa.time.starttime": "2016-12-23T02:09:07.000Z", "service.type": "netscout", "tags": [ @@ -626,7 +578,6 @@ "user.name": "caecatc" }, { - "@timestamp": "2020-01-06T09:11:41.000Z", "destination.ip": [ "10.224.68.213" ], @@ -646,7 +597,6 @@ "rsa.internal.messageid": "GRE", "rsa.misc.parent_node": "taed", "rsa.time.endtime": "2017-01-06T09:11:41.000Z", - "rsa.time.event_time": "2020-01-06T09:11:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -654,7 +604,6 @@ ] }, { - "@timestamp": "2020-01-20T16:14:16.000Z", "event.code": "Hardware", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -668,7 +617,6 @@ "rsa.internal.event_desc": "lor", "rsa.internal.messageid": "Hardware", "rsa.misc.node": "aperi", - "rsa.time.event_time": "2020-01-20T16:14:16.000Z", "rsa.time.starttime": "2017-01-20T16:14:16.000Z", "service.type": "netscout", "tags": [ @@ -677,7 +625,6 @@ ] }, { - "@timestamp": "2020-02-03T23:16:50.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -691,7 +638,6 @@ "observer.vendor": "Netscout", "rsa.internal.messageid": "BGP", "rsa.misc.node": "oin", - "rsa.time.event_time": "2020-02-03T23:16:50.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -699,7 +645,6 @@ ] }, { - "@timestamp": "2020-02-18T06:19:24.000Z", "event.code": "Hardware", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -714,7 +659,6 @@ "rsa.internal.messageid": "Hardware", "rsa.misc.node": "ritatis", "rsa.time.endtime": "2017-02-18T06:19:24.000Z", - "rsa.time.event_time": "2020-02-18T06:19:24.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -722,7 +666,6 @@ ] }, { - "@timestamp": "2020-03-04T13:21:59.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -739,7 +682,6 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-03-04T13:21:59.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -748,7 +690,6 @@ "user.name": "mqui" }, { - "@timestamp": "2020-03-18T20:24:33.000Z", "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -762,7 +703,6 @@ "rsa.internal.messageid": "Device", "rsa.misc.node": "tdolorem", "rsa.misc.parent_node": "ono", - "rsa.time.event_time": "2020-03-18T20:24:33.000Z", "rsa.time.starttime": "2017-03-18T20:24:33.000Z", "service.type": "netscout", "tags": [ @@ -771,7 +711,6 @@ ] }, { - "@timestamp": "2020-04-02T03:27:07.000Z", "destination.ip": [ "10.60.185.151" ], @@ -790,7 +729,6 @@ ], "rsa.internal.messageid": "GRE", "rsa.misc.parent_node": "uidolo", - "rsa.time.event_time": "2020-04-02T03:27:07.000Z", "rsa.time.starttime": "2017-04-02T03:27:07.000Z", "service.type": "netscout", "tags": [ @@ -799,7 +737,6 @@ ] }, { - "@timestamp": "2020-04-16T10:29:41.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -811,7 +748,6 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2020-04-16T10:29:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -819,7 +755,6 @@ ] }, { - "@timestamp": "2020-04-30T17:32:16.000Z", "event.action": "Script mitigation", "event.code": "script", "event.dataset": "netscout.sightline", @@ -836,7 +771,6 @@ "rsa.misc.event_type": "Script mitigation", "rsa.misc.node": "modoco", "rsa.misc.parent_node": "estqu", - "rsa.time.event_time": "2020-04-30T17:32:16.000Z", "rsa.time.starttime": "2017-04-30T17:32:16.000Z", "service.type": "netscout", "tags": [ @@ -845,7 +779,6 @@ ] }, { - "@timestamp": "2020-05-15T00:34:50.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -862,7 +795,6 @@ "rsa.misc.group": "ents", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2020-05-15T00:34:50.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -871,7 +803,6 @@ "url.original": "https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae" }, { - "@timestamp": "2020-05-29T07:37:24.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -886,7 +817,6 @@ "rsa.internal.event_desc": "mdolore", "rsa.internal.messageid": "BGP", "rsa.misc.node": "reetd", - "rsa.time.event_time": "2020-05-29T07:37:24.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -894,7 +824,6 @@ ] }, { - "@timestamp": "2020-06-12T14:39:58.000Z", "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -909,7 +838,6 @@ "rsa.misc.node": "mque", "rsa.misc.parent_node": "uovolup", "rsa.time.endtime": "2017-06-12T14:39:58.000Z", - "rsa.time.event_time": "2020-06-12T14:39:58.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -917,7 +845,6 @@ ] }, { - "@timestamp": "2020-06-26T21:42:33.000Z", "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -934,7 +861,6 @@ "rsa.misc.severity": "very-high", "rsa.time.duration_time": 38.117, "rsa.time.endtime": "2017-06-26T21:42:33.000Z", - "rsa.time.event_time": "2020-06-26T21:42:33.000Z", "rsa.time.starttime": "2017-06-26T21:42:33.000Z", "service.type": "netscout", "tags": [ @@ -943,7 +869,6 @@ ] }, { - "@timestamp": "2020-07-11T04:45:07.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -958,7 +883,6 @@ "rsa.internal.event_desc": "dol", "rsa.internal.messageid": "BGP", "rsa.misc.node": "doloremi", - "rsa.time.event_time": "2020-07-11T04:45:07.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -966,7 +890,6 @@ ] }, { - "@timestamp": "2019-07-25T11:47:41.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -981,7 +904,6 @@ "rsa.internal.messageid": "BGP", "rsa.misc.node": "tincu", "rsa.misc.trigger_val": "sci", - "rsa.time.event_time": "2019-07-25T11:47:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -989,7 +911,6 @@ ] }, { - "@timestamp": "2019-08-08T18:50:15.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1006,7 +927,6 @@ "rsa.misc.group": "eaq", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2019-08-08T18:50:15.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1015,7 +935,6 @@ "url.original": "https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup" }, { - "@timestamp": "2019-08-23T01:52:50.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1032,7 +951,6 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2019-08-23T01:52:50.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1041,7 +959,6 @@ "user.name": "suntexp" }, { - "@timestamp": "2019-09-06T08:55:24.000Z", "destination.ip": [ "10.168.131.247" ], @@ -1063,7 +980,6 @@ "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2019-09-06T08:55:24.000Z", "service.type": "netscout", "source.ip": [ "10.136.232.108" @@ -1075,7 +991,6 @@ "url.original": "https://example.net/temqu/edol.jpg?ipi=reseos#pariatu" }, { - "@timestamp": "2019-09-20T15:57:58.000Z", "destination.ip": [ "10.209.182.237" ], @@ -1095,7 +1010,6 @@ "rsa.internal.messageid": "GRE", "rsa.misc.parent_node": "tper", "rsa.time.endtime": "2017-09-20T15:57:58.000Z", - "rsa.time.event_time": "2019-09-20T15:57:58.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1103,7 +1017,6 @@ ] }, { - "@timestamp": "2019-10-04T23:00:32.000Z", "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1118,7 +1031,6 @@ "rsa.misc.node": "xerc", "rsa.misc.parent_node": "iutali", "rsa.time.endtime": "2017-10-04T23:00:32.000Z", - "rsa.time.event_time": "2019-10-04T23:00:32.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1126,7 +1038,6 @@ ] }, { - "@timestamp": "2019-10-19T06:03:07.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1141,7 +1052,6 @@ "rsa.internal.messageid": "BGP", "rsa.misc.node": "ati", "rsa.misc.parent_node": "tlabo", - "rsa.time.event_time": "2019-10-19T06:03:07.000Z", "rsa.time.starttime": "2017-10-19T06:03:07.000Z", "service.type": "netscout", "tags": [ @@ -1150,7 +1060,6 @@ ] }, { - "@timestamp": "2019-11-02T13:05:41.000Z", "event.action": "Script mitigation", "event.code": "script", "event.dataset": "netscout.sightline", @@ -1167,7 +1076,6 @@ "rsa.misc.event_type": "Script mitigation", "rsa.misc.node": "offi", "rsa.misc.parent_node": "giatnu", - "rsa.time.event_time": "2019-11-02T13:05:41.000Z", "rsa.time.starttime": "2017-11-02T13:05:41.000Z", "service.type": "netscout", "tags": [ @@ -1176,7 +1084,6 @@ ] }, { - "@timestamp": "2019-11-16T20:08:15.000Z", "destination.ip": [ "10.128.31.83" ], @@ -1194,8 +1101,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.128.31.83", - "10.97.164.220" + "10.97.164.220", + "10.128.31.83" ], "rsa.internal.messageid": "anomaly", "rsa.misc.category": "aera", @@ -1204,7 +1111,6 @@ "rsa.misc.policy_name": "ncidid", "rsa.misc.severity": "very-high", "rsa.time.duration_time": 50.929, - "rsa.time.event_time": "2019-11-16T20:08:15.000Z", "rsa.time.starttime": "2017-11-16T08:08:15.000Z", "service.type": "netscout", "source.ip": [ @@ -1218,7 +1124,6 @@ "url.original": "https://internal.example.org/stlabo/dictasu.gif?catc=nsect#idata" }, { - "@timestamp": "2019-12-01T03:10:49.000Z", "destination.ip": [ "10.163.161.165" ], @@ -1234,13 +1139,12 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.163.161.165", - "10.83.23.104" + "10.83.23.104", + "10.163.161.165" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2019-12-01T03:10:49.000Z", "service.type": "netscout", "source.ip": [ "10.83.23.104" @@ -1252,7 +1156,6 @@ "url.original": "https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte" }, { - "@timestamp": "2019-12-15T10:13:24.000Z", "destination.ip": [ "10.53.248.4" ], @@ -1272,7 +1175,6 @@ "rsa.internal.messageid": "GRE", "rsa.misc.parent_node": "derit", "rsa.time.endtime": "2017-12-15T10:13:24.000Z", - "rsa.time.event_time": "2019-12-15T10:13:24.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1280,7 +1182,6 @@ ] }, { - "@timestamp": "2019-12-29T17:15:58.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1292,7 +1193,6 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2019-12-29T17:15:58.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1300,7 +1200,6 @@ ] }, { - "@timestamp": "2020-01-13T00:18:32.000Z", "event.code": "Flow", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1314,7 +1213,6 @@ "rsa.internal.messageid": "Flow", "rsa.misc.node": "tessec", "rsa.misc.parent_node": "olupta", - "rsa.time.event_time": "2020-01-13T00:18:32.000Z", "rsa.time.starttime": "2018-01-13T00:18:32.000Z", "service.type": "netscout", "tags": [ @@ -1323,7 +1221,6 @@ ] }, { - "@timestamp": "2020-01-27T07:21:06.000Z", "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1340,7 +1237,6 @@ "rsa.misc.severity": "medium", "rsa.time.duration_time": 24.633, "rsa.time.endtime": "2018-01-27T07:21:06.000Z", - "rsa.time.event_time": "2020-01-27T07:21:06.000Z", "rsa.time.starttime": "2018-01-27T07:21:06.000Z", "service.type": "netscout", "tags": [ @@ -1349,7 +1245,6 @@ ] }, { - "@timestamp": "2020-02-10T14:23:41.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1366,7 +1261,6 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-02-10T14:23:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1375,7 +1269,6 @@ "user.name": "uiac" }, { - "@timestamp": "2020-02-24T21:26:15.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1389,7 +1282,6 @@ "observer.vendor": "Netscout", "rsa.internal.messageid": "BGP", "rsa.misc.node": "iatisu", - "rsa.time.event_time": "2020-02-24T21:26:15.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1397,7 +1289,6 @@ ] }, { - "@timestamp": "2020-03-11T04:28:49.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1414,7 +1305,6 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-03-11T04:28:49.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1423,7 +1313,6 @@ "user.name": "ersp" }, { - "@timestamp": "2020-03-25T11:31:24.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1435,7 +1324,6 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2020-03-25T11:31:24.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1443,7 +1331,6 @@ ] }, { - "@timestamp": "2020-04-08T18:33:58.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1455,7 +1342,6 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2020-04-08T18:33:58.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1463,7 +1349,6 @@ ] }, { - "@timestamp": "2020-04-23T01:36:32.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1480,7 +1365,6 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-04-23T01:36:32.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1489,7 +1373,6 @@ "user.name": "rsitv" }, { - "@timestamp": "2020-05-07T08:39:06.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1506,7 +1389,6 @@ "rsa.misc.group": "upida", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2020-05-07T08:39:06.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1515,7 +1397,6 @@ "url.original": "https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse" }, { - "@timestamp": "2020-05-21T15:41:41.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1532,7 +1413,6 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-05-21T15:41:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1541,7 +1421,6 @@ "user.name": "udexerci" }, { - "@timestamp": "2020-06-04T22:44:15.000Z", "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1555,7 +1434,6 @@ "rsa.internal.messageid": "Device", "rsa.misc.node": "illoin", "rsa.misc.parent_node": "tanimid", - "rsa.time.event_time": "2020-06-04T22:44:15.000Z", "rsa.time.starttime": "2018-06-04T22:44:15.000Z", "service.type": "netscout", "tags": [ @@ -1564,7 +1442,6 @@ ] }, { - "@timestamp": "2020-06-19T05:46:49.000Z", "event.code": "configuration", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1583,7 +1460,6 @@ "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "natuse", "rsa.misc.version": "1.4425", - "rsa.time.event_time": "2020-06-19T05:46:49.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1592,7 +1468,6 @@ "user.name": "ati" }, { - "@timestamp": "2020-07-03T12:49:23.000Z", "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1613,7 +1488,6 @@ "rsa.misc.severity": "low", "rsa.misc.sig_id": 2366, "rsa.network.interface": "enp0s4306", - "rsa.time.event_time": "2020-07-03T12:49:23.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1621,7 +1495,6 @@ ] }, { - "@timestamp": "2019-07-17T19:51:58.000Z", "event.code": "SNMP", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1637,7 +1510,6 @@ "rsa.misc.node": "entsunt", "rsa.misc.parent_node": "ihilm", "rsa.time.endtime": "2018-07-17T19:51:58.000Z", - "rsa.time.event_time": "2019-07-17T19:51:58.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1645,7 +1517,6 @@ ] }, { - "@timestamp": "2019-08-01T02:54:32.000Z", "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1665,7 +1536,6 @@ "rsa.misc.policy_name": "ciad", "rsa.misc.severity": "medium", "rsa.time.duration_time": 29.657, - "rsa.time.event_time": "2019-08-01T02:54:32.000Z", "rsa.time.starttime": "2018-08-01T02:54:32.000Z", "service.type": "netscout", "source.ip": [ @@ -1677,7 +1547,6 @@ ] }, { - "@timestamp": "2019-08-15T09:57:06.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1689,7 +1558,6 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2019-08-15T09:57:06.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1697,7 +1565,6 @@ ] }, { - "@timestamp": "2019-08-29T16:59:40.000Z", "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1718,7 +1585,6 @@ "rsa.misc.severity": "medium", "rsa.misc.sig_id": 5089, "rsa.network.interface": "lo4293", - "rsa.time.event_time": "2019-08-29T16:59:40.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1726,7 +1592,6 @@ ] }, { - "@timestamp": "2019-09-13T00:02:15.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1741,7 +1606,6 @@ "rsa.internal.messageid": "BGP", "rsa.misc.node": "uptate", "rsa.misc.trigger_val": "tpersp", - "rsa.time.event_time": "2019-09-13T00:02:15.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1749,7 +1613,6 @@ ] }, { - "@timestamp": "2019-09-27T07:04:49.000Z", "event.action": "Fault Occured", "event.code": "TMS", "event.dataset": "netscout.sightline", @@ -1766,7 +1629,6 @@ "rsa.internal.resource": "dol", "rsa.misc.event_type": "Fault Occured", "rsa.misc.node": "proiden", - "rsa.time.event_time": "2019-09-27T07:04:49.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1774,7 +1636,6 @@ ] }, { - "@timestamp": "2019-10-11T14:07:23.000Z", "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1789,7 +1650,6 @@ "rsa.misc.node": "isis", "rsa.misc.parent_node": "uasiar", "rsa.time.endtime": "2018-10-11T14:07:23.000Z", - "rsa.time.event_time": "2019-10-11T14:07:23.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1797,7 +1657,6 @@ ] }, { - "@timestamp": "2019-10-25T21:09:57.000Z", "destination.ip": [ "10.216.83.142" ], @@ -1825,7 +1684,6 @@ "rsa.misc.policy_name": "ntsunt", "rsa.misc.severity": "low", "rsa.time.duration_time": 2.919, - "rsa.time.event_time": "2019-10-25T21:09:57.000Z", "rsa.time.starttime": "2018-10-25T09:09:57.000Z", "service.type": "netscout", "source.ip": [ @@ -1839,7 +1697,6 @@ "url.original": "https://example.net/con/preh.html?quamest=mac#qui" }, { - "@timestamp": "2019-11-09T04:12:32.000Z", "destination.ip": [ "10.28.226.128" ], @@ -1855,13 +1712,12 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.28.226.128", - "10.122.76.148" + "10.122.76.148", + "10.28.226.128" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2019-11-09T04:12:32.000Z", "service.type": "netscout", "source.ip": [ "10.122.76.148" @@ -1873,7 +1729,6 @@ "url.original": "https://mail.example.org/idunt/luptat.txt?ica=lillum#remips" }, { - "@timestamp": "2019-11-23T11:15:06.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1890,7 +1745,6 @@ "rsa.misc.group": "amcor", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2019-11-23T11:15:06.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1899,7 +1753,6 @@ "url.original": "https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt" }, { - "@timestamp": "2019-12-07T18:17:40.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1916,7 +1769,6 @@ "rsa.misc.group": "equepor", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2019-12-07T18:17:40.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1925,7 +1777,6 @@ "url.original": "https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation" }, { - "@timestamp": "2019-12-22T01:20:14.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -1942,7 +1793,6 @@ "rsa.misc.group": "isciv", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2019-12-22T01:20:14.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1951,7 +1801,6 @@ "url.original": "https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt" }, { - "@timestamp": "2020-01-05T08:22:49.000Z", "destination.ip": [ "10.98.209.10" ], @@ -1973,7 +1822,6 @@ "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2020-01-05T08:22:49.000Z", "service.type": "netscout", "source.ip": [ "10.31.177.226" @@ -1985,7 +1833,6 @@ "url.original": "https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo" }, { - "@timestamp": "2020-01-19T15:25:23.000Z", "destination.ip": [ "10.179.210.218" ], @@ -2007,7 +1854,6 @@ "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2020-01-19T15:25:23.000Z", "service.type": "netscout", "source.ip": [ "10.44.47.27" @@ -2019,7 +1865,6 @@ "url.original": "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo" }, { - "@timestamp": "2020-02-02T22:27:57.000Z", "event.code": "configuration", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2038,7 +1883,6 @@ "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "emvele", "rsa.misc.version": "1.2883", - "rsa.time.event_time": "2020-02-02T22:27:57.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2047,7 +1891,6 @@ "user.name": "lor" }, { - "@timestamp": "2020-02-17T05:30:32.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2062,7 +1905,6 @@ "rsa.internal.messageid": "BGP", "rsa.misc.node": "iquamqua", "rsa.misc.trigger_val": "ita", - "rsa.time.event_time": "2020-02-17T05:30:32.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2070,7 +1912,6 @@ ] }, { - "@timestamp": "2020-03-03T12:33:06.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2082,7 +1923,6 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2020-03-03T12:33:06.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2090,7 +1930,6 @@ ] }, { - "@timestamp": "2020-03-17T19:35:40.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2107,7 +1946,6 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-03-17T19:35:40.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2116,7 +1954,6 @@ "user.name": "tMal" }, { - "@timestamp": "2020-04-01T02:38:14.000Z", "event.code": "configuration", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2135,7 +1972,6 @@ "rsa.internal.messageid": "configuration", "rsa.misc.parent_node": "maveni", "rsa.misc.version": "1.2552", - "rsa.time.event_time": "2020-04-01T02:38:14.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2144,7 +1980,6 @@ "user.name": "onu" }, { - "@timestamp": "2020-04-15T09:40:49.000Z", "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2158,7 +1993,6 @@ "observer.vendor": "Netscout", "rsa.internal.messageid": "BGP", "rsa.misc.node": "norumet", - "rsa.time.event_time": "2020-04-15T09:40:49.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2166,7 +2000,6 @@ ] }, { - "@timestamp": "2020-04-29T16:43:23.000Z", "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2183,7 +2016,6 @@ "rsa.misc.severity": "very-high", "rsa.time.duration_time": 177.586, "rsa.time.endtime": "2019-04-29T16:43:23.000Z", - "rsa.time.event_time": "2020-04-29T16:43:23.000Z", "rsa.time.starttime": "2019-04-29T16:43:23.000Z", "service.type": "netscout", "tags": [ @@ -2192,7 +2024,6 @@ ] }, { - "@timestamp": "2020-05-13T23:45:57.000Z", "event.action": "Script mitigation", "event.code": "script", "event.dataset": "netscout.sightline", @@ -2209,7 +2040,6 @@ "rsa.misc.event_type": "Script mitigation", "rsa.misc.node": "remipsum", "rsa.misc.parent_node": "tempor", - "rsa.time.event_time": "2020-05-13T23:45:57.000Z", "rsa.time.starttime": "2019-05-13T23:45:57.000Z", "service.type": "netscout", "tags": [ @@ -2218,7 +2048,6 @@ ] }, { - "@timestamp": "2020-05-28T06:48:31.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2235,7 +2064,6 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-05-28T06:48:31.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2244,7 +2072,6 @@ "user.name": "orroqu" }, { - "@timestamp": "2020-06-11T13:51:06.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2256,7 +2083,6 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2020-06-11T13:51:06.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2264,7 +2090,6 @@ ] }, { - "@timestamp": "2020-06-25T20:53:40.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2281,7 +2106,6 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2020-06-25T20:53:40.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2290,7 +2114,6 @@ "user.name": "veniamq" }, { - "@timestamp": "2020-07-10T03:56:14.000Z", "destination.ip": [ "10.55.156.64" ], @@ -2312,7 +2135,6 @@ "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2020-07-10T03:56:14.000Z", "service.type": "netscout", "source.ip": [ "10.151.129.181" @@ -2324,7 +2146,6 @@ "url.original": "https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae" }, { - "@timestamp": "2019-07-24T10:58:48.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2341,7 +2162,6 @@ "rsa.misc.group": "quasiarc", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2350,7 +2170,6 @@ "url.original": "https://www.example.net/rever/ore.jpg?oluptat=metco#acom" }, { - "@timestamp": "2019-08-07T18:01:23.000Z", "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2370,7 +2189,6 @@ "rsa.misc.policy_name": "iacons", "rsa.misc.severity": "medium", "rsa.time.duration_time": 77.637, - "rsa.time.event_time": "2019-08-07T18:01:23.000Z", "rsa.time.starttime": "2019-08-07T18:01:23.000Z", "service.type": "netscout", "source.ip": [ @@ -2382,7 +2200,6 @@ ] }, { - "@timestamp": "2019-08-22T01:03:57.000Z", "event.code": "Hardware", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2396,7 +2213,6 @@ "rsa.internal.event_desc": "radipisc", "rsa.internal.messageid": "Hardware", "rsa.misc.node": "ntiu", - "rsa.time.event_time": "2019-08-22T01:03:57.000Z", "rsa.time.starttime": "2019-08-22T01:03:57.000Z", "service.type": "netscout", "tags": [ @@ -2405,7 +2221,6 @@ ] }, { - "@timestamp": "2019-09-05T08:06:31.000Z", "destination.ip": [ "10.166.90.130" ], @@ -2427,7 +2242,6 @@ "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", "rsa.misc.msgIdPart2": "Host", - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "netscout", "source.ip": [ "10.73.89.189" @@ -2439,7 +2253,6 @@ "url.original": "https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu" }, { - "@timestamp": "2019-09-19T15:09:05.000Z", "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2456,7 +2269,6 @@ "rsa.misc.group": "laudan", "rsa.misc.msgIdPart1": "Protection", "rsa.misc.msgIdPart2": "Mode", - "rsa.time.event_time": "2019-09-19T15:09:05.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2465,7 +2277,6 @@ "url.original": "https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui" }, { - "@timestamp": "2019-10-03T22:11:40.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2482,7 +2293,6 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2019-10-03T22:11:40.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2491,7 +2301,6 @@ "user.name": "rcitat" }, { - "@timestamp": "2019-10-18T05:14:14.000Z", "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2503,7 +2312,6 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", - "rsa.time.event_time": "2019-10-18T05:14:14.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2511,7 +2319,6 @@ ] }, { - "@timestamp": "2019-11-01T12:16:48.000Z", "destination.ip": [ "10.226.51.191" ], @@ -2531,7 +2338,6 @@ "rsa.internal.messageid": "GRE", "rsa.misc.parent_node": "magnid", "rsa.time.endtime": "2019-11-01T12:16:48.000Z", - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2539,7 +2345,6 @@ ] }, { - "@timestamp": "2019-11-15T19:19:22.000Z", "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2556,7 +2361,6 @@ "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", "rsa.misc.msgIdPart2": "Log", - "rsa.time.event_time": "2019-11-15T19:19:22.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2565,7 +2369,6 @@ "user.name": "tvolup" }, { - "@timestamp": "2019-11-30T02:21:57.000Z", "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2581,7 +2384,6 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.event_time": "2019-11-30T02:21:57.000Z", "rsa.time.starttime": "2019-11-30T02:21:57.000Z", "service.type": "netscout", "tags": [ @@ -2591,7 +2393,6 @@ "user.name": "luptas" }, { - "@timestamp": "2019-12-14T09:24:31.000Z", "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", @@ -2606,7 +2407,6 @@ "rsa.misc.node": "aev", "rsa.misc.parent_node": "inrepr", "rsa.time.endtime": "2019-12-14T09:24:31.000Z", - "rsa.time.event_time": "2019-12-14T09:24:31.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", diff --git a/x-pack/filebeat/module/o365/audit/ingest/pipeline.yml b/x-pack/filebeat/module/o365/audit/ingest/pipeline.yml index 98fd4f0ff58..49371346925 100644 --- a/x-pack/filebeat/module/o365/audit/ingest/pipeline.yml +++ b/x-pack/filebeat/module/o365/audit/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: Pipeline for Office 365 Audit logs processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - user_agent: field: user_agent.original ignore_missing: true diff --git a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json index 92415bf00c4..56a4f778e7f 100644 --- a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json @@ -59,7 +59,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -127,7 +127,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -195,7 +195,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -263,7 +263,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", diff --git a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json index d6e9404a842..b5c79d506d1 100644 --- a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json @@ -67,7 +67,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -143,7 +143,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -219,7 +219,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -295,7 +295,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -372,7 +372,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -448,7 +448,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -524,7 +524,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -601,7 +601,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -677,7 +677,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -753,7 +753,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -829,7 +829,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", diff --git a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json index 9f10e9f89f3..cc096b3acc2 100644 --- a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json @@ -316,7 +316,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "user_agent.os.full": "Mac OS X 10.14", @@ -390,7 +390,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "user_agent.os.full": "Mac OS X 10.14", @@ -465,7 +465,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "user_agent.os.full": "Mac OS X 10.14", @@ -540,7 +540,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "user_agent.os.full": "Mac OS X 10.14", @@ -615,7 +615,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "user_agent.os.full": "Mac OS X 10.14", diff --git a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json index 2daa90ba4b7..60c77401b35 100644 --- a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json @@ -88,7 +88,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -185,7 +185,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -282,7 +282,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -379,7 +379,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -476,7 +476,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -573,7 +573,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -670,7 +670,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -767,7 +767,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -864,7 +864,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -961,7 +961,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1058,7 +1058,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1155,7 +1155,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1252,7 +1252,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1349,7 +1349,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1443,7 +1443,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1540,7 +1540,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1637,7 +1637,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1731,7 +1731,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1828,7 +1828,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1925,7 +1925,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2022,7 +2022,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2119,7 +2119,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2216,7 +2216,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2313,7 +2313,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2410,7 +2410,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2507,7 +2507,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2604,7 +2604,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2701,7 +2701,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2798,7 +2798,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2894,7 +2894,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2992,7 +2992,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3076,7 +3076,7 @@ "forwarded" ], "user.id": "Unknown", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3173,7 +3173,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3257,7 +3257,7 @@ "forwarded" ], "user.id": "Unknown", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3355,7 +3355,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3439,7 +3439,7 @@ "forwarded" ], "user.id": "Unknown", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3537,7 +3537,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3634,7 +3634,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3731,7 +3731,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3815,7 +3815,7 @@ "forwarded" ], "user.id": "Unknown", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3913,7 +3913,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4007,7 +4007,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4104,7 +4104,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4201,7 +4201,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4285,7 +4285,7 @@ "forwarded" ], "user.id": "Unknown", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4382,7 +4382,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4479,7 +4479,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4576,7 +4576,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4673,7 +4673,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4770,7 +4770,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4867,7 +4867,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4964,7 +4964,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5061,7 +5061,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5158,7 +5158,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5255,7 +5255,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5352,7 +5352,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5449,7 +5449,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5546,7 +5546,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5640,7 +5640,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5737,7 +5737,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5834,7 +5834,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5931,7 +5931,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6028,7 +6028,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6125,7 +6125,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6222,7 +6222,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6319,7 +6319,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6416,7 +6416,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6513,7 +6513,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6610,7 +6610,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", diff --git a/x-pack/filebeat/module/okta/system/ingest/pipeline.yml b/x-pack/filebeat/module/okta/system/ingest/pipeline.yml index 78f6fa37047..0da85185ca2 100644 --- a/x-pack/filebeat/module/okta/system/ingest/pipeline.yml +++ b/x-pack/filebeat/module/okta/system/ingest/pipeline.yml @@ -1,6 +1,9 @@ description: Pipeline for Okta system logs. processors: + - set: + field: event.ingested + value: "{{_ingest.timestamp}}" - user_agent: field: user_agent.original ignore_missing: true @@ -10,7 +13,7 @@ processors: ignore_missing: true - geoip: field: destination.ip - target_field: source.geo + target_field: destination.geo ignore_missing: true - geoip: database_file: GeoLite2-ASN.mmdb @@ -44,8 +47,8 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true - + on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json index c85eeff2148..437a7ea5627 100644 --- a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json +++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json @@ -65,7 +65,7 @@ "tags": [ "forwarded" ], - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.15", @@ -140,7 +140,7 @@ "tags": [ "forwarded" ], - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.15", @@ -230,7 +230,7 @@ "tags": [ "forwarded" ], - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.15", diff --git a/x-pack/filebeat/module/panw/fields.go b/x-pack/filebeat/module/panw/fields.go index 5864f7597ab..927d5d4f226 100644 --- a/x-pack/filebeat/module/panw/fields.go +++ b/x-pack/filebeat/module/panw/fields.go @@ -19,5 +19,5 @@ func init() { // AssetPanw returns asset data. // This is the base64 encoded gzipped contents of module/panw. func AssetPanw() string { - return "eJzMmM9u4zYQxu95irm5BeLcesmhQNpFgABpauw26HFBUyOJNcXRDkdxtU+/IC3LWouOtE42iG6STH6/+fNRpJewwfYaauW2FwBixGJ/l6HXbGox5K7h9wsAgL8oayxCTgwrZQlurBA8oGyJNx5+Wd08LP/+9OsFQG7QZv46DlqCU9Vh2nBJW+M1FExN3T1JiIXrNs4DOVMFUmKcA6pIcdX9aCgFR3rkD49Tqs9Jf6dPHOUTQe9iBkuFvxqOHWENyLix6FG+l+rwNthuibOjd88xAsCDqhAoj4xhcpBSCVRKdIkZSGk8ePTekLtKAnlqWGOSZ5SuaZouaUKA/wu6LGIJ1UuLT2g7MaD1f6jl6mh0Km1D0q/kjjmncjeDOFyfdlhBoKv3qawNeYwT5FyNkve6UL3KD5A5ddxg8GxRZxKtyMvy4eaffRlVljF6fwkm3z8Kb42HGjknrjAbM56u8yCzKcB9ACdezuAfR3C3SgH2qwhxKo97EEuueD2UIHaASVo1Qy/GqTDvG/l1oPjuTPthwPa+nDske4/2HVZ16OHh85cZedLKE2ae6aETMaVdPcPXk85+GdcMi7vd3uKN7N2pnWntWqv6s0l55BU8tFJ6gwJa1dIwwt2H6B8FUjKqU1mEF5poTkNrqqrGGWnToc8Jf2YKwvXnXi1mwNJ2WSpf9pvS0GG/LaWpD3viE42VG/tWm7wgdWZLheDO65c/jFPcQp+dfafsaDw6CbxrBOWUbb9iui7rNsbyr7HZreEwjp+MxtRyki5yMvcN2zdKfcP2zMxrJVgQtz/HzbexX2M9Hj/eh6+NLHxkf/x432unV+0wdl+QyzjmCTkzWoBcvI0VVi4D45MToJESGRaVskYbavziEhYFq3arGBeXQAyLNTpTuMWUiSxtx7Z/weHtLuwOnLLgmgrZaDAZOjG5QY5djEqX4/1C+hyHXxp0Gj+7plojJxkT37UJwHsqAJ1wOySLJ0zjwTjNWKETzDp5McraRB0fnfnS4CEkS0VEmoipW+wZnzmknpX30HXEu84JUnM+LkdQr9kGif8Wjhoh2vwH6MLNT+Xrs5YiGwIpffK8ModlOYK5iROCqA26nqD3yLcAAAD//yC/rB0=" + return "eJzMmM9u4zYQxu95irm5BeLcesmhQNpFgABpamw26DGgqbHEmuJoh6O42qcvSEu21qJtxU6C6GbJ5PebPx9JaQpLbK6hUm51ASBGLG5+Zeg1m0oMuWv4/QIA4C/KaouwIIaZsgQ3VggeUFbESw+/zG4epn8//noBsDBoM38dB03BqXI7bbikqfAacqa6au8kxMJ1G+eBBVMJUmCcA8pIcdX+qS8FO3rkt7dTqoekf9InjvKJoNcxg6XcX/XHDrB6ZFxb9Cg/S7V4S2xWxNnOs0OMAPCgSgRaRMYwOUihBEolusAMpDAePHpvyF0lgTzVrDHJM0jXcZo2aUKA/wm6LGIJVVOLL2hbMaD5v6jlamd0Km190h/kdjmP5W4Ecbge11hBoK33vqz1eYwT5IUaJO9toTYqryBzarfB4GBRRxLNyMv04eZbV0aVZYzeX4JZdLfCU+OhQl4Ql5gNGffXuZfZFGAXwJ6HI/iHEdzNUoCbVYQ4lccOxJLL3w4liG1hklbN0ItxKsz7QX7tKX46037psX0u5/bJPqN9+1Xte7h//zwjH7XyETOP9NCemNKuHuHro84+j2uExdFljMrvMfhJB4Rv4WAQ5wTV9R4Ichmw+oVNArn1YeeD1ptW7cS1ptKqejYp076BqWdKL1FAq0pqRrj7Eg2tQApGta+scKarxzhMU1nWzkiTDn1M+CNTEK4/O7WYAUuraaF8sTklh5b/bSp1tT2k72mshbEfdeoMUie2VAjutH75wzjFDWyy03XKmsajk8A7R1BO2eYHpusyb2Is/xib3RoO4/jFaEytb+kiJ3Nfs/2g1NdsT8y8VoI5cfM+br6N/Rrr8fT1Pmx/MvGR/enr/UY7vY2EsV1BLuOYF+TMaIGwsBa4rrByGRifnACNFMgwKZU12lDtJ5cwyVk1K8U4uQRimMzRmdxNjpnI0mpo+zM2i7twXHHKgqtLZKPBZOjELAxy7GJUuhgeYNIvlvi9Rqfx2dXlHDnJmNhojwDeUw7ohJs+WXzlNR6M04wlOsGslRejrE3U8cmZ7zVuQ7KUR6QjMbWLPeOBt+aT8h66jnjdOUFqzOayA/WWbZD42LHTCNHmr6ALP96Vb5O1FFkfSOm9L1BjWKYDmJs4IYhaotsQHPzmEtReKfJYoQ7ZXy9SYYLuo4+lPO2/ev58tpCv5wOx/wMAAP//TA8GjA==" } diff --git a/x-pack/filebeat/module/panw/panos/_meta/fields.yml b/x-pack/filebeat/module/panw/panos/_meta/fields.yml index a5900461f08..490befc3e65 100644 --- a/x-pack/filebeat/module/panw/panos/_meta/fields.yml +++ b/x-pack/filebeat/module/panw/panos/_meta/fields.yml @@ -61,6 +61,11 @@ description: > Post-NAT destination port. + - name: endreason + type: keyword + description: > + The reason a session terminated. + - name: network type: group description: > @@ -131,3 +136,9 @@ type: keyword description: >- Action taken for the session. + - name: type + description: >- + Specifies the type of the log + - name: sub_type + description: >- + Specifies the sub type of the log diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml index 8cf62c795ab..258dda2c70d 100644 --- a/x-pack/filebeat/module/panw/panos/config/input.yml +++ b/x-pack/filebeat/module/panw/panos/config/input.yml @@ -35,17 +35,18 @@ processors: - extract_array: field: csv overwrite_keys: true + omit_empty: true mappings: event.created: 1 observer.serial_number: 2 - _temp_.message_type: 3 - _temp_.message_subtype: 4 + panw.panos.type: 3 + panw.panos.sub_type: 4 _temp_.generated_time: 6 - extract_array: when: equals: - _temp_.message_type: TRAFFIC + panw.panos.type: TRAFFIC field: csv overwrite_keys: true omit_empty: true @@ -101,12 +102,13 @@ processors: source.packets: 44 server.packets: 45 destination.packets: 45 + panw.panos.endreason: 46 observer.hostname: 52 - extract_array: when: equals: - _temp_.message_type: THREAT + panw.panos.type: THREAT field: csv omit_empty: true overwrite_keys: true @@ -193,4 +195,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml index 7cc44f287b6..a958993a61c 100644 --- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml @@ -1,5 +1,8 @@ description: "Pipeline for Palo Alto Networks PAN-OS Logs" processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # keep message as log.original. - rename: @@ -131,72 +134,72 @@ processors: - set: field: network.direction value: inbound - if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "trust"' + if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "trust"' - set: field: network.direction value: outbound - if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "untrust"' + if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "untrust"' - set: field: network.direction value: internal - if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "trust"' + if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "trust" && ctx?.panw?.panos?.destination?.zone == "trust"' - set: field: network.direction value: external - if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "untrust"' + if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.panw?.panos?.source?.zone == "untrust" && ctx?.panw?.panos?.destination?.zone == "untrust"' - set: field: network.direction value: unknown - if: 'ctx?._temp_?.message_type == "TRAFFIC" && ((ctx?.panw?.panos?.source?.zone != "trust" && ctx?.panw?.panos?.source?.zone != "untrust") || (ctx?.panw?.panos?.destination?.zone != "trust" && ctx?.panw?.panos?.destination?.zone != "untrust"))' + if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ((ctx?.panw?.panos?.source?.zone != "trust" && ctx?.panw?.panos?.source?.zone != "untrust") || (ctx?.panw?.panos?.destination?.zone != "trust" && ctx?.panw?.panos?.destination?.zone != "untrust"))' # Set network.direction from threat direction (Threat logs). - set: field: network.direction value: inbound - if: 'ctx?._temp_?.message_type == "THREAT" && (ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")' + if: 'ctx?.panw?.panos?.type == "THREAT" && (ctx?._temp_?.direction == "0" || ctx?._temp_?.direction == "client-to-server")' - set: field: network.direction value: outbound - if: 'ctx?._temp_?.message_type == "THREAT" && (ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")' + if: 'ctx?.panw?.panos?.type == "THREAT" && (ctx?._temp_?.direction == "1" || ctx?._temp_?.direction == "server-to-client")' - set: field: network.direction value: unknown - if: 'ctx?._temp_?.message_type == "THREAT" && ctx?.network?.direction == null' + if: 'ctx?.panw?.panos?.type == "THREAT" && ctx?.network?.direction == null' # Set network.type for TRAFFIC. - set: field: network.type value: 'ipv4' - if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.labels?.ipv6_session == null' + if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.labels?.ipv6_session == null' - set: field: network.type value: 'ipv6' - if: 'ctx?._temp_?.message_type == "TRAFFIC" && ctx?.labels?.ipv6_session != null' + if: 'ctx?.panw?.panos?.type == "TRAFFIC" && ctx?.labels?.ipv6_session != null' # Set event.category depending on log type. - set: field: event.kind value: event - if: 'ctx?._temp_?.message_type == "TRAFFIC"' + if: 'ctx?.panw?.panos?.type == "TRAFFIC"' - append: field: event.category value: - network_traffic - network - if: 'ctx?._temp_?.message_type == "TRAFFIC"' + if: 'ctx?.panw?.panos?.type == "TRAFFIC"' - set: field: event.kind value: alert - if: 'ctx?._temp_?.message_type == "THREAT"' + if: 'ctx?.panw?.panos?.type == "THREAT"' - append: field: event.category value: - security_threat - intrusion_detection - network - if: 'ctx?._temp_?.message_type == "THREAT"' + if: 'ctx?.panw?.panos?.type == "THREAT"' - append: field: event.type value: allowed @@ -214,89 +217,89 @@ processors: - set: field: event.action value: flow_started - if: 'ctx?._temp_?.message_subtype == "start"' + if: 'ctx?.panw?.panos?.sub_type == "start"' - append: field: event.type value: - start - connection - if: 'ctx?._temp_?.message_subtype == "start"' + if: 'ctx?.panw?.panos?.sub_type == "start"' - set: field: event.action value: flow_terminated - if: 'ctx?._temp_?.message_subtype == "end"' + if: 'ctx?.panw?.panos?.sub_type == "end"' - append: field: event.type value: - end - connection - if: 'ctx?._temp_?.message_subtype == "end"' + if: 'ctx?.panw?.panos?.sub_type == "end"' - set: field: event.action value: flow_dropped - if: 'ctx?._temp_?.message_subtype == "drop"' + if: 'ctx?.panw?.panos?.sub_type == "drop"' - append: field: event.type value: - denied - connection - if: 'ctx?._temp_?.message_subtype == "drop"' + if: 'ctx?.panw?.panos?.sub_type == "drop"' - set: field: event.action value: flow_denied - if: 'ctx?._temp_?.message_subtype == "deny"' + if: 'ctx?.panw?.panos?.sub_type == "deny"' - append: field: event.type value: - denied - connection - if: 'ctx?._temp_?.message_subtype == "deny"' + if: 'ctx?.panw?.panos?.sub_type == "deny"' # event.action for threat logs. - set: field: event.action value: data_match - if: 'ctx?._temp_?.message_subtype == "data"' + if: 'ctx?.panw?.panos?.sub_type == "data"' - set: field: event.action value: file_match - if: 'ctx?._temp_?.message_subtype == "file"' + if: 'ctx?.panw?.panos?.sub_type == "file"' - set: field: event.action value: flood_detected - if: 'ctx?._temp_?.message_subtype == "flood"' + if: 'ctx?.panw?.panos?.sub_type == "flood"' - set: field: event.action value: packet_attack - if: 'ctx?._temp_?.message_subtype == "packet"' + if: 'ctx?.panw?.panos?.sub_type == "packet"' - set: field: event.action value: scan_detected - if: 'ctx?._temp_?.message_subtype == "scan"' + if: 'ctx?.panw?.panos?.sub_type == "scan"' - set: field: event.action value: spyware_detected - if: 'ctx?._temp_?.message_subtype == "spyware"' + if: 'ctx?.panw?.panos?.sub_type == "spyware"' - set: field: event.action value: url_filtering - if: 'ctx?._temp_?.message_subtype == "url"' + if: 'ctx?.panw?.panos?.sub_type == "url"' - set: field: event.action value: virus_detected - if: 'ctx?._temp_?.message_subtype == "virus"' + if: 'ctx?.panw?.panos?.sub_type == "virus"' - set: field: event.action value: exploit_detected - if: 'ctx?._temp_?.message_subtype == "vulnerability"' + if: 'ctx?.panw?.panos?.sub_type == "vulnerability"' - set: field: event.action - value: wildfire_veredict - if: 'ctx?._temp_?.message_subtype == "wildfire"' + value: wildfire_verdict + if: 'ctx?.panw?.panos?.sub_type == "wildfire"' - set: field: event.action value: wildfire_virus_detected - if: 'ctx?._temp_?.message_subtype == "wildfire-virus"' + if: 'ctx?.panw?.panos?.sub_type == "wildfire-virus"' # Set numeric log.level from event.severity. @@ -469,6 +472,12 @@ processors: value: "{{panw.panos.file.hash}}" if: "ctx?.panw?.panos?.file?.hash != null" + - append: + field: related.hosts + value: "{{observer.hostname}}" + if: "ctx?.observer?.hostname != null && ctx.observer?.hostname != ''" + allow_duplicates: false + # Remove temporary fields. - remove: field: diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json index c4d59a09d91..96530ab70f3 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json @@ -13,6 +13,8 @@ "observer.serial_number": "1606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "0", + "panw.panos.type": "CONFIG", "service.type": "panw", "tags": [ "pan-os", @@ -33,6 +35,8 @@ "observer.serial_number": "1606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "0", + "panw.panos.type": "CONFIG", "service.type": "panw", "tags": [ "pan-os", @@ -53,6 +57,8 @@ "observer.serial_number": "1606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "0", + "panw.panos.type": "CONFIG", "service.type": "panw", "tags": [ "pan-os", @@ -73,6 +79,8 @@ "observer.serial_number": "1606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "routing", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -93,6 +101,8 @@ "observer.serial_number": "1606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "vpn", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -113,6 +123,8 @@ "observer.serial_number": "1606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "routing", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -133,6 +145,8 @@ "observer.serial_number": "1606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "ras", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -153,6 +167,8 @@ "observer.serial_number": "1606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "0", + "panw.panos.type": "CONFIG", "service.type": "panw", "tags": [ "pan-os", @@ -173,6 +189,8 @@ "observer.serial_number": "1606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "0", + "panw.panos.type": "CONFIG", "service.type": "panw", "tags": [ "pan-os", @@ -193,6 +211,8 @@ "observer.serial_number": "1606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "routing", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -213,6 +233,8 @@ "observer.serial_number": "1606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "vpn", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -233,6 +255,8 @@ "observer.serial_number": "1606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "routing", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -253,6 +277,8 @@ "observer.serial_number": "1606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "vpn", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -273,6 +299,8 @@ "observer.serial_number": "1606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "ras", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -293,6 +321,8 @@ "observer.serial_number": "1606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "general", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -313,6 +343,8 @@ "observer.serial_number": "1606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "general", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -333,6 +365,8 @@ "observer.serial_number": "01606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "general", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -353,6 +387,8 @@ "observer.serial_number": "01606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "ras", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -373,6 +409,8 @@ "observer.serial_number": "01606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "vpn", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -393,6 +431,8 @@ "observer.serial_number": "01606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "routing", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -413,6 +453,8 @@ "observer.serial_number": "01606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "ras", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -433,6 +475,8 @@ "observer.serial_number": "01606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "routing", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -453,6 +497,8 @@ "observer.serial_number": "01606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "general", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -473,6 +519,8 @@ "observer.serial_number": "01606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "ras", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -493,6 +541,8 @@ "observer.serial_number": "01606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "vpn", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -513,6 +563,8 @@ "observer.serial_number": "01606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "routing", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -533,6 +585,8 @@ "observer.serial_number": "01606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "ras", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -553,6 +607,8 @@ "observer.serial_number": "01606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "vpn", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -573,6 +629,8 @@ "observer.serial_number": "01606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "0", + "panw.panos.type": "CONFIG", "service.type": "panw", "tags": [ "pan-os", @@ -593,6 +651,8 @@ "observer.serial_number": "01606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "0", + "panw.panos.type": "CONFIG", "service.type": "panw", "tags": [ "pan-os", @@ -613,6 +673,8 @@ "observer.serial_number": "01606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "general", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -633,6 +695,8 @@ "observer.serial_number": "01606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "ras", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -653,6 +717,8 @@ "observer.serial_number": "01606001116", "observer.type": "firewall", "observer.vendor": "Palo Alto Networks", + "panw.panos.sub_type": "vpn", + "panw.panos.type": "SYSTEM", "service.type": "panw", "tags": [ "pan-os", @@ -730,6 +796,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json index 6f61cf168de..37735ccfce0 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json @@ -62,9 +62,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "lorexx.cn/loader.exe", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -154,9 +156,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "lsiu.info/evo/count.php?o=2", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -246,9 +250,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "lsiu.info/evo/count.php?o=5", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -338,9 +344,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "lsiu.info/evo/count.php?o=7", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -430,9 +438,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -522,9 +532,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -614,9 +626,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "liteautobestguide.cn/load.php", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -706,9 +720,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "liteautobestguide.cn/index.php", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -798,9 +814,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "litetopdetect.cn/index.php", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -890,9 +908,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -982,9 +1002,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "girlteenxxxfreemov.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -1074,9 +1096,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "imagesrepository.com/resolution.php", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -1166,9 +1190,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "hottestfiles.com/search/search.php?q=xxx", + "panw.panos.type": "THREAT", "panw.panos.url.category": "search-engines", "related.ip": [ "192.168.0.2", @@ -1257,9 +1283,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "infodist1.com/in.cgi?11¶meter=404", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -1349,9 +1377,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "cls-softwares.com/suc.php", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -1441,9 +1471,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "cls-softwares.com/softwarefortubeview.40013.exe", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -1529,9 +1561,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "findmorepill.com/klik/search.php?q=xxx", + "panw.panos.type": "THREAT", "panw.panos.url.category": "online-gambling", "related.ip": [ "192.168.0.2", @@ -1621,9 +1655,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "allowedwebsurfing.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -1713,9 +1749,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "antivirus-remote.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -1805,9 +1843,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "bklinkov.ru/hi/start.cfg", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -1897,9 +1937,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "blogsexnakedgirlxxx.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -1989,9 +2031,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "bklinkov.ru/hi/start.exe", + "panw.panos.type": "THREAT", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -2081,9 +2125,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "-/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -2173,9 +2219,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "-/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -2265,9 +2313,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "-/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -2357,9 +2407,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "-/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -2449,9 +2501,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "-/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -2541,9 +2595,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "-/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -2633,9 +2689,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "-/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -2725,9 +2783,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "-/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -2817,9 +2877,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "-/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -2909,9 +2971,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "-/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -3001,9 +3065,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "-/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -3089,9 +3155,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "wantfinest.com/tds/in.cgi?default", + "panw.panos.type": "THREAT", "panw.panos.url.category": "unknown", "related.ip": [ "192.168.0.2", @@ -3177,9 +3245,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "sameshitasiteverwas.com/traf/tds/in.cgi?2", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -3265,9 +3335,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "svarkon.ru/update.exe", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -3356,9 +3428,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "onlinescanxpp.com/land/eurl/1.php?code=", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -3444,9 +3518,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -3532,9 +3608,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "nolagtime.com/gwc.txt", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -3623,9 +3701,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "karavan.us/bon/index.php", + "panw.panos.type": "THREAT", "panw.panos.url.category": "unknown", "related.ip": [ "192.168.0.2", @@ -3711,9 +3791,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "findnolimits.com/go.php?sid=1", + "panw.panos.type": "THREAT", "panw.panos.url.category": "dead-sites", "related.ip": [ "192.168.0.2", @@ -3799,9 +3881,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "bizoplata.ru/moun.html", + "panw.panos.type": "THREAT", "panw.panos.url.category": "parked-domains", "related.ip": [ "192.168.0.2", @@ -3887,9 +3971,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "bizoplata.ru/palast.html", + "panw.panos.type": "THREAT", "panw.panos.url.category": "parked-domains", "related.ip": [ "192.168.0.2", @@ -3966,9 +4052,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "spyware", "panw.panos.threat.id": "13024", "panw.panos.threat.name": "Bredolab.Gen Command and Control Traffic", "panw.panos.threat.resource": "controller.php", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "204.232.231.46", @@ -4066,9 +4154,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "www.15min.it/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -4154,9 +4244,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "tubemov.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "adult-and-pornography", "related.ip": [ "192.168.0.2", @@ -4242,9 +4334,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -4330,9 +4424,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "movfree.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "spyware-and-adware", "related.ip": [ "192.168.0.2", @@ -4421,9 +4517,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "gometascan.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -4512,9 +4610,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "antivirus-powerful-scannerv2.com/download/Install_11-1.exe", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -4603,9 +4703,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -4694,9 +4796,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "basdzsdas.com/poker/config.bin", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -4785,9 +4889,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "basdzsdas.com/poker/config.bin", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -4867,9 +4973,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "file", "panw.panos.threat.id": "52020", "panw.panos.threat.name": "Windows Executable (EXE)", "panw.panos.threat.resource": "uLLGRaXP.exe", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "173.236.179.57", @@ -4967,9 +5075,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "basdzsdas.com/poker/config.bin", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -5049,9 +5159,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "file", "panw.panos.threat.id": "52020", "panw.panos.threat.name": "Windows Executable (EXE)", "panw.panos.threat.resource": "FunkyEmoticons_setup.exe", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "91.209.163.202", @@ -5140,9 +5252,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "file", "panw.panos.threat.id": "52020", "panw.panos.threat.name": "Windows Executable (EXE)", "panw.panos.threat.resource": "52hxw.exe", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "122.226.169.183", @@ -5239,9 +5353,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "softsellfast.com/test/config.bin", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -5321,9 +5437,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "file", "panw.panos.threat.id": "52020", "panw.panos.threat.name": "Windows Executable (EXE)", "panw.panos.threat.resource": "setup.exe", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "109.201.131.15", @@ -5409,9 +5527,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "file", "panw.panos.threat.id": "52020", "panw.panos.threat.name": "Windows Executable (EXE)", "panw.panos.threat.resource": "Live-Player_setup.exe", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "91.209.163.202", @@ -5506,9 +5626,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "boialex.narod.ru/config.txt", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -5594,9 +5716,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "edw-melon.narod.ru/config.txt", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -5682,9 +5806,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "maximtushin.narod.ru/config.txt", + "panw.panos.type": "THREAT", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -5764,9 +5890,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "file", "panw.panos.threat.id": "52020", "panw.panos.threat.name": "Windows Executable (EXE)", "panw.panos.threat.resource": "uLLGRaXP.exe", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "173.236.179.57", @@ -5864,9 +5992,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "marketingsoluchion.biz/fkn/config.bin", + "panw.panos.type": "THREAT", "panw.panos.url.category": "unknown", "related.ip": [ "192.168.0.2", @@ -5955,9 +6085,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "default.aspx", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.6", @@ -6037,9 +6169,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "sck.aspx", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "65.54.161.34", @@ -6128,9 +6262,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "ADSAdClient31.dll", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "65.55.5.231", @@ -6228,9 +6364,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "c.gif", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.6", @@ -6310,9 +6448,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "csi", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.239.17", @@ -6404,9 +6544,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "internal-tuner.pandora.com", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -6486,9 +6628,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.224.198", @@ -6574,9 +6718,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "file", "panw.panos.threat.id": "52020", "panw.panos.threat.name": "Windows Executable (EXE)", "panw.panos.threat.resource": "about.exe", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "188.190.124.75", @@ -6665,9 +6811,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.224.200", @@ -6753,9 +6901,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.239.3", @@ -6841,9 +6991,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.239.3", @@ -6929,9 +7081,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.224.200", @@ -7023,9 +7177,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "__utm.gif", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -7105,9 +7261,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.224.193", @@ -7193,9 +7351,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "nav_logo107.png", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.239.20", @@ -7281,9 +7441,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "Eadweard_Muybridge", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "208.80.154.225", @@ -7369,9 +7531,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "load.php", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "208.80.154.234", @@ -7457,9 +7621,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "8fe44cb728c0f40750c64ee906eb72.css", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "65.54.75.25", @@ -7548,9 +7714,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.224.206", @@ -7636,9 +7804,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.224.195", @@ -7724,9 +7894,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "appcast.xml", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "207.178.96.34", @@ -7815,9 +7987,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.224.195", @@ -7903,9 +8077,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "csi", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.239.20", @@ -7991,9 +8167,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "index.php", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "66.152.109.24", @@ -8082,9 +8260,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.224.200", @@ -8176,9 +8356,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "__utm.gif", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -8258,9 +8440,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.224.200", @@ -8346,9 +8530,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.224.200", @@ -8440,9 +8626,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "internal-tuner.pandora.com", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -8522,9 +8710,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.224.201", @@ -8610,9 +8800,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.224.201", @@ -8698,9 +8890,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.224.200", @@ -8786,9 +8980,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.224.200", @@ -8874,9 +9070,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "ga.js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.224.198", @@ -8962,9 +9160,11 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "data", "panw.panos.threat.id": "60000", "panw.panos.threat.name": "PII", "panw.panos.threat.resource": "js", + "panw.panos.type": "THREAT", "panw.panos.url.category": "any", "related.ip": [ "74.125.224.200", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json index 11116597ea6..587b481636f 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json @@ -70,6 +70,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -166,6 +168,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -262,6 +266,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -361,6 +367,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -460,6 +468,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -556,6 +566,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -652,6 +664,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -751,6 +765,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -850,6 +866,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -949,6 +967,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -1048,6 +1068,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -1147,6 +1169,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -1246,6 +1270,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -1345,6 +1371,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -1444,6 +1472,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -1543,6 +1573,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -1642,6 +1674,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -1741,6 +1775,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -1840,6 +1876,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -1936,6 +1974,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -2032,6 +2072,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -2131,6 +2173,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -2227,6 +2271,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -2326,6 +2372,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -2425,6 +2473,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "private-ip-addresses", "related.ip": [ "192.168.0.2", @@ -2524,6 +2574,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -2620,6 +2672,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -2716,6 +2770,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -2815,6 +2871,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -2914,6 +2972,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -3010,6 +3070,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -3109,6 +3171,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "search-engines", "related.ip": [ "192.168.0.2", @@ -3208,6 +3272,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -3304,6 +3370,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -3400,6 +3468,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -3499,6 +3569,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -3598,6 +3670,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -3694,6 +3768,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -3790,6 +3866,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -3884,6 +3962,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.100", @@ -3975,6 +4055,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "entertainment-and-arts", "related.ip": [ "192.168.0.2", @@ -4072,6 +4154,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-security", "related.ip": [ "192.168.0.100", @@ -4166,6 +4250,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -4265,6 +4351,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -4359,6 +4447,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.100", @@ -4453,6 +4543,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -4549,6 +4641,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -4648,6 +4742,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -4744,6 +4840,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -4840,6 +4938,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -4936,6 +5036,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -5032,6 +5134,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -5128,6 +5232,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", "related.ip": [ "192.168.0.2", @@ -5227,6 +5333,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "search-engines", "related.ip": [ "192.168.0.2", @@ -5326,6 +5434,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "malware-sites", "related.ip": [ "192.168.0.2", @@ -5422,6 +5532,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -5521,6 +5633,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -5617,6 +5731,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -5713,6 +5829,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -5812,6 +5930,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -5911,6 +6031,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -6007,6 +6129,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -6103,6 +6227,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -6199,6 +6325,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "entertainment-and-arts", "related.ip": [ "192.168.0.2", @@ -6295,6 +6423,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -6391,6 +6521,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -6487,6 +6619,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -6586,6 +6720,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -6682,6 +6818,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", "related.ip": [ "192.168.0.2", @@ -6781,6 +6919,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -6877,6 +7017,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -6973,6 +7115,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -7072,6 +7216,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -7168,6 +7314,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "not-resolved", "related.ip": [ "192.168.0.2", @@ -7264,6 +7412,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -7360,6 +7510,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -7459,6 +7611,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -7549,6 +7703,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -7648,6 +7804,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "search-engines", "related.ip": [ "192.168.0.2", @@ -7747,6 +7905,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "search-engines", "related.ip": [ "192.168.0.2", @@ -7837,6 +7997,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -7927,6 +8089,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -8026,6 +8190,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -8122,6 +8288,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -8218,6 +8386,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -8317,6 +8487,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -8413,6 +8585,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -8503,6 +8677,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -8599,6 +8775,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -8698,6 +8876,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -8794,6 +8974,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -8890,6 +9072,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -8986,6 +9170,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "entertainment-and-arts", "related.ip": [ "192.168.0.2", @@ -9085,6 +9271,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -9184,6 +9372,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -9283,6 +9473,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -9373,6 +9565,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -9472,6 +9666,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -9571,6 +9767,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", @@ -9670,6 +9868,8 @@ "panw.panos.source.nat.ip": "0.0.0.0", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", "related.ip": [ "192.168.0.2", diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json index 40105c59295..93fe08f75d9 100644 --- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json @@ -67,10 +67,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 37679, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -163,10 +168,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 28249, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -259,10 +269,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 63898, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -355,10 +370,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 7515, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -451,10 +471,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 3225, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -547,10 +572,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 60449, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -643,10 +673,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 60559, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -739,10 +774,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 47414, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -835,10 +875,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 37673, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -931,10 +976,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 8232, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1027,10 +1077,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 32982, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1123,10 +1178,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 10473, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1219,10 +1279,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 20446, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1315,10 +1380,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 34699, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1411,10 +1481,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 22820, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1507,10 +1582,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 41060, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1603,10 +1683,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 9058, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1699,10 +1784,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 54846, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1795,10 +1885,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 52731, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1891,10 +1986,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 15165, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1987,10 +2087,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 53918, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "b.scorecardresearch.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.137.131", @@ -2083,10 +2188,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 40792, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2179,10 +2289,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 54044, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2275,10 +2390,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 19544, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2371,10 +2491,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 13462, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2467,10 +2592,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 44892, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2563,10 +2693,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 16487, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2659,10 +2794,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 23952, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2755,10 +2895,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 2810, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2851,10 +2996,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 13272, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2947,10 +3097,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 8663, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3043,10 +3198,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 55738, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3139,10 +3299,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 10650, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3235,10 +3400,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 44087, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3331,10 +3501,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 15915, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "consent.cmp.oath.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3427,10 +3602,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 41165, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "cdn.taboola.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "151.101.2.2", @@ -3526,10 +3706,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 54133, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "rules.quantcount.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.192.7.152", @@ -3625,10 +3810,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 8485, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -3724,10 +3914,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 12496, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -3823,10 +4018,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 17029, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -3922,10 +4122,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 23696, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4021,10 +4226,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 34769, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4120,10 +4330,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 22486, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4219,10 +4434,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 12894, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4318,10 +4538,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 62348, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4417,10 +4642,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 6224, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4516,10 +4746,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 44120, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4615,10 +4850,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 44228, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4714,10 +4954,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 31322, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4813,10 +5058,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 1672, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "www.googleadservices.com/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "216.58.194.98", @@ -4909,10 +5159,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 20801, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "service.maxymiser.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5005,10 +5260,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 24533, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "service.maxymiser.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5101,10 +5361,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 30150, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "service.maxymiser.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5197,10 +5462,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 36305, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "service.maxymiser.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5293,10 +5563,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 42682, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "service.maxymiser.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5389,10 +5664,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 22530, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "service.maxymiser.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5485,10 +5765,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 43713, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "service.maxymiser.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5581,10 +5866,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 60608, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "service.maxymiser.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5677,10 +5967,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 9302, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "service.maxymiser.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5773,10 +6068,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 11634, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "service.maxymiser.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5872,10 +6172,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 30818, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "segment-data.zqtk.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -5971,10 +6276,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 64260, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "segment-data.zqtk.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6070,10 +6380,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 7071, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "segment-data.zqtk.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6169,10 +6484,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 4512, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "segment-data.zqtk.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6268,10 +6588,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 3422, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "segment-data.zqtk.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6367,10 +6692,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 4651, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "segment-data.zqtk.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6466,10 +6796,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 19068, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "segment-data.zqtk.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6565,10 +6900,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 5831, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "segment-data.zqtk.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6664,10 +7004,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 7084, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "segment-data.zqtk.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6763,10 +7108,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 18633, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "segment-data.zqtk.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6862,10 +7212,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 25557, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "segment-data.zqtk.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6961,10 +7316,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 20661, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "segment-data.zqtk.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7060,10 +7420,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 65438, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "segment-data.zqtk.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7159,10 +7524,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 53101, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "segment-data.zqtk.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7258,10 +7628,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 35463, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "segment-data.zqtk.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7357,10 +7732,15 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 45769, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "url", "panw.panos.threat.id": "9999", "panw.panos.threat.name": "URL-filtering", "panw.panos.threat.resource": "segment-data.zqtk.net/", + "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", diff --git a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json index 62c6b543cca..5f979092c4b 100644 --- a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json @@ -67,6 +67,7 @@ "panw.panos.destination.nat.ip": "184.51.253.152", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "22751", "panw.panos.network.nat.community_id": "1:D1fZ8H3SfYS5p3yDzVdiwbnGJlU=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -75,7 +76,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 16418, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "184.51.253.152", @@ -170,6 +176,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24223", "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -178,7 +185,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -276,6 +288,7 @@ "panw.panos.destination.nat.ip": "17.253.3.202", "panw.panos.destination.nat.port": 80, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "24138", "panw.panos.network.nat.community_id": "1:VnGCPYRgvHZCFJBmPOwtCg7/sMY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -284,7 +297,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 51990, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "17.253.3.202", @@ -379,6 +397,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24043", "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -387,7 +406,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -485,6 +509,7 @@ "panw.panos.destination.nat.ip": "216.58.194.99", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "23003", "panw.panos.network.nat.community_id": "1:pvg9sIAzBs2eyqMclcdCIYEBO1Q=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -493,7 +518,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 15252, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.196", "216.58.194.99", @@ -588,6 +618,7 @@ "panw.panos.destination.nat.ip": "209.234.224.22", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "23919", "panw.panos.network.nat.community_id": "1:u81/Ahz4HsL4LAVrUEiPkbXlX9A=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -596,7 +627,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 40763, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "209.234.224.22", @@ -691,6 +727,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "21394", "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -699,7 +736,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -794,6 +836,7 @@ "panw.panos.destination.nat.ip": "172.217.2.238", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "23698", "panw.panos.network.nat.community_id": "1:DoBKpBbAds/XQwbKPGjMrcuHTGo=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -802,7 +845,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 52881, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "172.217.2.238", @@ -897,6 +945,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24179", "panw.panos.network.nat.community_id": "1:viuINkmqZ3Q7wH9NHmhVu6rZuOs=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -905,7 +954,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 26654, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1000,6 +1054,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "23933", "panw.panos.network.nat.community_id": "1:wR8JpmqlhC4f7BvxdzxRlKdkPiQ=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -1008,7 +1063,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 2486, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1103,6 +1163,7 @@ "panw.panos.destination.nat.ip": "17.249.60.78", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-rst-from-client", "panw.panos.flow_id": "22662", "panw.panos.network.nat.community_id": "1:JuPhgq+FyomxcGW/tt851C0l4Hg=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -1111,7 +1172,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 42021, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "17.249.60.78", @@ -1206,6 +1272,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24161", "panw.panos.network.nat.community_id": "1:rsDXUIQYGBC2VYTxep2/bVIc3Xs=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -1214,7 +1281,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 24377, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1309,6 +1381,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24107", "panw.panos.network.nat.community_id": "1:ewaPydF3S4wOU8oEi8ykj+ETSIY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -1317,7 +1390,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 48792, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1412,6 +1490,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24063", "panw.panos.network.nat.community_id": "1:+6FjOLCCWY+JDxSWKn7tYpAXksA=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -1420,7 +1499,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 2987, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1515,6 +1599,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24145", "panw.panos.network.nat.community_id": "1:rR5F8eZHI1nwmznedxqG9e8vUQE=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -1523,7 +1608,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 6945, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1618,6 +1708,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24245", "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -1626,7 +1717,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -1721,6 +1817,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24167", "panw.panos.network.nat.community_id": "1:81Mi4MwpmNYtUrc7CMJH0MPRelU=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -1729,7 +1826,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 42208, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -1824,6 +1926,7 @@ "panw.panos.destination.nat.ip": "98.138.49.44", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "24212", "panw.panos.network.nat.community_id": "1:FfbVY/+5Mds7zDjSs5/Yfw5bxNQ=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -1832,7 +1935,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 14660, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "98.138.49.44", @@ -1927,6 +2035,7 @@ "panw.panos.destination.nat.ip": "72.30.3.43", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "24149", "panw.panos.network.nat.community_id": "1:TGvDRLypWuNWkuMsAxPzc5TSbAo=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -1935,7 +2044,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 16483, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "72.30.3.43", @@ -2030,6 +2144,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24185", "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -2038,7 +2153,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.196", "8.8.8.8", @@ -2133,6 +2253,7 @@ "panw.panos.destination.nat.ip": "172.217.9.142", "panw.panos.destination.nat.port": 80, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "23856", "panw.panos.network.nat.community_id": "1:NNgF+9vrbBFNpCI3JhUT4YWepd4=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -2141,7 +2262,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 5570, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "172.217.9.142", @@ -2236,6 +2362,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24173", "panw.panos.network.nat.community_id": "1:9T+RKr8xDB21pvAf/Fihyq72sLY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -2244,7 +2371,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 24430, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -2342,6 +2474,7 @@ "panw.panos.destination.nat.ip": "54.84.80.198", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "24257", "panw.panos.network.nat.community_id": "1:k69UBIONLgCiGo9UhMOEY0pQnZ4=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -2350,7 +2483,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 12122, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "start", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.84.80.198", @@ -2446,6 +2584,7 @@ "panw.panos.destination.nat.ip": "199.167.55.52", "panw.panos.destination.nat.port": 4282, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24090", "panw.panos.network.nat.community_id": "1:07q7McJtir76GhJwAJffz+C0sNo=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -2454,7 +2593,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 49145, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "drop", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "199.167.55.52", @@ -2549,6 +2693,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24242", "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -2557,7 +2702,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "deny", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -2649,6 +2799,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24190", "panw.panos.network.nat.community_id": "1:JM1EdN05nKTy8Sq9WGpY15fCNJk=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -2657,7 +2808,11 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 33110, "panw.panos.source.zone": "trust", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.210", "8.8.8.8", @@ -2749,6 +2904,7 @@ "panw.panos.destination.nat.ip": "172.217.9.142", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "23892", "panw.panos.network.nat.community_id": "1:3vS12CJ5QBY6RbGXOUPYKL9E0+U=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -2757,7 +2913,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 9299, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "test", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "172.217.9.142", @@ -2852,6 +3013,7 @@ "panw.panos.destination.nat.ip": "151.101.2.2", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-rst-from-client", "panw.panos.flow_id": "24360", "panw.panos.network.nat.community_id": "1:l6nFWeOSs/2aQaVCfYhfQ09l0ko=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -2860,7 +3022,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 47194, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "151.101.2.2", @@ -2958,6 +3125,7 @@ "panw.panos.destination.nat.ip": "216.58.194.66", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "23952", "panw.panos.network.nat.community_id": "1:hVpNmZPedeB/gYRm9U4/gS+LNkQ=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -2966,7 +3134,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 62921, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "216.58.194.66", @@ -3061,6 +3234,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24328", "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -3069,7 +3243,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -3164,6 +3343,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24385", "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -3172,7 +3352,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.210", "8.8.8.8", @@ -3267,6 +3452,7 @@ "panw.panos.destination.nat.ip": "184.51.253.193", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "24172", "panw.panos.network.nat.community_id": "1:zBrhHOnlJT7YZV7WXiPAQBEhScI=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -3275,7 +3461,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 41958, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "184.51.253.193", @@ -3370,6 +3561,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24131", "panw.panos.network.nat.community_id": "1:QjiWUuclXv+JzWhbuYDyyP+YyTk=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -3378,7 +3570,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 51374, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -3474,6 +3671,7 @@ "panw.panos.destination.nat.ip": "199.167.55.52", "panw.panos.destination.nat.port": 4282, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24393", "panw.panos.network.nat.community_id": "1:WSYAeVnYXY4WmfLFYEEo/atQJE8=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -3482,7 +3680,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 25566, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "199.167.55.52", @@ -3580,6 +3783,7 @@ "panw.panos.destination.nat.ip": "199.167.52.219", "panw.panos.destination.nat.port": 17472, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-rst-from-client", "panw.panos.flow_id": "24976", "panw.panos.network.nat.community_id": "1:XrQuj5ypAzAqGAy0lpIvWQVVZ2E=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -3588,7 +3792,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 63757, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "199.167.52.219", @@ -3686,6 +3895,7 @@ "panw.panos.destination.nat.ip": "52.71.117.196", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-rst-from-client", "panw.panos.flow_id": "24348", "panw.panos.network.nat.community_id": "1:EG9O/WtvoWuYwaB1MXJTgr43kac=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -3694,7 +3904,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 3803, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.71.117.196", @@ -3789,6 +4004,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24046", "panw.panos.network.nat.community_id": "1:eI0W7/EQJgRBimA1ZM4XVOSKMqo=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -3797,7 +4013,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 34994, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -3892,6 +4113,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24196", "panw.panos.network.nat.community_id": "1:uSrPYHIl4eJpdC+J0IAMuGStuNc=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -3900,7 +4122,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 38064, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -3998,6 +4225,7 @@ "panw.panos.destination.nat.ip": "35.186.194.41", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "24264", "panw.panos.network.nat.community_id": "1:djhBHAw6H+Q9Bcz6i7V+GTrjtzA=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -4006,7 +4234,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 42924, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "insufficient-content", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.186.194.41", @@ -4100,6 +4333,7 @@ "panw.panos.destination.nat.ip": "35.201.124.9", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "24248", "panw.panos.network.nat.community_id": "1:hIY5A8O11VWtEfpYG2l5voTvbVQ=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -4108,7 +4342,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 58977, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "insufficient-content", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.201.124.9", @@ -4206,6 +4445,7 @@ "panw.panos.destination.nat.ip": "100.24.131.237", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-rst-from-client", "panw.panos.flow_id": "24268", "panw.panos.network.nat.community_id": "1:sXYelUOdA/EfjcKKE8M5kPe+M+c=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -4214,7 +4454,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 64732, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "100.24.131.237", @@ -4309,6 +4554,7 @@ "panw.panos.destination.nat.ip": "184.51.252.247", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-rst-from-client", "panw.panos.flow_id": "24175", "panw.panos.network.nat.community_id": "1:D6pPzYoIWTOXxVzuweKvZYK6FVE=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -4317,7 +4563,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 58292, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "184.51.252.247", @@ -4415,6 +4666,7 @@ "panw.panos.destination.nat.ip": "35.190.88.148", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "24312", "panw.panos.network.nat.community_id": "1:VFQjrA+iaNcIu6vFJNU6ls7+4Is=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -4423,7 +4675,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 32209, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.190.88.148", @@ -4521,6 +4778,7 @@ "panw.panos.destination.nat.ip": "35.186.243.83", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "24164", "panw.panos.network.nat.community_id": "1:Xx31zYZNYc/mjf2GOihkp6JogmA=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -4529,7 +4787,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 38822, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.186.243.83", @@ -4624,6 +4887,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24198", "panw.panos.network.nat.community_id": "1:445AeHI1LAvb+ii4arRZeLAO4zM=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -4632,7 +4896,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 16044, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -4727,6 +4996,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "trust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24184", "panw.panos.network.nat.community_id": "1:+5KwsEYW+tFecEENSBwHbKTvUv8=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -4735,7 +5005,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 56614, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -4833,6 +5108,7 @@ "panw.panos.destination.nat.ip": "100.24.165.74", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "trust", + "panw.panos.endreason": "tcp-rst-from-client", "panw.panos.flow_id": "24314", "panw.panos.network.nat.community_id": "1:DRqq/mx90TOYq1a5yLf562kwIvc=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -4841,7 +5117,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 53168, "panw.panos.source.zone": "untrust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "100.24.165.74", @@ -4936,6 +5217,7 @@ "panw.panos.destination.nat.ip": "184.51.252.247", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-rst-from-client", "panw.panos.flow_id": "24204", "panw.panos.network.nat.community_id": "1:vx03vuDn4sh2/e89Lm3RoSpVIVM=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -4944,7 +5226,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 28012, "panw.panos.source.zone": "xtrust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "184.51.252.247", @@ -5038,6 +5325,7 @@ "panw.panos.destination.nat.ip": "35.201.94.140", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "xuntrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "24234", "panw.panos.network.nat.community_id": "1:u1uvQ3wfJoaG/nNiBhvQMHQSVlU=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -5046,7 +5334,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 16050, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.201.94.140", @@ -5138,6 +5431,7 @@ "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 0, + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24390", "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -5145,7 +5439,12 @@ "panw.panos.source.interface": "ethernet1/2", "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 0, + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5240,6 +5539,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24093", "panw.panos.network.nat.community_id": "1:lz0ZCL4R4wwyqmvefpkiJk7yR18=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -5248,7 +5548,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 61722, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5343,6 +5648,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24117", "panw.panos.network.nat.community_id": "1:DkOVz0BGrlh9OPZZ8+58eugW7gU=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -5351,7 +5657,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 14247, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5446,6 +5757,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24142", "panw.panos.network.nat.community_id": "1:twx1eOqehbazvI0g0nkTeVynrY0=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -5454,7 +5766,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 33580, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5549,6 +5866,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24195", "panw.panos.network.nat.community_id": "1:hcgjXpi+ne3QnFDBLeskkVg4V+M=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -5557,7 +5875,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 13498, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5652,6 +5975,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24124", "panw.panos.network.nat.community_id": "1:C91XK45Q10iqwwp4XYM+Wg1Ua8A=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -5660,7 +5984,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 20365, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5755,6 +6084,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24153", "panw.panos.network.nat.community_id": "1:hsTAFtOdeb7+Ofe152B+9h69mbE=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -5763,7 +6093,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 61464, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5858,6 +6193,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24122", "panw.panos.network.nat.community_id": "1:htOXUg3QOGd0fpgLjYzQlvRMzUQ=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -5866,7 +6202,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 42877, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.196", "8.8.8.8", @@ -5961,6 +6302,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24171", "panw.panos.network.nat.community_id": "1:gHWCOTtilTTqOn7fOKh7zVq45Xw=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -5969,7 +6311,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 5918, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6064,6 +6411,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24069", "panw.panos.network.nat.community_id": "1:OGDvpe1+4KQfCsxk0I61jm0+DIc=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -6072,7 +6420,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 28944, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6167,6 +6520,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24282", "panw.panos.network.nat.community_id": "1:po/vy4RoD5WeFPgCZnduQkE47yY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -6175,7 +6529,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 13415, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6270,6 +6629,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24218", "panw.panos.network.nat.community_id": "1:wIxYOe++IxscmxBcRwrPGEIlZF4=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -6278,7 +6638,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 2489, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6373,6 +6738,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24200", "panw.panos.network.nat.community_id": "1:xN7R3QI47jVAQhgJrOAvdsu+oes=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -6381,7 +6747,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 49328, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6476,6 +6847,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24224", "panw.panos.network.nat.community_id": "1:BxuDgAhR5Rh55XOXYnYF+6GKhps=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -6484,7 +6856,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 36036, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6582,6 +6959,7 @@ "panw.panos.destination.nat.ip": "66.28.0.45", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24240", "panw.panos.network.nat.community_id": "1:Yv+Yq/7HK9SajeKHOV50RYQWjRU=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -6590,7 +6968,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 33744, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "66.28.0.45", @@ -6685,6 +7068,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24183", "panw.panos.network.nat.community_id": "1:MxVcaRP5Y1xyEiYiNsmO1lVcN+A=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -6693,7 +7077,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 45809, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6788,6 +7177,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24211", "panw.panos.network.nat.community_id": "1:p8DU1xLXG63f/3s/r6ZKJcQo9u8=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -6796,7 +7186,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 3675, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6891,6 +7286,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24253", "panw.panos.network.nat.community_id": "1:bU3nBIz+M3cDoPKg8azcJgVx+8Q=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -6899,7 +7295,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 5787, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6994,6 +7395,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24221", "panw.panos.network.nat.community_id": "1:vnb4ttnFy2i39tg89p3jkGs6eDg=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -7002,7 +7404,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 12342, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7097,6 +7504,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24310", "panw.panos.network.nat.community_id": "1:71/qcXOmOV3sXCqZ1T6JVPlE9y8=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -7105,7 +7513,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 18729, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7203,6 +7616,7 @@ "panw.panos.destination.nat.ip": "23.52.174.25", "panw.panos.destination.nat.port": 80, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "24326", "panw.panos.network.nat.community_id": "1:5ECmBtgiSUvWFJAA318pVeeu5Pw=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -7211,7 +7625,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 57858, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.52.174.25", @@ -7306,6 +7725,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24201", "panw.panos.network.nat.community_id": "1:hxrz+dYE5XEf60JMlFz6JKWD6Ek=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -7314,7 +7734,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 2722, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7409,6 +7834,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24130", "panw.panos.network.nat.community_id": "1:8cb9oPS9OJnzqGAkowgmRpiqmJU=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -7417,7 +7843,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 6674, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7515,6 +7946,7 @@ "panw.panos.destination.nat.ip": "54.230.5.228", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "24237", "panw.panos.network.nat.community_id": "1:Qc2oBV7ermdHPwGTWFOi4D1TcLg=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -7523,7 +7955,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 37427, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.230.5.228", @@ -7618,6 +8055,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24108", "panw.panos.network.nat.community_id": "1:5IHTDvzRd4yPLPdpI4ErHcRK4/w=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -7626,7 +8064,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 22408, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7721,6 +8164,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24247", "panw.panos.network.nat.community_id": "1:0s4n+/itsIbV3mUc8OnOxmZ6exs=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -7729,7 +8173,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 27899, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7824,6 +8273,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24098", "panw.panos.network.nat.community_id": "1:+GsjKlESn/QeXwrAsS8c8EaMzi0=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -7832,7 +8282,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 52939, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7927,6 +8382,7 @@ "panw.panos.destination.nat.ip": "208.83.246.20", "panw.panos.destination.nat.port": 123, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24263", "panw.panos.network.nat.community_id": "1:OSARbLstqz9D5CGo0NQuv0a9g20=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -7935,7 +8391,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 42907, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.195", "208.83.246.20", @@ -8029,6 +8490,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24258", "panw.panos.network.nat.community_id": "1:Cc+ekkpKaB3f2BPdSyd/esY/QVI=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -8037,7 +8499,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 19658, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.196", "8.8.8.8", @@ -8131,6 +8598,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24155", "panw.panos.network.nat.community_id": "1:uPFYX4KL/wjyCp4kt+08v7myT3w=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -8139,7 +8607,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 64352, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8233,6 +8706,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24232", "panw.panos.network.nat.community_id": "1:f3vxOCmoOo/FOLV6VRqKjZ7eUVE=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -8241,7 +8715,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 60126, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8337,6 +8816,7 @@ "panw.panos.destination.nat.ip": "35.185.88.112", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-rst-from-client", "panw.panos.flow_id": "24330", "panw.panos.network.nat.community_id": "1:/rmnQ6QBbJzgkfNBrkCgvu5UHiU=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -8345,7 +8825,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 59771, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.185.88.112", @@ -8440,6 +8925,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "23960", "panw.panos.network.nat.community_id": "1:9Ub1pskil4C0tLo85OJa61g1D0Q=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -8448,7 +8934,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 35748, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8543,6 +9034,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24236", "panw.panos.network.nat.community_id": "1:rh7nCIUBzUAekx4F+OTwBbpRh+E=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -8551,7 +9043,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 63701, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8646,6 +9143,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24276", "panw.panos.network.nat.community_id": "1:eIIc+AXkJtZLyfNqUAVZLumaYVQ=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -8654,7 +9152,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 57872, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8752,6 +9255,7 @@ "panw.panos.destination.nat.ip": "50.19.85.24", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-rst-from-client", "panw.panos.flow_id": "24299", "panw.panos.network.nat.community_id": "1:Mn7w9ScywW3qjDMNsO8QsGj6BY0=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -8760,7 +9264,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 37581, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "50.19.85.24", @@ -8858,6 +9367,7 @@ "panw.panos.destination.nat.ip": "50.19.85.24", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-rst-from-client", "panw.panos.flow_id": "24229", "panw.panos.network.nat.community_id": "1:8oAG19bm5FROhazDy0CcTH+Cfqc=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -8866,7 +9376,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 19226, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "50.19.85.24", @@ -8964,6 +9479,7 @@ "panw.panos.destination.nat.ip": "50.19.85.24", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-rst-from-client", "panw.panos.flow_id": "24283", "panw.panos.network.nat.community_id": "1:ZhVElLU1QcpGayhElc2L/+Rp+xw=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -8972,7 +9488,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 61721, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "50.19.85.24", @@ -9067,6 +9588,7 @@ "panw.panos.destination.nat.ip": "104.254.150.9", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-rst-from-client", "panw.panos.flow_id": "24369", "panw.panos.network.nat.community_id": "1:aHhDlT3Bx285CJRrBykpRsei1a0=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -9075,7 +9597,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 10098, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "104.254.150.9", @@ -9173,6 +9700,7 @@ "panw.panos.destination.nat.ip": "50.19.85.24", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-rst-from-client", "panw.panos.flow_id": "24354", "panw.panos.network.nat.community_id": "1:RLfRarGPGl+PnGhB8fb+S+uTX1o=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -9181,7 +9709,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 4564, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "50.19.85.24", @@ -9279,6 +9812,7 @@ "panw.panos.destination.nat.ip": "52.0.218.108", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "24254", "panw.panos.network.nat.community_id": "1:/0iCZCsnpk+5MR4Tc26unyr/T4Q=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -9287,7 +9821,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 32104, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.0.218.108", @@ -9385,6 +9924,7 @@ "panw.panos.destination.nat.ip": "52.6.117.19", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "24246", "panw.panos.network.nat.community_id": "1:486dmnLzuTH8P7j6jI6JsUtW2VU=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -9393,7 +9933,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 14172, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.6.117.19", @@ -9491,6 +10036,7 @@ "panw.panos.destination.nat.ip": "34.238.96.22", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "24343", "panw.panos.network.nat.community_id": "1:6LTK93w8ZdfxzSfZXzebKR6jWxo=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -9499,7 +10045,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 10286, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "34.238.96.22", @@ -9597,6 +10148,7 @@ "panw.panos.destination.nat.ip": "130.211.47.17", "panw.panos.destination.nat.port": 443, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "tcp-fin", "panw.panos.flow_id": "24262", "panw.panos.network.nat.community_id": "1:roV5JFl0FdQHIRUkgeZm+ZeyeCQ=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -9605,7 +10157,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 30799, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "130.211.47.17", @@ -9700,6 +10257,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24281", "panw.panos.network.nat.community_id": "1:5G+JVi/ClM/MfHhUL//vH/GmuaA=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -9708,7 +10266,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 13490, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -9803,6 +10366,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 0, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24424", "panw.panos.network.nat.community_id": "1:QVXHpdoObbzEeqP6DGULYxqYgAY=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -9811,7 +10375,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 0, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -9906,6 +10475,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24230", "panw.panos.network.nat.community_id": "1:mdksC4jGw6MN7g3nGdquiqQ95vU=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -9914,7 +10484,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 53751, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -10009,6 +10584,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24243", "panw.panos.network.nat.community_id": "1:+zC2Y+UE7UqApr01oqb755Xyuf4=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -10017,7 +10593,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 21643, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -10112,6 +10693,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24077", "panw.panos.network.nat.community_id": "1:xawqUBgLyfe1E61ObEXv4nbO590=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -10120,7 +10702,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 22446, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -10215,6 +10802,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24266", "panw.panos.network.nat.community_id": "1:PDWWOeDVqKGZ/hwjVVdCDdF6qB4=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -10223,7 +10811,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 22301, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -10318,6 +10911,7 @@ "panw.panos.destination.nat.ip": "8.8.8.8", "panw.panos.destination.nat.port": 53, "panw.panos.destination.zone": "untrust", + "panw.panos.endreason": "aged-out", "panw.panos.flow_id": "24269", "panw.panos.network.nat.community_id": "1:yNIHAg1M08IChho9000mtg7zUOc=", "panw.panos.ruleset": "new_outbound_from_trust", @@ -10326,7 +10920,12 @@ "panw.panos.source.nat.ip": "192.168.1.63", "panw.panos.source.nat.port": 58124, "panw.panos.source.zone": "trust", + "panw.panos.sub_type": "end", + "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", diff --git a/x-pack/filebeat/module/proofpoint/README.md b/x-pack/filebeat/module/proofpoint/README.md new file mode 100644 index 00000000000..9ce835721f0 --- /dev/null +++ b/x-pack/filebeat/module/proofpoint/README.md @@ -0,0 +1,7 @@ +# proofpoint module + +This is a module for Proofpoint Email Security logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML proofpoint version 131 +at 2020-09-01 14:17:48.203341 +0000 UTC. + diff --git a/x-pack/filebeat/module/tenable/_meta/config.yml b/x-pack/filebeat/module/proofpoint/_meta/config.yml similarity index 86% rename from x-pack/filebeat/module/tenable/_meta/config.yml rename to x-pack/filebeat/module/proofpoint/_meta/config.yml index 5d4527eb47b..d25f23041e3 100644 --- a/x-pack/filebeat/module/tenable/_meta/config.yml +++ b/x-pack/filebeat/module/proofpoint/_meta/config.yml @@ -1,11 +1,11 @@ -- module: tenable - nessus_security: +- module: proofpoint + emailsecurity: enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp # var.syslog_host: localhost - # var.syslog_port: 9516 + # var.syslog_port: 9531 # Set paths for the log files when file input is used. # var.paths: diff --git a/x-pack/filebeat/module/tenable/_meta/docs.asciidoc b/x-pack/filebeat/module/proofpoint/_meta/docs.asciidoc similarity index 74% rename from x-pack/filebeat/module/tenable/_meta/docs.asciidoc rename to x-pack/filebeat/module/proofpoint/_meta/docs.asciidoc index a0b811750cb..b4f2ce21100 100644 --- a/x-pack/filebeat/module/tenable/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/proofpoint/_meta/docs.asciidoc @@ -1,28 +1,28 @@ [role="xpack"] -:modulename: tenable +:modulename: proofpoint :has-dashboards: false -== Tenable module +== Proofpoint module experimental[] -This is a module for receiving Tenable Network Security Nessus logs over Syslog or a file. +This is a module for receiving Proofpoint Email Security logs over Syslog or a file. include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] -:fileset_ex: nessus_security +:fileset_ex: emailsecurity include::../include/config-option-intro.asciidoc[] [float] -==== `nessus_security` fileset settings +==== `emailsecurity` fileset settings experimental[] -NOTE: This was converted from RSA NetWitness log parser XML "nessusvs" device revision 0. +NOTE: This was converted from RSA NetWitness log parser XML "proofpoint" device revision 131. *`var.input`*:: @@ -36,7 +36,7 @@ Set to `0.0.0.0` to bind to all available interfaces. *`var.syslog_port`*:: -The port to listen for syslog traffic. Defaults to `9516` +The port to listen for syslog traffic. Defaults to `9531` NOTE: Ports below 1024 require Filebeat to run as root. @@ -51,7 +51,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/proofpoint/_meta/fields.yml b/x-pack/filebeat/module/proofpoint/_meta/fields.yml new file mode 100644 index 00000000000..6a65d925e9e --- /dev/null +++ b/x-pack/filebeat/module/proofpoint/_meta/fields.yml @@ -0,0 +1,5 @@ +- key: proofpoint + title: Proofpoint Email Security + description: > + proofpoint fields. + fields: diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/_meta/fields.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/_meta/fields.yml @@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. + - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. + - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num + overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. + - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. + - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. + - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. + - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml new file mode 100644 index 00000000000..05fe8a00db0 --- /dev/null +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml @@ -0,0 +1,45 @@ +{{ if eq .input "file" }} + +type: log +paths: + {{ range $i, $path := .paths }} +- {{$path}} + {{ end }} +exclude_files: [".gz$"] + +{{ else }} + +type: {{.input}} +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +fields_under_root: true +fields: + observer: + vendor: "Proofpoint" + product: "Email" + type: "Firewall" + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{.rsa_fields}} + tz_offset: {{.tz_offset}} + keep_raw: {{.keep_raw_fields}} + debug: {{.debug}} + files: + - ${path.home}/module/proofpoint/emailsecurity/config/liblogparser.js + - ${path.home}/module/proofpoint/emailsecurity/config/pipeline.js +{{ if .community_id }} +- community_id: ~ +{{ end }} +- add_fields: + target: '' + fields: + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/config/liblogparser.js b/x-pack/filebeat/module/proofpoint/emailsecurity/config/liblogparser.js new file mode 100644 index 00000000000..6cdb48abb26 --- /dev/null +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/config/liblogparser.js @@ -0,0 +1,2510 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; +} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], +}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. +function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). +var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} %{p0}"); + +var dup19 = // "Pattern{Constant('attachment='), Field(fld58,true), Constant(' file='), Field(fld1,true), Constant(' mod='), Field(p0,false)}" +match("MESSAGE#25:session_judge/1_0", "nwparser.p0", "attachment=%{fld58->} file=%{fld1->} mod=%{p0}"); + +var dup20 = // "Pattern{Constant('mod='), Field(p0,false)}" +match("MESSAGE#25:session_judge/1_1", "nwparser.p0", "mod=%{p0}"); + +var dup21 = call({ + dest: "nwparser.filename", + fn: RMQ, + args: [ + field("fld1"), + ], +}); + +var dup22 = setc("eventcategory","1207040200"); + +var dup23 = // "Pattern{Constant('vendor='), Field(fld36,true), Constant(' version="'), Field(component_version,false), Constant('" duration='), Field(p0,false)}" +match("MESSAGE#39:av_run:02/1_1", "nwparser.p0", "vendor=%{fld36->} version=\"%{component_version}\" duration=%{p0}"); + +var dup24 = // "Pattern{Field(duration_string,false)}" +match_copy("MESSAGE#39:av_run:02/2", "nwparser.p0", "duration_string"); + +var dup25 = setc("eventcategory","1003010000"); + +var dup26 = setc("eventcategory","1003000000"); + +var dup27 = setc("eventcategory","1207040000"); + +var dup28 = // "Pattern{Constant('['), Field(daddr,false), Constant('] ['), Field(daddr,false), Constant('],'), Field(p0,false)}" +match("MESSAGE#98:queued-alert/3_0", "nwparser.p0", "[%{daddr}] [%{daddr}],%{p0}"); + +var dup29 = // "Pattern{Constant('['), Field(daddr,false), Constant('],'), Field(p0,false)}" +match("MESSAGE#98:queued-alert/3_1", "nwparser.p0", "[%{daddr}],%{p0}"); + +var dup30 = // "Pattern{Field(dhost,true), Constant(' ['), Field(daddr,false), Constant('],'), Field(p0,false)}" +match("MESSAGE#98:queued-alert/3_2", "nwparser.p0", "%{dhost->} [%{daddr}],%{p0}"); + +var dup31 = // "Pattern{Field(dhost,false), Constant(','), Field(p0,false)}" +match("MESSAGE#98:queued-alert/3_3", "nwparser.p0", "%{dhost},%{p0}"); + +var dup32 = // "Pattern{Field(,false), Constant('dsn='), Field(resultcode,false), Constant(', stat='), Field(info,false)}" +match("MESSAGE#98:queued-alert/4", "nwparser.p0", "%{}dsn=%{resultcode}, stat=%{info}"); + +var dup33 = // "Pattern{Constant('['), Field(daddr,false), Constant(']')}" +match("MESSAGE#99:queued-alert:01/1_1", "nwparser.p0", "[%{daddr}]"); + +var dup34 = // "Pattern{Field(dhost,true), Constant(' ['), Field(daddr,false), Constant(']')}" +match("MESSAGE#99:queued-alert:01/1_2", "nwparser.p0", "%{dhost->} [%{daddr}]"); + +var dup35 = // "Pattern{Field(dhost,false)}" +match_copy("MESSAGE#99:queued-alert:01/1_3", "nwparser.p0", "dhost"); + +var dup36 = date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup37 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: STARTTLS='), Field(fld1,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#100:queued-alert:02/0", "nwparser.payload", "%{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); + +var dup38 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#101:queued-VoltageEncrypt/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); + +var dup39 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld57,false), Constant(', nrcpts='), Field(fld58,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(fld69,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#120:queued-VoltageEncrypt:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, relay=%{p0}"); + +var dup40 = // "Pattern{Constant('['), Field(daddr,false), Constant('] ['), Field(daddr,false), Constant(']')}" +match("MESSAGE#120:queued-VoltageEncrypt:01/1_0", "nwparser.p0", "[%{daddr}] [%{daddr}]"); + +var dup41 = // "Pattern{Field(,false), Constant('field='), Field(fld2,false), Constant(', status='), Field(info,false)}" +match("MESSAGE#104:queued-default:02/2", "nwparser.p0", "%{}field=%{fld2}, status=%{info}"); + +var dup42 = // "Pattern{Field(,false), Constant('version='), Field(fld55,false), Constant(', verify='), Field(fld57,false), Constant(', cipher='), Field(fld58,false), Constant(', bits='), Field(fld59,false)}" +match("MESSAGE#105:queued-default:03/2", "nwparser.p0", "%{}version=%{fld55}, verify=%{fld57}, cipher=%{fld58}, bits=%{fld59}"); + +var dup43 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld57,false), Constant(', nrcpts='), Field(fld58,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(fld69,false), Constant(', tls_verify='), Field(fld70,false), Constant(', auth='), Field(fld71,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#116:queued-eurort:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{fld71}, relay=%{p0}"); + +var dup44 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#126:sendmail/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); + +var dup45 = linear_select([ + dup1, + dup2, + dup3, + dup4, + dup5, +]); + +var dup46 = linear_select([ + dup14, + dup15, +]); + +var dup47 = linear_select([ + dup19, + dup20, +]); + +var dup48 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' vendor='), Field(fld36,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' signatures='), Field(fld94,false)}" +match("MESSAGE#43:av_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ + dup26, + dup9, +])); + +var dup49 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#48:access_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ + dup17, + dup9, +])); + +var dup50 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#49:access_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ + dup17, + dup9, +])); + +var dup51 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' action='), Field(action,true), Constant(' dict='), Field(fld37,true), Constant(' file='), Field(filename,false)}" +match("MESSAGE#51:access_refresh:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%{filename}", processor_chain([ + dup17, + dup9, +])); + +var dup52 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,false)}" +match("MESSAGE#52:access_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ + dup17, + dup9, +])); + +var dup53 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,false)}" +match("MESSAGE#64:spam_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ + dup27, + dup9, +])); + +var dup54 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' version='), Field(fld55,false)}" +match("MESSAGE#71:zerohour_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} version=%{fld55}", processor_chain([ + dup17, + dup9, +])); + +var dup55 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' sig='), Field(fld60,false)}" +match("MESSAGE#82:cvtd:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sig=%{fld60}", processor_chain([ + dup17, + dup9, +])); + +var dup56 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,false)}" +match("MESSAGE#83:cvtd", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type}", processor_chain([ + dup17, + dup9, +])); + +var dup57 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' addr='), Field(saddr,false)}" +match("MESSAGE#87:soap_listen", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} addr=%{saddr}", processor_chain([ + dup17, + dup9, +])); + +var dup58 = linear_select([ + dup28, + dup29, + dup30, + dup31, +]); + +var dup59 = linear_select([ + dup40, + dup33, + dup34, + dup35, +]); + +var dup60 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': timeout waiting for input from '), Field(fld11,true), Constant(' during server cmd read')}" +match("MESSAGE#106:queued-default:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: timeout waiting for input from %{fld11->} during server cmd read", processor_chain([ + dup17, + dup9, +])); + +var dup61 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(event_description,false)}" +match("MESSAGE#113:queued-reinject:06", "nwparser.payload", "%{agent}[%{process_id}]: %{event_description}", processor_chain([ + dup17, + dup9, +])); + +var dup62 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' pid='), Field(process_id,true), Constant(' '), Field(web_method,true), Constant(' /'), Field(info,false), Constant(': '), Field(resultcode,false)}" +match("MESSAGE#141:info:pid", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ + dup17, + dup9, +])); + +var dup63 = all_match({ + processors: [ + dup38, + dup58, + dup32, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var dup64 = all_match({ + processors: [ + dup39, + dup59, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var dup65 = all_match({ + processors: [ + dup37, + dup58, + dup41, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var dup66 = all_match({ + processors: [ + dup37, + dup58, + dup42, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var dup67 = all_match({ + processors: [ + dup43, + dup59, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var dup68 = all_match({ + processors: [ + dup44, + dup58, + dup32, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var hdr1 = // "Pattern{Field(hdate,false), Constant('T'), Field(htime,false), Constant('.'), Field(hfld1,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld3,false), Constant(']: '), Field(p0,false)}" +match("HEADER#0:0024/0", "message", "%{hdate}T%{htime}.%{hfld1->} %{hfld2->} %{hinstance}[%{hfld3}]: %{p0}", processor_chain([ + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant("["), + field("hfld3"), + constant("]: "), + field("p0"), + ], + }), +])); + +var part1 = // "Pattern{Field(,false), Constant('s='), Field(hfld4,true), Constant(' cmd=send '), Field(p0,false)}" +match("HEADER#0:0024/2", "nwparser.p0", "%{}s=%{hfld4->} cmd=send %{p0}"); + +var all1 = all_match({ + processors: [ + hdr1, + dup45, + part1, + ], + on_success: processor_chain([ + setc("header_id","0024"), + setc("messageid","send"), + ]), +}); + +var hdr2 = // "Pattern{Field(hdate,false), Constant('T'), Field(htime,false), Constant('.'), Field(hfld1,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(messageid,false), Constant('['), Field(hfld3,false), Constant(']: '), Field(p0,false)}" +match("HEADER#1:0023/0", "message", "%{hdate}T%{htime}.%{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]: %{p0}"); + +var part2 = // "Pattern{Field(,true), Constant(' '), Field(payload,false)}" +match("HEADER#1:0023/2", "nwparser.p0", "%{} %{payload}"); + +var all2 = all_match({ + processors: [ + hdr2, + dup45, + part2, + ], + on_success: processor_chain([ + setc("header_id","0023"), + ]), +}); + +var hdr3 = // "Pattern{Field(hdate,false), Constant('T'), Field(htime,false), Constant('.'), Field(hfld1,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(messageid,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(p0,false)}" +match("HEADER#2:0025", "message", "%{hdate}T%{htime}.%{hfld1->} %{hinstance->} %{messageid}[%{hfld2}]: %{p0}", processor_chain([ + setc("header_id","0025"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld2"), + constant("]: "), + field("p0"), + ], + }), +])); + +var hdr4 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hostname,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld4,false), Constant(']: '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' m='), Field(hfld2,true), Constant(' x='), Field(hfld3,true), Constant(' attachment='), Field(hfld7,true), Constant(' file='), Field(hfld5,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" +match("HEADER#3:0026", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %{hinstance}[%{hfld4}]: %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} attachment=%{hfld7->} file=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ + setc("header_id","0026"), + dup6, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant("["), + field("hfld4"), + constant("]: "), + field("hseverity"), + constant(" s="), + field("hfld1"), + constant(" m="), + field("hfld2"), + constant(" x="), + field("hfld3"), + constant(" attachment="), + field("hfld7"), + constant(" file="), + field("hfld5"), + constant(" mod="), + field("msgIdPart1"), + constant(" cmd="), + field("msgIdPart2"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr5 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' m='), Field(hfld2,true), Constant(' x='), Field(hfld3,true), Constant(' attachment='), Field(hfld7,true), Constant(' file='), Field(hfld5,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" +match("HEADER#4:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} attachment=%{hfld7->} file=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ + setc("header_id","0003"), + dup6, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant(" "), + field("hseverity"), + constant(" s="), + field("hfld1"), + constant(" m="), + field("hfld2"), + constant(" x="), + field("hfld3"), + constant(" attachment="), + field("hfld7"), + constant(" file="), + field("hfld5"), + constant(" mod="), + field("msgIdPart1"), + constant(" cmd="), + field("msgIdPart2"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr6 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(hseverity,true), Constant(' s='), Field(hfld3,true), Constant(' m='), Field(hfld4,true), Constant(' x='), Field(hfld5,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" +match("HEADER#5:0015", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} s=%{hfld3->} m=%{hfld4->} x=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ + setc("header_id","0015"), + dup6, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant("["), + field("hfld2"), + constant("]: "), + field("hseverity"), + constant(" s="), + field("hfld3"), + constant(" m="), + field("hfld4"), + constant(" x="), + field("hfld5"), + constant(" mod="), + field("msgIdPart1"), + constant(" cmd="), + field("msgIdPart2"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr7 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(hseverity,true), Constant(' s='), Field(hfld3,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" +match("HEADER#6:0016", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} s=%{hfld3->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ + setc("header_id","0016"), + dup6, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant("["), + field("hfld2"), + constant("]: "), + field("hseverity"), + constant(" s="), + field("hfld3"), + constant(" mod="), + field("msgIdPart1"), + constant(" cmd="), + field("msgIdPart2"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr8 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(severity,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' '), Field(p0,false)}" +match("HEADER#7:0017", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{severity->} mod=%{msgIdPart1->} %{p0}", processor_chain([ + setc("header_id","0017"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_ttl"), + ], + }), + dup7, +])); + +var hdr9 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant(': '), Field(hseverity,true), Constant(' s='), Field(hfld2,true), Constant(' m='), Field(hfld3,true), Constant(' x='), Field(hfld4,true), Constant(' cmd='), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#8:0018", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}: %{hseverity->} s=%{hfld2->} m=%{hfld3->} x=%{hfld4->} cmd=%{messageid->} %{p0}", processor_chain([ + setc("header_id","0018"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant(": "), + field("hseverity"), + constant(" s="), + field("hfld2"), + constant(" m="), + field("hfld3"), + constant(" x="), + field("hfld4"), + constant(" cmd="), + field("messageid"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr10 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld2,true), Constant(' mod='), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#9:0019", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance->} %{hseverity->} s=%{hfld2->} mod=%{messageid->} %{p0}", processor_chain([ + setc("header_id","0019"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant(" "), + field("hseverity"), + constant(" s="), + field("hfld2"), + constant(" mod="), + field("messageid"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr11 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(hseverity,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,false), Constant('='), Field(hfld3,true), Constant(' '), Field(p0,false)}" +match("HEADER#10:0020", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{hseverity->} mod=%{msgIdPart1->} %{msgIdPart2}=%{hfld3->} %{p0}", processor_chain([ + setc("header_id","0020"), + dup6, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant("["), + field("hfld2"), + constant("]: "), + field("hseverity"), + constant(" mod="), + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant("="), + field("hfld3"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr12 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld2,false), Constant(']: '), Field(severity,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' '), Field(p0,false)}" +match("HEADER#11:0021", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}[%{hfld2}]: %{severity->} mod=%{msgIdPart1->} %{p0}", processor_chain([ + setc("header_id","0021"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_type"), + ], + }), + dup7, +])); + +var hdr13 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld1,true), Constant(' '), Field(hinstance,false), Constant(': '), Field(hseverity,true), Constant(' s='), Field(hfld2,true), Constant(' m='), Field(hfld3,true), Constant(' x='), Field(hfld4,true), Constant(' '), Field(msgIdPart1,false), Constant('='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" +match("HEADER#12:0022", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld1->} %{hinstance}: %{hseverity->} s=%{hfld2->} m=%{hfld3->} x=%{hfld4->} %{msgIdPart1}=%{msgIdPart2->} %{p0}", processor_chain([ + setc("header_id","0022"), + dup6, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant(": "), + field("hseverity"), + constant(" s="), + field("hfld2"), + constant(" m="), + field("hfld3"), + constant(" x="), + field("hfld4"), + constant(" "), + field("msgIdPart1"), + constant("="), + field("msgIdPart2"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr14 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' m='), Field(hfld2,true), Constant(' x='), Field(hfld3,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" +match("HEADER#13:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ + setc("header_id","0001"), + dup6, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant(" "), + field("hseverity"), + constant(" s="), + field("hfld1"), + constant(" m="), + field("hfld2"), + constant(" x="), + field("hfld3"), + constant(" mod="), + field("msgIdPart1"), + constant(" cmd="), + field("msgIdPart2"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr15 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' m='), Field(hfld2,true), Constant(' x='), Field(hfld3,true), Constant(' cmd='), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#14:0008", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} m=%{hfld2->} x=%{hfld3->} cmd=%{messageid->} %{p0}", processor_chain([ + setc("header_id","0008"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant(" "), + field("hseverity"), + constant(" s="), + field("hfld1"), + constant(" m="), + field("hfld2"), + constant(" x="), + field("hfld3"), + constant(" cmd="), + field("messageid"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr16 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" +match("HEADER#15:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ + setc("header_id","0002"), + dup6, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant(" "), + field("hseverity"), + constant(" s="), + field("hfld1"), + constant(" mod="), + field("msgIdPart1"), + constant(" cmd="), + field("msgIdPart2"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr17 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' mod='), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#16:0007", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} mod=%{messageid->} %{p0}", processor_chain([ + setc("header_id","0007"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant(" "), + field("hseverity"), + constant(" s="), + field("hfld1"), + constant(" mod="), + field("messageid"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr18 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' s='), Field(hfld1,true), Constant(' cmd='), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#17:0012", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} s=%{hfld1->} cmd=%{messageid->} %{p0}", processor_chain([ + setc("header_id","0012"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant(" "), + field("hseverity"), + constant(" s="), + field("hfld1"), + constant(" cmd="), + field("messageid"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr19 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' type='), Field(hfld5,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" +match("HEADER#18:0004", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{msgIdPart1->} type=%{hfld5->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ + setc("header_id","0004"), + dup6, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant(" "), + field("hseverity"), + constant(" mod="), + field("msgIdPart1"), + constant(" type="), + field("hfld5"), + constant(" cmd="), + field("msgIdPart2"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr20 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' pid='), Field(hfld5,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" +match("HEADER#19:0005", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} pid=%{hfld5->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ + setc("header_id","0005"), + dup6, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant(" "), + field("hseverity"), + constant(" pid="), + field("hfld5"), + constant(" mod="), + field("msgIdPart1"), + constant(" cmd="), + field("msgIdPart2"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr21 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' mod='), Field(msgIdPart1,true), Constant(' cmd='), Field(msgIdPart2,true), Constant(' '), Field(p0,false)}" +match("HEADER#20:0006", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{msgIdPart1->} cmd=%{msgIdPart2->} %{p0}", processor_chain([ + setc("header_id","0006"), + dup6, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant(" "), + field("hseverity"), + constant(" mod="), + field("msgIdPart1"), + constant(" cmd="), + field("msgIdPart2"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr22 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(hseverity,true), Constant(' mod='), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#21:0009", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{hseverity->} mod=%{messageid->} %{p0}", processor_chain([ + setc("header_id","0009"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant(" "), + field("hseverity"), + constant(" mod="), + field("messageid"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr23 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(hinstance,false), Constant('['), Field(hfld1,false), Constant(']: '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#22:0014", "message", "%{hmonth->} %{hday->} %{htime->} %{hfld2->} %{hinstance}[%{hfld1}]: %{messageid->} %{p0}", processor_chain([ + setc("header_id","0014"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant("["), + field("hfld1"), + constant("]: "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr24 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(messageid,false), Constant('['), Field(hfld1,false), Constant(']: '), Field(p0,false)}" +match("HEADER#23:0013", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{messageid}[%{hfld1}]: %{p0}", processor_chain([ + setc("header_id","0013"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant(" "), + field("messageid"), + constant("["), + field("hfld1"), + constant("]: "), + field("p0"), + ], + }), +])); + +var hdr25 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(htime,true), Constant(' '), Field(hinstance,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#24:0011", "message", "%{hmonth->} %{hday->} %{htime->} %{hinstance->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0011"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hinstance"), + constant(" "), + field("messageid"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr26 = // "Pattern{Field(messageid,false), Constant('['), Field(hfld1,false), Constant(']: '), Field(p0,false)}" +match("HEADER#25:0010", "message", "%{messageid}[%{hfld1}]: %{p0}", processor_chain([ + setc("header_id","0010"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("["), + field("hfld1"), + constant("]: "), + field("p0"), + ], + }), +])); + +var select1 = linear_select([ + all1, + all2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + hdr13, + hdr14, + hdr15, + hdr16, + hdr17, + hdr18, + hdr19, + hdr20, + hdr21, + hdr22, + hdr23, + hdr24, + hdr25, + hdr26, +]); + +var part3 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' r='), Field(event_counter,true), Constant(' value='), Field(to,true), Constant(' verified='), Field(fld3,true), Constant(' routes='), Field(fld4,false)}" +match("MESSAGE#0:mail_env_rcpt", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} r=%{event_counter->} value=%{to->} verified=%{fld3->} routes=%{fld4}", processor_chain([ + dup8, + dup9, +])); + +var msg1 = msg("mail_env_rcpt", part3); + +var part4 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' r='), Field(event_counter,true), Constant(' value='), Field(to,true), Constant(' verified='), Field(fld3,true), Constant(' routes='), Field(fld4,false)}" +match("MESSAGE#1:mail_env_rcpt:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} r=%{event_counter->} value=%{to->} verified=%{fld3->} routes=%{fld4}", processor_chain([ + dup8, + dup9, +])); + +var msg2 = msg("mail_env_rcpt:01", part4); + +var select2 = linear_select([ + msg1, + msg2, +]); + +var part5 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' file='), Field(filename,true), Constant(' mime='), Field(content_type,true), Constant(' type='), Field(fld6,true), Constant(' omime='), Field(fld7,true), Constant(' oext='), Field(fld8,true), Constant(' corrupted='), Field(fld9,true), Constant(' protected='), Field(fld10,true), Constant(' size='), Field(bytes,true), Constant(' virtual='), Field(fld11,true), Constant(' a='), Field(fld12,false)}" +match("MESSAGE#2:mail_attachment", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11->} a=%{fld12}", processor_chain([ + dup10, + dup9, +])); + +var msg3 = msg("mail_attachment", part5); + +var part6 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' file='), Field(filename,true), Constant(' mime='), Field(content_type,true), Constant(' type='), Field(fld6,true), Constant(' omime='), Field(fld7,true), Constant(' oext='), Field(fld8,true), Constant(' corrupted='), Field(fld9,true), Constant(' protected='), Field(fld10,true), Constant(' size='), Field(bytes,true), Constant(' virtual='), Field(fld11,true), Constant(' a='), Field(fld12,false)}" +match("MESSAGE#3:mail_attachment:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11->} a=%{fld12}", processor_chain([ + dup10, + dup9, +])); + +var msg4 = msg("mail_attachment:01", part6); + +var part7 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' file='), Field(filename,true), Constant(' mime='), Field(content_type,true), Constant(' type='), Field(fld6,true), Constant(' omime='), Field(fld7,true), Constant(' oext='), Field(fld8,true), Constant(' corrupted='), Field(fld9,true), Constant(' protected='), Field(fld10,true), Constant(' size='), Field(bytes,true), Constant(' virtual='), Field(fld11,false)}" +match("MESSAGE#4:mail_attachment:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11}", processor_chain([ + dup10, + dup9, +])); + +var msg5 = msg("mail_attachment:02", part7); + +var part8 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' file='), Field(filename,true), Constant(' mime='), Field(content_type,true), Constant(' type='), Field(fld6,true), Constant(' omime='), Field(fld7,true), Constant(' oext='), Field(fld8,true), Constant(' corrupted='), Field(fld9,true), Constant(' protected='), Field(fld10,true), Constant(' size='), Field(bytes,true), Constant(' virtual='), Field(fld11,false)}" +match("MESSAGE#5:mail_attachment:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} file=%{filename->} mime=%{content_type->} type=%{fld6->} omime=%{fld7->} oext=%{fld8->} corrupted=%{fld9->} protected=%{fld10->} size=%{bytes->} virtual=%{fld11}", processor_chain([ + dup10, + dup9, +])); + +var msg6 = msg("mail_attachment:03", part8); + +var select3 = linear_select([ + msg3, + msg4, + msg5, + msg6, +]); + +var part9 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject='), Field(subject,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' virusname='), Field(threat_name,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" +match("MESSAGE#6:mail_msg", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ + dup11, + dup9, + dup12, + dup13, +])); + +var msg7 = msg("mail_msg", part9); + +var part10 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject='), Field(subject,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' virusname='), Field(threat_name,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" +match("MESSAGE#7:mail_msg:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ + dup11, + dup9, + dup12, + dup13, +])); + +var msg8 = msg("mail_msg:01", part10); + +var part11 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject='), Field(subject,true), Constant(' virusname='), Field(threat_name,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" +match("MESSAGE#8:mail_msg:04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} virusname=%{threat_name->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ + dup11, + dup9, + dup12, + dup13, +])); + +var msg9 = msg("mail_msg:04", part11); + +var part12 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject='), Field(subject,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" +match("MESSAGE#9:mail_msg:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ + dup11, + dup9, + dup12, + dup13, +])); + +var msg10 = msg("mail_msg:02", part12); + +var part13 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject='), Field(subject,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" +match("MESSAGE#10:mail_msg:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=%{subject->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ + dup11, + dup9, + dup12, + dup13, +])); + +var msg11 = msg("mail_msg:03", part13); + +var select4 = linear_select([ + msg7, + msg8, + msg9, + msg10, + msg11, +]); + +var part14 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(to,true), Constant(' ofrom='), Field(from,true), Constant(' qid='), Field(fld15,true), Constant(' tls='), Field(fld17,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' host='), Field(hostname,true), Constant(' ip='), Field(p0,false)}" +match("MESSAGE#11:mail_env_from:ofrom/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} value=%{to->} ofrom=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{p0}"); + +var all3 = all_match({ + processors: [ + part14, + dup46, + ], + on_success: processor_chain([ + dup16, + dup9, + ]), +}); + +var msg12 = msg("mail_env_from:ofrom", all3); + +var part15 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(to,true), Constant(' ofrom='), Field(from,true), Constant(' qid='), Field(fld15,true), Constant(' tls='), Field(fld17,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' host='), Field(hostname,true), Constant(' ip='), Field(hostip,true), Constant(' sampling='), Field(fld19,false)}" +match("MESSAGE#12:mail_env_from:ofrom:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{to->} ofrom=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{hostip->} sampling=%{fld19}", processor_chain([ + dup16, + dup9, +])); + +var msg13 = msg("mail_env_from:ofrom:01", part15); + +var part16 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(from,true), Constant(' qid='), Field(fld15,true), Constant(' tls='), Field(fld17,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' host='), Field(hostname,true), Constant(' ip='), Field(p0,false)}" +match("MESSAGE#13:mail_env_from/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} value=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{p0}"); + +var all4 = all_match({ + processors: [ + part16, + dup46, + ], + on_success: processor_chain([ + dup16, + dup9, + ]), +}); + +var msg14 = msg("mail_env_from", all4); + +var part17 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(from,true), Constant(' qid='), Field(fld15,true), Constant(' tls='), Field(fld17,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' host='), Field(hostname,true), Constant(' ip='), Field(hostip,true), Constant(' sampling='), Field(fld19,false)}" +match("MESSAGE#14:mail_env_from:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{from->} qid=%{fld15->} tls=%{fld17->} routes=%{fld4->} notroutes=%{fld18->} host=%{hostname->} ip=%{hostip->} sampling=%{fld19}", processor_chain([ + dup16, + dup9, +])); + +var msg15 = msg("mail_env_from:01", part17); + +var select5 = linear_select([ + msg12, + msg13, + msg14, + msg15, +]); + +var part18 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(ddomain,true), Constant(' routes='), Field(fld4,false)}" +match("MESSAGE#15:mail_helo", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} value=%{ddomain->} routes=%{fld4}", processor_chain([ + dup17, + dup9, +])); + +var msg16 = msg("mail_helo", part18); + +var part19 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' value='), Field(ddomain,true), Constant(' routes='), Field(fld4,false)}" +match("MESSAGE#16:mail_helo:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} value=%{ddomain->} routes=%{fld4}", processor_chain([ + dup17, + dup9, +])); + +var msg17 = msg("mail_helo:01", part19); + +var select6 = linear_select([ + msg16, + msg17, +]); + +var part20 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' action='), Field(action,true), Constant(' err='), Field(fld58,false)}" +match("MESSAGE#17:mail_continue-system-sendmail", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} err=%{fld58}", processor_chain([ + dup17, + dup9, +])); + +var msg18 = msg("mail_continue-system-sendmail", part20); + +var part21 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' status='), Field(result,true), Constant(' err='), Field(fld58,false)}" +match("MESSAGE#18:mail_release", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} status=%{result->} err=%{fld58}", processor_chain([ + dup17, + dup9, +])); + +var msg19 = msg("mail_release", part21); + +var part22 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#19:session_data/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} %{p0}"); + +var part23 = // "Pattern{Constant('rcpt_notroutes='), Field(fld20,true), Constant(' data_routes='), Field(fld21,false)}" +match("MESSAGE#19:session_data/1_0", "nwparser.p0", "rcpt_notroutes=%{fld20->} data_routes=%{fld21}"); + +var part24 = // "Pattern{Constant('rcpt='), Field(to,true), Constant(' suborg='), Field(fld22,false)}" +match("MESSAGE#19:session_data/1_1", "nwparser.p0", "rcpt=%{to->} suborg=%{fld22}"); + +var part25 = // "Pattern{Constant('from='), Field(from,true), Constant(' suborg='), Field(fld22,false)}" +match("MESSAGE#19:session_data/1_2", "nwparser.p0", "from=%{from->} suborg=%{fld22}"); + +var select7 = linear_select([ + part23, + part24, + part25, +]); + +var all5 = all_match({ + processors: [ + part22, + select7, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var msg20 = msg("session_data", all5); + +var part26 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rcpt_notroutes='), Field(fld20,true), Constant(' data_routes='), Field(fld21,false)}" +match("MESSAGE#20:session_data:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rcpt_notroutes=%{fld20->} data_routes=%{fld21}", processor_chain([ + dup17, + dup9, +])); + +var msg21 = msg("session_data:01", part26); + +var select8 = linear_select([ + msg20, + msg21, +]); + +var part27 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' folder='), Field(fld22,true), Constant(' pri='), Field(fld23,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#21:session_store", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} folder=%{fld22->} pri=%{fld23->} duration=%{duration_string}", processor_chain([ + dup17, + dup9, +])); + +var msg22 = msg("session_store", part27); + +var part28 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' folder='), Field(fld22,true), Constant(' pri='), Field(fld23,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#22:session_store:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} folder=%{fld22->} pri=%{fld23->} duration=%{duration_string}", processor_chain([ + dup17, + dup9, +])); + +var msg23 = msg("session_store:01", part28); + +var select9 = linear_select([ + msg22, + msg23, +]); + +var part29 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,false)}" +match("MESSAGE#23:session_headers", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ + dup17, + dup9, +])); + +var msg24 = msg("session_headers", part29); + +var part30 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,false)}" +match("MESSAGE#24:session_headers:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ + dup17, + dup9, +])); + +var msg25 = msg("session_headers:01", part30); + +var select10 = linear_select([ + msg24, + msg25, +]); + +var part31 = // "Pattern{Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,false)}" +match("MESSAGE#25:session_judge/2", "nwparser.p0", "%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename}"); + +var all6 = all_match({ + processors: [ + dup18, + dup47, + part31, + ], + on_success: processor_chain([ + dup17, + dup9, + dup21, + ]), +}); + +var msg26 = msg("session_judge", all6); + +var part32 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,false)}" +match("MESSAGE#26:session_judge:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename}", processor_chain([ + dup17, + dup9, +])); + +var msg27 = msg("session_judge:01", part32); + +var select11 = linear_select([ + msg26, + msg27, +]); + +var part33 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' ip='), Field(hostip,true), Constant(' country='), Field(location_country,true), Constant(' lip='), Field(fld24,true), Constant(' prot='), Field(fld25,true), Constant(' hops_active='), Field(fld26,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' perlwait='), Field(fld27,false)}" +match("MESSAGE#27:session_connect", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} ip=%{hostip->} country=%{location_country->} lip=%{fld24->} prot=%{fld25->} hops_active=%{fld26->} routes=%{fld4->} notroutes=%{fld18->} perlwait=%{fld27}", processor_chain([ + dup17, + dup9, +])); + +var msg28 = msg("session_connect", part33); + +var part34 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' ip='), Field(hostip,true), Constant(' country='), Field(location_country,true), Constant(' lip='), Field(fld24,true), Constant(' prot='), Field(fld25,true), Constant(' hops_active='), Field(fld26,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,true), Constant(' perlwait='), Field(fld27,false)}" +match("MESSAGE#28:session_connect:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} ip=%{hostip->} country=%{location_country->} lip=%{fld24->} prot=%{fld25->} hops_active=%{fld26->} routes=%{fld4->} notroutes=%{fld18->} perlwait=%{fld27}", processor_chain([ + dup17, + dup9, +])); + +var msg29 = msg("session_connect:01", part34); + +var select12 = linear_select([ + msg28, + msg29, +]); + +var part35 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' host='), Field(hostname,true), Constant(' resolve='), Field(fld28,true), Constant(' reverse='), Field(fld13,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,false)}" +match("MESSAGE#29:session_resolve", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} host=%{hostname->} resolve=%{fld28->} reverse=%{fld13->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ + dup17, + dup9, +])); + +var msg30 = msg("session_resolve", part35); + +var part36 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' host='), Field(hostname,true), Constant(' resolve='), Field(fld28,true), Constant(' reverse='), Field(fld13,true), Constant(' routes='), Field(fld4,true), Constant(' notroutes='), Field(fld18,false)}" +match("MESSAGE#30:session_resolve:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} host=%{hostname->} resolve=%{fld28->} reverse=%{fld13->} routes=%{fld4->} notroutes=%{fld18}", processor_chain([ + dup17, + dup9, +])); + +var msg31 = msg("session_resolve:01", part36); + +var select13 = linear_select([ + msg30, + msg31, +]); + +var part37 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' ip='), Field(hostip,true), Constant(' rate='), Field(fld29,true), Constant(' crate='), Field(fld30,true), Constant(' limit='), Field(fld31,false)}" +match("MESSAGE#31:session_throttle", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} ip=%{hostip->} rate=%{fld29->} crate=%{fld30->} limit=%{fld31}", processor_chain([ + dup17, + dup9, +])); + +var msg32 = msg("session_throttle", part37); + +var part38 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' ip='), Field(hostip,true), Constant(' rate='), Field(fld29,true), Constant(' crate='), Field(fld30,true), Constant(' limit='), Field(fld31,false)}" +match("MESSAGE#32:session_throttle:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} ip=%{hostip->} rate=%{fld29->} crate=%{fld30->} limit=%{fld31}", processor_chain([ + dup17, + dup9, +])); + +var msg33 = msg("session_throttle:01", part38); + +var select14 = linear_select([ + msg32, + msg33, +]); + +var part39 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' rate='), Field(fld58,false)}" +match("MESSAGE#33:session_dispose", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} rate=%{fld58}", processor_chain([ + dup22, + dup9, +])); + +var msg34 = msg("session_dispose", part39); + +var part40 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' rate='), Field(fld58,false)}" +match("MESSAGE#34:session_dispose:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} rate=%{fld58}", processor_chain([ + dup22, + dup9, +])); + +var msg35 = msg("session_dispose:01", part40); + +var part41 = // "Pattern{Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,false)}" +match("MESSAGE#35:session_dispose:02/2", "nwparser.p0", "%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action}"); + +var all7 = all_match({ + processors: [ + dup18, + dup47, + part41, + ], + on_success: processor_chain([ + dup22, + dup9, + dup21, + ]), +}); + +var msg36 = msg("session_dispose:02", all7); + +var part42 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,false)}" +match("MESSAGE#36:session_dispose:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action}", processor_chain([ + dup22, + dup9, +])); + +var msg37 = msg("session_dispose:03", part42); + +var select15 = linear_select([ + msg34, + msg35, + msg36, + msg37, +]); + +var part43 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' helo='), Field(fld32,true), Constant(' msgs='), Field(fld33,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" +match("MESSAGE#37:session_disconnect", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ + dup17, + dup9, + dup13, +])); + +var msg38 = msg("session_disconnect", part43); + +var part44 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' helo='), Field(fld32,true), Constant(' msgs='), Field(fld33,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" +match("MESSAGE#38:session_disconnect:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ + dup17, + dup9, + dup13, +])); + +var msg39 = msg("session_disconnect:01", part44); + +var select16 = linear_select([ + msg38, + msg39, +]); + +var part45 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' attachment='), Field(fld58,true), Constant(' file='), Field(fld1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' name='), Field(fld34,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#39:av_run:02/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} attachment=%{fld58->} file=%{fld1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} %{p0}"); + +var part46 = // "Pattern{Constant('cleaned='), Field(fld35,true), Constant(' vendor='), Field(fld36,true), Constant(' duration='), Field(p0,false)}" +match("MESSAGE#39:av_run:02/1_0", "nwparser.p0", "cleaned=%{fld35->} vendor=%{fld36->} duration=%{p0}"); + +var part47 = // "Pattern{Constant('vendor='), Field(fld36,true), Constant(' duration='), Field(p0,false)}" +match("MESSAGE#39:av_run:02/1_2", "nwparser.p0", "vendor=%{fld36->} duration=%{p0}"); + +var select17 = linear_select([ + part46, + dup23, + part47, +]); + +var all8 = all_match({ + processors: [ + part45, + select17, + dup24, + ], + on_success: processor_chain([ + dup25, + dup9, + dup21, + ]), +}); + +var msg40 = msg("av_run:02", all8); + +var part48 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' attachment='), Field(fld58,true), Constant(' file='), Field(filename,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' name='), Field(fld34,true), Constant(' cleaned='), Field(fld35,true), Constant(' vendor='), Field(fld36,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#40:av_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{duration_string}", processor_chain([ + dup25, + dup9, +])); + +var msg41 = msg("av_run:03", part48); + +var part49 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#41:av_run/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} %{p0}"); + +var part50 = // "Pattern{Constant('name='), Field(fld34,true), Constant(' cleaned='), Field(fld35,true), Constant(' vendor='), Field(fld36,true), Constant(' duration='), Field(p0,false)}" +match("MESSAGE#41:av_run/1_1", "nwparser.p0", "name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{p0}"); + +var part51 = // "Pattern{Constant('name='), Field(fld34,true), Constant(' vendor='), Field(fld36,true), Constant(' duration='), Field(p0,false)}" +match("MESSAGE#41:av_run/1_2", "nwparser.p0", "name=%{fld34->} vendor=%{fld36->} duration=%{p0}"); + +var select18 = linear_select([ + dup23, + part50, + part51, +]); + +var all9 = all_match({ + processors: [ + part49, + select18, + dup24, + ], + on_success: processor_chain([ + dup25, + dup9, + ]), +}); + +var msg42 = msg("av_run", all9); + +var part52 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' name='), Field(fld34,true), Constant(' cleaned='), Field(fld35,true), Constant(' vendor='), Field(fld36,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#42:av_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} name=%{fld34->} cleaned=%{fld35->} vendor=%{fld36->} duration=%{duration_string}", processor_chain([ + dup25, + dup9, +])); + +var msg43 = msg("av_run:01", part52); + +var select19 = linear_select([ + msg40, + msg41, + msg42, + msg43, +]); + +var msg44 = msg("av_refresh", dup48); + +var msg45 = msg("av_init", dup48); + +var part53 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,false)}" +match("MESSAGE#45:av_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ + dup26, + dup9, +])); + +var msg46 = msg("av_load", part53); + +var part54 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' attachment='), Field(fld58,true), Constant(' file='), Field(filename,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#46:access_run:02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ + dup17, + dup9, +])); + +var msg47 = msg("access_run:02", part54); + +var part55 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' attachment='), Field(fld58,true), Constant(' file='), Field(filename,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#47:access_run:04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} attachment=%{fld58->} file=%{filename->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ + dup17, + dup9, +])); + +var msg48 = msg("access_run:04", part55); + +var msg49 = msg("access_run:03", dup49); + +var msg50 = msg("access_run:01", dup50); + +var select20 = linear_select([ + msg47, + msg48, + msg49, + msg50, +]); + +var part56 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' action='), Field(action,true), Constant(' dict='), Field(fld37,true), Constant(' file='), Field(filename,false)}" +match("MESSAGE#50:access_refresh", "nwparser.payload", "%{fld0->} %{severity->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%{filename}", processor_chain([ + dup17, + dup9, +])); + +var msg51 = msg("access_refresh", part56); + +var msg52 = msg("access_refresh:01", dup51); + +var select21 = linear_select([ + msg51, + msg52, +]); + +var msg53 = msg("access_load", dup52); + +var msg54 = msg("regulation_init", dup51); + +var msg55 = msg("regulation_refresh", dup51); + +var part57 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#55:spam_run:rule/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} %{p0}"); + +var part58 = // "Pattern{Constant('ipscore='), Field(fld40,true), Constant(' suspectscore='), Field(p0,false)}" +match("MESSAGE#55:spam_run:rule/1_0", "nwparser.p0", "ipscore=%{fld40->} suspectscore=%{p0}"); + +var part59 = // "Pattern{Constant('suspectscore='), Field(p0,false)}" +match("MESSAGE#55:spam_run:rule/1_1", "nwparser.p0", "suspectscore=%{p0}"); + +var select22 = linear_select([ + part58, + part59, +]); + +var part60 = // "Pattern{Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#55:spam_run:rule/2", "nwparser.p0", "%{fld41->} phishscore=%{fld42->} %{p0}"); + +var part61 = // "Pattern{Constant('bulkscore='), Field(fld43,true), Constant(' adultscore='), Field(fld44,true), Constant(' classifier='), Field(p0,false)}" +match("MESSAGE#55:spam_run:rule/3_0", "nwparser.p0", "bulkscore=%{fld43->} adultscore=%{fld44->} classifier=%{p0}"); + +var part62 = // "Pattern{Constant('adultscore='), Field(fld44,true), Constant(' bulkscore='), Field(fld43,true), Constant(' classifier='), Field(p0,false)}" +match("MESSAGE#55:spam_run:rule/3_1", "nwparser.p0", "adultscore=%{fld44->} bulkscore=%{fld43->} classifier=%{p0}"); + +var select23 = linear_select([ + part61, + part62, +]); + +var part63 = // "Pattern{Field(fld45,true), Constant(' adjust='), Field(fld46,true), Constant(' reason='), Field(fld47,true), Constant(' scancount='), Field(fld48,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' raw='), Field(fld51,true), Constant(' tests='), Field(fld52,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#55:spam_run:rule/4", "nwparser.p0", "%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}"); + +var all10 = all_match({ + processors: [ + part57, + select22, + part60, + select23, + part63, + ], + on_success: processor_chain([ + dup27, + dup9, + ]), +}); + +var msg56 = msg("spam_run:rule", all10); + +var part64 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' ipscore='), Field(fld40,true), Constant(' suspectscore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' bulkscore='), Field(fld43,true), Constant(' adultscore='), Field(fld44,true), Constant(' classifier='), Field(fld45,true), Constant(' adjust='), Field(fld46,true), Constant(' reason='), Field(fld47,true), Constant(' scancount='), Field(fld48,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' raw='), Field(fld51,true), Constant(' tests='), Field(fld52,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#56:spam_run:rule_02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ + dup27, + dup9, +])); + +var msg57 = msg("spam_run:rule_02", part64); + +var part65 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' ndrscore='), Field(fld57,true), Constant(' ipscore='), Field(fld40,true), Constant(' suspectscore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' bulkscore='), Field(fld43,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' adjustscore='), Field(fld58,true), Constant(' adultscore='), Field(fld44,true), Constant(' classifier='), Field(fld45,true), Constant(' adjust='), Field(fld46,true), Constant(' reason='), Field(fld47,true), Constant(' scancount='), Field(fld48,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' raw='), Field(fld51,true), Constant(' tests='), Field(fld52,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#57:spam_run:rule_03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} ndrscore=%{fld57->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} spamscore=%{reputation_num->} adjustscore=%{fld58->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ + dup27, + dup9, +])); + +var msg58 = msg("spam_run:rule_03", part65); + +var part66 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' kscore.is_bulkscore='), Field(fld57,true), Constant(' kscore.compositescore='), Field(fld40,true), Constant(' circleOfTrustscore='), Field(fld41,true), Constant(' compositescore='), Field(fld42,true), Constant(' urlsuspect_oldscore='), Field(fld43,true), Constant(' suspectscore='), Field(reputation_num,true), Constant(' recipient_domain_to_sender_totalscore='), Field(fld58,true), Constant(' phishscore='), Field(fld44,true), Constant(' bulkscore='), Field(fld45,true), Constant(' kscore.is_spamscore='), Field(fld46,true), Constant(' recipient_to_sender_totalscore='), Field(fld47,true), Constant(' recipient_domain_to_sender_domain_totalscore='), Field(fld48,true), Constant(' rbsscore='), Field(fld49,true), Constant(' spamscore='), Field(fld50,true), Constant(' recipient_to_sender_domain_totalscore='), Field(fld51,true), Constant(' urlsuspectscore='), Field(fld52,true), Constant(' '), Field(fld53,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#58:spam_run:rule_04", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} kscore.is_bulkscore=%{fld57->} kscore.compositescore=%{fld40->} circleOfTrustscore=%{fld41->} compositescore=%{fld42->} urlsuspect_oldscore=%{fld43->} suspectscore=%{reputation_num->} recipient_domain_to_sender_totalscore=%{fld58->} phishscore=%{fld44->} bulkscore=%{fld45->} kscore.is_spamscore=%{fld46->} recipient_to_sender_totalscore=%{fld47->} recipient_domain_to_sender_domain_totalscore=%{fld48->} rbsscore=%{fld49->} spamscore=%{fld50->} recipient_to_sender_domain_totalscore=%{fld51->} urlsuspectscore=%{fld52->} %{fld53->} duration=%{duration_string}", processor_chain([ + dup27, + dup9, +])); + +var msg59 = msg("spam_run:rule_04", part66); + +var part67 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' ndrscore='), Field(fld53,true), Constant(' suspectscore='), Field(fld40,true), Constant(' malwarescore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' bulkscore='), Field(fld43,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' adjustscore='), Field(fld54,true), Constant(' adultscore='), Field(fld44,true), Constant(' classifier='), Field(fld45,true), Constant(' adjust='), Field(fld46,true), Constant(' reason='), Field(fld47,true), Constant(' scancount='), Field(fld48,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' raw='), Field(fld51,true), Constant(' tests='), Field(fld52,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#59:spam_run:rule_05", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} policy=%{fld38->} score=%{fld39->} ndrscore=%{fld53->} suspectscore=%{fld40->} malwarescore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} spamscore=%{reputation_num->} adjustscore=%{fld54->} adultscore=%{fld44->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50->} raw=%{fld51->} tests=%{fld52->} duration=%{duration_string}", processor_chain([ + dup27, + dup9, +])); + +var msg60 = msg("spam_run:rule_05", part67); + +var part68 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' mod='), Field(agent,true), Constant(' total_uri_count='), Field(dclass_counter1,true), Constant(' uris_excluded_from_report_info='), Field(dclass_counter2,false)}" +match("MESSAGE#60:spam_run:rule_06", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} mod=%{agent->} total_uri_count=%{dclass_counter1->} uris_excluded_from_report_info=%{dclass_counter2}", processor_chain([ + dup27, + dup9, +])); + +var msg61 = msg("spam_run:rule_06", part68); + +var part69 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' action='), Field(action,true), Constant(' score='), Field(fld39,true), Constant(' submsgadjust='), Field(fld53,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' ipscore='), Field(fld40,true), Constant(' suspectscore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' bulkscore='), Field(fld43,true), Constant(' adultscore='), Field(fld44,true), Constant(' tests='), Field(fld52,false)}" +match("MESSAGE#61:spam_run:action_01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} tests=%{fld52}", processor_chain([ + dup27, + dup9, +])); + +var msg62 = msg("spam_run:action_01", part69); + +var part70 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' action='), Field(action,true), Constant(' score='), Field(fld39,true), Constant(' submsgadjust='), Field(fld53,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' ipscore='), Field(fld40,true), Constant(' suspectscore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' bulkscore='), Field(fld43,true), Constant(' adultscore='), Field(fld44,true), Constant(' tests='), Field(fld52,false)}" +match("MESSAGE#62:spam_run:action", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} ipscore=%{fld40->} suspectscore=%{fld41->} phishscore=%{fld42->} bulkscore=%{fld43->} adultscore=%{fld44->} tests=%{fld52}", processor_chain([ + dup27, + dup9, +])); + +var msg63 = msg("spam_run:action", part70); + +var part71 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' action='), Field(action,true), Constant(' num_domains='), Field(fld53,true), Constant(' num_domains_to_lookup='), Field(fld40,false)}" +match("MESSAGE#63:spam_run:action_02", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} action=%{action->} num_domains=%{fld53->} num_domains_to_lookup=%{fld40}", processor_chain([ + dup27, + dup9, +])); + +var msg64 = msg("spam_run:action_02", part71); + +var select24 = linear_select([ + msg56, + msg57, + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + msg64, +]); + +var msg65 = msg("spam_refresh", dup53); + +var msg66 = msg("spam_init", dup53); + +var part72 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,false)}" +match("MESSAGE#66:spam_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ + dup27, + dup9, +])); + +var msg67 = msg("spam_load", part72); + +var part73 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' policy='), Field(fld38,true), Constant(' address='), Field(fld54,false)}" +match("MESSAGE#67:batv_run", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} policy=%{fld38->} address=%{fld54}", processor_chain([ + dup17, + dup9, +])); + +var msg68 = msg("batv_run", part73); + +var part74 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' policy='), Field(fld38,true), Constant(' address='), Field(fld54,false)}" +match("MESSAGE#68:batv_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} policy=%{fld38->} address=%{fld54}", processor_chain([ + dup17, + dup9, +])); + +var msg69 = msg("batv_run:01", part74); + +var msg70 = msg("batv_run:02", dup49); + +var msg71 = msg("batv_run:03", dup50); + +var select25 = linear_select([ + msg68, + msg69, + msg70, + msg71, +]); + +var msg72 = msg("zerohour_refresh", dup54); + +var msg73 = msg("zerohour_init", dup54); + +var msg74 = msg("zerohour_load", dup52); + +var part75 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' count='), Field(fld2,true), Constant(' name='), Field(fld34,true), Constant(' init_time='), Field(fld3,true), Constant(' init_virusthreat='), Field(fld4,true), Constant(' virusthreat='), Field(fld5,true), Constant(' virusthreatid='), Field(fld6,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#74:zerohour_run", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} count=%{fld2->} name=%{fld34->} init_time=%{fld3->} init_virusthreat=%{fld4->} virusthreat=%{fld5->} virusthreatid=%{fld6->} duration=%{duration_string}", processor_chain([ + dup17, + dup9, +])); + +var msg75 = msg("zerohour_run", part75); + +var part76 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' count='), Field(fld2,true), Constant(' name='), Field(fld34,true), Constant(' init_time='), Field(fld3,true), Constant(' init_virusthreat='), Field(fld4,true), Constant(' virusthreat='), Field(fld5,true), Constant(' virusthreatid='), Field(fld6,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#75:zerohour_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} count=%{fld2->} name=%{fld34->} init_time=%{fld3->} init_virusthreat=%{fld4->} virusthreat=%{fld5->} virusthreatid=%{fld6->} duration=%{duration_string}", processor_chain([ + dup17, + dup9, +])); + +var msg76 = msg("zerohour_run:01", part76); + +var select26 = linear_select([ + msg75, + msg76, +]); + +var part77 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#76:service_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} duration=%{duration_string}", processor_chain([ + dup17, + dup9, +])); + +var msg77 = msg("service_refresh", part77); + +var part78 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#77:perl_clone", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} id=%{fld5->} duration=%{duration_string}", processor_chain([ + dup17, + dup9, +])); + +var msg78 = msg("perl_clone", part78); + +var part79 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' cset='), Field(fld56,true), Constant(' name='), Field(fld34,true), Constant(' status='), Field(result,true), Constant(' err='), Field(fld58,false)}" +match("MESSAGE#78:cvt_convert", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ + dup17, + dup9, +])); + +var msg79 = msg("cvt_convert", part79); + +var part80 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' cset='), Field(fld56,true), Constant(' name='), Field(fld34,true), Constant(' status='), Field(result,true), Constant(' err='), Field(fld58,false)}" +match("MESSAGE#79:cvt_convert:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ + dup17, + dup9, +])); + +var msg80 = msg("cvt_convert:01", part80); + +var part81 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' pid='), Field(process_id,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' cset='), Field(fld56,true), Constant(' name='), Field(fld34,true), Constant(' status='), Field(result,true), Constant(' err='), Field(fld58,false)}" +match("MESSAGE#80:cvt_convert:02", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} mod=%{agent->} cmd=%{obj_type->} cset=%{fld56->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ + dup17, + dup9, +])); + +var msg81 = msg("cvt_convert:02", part81); + +var select27 = linear_select([ + msg79, + msg80, + msg81, +]); + +var part82 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' pid='), Field(process_id,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' name='), Field(fld34,true), Constant(' status='), Field(result,true), Constant(' err='), Field(fld58,false)}" +match("MESSAGE#81:cvt_detect", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} mod=%{agent->} cmd=%{obj_type->} name=%{fld34->} status=%{result->} err=%{fld58}", processor_chain([ + dup17, + dup9, +])); + +var msg82 = msg("cvt_detect", part82); + +var msg83 = msg("cvtd:01", dup55); + +var msg84 = msg("cvtd", dup56); + +var select28 = linear_select([ + msg83, + msg84, +]); + +var part83 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' pid='), Field(fld5,true), Constant(' mod='), Field(agent,true), Constant(' encrypted='), Field(fld6,false)}" +match("MESSAGE#84:cvtd_encrypted", "nwparser.payload", "%{fld0->} %{severity->} pid=%{fld5->} mod=%{agent->} encrypted=%{fld6}", processor_chain([ + dup17, + dup9, +])); + +var msg85 = msg("cvtd_encrypted", part83); + +var msg86 = msg("filter:01", dup55); + +var msg87 = msg("filter", dup56); + +var select29 = linear_select([ + msg86, + msg87, +]); + +var msg88 = msg("soap_listen", dup57); + +var msg89 = msg("http_listen", dup57); + +var part84 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' '), Field(event_description,false)}" +match("MESSAGE#89:mltr", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} %{event_description}", processor_chain([ + dup17, + dup9, +])); + +var msg90 = msg("mltr", part84); + +var msg91 = msg("milter_listen", dup57); + +var msg92 = msg("smtpsrv_load", dup52); + +var msg93 = msg("smtpsrv_listen", dup57); + +var part85 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#93:smtpsrv_run", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ + dup17, + dup9, +])); + +var msg94 = msg("smtpsrv_run", part85); + +var part86 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#94:smtpsrv/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} %{p0}"); + +var part87 = // "Pattern{Field(result,true), Constant(' err='), Field(fld58,false)}" +match("MESSAGE#94:smtpsrv/1_0", "nwparser.p0", "%{result->} err=%{fld58}"); + +var part88 = // "Pattern{Field(result,false)}" +match_copy("MESSAGE#94:smtpsrv/1_1", "nwparser.p0", "result"); + +var select30 = linear_select([ + part87, + part88, +]); + +var all11 = all_match({ + processors: [ + part86, + select30, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var msg95 = msg("smtpsrv", all11); + +var part89 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' cmd='), Field(obj_type,true), Constant(' profile='), Field(fld52,true), Constant(' qid='), Field(fld15,true), Constant(' rcpts='), Field(to,false)}" +match("MESSAGE#95:send", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} cmd=%{obj_type->} profile=%{fld52->} qid=%{fld15->} rcpts=%{to}", processor_chain([ + dup17, + dup9, +])); + +var msg96 = msg("send", part89); + +var part90 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' cmd='), Field(obj_type,true), Constant(' profile='), Field(fld52,true), Constant(' qid='), Field(fld15,true), Constant(' rcpts='), Field(to,false)}" +match("MESSAGE#96:send:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} cmd=%{obj_type->} profile=%{fld52->} qid=%{fld15->} rcpts=%{to}", processor_chain([ + dup17, + dup9, +])); + +var msg97 = msg("send:01", part90); + +var part91 = // "Pattern{Field(fld0,false), Constant(': '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' cmd='), Field(obj_type,true), Constant(' rcpt='), Field(to,true), Constant(' err='), Field(fld58,false)}" +match("MESSAGE#97:send:02", "nwparser.payload", "%{fld0}: %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} cmd=%{obj_type->} rcpt=%{to->} err=%{fld58}", processor_chain([ + dup17, + dup9, +])); + +var msg98 = msg("send:02", part91); + +var select31 = linear_select([ + msg96, + msg97, + msg98, +]); + +var part92 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(p0,false)}" +match("MESSAGE#98:queued-alert/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{p0}"); + +var part93 = // "Pattern{Field(fld55,true), Constant(' tls_verify='), Field(fld70,false), Constant(', pri='), Field(p0,false)}" +match("MESSAGE#98:queued-alert/1_0", "nwparser.p0", "%{fld55->} tls_verify=%{fld70}, pri=%{p0}"); + +var part94 = // "Pattern{Field(fld55,false), Constant(', pri='), Field(p0,false)}" +match("MESSAGE#98:queued-alert/1_1", "nwparser.p0", "%{fld55}, pri=%{p0}"); + +var select32 = linear_select([ + part93, + part94, +]); + +var part95 = // "Pattern{Field(fld23,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#98:queued-alert/2", "nwparser.p0", "%{fld23}, relay=%{p0}"); + +var all12 = all_match({ + processors: [ + part92, + select32, + part95, + dup58, + dup32, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var msg99 = msg("queued-alert", all12); + +var part96 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld57,false), Constant(', nrcpts='), Field(fld58,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(fld69,false), Constant(', tls_verify='), Field(fld70,false), Constant(', auth='), Field(authmethod,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#99:queued-alert:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{authmethod}, relay=%{p0}"); + +var part97 = // "Pattern{Constant('['), Field(fld50,false), Constant('] ['), Field(daddr,false), Constant(']')}" +match("MESSAGE#99:queued-alert:01/1_0", "nwparser.p0", "[%{fld50}] [%{daddr}]"); + +var select33 = linear_select([ + part97, + dup33, + dup34, + dup35, +]); + +var all13 = all_match({ + processors: [ + part96, + select33, + ], + on_success: processor_chain([ + dup17, + dup9, + dup36, + ]), +}); + +var msg100 = msg("queued-alert:01", all13); + +var part98 = // "Pattern{Constant('['), Field(fld50,false), Constant('] ['), Field(daddr,false), Constant('],'), Field(p0,false)}" +match("MESSAGE#100:queued-alert:02/1_0", "nwparser.p0", "[%{fld50}] [%{daddr}],%{p0}"); + +var select34 = linear_select([ + part98, + dup29, + dup30, + dup31, +]); + +var part99 = // "Pattern{Field(,false), Constant('version='), Field(version,false), Constant(', verify='), Field(fld57,false), Constant(', cipher='), Field(s_cipher,false), Constant(', bits='), Field(fld59,false)}" +match("MESSAGE#100:queued-alert:02/2", "nwparser.p0", "%{}version=%{version}, verify=%{fld57}, cipher=%{s_cipher}, bits=%{fld59}"); + +var all14 = all_match({ + processors: [ + dup37, + select34, + part99, + ], + on_success: processor_chain([ + dup17, + dup9, + dup36, + ]), +}); + +var msg101 = msg("queued-alert:02", all14); + +var select35 = linear_select([ + msg99, + msg100, + msg101, +]); + +var msg102 = msg("queued-VoltageEncrypt", dup63); + +var msg103 = msg("queued-VoltageEncrypt:01", dup64); + +var select36 = linear_select([ + msg102, + msg103, +]); + +var msg104 = msg("queued-default", dup63); + +var msg105 = msg("queued-default:01", dup64); + +var msg106 = msg("queued-default:02", dup65); + +var msg107 = msg("queued-default:03", dup66); + +var msg108 = msg("queued-default:04", dup60); + +var select37 = linear_select([ + msg104, + msg105, + msg106, + msg107, + msg108, +]); + +var msg109 = msg("queued-reinject", dup63); + +var msg110 = msg("queued-reinject:01", dup64); + +var msg111 = msg("queued-reinject:02", dup65); + +var msg112 = msg("queued-reinject:03", dup66); + +var part100 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': maxrcpts='), Field(fld56,false), Constant(', rcpts='), Field(fld57,false), Constant(', count='), Field(fld58,false), Constant(', ids='), Field(fld59,false)}" +match("MESSAGE#111:queued-reinject:05", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: maxrcpts=%{fld56}, rcpts=%{fld57}, count=%{fld58}, ids=%{fld59}", processor_chain([ + dup17, + dup9, +])); + +var msg113 = msg("queued-reinject:05", part100); + +var msg114 = msg("queued-reinject:04", dup60); + +var msg115 = msg("queued-reinject:06", dup61); + +var select38 = linear_select([ + msg109, + msg110, + msg111, + msg112, + msg113, + msg114, + msg115, +]); + +var part101 = // "Pattern{Field(,false), Constant('version='), Field(version,false), Constant(', verify='), Field(disposition,false), Constant(', cipher='), Field(fld58,false), Constant(', bits='), Field(fld59,false)}" +match("MESSAGE#114:queued-eurort/2", "nwparser.p0", "%{}version=%{version}, verify=%{disposition}, cipher=%{fld58}, bits=%{fld59}"); + +var all15 = all_match({ + processors: [ + dup37, + dup58, + part101, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var msg116 = msg("queued-eurort", all15); + +var msg117 = msg("queued-eurort:01", dup63); + +var msg118 = msg("queued-eurort:02", dup67); + +var msg119 = msg("queued-eurort:03", dup60); + +var select39 = linear_select([ + msg116, + msg117, + msg118, + msg119, +]); + +var msg120 = msg("queued-vdedc2v5", dup63); + +var msg121 = msg("queued-vdedc2v5:01", dup67); + +var select40 = linear_select([ + msg120, + msg121, +]); + +var msg122 = msg("sm-msp-queue", dup66); + +var part102 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: starting daemon ('), Field(fld7,false), Constant('): '), Field(fld6,false)}" +match("MESSAGE#122:sm-msp-queue:01", "nwparser.payload", "%{agent}[%{process_id}]: starting daemon (%{fld7}): %{fld6}", processor_chain([ + setc("eventcategory","1605000000"), + dup9, +])); + +var msg123 = msg("sm-msp-queue:01", part102); + +var part103 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': to='), Field(to,false), Constant(', ctladdr='), Field(fld13,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#123:sm-msp-queue:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, ctladdr=%{fld13}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); + +var all16 = all_match({ + processors: [ + part103, + dup58, + dup32, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var msg124 = msg("sm-msp-queue:02", all16); + +var select41 = linear_select([ + msg122, + msg123, + msg124, +]); + +var part104 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', tls_verify='), Field(fld24,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#124:sendmail:15/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, tls_verify=%{fld24}, pri=%{fld23}, relay=%{p0}"); + +var part105 = // "Pattern{Field(dhost,false), Constant('. ['), Field(daddr,false), Constant('],'), Field(p0,false)}" +match("MESSAGE#124:sendmail:15/1_1", "nwparser.p0", "%{dhost}. [%{daddr}],%{p0}"); + +var part106 = // "Pattern{Field(dhost,false), Constant('.,'), Field(p0,false)}" +match("MESSAGE#124:sendmail:15/1_2", "nwparser.p0", "%{dhost}.,%{p0}"); + +var select42 = linear_select([ + dup28, + part105, + part106, +]); + +var all17 = all_match({ + processors: [ + part104, + select42, + dup32, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var msg125 = msg("sendmail:15", all17); + +var part107 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld54,false), Constant(', nrcpts='), Field(fld55,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(p0,false)}" +match("MESSAGE#125:sendmail:14/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld54}, nrcpts=%{fld55}, msgid=%{id}, proto=%{protocol}, daemon=%{p0}"); + +var part108 = // "Pattern{Field(fld69,false), Constant(', tls_verify='), Field(fld70,false), Constant(', auth='), Field(authmethod,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#125:sendmail:14/1_0", "nwparser.p0", "%{fld69}, tls_verify=%{fld70}, auth=%{authmethod}, relay=%{p0}"); + +var part109 = // "Pattern{Field(fld69,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#125:sendmail:14/1_1", "nwparser.p0", "%{fld69}, relay=%{p0}"); + +var select43 = linear_select([ + part108, + part109, +]); + +var all18 = all_match({ + processors: [ + part107, + select43, + dup59, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var msg126 = msg("sendmail:14", all18); + +var msg127 = msg("sendmail", dup68); + +var part110 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': available mech='), Field(fld2,false), Constant(', allowed mech='), Field(fld3,false)}" +match("MESSAGE#127:sendmail:01", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: available mech=%{fld2}, allowed mech=%{fld3}", processor_chain([ + dup17, + dup9, +])); + +var msg128 = msg("sendmail:01", part110); + +var part111 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': milter='), Field(fld2,false), Constant(', action='), Field(action,false), Constant(', reject='), Field(fld3,false)}" +match("MESSAGE#128:sendmail:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: milter=%{fld2}, action=%{action}, reject=%{fld3}", processor_chain([ + dup17, + dup9, +])); + +var msg129 = msg("sendmail:02", part111); + +var part112 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(': '), Field(fld57,false), Constant(': host='), Field(hostname,false), Constant(', addr='), Field(saddr,false), Constant(', reject='), Field(fld3,false)}" +match("MESSAGE#129:sendmail:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: %{fld57}: host=%{hostname}, addr=%{saddr}, reject=%{fld3}", processor_chain([ + dup17, + dup9, +])); + +var msg130 = msg("sendmail:03", part112); + +var part113 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': Milter '), Field(action,false), Constant(': '), Field(fld2,false), Constant(': '), Field(fld3,false), Constant(': vendor='), Field(fld36,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' signatures='), Field(fld94,false)}" +match("MESSAGE#130:sendmail:08", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: %{fld2}: %{fld3}: vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ + dup17, + dup9, +])); + +var msg131 = msg("sendmail:08", part113); + +var part114 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': Milter '), Field(action,false), Constant(': '), Field(fld2,false), Constant(': '), Field(fld3,false), Constant(': rule='), Field(rulename,true), Constant(' policy='), Field(fld38,true), Constant(' score='), Field(fld39,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' suspectscore='), Field(fld41,true), Constant(' phishscore='), Field(fld42,true), Constant(' adultscore='), Field(fld44,true), Constant(' bulkscore='), Field(fld43,true), Constant(' classifier='), Field(fld45,true), Constant(' adjust='), Field(fld46,true), Constant(' reason='), Field(fld47,true), Constant(' scancount='), Field(fld48,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,false)}" +match("MESSAGE#131:sendmail:09", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: %{fld2}: %{fld3}: rule=%{rulename->} policy=%{fld38->} score=%{fld39->} spamscore=%{reputation_num->} suspectscore=%{fld41->} phishscore=%{fld42->} adultscore=%{fld44->} bulkscore=%{fld43->} classifier=%{fld45->} adjust=%{fld46->} reason=%{fld47->} scancount=%{fld48->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ + dup17, + dup9, +])); + +var msg132 = msg("sendmail:09", part114); + +var part115 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': Milter '), Field(action,false), Constant(': rcpt'), Field(p0,false)}" +match("MESSAGE#132:sendmail:10/0", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: Milter %{action}: rcpt%{p0}"); + +var part116 = // "Pattern{Constant(': '), Field(p0,false)}" +match("MESSAGE#132:sendmail:10/1_0", "nwparser.p0", ": %{p0}"); + +var part117 = // "Pattern{Field(p0,false)}" +match_copy("MESSAGE#132:sendmail:10/1_1", "nwparser.p0", "p0"); + +var select44 = linear_select([ + part116, + part117, +]); + +var part118 = // "Pattern{Field(,true), Constant(' '), Field(fld2,false)}" +match("MESSAGE#132:sendmail:10/2", "nwparser.p0", "%{} %{fld2}"); + +var all19 = all_match({ + processors: [ + part115, + select44, + part118, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var msg133 = msg("sendmail:10", all19); + +var part119 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant('['), Field(process_id,false), Constant(']: STARTTLS='), Field(fld1,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#133:sendmail:11/0", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); + +var all20 = all_match({ + processors: [ + part119, + dup58, + dup42, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var msg134 = msg("sendmail:11", all20); + +var part120 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': SYSERR('), Field(fld2,false), Constant('): '), Field(action,false), Constant(': '), Field(event_description,true), Constant(' from '), Field(from,false), Constant(', from='), Field(fld3,false)}" +match("MESSAGE#134:sendmail:12", "nwparser.payload", "%{fld10->} %{agent}[%{process_id}]: %{fld1}: SYSERR(%{fld2}): %{action}: %{event_description->} from %{from}, from=%{fld3}", processor_chain([ + dup17, + dup9, +])); + +var msg135 = msg("sendmail:12", part120); + +var part121 = // "Pattern{Field(fld10,true), Constant(' '), Field(agent,false), Constant(']'), Field(p0,false)}" +match("MESSAGE#135:sendmail:13/0_0", "nwparser.payload", "%{fld10->} %{agent}]%{p0}"); + +var part122 = // "Pattern{Field(agent,false), Constant(']'), Field(p0,false)}" +match("MESSAGE#135:sendmail:13/0_1", "nwparser.payload", "%{agent}]%{p0}"); + +var select45 = linear_select([ + part121, + part122, +]); + +var part123 = // "Pattern{Field(process_id,false), Constant('[: '), Field(fld1,false), Constant(': SYSERR('), Field(fld2,false), Constant('): '), Field(action,false), Constant(': '), Field(event_description,true), Constant(' file '), Field(filename,false), Constant(': '), Field(fld3,false)}" +match("MESSAGE#135:sendmail:13/1", "nwparser.p0", "%{process_id}[: %{fld1}: SYSERR(%{fld2}): %{action}: %{event_description->} file %{filename}: %{fld3}"); + +var all21 = all_match({ + processors: [ + select45, + part123, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var msg136 = msg("sendmail:13", all21); + +var part124 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(': '), Field(fld57,false), Constant(':'), Field(event_description,false)}" +match("MESSAGE#136:sendmail:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: %{fld57}:%{event_description}", processor_chain([ + dup17, + dup9, +])); + +var msg137 = msg("sendmail:04", part124); + +var part125 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(':'), Field(event_description,false)}" +match("MESSAGE#137:sendmail:05", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}:%{event_description}", processor_chain([ + dup17, + dup9, +])); + +var msg138 = msg("sendmail:05", part125); + +var part126 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: AUTH='), Field(authmethod,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#169:sendmail:06/0", "nwparser.payload", "%{agent}[%{process_id}]: AUTH=%{authmethod}, relay=%{p0}"); + +var part127 = // "Pattern{Field(,false), Constant('authid='), Field(uid,false), Constant(', mech='), Field(scheme,false), Constant(', bits='), Field(fld59,false)}" +match("MESSAGE#169:sendmail:06/2", "nwparser.p0", "%{}authid=%{uid}, mech=%{scheme}, bits=%{fld59}"); + +var all22 = all_match({ + processors: [ + part126, + dup58, + part127, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var msg139 = msg("sendmail:06", all22); + +var msg140 = msg("sendmail:07", dup61); + +var select46 = linear_select([ + msg125, + msg126, + msg127, + msg128, + msg129, + msg130, + msg131, + msg132, + msg133, + msg134, + msg135, + msg136, + msg137, + msg138, + msg139, + msg140, +]); + +var part128 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' pid='), Field(process_id,true), Constant(' status='), Field(fld29,false)}" +match("MESSAGE#138:info:eid_pid_status", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} pid=%{process_id->} status=%{fld29}", processor_chain([ + dup17, + dup9, +])); + +var msg141 = msg("info:eid_pid_status", part128); + +var part129 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' status='), Field(fld29,false)}" +match("MESSAGE#139:info:eid_status", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=%{fld29}", processor_chain([ + dup17, + dup9, +])); + +var msg142 = msg("info:eid_status", part129); + +var part130 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' '), Field(info,false)}" +match("MESSAGE#140:info:eid", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} %{info}", processor_chain([ + dup17, + dup9, +])); + +var msg143 = msg("info:eid", part130); + +var msg144 = msg("info:pid", dup62); + +var part131 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(p0,false)}" +match("MESSAGE#143:info/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{p0}"); + +var part132 = // "Pattern{Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' ofrom='), Field(from,false)}" +match("MESSAGE#143:info/1_0", "nwparser.p0", "%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} ofrom=%{from}"); + +var part133 = // "Pattern{Field(sessionid1,true), Constant(' status='), Field(info,true), Constant(' restquery_stage='), Field(fld3,false)}" +match("MESSAGE#143:info/1_1", "nwparser.p0", "%{sessionid1->} status=%{info->} restquery_stage=%{fld3}"); + +var part134 = // "Pattern{Field(sessionid1,false)}" +match_copy("MESSAGE#143:info/1_2", "nwparser.p0", "sessionid1"); + +var select47 = linear_select([ + part132, + part133, + part134, +]); + +var all23 = all_match({ + processors: [ + part131, + select47, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var msg145 = msg("info", all23); + +var part135 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' sys='), Field(fld1,true), Constant(' evt='), Field(action,true), Constant(' active='), Field(fld2,true), Constant(' expires='), Field(fld3,true), Constant(' msg='), Field(event_description,false)}" +match("MESSAGE#144:info:02", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sys=%{fld1->} evt=%{action->} active=%{fld2->} expires=%{fld3->} msg=%{event_description}", processor_chain([ + dup17, + dup9, +])); + +var msg146 = msg("info:02", part135); + +var part136 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' server='), Field(saddr,true), Constant(' elapsed='), Field(duration_string,true), Constant(' avgtime='), Field(fld2,true), Constant(' qname='), Field(fld3,true), Constant(' qtype='), Field(fld4,false)}" +match("MESSAGE#145:info:03", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} server=%{saddr->} elapsed=%{duration_string->} avgtime=%{fld2->} qname=%{fld3->} qtype=%{fld4}", processor_chain([ + dup17, + dup9, +])); + +var msg147 = msg("info:03", part136); + +var part137 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' '), Field(web_method,true), Constant(' /'), Field(info,false), Constant(': '), Field(resultcode,false)}" +match("MESSAGE#146:info:01", "nwparser.payload", "%{fld0->} %{severity->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ + dup17, + dup9, +])); + +var msg148 = msg("info:01", part137); + +var part138 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' sys='), Field(fld1,true), Constant(' evt='), Field(p0,false)}" +match("MESSAGE#147:info:04/0", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sys=%{fld1->} evt=%{p0}"); + +var part139 = // "Pattern{Field(action,true), Constant(' msg='), Field(event_description,false)}" +match("MESSAGE#147:info:04/1_0", "nwparser.p0", "%{action->} msg=%{event_description}"); + +var part140 = // "Pattern{Field(action,false)}" +match_copy("MESSAGE#147:info:04/1_1", "nwparser.p0", "action"); + +var select48 = linear_select([ + part139, + part140, +]); + +var all24 = all_match({ + processors: [ + part138, + select48, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var msg149 = msg("info:04", all24); + +var part141 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#148:info:05/0", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} %{p0}"); + +var part142 = // "Pattern{Constant('type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,false)}" +match("MESSAGE#148:info:05/1_0", "nwparser.p0", "type=%{fld6->} cmd=%{obj_type->} id=%{fld5}"); + +var part143 = // "Pattern{Constant('cmd='), Field(obj_type,false)}" +match("MESSAGE#148:info:05/1_1", "nwparser.p0", "cmd=%{obj_type}"); + +var select49 = linear_select([ + part142, + part143, +]); + +var all25 = all_match({ + processors: [ + part141, + select49, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var msg150 = msg("info:05", all25); + +var select50 = linear_select([ + msg141, + msg142, + msg143, + msg144, + msg145, + msg146, + msg147, + msg148, + msg149, + msg150, +]); + +var msg151 = msg("note:pid", dup62); + +var part144 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' module='), Field(agent,true), Constant(' action='), Field(action,true), Constant(' size='), Field(bytes,false)}" +match("MESSAGE#149:note:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} module=%{agent->} action=%{action->} size=%{bytes}", processor_chain([ + dup17, + dup9, +])); + +var msg152 = msg("note:01", part144); + +var select51 = linear_select([ + msg151, + msg152, +]); + +var part145 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' secprofile_name='), Field(fld3,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#150:rprt", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} secprofile_name=%{fld3->} rcpts=%{dclass_counter2->} duration=%{duration_string}", processor_chain([ + dup17, + dup9, +])); + +var msg153 = msg("rprt", part145); + +var part146 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' module='), Field(agent,true), Constant(' age='), Field(fld6,true), Constant(' limit='), Field(fld31,false)}" +match("MESSAGE#151:err", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} module=%{agent->} age=%{fld6->} limit=%{fld31}", processor_chain([ + dup17, + dup9, +])); + +var msg154 = msg("err", part146); + +var part147 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' eid='), Field(fld4,true), Constant(' result='), Field(result,false)}" +match("MESSAGE#152:warn", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} eid=%{fld4->} result=%{result}", processor_chain([ + dup17, + dup9, +])); + +var msg155 = msg("warn", part147); + +var part148 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' status="'), Field(event_state,true), Constant(' file: '), Field(filename,false), Constant('"')}" +match("MESSAGE#153:warn:01", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=\"%{event_state->} file: %{filename}\"", processor_chain([ + dup17, + dup9, +])); + +var msg156 = msg("warn:01", part148); + +var part149 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' eid='), Field(fld4,true), Constant(' status="'), Field(event_state,true), Constant(' file '), Field(filename,true), Constant(' does not contain enough (or correct) info. Fix this or remove the file."')}" +match("MESSAGE#154:warn:02", "nwparser.payload", "%{fld0->} %{severity->} eid=%{fld4->} status=\"%{event_state->} file %{filename->} does not contain enough (or correct) info. Fix this or remove the file.\"", processor_chain([ + dup17, + dup9, + setc("event_description","does not contain enough (or correct) info. Fix this or remove the file"), +])); + +var msg157 = msg("warn:02", part149); + +var select52 = linear_select([ + msg155, + msg156, + msg157, +]); + +var msg158 = msg("queued-aglife", dup68); + +var msg159 = msg("pdr_run", dup50); + +var part150 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' ttl='), Field(fld1,true), Constant(' reply="'), Field(p0,false)}" +match("MESSAGE#157:pdr_ttl/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} ttl=%{fld1->} reply=\"%{p0}"); + +var part151 = // "Pattern{Constant('\"'), Field(fld2,true), Constant(' rscore='), Field(fld3,false), Constant('\""')}" +match("MESSAGE#157:pdr_ttl/1_0", "nwparser.p0", "\\\"%{fld2->} rscore=%{fld3}\\\"\""); + +var part152 = // "Pattern{Field(fld2,false), Constant('"')}" +match("MESSAGE#157:pdr_ttl/1_1", "nwparser.p0", "%{fld2}\""); + +var select53 = linear_select([ + part151, + part152, +]); + +var all26 = all_match({ + processors: [ + part150, + select53, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var msg160 = msg("pdr_ttl", all26); + +var part153 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' signature='), Field(fld1,true), Constant(' identity='), Field(sigid_string,true), Constant(' host='), Field(hostname,true), Constant(' result='), Field(result,true), Constant(' result_detail='), Field(fld2,false)}" +match("MESSAGE#158:dkimv_run:signature", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} signature=%{fld1->} identity=%{sigid_string->} host=%{hostname->} result=%{result->} result_detail=%{fld2}", processor_chain([ + dup17, + dup9, +])); + +var msg161 = msg("dkimv_run:signature", part153); + +var part154 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' status="'), Field(info,false), Constant(', '), Field(event_state,false), Constant('"')}" +match("MESSAGE#159:dkimv_run:status", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} status=\"%{info}, %{event_state}\"", processor_chain([ + dup17, + dup9, +])); + +var msg162 = msg("dkimv_run:status", part154); + +var select54 = linear_select([ + msg161, + msg162, +]); + +var part155 = // "Pattern{Field(fld0,false), Constant(': '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' unexpected response type='), Field(fld1,false)}" +match("MESSAGE#160:dkimv_type", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} unexpected response type=%{fld1}", processor_chain([ + dup17, + dup9, + setc("result","unexpected response"), +])); + +var msg163 = msg("dkimv_type", part155); + +var part156 = // "Pattern{Field(fld0,false), Constant(': '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld1,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' publickey_cache_entries='), Field(fld6,false)}" +match("MESSAGE#161:dkimv_type:01", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{fld5->} publickey_cache_entries=%{fld6}", processor_chain([ + dup17, + dup9, +])); + +var msg164 = msg("dkimv_type:01", part156); + +var select55 = linear_select([ + msg163, + msg164, +]); + +var msg165 = msg("dmarc_run:rule", dup49); + +var part157 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' result='), Field(result,true), Constant(' result_detail='), Field(fld2,false)}" +match("MESSAGE#163:dmarc_run:result", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} result=%{result->} result_detail=%{fld2}", processor_chain([ + dup17, + dup9, +])); + +var msg166 = msg("dmarc_run:result", part157); + +var select56 = linear_select([ + msg165, + msg166, +]); + +var part158 = // "Pattern{Field(fld0,false), Constant(': '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld1,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' policy_cache_entries='), Field(fld6,false)}" +match("MESSAGE#164:dmarc_type", "nwparser.payload", "%{fld0}: %{severity->} mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{fld5->} policy_cache_entries=%{fld6}", processor_chain([ + dup17, + dup9, +])); + +var msg167 = msg("dmarc_type", part158); + +var msg168 = msg("spf_run:rule", dup49); + +var part159 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' cmd='), Field(obj_type,true), Constant(' result='), Field(result,false)}" +match("MESSAGE#166:spf_run:cmd", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} cmd=%{obj_type->} result=%{result}", processor_chain([ + dup17, + dup9, +])); + +var msg169 = msg("spf_run:cmd", part159); + +var select57 = linear_select([ + msg168, + msg169, +]); + +var part160 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' action='), Field(action,true), Constant(' score='), Field(fld39,true), Constant(' submsgadjust='), Field(fld53,true), Constant(' spamscore='), Field(reputation_num,true), Constant(' suspectscore='), Field(fld41,true), Constant(' malwarescore='), Field(fld49,true), Constant(' phishscore='), Field(fld42,true), Constant(' adultscore='), Field(fld44,true), Constant(' bulkscore='), Field(fld43,true), Constant(' tests='), Field(fld52,false)}" +match("MESSAGE#167:action_checksubmsg", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} action=%{action->} score=%{fld39->} submsgadjust=%{fld53->} spamscore=%{reputation_num->} suspectscore=%{fld41->} malwarescore=%{fld49->} phishscore=%{fld42->} adultscore=%{fld44->} bulkscore=%{fld43->} tests=%{fld52}", processor_chain([ + dup17, + dup9, +])); + +var msg170 = msg("action_checksubmsg", part160); + +var part161 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' authscope='), Field(fld5,true), Constant(' err='), Field(fld58,false)}" +match("MESSAGE#168:rest_oauth", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} authscope=%{fld5->} err=%{fld58}", processor_chain([ + dup17, + dup9, +])); + +var msg171 = msg("rest_oauth", part161); + +var part162 = // "Pattern{Constant('mod='), Field(agent,true), Constant(' type='), Field(fld1,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(id,true), Constant(' load smartid ccard')}" +match("MESSAGE#171:filter_instance1:01", "nwparser.payload", "mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{id->} load smartid ccard", processor_chain([ + dup17, + dup9, + setc("event_description","load smartid ccard"), + dup36, +])); + +var msg172 = msg("filter_instance1:01", part162); + +var part163 = // "Pattern{Constant('mod='), Field(agent,true), Constant(' type='), Field(fld1,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(id,true), Constant(' load smartid jcb')}" +match("MESSAGE#172:filter_instance1:02", "nwparser.payload", "mod=%{agent->} type=%{fld1->} cmd=%{obj_type->} id=%{id->} load smartid jcb", processor_chain([ + dup17, + dup9, + setc("event_description","load smartid jcb"), + dup36, +])); + +var msg173 = msg("filter_instance1:02", part163); + +var part164 = // "Pattern{Constant('s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' attachments='), Field(dclass_counter1,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' size='), Field(bytes,true), Constant(' guid='), Field(fld14,true), Constant(' hdr_mid='), Field(id,true), Constant(' qid='), Field(fld15,true), Constant(' subject="'), Field(subject,false), Constant('" '), Field(p0,false)}" +match("MESSAGE#173:filter_instance1:03/0", "nwparser.payload", "s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} attachments=%{dclass_counter1->} rcpts=%{dclass_counter2->} routes=%{fld4->} size=%{bytes->} guid=%{fld14->} hdr_mid=%{id->} qid=%{fld15->} subject=\"%{subject}\" %{p0}"); + +var part165 = // "Pattern{Constant('spamscore='), Field(reputation_num,true), Constant(' virusname='), Field(threat_name,true), Constant(' duration='), Field(p0,false)}" +match("MESSAGE#173:filter_instance1:03/1_0", "nwparser.p0", "spamscore=%{reputation_num->} virusname=%{threat_name->} duration=%{p0}"); + +var part166 = // "Pattern{Constant('duration='), Field(p0,false)}" +match("MESSAGE#173:filter_instance1:03/1_1", "nwparser.p0", "duration=%{p0}"); + +var select58 = linear_select([ + part165, + part166, +]); + +var part167 = // "Pattern{Field(fld16,true), Constant(' elapsed='), Field(duration_string,false)}" +match("MESSAGE#173:filter_instance1:03/2", "nwparser.p0", "%{fld16->} elapsed=%{duration_string}"); + +var all27 = all_match({ + processors: [ + part164, + select58, + part167, + ], + on_success: processor_chain([ + dup11, + dup9, + dup12, + dup13, + dup36, + ]), +}); + +var msg174 = msg("filter_instance1:03", all27); + +var part168 = // "Pattern{Constant('s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' module='), Field(event_source,true), Constant(' rule='), Field(rulename,true), Constant(' action='), Field(action,true), Constant(' helo='), Field(fld32,true), Constant(' msgs='), Field(fld33,true), Constant(' rcpts='), Field(dclass_counter2,true), Constant(' routes='), Field(fld4,true), Constant(' duration='), Field(duration_string,true), Constant(' elapsed='), Field(fld16,false)}" +match("MESSAGE#174:filter_instance1:04", "nwparser.payload", "s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} module=%{event_source->} rule=%{rulename->} action=%{action->} helo=%{fld32->} msgs=%{fld33->} rcpts=%{dclass_counter2->} routes=%{fld4->} duration=%{duration_string->} elapsed=%{fld16}", processor_chain([ + dup17, + dup9, + dup13, + dup36, +])); + +var msg175 = msg("filter_instance1:04", part168); + +var part169 = // "Pattern{Constant('s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' header.from="\"'), Field(info,false), Constant('\" '), Field(fld4,true), Constant(' <<'), Field(user_address,false), Constant('>"')}" +match("MESSAGE#175:filter_instance1:05", "nwparser.payload", "s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} header.from=\"\\\"%{info}\\\" %{fld4->} \u003c\u003c%{user_address}>\"", processor_chain([ + dup17, + dup9, + dup36, +])); + +var msg176 = msg("filter_instance1:05", part169); + +var part170 = tagval("MESSAGE#176:filter_instance1", "nwparser.payload", tvm, { + "X-Proofpoint-Spam-Details": "fld71", + "a": "fld12", + "action": "action", + "active": "fld2", + "addr": "saddr", + "adjust": "fld46", + "adjustscore": "fld54", + "adultscore": "fld44", + "alert": "fld53", + "attachments": "fld80", + "avgtime": "fld2", + "bulkscore": "fld43", + "cipher": "s_cipher", + "cipher_bits": "fld59", + "classifier": "fld45", + "cmd": "obj_type", + "corrupted": "fld9", + "country": "location_country", + "data_notroutes": "fld32", + "data_routes": "fld31", + "definitions": "fld50", + "delegate-for": "fld5", + "dict": "fld87", + "dkimresult": "fld65", + "duration": "duration_string", + "elapsed": "duration_string", + "engine": "fld49", + "evt": "action", + "expires": "fld3", + "file": "filename", + "from": "from", + "guid": "fld14", + "hdr_mid": "id", + "header-size": "bytes", + "header.from": "fld40", + "helo": "fld32", + "hops-ip": "fld61", + "hops_active": "fld26", + "host": "hostname", + "id": "id", + "install_dir": "directory", + "instance": "fld90", + "ip": "hostip", + "ksurl": "fld7", + "lint": "fld33", + "lip": "fld24", + "m": "mail_id", + "malwarescore": "fld41", + "maxfd": "fld91", + "method": "fld37", + "mime": "content_type", + "mlxlogscore": "fld95", + "mlxscore": "fld94", + "mod": "agent", + "module": "event_source", + "msg": "msg", + "msgs": "fld76", + "notroutes": "fld18", + "num_domains": "fld53", + "num_domains_to_lookup": "fld40", + "oext": "fld8", + "omime": "fld7", + "perlwait": "fld27", + "phishscore": "fld42", + "pid": "process_id", + "policy": "fld48", + "policy_cache_entries": "fld6", + "profile": "fld52", + "prot": "fld25", + "protected": "fld10", + "publickey_cache_entries": "fld6", + "qid": "fld15", + "qname": "fld3", + "qtype": "fld4", + "query": "fld38", + "r": "event_counter", + "rcpt": "to", + "rcpt_notroutes": "fld29", + "rcpt_routes": "fld28", + "rcpts": "fld59", + "realm": "fld61", + "reason": "fld47", + "record": "fld39", + "release": "fld92", + "resolve": "fld28", + "result": "result", + "result_detail": "fld74", + "result_record": "fld2", + "reverse": "fld13", + "rewritten": "fld17", + "routes": "fld4", + "rule": "rulename", + "s": "sessionid", + "scancount": "fld18", + "score": "fld39", + "server": "saddr", + "sha256": "checksum", + "sig": "fld60", + "signatures": "fld94", + "size": "bytes", + "smtp.mailfrom": "fld44", + "spamscore": "reputation_num", + "spfresult": "fld68", + "subject": "subject", + "submsgadjust": "fld53", + "suborg": "fld22", + "suspectscore": "fld41", + "sys": "fld1", + "tests": "fld52", + "threshold": "fld11", + "tls": "fld60", + "tls_version": "fld84", + "type": "fld1", + "uid": "uid", + "user": "username", + "value": "context", + "vendor": "fld36", + "verified": "fld3", + "verify": "fld57", + "version": "version", + "virtual": "fld11", + "virusname": "threat_name", + "x": "sessionid1", +}, processor_chain([ + dup17, + dup36, +])); + +var msg177 = msg("filter_instance1", part170); + +var select59 = linear_select([ + msg172, + msg173, + msg174, + msg175, + msg176, + msg177, +]); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "access_load": msg53, + "access_refresh": select21, + "access_run": select20, + "action_checksubmsg": msg170, + "av_init": msg45, + "av_load": msg46, + "av_refresh": msg44, + "av_run": select19, + "batv_run": select25, + "cvt_convert": select27, + "cvt_detect": msg82, + "cvtd": select28, + "cvtd_encrypted": msg85, + "dkimv_run": select54, + "dkimv_type": select55, + "dmarc_run": select56, + "dmarc_type": msg167, + "err": msg154, + "filter": select29, + "filter_instance1": select59, + "http_listen": msg89, + "info": select50, + "mail_attachment": select3, + "mail_continue-system-sendmail": msg18, + "mail_env_from": select5, + "mail_env_rcpt": select2, + "mail_helo": select6, + "mail_msg": select4, + "mail_release": msg19, + "milter_listen": msg91, + "mltr": msg90, + "note": select51, + "pdr_run": msg159, + "pdr_ttl": msg160, + "perl_clone": msg78, + "queued-VoltageEncrypt": select36, + "queued-aglife": msg158, + "queued-alert": select35, + "queued-default": select37, + "queued-eurort": select39, + "queued-reinject": select38, + "queued-vdedc2v5": select40, + "regulation_init": msg54, + "regulation_refresh": msg55, + "rest_oauth": msg171, + "rprt": msg153, + "send": select31, + "sendmail": select46, + "service_refresh": msg77, + "session_connect": select12, + "session_data": select8, + "session_disconnect": select16, + "session_dispose": select15, + "session_headers": select10, + "session_judge": select11, + "session_resolve": select13, + "session_store": select9, + "session_throttle": select14, + "sm-msp-queue": select41, + "smtpsrv": msg95, + "smtpsrv_listen": msg93, + "smtpsrv_load": msg92, + "smtpsrv_run": msg94, + "soap_listen": msg88, + "spam_init": msg66, + "spam_load": msg67, + "spam_refresh": msg65, + "spam_run": select24, + "spf_run": select57, + "warn": select52, + "zerohour_init": msg73, + "zerohour_load": msg74, + "zerohour_refresh": msg72, + "zerohour_run": select26, + }), +]); + +var part171 = // "Pattern{Constant('info'), Field(p0,false)}" +match("HEADER#0:0024/1_0", "nwparser.p0", "info%{p0}"); + +var part172 = // "Pattern{Constant('rprt'), Field(p0,false)}" +match("HEADER#0:0024/1_1", "nwparser.p0", "rprt%{p0}"); + +var part173 = // "Pattern{Constant('warn'), Field(p0,false)}" +match("HEADER#0:0024/1_2", "nwparser.p0", "warn%{p0}"); + +var part174 = // "Pattern{Constant('err'), Field(p0,false)}" +match("HEADER#0:0024/1_3", "nwparser.p0", "err%{p0}"); + +var part175 = // "Pattern{Constant('note'), Field(p0,false)}" +match("HEADER#0:0024/1_4", "nwparser.p0", "note%{p0}"); + +var part176 = // "Pattern{Field(hostip,true), Constant(' sampling='), Field(fld19,false)}" +match("MESSAGE#11:mail_env_from:ofrom/1_0", "nwparser.p0", "%{hostip->} sampling=%{fld19}"); + +var part177 = // "Pattern{Field(hostip,false)}" +match_copy("MESSAGE#11:mail_env_from:ofrom/1_1", "nwparser.p0", "hostip"); + +var part178 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#25:session_judge/0", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} %{p0}"); + +var part179 = // "Pattern{Constant('attachment='), Field(fld58,true), Constant(' file='), Field(fld1,true), Constant(' mod='), Field(p0,false)}" +match("MESSAGE#25:session_judge/1_0", "nwparser.p0", "attachment=%{fld58->} file=%{fld1->} mod=%{p0}"); + +var part180 = // "Pattern{Constant('mod='), Field(p0,false)}" +match("MESSAGE#25:session_judge/1_1", "nwparser.p0", "mod=%{p0}"); + +var part181 = // "Pattern{Constant('vendor='), Field(fld36,true), Constant(' version="'), Field(component_version,false), Constant('" duration='), Field(p0,false)}" +match("MESSAGE#39:av_run:02/1_1", "nwparser.p0", "vendor=%{fld36->} version=\"%{component_version}\" duration=%{p0}"); + +var part182 = // "Pattern{Field(duration_string,false)}" +match_copy("MESSAGE#39:av_run:02/2", "nwparser.p0", "duration_string"); + +var part183 = // "Pattern{Constant('['), Field(daddr,false), Constant('] ['), Field(daddr,false), Constant('],'), Field(p0,false)}" +match("MESSAGE#98:queued-alert/3_0", "nwparser.p0", "[%{daddr}] [%{daddr}],%{p0}"); + +var part184 = // "Pattern{Constant('['), Field(daddr,false), Constant('],'), Field(p0,false)}" +match("MESSAGE#98:queued-alert/3_1", "nwparser.p0", "[%{daddr}],%{p0}"); + +var part185 = // "Pattern{Field(dhost,true), Constant(' ['), Field(daddr,false), Constant('],'), Field(p0,false)}" +match("MESSAGE#98:queued-alert/3_2", "nwparser.p0", "%{dhost->} [%{daddr}],%{p0}"); + +var part186 = // "Pattern{Field(dhost,false), Constant(','), Field(p0,false)}" +match("MESSAGE#98:queued-alert/3_3", "nwparser.p0", "%{dhost},%{p0}"); + +var part187 = // "Pattern{Field(,false), Constant('dsn='), Field(resultcode,false), Constant(', stat='), Field(info,false)}" +match("MESSAGE#98:queued-alert/4", "nwparser.p0", "%{}dsn=%{resultcode}, stat=%{info}"); + +var part188 = // "Pattern{Constant('['), Field(daddr,false), Constant(']')}" +match("MESSAGE#99:queued-alert:01/1_1", "nwparser.p0", "[%{daddr}]"); + +var part189 = // "Pattern{Field(dhost,true), Constant(' ['), Field(daddr,false), Constant(']')}" +match("MESSAGE#99:queued-alert:01/1_2", "nwparser.p0", "%{dhost->} [%{daddr}]"); + +var part190 = // "Pattern{Field(dhost,false)}" +match_copy("MESSAGE#99:queued-alert:01/1_3", "nwparser.p0", "dhost"); + +var part191 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: STARTTLS='), Field(fld1,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#100:queued-alert:02/0", "nwparser.payload", "%{agent}[%{process_id}]: STARTTLS=%{fld1}, relay=%{p0}"); + +var part192 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld51,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#101:queued-VoltageEncrypt/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld51}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); + +var part193 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld57,false), Constant(', nrcpts='), Field(fld58,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(fld69,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#120:queued-VoltageEncrypt:01/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, relay=%{p0}"); + +var part194 = // "Pattern{Constant('['), Field(daddr,false), Constant('] ['), Field(daddr,false), Constant(']')}" +match("MESSAGE#120:queued-VoltageEncrypt:01/1_0", "nwparser.p0", "[%{daddr}] [%{daddr}]"); + +var part195 = // "Pattern{Field(,false), Constant('field='), Field(fld2,false), Constant(', status='), Field(info,false)}" +match("MESSAGE#104:queued-default:02/2", "nwparser.p0", "%{}field=%{fld2}, status=%{info}"); + +var part196 = // "Pattern{Field(,false), Constant('version='), Field(fld55,false), Constant(', verify='), Field(fld57,false), Constant(', cipher='), Field(fld58,false), Constant(', bits='), Field(fld59,false)}" +match("MESSAGE#105:queued-default:03/2", "nwparser.p0", "%{}version=%{fld55}, verify=%{fld57}, cipher=%{fld58}, bits=%{fld59}"); + +var part197 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': from='), Field(from,false), Constant(', size='), Field(bytes,false), Constant(', class='), Field(fld57,false), Constant(', nrcpts='), Field(fld58,false), Constant(', msgid='), Field(id,false), Constant(', proto='), Field(protocol,false), Constant(', daemon='), Field(fld69,false), Constant(', tls_verify='), Field(fld70,false), Constant(', auth='), Field(fld71,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#116:queued-eurort:02/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: from=%{from}, size=%{bytes}, class=%{fld57}, nrcpts=%{fld58}, msgid=%{id}, proto=%{protocol}, daemon=%{fld69}, tls_verify=%{fld70}, auth=%{fld71}, relay=%{p0}"); + +var part198 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': to='), Field(to,false), Constant(', delay='), Field(fld53,false), Constant(', xdelay='), Field(fld54,false), Constant(', mailer='), Field(fld55,false), Constant(', pri='), Field(fld23,false), Constant(', relay='), Field(p0,false)}" +match("MESSAGE#126:sendmail/0", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: to=%{to}, delay=%{fld53}, xdelay=%{fld54}, mailer=%{fld55}, pri=%{fld23}, relay=%{p0}"); + +var select60 = linear_select([ + dup1, + dup2, + dup3, + dup4, + dup5, +]); + +var select61 = linear_select([ + dup14, + dup15, +]); + +var select62 = linear_select([ + dup19, + dup20, +]); + +var part199 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' vendor='), Field(fld36,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,true), Constant(' signatures='), Field(fld94,false)}" +match("MESSAGE#43:av_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} vendor=%{fld36->} engine=%{fld49->} definitions=%{fld50->} signatures=%{fld94}", processor_chain([ + dup26, + dup9, +])); + +var part200 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' m='), Field(mail_id,true), Constant(' x='), Field(sessionid1,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#48:access_run:03", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} m=%{mail_id->} x=%{sessionid1->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ + dup17, + dup9, +])); + +var part201 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' s='), Field(sessionid,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' rule='), Field(rulename,true), Constant(' duration='), Field(duration_string,false)}" +match("MESSAGE#49:access_run:01", "nwparser.payload", "%{fld0->} %{severity->} s=%{sessionid->} mod=%{agent->} cmd=%{obj_type->} rule=%{rulename->} duration=%{duration_string}", processor_chain([ + dup17, + dup9, +])); + +var part202 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' action='), Field(action,true), Constant(' dict='), Field(fld37,true), Constant(' file='), Field(filename,false)}" +match("MESSAGE#51:access_refresh:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} action=%{action->} dict=%{fld37->} file=%{filename}", processor_chain([ + dup17, + dup9, +])); + +var part203 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,false)}" +match("MESSAGE#52:access_load", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5}", processor_chain([ + dup17, + dup9, +])); + +var part204 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' engine='), Field(fld49,true), Constant(' definitions='), Field(fld50,false)}" +match("MESSAGE#64:spam_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} engine=%{fld49->} definitions=%{fld50}", processor_chain([ + dup27, + dup9, +])); + +var part205 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' type='), Field(fld6,true), Constant(' cmd='), Field(obj_type,true), Constant(' id='), Field(fld5,true), Constant(' version='), Field(fld55,false)}" +match("MESSAGE#71:zerohour_refresh", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} type=%{fld6->} cmd=%{obj_type->} id=%{fld5->} version=%{fld55}", processor_chain([ + dup17, + dup9, +])); + +var part206 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' sig='), Field(fld60,false)}" +match("MESSAGE#82:cvtd:01", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} sig=%{fld60}", processor_chain([ + dup17, + dup9, +])); + +var part207 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,false)}" +match("MESSAGE#83:cvtd", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type}", processor_chain([ + dup17, + dup9, +])); + +var part208 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' mod='), Field(agent,true), Constant(' cmd='), Field(obj_type,true), Constant(' addr='), Field(saddr,false)}" +match("MESSAGE#87:soap_listen", "nwparser.payload", "%{fld0->} %{severity->} mod=%{agent->} cmd=%{obj_type->} addr=%{saddr}", processor_chain([ + dup17, + dup9, +])); + +var select63 = linear_select([ + dup28, + dup29, + dup30, + dup31, +]); + +var select64 = linear_select([ + dup40, + dup33, + dup34, + dup35, +]); + +var part209 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(fld1,false), Constant(': timeout waiting for input from '), Field(fld11,true), Constant(' during server cmd read')}" +match("MESSAGE#106:queued-default:04", "nwparser.payload", "%{agent}[%{process_id}]: %{fld1}: timeout waiting for input from %{fld11->} during server cmd read", processor_chain([ + dup17, + dup9, +])); + +var part210 = // "Pattern{Field(agent,false), Constant('['), Field(process_id,false), Constant(']: '), Field(event_description,false)}" +match("MESSAGE#113:queued-reinject:06", "nwparser.payload", "%{agent}[%{process_id}]: %{event_description}", processor_chain([ + dup17, + dup9, +])); + +var part211 = // "Pattern{Field(fld0,true), Constant(' '), Field(severity,true), Constant(' pid='), Field(process_id,true), Constant(' '), Field(web_method,true), Constant(' /'), Field(info,false), Constant(': '), Field(resultcode,false)}" +match("MESSAGE#141:info:pid", "nwparser.payload", "%{fld0->} %{severity->} pid=%{process_id->} %{web_method->} /%{info}: %{resultcode}", processor_chain([ + dup17, + dup9, +])); + +var all28 = all_match({ + processors: [ + dup38, + dup58, + dup32, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var all29 = all_match({ + processors: [ + dup39, + dup59, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var all30 = all_match({ + processors: [ + dup37, + dup58, + dup41, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var all31 = all_match({ + processors: [ + dup37, + dup58, + dup42, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var all32 = all_match({ + processors: [ + dup43, + dup59, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); + +var all33 = all_match({ + processors: [ + dup44, + dup58, + dup32, + ], + on_success: processor_chain([ + dup17, + dup9, + ]), +}); diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml new file mode 100644 index 00000000000..a5eafc083d9 --- /dev/null +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml @@ -0,0 +1,69 @@ +--- +description: Pipeline for Proofpoint Email Security + +processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' + - append: + field: related.hosts + value: '{{destination.address}}' + allow_duplicates: false + if: ctx?.destination?.address != null && ctx.destination?.address != '' +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/manifest.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/manifest.yml new file mode 100644 index 00000000000..de5ef117be3 --- /dev/null +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/manifest.yml @@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["proofpoint.emailsecurity", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9531 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log b/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log new file mode 100644 index 00000000000..2c98612c595 --- /dev/null +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log @@ -0,0 +1,100 @@ +January 29 06:09:59 avolupt low mod=perl cmd=clone cmd=olab id=nto duration=sse +2016/02/12T13:12:33.umdo itessequ session_store[vol]: info luptat high s=nibus mod=mipsumq cmd=gnaali module=enatus rule=mquia folder=ameaqu pri=aqu duration=utper +February 26 20:15:08 emape low s=incidi mod=session_connect cmd=nse ip=10.46.185.46 country=temvel lip=iatu prot=serror hops_active=anti routes=ofdeF notroutes=metcons perlwait=roinBCS +2016/03/12T03:17:42.iam mqua queued-eurort[3391]: olab: from=mquisnos, size=5771, class=ore, nrcpts=etconsec, msgid=err, proto=rdp, daemon=mUt, tls_verify=usmodte, auth=ele, relay=tenbyCic5882.api.home [10.69.20.77] +March 26 10:20:16 pteursi medium mod=service cmd=refresh cmd=turveli duration=toccae +April 9 17:22:51 ccusan low mod=zerohour type=Ciceroi cmd=refresh id=aveniam version=uradi +April 24 00:25:25 aboreetd high mod=smtpsrv cmd=listen cmd=dun addr=10.89.185.38 +May 8 07:27:59 ctetura medium mod=zerohour type=dolore cmd=init id=abor version=iqui +May 22 14:30:33 ritatis oloremi high s=icab mod=av_run cmd=mwr rule=fugi name=inculpaq cleaned=agna vendor=tionemu duration=eomnisis +2016/06/05T21:33:08.incidi picia queued-reinject[mUtenima]: warn emaperi[7183]: sumquiad: from=dexeaco, size=6178, class=colabor, nrcpts=iusmodt, msgid=etdolo, proto=tcp, daemon=lorumw, relay=ommod3671.mail.domain +June 20 04:35:42 imadmi high s=tion mod=session_judge cmd=eataev module=liquide rule=uasia +2016/07/04T11:38:16.uames tati access_run[utaliqu]: warn oriosamn medium s=santium m=iciatisu x=rehender mod=eporroqu cmd=uat rule=tem duration=est +July 18 18:40:50 samvolu err eid=ittenbyC module=isc age=aturve limit=emulla +2016/08/02T01:43:25.itame eumfug zerohour_init[lit]: note asun low mod=quamnih type=oluptate cmd=onseq id=serunt version=aquaeabi +August 16 08:45:59 ento warn eid=pic status="evita file suntexp does not contain enough (or correct) info. Fix this or remove the file." +August 30 15:48:33 tmo very-high s=abi mod=spam_run cmd=sectetur rule=uioffi policy=oru score=temqu ndrscore=edol ipscore=colab suspectscore=ommodico phishscore=quatD bulkscore=mcolab spamscore=67.309000 adjustscore=tenima adultscore=tsedqu classifier=agnid adjust=proide reason=dolorem scancount=tlab engine=volupt definitions=osqui raw=xerc tests=iutali duration=fdeFi +2016/09/13T22:51:07.sequine ectio dkimv_type[dutper]: err lamcolab: low mod=radi unexpected response type=gel +September 28 05:53:42 xeacomm very-high mod=av type=aturQui cmd=load id=utlabor +October 12 12:56:16 madmi tur low s=uatD mod=mail_attachment cmd=ariatu id=edquiac file=nci mime=tev type=saute omime=ntocca oext=ostru corrupted=ntoccae protected=autf size=3471 virtual=temquiav +2016/10/26T19:58:50.tor qui queued-aglife[4499]: eavolup: to=fugiatn, delay=docon, xdelay=etconsec, mailer=ios, pri=evolu, relay=ersp3536.www5.lan, dsn=sauteiru, stat=mod +2016/11/10T03:01:24.iquipe itempor mail_env_rcpt[quin]: err upida high s=nve m=remag x=uredol mod=ccaecat cmd=tquiin r=7440 value=temqu verified=ovol routes=ptasn +November 24 10:03:59 idolore low mod=spam type=eetdolo cmd=refresh id=cteturad engine=untut definitions=uamni +December 8 17:06:33 orumSe high mod=regulation type=isnost cmd=init id=queips action=cancel dict=itess file=iscinge +2016-12-23T12:09:07.inci atatn queued-alert[temUt]: info avol[752]: STARTTLS=essequam, relay=[10.193.83.81], version=1.5020, verify=str, cipher=iat, bits=etur +2017/01/06T07:11:41.isnostr umqu smtpsrv_run[tinv]: warn adipisc medium mod=isnisi cmd=ritatise rule=uamei duration=siut +2017/01/20T14:14:16.ttenby boris dkimv_run[stenatu]: err isiuta low s=ratv m=riat x=ianon mod=tsed cmd=nts status="siut, tconsect" +2017/02/03T21:16:50.ctetura aveni sendmail[elit]: note seosqui sequamni[3866]: STARTTLS=tdol, relay=sit6590.lan [10.123.143.188], version=ncididun, verify=umSe, cipher=xeacomm, bits=cinge +February 18 04:19:24 runtmol very-high mod=spam type=odi cmd=load id=ptass +March 4 11:21:59 aec medium mod=spam type=iduntu cmd=load id=ccaeca +March 18 18:24:33 leumiu tla very-high s=uaeratv mod=session_connect cmd=isa ip=10.38.65.236 country=dqu lip=pid prot=rExc hops_active=iusmo routes=tame notroutes=naaliq perlwait=nte +2017/04/02T01:27:07.ullamcor itationu dmarc_run[proident]: rprt maliquam medium s=atione m=lores x=ritati mod=orisni cmd=ons rule=remagn duration=ecillu +April 16 08:29:41 umetMalo high mod=av type=utp cmd=refresh id=aeconseq vendor=lor engine=Sedut definitions=yCiceroi signatures=quunt +April 30 15:32:16 aliq low mod=access type=teni cmd=refresh id=dquiac action=accept dict=tore file=elits +2017/05/14T22:34:50.uamnihi risnis mail_release[uov]: info itlab low s=sBono m=loremqu x=tetur mod=amvo cmd=siuta status=failure err=ommodo +May 29 05:37:24 atv high mod=access type=quira cmd=refresh id=rehende action=block dict=obeataev file=tempor +June 12 12:39:58 tlaboree note s=norumet m=dtempo x=tin module=fugitse action=deny size=3916 +2017/06/26T19:42:33.aturQu aaliq session_store[mipsamvo]: warn eiusmod very-high s=reetdo m=oreveri x=ehende mod=eaqueip cmd=eum module=lamc rule=umetMal folder=asper pri=umq duration=naal +2017/07/11T02:45:07.uto iuntNequ pdr_ttl[esseq]: warn aincidun low s=veniamq mod=occ ttl=oloreseo reply="\"iruredol rscore=veniamqu\"" +July 25 09:47:41 minim ataevi low s=repreh mod=av_run cmd=plic rule=irured name=illumqui cleaned=saq vendor=amali duration=ate +2017/08/08T16:50:15.autfugi tasun mail_continue-system-sendmail[duntutla]: err ntium low s=asuntexp mod=adminim cmd=orisni action=cancel err=lmole +2017/08/22T23:52:50.dolorem tem spam_init[exeacomm]: info aspe very-high mod=mides type=ciun cmd=olupta id=tsuntinc engine=inrepreh definitions=quovo +September 6 06:55:24 occaec acommodi medium s=quaeab mod=mail_env_rcpt cmd=fici r=5161 value=dipiscin verified=olup routes=aco +2017/09/20T13:57:58.mag tob smtpsrv_load[dolores]: rprt equamnih high mod=deF type=itempo cmd=orumw id=redol +October 4 21:00:32 radipis high s=tiumto mod=mail_env_from cmd=litan value=nder qid=stenatus tls=equep routes=ever notroutes=tali host=BCS3474.lan ip=10.1.204.187 sampling=quin +2017/10/19T04:03:07.nculpaq culpaqui regulation_init[tvolup]: note tdolore low mod=col type=obea cmd=emp id=agnaaliq action=cancel dict=uptatem file=oinv +queued-reinject[2957]: odt +2017/11/16T18:08:15.caecat rautod rprt[olest]: info eataev very-high s=ritati m=edquia x=itesse mod=mullam cmd=mexerc secprofile_name=meaque rcpts=5808 duration=mip +2017/12/01T01:10:49.deriti sintocc session_throttle[cididu]: rprt uteir high s=mwrit mod=ptat cmd=der rule=equuntur ip=10.219.133.187 rate=quameiu crate=diduntu limit=eiusmod +December 15 08:13:24 tassita very-high mod=smtpsrv cmd=run cmd=oremi rule=ugitsedq duration=turmag +2017/12/29T15:15:58.consecte pteurs dkimv_run[catcupi]: info autf very-high s=tiaecon m=uaturve x=amquisno mod=uido cmd=tla signature=mquiad identity=CSe host=lors7553.api.local result=unknown result_detail=rroqui +2018/01/12T22:18:32.itae dtempo cvtd[atnula]: warn ditautf low mod=iquidex cmd=olup +2018/01/27T05:21:06.rspici snisi queued-aglife[766]: olor: to=etquasia, delay=nula, xdelay=quiacons, mailer=uisa, pri=xeacommo, relay=[10.65.174.31], dsn=atur, stat=issu +2018/02/10T12:23:41.ite tasnul note[tuserr]: note tise very-high s=tnul m=expl x=ess module=quiad action=cancel size=6084 +2018/02/24T19:26:15.llumq tenim spam_init[eiusmo]: warn ainc medium mod=antiumdo type=ecill cmd=iduntu id=pisci engine=sunt definitions=texplica +March 11 02:28:49 ate action_checksubmsg s=con m=tqu x=eirur action=accept score=tametco submsgadjust=mquisnos spamscore=25.933000 suspectscore=cit malwarescore=siar phishscore=isn adultscore=veniamq bulkscore=lup tests=iumtotam +2018/03/25T09:31:24.voluptas velill regulation_init[rspic]: err orinrepr high mod=meum type=borumSec cmd=aecatcup id=snisiut action=allow dict=nre file=inB +2018/04/08T16:33:58.upt ulamc cvt_detect[cept]: err aedictas low pid=4253 mod=orio cmd=gna name=ici status=success err=olu +2018/04/22T23:36:32.seq moll queued-VoltageEncrypt[2861]: sunt: from=dquianon, size=956, class=itesse, nrcpts=iamqui, msgid=quide, proto=igmp, daemon=cididun, relay=str4641.domain [10.151.31.58] +2018/05/07T06:39:06.cti rumSecti session_throttle[riamea]: info eca very-high s=tes mod=equam cmd=isi rule=iaecon ip=10.119.38.124 rate=rep crate=remap limit=deri +May 21 13:41:41 scipit high pid=745 mod=cvt cmd=detect cmd=borisnis name=onorumet status=success err=isiutali +June 4 20:44:15 aedict low mod=cvtd cmd=miurere +2018/06/19T03:46:49.seq rumSe queued-vdedc2v5[tatnonp]: rprt ommo[4821]: idunt: to=expl, delay=olore, xdelay=uian, mailer=atuserro, pri=madminim, relay=[10.52.47.230] [10.113.119.47], dsn=quioff, stat=iuntN +2018/07/03T10:49:23.mquis lorsi filter[tetura]: rprt eeufug high mod=modt sig=iduntutl +July 17 17:51:58 expl very-high pid=prehende mod=cvtd cmd=encrypted encrypted=lup +August 1 00:54:32 umd sumd medium s=dat mod=session_judge cmd=aUtenima module=turQuis rule=taevi +2018/08/15T07:57:06.ercitati eve spf_run[rro]: err oeiusmo very-high s=cusanti m=tconse x=rem mod=tseddoei cmd=teursint rule=etMa duration=llita +2018/08/29T14:59:40.nostrum orroquis av_init[eumi]: info tvo low mod=tuser type=mmo cmd=eve id=nbyCicer vendor=scipit engine=equuntu definitions=quamni signatures=turveli +September 12 22:02:15 ihilm medium s=caboNemo mod=mltr uptas +2018/09/27T05:04:49.dol exe info[tis]: note oluptat low eid=tinvolup pid=497 status=tvol +October 11 12:07:23 eritqui medium s=atus mod=session_judge cmd=tassitas module=obea rule=velite +2018/10/25T19:09:57.lore luptate av_init[eritqu]: err elites very-high mod=tamr type=serr cmd=usci id=unturmag vendor=dexeaco engine=lupta definitions=ura signatures=oreeufug +2018/11/09T02:12:32.ree itten milter_listen[quipexea]: warn orsitv medium mod=nostrum cmd=autodita addr=10.27.154.247 +2018/11/23T09:15:06.utfugi ursintoc dkimv_type[tio]: rprt mmodicon: high mod=trudex unexpected response type=tvol +2018/12/07T16:17:40.rehen uaeab session_throttle[ptat]: warn mipsu high s=eturadip mod=amquaera cmd=rsitamet rule=leumiur ip=10.253.121.154 rate=olesti crate=edquia limit=ihi +December 21 23:20:14 emoenimi high pid=5895 mod=cvt cmd=detect cmd=mqu name=onorume status=unknown err=veleu +January 5 06:22:49 dquia high s=bori mod=mltr dipi +January 19 13:25:23 quovolu high s=dexe mod=mltr nemul +2019/02/02T20:27:57.quatur dminim mail_msg[ptatevel]: warn aperiame very-high s=eirured mod=sequamn cmd=perspici module=inimve rule=aea action=allow attachments=5821 rcpts=296 routes=ptat size=4878 guid=nde hdr_mid=quame qid=orumwri subject=atisu spamscore=66.849000 virusname=tse duration=rad elapsed=iat +2019/02/17T03:30:32.lorum suntexpl sm-msp-queue[iqu]: rprt iquamqu[6293]: audant: to=obeata, ctladdr=uredol, delay=uptat, xdelay=toditau, mailer=uiad, pri=nvolupta, relay=[10.80.133.120] [10.147.147.248], dsn=onpr, stat=uira +2019/03/03T10:33:06.aliqu sequine regulation_refresh[utaliqui]: note isciv very-high mod=econ type=aborio cmd=rve id=catcup action=deny dict=runtmoll file=busBon +2019/03/17T17:35:40.occaeca dan queued-alert[pta]: err upt[4762]: itaedict: to=eroi, delay=onemull, xdelay=mdo, mailer=labore, pri=lorem, relay=[10.68.159.207] [10.232.240.177], dsn=estq, stat=quasiarc +2019/04/01T00:38:14.tDuisaut uel warn[dexerc]: info vol high eid=agn status="iqu file: quamqua" +April 15 07:40:49 uunturm very-high mod=regulation type=iaconseq cmd=init id=tseddo action=cancel dict=rissusci file=ectetur +April 29 14:43:23 quaturve medium mod=zerohour type=gnamali cmd=init id=iumtota version=issusci +2019/05/13T21:45:57.ecillumd iumto dmarc_type[sequatu]: rprt tiumtot: medium mod=mdoloree type=que cmd=inBCSed id=cteturad policy_cache_entries=umq +May 28 04:48:31 reseo quam very-high s=pariat mod=mail_env_rcpt cmd=icaboNe r=4840 value=lumd verified=tiaec routes=lorem +June 11 11:51:06 seq low mod=info sys=lorsita evt=deny active=itation expires=utlabo msg=tat +June 25 18:53:40 ididu medium s=epteurs mod=mail_env_from cmd=itse value=rever ofrom=sBonoru qid=ecatcu tls=ntoccae routes=iscive notroutes=amni host=etconse5657.api.lan ip=10.118.249.126 sampling=dminimv +2019/07/10T01:56:14.rep nostru access_load[docons]: info emipsumq low mod=qua type=modit cmd=tatione id=aedicta +July 24 08:58:48 uas high s=reeufu mod=mail_env_from cmd=umexe value=xce ofrom=omnisis qid=corporis tls=tco routes=stiaec notroutes=Cicero host=ven5410.mail.host ip=10.170.55.203 sampling=deom +2019/08/07T16:01:23.Utenima nse info[umq]: note enim low mod=meaquei sys=snisiu evt=allow active=atev expires=vento msg=litsed +August 21 23:03:57 susc taed high s=mipsumd mod=mail_continue-system-sendmail cmd=eiusmo action=block err=sum +September 5 06:06:31 ipex low s=upta cmd=send profile=ivel qid=tmollita rcpts=tionofd +2019/09/19T13:09:05.ccaec repreh http_listen[imven]: note usan very-high mod=idolo cmd=olup addr=10.199.46.88 +2019/10/03T20:11:40.nulapari beataevi queued-VoltageEncrypt[3274]: eruntmol: from=plicab, size=5930, class=dmin, nrcpts=sum, msgid=lloinve, proto=ggp, daemon=nim, relay=Sedutper7794.www5.domain [10.154.22.241] +2019/10/18T03:14:14.nvol doloreeu cvtd_encrypted[elillumq]: info loremeum medium pid=obeataev mod=rrorsit encrypted=aincid +November 1 10:16:48 nis info pid=472 iin /uteiru: xer +2019/11/15T17:19:22.isauteir eritquii soap_listen[atevelit]: note dese low mod=ionula cmd=itaed addr=10.38.111.125 +November 30 00:21:57 ationem high mod=spam type=ing cmd=load id=ollita +2019/12/14T07:24:31.nih ncididu queued-default[4250]: STARTTLS=gitsed, relay=estla4081.corp, version=meumf, verify=rExce, cipher=quisquam, bits=boreet diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json b/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json new file mode 100644 index 00000000000..f9043afa34a --- /dev/null +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json @@ -0,0 +1,2569 @@ +[ + { + "event.code": "perl_clone", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "January 29 06:09:59 avolupt low mod=perl cmd=clone cmd=olab id=nto duration=sse", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 0, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "perl_clone", + "rsa.misc.client": "perl", + "rsa.misc.msgIdPart1": "perl", + "rsa.misc.msgIdPart2": "clone", + "rsa.misc.obj_type": "clone cmd=olab", + "rsa.misc.severity": "low", + "rsa.time.duration_str": "sse", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "session_store", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2016/02/12T13:12:33.umdo itessequ session_store[vol]: info luptat high s=nibus mod=mipsumq cmd=gnaali module=enatus rule=mquia folder=ameaqu pri=aqu duration=utper", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 80, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "session_store", + "rsa.misc.client": "mipsumq", + "rsa.misc.event_source": "enatus", + "rsa.misc.log_session_id": "nibus", + "rsa.misc.obj_type": "gnaali", + "rsa.misc.rule_name": "mquia", + "rsa.misc.severity": "high", + "rsa.time.duration_str": "utper", + "rule.name": "mquia", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "session_connect_nse", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "February 26 20:15:08 emape low s=incidi mod=session_connect cmd=nse ip=10.46.185.46 country=temvel lip=iatu prot=serror hops_active=anti routes=ofdeF notroutes=metcons perlwait=roinBCS", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 244, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "session_connect_nse", + "rsa.misc.msgIdPart1": "session_connect", + "rsa.misc.msgIdPart2": "nse", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "destination.address": "tenbyCic5882.api.home", + "destination.ip": [ + "10.69.20.77" + ], + "event.code": "err", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2016/03/12T03:17:42.iam mqua queued-eurort[3391]: olab: from=mquisnos, size=5771, class=ore, nrcpts=etconsec, msgid=err, proto=rdp, daemon=mUt, tls_verify=usmodte, auth=ele, relay=tenbyCic5882.api.home [10.69.20.77]", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 429, + "network.bytes": 5771, + "network.protocol": "rdp", + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "process.pid": 3391, + "related.hosts": [ + "tenbyCic5882.api.home" + ], + "related.ip": [ + "10.69.20.77" + ], + "rsa.email.email_src": "mquisnos", + "rsa.internal.messageid": "queued-eurort", + "rsa.misc.client": "queued-eurort", + "rsa.misc.reference_id": "err", + "rsa.network.host_dst": "tenbyCic5882.api.home", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "service_refresh", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "March 26 10:20:16 pteursi medium mod=service cmd=refresh cmd=turveli duration=toccae", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "medium", + "log.offset": 645, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "service_refresh", + "rsa.misc.client": "service", + "rsa.misc.msgIdPart1": "service", + "rsa.misc.msgIdPart2": "refresh", + "rsa.misc.obj_type": "refresh cmd=turveli", + "rsa.misc.severity": "medium", + "rsa.time.duration_str": "toccae", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "zerohour_refresh", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "April 9 17:22:51 ccusan low mod=zerohour type=Ciceroi cmd=refresh id=aveniam version=uradi", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 730, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "zerohour_refresh", + "rsa.misc.client": "zerohour", + "rsa.misc.msgIdPart1": "zerohour", + "rsa.misc.msgIdPart2": "refresh", + "rsa.misc.obj_type": "refresh", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "smtpsrv_listen", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "April 24 00:25:25 aboreetd high mod=smtpsrv cmd=listen cmd=dun addr=10.89.185.38", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 821, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "related.ip": [ + "10.89.185.38" + ], + "rsa.internal.messageid": "smtpsrv_listen", + "rsa.misc.client": "smtpsrv", + "rsa.misc.msgIdPart1": "smtpsrv", + "rsa.misc.msgIdPart2": "listen", + "rsa.misc.obj_type": "listen cmd=dun", + "rsa.misc.severity": "high", + "service.type": "proofpoint", + "source.ip": [ + "10.89.185.38" + ], + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "zerohour_init", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "May 8 07:27:59 ctetura medium mod=zerohour type=dolore cmd=init id=abor version=iqui", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "medium", + "log.offset": 902, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "zerohour_init", + "rsa.misc.client": "zerohour", + "rsa.misc.msgIdPart1": "zerohour", + "rsa.misc.msgIdPart2": "init", + "rsa.misc.obj_type": "init", + "rsa.misc.severity": "medium", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "av_run", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "May 22 14:30:33 ritatis oloremi high s=icab mod=av_run cmd=mwr rule=fugi name=inculpaq cleaned=agna vendor=tionemu duration=eomnisis", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 987, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "av_run", + "rsa.misc.client": "av_run", + "rsa.misc.log_session_id": "icab", + "rsa.misc.obj_type": "mwr", + "rsa.misc.rule_name": "fugi", + "rsa.misc.severity": "high", + "rsa.time.duration_str": "eomnisis", + "rule.name": "fugi", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "destination.address": "ommod3671.mail.domain", + "event.code": "etdolo", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2016/06/05T21:33:08.incidi picia queued-reinject[mUtenima]: warn emaperi[7183]: sumquiad: from=dexeaco, size=6178, class=colabor, nrcpts=iusmodt, msgid=etdolo, proto=tcp, daemon=lorumw, relay=ommod3671.mail.domain", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 1120, + "network.bytes": 6178, + "network.protocol": "tcp", + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "process.pid": 7183, + "related.hosts": [ + "ommod3671.mail.domain" + ], + "rsa.email.email_src": "dexeaco", + "rsa.internal.messageid": "queued-reinject", + "rsa.misc.client": "emaperi", + "rsa.misc.reference_id": "etdolo", + "rsa.network.host_dst": "ommod3671.mail.domain", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "session_judge_eataev", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "June 20 04:35:42 imadmi high s=tion mod=session_judge cmd=eataev module=liquide rule=uasia", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 1334, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "session_judge_eataev", + "rsa.misc.msgIdPart1": "session_judge", + "rsa.misc.msgIdPart2": "eataev", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "access_run", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2016/07/04T11:38:16.uames tati access_run[utaliqu]: warn oriosamn medium s=santium m=iciatisu x=rehender mod=eporroqu cmd=uat rule=tem duration=est", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "medium", + "log.offset": 1425, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "access_run", + "rsa.misc.client": "eporroqu", + "rsa.misc.log_session_id": "santium", + "rsa.misc.log_session_id1": "rehender", + "rsa.misc.mail_id": "iciatisu", + "rsa.misc.obj_type": "uat", + "rsa.misc.rule_name": "tem", + "rsa.misc.severity": "medium", + "rsa.time.duration_str": "est", + "rule.name": "tem", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "err", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "July 18 18:40:50 samvolu err eid=ittenbyC module=isc age=aturve limit=emulla", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "err", + "log.offset": 1573, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "err", + "rsa.misc.client": "isc", + "rsa.misc.severity": "err", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "zerohour_init", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2016/08/02T01:43:25.itame eumfug zerohour_init[lit]: note asun low mod=quamnih type=oluptate cmd=onseq id=serunt version=aquaeabi", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 1650, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "zerohour_init", + "rsa.misc.client": "quamnih", + "rsa.misc.obj_type": "onseq", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "warn", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "August 16 08:45:59 ento warn eid=pic status=\"evita file suntexp does not contain enough (or correct) info. Fix this or remove the file.\"", + "file.name": "suntexp", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "warn", + "log.offset": 1780, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.event_desc": "does not contain enough (or correct) info. Fix this or remove the file", + "rsa.internal.messageid": "warn", + "rsa.misc.event_state": "evita", + "rsa.misc.severity": "warn", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "spam_run_sectetur", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "August 30 15:48:33 tmo very-high s=abi mod=spam_run cmd=sectetur rule=uioffi policy=oru score=temqu ndrscore=edol ipscore=colab suspectscore=ommodico phishscore=quatD bulkscore=mcolab spamscore=67.309000 adjustscore=tenima adultscore=tsedqu classifier=agnid adjust=proide reason=dolorem scancount=tlab engine=volupt definitions=osqui raw=xerc tests=iutali duration=fdeFi", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 1917, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "spam_run_sectetur", + "rsa.misc.msgIdPart1": "spam_run", + "rsa.misc.msgIdPart2": "sectetur", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "dkimv_type", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2016/09/13T22:51:07.sequine ectio dkimv_type[dutper]: err lamcolab: low mod=radi unexpected response type=gel", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 2288, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "dkimv_type", + "rsa.misc.client": "radi", + "rsa.misc.result": "unexpected response", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "av_load", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "September 28 05:53:42 xeacomm very-high mod=av type=aturQui cmd=load id=utlabor", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2398, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "av_load", + "rsa.misc.client": "av", + "rsa.misc.msgIdPart1": "av", + "rsa.misc.msgIdPart2": "load", + "rsa.misc.obj_type": "load", + "rsa.misc.severity": "very-high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "mail_attachment", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "October 12 12:56:16 madmi tur low s=uatD mod=mail_attachment cmd=ariatu id=edquiac file=nci mime=tev type=saute omime=ntocca oext=ostru corrupted=ntoccae protected=autf size=3471 virtual=temquiav", + "file.name": "nci", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 2478, + "network.bytes": 3471, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "mail_attachment", + "rsa.misc.client": "mail_attachment", + "rsa.misc.content_type": "tev", + "rsa.misc.log_session_id": "uatD", + "rsa.misc.obj_type": "ariatu", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "destination.address": "ersp3536.www5.lan", + "event.code": "queued-aglife", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2016/10/26T19:58:50.tor qui queued-aglife[4499]: eavolup: to=fugiatn, delay=docon, xdelay=etconsec, mailer=ios, pri=evolu, relay=ersp3536.www5.lan, dsn=sauteiru, stat=mod", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 2674, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "process.pid": 4499, + "related.hosts": [ + "ersp3536.www5.lan" + ], + "rsa.db.index": "mod", + "rsa.email.email_dst": "fugiatn", + "rsa.internal.messageid": "queued-aglife", + "rsa.misc.client": "queued-aglife", + "rsa.misc.result_code": "sauteiru", + "rsa.network.host_dst": "ersp3536.www5.lan", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "mail_env_rcpt", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2016/11/10T03:01:24.iquipe itempor mail_env_rcpt[quin]: err upida high s=nve m=remag x=uredol mod=ccaecat cmd=tquiin r=7440 value=temqu verified=ovol routes=ptasn", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 2845, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.counters.event_counter": 7440, + "rsa.email.email_dst": "temqu", + "rsa.internal.messageid": "mail_env_rcpt", + "rsa.misc.client": "ccaecat", + "rsa.misc.log_session_id": "nve", + "rsa.misc.log_session_id1": "uredol", + "rsa.misc.mail_id": "remag", + "rsa.misc.obj_type": "tquiin", + "rsa.misc.severity": "high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "spam_refresh", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "November 24 10:03:59 idolore low mod=spam type=eetdolo cmd=refresh id=cteturad engine=untut definitions=uamni", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 3008, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "spam_refresh", + "rsa.misc.client": "spam", + "rsa.misc.msgIdPart1": "spam", + "rsa.misc.msgIdPart2": "refresh", + "rsa.misc.obj_type": "refresh", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "regulation_init", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "December 8 17:06:33 orumSe high mod=regulation type=isnost cmd=init id=queips action=cancel dict=itess file=iscinge", + "file.name": "iscinge", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 3118, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "regulation_init", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.client": "regulation", + "rsa.misc.msgIdPart1": "regulation", + "rsa.misc.msgIdPart2": "init", + "rsa.misc.obj_type": "init", + "rsa.misc.severity": "high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.193.83.81" + ], + "event.code": "queued-alert", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2016-12-23T12:09:07.inci atatn queued-alert[temUt]: info avol[752]: STARTTLS=essequam, relay=[10.193.83.81], version=1.5020, verify=str, cipher=iat, bits=etur", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 3234, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "observer.version": "1.5020", + "process.pid": 752, + "related.ip": [ + "10.193.83.81" + ], + "rsa.crypto.cipher_src": "iat", + "rsa.internal.messageid": "queued-alert", + "rsa.misc.client": "avol", + "rsa.misc.version": "1.5020", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "smtpsrv_run", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2017/01/06T07:11:41.isnostr umqu smtpsrv_run[tinv]: warn adipisc medium mod=isnisi cmd=ritatise rule=uamei duration=siut", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "medium", + "log.offset": 3393, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "smtpsrv_run", + "rsa.misc.client": "isnisi", + "rsa.misc.obj_type": "ritatise", + "rsa.misc.rule_name": "uamei", + "rsa.misc.severity": "medium", + "rsa.time.duration_str": "siut", + "rule.name": "uamei", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "dkimv_run", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2017/01/20T14:14:16.ttenby boris dkimv_run[stenatu]: err isiuta low s=ratv m=riat x=ianon mod=tsed cmd=nts status=\"siut, tconsect\"", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 3514, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.db.index": "siut", + "rsa.internal.messageid": "dkimv_run", + "rsa.misc.client": "tsed", + "rsa.misc.event_state": "tconsect", + "rsa.misc.log_session_id": "ratv", + "rsa.misc.log_session_id1": "ianon", + "rsa.misc.mail_id": "riat", + "rsa.misc.obj_type": "nts", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "destination.address": "sit6590.lan", + "destination.ip": [ + "10.123.143.188" + ], + "event.code": "sendmail", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2017/02/03T21:16:50.ctetura aveni sendmail[elit]: note seosqui sequamni[3866]: STARTTLS=tdol, relay=sit6590.lan [10.123.143.188], version=ncididun, verify=umSe, cipher=xeacomm, bits=cinge", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 3645, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "process.pid": 3866, + "related.hosts": [ + "sit6590.lan" + ], + "related.ip": [ + "10.123.143.188" + ], + "rsa.internal.messageid": "sendmail", + "rsa.misc.client": "sequamni", + "rsa.network.host_dst": "sit6590.lan", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "spam_load", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "February 18 04:19:24 runtmol very-high mod=spam type=odi cmd=load id=ptass", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3833, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "spam_load", + "rsa.misc.client": "spam", + "rsa.misc.msgIdPart1": "spam", + "rsa.misc.msgIdPart2": "load", + "rsa.misc.obj_type": "load", + "rsa.misc.severity": "very-high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "spam_load", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "March 4 11:21:59 aec medium mod=spam type=iduntu cmd=load id=ccaeca", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "medium", + "log.offset": 3908, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "spam_load", + "rsa.misc.client": "spam", + "rsa.misc.msgIdPart1": "spam", + "rsa.misc.msgIdPart2": "load", + "rsa.misc.obj_type": "load", + "rsa.misc.severity": "medium", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "session_connect", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "March 18 18:24:33 leumiu tla very-high s=uaeratv mod=session_connect cmd=isa ip=10.38.65.236 country=dqu lip=pid prot=rExc hops_active=iusmo routes=tame notroutes=naaliq perlwait=nte", + "fileset.name": "emailsecurity", + "geo.country_name": "dqu", + "host.ip": "10.38.65.236", + "input.type": "log", + "log.level": "very-high", + "log.offset": 3976, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "related.ip": [ + "10.38.65.236" + ], + "rsa.internal.messageid": "session_connect", + "rsa.misc.client": "session_connect", + "rsa.misc.log_session_id": "uaeratv", + "rsa.misc.obj_type": "isa", + "rsa.misc.severity": "very-high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "dmarc_run", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2017/04/02T01:27:07.ullamcor itationu dmarc_run[proident]: rprt maliquam medium s=atione m=lores x=ritati mod=orisni cmd=ons rule=remagn duration=ecillu", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "medium", + "log.offset": 4159, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "dmarc_run", + "rsa.misc.client": "orisni", + "rsa.misc.log_session_id": "atione", + "rsa.misc.log_session_id1": "ritati", + "rsa.misc.mail_id": "lores", + "rsa.misc.obj_type": "ons", + "rsa.misc.rule_name": "remagn", + "rsa.misc.severity": "medium", + "rsa.time.duration_str": "ecillu", + "rule.name": "remagn", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "av_refresh", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "April 16 08:29:41 umetMalo high mod=av type=utp cmd=refresh id=aeconseq vendor=lor engine=Sedut definitions=yCiceroi signatures=quunt", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 4312, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "av_refresh", + "rsa.misc.client": "av", + "rsa.misc.msgIdPart1": "av", + "rsa.misc.msgIdPart2": "refresh", + "rsa.misc.obj_type": "refresh", + "rsa.misc.severity": "high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "access_refresh", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "April 30 15:32:16 aliq low mod=access type=teni cmd=refresh id=dquiac action=accept dict=tore file=elits", + "file.name": "elits", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 4446, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "access_refresh", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.client": "access", + "rsa.misc.msgIdPart1": "access", + "rsa.misc.msgIdPart2": "refresh", + "rsa.misc.obj_type": "refresh", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "mail_release", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2017/05/14T22:34:50.uamnihi risnis mail_release[uov]: info itlab low s=sBono m=loremqu x=tetur mod=amvo cmd=siuta status=failure err=ommodo", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 4551, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "mail_release", + "rsa.misc.client": "amvo", + "rsa.misc.log_session_id": "sBono", + "rsa.misc.log_session_id1": "tetur", + "rsa.misc.mail_id": "loremqu", + "rsa.misc.obj_type": "siuta", + "rsa.misc.result": "failure", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.action": "block", + "event.code": "access_refresh", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "May 29 05:37:24 atv high mod=access type=quira cmd=refresh id=rehende action=block dict=obeataev file=tempor", + "file.name": "tempor", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 4691, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "access_refresh", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.client": "access", + "rsa.misc.msgIdPart1": "access", + "rsa.misc.msgIdPart2": "refresh", + "rsa.misc.obj_type": "refresh", + "rsa.misc.severity": "high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "note", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "June 12 12:39:58 tlaboree note s=norumet m=dtempo x=tin module=fugitse action=deny size=3916", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "note", + "log.offset": 4800, + "network.bytes": 3916, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "note", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.client": "fugitse", + "rsa.misc.log_session_id": "norumet", + "rsa.misc.log_session_id1": "tin", + "rsa.misc.mail_id": "dtempo", + "rsa.misc.severity": "note", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "session_store", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2017/06/26T19:42:33.aturQu aaliq session_store[mipsamvo]: warn eiusmod very-high s=reetdo m=oreveri x=ehende mod=eaqueip cmd=eum module=lamc rule=umetMal folder=asper pri=umq duration=naal", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4893, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "session_store", + "rsa.misc.client": "eaqueip", + "rsa.misc.event_source": "lamc", + "rsa.misc.log_session_id": "reetdo", + "rsa.misc.log_session_id1": "ehende", + "rsa.misc.mail_id": "oreveri", + "rsa.misc.obj_type": "eum", + "rsa.misc.rule_name": "umetMal", + "rsa.misc.severity": "very-high", + "rsa.time.duration_str": "naal", + "rule.name": "umetMal", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "pdr_ttl", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2017/07/11T02:45:07.uto iuntNequ pdr_ttl[esseq]: warn aincidun low s=veniamq mod=occ ttl=oloreseo reply=\"\\\"iruredol rscore=veniamqu\\\"\"", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 5082, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "pdr_ttl", + "rsa.misc.client": "occ", + "rsa.misc.log_session_id": "veniamq", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "av_run", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "July 25 09:47:41 minim ataevi low s=repreh mod=av_run cmd=plic rule=irured name=illumqui cleaned=saq vendor=amali duration=ate", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 5217, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "av_run", + "rsa.misc.client": "av_run", + "rsa.misc.log_session_id": "repreh", + "rsa.misc.obj_type": "plic", + "rsa.misc.rule_name": "irured", + "rsa.misc.severity": "low", + "rsa.time.duration_str": "ate", + "rule.name": "irured", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "mail_continue-system-sendmail", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2017/08/08T16:50:15.autfugi tasun mail_continue-system-sendmail[duntutla]: err ntium low s=asuntexp mod=adminim cmd=orisni action=cancel err=lmole", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 5344, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "mail_continue-system-sendmail", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.client": "adminim", + "rsa.misc.log_session_id": "asuntexp", + "rsa.misc.obj_type": "orisni", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "spam_init", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2017/08/22T23:52:50.dolorem tem spam_init[exeacomm]: info aspe very-high mod=mides type=ciun cmd=olupta id=tsuntinc engine=inrepreh definitions=quovo", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "very-high", + "log.offset": 5491, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "spam_init", + "rsa.misc.client": "mides", + "rsa.misc.obj_type": "olupta", + "rsa.misc.severity": "very-high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "mail_env_rcpt", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "September 6 06:55:24 occaec acommodi medium s=quaeab mod=mail_env_rcpt cmd=fici r=5161 value=dipiscin verified=olup routes=aco", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "medium", + "log.offset": 5641, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.counters.event_counter": 5161, + "rsa.email.email_dst": "dipiscin", + "rsa.internal.messageid": "mail_env_rcpt", + "rsa.misc.client": "mail_env_rcpt", + "rsa.misc.log_session_id": "quaeab", + "rsa.misc.obj_type": "fici", + "rsa.misc.severity": "medium", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "smtpsrv_load", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2017/09/20T13:57:58.mag tob smtpsrv_load[dolores]: rprt equamnih high mod=deF type=itempo cmd=orumw id=redol", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 5768, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "smtpsrv_load", + "rsa.misc.client": "deF", + "rsa.misc.obj_type": "orumw", + "rsa.misc.severity": "high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "mail_env_from_litan", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "October 4 21:00:32 radipis high s=tiumto mod=mail_env_from cmd=litan value=nder qid=stenatus tls=equep routes=ever notroutes=tali host=BCS3474.lan ip=10.1.204.187 sampling=quin", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 5877, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "mail_env_from_litan", + "rsa.misc.msgIdPart1": "mail_env_from", + "rsa.misc.msgIdPart2": "litan", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "regulation_init", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2017/10/19T04:03:07.nculpaq culpaqui regulation_init[tvolup]: note tdolore low mod=col type=obea cmd=emp id=agnaaliq action=cancel dict=uptatem file=oinv", + "file.name": "oinv", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 6054, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "regulation_init", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.client": "col", + "rsa.misc.obj_type": "emp", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "queued-reinject", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "queued-reinject[2957]: odt", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 6208, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "process.pid": 2957, + "rsa.internal.event_desc": "odt", + "rsa.internal.messageid": "queued-reinject", + "rsa.misc.client": "queued-reinject", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "rprt", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2017/11/16T18:08:15.caecat rautod rprt[olest]: info eataev very-high s=ritati m=edquia x=itesse mod=mullam cmd=mexerc secprofile_name=meaque rcpts=5808 duration=mip", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "very-high", + "log.offset": 6235, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.counters.dclass_c2": 5808, + "rsa.internal.messageid": "rprt", + "rsa.misc.client": "mullam", + "rsa.misc.log_session_id": "ritati", + "rsa.misc.log_session_id1": "itesse", + "rsa.misc.mail_id": "edquia", + "rsa.misc.obj_type": "mexerc", + "rsa.misc.severity": "very-high", + "rsa.time.duration_str": "mip", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "session_throttle", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2017/12/01T01:10:49.deriti sintocc session_throttle[cididu]: rprt uteir high s=mwrit mod=ptat cmd=der rule=equuntur ip=10.219.133.187 rate=quameiu crate=diduntu limit=eiusmod", + "fileset.name": "emailsecurity", + "host.ip": "10.219.133.187", + "input.type": "log", + "log.level": "high", + "log.offset": 6400, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "related.ip": [ + "10.219.133.187" + ], + "rsa.internal.messageid": "session_throttle", + "rsa.misc.client": "ptat", + "rsa.misc.log_session_id": "mwrit", + "rsa.misc.obj_type": "der", + "rsa.misc.rule_name": "equuntur", + "rsa.misc.severity": "high", + "rule.name": "equuntur", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "smtpsrv_run", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "December 15 08:13:24 tassita very-high mod=smtpsrv cmd=run cmd=oremi rule=ugitsedq duration=turmag", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "very-high", + "log.offset": 6575, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "smtpsrv_run", + "rsa.misc.client": "smtpsrv", + "rsa.misc.msgIdPart1": "smtpsrv", + "rsa.misc.msgIdPart2": "run", + "rsa.misc.obj_type": "run cmd=oremi", + "rsa.misc.rule_name": "ugitsedq", + "rsa.misc.severity": "very-high", + "rsa.time.duration_str": "turmag", + "rule.name": "ugitsedq", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "dkimv_run", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2017/12/29T15:15:58.consecte pteurs dkimv_run[catcupi]: info autf very-high s=tiaecon m=uaturve x=amquisno mod=uido cmd=tla signature=mquiad identity=CSe host=lors7553.api.local result=unknown result_detail=rroqui", + "fileset.name": "emailsecurity", + "host.name": "lors7553.api.local", + "input.type": "log", + "log.level": "very-high", + "log.offset": 6674, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "related.hosts": [ + "lors7553.api.local" + ], + "rsa.internal.messageid": "dkimv_run", + "rsa.misc.client": "uido", + "rsa.misc.log_session_id": "tiaecon", + "rsa.misc.log_session_id1": "amquisno", + "rsa.misc.mail_id": "uaturve", + "rsa.misc.obj_type": "tla", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id_str": "CSe", + "rsa.network.alias_host": [ + "lors7553.api.local" + ], + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "cvtd", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2018/01/12T22:18:32.itae dtempo cvtd[atnula]: warn ditautf low mod=iquidex cmd=olup", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 6888, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "cvtd", + "rsa.misc.client": "iquidex", + "rsa.misc.obj_type": "olup", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.65.174.31" + ], + "event.code": "queued-aglife", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2018/01/27T05:21:06.rspici snisi queued-aglife[766]: olor: to=etquasia, delay=nula, xdelay=quiacons, mailer=uisa, pri=xeacommo, relay=[10.65.174.31], dsn=atur, stat=issu", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 6972, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "process.pid": 766, + "related.ip": [ + "10.65.174.31" + ], + "rsa.db.index": "issu", + "rsa.email.email_dst": "etquasia", + "rsa.internal.messageid": "queued-aglife", + "rsa.misc.client": "queued-aglife", + "rsa.misc.result_code": "atur", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "note", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2018/02/10T12:23:41.ite tasnul note[tuserr]: note tise very-high s=tnul m=expl x=ess module=quiad action=cancel size=6084", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "very-high", + "log.offset": 7142, + "network.bytes": 6084, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "note", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.client": "quiad", + "rsa.misc.log_session_id": "tnul", + "rsa.misc.log_session_id1": "ess", + "rsa.misc.mail_id": "expl", + "rsa.misc.severity": "very-high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "spam_init", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2018/02/24T19:26:15.llumq tenim spam_init[eiusmo]: warn ainc medium mod=antiumdo type=ecill cmd=iduntu id=pisci engine=sunt definitions=texplica", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "medium", + "log.offset": 7264, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "spam_init", + "rsa.misc.client": "antiumdo", + "rsa.misc.obj_type": "iduntu", + "rsa.misc.severity": "medium", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "action_checksubmsg", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "March 11 02:28:49 ate action_checksubmsg s=con m=tqu x=eirur action=accept score=tametco submsgadjust=mquisnos spamscore=25.933000 suspectscore=cit malwarescore=siar phishscore=isn adultscore=veniamq bulkscore=lup tests=iumtotam", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "action_checksubmsg", + "log.offset": 7409, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "action_checksubmsg", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.log_session_id": "con", + "rsa.misc.log_session_id1": "eirur", + "rsa.misc.mail_id": "tqu", + "rsa.misc.severity": "action_checksubmsg", + "rsa.web.reputation_num": 25.933, + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "regulation_init", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2018/03/25T09:31:24.voluptas velill regulation_init[rspic]: err orinrepr high mod=meum type=borumSec cmd=aecatcup id=snisiut action=allow dict=nre file=inB", + "file.name": "inB", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 7638, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "regulation_init", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.client": "meum", + "rsa.misc.obj_type": "aecatcup", + "rsa.misc.severity": "high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "cvt_detect", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2018/04/08T16:33:58.upt ulamc cvt_detect[cept]: err aedictas low pid=4253 mod=orio cmd=gna name=ici status=success err=olu", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 7794, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "process.pid": 4253, + "rsa.internal.messageid": "cvt_detect", + "rsa.misc.client": "orio", + "rsa.misc.obj_type": "gna", + "rsa.misc.result": "success", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "destination.address": "str4641.domain", + "destination.ip": [ + "10.151.31.58" + ], + "event.code": "quide", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2018/04/22T23:36:32.seq moll queued-VoltageEncrypt[2861]: sunt: from=dquianon, size=956, class=itesse, nrcpts=iamqui, msgid=quide, proto=igmp, daemon=cididun, relay=str4641.domain [10.151.31.58]", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 7917, + "network.bytes": 956, + "network.protocol": "igmp", + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "process.pid": 2861, + "related.hosts": [ + "str4641.domain" + ], + "related.ip": [ + "10.151.31.58" + ], + "rsa.email.email_src": "dquianon", + "rsa.internal.messageid": "queued-VoltageEncrypt", + "rsa.misc.client": "queued-VoltageEncrypt", + "rsa.misc.reference_id": "quide", + "rsa.network.host_dst": "str4641.domain", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "session_throttle", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2018/05/07T06:39:06.cti rumSecti session_throttle[riamea]: info eca very-high s=tes mod=equam cmd=isi rule=iaecon ip=10.119.38.124 rate=rep crate=remap limit=deri", + "fileset.name": "emailsecurity", + "host.ip": "10.119.38.124", + "input.type": "log", + "log.level": "very-high", + "log.offset": 8112, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "related.ip": [ + "10.119.38.124" + ], + "rsa.internal.messageid": "session_throttle", + "rsa.misc.client": "equam", + "rsa.misc.log_session_id": "tes", + "rsa.misc.obj_type": "isi", + "rsa.misc.rule_name": "iaecon", + "rsa.misc.severity": "very-high", + "rule.name": "iaecon", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "cvt_detect", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "May 21 13:41:41 scipit high pid=745 mod=cvt cmd=detect cmd=borisnis name=onorumet status=success err=isiutali", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 8275, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "process.pid": 745, + "rsa.internal.messageid": "cvt_detect", + "rsa.misc.client": "cvt", + "rsa.misc.msgIdPart1": "cvt", + "rsa.misc.msgIdPart2": "detect", + "rsa.misc.obj_type": "detect cmd=borisnis", + "rsa.misc.result": "success", + "rsa.misc.severity": "high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "cvtd", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "June 4 20:44:15 aedict low mod=cvtd cmd=miurere", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 8385, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "cvtd", + "rsa.misc.client": "cvtd", + "rsa.misc.obj_type": "miurere", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.113.119.47" + ], + "event.code": "queued-vdedc2v5", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2018/06/19T03:46:49.seq rumSe queued-vdedc2v5[tatnonp]: rprt ommo[4821]: idunt: to=expl, delay=olore, xdelay=uian, mailer=atuserro, pri=madminim, relay=[10.52.47.230] [10.113.119.47], dsn=quioff, stat=iuntN", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 8433, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "process.pid": 4821, + "related.ip": [ + "10.113.119.47" + ], + "rsa.db.index": "iuntN", + "rsa.email.email_dst": "expl", + "rsa.internal.messageid": "queued-vdedc2v5", + "rsa.misc.client": "ommo", + "rsa.misc.result_code": "quioff", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "filter", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2018/07/03T10:49:23.mquis lorsi filter[tetura]: rprt eeufug high mod=modt sig=iduntutl", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 8640, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "filter", + "rsa.misc.client": "modt", + "rsa.misc.severity": "high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "cvtd_encrypted", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "July 17 17:51:58 expl very-high pid=prehende mod=cvtd cmd=encrypted encrypted=lup", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "very-high", + "log.offset": 8727, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "cvtd_encrypted", + "rsa.misc.client": "cvtd cmd=encrypted", + "rsa.misc.msgIdPart1": "cvtd", + "rsa.misc.msgIdPart2": "encrypted", + "rsa.misc.severity": "very-high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "session_judge", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "August 1 00:54:32 umd sumd medium s=dat mod=session_judge cmd=aUtenima module=turQuis rule=taevi", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "medium", + "log.offset": 8809, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "session_judge", + "rsa.misc.client": "session_judge", + "rsa.misc.event_source": "turQuis", + "rsa.misc.log_session_id": "dat", + "rsa.misc.obj_type": "aUtenima", + "rsa.misc.rule_name": "taevi", + "rsa.misc.severity": "medium", + "rule.name": "taevi", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "spf_run", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2018/08/15T07:57:06.ercitati eve spf_run[rro]: err oeiusmo very-high s=cusanti m=tconse x=rem mod=tseddoei cmd=teursint rule=etMa duration=llita", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "very-high", + "log.offset": 8906, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "spf_run", + "rsa.misc.client": "tseddoei", + "rsa.misc.log_session_id": "cusanti", + "rsa.misc.log_session_id1": "rem", + "rsa.misc.mail_id": "tconse", + "rsa.misc.obj_type": "teursint", + "rsa.misc.rule_name": "etMa", + "rsa.misc.severity": "very-high", + "rsa.time.duration_str": "llita", + "rule.name": "etMa", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "av_init", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2018/08/29T14:59:40.nostrum orroquis av_init[eumi]: info tvo low mod=tuser type=mmo cmd=eve id=nbyCicer vendor=scipit engine=equuntu definitions=quamni signatures=turveli", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 9051, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "av_init", + "rsa.misc.client": "tuser", + "rsa.misc.obj_type": "eve", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "mltr", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "September 12 22:02:15 ihilm medium s=caboNemo mod=mltr uptas", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "medium", + "log.offset": 9222, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.event_desc": "uptas", + "rsa.internal.messageid": "mltr", + "rsa.misc.client": "mltr", + "rsa.misc.log_session_id": "caboNemo", + "rsa.misc.severity": "medium", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "info", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2018/09/27T05:04:49.dol exe info[tis]: note oluptat low eid=tinvolup pid=497 status=tvol", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 9283, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "process.pid": 497, + "rsa.internal.messageid": "info", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "session_judge_tassitas", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "October 11 12:07:23 eritqui medium s=atus mod=session_judge cmd=tassitas module=obea rule=velite", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 9372, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "session_judge_tassitas", + "rsa.misc.msgIdPart1": "session_judge", + "rsa.misc.msgIdPart2": "tassitas", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "av_init", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2018/10/25T19:09:57.lore luptate av_init[eritqu]: err elites very-high mod=tamr type=serr cmd=usci id=unturmag vendor=dexeaco engine=lupta definitions=ura signatures=oreeufug", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "very-high", + "log.offset": 9469, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "av_init", + "rsa.misc.client": "tamr", + "rsa.misc.obj_type": "usci", + "rsa.misc.severity": "very-high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "milter_listen", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2018/11/09T02:12:32.ree itten milter_listen[quipexea]: warn orsitv medium mod=nostrum cmd=autodita addr=10.27.154.247", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "medium", + "log.offset": 9644, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "related.ip": [ + "10.27.154.247" + ], + "rsa.internal.messageid": "milter_listen", + "rsa.misc.client": "nostrum", + "rsa.misc.obj_type": "autodita", + "rsa.misc.severity": "medium", + "service.type": "proofpoint", + "source.ip": [ + "10.27.154.247" + ], + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "dkimv_type", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2018/11/23T09:15:06.utfugi ursintoc dkimv_type[tio]: rprt mmodicon: high mod=trudex unexpected response type=tvol", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 9762, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "dkimv_type", + "rsa.misc.client": "trudex", + "rsa.misc.result": "unexpected response", + "rsa.misc.severity": "high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "session_throttle", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2018/12/07T16:17:40.rehen uaeab session_throttle[ptat]: warn mipsu high s=eturadip mod=amquaera cmd=rsitamet rule=leumiur ip=10.253.121.154 rate=olesti crate=edquia limit=ihi", + "fileset.name": "emailsecurity", + "host.ip": "10.253.121.154", + "input.type": "log", + "log.level": "high", + "log.offset": 9876, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "related.ip": [ + "10.253.121.154" + ], + "rsa.internal.messageid": "session_throttle", + "rsa.misc.client": "amquaera", + "rsa.misc.log_session_id": "eturadip", + "rsa.misc.obj_type": "rsitamet", + "rsa.misc.rule_name": "leumiur", + "rsa.misc.severity": "high", + "rule.name": "leumiur", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "cvt_detect", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "December 21 23:20:14 emoenimi high pid=5895 mod=cvt cmd=detect cmd=mqu name=onorume status=unknown err=veleu", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 10051, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "process.pid": 5895, + "rsa.internal.messageid": "cvt_detect", + "rsa.misc.client": "cvt", + "rsa.misc.msgIdPart1": "cvt", + "rsa.misc.msgIdPart2": "detect", + "rsa.misc.obj_type": "detect cmd=mqu", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "mltr", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "January 5 06:22:49 dquia high s=bori mod=mltr dipi", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 10160, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.event_desc": "dipi", + "rsa.internal.messageid": "mltr", + "rsa.misc.client": "mltr", + "rsa.misc.log_session_id": "bori", + "rsa.misc.severity": "high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "mltr", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "January 19 13:25:23 quovolu high s=dexe mod=mltr nemul", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 10211, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.event_desc": "nemul", + "rsa.internal.messageid": "mltr", + "rsa.misc.client": "mltr", + "rsa.misc.log_session_id": "dexe", + "rsa.misc.severity": "high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "quame", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2019/02/02T20:27:57.quatur dminim mail_msg[ptatevel]: warn aperiame very-high s=eirured mod=sequamn cmd=perspici module=inimve rule=aea action=allow attachments=5821 rcpts=296 routes=ptat size=4878 guid=nde hdr_mid=quame qid=orumwri subject=atisu spamscore=66.849000 virusname=tse duration=rad elapsed=iat", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "very-high", + "log.offset": 10266, + "network.bytes": 4878, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.counters.dclass_c1": 5821, + "rsa.counters.dclass_c1_str": "No of attachments:", + "rsa.counters.dclass_c2": 296, + "rsa.counters.dclass_c2_str": "No of recipients:", + "rsa.email.subject": "atisu", + "rsa.internal.messageid": "mail_msg", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.client": "sequamn", + "rsa.misc.event_source": "inimve", + "rsa.misc.log_session_id": "eirured", + "rsa.misc.obj_type": "perspici", + "rsa.misc.reference_id": "quame", + "rsa.misc.rule_name": "aea", + "rsa.misc.severity": "very-high", + "rsa.threat.threat_category": "tse", + "rsa.time.duration_str": "rad", + "rsa.web.reputation_num": 66.849, + "rule.name": "aea", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.147.147.248" + ], + "event.code": "sm-msp-queue", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2019/02/17T03:30:32.lorum suntexpl sm-msp-queue[iqu]: rprt iquamqu[6293]: audant: to=obeata, ctladdr=uredol, delay=uptat, xdelay=toditau, mailer=uiad, pri=nvolupta, relay=[10.80.133.120] [10.147.147.248], dsn=onpr, stat=uira", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 10572, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "process.pid": 6293, + "related.ip": [ + "10.147.147.248" + ], + "rsa.db.index": "uira", + "rsa.email.email_dst": "obeata", + "rsa.internal.messageid": "sm-msp-queue", + "rsa.misc.client": "iquamqu", + "rsa.misc.result_code": "onpr", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "regulation_refresh", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2019/03/03T10:33:06.aliqu sequine regulation_refresh[utaliqui]: note isciv very-high mod=econ type=aborio cmd=rve id=catcup action=deny dict=runtmoll file=busBon", + "file.name": "busBon", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "very-high", + "log.offset": 10797, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "regulation_refresh", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.client": "econ", + "rsa.misc.obj_type": "rve", + "rsa.misc.severity": "very-high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.232.240.177" + ], + "event.code": "queued-alert", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2019/03/17T17:35:40.occaeca dan queued-alert[pta]: err upt[4762]: itaedict: to=eroi, delay=onemull, xdelay=mdo, mailer=labore, pri=lorem, relay=[10.68.159.207] [10.232.240.177], dsn=estq, stat=quasiarc", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 10959, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "process.pid": 4762, + "related.ip": [ + "10.232.240.177" + ], + "rsa.db.index": "quasiarc", + "rsa.email.email_dst": "eroi", + "rsa.internal.messageid": "queued-alert", + "rsa.misc.client": "upt", + "rsa.misc.result_code": "estq", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "warn", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2019/04/01T00:38:14.tDuisaut uel warn[dexerc]: info vol high eid=agn status=\"iqu file: quamqua\"", + "file.name": "quamqua", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 11161, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "warn", + "rsa.misc.event_state": "iqu", + "rsa.misc.severity": "high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.action": "cancel", + "event.code": "regulation_init", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "April 15 07:40:49 uunturm very-high mod=regulation type=iaconseq cmd=init id=tseddo action=cancel dict=rissusci file=ectetur", + "file.name": "ectetur", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "very-high", + "log.offset": 11257, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "regulation_init", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.client": "regulation", + "rsa.misc.msgIdPart1": "regulation", + "rsa.misc.msgIdPart2": "init", + "rsa.misc.obj_type": "init", + "rsa.misc.severity": "very-high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "zerohour_init", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "April 29 14:43:23 quaturve medium mod=zerohour type=gnamali cmd=init id=iumtota version=issusci", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "medium", + "log.offset": 11382, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "zerohour_init", + "rsa.misc.client": "zerohour", + "rsa.misc.msgIdPart1": "zerohour", + "rsa.misc.msgIdPart2": "init", + "rsa.misc.obj_type": "init", + "rsa.misc.severity": "medium", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "dmarc_type", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2019/05/13T21:45:57.ecillumd iumto dmarc_type[sequatu]: rprt tiumtot: medium mod=mdoloree type=que cmd=inBCSed id=cteturad policy_cache_entries=umq", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "medium", + "log.offset": 11478, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "dmarc_type", + "rsa.misc.client": "mdoloree", + "rsa.misc.obj_type": "inBCSed", + "rsa.misc.severity": "medium", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "mail_env_rcpt", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "May 28 04:48:31 reseo quam very-high s=pariat mod=mail_env_rcpt cmd=icaboNe r=4840 value=lumd verified=tiaec routes=lorem", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "very-high", + "log.offset": 11626, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.counters.event_counter": 4840, + "rsa.email.email_dst": "lumd", + "rsa.internal.messageid": "mail_env_rcpt", + "rsa.misc.client": "mail_env_rcpt", + "rsa.misc.log_session_id": "pariat", + "rsa.misc.obj_type": "icaboNe", + "rsa.misc.severity": "very-high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "info", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "June 11 11:51:06 seq low mod=info sys=lorsita evt=deny active=itation expires=utlabo msg=tat", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 11748, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.event_desc": "tat", + "rsa.internal.messageid": "info", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.client": "info", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "mail_env_from_itse", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "June 25 18:53:40 ididu medium s=epteurs mod=mail_env_from cmd=itse value=rever ofrom=sBonoru qid=ecatcu tls=ntoccae routes=iscive notroutes=amni host=etconse5657.api.lan ip=10.118.249.126 sampling=dminimv", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 11841, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "mail_env_from_itse", + "rsa.misc.msgIdPart1": "mail_env_from", + "rsa.misc.msgIdPart2": "itse", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "access_load", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2019/07/10T01:56:14.rep nostru access_load[docons]: info emipsumq low mod=qua type=modit cmd=tatione id=aedicta", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 12046, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "access_load", + "rsa.misc.client": "qua", + "rsa.misc.obj_type": "tatione", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "mail_env_from_umexe", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "July 24 08:58:48 uas high s=reeufu mod=mail_env_from cmd=umexe value=xce ofrom=omnisis qid=corporis tls=tco routes=stiaec notroutes=Cicero host=ven5410.mail.host ip=10.170.55.203 sampling=deom", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 12158, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "mail_env_from_umexe", + "rsa.misc.msgIdPart1": "mail_env_from", + "rsa.misc.msgIdPart2": "umexe", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.action": "allow", + "event.code": "info", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2019/08/07T16:01:23.Utenima nse info[umq]: note enim low mod=meaquei sys=snisiu evt=allow active=atev expires=vento msg=litsed", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 12351, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.event_desc": "litsed", + "rsa.internal.messageid": "info", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.client": "meaquei", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.action": "block", + "event.code": "mail_continue-system-sendmail", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "August 21 23:03:57 susc taed high s=mipsumd mod=mail_continue-system-sendmail cmd=eiusmo action=block err=sum", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 12478, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "mail_continue-system-sendmail", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.client": "mail_continue-system-sendmail", + "rsa.misc.log_session_id": "mipsumd", + "rsa.misc.obj_type": "eiusmo", + "rsa.misc.severity": "high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "send", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "September 5 06:06:31 ipex low s=upta cmd=send profile=ivel qid=tmollita rcpts=tionofd", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 12588, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.email.email_dst": "tionofd", + "rsa.internal.messageid": "send", + "rsa.misc.log_session_id": "upta", + "rsa.misc.obj_type": "send", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "http_listen", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2019/09/19T13:09:05.ccaec repreh http_listen[imven]: note usan very-high mod=idolo cmd=olup addr=10.199.46.88", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "very-high", + "log.offset": 12674, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "related.ip": [ + "10.199.46.88" + ], + "rsa.internal.messageid": "http_listen", + "rsa.misc.client": "idolo", + "rsa.misc.obj_type": "olup", + "rsa.misc.severity": "very-high", + "service.type": "proofpoint", + "source.ip": [ + "10.199.46.88" + ], + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "destination.address": "Sedutper7794.www5.domain", + "destination.ip": [ + "10.154.22.241" + ], + "event.code": "lloinve", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2019/10/03T20:11:40.nulapari beataevi queued-VoltageEncrypt[3274]: eruntmol: from=plicab, size=5930, class=dmin, nrcpts=sum, msgid=lloinve, proto=ggp, daemon=nim, relay=Sedutper7794.www5.domain [10.154.22.241]", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 12784, + "network.bytes": 5930, + "network.protocol": "ggp", + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "process.pid": 3274, + "related.hosts": [ + "Sedutper7794.www5.domain" + ], + "related.ip": [ + "10.154.22.241" + ], + "rsa.email.email_src": "plicab", + "rsa.internal.messageid": "queued-VoltageEncrypt", + "rsa.misc.client": "queued-VoltageEncrypt", + "rsa.misc.reference_id": "lloinve", + "rsa.network.host_dst": "Sedutper7794.www5.domain", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "cvtd_encrypted", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2019/10/18T03:14:14.nvol doloreeu cvtd_encrypted[elillumq]: info loremeum medium pid=obeataev mod=rrorsit encrypted=aincid", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "medium", + "log.offset": 12994, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "cvtd_encrypted", + "rsa.misc.client": "rrorsit", + "rsa.misc.severity": "medium", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "info", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "November 1 10:16:48 nis info pid=472 iin /uteiru: xer", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "info", + "log.offset": 13117, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "process.pid": 472, + "rsa.db.index": "uteiru", + "rsa.internal.messageid": "info", + "rsa.misc.action": [ + "iin" + ], + "rsa.misc.result_code": "xer", + "rsa.misc.severity": "info", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "soap_listen", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2019/11/15T17:19:22.isauteir eritquii soap_listen[atevelit]: note dese low mod=ionula cmd=itaed addr=10.38.111.125", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "low", + "log.offset": 13171, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "related.ip": [ + "10.38.111.125" + ], + "rsa.internal.messageid": "soap_listen", + "rsa.misc.client": "ionula", + "rsa.misc.obj_type": "itaed", + "rsa.misc.severity": "low", + "service.type": "proofpoint", + "source.ip": [ + "10.38.111.125" + ], + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "event.code": "spam_load", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "November 30 00:21:57 ationem high mod=spam type=ing cmd=load id=ollita", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.level": "high", + "log.offset": 13286, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "rsa.internal.messageid": "spam_load", + "rsa.misc.client": "spam", + "rsa.misc.msgIdPart1": "spam", + "rsa.misc.msgIdPart2": "load", + "rsa.misc.obj_type": "load", + "rsa.misc.severity": "high", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + }, + { + "destination.address": "estla4081.corp", + "event.code": "queued-default", + "event.dataset": "proofpoint.emailsecurity", + "event.module": "proofpoint", + "event.original": "2019/12/14T07:24:31.nih ncididu queued-default[4250]: STARTTLS=gitsed, relay=estla4081.corp, version=meumf, verify=rExce, cipher=quisquam, bits=boreet", + "fileset.name": "emailsecurity", + "input.type": "log", + "log.offset": 13357, + "observer.product": "Email", + "observer.type": "Firewall", + "observer.vendor": "Proofpoint", + "process.pid": 4250, + "related.hosts": [ + "estla4081.corp" + ], + "rsa.internal.messageid": "queued-default", + "rsa.misc.client": "queued-default", + "rsa.network.host_dst": "estla4081.corp", + "service.type": "proofpoint", + "tags": [ + "proofpoint.emailsecurity", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/proofpoint/fields.go b/x-pack/filebeat/module/proofpoint/fields.go new file mode 100644 index 00000000000..1eaf9c03f9f --- /dev/null +++ b/x-pack/filebeat/module/proofpoint/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package proofpoint + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "proofpoint", asset.ModuleFieldsPri, AssetProofpoint); err != nil { + panic(err) + } +} + +// AssetProofpoint returns asset data. +// This is the base64 encoded gzipped contents of module/proofpoint. +func AssetProofpoint() string { + return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb9+78pOUjW5tR8+ynVdXWzUFYpokIgwwBjCkmL/+Cg3McMjBUBIFUPK72w9bsUg2uhtAo3/3d+QK1q9JrZWa1YpL+xdCLLcCXpOL7m/krKJckEtgjeZ2/RdCSjBM89pyJV+Tf/sLIaQHgsw4iNJM/kLCf73GL7j/fUckreA1kWBXSl9NuLSgZ5TBxP29+xohagl6pbmF18Tqpv+JXdfw2mG9Urrs/b2EGW2ELXDJ12RGhYGtjwcYt/97TysgakbsAlrESIcYWS1AA35mNZ3NOCMLasgUQBI1NaCXUE4G9GlD70DMXKumvj0pu0zdLItYSyq2yBtffWz92BKbRSoz3/r7/hXGN2ywKx8X3LjvEW5IY6AkVhFGa9sE/mu6IhUYQ+fu39QSpiowjmjlPt8BTchbNSenwFQJOk6Ih8V3kTqUnBYuLEHawpGWGHBAODP3A8sN8pwpaUFa4+4Hl8ZSaVs0TBRHy6tDECyp3f1giB33OLklCLVkteBsQSgxYAxXkiy4NYSS92B/51aCMe3uTwZHoyPWLFQjSiJhCZpMoTt3NdUGyDuw1KFGyUyrqrfU07dqbl5cUHYF1jwbgD/lGpgV6+fEBrwp+QBeWPgTLntoTqKMFLAEcQAnhZK793OLk6dQa2DUBkxKmHEJJVFSIFqWTgWQitZxrCozL5JdmD17/C7c8/PTH8iSiibceF6CtHzGw+mEa8osEWru90sPNgKp4w58OC34PbcdNdWWs0ZQjb8PGzsZPRkD0AedlNjJGEAePymjW7I87p68/P97sn9P3Kp5NuR+11dN/yiQkN1teTTYLekhQi87ahqMajTL9Pben2257v/9MDOWWqgArYpHhxxtSm4LJujOHX4k6IG0ev0YEVs4neoxIsblYYjl1ZhayfF4T1oJ9BDpkZdtM4AypQ01otfE7MzeF1u3gMNmoIcMlIT7WRE7esgA+g1WxDgXd1wrR+Ki7HlVouzz7BqQmYh9JMLBO7OPHUOtbiT/0sBGjdYd/eFP622j9kRJ5h4HatVjt2xHxM2S5xWHfe6euGX4jDPav89v1ZycLUFaconCmTSyBO1MEA1BUA1In/FrKIkB64Bs/Xh7DTNusLSbMIB9b4Ol24QB6DttytATmN6/dNjBHNB1B57cjQcLZTLpq/1z+asyti8ixe6JNCBLLufthyZ2bHo+pK+Hv/yQAzb40Shjzy+WPxFaltrJyrHrvsvcAfVWfa3MXb7Kzd5X/++y13Erv2zYlQvekdb3lpWEkjlfguycZF+vIuBYdJj/Iq8FUj5G5e/riGiMOjRUvS40fMmw1/3gIW4w0j1dI5fP/NLkAi/S8+DNtpR8XNdAGB1KkCkQ4HYBmnw6l/aHV0Rp8otQ1P74kkypwVPUBshmfN5oVP1uoPsQdfcrphvDoPmMzwT+BffrucrlZttnHbcrf/UOBqVXVJfZlLqeROuR3efk+cXnLX2PEg2C7m4pIWZtLFThEQ1oO2gL8CfVeOa5fyvN51xS0f5mW1u5gQ+59K89iRHnF59fRVgQ0B9w4v4s6DAacjnF67M5qEPF8dDXZwG0BH2U2PWvuBQ5P71PlNTj2w+WIpjDYqWP2skmWJHdz0ZbRet8o2jhRXGmy4kSAphV+msUwI57D5Bz484cN4R51kHpMN1SVN+qXbWF7GH0I7T4KjZ9LKpqpQwmu1VKkul6sGmEaPjSgLEOoOFVLdZhn9yXnaAnQNmCGF4Cefo9sQvdkJc///yMrKghBkB2q+zhxKNQXm/BCVMraSAfK9hXcyqYaqTtfApNNfVCz11lE4VAntKpWkKPGVxGMytb8WasBlqN3h/21RybB2YVlLzZ1dNSMOqbmObYORb4jHD7z+bl9z/81XiR/qJGAdoi/c8BNf909uBbugZNXpIzyWhtGuEjK86kvJNcj0G/Z/AjklsZW+XHl+RfHbnPyY8/kn8lTGmnLyMVYdHn5L8L+z/dF7kh20z5JrqFUpXwaG1duYKCUSGmlF3l1YA9clJZvDbUervCMRFk6YsDkNUQT3DGw1GA1ipTftpGHzQ1ME4FYoyYGqu006zl2msd7oMlFbz0ByOGFCEz1cjSvTACEHku50E5ujF5cftGDCCniAWG67AnbDSyC2uhaPlY3rmADjH8TyAVWM1ZxOoIpnD/y2gL++e+FcLu2ad2o9GqWbttE/KrWrmtGdqcXBKlnTFmFbkCqG9g2qN48b4SpmnFwJhiycuizBV1PWslzxwkaGrxkpeOgz27cMm1bahwRvuW711GXBy84s7sxlg5MsNTEa76+SnRTlobdKgg06ieg+2+diMnjM6U9PTgnPCZcPs5obOEgoaC//y09b1+gEpZIJfhvDMN+NBO12OC0v2vDcR8BYGXsFJhasFzZjY8anPe8IHa/yh0MydzM553vHXuDQhnvT11rdUSnpD/GhFGL15mXDxAjN6t6oyji5M3F0H3ZVQ69vCqVnpX4yX4RH51aRDN43B/fPJPFRriaLrHXKnbpnyz+cnGYPd6DlrmE/Ly51dkhXyvgEpChYj7CtCpj2rSxn9EVqDBg6WWCKDGEiV3ykW2mfjgauLXzcTIXc0Rtg28+13pEhmHWU3AFlIJNV/vBuJmXA+0WEJ+JmxBNWXWM9Fd6jXij05zSRoZcnrEls98tKI2dUG3D9TnDCLsiV2iRVE5JVPJNoyg6WpUpqFk3VErKUON1ccoZPA5KMYa3UI0lsqS6pJIpSsq+J+x/F6lqyh/ypDlcDCLVDMdPEl3YtIG6w6ZF4LPACmOGPgGmJLliIK92e7C2Jx+lj0EcclUVQuw0QMw6kSlqMBbzXfEYK/eTNsHOsiXbu3ocR47ytsnc/T4VUraRaJt2tSnpsp52WQ5lQ/E+DNZ5mC7A/mnkrm7LewRi271VsX06bUfdzk8EFHZbvQbYuHahstHlqBNr5yi3JcHFtnf+x62NdBUZG7K9JjSJZT53sGQZBOeKdOt2OoYbaZN98V+fH34WmlVTRBqg0X5hoGkmiuv1leNsPw7y0ETWteirX7Z9LKpqKTzWGkuIQLDO6296JHyuBrC7RND1Er6yJilVb3rGQwYu9UcisPbZw1hC+6sG1WCmZB3jbFoJvWBultJ7UheLrVw4CbtFWCzmcN7CcfQhHCT2wU97zTMQINk/kBQp1qXfMlLp9ngeYgLsstWkH3cYV6cyOua66NRuNlPHwu6dieRW7H2xBon9Jy+5pDCA7rfN5pw00ddOM+dNO7k2WSwZJdOpprUEqgaKHL3hdjxP/VVQQ3ySwPN0Y6SO93+FG3k44oagkiUI+cGkfshNVMTKgVbDM0g0+aVzfD6zqscuNZFBlTrIof2XKcURdtAXyaHmkFX6r0iD2NC7piP0Tdm8Fze6c05VGzeJNcOCRZsHoidbgipHUGUDZT4FIq1aUTusNOIFaUay1QFLzwOnfGCWdlqNjghVAYWbBmQIwcElhCaYT4AYe3qoQiwF9nZ5/LJW7w46B3oX+mu0sVBw7hTDYzP+MbwiWu3Ppgz1lMl6Mr5s5kiG9C5GHm5KZhoXVRlCLJE8Q5m87E24fO2ld63BJUmv12G1Fhu2oSAXb8art/u0FiVpKmV4QkFx63OFprTsvQdpjCVv727o114GmGLfK2L7iiKZFOB5uyusihK2xGq2PYQ1q9k626GF0v+fg9IW4IslQ4Js3spU9M/HqB7TRvaVdM/gMXtaIdY/lrwAbudBN2PmJf0OXvVfTO8kKHqP4iZ4OVa0C63WCpLKFmEjhfxBFqh5kWbqPIgQr09iHcW6sfombIl+/6O6VbYtRrFR1zxV4Kzde7bs0cuXCACobm2FOsRudyInHnTcQZ+aAQgYnFxqqSF69waa4fQufT+uk0/VFqWxv0fPqpUtAjFGsDc8DizBZVzKCSscsuCscAlrHqhflRCrNV82ljoSYhhjr7xqDttvf/8xUWHqWkyYddxTvBsbSv3MQ0Nwd38Io9MX3+LGLdYAeYY1jYcNJucL70EPSGX4DelMaAndA7Yyjtkus+UbnEYwG7BeL2d4e+J/32vb4XSZKrVyn3W/jXomt7sGu0nfV5eUG1Tu+k6wKk9KuFOqUF16LHulBJlpzbmulKqhhBQzPUWv5GECtC2yy7Sm0XD33x4K4iPXhMATEKKKMwlkUp+p6EGtGT2ZT+g2XDMJ4c1WrsL09kruJOox73gPsLWhn8GlK24XQRl2ct6cooLTrHaRBIlv5sr9997XgJUUoqI4piRbtoLBr5ABBySakacdLAczIRcbmTK7mCDfmVVHoxPfDlfY5wR40tGfbJNGcRvYDwlTDTGtgcy/GOwTfgTbtxOhpro4N9wii9+Oq4CHV378TcsbtH7tkz5lLInNxleDstTxIJQYxTj6C91uxG1J3HD3vIreE0oqRdrwxkVpOTm6jmpNc5EeU7AsidxRZlqekjt5R0fel9no2kFFrQhNTXYxctgIwffi4CpqnJSTG0F7YelNWDZXnXPvwcPpfH19jDDw+TFN1NV3QzvYIZto2TFZalWIZ+WKcmgts+7TIpRZgzInDVCrMmXhgrv/CxVRbkMUkP2FhJq5Onqez1TqUt7SHcq4Vsur6AMtUBtIjo16J0KBor75JsOtQkv922cGHSFyCrq+pOdvFtiF4EWvd8uHwqv3+rgeSWXw3Y9XdAZdMV3BzvldrGGNRFbf/73a9o/Jta0Z1zkv+Mdyb/gat011lA2DEgbOYK4u82A5lQUkdc02yNyiUu2avPu+9h7AN0LM+oXAHZlDmo5kMJjHFZ3D92CmkV3Q51aGKkybNjCZ/62NTZdmeFJC2mnRZgjpFtmYjRzv+r+Paw0JU6eS8Ix566RTADV7k/YCG+DWiggDN5O3RZ23hx98MKvGfZ5etQvFlPVlMuub3b/wQplo/oOr9eS68Yc29PX10YQgXGP33ECpJErceJX9z0Zxz2l3oLL7hrv2Oe9zOen5L2XNE9D4wbip+2Fol+H27O4Xu0d0A/hy++5n89PkaWh5K0TE0PvwXZEzqcBehIm/hA5WbDiJm6kLs06Zy/77ahuKND26sJeP7b0xvcRT41j/Um3MDk/vVGTTeWfu0GTdYi9lOVGo52QE1+fGfqdCv/Bfm0WEdTb3/jhm+COmza2q9xUtnuMGinAeM4o/6CsFFlSzelUDKoAfVMGLkkt6IggMCBN1v4oWxvaV1X9yhMnqZyG0dYXcrfPly/OL3Z1aBJaxnqPwlhd9oEDBW9dC7mJtHgkybm05JLPJUVhMXJEa6VzNq99MpBf7pBetLqbwq6O+J8Okd5dxlNWqsjBef/bR8IlE00JTpyFQbbu5xPy9OyaVrWf6osOEQ8Wpfck7hfByNzRY5vonNo8LXHMuLlyKvcBeN2hFK/nxnwfnoYP3FztCblazedz0PlG2MVZ9rkfCwg4oHa60GAWSpTu9HhbfWTS6Fbo/QiehWHsPUjlpx+8jvGsa8ZxfhovI7l1dJ6pqi6OnHeFuxJyr3CMq/fvmWb6nUNHSaxPneG4GVU2bMxKC2rpA2WN9THvpKXS2HnAyfUWv5EpcVSXK6ofJkNv2FXfSVcaHiJHxEhr5KdOiFLyjrK2n3JcuXUi6Kh2jJLftQqq3i+FvK2ZfKi1BmqS5wYbS22TSnHu/FGUiwczO9ziU3VNePli/P1yL2tzDAwdRp8GjY/9XXBYxK9u+45lnr43OOSnw7l7hzxnXKomVYyzV0di5snvlJOkKZ0OA4/sT4kB5+7MuHUk3gjh5B4xDWNgzKwR5MytT5gqwbgj0Tb7jVsWXJZwnZgBght7mOZ5T9mCC6MpplskpqAxvllRzQVm8EQ8eD7+LueEIhO/c7+NUiYznEM19c2FHkgjDquTp10+Zw3a1KHo1kuYAcuCirBJiG87PD0bKTL0bq7he5w7ocQrX12SV/BV+W+7DymXhpRgKRcRJ8NUNbb3uxHSlDh6bmbrsaVdHhviMf6QWqhqkS2b5w0pYUZDCCh0vmxj+CFb02nFS9CCrrGQy6rwuJKnkRvpPkCrO/waZm0VuPfVG8ttg40ZSZSwjW0wbNh03+uaNIrV8+8wmhrTDLKKqapy9ynPMTrx0AnvJfvWWi156f1nbRe5CsxoIlSp2OGBxrt7y37hYqM1sn5eXlw1uK4x6elhZH27el5Z/4eaHuh3Opi8/62mIQATv101z9c49xQTiv3OX16ck/OBQtVHI1vX2lBdsh+DhIVdXTXsPKkhfRd/WMitjiv3XkQUU1XmrvgaVNztKh0BF+JwGVGPFum7JfiQwREqz3su4FA67BNou3gIn/OyC+WMOPGq1FbjoAw8wcufTsnr6K6bnM9UO9374pPvntMGojBZ4xpY0/ci+NSvKcTKW9suTPsSN47gCIl6xctth0hXXUmXlAs6DGSQzhVOsL5yBlqPTFrwd+gQX3+6uFswVqrQAMoHYAckhXQDw+eTEYnIq2LalOU6uX+GV0XSOqAe3MbAYY3O93qp0kPUXCXscrBTYleY5hgFCdz0s1d9z1XalNx2lXWbvmgBo9hgu03Fhhclm/DCfiJ9llhqDi6PZpWffD4jT0OtxOdGOF15ygUWcGAe2Nl1rYz75jPy3dDRIHejMFdSreSWIWSANdjMYrkNfWTSJqNHcMHtpoWetFXu70Np0luYU7Ymn0bNNcGnmj5EUX5YeIvFXJKKcjnTtIK96Rg11Ti1N3+fhC3l8gKXJe9V6ZOjN20Be1lnEaTIDdoXpgo4RuSykLb7xr2HFfm1kWhKvlMlCPKUy+Xk2+eEK/acTN3/gfs/KqlYG24m38bji5bVxUzQweT81DrUtoZ/ckFwUfR1oZxct8Ov1GxvowarsmLq/zoNeLZtEAxod5CjCC2rtHJ3B7PP736nGshHnwD87bef3/3+5sPZt9/6nNsl1ZSPnsmV0lcpS5ZvvGC/twv2I2yjTjAqUysRoWYnbZeS7jmgzD0X6wwmzExpkIazlAKk50rKgHGV3gsSiQ+kAlqsKB8OJ763dwB7n6cG6q5P6hJ100wzXQo7LY3VqSvfsV47m0Os/5Yme0fbmo98TtJDi102g8EGKk0oNtnUvYR6FwdixkcdTS2p2Ryxh5Ia7UYUIXO3vCculA/uJ3h3x4VDPuj/H4arblRmP/nvQY5Y2fPRB0T2Ivkgh6ON4+7DT6kjJG1t7WzPLn1qu4z2NssO+2Q+Q7fb4OTeHJluW1bzY8TDsOhrRrlwvG6buVwEmXF+2q9tw05czhy0MI+0MBjPKmxzrgunIh5AzyGJ15huHaqPTlRVNXLXEzXATh7WuOm+2L2Ha/t3iOvUHW7mMM36vrhdUln+u4pHzTa4WWr5IZLh3tgNF95CzjSm5oyrZFmix7LgEfsV1XIYdHjsqBtZ1YXKJYwv37+7IL95P+omKTWOyJejphJc/sdb8qUBPdK7tRGy0LDbqTNvckPPIbomH9qis2haV6els4QPaR+oSj1GwAGtD3Ic3QTVRoJj94Zbph/QQAXVVYbdcmAzuBdonbAAuQPalMmm0m7BTNvtagt0Se2uVnhfuFOQbFFRnaqspIO7rulgfPG9o0+UDdKpksAsFsnPAoNZ2gKqDvBsjq2WMoBV0z8yQK1p8kkYvuNU8uOFQfeCp35wQue2CpzqmRxpWVCGg1HSl5842EYmNN57gKfzevmTvLaL5O87kwWzuihN0r7rPegO8mGRp1sAXgqaXGLIAuScy4RFkUPQOXKjZTErzIpbllx+yGIm1MrQKn3uSh+2tMt80DNEXZgsuMwpTrisQVfTdbKE9wHsml3lAb6kIsdZ4XVRa2VVkT4khdCXPxXocUwPW2S7m0LNizIHsx3g9PlvTBYVvS6sTeU22AbsTrSADI9CxWUmpLnMh3QtTCGmokgdFt2C/X1G4Mk7g/dgp+6F2Ieduqq3D/vnjLBfZYT9Lxlh/4+MsP+aB7ZVtaBTyCFSOujpzTNZVI1A5Xu6zvBOtsDrqwx6SdUIPq/qPNq30zKpmKdOQgqQeQ6lxMAXlt43IgvjExIz7KDRLI816QDnsSbN2jR1hlmkTHZl1VlMVausMz3gOoMIsco6wywXbDRrsgBvJL+WVCoDLMMhXL5yXMn0KCxfqdougJYZ3GqqqgsmMviwHeAMQRKEq6drm94t6iCbLJDrpsgQ02CaW86oyFBAZAo6B8nWCbOu+rAlFes/oZzmwHtZYBvQLJB9O5g8WPvE2izQp/N6+SqPD9oUU27/mqXRGDNF2llxO4C1Si6qTZZrjlCB6fRVbsb7+JPN2uoBBrvwfv70zhEPHNW+LMB9N/l0HeR6sGdcQA4bxhSzHJvIZymLs7cB59ANTMFrTFIssog6Xi9/Ko2tB838E8E2mmWBLfgMcpgxBh3NFZQ8WcHoNmwu85ySSpWNAMNUDm4H4HyeQTap2qyoTTrzvwc9lkGeBLCGOTdW0/SekA3sDBqfhjoXq3U2XhvsRK4zyVefme+PeAboVgOtMiiSvhQoF9r5lOvVQnFT+Amz6aGvqaZZDng5UgibAvLSz7dPDZcbS2XyOcelsdNGpxoW2EIFPysoB9QmOa7p9ei2Jjk1WJzcMEs/7PrQTgP7YM5pWaa+A7xMHVZtWwdleIt4VTCtVJWlK5EDnMFM41WRJzkydDzKweb6Knl7ptqkb1nKa1NrnhiooJbbJnn2meAS0rXY2UA1SSfqdHCx+Da9W0so3/W0mAmV/DnvgGdI+Xc2b3Kp44BmkDjOhs6AavLcBKHmWY6unGe5wLXSqQVYNW3mOa5ZxQ3LIRYqk+XA5pgDIcFic6XkcJPLcN8AOnXGn4eaOh1PrlapLZAsFWXKD4BObomq9JqR0nxeROZx3RvuSoJO/2bVhR/Kmxxs0snUG7B+xGuWQ5ahcDPMxEktDALY1NKgLrwjKTm61Bj3YcEWqer8B6DhuubJAwE16GquqbSDnrspIK+yAE7/9PpOZJ8+7UwBTQBYq3lBTZ1wYEAftKapoWqgIod+p4EhH3zX0UzA0zPZQU7bwrUHWekyA8bpHZkmg2/YeN9whnwAA6kTAfzA4wzGiYEv6Q9ArEFrMqgZTCnD5xkEr6lTe9mMZjnugWZlckXaaBbripsAsE03YqsPszHJu2oumUxdKBGdFntfoL5JZ2ry7dymP1YeaPqIXjfTMzXcdZ28W2tTTrPkoTdaZHgLGwO6KHnqqvcsYyvayFAONlhmLK1Se4OXBZfG0lkGzWDJtc2hhi9rmaF1k1W6kSndrLG2aJGOom8aq8iHRpLB0l32SMZheZ+p4CU50VByS06oLkM3Q4Pt3+Po+MlZGbk0NiEUweAQfYL9DZgSJFaq0+VDcJmPc2dVLdQaBoMFb+TfTDXJmnrf8ow5HnqfEc470zCHa1LR3UYLm1isnDe7w0CyIym4weEM7eph67GBEjFNXSttybDxKCGrBbWEW1JrmI0dhXuk5d5lCEWM8cHq6FAgXIbO7iN9oQWXuSfy91B1q/XxNMSqOdgF6Mnm+2ahmsGLRoiEJehuHJFVpKbaAHkHluJEcH9XaceCp2/V3Ly48GWvz8hpGPH1nNhFZEoRNgP+AGH0MaItyXuwv3MrwcT3eXioszBvhiO7u1uEi3tiDVDNFhMueRQ/nLl7hP7aO+ITZ2FgMsQLQRuJs37nDc5xbZu4xxu47/Rr30NT/nbcHU1dE+4wv3jE2HcbUSSsabpd51VclnyEa4u3YsxdcIxp1CMCaTO47j1OqJZiZOIlds/NOA4c++casETDlwaM3dO0+/Bs5bv3yvcqA47l8at6ib3rkeryTrfdKftw8hhhbGzr79ih3byOUp5y9v/N8w3dYuenrVDAteNnA62GdEm8dzzC7nGZUgPEp2t32JDBrep2KfziYfCV3Sj4DnOlffv6KBsJoYYYABx3RvfPq9JUGsqOMN530GHaLy1R7d0cGtZonIC2D+kadMW9unEspDdL+sEcfMkFzIEIWIIg1Bg+l37jNvP640cfWzI/oPzG9fec9OmDTHp2mDWSf2lgd0wijV++Hr6HdUw8bApKq9Hw0l9IpqQEzK0gK24XY4KCkEhlSKexaziovOjOpoVjJ8qT7okSas4ZFcRhMGL6IBYPix0uNTKm8eF4Vy/WJo5eL51tpXayWlM/8FRwaoqFym4TeCOuM9dwlspmqJGTiv0RPPF+AMRfGoctvmlhEAsTQPXkjTDKGeJb9+0Ug+Xk1/CLCXkj192/BtAt2vJGWkLLCVNV3VjQcTGcxY3vCMtnnn2zuxc4Y3FrQ7j9Z/Py+x/+6mzf0952tBz7Jop2OKdF2ojZbR03dA2a/EvnkzMvAhqIXPzWp67/yX/m5QbnrVO/dz8OTF6+SbY92R2Y4taZkPe/fTxztIMG7zxBf2nJDdNQU8nWTqsM6pnYzQUhyKHn5OO71+Rc2h9fPifn70/P/vM1+XQu7aufyNPVYk0kcLsATdhCmTAqTWkNzOK3fnj1v/7bsydRjoBdZJRxu/xAmTqpaHwcj8l8+u54zS/9WTxvkYpf8fJxId2XTTdgfmDDuFs/8DF8dxTTjXXymWvbUEHevnkfRfZPJSGfL+uwk/F/lIRJnLcO3a9GhCIhNwtP3ILH+Abv2Yc5tbCiDzAiHU/3BXlTlhr9tP6Ux9Dpnl5W1YfGOe8bCzk/eXfhX6XR8FhFzRGjH1tOJa+phrebnF84VEa8X46HB06CSMJDt/Y4D1tNrPDTtY4rIHro0rLk7stUbAK2vVn+8XfuiAfAmYR4wVW44afbR2CAyibXOoted9snjZL3AcMLpW0nkgdCt8QAG24At+ubJa85Mu89PVzO28ekJevdGOMlxOzGY3lxA3Zo+VJjFONO5fR+o4GOQ5xc1lTOYdKZTkzJGZ83GkoyXSNMkCVmDcXlTH1g64FB0eiIthxddJah34FIqPv3S7iSOwA0VMpCETK70+cZpWdtKU1BC5+KnwF0bXUe4LMMR2KWoVpY5LgOufqf1BmYSsui9cTlU8t3LXhHx2R3tb4z4QE02DO7AC3Bko/rGp6TT+0z9hYdYD+Si9YBNngJfhvT1NpRPUdQJkZM4xbp4Bd/TqgQUWWi3nwRE9yoxsS8JWj3BnJpFTEWH3MuyafzUYHCMEE2m7xKLrIdUFVnGPvmAGswqTN6HdgMJS7+RUydio7+9gzY+tEKhQA5Tz4pEnF2ykdGLXREA/UqDxW9AIwkDNMJZoSSX5ReUV0O53QT8maOyV6aUHfjrzGXbgp2BSDjqmfirol3jXErS0U/VOeRIdgyHjMjBhRyGfJcMS2h4taJpTBiI07iUlB5jDj+LRyUbYJIz0U5IHDbZbmJpCydBTtHA3b75UkdqQSGXQiW6frB3S5iT7XlrBFUE+wXTVoknp5dv36r5mo2i09/B1bYBWTf3i1kP7oF/W3s4X3m8HbovmnsAqQNyeKjaJsmZeeE2yX0+CXHUf9kQI8irBrL1HE5HZYcR/iyYQyMGcEZO48f1hztsMQTxIs4FXeu9JpEChMGuB1DOG3hCDs4OqmEAT5TK+neFSe3Ysph90MyUJS2qVqm60c38m5S4ruWYs2A4FB29AQ/zI4+zCUx3DYR+UmwuACCiA5QF9QQWqravS52AVwTtZKbLfOMs/RaSVWN5NXiTA7DfYv64yoRTrnnsnTyR2nTMYCSX7gA8iYgNhmw4TbOXtkR5u/kaMJ4R/+DpCuMsuAyZC2k5UKMxggjUta734MRPl/vMtRrpObEeELoVOWsHogQP4UFXXLVoHbJVFVrVfGRDEU4NnJnkk4FFpHNyMl+3LhcdmInI5K7GG5pnSSKwBaGSYfLHIBgZP0Ov9y723tlN/dt9NhtyiwbaXfL2VJr9CWWgRfsELP+VloQvsdzkKA5a0lChmCi325qAbcLfGpjs91IQHbCfpgYq8eDny1Nh7TdejCaXu6nKagXfq2MdEVN084It7wC4+S61/Y01DAaRAq7kKwpxI0bgY0H77kN+pZH65De3Q92tH68HU0/FCbZkNNbkxYcxjdROKANKd4IhFsIg6+Xupc3UqePunf+oiWhTd+8c8l6qR5HgNwgxzsB8vUexx9v3rJUow2Os2W3k4/6qBIk5R27hfw46nFMSdvgMHZKPZag7fipk1fuNHZRVGAX6gGiJHTLk0w8GuFroxuOvZS0yup12hPV+aBE8Nc6RPacy0yekP+c/Pz99+Tp29M3F8/IKTeWy3nDzQJKLIWP4iLUXGXvC7QvEobZsjOPR9hm/OJIxphWmb2K++o/3a7GMOhuDHrkkw19vst1YZj239X99hx/iFMsZkplrE36JlOMilTd6XYI+UBL3hi/AlGaGF5xQbUXT05sujvE8F2Pl1fhPTe8PGankX6m/Cd3EFov4k5fzM0lz1dn8Ubuu+sY1giVhj3/b3AS4SeDsxAcN9AryyjjrkylcyYGDEI2yGql51TyP/dkVct8R+G2zD6A0/0zNcLuGdfRWtJMXX9+ccvha+FbfPneRVtZzb8CFXbBqAZSayhVxSWNFtz1xNMFtRykNTemxwt6TGrf0gcl1rd+hDrTwXVX54kTXDXVFpshbUjdL1aP2OwoCJvbSNQZlKCphbJIllS253w44fNLu2IXPLvQasnLrnlY+B6taxE01cHBCM1/3LO2rdPGFZwNkbw8EpXdkqHXn12PkBkdHoqZk0vuo+eLXcV9pAVcp3SmHAp+V80TrlFn6v2oVwk9jxDqdVTUWKkhxirtJb6DVoGluNoT/NbEfetJnPqKl6WA40m5d7jebeVcZHt7cu8gOdeOxzgOuRdhtV6HIbluo7PPSS2o2zL3PitNQDK9rse8/JgKeQR78hYZdLqzLX9VxpJ3lC24HDHpSppJcnyzy+tPEjP9aw1OfDj9yDc5MxPytqQ1+Yz/8PpRqaSvO/3n8PEkC7oEpzkJoJp8aUCvCfYgNLWSBlqNKl6c6ugt8DfHkZehBx5zkDVvu0BKT77vyzeOZ0vSEVDdHKAPoTnqbTHFKU95HWa7Z7xtLb3VxMjZhuHh5YboRsqoHWuedy+Pjzz7NlIjNXYBYhEszPwbQcmKy1KtDDE1MD7jzH3yPFYnGPJkhxfEkefx3eTckKfYERYk2zxDGLp81uMWaSS+429hTtmafDLbjW+7CGy1W0ibPLvWrXAEg33kte+bWogK1qrhIXMv4oDjXR+ASPX/VqUplvMM2bdNdn6Feqw7r1evIxQjhdGDFn5zALHHyesdIzVk+AbXeyvrzpD08S6gQ2qO47DrAgbbe7NJyPTbMNiheEOKm4ufsWwg5UjA0Qo3JLmEGZfBV4/CCbv6VbQeaTqI2B1UKJYJt40DZkf9Sy0YO59tbtpDL6WR3pSdD9tayhbVkVvgb1ZFhpOBddTfjixDXqZcppsglvRuOJKxqDDv4xkRUv2yHdwW30Z7U94fmdo5wDrv23cD1jXV7Zlyf36+IWW14INW6sTdDmfL+uT3W5Fnk88s8W0tlF7n2/C/mZrKf7uxY0yLyHYX9VY9jz1Nji1/e4HQb6DtwVSiAVVtv/X9VI2eggKk1ao+RHSUqpkOnAu3OuNhTWdtww3lCIijr+447j08UVVN5bq7j3jtcJy+t1eWoN0zVHA5U3GlgJqr3DVCN8iPHSuyxWwFebuiz77kyhH4pRFiTf6joYLPOJTkFOuevXMwisoKpgVT6oo/UND9d5gSv/7GfqZiTJtP3m12Ew6vG4sq94EjTG++6x+6JcKUneCO9j75Cfm4rj3pG8+BY47fwfHN0zArkjaT3UHb4eAdEfqJibWt3UXmGK66Trncxs57FmulW28/hpg/vB3Z8l6vnMTHqeVFnXcO0R5WuJVv9Ny3aGqlMmki20i5ddx+kJrauGuSyYKalNH+HmAdyukTQ260SLjNPagJd6UzRotGp/KG9GAa0AWdp7MpN6CTP0/boJOmP26DDqc+g2CBawsSVav0xomDn+w0d4reQsNOqkxqjcovcYxawi2Z+xGXRfXqRfjvk4DCi/AfIa8p5vanAnQ8Oy+Q84DRc09MP3iOHtfeqLUBOWUYiOZMKi5noPVI3HVI91Ho6iv+N7I+6p49ApJtX+JZbxsiVwrD2irrlYoscbTjd+bj9u7YfcQMYt3/0z9gmKA1PvCT1wvQx/FHOJ09ZDw9PcHRj8/ICa4fRw20PVKzlBE+n4AOwz9hKwtzT3NeyBo67jGyt+Fu0Sem1yl6707zPw/1St69NUp8t8kl/zPureFXmWTK+T/OiIS5stxvYL2gZmQClGHHbivU20q/+PhwQbfV2SZADRJcds5Y2zi9rb+JJ6QYPj9GRcV2f6Nu6uHH0UHLTppwY5rkSidCxmSpfN66+8VQEEPQOqsPdLApfel55hYnlxic3iedjpIh0XUGD1Hkp5eY2rn/MepJz8OQvLv03IPjuAg1RhTLnC/6bkg1OLKjyJSFO3q0Sd6m0eQCzK8gWNSZmht8sxlX0n+QULb+RAzG65Qm55dv/vHugly4d4r8Jkemr2ywzVRJfQi2H1cqji2KIbYAdmUOciLfTgjn7UEWGzrX9evsWoRhGmgYQbiRgnu0XNB80BTyAZRcj0fXFWTUaECcLbXN0SZ89rFcUsFLfxAjSOwKwqN1td4nCJFjV7A2u2I70clvE0gTw15YW5uC4wzaLKBxK3MwhNFHcJv4XLaVL0pzu77hRjFVVVn7xN0Sb49HcAjFS/BXXIPYtTRTu1hWgsrCmIcaeOtW9jL890BtW6MVxdaXGhe14sdIq44h7DEgiAEiFbcGkK1sQaUcNM7I3W4qrIqIjMRsj9S2uXtYwszD39++eR/evRc7y3cPilV61/efvGcbN1fFUokmFwPetHOcZZhz003Gbsf5NpJbQ556JMwz7NaBhb3tRN0d8ASRjlIjmkzS7G3A9ZPkNqQLTLaLDpagMVNg1gjClGRQW2coX/o9HGmvsFrllL6e8c5gb0doO0RrpS1Rjr+//vubWApulO2pz53S8+MnWO4WGGy5WKfUNzuJNor5+9lvF+cX5B29rrgsu7He8W11tB09DXNriOIIWYGMAXX7yOrUp3jJYvL0bF/lWMyOV7D50EX4LcnZ1Y4tZ1mQyuenoUtvwGIvhuJ4m/LAvQJaiqv/8nXDXWGOLIeaZOrbjf4SZ0I/UHZjGFeNVnwX1K18ce9zYppIijo15G/GaiXn/zYVlF0JbiyUf3sR/va8+5TLGbD4RzOuYUVFVJGhU9H7DaGyJEaRkWOpYc6N1Wtn2R9TWNTULkKz/g4HsovDAEl0Sh0LTV8I7eu1mNK9LuSdPtlhDtLq9V/+bwAAAP//wSvBkg==" +} diff --git a/x-pack/filebeat/module/rabbitmq/log/ingest/pipeline.yml b/x-pack/filebeat/module/rabbitmq/log/ingest/pipeline.yml index 58097c578d8..e69402c6a95 100644 --- a/x-pack/filebeat/module/rabbitmq/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/rabbitmq/log/ingest/pipeline.yml @@ -1,6 +1,9 @@ --- description: Pipeline for parsing RabbitMQ logs processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' - grok: field: message pattern_definitions: diff --git a/x-pack/filebeat/module/radware/_meta/docs.asciidoc b/x-pack/filebeat/module/radware/_meta/docs.asciidoc index 7335cb86eab..622f5d5e461 100644 --- a/x-pack/filebeat/module/radware/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/radware/_meta/docs.asciidoc @@ -51,7 +51,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/radware/defensepro/config/input.yml b/x-pack/filebeat/module/radware/defensepro/config/input.yml index 24f226db8f3..e978b023425 100644 --- a/x-pack/filebeat/module/radware/defensepro/config/input.yml +++ b/x-pack/filebeat/module/radware/defensepro/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml b/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml index 9b916ed8805..f1ddbd56ba7 100644 --- a/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml +++ b/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for Radware DefensePro processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original diff --git a/x-pack/filebeat/module/rapid7/README.md b/x-pack/filebeat/module/rapid7/README.md deleted file mode 100644 index 4de9f128593..00000000000 --- a/x-pack/filebeat/module/rapid7/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# rapid7 module - -This is a module for Rapid7 NeXpose logs. - -Autogenerated from RSA NetWitness log parser 2.0 XML nexpose version 134 -at 2020-07-13 17:55:40.743386 +0000 UTC. - diff --git a/x-pack/filebeat/module/rapid7/_meta/fields.yml b/x-pack/filebeat/module/rapid7/_meta/fields.yml deleted file mode 100644 index 7e68584af5e..00000000000 --- a/x-pack/filebeat/module/rapid7/_meta/fields.yml +++ /dev/null @@ -1,5 +0,0 @@ -- key: rapid7 - title: Rapid7 NeXpose - description: > - rapid7 fields. - fields: diff --git a/x-pack/filebeat/module/rapid7/fields.go b/x-pack/filebeat/module/rapid7/fields.go deleted file mode 100644 index 54c2c9ea600..00000000000 --- a/x-pack/filebeat/module/rapid7/fields.go +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package rapid7 - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "rapid7", asset.ModuleFieldsPri, AssetRapid7); err != nil { - panic(err) - } -} - -// AssetRapid7 returns asset data. -// This is the base64 encoded gzipped contents of module/rapid7. -func AssetRapid7() string { - return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb99e+UnKRre2o2fZztbVVk2BmCaJFQYYAxhSzF9/hQZmOORgKIkCKPnd7YetWCQb3Q2g0b/7O3IF69dE05qX//YnQiy3Al6TD/hv8h7+USsDfyKkBMM0ry1X8jX5658IIeE3ZMZBlGbyJxL+6zV+6P73HZG0gtdEgl0pfTXh0oKeUQYT9/fua4SoJeiV5hZeE6ub/id2XcNrh+JK6bL39xJmtBG2wCVfkxkVBrY+HmDb/u89rYCoGbELaBEjHWJktQAN+JnVdDbjjCyoIVMASdTUgF5CORnQpw29AzFzrZr69qTsMnWzLGItqdgib3z1sfVjS2wWqcx86+/7VxjfsMGufFxw475HuCGNgZJYRRitbRP4r+mKVGAMnbt/U0uYqsA4opX7fAc0IW/VnJwCUyXoOCEeFt9F6lByWriwBGkLR1piwAHhzNwPLDfIc6akBWmNux9cGkulbdEwURwtrw5BsKR294Mhdtzj5JYg1JLVgrMFocSAMVxJsuDWEEreg/2dWwnGtLs/GRyNjlizUI0oiYQlaDKF7tzVVBsg78BShxolM62q3lJP36q5eXFB2RVY82wA/pRrYFasnxMb8KbkA3hh4U+47KE5iTJSwBLEAZwUSu7ezy1OnkKtgVEbMClhxiWUREmBaFk6FUAqWsexqsy8SHZh9uzxu3DPz09/IEsqmnDjeQnS8hkPpxOuKbNEqLnfLz3YCKSOO/DhtOD33HbUVFvOGkE1/j5s7GT0ZAxAH3RSYidjAHn8pIxuyfK4e/Ly/+/J/j1xq+bZkPtdXzX9V4GE7G7Lo8FuSQ8RetlR02BUo1mmt/f+bMt1/++HmbHUQgXSPkbkaFNyWzBBd+7wI0EPpNXrx4jYwulUjxExLg9DLK/G1EqOx3vSSqCHSI+8bJsBlCltqBG9JmZn9r7YugUcNgM9ZKAk3M+K2NFDBtBvsCLGubjjWjkSF2XPqxJln2fXgMxE7CMRDt6ZfewYanUj+ZcGNmq07ugPf1pvG7UnSjL3OFCrHrtlOyJuljyvOOxz98Qtw2ec0f59fqvm5GwJ0pJLFM6kkSVoZ4JoCIJqQPqMX0NJDFgHZOvH22uYcYOl3YQB7HsbLN0mDEDfaVOGnsD0/qXDDuaArjvw5G48WCiTSV/tn8tflbF9ESl2T6QBWXI5bz80sWPT8yF9PfzlhxywwY9GGXt+sfyJ0LLUTlaOXfdd5g6ot+prZe7yVW72vvp/l72OW/llw65c8I60vresJJTM+RJk5yT7ehUBx6LD/Bd5LZDyMSp/X0dEY9Shoep1oeFLhr3uBw9xg5Hu6Rq5fOaXJhd4kZ4Hb7al5OO6BsLoUIJMgQC3C9Dk07m0P7wiSpNfhKL2x5dkSg2eojZANuPzRqPqdwPdh6i7XzHdGAbNZ3wm8C+4X89VLjfbPuu4XfmrdzAovaK6zKbU9SRaj+w+J88vPm/pe5RoEHR3Swkxa2OhCo9oQNtBW4A/qcYzz/1baT7nkor2N9vayg18yKV/7UmMOL/4/CrCgoD+gBP3Z0GH0ZDLKV6fzUEdKo6Hvj4LoCXoo8Suf8WlyPnpfaKkHt9+sBTBHBYrfdRONsGK7H422ipa5xtFCy+KM11OlBDArNJfowB23HuAnBt35rghzLMOSofplqL6Vu2qLWQPox+hxVex6WNRVStlMNmtUpJM14NNI0TDlwaMdQANr2qxDvvkvuwEPQHKFsTwEsjT74ld6Ia8/PnnZ2RFDTEAsltlDycehfJ6C06YWkkD+VjBvppTwVQjbedTaKqpF3ruKpsoBPKUTtUSeszgMppZ2Yo3YzXQavT+sK/m2Dwwq6Dkza6eloJR38Q0x86xwGeE2382L7//4c/Gi/QXNQrQFul/Dqj5p7MH39I1aPKSnElGa9MIH1lxJuWd5HoM+j2DH5HcytgqP74k/+7IfU5+/JH8O2FKO30ZqQiLPif/Xdj/6b7IDdlmyjfRLZSqhEdr68oVFIwKMaXsKq8G7JGTyuK1odbbFY6JIMtacWnRNLEQT3DGw1GA1ipTftpGHzQ1ME4FYoyYGqu006zl2msd7oMlFbz0ByOGFCEz1cjSvTACEHku50E5ujF5cftGDCCniAWG67AnbDSyC2uhaPlY3rmADjH8DyAVWM1ZxOoIpnD/y2gL++e+FcLu2ad2o9GqWbttE/KrWrmtGdqcXBKlnTFmFbkCqG9g2qN48b4SpmnFwJhiycuizBV1PWslzxwkaGrxkpeOgz27cMm1bahwRvuW711GXBy84s7sxlg5MsNTEa76+SnRTlobdKgg06ieg+2+diMnjM6U9PTgnPCZcPs5obOEgoaC//y09b1+gEpZIJfhvDMN+NBO12OC0v2vDcR8BYGXsFJhasFzZjY8anPe8IHa/yh0MydzM553vHXuDQhnvT11rdUSnpD/GhFGL15mXDxAjN6t6oyji5M3F0H3ZVQ69vCqVnpX4yX4RH51aRDN43B/fPJPFRriaLrHXKnbpnyz+cnGYPd6DlrmE/Ly51dkhXyvgEpChYj7CtCpj2rSxn9EVqDBg6WWCKDGEiV3ykW2mfjgauLXzcTIXc0Rtg28+13pEhmHWU3AFlIJNV/vBuJmXA+0WEJ+JmxBNWXWM9Fd6jXij05zSRoZcnrEls98tKI2dUG3D9TnDCLsiV2iRVE5JVPJNoyg6WpUpqFk3VErKUON1ccoZPA5KMYa3UI0lsqS6pJIpSsq+B+x/F6lqyh/ypDlcDCLVDMdPEl3YtIG6w6ZF4LPACmOGPgGmJLliIK92e7C2Jx+lj0EcclUVQuw0QMw6kSlqMBbzXfEYK/eTNsHOsiXbu3ocR47ytsnc/T4VUraRaJt2tSnpsp52WQ5lQ/E+DNZ5mC7A/mHkrm7LewRi271VsX06bUfdzk8EFHZbvQbYuHahstHlqBNr5yi3JcHFtnf+x62NdBUZG7K9JjSJZT53sGQZBOeKdOt2OoYbaZN98V+fH34WmlVTRBqg0X5hoGkmiuv1leNsPw7y0ETWteirX7Z9LKpqKTzWGkuIQLDO6296JHyuBrC7RND1Er6yJilVb3rGQwYu9UcisPbZw1hC+6sG1WCmZB3jbFoJvWBultJ7UheLrVw4CbtFWCzmcN7CcfQhHCT2wU97zTMQINk/kBQp1qXfMlLp9ngeYgLsstWkH3cYV6cyOua66NRuNlPHwu6dieRW7H2xBon9Jy+5pDCA7rfN5pw00ddOM+dNO7k2WSwZJdOpprUEqgaKHL3hdjxP/VVQQ3ySwPN0Y6SO93+FG3k44oagkiUI+cGkfshNVMTKgVbDM0g0+aVzfD6zqscuNZFBlTrIof2XKcURdtAXyaHmkFX6r0iD2NC7piP0Tdm8Fze6c05VGzeJNcOCRZsHoidbgipHUGUDZT4FIq1aUTusNOIFaUay1QFLzwOnfGCWdlqNjghVAYWbBmQIwcElqC5zVk6soewdvVQBNiL7Oxz+eQtXhz0DvSvdFfp4qBh3KkGxmd8Y/jEtVsfzBnrqRJ05fzZTJEN6FyMvNwUTLQuqjIEWaJ4B7P5WJvwedtK71uCSpPfLkNqLDdtQsCuXw3Xb3dorErS1MrwhILjVmcLzWlZ+g5TmMrf3t3RLjyNsEW+1kV3FEWyqUBzdldZFKXtCFVsewjrV7J1N8OLJX+/B6QtQZZKh4TZvZSp6b8eoHtNG9pV038Bi9vRDrH8teADdjsJuh8xL+lz9qr7ZnghQ9V/EDPBy7WgXW6xVJZQsggdL+IJtELNizZR5UGEensQ7yzUj9EzZUv2/Q3TrbBrNYqPuOKvBGfr3Ldnj1y4QARCc20p1iNyuRE586bjDPzQCEDE4uJUSQvXuTXWDqFz6f11m36otCyN+z98VKloEYo1gLnhcWYLKudQSFjllgVjgUtY9UL9qIRYq/m0sdCTEMMcfeNRd9p6//mLiw5T02TCruOc4NnaVu5jGhqCu/lFHpm+/hYxbrECzDGsbThoNjlfegl6Qi7Bb0pjQE/oHLCVd8h0nynd4jCA3YLxejvD3xP/+17fCqXJVKuV+6z9a9A1vdk12k/6vLyg2qZ203WAU3tUwp1Sg+rQY90pJcpObcx1pVQNIaCY6y1+IwkVoG2XXaQ3i4a/+fBWEB+9JgCYhBRRmEsilfxOQw1oyezLfkCz4ZhPDmu0dhems1dwJ1GPe8F9hK0N/wwoW3G7CMqyl/XkFBecYrWJJEp+N1fuv/e8BKikFBHFMSPdtBcMfIEIOCTVjDjpYDmYCbncyJTdwQb9yqo8GJ/4cr7GOCPGl4z6ZJsyiN/AeEqYaIxtD2T4x2Cb8CfcuJ0MNdHBv+EUX/x0XAU6uvbjb1jcovdtmfIpZU9uMrwclqeIBaHGKMbRX+p2I2pP4oa95VfwmlBSL9aGMypIyc3Vc1JrnInynIBlT+KKMtX0kNrLOz70vs5G0wosaENqarCLl8FGDr4XAVNV5aSY2graD0trwLK96p5/Dx5K4+vtYYaHyYtvpqq6Gd7BDNtGyYrLUq1CPi1TkkFtn3eZFKPMGJA5a4RYky8NFd75WaqKchmkhuwtJNTI09X3eqZSl/aQ7lTCt1xeQRlqgdpEdGrQOxUMFPfJNx1qE17u2zgx6AqRVdT1Jzt5t8QuAi16v10+FF6/1cHzSi6H7Xq6oDPoiu8OdsrtYg1rIrb+/O/XtH9MrGnPuMh/xzuSf8HVumusoWwYkDZyBHF3mwHNqSgir2m2R+QSl2zV5t33sfcAuhdm1C8A7Moc1HIghcc4rO4eugU1i+6GOrUwUmXYsIXP/G1rbLoyw5MW0k6LMEdIt8zEaOZ+1f17WGlKnDyXhGPOXSOZAKrdn7AR3ga1UEAYvJ26Ley8OfrghV8z7PP0qF8spqopl13f7P6DFcpG9R1eryXXjTm2p6+vjSAC4x6/4wRII1fixK/uezKOe0q9BZfdNd6xz3uZz0/Jey9pnobGDcRP2wtFvw63Z3G92jugH8KX33M/n58iS0PJWycmht6D7YicTwP0JEz8IXKyYMVN3EhdmnXOXvbbUd1QoO3Vhb1+bOmN7yOeGsf6k25hcn56oyabyj93gybrEHspy41GOyEnvj4z9DsV/oP92iwiqLe/8cM3wR03bWxXuals9xg1UoDxnFH+QVkpsqSa06kYVAH6pgxcklrQEUFgQJqs/VG2NrSvqvqVJ05SOQ2jrS/kbp8vX5xf7OrQJLSM9R6FsbrsAwcK3roWchNp8UiSc2nJJZ9LisJi5IjWSudsXvtkIL/cIb1odTeFXR3xPx0ivbuMp6xUkYPz/rePhEsmmhKcOAuDbN3PJ+Tp2TWtagGvyYV3iHiwKL0ncb8IRuaOHttE59TmaYljxs2VU7kPwOsOpXg9N+b78DR84OZqT8jVaj6fg843wi7Oss/9WEDAAbXThQazUKJ0p8fb6iOTRrdC70fwLAxj70EqP/3gdYxnXTOO89N4Gcmto/NMVXVx5Lwr3JWQe4VjXL1/zzTT7xw6SmJ96gzHzaiyYWNWWlBLHyhrrI95Jy2Vxs4DTq63+I1MiaO6XFH9MBl6w676TrrS8BA5IkZaIz91QpSSd5S1/ZTjyq0TQUe1Y5T8rlVQ9X4p5G3N5EOtNVCTPDfYWGqbVIpz54+iXDyY2eEWn6prwssX4++Xe1mbY2DoMPo0aHzs74LDIn5123cs8/S9wSE/Hc7dO+Q541I1qWKcvToSM09+p5wkTel0GHhkf0oMOHdnxq0j8UYIJ/eIaRgDY2aNIGdufcJUCcYdibbZb9yy4LKE68QMENzYwzTPe8oWXBhNMd0iMQWN8c2Kai4wgyfiwfPxdzknFJn4nfttlDKZ4RyqqW8u9EAacVidPO3yOWvQpg5Ft17CDFgWVIRNQnzb4enZSJGhd3MN3+PcCSVe+eqSvIKvyn/bfUi5NKQES7mIOBmmqrG9342QpsTRczNbjy3t8tgQj/GH1EJVi2zZPG9ICTMaQkCh82Ubww/Zmk4rXoIWdI2FXFaFx5U8jdxI9wFa3eHXMGurwL2v3lhuG2zMSKKEbWyDYcOm+17XpFGsnn+H0dSYZpBVTFWVu095jtGJh054L9m31mrJS+8/a7vIVWBGE6FKxQ4PNN7dW/YLFxutkfXz8uKqwXWNSU8PI+vb1fPK+n+p6YF+p4PJ+99qGgIw8dtV83yNc08xodjv/OXFOTkfKFR9NLJ1rQ3VJfsxSFjY1VXDzpMa0nfxh4Xc6rhy70VEMVVl7oqvQcXdrtIRcCEOlxH1aJG+W4IPGRyh8rznAg6lwz6BtouH8Dkvu1DOiBOvSm01DsrAE7z86ZS8ju66yflMtdO9Lz757jltIAqTNa6BNX0vgk/9mkKsvLXtwrQvceMIjpCoV7zcdoh01ZV0Sbmgw0AG6VzhBOsrZ6D1yKQFf4cO8fWni7sFY6UKDaB8AHZAUkg3MHw+GZGIvCqmTVmuk/tneFUkrQPqwW0MHNbofK+XKj1EzVXCLgc7JXaFaY5RkMBNP3vV91ylTcltV1m36YsWMIoNtttUbHhRsgkv7CfSZ4ml5uDyaFb5yecz8jTUSnxuhNOVp1xgAQfmgZ1d18q4bz4j3w0dDXI3CnMl1UpuGUIGWIPNLJbb0EcmbTJ6BBfcblroSVvl/j6UJr2FOWVr8mnUXBN8qulDFOWHhbdYzCWpKJczTSvYm45RU41Te/P3SdhSLi9wWfJelT45etMWsJd1FkGK3KB9YaqAY0QuC2m7b9x7WJFfG4mm5DtVgiBPuVxOvn1OuGLPydT9H7j/o5KKteFm8m08vmhZXcwEHUzOT61DbWv4JxcEF0VfF8rJdTv8Ss32NmqwKium/q/TgGfbBsGAdgc5itCySit3dzD7/O53qoF89AnA3377+d3vbz6cffutz7ldUk356JlcKX2VsmT5xgv2e7tgP8I26gSjMrUSEWp20nYp6Z4Dytxzsc5gwsyUBmk4SylAeq6kDBhX6b0gkfhAKqDFivLhcOJ7ewew93lqoO76pC5RN80006Ww09JYnbryHeu1sznE+m9psne0rfnI5yQ9tNhlMxhsoNKEYpNN3Uuod3EgZnzU0dSSms0Reyip0W5EETJ3y3viQvngfoJ3d1w45IP+/2G46kZl9pP/HuSIlT0ffUBkL5IPcjjaOO4+/JQ6QtLW1s727NKntstob7PssE/mM3S7DU7uzZHptmU1P0Y8DIu+ZpQLx+u2mctFkBnnp/3aNuzE5cxBC/NIC4PxrMI257pwKuIB9BySeI3p1qH66ERVVSN3PVED7ORhjZvui917uLZ/g7hO3eFmDtOs74vbJZXlf6h41GyDm6WWHyIZ7o3dcOEt5Exjas64SpYleiwLHrFfUS2HQYfHjrqRVV2oXML48v27C/Kb96NuklLjiHw5airB5X++JV8a0CO9WxshCw27nTrzJjf0HKJr8qEtOoumdXVaOkv4kPaBqtRjBBzQ+iDH0U1QbSQ4dm+4ZfoBDVRQXWXYLQc2g3uB1gkLkDugTZlsKu0WzLTdrrZAl9TuaoX3hTsFyRYV1anKSjq465oOxhffO/pE2SCdKgnMYpH8LDCYpS2g6gDP5thqKQNYNf1XBqg1TT4Jw3ecSn68MOhe8NQPTujcVoFTPZMjLQvKcDBK+vITB9vIhMZ7D/B0Xi9/ktd2kfx9Z7JgVhelSdp3vQfdQT4s8nQLwEtBk0sMWYCcc5mwKHIIOkdutCxmhVlxy5LLD1nMhFoZWqXPXenDlnaZD3qGqAuTBZc5xQmXNehquk6W8D6AXbOrPMCXVOQ4K7wuaq2sKtKHpBD68qcCPY7pYYtsd1OoeVHmYLYDnD7/jcmioteFtancBtuA3YkWkOFRqLjMhDSX+ZCuhSnEVBSpw6JbsL/PCDx5Z/Ae7NS9EPuwU1f19mH/nBH2q4yw/y0j7P+REfaf88C2qhZ0CjlESgc9vXkmi6oRqHxP1xneyRZ4fZVBL6kawedVnUf7dlomFfPUSUgBMs+hlBj4wtL7RmRhfEJihh00muWxJh3gPNakWZumzjCLlMmurDqLqWqVdaYHXGcQIVZZZ5jlgo1mTRbgjeTXkkplgGU4hMtXjiuZHoXlK1XbBdAyg1tNVXXBRAYftgOcIUiCcPV0bdO7RR1kkwVy3RQZYhpMc8sZFRkKiExB5yDZOmHWVR+2pGL9B5TTHHgvC2wDmgWybweTB2ufWJsF+nReL1/l8UGbYsrtn7M0GmOmSDsrbgewVslFtclyzREqMJ2+ys14H3+yWVs9wGAX3s+f3jnigaPalwW47yafroNcD/aMC8hhw5hilmMT+SxlcfY24By6gSl4jUmKRRZRx+vlT6Wx9aCZfyLYRrMssAWfQQ4zxqCjuYKSJysY3YbNZZ5TUqmyEWCYysHtAJzPM8gmVZsVtUln/vegxzLIkwDWMOfGapreE7KBnUHj01DnYrXOxmuDnch1JvnqM/P9Ec8A3WqgVQZF0pcC5UI7n3K9WihuCj9hNj30NdU0ywEvRwphU0Be+vn2qeFyY6lMPue4NHba6FTDAluo4GcF5YDaJMc1vR7d1iSnBouTG2bph10f2mlgH8w5LcvUd4CXqcOqbeugDG8RrwqmlaqydCVygDOYabwq8iRHho5HOdhcXyVvz1Sb9C1LeW1qzRMDFdRy2yTPPhNcQroWOxuoJulEnQ4uFt+md2sJ5bueFjOhkj/nHfAMKf/O5k0udRzQDBLH2dAZUE2emyDUPMvRlfMsF7hWOrUAq6bNPMc1q7hhOcRCZbIc2BxzICRYbK6UHG5yGe4bQKfO+PNQU6fjydUqtQWSpaJM+QHQyS1RlV4zUprPi8g8rnvDXUnQ6d+suvBDeZODTTqZegPWj3jNcsgyFG6GmTiphUEAm1oa1IV3JCVHlxrjPizYIlWd/wA0XNc8eSCgBl3NNZV20HM3BeRVFsDpn17fiezTp50poAkAazUvqKkTDgzog9Y0NVQNVOTQ7zQw5IPvOpoJeHomO8hpW7j2ICtdZsA4vSPTZPANG+8bzpAPYCB1IoAfeJzBODHwJf0BiDVoTQY1gyll+DyD4DV1ai+b0SzHPdCsTK5IG81iXXETALbpRmz1YTYmeVfNJZOpCyWi02LvC9Q36UxNvp3b9MfKA00f0etmeqaGu66Td2ttymmWPPRGiwxvYWNAFyVPXfWeZWxFGxnKwQbLjKVVam/wsuDSWDrLoBksubY51PBlLTO0brJKNzKlmzXWFi3SUfRNYxX50EgyWLrLHsk4LO8zFbwkJxpKbskJ1WXoZmiw/XscHT85KyOXxiaEIhgcok+wvwFTgsRKdbp8CC7zce6sqoVaw2Cw4I38m6kmWVPvW54xx0PvM8J5ZxrmcE0quttoYROLlfNmdxhIdiQFNzicoV09bD02UCKmqWulLRk2HiVktaCWcEtqDbOxo3CPtNy7DKGIMT5YHR0KhMvQ2X2kL7TgMvdE/h6qbrU+noZYNQe7AD3ZfN8sVDN40QiRsATdjSOyitRUGyDvwFKcCO7vKu1Y8PStmpsXF77s9Rk5DSO+nhO7iEwpwmbAHyCMPka0JXkP9nduJZj4Pg8PdRbmzXBkd3eLcHFPrAGq2WLCJY/ihzN3j9Bfe0d84iwMTIZ4IWgjcdbvvME5rm0T93gD951+7Xtoyt+Ou6Opa8Id5hePGPtuI4qENU2367yKy5KPcG3xVoy5C44xjXpEIG0G173HCdVSjEy8xO65GceBY/9cA5Zo+NKAsXuadh+erXz3XvleZcCxPH5VL7F3PVJd3um2O2UfTh4jjI1t/R07tJvXUcpTzv6/eb6hW+z8tBUKuHb8bKDVkC6J945H2D0uU2qA+HTtDhsyuFXdLoVfPAy+shsF32GutG9fH2UjIdQQA4Djzuj+eVWaSkPZEcb7DjpM+6Ulqr2bQ8MajRPQ9iFdg664VzeOhfRmST+Ygy+5gDkQAUsQhBrD59Jv3GZef/zoY0vmB5TfuP6ekz59kEnPDrNG8i8N7I5JpPHL18P3sI6Jh01BaTUaXvoLyZSUgLkVZMXtYkxQEBKpDOk0dg0HlRfd2bRw7ER50j1RQs05o4I4DEZMH8TiYbHDpUbGND4c7+rF2sTR66WzrdROVmvqB54KTk2xUNltAm/EdeYazlLZDDVyUrE/gifeD4D4S+OwxTctDGJhAqievBFGOUN8676dYrCc/Bp+MSFv5Lr71wC6RVveSEtoOWGqqhsLOi6Gs7jxHWH5zLNvdvcCZyxubQi3/2xefv/Dn53te9rbjpZj30TRDue0SBsxu63jhq5Bk3/rfHLmRUADkYvf+tT1P/nPvNzgvHXq9+7HgcnLN8m2J7sDU9w6E/L+t49njnbQ4J0n6C8tuWEaairZ2mmVQT0Tu7kgBDn0nHx895qcS/vjy+fk/P3p2T9ek0/n0r76iTxdLdZEArcL0IQtlAmj0pTWwCx+64dX/+u/PXsS5QjYRUYZt8sPlKmTisbH8ZjMp++O1/zSn8XzFqn4FS8fF9J92XQD5gc2jLv1Ax/Dd0cx3Vgnn7m2DRXk7Zv3UWT/UBLy+bIOOxn/R0mYxHnr0P1qRCgScrPwxC14jG/wnn2YUwsr+gAj0vF0X5A3ZanRT+tPeQyd7ullVX1onPO+sZDzk3cX/lUaDY9V1Bwx+rHlVPKaani7yfmFQ2XE++V4eOAkiCQ8dGuP87DVxAo/Xeu4AqKHLi1L7r5MxSZg25vlH3/njngAnEmIF1yFG366fQQGqGxyrbPodbd90ih5HzC8UNp2InkgdEsMsOEGcLu+WfKaI/Pe08PlvH1MWrLejTFeQsxuPJYXN2CHli81RjHuVE7vNxroOMTJZU3lHCad6cSUnPF5o6Ek0zXCBFli1lBcztQHth4YFI2OaMvRRWcZ+h2IhLp/v4QruQNAQ6UsFCGzO32eUXrWltIUtPCp+BlA11bnAT7LcCRmGaqFRY7rkKv/SZ2BqbQsWk9cPrV814J3dEx2V+s7Ex5Agz2zC9ASLPm4ruE5+dQ+Y2/RAfYjuWgdYIOX4LcxTa0d1XMEZWLENG6RDn7x54QKEVUm6s0XMcGNakzMW4J2byCXVhFj8THnknw6HxUoDBNks8mr5CLbAVV1hrFvDrAGkzqj14HNUOLiX8TUqejob8+ArR+tUAiQ8+STIhFnp3xk1EJHNFCv8lDRC8BIwjCdYEYo+UXpFdXlcE43IW/mmOylCXU3/hpz6aZgVwAyrnom7pp41xi3slT0Q3UeGYIt4zEzYkAhlyHPFdMSKm6dWAojNuIkLgWVx4jj38JB2SaI9FyUAwK3XZabSMrSWbBzNGC3X57UkUpg2IVgma4f3O0i9lRbzhpBNcF+0aRF4unZ9eu3aq5ms/j0d2CFXUD27d1C9qNb0N/GHt5nDm+H7pvGLkDakCw+irZpUnZOuF1Cj19yHPVPBvQowqqxTB2X02HJcYQvG8bAmBGcsfP4Yc3RDks8QbyIU3HnSq9JpDBhgNsxhNMWjrCDo5NKGOAztZLuXXFyK6Ycdj8kA0Vpm6plun50I+8mJb5rKdYMCA5lR0/ww+zow1wSw20TkZ8EiwsgiOgAdUENoaWq3etiF8A1USu52TLPOEuvlVTVSF4tzuQw3LeoP64S4ZR7Lksnf5Q2HQMo+YULIG8CYpMBG27j7JUdYf5OjiaMd/Q/SLrCKAsuQ9ZCWi7EaIwwImW9+z0Y4fP1LkO9RmpOjCeETlXO6oEI8VNY0CVXDWqXTFW1VhUfyVCEYyN3JulUYBHZjJzsx43LZSd2MiK5i+GW1kmiCGxhmHS4zAEIRtbv8Mu9u71XdnPfRo/dpsyykXa3nC21Rl9iGXjBDjHrb6UF4Xs8Bwmas5YkZAgm+u2mFnC7wKc2NtuNBGQn7IeJsXo8+NnSdEjbrQej6eV+moJ64dfKSFfUNO2McMsrME6ue21PQw2jQaSwC8maQty4Edh48J7boG95tA7p3f1gR+vH29H0Q2GSDTm9NWnBYXwThQPakOKNQLiFMPh6qXt5I3X6qHvnL1oS2vTNO5esl+pxBMgNcrwTIF/vcfzx5i1LNdrgOFt2O/mojypBUt6xW8iPox7HlLQNDmOn1GMJ2o6fOnnlTmMXRQV2oR4gSkK3PMnEoxG+Nrrh2EtJq6xepz1RnQ9KBH+tQ2TPuczkCfnH5OfvvydP356+uXhGTrmxXM4bbhZQYil8FBeh5ip7X6B9kTDMlp15PMI24xdHMsa0yuxV3Ff/6XY1hkF3Y9Ajn2zo812uC8O0/67ut+f4Q5xiMVMqY23SN5liVKTqTrdDyAda8sb4FYjSxPCKC6q9eHJi090hhu96vLwK77nh5TE7jfQz5T+5g9B6EXf6Ym4ueb46izdy313HsEaoNOz5f4OTCD8ZnIXguIFeWUYZd2UqnTMxYBCyQVYrPaeS/7Enq1rmOwq3ZfYBnO6fqRF2z7iO1pJm6vrzi1sOXwvf4sv3LtrKav4VqLALRjWQWkOpKi5ptOCuJ54uqOUgrbkxPV7QY1L7lj4osb71I9SZDq67Ok+c4KqpttgMaUPqfrF6xGZHQdjcRqLOoARNLZRFsqSyPefDCZ9f2hW74NmFVkteds3DwvdoXYugqQ4ORmj+4561bZ02ruBsiOTlkajslgy9/ux6hMzo8FDMnFxyHz1f7CruIy3gOqUz5VDwu2qecI06U+9HvUroeYRQr6OixkoNMVZpL/EdtAosxdWe4Lcm7ltP4tRXvCwFHE/KvcP1bivnItvbk3sHybl2PMZxyL0Iq/U6DMl1G519TmpB3Za591lpApLpdT3m5cdUyCPYk7fIoNOdbfmrMpa8o2zB5YhJV9JMkuObXV5/kpjpX2tw4sPpR77JmZmQtyWtyWf8h9ePSiV93ek/h48nWdAlOM1JANXkSwN6TbAHoamVNNBqVPHiVEdvgb85jrwMPfCYg6x52wVSevJ9X75xPFuSjoDq5gB9CM1Rb4spTnnK6zDbPeNta+mtJkbONgwPLzdEN1JG7VjzvHt5fOTZt5EaqbELEItgYebfCEpWXJZqZYipgfEZZ+6T57E6wZAnO7wgjjyP7ybnhjzFjrAg2eYZwtDlsx63SCPxHX8Lc8rW5JPZbnzbRWCr3ULa5Nm1boUjGOwjr33f1EJUsFYND5l7EQcc7/oARKr/typNsZxnyL5tsvMr1GPdeb16HaEYKYwetPCbA4g9Tl7vGKkhwze43ltZd4akj3cBHVJzHIddFzDY3ptNQqbfhsEOxRtS3Fz8jGUDKUcCjla4IcklzLgMvnoUTtjVr6L1SNNBxO6gQrFMuG0cMDvqX2rB2Plsc9MeeimN9KbsfNjWUraojtwCf7MqMpwMrKP+dmQZ8jLlMt0EsaR3w5GMRYV5H8+IkOqX7eC2+Dbam/L+yNTOAdZ5374bsK6pbs+U+/PzDSmrBR+0Uifudjhb1ie/34o8m3xmiW9rofQ634b/xdRU/vXGjjEtIttd1Fv1PPY0Obb85QVCv4G2B1OJBlS1/db3UzV6CgqQVqv6ENFRqmY6cC7c6oyHNZ21DTeUIyCOvrrjuPfwRFU1levuPuK1w3H63l5ZgnbPUMHlTMWVAmquctcI3SA/dqzIFrMV5O2KPvuSK0fgl0aINfnPhgo+41CSU6x79s7BKCormBZMqSv+QEH332FK/Pob+5mKMW0+ebfZTTi8biyq3AeOML35rn/olghTdoI72vvkJ+TjuvakbzwHjjl+B8c3T8OsSNpMdgdth4N3ROgnJta2dheZY7jqOuVyGzvvWayVbr39GGL+8HZky3u9chIfp5YXdd45RHtY4Va+0XPfoqmVyqSJbCPl1nH7QWpq465JJgtqUkb7e4B1KKdPDLnRIuE296Am3JXOGC0ancob0oNpQBd0ns6m3IBO/jxtg06a/rgNOpz6DIIFri1IVK3SGycOfrLT3Cl6Cw07qTKpNSq/xDFqCbdk7kdcFtWrF+G/TwIKL8J/hLymmNufCtDx7LxAzgNGzz0x/eA5elx7o9YG5JRhIJozqbicgdYjcdch3Uehq6/438j6qHv2CEi2fYlnvW2IXCkMa6usVyqyxNGO35mP27tj9xEziHX/T3+HYYLW+MBPXi9AH8cf4XT2kPH09ARHPz4jJ7h+HDXQ9kjNUkb4fAI6DP+ErSzMPc15IWvouMfI3oa7RZ+YXqfovTvN/zjUK3n31ijx3SaX/I+4t4ZfZZIp538/IxLmynK/gfWCmpEJUIYdu61Qbyv94uPDBd1WZ5sANUhw2TljbeP0tv4mnpBi+PwYFRXb/Y26qYcfRwctO2nCjWmSK50IGZOl8nnr7hdDQQxB66w+0MGm9KXnmVucXGJwep90OkqGRNcZPESRn15iauf+x6gnPQ9D8u7Scw+O4yLUGFEsc77ouyHV4MiOIlMW7ujRJnmbRpMLML+CYFFnam7wzWZcSf9BQtn6EzEYr1OanF+++fu7C3Lh3inymxyZvrLBNlMl9SHYflypOLYohtgC2JU5yIl8OyGctwdZbOhc16+zaxGGaaBhBOFGCu7RckHzQVPIB1ByPR5dV5BRowFxttQ2R5vw2cdySQUv/UGMILErCI/W1XqfIESOXcHa7IrtRCe/TSBNDHthbW0KjjNos4DGrczBEEYfwW3ic9lWvijN7fqGG8VUVWXtE3dLvD0ewSEUL8FfcQ1i19JM7WJZCSoLYx5q4K1b2cvw3wO1bY1WFFtfalzUih8jrTqGsMeAIAaIVNwaQLayBZVy0Dgjd7upsCoiMhKzPVLb5u5hCTMPf3/75n14917sLN89KFbpXd9/8p5t3FwVSyWaXAx4085xlmHOTTcZux3n20huDXnqkTDPsFsHFva2E3V3wBNEOkqNaDJJs7cB10+S25AuMNkuOliCxkyBWSMIU5JBbZ2hfOn3cKS9wmqVU/p6xjuDvR2h7RCtlbZEOf7++h9vYim4UbanPndKz4+fYLlbYLDlYp1S3+wk2ijmb2e/XZxfkHf0uuKy7MZ6x7fV0Xb0NMytIYojZAUyBtTtI6tTn+Ili8nTs32VYzE7XsHmQxfhtyRnVzu2nGVBKp+fhi69AYu9GIrjbcoD9wpoKa7+y9cNd4U5shxqkqlvN/pLnAn9QNmNYVw1WvFdULfyxb3PiWkiKerUkL8Yq5Wc/3UqKLsS3Fgo//Ii/O159ymXM2Dxj2Zcw4qKqCJDp6L3G0JlSYwiI8dSw5wbq9fOsj+msKipXYRm/R0OZBeHAZLolDoWmr4Q2tdrMaV7Xcg7fbLDHKTV6z/93wAAAP//cyu42Q==" -} diff --git a/x-pack/filebeat/module/rapid7/nexpose/config/pipeline.js b/x-pack/filebeat/module/rapid7/nexpose/config/pipeline.js deleted file mode 100644 index 009e6ae8fa5..00000000000 --- a/x-pack/filebeat/module/rapid7/nexpose/config/pipeline.js +++ /dev/null @@ -1,5891 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -function DeviceProcessor() { - var builder = new processor.Chain(); - builder.Add(save_flags); - builder.Add(strip_syslog_priority); - builder.Add(chain1); - builder.Add(populate_fields); - builder.Add(restore_flags); - var chain = builder.Build(); - return { - process: chain.Run, - } -} - -var dup1 = match("HEADER#1:0022/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{p0}"); - -var dup2 = match("HEADER#1:0022/1_1", "nwparser.p0", "%{hpriority}][%{p0}"); - -var dup3 = match("HEADER#1:0022/1_2", "nwparser.p0", "%{hpriority}[%{p0}"); - -var dup4 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": "), - field("payload"), - ], -}); - -var dup5 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" "), - field("payload"), - ], -}); - -var dup6 = match("HEADER#18:0034/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}]%{p0}"); - -var dup7 = match("HEADER#18:0034/1_0", "nwparser.p0", " [%{p0}"); - -var dup8 = match("HEADER#18:0034/1_1", "nwparser.p0", "[%{p0}"); - -var dup9 = call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": "), - field("hfld1"), - constant(" "), - field("payload"), - ], -}); - -var dup10 = call({ - dest: "nwparser.messageid", - fn: STRCAT, - args: [ - field("msgIdPart1"), - constant("_"), - field("msgIdPart2"), - ], -}); - -var dup11 = setc("eventcategory","1614000000"); - -var dup12 = setc("ec_activity","Scan"); - -var dup13 = setc("ec_theme","TEV"); - -var dup14 = date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], -}); - -var dup15 = setf("msg","$MSG"); - -var dup16 = setf("obj_name","hobj_name"); - -var dup17 = setc("obj_type","Asset"); - -var dup18 = setc("eventcategory","1614030000"); - -var dup19 = setc("ec_outcome","Error"); - -var dup20 = setc("eventcategory","1605000000"); - -var dup21 = setc("ec_activity","Start"); - -var dup22 = setc("ec_outcome","Success"); - -var dup23 = setc("eventcategory","1611000000"); - -var dup24 = setc("ec_activity","Stop"); - -var dup25 = setc("action","Shutting down"); - -var dup26 = setc("action","shutting down"); - -var dup27 = setc("ec_outcome","Failure"); - -var dup28 = match("MESSAGE#17:NSE:01/0", "nwparser.payload", "%{} %{p0}"); - -var dup29 = setf("fld17","hfld17"); - -var dup30 = setf("group_object","hsite"); - -var dup31 = setf("shost","hshost"); - -var dup32 = setf("sport","hsport"); - -var dup33 = setf("protocol","hprotocol"); - -var dup34 = setf("fld18","hinfo"); - -var dup35 = setc("ec_subject","Service"); - -var dup36 = setc("event_description","Nexpose is changing the database port number"); - -var dup37 = setc("event_state","DONE"); - -var dup38 = setc("event_description","Nexpose is executing data transfer process"); - -var dup39 = setc("event_description","Nexpose is installing the database"); - -var dup40 = match("MESSAGE#52:Scan:06/0", "nwparser.payload", "Scan: [ %{p0}"); - -var dup41 = match("MESSAGE#52:Scan:06/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); - -var dup42 = match("MESSAGE#52:Scan:06/1_1", "nwparser.p0", "%{saddr->} %{p0}"); - -var dup43 = setc("ec_outcome","Unknown"); - -var dup44 = setc("eventcategory","1701000000"); - -var dup45 = setc("ec_subject","User"); - -var dup46 = setc("ec_activity","Logon"); - -var dup47 = setc("ec_theme","Authentication"); - -var dup48 = setc("eventcategory","1401030000"); - -var dup49 = setc("ec_subject","NetworkComm"); - -var dup50 = setc("ec_subject","Group"); - -var dup51 = setc("ec_activity","Detect"); - -var dup52 = setc("ec_theme","Configuration"); - -var dup53 = setc("eventcategory","1801010000"); - -var dup54 = setf("obj_type","messageid"); - -var dup55 = setc("event_description","Cannot preload incremental pool with a connection"); - -var dup56 = setc("eventcategory","1605030000"); - -var dup57 = setc("ec_activity","Modify"); - -var dup58 = setc("action","Replaced conf values"); - -var dup59 = setc("service","fld1"); - -var dup60 = linear_select([ - dup7, - dup8, -]); - -var dup61 = match("MESSAGE#416:Nexpose:12", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var dup62 = match("MESSAGE#46:SPIDER", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup17, -])); - -var dup63 = linear_select([ - dup41, - dup42, -]); - -var dup64 = match("MESSAGE#93:Attempting", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var dup65 = match("MESSAGE#120:path", "nwparser.payload", "%{info}", processor_chain([ - dup20, - dup15, -])); - -var dup66 = match("MESSAGE#318:Loaded:01", "nwparser.payload", "%{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var dup67 = match("MESSAGE#236:Finished:03", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup15, -])); - -var dup68 = match("MESSAGE#418:Mobile", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup14, - dup15, - dup25, -])); - -var dup69 = match("MESSAGE#435:ConsoleProductInfoProvider", "nwparser.payload", "%{fld1->} %{action}", processor_chain([ - dup20, - dup14, - dup15, - dup59, -])); - -var hdr1 = match("HEADER#0:0031", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] %{hfld39}[Thread: %{messageid}] [Started: %{hfld40}] [Duration: %{hfld41}] %{payload}", processor_chain([ - setc("header_id","0031"), -])); - -var part1 = match("HEADER#1:0022/1_0", "nwparser.p0", "%{hpriority}] %{hfld39}[%{p0}"); - -var select1 = linear_select([ - part1, - dup2, - dup3, -]); - -var part2 = match("HEADER#1:0022/2", "nwparser.p0", "Thread: %{hfld17}] %{messageid->} %{payload}"); - -var all1 = all_match({ - processors: [ - dup1, - select1, - part2, - ], - on_success: processor_chain([ - setc("header_id","0022"), - ]), -}); - -var hdr2 = match("HEADER#2:0028", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{messageid}: %{payload}", processor_chain([ - setc("header_id","0028"), - dup4, -])); - -var hdr3 = match("HEADER#3:0017", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{messageid->} %{payload}", processor_chain([ - setc("header_id","0017"), - dup5, -])); - -var hdr4 = match("HEADER#4:0024", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] %{hfld41->} %{messageid->} completed %{payload}", processor_chain([ - setc("header_id","0024"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" completed "), - field("payload"), - ], - }), -])); - -var hdr5 = match("HEADER#5:0018", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}:%{hsport}/%{hprotocol}] %{messageid->} %{payload}", processor_chain([ - setc("header_id","0018"), - dup5, -])); - -var hdr6 = match("HEADER#6:0029", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Silo ID: %{hfld22}] [Site: %{hsite}] [Site ID: %{hinfo}] %{messageid->} %{payload}", processor_chain([ - setc("header_id","0029"), - dup5, -])); - -var hdr7 = match("HEADER#7:0019", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] %{messageid->} %{payload}", processor_chain([ - setc("header_id","0019"), - dup5, -])); - -var hdr8 = match("HEADER#8:0020", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}:%{hsport}/%{hprotocol}] [%{hinfo}] %{messageid->} %{payload}", processor_chain([ - setc("header_id","0020"), - dup5, -])); - -var hdr9 = match("HEADER#9:0021", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] [%{hinfo}] %{messageid->} %{payload}", processor_chain([ - setc("header_id","0021"), - dup5, -])); - -var hdr10 = match("HEADER#10:0023", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Site: %{hsite}] [%{hshost}] [%{hinfo}]: %{messageid->} %{payload}", processor_chain([ - setc("header_id","0023"), - dup5, -])); - -var hdr11 = match("HEADER#11:0036", "message", "%NEXPOSE-%{hfld49}: %{hfld1}: %{messageid->} %{hfld2->} %{payload}", processor_chain([ - setc("header_id","0036"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" "), - field("hfld2"), - constant(" "), - field("payload"), - ], - }), -])); - -var hdr12 = match("HEADER#12:0001", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hdate}T%{htime->} [%{hobj_name}] %{payload}", processor_chain([ - setc("header_id","0001"), -])); - -var hdr13 = match("HEADER#13:0037", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hfld1->} '%{hfld2}' - %{hfld1->} %{payload}", processor_chain([ - setc("header_id","0037"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" "), - field("hfld1"), - constant(" '"), - field("hfld2"), - constant("' - "), - field("hfld1"), - constant(" "), - field("payload"), - ], - }), -])); - -var hdr14 = match("HEADER#14:0002", "message", "%NEXPOSE-%{hfld49}: %{messageid->} %{hdate}T%{htime->} %{payload}", processor_chain([ - setc("header_id","0002"), -])); - -var hdr15 = match("HEADER#15:0003", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] (%{hfld41}) %{messageid->} %{payload}", processor_chain([ - setc("header_id","0003"), - dup5, -])); - -var hdr16 = match("HEADER#16:0030", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] %{messageid}: %{payload}", processor_chain([ - setc("header_id","0030"), - dup4, -])); - -var hdr17 = match("HEADER#17:0040", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}] [Thread: %{hfld17}] [Principal: %{username}] [%{messageid}: %{payload}", processor_chain([ - setc("header_id","0040"), -])); - -var part3 = match("HEADER#18:0034/2", "nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] [%{hfld19}] %{messageid->} %{hfld21->} %{payload}"); - -var all2 = all_match({ - processors: [ - dup6, - dup60, - part3, - ], - on_success: processor_chain([ - setc("header_id","0034"), - ]), -}); - -var part4 = match("HEADER#19:0035/1_0", "nwparser.p0", "%{hpriority}] [%{p0}"); - -var select2 = linear_select([ - part4, - dup2, - dup3, -]); - -var part5 = match("HEADER#19:0035/2", "nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] %{messageid->} %{hfld21->} %{payload}"); - -var all3 = all_match({ - processors: [ - dup1, - select2, - part5, - ], - on_success: processor_chain([ - setc("header_id","0035"), - ]), -}); - -var hdr18 = match("HEADER#20:0004", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{messageid->} %{payload}", processor_chain([ - setc("header_id","0004"), - dup5, -])); - -var part6 = match("HEADER#21:0032/2", "nwparser.p0", "Thread: %{hfld17}] [Silo ID: %{hfld18}] [Report: %{hobj_name}] [%{messageid->} Config ID: %{hfld19}] %{payload}"); - -var all4 = all_match({ - processors: [ - dup6, - dup60, - part6, - ], - on_success: processor_chain([ - setc("header_id","0032"), - ]), -}); - -var hdr19 = match("HEADER#22:0038", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{messageid}: %{hfld1->} %{payload}", processor_chain([ - setc("header_id","0038"), - dup9, -])); - -var hdr20 = match("HEADER#23:0039", "message", "%NEXPOSE-%{hfld49}: %{messageid}: %{hfld1->} %{payload}", processor_chain([ - setc("header_id","0039"), - dup9, -])); - -var hdr21 = match("HEADER#24:0005", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld48->} %{hfld41->} %{messageid->} %{payload}", processor_chain([ - setc("header_id","0005"), - dup5, -])); - -var hdr22 = match("HEADER#25:0006", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] [%{messageid}] %{payload}", processor_chain([ - setc("header_id","0006"), -])); - -var part7 = match("HEADER#26:0033/2", "nwparser.p0", "Thread: %{hfld17}] [%{hfld18}] [%{hfld19}] [%{p0}"); - -var part8 = match("HEADER#26:0033/3_0", "nwparser.p0", "%{hfld20}] [%{hfld21}] [%{hfld22}] [%{hfld23}]%{p0}"); - -var part9 = match("HEADER#26:0033/3_1", "nwparser.p0", "%{hfld20}] [%{hfld21}]%{p0}"); - -var part10 = match("HEADER#26:0033/3_2", "nwparser.p0", "%{hfld20}]%{p0}"); - -var select3 = linear_select([ - part8, - part9, - part10, -]); - -var part11 = match("HEADER#26:0033/4", "nwparser.p0", "%{} %{messageid->} %{hfld24->} %{payload}"); - -var all5 = all_match({ - processors: [ - dup6, - dup60, - part7, - select3, - part11, - ], - on_success: processor_chain([ - setc("header_id","0033"), - ]), -}); - -var hdr23 = match("HEADER#27:0007", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{messageid->} %{payload}", processor_chain([ - setc("header_id","0007"), - dup5, -])); - -var hdr24 = match("HEADER#28:0008", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] (%{messageid}) %{payload}", processor_chain([ - setc("header_id","0008"), -])); - -var hdr25 = match("HEADER#29:0009", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{fld41->} %{messageid->} %{payload}", processor_chain([ - setc("header_id","0009"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("fld41"), - constant(" "), - field("messageid"), - constant(" "), - field("payload"), - ], - }), -])); - -var hdr26 = match("HEADER#30:0010", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{messageid}: %{payload}", processor_chain([ - setc("header_id","0010"), - dup4, -])); - -var hdr27 = match("HEADER#31:0011", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{messageid}(%{hobj_name}): %{payload}", processor_chain([ - setc("header_id","0011"), -])); - -var hdr28 = match("HEADER#32:0012", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} %{hfld41->} %{hfld42->} %{messageid->} %{payload}", processor_chain([ - setc("header_id","0012"), - dup5, -])); - -var hdr29 = match("HEADER#33:0013", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{payload}", processor_chain([ - setc("header_id","0013"), - call({ - dest: "nwparser.messageid", - fn: STRCAT, - args: [ - field("msgIdPart1"), - constant("_"), - field("msgIdPart2"), - constant("_"), - field("msgIdPart3"), - ], - }), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld45"), - constant(" ("), - field("hfld46"), - constant(") - "), - field("msgIdPart1"), - constant(" "), - field("msgIdPart2"), - constant(" "), - field("msgIdPart3"), - constant(" "), - field("payload"), - ], - }), -])); - -var hdr30 = match("HEADER#34:0014", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{msgIdPart1->} %{msgIdPart2->} %{payload}", processor_chain([ - setc("header_id","0014"), - dup10, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld45"), - constant(" ("), - field("hfld46"), - constant(") - "), - field("msgIdPart1"), - constant(" "), - field("msgIdPart2"), - constant(" "), - field("payload"), - ], - }), -])); - -var hdr31 = match("HEADER#35:0015", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{messageid->} %{payload}", processor_chain([ - setc("header_id","0015"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld45"), - constant(" ("), - field("hfld46"), - constant(") - "), - field("messageid"), - constant(" "), - field("payload"), - ], - }), -])); - -var hdr32 = match("HEADER#36:0016", "message", "%NEXPOSE-%{hfld49}: %{hfld40->} %{hdate}T%{htime->} [%{hobj_name}] %{hfld45->} (%{hfld46}) - %{msgIdPart1->} %{msgIdPart2}(U) %{payload}", processor_chain([ - setc("header_id","0016"), - dup10, - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld45"), - constant(" ("), - field("hfld46"), - constant(") - "), - field("msgIdPart1"), - constant(" "), - field("msgIdPart2"), - constant("(U) "), - field("payload"), - ], - }), -])); - -var hdr33 = match("HEADER#37:0026", "message", "%NEXPOSE-%{hfld49}: %{messageid->} Constructor threw %{payload}", processor_chain([ - setc("header_id","0026"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" Constructor threw "), - field("payload"), - ], - }), -])); - -var hdr34 = match("HEADER#38:0027", "message", "%NEXPOSE-%{hfld49}: %{messageid->} Called method %{payload}", processor_chain([ - setc("header_id","0027"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" Called method "), - field("payload"), - ], - }), -])); - -var hdr35 = match("HEADER#39:0025", "message", "%NEXPOSE-%{hfld49}: %{hfld41->} %{hfld42->} %{messageid->} frames %{payload}", processor_chain([ - setc("header_id","0025"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" frames "), - field("payload"), - ], - }), -])); - -var hdr36 = match("HEADER#40:9999", "message", "%NEXPOSE-%{hfld49}: %{payload}", processor_chain([ - setc("header_id","9999"), - setc("messageid","NEXPOSE_GENERIC"), -])); - -var select4 = linear_select([ - hdr1, - all1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, - hdr7, - hdr8, - hdr9, - hdr10, - hdr11, - hdr12, - hdr13, - hdr14, - hdr15, - hdr16, - hdr17, - all2, - all3, - hdr18, - all4, - hdr19, - hdr20, - hdr21, - hdr22, - all5, - hdr23, - hdr24, - hdr25, - hdr26, - hdr27, - hdr28, - hdr29, - hdr30, - hdr31, - hdr32, - hdr33, - hdr34, - hdr35, - hdr36, -]); - -var part12 = match("MESSAGE#0:NOT_VULNERABLE_VERSION", "nwparser.payload", "%{signame->} - NOT VULNERABLE VERSION .", processor_chain([ - dup11, - dup12, - dup13, - dup14, - dup15, - dup16, - dup17, -])); - -var msg1 = msg("NOT_VULNERABLE_VERSION", part12); - -var part13 = match("MESSAGE#1:VULNERABLE_VERSION", "nwparser.payload", "%{signame->} - VULNERABLE VERSION .", processor_chain([ - dup11, - dup12, - dup13, - dup14, - dup15, - dup16, - dup17, -])); - -var msg2 = msg("VULNERABLE_VERSION", part13); - -var part14 = match("MESSAGE#2:NOT_VULNERABLE", "nwparser.payload", "%{signame->} - NOT VULNERABLE [UNIQUE ID: %{fld45}]", processor_chain([ - dup11, - dup12, - dup13, - dup14, - dup15, - dup16, - dup17, -])); - -var msg3 = msg("NOT_VULNERABLE", part14); - -var part15 = match("MESSAGE#3:NOT_VULNERABLE:01", "nwparser.payload", "%{signame->} - NOT VULNERABLE(U) [UNIQUE ID: %{fld45}]", processor_chain([ - dup11, - dup12, - dup13, - dup14, - dup15, - dup16, - dup17, -])); - -var msg4 = msg("NOT_VULNERABLE:01", part15); - -var part16 = match("MESSAGE#4:NOT_VULNERABLE:02", "nwparser.payload", "%{signame->} - NOT VULNERABLE .", processor_chain([ - dup11, - dup12, - dup13, - dup14, - dup15, - dup16, - dup17, -])); - -var msg5 = msg("NOT_VULNERABLE:02", part16); - -var select5 = linear_select([ - msg3, - msg4, - msg5, -]); - -var part17 = match("MESSAGE#5:VULNERABLE", "nwparser.payload", "%{signame->} - VULNERABLE [UNIQUE ID: %{fld45}]", processor_chain([ - dup11, - dup12, - dup13, - dup14, - dup15, - dup16, - dup17, -])); - -var msg6 = msg("VULNERABLE", part17); - -var part18 = match("MESSAGE#6:VULNERABLE:01", "nwparser.payload", "%{signame->} - VULNERABLE .", processor_chain([ - dup11, - dup12, - dup13, - dup14, - dup15, - dup16, - dup17, -])); - -var msg7 = msg("VULNERABLE:01", part18); - -var select6 = linear_select([ - msg6, - msg7, -]); - -var part19 = match("MESSAGE#7:ERROR", "nwparser.payload", "%{signame->} - ERROR [UNIQUE ID: %{fld45}] - %{context}", processor_chain([ - dup18, - dup12, - dup13, - dup19, - dup14, - dup15, - dup16, - dup17, -])); - -var msg8 = msg("ERROR", part19); - -var part20 = match("MESSAGE#8:ERROR:01", "nwparser.payload", "%{signame->} - ERROR - %{context}", processor_chain([ - dup18, - dup12, - dup13, - dup19, - dup14, - dup15, - dup16, - dup17, -])); - -var msg9 = msg("ERROR:01", part20); - -var select7 = linear_select([ - msg8, - msg9, -]); - -var part21 = match("MESSAGE#9:ExtMgr", "nwparser.payload", "Initialization successful.%{}", processor_chain([ - dup20, - dup21, - dup13, - dup22, - dup14, - dup15, - setc("event_description","Initialization successful"), -])); - -var msg10 = msg("ExtMgr", part21); - -var part22 = match("MESSAGE#10:ExtMgr:01", "nwparser.payload", "initializing...%{}", processor_chain([ - dup20, - dup21, - dup13, - dup14, - dup15, - setc("event_description","initializing"), -])); - -var msg11 = msg("ExtMgr:01", part22); - -var part23 = match("MESSAGE#11:ExtMgr:02", "nwparser.payload", "Shutdown successful.%{}", processor_chain([ - dup23, - dup24, - dup13, - dup22, - dup14, - dup15, - setc("event_description","Shutdown successful."), -])); - -var msg12 = msg("ExtMgr:02", part23); - -var part24 = match("MESSAGE#12:ExtMgr:03", "nwparser.payload", "Shutting down...%{}", processor_chain([ - dup23, - dup24, - dup13, - dup14, - dup15, - dup25, -])); - -var msg13 = msg("ExtMgr:03", part24); - -var select8 = linear_select([ - msg10, - msg11, - msg12, - msg13, -]); - -var part25 = match("MESSAGE#13:ScanMgr", "nwparser.payload", "Shutting down %{info}", processor_chain([ - dup20, - dup24, - dup13, - dup14, - dup15, - dup25, -])); - -var msg14 = msg("ScanMgr", part25); - -var part26 = match("MESSAGE#14:ScanMgr:01", "nwparser.payload", "shutting down...%{}", processor_chain([ - dup23, - dup24, - dup13, - dup14, - dup15, - dup26, -])); - -var msg15 = msg("ScanMgr:01", part26); - -var part27 = match("MESSAGE#15:ScanMgr:02", "nwparser.payload", "Scan %{fld30->} is being stopped.", processor_chain([ - dup20, - dup12, - dup13, - dup27, - dup14, - dup15, -])); - -var msg16 = msg("ScanMgr:02", part27); - -var select9 = linear_select([ - msg14, - msg15, - msg16, -]); - -var part28 = match("MESSAGE#16:NSE", "nwparser.payload", "Logging initialized %{fld30}", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Logging initialized"), -])); - -var msg17 = msg("NSE", part28); - -var part29 = match("MESSAGE#17:NSE:01/1_0", "nwparser.p0", "Initializing %{p0}"); - -var part30 = match("MESSAGE#17:NSE:01/1_1", "nwparser.p0", "initializing %{p0}"); - -var select10 = linear_select([ - part29, - part30, -]); - -var part31 = match("MESSAGE#17:NSE:01/2", "nwparser.p0", "%{} %{fld30}"); - -var all6 = all_match({ - processors: [ - dup28, - select10, - part31, - ], - on_success: processor_chain([ - dup20, - dup14, - dup15, - setc("action","Initializing"), - ]), -}); - -var msg18 = msg("NSE:01", all6); - -var part32 = match("MESSAGE#18:NSE:02", "nwparser.payload", "shutting down %{fld30}", processor_chain([ - dup20, - dup14, - dup15, - dup26, -])); - -var msg19 = msg("NSE:02", part32); - -var part33 = match("MESSAGE#19:NSE:03", "nwparser.payload", "NeXpose scan engine initialization completed.%{}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","NeXpose scan engine initialization completed."), -])); - -var msg20 = msg("NSE:03", part33); - -var part34 = match("MESSAGE#20:NSE:04", "nwparser.payload", "disabling promiscuous on all devices...%{}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","disabling promiscuous on all devices"), -])); - -var msg21 = msg("NSE:04", part34); - -var part35 = match("MESSAGE#213:NSE:05", "nwparser.payload", "NSE connection failure%{}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg22 = msg("NSE:05", part35); - -var part36 = match("MESSAGE#328:NSE:07", "nwparser.payload", "NSE DN is %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg23 = msg("NSE:07", part36); - -var select11 = linear_select([ - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, - msg23, -]); - -var part37 = match("MESSAGE#21:Console", "nwparser.payload", "NSE Name: %{fld30}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg24 = msg("Console", part37); - -var part38 = match("MESSAGE#22:Console:01", "nwparser.payload", "NSE Identifier: %{fld30}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg25 = msg("Console:01", part38); - -var part39 = match("MESSAGE#23:Console:02", "nwparser.payload", "NSE version: %{fld30}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg26 = msg("Console:02", part39); - -var part40 = match("MESSAGE#24:Console:03", "nwparser.payload", "Last update: %{fld30}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg27 = msg("Console:03", part40); - -var part41 = match("MESSAGE#25:Console:04", "nwparser.payload", "VM version: %{fld30}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg28 = msg("Console:04", part41); - -var part42 = match("MESSAGE#26:Console:05", "nwparser.payload", "log rotation completed%{}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","log rotation completed"), -])); - -var msg29 = msg("Console:05", part42); - -var part43 = match("MESSAGE#27:Console:06", "nwparser.payload", "rotating logs...%{}", processor_chain([ - dup20, - dup14, - dup15, - setc("action","rotating logs"), -])); - -var msg30 = msg("Console:06", part43); - -var select12 = linear_select([ - msg24, - msg25, - msg26, - msg27, - msg28, - msg29, - msg30, -]); - -var part44 = match("MESSAGE#28:ProtocolFper", "nwparser.payload", "Loaded %{fld30}", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Loaded"), -])); - -var msg31 = msg("ProtocolFper", part44); - -var part45 = match("MESSAGE#29:Nexpose", "nwparser.payload", "Closing service: %{fld30}", processor_chain([ - dup20, - dup35, - dup24, - dup14, - dup15, - dup16, - dup17, - setc("action","Closing service"), -])); - -var msg32 = msg("Nexpose", part45); - -var part46 = match("MESSAGE#30:Nexpose:01", "nwparser.payload", "Freeing %{fld30}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup17, - setc("action","Freeing"), -])); - -var msg33 = msg("Nexpose:01", part46); - -var part47 = match("MESSAGE#31:Nexpose:02", "nwparser.payload", "starting %{fld30}", processor_chain([ - dup11, - dup12, - dup13, - dup22, - dup14, - dup15, - dup16, - dup17, - setc("action","starting"), -])); - -var msg34 = msg("Nexpose:02", part47); - -var part48 = match("MESSAGE#32:Nexpose:03", "nwparser.payload", "%{fld31->} nodes completed, %{fld32->} active, %{fld33->} pending.", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg35 = msg("Nexpose:03", part48); - -var part49 = match("MESSAGE#373:Backup_completed", "nwparser.payload", "Nexpose system backup completed successfully in %{info}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Backup completed"), -])); - -var msg36 = msg("Backup_completed", part49); - -var part50 = match("MESSAGE#408:Nexpose:04", "nwparser.payload", "Nexpose is changing the database port number from %{change_old->} to %{change_new}. DONE.", processor_chain([ - dup20, - dup14, - dup15, - dup36, - dup37, -])); - -var msg37 = msg("Nexpose:04", part50); - -var part51 = match("MESSAGE#409:Nexpose:05", "nwparser.payload", "Nexpose is changing the database port number from %{change_old->} to %{change_new}.", processor_chain([ - dup20, - dup14, - dup15, - dup36, -])); - -var msg38 = msg("Nexpose:05", part51); - -var part52 = match("MESSAGE#410:Nexpose:06", "nwparser.payload", "Nexpose is executing the data transfer process from %{change_old->} to %{change_new->} DONE.", processor_chain([ - dup20, - dup14, - dup15, - dup38, - dup37, -])); - -var msg39 = msg("Nexpose:06", part52); - -var part53 = match("MESSAGE#411:Nexpose:07", "nwparser.payload", "Nexpose is executing the data transfer process from %{change_old->} to %{change_new}", processor_chain([ - dup20, - dup14, - dup15, - dup38, -])); - -var msg40 = msg("Nexpose:07", part53); - -var part54 = match("MESSAGE#412:Nexpose:08", "nwparser.payload", "Nexpose is installing the %{db_name->} database. DONE.", processor_chain([ - dup20, - dup14, - dup15, - dup39, - dup37, -])); - -var msg41 = msg("Nexpose:08", part54); - -var part55 = match("MESSAGE#413:Nexpose:09", "nwparser.payload", "Nexpose is installing the %{db_name->} database to %{directory->} using PostgreSQL binaries from package %{filename}.%{fld1}.", processor_chain([ - dup20, - dup14, - dup15, - dup39, -])); - -var msg42 = msg("Nexpose:09", part55); - -var part56 = match("MESSAGE#414:Nexpose:10", "nwparser.payload", "Nexpose is moving %{change_old->} to %{change_new}.", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Nexpose is moving a directory"), -])); - -var msg43 = msg("Nexpose:10", part56); - -var part57 = match("MESSAGE#415:Nexpose:11", "nwparser.payload", "%{event_description->} DONE.", processor_chain([ - dup20, - dup14, - dup15, - dup37, -])); - -var msg44 = msg("Nexpose:11", part57); - -var msg45 = msg("Nexpose:12", dup61); - -var select13 = linear_select([ - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - msg38, - msg39, - msg40, - msg41, - msg42, - msg43, - msg44, - msg45, -]); - -var part58 = match("MESSAGE#33:Shutting", "nwparser.payload", "Shutting down %{fld30}", processor_chain([ - dup23, - dup14, - dup15, - dup16, - dup17, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - dup25, -])); - -var msg46 = msg("Shutting", part58); - -var part59 = match("MESSAGE#34:shutting:01", "nwparser.payload", "Interrupted, %{event_description}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg47 = msg("shutting:01", part59); - -var part60 = match("MESSAGE#35:shutting", "nwparser.payload", "shutting down %{fld30}", processor_chain([ - dup23, - dup14, - dup15, - dup16, - dup17, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - dup26, -])); - -var msg48 = msg("shutting", part60); - -var part61 = match("MESSAGE#36:Shutdown", "nwparser.payload", "Shutdown successful.%{}", processor_chain([ - dup23, - dup14, - dup15, - dup16, - dup17, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - dup25, -])); - -var msg49 = msg("Shutdown", part61); - -var part62 = match("MESSAGE#37:Security", "nwparser.payload", "Security Console shutting down.%{}", processor_chain([ - dup23, - dup14, - dup15, - dup29, - dup25, -])); - -var msg50 = msg("Security", part62); - -var part63 = match("MESSAGE#261:Security:02", "nwparser.payload", "Security Console restarting from an auto-update%{}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg51 = msg("Security:02", part63); - -var part64 = match("MESSAGE#296:Security:06", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Security Console started", processor_chain([ - dup20, - dup15, -])); - -var msg52 = msg("Security:06", part64); - -var part65 = match("MESSAGE#297:Security:03/0", "nwparser.payload", "%{}Security Console %{p0}"); - -var part66 = match("MESSAGE#297:Security:03/1_0", "nwparser.p0", "started %{}"); - -var part67 = match("MESSAGE#297:Security:03/1_1", "nwparser.p0", "web interface ready. %{info->} "); - -var select14 = linear_select([ - part66, - part67, -]); - -var all7 = all_match({ - processors: [ - part65, - select14, - ], - on_success: processor_chain([ - dup20, - dup15, - ]), -}); - -var msg53 = msg("Security:03", all7); - -var part68 = match("MESSAGE#426:Security:04", "nwparser.payload", "Security Console is launching in Maintenance Mode. %{action}.", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Security Console is launching in Maintenance Mode"), -])); - -var msg54 = msg("Security:04", part68); - -var part69 = match("MESSAGE#427:Security:05", "nwparser.payload", "Security Console update failed.%{}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Security Console update failed"), -])); - -var msg55 = msg("Security:05", part69); - -var select15 = linear_select([ - msg50, - msg51, - msg52, - msg53, - msg54, - msg55, -]); - -var part70 = match("MESSAGE#38:Web", "nwparser.payload", "Web server stopped%{}", processor_chain([ - dup23, - dup14, - dup15, - dup16, - dup17, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - setc("action","Stopped"), -])); - -var msg56 = msg("Web", part70); - -var part71 = match("MESSAGE#304:Web:02", "nwparser.payload", "Web %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg57 = msg("Web:02", part71); - -var select16 = linear_select([ - msg56, - msg57, -]); - -var part72 = match("MESSAGE#39:Done", "nwparser.payload", "Done shutting down.%{}", processor_chain([ - dup23, - dup14, - dup15, - dup16, - dup17, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - dup26, -])); - -var msg58 = msg("Done", part72); - -var part73 = match("MESSAGE#282:Done:02", "nwparser.payload", "Done with statistics generation [Started: %{fld1}] [Duration: %{fld2}].", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg59 = msg("Done:02", part73); - -var select17 = linear_select([ - msg58, - msg59, -]); - -var part74 = match("MESSAGE#40:Queueing:01", "nwparser.payload", "Queueing %{protocol->} port scan", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg60 = msg("Queueing:01", part74); - -var part75 = match("MESSAGE#41:Queueing", "nwparser.payload", "Queueing %{fld30}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup17, - setc("action","Queueing"), -])); - -var msg61 = msg("Queueing", part75); - -var select18 = linear_select([ - msg60, - msg61, -]); - -var part76 = match("MESSAGE#42:Performing/0", "nwparser.payload", "Performing %{p0}"); - -var part77 = match("MESSAGE#42:Performing/1_0", "nwparser.p0", "form %{p0}"); - -var part78 = match("MESSAGE#42:Performing/1_1", "nwparser.p0", "query %{p0}"); - -var select19 = linear_select([ - part77, - part78, -]); - -var part79 = match("MESSAGE#42:Performing/2", "nwparser.p0", "%{}injection against %{info}"); - -var all8 = all_match({ - processors: [ - part76, - select19, - part79, - ], - on_success: processor_chain([ - dup20, - dup12, - dup13, - dup14, - dup15, - dup16, - dup17, - setc("action","Performing injection"), - ]), -}); - -var msg62 = msg("Performing", all8); - -var part80 = match("MESSAGE#43:Performing:01", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup12, - dup13, - dup14, - dup15, - dup16, - dup17, -])); - -var msg63 = msg("Performing:01", part80); - -var select20 = linear_select([ - msg62, - msg63, -]); - -var part81 = match("MESSAGE#44:Trying", "nwparser.payload", "Trying %{fld30->} injection %{fld31}", processor_chain([ - dup20, - dup12, - dup13, - dup14, - dup15, - dup16, - dup17, - setc("action","Trying injection"), -])); - -var msg64 = msg("Trying", part81); - -var part82 = match("MESSAGE#45:Rewrote", "nwparser.payload", "Rewrote to %{url}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup17, -])); - -var msg65 = msg("Rewrote", part82); - -var msg66 = msg("SPIDER", dup62); - -var msg67 = msg("Preparing", dup62); - -var part83 = match("MESSAGE#48:Scan", "nwparser.payload", "Scan started by: \"%{username}\" %{fld34}", processor_chain([ - dup11, - dup12, - dup13, - dup14, - dup15, - setc("action","scan started"), -])); - -var msg68 = msg("Scan", part83); - -var part84 = match("MESSAGE#49:Scan:01", "nwparser.payload", "Scan [%{fld35}] completed in %{fld36}", processor_chain([ - dup11, - dup12, - dup13, - dup22, - dup14, - dup15, - setc("action","scan completed"), -])); - -var msg69 = msg("Scan:01", part84); - -var part85 = match("MESSAGE#50:Scan:03", "nwparser.payload", "Scan for site %{fld11->} started by Schedule[%{info}].", processor_chain([ - dup11, - dup12, - dup13, - dup14, - dup15, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg70 = msg("Scan:03", part85); - -var part86 = match("MESSAGE#51:Scan:04", "nwparser.payload", "Scan startup took %{fld24->} seconds", processor_chain([ - dup11, - dup12, - dup13, - dup14, - dup15, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg71 = msg("Scan:04", part86); - -var part87 = match("MESSAGE#52:Scan:06/2", "nwparser.p0", "] %{fld12->} (%{info}) - VULNERABLE VERSION"); - -var all9 = all_match({ - processors: [ - dup40, - dup63, - part87, - ], - on_success: processor_chain([ - dup11, - dup12, - dup13, - dup14, - dup15, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - ]), -}); - -var msg72 = msg("Scan:06", all9); - -var part88 = match("MESSAGE#53:Scan:05/2", "nwparser.p0", "] %{fld12->} (%{info}) - VULNERABLE"); - -var all10 = all_match({ - processors: [ - dup40, - dup63, - part88, - ], - on_success: processor_chain([ - dup11, - dup12, - dup13, - dup14, - dup15, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - ]), -}); - -var msg73 = msg("Scan:05", all10); - -var part89 = match("MESSAGE#54:Scan:07/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE VERSION"); - -var all11 = all_match({ - processors: [ - dup40, - dup63, - part89, - ], - on_success: processor_chain([ - dup11, - dup12, - dup13, - dup14, - dup15, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - ]), -}); - -var msg74 = msg("Scan:07", all11); - -var part90 = match("MESSAGE#55:Scan:09/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE [UNIQUE ID: %{fld13}]"); - -var all12 = all_match({ - processors: [ - dup40, - dup63, - part90, - ], - on_success: processor_chain([ - dup11, - dup12, - dup13, - dup14, - dup15, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - ]), -}); - -var msg75 = msg("Scan:09", all12); - -var part91 = match("MESSAGE#56:Scan:08/2", "nwparser.p0", "] %{fld12->} (%{info}) - NOT VULNERABLE"); - -var all13 = all_match({ - processors: [ - dup40, - dup63, - part91, - ], - on_success: processor_chain([ - dup11, - dup12, - dup13, - dup14, - dup15, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - ]), -}); - -var msg76 = msg("Scan:08", all13); - -var part92 = match("MESSAGE#57:Scan:10", "nwparser.payload", "Scan for site %{fld12->} started by \"%{username}\".", processor_chain([ - dup11, - dup12, - dup13, - dup14, - dup15, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg77 = msg("Scan:10", part92); - -var part93 = match("MESSAGE#58:Scan:11", "nwparser.payload", "Scan stopped: \"%{username}\"", processor_chain([ - dup18, - dup12, - dup13, - dup14, - dup15, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg78 = msg("Scan:11", part93); - -var part94 = match("MESSAGE#59:Scan:12", "nwparser.payload", "Scan Engine shutting down...%{}", processor_chain([ - dup23, - dup12, - dup13, - dup19, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg79 = msg("Scan:12", part94); - -var part95 = match("MESSAGE#60:Scan:13", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Scan synopsis inconsistency resolved.", processor_chain([ - dup11, - dup12, - dup13, - dup22, - dup14, - dup15, - setc("event_description","Scan synopsis inconsistency resolved"), -])); - -var msg80 = msg("Scan:13", part95); - -var part96 = match("MESSAGE#62:Scan:15/0", "nwparser.payload", "Silo ID: %{fld1}] [Scan ID: %{fld2}] Scan for site %{audit_object->} - %{p0}"); - -var part97 = match("MESSAGE#62:Scan:15/1_0", "nwparser.p0", "Non-Windows Systems Audit%{p0}"); - -var part98 = match("MESSAGE#62:Scan:15/1_1", "nwparser.p0", "Audit%{p0}"); - -var select21 = linear_select([ - part97, - part98, -]); - -var part99 = match("MESSAGE#62:Scan:15/2", "nwparser.p0", "%{}restored. %{info}"); - -var all14 = all_match({ - processors: [ - part96, - select21, - part99, - ], - on_success: processor_chain([ - dup11, - dup12, - dup13, - dup22, - dup14, - dup15, - setc("event_description","Scan for site restored"), - ]), -}); - -var msg81 = msg("Scan:15", all14); - -var part100 = match("MESSAGE#63:Scan:02", "nwparser.payload", "%{event_description}", processor_chain([ - dup11, - dup12, - dup13, - dup22, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg82 = msg("Scan:02", part100); - -var select22 = linear_select([ - msg68, - msg69, - msg70, - msg71, - msg72, - msg73, - msg74, - msg75, - msg76, - msg77, - msg78, - msg79, - msg80, - msg81, - msg82, -]); - -var part101 = match("MESSAGE#61:Scan:14", "nwparser.payload", "Scan ID: %{fld1}] Inconsistency discovered for scan. %{info}", processor_chain([ - dup18, - dup12, - dup13, - dup43, - dup14, - dup15, - setc("event_description","Inconsistency discovered for scan"), -])); - -var msg83 = msg("Scan:14", part101); - -var part102 = match("MESSAGE#64:Site", "nwparser.payload", "Site saved.%{}", processor_chain([ - dup44, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg84 = msg("Site", part102); - -var part103 = match("MESSAGE#65:Authenticated", "nwparser.payload", "Authenticated: %{username}", processor_chain([ - setc("eventcategory","1401060000"), - dup45, - dup46, - dup47, - dup22, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg85 = msg("Authenticated", part103); - -var part104 = match("MESSAGE#66:Authentication", "nwparser.payload", "Authentication failed. Login information is missing.%{}", processor_chain([ - dup48, - dup45, - dup46, - dup47, - dup27, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg86 = msg("Authentication", part104); - -var part105 = match("MESSAGE#67:Authentication:01", "nwparser.payload", "Authentication failed for %{username}: Access denied.", processor_chain([ - dup48, - dup45, - dup46, - dup47, - dup27, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg87 = msg("Authentication:01", part105); - -var part106 = match("MESSAGE#68:Authentication:02", "nwparser.payload", "Authentication failed. User account may be invalid or disabled.%{}", processor_chain([ - dup48, - dup45, - dup46, - dup47, - dup27, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg88 = msg("Authentication:02", part106); - -var part107 = match("MESSAGE#69:Authentication:03", "nwparser.payload", "%{info}", processor_chain([ - setc("eventcategory","1304000000"), - dup45, - dup46, - dup47, - dup14, - dup15, - dup16, - dup29, -])); - -var msg89 = msg("Authentication:03", part107); - -var select23 = linear_select([ - msg86, - msg87, - msg88, - msg89, -]); - -var part108 = match("MESSAGE#70:User", "nwparser.payload", "User (%{username}) is over the limit (%{fld12}) for failed login attempts.", processor_chain([ - dup48, - dup45, - dup46, - dup47, - dup27, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg90 = msg("User", part108); - -var part109 = match("MESSAGE#265:User:04", "nwparser.payload", "User name: %{username}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg91 = msg("User:04", part109); - -var select24 = linear_select([ - msg90, - msg91, -]); - -var msg92 = msg("persistent-xss", dup61); - -var part110 = match("MESSAGE#72:Adding:01", "nwparser.payload", "Adding user to datastore: %{username}", processor_chain([ - setc("eventcategory","1402020200"), - dup45, - setc("ec_activity","Create"), - dup47, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - setc("obj_type","User"), -])); - -var msg93 = msg("Adding:01", part110); - -var msg94 = msg("Adding", dup62); - -var select25 = linear_select([ - msg93, - msg94, -]); - -var msg95 = msg("credentials", dup62); - -var msg96 = msg("SPIDER-XSS", dup62); - -var msg97 = msg("Processing", dup62); - -var msg98 = msg("but", dup62); - -var msg99 = msg("j_password", dup62); - -var msg100 = msg("j_username", dup62); - -var msg101 = msg("osspi_defaultTargetLocation", dup62); - -var part111 = match("MESSAGE#81:spider-parse-robot-exclusions", "nwparser.payload", "spider-parse-robot-exclusions: %{fld40->} Malformed HTTP %{fld41}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup17, -])); - -var msg102 = msg("spider-parse-robot-exclusions", part111); - -var msg103 = msg("Cataloged", dup62); - -var msg104 = msg("Dumping", dup62); - -var msg105 = msg("Form", dup62); - -var msg106 = msg("Relaunching", dup62); - -var msg107 = msg("main", dup62); - -var msg108 = msg("SystemFingerprint", dup62); - -var part112 = match("MESSAGE#88:Searching", "nwparser.payload", "Searching for %{service->} domain %{fld11}...", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg109 = msg("Searching", part112); - -var msg110 = msg("TCPSocket", dup62); - -var part113 = match("MESSAGE#90:connected", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup49, - dup14, - dup15, - dup16, - dup17, -])); - -var msg111 = msg("connected", part113); - -var part114 = match("MESSAGE#91:Failed", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup49, - dup27, - dup14, - dup15, -])); - -var msg112 = msg("Failed", part114); - -var part115 = match("MESSAGE#92:Attempting:01", "nwparser.payload", "Attempting to authenticate user %{username->} from %{saddr}.", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg113 = msg("Attempting:01", part115); - -var msg114 = msg("Attempting", dup64); - -var select26 = linear_select([ - msg113, - msg114, -]); - -var part116 = match("MESSAGE#94:Recursively:01", "nwparser.payload", "Recursively listing files on %{service}[%{info}]", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg115 = msg("Recursively:01", part116); - -var msg116 = msg("Recursively", dup62); - -var select27 = linear_select([ - msg115, - msg116, -]); - -var msg117 = msg("building", dup62); - -var msg118 = msg("Sending", dup62); - -var msg119 = msg("sending", dup64); - -var part117 = match("MESSAGE#99:creating", "nwparser.payload", "creating new connection to %{obj_name}", processor_chain([ - dup20, - dup49, - dup14, - dup15, - dup17, -])); - -var msg120 = msg("creating", part117); - -var part118 = match("MESSAGE#100:Trusted", "nwparser.payload", "Trusted MAC address checking is disabled%{}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg121 = msg("Trusted", part118); - -var part119 = match("MESSAGE#101:signon_type", "nwparser.payload", "signon_type: %{fld40}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup17, -])); - -var msg122 = msg("signon_type", part119); - -var msg123 = msg("list-user-directory", dup62); - -var msg124 = msg("dcerpc-get-ms-blaster-codes", dup62); - -var msg125 = msg("Could", dup62); - -var part120 = match("MESSAGE#105:Asserting", "nwparser.payload", "Asserting software fingerprint name=%{obj_name}, version=%{version}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - setc("obj_type","Software Fingerprint"), -])); - -var msg126 = msg("Asserting", part120); - -var part121 = match("MESSAGE#106:Asserting:01", "nwparser.payload", "Asserting run entry: %{service}: %{filename}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg127 = msg("Asserting:01", part121); - -var part122 = match("MESSAGE#107:Asserting:02", "nwparser.payload", "Asserting network interface: %{sinterface->} with IP: %{saddr->} and netmask: %{fld12}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg128 = msg("Asserting:02", part122); - -var part123 = match("MESSAGE#108:Asserting:03", "nwparser.payload", "Asserting highest MDAC version of %{version}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg129 = msg("Asserting:03", part123); - -var msg130 = msg("Asserting:04", dup62); - -var select28 = linear_select([ - msg126, - msg127, - msg128, - msg129, - msg130, -]); - -var part124 = match("MESSAGE#110:Determining:01", "nwparser.payload", "Determining version of file %{filename->} (%{application})", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg131 = msg("Determining:01", part124); - -var msg132 = msg("Determining", dup62); - -var select29 = linear_select([ - msg131, - msg132, -]); - -var part125 = match("MESSAGE#112:Webmin", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup35, - dup27, - dup14, - dup15, - dup16, - dup17, -])); - -var msg133 = msg("Webmin", part125); - -var part126 = match("MESSAGE#113:Running:02", "nwparser.payload", "Running unresolved %{service}", processor_chain([ - dup20, - dup35, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg134 = msg("Running:02", part126); - -var part127 = match("MESSAGE#114:Running:01", "nwparser.payload", "Running %{protocol->} service %{service}", processor_chain([ - dup20, - dup35, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg135 = msg("Running:01", part127); - -var part128 = match("MESSAGE#115:Running", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup35, - dup14, - dup15, - dup16, - dup17, -])); - -var msg136 = msg("Running", part128); - -var select30 = linear_select([ - msg134, - msg135, - msg136, -]); - -var part129 = match("MESSAGE#116:path:/0_0", "nwparser.payload", "Service path:%{p0}"); - -var part130 = match("MESSAGE#116:path:/0_1", "nwparser.payload", "path:%{p0}"); - -var select31 = linear_select([ - part129, - part130, -]); - -var part131 = match("MESSAGE#116:path:/1", "nwparser.p0", "%{} %{filename}"); - -var all15 = all_match({ - processors: [ - select31, - part131, - ], - on_success: processor_chain([ - dup20, - dup15, - ]), -}); - -var msg137 = msg("path:", all15); - -var part132 = match("MESSAGE#117:path:01", "nwparser.payload", "Service path is insecure.%{}", processor_chain([ - dup20, - dup15, - setc("info","Service path is insecure."), -])); - -var msg138 = msg("path:01", part132); - -var part133 = match("MESSAGE#118:Service", "nwparser.payload", "Service %{service->} %{action->} on Provider: %{fld2}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg139 = msg("Service", part133); - -var part134 = match("MESSAGE#119:ServiceFingerprint", "nwparser.payload", "Service running: %{event_description}", processor_chain([ - dup20, - dup35, - dup14, - dup15, - dup16, - dup17, -])); - -var msg140 = msg("ServiceFingerprint", part134); - -var msg141 = msg("path", dup65); - -var select32 = linear_select([ - msg137, - msg138, - msg139, - msg140, - msg141, -]); - -var msg142 = msg("using", dup61); - -var part135 = match("MESSAGE#122:Found:01", "nwparser.payload", "Found group: CIFS Group %{group}", processor_chain([ - dup20, - dup50, - dup51, - dup13, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg143 = msg("Found:01", part135); - -var part136 = match("MESSAGE#123:Found:02", "nwparser.payload", "Found user: CIFS User %{username}", processor_chain([ - dup20, - dup45, - dup51, - dup13, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg144 = msg("Found:02", part136); - -var part137 = match("MESSAGE#124:Found:03", "nwparser.payload", "Found user %{username}", processor_chain([ - dup20, - dup45, - dup51, - dup13, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg145 = msg("Found:03", part137); - -var part138 = match("MESSAGE#125:Found:04", "nwparser.payload", "Found interface %{sinterface}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg146 = msg("Found:04", part138); - -var part139 = match("MESSAGE#126:Found:05", "nwparser.payload", "Found DHCP-assigned WINS server: %{saddr}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg147 = msg("Found:05", part139); - -var msg148 = msg("Found", dup62); - -var select33 = linear_select([ - msg143, - msg144, - msg145, - msg146, - msg147, - msg148, -]); - -var part140 = match("MESSAGE#128:FTP", "nwparser.payload", "FTP name: %{fld40}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup17, -])); - -var msg149 = msg("FTP", part140); - -var part141 = match("MESSAGE#129:Starting:02", "nwparser.payload", "Starting Office fingerprinting with dir %{directory}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg150 = msg("Starting:02", part141); - -var part142 = match("MESSAGE#130:Starting:01", "nwparser.payload", "Starting scan against %{fld11->} (%{fld12}) with scan template: %{fld13}.", processor_chain([ - dup20, - dup12, - dup13, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg151 = msg("Starting:01", part142); - -var msg152 = msg("Starting", dup62); - -var select34 = linear_select([ - msg150, - msg151, - msg152, -]); - -var msg153 = msg("loading", dup61); - -var part143 = match("MESSAGE#133:trying", "nwparser.payload", "trying the next key: %{fld11}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg154 = msg("trying", part143); - -var msg155 = msg("Retrieving", dup64); - -var part144 = match("MESSAGE#135:Got", "nwparser.payload", "Got version: %{version}", processor_chain([ - dup20, - dup14, - dup15, - dup16, -])); - -var msg156 = msg("Got", part144); - -var msg157 = msg("unexpected", dup64); - -var part145 = match("MESSAGE#137:checking:03", "nwparser.payload", "checking version of '%{directory}'", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg158 = msg("checking:03", part145); - -var part146 = match("MESSAGE#138:No", "nwparser.payload", "No closed UDP ports, IP fingerprinting may be less accurate%{}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg159 = msg("No", part146); - -var part147 = match("MESSAGE#139:No:01", "nwparser.payload", "No credentials available%{}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg160 = msg("No:01", part147); - -var part148 = match("MESSAGE#140:No:02", "nwparser.payload", "No access to %{directory->} with %{service}[%{info}]", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg161 = msg("No:02", part148); - -var part149 = match("MESSAGE#141:No:03", "nwparser.payload", "No approved updates found for processing.%{}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg162 = msg("No:03", part149); - -var msg163 = msg("No:04", dup61); - -var select35 = linear_select([ - msg159, - msg160, - msg161, - msg162, - msg163, -]); - -var part150 = match("MESSAGE#142:Applying", "nwparser.payload", "Applying update ID %{fld12}.", processor_chain([ - dup44, - dup52, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg164 = msg("Applying", part150); - -var part151 = match("MESSAGE#143:Update", "nwparser.payload", "Update ID %{fld12->} applied successfully.", processor_chain([ - dup44, - dup52, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg165 = msg("Update", part151); - -var part152 = match("MESSAGE#227:Update:02", "nwparser.payload", "Update ID %{fld1}, for product ID %{id}, %{event_description}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg166 = msg("Update:02", part152); - -var msg167 = msg("Update:03", dup61); - -var select36 = linear_select([ - msg165, - msg166, - msg167, -]); - -var part153 = match("MESSAGE#144:Installing", "nwparser.payload", "Installing directory %{directory}.", processor_chain([ - dup20, - dup52, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg168 = msg("Installing", part153); - -var part154 = match("MESSAGE#145:Installing:01", "nwparser.payload", "Installing file, %{filename}.", processor_chain([ - dup20, - dup52, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg169 = msg("Installing:01", part154); - -var part155 = match("MESSAGE#405:Installing:02", "nwparser.payload", "Installing Postgres files into %{directory->} from %{info}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Installing Postgres files"), -])); - -var msg170 = msg("Installing:02", part155); - -var select37 = linear_select([ - msg168, - msg169, - msg170, -]); - -var part156 = match("MESSAGE#146:Resolving", "nwparser.payload", "Resolving additional DNS records%{}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg171 = msg("Resolving", part156); - -var part157 = match("MESSAGE#147:DNS", "nwparser.payload", "DNS name: %{obj_name}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - setc("obj_type","DNS"), -])); - -var msg172 = msg("DNS", part157); - -var part158 = match("MESSAGE#148:Scanning", "nwparser.payload", "Scanning %{fld23->} %{protocol->} ports", processor_chain([ - dup11, - dup12, - dup13, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg173 = msg("Scanning", part158); - -var msg174 = msg("param:", dup64); - -var part159 = match("MESSAGE#150:Windows", "nwparser.payload", "Windows %{obj_name->} dir is: '%{directory}'", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg175 = msg("Windows", part159); - -var part160 = match("MESSAGE#151:Windows:01", "nwparser.payload", "Windows Media Player version: %{version}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg176 = msg("Windows:01", part160); - -var msg177 = msg("Windows:02", dup61); - -var select38 = linear_select([ - msg175, - msg176, - msg177, -]); - -var msg178 = msg("Parsed", dup64); - -var part161 = match("MESSAGE#153:JRE", "nwparser.payload", "JRE version %{version->} is installed", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg179 = msg("JRE", part161); - -var msg180 = msg("Microsoft", dup64); - -var part162 = match("MESSAGE#155:MDAC", "nwparser.payload", "MDAC version: %{version}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg181 = msg("MDAC", part162); - -var part163 = match("MESSAGE#156:Name", "nwparser.payload", "Name Server: %{saddr}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg182 = msg("Name", part163); - -var msg183 = msg("Flash", dup64); - -var msg184 = msg("Skipping", dup64); - -var part164 = match("MESSAGE#159:Closing", "nwparser.payload", "Closing service: %{service->} (source: %{info})", processor_chain([ - dup20, - dup35, - dup24, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg185 = msg("Closing", part164); - -var part165 = match("MESSAGE#238:Closing:03", "nwparser.payload", "Engine: %{fld1}] [Engine ID: %{fld3}] Closing connection to scan engine.", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Closing connection to scan engine"), -])); - -var msg186 = msg("Closing:03", part165); - -var msg187 = msg("Closing:02", dup61); - -var select39 = linear_select([ - msg185, - msg186, - msg187, -]); - -var part166 = match("MESSAGE#160:key", "nwparser.payload", "key does not exist: %{fld11}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg188 = msg("key", part166); - -var part167 = match("MESSAGE#161:Listing", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup50, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg189 = msg("Listing", part167); - -var msg190 = msg("Getting", dup64); - -var part168 = match("MESSAGE#163:Version:", "nwparser.payload", "Version: %{version}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg191 = msg("Version:", part168); - -var msg192 = msg("IE", dup64); - -var part169 = match("MESSAGE#165:Completed", "nwparser.payload", "Completed %{protocol->} port scan (%{dclass_counter1->} open ports): %{fld11->} seconds", processor_chain([ - dup20, - dup12, - dup13, - dup22, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - setc("dclass_counter1_string","No. of Open ports"), -])); - -var msg193 = msg("Completed", part169); - -var part170 = match("MESSAGE#291:Completed:01", "nwparser.payload", "Completed %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg194 = msg("Completed:01", part170); - -var part171 = match("MESSAGE#344:Completed:02", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed computation of asset group synopses.", processor_chain([ - dup53, - dup14, - dup15, - setc("event_description","Completed computation of asset group synopses"), -])); - -var msg195 = msg("Completed:02", part171); - -var part172 = match("MESSAGE#345:Completed:03", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed computation of site synopsis.", processor_chain([ - dup53, - dup14, - dup15, - setc("event_description","Completed computation of site synopsis"), -])); - -var msg196 = msg("Completed:03", part172); - -var part173 = match("MESSAGE#346:Completed:04", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Completed recomputation of synopsis data.", processor_chain([ - dup53, - dup14, - dup15, - setc("event_description","Completed recomputation of synopsis data"), -])); - -var msg197 = msg("Completed:04", part173); - -var part174 = match("MESSAGE#347:Completed:05", "nwparser.payload", "Scan ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ - dup18, - dup12, - dup13, - dup43, - dup14, - dup15, -])); - -var msg198 = msg("Completed:05", part174); - -var part175 = match("MESSAGE#348:Completed:06", "nwparser.payload", "Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ - dup18, - dup12, - dup13, - dup43, - dup14, - dup15, -])); - -var msg199 = msg("Completed:06", part175); - -var part176 = match("MESSAGE#460:Completed:07", "nwparser.payload", "%{fld1}] [%{fld2}] [%{fld3}] [%{fld4}] [Started: %{fld5}T%{fld6}] [Duration: %{fld7}] Completed purging sub-scan results.", processor_chain([ - dup53, - dup14, - dup15, - setc("event_description","Completed purging sub-scan results"), -])); - -var msg200 = msg("Completed:07", part176); - -var part177 = match("MESSAGE#461:Completed:08", "nwparser.payload", "SiteID: %{fld1}] [Scan ID: %{fld2}] [Started: %{fld3}T%{fld4}] [Duration: %{fld5}] Completed computation of synopsis.", processor_chain([ - dup53, - dup14, - dup15, - setc("event_description","Completed computation of synopsis"), -])); - -var msg201 = msg("Completed:08", part177); - -var select40 = linear_select([ - msg193, - msg194, - msg195, - msg196, - msg197, - msg198, - msg199, - msg200, - msg201, -]); - -var part178 = match("MESSAGE#166:Retrieved", "nwparser.payload", "Retrieved XML version %{version->} for file %{filename}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg202 = msg("Retrieved", part178); - -var part179 = match("MESSAGE#167:CIFS", "nwparser.payload", "CIFS Name Service name: %{service}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg203 = msg("CIFS", part179); - -var msg204 = msg("Cached:", dup64); - -var msg205 = msg("Enumerating", dup64); - -var part180 = match("MESSAGE#170:Checking:01", "nwparser.payload", "Checking for approved updates.%{}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg206 = msg("Checking:01", part180); - -var msg207 = msg("Checking:02", dup64); - -var select41 = linear_select([ - msg206, - msg207, -]); - -var part181 = match("MESSAGE#172:CSIDL_SYSTEMX86", "nwparser.payload", "CSIDL_SYSTEMX86 dir is: '%{directory}'", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg208 = msg("CSIDL_SYSTEMX86", part181); - -var part182 = match("MESSAGE#173:CSIDL_SYSTEM", "nwparser.payload", "CSIDL_SYSTEM dir is: '%{directory}'", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg209 = msg("CSIDL_SYSTEM", part182); - -var part183 = match("MESSAGE#174:office", "nwparser.payload", "office root dir is: '%{directory}'", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg210 = msg("office", part183); - -var part184 = match("MESSAGE#175:Exchange", "nwparser.payload", "Exchange root dir is: '%{directory}'", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg211 = msg("Exchange", part184); - -var part185 = match("MESSAGE#176:SQL", "nwparser.payload", "SQL Server root dir is: '%{directory}'", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg212 = msg("SQL", part185); - -var part186 = match("MESSAGE#177:starting", "nwparser.payload", "starting %{service}", processor_chain([ - dup20, - dup12, - dup13, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg213 = msg("starting", part186); - -var part187 = match("MESSAGE#178:Host", "nwparser.payload", "Host type (from MAC %{smacaddr}): %{fld11}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg214 = msg("Host", part187); - -var part188 = match("MESSAGE#268:Host:01", "nwparser.payload", "Host Address: %{saddr}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg215 = msg("Host:01", part188); - -var part189 = match("MESSAGE#269:Host:02", "nwparser.payload", "Host FQDN: %{fqdn}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg216 = msg("Host:02", part189); - -var select42 = linear_select([ - msg214, - msg215, - msg216, -]); - -var part190 = match("MESSAGE#179:Advertising", "nwparser.payload", "Advertising %{service->} service", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg217 = msg("Advertising", part190); - -var part191 = match("MESSAGE#180:IP", "nwparser.payload", "IP fingerprint:%{fld11}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg218 = msg("IP", part191); - -var part192 = match("MESSAGE#181:Updating:01", "nwparser.payload", "Updating file, %{filename}.", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg219 = msg("Updating:01", part192); - -var part193 = match("MESSAGE#182:Updating", "nwparser.payload", "Updating %{info}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg220 = msg("Updating", part193); - -var select43 = linear_select([ - msg219, - msg220, -]); - -var part194 = match("MESSAGE#183:Updated", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} vulnerabilities in %{fld12}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - setc("dclass_counter1_string","Number of vulnerabilities"), -])); - -var msg221 = msg("Updated", part194); - -var part195 = match("MESSAGE#184:Updated:01", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} assets in %{fld12}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - setc("dclass_counter1_string","Number of assets"), -])); - -var msg222 = msg("Updated:01", part195); - -var part196 = match("MESSAGE#185:Updated:02", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} sites in %{fld12}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - setc("dclass_counter1_string","Number of sites"), -])); - -var msg223 = msg("Updated:02", part196); - -var part197 = match("MESSAGE#186:Updated:03", "nwparser.payload", "Updated risk scores for %{dclass_counter1->} groups in %{fld12}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - setc("dclass_counter1_string","Number of groups"), -])); - -var msg224 = msg("Updated:03", part197); - -var part198 = match("MESSAGE#260:Updated:04/0", "nwparser.payload", "Started: %{fld2}] [Duration: %{fld3}] Updated risk scores for %{fld1->} %{p0}"); - -var part199 = match("MESSAGE#260:Updated:04/1_0", "nwparser.p0", "vulnerabilities.%{}"); - -var part200 = match("MESSAGE#260:Updated:04/1_1", "nwparser.p0", "assets.%{}"); - -var part201 = match("MESSAGE#260:Updated:04/1_2", "nwparser.p0", "sites.%{}"); - -var part202 = match("MESSAGE#260:Updated:04/1_3", "nwparser.p0", "groups.%{}"); - -var select44 = linear_select([ - part199, - part200, - part201, - part202, -]); - -var all16 = all_match({ - processors: [ - part198, - select44, - ], - on_success: processor_chain([ - dup20, - dup15, - ]), -}); - -var msg225 = msg("Updated:04", all16); - -var part203 = match("MESSAGE#311:Updated:06/0", "nwparser.payload", "%{fld1}] [Started: %{fld2}] [Duration: %{fld3}] Updated %{p0}"); - -var part204 = match("MESSAGE#311:Updated:06/1_0", "nwparser.p0", "scan risk scores%{p0}"); - -var part205 = match("MESSAGE#311:Updated:06/1_1", "nwparser.p0", "risk scores for site%{p0}"); - -var select45 = linear_select([ - part204, - part205, -]); - -var part206 = match("MESSAGE#311:Updated:06/2", "nwparser.p0", ".%{}"); - -var all17 = all_match({ - processors: [ - part203, - select45, - part206, - ], - on_success: processor_chain([ - dup11, - dup14, - dup15, - setc("event_description","Updated risk scores"), - ]), -}); - -var msg226 = msg("Updated:06", all17); - -var msg227 = msg("Updated:05", dup65); - -var select46 = linear_select([ - msg221, - msg222, - msg223, - msg224, - msg225, - msg226, - msg227, -]); - -var part207 = match("MESSAGE#187:Started", "nwparser.payload", "Started auto-update.%{}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg228 = msg("Started", part207); - -var msg229 = msg("Started:02", dup61); - -var select47 = linear_select([ - msg228, - msg229, -]); - -var part208 = match("MESSAGE#188:Executing", "nwparser.payload", "Executing job JobID[%{info}] Risk and daily history updater for silo %{fld12}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg230 = msg("Executing", part208); - -var part209 = match("MESSAGE#189:Executing:01", "nwparser.payload", "Executing job JobID[%{info}] Auto-update retriever", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg231 = msg("Executing:01", part209); - -var part210 = match("MESSAGE#190:Executing:02", "nwparser.payload", "Executing job JobID[%{info}] %{fld1->} retention updater-default", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg232 = msg("Executing:02", part210); - -var part211 = match("MESSAGE#191:Executing:04", "nwparser.payload", "Executing job JobID[%{info}] %{obj_type}: %{obj_name}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg233 = msg("Executing:04", part211); - -var part212 = match("MESSAGE#326:Executing:03", "nwparser.payload", "Executing SQL: %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg234 = msg("Executing:03", part212); - -var select48 = linear_select([ - msg230, - msg231, - msg232, - msg233, - msg234, -]); - -var part213 = match("MESSAGE#192:A", "nwparser.payload", "A set of SSH administrative credentials have failed verification.%{}", processor_chain([ - dup48, - dup45, - dup46, - dup47, - dup27, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg235 = msg("A", part213); - -var part214 = match("MESSAGE#193:Administrative:01", "nwparser.payload", "Administrative credentials failed (access denied).%{}", processor_chain([ - dup48, - dup45, - dup46, - dup47, - dup27, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg236 = msg("Administrative:01", part214); - -var part215 = match("MESSAGE#194:Administrative", "nwparser.payload", "Administrative credentials for %{service->} will be used.", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg237 = msg("Administrative", part215); - -var select49 = linear_select([ - msg236, - msg237, -]); - -var part216 = match("MESSAGE#195:Initializing:01", "nwparser.payload", "Engine: %{fld1}] [Engine ID: %{fld2}] Initializing remote scan engine (%{dhost}).", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Initializing remote scan engine"), -])); - -var msg238 = msg("Initializing:01", part216); - -var part217 = match("MESSAGE#196:Initializing/1_0", "nwparser.p0", "Initializing %{service}."); - -var part218 = match("MESSAGE#196:Initializing/1_1", "nwparser.p0", "Initializing JDBC drivers %{}"); - -var part219 = match("MESSAGE#196:Initializing/1_2", "nwparser.p0", "%{event_description}"); - -var select50 = linear_select([ - part217, - part218, - part219, -]); - -var all18 = all_match({ - processors: [ - dup28, - select50, - ], - on_success: processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - ]), -}); - -var msg239 = msg("Initializing", all18); - -var select51 = linear_select([ - msg238, - msg239, -]); - -var msg240 = msg("Creating", dup64); - -var msg241 = msg("Loading", dup64); - -var part220 = match("MESSAGE#199:Loaded", "nwparser.payload", "Loaded %{dclass_counter1->} policy checks for scan.", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - setc("dclass_counter1_string","No. of policies"), -])); - -var msg242 = msg("Loaded", part220); - -var msg243 = msg("Loaded:01", dup66); - -var select52 = linear_select([ - msg242, - msg243, -]); - -var part221 = match("MESSAGE#200:Finished", "nwparser.payload", "Finished locating %{dclass_counter1->} live nodes. [Started: %{fld11}] [Duration: %{fld12}]", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - setc("dclass_counter1_string","No. of live nodes"), -])); - -var msg244 = msg("Finished", part221); - -var part222 = match("MESSAGE#201:Finished:01", "nwparser.payload", "Finished loading %{service}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg245 = msg("Finished:01", part222); - -var part223 = match("MESSAGE#202:Finished:02", "nwparser.payload", "Finished resolving DNS records%{}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg246 = msg("Finished:02", part223); - -var msg247 = msg("Finished:03", dup67); - -var select53 = linear_select([ - msg244, - msg245, - msg246, - msg247, -]); - -var msg248 = msg("CheckProcessor:", dup64); - -var msg249 = msg("Locating", dup64); - -var part224 = match("MESSAGE#205:TCP", "nwparser.payload", "TCP port scanner is using: %{fld11}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg250 = msg("TCP", part224); - -var part225 = match("MESSAGE#206:UDP", "nwparser.payload", "UDP port scanner is using: %{fld11}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg251 = msg("UDP", part225); - -var part226 = match("MESSAGE#207:Queued", "nwparser.payload", "Queued live nodes for scanning: %{dclass_counter1}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, - setc("dclass_counter1_string","Live nodes"), -])); - -var msg252 = msg("Queued", part226); - -var msg253 = msg("Reading", dup64); - -var msg254 = msg("Registering", dup64); - -var part227 = match("MESSAGE#210:Registered", "nwparser.payload", "Registered session [%{fld12}] for IP [%{saddr}]", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg255 = msg("Registered", part227); - -var part228 = match("MESSAGE#219:Registered:02", "nwparser.payload", "Registered session for principal name [%{username}] for IP [%{saddr}]", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg256 = msg("Registered:02", part228); - -var select54 = linear_select([ - msg255, - msg256, -]); - -var part229 = match("MESSAGE#211:Seeing", "nwparser.payload", "Seeing if %{saddr->} is a valid network node", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var msg257 = msg("Seeing", part229); - -var part230 = match("MESSAGE#212:Logging", "nwparser.payload", "Logging initialized. [Name = %{obj_name}] [Level = %{fld11}] [Timezone = %{fld12}]", processor_chain([ - dup20, - dup14, - dup15, - dup16, -])); - -var msg258 = msg("Logging", part230); - -var msg259 = msg("Firefox", dup64); - -var msg260 = msg("nodes", dup64); - -var msg261 = msg("common", dup67); - -var msg262 = msg("jess.JessException:", dup67); - -var part231 = match("MESSAGE#218:Successfully", "nwparser.payload", "Successfully %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg263 = msg("Successfully", part231); - -var msg264 = msg("Establishing", dup61); - -var msg265 = msg("Response", dup61); - -var msg266 = msg("Auto-update", dup61); - -var msg267 = msg("Approved:03", dup61); - -var msg268 = msg("HHH000436:", dup61); - -var msg269 = msg("Staged", dup61); - -var msg270 = msg("Refreshing", dup61); - -var msg271 = msg("Activation", dup61); - -var msg272 = msg("Acknowledging", dup61); - -var msg273 = msg("Acknowledged", dup61); - -var msg274 = msg("Validating", dup61); - -var msg275 = msg("Patching", dup61); - -var msg276 = msg("JAR", dup61); - -var msg277 = msg("Destroying", dup61); - -var msg278 = msg("Invocation", dup61); - -var msg279 = msg("Using", dup61); - -var part232 = match("MESSAGE#243:Route:01", "nwparser.payload", "Route: %{fld1->} shutdown complete, %{event_description}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg280 = msg("Route:01", part232); - -var part233 = match("MESSAGE#244:Route:02", "nwparser.payload", "Route: %{fld1->} started and consuming from: %{event_description}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg281 = msg("Route:02", part233); - -var select55 = linear_select([ - msg280, - msg281, -]); - -var msg282 = msg("Deploying", dup61); - -var msg283 = msg("Generating", dup61); - -var msg284 = msg("Staging", dup61); - -var msg285 = msg("Removing", dup61); - -var msg286 = msg("At", dup61); - -var msg287 = msg("An", dup61); - -var msg288 = msg("The", dup61); - -var msg289 = msg("Downloading", dup61); - -var msg290 = msg("Downloaded", dup61); - -var msg291 = msg("Restarting", dup61); - -var msg292 = msg("Requested", dup61); - -var part234 = match("MESSAGE#257:Freeing", "nwparser.payload", "Freeing session for principal name [%{username}]", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg293 = msg("Freeing", part234); - -var part235 = match("MESSAGE#258:Freeing:01", "nwparser.payload", "Freeing %{dclass_counter1->} current sessions.", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg294 = msg("Freeing:01", part235); - -var select56 = linear_select([ - msg293, - msg294, -]); - -var part236 = match("MESSAGE#259:Kill", "nwparser.payload", "Kill session for principal name [%{username}]", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg295 = msg("Kill", part236); - -var part237 = match("MESSAGE#262:Created:01", "nwparser.payload", "Created temporary directory %{filename}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg296 = msg("Created:01", part237); - -var part238 = match("MESSAGE#331:Created:02", "nwparser.payload", "Created %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg297 = msg("Created:02", part238); - -var select57 = linear_select([ - msg296, - msg297, -]); - -var part239 = match("MESSAGE#263:Product", "nwparser.payload", "Product Version: %{version}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg298 = msg("Product", part239); - -var part240 = match("MESSAGE#264:Current", "nwparser.payload", "Current directory: %{filename}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg299 = msg("Current", part240); - -var part241 = match("MESSAGE#308:Current:01", "nwparser.payload", "Current DB_VERSION = %{version}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg300 = msg("Current:01", part241); - -var select58 = linear_select([ - msg299, - msg300, -]); - -var part242 = match("MESSAGE#266:Super", "nwparser.payload", "Super user: %{result}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg301 = msg("Super", part242); - -var part243 = match("MESSAGE#267:Computer", "nwparser.payload", "Computer name: %{hostname}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg302 = msg("Computer", part243); - -var part244 = match("MESSAGE#270:Operating", "nwparser.payload", "Operating system: %{os}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg303 = msg("Operating", part244); - -var part245 = match("MESSAGE#271:CPU", "nwparser.payload", "CPU speed: %{fld1}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg304 = msg("CPU", part245); - -var part246 = match("MESSAGE#272:Number", "nwparser.payload", "Number of CPUs: %{dclass_counter1}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg305 = msg("Number", part246); - -var part247 = match("MESSAGE#273:Total", "nwparser.payload", "Total %{fld1}: %{fld2}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg306 = msg("Total", part247); - -var part248 = match("MESSAGE#320:Total:02", "nwparser.payload", "Total %{dclass_counter1->} routes, of which %{dclass_counter2->} is started.", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg307 = msg("Total:02", part248); - -var select59 = linear_select([ - msg306, - msg307, -]); - -var part249 = match("MESSAGE#274:Available", "nwparser.payload", "Available %{fld1}: %{fld2}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg308 = msg("Available", part249); - -var part250 = match("MESSAGE#275:Disk", "nwparser.payload", "Disk space used by %{fld1}: %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg309 = msg("Disk", part250); - -var part251 = match("MESSAGE#276:JVM", "nwparser.payload", "JVM %{fld1}: %{info}", processor_chain([ - dup20, - dup15, -])); - -var msg310 = msg("JVM", part251); - -var part252 = match("MESSAGE#277:Pausing", "nwparser.payload", "Pausing ProtocolHandler [%{info}]", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg311 = msg("Pausing", part252); - -var part253 = match("MESSAGE#278:Policy", "nwparser.payload", "Policy %{policyname->} replaces %{fld1}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg312 = msg("Policy", part253); - -var part254 = match("MESSAGE#420:Policy:01", "nwparser.payload", "Policy benchmark %{policyname->} in %{info->} with hash %{fld1->} is not valid builtin content and will not load.", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Policy benchmark is not valid builtin content and will not load"), -])); - -var msg313 = msg("Policy:01", part254); - -var select60 = linear_select([ - msg312, - msg313, -]); - -var part255 = match("MESSAGE#279:Bulk", "nwparser.payload", "Bulk %{action->} %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg314 = msg("Bulk", part255); - -var part256 = match("MESSAGE#280:Importing", "nwparser.payload", "%{action->} %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg315 = msg("Importing", part256); - -var part257 = match("MESSAGE#281:Imported", "nwparser.payload", "%{action->} %{dclass_counter1->} new categories, categorized %{fld1->} vulnerabilities and %{fld2->} tags.", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg316 = msg("Imported", part257); - -var msg317 = msg("Imported:01", dup65); - -var select61 = linear_select([ - msg316, - msg317, -]); - -var part258 = match("MESSAGE#283:Compiling", "nwparser.payload", "Compiling %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg318 = msg("Compiling", part258); - -var part259 = match("MESSAGE#284:Vulnerability", "nwparser.payload", "Vulnerability %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg319 = msg("Vulnerability", part259); - -var part260 = match("MESSAGE#285:Truncating", "nwparser.payload", "Truncating %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg320 = msg("Truncating", part260); - -var part261 = match("MESSAGE#286:Synchronizing", "nwparser.payload", "Synchronizing %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg321 = msg("Synchronizing", part261); - -var part262 = match("MESSAGE#287:Parsing", "nwparser.payload", "Parsing %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg322 = msg("Parsing", part262); - -var part263 = match("MESSAGE#288:Remapping", "nwparser.payload", "Remapping %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg323 = msg("Remapping", part263); - -var part264 = match("MESSAGE#289:Remapped", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Remapped %{info}", processor_chain([ - dup20, - dup15, -])); - -var msg324 = msg("Remapped", part264); - -var part265 = match("MESSAGE#290:Database", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Database %{info}", processor_chain([ - dup20, - dup15, -])); - -var msg325 = msg("Database", part265); - -var part266 = match("MESSAGE#428:Database:01", "nwparser.payload", "Database %{info}", processor_chain([ - dup20, - dup15, -])); - -var msg326 = msg("Database:01", part266); - -var select62 = linear_select([ - msg325, - msg326, -]); - -var part267 = match("MESSAGE#292:Accepting", "nwparser.payload", "Accepting %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg327 = msg("Accepting", part267); - -var part268 = match("MESSAGE#293:VERSION:03", "nwparser.payload", "VERSION %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg328 = msg("VERSION:03", part268); - -var part269 = match("MESSAGE#294:Detected", "nwparser.payload", "Detected %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg329 = msg("Detected", part269); - -var part270 = match("MESSAGE#295:Telling", "nwparser.payload", "Telling %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg330 = msg("Telling", part270); - -var part271 = match("MESSAGE#298:Stopping", "nwparser.payload", "Stopping %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg331 = msg("Stopping", part271); - -var part272 = match("MESSAGE#299:removing", "nwparser.payload", "removing %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg332 = msg("removing", part272); - -var part273 = match("MESSAGE#300:Enabling", "nwparser.payload", "Enabling %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg333 = msg("Enabling", part273); - -var part274 = match("MESSAGE#301:Granting", "nwparser.payload", "Granting %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg334 = msg("Granting", part274); - -var part275 = match("MESSAGE#302:Version", "nwparser.payload", "Version %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg335 = msg("Version", part275); - -var part276 = match("MESSAGE#303:Configuring", "nwparser.payload", "Configuring %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg336 = msg("Configuring", part276); - -var part277 = match("MESSAGE#305:Scheduler", "nwparser.payload", "Scheduler %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg337 = msg("Scheduler", part277); - -var part278 = match("MESSAGE#341:Scheduler:01", "nwparser.payload", "Silo: %{fld1}] [Started: %{fld2}] [Duration: %{fld3}] Scheduler started.", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Scheduler started"), -])); - -var msg338 = msg("Scheduler:01", part278); - -var part279 = match("MESSAGE#429:Scheduler:02", "nwparser.payload", "%{fld1}: %{fld2}] Scheduler %{info}", processor_chain([ - dup20, - dup15, -])); - -var msg339 = msg("Scheduler:02", part279); - -var select63 = linear_select([ - msg337, - msg338, - msg339, -]); - -var part280 = match("MESSAGE#306:PostgreSQL", "nwparser.payload", "PostgreSQL %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg340 = msg("PostgreSQL", part280); - -var part281 = match("MESSAGE#307:Cleaning", "nwparser.payload", "Cleaning %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg341 = msg("Cleaning", part281); - -var part282 = match("MESSAGE#462:Cleaning:01", "nwparser.payload", "%{fld1}] [%{fld2}] [%{fld3}] [%{fld4}] Cleaning up sub-scan results.", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Cleaning up sub-scan results"), -])); - -var msg342 = msg("Cleaning:01", part282); - -var select64 = linear_select([ - msg341, - msg342, -]); - -var part283 = match("MESSAGE#309:Installed:01/0", "nwparser.payload", "Installed DB%{p0}"); - -var part284 = match("MESSAGE#309:Installed:01/1_0", "nwparser.p0", "_VERSION after upgrade%{p0}"); - -var part285 = match("MESSAGE#309:Installed:01/1_1", "nwparser.p0", " VERSION %{p0}"); - -var select65 = linear_select([ - part284, - part285, -]); - -var part286 = match("MESSAGE#309:Installed:01/2", "nwparser.p0", "%{}= %{version}"); - -var all19 = all_match({ - processors: [ - part283, - select65, - part286, - ], - on_success: processor_chain([ - dup20, - dup14, - dup15, - ]), -}); - -var msg343 = msg("Installed:01", all19); - -var part287 = match("MESSAGE#310:Inserted", "nwparser.payload", "Inserted %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg344 = msg("Inserted", part287); - -var part288 = match("MESSAGE#313:Deleted", "nwparser.payload", "Started: %{fld1}] [Duration: %{fld2}] Deleted %{info}", processor_chain([ - dup20, - dup15, -])); - -var msg345 = msg("Deleted", part288); - -var msg346 = msg("Default", dup66); - -var msg347 = msg("Apache", dup66); - -var msg348 = msg("JMX", dup66); - -var msg349 = msg("AllowUseOriginalMessage", dup66); - -var part289 = match("MESSAGE#321:Initialized", "nwparser.payload", "Initialized PolicyCheckService with %{dclass_counter1->} benchmarks, containing %{fld1->} policies. The total check count is %{dclass_counter2}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg350 = msg("Initialized", part289); - -var part290 = match("MESSAGE#322:Initialized:01", "nwparser.payload", "Initialized %{dclass_counter1->} policy benchmarks in total.", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg351 = msg("Initialized:01", part290); - -var part291 = match("MESSAGE#379:Initialized_Scheduler", "nwparser.payload", "Initialized Scheduler Signaller of type: %{obj_type->} %{obj_name}", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Initialized Scheduler Signaller"), -])); - -var msg352 = msg("Initialized_Scheduler", part291); - -var select66 = linear_select([ - msg350, - msg351, - msg352, -]); - -var msg353 = msg("Error", dup66); - -var part292 = match("MESSAGE#324:Graceful", "nwparser.payload", "Graceful shutdown of %{dclass_counter1->} routes completed in %{dclass_counter2->} seconds", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg354 = msg("Graceful", part292); - -var msg355 = msg("StreamCaching", dup61); - -var msg356 = msg("Local", dup66); - -var part293 = match("MESSAGE#329:DB_VERSION", "nwparser.payload", "DB_VERSION = %{version}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg357 = msg("DB_VERSION", part293); - -var part294 = match("MESSAGE#330:Populating", "nwparser.payload", "Populating %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg358 = msg("Populating", part294); - -var part295 = match("MESSAGE#332:EventLog", "nwparser.payload", "EventLog %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg359 = msg("EventLog", part295); - -var part296 = match("MESSAGE#333:Making", "nwparser.payload", "Making %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg360 = msg("Making", part296); - -var part297 = match("MESSAGE#334:Setting", "nwparser.payload", "Setting %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg361 = msg("Setting", part297); - -var part298 = match("MESSAGE#335:initdb", "nwparser.payload", "initdb %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg362 = msg("initdb", part298); - -var part299 = match("MESSAGE#336:Verifying", "nwparser.payload", "Verifying %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg363 = msg("Verifying", part299); - -var msg364 = msg("OS", dup66); - -var part300 = match("MESSAGE#338:Benchmark", "nwparser.payload", "Benchmark %{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg365 = msg("Benchmark", part300); - -var part301 = match("MESSAGE#339:Report:01", "nwparser.payload", "Report Config ID: %{fld1}] [Started: %{fld2}T%{fld3}] [Duration: %{fld4}] %{event_description}", processor_chain([ - dup20, - dup14, - dup15, - dup29, - dup54, - dup16, -])); - -var msg366 = msg("Report:01", part301); - -var part302 = match("MESSAGE#340:Report", "nwparser.payload", "Report Config ID: %{fld1}] %{event_description}", processor_chain([ - dup20, - dup14, - dup15, - dup29, - dup54, - dup16, -])); - -var msg367 = msg("Report", part302); - -var select67 = linear_select([ - msg366, - msg367, -]); - -var part303 = match("MESSAGE#342:Cannot_preload", "nwparser.payload", "Engine ID: %{fld1}] [Engine Name: %{fld2}] Cannot preload incremental pool with a connection %{fld3}", processor_chain([ - dup53, - dup14, - dup15, - dup55, -])); - -var msg368 = msg("Cannot_preload", part303); - -var part304 = match("MESSAGE#343:Cannot_preload:01", "nwparser.payload", "Cannot preload incremental pool with a connection%{fld3}", processor_chain([ - dup53, - dup14, - dup15, - dup55, -])); - -var msg369 = msg("Cannot_preload:01", part304); - -var select68 = linear_select([ - msg368, - msg369, -]); - -var part305 = match("MESSAGE#349:ERROR:02", "nwparser.payload", "ERROR: syntax error at or near \"%{fld1}\"", processor_chain([ - dup53, - dup14, - dup15, - setc("event_description","Syntax error"), -])); - -var msg370 = msg("ERROR:02", part305); - -var part306 = match("MESSAGE#350:QuartzRepeaterBuilder", "nwparser.payload", "QuartzRepeaterBuilder failed to add schedule to ScanConfig: null%{}", processor_chain([ - dup53, - dup14, - dup15, - setc("event_description","QuartzRepeaterBuilder failed to add schedule"), -])); - -var msg371 = msg("QuartzRepeaterBuilder", part306); - -var part307 = match("MESSAGE#351:Backing_up", "nwparser.payload", "Backing up %{event_source}", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Backing up"), -])); - -var msg372 = msg("Backing_up", part307); - -var part308 = match("MESSAGE#352:Not_configured", "nwparser.payload", "com.rapid.nexpose.scanpool.stateInterval is not configured - returning default value %{resultcode}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid.nexpose.scanpool.stateInterval is not configured"), -])); - -var msg373 = msg("Not_configured", part308); - -var part309 = match("MESSAGE#353:Not_configured:01", "nwparser.payload", "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured - returning default value %{resultcode}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured"), -])); - -var msg374 = msg("Not_configured:01", part309); - -var part310 = match("MESSAGE#354:Not_configured:02", "nwparser.payload", "com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout is not configured - returning default value %{resultcode}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout is not configured"), -])); - -var msg375 = msg("Not_configured:02", part310); - -var part311 = match("MESSAGE#355:Not_configured:03", "nwparser.payload", "com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value %{resultcode}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured"), -])); - -var msg376 = msg("Not_configured:03", part311); - -var part312 = match("MESSAGE#356:Not_configured:04", "nwparser.payload", "com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout is not configured - returning default value %{resultcode}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout is not configured"), -])); - -var msg377 = msg("Not_configured:04", part312); - -var part313 = match("MESSAGE#357:Not_configured:05", "nwparser.payload", "com.rapid7.nexpose.nsc.dbcc is not configured - returning default value %{result}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.nsc.dbcc is not configured"), -])); - -var msg378 = msg("Not_configured:05", part313); - -var part314 = match("MESSAGE#358:Not_configured:06", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize is not configured - returning default value %{resultcode}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize is not configured"), -])); - -var msg379 = msg("Not_configured:06", part314); - -var part315 = match("MESSAGE#359:Not_configured:07", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured - returning default value %{resultcode}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured"), -])); - -var msg380 = msg("Not_configured:07", part315); - -var part316 = match("MESSAGE#360:Not_configured:08", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation is not configured - returning default value %{resultcode}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation is not configured"), -])); - -var msg381 = msg("Not_configured:08", part316); - -var part317 = match("MESSAGE#361:Not_configured:09", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled is not configured - returning default value %{result}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled is not configured"), -])); - -var msg382 = msg("Not_configured:09", part317); - -var part318 = match("MESSAGE#362:Not_configured:10", "nwparser.payload", "com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval is not configured - returning default value %{resultcode}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval is not configured"), -])); - -var msg383 = msg("Not_configured:10", part318); - -var part319 = match("MESSAGE#363:Not_configured:11", "nwparser.payload", "com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value %{resultcode}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured"), -])); - -var msg384 = msg("Not_configured:11", part319); - -var part320 = match("MESSAGE#364:Not_configured:12", "nwparser.payload", "com.rapid7.nexpose.nse.nscClient.readTimeout is not configured - returning default value %{resultcode}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.nse.nscClient.readTimeout is not configured"), -])); - -var msg385 = msg("Not_configured:12", part320); - -var part321 = match("MESSAGE#365:Not_configured:13", "nwparser.payload", "com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout is not configured - returning default value %{resultcode}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout is not configured"), -])); - -var msg386 = msg("Not_configured:13", part321); - -var part322 = match("MESSAGE#366:Not_configured:14", "nwparser.payload", "com.rapid7.nexpose.scan.consolidation.delay is not configured - returning default value %{resultcode}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.scan.consolidation.delay is not configured"), -])); - -var msg387 = msg("Not_configured:14", part322); - -var part323 = match("MESSAGE#367:Not_configured:15", "nwparser.payload", "com.rapid7.nexpose.scan.lifecyclemonitor.delay is not configured - returning default value %{resultcode}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.scan.lifecyclemonitor.delay is not configured"), -])); - -var msg388 = msg("Not_configured:15", part323); - -var part324 = match("MESSAGE#368:Not_configured:16", "nwparser.payload", "com.rapid7.nexpose.scan.usescanpool is not configured - returning default value %{result}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.scan.usescanpool is not configured"), -])); - -var msg389 = msg("Not_configured:16", part324); - -var part325 = match("MESSAGE#369:Not_configured:17", "nwparser.payload", "com.rapid7.nsc.workflow.timeout is not configured - returning default value %{resultcode}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nsc.workflow.timeout is not configured"), -])); - -var msg390 = msg("Not_configured:17", part325); - -var part326 = match("MESSAGE#370:Delivered", "nwparser.payload", "Delivered mail to %{to}: %{fld1->} %{fld2->} %{mail_id->} [InternalId=%{fld3}] Queued mail for delivery", processor_chain([ - dup56, - dup14, - dup15, - setc("action","Queued mail for delivery"), -])); - -var msg391 = msg("Delivered", part326); - -var part327 = match("MESSAGE#371:Engine_update", "nwparser.payload", "Engine update thread pool shutting down.%{}", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Engine update thread pool shutting down"), -])); - -var msg392 = msg("Engine_update", part327); - -var part328 = match("MESSAGE#372:Freed_triggers", "nwparser.payload", "Freed %{fld1->} triggers from 'acquired' / 'blocked' state.", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Freed triggers from 'acquired' / 'blocked' state"), -])); - -var msg393 = msg("Freed_triggers", part328); - -var part329 = match("MESSAGE#374:Upgrade_completed", "nwparser.payload", "PG Upgrade has completed succesfully%{}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Upgrade has completed succesfully"), -])); - -var msg394 = msg("Upgrade_completed", part329); - -var part330 = match("MESSAGE#375:PG", "nwparser.payload", "%{fld1}: %{process->} %{param}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg395 = msg("PG", part330); - -var select69 = linear_select([ - msg394, - msg395, -]); - -var part331 = match("MESSAGE#376:DEFAULT_SCHEDULER", "nwparser.payload", "DEFAULT SCHEDULER: %{obj_name}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","DEFAULT SCHEDULER"), -])); - -var msg396 = msg("DEFAULT_SCHEDULER", part331); - -var part332 = match("MESSAGE#377:Context_loader", "nwparser.payload", "Context loader config file is jar:file:%{filename}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Context loader config file"), -])); - -var msg397 = msg("Context_loader", part332); - -var part333 = match("MESSAGE#378:Copied_file", "nwparser.payload", "Copied %{filename->} file from %{directory->} to %{info}", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Copied file"), -])); - -var msg398 = msg("Copied_file", part333); - -var part334 = match("MESSAGE#380:Java", "nwparser.payload", "Java HotSpot(TM) %{info}", processor_chain([ - dup20, - dup15, - setc("event_description","Console VM version"), -])); - -var msg399 = msg("Java", part334); - -var part335 = match("MESSAGE#381:Changing", "nwparser.payload", "Changing permissions of %{obj_type->} '%{obj_name}' to %{change_new}", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Changing permissions"), -])); - -var msg400 = msg("Changing", part335); - -var part336 = match("MESSAGE#382:Changing:01", "nwparser.payload", "Changing the new database AUTH method to %{change_new}", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Changing new database AUTH method"), -])); - -var msg401 = msg("Changing:01", part336); - -var select70 = linear_select([ - msg400, - msg401, -]); - -var part337 = match("MESSAGE#383:Job_execution", "nwparser.payload", "Job execution threads will use class loader of thread: %{info}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Job execution threads will use class loader"), -])); - -var msg402 = msg("Job_execution", part337); - -var part338 = match("MESSAGE#384:Initialized:02", "nwparser.payload", "JobStoreCMT initialized.%{}", processor_chain([ - dup20, - dup14, - dup15, - setc("action","JobStoreCMT initialized"), -])); - -var msg403 = msg("Initialized:02", part338); - -var part339 = match("MESSAGE#385:Initialized:03", "nwparser.payload", "Quartz scheduler '%{obj_name}' %{event_description}", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Quartz scheduler initialized"), -])); - -var msg404 = msg("Initialized:03", part339); - -var part340 = match("MESSAGE#386:Created:03", "nwparser.payload", "Quartz Scheduler %{version->} created.", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Quartz Scheduler created."), -])); - -var msg405 = msg("Created:03", part340); - -var part341 = match("MESSAGE#387:Scheduler_version", "nwparser.payload", "Quartz scheduler version: %{version}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg406 = msg("Scheduler_version", part341); - -var select71 = linear_select([ - msg404, - msg405, - msg406, -]); - -var part342 = match("MESSAGE#388:Recovering", "nwparser.payload", "Recovering %{fld1->} %{event_description}", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Recovering jobs"), -])); - -var msg407 = msg("Recovering", part342); - -var part343 = match("MESSAGE#389:Recovery", "nwparser.payload", "Recovery complete.%{}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Recovery"), - setc("disposition","Complete"), -])); - -var msg408 = msg("Recovery", part343); - -var part344 = match("MESSAGE#390:Removed", "nwparser.payload", "Removed %{fld1->} 'complete' triggers.", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Removed triggers"), -])); - -var msg409 = msg("Removed", part344); - -var part345 = match("MESSAGE#391:Removed:01", "nwparser.payload", "Removed %{fld1->} stale fired job entries.", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Removed job entries"), -])); - -var msg410 = msg("Removed:01", part345); - -var select72 = linear_select([ - msg409, - msg410, -]); - -var part346 = match("MESSAGE#392:Restoring", "nwparser.payload", "%{action}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg411 = msg("Restoring", part346); - -var part347 = match("MESSAGE#393:Upgrading", "nwparser.payload", "Upgrading database%{fld1}", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Upgrading database"), -])); - -var msg412 = msg("Upgrading", part347); - -var part348 = match("MESSAGE#394:Exploits", "nwparser.payload", "Exploits are up to date.%{}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Exploits are up to date"), -])); - -var msg413 = msg("Exploits", part348); - -var part349 = match("MESSAGE#395:Failure", "nwparser.payload", "Failure communicating with NSE @ %{dhost}:%{dport}.", processor_chain([ - dup53, - dup49, - dup27, - dup14, - dup15, - setc("event_description","Failure communicating with NSE"), -])); - -var msg414 = msg("Failure", part349); - -var part350 = match("MESSAGE#396:Renamed", "nwparser.payload", "Renamed %{filename->} to %{info}", processor_chain([ - dup20, - dup57, - dup22, - dup14, - dup15, -])); - -var msg415 = msg("Renamed", part350); - -var part351 = match("MESSAGE#397:Reinitializing", "nwparser.payload", "Reinitializing web server for maintenance mode...%{}", processor_chain([ - dup20, - dup57, - dup22, - dup14, - dup15, - setc("event_description","Reinitializing web server for maintenance mode"), -])); - -var msg416 = msg("Reinitializing", part351); - -var part352 = match("MESSAGE#398:Replaced", "nwparser.payload", "Replaced %{change_old->} values from %{filename->} file with new auth method: %{change_new}.", processor_chain([ - dup20, - dup57, - dup22, - dup14, - dup15, - dup58, -])); - -var msg417 = msg("Replaced", part352); - -var part353 = match("MESSAGE#399:Replaced:01", "nwparser.payload", "Replaced %{change_old->} values from %{filename->} with new setting values", processor_chain([ - dup20, - dup57, - dup22, - dup14, - dup15, - dup58, -])); - -var msg418 = msg("Replaced:01", part353); - -var select73 = linear_select([ - msg417, - msg418, -]); - -var part354 = match("MESSAGE#400:System", "nwparser.payload", "System is running low on memory: %{fld1}MB total (%{fld2}MB free)", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","System is running low on memory"), -])); - -var msg419 = msg("System", part354); - -var part355 = match("MESSAGE#401:System:01", "nwparser.payload", "%{info}", processor_chain([ - dup20, - dup14, - dup15, - dup30, - dup31, - dup32, - dup33, -])); - -var msg420 = msg("System:01", part355); - -var select74 = linear_select([ - msg419, - msg420, -]); - -var part356 = match("MESSAGE#402:Analyzing", "nwparser.payload", "Analyzing the database.%{}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Analyzing the database"), -])); - -var msg421 = msg("Analyzing", part356); - -var part357 = match("MESSAGE#403:Connection", "nwparser.payload", "Connection to the new database was successful. %{action}.", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Connection to the new database was successful"), -])); - -var msg422 = msg("Connection", part357); - -var part358 = match("MESSAGE#404:Handling", "nwparser.payload", "Handling %{fld1->} trigger(s) that missed their scheduled fire-time.", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Handling trigger(s) that missed their scheduled fire-time"), -])); - -var msg423 = msg("Handling", part358); - -var part359 = match("MESSAGE#406:LDAP", "nwparser.payload", "LDAP authentication requires resolution%{}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","LDAP authentication requires resolution"), -])); - -var msg424 = msg("LDAP", part359); - -var part360 = match("MESSAGE#407:Maintenance", "nwparser.payload", "Maintenance Task Started%{}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Maintenance Task Started"), -])); - -var msg425 = msg("Maintenance", part360); - -var msg426 = msg("Migration", dup61); - -var msg427 = msg("Mobile", dup68); - -var msg428 = msg("ConsoleScanImporter", dup68); - -var part361 = match("MESSAGE#421:Postgres:01", "nwparser.payload", "%{event_description}. Cleaning up. %{directory}", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Cleaning up"), -])); - -var msg429 = msg("Postgres:01", part361); - -var part362 = match("MESSAGE#422:Succesfully", "nwparser.payload", "Succesfully %{event_description->} to %{dport}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg430 = msg("Succesfully", part362); - -var part363 = match("MESSAGE#423:Unzipped", "nwparser.payload", "%{action->} %{fld1->} bytes into %{directory}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg431 = msg("Unzipped", part363); - -var part364 = match("MESSAGE#424:vacuumdb", "nwparser.payload", "%{process->} executed with a return value of %{resultcode}.", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg432 = msg("vacuumdb", part364); - -var part365 = match("MESSAGE#425:Processed_vuln", "nwparser.payload", "Started: %{fld2}T%{fld3}] [Duration: %{fld4}] Processed vuln check types for %{fld5->} vuln checks.", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Processed vuln check types"), -])); - -var msg433 = msg("Processed_vuln", part365); - -var part366 = match("MESSAGE#430:Reflections", "nwparser.payload", "Reflections %{event_description}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var msg434 = msg("Reflections", part366); - -var part367 = match("MESSAGE#431:CorrelationAttributes", "nwparser.payload", "0.16: %{info}", processor_chain([ - dup20, - dup15, -])); - -var msg435 = msg("CorrelationAttributes", part367); - -var part368 = match("MESSAGE#432:CorrelationAttributes:01", "nwparser.payload", "0.49: %{info}", processor_chain([ - dup20, - dup15, -])); - -var msg436 = msg("CorrelationAttributes:01", part368); - -var part369 = match("MESSAGE#433:CorrelationAttributes:02", "nwparser.payload", "0.245: %{info}", processor_chain([ - dup20, - dup15, -])); - -var msg437 = msg("CorrelationAttributes:02", part369); - -var part370 = match("MESSAGE#434:CorrelationAttributes:03", "nwparser.payload", "0.325: %{info}", processor_chain([ - dup20, - dup15, -])); - -var msg438 = msg("CorrelationAttributes:03", part370); - -var msg439 = msg("ConsoleProductInfoProvider", dup69); - -var msg440 = msg("NSXAssetEventHandler", dup69); - -var msg441 = msg("ProductNotificationService", dup69); - -var msg442 = msg("AssetEventHandler", dup69); - -var msg443 = msg("SiteEventHandler", dup69); - -var msg444 = msg("UserEventHandler", dup69); - -var msg445 = msg("VulnerabilityExceptionEventHandler", dup69); - -var msg446 = msg("TagEventHandler", dup69); - -var msg447 = msg("AssetGroupEventHandler", dup69); - -var msg448 = msg("ScanEventHandler", dup69); - -var part371 = match("MESSAGE#445:Not_configured:18", "nwparser.payload", "com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size is not configured - returning default value %{result}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size is not configured"), -])); - -var msg449 = msg("Not_configured:18", part371); - -var part372 = match("MESSAGE#446:Not_configured:19", "nwparser.payload", "com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond is not configured - returning default value %{result}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond is not configured"), -])); - -var msg450 = msg("Not_configured:19", part372); - -var part373 = match("MESSAGE#447:Not_configured:20", "nwparser.payload", "com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration is not configured - returning default value %{result}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration is not configured"), -])); - -var msg451 = msg("Not_configured:20", part373); - -var part374 = match("MESSAGE#448:Not_configured:21", "nwparser.payload", "com.rapid7.nexpose.nse.excludedFileSystems is not configured - returning default value %{result}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.nse.excludedFileSystems is not configured"), -])); - -var msg452 = msg("Not_configured:21", part374); - -var part375 = match("MESSAGE#449:Not_configured:22", "nwparser.payload", "com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable is not configured - returning default value %{result}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable is not configured"), -])); - -var msg453 = msg("Not_configured:22", part375); - -var part376 = match("MESSAGE#450:Not_configured:23", "nwparser.payload", "com.rapid7.nexpose.scan.logMemory.interval is not configured - returning default value %{result}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.scan.logMemory.interval is not configured"), -])); - -var msg454 = msg("Not_configured:23", part376); - -var part377 = match("MESSAGE#451:Not_configured:24", "nwparser.payload", "com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations is not configured - returning default value %{result}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations is not configured"), -])); - -var msg455 = msg("Not_configured:24", part377); - -var part378 = match("MESSAGE#452:Not_configured:25", "nwparser.payload", "com.rapid7.scan.perTestDurationLogging is not configured - returning default value %{result}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.scan.perTestDurationLogging is not configured"), -])); - -var msg456 = msg("Not_configured:25", part378); - -var part379 = match("MESSAGE#453:Not_configured:26", "nwparser.payload", "com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured - returning default value %{result}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured"), -])); - -var msg457 = msg("Not_configured:26", part379); - -var part380 = match("MESSAGE#454:Not_configured:27", "nwparser.payload", "com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size is not configured - returning default value %{result}.", processor_chain([ - dup56, - dup14, - dup15, - setc("event_description","com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size is not configured"), -])); - -var msg458 = msg("Not_configured:27", part380); - -var part381 = match("MESSAGE#455:Spring", "nwparser.payload", "%{process->} detected on classpath: [%{fld2}]", processor_chain([ - dup20, - dup14, - dup15, - setc("action","detected"), -])); - -var msg459 = msg("Spring", part381); - -var part382 = match("MESSAGE#456:Storing", "nwparser.payload", "%{fld1}] [%{fld2}] Storing scan details for %{event_type}.", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Storing scan details"), -])); - -var msg460 = msg("Storing", part382); - -var part383 = match("MESSAGE#457:Clearing", "nwparser.payload", "Clearing object tracker after %{dclass_counter1->} hits and %{dclass_counter2->} misses.", processor_chain([ - dup20, - dup14, - dup15, - setc("action","Clearing object tracker"), -])); - -var msg461 = msg("Clearing", part383); - -var part384 = match("MESSAGE#458:All", "nwparser.payload", "%{fld1}] [%{fld2}] All scan engines are up to date.", processor_chain([ - dup20, - dup14, - dup15, - setc("result","All scan engines are up to date"), -])); - -var msg462 = msg("All", part384); - -var part385 = match("MESSAGE#459:New", "nwparser.payload", "New Provider %{audit_object->} discovered.", processor_chain([ - dup20, - dup14, - dup15, - setc("action","New Provider discovered"), -])); - -var msg463 = msg("New", part385); - -var part386 = match("MESSAGE#463:Session", "nwparser.payload", "%{fld1}] [%{fld2}] [%{fld3}] Session created.", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Session created"), -])); - -var msg464 = msg("Session", part386); - -var part387 = match("MESSAGE#464:Debug", "nwparser.payload", "Debug logging is not enabled for this scan.%{}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Debug logging is not enabled"), -])); - -var msg465 = msg("Debug", part387); - -var msg466 = msg("Debug:01", dup61); - -var select75 = linear_select([ - msg465, - msg466, -]); - -var part388 = match("MESSAGE#466:ACES", "nwparser.payload", "ACES logging is not enabled.%{}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","ACES logging is not enabled"), -])); - -var msg467 = msg("ACES", part388); - -var msg468 = msg("ACES:01", dup61); - -var select76 = linear_select([ - msg467, - msg468, -]); - -var part389 = match("MESSAGE#468:Invulnerable", "nwparser.payload", "Invulnerable Data Storage is on.%{}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Invulnerable Data Storage is on"), -])); - -var msg469 = msg("Invulnerable", part389); - -var part390 = match("MESSAGE#469:Nmap", "nwparser.payload", "Nmap ARP Ping for local networks%{}", processor_chain([ - dup20, - dup14, - dup15, - setc("event_description","Nmap ARP Ping for local networks"), -])); - -var msg470 = msg("Nmap", part390); - -var part391 = match("MESSAGE#470:Nmap:01", "nwparser.payload", "%{event_description}", processor_chain([ - setc("eventcategory","1801000000"), - dup14, - dup15, -])); - -var msg471 = msg("Nmap:01", part391); - -var select77 = linear_select([ - msg470, - msg471, -]); - -var part392 = match("MESSAGE#471:Cause/0_0", "nwparser.payload", "Authentication %{result->} for principal %{fld}] %{info}"); - -var part393 = match("MESSAGE#471:Cause/0_1", "nwparser.payload", " %{result}] %{info}"); - -var select78 = linear_select([ - part392, - part393, -]); - -var all20 = all_match({ - processors: [ - select78, - ], - on_success: processor_chain([ - setc("eventcategory","1301000000"), - dup14, - dup15, - ]), -}); - -var msg472 = msg("Cause", all20); - -var part394 = match("MESSAGE#472:NEXPOSE_GENERIC", "nwparser.payload", "%{fld1}", processor_chain([ - setc("eventcategory","1901000000"), - dup15, -])); - -var msg473 = msg("NEXPOSE_GENERIC", part394); - -var chain1 = processor_chain([ - select4, - msgid_select({ - "0.16": msg435, - "0.245": msg437, - "0.325": msg438, - "0.49": msg436, - "A": msg235, - "ACES": select76, - "Accepting": msg327, - "Acknowledged": msg273, - "Acknowledging": msg272, - "Activation": msg271, - "Adding": select25, - "Administrative": select49, - "Advertising": msg217, - "All": msg462, - "AllowUseOriginalMessage": msg349, - "An": msg287, - "Analyzing": msg421, - "Apache": msg347, - "Applying": msg164, - "Approved": msg267, - "Asserting": select28, - "AssetEventHandler": msg442, - "AssetGroupEventHandler": msg447, - "At": msg286, - "Attempting": select26, - "Authenticated": msg85, - "Authentication": select23, - "Auto-update": msg266, - "Available": msg308, - "Backing": msg372, - "Benchmark": msg365, - "Bulk": msg314, - "CIFS": msg203, - "CPU": msg304, - "CSIDL_SYSTEM": msg209, - "CSIDL_SYSTEMX86": msg208, - "Cached:": msg204, - "Cannot": select68, - "Cataloged": msg103, - "Cause": msg472, - "Changing": select70, - "CheckProcessor:": msg248, - "Checking": select41, - "Cleaning": select64, - "Clearing": msg461, - "Closing": select39, - "Compiling": msg318, - "Completed": select40, - "Computer": msg302, - "Configuring": msg336, - "Connection": msg422, - "Console": select12, - "ConsoleProductInfoProvider": msg439, - "ConsoleScanImporter": msg428, - "Context": msg397, - "Copied": msg398, - "Could": msg125, - "Created": select57, - "Creating": msg240, - "Current": select58, - "DB_VERSION": msg357, - "DEFAULT": msg396, - "DNS": msg172, - "Database": select62, - "Debug": select75, - "Default": msg346, - "Deleted": msg345, - "Delivered": msg391, - "Deploying": msg282, - "Destroying": msg277, - "Detected": msg329, - "Determining": select29, - "Disk": msg309, - "Done": select17, - "Downloaded": msg290, - "Downloading": msg289, - "Dumping": msg104, - "ERROR": select7, - "ERROR:": msg370, - "Enabling": msg333, - "Engine": msg392, - "Enumerating": msg205, - "Error": msg353, - "Establishing": msg264, - "EventLog": msg359, - "Exchange": msg211, - "Executing": select48, - "Exploits": msg413, - "ExtMgr": select8, - "FTP": msg149, - "Failed": msg112, - "Failure": msg414, - "Finished": select53, - "Firefox": msg259, - "Flash": msg183, - "Form": msg105, - "Found": select33, - "Freed": msg393, - "Freeing": select56, - "Generating": msg283, - "Getting": msg190, - "Got": msg156, - "Graceful": msg354, - "Granting": msg334, - "HHH000436:": msg268, - "Handling": msg423, - "Host": select42, - "IE": msg192, - "IP": msg218, - "Imported": select61, - "Importing": msg315, - "Inconsistency": msg83, - "Initialized": select66, - "Initializing": select51, - "Inserted": msg344, - "Installed": msg343, - "Installing": select37, - "Interrupted,": msg47, - "Invocation": msg278, - "Invulnerable": msg469, - "JAR": msg276, - "JMX": msg348, - "JRE": msg179, - "JVM": msg310, - "Java": msg399, - "Job": msg402, - "JobStoreCMT": msg403, - "Kill": msg295, - "LDAP": msg424, - "Listing": msg189, - "Loaded": select52, - "Loading": msg241, - "Local": msg356, - "Locating": msg249, - "Logging": msg258, - "MDAC": msg181, - "Maintenance": msg425, - "Making": msg360, - "Microsoft": msg180, - "Migration": msg426, - "Mobile": msg427, - "NEXPOSE_GENERIC": msg473, - "NOT_VULNERABLE": select5, - "NOT_VULNERABLE_VERSION": msg1, - "NSE": select11, - "NSXAssetEventHandler": msg440, - "Name": msg182, - "New": msg463, - "Nexpose": select13, - "Nmap": select77, - "No": select35, - "Number": msg305, - "OS": msg364, - "Operating": msg303, - "PG": select69, - "Parsed": msg178, - "Parsing": msg322, - "Patching": msg275, - "Pausing": msg311, - "Performing": select20, - "Policy": select60, - "Populating": msg358, - "PostgreSQL": msg340, - "Postgres": msg429, - "Preparing": msg67, - "Processed": msg433, - "Processing": msg97, - "Product": msg298, - "ProductNotificationService": msg441, - "ProtocolFper": msg31, - "Quartz": select71, - "QuartzRepeaterBuilder": msg371, - "Queued": msg252, - "Queueing": select18, - "Reading": msg253, - "Recovering": msg407, - "Recovery": msg408, - "Recursively": select27, - "Reflections": msg434, - "Refreshing": msg270, - "Registered": select54, - "Registering": msg254, - "Reinitializing": msg416, - "Relaunching": msg106, - "Remapped": msg324, - "Remapping": msg323, - "Removed": select72, - "Removing": msg285, - "Renamed": msg415, - "Replaced": select73, - "Report": select67, - "Requested": msg292, - "Resolving": msg171, - "Response": msg265, - "Restarting": msg291, - "Restoring": msg411, - "Retrieved": msg202, - "Retrieving": msg155, - "Rewrote": msg65, - "Route:": select55, - "Running": select30, - "SPIDER": msg66, - "SPIDER-XSS": msg96, - "SQL": msg212, - "Scan": select22, - "ScanEventHandler": msg448, - "ScanMgr": select9, - "Scanning": msg173, - "Scheduler": select63, - "Searching": msg109, - "Security": select15, - "Seeing": msg257, - "Sending": msg118, - "Service": select32, - "Session": msg464, - "Setting": msg361, - "Shutdown": msg49, - "Shutting": msg46, - "Site": msg84, - "SiteEventHandler": msg443, - "Skipping": msg184, - "Spring": msg459, - "Staged": msg269, - "Staging": msg284, - "Started": select47, - "Starting": select34, - "Stopping": msg331, - "Storing": msg460, - "StreamCaching": msg355, - "Succesfully": msg430, - "Successfully": msg263, - "Super": msg301, - "Synchronizing": msg321, - "System": select74, - "SystemFingerprint": msg108, - "TCP": msg250, - "TCPSocket": msg110, - "TagEventHandler": msg446, - "Telling": msg330, - "The": msg288, - "Total": select59, - "Truncating": msg320, - "Trusted": msg121, - "Trying": msg64, - "UDP": msg251, - "Unzipped": msg431, - "Update": select36, - "Updated": select46, - "Updating": select43, - "Upgrading": msg412, - "User": select24, - "UserEventHandler": msg444, - "Using": msg279, - "VERSION": msg328, - "VULNERABLE": select6, - "VULNERABLE_VERSION": msg2, - "Validating": msg274, - "Verifying": msg363, - "Version": msg335, - "Version:": msg191, - "Vulnerability": msg319, - "VulnerabilityExceptionEventHandler": msg445, - "Web": select16, - "Webmin": msg133, - "Windows": select38, - "building": msg117, - "but": msg98, - "checking": msg158, - "com.rapid.nexpose.scanpool.stateInterval": msg373, - "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout": msg374, - "com.rapid7.nexpose.comms.clientConnectionProvider.getConnectionTimeout": msg375, - "com.rapid7.nexpose.datastore.connection.evictionThreadTime": msg376, - "com.rapid7.nexpose.datastore.eviction.connection.threadIdleTimeout": msg377, - "com.rapid7.nexpose.nsc.critical.task.executor.core.thread.pool.size": msg449, - "com.rapid7.nexpose.nsc.critical.task.executor.max.thread.pool.size": msg458, - "com.rapid7.nexpose.nsc.dbcc": msg378, - "com.rapid7.nexpose.nsc.scan.multiengine.scanHaltTimeoutMilliSecond": msg450, - "com.rapid7.nexpose.nsc.scan.scan.event.monitor.poll.duration": msg451, - "com.rapid7.nexpose.nsc.scanExecutorService.maximumCorePoolSize": msg379, - "com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize": msg380, - "com.rapid7.nexpose.nsc.scanExecutorService.monitorCorePoolSizeIncreaseOnSaturation": msg381, - "com.rapid7.nexpose.nsc.scanExecutorService.monitorEnabled": msg382, - "com.rapid7.nexpose.nsc.scanExecutorService.monitorInterval": msg383, - "com.rapid7.nexpose.nse.excludedFileSystems": msg452, - "com.rapid7.nexpose.nse.nscClient.connectTimeout": msg384, - "com.rapid7.nexpose.nse.nscClient.readTimeout": msg385, - "com.rapid7.nexpose.reportGenerator.assetCollectionUpdateTimeout": msg386, - "com.rapid7.nexpose.scan.consolidation.delay": msg387, - "com.rapid7.nexpose.scan.lifecyclemonitor.delay": msg388, - "com.rapid7.nexpose.scan.logCPUMemoryToMemLog.enable": msg453, - "com.rapid7.nexpose.scan.logMemory.interval": msg454, - "com.rapid7.nexpose.scan.monitor.numberSavedAssetDurations": msg455, - "com.rapid7.nexpose.scan.usescanpool": msg389, - "com.rapid7.nsc.workflow.timeout": msg390, - "com.rapid7.scan.perTestDurationLogging": msg456, - "com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism": msg457, - "common": msg261, - "connected": msg111, - "creating": msg120, - "credentials": msg95, - "dcerpc-get-ms-blaster-codes": msg124, - "initdb": msg362, - "j_password": msg99, - "j_username": msg100, - "jess.JessException:": msg262, - "key": msg188, - "list-user-directory": msg123, - "loading": msg153, - "main": msg107, - "nodes": msg260, - "office": msg210, - "osspi_defaultTargetLocation": msg101, - "param:": msg174, - "persistent-xss": msg92, - "removing": msg332, - "sending": msg119, - "shutting": msg48, - "signon_type": msg122, - "spider-parse-robot-exclusions": msg102, - "starting": msg213, - "trying": msg154, - "unexpected": msg157, - "using": msg142, - "vacuumdb": msg432, - }), -]); - -var hdr37 = match("HEADER#1:0022/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{p0}"); - -var part395 = match("HEADER#1:0022/1_1", "nwparser.p0", "%{hpriority}][%{p0}"); - -var part396 = match("HEADER#1:0022/1_2", "nwparser.p0", "%{hpriority}[%{p0}"); - -var hdr38 = match("HEADER#18:0034/0", "message", "%NEXPOSE-%{hfld49}: %{hdate}T%{htime->} [%{hpriority}]%{p0}"); - -var part397 = match("HEADER#18:0034/1_0", "nwparser.p0", " [%{p0}"); - -var part398 = match("HEADER#18:0034/1_1", "nwparser.p0", "[%{p0}"); - -var part399 = match("MESSAGE#17:NSE:01/0", "nwparser.payload", "%{} %{p0}"); - -var part400 = match("MESSAGE#52:Scan:06/0", "nwparser.payload", "Scan: [ %{p0}"); - -var part401 = match("MESSAGE#52:Scan:06/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); - -var part402 = match("MESSAGE#52:Scan:06/1_1", "nwparser.p0", "%{saddr->} %{p0}"); - -var select79 = linear_select([ - dup7, - dup8, -]); - -var part403 = match("MESSAGE#416:Nexpose:12", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var part404 = match("MESSAGE#46:SPIDER", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup17, -])); - -var select80 = linear_select([ - dup41, - dup42, -]); - -var part405 = match("MESSAGE#93:Attempting", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup14, - dup15, - dup16, - dup29, - dup30, - dup31, - dup32, - dup33, - dup34, -])); - -var part406 = match("MESSAGE#120:path", "nwparser.payload", "%{info}", processor_chain([ - dup20, - dup15, -])); - -var part407 = match("MESSAGE#318:Loaded:01", "nwparser.payload", "%{info}", processor_chain([ - dup20, - dup14, - dup15, -])); - -var part408 = match("MESSAGE#236:Finished:03", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup15, -])); - -var part409 = match("MESSAGE#418:Mobile", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup14, - dup15, - dup25, -])); - -var part410 = match("MESSAGE#435:ConsoleProductInfoProvider", "nwparser.payload", "%{fld1->} %{action}", processor_chain([ - dup20, - dup14, - dup15, - dup59, -])); diff --git a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log deleted file mode 100644 index ed2f7ef05fa..00000000000 --- a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log +++ /dev/null @@ -1,100 +0,0 @@ -%NEXPOSE-nci: SiteEventHandler deny -%NEXPOSE-iin: persistent-xss -%NEXPOSE-tenima: Telling laboreet -%NEXPOSE-giatq: SPIDER-XSS -%NEXPOSE-lupt: 2016-3-26T10:20:16 [xea] [Thread: qua] [Site: luptatev] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value admi. -%NEXPOSE-isaute: tcup -%NEXPOSE-ofdeFini: Using -%NEXPOSE-emulla: mpori -%NEXPOSE-nisiuta: 2016-5-22T2:30:33 [tvolu] ecte[Thread: Migration] [Started: tinvolu] [Duration: iurer] iciadese -%NEXPOSE-iumtotam: Invocation: -%NEXPOSE-tectobe: Nequepo ConsoleScanImporter: -%NEXPOSE-tur: roi credentials: -%NEXPOSE-equatu: upta -%NEXPOSE-itam: str Approved: -%NEXPOSE-ionemu: eetdolo -%NEXPOSE-amcol: 2016-8-30T3:48:33 [adeser] [Thread: oin] [Site: mvenia] com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value madminim. -%NEXPOSE-siutaliq: dutp -%NEXPOSE-isau: HHH000436: -%NEXPOSE-rumwrit: Skipping -%NEXPOSE-eri: 2016-10-26T7:58:50 [quunt] [Thread: olori] [Site: mquae] Freed eriti triggers from 'acquired' / 'blocked' state. -%NEXPOSE-ssecil: nodes: -%NEXPOSE-dquia: 2016-11-24T10:03:59 [temporin] [Thread: dol] [Site: tatione] SiteEventHandler deny -%NEXPOSE-nsec: quidolor j_password: -%NEXPOSE-veniamq: 2016-12-23T12:09:07 [occ] oloreseo[Thread: Mobile] [Started: iruredol] [Duration: veniamqu] licaboN -%NEXPOSE-nse: 2017/01/06T07:11:41 [modoc] [Thread: boNem] [Site: iumt] Database tsed -%NEXPOSE-enim: 2017-1-20T2:14:16 [Finibus] radi[Thread: Migration] [Started: xeacom] [Duration: des] atnulapa -%NEXPOSE-msequ: uat -%NEXPOSE-ataevita: oremqu -%NEXPOSE-oremi: ugitsedq -%NEXPOSE-ipsaqu: TagEventHandler cancel -%NEXPOSE-tiaecon: Acknowledged: -%NEXPOSE-itametc: ProductNotificationService: allow -%NEXPOSE-olori: ido -%NEXPOSE-lpaquiof: Activation 2017-5-14T10:34:50 oloreeu -%NEXPOSE-umfugi: 2017-5-29T5:37:24 [stquidol] [Thread: Nemoenim] [Site: imadmini] Populating ide -%NEXPOSE-olu: 2017-6-12T12:39:58 [iameaque] identsun[Thread: Error] [Started: ender] [Duration: inc] tect -%NEXPOSE-magnam: 2017-6-26T7:42:33 [uinesc] cid[Thread: Upgrading] [Started: emi] [Duration: Bonorum] Upgrading databaselesti -%NEXPOSE-assi: 2017-7-11T2:45:07 [eserun] [Thread: rvelill] [Site: lupta] Default -%NEXPOSE-tatevel: midestl -%NEXPOSE-ufugi: An 2017-8-8T4:50:15 cin -%NEXPOSE-onofdeF: 2017-8-22T11:52:50 [ibusBo] orin[Thread: PostgreSQL] [Started: enia] [Duration: iavol] PostgreSQL natuserr -%NEXPOSE-orsitam: 2017-9-6T6:55:24 [iquaUten] [Thread: prehende] [Site: lup] com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured - returning default value tpers. -%NEXPOSE-aea: 2017/09/20T13:57:58 [tvolu] dutper[Thread: Remapped] [Started: tlaboru] [Duration: aeabillo] Started: ciad] [Duration: ugiatqu] Remapped eruntmo -%NEXPOSE-uatu: Shutting down ' -%NEXPOSE-ende: DEFAULT SCHEDULER: ' -%NEXPOSE-mexerci: 2017-11-2T11:05:41 [urEx] [Thread: ditaut] [Site: ctetur] Storing ] [mvolupta] Storing scan details for squame. -%NEXPOSE-exe: Reading -%NEXPOSE-eddoei: Benchmark lorumw -%NEXPOSE-ctionofd: j_password: -%NEXPOSE-boreetd: tNe -%NEXPOSE-ntocca: 2018-1-12T10:18:32 [trudex] tvol[Thread: com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout] [Started: lup] [Duration: mipsamv] com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured - returning default value exeacomm. -%NEXPOSE-iadeseru: Adding -%NEXPOSE-eosqui: iatquo -%NEXPOSE-iqu: Establishing 2018-2-24T7:26:15 quamqua -%NEXPOSE-diduntut: 2018/03/11T02:28:49 [rroq] olore[Thread: Deleted] [Started: eratvolu] [Duration: oconsequ] Started: roqui] [Duration: oluptate] Deleted ntut -%NEXPOSE-aturve: Error 2018-3-25T9:31:24 edqui -%NEXPOSE-Loremip: Requested: -%NEXPOSE-nge: 2018/04/22T23:36:32 [psum] tate[Thread: 0.16] [Started: dtempo] [Duration: lumqu] 0.16: moen -%NEXPOSE-tur: The: -%NEXPOSE-mipsa: 2018-5-21T1:41:41 [uas] iat[Thread: Renamed] [Started: hite] [Duration: adipis] Renamed abo to suntex -%NEXPOSE-exerc: Retrieving -%NEXPOSE-uaturQ: but: -%NEXPOSE-dolor: 2018-7-3T10:49:23 [equunt] [Thread: mto] [Site: iae] Invocation -%NEXPOSE-magnido: mcolab -%NEXPOSE-tiumd: Dumping -%NEXPOSE-orisnis: umq -%NEXPOSE-intoc: 2018-8-29T2:59:40 [obeataev] [Thread: rrorsit] [Site: aincid] Populating umquid -%NEXPOSE-uisno: enat -%NEXPOSE-oriss: imadmin suntexpl JVM frames : urve -%NEXPOSE-lupta: utla -%NEXPOSE-ntore: 2018-10-25T7:09:57 [tect] ion[Thread: AssetGroupEventHandler] [Started: tutl] [Duration: niam] oru accept -%NEXPOSE-ostr: amcorp 0.49: iadolo -%NEXPOSE-mali: 2018-11-23T9:15:06 [amestqu] qui[Thread: loading] [Started: nemullam] [Duration: modoco] maveni -%NEXPOSE-upt: 2018-12-7T4:17:40 [giatquo] toccaec[Thread: Closing] [Started: nihilmo] [Duration: atquo] Engine: umetMa] [Engine ID: ngelitse] Closing connection to scan engine. -%NEXPOSE-eosqu: reetdolo -%NEXPOSE-ten: 2019-1-5T6:22:49 [Utenim] [Thread: itationu] [Site: eprehen] NSXAssetEventHandler cancel -%NEXPOSE-Neq: rcita -%NEXPOSE-quatD: 2019-2-2T8:27:57 [nevol] lumquid[Thread: removing] [Started: Sectio] [Duration: tiumdol] removing laud -%NEXPOSE-atquo: 2019-2-17T3:30:32 [estl] [Thread: ern] [Site: ationula] Recovering abilloin emape -%NEXPOSE-Malor: 2019-3-3T10:33:06 [amn] [Thread: nre] [Site: sintoc] com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured - returning default value unknown. -%NEXPOSE-pta: 2019-3-17T5:35:40 [ididunt] tlaboree[Thread: Setting] [Started: sequa] [Duration: erc] Setting isq -%NEXPOSE-ptate: oloreeu credentials: -%NEXPOSE-iscinge: Populating ora -%NEXPOSE-orincidi: ScanEventHandler: cancel -%NEXPOSE-mSecti: Updating ius -%NEXPOSE-aturExc: 2019-5-28T4:48:31 [rsit] intocca[Thread: No] [Started: equuntu] [Duration: ntutlab] eaq -%NEXPOSE-ipis: 2019-6-11T11:51:06 [nsecte] [Thread: miurere] [Site: tat] persistent-xss -%NEXPOSE-olupta: 2019-6-25T6:53:40 [ape] amestqu[Thread: Activation] [Started: luptas] [Duration: ariatu] psumqui -%NEXPOSE-uunturm: 2019-7-10T1:56:14 [nonnumq] tqu[Thread: AssetGroupEventHandler] [Started: ntocca] [Duration: emquelau] adolorsi allow -%NEXPOSE-agn: Stopping eritinvo -%NEXPOSE-uisaut: 2019-8-7T4:01:23 [apar] ulpaq[Thread: ConsoleScanImporter] [Started: reeuf] [Duration: orinrepr] tinvo -%NEXPOSE-ctobeat: common -%NEXPOSE-olab: remagnam Destroying: -%NEXPOSE-adipi: idid Destroying: -%NEXPOSE-lore: 2019-10-3T8:11:40 [uisautem] olorsi[Thread: Job] [Started: everitat] [Duration: tetu] Job execution threads will use class loader of thread: stlaboru -%NEXPOSE-mco: 2019-10-18T3:14:14 [nofdeF] itvolupt[Thread: com.rapid7.nexpose.datastore.connection.evictionThreadTime] [Started: uradip] [Duration: perspi] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value uaer. -%NEXPOSE-tenim: 2019-11-1T10:16:48 [osqu] cti[Thread: Restarting] [Started: orsitvo] [Duration: elit] iono -%NEXPOSE-tempori: sedquian -%NEXPOSE-umfu: No -%NEXPOSE-nisi: credentials: diff --git a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json b/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json deleted file mode 100644 index 741cde33d3f..00000000000 --- a/x-pack/filebeat/module/rapid7/nexpose/test/generated.log-expected.json +++ /dev/null @@ -1,1855 +0,0 @@ -[ - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-nci: SiteEventHandler deny", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 0, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-iin: persistent-xss ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 36, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-tenima: Telling laboreet", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 66, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-giatq: SPIDER-XSS ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 100, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "[Site:", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-lupt: 2016-3-26T10:20:16 [xea] [Thread: qua] [Site: luptatev] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value admi.", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 128, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "[Site:", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-isaute: tcup", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 308, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-ofdeFini: Using ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 330, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-emulla: mpori", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 356, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "Migration", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-nisiuta: 2016-5-22T2:30:33 [tvolu] ecte[Thread: Migration] [Started: tinvolu] [Duration: iurer] iciadese", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 379, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.event_desc": "iciadese", - "rsa.internal.messageid": "Migration", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-iumtotam: Invocation: ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 493, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-tectobe: Nequepo ConsoleScanImporter: ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 525, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-tur: roi credentials: ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 573, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-equatu: upta", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 605, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-itam: str Approved: ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 627, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-ionemu: eetdolo", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 657, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "[Site:", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-amcol: 2016-8-30T3:48:33 [adeser] [Thread: oin] [Site: mvenia] com.rapid7.nexpose.nse.nscClient.connectTimeout is not configured - returning default value madminim.", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 682, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "[Site:", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-siutaliq: dutp", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 856, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-isau: HHH000436: ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 880, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-rumwrit: Skipping ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 907, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "[Site:", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-eri: 2016-10-26T7:58:50 [quunt] [Thread: olori] [Site: mquae] Freed eriti triggers from 'acquired' / 'blocked' state.", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 935, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "[Site:", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-ssecil: nodes: ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 1062, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "[Site:", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-dquia: 2016-11-24T10:03:59 [temporin] [Thread: dol] [Site: tatione] SiteEventHandler deny", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 1087, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "[Site:", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-nsec: quidolor j_password: ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 1187, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.action": "Shutting down", - "event.code": "Mobile", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-veniamq: 2016-12-23T12:09:07 [occ] oloreseo[Thread: Mobile] [Started: iruredol] [Duration: veniamqu] licaboN", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 1224, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.event_desc": "licaboN", - "rsa.internal.messageid": "Mobile", - "rsa.misc.action": [ - "Shutting down" - ], - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "[Site:", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-nse: 2017/01/06T07:11:41 [modoc] [Thread: boNem] [Site: iumt] Database tsed", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 1342, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "[Site:", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "Migration", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-enim: 2017-1-20T2:14:16 [Finibus] radi[Thread: Migration] [Started: xeacom] [Duration: des] atnulapa", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 1427, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.event_desc": "atnulapa", - "rsa.internal.messageid": "Migration", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-msequ: uat", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 1537, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-ataevita: oremqu", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 1557, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-oremi: ugitsedq", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 1583, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-ipsaqu: TagEventHandler cancel", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 1608, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-tiaecon: Acknowledged: ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 1648, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-itametc: ProductNotificationService: allow", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 1681, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-olori: ido", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 1733, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "Activation", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-lpaquiof: Activation 2017-5-14T10:34:50 oloreeu", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 1753, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.event_desc": "oloreeu", - "rsa.internal.messageid": "Activation", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "[Site:", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-umfugi: 2017-5-29T5:37:24 [stquidol] [Thread: Nemoenim] [Site: imadmini] Populating ide", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 1810, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "[Site:", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "Error", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-olu: 2017-6-12T12:39:58 [iameaque] identsun[Thread: Error] [Started: ender] [Duration: inc] tect", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 1907, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.db.index": "tect", - "rsa.internal.messageid": "Error", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.action": "Upgrading database", - "event.code": "Upgrading", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-magnam: 2017-6-26T7:42:33 [uinesc] cid[Thread: Upgrading] [Started: emi] [Duration: Bonorum] Upgrading databaselesti", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 2013, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "Upgrading", - "rsa.misc.action": [ - "Upgrading database" - ], - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "[Site:", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-assi: 2017-7-11T2:45:07 [eserun] [Thread: rvelill] [Site: lupta] Default ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 2139, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "[Site:", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-tatevel: midestl", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 2222, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "An", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-ufugi: An 2017-8-8T4:50:15 cin", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 2248, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.event_desc": "cin", - "rsa.internal.messageid": "An", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "PostgreSQL", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-onofdeF: 2017-8-22T11:52:50 [ibusBo] orin[Thread: PostgreSQL] [Started: enia] [Duration: iavol] PostgreSQL natuserr", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 2288, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.db.index": "natuserr", - "rsa.internal.messageid": "PostgreSQL", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "[Site:", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-orsitam: 2017-9-6T6:55:24 [iquaUten] [Thread: prehende] [Site: lup] com.rapid7.nexpose.nsc.scanExecutorService.minimumCorePoolSize is not configured - returning default value tpers.", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 2413, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "[Site:", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "Remapped", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-aea: 2017/09/20T13:57:58 [tvolu] dutper[Thread: Remapped] [Started: tlaboru] [Duration: aeabillo] Started: ciad] [Duration: ugiatqu] Remapped eruntmo", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 2604, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.db.index": "eruntmo", - "rsa.internal.messageid": "Remapped", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-uatu: Shutting down '", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 2763, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-ende: DEFAULT SCHEDULER: '", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 2794, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "[Site:", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-mexerci: 2017-11-2T11:05:41 [urEx] [Thread: ditaut] [Site: ctetur] Storing ] [mvolupta] Storing scan details for squame.", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 2830, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "[Site:", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-exe: Reading ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 2960, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-eddoei: Benchmark lorumw", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 2983, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-ctionofd: j_password: ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 3017, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-boreetd: tNe", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 3049, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-ntocca: 2018-1-12T10:18:32 [trudex] tvol[Thread: com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout] [Started: lup] [Duration: mipsamv] com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured - returning default value exeacomm.", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 3071, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.event_desc": "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout is not configured", - "rsa.internal.messageid": "com.rapid7.nexpose.comms.clientConnectionProvider.autoPairTimeout", - "rsa.misc.result_code": "exeacomm", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-iadeseru: Adding ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 3351, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-eosqui: iatquo", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 3378, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "Establishing", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-iqu: Establishing 2018-2-24T7:26:15 quamqua", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 3402, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.event_desc": "quamqua", - "rsa.internal.messageid": "Establishing", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "Deleted", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-diduntut: 2018/03/11T02:28:49 [rroq] olore[Thread: Deleted] [Started: eratvolu] [Duration: oconsequ] Started: roqui] [Duration: oluptate] Deleted ntut", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 3455, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.db.index": "ntut", - "rsa.internal.messageid": "Deleted", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "Error", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-aturve: Error 2018-3-25T9:31:24 edqui", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 3615, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.db.index": "edqui", - "rsa.internal.messageid": "Error", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-Loremip: Requested: ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 3662, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "0.16", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-nge: 2018/04/22T23:36:32 [psum] tate[Thread: 0.16] [Started: dtempo] [Duration: lumqu] 0.16: moen", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 3692, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.db.index": "moen", - "rsa.internal.messageid": "0.16", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-tur: The: ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 3799, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "Renamed", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-mipsa: 2018-5-21T1:41:41 [uas] iat[Thread: Renamed] [Started: hite] [Duration: adipis] Renamed abo to suntex", - "event.outcome": "success", - "file.name": "abo", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 3819, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.db.index": "suntex", - "rsa.internal.messageid": "Renamed", - "rsa.investigations.ec_activity": "Modify", - "rsa.investigations.ec_outcome": "Success", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-exerc: Retrieving ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 3937, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-uaturQ: but: ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 3965, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "[Site:", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-dolor: 2018-7-3T10:49:23 [equunt] [Thread: mto] [Site: iae] Invocation ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 3988, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "[Site:", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-magnido: mcolab", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 4069, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-tiumd: Dumping ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 4094, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-orisnis: umq", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 4119, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "[Site:", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-intoc: 2018-8-29T2:59:40 [obeataev] [Thread: rrorsit] [Site: aincid] Populating umquid", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 4141, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "[Site:", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-uisno: enat", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 4237, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "suntexpl JVM frames", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-oriss: imadmin suntexpl JVM frames : urve", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 4258, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "suntexpl JVM frames", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-lupta: utla", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 4332, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.action": "accept", - "event.code": "AssetGroupEventHandler", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-ntore: 2018-10-25T7:09:57 [tect] ion[Thread: AssetGroupEventHandler] [Started: tutl] [Duration: niam] oru accept", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 4353, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "AssetGroupEventHandler", - "rsa.misc.action": [ - "accept" - ], - "service.name": "fld1", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-ostr: amcorp 0.49: iadolo", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 4475, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "loading", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-mali: 2018-11-23T9:15:06 [amestqu] qui[Thread: loading] [Started: nemullam] [Duration: modoco] maveni", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 4510, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.event_desc": "maveni", - "rsa.internal.messageid": "loading", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "Closing", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-upt: 2018-12-7T4:17:40 [giatquo] toccaec[Thread: Closing] [Started: nihilmo] [Duration: atquo] Engine: umetMa] [Engine ID: ngelitse] Closing connection to scan engine.", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 4621, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.event_desc": "Closing connection to scan engine", - "rsa.internal.messageid": "Closing", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-eosqu: reetdolo", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 4798, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "[Site:", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-ten: 2019-1-5T6:22:49 [Utenim] [Thread: itationu] [Site: eprehen] NSXAssetEventHandler cancel", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 4823, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "[Site:", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-Neq: rcita", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 4927, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "removing", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-quatD: 2019-2-2T8:27:57 [nevol] lumquid[Thread: removing] [Started: Sectio] [Duration: tiumdol] removing laud", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 4947, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.db.index": "laud", - "rsa.internal.messageid": "removing", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "[Site:", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-atquo: 2019-2-17T3:30:32 [estl] [Thread: ern] [Site: ationula] Recovering abilloin emape", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 5066, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "[Site:", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "[Site:", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-Malor: 2019-3-3T10:33:06 [amn] [Thread: nre] [Site: sintoc] com.rapid7.thread.threadPoolNonBlockingOpsProviderParallelism is not configured - returning default value unknown.", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 5164, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "[Site:", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "Setting", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-pta: 2019-3-17T5:35:40 [ididunt] tlaboree[Thread: Setting] [Started: sequa] [Duration: erc] Setting isq", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 5348, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.db.index": "isq", - "rsa.internal.messageid": "Setting", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-ptate: oloreeu credentials: ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 5461, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-iscinge: Populating ora", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 5499, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-orincidi: ScanEventHandler: cancel", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 5532, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-mSecti: Updating ius", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 5576, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "No", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-aturExc: 2019-5-28T4:48:31 [rsit] intocca[Thread: No] [Started: equuntu] [Duration: ntutlab] eaq", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 5606, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.event_desc": "eaq", - "rsa.internal.messageid": "No", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "[Site:", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-ipis: 2019-6-11T11:51:06 [nsecte] [Thread: miurere] [Site: tat] persistent-xss ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 5712, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "[Site:", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "Activation", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-olupta: 2019-6-25T6:53:40 [ape] amestqu[Thread: Activation] [Started: luptas] [Duration: ariatu] psumqui", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 5801, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.event_desc": "psumqui", - "rsa.internal.messageid": "Activation", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.action": "allow", - "event.code": "AssetGroupEventHandler", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-uunturm: 2019-7-10T1:56:14 [nonnumq] tqu[Thread: AssetGroupEventHandler] [Started: ntocca] [Duration: emquelau] adolorsi allow", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 5915, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "AssetGroupEventHandler", - "rsa.misc.action": [ - "allow" - ], - "service.name": "fld1", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-agn: Stopping eritinvo", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 6051, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.action": "Shutting down", - "event.code": "ConsoleScanImporter", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-uisaut: 2019-8-7T4:01:23 [apar] ulpaq[Thread: ConsoleScanImporter] [Started: reeuf] [Duration: orinrepr] tinvo", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 6083, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.event_desc": "tinvo", - "rsa.internal.messageid": "ConsoleScanImporter", - "rsa.misc.action": [ - "Shutting down" - ], - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-ctobeat: common ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 6203, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-olab: remagnam Destroying: ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 6229, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-adipi: idid Destroying: ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 6266, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "Job", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-lore: 2019-10-3T8:11:40 [uisautem] olorsi[Thread: Job] [Started: everitat] [Duration: tetu] Job execution threads will use class loader of thread: stlaboru", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 6300, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.db.index": "stlaboru", - "rsa.internal.event_desc": "Job execution threads will use class loader", - "rsa.internal.messageid": "Job", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "com.rapid7.nexpose.datastore.connection.evictionThreadTime", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-mco: 2019-10-18T3:14:14 [nofdeF] itvolupt[Thread: com.rapid7.nexpose.datastore.connection.evictionThreadTime] [Started: uradip] [Duration: perspi] com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured - returning default value uaer.", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 6465, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.event_desc": "com.rapid7.nexpose.datastore.connection.evictionThreadTime is not configured", - "rsa.internal.messageid": "com.rapid7.nexpose.datastore.connection.evictionThreadTime", - "rsa.misc.result_code": "uaer", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "Restarting", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-tenim: 2019-11-1T10:16:48 [osqu] cti[Thread: Restarting] [Started: orsitvo] [Duration: elit] iono", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 6730, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.event_desc": "iono", - "rsa.internal.messageid": "Restarting", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-tempori: sedquian", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 6837, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-umfu: No ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 6864, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - }, - { - "event.code": "NEXPOSE_GENERIC", - "event.dataset": "rapid7.nexpose", - "event.module": "rapid7", - "event.original": "%NEXPOSE-nisi: credentials: ", - "fileset.name": "nexpose", - "input.type": "log", - "log.offset": 6883, - "observer.product": "Nexpose", - "observer.type": "Vulnerability", - "observer.vendor": "Rapid7", - "rsa.internal.messageid": "NEXPOSE_GENERIC", - "service.type": "rapid7", - "tags": [ - "rapid7.nexpose", - "forwarded" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/snort/README.md b/x-pack/filebeat/module/snort/README.md new file mode 100644 index 00000000000..3be60407787 --- /dev/null +++ b/x-pack/filebeat/module/snort/README.md @@ -0,0 +1,7 @@ +# snort module + +This is a module for Snort/Sourcefire logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML snort version 134 +at 2020-09-01 14:18:11.30825 +0000 UTC. + diff --git a/x-pack/filebeat/module/kaspersky/_meta/config.yml b/x-pack/filebeat/module/snort/_meta/config.yml similarity index 88% rename from x-pack/filebeat/module/kaspersky/_meta/config.yml rename to x-pack/filebeat/module/snort/_meta/config.yml index befc314eb68..e3804a605b9 100644 --- a/x-pack/filebeat/module/kaspersky/_meta/config.yml +++ b/x-pack/filebeat/module/snort/_meta/config.yml @@ -1,11 +1,11 @@ -- module: kaspersky - av: +- module: snort + log: enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp # var.syslog_host: localhost - # var.syslog_port: 9514 + # var.syslog_port: 9532 # Set paths for the log files when file input is used. # var.paths: diff --git a/x-pack/filebeat/module/kaspersky/_meta/docs.asciidoc b/x-pack/filebeat/module/snort/_meta/docs.asciidoc similarity index 76% rename from x-pack/filebeat/module/kaspersky/_meta/docs.asciidoc rename to x-pack/filebeat/module/snort/_meta/docs.asciidoc index 0522311ff49..f2ae38f0043 100644 --- a/x-pack/filebeat/module/kaspersky/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/snort/_meta/docs.asciidoc @@ -1,28 +1,28 @@ [role="xpack"] -:modulename: kaspersky +:modulename: snort :has-dashboards: false -== Kaspersky module +== Snort module experimental[] -This is a module for receiving Kaspersky Anti-Virus logs over Syslog or a file. +This is a module for receiving Snort/Sourcefire logs over Syslog or a file. include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] -:fileset_ex: av +:fileset_ex: log include::../include/config-option-intro.asciidoc[] [float] -==== `av` fileset settings +==== `log` fileset settings experimental[] -NOTE: This was converted from RSA NetWitness log parser XML "kasperskyav" device revision 127. +NOTE: This was converted from RSA NetWitness log parser XML "snort" device revision 134. *`var.input`*:: @@ -36,7 +36,7 @@ Set to `0.0.0.0` to bind to all available interfaces. *`var.syslog_port`*:: -The port to listen for syslog traffic. Defaults to `9514` +The port to listen for syslog traffic. Defaults to `9532` NOTE: Ports below 1024 require Filebeat to run as root. @@ -51,7 +51,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/snort/_meta/fields.yml b/x-pack/filebeat/module/snort/_meta/fields.yml new file mode 100644 index 00000000000..f9589132eb0 --- /dev/null +++ b/x-pack/filebeat/module/snort/_meta/fields.yml @@ -0,0 +1,5 @@ +- key: snort + title: Snort/Sourcefire + description: > + snort fields. + fields: diff --git a/x-pack/filebeat/module/snort/fields.go b/x-pack/filebeat/module/snort/fields.go new file mode 100644 index 00000000000..f143694b520 --- /dev/null +++ b/x-pack/filebeat/module/snort/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package snort + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "snort", asset.ModuleFieldsPri, AssetSnort); err != nil { + panic(err) + } +} + +// AssetSnort returns asset data. +// This is the base64 encoded gzipped contents of module/snort. +func AssetSnort() string { + return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb9+78pOUjW5tR8+ynVdXWzUFYpokIgwwBjCkmL/+Cg3McMjBUBIFUPK72w9bsUg2uhtAo3/3d+QK1q+JkUrbvxBiuRXwmly6f764VI1mMOMa/kJICYZpXluu5Gvyb38hhPgfkRkHUZrJX0j4r9f4mfvfd0TSCl4TCXal9NWESwt6RhlM3N+7rxGilqBXmlt4Taxu+p/YdQ2vHYorpcve30uY0UbYApd8TWZUGNj6eIBs+7/3tAKiZsQuoEWMdIiR1QI04GdW09mMM7KghkwBJFFTA3oJ5WRAnzb0DsTMtWrq25Oyy9TNsoi1pGKLvPHVx9aPLbFZpDLzrb/vX2F8wwa78nHBjfse4YY0BkpiFWG0tk3gv6YrUoExdO7+TS1hqgLjiFbu8x3QhLxVc3IKTJWg44R4WHwXqUPJaeHCEqQtHGmJAQeEM3M/sNwgz5mSFqQ17n5waSyVtkXDRHG0vDoEwZLa3Q+G2HGPk1uCUEtWC84WhBIDxnAlyYJbQyh5D/Z3biUY0+7+ZHA0OmLNQjWiJBKWoMkUunNXU22AvANLHWqUzLSqeks9favm5sUFZVdgzbMB+FOugVmxfk5swJuSD+CFhT/hsofmJMpIAUsQB3BSKLl7P7c4eQq1BkZtwKSEGZdQEiUFomXpVACpaB3HqjLzItmF2bPH78I9Pz/9gSypaMKN5yVIy2c8nE64pswSoeZ+v/RgI5A67sCH04Lfc9tRU205awTV+PuwsZPRkzEAfdBJiZ2MAeTxkzK6Jcvj7snL/78n+/fErZpnQ+53fdX0jwIJ2d2WR4Pdkh4i9LKjpsGg6vsYcXNsy3X/74eZsdRCBdI+RuRoU3JbMEF37vAjQQ+k1evHiNjC6VSPETEuD0Msr8bUSo7He9JKoIdIj7xsmwGUKW2oEb0mZmf2vti6BRw2Az1koCTcz4rY0UMG0G+wIsa5uONaORIXZc+rEmWfZ9eAzETsIxEO3pl97BhqdSP5lwY2arTu6A9/Wm8btSdKMvc4UKseu2U7Im6WPK847HP3xC3DZ5zR/n1+q+bkbAnSEu/RJI0sQTsTREMQVAPSZ/waSmLAOiBbP95ew4wbLO0mDGDf22DpNmEA+k6bMvQEpvcvHXYwB3TdgSd348FCmUz6av9c/qqM7YtIsXsiDciSy3n7oYkdm54P6evhLz/kgA1+NMrY84vlT4SWpXaycuy67zJ3QL1VXytzl69ys/fV/7vsddzKLxt25YJ3pPW9ZSWhZM6XIDsn2derCDgWHea/yGuBlI9R+fs6IhqjDg1VrwsNXzLsdT94iBuMdE/XyOUzvzS5wIv0PHizLSUf1zUQRocSZAoEuF2AJp/Opf3hFVGa/CIUtT++JFNq8BS1AbIZnzcaVb8b6D5E3f2K6cYwaD7jM4F/wf16rnK52fZZx+3KX72DQekV1WU2pa4n0Xpk9zl5fvF5S9+jRIOgu1tKiFkbC1V4RAPaDtoC/Ek1nnnu30rzOZdUtL/Z1lZu4EMu/WtPYsT5xedXERYE9AecuD8LOoyGXE7x+mwO6lBxPPT1WQAtQR8ldv0rLkXOT+8TJfX49oOlCOawWOmjdrIJVmT3s9FW0TrfKFp4UZzpcqKEAGaV/hoFsOPeA+TcuDPHDWGedVA6TLcU1bdqV20hexj9CC2+ik0fi6paKYPJbpWSZLoebBohGr40YKwDaHhVi3XYJ/dlJ+gJULYghpdAnn5P7EI35OXPPz8jK2qIAZDdKns48SiU11twwtRKGsjHCvbVnAqmGmk7n0JTTb3Qc1fZRCGQp3SqltBjBpfRzMpWvBmrgVaj94d9NcfmgVkFJW929bQUjPompjl2jgU+I9z+s3n5/Q9/NV6kv6hRgLZI/3NAzT+dPfiWrkGTl+RMMlqbRvjIijMp7yTXY9DvGfyI5FbGVvnxJflXR+5z8uOP5F8JU9rpy0hFWPQ5+e/C/k/3RW7INlO+iW6hVCU8WltXrqBgVIgpZVd5NWCPnFQWrw213q5wTARZ1opLi6aJhXiCMx6OArRWmfLTNvqgqYFxKhBjxNRYpZ1mLdde63AfLKngpT8YMaQImalGlu6FEYDIczkPytGNyYvbN2IAOUUsMFyHPWGjkV1YC0XLx/LOBXSI4X8CqcBqziJWRzCF+19GW9g/960Qds8+tRuNVs3abZuQX9XKbc3Q5uSSKO2MMavIFUB9A9MexYv3lTBNKwbGFEteFmWuqOtZK3nmIEFTi5e8dBzs2YVLrm1DhTPat3zvMuLi4BV3ZjfGypEZnopw1c9PiXbS2qBDBZlG9Rxs97UbOWF0pqSnB+eEz4TbzwmdJRQ0FPznp63v9QNUygK5DOedacCHdroeE5Tuf20g5isIvISVClMLnjOz4VGb84YP1P5HoZs5mZvxvOOtc29AOOvtqWutlvCE/NeIMJpQnSoeIEbvVnXG0cXJm4ug+zIqHXt4VSu9q/ESfCK/ujSI5nG4Pz75pwoNcTTdY67UbVO+2fxkY7B7PQct8wl5+fMrskK+V0AloULEfQXo1Ec1aeM/IivQ4MFSSwRQY4mSO+Ui20x8cDXx62Zi5K7mCNsG3v2udImMw6wmYAuphJqvdwNxM64HWiwhPxO2oJoy65noLvUa8UenuSSNDDk9YstnPlpRm7qg2wfqcwYR9sQu0aKonJKpZBtG0HQ1KtNQsu6olZShxupjFDL4HBRjjW4hGktlSXVJpNIVFfzPWH6v0lWUP2XIcjiYRaqZDp6kOzFpg3WHzAvBZ4AURwx8A0zJckTB3mx3YWxOP8segrhkqqoF2OgBGHWiUlTgreY7YrBXb6btAx3kS7d29DiPHeXtkzl6/Col7SLRNm3qU1PlvGyynMoHYvyZLHOw3YH8U8nc3Rb2iEW3eqti+vTaj7scHoiobDf6DbFwbcPlI0vQpldOUe7LA4vs730P2xpoKjI3ZXpM6RLKfO9gSLIJz5TpVmx1jDbTpvtiP74+fK20qiYItcGifMNAUs2VV+urRlj+neWgCa1r0Va/bHrZVFTSeaw0lxCB4Z3WXvRIeVwN4faJIWolfWTM0qre9QwGjN1qDsXh7bOGsAV31o0qwUzIu8ZYNJP6QN2tpHYkL5daOHCT9gqw2czhvYRjaEK4ye2CnncaZqBBMn8gqFOtS77kpdNs8DzEBdllK8g+7jAvTuR1zfXRKNzsp48FXbuTyK1Ye2KNE3pOX3NI4QHd7xtNuOmjLpznThp38mwyWLJLJ1NNaglUDRS5+0Ls+J/6qqAG+aWB5mhHyZ1uf4o28nFFDUEkypFzg8j9kJqpCZWCLYZmkGnzymZ4fedVDlzrIgOqdZFDe65TiqJtoC+TQ82gK/VekYcxIXfMx+gbM3gu7/TmHCo2b5JrhwQLNg/ETjeE1I4gygZKfArF2jQid9hpxIpSjWWqghceh854waxsNRucECoDC7YMyJEDAkvQ3OYsHdlDWLt6KALsRXb2uXzyFi8Oegf6V7qrdHHQMO5UA+MzvjF84tqtD+aM9VQJunL+bKbIBnQuRl5uCiZaF1UZgixRvIPZfKxN+LxtpfctQaXJb5chNZabNiFg16+G67c7NFYlaWpleELBcauzhea0LH2HKUzlb+/uaBeeRtgiX+uiO4oi2VSgOburLIrSdoQqtj2E9SvZupvhxZK/3wPSliBLpUPC7F7K1PSPB+he04Z21fQPYHE72iGWvxZ8wG4nQfcj5iV9zl513wwvZKj6D2ImeLkWtMstlsoSShah40U8gVaoedEmqjyIUG8P4p2F+jF6pmzJvr9juhV2rUbxEVf8leBsnfv27JELF4hAaK4txXpELjciZ950nIEfGgGIWFycKmnhOrfG2iF0Lr2/btMPlZalcf+HjyoVLUKxBjA3PM5sQeUcCgmr3LJgLHAJq16oH5UQazWfNhZ6EmKYo2886k5b7z9/cdFhappM2HWcEzxb28p9TENDcDe/yCPT198ixi1WgDmGtQ0HzSbnSy9BT8gl+E1pDOgJnQO28g6Z7jOlWxwGsFswXm9n+Hvif9/rW6E0mWq1cp+1fw26pje7RvtJn5cXVNvUbroOcGqPSrhTalAdeqw7pUTZqY25rpSqIQQUc73FbyShArTtsov0ZtHwNx/eCuKj1wQAk5AiCnNJpJLfaagBLZl92Q9oNhzzyWGN1u7CdPYK7iTqcS+4j7C14Z8BZStuF0FZ9rKenOKCU6w2kUTJ7+bK/feelwCVlCKiOGakm/aCgS8QAYekmhEnHSwHMyGXG5myO9igX1mVB+MTX87XGGfE+JJRn2xTBvEbGE8JE42x7YEM/xhsE/6EG7eToSY6+Dec4oufjqtAR9d+/A2LW/S+LVM+pezJTYaXw/IUsSDUGMU4+kvdbkTtSdywt/wKXhNK6sXacEYFKbm5ek5qjTNRnhOw7ElcUaaaHlJ7eceH3tfZaFqBBW1ITQ128TLYyMH3ImCqqpwUU1tB+2FpDVi2V93z78FDaXy9PczwMHnxzVRVN8M7mGHbKFlxWapVyKdlSjKo7fMuk2KUGQMyZ40Qa/KlocI7P0tVUS6D1JC9hYQaebr6Xs9U6tIe0p1K+JbLKyhDLVCbiE4NeqeCgeI++aZDbcLLfRsnBl0hsoq6/mQn75bYRaBF77fLh8Lrtzp4XsnlsF1PF3QGXfHdwU65XaxhTcTWn//9mvaPiTXtGRf573hH8i+4WneNNZQNA9JGjiDubjOgORVF5DXN9ohc4pKt2rz7PvYeQPfCjPoFgF2Zg1oOpPAYh9XdQ7egZtHdUKcWRqoMG7bwmb9tjU1XZnjSQtppEeYI6ZaZGM3cr7p/DytNiZPnknDMuWskE0C1+xM2wtugFgoIg7dTt4WdN0cfvPBrhn2eHvWLxVQ15bLrm91/sELZqL7D67XkujHH9vT1tRFEYNzjd5wAaeRKnPjVfU/GcU+pt+Cyu8Y79nkv8/kpee8lzdPQuIH4aXuh6Nfh9iyuV3sH9EP48nvu5/NTZGkoeevExNB7sB2R82mAnoSJP0ROFqy4iRupS7PO2ct+O6obCrS9urDXjy298X3EU+NYf9ItTM5Pb9RkU/nnbtBkHWIvZbnRaCfkxNdnhn6nwn+wX5tFBPX2N374Jrjjpo3tKjeV7R6jRgownjPKPygrRZZUczoVgypA35SBS1ILOiIIDEiTtT/K1ob2VVW/8sRJKqdhtPWF3O3z5Yvzi10dmoSWsd6jMFaXfeBAwVvXQm4iLR5Jci4tueRzSVFYjBzRWumczWufDOSXO6QXre6msKsj/qdDpHeX8ZSVKnJw3v/2kXDJRFOCE2dhkK37+YQ8PbumVS3gNbnwDhEPFqX3JO4Xwcjc0WOb6JzaPC1xzLi5cir3AXjdoRSv58Z8H56GD9xc7Qm5Ws3nc9D5RtjFWfa5HwsIOKB2utBgFkqU7vR4W31k0uhW6P0InoVh7D1I5acfvI7xrGvGcX4aLyO5dXSeqaoujpx3hbsScq9wjKv375lm+p1DR0msT53huBlVNmzMSgtq6QNljfUx76Sl0th5wMn1Fr+RKXFUlyuqHyZDb9hV30lXGh4iR8RIa+SnTohS8o6ytp9yXLl1IuiodoyS37UKqt4vhbytmXyotQZqkucGG0ttk0px7vxRlIsHMzvc4lN1TXj5Yvz9ci9rcwwMHUafBo2P/V1wWMSvbvuOZZ6+Nzjkp8O5e4c8Z1yqJlWMs1dHYubJ75STpCmdDgOP7E+JAefuzLh1JN4I4eQeMQ1jYMysEeTMrU+YKsG4I9E2+41bFlyWcJ2YAYIbe5jmeU/ZggujKaZbJKagMb5ZUc0FZvBEPHg+/i7nhCITv3O/jVImM5xDNfXNhR5IIw6rk6ddPmcN2tSh6NZLmAHLgoqwSYhvOzw9Gyky9G6u4XucO6HEK19dklfwVflvuw8pl4aUYCkXESfDVDW297sR0pQ4em5m67GlXR4b4jH+kFqoapEtm+cNKWFGQwgodL5sY/ghW9NpxUvQgq6xkMuq8LiSp5Eb6T5Aqzv8GmZtFbj31RvLbYONGUmUsI1tMGzYdN/rmjSK1fPvMJoa0wyyiqmqcvcpzzE68dAJ7yX71loteen9Z20XuQrMaCJUqdjhgca7e8t+4WKjNbJ+Xl5cNbiuMenpYWR9u3peWf+Hmh7odzqYvP+tpiEAE79dNc/XOPcUE4r9zl9enJPzgULVRyNb19pQXbIfg4SFXV017DypIX0Xf1jIrY4r915EFFNV5q74GlTc7SodARficBlRjxbpuyX4kMERKs97LuBQOuwTaLt4CJ/zsgvljDjxqtRW46AMPMHLn07J6+ium5zPVDvd++KT757TBqIwWeMaWNP3IvjUrynEylvbLkz7EjeO4AiJesXLbYdIV11Jl5QLOgxkkM4VTrC+cgZaj0xa8HfoEF9/urhbMFaq0ADKB2AHJIV0A8PnkxGJyKti2pTlOrl/hldF0jqgHtzGwGGNzvd6qdJD1Fwl7HKwU2JXmOYYBQnc9LNXfc9V2pTcdpV1m75oAaPYYLtNxYYXJZvwwn4ifZZYag4uj2aVn3w+I09DrcTnRjhdecoFFnBgHtjZda2M++Yz8t3Q0SB3ozBXUq3kliFkgDXYzGK5DX1k0iajR3DB7aaFnrRV7u9DadJbmFO2Jp9GzTXBp5o+RFF+WHiLxVySinI507SCvekYNdU4tTd/n4Qt5fIClyXvVemTozdtAXtZZxGkyA3aF6YKOEbkspC2+8a9hxX5tZFoSr5TJQjylMvl5NvnhCv2nEzd/4H7PyqpWBtuJt/G44uW1cVM0MHk/NQ61LaGf3JBcFH0daGcXLfDr9Rsb6MGq7Ji6v86DXi2bRAMaHeQowgtq7Rydwezz+9+pxrIR58A/O23n9/9/ubD2bff+pzbJdWUj57JldJXKUuWb7xgv7cL9iNso04wKlMrEaFmJ22Xku45oMw9F+sMJsxMaZCGs5QCpOdKyoBxld4LEokPpAJarCgfDie+t3cAe5+nBuquT+oSddNMM10KOy2N1akr37FeO5tDrP+WJntH25qPfE7SQ4tdNoPBBipNKDbZ1L2EehcHYsZHHU0tqdkcsYeSGu1GFCFzt7wnLpQP7id4d8eFQz7o/x+Gq25UZj/570GOWNnz0QdE9iL5IIejjePuw0+pIyRtbe1szy59aruM9jbLDvtkPkO32+Dk3hyZbltW82PEw7Doa0a5cLxum7lcBJlxftqvbcNOXM4ctDCPtDAYzypsc64LpyIeQM8hideYbh2qj05UVTVy1xM1wE4e1rjpvti9h2v7d4jr1B1u5jDN+r64XVJZ/ruKR802uFlq+SGS4d7YDRfeQs40puaMq2RZosey4BH7FdVyGHR47KgbWdWFyiWML9+/uyC/eT/qJik1jsiXo6YSXP7HW/KlAT3Su7URstCw26kzb3JDzyG6Jh/aorNoWlenpbOED2kfqEo9RsABrQ9yHN0E1UaCY/eGW6Yf0EAF1VWG3XJgM7gXaJ2wALkD2pTJptJuwUzb7WoLdEntrlZ4X7hTkGxRUZ2qrKSDu67pYHzxvaNPlA3SqZLALBbJzwKDWdoCqg7wbI6tljKAVdM/MkCtafJJGL7jVPLjhUH3gqd+cELntgqc6pkcaVlQhoNR0pefONhGJjTee4Cn83r5k7y2i+TvO5MFs7ooTdK+6z3oDvJhkadbAF4KmlxiyALknMuERZFD0Dlyo2UxK8yKW5ZcfshiJtTK0Cp97koftrTLfNAzRF2YLLjMKU64rEFX03WyhPcB7Jpd5QG+pCLHWeF1UWtlVZE+JIXQlz8V6HFMD1tku5tCzYsyB7Md4PT5b0wWFb0urE3lNtgG7E60gAyPQsVlJqS5zId0LUwhpqJIHRbdgv19RuDJO4P3YKfuhdiHnbqqtw/754ywX2WE/S8ZYf+PjLD/mge2VbWgU8ghUjro6c0zWVSNQOV7us7wTrbA66sMeknVCD6v6jzat9MyqZinTkIKkHkOpcTAF5beNyIL4xMSM+yg0SyPNekA57Emzdo0dYZZpEx2ZdVZTFWrrDM94DqDCLHKOsMsF2w0a7IAbyS/llQqAyzDIVy+clzJ9CgsX6naLoCWGdxqqqoLJjL4sB3gDEEShKuna5veLeogmyyQ66bIENNgmlvOqMhQQGQKOgfJ1gmzrvqwJRXrP6Gc5sB7WWAb0CyQfTuYPFj7xNos0Kfzevkqjw/aFFNu/5ql0RgzRdpZcTuAtUouqk2Wa45Qgen0VW7G+/iTzdrqAQa78H7+9M4RDxzVvizAfTf5dB3kerBnXEAOG8YUsxybyGcpi7O3AefQDUzBa0xSLLKIOl4vfyqNrQfN/BPBNpplgS34DHKYMQYdzRWUPFnB6DZsLvOckkqVjQDDVA5uB+B8nkE2qdqsqE06878HPZZBngSwhjk3VtP0npAN7Awan4Y6F6t1Nl4b7ESuM8lXn5nvj3gG6FYDrTIokr4UKBfa+ZTr1UJxU/gJs+mhr6mmWQ54OVIImwLy0s+3Tw2XG0tl8jnHpbHTRqcaFthCBT8rKAfUJjmu6fXotiY5NVic3DBLP+z60E4D+2DOaVmmvgO8TB1WbVsHZXiLeFUwrVSVpSuRA5zBTONVkSc5MnQ8ysHm+ip5e6bapG9ZymtTa54YqKCW2yZ59pngEtK12NlANUkn6nRwsfg2vVtLKN/1tJgJlfw574BnSPl3Nm9yqeOAZpA4zobOgGry3ASh5lmOrpxnucC10qkFWDVt5jmuWcUNyyEWKpPlwOaYAyHBYnOl5HCTy3DfADp1xp+HmjodT65WqS2QLBVlyg+ATm6JqvSakdJ8XkTmcd0b7kqCTv9m1YUfypscbNLJ1BuwfsRrlkOWoXAzzMRJLQwC2NTSoC68Iyk5utQY92HBFqnq/Aeg4brmyQMBNehqrqm0g567KSCvsgBO//T6TmSfPu1MAU0AWKt5QU2dcGBAH7SmqaFqoCKHfqeBIR9819FMwNMz2UFO28K1B1npMgPG6R2ZJoNv2HjfcIZ8AAOpEwH8wOMMxomBL+kPQKxBazKoGUwpw+cZBK+pU3vZjGY57oFmZXJF2mgW64qbALBNN2KrD7MxybtqLplMXSgRnRZ7X6C+SWdq8u3cpj9WHmj6iF430zM13HWdvFtrU06z5KE3WmR4CxsDuih56qr3LGMr2shQDjZYZiytUnuDlwWXxtJZBs1gybXNoYYva5mhdZNVupEp3ayxtmiRjqJvGqvIh0aSwdJd9kjGYXmfqeAlOdFQcktOqC5DN0OD7d/j6PjJWRm5NDYhFMHgEH2C/Q2YEiRWqtPlQ3CZj3NnVS3UGgaDBW/k30w1yZp63/KMOR56nxHOO9Mwh2tS0d1GC5tYrJw3u8NAsiMpuMHhDO3qYeuxgRIxTV0rbcmw8SghqwW1hFtSa5iNHYV7pOXeZQhFjPHB6uhQIFyGzu4jfaEFl7kn8vdQdav18TTEqjnYBejJ5vtmoZrBi0aIhCXobhyRVaSm2gB5B5biRHB/V2nHgqdv1dy8uPBlr8/IaRjx9ZzYRWRKETYD/gBh9DGiLcl7sL9zK8HE93l4qLMwb4Yju7tbhIt7Yg1QzRYTLnkUP5y5e4T+2jviE2dhYDLEC0EbibN+5w3OcW2buMcbuO/0a99DU/523B1NXRPuML94xNh3G1EkrGm6XedVXJZ8hGuLt2LMXXCMadQjAmkzuO49TqiWYmTiJXbPzTgOHPvnGrBEw5cGjN3TtPvwbOW798r3KgOO5fGreom965Hq8k633Sn7cPIYYWxs6+/Yod28jlKecvb/zfMN3WLnp61QwLXjZwOthnRJvHc8wu5xmVIDxKdrd9iQwa3qdin84mHwld0o+A5zpX37+igbCaGGGAAcd0b3z6vSVBrKjjDed9Bh2i8tUe3dHBrWaJyAtg/pGnTFvbpxLKQ3S/rBHHzJBcyBCFiCINQYPpd+4zbz+uNHH1syP6D8xvX3nPTpg0x6dpg1kn9pYHdMIo1fvh6+h3VMPGwKSqvR8NJfSKakBMytICtuF2OCgpBIZUinsWs4qLzozqaFYyfKk+6JEmrOGRXEYTBi+iAWD4sdLjUypvHheFcv1iaOXi+dbaV2slpTP/BUcGqKhcpuE3gjrjPXcJbKZqiRk4r9ETzxfgDEXxqHLb5pYRALE0D15I0wyhniW/ftFIPl5Nfwiwl5I9fdvwbQLdryRlpCywlTVd1Y0HExnMWN7wjLZ559s7sXOGNxa0O4/Wfz8vsf/ups39PedrQc+yaKdjinRdqI2W0dN3QNmvxL55MzLwIaiFz81qeu/8l/5uUG561Tv3c/Dkxevkm2PdkdmOLWmZD3v308c7SDBu88QX9pyQ3TUFPJ1k6rDOqZ2M0FIcih5+Tju9fkXNofXz4n5+9Pz/7zNfl0Lu2rn8jT1WJNJHC7AE3YQpkwKk1pDczit3549b/+27MnUY6AXWSUcbv8QJk6qWh8HI/JfPrueM0v/Vk8b5GKX/HycSHdl003YH5gw7hbP/AxfHcU04118plr21BB3r55H0X2TyUhny/rsJPxf5SESZy3Dt2vRoQiITcLT9yCx/gG79mHObWwog8wIh1P9wV5U5Ya/bT+lMfQ6Z5eVtWHxjnvGws5P3l34V+l0fBYRc0Rox9bTiWvqYa3m5xfOFRGvF+OhwdOgkjCQ7f2OA9bTazw07WOKyB66NKy5O7LVGwCtr1Z/vF37ogHwJmEeMFVuOGn20dggMom1zqLXnfbJ42S9wHDC6VtJ5IHQrfEABtuALfrmyWvOTLvPT1cztvHpCXr3RjjJcTsxmN5cQN2aPlSYxTjTuX0fqOBjkOcXNZUzmHSmU5MyRmfNxpKMl0jTJAlZg3F5Ux9YOuBQdHoiLYcXXSWod+BSKj790u4kjsANFTKQhEyu9PnGaVnbSlNQQufip8BdG11HuCzDEdilqFaWOS4Drn6n9QZmErLovXE5VPLdy14R8dkd7W+M+EBNNgzuwAtwZKP6xqek0/tM/YWHWA/kovWATZ4CX4b09TaUT1HUCZGTOMW6eAXf06oEFFlot58ERPcqMbEvCVo9wZyaRUxFh9zLsmn81GBwjBBNpu8Si6yHVBVZxj75gBrMKkzeh3YDCUu/kVMnYqO/vYM2PrRCoUAOU8+KRJxdspHRi10RAP1Kg8VvQCMJAzTCWaEkl+UXlFdDud0E/JmjslemlB3468xl24KdgUg46pn4q6Jd41xK0tFP1TnkSHYMh4zIwYUchnyXDEtoeLWiaUwYiNO4lJQeYw4/i0clG2CSM9FOSBw22W5iaQsnQU7RwN2++VJHakEhl0Ilun6wd0uYk+15awRVBPsF01aJJ6eXb9+q+ZqNotPfwdW2AVk394tZD+6Bf1t7OF95vB26L5p7AKkDcnio2ibJmXnhNsl9Pglx1H/ZECPIqway9RxOR2WHEf4smEMjBnBGTuPH9Yc7bDEE8SLOBV3rvSaRAoTBrgdQzht4Qg7ODqphAE+Uyvp3hUnt2LKYfdDMlCUtqlaputHN/JuUuK7lmLNgOBQdvQEP8yOPswlMdw2EflJsLgAgogOUBfUEFqq2r0udgFcE7WSmy3zjLP0WklVjeTV4kwOw32L+uMqEU6557J08kdp0zGAkl+4APImIDYZsOE2zl7ZEebv5GjCeEf/g6QrjLLgMmQtpOVCjMYII1LWu9+DET5f7zLUa6TmxHhC6FTlrB6IED+FBV1y1aB2yVRVa1XxkQxFODZyZ5JOBRaRzcjJfty4XHZiJyOSuxhuaZ0kisAWhkmHyxyAYGT9Dr/cu9t7ZTf3bfTYbcosG2l3y9lSa/QlloEX7BCz/lZaEL7Hc5CgOWtJQoZgot9uagG3C3xqY7PdSEB2wn6YGKvHg58tTYe03Xowml7upymoF36tjHRFTdPOCLe8AuPkutf2NNQwGkQKu5CsKcSNG4GNB++5DfqWR+uQ3t0PdrR+vB1NPxQm2ZDTW5MWHMY3UTigDSneCIRbCIOvl7qXN1Knj7p3/qIloU3fvHPJeqkeR4DcIMc7AfL1Hscfb96yVKMNjrNlt5OP+qgSJOUdu4X8OOpxTEnb4DB2Sj2WoO34qZNX7jR2UVRgF+oBoiR0y5NMPBrha6Mbjr2UtMrqddoT1fmgRPDXOkT2nMtMnpD/nPz8/ffk6dvTNxfPyCk3lst5w80CSiyFj+Ii1Fxl7wu0LxKG2bIzj0fYZvziSMaYVpm9ivvqP92uxjDobgx65JMNfb7LdWGY9t/V/fYcf4hTLGZKZaxN+iZTjIpU3el2CPlAS94YvwJRmhhecUG1F09ObLo7xPBdj5dX4T03vDxmp5F+pvwndxBaL+JOX8zNJc9XZ/FG7rvrGNYIlYY9/29wEuEng7MQHDfQK8so465MpXMmBgxCNshqpedU8j/3ZFXLfEfhtsw+gNP9MzXC7hnX0VrSTF1/fnHL4WvhW3z53kVbWc2/AhV2wagGUmsoVcUljRbc9cTTBbUcpDU3pscLekxq39IHJda3foQ608F1V+eJE1w11RabIW1I3S9Wj9jsKAib20jUGZSgqYWySJZUtud8OOHzS7tiFzy70GrJy655WPgerWsRNNXBwQjNf9yztq3TxhWcDZG8PBKV3ZKh159dj5AZHR6KmZNL7qPni13FfaQFXKd0phwKflfNE65RZ+r9qFcJPY8Q6nVU1FipIcYq7SW+g1aBpbjaE/zWxH3rSZz6ipelgONJuXe43m3lXGR7e3LvIDnXjsc4DrkXYbVehyG5bqOzz0ktqNsy9z4rTUAyva7HvPyYCnkEe/IWGXS6sy1/VcaSd5QtuBwx6UqaSXJ8s8vrTxIz/WsNTnw4/cg3OTMT8rakNfmM//D6Uamkrzv95/DxJAu6BKc5CaCafGlArwn2IDS1kgZajSpenOroLfA3x5GXoQcec5A1b7tASk++78s3jmdL0hFQ3RygD6E56m0xxSlPeR1mu2e8bS291cTI2Ybh4eWG6EbKqB1rnncvj488+zZSIzV2AWIRLMz8G0HJistSrQwxNTA+48x98jxWJxjyZIcXxJHn8d3k3JCn2BEWJNs8Qxi6fNbjFmkkvuNvYU7Zmnwy241vuwhstVtImzy71q1wBIN95LXvm1qICtaq4SFzL+KA410fgEj1/1alKZbzDNm3TXZ+hXqsO69XryMUI4XRgxZ+cwCxx8nrHSM1ZPgG13sr686Q9PEuoENqjuOw6wIG23uzScj02zDYoXhDipuLn7FsIOVIwNEKNyS5hBmXwVePwgm7+lW0Hmk6iNgdVCiWCbeNA2ZH/UstGDufbW7aQy+lkd6UnQ/bWsoW1ZFb4G9WRYaTgXXU344sQ16mXKabIJb0bjiSsagw7+MZEVL9sh3cFt9Ge1PeH5naOcA679t3A9Y11e2Zcn9+viFlteCDVurE3Q5ny/rk91uRZ5PPLPFtLZRe59vwv5mayn+7sWNMi8h2F/VWPY89TY4tf3uB0G+g7cFUogFVbb/1/VSNnoICpNWqPkR0lKqZDpwLtzrjYU1nbcMN5QiIo6/uOO49PFFVTeW6u4947XCcvrdXlqDdM1RwOVNxpYCaq9w1QjfIjx0rssVsBXm7os++5MoR+KURYk3+o6GCzziU5BTrnr1zMIrKCqYFU+qKP1DQ/XeYEr/+xn6mYkybT95tdhMOrxuLKveBI0xvvusfuiXClJ3gjvY++Qn5uK496RvPgWOO38HxzdMwK5I2k91B2+HgHRH6iYm1rd1F5hiuuk653MbOexZrpVtvP4aYP7wd2fJer5zEx6nlRZ13DtEeVriVb/Tct2hqpTJpIttIuXXcfpCa2rhrksmCmpTR/h5gHcrpE0NutEi4zT2oCXelM0aLRqfyhvRgGtAFnaezKTegkz9P26CTpj9ugw6nPoNggWsLElWr9MaJg5/sNHeK3kLDTqpMao3KL3GMWsItmfsRl0X16kX475OAwovwHyGvKeb2pwJ0PDsvkPOA0XNPTD94jh7X3qi1ATllGIjmTCouZ6D1SNx1SPdR6Oor/jeyPuqePQKSbV/iWW8bIlcKw9oq65WKLHG043fm4/bu2H3EDGLd/9M/YJigNT7wk9cL0MfxRzidPWQ8PT3B0Y/PyAmuH0cNtD1Ss5QRPp+ADsM/YSsLc09zXsgaOu4xsrfhbtEnptcpeu9O8z8P9UrevTVKfLfJJf8z7q3hV5lkyvk/zoiEubLcb2C9oGZkApRhx24r1NtKv/j4cEG31dkmQA0SXHbOWNs4va2/iSekGD4/RkXFdn+jburhx9FBy06acGOa5EonQsZkqXzeuvvFUBBD0DqrD3SwKX3peeYWJ5cYnN4nnY6SIdF1Bg9R5KeXmNq5/zHqSc/DkLy79NyD47gINUYUy5wv+m5INTiyo8iUhTt6tEneptHkAsyvIFjUmZobfLMZV9J/kFC2/kQMxuuUJueXb/7x7oJcuHeK/CZHpq9ssM1USX0Ith9XKo4tiiG2AHZlDnIi304I5+1BFhs61/Xr7FqEYRpoGEG4kYJ7tFzQfNAU8gGUXI9H1xVk1GhAnC21zdEmfPaxXFLBS38QI0jsCsKjdbXeJwiRY1ewNrtiO9HJbxNIE8NeWFubguMM2iygcStzMITRR3Cb+Fy2lS9Kc7u+4UYxVVVZ+8TdEm+PR3AIxUvwV1yD2LU0U7tYVoLKwpiHGnjrVvYy/PdAbVujFcXWlxoXteLHSKuOIewxIIgBIhW3BpCtbEGlHDTOyN1uKqyKiIzEbI/Utrl7WMLMw9/fvnkf3r0XO8t3D4pVetf3n7xnGzdXxVKJJhcD3rRznGWYc9NNxm7H+TaSW0OeeiTMM+zWgYW97UTdHfAEkY5SI5pM0uxtwPWT5DakC0y2iw6WoDFTYNYIwpRkUFtnKF/6PRxpr7Ba5ZS+nvHOYG9HaDtEa6UtUY6/v/77m1gKbpTtqc+d0vPjJ1juFhhsuVin1Dc7iTaK+fvZbxfnF+Qdva64LLux3vFtdbQdPQ1za4jiCFmBjAF1+8jq1Kd4yWLy9Gxf5VjMjlew+dBF+C3J2dWOLWdZkMrnp6FLb8BiL4bieJvywL0CWoqr//J1w11hjiyHmmTq243+EmdCP1B2YxhXjVZ8F9StfHHvc2KaSIo6NeRvxmol5/82FZRdCW4slH97Ef72vPuUyxmw+EczrmFFRVSRoVPR+w2hsiRGkZFjqWHOjdVrZ9kfU1jU1C5Cs/4OB7KLwwBJdEodC01fCO3rtZjSvS7knT7ZYQ7S6vVf/m8AAAD///snugo=" +} diff --git a/x-pack/filebeat/module/snort/log/_meta/fields.yml b/x-pack/filebeat/module/snort/log/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/snort/log/_meta/fields.yml @@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. + - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. + - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num + overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. + - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. + - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. + - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. + - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/snort/log/config/input.yml b/x-pack/filebeat/module/snort/log/config/input.yml new file mode 100644 index 00000000000..f36e381ab96 --- /dev/null +++ b/x-pack/filebeat/module/snort/log/config/input.yml @@ -0,0 +1,45 @@ +{{ if eq .input "file" }} + +type: log +paths: + {{ range $i, $path := .paths }} +- {{$path}} + {{ end }} +exclude_files: [".gz$"] + +{{ else }} + +type: {{.input}} +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +fields_under_root: true +fields: + observer: + vendor: "Snort" + product: "IDS" + type: "IDS" + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{.rsa_fields}} + tz_offset: {{.tz_offset}} + keep_raw: {{.keep_raw_fields}} + debug: {{.debug}} + files: + - ${path.home}/module/snort/log/config/liblogparser.js + - ${path.home}/module/snort/log/config/pipeline.js +{{ if .community_id }} +- community_id: ~ +{{ end }} +- add_fields: + target: '' + fields: + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/snort/log/config/liblogparser.js b/x-pack/filebeat/module/snort/log/config/liblogparser.js new file mode 100644 index 00000000000..6cdb48abb26 --- /dev/null +++ b/x-pack/filebeat/module/snort/log/config/liblogparser.js @@ -0,0 +1,2510 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; +} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], +}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. +function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). +var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); + +var dup3 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" [Impact: '), Field(p0,false)}" +match("HEADER#2:00010/1_0", "nwparser.p0", "\"%{hfld10}\" [Impact: %{p0}"); + +var dup4 = // "Pattern{Field(hfld10,true), Constant(' [Impact: '), Field(p0,false)}" +match("HEADER#2:00010/1_1", "nwparser.p0", "%{hfld10->} [Impact: %{p0}"); + +var dup5 = // "Pattern{Field(result,false), Constant('] From '), Field(hfld11,true), Constant(' at '), Field(fld9,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" +match("HEADER#3:00011/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); + +var dup6 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" [Classification: '), Field(p0,false)}" +match("HEADER#4:00012/1_0", "nwparser.p0", "\"%{hfld10}\" [Classification: %{p0}"); + +var dup7 = // "Pattern{Field(hfld10,true), Constant(' [Classification: '), Field(p0,false)}" +match("HEADER#4:00012/1_1", "nwparser.p0", "%{hfld10->} [Classification: %{p0}"); + +var dup8 = // "Pattern{Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" +match("HEADER#4:00012/2", "nwparser.p0", "%{sigtype}] [Priority: %{payload}"); + +var dup9 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" ['), Field(p0,false)}" +match("HEADER#5:00013/1_0", "nwparser.p0", "\"%{hfld10}\" [%{p0}"); + +var dup10 = // "Pattern{Field(hfld10,true), Constant(' ['), Field(p0,false)}" +match("HEADER#5:00013/1_1", "nwparser.p0", "%{hfld10->} [%{p0}"); + +var dup11 = // "Pattern{Field(info,false), Constant('] [Priority: '), Field(payload,false)}" +match("HEADER#5:00013/2", "nwparser.p0", "%{info}] [Priority: %{payload}"); + +var dup12 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' snort['), Field(hpid,false), Constant(']: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" +match("HEADER#7:00020/0", "message", "%{month->} %{day->} %{time->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); + +var dup13 = // "Pattern{Field(result,false), Constant('] From '), Field(group_object,false), Constant('/'), Field(hfld11,true), Constant(' at '), Field(fld9,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" +match("HEADER#7:00020/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); + +var dup14 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' snort: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" +match("HEADER#11:00030/0", "message", "%{month->} %{day->} %{time->} snort: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); + +var dup15 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("p0"), + ], +}); + +var dup16 = setc("messageid","Primary_Detection_Engine"); + +var dup17 = call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], +}); + +var dup18 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant(" From "), + field("hsensor"), + constant(" at "), + field("p0"), + ], +}); + +var dup19 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant(" "), + field("msgIdPart3"), + constant(" "), + field("p0"), + ], +}); + +var dup20 = // "Pattern{Constant('at'), Field(p0,false)}" +match("HEADER#26:0011/1_1", "nwparser.p0", "at%{p0}"); + +var dup21 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" +match("HEADER#26:0011/2", "nwparser.p0", "%{} %{p0}"); + +var dup22 = call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + constant("_"), + field("msgIdPart3"), + ], +}); + +var dup23 = call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + constant("_"), + field("msgIdPart3"), + constant("_"), + field("msgIdPart4"), + ], +}); + +var dup24 = setc("messageid","HMNOTIFY"); + +var dup25 = setc("messageid","SystemSettings"); + +var dup26 = // "Pattern{Constant('['), Field(hpid,false), Constant(']: ['), Field(p0,false)}" +match("HEADER#41:0024/1_0", "nwparser.p0", "[%{hpid}]: [%{p0}"); + +var dup27 = // "Pattern{Constant(': ['), Field(p0,false)}" +match("HEADER#41:0024/1_1", "nwparser.p0", ": [%{p0}"); + +var dup28 = // "Pattern{Constant(']'), Field(hversion,false), Constant(':'), Field(hfld2,false), Constant(':'), Field(hevent_source,true), Constant(' '), Field(payload,false)}" +match("HEADER#41:0024/2", "nwparser.p0", "]%{hversion}:%{hfld2}:%{hevent_source->} %{payload}"); + +var dup29 = setc("messageid","Snort_AlertLog"); + +var dup30 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(hfld2,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" +match("HEADER#43:0023/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{hfld2}:%{hversion}] %{p0}"); + +var dup31 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup32 = setf("msg","$MSG"); + +var dup33 = // "Pattern{Field(threat_val,true), Constant(' ]:alert {'), Field(p0,false)}" +match("MESSAGE#1:0/0_0", "nwparser.payload", "%{threat_val->} ]:alert {%{p0}"); + +var dup34 = // "Pattern{Field(threat_val,true), Constant(' ]: '), Field(fld1,true), Constant(' {'), Field(p0,false)}" +match("MESSAGE#1:0/0_1", "nwparser.payload", "%{threat_val->} ]: %{fld1->} {%{p0}"); + +var dup35 = // "Pattern{Field(threat_val,false), Constant(']: {'), Field(p0,false)}" +match("MESSAGE#1:0/0_2", "nwparser.payload", "%{threat_val}]: {%{p0}"); + +var dup36 = // "Pattern{Field(threat_val,true), Constant(' ] {'), Field(p0,false)}" +match("MESSAGE#1:0/0_3", "nwparser.payload", "%{threat_val->} ] {%{p0}"); + +var dup37 = // "Pattern{Field(protocol,false), Constant('} '), Field(p0,false)}" +match("MESSAGE#1:0/1", "nwparser.p0", "%{protocol}} %{p0}"); + +var dup38 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(location_src,false), Constant(') -> '), Field(p0,false)}" +match("MESSAGE#1:0/2_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src}) -> %{p0}"); + +var dup39 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' -> '), Field(p0,false)}" +match("MESSAGE#1:0/2_1", "nwparser.p0", "%{saddr}:%{sport->} -> %{p0}"); + +var dup40 = // "Pattern{Field(saddr,true), Constant(' -> '), Field(p0,false)}" +match("MESSAGE#1:0/2_2", "nwparser.p0", "%{saddr->} -> %{p0}"); + +var dup41 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(location_dst,false), Constant(')')}" +match("MESSAGE#1:0/3_0", "nwparser.p0", "%{daddr}:%{dport->} (%{location_dst})"); + +var dup42 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,false)}" +match("MESSAGE#1:0/3_1", "nwparser.p0", "%{daddr}:%{dport}"); + +var dup43 = // "Pattern{Field(daddr,false)}" +match_copy("MESSAGE#1:0/3_2", "nwparser.p0", "daddr"); + +var dup44 = setc("eventcategory","1003030000"); + +var dup45 = setf("severity","threat_val"); + +var dup46 = setf("event_log","hfld1"); + +var dup47 = setf("hostname","host"); + +var dup48 = setf("hostid","host"); + +var dup49 = setf("event_counter","hevent_source"); + +var dup50 = setf("sigid","messageid"); + +var dup51 = setf("version","hversion"); + +var dup52 = setf("sensor","hfld11"); + +var dup53 = setf("context","hfld10"); + +var dup54 = setf("fld10","hfld10"); + +var dup55 = call({ + dest: "nwparser.signame", + fn: RMQ, + args: [ + field("fld10"), + ], +}); + +var dup56 = date_time({ + dest: "event_time", + args: ["event_time_string"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO,dW,dc(" UTC")], + ], +}); + +var dup57 = // "Pattern{Field(context,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#2:0:01/0", "nwparser.payload", "%{context->} %{p0}"); + +var dup58 = // "Pattern{Constant('<<'), Field(interface,false), Constant('> '), Field(p0,false)}" +match("MESSAGE#2:0:01/1_0", "nwparser.p0", "\u003c\u003c%{interface}> %{p0}"); + +var dup59 = // "Pattern{Field(p0,false)}" +match_copy("MESSAGE#2:0:01/1_1", "nwparser.p0", "p0"); + +var dup60 = // "Pattern{Constant('{'), Field(protocol,false), Constant('} '), Field(p0,false)}" +match("MESSAGE#2:0:01/2", "nwparser.p0", "{%{protocol}} %{p0}"); + +var dup61 = setc("eventcategory","1103000000"); + +var dup62 = setc("eventcategory","1002040000"); + +var dup63 = setc("eventcategory","1001020206"); + +var dup64 = setc("eventcategory","1002000000"); + +var dup65 = setc("eventcategory","1001020200"); + +var dup66 = // "Pattern{Field(threat_val,true), Constant(' ]'), Field(p0,false)}" +match("MESSAGE#33:10/0", "nwparser.payload", "%{threat_val->} ]%{p0}"); + +var dup67 = // "Pattern{Constant(' <<'), Field(interface,false), Constant('> '), Field(p0,false)}" +match("MESSAGE#33:10/1_0", "nwparser.p0", " \u003c\u003c%{interface}> %{p0}"); + +var dup68 = // "Pattern{Constant(': '), Field(p0,false)}" +match("MESSAGE#33:10/1_1", "nwparser.p0", ": %{p0}"); + +var dup69 = // "Pattern{Constant(' '), Field(p0,false)}" +match("MESSAGE#33:10/1_2", "nwparser.p0", " %{p0}"); + +var dup70 = setc("eventcategory","1001020100"); + +var dup71 = setc("eventcategory","1001030000"); + +var dup72 = setc("ec_subject","NetworkComm"); + +var dup73 = setc("ec_activity","Detect"); + +var dup74 = setc("ec_theme","TEV"); + +var dup75 = // "Pattern{Field(context,true), Constant(' <<'), Field(interface,false), Constant('> '), Field(protocol,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#80:103:01/0", "nwparser.payload", "%{context->} \u003c\u003c%{interface}> %{protocol->} %{p0}"); + +var dup76 = setf("signame","context"); + +var dup77 = setc("ec_subject","Process"); + +var dup78 = setc("eventcategory","1001020204"); + +var dup79 = setc("eventcategory","1001030500"); + +var dup80 = setc("eventcategory","1001020300"); + +var dup81 = setc("eventcategory","1001030305"); + +var dup82 = setc("eventcategory","1104000000"); + +var dup83 = setc("eventcategory","1001020205"); + +var dup84 = setc("ec_activity","Scan"); + +var dup85 = setc("eventcategory","1002010100"); + +var dup86 = setc("eventcategory","1002060000"); + +var dup87 = setc("eventcategory","1103020000"); + +var dup88 = setc("eventcategory","1103030000"); + +var dup89 = setc("eventcategory","1001020309"); + +var dup90 = setc("eventcategory","1301000000"); + +var dup91 = setc("eventcategory","1401030000"); + +var dup92 = setc("eventcategory","1003020000"); + +var dup93 = setc("eventcategory","1001030202"); + +var dup94 = setc("eventcategory","1001020308"); + +var dup95 = setc("eventcategory","1001030301"); + +var dup96 = setc("eventcategory","1001030304"); + +var dup97 = setc("eventcategory","1001020306"); + +var dup98 = setc("eventcategory","1001030302"); + +var dup99 = setc("eventcategory","1001020202"); + +var dup100 = setc("eventcategory","1003010000"); + +var dup101 = setc("eventcategory","1001020305"); + +var dup102 = setc("eventcategory","1003000000"); + +var dup103 = setc("eventcategory","1001030201"); + +var dup104 = setc("eventcategory","1001030203"); + +var dup105 = setc("eventcategory","1001020301"); + +var dup106 = setc("eventcategory","1001020304"); + +var dup107 = setc("eventcategory","1201010000"); + +var dup108 = setc("eventcategory","1303000000"); + +var dup109 = setc("eventcategory","1001020203"); + +var dup110 = setc("eventcategory","1204000000"); + +var dup111 = setc("eventcategory","1001020307"); + +var dup112 = setc("eventcategory","1401060000"); + +var dup113 = // "Pattern{Field(threat_val,true), Constant(' ]:alert '), Field(p0,false)}" +match("MESSAGE#5535:3086/0_0", "nwparser.payload", "%{threat_val->} ]:alert %{p0}"); + +var dup114 = // "Pattern{Field(threat_val,false), Constant(']: '), Field(p0,false)}" +match("MESSAGE#5535:3086/0_1", "nwparser.payload", "%{threat_val}]: %{p0}"); + +var dup115 = // "Pattern{Field(threat_val,true), Constant(' ] '), Field(p0,false)}" +match("MESSAGE#5535:3086/0_2", "nwparser.payload", "%{threat_val->} ] %{p0}"); + +var dup116 = // "Pattern{Constant(''), Field(p0,false)}" +match("MESSAGE#5535:3086/1", "nwparser.p0", "%{p0}"); + +var dup117 = setc("eventcategory","1003050000"); + +var dup118 = setc("eventcategory","1001020201"); + +var dup119 = setc("eventcategory","1207040100"); + +var dup120 = setc("eventcategory","1102000000"); + +var dup121 = setc("eventcategory","1003010800"); + +var dup122 = setc("eventcategory","1603090000"); + +var dup123 = setc("eventcategory","1003040000"); + +var dup124 = // "Pattern{Constant(':alert '), Field(p0,false)}" +match("MESSAGE#30119:28015/1_1", "nwparser.p0", ":alert %{p0}"); + +var dup125 = // "Pattern{Constant(''), Field(saddr,true), Constant(' -> '), Field(p0,false)}" +match("MESSAGE#36377:34596/3_1", "nwparser.p0", "%{saddr->} -> %{p0}"); + +var dup126 = // "Pattern{Constant(''), Field(daddr,false)}" +match("MESSAGE#36377:34596/4_1", "nwparser.p0", "%{daddr}"); + +var dup127 = setc("eventcategory","1605000000"); + +var dup128 = setc("dclass_counter1_string","connections"); + +var dup129 = date_time({ + dest: "event_time", + args: ["event_time_string"], + fmts: [ + [dB,dF,dH,dc(":"),dT,dc(":"),dS,dW], + ], +}); + +var dup130 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' MAC: '), Field(smacaddr,true), Constant(' TTL '), Field(p0,false)}" +match("MESSAGE#38458:MAC_Information_Change/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} MAC: %{smacaddr->} TTL %{p0}"); + +var dup131 = // "Pattern{Field(sinterface,true), Constant(' ('), Field(protocol,true), Constant(' detected)')}" +match("MESSAGE#38458:MAC_Information_Change/1_0", "nwparser.p0", "%{sinterface->} (%{protocol->} detected)"); + +var dup132 = // "Pattern{Field(sinterface,false)}" +match_copy("MESSAGE#38458:MAC_Information_Change/1_1", "nwparser.p0", "sinterface"); + +var dup133 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> '), Field(p0,false)}" +match("MESSAGE#38461:New_Host/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> %{p0}"); + +var dup134 = // "Pattern{Field(protocol,false)}" +match_copy("MESSAGE#38462:New_Network_Protocol/2", "nwparser.p0", "protocol"); + +var dup135 = setc("eventcategory","1605020000"); + +var dup136 = // "Pattern{Field(protocol,true), Constant(' Confidence: '), Field(result,false)}" +match("MESSAGE#38468:TCP_Service_Information_Update/1_0", "nwparser.p0", "%{protocol->} Confidence: %{result}"); + +var dup137 = setc("ec_subject","User"); + +var dup138 = setc("ec_activity","Logon"); + +var dup139 = setc("ec_theme","Authentication"); + +var dup140 = setc("ec_outcome","Success"); + +var dup141 = setf("filename","hfld1"); + +var dup142 = setf("username","hfld3"); + +var dup143 = setf("hostip","hfld2"); + +var dup144 = setc("ec_activity","Logoff"); + +var dup145 = // "Pattern{Constant('>'), Field(p0,false)}" +match("MESSAGE#38495:SystemSettings:09/1_0", "nwparser.p0", ">%{p0}"); + +var dup146 = setc("category","Session Expiration"); + +var dup147 = // "Pattern{Field(fld1,false), Constant(']['), Field(policyname,false), Constant('] Connection Type: '), Field(event_state,false), Constant(', User: '), Field(username,false), Constant(', Client: '), Field(application,false), Constant(', Application Protocol: '), Field(protocol,false), Constant(', Web App: '), Field(application,false), Constant(', Access Control Rule Name: '), Field(rulename,false), Constant(', Access Control Rule Action: '), Field(action,false), Constant(', Access Control Rule Reasons: '), Field(result,false), Constant(', URL Category: '), Field(category,false), Constant(', URL Reputation: '), Field(p0,false)}" +match("MESSAGE#38514:Primary_Detection_Engine/0", "nwparser.payload", "%{fld1}][%{policyname}] Connection Type: %{event_state}, User: %{username}, Client: %{application}, Application Protocol: %{protocol}, Web App: %{application}, Access Control Rule Name: %{rulename}, Access Control Rule Action: %{action}, Access Control Rule Reasons: %{result}, URL Category: %{category}, URL Reputation: %{p0}"); + +var dup148 = // "Pattern{Constant('Risk unknown, URL: '), Field(p0,false)}" +match("MESSAGE#38514:Primary_Detection_Engine/1_0", "nwparser.p0", "Risk unknown, URL: %{p0}"); + +var dup149 = // "Pattern{Field(reputation_num,false), Constant(', URL: '), Field(p0,false)}" +match("MESSAGE#38514:Primary_Detection_Engine/1_1", "nwparser.p0", "%{reputation_num}, URL: %{p0}"); + +var dup150 = setc("eventcategory","1801000000"); + +var dup151 = setc("dclass_counter1_string","Number of File Events"); + +var dup152 = setc("dclass_counter2_string","Number of IPS Events"); + +var dup153 = // "Pattern{Constant('-*> '), Field(p0,false)}" +match("MESSAGE#38521:Network_Based_Retrospective/1_0", "nwparser.p0", "-*> %{p0}"); + +var dup154 = // "Pattern{Constant('> '), Field(p0,false)}" +match("MESSAGE#38521:Network_Based_Retrospective/1_1", "nwparser.p0", "> %{p0}"); + +var dup155 = // "Pattern{Constant('From "'), Field(sensor,false), Constant('" at '), Field(p0,false)}" +match("MESSAGE#38522:Network_Based_Retrospective:01/1_0", "nwparser.p0", "From \"%{sensor}\" at %{p0}"); + +var dup156 = // "Pattern{Constant('at '), Field(p0,false)}" +match("MESSAGE#38522:Network_Based_Retrospective:01/1_1", "nwparser.p0", "at %{p0}"); + +var dup157 = // "Pattern{Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC '), Field(p0,false)}" +match("MESSAGE#38522:Network_Based_Retrospective:01/2", "nwparser.p0", "%{fld6->} %{event_time_string->} UTC %{p0}"); + +var dup158 = date_time({ + dest: "event_time", + args: ["month","day","time"], + fmts: [ + [dB,dF,dH,dc(":"),dT,dc(":"),dS], + ], +}); + +var dup159 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' '), Field(network_service,false)}" +match("MESSAGE#38528:Client_Update/4", "nwparser.p0", "IP Address: %{saddr->} %{network_service}"); + +var dup160 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(p0,false)}" +match("MESSAGE#38530:UDP_Server_Information_Update/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); + +var dup161 = date_time({ + dest: "event_time", + args: ["hyear","hmonth","day","time"], + fmts: [ + [dW,dG,dF,dH,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup162 = date_time({ + dest: "event_time", + args: ["month","day","hyear","time"], + fmts: [ + [dB,dF,dW,dH,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup163 = date_time({ + dest: "starttime", + args: ["fld21"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dc("T"),dH,dc(":"),dU,dc(":"),dO,dc("Z")], + ], +}); + +var dup164 = setf("msg_id","hfld3"); + +var dup165 = constant("1003030000"); + +var dup166 = constant("1001000000"); + +var dup167 = linear_select([ + dup3, + dup4, +]); + +var dup168 = linear_select([ + dup6, + dup7, +]); + +var dup169 = linear_select([ + dup9, + dup10, +]); + +var dup170 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(msgIdPart3,true), Constant(' '), Field(p0,false)}" +match("HEADER#26:0011/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{p0}", processor_chain([ + dup19, +])); + +var dup171 = linear_select([ + dup26, + dup27, +]); + +var dup172 = linear_select([ + dup33, + dup34, + dup35, + dup36, +]); + +var dup173 = linear_select([ + dup38, + dup39, + dup40, +]); + +var dup174 = linear_select([ + dup41, + dup42, + dup43, +]); + +var dup175 = linear_select([ + dup58, + dup59, +]); + +var dup176 = linear_select([ + dup67, + dup68, + dup69, +]); + +var dup177 = linear_select([ + dup113, + dup114, + dup115, +]); + +var dup178 = linear_select([ + dup68, + dup69, +]); + +var dup179 = linear_select([ + dup67, + dup124, + dup68, + dup69, +]); + +var dup180 = linear_select([ + dup39, + dup125, +]); + +var dup181 = linear_select([ + dup42, + dup126, +]); + +var dup182 = linear_select([ + dup131, + dup132, +]); + +var dup183 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' OS: '), Field(version,true), Constant(' Confidence: '), Field(result,false)}" +match("MESSAGE#38465:OS_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{version->} Confidence: %{result}", processor_chain([ + dup127, + dup31, + dup32, + dup47, + dup129, +])); + +var dup184 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(protocol,true), Constant(' Confidence: '), Field(result,false)}" +match("MESSAGE#38467:TCP_Service_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result}", processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, +])); + +var dup185 = linear_select([ + dup136, + dup134, +]); + +var dup186 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' '), Field(product,false)}" +match("MESSAGE#38471:New_Client_Application", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} %{product}", processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, +])); + +var dup187 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,false)}" +match("MESSAGE#38473:New_TCP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport}", processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, +])); + +var dup188 = // "Pattern{Field(context,true), Constant(' From '), Field(sensor,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,false)}" +match("MESSAGE#38475:TCP_Port_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr}", processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, +])); + +var dup189 = linear_select([ + dup148, + dup149, +]); + +var dup190 = linear_select([ + dup153, + dup154, +]); + +var dup191 = linear_select([ + dup155, + dup156, +]); + +var dup192 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup193 = all_match({ + processors: [ + dup57, + dup175, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + ]), +}); + +var dup194 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup61, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup195 = all_match({ + processors: [ + dup57, + dup175, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup61, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + ]), +}); + +var dup196 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup62, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup197 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup63, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup198 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup64, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup199 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup65, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup200 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup201 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup70, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup202 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup71, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup203 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup204 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup205 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup45, + dup77, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup206 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup77, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup207 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup62, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup208 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup78, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup209 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup79, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup210 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup80, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup211 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup81, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup212 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup61, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup213 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup82, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup214 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup83, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup215 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup85, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup216 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup85, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup217 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup62, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup218 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup86, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup219 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup86, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup220 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup64, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup221 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup63, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup222 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup80, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup223 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup80, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup224 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup87, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup225 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup88, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup226 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup88, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup227 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup83, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup228 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup83, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup229 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup61, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup230 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup89, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup231 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup89, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup232 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup89, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup233 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup89, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup234 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup61, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup235 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup61, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup236 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup91, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup237 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup91, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup238 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup92, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup239 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup92, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup240 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup93, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup241 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup93, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup242 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup94, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup243 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup94, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup244 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup62, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup245 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup62, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup246 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup95, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup247 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup95, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup248 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup96, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup249 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup96, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup250 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup97, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup251 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup97, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup252 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup80, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup253 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup79, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup254 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup79, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup255 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup78, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup256 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup78, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup257 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup98, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup258 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup78, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup259 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup78, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup260 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup99, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup261 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup99, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup262 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup263 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup100, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup264 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup100, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup265 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup81, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup266 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup81, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup267 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup101, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup268 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup101, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup269 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup102, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup270 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup102, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup271 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup103, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup272 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup103, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup273 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup90, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup274 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup104, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup275 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup104, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup276 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup105, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup277 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup105, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup278 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup106, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup279 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup106, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup280 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup98, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup281 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup107, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup282 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup107, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup283 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup94, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup284 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup94, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup285 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup108, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup286 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup108, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup287 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup79, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup288 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup79, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup289 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup70, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup290 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup92, + dup31, + dup45, + dup77, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup291 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup78, + dup31, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup292 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup94, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup293 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup80, + dup31, + dup45, + dup77, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup294 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup80, + dup31, + dup77, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup295 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup109, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup296 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup109, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup297 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup110, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup298 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup111, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup299 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup111, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup300 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup110, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var dup301 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup112, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup302 = all_match({ + processors: [ + dup177, + dup116, + dup173, + dup174, + ], + on_success: processor_chain([ + dup81, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup303 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup117, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup304 = all_match({ + processors: [ + dup177, + dup116, + dup173, + dup174, + ], + on_success: processor_chain([ + dup101, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup305 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup118, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup306 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup105, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup307 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup70, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup308 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup78, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup309 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup63, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup310 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup81, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup311 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup101, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup312 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup119, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup313 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup120, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup314 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup71, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup315 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup94, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup316 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup65, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup317 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup121, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup318 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup100, + dup31, + dup45, + dup77, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup319 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup122, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup320 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup123, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup321 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup100, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup322 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup99, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup323 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup79, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup324 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup64, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup325 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup102, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup326 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup119, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup327 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup121, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup328 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup93, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup329 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup120, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup330 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup108, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup331 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup104, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup332 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup90, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup333 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup83, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup334 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup89, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup335 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup97, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup336 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup61, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup337 = all_match({ + processors: [ + dup66, + dup179, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup101, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup338 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup118, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup339 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup100, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup340 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup71, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup341 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup63, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup342 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup102, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup343 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup79, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup344 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup70, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup345 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup64, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup346 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup99, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup347 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup101, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup348 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup65, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup349 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup105, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup350 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup81, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup351 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup78, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup352 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup104, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var dup353 = all_match({ + processors: [ + dup57, + dup175, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup83, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + ]), +}); + +var dup354 = all_match({ + processors: [ + dup130, + dup182, + ], + on_success: processor_chain([ + dup127, + dup31, + dup32, + dup47, + dup129, + ]), +}); + +var dup355 = all_match({ + processors: [ + dup57, + dup191, + dup157, + dup190, + dup159, + ], + on_success: processor_chain([ + dup135, + dup31, + dup32, + dup47, + ]), +}); + +var dup356 = all_match({ + processors: [ + dup57, + dup191, + dup157, + dup190, + dup160, + dup185, + ], + on_success: processor_chain([ + dup135, + dup31, + dup32, + dup47, + ]), +}); + +var hdr1 = // "Pattern{Field(hyear,false), Constant('-'), Field(hmonth,false), Constant('-'), Field(day,false), Constant('T'), Field(time,false), Constant('Z %FTD-'), Field(fld2,false), Constant('-'), Field(hfld3,false), Constant(':'), Field(payload,false)}" +match("HEADER#0:0055", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %FTD-%{fld2}-%{hfld3}:%{payload}", processor_chain([ + setc("header_id","0055"), + dup1, +])); + +var hdr2 = // "Pattern{Field(hyear,false), Constant('-'), Field(hmonth,false), Constant('-'), Field(day,false), Constant('T'), Field(time,false), Constant('Z '), Field(hostname,true), Constant(' '), Field(fld1,true), Constant(' %NGIPS-'), Field(severity,false), Constant('-'), Field(hfld3,false), Constant(':'), Field(payload,false)}" +match("HEADER#1:0056", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %{hostname->} %{fld1->} %NGIPS-%{severity}-%{hfld3}:%{payload}", processor_chain([ + setc("header_id","0056"), + setc("messageid","NGIPS_events"), +])); + +var part1 = // "Pattern{Field(result,false), Constant('] From '), Field(p0,false)}" +match("HEADER#2:00010/2", "nwparser.p0", "%{result}] From %{p0}"); + +var part2 = // "Pattern{Constant('"'), Field(group_object,false), Constant('/'), Field(hfld11,false), Constant('" at '), Field(p0,false)}" +match("HEADER#2:00010/3_0", "nwparser.p0", "\"%{group_object}/%{hfld11}\" at %{p0}"); + +var part3 = // "Pattern{Field(group_object,false), Constant('/'), Field(hfld11,true), Constant(' at '), Field(p0,false)}" +match("HEADER#2:00010/3_1", "nwparser.p0", "%{group_object}/%{hfld11->} at %{p0}"); + +var select1 = linear_select([ + part2, + part3, +]); + +var part4 = // "Pattern{Field(fld9,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" +match("HEADER#2:00010/4", "nwparser.p0", "%{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); + +var all1 = all_match({ + processors: [ + dup2, + dup167, + part1, + select1, + part4, + ], + on_success: processor_chain([ + setc("header_id","00010"), + ]), +}); + +var all2 = all_match({ + processors: [ + dup2, + dup167, + dup5, + ], + on_success: processor_chain([ + setc("header_id","00011"), + ]), +}); + +var all3 = all_match({ + processors: [ + dup2, + dup168, + dup8, + ], + on_success: processor_chain([ + setc("header_id","00012"), + ]), +}); + +var all4 = all_match({ + processors: [ + dup2, + dup169, + dup11, + ], + on_success: processor_chain([ + setc("header_id","00013"), + ]), +}); + +var hdr3 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant(':'), Field(hfld3,true), Constant(' at '), Field(hfld4,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant(']'), Field(payload,false)}" +match("HEADER#6:0015", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: %{hfld2}:%{hfld3->} at %{hfld4}: [%{hevent_source}:%{messageid}:%{hversion}]%{payload}", processor_chain([ + setc("header_id","0015"), +])); + +var all5 = all_match({ + processors: [ + dup12, + dup167, + dup13, + ], + on_success: processor_chain([ + setc("header_id","00020"), + ]), +}); + +var all6 = all_match({ + processors: [ + dup12, + dup167, + dup5, + ], + on_success: processor_chain([ + setc("header_id","00021"), + ]), +}); + +var all7 = all_match({ + processors: [ + dup12, + dup168, + dup8, + ], + on_success: processor_chain([ + setc("header_id","00022"), + ]), +}); + +var all8 = all_match({ + processors: [ + dup12, + dup169, + dup11, + ], + on_success: processor_chain([ + setc("header_id","00023"), + ]), +}); + +var all9 = all_match({ + processors: [ + dup14, + dup167, + dup13, + ], + on_success: processor_chain([ + setc("header_id","00030"), + ]), +}); + +var all10 = all_match({ + processors: [ + dup14, + dup167, + dup5, + ], + on_success: processor_chain([ + setc("header_id","00031"), + ]), +}); + +var all11 = all_match({ + processors: [ + dup14, + dup168, + dup8, + ], + on_success: processor_chain([ + setc("header_id","00032"), + ]), +}); + +var all12 = all_match({ + processors: [ + dup14, + dup169, + dup11, + ], + on_success: processor_chain([ + setc("header_id","00033"), + ]), +}); + +var hdr4 = // "Pattern{Constant('snort['), Field(hpid,false), Constant(']: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" +match("HEADER#15:0030/0", "message", "snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); + +var all13 = all_match({ + processors: [ + hdr4, + dup168, + dup8, + ], + on_success: processor_chain([ + setc("header_id","0030"), + ]), +}); + +var hdr5 = // "Pattern{Constant('snort['), Field(hpid,false), Constant(']: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(payload,false)}" +match("HEADER#16:0004", "message", "snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ + setc("header_id","0004"), +])); + +var hdr6 = // "Pattern{Constant('snort: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(payload,false)}" +match("HEADER#17:0005", "message", "snort: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ + setc("header_id","0005"), +])); + +var hdr7 = // "Pattern{Constant('snort['), Field(hpid,false), Constant(']: '), Field(messageid,false), Constant(': '), Field(payload,false)}" +match("HEADER#18:0018", "message", "snort[%{hpid}]: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0018"), +])); + +var hdr8 = // "Pattern{Constant('snort: '), Field(messageid,false), Constant(': '), Field(payload,false)}" +match("HEADER#19:0006", "message", "snort: %{messageid}: %{payload}", processor_chain([ + setc("header_id","0006"), +])); + +var hdr9 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' snort['), Field(hpid,false), Constant(']: '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#20:0007", "message", "%{month->} %{day->} %{time->} %{host->} snort[%{hpid}]: %{messageid->} %{p0}", processor_chain([ + setc("header_id","0007"), + dup15, +])); + +var hdr10 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' snort['), Field(hpid,false), Constant(']: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(payload,false)}" +match("HEADER#21:0008", "message", "%{month->} %{day->} %{time->} %{host->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ + setc("header_id","0008"), +])); + +var hdr11 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(hostname,true), Constant(' '), Field(hfld1,false), Constant(': [Primary Detection Engine ('), Field(hfld10,false), Constant(')]['), Field(policyname,false), Constant(']['), Field(hfld2,false), Constant(':'), Field(id,false), Constant(':'), Field(hfld3,false), Constant(']'), Field(payload,false)}" +match("HEADER#22:0046", "message", "%{month->} %{day->} %{time->} %{hostname->} %{hfld1}: [Primary Detection Engine (%{hfld10})][%{policyname}][%{hfld2}:%{id}:%{hfld3}]%{payload}", processor_chain([ + setc("header_id","0046"), + dup16, +])); + +var hdr12 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': ['), Field(hpid,false), Constant(']['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(payload,false)}" +match("HEADER#23:0009", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hpid}][%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ + setc("header_id","0009"), +])); + +var hdr13 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(hfld3,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld5,false), Constant(': '), Field(hfld6,false), Constant(': '), Field(hfld7,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' From '), Field(hsensor,true), Constant(' at '), Field(p0,false)}" +match("HEADER#24:0022", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{host->} %{hfld5}: %{hfld6}: %{hfld7}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} From %{hsensor->} at %{p0}", processor_chain([ + setc("header_id","0022"), + dup17, + dup18, +])); + +var hdr14 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' From '), Field(hsensor,true), Constant(' at '), Field(p0,false)}" +match("HEADER#25:0010", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} From %{hsensor->} at %{p0}", processor_chain([ + setc("header_id","0010"), + dup17, + dup18, +])); + +var part5 = // "Pattern{Constant('From '), Field(hsensor,true), Constant(' at'), Field(p0,false)}" +match("HEADER#26:0011/1_0", "nwparser.p0", "From %{hsensor->} at%{p0}"); + +var select2 = linear_select([ + part5, + dup20, +]); + +var all14 = all_match({ + processors: [ + dup170, + select2, + dup21, + ], + on_success: processor_chain([ + setc("header_id","0011"), + dup22, + ]), +}); + +var part6 = // "Pattern{Field(fld10,true), Constant(' From '), Field(hsensor,true), Constant(' at'), Field(p0,false)}" +match("HEADER#27:0014/1_0", "nwparser.p0", "%{fld10->} From %{hsensor->} at%{p0}"); + +var select3 = linear_select([ + part6, + dup20, +]); + +var all15 = all_match({ + processors: [ + dup170, + select3, + dup21, + ], + on_success: processor_chain([ + setc("header_id","0014"), + dup22, + ]), +}); + +var hdr15 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(msgIdPart3,true), Constant(' '), Field(msgIdPart4,true), Constant(' From '), Field(hsensor,true), Constant(' at '), Field(p0,false)}" +match("HEADER#28:0012", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{msgIdPart4->} From %{hsensor->} at %{p0}", processor_chain([ + setc("header_id","0012"), + dup23, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant(" "), + field("msgIdPart3"), + constant(" "), + field("msgIdPart4"), + constant(" From "), + field("hsensor"), + constant(" at "), + field("p0"), + ], + }), +])); + +var hdr16 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(msgIdPart3,true), Constant(' '), Field(msgIdPart4,true), Constant(' '), Field(hfld12,true), Constant(' From '), Field(hsensor,true), Constant(' at '), Field(p0,false)}" +match("HEADER#29:0016", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{msgIdPart4->} %{hfld12->} From %{hsensor->} at %{p0}", processor_chain([ + setc("header_id","0016"), + dup23, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant(" "), + field("msgIdPart3"), + constant(" "), + field("msgIdPart4"), + constant(" "), + field("hfld12"), + constant(" From "), + field("hsensor"), + constant(" at "), + field("p0"), + ], + }), +])); + +var hdr17 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' snort: '), Field(messageid,false), Constant(':'), Field(payload,false)}" +match("HEADER#30:0013", "message", "%{month->} %{day->} %{time->} %{host->} snort: %{messageid}:%{payload}", processor_chain([ + setc("header_id","0013"), +])); + +var hdr18 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(fld,false), Constant(': HMNOTIFY: '), Field(payload,false)}" +match("HEADER#31:0020", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: HMNOTIFY: %{payload}", processor_chain([ + setc("header_id","0020"), + dup24, +])); + +var hdr19 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' : HMNOTIFY: '), Field(payload,false)}" +match("HEADER#32:0035", "message", "%{month->} %{day->} %{time->} %{host->} : HMNOTIFY: %{payload}", processor_chain([ + setc("header_id","0035"), + dup24, +])); + +var hdr20 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(fld,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(hsigid,false), Constant(':'), Field(hversion,false), Constant('] "'), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#33:0017", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: [%{hevent_source}:%{hsigid}:%{hversion}] \"%{messageid->} %{p0}", processor_chain([ + setc("header_id","0017"), + dup15, +])); + +var hdr21 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(fld,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(hsigid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#34:0019", "message", "%{month->} %{day->} %{time->} %{host->} %{fld}: [%{hevent_source}:%{hsigid}:%{hversion}] %{messageid->} %{p0}", processor_chain([ + setc("header_id","0019"), + dup15, +])); + +var hdr22 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(hostname,true), Constant(' '), Field(hfld1,false), Constant(': [Primary Detection Engine'), Field(payload,false)}" +match("HEADER#35:0041", "message", "%{month->} %{day->} %{time->} %{hostname->} %{hfld1}: [Primary Detection Engine%{payload}", processor_chain([ + setc("header_id","0041"), + dup16, +])); + +var hdr23 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': Protocol: '), Field(hprotocol,false), Constant(', '), Field(payload,false)}" +match("HEADER#36:0045", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: Protocol: %{hprotocol}, %{payload}", processor_chain([ + setc("header_id","0045"), + setc("messageid","connection_events"), +])); + +var hdr24 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(hfld1,false), Constant(': '), Field(hfld4,true), Constant(' '), Field(host,false), Constant(': '), Field(hfld3,false), Constant('@'), Field(hfld2,false), Constant(', '), Field(payload,false)}" +match("HEADER#37:0042", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{hfld4->} %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ + setc("header_id","0042"), + dup25, +])); + +var hdr25 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(hfld1,false), Constant(': ['), Field(hfld5,false), Constant('] '), Field(host,false), Constant(': '), Field(hfld3,false), Constant('@'), Field(hfld2,false), Constant(', '), Field(payload,false)}" +match("HEADER#38:00212", "message", "%{month->} %{day->} %{time->} %{hfld1}: [%{hfld5}] %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ + setc("header_id","00212"), + dup25, +])); + +var hdr26 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(hfld1,false), Constant(': '), Field(host,false), Constant(': '), Field(hfld3,false), Constant('@'), Field(hfld2,false), Constant(', '), Field(payload,false)}" +match("HEADER#39:0021", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{host}: %{hfld3}@%{hfld2}, %{payload}", processor_chain([ + setc("header_id","0021"), + dup25, +])); + +var hdr27 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(payload,false)}" +match("HEADER#40:0029", "message", "%{month->} %{day->} %{time->} %{host}: [%{hevent_source}:%{messageid}:%{hversion}] %{payload}", processor_chain([ + setc("header_id","0029"), +])); + +var hdr28 = // "Pattern{Constant('snort'), Field(p0,false)}" +match("HEADER#41:0024/0", "message", "snort%{p0}"); + +var all16 = all_match({ + processors: [ + hdr28, + dup171, + dup28, + ], + on_success: processor_chain([ + setc("header_id","0024"), + dup29, + ]), +}); + +var hdr29 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' snort'), Field(p0,false)}" +match("HEADER#42:0025/0", "message", "%{month->} %{day->} %{time->} snort%{p0}"); + +var all17 = all_match({ + processors: [ + hdr29, + dup171, + dup28, + ], + on_success: processor_chain([ + setc("header_id","0025"), + dup29, + ]), +}); + +var part7 = // "Pattern{Field(result,false), Constant('] From '), Field(group_object,false), Constant('/'), Field(hfld11,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" +match("HEADER#43:0023/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); + +var all18 = all_match({ + processors: [ + dup30, + dup167, + part7, + ], + on_success: processor_chain([ + setc("header_id","0023"), + dup29, + ]), +}); + +var part8 = // "Pattern{Field(result,false), Constant('] From '), Field(hfld11,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" +match("HEADER#44:0026/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); + +var all19 = all_match({ + processors: [ + dup30, + dup167, + part8, + ], + on_success: processor_chain([ + setc("header_id","0026"), + dup29, + ]), +}); + +var all20 = all_match({ + processors: [ + dup30, + dup168, + dup8, + ], + on_success: processor_chain([ + setc("header_id","0027"), + dup29, + ]), +}); + +var all21 = all_match({ + processors: [ + dup30, + dup169, + dup11, + ], + on_success: processor_chain([ + setc("header_id","0028"), + dup29, + ]), +}); + +var hdr30 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': Sha256:'), Field(hfld2,true), Constant(' Disposition: Malware'), Field(p0,false)}" +match("HEADER#47:0040", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: Sha256:%{hfld2->} Disposition: Malware%{p0}", processor_chain([ + setc("header_id","0040"), + setc("messageid","MALWARE"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant(" Disposition: Malware"), + field("p0"), + ], + }), +])); + +var hdr31 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(msgIdPart3,true), Constant(' From '), Field(hsensor,true), Constant(' at '), Field(p0,false)}" +match("HEADER#48:0043", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} From %{hsensor->} at %{p0}", processor_chain([ + setc("header_id","0043"), + dup22, + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant(" "), + field("msgIdPart2"), + constant(" "), + field("msgIdPart3"), + constant(" From "), + field("hsensor"), + constant(" at "), + field("p0"), + ], + }), +])); + +var hdr32 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(messageid,false), Constant('['), Field(process_id,false), Constant(']: '), Field(payload,false)}" +match("HEADER#49:0044", "message", "%{month->} %{day->} %{time->} %{host->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ + setc("header_id","0044"), +])); + +var hdr33 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(hyear,true), Constant(' '), Field(time,true), Constant(' '), Field(p0,false)}" +match("HEADER#50:0057/0", "message", "%{month->} %{day->} %{hyear->} %{time->} %{p0}"); + +var part9 = // "Pattern{Field(hostname,false), Constant(': %FTD-'), Field(p0,false)}" +match("HEADER#50:0057/1_0", "nwparser.p0", "%{hostname}: %FTD-%{p0}"); + +var part10 = // "Pattern{Field(hostname,true), Constant(' %FTD-'), Field(p0,false)}" +match("HEADER#50:0057/1_1", "nwparser.p0", "%{hostname->} %FTD-%{p0}"); + +var select4 = linear_select([ + part9, + part10, +]); + +var part11 = // "Pattern{Field(fld2,false), Constant('-'), Field(hfld3,false), Constant(':'), Field(payload,false)}" +match("HEADER#50:0057/2", "nwparser.p0", "%{fld2}-%{hfld3}:%{payload}"); + +var all22 = all_match({ + processors: [ + hdr33, + select4, + part11, + ], + on_success: processor_chain([ + setc("header_id","0057"), + dup1, + ]), +}); + +var hdr34 = // "Pattern{Field(hyear,false), Constant('-'), Field(hmonth,false), Constant('-'), Field(day,false), Constant('T'), Field(time,false), Constant('Z '), Field(hostname,true), Constant(' %FTD-'), Field(fld2,false), Constant('-'), Field(hfld3,false), Constant(':'), Field(payload,false)}" +match("HEADER#51:0058", "message", "%{hyear}-%{hmonth}-%{day}T%{time}Z %{hostname->} %FTD-%{fld2}-%{hfld3}:%{payload}", processor_chain([ + setc("header_id","0058"), + dup1, +])); + +var select5 = linear_select([ + hdr1, + hdr2, + all1, + all2, + all3, + all4, + hdr3, + all5, + all6, + all7, + all8, + all9, + all10, + all11, + all12, + all13, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + hdr13, + hdr14, + all14, + all15, + hdr15, + hdr16, + hdr17, + hdr18, + hdr19, + hdr20, + hdr21, + hdr22, + hdr23, + hdr24, + hdr25, + hdr26, + hdr27, + all16, + all17, + all18, + all19, + all20, + all21, + hdr30, + hdr31, + hdr32, + all22, + hdr34, +]); + +var part12 = // "Pattern{Field(event_type,true), Constant(' (Sensor '), Field(sensor,false), Constant('): Severity:'), Field(severity,false), Constant(': '), Field(result,false)}" +match("MESSAGE#0:HMNOTIFY", "nwparser.payload", "%{event_type->} (Sensor %{sensor}): Severity:%{severity}: %{result}", processor_chain([ + setc("eventcategory","1604000000"), + dup31, + dup32, +])); + +var msg1 = msg("HMNOTIFY", part12); + +var msg2 = msg("0", dup192); + +var msg3 = msg("0:01", dup193); + +var select6 = linear_select([ + msg2, + msg3, +]); + +var msg4 = msg("1", dup194); + +var msg5 = msg("1:01", dup195); + +var select7 = linear_select([ + msg4, + msg5, +]); + +var msg6 = msg("2", dup192); + +var msg7 = msg("2:01", dup193); + +var select8 = linear_select([ + msg6, + msg7, +]); + +var msg8 = msg("3", dup192); + +var msg9 = msg("3:01", dup193); + +var select9 = linear_select([ + msg8, + msg9, +]); + +var msg10 = msg("3-10127", dup196); + +var msg11 = msg("3-10161", dup197); + +var msg12 = msg("3-10480", dup196); + +var msg13 = msg("3-10481", dup196); + +var msg14 = msg("3-11619", dup196); + +var msg15 = msg("3-11672", dup196); + +var msg16 = msg("3-12028", dup196); + +var msg17 = msg("3-12636", dup196); + +var msg18 = msg("3-12692", dup196); + +var msg19 = msg("3-7019", dup196); + +var msg20 = msg("3-7196", dup197); + +var msg21 = msg("3-8092", dup198); + +var msg22 = msg("3-8351", dup197); + +var msg23 = msg("3-10126", dup196); + +var msg24 = msg("4", dup192); + +var msg25 = msg("4:01", dup193); + +var select10 = linear_select([ + msg24, + msg25, +]); + +var msg26 = msg("5", dup195); + +var msg27 = msg("6", dup192); + +var msg28 = msg("6:01", dup193); + +var select11 = linear_select([ + msg27, + msg28, +]); + +var msg29 = msg("7", dup192); + +var msg30 = msg("7:01", dup193); + +var select12 = linear_select([ + msg29, + msg30, +]); + +var msg31 = msg("8", dup194); + +var msg32 = msg("8:01", dup195); + +var select13 = linear_select([ + msg31, + msg32, +]); + +var msg33 = msg("9", dup199); + +var msg34 = msg("10", dup200); + +var all23 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + setc("eventcategory","1614000000"), + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg35 = msg("11", all23); + +var msg36 = msg("12", dup192); + +var msg37 = msg("12:01", dup193); + +var select14 = linear_select([ + msg36, + msg37, +]); + +var msg38 = msg("13", dup192); + +var msg39 = msg("13:01", dup193); + +var select15 = linear_select([ + msg38, + msg39, +]); + +var msg40 = msg("14", dup192); + +var msg41 = msg("15", dup192); + +var msg42 = msg("15:01", dup193); + +var select16 = linear_select([ + msg41, + msg42, +]); + +var msg43 = msg("16", dup192); + +var msg44 = msg("16:01", dup193); + +var select17 = linear_select([ + msg43, + msg44, +]); + +var msg45 = msg("17", dup192); + +var msg46 = msg("17:01", dup193); + +var select18 = linear_select([ + msg45, + msg46, +]); + +var msg47 = msg("18", dup192); + +var msg48 = msg("18:01", dup193); + +var select19 = linear_select([ + msg47, + msg48, +]); + +var msg49 = msg("19", dup194); + +var msg50 = msg("19:01", dup195); + +var select20 = linear_select([ + msg49, + msg50, +]); + +var msg51 = msg("20", dup194); + +var msg52 = msg("20:01", dup195); + +var select21 = linear_select([ + msg51, + msg52, +]); + +var msg53 = msg("21", dup194); + +var msg54 = msg("21:01", dup195); + +var select22 = linear_select([ + msg53, + msg54, +]); + +var msg55 = msg("23", dup194); + +var msg56 = msg("23:01", dup195); + +var select23 = linear_select([ + msg55, + msg56, +]); + +var msg57 = msg("24", dup201); + +var msg58 = msg("25", dup201); + +var all24 = all_match({ + processors: [ + dup57, + dup175, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup70, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + ]), +}); + +var msg59 = msg("25:01", all24); + +var select24 = linear_select([ + msg58, + msg59, +]); + +var msg60 = msg("26", dup195); + +var msg61 = msg("27", dup202); + +var msg62 = msg("28", dup202); + +var msg63 = msg("29", dup202); + +var msg64 = msg("30", dup202); + +var msg65 = msg("34", dup202); + +var msg66 = msg("45", dup192); + +var msg67 = msg("46", dup192); + +var msg68 = msg("46:01", dup193); + +var select25 = linear_select([ + msg67, + msg68, +]); + +var msg69 = msg("47", dup192); + +var msg70 = msg("47:01", dup193); + +var select26 = linear_select([ + msg69, + msg70, +]); + +var msg71 = msg("54", dup192); + +var msg72 = msg("54:01", dup193); + +var select27 = linear_select([ + msg71, + msg72, +]); + +var msg73 = msg("55", dup192); + +var msg74 = msg("55:01", dup193); + +var select28 = linear_select([ + msg73, + msg74, +]); + +var msg75 = msg("58", dup192); + +var msg76 = msg("58:01", dup193); + +var select29 = linear_select([ + msg75, + msg76, +]); + +var msg77 = msg("96", dup192); + +var msg78 = msg("97", dup192); + +var msg79 = msg("97:01", dup193); + +var select30 = linear_select([ + msg78, + msg79, +]); + +var msg80 = msg("103", dup203); + +var msg81 = msg("103:01", dup204); + +var select31 = linear_select([ + msg80, + msg81, +]); + +var msg82 = msg("104", dup205); + +var msg83 = msg("104:01", dup206); + +var select32 = linear_select([ + msg82, + msg83, +]); + +var msg84 = msg("105", dup203); + +var msg85 = msg("105:01", dup204); + +var select33 = linear_select([ + msg84, + msg85, +]); + +var msg86 = msg("105-1", dup203); + +var msg87 = msg("105-2", dup203); + +var msg88 = msg("105-3", dup203); + +var msg89 = msg("105-4", dup207); + +var msg90 = msg("106", dup203); + +var msg91 = msg("106:01", dup204); + +var select34 = linear_select([ + msg90, + msg91, +]); + +var msg92 = msg("106-1", dup208); + +var msg93 = msg("106-2", dup209); + +var msg94 = msg("106-3", dup208); + +var msg95 = msg("106-4", dup208); + +var msg96 = msg("107", dup203); + +var msg97 = msg("107:01", dup204); + +var select35 = linear_select([ + msg96, + msg97, +]); + +var msg98 = msg("108", dup203); + +var all25 = all_match({ + processors: [ + dup57, + dup175, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + ]), +}); + +var msg99 = msg("108:01", all25); + +var msg100 = msg("108:02", dup204); + +var select36 = linear_select([ + msg98, + msg99, + msg100, +]); + +var msg101 = msg("109", dup203); + +var msg102 = msg("109:01", dup204); + +var select37 = linear_select([ + msg101, + msg102, +]); + +var msg103 = msg("110", dup203); + +var msg104 = msg("110:01", dup204); + +var select38 = linear_select([ + msg103, + msg104, +]); + +var msg105 = msg("110-1", dup207); + +var msg106 = msg("110-2", dup207); + +var msg107 = msg("110-3", dup207); + +var msg108 = msg("110-4", dup207); + +var msg109 = msg("111", dup203); + +var msg110 = msg("111:01", dup204); + +var select39 = linear_select([ + msg109, + msg110, +]); + +var msg111 = msg("111-1", dup207); + +var msg112 = msg("111-10", dup207); + +var msg113 = msg("111-11", dup207); + +var msg114 = msg("111-12", dup207); + +var msg115 = msg("111-13", dup207); + +var msg116 = msg("111-14", dup207); + +var msg117 = msg("111-15", dup207); + +var msg118 = msg("111-16", dup207); + +var msg119 = msg("111-17", dup207); + +var msg120 = msg("111-2", dup207); + +var msg121 = msg("111-3", dup207); + +var msg122 = msg("111-4", dup207); + +var msg123 = msg("111-5", dup207); + +var msg124 = msg("111-6", dup207); + +var msg125 = msg("111-7", dup207); + +var msg126 = msg("111-8", dup207); + +var msg127 = msg("111-9", dup207); + +var msg128 = msg("112", dup203); + +var msg129 = msg("112:01", dup204); + +var select40 = linear_select([ + msg128, + msg129, +]); + +var msg130 = msg("112-1", dup207); + +var msg131 = msg("112-2", dup207); + +var msg132 = msg("112-3", dup207); + +var msg133 = msg("112-4", dup207); + +var msg134 = msg("113", dup203); + +var msg135 = msg("113:01", dup204); + +var select41 = linear_select([ + msg134, + msg135, +]); + +var msg136 = msg("114", dup203); + +var msg137 = msg("114:01", dup204); + +var select42 = linear_select([ + msg136, + msg137, +]); + +var msg138 = msg("115", dup203); + +var msg139 = msg("115:01", dup204); + +var select43 = linear_select([ + msg138, + msg139, +]); + +var msg140 = msg("115-1", dup207); + +var msg141 = msg("115-2", dup207); + +var msg142 = msg("115-3", dup210); + +var msg143 = msg("115-4", dup210); + +var msg144 = msg("115-5", dup207); + +var msg145 = msg("116", dup203); + +var msg146 = msg("116:01", dup204); + +var select44 = linear_select([ + msg145, + msg146, +]); + +var msg147 = msg("116-5", dup209); + +var msg148 = msg("117", dup203); + +var msg149 = msg("117:01", dup204); + +var select45 = linear_select([ + msg148, + msg149, +]); + +var msg150 = msg("118", dup203); + +var msg151 = msg("118:01", dup204); + +var select46 = linear_select([ + msg150, + msg151, +]); + +var msg152 = msg("119", dup203); + +var all26 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + ]), +}); + +var msg153 = msg("119:01", all26); + +var select47 = linear_select([ + msg152, + msg153, +]); + +var msg154 = msg("119-1", dup211); + +var msg155 = msg("119-10", dup211); + +var msg156 = msg("119-11", dup211); + +var msg157 = msg("119-12", dup211); + +var msg158 = msg("119-13", dup211); + +var msg159 = msg("119-14", dup211); + +var msg160 = msg("119-15", dup211); + +var msg161 = msg("119-16", dup211); + +var msg162 = msg("119-17", dup211); + +var msg163 = msg("119-18", dup211); + +var msg164 = msg("119-2", dup211); + +var msg165 = msg("119-3", dup211); + +var msg166 = msg("119-4", dup211); + +var msg167 = msg("119-5", dup211); + +var msg168 = msg("119-6", dup211); + +var msg169 = msg("119-7", dup211); + +var msg170 = msg("119-8", dup211); + +var msg171 = msg("119-9", dup211); + +var msg172 = msg("120", dup203); + +var msg173 = msg("120:01", dup204); + +var select48 = linear_select([ + msg172, + msg173, +]); + +var msg174 = msg("120-1", dup211); + +var msg175 = msg("121", dup203); + +var msg176 = msg("121:01", dup204); + +var select49 = linear_select([ + msg175, + msg176, +]); + +var msg177 = msg("121-1", dup212); + +var msg178 = msg("121-2", dup212); + +var msg179 = msg("121-3", dup212); + +var msg180 = msg("121-4", dup212); + +var msg181 = msg("122", dup203); + +var msg182 = msg("122:01", dup204); + +var select50 = linear_select([ + msg181, + msg182, +]); + +var msg183 = msg("122-1", dup212); + +var msg184 = msg("122-10", dup212); + +var msg185 = msg("122-11", dup213); + +var msg186 = msg("122-12", dup212); + +var msg187 = msg("122-13", dup212); + +var msg188 = msg("122-14", dup212); + +var msg189 = msg("122-15", dup213); + +var msg190 = msg("122-16", dup212); + +var msg191 = msg("122-17", dup212); + +var msg192 = msg("122-18", dup212); + +var msg193 = msg("122-19", dup213); + +var msg194 = msg("122-2", dup212); + +var msg195 = msg("122-20", dup212); + +var msg196 = msg("122-21", dup212); + +var msg197 = msg("122-22", dup212); + +var msg198 = msg("122-23", dup213); + +var msg199 = msg("122-24", dup212); + +var msg200 = msg("122-25", dup213); + +var msg201 = msg("122-26", dup213); + +var msg202 = msg("122-27", dup212); + +var msg203 = msg("122-3", dup213); + +var msg204 = msg("122-4", dup212); + +var msg205 = msg("122-5", dup212); + +var msg206 = msg("122-6", dup212); + +var msg207 = msg("122-7", dup213); + +var msg208 = msg("122-8", dup212); + +var msg209 = msg("122-9", dup212); + +var msg210 = msg("123-10", dup207); + +var msg211 = msg("123-9", dup207); + +var msg212 = msg("124", dup203); + +var msg213 = msg("124:01", dup204); + +var select51 = linear_select([ + msg212, + msg213, +]); + +var msg214 = msg("124-1", dup210); + +var msg215 = msg("125", dup203); + +var msg216 = msg("125:01", dup204); + +var select52 = linear_select([ + msg215, + msg216, +]); + +var msg217 = msg("125-3", dup207); + +var msg218 = msg("125-5", dup207); + +var msg219 = msg("125-6", dup214); + +var msg220 = msg("125-8", dup207); + +var msg221 = msg("126", dup203); + +var msg222 = msg("126:01", dup204); + +var select53 = linear_select([ + msg221, + msg222, +]); + +var msg223 = msg("126-1", dup207); + +var msg224 = msg("127", dup203); + +var msg225 = msg("127:01", dup204); + +var select54 = linear_select([ + msg224, + msg225, +]); + +var msg226 = msg("128", dup203); + +var msg227 = msg("128:01", dup204); + +var select55 = linear_select([ + msg226, + msg227, +]); + +var msg228 = msg("129", dup203); + +var msg229 = msg("129:01", dup204); + +var select56 = linear_select([ + msg228, + msg229, +]); + +var msg230 = msg("129-2", dup207); + +var msg231 = msg("129-6", dup207); + +var msg232 = msg("130", dup203); + +var msg233 = msg("130:01", dup204); + +var select57 = linear_select([ + msg232, + msg233, +]); + +var msg234 = msg("131", dup203); + +var msg235 = msg("131:01", dup204); + +var select58 = linear_select([ + msg234, + msg235, +]); + +var msg236 = msg("131-3", dup207); + +var msg237 = msg("132", dup203); + +var msg238 = msg("132:01", dup204); + +var select59 = linear_select([ + msg237, + msg238, +]); + +var msg239 = msg("133", dup203); + +var msg240 = msg("133:01", dup204); + +var select60 = linear_select([ + msg239, + msg240, +]); + +var msg241 = msg("134", dup203); + +var msg242 = msg("134:01", dup204); + +var select61 = linear_select([ + msg241, + msg242, +]); + +var msg243 = msg("135", dup203); + +var msg244 = msg("135:01", dup204); + +var select62 = linear_select([ + msg243, + msg244, +]); + +var msg245 = msg("136", dup203); + +var msg246 = msg("136:01", dup204); + +var select63 = linear_select([ + msg245, + msg246, +]); + +var msg247 = msg("137", dup203); + +var msg248 = msg("137:01", dup204); + +var select64 = linear_select([ + msg247, + msg248, +]); + +var msg249 = msg("138", dup203); + +var msg250 = msg("138:01", dup204); + +var select65 = linear_select([ + msg249, + msg250, +]); + +var msg251 = msg("140", dup203); + +var msg252 = msg("140:01", dup204); + +var select66 = linear_select([ + msg251, + msg252, +]); + +var msg253 = msg("141", dup203); + +var msg254 = msg("141:01", dup204); + +var select67 = linear_select([ + msg253, + msg254, +]); + +var msg255 = msg("142", dup203); + +var msg256 = msg("142:01", dup204); + +var select68 = linear_select([ + msg255, + msg256, +]); + +var msg257 = msg("143", dup203); + +var msg258 = msg("143:01", dup204); + +var select69 = linear_select([ + msg257, + msg258, +]); + +var msg259 = msg("144", dup214); + +var all27 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup83, + dup31, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var msg260 = msg("144:01", all27); + +var select70 = linear_select([ + msg259, + msg260, +]); + +var msg261 = msg("145", dup203); + +var msg262 = msg("145:01", dup204); + +var select71 = linear_select([ + msg261, + msg262, +]); + +var msg263 = msg("146", dup203); + +var msg264 = msg("146:01", dup204); + +var select72 = linear_select([ + msg263, + msg264, +]); + +var msg265 = msg("147", dup203); + +var msg266 = msg("147:01", dup204); + +var select73 = linear_select([ + msg265, + msg266, +]); + +var msg267 = msg("148", dup203); + +var msg268 = msg("148:01", dup204); + +var select74 = linear_select([ + msg267, + msg268, +]); + +var msg269 = msg("149", dup203); + +var msg270 = msg("149:01", dup204); + +var select75 = linear_select([ + msg269, + msg270, +]); + +var msg271 = msg("150", dup203); + +var msg272 = msg("150:01", dup204); + +var select76 = linear_select([ + msg271, + msg272, +]); + +var msg273 = msg("151", dup203); + +var msg274 = msg("151:01", dup204); + +var select77 = linear_select([ + msg273, + msg274, +]); + +var msg275 = msg("152", dup203); + +var msg276 = msg("152:01", dup204); + +var select78 = linear_select([ + msg275, + msg276, +]); + +var msg277 = msg("153", dup203); + +var msg278 = msg("153:01", dup204); + +var select79 = linear_select([ + msg277, + msg278, +]); + +var msg279 = msg("154", dup203); + +var msg280 = msg("154:01", dup204); + +var select80 = linear_select([ + msg279, + msg280, +]); + +var msg281 = msg("155", dup203); + +var msg282 = msg("155:01", dup204); + +var select81 = linear_select([ + msg281, + msg282, +]); + +var msg283 = msg("156", dup203); + +var msg284 = msg("156:01", dup204); + +var select82 = linear_select([ + msg283, + msg284, +]); + +var msg285 = msg("157", dup203); + +var msg286 = msg("157:01", dup204); + +var select83 = linear_select([ + msg285, + msg286, +]); + +var msg287 = msg("158", dup203); + +var msg288 = msg("158:01", dup204); + +var select84 = linear_select([ + msg287, + msg288, +]); + +var msg289 = msg("159", dup203); + +var msg290 = msg("159:01", dup204); + +var select85 = linear_select([ + msg289, + msg290, +]); + +var msg291 = msg("160", dup203); + +var msg292 = msg("160:01", dup204); + +var select86 = linear_select([ + msg291, + msg292, +]); + +var msg293 = msg("161", dup203); + +var msg294 = msg("161:01", dup204); + +var select87 = linear_select([ + msg293, + msg294, +]); + +var msg295 = msg("162", dup203); + +var msg296 = msg("162:01", dup204); + +var select88 = linear_select([ + msg295, + msg296, +]); + +var msg297 = msg("163", dup203); + +var msg298 = msg("163:01", dup204); + +var select89 = linear_select([ + msg297, + msg298, +]); + +var msg299 = msg("164", dup203); + +var msg300 = msg("164:01", dup204); + +var select90 = linear_select([ + msg299, + msg300, +]); + +var msg301 = msg("165", dup203); + +var msg302 = msg("165:01", dup204); + +var select91 = linear_select([ + msg301, + msg302, +]); + +var msg303 = msg("166", dup203); + +var msg304 = msg("166:01", dup204); + +var select92 = linear_select([ + msg303, + msg304, +]); + +var msg305 = msg("167", dup203); + +var msg306 = msg("167:01", dup204); + +var select93 = linear_select([ + msg305, + msg306, +]); + +var msg307 = msg("168", dup203); + +var msg308 = msg("168:01", dup204); + +var select94 = linear_select([ + msg307, + msg308, +]); + +var msg309 = msg("169", dup203); + +var msg310 = msg("169:01", dup204); + +var select95 = linear_select([ + msg309, + msg310, +]); + +var msg311 = msg("170", dup203); + +var msg312 = msg("170:01", dup204); + +var select96 = linear_select([ + msg311, + msg312, +]); + +var msg313 = msg("171", dup203); + +var msg314 = msg("171:01", dup204); + +var select97 = linear_select([ + msg313, + msg314, +]); + +var msg315 = msg("172", dup203); + +var msg316 = msg("172:01", dup204); + +var select98 = linear_select([ + msg315, + msg316, +]); + +var msg317 = msg("173", dup203); + +var msg318 = msg("173:01", dup204); + +var select99 = linear_select([ + msg317, + msg318, +]); + +var msg319 = msg("174", dup203); + +var msg320 = msg("174:01", dup204); + +var select100 = linear_select([ + msg319, + msg320, +]); + +var msg321 = msg("175", dup203); + +var msg322 = msg("175:01", dup204); + +var select101 = linear_select([ + msg321, + msg322, +]); + +var msg323 = msg("176", dup203); + +var msg324 = msg("176:01", dup204); + +var select102 = linear_select([ + msg323, + msg324, +]); + +var msg325 = msg("177", dup203); + +var msg326 = msg("177:01", dup204); + +var select103 = linear_select([ + msg325, + msg326, +]); + +var msg327 = msg("179", dup203); + +var msg328 = msg("179:01", dup204); + +var select104 = linear_select([ + msg327, + msg328, +]); + +var msg329 = msg("180", dup203); + +var msg330 = msg("180:01", dup204); + +var select105 = linear_select([ + msg329, + msg330, +]); + +var all28 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup45, + dup72, + dup73, + dup74, + dup84, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg331 = msg("181", all28); + +var all29 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup72, + dup73, + dup74, + dup84, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var msg332 = msg("181:01", all29); + +var select106 = linear_select([ + msg331, + msg332, +]); + +var msg333 = msg("182", dup203); + +var msg334 = msg("182:01", dup204); + +var select107 = linear_select([ + msg333, + msg334, +]); + +var msg335 = msg("183", dup203); + +var msg336 = msg("183:01", dup204); + +var select108 = linear_select([ + msg335, + msg336, +]); + +var msg337 = msg("184", dup203); + +var msg338 = msg("184:01", dup204); + +var select109 = linear_select([ + msg337, + msg338, +]); + +var msg339 = msg("185", dup203); + +var msg340 = msg("185:01", dup204); + +var select110 = linear_select([ + msg339, + msg340, +]); + +var msg341 = msg("186", dup203); + +var msg342 = msg("186:01", dup204); + +var select111 = linear_select([ + msg341, + msg342, +]); + +var msg343 = msg("187", dup203); + +var msg344 = msg("187:01", dup204); + +var select112 = linear_select([ + msg343, + msg344, +]); + +var msg345 = msg("188", dup203); + +var msg346 = msg("188:01", dup204); + +var select113 = linear_select([ + msg345, + msg346, +]); + +var msg347 = msg("189", dup203); + +var msg348 = msg("189:01", dup204); + +var select114 = linear_select([ + msg347, + msg348, +]); + +var msg349 = msg("190", dup203); + +var msg350 = msg("190:01", dup204); + +var select115 = linear_select([ + msg349, + msg350, +]); + +var msg351 = msg("191", dup203); + +var msg352 = msg("191:01", dup204); + +var select116 = linear_select([ + msg351, + msg352, +]); + +var msg353 = msg("192", dup203); + +var msg354 = msg("192:01", dup204); + +var select117 = linear_select([ + msg353, + msg354, +]); + +var msg355 = msg("193", dup203); + +var msg356 = msg("193:01", dup204); + +var select118 = linear_select([ + msg355, + msg356, +]); + +var msg357 = msg("194", dup203); + +var msg358 = msg("194:01", dup204); + +var select119 = linear_select([ + msg357, + msg358, +]); + +var msg359 = msg("195", dup203); + +var msg360 = msg("195:01", dup204); + +var select120 = linear_select([ + msg359, + msg360, +]); + +var msg361 = msg("196", dup203); + +var msg362 = msg("196:01", dup204); + +var select121 = linear_select([ + msg361, + msg362, +]); + +var msg363 = msg("197", dup203); + +var msg364 = msg("197:01", dup204); + +var select122 = linear_select([ + msg363, + msg364, +]); + +var msg365 = msg("198", dup203); + +var msg366 = msg("198:01", dup204); + +var select123 = linear_select([ + msg365, + msg366, +]); + +var msg367 = msg("199", dup203); + +var msg368 = msg("199:01", dup204); + +var select124 = linear_select([ + msg367, + msg368, +]); + +var msg369 = msg("200", dup203); + +var msg370 = msg("200:01", dup204); + +var select125 = linear_select([ + msg369, + msg370, +]); + +var msg371 = msg("201", dup203); + +var msg372 = msg("201:01", dup204); + +var select126 = linear_select([ + msg371, + msg372, +]); + +var msg373 = msg("202", dup203); + +var msg374 = msg("202:01", dup204); + +var select127 = linear_select([ + msg373, + msg374, +]); + +var msg375 = msg("203", dup203); + +var msg376 = msg("203:01", dup204); + +var select128 = linear_select([ + msg375, + msg376, +]); + +var msg377 = msg("204", dup203); + +var msg378 = msg("204:01", dup204); + +var select129 = linear_select([ + msg377, + msg378, +]); + +var msg379 = msg("205", dup203); + +var msg380 = msg("205:01", dup204); + +var select130 = linear_select([ + msg379, + msg380, +]); + +var msg381 = msg("206", dup203); + +var msg382 = msg("206:01", dup204); + +var select131 = linear_select([ + msg381, + msg382, +]); + +var msg383 = msg("207", dup203); + +var msg384 = msg("207:01", dup204); + +var select132 = linear_select([ + msg383, + msg384, +]); + +var msg385 = msg("208", dup203); + +var msg386 = msg("208:01", dup204); + +var select133 = linear_select([ + msg385, + msg386, +]); + +var msg387 = msg("209", dup203); + +var msg388 = msg("209:01", dup204); + +var select134 = linear_select([ + msg387, + msg388, +]); + +var msg389 = msg("210", dup203); + +var msg390 = msg("210:01", dup204); + +var select135 = linear_select([ + msg389, + msg390, +]); + +var msg391 = msg("211", dup203); + +var msg392 = msg("211:01", dup204); + +var select136 = linear_select([ + msg391, + msg392, +]); + +var msg393 = msg("212", dup203); + +var msg394 = msg("212:01", dup204); + +var select137 = linear_select([ + msg393, + msg394, +]); + +var msg395 = msg("213", dup203); + +var msg396 = msg("213:01", dup204); + +var select138 = linear_select([ + msg395, + msg396, +]); + +var msg397 = msg("214", dup203); + +var msg398 = msg("214:01", dup204); + +var select139 = linear_select([ + msg397, + msg398, +]); + +var msg399 = msg("215", dup203); + +var msg400 = msg("215:01", dup204); + +var select140 = linear_select([ + msg399, + msg400, +]); + +var msg401 = msg("216", dup203); + +var msg402 = msg("216:01", dup204); + +var select141 = linear_select([ + msg401, + msg402, +]); + +var msg403 = msg("217", dup203); + +var msg404 = msg("217:01", dup204); + +var select142 = linear_select([ + msg403, + msg404, +]); + +var msg405 = msg("218", dup203); + +var msg406 = msg("218:01", dup204); + +var select143 = linear_select([ + msg405, + msg406, +]); + +var msg407 = msg("219", dup203); + +var msg408 = msg("219:01", dup204); + +var select144 = linear_select([ + msg407, + msg408, +]); + +var msg409 = msg("220", dup203); + +var msg410 = msg("220:01", dup204); + +var select145 = linear_select([ + msg409, + msg410, +]); + +var msg411 = msg("221", dup215); + +var msg412 = msg("221:01", dup216); + +var select146 = linear_select([ + msg411, + msg412, +]); + +var msg413 = msg("222", dup215); + +var msg414 = msg("222:01", dup216); + +var select147 = linear_select([ + msg413, + msg414, +]); + +var msg415 = msg("223", dup215); + +var msg416 = msg("223:01", dup216); + +var select148 = linear_select([ + msg415, + msg416, +]); + +var msg417 = msg("224", dup215); + +var msg418 = msg("224:01", dup216); + +var select149 = linear_select([ + msg417, + msg418, +]); + +var msg419 = msg("225", dup215); + +var msg420 = msg("225:01", dup216); + +var select150 = linear_select([ + msg419, + msg420, +]); + +var msg421 = msg("226", dup215); + +var msg422 = msg("226:01", dup216); + +var select151 = linear_select([ + msg421, + msg422, +]); + +var msg423 = msg("227", dup215); + +var msg424 = msg("227:01", dup216); + +var select152 = linear_select([ + msg423, + msg424, +]); + +var msg425 = msg("228", dup215); + +var msg426 = msg("228:01", dup216); + +var select153 = linear_select([ + msg425, + msg426, +]); + +var msg427 = msg("229", dup215); + +var msg428 = msg("229:01", dup216); + +var select154 = linear_select([ + msg427, + msg428, +]); + +var msg429 = msg("230", dup215); + +var msg430 = msg("230:01", dup216); + +var select155 = linear_select([ + msg429, + msg430, +]); + +var msg431 = msg("231", dup215); + +var msg432 = msg("231:01", dup216); + +var select156 = linear_select([ + msg431, + msg432, +]); + +var msg433 = msg("232", dup215); + +var msg434 = msg("232:01", dup216); + +var select157 = linear_select([ + msg433, + msg434, +]); + +var msg435 = msg("233", dup215); + +var msg436 = msg("233:01", dup216); + +var select158 = linear_select([ + msg435, + msg436, +]); + +var msg437 = msg("234", dup215); + +var msg438 = msg("234:01", dup216); + +var select159 = linear_select([ + msg437, + msg438, +]); + +var msg439 = msg("235", dup215); + +var msg440 = msg("235:01", dup216); + +var select160 = linear_select([ + msg439, + msg440, +]); + +var msg441 = msg("236", dup215); + +var msg442 = msg("236:01", dup216); + +var select161 = linear_select([ + msg441, + msg442, +]); + +var msg443 = msg("237", dup215); + +var msg444 = msg("237:01", dup216); + +var select162 = linear_select([ + msg443, + msg444, +]); + +var msg445 = msg("238", dup215); + +var msg446 = msg("238:01", dup216); + +var select163 = linear_select([ + msg445, + msg446, +]); + +var msg447 = msg("239", dup215); + +var msg448 = msg("239:01", dup216); + +var select164 = linear_select([ + msg447, + msg448, +]); + +var msg449 = msg("240", dup215); + +var msg450 = msg("240:01", dup216); + +var select165 = linear_select([ + msg449, + msg450, +]); + +var msg451 = msg("241", dup215); + +var msg452 = msg("241:01", dup216); + +var select166 = linear_select([ + msg451, + msg452, +]); + +var msg453 = msg("243", dup215); + +var msg454 = msg("243:01", dup216); + +var select167 = linear_select([ + msg453, + msg454, +]); + +var msg455 = msg("244", dup215); + +var msg456 = msg("244:01", dup216); + +var select168 = linear_select([ + msg455, + msg456, +]); + +var msg457 = msg("245", dup215); + +var msg458 = msg("245:01", dup216); + +var select169 = linear_select([ + msg457, + msg458, +]); + +var msg459 = msg("246", dup215); + +var msg460 = msg("246:01", dup216); + +var select170 = linear_select([ + msg459, + msg460, +]); + +var msg461 = msg("247", dup215); + +var msg462 = msg("247:01", dup216); + +var select171 = linear_select([ + msg461, + msg462, +]); + +var msg463 = msg("248", dup215); + +var msg464 = msg("248:01", dup216); + +var select172 = linear_select([ + msg463, + msg464, +]); + +var msg465 = msg("249", dup215); + +var msg466 = msg("249:01", dup216); + +var select173 = linear_select([ + msg465, + msg466, +]); + +var msg467 = msg("250", dup215); + +var msg468 = msg("250:01", dup216); + +var select174 = linear_select([ + msg467, + msg468, +]); + +var msg469 = msg("251", dup215); + +var msg470 = msg("251:01", dup216); + +var select175 = linear_select([ + msg469, + msg470, +]); + +var msg471 = msg("252", dup196); + +var msg472 = msg("252:01", dup217); + +var select176 = linear_select([ + msg471, + msg472, +]); + +var msg473 = msg("253", dup196); + +var msg474 = msg("253:01", dup217); + +var select177 = linear_select([ + msg473, + msg474, +]); + +var msg475 = msg("254", dup196); + +var msg476 = msg("254:01", dup217); + +var select178 = linear_select([ + msg475, + msg476, +]); + +var msg477 = msg("255", dup196); + +var msg478 = msg("255:01", dup217); + +var select179 = linear_select([ + msg477, + msg478, +]); + +var msg479 = msg("256", dup196); + +var msg480 = msg("256:01", dup217); + +var select180 = linear_select([ + msg479, + msg480, +]); + +var msg481 = msg("257", dup196); + +var msg482 = msg("257:01", dup217); + +var select181 = linear_select([ + msg481, + msg482, +]); + +var msg483 = msg("258", dup218); + +var msg484 = msg("258:01", dup219); + +var select182 = linear_select([ + msg483, + msg484, +]); + +var msg485 = msg("259", dup218); + +var msg486 = msg("259:01", dup219); + +var select183 = linear_select([ + msg485, + msg486, +]); + +var msg487 = msg("260", dup218); + +var msg488 = msg("260:01", dup219); + +var select184 = linear_select([ + msg487, + msg488, +]); + +var msg489 = msg("261", dup218); + +var msg490 = msg("261:01", dup219); + +var select185 = linear_select([ + msg489, + msg490, +]); + +var msg491 = msg("262", dup218); + +var msg492 = msg("262:01", dup219); + +var select186 = linear_select([ + msg491, + msg492, +]); + +var msg493 = msg("264", dup218); + +var msg494 = msg("264:01", dup219); + +var select187 = linear_select([ + msg493, + msg494, +]); + +var msg495 = msg("265", dup218); + +var msg496 = msg("265:01", dup219); + +var select188 = linear_select([ + msg495, + msg496, +]); + +var msg497 = msg("266", dup218); + +var msg498 = msg("266:01", dup219); + +var select189 = linear_select([ + msg497, + msg498, +]); + +var msg499 = msg("267", dup218); + +var msg500 = msg("267:01", dup219); + +var select190 = linear_select([ + msg499, + msg500, +]); + +var msg501 = msg("268", dup198); + +var msg502 = msg("268:01", dup220); + +var select191 = linear_select([ + msg501, + msg502, +]); + +var msg503 = msg("269", dup198); + +var msg504 = msg("269:01", dup220); + +var select192 = linear_select([ + msg503, + msg504, +]); + +var msg505 = msg("270", dup198); + +var msg506 = msg("270:01", dup220); + +var select193 = linear_select([ + msg505, + msg506, +]); + +var msg507 = msg("271", dup198); + +var msg508 = msg("271:01", dup220); + +var select194 = linear_select([ + msg507, + msg508, +]); + +var msg509 = msg("272", dup198); + +var msg510 = msg("272:01", dup220); + +var select195 = linear_select([ + msg509, + msg510, +]); + +var msg511 = msg("273", dup198); + +var msg512 = msg("273:01", dup220); + +var select196 = linear_select([ + msg511, + msg512, +]); + +var msg513 = msg("274", dup198); + +var msg514 = msg("274:01", dup220); + +var select197 = linear_select([ + msg513, + msg514, +]); + +var msg515 = msg("275", dup198); + +var msg516 = msg("275:01", dup220); + +var select198 = linear_select([ + msg515, + msg516, +]); + +var msg517 = msg("276", dup198); + +var msg518 = msg("276:01", dup220); + +var select199 = linear_select([ + msg517, + msg518, +]); + +var msg519 = msg("277", dup198); + +var msg520 = msg("277:01", dup220); + +var select200 = linear_select([ + msg519, + msg520, +]); + +var msg521 = msg("278", dup198); + +var msg522 = msg("278:01", dup220); + +var select201 = linear_select([ + msg521, + msg522, +]); + +var msg523 = msg("279", dup198); + +var msg524 = msg("279:01", dup220); + +var select202 = linear_select([ + msg523, + msg524, +]); + +var msg525 = msg("280", dup198); + +var msg526 = msg("280:01", dup220); + +var select203 = linear_select([ + msg525, + msg526, +]); + +var msg527 = msg("281", dup198); + +var msg528 = msg("281:01", dup220); + +var select204 = linear_select([ + msg527, + msg528, +]); + +var msg529 = msg("282", dup198); + +var msg530 = msg("282:01", dup220); + +var select205 = linear_select([ + msg529, + msg530, +]); + +var msg531 = msg("283", dup197); + +var msg532 = msg("283:01", dup221); + +var select206 = linear_select([ + msg531, + msg532, +]); + +var msg533 = msg("284", dup197); + +var msg534 = msg("284:01", dup221); + +var select207 = linear_select([ + msg533, + msg534, +]); + +var msg535 = msg("285", dup197); + +var msg536 = msg("285:01", dup221); + +var select208 = linear_select([ + msg535, + msg536, +]); + +var msg537 = msg("286", dup197); + +var msg538 = msg("286:01", dup221); + +var select209 = linear_select([ + msg537, + msg538, +]); + +var msg539 = msg("287", dup197); + +var msg540 = msg("287:01", dup221); + +var select210 = linear_select([ + msg539, + msg540, +]); + +var msg541 = msg("288", dup197); + +var msg542 = msg("288:01", dup221); + +var select211 = linear_select([ + msg541, + msg542, +]); + +var msg543 = msg("289", dup197); + +var msg544 = msg("289:01", dup221); + +var select212 = linear_select([ + msg543, + msg544, +]); + +var msg545 = msg("290", dup197); + +var msg546 = msg("290:01", dup221); + +var select213 = linear_select([ + msg545, + msg546, +]); + +var msg547 = msg("291", dup197); + +var msg548 = msg("291:01", dup221); + +var select214 = linear_select([ + msg547, + msg548, +]); + +var msg549 = msg("292", dup197); + +var msg550 = msg("292:01", dup221); + +var select215 = linear_select([ + msg549, + msg550, +]); + +var msg551 = msg("293", dup197); + +var msg552 = msg("293:01", dup221); + +var select216 = linear_select([ + msg551, + msg552, +]); + +var msg553 = msg("295", dup197); + +var msg554 = msg("295:01", dup221); + +var select217 = linear_select([ + msg553, + msg554, +]); + +var msg555 = msg("296", dup197); + +var msg556 = msg("296:01", dup221); + +var select218 = linear_select([ + msg555, + msg556, +]); + +var msg557 = msg("297", dup197); + +var msg558 = msg("297:01", dup221); + +var select219 = linear_select([ + msg557, + msg558, +]); + +var msg559 = msg("298", dup197); + +var msg560 = msg("298:01", dup221); + +var select220 = linear_select([ + msg559, + msg560, +]); + +var msg561 = msg("299", dup197); + +var msg562 = msg("299:01", dup221); + +var select221 = linear_select([ + msg561, + msg562, +]); + +var msg563 = msg("300", dup197); + +var msg564 = msg("300:01", dup221); + +var select222 = linear_select([ + msg563, + msg564, +]); + +var msg565 = msg("301", dup197); + +var msg566 = msg("301:01", dup221); + +var select223 = linear_select([ + msg565, + msg566, +]); + +var msg567 = msg("302", dup197); + +var msg568 = msg("302:01", dup221); + +var select224 = linear_select([ + msg567, + msg568, +]); + +var msg569 = msg("303", dup218); + +var msg570 = msg("303:01", dup219); + +var select225 = linear_select([ + msg569, + msg570, +]); + +var msg571 = msg("304", dup197); + +var msg572 = msg("304:01", dup221); + +var select226 = linear_select([ + msg571, + msg572, +]); + +var msg573 = msg("305", dup197); + +var msg574 = msg("305:01", dup221); + +var select227 = linear_select([ + msg573, + msg574, +]); + +var msg575 = msg("306", dup196); + +var msg576 = msg("306:01", dup217); + +var select228 = linear_select([ + msg575, + msg576, +]); + +var msg577 = msg("307", dup197); + +var msg578 = msg("307:01", dup221); + +var select229 = linear_select([ + msg577, + msg578, +]); + +var msg579 = msg("308", dup197); + +var msg580 = msg("308:01", dup221); + +var select230 = linear_select([ + msg579, + msg580, +]); + +var msg581 = msg("309", dup197); + +var msg582 = msg("309:01", dup221); + +var select231 = linear_select([ + msg581, + msg582, +]); + +var msg583 = msg("310", dup197); + +var msg584 = msg("310:01", dup221); + +var select232 = linear_select([ + msg583, + msg584, +]); + +var msg585 = msg("311", dup197); + +var msg586 = msg("311:01", dup221); + +var select233 = linear_select([ + msg585, + msg586, +]); + +var msg587 = msg("312", dup222); + +var msg588 = msg("312:01", dup223); + +var select234 = linear_select([ + msg587, + msg588, +]); + +var msg589 = msg("313", dup197); + +var msg590 = msg("313:01", dup221); + +var select235 = linear_select([ + msg589, + msg590, +]); + +var msg591 = msg("314", dup218); + +var msg592 = msg("314:01", dup219); + +var select236 = linear_select([ + msg591, + msg592, +]); + +var msg593 = msg("315", dup197); + +var msg594 = msg("315:01", dup221); + +var select237 = linear_select([ + msg593, + msg594, +]); + +var msg595 = msg("316", dup197); + +var msg596 = msg("316:01", dup221); + +var select238 = linear_select([ + msg595, + msg596, +]); + +var msg597 = msg("317", dup197); + +var msg598 = msg("317:01", dup221); + +var select239 = linear_select([ + msg597, + msg598, +]); + +var msg599 = msg("318", dup196); + +var msg600 = msg("318:01", dup217); + +var select240 = linear_select([ + msg599, + msg600, +]); + +var msg601 = msg("319", dup197); + +var msg602 = msg("319:01", dup221); + +var select241 = linear_select([ + msg601, + msg602, +]); + +var msg603 = msg("320", dup205); + +var msg604 = msg("320:01", dup206); + +var select242 = linear_select([ + msg603, + msg604, +]); + +var msg605 = msg("321", dup224); + +var all30 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup87, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var msg606 = msg("321:01", all30); + +var select243 = linear_select([ + msg605, + msg606, +]); + +var msg607 = msg("322", dup225); + +var msg608 = msg("322:01", dup226); + +var select244 = linear_select([ + msg607, + msg608, +]); + +var msg609 = msg("323", dup225); + +var msg610 = msg("323:01", dup226); + +var select245 = linear_select([ + msg609, + msg610, +]); + +var msg611 = msg("324", dup225); + +var msg612 = msg("324:01", dup226); + +var select246 = linear_select([ + msg611, + msg612, +]); + +var msg613 = msg("325", dup225); + +var msg614 = msg("325:01", dup226); + +var select247 = linear_select([ + msg613, + msg614, +]); + +var msg615 = msg("326", dup225); + +var msg616 = msg("326:01", dup226); + +var select248 = linear_select([ + msg615, + msg616, +]); + +var msg617 = msg("327", dup225); + +var msg618 = msg("327:01", dup226); + +var select249 = linear_select([ + msg617, + msg618, +]); + +var msg619 = msg("328", dup225); + +var msg620 = msg("328:01", dup226); + +var select250 = linear_select([ + msg619, + msg620, +]); + +var msg621 = msg("329", dup225); + +var msg622 = msg("329:01", dup226); + +var select251 = linear_select([ + msg621, + msg622, +]); + +var msg623 = msg("330", dup225); + +var msg624 = msg("330:01", dup226); + +var select252 = linear_select([ + msg623, + msg624, +]); + +var msg625 = msg("331", dup225); + +var msg626 = msg("331:01", dup226); + +var select253 = linear_select([ + msg625, + msg626, +]); + +var msg627 = msg("332", dup225); + +var msg628 = msg("332:01", dup226); + +var select254 = linear_select([ + msg627, + msg628, +]); + +var msg629 = msg("333", dup225); + +var msg630 = msg("333:01", dup226); + +var select255 = linear_select([ + msg629, + msg630, +]); + +var msg631 = msg("334", dup227); + +var msg632 = msg("334:01", dup228); + +var select256 = linear_select([ + msg631, + msg632, +]); + +var msg633 = msg("335", dup227); + +var msg634 = msg("335:01", dup228); + +var select257 = linear_select([ + msg633, + msg634, +]); + +var msg635 = msg("336", dup227); + +var msg636 = msg("336:01", dup228); + +var select258 = linear_select([ + msg635, + msg636, +]); + +var msg637 = msg("337", dup222); + +var msg638 = msg("337:01", dup223); + +var select259 = linear_select([ + msg637, + msg638, +]); + +var msg639 = msg("338", dup227); + +var msg640 = msg("338:01", dup228); + +var select260 = linear_select([ + msg639, + msg640, +]); + +var msg641 = msg("339", dup227); + +var msg642 = msg("339:01", dup228); + +var select261 = linear_select([ + msg641, + msg642, +]); + +var msg643 = msg("340", dup197); + +var msg644 = msg("340:01", dup221); + +var select262 = linear_select([ + msg643, + msg644, +]); + +var msg645 = msg("341", dup197); + +var msg646 = msg("341:01", dup221); + +var select263 = linear_select([ + msg645, + msg646, +]); + +var msg647 = msg("342", dup197); + +var msg648 = msg("342:01", dup221); + +var select264 = linear_select([ + msg647, + msg648, +]); + +var msg649 = msg("343", dup197); + +var msg650 = msg("343:01", dup221); + +var select265 = linear_select([ + msg649, + msg650, +]); + +var msg651 = msg("344", dup197); + +var msg652 = msg("344:01", dup221); + +var select266 = linear_select([ + msg651, + msg652, +]); + +var msg653 = msg("345", dup197); + +var msg654 = msg("345:01", dup221); + +var select267 = linear_select([ + msg653, + msg654, +]); + +var msg655 = msg("346", dup227); + +var msg656 = msg("346:01", dup228); + +var select268 = linear_select([ + msg655, + msg656, +]); + +var msg657 = msg("347", dup227); + +var msg658 = msg("347:01", dup228); + +var select269 = linear_select([ + msg657, + msg658, +]); + +var msg659 = msg("348", dup227); + +var msg660 = msg("348:01", dup228); + +var select270 = linear_select([ + msg659, + msg660, +]); + +var msg661 = msg("349", dup197); + +var msg662 = msg("349:01", dup221); + +var select271 = linear_select([ + msg661, + msg662, +]); + +var msg663 = msg("350", dup197); + +var msg664 = msg("350:01", dup221); + +var select272 = linear_select([ + msg663, + msg664, +]); + +var msg665 = msg("351", dup197); + +var msg666 = msg("351:01", dup221); + +var select273 = linear_select([ + msg665, + msg666, +]); + +var msg667 = msg("352", dup197); + +var msg668 = msg("352:01", dup221); + +var select274 = linear_select([ + msg667, + msg668, +]); + +var msg669 = msg("353", dup194); + +var msg670 = msg("353:01", dup229); + +var select275 = linear_select([ + msg669, + msg670, +]); + +var msg671 = msg("354", dup194); + +var msg672 = msg("354:01", dup229); + +var select276 = linear_select([ + msg671, + msg672, +]); + +var msg673 = msg("355", dup227); + +var msg674 = msg("355:01", dup228); + +var select277 = linear_select([ + msg673, + msg674, +]); + +var msg675 = msg("356", dup227); + +var msg676 = msg("356:01", dup228); + +var select278 = linear_select([ + msg675, + msg676, +]); + +var msg677 = msg("357", dup194); + +var msg678 = msg("357:01", dup229); + +var select279 = linear_select([ + msg677, + msg678, +]); + +var msg679 = msg("358", dup194); + +var msg680 = msg("358:01", dup229); + +var select280 = linear_select([ + msg679, + msg680, +]); + +var all31 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup82, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg681 = msg("359", all31); + +var all32 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup82, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var msg682 = msg("359:01", all32); + +var select281 = linear_select([ + msg681, + msg682, +]); + +var msg683 = msg("360", dup227); + +var msg684 = msg("360:01", dup228); + +var select282 = linear_select([ + msg683, + msg684, +]); + +var msg685 = msg("361", dup227); + +var msg686 = msg("361:01", dup228); + +var select283 = linear_select([ + msg685, + msg686, +]); + +var msg687 = msg("362", dup227); + +var msg688 = msg("362:01", dup228); + +var select284 = linear_select([ + msg687, + msg688, +]); + +var msg689 = msg("363", dup230); + +var msg690 = msg("363:01", dup231); + +var select285 = linear_select([ + msg689, + msg690, +]); + +var msg691 = msg("364", dup230); + +var msg692 = msg("364:01", dup231); + +var select286 = linear_select([ + msg691, + msg692, +]); + +var msg693 = msg("365", dup232); + +var msg694 = msg("365:01", dup231); + +var select287 = linear_select([ + msg693, + msg694, +]); + +var msg695 = msg("366", dup232); + +var msg696 = msg("366:01", dup231); + +var select288 = linear_select([ + msg695, + msg696, +]); + +var msg697 = msg("368", dup232); + +var msg698 = msg("368:01", dup231); + +var select289 = linear_select([ + msg697, + msg698, +]); + +var msg699 = msg("369", dup232); + +var msg700 = msg("369:01", dup231); + +var select290 = linear_select([ + msg699, + msg700, +]); + +var msg701 = msg("370", dup232); + +var msg702 = msg("370:01", dup231); + +var select291 = linear_select([ + msg701, + msg702, +]); + +var msg703 = msg("371", dup232); + +var msg704 = msg("371:01", dup231); + +var select292 = linear_select([ + msg703, + msg704, +]); + +var msg705 = msg("372", dup232); + +var msg706 = msg("372:01", dup231); + +var select293 = linear_select([ + msg705, + msg706, +]); + +var msg707 = msg("373", dup232); + +var msg708 = msg("373:01", dup231); + +var select294 = linear_select([ + msg707, + msg708, +]); + +var msg709 = msg("374", dup232); + +var msg710 = msg("374:01", dup231); + +var select295 = linear_select([ + msg709, + msg710, +]); + +var msg711 = msg("375", dup232); + +var msg712 = msg("375:01", dup231); + +var select296 = linear_select([ + msg711, + msg712, +]); + +var msg713 = msg("376", dup232); + +var msg714 = msg("376:01", dup233); + +var select297 = linear_select([ + msg713, + msg714, +]); + +var msg715 = msg("377", dup232); + +var msg716 = msg("377:01", dup231); + +var select298 = linear_select([ + msg715, + msg716, +]); + +var msg717 = msg("378", dup232); + +var msg718 = msg("378:01", dup231); + +var select299 = linear_select([ + msg717, + msg718, +]); + +var msg719 = msg("379", dup232); + +var msg720 = msg("379:01", dup231); + +var select300 = linear_select([ + msg719, + msg720, +]); + +var msg721 = msg("380", dup232); + +var msg722 = msg("380:01", dup231); + +var select301 = linear_select([ + msg721, + msg722, +]); + +var msg723 = msg("381", dup232); + +var msg724 = msg("381:01", dup231); + +var select302 = linear_select([ + msg723, + msg724, +]); + +var msg725 = msg("382", dup232); + +var msg726 = msg("382:01", dup231); + +var select303 = linear_select([ + msg725, + msg726, +]); + +var msg727 = msg("384", dup232); + +var msg728 = msg("384:01", dup231); + +var select304 = linear_select([ + msg727, + msg728, +]); + +var msg729 = msg("385", dup232); + +var msg730 = msg("385:01", dup231); + +var select305 = linear_select([ + msg729, + msg730, +]); + +var msg731 = msg("386", dup232); + +var msg732 = msg("386:01", dup231); + +var select306 = linear_select([ + msg731, + msg732, +]); + +var msg733 = msg("387", dup232); + +var msg734 = msg("387:01", dup231); + +var select307 = linear_select([ + msg733, + msg734, +]); + +var msg735 = msg("388", dup232); + +var msg736 = msg("388:01", dup231); + +var select308 = linear_select([ + msg735, + msg736, +]); + +var msg737 = msg("389", dup232); + +var msg738 = msg("389:01", dup231); + +var select309 = linear_select([ + msg737, + msg738, +]); + +var msg739 = msg("390", dup230); + +var msg740 = msg("390:01", dup231); + +var select310 = linear_select([ + msg739, + msg740, +]); + +var msg741 = msg("391", dup232); + +var msg742 = msg("391:01", dup231); + +var select311 = linear_select([ + msg741, + msg742, +]); + +var msg743 = msg("392", dup232); + +var msg744 = msg("392:01", dup231); + +var select312 = linear_select([ + msg743, + msg744, +]); + +var msg745 = msg("393", dup232); + +var msg746 = msg("393:01", dup231); + +var select313 = linear_select([ + msg745, + msg746, +]); + +var msg747 = msg("394", dup232); + +var msg748 = msg("394:01", dup231); + +var select314 = linear_select([ + msg747, + msg748, +]); + +var msg749 = msg("395", dup232); + +var msg750 = msg("395:01", dup231); + +var select315 = linear_select([ + msg749, + msg750, +]); + +var msg751 = msg("396", dup232); + +var msg752 = msg("396:01", dup231); + +var select316 = linear_select([ + msg751, + msg752, +]); + +var msg753 = msg("397", dup232); + +var msg754 = msg("397:01", dup231); + +var select317 = linear_select([ + msg753, + msg754, +]); + +var msg755 = msg("398", dup232); + +var msg756 = msg("398:01", dup231); + +var select318 = linear_select([ + msg755, + msg756, +]); + +var msg757 = msg("399", dup232); + +var msg758 = msg("399:01", dup231); + +var select319 = linear_select([ + msg757, + msg758, +]); + +var msg759 = msg("400", dup232); + +var msg760 = msg("400:01", dup231); + +var select320 = linear_select([ + msg759, + msg760, +]); + +var msg761 = msg("401", dup232); + +var msg762 = msg("401:01", dup231); + +var select321 = linear_select([ + msg761, + msg762, +]); + +var msg763 = msg("402", dup232); + +var msg764 = msg("402:01", dup231); + +var select322 = linear_select([ + msg763, + msg764, +]); + +var msg765 = msg("403", dup232); + +var msg766 = msg("403:01", dup231); + +var select323 = linear_select([ + msg765, + msg766, +]); + +var msg767 = msg("404", dup232); + +var msg768 = msg("404:01", dup231); + +var select324 = linear_select([ + msg767, + msg768, +]); + +var msg769 = msg("405", dup232); + +var msg770 = msg("405:01", dup231); + +var select325 = linear_select([ + msg769, + msg770, +]); + +var msg771 = msg("406", dup232); + +var msg772 = msg("406:01", dup231); + +var select326 = linear_select([ + msg771, + msg772, +]); + +var msg773 = msg("407", dup232); + +var msg774 = msg("407:01", dup231); + +var select327 = linear_select([ + msg773, + msg774, +]); + +var msg775 = msg("408", dup232); + +var msg776 = msg("408:01", dup231); + +var select328 = linear_select([ + msg775, + msg776, +]); + +var msg777 = msg("409", dup232); + +var msg778 = msg("409:01", dup231); + +var select329 = linear_select([ + msg777, + msg778, +]); + +var msg779 = msg("410", dup232); + +var msg780 = msg("410:01", dup231); + +var select330 = linear_select([ + msg779, + msg780, +]); + +var msg781 = msg("411", dup232); + +var msg782 = msg("411:01", dup231); + +var select331 = linear_select([ + msg781, + msg782, +]); + +var msg783 = msg("412", dup232); + +var msg784 = msg("412:01", dup231); + +var select332 = linear_select([ + msg783, + msg784, +]); + +var msg785 = msg("413", dup232); + +var msg786 = msg("413:01", dup231); + +var select333 = linear_select([ + msg785, + msg786, +]); + +var msg787 = msg("414", dup232); + +var msg788 = msg("414:01", dup231); + +var select334 = linear_select([ + msg787, + msg788, +]); + +var msg789 = msg("415", dup232); + +var msg790 = msg("415:01", dup231); + +var select335 = linear_select([ + msg789, + msg790, +]); + +var msg791 = msg("416", dup232); + +var msg792 = msg("416:01", dup231); + +var select336 = linear_select([ + msg791, + msg792, +]); + +var msg793 = msg("417", dup232); + +var msg794 = msg("417:01", dup231); + +var select337 = linear_select([ + msg793, + msg794, +]); + +var msg795 = msg("418", dup232); + +var msg796 = msg("418:01", dup231); + +var select338 = linear_select([ + msg795, + msg796, +]); + +var msg797 = msg("419", dup232); + +var msg798 = msg("419:01", dup231); + +var select339 = linear_select([ + msg797, + msg798, +]); + +var msg799 = msg("420", dup232); + +var msg800 = msg("420:01", dup231); + +var select340 = linear_select([ + msg799, + msg800, +]); + +var msg801 = msg("421", dup232); + +var msg802 = msg("421:01", dup231); + +var select341 = linear_select([ + msg801, + msg802, +]); + +var msg803 = msg("422", dup232); + +var msg804 = msg("422:01", dup231); + +var select342 = linear_select([ + msg803, + msg804, +]); + +var msg805 = msg("423", dup232); + +var msg806 = msg("423:01", dup231); + +var select343 = linear_select([ + msg805, + msg806, +]); + +var msg807 = msg("424", dup232); + +var msg808 = msg("424:01", dup231); + +var select344 = linear_select([ + msg807, + msg808, +]); + +var msg809 = msg("425", dup232); + +var msg810 = msg("425:01", dup231); + +var select345 = linear_select([ + msg809, + msg810, +]); + +var msg811 = msg("426", dup232); + +var msg812 = msg("426:01", dup231); + +var select346 = linear_select([ + msg811, + msg812, +]); + +var msg813 = msg("427", dup232); + +var msg814 = msg("427:01", dup231); + +var select347 = linear_select([ + msg813, + msg814, +]); + +var msg815 = msg("428", dup232); + +var msg816 = msg("428:01", dup231); + +var select348 = linear_select([ + msg815, + msg816, +]); + +var msg817 = msg("429", dup232); + +var msg818 = msg("429:01", dup231); + +var select349 = linear_select([ + msg817, + msg818, +]); + +var msg819 = msg("430", dup232); + +var msg820 = msg("430:01", dup231); + +var select350 = linear_select([ + msg819, + msg820, +]); + +var all33 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup90, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg821 = msg("431", all33); + +var all34 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup90, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var msg822 = msg("431:01", all34); + +var select351 = linear_select([ + msg821, + msg822, +]); + +var msg823 = msg("432", dup232); + +var msg824 = msg("432:01", dup231); + +var select352 = linear_select([ + msg823, + msg824, +]); + +var msg825 = msg("433", dup232); + +var msg826 = msg("433:01", dup231); + +var select353 = linear_select([ + msg825, + msg826, +]); + +var msg827 = msg("436", dup232); + +var msg828 = msg("436:01", dup231); + +var select354 = linear_select([ + msg827, + msg828, +]); + +var msg829 = msg("437", dup232); + +var msg830 = msg("437:01", dup231); + +var select355 = linear_select([ + msg829, + msg830, +]); + +var msg831 = msg("438", dup232); + +var msg832 = msg("438:01", dup231); + +var select356 = linear_select([ + msg831, + msg832, +]); + +var msg833 = msg("439", dup232); + +var msg834 = msg("439:01", dup231); + +var select357 = linear_select([ + msg833, + msg834, +]); + +var msg835 = msg("440", dup232); + +var msg836 = msg("440:01", dup231); + +var select358 = linear_select([ + msg835, + msg836, +]); + +var msg837 = msg("441", dup232); + +var msg838 = msg("441:01", dup231); + +var select359 = linear_select([ + msg837, + msg838, +]); + +var msg839 = msg("443", dup232); + +var msg840 = msg("443:01", dup231); + +var select360 = linear_select([ + msg839, + msg840, +]); + +var msg841 = msg("445", dup232); + +var msg842 = msg("445:01", dup231); + +var select361 = linear_select([ + msg841, + msg842, +]); + +var msg843 = msg("446", dup232); + +var msg844 = msg("446:01", dup231); + +var select362 = linear_select([ + msg843, + msg844, +]); + +var msg845 = msg("448", dup232); + +var msg846 = msg("448:01", dup231); + +var select363 = linear_select([ + msg845, + msg846, +]); + +var msg847 = msg("449", dup232); + +var msg848 = msg("449:01", dup231); + +var select364 = linear_select([ + msg847, + msg848, +]); + +var msg849 = msg("450", dup232); + +var msg850 = msg("450:01", dup231); + +var select365 = linear_select([ + msg849, + msg850, +]); + +var msg851 = msg("451", dup232); + +var msg852 = msg("451:01", dup231); + +var select366 = linear_select([ + msg851, + msg852, +]); + +var msg853 = msg("452", dup232); + +var msg854 = msg("452:01", dup231); + +var select367 = linear_select([ + msg853, + msg854, +]); + +var msg855 = msg("453", dup232); + +var msg856 = msg("453:01", dup231); + +var select368 = linear_select([ + msg855, + msg856, +]); + +var msg857 = msg("454", dup232); + +var msg858 = msg("454:01", dup231); + +var select369 = linear_select([ + msg857, + msg858, +]); + +var msg859 = msg("455", dup232); + +var msg860 = msg("455:01", dup231); + +var select370 = linear_select([ + msg859, + msg860, +]); + +var msg861 = msg("456", dup232); + +var msg862 = msg("456:01", dup231); + +var select371 = linear_select([ + msg861, + msg862, +]); + +var msg863 = msg("457", dup232); + +var msg864 = msg("457:01", dup231); + +var select372 = linear_select([ + msg863, + msg864, +]); + +var msg865 = msg("458", dup232); + +var msg866 = msg("458:01", dup231); + +var select373 = linear_select([ + msg865, + msg866, +]); + +var msg867 = msg("459", dup232); + +var msg868 = msg("459:01", dup231); + +var select374 = linear_select([ + msg867, + msg868, +]); + +var msg869 = msg("460", dup232); + +var msg870 = msg("460:01", dup231); + +var select375 = linear_select([ + msg869, + msg870, +]); + +var msg871 = msg("461", dup232); + +var msg872 = msg("461:01", dup231); + +var select376 = linear_select([ + msg871, + msg872, +]); + +var msg873 = msg("462", dup232); + +var msg874 = msg("462:01", dup231); + +var select377 = linear_select([ + msg873, + msg874, +]); + +var msg875 = msg("463", dup232); + +var msg876 = msg("463:01", dup231); + +var select378 = linear_select([ + msg875, + msg876, +]); + +var msg877 = msg("465", dup232); + +var msg878 = msg("465:01", dup231); + +var select379 = linear_select([ + msg877, + msg878, +]); + +var msg879 = msg("466", dup232); + +var msg880 = msg("466:01", dup231); + +var select380 = linear_select([ + msg879, + msg880, +]); + +var msg881 = msg("467", dup232); + +var msg882 = msg("467:01", dup231); + +var select381 = linear_select([ + msg881, + msg882, +]); + +var msg883 = msg("469", dup232); + +var msg884 = msg("469:01", dup231); + +var select382 = linear_select([ + msg883, + msg884, +]); + +var msg885 = msg("471", dup230); + +var msg886 = msg("471:01", dup233); + +var select383 = linear_select([ + msg885, + msg886, +]); + +var msg887 = msg("472", dup232); + +var msg888 = msg("472:01", dup231); + +var select384 = linear_select([ + msg887, + msg888, +]); + +var msg889 = msg("473", dup232); + +var msg890 = msg("473:01", dup231); + +var select385 = linear_select([ + msg889, + msg890, +]); + +var msg891 = msg("474", dup234); + +var msg892 = msg("474:01", dup235); + +var select386 = linear_select([ + msg891, + msg892, +]); + +var msg893 = msg("475", dup232); + +var msg894 = msg("475:01", dup231); + +var select387 = linear_select([ + msg893, + msg894, +]); + +var msg895 = msg("476", dup234); + +var msg896 = msg("476:01", dup235); + +var select388 = linear_select([ + msg895, + msg896, +]); + +var msg897 = msg("477", dup230); + +var msg898 = msg("477:01", dup233); + +var select389 = linear_select([ + msg897, + msg898, +]); + +var msg899 = msg("478", dup194); + +var msg900 = msg("478:01", dup229); + +var select390 = linear_select([ + msg899, + msg900, +]); + +var msg901 = msg("480", dup232); + +var msg902 = msg("480:01", dup231); + +var select391 = linear_select([ + msg901, + msg902, +]); + +var msg903 = msg("481", dup232); + +var msg904 = msg("481:01", dup231); + +var select392 = linear_select([ + msg903, + msg904, +]); + +var msg905 = msg("482", dup232); + +var msg906 = msg("482:01", dup231); + +var select393 = linear_select([ + msg905, + msg906, +]); + +var msg907 = msg("483", dup232); + +var msg908 = msg("483:01", dup231); + +var select394 = linear_select([ + msg907, + msg908, +]); + +var msg909 = msg("484", dup234); + +var msg910 = msg("484:01", dup235); + +var select395 = linear_select([ + msg909, + msg910, +]); + +var msg911 = msg("485", dup232); + +var msg912 = msg("485:01", dup231); + +var select396 = linear_select([ + msg911, + msg912, +]); + +var msg913 = msg("486", dup232); + +var msg914 = msg("486:01", dup231); + +var select397 = linear_select([ + msg913, + msg914, +]); + +var msg915 = msg("487", dup232); + +var msg916 = msg("487:01", dup231); + +var select398 = linear_select([ + msg915, + msg916, +]); + +var msg917 = msg("488", dup196); + +var msg918 = msg("488:01", dup217); + +var select399 = linear_select([ + msg917, + msg918, +]); + +var msg919 = msg("489", dup227); + +var msg920 = msg("489:01", dup228); + +var select400 = linear_select([ + msg919, + msg920, +]); + +var msg921 = msg("490", dup196); + +var msg922 = msg("490:01", dup217); + +var select401 = linear_select([ + msg921, + msg922, +]); + +var msg923 = msg("491", dup227); + +var msg924 = msg("492", dup236); + +var msg925 = msg("492:01", dup237); + +var select402 = linear_select([ + msg924, + msg925, +]); + +var msg926 = msg("493", dup196); + +var msg927 = msg("493:01", dup217); + +var select403 = linear_select([ + msg926, + msg927, +]); + +var msg928 = msg("494", dup196); + +var msg929 = msg("494:01", dup217); + +var select404 = linear_select([ + msg928, + msg929, +]); + +var msg930 = msg("495", dup196); + +var msg931 = msg("495:01", dup217); + +var select405 = linear_select([ + msg930, + msg931, +]); + +var msg932 = msg("496", dup196); + +var msg933 = msg("496:01", dup217); + +var select406 = linear_select([ + msg932, + msg933, +]); + +var msg934 = msg("497", dup196); + +var msg935 = msg("497:01", dup217); + +var select407 = linear_select([ + msg934, + msg935, +]); + +var msg936 = msg("498", dup196); + +var msg937 = msg("498:01", dup217); + +var select408 = linear_select([ + msg936, + msg937, +]); + +var msg938 = msg("499", dup230); + +var msg939 = msg("499:01", dup233); + +var select409 = linear_select([ + msg938, + msg939, +]); + +var msg940 = msg("500", dup196); + +var msg941 = msg("500:01", dup217); + +var select410 = linear_select([ + msg940, + msg941, +]); + +var msg942 = msg("501", dup196); + +var msg943 = msg("501:01", dup217); + +var select411 = linear_select([ + msg942, + msg943, +]); + +var msg944 = msg("502", dup196); + +var msg945 = msg("502:01", dup217); + +var select412 = linear_select([ + msg944, + msg945, +]); + +var msg946 = msg("503", dup196); + +var msg947 = msg("503:01", dup217); + +var select413 = linear_select([ + msg946, + msg947, +]); + +var msg948 = msg("504", dup196); + +var msg949 = msg("504:01", dup217); + +var select414 = linear_select([ + msg948, + msg949, +]); + +var msg950 = msg("505", dup196); + +var msg951 = msg("505:01", dup217); + +var select415 = linear_select([ + msg950, + msg951, +]); + +var msg952 = msg("506", dup238); + +var msg953 = msg("506:01", dup239); + +var select416 = linear_select([ + msg952, + msg953, +]); + +var msg954 = msg("507", dup196); + +var msg955 = msg("507:01", dup217); + +var select417 = linear_select([ + msg954, + msg955, +]); + +var msg956 = msg("508", dup196); + +var msg957 = msg("508:01", dup217); + +var select418 = linear_select([ + msg956, + msg957, +]); + +var msg958 = msg("509", dup240); + +var msg959 = msg("509:01", dup241); + +var select419 = linear_select([ + msg958, + msg959, +]); + +var msg960 = msg("510", dup196); + +var msg961 = msg("510:01", dup217); + +var select420 = linear_select([ + msg960, + msg961, +]); + +var msg962 = msg("511", dup196); + +var msg963 = msg("511:01", dup217); + +var select421 = linear_select([ + msg962, + msg963, +]); + +var msg964 = msg("512", dup236); + +var msg965 = msg("512:01", dup237); + +var select422 = linear_select([ + msg964, + msg965, +]); + +var msg966 = msg("513", dup196); + +var msg967 = msg("513:01", dup217); + +var select423 = linear_select([ + msg966, + msg967, +]); + +var msg968 = msg("514", dup238); + +var msg969 = msg("514:01", dup239); + +var select424 = linear_select([ + msg968, + msg969, +]); + +var msg970 = msg("516", dup242); + +var msg971 = msg("516:01", dup243); + +var select425 = linear_select([ + msg970, + msg971, +]); + +var msg972 = msg("517", dup196); + +var msg973 = msg("517:01", dup217); + +var select426 = linear_select([ + msg972, + msg973, +]); + +var msg974 = msg("518", dup196); + +var msg975 = msg("518:01", dup217); + +var select427 = linear_select([ + msg974, + msg975, +]); + +var msg976 = msg("519", dup196); + +var msg977 = msg("519:01", dup217); + +var select428 = linear_select([ + msg976, + msg977, +]); + +var msg978 = msg("520", dup196); + +var msg979 = msg("520:01", dup217); + +var select429 = linear_select([ + msg978, + msg979, +]); + +var msg980 = msg("521", dup196); + +var msg981 = msg("521:01", dup217); + +var select430 = linear_select([ + msg980, + msg981, +]); + +var msg982 = msg("522", dup196); + +var msg983 = msg("522:01", dup217); + +var select431 = linear_select([ + msg982, + msg983, +]); + +var msg984 = msg("523", dup196); + +var msg985 = msg("523:01", dup217); + +var select432 = linear_select([ + msg984, + msg985, +]); + +var msg986 = msg("524", dup244); + +var msg987 = msg("524:01", dup245); + +var select433 = linear_select([ + msg986, + msg987, +]); + +var msg988 = msg("525", dup196); + +var msg989 = msg("525:01", dup217); + +var select434 = linear_select([ + msg988, + msg989, +]); + +var msg990 = msg("526", dup244); + +var msg991 = msg("526:01", dup245); + +var select435 = linear_select([ + msg990, + msg991, +]); + +var msg992 = msg("527", dup196); + +var msg993 = msg("527:01", dup217); + +var select436 = linear_select([ + msg992, + msg993, +]); + +var msg994 = msg("528", dup196); + +var msg995 = msg("528:01", dup217); + +var select437 = linear_select([ + msg994, + msg995, +]); + +var msg996 = msg("529", dup198); + +var msg997 = msg("529:01", dup220); + +var select438 = linear_select([ + msg996, + msg997, +]); + +var msg998 = msg("530", dup196); + +var msg999 = msg("530:01", dup217); + +var select439 = linear_select([ + msg998, + msg999, +]); + +var msg1000 = msg("532", dup246); + +var msg1001 = msg("532:01", dup247); + +var select440 = linear_select([ + msg1000, + msg1001, +]); + +var msg1002 = msg("533", dup246); + +var msg1003 = msg("533:01", dup247); + +var select441 = linear_select([ + msg1002, + msg1003, +]); + +var msg1004 = msg("534", dup196); + +var msg1005 = msg("534:01", dup217); + +var select442 = linear_select([ + msg1004, + msg1005, +]); + +var msg1006 = msg("535", dup196); + +var msg1007 = msg("535:01", dup217); + +var select443 = linear_select([ + msg1006, + msg1007, +]); + +var msg1008 = msg("536", dup246); + +var msg1009 = msg("536:01", dup247); + +var select444 = linear_select([ + msg1008, + msg1009, +]); + +var msg1010 = msg("537", dup246); + +var msg1011 = msg("537:01", dup247); + +var select445 = linear_select([ + msg1010, + msg1011, +]); + +var msg1012 = msg("538", dup246); + +var msg1013 = msg("538:01", dup247); + +var select446 = linear_select([ + msg1012, + msg1013, +]); + +var msg1014 = msg("539", dup246); + +var msg1015 = msg("539:01", dup247); + +var select447 = linear_select([ + msg1014, + msg1015, +]); + +var msg1016 = msg("540", dup196); + +var msg1017 = msg("540:01", dup217); + +var select448 = linear_select([ + msg1016, + msg1017, +]); + +var msg1018 = msg("541", dup196); + +var msg1019 = msg("541:01", dup217); + +var select449 = linear_select([ + msg1018, + msg1019, +]); + +var msg1020 = msg("542", dup196); + +var msg1021 = msg("542:01", dup217); + +var select450 = linear_select([ + msg1020, + msg1021, +]); + +var msg1022 = msg("543", dup227); + +var msg1023 = msg("543:01", dup228); + +var select451 = linear_select([ + msg1022, + msg1023, +]); + +var msg1024 = msg("544", dup227); + +var msg1025 = msg("544:01", dup228); + +var select452 = linear_select([ + msg1024, + msg1025, +]); + +var msg1026 = msg("545", dup227); + +var msg1027 = msg("545:01", dup228); + +var select453 = linear_select([ + msg1026, + msg1027, +]); + +var msg1028 = msg("546", dup227); + +var msg1029 = msg("546:01", dup228); + +var select454 = linear_select([ + msg1028, + msg1029, +]); + +var msg1030 = msg("547", dup227); + +var msg1031 = msg("547:01", dup228); + +var select455 = linear_select([ + msg1030, + msg1031, +]); + +var msg1032 = msg("548", dup227); + +var msg1033 = msg("548:01", dup228); + +var select456 = linear_select([ + msg1032, + msg1033, +]); + +var msg1034 = msg("549", dup196); + +var msg1035 = msg("549:01", dup217); + +var select457 = linear_select([ + msg1034, + msg1035, +]); + +var msg1036 = msg("550", dup196); + +var msg1037 = msg("550:01", dup217); + +var select458 = linear_select([ + msg1036, + msg1037, +]); + +var msg1038 = msg("551", dup196); + +var msg1039 = msg("551:01", dup217); + +var select459 = linear_select([ + msg1038, + msg1039, +]); + +var msg1040 = msg("552", dup196); + +var msg1041 = msg("552:01", dup217); + +var select460 = linear_select([ + msg1040, + msg1041, +]); + +var msg1042 = msg("553", dup227); + +var msg1043 = msg("553:01", dup228); + +var select461 = linear_select([ + msg1042, + msg1043, +]); + +var msg1044 = msg("554", dup227); + +var msg1045 = msg("554:01", dup228); + +var select462 = linear_select([ + msg1044, + msg1045, +]); + +var msg1046 = msg("555", dup248); + +var msg1047 = msg("555:01", dup249); + +var select463 = linear_select([ + msg1046, + msg1047, +]); + +var msg1048 = msg("556", dup196); + +var msg1049 = msg("556:01", dup217); + +var select464 = linear_select([ + msg1048, + msg1049, +]); + +var msg1050 = msg("557", dup196); + +var msg1051 = msg("557:01", dup217); + +var select465 = linear_select([ + msg1050, + msg1051, +]); + +var msg1052 = msg("558", dup196); + +var msg1053 = msg("558:01", dup217); + +var select466 = linear_select([ + msg1052, + msg1053, +]); + +var msg1054 = msg("559", dup196); + +var msg1055 = msg("559:01", dup217); + +var select467 = linear_select([ + msg1054, + msg1055, +]); + +var msg1056 = msg("560", dup196); + +var msg1057 = msg("560:01", dup217); + +var select468 = linear_select([ + msg1056, + msg1057, +]); + +var msg1058 = msg("561", dup196); + +var msg1059 = msg("561:01", dup217); + +var select469 = linear_select([ + msg1058, + msg1059, +]); + +var msg1060 = msg("562", dup196); + +var msg1061 = msg("562:01", dup217); + +var select470 = linear_select([ + msg1060, + msg1061, +]); + +var msg1062 = msg("563", dup196); + +var msg1063 = msg("563:01", dup217); + +var select471 = linear_select([ + msg1062, + msg1063, +]); + +var msg1064 = msg("564", dup196); + +var msg1065 = msg("564:01", dup217); + +var select472 = linear_select([ + msg1064, + msg1065, +]); + +var msg1066 = msg("565", dup196); + +var msg1067 = msg("565:01", dup217); + +var select473 = linear_select([ + msg1066, + msg1067, +]); + +var msg1068 = msg("566", dup196); + +var msg1069 = msg("566:01", dup217); + +var select474 = linear_select([ + msg1068, + msg1069, +]); + +var msg1070 = msg("567", dup250); + +var msg1071 = msg("567:01", dup251); + +var select475 = linear_select([ + msg1070, + msg1071, +]); + +var msg1072 = msg("568", dup196); + +var msg1073 = msg("568:01", dup217); + +var select476 = linear_select([ + msg1072, + msg1073, +]); + +var msg1074 = msg("569", dup252); + +var all35 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup80, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var msg1075 = msg("569:01", all35); + +var select477 = linear_select([ + msg1074, + msg1075, +]); + +var msg1076 = msg("570", dup197); + +var msg1077 = msg("570:01", dup221); + +var select478 = linear_select([ + msg1076, + msg1077, +]); + +var msg1078 = msg("571", dup197); + +var msg1079 = msg("571:01", dup221); + +var select479 = linear_select([ + msg1078, + msg1079, +]); + +var msg1080 = msg("572", dup198); + +var msg1081 = msg("572:01", dup220); + +var select480 = linear_select([ + msg1080, + msg1081, +]); + +var msg1082 = msg("573", dup197); + +var msg1083 = msg("573:01", dup221); + +var select481 = linear_select([ + msg1082, + msg1083, +]); + +var msg1084 = msg("574", dup253); + +var msg1085 = msg("574:01", dup254); + +var select482 = linear_select([ + msg1084, + msg1085, +]); + +var msg1086 = msg("575", dup255); + +var msg1087 = msg("575:01", dup256); + +var select483 = linear_select([ + msg1086, + msg1087, +]); + +var msg1088 = msg("576", dup255); + +var msg1089 = msg("576:01", dup256); + +var select484 = linear_select([ + msg1088, + msg1089, +]); + +var msg1090 = msg("577", dup255); + +var msg1091 = msg("577:01", dup256); + +var select485 = linear_select([ + msg1090, + msg1091, +]); + +var msg1092 = msg("578", dup255); + +var msg1093 = msg("578:01", dup256); + +var select486 = linear_select([ + msg1092, + msg1093, +]); + +var msg1094 = msg("579", dup255); + +var msg1095 = msg("579:01", dup256); + +var select487 = linear_select([ + msg1094, + msg1095, +]); + +var msg1096 = msg("580", dup255); + +var msg1097 = msg("580:01", dup256); + +var select488 = linear_select([ + msg1096, + msg1097, +]); + +var msg1098 = msg("581", dup257); + +var all36 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup98, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var msg1099 = msg("581:01", all36); + +var select489 = linear_select([ + msg1098, + msg1099, +]); + +var msg1100 = msg("582", dup255); + +var msg1101 = msg("582:01", dup256); + +var select490 = linear_select([ + msg1100, + msg1101, +]); + +var msg1102 = msg("583", dup255); + +var msg1103 = msg("583:01", dup256); + +var select491 = linear_select([ + msg1102, + msg1103, +]); + +var msg1104 = msg("584", dup255); + +var msg1105 = msg("584:01", dup256); + +var select492 = linear_select([ + msg1104, + msg1105, +]); + +var msg1106 = msg("585", dup255); + +var msg1107 = msg("585:01", dup256); + +var select493 = linear_select([ + msg1106, + msg1107, +]); + +var msg1108 = msg("586", dup255); + +var msg1109 = msg("586:01", dup256); + +var select494 = linear_select([ + msg1108, + msg1109, +]); + +var msg1110 = msg("587", dup255); + +var msg1111 = msg("587:01", dup256); + +var select495 = linear_select([ + msg1110, + msg1111, +]); + +var msg1112 = msg("588", dup255); + +var msg1113 = msg("588:01", dup256); + +var select496 = linear_select([ + msg1112, + msg1113, +]); + +var msg1114 = msg("589", dup255); + +var msg1115 = msg("589:01", dup256); + +var select497 = linear_select([ + msg1114, + msg1115, +]); + +var msg1116 = msg("590", dup255); + +var msg1117 = msg("590:01", dup256); + +var select498 = linear_select([ + msg1116, + msg1117, +]); + +var msg1118 = msg("591", dup255); + +var msg1119 = msg("591:01", dup256); + +var select499 = linear_select([ + msg1118, + msg1119, +]); + +var msg1120 = msg("592", dup255); + +var msg1121 = msg("592:01", dup256); + +var select500 = linear_select([ + msg1120, + msg1121, +]); + +var msg1122 = msg("593", dup255); + +var msg1123 = msg("593:01", dup256); + +var select501 = linear_select([ + msg1122, + msg1123, +]); + +var msg1124 = msg("594", dup255); + +var msg1125 = msg("594:01", dup256); + +var select502 = linear_select([ + msg1124, + msg1125, +]); + +var msg1126 = msg("595", dup258); + +var msg1127 = msg("595:01", dup259); + +var select503 = linear_select([ + msg1126, + msg1127, +]); + +var msg1128 = msg("596", dup255); + +var msg1129 = msg("596:01", dup256); + +var select504 = linear_select([ + msg1128, + msg1129, +]); + +var msg1130 = msg("597", dup255); + +var msg1131 = msg("597:01", dup256); + +var select505 = linear_select([ + msg1130, + msg1131, +]); + +var msg1132 = msg("598", dup258); + +var msg1133 = msg("598:01", dup259); + +var select506 = linear_select([ + msg1132, + msg1133, +]); + +var msg1134 = msg("599", dup258); + +var msg1135 = msg("599:01", dup259); + +var select507 = linear_select([ + msg1134, + msg1135, +]); + +var msg1136 = msg("600", dup255); + +var msg1137 = msg("600:01", dup256); + +var select508 = linear_select([ + msg1136, + msg1137, +]); + +var msg1138 = msg("601", dup196); + +var msg1139 = msg("601:01", dup217); + +var select509 = linear_select([ + msg1138, + msg1139, +]); + +var msg1140 = msg("602", dup196); + +var msg1141 = msg("602:01", dup217); + +var select510 = linear_select([ + msg1140, + msg1141, +]); + +var msg1142 = msg("603", dup196); + +var msg1143 = msg("603:01", dup217); + +var select511 = linear_select([ + msg1142, + msg1143, +]); + +var msg1144 = msg("604", dup196); + +var msg1145 = msg("604:01", dup217); + +var select512 = linear_select([ + msg1144, + msg1145, +]); + +var msg1146 = msg("605", dup236); + +var msg1147 = msg("605:01", dup237); + +var select513 = linear_select([ + msg1146, + msg1147, +]); + +var msg1148 = msg("606", dup196); + +var msg1149 = msg("606:01", dup217); + +var select514 = linear_select([ + msg1148, + msg1149, +]); + +var msg1150 = msg("607", dup196); + +var msg1151 = msg("607:01", dup217); + +var select515 = linear_select([ + msg1150, + msg1151, +]); + +var msg1152 = msg("608", dup196); + +var msg1153 = msg("608:01", dup217); + +var select516 = linear_select([ + msg1152, + msg1153, +]); + +var msg1154 = msg("609", dup196); + +var msg1155 = msg("609:01", dup217); + +var select517 = linear_select([ + msg1154, + msg1155, +]); + +var msg1156 = msg("610", dup196); + +var msg1157 = msg("610:01", dup217); + +var select518 = linear_select([ + msg1156, + msg1157, +]); + +var msg1158 = msg("611", dup236); + +var msg1159 = msg("611:01", dup237); + +var select519 = linear_select([ + msg1158, + msg1159, +]); + +var msg1160 = msg("612", dup255); + +var msg1161 = msg("612:01", dup256); + +var select520 = linear_select([ + msg1160, + msg1161, +]); + +var msg1162 = msg("613", dup194); + +var msg1163 = msg("613:01", dup229); + +var select521 = linear_select([ + msg1162, + msg1163, +]); + +var msg1164 = msg("614", dup205); + +var msg1165 = msg("614:01", dup206); + +var select522 = linear_select([ + msg1164, + msg1165, +]); + +var msg1166 = msg("615", dup194); + +var msg1167 = msg("615:01", dup229); + +var select523 = linear_select([ + msg1166, + msg1167, +]); + +var msg1168 = msg("616", dup194); + +var msg1169 = msg("616:01", dup229); + +var select524 = linear_select([ + msg1168, + msg1169, +]); + +var msg1170 = msg("617", dup194); + +var msg1171 = msg("617:01", dup229); + +var select525 = linear_select([ + msg1170, + msg1171, +]); + +var msg1172 = msg("618", dup194); + +var msg1173 = msg("618:01", dup229); + +var select526 = linear_select([ + msg1172, + msg1173, +]); + +var msg1174 = msg("619", dup194); + +var msg1175 = msg("619:01", dup229); + +var select527 = linear_select([ + msg1174, + msg1175, +]); + +var msg1176 = msg("620", dup194); + +var msg1177 = msg("620:01", dup229); + +var select528 = linear_select([ + msg1176, + msg1177, +]); + +var msg1178 = msg("621", dup194); + +var msg1179 = msg("621:01", dup229); + +var select529 = linear_select([ + msg1178, + msg1179, +]); + +var msg1180 = msg("622", dup194); + +var msg1181 = msg("622:01", dup229); + +var select530 = linear_select([ + msg1180, + msg1181, +]); + +var msg1182 = msg("623", dup194); + +var msg1183 = msg("623:01", dup229); + +var select531 = linear_select([ + msg1182, + msg1183, +]); + +var msg1184 = msg("624", dup194); + +var msg1185 = msg("624:01", dup229); + +var select532 = linear_select([ + msg1184, + msg1185, +]); + +var msg1186 = msg("625", dup194); + +var msg1187 = msg("625:01", dup229); + +var select533 = linear_select([ + msg1186, + msg1187, +]); + +var msg1188 = msg("626", dup194); + +var msg1189 = msg("626:01", dup229); + +var select534 = linear_select([ + msg1188, + msg1189, +]); + +var msg1190 = msg("627", dup194); + +var msg1191 = msg("627:01", dup229); + +var select535 = linear_select([ + msg1190, + msg1191, +]); + +var msg1192 = msg("628", dup234); + +var msg1193 = msg("628:01", dup235); + +var select536 = linear_select([ + msg1192, + msg1193, +]); + +var msg1194 = msg("629", dup225); + +var msg1195 = msg("629:01", dup226); + +var select537 = linear_select([ + msg1194, + msg1195, +]); + +var msg1196 = msg("630", dup234); + +var msg1197 = msg("630:01", dup229); + +var select538 = linear_select([ + msg1196, + msg1197, +]); + +var all37 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup97, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg1198 = msg("631", all37); + +var msg1199 = msg("631:01", dup251); + +var select539 = linear_select([ + msg1198, + msg1199, +]); + +var msg1200 = msg("632", dup250); + +var msg1201 = msg("632:01", dup251); + +var select540 = linear_select([ + msg1200, + msg1201, +]); + +var msg1202 = msg("634", dup194); + +var msg1203 = msg("634:01", dup229); + +var select541 = linear_select([ + msg1202, + msg1203, +]); + +var msg1204 = msg("635", dup194); + +var msg1205 = msg("635:01", dup229); + +var select542 = linear_select([ + msg1204, + msg1205, +]); + +var msg1206 = msg("636", dup194); + +var msg1207 = msg("636:01", dup229); + +var select543 = linear_select([ + msg1206, + msg1207, +]); + +var msg1208 = msg("637", dup194); + +var msg1209 = msg("637:01", dup229); + +var select544 = linear_select([ + msg1208, + msg1209, +]); + +var msg1210 = msg("638", dup196); + +var msg1211 = msg("638:01", dup217); + +var select545 = linear_select([ + msg1210, + msg1211, +]); + +var msg1212 = msg("639", dup196); + +var msg1213 = msg("639:01", dup217); + +var select546 = linear_select([ + msg1212, + msg1213, +]); + +var msg1214 = msg("640", dup196); + +var msg1215 = msg("640:01", dup217); + +var select547 = linear_select([ + msg1214, + msg1215, +]); + +var msg1216 = msg("641", dup196); + +var msg1217 = msg("641:01", dup217); + +var select548 = linear_select([ + msg1216, + msg1217, +]); + +var msg1218 = msg("642", dup196); + +var msg1219 = msg("642:01", dup217); + +var select549 = linear_select([ + msg1218, + msg1219, +]); + +var msg1220 = msg("643", dup196); + +var msg1221 = msg("643:01", dup217); + +var select550 = linear_select([ + msg1220, + msg1221, +]); + +var msg1222 = msg("644", dup196); + +var msg1223 = msg("644:01", dup217); + +var select551 = linear_select([ + msg1222, + msg1223, +]); + +var msg1224 = msg("645", dup196); + +var msg1225 = msg("645:01", dup217); + +var select552 = linear_select([ + msg1224, + msg1225, +]); + +var msg1226 = msg("646", dup196); + +var msg1227 = msg("646:01", dup217); + +var select553 = linear_select([ + msg1226, + msg1227, +]); + +var msg1228 = msg("647", dup196); + +var msg1229 = msg("647:01", dup217); + +var select554 = linear_select([ + msg1228, + msg1229, +]); + +var msg1230 = msg("648", dup196); + +var msg1231 = msg("648:01", dup217); + +var select555 = linear_select([ + msg1230, + msg1231, +]); + +var msg1232 = msg("649", dup196); + +var msg1233 = msg("649:01", dup217); + +var select556 = linear_select([ + msg1232, + msg1233, +]); + +var msg1234 = msg("650", dup196); + +var msg1235 = msg("650:01", dup217); + +var select557 = linear_select([ + msg1234, + msg1235, +]); + +var msg1236 = msg("651", dup196); + +var msg1237 = msg("651:01", dup217); + +var select558 = linear_select([ + msg1236, + msg1237, +]); + +var msg1238 = msg("652", dup196); + +var msg1239 = msg("652:01", dup217); + +var select559 = linear_select([ + msg1238, + msg1239, +]); + +var msg1240 = msg("653", dup196); + +var msg1241 = msg("653:01", dup217); + +var select560 = linear_select([ + msg1240, + msg1241, +]); + +var msg1242 = msg("654", dup197); + +var msg1243 = msg("654:01", dup221); + +var select561 = linear_select([ + msg1242, + msg1243, +]); + +var msg1244 = msg("655", dup250); + +var msg1245 = msg("655:01", dup251); + +var select562 = linear_select([ + msg1244, + msg1245, +]); + +var msg1246 = msg("656", dup197); + +var msg1247 = msg("656:01", dup221); + +var select563 = linear_select([ + msg1246, + msg1247, +]); + +var msg1248 = msg("657", dup197); + +var msg1249 = msg("657:01", dup221); + +var select564 = linear_select([ + msg1248, + msg1249, +]); + +var msg1250 = msg("658", dup198); + +var msg1251 = msg("658:01", dup220); + +var select565 = linear_select([ + msg1250, + msg1251, +]); + +var msg1252 = msg("659", dup250); + +var msg1253 = msg("659:01", dup251); + +var select566 = linear_select([ + msg1252, + msg1253, +]); + +var msg1254 = msg("660", dup250); + +var msg1255 = msg("660:01", dup251); + +var select567 = linear_select([ + msg1254, + msg1255, +]); + +var msg1256 = msg("661", dup250); + +var msg1257 = msg("661:01", dup251); + +var select568 = linear_select([ + msg1256, + msg1257, +]); + +var msg1258 = msg("662", dup250); + +var msg1259 = msg("662:01", dup251); + +var select569 = linear_select([ + msg1258, + msg1259, +]); + +var msg1260 = msg("663", dup250); + +var msg1261 = msg("663:01", dup251); + +var select570 = linear_select([ + msg1260, + msg1261, +]); + +var msg1262 = msg("664", dup250); + +var msg1263 = msg("664:01", dup251); + +var select571 = linear_select([ + msg1262, + msg1263, +]); + +var msg1264 = msg("665", dup250); + +var msg1265 = msg("665:01", dup251); + +var select572 = linear_select([ + msg1264, + msg1265, +]); + +var msg1266 = msg("666", dup250); + +var msg1267 = msg("666:01", dup251); + +var select573 = linear_select([ + msg1266, + msg1267, +]); + +var msg1268 = msg("667", dup250); + +var msg1269 = msg("667:01", dup251); + +var select574 = linear_select([ + msg1268, + msg1269, +]); + +var msg1270 = msg("668", dup250); + +var msg1271 = msg("668:01", dup251); + +var select575 = linear_select([ + msg1270, + msg1271, +]); + +var msg1272 = msg("669", dup250); + +var msg1273 = msg("669:01", dup251); + +var select576 = linear_select([ + msg1272, + msg1273, +]); + +var msg1274 = msg("670", dup250); + +var msg1275 = msg("670:01", dup251); + +var select577 = linear_select([ + msg1274, + msg1275, +]); + +var msg1276 = msg("671", dup250); + +var msg1277 = msg("671:01", dup251); + +var select578 = linear_select([ + msg1276, + msg1277, +]); + +var msg1278 = msg("672", dup250); + +var msg1279 = msg("672:01", dup251); + +var select579 = linear_select([ + msg1278, + msg1279, +]); + +var msg1280 = msg("673", dup260); + +var msg1281 = msg("673:01", dup261); + +var select580 = linear_select([ + msg1280, + msg1281, +]); + +var msg1282 = msg("674", dup197); + +var msg1283 = msg("674:01", dup221); + +var select581 = linear_select([ + msg1282, + msg1283, +]); + +var msg1284 = msg("675", dup197); + +var msg1285 = msg("675:01", dup221); + +var select582 = linear_select([ + msg1284, + msg1285, +]); + +var msg1286 = msg("676", dup260); + +var msg1287 = msg("676:01", dup261); + +var select583 = linear_select([ + msg1286, + msg1287, +]); + +var msg1288 = msg("677", dup196); + +var msg1289 = msg("677:01", dup217); + +var select584 = linear_select([ + msg1288, + msg1289, +]); + +var msg1290 = msg("678", dup196); + +var msg1291 = msg("678:01", dup217); + +var select585 = linear_select([ + msg1290, + msg1291, +]); + +var msg1292 = msg("679", dup196); + +var msg1293 = msg("679:01", dup217); + +var select586 = linear_select([ + msg1292, + msg1293, +]); + +var msg1294 = msg("680", dup236); + +var msg1295 = msg("680:01", dup237); + +var select587 = linear_select([ + msg1294, + msg1295, +]); + +var msg1296 = msg("681", dup260); + +var msg1297 = msg("681:01", dup261); + +var select588 = linear_select([ + msg1296, + msg1297, +]); + +var msg1298 = msg("682", dup197); + +var msg1299 = msg("682:01", dup221); + +var select589 = linear_select([ + msg1298, + msg1299, +]); + +var msg1300 = msg("683", dup196); + +var msg1301 = msg("683:01", dup217); + +var select590 = linear_select([ + msg1300, + msg1301, +]); + +var msg1302 = msg("684", dup196); + +var msg1303 = msg("684:01", dup217); + +var select591 = linear_select([ + msg1302, + msg1303, +]); + +var msg1304 = msg("685", dup196); + +var msg1305 = msg("685:01", dup217); + +var select592 = linear_select([ + msg1304, + msg1305, +]); + +var msg1306 = msg("686", dup240); + +var msg1307 = msg("686:01", dup241); + +var select593 = linear_select([ + msg1306, + msg1307, +]); + +var msg1308 = msg("687", dup260); + +var msg1309 = msg("687:01", dup261); + +var select594 = linear_select([ + msg1308, + msg1309, +]); + +var msg1310 = msg("688", dup236); + +var msg1311 = msg("688:01", dup237); + +var select595 = linear_select([ + msg1310, + msg1311, +]); + +var msg1312 = msg("689", dup240); + +var msg1313 = msg("689:01", dup241); + +var select596 = linear_select([ + msg1312, + msg1313, +]); + +var msg1314 = msg("690", dup197); + +var msg1315 = msg("690:01", dup221); + +var select597 = linear_select([ + msg1314, + msg1315, +]); + +var msg1316 = msg("691", dup240); + +var msg1317 = msg("691:01", dup241); + +var select598 = linear_select([ + msg1316, + msg1317, +]); + +var msg1318 = msg("692", dup240); + +var msg1319 = msg("692:01", dup241); + +var select599 = linear_select([ + msg1318, + msg1319, +]); + +var msg1320 = msg("693", dup240); + +var msg1321 = msg("693:01", dup241); + +var select600 = linear_select([ + msg1320, + msg1321, +]); + +var msg1322 = msg("694", dup240); + +var msg1323 = msg("694:01", dup241); + +var select601 = linear_select([ + msg1322, + msg1323, +]); + +var msg1324 = msg("695", dup197); + +var msg1325 = msg("695:01", dup221); + +var select602 = linear_select([ + msg1324, + msg1325, +]); + +var msg1326 = msg("696", dup197); + +var msg1327 = msg("696:01", dup221); + +var select603 = linear_select([ + msg1326, + msg1327, +]); + +var msg1328 = msg("697", dup197); + +var msg1329 = msg("697:01", dup221); + +var select604 = linear_select([ + msg1328, + msg1329, +]); + +var msg1330 = msg("698", dup197); + +var msg1331 = msg("698:01", dup221); + +var select605 = linear_select([ + msg1330, + msg1331, +]); + +var msg1332 = msg("699", dup197); + +var msg1333 = msg("699:01", dup221); + +var select606 = linear_select([ + msg1332, + msg1333, +]); + +var msg1334 = msg("700", dup197); + +var msg1335 = msg("700:01", dup221); + +var select607 = linear_select([ + msg1334, + msg1335, +]); + +var msg1336 = msg("701", dup197); + +var msg1337 = msg("701:01", dup221); + +var select608 = linear_select([ + msg1336, + msg1337, +]); + +var msg1338 = msg("702", dup197); + +var msg1339 = msg("702:01", dup221); + +var select609 = linear_select([ + msg1338, + msg1339, +]); + +var msg1340 = msg("703", dup197); + +var msg1341 = msg("703:01", dup221); + +var select610 = linear_select([ + msg1340, + msg1341, +]); + +var msg1342 = msg("704", dup197); + +var msg1343 = msg("704:01", dup221); + +var select611 = linear_select([ + msg1342, + msg1343, +]); + +var msg1344 = msg("705", dup197); + +var msg1345 = msg("705:01", dup221); + +var select612 = linear_select([ + msg1344, + msg1345, +]); + +var msg1346 = msg("706", dup197); + +var msg1347 = msg("706:01", dup221); + +var select613 = linear_select([ + msg1346, + msg1347, +]); + +var msg1348 = msg("707", dup197); + +var msg1349 = msg("707:01", dup221); + +var select614 = linear_select([ + msg1348, + msg1349, +]); + +var msg1350 = msg("708", dup197); + +var msg1351 = msg("708:01", dup221); + +var select615 = linear_select([ + msg1350, + msg1351, +]); + +var msg1352 = msg("709", dup248); + +var msg1353 = msg("709:01", dup249); + +var select616 = linear_select([ + msg1352, + msg1353, +]); + +var msg1354 = msg("710", dup248); + +var msg1355 = msg("710:01", dup249); + +var select617 = linear_select([ + msg1354, + msg1355, +]); + +var msg1356 = msg("711", dup196); + +var msg1357 = msg("711:01", dup217); + +var select618 = linear_select([ + msg1356, + msg1357, +]); + +var msg1358 = msg("712", dup196); + +var msg1359 = msg("712:01", dup217); + +var select619 = linear_select([ + msg1358, + msg1359, +]); + +var msg1360 = msg("713", dup198); + +var msg1361 = msg("713:01", dup220); + +var select620 = linear_select([ + msg1360, + msg1361, +]); + +var msg1362 = msg("714", dup196); + +var msg1363 = msg("714:01", dup217); + +var select621 = linear_select([ + msg1362, + msg1363, +]); + +var msg1364 = msg("715", dup248); + +var msg1365 = msg("715:01", dup249); + +var select622 = linear_select([ + msg1364, + msg1365, +]); + +var msg1366 = msg("716", dup248); + +var msg1367 = msg("716:01", dup249); + +var select623 = linear_select([ + msg1366, + msg1367, +]); + +var msg1368 = msg("717", dup196); + +var msg1369 = msg("717:01", dup217); + +var select624 = linear_select([ + msg1368, + msg1369, +]); + +var msg1370 = msg("718", dup196); + +var msg1371 = msg("718:01", dup217); + +var select625 = linear_select([ + msg1370, + msg1371, +]); + +var msg1372 = msg("719", dup196); + +var msg1373 = msg("719:01", dup217); + +var select626 = linear_select([ + msg1372, + msg1373, +]); + +var msg1374 = msg("720", dup192); + +var msg1375 = msg("720:01", dup262); + +var select627 = linear_select([ + msg1374, + msg1375, +]); + +var msg1376 = msg("721", dup263); + +var msg1377 = msg("721:01", dup264); + +var select628 = linear_select([ + msg1376, + msg1377, +]); + +var msg1378 = msg("722", dup238); + +var msg1379 = msg("722:01", dup239); + +var select629 = linear_select([ + msg1378, + msg1379, +]); + +var msg1380 = msg("723", dup238); + +var msg1381 = msg("723:01", dup239); + +var select630 = linear_select([ + msg1380, + msg1381, +]); + +var msg1382 = msg("724", dup238); + +var msg1383 = msg("724:01", dup239); + +var select631 = linear_select([ + msg1382, + msg1383, +]); + +var msg1384 = msg("725", dup238); + +var msg1385 = msg("725:01", dup239); + +var select632 = linear_select([ + msg1384, + msg1385, +]); + +var msg1386 = msg("726", dup238); + +var msg1387 = msg("726:01", dup239); + +var select633 = linear_select([ + msg1386, + msg1387, +]); + +var msg1388 = msg("727", dup238); + +var msg1389 = msg("727:01", dup239); + +var select634 = linear_select([ + msg1388, + msg1389, +]); + +var msg1390 = msg("728", dup238); + +var msg1391 = msg("728:01", dup239); + +var select635 = linear_select([ + msg1390, + msg1391, +]); + +var msg1392 = msg("729", dup263); + +var msg1393 = msg("729:01", dup264); + +var select636 = linear_select([ + msg1392, + msg1393, +]); + +var msg1394 = msg("730", dup263); + +var msg1395 = msg("730:01", dup264); + +var select637 = linear_select([ + msg1394, + msg1395, +]); + +var msg1396 = msg("731", dup238); + +var msg1397 = msg("731:01", dup239); + +var select638 = linear_select([ + msg1396, + msg1397, +]); + +var msg1398 = msg("732", dup238); + +var msg1399 = msg("732:01", dup239); + +var select639 = linear_select([ + msg1398, + msg1399, +]); + +var msg1400 = msg("733", dup238); + +var msg1401 = msg("733:01", dup239); + +var select640 = linear_select([ + msg1400, + msg1401, +]); + +var msg1402 = msg("734", dup238); + +var msg1403 = msg("734:01", dup239); + +var select641 = linear_select([ + msg1402, + msg1403, +]); + +var msg1404 = msg("735", dup238); + +var msg1405 = msg("735:01", dup239); + +var select642 = linear_select([ + msg1404, + msg1405, +]); + +var msg1406 = msg("736", dup263); + +var msg1407 = msg("736:01", dup264); + +var select643 = linear_select([ + msg1406, + msg1407, +]); + +var msg1408 = msg("737", dup263); + +var msg1409 = msg("737:01", dup264); + +var select644 = linear_select([ + msg1408, + msg1409, +]); + +var msg1410 = msg("738", dup263); + +var msg1411 = msg("738:01", dup264); + +var select645 = linear_select([ + msg1410, + msg1411, +]); + +var msg1412 = msg("739", dup238); + +var msg1413 = msg("739:01", dup239); + +var select646 = linear_select([ + msg1412, + msg1413, +]); + +var msg1414 = msg("740", dup263); + +var msg1415 = msg("740:01", dup264); + +var select647 = linear_select([ + msg1414, + msg1415, +]); + +var msg1416 = msg("741", dup238); + +var msg1417 = msg("741:01", dup239); + +var select648 = linear_select([ + msg1416, + msg1417, +]); + +var msg1418 = msg("742", dup238); + +var msg1419 = msg("742:01", dup239); + +var select649 = linear_select([ + msg1418, + msg1419, +]); + +var msg1420 = msg("743", dup238); + +var msg1421 = msg("743:01", dup239); + +var select650 = linear_select([ + msg1420, + msg1421, +]); + +var msg1422 = msg("744", dup238); + +var msg1423 = msg("744:01", dup239); + +var select651 = linear_select([ + msg1422, + msg1423, +]); + +var msg1424 = msg("745", dup238); + +var msg1425 = msg("745:01", dup239); + +var select652 = linear_select([ + msg1424, + msg1425, +]); + +var msg1426 = msg("746", dup238); + +var msg1427 = msg("746:01", dup239); + +var select653 = linear_select([ + msg1426, + msg1427, +]); + +var msg1428 = msg("747", dup238); + +var msg1429 = msg("747:01", dup239); + +var select654 = linear_select([ + msg1428, + msg1429, +]); + +var msg1430 = msg("748", dup238); + +var msg1431 = msg("748:01", dup239); + +var select655 = linear_select([ + msg1430, + msg1431, +]); + +var msg1432 = msg("749", dup238); + +var msg1433 = msg("749:01", dup239); + +var select656 = linear_select([ + msg1432, + msg1433, +]); + +var msg1434 = msg("751", dup238); + +var msg1435 = msg("751:01", dup239); + +var select657 = linear_select([ + msg1434, + msg1435, +]); + +var msg1436 = msg("752", dup238); + +var msg1437 = msg("752:01", dup239); + +var select658 = linear_select([ + msg1436, + msg1437, +]); + +var msg1438 = msg("753", dup238); + +var msg1439 = msg("753:01", dup239); + +var select659 = linear_select([ + msg1438, + msg1439, +]); + +var msg1440 = msg("754", dup263); + +var msg1441 = msg("754:01", dup264); + +var select660 = linear_select([ + msg1440, + msg1441, +]); + +var msg1442 = msg("755", dup238); + +var msg1443 = msg("755:01", dup239); + +var select661 = linear_select([ + msg1442, + msg1443, +]); + +var msg1444 = msg("756", dup238); + +var msg1445 = msg("756:01", dup239); + +var select662 = linear_select([ + msg1444, + msg1445, +]); + +var msg1446 = msg("757", dup192); + +var msg1447 = msg("757:01", dup262); + +var select663 = linear_select([ + msg1446, + msg1447, +]); + +var msg1448 = msg("758", dup192); + +var msg1449 = msg("758:01", dup262); + +var select664 = linear_select([ + msg1448, + msg1449, +]); + +var msg1450 = msg("759", dup263); + +var msg1451 = msg("759:01", dup264); + +var select665 = linear_select([ + msg1450, + msg1451, +]); + +var msg1452 = msg("760", dup238); + +var msg1453 = msg("760:01", dup239); + +var select666 = linear_select([ + msg1452, + msg1453, +]); + +var msg1454 = msg("761", dup238); + +var msg1455 = msg("761:01", dup239); + +var select667 = linear_select([ + msg1454, + msg1455, +]); + +var msg1456 = msg("762", dup238); + +var msg1457 = msg("762:01", dup239); + +var select668 = linear_select([ + msg1456, + msg1457, +]); + +var msg1458 = msg("763", dup238); + +var msg1459 = msg("763:01", dup239); + +var select669 = linear_select([ + msg1458, + msg1459, +]); + +var msg1460 = msg("764", dup238); + +var msg1461 = msg("764:01", dup239); + +var select670 = linear_select([ + msg1460, + msg1461, +]); + +var msg1462 = msg("765", dup238); + +var msg1463 = msg("765:01", dup239); + +var select671 = linear_select([ + msg1462, + msg1463, +]); + +var msg1464 = msg("766", dup238); + +var msg1465 = msg("766:01", dup239); + +var select672 = linear_select([ + msg1464, + msg1465, +]); + +var msg1466 = msg("767", dup238); + +var msg1467 = msg("767:01", dup239); + +var select673 = linear_select([ + msg1466, + msg1467, +]); + +var msg1468 = msg("768", dup238); + +var msg1469 = msg("768:01", dup239); + +var select674 = linear_select([ + msg1468, + msg1469, +]); + +var msg1470 = msg("769", dup238); + +var msg1471 = msg("769:01", dup239); + +var select675 = linear_select([ + msg1470, + msg1471, +]); + +var msg1472 = msg("770", dup238); + +var msg1473 = msg("770:01", dup239); + +var select676 = linear_select([ + msg1472, + msg1473, +]); + +var msg1474 = msg("771", dup192); + +var msg1475 = msg("771:01", dup262); + +var select677 = linear_select([ + msg1474, + msg1475, +]); + +var msg1476 = msg("772", dup192); + +var msg1477 = msg("772:01", dup262); + +var select678 = linear_select([ + msg1476, + msg1477, +]); + +var msg1478 = msg("773", dup263); + +var msg1479 = msg("773:01", dup264); + +var select679 = linear_select([ + msg1478, + msg1479, +]); + +var msg1480 = msg("774", dup192); + +var msg1481 = msg("774:01", dup262); + +var select680 = linear_select([ + msg1480, + msg1481, +]); + +var msg1482 = msg("775", dup238); + +var msg1483 = msg("775:01", dup239); + +var select681 = linear_select([ + msg1482, + msg1483, +]); + +var msg1484 = msg("776", dup238); + +var msg1485 = msg("776:01", dup239); + +var select682 = linear_select([ + msg1484, + msg1485, +]); + +var msg1486 = msg("777", dup238); + +var msg1487 = msg("777:01", dup239); + +var select683 = linear_select([ + msg1486, + msg1487, +]); + +var msg1488 = msg("778", dup263); + +var msg1489 = msg("778:01", dup264); + +var select684 = linear_select([ + msg1488, + msg1489, +]); + +var msg1490 = msg("779", dup238); + +var msg1491 = msg("779:01", dup239); + +var select685 = linear_select([ + msg1490, + msg1491, +]); + +var msg1492 = msg("780", dup238); + +var msg1493 = msg("780:01", dup239); + +var select686 = linear_select([ + msg1492, + msg1493, +]); + +var msg1494 = msg("781", dup238); + +var msg1495 = msg("781:01", dup239); + +var select687 = linear_select([ + msg1494, + msg1495, +]); + +var msg1496 = msg("782", dup238); + +var msg1497 = msg("782:01", dup239); + +var select688 = linear_select([ + msg1496, + msg1497, +]); + +var msg1498 = msg("783", dup238); + +var msg1499 = msg("783:01", dup239); + +var select689 = linear_select([ + msg1498, + msg1499, +]); + +var msg1500 = msg("784", dup238); + +var msg1501 = msg("784:01", dup239); + +var select690 = linear_select([ + msg1500, + msg1501, +]); + +var msg1502 = msg("785", dup238); + +var msg1503 = msg("785:01", dup239); + +var select691 = linear_select([ + msg1502, + msg1503, +]); + +var msg1504 = msg("786", dup238); + +var msg1505 = msg("786:01", dup239); + +var select692 = linear_select([ + msg1504, + msg1505, +]); + +var msg1506 = msg("787", dup238); + +var msg1507 = msg("787:01", dup239); + +var select693 = linear_select([ + msg1506, + msg1507, +]); + +var msg1508 = msg("788", dup238); + +var msg1509 = msg("788:01", dup239); + +var select694 = linear_select([ + msg1508, + msg1509, +]); + +var msg1510 = msg("789", dup238); + +var msg1511 = msg("789:01", dup239); + +var select695 = linear_select([ + msg1510, + msg1511, +]); + +var msg1512 = msg("790", dup238); + +var msg1513 = msg("790:01", dup239); + +var select696 = linear_select([ + msg1512, + msg1513, +]); + +var msg1514 = msg("791", dup238); + +var msg1515 = msg("791:01", dup239); + +var select697 = linear_select([ + msg1514, + msg1515, +]); + +var msg1516 = msg("792", dup238); + +var msg1517 = msg("792:01", dup239); + +var select698 = linear_select([ + msg1516, + msg1517, +]); + +var msg1518 = msg("793", dup263); + +var msg1519 = msg("793:01", dup264); + +var select699 = linear_select([ + msg1518, + msg1519, +]); + +var msg1520 = msg("794", dup238); + +var msg1521 = msg("794:01", dup239); + +var select700 = linear_select([ + msg1520, + msg1521, +]); + +var msg1522 = msg("795", dup238); + +var msg1523 = msg("795:01", dup239); + +var select701 = linear_select([ + msg1522, + msg1523, +]); + +var msg1524 = msg("796", dup238); + +var msg1525 = msg("796:01", dup239); + +var select702 = linear_select([ + msg1524, + msg1525, +]); + +var msg1526 = msg("797", dup238); + +var msg1527 = msg("797:01", dup239); + +var select703 = linear_select([ + msg1526, + msg1527, +]); + +var msg1528 = msg("798", dup238); + +var msg1529 = msg("798:01", dup239); + +var select704 = linear_select([ + msg1528, + msg1529, +]); + +var msg1530 = msg("799", dup238); + +var msg1531 = msg("799:01", dup239); + +var select705 = linear_select([ + msg1530, + msg1531, +]); + +var msg1532 = msg("800", dup238); + +var msg1533 = msg("800:01", dup239); + +var select706 = linear_select([ + msg1532, + msg1533, +]); + +var msg1534 = msg("801", dup238); + +var msg1535 = msg("801:01", dup239); + +var select707 = linear_select([ + msg1534, + msg1535, +]); + +var msg1536 = msg("802", dup192); + +var msg1537 = msg("802:01", dup262); + +var select708 = linear_select([ + msg1536, + msg1537, +]); + +var msg1538 = msg("803", dup265); + +var msg1539 = msg("803:01", dup266); + +var select709 = linear_select([ + msg1538, + msg1539, +]); + +var msg1540 = msg("804", dup267); + +var msg1541 = msg("804:01", dup268); + +var select710 = linear_select([ + msg1540, + msg1541, +]); + +var msg1542 = msg("805", dup265); + +var msg1543 = msg("805:01", dup266); + +var select711 = linear_select([ + msg1542, + msg1543, +]); + +var msg1544 = msg("806", dup265); + +var msg1545 = msg("806:01", dup266); + +var select712 = linear_select([ + msg1544, + msg1545, +]); + +var msg1546 = msg("807", dup265); + +var msg1547 = msg("807:01", dup266); + +var select713 = linear_select([ + msg1546, + msg1547, +]); + +var msg1548 = msg("808", dup265); + +var msg1549 = msg("808:01", dup266); + +var select714 = linear_select([ + msg1548, + msg1549, +]); + +var msg1550 = msg("809", dup269); + +var msg1551 = msg("809:01", dup270); + +var select715 = linear_select([ + msg1550, + msg1551, +]); + +var msg1552 = msg("810", dup265); + +var msg1553 = msg("810:01", dup266); + +var select716 = linear_select([ + msg1552, + msg1553, +]); + +var msg1554 = msg("811", dup265); + +var msg1555 = msg("811:01", dup266); + +var select717 = linear_select([ + msg1554, + msg1555, +]); + +var msg1556 = msg("812", dup265); + +var msg1557 = msg("812:01", dup266); + +var select718 = linear_select([ + msg1556, + msg1557, +]); + +var msg1558 = msg("813", dup265); + +var msg1559 = msg("813:01", dup266); + +var select719 = linear_select([ + msg1558, + msg1559, +]); + +var msg1560 = msg("815", dup265); + +var msg1561 = msg("815:01", dup266); + +var select720 = linear_select([ + msg1560, + msg1561, +]); + +var msg1562 = msg("817", dup265); + +var msg1563 = msg("817:01", dup266); + +var select721 = linear_select([ + msg1562, + msg1563, +]); + +var msg1564 = msg("818", dup265); + +var msg1565 = msg("818:01", dup266); + +var select722 = linear_select([ + msg1564, + msg1565, +]); + +var msg1566 = msg("819", dup265); + +var msg1567 = msg("819:01", dup266); + +var select723 = linear_select([ + msg1566, + msg1567, +]); + +var msg1568 = msg("820", dup265); + +var msg1569 = msg("820:01", dup266); + +var select724 = linear_select([ + msg1568, + msg1569, +]); + +var msg1570 = msg("821", dup267); + +var msg1571 = msg("821:01", dup268); + +var select725 = linear_select([ + msg1570, + msg1571, +]); + +var msg1572 = msg("823", dup265); + +var msg1573 = msg("823:01", dup266); + +var select726 = linear_select([ + msg1572, + msg1573, +]); + +var msg1574 = msg("824", dup265); + +var msg1575 = msg("824:01", dup266); + +var select727 = linear_select([ + msg1574, + msg1575, +]); + +var msg1576 = msg("825", dup265); + +var msg1577 = msg("825:01", dup266); + +var select728 = linear_select([ + msg1576, + msg1577, +]); + +var msg1578 = msg("826", dup265); + +var msg1579 = msg("826:01", dup266); + +var select729 = linear_select([ + msg1578, + msg1579, +]); + +var msg1580 = msg("827", dup265); + +var msg1581 = msg("827:01", dup266); + +var select730 = linear_select([ + msg1580, + msg1581, +]); + +var msg1582 = msg("828", dup265); + +var msg1583 = msg("828:01", dup266); + +var select731 = linear_select([ + msg1582, + msg1583, +]); + +var msg1584 = msg("829", dup265); + +var msg1585 = msg("829:01", dup266); + +var select732 = linear_select([ + msg1584, + msg1585, +]); + +var msg1586 = msg("830", dup265); + +var msg1587 = msg("830:01", dup266); + +var select733 = linear_select([ + msg1586, + msg1587, +]); + +var msg1588 = msg("832", dup265); + +var msg1589 = msg("832:01", dup266); + +var select734 = linear_select([ + msg1588, + msg1589, +]); + +var msg1590 = msg("833", dup265); + +var msg1591 = msg("833:01", dup266); + +var select735 = linear_select([ + msg1590, + msg1591, +]); + +var msg1592 = msg("834", dup265); + +var msg1593 = msg("834:01", dup266); + +var select736 = linear_select([ + msg1592, + msg1593, +]); + +var msg1594 = msg("835", dup265); + +var msg1595 = msg("835:01", dup266); + +var select737 = linear_select([ + msg1594, + msg1595, +]); + +var msg1596 = msg("836", dup265); + +var msg1597 = msg("836:01", dup266); + +var select738 = linear_select([ + msg1596, + msg1597, +]); + +var msg1598 = msg("837", dup265); + +var msg1599 = msg("837:01", dup266); + +var select739 = linear_select([ + msg1598, + msg1599, +]); + +var msg1600 = msg("838", dup265); + +var msg1601 = msg("838:01", dup266); + +var select740 = linear_select([ + msg1600, + msg1601, +]); + +var msg1602 = msg("839", dup225); + +var msg1603 = msg("839:01", dup226); + +var select741 = linear_select([ + msg1602, + msg1603, +]); + +var msg1604 = msg("840", dup265); + +var msg1605 = msg("840:01", dup266); + +var select742 = linear_select([ + msg1604, + msg1605, +]); + +var msg1606 = msg("841", dup265); + +var msg1607 = msg("841:01", dup266); + +var select743 = linear_select([ + msg1606, + msg1607, +]); + +var msg1608 = msg("842", dup265); + +var msg1609 = msg("842:01", dup266); + +var select744 = linear_select([ + msg1608, + msg1609, +]); + +var msg1610 = msg("843", dup265); + +var msg1611 = msg("843:01", dup266); + +var select745 = linear_select([ + msg1610, + msg1611, +]); + +var msg1612 = msg("844", dup265); + +var msg1613 = msg("844:01", dup266); + +var select746 = linear_select([ + msg1612, + msg1613, +]); + +var msg1614 = msg("845", dup265); + +var msg1615 = msg("845:01", dup266); + +var select747 = linear_select([ + msg1614, + msg1615, +]); + +var msg1616 = msg("846", dup265); + +var msg1617 = msg("846:01", dup266); + +var select748 = linear_select([ + msg1616, + msg1617, +]); + +var msg1618 = msg("847", dup265); + +var msg1619 = msg("847:01", dup266); + +var select749 = linear_select([ + msg1618, + msg1619, +]); + +var msg1620 = msg("848", dup265); + +var msg1621 = msg("848:01", dup266); + +var select750 = linear_select([ + msg1620, + msg1621, +]); + +var msg1622 = msg("849", dup265); + +var msg1623 = msg("849:01", dup266); + +var select751 = linear_select([ + msg1622, + msg1623, +]); + +var msg1624 = msg("850", dup265); + +var msg1625 = msg("850:01", dup266); + +var select752 = linear_select([ + msg1624, + msg1625, +]); + +var msg1626 = msg("851", dup265); + +var msg1627 = msg("851:01", dup266); + +var select753 = linear_select([ + msg1626, + msg1627, +]); + +var msg1628 = msg("852", dup265); + +var msg1629 = msg("852:01", dup266); + +var select754 = linear_select([ + msg1628, + msg1629, +]); + +var msg1630 = msg("853", dup265); + +var msg1631 = msg("853:01", dup266); + +var select755 = linear_select([ + msg1630, + msg1631, +]); + +var msg1632 = msg("854", dup265); + +var msg1633 = msg("854:01", dup266); + +var select756 = linear_select([ + msg1632, + msg1633, +]); + +var msg1634 = msg("855", dup265); + +var msg1635 = msg("855:01", dup266); + +var select757 = linear_select([ + msg1634, + msg1635, +]); + +var msg1636 = msg("856", dup265); + +var msg1637 = msg("856:01", dup266); + +var select758 = linear_select([ + msg1636, + msg1637, +]); + +var msg1638 = msg("857", dup265); + +var msg1639 = msg("857:01", dup266); + +var select759 = linear_select([ + msg1638, + msg1639, +]); + +var msg1640 = msg("858", dup265); + +var msg1641 = msg("858:01", dup266); + +var select760 = linear_select([ + msg1640, + msg1641, +]); + +var msg1642 = msg("859", dup265); + +var msg1643 = msg("859:01", dup266); + +var select761 = linear_select([ + msg1642, + msg1643, +]); + +var msg1644 = msg("860", dup265); + +var msg1645 = msg("860:01", dup266); + +var select762 = linear_select([ + msg1644, + msg1645, +]); + +var msg1646 = msg("861", dup240); + +var msg1647 = msg("861:01", dup241); + +var select763 = linear_select([ + msg1646, + msg1647, +]); + +var msg1648 = msg("862", dup265); + +var msg1649 = msg("862:01", dup266); + +var select764 = linear_select([ + msg1648, + msg1649, +]); + +var msg1650 = msg("863", dup265); + +var msg1651 = msg("863:01", dup266); + +var select765 = linear_select([ + msg1650, + msg1651, +]); + +var msg1652 = msg("864", dup265); + +var msg1653 = msg("864:01", dup266); + +var select766 = linear_select([ + msg1652, + msg1653, +]); + +var msg1654 = msg("865", dup265); + +var msg1655 = msg("865:01", dup266); + +var select767 = linear_select([ + msg1654, + msg1655, +]); + +var msg1656 = msg("866", dup265); + +var msg1657 = msg("866:01", dup266); + +var select768 = linear_select([ + msg1656, + msg1657, +]); + +var msg1658 = msg("867", dup265); + +var msg1659 = msg("867:01", dup266); + +var select769 = linear_select([ + msg1658, + msg1659, +]); + +var msg1660 = msg("868", dup265); + +var msg1661 = msg("868:01", dup266); + +var select770 = linear_select([ + msg1660, + msg1661, +]); + +var msg1662 = msg("869", dup265); + +var msg1663 = msg("869:01", dup266); + +var select771 = linear_select([ + msg1662, + msg1663, +]); + +var msg1664 = msg("870", dup265); + +var msg1665 = msg("870:01", dup266); + +var select772 = linear_select([ + msg1664, + msg1665, +]); + +var msg1666 = msg("871", dup265); + +var msg1667 = msg("871:01", dup266); + +var select773 = linear_select([ + msg1666, + msg1667, +]); + +var msg1668 = msg("872", dup265); + +var msg1669 = msg("872:01", dup266); + +var select774 = linear_select([ + msg1668, + msg1669, +]); + +var msg1670 = msg("873", dup265); + +var msg1671 = msg("873:01", dup266); + +var select775 = linear_select([ + msg1670, + msg1671, +]); + +var msg1672 = msg("874", dup240); + +var msg1673 = msg("874:01", dup241); + +var select776 = linear_select([ + msg1672, + msg1673, +]); + +var msg1674 = msg("875", dup265); + +var msg1675 = msg("875:01", dup266); + +var select777 = linear_select([ + msg1674, + msg1675, +]); + +var msg1676 = msg("876", dup267); + +var msg1677 = msg("876:01", dup268); + +var select778 = linear_select([ + msg1676, + msg1677, +]); + +var msg1678 = msg("877", dup265); + +var msg1679 = msg("877:01", dup266); + +var select779 = linear_select([ + msg1678, + msg1679, +]); + +var msg1680 = msg("878", dup265); + +var msg1681 = msg("878:01", dup266); + +var select780 = linear_select([ + msg1680, + msg1681, +]); + +var msg1682 = msg("879", dup265); + +var msg1683 = msg("879:01", dup266); + +var select781 = linear_select([ + msg1682, + msg1683, +]); + +var msg1684 = msg("880", dup265); + +var msg1685 = msg("880:01", dup266); + +var select782 = linear_select([ + msg1684, + msg1685, +]); + +var msg1686 = msg("881", dup265); + +var msg1687 = msg("881:01", dup266); + +var select783 = linear_select([ + msg1686, + msg1687, +]); + +var msg1688 = msg("882", dup265); + +var msg1689 = msg("882:01", dup266); + +var select784 = linear_select([ + msg1688, + msg1689, +]); + +var msg1690 = msg("883", dup265); + +var msg1691 = msg("883:01", dup266); + +var select785 = linear_select([ + msg1690, + msg1691, +]); + +var msg1692 = msg("884", dup265); + +var msg1693 = msg("884:01", dup266); + +var select786 = linear_select([ + msg1692, + msg1693, +]); + +var msg1694 = msg("885", dup265); + +var msg1695 = msg("885:01", dup266); + +var select787 = linear_select([ + msg1694, + msg1695, +]); + +var msg1696 = msg("886", dup265); + +var msg1697 = msg("886:01", dup266); + +var select788 = linear_select([ + msg1696, + msg1697, +]); + +var msg1698 = msg("887", dup240); + +var msg1699 = msg("887:01", dup241); + +var select789 = linear_select([ + msg1698, + msg1699, +]); + +var msg1700 = msg("888", dup265); + +var msg1701 = msg("888:01", dup266); + +var select790 = linear_select([ + msg1700, + msg1701, +]); + +var msg1702 = msg("889", dup265); + +var msg1703 = msg("889:01", dup266); + +var select791 = linear_select([ + msg1702, + msg1703, +]); + +var msg1704 = msg("890", dup265); + +var msg1705 = msg("890:01", dup266); + +var select792 = linear_select([ + msg1704, + msg1705, +]); + +var msg1706 = msg("891", dup265); + +var msg1707 = msg("891:01", dup266); + +var select793 = linear_select([ + msg1706, + msg1707, +]); + +var msg1708 = msg("892", dup265); + +var msg1709 = msg("892:01", dup266); + +var select794 = linear_select([ + msg1708, + msg1709, +]); + +var msg1710 = msg("893", dup265); + +var msg1711 = msg("893:01", dup266); + +var select795 = linear_select([ + msg1710, + msg1711, +]); + +var msg1712 = msg("894", dup265); + +var msg1713 = msg("894:01", dup266); + +var select796 = linear_select([ + msg1712, + msg1713, +]); + +var msg1714 = msg("895", dup265); + +var msg1715 = msg("895:01", dup266); + +var select797 = linear_select([ + msg1714, + msg1715, +]); + +var msg1716 = msg("896", dup197); + +var msg1717 = msg("896:01", dup266); + +var select798 = linear_select([ + msg1716, + msg1717, +]); + +var msg1718 = msg("897", dup265); + +var msg1719 = msg("897:01", dup266); + +var select799 = linear_select([ + msg1718, + msg1719, +]); + +var msg1720 = msg("898", dup265); + +var msg1721 = msg("898:01", dup266); + +var select800 = linear_select([ + msg1720, + msg1721, +]); + +var msg1722 = msg("899", dup265); + +var msg1723 = msg("899:01", dup266); + +var select801 = linear_select([ + msg1722, + msg1723, +]); + +var msg1724 = msg("900", dup265); + +var msg1725 = msg("900:01", dup266); + +var select802 = linear_select([ + msg1724, + msg1725, +]); + +var msg1726 = msg("901", dup265); + +var msg1727 = msg("901:01", dup266); + +var select803 = linear_select([ + msg1726, + msg1727, +]); + +var msg1728 = msg("902", dup265); + +var msg1729 = msg("902:01", dup266); + +var select804 = linear_select([ + msg1728, + msg1729, +]); + +var msg1730 = msg("903", dup265); + +var msg1731 = msg("903:01", dup266); + +var select805 = linear_select([ + msg1730, + msg1731, +]); + +var msg1732 = msg("904", dup196); + +var msg1733 = msg("904:01", dup217); + +var select806 = linear_select([ + msg1732, + msg1733, +]); + +var msg1734 = msg("905", dup265); + +var msg1735 = msg("905:01", dup266); + +var select807 = linear_select([ + msg1734, + msg1735, +]); + +var msg1736 = msg("906", dup265); + +var msg1737 = msg("906:01", dup266); + +var select808 = linear_select([ + msg1736, + msg1737, +]); + +var msg1738 = msg("907", dup265); + +var msg1739 = msg("907:01", dup266); + +var select809 = linear_select([ + msg1738, + msg1739, +]); + +var msg1740 = msg("908", dup265); + +var msg1741 = msg("908:01", dup266); + +var select810 = linear_select([ + msg1740, + msg1741, +]); + +var msg1742 = msg("909", dup265); + +var msg1743 = msg("909:01", dup266); + +var select811 = linear_select([ + msg1742, + msg1743, +]); + +var msg1744 = msg("910", dup265); + +var msg1745 = msg("910:01", dup266); + +var select812 = linear_select([ + msg1744, + msg1745, +]); + +var msg1746 = msg("911", dup265); + +var msg1747 = msg("911:01", dup266); + +var select813 = linear_select([ + msg1746, + msg1747, +]); + +var msg1748 = msg("912", dup265); + +var msg1749 = msg("912:01", dup266); + +var select814 = linear_select([ + msg1748, + msg1749, +]); + +var msg1750 = msg("913", dup265); + +var msg1751 = msg("913:01", dup266); + +var select815 = linear_select([ + msg1750, + msg1751, +]); + +var msg1752 = msg("914", dup265); + +var msg1753 = msg("914:01", dup266); + +var select816 = linear_select([ + msg1752, + msg1753, +]); + +var msg1754 = msg("915", dup265); + +var msg1755 = msg("915:01", dup266); + +var select817 = linear_select([ + msg1754, + msg1755, +]); + +var msg1756 = msg("916", dup271); + +var msg1757 = msg("916:01", dup272); + +var select818 = linear_select([ + msg1756, + msg1757, +]); + +var msg1758 = msg("917", dup265); + +var msg1759 = msg("917:01", dup266); + +var select819 = linear_select([ + msg1758, + msg1759, +]); + +var msg1760 = msg("918", dup265); + +var msg1761 = msg("918:01", dup266); + +var select820 = linear_select([ + msg1760, + msg1761, +]); + +var msg1762 = msg("919", dup265); + +var msg1763 = msg("919:01", dup266); + +var select821 = linear_select([ + msg1762, + msg1763, +]); + +var msg1764 = msg("920", dup265); + +var msg1765 = msg("920:01", dup266); + +var select822 = linear_select([ + msg1764, + msg1765, +]); + +var msg1766 = msg("921", dup265); + +var msg1767 = msg("921:01", dup266); + +var select823 = linear_select([ + msg1766, + msg1767, +]); + +var msg1768 = msg("922", dup265); + +var msg1769 = msg("922:01", dup266); + +var select824 = linear_select([ + msg1768, + msg1769, +]); + +var msg1770 = msg("923", dup271); + +var msg1771 = msg("923:01", dup272); + +var select825 = linear_select([ + msg1770, + msg1771, +]); + +var msg1772 = msg("924", dup265); + +var msg1773 = msg("924:01", dup266); + +var select826 = linear_select([ + msg1772, + msg1773, +]); + +var msg1774 = msg("925", dup265); + +var msg1775 = msg("925:01", dup266); + +var select827 = linear_select([ + msg1774, + msg1775, +]); + +var msg1776 = msg("926", dup271); + +var msg1777 = msg("926:01", dup272); + +var select828 = linear_select([ + msg1776, + msg1777, +]); + +var msg1778 = msg("927", dup265); + +var msg1779 = msg("927:01", dup266); + +var select829 = linear_select([ + msg1778, + msg1779, +]); + +var msg1780 = msg("928", dup265); + +var msg1781 = msg("928:01", dup266); + +var select830 = linear_select([ + msg1780, + msg1781, +]); + +var msg1782 = msg("929", dup265); + +var msg1783 = msg("929:01", dup266); + +var select831 = linear_select([ + msg1782, + msg1783, +]); + +var msg1784 = msg("930", dup265); + +var msg1785 = msg("930:01", dup266); + +var select832 = linear_select([ + msg1784, + msg1785, +]); + +var msg1786 = msg("931", dup265); + +var msg1787 = msg("931:01", dup266); + +var select833 = linear_select([ + msg1786, + msg1787, +]); + +var msg1788 = msg("932", dup265); + +var msg1789 = msg("932:01", dup266); + +var select834 = linear_select([ + msg1788, + msg1789, +]); + +var msg1790 = msg("933", dup265); + +var msg1791 = msg("933:01", dup266); + +var select835 = linear_select([ + msg1790, + msg1791, +]); + +var msg1792 = msg("935", dup198); + +var msg1793 = msg("935:01", dup220); + +var select836 = linear_select([ + msg1792, + msg1793, +]); + +var msg1794 = msg("936", dup265); + +var msg1795 = msg("936:01", dup266); + +var select837 = linear_select([ + msg1794, + msg1795, +]); + +var msg1796 = msg("937", dup265); + +var msg1797 = msg("937:01", dup266); + +var select838 = linear_select([ + msg1796, + msg1797, +]); + +var msg1798 = msg("939", dup196); + +var msg1799 = msg("939:01", dup217); + +var select839 = linear_select([ + msg1798, + msg1799, +]); + +var msg1800 = msg("940", dup265); + +var msg1801 = msg("940:01", dup217); + +var select840 = linear_select([ + msg1800, + msg1801, +]); + +var msg1802 = msg("941", dup265); + +var msg1803 = msg("941:01", dup266); + +var select841 = linear_select([ + msg1802, + msg1803, +]); + +var msg1804 = msg("942", dup265); + +var msg1805 = msg("942:01", dup266); + +var select842 = linear_select([ + msg1804, + msg1805, +]); + +var msg1806 = msg("943", dup265); + +var msg1807 = msg("943:01", dup266); + +var select843 = linear_select([ + msg1806, + msg1807, +]); + +var msg1808 = msg("944", dup265); + +var msg1809 = msg("944:01", dup266); + +var select844 = linear_select([ + msg1808, + msg1809, +]); + +var msg1810 = msg("945", dup265); + +var msg1811 = msg("945:01", dup266); + +var select845 = linear_select([ + msg1810, + msg1811, +]); + +var msg1812 = msg("946", dup265); + +var msg1813 = msg("946:01", dup266); + +var select846 = linear_select([ + msg1812, + msg1813, +]); + +var msg1814 = msg("947", dup265); + +var msg1815 = msg("947:01", dup266); + +var select847 = linear_select([ + msg1814, + msg1815, +]); + +var msg1816 = msg("948", dup265); + +var msg1817 = msg("948:01", dup266); + +var select848 = linear_select([ + msg1816, + msg1817, +]); + +var msg1818 = msg("949", dup265); + +var msg1819 = msg("949:01", dup266); + +var select849 = linear_select([ + msg1818, + msg1819, +]); + +var msg1820 = msg("950", dup265); + +var msg1821 = msg("950:01", dup266); + +var select850 = linear_select([ + msg1820, + msg1821, +]); + +var msg1822 = msg("951", dup265); + +var msg1823 = msg("951:01", dup266); + +var select851 = linear_select([ + msg1822, + msg1823, +]); + +var msg1824 = msg("952", dup265); + +var msg1825 = msg("952:01", dup266); + +var select852 = linear_select([ + msg1824, + msg1825, +]); + +var msg1826 = msg("953", dup265); + +var msg1827 = msg("953:01", dup217); + +var select853 = linear_select([ + msg1826, + msg1827, +]); + +var msg1828 = msg("954", dup265); + +var msg1829 = msg("954:01", dup266); + +var select854 = linear_select([ + msg1828, + msg1829, +]); + +var msg1830 = msg("955", dup265); + +var msg1831 = msg("955:01", dup266); + +var select855 = linear_select([ + msg1830, + msg1831, +]); + +var msg1832 = msg("956", dup265); + +var msg1833 = msg("956:01", dup266); + +var select856 = linear_select([ + msg1832, + msg1833, +]); + +var msg1834 = msg("957", dup265); + +var msg1835 = msg("957:01", dup266); + +var select857 = linear_select([ + msg1834, + msg1835, +]); + +var msg1836 = msg("958", dup265); + +var msg1837 = msg("958:01", dup266); + +var select858 = linear_select([ + msg1836, + msg1837, +]); + +var msg1838 = msg("959", dup196); + +var msg1839 = msg("959:01", dup217); + +var select859 = linear_select([ + msg1838, + msg1839, +]); + +var msg1840 = msg("960", dup265); + +var msg1841 = msg("960:01", dup266); + +var select860 = linear_select([ + msg1840, + msg1841, +]); + +var msg1842 = msg("961", dup265); + +var msg1843 = msg("961:01", dup266); + +var select861 = linear_select([ + msg1842, + msg1843, +]); + +var msg1844 = msg("962", dup265); + +var msg1845 = msg("962:01", dup217); + +var select862 = linear_select([ + msg1844, + msg1845, +]); + +var msg1846 = msg("963", dup265); + +var msg1847 = msg("963:01", dup266); + +var select863 = linear_select([ + msg1846, + msg1847, +]); + +var msg1848 = msg("964", dup265); + +var msg1849 = msg("964:01", dup266); + +var select864 = linear_select([ + msg1848, + msg1849, +]); + +var msg1850 = msg("965", dup265); + +var msg1851 = msg("965:01", dup266); + +var select865 = linear_select([ + msg1850, + msg1851, +]); + +var msg1852 = msg("966", dup265); + +var msg1853 = msg("966:01", dup266); + +var select866 = linear_select([ + msg1852, + msg1853, +]); + +var msg1854 = msg("967", dup265); + +var msg1855 = msg("967:01", dup266); + +var select867 = linear_select([ + msg1854, + msg1855, +]); + +var msg1856 = msg("968", dup265); + +var msg1857 = msg("968:01", dup266); + +var select868 = linear_select([ + msg1856, + msg1857, +]); + +var msg1858 = msg("969", dup265); + +var msg1859 = msg("969:01", dup266); + +var select869 = linear_select([ + msg1858, + msg1859, +]); + +var msg1860 = msg("970", dup265); + +var msg1861 = msg("970:01", dup266); + +var select870 = linear_select([ + msg1860, + msg1861, +]); + +var msg1862 = msg("971", dup265); + +var msg1863 = msg("971:01", dup266); + +var select871 = linear_select([ + msg1862, + msg1863, +]); + +var msg1864 = msg("972", dup265); + +var msg1865 = msg("972:01", dup266); + +var select872 = linear_select([ + msg1864, + msg1865, +]); + +var msg1866 = msg("973", dup265); + +var msg1867 = msg("973:01", dup266); + +var select873 = linear_select([ + msg1866, + msg1867, +]); + +var msg1868 = msg("974", dup265); + +var msg1869 = msg("974:01", dup266); + +var select874 = linear_select([ + msg1868, + msg1869, +]); + +var msg1870 = msg("975", dup265); + +var msg1871 = msg("975:01", dup266); + +var select875 = linear_select([ + msg1870, + msg1871, +]); + +var msg1872 = msg("976", dup265); + +var msg1873 = msg("976:01", dup266); + +var select876 = linear_select([ + msg1872, + msg1873, +]); + +var msg1874 = msg("977", dup265); + +var msg1875 = msg("977:01", dup266); + +var select877 = linear_select([ + msg1874, + msg1875, +]); + +var msg1876 = msg("978", dup196); + +var msg1877 = msg("978:01", dup217); + +var select878 = linear_select([ + msg1876, + msg1877, +]); + +var msg1878 = msg("979", dup196); + +var msg1879 = msg("979:01", dup217); + +var select879 = linear_select([ + msg1878, + msg1879, +]); + +var msg1880 = msg("980", dup265); + +var msg1881 = msg("980:01", dup266); + +var select880 = linear_select([ + msg1880, + msg1881, +]); + +var msg1882 = msg("981", dup265); + +var msg1883 = msg("981:01", dup266); + +var select881 = linear_select([ + msg1882, + msg1883, +]); + +var msg1884 = msg("982", dup265); + +var msg1885 = msg("982:01", dup266); + +var select882 = linear_select([ + msg1884, + msg1885, +]); + +var msg1886 = msg("983", dup265); + +var msg1887 = msg("983:01", dup266); + +var select883 = linear_select([ + msg1886, + msg1887, +]); + +var msg1888 = msg("984", dup265); + +var msg1889 = msg("984:01", dup266); + +var select884 = linear_select([ + msg1888, + msg1889, +]); + +var msg1890 = msg("985", dup265); + +var msg1891 = msg("985:01", dup266); + +var select885 = linear_select([ + msg1890, + msg1891, +]); + +var msg1892 = msg("986", dup265); + +var msg1893 = msg("986:01", dup266); + +var select886 = linear_select([ + msg1892, + msg1893, +]); + +var msg1894 = msg("987", dup265); + +var msg1895 = msg("987:01", dup266); + +var select887 = linear_select([ + msg1894, + msg1895, +]); + +var msg1896 = msg("988", dup265); + +var msg1897 = msg("988:01", dup266); + +var select888 = linear_select([ + msg1896, + msg1897, +]); + +var msg1898 = msg("989", dup192); + +var msg1899 = msg("989:01", dup262); + +var select889 = linear_select([ + msg1898, + msg1899, +]); + +var msg1900 = msg("990", dup265); + +var msg1901 = msg("990:01", dup266); + +var select890 = linear_select([ + msg1900, + msg1901, +]); + +var msg1902 = msg("991", dup265); + +var msg1903 = msg("991:01", dup266); + +var select891 = linear_select([ + msg1902, + msg1903, +]); + +var msg1904 = msg("992", dup265); + +var msg1905 = msg("992:01", dup266); + +var select892 = linear_select([ + msg1904, + msg1905, +]); + +var msg1906 = msg("993", dup265); + +var msg1907 = msg("993:01", dup266); + +var select893 = linear_select([ + msg1906, + msg1907, +]); + +var msg1908 = msg("994", dup265); + +var msg1909 = msg("994:01", dup266); + +var select894 = linear_select([ + msg1908, + msg1909, +]); + +var msg1910 = msg("995", dup265); + +var msg1911 = msg("995:01", dup266); + +var select895 = linear_select([ + msg1910, + msg1911, +]); + +var msg1912 = msg("996", dup265); + +var msg1913 = msg("996:01", dup266); + +var select896 = linear_select([ + msg1912, + msg1913, +]); + +var msg1914 = msg("997", dup265); + +var msg1915 = msg("997:01", dup266); + +var select897 = linear_select([ + msg1914, + msg1915, +]); + +var msg1916 = msg("998", dup265); + +var msg1917 = msg("998:01", dup266); + +var select898 = linear_select([ + msg1916, + msg1917, +]); + +var msg1918 = msg("999", dup265); + +var msg1919 = msg("999:01", dup266); + +var select899 = linear_select([ + msg1918, + msg1919, +]); + +var msg1920 = msg("1000", dup265); + +var msg1921 = msg("1000:01", dup266); + +var select900 = linear_select([ + msg1920, + msg1921, +]); + +var msg1922 = msg("1001", dup265); + +var msg1923 = msg("1001:01", dup266); + +var select901 = linear_select([ + msg1922, + msg1923, +]); + +var msg1924 = msg("1002", dup265); + +var msg1925 = msg("1002:01", dup266); + +var select902 = linear_select([ + msg1924, + msg1925, +]); + +var msg1926 = msg("1003", dup265); + +var msg1927 = msg("1003:01", dup266); + +var select903 = linear_select([ + msg1926, + msg1927, +]); + +var msg1928 = msg("1004", dup265); + +var msg1929 = msg("1004:01", dup266); + +var select904 = linear_select([ + msg1928, + msg1929, +]); + +var msg1930 = msg("1005", dup265); + +var msg1931 = msg("1005:01", dup266); + +var select905 = linear_select([ + msg1930, + msg1931, +]); + +var msg1932 = msg("1007", dup265); + +var msg1933 = msg("1007:01", dup266); + +var select906 = linear_select([ + msg1932, + msg1933, +]); + +var msg1934 = msg("1008", dup265); + +var msg1935 = msg("1008:01", dup266); + +var select907 = linear_select([ + msg1934, + msg1935, +]); + +var msg1936 = msg("1009", dup196); + +var msg1937 = msg("1009:01", dup217); + +var select908 = linear_select([ + msg1936, + msg1937, +]); + +var msg1938 = msg("1010", dup265); + +var msg1939 = msg("1010:01", dup266); + +var select909 = linear_select([ + msg1938, + msg1939, +]); + +var msg1940 = msg("1011", dup267); + +var msg1941 = msg("1011:01", dup268); + +var select910 = linear_select([ + msg1940, + msg1941, +]); + +var msg1942 = msg("1012", dup265); + +var msg1943 = msg("1012:01", dup266); + +var select911 = linear_select([ + msg1942, + msg1943, +]); + +var msg1944 = msg("1013", dup265); + +var msg1945 = msg("1013:01", dup266); + +var select912 = linear_select([ + msg1944, + msg1945, +]); + +var msg1946 = msg("1014", dup267); + +var msg1947 = msg("1014:01", dup268); + +var select913 = linear_select([ + msg1946, + msg1947, +]); + +var msg1948 = msg("1015", dup265); + +var msg1949 = msg("1015:01", dup266); + +var select914 = linear_select([ + msg1948, + msg1949, +]); + +var msg1950 = msg("1016", dup265); + +var msg1951 = msg("1016:01", dup266); + +var select915 = linear_select([ + msg1950, + msg1951, +]); + +var msg1952 = msg("1017", dup265); + +var msg1953 = msg("1017:01", dup266); + +var select916 = linear_select([ + msg1952, + msg1953, +]); + +var msg1954 = msg("1018", dup265); + +var msg1955 = msg("1018:01", dup266); + +var select917 = linear_select([ + msg1954, + msg1955, +]); + +var msg1956 = msg("1019", dup265); + +var msg1957 = msg("1019:01", dup266); + +var select918 = linear_select([ + msg1956, + msg1957, +]); + +var msg1958 = msg("1020", dup265); + +var msg1959 = msg("1020:01", dup266); + +var select919 = linear_select([ + msg1958, + msg1959, +]); + +var msg1960 = msg("1021", dup265); + +var msg1961 = msg("1021:01", dup266); + +var select920 = linear_select([ + msg1960, + msg1961, +]); + +var msg1962 = msg("1022", dup265); + +var msg1963 = msg("1022:01", dup266); + +var select921 = linear_select([ + msg1962, + msg1963, +]); + +var msg1964 = msg("1023", dup265); + +var msg1965 = msg("1023:01", dup266); + +var select922 = linear_select([ + msg1964, + msg1965, +]); + +var msg1966 = msg("1024", dup265); + +var msg1967 = msg("1024:01", dup266); + +var select923 = linear_select([ + msg1966, + msg1967, +]); + +var msg1968 = msg("1025", dup265); + +var msg1969 = msg("1025:01", dup266); + +var select924 = linear_select([ + msg1968, + msg1969, +]); + +var msg1970 = msg("1026", dup265); + +var msg1971 = msg("1026:01", dup266); + +var select925 = linear_select([ + msg1970, + msg1971, +]); + +var msg1972 = msg("1027", dup265); + +var msg1973 = msg("1027:01", dup266); + +var select926 = linear_select([ + msg1972, + msg1973, +]); + +var msg1974 = msg("1028", dup265); + +var msg1975 = msg("1028:01", dup266); + +var select927 = linear_select([ + msg1974, + msg1975, +]); + +var msg1976 = msg("1029", dup265); + +var msg1977 = msg("1029:01", dup266); + +var select928 = linear_select([ + msg1976, + msg1977, +]); + +var msg1978 = msg("1030", dup265); + +var msg1979 = msg("1030:01", dup266); + +var select929 = linear_select([ + msg1978, + msg1979, +]); + +var msg1980 = msg("1031", dup265); + +var msg1981 = msg("1031:01", dup266); + +var select930 = linear_select([ + msg1980, + msg1981, +]); + +var msg1982 = msg("1032", dup265); + +var msg1983 = msg("1032:01", dup266); + +var select931 = linear_select([ + msg1982, + msg1983, +]); + +var msg1984 = msg("1033", dup265); + +var msg1985 = msg("1033:01", dup266); + +var select932 = linear_select([ + msg1984, + msg1985, +]); + +var msg1986 = msg("1034", dup265); + +var msg1987 = msg("1034:01", dup266); + +var select933 = linear_select([ + msg1986, + msg1987, +]); + +var msg1988 = msg("1035", dup265); + +var msg1989 = msg("1035:01", dup266); + +var select934 = linear_select([ + msg1988, + msg1989, +]); + +var msg1990 = msg("1036", dup265); + +var msg1991 = msg("1036:01", dup266); + +var select935 = linear_select([ + msg1990, + msg1991, +]); + +var msg1992 = msg("1037", dup265); + +var msg1993 = msg("1037:01", dup266); + +var select936 = linear_select([ + msg1992, + msg1993, +]); + +var msg1994 = msg("1038", dup265); + +var msg1995 = msg("1038:01", dup266); + +var select937 = linear_select([ + msg1994, + msg1995, +]); + +var msg1996 = msg("1039", dup265); + +var msg1997 = msg("1039:01", dup266); + +var select938 = linear_select([ + msg1996, + msg1997, +]); + +var msg1998 = msg("1040", dup265); + +var msg1999 = msg("1040:01", dup266); + +var select939 = linear_select([ + msg1998, + msg1999, +]); + +var msg2000 = msg("1041", dup265); + +var msg2001 = msg("1041:01", dup266); + +var select940 = linear_select([ + msg2000, + msg2001, +]); + +var msg2002 = msg("1042", dup196); + +var msg2003 = msg("1042:01", dup217); + +var select941 = linear_select([ + msg2002, + msg2003, +]); + +var msg2004 = msg("1043", dup265); + +var msg2005 = msg("1043:01", dup266); + +var select942 = linear_select([ + msg2004, + msg2005, +]); + +var msg2006 = msg("1044", dup265); + +var msg2007 = msg("1044:01", dup266); + +var select943 = linear_select([ + msg2006, + msg2007, +]); + +var msg2008 = msg("1045", dup273); + +var all38 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup90, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var msg2009 = msg("1045:01", all38); + +var select944 = linear_select([ + msg2008, + msg2009, +]); + +var msg2010 = msg("1046", dup265); + +var msg2011 = msg("1046:01", dup266); + +var select945 = linear_select([ + msg2010, + msg2011, +]); + +var msg2012 = msg("1047", dup198); + +var msg2013 = msg("1047:01", dup220); + +var select946 = linear_select([ + msg2012, + msg2013, +]); + +var msg2014 = msg("1048", dup265); + +var msg2015 = msg("1048:01", dup266); + +var select947 = linear_select([ + msg2014, + msg2015, +]); + +var msg2016 = msg("1049", dup198); + +var msg2017 = msg("1049:01", dup220); + +var select948 = linear_select([ + msg2016, + msg2017, +]); + +var msg2018 = msg("1050", dup265); + +var msg2019 = msg("1050:01", dup266); + +var select949 = linear_select([ + msg2018, + msg2019, +]); + +var msg2020 = msg("1051", dup265); + +var msg2021 = msg("1051:01", dup266); + +var select950 = linear_select([ + msg2020, + msg2021, +]); + +var msg2022 = msg("1052", dup265); + +var msg2023 = msg("1052:01", dup266); + +var select951 = linear_select([ + msg2022, + msg2023, +]); + +var msg2024 = msg("1053", dup267); + +var msg2025 = msg("1053:01", dup268); + +var select952 = linear_select([ + msg2024, + msg2025, +]); + +var msg2026 = msg("1054", dup265); + +var msg2027 = msg("1054:01", dup266); + +var select953 = linear_select([ + msg2026, + msg2027, +]); + +var msg2028 = msg("1055", dup265); + +var msg2029 = msg("1055:01", dup266); + +var select954 = linear_select([ + msg2028, + msg2029, +]); + +var msg2030 = msg("1056", dup265); + +var msg2031 = msg("1056:01", dup266); + +var select955 = linear_select([ + msg2030, + msg2031, +]); + +var msg2032 = msg("1057", dup265); + +var msg2033 = msg("1057:01", dup266); + +var select956 = linear_select([ + msg2032, + msg2033, +]); + +var msg2034 = msg("1058", dup265); + +var msg2035 = msg("1058:01", dup266); + +var select957 = linear_select([ + msg2034, + msg2035, +]); + +var msg2036 = msg("1059", dup265); + +var msg2037 = msg("1059:01", dup266); + +var select958 = linear_select([ + msg2036, + msg2037, +]); + +var msg2038 = msg("1060", dup265); + +var msg2039 = msg("1060:01", dup266); + +var select959 = linear_select([ + msg2038, + msg2039, +]); + +var msg2040 = msg("1061", dup265); + +var msg2041 = msg("1061:01", dup266); + +var select960 = linear_select([ + msg2040, + msg2041, +]); + +var msg2042 = msg("1062", dup265); + +var msg2043 = msg("1062:01", dup266); + +var select961 = linear_select([ + msg2042, + msg2043, +]); + +var msg2044 = msg("1063", dup267); + +var msg2045 = msg("1063:01", dup268); + +var select962 = linear_select([ + msg2044, + msg2045, +]); + +var msg2046 = msg("1064", dup265); + +var msg2047 = msg("1064:01", dup266); + +var select963 = linear_select([ + msg2046, + msg2047, +]); + +var msg2048 = msg("1065", dup265); + +var msg2049 = msg("1065:01", dup266); + +var select964 = linear_select([ + msg2048, + msg2049, +]); + +var msg2050 = msg("1066", dup248); + +var msg2051 = msg("1066:01", dup249); + +var select965 = linear_select([ + msg2050, + msg2051, +]); + +var msg2052 = msg("1067", dup265); + +var msg2053 = msg("1067:01", dup266); + +var select966 = linear_select([ + msg2052, + msg2053, +]); + +var msg2054 = msg("1068", dup274); + +var msg2055 = msg("1068:01", dup275); + +var select967 = linear_select([ + msg2054, + msg2055, +]); + +var msg2056 = msg("1069", dup265); + +var msg2057 = msg("1069:01", dup266); + +var select968 = linear_select([ + msg2056, + msg2057, +]); + +var msg2058 = msg("1070", dup265); + +var msg2059 = msg("1070:01", dup266); + +var select969 = linear_select([ + msg2058, + msg2059, +]); + +var msg2060 = msg("1071", dup265); + +var msg2061 = msg("1071:01", dup266); + +var select970 = linear_select([ + msg2060, + msg2061, +]); + +var msg2062 = msg("1072", dup265); + +var msg2063 = msg("1072:01", dup266); + +var select971 = linear_select([ + msg2062, + msg2063, +]); + +var msg2064 = msg("1073", dup265); + +var msg2065 = msg("1073:01", dup266); + +var select972 = linear_select([ + msg2064, + msg2065, +]); + +var msg2066 = msg("1075", dup265); + +var msg2067 = msg("1075:01", dup266); + +var select973 = linear_select([ + msg2066, + msg2067, +]); + +var msg2068 = msg("1076", dup265); + +var msg2069 = msg("1076:01", dup266); + +var select974 = linear_select([ + msg2068, + msg2069, +]); + +var msg2070 = msg("1077", dup265); + +var msg2071 = msg("1077:01", dup266); + +var select975 = linear_select([ + msg2070, + msg2071, +]); + +var msg2072 = msg("1078", dup265); + +var msg2073 = msg("1078:01", dup266); + +var select976 = linear_select([ + msg2072, + msg2073, +]); + +var msg2074 = msg("1079", dup265); + +var msg2075 = msg("1079:01", dup266); + +var select977 = linear_select([ + msg2074, + msg2075, +]); + +var msg2076 = msg("1080", dup267); + +var msg2077 = msg("1080:01", dup268); + +var select978 = linear_select([ + msg2076, + msg2077, +]); + +var msg2078 = msg("1081", dup198); + +var msg2079 = msg("1081:01", dup220); + +var select979 = linear_select([ + msg2078, + msg2079, +]); + +var msg2080 = msg("1082", dup196); + +var msg2081 = msg("1082:01", dup217); + +var select980 = linear_select([ + msg2080, + msg2081, +]); + +var msg2082 = msg("1083", dup198); + +var msg2083 = msg("1083:01", dup220); + +var select981 = linear_select([ + msg2082, + msg2083, +]); + +var msg2084 = msg("1084", dup198); + +var msg2085 = msg("1084:01", dup220); + +var select982 = linear_select([ + msg2084, + msg2085, +]); + +var msg2086 = msg("1085", dup197); + +var msg2087 = msg("1085:01", dup221); + +var select983 = linear_select([ + msg2086, + msg2087, +]); + +var msg2088 = msg("1086", dup197); + +var msg2089 = msg("1086:01", dup221); + +var select984 = linear_select([ + msg2088, + msg2089, +]); + +var msg2090 = msg("1087", dup196); + +var msg2091 = msg("1087:01", dup217); + +var select985 = linear_select([ + msg2090, + msg2091, +]); + +var msg2092 = msg("1088", dup265); + +var msg2093 = msg("1088:01", dup266); + +var select986 = linear_select([ + msg2092, + msg2093, +]); + +var msg2094 = msg("1089", dup265); + +var msg2095 = msg("1089:01", dup266); + +var select987 = linear_select([ + msg2094, + msg2095, +]); + +var msg2096 = msg("1090", dup265); + +var msg2097 = msg("1090:01", dup266); + +var select988 = linear_select([ + msg2096, + msg2097, +]); + +var msg2098 = msg("1091", dup198); + +var msg2099 = msg("1091:01", dup220); + +var select989 = linear_select([ + msg2098, + msg2099, +]); + +var msg2100 = msg("1092", dup265); + +var msg2101 = msg("1092:01", dup266); + +var select990 = linear_select([ + msg2100, + msg2101, +]); + +var msg2102 = msg("1093", dup265); + +var msg2103 = msg("1093:01", dup266); + +var select991 = linear_select([ + msg2102, + msg2103, +]); + +var msg2104 = msg("1094", dup265); + +var msg2105 = msg("1094:01", dup266); + +var select992 = linear_select([ + msg2104, + msg2105, +]); + +var msg2106 = msg("1095", dup265); + +var msg2107 = msg("1095:01", dup266); + +var select993 = linear_select([ + msg2106, + msg2107, +]); + +var msg2108 = msg("1096", dup265); + +var msg2109 = msg("1096:01", dup266); + +var select994 = linear_select([ + msg2108, + msg2109, +]); + +var msg2110 = msg("1097", dup267); + +var msg2111 = msg("1097:01", dup268); + +var select995 = linear_select([ + msg2110, + msg2111, +]); + +var msg2112 = msg("1098", dup265); + +var msg2113 = msg("1098:01", dup266); + +var select996 = linear_select([ + msg2112, + msg2113, +]); + +var msg2114 = msg("1099", dup194); + +var msg2115 = msg("1099:01", dup229); + +var select997 = linear_select([ + msg2114, + msg2115, +]); + +var msg2116 = msg("1100", dup196); + +var msg2117 = msg("1100:01", dup217); + +var select998 = linear_select([ + msg2116, + msg2117, +]); + +var msg2118 = msg("1101", dup196); + +var msg2119 = msg("1101:01", dup217); + +var select999 = linear_select([ + msg2118, + msg2119, +]); + +var msg2120 = msg("1102", dup196); + +var msg2121 = msg("1102:01", dup217); + +var select1000 = linear_select([ + msg2120, + msg2121, +]); + +var msg2122 = msg("1103", dup196); + +var msg2123 = msg("1103:01", dup217); + +var select1001 = linear_select([ + msg2122, + msg2123, +]); + +var msg2124 = msg("1104", dup196); + +var msg2125 = msg("1104:01", dup217); + +var select1002 = linear_select([ + msg2124, + msg2125, +]); + +var msg2126 = msg("1105", dup265); + +var msg2127 = msg("1105:01", dup266); + +var select1003 = linear_select([ + msg2126, + msg2127, +]); + +var msg2128 = msg("1106", dup265); + +var msg2129 = msg("1106:01", dup266); + +var select1004 = linear_select([ + msg2128, + msg2129, +]); + +var msg2130 = msg("1107", dup265); + +var msg2131 = msg("1107:01", dup266); + +var select1005 = linear_select([ + msg2130, + msg2131, +]); + +var msg2132 = msg("1108", dup265); + +var msg2133 = msg("1108:01", dup266); + +var select1006 = linear_select([ + msg2132, + msg2133, +]); + +var msg2134 = msg("1109", dup265); + +var msg2135 = msg("1109:01", dup266); + +var select1007 = linear_select([ + msg2134, + msg2135, +]); + +var msg2136 = msg("1110", dup265); + +var msg2137 = msg("1110:01", dup266); + +var select1008 = linear_select([ + msg2136, + msg2137, +]); + +var msg2138 = msg("1111", dup267); + +var msg2139 = msg("1111:01", dup268); + +var select1009 = linear_select([ + msg2138, + msg2139, +]); + +var msg2140 = msg("1112", dup265); + +var msg2141 = msg("1112:01", dup266); + +var select1010 = linear_select([ + msg2140, + msg2141, +]); + +var msg2142 = msg("1113", dup265); + +var msg2143 = msg("1113:01", dup266); + +var select1011 = linear_select([ + msg2142, + msg2143, +]); + +var msg2144 = msg("1114", dup196); + +var msg2145 = msg("1114:01", dup217); + +var select1012 = linear_select([ + msg2144, + msg2145, +]); + +var msg2146 = msg("1115", dup198); + +var msg2147 = msg("1115:01", dup220); + +var select1013 = linear_select([ + msg2146, + msg2147, +]); + +var msg2148 = msg("1116", dup265); + +var msg2149 = msg("1116:01", dup266); + +var select1014 = linear_select([ + msg2148, + msg2149, +]); + +var msg2150 = msg("1117", dup265); + +var msg2151 = msg("1117:01", dup266); + +var select1015 = linear_select([ + msg2150, + msg2151, +]); + +var msg2152 = msg("1118", dup196); + +var msg2153 = msg("1118:01", dup217); + +var select1016 = linear_select([ + msg2152, + msg2153, +]); + +var msg2154 = msg("1119", dup265); + +var msg2155 = msg("1119:01", dup266); + +var select1017 = linear_select([ + msg2154, + msg2155, +]); + +var msg2156 = msg("1120", dup265); + +var msg2157 = msg("1120:01", dup266); + +var select1018 = linear_select([ + msg2156, + msg2157, +]); + +var msg2158 = msg("1121", dup265); + +var msg2159 = msg("1121:01", dup266); + +var select1019 = linear_select([ + msg2158, + msg2159, +]); + +var msg2160 = msg("1122", dup196); + +var msg2161 = msg("1122:01", dup217); + +var select1020 = linear_select([ + msg2160, + msg2161, +]); + +var msg2162 = msg("1123", dup265); + +var msg2163 = msg("1123:01", dup266); + +var select1021 = linear_select([ + msg2162, + msg2163, +]); + +var msg2164 = msg("1124", dup265); + +var msg2165 = msg("1124:01", dup266); + +var select1022 = linear_select([ + msg2164, + msg2165, +]); + +var msg2166 = msg("1125", dup265); + +var msg2167 = msg("1125:01", dup266); + +var select1023 = linear_select([ + msg2166, + msg2167, +]); + +var msg2168 = msg("1126", dup265); + +var msg2169 = msg("1126:01", dup266); + +var select1024 = linear_select([ + msg2168, + msg2169, +]); + +var msg2170 = msg("1127", dup265); + +var msg2171 = msg("1127:01", dup266); + +var select1025 = linear_select([ + msg2170, + msg2171, +]); + +var msg2172 = msg("1128", dup265); + +var msg2173 = msg("1128:01", dup266); + +var select1026 = linear_select([ + msg2172, + msg2173, +]); + +var msg2174 = msg("1129", dup265); + +var msg2175 = msg("1129:01", dup266); + +var select1027 = linear_select([ + msg2174, + msg2175, +]); + +var msg2176 = msg("1130", dup265); + +var msg2177 = msg("1130:01", dup266); + +var select1028 = linear_select([ + msg2176, + msg2177, +]); + +var msg2178 = msg("1131", dup265); + +var msg2179 = msg("1131:01", dup266); + +var select1029 = linear_select([ + msg2178, + msg2179, +]); + +var msg2180 = msg("1132", dup197); + +var msg2181 = msg("1132:01", dup221); + +var select1030 = linear_select([ + msg2180, + msg2181, +]); + +var msg2182 = msg("1133", dup194); + +var msg2183 = msg("1133:01", dup229); + +var select1031 = linear_select([ + msg2182, + msg2183, +]); + +var msg2184 = msg("1134", dup265); + +var msg2185 = msg("1134:01", dup266); + +var select1032 = linear_select([ + msg2184, + msg2185, +]); + +var msg2186 = msg("1136", dup196); + +var msg2187 = msg("1136:01", dup217); + +var select1033 = linear_select([ + msg2186, + msg2187, +]); + +var msg2188 = msg("1137", dup265); + +var msg2189 = msg("1137:01", dup266); + +var select1034 = linear_select([ + msg2188, + msg2189, +]); + +var msg2190 = msg("1138", dup198); + +var msg2191 = msg("1138:01", dup220); + +var select1035 = linear_select([ + msg2190, + msg2191, +]); + +var msg2192 = msg("1139", dup196); + +var msg2193 = msg("1139:01", dup217); + +var select1036 = linear_select([ + msg2192, + msg2193, +]); + +var msg2194 = msg("1140", dup265); + +var msg2195 = msg("1140:01", dup266); + +var select1037 = linear_select([ + msg2194, + msg2195, +]); + +var msg2196 = msg("1141", dup265); + +var msg2197 = msg("1141:01", dup266); + +var select1038 = linear_select([ + msg2196, + msg2197, +]); + +var msg2198 = msg("1142", dup265); + +var msg2199 = msg("1142:01", dup266); + +var select1039 = linear_select([ + msg2198, + msg2199, +]); + +var msg2200 = msg("1143", dup265); + +var msg2201 = msg("1143:01", dup266); + +var select1040 = linear_select([ + msg2200, + msg2201, +]); + +var msg2202 = msg("1144", dup265); + +var msg2203 = msg("1144:01", dup266); + +var select1041 = linear_select([ + msg2202, + msg2203, +]); + +var msg2204 = msg("1145", dup265); + +var msg2205 = msg("1145:01", dup266); + +var select1042 = linear_select([ + msg2204, + msg2205, +]); + +var msg2206 = msg("1146", dup265); + +var msg2207 = msg("1146:01", dup266); + +var select1043 = linear_select([ + msg2206, + msg2207, +]); + +var msg2208 = msg("1147", dup265); + +var msg2209 = msg("1147:01", dup266); + +var select1044 = linear_select([ + msg2208, + msg2209, +]); + +var msg2210 = msg("1148", dup265); + +var msg2211 = msg("1148:01", dup266); + +var select1045 = linear_select([ + msg2210, + msg2211, +]); + +var msg2212 = msg("1149", dup265); + +var msg2213 = msg("1149:01", dup266); + +var select1046 = linear_select([ + msg2212, + msg2213, +]); + +var msg2214 = msg("1150", dup265); + +var msg2215 = msg("1150:01", dup266); + +var select1047 = linear_select([ + msg2214, + msg2215, +]); + +var msg2216 = msg("1151", dup265); + +var msg2217 = msg("1151:01", dup266); + +var select1048 = linear_select([ + msg2216, + msg2217, +]); + +var msg2218 = msg("1152", dup265); + +var msg2219 = msg("1152:01", dup266); + +var select1049 = linear_select([ + msg2218, + msg2219, +]); + +var msg2220 = msg("1153", dup265); + +var msg2221 = msg("1153:01", dup266); + +var select1050 = linear_select([ + msg2220, + msg2221, +]); + +var msg2222 = msg("1154", dup265); + +var msg2223 = msg("1154:01", dup266); + +var select1051 = linear_select([ + msg2222, + msg2223, +]); + +var msg2224 = msg("1155", dup265); + +var msg2225 = msg("1155:01", dup266); + +var select1052 = linear_select([ + msg2224, + msg2225, +]); + +var msg2226 = msg("1156", dup265); + +var msg2227 = msg("1156:01", dup266); + +var select1053 = linear_select([ + msg2226, + msg2227, +]); + +var msg2228 = msg("1157", dup265); + +var msg2229 = msg("1157:01", dup266); + +var select1054 = linear_select([ + msg2228, + msg2229, +]); + +var msg2230 = msg("1158", dup265); + +var msg2231 = msg("1158:01", dup266); + +var select1055 = linear_select([ + msg2230, + msg2231, +]); + +var msg2232 = msg("1159", dup265); + +var msg2233 = msg("1159:01", dup266); + +var select1056 = linear_select([ + msg2232, + msg2233, +]); + +var msg2234 = msg("1160", dup196); + +var msg2235 = msg("1160:01", dup217); + +var select1057 = linear_select([ + msg2234, + msg2235, +]); + +var msg2236 = msg("1161", dup265); + +var msg2237 = msg("1161:01", dup266); + +var select1058 = linear_select([ + msg2236, + msg2237, +]); + +var msg2238 = msg("1162", dup265); + +var msg2239 = msg("1162:01", dup266); + +var select1059 = linear_select([ + msg2238, + msg2239, +]); + +var msg2240 = msg("1163", dup265); + +var msg2241 = msg("1163:01", dup266); + +var select1060 = linear_select([ + msg2240, + msg2241, +]); + +var msg2242 = msg("1164", dup265); + +var msg2243 = msg("1164:01", dup266); + +var select1061 = linear_select([ + msg2242, + msg2243, +]); + +var msg2244 = msg("1165", dup265); + +var msg2245 = msg("1165:01", dup266); + +var select1062 = linear_select([ + msg2244, + msg2245, +]); + +var msg2246 = msg("1166", dup265); + +var msg2247 = msg("1166:01", dup266); + +var select1063 = linear_select([ + msg2246, + msg2247, +]); + +var msg2248 = msg("1167", dup265); + +var msg2249 = msg("1167:01", dup266); + +var select1064 = linear_select([ + msg2248, + msg2249, +]); + +var msg2250 = msg("1168", dup265); + +var msg2251 = msg("1168:01", dup266); + +var select1065 = linear_select([ + msg2250, + msg2251, +]); + +var msg2252 = msg("1171", dup196); + +var msg2253 = msg("1171:01", dup217); + +var select1066 = linear_select([ + msg2252, + msg2253, +]); + +var msg2254 = msg("1172", dup265); + +var msg2255 = msg("1172:01", dup266); + +var select1067 = linear_select([ + msg2254, + msg2255, +]); + +var msg2256 = msg("1173", dup265); + +var msg2257 = msg("1173:01", dup266); + +var select1068 = linear_select([ + msg2256, + msg2257, +]); + +var msg2258 = msg("1174", dup265); + +var msg2259 = msg("1174:01", dup266); + +var select1069 = linear_select([ + msg2258, + msg2259, +]); + +var msg2260 = msg("1175", dup265); + +var msg2261 = msg("1175:01", dup266); + +var select1070 = linear_select([ + msg2260, + msg2261, +]); + +var msg2262 = msg("1176", dup265); + +var msg2263 = msg("1176:01", dup266); + +var select1071 = linear_select([ + msg2262, + msg2263, +]); + +var msg2264 = msg("1177", dup196); + +var msg2265 = msg("1177:01", dup217); + +var select1072 = linear_select([ + msg2264, + msg2265, +]); + +var msg2266 = msg("1178", dup265); + +var msg2267 = msg("1178:01", dup266); + +var select1073 = linear_select([ + msg2266, + msg2267, +]); + +var msg2268 = msg("1179", dup265); + +var msg2269 = msg("1179:01", dup266); + +var select1074 = linear_select([ + msg2268, + msg2269, +]); + +var msg2270 = msg("1180", dup265); + +var msg2271 = msg("1180:01", dup266); + +var select1075 = linear_select([ + msg2270, + msg2271, +]); + +var msg2272 = msg("1181", dup198); + +var msg2273 = msg("1181:01", dup220); + +var select1076 = linear_select([ + msg2272, + msg2273, +]); + +var msg2274 = msg("1182", dup265); + +var msg2275 = msg("1182:01", dup266); + +var select1077 = linear_select([ + msg2274, + msg2275, +]); + +var msg2276 = msg("1183", dup196); + +var msg2277 = msg("1183:01", dup217); + +var select1078 = linear_select([ + msg2276, + msg2277, +]); + +var msg2278 = msg("1184", dup196); + +var msg2279 = msg("1184:01", dup217); + +var select1079 = linear_select([ + msg2278, + msg2279, +]); + +var msg2280 = msg("1185", dup265); + +var msg2281 = msg("1185:01", dup266); + +var select1080 = linear_select([ + msg2280, + msg2281, +]); + +var msg2282 = msg("1186", dup196); + +var msg2283 = msg("1186:01", dup217); + +var select1081 = linear_select([ + msg2282, + msg2283, +]); + +var msg2284 = msg("1187", dup265); + +var msg2285 = msg("1187:01", dup266); + +var select1082 = linear_select([ + msg2284, + msg2285, +]); + +var msg2286 = msg("1188", dup196); + +var msg2287 = msg("1188:01", dup217); + +var select1083 = linear_select([ + msg2286, + msg2287, +]); + +var msg2288 = msg("1189", dup196); + +var msg2289 = msg("1189:01", dup217); + +var select1084 = linear_select([ + msg2288, + msg2289, +]); + +var msg2290 = msg("1190", dup196); + +var msg2291 = msg("1190:01", dup217); + +var select1085 = linear_select([ + msg2290, + msg2291, +]); + +var msg2292 = msg("1191", dup196); + +var msg2293 = msg("1191:01", dup217); + +var select1086 = linear_select([ + msg2292, + msg2293, +]); + +var msg2294 = msg("1192", dup194); + +var msg2295 = msg("1192:01", dup229); + +var select1087 = linear_select([ + msg2294, + msg2295, +]); + +var msg2296 = msg("1193", dup269); + +var msg2297 = msg("1193:01", dup270); + +var select1088 = linear_select([ + msg2296, + msg2297, +]); + +var msg2298 = msg("1194", dup265); + +var msg2299 = msg("1194:01", dup266); + +var select1089 = linear_select([ + msg2298, + msg2299, +]); + +var msg2300 = msg("1195", dup265); + +var msg2301 = msg("1195:01", dup266); + +var select1090 = linear_select([ + msg2300, + msg2301, +]); + +var msg2302 = msg("1196", dup265); + +var msg2303 = msg("1196:01", dup266); + +var select1091 = linear_select([ + msg2302, + msg2303, +]); + +var msg2304 = msg("1197", dup265); + +var msg2305 = msg("1197:01", dup266); + +var select1092 = linear_select([ + msg2304, + msg2305, +]); + +var msg2306 = msg("1198", dup196); + +var msg2307 = msg("1198:01", dup217); + +var select1093 = linear_select([ + msg2306, + msg2307, +]); + +var msg2308 = msg("1199", dup265); + +var msg2309 = msg("1199:01", dup266); + +var select1094 = linear_select([ + msg2308, + msg2309, +]); + +var msg2310 = msg("1200", dup196); + +var msg2311 = msg("1200:01", dup217); + +var select1095 = linear_select([ + msg2310, + msg2311, +]); + +var msg2312 = msg("1201", dup196); + +var msg2313 = msg("1201:01", dup217); + +var select1096 = linear_select([ + msg2312, + msg2313, +]); + +var msg2314 = msg("1202", dup265); + +var msg2315 = msg("1202:01", dup266); + +var select1097 = linear_select([ + msg2314, + msg2315, +]); + +var msg2316 = msg("1204", dup265); + +var msg2317 = msg("1204:01", dup266); + +var select1098 = linear_select([ + msg2316, + msg2317, +]); + +var msg2318 = msg("1205", dup265); + +var msg2319 = msg("1205:01", dup266); + +var select1099 = linear_select([ + msg2318, + msg2319, +]); + +var msg2320 = msg("1206", dup265); + +var msg2321 = msg("1206:01", dup266); + +var select1100 = linear_select([ + msg2320, + msg2321, +]); + +var msg2322 = msg("1207", dup265); + +var msg2323 = msg("1207:01", dup266); + +var select1101 = linear_select([ + msg2322, + msg2323, +]); + +var msg2324 = msg("1208", dup265); + +var msg2325 = msg("1208:01", dup266); + +var select1102 = linear_select([ + msg2324, + msg2325, +]); + +var msg2326 = msg("1209", dup265); + +var msg2327 = msg("1209:01", dup266); + +var select1103 = linear_select([ + msg2326, + msg2327, +]); + +var msg2328 = msg("1211", dup265); + +var msg2329 = msg("1211:01", dup266); + +var select1104 = linear_select([ + msg2328, + msg2329, +]); + +var msg2330 = msg("1212", dup265); + +var msg2331 = msg("1212:01", dup266); + +var select1105 = linear_select([ + msg2330, + msg2331, +]); + +var msg2332 = msg("1213", dup265); + +var msg2333 = msg("1213:01", dup266); + +var select1106 = linear_select([ + msg2332, + msg2333, +]); + +var msg2334 = msg("1214", dup265); + +var msg2335 = msg("1214:01", dup266); + +var select1107 = linear_select([ + msg2334, + msg2335, +]); + +var msg2336 = msg("1215", dup265); + +var msg2337 = msg("1215:01", dup266); + +var select1108 = linear_select([ + msg2336, + msg2337, +]); + +var msg2338 = msg("1216", dup265); + +var msg2339 = msg("1216:01", dup266); + +var select1109 = linear_select([ + msg2338, + msg2339, +]); + +var msg2340 = msg("1217", dup265); + +var msg2341 = msg("1217:01", dup266); + +var select1110 = linear_select([ + msg2340, + msg2341, +]); + +var msg2342 = msg("1218", dup265); + +var msg2343 = msg("1218:01", dup266); + +var select1111 = linear_select([ + msg2342, + msg2343, +]); + +var msg2344 = msg("1219", dup265); + +var msg2345 = msg("1219:01", dup266); + +var select1112 = linear_select([ + msg2344, + msg2345, +]); + +var msg2346 = msg("1220", dup265); + +var msg2347 = msg("1220:01", dup266); + +var select1113 = linear_select([ + msg2346, + msg2347, +]); + +var msg2348 = msg("1221", dup265); + +var msg2349 = msg("1221:01", dup266); + +var select1114 = linear_select([ + msg2348, + msg2349, +]); + +var msg2350 = msg("1222", dup265); + +var msg2351 = msg("1222:01", dup266); + +var select1115 = linear_select([ + msg2350, + msg2351, +]); + +var msg2352 = msg("1224", dup265); + +var msg2353 = msg("1224:01", dup266); + +var select1116 = linear_select([ + msg2352, + msg2353, +]); + +var msg2354 = msg("1225", dup196); + +var msg2355 = msg("1225:01", dup217); + +var select1117 = linear_select([ + msg2354, + msg2355, +]); + +var msg2356 = msg("1226", dup196); + +var msg2357 = msg("1226:01", dup217); + +var select1118 = linear_select([ + msg2356, + msg2357, +]); + +var msg2358 = msg("1227", dup196); + +var msg2359 = msg("1227:01", dup217); + +var select1119 = linear_select([ + msg2358, + msg2359, +]); + +var msg2360 = msg("1228", dup194); + +var msg2361 = msg("1228:01", dup229); + +var select1120 = linear_select([ + msg2360, + msg2361, +]); + +var msg2362 = msg("1229", dup227); + +var msg2363 = msg("1229:01", dup228); + +var select1121 = linear_select([ + msg2362, + msg2363, +]); + +var msg2364 = msg("1230", dup263); + +var msg2365 = msg("1230:01", dup264); + +var select1122 = linear_select([ + msg2364, + msg2365, +]); + +var msg2366 = msg("1231", dup263); + +var msg2367 = msg("1231:01", dup264); + +var select1123 = linear_select([ + msg2366, + msg2367, +]); + +var msg2368 = msg("1232", dup263); + +var msg2369 = msg("1232:01", dup264); + +var select1124 = linear_select([ + msg2368, + msg2369, +]); + +var msg2370 = msg("1233", dup265); + +var msg2371 = msg("1233:01", dup266); + +var select1125 = linear_select([ + msg2370, + msg2371, +]); + +var msg2372 = msg("1234", dup263); + +var msg2373 = msg("1234:01", dup264); + +var select1126 = linear_select([ + msg2372, + msg2373, +]); + +var msg2374 = msg("1235", dup263); + +var msg2375 = msg("1235:01", dup264); + +var select1127 = linear_select([ + msg2374, + msg2375, +]); + +var msg2376 = msg("1236", dup196); + +var msg2377 = msg("1236:01", dup217); + +var select1128 = linear_select([ + msg2376, + msg2377, +]); + +var msg2378 = msg("1237", dup196); + +var msg2379 = msg("1237:01", dup217); + +var select1129 = linear_select([ + msg2378, + msg2379, +]); + +var msg2380 = msg("1238", dup196); + +var msg2381 = msg("1238:01", dup217); + +var select1130 = linear_select([ + msg2380, + msg2381, +]); + +var msg2382 = msg("1239", dup276); + +var msg2383 = msg("1239:01", dup277); + +var select1131 = linear_select([ + msg2382, + msg2383, +]); + +var msg2384 = msg("1240", dup197); + +var msg2385 = msg("1240:01", dup221); + +var select1132 = linear_select([ + msg2384, + msg2385, +]); + +var msg2386 = msg("1241", dup265); + +var msg2387 = msg("1241:01", dup266); + +var select1133 = linear_select([ + msg2386, + msg2387, +]); + +var msg2388 = msg("1242", dup265); + +var msg2389 = msg("1242:01", dup266); + +var select1134 = linear_select([ + msg2388, + msg2389, +]); + +var msg2390 = msg("1243", dup265); + +var msg2391 = msg("1243:01", dup266); + +var select1135 = linear_select([ + msg2390, + msg2391, +]); + +var msg2392 = msg("1244", dup265); + +var msg2393 = msg("1244:01", dup266); + +var select1136 = linear_select([ + msg2392, + msg2393, +]); + +var msg2394 = msg("1245", dup265); + +var msg2395 = msg("1245:01", dup266); + +var select1137 = linear_select([ + msg2394, + msg2395, +]); + +var msg2396 = msg("1246", dup267); + +var msg2397 = msg("1246:01", dup268); + +var select1138 = linear_select([ + msg2396, + msg2397, +]); + +var msg2398 = msg("1247", dup267); + +var msg2399 = msg("1247:01", dup268); + +var select1139 = linear_select([ + msg2398, + msg2399, +]); + +var msg2400 = msg("1248", dup265); + +var msg2401 = msg("1248:01", dup266); + +var select1140 = linear_select([ + msg2400, + msg2401, +]); + +var msg2402 = msg("1249", dup265); + +var msg2403 = msg("1249:01", dup266); + +var select1141 = linear_select([ + msg2402, + msg2403, +]); + +var msg2404 = msg("1250", dup265); + +var msg2405 = msg("1250:01", dup266); + +var select1142 = linear_select([ + msg2404, + msg2405, +]); + +var msg2406 = msg("1251", dup196); + +var msg2407 = msg("1251:01", dup217); + +var select1143 = linear_select([ + msg2406, + msg2407, +]); + +var msg2408 = msg("1252", dup278); + +var msg2409 = msg("1252:01", dup279); + +var select1144 = linear_select([ + msg2408, + msg2409, +]); + +var msg2410 = msg("1253", dup278); + +var msg2411 = msg("1253:01", dup279); + +var select1145 = linear_select([ + msg2410, + msg2411, +]); + +var msg2412 = msg("1254", dup265); + +var msg2413 = msg("1254:01", dup266); + +var select1146 = linear_select([ + msg2412, + msg2413, +]); + +var msg2414 = msg("1255", dup265); + +var msg2415 = msg("1255:01", dup266); + +var select1147 = linear_select([ + msg2414, + msg2415, +]); + +var msg2416 = msg("1256", dup265); + +var msg2417 = msg("1256:01", dup266); + +var select1148 = linear_select([ + msg2416, + msg2417, +]); + +var msg2418 = msg("1257", dup198); + +var msg2419 = msg("1257:01", dup220); + +var select1149 = linear_select([ + msg2418, + msg2419, +]); + +var msg2420 = msg("1258", dup198); + +var msg2421 = msg("1258:01", dup220); + +var select1150 = linear_select([ + msg2420, + msg2421, +]); + +var msg2422 = msg("1259", dup265); + +var msg2423 = msg("1259:01", dup266); + +var select1151 = linear_select([ + msg2422, + msg2423, +]); + +var msg2424 = msg("1260", dup196); + +var msg2425 = msg("1260:01", dup217); + +var select1152 = linear_select([ + msg2424, + msg2425, +]); + +var msg2426 = msg("1261", dup197); + +var msg2427 = msg("1261:01", dup221); + +var select1153 = linear_select([ + msg2426, + msg2427, +]); + +var msg2428 = msg("1262", dup258); + +var msg2429 = msg("1262:01", dup259); + +var select1154 = linear_select([ + msg2428, + msg2429, +]); + +var msg2430 = msg("1263", dup258); + +var msg2431 = msg("1263:01", dup259); + +var select1155 = linear_select([ + msg2430, + msg2431, +]); + +var msg2432 = msg("1264", dup258); + +var msg2433 = msg("1264:01", dup259); + +var select1156 = linear_select([ + msg2432, + msg2433, +]); + +var msg2434 = msg("1265", dup258); + +var msg2435 = msg("1265:01", dup259); + +var select1157 = linear_select([ + msg2434, + msg2435, +]); + +var msg2436 = msg("1266", dup258); + +var msg2437 = msg("1266:01", dup259); + +var select1158 = linear_select([ + msg2436, + msg2437, +]); + +var msg2438 = msg("1267", dup258); + +var msg2439 = msg("1267:01", dup259); + +var select1159 = linear_select([ + msg2438, + msg2439, +]); + +var msg2440 = msg("1268", dup280); + +var all39 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup98, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var msg2441 = msg("1268:01", all39); + +var select1160 = linear_select([ + msg2440, + msg2441, +]); + +var msg2442 = msg("1269", dup258); + +var msg2443 = msg("1269:01", dup259); + +var select1161 = linear_select([ + msg2442, + msg2443, +]); + +var msg2444 = msg("1270", dup258); + +var msg2445 = msg("1270:01", dup259); + +var select1162 = linear_select([ + msg2444, + msg2445, +]); + +var msg2446 = msg("1271", dup258); + +var msg2447 = msg("1271:01", dup259); + +var select1163 = linear_select([ + msg2446, + msg2447, +]); + +var msg2448 = msg("1272", dup258); + +var msg2449 = msg("1272:01", dup259); + +var select1164 = linear_select([ + msg2448, + msg2449, +]); + +var msg2450 = msg("1273", dup258); + +var msg2451 = msg("1273:01", dup259); + +var select1165 = linear_select([ + msg2450, + msg2451, +]); + +var msg2452 = msg("1274", dup258); + +var msg2453 = msg("1274:01", dup259); + +var select1166 = linear_select([ + msg2452, + msg2453, +]); + +var msg2454 = msg("1275", dup258); + +var msg2455 = msg("1275:01", dup259); + +var select1167 = linear_select([ + msg2454, + msg2455, +]); + +var msg2456 = msg("1276", dup258); + +var msg2457 = msg("1276:01", dup259); + +var select1168 = linear_select([ + msg2456, + msg2457, +]); + +var msg2458 = msg("1277", dup255); + +var msg2459 = msg("1277:01", dup256); + +var select1169 = linear_select([ + msg2458, + msg2459, +]); + +var msg2460 = msg("1278", dup255); + +var msg2461 = msg("1278:01", dup256); + +var select1170 = linear_select([ + msg2460, + msg2461, +]); + +var msg2462 = msg("1279", dup255); + +var msg2463 = msg("1279:01", dup256); + +var select1171 = linear_select([ + msg2462, + msg2463, +]); + +var msg2464 = msg("1280", dup255); + +var msg2465 = msg("1280:01", dup256); + +var select1172 = linear_select([ + msg2464, + msg2465, +]); + +var msg2466 = msg("1281", dup255); + +var msg2467 = msg("1281:01", dup256); + +var select1173 = linear_select([ + msg2466, + msg2467, +]); + +var msg2468 = msg("1282", dup255); + +var msg2469 = msg("1282:01", dup256); + +var select1174 = linear_select([ + msg2468, + msg2469, +]); + +var msg2470 = msg("1283", dup198); + +var msg2471 = msg("1283:01", dup220); + +var select1175 = linear_select([ + msg2470, + msg2471, +]); + +var msg2472 = msg("1284", dup265); + +var msg2473 = msg("1284:01", dup266); + +var select1176 = linear_select([ + msg2472, + msg2473, +]); + +var msg2474 = msg("1285", dup265); + +var msg2475 = msg("1285:01", dup266); + +var select1177 = linear_select([ + msg2474, + msg2475, +]); + +var msg2476 = msg("1286", dup265); + +var msg2477 = msg("1286:01", dup266); + +var select1178 = linear_select([ + msg2476, + msg2477, +]); + +var msg2478 = msg("1287", dup265); + +var msg2479 = msg("1287:01", dup266); + +var select1179 = linear_select([ + msg2478, + msg2479, +]); + +var msg2480 = msg("1288", dup265); + +var msg2481 = msg("1288:01", dup266); + +var select1180 = linear_select([ + msg2480, + msg2481, +]); + +var msg2482 = msg("1289", dup196); + +var msg2483 = msg("1289:01", dup217); + +var select1181 = linear_select([ + msg2482, + msg2483, +]); + +var msg2484 = msg("1290", dup265); + +var msg2485 = msg("1290:01", dup266); + +var select1182 = linear_select([ + msg2484, + msg2485, +]); + +var msg2486 = msg("1291", dup265); + +var msg2487 = msg("1291:01", dup266); + +var select1183 = linear_select([ + msg2486, + msg2487, +]); + +var msg2488 = msg("1292", dup196); + +var msg2489 = msg("1292:01", dup217); + +var select1184 = linear_select([ + msg2488, + msg2489, +]); + +var msg2490 = msg("1293", dup196); + +var msg2491 = msg("1293:01", dup217); + +var select1185 = linear_select([ + msg2490, + msg2491, +]); + +var msg2492 = msg("1294", dup196); + +var msg2493 = msg("1294:01", dup217); + +var select1186 = linear_select([ + msg2492, + msg2493, +]); + +var msg2494 = msg("1295", dup196); + +var msg2495 = msg("1295:01", dup217); + +var select1187 = linear_select([ + msg2494, + msg2495, +]); + +var msg2496 = msg("1296", dup255); + +var msg2497 = msg("1296:01", dup256); + +var select1188 = linear_select([ + msg2496, + msg2497, +]); + +var msg2498 = msg("1297", dup255); + +var msg2499 = msg("1297:01", dup256); + +var select1189 = linear_select([ + msg2498, + msg2499, +]); + +var msg2500 = msg("1298", dup255); + +var msg2501 = msg("1298:01", dup256); + +var select1190 = linear_select([ + msg2500, + msg2501, +]); + +var msg2502 = msg("1299", dup255); + +var msg2503 = msg("1299:01", dup256); + +var select1191 = linear_select([ + msg2502, + msg2503, +]); + +var msg2504 = msg("1300", dup265); + +var msg2505 = msg("1300:01", dup266); + +var select1192 = linear_select([ + msg2504, + msg2505, +]); + +var msg2506 = msg("1301", dup265); + +var msg2507 = msg("1301:01", dup266); + +var select1193 = linear_select([ + msg2506, + msg2507, +]); + +var msg2508 = msg("1302", dup265); + +var msg2509 = msg("1302:01", dup266); + +var select1194 = linear_select([ + msg2508, + msg2509, +]); + +var msg2510 = msg("1303", dup265); + +var msg2511 = msg("1303:01", dup266); + +var select1195 = linear_select([ + msg2510, + msg2511, +]); + +var msg2512 = msg("1304", dup265); + +var msg2513 = msg("1304:01", dup266); + +var select1196 = linear_select([ + msg2512, + msg2513, +]); + +var msg2514 = msg("1305", dup265); + +var msg2515 = msg("1305:01", dup266); + +var select1197 = linear_select([ + msg2514, + msg2515, +]); + +var msg2516 = msg("1306", dup265); + +var msg2517 = msg("1306:01", dup266); + +var select1198 = linear_select([ + msg2516, + msg2517, +]); + +var msg2518 = msg("1307", dup265); + +var msg2519 = msg("1307:01", dup266); + +var select1199 = linear_select([ + msg2518, + msg2519, +]); + +var msg2520 = msg("1308", dup265); + +var msg2521 = msg("1308:01", dup266); + +var select1200 = linear_select([ + msg2520, + msg2521, +]); + +var msg2522 = msg("1309", dup265); + +var msg2523 = msg("1309:01", dup266); + +var select1201 = linear_select([ + msg2522, + msg2523, +]); + +var msg2524 = msg("1310", dup281); + +var msg2525 = msg("1310:01", dup282); + +var select1202 = linear_select([ + msg2524, + msg2525, +]); + +var msg2526 = msg("1311", dup281); + +var msg2527 = msg("1311:01", dup282); + +var select1203 = linear_select([ + msg2526, + msg2527, +]); + +var msg2528 = msg("1312", dup281); + +var msg2529 = msg("1312:01", dup282); + +var select1204 = linear_select([ + msg2528, + msg2529, +]); + +var msg2530 = msg("1313", dup281); + +var msg2531 = msg("1313:01", dup282); + +var select1205 = linear_select([ + msg2530, + msg2531, +]); + +var msg2532 = msg("1314", dup281); + +var msg2533 = msg("1314:01", dup282); + +var select1206 = linear_select([ + msg2532, + msg2533, +]); + +var msg2534 = msg("1315", dup281); + +var msg2535 = msg("1315:01", dup282); + +var select1207 = linear_select([ + msg2534, + msg2535, +]); + +var msg2536 = msg("1316", dup281); + +var msg2537 = msg("1316:01", dup282); + +var select1208 = linear_select([ + msg2536, + msg2537, +]); + +var msg2538 = msg("1317", dup281); + +var msg2539 = msg("1317:01", dup282); + +var select1209 = linear_select([ + msg2538, + msg2539, +]); + +var msg2540 = msg("1318", dup281); + +var msg2541 = msg("1318:01", dup282); + +var select1210 = linear_select([ + msg2540, + msg2541, +]); + +var msg2542 = msg("1319", dup281); + +var msg2543 = msg("1319:01", dup282); + +var select1211 = linear_select([ + msg2542, + msg2543, +]); + +var msg2544 = msg("1320", dup281); + +var msg2545 = msg("1320:01", dup282); + +var select1212 = linear_select([ + msg2544, + msg2545, +]); + +var msg2546 = msg("1321", dup196); + +var msg2547 = msg("1321:01", dup217); + +var select1213 = linear_select([ + msg2546, + msg2547, +]); + +var msg2548 = msg("1322", dup196); + +var msg2549 = msg("1322:01", dup217); + +var select1214 = linear_select([ + msg2548, + msg2549, +]); + +var msg2550 = msg("1323", dup196); + +var msg2551 = msg("1323:01", dup217); + +var select1215 = linear_select([ + msg2550, + msg2551, +]); + +var msg2552 = msg("1324", dup197); + +var msg2553 = msg("1324:01", dup221); + +var select1216 = linear_select([ + msg2552, + msg2553, +]); + +var msg2554 = msg("1325", dup197); + +var msg2555 = msg("1325:01", dup221); + +var select1217 = linear_select([ + msg2554, + msg2555, +]); + +var msg2556 = msg("1326", dup197); + +var msg2557 = msg("1326:01", dup221); + +var select1218 = linear_select([ + msg2556, + msg2557, +]); + +var msg2558 = msg("1327", dup197); + +var msg2559 = msg("1327:01", dup221); + +var select1219 = linear_select([ + msg2558, + msg2559, +]); + +var msg2560 = msg("1328", dup265); + +var msg2561 = msg("1328:01", dup266); + +var select1220 = linear_select([ + msg2560, + msg2561, +]); + +var msg2562 = msg("1329", dup265); + +var msg2563 = msg("1329:01", dup266); + +var select1221 = linear_select([ + msg2562, + msg2563, +]); + +var msg2564 = msg("1330", dup265); + +var msg2565 = msg("1330:01", dup266); + +var select1222 = linear_select([ + msg2564, + msg2565, +]); + +var msg2566 = msg("1331", dup265); + +var msg2567 = msg("1331:01", dup266); + +var select1223 = linear_select([ + msg2566, + msg2567, +]); + +var msg2568 = msg("1332", dup265); + +var msg2569 = msg("1332:01", dup266); + +var select1224 = linear_select([ + msg2568, + msg2569, +]); + +var msg2570 = msg("1333", dup265); + +var msg2571 = msg("1333:01", dup266); + +var select1225 = linear_select([ + msg2570, + msg2571, +]); + +var msg2572 = msg("1334", dup265); + +var msg2573 = msg("1334:01", dup266); + +var select1226 = linear_select([ + msg2572, + msg2573, +]); + +var msg2574 = msg("1335", dup265); + +var msg2575 = msg("1335:01", dup266); + +var select1227 = linear_select([ + msg2574, + msg2575, +]); + +var msg2576 = msg("1336", dup265); + +var msg2577 = msg("1336:01", dup266); + +var select1228 = linear_select([ + msg2576, + msg2577, +]); + +var msg2578 = msg("1337", dup265); + +var msg2579 = msg("1337:01", dup266); + +var select1229 = linear_select([ + msg2578, + msg2579, +]); + +var msg2580 = msg("1338", dup265); + +var msg2581 = msg("1338:01", dup266); + +var select1230 = linear_select([ + msg2580, + msg2581, +]); + +var msg2582 = msg("1339", dup265); + +var msg2583 = msg("1339:01", dup266); + +var select1231 = linear_select([ + msg2582, + msg2583, +]); + +var msg2584 = msg("1340", dup274); + +var msg2585 = msg("1340:01", dup275); + +var select1232 = linear_select([ + msg2584, + msg2585, +]); + +var msg2586 = msg("1341", dup265); + +var msg2587 = msg("1341:01", dup266); + +var select1233 = linear_select([ + msg2586, + msg2587, +]); + +var msg2588 = msg("1342", dup265); + +var msg2589 = msg("1342:01", dup266); + +var select1234 = linear_select([ + msg2588, + msg2589, +]); + +var msg2590 = msg("1343", dup265); + +var msg2591 = msg("1343:01", dup266); + +var select1235 = linear_select([ + msg2590, + msg2591, +]); + +var msg2592 = msg("1344", dup265); + +var msg2593 = msg("1344:01", dup266); + +var select1236 = linear_select([ + msg2592, + msg2593, +]); + +var msg2594 = msg("1345", dup265); + +var msg2595 = msg("1345:01", dup266); + +var select1237 = linear_select([ + msg2594, + msg2595, +]); + +var msg2596 = msg("1346", dup265); + +var msg2597 = msg("1346:01", dup266); + +var select1238 = linear_select([ + msg2596, + msg2597, +]); + +var msg2598 = msg("1347", dup265); + +var msg2599 = msg("1347:01", dup266); + +var select1239 = linear_select([ + msg2598, + msg2599, +]); + +var msg2600 = msg("1348", dup265); + +var msg2601 = msg("1348:01", dup266); + +var select1240 = linear_select([ + msg2600, + msg2601, +]); + +var msg2602 = msg("1349", dup265); + +var msg2603 = msg("1349:01", dup266); + +var select1241 = linear_select([ + msg2602, + msg2603, +]); + +var msg2604 = msg("1350", dup265); + +var msg2605 = msg("1350:01", dup266); + +var select1242 = linear_select([ + msg2604, + msg2605, +]); + +var msg2606 = msg("1351", dup267); + +var msg2607 = msg("1351:01", dup268); + +var select1243 = linear_select([ + msg2606, + msg2607, +]); + +var msg2608 = msg("1352", dup267); + +var msg2609 = msg("1352:01", dup268); + +var select1244 = linear_select([ + msg2608, + msg2609, +]); + +var msg2610 = msg("1353", dup265); + +var msg2611 = msg("1353:01", dup266); + +var select1245 = linear_select([ + msg2610, + msg2611, +]); + +var msg2612 = msg("1354", dup265); + +var msg2613 = msg("1354:01", dup266); + +var select1246 = linear_select([ + msg2612, + msg2613, +]); + +var msg2614 = msg("1355", dup267); + +var msg2615 = msg("1355:01", dup268); + +var select1247 = linear_select([ + msg2614, + msg2615, +]); + +var msg2616 = msg("1356", dup267); + +var msg2617 = msg("1356:01", dup268); + +var select1248 = linear_select([ + msg2616, + msg2617, +]); + +var msg2618 = msg("1357", dup265); + +var msg2619 = msg("1357:01", dup266); + +var select1249 = linear_select([ + msg2618, + msg2619, +]); + +var msg2620 = msg("1358", dup265); + +var msg2621 = msg("1358:01", dup266); + +var select1250 = linear_select([ + msg2620, + msg2621, +]); + +var msg2622 = msg("1359", dup265); + +var msg2623 = msg("1359:01", dup266); + +var select1251 = linear_select([ + msg2622, + msg2623, +]); + +var msg2624 = msg("1360", dup265); + +var msg2625 = msg("1360:01", dup266); + +var select1252 = linear_select([ + msg2624, + msg2625, +]); + +var msg2626 = msg("1361", dup265); + +var msg2627 = msg("1361:01", dup266); + +var select1253 = linear_select([ + msg2626, + msg2627, +]); + +var msg2628 = msg("1362", dup265); + +var msg2629 = msg("1362:01", dup266); + +var select1254 = linear_select([ + msg2628, + msg2629, +]); + +var msg2630 = msg("1363", dup265); + +var msg2631 = msg("1363:01", dup266); + +var select1255 = linear_select([ + msg2630, + msg2631, +]); + +var msg2632 = msg("1364", dup265); + +var msg2633 = msg("1364:01", dup266); + +var select1256 = linear_select([ + msg2632, + msg2633, +]); + +var msg2634 = msg("1365", dup265); + +var msg2635 = msg("1365:01", dup266); + +var select1257 = linear_select([ + msg2634, + msg2635, +]); + +var msg2636 = msg("1366", dup265); + +var msg2637 = msg("1366:01", dup266); + +var select1258 = linear_select([ + msg2636, + msg2637, +]); + +var msg2638 = msg("1367", dup265); + +var msg2639 = msg("1367:01", dup266); + +var select1259 = linear_select([ + msg2638, + msg2639, +]); + +var msg2640 = msg("1368", dup265); + +var msg2641 = msg("1368:01", dup266); + +var select1260 = linear_select([ + msg2640, + msg2641, +]); + +var msg2642 = msg("1369", dup265); + +var msg2643 = msg("1369:01", dup266); + +var select1261 = linear_select([ + msg2642, + msg2643, +]); + +var msg2644 = msg("1370", dup265); + +var msg2645 = msg("1370:01", dup266); + +var select1262 = linear_select([ + msg2644, + msg2645, +]); + +var msg2646 = msg("1371", dup265); + +var msg2647 = msg("1371:01", dup266); + +var select1263 = linear_select([ + msg2646, + msg2647, +]); + +var msg2648 = msg("1372", dup265); + +var msg2649 = msg("1372:01", dup266); + +var select1264 = linear_select([ + msg2648, + msg2649, +]); + +var msg2650 = msg("1373", dup265); + +var msg2651 = msg("1373:01", dup266); + +var select1265 = linear_select([ + msg2650, + msg2651, +]); + +var msg2652 = msg("1374", dup265); + +var msg2653 = msg("1374:01", dup266); + +var select1266 = linear_select([ + msg2652, + msg2653, +]); + +var msg2654 = msg("1375", dup238); + +var msg2655 = msg("1375:01", dup239); + +var select1267 = linear_select([ + msg2654, + msg2655, +]); + +var msg2656 = msg("1376", dup265); + +var msg2657 = msg("1376:01", dup266); + +var select1268 = linear_select([ + msg2656, + msg2657, +]); + +var msg2658 = msg("1377", dup227); + +var msg2659 = msg("1377:01", dup228); + +var select1269 = linear_select([ + msg2658, + msg2659, +]); + +var msg2660 = msg("1378", dup227); + +var msg2661 = msg("1378:01", dup228); + +var select1270 = linear_select([ + msg2660, + msg2661, +]); + +var msg2662 = msg("1379", dup222); + +var msg2663 = msg("1379:01", dup223); + +var select1271 = linear_select([ + msg2662, + msg2663, +]); + +var msg2664 = msg("1380", dup265); + +var msg2665 = msg("1380:01", dup266); + +var select1272 = linear_select([ + msg2664, + msg2665, +]); + +var msg2666 = msg("1381", dup194); + +var msg2667 = msg("1381:01", dup229); + +var select1273 = linear_select([ + msg2666, + msg2667, +]); + +var msg2668 = msg("1382", dup222); + +var msg2669 = msg("1382:01", dup223); + +var select1274 = linear_select([ + msg2668, + msg2669, +]); + +var msg2670 = msg("1383", dup196); + +var msg2671 = msg("1383:01", dup217); + +var select1275 = linear_select([ + msg2670, + msg2671, +]); + +var msg2672 = msg("1384", dup196); + +var msg2673 = msg("1384:01", dup217); + +var select1276 = linear_select([ + msg2672, + msg2673, +]); + +var msg2674 = msg("1385", dup240); + +var msg2675 = msg("1385:01", dup241); + +var select1277 = linear_select([ + msg2674, + msg2675, +]); + +var msg2676 = msg("1386", dup197); + +var msg2677 = msg("1386:01", dup221); + +var select1278 = linear_select([ + msg2676, + msg2677, +]); + +var msg2678 = msg("1387", dup197); + +var msg2679 = msg("1387:01", dup221); + +var select1279 = linear_select([ + msg2678, + msg2679, +]); + +var msg2680 = msg("1388", dup222); + +var msg2681 = msg("1388:01", dup223); + +var select1280 = linear_select([ + msg2680, + msg2681, +]); + +var msg2682 = msg("1389", dup265); + +var msg2683 = msg("1389:01", dup266); + +var select1281 = linear_select([ + msg2682, + msg2683, +]); + +var msg2684 = msg("1390", dup196); + +var msg2685 = msg("1390:01", dup217); + +var select1282 = linear_select([ + msg2684, + msg2685, +]); + +var msg2686 = msg("1391", dup267); + +var msg2687 = msg("1391:01", dup268); + +var select1283 = linear_select([ + msg2686, + msg2687, +]); + +var msg2688 = msg("1392", dup265); + +var msg2689 = msg("1392:01", dup266); + +var select1284 = linear_select([ + msg2688, + msg2689, +]); + +var msg2690 = msg("1393", dup196); + +var msg2691 = msg("1393:01", dup217); + +var select1285 = linear_select([ + msg2690, + msg2691, +]); + +var msg2692 = msg("1394", dup196); + +var msg2693 = msg("1394:01", dup217); + +var select1286 = linear_select([ + msg2692, + msg2693, +]); + +var msg2694 = msg("1395", dup265); + +var msg2695 = msg("1395:01", dup266); + +var select1287 = linear_select([ + msg2694, + msg2695, +]); + +var msg2696 = msg("1396", dup265); + +var msg2697 = msg("1396:01", dup266); + +var select1288 = linear_select([ + msg2696, + msg2697, +]); + +var msg2698 = msg("1397", dup265); + +var msg2699 = msg("1397:01", dup266); + +var select1289 = linear_select([ + msg2698, + msg2699, +]); + +var msg2700 = msg("1398", dup196); + +var msg2701 = msg("1398:01", dup217); + +var select1290 = linear_select([ + msg2700, + msg2701, +]); + +var msg2702 = msg("1399", dup265); + +var msg2703 = msg("1399:01", dup266); + +var select1291 = linear_select([ + msg2702, + msg2703, +]); + +var msg2704 = msg("1400", dup265); + +var msg2705 = msg("1400:01", dup266); + +var select1292 = linear_select([ + msg2704, + msg2705, +]); + +var msg2706 = msg("1401", dup265); + +var msg2707 = msg("1401:01", dup266); + +var select1293 = linear_select([ + msg2706, + msg2707, +]); + +var msg2708 = msg("1402", dup265); + +var msg2709 = msg("1402:01", dup266); + +var select1294 = linear_select([ + msg2708, + msg2709, +]); + +var msg2710 = msg("1403", dup265); + +var msg2711 = msg("1403:01", dup266); + +var select1295 = linear_select([ + msg2710, + msg2711, +]); + +var msg2712 = msg("1404", dup265); + +var msg2713 = msg("1404:01", dup266); + +var select1296 = linear_select([ + msg2712, + msg2713, +]); + +var msg2714 = msg("1405", dup265); + +var msg2715 = msg("1405:01", dup266); + +var select1297 = linear_select([ + msg2714, + msg2715, +]); + +var msg2716 = msg("1406", dup265); + +var msg2717 = msg("1406:01", dup266); + +var select1298 = linear_select([ + msg2716, + msg2717, +]); + +var msg2718 = msg("1407", dup265); + +var msg2719 = msg("1407:01", dup266); + +var select1299 = linear_select([ + msg2718, + msg2719, +]); + +var msg2720 = msg("1408", dup198); + +var msg2721 = msg("1408:01", dup220); + +var select1300 = linear_select([ + msg2720, + msg2721, +]); + +var msg2722 = msg("1409", dup222); + +var msg2723 = msg("1409:01", dup223); + +var select1301 = linear_select([ + msg2722, + msg2723, +]); + +var msg2724 = msg("1410", dup265); + +var msg2725 = msg("1410:01", dup266); + +var select1302 = linear_select([ + msg2724, + msg2725, +]); + +var msg2726 = msg("1411", dup242); + +var msg2727 = msg("1411:01", dup243); + +var select1303 = linear_select([ + msg2726, + msg2727, +]); + +var msg2728 = msg("1412", dup283); + +var msg2729 = msg("1412:01", dup284); + +var select1304 = linear_select([ + msg2728, + msg2729, +]); + +var msg2730 = msg("1413", dup242); + +var msg2731 = msg("1413:01", dup243); + +var select1305 = linear_select([ + msg2730, + msg2731, +]); + +var msg2732 = msg("1414", dup283); + +var msg2733 = msg("1414:01", dup284); + +var select1306 = linear_select([ + msg2732, + msg2733, +]); + +var msg2734 = msg("1415", dup242); + +var msg2735 = msg("1415:01", dup243); + +var select1307 = linear_select([ + msg2734, + msg2735, +]); + +var msg2736 = msg("1416", dup242); + +var msg2737 = msg("1416:01", dup243); + +var select1308 = linear_select([ + msg2736, + msg2737, +]); + +var msg2738 = msg("1417", dup242); + +var msg2739 = msg("1417:01", dup243); + +var select1309 = linear_select([ + msg2738, + msg2739, +]); + +var msg2740 = msg("1418", dup283); + +var msg2741 = msg("1418:01", dup284); + +var select1310 = linear_select([ + msg2740, + msg2741, +]); + +var msg2742 = msg("1419", dup242); + +var msg2743 = msg("1419:01", dup243); + +var select1311 = linear_select([ + msg2742, + msg2743, +]); + +var msg2744 = msg("1420", dup283); + +var msg2745 = msg("1420:01", dup284); + +var select1312 = linear_select([ + msg2744, + msg2745, +]); + +var msg2746 = msg("1421", dup253); + +var msg2747 = msg("1421:01", dup254); + +var select1313 = linear_select([ + msg2746, + msg2747, +]); + +var msg2748 = msg("1422", dup222); + +var msg2749 = msg("1422:01", dup223); + +var select1314 = linear_select([ + msg2748, + msg2749, +]); + +var msg2750 = msg("1423", dup197); + +var msg2751 = msg("1423:01", dup217); + +var select1315 = linear_select([ + msg2750, + msg2751, +]); + +var msg2752 = msg("1424", dup196); + +var msg2753 = msg("1424:01", dup217); + +var select1316 = linear_select([ + msg2752, + msg2753, +]); + +var msg2754 = msg("1425", dup265); + +var msg2755 = msg("1425:01", dup217); + +var select1317 = linear_select([ + msg2754, + msg2755, +]); + +var msg2756 = msg("1426", dup242); + +var msg2757 = msg("1426:01", dup243); + +var select1318 = linear_select([ + msg2756, + msg2757, +]); + +var msg2758 = msg("1427", dup242); + +var msg2759 = msg("1427:01", dup243); + +var select1319 = linear_select([ + msg2758, + msg2759, +]); + +var msg2760 = msg("1428", dup196); + +var msg2761 = msg("1428:01", dup217); + +var select1320 = linear_select([ + msg2760, + msg2761, +]); + +var msg2762 = msg("1429", dup196); + +var msg2763 = msg("1429:01", dup217); + +var select1321 = linear_select([ + msg2762, + msg2763, +]); + +var msg2764 = msg("1430", dup278); + +var msg2765 = msg("1430:01", dup279); + +var select1322 = linear_select([ + msg2764, + msg2765, +]); + +var msg2766 = msg("1431", dup196); + +var msg2767 = msg("1431:01", dup217); + +var select1323 = linear_select([ + msg2766, + msg2767, +]); + +var msg2768 = msg("1432", dup196); + +var msg2769 = msg("1432:01", dup217); + +var select1324 = linear_select([ + msg2768, + msg2769, +]); + +var msg2770 = msg("1433", dup265); + +var msg2771 = msg("1433:01", dup266); + +var select1325 = linear_select([ + msg2770, + msg2771, +]); + +var msg2772 = msg("1434", dup265); + +var msg2773 = msg("1434:01", dup266); + +var select1326 = linear_select([ + msg2772, + msg2773, +]); + +var msg2774 = msg("1435", dup196); + +var msg2775 = msg("1435:01", dup217); + +var select1327 = linear_select([ + msg2774, + msg2775, +]); + +var msg2776 = msg("1436", dup196); + +var msg2777 = msg("1436:01", dup217); + +var select1328 = linear_select([ + msg2776, + msg2777, +]); + +var msg2778 = msg("1437", dup196); + +var msg2779 = msg("1437:01", dup217); + +var select1329 = linear_select([ + msg2778, + msg2779, +]); + +var msg2780 = msg("1438", dup196); + +var msg2781 = msg("1438:01", dup217); + +var select1330 = linear_select([ + msg2780, + msg2781, +]); + +var msg2782 = msg("1439", dup196); + +var msg2783 = msg("1439:01", dup217); + +var select1331 = linear_select([ + msg2782, + msg2783, +]); + +var msg2784 = msg("1440", dup196); + +var msg2785 = msg("1440:01", dup217); + +var select1332 = linear_select([ + msg2784, + msg2785, +]); + +var msg2786 = msg("1441", dup196); + +var msg2787 = msg("1441:01", dup217); + +var select1333 = linear_select([ + msg2786, + msg2787, +]); + +var msg2788 = msg("1442", dup196); + +var msg2789 = msg("1442:01", dup217); + +var select1334 = linear_select([ + msg2788, + msg2789, +]); + +var msg2790 = msg("1443", dup196); + +var msg2791 = msg("1443:01", dup217); + +var select1335 = linear_select([ + msg2790, + msg2791, +]); + +var msg2792 = msg("1444", dup196); + +var msg2793 = msg("1444:01", dup217); + +var select1336 = linear_select([ + msg2792, + msg2793, +]); + +var msg2794 = msg("1445", dup227); + +var msg2795 = msg("1445:01", dup228); + +var select1337 = linear_select([ + msg2794, + msg2795, +]); + +var msg2796 = msg("1446", dup250); + +var msg2797 = msg("1446:01", dup251); + +var select1338 = linear_select([ + msg2796, + msg2797, +]); + +var msg2798 = msg("1447", dup196); + +var msg2799 = msg("1447:01", dup217); + +var select1339 = linear_select([ + msg2798, + msg2799, +]); + +var msg2800 = msg("1448", dup196); + +var msg2801 = msg("1448:01", dup217); + +var select1340 = linear_select([ + msg2800, + msg2801, +]); + +var msg2802 = msg("1449", dup227); + +var msg2803 = msg("1449:01", dup228); + +var select1341 = linear_select([ + msg2802, + msg2803, +]); + +var msg2804 = msg("1450", dup250); + +var msg2805 = msg("1450:01", dup251); + +var select1342 = linear_select([ + msg2804, + msg2805, +]); + +var msg2806 = msg("1451", dup265); + +var msg2807 = msg("1451:01", dup266); + +var select1343 = linear_select([ + msg2806, + msg2807, +]); + +var msg2808 = msg("1452", dup265); + +var msg2809 = msg("1452:01", dup266); + +var select1344 = linear_select([ + msg2808, + msg2809, +]); + +var msg2810 = msg("1453", dup265); + +var msg2811 = msg("1453:01", dup266); + +var select1345 = linear_select([ + msg2810, + msg2811, +]); + +var msg2812 = msg("1454", dup265); + +var msg2813 = msg("1454:01", dup266); + +var select1346 = linear_select([ + msg2812, + msg2813, +]); + +var msg2814 = msg("1455", dup265); + +var msg2815 = msg("1455:01", dup266); + +var select1347 = linear_select([ + msg2814, + msg2815, +]); + +var msg2816 = msg("1456", dup265); + +var msg2817 = msg("1456:01", dup266); + +var select1348 = linear_select([ + msg2816, + msg2817, +]); + +var msg2818 = msg("1457", dup265); + +var msg2819 = msg("1457:01", dup266); + +var select1349 = linear_select([ + msg2818, + msg2819, +]); + +var msg2820 = msg("1458", dup265); + +var msg2821 = msg("1458:01", dup266); + +var select1350 = linear_select([ + msg2820, + msg2821, +]); + +var msg2822 = msg("1459", dup265); + +var msg2823 = msg("1459:01", dup266); + +var select1351 = linear_select([ + msg2822, + msg2823, +]); + +var msg2824 = msg("1460", dup265); + +var msg2825 = msg("1460:01", dup266); + +var select1352 = linear_select([ + msg2824, + msg2825, +]); + +var msg2826 = msg("1461", dup265); + +var msg2827 = msg("1461:01", dup266); + +var select1353 = linear_select([ + msg2826, + msg2827, +]); + +var msg2828 = msg("1462", dup265); + +var msg2829 = msg("1462:01", dup266); + +var select1354 = linear_select([ + msg2828, + msg2829, +]); + +var msg2830 = msg("1463", dup196); + +var msg2831 = msg("1463:01", dup217); + +var select1355 = linear_select([ + msg2830, + msg2831, +]); + +var msg2832 = msg("1464", dup196); + +var msg2833 = msg("1464:01", dup217); + +var select1356 = linear_select([ + msg2832, + msg2833, +]); + +var msg2834 = msg("1465", dup265); + +var msg2835 = msg("1465:01", dup266); + +var select1357 = linear_select([ + msg2834, + msg2835, +]); + +var msg2836 = msg("1466", dup265); + +var msg2837 = msg("1466:01", dup266); + +var select1358 = linear_select([ + msg2836, + msg2837, +]); + +var msg2838 = msg("1467", dup265); + +var msg2839 = msg("1467:01", dup266); + +var select1359 = linear_select([ + msg2838, + msg2839, +]); + +var msg2840 = msg("1468", dup265); + +var msg2841 = msg("1468:01", dup266); + +var select1360 = linear_select([ + msg2840, + msg2841, +]); + +var msg2842 = msg("1469", dup265); + +var msg2843 = msg("1469:01", dup266); + +var select1361 = linear_select([ + msg2842, + msg2843, +]); + +var msg2844 = msg("1470", dup265); + +var msg2845 = msg("1470:01", dup266); + +var select1362 = linear_select([ + msg2844, + msg2845, +]); + +var msg2846 = msg("1471", dup265); + +var msg2847 = msg("1471:01", dup266); + +var select1363 = linear_select([ + msg2846, + msg2847, +]); + +var msg2848 = msg("1472", dup265); + +var msg2849 = msg("1472:01", dup266); + +var select1364 = linear_select([ + msg2848, + msg2849, +]); + +var msg2850 = msg("1473", dup265); + +var msg2851 = msg("1473:01", dup266); + +var select1365 = linear_select([ + msg2850, + msg2851, +]); + +var msg2852 = msg("1474", dup265); + +var msg2853 = msg("1474:01", dup266); + +var select1366 = linear_select([ + msg2852, + msg2853, +]); + +var msg2854 = msg("1475", dup265); + +var msg2855 = msg("1475:01", dup266); + +var select1367 = linear_select([ + msg2854, + msg2855, +]); + +var msg2856 = msg("1476", dup265); + +var msg2857 = msg("1476:01", dup266); + +var select1368 = linear_select([ + msg2856, + msg2857, +]); + +var msg2858 = msg("1477", dup265); + +var msg2859 = msg("1477:01", dup266); + +var select1369 = linear_select([ + msg2858, + msg2859, +]); + +var msg2860 = msg("1478", dup265); + +var msg2861 = msg("1478:01", dup266); + +var select1370 = linear_select([ + msg2860, + msg2861, +]); + +var msg2862 = msg("1479", dup265); + +var msg2863 = msg("1479:01", dup266); + +var select1371 = linear_select([ + msg2862, + msg2863, +]); + +var msg2864 = msg("1480", dup265); + +var msg2865 = msg("1480:01", dup266); + +var select1372 = linear_select([ + msg2864, + msg2865, +]); + +var msg2866 = msg("1481", dup265); + +var msg2867 = msg("1481:01", dup266); + +var select1373 = linear_select([ + msg2866, + msg2867, +]); + +var msg2868 = msg("1482", dup265); + +var msg2869 = msg("1482:01", dup266); + +var select1374 = linear_select([ + msg2868, + msg2869, +]); + +var msg2870 = msg("1483", dup265); + +var msg2871 = msg("1483:01", dup266); + +var select1375 = linear_select([ + msg2870, + msg2871, +]); + +var msg2872 = msg("1484", dup265); + +var msg2873 = msg("1484:01", dup266); + +var select1376 = linear_select([ + msg2872, + msg2873, +]); + +var msg2874 = msg("1485", dup265); + +var msg2875 = msg("1485:01", dup266); + +var select1377 = linear_select([ + msg2874, + msg2875, +]); + +var msg2876 = msg("1486", dup265); + +var msg2877 = msg("1486:01", dup266); + +var select1378 = linear_select([ + msg2876, + msg2877, +]); + +var msg2878 = msg("1487", dup265); + +var msg2879 = msg("1487:01", dup266); + +var select1379 = linear_select([ + msg2878, + msg2879, +]); + +var msg2880 = msg("1488", dup265); + +var msg2881 = msg("1488:01", dup266); + +var select1380 = linear_select([ + msg2880, + msg2881, +]); + +var msg2882 = msg("1489", dup265); + +var msg2883 = msg("1489:01", dup266); + +var select1381 = linear_select([ + msg2882, + msg2883, +]); + +var msg2884 = msg("1490", dup265); + +var msg2885 = msg("1490:01", dup266); + +var select1382 = linear_select([ + msg2884, + msg2885, +]); + +var msg2886 = msg("1491", dup265); + +var msg2887 = msg("1491:01", dup266); + +var select1383 = linear_select([ + msg2886, + msg2887, +]); + +var msg2888 = msg("1492", dup265); + +var msg2889 = msg("1492:01", dup266); + +var select1384 = linear_select([ + msg2888, + msg2889, +]); + +var msg2890 = msg("1493", dup265); + +var msg2891 = msg("1493:01", dup266); + +var select1385 = linear_select([ + msg2890, + msg2891, +]); + +var msg2892 = msg("1494", dup265); + +var msg2893 = msg("1494:01", dup266); + +var select1386 = linear_select([ + msg2892, + msg2893, +]); + +var msg2894 = msg("1495", dup265); + +var msg2895 = msg("1495:01", dup266); + +var select1387 = linear_select([ + msg2894, + msg2895, +]); + +var msg2896 = msg("1496", dup265); + +var msg2897 = msg("1496:01", dup266); + +var select1388 = linear_select([ + msg2896, + msg2897, +]); + +var msg2898 = msg("1497", dup265); + +var msg2899 = msg("1497:01", dup266); + +var select1389 = linear_select([ + msg2898, + msg2899, +]); + +var msg2900 = msg("1498", dup265); + +var msg2901 = msg("1498:01", dup266); + +var select1390 = linear_select([ + msg2900, + msg2901, +]); + +var msg2902 = msg("1499", dup265); + +var msg2903 = msg("1499:01", dup266); + +var select1391 = linear_select([ + msg2902, + msg2903, +]); + +var msg2904 = msg("1500", dup265); + +var msg2905 = msg("1500:01", dup266); + +var select1392 = linear_select([ + msg2904, + msg2905, +]); + +var msg2906 = msg("1501", dup265); + +var msg2907 = msg("1501:01", dup266); + +var select1393 = linear_select([ + msg2906, + msg2907, +]); + +var msg2908 = msg("1502", dup265); + +var msg2909 = msg("1502:01", dup266); + +var select1394 = linear_select([ + msg2908, + msg2909, +]); + +var msg2910 = msg("1503", dup265); + +var msg2911 = msg("1503:01", dup266); + +var select1395 = linear_select([ + msg2910, + msg2911, +]); + +var msg2912 = msg("1504", dup196); + +var msg2913 = msg("1504:01", dup217); + +var select1396 = linear_select([ + msg2912, + msg2913, +]); + +var msg2914 = msg("1505", dup269); + +var msg2915 = msg("1505:01", dup270); + +var select1397 = linear_select([ + msg2914, + msg2915, +]); + +var msg2916 = msg("1506", dup269); + +var msg2917 = msg("1506:01", dup270); + +var select1398 = linear_select([ + msg2916, + msg2917, +]); + +var msg2918 = msg("1507", dup269); + +var msg2919 = msg("1507:01", dup270); + +var select1399 = linear_select([ + msg2918, + msg2919, +]); + +var msg2920 = msg("1508", dup265); + +var msg2921 = msg("1508:01", dup266); + +var select1400 = linear_select([ + msg2920, + msg2921, +]); + +var msg2922 = msg("1509", dup265); + +var msg2923 = msg("1509:01", dup266); + +var select1401 = linear_select([ + msg2922, + msg2923, +]); + +var msg2924 = msg("1510", dup269); + +var msg2925 = msg("1510:01", dup270); + +var select1402 = linear_select([ + msg2924, + msg2925, +]); + +var msg2926 = msg("1511", dup265); + +var msg2927 = msg("1511:01", dup266); + +var select1403 = linear_select([ + msg2926, + msg2927, +]); + +var msg2928 = msg("1512", dup269); + +var msg2929 = msg("1512:01", dup270); + +var select1404 = linear_select([ + msg2928, + msg2929, +]); + +var msg2930 = msg("1513", dup265); + +var msg2931 = msg("1513:01", dup266); + +var select1405 = linear_select([ + msg2930, + msg2931, +]); + +var msg2932 = msg("1514", dup269); + +var msg2933 = msg("1514:01", dup270); + +var select1406 = linear_select([ + msg2932, + msg2933, +]); + +var msg2934 = msg("1515", dup265); + +var msg2935 = msg("1515:01", dup266); + +var select1407 = linear_select([ + msg2934, + msg2935, +]); + +var msg2936 = msg("1516", dup269); + +var msg2937 = msg("1516:01", dup270); + +var select1408 = linear_select([ + msg2936, + msg2937, +]); + +var msg2938 = msg("1517", dup265); + +var msg2939 = msg("1517:01", dup266); + +var select1409 = linear_select([ + msg2938, + msg2939, +]); + +var msg2940 = msg("1518", dup265); + +var msg2941 = msg("1518:01", dup266); + +var select1410 = linear_select([ + msg2940, + msg2941, +]); + +var msg2942 = msg("1519", dup265); + +var msg2943 = msg("1519:01", dup266); + +var select1411 = linear_select([ + msg2942, + msg2943, +]); + +var msg2944 = msg("1520", dup265); + +var msg2945 = msg("1520:01", dup266); + +var select1412 = linear_select([ + msg2944, + msg2945, +]); + +var msg2946 = msg("1521", dup265); + +var msg2947 = msg("1521:01", dup266); + +var select1413 = linear_select([ + msg2946, + msg2947, +]); + +var msg2948 = msg("1522", dup265); + +var msg2949 = msg("1522:01", dup266); + +var select1414 = linear_select([ + msg2948, + msg2949, +]); + +var msg2950 = msg("1523", dup265); + +var msg2951 = msg("1523:01", dup266); + +var select1415 = linear_select([ + msg2950, + msg2951, +]); + +var msg2952 = msg("1524", dup265); + +var msg2953 = msg("1524:01", dup266); + +var select1416 = linear_select([ + msg2952, + msg2953, +]); + +var msg2954 = msg("1525", dup265); + +var msg2955 = msg("1525:01", dup266); + +var select1417 = linear_select([ + msg2954, + msg2955, +]); + +var msg2956 = msg("1526", dup265); + +var msg2957 = msg("1526:01", dup266); + +var select1418 = linear_select([ + msg2956, + msg2957, +]); + +var msg2958 = msg("1527", dup240); + +var msg2959 = msg("1527:01", dup241); + +var select1419 = linear_select([ + msg2958, + msg2959, +]); + +var msg2960 = msg("1528", dup265); + +var msg2961 = msg("1528:01", dup266); + +var select1420 = linear_select([ + msg2960, + msg2961, +]); + +var msg2962 = msg("1529", dup222); + +var msg2963 = msg("1529:01", dup223); + +var select1421 = linear_select([ + msg2962, + msg2963, +]); + +var msg2964 = msg("1530", dup227); + +var msg2965 = msg("1530:01", dup228); + +var select1422 = linear_select([ + msg2964, + msg2965, +]); + +var msg2966 = msg("1531", dup265); + +var msg2967 = msg("1531:01", dup266); + +var select1423 = linear_select([ + msg2966, + msg2967, +]); + +var msg2968 = msg("1532", dup265); + +var msg2969 = msg("1532:01", dup266); + +var select1424 = linear_select([ + msg2968, + msg2969, +]); + +var msg2970 = msg("1533", dup265); + +var msg2971 = msg("1533:01", dup266); + +var select1425 = linear_select([ + msg2970, + msg2971, +]); + +var msg2972 = msg("1534", dup265); + +var msg2973 = msg("1534:01", dup266); + +var select1426 = linear_select([ + msg2972, + msg2973, +]); + +var msg2974 = msg("1535", dup265); + +var msg2975 = msg("1535:01", dup266); + +var select1427 = linear_select([ + msg2974, + msg2975, +]); + +var msg2976 = msg("1536", dup269); + +var msg2977 = msg("1536:01", dup270); + +var select1428 = linear_select([ + msg2976, + msg2977, +]); + +var msg2978 = msg("1537", dup265); + +var msg2979 = msg("1537:01", dup266); + +var select1429 = linear_select([ + msg2978, + msg2979, +]); + +var msg2980 = msg("1538", dup222); + +var msg2981 = msg("1538:01", dup223); + +var select1430 = linear_select([ + msg2980, + msg2981, +]); + +var msg2982 = msg("1539", dup265); + +var msg2983 = msg("1539:01", dup266); + +var select1431 = linear_select([ + msg2982, + msg2983, +]); + +var msg2984 = msg("1540", dup265); + +var msg2985 = msg("1540:01", dup266); + +var select1432 = linear_select([ + msg2984, + msg2985, +]); + +var msg2986 = msg("1541", dup225); + +var msg2987 = msg("1541:01", dup226); + +var select1433 = linear_select([ + msg2986, + msg2987, +]); + +var msg2988 = msg("1542", dup265); + +var msg2989 = msg("1542:01", dup266); + +var select1434 = linear_select([ + msg2988, + msg2989, +]); + +var msg2990 = msg("1543", dup265); + +var msg2991 = msg("1543:01", dup266); + +var select1435 = linear_select([ + msg2990, + msg2991, +]); + +var msg2992 = msg("1544", dup267); + +var msg2993 = msg("1544:01", dup268); + +var select1436 = linear_select([ + msg2992, + msg2993, +]); + +var msg2994 = msg("1545", dup198); + +var msg2995 = msg("1545:01", dup220); + +var select1437 = linear_select([ + msg2994, + msg2995, +]); + +var msg2996 = msg("1546", dup198); + +var msg2997 = msg("1546:01", dup220); + +var select1438 = linear_select([ + msg2996, + msg2997, +]); + +var msg2998 = msg("1547", dup269); + +var msg2999 = msg("1547:01", dup270); + +var select1439 = linear_select([ + msg2998, + msg2999, +]); + +var msg3000 = msg("1548", dup265); + +var msg3001 = msg("1548:01", dup266); + +var select1440 = linear_select([ + msg3000, + msg3001, +]); + +var msg3002 = msg("1549", dup222); + +var msg3003 = msg("1549:01", dup223); + +var select1441 = linear_select([ + msg3002, + msg3003, +]); + +var msg3004 = msg("1550", dup222); + +var msg3005 = msg("1550:01", dup223); + +var select1442 = linear_select([ + msg3004, + msg3005, +]); + +var msg3006 = msg("1551", dup265); + +var msg3007 = msg("1551:01", dup266); + +var select1443 = linear_select([ + msg3006, + msg3007, +]); + +var msg3008 = msg("1552", dup265); + +var msg3009 = msg("1552:01", dup266); + +var select1444 = linear_select([ + msg3008, + msg3009, +]); + +var msg3010 = msg("1553", dup265); + +var msg3011 = msg("1553:01", dup266); + +var select1445 = linear_select([ + msg3010, + msg3011, +]); + +var msg3012 = msg("1554", dup265); + +var msg3013 = msg("1554:01", dup266); + +var select1446 = linear_select([ + msg3012, + msg3013, +]); + +var msg3014 = msg("1555", dup265); + +var msg3015 = msg("1555:01", dup266); + +var select1447 = linear_select([ + msg3014, + msg3015, +]); + +var msg3016 = msg("1556", dup265); + +var msg3017 = msg("1556:01", dup266); + +var select1448 = linear_select([ + msg3016, + msg3017, +]); + +var msg3018 = msg("1557", dup265); + +var msg3019 = msg("1557:01", dup266); + +var select1449 = linear_select([ + msg3018, + msg3019, +]); + +var msg3020 = msg("1558", dup267); + +var msg3021 = msg("1558:01", dup268); + +var select1450 = linear_select([ + msg3020, + msg3021, +]); + +var msg3022 = msg("1559", dup265); + +var msg3023 = msg("1559:01", dup266); + +var select1451 = linear_select([ + msg3022, + msg3023, +]); + +var msg3024 = msg("1560", dup265); + +var msg3025 = msg("1560:01", dup266); + +var select1452 = linear_select([ + msg3024, + msg3025, +]); + +var msg3026 = msg("1561", dup265); + +var msg3027 = msg("1561:01", dup266); + +var select1453 = linear_select([ + msg3026, + msg3027, +]); + +var msg3028 = msg("1562", dup222); + +var msg3029 = msg("1562:01", dup223); + +var select1454 = linear_select([ + msg3028, + msg3029, +]); + +var msg3030 = msg("1563", dup265); + +var msg3031 = msg("1563:01", dup266); + +var select1455 = linear_select([ + msg3030, + msg3031, +]); + +var msg3032 = msg("1564", dup265); + +var msg3033 = msg("1564:01", dup266); + +var select1456 = linear_select([ + msg3032, + msg3033, +]); + +var msg3034 = msg("1565", dup269); + +var msg3035 = msg("1565:01", dup270); + +var select1457 = linear_select([ + msg3034, + msg3035, +]); + +var msg3036 = msg("1566", dup265); + +var msg3037 = msg("1566:01", dup266); + +var select1458 = linear_select([ + msg3036, + msg3037, +]); + +var msg3038 = msg("1567", dup265); + +var msg3039 = msg("1567:01", dup266); + +var select1459 = linear_select([ + msg3038, + msg3039, +]); + +var msg3040 = msg("1568", dup265); + +var msg3041 = msg("1568:01", dup266); + +var select1460 = linear_select([ + msg3040, + msg3041, +]); + +var msg3042 = msg("1569", dup265); + +var msg3043 = msg("1569:01", dup266); + +var select1461 = linear_select([ + msg3042, + msg3043, +]); + +var msg3044 = msg("1570", dup265); + +var msg3045 = msg("1570:01", dup266); + +var select1462 = linear_select([ + msg3044, + msg3045, +]); + +var msg3046 = msg("1571", dup265); + +var msg3047 = msg("1571:01", dup266); + +var select1463 = linear_select([ + msg3046, + msg3047, +]); + +var msg3048 = msg("1572", dup265); + +var msg3049 = msg("1572:01", dup266); + +var select1464 = linear_select([ + msg3048, + msg3049, +]); + +var msg3050 = msg("1573", dup265); + +var msg3051 = msg("1573:01", dup266); + +var select1465 = linear_select([ + msg3050, + msg3051, +]); + +var msg3052 = msg("1574", dup265); + +var msg3053 = msg("1574:01", dup266); + +var select1466 = linear_select([ + msg3052, + msg3053, +]); + +var msg3054 = msg("1575", dup265); + +var msg3055 = msg("1575:01", dup266); + +var select1467 = linear_select([ + msg3054, + msg3055, +]); + +var msg3056 = msg("1576", dup265); + +var msg3057 = msg("1576:01", dup266); + +var select1468 = linear_select([ + msg3056, + msg3057, +]); + +var msg3058 = msg("1577", dup265); + +var msg3059 = msg("1577:01", dup266); + +var select1469 = linear_select([ + msg3058, + msg3059, +]); + +var msg3060 = msg("1578", dup265); + +var msg3061 = msg("1578:01", dup266); + +var select1470 = linear_select([ + msg3060, + msg3061, +]); + +var msg3062 = msg("1579", dup265); + +var msg3063 = msg("1579:01", dup266); + +var select1471 = linear_select([ + msg3062, + msg3063, +]); + +var msg3064 = msg("1580", dup265); + +var msg3065 = msg("1580:01", dup266); + +var select1472 = linear_select([ + msg3064, + msg3065, +]); + +var msg3066 = msg("1581", dup265); + +var msg3067 = msg("1581:01", dup266); + +var select1473 = linear_select([ + msg3066, + msg3067, +]); + +var msg3068 = msg("1582", dup265); + +var msg3069 = msg("1582:01", dup266); + +var select1474 = linear_select([ + msg3068, + msg3069, +]); + +var msg3070 = msg("1583", dup265); + +var msg3071 = msg("1583:01", dup266); + +var select1475 = linear_select([ + msg3070, + msg3071, +]); + +var msg3072 = msg("1584", dup265); + +var msg3073 = msg("1584:01", dup266); + +var select1476 = linear_select([ + msg3072, + msg3073, +]); + +var msg3074 = msg("1585", dup265); + +var msg3075 = msg("1585:01", dup266); + +var select1477 = linear_select([ + msg3074, + msg3075, +]); + +var msg3076 = msg("1586", dup265); + +var msg3077 = msg("1586:01", dup266); + +var select1478 = linear_select([ + msg3076, + msg3077, +]); + +var msg3078 = msg("1587", dup265); + +var msg3079 = msg("1587:01", dup266); + +var select1479 = linear_select([ + msg3078, + msg3079, +]); + +var msg3080 = msg("1588", dup265); + +var msg3081 = msg("1588:01", dup266); + +var select1480 = linear_select([ + msg3080, + msg3081, +]); + +var msg3082 = msg("1589", dup265); + +var msg3083 = msg("1589:01", dup266); + +var select1481 = linear_select([ + msg3082, + msg3083, +]); + +var msg3084 = msg("1590", dup265); + +var msg3085 = msg("1590:01", dup266); + +var select1482 = linear_select([ + msg3084, + msg3085, +]); + +var msg3086 = msg("1591", dup265); + +var msg3087 = msg("1591:01", dup266); + +var select1483 = linear_select([ + msg3086, + msg3087, +]); + +var msg3088 = msg("1592", dup265); + +var msg3089 = msg("1592:01", dup266); + +var select1484 = linear_select([ + msg3088, + msg3089, +]); + +var msg3090 = msg("1593", dup265); + +var msg3091 = msg("1593:01", dup266); + +var select1485 = linear_select([ + msg3090, + msg3091, +]); + +var msg3092 = msg("1594", dup265); + +var msg3093 = msg("1594:01", dup266); + +var select1486 = linear_select([ + msg3092, + msg3093, +]); + +var msg3094 = msg("1595", dup265); + +var msg3095 = msg("1595:01", dup266); + +var select1487 = linear_select([ + msg3094, + msg3095, +]); + +var msg3096 = msg("1597", dup265); + +var msg3097 = msg("1597:01", dup266); + +var select1488 = linear_select([ + msg3096, + msg3097, +]); + +var msg3098 = msg("1598", dup265); + +var msg3099 = msg("1598:01", dup266); + +var select1489 = linear_select([ + msg3098, + msg3099, +]); + +var msg3100 = msg("1599", dup265); + +var msg3101 = msg("1599:01", dup266); + +var select1490 = linear_select([ + msg3100, + msg3101, +]); + +var msg3102 = msg("1600", dup265); + +var msg3103 = msg("1600:01", dup266); + +var select1491 = linear_select([ + msg3102, + msg3103, +]); + +var msg3104 = msg("1601", dup265); + +var msg3105 = msg("1601:01", dup266); + +var select1492 = linear_select([ + msg3104, + msg3105, +]); + +var msg3106 = msg("1602", dup265); + +var msg3107 = msg("1602:01", dup266); + +var select1493 = linear_select([ + msg3106, + msg3107, +]); + +var msg3108 = msg("1603", dup265); + +var msg3109 = msg("1603:01", dup266); + +var select1494 = linear_select([ + msg3108, + msg3109, +]); + +var msg3110 = msg("1604", dup265); + +var msg3111 = msg("1604:01", dup266); + +var select1495 = linear_select([ + msg3110, + msg3111, +]); + +var msg3112 = msg("1605", dup198); + +var msg3113 = msg("1605:01", dup220); + +var select1496 = linear_select([ + msg3112, + msg3113, +]); + +var msg3114 = msg("1606", dup265); + +var msg3115 = msg("1606:01", dup266); + +var select1497 = linear_select([ + msg3114, + msg3115, +]); + +var msg3116 = msg("1607", dup265); + +var msg3117 = msg("1607:01", dup266); + +var select1498 = linear_select([ + msg3116, + msg3117, +]); + +var msg3118 = msg("1608", dup265); + +var msg3119 = msg("1608:01", dup266); + +var select1499 = linear_select([ + msg3118, + msg3119, +]); + +var msg3120 = msg("1609", dup265); + +var msg3121 = msg("1609:01", dup266); + +var select1500 = linear_select([ + msg3120, + msg3121, +]); + +var msg3122 = msg("1610", dup269); + +var msg3123 = msg("1610:01", dup270); + +var select1501 = linear_select([ + msg3122, + msg3123, +]); + +var msg3124 = msg("1611", dup265); + +var msg3125 = msg("1611:01", dup266); + +var select1502 = linear_select([ + msg3124, + msg3125, +]); + +var msg3126 = msg("1612", dup265); + +var msg3127 = msg("1612:01", dup266); + +var select1503 = linear_select([ + msg3126, + msg3127, +]); + +var msg3128 = msg("1613", dup265); + +var msg3129 = msg("1613:01", dup266); + +var select1504 = linear_select([ + msg3128, + msg3129, +]); + +var msg3130 = msg("1614", dup265); + +var msg3131 = msg("1614:01", dup266); + +var select1505 = linear_select([ + msg3130, + msg3131, +]); + +var msg3132 = msg("1615", dup265); + +var msg3133 = msg("1615:01", dup266); + +var select1506 = linear_select([ + msg3132, + msg3133, +]); + +var msg3134 = msg("1616", dup196); + +var msg3135 = msg("1616:01", dup217); + +var select1507 = linear_select([ + msg3134, + msg3135, +]); + +var msg3136 = msg("1617", dup265); + +var msg3137 = msg("1617:01", dup266); + +var select1508 = linear_select([ + msg3136, + msg3137, +]); + +var msg3138 = msg("1618", dup196); + +var msg3139 = msg("1618:01", dup217); + +var select1509 = linear_select([ + msg3138, + msg3139, +]); + +var msg3140 = msg("1619", dup265); + +var msg3141 = msg("1619:01", dup266); + +var select1510 = linear_select([ + msg3140, + msg3141, +]); + +var msg3142 = msg("1620", dup196); + +var msg3143 = msg("1620:01", dup217); + +var select1511 = linear_select([ + msg3142, + msg3143, +]); + +var msg3144 = msg("1621", dup222); + +var msg3145 = msg("1621:01", dup223); + +var select1512 = linear_select([ + msg3144, + msg3145, +]); + +var msg3146 = msg("1622", dup227); + +var msg3147 = msg("1622:01", dup228); + +var select1513 = linear_select([ + msg3146, + msg3147, +]); + +var msg3148 = msg("1623", dup227); + +var msg3149 = msg("1623:01", dup228); + +var select1514 = linear_select([ + msg3148, + msg3149, +]); + +var msg3150 = msg("1624", dup222); + +var msg3151 = msg("1624:01", dup223); + +var select1515 = linear_select([ + msg3150, + msg3151, +]); + +var msg3152 = msg("1625", dup222); + +var msg3153 = msg("1625:01", dup223); + +var select1516 = linear_select([ + msg3152, + msg3153, +]); + +var msg3154 = msg("1626", dup265); + +var msg3155 = msg("1626:01", dup266); + +var select1517 = linear_select([ + msg3154, + msg3155, +]); + +var msg3156 = msg("1627", dup196); + +var msg3157 = msg("1627:01", dup217); + +var select1518 = linear_select([ + msg3156, + msg3157, +]); + +var msg3158 = msg("1628", dup265); + +var msg3159 = msg("1628:01", dup266); + +var select1519 = linear_select([ + msg3158, + msg3159, +]); + +var msg3160 = msg("1629", dup196); + +var msg3161 = msg("1629:01", dup217); + +var select1520 = linear_select([ + msg3160, + msg3161, +]); + +var msg3162 = msg("1630", dup227); + +var msg3163 = msg("1630:01", dup228); + +var select1521 = linear_select([ + msg3162, + msg3163, +]); + +var msg3164 = msg("1631", dup196); + +var msg3165 = msg("1631:01", dup217); + +var select1522 = linear_select([ + msg3164, + msg3165, +]); + +var msg3166 = msg("1632", dup196); + +var msg3167 = msg("1632:01", dup217); + +var select1523 = linear_select([ + msg3166, + msg3167, +]); + +var msg3168 = msg("1633", dup196); + +var msg3169 = msg("1633:01", dup217); + +var select1524 = linear_select([ + msg3168, + msg3169, +]); + +var msg3170 = msg("1634", dup222); + +var msg3171 = msg("1634:01", dup223); + +var select1525 = linear_select([ + msg3170, + msg3171, +]); + +var msg3172 = msg("1635", dup222); + +var msg3173 = msg("1635:01", dup223); + +var select1526 = linear_select([ + msg3172, + msg3173, +]); + +var msg3174 = msg("1636", dup222); + +var msg3175 = msg("1636:01", dup223); + +var select1527 = linear_select([ + msg3174, + msg3175, +]); + +var msg3176 = msg("1637", dup265); + +var msg3177 = msg("1637:01", dup266); + +var select1528 = linear_select([ + msg3176, + msg3177, +]); + +var msg3178 = msg("1638", dup194); + +var msg3179 = msg("1638:01", dup229); + +var select1529 = linear_select([ + msg3178, + msg3179, +]); + +var msg3180 = msg("1639", dup196); + +var msg3181 = msg("1639:01", dup217); + +var select1530 = linear_select([ + msg3180, + msg3181, +]); + +var msg3182 = msg("1640", dup196); + +var msg3183 = msg("1640:01", dup217); + +var select1531 = linear_select([ + msg3182, + msg3183, +]); + +var msg3184 = msg("1641", dup198); + +var msg3185 = msg("1641:01", dup220); + +var select1532 = linear_select([ + msg3184, + msg3185, +]); + +var msg3186 = msg("1642", dup265); + +var msg3187 = msg("1642:01", dup266); + +var select1533 = linear_select([ + msg3186, + msg3187, +]); + +var msg3188 = msg("1643", dup265); + +var msg3189 = msg("1643:01", dup266); + +var select1534 = linear_select([ + msg3188, + msg3189, +]); + +var msg3190 = msg("1644", dup265); + +var msg3191 = msg("1644:01", dup266); + +var select1535 = linear_select([ + msg3190, + msg3191, +]); + +var msg3192 = msg("1645", dup265); + +var msg3193 = msg("1645:01", dup266); + +var select1536 = linear_select([ + msg3192, + msg3193, +]); + +var msg3194 = msg("1646", dup265); + +var msg3195 = msg("1646:01", dup266); + +var select1537 = linear_select([ + msg3194, + msg3195, +]); + +var msg3196 = msg("1647", dup265); + +var msg3197 = msg("1647:01", dup266); + +var select1538 = linear_select([ + msg3196, + msg3197, +]); + +var msg3198 = msg("1648", dup265); + +var msg3199 = msg("1648:01", dup266); + +var select1539 = linear_select([ + msg3198, + msg3199, +]); + +var msg3200 = msg("1649", dup265); + +var msg3201 = msg("1649:01", dup266); + +var select1540 = linear_select([ + msg3200, + msg3201, +]); + +var msg3202 = msg("1650", dup265); + +var msg3203 = msg("1650:01", dup266); + +var select1541 = linear_select([ + msg3202, + msg3203, +]); + +var msg3204 = msg("1651", dup265); + +var msg3205 = msg("1651:01", dup266); + +var select1542 = linear_select([ + msg3204, + msg3205, +]); + +var msg3206 = msg("1652", dup265); + +var msg3207 = msg("1652:01", dup266); + +var select1543 = linear_select([ + msg3206, + msg3207, +]); + +var msg3208 = msg("1653", dup265); + +var msg3209 = msg("1653:01", dup266); + +var select1544 = linear_select([ + msg3208, + msg3209, +]); + +var msg3210 = msg("1654", dup265); + +var msg3211 = msg("1654:01", dup266); + +var select1545 = linear_select([ + msg3210, + msg3211, +]); + +var msg3212 = msg("1655", dup269); + +var msg3213 = msg("1655:01", dup270); + +var select1546 = linear_select([ + msg3212, + msg3213, +]); + +var msg3214 = msg("1656", dup265); + +var msg3215 = msg("1656:01", dup266); + +var select1547 = linear_select([ + msg3214, + msg3215, +]); + +var msg3216 = msg("1657", dup265); + +var msg3217 = msg("1657:01", dup266); + +var select1548 = linear_select([ + msg3216, + msg3217, +]); + +var msg3218 = msg("1658", dup265); + +var msg3219 = msg("1658:01", dup266); + +var select1549 = linear_select([ + msg3218, + msg3219, +]); + +var msg3220 = msg("1659", dup265); + +var msg3221 = msg("1659:01", dup266); + +var select1550 = linear_select([ + msg3220, + msg3221, +]); + +var msg3222 = msg("1660", dup265); + +var msg3223 = msg("1660:01", dup266); + +var select1551 = linear_select([ + msg3222, + msg3223, +]); + +var msg3224 = msg("1661", dup265); + +var msg3225 = msg("1661:01", dup266); + +var select1552 = linear_select([ + msg3224, + msg3225, +]); + +var msg3226 = msg("1662", dup265); + +var msg3227 = msg("1662:01", dup266); + +var select1553 = linear_select([ + msg3226, + msg3227, +]); + +var msg3228 = msg("1663", dup265); + +var msg3229 = msg("1663:01", dup266); + +var select1554 = linear_select([ + msg3228, + msg3229, +]); + +var msg3230 = msg("1664", dup265); + +var msg3231 = msg("1664:01", dup266); + +var select1555 = linear_select([ + msg3230, + msg3231, +]); + +var msg3232 = msg("1665", dup265); + +var msg3233 = msg("1665:01", dup266); + +var select1556 = linear_select([ + msg3232, + msg3233, +]); + +var msg3234 = msg("1666", dup196); + +var msg3235 = msg("1666:01", dup217); + +var select1557 = linear_select([ + msg3234, + msg3235, +]); + +var msg3236 = msg("1667", dup265); + +var msg3237 = msg("1667:01", dup266); + +var select1558 = linear_select([ + msg3236, + msg3237, +]); + +var msg3238 = msg("1668", dup265); + +var msg3239 = msg("1668:01", dup266); + +var select1559 = linear_select([ + msg3238, + msg3239, +]); + +var msg3240 = msg("1669", dup198); + +var msg3241 = msg("1669:01", dup220); + +var select1560 = linear_select([ + msg3240, + msg3241, +]); + +var msg3242 = msg("1670", dup265); + +var msg3243 = msg("1670:01", dup266); + +var select1561 = linear_select([ + msg3242, + msg3243, +]); + +var msg3244 = msg("1671", dup265); + +var msg3245 = msg("1671:01", dup266); + +var select1562 = linear_select([ + msg3244, + msg3245, +]); + +var msg3246 = msg("1672", dup227); + +var msg3247 = msg("1672:01", dup228); + +var select1563 = linear_select([ + msg3246, + msg3247, +]); + +var msg3248 = msg("1673", dup196); + +var msg3249 = msg("1673:01", dup217); + +var select1564 = linear_select([ + msg3248, + msg3249, +]); + +var msg3250 = msg("1674", dup196); + +var msg3251 = msg("1674:01", dup217); + +var select1565 = linear_select([ + msg3250, + msg3251, +]); + +var msg3252 = msg("1675", dup196); + +var msg3253 = msg("1675:01", dup217); + +var select1566 = linear_select([ + msg3252, + msg3253, +]); + +var msg3254 = msg("1676", dup196); + +var msg3255 = msg("1676:01", dup217); + +var select1567 = linear_select([ + msg3254, + msg3255, +]); + +var msg3256 = msg("1677", dup196); + +var msg3257 = msg("1677:01", dup217); + +var select1568 = linear_select([ + msg3256, + msg3257, +]); + +var msg3258 = msg("1678", dup196); + +var msg3259 = msg("1678:01", dup217); + +var select1569 = linear_select([ + msg3258, + msg3259, +]); + +var msg3260 = msg("1679", dup196); + +var msg3261 = msg("1679:01", dup217); + +var select1570 = linear_select([ + msg3260, + msg3261, +]); + +var msg3262 = msg("1680", dup196); + +var msg3263 = msg("1680:01", dup217); + +var select1571 = linear_select([ + msg3262, + msg3263, +]); + +var msg3264 = msg("1681", dup196); + +var msg3265 = msg("1681:01", dup217); + +var select1572 = linear_select([ + msg3264, + msg3265, +]); + +var msg3266 = msg("1682", dup196); + +var msg3267 = msg("1682:01", dup217); + +var select1573 = linear_select([ + msg3266, + msg3267, +]); + +var msg3268 = msg("1683", dup196); + +var msg3269 = msg("1683:01", dup217); + +var select1574 = linear_select([ + msg3268, + msg3269, +]); + +var msg3270 = msg("1684", dup196); + +var msg3271 = msg("1684:01", dup217); + +var select1575 = linear_select([ + msg3270, + msg3271, +]); + +var msg3272 = msg("1685", dup196); + +var msg3273 = msg("1685:01", dup217); + +var select1576 = linear_select([ + msg3272, + msg3273, +]); + +var msg3274 = msg("1686", dup196); + +var msg3275 = msg("1686:01", dup217); + +var select1577 = linear_select([ + msg3274, + msg3275, +]); + +var msg3276 = msg("1687", dup196); + +var msg3277 = msg("1687:01", dup217); + +var select1578 = linear_select([ + msg3276, + msg3277, +]); + +var msg3278 = msg("1688", dup196); + +var msg3279 = msg("1688:01", dup217); + +var select1579 = linear_select([ + msg3278, + msg3279, +]); + +var msg3280 = msg("1689", dup196); + +var msg3281 = msg("1689:01", dup217); + +var select1580 = linear_select([ + msg3280, + msg3281, +]); + +var msg3282 = msg("1690", dup196); + +var msg3283 = msg("1690:01", dup217); + +var select1581 = linear_select([ + msg3282, + msg3283, +]); + +var msg3284 = msg("1691", dup196); + +var msg3285 = msg("1691:01", dup217); + +var select1582 = linear_select([ + msg3284, + msg3285, +]); + +var msg3286 = msg("1692", dup196); + +var msg3287 = msg("1692:01", dup217); + +var select1583 = linear_select([ + msg3286, + msg3287, +]); + +var msg3288 = msg("1693", dup196); + +var msg3289 = msg("1693:01", dup217); + +var select1584 = linear_select([ + msg3288, + msg3289, +]); + +var msg3290 = msg("1694", dup196); + +var msg3291 = msg("1694:01", dup217); + +var select1585 = linear_select([ + msg3290, + msg3291, +]); + +var msg3292 = msg("1695", dup196); + +var msg3293 = msg("1695:01", dup217); + +var select1586 = linear_select([ + msg3292, + msg3293, +]); + +var msg3294 = msg("1696", dup196); + +var msg3295 = msg("1696:01", dup217); + +var select1587 = linear_select([ + msg3294, + msg3295, +]); + +var msg3296 = msg("1697", dup196); + +var msg3297 = msg("1697:01", dup217); + +var select1588 = linear_select([ + msg3296, + msg3297, +]); + +var msg3298 = msg("1698", dup196); + +var msg3299 = msg("1698:01", dup217); + +var select1589 = linear_select([ + msg3298, + msg3299, +]); + +var msg3300 = msg("1699", dup196); + +var msg3301 = msg("1699:01", dup217); + +var select1590 = linear_select([ + msg3300, + msg3301, +]); + +var msg3302 = msg("1700", dup265); + +var msg3303 = msg("1700:01", dup266); + +var select1591 = linear_select([ + msg3302, + msg3303, +]); + +var msg3304 = msg("1701", dup265); + +var msg3305 = msg("1701:01", dup266); + +var select1592 = linear_select([ + msg3304, + msg3305, +]); + +var msg3306 = msg("1702", dup265); + +var msg3307 = msg("1702:01", dup266); + +var select1593 = linear_select([ + msg3306, + msg3307, +]); + +var msg3308 = msg("1703", dup265); + +var msg3309 = msg("1703:01", dup266); + +var select1594 = linear_select([ + msg3308, + msg3309, +]); + +var msg3310 = msg("1704", dup265); + +var msg3311 = msg("1704:01", dup266); + +var select1595 = linear_select([ + msg3310, + msg3311, +]); + +var msg3312 = msg("1705", dup269); + +var msg3313 = msg("1705:01", dup270); + +var select1596 = linear_select([ + msg3312, + msg3313, +]); + +var msg3314 = msg("1706", dup265); + +var msg3315 = msg("1706:01", dup266); + +var select1597 = linear_select([ + msg3314, + msg3315, +]); + +var msg3316 = msg("1707", dup269); + +var msg3317 = msg("1707:01", dup270); + +var select1598 = linear_select([ + msg3316, + msg3317, +]); + +var msg3318 = msg("1708", dup265); + +var msg3319 = msg("1708:01", dup266); + +var select1599 = linear_select([ + msg3318, + msg3319, +]); + +var msg3320 = msg("1709", dup265); + +var msg3321 = msg("1709:01", dup266); + +var select1600 = linear_select([ + msg3320, + msg3321, +]); + +var msg3322 = msg("1710", dup265); + +var msg3323 = msg("1710:01", dup266); + +var select1601 = linear_select([ + msg3322, + msg3323, +]); + +var msg3324 = msg("1711", dup265); + +var msg3325 = msg("1711:01", dup266); + +var select1602 = linear_select([ + msg3324, + msg3325, +]); + +var msg3326 = msg("1712", dup265); + +var msg3327 = msg("1712:01", dup266); + +var select1603 = linear_select([ + msg3326, + msg3327, +]); + +var msg3328 = msg("1713", dup265); + +var msg3329 = msg("1713:01", dup266); + +var select1604 = linear_select([ + msg3328, + msg3329, +]); + +var msg3330 = msg("1714", dup265); + +var msg3331 = msg("1714:01", dup266); + +var select1605 = linear_select([ + msg3330, + msg3331, +]); + +var msg3332 = msg("1715", dup265); + +var msg3333 = msg("1715:01", dup266); + +var select1606 = linear_select([ + msg3332, + msg3333, +]); + +var msg3334 = msg("1716", dup265); + +var msg3335 = msg("1716:01", dup266); + +var select1607 = linear_select([ + msg3334, + msg3335, +]); + +var msg3336 = msg("1717", dup265); + +var msg3337 = msg("1717:01", dup266); + +var select1608 = linear_select([ + msg3336, + msg3337, +]); + +var msg3338 = msg("1718", dup265); + +var msg3339 = msg("1718:01", dup266); + +var select1609 = linear_select([ + msg3338, + msg3339, +]); + +var msg3340 = msg("1719", dup265); + +var msg3341 = msg("1719:01", dup266); + +var select1610 = linear_select([ + msg3340, + msg3341, +]); + +var msg3342 = msg("1720", dup265); + +var msg3343 = msg("1720:01", dup266); + +var select1611 = linear_select([ + msg3342, + msg3343, +]); + +var msg3344 = msg("1721", dup265); + +var msg3345 = msg("1721:01", dup266); + +var select1612 = linear_select([ + msg3344, + msg3345, +]); + +var msg3346 = msg("1722", dup265); + +var msg3347 = msg("1722:01", dup266); + +var select1613 = linear_select([ + msg3346, + msg3347, +]); + +var msg3348 = msg("1723", dup265); + +var msg3349 = msg("1723:01", dup266); + +var select1614 = linear_select([ + msg3348, + msg3349, +]); + +var msg3350 = msg("1724", dup265); + +var msg3351 = msg("1724:01", dup266); + +var select1615 = linear_select([ + msg3350, + msg3351, +]); + +var msg3352 = msg("1725", dup265); + +var msg3353 = msg("1725:01", dup266); + +var select1616 = linear_select([ + msg3352, + msg3353, +]); + +var msg3354 = msg("1726", dup265); + +var msg3355 = msg("1726:01", dup266); + +var select1617 = linear_select([ + msg3354, + msg3355, +]); + +var msg3356 = msg("1727", dup265); + +var msg3357 = msg("1727:01", dup266); + +var select1618 = linear_select([ + msg3356, + msg3357, +]); + +var msg3358 = msg("1728", dup227); + +var msg3359 = msg("1728:01", dup228); + +var select1619 = linear_select([ + msg3358, + msg3359, +]); + +var msg3360 = msg("1729", dup196); + +var msg3361 = msg("1729:01", dup217); + +var select1620 = linear_select([ + msg3360, + msg3361, +]); + +var msg3362 = msg("1730", dup265); + +var msg3363 = msg("1730:01", dup266); + +var select1621 = linear_select([ + msg3362, + msg3363, +]); + +var msg3364 = msg("1731", dup265); + +var msg3365 = msg("1731:01", dup266); + +var select1622 = linear_select([ + msg3364, + msg3365, +]); + +var msg3366 = msg("1732", dup255); + +var msg3367 = msg("1732:01", dup256); + +var select1623 = linear_select([ + msg3366, + msg3367, +]); + +var msg3368 = msg("1733", dup258); + +var msg3369 = msg("1733:01", dup259); + +var select1624 = linear_select([ + msg3368, + msg3369, +]); + +var msg3370 = msg("1734", dup222); + +var msg3371 = msg("1734:01", dup223); + +var select1625 = linear_select([ + msg3370, + msg3371, +]); + +var msg3372 = msg("1735", dup265); + +var msg3373 = msg("1735:01", dup266); + +var select1626 = linear_select([ + msg3372, + msg3373, +]); + +var msg3374 = msg("1736", dup265); + +var msg3375 = msg("1736:01", dup266); + +var select1627 = linear_select([ + msg3374, + msg3375, +]); + +var msg3376 = msg("1737", dup265); + +var msg3377 = msg("1737:01", dup266); + +var select1628 = linear_select([ + msg3376, + msg3377, +]); + +var msg3378 = msg("1738", dup265); + +var msg3379 = msg("1738:01", dup266); + +var select1629 = linear_select([ + msg3378, + msg3379, +]); + +var msg3380 = msg("1739", dup285); + +var msg3381 = msg("1739:01", dup286); + +var select1630 = linear_select([ + msg3380, + msg3381, +]); + +var msg3382 = msg("1740", dup285); + +var msg3383 = msg("1740:01", dup286); + +var select1631 = linear_select([ + msg3382, + msg3383, +]); + +var msg3384 = msg("1741", dup265); + +var msg3385 = msg("1741:01", dup266); + +var select1632 = linear_select([ + msg3384, + msg3385, +]); + +var msg3386 = msg("1742", dup198); + +var msg3387 = msg("1742:01", dup220); + +var select1633 = linear_select([ + msg3386, + msg3387, +]); + +var msg3388 = msg("1743", dup198); + +var msg3389 = msg("1743:01", dup220); + +var select1634 = linear_select([ + msg3388, + msg3389, +]); + +var msg3390 = msg("1744", dup285); + +var msg3391 = msg("1744:01", dup286); + +var select1635 = linear_select([ + msg3390, + msg3391, +]); + +var msg3392 = msg("1745", dup265); + +var msg3393 = msg("1745:01", dup266); + +var select1636 = linear_select([ + msg3392, + msg3393, +]); + +var msg3394 = msg("1746", dup255); + +var msg3395 = msg("1746:01", dup256); + +var select1637 = linear_select([ + msg3394, + msg3395, +]); + +var msg3396 = msg("1747", dup258); + +var msg3397 = msg("1747:01", dup259); + +var select1638 = linear_select([ + msg3396, + msg3397, +]); + +var msg3398 = msg("1748", dup222); + +var msg3399 = msg("1748:01", dup223); + +var select1639 = linear_select([ + msg3398, + msg3399, +]); + +var msg3400 = msg("1749", dup265); + +var msg3401 = msg("1749:01", dup266); + +var select1640 = linear_select([ + msg3400, + msg3401, +]); + +var msg3402 = msg("1750", dup265); + +var msg3403 = msg("1750:01", dup266); + +var select1641 = linear_select([ + msg3402, + msg3403, +]); + +var msg3404 = msg("1751", dup222); + +var msg3405 = msg("1751:01", dup223); + +var select1642 = linear_select([ + msg3404, + msg3405, +]); + +var msg3406 = msg("1752", dup196); + +var msg3407 = msg("1752:01", dup217); + +var select1643 = linear_select([ + msg3406, + msg3407, +]); + +var msg3408 = msg("1753", dup265); + +var msg3409 = msg("1753:01", dup266); + +var select1644 = linear_select([ + msg3408, + msg3409, +]); + +var msg3410 = msg("1754", dup265); + +var msg3411 = msg("1754:01", dup266); + +var select1645 = linear_select([ + msg3410, + msg3411, +]); + +var msg3412 = msg("1755", dup222); + +var msg3413 = msg("1755:01", dup223); + +var select1646 = linear_select([ + msg3412, + msg3413, +]); + +var msg3414 = msg("1756", dup265); + +var msg3415 = msg("1756:01", dup266); + +var select1647 = linear_select([ + msg3414, + msg3415, +]); + +var msg3416 = msg("1757", dup269); + +var msg3417 = msg("1757:01", dup270); + +var select1648 = linear_select([ + msg3416, + msg3417, +]); + +var msg3418 = msg("1758", dup265); + +var msg3419 = msg("1758:01", dup266); + +var select1649 = linear_select([ + msg3418, + msg3419, +]); + +var msg3420 = msg("1759", dup260); + +var msg3421 = msg("1759:01", dup261); + +var select1650 = linear_select([ + msg3420, + msg3421, +]); + +var msg3422 = msg("1760", dup196); + +var msg3423 = msg("1760:01", dup217); + +var select1651 = linear_select([ + msg3422, + msg3423, +]); + +var msg3424 = msg("1761", dup196); + +var msg3425 = msg("1761:01", dup217); + +var select1652 = linear_select([ + msg3424, + msg3425, +]); + +var msg3426 = msg("1762", dup269); + +var msg3427 = msg("1762:01", dup270); + +var select1653 = linear_select([ + msg3426, + msg3427, +]); + +var msg3428 = msg("1763", dup198); + +var msg3429 = msg("1763:01", dup220); + +var select1654 = linear_select([ + msg3428, + msg3429, +]); + +var msg3430 = msg("1764", dup198); + +var msg3431 = msg("1764:01", dup220); + +var select1655 = linear_select([ + msg3430, + msg3431, +]); + +var msg3432 = msg("1765", dup265); + +var msg3433 = msg("1765:01", dup266); + +var select1656 = linear_select([ + msg3432, + msg3433, +]); + +var msg3434 = msg("1766", dup265); + +var msg3435 = msg("1766:01", dup266); + +var select1657 = linear_select([ + msg3434, + msg3435, +]); + +var msg3436 = msg("1767", dup265); + +var msg3437 = msg("1767:01", dup266); + +var select1658 = linear_select([ + msg3436, + msg3437, +]); + +var msg3438 = msg("1768", dup267); + +var msg3439 = msg("1768:01", dup268); + +var select1659 = linear_select([ + msg3438, + msg3439, +]); + +var msg3440 = msg("1769", dup265); + +var msg3441 = msg("1769:01", dup266); + +var select1660 = linear_select([ + msg3440, + msg3441, +]); + +var msg3442 = msg("1770", dup265); + +var msg3443 = msg("1770:01", dup266); + +var select1661 = linear_select([ + msg3442, + msg3443, +]); + +var msg3444 = msg("1771", dup287); + +var msg3445 = msg("1771:01", dup288); + +var select1662 = linear_select([ + msg3444, + msg3445, +]); + +var msg3446 = msg("1772", dup265); + +var msg3447 = msg("1772:01", dup266); + +var select1663 = linear_select([ + msg3446, + msg3447, +]); + +var msg3448 = msg("1773", dup265); + +var msg3449 = msg("1773:01", dup266); + +var select1664 = linear_select([ + msg3448, + msg3449, +]); + +var msg3450 = msg("1774", dup265); + +var msg3451 = msg("1774:01", dup266); + +var select1665 = linear_select([ + msg3450, + msg3451, +]); + +var msg3452 = msg("1775", dup240); + +var msg3453 = msg("1775:01", dup241); + +var select1666 = linear_select([ + msg3452, + msg3453, +]); + +var msg3454 = msg("1776", dup240); + +var msg3455 = msg("1776:01", dup241); + +var select1667 = linear_select([ + msg3454, + msg3455, +]); + +var msg3456 = msg("1777", dup198); + +var msg3457 = msg("1777:01", dup220); + +var select1668 = linear_select([ + msg3456, + msg3457, +]); + +var msg3458 = msg("1778", dup198); + +var msg3459 = msg("1778:01", dup220); + +var select1669 = linear_select([ + msg3458, + msg3459, +]); + +var msg3460 = msg("1779", dup227); + +var msg3461 = msg("1779:01", dup228); + +var select1670 = linear_select([ + msg3460, + msg3461, +]); + +var msg3462 = msg("1780", dup222); + +var msg3463 = msg("1780:01", dup223); + +var select1671 = linear_select([ + msg3462, + msg3463, +]); + +var msg3464 = msg("1781", dup281); + +var msg3465 = msg("1781:01", dup282); + +var select1672 = linear_select([ + msg3464, + msg3465, +]); + +var msg3466 = msg("1782", dup281); + +var msg3467 = msg("1782:01", dup282); + +var select1673 = linear_select([ + msg3466, + msg3467, +]); + +var msg3468 = msg("1783", dup281); + +var msg3469 = msg("1783:01", dup282); + +var select1674 = linear_select([ + msg3468, + msg3469, +]); + +var msg3470 = msg("1784", dup281); + +var msg3471 = msg("1784:01", dup282); + +var select1675 = linear_select([ + msg3470, + msg3471, +]); + +var msg3472 = msg("1785", dup281); + +var msg3473 = msg("1785:01", dup282); + +var select1676 = linear_select([ + msg3472, + msg3473, +]); + +var msg3474 = msg("1786", dup281); + +var msg3475 = msg("1786:01", dup282); + +var select1677 = linear_select([ + msg3474, + msg3475, +]); + +var msg3476 = msg("1787", dup265); + +var msg3477 = msg("1787:01", dup266); + +var select1678 = linear_select([ + msg3476, + msg3477, +]); + +var msg3478 = msg("1788", dup265); + +var msg3479 = msg("1788:01", dup266); + +var select1679 = linear_select([ + msg3478, + msg3479, +]); + +var msg3480 = msg("1789", dup196); + +var msg3481 = msg("1789:01", dup217); + +var select1680 = linear_select([ + msg3480, + msg3481, +]); + +var msg3482 = msg("1790", dup196); + +var msg3483 = msg("1790:01", dup217); + +var select1681 = linear_select([ + msg3482, + msg3483, +]); + +var msg3484 = msg("1791", dup192); + +var msg3485 = msg("1791:01", dup262); + +var select1682 = linear_select([ + msg3484, + msg3485, +]); + +var msg3486 = msg("1792", dup222); + +var msg3487 = msg("1792:01", dup223); + +var select1683 = linear_select([ + msg3486, + msg3487, +]); + +var msg3488 = msg("1793", dup281); + +var msg3489 = msg("1793:01", dup282); + +var select1684 = linear_select([ + msg3488, + msg3489, +]); + +var msg3490 = msg("1794", dup281); + +var msg3491 = msg("1794:01", dup282); + +var select1685 = linear_select([ + msg3490, + msg3491, +]); + +var msg3492 = msg("1795", dup281); + +var msg3493 = msg("1795:01", dup282); + +var select1686 = linear_select([ + msg3492, + msg3493, +]); + +var msg3494 = msg("1796", dup281); + +var msg3495 = msg("1796:01", dup282); + +var select1687 = linear_select([ + msg3494, + msg3495, +]); + +var msg3496 = msg("1797", dup281); + +var msg3497 = msg("1797:01", dup282); + +var select1688 = linear_select([ + msg3496, + msg3497, +]); + +var msg3498 = msg("1798", dup281); + +var msg3499 = msg("1798:01", dup282); + +var select1689 = linear_select([ + msg3498, + msg3499, +]); + +var msg3500 = msg("1799", dup281); + +var msg3501 = msg("1799:01", dup282); + +var select1690 = linear_select([ + msg3500, + msg3501, +]); + +var msg3502 = msg("1800", dup263); + +var msg3503 = msg("1800:01", dup264); + +var select1691 = linear_select([ + msg3502, + msg3503, +]); + +var msg3504 = msg("1801", dup267); + +var msg3505 = msg("1801:01", dup268); + +var select1692 = linear_select([ + msg3504, + msg3505, +]); + +var msg3506 = msg("1802", dup267); + +var msg3507 = msg("1802:01", dup268); + +var select1693 = linear_select([ + msg3506, + msg3507, +]); + +var msg3508 = msg("1803", dup267); + +var msg3509 = msg("1803:01", dup268); + +var select1694 = linear_select([ + msg3508, + msg3509, +]); + +var msg3510 = msg("1804", dup267); + +var msg3511 = msg("1804:01", dup268); + +var select1695 = linear_select([ + msg3510, + msg3511, +]); + +var msg3512 = msg("1805", dup265); + +var msg3513 = msg("1805:01", dup266); + +var select1696 = linear_select([ + msg3512, + msg3513, +]); + +var msg3514 = msg("1806", dup196); + +var msg3515 = msg("1806:01", dup217); + +var select1697 = linear_select([ + msg3514, + msg3515, +]); + +var msg3516 = msg("1807", dup265); + +var msg3517 = msg("1807:01", dup266); + +var select1698 = linear_select([ + msg3516, + msg3517, +]); + +var msg3518 = msg("1808", dup267); + +var msg3519 = msg("1808:01", dup268); + +var select1699 = linear_select([ + msg3518, + msg3519, +]); + +var msg3520 = msg("1809", dup238); + +var msg3521 = msg("1809:01", dup239); + +var select1700 = linear_select([ + msg3520, + msg3521, +]); + +var msg3522 = msg("1810", dup196); + +var msg3523 = msg("1810:01", dup217); + +var select1701 = linear_select([ + msg3522, + msg3523, +]); + +var msg3524 = msg("1811", dup196); + +var msg3525 = msg("1811:01", dup217); + +var select1702 = linear_select([ + msg3524, + msg3525, +]); + +var msg3526 = msg("1812", dup196); + +var msg3527 = msg("1812:01", dup217); + +var select1703 = linear_select([ + msg3526, + msg3527, +]); + +var msg3528 = msg("1813", dup232); + +var msg3529 = msg("1813:01", dup231); + +var select1704 = linear_select([ + msg3528, + msg3529, +]); + +var msg3530 = msg("1814", dup198); + +var msg3531 = msg("1814:01", dup220); + +var select1705 = linear_select([ + msg3530, + msg3531, +]); + +var msg3532 = msg("1815", dup265); + +var msg3533 = msg("1815:01", dup266); + +var select1706 = linear_select([ + msg3532, + msg3533, +]); + +var msg3534 = msg("1816", dup265); + +var msg3535 = msg("1816:01", dup266); + +var select1707 = linear_select([ + msg3534, + msg3535, +]); + +var msg3536 = msg("1817", dup265); + +var msg3537 = msg("1817:01", dup266); + +var select1708 = linear_select([ + msg3536, + msg3537, +]); + +var msg3538 = msg("1818", dup265); + +var msg3539 = msg("1818:01", dup266); + +var select1709 = linear_select([ + msg3538, + msg3539, +]); + +var msg3540 = msg("1819", dup196); + +var msg3541 = msg("1819:01", dup217); + +var select1710 = linear_select([ + msg3540, + msg3541, +]); + +var msg3542 = msg("1820", dup265); + +var msg3543 = msg("1820:01", dup266); + +var select1711 = linear_select([ + msg3542, + msg3543, +]); + +var msg3544 = msg("1821", dup201); + +var msg3545 = msg("1821:01", dup289); + +var select1712 = linear_select([ + msg3544, + msg3545, +]); + +var msg3546 = msg("1822", dup265); + +var msg3547 = msg("1822:01", dup266); + +var select1713 = linear_select([ + msg3546, + msg3547, +]); + +var msg3548 = msg("1823", dup265); + +var msg3549 = msg("1823:01", dup266); + +var select1714 = linear_select([ + msg3548, + msg3549, +]); + +var msg3550 = msg("1824", dup265); + +var msg3551 = msg("1824:01", dup266); + +var select1715 = linear_select([ + msg3550, + msg3551, +]); + +var msg3552 = msg("1825", dup265); + +var msg3553 = msg("1825:01", dup266); + +var select1716 = linear_select([ + msg3552, + msg3553, +]); + +var msg3554 = msg("1826", dup265); + +var msg3555 = msg("1826:01", dup266); + +var select1717 = linear_select([ + msg3554, + msg3555, +]); + +var msg3556 = msg("1827", dup265); + +var msg3557 = msg("1827:01", dup266); + +var select1718 = linear_select([ + msg3556, + msg3557, +]); + +var msg3558 = msg("1828", dup265); + +var msg3559 = msg("1828:01", dup266); + +var select1719 = linear_select([ + msg3558, + msg3559, +]); + +var msg3560 = msg("1829", dup265); + +var msg3561 = msg("1829:01", dup266); + +var select1720 = linear_select([ + msg3560, + msg3561, +]); + +var msg3562 = msg("1830", dup265); + +var msg3563 = msg("1830:01", dup266); + +var select1721 = linear_select([ + msg3562, + msg3563, +]); + +var msg3564 = msg("1831", dup198); + +var msg3565 = msg("1831:01", dup220); + +var select1722 = linear_select([ + msg3564, + msg3565, +]); + +var msg3566 = msg("1832", dup196); + +var msg3567 = msg("1832:01", dup217); + +var select1723 = linear_select([ + msg3566, + msg3567, +]); + +var msg3568 = msg("1833", dup281); + +var msg3569 = msg("1833:01", dup282); + +var select1724 = linear_select([ + msg3568, + msg3569, +]); + +var msg3570 = msg("1834", dup265); + +var msg3571 = msg("1834:01", dup266); + +var select1725 = linear_select([ + msg3570, + msg3571, +]); + +var msg3572 = msg("1835", dup265); + +var msg3573 = msg("1835:01", dup266); + +var select1726 = linear_select([ + msg3572, + msg3573, +]); + +var msg3574 = msg("1836", dup281); + +var msg3575 = msg("1836:01", dup282); + +var select1727 = linear_select([ + msg3574, + msg3575, +]); + +var msg3576 = msg("1837", dup281); + +var msg3577 = msg("1837:01", dup282); + +var select1728 = linear_select([ + msg3576, + msg3577, +]); + +var msg3578 = msg("1838", dup197); + +var msg3579 = msg("1838:01", dup221); + +var select1729 = linear_select([ + msg3578, + msg3579, +]); + +var msg3580 = msg("1839", dup265); + +var msg3581 = msg("1839:01", dup266); + +var select1730 = linear_select([ + msg3580, + msg3581, +]); + +var msg3582 = msg("1840", dup265); + +var msg3583 = msg("1840:01", dup266); + +var select1731 = linear_select([ + msg3582, + msg3583, +]); + +var msg3584 = msg("1841", dup265); + +var msg3585 = msg("1841:01", dup266); + +var select1732 = linear_select([ + msg3584, + msg3585, +]); + +var msg3586 = msg("1842", dup222); + +var msg3587 = msg("1842:01", dup223); + +var select1733 = linear_select([ + msg3586, + msg3587, +]); + +var msg3588 = msg("1843", dup205); + +var msg3589 = msg("1843:01", dup206); + +var select1734 = linear_select([ + msg3588, + msg3589, +]); + +var msg3590 = msg("1844", dup222); + +var msg3591 = msg("1844:01", dup223); + +var select1735 = linear_select([ + msg3590, + msg3591, +]); + +var msg3592 = msg("1845", dup222); + +var msg3593 = msg("1845:01", dup223); + +var select1736 = linear_select([ + msg3592, + msg3593, +]); + +var msg3594 = msg("1846", dup196); + +var msg3595 = msg("1846:01", dup217); + +var select1737 = linear_select([ + msg3594, + msg3595, +]); + +var msg3596 = msg("1847", dup265); + +var msg3597 = msg("1847:01", dup266); + +var select1738 = linear_select([ + msg3596, + msg3597, +]); + +var msg3598 = msg("1848", dup265); + +var msg3599 = msg("1848:01", dup266); + +var select1739 = linear_select([ + msg3598, + msg3599, +]); + +var msg3600 = msg("1849", dup265); + +var msg3601 = msg("1849:01", dup266); + +var select1740 = linear_select([ + msg3600, + msg3601, +]); + +var msg3602 = msg("1850", dup197); + +var msg3603 = msg("1850:01", dup221); + +var select1741 = linear_select([ + msg3602, + msg3603, +]); + +var msg3604 = msg("1851", dup265); + +var msg3605 = msg("1851:01", dup266); + +var select1742 = linear_select([ + msg3604, + msg3605, +]); + +var msg3606 = msg("1852", dup265); + +var msg3607 = msg("1852:01", dup266); + +var select1743 = linear_select([ + msg3606, + msg3607, +]); + +var msg3608 = msg("1853", dup205); + +var msg3609 = msg("1853:01", dup206); + +var select1744 = linear_select([ + msg3608, + msg3609, +]); + +var msg3610 = msg("1854", dup215); + +var msg3611 = msg("1854:01", dup216); + +var select1745 = linear_select([ + msg3610, + msg3611, +]); + +var msg3612 = msg("1855", dup215); + +var msg3613 = msg("1855:01", dup216); + +var select1746 = linear_select([ + msg3612, + msg3613, +]); + +var msg3614 = msg("1856", dup215); + +var msg3615 = msg("1856:01", dup216); + +var select1747 = linear_select([ + msg3614, + msg3615, +]); + +var msg3616 = msg("1857", dup265); + +var msg3617 = msg("1857:01", dup266); + +var select1748 = linear_select([ + msg3616, + msg3617, +]); + +var msg3618 = msg("1858", dup265); + +var msg3619 = msg("1858:01", dup266); + +var select1749 = linear_select([ + msg3618, + msg3619, +]); + +var msg3620 = msg("1859", dup265); + +var msg3621 = msg("1859:01", dup266); + +var select1750 = linear_select([ + msg3620, + msg3621, +]); + +var msg3622 = msg("1860", dup265); + +var msg3623 = msg("1860:01", dup266); + +var select1751 = linear_select([ + msg3622, + msg3623, +]); + +var msg3624 = msg("1861", dup265); + +var msg3625 = msg("1861:01", dup266); + +var select1752 = linear_select([ + msg3624, + msg3625, +]); + +var msg3626 = msg("1862", dup265); + +var msg3627 = msg("1862:01", dup266); + +var select1753 = linear_select([ + msg3626, + msg3627, +]); + +var msg3628 = msg("1863", dup267); + +var msg3629 = msg("1863:01", dup268); + +var select1754 = linear_select([ + msg3628, + msg3629, +]); + +var msg3630 = msg("1864", dup227); + +var msg3631 = msg("1864:01", dup228); + +var select1755 = linear_select([ + msg3630, + msg3631, +]); + +var msg3632 = msg("1865", dup265); + +var msg3633 = msg("1865:01", dup266); + +var select1756 = linear_select([ + msg3632, + msg3633, +]); + +var msg3634 = msg("1866", dup222); + +var msg3635 = msg("1866:01", dup223); + +var select1757 = linear_select([ + msg3634, + msg3635, +]); + +var msg3636 = msg("1867", dup196); + +var msg3637 = msg("1867:01", dup217); + +var select1758 = linear_select([ + msg3636, + msg3637, +]); + +var msg3638 = msg("1868", dup265); + +var msg3639 = msg("1869", dup265); + +var msg3640 = msg("1870", dup265); + +var msg3641 = msg("1870:01", dup266); + +var select1759 = linear_select([ + msg3640, + msg3641, +]); + +var msg3642 = msg("1871", dup240); + +var msg3643 = msg("1871:01", dup241); + +var select1760 = linear_select([ + msg3642, + msg3643, +]); + +var msg3644 = msg("1872", dup265); + +var msg3645 = msg("1872:01", dup266); + +var select1761 = linear_select([ + msg3644, + msg3645, +]); + +var msg3646 = msg("1873", dup265); + +var msg3647 = msg("1873:01", dup266); + +var select1762 = linear_select([ + msg3646, + msg3647, +]); + +var msg3648 = msg("1874", dup265); + +var msg3649 = msg("1874:01", dup266); + +var select1763 = linear_select([ + msg3648, + msg3649, +]); + +var msg3650 = msg("1875", dup265); + +var msg3651 = msg("1875:01", dup266); + +var select1764 = linear_select([ + msg3650, + msg3651, +]); + +var msg3652 = msg("1876", dup265); + +var msg3653 = msg("1876:01", dup266); + +var select1765 = linear_select([ + msg3652, + msg3653, +]); + +var msg3654 = msg("1877", dup265); + +var msg3655 = msg("1877:01", dup266); + +var select1766 = linear_select([ + msg3654, + msg3655, +]); + +var msg3656 = msg("1878", dup265); + +var msg3657 = msg("1878:01", dup266); + +var select1767 = linear_select([ + msg3656, + msg3657, +]); + +var msg3658 = msg("1879", dup269); + +var msg3659 = msg("1879:01", dup270); + +var select1768 = linear_select([ + msg3658, + msg3659, +]); + +var msg3660 = msg("1880", dup265); + +var msg3661 = msg("1880:01", dup266); + +var select1769 = linear_select([ + msg3660, + msg3661, +]); + +var msg3662 = msg("1881", dup238); + +var msg3663 = msg("1881:01", dup239); + +var select1770 = linear_select([ + msg3662, + msg3663, +]); + +var msg3664 = msg("1882", dup196); + +var msg3665 = msg("1882:01", dup217); + +var select1771 = linear_select([ + msg3664, + msg3665, +]); + +var msg3666 = msg("1883", dup196); + +var msg3667 = msg("1883:01", dup217); + +var select1772 = linear_select([ + msg3666, + msg3667, +]); + +var msg3668 = msg("1884", dup196); + +var msg3669 = msg("1884:01", dup217); + +var select1773 = linear_select([ + msg3668, + msg3669, +]); + +var msg3670 = msg("1885", dup196); + +var msg3671 = msg("1885:01", dup217); + +var select1774 = linear_select([ + msg3670, + msg3671, +]); + +var msg3672 = msg("1886", dup196); + +var msg3673 = msg("1886:01", dup217); + +var select1775 = linear_select([ + msg3672, + msg3673, +]); + +var msg3674 = msg("1887", dup238); + +var msg3675 = msg("1887:01", dup239); + +var select1776 = linear_select([ + msg3674, + msg3675, +]); + +var msg3676 = msg("1888", dup222); + +var msg3677 = msg("1888:01", dup223); + +var select1777 = linear_select([ + msg3676, + msg3677, +]); + +var msg3678 = msg("1889", dup290); + +var all40 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup92, + dup31, + dup77, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var msg3679 = msg("1889:01", all40); + +var select1778 = linear_select([ + msg3678, + msg3679, +]); + +var msg3680 = msg("1890", dup208); + +var msg3681 = msg("1890:01", dup291); + +var select1779 = linear_select([ + msg3680, + msg3681, +]); + +var msg3682 = msg("1891", dup208); + +var msg3683 = msg("1891:01", dup291); + +var select1780 = linear_select([ + msg3682, + msg3683, +]); + +var msg3684 = msg("1892", dup292); + +var msg3685 = msg("1893", dup292); + +var all41 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup94, + dup31, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var msg3686 = msg("1893:01", all41); + +var select1781 = linear_select([ + msg3685, + msg3686, +]); + +var msg3687 = msg("1894", dup293); + +var msg3688 = msg("1894:01", dup294); + +var select1782 = linear_select([ + msg3687, + msg3688, +]); + +var msg3689 = msg("1895", dup293); + +var msg3690 = msg("1895:01", dup294); + +var select1783 = linear_select([ + msg3689, + msg3690, +]); + +var msg3691 = msg("1896", dup293); + +var msg3692 = msg("1896:01", dup294); + +var select1784 = linear_select([ + msg3691, + msg3692, +]); + +var msg3693 = msg("1897", dup293); + +var msg3694 = msg("1897:01", dup294); + +var select1785 = linear_select([ + msg3693, + msg3694, +]); + +var msg3695 = msg("1898", dup293); + +var msg3696 = msg("1898:01", dup294); + +var select1786 = linear_select([ + msg3695, + msg3696, +]); + +var msg3697 = msg("1899", dup293); + +var msg3698 = msg("1899:01", dup294); + +var select1787 = linear_select([ + msg3697, + msg3698, +]); + +var msg3699 = msg("1900", dup293); + +var msg3700 = msg("1900:01", dup294); + +var select1788 = linear_select([ + msg3699, + msg3700, +]); + +var msg3701 = msg("1901", dup222); + +var msg3702 = msg("1901:01", dup223); + +var select1789 = linear_select([ + msg3701, + msg3702, +]); + +var msg3703 = msg("1902", dup222); + +var msg3704 = msg("1902:01", dup223); + +var select1790 = linear_select([ + msg3703, + msg3704, +]); + +var msg3705 = msg("1903", dup222); + +var msg3706 = msg("1903:01", dup223); + +var select1791 = linear_select([ + msg3705, + msg3706, +]); + +var msg3707 = msg("1904", dup222); + +var msg3708 = msg("1904:01", dup223); + +var select1792 = linear_select([ + msg3707, + msg3708, +]); + +var msg3709 = msg("1905", dup222); + +var msg3710 = msg("1905:01", dup223); + +var select1793 = linear_select([ + msg3709, + msg3710, +]); + +var msg3711 = msg("1906", dup201); + +var msg3712 = msg("1906:01", dup289); + +var select1794 = linear_select([ + msg3711, + msg3712, +]); + +var msg3713 = msg("1907", dup222); + +var msg3714 = msg("1907:01", dup217); + +var select1795 = linear_select([ + msg3713, + msg3714, +]); + +var msg3715 = msg("1908", dup201); + +var msg3716 = msg("1908:01", dup289); + +var select1796 = linear_select([ + msg3715, + msg3716, +]); + +var msg3717 = msg("1909", dup201); + +var msg3718 = msg("1909:01", dup289); + +var select1797 = linear_select([ + msg3717, + msg3718, +]); + +var msg3719 = msg("1910", dup222); + +var msg3720 = msg("1910:01", dup217); + +var select1798 = linear_select([ + msg3719, + msg3720, +]); + +var msg3721 = msg("1911", dup222); + +var msg3722 = msg("1911:01", dup223); + +var select1799 = linear_select([ + msg3721, + msg3722, +]); + +var msg3723 = msg("1912", dup201); + +var msg3724 = msg("1912:01", dup289); + +var select1800 = linear_select([ + msg3723, + msg3724, +]); + +var msg3725 = msg("1913", dup255); + +var msg3726 = msg("1913:01", dup217); + +var select1801 = linear_select([ + msg3725, + msg3726, +]); + +var msg3727 = msg("1914", dup201); + +var msg3728 = msg("1914:01", dup217); + +var select1802 = linear_select([ + msg3727, + msg3728, +]); + +var msg3729 = msg("1915", dup255); + +var msg3730 = msg("1915:01", dup217); + +var select1803 = linear_select([ + msg3729, + msg3730, +]); + +var msg3731 = msg("1916", dup201); + +var msg3732 = msg("1916:01", dup217); + +var select1804 = linear_select([ + msg3731, + msg3732, +]); + +var msg3733 = msg("1917", dup194); + +var msg3734 = msg("1917:01", dup217); + +var select1805 = linear_select([ + msg3733, + msg3734, +]); + +var msg3735 = msg("1918", dup234); + +var msg3736 = msg("1918:01", dup235); + +var select1806 = linear_select([ + msg3735, + msg3736, +]); + +var msg3737 = msg("1919", dup222); + +var msg3738 = msg("1919:01", dup223); + +var select1807 = linear_select([ + msg3737, + msg3738, +]); + +var msg3739 = msg("1920", dup222); + +var msg3740 = msg("1920:01", dup223); + +var select1808 = linear_select([ + msg3739, + msg3740, +]); + +var msg3741 = msg("1921", dup201); + +var msg3742 = msg("1921:01", dup289); + +var select1809 = linear_select([ + msg3741, + msg3742, +]); + +var msg3743 = msg("1922", dup255); + +var msg3744 = msg("1922:01", dup217); + +var select1810 = linear_select([ + msg3743, + msg3744, +]); + +var msg3745 = msg("1923", dup258); + +var all42 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup85, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var msg3746 = msg("1923:01", all42); + +var select1811 = linear_select([ + msg3745, + msg3746, +]); + +var msg3747 = msg("1924", dup255); + +var msg3748 = msg("1924:01", dup216); + +var select1812 = linear_select([ + msg3747, + msg3748, +]); + +var msg3749 = msg("1925", dup287); + +var msg3750 = msg("1925:01", dup288); + +var select1813 = linear_select([ + msg3749, + msg3750, +]); + +var msg3751 = msg("1926", dup255); + +var msg3752 = msg("1926:01", dup256); + +var select1814 = linear_select([ + msg3751, + msg3752, +]); + +var msg3753 = msg("1927", dup227); + +var msg3754 = msg("1927:01", dup216); + +var select1815 = linear_select([ + msg3753, + msg3754, +]); + +var msg3755 = msg("1928", dup227); + +var msg3756 = msg("1928:01", dup216); + +var select1816 = linear_select([ + msg3755, + msg3756, +]); + +var msg3757 = msg("1929", dup192); + +var msg3758 = msg("1929:01", dup216); + +var select1817 = linear_select([ + msg3757, + msg3758, +]); + +var msg3759 = msg("1930", dup222); + +var msg3760 = msg("1930:01", dup223); + +var select1818 = linear_select([ + msg3759, + msg3760, +]); + +var msg3761 = msg("1931", dup265); + +var msg3762 = msg("1931:01", dup266); + +var select1819 = linear_select([ + msg3761, + msg3762, +]); + +var msg3763 = msg("1932", dup265); + +var msg3764 = msg("1932:01", dup216); + +var select1820 = linear_select([ + msg3763, + msg3764, +]); + +var msg3765 = msg("1933", dup265); + +var msg3766 = msg("1933:01", dup266); + +var select1821 = linear_select([ + msg3765, + msg3766, +]); + +var msg3767 = msg("1934", dup222); + +var msg3768 = msg("1934:01", dup223); + +var select1822 = linear_select([ + msg3767, + msg3768, +]); + +var msg3769 = msg("1935", dup196); + +var msg3770 = msg("1935:01", dup217); + +var select1823 = linear_select([ + msg3769, + msg3770, +]); + +var msg3771 = msg("1936", dup222); + +var msg3772 = msg("1936:01", dup223); + +var select1824 = linear_select([ + msg3771, + msg3772, +]); + +var msg3773 = msg("1937", dup222); + +var msg3774 = msg("1937:01", dup219); + +var select1825 = linear_select([ + msg3773, + msg3774, +]); + +var msg3775 = msg("1938", dup222); + +var msg3776 = msg("1938:01", dup219); + +var select1826 = linear_select([ + msg3775, + msg3776, +]); + +var msg3777 = msg("1939", dup197); + +var msg3778 = msg("1939:01", dup219); + +var select1827 = linear_select([ + msg3777, + msg3778, +]); + +var msg3779 = msg("1940", dup196); + +var msg3780 = msg("1940:01", dup217); + +var select1828 = linear_select([ + msg3779, + msg3780, +]); + +var msg3781 = msg("1941", dup295); + +var msg3782 = msg("1941:01", dup296); + +var select1829 = linear_select([ + msg3781, + msg3782, +]); + +var msg3783 = msg("1942", dup222); + +var msg3784 = msg("1942:01", dup219); + +var select1830 = linear_select([ + msg3783, + msg3784, +]); + +var msg3785 = msg("1943", dup265); + +var msg3786 = msg("1943:01", dup266); + +var select1831 = linear_select([ + msg3785, + msg3786, +]); + +var msg3787 = msg("1944", dup265); + +var msg3788 = msg("1944:01", dup266); + +var select1832 = linear_select([ + msg3787, + msg3788, +]); + +var msg3789 = msg("1945", dup265); + +var msg3790 = msg("1945:01", dup266); + +var select1833 = linear_select([ + msg3789, + msg3790, +]); + +var msg3791 = msg("1946", dup265); + +var msg3792 = msg("1946:01", dup266); + +var select1834 = linear_select([ + msg3791, + msg3792, +]); + +var msg3793 = msg("1947", dup269); + +var msg3794 = msg("1947:01", dup270); + +var select1835 = linear_select([ + msg3793, + msg3794, +]); + +var msg3795 = msg("1948", dup196); + +var msg3796 = msg("1948:01", dup217); + +var select1836 = linear_select([ + msg3795, + msg3796, +]); + +var msg3797 = msg("1949", dup255); + +var msg3798 = msg("1949:01", dup220); + +var select1837 = linear_select([ + msg3797, + msg3798, +]); + +var msg3799 = msg("1950", dup258); + +var all43 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup64, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var msg3800 = msg("1950:01", all43); + +var select1838 = linear_select([ + msg3799, + msg3800, +]); + +var msg3801 = msg("1951", dup287); + +var msg3802 = msg("1951:01", dup288); + +var select1839 = linear_select([ + msg3801, + msg3802, +]); + +var msg3803 = msg("1952", dup255); + +var msg3804 = msg("1952:01", dup266); + +var select1840 = linear_select([ + msg3803, + msg3804, +]); + +var msg3805 = msg("1953", dup287); + +var msg3806 = msg("1953:01", dup288); + +var select1841 = linear_select([ + msg3805, + msg3806, +]); + +var msg3807 = msg("1954", dup255); + +var msg3808 = msg("1954:01", dup256); + +var select1842 = linear_select([ + msg3807, + msg3808, +]); + +var msg3809 = msg("1955", dup287); + +var msg3810 = msg("1955:01", dup221); + +var select1843 = linear_select([ + msg3809, + msg3810, +]); + +var msg3811 = msg("1956", dup255); + +var msg3812 = msg("1956:01", dup217); + +var select1844 = linear_select([ + msg3811, + msg3812, +]); + +var msg3813 = msg("1957", dup258); + +var msg3814 = msg("1957:01", dup259); + +var select1845 = linear_select([ + msg3813, + msg3814, +]); + +var msg3815 = msg("1958", dup255); + +var msg3816 = msg("1958:01", dup256); + +var select1846 = linear_select([ + msg3815, + msg3816, +]); + +var msg3817 = msg("1959", dup280); + +var msg3818 = msg("1959:01", dup245); + +var select1847 = linear_select([ + msg3817, + msg3818, +]); + +var msg3819 = msg("1960", dup257); + +var msg3820 = msg("1960:01", dup221); + +var select1848 = linear_select([ + msg3819, + msg3820, +]); + +var msg3821 = msg("1961", dup258); + +var all44 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup88, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var msg3822 = msg("1961:01", all44); + +var select1849 = linear_select([ + msg3821, + msg3822, +]); + +var msg3823 = msg("1962", dup255); + +var msg3824 = msg("1962:01", dup226); + +var select1850 = linear_select([ + msg3823, + msg3824, +]); + +var msg3825 = msg("1963", dup222); + +var msg3826 = msg("1963:01", dup223); + +var select1851 = linear_select([ + msg3825, + msg3826, +]); + +var msg3827 = msg("1964", dup222); + +var msg3828 = msg("1964:01", dup223); + +var select1852 = linear_select([ + msg3827, + msg3828, +]); + +var msg3829 = msg("1965", dup201); + +var msg3830 = msg("1965:01", dup226); + +var select1853 = linear_select([ + msg3829, + msg3830, +]); + +var msg3831 = msg("1966", dup196); + +var msg3832 = msg("1966:01", dup226); + +var select1854 = linear_select([ + msg3831, + msg3832, +]); + +var msg3833 = msg("1967", dup265); + +var msg3834 = msg("1967:01", dup226); + +var select1855 = linear_select([ + msg3833, + msg3834, +]); + +var msg3835 = msg("1968", dup265); + +var msg3836 = msg("1968:01", dup226); + +var select1856 = linear_select([ + msg3835, + msg3836, +]); + +var msg3837 = msg("1969", dup265); + +var msg3838 = msg("1969:01", dup228); + +var select1857 = linear_select([ + msg3837, + msg3838, +]); + +var msg3839 = msg("1970", dup297); + +var msg3840 = msg("1970:01", dup228); + +var select1858 = linear_select([ + msg3839, + msg3840, +]); + +var msg3841 = msg("1971", dup227); + +var msg3842 = msg("1971:01", dup223); + +var select1859 = linear_select([ + msg3841, + msg3842, +]); + +var msg3843 = msg("1972", dup222); + +var msg3844 = msg("1972:01", dup223); + +var select1860 = linear_select([ + msg3843, + msg3844, +]); + +var msg3845 = msg("1973", dup222); + +var msg3846 = msg("1973:01", dup228); + +var select1861 = linear_select([ + msg3845, + msg3846, +]); + +var msg3847 = msg("1974", dup222); + +var msg3848 = msg("1974:01", dup223); + +var select1862 = linear_select([ + msg3847, + msg3848, +]); + +var msg3849 = msg("1975", dup222); + +var msg3850 = msg("1975:01", dup228); + +var select1863 = linear_select([ + msg3849, + msg3850, +]); + +var msg3851 = msg("1976", dup222); + +var msg3852 = msg("1976:01", dup223); + +var select1864 = linear_select([ + msg3851, + msg3852, +]); + +var msg3853 = msg("1977", dup265); + +var msg3854 = msg("1977:01", dup223); + +var select1865 = linear_select([ + msg3853, + msg3854, +]); + +var msg3855 = msg("1978", dup265); + +var msg3856 = msg("1978:01", dup266); + +var select1866 = linear_select([ + msg3855, + msg3856, +]); + +var msg3857 = msg("1979", dup265); + +var msg3858 = msg("1979:01", dup266); + +var select1867 = linear_select([ + msg3857, + msg3858, +]); + +var msg3859 = msg("1980", dup192); + +var msg3860 = msg("1980:01", dup262); + +var select1868 = linear_select([ + msg3859, + msg3860, +]); + +var msg3861 = msg("1981", dup192); + +var msg3862 = msg("1981:01", dup262); + +var select1869 = linear_select([ + msg3861, + msg3862, +]); + +var msg3863 = msg("1982", dup192); + +var msg3864 = msg("1982:01", dup262); + +var select1870 = linear_select([ + msg3863, + msg3864, +]); + +var msg3865 = msg("1983", dup192); + +var msg3866 = msg("1983:01", dup262); + +var select1871 = linear_select([ + msg3865, + msg3866, +]); + +var msg3867 = msg("1984", dup192); + +var msg3868 = msg("1984:01", dup262); + +var select1872 = linear_select([ + msg3867, + msg3868, +]); + +var msg3869 = msg("1985", dup192); + +var msg3870 = msg("1985:01", dup262); + +var select1873 = linear_select([ + msg3869, + msg3870, +]); + +var msg3871 = msg("1986", dup196); + +var msg3872 = msg("1986:01", dup217); + +var select1874 = linear_select([ + msg3871, + msg3872, +]); + +var msg3873 = msg("1987", dup222); + +var msg3874 = msg("1987:01", dup223); + +var select1875 = linear_select([ + msg3873, + msg3874, +]); + +var msg3875 = msg("1988", dup196); + +var msg3876 = msg("1988:01", dup217); + +var select1876 = linear_select([ + msg3875, + msg3876, +]); + +var msg3877 = msg("1989", dup196); + +var msg3878 = msg("1989:01", dup217); + +var select1877 = linear_select([ + msg3877, + msg3878, +]); + +var msg3879 = msg("1990", dup196); + +var msg3880 = msg("1990:01", dup217); + +var select1878 = linear_select([ + msg3879, + msg3880, +]); + +var msg3881 = msg("1991", dup196); + +var msg3882 = msg("1991:01", dup217); + +var select1879 = linear_select([ + msg3881, + msg3882, +]); + +var msg3883 = msg("1992", dup227); + +var msg3884 = msg("1992:01", dup228); + +var select1880 = linear_select([ + msg3883, + msg3884, +]); + +var msg3885 = msg("1993", dup222); + +var msg3886 = msg("1993:01", dup223); + +var select1881 = linear_select([ + msg3885, + msg3886, +]); + +var msg3887 = msg("1994", dup265); + +var msg3888 = msg("1994:01", dup266); + +var select1882 = linear_select([ + msg3887, + msg3888, +]); + +var msg3889 = msg("1995", dup265); + +var msg3890 = msg("1995:01", dup266); + +var select1883 = linear_select([ + msg3889, + msg3890, +]); + +var msg3891 = msg("1996", dup265); + +var msg3892 = msg("1996:01", dup266); + +var select1884 = linear_select([ + msg3891, + msg3892, +]); + +var msg3893 = msg("1997", dup265); + +var msg3894 = msg("1997:01", dup266); + +var select1885 = linear_select([ + msg3893, + msg3894, +]); + +var msg3895 = msg("1998", dup265); + +var msg3896 = msg("1998:01", dup266); + +var select1886 = linear_select([ + msg3895, + msg3896, +]); + +var msg3897 = msg("1999", dup265); + +var msg3898 = msg("1999:01", dup266); + +var select1887 = linear_select([ + msg3897, + msg3898, +]); + +var msg3899 = msg("2000", dup265); + +var msg3900 = msg("2000:01", dup266); + +var select1888 = linear_select([ + msg3899, + msg3900, +]); + +var msg3901 = msg("2001", dup265); + +var msg3902 = msg("2001:01", dup266); + +var select1889 = linear_select([ + msg3901, + msg3902, +]); + +var msg3903 = msg("2002", dup196); + +var msg3904 = msg("2002:01", dup217); + +var select1890 = linear_select([ + msg3903, + msg3904, +]); + +var msg3905 = msg("2003", dup238); + +var msg3906 = msg("2003:01", dup239); + +var select1891 = linear_select([ + msg3905, + msg3906, +]); + +var msg3907 = msg("2004", dup238); + +var msg3908 = msg("2004:01", dup239); + +var select1892 = linear_select([ + msg3907, + msg3908, +]); + +var msg3909 = msg("2005", dup258); + +var msg3910 = msg("2005:01", dup259); + +var select1893 = linear_select([ + msg3909, + msg3910, +]); + +var msg3911 = msg("2006", dup255); + +var msg3912 = msg("2006:01", dup256); + +var select1894 = linear_select([ + msg3911, + msg3912, +]); + +var msg3913 = msg("2007", dup255); + +var msg3914 = msg("2007:01", dup256); + +var select1895 = linear_select([ + msg3913, + msg3914, +]); + +var msg3915 = msg("2008", dup196); + +var msg3916 = msg("2008:01", dup217); + +var select1896 = linear_select([ + msg3915, + msg3916, +]); + +var msg3917 = msg("2009", dup196); + +var msg3918 = msg("2009:01", dup217); + +var select1897 = linear_select([ + msg3917, + msg3918, +]); + +var msg3919 = msg("2010", dup196); + +var msg3920 = msg("2010:01", dup217); + +var select1898 = linear_select([ + msg3919, + msg3920, +]); + +var msg3921 = msg("2011", dup196); + +var msg3922 = msg("2011:01", dup217); + +var select1899 = linear_select([ + msg3921, + msg3922, +]); + +var msg3923 = msg("2012", dup196); + +var msg3924 = msg("2012:01", dup217); + +var select1900 = linear_select([ + msg3923, + msg3924, +]); + +var msg3925 = msg("2013", dup196); + +var msg3926 = msg("2013:01", dup217); + +var select1901 = linear_select([ + msg3925, + msg3926, +]); + +var msg3927 = msg("2014", dup255); + +var msg3928 = msg("2014:01", dup256); + +var select1902 = linear_select([ + msg3927, + msg3928, +]); + +var msg3929 = msg("2015", dup258); + +var msg3930 = msg("2015:01", dup259); + +var select1903 = linear_select([ + msg3929, + msg3930, +]); + +var msg3931 = msg("2016", dup255); + +var msg3932 = msg("2016:01", dup256); + +var select1904 = linear_select([ + msg3931, + msg3932, +]); + +var msg3933 = msg("2017", dup258); + +var msg3934 = msg("2017:01", dup259); + +var select1905 = linear_select([ + msg3933, + msg3934, +]); + +var msg3935 = msg("2018", dup287); + +var msg3936 = msg("2018:01", dup288); + +var select1906 = linear_select([ + msg3935, + msg3936, +]); + +var msg3937 = msg("2019", dup255); + +var msg3938 = msg("2019:01", dup256); + +var select1907 = linear_select([ + msg3937, + msg3938, +]); + +var msg3939 = msg("2020", dup287); + +var msg3940 = msg("2020:01", dup288); + +var select1908 = linear_select([ + msg3939, + msg3940, +]); + +var msg3941 = msg("2021", dup255); + +var msg3942 = msg("2021:01", dup256); + +var select1909 = linear_select([ + msg3941, + msg3942, +]); + +var msg3943 = msg("2022", dup287); + +var msg3944 = msg("2022:01", dup288); + +var select1910 = linear_select([ + msg3943, + msg3944, +]); + +var msg3945 = msg("2023", dup255); + +var msg3946 = msg("2023:01", dup256); + +var select1911 = linear_select([ + msg3945, + msg3946, +]); + +var msg3947 = msg("2024", dup222); + +var msg3948 = msg("2024:01", dup223); + +var select1912 = linear_select([ + msg3947, + msg3948, +]); + +var msg3949 = msg("2025", dup222); + +var msg3950 = msg("2025:01", dup223); + +var select1913 = linear_select([ + msg3949, + msg3950, +]); + +var msg3951 = msg("2026", dup222); + +var msg3952 = msg("2026:01", dup223); + +var select1914 = linear_select([ + msg3951, + msg3952, +]); + +var msg3953 = msg("2027", dup222); + +var msg3954 = msg("2027:01", dup223); + +var select1915 = linear_select([ + msg3953, + msg3954, +]); + +var msg3955 = msg("2028", dup222); + +var msg3956 = msg("2028:01", dup223); + +var select1916 = linear_select([ + msg3955, + msg3956, +]); + +var msg3957 = msg("2029", dup222); + +var msg3958 = msg("2029:01", dup223); + +var select1917 = linear_select([ + msg3957, + msg3958, +]); + +var msg3959 = msg("2030", dup222); + +var msg3960 = msg("2030:01", dup223); + +var select1918 = linear_select([ + msg3959, + msg3960, +]); + +var msg3961 = msg("2031", dup255); + +var msg3962 = msg("2031:01", dup256); + +var select1919 = linear_select([ + msg3961, + msg3962, +]); + +var msg3963 = msg("2032", dup255); + +var msg3964 = msg("2032:01", dup256); + +var select1920 = linear_select([ + msg3963, + msg3964, +]); + +var msg3965 = msg("2033", dup255); + +var msg3966 = msg("2033:01", dup256); + +var select1921 = linear_select([ + msg3965, + msg3966, +]); + +var msg3967 = msg("2034", dup255); + +var msg3968 = msg("2034:01", dup256); + +var select1922 = linear_select([ + msg3967, + msg3968, +]); + +var msg3969 = msg("2035", dup258); + +var msg3970 = msg("2035:01", dup259); + +var select1923 = linear_select([ + msg3969, + msg3970, +]); + +var msg3971 = msg("2036", dup255); + +var msg3972 = msg("2036:01", dup256); + +var select1924 = linear_select([ + msg3971, + msg3972, +]); + +var msg3973 = msg("2037", dup255); + +var msg3974 = msg("2037:01", dup256); + +var select1925 = linear_select([ + msg3973, + msg3974, +]); + +var msg3975 = msg("2038", dup255); + +var msg3976 = msg("2038:01", dup256); + +var select1926 = linear_select([ + msg3975, + msg3976, +]); + +var msg3977 = msg("2039", dup196); + +var msg3978 = msg("2039:01", dup217); + +var select1927 = linear_select([ + msg3977, + msg3978, +]); + +var msg3979 = msg("2040", dup196); + +var msg3980 = msg("2040:01", dup217); + +var select1928 = linear_select([ + msg3979, + msg3980, +]); + +var msg3981 = msg("2041", dup236); + +var msg3982 = msg("2041:01", dup237); + +var select1929 = linear_select([ + msg3981, + msg3982, +]); + +var msg3983 = msg("2042", dup196); + +var msg3984 = msg("2042:01", dup217); + +var select1930 = linear_select([ + msg3983, + msg3984, +]); + +var msg3985 = msg("2043", dup236); + +var msg3986 = msg("2043:01", dup237); + +var select1931 = linear_select([ + msg3985, + msg3986, +]); + +var msg3987 = msg("2044", dup196); + +var msg3988 = msg("2044:01", dup217); + +var select1932 = linear_select([ + msg3987, + msg3988, +]); + +var msg3989 = msg("2045", dup222); + +var msg3990 = msg("2045:01", dup223); + +var select1933 = linear_select([ + msg3989, + msg3990, +]); + +var msg3991 = msg("2046", dup222); + +var msg3992 = msg("2046:01", dup223); + +var select1934 = linear_select([ + msg3991, + msg3992, +]); + +var msg3993 = msg("2047", dup196); + +var msg3994 = msg("2047:01", dup217); + +var select1935 = linear_select([ + msg3993, + msg3994, +]); + +var msg3995 = msg("2048", dup222); + +var msg3996 = msg("2048:01", dup223); + +var select1936 = linear_select([ + msg3995, + msg3996, +]); + +var msg3997 = msg("2049", dup240); + +var msg3998 = msg("2049:01", dup241); + +var select1937 = linear_select([ + msg3997, + msg3998, +]); + +var msg3999 = msg("2050", dup260); + +var msg4000 = msg("2050:01", dup261); + +var select1938 = linear_select([ + msg3999, + msg4000, +]); + +var msg4001 = msg("2051", dup265); + +var msg4002 = msg("2051:01", dup266); + +var select1939 = linear_select([ + msg4001, + msg4002, +]); + +var msg4003 = msg("2052", dup197); + +var msg4004 = msg("2052:01", dup221); + +var select1940 = linear_select([ + msg4003, + msg4004, +]); + +var msg4005 = msg("2053", dup265); + +var msg4006 = msg("2053:01", dup266); + +var select1941 = linear_select([ + msg4005, + msg4006, +]); + +var msg4007 = msg("2054", dup265); + +var msg4008 = msg("2054:01", dup266); + +var select1942 = linear_select([ + msg4007, + msg4008, +]); + +var msg4009 = msg("2055", dup265); + +var msg4010 = msg("2055:01", dup266); + +var select1943 = linear_select([ + msg4009, + msg4010, +]); + +var msg4011 = msg("2056", dup265); + +var msg4012 = msg("2056:01", dup266); + +var select1944 = linear_select([ + msg4011, + msg4012, +]); + +var msg4013 = msg("2057", dup265); + +var msg4014 = msg("2057:01", dup266); + +var select1945 = linear_select([ + msg4013, + msg4014, +]); + +var msg4015 = msg("2058", dup265); + +var msg4016 = msg("2058:01", dup266); + +var select1946 = linear_select([ + msg4015, + msg4016, +]); + +var msg4017 = msg("2059", dup265); + +var msg4018 = msg("2059:01", dup266); + +var select1947 = linear_select([ + msg4017, + msg4018, +]); + +var msg4019 = msg("2060", dup265); + +var msg4020 = msg("2060:01", dup266); + +var select1948 = linear_select([ + msg4019, + msg4020, +]); + +var msg4021 = msg("2061", dup265); + +var msg4022 = msg("2061:01", dup266); + +var select1949 = linear_select([ + msg4021, + msg4022, +]); + +var msg4023 = msg("2062", dup265); + +var msg4024 = msg("2062:01", dup266); + +var select1950 = linear_select([ + msg4023, + msg4024, +]); + +var msg4025 = msg("2063", dup260); + +var msg4026 = msg("2063:01", dup261); + +var select1951 = linear_select([ + msg4025, + msg4026, +]); + +var msg4027 = msg("2064", dup265); + +var msg4028 = msg("2064:01", dup266); + +var select1952 = linear_select([ + msg4027, + msg4028, +]); + +var msg4029 = msg("2065", dup265); + +var msg4030 = msg("2065:01", dup266); + +var select1953 = linear_select([ + msg4029, + msg4030, +]); + +var msg4031 = msg("2066", dup265); + +var msg4032 = msg("2066:01", dup266); + +var select1954 = linear_select([ + msg4031, + msg4032, +]); + +var msg4033 = msg("2067", dup265); + +var msg4034 = msg("2067:01", dup266); + +var select1955 = linear_select([ + msg4033, + msg4034, +]); + +var msg4035 = msg("2068", dup265); + +var msg4036 = msg("2068:01", dup266); + +var select1956 = linear_select([ + msg4035, + msg4036, +]); + +var msg4037 = msg("2069", dup265); + +var msg4038 = msg("2069:01", dup266); + +var select1957 = linear_select([ + msg4037, + msg4038, +]); + +var msg4039 = msg("2070", dup265); + +var msg4040 = msg("2070:01", dup266); + +var select1958 = linear_select([ + msg4039, + msg4040, +]); + +var msg4041 = msg("2071", dup265); + +var msg4042 = msg("2071:01", dup266); + +var select1959 = linear_select([ + msg4041, + msg4042, +]); + +var msg4043 = msg("2072", dup265); + +var msg4044 = msg("2072:01", dup266); + +var select1960 = linear_select([ + msg4043, + msg4044, +]); + +var msg4045 = msg("2073", dup265); + +var msg4046 = msg("2073:01", dup266); + +var select1961 = linear_select([ + msg4045, + msg4046, +]); + +var msg4047 = msg("2074", dup265); + +var msg4048 = msg("2074:01", dup266); + +var select1962 = linear_select([ + msg4047, + msg4048, +]); + +var msg4049 = msg("2075", dup265); + +var msg4050 = msg("2075:01", dup266); + +var select1963 = linear_select([ + msg4049, + msg4050, +]); + +var msg4051 = msg("2076", dup265); + +var msg4052 = msg("2076:01", dup266); + +var select1964 = linear_select([ + msg4051, + msg4052, +]); + +var msg4053 = msg("2077", dup265); + +var msg4054 = msg("2077:01", dup266); + +var select1965 = linear_select([ + msg4053, + msg4054, +]); + +var msg4055 = msg("2078", dup265); + +var msg4056 = msg("2078:01", dup266); + +var select1966 = linear_select([ + msg4055, + msg4056, +]); + +var msg4057 = msg("2079", dup258); + +var msg4058 = msg("2079:01", dup259); + +var select1967 = linear_select([ + msg4057, + msg4058, +]); + +var msg4059 = msg("2080", dup255); + +var msg4060 = msg("2080:01", dup256); + +var select1968 = linear_select([ + msg4059, + msg4060, +]); + +var msg4061 = msg("2081", dup258); + +var msg4062 = msg("2081:01", dup259); + +var select1969 = linear_select([ + msg4061, + msg4062, +]); + +var msg4063 = msg("2082", dup255); + +var msg4064 = msg("2082:01", dup256); + +var select1970 = linear_select([ + msg4063, + msg4064, +]); + +var msg4065 = msg("2083", dup255); + +var msg4066 = msg("2083:01", dup256); + +var select1971 = linear_select([ + msg4065, + msg4066, +]); + +var msg4067 = msg("2084", dup255); + +var msg4068 = msg("2084:01", dup256); + +var select1972 = linear_select([ + msg4067, + msg4068, +]); + +var msg4069 = msg("2085", dup265); + +var msg4070 = msg("2085:01", dup266); + +var select1973 = linear_select([ + msg4069, + msg4070, +]); + +var msg4071 = msg("2086", dup265); + +var msg4072 = msg("2086:01", dup266); + +var select1974 = linear_select([ + msg4071, + msg4072, +]); + +var msg4073 = msg("2087", dup222); + +var msg4074 = msg("2087:01", dup223); + +var select1975 = linear_select([ + msg4073, + msg4074, +]); + +var msg4075 = msg("2088", dup255); + +var msg4076 = msg("2088:01", dup256); + +var select1976 = linear_select([ + msg4075, + msg4076, +]); + +var msg4077 = msg("2089", dup255); + +var msg4078 = msg("2089:01", dup256); + +var select1977 = linear_select([ + msg4077, + msg4078, +]); + +var msg4079 = msg("2090", dup267); + +var msg4080 = msg("2090:01", dup268); + +var select1978 = linear_select([ + msg4079, + msg4080, +]); + +var msg4081 = msg("2091", dup194); + +var msg4082 = msg("2091:01", dup229); + +var select1979 = linear_select([ + msg4081, + msg4082, +]); + +var msg4083 = msg("2092", dup222); + +var msg4084 = msg("2092:01", dup223); + +var select1980 = linear_select([ + msg4083, + msg4084, +]); + +var msg4085 = msg("2093", dup222); + +var msg4086 = msg("2093:01", dup223); + +var select1981 = linear_select([ + msg4085, + msg4086, +]); + +var msg4087 = msg("2094", dup222); + +var msg4088 = msg("2094:01", dup223); + +var select1982 = linear_select([ + msg4087, + msg4088, +]); + +var msg4089 = msg("2095", dup201); + +var msg4090 = msg("2095:01", dup289); + +var select1983 = linear_select([ + msg4089, + msg4090, +]); + +var msg4091 = msg("2096", dup192); + +var msg4092 = msg("2096:01", dup262); + +var select1984 = linear_select([ + msg4091, + msg4092, +]); + +var msg4093 = msg("2097", dup192); + +var msg4094 = msg("2097:01", dup262); + +var select1985 = linear_select([ + msg4093, + msg4094, +]); + +var msg4095 = msg("2098", dup192); + +var msg4096 = msg("2098:01", dup262); + +var select1986 = linear_select([ + msg4095, + msg4096, +]); + +var msg4097 = msg("2099", dup192); + +var msg4098 = msg("2099:01", dup262); + +var select1987 = linear_select([ + msg4097, + msg4098, +]); + +var msg4099 = msg("2100", dup192); + +var msg4100 = msg("2100:01", dup262); + +var select1988 = linear_select([ + msg4099, + msg4100, +]); + +var msg4101 = msg("2101", dup198); + +var msg4102 = msg("2101:01", dup220); + +var select1989 = linear_select([ + msg4101, + msg4102, +]); + +var msg4103 = msg("2102", dup198); + +var msg4104 = msg("2102:01", dup220); + +var select1990 = linear_select([ + msg4103, + msg4104, +]); + +var msg4105 = msg("2103", dup276); + +var msg4106 = msg("2103:01", dup277); + +var select1991 = linear_select([ + msg4105, + msg4106, +]); + +var msg4107 = msg("2104", dup197); + +var msg4108 = msg("2104:01", dup221); + +var select1992 = linear_select([ + msg4107, + msg4108, +]); + +var msg4109 = msg("2105", dup222); + +var msg4110 = msg("2105:01", dup223); + +var select1993 = linear_select([ + msg4109, + msg4110, +]); + +var msg4111 = msg("2106", dup222); + +var msg4112 = msg("2106:01", dup223); + +var select1994 = linear_select([ + msg4111, + msg4112, +]); + +var msg4113 = msg("2107", dup222); + +var msg4114 = msg("2107:01", dup223); + +var select1995 = linear_select([ + msg4113, + msg4114, +]); + +var msg4115 = msg("2108", dup222); + +var msg4116 = msg("2108:01", dup223); + +var select1996 = linear_select([ + msg4115, + msg4116, +]); + +var msg4117 = msg("2109", dup222); + +var msg4118 = msg("2109:01", dup223); + +var select1997 = linear_select([ + msg4117, + msg4118, +]); + +var msg4119 = msg("2110", dup222); + +var msg4120 = msg("2110:01", dup223); + +var select1998 = linear_select([ + msg4119, + msg4120, +]); + +var msg4121 = msg("2111", dup222); + +var msg4122 = msg("2111:01", dup223); + +var select1999 = linear_select([ + msg4121, + msg4122, +]); + +var msg4123 = msg("2112", dup222); + +var msg4124 = msg("2112:01", dup223); + +var select2000 = linear_select([ + msg4123, + msg4124, +]); + +var msg4125 = msg("2113", dup222); + +var msg4126 = msg("2113:01", dup223); + +var select2001 = linear_select([ + msg4125, + msg4126, +]); + +var msg4127 = msg("2114", dup222); + +var msg4128 = msg("2114:01", dup223); + +var select2002 = linear_select([ + msg4127, + msg4128, +]); + +var msg4129 = msg("2115", dup265); + +var msg4130 = msg("2115:01", dup266); + +var select2003 = linear_select([ + msg4129, + msg4130, +]); + +var msg4131 = msg("2116", dup265); + +var msg4132 = msg("2116:01", dup266); + +var select2004 = linear_select([ + msg4131, + msg4132, +]); + +var msg4133 = msg("2117", dup265); + +var msg4134 = msg("2117:01", dup266); + +var select2005 = linear_select([ + msg4133, + msg4134, +]); + +var msg4135 = msg("2118", dup222); + +var msg4136 = msg("2118:01", dup223); + +var select2006 = linear_select([ + msg4135, + msg4136, +]); + +var msg4137 = msg("2119", dup222); + +var msg4138 = msg("2119:01", dup223); + +var select2007 = linear_select([ + msg4137, + msg4138, +]); + +var msg4139 = msg("2120", dup222); + +var msg4140 = msg("2120:01", dup223); + +var select2008 = linear_select([ + msg4139, + msg4140, +]); + +var msg4141 = msg("2121", dup298); + +var msg4142 = msg("2121:01", dup299); + +var select2009 = linear_select([ + msg4141, + msg4142, +]); + +var msg4143 = msg("2122", dup298); + +var msg4144 = msg("2122:01", dup299); + +var select2010 = linear_select([ + msg4143, + msg4144, +]); + +var msg4145 = msg("2123", dup196); + +var msg4146 = msg("2123:01", dup217); + +var select2011 = linear_select([ + msg4145, + msg4146, +]); + +var msg4147 = msg("2124", dup192); + +var msg4148 = msg("2124:01", dup262); + +var select2012 = linear_select([ + msg4147, + msg4148, +]); + +var msg4149 = msg("2125", dup227); + +var msg4150 = msg("2125:01", dup228); + +var select2013 = linear_select([ + msg4149, + msg4150, +]); + +var msg4151 = msg("2126", dup222); + +var msg4152 = msg("2126:01", dup223); + +var select2014 = linear_select([ + msg4151, + msg4152, +]); + +var msg4153 = msg("2127", dup265); + +var msg4154 = msg("2127:01", dup266); + +var select2015 = linear_select([ + msg4153, + msg4154, +]); + +var msg4155 = msg("2128", dup265); + +var msg4156 = msg("2128:01", dup266); + +var select2016 = linear_select([ + msg4155, + msg4156, +]); + +var msg4157 = msg("2129", dup265); + +var msg4158 = msg("2129:01", dup266); + +var select2017 = linear_select([ + msg4157, + msg4158, +]); + +var msg4159 = msg("2130", dup265); + +var msg4160 = msg("2130:01", dup266); + +var select2018 = linear_select([ + msg4159, + msg4160, +]); + +var msg4161 = msg("2131", dup265); + +var msg4162 = msg("2131:01", dup266); + +var select2019 = linear_select([ + msg4161, + msg4162, +]); + +var msg4163 = msg("2132", dup265); + +var msg4164 = msg("2132:01", dup266); + +var select2020 = linear_select([ + msg4163, + msg4164, +]); + +var msg4165 = msg("2133", dup265); + +var msg4166 = msg("2133:01", dup266); + +var select2021 = linear_select([ + msg4165, + msg4166, +]); + +var msg4167 = msg("2134", dup265); + +var msg4168 = msg("2134:01", dup266); + +var select2022 = linear_select([ + msg4167, + msg4168, +]); + +var msg4169 = msg("2135", dup265); + +var msg4170 = msg("2135:01", dup266); + +var select2023 = linear_select([ + msg4169, + msg4170, +]); + +var msg4171 = msg("2136", dup285); + +var msg4172 = msg("2136:01", dup286); + +var select2024 = linear_select([ + msg4171, + msg4172, +]); + +var msg4173 = msg("2137", dup265); + +var msg4174 = msg("2137:01", dup266); + +var select2025 = linear_select([ + msg4173, + msg4174, +]); + +var msg4175 = msg("2138", dup265); + +var msg4176 = msg("2138:01", dup266); + +var select2026 = linear_select([ + msg4175, + msg4176, +]); + +var msg4177 = msg("2139", dup265); + +var msg4178 = msg("2139:01", dup266); + +var select2027 = linear_select([ + msg4177, + msg4178, +]); + +var msg4179 = msg("2140", dup265); + +var msg4180 = msg("2140:01", dup266); + +var select2028 = linear_select([ + msg4179, + msg4180, +]); + +var msg4181 = msg("2141", dup265); + +var msg4182 = msg("2141:01", dup266); + +var select2029 = linear_select([ + msg4181, + msg4182, +]); + +var msg4183 = msg("2142", dup265); + +var msg4184 = msg("2142:01", dup266); + +var select2030 = linear_select([ + msg4183, + msg4184, +]); + +var msg4185 = msg("2143", dup265); + +var msg4186 = msg("2143:01", dup266); + +var select2031 = linear_select([ + msg4185, + msg4186, +]); + +var msg4187 = msg("2144", dup265); + +var msg4188 = msg("2144:01", dup266); + +var select2032 = linear_select([ + msg4187, + msg4188, +]); + +var msg4189 = msg("2145", dup265); + +var msg4190 = msg("2145:01", dup266); + +var select2033 = linear_select([ + msg4189, + msg4190, +]); + +var msg4191 = msg("2146", dup265); + +var msg4192 = msg("2146:01", dup266); + +var select2034 = linear_select([ + msg4191, + msg4192, +]); + +var msg4193 = msg("2147", dup265); + +var msg4194 = msg("2147:01", dup266); + +var select2035 = linear_select([ + msg4193, + msg4194, +]); + +var msg4195 = msg("2148", dup265); + +var msg4196 = msg("2148:01", dup266); + +var select2036 = linear_select([ + msg4195, + msg4196, +]); + +var msg4197 = msg("2149", dup265); + +var msg4198 = msg("2149:01", dup266); + +var select2037 = linear_select([ + msg4197, + msg4198, +]); + +var msg4199 = msg("2150", dup265); + +var msg4200 = msg("2150:01", dup266); + +var select2038 = linear_select([ + msg4199, + msg4200, +]); + +var msg4201 = msg("2151", dup265); + +var msg4202 = msg("2151:01", dup266); + +var select2039 = linear_select([ + msg4201, + msg4202, +]); + +var msg4203 = msg("2152", dup265); + +var msg4204 = msg("2152:01", dup266); + +var select2040 = linear_select([ + msg4203, + msg4204, +]); + +var msg4205 = msg("2153", dup265); + +var msg4206 = msg("2153:01", dup266); + +var select2041 = linear_select([ + msg4205, + msg4206, +]); + +var msg4207 = msg("2154", dup265); + +var msg4208 = msg("2154:01", dup266); + +var select2042 = linear_select([ + msg4207, + msg4208, +]); + +var msg4209 = msg("2155", dup265); + +var msg4210 = msg("2155:01", dup266); + +var select2043 = linear_select([ + msg4209, + msg4210, +]); + +var msg4211 = msg("2156", dup265); + +var msg4212 = msg("2156:01", dup266); + +var select2044 = linear_select([ + msg4211, + msg4212, +]); + +var msg4213 = msg("2157", dup265); + +var msg4214 = msg("2157:01", dup266); + +var select2045 = linear_select([ + msg4213, + msg4214, +]); + +var msg4215 = msg("2158", dup196); + +var msg4216 = msg("2158:01", dup217); + +var select2046 = linear_select([ + msg4215, + msg4216, +]); + +var msg4217 = msg("2159", dup196); + +var msg4218 = msg("2159:01", dup217); + +var select2047 = linear_select([ + msg4217, + msg4218, +]); + +var msg4219 = msg("2160", dup263); + +var msg4220 = msg("2160:01", dup264); + +var select2048 = linear_select([ + msg4219, + msg4220, +]); + +var msg4221 = msg("2161", dup263); + +var msg4222 = msg("2161:01", dup264); + +var select2049 = linear_select([ + msg4221, + msg4222, +]); + +var msg4223 = msg("2162", dup263); + +var msg4224 = msg("2162:01", dup264); + +var select2050 = linear_select([ + msg4223, + msg4224, +]); + +var msg4225 = msg("2163", dup263); + +var msg4226 = msg("2163:01", dup264); + +var select2051 = linear_select([ + msg4225, + msg4226, +]); + +var msg4227 = msg("2164", dup263); + +var msg4228 = msg("2164:01", dup264); + +var select2052 = linear_select([ + msg4227, + msg4228, +]); + +var msg4229 = msg("2165", dup263); + +var msg4230 = msg("2165:01", dup264); + +var select2053 = linear_select([ + msg4229, + msg4230, +]); + +var msg4231 = msg("2166", dup263); + +var msg4232 = msg("2166:01", dup264); + +var select2054 = linear_select([ + msg4231, + msg4232, +]); + +var msg4233 = msg("2167", dup263); + +var msg4234 = msg("2167:01", dup264); + +var select2055 = linear_select([ + msg4233, + msg4234, +]); + +var msg4235 = msg("2168", dup263); + +var msg4236 = msg("2168:01", dup264); + +var select2056 = linear_select([ + msg4235, + msg4236, +]); + +var msg4237 = msg("2169", dup263); + +var msg4238 = msg("2169:01", dup264); + +var select2057 = linear_select([ + msg4237, + msg4238, +]); + +var msg4239 = msg("2170", dup263); + +var msg4240 = msg("2170:01", dup264); + +var select2058 = linear_select([ + msg4239, + msg4240, +]); + +var msg4241 = msg("2171", dup263); + +var msg4242 = msg("2171:01", dup264); + +var select2059 = linear_select([ + msg4241, + msg4242, +]); + +var msg4243 = msg("2172", dup263); + +var msg4244 = msg("2172:01", dup264); + +var select2060 = linear_select([ + msg4243, + msg4244, +]); + +var msg4245 = msg("2173", dup263); + +var msg4246 = msg("2173:01", dup264); + +var select2061 = linear_select([ + msg4245, + msg4246, +]); + +var msg4247 = msg("2174", dup276); + +var msg4248 = msg("2174:01", dup277); + +var select2062 = linear_select([ + msg4247, + msg4248, +]); + +var msg4249 = msg("2175", dup276); + +var msg4250 = msg("2175:01", dup277); + +var select2063 = linear_select([ + msg4249, + msg4250, +]); + +var msg4251 = msg("2176", dup246); + +var msg4252 = msg("2176:01", dup247); + +var select2064 = linear_select([ + msg4251, + msg4252, +]); + +var msg4253 = msg("2177", dup246); + +var msg4254 = msg("2177:01", dup247); + +var select2065 = linear_select([ + msg4253, + msg4254, +]); + +var msg4255 = msg("2178", dup227); + +var msg4256 = msg("2178:01", dup228); + +var select2066 = linear_select([ + msg4255, + msg4256, +]); + +var msg4257 = msg("2179", dup227); + +var msg4258 = msg("2179:01", dup228); + +var select2067 = linear_select([ + msg4257, + msg4258, +]); + +var msg4259 = msg("2180", dup196); + +var msg4260 = msg("2180:01", dup217); + +var select2068 = linear_select([ + msg4259, + msg4260, +]); + +var msg4261 = msg("2181", dup196); + +var msg4262 = msg("2181:01", dup217); + +var select2069 = linear_select([ + msg4261, + msg4262, +]); + +var msg4263 = msg("2182", dup192); + +var msg4264 = msg("2182:01", dup262); + +var select2070 = linear_select([ + msg4263, + msg4264, +]); + +var msg4265 = msg("2183", dup222); + +var msg4266 = msg("2183:01", dup223); + +var select2071 = linear_select([ + msg4265, + msg4266, +]); + +var msg4267 = msg("2184", dup201); + +var msg4268 = msg("2184:01", dup289); + +var select2072 = linear_select([ + msg4267, + msg4268, +]); + +var msg4269 = msg("2185", dup222); + +var msg4270 = msg("2185:01", dup223); + +var select2073 = linear_select([ + msg4269, + msg4270, +]); + +var msg4271 = msg("2186", dup196); + +var msg4272 = msg("2186:01", dup217); + +var select2074 = linear_select([ + msg4271, + msg4272, +]); + +var msg4273 = msg("2187", dup196); + +var msg4274 = msg("2187:01", dup217); + +var select2075 = linear_select([ + msg4273, + msg4274, +]); + +var msg4275 = msg("2188", dup196); + +var msg4276 = msg("2188:01", dup217); + +var select2076 = linear_select([ + msg4275, + msg4276, +]); + +var msg4277 = msg("2189", dup196); + +var msg4278 = msg("2189:01", dup217); + +var select2077 = linear_select([ + msg4277, + msg4278, +]); + +var msg4279 = msg("2190", dup276); + +var msg4280 = msg("2190:01", dup277); + +var select2078 = linear_select([ + msg4279, + msg4280, +]); + +var msg4281 = msg("2191", dup276); + +var msg4282 = msg("2191:01", dup277); + +var select2079 = linear_select([ + msg4281, + msg4282, +]); + +var msg4283 = msg("2192", dup276); + +var msg4284 = msg("2192:01", dup277); + +var select2080 = linear_select([ + msg4283, + msg4284, +]); + +var msg4285 = msg("2193", dup276); + +var msg4286 = msg("2193:01", dup277); + +var select2081 = linear_select([ + msg4285, + msg4286, +]); + +var msg4287 = msg("2194", dup265); + +var msg4288 = msg("2194:01", dup266); + +var select2082 = linear_select([ + msg4287, + msg4288, +]); + +var msg4289 = msg("2195", dup265); + +var msg4290 = msg("2195:01", dup266); + +var select2083 = linear_select([ + msg4289, + msg4290, +]); + +var msg4291 = msg("2196", dup265); + +var msg4292 = msg("2196:01", dup266); + +var select2084 = linear_select([ + msg4291, + msg4292, +]); + +var msg4293 = msg("2197", dup265); + +var msg4294 = msg("2197:01", dup266); + +var select2085 = linear_select([ + msg4293, + msg4294, +]); + +var msg4295 = msg("2198", dup265); + +var msg4296 = msg("2198:01", dup266); + +var select2086 = linear_select([ + msg4295, + msg4296, +]); + +var msg4297 = msg("2199", dup265); + +var msg4298 = msg("2199:01", dup266); + +var select2087 = linear_select([ + msg4297, + msg4298, +]); + +var msg4299 = msg("2200", dup265); + +var msg4300 = msg("2200:01", dup266); + +var select2088 = linear_select([ + msg4299, + msg4300, +]); + +var msg4301 = msg("2201", dup265); + +var msg4302 = msg("2201:01", dup266); + +var select2089 = linear_select([ + msg4301, + msg4302, +]); + +var msg4303 = msg("2202", dup265); + +var msg4304 = msg("2202:01", dup266); + +var select2090 = linear_select([ + msg4303, + msg4304, +]); + +var msg4305 = msg("2203", dup265); + +var msg4306 = msg("2203:01", dup266); + +var select2091 = linear_select([ + msg4305, + msg4306, +]); + +var msg4307 = msg("2204", dup265); + +var msg4308 = msg("2204:01", dup266); + +var select2092 = linear_select([ + msg4307, + msg4308, +]); + +var msg4309 = msg("2205", dup265); + +var msg4310 = msg("2205:01", dup266); + +var select2093 = linear_select([ + msg4309, + msg4310, +]); + +var msg4311 = msg("2206", dup265); + +var msg4312 = msg("2206:01", dup266); + +var select2094 = linear_select([ + msg4311, + msg4312, +]); + +var msg4313 = msg("2207", dup265); + +var msg4314 = msg("2207:01", dup266); + +var select2095 = linear_select([ + msg4313, + msg4314, +]); + +var msg4315 = msg("2208", dup265); + +var msg4316 = msg("2208:01", dup266); + +var select2096 = linear_select([ + msg4315, + msg4316, +]); + +var msg4317 = msg("2209", dup265); + +var msg4318 = msg("2209:01", dup266); + +var select2097 = linear_select([ + msg4317, + msg4318, +]); + +var msg4319 = msg("2210", dup265); + +var msg4320 = msg("2210:01", dup266); + +var select2098 = linear_select([ + msg4319, + msg4320, +]); + +var msg4321 = msg("2211", dup265); + +var msg4322 = msg("2211:01", dup266); + +var select2099 = linear_select([ + msg4321, + msg4322, +]); + +var msg4323 = msg("2212", dup265); + +var msg4324 = msg("2212:01", dup266); + +var select2100 = linear_select([ + msg4323, + msg4324, +]); + +var msg4325 = msg("2213", dup265); + +var msg4326 = msg("2213:01", dup266); + +var select2101 = linear_select([ + msg4325, + msg4326, +]); + +var msg4327 = msg("2214", dup265); + +var msg4328 = msg("2214:01", dup266); + +var select2102 = linear_select([ + msg4327, + msg4328, +]); + +var msg4329 = msg("2215", dup265); + +var msg4330 = msg("2215:01", dup266); + +var select2103 = linear_select([ + msg4329, + msg4330, +]); + +var msg4331 = msg("2216", dup265); + +var msg4332 = msg("2216:01", dup266); + +var select2104 = linear_select([ + msg4331, + msg4332, +]); + +var msg4333 = msg("2217", dup265); + +var msg4334 = msg("2217:01", dup266); + +var select2105 = linear_select([ + msg4333, + msg4334, +]); + +var msg4335 = msg("2218", dup265); + +var msg4336 = msg("2218:01", dup266); + +var select2106 = linear_select([ + msg4335, + msg4336, +]); + +var msg4337 = msg("2219", dup265); + +var msg4338 = msg("2219:01", dup266); + +var select2107 = linear_select([ + msg4337, + msg4338, +]); + +var msg4339 = msg("2220", dup265); + +var msg4340 = msg("2220:01", dup266); + +var select2108 = linear_select([ + msg4339, + msg4340, +]); + +var msg4341 = msg("2221", dup265); + +var msg4342 = msg("2221:01", dup266); + +var select2109 = linear_select([ + msg4341, + msg4342, +]); + +var msg4343 = msg("2222", dup194); + +var msg4344 = msg("2222:01", dup229); + +var select2110 = linear_select([ + msg4343, + msg4344, +]); + +var msg4345 = msg("2223", dup265); + +var msg4346 = msg("2223:01", dup266); + +var select2111 = linear_select([ + msg4345, + msg4346, +]); + +var msg4347 = msg("2224", dup265); + +var msg4348 = msg("2224:01", dup266); + +var select2112 = linear_select([ + msg4347, + msg4348, +]); + +var msg4349 = msg("2225", dup265); + +var msg4350 = msg("2225:01", dup266); + +var select2113 = linear_select([ + msg4349, + msg4350, +]); + +var msg4351 = msg("2226", dup265); + +var msg4352 = msg("2226:01", dup266); + +var select2114 = linear_select([ + msg4351, + msg4352, +]); + +var msg4353 = msg("2227", dup265); + +var msg4354 = msg("2227:01", dup266); + +var select2115 = linear_select([ + msg4353, + msg4354, +]); + +var msg4355 = msg("2228", dup240); + +var msg4356 = msg("2228:01", dup241); + +var select2116 = linear_select([ + msg4355, + msg4356, +]); + +var msg4357 = msg("2229", dup265); + +var msg4358 = msg("2229:01", dup266); + +var select2117 = linear_select([ + msg4357, + msg4358, +]); + +var msg4359 = msg("2230", dup265); + +var msg4360 = msg("2230:01", dup266); + +var select2118 = linear_select([ + msg4359, + msg4360, +]); + +var msg4361 = msg("2231", dup265); + +var msg4362 = msg("2231:01", dup266); + +var select2119 = linear_select([ + msg4361, + msg4362, +]); + +var msg4363 = msg("2232", dup265); + +var msg4364 = msg("2232:01", dup266); + +var select2120 = linear_select([ + msg4363, + msg4364, +]); + +var msg4365 = msg("2233", dup265); + +var msg4366 = msg("2233:01", dup266); + +var select2121 = linear_select([ + msg4365, + msg4366, +]); + +var msg4367 = msg("2234", dup265); + +var msg4368 = msg("2234:01", dup266); + +var select2122 = linear_select([ + msg4367, + msg4368, +]); + +var msg4369 = msg("2235", dup265); + +var msg4370 = msg("2235:01", dup266); + +var select2123 = linear_select([ + msg4369, + msg4370, +]); + +var msg4371 = msg("2236", dup265); + +var msg4372 = msg("2236:01", dup266); + +var select2124 = linear_select([ + msg4371, + msg4372, +]); + +var msg4373 = msg("2237", dup265); + +var msg4374 = msg("2237:01", dup266); + +var select2125 = linear_select([ + msg4373, + msg4374, +]); + +var msg4375 = msg("2238", dup265); + +var msg4376 = msg("2238:01", dup266); + +var select2126 = linear_select([ + msg4375, + msg4376, +]); + +var msg4377 = msg("2239", dup265); + +var msg4378 = msg("2239:01", dup266); + +var select2127 = linear_select([ + msg4377, + msg4378, +]); + +var msg4379 = msg("2240", dup265); + +var msg4380 = msg("2240:01", dup266); + +var select2128 = linear_select([ + msg4379, + msg4380, +]); + +var msg4381 = msg("2241", dup265); + +var msg4382 = msg("2241:01", dup266); + +var select2129 = linear_select([ + msg4381, + msg4382, +]); + +var msg4383 = msg("2242", dup265); + +var msg4384 = msg("2242:01", dup266); + +var select2130 = linear_select([ + msg4383, + msg4384, +]); + +var msg4385 = msg("2243", dup265); + +var msg4386 = msg("2243:01", dup266); + +var select2131 = linear_select([ + msg4385, + msg4386, +]); + +var msg4387 = msg("2244", dup265); + +var msg4388 = msg("2244:01", dup266); + +var select2132 = linear_select([ + msg4387, + msg4388, +]); + +var msg4389 = msg("2245", dup265); + +var msg4390 = msg("2245:01", dup266); + +var select2133 = linear_select([ + msg4389, + msg4390, +]); + +var msg4391 = msg("2246", dup265); + +var msg4392 = msg("2246:01", dup266); + +var select2134 = linear_select([ + msg4391, + msg4392, +]); + +var msg4393 = msg("2247", dup265); + +var msg4394 = msg("2247:01", dup266); + +var select2135 = linear_select([ + msg4393, + msg4394, +]); + +var msg4395 = msg("2248", dup265); + +var msg4396 = msg("2248:01", dup266); + +var select2136 = linear_select([ + msg4395, + msg4396, +]); + +var msg4397 = msg("2249", dup265); + +var msg4398 = msg("2249:01", dup266); + +var select2137 = linear_select([ + msg4397, + msg4398, +]); + +var msg4399 = msg("2250", dup298); + +var msg4400 = msg("2250:01", dup299); + +var select2138 = linear_select([ + msg4399, + msg4400, +]); + +var msg4401 = msg("2251", dup276); + +var msg4402 = msg("2251:01", dup277); + +var select2139 = linear_select([ + msg4401, + msg4402, +]); + +var msg4403 = msg("2252", dup276); + +var msg4404 = msg("2252:01", dup277); + +var select2140 = linear_select([ + msg4403, + msg4404, +]); + +var msg4405 = msg("2253", dup222); + +var msg4406 = msg("2253:01", dup223); + +var select2141 = linear_select([ + msg4405, + msg4406, +]); + +var msg4407 = msg("2254", dup222); + +var msg4408 = msg("2254:01", dup223); + +var select2142 = linear_select([ + msg4407, + msg4408, +]); + +var msg4409 = msg("2255", dup255); + +var msg4410 = msg("2255:01", dup256); + +var select2143 = linear_select([ + msg4409, + msg4410, +]); + +var msg4411 = msg("2256", dup255); + +var msg4412 = msg("2256:01", dup256); + +var select2144 = linear_select([ + msg4411, + msg4412, +]); + +var msg4413 = msg("2257", dup276); + +var msg4414 = msg("2257:01", dup277); + +var select2145 = linear_select([ + msg4413, + msg4414, +]); + +var msg4415 = msg("2258", dup276); + +var msg4416 = msg("2258:01", dup277); + +var select2146 = linear_select([ + msg4415, + msg4416, +]); + +var msg4417 = msg("2259", dup222); + +var msg4418 = msg("2259:01", dup223); + +var select2147 = linear_select([ + msg4417, + msg4418, +]); + +var msg4419 = msg("2260", dup222); + +var msg4420 = msg("2260:01", dup223); + +var select2148 = linear_select([ + msg4419, + msg4420, +]); + +var msg4421 = msg("2261", dup194); + +var msg4422 = msg("2261:01", dup229); + +var select2149 = linear_select([ + msg4421, + msg4422, +]); + +var msg4423 = msg("2262", dup194); + +var msg4424 = msg("2262:01", dup229); + +var select2150 = linear_select([ + msg4423, + msg4424, +]); + +var msg4425 = msg("2263", dup194); + +var msg4426 = msg("2263:01", dup229); + +var select2151 = linear_select([ + msg4425, + msg4426, +]); + +var msg4427 = msg("2264", dup194); + +var msg4428 = msg("2264:01", dup229); + +var select2152 = linear_select([ + msg4427, + msg4428, +]); + +var msg4429 = msg("2265", dup194); + +var msg4430 = msg("2265:01", dup229); + +var select2153 = linear_select([ + msg4429, + msg4430, +]); + +var msg4431 = msg("2266", dup194); + +var msg4432 = msg("2266:01", dup229); + +var select2154 = linear_select([ + msg4431, + msg4432, +]); + +var msg4433 = msg("2267", dup194); + +var msg4434 = msg("2267:01", dup229); + +var select2155 = linear_select([ + msg4433, + msg4434, +]); + +var msg4435 = msg("2268", dup194); + +var msg4436 = msg("2268:01", dup229); + +var select2156 = linear_select([ + msg4435, + msg4436, +]); + +var msg4437 = msg("2269", dup194); + +var msg4438 = msg("2269:01", dup229); + +var select2157 = linear_select([ + msg4437, + msg4438, +]); + +var msg4439 = msg("2270", dup194); + +var msg4440 = msg("2270:01", dup229); + +var select2158 = linear_select([ + msg4439, + msg4440, +]); + +var msg4441 = msg("2271", dup192); + +var msg4442 = msg("2271:01", dup262); + +var select2159 = linear_select([ + msg4441, + msg4442, +]); + +var msg4443 = msg("2272", dup222); + +var msg4444 = msg("2272:01", dup223); + +var select2160 = linear_select([ + msg4443, + msg4444, +]); + +var msg4445 = msg("2273", dup196); + +var msg4446 = msg("2273:01", dup217); + +var select2161 = linear_select([ + msg4445, + msg4446, +]); + +var msg4447 = msg("2274", dup298); + +var msg4448 = msg("2274:01", dup299); + +var select2162 = linear_select([ + msg4447, + msg4448, +]); + +var msg4449 = msg("2275", dup250); + +var msg4450 = msg("2275:01", dup251); + +var select2163 = linear_select([ + msg4449, + msg4450, +]); + +var msg4451 = msg("2276", dup265); + +var msg4452 = msg("2276:01", dup266); + +var select2164 = linear_select([ + msg4451, + msg4452, +]); + +var msg4453 = msg("2277", dup265); + +var msg4454 = msg("2277:01", dup266); + +var select2165 = linear_select([ + msg4453, + msg4454, +]); + +var msg4455 = msg("2278", dup265); + +var msg4456 = msg("2278:01", dup266); + +var select2166 = linear_select([ + msg4455, + msg4456, +]); + +var msg4457 = msg("2279", dup265); + +var msg4458 = msg("2279:01", dup266); + +var select2167 = linear_select([ + msg4457, + msg4458, +]); + +var msg4459 = msg("2280", dup265); + +var msg4460 = msg("2280:01", dup266); + +var select2168 = linear_select([ + msg4459, + msg4460, +]); + +var msg4461 = msg("2281", dup265); + +var msg4462 = msg("2281:01", dup266); + +var select2169 = linear_select([ + msg4461, + msg4462, +]); + +var msg4463 = msg("2282", dup265); + +var msg4464 = msg("2282:01", dup266); + +var select2170 = linear_select([ + msg4463, + msg4464, +]); + +var msg4465 = msg("2283", dup265); + +var msg4466 = msg("2283:01", dup266); + +var select2171 = linear_select([ + msg4465, + msg4466, +]); + +var msg4467 = msg("2284", dup265); + +var msg4468 = msg("2284:01", dup266); + +var select2172 = linear_select([ + msg4467, + msg4468, +]); + +var msg4469 = msg("2285", dup265); + +var msg4470 = msg("2285:01", dup266); + +var select2173 = linear_select([ + msg4469, + msg4470, +]); + +var msg4471 = msg("2286", dup265); + +var msg4472 = msg("2286:01", dup266); + +var select2174 = linear_select([ + msg4471, + msg4472, +]); + +var msg4473 = msg("2287", dup265); + +var msg4474 = msg("2287:01", dup266); + +var select2175 = linear_select([ + msg4473, + msg4474, +]); + +var msg4475 = msg("2288", dup265); + +var msg4476 = msg("2288:01", dup266); + +var select2176 = linear_select([ + msg4475, + msg4476, +]); + +var msg4477 = msg("2289", dup265); + +var msg4478 = msg("2289:01", dup266); + +var select2177 = linear_select([ + msg4477, + msg4478, +]); + +var msg4479 = msg("2290", dup265); + +var msg4480 = msg("2290:01", dup266); + +var select2178 = linear_select([ + msg4479, + msg4480, +]); + +var msg4481 = msg("2291", dup265); + +var msg4482 = msg("2291:01", dup266); + +var select2179 = linear_select([ + msg4481, + msg4482, +]); + +var msg4483 = msg("2292", dup265); + +var msg4484 = msg("2292:01", dup266); + +var select2180 = linear_select([ + msg4483, + msg4484, +]); + +var msg4485 = msg("2293", dup265); + +var msg4486 = msg("2293:01", dup266); + +var select2181 = linear_select([ + msg4485, + msg4486, +]); + +var msg4487 = msg("2294", dup265); + +var msg4488 = msg("2294:01", dup266); + +var select2182 = linear_select([ + msg4487, + msg4488, +]); + +var msg4489 = msg("2295", dup265); + +var msg4490 = msg("2295:01", dup266); + +var select2183 = linear_select([ + msg4489, + msg4490, +]); + +var msg4491 = msg("2296", dup265); + +var msg4492 = msg("2296:01", dup266); + +var select2184 = linear_select([ + msg4491, + msg4492, +]); + +var msg4493 = msg("2297", dup265); + +var msg4494 = msg("2297:01", dup266); + +var select2185 = linear_select([ + msg4493, + msg4494, +]); + +var msg4495 = msg("2298", dup265); + +var msg4496 = msg("2298:01", dup266); + +var select2186 = linear_select([ + msg4495, + msg4496, +]); + +var msg4497 = msg("2299", dup265); + +var msg4498 = msg("2299:01", dup266); + +var select2187 = linear_select([ + msg4497, + msg4498, +]); + +var msg4499 = msg("2300", dup265); + +var msg4500 = msg("2300:01", dup266); + +var select2188 = linear_select([ + msg4499, + msg4500, +]); + +var msg4501 = msg("2301", dup265); + +var msg4502 = msg("2301:01", dup266); + +var select2189 = linear_select([ + msg4501, + msg4502, +]); + +var msg4503 = msg("2302", dup265); + +var msg4504 = msg("2302:01", dup266); + +var select2190 = linear_select([ + msg4503, + msg4504, +]); + +var msg4505 = msg("2303", dup265); + +var msg4506 = msg("2303:01", dup266); + +var select2191 = linear_select([ + msg4505, + msg4506, +]); + +var msg4507 = msg("2304", dup265); + +var msg4508 = msg("2304:01", dup266); + +var select2192 = linear_select([ + msg4507, + msg4508, +]); + +var msg4509 = msg("2305", dup265); + +var msg4510 = msg("2305:01", dup266); + +var select2193 = linear_select([ + msg4509, + msg4510, +]); + +var msg4511 = msg("2306", dup265); + +var msg4512 = msg("2306:01", dup266); + +var select2194 = linear_select([ + msg4511, + msg4512, +]); + +var msg4513 = msg("2307", dup265); + +var msg4514 = msg("2307:01", dup266); + +var select2195 = linear_select([ + msg4513, + msg4514, +]); + +var msg4515 = msg("2308", dup276); + +var msg4516 = msg("2308:01", dup277); + +var select2196 = linear_select([ + msg4515, + msg4516, +]); + +var msg4517 = msg("2309", dup276); + +var msg4518 = msg("2309:01", dup277); + +var select2197 = linear_select([ + msg4517, + msg4518, +]); + +var msg4519 = msg("2310", dup276); + +var msg4520 = msg("2310:01", dup277); + +var select2198 = linear_select([ + msg4519, + msg4520, +]); + +var msg4521 = msg("2311", dup276); + +var msg4522 = msg("2311:01", dup277); + +var select2199 = linear_select([ + msg4521, + msg4522, +]); + +var msg4523 = msg("2312", dup196); + +var msg4524 = msg("2312:01", dup217); + +var select2200 = linear_select([ + msg4523, + msg4524, +]); + +var msg4525 = msg("2313", dup196); + +var msg4526 = msg("2313:01", dup217); + +var select2201 = linear_select([ + msg4525, + msg4526, +]); + +var msg4527 = msg("2314", dup196); + +var msg4528 = msg("2314:01", dup217); + +var select2202 = linear_select([ + msg4527, + msg4528, +]); + +var msg4529 = msg("2315", dup276); + +var msg4530 = msg("2315:01", dup277); + +var select2203 = linear_select([ + msg4529, + msg4530, +]); + +var msg4531 = msg("2316", dup276); + +var msg4532 = msg("2316:01", dup277); + +var select2204 = linear_select([ + msg4531, + msg4532, +]); + +var msg4533 = msg("2317", dup196); + +var msg4534 = msg("2317:01", dup217); + +var select2205 = linear_select([ + msg4533, + msg4534, +]); + +var msg4535 = msg("2318", dup196); + +var msg4536 = msg("2318:01", dup217); + +var select2206 = linear_select([ + msg4535, + msg4536, +]); + +var msg4537 = msg("2319", dup222); + +var msg4538 = msg("2319:01", dup223); + +var select2207 = linear_select([ + msg4537, + msg4538, +]); + +var msg4539 = msg("2320", dup222); + +var msg4540 = msg("2320:01", dup223); + +var select2208 = linear_select([ + msg4539, + msg4540, +]); + +var msg4541 = msg("2321", dup265); + +var msg4542 = msg("2321:01", dup266); + +var select2209 = linear_select([ + msg4541, + msg4542, +]); + +var msg4543 = msg("2322", dup265); + +var msg4544 = msg("2322:01", dup266); + +var select2210 = linear_select([ + msg4543, + msg4544, +]); + +var msg4545 = msg("2323", dup265); + +var msg4546 = msg("2323:01", dup266); + +var select2211 = linear_select([ + msg4545, + msg4546, +]); + +var msg4547 = msg("2324", dup265); + +var msg4548 = msg("2324:01", dup266); + +var select2212 = linear_select([ + msg4547, + msg4548, +]); + +var msg4549 = msg("2325", dup265); + +var msg4550 = msg("2325:01", dup266); + +var select2213 = linear_select([ + msg4549, + msg4550, +]); + +var msg4551 = msg("2326", dup265); + +var msg4552 = msg("2326:01", dup266); + +var select2214 = linear_select([ + msg4551, + msg4552, +]); + +var msg4553 = msg("2327", dup265); + +var msg4554 = msg("2327:01", dup266); + +var select2215 = linear_select([ + msg4553, + msg4554, +]); + +var msg4555 = msg("2328", dup265); + +var msg4556 = msg("2328:01", dup266); + +var select2216 = linear_select([ + msg4555, + msg4556, +]); + +var msg4557 = msg("2329", dup260); + +var msg4558 = msg("2329:01", dup261); + +var select2217 = linear_select([ + msg4557, + msg4558, +]); + +var msg4559 = msg("2330", dup222); + +var msg4560 = msg("2330:01", dup223); + +var select2218 = linear_select([ + msg4559, + msg4560, +]); + +var msg4561 = msg("2331", dup265); + +var msg4562 = msg("2331:01", dup266); + +var select2219 = linear_select([ + msg4561, + msg4562, +]); + +var msg4563 = msg("2332", dup227); + +var msg4564 = msg("2332:01", dup228); + +var select2220 = linear_select([ + msg4563, + msg4564, +]); + +var msg4565 = msg("2333", dup227); + +var msg4566 = msg("2333:01", dup228); + +var select2221 = linear_select([ + msg4565, + msg4566, +]); + +var msg4567 = msg("2334", dup227); + +var msg4568 = msg("2334:01", dup228); + +var select2222 = linear_select([ + msg4567, + msg4568, +]); + +var msg4569 = msg("2335", dup227); + +var msg4570 = msg("2335:01", dup228); + +var select2223 = linear_select([ + msg4569, + msg4570, +]); + +var msg4571 = msg("2336", dup274); + +var msg4572 = msg("2336:01", dup275); + +var select2224 = linear_select([ + msg4571, + msg4572, +]); + +var msg4573 = msg("2337", dup295); + +var msg4574 = msg("2337:01", dup296); + +var select2225 = linear_select([ + msg4573, + msg4574, +]); + +var msg4575 = msg("2338", dup222); + +var msg4576 = msg("2338:01", dup223); + +var select2226 = linear_select([ + msg4575, + msg4576, +]); + +var msg4577 = msg("2339", dup274); + +var msg4578 = msg("2339:01", dup275); + +var select2227 = linear_select([ + msg4577, + msg4578, +]); + +var msg4579 = msg("2340", dup222); + +var msg4580 = msg("2340:01", dup223); + +var select2228 = linear_select([ + msg4579, + msg4580, +]); + +var msg4581 = msg("2341", dup265); + +var msg4582 = msg("2341:01", dup266); + +var select2229 = linear_select([ + msg4581, + msg4582, +]); + +var msg4583 = msg("2342", dup265); + +var msg4584 = msg("2342:01", dup266); + +var select2230 = linear_select([ + msg4583, + msg4584, +]); + +var msg4585 = msg("2343", dup222); + +var msg4586 = msg("2343:01", dup223); + +var select2231 = linear_select([ + msg4585, + msg4586, +]); + +var msg4587 = msg("2344", dup222); + +var msg4588 = msg("2344:01", dup223); + +var select2232 = linear_select([ + msg4587, + msg4588, +]); + +var msg4589 = msg("2345", dup265); + +var msg4590 = msg("2345:01", dup266); + +var select2233 = linear_select([ + msg4589, + msg4590, +]); + +var msg4591 = msg("2346", dup265); + +var msg4592 = msg("2346:01", dup266); + +var select2234 = linear_select([ + msg4591, + msg4592, +]); + +var msg4593 = msg("2347", dup265); + +var msg4594 = msg("2347:01", dup266); + +var select2235 = linear_select([ + msg4593, + msg4594, +]); + +var msg4595 = msg("2348", dup276); + +var msg4596 = msg("2348:01", dup277); + +var select2236 = linear_select([ + msg4595, + msg4596, +]); + +var msg4597 = msg("2349", dup276); + +var msg4598 = msg("2349:01", dup277); + +var select2237 = linear_select([ + msg4597, + msg4598, +]); + +var msg4599 = msg("2350", dup276); + +var msg4600 = msg("2350:01", dup277); + +var select2238 = linear_select([ + msg4599, + msg4600, +]); + +var msg4601 = msg("2351", dup276); + +var msg4602 = msg("2351:01", dup277); + +var select2239 = linear_select([ + msg4601, + msg4602, +]); + +var msg4603 = msg("2352", dup276); + +var msg4604 = msg("2352:01", dup277); + +var select2240 = linear_select([ + msg4603, + msg4604, +]); + +var msg4605 = msg("2353", dup196); + +var msg4606 = msg("2353:01", dup217); + +var select2241 = linear_select([ + msg4605, + msg4606, +]); + +var msg4607 = msg("2354", dup196); + +var msg4608 = msg("2354:01", dup217); + +var select2242 = linear_select([ + msg4607, + msg4608, +]); + +var msg4609 = msg("2355", dup196); + +var msg4610 = msg("2355:01", dup217); + +var select2243 = linear_select([ + msg4609, + msg4610, +]); + +var msg4611 = msg("2356", dup196); + +var msg4612 = msg("2356:01", dup217); + +var select2244 = linear_select([ + msg4611, + msg4612, +]); + +var msg4613 = msg("2357", dup196); + +var msg4614 = msg("2357:01", dup217); + +var select2245 = linear_select([ + msg4613, + msg4614, +]); + +var msg4615 = msg("2358", dup196); + +var msg4616 = msg("2358:01", dup217); + +var select2246 = linear_select([ + msg4615, + msg4616, +]); + +var msg4617 = msg("2359", dup196); + +var msg4618 = msg("2359:01", dup217); + +var select2247 = linear_select([ + msg4617, + msg4618, +]); + +var msg4619 = msg("2360", dup196); + +var msg4620 = msg("2360:01", dup217); + +var select2248 = linear_select([ + msg4619, + msg4620, +]); + +var msg4621 = msg("2361", dup196); + +var msg4622 = msg("2361:01", dup217); + +var select2249 = linear_select([ + msg4621, + msg4622, +]); + +var msg4623 = msg("2362", dup196); + +var msg4624 = msg("2362:01", dup217); + +var select2250 = linear_select([ + msg4623, + msg4624, +]); + +var msg4625 = msg("2363", dup265); + +var msg4626 = msg("2363:01", dup266); + +var select2251 = linear_select([ + msg4625, + msg4626, +]); + +var msg4627 = msg("2364", dup265); + +var msg4628 = msg("2364:01", dup266); + +var select2252 = linear_select([ + msg4627, + msg4628, +]); + +var msg4629 = msg("2365", dup265); + +var msg4630 = msg("2365:01", dup266); + +var select2253 = linear_select([ + msg4629, + msg4630, +]); + +var msg4631 = msg("2366", dup265); + +var msg4632 = msg("2366:01", dup266); + +var select2254 = linear_select([ + msg4631, + msg4632, +]); + +var msg4633 = msg("2367", dup265); + +var msg4634 = msg("2367:01", dup266); + +var select2255 = linear_select([ + msg4633, + msg4634, +]); + +var msg4635 = msg("2368", dup265); + +var msg4636 = msg("2368:01", dup266); + +var select2256 = linear_select([ + msg4635, + msg4636, +]); + +var msg4637 = msg("2369", dup265); + +var msg4638 = msg("2369:01", dup266); + +var select2257 = linear_select([ + msg4637, + msg4638, +]); + +var msg4639 = msg("2370", dup265); + +var msg4640 = msg("2370:01", dup266); + +var select2258 = linear_select([ + msg4639, + msg4640, +]); + +var msg4641 = msg("2371", dup265); + +var msg4642 = msg("2371:01", dup266); + +var select2259 = linear_select([ + msg4641, + msg4642, +]); + +var msg4643 = msg("2372", dup265); + +var msg4644 = msg("2372:01", dup266); + +var select2260 = linear_select([ + msg4643, + msg4644, +]); + +var msg4645 = msg("2373", dup222); + +var msg4646 = msg("2373:01", dup266); + +var select2261 = linear_select([ + msg4645, + msg4646, +]); + +var msg4647 = msg("2374", dup222); + +var msg4648 = msg("2374:01", dup266); + +var select2262 = linear_select([ + msg4647, + msg4648, +]); + +var msg4649 = msg("2375", dup192); + +var msg4650 = msg("2375:01", dup266); + +var select2263 = linear_select([ + msg4649, + msg4650, +]); + +var msg4651 = msg("2376", dup222); + +var msg4652 = msg("2376:01", dup266); + +var select2264 = linear_select([ + msg4651, + msg4652, +]); + +var msg4653 = msg("2377", dup222); + +var msg4654 = msg("2377:01", dup217); + +var select2265 = linear_select([ + msg4653, + msg4654, +]); + +var msg4655 = msg("2378", dup222); + +var msg4656 = msg("2378:01", dup266); + +var select2266 = linear_select([ + msg4655, + msg4656, +]); + +var msg4657 = msg("2379", dup222); + +var msg4658 = msg("2379:01", dup266); + +var select2267 = linear_select([ + msg4657, + msg4658, +]); + +var msg4659 = msg("2380", dup222); + +var msg4660 = msg("2380:01", dup217); + +var select2268 = linear_select([ + msg4659, + msg4660, +]); + +var msg4661 = msg("2381", dup267); + +var msg4662 = msg("2381:01", dup268); + +var select2269 = linear_select([ + msg4661, + msg4662, +]); + +var msg4663 = msg("2382", dup276); + +var msg4664 = msg("2382:01", dup266); + +var select2270 = linear_select([ + msg4663, + msg4664, +]); + +var msg4665 = msg("2383", dup276); + +var msg4666 = msg("2383:01", dup266); + +var select2271 = linear_select([ + msg4665, + msg4666, +]); + +var msg4667 = msg("2384", dup276); + +var msg4668 = msg("2384:01", dup266); + +var select2272 = linear_select([ + msg4667, + msg4668, +]); + +var msg4669 = msg("2385", dup276); + +var msg4670 = msg("2385:01", dup266); + +var select2273 = linear_select([ + msg4669, + msg4670, +]); + +var msg4671 = msg("2386", dup194); + +var msg4672 = msg("2386:01", dup266); + +var select2274 = linear_select([ + msg4671, + msg4672, +]); + +var msg4673 = msg("2387", dup265); + +var msg4674 = msg("2387:01", dup266); + +var select2275 = linear_select([ + msg4673, + msg4674, +]); + +var msg4675 = msg("2388", dup265); + +var msg4676 = msg("2388:01", dup266); + +var select2276 = linear_select([ + msg4675, + msg4676, +]); + +var msg4677 = msg("2389", dup222); + +var msg4678 = msg("2389:01", dup266); + +var select2277 = linear_select([ + msg4677, + msg4678, +]); + +var msg4679 = msg("2390", dup222); + +var msg4680 = msg("2390:01", dup266); + +var select2278 = linear_select([ + msg4679, + msg4680, +]); + +var msg4681 = msg("2391", dup222); + +var msg4682 = msg("2391:01", dup266); + +var select2279 = linear_select([ + msg4681, + msg4682, +]); + +var msg4683 = msg("2392", dup222); + +var msg4684 = msg("2392:01", dup266); + +var select2280 = linear_select([ + msg4683, + msg4684, +]); + +var msg4685 = msg("2393", dup265); + +var msg4686 = msg("2393:01", dup266); + +var select2281 = linear_select([ + msg4685, + msg4686, +]); + +var msg4687 = msg("2394", dup198); + +var msg4688 = msg("2394:01", dup266); + +var select2282 = linear_select([ + msg4687, + msg4688, +]); + +var msg4689 = msg("2395", dup265); + +var msg4690 = msg("2395:01", dup266); + +var select2283 = linear_select([ + msg4689, + msg4690, +]); + +var msg4691 = msg("2396", dup269); + +var msg4692 = msg("2396:01", dup266); + +var select2284 = linear_select([ + msg4691, + msg4692, +]); + +var msg4693 = msg("2397", dup265); + +var msg4694 = msg("2397:01", dup266); + +var select2285 = linear_select([ + msg4693, + msg4694, +]); + +var msg4695 = msg("2398", dup265); + +var msg4696 = msg("2398:01", dup266); + +var select2286 = linear_select([ + msg4695, + msg4696, +]); + +var msg4697 = msg("2399", dup265); + +var msg4698 = msg("2399:01", dup300); + +var select2287 = linear_select([ + msg4697, + msg4698, +]); + +var msg4699 = msg("2400", dup265); + +var msg4700 = msg("2400:01", dup266); + +var select2288 = linear_select([ + msg4699, + msg4700, +]); + +var msg4701 = msg("2401", dup276); + +var msg4702 = msg("2401:01", dup266); + +var select2289 = linear_select([ + msg4701, + msg4702, +]); + +var msg4703 = msg("2402", dup276); + +var msg4704 = msg("2402:01", dup277); + +var select2290 = linear_select([ + msg4703, + msg4704, +]); + +var msg4705 = msg("2403", dup276); + +var msg4706 = msg("2403:01", dup266); + +var select2291 = linear_select([ + msg4705, + msg4706, +]); + +var msg4707 = msg("2404", dup276); + +var msg4708 = msg("2404:01", dup266); + +var select2292 = linear_select([ + msg4707, + msg4708, +]); + +var msg4709 = msg("2405", dup265); + +var msg4710 = msg("2405:01", dup266); + +var select2293 = linear_select([ + msg4709, + msg4710, +]); + +var msg4711 = msg("2406", dup248); + +var msg4712 = msg("2406:01", dup266); + +var select2294 = linear_select([ + msg4711, + msg4712, +]); + +var msg4713 = msg("2407", dup265); + +var msg4714 = msg("2407:01", dup266); + +var select2295 = linear_select([ + msg4713, + msg4714, +]); + +var msg4715 = msg("2408", dup265); + +var msg4716 = msg("2408:01", dup266); + +var select2296 = linear_select([ + msg4715, + msg4716, +]); + +var msg4717 = msg("2409", dup222); + +var msg4718 = msg("2409:01", dup268); + +var select2297 = linear_select([ + msg4717, + msg4718, +]); + +var msg4719 = msg("2410", dup265); + +var msg4720 = msg("2410:01", dup229); + +var select2298 = linear_select([ + msg4719, + msg4720, +]); + +var msg4721 = msg("2411", dup267); + +var msg4722 = msg("2411:01", dup266); + +var select2299 = linear_select([ + msg4721, + msg4722, +]); + +var msg4723 = msg("2412", dup287); + +var msg4724 = msg("2412:01", dup266); + +var select2300 = linear_select([ + msg4723, + msg4724, +]); + +var msg4725 = msg("2413", dup196); + +var msg4726 = msg("2413:01", dup266); + +var select2301 = linear_select([ + msg4725, + msg4726, +]); + +var msg4727 = msg("2414", dup196); + +var msg4728 = msg("2414:01", dup266); + +var select2302 = linear_select([ + msg4727, + msg4728, +]); + +var msg4729 = msg("2415", dup196); + +var msg4730 = msg("2415:01", dup266); + +var select2303 = linear_select([ + msg4729, + msg4730, +]); + +var msg4731 = msg("2416", dup227); + +var msg4732 = msg("2416:01", dup266); + +var select2304 = linear_select([ + msg4731, + msg4732, +]); + +var msg4733 = msg("2417", dup227); + +var msg4734 = msg("2417:01", dup266); + +var select2305 = linear_select([ + msg4733, + msg4734, +]); + +var msg4735 = msg("2418", dup196); + +var msg4736 = msg("2418:01", dup266); + +var select2306 = linear_select([ + msg4735, + msg4736, +]); + +var msg4737 = msg("2419", dup196); + +var msg4738 = msg("2419:01", dup266); + +var select2307 = linear_select([ + msg4737, + msg4738, +]); + +var msg4739 = msg("2420", dup196); + +var msg4740 = msg("2420:01", dup266); + +var select2308 = linear_select([ + msg4739, + msg4740, +]); + +var msg4741 = msg("2421", dup196); + +var msg4742 = msg("2421:01", dup270); + +var select2309 = linear_select([ + msg4741, + msg4742, +]); + +var msg4743 = msg("2422", dup196); + +var msg4744 = msg("2422:01", dup266); + +var select2310 = linear_select([ + msg4743, + msg4744, +]); + +var msg4745 = msg("2423", dup196); + +var msg4746 = msg("2423:01", dup217); + +var select2311 = linear_select([ + msg4745, + msg4746, +]); + +var msg4747 = msg("2424", dup222); + +var msg4748 = msg("2424:01", dup223); + +var select2312 = linear_select([ + msg4747, + msg4748, +]); + +var msg4749 = msg("2425", dup222); + +var msg4750 = msg("2425:01", dup223); + +var select2313 = linear_select([ + msg4749, + msg4750, +]); + +var msg4751 = msg("2426", dup222); + +var msg4752 = msg("2426:01", dup266); + +var select2314 = linear_select([ + msg4751, + msg4752, +]); + +var msg4753 = msg("2427", dup222); + +var msg4754 = msg("2427:01", dup266); + +var select2315 = linear_select([ + msg4753, + msg4754, +]); + +var msg4755 = msg("2428", dup222); + +var msg4756 = msg("2428:01", dup266); + +var select2316 = linear_select([ + msg4755, + msg4756, +]); + +var msg4757 = msg("2429", dup222); + +var msg4758 = msg("2429:01", dup266); + +var select2317 = linear_select([ + msg4757, + msg4758, +]); + +var msg4759 = msg("2430", dup222); + +var msg4760 = msg("2430:01", dup266); + +var select2318 = linear_select([ + msg4759, + msg4760, +]); + +var msg4761 = msg("2431", dup222); + +var msg4762 = msg("2431:01", dup266); + +var select2319 = linear_select([ + msg4761, + msg4762, +]); + +var all45 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + setc("eventcategory","1001030303"), + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg4763 = msg("2432", all45); + +var msg4764 = msg("2432:01", dup266); + +var select2320 = linear_select([ + msg4763, + msg4764, +]); + +var msg4765 = msg("2433", dup267); + +var msg4766 = msg("2433:01", dup266); + +var select2321 = linear_select([ + msg4765, + msg4766, +]); + +var msg4767 = msg("2434", dup265); + +var msg4768 = msg("2434:01", dup266); + +var select2322 = linear_select([ + msg4767, + msg4768, +]); + +var msg4769 = msg("2435", dup265); + +var msg4770 = msg("2435:01", dup266); + +var select2323 = linear_select([ + msg4769, + msg4770, +]); + +var msg4771 = msg("2436", dup265); + +var msg4772 = msg("2436:01", dup266); + +var select2324 = linear_select([ + msg4771, + msg4772, +]); + +var msg4773 = msg("2437", dup265); + +var msg4774 = msg("2437:01", dup266); + +var select2325 = linear_select([ + msg4773, + msg4774, +]); + +var msg4775 = msg("2438", dup267); + +var msg4776 = msg("2438:01", dup266); + +var select2326 = linear_select([ + msg4775, + msg4776, +]); + +var msg4777 = msg("2439", dup267); + +var msg4778 = msg("2439:01", dup266); + +var select2327 = linear_select([ + msg4777, + msg4778, +]); + +var msg4779 = msg("2440", dup267); + +var msg4780 = msg("2440:01", dup266); + +var select2328 = linear_select([ + msg4779, + msg4780, +]); + +var msg4781 = msg("2441", dup285); + +var msg4782 = msg("2441:01", dup266); + +var select2329 = linear_select([ + msg4781, + msg4782, +]); + +var msg4783 = msg("2442", dup267); + +var msg4784 = msg("2442:01", dup266); + +var select2330 = linear_select([ + msg4783, + msg4784, +]); + +var msg4785 = msg("2443", dup222); + +var msg4786 = msg("2443:01", dup266); + +var select2331 = linear_select([ + msg4785, + msg4786, +]); + +var msg4787 = msg("2444", dup222); + +var msg4788 = msg("2444:01", dup266); + +var select2332 = linear_select([ + msg4787, + msg4788, +]); + +var msg4789 = msg("2445", dup222); + +var msg4790 = msg("2445:01", dup266); + +var select2333 = linear_select([ + msg4789, + msg4790, +]); + +var msg4791 = msg("2446", dup222); + +var msg4792 = msg("2446:01", dup223); + +var select2334 = linear_select([ + msg4791, + msg4792, +]); + +var msg4793 = msg("2447", dup265); + +var msg4794 = msg("2447:01", dup266); + +var select2335 = linear_select([ + msg4793, + msg4794, +]); + +var msg4795 = msg("2448", dup265); + +var msg4796 = msg("2448:01", dup266); + +var select2336 = linear_select([ + msg4795, + msg4796, +]); + +var msg4797 = msg("2449", dup222); + +var msg4798 = msg("2449:01", dup266); + +var select2337 = linear_select([ + msg4797, + msg4798, +]); + +var msg4799 = msg("2450", dup301); + +var msg4800 = msg("2450:01", dup266); + +var select2338 = linear_select([ + msg4799, + msg4800, +]); + +var msg4801 = msg("2451", dup196); + +var msg4802 = msg("2451:01", dup266); + +var select2339 = linear_select([ + msg4801, + msg4802, +]); + +var msg4803 = msg("2452", dup196); + +var msg4804 = msg("2452:01", dup266); + +var select2340 = linear_select([ + msg4803, + msg4804, +]); + +var msg4805 = msg("2453", dup196); + +var msg4806 = msg("2453:01", dup266); + +var select2341 = linear_select([ + msg4805, + msg4806, +]); + +var msg4807 = msg("2454", dup301); + +var msg4808 = msg("2454:01", dup266); + +var select2342 = linear_select([ + msg4807, + msg4808, +]); + +var msg4809 = msg("2455", dup196); + +var msg4810 = msg("2455:01", dup266); + +var select2343 = linear_select([ + msg4809, + msg4810, +]); + +var msg4811 = msg("2456", dup196); + +var msg4812 = msg("2456:01", dup217); + +var select2344 = linear_select([ + msg4811, + msg4812, +]); + +var msg4813 = msg("2457", dup196); + +var msg4814 = msg("2457:01", dup217); + +var select2345 = linear_select([ + msg4813, + msg4814, +]); + +var msg4815 = msg("2458", dup196); + +var msg4816 = msg("2458:01", dup217); + +var select2346 = linear_select([ + msg4815, + msg4816, +]); + +var msg4817 = msg("2459", dup196); + +var msg4818 = msg("2459:01", dup266); + +var select2347 = linear_select([ + msg4817, + msg4818, +]); + +var msg4819 = msg("2460", dup196); + +var msg4820 = msg("2460:01", dup270); + +var select2348 = linear_select([ + msg4819, + msg4820, +]); + +var msg4821 = msg("2461", dup196); + +var msg4822 = msg("2461:01", dup241); + +var select2349 = linear_select([ + msg4821, + msg4822, +]); + +var msg4823 = msg("2462", dup222); + +var msg4824 = msg("2462:01", dup266); + +var select2350 = linear_select([ + msg4823, + msg4824, +]); + +var msg4825 = msg("2463", dup222); + +var msg4826 = msg("2463:01", dup266); + +var select2351 = linear_select([ + msg4825, + msg4826, +]); + +var msg4827 = msg("2464", dup222); + +var msg4828 = msg("2464:01", dup266); + +var select2352 = linear_select([ + msg4827, + msg4828, +]); + +var msg4829 = msg("2465", dup246); + +var msg4830 = msg("2465:01", dup266); + +var select2353 = linear_select([ + msg4829, + msg4830, +]); + +var msg4831 = msg("2466", dup246); + +var msg4832 = msg("2466:01", dup286); + +var select2354 = linear_select([ + msg4831, + msg4832, +]); + +var msg4833 = msg("2467", dup246); + +var msg4834 = msg("2467:01", dup247); + +var select2355 = linear_select([ + msg4833, + msg4834, +]); + +var msg4835 = msg("2468", dup246); + +var msg4836 = msg("2468:01", dup247); + +var select2356 = linear_select([ + msg4835, + msg4836, +]); + +var msg4837 = msg("2469", dup246); + +var msg4838 = msg("2469:01", dup247); + +var select2357 = linear_select([ + msg4837, + msg4838, +]); + +var msg4839 = msg("2470", dup246); + +var msg4840 = msg("2470:01", dup247); + +var select2358 = linear_select([ + msg4839, + msg4840, +]); + +var msg4841 = msg("2471", dup246); + +var msg4842 = msg("2471:01", dup247); + +var select2359 = linear_select([ + msg4841, + msg4842, +]); + +var msg4843 = msg("2472", dup246); + +var msg4844 = msg("2472:01", dup247); + +var select2360 = linear_select([ + msg4843, + msg4844, +]); + +var msg4845 = msg("2473", dup246); + +var msg4846 = msg("2473:01", dup247); + +var select2361 = linear_select([ + msg4845, + msg4846, +]); + +var msg4847 = msg("2474", dup246); + +var msg4848 = msg("2474:01", dup247); + +var select2362 = linear_select([ + msg4847, + msg4848, +]); + +var msg4849 = msg("2475", dup246); + +var msg4850 = msg("2475:01", dup247); + +var select2363 = linear_select([ + msg4849, + msg4850, +]); + +var msg4851 = msg("2476", dup276); + +var msg4852 = msg("2476:01", dup277); + +var select2364 = linear_select([ + msg4851, + msg4852, +]); + +var msg4853 = msg("2477", dup276); + +var msg4854 = msg("2477:01", dup277); + +var select2365 = linear_select([ + msg4853, + msg4854, +]); + +var msg4855 = msg("2478", dup276); + +var msg4856 = msg("2478:01", dup277); + +var select2366 = linear_select([ + msg4855, + msg4856, +]); + +var msg4857 = msg("2479", dup276); + +var msg4858 = msg("2479:01", dup277); + +var select2367 = linear_select([ + msg4857, + msg4858, +]); + +var msg4859 = msg("2480", dup276); + +var msg4860 = msg("2480:01", dup277); + +var select2368 = linear_select([ + msg4859, + msg4860, +]); + +var msg4861 = msg("2481", dup276); + +var msg4862 = msg("2481:01", dup277); + +var select2369 = linear_select([ + msg4861, + msg4862, +]); + +var msg4863 = msg("2482", dup276); + +var msg4864 = msg("2482:01", dup277); + +var select2370 = linear_select([ + msg4863, + msg4864, +]); + +var msg4865 = msg("2483", dup276); + +var msg4866 = msg("2483:01", dup277); + +var select2371 = linear_select([ + msg4865, + msg4866, +]); + +var msg4867 = msg("2484", dup265); + +var msg4868 = msg("2484:01", dup266); + +var select2372 = linear_select([ + msg4867, + msg4868, +]); + +var msg4869 = msg("2485", dup194); + +var msg4870 = msg("2485:01", dup229); + +var select2373 = linear_select([ + msg4869, + msg4870, +]); + +var msg4871 = msg("2486", dup198); + +var msg4872 = msg("2486:01", dup220); + +var select2374 = linear_select([ + msg4871, + msg4872, +]); + +var msg4873 = msg("2487", dup297); + +var msg4874 = msg("2487:01", dup300); + +var select2375 = linear_select([ + msg4873, + msg4874, +]); + +var msg4875 = msg("2488", dup197); + +var msg4876 = msg("2488:01", dup221); + +var select2376 = linear_select([ + msg4875, + msg4876, +]); + +var msg4877 = msg("2489", dup222); + +var msg4878 = msg("2489:01", dup223); + +var select2377 = linear_select([ + msg4877, + msg4878, +]); + +var msg4879 = msg("2490", dup222); + +var msg4880 = msg("2490:01", dup223); + +var select2378 = linear_select([ + msg4879, + msg4880, +]); + +var msg4881 = msg("2491", dup276); + +var msg4882 = msg("2491:01", dup277); + +var select2379 = linear_select([ + msg4881, + msg4882, +]); + +var msg4883 = msg("2492", dup276); + +var msg4884 = msg("2492:01", dup277); + +var select2380 = linear_select([ + msg4883, + msg4884, +]); + +var msg4885 = msg("2493", dup276); + +var msg4886 = msg("2493:01", dup277); + +var select2381 = linear_select([ + msg4885, + msg4886, +]); + +var msg4887 = msg("2494", dup276); + +var msg4888 = msg("2494:01", dup277); + +var select2382 = linear_select([ + msg4887, + msg4888, +]); + +var msg4889 = msg("2495", dup276); + +var msg4890 = msg("2495:01", dup277); + +var select2383 = linear_select([ + msg4889, + msg4890, +]); + +var msg4891 = msg("2496", dup276); + +var msg4892 = msg("2496:01", dup277); + +var select2384 = linear_select([ + msg4891, + msg4892, +]); + +var msg4893 = msg("2497", dup196); + +var msg4894 = msg("2497:01", dup217); + +var select2385 = linear_select([ + msg4893, + msg4894, +]); + +var msg4895 = msg("2498", dup196); + +var msg4896 = msg("2498:01", dup217); + +var select2386 = linear_select([ + msg4895, + msg4896, +]); + +var msg4897 = msg("2499", dup196); + +var msg4898 = msg("2499:01", dup217); + +var select2387 = linear_select([ + msg4897, + msg4898, +]); + +var msg4899 = msg("2500", dup298); + +var msg4900 = msg("2500:01", dup299); + +var select2388 = linear_select([ + msg4899, + msg4900, +]); + +var msg4901 = msg("2501", dup298); + +var msg4902 = msg("2501:01", dup299); + +var select2389 = linear_select([ + msg4901, + msg4902, +]); + +var msg4903 = msg("2502", dup298); + +var msg4904 = msg("2502:01", dup299); + +var select2390 = linear_select([ + msg4903, + msg4904, +]); + +var msg4905 = msg("2503", dup250); + +var msg4906 = msg("2503:01", dup251); + +var select2391 = linear_select([ + msg4905, + msg4906, +]); + +var msg4907 = msg("2504", dup250); + +var msg4908 = msg("2504:01", dup251); + +var select2392 = linear_select([ + msg4907, + msg4908, +]); + +var msg4909 = msg("2505", dup265); + +var msg4910 = msg("2505:01", dup266); + +var select2393 = linear_select([ + msg4909, + msg4910, +]); + +var msg4911 = msg("2506", dup265); + +var msg4912 = msg("2506:01", dup266); + +var select2394 = linear_select([ + msg4911, + msg4912, +]); + +var msg4913 = msg("2507", dup276); + +var msg4914 = msg("2507:01", dup277); + +var select2395 = linear_select([ + msg4913, + msg4914, +]); + +var msg4915 = msg("2508", dup276); + +var msg4916 = msg("2508:01", dup277); + +var select2396 = linear_select([ + msg4915, + msg4916, +]); + +var msg4917 = msg("2509", dup276); + +var msg4918 = msg("2509:01", dup277); + +var select2397 = linear_select([ + msg4917, + msg4918, +]); + +var msg4919 = msg("2510", dup276); + +var msg4920 = msg("2510:01", dup277); + +var select2398 = linear_select([ + msg4919, + msg4920, +]); + +var msg4921 = msg("2511", dup276); + +var msg4922 = msg("2511:01", dup277); + +var select2399 = linear_select([ + msg4921, + msg4922, +]); + +var msg4923 = msg("2512", dup276); + +var msg4924 = msg("2512:01", dup277); + +var select2400 = linear_select([ + msg4923, + msg4924, +]); + +var msg4925 = msg("2513", dup276); + +var msg4926 = msg("2513:01", dup277); + +var select2401 = linear_select([ + msg4925, + msg4926, +]); + +var msg4927 = msg("2514", dup276); + +var msg4928 = msg("2514:01", dup277); + +var select2402 = linear_select([ + msg4927, + msg4928, +]); + +var msg4929 = msg("2515", dup267); + +var msg4930 = msg("2515:01", dup268); + +var select2403 = linear_select([ + msg4929, + msg4930, +]); + +var msg4931 = msg("2516", dup222); + +var msg4932 = msg("2516:01", dup223); + +var select2404 = linear_select([ + msg4931, + msg4932, +]); + +var msg4933 = msg("2517", dup222); + +var msg4934 = msg("2517:01", dup223); + +var select2405 = linear_select([ + msg4933, + msg4934, +]); + +var msg4935 = msg("2518", dup222); + +var msg4936 = msg("2518:01", dup223); + +var select2406 = linear_select([ + msg4935, + msg4936, +]); + +var msg4937 = msg("2519", dup222); + +var msg4938 = msg("2519:01", dup223); + +var select2407 = linear_select([ + msg4937, + msg4938, +]); + +var msg4939 = msg("2520", dup265); + +var msg4940 = msg("2520:01", dup266); + +var select2408 = linear_select([ + msg4939, + msg4940, +]); + +var msg4941 = msg("2521", dup265); + +var msg4942 = msg("2521:01", dup266); + +var select2409 = linear_select([ + msg4941, + msg4942, +]); + +var msg4943 = msg("2522", dup265); + +var msg4944 = msg("2522:01", dup266); + +var select2410 = linear_select([ + msg4943, + msg4944, +]); + +var msg4945 = msg("2523", dup198); + +var msg4946 = msg("2523:01", dup220); + +var select2411 = linear_select([ + msg4945, + msg4946, +]); + +var msg4947 = msg("2524", dup276); + +var msg4948 = msg("2524:01", dup277); + +var select2412 = linear_select([ + msg4947, + msg4948, +]); + +var msg4949 = msg("2525", dup276); + +var msg4950 = msg("2525:01", dup277); + +var select2413 = linear_select([ + msg4949, + msg4950, +]); + +var msg4951 = msg("2526", dup276); + +var msg4952 = msg("2526:01", dup277); + +var select2414 = linear_select([ + msg4951, + msg4952, +]); + +var msg4953 = msg("2527", dup250); + +var msg4954 = msg("2527:01", dup251); + +var select2415 = linear_select([ + msg4953, + msg4954, +]); + +var msg4955 = msg("2528", dup222); + +var msg4956 = msg("2528:01", dup223); + +var select2416 = linear_select([ + msg4955, + msg4956, +]); + +var msg4957 = msg("2529", dup196); + +var msg4958 = msg("2529:01", dup217); + +var select2417 = linear_select([ + msg4957, + msg4958, +]); + +var msg4959 = msg("2530", dup196); + +var msg4960 = msg("2530:01", dup217); + +var select2418 = linear_select([ + msg4959, + msg4960, +]); + +var msg4961 = msg("2531", dup196); + +var msg4962 = msg("2531:01", dup217); + +var select2419 = linear_select([ + msg4961, + msg4962, +]); + +var msg4963 = msg("2532", dup298); + +var msg4964 = msg("2532:01", dup299); + +var select2420 = linear_select([ + msg4963, + msg4964, +]); + +var msg4965 = msg("2533", dup298); + +var msg4966 = msg("2533:01", dup299); + +var select2421 = linear_select([ + msg4965, + msg4966, +]); + +var msg4967 = msg("2534", dup298); + +var msg4968 = msg("2534:01", dup299); + +var select2422 = linear_select([ + msg4967, + msg4968, +]); + +var msg4969 = msg("2535", dup298); + +var msg4970 = msg("2535:01", dup299); + +var select2423 = linear_select([ + msg4969, + msg4970, +]); + +var msg4971 = msg("2536", dup298); + +var msg4972 = msg("2536:01", dup299); + +var select2424 = linear_select([ + msg4971, + msg4972, +]); + +var msg4973 = msg("2537", dup298); + +var msg4974 = msg("2537:01", dup299); + +var select2425 = linear_select([ + msg4973, + msg4974, +]); + +var msg4975 = msg("2538", dup250); + +var msg4976 = msg("2538:01", dup251); + +var select2426 = linear_select([ + msg4975, + msg4976, +]); + +var msg4977 = msg("2539", dup250); + +var msg4978 = msg("2539:01", dup251); + +var select2427 = linear_select([ + msg4977, + msg4978, +]); + +var msg4979 = msg("2540", dup250); + +var msg4980 = msg("2540:01", dup251); + +var select2428 = linear_select([ + msg4979, + msg4980, +]); + +var msg4981 = msg("2541", dup250); + +var msg4982 = msg("2541:01", dup251); + +var select2429 = linear_select([ + msg4981, + msg4982, +]); + +var msg4983 = msg("2542", dup250); + +var msg4984 = msg("2542:01", dup251); + +var select2430 = linear_select([ + msg4983, + msg4984, +]); + +var msg4985 = msg("2543", dup250); + +var msg4986 = msg("2543:01", dup251); + +var select2431 = linear_select([ + msg4985, + msg4986, +]); + +var msg4987 = msg("2544", dup250); + +var msg4988 = msg("2544:01", dup251); + +var select2432 = linear_select([ + msg4987, + msg4988, +]); + +var msg4989 = msg("2545", dup222); + +var msg4990 = msg("2545:01", dup223); + +var select2433 = linear_select([ + msg4989, + msg4990, +]); + +var msg4991 = msg("2546", dup222); + +var msg4992 = msg("2546:01", dup223); + +var select2434 = linear_select([ + msg4991, + msg4992, +]); + +var msg4993 = msg("2547", dup196); + +var msg4994 = msg("2547:01", dup217); + +var select2435 = linear_select([ + msg4993, + msg4994, +]); + +var msg4995 = msg("2548", dup196); + +var msg4996 = msg("2548:01", dup217); + +var select2436 = linear_select([ + msg4995, + msg4996, +]); + +var msg4997 = msg("2549", dup196); + +var msg4998 = msg("2549:01", dup217); + +var select2437 = linear_select([ + msg4997, + msg4998, +]); + +var msg4999 = msg("2550", dup197); + +var msg5000 = msg("2550:01", dup221); + +var select2438 = linear_select([ + msg4999, + msg5000, +]); + +var msg5001 = msg("2551", dup222); + +var msg5002 = msg("2552", dup222); + +var msg5003 = msg("2553", dup222); + +var msg5004 = msg("2554", dup222); + +var msg5005 = msg("2555", dup222); + +var msg5006 = msg("2556", dup222); + +var msg5007 = msg("2557", dup222); + +var msg5008 = msg("2558", dup222); + +var msg5009 = msg("2559", dup222); + +var msg5010 = msg("2560", dup222); + +var msg5011 = msg("2561", dup196); + +var msg5012 = msg("2562", dup265); + +var msg5013 = msg("2563", dup276); + +var msg5014 = msg("2564", dup276); + +var msg5015 = msg("2565", dup265); + +var msg5016 = msg("2566", dup265); + +var msg5017 = msg("2567", dup265); + +var msg5018 = msg("2568", dup265); + +var msg5019 = msg("2569", dup265); + +var msg5020 = msg("2570", dup196); + +var msg5021 = msg("2571", dup265); + +var msg5022 = msg("2572", dup267); + +var msg5023 = msg("2573", dup265); + +var msg5024 = msg("2574", dup227); + +var msg5025 = msg("2575", dup265); + +var msg5026 = msg("2576", dup222); + +var msg5027 = msg("2577", dup265); + +var msg5028 = msg("2578", dup197); + +var msg5029 = msg("2579", dup197); + +var msg5030 = msg("2580", dup265); + +var msg5031 = msg("2581", dup265); + +var msg5032 = msg("2582", dup265); + +var msg5033 = msg("2583", dup222); + +var msg5034 = msg("2584", dup222); + +var msg5035 = msg("2585", dup196); + +var msg5036 = msg("2586", dup196); + +var msg5037 = msg("2587", dup196); + +var msg5038 = msg("2588", dup265); + +var msg5039 = msg("2589", dup265); + +var msg5040 = msg("2590", dup222); + +var msg5041 = msg("2590:01", dup223); + +var select2439 = linear_select([ + msg5040, + msg5041, +]); + +var msg5042 = msg("2591", dup222); + +var msg5043 = msg("2592", dup222); + +var msg5044 = msg("2593", dup222); + +var msg5045 = msg("2594", dup222); + +var msg5046 = msg("2595", dup222); + +var msg5047 = msg("2596", dup222); + +var msg5048 = msg("2597", dup267); + +var msg5049 = msg("2598", dup267); + +var msg5050 = msg("2599", dup222); + +var msg5051 = msg("2600", dup222); + +var msg5052 = msg("2601", dup222); + +var msg5053 = msg("2602", dup222); + +var msg5054 = msg("2603", dup222); + +var msg5055 = msg("2604", dup222); + +var msg5056 = msg("2605", dup222); + +var msg5057 = msg("2606", dup222); + +var msg5058 = msg("2607", dup222); + +var msg5059 = msg("2608", dup222); + +var msg5060 = msg("2609", dup222); + +var msg5061 = msg("2610", dup222); + +var msg5062 = msg("2611", dup222); + +var msg5063 = msg("2612", dup222); + +var msg5064 = msg("2613", dup222); + +var msg5065 = msg("2614", dup222); + +var msg5066 = msg("2615", dup222); + +var msg5067 = msg("2616", dup222); + +var msg5068 = msg("2617", dup222); + +var msg5069 = msg("2618", dup222); + +var msg5070 = msg("2619", dup222); + +var msg5071 = msg("2620", dup222); + +var msg5072 = msg("2621", dup222); + +var msg5073 = msg("2622", dup222); + +var msg5074 = msg("2623", dup222); + +var msg5075 = msg("2624", dup222); + +var msg5076 = msg("2625", dup222); + +var msg5077 = msg("2626", dup222); + +var msg5078 = msg("2627", dup222); + +var msg5079 = msg("2628", dup222); + +var msg5080 = msg("2629", dup222); + +var msg5081 = msg("2630", dup222); + +var msg5082 = msg("2631", dup222); + +var msg5083 = msg("2632", dup222); + +var msg5084 = msg("2633", dup222); + +var msg5085 = msg("2634", dup222); + +var msg5086 = msg("2635", dup222); + +var msg5087 = msg("2636", dup222); + +var msg5088 = msg("2637", dup222); + +var msg5089 = msg("2638", dup222); + +var msg5090 = msg("2639", dup222); + +var msg5091 = msg("2640", dup222); + +var msg5092 = msg("2641", dup222); + +var msg5093 = msg("2642", dup222); + +var msg5094 = msg("2643", dup222); + +var msg5095 = msg("2644", dup222); + +var msg5096 = msg("2645", dup222); + +var msg5097 = msg("2646", dup222); + +var msg5098 = msg("2647", dup222); + +var msg5099 = msg("2648", dup222); + +var msg5100 = msg("2649", dup222); + +var msg5101 = msg("2650", dup222); + +var msg5102 = msg("2651", dup222); + +var msg5103 = msg("2652", dup222); + +var msg5104 = msg("2653", dup222); + +var msg5105 = msg("2654", dup240); + +var msg5106 = msg("2655", dup196); + +var msg5107 = msg("2656", dup267); + +var msg5108 = msg("2657", dup267); + +var msg5109 = msg("2658", dup265); + +var msg5110 = msg("2659", dup265); + +var msg5111 = msg("2660", dup265); + +var msg5112 = msg("2661", dup265); + +var msg5113 = msg("2662", dup265); + +var msg5114 = msg("2663", dup267); + +var msg5115 = msg("2664", dup196); + +var msg5116 = msg("2665", dup196); + +var msg5117 = msg("2666", dup298); + +var msg5118 = msg("2667", dup265); + +var msg5119 = msg("2668", dup265); + +var msg5120 = msg("2669", dup265); + +var msg5121 = msg("2670", dup265); + +var msg5122 = msg("2671", dup267); + +var msg5123 = msg("2672", dup265); + +var msg5124 = msg("2673", dup267); + +var msg5125 = msg("2674", dup222); + +var msg5126 = msg("2675", dup222); + +var msg5127 = msg("2676", dup222); + +var msg5128 = msg("2677", dup222); + +var msg5129 = msg("2678", dup222); + +var msg5130 = msg("2679", dup222); + +var msg5131 = msg("2680", dup222); + +var msg5132 = msg("2681", dup222); + +var msg5133 = msg("2682", dup222); + +var msg5134 = msg("2683", dup222); + +var msg5135 = msg("2684", dup222); + +var msg5136 = msg("2685", dup222); + +var msg5137 = msg("2686", dup222); + +var msg5138 = msg("2687", dup222); + +var msg5139 = msg("2688", dup222); + +var msg5140 = msg("2689", dup222); + +var msg5141 = msg("2690", dup222); + +var msg5142 = msg("2691", dup222); + +var msg5143 = msg("2692", dup222); + +var msg5144 = msg("2693", dup222); + +var msg5145 = msg("2694", dup222); + +var msg5146 = msg("2695", dup222); + +var msg5147 = msg("2696", dup222); + +var msg5148 = msg("2697", dup222); + +var msg5149 = msg("2698", dup222); + +var msg5150 = msg("2699", dup222); + +var msg5151 = msg("2700", dup222); + +var msg5152 = msg("2701", dup260); + +var msg5153 = msg("2702", dup260); + +var msg5154 = msg("2703", dup260); + +var msg5155 = msg("2704", dup260); + +var msg5156 = msg("2705", dup267); + +var msg5157 = msg("2706", dup196); + +var msg5158 = msg("2707", dup197); + +var msg5159 = msg("2708", dup222); + +var msg5160 = msg("2709", dup222); + +var msg5161 = msg("2710", dup222); + +var msg5162 = msg("2711", dup222); + +var msg5163 = msg("2712", dup222); + +var msg5164 = msg("2713", dup222); + +var msg5165 = msg("2714", dup222); + +var msg5166 = msg("2715", dup222); + +var msg5167 = msg("2716", dup222); + +var msg5168 = msg("2717", dup222); + +var msg5169 = msg("2718", dup222); + +var msg5170 = msg("2719", dup222); + +var msg5171 = msg("2720", dup222); + +var msg5172 = msg("2721", dup222); + +var msg5173 = msg("2722", dup222); + +var msg5174 = msg("2723", dup222); + +var msg5175 = msg("2724", dup222); + +var msg5176 = msg("2725", dup222); + +var msg5177 = msg("2726", dup222); + +var msg5178 = msg("2727", dup222); + +var msg5179 = msg("2728", dup222); + +var msg5180 = msg("2729", dup222); + +var msg5181 = msg("2730", dup222); + +var msg5182 = msg("2731", dup222); + +var msg5183 = msg("2732", dup222); + +var msg5184 = msg("2733", dup222); + +var msg5185 = msg("2734", dup222); + +var msg5186 = msg("2735", dup222); + +var msg5187 = msg("2736", dup222); + +var msg5188 = msg("2737", dup222); + +var msg5189 = msg("2738", dup222); + +var msg5190 = msg("2739", dup222); + +var msg5191 = msg("2740", dup222); + +var msg5192 = msg("2741", dup222); + +var msg5193 = msg("2742", dup222); + +var msg5194 = msg("2743", dup222); + +var msg5195 = msg("2744", dup222); + +var msg5196 = msg("2745", dup222); + +var msg5197 = msg("2746", dup222); + +var msg5198 = msg("2747", dup222); + +var msg5199 = msg("2748", dup222); + +var msg5200 = msg("2749", dup222); + +var msg5201 = msg("2750", dup222); + +var msg5202 = msg("2751", dup222); + +var msg5203 = msg("2752", dup222); + +var msg5204 = msg("2753", dup222); + +var msg5205 = msg("2754", dup222); + +var msg5206 = msg("2755", dup222); + +var msg5207 = msg("2756", dup222); + +var msg5208 = msg("2757", dup222); + +var msg5209 = msg("2758", dup222); + +var msg5210 = msg("2759", dup222); + +var msg5211 = msg("2760", dup222); + +var msg5212 = msg("2761", dup222); + +var msg5213 = msg("2762", dup222); + +var msg5214 = msg("2763", dup222); + +var msg5215 = msg("2764", dup222); + +var msg5216 = msg("2765", dup222); + +var msg5217 = msg("2766", dup222); + +var msg5218 = msg("2767", dup222); + +var msg5219 = msg("2768", dup222); + +var msg5220 = msg("2769", dup222); + +var msg5221 = msg("2770", dup222); + +var msg5222 = msg("2771", dup222); + +var msg5223 = msg("2772", dup222); + +var msg5224 = msg("2773", dup222); + +var msg5225 = msg("2774", dup222); + +var msg5226 = msg("2775", dup222); + +var msg5227 = msg("2776", dup222); + +var msg5228 = msg("2777", dup222); + +var msg5229 = msg("2778", dup222); + +var msg5230 = msg("2779", dup222); + +var msg5231 = msg("2780", dup222); + +var msg5232 = msg("2781", dup222); + +var msg5233 = msg("2782", dup222); + +var msg5234 = msg("2783", dup222); + +var msg5235 = msg("2784", dup222); + +var msg5236 = msg("2785", dup222); + +var msg5237 = msg("2786", dup222); + +var msg5238 = msg("2787", dup222); + +var msg5239 = msg("2788", dup222); + +var msg5240 = msg("2789", dup222); + +var msg5241 = msg("2790", dup222); + +var msg5242 = msg("2791", dup222); + +var msg5243 = msg("2792", dup222); + +var msg5244 = msg("2793", dup222); + +var msg5245 = msg("2794", dup222); + +var msg5246 = msg("2795", dup222); + +var msg5247 = msg("2796", dup222); + +var msg5248 = msg("2797", dup222); + +var msg5249 = msg("2798", dup222); + +var msg5250 = msg("2799", dup222); + +var msg5251 = msg("2800", dup222); + +var msg5252 = msg("2801", dup222); + +var msg5253 = msg("2802", dup222); + +var msg5254 = msg("2803", dup222); + +var msg5255 = msg("2804", dup222); + +var msg5256 = msg("2805", dup222); + +var msg5257 = msg("2806", dup222); + +var msg5258 = msg("2807", dup222); + +var msg5259 = msg("2808", dup222); + +var msg5260 = msg("2809", dup222); + +var msg5261 = msg("2810", dup222); + +var msg5262 = msg("2811", dup222); + +var msg5263 = msg("2812", dup222); + +var msg5264 = msg("2813", dup222); + +var msg5265 = msg("2814", dup222); + +var msg5266 = msg("2815", dup222); + +var msg5267 = msg("2816", dup222); + +var msg5268 = msg("2817", dup222); + +var msg5269 = msg("2818", dup222); + +var msg5270 = msg("2819", dup222); + +var msg5271 = msg("2820", dup222); + +var msg5272 = msg("2821", dup222); + +var msg5273 = msg("2822", dup222); + +var msg5274 = msg("2823", dup222); + +var msg5275 = msg("2824", dup222); + +var msg5276 = msg("2825", dup222); + +var msg5277 = msg("2826", dup222); + +var msg5278 = msg("2827", dup222); + +var msg5279 = msg("2828", dup222); + +var msg5280 = msg("2829", dup222); + +var msg5281 = msg("2830", dup222); + +var msg5282 = msg("2831", dup222); + +var msg5283 = msg("2832", dup222); + +var msg5284 = msg("2833", dup222); + +var msg5285 = msg("2834", dup222); + +var msg5286 = msg("2835", dup222); + +var msg5287 = msg("2836", dup222); + +var msg5288 = msg("2837", dup222); + +var msg5289 = msg("2838", dup222); + +var msg5290 = msg("2839", dup222); + +var msg5291 = msg("2840", dup222); + +var msg5292 = msg("2841", dup222); + +var msg5293 = msg("2842", dup222); + +var msg5294 = msg("2843", dup222); + +var msg5295 = msg("2844", dup222); + +var msg5296 = msg("2845", dup222); + +var msg5297 = msg("2846", dup222); + +var msg5298 = msg("2847", dup222); + +var msg5299 = msg("2848", dup222); + +var msg5300 = msg("2849", dup222); + +var msg5301 = msg("2850", dup222); + +var msg5302 = msg("2851", dup222); + +var msg5303 = msg("2852", dup222); + +var msg5304 = msg("2853", dup222); + +var msg5305 = msg("2854", dup222); + +var msg5306 = msg("2855", dup222); + +var msg5307 = msg("2856", dup222); + +var msg5308 = msg("2857", dup222); + +var msg5309 = msg("2858", dup222); + +var msg5310 = msg("2859", dup222); + +var msg5311 = msg("2860", dup222); + +var msg5312 = msg("2861", dup222); + +var msg5313 = msg("2862", dup222); + +var msg5314 = msg("2863", dup222); + +var msg5315 = msg("2864", dup222); + +var msg5316 = msg("2865", dup222); + +var msg5317 = msg("2866", dup222); + +var msg5318 = msg("2867", dup222); + +var msg5319 = msg("2868", dup222); + +var msg5320 = msg("2869", dup222); + +var msg5321 = msg("2870", dup222); + +var msg5322 = msg("2871", dup222); + +var msg5323 = msg("2872", dup222); + +var msg5324 = msg("2873", dup222); + +var msg5325 = msg("2874", dup222); + +var msg5326 = msg("2875", dup222); + +var msg5327 = msg("2876", dup222); + +var msg5328 = msg("2877", dup222); + +var msg5329 = msg("2878", dup222); + +var msg5330 = msg("2879", dup222); + +var msg5331 = msg("2880", dup222); + +var msg5332 = msg("2881", dup222); + +var msg5333 = msg("2882", dup222); + +var msg5334 = msg("2883", dup222); + +var msg5335 = msg("2884", dup222); + +var msg5336 = msg("2885", dup222); + +var msg5337 = msg("2886", dup222); + +var msg5338 = msg("2887", dup222); + +var msg5339 = msg("2888", dup222); + +var msg5340 = msg("2889", dup222); + +var msg5341 = msg("2890", dup222); + +var msg5342 = msg("2891", dup222); + +var msg5343 = msg("2892", dup222); + +var msg5344 = msg("2893", dup222); + +var msg5345 = msg("2894", dup222); + +var msg5346 = msg("2895", dup222); + +var msg5347 = msg("2896", dup222); + +var msg5348 = msg("2897", dup222); + +var msg5349 = msg("2898", dup222); + +var msg5350 = msg("2899", dup222); + +var msg5351 = msg("2900", dup222); + +var msg5352 = msg("2901", dup222); + +var msg5353 = msg("2902", dup222); + +var msg5354 = msg("2903", dup222); + +var msg5355 = msg("2904", dup222); + +var msg5356 = msg("2905", dup222); + +var msg5357 = msg("2906", dup222); + +var msg5358 = msg("2907", dup222); + +var msg5359 = msg("2908", dup222); + +var msg5360 = msg("2909", dup222); + +var msg5361 = msg("2910", dup222); + +var msg5362 = msg("2911", dup222); + +var msg5363 = msg("2912", dup222); + +var msg5364 = msg("2913", dup222); + +var msg5365 = msg("2914", dup222); + +var msg5366 = msg("2915", dup222); + +var msg5367 = msg("2916", dup222); + +var msg5368 = msg("2917", dup222); + +var msg5369 = msg("2918", dup222); + +var msg5370 = msg("2919", dup222); + +var msg5371 = msg("2921", dup244); + +var msg5372 = msg("2922", dup196); + +var msg5373 = msg("2923", dup236); + +var msg5374 = msg("2924", dup236); + +var msg5375 = msg("2925", dup196); + +var msg5376 = msg("2926", dup196); + +var msg5377 = msg("2927", dup222); + +var msg5378 = msg("2928", dup276); + +var msg5379 = msg("2929", dup276); + +var msg5380 = msg("2930", dup276); + +var msg5381 = msg("2931", dup276); + +var msg5382 = msg("2932", dup276); + +var msg5383 = msg("2933", dup276); + +var msg5384 = msg("2934", dup276); + +var msg5385 = msg("2935", dup276); + +var msg5386 = msg("2936", dup276); + +var msg5387 = msg("2937", dup276); + +var msg5388 = msg("2938", dup276); + +var msg5389 = msg("2939", dup276); + +var msg5390 = msg("2940", dup276); + +var msg5391 = msg("2941", dup276); + +var msg5392 = msg("2942", dup276); + +var msg5393 = msg("2943", dup276); + +var msg5394 = msg("2944", dup276); + +var msg5395 = msg("2945", dup276); + +var msg5396 = msg("2946", dup276); + +var msg5397 = msg("2947", dup276); + +var msg5398 = msg("2948", dup276); + +var msg5399 = msg("2949", dup276); + +var msg5400 = msg("2950", dup197); + +var msg5401 = msg("2951", dup197); + +var msg5402 = msg("2952", dup246); + +var msg5403 = msg("2953", dup246); + +var msg5404 = msg("2954", dup246); + +var msg5405 = msg("2955", dup246); + +var msg5406 = msg("2956", dup276); + +var msg5407 = msg("2957", dup276); + +var msg5408 = msg("2958", dup276); + +var msg5409 = msg("2959", dup276); + +var msg5410 = msg("2960", dup276); + +var msg5411 = msg("2961", dup276); + +var msg5412 = msg("2962", dup276); + +var msg5413 = msg("2963", dup276); + +var msg5414 = msg("2964", dup276); + +var msg5415 = msg("2965", dup276); + +var msg5416 = msg("2966", dup276); + +var msg5417 = msg("2967", dup276); + +var msg5418 = msg("2968", dup276); + +var msg5419 = msg("2969", dup276); + +var msg5420 = msg("2970", dup276); + +var msg5421 = msg("2971", dup276); + +var msg5422 = msg("2972", dup246); + +var msg5423 = msg("2973", dup246); + +var msg5424 = msg("2974", dup246); + +var msg5425 = msg("2975", dup246); + +var msg5426 = msg("2976", dup246); + +var msg5427 = msg("2977", dup246); + +var msg5428 = msg("2978", dup246); + +var msg5429 = msg("2979", dup246); + +var msg5430 = msg("2980", dup246); + +var msg5431 = msg("2981", dup246); + +var msg5432 = msg("2982", dup246); + +var msg5433 = msg("2983", dup246); + +var msg5434 = msg("2984", dup276); + +var msg5435 = msg("2985", dup276); + +var msg5436 = msg("2986", dup276); + +var msg5437 = msg("2987", dup276); + +var msg5438 = msg("2988", dup276); + +var msg5439 = msg("2989", dup276); + +var msg5440 = msg("2990", dup276); + +var msg5441 = msg("2991", dup276); + +var msg5442 = msg("2992", dup276); + +var msg5443 = msg("2993", dup276); + +var msg5444 = msg("2994", dup276); + +var msg5445 = msg("2995", dup276); + +var msg5446 = msg("2996", dup276); + +var msg5447 = msg("2997", dup276); + +var msg5448 = msg("2998", dup276); + +var msg5449 = msg("2999", dup276); + +var msg5450 = msg("3000", dup276); + +var msg5451 = msg("3001", dup276); + +var msg5452 = msg("3002", dup276); + +var msg5453 = msg("3003", dup276); + +var msg5454 = msg("3004", dup276); + +var msg5455 = msg("3005", dup276); + +var msg5456 = msg("3006", dup222); + +var msg5457 = msg("3007", dup222); + +var msg5458 = msg("3008", dup222); + +var msg5459 = msg("3009", dup205); + +var msg5460 = msg("3010", dup205); + +var msg5461 = msg("3011", dup205); + +var msg5462 = msg("3012", dup205); + +var msg5463 = msg("3013", dup205); + +var msg5464 = msg("3014", dup205); + +var msg5465 = msg("3015", dup205); + +var msg5466 = msg("3016", dup205); + +var msg5467 = msg("3017", dup222); + +var msg5468 = msg("3018", dup276); + +var msg5469 = msg("3019", dup276); + +var msg5470 = msg("3020", dup276); + +var msg5471 = msg("3021", dup276); + +var msg5472 = msg("3022", dup276); + +var msg5473 = msg("3023", dup276); + +var msg5474 = msg("3024", dup276); + +var msg5475 = msg("3025", dup276); + +var msg5476 = msg("3026", dup276); + +var msg5477 = msg("3027", dup276); + +var msg5478 = msg("3028", dup276); + +var msg5479 = msg("3029", dup276); + +var msg5480 = msg("3030", dup276); + +var msg5481 = msg("3031", dup276); + +var msg5482 = msg("3032", dup276); + +var msg5483 = msg("3033", dup276); + +var msg5484 = msg("3034", dup276); + +var msg5485 = msg("3035", dup276); + +var msg5486 = msg("3036", dup276); + +var msg5487 = msg("3037", dup276); + +var msg5488 = msg("3038", dup276); + +var msg5489 = msg("3039", dup276); + +var msg5490 = msg("3040", dup276); + +var msg5491 = msg("3041", dup276); + +var msg5492 = msg("3042", dup198); + +var msg5493 = msg("3043", dup198); + +var msg5494 = msg("3044", dup198); + +var msg5495 = msg("3045", dup198); + +var msg5496 = msg("3046", dup198); + +var msg5497 = msg("3047", dup198); + +var msg5498 = msg("3048", dup198); + +var msg5499 = msg("3049", dup198); + +var msg5500 = msg("3050", dup198); + +var msg5501 = msg("3051", dup198); + +var msg5502 = msg("3052", dup198); + +var msg5503 = msg("3053", dup198); + +var msg5504 = msg("3054", dup198); + +var msg5505 = msg("3055", dup198); + +var msg5506 = msg("3056", dup198); + +var msg5507 = msg("3057", dup198); + +var msg5508 = msg("3058", dup222); + +var msg5509 = msg("3059", dup265); + +var msg5510 = msg("3060", dup265); + +var msg5511 = msg("3061", dup196); + +var msg5512 = msg("3062", dup265); + +var msg5513 = msg("3063", dup205); + +var msg5514 = msg("3064", dup205); + +var msg5515 = msg("3065", dup222); + +var msg5516 = msg("3066", dup222); + +var msg5517 = msg("3067", dup222); + +var msg5518 = msg("3068", dup222); + +var msg5519 = msg("3069", dup222); + +var msg5520 = msg("3070", dup222); + +var msg5521 = msg("3071", dup222); + +var msg5522 = msg("3072", dup222); + +var msg5523 = msg("3073", dup222); + +var msg5524 = msg("3074", dup222); + +var msg5525 = msg("3075", dup222); + +var msg5526 = msg("3076", dup222); + +var msg5527 = msg("3077", dup222); + +var msg5528 = msg("3078", dup222); + +var msg5529 = msg("3079", dup197); + +var msg5530 = msg("3080", dup222); + +var msg5531 = msg("3081", dup205); + +var msg5532 = msg("3082", dup205); + +var msg5533 = msg("3083", dup205); + +var msg5534 = msg("3084", dup222); + +var msg5535 = msg("3085", dup222); + +var msg5536 = msg("3086", dup302); + +var msg5537 = msg("3087", dup267); + +var msg5538 = msg("3088", dup267); + +var msg5539 = msg("3089", dup198); + +var msg5540 = msg("3090", dup276); + +var msg5541 = msg("3091", dup276); + +var msg5542 = msg("3092", dup276); + +var msg5543 = msg("3093", dup276); + +var msg5544 = msg("3094", dup276); + +var msg5545 = msg("3095", dup276); + +var msg5546 = msg("3096", dup276); + +var msg5547 = msg("3097", dup276); + +var msg5548 = msg("3098", dup276); + +var msg5549 = msg("3099", dup276); + +var msg5550 = msg("3100", dup276); + +var msg5551 = msg("3101", dup276); + +var msg5552 = msg("3102", dup276); + +var msg5553 = msg("3103", dup276); + +var msg5554 = msg("3104", dup276); + +var msg5555 = msg("3105", dup276); + +var msg5556 = msg("3106", dup276); + +var msg5557 = msg("3107", dup276); + +var msg5558 = msg("3108", dup276); + +var msg5559 = msg("3109", dup276); + +var msg5560 = msg("3110", dup276); + +var msg5561 = msg("3111", dup276); + +var msg5562 = msg("3112", dup276); + +var msg5563 = msg("3113", dup276); + +var msg5564 = msg("3114", dup276); + +var msg5565 = msg("3115", dup276); + +var msg5566 = msg("3116", dup276); + +var msg5567 = msg("3117", dup276); + +var msg5568 = msg("3118", dup276); + +var msg5569 = msg("3119", dup276); + +var msg5570 = msg("3120", dup276); + +var msg5571 = msg("3121", dup276); + +var msg5572 = msg("3122", dup276); + +var msg5573 = msg("3123", dup276); + +var msg5574 = msg("3124", dup276); + +var msg5575 = msg("3125", dup276); + +var msg5576 = msg("3126", dup276); + +var msg5577 = msg("3127", dup276); + +var msg5578 = msg("3128", dup276); + +var msg5579 = msg("3129", dup276); + +var msg5580 = msg("3130", dup197); + +var msg5581 = msg("3131", dup265); + +var msg5582 = msg("3132", dup265); + +var msg5583 = msg("3133", dup265); + +var msg5584 = msg("3134", dup265); + +var msg5585 = msg("3135", dup276); + +var msg5586 = msg("3136", dup276); + +var msg5587 = msg("3137", dup276); + +var msg5588 = msg("3138", dup276); + +var msg5589 = msg("3139", dup276); + +var msg5590 = msg("3140", dup276); + +var msg5591 = msg("3141", dup276); + +var msg5592 = msg("3142", dup276); + +var msg5593 = msg("3143", dup276); + +var msg5594 = msg("3144", dup276); + +var msg5595 = msg("3145", dup276); + +var msg5596 = msg("3146", dup276); + +var msg5597 = msg("3147", dup278); + +var msg5598 = msg("3148", dup265); + +var msg5599 = msg("3149", dup267); + +var msg5600 = msg("3150", dup297); + +var msg5601 = msg("3151", dup225); + +var msg5602 = msg("3152", dup236); + +var msg5603 = msg("3153", dup197); + +var msg5604 = msg("3154", dup197); + +var msg5605 = msg("3155", dup205); + +var msg5606 = msg("3156", dup276); + +var msg5607 = msg("3157", dup276); + +var msg5608 = msg("3158", dup276); + +var msg5609 = msg("3159", dup276); + +var msg5610 = msg("3160", dup276); + +var msg5611 = msg("3161", dup276); + +var msg5612 = msg("3162", dup276); + +var msg5613 = msg("3163", dup276); + +var msg5614 = msg("3164", dup276); + +var msg5615 = msg("3165", dup276); + +var msg5616 = msg("3166", dup201); + +var msg5617 = msg("3167", dup276); + +var msg5618 = msg("3168", dup201); + +var msg5619 = msg("3169", dup201); + +var msg5620 = msg("3170", dup201); + +var msg5621 = msg("3171", dup276); + +var msg5622 = msg("3172", dup276); + +var msg5623 = msg("3173", dup276); + +var msg5624 = msg("3174", dup276); + +var msg5625 = msg("3175", dup276); + +var msg5626 = msg("3176", dup276); + +var msg5627 = msg("3177", dup276); + +var msg5628 = msg("3178", dup276); + +var msg5629 = msg("3179", dup276); + +var msg5630 = msg("3180", dup276); + +var msg5631 = msg("3181", dup276); + +var msg5632 = msg("3182", dup276); + +var msg5633 = msg("3183", dup276); + +var msg5634 = msg("3184", dup276); + +var msg5635 = msg("3185", dup276); + +var msg5636 = msg("3186", dup276); + +var msg5637 = msg("3187", dup276); + +var msg5638 = msg("3188", dup276); + +var msg5639 = msg("3189", dup276); + +var msg5640 = msg("3190", dup276); + +var msg5641 = msg("3191", dup276); + +var msg5642 = msg("3192", dup265); + +var msg5643 = msg("3193", dup267); + +var msg5644 = msg("3194", dup267); + +var msg5645 = msg("3195", dup276); + +var msg5646 = msg("3196", dup276); + +var msg5647 = msg("3197", dup276); + +var msg5648 = msg("3198", dup276); + +var msg5649 = msg("3199", dup222); + +var msg5650 = msg("3200", dup222); + +var msg5651 = msg("3201", dup271); + +var msg5652 = msg("3202", dup276); + +var msg5653 = msg("3203", dup276); + +var msg5654 = msg("3204", dup276); + +var msg5655 = msg("3205", dup276); + +var msg5656 = msg("3206", dup276); + +var msg5657 = msg("3207", dup276); + +var msg5658 = msg("3208", dup276); + +var msg5659 = msg("3209", dup276); + +var msg5660 = msg("3210", dup276); + +var msg5661 = msg("3211", dup276); + +var msg5662 = msg("3212", dup276); + +var msg5663 = msg("3213", dup276); + +var msg5664 = msg("3214", dup276); + +var msg5665 = msg("3215", dup276); + +var msg5666 = msg("3216", dup276); + +var msg5667 = msg("3217", dup276); + +var msg5668 = msg("3218", dup276); + +var msg5669 = msg("3219", dup276); + +var msg5670 = msg("3220", dup276); + +var msg5671 = msg("3221", dup276); + +var msg5672 = msg("3222", dup276); + +var msg5673 = msg("3223", dup276); + +var msg5674 = msg("3224", dup276); + +var msg5675 = msg("3225", dup276); + +var msg5676 = msg("3226", dup276); + +var msg5677 = msg("3227", dup276); + +var msg5678 = msg("3228", dup276); + +var msg5679 = msg("3229", dup276); + +var msg5680 = msg("3230", dup276); + +var msg5681 = msg("3231", dup276); + +var msg5682 = msg("3232", dup276); + +var msg5683 = msg("3233", dup276); + +var msg5684 = msg("3234", dup276); + +var msg5685 = msg("3235", dup276); + +var msg5686 = msg("3236", dup276); + +var msg5687 = msg("3237", dup276); + +var msg5688 = msg("3238", dup201); + +var msg5689 = msg("3239", dup201); + +var msg5690 = msg("3240", dup276); + +var msg5691 = msg("3241", dup276); + +var msg5692 = msg("3242", dup276); + +var msg5693 = msg("3243", dup276); + +var msg5694 = msg("3244", dup276); + +var msg5695 = msg("3245", dup276); + +var msg5696 = msg("3246", dup276); + +var msg5697 = msg("3247", dup276); + +var msg5698 = msg("3248", dup276); + +var msg5699 = msg("3249", dup276); + +var msg5700 = msg("3250", dup276); + +var msg5701 = msg("3251", dup276); + +var msg5702 = msg("3252", dup276); + +var msg5703 = msg("3253", dup276); + +var msg5704 = msg("3254", dup276); + +var msg5705 = msg("3255", dup276); + +var msg5706 = msg("3256", dup201); + +var msg5707 = msg("3257", dup201); + +var msg5708 = msg("3258", dup201); + +var msg5709 = msg("3259", dup201); + +var msg5710 = msg("3260", dup201); + +var msg5711 = msg("3261", dup201); + +var msg5712 = msg("3262", dup276); + +var msg5713 = msg("3263", dup276); + +var msg5714 = msg("3264", dup276); + +var msg5715 = msg("3265", dup276); + +var msg5716 = msg("3266", dup276); + +var msg5717 = msg("3267", dup276); + +var msg5718 = msg("3268", dup276); + +var msg5719 = msg("3269", dup276); + +var msg5720 = msg("3270", dup276); + +var msg5721 = msg("3271", dup276); + +var msg5722 = msg("3272", dup205); + +var msg5723 = msg("3273", dup236); + +var msg5724 = msg("3274", dup278); + +var msg5725 = msg("3275", dup276); + +var msg5726 = msg("3276", dup276); + +var msg5727 = msg("3277", dup255); + +var msg5728 = msg("3278", dup255); + +var msg5729 = msg("3279", dup255); + +var msg5730 = msg("3280", dup255); + +var msg5731 = msg("3281", dup255); + +var msg5732 = msg("3282", dup255); + +var msg5733 = msg("3283", dup255); + +var msg5734 = msg("3284", dup255); + +var msg5735 = msg("3285", dup255); + +var msg5736 = msg("3286", dup255); + +var msg5737 = msg("3287", dup255); + +var msg5738 = msg("3288", dup255); + +var msg5739 = msg("3289", dup255); + +var msg5740 = msg("3290", dup255); + +var msg5741 = msg("3291", dup255); + +var msg5742 = msg("3292", dup255); + +var msg5743 = msg("3293", dup255); + +var msg5744 = msg("3294", dup255); + +var msg5745 = msg("3295", dup255); + +var msg5746 = msg("3296", dup255); + +var msg5747 = msg("3297", dup255); + +var msg5748 = msg("3298", dup255); + +var msg5749 = msg("3299", dup255); + +var msg5750 = msg("3300", dup255); + +var msg5751 = msg("3301", dup255); + +var msg5752 = msg("3302", dup255); + +var msg5753 = msg("3303", dup255); + +var msg5754 = msg("3304", dup255); + +var msg5755 = msg("3305", dup255); + +var msg5756 = msg("3306", dup255); + +var msg5757 = msg("3307", dup255); + +var msg5758 = msg("3308", dup255); + +var msg5759 = msg("3309", dup255); + +var msg5760 = msg("3310", dup255); + +var msg5761 = msg("3311", dup255); + +var msg5762 = msg("3312", dup255); + +var msg5763 = msg("3313", dup255); + +var msg5764 = msg("3314", dup255); + +var msg5765 = msg("3315", dup255); + +var msg5766 = msg("3316", dup255); + +var msg5767 = msg("3317", dup255); + +var msg5768 = msg("3318", dup255); + +var msg5769 = msg("3319", dup255); + +var msg5770 = msg("3320", dup255); + +var msg5771 = msg("3321", dup255); + +var msg5772 = msg("3322", dup255); + +var msg5773 = msg("3323", dup255); + +var msg5774 = msg("3324", dup255); + +var msg5775 = msg("3325", dup255); + +var msg5776 = msg("3326", dup255); + +var msg5777 = msg("3327", dup255); + +var msg5778 = msg("3328", dup255); + +var msg5779 = msg("3329", dup255); + +var msg5780 = msg("3330", dup255); + +var msg5781 = msg("3331", dup255); + +var msg5782 = msg("3332", dup255); + +var msg5783 = msg("3333", dup255); + +var msg5784 = msg("3334", dup255); + +var msg5785 = msg("3335", dup255); + +var msg5786 = msg("3336", dup255); + +var msg5787 = msg("3337", dup255); + +var msg5788 = msg("3338", dup255); + +var msg5789 = msg("3339", dup255); + +var msg5790 = msg("3340", dup255); + +var msg5791 = msg("3341", dup255); + +var msg5792 = msg("3342", dup255); + +var msg5793 = msg("3343", dup255); + +var msg5794 = msg("3344", dup255); + +var msg5795 = msg("3345", dup255); + +var msg5796 = msg("3346", dup255); + +var msg5797 = msg("3347", dup255); + +var msg5798 = msg("3348", dup255); + +var msg5799 = msg("3349", dup255); + +var msg5800 = msg("3350", dup255); + +var msg5801 = msg("3351", dup255); + +var msg5802 = msg("3352", dup255); + +var msg5803 = msg("3353", dup255); + +var msg5804 = msg("3354", dup255); + +var msg5805 = msg("3355", dup255); + +var msg5806 = msg("3356", dup255); + +var msg5807 = msg("3357", dup255); + +var msg5808 = msg("3358", dup255); + +var msg5809 = msg("3359", dup255); + +var msg5810 = msg("3360", dup255); + +var msg5811 = msg("3361", dup255); + +var msg5812 = msg("3362", dup255); + +var msg5813 = msg("3363", dup255); + +var msg5814 = msg("3364", dup255); + +var msg5815 = msg("3365", dup255); + +var msg5816 = msg("3366", dup255); + +var msg5817 = msg("3367", dup255); + +var msg5818 = msg("3368", dup255); + +var msg5819 = msg("3369", dup255); + +var msg5820 = msg("3370", dup255); + +var msg5821 = msg("3371", dup255); + +var msg5822 = msg("3372", dup255); + +var msg5823 = msg("3373", dup255); + +var msg5824 = msg("3374", dup255); + +var msg5825 = msg("3375", dup255); + +var msg5826 = msg("3376", dup255); + +var msg5827 = msg("3377", dup276); + +var msg5828 = msg("3378", dup276); + +var msg5829 = msg("3379", dup276); + +var msg5830 = msg("3380", dup276); + +var msg5831 = msg("3381", dup276); + +var msg5832 = msg("3382", dup276); + +var msg5833 = msg("3383", dup276); + +var msg5834 = msg("3384", dup276); + +var msg5835 = msg("3385", dup276); + +var msg5836 = msg("3386", dup276); + +var msg5837 = msg("3387", dup276); + +var msg5838 = msg("3388", dup276); + +var msg5839 = msg("3389", dup276); + +var msg5840 = msg("3390", dup276); + +var msg5841 = msg("3391", dup276); + +var msg5842 = msg("3392", dup276); + +var msg5843 = msg("3393", dup276); + +var msg5844 = msg("3394", dup276); + +var msg5845 = msg("3395", dup276); + +var msg5846 = msg("3396", dup276); + +var msg5847 = msg("3397", dup276); + +var msg5848 = msg("3398", dup276); + +var msg5849 = msg("3399", dup276); + +var msg5850 = msg("3400", dup276); + +var msg5851 = msg("3401", dup276); + +var msg5852 = msg("3402", dup276); + +var msg5853 = msg("3403", dup276); + +var msg5854 = msg("3404", dup276); + +var msg5855 = msg("3405", dup276); + +var msg5856 = msg("3406", dup276); + +var msg5857 = msg("3407", dup276); + +var msg5858 = msg("3408", dup276); + +var msg5859 = msg("3409", dup276); + +var msg5860 = msg("3410", dup276); + +var msg5861 = msg("3411", dup276); + +var msg5862 = msg("3412", dup276); + +var msg5863 = msg("3413", dup276); + +var msg5864 = msg("3414", dup276); + +var msg5865 = msg("3415", dup276); + +var msg5866 = msg("3416", dup276); + +var msg5867 = msg("3417", dup276); + +var msg5868 = msg("3418", dup276); + +var msg5869 = msg("3419", dup276); + +var msg5870 = msg("3420", dup276); + +var msg5871 = msg("3421", dup276); + +var msg5872 = msg("3422", dup276); + +var msg5873 = msg("3423", dup276); + +var msg5874 = msg("3424", dup276); + +var msg5875 = msg("3425", dup276); + +var msg5876 = msg("3426", dup276); + +var msg5877 = msg("3427", dup276); + +var msg5878 = msg("3428", dup276); + +var msg5879 = msg("3429", dup276); + +var msg5880 = msg("3430", dup276); + +var msg5881 = msg("3431", dup276); + +var msg5882 = msg("3432", dup276); + +var msg5883 = msg("3433", dup276); + +var msg5884 = msg("3434", dup276); + +var msg5885 = msg("3435", dup276); + +var msg5886 = msg("3436", dup276); + +var msg5887 = msg("3437", dup276); + +var msg5888 = msg("3438", dup276); + +var msg5889 = msg("3439", dup276); + +var msg5890 = msg("3440", dup276); + +var msg5891 = msg("3441", dup227); + +var msg5892 = msg("3442", dup198); + +var msg5893 = msg("3443", dup240); + +var msg5894 = msg("3444", dup240); + +var msg5895 = msg("3445", dup240); + +var msg5896 = msg("3446", dup240); + +var msg5897 = msg("3447", dup240); + +var msg5898 = msg("3448", dup240); + +var msg5899 = msg("3449", dup240); + +var msg5900 = msg("3450", dup240); + +var msg5901 = msg("3451", dup240); + +var msg5902 = msg("3452", dup240); + +var msg5903 = msg("3453", dup196); + +var msg5904 = msg("3454", dup196); + +var msg5905 = msg("3455", dup197); + +var msg5906 = msg("3456", dup240); + +var msg5907 = msg("3457", dup222); + +var msg5908 = msg("3458", dup222); + +var msg5909 = msg("3459", dup196); + +var msg5910 = msg("3460", dup227); + +var msg5911 = msg("3461", dup297); + +var msg5912 = msg("3462", dup222); + +var msg5913 = msg("3463", dup265); + +var msg5914 = msg("3464", dup267); + +var msg5915 = msg("3465", dup265); + +var msg5916 = msg("3466", dup267); + +var msg5917 = msg("3467", dup265); + +var msg5918 = msg("3468", dup265); + +var msg5919 = msg("3469", dup198); + +var msg5920 = msg("3470", dup197); + +var msg5921 = msg("3471", dup267); + +var msg5922 = msg("3472", dup197); + +var msg5923 = msg("3473", dup267); + +var msg5924 = msg("3474", dup197); + +var msg5925 = msg("3475", dup197); + +var msg5926 = msg("3476", dup197); + +var msg5927 = msg("3477", dup197); + +var msg5928 = msg("3478", dup197); + +var msg5929 = msg("3479", dup197); + +var msg5930 = msg("3480", dup197); + +var msg5931 = msg("3481", dup197); + +var msg5932 = msg("3482", dup197); + +var msg5933 = msg("3483", dup197); + +var msg5934 = msg("3484", dup197); + +var msg5935 = msg("3485", dup197); + +var msg5936 = msg("3486", dup265); + +var msg5937 = msg("3487", dup196); + +var msg5938 = msg("3488", dup196); + +var msg5939 = msg("3489", dup196); + +var msg5940 = msg("3490", dup196); + +var msg5941 = msg("3491", dup196); + +var msg5942 = msg("3492", dup196); + +var msg5943 = msg("3493", dup250); + +var msg5944 = msg("3494", dup250); + +var msg5945 = msg("3495", dup250); + +var msg5946 = msg("3496", dup250); + +var msg5947 = msg("3497", dup250); + +var msg5948 = msg("3498", dup250); + +var msg5949 = msg("3499", dup298); + +var msg5950 = msg("3500", dup298); + +var msg5951 = msg("3501", dup298); + +var msg5952 = msg("3502", dup298); + +var msg5953 = msg("3503", dup298); + +var msg5954 = msg("3504", dup298); + +var msg5955 = msg("3505", dup298); + +var msg5956 = msg("3506", dup298); + +var msg5957 = msg("3507", dup298); + +var msg5958 = msg("3508", dup298); + +var msg5959 = msg("3509", dup298); + +var msg5960 = msg("3510", dup298); + +var msg5961 = msg("3511", dup222); + +var msg5962 = msg("3512", dup196); + +var msg5963 = msg("3513", dup196); + +var msg5964 = msg("3514", dup196); + +var msg5965 = msg("3515", dup196); + +var msg5966 = msg("3516", dup196); + +var msg5967 = msg("3517", dup222); + +var msg5968 = msg("3518", dup197); + +var msg5969 = msg("3519", dup197); + +var msg5970 = msg("3520", dup222); + +var msg5971 = msg("3521", dup222); + +var msg5972 = msg("3522", dup222); + +var msg5973 = msg("3523", dup227); + +var msg5974 = msg("3524", dup196); + +var msg5975 = msg("3525", dup196); + +var msg5976 = msg("3526", dup222); + +var msg5977 = msg("3527", dup222); + +var msg5978 = msg("3528", dup240); + +var msg5979 = msg("3529", dup222); + +var msg5980 = msg("3530", dup197); + +var msg5981 = msg("3531", dup197); + +var msg5982 = msg("3532", dup222); + +var msg5983 = msg("3533", dup278); + +var msg5984 = msg("3534", dup197); + +var msg5985 = msg("3535", dup196); + +var msg5986 = msg("3536", dup197); + +var msg5987 = msg("3537", dup278); + +var msg5988 = msg("3538", dup222); + +var msg5989 = msg("3539", dup222); + +var msg5990 = msg("3540", dup222); + +var msg5991 = msg("3541", dup222); + +var msg5992 = msg("3542", dup240); + +var msg5993 = msg("3543", dup240); + +var msg5994 = msg("3544", dup265); + +var msg5995 = msg("3545", dup265); + +var msg5996 = msg("3546", dup267); + +var msg5997 = msg("3547", dup267); + +var msg5998 = msg("3548", dup265); + +var msg5999 = msg("3549", dup265); + +var msg6000 = msg("3550", dup267); + +var msg6001 = msg("3551", dup265); + +var msg6002 = msg("3552", dup265); + +var msg6003 = msg("3553", dup265); + +var msg6004 = msg("3554", dup276); + +var msg6005 = msg("3555", dup276); + +var msg6006 = msg("3556", dup276); + +var msg6007 = msg("3557", dup276); + +var msg6008 = msg("3558", dup276); + +var msg6009 = msg("3559", dup276); + +var msg6010 = msg("3560", dup276); + +var msg6011 = msg("3561", dup276); + +var msg6012 = msg("3562", dup276); + +var msg6013 = msg("3563", dup276); + +var msg6014 = msg("3564", dup276); + +var msg6015 = msg("3565", dup276); + +var msg6016 = msg("3566", dup276); + +var msg6017 = msg("3567", dup276); + +var msg6018 = msg("3568", dup276); + +var msg6019 = msg("3569", dup276); + +var msg6020 = msg("3570", dup276); + +var msg6021 = msg("3571", dup276); + +var msg6022 = msg("3572", dup276); + +var msg6023 = msg("3573", dup276); + +var msg6024 = msg("3574", dup276); + +var msg6025 = msg("3575", dup276); + +var msg6026 = msg("3576", dup276); + +var msg6027 = msg("3577", dup276); + +var msg6028 = msg("3578", dup276); + +var msg6029 = msg("3579", dup276); + +var msg6030 = msg("3580", dup276); + +var msg6031 = msg("3581", dup276); + +var msg6032 = msg("3582", dup276); + +var msg6033 = msg("3583", dup276); + +var msg6034 = msg("3584", dup276); + +var msg6035 = msg("3585", dup276); + +var msg6036 = msg("3586", dup276); + +var msg6037 = msg("3587", dup276); + +var msg6038 = msg("3588", dup276); + +var msg6039 = msg("3589", dup276); + +var msg6040 = msg("3590", dup276); + +var msg6041 = msg("3591", dup276); + +var msg6042 = msg("3592", dup276); + +var msg6043 = msg("3593", dup276); + +var msg6044 = msg("3594", dup276); + +var msg6045 = msg("3595", dup276); + +var msg6046 = msg("3596", dup276); + +var msg6047 = msg("3597", dup276); + +var msg6048 = msg("3598", dup276); + +var msg6049 = msg("3599", dup276); + +var msg6050 = msg("3600", dup276); + +var msg6051 = msg("3601", dup276); + +var msg6052 = msg("3602", dup276); + +var msg6053 = msg("3603", dup276); + +var msg6054 = msg("3604", dup276); + +var msg6055 = msg("3605", dup276); + +var msg6056 = msg("3606", dup276); + +var msg6057 = msg("3607", dup276); + +var msg6058 = msg("3608", dup276); + +var msg6059 = msg("3609", dup276); + +var msg6060 = msg("3610", dup276); + +var msg6061 = msg("3611", dup276); + +var msg6062 = msg("3612", dup276); + +var msg6063 = msg("3613", dup276); + +var msg6064 = msg("3614", dup276); + +var msg6065 = msg("3615", dup276); + +var msg6066 = msg("3616", dup276); + +var msg6067 = msg("3617", dup276); + +var msg6068 = msg("3618", dup276); + +var msg6069 = msg("3619", dup276); + +var msg6070 = msg("3620", dup276); + +var msg6071 = msg("3621", dup276); + +var msg6072 = msg("3622", dup276); + +var msg6073 = msg("3623", dup276); + +var msg6074 = msg("3624", dup276); + +var msg6075 = msg("3625", dup276); + +var msg6076 = msg("3626", dup198); + +var msg6077 = msg("3627", dup196); + +var msg6078 = msg("3628", dup196); + +var msg6079 = msg("3629", dup265); + +var msg6080 = msg("3630", dup222); + +var msg6081 = msg("3631", dup222); + +var msg6082 = msg("3632", dup267); + +var msg6083 = msg("3633", dup196); + +var msg6084 = msg("3634", dup267); + +var msg6085 = msg("3635", dup205); + +var msg6086 = msg("3636", dup205); + +var msg6087 = msg("3637", dup196); + +var msg6088 = msg("3638", dup267); + +var msg6089 = msg("3639", dup198); + +var msg6090 = msg("3640", dup198); + +var msg6091 = msg("3641", dup198); + +var msg6092 = msg("3642", dup198); + +var msg6093 = msg("3643", dup198); + +var msg6094 = msg("3644", dup198); + +var msg6095 = msg("3645", dup198); + +var msg6096 = msg("3646", dup198); + +var msg6097 = msg("3647", dup198); + +var msg6098 = msg("3648", dup198); + +var msg6099 = msg("3649", dup198); + +var msg6100 = msg("3650", dup198); + +var msg6101 = msg("3651", dup222); + +var msg6102 = msg("3652", dup222); + +var msg6103 = msg("3653", dup222); + +var msg6104 = msg("3654", dup222); + +var msg6105 = msg("3655", dup222); + +var msg6106 = msg("3656", dup222); + +var msg6107 = msg("3657", dup196); + +var msg6108 = msg("3658", dup222); + +var msg6109 = msg("3659", dup222); + +var msg6110 = msg("3660", dup222); + +var msg6111 = msg("3661", dup222); + +var msg6112 = msg("3662", dup222); + +var msg6113 = msg("3663", dup222); + +var msg6114 = msg("3664", dup222); + +var msg6115 = msg("3665", dup196); + +var msg6116 = msg("3666", dup196); + +var msg6117 = msg("3667", dup285); + +var msg6118 = msg("3668", dup285); + +var msg6119 = msg("3669", dup260); + +var msg6120 = msg("3670", dup260); + +var msg6121 = msg("3671", dup260); + +var msg6122 = msg("3672", dup260); + +var msg6123 = msg("3673", dup198); + +var msg6124 = msg("3674", dup265); + +var msg6125 = msg("3675", dup198); + +var msg6126 = msg("3676", dup265); + +var msg6127 = msg("3677", dup201); + +var msg6128 = msg("3678", dup201); + +var msg6129 = msg("3679", dup201); + +var msg6130 = msg("3680", dup196); + +var msg6131 = msg("3681", dup196); + +var msg6132 = msg("3682", dup250); + +var msg6133 = msg("3683", dup267); + +var msg6134 = msg("3684", dup196); + +var msg6135 = msg("3685", dup201); + +var msg6136 = msg("3686", dup197); + +var msg6137 = msg("3687", dup248); + +var msg6138 = msg("3688", dup248); + +var msg6139 = msg("3689", dup267); + +var msg6140 = msg("3690", dup260); + +var msg6141 = msg("3691", dup196); + +var msg6142 = msg("3692", dup196); + +var msg6143 = msg("3693", dup267); + +var msg6144 = msg("3694", dup265); + +var msg6145 = msg("3695", dup222); + +var msg6146 = msg("3696", dup198); + +var msg6147 = msg("3697", dup276); + +var msg6148 = msg("3698", dup276); + +var msg6149 = msg("3699", dup276); + +var msg6150 = msg("3700", dup276); + +var msg6151 = msg("3701", dup276); + +var msg6152 = msg("3702", dup276); + +var msg6153 = msg("3703", dup276); + +var msg6154 = msg("3704", dup276); + +var msg6155 = msg("3705", dup276); + +var msg6156 = msg("3706", dup276); + +var msg6157 = msg("3707", dup276); + +var msg6158 = msg("3708", dup276); + +var msg6159 = msg("3709", dup276); + +var msg6160 = msg("3710", dup276); + +var msg6161 = msg("3711", dup276); + +var msg6162 = msg("3712", dup276); + +var msg6163 = msg("3713", dup276); + +var msg6164 = msg("3714", dup276); + +var msg6165 = msg("3715", dup276); + +var msg6166 = msg("3716", dup276); + +var msg6167 = msg("3717", dup276); + +var msg6168 = msg("3718", dup276); + +var msg6169 = msg("3719", dup276); + +var msg6170 = msg("3720", dup276); + +var msg6171 = msg("3721", dup276); + +var msg6172 = msg("3722", dup276); + +var msg6173 = msg("3723", dup276); + +var msg6174 = msg("3724", dup276); + +var msg6175 = msg("3725", dup276); + +var msg6176 = msg("3726", dup276); + +var msg6177 = msg("3727", dup276); + +var msg6178 = msg("3728", dup276); + +var msg6179 = msg("3729", dup276); + +var msg6180 = msg("3730", dup276); + +var msg6181 = msg("3731", dup276); + +var msg6182 = msg("3732", dup276); + +var msg6183 = msg("3733", dup276); + +var msg6184 = msg("3734", dup276); + +var msg6185 = msg("3735", dup276); + +var msg6186 = msg("3736", dup276); + +var msg6187 = msg("3737", dup276); + +var msg6188 = msg("3738", dup276); + +var msg6189 = msg("3739", dup276); + +var msg6190 = msg("3740", dup276); + +var msg6191 = msg("3741", dup276); + +var msg6192 = msg("3742", dup276); + +var msg6193 = msg("3743", dup276); + +var msg6194 = msg("3744", dup276); + +var msg6195 = msg("3745", dup276); + +var msg6196 = msg("3746", dup276); + +var msg6197 = msg("3747", dup276); + +var msg6198 = msg("3748", dup276); + +var msg6199 = msg("3749", dup276); + +var msg6200 = msg("3750", dup276); + +var msg6201 = msg("3751", dup276); + +var msg6202 = msg("3752", dup276); + +var msg6203 = msg("3753", dup276); + +var msg6204 = msg("3754", dup276); + +var msg6205 = msg("3755", dup276); + +var msg6206 = msg("3756", dup276); + +var msg6207 = msg("3757", dup276); + +var msg6208 = msg("3758", dup276); + +var msg6209 = msg("3759", dup276); + +var msg6210 = msg("3760", dup276); + +var msg6211 = msg("3761", dup276); + +var msg6212 = msg("3762", dup276); + +var msg6213 = msg("3763", dup276); + +var msg6214 = msg("3764", dup276); + +var msg6215 = msg("3765", dup276); + +var msg6216 = msg("3766", dup276); + +var msg6217 = msg("3767", dup276); + +var msg6218 = msg("3768", dup276); + +var msg6219 = msg("3769", dup276); + +var msg6220 = msg("3770", dup276); + +var msg6221 = msg("3771", dup276); + +var msg6222 = msg("3772", dup276); + +var msg6223 = msg("3773", dup276); + +var msg6224 = msg("3774", dup276); + +var msg6225 = msg("3775", dup276); + +var msg6226 = msg("3776", dup276); + +var msg6227 = msg("3777", dup276); + +var msg6228 = msg("3778", dup276); + +var msg6229 = msg("3779", dup276); + +var msg6230 = msg("3780", dup276); + +var msg6231 = msg("3781", dup276); + +var msg6232 = msg("3782", dup276); + +var msg6233 = msg("3783", dup276); + +var msg6234 = msg("3784", dup276); + +var msg6235 = msg("3785", dup276); + +var msg6236 = msg("3786", dup276); + +var msg6237 = msg("3787", dup276); + +var msg6238 = msg("3788", dup276); + +var msg6239 = msg("3789", dup276); + +var msg6240 = msg("3790", dup276); + +var msg6241 = msg("3791", dup276); + +var msg6242 = msg("3792", dup276); + +var msg6243 = msg("3793", dup276); + +var msg6244 = msg("3794", dup276); + +var msg6245 = msg("3795", dup276); + +var msg6246 = msg("3796", dup276); + +var msg6247 = msg("3797", dup276); + +var msg6248 = msg("3798", dup276); + +var msg6249 = msg("3799", dup276); + +var msg6250 = msg("3800", dup276); + +var msg6251 = msg("3801", dup276); + +var msg6252 = msg("3802", dup276); + +var msg6253 = msg("3803", dup276); + +var msg6254 = msg("3804", dup276); + +var msg6255 = msg("3805", dup276); + +var msg6256 = msg("3806", dup276); + +var msg6257 = msg("3807", dup276); + +var msg6258 = msg("3808", dup276); + +var msg6259 = msg("3809", dup276); + +var msg6260 = msg("3810", dup276); + +var msg6261 = msg("3811", dup276); + +var msg6262 = msg("3812", dup276); + +var msg6263 = msg("3813", dup267); + +var msg6264 = msg("3814", dup265); + +var msg6265 = msg("3815", dup222); + +var msg6266 = msg("3816", dup267); + +var msg6267 = msg("3817", dup295); + +var msg6268 = msg("3818", dup295); + +var msg6269 = msg("3819", dup196); + +var msg6270 = msg("3820", dup265); + +var msg6271 = msg("3821", dup265); + +var msg6272 = msg("3822", dup265); + +var msg6273 = msg("3823", dup267); + +var msg6274 = msg("3824", dup222); + +var msg6275 = msg("3825", dup196); + +var msg6276 = msg("3826", dup196); + +var msg6277 = msg("3827", dup265); + +var msg6278 = msg("3828", dup276); + +var msg6279 = msg("3829", dup276); + +var msg6280 = msg("3830", dup276); + +var msg6281 = msg("3831", dup276); + +var msg6282 = msg("3832", dup276); + +var msg6283 = msg("3833", dup276); + +var msg6284 = msg("3834", dup276); + +var msg6285 = msg("3835", dup276); + +var msg6286 = msg("3836", dup276); + +var msg6287 = msg("3837", dup276); + +var msg6288 = msg("3838", dup276); + +var msg6289 = msg("3839", dup276); + +var msg6290 = msg("3840", dup276); + +var msg6291 = msg("3841", dup276); + +var msg6292 = msg("3842", dup276); + +var msg6293 = msg("3843", dup276); + +var msg6294 = msg("3844", dup276); + +var msg6295 = msg("3845", dup276); + +var msg6296 = msg("3846", dup276); + +var msg6297 = msg("3847", dup276); + +var msg6298 = msg("3848", dup276); + +var msg6299 = msg("3849", dup276); + +var msg6300 = msg("3850", dup276); + +var msg6301 = msg("3851", dup276); + +var msg6302 = msg("3852", dup276); + +var msg6303 = msg("3853", dup276); + +var msg6304 = msg("3854", dup276); + +var msg6305 = msg("3855", dup276); + +var msg6306 = msg("3856", dup276); + +var msg6307 = msg("3857", dup276); + +var msg6308 = msg("3858", dup276); + +var msg6309 = msg("3859", dup276); + +var msg6310 = msg("3860", dup276); + +var msg6311 = msg("3861", dup276); + +var msg6312 = msg("3862", dup276); + +var msg6313 = msg("3863", dup276); + +var msg6314 = msg("3864", dup276); + +var msg6315 = msg("3865", dup276); + +var msg6316 = msg("3866", dup276); + +var msg6317 = msg("3867", dup276); + +var msg6318 = msg("3868", dup276); + +var msg6319 = msg("3869", dup276); + +var msg6320 = msg("3870", dup276); + +var msg6321 = msg("3871", dup276); + +var msg6322 = msg("3872", dup276); + +var msg6323 = msg("3873", dup276); + +var msg6324 = msg("3874", dup276); + +var msg6325 = msg("3875", dup276); + +var msg6326 = msg("3876", dup276); + +var msg6327 = msg("3877", dup276); + +var msg6328 = msg("3878", dup276); + +var msg6329 = msg("3879", dup276); + +var msg6330 = msg("3880", dup276); + +var msg6331 = msg("3881", dup276); + +var msg6332 = msg("3882", dup276); + +var msg6333 = msg("3883", dup276); + +var msg6334 = msg("3884", dup276); + +var msg6335 = msg("3885", dup276); + +var msg6336 = msg("3886", dup276); + +var msg6337 = msg("3887", dup276); + +var msg6338 = msg("3888", dup276); + +var msg6339 = msg("3889", dup276); + +var msg6340 = msg("3890", dup276); + +var msg6341 = msg("3891", dup276); + +var msg6342 = msg("3892", dup276); + +var msg6343 = msg("3893", dup276); + +var msg6344 = msg("3894", dup276); + +var msg6345 = msg("3895", dup276); + +var msg6346 = msg("3896", dup276); + +var msg6347 = msg("3897", dup276); + +var msg6348 = msg("3898", dup276); + +var msg6349 = msg("3899", dup276); + +var msg6350 = msg("3900", dup276); + +var msg6351 = msg("3901", dup276); + +var msg6352 = msg("3902", dup276); + +var msg6353 = msg("3903", dup276); + +var msg6354 = msg("3904", dup276); + +var msg6355 = msg("3905", dup276); + +var msg6356 = msg("3906", dup276); + +var msg6357 = msg("3907", dup276); + +var msg6358 = msg("3908", dup276); + +var msg6359 = msg("3909", dup276); + +var msg6360 = msg("3910", dup276); + +var msg6361 = msg("3911", dup276); + +var msg6362 = msg("3912", dup276); + +var msg6363 = msg("3913", dup276); + +var msg6364 = msg("3914", dup276); + +var msg6365 = msg("3915", dup276); + +var msg6366 = msg("3916", dup276); + +var msg6367 = msg("3917", dup276); + +var msg6368 = msg("3918", dup276); + +var msg6369 = msg("3919", dup276); + +var msg6370 = msg("3920", dup276); + +var msg6371 = msg("3921", dup276); + +var msg6372 = msg("3922", dup276); + +var msg6373 = msg("3923", dup276); + +var msg6374 = msg("3924", dup276); + +var msg6375 = msg("3925", dup276); + +var msg6376 = msg("3926", dup276); + +var msg6377 = msg("3927", dup276); + +var msg6378 = msg("3928", dup276); + +var msg6379 = msg("3929", dup276); + +var msg6380 = msg("3930", dup276); + +var msg6381 = msg("3931", dup276); + +var msg6382 = msg("3932", dup276); + +var msg6383 = msg("3933", dup276); + +var msg6384 = msg("3934", dup276); + +var msg6385 = msg("3935", dup276); + +var msg6386 = msg("3936", dup276); + +var msg6387 = msg("3937", dup276); + +var msg6388 = msg("3938", dup276); + +var msg6389 = msg("3939", dup276); + +var msg6390 = msg("3940", dup276); + +var msg6391 = msg("3941", dup276); + +var msg6392 = msg("3942", dup276); + +var msg6393 = msg("3943", dup276); + +var msg6394 = msg("3944", dup276); + +var msg6395 = msg("3945", dup276); + +var msg6396 = msg("3946", dup276); + +var msg6397 = msg("3947", dup276); + +var msg6398 = msg("3948", dup276); + +var msg6399 = msg("3949", dup276); + +var msg6400 = msg("3950", dup276); + +var msg6401 = msg("3951", dup276); + +var msg6402 = msg("3952", dup276); + +var msg6403 = msg("3953", dup276); + +var msg6404 = msg("3954", dup276); + +var msg6405 = msg("3955", dup276); + +var msg6406 = msg("3956", dup276); + +var msg6407 = msg("3957", dup276); + +var msg6408 = msg("3958", dup276); + +var msg6409 = msg("3959", dup276); + +var msg6410 = msg("3960", dup276); + +var msg6411 = msg("3961", dup276); + +var msg6412 = msg("3962", dup276); + +var msg6413 = msg("3963", dup276); + +var msg6414 = msg("3964", dup276); + +var msg6415 = msg("3965", dup276); + +var msg6416 = msg("3966", dup276); + +var msg6417 = msg("3967", dup276); + +var msg6418 = msg("3968", dup276); + +var msg6419 = msg("3969", dup276); + +var msg6420 = msg("3970", dup276); + +var msg6421 = msg("3971", dup276); + +var msg6422 = msg("3972", dup276); + +var msg6423 = msg("3973", dup276); + +var msg6424 = msg("3974", dup276); + +var msg6425 = msg("3975", dup276); + +var msg6426 = msg("3976", dup276); + +var msg6427 = msg("3977", dup276); + +var msg6428 = msg("3978", dup276); + +var msg6429 = msg("3979", dup276); + +var msg6430 = msg("3980", dup276); + +var msg6431 = msg("3981", dup276); + +var msg6432 = msg("3982", dup276); + +var msg6433 = msg("3983", dup276); + +var msg6434 = msg("3984", dup276); + +var msg6435 = msg("3985", dup276); + +var msg6436 = msg("3986", dup276); + +var msg6437 = msg("3987", dup276); + +var msg6438 = msg("3988", dup276); + +var msg6439 = msg("3989", dup276); + +var msg6440 = msg("3990", dup276); + +var msg6441 = msg("3991", dup276); + +var msg6442 = msg("3992", dup276); + +var msg6443 = msg("3993", dup276); + +var msg6444 = msg("3994", dup276); + +var msg6445 = msg("3995", dup276); + +var msg6446 = msg("3996", dup276); + +var msg6447 = msg("3997", dup276); + +var msg6448 = msg("3998", dup276); + +var msg6449 = msg("3999", dup276); + +var msg6450 = msg("4000", dup276); + +var msg6451 = msg("4001", dup276); + +var msg6452 = msg("4002", dup276); + +var msg6453 = msg("4003", dup276); + +var msg6454 = msg("4004", dup276); + +var msg6455 = msg("4005", dup276); + +var msg6456 = msg("4006", dup276); + +var msg6457 = msg("4007", dup276); + +var msg6458 = msg("4008", dup276); + +var msg6459 = msg("4009", dup276); + +var msg6460 = msg("4010", dup276); + +var msg6461 = msg("4011", dup276); + +var msg6462 = msg("4012", dup276); + +var msg6463 = msg("4013", dup276); + +var msg6464 = msg("4014", dup276); + +var msg6465 = msg("4015", dup276); + +var msg6466 = msg("4016", dup276); + +var msg6467 = msg("4017", dup276); + +var msg6468 = msg("4018", dup276); + +var msg6469 = msg("4019", dup276); + +var msg6470 = msg("4020", dup276); + +var msg6471 = msg("4021", dup276); + +var msg6472 = msg("4022", dup276); + +var msg6473 = msg("4023", dup276); + +var msg6474 = msg("4024", dup276); + +var msg6475 = msg("4025", dup276); + +var msg6476 = msg("4026", dup276); + +var msg6477 = msg("4027", dup276); + +var msg6478 = msg("4028", dup276); + +var msg6479 = msg("4029", dup276); + +var msg6480 = msg("4030", dup276); + +var msg6481 = msg("4031", dup276); + +var msg6482 = msg("4032", dup276); + +var msg6483 = msg("4033", dup276); + +var msg6484 = msg("4034", dup276); + +var msg6485 = msg("4035", dup276); + +var msg6486 = msg("4036", dup276); + +var msg6487 = msg("4037", dup276); + +var msg6488 = msg("4038", dup276); + +var msg6489 = msg("4039", dup276); + +var msg6490 = msg("4040", dup276); + +var msg6491 = msg("4041", dup276); + +var msg6492 = msg("4042", dup276); + +var msg6493 = msg("4043", dup276); + +var msg6494 = msg("4044", dup276); + +var msg6495 = msg("4045", dup276); + +var msg6496 = msg("4046", dup276); + +var msg6497 = msg("4047", dup276); + +var msg6498 = msg("4048", dup276); + +var msg6499 = msg("4049", dup276); + +var msg6500 = msg("4050", dup276); + +var msg6501 = msg("4051", dup276); + +var msg6502 = msg("4052", dup276); + +var msg6503 = msg("4053", dup276); + +var msg6504 = msg("4054", dup276); + +var msg6505 = msg("4055", dup276); + +var msg6506 = msg("4056", dup276); + +var msg6507 = msg("4057", dup276); + +var msg6508 = msg("4058", dup276); + +var msg6509 = msg("4059", dup276); + +var msg6510 = msg("4060", dup196); + +var msg6511 = msg("4061", dup276); + +var msg6512 = msg("4062", dup276); + +var msg6513 = msg("4063", dup276); + +var msg6514 = msg("4064", dup276); + +var msg6515 = msg("4065", dup276); + +var msg6516 = msg("4066", dup276); + +var msg6517 = msg("4067", dup276); + +var msg6518 = msg("4068", dup276); + +var msg6519 = msg("4069", dup276); + +var msg6520 = msg("4070", dup276); + +var msg6521 = msg("4071", dup276); + +var msg6522 = msg("4072", dup276); + +var msg6523 = msg("4073", dup276); + +var msg6524 = msg("4074", dup276); + +var msg6525 = msg("4075", dup276); + +var msg6526 = msg("4076", dup276); + +var msg6527 = msg("4077", dup276); + +var msg6528 = msg("4078", dup276); + +var msg6529 = msg("4079", dup276); + +var msg6530 = msg("4080", dup276); + +var msg6531 = msg("4081", dup276); + +var msg6532 = msg("4082", dup276); + +var msg6533 = msg("4083", dup276); + +var msg6534 = msg("4084", dup276); + +var msg6535 = msg("4085", dup276); + +var msg6536 = msg("4086", dup276); + +var msg6537 = msg("4087", dup276); + +var msg6538 = msg("4088", dup276); + +var msg6539 = msg("4089", dup276); + +var msg6540 = msg("4090", dup276); + +var msg6541 = msg("4091", dup276); + +var msg6542 = msg("4092", dup276); + +var msg6543 = msg("4093", dup276); + +var msg6544 = msg("4094", dup276); + +var msg6545 = msg("4095", dup276); + +var msg6546 = msg("4096", dup276); + +var msg6547 = msg("4097", dup276); + +var msg6548 = msg("4098", dup276); + +var msg6549 = msg("4099", dup276); + +var msg6550 = msg("4100", dup276); + +var msg6551 = msg("4101", dup276); + +var msg6552 = msg("4102", dup276); + +var msg6553 = msg("4103", dup276); + +var msg6554 = msg("4104", dup276); + +var msg6555 = msg("4105", dup276); + +var msg6556 = msg("4106", dup276); + +var msg6557 = msg("4107", dup276); + +var msg6558 = msg("4108", dup276); + +var msg6559 = msg("4109", dup276); + +var msg6560 = msg("4110", dup276); + +var msg6561 = msg("4111", dup276); + +var msg6562 = msg("4112", dup276); + +var msg6563 = msg("4113", dup276); + +var msg6564 = msg("4114", dup276); + +var msg6565 = msg("4115", dup276); + +var msg6566 = msg("4116", dup276); + +var msg6567 = msg("4117", dup276); + +var msg6568 = msg("4118", dup276); + +var msg6569 = msg("4119", dup276); + +var msg6570 = msg("4120", dup276); + +var msg6571 = msg("4121", dup276); + +var msg6572 = msg("4122", dup276); + +var msg6573 = msg("4123", dup276); + +var msg6574 = msg("4124", dup276); + +var msg6575 = msg("4125", dup276); + +var msg6576 = msg("4126", dup196); + +var msg6577 = msg("4127", dup222); + +var msg6578 = msg("4128", dup265); + +var msg6579 = msg("4129", dup198); + +var msg6580 = msg("4130", dup222); + +var msg6581 = msg("4131", dup196); + +var msg6582 = msg("4132", dup265); + +var msg6583 = msg("4133", dup265); + +var msg6584 = msg("4134", dup265); + +var msg6585 = msg("4135", dup267); + +var msg6586 = msg("4136", dup267); + +var msg6587 = msg("4140", dup198); + +var msg6588 = msg("4141", dup198); + +var msg6589 = msg("4142", dup196); + +var msg6590 = msg("4143", dup196); + +var msg6591 = msg("4144", dup196); + +var msg6592 = msg("4145", dup265); + +var msg6593 = msg("4146", dup265); + +var msg6594 = msg("4147", dup265); + +var msg6595 = msg("4148", dup265); + +var msg6596 = msg("4149", dup265); + +var msg6597 = msg("4150", dup265); + +var msg6598 = msg("4151", dup265); + +var msg6599 = msg("4152", dup265); + +var msg6600 = msg("4153", dup265); + +var msg6601 = msg("4154", dup265); + +var msg6602 = msg("4155", dup265); + +var msg6603 = msg("4156", dup265); + +var msg6604 = msg("4157", dup265); + +var msg6605 = msg("4158", dup265); + +var msg6606 = msg("4159", dup265); + +var msg6607 = msg("4160", dup265); + +var msg6608 = msg("4161", dup265); + +var msg6609 = msg("4162", dup265); + +var msg6610 = msg("4163", dup265); + +var msg6611 = msg("4164", dup265); + +var msg6612 = msg("4165", dup265); + +var msg6613 = msg("4166", dup265); + +var msg6614 = msg("4167", dup265); + +var msg6615 = msg("4168", dup265); + +var msg6616 = msg("4169", dup265); + +var msg6617 = msg("4170", dup265); + +var msg6618 = msg("4171", dup265); + +var msg6619 = msg("4172", dup265); + +var msg6620 = msg("4173", dup265); + +var msg6621 = msg("4174", dup265); + +var msg6622 = msg("4175", dup265); + +var msg6623 = msg("4176", dup265); + +var msg6624 = msg("4177", dup265); + +var msg6625 = msg("4178", dup265); + +var msg6626 = msg("4179", dup265); + +var msg6627 = msg("4180", dup194); + +var msg6628 = msg("4181", dup265); + +var msg6629 = msg("4182", dup265); + +var msg6630 = msg("4183", dup265); + +var msg6631 = msg("4184", dup265); + +var msg6632 = msg("4185", dup265); + +var msg6633 = msg("4186", dup265); + +var msg6634 = msg("4187", dup265); + +var msg6635 = msg("4188", dup194); + +var msg6636 = msg("4189", dup265); + +var msg6637 = msg("4190", dup265); + +var msg6638 = msg("4191", dup265); + +var msg6639 = msg("4192", dup265); + +var msg6640 = msg("4193", dup265); + +var msg6641 = msg("4194", dup196); + +var msg6642 = msg("4195", dup265); + +var msg6643 = msg("4196", dup265); + +var msg6644 = msg("4197", dup265); + +var msg6645 = msg("4198", dup265); + +var msg6646 = msg("4199", dup265); + +var msg6647 = msg("4200", dup265); + +var msg6648 = msg("4201", dup265); + +var msg6649 = msg("4202", dup265); + +var msg6650 = msg("4203", dup265); + +var msg6651 = msg("4204", dup265); + +var msg6652 = msg("4205", dup265); + +var msg6653 = msg("4206", dup265); + +var msg6654 = msg("4207", dup265); + +var msg6655 = msg("4208", dup265); + +var msg6656 = msg("4209", dup265); + +var msg6657 = msg("4210", dup265); + +var msg6658 = msg("4211", dup265); + +var msg6659 = msg("4212", dup265); + +var msg6660 = msg("4213", dup265); + +var msg6661 = msg("4214", dup265); + +var msg6662 = msg("4215", dup265); + +var msg6663 = msg("4216", dup265); + +var msg6664 = msg("4217", dup265); + +var msg6665 = msg("4218", dup265); + +var msg6666 = msg("4219", dup265); + +var msg6667 = msg("4220", dup265); + +var msg6668 = msg("4221", dup265); + +var msg6669 = msg("4222", dup265); + +var msg6670 = msg("4223", dup265); + +var msg6671 = msg("4224", dup265); + +var msg6672 = msg("4225", dup265); + +var msg6673 = msg("4226", dup265); + +var msg6674 = msg("4227", dup265); + +var msg6675 = msg("4228", dup265); + +var msg6676 = msg("4229", dup265); + +var msg6677 = msg("4230", dup265); + +var msg6678 = msg("4231", dup265); + +var msg6679 = msg("4232", dup265); + +var msg6680 = msg("4233", dup265); + +var msg6681 = msg("4234", dup265); + +var msg6682 = msg("4235", dup265); + +var msg6683 = msg("4236", dup265); + +var msg6684 = msg("4237", dup276); + +var msg6685 = msg("4238", dup276); + +var msg6686 = msg("4239", dup276); + +var msg6687 = msg("4240", dup276); + +var msg6688 = msg("4241", dup276); + +var msg6689 = msg("4242", dup276); + +var msg6690 = msg("4243", dup276); + +var msg6691 = msg("4244", dup276); + +var msg6692 = msg("4245", dup276); + +var msg6693 = msg("4246", dup276); + +var msg6694 = msg("4247", dup276); + +var msg6695 = msg("4248", dup276); + +var msg6696 = msg("4249", dup276); + +var msg6697 = msg("4250", dup276); + +var msg6698 = msg("4251", dup276); + +var msg6699 = msg("4252", dup276); + +var msg6700 = msg("4253", dup276); + +var msg6701 = msg("4254", dup276); + +var msg6702 = msg("4255", dup276); + +var msg6703 = msg("4256", dup276); + +var msg6704 = msg("4257", dup276); + +var msg6705 = msg("4258", dup276); + +var msg6706 = msg("4259", dup276); + +var msg6707 = msg("4260", dup276); + +var msg6708 = msg("4261", dup276); + +var msg6709 = msg("4262", dup276); + +var msg6710 = msg("4263", dup276); + +var msg6711 = msg("4264", dup276); + +var msg6712 = msg("4265", dup276); + +var msg6713 = msg("4266", dup276); + +var msg6714 = msg("4267", dup276); + +var msg6715 = msg("4268", dup276); + +var msg6716 = msg("4269", dup276); + +var msg6717 = msg("4270", dup276); + +var msg6718 = msg("4271", dup276); + +var msg6719 = msg("4272", dup276); + +var msg6720 = msg("4273", dup276); + +var msg6721 = msg("4274", dup276); + +var msg6722 = msg("4275", dup276); + +var msg6723 = msg("4276", dup276); + +var msg6724 = msg("4277", dup276); + +var msg6725 = msg("4278", dup276); + +var msg6726 = msg("4279", dup276); + +var msg6727 = msg("4280", dup276); + +var msg6728 = msg("4281", dup276); + +var msg6729 = msg("4282", dup276); + +var msg6730 = msg("4283", dup276); + +var msg6731 = msg("4284", dup276); + +var msg6732 = msg("4285", dup276); + +var msg6733 = msg("4286", dup276); + +var msg6734 = msg("4287", dup276); + +var msg6735 = msg("4288", dup276); + +var msg6736 = msg("4289", dup276); + +var msg6737 = msg("4290", dup276); + +var msg6738 = msg("4291", dup276); + +var msg6739 = msg("4292", dup276); + +var msg6740 = msg("4293", dup276); + +var msg6741 = msg("4294", dup276); + +var msg6742 = msg("4295", dup276); + +var msg6743 = msg("4296", dup276); + +var msg6744 = msg("4297", dup276); + +var msg6745 = msg("4298", dup276); + +var msg6746 = msg("4299", dup276); + +var msg6747 = msg("4300", dup276); + +var msg6748 = msg("4301", dup276); + +var msg6749 = msg("4302", dup276); + +var msg6750 = msg("4303", dup276); + +var msg6751 = msg("4304", dup276); + +var msg6752 = msg("4305", dup276); + +var msg6753 = msg("4306", dup276); + +var msg6754 = msg("4307", dup276); + +var msg6755 = msg("4308", dup276); + +var msg6756 = msg("4309", dup276); + +var msg6757 = msg("4310", dup276); + +var msg6758 = msg("4311", dup276); + +var msg6759 = msg("4312", dup276); + +var msg6760 = msg("4313", dup276); + +var msg6761 = msg("4314", dup276); + +var msg6762 = msg("4315", dup276); + +var msg6763 = msg("4316", dup276); + +var msg6764 = msg("4317", dup276); + +var msg6765 = msg("4318", dup276); + +var msg6766 = msg("4319", dup276); + +var msg6767 = msg("4320", dup276); + +var msg6768 = msg("4321", dup276); + +var msg6769 = msg("4322", dup276); + +var msg6770 = msg("4323", dup276); + +var msg6771 = msg("4324", dup276); + +var msg6772 = msg("4325", dup276); + +var msg6773 = msg("4326", dup276); + +var msg6774 = msg("4327", dup276); + +var msg6775 = msg("4328", dup276); + +var msg6776 = msg("4329", dup276); + +var msg6777 = msg("4330", dup276); + +var msg6778 = msg("4331", dup276); + +var msg6779 = msg("4332", dup276); + +var msg6780 = msg("4333", dup276); + +var msg6781 = msg("4334", dup276); + +var msg6782 = msg("4335", dup276); + +var msg6783 = msg("4336", dup276); + +var msg6784 = msg("4337", dup276); + +var msg6785 = msg("4338", dup276); + +var msg6786 = msg("4339", dup276); + +var msg6787 = msg("4340", dup276); + +var msg6788 = msg("4341", dup276); + +var msg6789 = msg("4342", dup276); + +var msg6790 = msg("4343", dup276); + +var msg6791 = msg("4344", dup276); + +var msg6792 = msg("4345", dup276); + +var msg6793 = msg("4346", dup276); + +var msg6794 = msg("4347", dup276); + +var msg6795 = msg("4348", dup276); + +var msg6796 = msg("4349", dup276); + +var msg6797 = msg("4350", dup276); + +var msg6798 = msg("4351", dup276); + +var msg6799 = msg("4352", dup276); + +var msg6800 = msg("4353", dup276); + +var msg6801 = msg("4354", dup276); + +var msg6802 = msg("4355", dup276); + +var msg6803 = msg("4356", dup276); + +var msg6804 = msg("4357", dup276); + +var msg6805 = msg("4358", dup276); + +var msg6806 = msg("4359", dup276); + +var msg6807 = msg("4360", dup276); + +var msg6808 = msg("4361", dup276); + +var msg6809 = msg("4362", dup276); + +var msg6810 = msg("4363", dup276); + +var msg6811 = msg("4364", dup276); + +var msg6812 = msg("4365", dup276); + +var msg6813 = msg("4366", dup276); + +var msg6814 = msg("4367", dup276); + +var msg6815 = msg("4368", dup276); + +var msg6816 = msg("4369", dup276); + +var msg6817 = msg("4370", dup276); + +var msg6818 = msg("4371", dup276); + +var msg6819 = msg("4372", dup276); + +var msg6820 = msg("4373", dup276); + +var msg6821 = msg("4374", dup276); + +var msg6822 = msg("4375", dup276); + +var msg6823 = msg("4376", dup276); + +var msg6824 = msg("4377", dup276); + +var msg6825 = msg("4378", dup276); + +var msg6826 = msg("4379", dup276); + +var msg6827 = msg("4380", dup276); + +var msg6828 = msg("4381", dup276); + +var msg6829 = msg("4382", dup276); + +var msg6830 = msg("4383", dup276); + +var msg6831 = msg("4384", dup276); + +var msg6832 = msg("4385", dup276); + +var msg6833 = msg("4386", dup276); + +var msg6834 = msg("4387", dup276); + +var msg6835 = msg("4388", dup276); + +var msg6836 = msg("4389", dup276); + +var msg6837 = msg("4390", dup276); + +var msg6838 = msg("4391", dup276); + +var msg6839 = msg("4392", dup276); + +var msg6840 = msg("4393", dup276); + +var msg6841 = msg("4394", dup276); + +var msg6842 = msg("4395", dup276); + +var msg6843 = msg("4396", dup276); + +var msg6844 = msg("4397", dup276); + +var msg6845 = msg("4398", dup276); + +var msg6846 = msg("4399", dup276); + +var msg6847 = msg("4400", dup276); + +var msg6848 = msg("4401", dup276); + +var msg6849 = msg("4402", dup276); + +var msg6850 = msg("4403", dup276); + +var msg6851 = msg("4404", dup276); + +var msg6852 = msg("4405", dup276); + +var msg6853 = msg("4406", dup276); + +var msg6854 = msg("4407", dup276); + +var msg6855 = msg("4408", dup276); + +var msg6856 = msg("4409", dup276); + +var msg6857 = msg("4410", dup276); + +var msg6858 = msg("4411", dup276); + +var msg6859 = msg("4412", dup276); + +var msg6860 = msg("4413", dup276); + +var msg6861 = msg("4414", dup276); + +var msg6862 = msg("4415", dup276); + +var msg6863 = msg("4416", dup276); + +var msg6864 = msg("4417", dup276); + +var msg6865 = msg("4418", dup276); + +var msg6866 = msg("4419", dup276); + +var msg6867 = msg("4420", dup276); + +var msg6868 = msg("4421", dup276); + +var msg6869 = msg("4422", dup276); + +var msg6870 = msg("4423", dup276); + +var msg6871 = msg("4424", dup276); + +var msg6872 = msg("4425", dup276); + +var msg6873 = msg("4426", dup276); + +var msg6874 = msg("4427", dup276); + +var msg6875 = msg("4428", dup276); + +var msg6876 = msg("4429", dup276); + +var msg6877 = msg("4430", dup276); + +var msg6878 = msg("4431", dup276); + +var msg6879 = msg("4432", dup276); + +var msg6880 = msg("4433", dup276); + +var msg6881 = msg("4434", dup276); + +var msg6882 = msg("4435", dup276); + +var msg6883 = msg("4436", dup276); + +var msg6884 = msg("4437", dup276); + +var msg6885 = msg("4438", dup276); + +var msg6886 = msg("4439", dup276); + +var msg6887 = msg("4440", dup276); + +var msg6888 = msg("4441", dup276); + +var msg6889 = msg("4442", dup276); + +var msg6890 = msg("4443", dup276); + +var msg6891 = msg("4444", dup276); + +var msg6892 = msg("4445", dup276); + +var msg6893 = msg("4446", dup276); + +var msg6894 = msg("4447", dup276); + +var msg6895 = msg("4448", dup276); + +var msg6896 = msg("4449", dup276); + +var msg6897 = msg("4450", dup276); + +var msg6898 = msg("4451", dup276); + +var msg6899 = msg("4452", dup276); + +var msg6900 = msg("4453", dup276); + +var msg6901 = msg("4454", dup276); + +var msg6902 = msg("4455", dup276); + +var msg6903 = msg("4456", dup276); + +var msg6904 = msg("4457", dup276); + +var msg6905 = msg("4458", dup276); + +var msg6906 = msg("4459", dup276); + +var msg6907 = msg("4460", dup276); + +var msg6908 = msg("4461", dup276); + +var msg6909 = msg("4462", dup276); + +var msg6910 = msg("4463", dup276); + +var msg6911 = msg("4464", dup276); + +var msg6912 = msg("4465", dup276); + +var msg6913 = msg("4466", dup276); + +var msg6914 = msg("4467", dup276); + +var msg6915 = msg("4468", dup276); + +var msg6916 = msg("4469", dup276); + +var msg6917 = msg("4470", dup276); + +var msg6918 = msg("4471", dup276); + +var msg6919 = msg("4472", dup276); + +var msg6920 = msg("4473", dup276); + +var msg6921 = msg("4474", dup276); + +var msg6922 = msg("4475", dup276); + +var msg6923 = msg("4476", dup276); + +var msg6924 = msg("4477", dup276); + +var msg6925 = msg("4478", dup276); + +var msg6926 = msg("4479", dup276); + +var msg6927 = msg("4480", dup276); + +var msg6928 = msg("4481", dup276); + +var msg6929 = msg("4482", dup276); + +var msg6930 = msg("4483", dup276); + +var msg6931 = msg("4484", dup276); + +var msg6932 = msg("4485", dup276); + +var msg6933 = msg("4486", dup276); + +var msg6934 = msg("4487", dup276); + +var msg6935 = msg("4488", dup276); + +var msg6936 = msg("4489", dup276); + +var msg6937 = msg("4490", dup276); + +var msg6938 = msg("4491", dup276); + +var msg6939 = msg("4492", dup276); + +var msg6940 = msg("4493", dup276); + +var msg6941 = msg("4494", dup276); + +var msg6942 = msg("4495", dup276); + +var msg6943 = msg("4496", dup276); + +var msg6944 = msg("4497", dup276); + +var msg6945 = msg("4498", dup276); + +var msg6946 = msg("4499", dup276); + +var msg6947 = msg("4500", dup276); + +var msg6948 = msg("4501", dup276); + +var msg6949 = msg("4502", dup276); + +var msg6950 = msg("4503", dup276); + +var msg6951 = msg("4504", dup276); + +var msg6952 = msg("4505", dup276); + +var msg6953 = msg("4506", dup276); + +var msg6954 = msg("4507", dup276); + +var msg6955 = msg("4508", dup276); + +var msg6956 = msg("4509", dup276); + +var msg6957 = msg("4510", dup276); + +var msg6958 = msg("4511", dup276); + +var msg6959 = msg("4512", dup276); + +var msg6960 = msg("4513", dup276); + +var msg6961 = msg("4514", dup276); + +var msg6962 = msg("4515", dup276); + +var msg6963 = msg("4516", dup276); + +var msg6964 = msg("4517", dup276); + +var msg6965 = msg("4518", dup276); + +var msg6966 = msg("4519", dup276); + +var msg6967 = msg("4520", dup276); + +var msg6968 = msg("4521", dup276); + +var msg6969 = msg("4522", dup276); + +var msg6970 = msg("4523", dup276); + +var msg6971 = msg("4524", dup276); + +var msg6972 = msg("4525", dup276); + +var msg6973 = msg("4526", dup276); + +var msg6974 = msg("4527", dup276); + +var msg6975 = msg("4528", dup276); + +var msg6976 = msg("4529", dup276); + +var msg6977 = msg("4530", dup276); + +var msg6978 = msg("4531", dup276); + +var msg6979 = msg("4532", dup276); + +var msg6980 = msg("4533", dup276); + +var msg6981 = msg("4534", dup276); + +var msg6982 = msg("4535", dup276); + +var msg6983 = msg("4536", dup276); + +var msg6984 = msg("4537", dup276); + +var msg6985 = msg("4538", dup276); + +var msg6986 = msg("4539", dup276); + +var msg6987 = msg("4540", dup276); + +var msg6988 = msg("4541", dup276); + +var msg6989 = msg("4542", dup276); + +var msg6990 = msg("4543", dup276); + +var msg6991 = msg("4544", dup276); + +var msg6992 = msg("4545", dup276); + +var msg6993 = msg("4546", dup276); + +var msg6994 = msg("4547", dup276); + +var msg6995 = msg("4548", dup276); + +var msg6996 = msg("4549", dup276); + +var msg6997 = msg("4550", dup276); + +var msg6998 = msg("4551", dup276); + +var msg6999 = msg("4552", dup276); + +var msg7000 = msg("4553", dup276); + +var msg7001 = msg("4554", dup276); + +var msg7002 = msg("4555", dup276); + +var msg7003 = msg("4556", dup276); + +var msg7004 = msg("4557", dup276); + +var msg7005 = msg("4558", dup276); + +var msg7006 = msg("4559", dup276); + +var msg7007 = msg("4560", dup276); + +var msg7008 = msg("4561", dup276); + +var msg7009 = msg("4562", dup276); + +var msg7010 = msg("4563", dup276); + +var msg7011 = msg("4564", dup276); + +var msg7012 = msg("4565", dup276); + +var msg7013 = msg("4566", dup276); + +var msg7014 = msg("4567", dup276); + +var msg7015 = msg("4568", dup276); + +var msg7016 = msg("4569", dup276); + +var msg7017 = msg("4570", dup276); + +var msg7018 = msg("4571", dup276); + +var msg7019 = msg("4572", dup276); + +var msg7020 = msg("4573", dup276); + +var msg7021 = msg("4574", dup276); + +var msg7022 = msg("4575", dup276); + +var msg7023 = msg("4576", dup276); + +var msg7024 = msg("4577", dup276); + +var msg7025 = msg("4578", dup276); + +var msg7026 = msg("4579", dup276); + +var msg7027 = msg("4580", dup276); + +var msg7028 = msg("4581", dup276); + +var msg7029 = msg("4582", dup276); + +var msg7030 = msg("4583", dup276); + +var msg7031 = msg("4584", dup276); + +var msg7032 = msg("4585", dup276); + +var msg7033 = msg("4586", dup276); + +var msg7034 = msg("4587", dup276); + +var msg7035 = msg("4588", dup276); + +var msg7036 = msg("4589", dup276); + +var msg7037 = msg("4590", dup276); + +var msg7038 = msg("4591", dup276); + +var msg7039 = msg("4592", dup276); + +var msg7040 = msg("4593", dup276); + +var msg7041 = msg("4594", dup276); + +var msg7042 = msg("4595", dup276); + +var msg7043 = msg("4596", dup276); + +var msg7044 = msg("4597", dup276); + +var msg7045 = msg("4598", dup276); + +var msg7046 = msg("4599", dup276); + +var msg7047 = msg("4600", dup276); + +var msg7048 = msg("4601", dup276); + +var msg7049 = msg("4602", dup276); + +var msg7050 = msg("4603", dup276); + +var msg7051 = msg("4604", dup276); + +var msg7052 = msg("4605", dup276); + +var msg7053 = msg("4606", dup276); + +var msg7054 = msg("4607", dup276); + +var msg7055 = msg("4608", dup276); + +var msg7056 = msg("4609", dup276); + +var msg7057 = msg("4610", dup276); + +var msg7058 = msg("4611", dup276); + +var msg7059 = msg("4612", dup276); + +var msg7060 = msg("4613", dup276); + +var msg7061 = msg("4614", dup276); + +var msg7062 = msg("4615", dup276); + +var msg7063 = msg("4616", dup276); + +var msg7064 = msg("4617", dup276); + +var msg7065 = msg("4618", dup276); + +var msg7066 = msg("4619", dup276); + +var msg7067 = msg("4620", dup276); + +var msg7068 = msg("4621", dup276); + +var msg7069 = msg("4622", dup276); + +var msg7070 = msg("4623", dup276); + +var msg7071 = msg("4624", dup276); + +var msg7072 = msg("4625", dup276); + +var msg7073 = msg("4626", dup276); + +var msg7074 = msg("4627", dup276); + +var msg7075 = msg("4628", dup276); + +var msg7076 = msg("4629", dup276); + +var msg7077 = msg("4630", dup276); + +var msg7078 = msg("4631", dup276); + +var msg7079 = msg("4632", dup276); + +var msg7080 = msg("4633", dup276); + +var msg7081 = msg("4634", dup276); + +var msg7082 = msg("4635", dup276); + +var msg7083 = msg("4636", dup276); + +var msg7084 = msg("4637", dup267); + +var msg7085 = msg("4638", dup198); + +var msg7086 = msg("4639", dup222); + +var msg7087 = msg("4640", dup222); + +var msg7088 = msg("4641", dup222); + +var msg7089 = msg("4642", dup222); + +var msg7090 = msg("4643", dup267); + +var msg7091 = msg("4644", dup267); + +var msg7092 = msg("4645", dup196); + +var msg7093 = msg("4646", dup196); + +var msg7094 = msg("4647", dup201); + +var msg7095 = msg("4648", dup265); + +var msg7096 = msg("4649", dup260); + +var msg7097 = msg("4650", dup265); + +var msg7098 = msg("4651", dup276); + +var msg7099 = msg("4652", dup276); + +var msg7100 = msg("4653", dup276); + +var msg7101 = msg("4654", dup276); + +var msg7102 = msg("4655", dup276); + +var msg7103 = msg("4656", dup276); + +var msg7104 = msg("4657", dup276); + +var msg7105 = msg("4658", dup276); + +var msg7106 = msg("4659", dup276); + +var msg7107 = msg("4660", dup276); + +var msg7108 = msg("4661", dup276); + +var msg7109 = msg("4662", dup276); + +var msg7110 = msg("4663", dup276); + +var msg7111 = msg("4664", dup276); + +var msg7112 = msg("4665", dup276); + +var msg7113 = msg("4666", dup276); + +var msg7114 = msg("4667", dup276); + +var msg7115 = msg("4668", dup276); + +var msg7116 = msg("4669", dup276); + +var msg7117 = msg("4670", dup276); + +var msg7118 = msg("4671", dup276); + +var msg7119 = msg("4672", dup276); + +var msg7120 = msg("4673", dup276); + +var msg7121 = msg("4674", dup276); + +var msg7122 = msg("4675", dup267); + +var msg7123 = msg("4676", dup222); + +var msg7124 = msg("4677", dup222); + +var msg7125 = msg("4678", dup196); + +var msg7126 = msg("4679", dup267); + +var msg7127 = msg("4680", dup267); + +var msg7128 = msg("4681", dup265); + +var msg7129 = msg("4682", dup276); + +var msg7130 = msg("4683", dup276); + +var msg7131 = msg("4684", dup276); + +var msg7132 = msg("4685", dup276); + +var msg7133 = msg("4686", dup276); + +var msg7134 = msg("4687", dup276); + +var msg7135 = msg("4688", dup276); + +var msg7136 = msg("4689", dup276); + +var msg7137 = msg("4690", dup276); + +var msg7138 = msg("4691", dup276); + +var msg7139 = msg("4692", dup276); + +var msg7140 = msg("4693", dup276); + +var msg7141 = msg("4694", dup276); + +var msg7142 = msg("4695", dup276); + +var msg7143 = msg("4696", dup276); + +var msg7144 = msg("4697", dup276); + +var msg7145 = msg("4698", dup276); + +var msg7146 = msg("4699", dup276); + +var msg7147 = msg("4700", dup276); + +var msg7148 = msg("4701", dup276); + +var msg7149 = msg("4702", dup276); + +var msg7150 = msg("4703", dup276); + +var msg7151 = msg("4704", dup276); + +var msg7152 = msg("4705", dup276); + +var msg7153 = msg("4706", dup276); + +var msg7154 = msg("4707", dup276); + +var msg7155 = msg("4708", dup276); + +var msg7156 = msg("4709", dup276); + +var msg7157 = msg("4710", dup276); + +var msg7158 = msg("4711", dup276); + +var msg7159 = msg("4712", dup276); + +var msg7160 = msg("4713", dup276); + +var msg7161 = msg("4714", dup276); + +var msg7162 = msg("4715", dup276); + +var msg7163 = msg("4716", dup276); + +var msg7164 = msg("4717", dup276); + +var msg7165 = msg("4718", dup276); + +var msg7166 = msg("4719", dup276); + +var msg7167 = msg("4720", dup276); + +var msg7168 = msg("4721", dup276); + +var msg7169 = msg("4722", dup276); + +var msg7170 = msg("4723", dup276); + +var msg7171 = msg("4724", dup276); + +var msg7172 = msg("4725", dup276); + +var msg7173 = msg("4726", dup276); + +var msg7174 = msg("4727", dup276); + +var msg7175 = msg("4728", dup276); + +var msg7176 = msg("4729", dup276); + +var msg7177 = msg("4730", dup276); + +var msg7178 = msg("4731", dup276); + +var msg7179 = msg("4732", dup276); + +var msg7180 = msg("4733", dup276); + +var msg7181 = msg("4734", dup276); + +var msg7182 = msg("4735", dup276); + +var msg7183 = msg("4736", dup276); + +var msg7184 = msg("4737", dup276); + +var msg7185 = msg("4738", dup276); + +var msg7186 = msg("4739", dup276); + +var msg7187 = msg("4740", dup276); + +var msg7188 = msg("4741", dup276); + +var msg7189 = msg("4742", dup276); + +var msg7190 = msg("4743", dup276); + +var msg7191 = msg("4744", dup276); + +var msg7192 = msg("4745", dup276); + +var msg7193 = msg("4746", dup276); + +var msg7194 = msg("4747", dup276); + +var msg7195 = msg("4748", dup276); + +var msg7196 = msg("4749", dup276); + +var msg7197 = msg("4750", dup276); + +var msg7198 = msg("4751", dup276); + +var msg7199 = msg("4752", dup276); + +var msg7200 = msg("4753", dup276); + +var msg7201 = msg("4754", dup201); + +var msg7202 = msg("4755", dup201); + +var msg7203 = msg("4756", dup201); + +var msg7204 = msg("4757", dup201); + +var msg7205 = msg("4758", dup276); + +var msg7206 = msg("4759", dup276); + +var msg7207 = msg("4760", dup276); + +var msg7208 = msg("4761", dup276); + +var msg7209 = msg("4762", dup276); + +var msg7210 = msg("4763", dup276); + +var msg7211 = msg("4764", dup276); + +var msg7212 = msg("4765", dup276); + +var msg7213 = msg("4766", dup276); + +var msg7214 = msg("4767", dup276); + +var msg7215 = msg("4768", dup276); + +var msg7216 = msg("4769", dup276); + +var msg7217 = msg("4770", dup276); + +var msg7218 = msg("4771", dup276); + +var msg7219 = msg("4772", dup276); + +var msg7220 = msg("4773", dup276); + +var msg7221 = msg("4774", dup276); + +var msg7222 = msg("4775", dup276); + +var msg7223 = msg("4776", dup276); + +var msg7224 = msg("4777", dup276); + +var msg7225 = msg("4778", dup276); + +var msg7226 = msg("4779", dup276); + +var msg7227 = msg("4780", dup276); + +var msg7228 = msg("4781", dup276); + +var msg7229 = msg("4782", dup276); + +var msg7230 = msg("4783", dup276); + +var msg7231 = msg("4784", dup276); + +var msg7232 = msg("4785", dup276); + +var msg7233 = msg("4786", dup276); + +var msg7234 = msg("4787", dup276); + +var msg7235 = msg("4788", dup276); + +var msg7236 = msg("4789", dup276); + +var msg7237 = msg("4790", dup276); + +var msg7238 = msg("4791", dup276); + +var msg7239 = msg("4792", dup276); + +var msg7240 = msg("4793", dup276); + +var msg7241 = msg("4794", dup276); + +var msg7242 = msg("4795", dup276); + +var msg7243 = msg("4796", dup276); + +var msg7244 = msg("4797", dup276); + +var msg7245 = msg("4798", dup276); + +var msg7246 = msg("4799", dup276); + +var msg7247 = msg("4800", dup276); + +var msg7248 = msg("4801", dup276); + +var msg7249 = msg("4802", dup276); + +var msg7250 = msg("4803", dup276); + +var msg7251 = msg("4804", dup276); + +var msg7252 = msg("4805", dup276); + +var msg7253 = msg("4806", dup276); + +var msg7254 = msg("4807", dup276); + +var msg7255 = msg("4808", dup276); + +var msg7256 = msg("4809", dup276); + +var msg7257 = msg("4810", dup276); + +var msg7258 = msg("4811", dup276); + +var msg7259 = msg("4812", dup276); + +var msg7260 = msg("4813", dup276); + +var msg7261 = msg("4814", dup276); + +var msg7262 = msg("4815", dup276); + +var msg7263 = msg("4816", dup276); + +var msg7264 = msg("4817", dup276); + +var msg7265 = msg("4818", dup276); + +var msg7266 = msg("4819", dup276); + +var msg7267 = msg("4820", dup276); + +var msg7268 = msg("4821", dup276); + +var msg7269 = msg("4822", dup201); + +var msg7270 = msg("4823", dup201); + +var msg7271 = msg("4824", dup201); + +var msg7272 = msg("4825", dup201); + +var msg7273 = msg("4826", dup276); + +var msg7274 = msg("4827", dup276); + +var msg7275 = msg("4828", dup276); + +var msg7276 = msg("4829", dup276); + +var msg7277 = msg("4830", dup276); + +var msg7278 = msg("4831", dup276); + +var msg7279 = msg("4832", dup276); + +var msg7280 = msg("4833", dup276); + +var msg7281 = msg("4834", dup276); + +var msg7282 = msg("4835", dup276); + +var msg7283 = msg("4836", dup276); + +var msg7284 = msg("4837", dup276); + +var msg7285 = msg("4838", dup276); + +var msg7286 = msg("4839", dup276); + +var msg7287 = msg("4840", dup276); + +var msg7288 = msg("4841", dup276); + +var msg7289 = msg("4842", dup276); + +var msg7290 = msg("4843", dup276); + +var msg7291 = msg("4844", dup276); + +var msg7292 = msg("4845", dup276); + +var msg7293 = msg("4846", dup276); + +var msg7294 = msg("4847", dup276); + +var msg7295 = msg("4848", dup276); + +var msg7296 = msg("4849", dup276); + +var msg7297 = msg("4850", dup276); + +var msg7298 = msg("4851", dup276); + +var msg7299 = msg("4852", dup276); + +var msg7300 = msg("4853", dup276); + +var msg7301 = msg("4854", dup276); + +var msg7302 = msg("4855", dup276); + +var msg7303 = msg("4856", dup276); + +var msg7304 = msg("4857", dup276); + +var msg7305 = msg("4858", dup276); + +var msg7306 = msg("4859", dup276); + +var msg7307 = msg("4860", dup276); + +var msg7308 = msg("4861", dup276); + +var msg7309 = msg("4862", dup276); + +var msg7310 = msg("4863", dup276); + +var msg7311 = msg("4864", dup276); + +var msg7312 = msg("4865", dup276); + +var msg7313 = msg("4866", dup276); + +var msg7314 = msg("4867", dup276); + +var msg7315 = msg("4868", dup276); + +var msg7316 = msg("4869", dup276); + +var msg7317 = msg("4870", dup276); + +var msg7318 = msg("4871", dup276); + +var msg7319 = msg("4872", dup276); + +var msg7320 = msg("4873", dup276); + +var msg7321 = msg("4874", dup276); + +var msg7322 = msg("4875", dup276); + +var msg7323 = msg("4876", dup276); + +var msg7324 = msg("4877", dup276); + +var msg7325 = msg("4878", dup276); + +var msg7326 = msg("4879", dup276); + +var msg7327 = msg("4880", dup276); + +var msg7328 = msg("4881", dup276); + +var msg7329 = msg("4882", dup276); + +var msg7330 = msg("4883", dup276); + +var msg7331 = msg("4884", dup276); + +var msg7332 = msg("4885", dup276); + +var msg7333 = msg("4886", dup276); + +var msg7334 = msg("4887", dup276); + +var msg7335 = msg("4888", dup276); + +var msg7336 = msg("4889", dup276); + +var msg7337 = msg("4890", dup265); + +var msg7338 = msg("4891", dup265); + +var msg7339 = msg("4892", dup265); + +var msg7340 = msg("4893", dup265); + +var msg7341 = msg("4894", dup265); + +var msg7342 = msg("4895", dup265); + +var msg7343 = msg("4896", dup265); + +var msg7344 = msg("4897", dup265); + +var msg7345 = msg("4898", dup265); + +var msg7346 = msg("4899", dup265); + +var msg7347 = msg("4900", dup265); + +var msg7348 = msg("4901", dup265); + +var msg7349 = msg("4902", dup265); + +var msg7350 = msg("4903", dup265); + +var msg7351 = msg("4904", dup265); + +var msg7352 = msg("4905", dup265); + +var msg7353 = msg("4906", dup265); + +var msg7354 = msg("4907", dup265); + +var msg7355 = msg("4908", dup265); + +var msg7356 = msg("4909", dup265); + +var msg7357 = msg("4910", dup265); + +var msg7358 = msg("4911", dup265); + +var msg7359 = msg("4912", dup265); + +var msg7360 = msg("4913", dup265); + +var msg7361 = msg("4914", dup265); + +var msg7362 = msg("4915", dup265); + +var msg7363 = msg("4916", dup201); + +var msg7364 = msg("4917", dup201); + +var msg7365 = msg("4918", dup198); + +var msg7366 = msg("4919", dup198); + +var msg7367 = msg("4920", dup198); + +var msg7368 = msg("4921", dup198); + +var msg7369 = msg("4922", dup198); + +var msg7370 = msg("4923", dup198); + +var msg7371 = msg("4924", dup198); + +var msg7372 = msg("4925", dup198); + +var msg7373 = msg("4926", dup198); + +var msg7374 = msg("4927", dup198); + +var msg7375 = msg("4928", dup198); + +var msg7376 = msg("4929", dup198); + +var msg7377 = msg("4930", dup198); + +var msg7378 = msg("4931", dup198); + +var msg7379 = msg("4932", dup198); + +var msg7380 = msg("4933", dup198); + +var msg7381 = msg("4934", dup198); + +var msg7382 = msg("4935", dup198); + +var msg7383 = msg("4936", dup198); + +var msg7384 = msg("4937", dup198); + +var msg7385 = msg("4938", dup198); + +var msg7386 = msg("4939", dup198); + +var msg7387 = msg("4940", dup198); + +var msg7388 = msg("4941", dup198); + +var msg7389 = msg("4942", dup198); + +var msg7390 = msg("4943", dup198); + +var msg7391 = msg("4944", dup198); + +var msg7392 = msg("4945", dup198); + +var msg7393 = msg("4946", dup198); + +var msg7394 = msg("4947", dup198); + +var msg7395 = msg("4948", dup198); + +var msg7396 = msg("4949", dup198); + +var msg7397 = msg("4950", dup198); + +var msg7398 = msg("4951", dup198); + +var msg7399 = msg("4952", dup198); + +var msg7400 = msg("4953", dup198); + +var msg7401 = msg("4954", dup198); + +var msg7402 = msg("4955", dup198); + +var msg7403 = msg("4956", dup198); + +var msg7404 = msg("4957", dup198); + +var msg7405 = msg("4958", dup198); + +var msg7406 = msg("4959", dup198); + +var msg7407 = msg("4960", dup198); + +var msg7408 = msg("4961", dup198); + +var msg7409 = msg("4962", dup198); + +var msg7410 = msg("4963", dup198); + +var msg7411 = msg("4964", dup198); + +var msg7412 = msg("4965", dup198); + +var msg7413 = msg("4966", dup198); + +var msg7414 = msg("4967", dup198); + +var msg7415 = msg("4968", dup198); + +var msg7416 = msg("4969", dup198); + +var msg7417 = msg("4970", dup198); + +var msg7418 = msg("4971", dup198); + +var msg7419 = msg("4972", dup198); + +var msg7420 = msg("4973", dup198); + +var msg7421 = msg("4974", dup198); + +var msg7422 = msg("4975", dup198); + +var msg7423 = msg("4976", dup198); + +var msg7424 = msg("4977", dup198); + +var msg7425 = msg("4978", dup198); + +var msg7426 = msg("4979", dup198); + +var msg7427 = msg("4980", dup198); + +var msg7428 = msg("4981", dup198); + +var msg7429 = msg("4982", dup265); + +var msg7430 = msg("4983", dup265); + +var msg7431 = msg("4984", dup236); + +var msg7432 = msg("4985", dup267); + +var msg7433 = msg("4986", dup267); + +var msg7434 = msg("4987", dup267); + +var msg7435 = msg("4988", dup265); + +var msg7436 = msg("4989", dup260); + +var msg7437 = msg("4990", dup260); + +var msg7438 = msg("4991", dup276); + +var msg7439 = msg("4992", dup276); + +var msg7440 = msg("4993", dup276); + +var msg7441 = msg("4994", dup276); + +var msg7442 = msg("4995", dup276); + +var msg7443 = msg("4996", dup276); + +var msg7444 = msg("4997", dup276); + +var msg7445 = msg("4998", dup276); + +var msg7446 = msg("4999", dup276); + +var msg7447 = msg("5000", dup276); + +var msg7448 = msg("5001", dup276); + +var msg7449 = msg("5002", dup276); + +var msg7450 = msg("5003", dup276); + +var msg7451 = msg("5004", dup276); + +var msg7452 = msg("5005", dup276); + +var msg7453 = msg("5006", dup276); + +var msg7454 = msg("5007", dup276); + +var msg7455 = msg("5008", dup276); + +var msg7456 = msg("5009", dup276); + +var msg7457 = msg("5010", dup276); + +var msg7458 = msg("5011", dup276); + +var msg7459 = msg("5012", dup276); + +var msg7460 = msg("5013", dup276); + +var msg7461 = msg("5014", dup276); + +var msg7462 = msg("5015", dup276); + +var msg7463 = msg("5016", dup276); + +var msg7464 = msg("5017", dup276); + +var msg7465 = msg("5018", dup276); + +var msg7466 = msg("5019", dup276); + +var msg7467 = msg("5020", dup276); + +var msg7468 = msg("5021", dup276); + +var msg7469 = msg("5022", dup276); + +var msg7470 = msg("5023", dup276); + +var msg7471 = msg("5024", dup276); + +var msg7472 = msg("5025", dup276); + +var msg7473 = msg("5026", dup276); + +var msg7474 = msg("5027", dup276); + +var msg7475 = msg("5028", dup276); + +var msg7476 = msg("5029", dup276); + +var msg7477 = msg("5030", dup276); + +var msg7478 = msg("5031", dup276); + +var msg7479 = msg("5032", dup276); + +var msg7480 = msg("5033", dup276); + +var msg7481 = msg("5034", dup276); + +var msg7482 = msg("5035", dup276); + +var msg7483 = msg("5036", dup276); + +var msg7484 = msg("5037", dup276); + +var msg7485 = msg("5038", dup276); + +var msg7486 = msg("5039", dup276); + +var msg7487 = msg("5040", dup276); + +var msg7488 = msg("5041", dup276); + +var msg7489 = msg("5042", dup276); + +var msg7490 = msg("5043", dup276); + +var msg7491 = msg("5044", dup276); + +var msg7492 = msg("5045", dup276); + +var msg7493 = msg("5046", dup276); + +var msg7494 = msg("5047", dup276); + +var msg7495 = msg("5048", dup276); + +var msg7496 = msg("5049", dup276); + +var msg7497 = msg("5050", dup276); + +var msg7498 = msg("5051", dup276); + +var msg7499 = msg("5052", dup276); + +var msg7500 = msg("5053", dup276); + +var msg7501 = msg("5054", dup276); + +var msg7502 = msg("5055", dup276); + +var msg7503 = msg("5056", dup276); + +var msg7504 = msg("5057", dup276); + +var msg7505 = msg("5058", dup276); + +var msg7506 = msg("5059", dup276); + +var msg7507 = msg("5060", dup276); + +var msg7508 = msg("5061", dup276); + +var msg7509 = msg("5062", dup276); + +var msg7510 = msg("5063", dup276); + +var msg7511 = msg("5064", dup276); + +var msg7512 = msg("5065", dup276); + +var msg7513 = msg("5066", dup276); + +var msg7514 = msg("5067", dup276); + +var msg7515 = msg("5068", dup276); + +var msg7516 = msg("5069", dup276); + +var msg7517 = msg("5070", dup276); + +var msg7518 = msg("5071", dup276); + +var msg7519 = msg("5072", dup276); + +var msg7520 = msg("5073", dup276); + +var msg7521 = msg("5074", dup276); + +var msg7522 = msg("5075", dup276); + +var msg7523 = msg("5076", dup276); + +var msg7524 = msg("5077", dup276); + +var msg7525 = msg("5078", dup276); + +var msg7526 = msg("5079", dup276); + +var msg7527 = msg("5080", dup276); + +var msg7528 = msg("5081", dup276); + +var msg7529 = msg("5082", dup276); + +var msg7530 = msg("5083", dup276); + +var msg7531 = msg("5084", dup276); + +var msg7532 = msg("5085", dup276); + +var msg7533 = msg("5086", dup276); + +var msg7534 = msg("5087", dup276); + +var msg7535 = msg("5088", dup276); + +var msg7536 = msg("5089", dup276); + +var msg7537 = msg("5090", dup276); + +var msg7538 = msg("5091", dup276); + +var msg7539 = msg("5092", dup276); + +var msg7540 = msg("5093", dup276); + +var msg7541 = msg("5094", dup276); + +var msg7542 = msg("5095", dup276); + +var msg7543 = msg("5096", dup276); + +var msg7544 = msg("5097", dup276); + +var msg7545 = msg("5098", dup276); + +var msg7546 = msg("5099", dup276); + +var msg7547 = msg("5100", dup276); + +var msg7548 = msg("5101", dup276); + +var msg7549 = msg("5102", dup276); + +var msg7550 = msg("5103", dup276); + +var msg7551 = msg("5104", dup276); + +var msg7552 = msg("5105", dup276); + +var msg7553 = msg("5106", dup276); + +var msg7554 = msg("5107", dup276); + +var msg7555 = msg("5108", dup276); + +var msg7556 = msg("5109", dup276); + +var msg7557 = msg("5110", dup276); + +var msg7558 = msg("5111", dup276); + +var msg7559 = msg("5112", dup276); + +var msg7560 = msg("5113", dup276); + +var msg7561 = msg("5114", dup276); + +var msg7562 = msg("5115", dup276); + +var msg7563 = msg("5116", dup276); + +var msg7564 = msg("5117", dup276); + +var msg7565 = msg("5118", dup276); + +var msg7566 = msg("5119", dup276); + +var msg7567 = msg("5120", dup276); + +var msg7568 = msg("5121", dup276); + +var msg7569 = msg("5122", dup276); + +var msg7570 = msg("5123", dup276); + +var msg7571 = msg("5124", dup276); + +var msg7572 = msg("5125", dup276); + +var msg7573 = msg("5126", dup276); + +var msg7574 = msg("5127", dup276); + +var msg7575 = msg("5128", dup276); + +var msg7576 = msg("5129", dup276); + +var msg7577 = msg("5130", dup276); + +var msg7578 = msg("5131", dup276); + +var msg7579 = msg("5132", dup276); + +var msg7580 = msg("5133", dup276); + +var msg7581 = msg("5134", dup276); + +var msg7582 = msg("5135", dup276); + +var msg7583 = msg("5136", dup276); + +var msg7584 = msg("5137", dup276); + +var msg7585 = msg("5138", dup276); + +var msg7586 = msg("5139", dup276); + +var msg7587 = msg("5140", dup276); + +var msg7588 = msg("5141", dup276); + +var msg7589 = msg("5142", dup276); + +var msg7590 = msg("5143", dup276); + +var msg7591 = msg("5144", dup276); + +var msg7592 = msg("5145", dup276); + +var msg7593 = msg("5146", dup276); + +var msg7594 = msg("5147", dup276); + +var msg7595 = msg("5148", dup276); + +var msg7596 = msg("5149", dup276); + +var msg7597 = msg("5150", dup276); + +var msg7598 = msg("5151", dup276); + +var msg7599 = msg("5152", dup276); + +var msg7600 = msg("5153", dup276); + +var msg7601 = msg("5154", dup276); + +var msg7602 = msg("5155", dup276); + +var msg7603 = msg("5156", dup276); + +var msg7604 = msg("5157", dup276); + +var msg7605 = msg("5158", dup276); + +var msg7606 = msg("5159", dup276); + +var msg7607 = msg("5160", dup276); + +var msg7608 = msg("5161", dup276); + +var msg7609 = msg("5162", dup276); + +var msg7610 = msg("5163", dup276); + +var msg7611 = msg("5164", dup276); + +var msg7612 = msg("5165", dup276); + +var msg7613 = msg("5166", dup276); + +var msg7614 = msg("5167", dup276); + +var msg7615 = msg("5168", dup276); + +var msg7616 = msg("5169", dup276); + +var msg7617 = msg("5170", dup276); + +var msg7618 = msg("5171", dup276); + +var msg7619 = msg("5172", dup276); + +var msg7620 = msg("5173", dup276); + +var msg7621 = msg("5174", dup276); + +var msg7622 = msg("5175", dup276); + +var msg7623 = msg("5176", dup276); + +var msg7624 = msg("5177", dup276); + +var msg7625 = msg("5178", dup276); + +var msg7626 = msg("5179", dup276); + +var msg7627 = msg("5180", dup276); + +var msg7628 = msg("5181", dup276); + +var msg7629 = msg("5182", dup276); + +var msg7630 = msg("5183", dup276); + +var msg7631 = msg("5184", dup276); + +var msg7632 = msg("5185", dup276); + +var msg7633 = msg("5186", dup276); + +var msg7634 = msg("5187", dup276); + +var msg7635 = msg("5188", dup276); + +var msg7636 = msg("5189", dup276); + +var msg7637 = msg("5190", dup276); + +var msg7638 = msg("5191", dup276); + +var msg7639 = msg("5192", dup276); + +var msg7640 = msg("5193", dup276); + +var msg7641 = msg("5194", dup276); + +var msg7642 = msg("5195", dup276); + +var msg7643 = msg("5196", dup276); + +var msg7644 = msg("5197", dup276); + +var msg7645 = msg("5198", dup276); + +var msg7646 = msg("5199", dup276); + +var msg7647 = msg("5200", dup276); + +var msg7648 = msg("5201", dup276); + +var msg7649 = msg("5202", dup276); + +var msg7650 = msg("5203", dup276); + +var msg7651 = msg("5204", dup276); + +var msg7652 = msg("5205", dup276); + +var msg7653 = msg("5206", dup276); + +var msg7654 = msg("5207", dup276); + +var msg7655 = msg("5208", dup276); + +var msg7656 = msg("5209", dup276); + +var msg7657 = msg("5210", dup276); + +var msg7658 = msg("5211", dup276); + +var msg7659 = msg("5212", dup276); + +var msg7660 = msg("5213", dup276); + +var msg7661 = msg("5214", dup276); + +var msg7662 = msg("5215", dup276); + +var msg7663 = msg("5216", dup276); + +var msg7664 = msg("5217", dup276); + +var msg7665 = msg("5218", dup276); + +var msg7666 = msg("5219", dup276); + +var msg7667 = msg("5220", dup276); + +var msg7668 = msg("5221", dup276); + +var msg7669 = msg("5222", dup276); + +var msg7670 = msg("5223", dup276); + +var msg7671 = msg("5224", dup276); + +var msg7672 = msg("5225", dup276); + +var msg7673 = msg("5226", dup276); + +var msg7674 = msg("5227", dup276); + +var msg7675 = msg("5228", dup276); + +var msg7676 = msg("5229", dup276); + +var msg7677 = msg("5230", dup276); + +var msg7678 = msg("5231", dup276); + +var msg7679 = msg("5232", dup276); + +var msg7680 = msg("5233", dup276); + +var msg7681 = msg("5234", dup276); + +var msg7682 = msg("5235", dup276); + +var msg7683 = msg("5236", dup276); + +var msg7684 = msg("5237", dup276); + +var msg7685 = msg("5238", dup276); + +var msg7686 = msg("5239", dup276); + +var msg7687 = msg("5240", dup276); + +var msg7688 = msg("5241", dup276); + +var msg7689 = msg("5242", dup276); + +var msg7690 = msg("5243", dup276); + +var msg7691 = msg("5244", dup276); + +var msg7692 = msg("5245", dup276); + +var msg7693 = msg("5246", dup276); + +var msg7694 = msg("5247", dup276); + +var msg7695 = msg("5248", dup276); + +var msg7696 = msg("5249", dup276); + +var msg7697 = msg("5250", dup276); + +var msg7698 = msg("5251", dup276); + +var msg7699 = msg("5252", dup276); + +var msg7700 = msg("5253", dup276); + +var msg7701 = msg("5254", dup276); + +var msg7702 = msg("5255", dup276); + +var msg7703 = msg("5256", dup276); + +var msg7704 = msg("5257", dup276); + +var msg7705 = msg("5258", dup276); + +var msg7706 = msg("5259", dup276); + +var msg7707 = msg("5260", dup276); + +var msg7708 = msg("5261", dup276); + +var msg7709 = msg("5262", dup276); + +var msg7710 = msg("5263", dup276); + +var msg7711 = msg("5264", dup276); + +var msg7712 = msg("5265", dup276); + +var msg7713 = msg("5266", dup276); + +var msg7714 = msg("5267", dup276); + +var msg7715 = msg("5268", dup276); + +var msg7716 = msg("5269", dup276); + +var msg7717 = msg("5270", dup276); + +var msg7718 = msg("5271", dup276); + +var msg7719 = msg("5272", dup276); + +var msg7720 = msg("5273", dup276); + +var msg7721 = msg("5274", dup276); + +var msg7722 = msg("5275", dup276); + +var msg7723 = msg("5276", dup276); + +var msg7724 = msg("5277", dup276); + +var msg7725 = msg("5278", dup276); + +var msg7726 = msg("5279", dup276); + +var msg7727 = msg("5280", dup276); + +var msg7728 = msg("5281", dup276); + +var msg7729 = msg("5282", dup276); + +var msg7730 = msg("5283", dup276); + +var msg7731 = msg("5284", dup276); + +var msg7732 = msg("5285", dup276); + +var msg7733 = msg("5286", dup276); + +var msg7734 = msg("5287", dup276); + +var msg7735 = msg("5288", dup276); + +var msg7736 = msg("5289", dup276); + +var msg7737 = msg("5290", dup276); + +var msg7738 = msg("5291", dup276); + +var msg7739 = msg("5292", dup276); + +var msg7740 = msg("5293", dup276); + +var msg7741 = msg("5294", dup276); + +var msg7742 = msg("5295", dup276); + +var msg7743 = msg("5296", dup276); + +var msg7744 = msg("5297", dup276); + +var msg7745 = msg("5298", dup276); + +var msg7746 = msg("5299", dup276); + +var msg7747 = msg("5300", dup276); + +var msg7748 = msg("5301", dup201); + +var msg7749 = msg("5302", dup276); + +var msg7750 = msg("5303", dup201); + +var msg7751 = msg("5304", dup201); + +var msg7752 = msg("5305", dup276); + +var msg7753 = msg("5306", dup201); + +var msg7754 = msg("5307", dup276); + +var msg7755 = msg("5308", dup276); + +var msg7756 = msg("5309", dup201); + +var msg7757 = msg("5310", dup276); + +var msg7758 = msg("5311", dup201); + +var msg7759 = msg("5312", dup201); + +var msg7760 = msg("5313", dup276); + +var msg7761 = msg("5314", dup201); + +var msg7762 = msg("5315", dup276); + +var msg7763 = msg("5316", dup222); + +var msg7764 = msg("5317", dup222); + +var msg7765 = msg("5318", dup269); + +var msg7766 = msg("5319", dup269); + +var msg7767 = msg("5320", dup263); + +var msg7768 = msg("5321", dup263); + +var msg7769 = msg("5322", dup263); + +var msg7770 = msg("5323", dup263); + +var msg7771 = msg("5324", dup263); + +var msg7772 = msg("5325", dup201); + +var msg7773 = msg("5326", dup201); + +var msg7774 = msg("5327", dup201); + +var msg7775 = msg("5328", dup201); + +var msg7776 = msg("5329", dup201); + +var msg7777 = msg("5330", dup201); + +var msg7778 = msg("5331", dup201); + +var msg7779 = msg("5332", dup201); + +var msg7780 = msg("5333", dup276); + +var msg7781 = msg("5334", dup276); + +var msg7782 = msg("5335", dup276); + +var msg7783 = msg("5336", dup276); + +var msg7784 = msg("5337", dup276); + +var msg7785 = msg("5338", dup276); + +var msg7786 = msg("5339", dup276); + +var msg7787 = msg("5340", dup276); + +var msg7788 = msg("5341", dup276); + +var msg7789 = msg("5342", dup276); + +var msg7790 = msg("5343", dup276); + +var msg7791 = msg("5344", dup276); + +var msg7792 = msg("5345", dup276); + +var msg7793 = msg("5346", dup276); + +var msg7794 = msg("5347", dup276); + +var msg7795 = msg("5348", dup276); + +var msg7796 = msg("5349", dup276); + +var msg7797 = msg("5350", dup276); + +var msg7798 = msg("5351", dup276); + +var msg7799 = msg("5352", dup276); + +var msg7800 = msg("5353", dup276); + +var msg7801 = msg("5354", dup276); + +var msg7802 = msg("5355", dup276); + +var msg7803 = msg("5356", dup276); + +var msg7804 = msg("5357", dup276); + +var msg7805 = msg("5358", dup276); + +var msg7806 = msg("5359", dup276); + +var msg7807 = msg("5360", dup276); + +var msg7808 = msg("5361", dup276); + +var msg7809 = msg("5362", dup276); + +var msg7810 = msg("5363", dup276); + +var msg7811 = msg("5364", dup276); + +var msg7812 = msg("5365", dup276); + +var msg7813 = msg("5366", dup276); + +var msg7814 = msg("5367", dup276); + +var msg7815 = msg("5368", dup276); + +var msg7816 = msg("5369", dup276); + +var msg7817 = msg("5370", dup276); + +var msg7818 = msg("5371", dup276); + +var msg7819 = msg("5372", dup276); + +var msg7820 = msg("5373", dup276); + +var msg7821 = msg("5374", dup276); + +var msg7822 = msg("5375", dup276); + +var msg7823 = msg("5376", dup276); + +var msg7824 = msg("5377", dup276); + +var msg7825 = msg("5378", dup276); + +var msg7826 = msg("5379", dup276); + +var msg7827 = msg("5380", dup276); + +var msg7828 = msg("5381", dup276); + +var msg7829 = msg("5382", dup276); + +var msg7830 = msg("5383", dup276); + +var msg7831 = msg("5384", dup276); + +var msg7832 = msg("5385", dup276); + +var msg7833 = msg("5386", dup276); + +var msg7834 = msg("5387", dup276); + +var msg7835 = msg("5388", dup276); + +var msg7836 = msg("5389", dup276); + +var msg7837 = msg("5390", dup276); + +var msg7838 = msg("5391", dup276); + +var msg7839 = msg("5392", dup276); + +var msg7840 = msg("5393", dup276); + +var msg7841 = msg("5394", dup276); + +var msg7842 = msg("5395", dup276); + +var msg7843 = msg("5396", dup276); + +var msg7844 = msg("5397", dup276); + +var msg7845 = msg("5398", dup276); + +var msg7846 = msg("5399", dup276); + +var msg7847 = msg("5400", dup276); + +var msg7848 = msg("5401", dup276); + +var msg7849 = msg("5402", dup276); + +var msg7850 = msg("5403", dup276); + +var msg7851 = msg("5404", dup276); + +var msg7852 = msg("5405", dup276); + +var msg7853 = msg("5406", dup276); + +var msg7854 = msg("5407", dup276); + +var msg7855 = msg("5408", dup276); + +var msg7856 = msg("5409", dup276); + +var msg7857 = msg("5410", dup276); + +var msg7858 = msg("5411", dup276); + +var msg7859 = msg("5412", dup276); + +var msg7860 = msg("5413", dup276); + +var msg7861 = msg("5414", dup276); + +var msg7862 = msg("5415", dup276); + +var msg7863 = msg("5416", dup276); + +var msg7864 = msg("5417", dup276); + +var msg7865 = msg("5418", dup276); + +var msg7866 = msg("5419", dup276); + +var msg7867 = msg("5420", dup276); + +var msg7868 = msg("5421", dup276); + +var msg7869 = msg("5422", dup276); + +var msg7870 = msg("5423", dup276); + +var msg7871 = msg("5424", dup276); + +var msg7872 = msg("5425", dup276); + +var msg7873 = msg("5426", dup276); + +var msg7874 = msg("5427", dup276); + +var msg7875 = msg("5428", dup276); + +var msg7876 = msg("5429", dup276); + +var msg7877 = msg("5430", dup276); + +var msg7878 = msg("5431", dup276); + +var msg7879 = msg("5432", dup276); + +var msg7880 = msg("5433", dup276); + +var msg7881 = msg("5434", dup276); + +var msg7882 = msg("5435", dup276); + +var msg7883 = msg("5436", dup276); + +var msg7884 = msg("5437", dup276); + +var msg7885 = msg("5438", dup276); + +var msg7886 = msg("5439", dup276); + +var msg7887 = msg("5440", dup276); + +var msg7888 = msg("5441", dup276); + +var msg7889 = msg("5442", dup276); + +var msg7890 = msg("5443", dup276); + +var msg7891 = msg("5444", dup276); + +var msg7892 = msg("5445", dup276); + +var msg7893 = msg("5446", dup276); + +var msg7894 = msg("5447", dup276); + +var msg7895 = msg("5448", dup276); + +var msg7896 = msg("5449", dup276); + +var msg7897 = msg("5450", dup276); + +var msg7898 = msg("5451", dup276); + +var msg7899 = msg("5452", dup276); + +var msg7900 = msg("5453", dup276); + +var msg7901 = msg("5454", dup276); + +var msg7902 = msg("5455", dup276); + +var msg7903 = msg("5456", dup276); + +var msg7904 = msg("5457", dup276); + +var msg7905 = msg("5458", dup276); + +var msg7906 = msg("5459", dup276); + +var msg7907 = msg("5460", dup276); + +var msg7908 = msg("5461", dup276); + +var msg7909 = msg("5462", dup276); + +var msg7910 = msg("5463", dup276); + +var msg7911 = msg("5464", dup276); + +var msg7912 = msg("5465", dup276); + +var msg7913 = msg("5466", dup276); + +var msg7914 = msg("5467", dup276); + +var msg7915 = msg("5468", dup276); + +var msg7916 = msg("5469", dup276); + +var msg7917 = msg("5470", dup276); + +var msg7918 = msg("5471", dup276); + +var msg7919 = msg("5472", dup276); + +var msg7920 = msg("5473", dup276); + +var msg7921 = msg("5474", dup276); + +var msg7922 = msg("5475", dup276); + +var msg7923 = msg("5476", dup276); + +var msg7924 = msg("5477", dup276); + +var msg7925 = msg("5478", dup276); + +var msg7926 = msg("5479", dup276); + +var msg7927 = msg("5480", dup276); + +var msg7928 = msg("5481", dup276); + +var msg7929 = msg("5482", dup276); + +var msg7930 = msg("5483", dup276); + +var msg7931 = msg("5484", dup276); + +var msg7932 = msg("5485", dup276); + +var msg7933 = msg("5486", dup276); + +var msg7934 = msg("5487", dup276); + +var msg7935 = msg("5488", dup276); + +var msg7936 = msg("5489", dup276); + +var msg7937 = msg("5490", dup276); + +var msg7938 = msg("5491", dup276); + +var msg7939 = msg("5492", dup276); + +var msg7940 = msg("5493", dup276); + +var msg7941 = msg("5494", dup276); + +var msg7942 = msg("5495", dup276); + +var msg7943 = msg("5496", dup276); + +var msg7944 = msg("5497", dup276); + +var msg7945 = msg("5498", dup276); + +var msg7946 = msg("5499", dup276); + +var msg7947 = msg("5500", dup276); + +var msg7948 = msg("5501", dup276); + +var msg7949 = msg("5502", dup276); + +var msg7950 = msg("5503", dup276); + +var msg7951 = msg("5504", dup276); + +var msg7952 = msg("5505", dup276); + +var msg7953 = msg("5506", dup276); + +var msg7954 = msg("5507", dup276); + +var msg7955 = msg("5508", dup276); + +var msg7956 = msg("5509", dup276); + +var msg7957 = msg("5510", dup276); + +var msg7958 = msg("5511", dup276); + +var msg7959 = msg("5512", dup276); + +var msg7960 = msg("5513", dup276); + +var msg7961 = msg("5514", dup276); + +var msg7962 = msg("5515", dup276); + +var msg7963 = msg("5516", dup276); + +var msg7964 = msg("5517", dup276); + +var msg7965 = msg("5518", dup276); + +var msg7966 = msg("5519", dup276); + +var msg7967 = msg("5520", dup276); + +var msg7968 = msg("5521", dup276); + +var msg7969 = msg("5522", dup276); + +var msg7970 = msg("5523", dup276); + +var msg7971 = msg("5524", dup276); + +var msg7972 = msg("5525", dup276); + +var msg7973 = msg("5526", dup276); + +var msg7974 = msg("5527", dup276); + +var msg7975 = msg("5528", dup276); + +var msg7976 = msg("5529", dup276); + +var msg7977 = msg("5530", dup276); + +var msg7978 = msg("5531", dup276); + +var msg7979 = msg("5532", dup276); + +var msg7980 = msg("5533", dup276); + +var msg7981 = msg("5534", dup276); + +var msg7982 = msg("5535", dup276); + +var msg7983 = msg("5536", dup276); + +var msg7984 = msg("5537", dup276); + +var msg7985 = msg("5538", dup276); + +var msg7986 = msg("5539", dup276); + +var msg7987 = msg("5540", dup276); + +var msg7988 = msg("5541", dup276); + +var msg7989 = msg("5542", dup276); + +var msg7990 = msg("5543", dup276); + +var msg7991 = msg("5544", dup276); + +var msg7992 = msg("5545", dup276); + +var msg7993 = msg("5546", dup276); + +var msg7994 = msg("5547", dup276); + +var msg7995 = msg("5548", dup276); + +var msg7996 = msg("5549", dup276); + +var msg7997 = msg("5550", dup276); + +var msg7998 = msg("5551", dup276); + +var msg7999 = msg("5552", dup276); + +var msg8000 = msg("5553", dup276); + +var msg8001 = msg("5554", dup276); + +var msg8002 = msg("5555", dup276); + +var msg8003 = msg("5556", dup276); + +var msg8004 = msg("5557", dup276); + +var msg8005 = msg("5558", dup276); + +var msg8006 = msg("5559", dup276); + +var msg8007 = msg("5560", dup276); + +var msg8008 = msg("5561", dup276); + +var msg8009 = msg("5562", dup276); + +var msg8010 = msg("5563", dup276); + +var msg8011 = msg("5564", dup276); + +var msg8012 = msg("5565", dup276); + +var msg8013 = msg("5566", dup276); + +var msg8014 = msg("5567", dup276); + +var msg8015 = msg("5568", dup276); + +var msg8016 = msg("5569", dup276); + +var msg8017 = msg("5570", dup276); + +var msg8018 = msg("5571", dup276); + +var msg8019 = msg("5572", dup276); + +var msg8020 = msg("5573", dup276); + +var msg8021 = msg("5574", dup276); + +var msg8022 = msg("5575", dup276); + +var msg8023 = msg("5576", dup276); + +var msg8024 = msg("5577", dup276); + +var msg8025 = msg("5578", dup276); + +var msg8026 = msg("5579", dup276); + +var msg8027 = msg("5580", dup276); + +var msg8028 = msg("5581", dup276); + +var msg8029 = msg("5582", dup276); + +var msg8030 = msg("5583", dup276); + +var msg8031 = msg("5584", dup276); + +var msg8032 = msg("5585", dup276); + +var msg8033 = msg("5586", dup276); + +var msg8034 = msg("5587", dup276); + +var msg8035 = msg("5588", dup276); + +var msg8036 = msg("5589", dup276); + +var msg8037 = msg("5590", dup276); + +var msg8038 = msg("5591", dup276); + +var msg8039 = msg("5592", dup276); + +var msg8040 = msg("5593", dup276); + +var msg8041 = msg("5594", dup276); + +var msg8042 = msg("5595", dup276); + +var msg8043 = msg("5596", dup276); + +var msg8044 = msg("5597", dup276); + +var msg8045 = msg("5598", dup276); + +var msg8046 = msg("5599", dup276); + +var msg8047 = msg("5600", dup276); + +var msg8048 = msg("5601", dup276); + +var msg8049 = msg("5602", dup276); + +var msg8050 = msg("5603", dup276); + +var msg8051 = msg("5604", dup276); + +var msg8052 = msg("5605", dup276); + +var msg8053 = msg("5606", dup276); + +var msg8054 = msg("5607", dup276); + +var msg8055 = msg("5608", dup276); + +var msg8056 = msg("5609", dup276); + +var msg8057 = msg("5610", dup276); + +var msg8058 = msg("5611", dup276); + +var msg8059 = msg("5612", dup276); + +var msg8060 = msg("5613", dup276); + +var msg8061 = msg("5614", dup276); + +var msg8062 = msg("5615", dup276); + +var msg8063 = msg("5616", dup276); + +var msg8064 = msg("5617", dup276); + +var msg8065 = msg("5618", dup276); + +var msg8066 = msg("5619", dup276); + +var msg8067 = msg("5620", dup276); + +var msg8068 = msg("5621", dup276); + +var msg8069 = msg("5622", dup276); + +var msg8070 = msg("5623", dup276); + +var msg8071 = msg("5624", dup276); + +var msg8072 = msg("5625", dup276); + +var msg8073 = msg("5626", dup276); + +var msg8074 = msg("5627", dup276); + +var msg8075 = msg("5628", dup276); + +var msg8076 = msg("5629", dup276); + +var msg8077 = msg("5630", dup276); + +var msg8078 = msg("5631", dup276); + +var msg8079 = msg("5632", dup276); + +var msg8080 = msg("5633", dup276); + +var msg8081 = msg("5634", dup276); + +var msg8082 = msg("5635", dup276); + +var msg8083 = msg("5636", dup276); + +var msg8084 = msg("5637", dup276); + +var msg8085 = msg("5638", dup276); + +var msg8086 = msg("5639", dup276); + +var msg8087 = msg("5640", dup276); + +var msg8088 = msg("5641", dup276); + +var msg8089 = msg("5642", dup276); + +var msg8090 = msg("5643", dup276); + +var msg8091 = msg("5644", dup276); + +var msg8092 = msg("5645", dup276); + +var msg8093 = msg("5646", dup276); + +var msg8094 = msg("5647", dup276); + +var msg8095 = msg("5648", dup276); + +var msg8096 = msg("5649", dup276); + +var msg8097 = msg("5650", dup276); + +var msg8098 = msg("5651", dup276); + +var msg8099 = msg("5652", dup276); + +var msg8100 = msg("5653", dup276); + +var msg8101 = msg("5654", dup276); + +var msg8102 = msg("5655", dup276); + +var msg8103 = msg("5656", dup276); + +var msg8104 = msg("5657", dup276); + +var msg8105 = msg("5658", dup276); + +var msg8106 = msg("5659", dup276); + +var msg8107 = msg("5660", dup276); + +var msg8108 = msg("5661", dup276); + +var msg8109 = msg("5662", dup276); + +var msg8110 = msg("5663", dup276); + +var msg8111 = msg("5664", dup276); + +var msg8112 = msg("5665", dup276); + +var msg8113 = msg("5666", dup276); + +var msg8114 = msg("5667", dup276); + +var msg8115 = msg("5668", dup276); + +var msg8116 = msg("5669", dup276); + +var msg8117 = msg("5670", dup276); + +var msg8118 = msg("5671", dup276); + +var msg8119 = msg("5672", dup276); + +var msg8120 = msg("5673", dup276); + +var msg8121 = msg("5674", dup276); + +var msg8122 = msg("5675", dup276); + +var msg8123 = msg("5676", dup276); + +var msg8124 = msg("5677", dup276); + +var msg8125 = msg("5678", dup276); + +var msg8126 = msg("5679", dup276); + +var msg8127 = msg("5680", dup276); + +var msg8128 = msg("5681", dup276); + +var msg8129 = msg("5682", dup276); + +var msg8130 = msg("5683", dup276); + +var msg8131 = msg("5684", dup276); + +var msg8132 = msg("5685", dup250); + +var msg8133 = msg("5686", dup250); + +var msg8134 = msg("5687", dup250); + +var msg8135 = msg("5688", dup250); + +var msg8136 = msg("5689", dup250); + +var msg8137 = msg("5690", dup250); + +var msg8138 = msg("5691", dup250); + +var msg8139 = msg("5692", dup196); + +var msg8140 = msg("5693", dup196); + +var msg8141 = msg("5694", dup196); + +var msg8142 = msg("5695", dup267); + +var msg8143 = msg("5696", dup196); + +var msg8144 = msg("5697", dup196); + +var msg8145 = msg("5698", dup196); + +var msg8146 = msg("5699", dup196); + +var msg8147 = msg("5700", dup196); + +var msg8148 = msg("5701", dup196); + +var msg8149 = msg("5702", dup196); + +var msg8150 = msg("5703", dup196); + +var msg8151 = msg("5704", dup222); + +var msg8152 = msg("5705", dup222); + +var msg8153 = msg("5706", dup196); + +var msg8154 = msg("5707", dup196); + +var msg8155 = msg("5708", dup196); + +var msg8156 = msg("5709", dup265); + +var msg8157 = msg("5710", dup267); + +var msg8158 = msg("5711", dup267); + +var msg8159 = msg("5712", dup267); + +var msg8160 = msg("5713", dup197); + +var msg8161 = msg("5714", dup250); + +var msg8162 = msg("5715", dup201); + +var msg8163 = msg("5716", dup198); + +var msg8164 = msg("5717", dup198); + +var msg8165 = msg("5718", dup198); + +var msg8166 = msg("5719", dup198); + +var msg8167 = msg("5720", dup198); + +var msg8168 = msg("5721", dup198); + +var msg8169 = msg("5722", dup198); + +var msg8170 = msg("5723", dup198); + +var msg8171 = msg("5724", dup198); + +var msg8172 = msg("5725", dup198); + +var msg8173 = msg("5726", dup198); + +var msg8174 = msg("5727", dup198); + +var msg8175 = msg("5728", dup198); + +var msg8176 = msg("5729", dup198); + +var msg8177 = msg("5730", dup198); + +var msg8178 = msg("5731", dup198); + +var msg8179 = msg("5732", dup198); + +var msg8180 = msg("5733", dup198); + +var msg8181 = msg("5734", dup198); + +var msg8182 = msg("5735", dup198); + +var msg8183 = msg("5736", dup198); + +var msg8184 = msg("5737", dup198); + +var msg8185 = msg("5738", dup198); + +var msg8186 = msg("5739", dup197); + +var msg8187 = msg("5740", dup265); + +var msg8188 = msg("5741", dup267); + +var msg8189 = msg("5742", dup303); + +var msg8190 = msg("5743", dup303); + +var msg8191 = msg("5744", dup303); + +var msg8192 = msg("5745", dup303); + +var msg8193 = msg("5746", dup303); + +var msg8194 = msg("5747", dup303); + +var msg8195 = msg("5748", dup303); + +var msg8196 = msg("5749", dup303); + +var msg8197 = msg("5750", dup303); + +var msg8198 = msg("5751", dup303); + +var msg8199 = msg("5752", dup303); + +var msg8200 = msg("5753", dup303); + +var msg8201 = msg("5754", dup303); + +var msg8202 = msg("5755", dup303); + +var msg8203 = msg("5756", dup303); + +var msg8204 = msg("5757", dup303); + +var msg8205 = msg("5758", dup303); + +var msg8206 = msg("5759", dup303); + +var msg8207 = msg("5760", dup303); + +var msg8208 = msg("5761", dup303); + +var msg8209 = msg("5762", dup303); + +var msg8210 = msg("5763", dup303); + +var msg8211 = msg("5764", dup303); + +var msg8212 = msg("5765", dup303); + +var msg8213 = msg("5766", dup303); + +var msg8214 = msg("5767", dup303); + +var msg8215 = msg("5768", dup303); + +var msg8216 = msg("5769", dup303); + +var msg8217 = msg("5770", dup303); + +var msg8218 = msg("5771", dup303); + +var msg8219 = msg("5772", dup303); + +var msg8220 = msg("5773", dup303); + +var msg8221 = msg("5774", dup303); + +var msg8222 = msg("5775", dup303); + +var msg8223 = msg("5776", dup303); + +var msg8224 = msg("5777", dup303); + +var msg8225 = msg("5778", dup303); + +var msg8226 = msg("5779", dup303); + +var msg8227 = msg("5780", dup303); + +var msg8228 = msg("5781", dup303); + +var msg8229 = msg("5782", dup303); + +var msg8230 = msg("5783", dup303); + +var msg8231 = msg("5784", dup303); + +var msg8232 = msg("5785", dup303); + +var msg8233 = msg("5786", dup303); + +var msg8234 = msg("5787", dup303); + +var msg8235 = msg("5788", dup303); + +var msg8236 = msg("5789", dup303); + +var msg8237 = msg("5790", dup303); + +var msg8238 = msg("5791", dup303); + +var msg8239 = msg("5792", dup303); + +var msg8240 = msg("5793", dup303); + +var msg8241 = msg("5794", dup303); + +var msg8242 = msg("5795", dup303); + +var msg8243 = msg("5796", dup303); + +var msg8244 = msg("5797", dup303); + +var msg8245 = msg("5798", dup303); + +var msg8246 = msg("5799", dup303); + +var msg8247 = msg("5800", dup303); + +var msg8248 = msg("5801", dup303); + +var msg8249 = msg("5802", dup303); + +var msg8250 = msg("5803", dup303); + +var msg8251 = msg("5804", dup303); + +var msg8252 = msg("5805", dup303); + +var msg8253 = msg("5806", dup303); + +var msg8254 = msg("5807", dup303); + +var msg8255 = msg("5808", dup303); + +var msg8256 = msg("5809", dup303); + +var msg8257 = msg("5810", dup303); + +var msg8258 = msg("5811", dup303); + +var msg8259 = msg("5812", dup303); + +var msg8260 = msg("5813", dup303); + +var msg8261 = msg("5814", dup303); + +var msg8262 = msg("5815", dup303); + +var msg8263 = msg("5816", dup303); + +var msg8264 = msg("5817", dup303); + +var msg8265 = msg("5818", dup303); + +var msg8266 = msg("5819", dup303); + +var msg8267 = msg("5820", dup303); + +var msg8268 = msg("5821", dup303); + +var msg8269 = msg("5822", dup303); + +var msg8270 = msg("5823", dup303); + +var msg8271 = msg("5824", dup303); + +var msg8272 = msg("5825", dup303); + +var msg8273 = msg("5826", dup303); + +var msg8274 = msg("5827", dup303); + +var msg8275 = msg("5828", dup303); + +var msg8276 = msg("5829", dup303); + +var msg8277 = msg("5830", dup303); + +var msg8278 = msg("5831", dup303); + +var msg8279 = msg("5832", dup303); + +var msg8280 = msg("5833", dup303); + +var msg8281 = msg("5834", dup303); + +var msg8282 = msg("5835", dup303); + +var msg8283 = msg("5836", dup303); + +var msg8284 = msg("5837", dup303); + +var msg8285 = msg("5838", dup303); + +var msg8286 = msg("5839", dup303); + +var msg8287 = msg("5840", dup303); + +var msg8288 = msg("5841", dup303); + +var msg8289 = msg("5842", dup303); + +var msg8290 = msg("5843", dup303); + +var msg8291 = msg("5844", dup303); + +var msg8292 = msg("5845", dup303); + +var msg8293 = msg("5846", dup303); + +var msg8294 = msg("5847", dup303); + +var msg8295 = msg("5848", dup303); + +var msg8296 = msg("5849", dup303); + +var msg8297 = msg("5850", dup303); + +var msg8298 = msg("5851", dup303); + +var msg8299 = msg("5852", dup303); + +var msg8300 = msg("5853", dup303); + +var msg8301 = msg("5854", dup303); + +var msg8302 = msg("5855", dup303); + +var msg8303 = msg("5856", dup303); + +var msg8304 = msg("5857", dup303); + +var msg8305 = msg("5858", dup303); + +var msg8306 = msg("5859", dup303); + +var msg8307 = msg("5860", dup303); + +var msg8308 = msg("5861", dup303); + +var msg8309 = msg("5862", dup303); + +var msg8310 = msg("5863", dup303); + +var msg8311 = msg("5864", dup303); + +var msg8312 = msg("5865", dup303); + +var msg8313 = msg("5866", dup303); + +var msg8314 = msg("5867", dup303); + +var msg8315 = msg("5868", dup303); + +var msg8316 = msg("5869", dup303); + +var msg8317 = msg("5870", dup303); + +var msg8318 = msg("5871", dup303); + +var msg8319 = msg("5872", dup303); + +var msg8320 = msg("5873", dup303); + +var msg8321 = msg("5874", dup303); + +var msg8322 = msg("5875", dup303); + +var msg8323 = msg("5876", dup303); + +var msg8324 = msg("5877", dup303); + +var msg8325 = msg("5878", dup303); + +var msg8326 = msg("5879", dup303); + +var msg8327 = msg("5880", dup303); + +var msg8328 = msg("5881", dup303); + +var msg8329 = msg("5882", dup303); + +var msg8330 = msg("5883", dup303); + +var msg8331 = msg("5884", dup303); + +var msg8332 = msg("5885", dup303); + +var msg8333 = msg("5886", dup303); + +var msg8334 = msg("5887", dup303); + +var msg8335 = msg("5888", dup303); + +var msg8336 = msg("5889", dup303); + +var msg8337 = msg("5890", dup303); + +var msg8338 = msg("5891", dup303); + +var msg8339 = msg("5892", dup303); + +var msg8340 = msg("5893", dup303); + +var msg8341 = msg("5894", dup303); + +var msg8342 = msg("5895", dup303); + +var msg8343 = msg("5896", dup303); + +var msg8344 = msg("5897", dup303); + +var msg8345 = msg("5898", dup303); + +var msg8346 = msg("5899", dup303); + +var msg8347 = msg("5900", dup303); + +var msg8348 = msg("5901", dup303); + +var msg8349 = msg("5902", dup303); + +var msg8350 = msg("5903", dup303); + +var msg8351 = msg("5904", dup303); + +var msg8352 = msg("5905", dup303); + +var msg8353 = msg("5906", dup303); + +var msg8354 = msg("5907", dup303); + +var msg8355 = msg("5908", dup303); + +var msg8356 = msg("5909", dup303); + +var msg8357 = msg("5910", dup303); + +var msg8358 = msg("5911", dup303); + +var msg8359 = msg("5912", dup303); + +var msg8360 = msg("5913", dup303); + +var msg8361 = msg("5914", dup303); + +var msg8362 = msg("5915", dup303); + +var msg8363 = msg("5916", dup303); + +var msg8364 = msg("5917", dup303); + +var msg8365 = msg("5918", dup303); + +var msg8366 = msg("5919", dup303); + +var msg8367 = msg("5920", dup303); + +var msg8368 = msg("5921", dup303); + +var msg8369 = msg("5922", dup303); + +var msg8370 = msg("5923", dup303); + +var msg8371 = msg("5924", dup303); + +var msg8372 = msg("5925", dup303); + +var msg8373 = msg("5926", dup303); + +var msg8374 = msg("5927", dup303); + +var msg8375 = msg("5928", dup303); + +var msg8376 = msg("5929", dup303); + +var msg8377 = msg("5930", dup303); + +var msg8378 = msg("5931", dup303); + +var msg8379 = msg("5932", dup303); + +var msg8380 = msg("5933", dup303); + +var msg8381 = msg("5934", dup303); + +var msg8382 = msg("5935", dup303); + +var msg8383 = msg("5936", dup303); + +var msg8384 = msg("5937", dup303); + +var msg8385 = msg("5938", dup303); + +var msg8386 = msg("5939", dup303); + +var msg8387 = msg("5940", dup303); + +var msg8388 = msg("5941", dup303); + +var msg8389 = msg("5942", dup303); + +var msg8390 = msg("5943", dup303); + +var msg8391 = msg("5944", dup303); + +var msg8392 = msg("5945", dup303); + +var msg8393 = msg("5946", dup303); + +var msg8394 = msg("5947", dup303); + +var msg8395 = msg("5948", dup303); + +var msg8396 = msg("5949", dup303); + +var msg8397 = msg("5950", dup303); + +var msg8398 = msg("5951", dup303); + +var msg8399 = msg("5952", dup303); + +var msg8400 = msg("5953", dup303); + +var msg8401 = msg("5954", dup303); + +var msg8402 = msg("5955", dup303); + +var msg8403 = msg("5956", dup303); + +var msg8404 = msg("5957", dup303); + +var msg8405 = msg("5958", dup303); + +var msg8406 = msg("5959", dup303); + +var msg8407 = msg("5960", dup303); + +var msg8408 = msg("5961", dup303); + +var msg8409 = msg("5962", dup303); + +var msg8410 = msg("5963", dup303); + +var msg8411 = msg("5964", dup303); + +var msg8412 = msg("5965", dup303); + +var msg8413 = msg("5966", dup303); + +var msg8414 = msg("5967", dup303); + +var msg8415 = msg("5968", dup303); + +var msg8416 = msg("5969", dup303); + +var msg8417 = msg("5970", dup303); + +var msg8418 = msg("5971", dup303); + +var msg8419 = msg("5972", dup303); + +var msg8420 = msg("5973", dup303); + +var msg8421 = msg("5974", dup303); + +var msg8422 = msg("5975", dup303); + +var msg8423 = msg("5976", dup303); + +var msg8424 = msg("5977", dup303); + +var msg8425 = msg("5978", dup303); + +var msg8426 = msg("5979", dup303); + +var msg8427 = msg("5980", dup303); + +var msg8428 = msg("5981", dup303); + +var msg8429 = msg("5982", dup303); + +var msg8430 = msg("5983", dup303); + +var msg8431 = msg("5984", dup303); + +var msg8432 = msg("5985", dup303); + +var msg8433 = msg("5986", dup303); + +var msg8434 = msg("5987", dup303); + +var msg8435 = msg("5988", dup303); + +var msg8436 = msg("5989", dup303); + +var msg8437 = msg("5990", dup303); + +var msg8438 = msg("5991", dup303); + +var msg8439 = msg("5992", dup303); + +var msg8440 = msg("5993", dup303); + +var msg8441 = msg("5994", dup303); + +var msg8442 = msg("5995", dup303); + +var msg8443 = msg("5996", dup303); + +var msg8444 = msg("5997", dup267); + +var msg8445 = msg("5998", dup196); + +var msg8446 = msg("5999", dup196); + +var msg8447 = msg("6000", dup196); + +var msg8448 = msg("6001", dup196); + +var msg8449 = msg("6002", dup265); + +var msg8450 = msg("6003", dup265); + +var msg8451 = msg("6004", dup265); + +var msg8452 = msg("6005", dup265); + +var msg8453 = msg("6006", dup265); + +var msg8454 = msg("6007", dup265); + +var msg8455 = msg("6008", dup265); + +var msg8456 = msg("6009", dup265); + +var msg8457 = msg("6010", dup196); + +var msg8458 = msg("6011", dup222); + +var msg8459 = msg("6012", dup205); + +var msg8460 = msg("6013", dup205); + +var msg8461 = msg("6014", dup205); + +var msg8462 = msg("6015", dup205); + +var msg8463 = msg("6016", dup205); + +var msg8464 = msg("6017", dup205); + +var msg8465 = msg("6018", dup205); + +var msg8466 = msg("6019", dup205); + +var msg8467 = msg("6020", dup205); + +var msg8468 = msg("6021", dup205); + +var msg8469 = msg("6022", dup205); + +var msg8470 = msg("6023", dup205); + +var msg8471 = msg("6024", dup205); + +var msg8472 = msg("6025", dup205); + +var msg8473 = msg("6026", dup205); + +var msg8474 = msg("6027", dup205); + +var msg8475 = msg("6028", dup205); + +var msg8476 = msg("6029", dup205); + +var msg8477 = msg("6030", dup205); + +var msg8478 = msg("6031", dup205); + +var msg8479 = msg("6032", dup205); + +var msg8480 = msg("6033", dup205); + +var msg8481 = msg("6034", dup205); + +var msg8482 = msg("6035", dup205); + +var msg8483 = msg("6036", dup205); + +var msg8484 = msg("6037", dup205); + +var msg8485 = msg("6038", dup205); + +var msg8486 = msg("6039", dup205); + +var msg8487 = msg("6040", dup205); + +var msg8488 = msg("6041", dup205); + +var msg8489 = msg("6042", dup205); + +var msg8490 = msg("6043", dup205); + +var msg8491 = msg("6044", dup205); + +var msg8492 = msg("6045", dup205); + +var msg8493 = msg("6046", dup205); + +var msg8494 = msg("6047", dup205); + +var msg8495 = msg("6048", dup205); + +var msg8496 = msg("6049", dup205); + +var msg8497 = msg("6050", dup205); + +var msg8498 = msg("6051", dup205); + +var msg8499 = msg("6052", dup205); + +var msg8500 = msg("6053", dup205); + +var msg8501 = msg("6054", dup205); + +var msg8502 = msg("6055", dup205); + +var msg8503 = msg("6056", dup205); + +var msg8504 = msg("6057", dup205); + +var msg8505 = msg("6058", dup205); + +var msg8506 = msg("6059", dup205); + +var all46 = all_match({ + processors: [ + dup66, + dup178, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup45, + dup77, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + date_time({ + dest: "event_time", + args: ["event_time_string"], + fmts: [ + [dB,dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), + ]), +}); + +var msg8507 = msg("6060", all46); + +var msg8508 = msg("6061", dup205); + +var msg8509 = msg("6062", dup205); + +var msg8510 = msg("6063", dup205); + +var msg8511 = msg("6064", dup205); + +var msg8512 = msg("6065", dup205); + +var msg8513 = msg("6066", dup205); + +var msg8514 = msg("6067", dup205); + +var msg8515 = msg("6068", dup205); + +var msg8516 = msg("6069", dup205); + +var msg8517 = msg("6070", dup205); + +var msg8518 = msg("6071", dup205); + +var msg8519 = msg("6072", dup205); + +var msg8520 = msg("6073", dup205); + +var msg8521 = msg("6074", dup205); + +var msg8522 = msg("6075", dup205); + +var msg8523 = msg("6076", dup205); + +var msg8524 = msg("6077", dup205); + +var msg8525 = msg("6078", dup205); + +var msg8526 = msg("6079", dup205); + +var msg8527 = msg("6080", dup205); + +var msg8528 = msg("6081", dup205); + +var msg8529 = msg("6082", dup205); + +var msg8530 = msg("6083", dup205); + +var msg8531 = msg("6084", dup205); + +var msg8532 = msg("6085", dup205); + +var msg8533 = msg("6086", dup205); + +var msg8534 = msg("6087", dup205); + +var msg8535 = msg("6088", dup205); + +var msg8536 = msg("6089", dup205); + +var msg8537 = msg("6090", dup205); + +var msg8538 = msg("6091", dup205); + +var msg8539 = msg("6092", dup205); + +var msg8540 = msg("6093", dup205); + +var msg8541 = msg("6094", dup205); + +var msg8542 = msg("6095", dup205); + +var msg8543 = msg("6096", dup205); + +var msg8544 = msg("6097", dup205); + +var msg8545 = msg("6098", dup205); + +var msg8546 = msg("6099", dup205); + +var msg8547 = msg("6100", dup205); + +var msg8548 = msg("6101", dup205); + +var msg8549 = msg("6102", dup205); + +var msg8550 = msg("6103", dup205); + +var msg8551 = msg("6104", dup205); + +var msg8552 = msg("6105", dup205); + +var msg8553 = msg("6106", dup205); + +var msg8554 = msg("6107", dup205); + +var msg8555 = msg("6108", dup205); + +var msg8556 = msg("6109", dup205); + +var msg8557 = msg("6110", dup205); + +var msg8558 = msg("6111", dup205); + +var msg8559 = msg("6112", dup205); + +var msg8560 = msg("6113", dup205); + +var msg8561 = msg("6114", dup205); + +var msg8562 = msg("6115", dup205); + +var msg8563 = msg("6116", dup205); + +var msg8564 = msg("6117", dup205); + +var msg8565 = msg("6118", dup205); + +var msg8566 = msg("6119", dup205); + +var msg8567 = msg("6120", dup205); + +var msg8568 = msg("6121", dup205); + +var msg8569 = msg("6122", dup205); + +var msg8570 = msg("6123", dup205); + +var msg8571 = msg("6124", dup205); + +var msg8572 = msg("6125", dup205); + +var msg8573 = msg("6126", dup205); + +var msg8574 = msg("6127", dup205); + +var msg8575 = msg("6128", dup205); + +var msg8576 = msg("6129", dup205); + +var msg8577 = msg("6130", dup205); + +var msg8578 = msg("6131", dup205); + +var msg8579 = msg("6132", dup205); + +var msg8580 = msg("6133", dup205); + +var msg8581 = msg("6134", dup205); + +var msg8582 = msg("6135", dup205); + +var msg8583 = msg("6136", dup205); + +var msg8584 = msg("6137", dup205); + +var msg8585 = msg("6138", dup205); + +var msg8586 = msg("6139", dup205); + +var msg8587 = msg("6140", dup205); + +var msg8588 = msg("6141", dup205); + +var msg8589 = msg("6142", dup205); + +var msg8590 = msg("6143", dup205); + +var msg8591 = msg("6144", dup205); + +var msg8592 = msg("6145", dup205); + +var msg8593 = msg("6146", dup205); + +var msg8594 = msg("6147", dup205); + +var msg8595 = msg("6148", dup205); + +var msg8596 = msg("6149", dup205); + +var msg8597 = msg("6150", dup205); + +var msg8598 = msg("6151", dup205); + +var msg8599 = msg("6152", dup205); + +var msg8600 = msg("6153", dup205); + +var msg8601 = msg("6154", dup205); + +var msg8602 = msg("6155", dup205); + +var msg8603 = msg("6156", dup205); + +var msg8604 = msg("6157", dup205); + +var msg8605 = msg("6158", dup205); + +var msg8606 = msg("6159", dup205); + +var msg8607 = msg("6160", dup205); + +var msg8608 = msg("6161", dup205); + +var msg8609 = msg("6162", dup205); + +var msg8610 = msg("6163", dup205); + +var msg8611 = msg("6164", dup205); + +var msg8612 = msg("6165", dup205); + +var msg8613 = msg("6166", dup205); + +var msg8614 = msg("6167", dup205); + +var msg8615 = msg("6168", dup205); + +var msg8616 = msg("6169", dup205); + +var msg8617 = msg("6170", dup205); + +var msg8618 = msg("6171", dup205); + +var msg8619 = msg("6172", dup205); + +var msg8620 = msg("6173", dup205); + +var msg8621 = msg("6174", dup205); + +var msg8622 = msg("6175", dup205); + +var msg8623 = msg("6176", dup205); + +var msg8624 = msg("6177", dup205); + +var msg8625 = msg("6178", dup205); + +var msg8626 = msg("6179", dup205); + +var msg8627 = msg("6180", dup205); + +var msg8628 = msg("6181", dup205); + +var msg8629 = msg("6182", dup196); + +var msg8630 = msg("6183", dup303); + +var msg8631 = msg("6184", dup303); + +var msg8632 = msg("6185", dup303); + +var msg8633 = msg("6186", dup303); + +var msg8634 = msg("6187", dup303); + +var msg8635 = msg("6188", dup303); + +var msg8636 = msg("6189", dup303); + +var msg8637 = msg("6190", dup303); + +var msg8638 = msg("6191", dup303); + +var msg8639 = msg("6192", dup303); + +var msg8640 = msg("6193", dup303); + +var msg8641 = msg("6194", dup303); + +var msg8642 = msg("6195", dup303); + +var msg8643 = msg("6196", dup303); + +var msg8644 = msg("6197", dup303); + +var msg8645 = msg("6198", dup303); + +var msg8646 = msg("6199", dup303); + +var msg8647 = msg("6200", dup303); + +var msg8648 = msg("6201", dup303); + +var msg8649 = msg("6202", dup303); + +var msg8650 = msg("6203", dup303); + +var msg8651 = msg("6204", dup303); + +var msg8652 = msg("6205", dup303); + +var msg8653 = msg("6206", dup303); + +var msg8654 = msg("6207", dup303); + +var msg8655 = msg("6208", dup303); + +var msg8656 = msg("6209", dup303); + +var msg8657 = msg("6210", dup303); + +var msg8658 = msg("6211", dup303); + +var msg8659 = msg("6212", dup303); + +var msg8660 = msg("6213", dup303); + +var msg8661 = msg("6214", dup303); + +var msg8662 = msg("6215", dup303); + +var msg8663 = msg("6216", dup303); + +var msg8664 = msg("6217", dup303); + +var msg8665 = msg("6218", dup303); + +var msg8666 = msg("6219", dup303); + +var msg8667 = msg("6220", dup303); + +var msg8668 = msg("6221", dup303); + +var msg8669 = msg("6222", dup303); + +var msg8670 = msg("6223", dup303); + +var msg8671 = msg("6224", dup303); + +var msg8672 = msg("6225", dup303); + +var msg8673 = msg("6226", dup303); + +var msg8674 = msg("6227", dup303); + +var msg8675 = msg("6228", dup303); + +var msg8676 = msg("6229", dup303); + +var msg8677 = msg("6230", dup303); + +var msg8678 = msg("6231", dup303); + +var msg8679 = msg("6232", dup303); + +var msg8680 = msg("6233", dup303); + +var msg8681 = msg("6234", dup303); + +var msg8682 = msg("6235", dup303); + +var msg8683 = msg("6236", dup303); + +var msg8684 = msg("6237", dup303); + +var msg8685 = msg("6238", dup303); + +var msg8686 = msg("6239", dup303); + +var msg8687 = msg("6240", dup303); + +var msg8688 = msg("6241", dup303); + +var msg8689 = msg("6242", dup303); + +var msg8690 = msg("6243", dup303); + +var msg8691 = msg("6244", dup303); + +var msg8692 = msg("6245", dup303); + +var msg8693 = msg("6246", dup303); + +var msg8694 = msg("6247", dup303); + +var msg8695 = msg("6248", dup303); + +var msg8696 = msg("6249", dup303); + +var msg8697 = msg("6250", dup303); + +var msg8698 = msg("6251", dup303); + +var msg8699 = msg("6252", dup303); + +var msg8700 = msg("6253", dup303); + +var msg8701 = msg("6254", dup303); + +var msg8702 = msg("6255", dup303); + +var msg8703 = msg("6256", dup303); + +var msg8704 = msg("6257", dup303); + +var msg8705 = msg("6258", dup303); + +var msg8706 = msg("6259", dup303); + +var msg8707 = msg("6260", dup303); + +var msg8708 = msg("6261", dup303); + +var msg8709 = msg("6262", dup303); + +var msg8710 = msg("6263", dup303); + +var msg8711 = msg("6264", dup303); + +var msg8712 = msg("6265", dup303); + +var msg8713 = msg("6266", dup303); + +var msg8714 = msg("6267", dup303); + +var msg8715 = msg("6268", dup303); + +var msg8716 = msg("6269", dup303); + +var msg8717 = msg("6270", dup303); + +var msg8718 = msg("6271", dup303); + +var msg8719 = msg("6272", dup303); + +var msg8720 = msg("6273", dup303); + +var msg8721 = msg("6274", dup303); + +var msg8722 = msg("6275", dup303); + +var msg8723 = msg("6276", dup303); + +var msg8724 = msg("6277", dup303); + +var msg8725 = msg("6278", dup303); + +var msg8726 = msg("6279", dup303); + +var msg8727 = msg("6280", dup303); + +var msg8728 = msg("6281", dup303); + +var msg8729 = msg("6282", dup303); + +var msg8730 = msg("6283", dup303); + +var msg8731 = msg("6284", dup303); + +var msg8732 = msg("6285", dup205); + +var msg8733 = msg("6286", dup205); + +var msg8734 = msg("6287", dup205); + +var msg8735 = msg("6288", dup205); + +var msg8736 = msg("6289", dup205); + +var msg8737 = msg("6290", dup205); + +var msg8738 = msg("6291", dup205); + +var msg8739 = msg("6292", dup205); + +var msg8740 = msg("6293", dup205); + +var msg8741 = msg("6294", dup205); + +var msg8742 = msg("6295", dup205); + +var msg8743 = msg("6296", dup205); + +var msg8744 = msg("6297", dup205); + +var msg8745 = msg("6298", dup205); + +var msg8746 = msg("6299", dup205); + +var msg8747 = msg("6300", dup205); + +var msg8748 = msg("6301", dup205); + +var msg8749 = msg("6302", dup205); + +var msg8750 = msg("6303", dup205); + +var msg8751 = msg("6304", dup205); + +var msg8752 = msg("6305", dup205); + +var msg8753 = msg("6306", dup205); + +var msg8754 = msg("6307", dup205); + +var msg8755 = msg("6308", dup205); + +var msg8756 = msg("6309", dup205); + +var msg8757 = msg("6310", dup205); + +var msg8758 = msg("6311", dup205); + +var msg8759 = msg("6312", dup205); + +var msg8760 = msg("6313", dup205); + +var msg8761 = msg("6314", dup205); + +var msg8762 = msg("6315", dup205); + +var msg8763 = msg("6316", dup205); + +var msg8764 = msg("6317", dup205); + +var msg8765 = msg("6318", dup205); + +var msg8766 = msg("6319", dup205); + +var msg8767 = msg("6320", dup205); + +var msg8768 = msg("6321", dup205); + +var msg8769 = msg("6322", dup205); + +var msg8770 = msg("6323", dup205); + +var msg8771 = msg("6324", dup205); + +var msg8772 = msg("6325", dup205); + +var msg8773 = msg("6326", dup205); + +var msg8774 = msg("6327", dup205); + +var msg8775 = msg("6328", dup205); + +var msg8776 = msg("6329", dup205); + +var msg8777 = msg("6330", dup205); + +var msg8778 = msg("6331", dup205); + +var msg8779 = msg("6332", dup205); + +var msg8780 = msg("6333", dup205); + +var msg8781 = msg("6334", dup205); + +var msg8782 = msg("6335", dup205); + +var msg8783 = msg("6336", dup205); + +var msg8784 = msg("6337", dup205); + +var msg8785 = msg("6338", dup205); + +var msg8786 = msg("6339", dup205); + +var msg8787 = msg("6340", dup303); + +var msg8788 = msg("6341", dup303); + +var msg8789 = msg("6342", dup303); + +var msg8790 = msg("6343", dup303); + +var msg8791 = msg("6344", dup303); + +var msg8792 = msg("6345", dup303); + +var msg8793 = msg("6346", dup303); + +var msg8794 = msg("6347", dup303); + +var msg8795 = msg("6348", dup303); + +var msg8796 = msg("6349", dup303); + +var msg8797 = msg("6350", dup303); + +var msg8798 = msg("6351", dup303); + +var msg8799 = msg("6352", dup303); + +var msg8800 = msg("6353", dup303); + +var msg8801 = msg("6354", dup303); + +var msg8802 = msg("6355", dup303); + +var msg8803 = msg("6356", dup303); + +var msg8804 = msg("6357", dup303); + +var msg8805 = msg("6358", dup303); + +var msg8806 = msg("6359", dup303); + +var msg8807 = msg("6360", dup303); + +var msg8808 = msg("6361", dup303); + +var msg8809 = msg("6362", dup303); + +var msg8810 = msg("6363", dup303); + +var msg8811 = msg("6364", dup303); + +var msg8812 = msg("6365", dup303); + +var msg8813 = msg("6366", dup303); + +var msg8814 = msg("6367", dup303); + +var msg8815 = msg("6368", dup303); + +var msg8816 = msg("6369", dup303); + +var msg8817 = msg("6370", dup303); + +var msg8818 = msg("6371", dup303); + +var msg8819 = msg("6372", dup303); + +var msg8820 = msg("6373", dup303); + +var msg8821 = msg("6374", dup303); + +var msg8822 = msg("6375", dup303); + +var msg8823 = msg("6376", dup303); + +var msg8824 = msg("6377", dup303); + +var msg8825 = msg("6378", dup303); + +var msg8826 = msg("6379", dup303); + +var msg8827 = msg("6380", dup303); + +var msg8828 = msg("6381", dup303); + +var msg8829 = msg("6382", dup303); + +var msg8830 = msg("6383", dup303); + +var msg8831 = msg("6384", dup303); + +var msg8832 = msg("6385", dup303); + +var msg8833 = msg("6386", dup303); + +var msg8834 = msg("6387", dup303); + +var msg8835 = msg("6388", dup303); + +var msg8836 = msg("6389", dup303); + +var msg8837 = msg("6390", dup303); + +var msg8838 = msg("6391", dup303); + +var msg8839 = msg("6392", dup303); + +var msg8840 = msg("6393", dup303); + +var msg8841 = msg("6394", dup303); + +var msg8842 = msg("6395", dup205); + +var msg8843 = msg("6396", dup205); + +var msg8844 = msg("6397", dup205); + +var msg8845 = msg("6398", dup205); + +var msg8846 = msg("6399", dup205); + +var msg8847 = msg("6400", dup205); + +var msg8848 = msg("6401", dup205); + +var msg8849 = msg("6402", dup205); + +var msg8850 = msg("6403", dup269); + +var msg8851 = msg("6404", dup196); + +var msg8852 = msg("6405", dup222); + +var msg8853 = msg("6406", dup196); + +var msg8854 = msg("6407", dup196); + +var msg8855 = msg("6408", dup196); + +var msg8856 = msg("6409", dup267); + +var msg8857 = msg("6410", dup267); + +var msg8858 = msg("6411", dup267); + +var msg8859 = msg("6412", dup250); + +var msg8860 = msg("6413", dup250); + +var msg8861 = msg("6414", dup267); + +var msg8862 = msg("6415", dup276); + +var msg8863 = msg("6416", dup276); + +var msg8864 = msg("6417", dup276); + +var msg8865 = msg("6418", dup276); + +var msg8866 = msg("6419", dup276); + +var msg8867 = msg("6420", dup276); + +var msg8868 = msg("6421", dup276); + +var msg8869 = msg("6422", dup276); + +var msg8870 = msg("6423", dup276); + +var msg8871 = msg("6424", dup276); + +var msg8872 = msg("6425", dup276); + +var msg8873 = msg("6426", dup276); + +var msg8874 = msg("6427", dup276); + +var msg8875 = msg("6428", dup276); + +var msg8876 = msg("6429", dup276); + +var msg8877 = msg("6430", dup276); + +var msg8878 = msg("6431", dup276); + +var msg8879 = msg("6432", dup276); + +var msg8880 = msg("6433", dup276); + +var msg8881 = msg("6434", dup276); + +var msg8882 = msg("6435", dup276); + +var msg8883 = msg("6436", dup276); + +var msg8884 = msg("6437", dup276); + +var msg8885 = msg("6438", dup276); + +var msg8886 = msg("6439", dup276); + +var msg8887 = msg("6440", dup276); + +var msg8888 = msg("6441", dup276); + +var msg8889 = msg("6442", dup276); + +var msg8890 = msg("6443", dup276); + +var msg8891 = msg("6444", dup276); + +var msg8892 = msg("6445", dup276); + +var msg8893 = msg("6446", dup276); + +var msg8894 = msg("6447", dup276); + +var msg8895 = msg("6448", dup276); + +var msg8896 = msg("6449", dup276); + +var msg8897 = msg("6450", dup276); + +var msg8898 = msg("6451", dup276); + +var msg8899 = msg("6452", dup276); + +var msg8900 = msg("6453", dup276); + +var msg8901 = msg("6454", dup276); + +var msg8902 = msg("6455", dup276); + +var msg8903 = msg("6456", dup276); + +var msg8904 = msg("6457", dup276); + +var msg8905 = msg("6458", dup276); + +var msg8906 = msg("6459", dup276); + +var msg8907 = msg("6460", dup276); + +var msg8908 = msg("6461", dup276); + +var msg8909 = msg("6462", dup276); + +var msg8910 = msg("6463", dup276); + +var msg8911 = msg("6464", dup276); + +var msg8912 = msg("6465", dup276); + +var msg8913 = msg("6466", dup276); + +var msg8914 = msg("6467", dup196); + +var msg8915 = msg("6468", dup196); + +var msg8916 = msg("6469", dup196); + +var msg8917 = msg("6470", dup196); + +var msg8918 = msg("6471", dup285); + +var msg8919 = msg("6472", dup205); + +var msg8920 = msg("6473", dup205); + +var msg8921 = msg("6474", dup205); + +var msg8922 = msg("6475", dup205); + +var msg8923 = msg("6476", dup205); + +var msg8924 = msg("6477", dup303); + +var msg8925 = msg("6478", dup303); + +var msg8926 = msg("6479", dup303); + +var msg8927 = msg("6480", dup303); + +var msg8928 = msg("6481", dup303); + +var msg8929 = msg("6482", dup303); + +var msg8930 = msg("6483", dup303); + +var msg8931 = msg("6484", dup303); + +var msg8932 = msg("6485", dup303); + +var msg8933 = msg("6486", dup303); + +var msg8934 = msg("6487", dup303); + +var msg8935 = msg("6488", dup303); + +var msg8936 = msg("6489", dup303); + +var msg8937 = msg("6490", dup303); + +var msg8938 = msg("6491", dup303); + +var msg8939 = msg("6492", dup205); + +var msg8940 = msg("6493", dup205); + +var msg8941 = msg("6494", dup303); + +var msg8942 = msg("6495", dup303); + +var msg8943 = msg("6496", dup303); + +var msg8944 = msg("6497", dup205); + +var msg8945 = msg("6498", dup205); + +var msg8946 = msg("6499", dup205); + +var msg8947 = msg("6500", dup205); + +var msg8948 = msg("6501", dup205); + +var msg8949 = msg("6502", dup197); + +var msg8950 = msg("6503", dup197); + +var msg8951 = msg("6504", dup194); + +var msg8952 = msg("6505", dup267); + +var msg8953 = msg("6506", dup267); + +var msg8954 = msg("6507", dup267); + +var msg8955 = msg("6508", dup222); + +var msg8956 = msg("6509", dup267); + +var msg8957 = msg("6510", dup267); + +var msg8958 = msg("6511", dup267); + +var msg8959 = msg("6512", dup194); + +var msg8960 = msg("6513", dup222); + +var msg8961 = msg("6514", dup222); + +var msg8962 = msg("6515", dup222); + +var msg8963 = msg("6516", dup265); + +var msg8964 = msg("6517", dup265); + +var msg8965 = msg("6518", dup265); + +var msg8966 = msg("6519", dup265); + +var msg8967 = msg("6520", dup276); + +var msg8968 = msg("6521", dup276); + +var msg8969 = msg("6522", dup276); + +var msg8970 = msg("6523", dup276); + +var msg8971 = msg("6524", dup276); + +var msg8972 = msg("6525", dup276); + +var msg8973 = msg("6526", dup276); + +var msg8974 = msg("6527", dup276); + +var msg8975 = msg("6528", dup276); + +var msg8976 = msg("6529", dup276); + +var msg8977 = msg("6530", dup276); + +var msg8978 = msg("6531", dup276); + +var msg8979 = msg("6532", dup276); + +var msg8980 = msg("6533", dup276); + +var msg8981 = msg("6534", dup276); + +var msg8982 = msg("6535", dup276); + +var msg8983 = msg("6536", dup276); + +var msg8984 = msg("6537", dup276); + +var msg8985 = msg("6538", dup276); + +var msg8986 = msg("6539", dup276); + +var msg8987 = msg("6540", dup276); + +var msg8988 = msg("6541", dup276); + +var msg8989 = msg("6542", dup276); + +var msg8990 = msg("6543", dup276); + +var msg8991 = msg("6544", dup276); + +var msg8992 = msg("6545", dup276); + +var msg8993 = msg("6546", dup276); + +var msg8994 = msg("6547", dup276); + +var msg8995 = msg("6548", dup276); + +var msg8996 = msg("6549", dup276); + +var msg8997 = msg("6550", dup276); + +var msg8998 = msg("6551", dup276); + +var msg8999 = msg("6552", dup276); + +var msg9000 = msg("6553", dup276); + +var msg9001 = msg("6554", dup276); + +var msg9002 = msg("6555", dup276); + +var msg9003 = msg("6556", dup276); + +var msg9004 = msg("6557", dup276); + +var msg9005 = msg("6558", dup276); + +var msg9006 = msg("6559", dup276); + +var msg9007 = msg("6560", dup276); + +var msg9008 = msg("6561", dup276); + +var msg9009 = msg("6562", dup276); + +var msg9010 = msg("6563", dup276); + +var msg9011 = msg("6564", dup276); + +var msg9012 = msg("6565", dup276); + +var msg9013 = msg("6566", dup276); + +var msg9014 = msg("6567", dup276); + +var msg9015 = msg("6568", dup276); + +var msg9016 = msg("6569", dup276); + +var msg9017 = msg("6570", dup276); + +var msg9018 = msg("6571", dup276); + +var msg9019 = msg("6572", dup276); + +var msg9020 = msg("6573", dup276); + +var msg9021 = msg("6574", dup276); + +var msg9022 = msg("6575", dup276); + +var msg9023 = msg("6576", dup276); + +var msg9024 = msg("6577", dup276); + +var msg9025 = msg("6578", dup276); + +var msg9026 = msg("6579", dup276); + +var msg9027 = msg("6580", dup276); + +var msg9028 = msg("6581", dup276); + +var msg9029 = msg("6582", dup276); + +var msg9030 = msg("6583", dup276); + +var msg9031 = msg("6584", dup276); + +var msg9032 = msg("6585", dup276); + +var msg9033 = msg("6586", dup276); + +var msg9034 = msg("6587", dup276); + +var msg9035 = msg("6588", dup276); + +var msg9036 = msg("6589", dup276); + +var msg9037 = msg("6590", dup276); + +var msg9038 = msg("6591", dup276); + +var msg9039 = msg("6592", dup276); + +var msg9040 = msg("6593", dup276); + +var msg9041 = msg("6594", dup276); + +var msg9042 = msg("6595", dup276); + +var msg9043 = msg("6596", dup276); + +var msg9044 = msg("6597", dup276); + +var msg9045 = msg("6598", dup276); + +var msg9046 = msg("6599", dup276); + +var msg9047 = msg("6600", dup276); + +var msg9048 = msg("6601", dup276); + +var msg9049 = msg("6602", dup276); + +var msg9050 = msg("6603", dup276); + +var msg9051 = msg("6604", dup276); + +var msg9052 = msg("6605", dup276); + +var msg9053 = msg("6606", dup276); + +var msg9054 = msg("6607", dup276); + +var msg9055 = msg("6608", dup276); + +var msg9056 = msg("6609", dup276); + +var msg9057 = msg("6610", dup276); + +var msg9058 = msg("6611", dup276); + +var msg9059 = msg("6612", dup276); + +var msg9060 = msg("6613", dup276); + +var msg9061 = msg("6614", dup276); + +var msg9062 = msg("6615", dup276); + +var msg9063 = msg("6616", dup276); + +var msg9064 = msg("6617", dup276); + +var msg9065 = msg("6618", dup276); + +var msg9066 = msg("6619", dup276); + +var msg9067 = msg("6620", dup276); + +var msg9068 = msg("6621", dup276); + +var msg9069 = msg("6622", dup276); + +var msg9070 = msg("6623", dup276); + +var msg9071 = msg("6624", dup276); + +var msg9072 = msg("6625", dup276); + +var msg9073 = msg("6626", dup276); + +var msg9074 = msg("6627", dup276); + +var msg9075 = msg("6628", dup276); + +var msg9076 = msg("6629", dup276); + +var msg9077 = msg("6630", dup276); + +var msg9078 = msg("6631", dup276); + +var msg9079 = msg("6632", dup276); + +var msg9080 = msg("6633", dup276); + +var msg9081 = msg("6634", dup276); + +var msg9082 = msg("6635", dup276); + +var msg9083 = msg("6636", dup276); + +var msg9084 = msg("6637", dup276); + +var msg9085 = msg("6638", dup276); + +var msg9086 = msg("6639", dup276); + +var msg9087 = msg("6640", dup276); + +var msg9088 = msg("6641", dup276); + +var msg9089 = msg("6642", dup276); + +var msg9090 = msg("6643", dup276); + +var msg9091 = msg("6644", dup276); + +var msg9092 = msg("6645", dup276); + +var msg9093 = msg("6646", dup276); + +var msg9094 = msg("6647", dup276); + +var msg9095 = msg("6648", dup276); + +var msg9096 = msg("6649", dup276); + +var msg9097 = msg("6650", dup276); + +var msg9098 = msg("6651", dup276); + +var msg9099 = msg("6652", dup276); + +var msg9100 = msg("6653", dup276); + +var msg9101 = msg("6654", dup276); + +var msg9102 = msg("6655", dup276); + +var msg9103 = msg("6656", dup276); + +var msg9104 = msg("6657", dup276); + +var msg9105 = msg("6658", dup276); + +var msg9106 = msg("6659", dup276); + +var msg9107 = msg("6660", dup276); + +var msg9108 = msg("6661", dup276); + +var msg9109 = msg("6662", dup276); + +var msg9110 = msg("6663", dup276); + +var msg9111 = msg("6664", dup276); + +var msg9112 = msg("6665", dup276); + +var msg9113 = msg("6666", dup276); + +var msg9114 = msg("6667", dup276); + +var msg9115 = msg("6668", dup276); + +var msg9116 = msg("6669", dup276); + +var msg9117 = msg("6670", dup276); + +var msg9118 = msg("6671", dup276); + +var msg9119 = msg("6672", dup276); + +var msg9120 = msg("6673", dup276); + +var msg9121 = msg("6674", dup276); + +var msg9122 = msg("6675", dup276); + +var msg9123 = msg("6676", dup276); + +var msg9124 = msg("6677", dup276); + +var msg9125 = msg("6678", dup276); + +var msg9126 = msg("6679", dup276); + +var msg9127 = msg("6680", dup265); + +var msg9128 = msg("6681", dup265); + +var msg9129 = msg("6682", dup265); + +var msg9130 = msg("6683", dup265); + +var msg9131 = msg("6684", dup265); + +var msg9132 = msg("6685", dup265); + +var msg9133 = msg("6686", dup265); + +var msg9134 = msg("6687", dup265); + +var msg9135 = msg("6688", dup196); + +var msg9136 = msg("6689", dup267); + +var msg9137 = msg("6690", dup267); + +var msg9138 = msg("6691", dup267); + +var msg9139 = msg("6692", dup267); + +var msg9140 = msg("6693", dup267); + +var msg9141 = msg("6694", dup267); + +var msg9142 = msg("6695", dup267); + +var msg9143 = msg("6696", dup267); + +var msg9144 = msg("6697", dup267); + +var msg9145 = msg("6698", dup267); + +var msg9146 = msg("6699", dup267); + +var msg9147 = msg("6700", dup304); + +var msg9148 = msg("6701", dup267); + +var msg9149 = msg("6702", dup276); + +var msg9150 = msg("6703", dup276); + +var msg9151 = msg("6704", dup276); + +var msg9152 = msg("6705", dup276); + +var msg9153 = msg("6706", dup276); + +var msg9154 = msg("6707", dup276); + +var msg9155 = msg("6708", dup276); + +var msg9156 = msg("6709", dup276); + +var msg9157 = msg("6710", dup276); + +var msg9158 = msg("6711", dup276); + +var msg9159 = msg("6712", dup276); + +var msg9160 = msg("6713", dup276); + +var msg9161 = msg("6714", dup276); + +var msg9162 = msg("6715", dup276); + +var msg9163 = msg("6716", dup276); + +var msg9164 = msg("6717", dup276); + +var msg9165 = msg("6718", dup276); + +var msg9166 = msg("6719", dup276); + +var msg9167 = msg("6720", dup276); + +var msg9168 = msg("6721", dup276); + +var msg9169 = msg("6722", dup276); + +var msg9170 = msg("6723", dup276); + +var msg9171 = msg("6724", dup276); + +var msg9172 = msg("6725", dup276); + +var msg9173 = msg("6726", dup276); + +var msg9174 = msg("6727", dup276); + +var msg9175 = msg("6728", dup276); + +var msg9176 = msg("6729", dup276); + +var msg9177 = msg("6730", dup276); + +var msg9178 = msg("6731", dup276); + +var msg9179 = msg("6732", dup276); + +var msg9180 = msg("6733", dup276); + +var msg9181 = msg("6734", dup276); + +var msg9182 = msg("6735", dup276); + +var msg9183 = msg("6736", dup276); + +var msg9184 = msg("6737", dup276); + +var msg9185 = msg("6738", dup276); + +var msg9186 = msg("6739", dup276); + +var msg9187 = msg("6740", dup276); + +var msg9188 = msg("6741", dup276); + +var msg9189 = msg("6742", dup276); + +var msg9190 = msg("6743", dup276); + +var msg9191 = msg("6744", dup276); + +var msg9192 = msg("6745", dup276); + +var msg9193 = msg("6746", dup276); + +var msg9194 = msg("6747", dup276); + +var msg9195 = msg("6748", dup276); + +var msg9196 = msg("6749", dup276); + +var msg9197 = msg("6750", dup276); + +var msg9198 = msg("6751", dup276); + +var msg9199 = msg("6752", dup276); + +var msg9200 = msg("6753", dup276); + +var msg9201 = msg("6754", dup276); + +var msg9202 = msg("6755", dup276); + +var msg9203 = msg("6756", dup276); + +var msg9204 = msg("6757", dup276); + +var msg9205 = msg("6758", dup276); + +var msg9206 = msg("6759", dup276); + +var msg9207 = msg("6760", dup276); + +var msg9208 = msg("6761", dup276); + +var msg9209 = msg("6762", dup276); + +var msg9210 = msg("6763", dup276); + +var msg9211 = msg("6764", dup276); + +var msg9212 = msg("6765", dup276); + +var msg9213 = msg("6766", dup276); + +var msg9214 = msg("6767", dup276); + +var msg9215 = msg("6768", dup276); + +var msg9216 = msg("6769", dup276); + +var msg9217 = msg("6770", dup276); + +var msg9218 = msg("6771", dup276); + +var msg9219 = msg("6772", dup276); + +var msg9220 = msg("6773", dup276); + +var msg9221 = msg("6774", dup276); + +var msg9222 = msg("6775", dup276); + +var msg9223 = msg("6776", dup276); + +var msg9224 = msg("6777", dup276); + +var msg9225 = msg("6778", dup276); + +var msg9226 = msg("6779", dup276); + +var msg9227 = msg("6780", dup276); + +var msg9228 = msg("6781", dup276); + +var msg9229 = msg("6782", dup276); + +var msg9230 = msg("6783", dup276); + +var msg9231 = msg("6784", dup276); + +var msg9232 = msg("6785", dup276); + +var msg9233 = msg("6786", dup276); + +var msg9234 = msg("6787", dup276); + +var msg9235 = msg("6788", dup276); + +var msg9236 = msg("6789", dup276); + +var msg9237 = msg("6790", dup276); + +var msg9238 = msg("6791", dup276); + +var msg9239 = msg("6792", dup276); + +var msg9240 = msg("6793", dup276); + +var msg9241 = msg("6794", dup276); + +var msg9242 = msg("6795", dup276); + +var msg9243 = msg("6796", dup276); + +var msg9244 = msg("6797", dup276); + +var msg9245 = msg("6798", dup276); + +var msg9246 = msg("6799", dup276); + +var msg9247 = msg("6800", dup276); + +var msg9248 = msg("6801", dup276); + +var msg9249 = msg("6802", dup276); + +var msg9250 = msg("6803", dup276); + +var msg9251 = msg("6804", dup276); + +var msg9252 = msg("6805", dup276); + +var msg9253 = msg("6806", dup276); + +var msg9254 = msg("6807", dup276); + +var msg9255 = msg("6808", dup276); + +var msg9256 = msg("6809", dup276); + +var msg9257 = msg("6810", dup276); + +var msg9258 = msg("6811", dup276); + +var msg9259 = msg("6812", dup276); + +var msg9260 = msg("6813", dup276); + +var msg9261 = msg("6814", dup276); + +var msg9262 = msg("6815", dup276); + +var msg9263 = msg("6816", dup276); + +var msg9264 = msg("6817", dup276); + +var msg9265 = msg("6818", dup276); + +var msg9266 = msg("6819", dup276); + +var msg9267 = msg("6820", dup276); + +var msg9268 = msg("6821", dup276); + +var msg9269 = msg("6822", dup276); + +var msg9270 = msg("6823", dup276); + +var msg9271 = msg("6824", dup276); + +var msg9272 = msg("6825", dup276); + +var msg9273 = msg("6826", dup276); + +var msg9274 = msg("6827", dup276); + +var msg9275 = msg("6828", dup276); + +var msg9276 = msg("6829", dup276); + +var msg9277 = msg("6830", dup276); + +var msg9278 = msg("6831", dup276); + +var msg9279 = msg("6832", dup276); + +var msg9280 = msg("6833", dup276); + +var msg9281 = msg("6834", dup276); + +var msg9282 = msg("6835", dup276); + +var msg9283 = msg("6836", dup276); + +var msg9284 = msg("6837", dup276); + +var msg9285 = msg("6838", dup276); + +var msg9286 = msg("6839", dup276); + +var msg9287 = msg("6840", dup276); + +var msg9288 = msg("6841", dup276); + +var msg9289 = msg("6842", dup276); + +var msg9290 = msg("6843", dup276); + +var msg9291 = msg("6844", dup276); + +var msg9292 = msg("6845", dup276); + +var msg9293 = msg("6846", dup276); + +var msg9294 = msg("6847", dup276); + +var msg9295 = msg("6848", dup276); + +var msg9296 = msg("6849", dup276); + +var msg9297 = msg("6850", dup276); + +var msg9298 = msg("6851", dup276); + +var msg9299 = msg("6852", dup276); + +var msg9300 = msg("6853", dup276); + +var msg9301 = msg("6854", dup276); + +var msg9302 = msg("6855", dup276); + +var msg9303 = msg("6856", dup276); + +var msg9304 = msg("6857", dup276); + +var msg9305 = msg("6858", dup276); + +var msg9306 = msg("6859", dup276); + +var msg9307 = msg("6860", dup276); + +var msg9308 = msg("6861", dup276); + +var msg9309 = msg("6862", dup276); + +var msg9310 = msg("6863", dup276); + +var msg9311 = msg("6864", dup276); + +var msg9312 = msg("6865", dup276); + +var msg9313 = msg("6866", dup276); + +var msg9314 = msg("6867", dup276); + +var msg9315 = msg("6868", dup276); + +var msg9316 = msg("6869", dup276); + +var msg9317 = msg("6870", dup276); + +var msg9318 = msg("6871", dup276); + +var msg9319 = msg("6872", dup276); + +var msg9320 = msg("6873", dup276); + +var msg9321 = msg("6874", dup276); + +var msg9322 = msg("6875", dup276); + +var msg9323 = msg("6876", dup276); + +var msg9324 = msg("6877", dup276); + +var msg9325 = msg("6878", dup276); + +var msg9326 = msg("6879", dup276); + +var msg9327 = msg("6880", dup276); + +var msg9328 = msg("6881", dup276); + +var msg9329 = msg("6882", dup276); + +var msg9330 = msg("6883", dup276); + +var msg9331 = msg("6884", dup276); + +var msg9332 = msg("6885", dup276); + +var msg9333 = msg("6886", dup276); + +var msg9334 = msg("6887", dup276); + +var msg9335 = msg("6888", dup276); + +var msg9336 = msg("6889", dup276); + +var msg9337 = msg("6890", dup276); + +var msg9338 = msg("6891", dup276); + +var msg9339 = msg("6892", dup276); + +var msg9340 = msg("6893", dup276); + +var msg9341 = msg("6894", dup276); + +var msg9342 = msg("6895", dup276); + +var msg9343 = msg("6896", dup276); + +var msg9344 = msg("6897", dup276); + +var msg9345 = msg("6898", dup276); + +var msg9346 = msg("6899", dup276); + +var msg9347 = msg("6900", dup276); + +var msg9348 = msg("6901", dup276); + +var msg9349 = msg("6902", dup276); + +var msg9350 = msg("6903", dup276); + +var msg9351 = msg("6904", dup276); + +var msg9352 = msg("6905", dup276); + +var msg9353 = msg("6906", dup276); + +var msg9354 = msg("6907", dup276); + +var msg9355 = msg("6908", dup276); + +var msg9356 = msg("6909", dup276); + +var msg9357 = msg("6910", dup276); + +var msg9358 = msg("6911", dup276); + +var msg9359 = msg("6912", dup276); + +var msg9360 = msg("6913", dup276); + +var msg9361 = msg("6914", dup276); + +var msg9362 = msg("6915", dup276); + +var msg9363 = msg("6916", dup276); + +var msg9364 = msg("6917", dup276); + +var msg9365 = msg("6918", dup276); + +var msg9366 = msg("6919", dup276); + +var msg9367 = msg("6920", dup276); + +var msg9368 = msg("6921", dup276); + +var msg9369 = msg("6922", dup276); + +var msg9370 = msg("6923", dup276); + +var msg9371 = msg("6924", dup276); + +var msg9372 = msg("6925", dup276); + +var msg9373 = msg("6926", dup276); + +var msg9374 = msg("6927", dup276); + +var msg9375 = msg("6928", dup276); + +var msg9376 = msg("6929", dup276); + +var msg9377 = msg("6930", dup276); + +var msg9378 = msg("6931", dup276); + +var msg9379 = msg("6932", dup276); + +var msg9380 = msg("6933", dup276); + +var msg9381 = msg("6934", dup276); + +var msg9382 = msg("6935", dup276); + +var msg9383 = msg("6936", dup276); + +var msg9384 = msg("6937", dup276); + +var msg9385 = msg("6938", dup276); + +var msg9386 = msg("6939", dup276); + +var msg9387 = msg("6940", dup276); + +var msg9388 = msg("6941", dup276); + +var msg9389 = msg("6942", dup276); + +var msg9390 = msg("6943", dup276); + +var msg9391 = msg("6944", dup276); + +var msg9392 = msg("6945", dup276); + +var msg9393 = msg("6946", dup276); + +var msg9394 = msg("6947", dup276); + +var msg9395 = msg("6948", dup276); + +var msg9396 = msg("6949", dup276); + +var msg9397 = msg("6950", dup276); + +var msg9398 = msg("6951", dup276); + +var msg9399 = msg("6952", dup276); + +var msg9400 = msg("6953", dup276); + +var msg9401 = msg("6954", dup276); + +var msg9402 = msg("6955", dup276); + +var msg9403 = msg("6956", dup276); + +var msg9404 = msg("6957", dup276); + +var msg9405 = msg("6958", dup276); + +var msg9406 = msg("6959", dup276); + +var msg9407 = msg("6960", dup276); + +var msg9408 = msg("6961", dup276); + +var msg9409 = msg("6962", dup276); + +var msg9410 = msg("6963", dup276); + +var msg9411 = msg("6964", dup276); + +var msg9412 = msg("6965", dup276); + +var msg9413 = msg("6966", dup276); + +var msg9414 = msg("6967", dup276); + +var msg9415 = msg("6968", dup276); + +var msg9416 = msg("6969", dup276); + +var msg9417 = msg("6970", dup276); + +var msg9418 = msg("6971", dup276); + +var msg9419 = msg("6972", dup276); + +var msg9420 = msg("6973", dup276); + +var msg9421 = msg("6974", dup276); + +var msg9422 = msg("6975", dup276); + +var msg9423 = msg("6976", dup276); + +var msg9424 = msg("6977", dup276); + +var msg9425 = msg("6978", dup276); + +var msg9426 = msg("6979", dup276); + +var msg9427 = msg("6980", dup276); + +var msg9428 = msg("6981", dup276); + +var msg9429 = msg("6982", dup276); + +var msg9430 = msg("6983", dup276); + +var msg9431 = msg("6984", dup276); + +var msg9432 = msg("6985", dup276); + +var msg9433 = msg("6986", dup276); + +var msg9434 = msg("6987", dup276); + +var msg9435 = msg("6988", dup276); + +var msg9436 = msg("6989", dup276); + +var msg9437 = msg("6990", dup276); + +var msg9438 = msg("6991", dup276); + +var msg9439 = msg("6992", dup276); + +var msg9440 = msg("6993", dup276); + +var msg9441 = msg("6994", dup276); + +var msg9442 = msg("6995", dup276); + +var msg9443 = msg("6996", dup276); + +var msg9444 = msg("6997", dup276); + +var msg9445 = msg("6998", dup276); + +var msg9446 = msg("6999", dup276); + +var msg9447 = msg("7000", dup276); + +var msg9448 = msg("7001", dup276); + +var msg9449 = msg("7002", dup267); + +var msg9450 = msg("7003", dup265); + +var msg9451 = msg("7004", dup265); + +var msg9452 = msg("7005", dup265); + +var msg9453 = msg("7006", dup265); + +var msg9454 = msg("7007", dup265); + +var msg9455 = msg("7008", dup265); + +var msg9456 = msg("7009", dup265); + +var msg9457 = msg("7010", dup265); + +var msg9458 = msg("7011", dup265); + +var msg9459 = msg("7012", dup265); + +var msg9460 = msg("7013", dup265); + +var msg9461 = msg("7014", dup265); + +var msg9462 = msg("7015", dup265); + +var msg9463 = msg("7016", dup265); + +var msg9464 = msg("7017", dup265); + +var msg9465 = msg("7018", dup265); + +var msg9466 = msg("7019", dup196); + +var msg9467 = msg("7020", dup265); + +var msg9468 = msg("7021", dup198); + +var msg9469 = msg("7022", dup267); + +var msg9470 = msg("7023", dup196); + +var msg9471 = msg("7024", dup267); + +var msg9472 = msg("7025", dup267); + +var msg9473 = msg("7026", dup265); + +var msg9474 = msg("7027", dup265); + +var msg9475 = msg("7028", dup265); + +var msg9476 = msg("7029", dup265); + +var msg9477 = msg("7030", dup196); + +var msg9478 = msg("7031", dup196); + +var msg9479 = msg("7032", dup196); + +var msg9480 = msg("7033", dup196); + +var msg9481 = msg("7034", dup196); + +var msg9482 = msg("7035", dup276); + +var msg9483 = msg("7036", dup276); + +var msg9484 = msg("7037", dup276); + +var msg9485 = msg("7038", dup276); + +var msg9486 = msg("7039", dup276); + +var msg9487 = msg("7040", dup276); + +var msg9488 = msg("7041", dup276); + +var msg9489 = msg("7042", dup276); + +var msg9490 = msg("7043", dup276); + +var msg9491 = msg("7044", dup276); + +var msg9492 = msg("7045", dup276); + +var msg9493 = msg("7046", dup276); + +var msg9494 = msg("7047", dup267); + +var msg9495 = msg("7048", dup267); + +var msg9496 = msg("7049", dup303); + +var msg9497 = msg("7050", dup303); + +var msg9498 = msg("7051", dup303); + +var msg9499 = msg("7052", dup303); + +var msg9500 = msg("7053", dup303); + +var msg9501 = msg("7054", dup303); + +var msg9502 = msg("7055", dup303); + +var msg9503 = msg("7056", dup205); + +var msg9504 = msg("7057", dup205); + +var msg9505 = msg("7058", dup205); + +var msg9506 = msg("7059", dup205); + +var msg9507 = msg("7060", dup205); + +var msg9508 = msg("7061", dup205); + +var msg9509 = msg("7062", dup205); + +var msg9510 = msg("7063", dup205); + +var msg9511 = msg("7064", dup205); + +var msg9512 = msg("7065", dup205); + +var msg9513 = msg("7066", dup205); + +var msg9514 = msg("7067", dup205); + +var msg9515 = msg("7068", dup205); + +var msg9516 = msg("7069", dup205); + +var msg9517 = msg("7070", dup265); + +var msg9518 = msg("7071", dup265); + +var msg9519 = msg("7072", dup205); + +var msg9520 = msg("7073", dup205); + +var msg9521 = msg("7074", dup205); + +var msg9522 = msg("7075", dup205); + +var msg9523 = msg("7076", dup205); + +var msg9524 = msg("7077", dup205); + +var msg9525 = msg("7078", dup205); + +var msg9526 = msg("7079", dup205); + +var msg9527 = msg("7080", dup205); + +var msg9528 = msg("7081", dup205); + +var msg9529 = msg("7082", dup205); + +var msg9530 = msg("7083", dup205); + +var msg9531 = msg("7084", dup205); + +var msg9532 = msg("7085", dup205); + +var msg9533 = msg("7086", dup205); + +var msg9534 = msg("7087", dup205); + +var msg9535 = msg("7088", dup205); + +var msg9536 = msg("7089", dup205); + +var msg9537 = msg("7090", dup205); + +var msg9538 = msg("7091", dup205); + +var msg9539 = msg("7092", dup205); + +var msg9540 = msg("7093", dup205); + +var msg9541 = msg("7094", dup205); + +var msg9542 = msg("7095", dup205); + +var msg9543 = msg("7096", dup205); + +var msg9544 = msg("7097", dup205); + +var msg9545 = msg("7098", dup205); + +var msg9546 = msg("7099", dup205); + +var msg9547 = msg("7100", dup205); + +var msg9548 = msg("7101", dup205); + +var msg9549 = msg("7102", dup205); + +var msg9550 = msg("7103", dup205); + +var msg9551 = msg("7104", dup205); + +var msg9552 = msg("7105", dup205); + +var msg9553 = msg("7106", dup205); + +var msg9554 = msg("7107", dup205); + +var msg9555 = msg("7108", dup205); + +var msg9556 = msg("7109", dup205); + +var msg9557 = msg("7110", dup205); + +var msg9558 = msg("7111", dup205); + +var msg9559 = msg("7112", dup205); + +var msg9560 = msg("7113", dup205); + +var msg9561 = msg("7114", dup205); + +var msg9562 = msg("7115", dup205); + +var msg9563 = msg("7116", dup205); + +var msg9564 = msg("7117", dup205); + +var msg9565 = msg("7118", dup205); + +var msg9566 = msg("7119", dup205); + +var msg9567 = msg("7120", dup205); + +var msg9568 = msg("7121", dup205); + +var msg9569 = msg("7122", dup205); + +var msg9570 = msg("7123", dup303); + +var msg9571 = msg("7124", dup303); + +var msg9572 = msg("7125", dup303); + +var msg9573 = msg("7126", dup192); + +var msg9574 = msg("7127", dup303); + +var msg9575 = msg("7128", dup303); + +var msg9576 = msg("7129", dup303); + +var msg9577 = msg("7130", dup303); + +var msg9578 = msg("7131", dup303); + +var msg9579 = msg("7132", dup303); + +var msg9580 = msg("7133", dup303); + +var msg9581 = msg("7134", dup303); + +var msg9582 = msg("7135", dup303); + +var msg9583 = msg("7136", dup303); + +var msg9584 = msg("7137", dup303); + +var msg9585 = msg("7138", dup192); + +var msg9586 = msg("7139", dup192); + +var msg9587 = msg("7140", dup303); + +var msg9588 = msg("7141", dup303); + +var msg9589 = msg("7142", dup303); + +var msg9590 = msg("7143", dup303); + +var msg9591 = msg("7144", dup303); + +var msg9592 = msg("7145", dup303); + +var msg9593 = msg("7146", dup303); + +var msg9594 = msg("7147", dup303); + +var msg9595 = msg("7148", dup303); + +var msg9596 = msg("7149", dup303); + +var msg9597 = msg("7150", dup303); + +var msg9598 = msg("7151", dup303); + +var msg9599 = msg("7152", dup303); + +var msg9600 = msg("7153", dup303); + +var msg9601 = msg("7154", dup303); + +var msg9602 = msg("7155", dup303); + +var msg9603 = msg("7156", dup303); + +var msg9604 = msg("7157", dup303); + +var msg9605 = msg("7158", dup303); + +var msg9606 = msg("7159", dup303); + +var msg9607 = msg("7160", dup303); + +var msg9608 = msg("7161", dup303); + +var msg9609 = msg("7162", dup303); + +var msg9610 = msg("7163", dup303); + +var msg9611 = msg("7164", dup303); + +var msg9612 = msg("7165", dup303); + +var msg9613 = msg("7166", dup303); + +var msg9614 = msg("7167", dup303); + +var msg9615 = msg("7168", dup303); + +var msg9616 = msg("7169", dup303); + +var msg9617 = msg("7170", dup303); + +var msg9618 = msg("7171", dup303); + +var msg9619 = msg("7172", dup303); + +var msg9620 = msg("7173", dup303); + +var msg9621 = msg("7174", dup303); + +var msg9622 = msg("7175", dup303); + +var msg9623 = msg("7176", dup303); + +var msg9624 = msg("7177", dup303); + +var msg9625 = msg("7178", dup303); + +var msg9626 = msg("7179", dup303); + +var msg9627 = msg("7180", dup303); + +var msg9628 = msg("7181", dup303); + +var msg9629 = msg("7182", dup303); + +var msg9630 = msg("7183", dup303); + +var msg9631 = msg("7184", dup303); + +var msg9632 = msg("7185", dup303); + +var msg9633 = msg("7186", dup303); + +var msg9634 = msg("7187", dup303); + +var msg9635 = msg("7188", dup303); + +var msg9636 = msg("7189", dup303); + +var msg9637 = msg("7190", dup303); + +var msg9638 = msg("7191", dup303); + +var msg9639 = msg("7192", dup303); + +var msg9640 = msg("7193", dup303); + +var msg9641 = msg("7194", dup303); + +var msg9642 = msg("7195", dup303); + +var msg9643 = msg("7196", dup222); + +var msg9644 = msg("7197", dup265); + +var msg9645 = msg("7198", dup265); + +var msg9646 = msg("7199", dup267); + +var msg9647 = msg("7200", dup267); + +var msg9648 = msg("7201", dup267); + +var msg9649 = msg("7202", dup267); + +var msg9650 = msg("7203", dup267); + +var msg9651 = msg("7204", dup267); + +var msg9652 = msg("7205", dup267); + +var msg9653 = msg("7206", dup196); + +var msg9654 = msg("7207", dup260); + +var msg9655 = msg("7208", dup196); + +var msg9656 = msg("7209", dup276); + +var msg9657 = msg("7210", dup276); + +var msg9658 = msg("7211", dup276); + +var msg9659 = msg("7212", dup276); + +var msg9660 = msg("7213", dup276); + +var msg9661 = msg("7214", dup276); + +var msg9662 = msg("7215", dup276); + +var msg9663 = msg("7216", dup276); + +var msg9664 = msg("7217", dup276); + +var msg9665 = msg("7218", dup276); + +var msg9666 = msg("7219", dup276); + +var msg9667 = msg("7220", dup276); + +var msg9668 = msg("7221", dup276); + +var msg9669 = msg("7222", dup276); + +var msg9670 = msg("7223", dup276); + +var msg9671 = msg("7224", dup276); + +var msg9672 = msg("7225", dup276); + +var msg9673 = msg("7226", dup276); + +var msg9674 = msg("7227", dup276); + +var msg9675 = msg("7228", dup276); + +var msg9676 = msg("7229", dup276); + +var msg9677 = msg("7230", dup276); + +var msg9678 = msg("7231", dup276); + +var msg9679 = msg("7232", dup276); + +var msg9680 = msg("7233", dup276); + +var msg9681 = msg("7234", dup276); + +var msg9682 = msg("7235", dup276); + +var msg9683 = msg("7236", dup276); + +var msg9684 = msg("7237", dup276); + +var msg9685 = msg("7238", dup276); + +var msg9686 = msg("7239", dup276); + +var msg9687 = msg("7240", dup276); + +var msg9688 = msg("7241", dup276); + +var msg9689 = msg("7242", dup276); + +var msg9690 = msg("7243", dup276); + +var msg9691 = msg("7244", dup276); + +var msg9692 = msg("7245", dup276); + +var msg9693 = msg("7246", dup276); + +var msg9694 = msg("7247", dup276); + +var msg9695 = msg("7248", dup276); + +var msg9696 = msg("7249", dup276); + +var msg9697 = msg("7250", dup276); + +var msg9698 = msg("7251", dup276); + +var msg9699 = msg("7252", dup276); + +var msg9700 = msg("7253", dup276); + +var msg9701 = msg("7254", dup276); + +var msg9702 = msg("7255", dup276); + +var msg9703 = msg("7256", dup276); + +var msg9704 = msg("7257", dup276); + +var msg9705 = msg("7258", dup276); + +var msg9706 = msg("7259", dup276); + +var msg9707 = msg("7260", dup276); + +var msg9708 = msg("7261", dup276); + +var msg9709 = msg("7262", dup276); + +var msg9710 = msg("7263", dup276); + +var msg9711 = msg("7264", dup276); + +var msg9712 = msg("7265", dup276); + +var msg9713 = msg("7266", dup276); + +var msg9714 = msg("7267", dup276); + +var msg9715 = msg("7268", dup276); + +var msg9716 = msg("7269", dup276); + +var msg9717 = msg("7270", dup276); + +var msg9718 = msg("7271", dup276); + +var msg9719 = msg("7272", dup276); + +var msg9720 = msg("7273", dup276); + +var msg9721 = msg("7274", dup276); + +var msg9722 = msg("7275", dup276); + +var msg9723 = msg("7276", dup276); + +var msg9724 = msg("7277", dup276); + +var msg9725 = msg("7278", dup276); + +var msg9726 = msg("7279", dup276); + +var msg9727 = msg("7280", dup276); + +var msg9728 = msg("7281", dup276); + +var msg9729 = msg("7282", dup276); + +var msg9730 = msg("7283", dup276); + +var msg9731 = msg("7284", dup276); + +var msg9732 = msg("7285", dup276); + +var msg9733 = msg("7286", dup276); + +var msg9734 = msg("7287", dup276); + +var msg9735 = msg("7288", dup276); + +var msg9736 = msg("7289", dup276); + +var msg9737 = msg("7290", dup276); + +var msg9738 = msg("7291", dup276); + +var msg9739 = msg("7292", dup276); + +var msg9740 = msg("7293", dup276); + +var msg9741 = msg("7294", dup276); + +var msg9742 = msg("7295", dup276); + +var msg9743 = msg("7296", dup276); + +var msg9744 = msg("7297", dup276); + +var msg9745 = msg("7298", dup276); + +var msg9746 = msg("7299", dup276); + +var msg9747 = msg("7300", dup276); + +var msg9748 = msg("7301", dup276); + +var msg9749 = msg("7302", dup276); + +var msg9750 = msg("7303", dup276); + +var msg9751 = msg("7304", dup276); + +var msg9752 = msg("7305", dup276); + +var msg9753 = msg("7306", dup276); + +var msg9754 = msg("7307", dup276); + +var msg9755 = msg("7308", dup276); + +var msg9756 = msg("7309", dup276); + +var msg9757 = msg("7310", dup276); + +var msg9758 = msg("7311", dup276); + +var msg9759 = msg("7312", dup276); + +var msg9760 = msg("7313", dup276); + +var msg9761 = msg("7314", dup276); + +var msg9762 = msg("7315", dup276); + +var msg9763 = msg("7316", dup276); + +var msg9764 = msg("7317", dup276); + +var msg9765 = msg("7318", dup276); + +var msg9766 = msg("7319", dup276); + +var msg9767 = msg("7320", dup276); + +var msg9768 = msg("7321", dup276); + +var msg9769 = msg("7322", dup276); + +var msg9770 = msg("7323", dup276); + +var msg9771 = msg("7324", dup276); + +var msg9772 = msg("7325", dup276); + +var msg9773 = msg("7326", dup276); + +var msg9774 = msg("7327", dup276); + +var msg9775 = msg("7328", dup276); + +var msg9776 = msg("7329", dup276); + +var msg9777 = msg("7330", dup276); + +var msg9778 = msg("7331", dup276); + +var msg9779 = msg("7332", dup276); + +var msg9780 = msg("7333", dup276); + +var msg9781 = msg("7334", dup276); + +var msg9782 = msg("7335", dup276); + +var msg9783 = msg("7336", dup276); + +var msg9784 = msg("7337", dup276); + +var msg9785 = msg("7338", dup276); + +var msg9786 = msg("7339", dup276); + +var msg9787 = msg("7340", dup276); + +var msg9788 = msg("7341", dup276); + +var msg9789 = msg("7342", dup276); + +var msg9790 = msg("7343", dup276); + +var msg9791 = msg("7344", dup276); + +var msg9792 = msg("7345", dup276); + +var msg9793 = msg("7346", dup276); + +var msg9794 = msg("7347", dup276); + +var msg9795 = msg("7348", dup276); + +var msg9796 = msg("7349", dup276); + +var msg9797 = msg("7350", dup276); + +var msg9798 = msg("7351", dup276); + +var msg9799 = msg("7352", dup276); + +var msg9800 = msg("7353", dup276); + +var msg9801 = msg("7354", dup276); + +var msg9802 = msg("7355", dup276); + +var msg9803 = msg("7356", dup276); + +var msg9804 = msg("7357", dup276); + +var msg9805 = msg("7358", dup276); + +var msg9806 = msg("7359", dup276); + +var msg9807 = msg("7360", dup276); + +var msg9808 = msg("7361", dup276); + +var msg9809 = msg("7362", dup276); + +var msg9810 = msg("7363", dup276); + +var msg9811 = msg("7364", dup276); + +var msg9812 = msg("7365", dup276); + +var msg9813 = msg("7366", dup276); + +var msg9814 = msg("7367", dup276); + +var msg9815 = msg("7368", dup276); + +var msg9816 = msg("7369", dup276); + +var msg9817 = msg("7370", dup276); + +var msg9818 = msg("7371", dup276); + +var msg9819 = msg("7372", dup276); + +var msg9820 = msg("7373", dup276); + +var msg9821 = msg("7374", dup276); + +var msg9822 = msg("7375", dup276); + +var msg9823 = msg("7376", dup276); + +var msg9824 = msg("7377", dup276); + +var msg9825 = msg("7378", dup276); + +var msg9826 = msg("7379", dup276); + +var msg9827 = msg("7380", dup276); + +var msg9828 = msg("7381", dup276); + +var msg9829 = msg("7382", dup276); + +var msg9830 = msg("7383", dup276); + +var msg9831 = msg("7384", dup276); + +var msg9832 = msg("7385", dup276); + +var msg9833 = msg("7386", dup276); + +var msg9834 = msg("7387", dup276); + +var msg9835 = msg("7388", dup276); + +var msg9836 = msg("7389", dup276); + +var msg9837 = msg("7390", dup276); + +var msg9838 = msg("7391", dup276); + +var msg9839 = msg("7392", dup276); + +var msg9840 = msg("7393", dup276); + +var msg9841 = msg("7394", dup276); + +var msg9842 = msg("7395", dup276); + +var msg9843 = msg("7396", dup276); + +var msg9844 = msg("7397", dup276); + +var msg9845 = msg("7398", dup276); + +var msg9846 = msg("7399", dup276); + +var msg9847 = msg("7400", dup276); + +var msg9848 = msg("7401", dup276); + +var msg9849 = msg("7402", dup276); + +var msg9850 = msg("7403", dup276); + +var msg9851 = msg("7404", dup276); + +var msg9852 = msg("7405", dup276); + +var msg9853 = msg("7406", dup276); + +var msg9854 = msg("7407", dup276); + +var msg9855 = msg("7408", dup276); + +var msg9856 = msg("7409", dup276); + +var msg9857 = msg("7410", dup276); + +var msg9858 = msg("7411", dup276); + +var msg9859 = msg("7412", dup276); + +var msg9860 = msg("7413", dup276); + +var msg9861 = msg("7414", dup276); + +var msg9862 = msg("7415", dup276); + +var msg9863 = msg("7416", dup276); + +var msg9864 = msg("7417", dup276); + +var msg9865 = msg("7418", dup276); + +var msg9866 = msg("7419", dup276); + +var msg9867 = msg("7420", dup276); + +var msg9868 = msg("7421", dup196); + +var msg9869 = msg("7422", dup287); + +var msg9870 = msg("7423", dup287); + +var msg9871 = msg("7424", dup287); + +var msg9872 = msg("7425", dup265); + +var msg9873 = msg("7426", dup265); + +var msg9874 = msg("7427", dup265); + +var msg9875 = msg("7428", dup265); + +var msg9876 = msg("7429", dup265); + +var msg9877 = msg("7430", dup265); + +var msg9878 = msg("7431", dup265); + +var msg9879 = msg("7432", dup265); + +var msg9880 = msg("7433", dup265); + +var msg9881 = msg("7434", dup265); + +var msg9882 = msg("7435", dup265); + +var msg9883 = msg("7436", dup265); + +var msg9884 = msg("7437", dup265); + +var msg9885 = msg("7438", dup265); + +var msg9886 = msg("7439", dup265); + +var msg9887 = msg("7440", dup265); + +var msg9888 = msg("7441", dup265); + +var msg9889 = msg("7442", dup265); + +var msg9890 = msg("7443", dup265); + +var msg9891 = msg("7444", dup265); + +var msg9892 = msg("7445", dup265); + +var msg9893 = msg("7446", dup265); + +var msg9894 = msg("7447", dup265); + +var msg9895 = msg("7448", dup265); + +var msg9896 = msg("7449", dup265); + +var msg9897 = msg("7450", dup265); + +var msg9898 = msg("7451", dup265); + +var msg9899 = msg("7452", dup265); + +var msg9900 = msg("7453", dup265); + +var msg9901 = msg("7454", dup265); + +var msg9902 = msg("7455", dup265); + +var msg9903 = msg("7456", dup265); + +var msg9904 = msg("7457", dup265); + +var msg9905 = msg("7458", dup265); + +var msg9906 = msg("7459", dup265); + +var msg9907 = msg("7460", dup265); + +var msg9908 = msg("7461", dup265); + +var msg9909 = msg("7462", dup265); + +var msg9910 = msg("7463", dup265); + +var msg9911 = msg("7464", dup265); + +var msg9912 = msg("7465", dup265); + +var msg9913 = msg("7466", dup265); + +var msg9914 = msg("7467", dup265); + +var msg9915 = msg("7468", dup265); + +var msg9916 = msg("7469", dup265); + +var msg9917 = msg("7470", dup265); + +var msg9918 = msg("7471", dup265); + +var msg9919 = msg("7472", dup265); + +var msg9920 = msg("7473", dup265); + +var msg9921 = msg("7474", dup265); + +var msg9922 = msg("7475", dup265); + +var msg9923 = msg("7476", dup265); + +var msg9924 = msg("7477", dup265); + +var msg9925 = msg("7478", dup265); + +var msg9926 = msg("7479", dup265); + +var msg9927 = msg("7480", dup265); + +var msg9928 = msg("7481", dup265); + +var msg9929 = msg("7482", dup265); + +var msg9930 = msg("7483", dup265); + +var msg9931 = msg("7484", dup265); + +var msg9932 = msg("7485", dup265); + +var msg9933 = msg("7486", dup265); + +var msg9934 = msg("7487", dup265); + +var msg9935 = msg("7488", dup265); + +var msg9936 = msg("7489", dup265); + +var msg9937 = msg("7490", dup265); + +var msg9938 = msg("7491", dup265); + +var msg9939 = msg("7492", dup265); + +var msg9940 = msg("7493", dup265); + +var msg9941 = msg("7494", dup265); + +var msg9942 = msg("7495", dup265); + +var msg9943 = msg("7496", dup265); + +var msg9944 = msg("7497", dup265); + +var msg9945 = msg("7498", dup265); + +var msg9946 = msg("7499", dup265); + +var msg9947 = msg("7500", dup265); + +var msg9948 = msg("7501", dup265); + +var msg9949 = msg("7502", dup265); + +var msg9950 = msg("7503", dup265); + +var msg9951 = msg("7504", dup303); + +var msg9952 = msg("7505", dup303); + +var msg9953 = msg("7506", dup303); + +var msg9954 = msg("7507", dup303); + +var msg9955 = msg("7508", dup303); + +var msg9956 = msg("7509", dup303); + +var msg9957 = msg("7510", dup303); + +var msg9958 = msg("7511", dup303); + +var msg9959 = msg("7512", dup303); + +var msg9960 = msg("7513", dup303); + +var msg9961 = msg("7514", dup303); + +var msg9962 = msg("7515", dup303); + +var msg9963 = msg("7516", dup303); + +var msg9964 = msg("7517", dup303); + +var msg9965 = msg("7518", dup303); + +var msg9966 = msg("7519", dup303); + +var msg9967 = msg("7520", dup303); + +var msg9968 = msg("7521", dup303); + +var msg9969 = msg("7522", dup303); + +var msg9970 = msg("7523", dup303); + +var msg9971 = msg("7524", dup303); + +var msg9972 = msg("7525", dup303); + +var msg9973 = msg("7526", dup303); + +var msg9974 = msg("7527", dup303); + +var msg9975 = msg("7528", dup303); + +var msg9976 = msg("7529", dup303); + +var msg9977 = msg("7530", dup303); + +var msg9978 = msg("7531", dup303); + +var msg9979 = msg("7532", dup303); + +var msg9980 = msg("7533", dup303); + +var msg9981 = msg("7534", dup303); + +var msg9982 = msg("7535", dup303); + +var msg9983 = msg("7536", dup303); + +var msg9984 = msg("7537", dup303); + +var msg9985 = msg("7538", dup303); + +var msg9986 = msg("7539", dup303); + +var msg9987 = msg("7540", dup303); + +var msg9988 = msg("7541", dup303); + +var msg9989 = msg("7542", dup303); + +var msg9990 = msg("7543", dup303); + +var msg9991 = msg("7544", dup303); + +var msg9992 = msg("7545", dup303); + +var msg9993 = msg("7546", dup303); + +var msg9994 = msg("7547", dup303); + +var msg9995 = msg("7548", dup303); + +var msg9996 = msg("7549", dup303); + +var msg9997 = msg("7550", dup303); + +var msg9998 = msg("7551", dup303); + +var msg9999 = msg("7552", dup303); + +var msg10000 = msg("7553", dup303); + +var msg10001 = msg("7554", dup303); + +var msg10002 = msg("7555", dup303); + +var msg10003 = msg("7556", dup303); + +var msg10004 = msg("7557", dup303); + +var msg10005 = msg("7558", dup303); + +var msg10006 = msg("7559", dup303); + +var msg10007 = msg("7560", dup303); + +var msg10008 = msg("7561", dup303); + +var msg10009 = msg("7562", dup303); + +var msg10010 = msg("7563", dup303); + +var msg10011 = msg("7564", dup303); + +var msg10012 = msg("7565", dup303); + +var msg10013 = msg("7566", dup303); + +var msg10014 = msg("7567", dup303); + +var msg10015 = msg("7568", dup303); + +var msg10016 = msg("7569", dup303); + +var msg10017 = msg("7570", dup303); + +var msg10018 = msg("7571", dup303); + +var msg10019 = msg("7572", dup303); + +var msg10020 = msg("7573", dup303); + +var msg10021 = msg("7574", dup303); + +var msg10022 = msg("7575", dup303); + +var msg10023 = msg("7576", dup303); + +var msg10024 = msg("7577", dup303); + +var msg10025 = msg("7578", dup303); + +var msg10026 = msg("7579", dup303); + +var msg10027 = msg("7580", dup303); + +var msg10028 = msg("7581", dup303); + +var msg10029 = msg("7582", dup303); + +var msg10030 = msg("7583", dup303); + +var msg10031 = msg("7584", dup303); + +var msg10032 = msg("7585", dup303); + +var msg10033 = msg("7586", dup303); + +var msg10034 = msg("7587", dup303); + +var msg10035 = msg("7588", dup303); + +var msg10036 = msg("7589", dup303); + +var msg10037 = msg("7590", dup303); + +var msg10038 = msg("7591", dup303); + +var msg10039 = msg("7592", dup303); + +var msg10040 = msg("7593", dup303); + +var msg10041 = msg("7594", dup303); + +var msg10042 = msg("7595", dup303); + +var msg10043 = msg("7596", dup303); + +var msg10044 = msg("7597", dup303); + +var msg10045 = msg("7598", dup303); + +var msg10046 = msg("7599", dup303); + +var msg10047 = msg("7600", dup303); + +var msg10048 = msg("7601", dup303); + +var msg10049 = msg("7602", dup303); + +var msg10050 = msg("7603", dup303); + +var msg10051 = msg("7604", dup205); + +var msg10052 = msg("7605", dup205); + +var msg10053 = msg("7606", dup205); + +var msg10054 = msg("7607", dup205); + +var msg10055 = msg("7608", dup205); + +var msg10056 = msg("7609", dup205); + +var msg10057 = msg("7610", dup205); + +var msg10058 = msg("7611", dup205); + +var msg10059 = msg("7612", dup205); + +var msg10060 = msg("7613", dup205); + +var msg10061 = msg("7614", dup205); + +var msg10062 = msg("7615", dup205); + +var msg10063 = msg("7616", dup205); + +var msg10064 = msg("7617", dup205); + +var msg10065 = msg("7618", dup205); + +var msg10066 = msg("7619", dup205); + +var msg10067 = msg("7620", dup205); + +var msg10068 = msg("7621", dup205); + +var msg10069 = msg("7622", dup205); + +var msg10070 = msg("7623", dup205); + +var msg10071 = msg("7624", dup205); + +var msg10072 = msg("7625", dup205); + +var msg10073 = msg("7626", dup205); + +var msg10074 = msg("7627", dup205); + +var msg10075 = msg("7628", dup205); + +var msg10076 = msg("7629", dup205); + +var msg10077 = msg("7630", dup205); + +var msg10078 = msg("7631", dup205); + +var msg10079 = msg("7632", dup205); + +var msg10080 = msg("7633", dup205); + +var msg10081 = msg("7634", dup205); + +var msg10082 = msg("7635", dup205); + +var msg10083 = msg("7636", dup205); + +var msg10084 = msg("7637", dup205); + +var msg10085 = msg("7638", dup205); + +var msg10086 = msg("7639", dup205); + +var msg10087 = msg("7640", dup205); + +var msg10088 = msg("7641", dup205); + +var msg10089 = msg("7642", dup205); + +var msg10090 = msg("7643", dup205); + +var msg10091 = msg("7644", dup205); + +var msg10092 = msg("7645", dup205); + +var msg10093 = msg("7646", dup205); + +var msg10094 = msg("7647", dup205); + +var msg10095 = msg("7648", dup205); + +var msg10096 = msg("7649", dup205); + +var msg10097 = msg("7650", dup205); + +var msg10098 = msg("7651", dup205); + +var msg10099 = msg("7652", dup205); + +var msg10100 = msg("7653", dup205); + +var msg10101 = msg("7654", dup205); + +var msg10102 = msg("7655", dup205); + +var msg10103 = msg("7656", dup205); + +var msg10104 = msg("7657", dup205); + +var msg10105 = msg("7658", dup205); + +var msg10106 = msg("7659", dup205); + +var msg10107 = msg("7660", dup205); + +var msg10108 = msg("7661", dup205); + +var msg10109 = msg("7662", dup205); + +var msg10110 = msg("7663", dup205); + +var msg10111 = msg("7664", dup205); + +var msg10112 = msg("7665", dup205); + +var msg10113 = msg("7666", dup205); + +var msg10114 = msg("7667", dup205); + +var msg10115 = msg("7668", dup205); + +var msg10116 = msg("7669", dup205); + +var msg10117 = msg("7670", dup205); + +var msg10118 = msg("7671", dup205); + +var msg10119 = msg("7672", dup205); + +var msg10120 = msg("7673", dup205); + +var msg10121 = msg("7674", dup205); + +var msg10122 = msg("7675", dup205); + +var msg10123 = msg("7676", dup205); + +var msg10124 = msg("7677", dup205); + +var msg10125 = msg("7678", dup205); + +var msg10126 = msg("7679", dup205); + +var msg10127 = msg("7680", dup205); + +var msg10128 = msg("7681", dup205); + +var msg10129 = msg("7682", dup205); + +var msg10130 = msg("7683", dup205); + +var msg10131 = msg("7684", dup205); + +var msg10132 = msg("7685", dup205); + +var msg10133 = msg("7686", dup205); + +var msg10134 = msg("7687", dup205); + +var msg10135 = msg("7688", dup205); + +var msg10136 = msg("7689", dup205); + +var msg10137 = msg("7690", dup205); + +var msg10138 = msg("7691", dup205); + +var msg10139 = msg("7692", dup205); + +var msg10140 = msg("7693", dup205); + +var msg10141 = msg("7694", dup205); + +var msg10142 = msg("7695", dup205); + +var msg10143 = msg("7696", dup205); + +var msg10144 = msg("7697", dup205); + +var msg10145 = msg("7698", dup205); + +var msg10146 = msg("7699", dup205); + +var msg10147 = msg("7700", dup205); + +var msg10148 = msg("7701", dup205); + +var msg10149 = msg("7702", dup205); + +var msg10150 = msg("7703", dup205); + +var msg10151 = msg("7704", dup205); + +var msg10152 = msg("7705", dup205); + +var msg10153 = msg("7706", dup205); + +var msg10154 = msg("7707", dup205); + +var msg10155 = msg("7708", dup205); + +var msg10156 = msg("7709", dup205); + +var msg10157 = msg("7710", dup205); + +var msg10158 = msg("7711", dup205); + +var msg10159 = msg("7712", dup205); + +var msg10160 = msg("7713", dup205); + +var msg10161 = msg("7714", dup205); + +var msg10162 = msg("7715", dup205); + +var msg10163 = msg("7716", dup205); + +var msg10164 = msg("7717", dup205); + +var msg10165 = msg("7718", dup205); + +var msg10166 = msg("7719", dup205); + +var msg10167 = msg("7720", dup205); + +var msg10168 = msg("7721", dup205); + +var msg10169 = msg("7722", dup205); + +var msg10170 = msg("7723", dup205); + +var msg10171 = msg("7724", dup205); + +var msg10172 = msg("7725", dup205); + +var msg10173 = msg("7726", dup205); + +var msg10174 = msg("7727", dup205); + +var msg10175 = msg("7728", dup205); + +var msg10176 = msg("7729", dup205); + +var msg10177 = msg("7730", dup205); + +var msg10178 = msg("7731", dup205); + +var msg10179 = msg("7732", dup205); + +var msg10180 = msg("7733", dup205); + +var msg10181 = msg("7734", dup205); + +var msg10182 = msg("7735", dup205); + +var msg10183 = msg("7736", dup205); + +var msg10184 = msg("7737", dup205); + +var msg10185 = msg("7738", dup205); + +var msg10186 = msg("7739", dup205); + +var msg10187 = msg("7740", dup205); + +var msg10188 = msg("7741", dup205); + +var msg10189 = msg("7742", dup205); + +var msg10190 = msg("7743", dup205); + +var msg10191 = msg("7744", dup205); + +var msg10192 = msg("7745", dup205); + +var msg10193 = msg("7746", dup205); + +var msg10194 = msg("7747", dup205); + +var msg10195 = msg("7748", dup205); + +var msg10196 = msg("7749", dup205); + +var msg10197 = msg("7750", dup205); + +var msg10198 = msg("7751", dup205); + +var msg10199 = msg("7752", dup205); + +var msg10200 = msg("7753", dup205); + +var msg10201 = msg("7754", dup205); + +var msg10202 = msg("7755", dup205); + +var msg10203 = msg("7756", dup205); + +var msg10204 = msg("7757", dup205); + +var msg10205 = msg("7758", dup205); + +var msg10206 = msg("7759", dup205); + +var msg10207 = msg("7760", dup205); + +var msg10208 = msg("7761", dup205); + +var msg10209 = msg("7762", dup205); + +var msg10210 = msg("7763", dup205); + +var msg10211 = msg("7764", dup205); + +var msg10212 = msg("7765", dup205); + +var msg10213 = msg("7766", dup205); + +var msg10214 = msg("7767", dup205); + +var msg10215 = msg("7768", dup205); + +var msg10216 = msg("7769", dup205); + +var msg10217 = msg("7770", dup205); + +var msg10218 = msg("7771", dup205); + +var msg10219 = msg("7772", dup205); + +var msg10220 = msg("7773", dup205); + +var msg10221 = msg("7774", dup205); + +var msg10222 = msg("7775", dup205); + +var msg10223 = msg("7776", dup205); + +var msg10224 = msg("7777", dup205); + +var msg10225 = msg("7778", dup205); + +var msg10226 = msg("7779", dup205); + +var msg10227 = msg("7780", dup205); + +var msg10228 = msg("7781", dup205); + +var msg10229 = msg("7782", dup205); + +var msg10230 = msg("7783", dup205); + +var msg10231 = msg("7784", dup205); + +var msg10232 = msg("7785", dup205); + +var msg10233 = msg("7786", dup205); + +var msg10234 = msg("7787", dup205); + +var msg10235 = msg("7788", dup205); + +var msg10236 = msg("7789", dup205); + +var msg10237 = msg("7790", dup205); + +var msg10238 = msg("7791", dup205); + +var msg10239 = msg("7792", dup205); + +var msg10240 = msg("7793", dup205); + +var msg10241 = msg("7794", dup205); + +var msg10242 = msg("7795", dup205); + +var msg10243 = msg("7796", dup205); + +var msg10244 = msg("7797", dup205); + +var msg10245 = msg("7798", dup205); + +var msg10246 = msg("7799", dup205); + +var msg10247 = msg("7800", dup205); + +var msg10248 = msg("7801", dup205); + +var msg10249 = msg("7802", dup205); + +var msg10250 = msg("7803", dup205); + +var msg10251 = msg("7804", dup205); + +var msg10252 = msg("7805", dup205); + +var msg10253 = msg("7806", dup205); + +var msg10254 = msg("7807", dup205); + +var msg10255 = msg("7808", dup205); + +var msg10256 = msg("7809", dup205); + +var msg10257 = msg("7810", dup205); + +var msg10258 = msg("7811", dup205); + +var msg10259 = msg("7812", dup205); + +var msg10260 = msg("7813", dup205); + +var msg10261 = msg("7814", dup205); + +var msg10262 = msg("7815", dup205); + +var msg10263 = msg("7816", dup205); + +var msg10264 = msg("7817", dup205); + +var msg10265 = msg("7818", dup205); + +var msg10266 = msg("7819", dup205); + +var msg10267 = msg("7820", dup205); + +var msg10268 = msg("7821", dup205); + +var msg10269 = msg("7822", dup205); + +var msg10270 = msg("7823", dup303); + +var msg10271 = msg("7824", dup303); + +var msg10272 = msg("7825", dup303); + +var msg10273 = msg("7826", dup303); + +var msg10274 = msg("7827", dup303); + +var msg10275 = msg("7828", dup303); + +var msg10276 = msg("7829", dup303); + +var msg10277 = msg("7830", dup303); + +var msg10278 = msg("7831", dup303); + +var msg10279 = msg("7832", dup303); + +var msg10280 = msg("7833", dup303); + +var msg10281 = msg("7834", dup303); + +var msg10282 = msg("7835", dup303); + +var msg10283 = msg("7836", dup303); + +var msg10284 = msg("7837", dup303); + +var msg10285 = msg("7838", dup303); + +var msg10286 = msg("7839", dup303); + +var msg10287 = msg("7840", dup303); + +var msg10288 = msg("7841", dup303); + +var msg10289 = msg("7842", dup303); + +var msg10290 = msg("7843", dup303); + +var msg10291 = msg("7844", dup303); + +var msg10292 = msg("7845", dup303); + +var msg10293 = msg("7846", dup303); + +var msg10294 = msg("7847", dup303); + +var msg10295 = msg("7848", dup303); + +var msg10296 = msg("7849", dup303); + +var msg10297 = msg("7850", dup303); + +var msg10298 = msg("7851", dup303); + +var msg10299 = msg("7852", dup303); + +var msg10300 = msg("7853", dup303); + +var msg10301 = msg("7854", dup303); + +var msg10302 = msg("7855", dup303); + +var msg10303 = msg("7856", dup303); + +var msg10304 = msg("7857", dup303); + +var msg10305 = msg("7858", dup196); + +var msg10306 = msg("7859", dup196); + +var msg10307 = msg("7860", dup196); + +var msg10308 = msg("7861", dup196); + +var msg10309 = msg("7862", dup265); + +var msg10310 = msg("7863", dup265); + +var msg10311 = msg("7864", dup265); + +var msg10312 = msg("7865", dup265); + +var msg10313 = msg("7866", dup265); + +var msg10314 = msg("7867", dup265); + +var msg10315 = msg("7868", dup265); + +var msg10316 = msg("7869", dup265); + +var msg10317 = msg("7870", dup265); + +var msg10318 = msg("7871", dup265); + +var msg10319 = msg("7872", dup265); + +var msg10320 = msg("7873", dup265); + +var msg10321 = msg("7874", dup265); + +var msg10322 = msg("7875", dup265); + +var msg10323 = msg("7876", dup265); + +var msg10324 = msg("7877", dup265); + +var msg10325 = msg("7878", dup265); + +var msg10326 = msg("7879", dup265); + +var msg10327 = msg("7880", dup265); + +var msg10328 = msg("7881", dup265); + +var msg10329 = msg("7882", dup265); + +var msg10330 = msg("7883", dup265); + +var msg10331 = msg("7884", dup265); + +var msg10332 = msg("7885", dup265); + +var msg10333 = msg("7886", dup265); + +var msg10334 = msg("7887", dup265); + +var msg10335 = msg("7888", dup265); + +var msg10336 = msg("7889", dup265); + +var msg10337 = msg("7890", dup265); + +var msg10338 = msg("7891", dup265); + +var msg10339 = msg("7892", dup265); + +var msg10340 = msg("7893", dup265); + +var msg10341 = msg("7894", dup265); + +var msg10342 = msg("7895", dup265); + +var msg10343 = msg("7896", dup265); + +var msg10344 = msg("7897", dup265); + +var msg10345 = msg("7898", dup265); + +var msg10346 = msg("7899", dup265); + +var msg10347 = msg("7900", dup265); + +var msg10348 = msg("7901", dup265); + +var msg10349 = msg("7902", dup265); + +var msg10350 = msg("7903", dup265); + +var msg10351 = msg("7904", dup265); + +var msg10352 = msg("7905", dup265); + +var msg10353 = msg("7906", dup265); + +var msg10354 = msg("7907", dup265); + +var msg10355 = msg("7908", dup265); + +var msg10356 = msg("7909", dup265); + +var msg10357 = msg("7910", dup265); + +var msg10358 = msg("7911", dup265); + +var msg10359 = msg("7912", dup265); + +var msg10360 = msg("7913", dup265); + +var msg10361 = msg("7914", dup265); + +var msg10362 = msg("7915", dup265); + +var msg10363 = msg("7916", dup265); + +var msg10364 = msg("7917", dup265); + +var msg10365 = msg("7918", dup265); + +var msg10366 = msg("7919", dup265); + +var msg10367 = msg("7920", dup265); + +var msg10368 = msg("7921", dup265); + +var msg10369 = msg("7922", dup265); + +var msg10370 = msg("7923", dup265); + +var msg10371 = msg("7924", dup265); + +var msg10372 = msg("7925", dup265); + +var msg10373 = msg("7926", dup265); + +var msg10374 = msg("7927", dup265); + +var msg10375 = msg("7928", dup265); + +var msg10376 = msg("7929", dup265); + +var msg10377 = msg("7930", dup265); + +var msg10378 = msg("7931", dup265); + +var msg10379 = msg("7932", dup265); + +var msg10380 = msg("7933", dup265); + +var msg10381 = msg("7934", dup265); + +var msg10382 = msg("7935", dup265); + +var msg10383 = msg("7936", dup265); + +var msg10384 = msg("7937", dup265); + +var msg10385 = msg("7938", dup265); + +var msg10386 = msg("7939", dup265); + +var msg10387 = msg("7940", dup265); + +var msg10388 = msg("7941", dup265); + +var msg10389 = msg("7942", dup265); + +var msg10390 = msg("7943", dup265); + +var msg10391 = msg("7944", dup265); + +var msg10392 = msg("7945", dup265); + +var msg10393 = msg("7946", dup265); + +var msg10394 = msg("7947", dup265); + +var msg10395 = msg("7948", dup265); + +var msg10396 = msg("7949", dup265); + +var msg10397 = msg("7950", dup265); + +var msg10398 = msg("7951", dup265); + +var msg10399 = msg("7952", dup265); + +var msg10400 = msg("7953", dup265); + +var msg10401 = msg("7954", dup265); + +var msg10402 = msg("7955", dup265); + +var msg10403 = msg("7956", dup265); + +var msg10404 = msg("7957", dup265); + +var msg10405 = msg("7958", dup265); + +var msg10406 = msg("7959", dup265); + +var msg10407 = msg("7960", dup265); + +var msg10408 = msg("7961", dup265); + +var msg10409 = msg("7962", dup265); + +var msg10410 = msg("7963", dup265); + +var msg10411 = msg("7964", dup265); + +var msg10412 = msg("7965", dup265); + +var msg10413 = msg("7966", dup265); + +var msg10414 = msg("7967", dup265); + +var msg10415 = msg("7968", dup265); + +var msg10416 = msg("7969", dup265); + +var msg10417 = msg("7970", dup265); + +var msg10418 = msg("7971", dup265); + +var msg10419 = msg("7972", dup265); + +var msg10420 = msg("7973", dup265); + +var msg10421 = msg("7974", dup265); + +var msg10422 = msg("7975", dup265); + +var msg10423 = msg("7976", dup265); + +var msg10424 = msg("7977", dup265); + +var msg10425 = msg("7978", dup265); + +var msg10426 = msg("7979", dup265); + +var msg10427 = msg("7980", dup265); + +var msg10428 = msg("7981", dup265); + +var msg10429 = msg("7982", dup265); + +var msg10430 = msg("7983", dup265); + +var msg10431 = msg("7984", dup265); + +var msg10432 = msg("7985", dup265); + +var msg10433 = msg("7986", dup265); + +var msg10434 = msg("7987", dup265); + +var msg10435 = msg("7988", dup265); + +var msg10436 = msg("7989", dup265); + +var msg10437 = msg("7990", dup265); + +var msg10438 = msg("7991", dup265); + +var msg10439 = msg("7992", dup265); + +var msg10440 = msg("7993", dup265); + +var msg10441 = msg("7994", dup265); + +var msg10442 = msg("7995", dup265); + +var msg10443 = msg("7996", dup265); + +var msg10444 = msg("7997", dup265); + +var msg10445 = msg("7998", dup265); + +var msg10446 = msg("7999", dup265); + +var msg10447 = msg("8000", dup265); + +var msg10448 = msg("8001", dup265); + +var msg10449 = msg("8002", dup265); + +var msg10450 = msg("8003", dup265); + +var msg10451 = msg("8004", dup265); + +var msg10452 = msg("8005", dup265); + +var msg10453 = msg("8006", dup265); + +var msg10454 = msg("8007", dup265); + +var msg10455 = msg("8008", dup265); + +var msg10456 = msg("8009", dup265); + +var msg10457 = msg("8010", dup265); + +var msg10458 = msg("8011", dup265); + +var msg10459 = msg("8012", dup265); + +var msg10460 = msg("8013", dup265); + +var msg10461 = msg("8014", dup265); + +var msg10462 = msg("8015", dup265); + +var msg10463 = msg("8016", dup265); + +var msg10464 = msg("8017", dup265); + +var msg10465 = msg("8018", dup265); + +var msg10466 = msg("8019", dup265); + +var msg10467 = msg("8020", dup265); + +var msg10468 = msg("8021", dup265); + +var msg10469 = msg("8022", dup265); + +var msg10470 = msg("8023", dup265); + +var msg10471 = msg("8024", dup265); + +var msg10472 = msg("8025", dup265); + +var msg10473 = msg("8026", dup265); + +var msg10474 = msg("8027", dup265); + +var msg10475 = msg("8028", dup265); + +var msg10476 = msg("8029", dup265); + +var msg10477 = msg("8030", dup265); + +var msg10478 = msg("8031", dup265); + +var msg10479 = msg("8032", dup265); + +var msg10480 = msg("8033", dup265); + +var msg10481 = msg("8034", dup265); + +var msg10482 = msg("8035", dup265); + +var msg10483 = msg("8036", dup265); + +var msg10484 = msg("8037", dup265); + +var msg10485 = msg("8038", dup265); + +var msg10486 = msg("8039", dup265); + +var msg10487 = msg("8040", dup265); + +var msg10488 = msg("8041", dup265); + +var msg10489 = msg("8042", dup265); + +var msg10490 = msg("8043", dup265); + +var msg10491 = msg("8044", dup265); + +var msg10492 = msg("8045", dup265); + +var msg10493 = msg("8046", dup265); + +var msg10494 = msg("8047", dup265); + +var msg10495 = msg("8048", dup265); + +var msg10496 = msg("8049", dup265); + +var msg10497 = msg("8050", dup265); + +var msg10498 = msg("8051", dup265); + +var msg10499 = msg("8052", dup265); + +var msg10500 = msg("8053", dup265); + +var msg10501 = msg("8054", dup265); + +var msg10502 = msg("8055", dup265); + +var msg10503 = msg("8056", dup198); + +var msg10504 = msg("8057", dup198); + +var msg10505 = msg("8058", dup265); + +var msg10506 = msg("8059", dup260); + +var msg10507 = msg("8060", dup197); + +var msg10508 = msg("8061", dup265); + +var msg10509 = msg("8062", dup265); + +var msg10510 = msg("8063", dup265); + +var msg10511 = msg("8064", dup265); + +var msg10512 = msg("8065", dup265); + +var msg10513 = msg("8066", dup265); + +var msg10514 = msg("8067", dup265); + +var msg10515 = msg("8068", dup265); + +var msg10516 = msg("8069", dup265); + +var msg10517 = msg("8070", dup265); + +var msg10518 = msg("8071", dup303); + +var msg10519 = msg("8072", dup303); + +var msg10520 = msg("8073", dup303); + +var msg10521 = msg("8074", dup205); + +var msg10522 = msg("8075", dup205); + +var msg10523 = msg("8076", dup205); + +var msg10524 = msg("8077", dup205); + +var msg10525 = msg("8078", dup205); + +var msg10526 = msg("8079", dup205); + +var msg10527 = msg("8080", dup205); + +var msg10528 = msg("8081", dup194); + +var msg10529 = msg("8082", dup196); + +var msg10530 = msg("8083", dup197); + +var msg10531 = msg("8084", dup265); + +var msg10532 = msg("8085", dup267); + +var msg10533 = msg("8086", dup267); + +var msg10534 = msg("8087", dup201); + +var msg10535 = msg("8088", dup267); + +var msg10536 = msg("8089", dup267); + +var msg10537 = msg("8090", dup201); + +var msg10538 = msg("8091", dup267); + +var msg10539 = msg("8092", dup198); + +var msg10540 = msg("8093", dup276); + +var msg10541 = msg("8094", dup276); + +var msg10542 = msg("8095", dup276); + +var msg10543 = msg("8096", dup276); + +var msg10544 = msg("8097", dup276); + +var msg10545 = msg("8098", dup276); + +var msg10546 = msg("8099", dup276); + +var msg10547 = msg("8100", dup276); + +var msg10548 = msg("8101", dup276); + +var msg10549 = msg("8102", dup276); + +var msg10550 = msg("8103", dup276); + +var msg10551 = msg("8104", dup276); + +var msg10552 = msg("8105", dup276); + +var msg10553 = msg("8106", dup276); + +var msg10554 = msg("8107", dup276); + +var msg10555 = msg("8108", dup276); + +var msg10556 = msg("8109", dup276); + +var msg10557 = msg("8110", dup276); + +var msg10558 = msg("8111", dup276); + +var msg10559 = msg("8112", dup276); + +var msg10560 = msg("8113", dup276); + +var msg10561 = msg("8114", dup276); + +var msg10562 = msg("8115", dup276); + +var msg10563 = msg("8116", dup276); + +var msg10564 = msg("8117", dup276); + +var msg10565 = msg("8118", dup276); + +var msg10566 = msg("8119", dup276); + +var msg10567 = msg("8120", dup276); + +var msg10568 = msg("8121", dup276); + +var msg10569 = msg("8122", dup276); + +var msg10570 = msg("8123", dup276); + +var msg10571 = msg("8124", dup276); + +var msg10572 = msg("8125", dup276); + +var msg10573 = msg("8126", dup276); + +var msg10574 = msg("8127", dup276); + +var msg10575 = msg("8128", dup276); + +var msg10576 = msg("8129", dup276); + +var msg10577 = msg("8130", dup276); + +var msg10578 = msg("8131", dup276); + +var msg10579 = msg("8132", dup276); + +var msg10580 = msg("8133", dup276); + +var msg10581 = msg("8134", dup276); + +var msg10582 = msg("8135", dup276); + +var msg10583 = msg("8136", dup276); + +var msg10584 = msg("8137", dup276); + +var msg10585 = msg("8138", dup276); + +var msg10586 = msg("8139", dup276); + +var msg10587 = msg("8140", dup276); + +var msg10588 = msg("8141", dup276); + +var msg10589 = msg("8142", dup276); + +var msg10590 = msg("8143", dup276); + +var msg10591 = msg("8144", dup276); + +var msg10592 = msg("8145", dup276); + +var msg10593 = msg("8146", dup276); + +var msg10594 = msg("8147", dup276); + +var msg10595 = msg("8148", dup276); + +var msg10596 = msg("8149", dup276); + +var msg10597 = msg("8150", dup276); + +var msg10598 = msg("8151", dup276); + +var msg10599 = msg("8152", dup276); + +var msg10600 = msg("8153", dup276); + +var msg10601 = msg("8154", dup276); + +var msg10602 = msg("8155", dup276); + +var msg10603 = msg("8156", dup276); + +var msg10604 = msg("8157", dup276); + +var msg10605 = msg("8158", dup276); + +var msg10606 = msg("8159", dup276); + +var msg10607 = msg("8160", dup276); + +var msg10608 = msg("8161", dup276); + +var msg10609 = msg("8162", dup276); + +var msg10610 = msg("8163", dup276); + +var msg10611 = msg("8164", dup276); + +var msg10612 = msg("8165", dup276); + +var msg10613 = msg("8166", dup276); + +var msg10614 = msg("8167", dup276); + +var msg10615 = msg("8168", dup276); + +var msg10616 = msg("8169", dup276); + +var msg10617 = msg("8170", dup276); + +var msg10618 = msg("8171", dup276); + +var msg10619 = msg("8172", dup276); + +var msg10620 = msg("8173", dup276); + +var msg10621 = msg("8174", dup276); + +var msg10622 = msg("8175", dup276); + +var msg10623 = msg("8176", dup276); + +var msg10624 = msg("8177", dup276); + +var msg10625 = msg("8178", dup276); + +var msg10626 = msg("8179", dup276); + +var msg10627 = msg("8180", dup276); + +var msg10628 = msg("8181", dup276); + +var msg10629 = msg("8182", dup276); + +var msg10630 = msg("8183", dup276); + +var msg10631 = msg("8184", dup276); + +var msg10632 = msg("8185", dup276); + +var msg10633 = msg("8186", dup276); + +var msg10634 = msg("8187", dup276); + +var msg10635 = msg("8188", dup276); + +var msg10636 = msg("8189", dup276); + +var msg10637 = msg("8190", dup276); + +var msg10638 = msg("8191", dup276); + +var msg10639 = msg("8192", dup276); + +var msg10640 = msg("8193", dup276); + +var msg10641 = msg("8194", dup276); + +var msg10642 = msg("8195", dup276); + +var msg10643 = msg("8196", dup276); + +var msg10644 = msg("8197", dup276); + +var msg10645 = msg("8198", dup276); + +var msg10646 = msg("8199", dup276); + +var msg10647 = msg("8200", dup276); + +var msg10648 = msg("8201", dup276); + +var msg10649 = msg("8202", dup276); + +var msg10650 = msg("8203", dup276); + +var msg10651 = msg("8204", dup276); + +var msg10652 = msg("8205", dup276); + +var msg10653 = msg("8206", dup276); + +var msg10654 = msg("8207", dup276); + +var msg10655 = msg("8208", dup276); + +var msg10656 = msg("8209", dup276); + +var msg10657 = msg("8210", dup276); + +var msg10658 = msg("8211", dup276); + +var msg10659 = msg("8212", dup276); + +var msg10660 = msg("8213", dup276); + +var msg10661 = msg("8214", dup276); + +var msg10662 = msg("8215", dup276); + +var msg10663 = msg("8216", dup276); + +var msg10664 = msg("8217", dup276); + +var msg10665 = msg("8218", dup276); + +var msg10666 = msg("8219", dup276); + +var msg10667 = msg("8220", dup276); + +var msg10668 = msg("8221", dup276); + +var msg10669 = msg("8222", dup276); + +var msg10670 = msg("8223", dup276); + +var msg10671 = msg("8224", dup276); + +var msg10672 = msg("8225", dup276); + +var msg10673 = msg("8226", dup276); + +var msg10674 = msg("8227", dup276); + +var msg10675 = msg("8228", dup276); + +var msg10676 = msg("8229", dup276); + +var msg10677 = msg("8230", dup276); + +var msg10678 = msg("8231", dup276); + +var msg10679 = msg("8232", dup276); + +var msg10680 = msg("8233", dup276); + +var msg10681 = msg("8234", dup276); + +var msg10682 = msg("8235", dup276); + +var msg10683 = msg("8236", dup276); + +var msg10684 = msg("8237", dup276); + +var msg10685 = msg("8238", dup276); + +var msg10686 = msg("8239", dup276); + +var msg10687 = msg("8240", dup276); + +var msg10688 = msg("8241", dup276); + +var msg10689 = msg("8242", dup276); + +var msg10690 = msg("8243", dup276); + +var msg10691 = msg("8244", dup276); + +var msg10692 = msg("8245", dup276); + +var msg10693 = msg("8246", dup276); + +var msg10694 = msg("8247", dup276); + +var msg10695 = msg("8248", dup276); + +var msg10696 = msg("8249", dup276); + +var msg10697 = msg("8250", dup276); + +var msg10698 = msg("8251", dup276); + +var msg10699 = msg("8252", dup276); + +var msg10700 = msg("8253", dup276); + +var msg10701 = msg("8254", dup276); + +var msg10702 = msg("8255", dup276); + +var msg10703 = msg("8256", dup276); + +var msg10704 = msg("8257", dup276); + +var msg10705 = msg("8258", dup276); + +var msg10706 = msg("8259", dup276); + +var msg10707 = msg("8260", dup276); + +var msg10708 = msg("8261", dup276); + +var msg10709 = msg("8262", dup276); + +var msg10710 = msg("8263", dup276); + +var msg10711 = msg("8264", dup276); + +var msg10712 = msg("8265", dup276); + +var msg10713 = msg("8266", dup276); + +var msg10714 = msg("8267", dup276); + +var msg10715 = msg("8268", dup276); + +var msg10716 = msg("8269", dup276); + +var msg10717 = msg("8270", dup276); + +var msg10718 = msg("8271", dup276); + +var msg10719 = msg("8272", dup276); + +var msg10720 = msg("8273", dup276); + +var msg10721 = msg("8274", dup276); + +var msg10722 = msg("8275", dup276); + +var msg10723 = msg("8276", dup276); + +var msg10724 = msg("8277", dup276); + +var msg10725 = msg("8278", dup276); + +var msg10726 = msg("8279", dup276); + +var msg10727 = msg("8280", dup276); + +var msg10728 = msg("8281", dup276); + +var msg10729 = msg("8282", dup276); + +var msg10730 = msg("8283", dup276); + +var msg10731 = msg("8284", dup276); + +var msg10732 = msg("8285", dup276); + +var msg10733 = msg("8286", dup276); + +var msg10734 = msg("8287", dup276); + +var msg10735 = msg("8288", dup276); + +var msg10736 = msg("8289", dup276); + +var msg10737 = msg("8290", dup276); + +var msg10738 = msg("8291", dup276); + +var msg10739 = msg("8292", dup276); + +var msg10740 = msg("8293", dup276); + +var msg10741 = msg("8294", dup276); + +var msg10742 = msg("8295", dup276); + +var msg10743 = msg("8296", dup276); + +var msg10744 = msg("8297", dup276); + +var msg10745 = msg("8298", dup276); + +var msg10746 = msg("8299", dup276); + +var msg10747 = msg("8300", dup276); + +var msg10748 = msg("8301", dup276); + +var msg10749 = msg("8302", dup276); + +var msg10750 = msg("8303", dup276); + +var msg10751 = msg("8304", dup276); + +var msg10752 = msg("8305", dup276); + +var msg10753 = msg("8306", dup276); + +var msg10754 = msg("8307", dup276); + +var msg10755 = msg("8308", dup276); + +var msg10756 = msg("8309", dup276); + +var msg10757 = msg("8310", dup276); + +var msg10758 = msg("8311", dup276); + +var msg10759 = msg("8312", dup276); + +var msg10760 = msg("8313", dup276); + +var msg10761 = msg("8314", dup276); + +var msg10762 = msg("8315", dup276); + +var msg10763 = msg("8316", dup276); + +var msg10764 = msg("8317", dup276); + +var msg10765 = msg("8318", dup276); + +var msg10766 = msg("8319", dup276); + +var msg10767 = msg("8320", dup276); + +var msg10768 = msg("8321", dup276); + +var msg10769 = msg("8322", dup276); + +var msg10770 = msg("8323", dup276); + +var msg10771 = msg("8324", dup276); + +var msg10772 = msg("8325", dup276); + +var msg10773 = msg("8326", dup276); + +var msg10774 = msg("8327", dup276); + +var msg10775 = msg("8328", dup276); + +var msg10776 = msg("8329", dup276); + +var msg10777 = msg("8330", dup276); + +var msg10778 = msg("8331", dup276); + +var msg10779 = msg("8332", dup276); + +var msg10780 = msg("8333", dup276); + +var msg10781 = msg("8334", dup276); + +var msg10782 = msg("8335", dup276); + +var msg10783 = msg("8336", dup276); + +var msg10784 = msg("8337", dup276); + +var msg10785 = msg("8338", dup276); + +var msg10786 = msg("8339", dup276); + +var msg10787 = msg("8340", dup276); + +var msg10788 = msg("8341", dup276); + +var msg10789 = msg("8342", dup276); + +var msg10790 = msg("8343", dup276); + +var msg10791 = msg("8344", dup276); + +var msg10792 = msg("8345", dup276); + +var msg10793 = msg("8346", dup276); + +var msg10794 = msg("8347", dup276); + +var msg10795 = msg("8348", dup276); + +var msg10796 = msg("8349", dup265); + +var msg10797 = msg("8350", dup196); + +var msg10798 = msg("8351", dup222); + +var msg10799 = msg("8352", dup303); + +var msg10800 = msg("8353", dup303); + +var msg10801 = msg("8354", dup303); + +var msg10802 = msg("8355", dup303); + +var msg10803 = msg("8356", dup303); + +var msg10804 = msg("8357", dup303); + +var msg10805 = msg("8358", dup303); + +var msg10806 = msg("8359", dup303); + +var msg10807 = msg("8360", dup303); + +var msg10808 = msg("8361", dup205); + +var msg10809 = msg("8362", dup205); + +var msg10810 = msg("8363", dup265); + +var msg10811 = msg("8364", dup265); + +var msg10812 = msg("8365", dup265); + +var msg10813 = msg("8366", dup265); + +var msg10814 = msg("8367", dup265); + +var msg10815 = msg("8368", dup265); + +var msg10816 = msg("8369", dup265); + +var msg10817 = msg("8370", dup265); + +var msg10818 = msg("8371", dup265); + +var msg10819 = msg("8372", dup265); + +var msg10820 = msg("8373", dup265); + +var msg10821 = msg("8374", dup265); + +var msg10822 = msg("8375", dup265); + +var msg10823 = msg("8376", dup265); + +var msg10824 = msg("8377", dup265); + +var msg10825 = msg("8378", dup265); + +var msg10826 = msg("8379", dup265); + +var msg10827 = msg("8380", dup265); + +var msg10828 = msg("8381", dup265); + +var msg10829 = msg("8382", dup265); + +var msg10830 = msg("8383", dup265); + +var msg10831 = msg("8384", dup265); + +var msg10832 = msg("8385", dup265); + +var msg10833 = msg("8386", dup265); + +var msg10834 = msg("8387", dup265); + +var msg10835 = msg("8388", dup265); + +var msg10836 = msg("8389", dup265); + +var msg10837 = msg("8390", dup265); + +var msg10838 = msg("8391", dup265); + +var msg10839 = msg("8392", dup265); + +var msg10840 = msg("8393", dup265); + +var msg10841 = msg("8394", dup265); + +var msg10842 = msg("8395", dup265); + +var msg10843 = msg("8396", dup265); + +var msg10844 = msg("8397", dup265); + +var msg10845 = msg("8398", dup265); + +var msg10846 = msg("8399", dup265); + +var msg10847 = msg("8400", dup265); + +var msg10848 = msg("8401", dup265); + +var msg10849 = msg("8402", dup265); + +var msg10850 = msg("8403", dup265); + +var msg10851 = msg("8404", dup265); + +var msg10852 = msg("8405", dup265); + +var msg10853 = msg("8406", dup265); + +var msg10854 = msg("8407", dup267); + +var msg10855 = msg("8408", dup267); + +var msg10856 = msg("8409", dup265); + +var msg10857 = msg("8410", dup265); + +var msg10858 = msg("8411", dup265); + +var msg10859 = msg("8412", dup265); + +var msg10860 = msg("8413", dup265); + +var msg10861 = msg("8414", dup201); + +var msg10862 = msg("8415", dup222); + +var msg10863 = msg("8416", dup267); + +var msg10864 = msg("8417", dup265); + +var msg10865 = msg("8418", dup265); + +var msg10866 = msg("8419", dup265); + +var msg10867 = msg("8420", dup265); + +var msg10868 = msg("8421", dup265); + +var msg10869 = msg("8422", dup265); + +var msg10870 = msg("8423", dup265); + +var msg10871 = msg("8424", dup265); + +var msg10872 = msg("8425", dup265); + +var msg10873 = msg("8426", dup201); + +var msg10874 = msg("8427", dup201); + +var msg10875 = msg("8428", dup201); + +var msg10876 = msg("8429", dup201); + +var msg10877 = msg("8430", dup201); + +var msg10878 = msg("8431", dup201); + +var msg10879 = msg("8432", dup201); + +var msg10880 = msg("8433", dup201); + +var msg10881 = msg("8434", dup201); + +var msg10882 = msg("8435", dup201); + +var msg10883 = msg("8436", dup201); + +var msg10884 = msg("8437", dup201); + +var msg10885 = msg("8438", dup201); + +var msg10886 = msg("8439", dup201); + +var msg10887 = msg("8440", dup201); + +var msg10888 = msg("8441", dup267); + +var msg10889 = msg("8442", dup250); + +var msg10890 = msg("8443", dup265); + +var msg10891 = msg("8444", dup265); + +var msg10892 = msg("8445", dup265); + +var msg10893 = msg("8446", dup196); + +var msg10894 = msg("8447", dup265); + +var msg10895 = msg("8448", dup267); + +var msg10896 = msg("8449", dup276); + +var msg10897 = msg("8450", dup276); + +var msg10898 = msg("8451", dup276); + +var msg10899 = msg("8452", dup276); + +var msg10900 = msg("8453", dup276); + +var msg10901 = msg("8454", dup276); + +var msg10902 = msg("8455", dup276); + +var msg10903 = msg("8456", dup276); + +var msg10904 = msg("8457", dup276); + +var msg10905 = msg("8458", dup276); + +var msg10906 = msg("8459", dup276); + +var msg10907 = msg("8460", dup276); + +var msg10908 = msg("8461", dup303); + +var msg10909 = msg("8462", dup303); + +var msg10910 = msg("8463", dup303); + +var msg10911 = msg("8464", dup303); + +var msg10912 = msg("8465", dup303); + +var msg10913 = msg("8466", dup303); + +var msg10914 = msg("8467", dup303); + +var msg10915 = msg("8468", dup303); + +var msg10916 = msg("8469", dup303); + +var msg10917 = msg("8470", dup205); + +var msg10918 = msg("8471", dup205); + +var msg10919 = msg("8472", dup205); + +var msg10920 = msg("8473", dup205); + +var msg10921 = msg("8474", dup205); + +var msg10922 = msg("8475", dup205); + +var msg10923 = msg("8476", dup205); + +var msg10924 = msg("8477", dup205); + +var msg10925 = msg("8478", dup265); + +var msg10926 = msg("8479", dup222); + +var msg10927 = msg("8480", dup222); + +var msg10928 = msg("8481", dup198); + +var msg10929 = msg("8482", dup196); + +var msg10930 = msg("8483", dup196); + +var msg10931 = msg("8484", dup301); + +var msg10932 = msg("8485", dup265); + +var msg10933 = msg("8486", dup265); + +var msg10934 = msg("8487", dup265); + +var msg10935 = msg("8488", dup265); + +var msg10936 = msg("8489", dup265); + +var msg10937 = msg("8490", dup265); + +var msg10938 = msg("8491", dup265); + +var msg10939 = msg("8492", dup265); + +var msg10940 = msg("8493", dup265); + +var msg10941 = msg("8494", dup197); + +var msg10942 = msg("8495", dup197); + +var msg10943 = msg("8496", dup240); + +var msg10944 = msg("8497", dup240); + +var msg10945 = msg("8498", dup240); + +var msg10946 = msg("8499", dup240); + +var msg10947 = msg("8500", dup240); + +var msg10948 = msg("8501", dup240); + +var msg10949 = msg("8502", dup240); + +var msg10950 = msg("8503", dup240); + +var msg10951 = msg("8504", dup240); + +var msg10952 = msg("8505", dup240); + +var msg10953 = msg("8506", dup240); + +var msg10954 = msg("8507", dup240); + +var msg10955 = msg("8508", dup240); + +var msg10956 = msg("8509", dup240); + +var msg10957 = msg("8510", dup240); + +var msg10958 = msg("8511", dup240); + +var msg10959 = msg("8512", dup240); + +var msg10960 = msg("8513", dup240); + +var msg10961 = msg("8514", dup240); + +var msg10962 = msg("8515", dup240); + +var msg10963 = msg("8516", dup240); + +var msg10964 = msg("8517", dup240); + +var msg10965 = msg("8518", dup240); + +var msg10966 = msg("8519", dup240); + +var msg10967 = msg("8520", dup240); + +var msg10968 = msg("8521", dup240); + +var msg10969 = msg("8522", dup240); + +var msg10970 = msg("8523", dup240); + +var msg10971 = msg("8524", dup240); + +var msg10972 = msg("8525", dup240); + +var msg10973 = msg("8526", dup240); + +var msg10974 = msg("8527", dup240); + +var msg10975 = msg("8528", dup240); + +var msg10976 = msg("8529", dup240); + +var msg10977 = msg("8530", dup240); + +var msg10978 = msg("8531", dup240); + +var msg10979 = msg("8532", dup240); + +var msg10980 = msg("8533", dup240); + +var msg10981 = msg("8534", dup240); + +var msg10982 = msg("8535", dup240); + +var msg10983 = msg("8536", dup240); + +var msg10984 = msg("8537", dup240); + +var msg10985 = msg("8538", dup240); + +var msg10986 = msg("8539", dup240); + +var msg10987 = msg("8540", dup240); + +var msg10988 = msg("8541", dup222); + +var msg10989 = msg("8542", dup303); + +var msg10990 = msg("8543", dup303); + +var msg10991 = msg("8544", dup303); + +var msg10992 = msg("8545", dup303); + +var msg10993 = msg("8546", dup303); + +var msg10994 = msg("8547", dup205); + +var msg10995 = msg("8548", dup205); + +var msg10996 = msg("8549", dup205); + +var msg10997 = msg("8550", dup222); + +var msg10998 = msg("8551", dup222); + +var msg10999 = msg("8552", dup276); + +var msg11000 = msg("8553", dup276); + +var msg11001 = msg("8554", dup276); + +var msg11002 = msg("8555", dup276); + +var msg11003 = msg("8556", dup276); + +var msg11004 = msg("8557", dup276); + +var msg11005 = msg("8558", dup276); + +var msg11006 = msg("8559", dup276); + +var msg11007 = msg("8560", dup276); + +var msg11008 = msg("8561", dup276); + +var msg11009 = msg("8562", dup276); + +var msg11010 = msg("8563", dup276); + +var msg11011 = msg("8564", dup276); + +var msg11012 = msg("8565", dup276); + +var msg11013 = msg("8566", dup276); + +var msg11014 = msg("8567", dup276); + +var msg11015 = msg("8568", dup276); + +var msg11016 = msg("8569", dup276); + +var msg11017 = msg("8570", dup276); + +var msg11018 = msg("8571", dup276); + +var msg11019 = msg("8572", dup276); + +var msg11020 = msg("8573", dup276); + +var msg11021 = msg("8574", dup276); + +var msg11022 = msg("8575", dup276); + +var msg11023 = msg("8576", dup276); + +var msg11024 = msg("8577", dup276); + +var msg11025 = msg("8578", dup276); + +var msg11026 = msg("8579", dup276); + +var msg11027 = msg("8580", dup276); + +var msg11028 = msg("8581", dup276); + +var msg11029 = msg("8582", dup276); + +var msg11030 = msg("8583", dup276); + +var msg11031 = msg("8584", dup276); + +var msg11032 = msg("8585", dup276); + +var msg11033 = msg("8586", dup276); + +var msg11034 = msg("8587", dup276); + +var msg11035 = msg("8588", dup276); + +var msg11036 = msg("8589", dup276); + +var msg11037 = msg("8590", dup276); + +var msg11038 = msg("8591", dup276); + +var msg11039 = msg("8592", dup276); + +var msg11040 = msg("8593", dup276); + +var msg11041 = msg("8594", dup276); + +var msg11042 = msg("8595", dup276); + +var msg11043 = msg("8596", dup276); + +var msg11044 = msg("8597", dup276); + +var msg11045 = msg("8598", dup276); + +var msg11046 = msg("8599", dup276); + +var msg11047 = msg("8600", dup276); + +var msg11048 = msg("8601", dup276); + +var msg11049 = msg("8602", dup276); + +var msg11050 = msg("8603", dup276); + +var msg11051 = msg("8604", dup276); + +var msg11052 = msg("8605", dup276); + +var msg11053 = msg("8606", dup276); + +var msg11054 = msg("8607", dup276); + +var msg11055 = msg("8608", dup276); + +var msg11056 = msg("8609", dup276); + +var msg11057 = msg("8610", dup276); + +var msg11058 = msg("8611", dup276); + +var msg11059 = msg("8612", dup276); + +var msg11060 = msg("8613", dup276); + +var msg11061 = msg("8614", dup276); + +var msg11062 = msg("8615", dup276); + +var msg11063 = msg("8616", dup276); + +var msg11064 = msg("8617", dup276); + +var msg11065 = msg("8618", dup276); + +var msg11066 = msg("8619", dup276); + +var msg11067 = msg("8620", dup276); + +var msg11068 = msg("8621", dup276); + +var msg11069 = msg("8622", dup276); + +var msg11070 = msg("8623", dup276); + +var msg11071 = msg("8624", dup276); + +var msg11072 = msg("8625", dup276); + +var msg11073 = msg("8626", dup276); + +var msg11074 = msg("8627", dup276); + +var msg11075 = msg("8628", dup276); + +var msg11076 = msg("8629", dup276); + +var msg11077 = msg("8630", dup276); + +var msg11078 = msg("8631", dup276); + +var msg11079 = msg("8632", dup276); + +var msg11080 = msg("8633", dup276); + +var msg11081 = msg("8634", dup276); + +var msg11082 = msg("8635", dup276); + +var msg11083 = msg("8636", dup276); + +var msg11084 = msg("8637", dup276); + +var msg11085 = msg("8638", dup276); + +var msg11086 = msg("8639", dup276); + +var msg11087 = msg("8640", dup276); + +var msg11088 = msg("8641", dup276); + +var msg11089 = msg("8642", dup276); + +var msg11090 = msg("8643", dup276); + +var msg11091 = msg("8644", dup276); + +var msg11092 = msg("8645", dup276); + +var msg11093 = msg("8646", dup276); + +var msg11094 = msg("8647", dup276); + +var msg11095 = msg("8648", dup276); + +var msg11096 = msg("8649", dup276); + +var msg11097 = msg("8650", dup276); + +var msg11098 = msg("8651", dup276); + +var msg11099 = msg("8652", dup276); + +var msg11100 = msg("8653", dup276); + +var msg11101 = msg("8654", dup276); + +var msg11102 = msg("8655", dup276); + +var msg11103 = msg("8656", dup276); + +var msg11104 = msg("8657", dup276); + +var msg11105 = msg("8658", dup276); + +var msg11106 = msg("8659", dup276); + +var msg11107 = msg("8660", dup276); + +var msg11108 = msg("8661", dup276); + +var msg11109 = msg("8662", dup276); + +var msg11110 = msg("8663", dup276); + +var msg11111 = msg("8664", dup276); + +var msg11112 = msg("8665", dup276); + +var msg11113 = msg("8666", dup276); + +var msg11114 = msg("8667", dup276); + +var msg11115 = msg("8668", dup276); + +var msg11116 = msg("8669", dup276); + +var msg11117 = msg("8670", dup276); + +var msg11118 = msg("8671", dup276); + +var msg11119 = msg("8672", dup276); + +var msg11120 = msg("8673", dup276); + +var msg11121 = msg("8674", dup276); + +var msg11122 = msg("8675", dup276); + +var msg11123 = msg("8676", dup276); + +var msg11124 = msg("8677", dup276); + +var msg11125 = msg("8678", dup276); + +var msg11126 = msg("8679", dup276); + +var msg11127 = msg("8680", dup276); + +var msg11128 = msg("8681", dup276); + +var msg11129 = msg("8682", dup276); + +var msg11130 = msg("8683", dup276); + +var msg11131 = msg("8684", dup276); + +var msg11132 = msg("8685", dup276); + +var msg11133 = msg("8686", dup276); + +var msg11134 = msg("8687", dup276); + +var msg11135 = msg("8688", dup276); + +var msg11136 = msg("8689", dup276); + +var msg11137 = msg("8690", dup201); + +var msg11138 = msg("8691", dup276); + +var msg11139 = msg("8692", dup201); + +var msg11140 = msg("8693", dup276); + +var msg11141 = msg("8694", dup201); + +var msg11142 = msg("8695", dup201); + +var msg11143 = msg("8696", dup276); + +var msg11144 = msg("8697", dup201); + +var msg11145 = msg("8698", dup276); + +var msg11146 = msg("8699", dup201); + +var msg11147 = msg("8700", dup265); + +var msg11148 = msg("8701", dup267); + +var msg11149 = msg("8702", dup222); + +var msg11150 = msg("8703", dup222); + +var msg11151 = msg("8704", dup250); + +var msg11152 = msg("8705", dup222); + +var msg11153 = msg("8706", dup222); + +var msg11154 = msg("8707", dup269); + +var msg11155 = msg("8708", dup267); + +var msg11156 = msg("8709", dup198); + +var msg11157 = msg("8710", dup198); + +var msg11158 = msg("8711", dup267); + +var msg11159 = msg("8712", dup269); + +var msg11160 = msg("8713", dup260); + +var msg11161 = msg("8714", dup260); + +var msg11162 = msg("8715", dup260); + +var msg11163 = msg("8716", dup260); + +var msg11164 = msg("8717", dup265); + +var msg11165 = msg("8718", dup265); + +var msg11166 = msg("8719", dup265); + +var msg11167 = msg("8720", dup265); + +var msg11168 = msg("8721", dup265); + +var msg11169 = msg("8722", dup265); + +var msg11170 = msg("8723", dup265); + +var msg11171 = msg("8724", dup265); + +var msg11172 = msg("8725", dup265); + +var msg11173 = msg("8726", dup265); + +var msg11174 = msg("8727", dup265); + +var msg11175 = msg("8728", dup265); + +var msg11176 = msg("8729", dup222); + +var msg11177 = msg("8730", dup198); + +var msg11178 = msg("8731", dup196); + +var msg11179 = msg("8732", dup196); + +var msg11180 = msg("8733", dup196); + +var msg11181 = msg("8734", dup269); + +var msg11182 = msg("8735", dup265); + +var msg11183 = msg("8736", dup265); + +var msg11184 = msg("8737", dup265); + +var msg11185 = msg("8738", dup265); + +var msg11186 = msg("8739", dup265); + +var msg11187 = msg("8740", dup265); + +var msg11188 = msg("8741", dup265); + +var msg11189 = msg("8742", dup265); + +var msg11190 = msg("8743", dup265); + +var msg11191 = msg("8744", dup265); + +var msg11192 = msg("8745", dup265); + +var msg11193 = msg("8746", dup265); + +var msg11194 = msg("8747", dup265); + +var msg11195 = msg("8748", dup265); + +var msg11196 = msg("8749", dup265); + +var msg11197 = msg("8750", dup265); + +var msg11198 = msg("8751", dup265); + +var msg11199 = msg("8752", dup265); + +var msg11200 = msg("8753", dup265); + +var msg11201 = msg("8754", dup265); + +var msg11202 = msg("8755", dup265); + +var msg11203 = msg("8756", dup265); + +var msg11204 = msg("8757", dup265); + +var msg11205 = msg("8758", dup265); + +var msg11206 = msg("8759", dup265); + +var msg11207 = msg("8760", dup265); + +var msg11208 = msg("8761", dup265); + +var msg11209 = msg("8762", dup265); + +var msg11210 = msg("8763", dup265); + +var msg11211 = msg("8764", dup265); + +var msg11212 = msg("8765", dup265); + +var msg11213 = msg("8766", dup265); + +var msg11214 = msg("8767", dup265); + +var msg11215 = msg("8768", dup265); + +var msg11216 = msg("8769", dup265); + +var msg11217 = msg("8770", dup265); + +var msg11218 = msg("8771", dup265); + +var msg11219 = msg("8772", dup265); + +var msg11220 = msg("8773", dup265); + +var msg11221 = msg("8774", dup265); + +var msg11222 = msg("8775", dup265); + +var msg11223 = msg("8776", dup265); + +var msg11224 = msg("8777", dup265); + +var msg11225 = msg("8778", dup265); + +var msg11226 = msg("8779", dup265); + +var msg11227 = msg("8780", dup265); + +var msg11228 = msg("8781", dup265); + +var msg11229 = msg("8782", dup265); + +var msg11230 = msg("8783", dup265); + +var msg11231 = msg("8784", dup265); + +var msg11232 = msg("8785", dup265); + +var msg11233 = msg("8786", dup265); + +var msg11234 = msg("8787", dup265); + +var msg11235 = msg("8788", dup265); + +var msg11236 = msg("8789", dup265); + +var msg11237 = msg("8790", dup265); + +var msg11238 = msg("8791", dup265); + +var msg11239 = msg("8792", dup265); + +var msg11240 = msg("8793", dup265); + +var msg11241 = msg("8794", dup265); + +var msg11242 = msg("8795", dup265); + +var msg11243 = msg("8796", dup265); + +var msg11244 = msg("8797", dup265); + +var msg11245 = msg("8798", dup265); + +var msg11246 = msg("8799", dup265); + +var msg11247 = msg("8800", dup265); + +var msg11248 = msg("8801", dup265); + +var msg11249 = msg("8802", dup265); + +var msg11250 = msg("8803", dup265); + +var msg11251 = msg("8804", dup265); + +var msg11252 = msg("8805", dup265); + +var msg11253 = msg("8806", dup265); + +var msg11254 = msg("8807", dup265); + +var msg11255 = msg("8808", dup265); + +var msg11256 = msg("8809", dup265); + +var msg11257 = msg("8810", dup265); + +var msg11258 = msg("8811", dup265); + +var msg11259 = msg("8812", dup265); + +var msg11260 = msg("8813", dup265); + +var msg11261 = msg("8814", dup265); + +var msg11262 = msg("8815", dup265); + +var msg11263 = msg("8816", dup265); + +var msg11264 = msg("8817", dup265); + +var msg11265 = msg("8818", dup265); + +var msg11266 = msg("8819", dup265); + +var msg11267 = msg("8820", dup265); + +var msg11268 = msg("8821", dup265); + +var msg11269 = msg("8822", dup265); + +var msg11270 = msg("8823", dup265); + +var msg11271 = msg("8824", dup265); + +var msg11272 = msg("8825", dup265); + +var msg11273 = msg("8826", dup265); + +var msg11274 = msg("8827", dup265); + +var msg11275 = msg("8828", dup265); + +var msg11276 = msg("8829", dup265); + +var msg11277 = msg("8830", dup265); + +var msg11278 = msg("8831", dup265); + +var msg11279 = msg("8832", dup265); + +var msg11280 = msg("8833", dup265); + +var msg11281 = msg("8834", dup265); + +var msg11282 = msg("8835", dup265); + +var msg11283 = msg("8836", dup265); + +var msg11284 = msg("8837", dup265); + +var msg11285 = msg("8838", dup265); + +var msg11286 = msg("8839", dup265); + +var msg11287 = msg("8840", dup265); + +var msg11288 = msg("8841", dup265); + +var msg11289 = msg("8842", dup265); + +var msg11290 = msg("8843", dup265); + +var msg11291 = msg("8844", dup265); + +var msg11292 = msg("8845", dup265); + +var msg11293 = msg("8846", dup265); + +var msg11294 = msg("8847", dup265); + +var msg11295 = msg("8848", dup265); + +var msg11296 = msg("8849", dup265); + +var msg11297 = msg("8850", dup265); + +var msg11298 = msg("8851", dup265); + +var msg11299 = msg("8852", dup265); + +var msg11300 = msg("8853", dup265); + +var msg11301 = msg("8854", dup265); + +var msg11302 = msg("8855", dup265); + +var msg11303 = msg("8856", dup265); + +var msg11304 = msg("8857", dup276); + +var msg11305 = msg("8858", dup276); + +var msg11306 = msg("8859", dup276); + +var msg11307 = msg("8860", dup276); + +var msg11308 = msg("8861", dup276); + +var msg11309 = msg("8862", dup276); + +var msg11310 = msg("8863", dup276); + +var msg11311 = msg("8864", dup276); + +var msg11312 = msg("8865", dup276); + +var msg11313 = msg("8866", dup276); + +var msg11314 = msg("8867", dup276); + +var msg11315 = msg("8868", dup276); + +var msg11316 = msg("8869", dup276); + +var msg11317 = msg("8870", dup276); + +var msg11318 = msg("8871", dup276); + +var msg11319 = msg("8872", dup276); + +var msg11320 = msg("8873", dup276); + +var msg11321 = msg("8874", dup276); + +var msg11322 = msg("8875", dup276); + +var msg11323 = msg("8876", dup276); + +var msg11324 = msg("8877", dup276); + +var msg11325 = msg("8878", dup276); + +var msg11326 = msg("8879", dup276); + +var msg11327 = msg("8880", dup276); + +var msg11328 = msg("8881", dup276); + +var msg11329 = msg("8882", dup276); + +var msg11330 = msg("8883", dup276); + +var msg11331 = msg("8884", dup276); + +var msg11332 = msg("8885", dup276); + +var msg11333 = msg("8886", dup276); + +var msg11334 = msg("8887", dup276); + +var msg11335 = msg("8888", dup276); + +var msg11336 = msg("8889", dup276); + +var msg11337 = msg("8890", dup276); + +var msg11338 = msg("8891", dup276); + +var msg11339 = msg("8892", dup276); + +var msg11340 = msg("8893", dup276); + +var msg11341 = msg("8894", dup276); + +var msg11342 = msg("8895", dup276); + +var msg11343 = msg("8896", dup276); + +var msg11344 = msg("8897", dup276); + +var msg11345 = msg("8898", dup276); + +var msg11346 = msg("8899", dup276); + +var msg11347 = msg("8900", dup276); + +var msg11348 = msg("8901", dup276); + +var msg11349 = msg("8902", dup276); + +var msg11350 = msg("8903", dup276); + +var msg11351 = msg("8904", dup276); + +var msg11352 = msg("8905", dup276); + +var msg11353 = msg("8906", dup276); + +var msg11354 = msg("8907", dup276); + +var msg11355 = msg("8908", dup276); + +var msg11356 = msg("8909", dup276); + +var msg11357 = msg("8910", dup276); + +var msg11358 = msg("8911", dup276); + +var msg11359 = msg("8912", dup276); + +var msg11360 = msg("8913", dup276); + +var msg11361 = msg("8914", dup276); + +var msg11362 = msg("8915", dup276); + +var msg11363 = msg("8916", dup276); + +var msg11364 = msg("8917", dup276); + +var msg11365 = msg("8918", dup276); + +var msg11366 = msg("8919", dup276); + +var msg11367 = msg("8920", dup276); + +var msg11368 = msg("8921", dup276); + +var msg11369 = msg("8922", dup276); + +var msg11370 = msg("8923", dup276); + +var msg11371 = msg("8924", dup276); + +var msg11372 = msg("8925", dup276); + +var msg11373 = msg("8926", dup276); + +var msg11374 = msg("8927", dup276); + +var msg11375 = msg("8928", dup276); + +var msg11376 = msg("8929", dup276); + +var msg11377 = msg("8930", dup276); + +var msg11378 = msg("8931", dup276); + +var msg11379 = msg("8932", dup276); + +var msg11380 = msg("8933", dup276); + +var msg11381 = msg("8934", dup276); + +var msg11382 = msg("8935", dup276); + +var msg11383 = msg("8936", dup276); + +var msg11384 = msg("8937", dup276); + +var msg11385 = msg("8938", dup276); + +var msg11386 = msg("8939", dup276); + +var msg11387 = msg("8940", dup276); + +var msg11388 = msg("8941", dup276); + +var msg11389 = msg("8942", dup276); + +var msg11390 = msg("8943", dup276); + +var msg11391 = msg("8944", dup276); + +var msg11392 = msg("8945", dup276); + +var msg11393 = msg("8946", dup276); + +var msg11394 = msg("8947", dup276); + +var msg11395 = msg("8948", dup276); + +var msg11396 = msg("8949", dup276); + +var msg11397 = msg("8950", dup276); + +var msg11398 = msg("8951", dup276); + +var msg11399 = msg("8952", dup276); + +var msg11400 = msg("8953", dup276); + +var msg11401 = msg("8954", dup276); + +var msg11402 = msg("8955", dup276); + +var msg11403 = msg("8956", dup276); + +var msg11404 = msg("8957", dup276); + +var msg11405 = msg("8958", dup276); + +var msg11406 = msg("8959", dup276); + +var msg11407 = msg("8960", dup276); + +var msg11408 = msg("8961", dup276); + +var msg11409 = msg("8962", dup276); + +var msg11410 = msg("8963", dup276); + +var msg11411 = msg("8964", dup276); + +var msg11412 = msg("8965", dup276); + +var msg11413 = msg("8966", dup276); + +var msg11414 = msg("8967", dup276); + +var msg11415 = msg("8968", dup276); + +var msg11416 = msg("8969", dup276); + +var msg11417 = msg("8970", dup276); + +var msg11418 = msg("8971", dup276); + +var msg11419 = msg("8972", dup276); + +var msg11420 = msg("8973", dup276); + +var msg11421 = msg("8974", dup276); + +var msg11422 = msg("8975", dup276); + +var msg11423 = msg("8976", dup276); + +var msg11424 = msg("8977", dup276); + +var msg11425 = msg("8978", dup276); + +var msg11426 = msg("8979", dup276); + +var msg11427 = msg("8980", dup276); + +var msg11428 = msg("8981", dup276); + +var msg11429 = msg("8982", dup276); + +var msg11430 = msg("8983", dup276); + +var msg11431 = msg("8984", dup276); + +var msg11432 = msg("8985", dup276); + +var msg11433 = msg("8986", dup276); + +var msg11434 = msg("8987", dup276); + +var msg11435 = msg("8988", dup276); + +var msg11436 = msg("8989", dup276); + +var msg11437 = msg("8990", dup276); + +var msg11438 = msg("8991", dup276); + +var msg11439 = msg("8992", dup276); + +var msg11440 = msg("8993", dup276); + +var msg11441 = msg("8994", dup276); + +var msg11442 = msg("8995", dup276); + +var msg11443 = msg("8996", dup276); + +var msg11444 = msg("8997", dup276); + +var msg11445 = msg("8998", dup276); + +var msg11446 = msg("8999", dup276); + +var msg11447 = msg("9000", dup276); + +var msg11448 = msg("9001", dup276); + +var msg11449 = msg("9002", dup276); + +var msg11450 = msg("9003", dup276); + +var msg11451 = msg("9004", dup276); + +var msg11452 = msg("9005", dup276); + +var msg11453 = msg("9006", dup276); + +var msg11454 = msg("9007", dup276); + +var msg11455 = msg("9008", dup276); + +var msg11456 = msg("9009", dup276); + +var msg11457 = msg("9010", dup276); + +var msg11458 = msg("9011", dup276); + +var msg11459 = msg("9012", dup276); + +var msg11460 = msg("9013", dup276); + +var msg11461 = msg("9014", dup276); + +var msg11462 = msg("9015", dup276); + +var msg11463 = msg("9016", dup276); + +var msg11464 = msg("9017", dup276); + +var msg11465 = msg("9018", dup276); + +var msg11466 = msg("9019", dup276); + +var msg11467 = msg("9020", dup276); + +var msg11468 = msg("9021", dup276); + +var msg11469 = msg("9022", dup276); + +var msg11470 = msg("9023", dup276); + +var msg11471 = msg("9024", dup276); + +var msg11472 = msg("9025", dup276); + +var msg11473 = msg("9026", dup276); + +var msg11474 = msg("9027", dup276); + +var msg11475 = msg("9028", dup276); + +var msg11476 = msg("9029", dup276); + +var msg11477 = msg("9030", dup276); + +var msg11478 = msg("9031", dup276); + +var msg11479 = msg("9032", dup276); + +var msg11480 = msg("9033", dup276); + +var msg11481 = msg("9034", dup276); + +var msg11482 = msg("9035", dup276); + +var msg11483 = msg("9036", dup276); + +var msg11484 = msg("9037", dup276); + +var msg11485 = msg("9038", dup276); + +var msg11486 = msg("9039", dup276); + +var msg11487 = msg("9040", dup276); + +var msg11488 = msg("9041", dup276); + +var msg11489 = msg("9042", dup276); + +var msg11490 = msg("9043", dup276); + +var msg11491 = msg("9044", dup276); + +var msg11492 = msg("9045", dup276); + +var msg11493 = msg("9046", dup276); + +var msg11494 = msg("9047", dup276); + +var msg11495 = msg("9048", dup276); + +var msg11496 = msg("9049", dup276); + +var msg11497 = msg("9050", dup276); + +var msg11498 = msg("9051", dup276); + +var msg11499 = msg("9052", dup276); + +var msg11500 = msg("9053", dup276); + +var msg11501 = msg("9054", dup276); + +var msg11502 = msg("9055", dup276); + +var msg11503 = msg("9056", dup276); + +var msg11504 = msg("9057", dup276); + +var msg11505 = msg("9058", dup276); + +var msg11506 = msg("9059", dup276); + +var msg11507 = msg("9060", dup276); + +var msg11508 = msg("9061", dup276); + +var msg11509 = msg("9062", dup276); + +var msg11510 = msg("9063", dup276); + +var msg11511 = msg("9064", dup276); + +var msg11512 = msg("9065", dup276); + +var msg11513 = msg("9066", dup276); + +var msg11514 = msg("9067", dup276); + +var msg11515 = msg("9068", dup276); + +var msg11516 = msg("9069", dup276); + +var msg11517 = msg("9070", dup276); + +var msg11518 = msg("9071", dup276); + +var msg11519 = msg("9072", dup276); + +var msg11520 = msg("9073", dup276); + +var msg11521 = msg("9074", dup276); + +var msg11522 = msg("9075", dup276); + +var msg11523 = msg("9076", dup276); + +var msg11524 = msg("9077", dup276); + +var msg11525 = msg("9078", dup276); + +var msg11526 = msg("9079", dup276); + +var msg11527 = msg("9080", dup276); + +var msg11528 = msg("9081", dup276); + +var msg11529 = msg("9082", dup276); + +var msg11530 = msg("9083", dup276); + +var msg11531 = msg("9084", dup276); + +var msg11532 = msg("9085", dup276); + +var msg11533 = msg("9086", dup276); + +var msg11534 = msg("9087", dup276); + +var msg11535 = msg("9088", dup276); + +var msg11536 = msg("9089", dup276); + +var msg11537 = msg("9090", dup276); + +var msg11538 = msg("9091", dup276); + +var msg11539 = msg("9092", dup276); + +var msg11540 = msg("9093", dup276); + +var msg11541 = msg("9094", dup276); + +var msg11542 = msg("9095", dup276); + +var msg11543 = msg("9096", dup276); + +var msg11544 = msg("9097", dup276); + +var msg11545 = msg("9098", dup276); + +var msg11546 = msg("9099", dup276); + +var msg11547 = msg("9100", dup276); + +var msg11548 = msg("9101", dup276); + +var msg11549 = msg("9102", dup276); + +var msg11550 = msg("9103", dup276); + +var msg11551 = msg("9104", dup276); + +var msg11552 = msg("9105", dup276); + +var msg11553 = msg("9106", dup276); + +var msg11554 = msg("9107", dup276); + +var msg11555 = msg("9108", dup276); + +var msg11556 = msg("9109", dup276); + +var msg11557 = msg("9110", dup276); + +var msg11558 = msg("9111", dup276); + +var msg11559 = msg("9112", dup276); + +var msg11560 = msg("9113", dup276); + +var msg11561 = msg("9114", dup276); + +var msg11562 = msg("9115", dup276); + +var msg11563 = msg("9116", dup276); + +var msg11564 = msg("9117", dup276); + +var msg11565 = msg("9118", dup276); + +var msg11566 = msg("9119", dup276); + +var msg11567 = msg("9120", dup276); + +var msg11568 = msg("9121", dup276); + +var msg11569 = msg("9122", dup276); + +var msg11570 = msg("9123", dup276); + +var msg11571 = msg("9124", dup276); + +var msg11572 = msg("9125", dup276); + +var msg11573 = msg("9126", dup276); + +var msg11574 = msg("9127", dup276); + +var msg11575 = msg("9128", dup276); + +var msg11576 = msg("9129", dup265); + +var msg11577 = msg("9130", dup265); + +var msg11578 = msg("9131", dup265); + +var msg11579 = msg("9132", dup276); + +var msg11580 = msg("9133", dup276); + +var msg11581 = msg("9134", dup276); + +var msg11582 = msg("9135", dup276); + +var msg11583 = msg("9136", dup276); + +var msg11584 = msg("9137", dup276); + +var msg11585 = msg("9138", dup276); + +var msg11586 = msg("9139", dup276); + +var msg11587 = msg("9140", dup276); + +var msg11588 = msg("9141", dup276); + +var msg11589 = msg("9142", dup276); + +var msg11590 = msg("9143", dup276); + +var msg11591 = msg("9144", dup276); + +var msg11592 = msg("9145", dup276); + +var msg11593 = msg("9146", dup276); + +var msg11594 = msg("9147", dup276); + +var msg11595 = msg("9148", dup276); + +var msg11596 = msg("9149", dup276); + +var msg11597 = msg("9150", dup276); + +var msg11598 = msg("9151", dup276); + +var msg11599 = msg("9152", dup276); + +var msg11600 = msg("9153", dup276); + +var msg11601 = msg("9154", dup276); + +var msg11602 = msg("9155", dup276); + +var msg11603 = msg("9156", dup276); + +var msg11604 = msg("9157", dup276); + +var msg11605 = msg("9158", dup276); + +var msg11606 = msg("9159", dup276); + +var msg11607 = msg("9160", dup276); + +var msg11608 = msg("9161", dup276); + +var msg11609 = msg("9162", dup276); + +var msg11610 = msg("9163", dup276); + +var msg11611 = msg("9164", dup276); + +var msg11612 = msg("9165", dup276); + +var msg11613 = msg("9166", dup276); + +var msg11614 = msg("9167", dup276); + +var msg11615 = msg("9168", dup276); + +var msg11616 = msg("9169", dup276); + +var msg11617 = msg("9170", dup276); + +var msg11618 = msg("9171", dup276); + +var msg11619 = msg("9172", dup276); + +var msg11620 = msg("9173", dup276); + +var msg11621 = msg("9174", dup276); + +var msg11622 = msg("9175", dup276); + +var msg11623 = msg("9176", dup276); + +var msg11624 = msg("9177", dup276); + +var msg11625 = msg("9178", dup276); + +var msg11626 = msg("9179", dup276); + +var msg11627 = msg("9180", dup276); + +var msg11628 = msg("9181", dup276); + +var msg11629 = msg("9182", dup276); + +var msg11630 = msg("9183", dup276); + +var msg11631 = msg("9184", dup276); + +var msg11632 = msg("9185", dup276); + +var msg11633 = msg("9186", dup276); + +var msg11634 = msg("9187", dup276); + +var msg11635 = msg("9188", dup276); + +var msg11636 = msg("9189", dup276); + +var msg11637 = msg("9190", dup276); + +var msg11638 = msg("9191", dup276); + +var msg11639 = msg("9192", dup276); + +var msg11640 = msg("9193", dup276); + +var msg11641 = msg("9194", dup276); + +var msg11642 = msg("9195", dup276); + +var msg11643 = msg("9196", dup276); + +var msg11644 = msg("9197", dup276); + +var msg11645 = msg("9198", dup276); + +var msg11646 = msg("9199", dup276); + +var msg11647 = msg("9200", dup276); + +var msg11648 = msg("9201", dup276); + +var msg11649 = msg("9202", dup276); + +var msg11650 = msg("9203", dup276); + +var msg11651 = msg("9204", dup276); + +var msg11652 = msg("9205", dup276); + +var msg11653 = msg("9206", dup276); + +var msg11654 = msg("9207", dup276); + +var msg11655 = msg("9208", dup276); + +var msg11656 = msg("9209", dup276); + +var msg11657 = msg("9210", dup276); + +var msg11658 = msg("9211", dup276); + +var msg11659 = msg("9212", dup276); + +var msg11660 = msg("9213", dup276); + +var msg11661 = msg("9214", dup276); + +var msg11662 = msg("9215", dup276); + +var msg11663 = msg("9216", dup276); + +var msg11664 = msg("9217", dup276); + +var msg11665 = msg("9218", dup276); + +var msg11666 = msg("9219", dup276); + +var msg11667 = msg("9220", dup276); + +var msg11668 = msg("9221", dup276); + +var msg11669 = msg("9222", dup276); + +var msg11670 = msg("9223", dup276); + +var msg11671 = msg("9224", dup276); + +var msg11672 = msg("9225", dup276); + +var msg11673 = msg("9226", dup276); + +var msg11674 = msg("9227", dup276); + +var msg11675 = msg("9228", dup276); + +var msg11676 = msg("9229", dup276); + +var msg11677 = msg("9230", dup276); + +var msg11678 = msg("9231", dup276); + +var msg11679 = msg("9232", dup276); + +var msg11680 = msg("9233", dup276); + +var msg11681 = msg("9234", dup276); + +var msg11682 = msg("9235", dup276); + +var msg11683 = msg("9236", dup276); + +var msg11684 = msg("9237", dup276); + +var msg11685 = msg("9238", dup276); + +var msg11686 = msg("9239", dup276); + +var msg11687 = msg("9240", dup276); + +var msg11688 = msg("9241", dup276); + +var msg11689 = msg("9242", dup276); + +var msg11690 = msg("9243", dup276); + +var msg11691 = msg("9244", dup276); + +var msg11692 = msg("9245", dup276); + +var msg11693 = msg("9246", dup276); + +var msg11694 = msg("9247", dup276); + +var msg11695 = msg("9248", dup276); + +var msg11696 = msg("9249", dup276); + +var msg11697 = msg("9250", dup276); + +var msg11698 = msg("9251", dup276); + +var msg11699 = msg("9252", dup276); + +var msg11700 = msg("9253", dup276); + +var msg11701 = msg("9254", dup276); + +var msg11702 = msg("9255", dup276); + +var msg11703 = msg("9256", dup276); + +var msg11704 = msg("9257", dup276); + +var msg11705 = msg("9258", dup276); + +var msg11706 = msg("9259", dup276); + +var msg11707 = msg("9260", dup276); + +var msg11708 = msg("9261", dup276); + +var msg11709 = msg("9262", dup276); + +var msg11710 = msg("9263", dup276); + +var msg11711 = msg("9264", dup276); + +var msg11712 = msg("9265", dup276); + +var msg11713 = msg("9266", dup276); + +var msg11714 = msg("9267", dup276); + +var msg11715 = msg("9268", dup276); + +var msg11716 = msg("9269", dup276); + +var msg11717 = msg("9270", dup276); + +var msg11718 = msg("9271", dup276); + +var msg11719 = msg("9272", dup276); + +var msg11720 = msg("9273", dup276); + +var msg11721 = msg("9274", dup276); + +var msg11722 = msg("9275", dup276); + +var msg11723 = msg("9276", dup276); + +var msg11724 = msg("9277", dup276); + +var msg11725 = msg("9278", dup276); + +var msg11726 = msg("9279", dup276); + +var msg11727 = msg("9280", dup276); + +var msg11728 = msg("9281", dup276); + +var msg11729 = msg("9282", dup276); + +var msg11730 = msg("9283", dup276); + +var msg11731 = msg("9284", dup276); + +var msg11732 = msg("9285", dup276); + +var msg11733 = msg("9286", dup276); + +var msg11734 = msg("9287", dup276); + +var msg11735 = msg("9288", dup276); + +var msg11736 = msg("9289", dup276); + +var msg11737 = msg("9290", dup276); + +var msg11738 = msg("9291", dup276); + +var msg11739 = msg("9292", dup276); + +var msg11740 = msg("9293", dup276); + +var msg11741 = msg("9294", dup276); + +var msg11742 = msg("9295", dup276); + +var msg11743 = msg("9296", dup276); + +var msg11744 = msg("9297", dup276); + +var msg11745 = msg("9298", dup276); + +var msg11746 = msg("9299", dup276); + +var msg11747 = msg("9300", dup276); + +var msg11748 = msg("9301", dup276); + +var msg11749 = msg("9302", dup276); + +var msg11750 = msg("9303", dup276); + +var msg11751 = msg("9304", dup276); + +var msg11752 = msg("9305", dup276); + +var msg11753 = msg("9306", dup276); + +var msg11754 = msg("9307", dup276); + +var msg11755 = msg("9308", dup276); + +var msg11756 = msg("9309", dup276); + +var msg11757 = msg("9310", dup276); + +var msg11758 = msg("9311", dup276); + +var msg11759 = msg("9312", dup276); + +var msg11760 = msg("9313", dup276); + +var msg11761 = msg("9314", dup276); + +var msg11762 = msg("9315", dup276); + +var msg11763 = msg("9316", dup276); + +var msg11764 = msg("9317", dup276); + +var msg11765 = msg("9318", dup276); + +var msg11766 = msg("9319", dup276); + +var msg11767 = msg("9320", dup276); + +var msg11768 = msg("9321", dup276); + +var msg11769 = msg("9322", dup276); + +var msg11770 = msg("9323", dup276); + +var msg11771 = msg("9324", dup196); + +var msg11772 = msg("9325", dup198); + +var msg11773 = msg("9326", dup250); + +var msg11774 = msg("9327", dup250); + +var msg11775 = msg("9328", dup250); + +var msg11776 = msg("9329", dup250); + +var msg11777 = msg("9330", dup250); + +var msg11778 = msg("9331", dup250); + +var msg11779 = msg("9332", dup250); + +var msg11780 = msg("9333", dup250); + +var msg11781 = msg("9334", dup250); + +var msg11782 = msg("9335", dup250); + +var msg11783 = msg("9336", dup250); + +var msg11784 = msg("9337", dup250); + +var msg11785 = msg("9338", dup250); + +var msg11786 = msg("9339", dup196); + +var msg11787 = msg("9340", dup196); + +var msg11788 = msg("9341", dup227); + +var msg11789 = msg("9342", dup250); + +var msg11790 = msg("9343", dup250); + +var msg11791 = msg("9344", dup250); + +var msg11792 = msg("9345", dup287); + +var msg11793 = msg("9346", dup196); + +var msg11794 = msg("9347", dup196); + +var msg11795 = msg("9348", dup250); + +var msg11796 = msg("9349", dup250); + +var msg11797 = msg("9350", dup250); + +var msg11798 = msg("9351", dup196); + +var msg11799 = msg("9352", dup250); + +var msg11800 = msg("9353", dup196); + +var msg11801 = msg("9354", dup196); + +var msg11802 = msg("9355", dup196); + +var msg11803 = msg("9356", dup196); + +var msg11804 = msg("9357", dup196); + +var msg11805 = msg("9358", dup250); + +var msg11806 = msg("9359", dup250); + +var msg11807 = msg("9360", dup250); + +var msg11808 = msg("9361", dup250); + +var msg11809 = msg("9362", dup250); + +var msg11810 = msg("9363", dup196); + +var msg11811 = msg("9364", dup196); + +var msg11812 = msg("9365", dup250); + +var msg11813 = msg("9366", dup250); + +var msg11814 = msg("9367", dup250); + +var msg11815 = msg("9368", dup250); + +var msg11816 = msg("9369", dup250); + +var msg11817 = msg("9370", dup250); + +var msg11818 = msg("9371", dup250); + +var msg11819 = msg("9372", dup250); + +var msg11820 = msg("9373", dup250); + +var msg11821 = msg("9374", dup250); + +var msg11822 = msg("9375", dup250); + +var msg11823 = msg("9376", dup250); + +var msg11824 = msg("9377", dup250); + +var msg11825 = msg("9378", dup250); + +var msg11826 = msg("9379", dup250); + +var msg11827 = msg("9380", dup196); + +var msg11828 = msg("9381", dup250); + +var msg11829 = msg("9382", dup250); + +var msg11830 = msg("9383", dup250); + +var msg11831 = msg("9384", dup250); + +var msg11832 = msg("9385", dup250); + +var msg11833 = msg("9386", dup250); + +var msg11834 = msg("9387", dup196); + +var msg11835 = msg("9388", dup250); + +var msg11836 = msg("9389", dup250); + +var msg11837 = msg("9390", dup196); + +var msg11838 = msg("9391", dup250); + +var msg11839 = msg("9392", dup250); + +var msg11840 = msg("9393", dup250); + +var msg11841 = msg("9394", dup250); + +var msg11842 = msg("9395", dup196); + +var msg11843 = msg("9396", dup196); + +var msg11844 = msg("9397", dup250); + +var msg11845 = msg("9398", dup250); + +var msg11846 = msg("9399", dup250); + +var msg11847 = msg("9400", dup250); + +var msg11848 = msg("9401", dup265); + +var msg11849 = msg("9402", dup274); + +var msg11850 = msg("9403", dup250); + +var msg11851 = msg("9404", dup250); + +var msg11852 = msg("9405", dup250); + +var msg11853 = msg("9406", dup250); + +var msg11854 = msg("9407", dup196); + +var msg11855 = msg("9408", dup250); + +var msg11856 = msg("9409", dup250); + +var msg11857 = msg("9410", dup250); + +var msg11858 = msg("9411", dup250); + +var msg11859 = msg("9412", dup196); + +var msg11860 = msg("9413", dup250); + +var msg11861 = msg("9414", dup250); + +var msg11862 = msg("9415", dup250); + +var msg11863 = msg("9416", dup250); + +var msg11864 = msg("9417", dup250); + +var msg11865 = msg("9418", dup265); + +var msg11866 = msg("9419", dup196); + +var msg11867 = msg("9420", dup196); + +var msg11868 = msg("9421", dup196); + +var msg11869 = msg("9422", dup196); + +var msg11870 = msg("9423", dup196); + +var msg11871 = msg("9424", dup196); + +var msg11872 = msg("9425", dup196); + +var msg11873 = msg("9426", dup196); + +var msg11874 = msg("9427", dup265); + +var msg11875 = msg("9428", dup265); + +var msg11876 = msg("9429", dup265); + +var msg11877 = msg("9430", dup265); + +var msg11878 = msg("9431", dup222); + +var msg11879 = msg("9432", dup267); + +var msg11880 = msg("9433", dup267); + +var msg11881 = msg("9434", dup267); + +var msg11882 = msg("9435", dup267); + +var msg11883 = msg("9436", dup267); + +var msg11884 = msg("9437", dup276); + +var msg11885 = msg("9438", dup276); + +var msg11886 = msg("9439", dup276); + +var msg11887 = msg("9440", dup276); + +var msg11888 = msg("9441", dup276); + +var msg11889 = msg("9442", dup276); + +var msg11890 = msg("9443", dup276); + +var msg11891 = msg("9444", dup276); + +var msg11892 = msg("9445", dup276); + +var msg11893 = msg("9446", dup276); + +var msg11894 = msg("9447", dup276); + +var msg11895 = msg("9448", dup276); + +var msg11896 = msg("9449", dup276); + +var msg11897 = msg("9450", dup276); + +var msg11898 = msg("9451", dup276); + +var msg11899 = msg("9452", dup276); + +var msg11900 = msg("9453", dup276); + +var msg11901 = msg("9454", dup276); + +var msg11902 = msg("9455", dup276); + +var msg11903 = msg("9456", dup276); + +var msg11904 = msg("9457", dup276); + +var msg11905 = msg("9458", dup276); + +var msg11906 = msg("9459", dup276); + +var msg11907 = msg("9460", dup276); + +var msg11908 = msg("9461", dup276); + +var msg11909 = msg("9462", dup276); + +var msg11910 = msg("9463", dup276); + +var msg11911 = msg("9464", dup276); + +var msg11912 = msg("9465", dup276); + +var msg11913 = msg("9466", dup276); + +var msg11914 = msg("9467", dup276); + +var msg11915 = msg("9468", dup276); + +var msg11916 = msg("9469", dup276); + +var msg11917 = msg("9470", dup276); + +var msg11918 = msg("9471", dup276); + +var msg11919 = msg("9472", dup276); + +var msg11920 = msg("9473", dup276); + +var msg11921 = msg("9474", dup276); + +var msg11922 = msg("9475", dup276); + +var msg11923 = msg("9476", dup276); + +var msg11924 = msg("9477", dup276); + +var msg11925 = msg("9478", dup276); + +var msg11926 = msg("9479", dup276); + +var msg11927 = msg("9480", dup276); + +var msg11928 = msg("9481", dup276); + +var msg11929 = msg("9482", dup276); + +var msg11930 = msg("9483", dup276); + +var msg11931 = msg("9484", dup276); + +var msg11932 = msg("9485", dup276); + +var msg11933 = msg("9486", dup276); + +var msg11934 = msg("9487", dup276); + +var msg11935 = msg("9488", dup276); + +var msg11936 = msg("9489", dup276); + +var msg11937 = msg("9490", dup276); + +var msg11938 = msg("9491", dup276); + +var msg11939 = msg("9492", dup276); + +var msg11940 = msg("9493", dup276); + +var msg11941 = msg("9494", dup276); + +var msg11942 = msg("9495", dup276); + +var msg11943 = msg("9496", dup276); + +var msg11944 = msg("9497", dup276); + +var msg11945 = msg("9498", dup276); + +var msg11946 = msg("9499", dup276); + +var msg11947 = msg("9500", dup276); + +var msg11948 = msg("9501", dup276); + +var msg11949 = msg("9502", dup276); + +var msg11950 = msg("9503", dup276); + +var msg11951 = msg("9504", dup276); + +var msg11952 = msg("9505", dup276); + +var msg11953 = msg("9506", dup276); + +var msg11954 = msg("9507", dup276); + +var msg11955 = msg("9508", dup276); + +var msg11956 = msg("9509", dup276); + +var msg11957 = msg("9510", dup276); + +var msg11958 = msg("9511", dup276); + +var msg11959 = msg("9512", dup276); + +var msg11960 = msg("9513", dup276); + +var msg11961 = msg("9514", dup276); + +var msg11962 = msg("9515", dup276); + +var msg11963 = msg("9516", dup276); + +var msg11964 = msg("9517", dup276); + +var msg11965 = msg("9518", dup276); + +var msg11966 = msg("9519", dup276); + +var msg11967 = msg("9520", dup276); + +var msg11968 = msg("9521", dup276); + +var msg11969 = msg("9522", dup276); + +var msg11970 = msg("9523", dup276); + +var msg11971 = msg("9524", dup276); + +var msg11972 = msg("9525", dup276); + +var msg11973 = msg("9526", dup276); + +var msg11974 = msg("9527", dup276); + +var msg11975 = msg("9528", dup276); + +var msg11976 = msg("9529", dup276); + +var msg11977 = msg("9530", dup276); + +var msg11978 = msg("9531", dup276); + +var msg11979 = msg("9532", dup276); + +var msg11980 = msg("9533", dup276); + +var msg11981 = msg("9534", dup276); + +var msg11982 = msg("9535", dup276); + +var msg11983 = msg("9536", dup276); + +var msg11984 = msg("9537", dup276); + +var msg11985 = msg("9538", dup276); + +var msg11986 = msg("9539", dup276); + +var msg11987 = msg("9540", dup276); + +var msg11988 = msg("9541", dup276); + +var msg11989 = msg("9542", dup276); + +var msg11990 = msg("9543", dup276); + +var msg11991 = msg("9544", dup276); + +var msg11992 = msg("9545", dup276); + +var msg11993 = msg("9546", dup276); + +var msg11994 = msg("9547", dup276); + +var msg11995 = msg("9548", dup276); + +var msg11996 = msg("9549", dup276); + +var msg11997 = msg("9550", dup276); + +var msg11998 = msg("9551", dup276); + +var msg11999 = msg("9552", dup276); + +var msg12000 = msg("9553", dup276); + +var msg12001 = msg("9554", dup276); + +var msg12002 = msg("9555", dup276); + +var msg12003 = msg("9556", dup276); + +var msg12004 = msg("9557", dup276); + +var msg12005 = msg("9558", dup276); + +var msg12006 = msg("9559", dup276); + +var msg12007 = msg("9560", dup276); + +var msg12008 = msg("9561", dup276); + +var msg12009 = msg("9562", dup276); + +var msg12010 = msg("9563", dup276); + +var msg12011 = msg("9564", dup276); + +var msg12012 = msg("9565", dup276); + +var msg12013 = msg("9566", dup276); + +var msg12014 = msg("9567", dup276); + +var msg12015 = msg("9568", dup276); + +var msg12016 = msg("9569", dup276); + +var msg12017 = msg("9570", dup276); + +var msg12018 = msg("9571", dup276); + +var msg12019 = msg("9572", dup276); + +var msg12020 = msg("9573", dup276); + +var msg12021 = msg("9574", dup276); + +var msg12022 = msg("9575", dup276); + +var msg12023 = msg("9576", dup276); + +var msg12024 = msg("9577", dup276); + +var msg12025 = msg("9578", dup276); + +var msg12026 = msg("9579", dup276); + +var msg12027 = msg("9580", dup276); + +var msg12028 = msg("9581", dup276); + +var msg12029 = msg("9582", dup276); + +var msg12030 = msg("9583", dup276); + +var msg12031 = msg("9584", dup276); + +var msg12032 = msg("9585", dup276); + +var msg12033 = msg("9586", dup276); + +var msg12034 = msg("9587", dup276); + +var msg12035 = msg("9588", dup276); + +var msg12036 = msg("9589", dup276); + +var msg12037 = msg("9590", dup276); + +var msg12038 = msg("9591", dup276); + +var msg12039 = msg("9592", dup276); + +var msg12040 = msg("9593", dup276); + +var msg12041 = msg("9594", dup276); + +var msg12042 = msg("9595", dup276); + +var msg12043 = msg("9596", dup276); + +var msg12044 = msg("9597", dup276); + +var msg12045 = msg("9598", dup276); + +var msg12046 = msg("9599", dup276); + +var msg12047 = msg("9600", dup276); + +var msg12048 = msg("9601", dup276); + +var msg12049 = msg("9602", dup276); + +var msg12050 = msg("9603", dup276); + +var msg12051 = msg("9604", dup276); + +var msg12052 = msg("9605", dup276); + +var msg12053 = msg("9606", dup276); + +var msg12054 = msg("9607", dup276); + +var msg12055 = msg("9608", dup276); + +var msg12056 = msg("9609", dup276); + +var msg12057 = msg("9610", dup276); + +var msg12058 = msg("9611", dup276); + +var msg12059 = msg("9612", dup276); + +var msg12060 = msg("9613", dup276); + +var msg12061 = msg("9614", dup276); + +var msg12062 = msg("9615", dup276); + +var msg12063 = msg("9616", dup276); + +var msg12064 = msg("9617", dup276); + +var msg12065 = msg("9618", dup276); + +var msg12066 = msg("9619", dup267); + +var msg12067 = msg("9620", dup267); + +var msg12068 = msg("9621", dup295); + +var msg12069 = msg("9622", dup198); + +var msg12070 = msg("9623", dup273); + +var msg12071 = msg("9624", dup273); + +var msg12072 = msg("9625", dup267); + +var msg12073 = msg("9626", dup265); + +var msg12074 = msg("9627", dup265); + +var msg12075 = msg("9628", dup265); + +var msg12076 = msg("9629", dup265); + +var msg12077 = msg("9630", dup265); + +var msg12078 = msg("9631", dup265); + +var msg12079 = msg("9632", dup222); + +var msg12080 = msg("9633", dup222); + +var msg12081 = msg("9634", dup222); + +var msg12082 = msg("9635", dup222); + +var msg12083 = msg("9636", dup222); + +var msg12084 = msg("9637", dup267); + +var msg12085 = msg("9638", dup274); + +var msg12086 = msg("9639", dup265); + +var msg12087 = msg("9640", dup265); + +var msg12088 = msg("9641", dup267); + +var msg12089 = msg("9642", dup267); + +var msg12090 = msg("9643", dup267); + +var msg12091 = msg("9644", dup303); + +var msg12092 = msg("9645", dup303); + +var msg12093 = msg("9646", dup303); + +var msg12094 = msg("9647", dup303); + +var msg12095 = msg("9648", dup303); + +var msg12096 = msg("9649", dup303); + +var msg12097 = msg("9650", dup303); + +var msg12098 = msg("9651", dup303); + +var msg12099 = msg("9652", dup303); + +var msg12100 = msg("9653", dup205); + +var msg12101 = msg("9654", dup205); + +var msg12102 = msg("9655", dup205); + +var msg12103 = msg("9656", dup205); + +var msg12104 = msg("9657", dup205); + +var msg12105 = msg("9658", dup205); + +var msg12106 = msg("9659", dup205); + +var msg12107 = msg("9660", dup205); + +var msg12108 = msg("9661", dup205); + +var msg12109 = msg("9662", dup205); + +var msg12110 = msg("9663", dup205); + +var msg12111 = msg("9664", dup205); + +var msg12112 = msg("9665", dup205); + +var msg12113 = msg("9666", dup205); + +var msg12114 = msg("9667", dup205); + +var msg12115 = msg("9668", dup265); + +var msg12116 = msg("9669", dup265); + +var msg12117 = msg("9670", dup265); + +var msg12118 = msg("9671", dup265); + +var msg12119 = msg("9672", dup265); + +var msg12120 = msg("9673", dup265); + +var msg12121 = msg("9674", dup276); + +var msg12122 = msg("9675", dup276); + +var msg12123 = msg("9676", dup276); + +var msg12124 = msg("9677", dup276); + +var msg12125 = msg("9678", dup276); + +var msg12126 = msg("9679", dup276); + +var msg12127 = msg("9680", dup276); + +var msg12128 = msg("9681", dup276); + +var msg12129 = msg("9682", dup276); + +var msg12130 = msg("9683", dup276); + +var msg12131 = msg("9684", dup276); + +var msg12132 = msg("9685", dup276); + +var msg12133 = msg("9686", dup276); + +var msg12134 = msg("9687", dup276); + +var msg12135 = msg("9688", dup276); + +var msg12136 = msg("9689", dup276); + +var msg12137 = msg("9690", dup276); + +var msg12138 = msg("9691", dup276); + +var msg12139 = msg("9692", dup276); + +var msg12140 = msg("9693", dup276); + +var msg12141 = msg("9694", dup276); + +var msg12142 = msg("9695", dup276); + +var msg12143 = msg("9696", dup276); + +var msg12144 = msg("9697", dup276); + +var msg12145 = msg("9698", dup276); + +var msg12146 = msg("9699", dup276); + +var msg12147 = msg("9700", dup276); + +var msg12148 = msg("9701", dup276); + +var msg12149 = msg("9702", dup276); + +var msg12150 = msg("9703", dup276); + +var msg12151 = msg("9704", dup276); + +var msg12152 = msg("9705", dup276); + +var msg12153 = msg("9706", dup276); + +var msg12154 = msg("9707", dup276); + +var msg12155 = msg("9708", dup276); + +var msg12156 = msg("9709", dup276); + +var msg12157 = msg("9710", dup276); + +var msg12158 = msg("9711", dup276); + +var msg12159 = msg("9712", dup276); + +var msg12160 = msg("9713", dup276); + +var msg12161 = msg("9714", dup276); + +var msg12162 = msg("9715", dup276); + +var msg12163 = msg("9716", dup276); + +var msg12164 = msg("9717", dup276); + +var msg12165 = msg("9718", dup276); + +var msg12166 = msg("9719", dup276); + +var msg12167 = msg("9720", dup276); + +var msg12168 = msg("9721", dup276); + +var msg12169 = msg("9722", dup276); + +var msg12170 = msg("9723", dup276); + +var msg12171 = msg("9724", dup276); + +var msg12172 = msg("9725", dup276); + +var msg12173 = msg("9726", dup276); + +var msg12174 = msg("9727", dup276); + +var msg12175 = msg("9728", dup276); + +var msg12176 = msg("9729", dup276); + +var msg12177 = msg("9730", dup276); + +var msg12178 = msg("9731", dup276); + +var msg12179 = msg("9732", dup276); + +var msg12180 = msg("9733", dup276); + +var msg12181 = msg("9734", dup276); + +var msg12182 = msg("9735", dup276); + +var msg12183 = msg("9736", dup276); + +var msg12184 = msg("9737", dup276); + +var msg12185 = msg("9738", dup276); + +var msg12186 = msg("9739", dup276); + +var msg12187 = msg("9740", dup276); + +var msg12188 = msg("9741", dup276); + +var msg12189 = msg("9742", dup276); + +var msg12190 = msg("9743", dup276); + +var msg12191 = msg("9744", dup276); + +var msg12192 = msg("9745", dup276); + +var msg12193 = msg("9746", dup276); + +var msg12194 = msg("9747", dup276); + +var msg12195 = msg("9748", dup276); + +var msg12196 = msg("9749", dup276); + +var msg12197 = msg("9750", dup276); + +var msg12198 = msg("9751", dup276); + +var msg12199 = msg("9752", dup276); + +var msg12200 = msg("9753", dup276); + +var msg12201 = msg("9754", dup276); + +var msg12202 = msg("9755", dup276); + +var msg12203 = msg("9756", dup276); + +var msg12204 = msg("9757", dup276); + +var msg12205 = msg("9758", dup276); + +var msg12206 = msg("9759", dup276); + +var msg12207 = msg("9760", dup276); + +var msg12208 = msg("9761", dup276); + +var msg12209 = msg("9762", dup276); + +var msg12210 = msg("9763", dup276); + +var msg12211 = msg("9764", dup276); + +var msg12212 = msg("9765", dup276); + +var msg12213 = msg("9766", dup276); + +var msg12214 = msg("9767", dup276); + +var msg12215 = msg("9768", dup201); + +var msg12216 = msg("9769", dup276); + +var msg12217 = msg("9770", dup201); + +var msg12218 = msg("9771", dup276); + +var msg12219 = msg("9772", dup276); + +var msg12220 = msg("9773", dup201); + +var msg12221 = msg("9774", dup201); + +var msg12222 = msg("9775", dup276); + +var msg12223 = msg("9776", dup276); + +var msg12224 = msg("9777", dup276); + +var msg12225 = msg("9778", dup276); + +var msg12226 = msg("9779", dup201); + +var msg12227 = msg("9780", dup276); + +var msg12228 = msg("9781", dup276); + +var msg12229 = msg("9782", dup276); + +var msg12230 = msg("9783", dup201); + +var msg12231 = msg("9784", dup276); + +var msg12232 = msg("9785", dup201); + +var msg12233 = msg("9786", dup276); + +var msg12234 = msg("9787", dup276); + +var msg12235 = msg("9788", dup201); + +var msg12236 = msg("9789", dup276); + +var msg12237 = msg("9790", dup196); + +var msg12238 = msg("9791", dup265); + +var msg12239 = msg("9792", dup222); + +var msg12240 = msg("9793", dup265); + +var msg12241 = msg("9794", dup265); + +var msg12242 = msg("9795", dup194); + +var msg12243 = msg("9796", dup194); + +var msg12244 = msg("9797", dup194); + +var msg12245 = msg("9798", dup194); + +var msg12246 = msg("9799", dup194); + +var msg12247 = msg("9800", dup194); + +var msg12248 = msg("9801", dup198); + +var msg12249 = msg("9802", dup276); + +var msg12250 = msg("9803", dup276); + +var msg12251 = msg("9804", dup276); + +var msg12252 = msg("9805", dup276); + +var msg12253 = msg("9806", dup276); + +var msg12254 = msg("9807", dup276); + +var msg12255 = msg("9808", dup276); + +var msg12256 = msg("9809", dup276); + +var msg12257 = msg("9810", dup276); + +var msg12258 = msg("9811", dup276); + +var msg12259 = msg("9812", dup265); + +var msg12260 = msg("9813", dup222); + +var msg12261 = msg("9814", dup265); + +var msg12262 = msg("9815", dup265); + +var msg12263 = msg("9816", dup265); + +var msg12264 = msg("9817", dup265); + +var msg12265 = msg("9818", dup265); + +var msg12266 = msg("9819", dup265); + +var msg12267 = msg("9820", dup265); + +var msg12268 = msg("9821", dup265); + +var msg12269 = msg("9822", dup265); + +var msg12270 = msg("9823", dup267); + +var msg12271 = msg("9824", dup265); + +var msg12272 = msg("9825", dup265); + +var msg12273 = msg("9826", dup265); + +var msg12274 = msg("9827", dup303); + +var msg12275 = msg("9828", dup303); + +var msg12276 = msg("9829", dup303); + +var msg12277 = msg("9830", dup303); + +var msg12278 = msg("9831", dup303); + +var msg12279 = msg("9832", dup205); + +var msg12280 = msg("9833", dup205); + +var msg12281 = msg("9834", dup205); + +var msg12282 = msg("9835", dup205); + +var msg12283 = msg("9836", dup205); + +var msg12284 = msg("9837", dup205); + +var msg12285 = msg("9838", dup205); + +var msg12286 = msg("9839", dup205); + +var msg12287 = msg("9840", dup265); + +var msg12288 = msg("9841", dup222); + +var msg12289 = msg("9842", dup265); + +var msg12290 = msg("9843", dup265); + +var msg12291 = msg("9844", dup265); + +var msg12292 = msg("9845", dup265); + +var msg12293 = msg("9846", dup265); + +var msg12294 = msg("9847", dup265); + +var msg12295 = msg("9848", dup267); + +var msg12296 = msg("9849", dup267); + +var msg12297 = msg("9850", dup276); + +var msg12298 = msg("9851", dup276); + +var msg12299 = msg("9852", dup276); + +var msg12300 = msg("9853", dup276); + +var msg12301 = msg("9854", dup276); + +var msg12302 = msg("9855", dup276); + +var msg12303 = msg("9856", dup276); + +var msg12304 = msg("9857", dup276); + +var msg12305 = msg("9858", dup276); + +var msg12306 = msg("9859", dup276); + +var msg12307 = msg("9860", dup276); + +var msg12308 = msg("9861", dup276); + +var msg12309 = msg("9862", dup276); + +var msg12310 = msg("9863", dup276); + +var msg12311 = msg("9864", dup276); + +var msg12312 = msg("9865", dup276); + +var msg12313 = msg("9866", dup276); + +var msg12314 = msg("9867", dup276); + +var msg12315 = msg("9868", dup276); + +var msg12316 = msg("9869", dup276); + +var msg12317 = msg("9870", dup276); + +var msg12318 = msg("9871", dup276); + +var msg12319 = msg("9872", dup276); + +var msg12320 = msg("9873", dup276); + +var msg12321 = msg("9874", dup276); + +var msg12322 = msg("9875", dup276); + +var msg12323 = msg("9876", dup276); + +var msg12324 = msg("9877", dup276); + +var msg12325 = msg("9878", dup276); + +var msg12326 = msg("9879", dup276); + +var msg12327 = msg("9880", dup276); + +var msg12328 = msg("9881", dup276); + +var msg12329 = msg("9882", dup276); + +var msg12330 = msg("9883", dup276); + +var msg12331 = msg("9884", dup276); + +var msg12332 = msg("9885", dup276); + +var msg12333 = msg("9886", dup276); + +var msg12334 = msg("9887", dup276); + +var msg12335 = msg("9888", dup276); + +var msg12336 = msg("9889", dup276); + +var msg12337 = msg("9890", dup276); + +var msg12338 = msg("9891", dup276); + +var msg12339 = msg("9892", dup276); + +var msg12340 = msg("9893", dup276); + +var msg12341 = msg("9894", dup276); + +var msg12342 = msg("9895", dup276); + +var msg12343 = msg("9896", dup276); + +var msg12344 = msg("9897", dup276); + +var msg12345 = msg("9898", dup276); + +var msg12346 = msg("9899", dup276); + +var msg12347 = msg("9900", dup276); + +var msg12348 = msg("9901", dup276); + +var msg12349 = msg("9902", dup276); + +var msg12350 = msg("9903", dup276); + +var msg12351 = msg("9904", dup276); + +var msg12352 = msg("9905", dup276); + +var msg12353 = msg("9906", dup276); + +var msg12354 = msg("9907", dup276); + +var msg12355 = msg("9908", dup276); + +var msg12356 = msg("9909", dup276); + +var msg12357 = msg("9910", dup276); + +var msg12358 = msg("9911", dup276); + +var msg12359 = msg("9912", dup276); + +var msg12360 = msg("9913", dup276); + +var msg12361 = msg("9914", dup276); + +var msg12362 = msg("9915", dup276); + +var msg12363 = msg("9916", dup276); + +var msg12364 = msg("9917", dup276); + +var msg12365 = msg("9918", dup276); + +var msg12366 = msg("9919", dup276); + +var msg12367 = msg("9920", dup276); + +var msg12368 = msg("9921", dup276); + +var msg12369 = msg("9922", dup276); + +var msg12370 = msg("9923", dup276); + +var msg12371 = msg("9924", dup276); + +var msg12372 = msg("9925", dup276); + +var msg12373 = msg("9926", dup276); + +var msg12374 = msg("9927", dup276); + +var msg12375 = msg("9928", dup276); + +var msg12376 = msg("9929", dup276); + +var msg12377 = msg("9930", dup276); + +var msg12378 = msg("9931", dup276); + +var msg12379 = msg("9932", dup276); + +var msg12380 = msg("9933", dup276); + +var msg12381 = msg("9934", dup276); + +var msg12382 = msg("9935", dup276); + +var msg12383 = msg("9936", dup276); + +var msg12384 = msg("9937", dup276); + +var msg12385 = msg("9938", dup276); + +var msg12386 = msg("9939", dup276); + +var msg12387 = msg("9940", dup276); + +var msg12388 = msg("9941", dup276); + +var msg12389 = msg("9942", dup276); + +var msg12390 = msg("9943", dup276); + +var msg12391 = msg("9944", dup276); + +var msg12392 = msg("9945", dup276); + +var msg12393 = msg("9946", dup276); + +var msg12394 = msg("9947", dup276); + +var msg12395 = msg("9948", dup276); + +var msg12396 = msg("9949", dup276); + +var msg12397 = msg("9950", dup276); + +var msg12398 = msg("9951", dup276); + +var msg12399 = msg("9952", dup276); + +var msg12400 = msg("9953", dup276); + +var msg12401 = msg("9954", dup276); + +var msg12402 = msg("9955", dup276); + +var msg12403 = msg("9956", dup276); + +var msg12404 = msg("9957", dup276); + +var msg12405 = msg("9958", dup276); + +var msg12406 = msg("9959", dup276); + +var msg12407 = msg("9960", dup276); + +var msg12408 = msg("9961", dup276); + +var msg12409 = msg("9962", dup276); + +var msg12410 = msg("9963", dup276); + +var msg12411 = msg("9964", dup276); + +var msg12412 = msg("9965", dup276); + +var msg12413 = msg("9966", dup276); + +var msg12414 = msg("9967", dup276); + +var msg12415 = msg("9968", dup276); + +var msg12416 = msg("9969", dup276); + +var msg12417 = msg("9970", dup276); + +var msg12418 = msg("9971", dup276); + +var msg12419 = msg("9972", dup276); + +var msg12420 = msg("9973", dup276); + +var msg12421 = msg("9974", dup276); + +var msg12422 = msg("9975", dup276); + +var msg12423 = msg("9976", dup276); + +var msg12424 = msg("9977", dup276); + +var msg12425 = msg("9978", dup276); + +var msg12426 = msg("9979", dup276); + +var msg12427 = msg("9980", dup276); + +var msg12428 = msg("9981", dup276); + +var msg12429 = msg("9982", dup276); + +var msg12430 = msg("9983", dup276); + +var msg12431 = msg("9984", dup276); + +var msg12432 = msg("9985", dup276); + +var msg12433 = msg("9986", dup276); + +var msg12434 = msg("9987", dup276); + +var msg12435 = msg("9988", dup276); + +var msg12436 = msg("9989", dup276); + +var msg12437 = msg("9990", dup276); + +var msg12438 = msg("9991", dup276); + +var msg12439 = msg("9992", dup276); + +var msg12440 = msg("9993", dup276); + +var msg12441 = msg("9994", dup276); + +var msg12442 = msg("9995", dup276); + +var msg12443 = msg("9996", dup276); + +var msg12444 = msg("9997", dup276); + +var msg12445 = msg("9998", dup276); + +var msg12446 = msg("9999", dup276); + +var msg12447 = msg("10000", dup276); + +var msg12448 = msg("10001", dup276); + +var msg12449 = msg("10002", dup276); + +var msg12450 = msg("10003", dup276); + +var msg12451 = msg("10004", dup276); + +var msg12452 = msg("10005", dup276); + +var msg12453 = msg("10006", dup276); + +var msg12454 = msg("10007", dup276); + +var msg12455 = msg("10008", dup276); + +var msg12456 = msg("10009", dup276); + +var msg12457 = msg("10010", dup222); + +var msg12458 = msg("10011", dup222); + +var msg12459 = msg("10012", dup222); + +var msg12460 = msg("10013", dup265); + +var msg12461 = msg("10014", dup265); + +var msg12462 = msg("10015", dup265); + +var msg12463 = msg("10016", dup265); + +var msg12464 = msg("10017", dup265); + +var msg12465 = msg("10018", dup276); + +var msg12466 = msg("10019", dup276); + +var msg12467 = msg("10020", dup276); + +var msg12468 = msg("10021", dup276); + +var msg12469 = msg("10022", dup276); + +var msg12470 = msg("10023", dup276); + +var msg12471 = msg("10024", dup276); + +var msg12472 = msg("10025", dup276); + +var msg12473 = msg("10026", dup276); + +var msg12474 = msg("10027", dup276); + +var msg12475 = msg("10028", dup276); + +var msg12476 = msg("10029", dup276); + +var msg12477 = msg("10030", dup276); + +var msg12478 = msg("10031", dup276); + +var msg12479 = msg("10032", dup276); + +var msg12480 = msg("10033", dup276); + +var msg12481 = msg("10034", dup276); + +var msg12482 = msg("10035", dup276); + +var msg12483 = msg("10036", dup276); + +var msg12484 = msg("10037", dup276); + +var msg12485 = msg("10038", dup276); + +var msg12486 = msg("10039", dup276); + +var msg12487 = msg("10040", dup276); + +var msg12488 = msg("10041", dup276); + +var msg12489 = msg("10042", dup276); + +var msg12490 = msg("10043", dup276); + +var msg12491 = msg("10044", dup276); + +var msg12492 = msg("10045", dup276); + +var msg12493 = msg("10046", dup276); + +var msg12494 = msg("10047", dup276); + +var msg12495 = msg("10048", dup276); + +var msg12496 = msg("10049", dup276); + +var msg12497 = msg("10050", dup276); + +var msg12498 = msg("10051", dup276); + +var msg12499 = msg("10052", dup276); + +var msg12500 = msg("10053", dup276); + +var msg12501 = msg("10054", dup276); + +var msg12502 = msg("10055", dup276); + +var msg12503 = msg("10056", dup276); + +var msg12504 = msg("10057", dup276); + +var msg12505 = msg("10058", dup276); + +var msg12506 = msg("10059", dup276); + +var msg12507 = msg("10060", dup276); + +var msg12508 = msg("10061", dup276); + +var msg12509 = msg("10062", dup267); + +var msg12510 = msg("10063", dup265); + +var msg12511 = msg("10064", dup222); + +var msg12512 = msg("10065", dup192); + +var msg12513 = msg("10066", dup192); + +var msg12514 = msg("10067", dup192); + +var msg12515 = msg("10068", dup192); + +var msg12516 = msg("10069", dup192); + +var msg12517 = msg("10070", dup192); + +var msg12518 = msg("10071", dup192); + +var msg12519 = msg("10072", dup192); + +var msg12520 = msg("10073", dup192); + +var msg12521 = msg("10074", dup192); + +var msg12522 = msg("10075", dup192); + +var msg12523 = msg("10076", dup192); + +var msg12524 = msg("10077", dup192); + +var msg12525 = msg("10078", dup250); + +var msg12526 = msg("10079", dup250); + +var msg12527 = msg("10080", dup250); + +var msg12528 = msg("10081", dup250); + +var msg12529 = msg("10082", dup250); + +var msg12530 = msg("10083", dup250); + +var msg12531 = msg("10084", dup265); + +var msg12532 = msg("10085", dup265); + +var msg12533 = msg("10086", dup265); + +var msg12534 = msg("10087", dup222); + +var msg12535 = msg("10088", dup303); + +var msg12536 = msg("10089", dup303); + +var msg12537 = msg("10090", dup303); + +var msg12538 = msg("10091", dup303); + +var msg12539 = msg("10092", dup303); + +var msg12540 = msg("10093", dup303); + +var msg12541 = msg("10094", dup303); + +var msg12542 = msg("10095", dup303); + +var msg12543 = msg("10096", dup303); + +var msg12544 = msg("10097", dup303); + +var msg12545 = msg("10098", dup303); + +var msg12546 = msg("10099", dup303); + +var msg12547 = msg("10100", dup303); + +var msg12548 = msg("10101", dup205); + +var msg12549 = msg("10102", dup205); + +var msg12550 = msg("10103", dup205); + +var msg12551 = msg("10104", dup205); + +var msg12552 = msg("10105", dup205); + +var msg12553 = msg("10106", dup205); + +var msg12554 = msg("10107", dup205); + +var msg12555 = msg("10108", dup205); + +var msg12556 = msg("10109", dup205); + +var msg12557 = msg("10110", dup205); + +var msg12558 = msg("10111", dup205); + +var msg12559 = msg("10112", dup205); + +var msg12560 = msg("10113", dup192); + +var msg12561 = msg("10114", dup192); + +var msg12562 = msg("10115", dup198); + +var msg12563 = msg("10116", dup265); + +var msg12564 = msg("10117", dup276); + +var msg12565 = msg("10118", dup276); + +var msg12566 = msg("10119", dup276); + +var msg12567 = msg("10120", dup276); + +var msg12568 = msg("10121", dup276); + +var msg12569 = msg("10122", dup276); + +var msg12570 = msg("10123", dup287); + +var msg12571 = msg("10124", dup285); + +var msg12572 = msg("10125", dup222); + +var msg12573 = msg("10126", dup265); + +var msg12574 = msg("10127", dup198); + +var msg12575 = msg("10128", dup265); + +var msg12576 = msg("10129", dup265); + +var msg12577 = msg("10130", dup196); + +var msg12578 = msg("10131", dup269); + +var msg12579 = msg("10132", dup198); + +var msg12580 = msg("10133", dup198); + +var msg12581 = msg("10134", dup222); + +var msg12582 = msg("10135", dup198); + +var msg12583 = msg("10136", dup285); + +var msg12584 = msg("10137", dup265); + +var msg12585 = msg("10138", dup265); + +var msg12586 = msg("10139", dup265); + +var msg12587 = msg("10140", dup265); + +var msg12588 = msg("10141", dup265); + +var msg12589 = msg("10142", dup265); + +var msg12590 = msg("10143", dup265); + +var msg12591 = msg("10144", dup265); + +var msg12592 = msg("10145", dup265); + +var msg12593 = msg("10146", dup265); + +var msg12594 = msg("10147", dup265); + +var msg12595 = msg("10148", dup265); + +var msg12596 = msg("10149", dup265); + +var msg12597 = msg("10150", dup265); + +var msg12598 = msg("10151", dup265); + +var msg12599 = msg("10152", dup265); + +var msg12600 = msg("10153", dup265); + +var msg12601 = msg("10154", dup265); + +var msg12602 = msg("10155", dup265); + +var msg12603 = msg("10156", dup265); + +var msg12604 = msg("10157", dup265); + +var msg12605 = msg("10158", dup276); + +var msg12606 = msg("10159", dup276); + +var msg12607 = msg("10160", dup276); + +var msg12608 = msg("10161", dup276); + +var msg12609 = msg("10162", dup265); + +var msg12610 = msg("10163", dup265); + +var msg12611 = msg("10164", dup303); + +var msg12612 = msg("10165", dup303); + +var msg12613 = msg("10166", dup303); + +var msg12614 = msg("10167", dup303); + +var msg12615 = msg("10168", dup205); + +var msg12616 = msg("10169", dup205); + +var msg12617 = msg("10170", dup265); + +var msg12618 = msg("10171", dup265); + +var msg12619 = msg("10172", dup267); + +var msg12620 = msg("10173", dup194); + +var msg12621 = msg("10174", dup194); + +var msg12622 = msg("10175", dup194); + +var msg12623 = msg("10176", dup224); + +var msg12624 = msg("10177", dup224); + +var msg12625 = msg("10178", dup224); + +var msg12626 = msg("10179", dup303); + +var msg12627 = msg("10180", dup303); + +var msg12628 = msg("10181", dup303); + +var msg12629 = msg("10182", dup303); + +var msg12630 = msg("10183", dup303); + +var msg12631 = msg("10184", dup205); + +var msg12632 = msg("10185", dup205); + +var msg12633 = msg("10186", dup250); + +var msg12634 = msg("10187", dup197); + +var msg12635 = msg("10188", dup222); + +var msg12636 = msg("10189", dup265); + +var msg12637 = msg("10190", dup265); + +var msg12638 = msg("10191", dup265); + +var msg12639 = msg("10192", dup265); + +var msg12640 = msg("10193", dup265); + +var msg12641 = msg("10194", dup265); + +var msg12642 = msg("10195", dup267); + +var msg12643 = msg("10196", dup205); + +var msg12644 = msg("10197", dup205); + +var msg12645 = msg("10198", dup276); + +var msg12646 = msg("10199", dup276); + +var msg12647 = msg("10200", dup276); + +var msg12648 = msg("10201", dup276); + +var msg12649 = msg("10202", dup194); + +var msg12650 = msg("10203", dup194); + +var msg12651 = msg("10204", dup194); + +var msg12652 = msg("10205", dup194); + +var msg12653 = msg("10206", dup194); + +var msg12654 = msg("10207", dup194); + +var msg12655 = msg("10208", dup276); + +var msg12656 = msg("10209", dup276); + +var msg12657 = msg("10210", dup276); + +var msg12658 = msg("10211", dup276); + +var msg12659 = msg("10212", dup276); + +var msg12660 = msg("10213", dup276); + +var msg12661 = msg("10214", dup265); + +var msg12662 = msg("10215", dup265); + +var msg12663 = msg("10216", dup265); + +var msg12664 = msg("10217", dup276); + +var msg12665 = msg("10218", dup276); + +var msg12666 = msg("10219", dup276); + +var msg12667 = msg("10220", dup276); + +var msg12668 = msg("10221", dup276); + +var msg12669 = msg("10222", dup276); + +var msg12670 = msg("10223", dup276); + +var msg12671 = msg("10224", dup276); + +var msg12672 = msg("10225", dup276); + +var msg12673 = msg("10226", dup276); + +var msg12674 = msg("10227", dup276); + +var msg12675 = msg("10228", dup276); + +var msg12676 = msg("10229", dup276); + +var msg12677 = msg("10230", dup276); + +var msg12678 = msg("10231", dup276); + +var msg12679 = msg("10232", dup276); + +var msg12680 = msg("10233", dup276); + +var msg12681 = msg("10234", dup276); + +var msg12682 = msg("10235", dup276); + +var msg12683 = msg("10236", dup276); + +var msg12684 = msg("10237", dup276); + +var msg12685 = msg("10238", dup276); + +var msg12686 = msg("10239", dup276); + +var msg12687 = msg("10240", dup276); + +var msg12688 = msg("10241", dup276); + +var msg12689 = msg("10242", dup276); + +var msg12690 = msg("10243", dup276); + +var msg12691 = msg("10244", dup276); + +var msg12692 = msg("10245", dup276); + +var msg12693 = msg("10246", dup276); + +var msg12694 = msg("10247", dup276); + +var msg12695 = msg("10248", dup276); + +var msg12696 = msg("10249", dup276); + +var msg12697 = msg("10250", dup276); + +var msg12698 = msg("10251", dup276); + +var msg12699 = msg("10252", dup276); + +var msg12700 = msg("10253", dup276); + +var msg12701 = msg("10254", dup276); + +var msg12702 = msg("10255", dup276); + +var msg12703 = msg("10256", dup276); + +var msg12704 = msg("10257", dup276); + +var msg12705 = msg("10258", dup276); + +var msg12706 = msg("10259", dup276); + +var msg12707 = msg("10260", dup276); + +var msg12708 = msg("10261", dup276); + +var msg12709 = msg("10262", dup276); + +var msg12710 = msg("10263", dup276); + +var msg12711 = msg("10264", dup276); + +var msg12712 = msg("10265", dup276); + +var msg12713 = msg("10266", dup276); + +var msg12714 = msg("10267", dup276); + +var msg12715 = msg("10268", dup276); + +var msg12716 = msg("10269", dup276); + +var msg12717 = msg("10270", dup276); + +var msg12718 = msg("10271", dup276); + +var msg12719 = msg("10272", dup276); + +var msg12720 = msg("10273", dup276); + +var msg12721 = msg("10274", dup276); + +var msg12722 = msg("10275", dup276); + +var msg12723 = msg("10276", dup276); + +var msg12724 = msg("10277", dup276); + +var msg12725 = msg("10278", dup276); + +var msg12726 = msg("10279", dup276); + +var msg12727 = msg("10280", dup276); + +var msg12728 = msg("10281", dup276); + +var msg12729 = msg("10282", dup276); + +var msg12730 = msg("10283", dup276); + +var msg12731 = msg("10284", dup276); + +var msg12732 = msg("10285", dup276); + +var msg12733 = msg("10286", dup276); + +var msg12734 = msg("10287", dup276); + +var msg12735 = msg("10288", dup276); + +var msg12736 = msg("10289", dup276); + +var msg12737 = msg("10290", dup276); + +var msg12738 = msg("10291", dup276); + +var msg12739 = msg("10292", dup276); + +var msg12740 = msg("10293", dup276); + +var msg12741 = msg("10294", dup276); + +var msg12742 = msg("10295", dup276); + +var msg12743 = msg("10296", dup276); + +var msg12744 = msg("10297", dup276); + +var msg12745 = msg("10298", dup276); + +var msg12746 = msg("10299", dup276); + +var msg12747 = msg("10300", dup276); + +var msg12748 = msg("10301", dup276); + +var msg12749 = msg("10302", dup276); + +var msg12750 = msg("10303", dup276); + +var msg12751 = msg("10304", dup276); + +var msg12752 = msg("10305", dup276); + +var msg12753 = msg("10306", dup276); + +var msg12754 = msg("10307", dup276); + +var msg12755 = msg("10308", dup276); + +var msg12756 = msg("10309", dup276); + +var msg12757 = msg("10310", dup276); + +var msg12758 = msg("10311", dup276); + +var msg12759 = msg("10312", dup276); + +var msg12760 = msg("10313", dup276); + +var msg12761 = msg("10314", dup276); + +var msg12762 = msg("10315", dup276); + +var msg12763 = msg("10316", dup276); + +var msg12764 = msg("10317", dup276); + +var msg12765 = msg("10318", dup276); + +var msg12766 = msg("10319", dup276); + +var msg12767 = msg("10320", dup276); + +var msg12768 = msg("10321", dup276); + +var msg12769 = msg("10322", dup276); + +var msg12770 = msg("10323", dup276); + +var msg12771 = msg("10324", dup276); + +var msg12772 = msg("10325", dup276); + +var msg12773 = msg("10326", dup276); + +var msg12774 = msg("10327", dup276); + +var msg12775 = msg("10328", dup276); + +var msg12776 = msg("10329", dup276); + +var msg12777 = msg("10330", dup276); + +var msg12778 = msg("10331", dup276); + +var msg12779 = msg("10332", dup276); + +var msg12780 = msg("10333", dup276); + +var msg12781 = msg("10334", dup276); + +var msg12782 = msg("10335", dup276); + +var msg12783 = msg("10336", dup276); + +var msg12784 = msg("10337", dup276); + +var msg12785 = msg("10338", dup276); + +var msg12786 = msg("10339", dup276); + +var msg12787 = msg("10340", dup276); + +var msg12788 = msg("10341", dup276); + +var msg12789 = msg("10342", dup276); + +var msg12790 = msg("10343", dup276); + +var msg12791 = msg("10344", dup276); + +var msg12792 = msg("10345", dup276); + +var msg12793 = msg("10346", dup276); + +var msg12794 = msg("10347", dup276); + +var msg12795 = msg("10348", dup276); + +var msg12796 = msg("10349", dup276); + +var msg12797 = msg("10350", dup276); + +var msg12798 = msg("10351", dup276); + +var msg12799 = msg("10352", dup276); + +var msg12800 = msg("10353", dup276); + +var msg12801 = msg("10354", dup276); + +var msg12802 = msg("10355", dup276); + +var msg12803 = msg("10356", dup276); + +var msg12804 = msg("10357", dup276); + +var msg12805 = msg("10358", dup276); + +var msg12806 = msg("10359", dup276); + +var msg12807 = msg("10360", dup276); + +var msg12808 = msg("10361", dup276); + +var msg12809 = msg("10362", dup276); + +var msg12810 = msg("10363", dup276); + +var msg12811 = msg("10364", dup276); + +var msg12812 = msg("10365", dup276); + +var msg12813 = msg("10366", dup276); + +var msg12814 = msg("10367", dup276); + +var msg12815 = msg("10368", dup276); + +var msg12816 = msg("10369", dup276); + +var msg12817 = msg("10370", dup276); + +var msg12818 = msg("10371", dup276); + +var msg12819 = msg("10372", dup276); + +var msg12820 = msg("10373", dup276); + +var msg12821 = msg("10374", dup276); + +var msg12822 = msg("10375", dup276); + +var msg12823 = msg("10376", dup276); + +var msg12824 = msg("10377", dup276); + +var msg12825 = msg("10378", dup276); + +var msg12826 = msg("10379", dup276); + +var msg12827 = msg("10380", dup276); + +var msg12828 = msg("10381", dup276); + +var msg12829 = msg("10382", dup276); + +var msg12830 = msg("10383", dup276); + +var msg12831 = msg("10384", dup276); + +var msg12832 = msg("10385", dup276); + +var msg12833 = msg("10386", dup276); + +var msg12834 = msg("10387", dup265); + +var msg12835 = msg("10388", dup265); + +var msg12836 = msg("10389", dup265); + +var msg12837 = msg("10390", dup265); + +var msg12838 = msg("10391", dup265); + +var msg12839 = msg("10392", dup265); + +var msg12840 = msg("10393", dup265); + +var msg12841 = msg("10394", dup265); + +var msg12842 = msg("10395", dup265); + +var msg12843 = msg("10396", dup265); + +var msg12844 = msg("10397", dup265); + +var msg12845 = msg("10398", dup265); + +var msg12846 = msg("10399", dup265); + +var msg12847 = msg("10400", dup265); + +var msg12848 = msg("10401", dup265); + +var msg12849 = msg("10402", dup192); + +var msg12850 = msg("10403", dup192); + +var msg12851 = msg("10404", dup265); + +var msg12852 = msg("10405", dup265); + +var msg12853 = msg("10406", dup265); + +var msg12854 = msg("10407", dup222); + +var msg12855 = msg("10408", dup287); + +var msg12856 = msg("10409", dup258); + +var msg12857 = msg("10410", dup287); + +var msg12858 = msg("10411", dup258); + +var msg12859 = msg("10412", dup265); + +var msg12860 = msg("10413", dup265); + +var msg12861 = msg("10414", dup265); + +var msg12862 = msg("10415", dup265); + +var msg12863 = msg("10416", dup265); + +var msg12864 = msg("10417", dup265); + +var msg12865 = msg("10418", dup196); + +var msg12866 = msg("10419", dup265); + +var msg12867 = msg("10420", dup265); + +var msg12868 = msg("10421", dup265); + +var msg12869 = msg("10422", dup265); + +var msg12870 = msg("10423", dup265); + +var msg12871 = msg("10424", dup265); + +var msg12872 = msg("10425", dup265); + +var msg12873 = msg("10426", dup265); + +var msg12874 = msg("10427", dup194); + +var msg12875 = msg("10428", dup194); + +var msg12876 = msg("10429", dup194); + +var msg12877 = msg("10430", dup194); + +var msg12878 = msg("10431", dup194); + +var msg12879 = msg("10432", dup194); + +var msg12880 = msg("10433", dup194); + +var msg12881 = msg("10434", dup194); + +var msg12882 = msg("10435", dup303); + +var msg12883 = msg("10436", dup303); + +var msg12884 = msg("10437", dup303); + +var msg12885 = msg("10438", dup303); + +var msg12886 = msg("10439", dup303); + +var msg12887 = msg("10440", dup303); + +var msg12888 = msg("10441", dup303); + +var msg12889 = msg("10442", dup192); + +var msg12890 = msg("10443", dup192); + +var msg12891 = msg("10444", dup192); + +var msg12892 = msg("10445", dup192); + +var msg12893 = msg("10446", dup192); + +var msg12894 = msg("10447", dup192); + +var msg12895 = msg("10448", dup192); + +var msg12896 = msg("10449", dup192); + +var msg12897 = msg("10450", dup192); + +var msg12898 = msg("10451", dup192); + +var msg12899 = msg("10452", dup192); + +var msg12900 = msg("10453", dup192); + +var msg12901 = msg("10454", dup192); + +var msg12902 = msg("10455", dup192); + +var msg12903 = msg("10456", dup192); + +var msg12904 = msg("10457", dup192); + +var msg12905 = msg("10458", dup192); + +var msg12906 = msg("10459", dup192); + +var msg12907 = msg("10460", dup192); + +var msg12908 = msg("10461", dup192); + +var msg12909 = msg("10462", dup192); + +var msg12910 = msg("10463", dup192); + +var msg12911 = msg("10464", dup285); + +var msg12912 = msg("10465", dup265); + +var msg12913 = msg("10466", dup265); + +var msg12914 = msg("10467", dup265); + +var msg12915 = msg("10468", dup265); + +var msg12916 = msg("10469", dup265); + +var msg12917 = msg("10470", dup265); + +var msg12918 = msg("10471", dup265); + +var msg12919 = msg("10472", dup265); + +var msg12920 = msg("10473", dup265); + +var msg12921 = msg("10474", dup265); + +var msg12922 = msg("10475", dup222); + +var msg12923 = msg("10476", dup265); + +var msg12924 = msg("10477", dup265); + +var msg12925 = msg("10478", dup265); + +var msg12926 = msg("10479", dup265); + +var msg12927 = msg("10480", dup222); + +var msg12928 = msg("10481", dup222); + +var msg12929 = msg("10482", dup287); + +var msg12930 = msg("10483", dup258); + +var msg12931 = msg("10484", dup287); + +var msg12932 = msg("10485", dup258); + +var msg12933 = msg("10486", dup276); + +var msg12934 = msg("10487", dup276); + +var msg12935 = msg("10488", dup276); + +var msg12936 = msg("10489", dup276); + +var msg12937 = msg("10490", dup276); + +var msg12938 = msg("10491", dup276); + +var msg12939 = msg("10492", dup276); + +var msg12940 = msg("10493", dup276); + +var msg12941 = msg("10494", dup276); + +var msg12942 = msg("10495", dup276); + +var msg12943 = msg("10496", dup276); + +var msg12944 = msg("10497", dup276); + +var msg12945 = msg("10498", dup276); + +var msg12946 = msg("10499", dup276); + +var msg12947 = msg("10500", dup276); + +var msg12948 = msg("10501", dup276); + +var msg12949 = msg("10502", dup276); + +var msg12950 = msg("10503", dup276); + +var msg12951 = msg("10504", dup196); + +var msg12952 = msg("10505", dup196); + +var msg12953 = msg("10506", dup196); + +var msg12954 = msg("10507", dup196); + +var msg12955 = msg("10508", dup196); + +var msg12956 = msg("10509", dup196); + +var msg12957 = msg("10510", dup196); + +var msg12958 = msg("10511", dup196); + +var msg12959 = msg("10512", dup196); + +var msg12960 = msg("10513", dup196); + +var msg12961 = msg("10514", dup276); + +var msg12962 = msg("10515", dup276); + +var msg12963 = msg("10516", dup276); + +var msg12964 = msg("10517", dup276); + +var msg12965 = msg("10518", dup276); + +var msg12966 = msg("10519", dup276); + +var msg12967 = msg("10520", dup276); + +var msg12968 = msg("10521", dup276); + +var msg12969 = msg("10522", dup276); + +var msg12970 = msg("10523", dup276); + +var msg12971 = msg("10524", dup276); + +var msg12972 = msg("10525", dup276); + +var msg12973 = msg("10526", dup276); + +var msg12974 = msg("10527", dup276); + +var msg12975 = msg("10528", dup276); + +var msg12976 = msg("10529", dup276); + +var msg12977 = msg("10530", dup276); + +var msg12978 = msg("10531", dup276); + +var msg12979 = msg("10532", dup276); + +var msg12980 = msg("10533", dup276); + +var msg12981 = msg("10534", dup276); + +var msg12982 = msg("10535", dup276); + +var msg12983 = msg("10536", dup276); + +var msg12984 = msg("10537", dup276); + +var msg12985 = msg("10538", dup276); + +var msg12986 = msg("10539", dup276); + +var msg12987 = msg("10540", dup276); + +var msg12988 = msg("10541", dup276); + +var msg12989 = msg("10542", dup276); + +var msg12990 = msg("10543", dup276); + +var msg12991 = msg("10544", dup276); + +var msg12992 = msg("10545", dup276); + +var msg12993 = msg("10546", dup276); + +var msg12994 = msg("10547", dup276); + +var msg12995 = msg("10548", dup276); + +var msg12996 = msg("10549", dup276); + +var msg12997 = msg("10550", dup276); + +var msg12998 = msg("10551", dup276); + +var msg12999 = msg("10552", dup276); + +var msg13000 = msg("10553", dup276); + +var msg13001 = msg("10554", dup276); + +var msg13002 = msg("10555", dup276); + +var msg13003 = msg("10556", dup276); + +var msg13004 = msg("10557", dup276); + +var msg13005 = msg("10558", dup276); + +var msg13006 = msg("10559", dup276); + +var msg13007 = msg("10560", dup276); + +var msg13008 = msg("10561", dup276); + +var msg13009 = msg("10562", dup276); + +var msg13010 = msg("10563", dup276); + +var msg13011 = msg("10564", dup276); + +var msg13012 = msg("10565", dup276); + +var msg13013 = msg("10566", dup276); + +var msg13014 = msg("10567", dup276); + +var msg13015 = msg("10568", dup276); + +var msg13016 = msg("10569", dup276); + +var msg13017 = msg("10570", dup276); + +var msg13018 = msg("10571", dup276); + +var msg13019 = msg("10572", dup276); + +var msg13020 = msg("10573", dup276); + +var msg13021 = msg("10574", dup276); + +var msg13022 = msg("10575", dup276); + +var msg13023 = msg("10576", dup276); + +var msg13024 = msg("10577", dup276); + +var msg13025 = msg("10578", dup276); + +var msg13026 = msg("10579", dup276); + +var msg13027 = msg("10580", dup276); + +var msg13028 = msg("10581", dup276); + +var msg13029 = msg("10582", dup276); + +var msg13030 = msg("10583", dup276); + +var msg13031 = msg("10584", dup276); + +var msg13032 = msg("10585", dup276); + +var msg13033 = msg("10586", dup276); + +var msg13034 = msg("10587", dup276); + +var msg13035 = msg("10588", dup276); + +var msg13036 = msg("10589", dup276); + +var msg13037 = msg("10590", dup276); + +var msg13038 = msg("10591", dup276); + +var msg13039 = msg("10592", dup276); + +var msg13040 = msg("10593", dup276); + +var msg13041 = msg("10594", dup276); + +var msg13042 = msg("10595", dup276); + +var msg13043 = msg("10596", dup276); + +var msg13044 = msg("10597", dup276); + +var msg13045 = msg("10598", dup276); + +var msg13046 = msg("10599", dup276); + +var msg13047 = msg("10600", dup276); + +var msg13048 = msg("10601", dup276); + +var msg13049 = msg("10602", dup276); + +var msg13050 = msg("10603", dup276); + +var msg13051 = msg("10604", dup276); + +var msg13052 = msg("10605", dup276); + +var msg13053 = msg("10606", dup276); + +var msg13054 = msg("10607", dup276); + +var msg13055 = msg("10608", dup276); + +var msg13056 = msg("10609", dup276); + +var msg13057 = msg("10610", dup276); + +var msg13058 = msg("10611", dup276); + +var msg13059 = msg("10612", dup276); + +var msg13060 = msg("10613", dup276); + +var msg13061 = msg("10614", dup276); + +var msg13062 = msg("10615", dup276); + +var msg13063 = msg("10616", dup276); + +var msg13064 = msg("10617", dup276); + +var msg13065 = msg("10618", dup276); + +var msg13066 = msg("10619", dup276); + +var msg13067 = msg("10620", dup276); + +var msg13068 = msg("10621", dup276); + +var msg13069 = msg("10622", dup276); + +var msg13070 = msg("10623", dup276); + +var msg13071 = msg("10624", dup276); + +var msg13072 = msg("10625", dup276); + +var msg13073 = msg("10626", dup276); + +var msg13074 = msg("10627", dup276); + +var msg13075 = msg("10628", dup276); + +var msg13076 = msg("10629", dup276); + +var msg13077 = msg("10630", dup276); + +var msg13078 = msg("10631", dup276); + +var msg13079 = msg("10632", dup276); + +var msg13080 = msg("10633", dup276); + +var msg13081 = msg("10634", dup276); + +var msg13082 = msg("10635", dup276); + +var msg13083 = msg("10636", dup276); + +var msg13084 = msg("10637", dup276); + +var msg13085 = msg("10638", dup276); + +var msg13086 = msg("10639", dup276); + +var msg13087 = msg("10640", dup276); + +var msg13088 = msg("10641", dup276); + +var msg13089 = msg("10642", dup276); + +var msg13090 = msg("10643", dup276); + +var msg13091 = msg("10644", dup276); + +var msg13092 = msg("10645", dup276); + +var msg13093 = msg("10646", dup276); + +var msg13094 = msg("10647", dup276); + +var msg13095 = msg("10648", dup276); + +var msg13096 = msg("10649", dup276); + +var msg13097 = msg("10650", dup276); + +var msg13098 = msg("10651", dup276); + +var msg13099 = msg("10652", dup276); + +var msg13100 = msg("10653", dup276); + +var msg13101 = msg("10654", dup276); + +var msg13102 = msg("10655", dup276); + +var msg13103 = msg("10656", dup276); + +var msg13104 = msg("10657", dup276); + +var msg13105 = msg("10658", dup276); + +var msg13106 = msg("10659", dup276); + +var msg13107 = msg("10660", dup276); + +var msg13108 = msg("10661", dup276); + +var msg13109 = msg("10662", dup276); + +var msg13110 = msg("10663", dup276); + +var msg13111 = msg("10664", dup276); + +var msg13112 = msg("10665", dup276); + +var msg13113 = msg("10666", dup276); + +var msg13114 = msg("10667", dup276); + +var msg13115 = msg("10668", dup276); + +var msg13116 = msg("10669", dup276); + +var msg13117 = msg("10670", dup201); + +var msg13118 = msg("10671", dup276); + +var msg13119 = msg("10672", dup276); + +var msg13120 = msg("10673", dup201); + +var msg13121 = msg("10674", dup276); + +var msg13122 = msg("10675", dup201); + +var msg13123 = msg("10676", dup201); + +var msg13124 = msg("10677", dup201); + +var msg13125 = msg("10678", dup276); + +var msg13126 = msg("10679", dup276); + +var msg13127 = msg("10680", dup201); + +var msg13128 = msg("10681", dup276); + +var msg13129 = msg("10682", dup276); + +var msg13130 = msg("10683", dup201); + +var msg13131 = msg("10684", dup201); + +var msg13132 = msg("10685", dup276); + +var msg13133 = msg("10686", dup276); + +var msg13134 = msg("10687", dup276); + +var msg13135 = msg("10688", dup276); + +var msg13136 = msg("10689", dup201); + +var msg13137 = msg("10690", dup276); + +var msg13138 = msg("10691", dup201); + +var msg13139 = msg("10692", dup276); + +var msg13140 = msg("10693", dup276); + +var msg13141 = msg("10694", dup201); + +var msg13142 = msg("10695", dup201); + +var msg13143 = msg("10696", dup276); + +var msg13144 = msg("10697", dup276); + +var msg13145 = msg("10698", dup276); + +var msg13146 = msg("10699", dup276); + +var msg13147 = msg("10700", dup276); + +var msg13148 = msg("10701", dup276); + +var msg13149 = msg("10702", dup276); + +var msg13150 = msg("10703", dup276); + +var msg13151 = msg("10704", dup276); + +var msg13152 = msg("10705", dup276); + +var msg13153 = msg("10706", dup276); + +var msg13154 = msg("10707", dup276); + +var msg13155 = msg("10708", dup276); + +var msg13156 = msg("10709", dup276); + +var msg13157 = msg("10710", dup276); + +var msg13158 = msg("10711", dup276); + +var msg13159 = msg("10712", dup276); + +var msg13160 = msg("10713", dup276); + +var msg13161 = msg("10714", dup276); + +var msg13162 = msg("10715", dup276); + +var msg13163 = msg("10716", dup276); + +var msg13164 = msg("10717", dup276); + +var msg13165 = msg("10718", dup276); + +var msg13166 = msg("10719", dup276); + +var msg13167 = msg("10720", dup276); + +var msg13168 = msg("10721", dup276); + +var msg13169 = msg("10722", dup276); + +var msg13170 = msg("10723", dup276); + +var msg13171 = msg("10724", dup276); + +var msg13172 = msg("10725", dup276); + +var msg13173 = msg("10726", dup276); + +var msg13174 = msg("10727", dup276); + +var msg13175 = msg("10728", dup276); + +var msg13176 = msg("10729", dup276); + +var msg13177 = msg("10730", dup276); + +var msg13178 = msg("10731", dup276); + +var msg13179 = msg("10732", dup276); + +var msg13180 = msg("10733", dup276); + +var msg13181 = msg("10734", dup276); + +var msg13182 = msg("10735", dup276); + +var msg13183 = msg("10736", dup276); + +var msg13184 = msg("10737", dup276); + +var msg13185 = msg("10738", dup276); + +var msg13186 = msg("10739", dup276); + +var msg13187 = msg("10740", dup276); + +var msg13188 = msg("10741", dup276); + +var msg13189 = msg("10742", dup276); + +var msg13190 = msg("10743", dup276); + +var msg13191 = msg("10744", dup276); + +var msg13192 = msg("10745", dup276); + +var msg13193 = msg("10746", dup276); + +var msg13194 = msg("10747", dup276); + +var msg13195 = msg("10748", dup276); + +var msg13196 = msg("10749", dup276); + +var msg13197 = msg("10750", dup276); + +var msg13198 = msg("10751", dup276); + +var msg13199 = msg("10752", dup276); + +var msg13200 = msg("10753", dup276); + +var msg13201 = msg("10754", dup276); + +var msg13202 = msg("10755", dup276); + +var msg13203 = msg("10756", dup276); + +var msg13204 = msg("10757", dup276); + +var msg13205 = msg("10758", dup276); + +var msg13206 = msg("10759", dup276); + +var msg13207 = msg("10760", dup276); + +var msg13208 = msg("10761", dup276); + +var msg13209 = msg("10762", dup276); + +var msg13210 = msg("10763", dup276); + +var msg13211 = msg("10764", dup276); + +var msg13212 = msg("10765", dup276); + +var msg13213 = msg("10766", dup276); + +var msg13214 = msg("10767", dup276); + +var msg13215 = msg("10768", dup276); + +var msg13216 = msg("10769", dup276); + +var msg13217 = msg("10770", dup276); + +var msg13218 = msg("10771", dup276); + +var msg13219 = msg("10772", dup276); + +var msg13220 = msg("10773", dup276); + +var msg13221 = msg("10774", dup276); + +var msg13222 = msg("10775", dup276); + +var msg13223 = msg("10776", dup276); + +var msg13224 = msg("10777", dup276); + +var msg13225 = msg("10778", dup276); + +var msg13226 = msg("10779", dup276); + +var msg13227 = msg("10780", dup276); + +var msg13228 = msg("10781", dup276); + +var msg13229 = msg("10782", dup276); + +var msg13230 = msg("10783", dup276); + +var msg13231 = msg("10784", dup276); + +var msg13232 = msg("10785", dup276); + +var msg13233 = msg("10786", dup276); + +var msg13234 = msg("10787", dup276); + +var msg13235 = msg("10788", dup276); + +var msg13236 = msg("10789", dup276); + +var msg13237 = msg("10790", dup276); + +var msg13238 = msg("10791", dup276); + +var msg13239 = msg("10792", dup276); + +var msg13240 = msg("10793", dup276); + +var msg13241 = msg("10794", dup276); + +var msg13242 = msg("10795", dup276); + +var msg13243 = msg("10796", dup276); + +var msg13244 = msg("10797", dup276); + +var msg13245 = msg("10798", dup276); + +var msg13246 = msg("10799", dup276); + +var msg13247 = msg("10800", dup276); + +var msg13248 = msg("10801", dup276); + +var msg13249 = msg("10802", dup276); + +var msg13250 = msg("10803", dup276); + +var msg13251 = msg("10804", dup276); + +var msg13252 = msg("10805", dup276); + +var msg13253 = msg("10806", dup276); + +var msg13254 = msg("10807", dup276); + +var msg13255 = msg("10808", dup276); + +var msg13256 = msg("10809", dup276); + +var msg13257 = msg("10810", dup276); + +var msg13258 = msg("10811", dup276); + +var msg13259 = msg("10812", dup276); + +var msg13260 = msg("10813", dup276); + +var msg13261 = msg("10814", dup276); + +var msg13262 = msg("10815", dup276); + +var msg13263 = msg("10816", dup276); + +var msg13264 = msg("10817", dup276); + +var msg13265 = msg("10818", dup276); + +var msg13266 = msg("10819", dup276); + +var msg13267 = msg("10820", dup276); + +var msg13268 = msg("10821", dup276); + +var msg13269 = msg("10822", dup276); + +var msg13270 = msg("10823", dup276); + +var msg13271 = msg("10824", dup276); + +var msg13272 = msg("10825", dup276); + +var msg13273 = msg("10826", dup276); + +var msg13274 = msg("10827", dup276); + +var msg13275 = msg("10828", dup276); + +var msg13276 = msg("10829", dup276); + +var msg13277 = msg("10830", dup276); + +var msg13278 = msg("10831", dup276); + +var msg13279 = msg("10832", dup276); + +var msg13280 = msg("10833", dup276); + +var msg13281 = msg("10834", dup276); + +var msg13282 = msg("10835", dup276); + +var msg13283 = msg("10836", dup276); + +var msg13284 = msg("10837", dup276); + +var msg13285 = msg("10838", dup276); + +var msg13286 = msg("10839", dup276); + +var msg13287 = msg("10840", dup276); + +var msg13288 = msg("10841", dup276); + +var msg13289 = msg("10842", dup276); + +var msg13290 = msg("10843", dup276); + +var msg13291 = msg("10844", dup276); + +var msg13292 = msg("10845", dup276); + +var msg13293 = msg("10846", dup276); + +var msg13294 = msg("10847", dup276); + +var msg13295 = msg("10848", dup276); + +var msg13296 = msg("10849", dup276); + +var msg13297 = msg("10850", dup276); + +var msg13298 = msg("10851", dup276); + +var msg13299 = msg("10852", dup276); + +var msg13300 = msg("10853", dup276); + +var msg13301 = msg("10854", dup276); + +var msg13302 = msg("10855", dup276); + +var msg13303 = msg("10856", dup276); + +var msg13304 = msg("10857", dup276); + +var msg13305 = msg("10858", dup276); + +var msg13306 = msg("10859", dup276); + +var msg13307 = msg("10860", dup276); + +var msg13308 = msg("10861", dup276); + +var msg13309 = msg("10862", dup276); + +var msg13310 = msg("10863", dup276); + +var msg13311 = msg("10864", dup276); + +var msg13312 = msg("10865", dup276); + +var msg13313 = msg("10866", dup276); + +var msg13314 = msg("10867", dup276); + +var msg13315 = msg("10868", dup276); + +var msg13316 = msg("10869", dup276); + +var msg13317 = msg("10870", dup276); + +var msg13318 = msg("10871", dup276); + +var msg13319 = msg("10872", dup276); + +var msg13320 = msg("10873", dup276); + +var msg13321 = msg("10874", dup276); + +var msg13322 = msg("10875", dup276); + +var msg13323 = msg("10876", dup276); + +var msg13324 = msg("10877", dup276); + +var msg13325 = msg("10878", dup276); + +var msg13326 = msg("10879", dup276); + +var msg13327 = msg("10880", dup276); + +var msg13328 = msg("10881", dup276); + +var msg13329 = msg("10882", dup276); + +var msg13330 = msg("10883", dup276); + +var msg13331 = msg("10884", dup276); + +var msg13332 = msg("10885", dup276); + +var msg13333 = msg("10886", dup276); + +var msg13334 = msg("10887", dup276); + +var msg13335 = msg("10888", dup276); + +var msg13336 = msg("10889", dup276); + +var msg13337 = msg("10890", dup276); + +var msg13338 = msg("10891", dup276); + +var msg13339 = msg("10892", dup276); + +var msg13340 = msg("10893", dup276); + +var msg13341 = msg("10894", dup276); + +var msg13342 = msg("10895", dup276); + +var msg13343 = msg("10896", dup276); + +var msg13344 = msg("10897", dup276); + +var msg13345 = msg("10898", dup276); + +var msg13346 = msg("10899", dup276); + +var msg13347 = msg("10900", dup276); + +var msg13348 = msg("10901", dup276); + +var msg13349 = msg("10902", dup276); + +var msg13350 = msg("10903", dup276); + +var msg13351 = msg("10904", dup276); + +var msg13352 = msg("10905", dup276); + +var msg13353 = msg("10906", dup276); + +var msg13354 = msg("10907", dup276); + +var msg13355 = msg("10908", dup276); + +var msg13356 = msg("10909", dup276); + +var msg13357 = msg("10910", dup276); + +var msg13358 = msg("10911", dup276); + +var msg13359 = msg("10912", dup276); + +var msg13360 = msg("10913", dup276); + +var msg13361 = msg("10914", dup276); + +var msg13362 = msg("10915", dup276); + +var msg13363 = msg("10916", dup276); + +var msg13364 = msg("10917", dup276); + +var msg13365 = msg("10918", dup276); + +var msg13366 = msg("10919", dup276); + +var msg13367 = msg("10920", dup276); + +var msg13368 = msg("10921", dup276); + +var msg13369 = msg("10922", dup276); + +var msg13370 = msg("10923", dup276); + +var msg13371 = msg("10924", dup276); + +var msg13372 = msg("10925", dup276); + +var msg13373 = msg("10926", dup276); + +var msg13374 = msg("10927", dup276); + +var msg13375 = msg("10928", dup276); + +var msg13376 = msg("10929", dup276); + +var msg13377 = msg("10930", dup276); + +var msg13378 = msg("10931", dup276); + +var msg13379 = msg("10932", dup276); + +var msg13380 = msg("10933", dup276); + +var msg13381 = msg("10934", dup276); + +var msg13382 = msg("10935", dup276); + +var msg13383 = msg("10936", dup276); + +var msg13384 = msg("10937", dup276); + +var msg13385 = msg("10938", dup276); + +var msg13386 = msg("10939", dup276); + +var msg13387 = msg("10940", dup276); + +var msg13388 = msg("10941", dup276); + +var msg13389 = msg("10942", dup276); + +var msg13390 = msg("10943", dup276); + +var msg13391 = msg("10944", dup276); + +var msg13392 = msg("10945", dup276); + +var msg13393 = msg("10946", dup276); + +var msg13394 = msg("10947", dup276); + +var msg13395 = msg("10948", dup276); + +var msg13396 = msg("10949", dup276); + +var msg13397 = msg("10950", dup276); + +var msg13398 = msg("10951", dup276); + +var msg13399 = msg("10952", dup276); + +var msg13400 = msg("10953", dup276); + +var msg13401 = msg("10954", dup201); + +var msg13402 = msg("10955", dup201); + +var msg13403 = msg("10956", dup201); + +var msg13404 = msg("10957", dup201); + +var msg13405 = msg("10958", dup276); + +var msg13406 = msg("10959", dup201); + +var msg13407 = msg("10960", dup276); + +var msg13408 = msg("10961", dup276); + +var msg13409 = msg("10962", dup276); + +var msg13410 = msg("10963", dup276); + +var msg13411 = msg("10964", dup201); + +var msg13412 = msg("10965", dup276); + +var msg13413 = msg("10966", dup201); + +var msg13414 = msg("10967", dup201); + +var msg13415 = msg("10968", dup276); + +var msg13416 = msg("10969", dup276); + +var msg13417 = msg("10970", dup201); + +var msg13418 = msg("10971", dup201); + +var msg13419 = msg("10972", dup201); + +var msg13420 = msg("10973", dup201); + +var msg13421 = msg("10974", dup276); + +var msg13422 = msg("10975", dup276); + +var msg13423 = msg("10976", dup276); + +var msg13424 = msg("10977", dup276); + +var msg13425 = msg("10978", dup265); + +var msg13426 = msg("10979", dup265); + +var msg13427 = msg("10980", dup265); + +var msg13428 = msg("10981", dup265); + +var msg13429 = msg("10982", dup265); + +var msg13430 = msg("10983", dup265); + +var msg13431 = msg("10984", dup265); + +var msg13432 = msg("10985", dup265); + +var msg13433 = msg("10986", dup265); + +var msg13434 = msg("10987", dup265); + +var msg13435 = msg("10988", dup265); + +var msg13436 = msg("10989", dup265); + +var msg13437 = msg("10990", dup265); + +var msg13438 = msg("10991", dup265); + +var msg13439 = msg("10992", dup265); + +var msg13440 = msg("10993", dup265); + +var msg13441 = msg("10994", dup265); + +var msg13442 = msg("10995", dup198); + +var msg13443 = msg("10996", dup265); + +var msg13444 = msg("10997", dup267); + +var msg13445 = msg("10998", dup197); + +var msg13446 = msg("10999", dup265); + +var msg13447 = msg("11000", dup222); + +var msg13448 = msg("11001", dup222); + +var msg13449 = msg("11002", dup222); + +var msg13450 = msg("11003", dup222); + +var msg13451 = msg("11004", dup197); + +var msg13452 = msg("11005", dup276); + +var msg13453 = msg("11006", dup276); + +var msg13454 = msg("11007", dup276); + +var msg13455 = msg("11008", dup276); + +var msg13456 = msg("11009", dup276); + +var msg13457 = msg("11010", dup276); + +var msg13458 = msg("11011", dup276); + +var msg13459 = msg("11012", dup276); + +var msg13460 = msg("11013", dup276); + +var msg13461 = msg("11014", dup276); + +var msg13462 = msg("11015", dup276); + +var msg13463 = msg("11016", dup276); + +var msg13464 = msg("11017", dup276); + +var msg13465 = msg("11018", dup276); + +var msg13466 = msg("11019", dup276); + +var msg13467 = msg("11020", dup276); + +var msg13468 = msg("11021", dup276); + +var msg13469 = msg("11022", dup276); + +var msg13470 = msg("11023", dup276); + +var msg13471 = msg("11024", dup276); + +var msg13472 = msg("11025", dup276); + +var msg13473 = msg("11026", dup276); + +var msg13474 = msg("11027", dup276); + +var msg13475 = msg("11028", dup276); + +var msg13476 = msg("11029", dup276); + +var msg13477 = msg("11030", dup276); + +var msg13478 = msg("11031", dup276); + +var msg13479 = msg("11032", dup276); + +var msg13480 = msg("11033", dup276); + +var msg13481 = msg("11034", dup276); + +var msg13482 = msg("11035", dup276); + +var msg13483 = msg("11036", dup276); + +var msg13484 = msg("11037", dup276); + +var msg13485 = msg("11038", dup276); + +var msg13486 = msg("11039", dup276); + +var msg13487 = msg("11040", dup276); + +var msg13488 = msg("11041", dup276); + +var msg13489 = msg("11042", dup276); + +var msg13490 = msg("11043", dup276); + +var msg13491 = msg("11044", dup276); + +var msg13492 = msg("11045", dup276); + +var msg13493 = msg("11046", dup276); + +var msg13494 = msg("11047", dup276); + +var msg13495 = msg("11048", dup276); + +var msg13496 = msg("11049", dup276); + +var msg13497 = msg("11050", dup276); + +var msg13498 = msg("11051", dup276); + +var msg13499 = msg("11052", dup276); + +var msg13500 = msg("11053", dup276); + +var msg13501 = msg("11054", dup276); + +var msg13502 = msg("11055", dup276); + +var msg13503 = msg("11056", dup276); + +var msg13504 = msg("11057", dup276); + +var msg13505 = msg("11058", dup276); + +var msg13506 = msg("11059", dup276); + +var msg13507 = msg("11060", dup276); + +var msg13508 = msg("11061", dup276); + +var msg13509 = msg("11062", dup276); + +var msg13510 = msg("11063", dup276); + +var msg13511 = msg("11064", dup276); + +var msg13512 = msg("11065", dup276); + +var msg13513 = msg("11066", dup276); + +var msg13514 = msg("11067", dup276); + +var msg13515 = msg("11068", dup276); + +var msg13516 = msg("11069", dup276); + +var msg13517 = msg("11070", dup276); + +var msg13518 = msg("11071", dup276); + +var msg13519 = msg("11072", dup276); + +var msg13520 = msg("11073", dup276); + +var msg13521 = msg("11074", dup276); + +var msg13522 = msg("11075", dup276); + +var msg13523 = msg("11076", dup276); + +var msg13524 = msg("11077", dup276); + +var msg13525 = msg("11078", dup276); + +var msg13526 = msg("11079", dup276); + +var msg13527 = msg("11080", dup276); + +var msg13528 = msg("11081", dup276); + +var msg13529 = msg("11082", dup276); + +var msg13530 = msg("11083", dup276); + +var msg13531 = msg("11084", dup276); + +var msg13532 = msg("11085", dup276); + +var msg13533 = msg("11086", dup276); + +var msg13534 = msg("11087", dup276); + +var msg13535 = msg("11088", dup276); + +var msg13536 = msg("11089", dup276); + +var msg13537 = msg("11090", dup276); + +var msg13538 = msg("11091", dup276); + +var msg13539 = msg("11092", dup276); + +var msg13540 = msg("11093", dup276); + +var msg13541 = msg("11094", dup276); + +var msg13542 = msg("11095", dup276); + +var msg13543 = msg("11096", dup276); + +var msg13544 = msg("11097", dup276); + +var msg13545 = msg("11098", dup276); + +var msg13546 = msg("11099", dup276); + +var msg13547 = msg("11100", dup276); + +var msg13548 = msg("11101", dup276); + +var msg13549 = msg("11102", dup276); + +var msg13550 = msg("11103", dup276); + +var msg13551 = msg("11104", dup276); + +var msg13552 = msg("11105", dup276); + +var msg13553 = msg("11106", dup276); + +var msg13554 = msg("11107", dup276); + +var msg13555 = msg("11108", dup276); + +var msg13556 = msg("11109", dup276); + +var msg13557 = msg("11110", dup276); + +var msg13558 = msg("11111", dup276); + +var msg13559 = msg("11112", dup276); + +var msg13560 = msg("11113", dup276); + +var msg13561 = msg("11114", dup276); + +var msg13562 = msg("11115", dup276); + +var msg13563 = msg("11116", dup276); + +var msg13564 = msg("11117", dup276); + +var msg13565 = msg("11118", dup276); + +var msg13566 = msg("11119", dup276); + +var msg13567 = msg("11120", dup276); + +var msg13568 = msg("11121", dup276); + +var msg13569 = msg("11122", dup276); + +var msg13570 = msg("11123", dup276); + +var msg13571 = msg("11124", dup276); + +var msg13572 = msg("11125", dup276); + +var msg13573 = msg("11126", dup276); + +var msg13574 = msg("11127", dup276); + +var msg13575 = msg("11128", dup276); + +var msg13576 = msg("11129", dup276); + +var msg13577 = msg("11130", dup276); + +var msg13578 = msg("11131", dup276); + +var msg13579 = msg("11132", dup276); + +var msg13580 = msg("11133", dup276); + +var msg13581 = msg("11134", dup276); + +var msg13582 = msg("11135", dup276); + +var msg13583 = msg("11136", dup276); + +var msg13584 = msg("11137", dup276); + +var msg13585 = msg("11138", dup276); + +var msg13586 = msg("11139", dup276); + +var msg13587 = msg("11140", dup276); + +var msg13588 = msg("11141", dup276); + +var msg13589 = msg("11142", dup276); + +var msg13590 = msg("11143", dup276); + +var msg13591 = msg("11144", dup276); + +var msg13592 = msg("11145", dup276); + +var msg13593 = msg("11146", dup276); + +var msg13594 = msg("11147", dup276); + +var msg13595 = msg("11148", dup276); + +var msg13596 = msg("11149", dup276); + +var msg13597 = msg("11150", dup276); + +var msg13598 = msg("11151", dup276); + +var msg13599 = msg("11152", dup276); + +var msg13600 = msg("11153", dup276); + +var msg13601 = msg("11154", dup276); + +var msg13602 = msg("11155", dup276); + +var msg13603 = msg("11156", dup276); + +var msg13604 = msg("11157", dup276); + +var msg13605 = msg("11158", dup276); + +var msg13606 = msg("11159", dup276); + +var msg13607 = msg("11160", dup276); + +var msg13608 = msg("11161", dup276); + +var msg13609 = msg("11162", dup276); + +var msg13610 = msg("11163", dup276); + +var msg13611 = msg("11164", dup276); + +var msg13612 = msg("11165", dup276); + +var msg13613 = msg("11166", dup276); + +var msg13614 = msg("11167", dup276); + +var msg13615 = msg("11168", dup276); + +var msg13616 = msg("11169", dup276); + +var msg13617 = msg("11170", dup276); + +var msg13618 = msg("11171", dup276); + +var msg13619 = msg("11172", dup276); + +var msg13620 = msg("11173", dup276); + +var msg13621 = msg("11174", dup276); + +var msg13622 = msg("11175", dup201); + +var msg13623 = msg("11176", dup265); + +var msg13624 = msg("11177", dup265); + +var msg13625 = msg("11178", dup265); + +var msg13626 = msg("11179", dup265); + +var msg13627 = msg("11180", dup196); + +var msg13628 = msg("11181", dup265); + +var msg13629 = msg("11182", dup265); + +var msg13630 = msg("11183", dup265); + +var msg13631 = msg("11184", dup265); + +var msg13632 = msg("11185", dup198); + +var msg13633 = msg("11186", dup198); + +var msg13634 = msg("11187", dup265); + +var msg13635 = msg("11188", dup265); + +var msg13636 = msg("11189", dup265); + +var msg13637 = msg("11190", dup265); + +var msg13638 = msg("11191", dup196); + +var msg13639 = msg("11192", dup196); + +var msg13640 = msg("11193", dup240); + +var msg13641 = msg("11194", dup240); + +var msg13642 = msg("11196", dup197); + +var msg13643 = msg("11197", dup265); + +var msg13644 = msg("11198", dup265); + +var msg13645 = msg("11199", dup265); + +var msg13646 = msg("11200", dup265); + +var msg13647 = msg("11201", dup265); + +var msg13648 = msg("11202", dup265); + +var msg13649 = msg("11203", dup196); + +var msg13650 = msg("11204", dup196); + +var msg13651 = msg("11205", dup196); + +var msg13652 = msg("11206", dup265); + +var msg13653 = msg("11207", dup265); + +var msg13654 = msg("11208", dup265); + +var msg13655 = msg("11209", dup265); + +var msg13656 = msg("11210", dup265); + +var msg13657 = msg("11211", dup265); + +var msg13658 = msg("11212", dup265); + +var msg13659 = msg("11213", dup265); + +var msg13660 = msg("11214", dup265); + +var msg13661 = msg("11215", dup265); + +var msg13662 = msg("11216", dup265); + +var msg13663 = msg("11217", dup265); + +var msg13664 = msg("11218", dup265); + +var msg13665 = msg("11219", dup265); + +var msg13666 = msg("11220", dup265); + +var msg13667 = msg("11221", dup265); + +var msg13668 = msg("11222", dup198); + +var msg13669 = msg("11223", dup269); + +var msg13670 = msg("11224", dup265); + +var msg13671 = msg("11225", dup265); + +var msg13672 = msg("11226", dup265); + +var msg13673 = msg("11227", dup265); + +var msg13674 = msg("11228", dup265); + +var msg13675 = msg("11229", dup265); + +var msg13676 = msg("11230", dup265); + +var msg13677 = msg("11231", dup265); + +var msg13678 = msg("11232", dup265); + +var msg13679 = msg("11233", dup265); + +var msg13680 = msg("11234", dup265); + +var msg13681 = msg("11235", dup265); + +var msg13682 = msg("11236", dup265); + +var msg13683 = msg("11237", dup265); + +var msg13684 = msg("11238", dup265); + +var msg13685 = msg("11239", dup265); + +var msg13686 = msg("11240", dup265); + +var msg13687 = msg("11241", dup265); + +var msg13688 = msg("11242", dup265); + +var msg13689 = msg("11243", dup265); + +var msg13690 = msg("11244", dup265); + +var msg13691 = msg("11245", dup265); + +var msg13692 = msg("11246", dup265); + +var msg13693 = msg("11247", dup265); + +var msg13694 = msg("11248", dup265); + +var msg13695 = msg("11249", dup265); + +var msg13696 = msg("11250", dup265); + +var msg13697 = msg("11251", dup265); + +var msg13698 = msg("11252", dup265); + +var msg13699 = msg("11253", dup265); + +var msg13700 = msg("11254", dup265); + +var msg13701 = msg("11255", dup265); + +var msg13702 = msg("11256", dup265); + +var msg13703 = msg("11257", dup267); + +var msg13704 = msg("11258", dup197); + +var msg13705 = msg("11259", dup265); + +var msg13706 = msg("11260", dup265); + +var msg13707 = msg("11261", dup265); + +var msg13708 = msg("11262", dup265); + +var msg13709 = msg("11263", dup198); + +var msg13710 = msg("11264", dup260); + +var msg13711 = msg("11265", dup222); + +var msg13712 = msg("11266", dup222); + +var msg13713 = msg("11267", dup267); + +var msg13714 = msg("11268", dup194); + +var msg13715 = msg("11269", dup194); + +var msg13716 = msg("11270", dup194); + +var msg13717 = msg("11271", dup194); + +var msg13718 = msg("11272", dup267); + +var msg13719 = msg("11273", dup198); + +var msg13720 = msg("11274", dup265); + +var msg13721 = msg("11275", dup265); + +var msg13722 = msg("11276", dup265); + +var msg13723 = msg("11277", dup265); + +var msg13724 = msg("11278", dup265); + +var msg13725 = msg("11279", dup265); + +var msg13726 = msg("11280", dup265); + +var msg13727 = msg("11281", dup265); + +var msg13728 = msg("11282", dup265); + +var msg13729 = msg("11283", dup265); + +var msg13730 = msg("11284", dup265); + +var msg13731 = msg("11285", dup265); + +var msg13732 = msg("11286", dup265); + +var msg13733 = msg("11287", dup265); + +var msg13734 = msg("11288", dup287); + +var msg13735 = msg("11289", dup198); + +var msg13736 = msg("11290", dup197); + +var msg13737 = msg("11291", dup265); + +var msg13738 = msg("11292", dup265); + +var msg13739 = msg("11293", dup265); + +var msg13740 = msg("11294", dup265); + +var msg13741 = msg("11295", dup265); + +var msg13742 = msg("11296", dup265); + +var msg13743 = msg("11297", dup265); + +var msg13744 = msg("11298", dup265); + +var msg13745 = msg("11299", dup265); + +var msg13746 = msg("11300", dup265); + +var msg13747 = msg("11301", dup265); + +var msg13748 = msg("11302", dup265); + +var msg13749 = msg("11303", dup265); + +var msg13750 = msg("11304", dup265); + +var msg13751 = msg("11305", dup303); + +var msg13752 = msg("11306", dup303); + +var msg13753 = msg("11307", dup303); + +var msg13754 = msg("11308", dup303); + +var msg13755 = msg("11309", dup303); + +var msg13756 = msg("11310", dup303); + +var msg13757 = msg("11311", dup303); + +var msg13758 = msg("11312", dup303); + +var msg13759 = msg("11313", dup303); + +var msg13760 = msg("11314", dup192); + +var msg13761 = msg("11315", dup192); + +var msg13762 = msg("11316", dup192); + +var msg13763 = msg("11317", dup192); + +var msg13764 = msg("11318", dup192); + +var msg13765 = msg("11319", dup192); + +var msg13766 = msg("11320", dup192); + +var msg13767 = msg("11321", dup192); + +var msg13768 = msg("11322", dup192); + +var msg13769 = msg("11323", dup192); + +var msg13770 = msg("11324", dup265); + +var msg13771 = msg("11325", dup265); + +var msg13772 = msg("11326", dup276); + +var msg13773 = msg("11327", dup276); + +var msg13774 = msg("11328", dup276); + +var msg13775 = msg("11329", dup276); + +var msg13776 = msg("11330", dup276); + +var msg13777 = msg("11331", dup276); + +var msg13778 = msg("11332", dup276); + +var msg13779 = msg("11333", dup276); + +var msg13780 = msg("11334", dup276); + +var msg13781 = msg("11335", dup276); + +var msg13782 = msg("11336", dup276); + +var msg13783 = msg("11337", dup276); + +var msg13784 = msg("11338", dup276); + +var msg13785 = msg("11339", dup276); + +var msg13786 = msg("11340", dup276); + +var msg13787 = msg("11341", dup276); + +var msg13788 = msg("11342", dup276); + +var msg13789 = msg("11343", dup276); + +var msg13790 = msg("11344", dup276); + +var msg13791 = msg("11345", dup276); + +var msg13792 = msg("11346", dup276); + +var msg13793 = msg("11347", dup276); + +var msg13794 = msg("11348", dup276); + +var msg13795 = msg("11349", dup276); + +var msg13796 = msg("11350", dup276); + +var msg13797 = msg("11351", dup276); + +var msg13798 = msg("11352", dup276); + +var msg13799 = msg("11353", dup276); + +var msg13800 = msg("11354", dup276); + +var msg13801 = msg("11355", dup276); + +var msg13802 = msg("11356", dup276); + +var msg13803 = msg("11357", dup276); + +var msg13804 = msg("11358", dup276); + +var msg13805 = msg("11359", dup276); + +var msg13806 = msg("11360", dup276); + +var msg13807 = msg("11361", dup276); + +var msg13808 = msg("11362", dup276); + +var msg13809 = msg("11363", dup276); + +var msg13810 = msg("11364", dup276); + +var msg13811 = msg("11365", dup276); + +var msg13812 = msg("11366", dup276); + +var msg13813 = msg("11367", dup276); + +var msg13814 = msg("11368", dup276); + +var msg13815 = msg("11369", dup276); + +var msg13816 = msg("11370", dup276); + +var msg13817 = msg("11371", dup276); + +var msg13818 = msg("11372", dup276); + +var msg13819 = msg("11373", dup276); + +var msg13820 = msg("11374", dup276); + +var msg13821 = msg("11375", dup276); + +var msg13822 = msg("11376", dup276); + +var msg13823 = msg("11377", dup276); + +var msg13824 = msg("11378", dup276); + +var msg13825 = msg("11379", dup276); + +var msg13826 = msg("11380", dup276); + +var msg13827 = msg("11381", dup276); + +var msg13828 = msg("11382", dup276); + +var msg13829 = msg("11383", dup276); + +var msg13830 = msg("11384", dup276); + +var msg13831 = msg("11385", dup276); + +var msg13832 = msg("11386", dup276); + +var msg13833 = msg("11387", dup276); + +var msg13834 = msg("11388", dup276); + +var msg13835 = msg("11389", dup276); + +var msg13836 = msg("11390", dup276); + +var msg13837 = msg("11391", dup276); + +var msg13838 = msg("11392", dup276); + +var msg13839 = msg("11393", dup276); + +var msg13840 = msg("11394", dup276); + +var msg13841 = msg("11395", dup276); + +var msg13842 = msg("11396", dup276); + +var msg13843 = msg("11397", dup276); + +var msg13844 = msg("11398", dup276); + +var msg13845 = msg("11399", dup276); + +var msg13846 = msg("11400", dup276); + +var msg13847 = msg("11401", dup276); + +var msg13848 = msg("11402", dup276); + +var msg13849 = msg("11403", dup276); + +var msg13850 = msg("11404", dup276); + +var msg13851 = msg("11405", dup276); + +var msg13852 = msg("11406", dup276); + +var msg13853 = msg("11407", dup276); + +var msg13854 = msg("11408", dup276); + +var msg13855 = msg("11409", dup276); + +var msg13856 = msg("11410", dup276); + +var msg13857 = msg("11411", dup276); + +var msg13858 = msg("11412", dup276); + +var msg13859 = msg("11413", dup276); + +var msg13860 = msg("11414", dup276); + +var msg13861 = msg("11415", dup276); + +var msg13862 = msg("11416", dup276); + +var msg13863 = msg("11417", dup276); + +var msg13864 = msg("11418", dup276); + +var msg13865 = msg("11419", dup276); + +var msg13866 = msg("11420", dup276); + +var msg13867 = msg("11421", dup276); + +var msg13868 = msg("11422", dup276); + +var msg13869 = msg("11423", dup276); + +var msg13870 = msg("11424", dup276); + +var msg13871 = msg("11425", dup276); + +var msg13872 = msg("11426", dup276); + +var msg13873 = msg("11427", dup276); + +var msg13874 = msg("11428", dup276); + +var msg13875 = msg("11429", dup276); + +var msg13876 = msg("11430", dup276); + +var msg13877 = msg("11431", dup276); + +var msg13878 = msg("11432", dup276); + +var msg13879 = msg("11433", dup276); + +var msg13880 = msg("11434", dup276); + +var msg13881 = msg("11435", dup276); + +var msg13882 = msg("11436", dup276); + +var msg13883 = msg("11437", dup276); + +var msg13884 = msg("11438", dup276); + +var msg13885 = msg("11439", dup276); + +var msg13886 = msg("11440", dup276); + +var msg13887 = msg("11441", dup276); + +var msg13888 = msg("11442", dup276); + +var msg13889 = msg("11443", dup276); + +var msg13890 = msg("11444", dup276); + +var msg13891 = msg("11445", dup276); + +var msg13892 = msg("11446", dup276); + +var msg13893 = msg("11447", dup276); + +var msg13894 = msg("11448", dup276); + +var msg13895 = msg("11449", dup276); + +var msg13896 = msg("11450", dup276); + +var msg13897 = msg("11451", dup276); + +var msg13898 = msg("11452", dup276); + +var msg13899 = msg("11453", dup276); + +var msg13900 = msg("11454", dup276); + +var msg13901 = msg("11455", dup276); + +var msg13902 = msg("11456", dup276); + +var msg13903 = msg("11457", dup276); + +var msg13904 = msg("11458", dup276); + +var msg13905 = msg("11459", dup276); + +var msg13906 = msg("11460", dup276); + +var msg13907 = msg("11461", dup276); + +var msg13908 = msg("11462", dup276); + +var msg13909 = msg("11463", dup276); + +var msg13910 = msg("11464", dup276); + +var msg13911 = msg("11465", dup276); + +var msg13912 = msg("11466", dup276); + +var msg13913 = msg("11467", dup276); + +var msg13914 = msg("11468", dup276); + +var msg13915 = msg("11469", dup276); + +var msg13916 = msg("11470", dup276); + +var msg13917 = msg("11471", dup276); + +var msg13918 = msg("11472", dup276); + +var msg13919 = msg("11473", dup276); + +var msg13920 = msg("11474", dup276); + +var msg13921 = msg("11475", dup276); + +var msg13922 = msg("11476", dup276); + +var msg13923 = msg("11477", dup276); + +var msg13924 = msg("11478", dup276); + +var msg13925 = msg("11479", dup276); + +var msg13926 = msg("11480", dup276); + +var msg13927 = msg("11481", dup276); + +var msg13928 = msg("11482", dup276); + +var msg13929 = msg("11483", dup276); + +var msg13930 = msg("11484", dup276); + +var msg13931 = msg("11485", dup276); + +var msg13932 = msg("11486", dup276); + +var msg13933 = msg("11487", dup276); + +var msg13934 = msg("11488", dup276); + +var msg13935 = msg("11489", dup276); + +var msg13936 = msg("11490", dup276); + +var msg13937 = msg("11491", dup276); + +var msg13938 = msg("11492", dup276); + +var msg13939 = msg("11493", dup276); + +var msg13940 = msg("11494", dup276); + +var msg13941 = msg("11495", dup276); + +var msg13942 = msg("11496", dup276); + +var msg13943 = msg("11497", dup276); + +var msg13944 = msg("11498", dup276); + +var msg13945 = msg("11499", dup276); + +var msg13946 = msg("11500", dup276); + +var msg13947 = msg("11501", dup276); + +var msg13948 = msg("11502", dup276); + +var msg13949 = msg("11503", dup276); + +var msg13950 = msg("11504", dup276); + +var msg13951 = msg("11505", dup276); + +var msg13952 = msg("11506", dup276); + +var msg13953 = msg("11507", dup276); + +var msg13954 = msg("11508", dup276); + +var msg13955 = msg("11509", dup276); + +var msg13956 = msg("11510", dup276); + +var msg13957 = msg("11511", dup276); + +var msg13958 = msg("11512", dup276); + +var msg13959 = msg("11513", dup276); + +var msg13960 = msg("11514", dup276); + +var msg13961 = msg("11515", dup276); + +var msg13962 = msg("11516", dup276); + +var msg13963 = msg("11517", dup276); + +var msg13964 = msg("11518", dup276); + +var msg13965 = msg("11519", dup276); + +var msg13966 = msg("11520", dup276); + +var msg13967 = msg("11521", dup276); + +var msg13968 = msg("11522", dup276); + +var msg13969 = msg("11523", dup276); + +var msg13970 = msg("11524", dup276); + +var msg13971 = msg("11525", dup276); + +var msg13972 = msg("11526", dup276); + +var msg13973 = msg("11527", dup276); + +var msg13974 = msg("11528", dup276); + +var msg13975 = msg("11529", dup276); + +var msg13976 = msg("11530", dup276); + +var msg13977 = msg("11531", dup276); + +var msg13978 = msg("11532", dup276); + +var msg13979 = msg("11533", dup276); + +var msg13980 = msg("11534", dup276); + +var msg13981 = msg("11535", dup276); + +var msg13982 = msg("11536", dup276); + +var msg13983 = msg("11537", dup276); + +var msg13984 = msg("11538", dup276); + +var msg13985 = msg("11539", dup276); + +var msg13986 = msg("11540", dup276); + +var msg13987 = msg("11541", dup276); + +var msg13988 = msg("11542", dup276); + +var msg13989 = msg("11543", dup276); + +var msg13990 = msg("11544", dup276); + +var msg13991 = msg("11545", dup276); + +var msg13992 = msg("11546", dup276); + +var msg13993 = msg("11547", dup276); + +var msg13994 = msg("11548", dup276); + +var msg13995 = msg("11549", dup276); + +var msg13996 = msg("11550", dup276); + +var msg13997 = msg("11551", dup276); + +var msg13998 = msg("11552", dup276); + +var msg13999 = msg("11553", dup276); + +var msg14000 = msg("11554", dup276); + +var msg14001 = msg("11555", dup276); + +var msg14002 = msg("11556", dup276); + +var msg14003 = msg("11557", dup276); + +var msg14004 = msg("11558", dup276); + +var msg14005 = msg("11559", dup276); + +var msg14006 = msg("11560", dup276); + +var msg14007 = msg("11561", dup276); + +var msg14008 = msg("11562", dup276); + +var msg14009 = msg("11563", dup276); + +var msg14010 = msg("11564", dup276); + +var msg14011 = msg("11565", dup276); + +var msg14012 = msg("11566", dup276); + +var msg14013 = msg("11567", dup276); + +var msg14014 = msg("11568", dup276); + +var msg14015 = msg("11569", dup276); + +var msg14016 = msg("11570", dup276); + +var msg14017 = msg("11571", dup276); + +var msg14018 = msg("11572", dup276); + +var msg14019 = msg("11573", dup276); + +var msg14020 = msg("11574", dup276); + +var msg14021 = msg("11575", dup276); + +var msg14022 = msg("11576", dup276); + +var msg14023 = msg("11577", dup276); + +var msg14024 = msg("11578", dup276); + +var msg14025 = msg("11579", dup276); + +var msg14026 = msg("11580", dup276); + +var msg14027 = msg("11581", dup276); + +var msg14028 = msg("11582", dup276); + +var msg14029 = msg("11583", dup276); + +var msg14030 = msg("11584", dup276); + +var msg14031 = msg("11585", dup276); + +var msg14032 = msg("11586", dup276); + +var msg14033 = msg("11587", dup276); + +var msg14034 = msg("11588", dup201); + +var msg14035 = msg("11589", dup201); + +var msg14036 = msg("11590", dup201); + +var msg14037 = msg("11591", dup276); + +var msg14038 = msg("11592", dup276); + +var msg14039 = msg("11593", dup276); + +var msg14040 = msg("11594", dup276); + +var msg14041 = msg("11595", dup201); + +var msg14042 = msg("11596", dup201); + +var msg14043 = msg("11597", dup276); + +var msg14044 = msg("11598", dup201); + +var msg14045 = msg("11599", dup276); + +var msg14046 = msg("11600", dup276); + +var msg14047 = msg("11601", dup201); + +var msg14048 = msg("11602", dup276); + +var msg14049 = msg("11603", dup276); + +var msg14050 = msg("11604", dup276); + +var msg14051 = msg("11605", dup201); + +var msg14052 = msg("11606", dup276); + +var msg14053 = msg("11607", dup276); + +var msg14054 = msg("11608", dup276); + +var msg14055 = msg("11609", dup201); + +var msg14056 = msg("11610", dup201); + +var msg14057 = msg("11611", dup276); + +var msg14058 = msg("11612", dup201); + +var msg14059 = msg("11613", dup201); + +var msg14060 = msg("11614", dup276); + +var msg14061 = msg("11615", dup276); + +var msg14062 = msg("11616", dup260); + +var msg14063 = msg("11617", dup197); + +var msg14064 = msg("11618", dup197); + +var msg14065 = msg("11619", dup260); + +var msg14066 = msg("11620", dup265); + +var msg14067 = msg("11621", dup265); + +var msg14068 = msg("11622", dup265); + +var msg14069 = msg("11623", dup265); + +var msg14070 = msg("11624", dup265); + +var msg14071 = msg("11625", dup265); + +var msg14072 = msg("11626", dup265); + +var msg14073 = msg("11627", dup265); + +var msg14074 = msg("11628", dup265); + +var msg14075 = msg("11629", dup265); + +var msg14076 = msg("11630", dup265); + +var msg14077 = msg("11631", dup265); + +var msg14078 = msg("11632", dup265); + +var msg14079 = msg("11633", dup265); + +var msg14080 = msg("11634", dup265); + +var msg14081 = msg("11635", dup265); + +var msg14082 = msg("11636", dup265); + +var msg14083 = msg("11637", dup265); + +var msg14084 = msg("11638", dup265); + +var msg14085 = msg("11639", dup265); + +var msg14086 = msg("11640", dup265); + +var msg14087 = msg("11641", dup265); + +var msg14088 = msg("11642", dup265); + +var msg14089 = msg("11643", dup265); + +var msg14090 = msg("11644", dup265); + +var msg14091 = msg("11645", dup265); + +var msg14092 = msg("11646", dup265); + +var msg14093 = msg("11647", dup265); + +var msg14094 = msg("11648", dup265); + +var msg14095 = msg("11649", dup265); + +var msg14096 = msg("11650", dup265); + +var msg14097 = msg("11651", dup265); + +var msg14098 = msg("11652", dup265); + +var msg14099 = msg("11653", dup265); + +var msg14100 = msg("11654", dup265); + +var msg14101 = msg("11655", dup265); + +var msg14102 = msg("11656", dup265); + +var msg14103 = msg("11657", dup265); + +var msg14104 = msg("11658", dup265); + +var msg14105 = msg("11659", dup265); + +var msg14106 = msg("11660", dup265); + +var msg14107 = msg("11661", dup265); + +var msg14108 = msg("11662", dup265); + +var msg14109 = msg("11663", dup265); + +var msg14110 = msg("11664", dup265); + +var msg14111 = msg("11665", dup265); + +var msg14112 = msg("11666", dup265); + +var msg14113 = msg("11667", dup265); + +var msg14114 = msg("11668", dup267); + +var msg14115 = msg("11669", dup222); + +var msg14116 = msg("11670", dup197); + +var msg14117 = msg("11671", dup265); + +var msg14118 = msg("11672", dup222); + +var msg14119 = msg("11673", dup265); + +var msg14120 = msg("11674", dup265); + +var msg14121 = msg("11675", dup265); + +var msg14122 = msg("11676", dup265); + +var msg14123 = msg("11677", dup265); + +var msg14124 = msg("11678", dup265); + +var msg14125 = msg("11679", dup267); + +var msg14126 = msg("11680", dup222); + +var msg14127 = msg("11681", dup196); + +var msg14128 = msg("11682", dup287); + +var msg14129 = msg("11683", dup260); + +var msg14130 = msg("11684", dup222); + +var msg14131 = msg("11685", dup240); + +var msg14132 = msg("11686", dup222); + +var msg14133 = msg("11687", dup196); + +var msg14134 = msg("11688", dup276); + +var msg14135 = msg("11689", dup276); + +var msg14136 = msg("11690", dup276); + +var msg14137 = msg("11691", dup276); + +var msg14138 = msg("11692", dup276); + +var msg14139 = msg("11693", dup276); + +var msg14140 = msg("11694", dup276); + +var msg14141 = msg("11695", dup276); + +var msg14142 = msg("11696", dup276); + +var msg14143 = msg("11697", dup276); + +var msg14144 = msg("11698", dup276); + +var msg14145 = msg("11699", dup276); + +var msg14146 = msg("11700", dup276); + +var msg14147 = msg("11701", dup276); + +var msg14148 = msg("11702", dup276); + +var msg14149 = msg("11703", dup276); + +var msg14150 = msg("11704", dup276); + +var msg14151 = msg("11705", dup276); + +var msg14152 = msg("11706", dup276); + +var msg14153 = msg("11707", dup276); + +var msg14154 = msg("11708", dup276); + +var msg14155 = msg("11709", dup276); + +var msg14156 = msg("11710", dup276); + +var msg14157 = msg("11711", dup276); + +var msg14158 = msg("11712", dup276); + +var msg14159 = msg("11713", dup276); + +var msg14160 = msg("11714", dup276); + +var msg14161 = msg("11715", dup276); + +var msg14162 = msg("11716", dup276); + +var msg14163 = msg("11717", dup276); + +var msg14164 = msg("11718", dup276); + +var msg14165 = msg("11719", dup276); + +var msg14166 = msg("11720", dup276); + +var msg14167 = msg("11721", dup276); + +var msg14168 = msg("11722", dup276); + +var msg14169 = msg("11723", dup276); + +var msg14170 = msg("11724", dup276); + +var msg14171 = msg("11725", dup276); + +var msg14172 = msg("11726", dup276); + +var msg14173 = msg("11727", dup276); + +var msg14174 = msg("11728", dup276); + +var msg14175 = msg("11729", dup276); + +var msg14176 = msg("11730", dup276); + +var msg14177 = msg("11731", dup276); + +var msg14178 = msg("11732", dup276); + +var msg14179 = msg("11733", dup276); + +var msg14180 = msg("11734", dup276); + +var msg14181 = msg("11735", dup276); + +var msg14182 = msg("11736", dup276); + +var msg14183 = msg("11737", dup276); + +var msg14184 = msg("11738", dup276); + +var msg14185 = msg("11739", dup276); + +var msg14186 = msg("11740", dup276); + +var msg14187 = msg("11741", dup276); + +var msg14188 = msg("11742", dup276); + +var msg14189 = msg("11743", dup276); + +var msg14190 = msg("11744", dup276); + +var msg14191 = msg("11745", dup276); + +var msg14192 = msg("11746", dup276); + +var msg14193 = msg("11747", dup276); + +var msg14194 = msg("11748", dup276); + +var msg14195 = msg("11749", dup276); + +var msg14196 = msg("11750", dup276); + +var msg14197 = msg("11751", dup276); + +var msg14198 = msg("11752", dup276); + +var msg14199 = msg("11753", dup276); + +var msg14200 = msg("11754", dup276); + +var msg14201 = msg("11755", dup276); + +var msg14202 = msg("11756", dup276); + +var msg14203 = msg("11757", dup276); + +var msg14204 = msg("11758", dup276); + +var msg14205 = msg("11759", dup276); + +var msg14206 = msg("11760", dup276); + +var msg14207 = msg("11761", dup276); + +var msg14208 = msg("11762", dup276); + +var msg14209 = msg("11763", dup276); + +var msg14210 = msg("11764", dup276); + +var msg14211 = msg("11765", dup276); + +var msg14212 = msg("11766", dup276); + +var msg14213 = msg("11767", dup276); + +var msg14214 = msg("11768", dup276); + +var msg14215 = msg("11769", dup276); + +var msg14216 = msg("11770", dup276); + +var msg14217 = msg("11771", dup276); + +var msg14218 = msg("11772", dup276); + +var msg14219 = msg("11773", dup276); + +var msg14220 = msg("11774", dup276); + +var msg14221 = msg("11775", dup276); + +var msg14222 = msg("11776", dup276); + +var msg14223 = msg("11777", dup276); + +var msg14224 = msg("11778", dup276); + +var msg14225 = msg("11779", dup276); + +var msg14226 = msg("11780", dup276); + +var msg14227 = msg("11781", dup276); + +var msg14228 = msg("11782", dup276); + +var msg14229 = msg("11783", dup276); + +var msg14230 = msg("11784", dup276); + +var msg14231 = msg("11785", dup276); + +var msg14232 = msg("11786", dup276); + +var msg14233 = msg("11787", dup276); + +var msg14234 = msg("11788", dup276); + +var msg14235 = msg("11789", dup276); + +var msg14236 = msg("11790", dup276); + +var msg14237 = msg("11791", dup276); + +var msg14238 = msg("11792", dup276); + +var msg14239 = msg("11793", dup276); + +var msg14240 = msg("11794", dup276); + +var msg14241 = msg("11795", dup276); + +var msg14242 = msg("11796", dup276); + +var msg14243 = msg("11797", dup276); + +var msg14244 = msg("11798", dup276); + +var msg14245 = msg("11799", dup276); + +var msg14246 = msg("11800", dup276); + +var msg14247 = msg("11801", dup276); + +var msg14248 = msg("11802", dup276); + +var msg14249 = msg("11803", dup276); + +var msg14250 = msg("11804", dup276); + +var msg14251 = msg("11805", dup276); + +var msg14252 = msg("11806", dup276); + +var msg14253 = msg("11807", dup276); + +var msg14254 = msg("11808", dup276); + +var msg14255 = msg("11809", dup276); + +var msg14256 = msg("11810", dup276); + +var msg14257 = msg("11811", dup276); + +var msg14258 = msg("11812", dup276); + +var msg14259 = msg("11813", dup276); + +var msg14260 = msg("11814", dup276); + +var msg14261 = msg("11815", dup276); + +var msg14262 = msg("11816", dup196); + +var msg14263 = msg("11817", dup265); + +var msg14264 = msg("11818", dup265); + +var msg14265 = msg("11819", dup265); + +var msg14266 = msg("11820", dup265); + +var msg14267 = msg("11821", dup265); + +var msg14268 = msg("11822", dup265); + +var msg14269 = msg("11823", dup265); + +var msg14270 = msg("11824", dup265); + +var msg14271 = msg("11825", dup265); + +var msg14272 = msg("11826", dup265); + +var msg14273 = msg("11827", dup265); + +var msg14274 = msg("11828", dup265); + +var msg14275 = msg("11829", dup265); + +var msg14276 = msg("11830", dup265); + +var msg14277 = msg("11831", dup265); + +var msg14278 = msg("11832", dup265); + +var msg14279 = msg("11833", dup265); + +var msg14280 = msg("11834", dup265); + +var msg14281 = msg("11835", dup196); + +var msg14282 = msg("11836", dup196); + +var msg14283 = msg("11837", dup250); + +var msg14284 = msg("11838", dup267); + +var msg14285 = msg("11839", dup265); + +var msg14286 = msg("11840", dup265); + +var msg14287 = msg("11841", dup265); + +var msg14288 = msg("11842", dup265); + +var msg14289 = msg("11843", dup276); + +var msg14290 = msg("11844", dup276); + +var msg14291 = msg("11845", dup276); + +var msg14292 = msg("11846", dup276); + +var msg14293 = msg("11847", dup276); + +var msg14294 = msg("11848", dup276); + +var msg14295 = msg("11849", dup276); + +var msg14296 = msg("11850", dup276); + +var msg14297 = msg("11851", dup276); + +var msg14298 = msg("11852", dup276); + +var msg14299 = msg("11853", dup276); + +var msg14300 = msg("11854", dup276); + +var msg14301 = msg("11855", dup276); + +var msg14302 = msg("11856", dup276); + +var msg14303 = msg("11857", dup276); + +var msg14304 = msg("11858", dup276); + +var msg14305 = msg("11859", dup276); + +var msg14306 = msg("11860", dup276); + +var msg14307 = msg("11861", dup276); + +var msg14308 = msg("11862", dup276); + +var msg14309 = msg("11863", dup276); + +var msg14310 = msg("11864", dup276); + +var msg14311 = msg("11865", dup276); + +var msg14312 = msg("11866", dup276); + +var msg14313 = msg("11867", dup276); + +var msg14314 = msg("11868", dup276); + +var msg14315 = msg("11869", dup276); + +var msg14316 = msg("11870", dup276); + +var msg14317 = msg("11871", dup276); + +var msg14318 = msg("11872", dup276); + +var msg14319 = msg("11873", dup276); + +var msg14320 = msg("11874", dup276); + +var msg14321 = msg("11875", dup276); + +var msg14322 = msg("11876", dup276); + +var msg14323 = msg("11877", dup276); + +var msg14324 = msg("11878", dup276); + +var msg14325 = msg("11879", dup276); + +var msg14326 = msg("11880", dup276); + +var msg14327 = msg("11881", dup276); + +var msg14328 = msg("11882", dup276); + +var msg14329 = msg("11883", dup276); + +var msg14330 = msg("11884", dup276); + +var msg14331 = msg("11885", dup276); + +var msg14332 = msg("11886", dup276); + +var msg14333 = msg("11887", dup276); + +var msg14334 = msg("11888", dup276); + +var msg14335 = msg("11889", dup276); + +var msg14336 = msg("11890", dup276); + +var msg14337 = msg("11891", dup276); + +var msg14338 = msg("11892", dup276); + +var msg14339 = msg("11893", dup276); + +var msg14340 = msg("11894", dup276); + +var msg14341 = msg("11895", dup276); + +var msg14342 = msg("11896", dup276); + +var msg14343 = msg("11897", dup276); + +var msg14344 = msg("11898", dup276); + +var msg14345 = msg("11899", dup276); + +var msg14346 = msg("11900", dup276); + +var msg14347 = msg("11901", dup276); + +var msg14348 = msg("11902", dup276); + +var msg14349 = msg("11903", dup276); + +var msg14350 = msg("11904", dup276); + +var msg14351 = msg("11905", dup276); + +var msg14352 = msg("11906", dup276); + +var msg14353 = msg("11907", dup276); + +var msg14354 = msg("11908", dup276); + +var msg14355 = msg("11909", dup276); + +var msg14356 = msg("11910", dup276); + +var msg14357 = msg("11911", dup276); + +var msg14358 = msg("11912", dup276); + +var msg14359 = msg("11913", dup276); + +var msg14360 = msg("11914", dup276); + +var msg14361 = msg("11915", dup276); + +var msg14362 = msg("11916", dup276); + +var msg14363 = msg("11917", dup276); + +var msg14364 = msg("11918", dup276); + +var msg14365 = msg("11919", dup276); + +var msg14366 = msg("11920", dup276); + +var msg14367 = msg("11921", dup276); + +var msg14368 = msg("11922", dup276); + +var msg14369 = msg("11923", dup276); + +var msg14370 = msg("11924", dup276); + +var msg14371 = msg("11925", dup276); + +var msg14372 = msg("11926", dup276); + +var msg14373 = msg("11927", dup276); + +var msg14374 = msg("11928", dup276); + +var msg14375 = msg("11929", dup276); + +var msg14376 = msg("11930", dup276); + +var msg14377 = msg("11931", dup276); + +var msg14378 = msg("11932", dup276); + +var msg14379 = msg("11933", dup276); + +var msg14380 = msg("11934", dup276); + +var msg14381 = msg("11935", dup276); + +var msg14382 = msg("11936", dup276); + +var msg14383 = msg("11937", dup276); + +var msg14384 = msg("11938", dup276); + +var msg14385 = msg("11939", dup265); + +var msg14386 = msg("11940", dup265); + +var msg14387 = msg("11941", dup265); + +var msg14388 = msg("11942", dup265); + +var msg14389 = msg("11943", dup265); + +var msg14390 = msg("11944", dup265); + +var msg14391 = msg("11945", dup276); + +var msg14392 = msg("11946", dup196); + +var msg14393 = msg("11947", dup196); + +var msg14394 = msg("11948", dup303); + +var msg14395 = msg("11949", dup192); + +var msg14396 = msg("11950", dup192); + +var msg14397 = msg("11951", dup192); + +var msg14398 = msg("11952", dup192); + +var msg14399 = msg("11953", dup192); + +var msg14400 = msg("11954", dup192); + +var msg14401 = msg("11955", dup276); + +var msg14402 = msg("11956", dup276); + +var msg14403 = msg("11957", dup276); + +var msg14404 = msg("11958", dup276); + +var msg14405 = msg("11959", dup276); + +var msg14406 = msg("11960", dup276); + +var msg14407 = msg("11961", dup276); + +var msg14408 = msg("11962", dup276); + +var msg14409 = msg("11963", dup276); + +var msg14410 = msg("11964", dup276); + +var msg14411 = msg("11965", dup265); + +var msg14412 = msg("11966", dup265); + +var msg14413 = msg("11967", dup265); + +var msg14414 = msg("11968", dup196); + +var msg14415 = msg("11969", dup273); + +var msg14416 = msg("11970", dup198); + +var msg14417 = msg("11971", dup201); + +var msg14418 = msg("11972", dup196); + +var msg14419 = msg("11973", dup201); + +var msg14420 = msg("11974", dup287); + +var msg14421 = msg("11975", dup196); + +var msg14422 = msg("11976", dup197); + +var msg14423 = msg("11977", dup197); + +var msg14424 = msg("11978", dup201); + +var msg14425 = msg("11979", dup196); + +var msg14426 = msg("11980", dup201); + +var msg14427 = msg("11981", dup201); + +var msg14428 = msg("11982", dup196); + +var msg14429 = msg("11983", dup196); + +var msg14430 = msg("11984", dup196); + +var msg14431 = msg("11985", dup201); + +var msg14432 = msg("11986", dup287); + +var msg14433 = msg("11987", dup287); + +var msg14434 = msg("11988", dup287); + +var msg14435 = msg("11989", dup287); + +var msg14436 = msg("11990", dup287); + +var msg14437 = msg("11991", dup287); + +var msg14438 = msg("11992", dup297); + +var msg14439 = msg("11993", dup287); + +var msg14440 = msg("11994", dup287); + +var msg14441 = msg("11995", dup297); + +var msg14442 = msg("11996", dup287); + +var msg14443 = msg("11997", dup287); + +var msg14444 = msg("11998", dup287); + +var msg14445 = msg("11999", dup287); + +var msg14446 = msg("12000", dup196); + +var msg14447 = msg("12001", dup201); + +var msg14448 = msg("12002", dup197); + +var msg14449 = msg("12003", dup197); + +var msg14450 = msg("12004", dup196); + +var msg14451 = msg("12005", dup196); + +var msg14452 = msg("12006", dup196); + +var msg14453 = msg("12007", dup273); + +var msg14454 = msg("12008", dup287); + +var msg14455 = msg("12009", dup197); + +var msg14456 = msg("12010", dup265); + +var msg14457 = msg("12011", dup265); + +var msg14458 = msg("12012", dup265); + +var msg14459 = msg("12013", dup265); + +var msg14460 = msg("12014", dup265); + +var msg14461 = msg("12015", dup265); + +var msg14462 = msg("12016", dup265); + +var msg14463 = msg("12017", dup265); + +var msg14464 = msg("12018", dup265); + +var msg14465 = msg("12019", dup265); + +var msg14466 = msg("12020", dup265); + +var msg14467 = msg("12021", dup265); + +var msg14468 = msg("12022", dup265); + +var msg14469 = msg("12023", dup265); + +var msg14470 = msg("12024", dup265); + +var msg14471 = msg("12025", dup265); + +var msg14472 = msg("12026", dup265); + +var msg14473 = msg("12027", dup260); + +var msg14474 = msg("12028", dup250); + +var msg14475 = msg("12029", dup265); + +var msg14476 = msg("12030", dup265); + +var msg14477 = msg("12031", dup197); + +var msg14478 = msg("12032", dup197); + +var msg14479 = msg("12033", dup197); + +var msg14480 = msg("12034", dup197); + +var msg14481 = msg("12035", dup197); + +var msg14482 = msg("12036", dup197); + +var msg14483 = msg("12037", dup197); + +var msg14484 = msg("12038", dup197); + +var msg14485 = msg("12039", dup197); + +var msg14486 = msg("12040", dup197); + +var msg14487 = msg("12041", dup197); + +var msg14488 = msg("12042", dup197); + +var msg14489 = msg("12043", dup198); + +var msg14490 = msg("12044", dup198); + +var msg14491 = msg("12045", dup198); + +var msg14492 = msg("12046", dup273); + +var msg14493 = msg("12047", dup303); + +var msg14494 = msg("12048", dup303); + +var msg14495 = msg("12049", dup303); + +var msg14496 = msg("12050", dup303); + +var msg14497 = msg("12051", dup192); + +var msg14498 = msg("12052", dup192); + +var msg14499 = msg("12053", dup192); + +var msg14500 = msg("12054", dup192); + +var msg14501 = msg("12055", dup192); + +var msg14502 = msg("12056", dup267); + +var msg14503 = msg("12057", dup265); + +var msg14504 = msg("12058", dup222); + +var msg14505 = msg("12059", dup240); + +var msg14506 = msg("12060", dup240); + +var msg14507 = msg("12061", dup287); + +var msg14508 = msg("12062", dup265); + +var msg14509 = msg("12063", dup265); + +var msg14510 = msg("12064", dup265); + +var msg14511 = msg("12065", dup196); + +var msg14512 = msg("12066", dup196); + +var msg14513 = msg("12067", dup196); + +var msg14514 = msg("12068", dup196); + +var msg14515 = msg("12069", dup196); + +var msg14516 = msg("12070", dup196); + +var msg14517 = msg("12072", dup287); + +var msg14518 = msg("12073", dup196); + +var msg14519 = msg("12074", dup196); + +var msg14520 = msg("12075", dup269); + +var msg14521 = msg("12076", dup198); + +var msg14522 = msg("12077", dup192); + +var msg14523 = msg("12078", dup197); + +var msg14524 = msg("12079", dup197); + +var msg14525 = msg("12080", dup196); + +var msg14526 = msg("12081", dup222); + +var msg14527 = msg("12082", dup198); + +var msg14528 = msg("12083", dup265); + +var msg14529 = msg("12084", dup265); + +var msg14530 = msg("12085", dup265); + +var msg14531 = msg("12086", dup265); + +var msg14532 = msg("12087", dup265); + +var msg14533 = msg("12088", dup265); + +var msg14534 = msg("12089", dup265); + +var msg14535 = msg("12090", dup265); + +var msg14536 = msg("12091", dup198); + +var msg14537 = msg("12092", dup198); + +var msg14538 = msg("12093", dup198); + +var msg14539 = msg("12094", dup198); + +var msg14540 = msg("12095", dup265); + +var msg14541 = msg("12096", dup265); + +var msg14542 = msg("12097", dup265); + +var msg14543 = msg("12098", dup265); + +var msg14544 = msg("12099", dup269); + +var msg14545 = msg("12100", dup276); + +var msg14546 = msg("12101", dup276); + +var msg14547 = msg("12102", dup276); + +var msg14548 = msg("12103", dup276); + +var msg14549 = msg("12104", dup276); + +var msg14550 = msg("12105", dup276); + +var msg14551 = msg("12106", dup276); + +var msg14552 = msg("12107", dup276); + +var msg14553 = msg("12108", dup276); + +var msg14554 = msg("12109", dup276); + +var msg14555 = msg("12110", dup276); + +var msg14556 = msg("12111", dup276); + +var msg14557 = msg("12112", dup194); + +var msg14558 = msg("12113", dup197); + +var msg14559 = msg("12114", dup201); + +var msg14560 = msg("12115", dup201); + +var msg14561 = msg("12116", dup265); + +var msg14562 = msg("12117", dup265); + +var msg14563 = msg("12118", dup265); + +var msg14564 = msg("12119", dup265); + +var msg14565 = msg("12120", dup303); + +var msg14566 = msg("12121", dup303); + +var msg14567 = msg("12122", dup303); + +var msg14568 = msg("12123", dup303); + +var msg14569 = msg("12124", dup303); + +var msg14570 = msg("12125", dup303); + +var msg14571 = msg("12126", dup303); + +var msg14572 = msg("12127", dup303); + +var msg14573 = msg("12128", dup303); + +var msg14574 = msg("12129", dup303); + +var msg14575 = msg("12130", dup303); + +var msg14576 = msg("12131", dup303); + +var msg14577 = msg("12132", dup303); + +var msg14578 = msg("12133", dup303); + +var msg14579 = msg("12134", dup303); + +var msg14580 = msg("12135", dup303); + +var msg14581 = msg("12136", dup303); + +var msg14582 = msg("12137", dup303); + +var msg14583 = msg("12138", dup303); + +var msg14584 = msg("12139", dup303); + +var msg14585 = msg("12140", dup303); + +var msg14586 = msg("12141", dup303); + +var msg14587 = msg("12142", dup192); + +var msg14588 = msg("12143", dup192); + +var msg14589 = msg("12144", dup192); + +var msg14590 = msg("12145", dup192); + +var msg14591 = msg("12146", dup192); + +var msg14592 = msg("12147", dup192); + +var msg14593 = msg("12148", dup192); + +var msg14594 = msg("12149", dup192); + +var msg14595 = msg("12150", dup192); + +var msg14596 = msg("12151", dup192); + +var msg14597 = msg("12152", dup192); + +var msg14598 = msg("12153", dup192); + +var msg14599 = msg("12154", dup192); + +var msg14600 = msg("12155", dup192); + +var msg14601 = msg("12156", dup192); + +var msg14602 = msg("12157", dup192); + +var msg14603 = msg("12158", dup192); + +var msg14604 = msg("12159", dup192); + +var msg14605 = msg("12160", dup192); + +var msg14606 = msg("12161", dup192); + +var msg14607 = msg("12162", dup192); + +var msg14608 = msg("12163", dup192); + +var msg14609 = msg("12164", dup192); + +var msg14610 = msg("12165", dup192); + +var msg14611 = msg("12166", dup192); + +var msg14612 = msg("12167", dup196); + +var msg14613 = msg("12168", dup265); + +var msg14614 = msg("12169", dup265); + +var msg14615 = msg("12170", dup287); + +var msg14616 = msg("12171", dup287); + +var msg14617 = msg("12172", dup196); + +var msg14618 = msg("12173", dup196); + +var msg14619 = msg("12174", dup196); + +var msg14620 = msg("12175", dup196); + +var msg14621 = msg("12176", dup196); + +var msg14622 = msg("12177", dup196); + +var msg14623 = msg("12178", dup196); + +var msg14624 = msg("12179", dup196); + +var msg14625 = msg("12180", dup196); + +var msg14626 = msg("12181", dup196); + +var msg14627 = msg("12182", dup196); + +var msg14628 = msg("12183", dup197); + +var msg14629 = msg("12184", dup269); + +var msg14630 = msg("12185", dup287); + +var msg14631 = msg("12186", dup258); + +var msg14632 = msg("12187", dup287); + +var msg14633 = msg("12188", dup253); + +var msg14634 = msg("12189", dup265); + +var msg14635 = msg("12190", dup265); + +var msg14636 = msg("12191", dup265); + +var msg14637 = msg("12192", dup265); + +var msg14638 = msg("12193", dup265); + +var msg14639 = msg("12194", dup265); + +var msg14640 = msg("12195", dup265); + +var msg14641 = msg("12196", dup265); + +var msg14642 = msg("12197", dup222); + +var msg14643 = msg("12198", dup242); + +var msg14644 = msg("12199", dup198); + +var msg14645 = msg("12200", dup265); + +var msg14646 = msg("12201", dup265); + +var msg14647 = msg("12202", dup222); + +var msg14648 = msg("12203", dup265); + +var msg14649 = msg("12204", dup265); + +var msg14650 = msg("12205", dup265); + +var msg14651 = msg("12206", dup265); + +var msg14652 = msg("12207", dup265); + +var msg14653 = msg("12208", dup265); + +var msg14654 = msg("12209", dup196); + +var msg14655 = msg("12210", dup287); + +var msg14656 = msg("12211", dup287); + +var msg14657 = msg("12212", dup201); + +var msg14658 = msg("12213", dup201); + +var msg14659 = msg("12214", dup201); + +var msg14660 = msg("12215", dup201); + +var msg14661 = msg("12216", dup222); + +var msg14662 = msg("12217", dup222); + +var msg14663 = msg("12218", dup222); + +var msg14664 = msg("12219", dup197); + +var msg14665 = msg("12220", dup196); + +var msg14666 = msg("12221", dup265); + +var msg14667 = msg("12222", dup196); + +var msg14668 = msg("12223", dup196); + +var msg14669 = msg("12224", dup303); + +var msg14670 = msg("12225", dup303); + +var msg14671 = msg("12226", dup303); + +var msg14672 = msg("12227", dup303); + +var msg14673 = msg("12228", dup303); + +var msg14674 = msg("12229", dup303); + +var msg14675 = msg("12230", dup303); + +var msg14676 = msg("12231", dup303); + +var msg14677 = msg("12232", dup303); + +var msg14678 = msg("12233", dup192); + +var msg14679 = msg("12234", dup192); + +var msg14680 = msg("12235", dup192); + +var msg14681 = msg("12236", dup192); + +var msg14682 = msg("12237", dup192); + +var msg14683 = msg("12238", dup192); + +var msg14684 = msg("12239", dup192); + +var msg14685 = msg("12240", dup192); + +var msg14686 = msg("12241", dup192); + +var msg14687 = msg("12242", dup192); + +var msg14688 = msg("12243", dup192); + +var msg14689 = msg("12244", dup192); + +var msg14690 = msg("12245", dup192); + +var msg14691 = msg("12246", dup265); + +var msg14692 = msg("12247", dup265); + +var msg14693 = msg("12248", dup265); + +var msg14694 = msg("12249", dup265); + +var msg14695 = msg("12250", dup265); + +var msg14696 = msg("12251", dup265); + +var msg14697 = msg("12252", dup265); + +var msg14698 = msg("12253", dup265); + +var msg14699 = msg("12254", dup196); + +var msg14700 = msg("12255", dup265); + +var msg14701 = msg("12256", dup196); + +var msg14702 = msg("12257", dup265); + +var msg14703 = msg("12258", dup265); + +var msg14704 = msg("12259", dup265); + +var msg14705 = msg("12260", dup265); + +var msg14706 = msg("12261", dup265); + +var msg14707 = msg("12262", dup265); + +var msg14708 = msg("12263", dup265); + +var msg14709 = msg("12264", dup265); + +var msg14710 = msg("12265", dup265); + +var msg14711 = msg("12266", dup265); + +var msg14712 = msg("12267", dup265); + +var msg14713 = msg("12268", dup265); + +var msg14714 = msg("12269", dup265); + +var msg14715 = msg("12270", dup265); + +var msg14716 = msg("12271", dup265); + +var msg14717 = msg("12272", dup265); + +var msg14718 = msg("12273", dup265); + +var msg14719 = msg("12274", dup265); + +var msg14720 = msg("12275", dup265); + +var msg14721 = msg("12276", dup265); + +var msg14722 = msg("12277", dup196); + +var msg14723 = msg("12278", dup196); + +var msg14724 = msg("12279", dup197); + +var msg14725 = msg("12280", dup196); + +var msg14726 = msg("12281", dup196); + +var msg14727 = msg("12282", dup196); + +var msg14728 = msg("12283", dup196); + +var msg14729 = msg("12284", dup267); + +var msg14730 = msg("12285", dup196); + +var msg14731 = msg("12286", dup267); + +var msg14732 = msg("12287", dup303); + +var msg14733 = msg("12288", dup303); + +var msg14734 = msg("12289", dup303); + +var msg14735 = msg("12290", dup303); + +var msg14736 = msg("12291", dup303); + +var msg14737 = msg("12292", dup303); + +var msg14738 = msg("12293", dup303); + +var msg14739 = msg("12294", dup303); + +var msg14740 = msg("12295", dup303); + +var msg14741 = msg("12296", dup303); + +var msg14742 = msg("12297", dup192); + +var msg14743 = msg("12298", dup192); + +var msg14744 = msg("12299", dup196); + +var msg14745 = msg("12300", dup196); + +var msg14746 = msg("12301", dup265); + +var msg14747 = msg("12302", dup265); + +var msg14748 = msg("12303", dup196); + +var msg14749 = msg("12304", dup196); + +var msg14750 = msg("12305", dup196); + +var msg14751 = msg("12306", dup196); + +var msg14752 = msg("12307", dup276); + +var msg14753 = msg("12308", dup276); + +var msg14754 = msg("12309", dup276); + +var msg14755 = msg("12310", dup276); + +var msg14756 = msg("12311", dup276); + +var msg14757 = msg("12312", dup276); + +var msg14758 = msg("12313", dup276); + +var msg14759 = msg("12314", dup276); + +var msg14760 = msg("12315", dup276); + +var msg14761 = msg("12316", dup276); + +var msg14762 = msg("12317", dup276); + +var msg14763 = msg("12318", dup276); + +var msg14764 = msg("12319", dup276); + +var msg14765 = msg("12320", dup276); + +var msg14766 = msg("12321", dup276); + +var msg14767 = msg("12322", dup276); + +var msg14768 = msg("12323", dup276); + +var msg14769 = msg("12324", dup276); + +var msg14770 = msg("12325", dup276); + +var msg14771 = msg("12326", dup276); + +var msg14772 = msg("12327", dup276); + +var msg14773 = msg("12328", dup276); + +var msg14774 = msg("12329", dup276); + +var msg14775 = msg("12330", dup276); + +var msg14776 = msg("12331", dup276); + +var msg14777 = msg("12332", dup276); + +var msg14778 = msg("12333", dup276); + +var msg14779 = msg("12334", dup276); + +var msg14780 = msg("12335", dup276); + +var msg14781 = msg("12336", dup276); + +var msg14782 = msg("12337", dup276); + +var msg14783 = msg("12338", dup276); + +var msg14784 = msg("12339", dup276); + +var msg14785 = msg("12340", dup276); + +var msg14786 = msg("12341", dup276); + +var msg14787 = msg("12342", dup276); + +var msg14788 = msg("12343", dup276); + +var msg14789 = msg("12344", dup276); + +var msg14790 = msg("12345", dup276); + +var msg14791 = msg("12346", dup276); + +var msg14792 = msg("12347", dup276); + +var msg14793 = msg("12348", dup276); + +var msg14794 = msg("12349", dup276); + +var msg14795 = msg("12350", dup276); + +var msg14796 = msg("12351", dup276); + +var msg14797 = msg("12352", dup276); + +var msg14798 = msg("12353", dup276); + +var msg14799 = msg("12354", dup276); + +var msg14800 = msg("12355", dup276); + +var msg14801 = msg("12356", dup276); + +var msg14802 = msg("12357", dup196); + +var msg14803 = msg("12358", dup197); + +var msg14804 = msg("12359", dup197); + +var msg14805 = msg("12360", dup267); + +var msg14806 = msg("12361", dup303); + +var msg14807 = msg("12362", dup197); + +var msg14808 = msg("12363", dup303); + +var msg14809 = msg("12364", dup303); + +var msg14810 = msg("12365", dup303); + +var msg14811 = msg("12366", dup303); + +var msg14812 = msg("12367", dup303); + +var msg14813 = msg("12368", dup303); + +var msg14814 = msg("12369", dup303); + +var msg14815 = msg("12370", dup303); + +var msg14816 = msg("12371", dup303); + +var msg14817 = msg("12372", dup303); + +var msg14818 = msg("12373", dup192); + +var msg14819 = msg("12374", dup192); + +var msg14820 = msg("12375", dup192); + +var msg14821 = msg("12376", dup192); + +var msg14822 = msg("12377", dup192); + +var msg14823 = msg("12378", dup192); + +var msg14824 = msg("12379", dup303); + +var msg14825 = msg("12380", dup265); + +var msg14826 = msg("12381", dup265); + +var msg14827 = msg("12382", dup265); + +var msg14828 = msg("12383", dup265); + +var msg14829 = msg("12384", dup265); + +var msg14830 = msg("12385", dup265); + +var msg14831 = msg("12386", dup265); + +var msg14832 = msg("12387", dup265); + +var msg14833 = msg("12388", dup265); + +var msg14834 = msg("12389", dup265); + +var msg14835 = msg("12390", dup196); + +var msg14836 = msg("12391", dup196); + +var msg14837 = msg("12392", dup196); + +var msg14838 = msg("12393", dup265); + +var msg14839 = msg("12394", dup265); + +var msg14840 = msg("12395", dup265); + +var msg14841 = msg("12396", dup265); + +var msg14842 = msg("12397", dup265); + +var msg14843 = msg("12398", dup265); + +var msg14844 = msg("12399", dup265); + +var msg14845 = msg("12400", dup265); + +var msg14846 = msg("12401", dup265); + +var msg14847 = msg("12402", dup265); + +var msg14848 = msg("12403", dup265); + +var msg14849 = msg("12404", dup265); + +var msg14850 = msg("12405", dup265); + +var msg14851 = msg("12406", dup265); + +var msg14852 = msg("12407", dup265); + +var msg14853 = msg("12408", dup265); + +var msg14854 = msg("12409", dup265); + +var msg14855 = msg("12410", dup265); + +var msg14856 = msg("12411", dup265); + +var msg14857 = msg("12412", dup265); + +var msg14858 = msg("12413", dup265); + +var msg14859 = msg("12414", dup265); + +var msg14860 = msg("12415", dup265); + +var msg14861 = msg("12416", dup265); + +var msg14862 = msg("12417", dup265); + +var msg14863 = msg("12418", dup265); + +var msg14864 = msg("12419", dup265); + +var msg14865 = msg("12420", dup265); + +var msg14866 = msg("12421", dup196); + +var msg14867 = msg("12422", dup196); + +var msg14868 = msg("12423", dup250); + +var msg14869 = msg("12424", dup222); + +var msg14870 = msg("12425", dup196); + +var msg14871 = msg("12426", dup196); + +var msg14872 = msg("12427", dup196); + +var msg14873 = msg("12428", dup265); + +var msg14874 = msg("12429", dup265); + +var msg14875 = msg("12430", dup265); + +var msg14876 = msg("12431", dup265); + +var msg14877 = msg("12432", dup265); + +var msg14878 = msg("12433", dup265); + +var msg14879 = msg("12434", dup265); + +var msg14880 = msg("12435", dup265); + +var msg14881 = msg("12436", dup196); + +var msg14882 = msg("12437", dup196); + +var msg14883 = msg("12438", dup265); + +var msg14884 = msg("12439", dup265); + +var msg14885 = msg("12440", dup265); + +var msg14886 = msg("12441", dup265); + +var msg14887 = msg("12442", dup265); + +var msg14888 = msg("12443", dup265); + +var msg14889 = msg("12444", dup240); + +var msg14890 = msg("12445", dup240); + +var msg14891 = msg("12446", dup240); + +var msg14892 = msg("12447", dup240); + +var msg14893 = msg("12448", dup265); + +var msg14894 = msg("12449", dup265); + +var msg14895 = msg("12450", dup265); + +var msg14896 = msg("12451", dup265); + +var msg14897 = msg("12452", dup265); + +var msg14898 = msg("12453", dup265); + +var msg14899 = msg("12454", dup196); + +var msg14900 = msg("12455", dup196); + +var msg14901 = msg("12456", dup196); + +var msg14902 = msg("12457", dup196); + +var msg14903 = msg("12458", dup287); + +var msg14904 = msg("12459", dup265); + +var msg14905 = msg("12460", dup265); + +var msg14906 = msg("12461", dup265); + +var msg14907 = msg("12462", dup265); + +var msg14908 = msg("12463", dup222); + +var msg14909 = msg("12464", dup222); + +var msg14910 = msg("12465", dup196); + +var msg14911 = msg("12466", dup265); + +var msg14912 = msg("12467", dup265); + +var msg14913 = msg("12468", dup265); + +var msg14914 = msg("12469", dup265); + +var msg14915 = msg("12470", dup265); + +var msg14916 = msg("12471", dup265); + +var msg14917 = msg("12472", dup265); + +var msg14918 = msg("12473", dup265); + +var msg14919 = msg("12474", dup265); + +var msg14920 = msg("12475", dup265); + +var msg14921 = msg("12476", dup265); + +var msg14922 = msg("12477", dup265); + +var msg14923 = msg("12478", dup265); + +var msg14924 = msg("12479", dup265); + +var msg14925 = msg("12480", dup303); + +var msg14926 = msg("12481", dup303); + +var msg14927 = msg("12482", dup303); + +var msg14928 = msg("12483", dup303); + +var msg14929 = msg("12484", dup303); + +var msg14930 = msg("12485", dup303); + +var msg14931 = msg("12486", dup303); + +var msg14932 = msg("12487", dup303); + +var msg14933 = msg("12488", dup303); + +var msg14934 = msg("12489", dup276); + +var msg14935 = msg("12490", dup276); + +var msg14936 = msg("12491", dup276); + +var msg14937 = msg("12492", dup276); + +var msg14938 = msg("12493", dup276); + +var msg14939 = msg("12494", dup276); + +var msg14940 = msg("12495", dup276); + +var msg14941 = msg("12496", dup276); + +var msg14942 = msg("12497", dup276); + +var msg14943 = msg("12498", dup276); + +var msg14944 = msg("12499", dup276); + +var msg14945 = msg("12500", dup276); + +var msg14946 = msg("12501", dup276); + +var msg14947 = msg("12502", dup276); + +var msg14948 = msg("12503", dup276); + +var msg14949 = msg("12504", dup276); + +var msg14950 = msg("12505", dup276); + +var msg14951 = msg("12506", dup276); + +var msg14952 = msg("12507", dup276); + +var msg14953 = msg("12508", dup276); + +var msg14954 = msg("12509", dup276); + +var msg14955 = msg("12510", dup276); + +var msg14956 = msg("12511", dup276); + +var msg14957 = msg("12512", dup276); + +var msg14958 = msg("12513", dup276); + +var msg14959 = msg("12514", dup276); + +var msg14960 = msg("12515", dup276); + +var msg14961 = msg("12516", dup276); + +var msg14962 = msg("12517", dup276); + +var msg14963 = msg("12518", dup276); + +var msg14964 = msg("12519", dup276); + +var msg14965 = msg("12520", dup276); + +var msg14966 = msg("12521", dup276); + +var msg14967 = msg("12522", dup276); + +var msg14968 = msg("12523", dup276); + +var msg14969 = msg("12524", dup276); + +var msg14970 = msg("12525", dup276); + +var msg14971 = msg("12526", dup276); + +var msg14972 = msg("12527", dup276); + +var msg14973 = msg("12528", dup276); + +var msg14974 = msg("12529", dup276); + +var msg14975 = msg("12530", dup276); + +var msg14976 = msg("12531", dup276); + +var msg14977 = msg("12532", dup276); + +var msg14978 = msg("12533", dup276); + +var msg14979 = msg("12534", dup276); + +var msg14980 = msg("12535", dup276); + +var msg14981 = msg("12536", dup276); + +var msg14982 = msg("12537", dup276); + +var msg14983 = msg("12538", dup276); + +var msg14984 = msg("12539", dup276); + +var msg14985 = msg("12540", dup276); + +var msg14986 = msg("12541", dup276); + +var msg14987 = msg("12542", dup276); + +var msg14988 = msg("12543", dup276); + +var msg14989 = msg("12544", dup276); + +var msg14990 = msg("12545", dup276); + +var msg14991 = msg("12546", dup276); + +var msg14992 = msg("12547", dup276); + +var msg14993 = msg("12548", dup276); + +var msg14994 = msg("12549", dup276); + +var msg14995 = msg("12550", dup276); + +var msg14996 = msg("12551", dup276); + +var msg14997 = msg("12552", dup276); + +var msg14998 = msg("12553", dup276); + +var msg14999 = msg("12554", dup276); + +var msg15000 = msg("12555", dup276); + +var msg15001 = msg("12556", dup276); + +var msg15002 = msg("12557", dup276); + +var msg15003 = msg("12558", dup276); + +var msg15004 = msg("12559", dup276); + +var msg15005 = msg("12560", dup276); + +var msg15006 = msg("12561", dup276); + +var msg15007 = msg("12562", dup276); + +var msg15008 = msg("12563", dup276); + +var msg15009 = msg("12564", dup276); + +var msg15010 = msg("12565", dup276); + +var msg15011 = msg("12566", dup276); + +var msg15012 = msg("12567", dup276); + +var msg15013 = msg("12568", dup276); + +var msg15014 = msg("12569", dup276); + +var msg15015 = msg("12570", dup276); + +var msg15016 = msg("12571", dup276); + +var msg15017 = msg("12572", dup276); + +var msg15018 = msg("12573", dup276); + +var msg15019 = msg("12574", dup276); + +var msg15020 = msg("12575", dup276); + +var msg15021 = msg("12576", dup276); + +var msg15022 = msg("12577", dup276); + +var msg15023 = msg("12578", dup276); + +var msg15024 = msg("12579", dup276); + +var msg15025 = msg("12580", dup276); + +var msg15026 = msg("12581", dup276); + +var msg15027 = msg("12582", dup276); + +var msg15028 = msg("12583", dup276); + +var msg15029 = msg("12584", dup276); + +var msg15030 = msg("12585", dup276); + +var msg15031 = msg("12586", dup276); + +var msg15032 = msg("12587", dup276); + +var msg15033 = msg("12588", dup276); + +var msg15034 = msg("12589", dup276); + +var msg15035 = msg("12590", dup276); + +var msg15036 = msg("12591", dup198); + +var msg15037 = msg("12592", dup201); + +var msg15038 = msg("12593", dup196); + +var msg15039 = msg("12594", dup198); + +var msg15040 = msg("12595", dup269); + +var msg15041 = msg("12596", dup222); + +var msg15042 = msg("12597", dup198); + +var msg15043 = msg("12598", dup265); + +var msg15044 = msg("12599", dup265); + +var msg15045 = msg("12600", dup265); + +var msg15046 = msg("12601", dup265); + +var msg15047 = msg("12602", dup265); + +var msg15048 = msg("12603", dup265); + +var msg15049 = msg("12604", dup265); + +var msg15050 = msg("12605", dup265); + +var msg15051 = msg("12606", dup265); + +var msg15052 = msg("12607", dup265); + +var msg15053 = msg("12608", dup258); + +var msg15054 = msg("12609", dup258); + +var msg15055 = msg("12610", dup302); + +var msg15056 = msg("12611", dup196); + +var msg15057 = msg("12612", dup265); + +var msg15058 = msg("12613", dup265); + +var msg15059 = msg("12614", dup265); + +var msg15060 = msg("12615", dup265); + +var msg15061 = msg("12616", dup265); + +var msg15062 = msg("12617", dup265); + +var msg15063 = msg("12618", dup267); + +var msg15064 = msg("12619", dup196); + +var msg15065 = msg("12620", dup303); + +var msg15066 = msg("12621", dup303); + +var msg15067 = msg("12622", dup303); + +var msg15068 = msg("12623", dup303); + +var msg15069 = msg("12624", dup303); + +var msg15070 = msg("12625", dup303); + +var msg15071 = msg("12626", dup258); + +var msg15072 = msg("12627", dup287); + +var msg15073 = msg("12628", dup258); + +var msg15074 = msg("12629", dup265); + +var msg15075 = msg("12630", dup196); + +var msg15076 = msg("12631", dup196); + +var msg15077 = msg("12632", dup196); + +var msg15078 = msg("12633", dup196); + +var msg15079 = msg("12634", dup196); + +var msg15080 = msg("12635", dup198); + +var msg15081 = msg("12636", dup222); + +var msg15082 = msg("12637", dup194); + +var msg15083 = msg("12638", dup194); + +var msg15084 = msg("12639", dup194); + +var msg15085 = msg("12640", dup194); + +var msg15086 = msg("12641", dup196); + +var msg15087 = msg("12642", dup198); + +var msg15088 = msg("12643", dup265); + +var msg15089 = msg("12644", dup265); + +var msg15090 = msg("12645", dup265); + +var msg15091 = msg("12646", dup265); + +var msg15092 = msg("12647", dup265); + +var msg15093 = msg("12648", dup265); + +var msg15094 = msg("12649", dup265); + +var msg15095 = msg("12650", dup265); + +var msg15096 = msg("12651", dup265); + +var msg15097 = msg("12652", dup303); + +var msg15098 = msg("12653", dup303); + +var msg15099 = msg("12654", dup303); + +var msg15100 = msg("12655", dup303); + +var msg15101 = msg("12656", dup303); + +var msg15102 = msg("12657", dup303); + +var msg15103 = msg("12658", dup303); + +var msg15104 = msg("12659", dup303); + +var msg15105 = msg("12660", dup303); + +var msg15106 = msg("12661", dup192); + +var msg15107 = msg("12663", dup265); + +var msg15108 = msg("12664", dup196); + +var msg15109 = msg("12665", dup222); + +var msg15110 = msg("12666", dup222); + +var msg15111 = msg("12667", dup269); + +var msg15112 = msg("12668", dup265); + +var msg15113 = msg("12669", dup265); + +var msg15114 = msg("12670", dup265); + +var msg15115 = msg("12671", dup265); + +var msg15116 = msg("12672", dup303); + +var msg15117 = msg("12673", dup303); + +var msg15118 = msg("12674", dup303); + +var msg15119 = msg("12675", dup192); + +var msg15120 = msg("12676", dup303); + +var msg15121 = msg("12677", dup303); + +var msg15122 = msg("12678", dup303); + +var msg15123 = msg("12679", dup303); + +var msg15124 = msg("12680", dup201); + +var msg15125 = msg("12681", dup197); + +var msg15126 = msg("12682", dup201); + +var msg15127 = msg("12683", dup201); + +var msg15128 = msg("12684", dup192); + +var msg15129 = msg("12685", dup197); + +var msg15130 = msg("12686", dup196); + +var msg15131 = msg("12687", dup267); + +var msg15132 = msg("12688", dup267); + +var msg15133 = msg("12689", dup265); + +var msg15134 = msg("12690", dup265); + +var msg15135 = msg("12691", dup196); + +var msg15136 = msg("12692", dup201); + +var msg15137 = msg("12693", dup303); + +var msg15138 = msg("12694", dup303); + +var msg15139 = msg("12695", dup303); + +var msg15140 = msg("12696", dup303); + +var msg15141 = msg("12697", dup303); + +var msg15142 = msg("12698", dup303); + +var msg15143 = msg("12699", dup192); + +var msg15144 = msg("12700", dup192); + +var msg15145 = msg("12701", dup192); + +var msg15146 = msg("12702", dup192); + +var msg15147 = msg("12703", dup265); + +var msg15148 = msg("12704", dup197); + +var msg15149 = msg("12705", dup197); + +var msg15150 = msg("12706", dup197); + +var msg15151 = msg("12707", dup267); + +var msg15152 = msg("12708", dup222); + +var msg15153 = msg("12709", dup196); + +var msg15154 = msg("12710", dup196); + +var msg15155 = msg("12711", dup265); + +var msg15156 = msg("12712", dup242); + +var msg15157 = msg("12713", dup222); + +var msg15158 = msg("12714", dup265); + +var msg15159 = msg("12715", dup265); + +var msg15160 = msg("12716", dup265); + +var msg15161 = msg("12717", dup265); + +var msg15162 = msg("12718", dup303); + +var msg15163 = msg("12719", dup303); + +var msg15164 = msg("12720", dup303); + +var msg15165 = msg("12721", dup303); + +var msg15166 = msg("12722", dup303); + +var msg15167 = msg("12723", dup303); + +var msg15168 = msg("12724", dup192); + +var msg15169 = msg("12725", dup192); + +var msg15170 = msg("12726", dup192); + +var msg15171 = msg("12727", dup192); + +var msg15172 = msg("12728", dup267); + +var msg15173 = msg("12729", dup265); + +var msg15174 = msg("12730", dup265); + +var msg15175 = msg("12731", dup265); + +var msg15176 = msg("12732", dup265); + +var msg15177 = msg("12733", dup265); + +var msg15178 = msg("12734", dup265); + +var msg15179 = msg("12735", dup265); + +var msg15180 = msg("12736", dup265); + +var msg15181 = msg("12737", dup265); + +var msg15182 = msg("12738", dup265); + +var msg15183 = msg("12739", dup265); + +var msg15184 = msg("12740", dup265); + +var msg15185 = msg("12741", dup201); + +var msg15186 = msg("12742", dup222); + +var msg15187 = msg("12743", dup201); + +var msg15188 = msg("12744", dup267); + +var msg15189 = msg("12745", dup267); + +var msg15190 = msg("12746", dup222); + +var msg15191 = msg("12747", dup194); + +var msg15192 = msg("12748", dup194); + +var msg15193 = msg("12749", dup194); + +var msg15194 = msg("12750", dup194); + +var msg15195 = msg("12751", dup265); + +var msg15196 = msg("12752", dup265); + +var msg15197 = msg("12753", dup265); + +var msg15198 = msg("12754", dup265); + +var msg15199 = msg("12755", dup265); + +var msg15200 = msg("12756", dup265); + +var msg15201 = msg("12757", dup267); + +var msg15202 = msg("12758", dup303); + +var msg15203 = msg("12759", dup303); + +var msg15204 = msg("12760", dup303); + +var msg15205 = msg("12761", dup303); + +var msg15206 = msg("12762", dup265); + +var msg15207 = msg("12763", dup265); + +var msg15208 = msg("12764", dup265); + +var msg15209 = msg("12765", dup265); + +var msg15210 = msg("12766", dup265); + +var msg15211 = msg("12767", dup265); + +var msg15212 = msg("12768", dup265); + +var msg15213 = msg("12769", dup265); + +var msg15214 = msg("12770", dup196); + +var msg15215 = msg("12771", dup196); + +var msg15216 = msg("12772", dup196); + +var msg15217 = msg("12773", dup196); + +var msg15218 = msg("12774", dup196); + +var msg15219 = msg("12775", dup196); + +var msg15220 = msg("12776", dup265); + +var msg15221 = msg("12777", dup265); + +var msg15222 = msg("12778", dup265); + +var msg15223 = msg("12779", dup265); + +var msg15224 = msg("12780", dup265); + +var msg15225 = msg("12781", dup265); + +var msg15226 = msg("12782", dup265); + +var msg15227 = msg("12783", dup265); + +var msg15228 = msg("12784", dup197); + +var msg15229 = msg("12785", dup197); + +var msg15230 = msg("12786", dup222); + +var msg15231 = msg("12787", dup222); + +var msg15232 = msg("12788", dup222); + +var msg15233 = msg("12789", dup303); + +var msg15234 = msg("12790", dup303); + +var msg15235 = msg("12791", dup303); + +var msg15236 = msg("12792", dup303); + +var msg15237 = msg("12793", dup303); + +var msg15238 = msg("12794", dup303); + +var msg15239 = msg("12795", dup303); + +var msg15240 = msg("12796", dup303); + +var msg15241 = msg("12797", dup303); + +var msg15242 = msg("12798", dup196); + +var msg15243 = msg("12799", dup196); + +var msg15244 = msg("12800", dup196); + +var msg15245 = msg("12801", dup196); + +var msg15246 = msg("12802", dup196); + +var msg15247 = msg("12803", dup265); + +var msg15248 = msg("12804", dup265); + +var msg15249 = msg("12805", dup265); + +var msg15250 = msg("12806", dup265); + +var msg15251 = msg("12807", dup250); + +var msg15252 = msg("12808", dup276); + +var msg15253 = msg("12809", dup276); + +var msg15254 = msg("12810", dup276); + +var msg15255 = msg("12811", dup276); + +var msg15256 = msg("12812", dup276); + +var msg15257 = msg("12813", dup276); + +var msg15258 = msg("12814", dup276); + +var msg15259 = msg("12815", dup276); + +var msg15260 = msg("12816", dup276); + +var msg15261 = msg("12817", dup276); + +var msg15262 = msg("12818", dup276); + +var msg15263 = msg("12819", dup276); + +var msg15264 = msg("12820", dup276); + +var msg15265 = msg("12821", dup276); + +var msg15266 = msg("12822", dup276); + +var msg15267 = msg("12823", dup276); + +var msg15268 = msg("12824", dup276); + +var msg15269 = msg("12825", dup276); + +var msg15270 = msg("12826", dup276); + +var msg15271 = msg("12827", dup276); + +var msg15272 = msg("12828", dup276); + +var msg15273 = msg("12829", dup276); + +var msg15274 = msg("12830", dup276); + +var msg15275 = msg("12831", dup276); + +var msg15276 = msg("12832", dup276); + +var msg15277 = msg("12833", dup276); + +var msg15278 = msg("12834", dup276); + +var msg15279 = msg("12835", dup276); + +var msg15280 = msg("12836", dup276); + +var msg15281 = msg("12837", dup276); + +var msg15282 = msg("12838", dup276); + +var msg15283 = msg("12839", dup276); + +var msg15284 = msg("12840", dup276); + +var msg15285 = msg("12841", dup276); + +var msg15286 = msg("12842", dup276); + +var msg15287 = msg("12843", dup276); + +var msg15288 = msg("12844", dup276); + +var msg15289 = msg("12845", dup276); + +var msg15290 = msg("12846", dup276); + +var msg15291 = msg("12847", dup276); + +var msg15292 = msg("12848", dup276); + +var msg15293 = msg("12849", dup276); + +var msg15294 = msg("12850", dup276); + +var msg15295 = msg("12851", dup276); + +var msg15296 = msg("12852", dup276); + +var msg15297 = msg("12853", dup276); + +var msg15298 = msg("12854", dup276); + +var msg15299 = msg("12855", dup276); + +var msg15300 = msg("12856", dup276); + +var msg15301 = msg("12857", dup276); + +var msg15302 = msg("12858", dup276); + +var msg15303 = msg("12859", dup276); + +var msg15304 = msg("12860", dup276); + +var msg15305 = msg("12861", dup276); + +var msg15306 = msg("12862", dup276); + +var msg15307 = msg("12863", dup276); + +var msg15308 = msg("12864", dup276); + +var msg15309 = msg("12865", dup276); + +var msg15310 = msg("12866", dup276); + +var msg15311 = msg("12867", dup276); + +var msg15312 = msg("12868", dup276); + +var msg15313 = msg("12869", dup276); + +var msg15314 = msg("12870", dup276); + +var msg15315 = msg("12871", dup276); + +var msg15316 = msg("12872", dup276); + +var msg15317 = msg("12873", dup276); + +var msg15318 = msg("12874", dup276); + +var msg15319 = msg("12875", dup276); + +var msg15320 = msg("12876", dup276); + +var msg15321 = msg("12877", dup276); + +var msg15322 = msg("12878", dup276); + +var msg15323 = msg("12879", dup276); + +var msg15324 = msg("12880", dup276); + +var msg15325 = msg("12881", dup276); + +var msg15326 = msg("12882", dup276); + +var msg15327 = msg("12883", dup276); + +var msg15328 = msg("12884", dup276); + +var msg15329 = msg("12885", dup276); + +var msg15330 = msg("12886", dup276); + +var msg15331 = msg("12887", dup276); + +var msg15332 = msg("12888", dup276); + +var msg15333 = msg("12889", dup276); + +var msg15334 = msg("12890", dup276); + +var msg15335 = msg("12891", dup276); + +var msg15336 = msg("12892", dup276); + +var msg15337 = msg("12893", dup276); + +var msg15338 = msg("12894", dup276); + +var msg15339 = msg("12895", dup276); + +var msg15340 = msg("12896", dup276); + +var msg15341 = msg("12897", dup276); + +var msg15342 = msg("12898", dup276); + +var msg15343 = msg("12899", dup276); + +var msg15344 = msg("12900", dup276); + +var msg15345 = msg("12901", dup276); + +var msg15346 = msg("12902", dup276); + +var msg15347 = msg("12903", dup276); + +var msg15348 = msg("12904", dup222); + +var msg15349 = msg("12905", dup222); + +var msg15350 = msg("12906", dup276); + +var msg15351 = msg("12907", dup276); + +var msg15352 = msg("12908", dup276); + +var msg15353 = msg("12909", dup276); + +var msg15354 = msg("12910", dup276); + +var msg15355 = msg("12911", dup276); + +var msg15356 = msg("12912", dup276); + +var msg15357 = msg("12913", dup276); + +var msg15358 = msg("12914", dup276); + +var msg15359 = msg("12915", dup276); + +var msg15360 = msg("12916", dup276); + +var msg15361 = msg("12917", dup276); + +var msg15362 = msg("12918", dup276); + +var msg15363 = msg("12919", dup276); + +var msg15364 = msg("12920", dup276); + +var msg15365 = msg("12921", dup276); + +var msg15366 = msg("12922", dup276); + +var msg15367 = msg("12923", dup276); + +var msg15368 = msg("12924", dup276); + +var msg15369 = msg("12925", dup276); + +var msg15370 = msg("12926", dup276); + +var msg15371 = msg("12927", dup276); + +var msg15372 = msg("12928", dup276); + +var msg15373 = msg("12929", dup276); + +var msg15374 = msg("12930", dup276); + +var msg15375 = msg("12931", dup276); + +var msg15376 = msg("12932", dup276); + +var msg15377 = msg("12933", dup276); + +var msg15378 = msg("12934", dup276); + +var msg15379 = msg("12935", dup276); + +var msg15380 = msg("12936", dup276); + +var msg15381 = msg("12937", dup276); + +var msg15382 = msg("12938", dup276); + +var msg15383 = msg("12939", dup276); + +var msg15384 = msg("12940", dup276); + +var msg15385 = msg("12941", dup276); + +var msg15386 = msg("12942", dup276); + +var msg15387 = msg("12943", dup276); + +var msg15388 = msg("12944", dup276); + +var msg15389 = msg("12945", dup276); + +var msg15390 = msg("12946", dup276); + +var msg15391 = msg("12947", dup276); + +var msg15392 = msg("12948", dup265); + +var msg15393 = msg("12949", dup265); + +var msg15394 = msg("12950", dup265); + +var msg15395 = msg("12951", dup265); + +var msg15396 = msg("12952", dup265); + +var msg15397 = msg("12953", dup265); + +var msg15398 = msg("12954", dup265); + +var msg15399 = msg("12955", dup265); + +var msg15400 = msg("12956", dup265); + +var msg15401 = msg("12957", dup265); + +var msg15402 = msg("12958", dup265); + +var msg15403 = msg("12959", dup265); + +var msg15404 = msg("12960", dup265); + +var msg15405 = msg("12961", dup265); + +var msg15406 = msg("12962", dup265); + +var msg15407 = msg("12963", dup265); + +var msg15408 = msg("12964", dup265); + +var msg15409 = msg("12965", dup265); + +var msg15410 = msg("12966", dup265); + +var msg15411 = msg("12967", dup265); + +var msg15412 = msg("12968", dup265); + +var msg15413 = msg("12969", dup265); + +var msg15414 = msg("12970", dup265); + +var msg15415 = msg("12971", dup222); + +var msg15416 = msg("12972", dup265); + +var msg15417 = msg("12973", dup276); + +var msg15418 = msg("12974", dup276); + +var msg15419 = msg("12975", dup276); + +var msg15420 = msg("12976", dup276); + +var msg15421 = msg("12977", dup276); + +var msg15422 = msg("12978", dup276); + +var msg15423 = msg("12979", dup276); + +var msg15424 = msg("12980", dup276); + +var msg15425 = msg("12981", dup276); + +var msg15426 = msg("12982", dup276); + +var msg15427 = msg("12983", dup222); + +var msg15428 = msg("12984", dup276); + +var msg15429 = msg("12985", dup276); + +var msg15430 = msg("12986", dup276); + +var msg15431 = msg("12987", dup276); + +var msg15432 = msg("12988", dup276); + +var msg15433 = msg("12989", dup276); + +var msg15434 = msg("12990", dup276); + +var msg15435 = msg("12991", dup276); + +var msg15436 = msg("12992", dup276); + +var msg15437 = msg("12993", dup276); + +var msg15438 = msg("12994", dup276); + +var msg15439 = msg("12995", dup276); + +var msg15440 = msg("12996", dup276); + +var msg15441 = msg("12997", dup276); + +var msg15442 = msg("12998", dup276); + +var msg15443 = msg("12999", dup276); + +var msg15444 = msg("13000", dup276); + +var msg15445 = msg("13001", dup276); + +var msg15446 = msg("13002", dup276); + +var msg15447 = msg("13003", dup276); + +var msg15448 = msg("13004", dup276); + +var msg15449 = msg("13005", dup276); + +var msg15450 = msg("13006", dup276); + +var msg15451 = msg("13007", dup276); + +var msg15452 = msg("13008", dup276); + +var msg15453 = msg("13009", dup276); + +var msg15454 = msg("13010", dup276); + +var msg15455 = msg("13011", dup276); + +var msg15456 = msg("13012", dup276); + +var msg15457 = msg("13013", dup276); + +var msg15458 = msg("13014", dup276); + +var msg15459 = msg("13015", dup276); + +var msg15460 = msg("13016", dup276); + +var msg15461 = msg("13017", dup276); + +var msg15462 = msg("13018", dup276); + +var msg15463 = msg("13019", dup276); + +var msg15464 = msg("13020", dup276); + +var msg15465 = msg("13021", dup276); + +var msg15466 = msg("13022", dup276); + +var msg15467 = msg("13023", dup276); + +var msg15468 = msg("13024", dup276); + +var msg15469 = msg("13025", dup276); + +var msg15470 = msg("13026", dup276); + +var msg15471 = msg("13027", dup276); + +var msg15472 = msg("13028", dup276); + +var msg15473 = msg("13029", dup276); + +var msg15474 = msg("13030", dup276); + +var msg15475 = msg("13031", dup276); + +var msg15476 = msg("13032", dup276); + +var msg15477 = msg("13033", dup276); + +var msg15478 = msg("13034", dup276); + +var msg15479 = msg("13035", dup276); + +var msg15480 = msg("13036", dup276); + +var msg15481 = msg("13037", dup276); + +var msg15482 = msg("13038", dup276); + +var msg15483 = msg("13039", dup276); + +var msg15484 = msg("13040", dup276); + +var msg15485 = msg("13041", dup276); + +var msg15486 = msg("13042", dup276); + +var msg15487 = msg("13043", dup276); + +var msg15488 = msg("13044", dup276); + +var msg15489 = msg("13045", dup276); + +var msg15490 = msg("13046", dup276); + +var msg15491 = msg("13047", dup276); + +var msg15492 = msg("13048", dup276); + +var msg15493 = msg("13049", dup276); + +var msg15494 = msg("13050", dup276); + +var msg15495 = msg("13051", dup276); + +var msg15496 = msg("13052", dup276); + +var msg15497 = msg("13053", dup276); + +var msg15498 = msg("13054", dup276); + +var msg15499 = msg("13055", dup276); + +var msg15500 = msg("13056", dup276); + +var msg15501 = msg("13057", dup276); + +var msg15502 = msg("13058", dup276); + +var msg15503 = msg("13059", dup276); + +var msg15504 = msg("13060", dup276); + +var msg15505 = msg("13061", dup276); + +var msg15506 = msg("13062", dup276); + +var msg15507 = msg("13063", dup276); + +var msg15508 = msg("13064", dup276); + +var msg15509 = msg("13065", dup276); + +var msg15510 = msg("13066", dup276); + +var msg15511 = msg("13067", dup276); + +var msg15512 = msg("13068", dup276); + +var msg15513 = msg("13069", dup276); + +var msg15514 = msg("13070", dup276); + +var msg15515 = msg("13071", dup276); + +var msg15516 = msg("13072", dup276); + +var msg15517 = msg("13073", dup276); + +var msg15518 = msg("13074", dup276); + +var msg15519 = msg("13075", dup276); + +var msg15520 = msg("13076", dup276); + +var msg15521 = msg("13077", dup276); + +var msg15522 = msg("13078", dup276); + +var msg15523 = msg("13079", dup276); + +var msg15524 = msg("13080", dup276); + +var msg15525 = msg("13081", dup276); + +var msg15526 = msg("13082", dup276); + +var msg15527 = msg("13083", dup276); + +var msg15528 = msg("13084", dup276); + +var msg15529 = msg("13085", dup276); + +var msg15530 = msg("13086", dup276); + +var msg15531 = msg("13087", dup276); + +var msg15532 = msg("13088", dup276); + +var msg15533 = msg("13089", dup276); + +var msg15534 = msg("13090", dup276); + +var msg15535 = msg("13091", dup276); + +var msg15536 = msg("13092", dup276); + +var msg15537 = msg("13093", dup276); + +var msg15538 = msg("13094", dup276); + +var msg15539 = msg("13095", dup276); + +var msg15540 = msg("13096", dup276); + +var msg15541 = msg("13097", dup276); + +var msg15542 = msg("13098", dup276); + +var msg15543 = msg("13099", dup276); + +var msg15544 = msg("13100", dup276); + +var msg15545 = msg("13101", dup276); + +var msg15546 = msg("13102", dup276); + +var msg15547 = msg("13103", dup276); + +var msg15548 = msg("13104", dup276); + +var msg15549 = msg("13105", dup276); + +var msg15550 = msg("13106", dup276); + +var msg15551 = msg("13107", dup276); + +var msg15552 = msg("13108", dup276); + +var msg15553 = msg("13109", dup276); + +var msg15554 = msg("13110", dup276); + +var msg15555 = msg("13111", dup276); + +var msg15556 = msg("13112", dup276); + +var msg15557 = msg("13113", dup276); + +var msg15558 = msg("13114", dup276); + +var msg15559 = msg("13115", dup276); + +var msg15560 = msg("13116", dup276); + +var msg15561 = msg("13117", dup276); + +var msg15562 = msg("13118", dup276); + +var msg15563 = msg("13119", dup276); + +var msg15564 = msg("13120", dup276); + +var msg15565 = msg("13121", dup276); + +var msg15566 = msg("13122", dup276); + +var msg15567 = msg("13123", dup276); + +var msg15568 = msg("13124", dup276); + +var msg15569 = msg("13125", dup276); + +var msg15570 = msg("13126", dup276); + +var msg15571 = msg("13127", dup276); + +var msg15572 = msg("13128", dup276); + +var msg15573 = msg("13129", dup276); + +var msg15574 = msg("13130", dup201); + +var msg15575 = msg("13131", dup276); + +var msg15576 = msg("13132", dup276); + +var msg15577 = msg("13133", dup276); + +var msg15578 = msg("13134", dup201); + +var msg15579 = msg("13135", dup276); + +var msg15580 = msg("13136", dup276); + +var msg15581 = msg("13137", dup276); + +var msg15582 = msg("13138", dup276); + +var msg15583 = msg("13139", dup201); + +var msg15584 = msg("13140", dup201); + +var msg15585 = msg("13141", dup276); + +var msg15586 = msg("13142", dup276); + +var msg15587 = msg("13143", dup201); + +var msg15588 = msg("13144", dup201); + +var msg15589 = msg("13145", dup201); + +var msg15590 = msg("13146", dup276); + +var msg15591 = msg("13147", dup201); + +var msg15592 = msg("13148", dup201); + +var msg15593 = msg("13149", dup276); + +var msg15594 = msg("13150", dup276); + +var msg15595 = msg("13151", dup276); + +var msg15596 = msg("13152", dup201); + +var msg15597 = msg("13153", dup276); + +var msg15598 = msg("13154", dup276); + +var msg15599 = msg("13155", dup201); + +var msg15600 = msg("13156", dup201); + +var msg15601 = msg("13157", dup276); + +var msg15602 = msg("13158", dup222); + +var msg15603 = msg("13159", dup222); + +var msg15604 = msg("13160", dup267); + +var msg15605 = msg("13161", dup222); + +var msg15606 = msg("13162", dup276); + +var msg15607 = msg("13163", dup276); + +var msg15608 = msg("13164", dup276); + +var msg15609 = msg("13165", dup276); + +var msg15610 = msg("13166", dup276); + +var msg15611 = msg("13167", dup276); + +var msg15612 = msg("13168", dup276); + +var msg15613 = msg("13169", dup276); + +var msg15614 = msg("13170", dup276); + +var msg15615 = msg("13171", dup276); + +var msg15616 = msg("13172", dup276); + +var msg15617 = msg("13173", dup276); + +var msg15618 = msg("13174", dup276); + +var msg15619 = msg("13175", dup276); + +var msg15620 = msg("13176", dup276); + +var msg15621 = msg("13177", dup276); + +var msg15622 = msg("13178", dup276); + +var msg15623 = msg("13179", dup276); + +var msg15624 = msg("13180", dup276); + +var msg15625 = msg("13181", dup276); + +var msg15626 = msg("13182", dup276); + +var msg15627 = msg("13183", dup276); + +var msg15628 = msg("13184", dup276); + +var msg15629 = msg("13185", dup276); + +var msg15630 = msg("13186", dup276); + +var msg15631 = msg("13187", dup276); + +var msg15632 = msg("13188", dup276); + +var msg15633 = msg("13189", dup276); + +var msg15634 = msg("13190", dup276); + +var msg15635 = msg("13191", dup276); + +var msg15636 = msg("13192", dup276); + +var msg15637 = msg("13193", dup276); + +var msg15638 = msg("13194", dup276); + +var msg15639 = msg("13195", dup276); + +var msg15640 = msg("13196", dup276); + +var msg15641 = msg("13197", dup276); + +var msg15642 = msg("13198", dup276); + +var msg15643 = msg("13199", dup276); + +var msg15644 = msg("13200", dup276); + +var msg15645 = msg("13201", dup276); + +var msg15646 = msg("13202", dup276); + +var msg15647 = msg("13203", dup276); + +var msg15648 = msg("13204", dup276); + +var msg15649 = msg("13205", dup276); + +var msg15650 = msg("13206", dup276); + +var msg15651 = msg("13207", dup276); + +var msg15652 = msg("13208", dup276); + +var msg15653 = msg("13209", dup276); + +var msg15654 = msg("13210", dup276); + +var msg15655 = msg("13211", dup276); + +var msg15656 = msg("13212", dup276); + +var msg15657 = msg("13213", dup276); + +var msg15658 = msg("13214", dup276); + +var msg15659 = msg("13215", dup276); + +var msg15660 = msg("13216", dup265); + +var msg15661 = msg("13217", dup265); + +var msg15662 = msg("13218", dup265); + +var msg15663 = msg("13219", dup265); + +var msg15664 = msg("13220", dup265); + +var msg15665 = msg("13221", dup222); + +var msg15666 = msg("13222", dup222); + +var msg15667 = msg("13223", dup269); + +var msg15668 = msg("13224", dup265); + +var msg15669 = msg("13225", dup265); + +var msg15670 = msg("13226", dup265); + +var msg15671 = msg("13227", dup265); + +var msg15672 = msg("13228", dup265); + +var msg15673 = msg("13229", dup265); + +var msg15674 = msg("13230", dup265); + +var msg15675 = msg("13231", dup265); + +var msg15676 = msg("13232", dup265); + +var msg15677 = msg("13233", dup265); + +var msg15678 = msg("13234", dup265); + +var msg15679 = msg("13235", dup265); + +var msg15680 = msg("13236", dup303); + +var msg15681 = msg("13237", dup303); + +var msg15682 = msg("13238", dup303); + +var msg15683 = msg("13239", dup303); + +var msg15684 = msg("13240", dup303); + +var msg15685 = msg("13241", dup303); + +var msg15686 = msg("13242", dup303); + +var msg15687 = msg("13243", dup303); + +var msg15688 = msg("13244", dup303); + +var msg15689 = msg("13245", dup192); + +var msg15690 = msg("13246", dup192); + +var msg15691 = msg("13247", dup192); + +var msg15692 = msg("13248", dup192); + +var msg15693 = msg("13249", dup196); + +var msg15694 = msg("13250", dup287); + +var msg15695 = msg("13251", dup258); + +var msg15696 = msg("13252", dup287); + +var msg15697 = msg("13253", dup258); + +var msg15698 = msg("13254", dup287); + +var msg15699 = msg("13255", dup258); + +var msg15700 = msg("13256", dup287); + +var msg15701 = msg("13257", dup258); + +var msg15702 = msg("13258", dup265); + +var msg15703 = msg("13259", dup265); + +var msg15704 = msg("13260", dup265); + +var msg15705 = msg("13261", dup265); + +var msg15706 = msg("13262", dup265); + +var msg15707 = msg("13263", dup265); + +var msg15708 = msg("13264", dup265); + +var msg15709 = msg("13265", dup265); + +var msg15710 = msg("13266", dup265); + +var msg15711 = msg("13267", dup265); + +var msg15712 = msg("13268", dup269); + +var msg15713 = msg("13269", dup196); + +var msg15714 = msg("13270", dup196); + +var msg15715 = msg("13271", dup196); + +var msg15716 = msg("13272", dup196); + +var msg15717 = msg("13273", dup265); + +var msg15718 = msg("13274", dup265); + +var msg15719 = msg("13275", dup265); + +var msg15720 = msg("13276", dup265); + +var msg15721 = msg("13277", dup303); + +var msg15722 = msg("13278", dup303); + +var msg15723 = msg("13279", dup303); + +var msg15724 = msg("13280", dup303); + +var msg15725 = msg("13281", dup303); + +var msg15726 = msg("13282", dup303); + +var msg15727 = msg("13283", dup303); + +var msg15728 = msg("13284", dup303); + +var msg15729 = msg("13285", dup303); + +var msg15730 = msg("13286", dup303); + +var msg15731 = msg("13287", dup201); + +var msg15732 = msg("13288", dup201); + +var msg15733 = msg("13289", dup265); + +var msg15734 = msg("13290", dup265); + +var msg15735 = msg("13291", dup222); + +var msg15736 = msg("13292", dup196); + +var msg15737 = msg("13293", dup267); + +var msg15738 = msg("13294", dup265); + +var msg15739 = msg("13295", dup265); + +var msg15740 = msg("13296", dup265); + +var msg15741 = msg("13297", dup265); + +var msg15742 = msg("13298", dup265); + +var msg15743 = msg("13299", dup265); + +var msg15744 = msg("13300", dup267); + +var msg15745 = msg("13301", dup267); + +var msg15746 = msg("13302", dup265); + +var msg15747 = msg("13303", dup265); + +var msg15748 = msg("13304", dup265); + +var msg15749 = msg("13305", dup265); + +var msg15750 = msg("13306", dup265); + +var msg15751 = msg("13307", dup198); + +var msg15752 = msg("13308", dup265); + +var msg15753 = msg("13309", dup198); + +var msg15754 = msg("13310", dup198); + +var msg15755 = msg("13311", dup198); + +var msg15756 = msg("13312", dup265); + +var msg15757 = msg("13313", dup265); + +var msg15758 = msg("13314", dup265); + +var msg15759 = msg("13315", dup265); + +var msg15760 = msg("13316", dup267); + +var msg15761 = msg("13317", dup267); + +var msg15762 = msg("13318", dup267); + +var msg15763 = msg("13319", dup267); + +var msg15764 = msg("13320", dup267); + +var msg15765 = msg("13321", dup265); + +var msg15766 = msg("13322", dup265); + +var msg15767 = msg("13323", dup265); + +var msg15768 = msg("13324", dup265); + +var msg15769 = msg("13325", dup265); + +var msg15770 = msg("13326", dup265); + +var msg15771 = msg("13327", dup265); + +var msg15772 = msg("13328", dup265); + +var msg15773 = msg("13329", dup265); + +var msg15774 = msg("13330", dup265); + +var msg15775 = msg("13331", dup265); + +var msg15776 = msg("13332", dup265); + +var msg15777 = msg("13333", dup265); + +var msg15778 = msg("13334", dup265); + +var msg15779 = msg("13335", dup265); + +var msg15780 = msg("13336", dup265); + +var msg15781 = msg("13337", dup194); + +var msg15782 = msg("13338", dup194); + +var msg15783 = msg("13339", dup303); + +var msg15784 = msg("13340", dup303); + +var msg15785 = msg("13341", dup303); + +var msg15786 = msg("13342", dup303); + +var msg15787 = msg("13343", dup303); + +var msg15788 = msg("13344", dup303); + +var msg15789 = msg("13345", dup303); + +var msg15790 = msg("13346", dup303); + +var msg15791 = msg("13347", dup303); + +var msg15792 = msg("13348", dup265); + +var msg15793 = msg("13349", dup265); + +var msg15794 = msg("13350", dup265); + +var msg15795 = msg("13351", dup265); + +var msg15796 = msg("13352", dup265); + +var msg15797 = msg("13353", dup265); + +var msg15798 = msg("13354", dup265); + +var msg15799 = msg("13355", dup265); + +var msg15800 = msg("13356", dup260); + +var msg15801 = msg("13357", dup236); + +var msg15802 = msg("13358", dup273); + +var msg15803 = msg("13359", dup236); + +var msg15804 = msg("13360", dup236); + +var msg15805 = msg("13361", dup222); + +var msg15806 = msg("13362", dup222); + +var msg15807 = msg("13363", dup222); + +var msg15808 = msg("13364", dup197); + +var msg15809 = msg("13365", dup222); + +var msg15810 = msg("13366", dup260); + +var msg15811 = msg("13367", dup276); + +var msg15812 = msg("13368", dup276); + +var msg15813 = msg("13369", dup276); + +var msg15814 = msg("13370", dup276); + +var msg15815 = msg("13371", dup276); + +var msg15816 = msg("13372", dup276); + +var msg15817 = msg("13373", dup276); + +var msg15818 = msg("13374", dup276); + +var msg15819 = msg("13375", dup276); + +var msg15820 = msg("13376", dup276); + +var msg15821 = msg("13377", dup276); + +var msg15822 = msg("13378", dup276); + +var msg15823 = msg("13379", dup276); + +var msg15824 = msg("13380", dup276); + +var msg15825 = msg("13381", dup276); + +var msg15826 = msg("13382", dup276); + +var msg15827 = msg("13383", dup276); + +var msg15828 = msg("13384", dup276); + +var msg15829 = msg("13385", dup276); + +var msg15830 = msg("13386", dup276); + +var msg15831 = msg("13387", dup276); + +var msg15832 = msg("13388", dup276); + +var msg15833 = msg("13389", dup276); + +var msg15834 = msg("13390", dup276); + +var msg15835 = msg("13391", dup276); + +var msg15836 = msg("13392", dup276); + +var msg15837 = msg("13393", dup276); + +var msg15838 = msg("13394", dup276); + +var msg15839 = msg("13395", dup276); + +var msg15840 = msg("13396", dup276); + +var msg15841 = msg("13397", dup276); + +var msg15842 = msg("13398", dup276); + +var msg15843 = msg("13399", dup276); + +var msg15844 = msg("13400", dup276); + +var msg15845 = msg("13401", dup276); + +var msg15846 = msg("13402", dup276); + +var msg15847 = msg("13403", dup276); + +var msg15848 = msg("13404", dup276); + +var msg15849 = msg("13405", dup276); + +var msg15850 = msg("13406", dup276); + +var msg15851 = msg("13407", dup276); + +var msg15852 = msg("13408", dup276); + +var msg15853 = msg("13409", dup276); + +var msg15854 = msg("13410", dup276); + +var msg15855 = msg("13411", dup276); + +var msg15856 = msg("13412", dup276); + +var msg15857 = msg("13413", dup276); + +var msg15858 = msg("13414", dup276); + +var msg15859 = msg("13415", dup197); + +var msg15860 = msg("13416", dup198); + +var msg15861 = msg("13417", dup222); + +var msg15862 = msg("13418", dup198); + +var msg15863 = msg("13419", dup265); + +var msg15864 = msg("13420", dup265); + +var msg15865 = msg("13421", dup265); + +var msg15866 = msg("13422", dup265); + +var msg15867 = msg("13423", dup265); + +var msg15868 = msg("13424", dup265); + +var msg15869 = msg("13425", dup198); + +var msg15870 = msg("13426", dup265); + +var msg15871 = msg("13427", dup265); + +var msg15872 = msg("13428", dup265); + +var msg15873 = msg("13429", dup265); + +var msg15874 = msg("13430", dup265); + +var msg15875 = msg("13431", dup265); + +var msg15876 = msg("13432", dup265); + +var msg15877 = msg("13433", dup265); + +var msg15878 = msg("13434", dup265); + +var msg15879 = msg("13435", dup265); + +var msg15880 = msg("13436", dup265); + +var msg15881 = msg("13437", dup265); + +var msg15882 = msg("13438", dup265); + +var msg15883 = msg("13439", dup265); + +var msg15884 = msg("13440", dup265); + +var msg15885 = msg("13441", dup265); + +var msg15886 = msg("13442", dup265); + +var msg15887 = msg("13443", dup265); + +var msg15888 = msg("13444", dup265); + +var msg15889 = msg("13445", dup265); + +var msg15890 = msg("13446", dup265); + +var msg15891 = msg("13447", dup265); + +var msg15892 = msg("13448", dup201); + +var msg15893 = msg("13449", dup201); + +var msg15894 = msg("13450", dup198); + +var msg15895 = msg("13451", dup265); + +var msg15896 = msg("13452", dup265); + +var msg15897 = msg("13453", dup265); + +var msg15898 = msg("13454", dup265); + +var msg15899 = msg("13455", dup265); + +var msg15900 = msg("13456", dup265); + +var msg15901 = msg("13457", dup265); + +var msg15902 = msg("13458", dup265); + +var msg15903 = msg("13459", dup265); + +var msg15904 = msg("13460", dup265); + +var msg15905 = msg("13465", dup265); + +var msg15906 = msg("13466", dup265); + +var msg15907 = msg("13467", dup265); + +var msg15908 = msg("13468", dup265); + +var msg15909 = msg("13469", dup265); + +var msg15910 = msg("13470", dup196); + +var msg15911 = msg("13471", dup196); + +var msg15912 = msg("13472", dup196); + +var msg15913 = msg("13473", dup196); + +var msg15914 = msg("13474", dup267); + +var msg15915 = msg("13475", dup198); + +var msg15916 = msg("13476", dup197); + +var msg15917 = msg("13477", dup196); + +var msg15918 = msg("13478", dup196); + +var msg15919 = msg("13479", dup303); + +var msg15920 = msg("13480", dup303); + +var msg15921 = msg("13481", dup303); + +var msg15922 = msg("13482", dup303); + +var msg15923 = msg("13483", dup303); + +var msg15924 = msg("13484", dup303); + +var msg15925 = msg("13485", dup303); + +var msg15926 = msg("13486", dup303); + +var msg15927 = msg("13487", dup303); + +var msg15928 = msg("13488", dup303); + +var msg15929 = msg("13489", dup303); + +var msg15930 = msg("13490", dup303); + +var msg15931 = msg("13491", dup303); + +var msg15932 = msg("13492", dup303); + +var msg15933 = msg("13493", dup303); + +var msg15934 = msg("13494", dup303); + +var msg15935 = msg("13495", dup303); + +var msg15936 = msg("13496", dup303); + +var msg15937 = msg("13497", dup303); + +var msg15938 = msg("13498", dup303); + +var msg15939 = msg("13499", dup303); + +var msg15940 = msg("13500", dup303); + +var msg15941 = msg("13501", dup303); + +var msg15942 = msg("13502", dup303); + +var msg15943 = msg("13503", dup303); + +var msg15944 = msg("13504", dup303); + +var msg15945 = msg("13505", dup303); + +var msg15946 = msg("13506", dup192); + +var msg15947 = msg("13507", dup192); + +var msg15948 = msg("13508", dup192); + +var msg15949 = msg("13509", dup192); + +var msg15950 = msg("13510", dup222); + +var msg15951 = msg("13511", dup196); + +var msg15952 = msg("13512", dup260); + +var msg15953 = msg("13513", dup260); + +var msg15954 = msg("13514", dup260); + +var msg15955 = msg("13515", dup196); + +var msg15956 = msg("13516", dup197); + +var msg15957 = msg("13517", dup196); + +var msg15958 = msg("13518", dup265); + +var msg15959 = msg("13519", dup222); + +var msg15960 = msg("13520", dup269); + +var msg15961 = msg("13521", dup269); + +var msg15962 = msg("13522", dup197); + +var msg15963 = msg("13523", dup265); + +var msg15964 = msg("13524", dup265); + +var msg15965 = msg("13525", dup265); + +var msg15966 = msg("13526", dup265); + +var msg15967 = msg("13527", dup265); + +var msg15968 = msg("13528", dup265); + +var msg15969 = msg("13529", dup265); + +var msg15970 = msg("13530", dup265); + +var msg15971 = msg("13531", dup265); + +var msg15972 = msg("13532", dup265); + +var msg15973 = msg("13533", dup265); + +var msg15974 = msg("13534", dup265); + +var msg15975 = msg("13535", dup265); + +var msg15976 = msg("13536", dup265); + +var msg15977 = msg("13537", dup265); + +var msg15978 = msg("13538", dup265); + +var msg15979 = msg("13539", dup267); + +var msg15980 = msg("13540", dup267); + +var msg15981 = msg("13541", dup267); + +var msg15982 = msg("13542", dup267); + +var msg15983 = msg("13543", dup265); + +var msg15984 = msg("13544", dup265); + +var msg15985 = msg("13545", dup265); + +var msg15986 = msg("13546", dup265); + +var msg15987 = msg("13547", dup265); + +var msg15988 = msg("13548", dup265); + +var msg15989 = msg("13549", dup265); + +var msg15990 = msg("13550", dup265); + +var msg15991 = msg("13551", dup260); + +var msg15992 = msg("13552", dup222); + +var msg15993 = msg("13553", dup197); + +var msg15994 = msg("13554", dup197); + +var msg15995 = msg("13555", dup197); + +var msg15996 = msg("13556", dup303); + +var msg15997 = msg("13557", dup303); + +var msg15998 = msg("13558", dup303); + +var msg15999 = msg("13559", dup303); + +var msg16000 = msg("13560", dup303); + +var msg16001 = msg("13561", dup303); + +var msg16002 = msg("13562", dup303); + +var msg16003 = msg("13563", dup303); + +var msg16004 = msg("13564", dup303); + +var msg16005 = msg("13565", dup303); + +var msg16006 = msg("13566", dup303); + +var msg16007 = msg("13567", dup303); + +var msg16008 = msg("13568", dup303); + +var msg16009 = msg("13569", dup269); + +var msg16010 = msg("13570", dup265); + +var msg16011 = msg("13571", dup265); + +var msg16012 = msg("13572", dup269); + +var msg16013 = msg("13573", dup265); + +var msg16014 = msg("13580", dup267); + +var msg16015 = msg("13581", dup267); + +var msg16016 = msg("13582", dup265); + +var msg16017 = msg("13583", dup266); + +var msg16018 = msg("13584", dup266); + +var msg16019 = msg("13585", dup217); + +var all47 = all_match({ + processors: [ + dup66, + dup178, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup62, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup76, + dup56, + ]), +}); + +var msg16020 = msg("13585:01", all47); + +var select2440 = linear_select([ + msg16019, + msg16020, +]); + +var msg16021 = msg("13586", dup196); + +var msg16022 = msg("13587", dup287); + +var msg16023 = msg("13588", dup287); + +var msg16024 = msg("13589", dup287); + +var msg16025 = msg("13590", dup287); + +var msg16026 = msg("13591", dup194); + +var msg16027 = msg("13592", dup269); + +var msg16028 = msg("13593", dup260); + +var msg16029 = msg("13593:01", dup261); + +var select2441 = linear_select([ + msg16028, + msg16029, +]); + +var msg16030 = msg("13594", dup198); + +var msg16031 = msg("13595", dup266); + +var msg16032 = msg("13596", dup266); + +var msg16033 = msg("13597", dup266); + +var msg16034 = msg("13598", dup266); + +var msg16035 = msg("13599", dup229); + +var msg16036 = msg("13600", dup229); + +var msg16037 = msg("13601", dup229); + +var msg16038 = msg("13602", dup229); + +var msg16039 = msg("13603", dup266); + +var msg16040 = msg("13604", dup266); + +var msg16041 = msg("13605", dup266); + +var msg16042 = msg("13606", dup266); + +var msg16043 = msg("13607", dup266); + +var msg16044 = msg("13608", dup266); + +var msg16045 = msg("13609", dup266); + +var msg16046 = msg("13610", dup266); + +var msg16047 = msg("13611", dup196); + +var msg16048 = msg("13612", dup285); + +var msg16049 = msg("13613", dup285); + +var msg16050 = msg("13614", dup222); + +var msg16051 = msg("13615", dup222); + +var msg16052 = msg("13616", dup197); + +var msg16053 = msg("13617", dup222); + +var msg16054 = msg("13618", dup222); + +var msg16055 = msg("13619", dup196); + +var msg16056 = msg("13620", dup222); + +var msg16057 = msg("13621", dup266); + +var msg16058 = msg("13622", dup266); + +var msg16059 = msg("13623", dup266); + +var msg16060 = msg("13624", dup266); + +var msg16061 = msg("13625", dup262); + +var msg16062 = msg("13626", dup265); + +var msg16063 = msg("13627", dup266); + +var msg16064 = msg("13628", dup265); + +var msg16065 = msg("13628:01", dup266); + +var select2442 = linear_select([ + msg16064, + msg16065, +]); + +var msg16066 = msg("13629", dup265); + +var msg16067 = msg("13630", dup265); + +var msg16068 = msg("13631", dup196); + +var msg16069 = msg("13632", dup266); + +var msg16070 = msg("13633", dup265); + +var msg16071 = msg("13634", dup265); + +var msg16072 = msg("13635", dup192); + +var msg16073 = msg("13636", dup192); + +var msg16074 = msg("13637", dup303); + +var msg16075 = msg("13638", dup303); + +var msg16076 = msg("13639", dup303); + +var msg16077 = msg("13640", dup303); + +var msg16078 = msg("13641", dup303); + +var msg16079 = msg("13642", dup303); + +var msg16080 = msg("13643", dup303); + +var msg16081 = msg("13644", dup303); + +var msg16082 = msg("13645", dup303); + +var msg16083 = msg("13646", dup303); + +var msg16084 = msg("13647", dup303); + +var msg16085 = msg("13648", dup303); + +var msg16086 = msg("13649", dup303); + +var msg16087 = msg("13650", dup303); + +var msg16088 = msg("13651", dup303); + +var msg16089 = msg("13652", dup303); + +var msg16090 = msg("13653", dup303); + +var msg16091 = msg("13654", dup192); + +var msg16092 = msg("13655", dup192); + +var msg16093 = msg("13656", dup267); + +var msg16094 = msg("13657", dup265); + +var msg16095 = msg("13658", dup265); + +var msg16096 = msg("13659", dup265); + +var msg16097 = msg("13660", dup265); + +var msg16098 = msg("13661", dup265); + +var msg16099 = msg("13662", dup265); + +var msg16100 = msg("13663", dup222); + +var msg16101 = msg("13664", dup196); + +var msg16102 = msg("13665", dup267); + +var msg16103 = msg("13666", dup267); + +var msg16104 = msg("13667", dup196); + +var msg16105 = msg("13668", dup265); + +var msg16106 = msg("13669", dup265); + +var msg16107 = msg("13670", dup265); + +var msg16108 = msg("13671", dup265); + +var msg16109 = msg("13672", dup265); + +var msg16110 = msg("13673", dup265); + +var msg16111 = msg("13674", dup265); + +var msg16112 = msg("13675", dup265); + +var msg16113 = msg("13676", dup267); + +var msg16114 = msg("13677", dup265); + +var msg16115 = msg("13678", dup196); + +var msg16116 = msg("13679", dup265); + +var msg16117 = msg("13680", dup265); + +var msg16118 = msg("13681", dup265); + +var msg16119 = msg("13682", dup265); + +var msg16120 = msg("13683", dup265); + +var msg16121 = msg("13684", dup265); + +var msg16122 = msg("13685", dup265); + +var msg16123 = msg("13686", dup265); + +var msg16124 = msg("13687", dup265); + +var msg16125 = msg("13688", dup265); + +var msg16126 = msg("13689", dup265); + +var msg16127 = msg("13690", dup265); + +var msg16128 = msg("13691", dup265); + +var msg16129 = msg("13692", dup265); + +var msg16130 = msg("13693", dup196); + +var msg16131 = msg("13694", dup196); + +var msg16132 = msg("13695", dup196); + +var msg16133 = msg("13696", dup196); + +var msg16134 = msg("13697", dup196); + +var msg16135 = msg("13698", dup196); + +var msg16136 = msg("13699", dup265); + +var msg16137 = msg("13700", dup265); + +var msg16138 = msg("13709", dup240); + +var msg16139 = msg("13710", dup240); + +var msg16140 = msg("13711", dup201); + +var msg16141 = msg("13712", dup260); + +var msg16142 = msg("13713", dup260); + +var msg16143 = msg("13714", dup201); + +var msg16144 = msg("13715", dup267); + +var msg16145 = msg("13716", dup287); + +var msg16146 = msg("13717", dup258); + +var msg16147 = msg("13718", dup222); + +var msg16148 = msg("13719", dup197); + +var msg16149 = msg("13720", dup265); + +var msg16150 = msg("13721", dup265); + +var msg16151 = msg("13722", dup265); + +var msg16152 = msg("13723", dup265); + +var msg16153 = msg("13724", dup265); + +var msg16154 = msg("13725", dup265); + +var msg16155 = msg("13726", dup265); + +var msg16156 = msg("13727", dup265); + +var msg16157 = msg("13728", dup265); + +var msg16158 = msg("13729", dup265); + +var msg16159 = msg("13730", dup265); + +var msg16160 = msg("13731", dup265); + +var msg16161 = msg("13732", dup265); + +var msg16162 = msg("13733", dup265); + +var msg16163 = msg("13734", dup265); + +var msg16164 = msg("13735", dup265); + +var msg16165 = msg("13736", dup265); + +var msg16166 = msg("13737", dup265); + +var msg16167 = msg("13738", dup265); + +var msg16168 = msg("13739", dup265); + +var msg16169 = msg("13740", dup265); + +var msg16170 = msg("13741", dup265); + +var msg16171 = msg("13742", dup265); + +var msg16172 = msg("13743", dup265); + +var msg16173 = msg("13744", dup265); + +var msg16174 = msg("13745", dup265); + +var msg16175 = msg("13746", dup265); + +var msg16176 = msg("13747", dup265); + +var msg16177 = msg("13748", dup265); + +var msg16178 = msg("13749", dup265); + +var msg16179 = msg("13750", dup265); + +var msg16180 = msg("13751", dup265); + +var msg16181 = msg("13752", dup265); + +var msg16182 = msg("13753", dup265); + +var msg16183 = msg("13754", dup265); + +var msg16184 = msg("13755", dup265); + +var msg16185 = msg("13756", dup265); + +var msg16186 = msg("13757", dup265); + +var msg16187 = msg("13758", dup265); + +var msg16188 = msg("13759", dup265); + +var msg16189 = msg("13760", dup265); + +var msg16190 = msg("13761", dup265); + +var msg16191 = msg("13762", dup303); + +var msg16192 = msg("13763", dup303); + +var msg16193 = msg("13764", dup303); + +var msg16194 = msg("13765", dup303); + +var msg16195 = msg("13766", dup303); + +var msg16196 = msg("13767", dup303); + +var msg16197 = msg("13768", dup303); + +var msg16198 = msg("13769", dup303); + +var msg16199 = msg("13770", dup303); + +var msg16200 = msg("13771", dup303); + +var msg16201 = msg("13772", dup303); + +var msg16202 = msg("13773", dup198); + +var msg16203 = msg("13774", dup192); + +var msg16204 = msg("13775", dup192); + +var msg16205 = msg("13776", dup303); + +var msg16206 = msg("13777", dup303); + +var msg16207 = msg("13778", dup303); + +var msg16208 = msg("13779", dup303); + +var msg16209 = msg("13780", dup303); + +var msg16210 = msg("13781", dup303); + +var msg16211 = msg("13782", dup303); + +var msg16212 = msg("13783", dup265); + +var msg16213 = msg("13784", dup265); + +var msg16214 = msg("13785", dup265); + +var msg16215 = msg("13786", dup265); + +var msg16216 = msg("13787", dup265); + +var msg16217 = msg("13788", dup265); + +var msg16218 = msg("13789", dup265); + +var msg16219 = msg("13790", dup267); + +var msg16220 = msg("13791", dup260); + +var msg16221 = msg("13797", dup196); + +var msg16222 = msg("13798", dup198); + +var msg16223 = msg("13799", dup267); + +var msg16224 = msg("13800", dup222); + +var msg16225 = msg("13801", dup196); + +var msg16226 = msg("13802", dup198); + +var msg16227 = msg("13803", dup267); + +var msg16228 = msg("13804", dup222); + +var msg16229 = msg("13805", dup287); + +var msg16230 = msg("13806", dup258); + +var msg16231 = msg("13807", dup267); + +var msg16232 = msg("13808", dup303); + +var msg16233 = msg("13809", dup303); + +var msg16234 = msg("13810", dup303); + +var msg16235 = msg("13811", dup303); + +var msg16236 = msg("13812", dup303); + +var msg16237 = msg("13813", dup303); + +var msg16238 = msg("13814", dup192); + +var msg16239 = msg("13815", dup192); + +var msg16240 = msg("13816", dup255); + +var msg16241 = msg("13817", dup255); + +var msg16242 = msg("13818", dup255); + +var msg16243 = msg("13819", dup267); + +var msg16244 = msg("13820", dup265); + +var msg16245 = msg("13821", dup265); + +var msg16246 = msg("13822", dup265); + +var msg16247 = msg("13823", dup267); + +var msg16248 = msg("13824", dup269); + +var msg16249 = msg("13825", dup198); + +var msg16250 = msg("13826", dup196); + +var msg16251 = msg("13827", dup198); + +var msg16252 = msg("13828", dup265); + +var msg16253 = msg("13829", dup265); + +var msg16254 = msg("13830", dup265); + +var msg16255 = msg("13831", dup265); + +var msg16256 = msg("13832", dup265); + +var msg16257 = msg("13833", dup265); + +var msg16258 = msg("13834", dup265); + +var msg16259 = msg("13835", dup198); + +var msg16260 = msg("13838", dup267); + +var msg16261 = msg("13839", dup196); + +var msg16262 = msg("13840", dup197); + +var msg16263 = msg("13841", dup197); + +var msg16264 = msg("13842", dup197); + +var msg16265 = msg("13843", dup197); + +var msg16266 = msg("13844", dup196); + +var msg16267 = msg("13845", dup196); + +var msg16268 = msg("13846", dup222); + +var msg16269 = msg("13847", dup303); + +var msg16270 = msg("13848", dup303); + +var msg16271 = msg("13849", dup303); + +var msg16272 = msg("13850", dup303); + +var msg16273 = msg("13851", dup303); + +var msg16274 = msg("13852", dup303); + +var msg16275 = msg("13853", dup303); + +var msg16276 = msg("13854", dup303); + +var msg16277 = msg("13855", dup303); + +var msg16278 = msg("13856", dup192); + +var msg16279 = msg("13857", dup265); + +var msg16280 = msg("13858", dup265); + +var msg16281 = msg("13859", dup265); + +var msg16282 = msg("13860", dup265); + +var msg16283 = msg("13861", dup196); + +var msg16284 = msg("13862", dup196); + +var msg16285 = msg("13863", dup301); + +var msg16286 = msg("13864", dup196); + +var msg16287 = msg("13865", dup267); + +var msg16288 = msg("13866", dup303); + +var msg16289 = msg("13867", dup303); + +var msg16290 = msg("13868", dup303); + +var msg16291 = msg("13869", dup303); + +var msg16292 = msg("13870", dup303); + +var msg16293 = msg("13871", dup303); + +var msg16294 = msg("13872", dup303); + +var msg16295 = msg("13873", dup303); + +var msg16296 = msg("13874", dup303); + +var msg16297 = msg("13875", dup303); + +var msg16298 = msg("13876", dup192); + +var msg16299 = msg("13877", dup192); + +var msg16300 = msg("13878", dup192); + +var msg16301 = msg("13879", dup269); + +var msg16302 = msg("13880", dup196); + +var msg16303 = msg("13881", dup196); + +var msg16304 = msg("13882", dup196); + +var msg16305 = msg("13883", dup265); + +var msg16306 = msg("13884", dup265); + +var msg16307 = msg("13885", dup265); + +var msg16308 = msg("13886", dup265); + +var msg16309 = msg("13887", dup196); + +var msg16310 = msg("13888", dup260); + +var msg16311 = msg("13889", dup260); + +var msg16312 = msg("13890", dup260); + +var msg16313 = msg("13891", dup240); + +var msg16314 = msg("13892", dup196); + +var msg16315 = msg("13893", dup265); + +var msg16316 = msg("13894", dup287); + +var msg16317 = msg("13895", dup201); + +var msg16318 = msg("13896", dup196); + +var msg16319 = msg("13897", dup222); + +var msg16320 = msg("13898", dup196); + +var msg16321 = msg("13899", dup196); + +var msg16322 = msg("13900", dup196); + +var msg16323 = msg("13901", dup276); + +var msg16324 = msg("13902", dup201); + +var msg16325 = msg("13903", dup265); + +var msg16326 = msg("13904", dup265); + +var msg16327 = msg("13905", dup265); + +var msg16328 = msg("13906", dup265); + +var msg16329 = msg("13907", dup265); + +var msg16330 = msg("13908", dup265); + +var msg16331 = msg("13909", dup265); + +var msg16332 = msg("13910", dup265); + +var msg16333 = msg("13911", dup265); + +var msg16334 = msg("13912", dup196); + +var msg16335 = msg("13913", dup265); + +var msg16336 = msg("13914", dup265); + +var msg16337 = msg("13915", dup265); + +var msg16338 = msg("13916", dup222); + +var msg16339 = msg("13917", dup267); + +var msg16340 = msg("13918", dup267); + +var msg16341 = msg("13919", dup267); + +var msg16342 = msg("13920", dup267); + +var msg16343 = msg("13921", dup196); + +var msg16344 = msg("13922", dup197); + +var msg16345 = msg("13923", dup198); + +var msg16346 = msg("13924", dup267); + +var msg16347 = msg("13925", dup222); + +var msg16348 = msg("13926", dup197); + +var msg16349 = msg("13927", dup295); + +var msg16350 = msg("13928", dup260); + +var msg16351 = msg("13929", dup260); + +var msg16352 = msg("13930", dup303); + +var msg16353 = msg("13931", dup303); + +var msg16354 = msg("13932", dup303); + +var msg16355 = msg("13933", dup303); + +var msg16356 = msg("13934", dup303); + +var msg16357 = msg("13935", dup303); + +var msg16358 = msg("13936", dup303); + +var msg16359 = msg("13937", dup303); + +var msg16360 = msg("13938", dup303); + +var msg16361 = msg("13939", dup303); + +var msg16362 = msg("13940", dup303); + +var msg16363 = msg("13941", dup192); + +var msg16364 = msg("13942", dup192); + +var msg16365 = msg("13943", dup303); + +var msg16366 = msg("13944", dup192); + +var msg16367 = msg("13945", dup192); + +var msg16368 = msg("13946", dup267); + +var msg16369 = msg("13947", dup267); + +var msg16370 = msg("13948", dup196); + +var msg16371 = msg("13949", dup196); + +var msg16372 = msg("13950", dup267); + +var msg16373 = msg("13951", dup267); + +var msg16374 = msg("13952", dup192); + +var msg16375 = msg("13953", dup192); + +var msg16376 = msg("13954", dup267); + +var msg16377 = msg("13958", dup267); + +var msg16378 = msg("13960", dup267); + +var msg16379 = msg("13961", dup267); + +var msg16380 = msg("13962", dup265); + +var msg16381 = msg("13963", dup267); + +var msg16382 = msg("13964", dup196); + +var msg16383 = msg("13965", dup265); + +var msg16384 = msg("13966", dup265); + +var msg16385 = msg("13967", dup265); + +var msg16386 = msg("13968", dup265); + +var msg16387 = msg("13969", dup267); + +var msg16388 = msg("13970", dup192); + +var msg16389 = msg("13971", dup267); + +var msg16390 = msg("13972", dup269); + +var msg16391 = msg("13973", dup267); + +var msg16392 = msg("13974", dup265); + +var msg16393 = msg("13975", dup265); + +var msg16394 = msg("13976", dup265); + +var msg16395 = msg("13977", dup265); + +var msg16396 = msg("13978", dup265); + +var msg16397 = msg("13979", dup265); + +var msg16398 = msg("13980", dup267); + +var msg16399 = msg("13981", dup269); + +var msg16400 = msg("13982", dup265); + +var msg16401 = msg("13983", dup196); + +var msg16402 = msg("13984", dup255); + +var msg16403 = msg("13985", dup255); + +var msg16404 = msg("13986", dup255); + +var msg16405 = msg("13987", dup260); + +var msg16406 = msg("13988", dup260); + +var msg16407 = msg("13989", dup260); + +var msg16408 = msg("13990", dup260); + +var msg16409 = msg("13991", dup240); + +var msg16410 = msg("13992", dup240); + +var msg16411 = msg("13993", dup240); + +var msg16412 = msg("13994", dup240); + +var msg16413 = msg("13995", dup240); + +var msg16414 = msg("13996", dup240); + +var msg16415 = msg("13997", dup240); + +var msg16416 = msg("13998", dup240); + +var msg16417 = msg("13999", dup260); + +var msg16418 = msg("14000", dup260); + +var msg16419 = msg("14001", dup260); + +var msg16420 = msg("14002", dup260); + +var msg16421 = msg("14003", dup260); + +var msg16422 = msg("14004", dup260); + +var msg16423 = msg("14005", dup260); + +var msg16424 = msg("14006", dup260); + +var msg16425 = msg("14007", dup260); + +var msg16426 = msg("14008", dup260); + +var msg16427 = msg("14013", dup265); + +var msg16428 = msg("14014", dup265); + +var msg16429 = msg("14015", dup265); + +var msg16430 = msg("14016", dup265); + +var msg16431 = msg("14017", dup196); + +var msg16432 = msg("14018", dup196); + +var msg16433 = msg("14019", dup267); + +var msg16434 = msg("14020", dup267); + +var msg16435 = msg("14021", dup265); + +var msg16436 = msg("14022", dup265); + +var msg16437 = msg("14023", dup265); + +var msg16438 = msg("14024", dup265); + +var msg16439 = msg("14025", dup265); + +var msg16440 = msg("14026", dup265); + +var msg16441 = msg("14027", dup265); + +var msg16442 = msg("14028", dup265); + +var msg16443 = msg("14029", dup265); + +var msg16444 = msg("14030", dup265); + +var msg16445 = msg("14031", dup265); + +var msg16446 = msg("14032", dup265); + +var msg16447 = msg("14033", dup265); + +var msg16448 = msg("14034", dup265); + +var msg16449 = msg("14035", dup265); + +var msg16450 = msg("14036", dup265); + +var msg16451 = msg("14037", dup201); + +var msg16452 = msg("14038", dup201); + +var msg16453 = msg("14039", dup222); + +var msg16454 = msg("14040", dup222); + +var msg16455 = msg("14041", dup222); + +var msg16456 = msg("14042", dup265); + +var msg16457 = msg("14043", dup265); + +var msg16458 = msg("14044", dup265); + +var msg16459 = msg("14045", dup265); + +var msg16460 = msg("14046", dup265); + +var msg16461 = msg("14047", dup265); + +var msg16462 = msg("14048", dup265); + +var msg16463 = msg("14049", dup265); + +var msg16464 = msg("14050", dup265); + +var msg16465 = msg("14051", dup265); + +var msg16466 = msg("14052", dup265); + +var msg16467 = msg("14053", dup265); + +var msg16468 = msg("14054", dup303); + +var msg16469 = msg("14055", dup303); + +var msg16470 = msg("14056", dup303); + +var msg16471 = msg("14057", dup303); + +var msg16472 = msg("14058", dup303); + +var msg16473 = msg("14059", dup303); + +var msg16474 = msg("14060", dup303); + +var msg16475 = msg("14061", dup303); + +var msg16476 = msg("14062", dup303); + +var msg16477 = msg("14063", dup303); + +var msg16478 = msg("14064", dup303); + +var msg16479 = msg("14065", dup303); + +var msg16480 = msg("14066", dup303); + +var msg16481 = msg("14067", dup303); + +var msg16482 = msg("14068", dup303); + +var msg16483 = msg("14069", dup303); + +var msg16484 = msg("14070", dup303); + +var msg16485 = msg("14071", dup303); + +var msg16486 = msg("14072", dup303); + +var msg16487 = msg("14073", dup303); + +var msg16488 = msg("14074", dup303); + +var msg16489 = msg("14075", dup303); + +var msg16490 = msg("14076", dup303); + +var msg16491 = msg("14077", dup303); + +var msg16492 = msg("14078", dup303); + +var msg16493 = msg("14079", dup303); + +var msg16494 = msg("14080", dup303); + +var msg16495 = msg("14081", dup192); + +var msg16496 = msg("14082", dup192); + +var msg16497 = msg("14083", dup192); + +var msg16498 = msg("14084", dup192); + +var msg16499 = msg("14085", dup192); + +var msg16500 = msg("14086", dup192); + +var msg16501 = msg("14087", dup192); + +var msg16502 = msg("14088", dup265); + +var msg16503 = msg("14089", dup265); + +var msg16504 = msg("14090", dup265); + +var msg16505 = msg("14091", dup265); + +var msg16506 = msg("14092", dup265); + +var msg16507 = msg("14093", dup265); + +var msg16508 = msg("14094", dup265); + +var msg16509 = msg("14095", dup265); + +var msg16510 = msg("14096", dup265); + +var msg16511 = msg("14097", dup265); + +var msg16512 = msg("14098", dup265); + +var msg16513 = msg("14099", dup265); + +var msg16514 = msg("14100", dup265); + +var msg16515 = msg("14101", dup265); + +var msg16516 = msg("14102", dup265); + +var msg16517 = msg("14103", dup265); + +var msg16518 = msg("14104", dup265); + +var msg16519 = msg("14105", dup265); + +var msg16520 = msg("14106", dup265); + +var msg16521 = msg("14107", dup265); + +var msg16522 = msg("14108", dup265); + +var msg16523 = msg("14109", dup265); + +var msg16524 = msg("14110", dup265); + +var msg16525 = msg("14111", dup265); + +var msg16526 = msg("14112", dup265); + +var msg16527 = msg("14113", dup265); + +var msg16528 = msg("14114", dup265); + +var msg16529 = msg("14115", dup265); + +var msg16530 = msg("14116", dup265); + +var msg16531 = msg("14117", dup265); + +var msg16532 = msg("14118", dup265); + +var msg16533 = msg("14119", dup265); + +var msg16534 = msg("14120", dup265); + +var msg16535 = msg("14121", dup265); + +var msg16536 = msg("14122", dup265); + +var msg16537 = msg("14123", dup265); + +var msg16538 = msg("14124", dup265); + +var msg16539 = msg("14125", dup265); + +var msg16540 = msg("14126", dup265); + +var msg16541 = msg("14127", dup265); + +var msg16542 = msg("14128", dup265); + +var msg16543 = msg("14129", dup265); + +var msg16544 = msg("14130", dup265); + +var msg16545 = msg("14131", dup265); + +var msg16546 = msg("14132", dup265); + +var msg16547 = msg("14133", dup265); + +var msg16548 = msg("14134", dup265); + +var msg16549 = msg("14135", dup265); + +var msg16550 = msg("14136", dup265); + +var msg16551 = msg("14137", dup265); + +var msg16552 = msg("14138", dup265); + +var msg16553 = msg("14139", dup265); + +var msg16554 = msg("14140", dup265); + +var msg16555 = msg("14141", dup265); + +var msg16556 = msg("14142", dup265); + +var msg16557 = msg("14143", dup265); + +var msg16558 = msg("14144", dup265); + +var msg16559 = msg("14145", dup265); + +var msg16560 = msg("14146", dup265); + +var msg16561 = msg("14147", dup265); + +var msg16562 = msg("14148", dup265); + +var msg16563 = msg("14149", dup265); + +var msg16564 = msg("14150", dup265); + +var msg16565 = msg("14151", dup265); + +var msg16566 = msg("14152", dup265); + +var msg16567 = msg("14153", dup265); + +var msg16568 = msg("14154", dup265); + +var msg16569 = msg("14155", dup265); + +var msg16570 = msg("14156", dup265); + +var msg16571 = msg("14157", dup265); + +var msg16572 = msg("14158", dup265); + +var msg16573 = msg("14159", dup265); + +var msg16574 = msg("14160", dup265); + +var msg16575 = msg("14161", dup265); + +var msg16576 = msg("14162", dup265); + +var msg16577 = msg("14163", dup265); + +var msg16578 = msg("14164", dup265); + +var msg16579 = msg("14165", dup265); + +var msg16580 = msg("14166", dup265); + +var msg16581 = msg("14167", dup265); + +var msg16582 = msg("14168", dup265); + +var msg16583 = msg("14169", dup265); + +var msg16584 = msg("14170", dup265); + +var msg16585 = msg("14171", dup265); + +var msg16586 = msg("14172", dup265); + +var msg16587 = msg("14173", dup265); + +var msg16588 = msg("14174", dup265); + +var msg16589 = msg("14175", dup265); + +var msg16590 = msg("14176", dup265); + +var msg16591 = msg("14177", dup265); + +var msg16592 = msg("14178", dup265); + +var msg16593 = msg("14179", dup265); + +var msg16594 = msg("14180", dup265); + +var msg16595 = msg("14181", dup265); + +var msg16596 = msg("14182", dup265); + +var msg16597 = msg("14183", dup265); + +var msg16598 = msg("14184", dup265); + +var msg16599 = msg("14185", dup265); + +var msg16600 = msg("14186", dup265); + +var msg16601 = msg("14187", dup265); + +var msg16602 = msg("14188", dup265); + +var msg16603 = msg("14189", dup265); + +var msg16604 = msg("14190", dup265); + +var msg16605 = msg("14191", dup265); + +var msg16606 = msg("14192", dup265); + +var msg16607 = msg("14193", dup265); + +var msg16608 = msg("14194", dup265); + +var msg16609 = msg("14195", dup265); + +var msg16610 = msg("14196", dup265); + +var msg16611 = msg("14197", dup265); + +var msg16612 = msg("14198", dup265); + +var msg16613 = msg("14199", dup265); + +var msg16614 = msg("14200", dup265); + +var msg16615 = msg("14201", dup265); + +var msg16616 = msg("14202", dup265); + +var msg16617 = msg("14203", dup265); + +var msg16618 = msg("14204", dup265); + +var msg16619 = msg("14205", dup265); + +var msg16620 = msg("14206", dup265); + +var msg16621 = msg("14207", dup265); + +var msg16622 = msg("14208", dup265); + +var msg16623 = msg("14209", dup265); + +var msg16624 = msg("14210", dup265); + +var msg16625 = msg("14211", dup265); + +var msg16626 = msg("14212", dup265); + +var msg16627 = msg("14213", dup265); + +var msg16628 = msg("14214", dup265); + +var msg16629 = msg("14215", dup265); + +var msg16630 = msg("14216", dup265); + +var msg16631 = msg("14217", dup265); + +var msg16632 = msg("14218", dup265); + +var msg16633 = msg("14219", dup265); + +var msg16634 = msg("14220", dup265); + +var msg16635 = msg("14221", dup265); + +var msg16636 = msg("14222", dup265); + +var msg16637 = msg("14223", dup265); + +var msg16638 = msg("14224", dup265); + +var msg16639 = msg("14225", dup265); + +var msg16640 = msg("14226", dup265); + +var msg16641 = msg("14227", dup265); + +var msg16642 = msg("14228", dup265); + +var msg16643 = msg("14229", dup265); + +var msg16644 = msg("14230", dup222); + +var msg16645 = msg("14231", dup265); + +var msg16646 = msg("14232", dup265); + +var msg16647 = msg("14233", dup265); + +var msg16648 = msg("14234", dup265); + +var msg16649 = msg("14235", dup265); + +var msg16650 = msg("14236", dup265); + +var msg16651 = msg("14237", dup265); + +var msg16652 = msg("14238", dup265); + +var msg16653 = msg("14239", dup265); + +var msg16654 = msg("14240", dup265); + +var msg16655 = msg("14241", dup265); + +var msg16656 = msg("14242", dup265); + +var msg16657 = msg("14243", dup265); + +var msg16658 = msg("14244", dup265); + +var msg16659 = msg("14245", dup265); + +var msg16660 = msg("14246", dup265); + +var msg16661 = msg("14247", dup265); + +var msg16662 = msg("14248", dup265); + +var msg16663 = msg("14249", dup265); + +var msg16664 = msg("14250", dup265); + +var msg16665 = msg("14251", dup222); + +var msg16666 = msg("14252", dup269); + +var msg16667 = msg("14253", dup269); + +var msg16668 = msg("14254", dup269); + +var msg16669 = msg("14255", dup265); + +var msg16670 = msg("14256", dup265); + +var msg16671 = msg("14257", dup265); + +var msg16672 = msg("14258", dup265); + +var msg16673 = msg("14259", dup267); + +var msg16674 = msg("14260", dup267); + +var msg16675 = msg("14261", dup267); + +var msg16676 = msg("14262", dup267); + +var msg16677 = msg("14263", dup222); + +var msg16678 = msg("14264", dup196); + +var msg16679 = msg("14265", dup305); + +var msg16680 = msg("14266", dup265); + +var msg16681 = msg("14267", dup265); + +var msg16682 = msg("14268", dup265); + +var msg16683 = msg("14269", dup265); + +var msg16684 = msg("14270", dup265); + +var msg16685 = msg("14271", dup265); + +var msg16686 = msg("14272", dup265); + +var msg16687 = msg("14273", dup265); + +var msg16688 = msg("14274", dup265); + +var msg16689 = msg("14275", dup265); + +var msg16690 = msg("14276", dup265); + +var msg16691 = msg("14277", dup265); + +var msg16692 = msg("14278", dup265); + +var msg16693 = msg("14279", dup265); + +var msg16694 = msg("14280", dup265); + +var msg16695 = msg("14281", dup265); + +var msg16696 = msg("14282", dup265); + +var msg16697 = msg("14283", dup265); + +var msg16698 = msg("14284", dup265); + +var msg16699 = msg("14285", dup265); + +var msg16700 = msg("14286", dup265); + +var msg16701 = msg("14287", dup265); + +var msg16702 = msg("14288", dup265); + +var msg16703 = msg("14289", dup265); + +var msg16704 = msg("14290", dup265); + +var msg16705 = msg("14291", dup265); + +var msg16706 = msg("14292", dup265); + +var msg16707 = msg("14293", dup265); + +var msg16708 = msg("14294", dup265); + +var msg16709 = msg("14295", dup265); + +var msg16710 = msg("14296", dup265); + +var msg16711 = msg("14297", dup265); + +var msg16712 = msg("14298", dup265); + +var msg16713 = msg("14299", dup265); + +var msg16714 = msg("14300", dup265); + +var msg16715 = msg("14301", dup265); + +var msg16716 = msg("14302", dup265); + +var msg16717 = msg("14303", dup265); + +var msg16718 = msg("14304", dup265); + +var msg16719 = msg("14305", dup265); + +var msg16720 = msg("14306", dup265); + +var msg16721 = msg("14307", dup265); + +var msg16722 = msg("14308", dup265); + +var msg16723 = msg("14309", dup265); + +var msg16724 = msg("14310", dup265); + +var msg16725 = msg("14311", dup265); + +var msg16726 = msg("14312", dup265); + +var msg16727 = msg("14313", dup265); + +var msg16728 = msg("14314", dup265); + +var msg16729 = msg("14315", dup265); + +var msg16730 = msg("14316", dup267); + +var msg16731 = msg("14317", dup267); + +var msg16732 = msg("14318", dup267); + +var msg16733 = msg("14319", dup267); + +var msg16734 = msg("14320", dup265); + +var msg16735 = msg("14321", dup265); + +var msg16736 = msg("14322", dup265); + +var msg16737 = msg("14323", dup265); + +var msg16738 = msg("14324", dup265); + +var msg16739 = msg("14325", dup265); + +var msg16740 = msg("14326", dup265); + +var msg16741 = msg("14327", dup265); + +var msg16742 = msg("14328", dup265); + +var msg16743 = msg("14329", dup265); + +var msg16744 = msg("14330", dup265); + +var msg16745 = msg("14331", dup265); + +var msg16746 = msg("14332", dup265); + +var msg16747 = msg("14333", dup265); + +var msg16748 = msg("14334", dup265); + +var msg16749 = msg("14335", dup265); + +var msg16750 = msg("14336", dup265); + +var msg16751 = msg("14337", dup265); + +var msg16752 = msg("14338", dup265); + +var msg16753 = msg("14339", dup265); + +var msg16754 = msg("14340", dup265); + +var msg16755 = msg("14341", dup265); + +var msg16756 = msg("14342", dup265); + +var msg16757 = msg("14343", dup265); + +var msg16758 = msg("14344", dup265); + +var msg16759 = msg("14345", dup265); + +var msg16760 = msg("14346", dup265); + +var msg16761 = msg("14347", dup265); + +var msg16762 = msg("14348", dup265); + +var msg16763 = msg("14349", dup265); + +var msg16764 = msg("14350", dup265); + +var msg16765 = msg("14351", dup265); + +var msg16766 = msg("14352", dup265); + +var msg16767 = msg("14353", dup265); + +var msg16768 = msg("14354", dup265); + +var msg16769 = msg("14355", dup265); + +var msg16770 = msg("14356", dup265); + +var msg16771 = msg("14357", dup265); + +var msg16772 = msg("14358", dup265); + +var msg16773 = msg("14359", dup265); + +var msg16774 = msg("14360", dup265); + +var msg16775 = msg("14361", dup265); + +var msg16776 = msg("14362", dup265); + +var msg16777 = msg("14363", dup265); + +var msg16778 = msg("14364", dup265); + +var msg16779 = msg("14365", dup265); + +var msg16780 = msg("14366", dup265); + +var msg16781 = msg("14367", dup265); + +var msg16782 = msg("14368", dup265); + +var msg16783 = msg("14369", dup265); + +var msg16784 = msg("14370", dup265); + +var msg16785 = msg("14371", dup265); + +var msg16786 = msg("14372", dup265); + +var msg16787 = msg("14373", dup265); + +var msg16788 = msg("14374", dup265); + +var msg16789 = msg("14375", dup265); + +var msg16790 = msg("14376", dup265); + +var msg16791 = msg("14377", dup265); + +var msg16792 = msg("14378", dup265); + +var msg16793 = msg("14379", dup265); + +var msg16794 = msg("14380", dup265); + +var msg16795 = msg("14381", dup265); + +var msg16796 = msg("14382", dup265); + +var msg16797 = msg("14383", dup265); + +var msg16798 = msg("14384", dup265); + +var msg16799 = msg("14385", dup265); + +var msg16800 = msg("14386", dup265); + +var msg16801 = msg("14387", dup265); + +var msg16802 = msg("14388", dup265); + +var msg16803 = msg("14389", dup265); + +var msg16804 = msg("14390", dup265); + +var msg16805 = msg("14391", dup265); + +var msg16806 = msg("14392", dup265); + +var msg16807 = msg("14393", dup265); + +var msg16808 = msg("14394", dup265); + +var msg16809 = msg("14395", dup265); + +var msg16810 = msg("14396", dup265); + +var msg16811 = msg("14397", dup265); + +var msg16812 = msg("14398", dup265); + +var msg16813 = msg("14399", dup265); + +var msg16814 = msg("14400", dup265); + +var msg16815 = msg("14401", dup265); + +var msg16816 = msg("14402", dup265); + +var msg16817 = msg("14403", dup265); + +var msg16818 = msg("14404", dup265); + +var msg16819 = msg("14405", dup265); + +var msg16820 = msg("14406", dup265); + +var msg16821 = msg("14407", dup265); + +var msg16822 = msg("14408", dup265); + +var msg16823 = msg("14409", dup265); + +var msg16824 = msg("14410", dup265); + +var msg16825 = msg("14411", dup265); + +var msg16826 = msg("14412", dup265); + +var msg16827 = msg("14413", dup265); + +var msg16828 = msg("14414", dup265); + +var msg16829 = msg("14415", dup265); + +var msg16830 = msg("14416", dup265); + +var msg16831 = msg("14417", dup265); + +var msg16832 = msg("14418", dup265); + +var msg16833 = msg("14419", dup265); + +var msg16834 = msg("14420", dup265); + +var msg16835 = msg("14421", dup265); + +var msg16836 = msg("14422", dup265); + +var msg16837 = msg("14423", dup265); + +var msg16838 = msg("14424", dup265); + +var msg16839 = msg("14425", dup265); + +var msg16840 = msg("14426", dup265); + +var msg16841 = msg("14427", dup265); + +var msg16842 = msg("14428", dup265); + +var msg16843 = msg("14429", dup265); + +var msg16844 = msg("14430", dup265); + +var msg16845 = msg("14431", dup265); + +var msg16846 = msg("14432", dup265); + +var msg16847 = msg("14433", dup265); + +var msg16848 = msg("14434", dup265); + +var msg16849 = msg("14435", dup265); + +var msg16850 = msg("14436", dup265); + +var msg16851 = msg("14437", dup265); + +var msg16852 = msg("14438", dup265); + +var msg16853 = msg("14439", dup265); + +var msg16854 = msg("14440", dup265); + +var msg16855 = msg("14441", dup265); + +var msg16856 = msg("14442", dup265); + +var msg16857 = msg("14443", dup265); + +var msg16858 = msg("14444", dup265); + +var msg16859 = msg("14445", dup265); + +var msg16860 = msg("14446", dup265); + +var msg16861 = msg("14447", dup265); + +var msg16862 = msg("14448", dup265); + +var msg16863 = msg("14449", dup265); + +var msg16864 = msg("14450", dup265); + +var msg16865 = msg("14451", dup265); + +var msg16866 = msg("14452", dup265); + +var msg16867 = msg("14453", dup265); + +var msg16868 = msg("14454", dup265); + +var msg16869 = msg("14455", dup265); + +var msg16870 = msg("14456", dup265); + +var msg16871 = msg("14457", dup265); + +var msg16872 = msg("14458", dup265); + +var msg16873 = msg("14459", dup265); + +var msg16874 = msg("14460", dup265); + +var msg16875 = msg("14461", dup265); + +var msg16876 = msg("14462", dup265); + +var msg16877 = msg("14463", dup265); + +var msg16878 = msg("14464", dup265); + +var msg16879 = msg("14465", dup265); + +var msg16880 = msg("14466", dup265); + +var msg16881 = msg("14467", dup265); + +var msg16882 = msg("14468", dup265); + +var msg16883 = msg("14469", dup265); + +var msg16884 = msg("14470", dup265); + +var msg16885 = msg("14471", dup265); + +var msg16886 = msg("14472", dup265); + +var msg16887 = msg("14473", dup265); + +var msg16888 = msg("14474", dup265); + +var msg16889 = msg("14475", dup265); + +var msg16890 = msg("14476", dup265); + +var msg16891 = msg("14477", dup265); + +var msg16892 = msg("14478", dup265); + +var msg16893 = msg("14479", dup265); + +var msg16894 = msg("14480", dup265); + +var msg16895 = msg("14481", dup265); + +var msg16896 = msg("14482", dup265); + +var msg16897 = msg("14483", dup265); + +var msg16898 = msg("14484", dup265); + +var msg16899 = msg("14485", dup265); + +var msg16900 = msg("14486", dup265); + +var msg16901 = msg("14487", dup265); + +var msg16902 = msg("14488", dup265); + +var msg16903 = msg("14489", dup265); + +var msg16904 = msg("14490", dup265); + +var msg16905 = msg("14491", dup265); + +var msg16906 = msg("14492", dup265); + +var msg16907 = msg("14493", dup265); + +var msg16908 = msg("14494", dup265); + +var msg16909 = msg("14495", dup265); + +var msg16910 = msg("14496", dup265); + +var msg16911 = msg("14497", dup265); + +var msg16912 = msg("14498", dup265); + +var msg16913 = msg("14499", dup265); + +var msg16914 = msg("14500", dup265); + +var msg16915 = msg("14501", dup265); + +var msg16916 = msg("14502", dup265); + +var msg16917 = msg("14503", dup265); + +var msg16918 = msg("14504", dup265); + +var msg16919 = msg("14505", dup265); + +var msg16920 = msg("14506", dup265); + +var msg16921 = msg("14507", dup265); + +var msg16922 = msg("14508", dup265); + +var msg16923 = msg("14509", dup265); + +var msg16924 = msg("14510", dup265); + +var msg16925 = msg("14511", dup265); + +var msg16926 = msg("14512", dup265); + +var msg16927 = msg("14513", dup265); + +var msg16928 = msg("14514", dup265); + +var msg16929 = msg("14515", dup265); + +var msg16930 = msg("14516", dup265); + +var msg16931 = msg("14517", dup265); + +var msg16932 = msg("14518", dup265); + +var msg16933 = msg("14519", dup265); + +var msg16934 = msg("14520", dup265); + +var msg16935 = msg("14521", dup265); + +var msg16936 = msg("14522", dup265); + +var msg16937 = msg("14523", dup265); + +var msg16938 = msg("14524", dup265); + +var msg16939 = msg("14525", dup265); + +var msg16940 = msg("14526", dup265); + +var msg16941 = msg("14527", dup265); + +var msg16942 = msg("14528", dup265); + +var msg16943 = msg("14529", dup265); + +var msg16944 = msg("14530", dup265); + +var msg16945 = msg("14531", dup265); + +var msg16946 = msg("14532", dup265); + +var msg16947 = msg("14533", dup265); + +var msg16948 = msg("14534", dup265); + +var msg16949 = msg("14535", dup265); + +var msg16950 = msg("14536", dup265); + +var msg16951 = msg("14537", dup265); + +var msg16952 = msg("14538", dup265); + +var msg16953 = msg("14539", dup265); + +var msg16954 = msg("14540", dup265); + +var msg16955 = msg("14541", dup265); + +var msg16956 = msg("14542", dup265); + +var msg16957 = msg("14543", dup265); + +var msg16958 = msg("14544", dup265); + +var msg16959 = msg("14545", dup265); + +var msg16960 = msg("14546", dup265); + +var msg16961 = msg("14547", dup265); + +var msg16962 = msg("14548", dup265); + +var msg16963 = msg("14549", dup265); + +var msg16964 = msg("14550", dup265); + +var msg16965 = msg("14551", dup265); + +var msg16966 = msg("14552", dup265); + +var msg16967 = msg("14553", dup265); + +var msg16968 = msg("14554", dup265); + +var msg16969 = msg("14555", dup265); + +var msg16970 = msg("14556", dup265); + +var msg16971 = msg("14557", dup265); + +var msg16972 = msg("14558", dup265); + +var msg16973 = msg("14559", dup265); + +var msg16974 = msg("14560", dup265); + +var msg16975 = msg("14561", dup265); + +var msg16976 = msg("14562", dup265); + +var msg16977 = msg("14563", dup265); + +var msg16978 = msg("14564", dup265); + +var msg16979 = msg("14565", dup265); + +var msg16980 = msg("14566", dup265); + +var msg16981 = msg("14567", dup265); + +var msg16982 = msg("14568", dup265); + +var msg16983 = msg("14569", dup265); + +var msg16984 = msg("14570", dup265); + +var msg16985 = msg("14571", dup265); + +var msg16986 = msg("14572", dup265); + +var msg16987 = msg("14573", dup265); + +var msg16988 = msg("14574", dup265); + +var msg16989 = msg("14575", dup265); + +var msg16990 = msg("14576", dup265); + +var msg16991 = msg("14577", dup265); + +var msg16992 = msg("14578", dup265); + +var msg16993 = msg("14579", dup265); + +var msg16994 = msg("14580", dup265); + +var msg16995 = msg("14581", dup265); + +var msg16996 = msg("14582", dup265); + +var msg16997 = msg("14583", dup265); + +var msg16998 = msg("14584", dup265); + +var msg16999 = msg("14585", dup265); + +var msg17000 = msg("14586", dup265); + +var msg17001 = msg("14587", dup265); + +var msg17002 = msg("14588", dup265); + +var msg17003 = msg("14589", dup265); + +var msg17004 = msg("14590", dup265); + +var msg17005 = msg("14591", dup265); + +var msg17006 = msg("14592", dup265); + +var msg17007 = msg("14593", dup265); + +var msg17008 = msg("14594", dup265); + +var msg17009 = msg("14595", dup265); + +var msg17010 = msg("14596", dup265); + +var msg17011 = msg("14597", dup265); + +var msg17012 = msg("14598", dup265); + +var msg17013 = msg("14599", dup265); + +var msg17014 = msg("14600", dup222); + +var msg17015 = msg("14601", dup222); + +var msg17016 = msg("14602", dup222); + +var msg17017 = msg("14603", dup265); + +var msg17018 = msg("14604", dup265); + +var msg17019 = msg("14605", dup265); + +var msg17020 = msg("14606", dup265); + +var msg17021 = msg("14607", dup222); + +var msg17022 = msg("14608", dup197); + +var msg17023 = msg("14609", dup197); + +var msg17024 = msg("14610", dup265); + +var msg17025 = msg("14611", dup265); + +var msg17026 = msg("14612", dup265); + +var msg17027 = msg("14613", dup265); + +var msg17028 = msg("14614", dup265); + +var msg17029 = msg("14615", dup196); + +var msg17030 = msg("14616", dup201); + +var msg17031 = msg("14617", dup201); + +var msg17032 = msg("14618", dup201); + +var msg17033 = msg("14619", dup201); + +var msg17034 = msg("14620", dup201); + +var msg17035 = msg("14621", dup201); + +var msg17036 = msg("14622", dup201); + +var msg17037 = msg("14623", dup201); + +var msg17038 = msg("14624", dup201); + +var msg17039 = msg("14625", dup201); + +var msg17040 = msg("14626", dup201); + +var msg17041 = msg("14627", dup201); + +var msg17042 = msg("14628", dup265); + +var msg17043 = msg("14629", dup265); + +var msg17044 = msg("14630", dup265); + +var msg17045 = msg("14631", dup265); + +var msg17046 = msg("14632", dup265); + +var msg17047 = msg("14633", dup265); + +var msg17048 = msg("14634", dup265); + +var msg17049 = msg("14635", dup265); + +var msg17050 = msg("14636", dup265); + +var msg17051 = msg("14637", dup265); + +var msg17052 = msg("14638", dup265); + +var msg17053 = msg("14639", dup265); + +var msg17054 = msg("14640", dup265); + +var msg17055 = msg("14641", dup267); + +var msg17056 = msg("14642", dup196); + +var msg17057 = msg("14643", dup267); + +var msg17058 = msg("14644", dup196); + +var msg17059 = msg("14645", dup267); + +var msg17060 = msg("14646", dup198); + +var msg17061 = msg("14647", dup276); + +var msg17062 = msg("14648", dup276); + +var msg17063 = msg("14649", dup276); + +var msg17064 = msg("14650", dup276); + +var msg17065 = msg("14651", dup276); + +var msg17066 = msg("14652", dup276); + +var msg17067 = msg("14653", dup276); + +var msg17068 = msg("14654", dup276); + +var msg17069 = msg("14655", dup265); + +var msg17070 = msg("14656", dup265); + +var msg17071 = msg("14657", dup265); + +var msg17072 = msg("14661", dup276); + +var msg17073 = msg("14662", dup306); + +var msg17074 = msg("14663", dup306); + +var msg17075 = msg("14664", dup306); + +var msg17076 = msg("14665", dup306); + +var msg17077 = msg("14666", dup306); + +var msg17078 = msg("14667", dup306); + +var msg17079 = msg("14668", dup306); + +var msg17080 = msg("14669", dup306); + +var msg17081 = msg("14670", dup306); + +var msg17082 = msg("14671", dup306); + +var msg17083 = msg("14672", dup306); + +var msg17084 = msg("14673", dup306); + +var msg17085 = msg("14674", dup306); + +var msg17086 = msg("14675", dup306); + +var msg17087 = msg("14676", dup306); + +var msg17088 = msg("14677", dup306); + +var msg17089 = msg("14678", dup306); + +var msg17090 = msg("14679", dup306); + +var msg17091 = msg("14680", dup306); + +var msg17092 = msg("14681", dup306); + +var msg17093 = msg("14682", dup306); + +var msg17094 = msg("14683", dup306); + +var msg17095 = msg("14684", dup306); + +var msg17096 = msg("14685", dup306); + +var msg17097 = msg("14686", dup306); + +var msg17098 = msg("14687", dup306); + +var msg17099 = msg("14688", dup306); + +var msg17100 = msg("14689", dup306); + +var msg17101 = msg("14690", dup306); + +var msg17102 = msg("14691", dup306); + +var msg17103 = msg("14692", dup306); + +var msg17104 = msg("14693", dup306); + +var msg17105 = msg("14694", dup306); + +var msg17106 = msg("14695", dup306); + +var msg17107 = msg("14696", dup306); + +var msg17108 = msg("14697", dup306); + +var msg17109 = msg("14698", dup306); + +var msg17110 = msg("14699", dup306); + +var msg17111 = msg("14700", dup306); + +var msg17112 = msg("14701", dup306); + +var msg17113 = msg("14702", dup306); + +var msg17114 = msg("14703", dup306); + +var msg17115 = msg("14704", dup306); + +var msg17116 = msg("14705", dup306); + +var msg17117 = msg("14706", dup306); + +var msg17118 = msg("14707", dup306); + +var msg17119 = msg("14708", dup306); + +var msg17120 = msg("14709", dup276); + +var msg17121 = msg("14710", dup276); + +var msg17122 = msg("14711", dup276); + +var msg17123 = msg("14712", dup276); + +var msg17124 = msg("14713", dup276); + +var msg17125 = msg("14714", dup276); + +var msg17126 = msg("14715", dup276); + +var msg17127 = msg("14716", dup276); + +var msg17128 = msg("14717", dup276); + +var msg17129 = msg("14718", dup276); + +var msg17130 = msg("14719", dup276); + +var msg17131 = msg("14720", dup276); + +var msg17132 = msg("14721", dup276); + +var msg17133 = msg("14722", dup276); + +var msg17134 = msg("14723", dup276); + +var msg17135 = msg("14724", dup276); + +var msg17136 = msg("14725", dup201); + +var msg17137 = msg("14726", dup201); + +var msg17138 = msg("14727", dup307); + +var msg17139 = msg("14728", dup307); + +var msg17140 = msg("14729", dup307); + +var msg17141 = msg("14730", dup307); + +var msg17142 = msg("14731", dup307); + +var msg17143 = msg("14732", dup307); + +var msg17144 = msg("14733", dup307); + +var msg17145 = msg("14734", dup307); + +var msg17146 = msg("14735", dup307); + +var msg17147 = msg("14736", dup307); + +var msg17148 = msg("14737", dup276); + +var msg17149 = msg("14738", dup308); + +var msg17150 = msg("14739", dup308); + +var msg17151 = msg("14740", dup308); + +var msg17152 = msg("14741", dup273); + +var msg17153 = msg("14742", dup198); + +var msg17154 = msg("14743", dup227); + +var msg17155 = msg("14744", dup265); + +var msg17156 = msg("14745", dup265); + +var msg17157 = msg("14746", dup265); + +var msg17158 = msg("14747", dup265); + +var msg17159 = msg("14748", dup265); + +var msg17160 = msg("14749", dup265); + +var msg17161 = msg("14750", dup265); + +var msg17162 = msg("14751", dup265); + +var msg17163 = msg("14752", dup265); + +var msg17164 = msg("14753", dup265); + +var msg17165 = msg("14754", dup265); + +var msg17166 = msg("14755", dup265); + +var msg17167 = msg("14756", dup240); + +var msg17168 = msg("14757", dup240); + +var msg17169 = msg("14758", dup240); + +var msg17170 = msg("14759", dup240); + +var msg17171 = msg("14760", dup265); + +var msg17172 = msg("14761", dup265); + +var msg17173 = msg("14762", dup265); + +var msg17174 = msg("14763", dup265); + +var msg17175 = msg("14764", dup265); + +var msg17176 = msg("14765", dup265); + +var msg17177 = msg("14766", dup265); + +var msg17178 = msg("14767", dup265); + +var msg17179 = msg("14768", dup285); + +var msg17180 = msg("14769", dup222); + +var msg17181 = msg("14770", dup287); + +var msg17182 = msg("14771", dup197); + +var msg17183 = msg("14772", dup198); + +var msg17184 = msg("14773", dup222); + +var msg17185 = msg("14774", dup196); + +var msg17186 = msg("14775", dup196); + +var msg17187 = msg("14776", dup201); + +var msg17188 = msg("14777", dup196); + +var msg17189 = msg("14778", dup265); + +var msg17190 = msg("14779", dup265); + +var msg17191 = msg("14780", dup265); + +var msg17192 = msg("14781", dup265); + +var msg17193 = msg("14782", dup201); + +var msg17194 = msg("14783", dup201); + +var msg17195 = msg("14784", dup309); + +var msg17196 = msg("14785", dup309); + +var msg17197 = msg("14786", dup309); + +var msg17198 = msg("14787", dup309); + +var msg17199 = msg("14788", dup309); + +var msg17200 = msg("14789", dup309); + +var msg17201 = msg("14790", dup309); + +var msg17202 = msg("14791", dup309); + +var msg17203 = msg("14792", dup309); + +var msg17204 = msg("14793", dup309); + +var msg17205 = msg("14794", dup309); + +var msg17206 = msg("14795", dup309); + +var msg17207 = msg("14796", dup309); + +var msg17208 = msg("14797", dup309); + +var msg17209 = msg("14798", dup309); + +var msg17210 = msg("14799", dup309); + +var msg17211 = msg("14800", dup309); + +var msg17212 = msg("14801", dup309); + +var msg17213 = msg("14802", dup309); + +var msg17214 = msg("14803", dup309); + +var msg17215 = msg("14804", dup309); + +var msg17216 = msg("14805", dup309); + +var msg17217 = msg("14806", dup309); + +var msg17218 = msg("14807", dup309); + +var msg17219 = msg("14808", dup309); + +var msg17220 = msg("14809", dup309); + +var msg17221 = msg("14810", dup309); + +var msg17222 = msg("14811", dup309); + +var msg17223 = msg("14812", dup309); + +var msg17224 = msg("14813", dup309); + +var msg17225 = msg("14814", dup309); + +var msg17226 = msg("14815", dup309); + +var msg17227 = msg("14816", dup309); + +var msg17228 = msg("14817", dup197); + +var msg17229 = msg("14818", dup309); + +var msg17230 = msg("14819", dup309); + +var msg17231 = msg("14820", dup309); + +var msg17232 = msg("14821", dup309); + +var msg17233 = msg("14822", dup309); + +var msg17234 = msg("14823", dup309); + +var msg17235 = msg("14824", dup309); + +var msg17236 = msg("14825", dup309); + +var msg17237 = msg("14826", dup309); + +var msg17238 = msg("14827", dup309); + +var msg17239 = msg("14828", dup309); + +var msg17240 = msg("14829", dup309); + +var msg17241 = msg("14830", dup309); + +var msg17242 = msg("14831", dup309); + +var msg17243 = msg("14832", dup309); + +var msg17244 = msg("14833", dup309); + +var msg17245 = msg("14834", dup309); + +var msg17246 = msg("14835", dup309); + +var msg17247 = msg("14836", dup309); + +var msg17248 = msg("14837", dup309); + +var msg17249 = msg("14838", dup309); + +var msg17250 = msg("14839", dup309); + +var msg17251 = msg("14840", dup309); + +var msg17252 = msg("14841", dup309); + +var msg17253 = msg("14842", dup309); + +var msg17254 = msg("14843", dup309); + +var msg17255 = msg("14844", dup309); + +var msg17256 = msg("14845", dup309); + +var msg17257 = msg("14846", dup309); + +var msg17258 = msg("14847", dup309); + +var msg17259 = msg("14848", dup309); + +var msg17260 = msg("14849", dup309); + +var msg17261 = msg("14850", dup309); + +var msg17262 = msg("14851", dup309); + +var msg17263 = msg("14852", dup309); + +var msg17264 = msg("14853", dup309); + +var msg17265 = msg("14854", dup309); + +var msg17266 = msg("14855", dup309); + +var msg17267 = msg("14856", dup309); + +var msg17268 = msg("14857", dup309); + +var msg17269 = msg("14858", dup309); + +var msg17270 = msg("14859", dup309); + +var msg17271 = msg("14860", dup309); + +var msg17272 = msg("14861", dup309); + +var msg17273 = msg("14862", dup309); + +var msg17274 = msg("14863", dup309); + +var msg17275 = msg("14864", dup309); + +var msg17276 = msg("14865", dup309); + +var msg17277 = msg("14866", dup309); + +var msg17278 = msg("14867", dup309); + +var msg17279 = msg("14868", dup309); + +var msg17280 = msg("14869", dup309); + +var msg17281 = msg("14870", dup309); + +var msg17282 = msg("14871", dup309); + +var msg17283 = msg("14896", dup276); + +var msg17284 = msg("14897", dup265); + +var msg17285 = msg("14898", dup265); + +var msg17286 = msg("14899", dup276); + +var msg17287 = msg("14900", dup276); + +var msg17288 = msg("14986", dup196); + +var msg17289 = msg("14987", dup276); + +var msg17290 = msg("14988", dup276); + +var msg17291 = msg("14989", dup267); + +var msg17292 = msg("14990", dup267); + +var msg17293 = msg("14991", dup260); + +var msg17294 = msg("14992", dup267); + +var msg17295 = msg("14993", dup265); + +var msg17296 = msg("14994", dup265); + +var msg17297 = msg("14995", dup265); + +var msg17298 = msg("14996", dup265); + +var msg17299 = msg("14997", dup265); + +var msg17300 = msg("14998", dup265); + +var msg17301 = msg("14999", dup265); + +var msg17302 = msg("15000", dup265); + +var msg17303 = msg("15001", dup265); + +var msg17304 = msg("15002", dup265); + +var msg17305 = msg("15003", dup265); + +var msg17306 = msg("15004", dup265); + +var msg17307 = msg("15005", dup265); + +var msg17308 = msg("15006", dup265); + +var msg17309 = msg("15007", dup265); + +var msg17310 = msg("15008", dup265); + +var msg17311 = msg("15009", dup276); + +var msg17312 = msg("15010", dup222); + +var msg17313 = msg("15011", dup265); + +var msg17314 = msg("15012", dup265); + +var msg17315 = msg("15013", dup265); + +var msg17316 = msg("15014", dup267); + +var msg17317 = msg("15015", dup201); + +var msg17318 = msg("15016", dup307); + +var msg17319 = msg("15017", dup307); + +var msg17320 = msg("15018", dup307); + +var msg17321 = msg("15019", dup307); + +var msg17322 = msg("15020", dup307); + +var msg17323 = msg("15021", dup309); + +var msg17324 = msg("15022", dup309); + +var msg17325 = msg("15023", dup309); + +var msg17326 = msg("15024", dup309); + +var msg17327 = msg("15025", dup309); + +var msg17328 = msg("15026", dup309); + +var msg17329 = msg("15027", dup309); + +var msg17330 = msg("15028", dup309); + +var msg17331 = msg("15029", dup309); + +var msg17332 = msg("15030", dup309); + +var msg17333 = msg("15031", dup309); + +var msg17334 = msg("15032", dup309); + +var msg17335 = msg("15033", dup309); + +var msg17336 = msg("15034", dup309); + +var msg17337 = msg("15035", dup309); + +var msg17338 = msg("15036", dup309); + +var msg17339 = msg("15037", dup309); + +var msg17340 = msg("15038", dup309); + +var msg17341 = msg("15039", dup309); + +var msg17342 = msg("15040", dup309); + +var msg17343 = msg("15041", dup309); + +var msg17344 = msg("15042", dup309); + +var msg17345 = msg("15043", dup309); + +var msg17346 = msg("15044", dup309); + +var msg17347 = msg("15045", dup309); + +var msg17348 = msg("15046", dup309); + +var msg17349 = msg("15047", dup309); + +var msg17350 = msg("15048", dup309); + +var msg17351 = msg("15049", dup309); + +var msg17352 = msg("15050", dup309); + +var msg17353 = msg("15051", dup309); + +var msg17354 = msg("15052", dup309); + +var msg17355 = msg("15053", dup309); + +var msg17356 = msg("15054", dup309); + +var msg17357 = msg("15055", dup309); + +var msg17358 = msg("15056", dup309); + +var msg17359 = msg("15057", dup309); + +var msg17360 = msg("15058", dup309); + +var msg17361 = msg("15059", dup309); + +var msg17362 = msg("15060", dup309); + +var msg17363 = msg("15061", dup309); + +var msg17364 = msg("15062", dup309); + +var msg17365 = msg("15063", dup309); + +var msg17366 = msg("15064", dup309); + +var msg17367 = msg("15065", dup309); + +var msg17368 = msg("15066", dup309); + +var msg17369 = msg("15067", dup309); + +var msg17370 = msg("15068", dup309); + +var msg17371 = msg("15069", dup265); + +var msg17372 = msg("15070", dup265); + +var msg17373 = msg("15071", dup196); + +var msg17374 = msg("15072", dup196); + +var msg17375 = msg("15073", dup196); + +var msg17376 = msg("15074", dup196); + +var msg17377 = msg("15075", dup196); + +var msg17378 = msg("15076", dup197); + +var msg17379 = msg("15077", dup197); + +var msg17380 = msg("15078", dup222); + +var msg17381 = msg("15079", dup265); + +var msg17382 = msg("15080", dup222); + +var msg17383 = msg("15081", dup267); + +var msg17384 = msg("15082", dup222); + +var msg17385 = msg("15083", dup196); + +var msg17386 = msg("15084", dup265); + +var msg17387 = msg("15085", dup265); + +var msg17388 = msg("15086", dup265); + +var msg17389 = msg("15087", dup265); + +var msg17390 = msg("15088", dup265); + +var msg17391 = msg("15089", dup265); + +var msg17392 = msg("15090", dup265); + +var msg17393 = msg("15091", dup265); + +var msg17394 = msg("15092", dup265); + +var msg17395 = msg("15093", dup265); + +var msg17396 = msg("15094", dup265); + +var msg17397 = msg("15095", dup265); + +var msg17398 = msg("15096", dup265); + +var msg17399 = msg("15097", dup265); + +var msg17400 = msg("15098", dup265); + +var msg17401 = msg("15099", dup265); + +var msg17402 = msg("15100", dup265); + +var msg17403 = msg("15101", dup265); + +var msg17404 = msg("15102", dup265); + +var msg17405 = msg("15103", dup265); + +var msg17406 = msg("15104", dup267); + +var msg17407 = msg("15105", dup267); + +var msg17408 = msg("15106", dup267); + +var msg17409 = msg("15107", dup267); + +var msg17410 = msg("15108", dup267); + +var msg17411 = msg("15109", dup265); + +var msg17412 = msg("15110", dup265); + +var msg17413 = msg("15111", dup265); + +var msg17414 = msg("15112", dup265); + +var msg17415 = msg("15113", dup265); + +var msg17416 = msg("15114", dup267); + +var msg17417 = msg("15115", dup267); + +var msg17418 = msg("15116", dup265); + +var msg17419 = msg("15117", dup269); + +var msg17420 = msg("15118", dup265); + +var msg17421 = msg("15119", dup265); + +var msg17422 = msg("15120", dup265); + +var msg17423 = msg("15121", dup265); + +var msg17424 = msg("15122", dup265); + +var msg17425 = msg("15123", dup265); + +var msg17426 = msg("15124", dup276); + +var msg17427 = msg("15125", dup267); + +var msg17428 = msg("15126", dup265); + +var msg17429 = msg("15127", dup276); + +var msg17430 = msg("15128", dup276); + +var msg17431 = msg("15129", dup276); + +var msg17432 = msg("15130", dup276); + +var msg17433 = msg("15131", dup276); + +var msg17434 = msg("15132", dup276); + +var msg17435 = msg("15133", dup276); + +var msg17436 = msg("15134", dup276); + +var msg17437 = msg("15135", dup276); + +var msg17438 = msg("15136", dup276); + +var msg17439 = msg("15137", dup276); + +var msg17440 = msg("15138", dup276); + +var msg17441 = msg("15139", dup276); + +var msg17442 = msg("15140", dup276); + +var msg17443 = msg("15141", dup276); + +var msg17444 = msg("15142", dup276); + +var msg17445 = msg("15143", dup240); + +var msg17446 = msg("15144", dup240); + +var msg17447 = msg("15145", dup222); + +var msg17448 = msg("15146", dup222); + +var msg17449 = msg("15147", dup222); + +var msg17450 = msg("15148", dup198); + +var msg17451 = msg("15149", dup198); + +var msg17452 = msg("15150", dup285); + +var msg17453 = msg("15151", dup285); + +var msg17454 = msg("15152", dup285); + +var msg17455 = msg("15153", dup285); + +var msg17456 = msg("15154", dup285); + +var msg17457 = msg("15155", dup285); + +var msg17458 = msg("15156", dup285); + +var msg17459 = msg("15157", dup265); + +var msg17460 = msg("15158", dup265); + +var msg17461 = msg("15159", dup265); + +var msg17462 = msg("15160", dup265); + +var msg17463 = msg("15161", dup265); + +var msg17464 = msg("15162", dup265); + +var msg17465 = msg("15163", dup222); + +var msg17466 = msg("15164", dup196); + +var msg17467 = msg("15165", dup192); + +var msg17468 = msg("15166", dup267); + +var msg17469 = msg("15167", dup196); + +var msg17470 = msg("15168", dup196); + +var msg17471 = msg("15169", dup196); + +var msg17472 = msg("15170", dup196); + +var msg17473 = msg("15171", dup265); + +var msg17474 = msg("15172", dup196); + +var msg17475 = msg("15173", dup265); + +var msg17476 = msg("15174", dup265); + +var msg17477 = msg("15175", dup265); + +var msg17478 = msg("15176", dup265); + +var msg17479 = msg("15177", dup265); + +var msg17480 = msg("15178", dup265); + +var msg17481 = msg("15179", dup265); + +var msg17482 = msg("15180", dup265); + +var msg17483 = msg("15181", dup265); + +var msg17484 = msg("15182", dup265); + +var msg17485 = msg("15183", dup265); + +var msg17486 = msg("15184", dup265); + +var msg17487 = msg("15185", dup196); + +var msg17488 = msg("15186", dup201); + +var msg17489 = msg("15187", dup201); + +var msg17490 = msg("15188", dup201); + +var msg17491 = msg("15189", dup201); + +var msg17492 = msg("15190", dup267); + +var msg17493 = msg("15191", dup197); + +var msg17494 = msg("15192", dup265); + +var msg17495 = msg("15193", dup265); + +var msg17496 = msg("15194", dup265); + +var msg17497 = msg("15195", dup265); + +var msg17498 = msg("15196", dup276); + +var msg17499 = msg("15197", dup276); + +var msg17500 = msg("15198", dup276); + +var msg17501 = msg("15199", dup276); + +var msg17502 = msg("15200", dup276); + +var msg17503 = msg("15201", dup276); + +var msg17504 = msg("15202", dup276); + +var msg17505 = msg("15203", dup276); + +var msg17506 = msg("15204", dup276); + +var msg17507 = msg("15205", dup276); + +var msg17508 = msg("15206", dup276); + +var msg17509 = msg("15207", dup276); + +var msg17510 = msg("15208", dup276); + +var msg17511 = msg("15209", dup276); + +var msg17512 = msg("15210", dup276); + +var msg17513 = msg("15211", dup276); + +var msg17514 = msg("15212", dup276); + +var msg17515 = msg("15213", dup276); + +var msg17516 = msg("15214", dup276); + +var msg17517 = msg("15215", dup276); + +var msg17518 = msg("15216", dup276); + +var msg17519 = msg("15217", dup276); + +var msg17520 = msg("15218", dup276); + +var msg17521 = msg("15219", dup276); + +var msg17522 = msg("15220", dup276); + +var msg17523 = msg("15221", dup276); + +var msg17524 = msg("15222", dup276); + +var msg17525 = msg("15223", dup276); + +var msg17526 = msg("15224", dup276); + +var msg17527 = msg("15225", dup276); + +var msg17528 = msg("15226", dup276); + +var msg17529 = msg("15227", dup276); + +var msg17530 = msg("15228", dup265); + +var msg17531 = msg("15229", dup265); + +var msg17532 = msg("15230", dup265); + +var msg17533 = msg("15231", dup265); + +var msg17534 = msg("15232", dup265); + +var msg17535 = msg("15233", dup265); + +var msg17536 = msg("15234", dup265); + +var msg17537 = msg("15235", dup265); + +var msg17538 = msg("15236", dup267); + +var msg17539 = msg("15237", dup265); + +var msg17540 = msg("15238", dup196); + +var msg17541 = msg("15239", dup265); + +var msg17542 = msg("15240", dup265); + +var msg17543 = msg("15241", dup222); + +var msg17544 = msg("15242", dup267); + +var msg17545 = msg("15243", dup265); + +var msg17546 = msg("15244", dup265); + +var msg17547 = msg("15245", dup265); + +var msg17548 = msg("15246", dup265); + +var msg17549 = msg("15247", dup265); + +var msg17550 = msg("15248", dup265); + +var msg17551 = msg("15249", dup265); + +var msg17552 = msg("15250", dup265); + +var msg17553 = msg("15251", dup265); + +var msg17554 = msg("15252", dup265); + +var msg17555 = msg("15253", dup265); + +var msg17556 = msg("15254", dup265); + +var msg17557 = msg("15255", dup222); + +var msg17558 = msg("15256", dup196); + +var msg17559 = msg("15257", dup196); + +var msg17560 = msg("15258", dup196); + +var msg17561 = msg("15259", dup198); + +var msg17562 = msg("15260", dup198); + +var msg17563 = msg("15261", dup196); + +var msg17564 = msg("15262", dup196); + +var msg17565 = msg("15263", dup198); + +var msg17566 = msg("15264", dup267); + +var msg17567 = msg("15265", dup265); + +var msg17568 = msg("15266", dup265); + +var msg17569 = msg("15267", dup265); + +var msg17570 = msg("15268", dup265); + +var msg17571 = msg("15269", dup265); + +var msg17572 = msg("15270", dup265); + +var msg17573 = msg("15271", dup265); + +var msg17574 = msg("15272", dup265); + +var msg17575 = msg("15273", dup265); + +var msg17576 = msg("15274", dup265); + +var msg17577 = msg("15275", dup265); + +var msg17578 = msg("15276", dup265); + +var msg17579 = msg("15277", dup265); + +var msg17580 = msg("15278", dup265); + +var msg17581 = msg("15279", dup265); + +var msg17582 = msg("15280", dup265); + +var msg17583 = msg("15281", dup265); + +var msg17584 = msg("15282", dup265); + +var msg17585 = msg("15283", dup265); + +var msg17586 = msg("15284", dup265); + +var msg17587 = msg("15285", dup265); + +var msg17588 = msg("15286", dup265); + +var msg17589 = msg("15287", dup265); + +var msg17590 = msg("15288", dup265); + +var msg17591 = msg("15289", dup265); + +var msg17592 = msg("15290", dup265); + +var msg17593 = msg("15291", dup265); + +var msg17594 = msg("15292", dup196); + +var msg17595 = msg("15293", dup196); + +var msg17596 = msg("15294", dup265); + +var msg17597 = msg("15295", dup192); + +var msg17598 = msg("15296", dup192); + +var msg17599 = msg("15297", dup192); + +var msg17600 = msg("15298", dup267); + +var msg17601 = msg("15299", dup265); + +var msg17602 = msg("15300", dup267); + +var msg17603 = msg("15301", dup250); + +var msg17604 = msg("15302", dup198); + +var msg17605 = msg("15303", dup269); + +var msg17606 = msg("15304", dup265); + +var msg17607 = msg("15305", dup265); + +var msg17608 = msg("15306", dup267); + +var msg17609 = msg("15307", dup265); + +var msg17610 = msg("15308", dup265); + +var msg17611 = msg("15309", dup265); + +var msg17612 = msg("15310", dup265); + +var msg17613 = msg("15311", dup265); + +var msg17614 = msg("15312", dup265); + +var msg17615 = msg("15313", dup265); + +var msg17616 = msg("15314", dup265); + +var msg17617 = msg("15315", dup265); + +var msg17618 = msg("15316", dup265); + +var msg17619 = msg("15317", dup265); + +var msg17620 = msg("15318", dup265); + +var msg17621 = msg("15319", dup276); + +var msg17622 = msg("15320", dup276); + +var msg17623 = msg("15321", dup276); + +var msg17624 = msg("15322", dup276); + +var msg17625 = msg("15323", dup276); + +var msg17626 = msg("15324", dup276); + +var msg17627 = msg("15325", dup276); + +var msg17628 = msg("15326", dup276); + +var msg17629 = msg("15327", dup218); + +var msg17630 = msg("15328", dup267); + +var msg17631 = msg("15329", dup250); + +var msg17632 = msg("15330", dup265); + +var msg17633 = msg("15331", dup265); + +var msg17634 = msg("15332", dup265); + +var msg17635 = msg("15333", dup265); + +var msg17636 = msg("15334", dup265); + +var msg17637 = msg("15335", dup265); + +var msg17638 = msg("15336", dup265); + +var msg17639 = msg("15337", dup265); + +var msg17640 = msg("15338", dup265); + +var msg17641 = msg("15339", dup265); + +var msg17642 = msg("15340", dup265); + +var msg17643 = msg("15341", dup265); + +var msg17644 = msg("15342", dup265); + +var msg17645 = msg("15343", dup265); + +var msg17646 = msg("15344", dup265); + +var msg17647 = msg("15345", dup265); + +var msg17648 = msg("15346", dup197); + +var msg17649 = msg("15347", dup197); + +var msg17650 = msg("15348", dup197); + +var msg17651 = msg("15349", dup197); + +var msg17652 = msg("15350", dup265); + +var msg17653 = msg("15351", dup265); + +var msg17654 = msg("15352", dup265); + +var msg17655 = msg("15353", dup265); + +var msg17656 = msg("15354", dup250); + +var msg17657 = msg("15355", dup267); + +var msg17658 = msg("15356", dup250); + +var msg17659 = msg("15357", dup267); + +var msg17660 = msg("15358", dup250); + +var msg17661 = msg("15359", dup250); + +var msg17662 = msg("15360", dup250); + +var msg17663 = msg("15361", dup196); + +var msg17664 = msg("15362", dup196); + +var msg17665 = msg("15363", dup265); + +var msg17666 = msg("15364", dup222); + +var msg17667 = msg("15365", dup265); + +var all48 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + setc("eventcategory","1001030300"), + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg17668 = msg("15366", all48); + +var msg17669 = msg("15367", dup201); + +var msg17670 = msg("15368", dup265); + +var msg17671 = msg("15369", dup265); + +var msg17672 = msg("15370", dup265); + +var msg17673 = msg("15371", dup265); + +var msg17674 = msg("15372", dup265); + +var msg17675 = msg("15373", dup265); + +var msg17676 = msg("15374", dup265); + +var msg17677 = msg("15375", dup265); + +var msg17678 = msg("15376", dup265); + +var msg17679 = msg("15377", dup265); + +var msg17680 = msg("15378", dup265); + +var msg17681 = msg("15379", dup265); + +var msg17682 = msg("15380", dup265); + +var msg17683 = msg("15381", dup265); + +var msg17684 = msg("15382", dup222); + +var msg17685 = msg("15383", dup196); + +var msg17686 = msg("15384", dup265); + +var msg17687 = msg("15385", dup265); + +var msg17688 = msg("15386", dup196); + +var msg17689 = msg("15387", dup276); + +var msg17690 = msg("15388", dup222); + +var msg17691 = msg("15389", dup196); + +var msg17692 = msg("15390", dup196); + +var msg17693 = msg("15391", dup196); + +var msg17694 = msg("15392", dup196); + +var msg17695 = msg("15393", dup196); + +var msg17696 = msg("15394", dup196); + +var msg17697 = msg("15395", dup196); + +var msg17698 = msg("15396", dup196); + +var msg17699 = msg("15397", dup196); + +var msg17700 = msg("15398", dup196); + +var msg17701 = msg("15399", dup196); + +var msg17702 = msg("15400", dup196); + +var msg17703 = msg("15401", dup196); + +var msg17704 = msg("15402", dup196); + +var msg17705 = msg("15403", dup196); + +var msg17706 = msg("15404", dup196); + +var msg17707 = msg("15405", dup196); + +var msg17708 = msg("15406", dup196); + +var msg17709 = msg("15407", dup196); + +var msg17710 = msg("15408", dup196); + +var msg17711 = msg("15409", dup196); + +var msg17712 = msg("15410", dup196); + +var msg17713 = msg("15411", dup196); + +var msg17714 = msg("15412", dup222); + +var msg17715 = msg("15413", dup222); + +var msg17716 = msg("15414", dup196); + +var msg17717 = msg("15415", dup196); + +var msg17718 = msg("15416", dup196); + +var msg17719 = msg("15417", dup196); + +var msg17720 = msg("15418", dup196); + +var msg17721 = msg("15420", dup196); + +var msg17722 = msg("15421", dup196); + +var msg17723 = msg("15422", dup222); + +var msg17724 = msg("15423", dup263); + +var msg17725 = msg("15424", dup260); + +var msg17726 = msg("15425", dup260); + +var msg17727 = msg("15426", dup265); + +var msg17728 = msg("15427", dup265); + +var msg17729 = msg("15428", dup265); + +var msg17730 = msg("15429", dup196); + +var msg17731 = msg("15430", dup267); + +var msg17732 = msg("15431", dup222); + +var msg17733 = msg("15432", dup269); + +var msg17734 = msg("15433", dup267); + +var msg17735 = msg("15434", dup267); + +var msg17736 = msg("15435", dup198); + +var msg17737 = msg("15436", dup196); + +var msg17738 = msg("15437", dup196); + +var msg17739 = msg("15438", dup196); + +var msg17740 = msg("15439", dup196); + +var msg17741 = msg("15440", dup196); + +var msg17742 = msg("15441", dup196); + +var msg17743 = msg("15442", dup198); + +var msg17744 = msg("15443", dup198); + +var msg17745 = msg("15444", dup265); + +var msg17746 = msg("15445", dup287); + +var msg17747 = msg("15446", dup267); + +var msg17748 = msg("15447", dup265); + +var msg17749 = msg("15448", dup276); + +var msg17750 = msg("15449", dup196); + +var msg17751 = msg("15450", dup196); + +var msg17752 = msg("15451", dup196); + +var msg17753 = msg("15452", dup196); + +var msg17754 = msg("15453", dup276); + +var msg17755 = msg("15454", dup267); + +var msg17756 = msg("15455", dup222); + +var msg17757 = msg("15456", dup265); + +var msg17758 = msg("15457", dup269); + +var msg17759 = msg("15458", dup196); + +var msg17760 = msg("15459", dup196); + +var msg17761 = msg("15460", dup196); + +var msg17762 = msg("15461", dup196); + +var msg17763 = msg("15462", dup265); + +var msg17764 = msg("15463", dup265); + +var msg17765 = msg("15464", dup265); + +var msg17766 = msg("15465", dup267); + +var msg17767 = msg("15466", dup222); + +var msg17768 = msg("15467", dup222); + +var msg17769 = msg("15468", dup265); + +var msg17770 = msg("15469", dup265); + +var msg17771 = msg("15470", dup269); + +var msg17772 = msg("15471", dup196); + +var msg17773 = msg("15472", dup267); + +var msg17774 = msg("15473", dup267); + +var msg17775 = msg("15474", dup198); + +var msg17776 = msg("15475", dup265); + +var msg17777 = msg("15476", dup263); + +var msg17778 = msg("15477", dup222); + +var msg17779 = msg("15478", dup196); + +var msg17780 = msg("15479", dup222); + +var msg17781 = msg("15480", dup265); + +var msg17782 = msg("15481", dup196); + +var msg17783 = msg("15482", dup273); + +var msg17784 = msg("15483", dup265); + +var msg17785 = msg("15484", dup197); + +var msg17786 = msg("15485", dup197); + +var msg17787 = msg("15486", dup192); + +var msg17788 = msg("15487", dup196); + +var msg17789 = msg("15488", dup196); + +var msg17790 = msg("15489", dup222); + +var msg17791 = msg("15490", dup269); + +var msg17792 = msg("15491", dup222); + +var msg17793 = msg("15492", dup196); + +var msg17794 = msg("15493", dup196); + +var msg17795 = msg("15494", dup250); + +var msg17796 = msg("15495", dup250); + +var msg17797 = msg("15496", dup250); + +var msg17798 = msg("15497", dup250); + +var msg17799 = msg("15498", dup267); + +var msg17800 = msg("15499", dup267); + +var msg17801 = msg("15500", dup196); + +var msg17802 = msg("15501", dup265); + +var msg17803 = msg("15502", dup265); + +var msg17804 = msg("15503", dup196); + +var msg17805 = msg("15504", dup196); + +var msg17806 = msg("15505", dup265); + +var msg17807 = msg("15506", dup267); + +var msg17808 = msg("15507", dup201); + +var msg17809 = msg("15508", dup201); + +var msg17810 = msg("15509", dup198); + +var msg17811 = msg("15510", dup194); + +var msg17812 = msg("15511", dup222); + +var msg17813 = msg("15512", dup276); + +var msg17814 = msg("15513", dup276); + +var msg17815 = msg("15514", dup201); + +var msg17816 = msg("15515", dup260); + +var msg17817 = msg("15516", dup265); + +var msg17818 = msg("15517", dup267); + +var msg17819 = msg("15518", dup265); + +var msg17820 = msg("15519", dup267); + +var msg17821 = msg("15520", dup267); + +var msg17822 = msg("15521", dup267); + +var msg17823 = msg("15522", dup198); + +var msg17824 = msg("15523", dup222); + +var msg17825 = msg("15524", dup196); + +var msg17826 = msg("15525", dup196); + +var msg17827 = msg("15526", dup222); + +var msg17828 = msg("15527", dup198); + +var msg17829 = msg("15528", dup276); + +var msg17830 = msg("15529", dup265); + +var msg17831 = msg("15530", dup310); + +var msg17832 = msg("15531", dup267); + +var msg17833 = msg("15532", dup310); + +var msg17834 = msg("15533", dup310); + +var msg17835 = msg("15534", dup267); + +var msg17836 = msg("15535", dup267); + +var msg17837 = msg("15536", dup267); + +var msg17838 = msg("15537", dup267); + +var msg17839 = msg("15538", dup265); + +var msg17840 = msg("15539", dup267); + +var msg17841 = msg("15540", dup265); + +var msg17842 = msg("15541", dup267); + +var msg17843 = msg("15542", dup267); + +var msg17844 = msg("15543", dup265); + +var msg17845 = msg("15544", dup265); + +var msg17846 = msg("15545", dup265); + +var msg17847 = msg("15546", dup265); + +var msg17848 = msg("15547", dup265); + +var msg17849 = msg("15548", dup265); + +var msg17850 = msg("15549", dup265); + +var msg17851 = msg("15550", dup265); + +var msg17852 = msg("15551", dup265); + +var msg17853 = msg("15552", dup265); + +var msg17854 = msg("15553", dup263); + +var msg17855 = msg("15554", dup196); + +var msg17856 = msg("15555", dup222); + +var msg17857 = msg("15556", dup269); + +var msg17858 = msg("15557", dup265); + +var msg17859 = msg("15558", dup265); + +var msg17860 = msg("15559", dup201); + +var msg17861 = msg("15560", dup196); + +var msg17862 = msg("15561", dup196); + +var msg17863 = msg("15562", dup265); + +var msg17864 = msg("15563", dup192); + +var msg17865 = msg("15564", dup192); + +var msg17866 = msg("15565", dup192); + +var msg17867 = msg("15566", dup303); + +var msg17868 = msg("15567", dup303); + +var msg17869 = msg("15568", dup196); + +var msg17870 = msg("15569", dup196); + +var msg17871 = msg("15570", dup196); + +var msg17872 = msg("15571", dup222); + +var msg17873 = msg("15572", dup198); + +var msg17874 = msg("15573", dup222); + +var msg17875 = msg("15574", dup222); + +var msg17876 = msg("15575", dup196); + +var msg17877 = msg("15576", dup196); + +var msg17878 = msg("15577", dup196); + +var msg17879 = msg("15578", dup198); + +var msg17880 = msg("15579", dup198); + +var msg17881 = msg("15580", dup196); + +var msg17882 = msg("15581", dup198); + +var msg17883 = msg("15582", dup265); + +var msg17884 = msg("15583", dup194); + +var msg17885 = msg("15584", dup260); + +var msg17886 = msg("15585", dup265); + +var msg17887 = msg("15586", dup265); + +var msg17888 = msg("15587", dup265); + +var msg17889 = msg("15588", dup265); + +var msg17890 = msg("15589", dup265); + +var msg17891 = msg("15590", dup265); + +var msg17892 = msg("15591", dup265); + +var msg17893 = msg("15592", dup265); + +var msg17894 = msg("15593", dup265); + +var msg17895 = msg("15594", dup265); + +var msg17896 = msg("15595", dup265); + +var msg17897 = msg("15596", dup265); + +var msg17898 = msg("15597", dup265); + +var msg17899 = msg("15598", dup265); + +var msg17900 = msg("15599", dup265); + +var msg17901 = msg("15600", dup265); + +var msg17902 = msg("15601", dup265); + +var msg17903 = msg("15602", dup265); + +var msg17904 = msg("15603", dup265); + +var msg17905 = msg("15604", dup265); + +var msg17906 = msg("15605", dup265); + +var msg17907 = msg("15606", dup265); + +var msg17908 = msg("15607", dup265); + +var msg17909 = msg("15608", dup265); + +var msg17910 = msg("15609", dup265); + +var msg17911 = msg("15610", dup265); + +var msg17912 = msg("15611", dup265); + +var msg17913 = msg("15612", dup265); + +var msg17914 = msg("15613", dup265); + +var msg17915 = msg("15614", dup265); + +var msg17916 = msg("15615", dup265); + +var msg17917 = msg("15616", dup265); + +var msg17918 = msg("15617", dup265); + +var msg17919 = msg("15618", dup265); + +var msg17920 = msg("15619", dup265); + +var msg17921 = msg("15620", dup265); + +var msg17922 = msg("15621", dup265); + +var msg17923 = msg("15622", dup265); + +var msg17924 = msg("15623", dup265); + +var msg17925 = msg("15624", dup265); + +var msg17926 = msg("15625", dup265); + +var msg17927 = msg("15626", dup265); + +var msg17928 = msg("15627", dup265); + +var msg17929 = msg("15628", dup265); + +var msg17930 = msg("15629", dup265); + +var msg17931 = msg("15630", dup265); + +var msg17932 = msg("15631", dup265); + +var msg17933 = msg("15632", dup265); + +var msg17934 = msg("15633", dup265); + +var msg17935 = msg("15634", dup265); + +var msg17936 = msg("15635", dup265); + +var msg17937 = msg("15636", dup265); + +var msg17938 = msg("15637", dup265); + +var msg17939 = msg("15638", dup265); + +var msg17940 = msg("15639", dup265); + +var msg17941 = msg("15640", dup265); + +var msg17942 = msg("15641", dup265); + +var msg17943 = msg("15642", dup265); + +var msg17944 = msg("15643", dup265); + +var msg17945 = msg("15644", dup265); + +var msg17946 = msg("15645", dup265); + +var msg17947 = msg("15646", dup265); + +var msg17948 = msg("15647", dup265); + +var msg17949 = msg("15648", dup265); + +var msg17950 = msg("15649", dup265); + +var msg17951 = msg("15650", dup265); + +var msg17952 = msg("15651", dup265); + +var msg17953 = msg("15652", dup265); + +var msg17954 = msg("15653", dup265); + +var msg17955 = msg("15654", dup265); + +var msg17956 = msg("15655", dup265); + +var msg17957 = msg("15656", dup265); + +var msg17958 = msg("15657", dup265); + +var msg17959 = msg("15658", dup265); + +var msg17960 = msg("15659", dup265); + +var msg17961 = msg("15660", dup265); + +var msg17962 = msg("15661", dup265); + +var msg17963 = msg("15662", dup265); + +var msg17964 = msg("15663", dup265); + +var msg17965 = msg("15664", dup265); + +var msg17966 = msg("15665", dup265); + +var msg17967 = msg("15666", dup265); + +var msg17968 = msg("15667", dup265); + +var msg17969 = msg("15668", dup265); + +var msg17970 = msg("15669", dup265); + +var msg17971 = msg("15670", dup265); + +var msg17972 = msg("15671", dup265); + +var msg17973 = msg("15672", dup265); + +var msg17974 = msg("15673", dup265); + +var msg17975 = msg("15674", dup265); + +var msg17976 = msg("15675", dup265); + +var msg17977 = msg("15676", dup265); + +var msg17978 = msg("15677", dup265); + +var msg17979 = msg("15678", dup196); + +var msg17980 = msg("15679", dup196); + +var msg17981 = msg("15680", dup196); + +var msg17982 = msg("15681", dup269); + +var msg17983 = msg("15682", dup265); + +var msg17984 = msg("15683", dup285); + +var msg17985 = msg("15684", dup196); + +var msg17986 = msg("15685", dup265); + +var msg17987 = msg("15686", dup265); + +var msg17988 = msg("15687", dup265); + +var msg17989 = msg("15688", dup265); + +var msg17990 = msg("15689", dup265); + +var msg17991 = msg("15690", dup265); + +var msg17992 = msg("15691", dup265); + +var msg17993 = msg("15692", dup265); + +var msg17994 = msg("15693", dup267); + +var msg17995 = msg("15694", dup267); + +var msg17996 = msg("15695", dup267); + +var msg17997 = msg("15696", dup287); + +var msg17998 = msg("15697", dup265); + +var msg17999 = msg("15698", dup265); + +var msg18000 = msg("15699", dup222); + +var msg18001 = msg("15700", dup222); + +var msg18002 = msg("15701", dup285); + +var msg18003 = msg("15702", dup201); + +var msg18004 = msg("15703", dup267); + +var msg18005 = msg("15704", dup267); + +var msg18006 = msg("15705", dup267); + +var msg18007 = msg("15706", dup267); + +var msg18008 = msg("15707", dup267); + +var msg18009 = msg("15708", dup222); + +var msg18010 = msg("15709", dup267); + +var msg18011 = msg("15710", dup276); + +var msg18012 = msg("15711", dup222); + +var msg18013 = msg("15712", dup196); + +var msg18014 = msg("15713", dup196); + +var msg18015 = msg("15714", dup196); + +var msg18016 = msg("15715", dup197); + +var msg18017 = msg("15716", dup196); + +var msg18018 = msg("15717", dup196); + +var msg18019 = msg("15718", dup196); + +var msg18020 = msg("15719", dup196); + +var msg18021 = msg("15720", dup196); + +var msg18022 = msg("15721", dup196); + +var msg18023 = msg("15722", dup201); + +var msg18024 = msg("15723", dup260); + +var msg18025 = msg("15724", dup260); + +var msg18026 = msg("15725", dup260); + +var msg18027 = msg("15726", dup222); + +var msg18028 = msg("15727", dup196); + +var msg18029 = msg("15728", dup287); + +var msg18030 = msg("15729", dup287); + +var msg18031 = msg("15730", dup192); + +var msg18032 = msg("15731", dup269); + +var msg18033 = msg("15732", dup196); + +var msg18034 = msg("15733", dup196); + +var msg18035 = msg("15734", dup198); + +var msg18036 = msg("15847", dup276); + +var msg18037 = msg("15848", dup196); + +var msg18038 = msg("15849", dup196); + +var msg18039 = msg("15850", dup196); + +var all49 = all_match({ + processors: [ + dup177, + dup116, + dup173, + dup174, + ], + on_success: processor_chain([ + dup64, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg18040 = msg("15851", all49); + +var msg18041 = msg("15852", dup265); + +var msg18042 = msg("15853", dup265); + +var msg18043 = msg("15854", dup265); + +var msg18044 = msg("15855", dup265); + +var msg18045 = msg("15856", dup265); + +var msg18046 = msg("15857", dup196); + +var msg18047 = msg("15858", dup265); + +var msg18048 = msg("15859", dup265); + +var msg18049 = msg("15860", dup276); + +var msg18050 = msg("15861", dup265); + +var msg18051 = msg("15862", dup265); + +var msg18052 = msg("15863", dup265); + +var msg18053 = msg("15864", dup265); + +var msg18054 = msg("15865", dup265); + +var msg18055 = msg("15866", dup267); + +var msg18056 = msg("15867", dup265); + +var msg18057 = msg("15868", dup197); + +var msg18058 = msg("15869", dup267); + +var msg18059 = msg("15870", dup265); + +var msg18060 = msg("15871", dup265); + +var msg18061 = msg("15872", dup265); + +var msg18062 = msg("15873", dup196); + +var msg18063 = msg("15874", dup260); + +var msg18064 = msg("15875", dup260); + +var msg18065 = msg("15876", dup260); + +var msg18066 = msg("15877", dup260); + +var msg18067 = msg("15878", dup265); + +var msg18068 = msg("15879", dup265); + +var msg18069 = msg("15880", dup196); + +var msg18070 = msg("15881", dup276); + +var msg18071 = msg("15882", dup196); + +var msg18072 = msg("15883", dup222); + +var msg18073 = msg("15884", dup222); + +var msg18074 = msg("15885", dup222); + +var msg18075 = msg("15886", dup222); + +var msg18076 = msg("15887", dup222); + +var msg18077 = msg("15888", dup222); + +var msg18078 = msg("15889", dup222); + +var msg18079 = msg("15890", dup222); + +var msg18080 = msg("15891", dup222); + +var msg18081 = msg("15892", dup222); + +var msg18082 = msg("15893", dup196); + +var msg18083 = msg("15894", dup196); + +var msg18084 = msg("15895", dup222); + +var msg18085 = msg("15896", dup198); + +var msg18086 = msg("15897", dup267); + +var msg18087 = msg("15898", dup265); + +var msg18088 = msg("15899", dup265); + +var msg18089 = msg("15900", dup265); + +var msg18090 = msg("15901", dup222); + +var msg18091 = msg("15902", dup196); + +var msg18092 = msg("15903", dup196); + +var msg18093 = msg("15904", dup265); + +var msg18094 = msg("15905", dup265); + +var msg18095 = msg("15906", dup222); + +var msg18096 = msg("15907", dup222); + +var msg18097 = msg("15908", dup194); + +var msg18098 = msg("15909", dup265); + +var msg18099 = msg("15910", dup196); + +var msg18100 = msg("15911", dup276); + +var msg18101 = msg("15912", dup196); + +var msg18102 = msg("15913", dup265); + +var msg18103 = msg("15914", dup265); + +var msg18104 = msg("15915", dup265); + +var msg18105 = msg("15916", dup265); + +var msg18106 = msg("15917", dup297); + +var msg18107 = msg("15918", dup265); + +var msg18108 = msg("15919", dup265); + +var msg18109 = msg("15920", dup265); + +var msg18110 = msg("15921", dup265); + +var msg18111 = msg("15922", dup265); + +var msg18112 = msg("15923", dup265); + +var msg18113 = msg("15924", dup265); + +var msg18114 = msg("15925", dup265); + +var msg18115 = msg("15926", dup265); + +var msg18116 = msg("15927", dup265); + +var msg18117 = msg("15928", dup265); + +var msg18118 = msg("15929", dup265); + +var msg18119 = msg("15930", dup198); + +var msg18120 = msg("15931", dup196); + +var msg18121 = msg("15932", dup198); + +var msg18122 = msg("15933", dup265); + +var msg18123 = msg("15934", dup196); + +var msg18124 = msg("15935", dup196); + +var msg18125 = msg("15936", dup196); + +var msg18126 = msg("15937", dup197); + +var msg18127 = msg("15938", dup192); + +var msg18128 = msg("15939", dup196); + +var msg18129 = msg("15940", dup201); + +var msg18130 = msg("15941", dup198); + +var msg18131 = msg("15942", dup201); + +var msg18132 = msg("15943", dup201); + +var msg18133 = msg("15944", dup198); + +var msg18134 = msg("15945", dup265); + +var msg18135 = msg("15946", dup267); + +var msg18136 = msg("15947", dup287); + +var msg18137 = msg("15948", dup222); + +var msg18138 = msg("15949", dup222); + +var msg18139 = msg("15950", dup222); + +var msg18140 = msg("15951", dup260); + +var msg18141 = msg("15952", dup269); + +var msg18142 = msg("15953", dup265); + +var msg18143 = msg("15954", dup198); + +var msg18144 = msg("15955", dup196); + +var msg18145 = msg("15956", dup265); + +var msg18146 = msg("15957", dup198); + +var msg18147 = msg("15958", dup267); + +var msg18148 = msg("15959", dup198); + +var msg18149 = msg("15960", dup198); + +var msg18150 = msg("15961", dup196); + +var msg18151 = msg("15962", dup222); + +var msg18152 = msg("15963", dup218); + +var msg18153 = msg("15964", dup196); + +var msg18154 = msg("15965", dup222); + +var msg18155 = msg("15966", dup194); + +var msg18156 = msg("15967", dup222); + +var msg18157 = msg("15968", dup201); + +var msg18158 = msg("15969", dup198); + +var msg18159 = msg("15970", dup222); + +var msg18160 = msg("15971", dup196); + +var msg18161 = msg("15972", dup196); + +var msg18162 = msg("15973", dup222); + +var msg18163 = msg("15974", dup197); + +var msg18164 = msg("15975", dup267); + +var msg18165 = msg("15976", dup267); + +var msg18166 = msg("15977", dup201); + +var msg18167 = msg("15978", dup267); + +var msg18168 = msg("15979", dup222); + +var msg18169 = msg("15980", dup265); + +var msg18170 = msg("15981", dup198); + +var msg18171 = msg("15982", dup198); + +var msg18172 = msg("15983", dup196); + +var msg18173 = msg("15984", dup198); + +var msg18174 = msg("15985", dup196); + +var msg18175 = msg("15986", dup222); + +var msg18176 = msg("15987", dup265); + +var msg18177 = msg("15988", dup196); + +var msg18178 = msg("15989", dup198); + +var msg18179 = msg("15990", dup265); + +var msg18180 = msg("15991", dup198); + +var msg18181 = msg("15992", dup194); + +var msg18182 = msg("15993", dup201); + +var msg18183 = msg("15994", dup198); + +var msg18184 = msg("15995", dup269); + +var msg18185 = msg("15996", dup222); + +var msg18186 = msg("15997", dup196); + +var msg18187 = msg("15998", dup196); + +var msg18188 = msg("15999", dup287); + +var msg18189 = msg("16000", dup265); + +var msg18190 = msg("16001", dup196); + +var msg18191 = msg("16002", dup267); + +var msg18192 = msg("16003", dup267); + +var msg18193 = msg("16004", dup267); + +var msg18194 = msg("16005", dup201); + +var msg18195 = msg("16006", dup196); + +var msg18196 = msg("16007", dup196); + +var all50 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup62, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg18197 = msg("16008", all50); + +var msg18198 = msg("16009", dup222); + +var msg18199 = msg("16010", dup287); + +var msg18200 = msg("16011", dup196); + +var msg18201 = msg("16012", dup265); + +var msg18202 = msg("16013", dup196); + +var msg18203 = msg("16014", dup198); + +var msg18204 = msg("16015", dup222); + +var msg18205 = msg("16016", dup222); + +var msg18206 = msg("16017", dup222); + +var msg18207 = msg("16018", dup197); + +var msg18208 = msg("16019", dup222); + +var msg18209 = msg("16020", dup240); + +var msg18210 = msg("16021", dup265); + +var msg18211 = msg("16022", dup196); + +var msg18212 = msg("16023", dup196); + +var msg18213 = msg("16024", dup201); + +var msg18214 = msg("16025", dup222); + +var msg18215 = msg("16026", dup265); + +var msg18216 = msg("16027", dup267); + +var msg18217 = msg("16028", dup196); + +var msg18218 = msg("16029", dup197); + +var msg18219 = msg("16030", dup197); + +var msg18220 = msg("16031", dup265); + +var msg18221 = msg("16032", dup265); + +var msg18222 = msg("16033", dup196); + +var msg18223 = msg("16034", dup222); + +var msg18224 = msg("16035", dup196); + +var msg18225 = msg("16036", dup196); + +var msg18226 = msg("16037", dup222); + +var msg18227 = msg("16038", dup201); + +var msg18228 = msg("16039", dup198); + +var msg18229 = msg("16040", dup196); + +var msg18230 = msg("16041", dup222); + +var msg18231 = msg("16042", dup287); + +var msg18232 = msg("16043", dup265); + +var msg18233 = msg("16044", dup267); + +var msg18234 = msg("16045", dup196); + +var msg18235 = msg("16046", dup196); + +var msg18236 = msg("16047", dup196); + +var msg18237 = msg("16048", dup265); + +var msg18238 = msg("16049", dup260); + +var msg18239 = msg("16050", dup265); + +var msg18240 = msg("16051", dup196); + +var msg18241 = msg("16052", dup198); + +var msg18242 = msg("16053", dup267); + +var msg18243 = msg("16054", dup197); + +var msg18244 = msg("16055", dup222); + +var msg18245 = msg("16056", dup285); + +var msg18246 = msg("16057", dup222); + +var msg18247 = msg("16058", dup222); + +var msg18248 = msg("16059", dup196); + +var msg18249 = msg("16060", dup196); + +var msg18250 = msg("16061", dup196); + +var msg18251 = msg("16062", dup222); + +var msg18252 = msg("16063", dup267); + +var msg18253 = msg("16064", dup196); + +var msg18254 = msg("16065", dup196); + +var msg18255 = msg("16066", dup198); + +var msg18256 = msg("16067", dup196); + +var msg18257 = msg("16068", dup196); + +var msg18258 = msg("16069", dup222); + +var msg18259 = msg("16070", dup222); + +var msg18260 = msg("16071", dup198); + +var msg18261 = msg("16072", dup222); + +var msg18262 = msg("16073", dup197); + +var msg18263 = msg("16074", dup196); + +var msg18264 = msg("16075", dup196); + +var msg18265 = msg("16076", dup201); + +var msg18266 = msg("16077", dup201); + +var msg18267 = msg("16078", dup196); + +var msg18268 = msg("16079", dup267); + +var msg18269 = msg("16080", dup196); + +var msg18270 = msg("16081", dup201); + +var msg18271 = msg("16082", dup252); + +var msg18272 = msg("16083", dup287); + +var msg18273 = msg("16084", dup258); + +var msg18274 = msg("16085", dup201); + +var msg18275 = msg("16086", dup252); + +var msg18276 = msg("16087", dup263); + +var msg18277 = msg("16089", dup222); + +var msg18278 = msg("16090", dup267); + +var msg18279 = msg("16091", dup198); + +var msg18280 = msg("16092", dup192); + +var msg18281 = msg("16093", dup192); + +var msg18282 = msg("16094", dup192); + +var msg18283 = msg("16095", dup192); + +var msg18284 = msg("16096", dup192); + +var msg18285 = msg("16097", dup192); + +var msg18286 = msg("16098", dup192); + +var msg18287 = msg("16099", dup192); + +var msg18288 = msg("16100", dup192); + +var msg18289 = msg("16101", dup192); + +var msg18290 = msg("16102", dup192); + +var msg18291 = msg("16103", dup192); + +var msg18292 = msg("16104", dup192); + +var msg18293 = msg("16105", dup192); + +var msg18294 = msg("16106", dup192); + +var msg18295 = msg("16107", dup192); + +var msg18296 = msg("16108", dup192); + +var msg18297 = msg("16109", dup192); + +var msg18298 = msg("16110", dup192); + +var msg18299 = msg("16111", dup192); + +var msg18300 = msg("16112", dup192); + +var msg18301 = msg("16113", dup192); + +var msg18302 = msg("16114", dup303); + +var msg18303 = msg("16115", dup303); + +var msg18304 = msg("16116", dup303); + +var msg18305 = msg("16117", dup303); + +var msg18306 = msg("16118", dup303); + +var msg18307 = msg("16119", dup303); + +var msg18308 = msg("16120", dup303); + +var msg18309 = msg("16121", dup303); + +var msg18310 = msg("16122", dup303); + +var msg18311 = msg("16123", dup303); + +var msg18312 = msg("16124", dup192); + +var msg18313 = msg("16125", dup303); + +var msg18314 = msg("16126", dup303); + +var msg18315 = msg("16127", dup303); + +var msg18316 = msg("16128", dup303); + +var msg18317 = msg("16129", dup303); + +var msg18318 = msg("16130", dup303); + +var msg18319 = msg("16131", dup192); + +var msg18320 = msg("16132", dup303); + +var msg18321 = msg("16133", dup303); + +var msg18322 = msg("16134", dup303); + +var msg18323 = msg("16135", dup303); + +var msg18324 = msg("16136", dup303); + +var msg18325 = msg("16137", dup303); + +var msg18326 = msg("16138", dup303); + +var msg18327 = msg("16139", dup192); + +var msg18328 = msg("16140", dup192); + +var msg18329 = msg("16141", dup192); + +var msg18330 = msg("16142", dup196); + +var msg18331 = msg("16143", dup196); + +var msg18332 = msg("16144", dup196); + +var msg18333 = msg("16145", dup222); + +var msg18334 = msg("16146", dup311); + +var msg18335 = msg("16147", dup198); + +var msg18336 = msg("16148", dup196); + +var msg18337 = msg("16149", dup196); + +var msg18338 = msg("16150", dup196); + +var msg18339 = msg("16151", dup265); + +var msg18340 = msg("16152", dup196); + +var msg18341 = msg("16153", dup196); + +var msg18342 = msg("16154", dup196); + +var msg18343 = msg("16155", dup196); + +var msg18344 = msg("16156", dup196); + +var msg18345 = msg("16157", dup196); + +var msg18346 = msg("16158", dup196); + +var msg18347 = msg("16159", dup240); + +var msg18348 = msg("16160", dup240); + +var msg18349 = msg("16161", dup240); + +var msg18350 = msg("16162", dup240); + +var msg18351 = msg("16163", dup240); + +var msg18352 = msg("16164", dup240); + +var msg18353 = msg("16165", dup240); + +var msg18354 = msg("16166", dup240); + +var msg18355 = msg("16167", dup240); + +var msg18356 = msg("16168", dup198); + +var msg18357 = msg("16169", dup265); + +var msg18358 = msg("16170", dup267); + +var msg18359 = msg("16171", dup267); + +var msg18360 = msg("16172", dup196); + +var msg18361 = msg("16173", dup196); + +var msg18362 = msg("16174", dup196); + +var msg18363 = msg("16175", dup198); + +var msg18364 = msg("16176", dup196); + +var msg18365 = msg("16177", dup196); + +var msg18366 = msg("16178", dup196); + +var msg18367 = msg("16179", dup287); + +var msg18368 = msg("16180", dup265); + +var msg18369 = msg("16181", dup267); + +var msg18370 = msg("16182", dup196); + +var msg18371 = msg("16183", dup196); + +var msg18372 = msg("16184", dup222); + +var msg18373 = msg("16185", dup196); + +var msg18374 = msg("16186", dup267); + +var msg18375 = msg("16187", dup269); + +var msg18376 = msg("16188", dup265); + +var msg18377 = msg("16189", dup260); + +var msg18378 = msg("16190", dup196); + +var msg18379 = msg("16191", dup285); + +var msg18380 = msg("16192", dup285); + +var msg18381 = msg("16193", dup222); + +var msg18382 = msg("16194", dup267); + +var msg18383 = msg("16195", dup267); + +var msg18384 = msg("16196", dup273); + +var msg18385 = msg("16197", dup198); + +var msg18386 = msg("16198", dup260); + +var msg18387 = msg("16199", dup198); + +var msg18388 = msg("16200", dup196); + +var msg18389 = msg("16201", dup201); + +var msg18390 = msg("16202", dup198); + +var msg18391 = msg("16203", dup198); + +var msg18392 = msg("16204", dup267); + +var msg18393 = msg("16205", dup265); + +var msg18394 = msg("16206", dup196); + +var msg18395 = msg("16207", dup267); + +var msg18396 = msg("16208", dup260); + +var msg18397 = msg("16209", dup198); + +var msg18398 = msg("16210", dup198); + +var msg18399 = msg("16211", dup198); + +var msg18400 = msg("16212", dup198); + +var msg18401 = msg("16213", dup267); + +var msg18402 = msg("16214", dup198); + +var msg18403 = msg("16215", dup287); + +var msg18404 = msg("16216", dup265); + +var msg18405 = msg("16217", dup197); + +var msg18406 = msg("16218", dup265); + +var msg18407 = msg("16219", dup196); + +var msg18408 = msg("16220", dup265); + +var msg18409 = msg("16221", dup198); + +var msg18410 = msg("16222", dup269); + +var msg18411 = msg("16223", dup265); + +var msg18412 = msg("16224", dup265); + +var msg18413 = msg("16225", dup196); + +var msg18414 = msg("16226", dup196); + +var msg18415 = msg("16227", dup265); + +var msg18416 = msg("16228", dup269); + +var msg18417 = msg("16229", dup265); + +var msg18418 = msg("16230", dup265); + +var msg18419 = msg("16231", dup267); + +var msg18420 = msg("16232", dup267); + +var msg18421 = msg("16233", dup267); + +var msg18422 = msg("16234", dup267); + +var msg18423 = msg("16235", dup196); + +var msg18424 = msg("16236", dup196); + +var msg18425 = msg("16237", dup198); + +var msg18426 = msg("16238", dup201); + +var msg18427 = msg("16239", dup201); + +var msg18428 = msg("16240", dup196); + +var msg18429 = msg("16241", dup267); + +var msg18430 = msg("16242", dup192); + +var msg18431 = msg("16243", dup192); + +var msg18432 = msg("16244", dup192); + +var msg18433 = msg("16245", dup192); + +var msg18434 = msg("16246", dup192); + +var msg18435 = msg("16247", dup192); + +var msg18436 = msg("16248", dup192); + +var msg18437 = msg("16249", dup192); + +var msg18438 = msg("16250", dup192); + +var msg18439 = msg("16251", dup192); + +var msg18440 = msg("16252", dup192); + +var msg18441 = msg("16253", dup192); + +var msg18442 = msg("16254", dup192); + +var msg18443 = msg("16255", dup192); + +var msg18444 = msg("16256", dup192); + +var msg18445 = msg("16257", dup192); + +var msg18446 = msg("16258", dup192); + +var msg18447 = msg("16259", dup192); + +var msg18448 = msg("16260", dup192); + +var msg18449 = msg("16261", dup192); + +var msg18450 = msg("16262", dup192); + +var msg18451 = msg("16263", dup192); + +var msg18452 = msg("16264", dup192); + +var msg18453 = msg("16265", dup192); + +var msg18454 = msg("16266", dup192); + +var msg18455 = msg("16267", dup192); + +var msg18456 = msg("16268", dup192); + +var msg18457 = msg("16269", dup192); + +var msg18458 = msg("16270", dup192); + +var msg18459 = msg("16271", dup192); + +var msg18460 = msg("16272", dup192); + +var msg18461 = msg("16273", dup192); + +var msg18462 = msg("16274", dup192); + +var msg18463 = msg("16275", dup192); + +var msg18464 = msg("16276", dup303); + +var msg18465 = msg("16277", dup303); + +var msg18466 = msg("16278", dup303); + +var msg18467 = msg("16279", dup192); + +var msg18468 = msg("16280", dup192); + +var msg18469 = msg("16281", dup196); + +var msg18470 = msg("16282", dup196); + +var msg18471 = msg("16283", dup267); + +var msg18472 = msg("16284", dup196); + +var msg18473 = msg("16285", dup222); + +var msg18474 = msg("16286", dup265); + +var msg18475 = msg("16287", dup198); + +var msg18476 = msg("16288", dup222); + +var msg18477 = msg("16289", dup192); + +var msg18478 = msg("16290", dup260); + +var msg18479 = msg("16291", dup267); + +var msg18480 = msg("16292", dup222); + +var msg18481 = msg("16293", dup265); + +var msg18482 = msg("16294", dup201); + +var msg18483 = msg("16295", dup194); + +var msg18484 = msg("16296", dup194); + +var msg18485 = msg("16297", dup196); + +var msg18486 = msg("16298", dup196); + +var msg18487 = msg("16299", dup196); + +var msg18488 = msg("16300", dup265); + +var msg18489 = msg("16301", dup265); + +var msg18490 = msg("16302", dup196); + +var msg18491 = msg("16303", dup196); + +var msg18492 = msg("16304", dup196); + +var msg18493 = msg("16305", dup265); + +var msg18494 = msg("16306", dup265); + +var msg18495 = msg("16307", dup265); + +var msg18496 = msg("16308", dup265); + +var msg18497 = msg("16309", dup222); + +var msg18498 = msg("16310", dup269); + +var msg18499 = msg("16311", dup269); + +var msg18500 = msg("16312", dup269); + +var msg18501 = msg("16313", dup196); + +var msg18502 = msg("16314", dup222); + +var msg18503 = msg("16315", dup265); + +var msg18504 = msg("16316", dup265); + +var msg18505 = msg("16317", dup196); + +var msg18506 = msg("16318", dup265); + +var msg18507 = msg("16319", dup265); + +var msg18508 = msg("16320", dup267); + +var msg18509 = msg("16321", dup265); + +var msg18510 = msg("16322", dup265); + +var msg18511 = msg("16323", dup196); + +var msg18512 = msg("16324", dup265); + +var msg18513 = msg("16325", dup196); + +var msg18514 = msg("16326", dup196); + +var msg18515 = msg("16327", dup201); + +var msg18516 = msg("16328", dup196); + +var msg18517 = msg("16329", dup285); + +var msg18518 = msg("16330", dup265); + +var msg18519 = msg("16331", dup267); + +var msg18520 = msg("16332", dup269); + +var msg18521 = msg("16333", dup265); + +var msg18522 = msg("16334", dup196); + +var msg18523 = msg("16335", dup197); + +var msg18524 = msg("16336", dup267); + +var msg18525 = msg("16337", dup196); + +var msg18526 = msg("16338", dup265); + +var msg18527 = msg("16339", dup265); + +var msg18528 = msg("16340", dup196); + +var msg18529 = msg("16341", dup198); + +var msg18530 = msg("16342", dup265); + +var msg18531 = msg("16343", dup196); + +var msg18532 = msg("16344", dup287); + +var msg18533 = msg("16345", dup267); + +var msg18534 = msg("16346", dup267); + +var msg18535 = msg("16347", dup196); + +var msg18536 = msg("16348", dup198); + +var msg18537 = msg("16349", dup198); + +var msg18538 = msg("16350", dup198); + +var msg18539 = msg("16351", dup201); + +var all51 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + setc("eventcategory","1001020302"), + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg18540 = msg("16352", all51); + +var msg18541 = msg("16353", dup265); + +var msg18542 = msg("16354", dup197); + +var msg18543 = msg("16355", dup267); + +var msg18544 = msg("16356", dup201); + +var msg18545 = msg("16357", dup201); + +var msg18546 = msg("16358", dup192); + +var msg18547 = msg("16359", dup267); + +var msg18548 = msg("16360", dup265); + +var msg18549 = msg("16361", dup267); + +var msg18550 = msg("16362", dup196); + +var msg18551 = msg("16363", dup227); + +var msg18552 = msg("16364", dup198); + +var msg18553 = msg("16365", dup192); + +var msg18554 = msg("16366", dup222); + +var msg18555 = msg("16367", dup265); + +var msg18556 = msg("16368", dup196); + +var msg18557 = msg("16369", dup196); + +var msg18558 = msg("16370", dup265); + +var msg18559 = msg("16371", dup265); + +var msg18560 = msg("16372", dup265); + +var msg18561 = msg("16373", dup267); + +var msg18562 = msg("16374", dup196); + +var msg18563 = msg("16375", dup222); + +var msg18564 = msg("16376", dup196); + +var msg18565 = msg("16377", dup196); + +var msg18566 = msg("16378", dup267); + +var msg18567 = msg("16379", dup265); + +var msg18568 = msg("16380", dup265); + +var msg18569 = msg("16381", dup246); + +var msg18570 = msg("16382", dup265); + +var msg18571 = msg("16383", dup196); + +var msg18572 = msg("16384", dup198); + +var msg18573 = msg("16385", dup260); + +var msg18574 = msg("16386", dup265); + +var msg18575 = msg("16387", dup265); + +var msg18576 = msg("16388", dup265); + +var msg18577 = msg("16389", dup265); + +var msg18578 = msg("16390", dup196); + +var msg18579 = msg("16391", dup192); + +var msg18580 = msg("16392", dup273); + +var msg18581 = msg("16393", dup197); + +var msg18582 = msg("16394", dup198); + +var msg18583 = msg("16395", dup276); + +var msg18584 = msg("16396", dup276); + +var msg18585 = msg("16397", dup246); + +var msg18586 = msg("16398", dup246); + +var msg18587 = msg("16399", dup246); + +var msg18588 = msg("16400", dup246); + +var msg18589 = msg("16401", dup246); + +var msg18590 = msg("16402", dup246); + +var msg18591 = msg("16403", dup246); + +var msg18592 = msg("16404", dup246); + +var msg18593 = msg("16405", dup201); + +var msg18594 = msg("16406", dup265); + +var msg18595 = msg("16407", dup265); + +var msg18596 = msg("16408", dup198); + +var msg18597 = msg("16409", dup267); + +var msg18598 = msg("16410", dup265); + +var msg18599 = msg("16411", dup267); + +var msg18600 = msg("16412", dup267); + +var msg18601 = msg("16413", dup267); + +var msg18602 = msg("16414", dup267); + +var msg18603 = msg("16415", dup265); + +var msg18604 = msg("16416", dup196); + +var msg18605 = msg("16417", dup276); + +var msg18606 = msg("16418", dup276); + +var msg18607 = msg("16419", dup265); + +var msg18608 = msg("16420", dup265); + +var msg18609 = msg("16421", dup196); + +var msg18610 = msg("16422", dup196); + +var msg18611 = msg("16423", dup267); + +var msg18612 = msg("16424", dup265); + +var msg18613 = msg("16425", dup267); + +var msg18614 = msg("16426", dup267); + +var msg18615 = msg("16427", dup267); + +var msg18616 = msg("16428", dup222); + +var msg18617 = msg("16429", dup267); + +var msg18618 = msg("16430", dup267); + +var msg18619 = msg("16431", dup260); + +var msg18620 = msg("16432", dup265); + +var msg18621 = msg("16433", dup198); + +var msg18622 = msg("16434", dup196); + +var msg18623 = msg("16435", dup196); + +var msg18624 = msg("16436", dup196); + +var msg18625 = msg("16437", dup222); + +var msg18626 = msg("16438", dup269); + +var msg18627 = msg("16439", dup196); + +var msg18628 = msg("16440", dup196); + +var msg18629 = msg("16441", dup196); + +var msg18630 = msg("16442", dup196); + +var msg18631 = msg("16443", dup196); + +var msg18632 = msg("16444", dup196); + +var msg18633 = msg("16445", dup198); + +var msg18634 = msg("16446", dup287); + +var msg18635 = msg("16447", dup258); + +var msg18636 = msg("16448", dup201); + +var msg18637 = msg("16449", dup252); + +var msg18638 = msg("16450", dup260); + +var msg18639 = msg("16451", dup198); + +var msg18640 = msg("16452", dup265); + +var msg18641 = msg("16453", dup198); + +var msg18642 = msg("16454", dup198); + +var msg18643 = msg("16455", dup303); + +var msg18644 = msg("16456", dup303); + +var msg18645 = msg("16457", dup192); + +var msg18646 = msg("16458", dup267); + +var msg18647 = msg("16459", dup192); + +var msg18648 = msg("16460", dup297); + +var msg18649 = msg("16461", dup196); + +var msg18650 = msg("16462", dup196); + +var msg18651 = msg("16463", dup196); + +var msg18652 = msg("16464", dup267); + +var msg18653 = msg("16465", dup267); + +var msg18654 = msg("16466", dup196); + +var msg18655 = msg("16467", dup196); + +var msg18656 = msg("16468", dup196); + +var msg18657 = msg("16469", dup305); + +var msg18658 = msg("16470", dup267); + +var msg18659 = msg("16471", dup267); + +var msg18660 = msg("16472", dup267); + +var msg18661 = msg("16473", dup265); + +var msg18662 = msg("16474", dup196); + +var msg18663 = msg("16475", dup196); + +var msg18664 = msg("16476", dup265); + +var msg18665 = msg("16477", dup265); + +var msg18666 = msg("16478", dup265); + +var msg18667 = msg("16479", dup196); + +var msg18668 = msg("16480", dup196); + +var msg18669 = msg("16481", dup267); + +var msg18670 = msg("16482", dup310); + +var msg18671 = msg("16483", dup238); + +var msg18672 = msg("16484", dup196); + +var msg18673 = msg("16485", dup196); + +var msg18674 = msg("16486", dup192); + +var msg18675 = msg("16487", dup192); + +var msg18676 = msg("16488", dup192); + +var msg18677 = msg("16489", dup303); + +var msg18678 = msg("16490", dup196); + +var msg18679 = msg("16492", dup196); + +var msg18680 = msg("16493", dup196); + +var msg18681 = msg("16494", dup196); + +var msg18682 = msg("16495", dup196); + +var msg18683 = msg("16496", dup196); + +var msg18684 = msg("16497", dup196); + +var msg18685 = msg("16498", dup196); + +var msg18686 = msg("16499", dup196); + +var msg18687 = msg("16500", dup196); + +var msg18688 = msg("16501", dup196); + +var msg18689 = msg("16502", dup196); + +var msg18690 = msg("16503", dup267); + +var msg18691 = msg("16504", dup267); + +var msg18692 = msg("16505", dup267); + +var msg18693 = msg("16506", dup267); + +var msg18694 = msg("16507", dup267); + +var msg18695 = msg("16508", dup267); + +var msg18696 = msg("16509", dup267); + +var msg18697 = msg("16510", dup197); + +var msg18698 = msg("16511", dup197); + +var msg18699 = msg("16512", dup267); + +var msg18700 = msg("16513", dup196); + +var msg18701 = msg("16514", dup196); + +var msg18702 = msg("16515", dup196); + +var msg18703 = msg("16516", dup196); + +var msg18704 = msg("16517", dup196); + +var msg18705 = msg("16518", dup196); + +var msg18706 = msg("16519", dup196); + +var msg18707 = msg("16520", dup196); + +var msg18708 = msg("16521", dup196); + +var msg18709 = msg("16522", dup196); + +var msg18710 = msg("16523", dup196); + +var msg18711 = msg("16524", dup196); + +var msg18712 = msg("16525", dup196); + +var msg18713 = msg("16526", dup196); + +var msg18714 = msg("16527", dup196); + +var msg18715 = msg("16528", dup196); + +var msg18716 = msg("16529", dup196); + +var msg18717 = msg("16530", dup265); + +var msg18718 = msg("16531", dup276); + +var msg18719 = msg("16532", dup276); + +var msg18720 = msg("16533", dup267); + +var msg18721 = msg("16534", dup250); + +var msg18722 = msg("16535", dup267); + +var msg18723 = msg("16536", dup267); + +var msg18724 = msg("16537", dup267); + +var msg18725 = msg("16538", dup196); + +var msg18726 = msg("16539", dup197); + +var msg18727 = msg("16540", dup276); + +var msg18728 = msg("16541", dup197); + +var msg18729 = msg("16542", dup197); + +var msg18730 = msg("16543", dup267); + +var msg18731 = msg("16544", dup311); + +var msg18732 = msg("16545", dup267); + +var msg18733 = msg("16546", dup197); + +var msg18734 = msg("16547", dup196); + +var msg18735 = msg("16548", dup196); + +var msg18736 = msg("16549", dup196); + +var msg18737 = msg("16550", dup196); + +var msg18738 = msg("16551", dup196); + +var msg18739 = msg("16552", dup196); + +var msg18740 = msg("16553", dup267); + +var msg18741 = msg("16554", dup196); + +var msg18742 = msg("16555", dup196); + +var msg18743 = msg("16556", dup196); + +var msg18744 = msg("16557", dup196); + +var msg18745 = msg("16558", dup196); + +var msg18746 = msg("16559", dup309); + +var msg18747 = msg("16560", dup265); + +var msg18748 = msg("16561", dup267); + +var msg18749 = msg("16562", dup267); + +var msg18750 = msg("16563", dup267); + +var msg18751 = msg("16564", dup267); + +var msg18752 = msg("16565", dup265); + +var msg18753 = msg("16566", dup265); + +var msg18754 = msg("16567", dup265); + +var msg18755 = msg("16568", dup265); + +var msg18756 = msg("16569", dup265); + +var msg18757 = msg("16570", dup265); + +var msg18758 = msg("16571", dup265); + +var msg18759 = msg("16572", dup265); + +var msg18760 = msg("16573", dup196); + +var msg18761 = msg("16574", dup196); + +var msg18762 = msg("16575", dup222); + +var msg18763 = msg("16576", dup222); + +var msg18764 = msg("16577", dup276); + +var msg18765 = msg("16578", dup222); + +var msg18766 = msg("16579", dup222); + +var msg18767 = msg("16580", dup202); + +var msg18768 = msg("16581", dup202); + +var msg18769 = msg("16582", dup267); + +var msg18770 = msg("16583", dup267); + +var msg18771 = msg("16584", dup267); + +var msg18772 = msg("16585", dup267); + +var msg18773 = msg("16586", dup267); + +var msg18774 = msg("16587", dup201); + +var msg18775 = msg("16588", dup196); + +var msg18776 = msg("16589", dup222); + +var msg18777 = msg("16590", dup196); + +var msg18778 = msg("16591", dup196); + +var msg18779 = msg("16592", dup196); + +var msg18780 = msg("16593", dup267); + +var msg18781 = msg("16594", dup298); + +var msg18782 = msg("16595", dup267); + +var msg18783 = msg("16596", dup267); + +var msg18784 = msg("16597", dup222); + +var msg18785 = msg("16598", dup197); + +var msg18786 = msg("16599", dup222); + +var msg18787 = msg("16600", dup192); + +var msg18788 = msg("16601", dup267); + +var msg18789 = msg("16602", dup196); + +var msg18790 = msg("16603", dup197); + +var msg18791 = msg("16604", dup267); + +var msg18792 = msg("16605", dup267); + +var msg18793 = msg("16606", dup222); + +var msg18794 = msg("16607", dup196); + +var msg18795 = msg("16608", dup197); + +var msg18796 = msg("16609", dup197); + +var msg18797 = msg("16610", dup222); + +var msg18798 = msg("16611", dup267); + +var msg18799 = msg("16612", dup267); + +var msg18800 = msg("16613", dup192); + +var msg18801 = msg("16614", dup192); + +var msg18802 = msg("16615", dup192); + +var msg18803 = msg("16616", dup192); + +var msg18804 = msg("16617", dup192); + +var msg18805 = msg("16618", dup192); + +var msg18806 = msg("16619", dup192); + +var msg18807 = msg("16620", dup192); + +var msg18808 = msg("16621", dup192); + +var msg18809 = msg("16622", dup192); + +var msg18810 = msg("16623", dup192); + +var msg18811 = msg("16624", dup192); + +var msg18812 = msg("16625", dup192); + +var msg18813 = msg("16626", dup192); + +var msg18814 = msg("16627", dup192); + +var msg18815 = msg("16628", dup192); + +var msg18816 = msg("16629", dup196); + +var msg18817 = msg("16630", dup196); + +var msg18818 = msg("16631", dup196); + +var msg18819 = msg("16632", dup196); + +var msg18820 = msg("16633", dup267); + +var msg18821 = msg("16634", dup267); + +var msg18822 = msg("16635", dup265); + +var msg18823 = msg("16636", dup196); + +var msg18824 = msg("16637", dup196); + +var msg18825 = msg("16638", dup267); + +var msg18826 = msg("16639", dup267); + +var msg18827 = msg("16640", dup267); + +var msg18828 = msg("16641", dup267); + +var msg18829 = msg("16642", dup196); + +var msg18830 = msg("16643", dup267); + +var msg18831 = msg("16644", dup196); + +var msg18832 = msg("16645", dup196); + +var msg18833 = msg("16646", dup222); + +var msg18834 = msg("16647", dup267); + +var msg18835 = msg("16648", dup196); + +var msg18836 = msg("16649", dup267); + +var msg18837 = msg("16650", dup267); + +var msg18838 = msg("16651", dup267); + +var msg18839 = msg("16652", dup267); + +var msg18840 = msg("16653", dup267); + +var msg18841 = msg("16654", dup267); + +var msg18842 = msg("16655", dup267); + +var msg18843 = msg("16656", dup267); + +var msg18844 = msg("16657", dup267); + +var msg18845 = msg("16658", dup267); + +var msg18846 = msg("16659", dup196); + +var msg18847 = msg("16660", dup198); + +var msg18848 = msg("16661", dup196); + +var msg18849 = msg("16662", dup267); + +var msg18850 = msg("16663", dup267); + +var msg18851 = msg("16664", dup196); + +var msg18852 = msg("16665", dup265); + +var msg18853 = msg("16666", dup196); + +var msg18854 = msg("16667", dup196); + +var msg18855 = msg("16668", dup202); + +var msg18856 = msg("16669", dup303); + +var msg18857 = msg("16670", dup303); + +var msg18858 = msg("16671", dup267); + +var msg18859 = msg("16672", dup197); + +var msg18860 = msg("16673", dup267); + +var msg18861 = msg("16674", dup267); + +var msg18862 = msg("16675", dup196); + +var msg18863 = msg("16676", dup196); + +var msg18864 = msg("16677", dup196); + +var msg18865 = msg("16678", dup265); + +var msg18866 = msg("16679", dup201); + +var msg18867 = msg("16680", dup196); + +var msg18868 = msg("16681", dup267); + +var msg18869 = msg("16682", dup265); + +var msg18870 = msg("16683", dup267); + +var msg18871 = msg("16684", dup198); + +var msg18872 = msg("16685", dup222); + +var msg18873 = msg("16686", dup267); + +var msg18874 = msg("16687", dup201); + +var msg18875 = msg("16688", dup196); + +var msg18876 = msg("16689", dup265); + +var msg18877 = msg("16690", dup196); + +var msg18878 = msg("16691", dup265); + +var msg18879 = msg("16692", dup197); + +var msg18880 = msg("16693", dup303); + +var msg18881 = msg("16694", dup198); + +var msg18882 = msg("16695", dup303); + +var msg18883 = msg("16696", dup197); + +var msg18884 = msg("16697", dup198); + +var msg18885 = msg("16698", dup198); + +var msg18886 = msg("16699", dup257); + +var msg18887 = msg("16700", dup257); + +var msg18888 = msg("16701", dup257); + +var msg18889 = msg("16702", dup257); + +var msg18890 = msg("16703", dup260); + +var msg18891 = msg("16704", dup197); + +var msg18892 = msg("16705", dup222); + +var msg18893 = msg("16706", dup201); + +var msg18894 = msg("16707", dup260); + +var msg18895 = msg("16708", dup260); + +var msg18896 = msg("16709", dup198); + +var msg18897 = msg("16710", dup287); + +var msg18898 = msg("16711", dup201); + +var msg18899 = msg("16712", dup267); + +var msg18900 = msg("16713", dup267); + +var msg18901 = msg("16714", dup222); + +var msg18902 = msg("16715", dup267); + +var msg18903 = msg("16716", dup197); + +var msg18904 = msg("16717", dup287); + +var msg18905 = msg("16718", dup196); + +var msg18906 = msg("16719", dup201); + +var msg18907 = msg("16720", dup197); + +var msg18908 = msg("16721", dup197); + +var msg18909 = msg("16722", dup260); + +var msg18910 = msg("16723", dup260); + +var msg18911 = msg("16724", dup222); + +var msg18912 = msg("16725", dup197); + +var msg18913 = msg("16726", dup197); + +var msg18914 = msg("16727", dup201); + +var msg18915 = msg("16728", dup276); + +var msg18916 = msg("16729", dup197); + +var msg18917 = msg("16730", dup197); + +var msg18918 = msg("16731", dup197); + +var msg18919 = msg("16732", dup201); + +var msg18920 = msg("16733", dup197); + +var msg18921 = msg("16734", dup197); + +var msg18922 = msg("16735", dup222); + +var msg18923 = msg("16736", dup201); + +var msg18924 = msg("16737", dup197); + +var msg18925 = msg("16738", dup197); + +var msg18926 = msg("16739", dup201); + +var msg18927 = msg("16740", dup267); + +var msg18928 = msg("16741", dup267); + +var msg18929 = msg("16742", dup265); + +var msg18930 = msg("16743", dup197); + +var msg18931 = msg("16744", dup199); + +var msg18932 = msg("16745", dup197); + +var msg18933 = msg("16746", dup265); + +var msg18934 = msg("16747", dup265); + +var msg18935 = msg("16748", dup265); + +var msg18936 = msg("16749", dup265); + +var msg18937 = msg("16750", dup197); + +var msg18938 = msg("16751", dup197); + +var msg18939 = msg("16752", dup197); + +var msg18940 = msg("16753", dup197); + +var msg18941 = msg("16754", dup276); + +var msg18942 = msg("16755", dup276); + +var msg18943 = msg("16756", dup276); + +var msg18944 = msg("16757", dup276); + +var msg18945 = msg("16758", dup276); + +var msg18946 = msg("16759", dup276); + +var msg18947 = msg("16760", dup276); + +var msg18948 = msg("16761", dup276); + +var msg18949 = msg("16762", dup197); + +var msg18950 = msg("16763", dup197); + +var msg18951 = msg("16764", dup197); + +var msg18952 = msg("16765", dup197); + +var msg18953 = msg("16766", dup197); + +var msg18954 = msg("16767", dup265); + +var msg18955 = msg("16768", dup265); + +var msg18956 = msg("16769", dup265); + +var msg18957 = msg("16770", dup265); + +var msg18958 = msg("16771", dup197); + +var msg18959 = msg("16772", dup265); + +var msg18960 = msg("16773", dup265); + +var msg18961 = msg("16774", dup265); + +var msg18962 = msg("16775", dup265); + +var msg18963 = msg("16776", dup201); + +var msg18964 = msg("16777", dup198); + +var msg18965 = msg("16778", dup198); + +var msg18966 = msg("16779", dup265); + +var msg18967 = msg("16780", dup265); + +var msg18968 = msg("16781", dup265); + +var msg18969 = msg("16782", dup265); + +var msg18970 = msg("16783", dup265); + +var msg18971 = msg("16784", dup265); + +var msg18972 = msg("16785", dup267); + +var msg18973 = msg("16786", dup197); + +var msg18974 = msg("16787", dup201); + +var msg18975 = msg("16788", dup267); + +var msg18976 = msg("16789", dup267); + +var msg18977 = msg("16790", dup267); + +var msg18978 = msg("16791", dup265); + +var msg18979 = msg("16792", dup265); + +var msg18980 = msg("16793", dup265); + +var msg18981 = msg("16794", dup265); + +var msg18982 = msg("16795", dup227); + +var msg18983 = msg("16796", dup255); + +var msg18984 = msg("16797", dup201); + +var msg18985 = msg("16798", dup197); + +var msg18986 = msg("16799", dup197); + +var msg18987 = msg("16800", dup197); + +var msg18988 = msg("16801", dup267); + +var msg18989 = msg("16802", dup265); + +var msg18990 = msg("16803", dup265); + +var msg18991 = msg("16804", dup192); + +var msg18992 = msg("16805", dup192); + +var msg18993 = msg("16806", dup227); + +var msg18994 = msg("16807", dup227); + +var msg18995 = msg("16808", dup192); + +var msg18996 = msg("16809", dup202); + +var msg18997 = msg("16810", dup202); + +var msg18998 = msg("16811", dup202); + +var msg18999 = msg("16812", dup202); + +var msg19000 = msg("16813", dup202); + +var msg19001 = msg("16814", dup202); + +var msg19002 = msg("16815", dup202); + +var msg19003 = msg("16816", dup202); + +var msg19004 = msg("16817", dup202); + +var msg19005 = msg("16818", dup202); + +var msg19006 = msg("16819", dup202); + +var msg19007 = msg("16820", dup202); + +var msg19008 = msg("16821", dup202); + +var msg19009 = msg("16822", dup202); + +var msg19010 = msg("16823", dup202); + +var msg19011 = msg("16824", dup202); + +var msg19012 = msg("16825", dup202); + +var msg19013 = msg("16826", dup202); + +var msg19014 = msg("16827", dup202); + +var msg19015 = msg("16828", dup202); + +var msg19016 = msg("16829", dup202); + +var msg19017 = msg("16830", dup202); + +var msg19018 = msg("16831", dup202); + +var msg19019 = msg("16832", dup202); + +var msg19020 = msg("16833", dup202); + +var msg19021 = msg("16834", dup263); + +var msg19022 = msg("16835", dup263); + +var msg19023 = msg("16836", dup263); + +var msg19024 = msg("16837", dup263); + +var msg19025 = msg("16838", dup263); + +var msg19026 = msg("16839", dup263); + +var msg19027 = msg("16840", dup263); + +var msg19028 = msg("16841", dup263); + +var msg19029 = msg("16842", dup263); + +var msg19030 = msg("16843", dup263); + +var msg19031 = msg("16844", dup263); + +var msg19032 = msg("16845", dup263); + +var msg19033 = msg("16846", dup263); + +var msg19034 = msg("16847", dup263); + +var msg19035 = msg("16848", dup263); + +var msg19036 = msg("16849", dup263); + +var msg19037 = msg("16850", dup263); + +var msg19038 = msg("16851", dup263); + +var msg19039 = msg("16852", dup263); + +var msg19040 = msg("16853", dup263); + +var msg19041 = msg("16854", dup263); + +var msg19042 = msg("16855", dup263); + +var msg19043 = msg("16856", dup263); + +var msg19044 = msg("16857", dup263); + +var msg19045 = msg("16858", dup263); + +var msg19046 = msg("16859", dup263); + +var msg19047 = msg("16860", dup263); + +var msg19048 = msg("16861", dup263); + +var msg19049 = msg("16862", dup263); + +var msg19050 = msg("16863", dup263); + +var msg19051 = msg("16864", dup263); + +var msg19052 = msg("16865", dup263); + +var msg19053 = msg("16866", dup263); + +var msg19054 = msg("16867", dup263); + +var msg19055 = msg("16868", dup263); + +var msg19056 = msg("16869", dup263); + +var msg19057 = msg("16870", dup263); + +var msg19058 = msg("16871", dup263); + +var msg19059 = msg("16872", dup263); + +var msg19060 = msg("16873", dup263); + +var msg19061 = msg("16874", dup263); + +var msg19062 = msg("16875", dup263); + +var msg19063 = msg("16876", dup263); + +var msg19064 = msg("16877", dup263); + +var msg19065 = msg("16878", dup263); + +var msg19066 = msg("16879", dup263); + +var msg19067 = msg("16880", dup263); + +var msg19068 = msg("16881", dup263); + +var msg19069 = msg("16882", dup263); + +var msg19070 = msg("16883", dup263); + +var msg19071 = msg("16884", dup263); + +var msg19072 = msg("16885", dup263); + +var msg19073 = msg("16886", dup263); + +var msg19074 = msg("16887", dup263); + +var msg19075 = msg("16888", dup263); + +var msg19076 = msg("16889", dup263); + +var msg19077 = msg("16890", dup263); + +var msg19078 = msg("16891", dup263); + +var msg19079 = msg("16892", dup263); + +var msg19080 = msg("16893", dup263); + +var msg19081 = msg("16894", dup263); + +var msg19082 = msg("16895", dup263); + +var msg19083 = msg("16896", dup263); + +var msg19084 = msg("16897", dup263); + +var msg19085 = msg("16898", dup263); + +var msg19086 = msg("16899", dup263); + +var msg19087 = msg("16900", dup263); + +var msg19088 = msg("16901", dup263); + +var msg19089 = msg("16902", dup263); + +var msg19090 = msg("16903", dup263); + +var msg19091 = msg("16904", dup263); + +var msg19092 = msg("16905", dup263); + +var msg19093 = msg("16906", dup263); + +var msg19094 = msg("16907", dup263); + +var msg19095 = msg("16908", dup263); + +var msg19096 = msg("16909", dup263); + +var msg19097 = msg("16910", dup263); + +var msg19098 = msg("16911", dup269); + +var msg19099 = msg("16912", dup269); + +var msg19100 = msg("16913", dup269); + +var msg19101 = msg("16914", dup269); + +var msg19102 = msg("16915", dup269); + +var msg19103 = msg("16916", dup269); + +var msg19104 = msg("16917", dup269); + +var msg19105 = msg("16918", dup269); + +var msg19106 = msg("16919", dup269); + +var msg19107 = msg("16920", dup269); + +var msg19108 = msg("16921", dup269); + +var msg19109 = msg("16922", dup269); + +var msg19110 = msg("16923", dup269); + +var msg19111 = msg("16924", dup269); + +var msg19112 = msg("16925", dup269); + +var msg19113 = msg("16926", dup255); + +var msg19114 = msg("16927", dup269); + +var msg19115 = msg("16928", dup269); + +var msg19116 = msg("16929", dup269); + +var msg19117 = msg("16930", dup269); + +var msg19118 = msg("16931", dup269); + +var msg19119 = msg("16932", dup269); + +var msg19120 = msg("16933", dup269); + +var msg19121 = msg("16934", dup312); + +var msg19122 = msg("16935", dup312); + +var msg19123 = msg("16936", dup312); + +var msg19124 = msg("16937", dup312); + +var msg19125 = msg("16938", dup312); + +var msg19126 = msg("16939", dup312); + +var msg19127 = msg("16940", dup312); + +var msg19128 = msg("16941", dup312); + +var msg19129 = msg("16942", dup312); + +var msg19130 = msg("16943", dup312); + +var msg19131 = msg("16944", dup312); + +var msg19132 = msg("16945", dup312); + +var msg19133 = msg("16946", dup312); + +var msg19134 = msg("16947", dup312); + +var msg19135 = msg("16948", dup312); + +var msg19136 = msg("16949", dup312); + +var msg19137 = msg("16950", dup312); + +var msg19138 = msg("16951", dup312); + +var msg19139 = msg("16952", dup312); + +var msg19140 = msg("16953", dup312); + +var msg19141 = msg("16954", dup312); + +var msg19142 = msg("16955", dup312); + +var msg19143 = msg("16956", dup312); + +var msg19144 = msg("16957", dup312); + +var msg19145 = msg("16958", dup312); + +var msg19146 = msg("16959", dup312); + +var msg19147 = msg("16960", dup312); + +var msg19148 = msg("16961", dup312); + +var msg19149 = msg("16962", dup312); + +var msg19150 = msg("16963", dup312); + +var msg19151 = msg("16964", dup312); + +var msg19152 = msg("16965", dup312); + +var msg19153 = msg("16966", dup312); + +var msg19154 = msg("16967", dup312); + +var msg19155 = msg("16968", dup312); + +var msg19156 = msg("16969", dup312); + +var msg19157 = msg("16970", dup312); + +var msg19158 = msg("16971", dup312); + +var msg19159 = msg("16972", dup312); + +var msg19160 = msg("16973", dup312); + +var msg19161 = msg("16974", dup312); + +var msg19162 = msg("16975", dup312); + +var msg19163 = msg("16976", dup312); + +var msg19164 = msg("16977", dup312); + +var msg19165 = msg("16978", dup312); + +var msg19166 = msg("16979", dup312); + +var msg19167 = msg("16980", dup312); + +var msg19168 = msg("16981", dup312); + +var msg19169 = msg("16982", dup312); + +var msg19170 = msg("16983", dup312); + +var msg19171 = msg("16984", dup312); + +var msg19172 = msg("16985", dup312); + +var msg19173 = msg("16986", dup312); + +var msg19174 = msg("16987", dup312); + +var msg19175 = msg("16988", dup312); + +var msg19176 = msg("16989", dup312); + +var msg19177 = msg("16990", dup312); + +var msg19178 = msg("16991", dup312); + +var msg19179 = msg("16992", dup312); + +var msg19180 = msg("16993", dup312); + +var msg19181 = msg("16994", dup312); + +var msg19182 = msg("16995", dup312); + +var msg19183 = msg("16996", dup312); + +var msg19184 = msg("16997", dup312); + +var msg19185 = msg("16998", dup312); + +var msg19186 = msg("16999", dup312); + +var msg19187 = msg("17000", dup312); + +var msg19188 = msg("17001", dup312); + +var msg19189 = msg("17002", dup312); + +var msg19190 = msg("17003", dup312); + +var msg19191 = msg("17004", dup312); + +var msg19192 = msg("17005", dup312); + +var msg19193 = msg("17006", dup312); + +var msg19194 = msg("17007", dup312); + +var msg19195 = msg("17008", dup312); + +var msg19196 = msg("17009", dup312); + +var msg19197 = msg("17010", dup312); + +var msg19198 = msg("17011", dup312); + +var msg19199 = msg("17012", dup312); + +var msg19200 = msg("17013", dup312); + +var msg19201 = msg("17014", dup312); + +var msg19202 = msg("17015", dup312); + +var msg19203 = msg("17016", dup312); + +var msg19204 = msg("17017", dup312); + +var msg19205 = msg("17018", dup312); + +var msg19206 = msg("17019", dup312); + +var msg19207 = msg("17020", dup312); + +var msg19208 = msg("17021", dup312); + +var msg19209 = msg("17022", dup312); + +var msg19210 = msg("17023", dup312); + +var msg19211 = msg("17024", dup312); + +var msg19212 = msg("17025", dup312); + +var msg19213 = msg("17026", dup312); + +var msg19214 = msg("17027", dup312); + +var msg19215 = msg("17028", dup312); + +var msg19216 = msg("17029", dup312); + +var msg19217 = msg("17030", dup312); + +var msg19218 = msg("17031", dup312); + +var msg19219 = msg("17032", dup312); + +var msg19220 = msg("17033", dup312); + +var msg19221 = msg("17034", dup267); + +var msg19222 = msg("17035", dup267); + +var msg19223 = msg("17036", dup267); + +var msg19224 = msg("17037", dup267); + +var msg19225 = msg("17038", dup267); + +var msg19226 = msg("17039", dup267); + +var msg19227 = msg("17041", dup265); + +var msg19228 = msg("17042", dup265); + +var msg19229 = msg("17043", dup202); + +var msg19230 = msg("17044", dup240); + +var msg19231 = msg("17045", dup197); + +var msg19232 = msg("17046", dup197); + +var msg19233 = msg("17047", dup255); + +var msg19234 = msg("17048", dup201); + +var msg19235 = msg("17049", dup265); + +var msg19236 = msg("17050", dup265); + +var msg19237 = msg("17051", dup265); + +var msg19238 = msg("17052", dup265); + +var msg19239 = msg("17053", dup265); + +var msg19240 = msg("17054", dup265); + +var msg19241 = msg("17055", dup198); + +var msg19242 = msg("17056", dup201); + +var msg19243 = msg("17057", dup267); + +var msg19244 = msg("17058", dup287); + +var msg19245 = msg("17059", dup227); + +var msg19246 = msg("17060", dup197); + +var msg19247 = msg("17061", dup265); + +var msg19248 = msg("17062", dup265); + +var msg19249 = msg("17063", dup265); + +var msg19250 = msg("17064", dup265); + +var msg19251 = msg("17065", dup265); + +var msg19252 = msg("17066", dup265); + +var msg19253 = msg("17067", dup265); + +var msg19254 = msg("17068", dup265); + +var msg19255 = msg("17069", dup265); + +var msg19256 = msg("17070", dup265); + +var msg19257 = msg("17071", dup265); + +var msg19258 = msg("17072", dup265); + +var msg19259 = msg("17073", dup265); + +var msg19260 = msg("17074", dup265); + +var msg19261 = msg("17075", dup265); + +var msg19262 = msg("17076", dup265); + +var msg19263 = msg("17077", dup197); + +var msg19264 = msg("17078", dup265); + +var msg19265 = msg("17079", dup265); + +var msg19266 = msg("17080", dup265); + +var msg19267 = msg("17081", dup265); + +var msg19268 = msg("17082", dup265); + +var msg19269 = msg("17083", dup265); + +var msg19270 = msg("17084", dup265); + +var msg19271 = msg("17085", dup265); + +var msg19272 = msg("17086", dup197); + +var msg19273 = msg("17087", dup265); + +var msg19274 = msg("17088", dup265); + +var msg19275 = msg("17089", dup265); + +var msg19276 = msg("17090", dup265); + +var msg19277 = msg("17091", dup197); + +var msg19278 = msg("17092", dup265); + +var msg19279 = msg("17093", dup265); + +var msg19280 = msg("17094", dup265); + +var msg19281 = msg("17095", dup265); + +var msg19282 = msg("17096", dup265); + +var msg19283 = msg("17097", dup265); + +var msg19284 = msg("17098", dup197); + +var msg19285 = msg("17099", dup250); + +var msg19286 = msg("17100", dup250); + +var msg19287 = msg("17101", dup250); + +var msg19288 = msg("17102", dup250); + +var msg19289 = msg("17103", dup265); + +var msg19290 = msg("17104", dup197); + +var msg19291 = msg("17105", dup197); + +var msg19292 = msg("17106", dup269); + +var msg19293 = msg("17107", dup197); + +var msg19294 = msg("17108", dup197); + +var msg19295 = msg("17109", dup267); + +var msg19296 = msg("17110", dup202); + +var msg19297 = msg("17111", dup197); + +var msg19298 = msg("17112", dup255); + +var msg19299 = msg("17113", dup202); + +var msg19300 = msg("17114", dup267); + +var msg19301 = msg("17115", dup265); + +var msg19302 = msg("17116", dup265); + +var msg19303 = msg("17117", dup267); + +var msg19304 = msg("17118", dup267); + +var msg19305 = msg("17119", dup197); + +var msg19306 = msg("17120", dup267); + +var msg19307 = msg("17121", dup267); + +var msg19308 = msg("17122", dup267); + +var msg19309 = msg("17123", dup267); + +var msg19310 = msg("17124", dup267); + +var msg19311 = msg("17125", dup197); + +var msg19312 = msg("17126", dup202); + +var msg19313 = msg("17127", dup276); + +var msg19314 = msg("17128", dup267); + +var msg19315 = msg("17129", dup267); + +var msg19316 = msg("17130", dup267); + +var msg19317 = msg("17131", dup267); + +var msg19318 = msg("17132", dup267); + +var msg19319 = msg("17133", dup265); + +var msg19320 = msg("17134", dup197); + +var msg19321 = msg("17135", dup197); + +var msg19322 = msg("17136", dup267); + +var msg19323 = msg("17137", dup265); + +var msg19324 = msg("17138", dup201); + +var msg19325 = msg("17139", dup267); + +var msg19326 = msg("17140", dup197); + +var msg19327 = msg("17141", dup267); + +var msg19328 = msg("17142", dup201); + +var msg19329 = msg("17143", dup197); + +var msg19330 = msg("17144", dup197); + +var msg19331 = msg("17145", dup197); + +var msg19332 = msg("17146", dup197); + +var msg19333 = msg("17147", dup197); + +var msg19334 = msg("17148", dup201); + +var msg19335 = msg("17149", dup201); + +var msg19336 = msg("17150", dup201); + +var msg19337 = msg("17151", dup198); + +var msg19338 = msg("17152", dup198); + +var msg19339 = msg("17153", dup267); + +var msg19340 = msg("17154", dup267); + +var msg19341 = msg("17155", dup201); + +var msg19342 = msg("17156", dup267); + +var msg19343 = msg("17157", dup265); + +var msg19344 = msg("17158", dup265); + +var msg19345 = msg("17159", dup265); + +var msg19346 = msg("17160", dup197); + +var msg19347 = msg("17161", dup265); + +var msg19348 = msg("17162", dup265); + +var msg19349 = msg("17163", dup265); + +var msg19350 = msg("17164", dup265); + +var msg19351 = msg("17165", dup265); + +var msg19352 = msg("17166", dup201); + +var msg19353 = msg("17167", dup265); + +var msg19354 = msg("17168", dup265); + +var msg19355 = msg("17169", dup265); + +var msg19356 = msg("17170", dup265); + +var msg19357 = msg("17171", dup265); + +var msg19358 = msg("17172", dup265); + +var msg19359 = msg("17173", dup265); + +var msg19360 = msg("17174", dup265); + +var msg19361 = msg("17175", dup265); + +var msg19362 = msg("17176", dup265); + +var msg19363 = msg("17177", dup265); + +var msg19364 = msg("17178", dup265); + +var msg19365 = msg("17179", dup267); + +var msg19366 = msg("17180", dup267); + +var msg19367 = msg("17181", dup267); + +var msg19368 = msg("17182", dup267); + +var msg19369 = msg("17183", dup267); + +var msg19370 = msg("17184", dup267); + +var msg19371 = msg("17185", dup267); + +var msg19372 = msg("17186", dup267); + +var msg19373 = msg("17187", dup267); + +var msg19374 = msg("17188", dup267); + +var msg19375 = msg("17189", dup267); + +var msg19376 = msg("17190", dup267); + +var msg19377 = msg("17191", dup267); + +var msg19378 = msg("17192", dup267); + +var msg19379 = msg("17193", dup267); + +var msg19380 = msg("17194", dup267); + +var msg19381 = msg("17195", dup311); + +var msg19382 = msg("17196", dup267); + +var msg19383 = msg("17197", dup267); + +var msg19384 = msg("17198", dup267); + +var msg19385 = msg("17199", dup197); + +var msg19386 = msg("17200", dup197); + +var msg19387 = msg("17201", dup197); + +var msg19388 = msg("17202", dup197); + +var msg19389 = msg("17203", dup197); + +var msg19390 = msg("17204", dup197); + +var msg19391 = msg("17205", dup201); + +var msg19392 = msg("17206", dup201); + +var msg19393 = msg("17207", dup267); + +var msg19394 = msg("17208", dup267); + +var msg19395 = msg("17209", dup197); + +var msg19396 = msg("17210", dup267); + +var msg19397 = msg("17211", dup267); + +var msg19398 = msg("17212", dup201); + +var msg19399 = msg("17213", dup265); + +var msg19400 = msg("17214", dup197); + +var msg19401 = msg("17215", dup197); + +var msg19402 = msg("17216", dup267); + +var msg19403 = msg("17217", dup267); + +var msg19404 = msg("17218", dup267); + +var msg19405 = msg("17219", dup197); + +var msg19406 = msg("17220", dup197); + +var msg19407 = msg("17221", dup197); + +var msg19408 = msg("17222", dup197); + +var msg19409 = msg("17223", dup267); + +var msg19410 = msg("17224", dup250); + +var msg19411 = msg("17225", dup202); + +var msg19412 = msg("17226", dup202); + +var msg19413 = msg("17227", dup267); + +var msg19414 = msg("17228", dup267); + +var msg19415 = msg("17229", dup202); + +var msg19416 = msg("17230", dup202); + +var msg19417 = msg("17231", dup202); + +var msg19418 = msg("17232", dup202); + +var msg19419 = msg("17233", dup267); + +var msg19420 = msg("17234", dup238); + +var msg19421 = msg("17235", dup238); + +var msg19422 = msg("17236", dup267); + +var msg19423 = msg("17237", dup202); + +var msg19424 = msg("17238", dup197); + +var msg19425 = msg("17239", dup197); + +var msg19426 = msg("17240", dup197); + +var msg19427 = msg("17241", dup265); + +var msg19428 = msg("17242", dup267); + +var msg19429 = msg("17243", dup267); + +var msg19430 = msg("17244", dup197); + +var msg19431 = msg("17245", dup267); + +var msg19432 = msg("17246", dup287); + +var msg19433 = msg("17247", dup287); + +var msg19434 = msg("17248", dup287); + +var msg19435 = msg("17249", dup197); + +var msg19436 = msg("17250", dup197); + +var msg19437 = msg("17251", dup267); + +var msg19438 = msg("17252", dup276); + +var msg19439 = msg("17253", dup306); + +var msg19440 = msg("17254", dup265); + +var msg19441 = msg("17255", dup197); + +var msg19442 = msg("17256", dup267); + +var msg19443 = msg("17257", dup267); + +var msg19444 = msg("17258", dup267); + +var msg19445 = msg("17259", dup265); + +var msg19446 = msg("17260", dup201); + +var msg19447 = msg("17261", dup267); + +var msg19448 = msg("17262", dup267); + +var msg19449 = msg("17263", dup267); + +var msg19450 = msg("17264", dup267); + +var msg19451 = msg("17265", dup265); + +var msg19452 = msg("17266", dup287); + +var msg19453 = msg("17267", dup287); + +var msg19454 = msg("17268", dup267); + +var msg19455 = msg("17269", dup197); + +var msg19456 = msg("17270", dup260); + +var msg19457 = msg("17271", dup201); + +var msg19458 = msg("17272", dup197); + +var msg19459 = msg("17273", dup197); + +var msg19460 = msg("17274", dup197); + +var msg19461 = msg("17275", dup287); + +var msg19462 = msg("17276", dup287); + +var msg19463 = msg("17277", dup265); + +var msg19464 = msg("17278", dup265); + +var msg19465 = msg("17279", dup265); + +var msg19466 = msg("17280", dup265); + +var msg19467 = msg("17281", dup197); + +var msg19468 = msg("17282", dup197); + +var msg19469 = msg("17283", dup197); + +var msg19470 = msg("17284", dup201); + +var msg19471 = msg("17285", dup267); + +var msg19472 = msg("17286", dup197); + +var msg19473 = msg("17287", dup267); + +var msg19474 = msg("17288", dup197); + +var msg19475 = msg("17289", dup201); + +var msg19476 = msg("17290", dup202); + +var msg19477 = msg("17291", dup202); + +var msg19478 = msg("17292", dup267); + +var msg19479 = msg("17293", dup197); + +var msg19480 = msg("17294", dup197); + +var msg19481 = msg("17295", dup197); + +var msg19482 = msg("17296", dup265); + +var msg19483 = msg("17297", dup197); + +var msg19484 = msg("17298", dup197); + +var msg19485 = msg("17299", dup198); + +var msg19486 = msg("17300", dup197); + +var msg19487 = msg("17301", dup267); + +var msg19488 = msg("17302", dup198); + +var msg19489 = msg("17303", dup267); + +var msg19490 = msg("17304", dup197); + +var msg19491 = msg("17305", dup197); + +var msg19492 = msg("17306", dup198); + +var msg19493 = msg("17307", dup260); + +var msg19494 = msg("17308", dup267); + +var msg19495 = msg("17309", dup197); + +var msg19496 = msg("17310", dup267); + +var msg19497 = msg("17311", dup269); + +var msg19498 = msg("17312", dup269); + +var msg19499 = msg("17313", dup202); + +var msg19500 = msg("17314", dup202); + +var msg19501 = msg("17315", dup197); + +var msg19502 = msg("17316", dup267); + +var msg19503 = msg("17317", dup198); + +var msg19504 = msg("17318", dup267); + +var msg19505 = msg("17319", dup267); + +var msg19506 = msg("17320", dup267); + +var msg19507 = msg("17321", dup201); + +var msg19508 = msg("17322", dup202); + +var msg19509 = msg("17323", dup202); + +var msg19510 = msg("17324", dup199); + +var msg19511 = msg("17325", dup202); + +var msg19512 = msg("17326", dup197); + +var msg19513 = msg("17327", dup202); + +var msg19514 = msg("17328", dup197); + +var msg19515 = msg("17329", dup227); + +var msg19516 = msg("17330", dup265); + +var msg19517 = msg("17331", dup197); + +var msg19518 = msg("17332", dup250); + +var msg19519 = msg("17333", dup197); + +var msg19520 = msg("17334", dup197); + +var msg19521 = msg("17335", dup199); + +var msg19522 = msg("17336", dup199); + +var msg19523 = msg("17337", dup202); + +var msg19524 = msg("17338", dup202); + +var msg19525 = msg("17339", dup202); + +var msg19526 = msg("17340", dup202); + +var msg19527 = msg("17341", dup199); + +var msg19528 = msg("17342", dup199); + +var msg19529 = msg("17343", dup199); + +var msg19530 = msg("17344", dup199); + +var msg19531 = msg("17345", dup199); + +var msg19532 = msg("17346", dup267); + +var msg19533 = msg("17347", dup197); + +var msg19534 = msg("17348", dup197); + +var msg19535 = msg("17349", dup197); + +var msg19536 = msg("17350", dup267); + +var msg19537 = msg("17351", dup197); + +var msg19538 = msg("17352", dup197); + +var msg19539 = msg("17353", dup267); + +var msg19540 = msg("17354", dup198); + +var msg19541 = msg("17355", dup267); + +var msg19542 = msg("17356", dup197); + +var msg19543 = msg("17357", dup197); + +var msg19544 = msg("17358", dup197); + +var msg19545 = msg("17359", dup265); + +var msg19546 = msg("17360", dup197); + +var msg19547 = msg("17361", dup198); + +var msg19548 = msg("17362", dup197); + +var msg19549 = msg("17363", dup267); + +var msg19550 = msg("17364", dup202); + +var msg19551 = msg("17365", dup197); + +var msg19552 = msg("17366", dup197); + +var msg19553 = msg("17367", dup227); + +var msg19554 = msg("17368", dup267); + +var msg19555 = msg("17369", dup197); + +var msg19556 = msg("17370", dup265); + +var msg19557 = msg("17371", dup265); + +var msg19558 = msg("17372", dup197); + +var msg19559 = msg("17373", dup197); + +var msg19560 = msg("17374", dup197); + +var msg19561 = msg("17375", dup197); + +var msg19562 = msg("17376", dup267); + +var msg19563 = msg("17377", dup267); + +var msg19564 = msg("17378", dup197); + +var msg19565 = msg("17379", dup197); + +var msg19566 = msg("17380", dup265); + +var msg19567 = msg("17381", dup197); + +var msg19568 = msg("17382", dup267); + +var msg19569 = msg("17383", dup267); + +var msg19570 = msg("17384", dup197); + +var msg19571 = msg("17385", dup197); + +var msg19572 = msg("17386", dup267); + +var msg19573 = msg("17387", dup265); + +var msg19574 = msg("17388", dup197); + +var msg19575 = msg("17389", dup267); + +var msg19576 = msg("17390", dup198); + +var msg19577 = msg("17391", dup265); + +var msg19578 = msg("17392", dup199); + +var msg19579 = msg("17393", dup199); + +var msg19580 = msg("17394", dup265); + +var msg19581 = msg("17395", dup197); + +var msg19582 = msg("17396", dup267); + +var msg19583 = msg("17397", dup197); + +var msg19584 = msg("17398", dup267); + +var msg19585 = msg("17399", dup267); + +var msg19586 = msg("17400", dup263); + +var msg19587 = msg("17401", dup267); + +var msg19588 = msg("17402", dup267); + +var msg19589 = msg("17403", dup197); + +var msg19590 = msg("17404", dup197); + +var msg19591 = msg("17405", dup197); + +var msg19592 = msg("17406", dup197); + +var msg19593 = msg("17407", dup265); + +var msg19594 = msg("17408", dup197); + +var msg19595 = msg("17409", dup267); + +var msg19596 = msg("17410", dup197); + +var msg19597 = msg("17411", dup267); + +var msg19598 = msg("17412", dup260); + +var msg19599 = msg("17413", dup197); + +var msg19600 = msg("17414", dup287); + +var msg19601 = msg("17415", dup287); + +var msg19602 = msg("17416", dup198); + +var msg19603 = msg("17417", dup198); + +var msg19604 = msg("17418", dup202); + +var msg19605 = msg("17419", dup240); + +var msg19606 = msg("17420", dup265); + +var msg19607 = msg("17421", dup201); + +var msg19608 = msg("17422", dup267); + +var msg19609 = msg("17423", dup197); + +var msg19610 = msg("17424", dup201); + +var msg19611 = msg("17425", dup197); + +var msg19612 = msg("17426", dup265); + +var msg19613 = msg("17427", dup202); + +var msg19614 = msg("17428", dup202); + +var msg19615 = msg("17429", dup265); + +var msg19616 = msg("17430", dup267); + +var msg19617 = msg("17431", dup267); + +var msg19618 = msg("17432", dup197); + +var msg19619 = msg("17433", dup267); + +var msg19620 = msg("17434", dup267); + +var msg19621 = msg("17435", dup255); + +var msg19622 = msg("17436", dup255); + +var msg19623 = msg("17437", dup255); + +var msg19624 = msg("17438", dup255); + +var msg19625 = msg("17439", dup267); + +var msg19626 = msg("17440", dup197); + +var msg19627 = msg("17441", dup265); + +var msg19628 = msg("17442", dup267); + +var msg19629 = msg("17443", dup197); + +var msg19630 = msg("17444", dup197); + +var msg19631 = msg("17445", dup267); + +var msg19632 = msg("17446", dup227); + +var msg19633 = msg("17447", dup202); + +var msg19634 = msg("17448", dup267); + +var msg19635 = msg("17449", dup260); + +var msg19636 = msg("17450", dup197); + +var msg19637 = msg("17451", dup265); + +var msg19638 = msg("17452", dup265); + +var msg19639 = msg("17453", dup265); + +var msg19640 = msg("17454", dup265); + +var msg19641 = msg("17455", dup265); + +var msg19642 = msg("17456", dup265); + +var msg19643 = msg("17457", dup267); + +var msg19644 = msg("17458", dup201); + +var msg19645 = msg("17459", dup201); + +var msg19646 = msg("17460", dup201); + +var msg19647 = msg("17461", dup201); + +var msg19648 = msg("17462", dup267); + +var msg19649 = msg("17463", dup269); + +var msg19650 = msg("17464", dup265); + +var msg19651 = msg("17465", dup265); + +var msg19652 = msg("17466", dup267); + +var msg19653 = msg("17467", dup267); + +var msg19654 = msg("17468", dup267); + +var msg19655 = msg("17469", dup197); + +var msg19656 = msg("17470", dup267); + +var msg19657 = msg("17471", dup201); + +var msg19658 = msg("17472", dup201); + +var msg19659 = msg("17473", dup267); + +var msg19660 = msg("17474", dup201); + +var msg19661 = msg("17475", dup201); + +var msg19662 = msg("17476", dup267); + +var msg19663 = msg("17477", dup201); + +var msg19664 = msg("17478", dup267); + +var msg19665 = msg("17479", dup267); + +var msg19666 = msg("17480", dup201); + +var msg19667 = msg("17481", dup197); + +var msg19668 = msg("17482", dup197); + +var msg19669 = msg("17483", dup198); + +var msg19670 = msg("17484", dup198); + +var msg19671 = msg("17485", dup313); + +var msg19672 = msg("17486", dup197); + +var msg19673 = msg("17487", dup265); + +var msg19674 = msg("17488", dup267); + +var msg19675 = msg("17489", dup197); + +var msg19676 = msg("17490", dup267); + +var msg19677 = msg("17491", dup267); + +var msg19678 = msg("17492", dup267); + +var msg19679 = msg("17493", dup197); + +var msg19680 = msg("17494", dup197); + +var msg19681 = msg("17495", dup267); + +var msg19682 = msg("17496", dup267); + +var msg19683 = msg("17497", dup267); + +var msg19684 = msg("17498", dup265); + +var msg19685 = msg("17499", dup265); + +var msg19686 = msg("17500", dup265); + +var msg19687 = msg("17501", dup265); + +var msg19688 = msg("17502", dup265); + +var msg19689 = msg("17503", dup202); + +var msg19690 = msg("17504", dup197); + +var msg19691 = msg("17505", dup267); + +var msg19692 = msg("17506", dup267); + +var msg19693 = msg("17507", dup267); + +var msg19694 = msg("17508", dup265); + +var msg19695 = msg("17509", dup265); + +var msg19696 = msg("17510", dup265); + +var msg19697 = msg("17511", dup267); + +var msg19698 = msg("17512", dup201); + +var msg19699 = msg("17513", dup201); + +var msg19700 = msg("17514", dup201); + +var msg19701 = msg("17515", dup201); + +var msg19702 = msg("17516", dup201); + +var msg19703 = msg("17517", dup267); + +var msg19704 = msg("17518", dup227); + +var msg19705 = msg("17519", dup197); + +var msg19706 = msg("17520", dup267); + +var msg19707 = msg("17521", dup227); + +var msg19708 = msg("17522", dup197); + +var msg19709 = msg("17523", dup197); + +var msg19710 = msg("17524", dup197); + +var msg19711 = msg("17525", dup202); + +var msg19712 = msg("17526", dup197); + +var msg19713 = msg("17527", dup197); + +var msg19714 = msg("17528", dup197); + +var msg19715 = msg("17529", dup267); + +var msg19716 = msg("17530", dup197); + +var msg19717 = msg("17531", dup197); + +var msg19718 = msg("17532", dup267); + +var msg19719 = msg("17533", dup265); + +var msg19720 = msg("17534", dup202); + +var msg19721 = msg("17535", dup201); + +var msg19722 = msg("17536", dup197); + +var msg19723 = msg("17537", dup267); + +var msg19724 = msg("17538", dup267); + +var msg19725 = msg("17539", dup267); + +var msg19726 = msg("17540", dup202); + +var msg19727 = msg("17541", dup197); + +var msg19728 = msg("17542", dup267); + +var msg19729 = msg("17543", dup267); + +var msg19730 = msg("17544", dup197); + +var msg19731 = msg("17545", dup197); + +var msg19732 = msg("17546", dup202); + +var msg19733 = msg("17547", dup202); + +var msg19734 = msg("17548", dup197); + +var msg19735 = msg("17549", dup267); + +var msg19736 = msg("17550", dup197); + +var msg19737 = msg("17551", dup267); + +var msg19738 = msg("17552", dup265); + +var msg19739 = msg("17553", dup197); + +var msg19740 = msg("17554", dup267); + +var msg19741 = msg("17555", dup267); + +var msg19742 = msg("17556", dup267); + +var msg19743 = msg("17557", dup197); + +var msg19744 = msg("17558", dup197); + +var msg19745 = msg("17559", dup197); + +var msg19746 = msg("17560", dup197); + +var msg19747 = msg("17561", dup197); + +var msg19748 = msg("17562", dup197); + +var msg19749 = msg("17563", dup197); + +var msg19750 = msg("17564", dup202); + +var msg19751 = msg("17565", dup267); + +var msg19752 = msg("17566", dup267); + +var msg19753 = msg("17567", dup309); + +var msg19754 = msg("17568", dup197); + +var msg19755 = msg("17569", dup201); + +var msg19756 = msg("17570", dup267); + +var msg19757 = msg("17571", dup269); + +var msg19758 = msg("17572", dup265); + +var msg19759 = msg("17573", dup197); + +var msg19760 = msg("17574", dup197); + +var msg19761 = msg("17575", dup265); + +var msg19762 = msg("17576", dup265); + +var msg19763 = msg("17577", dup202); + +var msg19764 = msg("17578", dup197); + +var msg19765 = msg("17579", dup267); + +var msg19766 = msg("17580", dup267); + +var msg19767 = msg("17581", dup267); + +var msg19768 = msg("17582", dup265); + +var msg19769 = msg("17583", dup265); + +var msg19770 = msg("17584", dup202); + +var msg19771 = msg("17585", dup267); + +var msg19772 = msg("17586", dup269); + +var msg19773 = msg("17587", dup267); + +var msg19774 = msg("17588", dup265); + +var msg19775 = msg("17589", dup265); + +var msg19776 = msg("17590", dup260); + +var msg19777 = msg("17591", dup267); + +var msg19778 = msg("17592", dup265); + +var msg19779 = msg("17593", dup265); + +var msg19780 = msg("17594", dup265); + +var msg19781 = msg("17595", dup265); + +var msg19782 = msg("17596", dup265); + +var msg19783 = msg("17597", dup265); + +var msg19784 = msg("17598", dup202); + +var msg19785 = msg("17599", dup198); + +var msg19786 = msg("17600", dup202); + +var msg19787 = msg("17601", dup267); + +var msg19788 = msg("17602", dup198); + +var msg19789 = msg("17603", dup267); + +var msg19790 = msg("17604", dup267); + +var msg19791 = msg("17605", dup197); + +var msg19792 = msg("17606", dup267); + +var msg19793 = msg("17607", dup309); + +var msg19794 = msg("17608", dup267); + +var msg19795 = msg("17609", dup197); + +var msg19796 = msg("17610", dup201); + +var msg19797 = msg("17611", dup201); + +var msg19798 = msg("17612", dup201); + +var msg19799 = msg("17613", dup267); + +var msg19800 = msg("17614", dup265); + +var msg19801 = msg("17616", dup265); + +var msg19802 = msg("17618", dup267); + +var msg19803 = msg("17619", dup267); + +var msg19804 = msg("17620", dup197); + +var msg19805 = msg("17621", dup197); + +var msg19806 = msg("17622", dup267); + +var msg19807 = msg("17623", dup197); + +var msg19808 = msg("17624", dup197); + +var msg19809 = msg("17625", dup198); + +var msg19810 = msg("17626", dup197); + +var msg19811 = msg("17628", dup267); + +var msg19812 = msg("17629", dup265); + +var msg19813 = msg("17630", dup267); + +var msg19814 = msg("17631", dup197); + +var msg19815 = msg("17632", dup309); + +var msg19816 = msg("17633", dup197); + +var msg19817 = msg("17634", dup201); + +var msg19818 = msg("17635", dup201); + +var msg19819 = msg("17636", dup201); + +var msg19820 = msg("17637", dup201); + +var msg19821 = msg("17638", dup199); + +var msg19822 = msg("17639", dup306); + +var msg19823 = msg("17640", dup201); + +var msg19824 = msg("17641", dup197); + +var msg19825 = msg("17642", dup267); + +var msg19826 = msg("17643", dup314); + +var msg19827 = msg("17644", dup267); + +var msg19828 = msg("17645", dup267); + +var msg19829 = msg("17646", dup267); + +var msg19830 = msg("17647", dup267); + +var msg19831 = msg("17648", dup265); + +var msg19832 = msg("17649", dup197); + +var msg19833 = msg("17650", dup197); + +var msg19834 = msg("17651", dup287); + +var msg19835 = msg("17652", dup265); + +var msg19836 = msg("17653", dup265); + +var msg19837 = msg("17654", dup267); + +var msg19838 = msg("17655", dup267); + +var msg19839 = msg("17656", dup197); + +var msg19840 = msg("17657", dup311); + +var msg19841 = msg("17658", dup267); + +var msg19842 = msg("17659", dup197); + +var msg19843 = msg("17660", dup267); + +var msg19844 = msg("17661", dup309); + +var msg19845 = msg("17662", dup267); + +var msg19846 = msg("17663", dup197); + +var msg19847 = msg("17664", dup267); + +var msg19848 = msg("17665", dup201); + +var msg19849 = msg("17666", dup197); + +var msg19850 = msg("17667", dup198); + +var msg19851 = msg("17668", dup202); + +var msg19852 = msg("17669", dup267); + +var msg19853 = msg("17670", dup265); + +var msg19854 = msg("17671", dup265); + +var msg19855 = msg("17672", dup265); + +var msg19856 = msg("17673", dup265); + +var msg19857 = msg("17674", dup265); + +var msg19858 = msg("17675", dup265); + +var msg19859 = msg("17676", dup265); + +var msg19860 = msg("17677", dup265); + +var msg19861 = msg("17678", dup197); + +var msg19862 = msg("17679", dup265); + +var msg19863 = msg("17680", dup198); + +var msg19864 = msg("17685", dup267); + +var msg19865 = msg("17686", dup267); + +var msg19866 = msg("17687", dup267); + +var msg19867 = msg("17688", dup267); + +var msg19868 = msg("17689", dup267); + +var msg19869 = msg("17690", dup267); + +var msg19870 = msg("17691", dup267); + +var msg19871 = msg("17692", dup267); + +var msg19872 = msg("17693", dup309); + +var msg19873 = msg("17694", dup309); + +var msg19874 = msg("17695", dup197); + +var msg19875 = msg("17696", dup267); + +var msg19876 = msg("17697", dup309); + +var msg19877 = msg("17698", dup197); + +var msg19878 = msg("17699", dup315); + +var msg19879 = msg("17700", dup197); + +var msg19880 = msg("17701", dup267); + +var msg19881 = msg("17702", dup255); + +var msg19882 = msg("17703", dup267); + +var msg19883 = msg("17704", dup197); + +var msg19884 = msg("17705", dup197); + +var msg19885 = msg("17706", dup267); + +var msg19886 = msg("17707", dup201); + +var msg19887 = msg("17708", dup197); + +var msg19888 = msg("17709", dup267); + +var msg19889 = msg("17710", dup197); + +var msg19890 = msg("17711", dup267); + +var msg19891 = msg("17712", dup267); + +var msg19892 = msg("17713", dup197); + +var msg19893 = msg("17714", dup255); + +var msg19894 = msg("17715", dup255); + +var msg19895 = msg("17716", dup197); + +var msg19896 = msg("17717", dup197); + +var msg19897 = msg("17718", dup267); + +var msg19898 = msg("17719", dup267); + +var msg19899 = msg("17720", dup197); + +var msg19900 = msg("17721", dup267); + +var msg19901 = msg("17722", dup197); + +var msg19902 = msg("17723", dup276); + +var msg19903 = msg("17724", dup269); + +var msg19904 = msg("17725", dup197); + +var msg19905 = msg("17726", dup267); + +var msg19906 = msg("17727", dup197); + +var msg19907 = msg("17728", dup197); + +var msg19908 = msg("17729", dup267); + +var msg19909 = msg("17730", dup267); + +var msg19910 = msg("17731", dup202); + +var msg19911 = msg("17732", dup265); + +var msg19912 = msg("17733", dup265); + +var msg19913 = msg("17734", dup265); + +var msg19914 = msg("17735", dup197); + +var msg19915 = msg("17736", dup197); + +var msg19916 = msg("17737", dup197); + +var msg19917 = msg("17738", dup267); + +var msg19918 = msg("17739", dup202); + +var msg19919 = msg("17740", dup197); + +var msg19920 = msg("17741", dup311); + +var msg19921 = msg("17742", dup267); + +var msg19922 = msg("17743", dup267); + +var msg19923 = msg("17745", dup276); + +var msg19924 = msg("17746", dup197); + +var msg19925 = msg("17747", dup197); + +var msg19926 = msg("17748", dup202); + +var msg19927 = msg("17749", dup255); + +var msg19928 = msg("17750", dup198); + +var msg19929 = msg("17751", dup265); + +var msg19930 = msg("17752", dup267); + +var msg19931 = msg("17753", dup267); + +var msg19932 = msg("17754", dup267); + +var msg19933 = msg("17755", dup267); + +var msg19934 = msg("17756", dup197); + +var msg19935 = msg("17757", dup197); + +var msg19936 = msg("17758", dup267); + +var msg19937 = msg("17759", dup267); + +var msg19938 = msg("17760", dup267); + +var msg19939 = msg("17762", dup267); + +var msg19940 = msg("17763", dup267); + +var msg19941 = msg("17764", dup267); + +var msg19942 = msg("17765", dup197); + +var msg19943 = msg("17766", dup267); + +var msg19944 = msg("17767", dup267); + +var msg19945 = msg("17768", dup267); + +var msg19946 = msg("17769", dup267); + +var msg19947 = msg("17770", dup265); + +var msg19948 = msg("17771", dup267); + +var msg19949 = msg("17772", dup265); + +var msg19950 = msg("17773", dup267); + +var msg19951 = msg("17774", dup267); + +var msg19952 = msg("17775", dup316); + +var msg19953 = msg("17776", dup197); + +var msg19954 = msg("17777", dup197); + +var msg19955 = msg("17778", dup201); + +var msg19956 = msg("17779", dup260); + +var msg19957 = msg("17780", dup197); + +var msg19958 = msg("17781", dup267); + +var msg19959 = msg("17782", dup202); + +var msg19960 = msg("17783", dup202); + +var msg19961 = msg("17784", dup202); + +var msg19962 = msg("17785", dup202); + +var msg19963 = msg("17786", dup202); + +var msg19964 = msg("17787", dup202); + +var msg19965 = msg("17788", dup202); + +var msg19966 = msg("17789", dup202); + +var msg19967 = msg("17790", dup202); + +var msg19968 = msg("17791", dup202); + +var msg19969 = msg("17792", dup202); + +var msg19970 = msg("17793", dup202); + +var msg19971 = msg("17794", dup202); + +var msg19972 = msg("17795", dup202); + +var msg19973 = msg("17796", dup202); + +var msg19974 = msg("17797", dup202); + +var msg19975 = msg("17798", dup202); + +var msg19976 = msg("17799", dup202); + +var msg19977 = msg("17800", dup202); + +var msg19978 = msg("17801", dup202); + +var msg19979 = msg("17802", dup202); + +var msg19980 = msg("17803", dup267); + +var msg19981 = msg("17804", dup267); + +var msg19982 = msg("17805", dup238); + +var msg19983 = msg("17806", dup267); + +var msg19984 = msg("17807", dup267); + +var msg19985 = msg("17808", dup267); + +var msg19986 = msg("17809", dup202); + +var msg19987 = msg("17810", dup263); + +var msg19988 = msg("17811", dup263); + +var msg19989 = msg("17812", dup269); + +var msg19990 = msg("17813", dup263); + +var msg19991 = msg("17814", dup263); + +var msg19992 = msg("17815", dup263); + +var msg19993 = msg("17816", dup263); + +var msg19994 = msg("17817", dup263); + +var msg19995 = msg("17818", dup263); + +var msg19996 = msg("17819", dup263); + +var msg19997 = msg("17820", dup263); + +var msg19998 = msg("17821", dup263); + +var msg19999 = msg("17822", dup263); + +var msg20000 = msg("17823", dup263); + +var msg20001 = msg("17824", dup263); + +var msg20002 = msg("17825", dup263); + +var msg20003 = msg("17826", dup263); + +var msg20004 = msg("17827", dup263); + +var msg20005 = msg("17828", dup263); + +var msg20006 = msg("17829", dup263); + +var msg20007 = msg("17830", dup263); + +var msg20008 = msg("17831", dup263); + +var msg20009 = msg("17832", dup263); + +var msg20010 = msg("17833", dup263); + +var msg20011 = msg("17834", dup263); + +var msg20012 = msg("17835", dup263); + +var msg20013 = msg("17836", dup263); + +var msg20014 = msg("17837", dup263); + +var msg20015 = msg("17838", dup263); + +var msg20016 = msg("17839", dup263); + +var msg20017 = msg("17840", dup263); + +var msg20018 = msg("17841", dup263); + +var msg20019 = msg("17842", dup263); + +var msg20020 = msg("17843", dup263); + +var msg20021 = msg("17844", dup263); + +var msg20022 = msg("17845", dup263); + +var msg20023 = msg("17846", dup263); + +var msg20024 = msg("17847", dup263); + +var msg20025 = msg("17848", dup263); + +var msg20026 = msg("17849", dup263); + +var msg20027 = msg("17850", dup263); + +var msg20028 = msg("17851", dup263); + +var msg20029 = msg("17852", dup263); + +var msg20030 = msg("17853", dup263); + +var msg20031 = msg("17854", dup263); + +var msg20032 = msg("17855", dup263); + +var msg20033 = msg("17856", dup263); + +var msg20034 = msg("17857", dup263); + +var msg20035 = msg("17858", dup263); + +var msg20036 = msg("17859", dup263); + +var msg20037 = msg("17860", dup263); + +var msg20038 = msg("17861", dup263); + +var msg20039 = msg("17862", dup263); + +var msg20040 = msg("17863", dup263); + +var msg20041 = msg("17864", dup263); + +var msg20042 = msg("17865", dup263); + +var msg20043 = msg("17866", dup263); + +var msg20044 = msg("17867", dup263); + +var msg20045 = msg("17868", dup263); + +var msg20046 = msg("17869", dup263); + +var msg20047 = msg("17870", dup263); + +var msg20048 = msg("17871", dup263); + +var msg20049 = msg("17872", dup263); + +var msg20050 = msg("17873", dup263); + +var msg20051 = msg("17874", dup263); + +var msg20052 = msg("17875", dup197); + +var msg20053 = msg("17876", dup263); + +var msg20054 = msg("17877", dup263); + +var msg20055 = msg("17878", dup263); + +var msg20056 = msg("17879", dup263); + +var msg20057 = msg("17880", dup263); + +var msg20058 = msg("17881", dup263); + +var msg20059 = msg("17882", dup263); + +var msg20060 = msg("17883", dup263); + +var msg20061 = msg("17884", dup263); + +var msg20062 = msg("17885", dup263); + +var msg20063 = msg("17886", dup263); + +var msg20064 = msg("17887", dup263); + +var msg20065 = msg("17888", dup263); + +var msg20066 = msg("17889", dup263); + +var msg20067 = msg("17890", dup263); + +var msg20068 = msg("17891", dup263); + +var msg20069 = msg("17892", dup263); + +var msg20070 = msg("17893", dup263); + +var msg20071 = msg("17894", dup263); + +var msg20072 = msg("17895", dup263); + +var msg20073 = msg("17896", dup263); + +var msg20074 = msg("17897", dup263); + +var msg20075 = msg("17898", dup269); + +var msg20076 = msg("17899", dup269); + +var msg20077 = msg("17900", dup269); + +var msg20078 = msg("17901", dup269); + +var msg20079 = msg("17902", dup269); + +var msg20080 = msg("17903", dup269); + +var msg20081 = msg("17904", dup269); + +var msg20082 = msg("17905", dup269); + +var msg20083 = msg("17906", dup269); + +var msg20084 = msg("17907", dup269); + +var msg20085 = msg("17908", dup269); + +var msg20086 = msg("17909", dup269); + +var msg20087 = msg("17910", dup269); + +var msg20088 = msg("17911", dup269); + +var msg20089 = msg("17912", dup269); + +var msg20090 = msg("17913", dup269); + +var msg20091 = msg("17914", dup269); + +var msg20092 = msg("17915", dup269); + +var msg20093 = msg("17916", dup269); + +var msg20094 = msg("17917", dup269); + +var msg20095 = msg("17918", dup312); + +var msg20096 = msg("17919", dup312); + +var msg20097 = msg("17920", dup312); + +var msg20098 = msg("17921", dup312); + +var msg20099 = msg("17922", dup312); + +var msg20100 = msg("17923", dup312); + +var msg20101 = msg("17924", dup312); + +var msg20102 = msg("17925", dup312); + +var msg20103 = msg("17926", dup312); + +var msg20104 = msg("17927", dup312); + +var msg20105 = msg("17928", dup312); + +var msg20106 = msg("17929", dup312); + +var msg20107 = msg("17930", dup312); + +var msg20108 = msg("17931", dup312); + +var msg20109 = msg("17932", dup312); + +var msg20110 = msg("17933", dup312); + +var msg20111 = msg("17934", dup312); + +var msg20112 = msg("17935", dup312); + +var msg20113 = msg("17936", dup312); + +var msg20114 = msg("17937", dup312); + +var msg20115 = msg("17938", dup312); + +var msg20116 = msg("17939", dup312); + +var msg20117 = msg("17940", dup312); + +var msg20118 = msg("17941", dup312); + +var msg20119 = msg("17942", dup312); + +var msg20120 = msg("17943", dup312); + +var msg20121 = msg("17944", dup312); + +var msg20122 = msg("17945", dup312); + +var msg20123 = msg("17946", dup312); + +var msg20124 = msg("17947", dup312); + +var msg20125 = msg("17948", dup312); + +var msg20126 = msg("17949", dup312); + +var msg20127 = msg("17950", dup312); + +var msg20128 = msg("17951", dup312); + +var msg20129 = msg("17952", dup312); + +var msg20130 = msg("17953", dup312); + +var msg20131 = msg("17954", dup312); + +var msg20132 = msg("17955", dup312); + +var msg20133 = msg("17956", dup312); + +var msg20134 = msg("17957", dup312); + +var msg20135 = msg("17958", dup312); + +var msg20136 = msg("17959", dup312); + +var msg20137 = msg("17960", dup312); + +var msg20138 = msg("17961", dup312); + +var msg20139 = msg("17962", dup312); + +var msg20140 = msg("17963", dup312); + +var msg20141 = msg("17964", dup312); + +var msg20142 = msg("17965", dup312); + +var msg20143 = msg("17966", dup312); + +var msg20144 = msg("17967", dup312); + +var msg20145 = msg("17968", dup312); + +var msg20146 = msg("17969", dup312); + +var msg20147 = msg("17970", dup312); + +var msg20148 = msg("17971", dup312); + +var msg20149 = msg("17972", dup312); + +var msg20150 = msg("17973", dup287); + +var msg20151 = msg("17974", dup312); + +var msg20152 = msg("17975", dup312); + +var msg20153 = msg("17976", dup312); + +var msg20154 = msg("17977", dup312); + +var msg20155 = msg("17978", dup312); + +var msg20156 = msg("17979", dup312); + +var msg20157 = msg("17980", dup312); + +var msg20158 = msg("17981", dup312); + +var msg20159 = msg("17982", dup312); + +var msg20160 = msg("17983", dup312); + +var msg20161 = msg("17984", dup312); + +var msg20162 = msg("17985", dup312); + +var msg20163 = msg("17986", dup312); + +var msg20164 = msg("17987", dup312); + +var msg20165 = msg("17988", dup312); + +var msg20166 = msg("17989", dup312); + +var msg20167 = msg("17990", dup312); + +var msg20168 = msg("17991", dup312); + +var msg20169 = msg("17992", dup312); + +var msg20170 = msg("17993", dup312); + +var msg20171 = msg("17994", dup312); + +var msg20172 = msg("17995", dup312); + +var msg20173 = msg("17996", dup312); + +var msg20174 = msg("17997", dup312); + +var msg20175 = msg("17998", dup312); + +var msg20176 = msg("17999", dup312); + +var msg20177 = msg("18000", dup312); + +var msg20178 = msg("18001", dup312); + +var msg20179 = msg("18002", dup312); + +var msg20180 = msg("18003", dup312); + +var msg20181 = msg("18004", dup287); + +var msg20182 = msg("18005", dup312); + +var msg20183 = msg("18006", dup312); + +var msg20184 = msg("18007", dup312); + +var msg20185 = msg("18008", dup312); + +var msg20186 = msg("18009", dup312); + +var msg20187 = msg("18010", dup312); + +var msg20188 = msg("18011", dup312); + +var msg20189 = msg("18012", dup312); + +var msg20190 = msg("18013", dup312); + +var msg20191 = msg("18014", dup312); + +var msg20192 = msg("18015", dup312); + +var msg20193 = msg("18016", dup312); + +var msg20194 = msg("18017", dup312); + +var msg20195 = msg("18018", dup312); + +var msg20196 = msg("18019", dup312); + +var msg20197 = msg("18020", dup312); + +var msg20198 = msg("18021", dup312); + +var msg20199 = msg("18022", dup312); + +var msg20200 = msg("18023", dup312); + +var msg20201 = msg("18024", dup312); + +var msg20202 = msg("18025", dup312); + +var msg20203 = msg("18026", dup312); + +var msg20204 = msg("18027", dup312); + +var msg20205 = msg("18028", dup312); + +var msg20206 = msg("18029", dup312); + +var msg20207 = msg("18030", dup312); + +var msg20208 = msg("18031", dup312); + +var msg20209 = msg("18032", dup312); + +var msg20210 = msg("18033", dup312); + +var msg20211 = msg("18034", dup312); + +var msg20212 = msg("18035", dup312); + +var msg20213 = msg("18036", dup312); + +var msg20214 = msg("18037", dup312); + +var msg20215 = msg("18038", dup312); + +var msg20216 = msg("18039", dup312); + +var msg20217 = msg("18040", dup312); + +var msg20218 = msg("18041", dup312); + +var msg20219 = msg("18042", dup312); + +var msg20220 = msg("18043", dup312); + +var msg20221 = msg("18044", dup312); + +var msg20222 = msg("18045", dup312); + +var msg20223 = msg("18046", dup312); + +var msg20224 = msg("18047", dup312); + +var msg20225 = msg("18048", dup312); + +var msg20226 = msg("18049", dup312); + +var msg20227 = msg("18050", dup312); + +var msg20228 = msg("18051", dup265); + +var msg20229 = msg("18052", dup265); + +var msg20230 = msg("18053", dup312); + +var msg20231 = msg("18054", dup312); + +var msg20232 = msg("18055", dup312); + +var msg20233 = msg("18056", dup312); + +var msg20234 = msg("18057", dup312); + +var msg20235 = msg("18058", dup312); + +var msg20236 = msg("18059", dup312); + +var msg20237 = msg("18060", dup312); + +var msg20238 = msg("18061", dup312); + +var msg20239 = msg("18062", dup267); + +var msg20240 = msg("18063", dup267); + +var msg20241 = msg("18064", dup267); + +var msg20242 = msg("18065", dup267); + +var msg20243 = msg("18066", dup267); + +var msg20244 = msg("18067", dup267); + +var msg20245 = msg("18068", dup267); + +var msg20246 = msg("18069", dup265); + +var msg20247 = msg("18070", dup276); + +var msg20248 = msg("18071", dup267); + +var msg20249 = msg("18072", dup265); + +var msg20250 = msg("18073", dup267); + +var msg20251 = msg("18074", dup265); + +var msg20252 = msg("18076", dup265); + +var msg20253 = msg("18077", dup197); + +var msg20254 = msg("18078", dup197); + +var msg20255 = msg("18079", dup263); + +var msg20256 = msg("18080", dup263); + +var msg20257 = msg("18081", dup263); + +var msg20258 = msg("18082", dup263); + +var msg20259 = msg("18083", dup263); + +var msg20260 = msg("18084", dup263); + +var msg20261 = msg("18085", dup263); + +var msg20262 = msg("18086", dup263); + +var msg20263 = msg("18087", dup263); + +var msg20264 = msg("18088", dup263); + +var msg20265 = msg("18089", dup263); + +var msg20266 = msg("18090", dup263); + +var msg20267 = msg("18091", dup263); + +var msg20268 = msg("18092", dup263); + +var msg20269 = msg("18093", dup263); + +var msg20270 = msg("18094", dup263); + +var msg20271 = msg("18095", dup263); + +var msg20272 = msg("18096", dup265); + +var msg20273 = msg("18097", dup265); + +var msg20274 = msg("18098", dup269); + +var msg20275 = msg("18099", dup269); + +var msg20276 = msg("18100", dup263); + +var msg20277 = msg("18101", dup267); + +var msg20278 = msg("18102", dup202); + +var msg20279 = msg("18103", dup263); + +var msg20280 = msg("18104", dup263); + +var msg20281 = msg("18105", dup263); + +var msg20282 = msg("18106", dup263); + +var msg20283 = msg("18107", dup263); + +var msg20284 = msg("18108", dup263); + +var msg20285 = msg("18109", dup263); + +var msg20286 = msg("18110", dup263); + +var msg20287 = msg("18111", dup263); + +var msg20288 = msg("18112", dup263); + +var msg20289 = msg("18113", dup263); + +var msg20290 = msg("18114", dup263); + +var msg20291 = msg("18115", dup263); + +var msg20292 = msg("18116", dup263); + +var msg20293 = msg("18117", dup263); + +var msg20294 = msg("18118", dup263); + +var msg20295 = msg("18119", dup263); + +var msg20296 = msg("18120", dup263); + +var msg20297 = msg("18121", dup263); + +var msg20298 = msg("18122", dup263); + +var msg20299 = msg("18123", dup263); + +var msg20300 = msg("18124", dup263); + +var msg20301 = msg("18125", dup263); + +var msg20302 = msg("18126", dup263); + +var msg20303 = msg("18127", dup263); + +var msg20304 = msg("18128", dup263); + +var msg20305 = msg("18129", dup263); + +var msg20306 = msg("18130", dup263); + +var msg20307 = msg("18131", dup263); + +var msg20308 = msg("18132", dup263); + +var msg20309 = msg("18133", dup263); + +var msg20310 = msg("18134", dup263); + +var msg20311 = msg("18135", dup263); + +var msg20312 = msg("18136", dup263); + +var msg20313 = msg("18137", dup263); + +var msg20314 = msg("18138", dup263); + +var msg20315 = msg("18139", dup263); + +var msg20316 = msg("18140", dup263); + +var msg20317 = msg("18141", dup263); + +var msg20318 = msg("18142", dup263); + +var msg20319 = msg("18143", dup263); + +var msg20320 = msg("18144", dup263); + +var msg20321 = msg("18145", dup263); + +var msg20322 = msg("18146", dup263); + +var msg20323 = msg("18147", dup263); + +var msg20324 = msg("18148", dup263); + +var msg20325 = msg("18149", dup263); + +var msg20326 = msg("18150", dup263); + +var msg20327 = msg("18151", dup263); + +var msg20328 = msg("18152", dup263); + +var msg20329 = msg("18153", dup263); + +var msg20330 = msg("18154", dup263); + +var msg20331 = msg("18155", dup263); + +var msg20332 = msg("18156", dup263); + +var msg20333 = msg("18157", dup263); + +var msg20334 = msg("18158", dup263); + +var msg20335 = msg("18159", dup263); + +var msg20336 = msg("18160", dup263); + +var msg20337 = msg("18161", dup263); + +var msg20338 = msg("18162", dup263); + +var msg20339 = msg("18163", dup263); + +var msg20340 = msg("18164", dup263); + +var msg20341 = msg("18165", dup263); + +var msg20342 = msg("18166", dup263); + +var msg20343 = msg("18167", dup265); + +var msg20344 = msg("18168", dup265); + +var msg20345 = msg("18169", dup265); + +var msg20346 = msg("18170", dup267); + +var msg20347 = msg("18171", dup201); + +var msg20348 = msg("18172", dup201); + +var msg20349 = msg("18173", dup201); + +var msg20350 = msg("18174", dup267); + +var msg20351 = msg("18175", dup267); + +var msg20352 = msg("18176", dup267); + +var msg20353 = msg("18177", dup267); + +var msg20354 = msg("18178", dup267); + +var msg20355 = msg("18179", dup194); + +var msg20356 = msg("18180", dup307); + +var msg20357 = msg("18181", dup227); + +var msg20358 = msg("18182", dup227); + +var msg20359 = msg("18183", dup263); + +var msg20360 = msg("18184", dup263); + +var msg20361 = msg("18185", dup263); + +var msg20362 = msg("18186", dup267); + +var msg20363 = msg("18187", dup267); + +var msg20364 = msg("18188", dup287); + +var msg20365 = msg("18189", dup255); + +var msg20366 = msg("18190", dup255); + +var msg20367 = msg("18191", dup255); + +var msg20368 = msg("18192", dup255); + +var msg20369 = msg("18193", dup269); + +var msg20370 = msg("18194", dup269); + +var msg20371 = msg("18195", dup198); + +var msg20372 = msg("18196", dup265); + +var msg20373 = msg("18197", dup267); + +var msg20374 = msg("18198", dup267); + +var msg20375 = msg("18199", dup267); + +var msg20376 = msg("18200", dup197); + +var msg20377 = msg("18201", dup267); + +var msg20378 = msg("18202", dup269); + +var msg20379 = msg("18203", dup269); + +var msg20380 = msg("18204", dup269); + +var msg20381 = msg("18205", dup269); + +var msg20382 = msg("18206", dup269); + +var msg20383 = msg("18207", dup269); + +var msg20384 = msg("18208", dup267); + +var msg20385 = msg("18209", dup276); + +var msg20386 = msg("18210", dup267); + +var msg20387 = msg("18211", dup306); + +var msg20388 = msg("18212", dup197); + +var msg20389 = msg("18213", dup267); + +var msg20390 = msg("18214", dup267); + +var msg20391 = msg("18215", dup255); + +var msg20392 = msg("18216", dup265); + +var msg20393 = msg("18217", dup267); + +var msg20394 = msg("18218", dup287); + +var msg20395 = msg("18219", dup267); + +var msg20396 = msg("18220", dup267); + +var msg20397 = msg("18221", dup267); + +var msg20398 = msg("18222", dup267); + +var msg20399 = msg("18223", dup267); + +var msg20400 = msg("18224", dup267); + +var msg20401 = msg("18225", dup276); + +var msg20402 = msg("18226", dup276); + +var msg20403 = msg("18227", dup276); + +var msg20404 = msg("18228", dup202); + +var msg20405 = msg("18229", dup197); + +var msg20406 = msg("18230", dup267); + +var msg20407 = msg("18231", dup265); + +var msg20408 = msg("18232", dup202); + +var msg20409 = msg("18233", dup267); + +var msg20410 = msg("18234", dup265); + +var msg20411 = msg("18235", dup267); + +var msg20412 = msg("18236", dup267); + +var msg20413 = msg("18237", dup267); + +var msg20414 = msg("18238", dup267); + +var msg20415 = msg("18239", dup269); + +var msg20416 = msg("18240", dup265); + +var msg20417 = msg("18241", dup265); + +var msg20418 = msg("18242", dup265); + +var msg20419 = msg("18243", dup227); + +var msg20420 = msg("18244", dup197); + +var msg20421 = msg("18245", dup197); + +var msg20422 = msg("18246", dup197); + +var msg20423 = msg("18247", dup269); + +var msg20424 = msg("18248", dup197); + +var msg20425 = msg("18249", dup201); + +var msg20426 = msg("18250", dup197); + +var msg20427 = msg("18251", dup263); + +var msg20428 = msg("18252", dup255); + +var msg20429 = msg("18253", dup263); + +var msg20430 = msg("18254", dup263); + +var msg20431 = msg("18255", dup263); + +var msg20432 = msg("18256", dup263); + +var msg20433 = msg("18257", dup263); + +var msg20434 = msg("18258", dup263); + +var msg20435 = msg("18259", dup263); + +var msg20436 = msg("18260", dup263); + +var msg20437 = msg("18261", dup267); + +var msg20438 = msg("18262", dup267); + +var msg20439 = msg("18263", dup287); + +var msg20440 = msg("18264", dup287); + +var msg20441 = msg("18265", dup265); + +var msg20442 = msg("18266", dup255); + +var msg20443 = msg("18267", dup255); + +var msg20444 = msg("18268", dup263); + +var msg20445 = msg("18269", dup263); + +var msg20446 = msg("18270", dup263); + +var msg20447 = msg("18271", dup263); + +var msg20448 = msg("18272", dup263); + +var msg20449 = msg("18273", dup265); + +var msg20450 = msg("18274", dup265); + +var msg20451 = msg("18275", dup265); + +var msg20452 = msg("18276", dup202); + +var msg20453 = msg("18277", dup267); + +var msg20454 = msg("18278", dup276); + +var msg20455 = msg("18279", dup192); + +var msg20456 = msg("18280", dup267); + +var msg20457 = msg("18281", dup192); + +var msg20458 = msg("18282", dup267); + +var msg20459 = msg("18283", dup197); + +var msg20460 = msg("18284", dup197); + +var msg20461 = msg("18285", dup197); + +var msg20462 = msg("18286", dup267); + +var msg20463 = msg("18287", dup197); + +var msg20464 = msg("18288", dup197); + +var msg20465 = msg("18289", dup197); + +var msg20466 = msg("18290", dup197); + +var msg20467 = msg("18291", dup197); + +var msg20468 = msg("18292", dup197); + +var msg20469 = msg("18293", dup199); + +var msg20470 = msg("18294", dup197); + +var msg20471 = msg("18295", dup197); + +var msg20472 = msg("18296", dup267); + +var msg20473 = msg("18297", dup197); + +var msg20474 = msg("18298", dup267); + +var msg20475 = msg("18299", dup265); + +var msg20476 = msg("18300", dup199); + +var msg20477 = msg("18301", dup267); + +var msg20478 = msg("18302", dup267); + +var msg20479 = msg("18303", dup201); + +var msg20480 = msg("18304", dup267); + +var msg20481 = msg("18305", dup267); + +var msg20482 = msg("18306", dup267); + +var msg20483 = msg("18307", dup267); + +var msg20484 = msg("18308", dup197); + +var msg20485 = msg("18309", dup197); + +var msg20486 = msg("18310", dup267); + +var msg20487 = msg("18311", dup265); + +var msg20488 = msg("18312", dup197); + +var msg20489 = msg("18313", dup267); + +var msg20490 = msg("18314", dup201); + +var msg20491 = msg("18315", dup201); + +var msg20492 = msg("18316", dup255); + +var msg20493 = msg("18317", dup201); + +var msg20494 = msg("18318", dup202); + +var msg20495 = msg("18319", dup201); + +var msg20496 = msg("18320", dup197); + +var msg20497 = msg("18321", dup265); + +var msg20498 = msg("18322", dup265); + +var msg20499 = msg("18323", dup265); + +var msg20500 = msg("18324", dup265); + +var msg20501 = msg("18325", dup265); + +var msg20502 = msg("18326", dup227); + +var msg20503 = msg("18327", dup197); + +var msg20504 = msg("18328", dup267); + +var msg20505 = msg("18329", dup265); + +var msg20506 = msg("18330", dup276); + +var msg20507 = msg("18331", dup197); + +var msg20508 = msg("18332", dup267); + +var msg20509 = msg("18333", dup267); + +var msg20510 = msg("18334", dup267); + +var msg20511 = msg("18335", dup265); + +var msg20512 = msg("18336", dup269); + +var msg20513 = msg("18337", dup269); + +var msg20514 = msg("18338", dup269); + +var msg20515 = msg("18339", dup269); + +var msg20516 = msg("18340", dup269); + +var msg20517 = msg("18341", dup269); + +var msg20518 = msg("18342", dup269); + +var msg20519 = msg("18343", dup269); + +var msg20520 = msg("18344", dup269); + +var msg20521 = msg("18345", dup269); + +var msg20522 = msg("18346", dup269); + +var msg20523 = msg("18347", dup269); + +var msg20524 = msg("18348", dup269); + +var msg20525 = msg("18349", dup269); + +var msg20526 = msg("18350", dup269); + +var msg20527 = msg("18351", dup269); + +var msg20528 = msg("18352", dup269); + +var msg20529 = msg("18353", dup269); + +var msg20530 = msg("18354", dup269); + +var msg20531 = msg("18355", dup269); + +var msg20532 = msg("18356", dup269); + +var msg20533 = msg("18357", dup269); + +var msg20534 = msg("18358", dup269); + +var msg20535 = msg("18359", dup269); + +var msg20536 = msg("18360", dup269); + +var msg20537 = msg("18361", dup269); + +var msg20538 = msg("18362", dup269); + +var msg20539 = msg("18363", dup269); + +var msg20540 = msg("18364", dup269); + +var msg20541 = msg("18365", dup269); + +var msg20542 = msg("18366", dup269); + +var msg20543 = msg("18367", dup269); + +var msg20544 = msg("18368", dup269); + +var msg20545 = msg("18369", dup269); + +var msg20546 = msg("18370", dup269); + +var msg20547 = msg("18371", dup269); + +var msg20548 = msg("18372", dup269); + +var msg20549 = msg("18373", dup269); + +var msg20550 = msg("18374", dup269); + +var msg20551 = msg("18375", dup269); + +var msg20552 = msg("18376", dup269); + +var msg20553 = msg("18377", dup269); + +var msg20554 = msg("18378", dup269); + +var msg20555 = msg("18379", dup269); + +var msg20556 = msg("18380", dup269); + +var msg20557 = msg("18381", dup269); + +var msg20558 = msg("18382", dup269); + +var msg20559 = msg("18383", dup269); + +var msg20560 = msg("18384", dup269); + +var msg20561 = msg("18385", dup269); + +var msg20562 = msg("18386", dup269); + +var msg20563 = msg("18387", dup269); + +var msg20564 = msg("18388", dup269); + +var msg20565 = msg("18389", dup269); + +var msg20566 = msg("18390", dup269); + +var msg20567 = msg("18391", dup269); + +var msg20568 = msg("18392", dup269); + +var msg20569 = msg("18393", dup269); + +var msg20570 = msg("18394", dup269); + +var msg20571 = msg("18395", dup269); + +var msg20572 = msg("18396", dup265); + +var msg20573 = msg("18397", dup267); + +var msg20574 = msg("18398", dup265); + +var msg20575 = msg("18399", dup267); + +var msg20576 = msg("18400", dup202); + +var msg20577 = msg("18401", dup201); + +var msg20578 = msg("18402", dup267); + +var msg20579 = msg("18403", dup197); + +var msg20580 = msg("18404", dup267); + +var msg20581 = msg("18405", dup197); + +var msg20582 = msg("18406", dup201); + +var msg20583 = msg("18407", dup287); + +var msg20584 = msg("18408", dup267); + +var msg20585 = msg("18409", dup267); + +var msg20586 = msg("18410", dup267); + +var msg20587 = msg("18411", dup202); + +var msg20588 = msg("18412", dup202); + +var msg20589 = msg("18413", dup267); + +var msg20590 = msg("18414", dup265); + +var msg20591 = msg("18415", dup202); + +var msg20592 = msg("18416", dup197); + +var msg20593 = msg("18417", dup197); + +var msg20594 = msg("18418", dup267); + +var msg20595 = msg("18419", dup267); + +var msg20596 = msg("18420", dup201); + +var msg20597 = msg("18421", dup267); + +var msg20598 = msg("18422", dup306); + +var msg20599 = msg("18423", dup306); + +var msg20600 = msg("18424", dup306); + +var msg20601 = msg("18425", dup306); + +var msg20602 = msg("18426", dup260); + +var msg20603 = msg("18427", dup311); + +var msg20604 = msg("18428", dup311); + +var msg20605 = msg("18429", dup311); + +var msg20606 = msg("18430", dup311); + +var msg20607 = msg("18431", dup260); + +var msg20608 = msg("18432", dup267); + +var msg20609 = msg("18433", dup276); + +var msg20610 = msg("18434", dup276); + +var msg20611 = msg("18435", dup276); + +var msg20612 = msg("18436", dup276); + +var msg20613 = msg("18437", dup276); + +var msg20614 = msg("18438", dup276); + +var msg20615 = msg("18439", dup267); + +var msg20616 = msg("18440", dup267); + +var msg20617 = msg("18441", dup267); + +var msg20618 = msg("18442", dup267); + +var msg20619 = msg("18443", dup267); + +var msg20620 = msg("18444", dup202); + +var msg20621 = msg("18445", dup267); + +var msg20622 = msg("18446", dup276); + +var msg20623 = msg("18447", dup267); + +var msg20624 = msg("18448", dup267); + +var msg20625 = msg("18449", dup267); + +var msg20626 = msg("18450", dup202); + +var msg20627 = msg("18451", dup197); + +var msg20628 = msg("18452", dup267); + +var msg20629 = msg("18453", dup267); + +var msg20630 = msg("18454", dup267); + +var msg20631 = msg("18455", dup202); + +var msg20632 = msg("18456", dup265); + +var msg20633 = msg("18457", dup197); + +var msg20634 = msg("18458", dup202); + +var msg20635 = msg("18459", dup202); + +var msg20636 = msg("18460", dup197); + +var msg20637 = msg("18461", dup197); + +var msg20638 = msg("18462", dup197); + +var msg20639 = msg("18463", dup267); + +var msg20640 = msg("18464", dup265); + +var msg20641 = msg("18465", dup267); + +var msg20642 = msg("18466", dup267); + +var msg20643 = msg("18467", dup267); + +var msg20644 = msg("18468", dup197); + +var msg20645 = msg("18469", dup255); + +var msg20646 = msg("18470", dup198); + +var msg20647 = msg("18471", dup198); + +var msg20648 = msg("18472", dup201); + +var msg20649 = msg("18473", dup232); + +var msg20650 = msg("18474", dup232); + +var msg20651 = msg("18475", dup197); + +var msg20652 = msg("18476", dup197); + +var msg20653 = msg("18477", dup197); + +var msg20654 = msg("18478", dup265); + +var msg20655 = msg("18479", dup265); + +var msg20656 = msg("18480", dup197); + +var msg20657 = msg("18481", dup197); + +var msg20658 = msg("18482", dup267); + +var msg20659 = msg("18483", dup197); + +var msg20660 = msg("18484", dup197); + +var msg20661 = msg("18485", dup267); + +var msg20662 = msg("18486", dup267); + +var msg20663 = msg("18487", dup197); + +var msg20664 = msg("18488", dup267); + +var msg20665 = msg("18489", dup276); + +var msg20666 = msg("18490", dup265); + +var msg20667 = msg("18491", dup265); + +var msg20668 = msg("18492", dup263); + +var msg20669 = msg("18493", dup265); + +var msg20670 = msg("18494", dup276); + +var msg20671 = msg("18495", dup267); + +var msg20672 = msg("18496", dup267); + +var msg20673 = msg("18497", dup276); + +var msg20674 = msg("18498", dup267); + +var msg20675 = msg("18499", dup267); + +var msg20676 = msg("18500", dup276); + +var msg20677 = msg("18501", dup263); + +var msg20678 = msg("18502", dup287); + +var msg20679 = msg("18503", dup267); + +var msg20680 = msg("18504", dup197); + +var msg20681 = msg("18505", dup197); + +var msg20682 = msg("18506", dup197); + +var msg20683 = msg("18507", dup197); + +var msg20684 = msg("18508", dup267); + +var msg20685 = msg("18509", dup267); + +var msg20686 = msg("18510", dup197); + +var msg20687 = msg("18511", dup198); + +var msg20688 = msg("18512", dup197); + +var msg20689 = msg("18513", dup260); + +var msg20690 = msg("18514", dup267); + +var msg20691 = msg("18515", dup267); + +var msg20692 = msg("18516", dup202); + +var msg20693 = msg("18517", dup197); + +var msg20694 = msg("18518", dup269); + +var msg20695 = msg("18519", dup269); + +var msg20696 = msg("18520", dup267); + +var msg20697 = msg("18521", dup269); + +var msg20698 = msg("18522", dup269); + +var msg20699 = msg("18523", dup267); + +var msg20700 = msg("18524", dup287); + +var msg20701 = msg("18525", dup197); + +var msg20702 = msg("18526", dup267); + +var msg20703 = msg("18527", dup267); + +var msg20704 = msg("18528", dup265); + +var msg20705 = msg("18529", dup311); + +var msg20706 = msg("18530", dup311); + +var msg20707 = msg("18531", dup201); + +var msg20708 = msg("18532", dup201); + +var msg20709 = msg("18533", dup198); + +var msg20710 = msg("18534", dup198); + +var msg20711 = msg("18535", dup201); + +var msg20712 = msg("18536", dup202); + +var msg20713 = msg("18537", dup197); + +var msg20714 = msg("18538", dup267); + +var msg20715 = msg("18539", dup267); + +var msg20716 = msg("18540", dup267); + +var msg20717 = msg("18541", dup202); + +var msg20718 = msg("18542", dup267); + +var msg20719 = msg("18543", dup202); + +var msg20720 = msg("18544", dup202); + +var msg20721 = msg("18545", dup202); + +var msg20722 = msg("18546", dup202); + +var msg20723 = msg("18547", dup202); + +var msg20724 = msg("18548", dup202); + +var msg20725 = msg("18549", dup202); + +var msg20726 = msg("18550", dup202); + +var msg20727 = msg("18551", dup250); + +var msg20728 = msg("18552", dup250); + +var msg20729 = msg("18553", dup250); + +var msg20730 = msg("18554", dup250); + +var msg20731 = msg("18555", dup267); + +var msg20732 = msg("18556", dup260); + +var msg20733 = msg("18557", dup255); + +var msg20734 = msg("18558", dup255); + +var msg20735 = msg("18559", dup267); + +var msg20736 = msg("18560", dup267); + +var msg20737 = msg("18561", dup197); + +var msg20738 = msg("18562", dup303); + +var msg20739 = msg("18563", dup192); + +var msg20740 = msg("18564", dup303); + +var msg20741 = msg("18565", dup265); + +var msg20742 = msg("18566", dup265); + +var msg20743 = msg("18567", dup265); + +var msg20744 = msg("18568", dup265); + +var msg20745 = msg("18569", dup265); + +var msg20746 = msg("18570", dup265); + +var msg20747 = msg("18571", dup265); + +var msg20748 = msg("18572", dup265); + +var msg20749 = msg("18573", dup265); + +var msg20750 = msg("18574", dup197); + +var msg20751 = msg("18575", dup227); + +var msg20752 = msg("18576", dup265); + +var msg20753 = msg("18577", dup192); + +var msg20754 = msg("18578", dup197); + +var msg20755 = msg("18579", dup197); + +var msg20756 = msg("18580", dup227); + +var msg20757 = msg("18581", dup265); + +var msg20758 = msg("18582", dup265); + +var msg20759 = msg("18583", dup197); + +var msg20760 = msg("18584", dup197); + +var msg20761 = msg("18585", dup267); + +var msg20762 = msg("18586", dup260); + +var msg20763 = msg("18587", dup197); + +var msg20764 = msg("18588", dup227); + +var msg20765 = msg("18589", dup267); + +var msg20766 = msg("18590", dup197); + +var msg20767 = msg("18591", dup197); + +var msg20768 = msg("18592", dup267); + +var msg20769 = msg("18593", dup265); + +var msg20770 = msg("18594", dup202); + +var msg20771 = msg("18595", dup202); + +var msg20772 = msg("18596", dup197); + +var msg20773 = msg("18597", dup197); + +var msg20774 = msg("18598", dup227); + +var msg20775 = msg("18599", dup197); + +var msg20776 = msg("18600", dup197); + +var msg20777 = msg("18601", dup202); + +var msg20778 = msg("18602", dup260); + +var msg20779 = msg("18603", dup197); + +var msg20780 = msg("18604", dup201); + +var msg20781 = msg("18605", dup197); + +var msg20782 = msg("18606", dup202); + +var msg20783 = msg("18607", dup202); + +var msg20784 = msg("18608", dup202); + +var msg20785 = msg("18609", dup202); + +var msg20786 = msg("18610", dup197); + +var msg20787 = msg("18611", dup309); + +var msg20788 = msg("18612", dup309); + +var msg20789 = msg("18613", dup309); + +var msg20790 = msg("18614", dup202); + +var msg20791 = msg("18615", dup197); + +var msg20792 = msg("18616", dup197); + +var msg20793 = msg("18617", dup202); + +var msg20794 = msg("18618", dup202); + +var msg20795 = msg("18619", dup267); + +var msg20796 = msg("18620", dup267); + +var msg20797 = msg("18621", dup267); + +var msg20798 = msg("18622", dup267); + +var msg20799 = msg("18623", dup267); + +var msg20800 = msg("18624", dup267); + +var msg20801 = msg("18625", dup276); + +var msg20802 = msg("18626", dup276); + +var msg20803 = msg("18627", dup276); + +var msg20804 = msg("18628", dup276); + +var msg20805 = msg("18629", dup276); + +var msg20806 = msg("18630", dup197); + +var msg20807 = msg("18631", dup197); + +var msg20808 = msg("18632", dup267); + +var msg20809 = msg("18633", dup267); + +var msg20810 = msg("18634", dup267); + +var msg20811 = msg("18635", dup202); + +var msg20812 = msg("18636", dup267); + +var msg20813 = msg("18637", dup267); + +var msg20814 = msg("18638", dup267); + +var msg20815 = msg("18639", dup267); + +var msg20816 = msg("18640", dup265); + +var msg20817 = msg("18641", dup267); + +var msg20818 = msg("18642", dup197); + +var msg20819 = msg("18643", dup197); + +var msg20820 = msg("18644", dup267); + +var msg20821 = msg("18645", dup267); + +var msg20822 = msg("18646", dup267); + +var msg20823 = msg("18647", dup311); + +var msg20824 = msg("18648", dup202); + +var msg20825 = msg("18649", dup197); + +var msg20826 = msg("18650", dup276); + +var msg20827 = msg("18651", dup197); + +var msg20828 = msg("18652", dup197); + +var msg20829 = msg("18653", dup314); + +var msg20830 = msg("18654", dup202); + +var msg20831 = msg("18655", dup267); + +var msg20832 = msg("18656", dup197); + +var msg20833 = msg("18657", dup267); + +var msg20834 = msg("18658", dup197); + +var msg20835 = msg("18659", dup197); + +var msg20836 = msg("18660", dup197); + +var msg20837 = msg("18661", dup267); + +var msg20838 = msg("18662", dup267); + +var msg20839 = msg("18663", dup267); + +var msg20840 = msg("18664", dup267); + +var msg20841 = msg("18665", dup267); + +var msg20842 = msg("18666", dup267); + +var msg20843 = msg("18667", dup267); + +var msg20844 = msg("18668", dup265); + +var msg20845 = msg("18669", dup265); + +var msg20846 = msg("18670", dup267); + +var msg20847 = msg("18671", dup267); + +var msg20848 = msg("18672", dup265); + +var msg20849 = msg("18673", dup267); + +var msg20850 = msg("18674", dup265); + +var msg20851 = msg("18675", dup265); + +var msg20852 = msg("18676", dup197); + +var msg20853 = msg("18677", dup309); + +var msg20854 = msg("18678", dup267); + +var msg20855 = msg("18679", dup267); + +var msg20856 = msg("18680", dup202); + +var msg20857 = msg("18681", dup202); + +var msg20858 = msg("18682", dup202); + +var msg20859 = msg("18683", dup202); + +var msg20860 = msg("18684", dup202); + +var msg20861 = msg("18685", dup202); + +var msg20862 = msg("18686", dup192); + +var msg20863 = msg("18687", dup192); + +var msg20864 = msg("18688", dup192); + +var msg20865 = msg("18689", dup192); + +var msg20866 = msg("18690", dup192); + +var msg20867 = msg("18691", dup202); + +var msg20868 = msg("18700", dup202); + +var msg20869 = msg("18701", dup250); + +var msg20870 = msg("18702", dup250); + +var msg20871 = msg("18703", dup250); + +var msg20872 = msg("18704", dup250); + +var msg20873 = msg("18705", dup250); + +var msg20874 = msg("18706", dup202); + +var msg20875 = msg("18707", dup303); + +var msg20876 = msg("18708", dup263); + +var msg20877 = msg("18709", dup192); + +var msg20878 = msg("18710", dup197); + +var msg20879 = msg("18711", dup303); + +var msg20880 = msg("18712", dup263); + +var msg20881 = msg("18713", dup198); + +var msg20882 = msg("18714", dup198); + +var msg20883 = msg("18715", dup303); + +var msg20884 = msg("18716", dup192); + +var msg20885 = msg("18717", dup192); + +var msg20886 = msg("18718", dup303); + +var msg20887 = msg("18719", dup192); + +var msg20888 = msg("18720", dup192); + +var msg20889 = msg("18721", dup197); + +var msg20890 = msg("18722", dup197); + +var msg20891 = msg("18723", dup303); + +var msg20892 = msg("18724", dup303); + +var msg20893 = msg("18725", dup197); + +var msg20894 = msg("18726", dup197); + +var msg20895 = msg("18727", dup197); + +var msg20896 = msg("18728", dup197); + +var msg20897 = msg("18729", dup197); + +var msg20898 = msg("18730", dup197); + +var msg20899 = msg("18731", dup197); + +var msg20900 = msg("18732", dup197); + +var msg20901 = msg("18733", dup197); + +var msg20902 = msg("18734", dup197); + +var msg20903 = msg("18735", dup197); + +var msg20904 = msg("18736", dup197); + +var msg20905 = msg("18737", dup197); + +var msg20906 = msg("18738", dup197); + +var msg20907 = msg("18739", dup238); + +var msg20908 = msg("18740", dup267); + +var msg20909 = msg("18741", dup265); + +var msg20910 = msg("18742", dup267); + +var msg20911 = msg("18743", dup267); + +var msg20912 = msg("18744", dup197); + +var msg20913 = msg("18745", dup197); + +var msg20914 = msg("18746", dup197); + +var msg20915 = msg("18747", dup197); + +var msg20916 = msg("18748", dup197); + +var msg20917 = msg("18749", dup197); + +var msg20918 = msg("18750", dup201); + +var msg20919 = msg("18751", dup197); + +var msg20920 = msg("18752", dup197); + +var msg20921 = msg("18753", dup267); + +var msg20922 = msg("18754", dup267); + +var msg20923 = msg("18755", dup267); + +var msg20924 = msg("18756", dup267); + +var msg20925 = msg("18757", dup267); + +var msg20926 = msg("18758", dup287); + +var msg20927 = msg("18759", dup197); + +var msg20928 = msg("18760", dup197); + +var msg20929 = msg("18761", dup265); + +var msg20930 = msg("18762", dup269); + +var msg20931 = msg("18763", dup197); + +var msg20932 = msg("18764", dup201); + +var msg20933 = msg("18765", dup250); + +var msg20934 = msg("18766", dup267); + +var msg20935 = msg("18767", dup201); + +var msg20936 = msg("18768", dup197); + +var msg20937 = msg("18769", dup197); + +var msg20938 = msg("18770", dup267); + +var msg20939 = msg("18771", dup267); + +var msg20940 = msg("18772", dup267); + +var msg20941 = msg("18773", dup269); + +var msg20942 = msg("18774", dup269); + +var msg20943 = msg("18775", dup269); + +var msg20944 = msg("18776", dup267); + +var msg20945 = msg("18777", dup198); + +var msg20946 = msg("18778", dup197); + +var msg20947 = msg("18779", dup197); + +var msg20948 = msg("18780", dup197); + +var msg20949 = msg("18781", dup197); + +var msg20950 = msg("18782", dup269); + +var msg20951 = msg("18783", dup197); + +var msg20952 = msg("18784", dup197); + +var msg20953 = msg("18785", dup197); + +var msg20954 = msg("18786", dup197); + +var msg20955 = msg("18787", dup197); + +var msg20956 = msg("18788", dup197); + +var msg20957 = msg("18789", dup197); + +var msg20958 = msg("18790", dup201); + +var msg20959 = msg("18791", dup197); + +var msg20960 = msg("18792", dup267); + +var msg20961 = msg("18793", dup267); + +var msg20962 = msg("18794", dup265); + +var msg20963 = msg("18795", dup267); + +var msg20964 = msg("18796", dup197); + +var msg20965 = msg("18797", dup267); + +var msg20966 = msg("18798", dup198); + +var msg20967 = msg("18799", dup198); + +var msg20968 = msg("18800", dup202); + +var msg20969 = msg("18801", dup267); + +var msg20970 = msg("18802", dup265); + +var msg20971 = msg("18803", dup197); + +var msg20972 = msg("18804", dup267); + +var msg20973 = msg("18805", dup267); + +var msg20974 = msg("18806", dup267); + +var msg20975 = msg("18807", dup198); + +var msg20976 = msg("18808", dup201); + +var msg20977 = msg("18809", dup197); + +var msg20978 = msg("18810", dup265); + +var msg20979 = msg("18811", dup250); + +var msg20980 = msg("18812", dup250); + +var msg20981 = msg("18813", dup250); + +var msg20982 = msg("18814", dup250); + +var msg20983 = msg("18815", dup250); + +var msg20984 = msg("18816", dup250); + +var msg20985 = msg("18817", dup250); + +var msg20986 = msg("18818", dup250); + +var msg20987 = msg("18819", dup250); + +var msg20988 = msg("18820", dup250); + +var msg20989 = msg("18821", dup250); + +var msg20990 = msg("18822", dup250); + +var msg20991 = msg("18823", dup250); + +var msg20992 = msg("18824", dup250); + +var msg20993 = msg("18825", dup250); + +var msg20994 = msg("18826", dup250); + +var msg20995 = msg("18827", dup250); + +var msg20996 = msg("18828", dup250); + +var msg20997 = msg("18829", dup250); + +var msg20998 = msg("18830", dup250); + +var msg20999 = msg("18831", dup250); + +var msg21000 = msg("18832", dup250); + +var msg21001 = msg("18833", dup250); + +var msg21002 = msg("18834", dup250); + +var msg21003 = msg("18835", dup250); + +var msg21004 = msg("18836", dup250); + +var msg21005 = msg("18837", dup250); + +var msg21006 = msg("18838", dup250); + +var msg21007 = msg("18839", dup250); + +var msg21008 = msg("18840", dup250); + +var msg21009 = msg("18841", dup250); + +var msg21010 = msg("18842", dup250); + +var msg21011 = msg("18843", dup250); + +var msg21012 = msg("18844", dup250); + +var msg21013 = msg("18845", dup250); + +var msg21014 = msg("18846", dup250); + +var msg21015 = msg("18847", dup250); + +var msg21016 = msg("18848", dup250); + +var msg21017 = msg("18849", dup250); + +var msg21018 = msg("18850", dup250); + +var msg21019 = msg("18851", dup250); + +var msg21020 = msg("18852", dup250); + +var msg21021 = msg("18853", dup250); + +var msg21022 = msg("18854", dup250); + +var msg21023 = msg("18855", dup250); + +var msg21024 = msg("18856", dup250); + +var msg21025 = msg("18857", dup250); + +var msg21026 = msg("18858", dup250); + +var msg21027 = msg("18859", dup250); + +var msg21028 = msg("18860", dup250); + +var msg21029 = msg("18861", dup250); + +var msg21030 = msg("18862", dup250); + +var msg21031 = msg("18863", dup250); + +var msg21032 = msg("18864", dup250); + +var msg21033 = msg("18865", dup250); + +var msg21034 = msg("18866", dup250); + +var msg21035 = msg("18867", dup250); + +var msg21036 = msg("18868", dup250); + +var msg21037 = msg("18869", dup250); + +var msg21038 = msg("18870", dup250); + +var msg21039 = msg("18871", dup250); + +var msg21040 = msg("18872", dup250); + +var msg21041 = msg("18873", dup250); + +var msg21042 = msg("18874", dup250); + +var msg21043 = msg("18875", dup250); + +var msg21044 = msg("18876", dup250); + +var msg21045 = msg("18877", dup250); + +var msg21046 = msg("18878", dup250); + +var msg21047 = msg("18879", dup250); + +var msg21048 = msg("18880", dup250); + +var msg21049 = msg("18881", dup250); + +var msg21050 = msg("18882", dup250); + +var msg21051 = msg("18883", dup250); + +var msg21052 = msg("18884", dup250); + +var msg21053 = msg("18885", dup250); + +var msg21054 = msg("18886", dup250); + +var msg21055 = msg("18887", dup250); + +var msg21056 = msg("18888", dup250); + +var msg21057 = msg("18889", dup250); + +var msg21058 = msg("18890", dup250); + +var msg21059 = msg("18891", dup250); + +var msg21060 = msg("18892", dup250); + +var msg21061 = msg("18893", dup250); + +var msg21062 = msg("18894", dup250); + +var msg21063 = msg("18895", dup250); + +var msg21064 = msg("18896", dup250); + +var msg21065 = msg("18897", dup250); + +var msg21066 = msg("18898", dup250); + +var msg21067 = msg("18899", dup250); + +var msg21068 = msg("18900", dup269); + +var msg21069 = msg("18901", dup267); + +var msg21070 = msg("18902", dup267); + +var msg21071 = msg("18903", dup267); + +var msg21072 = msg("18904", dup265); + +var msg21073 = msg("18905", dup197); + +var msg21074 = msg("18906", dup197); + +var msg21075 = msg("18907", dup197); + +var msg21076 = msg("18908", dup197); + +var msg21077 = msg("18909", dup197); + +var msg21078 = msg("18910", dup197); + +var msg21079 = msg("18911", dup197); + +var msg21080 = msg("18912", dup197); + +var msg21081 = msg("18913", dup197); + +var msg21082 = msg("18914", dup197); + +var msg21083 = msg("18915", dup197); + +var msg21084 = msg("18916", dup197); + +var msg21085 = msg("18917", dup197); + +var msg21086 = msg("18918", dup197); + +var msg21087 = msg("18919", dup197); + +var msg21088 = msg("18920", dup197); + +var msg21089 = msg("18921", dup197); + +var msg21090 = msg("18922", dup197); + +var msg21091 = msg("18923", dup197); + +var msg21092 = msg("18924", dup197); + +var msg21093 = msg("18925", dup197); + +var msg21094 = msg("18926", dup201); + +var msg21095 = msg("18927", dup265); + +var msg21096 = msg("18928", dup197); + +var msg21097 = msg("18929", dup199); + +var msg21098 = msg("18930", dup267); + +var msg21099 = msg("18931", dup267); + +var msg21100 = msg("18932", dup265); + +var msg21101 = msg("18933", dup274); + +var msg21102 = msg("18934", dup197); + +var msg21103 = msg("18935", dup198); + +var msg21104 = msg("18936", dup269); + +var msg21105 = msg("18937", dup269); + +var msg21106 = msg("18938", dup269); + +var msg21107 = msg("18939", dup202); + +var msg21108 = msg("18940", dup269); + +var msg21109 = msg("18941", dup202); + +var msg21110 = msg("18942", dup269); + +var msg21111 = msg("18943", dup269); + +var msg21112 = msg("18944", dup269); + +var msg21113 = msg("18945", dup263); + +var msg21114 = msg("18946", dup192); + +var msg21115 = msg("18947", dup192); + +var msg21116 = msg("18948", dup267); + +var msg21117 = msg("18949", dup267); + +var msg21118 = msg("18950", dup267); + +var msg21119 = msg("18951", dup267); + +var msg21120 = msg("18952", dup267); + +var msg21121 = msg("18953", dup267); + +var msg21122 = msg("18954", dup267); + +var msg21123 = msg("18955", dup201); + +var msg21124 = msg("18956", dup201); + +var msg21125 = msg("18957", dup267); + +var msg21126 = msg("18958", dup267); + +var msg21127 = msg("18959", dup267); + +var msg21128 = msg("18960", dup267); + +var msg21129 = msg("18961", dup265); + +var msg21130 = msg("18962", dup265); + +var msg21131 = msg("18963", dup201); + +var msg21132 = msg("18964", dup267); + +var msg21133 = msg("18965", dup201); + +var msg21134 = msg("18966", dup267); + +var msg21135 = msg("18967", dup287); + +var msg21136 = msg("18968", dup201); + +var msg21137 = msg("18969", dup201); + +var msg21138 = msg("18970", dup202); + +var msg21139 = msg("18971", dup202); + +var msg21140 = msg("18972", dup199); + +var msg21141 = msg("18973", dup267); + +var msg21142 = msg("18974", dup265); + +var msg21143 = msg("18975", dup265); + +var msg21144 = msg("18976", dup202); + +var msg21145 = msg("18977", dup192); + +var msg21146 = msg("18978", dup192); + +var msg21147 = msg("18979", dup238); + +var msg21148 = msg("18980", dup303); + +var msg21149 = msg("18981", dup303); + +var msg21150 = msg("18982", dup303); + +var msg21151 = msg("18983", dup267); + +var msg21152 = msg("18984", dup269); + +var msg21153 = msg("18985", dup265); + +var msg21154 = msg("18986", dup267); + +var msg21155 = msg("18987", dup267); + +var msg21156 = msg("18988", dup267); + +var msg21157 = msg("18989", dup267); + +var msg21158 = msg("18990", dup267); + +var msg21159 = msg("18991", dup267); + +var msg21160 = msg("18992", dup267); + +var msg21161 = msg("18993", dup267); + +var msg21162 = msg("18994", dup197); + +var msg21163 = msg("18995", dup202); + +var msg21164 = msg("18996", dup202); + +var msg21165 = msg("18997", dup198); + +var msg21166 = msg("18998", dup197); + +var msg21167 = msg("18999", dup197); + +var msg21168 = msg("19000", dup240); + +var msg21169 = msg("19001", dup240); + +var msg21170 = msg("19002", dup197); + +var msg21171 = msg("19003", dup202); + +var msg21172 = msg("19004", dup202); + +var msg21173 = msg("19005", dup267); + +var msg21174 = msg("19006", dup197); + +var msg21175 = msg("19007", dup197); + +var msg21176 = msg("19008", dup267); + +var msg21177 = msg("19009", dup267); + +var msg21178 = msg("19010", dup267); + +var msg21179 = msg("19011", dup197); + +var msg21180 = msg("19012", dup197); + +var msg21181 = msg("19013", dup295); + +var msg21182 = msg("19014", dup295); + +var msg21183 = msg("19015", dup312); + +var msg21184 = msg("19016", dup192); + +var msg21185 = msg("19017", dup192); + +var msg21186 = msg("19018", dup192); + +var msg21187 = msg("19019", dup192); + +var msg21188 = msg("19020", dup267); + +var msg21189 = msg("19021", dup192); + +var msg21190 = msg("19022", dup192); + +var msg21191 = msg("19023", dup192); + +var msg21192 = msg("19024", dup192); + +var msg21193 = msg("19025", dup192); + +var msg21194 = msg("19026", dup303); + +var msg21195 = msg("19027", dup202); + +var msg21196 = msg("19028", dup192); + +var msg21197 = msg("19029", dup192); + +var msg21198 = msg("19030", dup192); + +var msg21199 = msg("19031", dup202); + +var msg21200 = msg("19032", dup192); + +var msg21201 = msg("19033", dup192); + +var msg21202 = msg("19034", dup192); + +var msg21203 = msg("19035", dup192); + +var msg21204 = msg("19036", dup192); + +var msg21205 = msg("19037", dup192); + +var msg21206 = msg("19038", dup192); + +var msg21207 = msg("19039", dup192); + +var msg21208 = msg("19040", dup192); + +var msg21209 = msg("19041", dup192); + +var msg21210 = msg("19042", dup192); + +var msg21211 = msg("19043", dup303); + +var msg21212 = msg("19044", dup303); + +var msg21213 = msg("19045", dup192); + +var msg21214 = msg("19046", dup303); + +var msg21215 = msg("19047", dup303); + +var msg21216 = msg("19048", dup192); + +var msg21217 = msg("19049", dup192); + +var msg21218 = msg("19050", dup192); + +var msg21219 = msg("19051", dup192); + +var msg21220 = msg("19052", dup265); + +var msg21221 = msg("19053", dup238); + +var msg21222 = msg("19054", dup192); + +var msg21223 = msg("19055", dup192); + +var msg21224 = msg("19056", dup192); + +var msg21225 = msg("19057", dup192); + +var msg21226 = msg("19058", dup238); + +var msg21227 = msg("19059", dup303); + +var msg21228 = msg("19060", dup192); + +var msg21229 = msg("19061", dup263); + +var msg21230 = msg("19062", dup192); + +var msg21231 = msg("19063", dup197); + +var msg21232 = msg("19064", dup267); + +var msg21233 = msg("19065", dup202); + +var msg21234 = msg("19066", dup202); + +var msg21235 = msg("19067", dup202); + +var msg21236 = msg("19068", dup202); + +var msg21237 = msg("19069", dup202); + +var msg21238 = msg("19070", dup202); + +var msg21239 = msg("19071", dup267); + +var msg21240 = msg("19072", dup197); + +var msg21241 = msg("19073", dup198); + +var msg21242 = msg("19074", dup265); + +var msg21243 = msg("19075", dup202); + +var msg21244 = msg("19076", dup202); + +var msg21245 = msg("19077", dup202); + +var msg21246 = msg("19078", dup267); + +var msg21247 = msg("19079", dup267); + +var msg21248 = msg("19080", dup267); + +var msg21249 = msg("19081", dup267); + +var msg21250 = msg("19082", dup267); + +var msg21251 = msg("19083", dup267); + +var msg21252 = msg("19084", dup267); + +var msg21253 = msg("19085", dup265); + +var msg21254 = msg("19086", dup202); + +var msg21255 = msg("19087", dup197); + +var msg21256 = msg("19088", dup197); + +var msg21257 = msg("19089", dup197); + +var msg21258 = msg("19090", dup197); + +var msg21259 = msg("19091", dup202); + +var msg21260 = msg("19092", dup202); + +var msg21261 = msg("19093", dup240); + +var msg21262 = msg("19094", dup240); + +var msg21263 = msg("19095", dup267); + +var msg21264 = msg("19096", dup267); + +var msg21265 = msg("19097", dup267); + +var msg21266 = msg("19098", dup202); + +var msg21267 = msg("19099", dup267); + +var msg21268 = msg("19100", dup197); + +var msg21269 = msg("19101", dup198); + +var msg21270 = msg("19102", dup265); + +var msg21271 = msg("19103", dup265); + +var msg21272 = msg("19104", dup197); + +var msg21273 = msg("19105", dup197); + +var msg21274 = msg("19106", dup303); + +var msg21275 = msg("19107", dup267); + +var msg21276 = msg("19108", dup265); + +var msg21277 = msg("19109", dup265); + +var msg21278 = msg("19110", dup265); + +var msg21279 = msg("19111", dup198); + +var msg21280 = msg("19112", dup197); + +var msg21281 = msg("19113", dup197); + +var msg21282 = msg("19114", dup197); + +var msg21283 = msg("19115", dup197); + +var msg21284 = msg("19116", dup267); + +var msg21285 = msg("19117", dup197); + +var msg21286 = msg("19118", dup201); + +var msg21287 = msg("19119", dup267); + +var msg21288 = msg("19120", dup197); + +var msg21289 = msg("19121", dup197); + +var msg21290 = msg("19122", dup312); + +var msg21291 = msg("19123", dup202); + +var msg21292 = msg("19124", dup267); + +var msg21293 = msg("19125", dup197); + +var msg21294 = msg("19126", dup197); + +var msg21295 = msg("19127", dup197); + +var msg21296 = msg("19128", dup202); + +var msg21297 = msg("19129", dup202); + +var msg21298 = msg("19130", dup267); + +var msg21299 = msg("19131", dup197); + +var msg21300 = msg("19132", dup197); + +var msg21301 = msg("19133", dup202); + +var msg21302 = msg("19134", dup267); + +var msg21303 = msg("19135", dup192); + +var msg21304 = msg("19136", dup201); + +var msg21305 = msg("19137", dup197); + +var msg21306 = msg("19138", dup197); + +var msg21307 = msg("19139", dup197); + +var msg21308 = msg("19140", dup197); + +var msg21309 = msg("19141", dup267); + +var msg21310 = msg("19142", dup260); + +var msg21311 = msg("19143", dup267); + +var msg21312 = msg("19144", dup267); + +var msg21313 = msg("19145", dup267); + +var msg21314 = msg("19146", dup267); + +var msg21315 = msg("19147", dup267); + +var msg21316 = msg("19148", dup267); + +var msg21317 = msg("19149", dup267); + +var msg21318 = msg("19150", dup267); + +var msg21319 = msg("19151", dup265); + +var msg21320 = msg("19152", dup265); + +var msg21321 = msg("19153", dup267); + +var msg21322 = msg("19154", dup202); + +var msg21323 = msg("19155", dup197); + +var msg21324 = msg("19156", dup197); + +var msg21325 = msg("19157", dup265); + +var msg21326 = msg("19158", dup202); + +var msg21327 = msg("19159", dup198); + +var msg21328 = msg("19160", dup197); + +var msg21329 = msg("19161", dup197); + +var msg21330 = msg("19162", dup202); + +var msg21331 = msg("19163", dup202); + +var msg21332 = msg("19164", dup192); + +var msg21333 = msg("19165", dup269); + +var msg21334 = msg("19166", dup202); + +var msg21335 = msg("19167", dup197); + +var msg21336 = msg("19168", dup197); + +var msg21337 = msg("19169", dup267); + +var msg21338 = msg("19170", dup267); + +var msg21339 = msg("19171", dup267); + +var msg21340 = msg("19172", dup276); + +var msg21341 = msg("19173", dup255); + +var msg21342 = msg("19174", dup267); + +var msg21343 = msg("19175", dup269); + +var msg21344 = msg("19176", dup265); + +var msg21345 = msg("19177", dup265); + +var msg21346 = msg("19178", dup202); + +var msg21347 = msg("19179", dup202); + +var msg21348 = msg("19180", dup267); + +var msg21349 = msg("19181", dup267); + +var msg21350 = msg("19182", dup197); + +var msg21351 = msg("19183", dup197); + +var msg21352 = msg("19184", dup267); + +var msg21353 = msg("19185", dup267); + +var msg21354 = msg("19186", dup265); + +var msg21355 = msg("19187", dup267); + +var msg21356 = msg("19188", dup267); + +var msg21357 = msg("19189", dup197); + +var msg21358 = msg("19190", dup246); + +var msg21359 = msg("19191", dup276); + +var msg21360 = msg("19192", dup198); + +var msg21361 = msg("19193", dup265); + +var msg21362 = msg("19194", dup265); + +var msg21363 = msg("19195", dup202); + +var msg21364 = msg("19196", dup267); + +var msg21365 = msg("19197", dup265); + +var msg21366 = msg("19198", dup265); + +var msg21367 = msg("19199", dup276); + +var msg21368 = msg("19200", dup267); + +var msg21369 = msg("19201", dup260); + +var msg21370 = msg("19202", dup260); + +var msg21371 = msg("19203", dup267); + +var msg21372 = msg("19204", dup267); + +var msg21373 = msg("19205", dup198); + +var msg21374 = msg("19206", dup197); + +var msg21375 = msg("19207", dup197); + +var msg21376 = msg("19208", dup197); + +var msg21377 = msg("19209", dup197); + +var msg21378 = msg("19210", dup197); + +var msg21379 = msg("19211", dup202); + +var msg21380 = msg("19212", dup197); + +var msg21381 = msg("19213", dup197); + +var msg21382 = msg("19214", dup265); + +var msg21383 = msg("19215", dup202); + +var msg21384 = msg("19216", dup267); + +var msg21385 = msg("19217", dup267); + +var msg21386 = msg("19218", dup265); + +var msg21387 = msg("19219", dup267); + +var msg21388 = msg("19220", dup267); + +var msg21389 = msg("19221", dup197); + +var msg21390 = msg("19222", dup267); + +var msg21391 = msg("19223", dup267); + +var msg21392 = msg("19224", dup202); + +var msg21393 = msg("19225", dup267); + +var msg21394 = msg("19226", dup197); + +var msg21395 = msg("19227", dup197); + +var msg21396 = msg("19228", dup199); + +var msg21397 = msg("19229", dup267); + +var msg21398 = msg("19230", dup267); + +var msg21399 = msg("19231", dup267); + +var msg21400 = msg("19232", dup267); + +var msg21401 = msg("19233", dup265); + +var msg21402 = msg("19234", dup265); + +var msg21403 = msg("19235", dup267); + +var msg21404 = msg("19236", dup267); + +var msg21405 = msg("19237", dup267); + +var msg21406 = msg("19238", dup267); + +var msg21407 = msg("19239", dup265); + +var msg21408 = msg("19240", dup265); + +var msg21409 = msg("19241", dup202); + +var msg21410 = msg("19242", dup202); + +var msg21411 = msg("19243", dup267); + +var msg21412 = msg("19244", dup265); + +var msg21413 = msg("19245", dup265); + +var msg21414 = msg("19246", dup265); + +var msg21415 = msg("19247", dup267); + +var msg21416 = msg("19248", dup197); + +var msg21417 = msg("19249", dup267); + +var msg21418 = msg("19250", dup197); + +var msg21419 = msg("19251", dup267); + +var msg21420 = msg("19252", dup265); + +var msg21421 = msg("19253", dup265); + +var msg21422 = msg("19254", dup201); + +var msg21423 = msg("19255", dup201); + +var msg21424 = msg("19256", dup269); + +var msg21425 = msg("19257", dup267); + +var msg21426 = msg("19258", dup267); + +var msg21427 = msg("19259", dup267); + +var msg21428 = msg("19260", dup202); + +var msg21429 = msg("19261", dup267); + +var msg21430 = msg("19262", dup267); + +var msg21431 = msg("19263", dup267); + +var msg21432 = msg("19264", dup267); + +var msg21433 = msg("19265", dup267); + +var msg21434 = msg("19266", dup267); + +var msg21435 = msg("19267", dup199); + +var msg21436 = msg("19268", dup202); + +var msg21437 = msg("19269", dup250); + +var msg21438 = msg("19270", dup250); + +var msg21439 = msg("19271", dup250); + +var msg21440 = msg("19272", dup250); + +var msg21441 = msg("19273", dup250); + +var msg21442 = msg("19274", dup250); + +var msg21443 = msg("19275", dup298); + +var msg21444 = msg("19276", dup298); + +var msg21445 = msg("19277", dup298); + +var msg21446 = msg("19278", dup298); + +var msg21447 = msg("19279", dup298); + +var msg21448 = msg("19280", dup298); + +var msg21449 = msg("19281", dup199); + +var msg21450 = msg("19282", dup199); + +var msg21451 = msg("19283", dup199); + +var msg21452 = msg("19284", dup199); + +var msg21453 = msg("19285", dup199); + +var msg21454 = msg("19286", dup199); + +var msg21455 = msg("19287", dup199); + +var msg21456 = msg("19288", dup199); + +var msg21457 = msg("19289", dup265); + +var msg21458 = msg("19290", dup276); + +var msg21459 = msg("19291", dup276); + +var msg21460 = msg("19292", dup202); + +var msg21461 = msg("19293", dup267); + +var msg21462 = msg("19294", dup267); + +var msg21463 = msg("19295", dup267); + +var msg21464 = msg("19296", dup267); + +var msg21465 = msg("19297", dup201); + +var msg21466 = msg("19298", dup201); + +var msg21467 = msg("19299", dup267); + +var msg21468 = msg("19300", dup267); + +var msg21469 = msg("19301", dup287); + +var msg21470 = msg("19302", dup287); + +var msg21471 = msg("19303", dup267); + +var msg21472 = msg("19304", dup265); + +var msg21473 = msg("19305", dup265); + +var msg21474 = msg("19306", dup267); + +var msg21475 = msg("19307", dup265); + +var msg21476 = msg("19308", dup197); + +var msg21477 = msg("19309", dup303); + +var msg21478 = msg("19310", dup192); + +var msg21479 = msg("19311", dup303); + +var msg21480 = msg("19312", dup192); + +var msg21481 = msg("19313", dup198); + +var msg21482 = msg("19314", dup276); + +var msg21483 = msg("19315", dup267); + +var msg21484 = msg("19316", dup267); + +var msg21485 = msg("19317", dup197); + +var msg21486 = msg("19318", dup267); + +var msg21487 = msg("19319", dup267); + +var msg21488 = msg("19320", dup267); + +var msg21489 = msg("19321", dup197); + +var msg21490 = msg("19322", dup202); + +var msg21491 = msg("19323", dup201); + +var msg21492 = msg("19324", dup303); + +var msg21493 = msg("19325", dup303); + +var msg21494 = msg("19326", dup192); + +var msg21495 = msg("19327", dup192); + +var msg21496 = msg("19328", dup192); + +var msg21497 = msg("19329", dup192); + +var msg21498 = msg("19330", dup192); + +var msg21499 = msg("19331", dup192); + +var msg21500 = msg("19332", dup192); + +var msg21501 = msg("19333", dup197); + +var msg21502 = msg("19334", dup197); + +var msg21503 = msg("19335", dup297); + +var msg21504 = msg("19336", dup297); + +var msg21505 = msg("19337", dup202); + +var msg21506 = msg("19338", dup202); + +var msg21507 = msg("19339", dup192); + +var msg21508 = msg("19340", dup263); + +var msg21509 = msg("19341", dup238); + +var msg21510 = msg("19342", dup263); + +var msg21511 = msg("19343", dup263); + +var msg21512 = msg("19344", dup263); + +var msg21513 = msg("19345", dup192); + +var msg21514 = msg("19346", dup192); + +var msg21515 = msg("19347", dup192); + +var msg21516 = msg("19348", dup192); + +var msg21517 = msg("19349", dup192); + +var msg21518 = msg("19350", dup197); + +var msg21519 = msg("19351", dup192); + +var msg21520 = msg("19352", dup192); + +var msg21521 = msg("19353", dup192); + +var msg21522 = msg("19354", dup192); + +var msg21523 = msg("19355", dup192); + +var msg21524 = msg("19356", dup202); + +var msg21525 = msg("19357", dup238); + +var msg21526 = msg("19358", dup202); + +var msg21527 = msg("19359", dup192); + +var msg21528 = msg("19360", dup192); + +var msg21529 = msg("19361", dup192); + +var msg21530 = msg("19362", dup192); + +var msg21531 = msg("19363", dup192); + +var msg21532 = msg("19364", dup202); + +var msg21533 = msg("19365", dup202); + +var msg21534 = msg("19366", dup192); + +var msg21535 = msg("19367", dup238); + +var msg21536 = msg("19368", dup192); + +var msg21537 = msg("19369", dup192); + +var msg21538 = msg("19370", dup192); + +var msg21539 = msg("19371", dup192); + +var msg21540 = msg("19372", dup269); + +var msg21541 = msg("19373", dup201); + +var msg21542 = msg("19374", dup201); + +var msg21543 = msg("19375", dup287); + +var msg21544 = msg("19376", dup287); + +var msg21545 = msg("19377", dup202); + +var msg21546 = msg("19378", dup202); + +var msg21547 = msg("19379", dup201); + +var msg21548 = msg("19380", dup201); + +var msg21549 = msg("19381", dup287); + +var msg21550 = msg("19382", dup287); + +var msg21551 = msg("19383", dup287); + +var msg21552 = msg("19384", dup287); + +var msg21553 = msg("19385", dup201); + +var msg21554 = msg("19386", dup201); + +var msg21555 = msg("19387", dup287); + +var msg21556 = msg("19388", dup287); + +var msg21557 = msg("19389", dup197); + +var msg21558 = msg("19390", dup197); + +var msg21559 = msg("19391", dup303); + +var msg21560 = msg("19392", dup303); + +var msg21561 = msg("19393", dup303); + +var msg21562 = msg("19394", dup192); + +var msg21563 = msg("19395", dup192); + +var msg21564 = msg("19396", dup192); + +var msg21565 = msg("19397", dup192); + +var msg21566 = msg("19398", dup192); + +var msg21567 = msg("19399", dup238); + +var msg21568 = msg("19400", dup238); + +var msg21569 = msg("19401", dup238); + +var msg21570 = msg("19402", dup238); + +var msg21571 = msg("19403", dup267); + +var msg21572 = msg("19404", dup192); + +var msg21573 = msg("19405", dup267); + +var msg21574 = msg("19406", dup267); + +var msg21575 = msg("19407", dup267); + +var msg21576 = msg("19408", dup267); + +var msg21577 = msg("19409", dup202); + +var msg21578 = msg("19410", dup202); + +var msg21579 = msg("19411", dup269); + +var msg21580 = msg("19412", dup267); + +var msg21581 = msg("19413", dup197); + +var msg21582 = msg("19414", dup197); + +var msg21583 = msg("19415", dup227); + +var msg21584 = msg("19416", dup265); + +var msg21585 = msg("19417", dup265); + +var msg21586 = msg("19418", dup265); + +var msg21587 = msg("19419", dup265); + +var msg21588 = msg("19420", dup197); + +var msg21589 = msg("19421", dup197); + +var msg21590 = msg("19422", dup265); + +var msg21591 = msg("19423", dup265); + +var msg21592 = msg("19424", dup265); + +var msg21593 = msg("19425", dup265); + +var msg21594 = msg("19426", dup192); + +var msg21595 = msg("19427", dup192); + +var msg21596 = msg("19428", dup192); + +var msg21597 = msg("19429", dup198); + +var msg21598 = msg("19430", dup265); + +var msg21599 = msg("19431", dup197); + +var msg21600 = msg("19432", dup197); + +var msg21601 = msg("19433", dup192); + +var msg21602 = msg("19434", dup269); + +var msg21603 = msg("19435", dup192); + +var msg21604 = msg("19436", dup267); + +var msg21605 = msg("19437", dup260); + +var msg21606 = msg("19438", dup260); + +var msg21607 = msg("19439", dup260); + +var msg21608 = msg("19440", dup260); + +var msg21609 = msg("19441", dup199); + +var msg21610 = msg("19442", dup267); + +var msg21611 = msg("19443", dup267); + +var msg21612 = msg("19444", dup265); + +var msg21613 = msg("19445", dup265); + +var msg21614 = msg("19446", dup265); + +var msg21615 = msg("19447", dup265); + +var msg21616 = msg("19448", dup265); + +var msg21617 = msg("19449", dup265); + +var msg21618 = msg("19450", dup265); + +var msg21619 = msg("19451", dup199); + +var msg21620 = msg("19452", dup199); + +var msg21621 = msg("19453", dup192); + +var msg21622 = msg("19454", dup192); + +var msg21623 = msg("19455", dup238); + +var msg21624 = msg("19456", dup192); + +var msg21625 = msg("19457", dup192); + +var msg21626 = msg("19458", dup197); + +var msg21627 = msg("19459", dup197); + +var msg21628 = msg("19460", dup265); + +var msg21629 = msg("19461", dup265); + +var msg21630 = msg("19462", dup267); + +var msg21631 = msg("19463", dup265); + +var msg21632 = msg("19464", dup197); + +var msg21633 = msg("19465", dup276); + +var msg21634 = msg("19466", dup267); + +var msg21635 = msg("19467", dup202); + +var msg21636 = msg("19468", dup267); + +var msg21637 = msg("19469", dup202); + +var msg21638 = msg("19470", dup263); + +var msg21639 = msg("19471", dup317); + +var msg21640 = msg("19472", dup317); + +var msg21641 = msg("19473", dup317); + +var msg21642 = msg("19474", dup202); + +var msg21643 = msg("19475", dup202); + +var msg21644 = msg("19476", dup267); + +var msg21645 = msg("19477", dup192); + +var msg21646 = msg("19478", dup238); + +var msg21647 = msg("19479", dup238); + +var msg21648 = msg("19480", dup198); + +var msg21649 = msg("19481", dup238); + +var msg21650 = msg("19482", dup269); + +var msg21651 = msg("19483", dup192); + +var msg21652 = msg("19484", dup192); + +var msg21653 = msg("19485", dup303); + +var msg21654 = msg("19486", dup303); + +var msg21655 = msg("19487", dup192); + +var msg21656 = msg("19488", dup238); + +var msg21657 = msg("19489", dup192); + +var msg21658 = msg("19490", dup192); + +var msg21659 = msg("19491", dup192); + +var msg21660 = msg("19492", dup192); + +var msg21661 = msg("19493", dup269); + +var msg21662 = msg("19494", dup192); + +var msg21663 = msg("19495", dup238); + +var msg21664 = msg("19496", dup263); + +var msg21665 = msg("19497", dup263); + +var msg21666 = msg("19498", dup263); + +var msg21667 = msg("19499", dup263); + +var msg21668 = msg("19500", dup263); + +var msg21669 = msg("19501", dup263); + +var msg21670 = msg("19502", dup263); + +var msg21671 = msg("19503", dup263); + +var msg21672 = msg("19504", dup263); + +var msg21673 = msg("19505", dup263); + +var msg21674 = msg("19506", dup263); + +var msg21675 = msg("19507", dup263); + +var msg21676 = msg("19508", dup263); + +var msg21677 = msg("19509", dup263); + +var msg21678 = msg("19510", dup263); + +var msg21679 = msg("19511", dup263); + +var msg21680 = msg("19512", dup263); + +var msg21681 = msg("19513", dup263); + +var msg21682 = msg("19514", dup263); + +var msg21683 = msg("19515", dup263); + +var msg21684 = msg("19516", dup263); + +var msg21685 = msg("19517", dup263); + +var msg21686 = msg("19518", dup263); + +var msg21687 = msg("19519", dup263); + +var msg21688 = msg("19520", dup263); + +var msg21689 = msg("19521", dup263); + +var msg21690 = msg("19522", dup263); + +var msg21691 = msg("19523", dup263); + +var msg21692 = msg("19524", dup263); + +var msg21693 = msg("19525", dup263); + +var msg21694 = msg("19526", dup263); + +var msg21695 = msg("19527", dup263); + +var msg21696 = msg("19528", dup263); + +var msg21697 = msg("19529", dup263); + +var msg21698 = msg("19530", dup263); + +var msg21699 = msg("19531", dup263); + +var msg21700 = msg("19532", dup263); + +var msg21701 = msg("19533", dup263); + +var msg21702 = msg("19534", dup263); + +var msg21703 = msg("19535", dup263); + +var msg21704 = msg("19536", dup263); + +var msg21705 = msg("19537", dup263); + +var msg21706 = msg("19538", dup263); + +var msg21707 = msg("19539", dup263); + +var msg21708 = msg("19540", dup263); + +var msg21709 = msg("19541", dup263); + +var msg21710 = msg("19542", dup263); + +var msg21711 = msg("19543", dup263); + +var msg21712 = msg("19544", dup263); + +var msg21713 = msg("19545", dup263); + +var msg21714 = msg("19546", dup263); + +var msg21715 = msg("19547", dup263); + +var msg21716 = msg("19548", dup263); + +var msg21717 = msg("19549", dup263); + +var msg21718 = msg("19550", dup263); + +var msg21719 = msg("19551", dup202); + +var msg21720 = msg("19552", dup267); + +var msg21721 = msg("19553", dup267); + +var msg21722 = msg("19554", dup263); + +var msg21723 = msg("19555", dup192); + +var msg21724 = msg("19556", dup192); + +var msg21725 = msg("19557", dup192); + +var msg21726 = msg("19558", dup267); + +var msg21727 = msg("19559", dup192); + +var msg21728 = msg("19560", dup197); + +var msg21729 = msg("19561", dup265); + +var msg21730 = msg("19562", dup265); + +var msg21731 = msg("19563", dup265); + +var msg21732 = msg("19564", dup265); + +var msg21733 = msg("19565", dup265); + +var msg21734 = msg("19566", dup303); + +var msg21735 = msg("19567", dup303); + +var msg21736 = msg("19568", dup192); + +var msg21737 = msg("19569", dup192); + +var msg21738 = msg("19570", dup263); + +var msg21739 = msg("19571", dup263); + +var msg21740 = msg("19572", dup192); + +var msg21741 = msg("19573", dup290); + +var msg21742 = msg("19574", dup290); + +var msg21743 = msg("19575", dup290); + +var msg21744 = msg("19576", dup263); + +var msg21745 = msg("19577", dup205); + +var msg21746 = msg("19578", dup303); + +var msg21747 = msg("19579", dup192); + +var msg21748 = msg("19580", dup238); + +var msg21749 = msg("19581", dup192); + +var msg21750 = msg("19582", dup192); + +var msg21751 = msg("19583", dup192); + +var msg21752 = msg("19584", dup238); + +var msg21753 = msg("19585", dup238); + +var msg21754 = msg("19586", dup192); + +var msg21755 = msg("19587", dup192); + +var msg21756 = msg("19588", dup192); + +var msg21757 = msg("19589", dup269); + +var msg21758 = msg("19590", dup192); + +var msg21759 = msg("19591", dup192); + +var msg21760 = msg("19592", dup192); + +var msg21761 = msg("19593", dup238); + +var msg21762 = msg("19594", dup303); + +var msg21763 = msg("19595", dup269); + +var msg21764 = msg("19596", dup192); + +var msg21765 = msg("19597", dup192); + +var msg21766 = msg("19598", dup303); + +var msg21767 = msg("19599", dup260); + +var msg21768 = msg("19600", dup260); + +var msg21769 = msg("19601", dup276); + +var msg21770 = msg("19602", dup276); + +var msg21771 = msg("19603", dup267); + +var msg21772 = msg("19604", dup267); + +var msg21773 = msg("19605", dup267); + +var msg21774 = msg("19606", dup267); + +var msg21775 = msg("19607", dup267); + +var msg21776 = msg("19608", dup192); + +var msg21777 = msg("19609", dup267); + +var msg21778 = msg("19610", dup265); + +var msg21779 = msg("19611", dup269); + +var msg21780 = msg("19612", dup192); + +var msg21781 = msg("19613", dup192); + +var msg21782 = msg("19614", dup192); + +var msg21783 = msg("19615", dup192); + +var msg21784 = msg("19616", dup192); + +var msg21785 = msg("19617", dup276); + +var msg21786 = msg("19618", dup276); + +var msg21787 = msg("19619", dup267); + +var msg21788 = msg("19620", dup267); + +var msg21789 = msg("19621", dup197); + +var msg21790 = msg("19622", dup269); + +var msg21791 = msg("19623", dup269); + +var msg21792 = msg("19624", dup269); + +var msg21793 = msg("19625", dup269); + +var msg21794 = msg("19626", dup269); + +var msg21795 = msg("19627", dup269); + +var msg21796 = msg("19628", dup269); + +var msg21797 = msg("19629", dup269); + +var msg21798 = msg("19630", dup269); + +var msg21799 = msg("19631", dup269); + +var msg21800 = msg("19632", dup269); + +var msg21801 = msg("19633", dup269); + +var msg21802 = msg("19634", dup269); + +var msg21803 = msg("19635", dup269); + +var msg21804 = msg("19636", dup269); + +var msg21805 = msg("19637", dup269); + +var msg21806 = msg("19638", dup269); + +var msg21807 = msg("19639", dup263); + +var msg21808 = msg("19640", dup263); + +var msg21809 = msg("19641", dup263); + +var msg21810 = msg("19642", dup263); + +var msg21811 = msg("19643", dup263); + +var msg21812 = msg("19644", dup263); + +var msg21813 = msg("19645", dup201); + +var msg21814 = msg("19646", dup267); + +var msg21815 = msg("19647", dup267); + +var msg21816 = msg("19648", dup267); + +var msg21817 = msg("19649", dup197); + +var msg21818 = msg("19650", dup265); + +var msg21819 = msg("19651", dup265); + +var msg21820 = msg("19652", dup202); + +var msg21821 = msg("19653", dup267); + +var msg21822 = msg("19654", dup192); + +var msg21823 = msg("19655", dup192); + +var msg21824 = msg("19656", dup192); + +var msg21825 = msg("19657", dup202); + +var msg21826 = msg("19658", dup192); + +var msg21827 = msg("19659", dup192); + +var msg21828 = msg("19660", dup192); + +var msg21829 = msg("19661", dup267); + +var msg21830 = msg("19662", dup263); + +var msg21831 = msg("19663", dup263); + +var msg21832 = msg("19664", dup263); + +var msg21833 = msg("19665", dup201); + +var msg21834 = msg("19666", dup267); + +var msg21835 = msg("19667", dup267); + +var msg21836 = msg("19668", dup276); + +var msg21837 = msg("19669", dup248); + +var msg21838 = msg("19670", dup278); + +var msg21839 = msg("19671", dup267); + +var msg21840 = msg("19672", dup267); + +var msg21841 = msg("19673", dup276); + +var msg21842 = msg("19674", dup267); + +var msg21843 = msg("19675", dup267); + +var msg21844 = msg("19676", dup267); + +var msg21845 = msg("19677", dup267); + +var msg21846 = msg("19678", dup267); + +var msg21847 = msg("19679", dup267); + +var msg21848 = msg("19680", dup267); + +var msg21849 = msg("19681", dup265); + +var msg21850 = msg("19682", dup201); + +var msg21851 = msg("19683", dup201); + +var msg21852 = msg("19684", dup267); + +var msg21853 = msg("19685", dup197); + +var msg21854 = msg("19686", dup267); + +var msg21855 = msg("19687", dup265); + +var msg21856 = msg("19688", dup201); + +var msg21857 = msg("19689", dup287); + +var msg21858 = msg("19690", dup267); + +var msg21859 = msg("19691", dup201); + +var msg21860 = msg("19692", dup265); + +var msg21861 = msg("19693", dup197); + +var msg21862 = msg("19694", dup265); + +var msg21863 = msg("19695", dup192); + +var msg21864 = msg("19696", dup192); + +var msg21865 = msg("19697", dup192); + +var msg21866 = msg("19698", dup192); + +var msg21867 = msg("19699", dup192); + +var msg21868 = msg("19700", dup192); + +var msg21869 = msg("19701", dup192); + +var msg21870 = msg("19702", dup192); + +var msg21871 = msg("19703", dup238); + +var msg21872 = msg("19704", dup192); + +var msg21873 = msg("19705", dup192); + +var msg21874 = msg("19706", dup192); + +var msg21875 = msg("19707", dup197); + +var msg21876 = msg("19708", dup267); + +var msg21877 = msg("19709", dup198); + +var msg21878 = msg("19710", dup267); + +var msg21879 = msg("19711", dup192); + +var msg21880 = msg("19712", dup192); + +var msg21881 = msg("19713", dup197); + +var msg21882 = msg("19714", dup197); + +var msg21883 = msg("19715", dup192); + +var msg21884 = msg("19716", dup192); + +var msg21885 = msg("19717", dup263); + +var msg21886 = msg("19718", dup192); + +var msg21887 = msg("19719", dup238); + +var msg21888 = msg("19720", dup192); + +var msg21889 = msg("19721", dup192); + +var msg21890 = msg("19722", dup192); + +var msg21891 = msg("19723", dup202); + +var msg21892 = msg("19724", dup192); + +var msg21893 = msg("19725", dup202); + +var msg21894 = msg("19726", dup202); + +var msg21895 = msg("19727", dup192); + +var msg21896 = msg("19728", dup202); + +var msg21897 = msg("19729", dup202); + +var msg21898 = msg("19730", dup202); + +var msg21899 = msg("19731", dup202); + +var msg21900 = msg("19732", dup202); + +var msg21901 = msg("19733", dup192); + +var msg21902 = msg("19734", dup263); + +var msg21903 = msg("19735", dup202); + +var msg21904 = msg("19736", dup202); + +var msg21905 = msg("19737", dup202); + +var msg21906 = msg("19738", dup263); + +var msg21907 = msg("19739", dup192); + +var msg21908 = msg("19740", dup238); + +var msg21909 = msg("19741", dup303); + +var msg21910 = msg("19742", dup192); + +var msg21911 = msg("19743", dup192); + +var msg21912 = msg("19744", dup238); + +var msg21913 = msg("19745", dup192); + +var msg21914 = msg("19746", dup192); + +var msg21915 = msg("19747", dup192); + +var msg21916 = msg("19748", dup192); + +var msg21917 = msg("19749", dup192); + +var msg21918 = msg("19750", dup192); + +var msg21919 = msg("19751", dup238); + +var msg21920 = msg("19752", dup192); + +var msg21921 = msg("19753", dup192); + +var msg21922 = msg("19754", dup192); + +var msg21923 = msg("19755", dup192); + +var msg21924 = msg("19756", dup269); + +var msg21925 = msg("19757", dup192); + +var msg21926 = msg("19758", dup192); + +var msg21927 = msg("19759", dup192); + +var msg21928 = msg("19760", dup192); + +var msg21929 = msg("19761", dup227); + +var msg21930 = msg("19762", dup192); + +var msg21931 = msg("19763", dup192); + +var msg21932 = msg("19764", dup192); + +var msg21933 = msg("19765", dup192); + +var msg21934 = msg("19766", dup238); + +var msg21935 = msg("19767", dup192); + +var msg21936 = msg("19768", dup263); + +var msg21937 = msg("19769", dup198); + +var msg21938 = msg("19770", dup198); + +var msg21939 = msg("19771", dup198); + +var msg21940 = msg("19772", dup263); + +var msg21941 = msg("19773", dup263); + +var msg21942 = msg("19774", dup192); + +var msg21943 = msg("19775", dup303); + +var msg21944 = msg("19776", dup192); + +var msg21945 = msg("19777", dup263); + +var msg21946 = msg("19778", dup269); + +var msg21947 = msg("19779", dup260); + +var msg21948 = msg("19780", dup202); + +var msg21949 = msg("19781", dup192); + +var msg21950 = msg("19782", dup192); + +var msg21951 = msg("19783", dup192); + +var msg21952 = msg("19784", dup238); + +var msg21953 = msg("19785", dup192); + +var msg21954 = msg("19786", dup263); + +var msg21955 = msg("19787", dup267); + +var msg21956 = msg("19788", dup192); + +var msg21957 = msg("19789", dup238); + +var msg21958 = msg("19790", dup238); + +var msg21959 = msg("19791", dup192); + +var msg21960 = msg("19792", dup192); + +var msg21961 = msg("19793", dup192); + +var msg21962 = msg("19794", dup192); + +var msg21963 = msg("19795", dup263); + +var msg21964 = msg("19796", dup192); + +var msg21965 = msg("19797", dup192); + +var msg21966 = msg("19798", dup192); + +var msg21967 = msg("19799", dup192); + +var msg21968 = msg("19800", dup192); + +var msg21969 = msg("19801", dup192); + +var msg21970 = msg("19802", dup192); + +var msg21971 = msg("19803", dup192); + +var msg21972 = msg("19804", dup192); + +var msg21973 = msg("19805", dup192); + +var msg21974 = msg("19806", dup267); + +var msg21975 = msg("19807", dup267); + +var msg21976 = msg("19808", dup267); + +var msg21977 = msg("19809", dup267); + +var msg21978 = msg("19810", dup260); + +var msg21979 = msg("19811", dup202); + +var msg21980 = msg("19812", dup267); + +var msg21981 = msg("19813", dup197); + +var msg21982 = msg("19814", dup267); + +var msg21983 = msg("19815", dup267); + +var msg21984 = msg("19816", dup276); + +var msg21985 = msg("19817", dup201); + +var msg21986 = msg("19818", dup265); + +var msg21987 = msg("19819", dup192); + +var msg21988 = msg("19820", dup192); + +var msg21989 = msg("19821", dup238); + +var msg21990 = msg("19822", dup192); + +var msg21991 = msg("19823", dup303); + +var msg21992 = msg("19824", dup192); + +var msg21993 = msg("19825", dup198); + +var msg21994 = msg("19826", dup267); + +var msg21995 = msg("19827", dup303); + +var msg21996 = msg("19828", dup192); + +var msg21997 = msg("19829", dup192); + +var msg21998 = msg("19830", dup192); + +var msg21999 = msg("19831", dup192); + +var msg22000 = msg("19832", dup192); + +var msg22001 = msg("19833", dup192); + +var msg22002 = msg("19834", dup192); + +var msg22003 = msg("19835", dup303); + +var msg22004 = msg("19836", dup192); + +var msg22005 = msg("19837", dup303); + +var msg22006 = msg("19838", dup303); + +var msg22007 = msg("19839", dup263); + +var msg22008 = msg("19840", dup303); + +var msg22009 = msg("19841", dup303); + +var msg22010 = msg("19842", dup263); + +var msg22011 = msg("19843", dup263); + +var msg22012 = msg("19844", dup192); + +var msg22013 = msg("19845", dup192); + +var msg22014 = msg("19846", dup192); + +var msg22015 = msg("19847", dup192); + +var msg22016 = msg("19848", dup263); + +var msg22017 = msg("19849", dup263); + +var msg22018 = msg("19850", dup238); + +var msg22019 = msg("19851", dup238); + +var msg22020 = msg("19852", dup192); + +var msg22021 = msg("19853", dup303); + +var msg22022 = msg("19854", dup192); + +var msg22023 = msg("19855", dup192); + +var msg22024 = msg("19856", dup192); + +var msg22025 = msg("19857", dup192); + +var msg22026 = msg("19858", dup192); + +var msg22027 = msg("19859", dup303); + +var msg22028 = msg("19860", dup303); + +var msg22029 = msg("19861", dup192); + +var msg22030 = msg("19862", dup192); + +var msg22031 = msg("19863", dup265); + +var msg22032 = msg("19864", dup192); + +var msg22033 = msg("19865", dup192); + +var msg22034 = msg("19866", dup192); + +var msg22035 = msg("19867", dup287); + +var msg22036 = msg("19868", dup263); + +var msg22037 = msg("19869", dup198); + +var msg22038 = msg("19870", dup198); + +var msg22039 = msg("19871", dup197); + +var msg22040 = msg("19872", dup267); + +var msg22041 = msg("19873", dup267); + +var msg22042 = msg("19874", dup263); + +var msg22043 = msg("19875", dup263); + +var msg22044 = msg("19876", dup263); + +var msg22045 = msg("19877", dup263); + +var msg22046 = msg("19878", dup263); + +var msg22047 = msg("19879", dup263); + +var msg22048 = msg("19880", dup263); + +var msg22049 = msg("19881", dup263); + +var msg22050 = msg("19882", dup269); + +var msg22051 = msg("19883", dup197); + +var msg22052 = msg("19884", dup287); + +var msg22053 = msg("19885", dup197); + +var msg22054 = msg("19886", dup267); + +var msg22055 = msg("19887", dup287); + +var msg22056 = msg("19888", dup287); + +var msg22057 = msg("19889", dup202); + +var msg22058 = msg("19890", dup255); + +var msg22059 = msg("19891", dup197); + +var msg22060 = msg("19892", dup197); + +var msg22061 = msg("19893", dup197); + +var msg22062 = msg("19894", dup267); + +var msg22063 = msg("19895", dup205); + +var msg22064 = msg("19896", dup263); + +var msg22065 = msg("19897", dup263); + +var msg22066 = msg("19898", dup205); + +var msg22067 = msg("19899", dup303); + +var msg22068 = msg("19900", dup303); + +var msg22069 = msg("19901", dup303); + +var msg22070 = msg("19902", dup303); + +var msg22071 = msg("19903", dup303); + +var msg22072 = msg("19904", dup303); + +var msg22073 = msg("19905", dup205); + +var msg22074 = msg("19906", dup202); + +var msg22075 = msg("19907", dup202); + +var msg22076 = msg("19908", dup197); + +var msg22077 = msg("19909", dup202); + +var msg22078 = msg("19910", dup265); + +var msg22079 = msg("19911", dup197); + +var msg22080 = msg("19912", dup263); + +var msg22081 = msg("19914", dup263); + +var msg22082 = msg("19915", dup205); + +var msg22083 = msg("19916", dup192); + +var msg22084 = msg("19917", dup205); + +var msg22085 = msg("19918", dup238); + +var msg22086 = msg("19919", dup205); + +var msg22087 = msg("19920", dup205); + +var msg22088 = msg("19921", dup192); + +var msg22089 = msg("19922", dup205); + +var msg22090 = msg("19923", dup263); + +var msg22091 = msg("19924", dup192); + +var msg22092 = msg("19925", dup201); + +var msg22093 = msg("19926", dup197); + +var msg22094 = msg("19927", dup318); + +var msg22095 = msg("19928", dup318); + +var msg22096 = msg("19929", dup318); + +var msg22097 = msg("19930", dup318); + +var msg22098 = msg("19931", dup205); + +var msg22099 = msg("19932", dup265); + +var msg22100 = msg("19933", dup265); + +var msg22101 = msg("19934", dup269); + +var msg22102 = msg("19935", dup205); + +var msg22103 = msg("19936", dup205); + +var msg22104 = msg("19937", dup267); + +var msg22105 = msg("19938", dup197); + +var msg22106 = msg("19939", dup303); + +var msg22107 = msg("19940", dup205); + +var msg22108 = msg("19941", dup205); + +var msg22109 = msg("19942", dup205); + +var msg22110 = msg("19943", dup267); + +var msg22111 = msg("19944", dup205); + +var msg22112 = msg("19945", dup205); + +var msg22113 = msg("19946", dup205); + +var msg22114 = msg("19947", dup205); + +var msg22115 = msg("19948", dup205); + +var msg22116 = msg("19949", dup205); + +var msg22117 = msg("19950", dup192); + +var msg22118 = msg("19951", dup263); + +var msg22119 = msg("19952", dup192); + +var msg22120 = msg("19953", dup205); + +var msg22121 = msg("19954", dup192); + +var msg22122 = msg("19955", dup192); + +var msg22123 = msg("19956", dup197); + +var msg22124 = msg("19957", dup267); + +var msg22125 = msg("19958", dup205); + +var msg22126 = msg("19959", dup205); + +var msg22127 = msg("19960", dup205); + +var msg22128 = msg("19961", dup205); + +var msg22129 = msg("19962", dup290); + +var msg22130 = msg("19963", dup205); + +var msg22131 = msg("19964", dup318); + +var msg22132 = msg("19965", dup205); + +var msg22133 = msg("19966", dup263); + +var msg22134 = msg("19967", dup205); + +var msg22135 = msg("19968", dup205); + +var msg22136 = msg("19969", dup205); + +var msg22137 = msg("19970", dup205); + +var msg22138 = msg("19971", dup303); + +var msg22139 = msg("19972", dup197); + +var msg22140 = msg("19973", dup290); + +var msg22141 = msg("19974", dup205); + +var msg22142 = msg("19975", dup205); + +var msg22143 = msg("19976", dup238); + +var msg22144 = msg("19977", dup205); + +var msg22145 = msg("19978", dup290); + +var msg22146 = msg("19979", dup263); + +var msg22147 = msg("19980", dup263); + +var msg22148 = msg("19981", dup192); + +var msg22149 = msg("19982", dup205); + +var msg22150 = msg("19983", dup205); + +var msg22151 = msg("19984", dup263); + +var msg22152 = msg("19985", dup263); + +var msg22153 = msg("19986", dup263); + +var msg22154 = msg("19987", dup303); + +var msg22155 = msg("19988", dup205); + +var msg22156 = msg("19989", dup303); + +var msg22157 = msg("19990", dup303); + +var msg22158 = msg("19991", dup205); + +var msg22159 = msg("19992", dup205); + +var msg22160 = msg("19993", dup192); + +var msg22161 = msg("19994", dup263); + +var msg22162 = msg("19995", dup202); + +var msg22163 = msg("19996", dup238); + +var msg22164 = msg("19997", dup192); + +var msg22165 = msg("19998", dup192); + +var msg22166 = msg("19999", dup303); + +var msg22167 = msg("20000", dup202); + +var msg22168 = msg("20001", dup192); + +var msg22169 = msg("20002", dup192); + +var msg22170 = msg("20003", dup192); + +var msg22171 = msg("20004", dup192); + +var msg22172 = msg("20005", dup192); + +var msg22173 = msg("20006", dup238); + +var msg22174 = msg("20007", dup303); + +var msg22175 = msg("20008", dup202); + +var msg22176 = msg("20009", dup269); + +var msg22177 = msg("20010", dup287); + +var msg22178 = msg("20011", dup202); + +var msg22179 = msg("20012", dup269); + +var msg22180 = msg("20013", dup197); + +var msg22181 = msg("20014", dup192); + +var msg22182 = msg("20015", dup192); + +var msg22183 = msg("20016", dup192); + +var msg22184 = msg("20017", dup238); + +var msg22185 = msg("20018", dup238); + +var msg22186 = msg("20019", dup238); + +var msg22187 = msg("20020", dup263); + +var msg22188 = msg("20021", dup269); + +var msg22189 = msg("20022", dup238); + +var msg22190 = msg("20023", dup263); + +var msg22191 = msg("20024", dup192); + +var msg22192 = msg("20025", dup263); + +var msg22193 = msg("20026", dup192); + +var msg22194 = msg("20027", dup263); + +var msg22195 = msg("20028", dup263); + +var msg22196 = msg("20029", dup267); + +var msg22197 = msg("20030", dup202); + +var msg22198 = msg("20031", dup267); + +var msg22199 = msg("20032", dup265); + +var msg22200 = msg("20033", dup265); + +var msg22201 = msg("20034", dup201); + +var msg22202 = msg("20035", dup192); + +var msg22203 = msg("20036", dup192); + +var msg22204 = msg("20037", dup192); + +var msg22205 = msg("20038", dup192); + +var msg22206 = msg("20039", dup269); + +var msg22207 = msg("20040", dup192); + +var msg22208 = msg("20041", dup263); + +var msg22209 = msg("20042", dup192); + +var msg22210 = msg("20043", dup263); + +var msg22211 = msg("20044", dup265); + +var msg22212 = msg("20045", dup260); + +var msg22213 = msg("20046", dup260); + +var msg22214 = msg("20047", dup260); + +var msg22215 = msg("20048", dup267); + +var msg22216 = msg("20049", dup267); + +var msg22217 = msg("20050", dup267); + +var msg22218 = msg("20051", dup197); + +var msg22219 = msg("20052", dup197); + +var msg22220 = msg("20053", dup240); + +var msg22221 = msg("20054", dup198); + +var msg22222 = msg("20055", dup197); + +var msg22223 = msg("20056", dup265); + +var msg22224 = msg("20057", dup202); + +var msg22225 = msg("20058", dup267); + +var msg22226 = msg("20059", dup267); + +var msg22227 = msg("20060", dup197); + +var msg22228 = msg("20061", dup201); + +var msg22229 = msg("20062", dup267); + +var msg22230 = msg("20063", dup303); + +var msg22231 = msg("20064", dup263); + +var msg22232 = msg("20065", dup192); + +var msg22233 = msg("20066", dup192); + +var msg22234 = msg("20067", dup192); + +var msg22235 = msg("20068", dup269); + +var msg22236 = msg("20069", dup192); + +var msg22237 = msg("20070", dup265); + +var msg22238 = msg("20071", dup265); + +var msg22239 = msg("20072", dup265); + +var msg22240 = msg("20073", dup267); + +var msg22241 = msg("20074", dup192); + +var msg22242 = msg("20075", dup192); + +var msg22243 = msg("20076", dup192); + +var msg22244 = msg("20077", dup192); + +var msg22245 = msg("20078", dup192); + +var msg22246 = msg("20079", dup192); + +var msg22247 = msg("20080", dup192); + +var msg22248 = msg("20081", dup192); + +var msg22249 = msg("20082", dup192); + +var msg22250 = msg("20083", dup192); + +var msg22251 = msg("20084", dup197); + +var msg22252 = msg("20085", dup192); + +var msg22253 = msg("20086", dup192); + +var msg22254 = msg("20087", dup192); + +var msg22255 = msg("20088", dup192); + +var msg22256 = msg("20089", dup202); + +var msg22257 = msg("20090", dup202); + +var msg22258 = msg("20091", dup202); + +var msg22259 = msg("20092", dup202); + +var msg22260 = msg("20093", dup202); + +var msg22261 = msg("20094", dup202); + +var msg22262 = msg("20095", dup313); + +var msg22263 = msg("20096", dup192); + +var msg22264 = msg("20097", dup192); + +var msg22265 = msg("20098", dup192); + +var msg22266 = msg("20099", dup192); + +var msg22267 = msg("20100", dup263); + +var msg22268 = msg("20101", dup263); + +var msg22269 = msg("20102", dup263); + +var msg22270 = msg("20103", dup263); + +var msg22271 = msg("20104", dup269); + +var msg22272 = msg("20105", dup269); + +var msg22273 = msg("20106", dup269); + +var msg22274 = msg("20107", dup192); + +var msg22275 = msg("20108", dup192); + +var msg22276 = msg("20109", dup192); + +var msg22277 = msg("20110", dup267); + +var msg22278 = msg("20111", dup267); + +var msg22279 = msg("20112", dup267); + +var msg22280 = msg("20113", dup267); + +var msg22281 = msg("20114", dup201); + +var msg22282 = msg("20115", dup267); + +var msg22283 = msg("20116", dup201); + +var msg22284 = msg("20117", dup267); + +var msg22285 = msg("20118", dup276); + +var msg22286 = msg("20119", dup267); + +var msg22287 = msg("20120", dup267); + +var msg22288 = msg("20121", dup202); + +var msg22289 = msg("20122", dup202); + +var msg22290 = msg("20123", dup202); + +var msg22291 = msg("20124", dup202); + +var msg22292 = msg("20125", dup202); + +var msg22293 = msg("20126", dup202); + +var msg22294 = msg("20127", dup267); + +var msg22295 = msg("20128", dup202); + +var msg22296 = msg("20129", dup202); + +var msg22297 = msg("20130", dup267); + +var msg22298 = msg("20131", dup287); + +var msg22299 = msg("20132", dup198); + +var msg22300 = msg("20133", dup265); + +var msg22301 = msg("20134", dup197); + +var msg22302 = msg("20135", dup197); + +var msg22303 = msg("20136", dup202); + +var msg22304 = msg("20137", dup265); + +var msg22305 = msg("20138", dup287); + +var msg22306 = msg("20139", dup197); + +var msg22307 = msg("20140", dup197); + +var msg22308 = msg("20141", dup197); + +var msg22309 = msg("20142", dup267); + +var msg22310 = msg("20143", dup263); + +var msg22311 = msg("20144", dup267); + +var msg22312 = msg("20145", dup267); + +var msg22313 = msg("20146", dup202); + +var msg22314 = msg("20147", dup267); + +var msg22315 = msg("20148", dup267); + +var msg22316 = msg("20149", dup267); + +var msg22317 = msg("20150", dup267); + +var msg22318 = msg("20151", dup202); + +var msg22319 = msg("20152", dup267); + +var msg22320 = msg("20153", dup267); + +var msg22321 = msg("20154", dup267); + +var msg22322 = msg("20155", dup267); + +var msg22323 = msg("20156", dup267); + +var msg22324 = msg("20157", dup202); + +var msg22325 = msg("20158", dup265); + +var msg22326 = msg("20159", dup265); + +var msg22327 = msg("20160", dup265); + +var msg22328 = msg("20161", dup265); + +var msg22329 = msg("20162", dup265); + +var msg22330 = msg("20163", dup197); + +var msg22331 = msg("20164", dup197); + +var msg22332 = msg("20165", dup197); + +var msg22333 = msg("20166", dup197); + +var msg22334 = msg("20167", dup197); + +var msg22335 = msg("20168", dup267); + +var msg22336 = msg("20169", dup267); + +var msg22337 = msg("20170", dup267); + +var msg22338 = msg("20171", dup267); + +var msg22339 = msg("20172", dup202); + +var msg22340 = msg("20173", dup202); + +var msg22341 = msg("20174", dup202); + +var msg22342 = msg("20175", dup265); + +var msg22343 = msg("20176", dup197); + +var msg22344 = msg("20177", dup197); + +var msg22345 = msg("20178", dup198); + +var msg22346 = msg("20179", dup197); + +var msg22347 = msg("20180", dup197); + +var msg22348 = msg("20181", dup265); + +var msg22349 = msg("20182", dup265); + +var msg22350 = msg("20183", dup202); + +var msg22351 = msg("20184", dup199); + +var msg22352 = msg("20185", dup199); + +var msg22353 = msg("20186", dup199); + +var msg22354 = msg("20187", dup199); + +var msg22355 = msg("20188", dup199); + +var msg22356 = msg("20189", dup199); + +var msg22357 = msg("20190", dup199); + +var msg22358 = msg("20191", dup199); + +var msg22359 = msg("20192", dup199); + +var msg22360 = msg("20193", dup199); + +var msg22361 = msg("20194", dup199); + +var msg22362 = msg("20195", dup199); + +var msg22363 = msg("20196", dup199); + +var msg22364 = msg("20197", dup199); + +var msg22365 = msg("20198", dup199); + +var msg22366 = msg("20199", dup199); + +var msg22367 = msg("20200", dup199); + +var msg22368 = msg("20201", dup269); + +var msg22369 = msg("20202", dup202); + +var msg22370 = msg("20203", dup263); + +var msg22371 = msg("20204", dup192); + +var msg22372 = msg("20205", dup202); + +var msg22373 = msg("20206", dup202); + +var msg22374 = msg("20207", dup197); + +var msg22375 = msg("20208", dup197); + +var msg22376 = msg("20209", dup197); + +var msg22377 = msg("20210", dup197); + +var msg22378 = msg("20211", dup197); + +var msg22379 = msg("20212", dup202); + +var msg22380 = msg("20213", dup202); + +var msg22381 = msg("20214", dup267); + +var msg22382 = msg("20215", dup202); + +var msg22383 = msg("20216", dup198); + +var msg22384 = msg("20217", dup198); + +var msg22385 = msg("20218", dup198); + +var msg22386 = msg("20219", dup192); + +var msg22387 = msg("20220", dup263); + +var msg22388 = msg("20221", dup192); + +var msg22389 = msg("20222", dup192); + +var msg22390 = msg("20223", dup265); + +var msg22391 = msg("20224", dup197); + +var msg22392 = msg("20225", dup246); + +var msg22393 = msg("20226", dup197); + +var msg22394 = msg("20227", dup267); + +var msg22395 = msg("20228", dup202); + +var msg22396 = msg("20229", dup202); + +var msg22397 = msg("20230", dup269); + +var msg22398 = msg("20231", dup269); + +var msg22399 = msg("20232", dup192); + +var msg22400 = msg("20233", dup192); + +var msg22401 = msg("20234", dup192); + +var msg22402 = msg("20235", dup192); + +var msg22403 = msg("20236", dup197); + +var msg22404 = msg("20237", dup197); + +var msg22405 = msg("20238", dup267); + +var msg22406 = msg("20239", dup197); + +var msg22407 = msg("20240", dup197); + +var msg22408 = msg("20241", dup197); + +var msg22409 = msg("20242", dup197); + +var msg22410 = msg("20243", dup202); + +var msg22411 = msg("20244", dup202); + +var msg22412 = msg("20245", dup202); + +var msg22413 = msg("20246", dup267); + +var msg22414 = msg("20247", dup267); + +var msg22415 = msg("20248", dup255); + +var msg22416 = msg("20249", dup267); + +var msg22417 = msg("20250", dup197); + +var msg22418 = msg("20251", dup198); + +var msg22419 = msg("20252", dup202); + +var msg22420 = msg("20253", dup276); + +var msg22421 = msg("20254", dup267); + +var msg22422 = msg("20255", dup202); + +var msg22423 = msg("20256", dup267); + +var msg22424 = msg("20257", dup265); + +var msg22425 = msg("20258", dup201); + +var msg22426 = msg("20259", dup265); + +var msg22427 = msg("20260", dup265); + +var msg22428 = msg("20261", dup265); + +var msg22429 = msg("20262", dup265); + +var msg22430 = msg("20263", dup265); + +var msg22431 = msg("20264", dup267); + +var msg22432 = msg("20265", dup202); + +var msg22433 = msg("20266", dup267); + +var msg22434 = msg("20267", dup267); + +var msg22435 = msg("20268", dup269); + +var msg22436 = msg("20269", dup265); + +var msg22437 = msg("20270", dup267); + +var msg22438 = msg("20271", dup198); + +var msg22439 = msg("20272", dup197); + +var msg22440 = msg("20273", dup267); + +var msg22441 = msg("20274", dup255); + +var msg22442 = msg("20275", dup201); + +var msg22443 = msg("20276", dup202); + +var msg22444 = msg("20277", dup265); + +var msg22445 = msg("20278", dup265); + +var msg22446 = msg("20279", dup265); + +var msg22447 = msg("20280", dup202); + +var msg22448 = msg("20281", dup202); + +var msg22449 = msg("20282", dup265); + +var msg22450 = msg("20283", dup197); + +var msg22451 = msg("20284", dup197); + +var msg22452 = msg("20285", dup265); + +var msg22453 = msg("20286", dup265); + +var msg22454 = msg("20287", dup265); + +var msg22455 = msg("20288", dup197); + +var msg22456 = msg("20289", dup198); + +var msg22457 = msg("20290", dup198); + +var msg22458 = msg("20291", dup192); + +var msg22459 = msg("20292", dup192); + +var msg22460 = msg("20293", dup269); + +var msg22461 = msg("20294", dup267); + +var msg22462 = msg("20295", dup267); + +var msg22463 = msg("20296", dup202); + +var msg22464 = msg("20297", dup202); + +var msg22465 = msg("20298", dup287); + +var msg22466 = msg("20299", dup287); + +var msg22467 = msg("20300", dup201); + +var msg22468 = msg("20301", dup201); + +var msg22469 = msg("20302", dup202); + +var msg22470 = msg("20303", dup287); + +var msg22471 = msg("20304", dup287); + +var msg22472 = msg("20305", dup287); + +var msg22473 = msg("20306", dup287); + +var msg22474 = msg("20307", dup287); + +var msg22475 = msg("20308", dup287); + +var msg22476 = msg("20309", dup202); + +var msg22477 = msg("20310", dup202); + +var msg22478 = msg("20311", dup202); + +var msg22479 = msg("20312", dup287); + +var msg22480 = msg("20313", dup202); + +var msg22481 = msg("20314", dup287); + +var msg22482 = msg("20315", dup287); + +var msg22483 = msg("20316", dup202); + +var msg22484 = msg("20317", dup202); + +var msg22485 = msg("20318", dup287); + +var msg22486 = msg("20319", dup287); + +var msg22487 = msg("20320", dup201); + +var msg22488 = msg("20321", dup201); + +var msg22489 = msg("20322", dup287); + +var msg22490 = msg("20323", dup287); + +var msg22491 = msg("20324", dup287); + +var msg22492 = msg("20325", dup287); + +var msg22493 = msg("20326", dup287); + +var msg22494 = msg("20327", dup287); + +var msg22495 = msg("20328", dup202); + +var msg22496 = msg("20329", dup202); + +var msg22497 = msg("20330", dup202); + +var msg22498 = msg("20331", dup202); + +var msg22499 = msg("20332", dup202); + +var msg22500 = msg("20333", dup287); + +var msg22501 = msg("20334", dup201); + +var msg22502 = msg("20335", dup201); + +var msg22503 = msg("20336", dup287); + +var msg22504 = msg("20337", dup287); + +var msg22505 = msg("20338", dup287); + +var msg22506 = msg("20339", dup287); + +var msg22507 = msg("20340", dup287); + +var msg22508 = msg("20341", dup287); + +var msg22509 = msg("20342", dup202); + +var msg22510 = msg("20343", dup202); + +var msg22511 = msg("20344", dup202); + +var msg22512 = msg("20345", dup202); + +var msg22513 = msg("20346", dup202); + +var msg22514 = msg("20347", dup202); + +var msg22515 = msg("20348", dup201); + +var msg22516 = msg("20349", dup201); + +var msg22517 = msg("20350", dup287); + +var msg22518 = msg("20351", dup287); + +var msg22519 = msg("20352", dup201); + +var msg22520 = msg("20353", dup287); + +var msg22521 = msg("20354", dup287); + +var msg22522 = msg("20355", dup287); + +var msg22523 = msg("20356", dup201); + +var msg22524 = msg("20357", dup201); + +var msg22525 = msg("20358", dup287); + +var msg22526 = msg("20359", dup287); + +var msg22527 = msg("20360", dup202); + +var msg22528 = msg("20361", dup202); + +var msg22529 = msg("20362", dup202); + +var msg22530 = msg("20363", dup202); + +var msg22531 = msg("20364", dup287); + +var msg22532 = msg("20365", dup287); + +var msg22533 = msg("20366", dup201); + +var msg22534 = msg("20367", dup201); + +var msg22535 = msg("20368", dup287); + +var msg22536 = msg("20369", dup287); + +var msg22537 = msg("20370", dup287); + +var msg22538 = msg("20371", dup287); + +var msg22539 = msg("20372", dup287); + +var msg22540 = msg("20373", dup287); + +var msg22541 = msg("20374", dup202); + +var msg22542 = msg("20375", dup202); + +var msg22543 = msg("20376", dup287); + +var msg22544 = msg("20377", dup287); + +var msg22545 = msg("20378", dup287); + +var msg22546 = msg("20379", dup287); + +var msg22547 = msg("20380", dup287); + +var msg22548 = msg("20381", dup202); + +var msg22549 = msg("20382", dup202); + +var msg22550 = msg("20383", dup202); + +var msg22551 = msg("20384", dup202); + +var msg22552 = msg("20385", dup201); + +var msg22553 = msg("20386", dup202); + +var msg22554 = msg("20387", dup201); + +var msg22555 = msg("20388", dup201); + +var msg22556 = msg("20389", dup201); + +var msg22557 = msg("20390", dup202); + +var msg22558 = msg("20391", dup201); + +var msg22559 = msg("20392", dup201); + +var msg22560 = msg("20393", dup197); + +var msg22561 = msg("20394", dup197); + +var msg22562 = msg("20395", dup197); + +var msg22563 = msg("20396", dup197); + +var msg22564 = msg("20397", dup197); + +var msg22565 = msg("20398", dup197); + +var msg22566 = msg("20399", dup197); + +var msg22567 = msg("20400", dup197); + +var msg22568 = msg("20401", dup197); + +var msg22569 = msg("20402", dup197); + +var msg22570 = msg("20403", dup197); + +var msg22571 = msg("20404", dup202); + +var msg22572 = msg("20405", dup287); + +var msg22573 = msg("20406", dup202); + +var msg22574 = msg("20407", dup202); + +var msg22575 = msg("20408", dup202); + +var msg22576 = msg("20409", dup202); + +var msg22577 = msg("20410", dup273); + +var msg22578 = msg("20411", dup202); + +var msg22579 = msg("20412", dup202); + +var msg22580 = msg("20413", dup202); + +var msg22581 = msg("20414", dup287); + +var msg22582 = msg("20415", dup202); + +var msg22583 = msg("20416", dup202); + +var msg22584 = msg("20417", dup202); + +var msg22585 = msg("20418", dup202); + +var msg22586 = msg("20419", dup273); + +var msg22587 = msg("20420", dup202); + +var msg22588 = msg("20421", dup202); + +var msg22589 = msg("20422", dup287); + +var msg22590 = msg("20423", dup287); + +var msg22591 = msg("20424", dup287); + +var msg22592 = msg("20425", dup287); + +var msg22593 = msg("20426", dup201); + +var msg22594 = msg("20427", dup287); + +var msg22595 = msg("20428", dup192); + +var msg22596 = msg("20429", dup267); + +var msg22597 = msg("20430", dup265); + +var msg22598 = msg("20431", dup197); + +var msg22599 = msg("20432", dup192); + +var msg22600 = msg("20433", dup303); + +var msg22601 = msg("20434", dup263); + +var msg22602 = msg("20435", dup192); + +var msg22603 = msg("20436", dup198); + +var msg22604 = msg("20437", dup198); + +var msg22605 = msg("20438", dup198); + +var msg22606 = msg("20439", dup198); + +var msg22607 = msg("20440", dup197); + +var msg22608 = msg("20441", dup197); + +var msg22609 = msg("20442", dup197); + +var msg22610 = msg("20443", dup202); + +var msg22611 = msg("20444", dup197); + +var msg22612 = msg("20445", dup197); + +var msg22613 = msg("20446", dup197); + +var msg22614 = msg("20447", dup192); + +var msg22615 = msg("20448", dup192); + +var msg22616 = msg("20449", dup238); + +var msg22617 = msg("20450", dup202); + +var msg22618 = msg("20451", dup202); + +var msg22619 = msg("20452", dup287); + +var msg22620 = msg("20453", dup287); + +var msg22621 = msg("20454", dup287); + +var msg22622 = msg("20455", dup202); + +var msg22623 = msg("20456", dup202); + +var msg22624 = msg("20457", dup202); + +var msg22625 = msg("20458", dup287); + +var msg22626 = msg("20459", dup202); + +var msg22627 = msg("20460", dup202); + +var msg22628 = msg("20461", dup202); + +var msg22629 = msg("20462", dup202); + +var msg22630 = msg("20463", dup287); + +var msg22631 = msg("20464", dup287); + +var msg22632 = msg("20465", dup287); + +var msg22633 = msg("20466", dup287); + +var msg22634 = msg("20467", dup287); + +var msg22635 = msg("20468", dup287); + +var msg22636 = msg("20469", dup287); + +var msg22637 = msg("20470", dup202); + +var msg22638 = msg("20471", dup202); + +var msg22639 = msg("20472", dup202); + +var msg22640 = msg("20473", dup202); + +var msg22641 = msg("20474", dup202); + +var msg22642 = msg("20475", dup202); + +var msg22643 = msg("20476", dup202); + +var msg22644 = msg("20477", dup202); + +var msg22645 = msg("20478", dup202); + +var msg22646 = msg("20479", dup202); + +var msg22647 = msg("20480", dup202); + +var msg22648 = msg("20481", dup202); + +var msg22649 = msg("20482", dup202); + +var msg22650 = msg("20483", dup202); + +var msg22651 = msg("20484", dup202); + +var msg22652 = msg("20485", dup287); + +var msg22653 = msg("20486", dup202); + +var msg22654 = msg("20487", dup287); + +var msg22655 = msg("20488", dup202); + +var msg22656 = msg("20489", dup202); + +var msg22657 = msg("20490", dup202); + +var msg22658 = msg("20491", dup202); + +var msg22659 = msg("20492", dup202); + +var msg22660 = msg("20493", dup202); + +var msg22661 = msg("20494", dup202); + +var msg22662 = msg("20495", dup202); + +var msg22663 = msg("20496", dup202); + +var msg22664 = msg("20497", dup202); + +var msg22665 = msg("20498", dup202); + +var msg22666 = msg("20499", dup202); + +var msg22667 = msg("20500", dup202); + +var msg22668 = msg("20501", dup202); + +var msg22669 = msg("20502", dup202); + +var msg22670 = msg("20503", dup202); + +var msg22671 = msg("20504", dup202); + +var msg22672 = msg("20505", dup202); + +var msg22673 = msg("20506", dup202); + +var msg22674 = msg("20507", dup202); + +var msg22675 = msg("20508", dup202); + +var msg22676 = msg("20509", dup202); + +var msg22677 = msg("20510", dup202); + +var msg22678 = msg("20511", dup202); + +var msg22679 = msg("20512", dup202); + +var msg22680 = msg("20513", dup202); + +var msg22681 = msg("20514", dup202); + +var msg22682 = msg("20515", dup202); + +var msg22683 = msg("20516", dup202); + +var msg22684 = msg("20517", dup202); + +var msg22685 = msg("20518", dup202); + +var msg22686 = msg("20519", dup202); + +var msg22687 = msg("20520", dup202); + +var msg22688 = msg("20521", dup202); + +var msg22689 = msg("20522", dup202); + +var msg22690 = msg("20523", dup269); + +var msg22691 = msg("20524", dup269); + +var msg22692 = msg("20525", dup192); + +var msg22693 = msg("20526", dup263); + +var msg22694 = msg("20527", dup202); + +var msg22695 = msg("20528", dup265); + +var msg22696 = msg("20529", dup267); + +var msg22697 = msg("20530", dup265); + +var msg22698 = msg("20531", dup265); + +var msg22699 = msg("20532", dup197); + +var msg22700 = msg("20533", dup265); + +var msg22701 = msg("20534", dup201); + +var msg22702 = msg("20535", dup265); + +var msg22703 = msg("20536", dup265); + +var msg22704 = msg("20537", dup265); + +var msg22705 = msg("20538", dup265); + +var msg22706 = msg("20539", dup265); + +var msg22707 = msg("20540", dup202); + +var msg22708 = msg("20541", dup276); + +var msg22709 = msg("20542", dup267); + +var msg22710 = msg("20543", dup201); + +var msg22711 = msg("20544", dup202); + +var msg22712 = msg("20545", dup202); + +var msg22713 = msg("20546", dup197); + +var msg22714 = msg("20547", dup197); + +var msg22715 = msg("20548", dup319); + +var msg22716 = msg("20549", dup287); + +var msg22717 = msg("20550", dup201); + +var msg22718 = msg("20551", dup197); + +var msg22719 = msg("20552", dup197); + +var msg22720 = msg("20553", dup197); + +var msg22721 = msg("20554", dup267); + +var msg22722 = msg("20555", dup197); + +var msg22723 = msg("20556", dup202); + +var msg22724 = msg("20557", dup197); + +var msg22725 = msg("20558", dup269); + +var msg22726 = msg("20559", dup197); + +var msg22727 = msg("20560", dup201); + +var msg22728 = msg("20561", dup192); + +var msg22729 = msg("20562", dup192); + +var msg22730 = msg("20563", dup202); + +var msg22731 = msg("20564", dup202); + +var msg22732 = msg("20565", dup197); + +var msg22733 = msg("20566", dup197); + +var msg22734 = msg("20567", dup267); + +var msg22735 = msg("20568", dup201); + +var msg22736 = msg("20569", dup202); + +var msg22737 = msg("20570", dup202); + +var msg22738 = msg("20571", dup202); + +var msg22739 = msg("20572", dup197); + +var msg22740 = msg("20573", dup265); + +var msg22741 = msg("20574", dup265); + +var msg22742 = msg("20575", dup267); + +var msg22743 = msg("20576", dup197); + +var msg22744 = msg("20577", dup267); + +var msg22745 = msg("20578", dup197); + +var msg22746 = msg("20579", dup267); + +var msg22747 = msg("20580", dup265); + +var msg22748 = msg("20581", dup267); + +var msg22749 = msg("20582", dup267); + +var msg22750 = msg("20583", dup265); + +var msg22751 = msg("20584", dup265); + +var msg22752 = msg("20585", dup265); + +var msg22753 = msg("20586", dup265); + +var msg22754 = msg("20587", dup192); + +var msg22755 = msg("20588", dup202); + +var msg22756 = msg("20589", dup202); + +var msg22757 = msg("20590", dup267); + +var msg22758 = msg("20591", dup265); + +var msg22759 = msg("20592", dup265); + +var msg22760 = msg("20593", dup265); + +var msg22761 = msg("20594", dup197); + +var msg22762 = msg("20595", dup192); + +var msg22763 = msg("20596", dup267); + +var msg22764 = msg("20597", dup267); + +var msg22765 = msg("20598", dup267); + +var msg22766 = msg("20599", dup267); + +var msg22767 = msg("20600", dup202); + +var msg22768 = msg("20601", dup202); + +var msg22769 = msg("20602", dup202); + +var msg22770 = msg("20603", dup197); + +var msg22771 = msg("20604", dup192); + +var msg22772 = msg("20605", dup192); + +var msg22773 = msg("20606", dup192); + +var msg22774 = msg("20607", dup197); + +var msg22775 = msg("20608", dup197); + +var msg22776 = msg("20609", dup197); + +var msg22777 = msg("20610", dup267); + +var msg22778 = msg("20611", dup197); + +var msg22779 = msg("20612", dup198); + +var msg22780 = msg("20613", dup198); + +var msg22781 = msg("20614", dup267); + +var msg22782 = msg("20615", dup260); + +var msg22783 = msg("20616", dup197); + +var msg22784 = msg("20617", dup267); + +var msg22785 = msg("20618", dup267); + +var msg22786 = msg("20619", dup197); + +var msg22787 = msg("20620", dup197); + +var msg22788 = msg("20621", dup202); + +var msg22789 = msg("20622", dup201); + +var msg22790 = msg("20623", dup260); + +var msg22791 = msg("20624", dup260); + +var msg22792 = msg("20625", dup260); + +var msg22793 = msg("20626", dup192); + +var msg22794 = msg("20627", dup192); + +var msg22795 = msg("20628", dup260); + +var msg22796 = msg("20629", dup260); + +var msg22797 = msg("20630", dup202); + +var msg22798 = msg("20631", dup202); + +var msg22799 = msg("20632", dup202); + +var msg22800 = msg("20633", dup202); + +var msg22801 = msg("20634", dup198); + +var msg22802 = msg("20635", dup260); + +var msg22803 = msg("20636", dup267); + +var msg22804 = msg("20637", dup267); + +var msg22805 = msg("20638", dup267); + +var msg22806 = msg("20639", dup263); + +var msg22807 = msg("20640", dup260); + +var msg22808 = msg("20641", dup260); + +var msg22809 = msg("20642", dup260); + +var msg22810 = msg("20643", dup260); + +var msg22811 = msg("20644", dup260); + +var msg22812 = msg("20645", dup260); + +var msg22813 = msg("20646", dup260); + +var msg22814 = msg("20647", dup260); + +var msg22815 = msg("20648", dup260); + +var msg22816 = msg("20649", dup260); + +var msg22817 = msg("20650", dup202); + +var msg22818 = msg("20651", dup202); + +var msg22819 = msg("20652", dup202); + +var msg22820 = msg("20653", dup197); + +var msg22821 = msg("20654", dup202); + +var msg22822 = msg("20655", dup267); + +var msg22823 = msg("20656", dup202); + +var msg22824 = msg("20657", dup202); + +var msg22825 = msg("20658", dup202); + +var msg22826 = msg("20659", dup267); + +var msg22827 = msg("20660", dup201); + +var msg22828 = msg("20661", dup202); + +var msg22829 = msg("20662", dup197); + +var msg22830 = msg("20663", dup202); + +var msg22831 = msg("20664", dup265); + +var msg22832 = msg("20665", dup265); + +var msg22833 = msg("20666", dup197); + +var msg22834 = msg("20667", dup197); + +var msg22835 = msg("20668", dup269); + +var msg22836 = msg("20669", dup269); + +var msg22837 = msg("20670", dup197); + +var msg22838 = msg("20671", dup267); + +var msg22839 = msg("20672", dup202); + +var msg22840 = msg("20673", dup267); + +var msg22841 = msg("20674", dup267); + +var msg22842 = msg("20675", dup267); + +var msg22843 = msg("20676", dup192); + +var msg22844 = msg("20677", dup192); + +var msg22845 = msg("20678", dup192); + +var msg22846 = msg("20679", dup192); + +var msg22847 = msg("20680", dup202); + +var msg22848 = msg("20681", dup192); + +var msg22849 = msg("20682", dup192); + +var msg22850 = msg("20683", dup202); + +var msg22851 = msg("20684", dup202); + +var msg22852 = msg("20685", dup192); + +var msg22853 = msg("20686", dup192); + +var msg22854 = msg("20687", dup192); + +var msg22855 = msg("20688", dup192); + +var msg22856 = msg("20689", dup192); + +var msg22857 = msg("20690", dup198); + +var msg22858 = msg("20691", dup265); + +var msg22859 = msg("20692", dup265); + +var msg22860 = msg("20693", dup192); + +var msg22861 = msg("20694", dup192); + +var msg22862 = msg("20695", dup192); + +var msg22863 = msg("20696", dup192); + +var msg22864 = msg("20697", dup192); + +var msg22865 = msg("20698", dup199); + +var msg22866 = msg("20699", dup267); + +var msg22867 = msg("20700", dup276); + +var msg22868 = msg("20701", dup276); + +var msg22869 = msg("20702", dup267); + +var msg22870 = msg("20703", dup267); + +var msg22871 = msg("20704", dup267); + +var msg22872 = msg("20705", dup265); + +var msg22873 = msg("20706", dup265); + +var msg22874 = msg("20707", dup265); + +var msg22875 = msg("20708", dup265); + +var msg22876 = msg("20709", dup265); + +var msg22877 = msg("20710", dup265); + +var msg22878 = msg("20711", dup265); + +var msg22879 = msg("20712", dup265); + +var msg22880 = msg("20713", dup265); + +var msg22881 = msg("20714", dup265); + +var msg22882 = msg("20715", dup265); + +var msg22883 = msg("20716", dup265); + +var msg22884 = msg("20717", dup202); + +var msg22885 = msg("20718", dup267); + +var msg22886 = msg("20719", dup267); + +var msg22887 = msg("20720", dup267); + +var msg22888 = msg("20721", dup267); + +var msg22889 = msg("20722", dup201); + +var msg22890 = msg("20723", dup202); + +var msg22891 = msg("20724", dup202); + +var msg22892 = msg("20725", dup198); + +var msg22893 = msg("20726", dup197); + +var msg22894 = msg("20727", dup265); + +var msg22895 = msg("20728", dup202); + +var msg22896 = msg("20729", dup267); + +var msg22897 = msg("20730", dup202); + +var msg22898 = msg("20731", dup202); + +var msg22899 = msg("20732", dup202); + +var msg22900 = msg("20733", dup202); + +var msg22901 = msg("20734", dup197); + +var msg22902 = msg("20735", dup202); + +var msg22903 = msg("20736", dup265); + +var msg22904 = msg("20737", dup285); + +var msg22905 = msg("20738", dup197); + +var msg22906 = msg("20739", dup265); + +var msg22907 = msg("20740", dup197); + +var msg22908 = msg("20741", dup198); + +var msg22909 = msg("20742", dup201); + +var msg22910 = msg("20743", dup201); + +var msg22911 = msg("20744", dup267); + +var msg22912 = msg("20745", dup197); + +var msg22913 = msg("20746", dup197); + +var msg22914 = msg("20747", dup197); + +var msg22915 = msg("20748", dup267); + +var msg22916 = msg("20749", dup197); + +var msg22917 = msg("20750", dup202); + +var msg22918 = msg("20751", dup202); + +var msg22919 = msg("20752", dup303); + +var msg22920 = msg("20753", dup303); + +var msg22921 = msg("20754", dup202); + +var msg22922 = msg("20755", dup202); + +var msg22923 = msg("20756", dup202); + +var msg22924 = msg("20757", dup202); + +var msg22925 = msg("20758", dup287); + +var msg22926 = msg("20759", dup192); + +var msg22927 = msg("20760", dup269); + +var msg22928 = msg("20761", dup197); + +var msg22929 = msg("20762", dup202); + +var msg22930 = msg("20763", dup192); + +var msg22931 = msg("20764", dup197); + +var msg22932 = msg("20765", dup265); + +var msg22933 = msg("20766", dup267); + +var msg22934 = msg("20767", dup267); + +var msg22935 = msg("20768", dup267); + +var msg22936 = msg("20769", dup267); + +var msg22937 = msg("20770", dup267); + +var msg22938 = msg("20771", dup267); + +var msg22939 = msg("20772", dup267); + +var msg22940 = msg("20773", dup267); + +var msg22941 = msg("20774", dup267); + +var msg22942 = msg("20775", dup267); + +var msg22943 = msg("20776", dup267); + +var msg22944 = msg("20777", dup267); + +var msg22945 = msg("20778", dup287); + +var msg22946 = msg("20779", dup287); + +var msg22947 = msg("20780", dup287); + +var msg22948 = msg("20781", dup287); + +var msg22949 = msg("20782", dup287); + +var msg22950 = msg("20783", dup287); + +var msg22951 = msg("20784", dup287); + +var msg22952 = msg("20785", dup287); + +var msg22953 = msg("20786", dup267); + +var msg22954 = msg("20787", dup267); + +var msg22955 = msg("20788", dup267); + +var msg22956 = msg("20789", dup267); + +var msg22957 = msg("20790", dup267); + +var msg22958 = msg("20791", dup202); + +var msg22959 = msg("20792", dup202); + +var msg22960 = msg("20793", dup202); + +var msg22961 = msg("20794", dup202); + +var msg22962 = msg("20795", dup202); + +var msg22963 = msg("20796", dup202); + +var msg22964 = msg("20797", dup202); + +var msg22965 = msg("20798", dup202); + +var msg22966 = msg("20799", dup202); + +var msg22967 = msg("20800", dup202); + +var msg22968 = msg("20801", dup202); + +var msg22969 = msg("20802", dup267); + +var msg22970 = msg("20803", dup287); + +var msg22971 = msg("20804", dup267); + +var msg22972 = msg("20805", dup267); + +var msg22973 = msg("20806", dup267); + +var msg22974 = msg("20807", dup267); + +var msg22975 = msg("20808", dup267); + +var msg22976 = msg("20809", dup267); + +var msg22977 = msg("20810", dup267); + +var msg22978 = msg("20811", dup267); + +var msg22979 = msg("20812", dup197); + +var msg22980 = msg("20813", dup197); + +var msg22981 = msg("20814", dup201); + +var msg22982 = msg("20815", dup202); + +var msg22983 = msg("20816", dup202); + +var msg22984 = msg("20817", dup202); + +var msg22985 = msg("20818", dup202); + +var msg22986 = msg("20819", dup265); + +var msg22987 = msg("20820", dup267); + +var msg22988 = msg("20821", dup267); + +var msg22989 = msg("20822", dup267); + +var msg22990 = msg("20823", dup267); + +var msg22991 = msg("20824", dup267); + +var msg22992 = msg("20825", dup267); + +var msg22993 = msg("20826", dup201); + +var msg22994 = msg("20827", dup267); + +var msg22995 = msg("20828", dup265); + +var msg22996 = msg("20829", dup265); + +var msg22997 = msg("20830", dup192); + +var msg22998 = msg("20831", dup201); + +var msg22999 = msg("20832", dup260); + +var msg23000 = msg("20833", dup263); + +var msg23001 = msg("20834", dup267); + +var msg23002 = msg("20835", dup267); + +var msg23003 = msg("20836", dup202); + +var msg23004 = msg("20837", dup192); + +var msg23005 = msg("20838", dup192); + +var msg23006 = msg("20839", dup202); + +var msg23007 = msg("20840", dup202); + +var msg23008 = msg("20841", dup202); + +var msg23009 = msg("20842", dup197); + +var msg23010 = msg("20843", dup197); + +var msg23011 = msg("20844", dup202); + +var msg23012 = msg("20845", dup267); + +var msg23013 = msg("20846", dup197); + +var msg23014 = msg("20847", dup197); + +var msg23015 = msg("20848", dup202); + +var msg23016 = msg("20849", dup202); + +var msg23017 = msg("20850", dup202); + +var msg23018 = msg("20851", dup202); + +var msg23019 = msg("20852", dup287); + +var msg23020 = msg("20853", dup201); + +var msg23021 = msg("20854", dup202); + +var msg23022 = msg("20855", dup202); + +var msg23023 = msg("20856", dup202); + +var msg23024 = msg("20857", dup202); + +var msg23025 = msg("20858", dup197); + +var msg23026 = msg("20859", dup287); + +var msg23027 = msg("20860", dup202); + +var msg23028 = msg("20861", dup201); + +var msg23029 = msg("20862", dup265); + +var msg23030 = msg("20863", dup265); + +var msg23031 = msg("20864", dup265); + +var msg23032 = msg("20865", dup265); + +var msg23033 = msg("20866", dup265); + +var msg23034 = msg("20867", dup265); + +var msg23035 = msg("20868", dup265); + +var msg23036 = msg("20869", dup287); + +var msg23037 = msg("20870", dup201); + +var msg23038 = msg("20871", dup267); + +var msg23039 = msg("20872", dup267); + +var msg23040 = msg("20873", dup202); + +var msg23041 = msg("20874", dup267); + +var msg23042 = msg("20875", dup265); + +var msg23043 = msg("20876", dup267); + +var msg23044 = msg("20877", dup238); + +var msg23045 = msg("20878", dup276); + +var msg23046 = msg("20879", dup267); + +var msg23047 = msg("20880", dup267); + +var msg23048 = msg("20881", dup202); + +var msg23049 = msg("20882", dup202); + +var msg23050 = msg("20883", dup265); + +var msg23051 = msg("20884", dup267); + +var msg23052 = msg("20885", dup202); + +var msg23053 = msg("20886", dup202); + +var msg23054 = msg("20887", dup202); + +var msg23055 = msg("20888", dup202); + +var msg23056 = msg("20889", dup197); + +var msg23057 = msg("20890", dup202); + +var msg23058 = msg("20891", dup202); + +var msg23059 = msg("20892", dup238); + +var msg23060 = msg("20893", dup202); + +var msg23061 = msg("20894", dup202); + +var msg23062 = msg("20895", dup287); + +var msg23063 = msg("20896", dup287); + +var msg23064 = msg("20897", dup202); + +var msg23065 = msg("20898", dup202); + +var msg23066 = msg("20899", dup202); + +var msg23067 = msg("20900", dup197); + +var msg23068 = msg("20901", dup267); + +var msg23069 = msg("20902", dup197); + +var msg23070 = msg("20903", dup197); + +var msg23071 = msg("20904", dup197); + +var msg23072 = msg("20905", dup202); + +var msg23073 = msg("20906", dup202); + +var msg23074 = msg("20907", dup202); + +var msg23075 = msg("20908", dup202); + +var msg23076 = msg("20909", dup269); + +var msg23077 = msg("20910", dup269); + +var msg23078 = msg("20911", dup202); + +var msg23079 = msg("20912", dup202); + +var msg23080 = msg("20913", dup202); + +var msg23081 = msg("20914", dup202); + +var msg23082 = msg("20915", dup202); + +var msg23083 = msg("20916", dup202); + +var msg23084 = msg("20917", dup202); + +var msg23085 = msg("20918", dup202); + +var msg23086 = msg("20919", dup267); + +var msg23087 = msg("20920", dup267); + +var msg23088 = msg("20921", dup197); + +var msg23089 = msg("20922", dup197); + +var msg23090 = msg("20923", dup197); + +var msg23091 = msg("20924", dup202); + +var msg23092 = msg("20925", dup202); + +var msg23093 = msg("20926", dup202); + +var msg23094 = msg("20927", dup192); + +var msg23095 = msg("20928", dup202); + +var msg23096 = msg("20929", dup202); + +var msg23097 = msg("20930", dup202); + +var msg23098 = msg("20931", dup202); + +var msg23099 = msg("20932", dup202); + +var msg23100 = msg("20933", dup202); + +var msg23101 = msg("20934", dup202); + +var msg23102 = msg("20935", dup202); + +var msg23103 = msg("20936", dup202); + +var msg23104 = msg("20937", dup202); + +var msg23105 = msg("20938", dup202); + +var msg23106 = msg("20939", dup202); + +var msg23107 = msg("20940", dup202); + +var msg23108 = msg("20941", dup202); + +var msg23109 = msg("20942", dup202); + +var msg23110 = msg("20943", dup202); + +var msg23111 = msg("20944", dup202); + +var msg23112 = msg("20945", dup202); + +var msg23113 = msg("20946", dup202); + +var msg23114 = msg("20947", dup202); + +var msg23115 = msg("20948", dup202); + +var msg23116 = msg("20949", dup265); + +var msg23117 = msg("20950", dup202); + +var msg23118 = msg("20951", dup202); + +var msg23119 = msg("20952", dup202); + +var msg23120 = msg("20953", dup202); + +var msg23121 = msg("20954", dup202); + +var msg23122 = msg("20955", dup202); + +var msg23123 = msg("20956", dup202); + +var msg23124 = msg("20957", dup202); + +var msg23125 = msg("20958", dup202); + +var msg23126 = msg("20959", dup202); + +var msg23127 = msg("20960", dup202); + +var msg23128 = msg("20961", dup202); + +var msg23129 = msg("20962", dup202); + +var msg23130 = msg("20963", dup202); + +var msg23131 = msg("20964", dup202); + +var msg23132 = msg("20965", dup202); + +var msg23133 = msg("20966", dup202); + +var msg23134 = msg("20967", dup202); + +var msg23135 = msg("20968", dup202); + +var msg23136 = msg("20969", dup202); + +var msg23137 = msg("20970", dup202); + +var msg23138 = msg("20971", dup202); + +var msg23139 = msg("20972", dup202); + +var msg23140 = msg("20973", dup202); + +var msg23141 = msg("20974", dup202); + +var msg23142 = msg("20975", dup202); + +var msg23143 = msg("20976", dup202); + +var msg23144 = msg("20977", dup202); + +var msg23145 = msg("20978", dup202); + +var msg23146 = msg("20979", dup202); + +var msg23147 = msg("20980", dup202); + +var msg23148 = msg("20981", dup202); + +var msg23149 = msg("20982", dup202); + +var msg23150 = msg("20983", dup202); + +var msg23151 = msg("20984", dup202); + +var msg23152 = msg("20985", dup202); + +var msg23153 = msg("20986", dup202); + +var msg23154 = msg("20987", dup202); + +var msg23155 = msg("20988", dup267); + +var msg23156 = msg("20989", dup199); + +var msg23157 = msg("20990", dup199); + +var msg23158 = msg("20991", dup202); + +var msg23159 = msg("20992", dup202); + +var msg23160 = msg("20993", dup197); + +var msg23161 = msg("20994", dup197); + +var msg23162 = msg("20995", dup202); + +var msg23163 = msg("20996", dup202); + +var msg23164 = msg("20997", dup267); + +var msg23165 = msg("20998", dup267); + +var msg23166 = msg("20999", dup202); + +var msg23167 = msg("21000", dup202); + +var msg23168 = msg("21001", dup202); + +var msg23169 = msg("21002", dup202); + +var msg23170 = msg("21003", dup202); + +var msg23171 = msg("21004", dup202); + +var msg23172 = msg("21005", dup202); + +var msg23173 = msg("21006", dup202); + +var msg23174 = msg("21007", dup202); + +var msg23175 = msg("21008", dup202); + +var msg23176 = msg("21009", dup202); + +var msg23177 = msg("21010", dup202); + +var msg23178 = msg("21011", dup202); + +var msg23179 = msg("21012", dup202); + +var msg23180 = msg("21013", dup202); + +var msg23181 = msg("21014", dup202); + +var msg23182 = msg("21015", dup202); + +var msg23183 = msg("21016", dup202); + +var msg23184 = msg("21017", dup202); + +var msg23185 = msg("21018", dup202); + +var msg23186 = msg("21019", dup197); + +var msg23187 = msg("21020", dup197); + +var msg23188 = msg("21021", dup197); + +var msg23189 = msg("21022", dup265); + +var msg23190 = msg("21023", dup265); + +var msg23191 = msg("21024", dup265); + +var msg23192 = msg("21025", dup202); + +var msg23193 = msg("21026", dup265); + +var msg23194 = msg("21027", dup202); + +var msg23195 = msg("21028", dup192); + +var msg23196 = msg("21029", dup265); + +var msg23197 = msg("21030", dup265); + +var msg23198 = msg("21031", dup265); + +var msg23199 = msg("21032", dup265); + +var msg23200 = msg("21033", dup265); + +var msg23201 = msg("21034", dup265); + +var msg23202 = msg("21035", dup202); + +var msg23203 = msg("21036", dup202); + +var msg23204 = msg("21037", dup287); + +var msg23205 = msg("21038", dup287); + +var msg23206 = msg("21039", dup287); + +var msg23207 = msg("21040", dup287); + +var msg23208 = msg("21041", dup202); + +var msg23209 = msg("21042", dup202); + +var msg23210 = msg("21043", dup202); + +var msg23211 = msg("21044", dup202); + +var msg23212 = msg("21045", dup202); + +var msg23213 = msg("21046", dup269); + +var msg23214 = msg("21047", dup269); + +var msg23215 = msg("21048", dup263); + +var msg23216 = msg("21049", dup263); + +var msg23217 = msg("21050", dup197); + +var msg23218 = msg("21051", dup267); + +var msg23219 = msg("21052", dup202); + +var msg23220 = msg("21053", dup202); + +var msg23221 = msg("21054", dup202); + +var msg23222 = msg("21055", dup192); + +var msg23223 = msg("21056", dup202); + +var msg23224 = msg("21057", dup201); + +var msg23225 = msg("21058", dup202); + +var msg23226 = msg("21059", dup202); + +var msg23227 = msg("21060", dup267); + +var msg23228 = msg("21061", dup202); + +var msg23229 = msg("21062", dup202); + +var msg23230 = msg("21063", dup265); + +var msg23231 = msg("21064", dup265); + +var msg23232 = msg("21065", dup201); + +var msg23233 = msg("21066", dup201); + +var msg23234 = msg("21067", dup201); + +var msg23235 = msg("21068", dup267); + +var msg23236 = msg("21069", dup267); + +var msg23237 = msg("21070", dup267); + +var msg23238 = msg("21071", dup267); + +var msg23239 = msg("21072", dup267); + +var msg23240 = msg("21073", dup267); + +var msg23241 = msg("21074", dup267); + +var msg23242 = msg("21075", dup267); + +var msg23243 = msg("21076", dup265); + +var msg23244 = msg("21077", dup202); + +var msg23245 = msg("21078", dup267); + +var msg23246 = msg("21079", dup202); + +var msg23247 = msg("21080", dup267); + +var msg23248 = msg("21081", dup267); + +var msg23249 = msg("21082", dup202); + +var msg23250 = msg("21083", dup202); + +var msg23251 = msg("21084", dup260); + +var msg23252 = msg("21085", dup260); + +var msg23253 = msg("21086", dup267); + +var msg23254 = msg("21087", dup238); + +var msg23255 = msg("21088", dup267); + +var msg23256 = msg("21089", dup267); + +var msg23257 = msg("21090", dup267); + +var msg23258 = msg("21091", dup267); + +var msg23259 = msg("21092", dup267); + +var msg23260 = msg("21093", dup267); + +var msg23261 = msg("21094", dup265); + +var msg23262 = msg("21095", dup265); + +var msg23263 = msg("21096", dup267); + +var msg23264 = msg("21097", dup267); + +var msg23265 = msg("21098", dup267); + +var msg23266 = msg("21099", dup267); + +var msg23267 = msg("21100", dup197); + +var msg23268 = msg("21101", dup287); + +var msg23269 = msg("21102", dup287); + +var msg23270 = msg("21103", dup287); + +var msg23271 = msg("21104", dup198); + +var msg23272 = msg("21105", dup197); + +var msg23273 = msg("21106", dup202); + +var msg23274 = msg("21107", dup197); + +var msg23275 = msg("21108", dup267); + +var msg23276 = msg("21109", dup202); + +var msg23277 = msg("21110", dup202); + +var msg23278 = msg("21111", dup202); + +var msg23279 = msg("21112", dup267); + +var msg23280 = msg("21113", dup202); + +var msg23281 = msg("21114", dup202); + +var msg23282 = msg("21115", dup202); + +var msg23283 = msg("21116", dup267); + +var msg23284 = msg("21117", dup192); + +var msg23285 = msg("21118", dup192); + +var msg23286 = msg("21119", dup192); + +var msg23287 = msg("21120", dup192); + +var msg23288 = msg("21121", dup192); + +var msg23289 = msg("21122", dup202); + +var msg23290 = msg("21123", dup202); + +var msg23291 = msg("21124", dup202); + +var msg23292 = msg("21125", dup202); + +var msg23293 = msg("21126", dup202); + +var msg23294 = msg("21127", dup202); + +var msg23295 = msg("21128", dup202); + +var msg23296 = msg("21129", dup192); + +var msg23297 = msg("21130", dup192); + +var msg23298 = msg("21131", dup192); + +var msg23299 = msg("21132", dup192); + +var msg23300 = msg("21133", dup192); + +var msg23301 = msg("21134", dup192); + +var msg23302 = msg("21135", dup192); + +var msg23303 = msg("21136", dup192); + +var msg23304 = msg("21137", dup192); + +var msg23305 = msg("21138", dup192); + +var msg23306 = msg("21139", dup192); + +var msg23307 = msg("21140", dup192); + +var msg23308 = msg("21141", dup267); + +var msg23309 = msg("21142", dup202); + +var msg23310 = msg("21143", dup202); + +var msg23311 = msg("21144", dup202); + +var msg23312 = msg("21145", dup202); + +var msg23313 = msg("21146", dup197); + +var msg23314 = msg("21147", dup197); + +var msg23315 = msg("21148", dup197); + +var msg23316 = msg("21149", dup197); + +var msg23317 = msg("21150", dup198); + +var msg23318 = msg("21151", dup202); + +var msg23319 = msg("21152", dup202); + +var msg23320 = msg("21153", dup202); + +var msg23321 = msg("21154", dup197); + +var msg23322 = msg("21155", dup197); + +var msg23323 = msg("21156", dup267); + +var msg23324 = msg("21157", dup267); + +var msg23325 = msg("21158", dup267); + +var msg23326 = msg("21159", dup267); + +var msg23327 = msg("21160", dup197); + +var msg23328 = msg("21161", dup265); + +var msg23329 = msg("21162", dup197); + +var msg23330 = msg("21163", dup197); + +var msg23331 = msg("21164", dup201); + +var msg23332 = msg("21165", dup265); + +var msg23333 = msg("21166", dup267); + +var msg23334 = msg("21167", dup267); + +var msg23335 = msg("21168", dup197); + +var msg23336 = msg("21169", dup303); + +var msg23337 = msg("21170", dup267); + +var msg23338 = msg("21171", dup320); + +var msg23339 = msg("21172", dup320); + +var msg23340 = msg("21173", dup320); + +var msg23341 = msg("21174", dup202); + +var msg23342 = msg("21175", dup269); + +var msg23343 = msg("21176", dup303); + +var msg23344 = msg("21177", dup192); + +var msg23345 = msg("21178", dup192); + +var msg23346 = msg("21179", dup192); + +var msg23347 = msg("21180", dup238); + +var msg23348 = msg("21181", dup192); + +var msg23349 = msg("21182", dup192); + +var msg23350 = msg("21183", dup192); + +var msg23351 = msg("21184", dup303); + +var msg23352 = msg("21185", dup238); + +var msg23353 = msg("21186", dup267); + +var msg23354 = msg("21187", dup192); + +var msg23355 = msg("21188", dup269); + +var msg23356 = msg("21189", dup267); + +var msg23357 = msg("21190", dup287); + +var msg23358 = msg("21191", dup276); + +var msg23359 = msg("21192", dup192); + +var msg23360 = msg("21193", dup192); + +var msg23361 = msg("21194", dup192); + +var msg23362 = msg("21195", dup192); + +var msg23363 = msg("21196", dup192); + +var msg23364 = msg("21197", dup192); + +var msg23365 = msg("21198", dup192); + +var msg23366 = msg("21199", dup192); + +var msg23367 = msg("21200", dup192); + +var msg23368 = msg("21201", dup192); + +var msg23369 = msg("21202", dup192); + +var msg23370 = msg("21203", dup263); + +var msg23371 = msg("21204", dup263); + +var msg23372 = msg("21205", dup263); + +var msg23373 = msg("21206", dup269); + +var msg23374 = msg("21207", dup192); + +var msg23375 = msg("21208", dup192); + +var msg23376 = msg("21209", dup192); + +var msg23377 = msg("21210", dup192); + +var msg23378 = msg("21211", dup192); + +var msg23379 = msg("21212", dup192); + +var msg23380 = msg("21213", dup238); + +var msg23381 = msg("21214", dup265); + +var msg23382 = msg("21215", dup192); + +var msg23383 = msg("21216", dup192); + +var msg23384 = msg("21217", dup192); + +var msg23385 = msg("21218", dup192); + +var msg23386 = msg("21219", dup192); + +var msg23387 = msg("21220", dup192); + +var msg23388 = msg("21221", dup192); + +var msg23389 = msg("21222", dup202); + +var msg23390 = msg("21223", dup192); + +var msg23391 = msg("21224", dup192); + +var msg23392 = msg("21225", dup269); + +var msg23393 = msg("21226", dup202); + +var msg23394 = msg("21227", dup192); + +var msg23395 = msg("21228", dup202); + +var msg23396 = msg("21229", dup198); + +var msg23397 = msg("21230", dup192); + +var msg23398 = msg("21231", dup202); + +var msg23399 = msg("21232", dup202); + +var msg23400 = msg("21233", dup265); + +var msg23401 = msg("21234", dup309); + +var msg23402 = msg("21235", dup197); + +var msg23403 = msg("21236", dup197); + +var msg23404 = msg("21237", dup197); + +var msg23405 = msg("21238", dup197); + +var msg23406 = msg("21239", dup202); + +var msg23407 = msg("21240", dup192); + +var msg23408 = msg("21241", dup192); + +var msg23409 = msg("21242", dup192); + +var msg23410 = msg("21243", dup267); + +var msg23411 = msg("21244", dup267); + +var msg23412 = msg("21245", dup263); + +var msg23413 = msg("21246", dup269); + +var msg23414 = msg("21247", dup197); + +var msg23415 = msg("21248", dup197); + +var msg23416 = msg("21249", dup192); + +var msg23417 = msg("21250", dup192); + +var msg23418 = msg("21251", dup192); + +var msg23419 = msg("21252", dup192); + +var msg23420 = msg("21253", dup267); + +var msg23421 = msg("21254", dup265); + +var msg23422 = msg("21255", dup227); + +var msg23423 = msg("21256", dup227); + +var msg23424 = msg("21257", dup194); + +var msg23425 = msg("21258", dup199); + +var msg23426 = msg("21259", dup267); + +var msg23427 = msg("21260", dup198); + +var msg23428 = msg("21261", dup197); + +var msg23429 = msg("21262", dup255); + +var msg23430 = msg("21263", dup197); + +var msg23431 = msg("21264", dup202); + +var msg23432 = msg("21265", dup199); + +var msg23433 = msg("21266", dup269); + +var msg23434 = msg("21267", dup287); + +var msg23435 = msg("21268", dup267); + +var msg23436 = msg("21269", dup202); + +var msg23437 = msg("21270", dup201); + +var msg23438 = msg("21271", dup260); + +var msg23439 = msg("21272", dup267); + +var msg23440 = msg("21273", dup202); + +var msg23441 = msg("21274", dup202); + +var msg23442 = msg("21275", dup192); + +var msg23443 = msg("21276", dup192); + +var msg23444 = msg("21277", dup192); + +var msg23445 = msg("21278", dup269); + +var msg23446 = msg("21279", dup192); + +var msg23447 = msg("21280", dup192); + +var msg23448 = msg("21281", dup267); + +var msg23449 = msg("21282", dup202); + +var msg23450 = msg("21283", dup202); + +var msg23451 = msg("21284", dup202); + +var msg23452 = msg("21285", dup202); + +var msg23453 = msg("21286", dup202); + +var msg23454 = msg("21287", dup202); + +var msg23455 = msg("21288", dup202); + +var msg23456 = msg("21289", dup276); + +var msg23457 = msg("21290", dup267); + +var msg23458 = msg("21291", dup202); + +var msg23459 = msg("21292", dup267); + +var msg23460 = msg("21293", dup267); + +var msg23461 = msg("21294", dup192); + +var msg23462 = msg("21295", dup202); + +var msg23463 = msg("21296", dup202); + +var msg23464 = msg("21297", dup265); + +var msg23465 = msg("21298", dup265); + +var msg23466 = msg("21299", dup267); + +var msg23467 = msg("21300", dup265); + +var msg23468 = msg("21301", dup267); + +var msg23469 = msg("21302", dup267); + +var msg23470 = msg("21303", dup192); + +var msg23471 = msg("21304", dup192); + +var msg23472 = msg("21305", dup197); + +var msg23473 = msg("21306", dup202); + +var msg23474 = msg("21307", dup267); + +var msg23475 = msg("21308", dup267); + +var msg23476 = msg("21309", dup276); + +var msg23477 = msg("21310", dup267); + +var msg23478 = msg("21311", dup202); + +var msg23479 = msg("21312", dup202); + +var msg23480 = msg("21313", dup202); + +var msg23481 = msg("21314", dup265); + +var msg23482 = msg("21315", dup198); + +var msg23483 = msg("21316", dup267); + +var msg23484 = msg("21317", dup197); + +var msg23485 = msg("21318", dup202); + +var msg23486 = msg("21319", dup276); + +var msg23487 = msg("21320", dup276); + +var msg23488 = msg("21321", dup276); + +var msg23489 = msg("21322", dup267); + +var msg23490 = msg("21323", dup267); + +var msg23491 = msg("21324", dup267); + +var msg23492 = msg("21325", dup202); + +var msg23493 = msg("21326", dup267); + +var msg23494 = msg("21327", dup194); + +var msg23495 = msg("21328", dup201); + +var msg23496 = msg("21329", dup201); + +var msg23497 = msg("21330", dup201); + +var msg23498 = msg("21331", dup201); + +var msg23499 = msg("21332", dup202); + +var msg23500 = msg("21333", dup265); + +var msg23501 = msg("21334", dup265); + +var msg23502 = msg("21335", dup287); + +var msg23503 = msg("21336", dup202); + +var msg23504 = msg("21337", dup265); + +var msg23505 = msg("21338", dup202); + +var msg23506 = msg("21339", dup267); + +var msg23507 = msg("21340", dup267); + +var msg23508 = msg("21341", dup267); + +var msg23509 = msg("21342", dup267); + +var msg23510 = msg("21343", dup267); + +var msg23511 = msg("21344", dup267); + +var msg23512 = msg("21345", dup267); + +var msg23513 = msg("21346", dup267); + +var msg23514 = msg("21347", dup202); + +var msg23515 = msg("21348", dup202); + +var msg23516 = msg("21349", dup197); + +var msg23517 = msg("21350", dup197); + +var msg23518 = msg("21351", dup267); + +var msg23519 = msg("21352", dup267); + +var msg23520 = msg("21353", dup269); + +var msg23521 = msg("21354", dup313); + +var msg23522 = msg("21355", dup313); + +var msg23523 = msg("21356", dup265); + +var msg23524 = msg("21357", dup267); + +var msg23525 = msg("21358", dup201); + +var msg23526 = msg("21359", dup192); + +var msg23527 = msg("21360", dup192); + +var msg23528 = msg("21361", dup238); + +var msg23529 = msg("21362", dup192); + +var msg23530 = msg("21363", dup202); + +var msg23531 = msg("21364", dup192); + +var msg23532 = msg("21365", dup192); + +var msg23533 = msg("21366", dup192); + +var msg23534 = msg("21367", dup192); + +var msg23535 = msg("21368", dup202); + +var msg23536 = msg("21369", dup202); + +var msg23537 = msg("21370", dup197); + +var msg23538 = msg("21371", dup197); + +var msg23539 = msg("21372", dup263); + +var msg23540 = msg("21373", dup263); + +var msg23541 = msg("21374", dup192); + +var msg23542 = msg("21375", dup267); + +var msg23543 = msg("21376", dup192); + +var msg23544 = msg("21377", dup260); + +var msg23545 = msg("21378", dup201); + +var msg23546 = msg("21379", dup202); + +var msg23547 = msg("21380", dup202); + +var msg23548 = msg("21381", dup202); + +var msg23549 = msg("21382", dup202); + +var msg23550 = msg("21383", dup202); + +var msg23551 = msg("21384", dup202); + +var msg23552 = msg("21385", dup265); + +var msg23553 = msg("21386", dup202); + +var msg23554 = msg("21387", dup267); + +var msg23555 = msg("21388", dup265); + +var msg23556 = msg("21389", dup265); + +var msg23557 = msg("21390", dup202); + +var msg23558 = msg("21391", dup202); + +var msg23559 = msg("21392", dup267); + +var msg23560 = msg("21393", dup197); + +var msg23561 = msg("21394", dup267); + +var msg23562 = msg("21395", dup260); + +var msg23563 = msg("21396", dup260); + +var msg23564 = msg("21397", dup197); + +var msg23565 = msg("21398", dup202); + +var msg23566 = msg("21399", dup267); + +var msg23567 = msg("21400", dup192); + +var msg23568 = msg("21401", dup192); + +var msg23569 = msg("21402", dup192); + +var msg23570 = msg("21403", dup238); + +var msg23571 = msg("21404", dup238); + +var msg23572 = msg("21405", dup267); + +var msg23573 = msg("21406", dup265); + +var msg23574 = msg("21407", dup201); + +var msg23575 = msg("21408", dup265); + +var msg23576 = msg("21409", dup201); + +var msg23577 = msg("21410", dup202); + +var msg23578 = msg("21411", dup202); + +var msg23579 = msg("21412", dup202); + +var msg23580 = msg("21413", dup201); + +var msg23581 = msg("21414", dup267); + +var msg23582 = msg("21415", dup267); + +var msg23583 = msg("21416", dup192); + +var msg23584 = msg("21417", dup267); + +var msg23585 = msg("21418", dup192); + +var msg23586 = msg("21419", dup197); + +var msg23587 = msg("21420", dup197); + +var msg23588 = msg("21421", dup197); + +var msg23589 = msg("21422", dup267); + +var msg23590 = msg("21423", dup267); + +var msg23591 = msg("21424", dup192); + +var msg23592 = msg("21425", dup192); + +var msg23593 = msg("21426", dup192); + +var msg23594 = msg("21427", dup192); + +var msg23595 = msg("21428", dup192); + +var msg23596 = msg("21429", dup269); + +var msg23597 = msg("21430", dup192); + +var msg23598 = msg("21431", dup267); + +var msg23599 = msg("21432", dup202); + +var msg23600 = msg("21433", dup202); + +var msg23601 = msg("21434", dup192); + +var msg23602 = msg("21435", dup192); + +var msg23603 = msg("21436", dup192); + +var msg23604 = msg("21437", dup197); + +var msg23605 = msg("21438", dup267); + +var msg23606 = msg("21439", dup267); + +var msg23607 = msg("21440", dup192); + +var msg23608 = msg("21441", dup202); + +var msg23609 = msg("21442", dup269); + +var msg23610 = msg("21443", dup202); + +var msg23611 = msg("21444", dup202); + +var msg23612 = msg("21445", dup227); + +var msg23613 = msg("21446", dup202); + +var msg23614 = msg("21447", dup202); + +var msg23615 = msg("21448", dup192); + +var msg23616 = msg("21449", dup192); + +var msg23617 = msg("21450", dup192); + +var msg23618 = msg("21451", dup269); + +var msg23619 = msg("21452", dup192); + +var msg23620 = msg("21453", dup269); + +var msg23621 = msg("21454", dup192); + +var msg23622 = msg("21455", dup269); + +var msg23623 = msg("21456", dup202); + +var msg23624 = msg("21457", dup267); + +var msg23625 = msg("21458", dup267); + +var msg23626 = msg("21459", dup260); + +var msg23627 = msg("21460", dup202); + +var msg23628 = msg("21461", dup202); + +var msg23629 = msg("21462", dup202); + +var msg23630 = msg("21463", dup202); + +var msg23631 = msg("21464", dup202); + +var msg23632 = msg("21465", dup265); + +var msg23633 = msg("21466", dup202); + +var msg23634 = msg("21467", dup202); + +var msg23635 = msg("21468", dup192); + +var msg23636 = msg("21469", dup269); + +var msg23637 = msg("21470", dup192); + +var msg23638 = msg("21471", dup202); + +var msg23639 = msg("21472", dup192); + +var msg23640 = msg("21473", dup192); + +var msg23641 = msg("21474", dup192); + +var msg23642 = msg("21475", dup269); + +var msg23643 = msg("21476", dup269); + +var msg23644 = msg("21477", dup192); + +var msg23645 = msg("21478", dup202); + +var msg23646 = msg("21479", dup202); + +var msg23647 = msg("21480", dup202); + +var msg23648 = msg("21481", dup267); + +var msg23649 = msg("21482", dup199); + +var msg23650 = msg("21483", dup197); + +var msg23651 = msg("21484", dup201); + +var msg23652 = msg("21485", dup198); + +var msg23653 = msg("21486", dup192); + +var msg23654 = msg("21487", dup192); + +var msg23655 = msg("21488", dup269); + +var msg23656 = msg("21489", dup267); + +var msg23657 = msg("21490", dup202); + +var msg23658 = msg("21491", dup197); + +var msg23659 = msg("21492", dup202); + +var msg23660 = msg("21493", dup265); + +var msg23661 = msg("21494", dup192); + +var msg23662 = msg("21495", dup192); + +var msg23663 = msg("21496", dup192); + +var msg23664 = msg("21497", dup192); + +var msg23665 = msg("21498", dup202); + +var msg23666 = msg("21499", dup202); + +var msg23667 = msg("21500", dup202); + +var msg23668 = msg("21501", dup265); + +var msg23669 = msg("21502", dup192); + +var msg23670 = msg("21503", dup267); + +var msg23671 = msg("21504", dup267); + +var msg23672 = msg("21505", dup267); + +var msg23673 = msg("21506", dup267); + +var msg23674 = msg("21507", dup267); + +var msg23675 = msg("21508", dup267); + +var msg23676 = msg("21509", dup267); + +var msg23677 = msg("21510", dup267); + +var msg23678 = msg("21511", dup192); + +var msg23679 = msg("21512", dup192); + +var msg23680 = msg("21513", dup198); + +var msg23681 = msg("21514", dup192); + +var msg23682 = msg("21515", dup265); + +var msg23683 = msg("21516", dup265); + +var msg23684 = msg("21517", dup265); + +var msg23685 = msg("21518", dup192); + +var msg23686 = msg("21519", dup202); + +var msg23687 = msg("21520", dup192); + +var msg23688 = msg("21521", dup192); + +var msg23689 = msg("21522", dup267); + +var msg23690 = msg("21523", dup192); + +var msg23691 = msg("21524", dup267); + +var msg23692 = msg("21525", dup192); + +var msg23693 = msg("21526", dup269); + +var msg23694 = msg("21527", dup192); + +var msg23695 = msg("21528", dup192); + +var msg23696 = msg("21529", dup197); + +var msg23697 = msg("21530", dup287); + +var msg23698 = msg("21531", dup265); + +var msg23699 = msg("21532", dup265); + +var msg23700 = msg("21533", dup287); + +var msg23701 = msg("21534", dup201); + +var msg23702 = msg("21535", dup201); + +var msg23703 = msg("21536", dup265); + +var msg23704 = msg("21537", dup269); + +var msg23705 = msg("21538", dup202); + +var msg23706 = msg("21539", dup202); + +var msg23707 = msg("21540", dup192); + +var msg23708 = msg("21541", dup192); + +var msg23709 = msg("21542", dup192); + +var msg23710 = msg("21543", dup192); + +var msg23711 = msg("21544", dup313); + +var msg23712 = msg("21545", dup313); + +var all52 = all_match({ + processors: [ + dup66, + dup178, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup120, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg23713 = msg("21546", all52); + +var msg23714 = msg("21547", dup192); + +var msg23715 = msg("21548", dup202); + +var msg23716 = msg("21549", dup202); + +var msg23717 = msg("21550", dup192); + +var msg23718 = msg("21551", dup192); + +var msg23719 = msg("21552", dup192); + +var msg23720 = msg("21553", dup192); + +var msg23721 = msg("21554", dup192); + +var msg23722 = msg("21555", dup205); + +var msg23723 = msg("21556", dup202); + +var msg23724 = msg("21557", dup201); + +var msg23725 = msg("21558", dup265); + +var msg23726 = msg("21559", dup265); + +var msg23727 = msg("21560", dup265); + +var msg23728 = msg("21561", dup265); + +var msg23729 = msg("21562", dup192); + +var msg23730 = msg("21563", dup192); + +var msg23731 = msg("21564", dup192); + +var msg23732 = msg("21565", dup192); + +var msg23733 = msg("21566", dup276); + +var msg23734 = msg("21567", dup267); + +var msg23735 = msg("21568", dup198); + +var msg23736 = msg("21569", dup265); + +var msg23737 = msg("21570", dup197); + +var msg23738 = msg("21571", dup267); + +var msg23739 = msg("21572", dup267); + +var msg23740 = msg("21573", dup202); + +var msg23741 = msg("21574", dup202); + +var msg23742 = msg("21575", dup202); + +var msg23743 = msg("21576", dup202); + +var msg23744 = msg("21577", dup202); + +var msg23745 = msg("21578", dup202); + +var msg23746 = msg("21579", dup202); + +var msg23747 = msg("21580", dup202); + +var msg23748 = msg("21581", dup202); + +var msg23749 = msg("21582", dup202); + +var msg23750 = msg("21583", dup269); + +var msg23751 = msg("21584", dup202); + +var msg23752 = msg("21585", dup202); + +var msg23753 = msg("21586", dup202); + +var msg23754 = msg("21587", dup267); + +var msg23755 = msg("21588", dup263); + +var msg23756 = msg("21589", dup265); + +var msg23757 = msg("21590", dup265); + +var msg23758 = msg("21591", dup263); + +var msg23759 = msg("21592", dup267); + +var msg23760 = msg("21593", dup192); + +var msg23761 = msg("21594", dup267); + +var msg23762 = msg("21595", dup202); + +var msg23763 = msg("21596", dup202); + +var msg23764 = msg("21597", dup202); + +var msg23765 = msg("21598", dup202); + +var msg23766 = msg("21599", dup201); + +var msg23767 = msg("21600", dup201); + +var msg23768 = msg("21601", dup201); + +var msg23769 = msg("21602", dup201); + +var msg23770 = msg("21603", dup201); + +var msg23771 = msg("21604", dup201); + +var msg23772 = msg("21605", dup201); + +var msg23773 = msg("21606", dup201); + +var msg23774 = msg("21607", dup267); + +var msg23775 = msg("21608", dup198); + +var msg23776 = msg("21609", dup267); + +var msg23777 = msg("21610", dup192); + +var msg23778 = msg("21611", dup202); + +var msg23779 = msg("21612", dup202); + +var msg23780 = msg("21613", dup202); + +var msg23781 = msg("21614", dup202); + +var msg23782 = msg("21615", dup202); + +var msg23783 = msg("21616", dup202); + +var msg23784 = msg("21617", dup202); + +var msg23785 = msg("21618", dup202); + +var msg23786 = msg("21619", dup267); + +var msg23787 = msg("21620", dup202); + +var msg23788 = msg("21621", dup202); + +var msg23789 = msg("21622", dup192); + +var msg23790 = msg("21623", dup202); + +var msg23791 = msg("21624", dup202); + +var msg23792 = msg("21625", dup202); + +var msg23793 = msg("21626", dup202); + +var msg23794 = msg("21627", dup202); + +var msg23795 = msg("21628", dup202); + +var msg23796 = msg("21629", dup265); + +var msg23797 = msg("21630", dup265); + +var msg23798 = msg("21631", dup192); + +var msg23799 = msg("21632", dup192); + +var msg23800 = msg("21633", dup276); + +var msg23801 = msg("21634", dup267); + +var msg23802 = msg("21635", dup192); + +var msg23803 = msg("21636", dup263); + +var msg23804 = msg("21637", dup312); + +var msg23805 = msg("21638", dup192); + +var msg23806 = msg("21639", dup263); + +var msg23807 = msg("21640", dup267); + +var msg23808 = msg("21641", dup192); + +var msg23809 = msg("21642", dup269); + +var msg23810 = msg("21643", dup192); + +var msg23811 = msg("21644", dup263); + +var msg23812 = msg("21645", dup263); + +var msg23813 = msg("21646", dup202); + +var msg23814 = msg("21647", dup202); + +var msg23815 = msg("21648", dup202); + +var msg23816 = msg("21649", dup202); + +var msg23817 = msg("21650", dup202); + +var msg23818 = msg("21651", dup202); + +var msg23819 = msg("21652", dup202); + +var msg23820 = msg("21653", dup265); + +var msg23821 = msg("21654", dup202); + +var msg23822 = msg("21655", dup267); + +var msg23823 = msg("21656", dup267); + +var msg23824 = msg("21657", dup202); + +var msg23825 = msg("21658", dup202); + +var msg23826 = msg("21659", dup202); + +var msg23827 = msg("21660", dup202); + +var msg23828 = msg("21661", dup202); + +var msg23829 = msg("21662", dup248); + +var msg23830 = msg("21663", dup260); + +var msg23831 = msg("21664", dup202); + +var msg23832 = msg("21665", dup202); + +var msg23833 = msg("21666", dup202); + +var msg23834 = msg("21667", dup265); + +var msg23835 = msg("21668", dup267); + +var msg23836 = msg("21669", dup287); + +var msg23837 = msg("21670", dup267); + +var msg23838 = msg("21671", dup201); + +var msg23839 = msg("21672", dup201); + +var msg23840 = msg("21673", dup287); + +var msg23841 = msg("21674", dup197); + +var msg23842 = msg("21675", dup197); + +var msg23843 = msg("21676", dup197); + +var msg23844 = msg("21677", dup197); + +var msg23845 = msg("21678", dup267); + +var msg23846 = msg("21679", dup267); + +var msg23847 = msg("21680", dup267); + +var msg23848 = msg("21681", dup267); + +var msg23849 = msg("21682", dup267); + +var msg23850 = msg("21683", dup267); + +var msg23851 = msg("21684", dup267); + +var msg23852 = msg("21685", dup267); + +var msg23853 = msg("21686", dup267); + +var msg23854 = msg("21687", dup202); + +var msg23855 = msg("21688", dup202); + +var msg23856 = msg("21689", dup202); + +var msg23857 = msg("21690", dup202); + +var msg23858 = msg("21691", dup202); + +var msg23859 = msg("21692", dup202); + +var msg23860 = msg("21693", dup202); + +var msg23861 = msg("21694", dup202); + +var msg23862 = msg("21695", dup202); + +var msg23863 = msg("21696", dup202); + +var msg23864 = msg("21697", dup202); + +var msg23865 = msg("21698", dup202); + +var msg23866 = msg("21699", dup202); + +var msg23867 = msg("21700", dup202); + +var msg23868 = msg("21701", dup202); + +var msg23869 = msg("21702", dup202); + +var msg23870 = msg("21703", dup202); + +var msg23871 = msg("21704", dup202); + +var msg23872 = msg("21705", dup202); + +var msg23873 = msg("21706", dup202); + +var msg23874 = msg("21707", dup202); + +var msg23875 = msg("21708", dup202); + +var msg23876 = msg("21709", dup202); + +var msg23877 = msg("21710", dup202); + +var msg23878 = msg("21711", dup202); + +var msg23879 = msg("21712", dup202); + +var msg23880 = msg("21713", dup202); + +var msg23881 = msg("21714", dup202); + +var msg23882 = msg("21715", dup202); + +var msg23883 = msg("21716", dup202); + +var msg23884 = msg("21717", dup202); + +var msg23885 = msg("21718", dup202); + +var msg23886 = msg("21719", dup202); + +var msg23887 = msg("21720", dup202); + +var msg23888 = msg("21721", dup202); + +var msg23889 = msg("21722", dup202); + +var msg23890 = msg("21723", dup202); + +var msg23891 = msg("21724", dup202); + +var msg23892 = msg("21725", dup202); + +var msg23893 = msg("21726", dup202); + +var msg23894 = msg("21727", dup202); + +var msg23895 = msg("21728", dup202); + +var msg23896 = msg("21729", dup202); + +var msg23897 = msg("21730", dup202); + +var msg23898 = msg("21731", dup202); + +var msg23899 = msg("21732", dup202); + +var msg23900 = msg("21733", dup202); + +var msg23901 = msg("21734", dup202); + +var msg23902 = msg("21735", dup202); + +var msg23903 = msg("21736", dup202); + +var msg23904 = msg("21737", dup202); + +var msg23905 = msg("21738", dup202); + +var msg23906 = msg("21739", dup202); + +var msg23907 = msg("21740", dup202); + +var msg23908 = msg("21741", dup202); + +var msg23909 = msg("21742", dup202); + +var msg23910 = msg("21743", dup202); + +var msg23911 = msg("21744", dup202); + +var msg23912 = msg("21745", dup202); + +var msg23913 = msg("21746", dup202); + +var msg23914 = msg("21747", dup202); + +var msg23915 = msg("21748", dup202); + +var msg23916 = msg("21749", dup202); + +var msg23917 = msg("21750", dup202); + +var msg23918 = msg("21751", dup202); + +var msg23919 = msg("21752", dup197); + +var msg23920 = msg("21753", dup197); + +var msg23921 = msg("21754", dup265); + +var msg23922 = msg("21755", dup202); + +var msg23923 = msg("21756", dup202); + +var msg23924 = msg("21757", dup202); + +var msg23925 = msg("21758", dup202); + +var msg23926 = msg("21759", dup197); + +var msg23927 = msg("21760", dup202); + +var msg23928 = msg("21761", dup202); + +var msg23929 = msg("21762", dup197); + +var msg23930 = msg("21763", dup198); + +var msg23931 = msg("21764", dup197); + +var msg23932 = msg("21765", dup202); + +var msg23933 = msg("21766", dup267); + +var msg23934 = msg("21767", dup287); + +var msg23935 = msg("21768", dup287); + +var msg23936 = msg("21769", dup192); + +var msg23937 = msg("21770", dup197); + +var msg23938 = msg("21771", dup197); + +var msg23939 = msg("21772", dup197); + +var msg23940 = msg("21773", dup197); + +var msg23941 = msg("21774", dup197); + +var msg23942 = msg("21775", dup197); + +var msg23943 = msg("21776", dup198); + +var msg23944 = msg("21777", dup260); + +var msg23945 = msg("21778", dup260); + +var msg23946 = msg("21779", dup260); + +var msg23947 = msg("21780", dup260); + +var msg23948 = msg("21781", dup260); + +var msg23949 = msg("21782", dup267); + +var msg23950 = msg("21783", dup267); + +var msg23951 = msg("21784", dup267); + +var msg23952 = msg("21785", dup201); + +var msg23953 = msg("21786", dup201); + +var msg23954 = msg("21787", dup201); + +var msg23955 = msg("21788", dup260); + +var msg23956 = msg("21789", dup260); + +var msg23957 = msg("21790", dup269); + +var msg23958 = msg("21791", dup265); + +var msg23959 = msg("21792", dup202); + +var msg23960 = msg("21793", dup265); + +var msg23961 = msg("21794", dup197); + +var msg23962 = msg("21795", dup285); + +var msg23963 = msg("21796", dup265); + +var msg23964 = msg("21797", dup197); + +var msg23965 = msg("21798", dup197); + +var msg23966 = msg("21799", dup197); + +var msg23967 = msg("21800", dup197); + +var msg23968 = msg("21801", dup197); + +var msg23969 = msg("21802", dup202); + +var msg23970 = msg("21803", dup202); + +var msg23971 = msg("21804", dup202); + +var msg23972 = msg("21805", dup197); + +var msg23973 = msg("21806", dup276); + +var msg23974 = msg("21807", dup202); + +var msg23975 = msg("21808", dup202); + +var msg23976 = msg("21809", dup202); + +var msg23977 = msg("21810", dup202); + +var msg23978 = msg("21811", dup202); + +var msg23979 = msg("21812", dup202); + +var msg23980 = msg("21813", dup202); + +var msg23981 = msg("21814", dup202); + +var msg23982 = msg("21815", dup202); + +var msg23983 = msg("21816", dup202); + +var msg23984 = msg("21817", dup198); + +var msg23985 = msg("21818", dup265); + +var msg23986 = msg("21819", dup265); + +var msg23987 = msg("21820", dup265); + +var msg23988 = msg("21821", dup265); + +var msg23989 = msg("21822", dup265); + +var msg23990 = msg("21823", dup265); + +var msg23991 = msg("21824", dup265); + +var msg23992 = msg("21825", dup265); + +var msg23993 = msg("21826", dup265); + +var msg23994 = msg("21827", dup265); + +var msg23995 = msg("21828", dup265); + +var msg23996 = msg("21829", dup265); + +var msg23997 = msg("21830", dup265); + +var msg23998 = msg("21831", dup265); + +var msg23999 = msg("21832", dup265); + +var msg24000 = msg("21833", dup265); + +var msg24001 = msg("21834", dup265); + +var msg24002 = msg("21835", dup265); + +var msg24003 = msg("21836", dup265); + +var msg24004 = msg("21837", dup265); + +var msg24005 = msg("21838", dup265); + +var msg24006 = msg("21839", dup265); + +var msg24007 = msg("21840", dup265); + +var msg24008 = msg("21841", dup265); + +var msg24009 = msg("21842", dup265); + +var msg24010 = msg("21843", dup265); + +var msg24011 = msg("21844", dup265); + +var msg24012 = msg("21845", dup202); + +var msg24013 = msg("21846", dup202); + +var msg24014 = msg("21847", dup202); + +var msg24015 = msg("21848", dup202); + +var msg24016 = msg("21849", dup202); + +var msg24017 = msg("21850", dup202); + +var msg24018 = msg("21851", dup202); + +var msg24019 = msg("21852", dup192); + +var msg24020 = msg("21853", dup230); + +var msg24021 = msg("21854", dup202); + +var msg24022 = msg("21855", dup202); + +var msg24023 = msg("21856", dup287); + +var msg24024 = msg("21857", dup287); + +var msg24025 = msg("21858", dup267); + +var msg24026 = msg("21859", dup267); + +var msg24027 = msg("21860", dup267); + +var msg24028 = msg("21861", dup202); + +var msg24029 = msg("21862", dup202); + +var msg24030 = msg("21863", dup202); + +var msg24031 = msg("21864", dup202); + +var msg24032 = msg("21865", dup202); + +var msg24033 = msg("21866", dup202); + +var msg24034 = msg("21867", dup202); + +var msg24035 = msg("21868", dup202); + +var msg24036 = msg("21869", dup202); + +var msg24037 = msg("21870", dup202); + +var msg24038 = msg("21871", dup202); + +var msg24039 = msg("21872", dup202); + +var msg24040 = msg("21873", dup202); + +var msg24041 = msg("21874", dup267); + +var msg24042 = msg("21875", dup267); + +var msg24043 = msg("21876", dup267); + +var msg24044 = msg("21877", dup202); + +var msg24045 = msg("21878", dup197); + +var msg24046 = msg("21879", dup202); + +var msg24047 = msg("21880", dup202); + +var msg24048 = msg("21881", dup287); + +var msg24049 = msg("21882", dup265); + +var msg24050 = msg("21883", dup265); + +var msg24051 = msg("21884", dup202); + +var msg24052 = msg("21885", dup202); + +var msg24053 = msg("21886", dup202); + +var msg24054 = msg("21887", dup202); + +var msg24055 = msg("21888", dup202); + +var msg24056 = msg("21889", dup202); + +var msg24057 = msg("21890", dup202); + +var msg24058 = msg("21891", dup202); + +var msg24059 = msg("21892", dup202); + +var msg24060 = msg("21893", dup202); + +var msg24061 = msg("21894", dup202); + +var msg24062 = msg("21895", dup202); + +var msg24063 = msg("21896", dup197); + +var msg24064 = msg("21897", dup197); + +var msg24065 = msg("21898", dup197); + +var msg24066 = msg("21899", dup197); + +var msg24067 = msg("21900", dup197); + +var msg24068 = msg("21901", dup197); + +var msg24069 = msg("21902", dup197); + +var msg24070 = msg("21903", dup197); + +var msg24071 = msg("21904", dup197); + +var msg24072 = msg("21905", dup197); + +var msg24073 = msg("21906", dup197); + +var msg24074 = msg("21907", dup197); + +var msg24075 = msg("21908", dup267); + +var msg24076 = msg("21909", dup267); + +var msg24077 = msg("21910", dup263); + +var msg24078 = msg("21911", dup202); + +var msg24079 = msg("21912", dup202); + +var msg24080 = msg("21913", dup265); + +var msg24081 = msg("21914", dup197); + +var msg24082 = msg("21915", dup267); + +var msg24083 = msg("21916", dup267); + +var msg24084 = msg("21917", dup197); + +var msg24085 = msg("21918", dup197); + +var msg24086 = msg("21919", dup197); + +var msg24087 = msg("21920", dup197); + +var msg24088 = msg("21921", dup197); + +var msg24089 = msg("21922", dup197); + +var msg24090 = msg("21923", dup265); + +var msg24091 = msg("21924", dup263); + +var msg24092 = msg("21925", dup269); + +var msg24093 = msg("21926", dup265); + +var msg24094 = msg("21927", dup197); + +var msg24095 = msg("21928", dup197); + +var msg24096 = msg("21929", dup305); + +var msg24097 = msg("21930", dup305); + +var msg24098 = msg("21931", dup197); + +var msg24099 = msg("21932", dup197); + +var msg24100 = msg("21933", dup197); + +var msg24101 = msg("21934", dup303); + +var msg24102 = msg("21935", dup197); + +var msg24103 = msg("21937", dup197); + +var msg24104 = msg("21938", dup192); + +var msg24105 = msg("21939", dup202); + +var msg24106 = msg("21940", dup202); + +var msg24107 = msg("21941", dup202); + +var msg24108 = msg("21942", dup197); + +var msg24109 = msg("21943", dup197); + +var msg24110 = msg("21944", dup265); + +var msg24111 = msg("21945", dup192); + +var msg24112 = msg("21946", dup192); + +var msg24113 = msg("21947", dup192); + +var msg24114 = msg("21948", dup269); + +var msg24115 = msg("21949", dup201); + +var msg24116 = msg("21950", dup265); + +var msg24117 = msg("21951", dup265); + +var msg24118 = msg("21952", dup197); + +var msg24119 = msg("21953", dup287); + +var msg24120 = msg("21954", dup287); + +var msg24121 = msg("21955", dup202); + +var msg24122 = msg("21956", dup202); + +var msg24123 = msg("21957", dup202); + +var msg24124 = msg("21958", dup202); + +var msg24125 = msg("21959", dup202); + +var msg24126 = msg("21960", dup202); + +var msg24127 = msg("21961", dup287); + +var msg24128 = msg("21962", dup202); + +var msg24129 = msg("21963", dup202); + +var msg24130 = msg("21964", dup202); + +var msg24131 = msg("21965", dup269); + +var msg24132 = msg("21966", dup192); + +var msg24133 = msg("21967", dup287); + +var msg24134 = msg("21968", dup192); + +var msg24135 = msg("21969", dup192); + +var msg24136 = msg("21970", dup192); + +var msg24137 = msg("21971", dup192); + +var msg24138 = msg("21972", dup192); + +var msg24139 = msg("21973", dup192); + +var msg24140 = msg("21974", dup269); + +var msg24141 = msg("21975", dup269); + +var msg24142 = msg("21976", dup192); + +var msg24143 = msg("21977", dup192); + +var msg24144 = msg("21978", dup192); + +var msg24145 = msg("21979", dup192); + +var msg24146 = msg("21980", dup192); + +var msg24147 = msg("21981", dup192); + +var msg24148 = msg("21982", dup192); + +var msg24149 = msg("21983", dup192); + +var msg24150 = msg("21984", dup192); + +var msg24151 = msg("21985", dup197); + +var msg24152 = msg("21986", dup197); + +var msg24153 = msg("21987", dup197); + +var msg24154 = msg("21988", dup197); + +var msg24155 = msg("21989", dup197); + +var msg24156 = msg("21990", dup197); + +var msg24157 = msg("21991", dup267); + +var msg24158 = msg("21992", dup267); + +var msg24159 = msg("21993", dup267); + +var msg24160 = msg("21994", dup267); + +var msg24161 = msg("21995", dup202); + +var msg24162 = msg("21996", dup202); + +var msg24163 = msg("21997", dup192); + +var msg24164 = msg("21998", dup192); + +var msg24165 = msg("21999", dup202); + +var msg24166 = msg("22000", dup238); + +var msg24167 = msg("22001", dup238); + +var msg24168 = msg("22002", dup202); + +var msg24169 = msg("22003", dup265); + +var msg24170 = msg("22004", dup276); + +var msg24171 = msg("22005", dup276); + +var msg24172 = msg("22006", dup276); + +var msg24173 = msg("22007", dup276); + +var msg24174 = msg("22008", dup276); + +var msg24175 = msg("22009", dup276); + +var msg24176 = msg("22010", dup276); + +var msg24177 = msg("22011", dup276); + +var msg24178 = msg("22012", dup276); + +var msg24179 = msg("22013", dup202); + +var msg24180 = msg("22014", dup202); + +var msg24181 = msg("22015", dup202); + +var msg24182 = msg("22016", dup202); + +var msg24183 = msg("22017", dup202); + +var msg24184 = msg("22018", dup202); + +var msg24185 = msg("22019", dup202); + +var msg24186 = msg("22020", dup202); + +var msg24187 = msg("22021", dup202); + +var msg24188 = msg("22022", dup202); + +var msg24189 = msg("22023", dup202); + +var msg24190 = msg("22024", dup202); + +var msg24191 = msg("22025", dup202); + +var msg24192 = msg("22026", dup202); + +var msg24193 = msg("22027", dup202); + +var msg24194 = msg("22028", dup202); + +var msg24195 = msg("22029", dup197); + +var msg24196 = msg("22030", dup197); + +var msg24197 = msg("22031", dup197); + +var msg24198 = msg("22032", dup197); + +var msg24199 = msg("22033", dup263); + +var msg24200 = msg("22034", dup263); + +var msg24201 = msg("22035", dup197); + +var msg24202 = msg("22036", dup197); + +var msg24203 = msg("22037", dup197); + +var msg24204 = msg("22038", dup265); + +var msg24205 = msg("22039", dup202); + +var msg24206 = msg("22040", dup202); + +var msg24207 = msg("22041", dup202); + +var msg24208 = msg("22042", dup202); + +var msg24209 = msg("22043", dup202); + +var msg24210 = msg("22044", dup202); + +var msg24211 = msg("22045", dup202); + +var msg24212 = msg("22046", dup202); + +var msg24213 = msg("22047", dup192); + +var msg24214 = msg("22048", dup192); + +var msg24215 = msg("22049", dup265); + +var msg24216 = msg("22050", dup202); + +var msg24217 = msg("22051", dup263); + +var msg24218 = msg("22052", dup197); + +var msg24219 = msg("22053", dup192); + +var msg24220 = msg("22054", dup192); + +var msg24221 = msg("22055", dup202); + +var msg24222 = msg("22056", dup192); + +var msg24223 = msg("22057", dup192); + +var msg24224 = msg("22058", dup192); + +var msg24225 = msg("22059", dup192); + +var msg24226 = msg("22060", dup192); + +var msg24227 = msg("22061", dup269); + +var msg24228 = msg("22062", dup192); + +var msg24229 = msg("22063", dup302); + +var msg24230 = msg("22064", dup199); + +var msg24231 = msg("22065", dup192); + +var msg24232 = msg("22066", dup197); + +var msg24233 = msg("22067", dup202); + +var msg24234 = msg("22068", dup202); + +var msg24235 = msg("22069", dup202); + +var msg24236 = msg("22070", dup202); + +var msg24237 = msg("22071", dup314); + +var msg24238 = msg("22072", dup314); + +var msg24239 = msg("22073", dup314); + +var msg24240 = msg("22074", dup314); + +var msg24241 = msg("22075", dup197); + +var msg24242 = msg("22076", dup197); + +var msg24243 = msg("22077", dup197); + +var msg24244 = msg("22078", dup197); + +var msg24245 = msg("22079", dup267); + +var msg24246 = msg("22080", dup269); + +var msg24247 = msg("22081", dup197); + +var msg24248 = msg("22082", dup202); + +var msg24249 = msg("22083", dup202); + +var msg24250 = msg("22084", dup202); + +var msg24251 = msg("22085", dup197); + +var msg24252 = msg("22086", dup197); + +var msg24253 = msg("22087", dup197); + +var msg24254 = msg("22088", dup267); + +var msg24255 = msg("22089", dup265); + +var msg24256 = msg("22090", dup269); + +var msg24257 = msg("22091", dup197); + +var msg24258 = msg("22092", dup197); + +var msg24259 = msg("22093", dup197); + +var msg24260 = msg("22094", dup197); + +var msg24261 = msg("22095", dup192); + +var msg24262 = msg("22096", dup263); + +var msg24263 = msg("22097", dup199); + +var msg24264 = msg("22098", dup202); + +var msg24265 = msg("22099", dup192); + +var msg24266 = msg("22100", dup192); + +var msg24267 = msg("22101", dup197); + +var msg24268 = msg("22102", dup197); + +var msg24269 = msg("22103", dup192); + +var msg24270 = msg("22104", dup197); + +var msg24271 = msg("22105", dup197); + +var msg24272 = msg("22106", dup197); + +var msg24273 = msg("22107", dup197); + +var msg24274 = msg("22108", dup197); + +var msg24275 = msg("22109", dup197); + +var msg24276 = msg("22110", dup267); + +var msg24277 = msg("22111", dup267); + +var msg24278 = msg("22112", dup267); + +var msg24279 = msg("22113", dup267); + +var msg24280 = msg("22114", dup267); + +var msg24281 = msg("22115", dup267); + +var msg24282 = msg("22116", dup263); + +var msg24283 = msg("22117", dup263); + +var msg24284 = msg("22118", dup263); + +var msg24285 = msg("22119", dup263); + +var msg24286 = msg("22120", dup263); + +var msg24287 = msg("22121", dup263); + +var msg24288 = msg("22122", dup263); + +var msg24289 = msg("22123", dup263); + +var msg24290 = msg("22124", dup263); + +var msg24291 = msg("22125", dup263); + +var msg24292 = msg("22126", dup263); + +var msg24293 = msg("22127", dup263); + +var msg24294 = msg("22128", dup263); + +var msg24295 = msg("22129", dup263); + +var msg24296 = msg("22130", dup263); + +var msg24297 = msg("22131", dup263); + +var msg24298 = msg("22132", dup263); + +var msg24299 = msg("22133", dup263); + +var msg24300 = msg("22134", dup263); + +var msg24301 = msg("22135", dup263); + +var msg24302 = msg("22136", dup263); + +var msg24303 = msg("22137", dup263); + +var msg24304 = msg("22138", dup263); + +var msg24305 = msg("22139", dup263); + +var msg24306 = msg("22140", dup263); + +var msg24307 = msg("22141", dup263); + +var msg24308 = msg("22142", dup263); + +var msg24309 = msg("22143", dup263); + +var msg24310 = msg("22144", dup263); + +var msg24311 = msg("22145", dup263); + +var msg24312 = msg("22146", dup263); + +var msg24313 = msg("22147", dup263); + +var msg24314 = msg("22148", dup263); + +var msg24315 = msg("22149", dup263); + +var msg24316 = msg("22150", dup263); + +var msg24317 = msg("22151", dup263); + +var msg24318 = msg("22152", dup263); + +var msg24319 = msg("22153", dup263); + +var msg24320 = msg("22154", dup263); + +var msg24321 = msg("22155", dup263); + +var msg24322 = msg("22156", dup263); + +var msg24323 = msg("22157", dup263); + +var msg24324 = msg("22158", dup263); + +var msg24325 = msg("22159", dup263); + +var msg24326 = msg("22160", dup263); + +var msg24327 = msg("22161", dup263); + +var msg24328 = msg("22162", dup263); + +var msg24329 = msg("22163", dup263); + +var msg24330 = msg("22164", dup263); + +var msg24331 = msg("22165", dup263); + +var msg24332 = msg("22166", dup263); + +var msg24333 = msg("22167", dup263); + +var msg24334 = msg("22168", dup263); + +var msg24335 = msg("22169", dup263); + +var msg24336 = msg("22170", dup263); + +var msg24337 = msg("22171", dup263); + +var msg24338 = msg("22172", dup263); + +var msg24339 = msg("22173", dup263); + +var msg24340 = msg("22174", dup263); + +var msg24341 = msg("22175", dup263); + +var msg24342 = msg("22176", dup263); + +var msg24343 = msg("22177", dup263); + +var msg24344 = msg("22178", dup263); + +var msg24345 = msg("22179", dup263); + +var msg24346 = msg("22180", dup263); + +var msg24347 = msg("22181", dup263); + +var msg24348 = msg("22182", dup263); + +var msg24349 = msg("22183", dup263); + +var msg24350 = msg("22184", dup263); + +var msg24351 = msg("22185", dup263); + +var msg24352 = msg("22186", dup263); + +var msg24353 = msg("22187", dup263); + +var msg24354 = msg("22188", dup263); + +var msg24355 = msg("22189", dup263); + +var msg24356 = msg("22190", dup263); + +var msg24357 = msg("22191", dup263); + +var msg24358 = msg("22192", dup263); + +var msg24359 = msg("22193", dup263); + +var msg24360 = msg("22194", dup263); + +var msg24361 = msg("22195", dup263); + +var msg24362 = msg("22196", dup263); + +var msg24363 = msg("22197", dup263); + +var msg24364 = msg("22198", dup263); + +var msg24365 = msg("22199", dup263); + +var msg24366 = msg("22200", dup263); + +var msg24367 = msg("22201", dup263); + +var msg24368 = msg("22202", dup263); + +var msg24369 = msg("22203", dup263); + +var msg24370 = msg("22204", dup263); + +var msg24371 = msg("22205", dup263); + +var msg24372 = msg("22206", dup263); + +var msg24373 = msg("22207", dup263); + +var msg24374 = msg("22208", dup263); + +var msg24375 = msg("22209", dup263); + +var msg24376 = msg("22210", dup263); + +var msg24377 = msg("22211", dup263); + +var msg24378 = msg("22212", dup263); + +var msg24379 = msg("22213", dup263); + +var msg24380 = msg("22214", dup263); + +var msg24381 = msg("22215", dup263); + +var msg24382 = msg("22216", dup263); + +var msg24383 = msg("22217", dup263); + +var msg24384 = msg("22218", dup263); + +var msg24385 = msg("22219", dup263); + +var msg24386 = msg("22220", dup263); + +var msg24387 = msg("22221", dup263); + +var msg24388 = msg("22222", dup263); + +var msg24389 = msg("22223", dup263); + +var msg24390 = msg("22224", dup263); + +var msg24391 = msg("22225", dup263); + +var msg24392 = msg("22226", dup263); + +var msg24393 = msg("22227", dup263); + +var msg24394 = msg("22228", dup263); + +var msg24395 = msg("22229", dup263); + +var msg24396 = msg("22230", dup263); + +var msg24397 = msg("22231", dup263); + +var msg24398 = msg("22232", dup263); + +var msg24399 = msg("22233", dup263); + +var msg24400 = msg("22234", dup263); + +var msg24401 = msg("22235", dup263); + +var msg24402 = msg("22236", dup263); + +var msg24403 = msg("22237", dup263); + +var msg24404 = msg("22238", dup263); + +var msg24405 = msg("22239", dup263); + +var msg24406 = msg("22240", dup263); + +var msg24407 = msg("22241", dup263); + +var msg24408 = msg("22242", dup263); + +var msg24409 = msg("22243", dup263); + +var msg24410 = msg("22244", dup263); + +var msg24411 = msg("22245", dup263); + +var msg24412 = msg("22246", dup263); + +var msg24413 = msg("22247", dup269); + +var msg24414 = msg("22248", dup263); + +var msg24415 = msg("22249", dup263); + +var msg24416 = msg("22250", dup263); + +var msg24417 = msg("22251", dup263); + +var msg24418 = msg("22252", dup263); + +var msg24419 = msg("22253", dup263); + +var msg24420 = msg("22254", dup263); + +var msg24421 = msg("22255", dup263); + +var msg24422 = msg("22256", dup263); + +var msg24423 = msg("22257", dup263); + +var msg24424 = msg("22258", dup263); + +var msg24425 = msg("22259", dup263); + +var msg24426 = msg("22260", dup263); + +var msg24427 = msg("22261", dup263); + +var msg24428 = msg("22262", dup263); + +var msg24429 = msg("22263", dup263); + +var msg24430 = msg("22264", dup263); + +var msg24431 = msg("22265", dup263); + +var msg24432 = msg("22266", dup263); + +var msg24433 = msg("22267", dup263); + +var msg24434 = msg("22268", dup263); + +var msg24435 = msg("22269", dup263); + +var msg24436 = msg("22270", dup263); + +var msg24437 = msg("22271", dup263); + +var msg24438 = msg("22272", dup263); + +var msg24439 = msg("22273", dup263); + +var msg24440 = msg("22274", dup263); + +var msg24441 = msg("22275", dup263); + +var msg24442 = msg("22276", dup263); + +var msg24443 = msg("22277", dup263); + +var msg24444 = msg("22278", dup263); + +var msg24445 = msg("22279", dup263); + +var msg24446 = msg("22280", dup263); + +var msg24447 = msg("22281", dup263); + +var msg24448 = msg("22282", dup263); + +var msg24449 = msg("22283", dup263); + +var msg24450 = msg("22284", dup263); + +var msg24451 = msg("22285", dup263); + +var msg24452 = msg("22286", dup263); + +var msg24453 = msg("22287", dup263); + +var msg24454 = msg("22288", dup263); + +var msg24455 = msg("22289", dup263); + +var msg24456 = msg("22290", dup263); + +var msg24457 = msg("22291", dup263); + +var msg24458 = msg("22292", dup263); + +var msg24459 = msg("22293", dup263); + +var msg24460 = msg("22294", dup263); + +var msg24461 = msg("22295", dup263); + +var msg24462 = msg("22296", dup263); + +var msg24463 = msg("22297", dup263); + +var msg24464 = msg("22298", dup263); + +var msg24465 = msg("22299", dup263); + +var msg24466 = msg("22300", dup263); + +var msg24467 = msg("22301", dup263); + +var msg24468 = msg("22302", dup263); + +var msg24469 = msg("22303", dup263); + +var msg24470 = msg("22304", dup263); + +var msg24471 = msg("22305", dup263); + +var msg24472 = msg("22306", dup263); + +var msg24473 = msg("22307", dup263); + +var msg24474 = msg("22308", dup269); + +var msg24475 = msg("22309", dup263); + +var msg24476 = msg("22310", dup263); + +var msg24477 = msg("22311", dup263); + +var msg24478 = msg("22312", dup263); + +var msg24479 = msg("22313", dup263); + +var msg24480 = msg("22314", dup263); + +var msg24481 = msg("22315", dup263); + +var msg24482 = msg("22316", dup263); + +var msg24483 = msg("22317", dup263); + +var msg24484 = msg("22318", dup263); + +var msg24485 = msg("22319", dup263); + +var msg24486 = msg("22320", dup263); + +var msg24487 = msg("22321", dup263); + +var msg24488 = msg("22322", dup263); + +var msg24489 = msg("22323", dup263); + +var msg24490 = msg("22324", dup263); + +var msg24491 = msg("22325", dup263); + +var msg24492 = msg("22326", dup263); + +var msg24493 = msg("22327", dup263); + +var msg24494 = msg("22328", dup263); + +var msg24495 = msg("22329", dup263); + +var msg24496 = msg("22330", dup263); + +var msg24497 = msg("22331", dup263); + +var msg24498 = msg("22332", dup263); + +var msg24499 = msg("22333", dup263); + +var msg24500 = msg("22334", dup263); + +var msg24501 = msg("22335", dup263); + +var msg24502 = msg("22336", dup263); + +var msg24503 = msg("22337", dup263); + +var msg24504 = msg("22338", dup263); + +var msg24505 = msg("22339", dup227); + +var msg24506 = msg("22340", dup227); + +var msg24507 = msg("22341", dup263); + +var msg24508 = msg("22342", dup263); + +var msg24509 = msg("22343", dup263); + +var msg24510 = msg("22344", dup263); + +var msg24511 = msg("22345", dup263); + +var msg24512 = msg("22346", dup263); + +var msg24513 = msg("22347", dup263); + +var msg24514 = msg("22348", dup263); + +var msg24515 = msg("22349", dup263); + +var msg24516 = msg("22350", dup263); + +var msg24517 = msg("22351", dup263); + +var msg24518 = msg("22352", dup263); + +var msg24519 = msg("22353", dup263); + +var msg24520 = msg("22354", dup263); + +var msg24521 = msg("22355", dup263); + +var msg24522 = msg("22356", dup263); + +var msg24523 = msg("22357", dup263); + +var msg24524 = msg("22358", dup263); + +var msg24525 = msg("22359", dup263); + +var msg24526 = msg("22360", dup263); + +var msg24527 = msg("22361", dup263); + +var msg24528 = msg("22362", dup263); + +var msg24529 = msg("22363", dup263); + +var msg24530 = msg("22364", dup263); + +var msg24531 = msg("22365", dup263); + +var msg24532 = msg("22366", dup263); + +var msg24533 = msg("22367", dup263); + +var msg24534 = msg("22368", dup263); + +var msg24535 = msg("22369", dup263); + +var msg24536 = msg("22370", dup263); + +var msg24537 = msg("22371", dup263); + +var msg24538 = msg("22372", dup263); + +var msg24539 = msg("22373", dup263); + +var msg24540 = msg("22374", dup263); + +var msg24541 = msg("22375", dup263); + +var msg24542 = msg("22376", dup263); + +var msg24543 = msg("22377", dup263); + +var msg24544 = msg("22378", dup263); + +var msg24545 = msg("22379", dup263); + +var msg24546 = msg("22380", dup263); + +var msg24547 = msg("22381", dup263); + +var msg24548 = msg("22382", dup263); + +var msg24549 = msg("22383", dup263); + +var msg24550 = msg("22384", dup263); + +var msg24551 = msg("22385", dup263); + +var msg24552 = msg("22386", dup263); + +var msg24553 = msg("22387", dup263); + +var msg24554 = msg("22388", dup263); + +var msg24555 = msg("22389", dup263); + +var msg24556 = msg("22390", dup263); + +var msg24557 = msg("22391", dup263); + +var msg24558 = msg("22392", dup263); + +var msg24559 = msg("22393", dup263); + +var msg24560 = msg("22394", dup263); + +var msg24561 = msg("22395", dup263); + +var msg24562 = msg("22396", dup263); + +var msg24563 = msg("22397", dup263); + +var msg24564 = msg("22398", dup263); + +var msg24565 = msg("22399", dup263); + +var msg24566 = msg("22400", dup263); + +var msg24567 = msg("22401", dup263); + +var msg24568 = msg("22402", dup263); + +var msg24569 = msg("22403", dup263); + +var msg24570 = msg("22404", dup263); + +var msg24571 = msg("22405", dup263); + +var msg24572 = msg("22406", dup263); + +var msg24573 = msg("22407", dup227); + +var msg24574 = msg("22408", dup263); + +var msg24575 = msg("22409", dup263); + +var msg24576 = msg("22410", dup263); + +var msg24577 = msg("22411", dup263); + +var msg24578 = msg("22412", dup263); + +var msg24579 = msg("22413", dup263); + +var msg24580 = msg("22414", dup263); + +var msg24581 = msg("22415", dup263); + +var msg24582 = msg("22416", dup263); + +var msg24583 = msg("22417", dup263); + +var msg24584 = msg("22418", dup263); + +var msg24585 = msg("22419", dup263); + +var msg24586 = msg("22420", dup263); + +var msg24587 = msg("22421", dup263); + +var msg24588 = msg("22422", dup263); + +var msg24589 = msg("22423", dup263); + +var msg24590 = msg("22424", dup263); + +var msg24591 = msg("22425", dup263); + +var msg24592 = msg("22426", dup263); + +var msg24593 = msg("22427", dup263); + +var msg24594 = msg("22428", dup263); + +var msg24595 = msg("22429", dup263); + +var msg24596 = msg("22430", dup263); + +var msg24597 = msg("22431", dup263); + +var msg24598 = msg("22432", dup263); + +var msg24599 = msg("22433", dup263); + +var msg24600 = msg("22434", dup263); + +var msg24601 = msg("22435", dup263); + +var msg24602 = msg("22436", dup263); + +var msg24603 = msg("22437", dup263); + +var msg24604 = msg("22438", dup263); + +var msg24605 = msg("22439", dup263); + +var msg24606 = msg("22440", dup263); + +var msg24607 = msg("22441", dup263); + +var msg24608 = msg("22442", dup263); + +var msg24609 = msg("22443", dup263); + +var msg24610 = msg("22444", dup263); + +var msg24611 = msg("22445", dup263); + +var msg24612 = msg("22446", dup263); + +var msg24613 = msg("22447", dup263); + +var msg24614 = msg("22448", dup263); + +var msg24615 = msg("22449", dup263); + +var msg24616 = msg("22450", dup263); + +var msg24617 = msg("22451", dup263); + +var msg24618 = msg("22452", dup263); + +var msg24619 = msg("22453", dup263); + +var msg24620 = msg("22454", dup263); + +var msg24621 = msg("22455", dup263); + +var msg24622 = msg("22456", dup263); + +var msg24623 = msg("22457", dup263); + +var msg24624 = msg("22458", dup263); + +var msg24625 = msg("22459", dup263); + +var msg24626 = msg("22460", dup263); + +var msg24627 = msg("22461", dup263); + +var msg24628 = msg("22462", dup263); + +var msg24629 = msg("22463", dup263); + +var msg24630 = msg("22464", dup263); + +var msg24631 = msg("22465", dup263); + +var msg24632 = msg("22466", dup263); + +var msg24633 = msg("22467", dup263); + +var msg24634 = msg("22468", dup263); + +var msg24635 = msg("22469", dup263); + +var msg24636 = msg("22470", dup263); + +var msg24637 = msg("22471", dup263); + +var msg24638 = msg("22472", dup263); + +var msg24639 = msg("22473", dup263); + +var msg24640 = msg("22474", dup263); + +var msg24641 = msg("22475", dup263); + +var msg24642 = msg("22476", dup263); + +var msg24643 = msg("22477", dup263); + +var msg24644 = msg("22478", dup263); + +var msg24645 = msg("22479", dup263); + +var msg24646 = msg("22480", dup263); + +var msg24647 = msg("22481", dup263); + +var msg24648 = msg("22482", dup263); + +var msg24649 = msg("22483", dup263); + +var msg24650 = msg("22484", dup263); + +var msg24651 = msg("22485", dup263); + +var msg24652 = msg("22486", dup263); + +var msg24653 = msg("22487", dup263); + +var msg24654 = msg("22488", dup263); + +var msg24655 = msg("22489", dup263); + +var msg24656 = msg("22490", dup263); + +var msg24657 = msg("22491", dup263); + +var msg24658 = msg("22492", dup263); + +var msg24659 = msg("22493", dup263); + +var msg24660 = msg("22494", dup263); + +var msg24661 = msg("22495", dup263); + +var msg24662 = msg("22496", dup263); + +var msg24663 = msg("22497", dup263); + +var msg24664 = msg("22498", dup263); + +var msg24665 = msg("22499", dup263); + +var msg24666 = msg("22500", dup263); + +var msg24667 = msg("22501", dup263); + +var msg24668 = msg("22502", dup263); + +var msg24669 = msg("22503", dup263); + +var msg24670 = msg("22504", dup263); + +var msg24671 = msg("22505", dup263); + +var msg24672 = msg("22506", dup263); + +var msg24673 = msg("22507", dup263); + +var msg24674 = msg("22508", dup263); + +var msg24675 = msg("22509", dup263); + +var msg24676 = msg("22510", dup263); + +var msg24677 = msg("22511", dup263); + +var msg24678 = msg("22512", dup263); + +var msg24679 = msg("22513", dup263); + +var msg24680 = msg("22514", dup263); + +var msg24681 = msg("22515", dup263); + +var msg24682 = msg("22516", dup263); + +var msg24683 = msg("22517", dup263); + +var msg24684 = msg("22518", dup263); + +var msg24685 = msg("22519", dup263); + +var msg24686 = msg("22520", dup263); + +var msg24687 = msg("22521", dup263); + +var msg24688 = msg("22522", dup263); + +var msg24689 = msg("22523", dup263); + +var msg24690 = msg("22524", dup263); + +var msg24691 = msg("22525", dup263); + +var msg24692 = msg("22526", dup263); + +var msg24693 = msg("22527", dup263); + +var msg24694 = msg("22528", dup263); + +var msg24695 = msg("22529", dup263); + +var msg24696 = msg("22530", dup263); + +var msg24697 = msg("22531", dup263); + +var msg24698 = msg("22532", dup263); + +var msg24699 = msg("22533", dup263); + +var msg24700 = msg("22534", dup263); + +var msg24701 = msg("22535", dup263); + +var msg24702 = msg("22536", dup263); + +var msg24703 = msg("22537", dup263); + +var msg24704 = msg("22538", dup263); + +var msg24705 = msg("22539", dup263); + +var msg24706 = msg("22540", dup263); + +var msg24707 = msg("22541", dup263); + +var msg24708 = msg("22542", dup263); + +var msg24709 = msg("22543", dup263); + +var msg24710 = msg("22544", dup263); + +var msg24711 = msg("22545", dup263); + +var msg24712 = msg("22546", dup263); + +var msg24713 = msg("22547", dup263); + +var msg24714 = msg("22548", dup263); + +var msg24715 = msg("22549", dup263); + +var msg24716 = msg("22550", dup263); + +var msg24717 = msg("22551", dup263); + +var msg24718 = msg("22552", dup263); + +var msg24719 = msg("22553", dup263); + +var msg24720 = msg("22554", dup263); + +var msg24721 = msg("22555", dup263); + +var msg24722 = msg("22556", dup263); + +var msg24723 = msg("22557", dup263); + +var msg24724 = msg("22558", dup263); + +var msg24725 = msg("22559", dup263); + +var msg24726 = msg("22560", dup263); + +var msg24727 = msg("22561", dup263); + +var msg24728 = msg("22562", dup263); + +var msg24729 = msg("22563", dup263); + +var msg24730 = msg("22564", dup263); + +var msg24731 = msg("22565", dup263); + +var msg24732 = msg("22566", dup263); + +var msg24733 = msg("22567", dup263); + +var msg24734 = msg("22568", dup263); + +var msg24735 = msg("22569", dup263); + +var msg24736 = msg("22570", dup263); + +var msg24737 = msg("22571", dup263); + +var msg24738 = msg("22572", dup263); + +var msg24739 = msg("22573", dup263); + +var msg24740 = msg("22574", dup263); + +var msg24741 = msg("22575", dup263); + +var msg24742 = msg("22576", dup263); + +var msg24743 = msg("22577", dup263); + +var msg24744 = msg("22578", dup298); + +var msg24745 = msg("22579", dup298); + +var msg24746 = msg("22580", dup263); + +var msg24747 = msg("22581", dup263); + +var msg24748 = msg("22582", dup263); + +var msg24749 = msg("22583", dup263); + +var msg24750 = msg("22584", dup263); + +var msg24751 = msg("22585", dup263); + +var msg24752 = msg("22586", dup263); + +var msg24753 = msg("22587", dup263); + +var msg24754 = msg("22588", dup263); + +var msg24755 = msg("22589", dup263); + +var msg24756 = msg("22590", dup263); + +var msg24757 = msg("22591", dup263); + +var msg24758 = msg("22592", dup250); + +var msg24759 = msg("22593", dup263); + +var msg24760 = msg("22594", dup263); + +var msg24761 = msg("22595", dup263); + +var msg24762 = msg("22596", dup263); + +var msg24763 = msg("22597", dup263); + +var msg24764 = msg("22598", dup263); + +var msg24765 = msg("22599", dup263); + +var msg24766 = msg("22600", dup263); + +var msg24767 = msg("22601", dup263); + +var msg24768 = msg("22602", dup263); + +var msg24769 = msg("22603", dup263); + +var msg24770 = msg("22604", dup263); + +var msg24771 = msg("22605", dup263); + +var msg24772 = msg("22606", dup263); + +var msg24773 = msg("22607", dup263); + +var msg24774 = msg("22608", dup263); + +var msg24775 = msg("22609", dup263); + +var msg24776 = msg("22610", dup263); + +var msg24777 = msg("22611", dup263); + +var msg24778 = msg("22612", dup263); + +var msg24779 = msg("22613", dup263); + +var msg24780 = msg("22614", dup263); + +var msg24781 = msg("22615", dup263); + +var msg24782 = msg("22616", dup263); + +var msg24783 = msg("22617", dup263); + +var msg24784 = msg("22618", dup263); + +var msg24785 = msg("22619", dup263); + +var msg24786 = msg("22620", dup263); + +var msg24787 = msg("22621", dup263); + +var msg24788 = msg("22622", dup263); + +var msg24789 = msg("22623", dup263); + +var msg24790 = msg("22624", dup263); + +var msg24791 = msg("22625", dup263); + +var msg24792 = msg("22626", dup263); + +var msg24793 = msg("22627", dup263); + +var msg24794 = msg("22628", dup263); + +var msg24795 = msg("22629", dup263); + +var msg24796 = msg("22630", dup263); + +var msg24797 = msg("22631", dup263); + +var msg24798 = msg("22632", dup263); + +var msg24799 = msg("22633", dup263); + +var msg24800 = msg("22634", dup263); + +var msg24801 = msg("22635", dup263); + +var msg24802 = msg("22636", dup263); + +var msg24803 = msg("22637", dup263); + +var msg24804 = msg("22638", dup263); + +var msg24805 = msg("22639", dup263); + +var msg24806 = msg("22640", dup263); + +var msg24807 = msg("22641", dup263); + +var msg24808 = msg("22642", dup263); + +var msg24809 = msg("22643", dup263); + +var msg24810 = msg("22644", dup263); + +var msg24811 = msg("22645", dup263); + +var msg24812 = msg("22646", dup263); + +var msg24813 = msg("22647", dup263); + +var msg24814 = msg("22648", dup263); + +var msg24815 = msg("22649", dup263); + +var msg24816 = msg("22650", dup263); + +var msg24817 = msg("22651", dup263); + +var msg24818 = msg("22652", dup263); + +var msg24819 = msg("22653", dup263); + +var msg24820 = msg("22654", dup263); + +var msg24821 = msg("22655", dup263); + +var msg24822 = msg("22656", dup250); + +var msg24823 = msg("22657", dup250); + +var msg24824 = msg("22658", dup263); + +var msg24825 = msg("22659", dup263); + +var msg24826 = msg("22660", dup263); + +var msg24827 = msg("22661", dup263); + +var msg24828 = msg("22662", dup263); + +var msg24829 = msg("22663", dup263); + +var msg24830 = msg("22664", dup263); + +var msg24831 = msg("22665", dup263); + +var msg24832 = msg("22666", dup263); + +var msg24833 = msg("22667", dup263); + +var msg24834 = msg("22668", dup263); + +var msg24835 = msg("22669", dup263); + +var msg24836 = msg("22670", dup263); + +var msg24837 = msg("22671", dup263); + +var msg24838 = msg("22672", dup263); + +var msg24839 = msg("22673", dup263); + +var msg24840 = msg("22674", dup263); + +var msg24841 = msg("22675", dup263); + +var msg24842 = msg("22676", dup263); + +var msg24843 = msg("22677", dup263); + +var msg24844 = msg("22678", dup263); + +var msg24845 = msg("22679", dup263); + +var msg24846 = msg("22680", dup263); + +var msg24847 = msg("22681", dup263); + +var msg24848 = msg("22682", dup263); + +var msg24849 = msg("22683", dup263); + +var msg24850 = msg("22684", dup263); + +var msg24851 = msg("22685", dup263); + +var msg24852 = msg("22686", dup263); + +var msg24853 = msg("22687", dup263); + +var msg24854 = msg("22688", dup263); + +var msg24855 = msg("22689", dup263); + +var msg24856 = msg("22690", dup263); + +var msg24857 = msg("22691", dup263); + +var msg24858 = msg("22692", dup263); + +var msg24859 = msg("22693", dup263); + +var msg24860 = msg("22694", dup263); + +var msg24861 = msg("22695", dup263); + +var msg24862 = msg("22696", dup263); + +var msg24863 = msg("22697", dup263); + +var msg24864 = msg("22698", dup263); + +var msg24865 = msg("22699", dup263); + +var msg24866 = msg("22700", dup263); + +var msg24867 = msg("22701", dup263); + +var msg24868 = msg("22702", dup263); + +var msg24869 = msg("22703", dup263); + +var msg24870 = msg("22704", dup263); + +var msg24871 = msg("22705", dup263); + +var msg24872 = msg("22706", dup263); + +var msg24873 = msg("22707", dup263); + +var msg24874 = msg("22708", dup263); + +var msg24875 = msg("22709", dup263); + +var msg24876 = msg("22710", dup263); + +var msg24877 = msg("22711", dup263); + +var msg24878 = msg("22712", dup263); + +var msg24879 = msg("22713", dup263); + +var msg24880 = msg("22714", dup263); + +var msg24881 = msg("22715", dup263); + +var msg24882 = msg("22716", dup263); + +var msg24883 = msg("22717", dup263); + +var msg24884 = msg("22718", dup263); + +var msg24885 = msg("22719", dup263); + +var msg24886 = msg("22720", dup263); + +var msg24887 = msg("22721", dup263); + +var msg24888 = msg("22722", dup263); + +var msg24889 = msg("22723", dup263); + +var msg24890 = msg("22724", dup263); + +var msg24891 = msg("22725", dup263); + +var msg24892 = msg("22726", dup263); + +var msg24893 = msg("22727", dup263); + +var msg24894 = msg("22728", dup263); + +var msg24895 = msg("22729", dup263); + +var msg24896 = msg("22730", dup263); + +var msg24897 = msg("22731", dup263); + +var msg24898 = msg("22732", dup263); + +var msg24899 = msg("22733", dup263); + +var msg24900 = msg("22734", dup263); + +var msg24901 = msg("22735", dup263); + +var msg24902 = msg("22736", dup263); + +var msg24903 = msg("22737", dup263); + +var msg24904 = msg("22738", dup263); + +var msg24905 = msg("22739", dup263); + +var msg24906 = msg("22740", dup263); + +var msg24907 = msg("22741", dup263); + +var msg24908 = msg("22742", dup263); + +var msg24909 = msg("22743", dup263); + +var msg24910 = msg("22744", dup263); + +var msg24911 = msg("22745", dup263); + +var msg24912 = msg("22746", dup263); + +var msg24913 = msg("22747", dup263); + +var msg24914 = msg("22748", dup263); + +var msg24915 = msg("22749", dup263); + +var msg24916 = msg("22750", dup263); + +var msg24917 = msg("22751", dup263); + +var msg24918 = msg("22752", dup263); + +var msg24919 = msg("22753", dup263); + +var msg24920 = msg("22754", dup263); + +var msg24921 = msg("22755", dup263); + +var msg24922 = msg("22756", dup263); + +var msg24923 = msg("22757", dup263); + +var msg24924 = msg("22758", dup263); + +var msg24925 = msg("22759", dup263); + +var msg24926 = msg("22760", dup263); + +var msg24927 = msg("22761", dup263); + +var msg24928 = msg("22762", dup263); + +var msg24929 = msg("22763", dup263); + +var msg24930 = msg("22764", dup263); + +var msg24931 = msg("22765", dup263); + +var msg24932 = msg("22766", dup263); + +var msg24933 = msg("22767", dup263); + +var msg24934 = msg("22768", dup263); + +var msg24935 = msg("22769", dup263); + +var msg24936 = msg("22770", dup263); + +var msg24937 = msg("22771", dup263); + +var msg24938 = msg("22772", dup263); + +var msg24939 = msg("22773", dup263); + +var msg24940 = msg("22774", dup263); + +var msg24941 = msg("22775", dup263); + +var msg24942 = msg("22776", dup263); + +var msg24943 = msg("22777", dup263); + +var msg24944 = msg("22778", dup263); + +var msg24945 = msg("22779", dup263); + +var msg24946 = msg("22780", dup263); + +var msg24947 = msg("22781", dup263); + +var msg24948 = msg("22782", dup263); + +var msg24949 = msg("22783", dup263); + +var msg24950 = msg("22784", dup263); + +var msg24951 = msg("22785", dup263); + +var msg24952 = msg("22786", dup263); + +var msg24953 = msg("22787", dup263); + +var msg24954 = msg("22788", dup263); + +var msg24955 = msg("22789", dup263); + +var msg24956 = msg("22790", dup263); + +var msg24957 = msg("22791", dup263); + +var msg24958 = msg("22792", dup263); + +var msg24959 = msg("22793", dup263); + +var msg24960 = msg("22794", dup263); + +var msg24961 = msg("22795", dup263); + +var msg24962 = msg("22796", dup263); + +var msg24963 = msg("22797", dup263); + +var msg24964 = msg("22798", dup263); + +var msg24965 = msg("22799", dup263); + +var msg24966 = msg("22800", dup263); + +var msg24967 = msg("22801", dup263); + +var msg24968 = msg("22802", dup263); + +var msg24969 = msg("22803", dup263); + +var msg24970 = msg("22804", dup263); + +var msg24971 = msg("22805", dup263); + +var msg24972 = msg("22806", dup263); + +var msg24973 = msg("22807", dup263); + +var msg24974 = msg("22808", dup263); + +var msg24975 = msg("22809", dup263); + +var msg24976 = msg("22810", dup263); + +var msg24977 = msg("22811", dup263); + +var msg24978 = msg("22812", dup263); + +var msg24979 = msg("22813", dup263); + +var msg24980 = msg("22814", dup263); + +var msg24981 = msg("22815", dup263); + +var msg24982 = msg("22816", dup263); + +var msg24983 = msg("22817", dup263); + +var msg24984 = msg("22818", dup263); + +var msg24985 = msg("22819", dup263); + +var msg24986 = msg("22820", dup263); + +var msg24987 = msg("22821", dup263); + +var msg24988 = msg("22822", dup263); + +var msg24989 = msg("22823", dup263); + +var msg24990 = msg("22824", dup263); + +var msg24991 = msg("22825", dup263); + +var msg24992 = msg("22826", dup263); + +var msg24993 = msg("22827", dup263); + +var msg24994 = msg("22828", dup263); + +var msg24995 = msg("22829", dup263); + +var msg24996 = msg("22830", dup263); + +var msg24997 = msg("22831", dup263); + +var msg24998 = msg("22832", dup263); + +var msg24999 = msg("22833", dup263); + +var msg25000 = msg("22834", dup263); + +var msg25001 = msg("22835", dup263); + +var msg25002 = msg("22836", dup263); + +var msg25003 = msg("22837", dup263); + +var msg25004 = msg("22838", dup263); + +var msg25005 = msg("22839", dup263); + +var msg25006 = msg("22840", dup263); + +var msg25007 = msg("22841", dup263); + +var msg25008 = msg("22842", dup263); + +var msg25009 = msg("22843", dup263); + +var msg25010 = msg("22844", dup263); + +var msg25011 = msg("22845", dup263); + +var msg25012 = msg("22846", dup263); + +var msg25013 = msg("22847", dup263); + +var msg25014 = msg("22848", dup263); + +var msg25015 = msg("22849", dup263); + +var msg25016 = msg("22850", dup263); + +var msg25017 = msg("22851", dup263); + +var msg25018 = msg("22852", dup263); + +var msg25019 = msg("22853", dup263); + +var msg25020 = msg("22854", dup263); + +var msg25021 = msg("22855", dup263); + +var msg25022 = msg("22856", dup263); + +var msg25023 = msg("22857", dup263); + +var msg25024 = msg("22858", dup263); + +var msg25025 = msg("22859", dup263); + +var msg25026 = msg("22860", dup263); + +var msg25027 = msg("22861", dup263); + +var msg25028 = msg("22862", dup263); + +var msg25029 = msg("22863", dup263); + +var msg25030 = msg("22864", dup263); + +var msg25031 = msg("22865", dup263); + +var msg25032 = msg("22866", dup263); + +var msg25033 = msg("22867", dup263); + +var msg25034 = msg("22868", dup263); + +var msg25035 = msg("22869", dup263); + +var msg25036 = msg("22870", dup263); + +var msg25037 = msg("22871", dup263); + +var msg25038 = msg("22872", dup263); + +var msg25039 = msg("22873", dup263); + +var msg25040 = msg("22874", dup263); + +var msg25041 = msg("22875", dup250); + +var msg25042 = msg("22876", dup263); + +var msg25043 = msg("22877", dup263); + +var msg25044 = msg("22878", dup263); + +var msg25045 = msg("22879", dup263); + +var msg25046 = msg("22880", dup263); + +var msg25047 = msg("22881", dup263); + +var msg25048 = msg("22882", dup263); + +var msg25049 = msg("22883", dup263); + +var msg25050 = msg("22884", dup263); + +var msg25051 = msg("22885", dup263); + +var msg25052 = msg("22886", dup263); + +var msg25053 = msg("22887", dup263); + +var msg25054 = msg("22888", dup263); + +var msg25055 = msg("22889", dup263); + +var msg25056 = msg("22890", dup263); + +var msg25057 = msg("22891", dup263); + +var msg25058 = msg("22892", dup263); + +var msg25059 = msg("22893", dup263); + +var msg25060 = msg("22894", dup263); + +var msg25061 = msg("22895", dup263); + +var msg25062 = msg("22896", dup263); + +var msg25063 = msg("22897", dup263); + +var msg25064 = msg("22898", dup263); + +var msg25065 = msg("22899", dup263); + +var msg25066 = msg("22900", dup263); + +var msg25067 = msg("22901", dup263); + +var msg25068 = msg("22902", dup263); + +var msg25069 = msg("22903", dup263); + +var msg25070 = msg("22904", dup263); + +var msg25071 = msg("22905", dup263); + +var msg25072 = msg("22906", dup263); + +var msg25073 = msg("22907", dup263); + +var msg25074 = msg("22908", dup263); + +var msg25075 = msg("22909", dup263); + +var msg25076 = msg("22910", dup263); + +var msg25077 = msg("22911", dup263); + +var msg25078 = msg("22912", dup263); + +var msg25079 = msg("22913", dup263); + +var msg25080 = msg("22914", dup263); + +var msg25081 = msg("22915", dup202); + +var msg25082 = msg("22916", dup202); + +var msg25083 = msg("22917", dup192); + +var msg25084 = msg("22918", dup192); + +var msg25085 = msg("22919", dup192); + +var msg25086 = msg("22920", dup192); + +var msg25087 = msg("22921", dup192); + +var msg25088 = msg("22922", dup192); + +var msg25089 = msg("22923", dup192); + +var msg25090 = msg("22924", dup227); + +var msg25091 = msg("22925", dup192); + +var msg25092 = msg("22926", dup192); + +var msg25093 = msg("22927", dup192); + +var msg25094 = msg("22928", dup192); + +var msg25095 = msg("22929", dup192); + +var msg25096 = msg("22930", dup192); + +var msg25097 = msg("22931", dup192); + +var msg25098 = msg("22932", dup192); + +var msg25099 = msg("22933", dup192); + +var msg25100 = msg("22934", dup192); + +var msg25101 = msg("22935", dup192); + +var msg25102 = msg("22936", dup192); + +var msg25103 = msg("22937", dup192); + +var msg25104 = msg("22938", dup197); + +var msg25105 = msg("22939", dup269); + +var msg25106 = msg("22940", dup202); + +var msg25107 = msg("22941", dup269); + +var msg25108 = msg("22942", dup285); + +var msg25109 = msg("22943", dup202); + +var msg25110 = msg("22944", dup202); + +var msg25111 = msg("22945", dup202); + +var msg25112 = msg("22946", dup202); + +var msg25113 = msg("22947", dup197); + +var msg25114 = msg("22948", dup201); + +var msg25115 = msg("22949", dup202); + +var msg25116 = msg("22950", dup197); + +var msg25117 = msg("22951", dup197); + +var msg25118 = msg("22952", dup199); + +var msg25119 = msg("22953", dup198); + +var msg25120 = msg("22954", dup197); + +var msg25121 = msg("22955", dup202); + +var msg25122 = msg("22956", dup202); + +var msg25123 = msg("22957", dup263); + +var msg25124 = msg("22958", dup263); + +var msg25125 = msg("22959", dup263); + +var msg25126 = msg("22960", dup263); + +var msg25127 = msg("22961", dup202); + +var msg25128 = msg("22962", dup202); + +var msg25129 = msg("22963", dup202); + +var msg25130 = msg("22964", dup202); + +var msg25131 = msg("22965", dup202); + +var msg25132 = msg("22966", dup202); + +var msg25133 = msg("22967", dup202); + +var msg25134 = msg("22968", dup202); + +var msg25135 = msg("22969", dup202); + +var msg25136 = msg("22970", dup202); + +var msg25137 = msg("22971", dup202); + +var msg25138 = msg("22972", dup202); + +var msg25139 = msg("22973", dup202); + +var msg25140 = msg("22974", dup202); + +var msg25141 = msg("22975", dup202); + +var msg25142 = msg("22976", dup202); + +var msg25143 = msg("22977", dup202); + +var msg25144 = msg("22978", dup202); + +var msg25145 = msg("22979", dup202); + +var msg25146 = msg("22980", dup202); + +var msg25147 = msg("22981", dup202); + +var msg25148 = msg("22982", dup202); + +var msg25149 = msg("22983", dup202); + +var msg25150 = msg("22984", dup202); + +var msg25151 = msg("22985", dup202); + +var msg25152 = msg("22986", dup202); + +var msg25153 = msg("22987", dup202); + +var msg25154 = msg("22988", dup202); + +var msg25155 = msg("22989", dup202); + +var msg25156 = msg("22990", dup202); + +var msg25157 = msg("22991", dup202); + +var msg25158 = msg("22992", dup202); + +var msg25159 = msg("22993", dup202); + +var msg25160 = msg("22994", dup202); + +var msg25161 = msg("22995", dup202); + +var msg25162 = msg("22996", dup202); + +var msg25163 = msg("22997", dup202); + +var msg25164 = msg("22998", dup202); + +var msg25165 = msg("22999", dup202); + +var msg25166 = msg("23000", dup202); + +var msg25167 = msg("23001", dup202); + +var msg25168 = msg("23002", dup202); + +var msg25169 = msg("23003", dup202); + +var msg25170 = msg("23004", dup197); + +var msg25171 = msg("23005", dup197); + +var msg25172 = msg("23006", dup197); + +var msg25173 = msg("23007", dup197); + +var msg25174 = msg("23008", dup201); + +var msg25175 = msg("23009", dup197); + +var msg25176 = msg("23010", dup197); + +var msg25177 = msg("23011", dup202); + +var msg25178 = msg("23012", dup202); + +var msg25179 = msg("23013", dup202); + +var msg25180 = msg("23014", dup197); + +var msg25181 = msg("23015", dup265); + +var msg25182 = msg("23016", dup192); + +var msg25183 = msg("23017", dup202); + +var msg25184 = msg("23018", dup202); + +var msg25185 = msg("23019", dup269); + +var msg25186 = msg("23020", dup263); + +var msg25187 = msg("23021", dup263); + +var msg25188 = msg("23022", dup263); + +var msg25189 = msg("23023", dup263); + +var msg25190 = msg("23024", dup263); + +var msg25191 = msg("23025", dup263); + +var msg25192 = msg("23026", dup263); + +var msg25193 = msg("23027", dup263); + +var msg25194 = msg("23028", dup263); + +var msg25195 = msg("23029", dup263); + +var msg25196 = msg("23030", dup263); + +var msg25197 = msg("23031", dup263); + +var msg25198 = msg("23032", dup263); + +var msg25199 = msg("23033", dup263); + +var msg25200 = msg("23034", dup263); + +var msg25201 = msg("23035", dup263); + +var msg25202 = msg("23036", dup263); + +var msg25203 = msg("23037", dup263); + +var msg25204 = msg("23038", dup263); + +var msg25205 = msg("23039", dup287); + +var msg25206 = msg("23040", dup287); + +var msg25207 = msg("23041", dup202); + +var msg25208 = msg("23042", dup269); + +var msg25209 = msg("23043", dup269); + +var msg25210 = msg("23044", dup269); + +var msg25211 = msg("23045", dup269); + +var msg25212 = msg("23046", dup267); + +var msg25213 = msg("23047", dup267); + +var msg25214 = msg("23048", dup265); + +var msg25215 = msg("23049", dup265); + +var msg25216 = msg("23050", dup265); + +var msg25217 = msg("23051", dup202); + +var msg25218 = msg("23054", dup267); + +var msg25219 = msg("23055", dup227); + +var msg25220 = msg("23056", dup197); + +var msg25221 = msg("23057", dup263); + +var msg25222 = msg("23058", dup202); + +var msg25223 = msg("23059", dup197); + +var msg25224 = msg("23060", dup267); + +var msg25225 = msg("23061", dup263); + +var msg25226 = msg("23062", dup263); + +var msg25227 = msg("23063", dup263); + +var msg25228 = msg("23064", dup263); + +var msg25229 = msg("23065", dup263); + +var msg25230 = msg("23066", dup263); + +var msg25231 = msg("23067", dup263); + +var msg25232 = msg("23068", dup263); + +var msg25233 = msg("23069", dup263); + +var msg25234 = msg("23070", dup263); + +var msg25235 = msg("23071", dup263); + +var msg25236 = msg("23072", dup263); + +var msg25237 = msg("23073", dup263); + +var msg25238 = msg("23074", dup263); + +var msg25239 = msg("23075", dup263); + +var msg25240 = msg("23076", dup263); + +var msg25241 = msg("23077", dup263); + +var msg25242 = msg("23078", dup263); + +var msg25243 = msg("23079", dup263); + +var msg25244 = msg("23080", dup263); + +var msg25245 = msg("23081", dup263); + +var msg25246 = msg("23082", dup263); + +var msg25247 = msg("23083", dup263); + +var msg25248 = msg("23084", dup263); + +var msg25249 = msg("23085", dup202); + +var msg25250 = msg("23086", dup202); + +var msg25251 = msg("23087", dup202); + +var msg25252 = msg("23088", dup202); + +var msg25253 = msg("23089", dup202); + +var msg25254 = msg("23090", dup265); + +var msg25255 = msg("23091", dup197); + +var msg25256 = msg("23092", dup197); + +var msg25257 = msg("23093", dup197); + +var msg25258 = msg("23094", dup197); + +var msg25259 = msg("23095", dup197); + +var msg25260 = msg("23096", dup267); + +var msg25261 = msg("23097", dup198); + +var msg25262 = msg("23098", dup197); + +var msg25263 = msg("23099", dup198); + +var msg25264 = msg("23100", dup197); + +var msg25265 = msg("23101", dup197); + +var msg25266 = msg("23102", dup192); + +var msg25267 = msg("23103", dup192); + +var msg25268 = msg("23104", dup192); + +var msg25269 = msg("23105", dup197); + +var msg25270 = msg("23106", dup192); + +var msg25271 = msg("23107", dup265); + +var msg25272 = msg("23108", dup192); + +var msg25273 = msg("23109", dup192); + +var msg25274 = msg("23110", dup197); + +var msg25275 = msg("23111", dup304); + +var msg25276 = msg("23112", dup198); + +var msg25277 = msg("23113", dup269); + +var msg25278 = msg("23114", dup269); + +var msg25279 = msg("23115", dup240); + +var msg25280 = msg("23116", dup265); + +var msg25281 = msg("23117", dup265); + +var msg25282 = msg("23118", dup265); + +var msg25283 = msg("23119", dup202); + +var msg25284 = msg("23120", dup202); + +var msg25285 = msg("23121", dup265); + +var msg25286 = msg("23122", dup265); + +var msg25287 = msg("23123", dup265); + +var msg25288 = msg("23124", dup267); + +var msg25289 = msg("23125", dup267); + +var msg25290 = msg("23126", dup267); + +var msg25291 = msg("23127", dup267); + +var msg25292 = msg("23128", dup265); + +var msg25293 = msg("23129", dup202); + +var msg25294 = msg("23130", dup202); + +var msg25295 = msg("23131", dup202); + +var msg25296 = msg("23132", dup202); + +var msg25297 = msg("23133", dup197); + +var msg25298 = msg("23134", dup265); + +var msg25299 = msg("23135", dup267); + +var msg25300 = msg("23136", dup267); + +var msg25301 = msg("23137", dup267); + +var msg25302 = msg("23138", dup201); + +var msg25303 = msg("23139", dup201); + +var msg25304 = msg("23140", dup269); + +var msg25305 = msg("23141", dup267); + +var msg25306 = msg("23142", dup265); + +var msg25307 = msg("23143", dup265); + +var msg25308 = msg("23144", dup265); + +var msg25309 = msg("23145", dup265); + +var msg25310 = msg("23146", dup265); + +var msg25311 = msg("23147", dup267); + +var msg25312 = msg("23148", dup202); + +var msg25313 = msg("23149", dup267); + +var msg25314 = msg("23150", dup197); + +var msg25315 = msg("23151", dup197); + +var msg25316 = msg("23152", dup197); + +var msg25317 = msg("23153", dup197); + +var msg25318 = msg("23154", dup197); + +var msg25319 = msg("23155", dup197); + +var msg25320 = msg("23156", dup267); + +var msg25321 = msg("23157", dup267); + +var msg25322 = msg("23158", dup202); + +var msg25323 = msg("23159", dup202); + +var msg25324 = msg("23160", dup202); + +var msg25325 = msg("23161", dup202); + +var msg25326 = msg("23162", dup276); + +var msg25327 = msg("23163", dup276); + +var msg25328 = msg("23164", dup267); + +var msg25329 = msg("23165", dup267); + +var msg25330 = msg("23166", dup202); + +var msg25331 = msg("23167", dup202); + +var msg25332 = msg("23168", dup202); + +var msg25333 = msg("23169", dup202); + +var msg25334 = msg("23170", dup197); + +var msg25335 = msg("23171", dup202); + +var msg25336 = msg("23172", dup265); + +var msg25337 = msg("23173", dup192); + +var msg25338 = msg("23174", dup197); + +var msg25339 = msg("23175", dup197); + +var msg25340 = msg("23176", dup202); + +var msg25341 = msg("23177", dup267); + +var msg25342 = msg("23178", dup197); + +var msg25343 = msg("23179", dup269); + +var msg25344 = msg("23180", dup250); + +var msg25345 = msg("23181", dup202); + +var msg25346 = msg("23182", dup267); + +var msg25347 = msg("23183", dup202); + +var msg25348 = msg("23184", dup202); + +var msg25349 = msg("23185", dup202); + +var msg25350 = msg("23186", dup265); + +var msg25351 = msg("23187", dup202); + +var msg25352 = msg("23188", dup202); + +var msg25353 = msg("23189", dup202); + +var msg25354 = msg("23190", dup202); + +var msg25355 = msg("23191", dup202); + +var msg25356 = msg("23192", dup202); + +var msg25357 = msg("23193", dup202); + +var msg25358 = msg("23194", dup202); + +var msg25359 = msg("23195", dup202); + +var msg25360 = msg("23196", dup202); + +var msg25361 = msg("23197", dup202); + +var msg25362 = msg("23198", dup202); + +var msg25363 = msg("23199", dup202); + +var msg25364 = msg("23200", dup202); + +var msg25365 = msg("23201", dup202); + +var msg25366 = msg("23202", dup202); + +var msg25367 = msg("23203", dup202); + +var msg25368 = msg("23204", dup202); + +var msg25369 = msg("23205", dup202); + +var msg25370 = msg("23206", dup202); + +var msg25371 = msg("23207", dup202); + +var msg25372 = msg("23208", dup202); + +var msg25373 = msg("23209", dup267); + +var msg25374 = msg("23210", dup267); + +var msg25375 = msg("23211", dup197); + +var msg25376 = msg("23212", dup265); + +var msg25377 = msg("23213", dup260); + +var msg25378 = msg("23214", dup192); + +var msg25379 = msg("23215", dup192); + +var msg25380 = msg("23216", dup260); + +var msg25381 = msg("23217", dup199); + +var msg25382 = msg("23218", dup267); + +var msg25383 = msg("23219", dup267); + +var msg25384 = msg("23220", dup267); + +var msg25385 = msg("23221", dup202); + +var msg25386 = msg("23222", dup202); + +var msg25387 = msg("23223", dup202); + +var msg25388 = msg("23224", dup202); + +var msg25389 = msg("23225", dup202); + +var msg25390 = msg("23226", dup202); + +var msg25391 = msg("23227", dup197); + +var msg25392 = msg("23228", dup265); + +var msg25393 = msg("23229", dup265); + +var msg25394 = msg("23230", dup197); + +var msg25395 = msg("23231", dup197); + +var msg25396 = msg("23232", dup197); + +var msg25397 = msg("23233", dup197); + +var msg25398 = msg("23234", dup202); + +var msg25399 = msg("23235", dup202); + +var msg25400 = msg("23236", dup199); + +var msg25401 = msg("23237", dup276); + +var msg25402 = msg("23238", dup276); + +var msg25403 = msg("23239", dup267); + +var msg25404 = msg("23240", dup276); + +var msg25405 = msg("23241", dup260); + +var msg25406 = msg("23242", dup202); + +var msg25407 = msg("23243", dup201); + +var msg25408 = msg("23244", dup192); + +var msg25409 = msg("23245", dup192); + +var msg25410 = msg("23246", dup303); + +var msg25411 = msg("23247", dup303); + +var msg25412 = msg("23248", dup267); + +var msg25413 = msg("23249", dup267); + +var msg25414 = msg("23250", dup202); + +var msg25415 = msg("23251", dup192); + +var msg25416 = msg("23252", dup202); + +var msg25417 = msg("23253", dup265); + +var msg25418 = msg("23254", dup192); + +var msg25419 = msg("23255", dup192); + +var msg25420 = msg("23256", dup202); + +var msg25421 = msg("23257", dup192); + +var msg25422 = msg("23258", dup267); + +var msg25423 = msg("23259", dup267); + +var msg25424 = msg("23260", dup267); + +var msg25425 = msg("23261", dup202); + +var msg25426 = msg("23262", dup192); + +var msg25427 = msg("23263", dup267); + +var msg25428 = msg("23264", dup267); + +var msg25429 = msg("23265", dup267); + +var msg25430 = msg("23266", dup197); + +var msg25431 = msg("23267", dup197); + +var msg25432 = msg("23268", dup197); + +var msg25433 = msg("23269", dup197); + +var msg25434 = msg("23270", dup197); + +var msg25435 = msg("23271", dup197); + +var msg25436 = msg("23272", dup197); + +var msg25437 = msg("23273", dup267); + +var msg25438 = msg("23274", dup267); + +var msg25439 = msg("23275", dup267); + +var msg25440 = msg("23276", dup267); + +var msg25441 = msg("23277", dup267); + +var msg25442 = msg("23278", dup265); + +var msg25443 = msg("23279", dup267); + +var msg25444 = msg("23280", dup265); + +var msg25445 = msg("23281", dup265); + +var msg25446 = msg("23282", dup265); + +var msg25447 = msg("23283", dup265); + +var msg25448 = msg("23284", dup265); + +var msg25449 = msg("23285", dup265); + +var msg25450 = msg("23286", dup265); + +var msg25451 = msg("23287", dup265); + +var msg25452 = msg("23288", dup265); + +var msg25453 = msg("23289", dup265); + +var msg25454 = msg("23290", dup265); + +var msg25455 = msg("23291", dup265); + +var msg25456 = msg("23292", dup265); + +var msg25457 = msg("23293", dup265); + +var msg25458 = msg("23294", dup265); + +var msg25459 = msg("23295", dup265); + +var msg25460 = msg("23296", dup265); + +var msg25461 = msg("23297", dup265); + +var msg25462 = msg("23298", dup265); + +var msg25463 = msg("23299", dup265); + +var msg25464 = msg("23300", dup265); + +var msg25465 = msg("23301", dup265); + +var msg25466 = msg("23302", dup265); + +var msg25467 = msg("23303", dup265); + +var msg25468 = msg("23304", dup265); + +var msg25469 = msg("23305", dup197); + +var msg25470 = msg("23306", dup192); + +var msg25471 = msg("23307", dup192); + +var msg25472 = msg("23308", dup192); + +var msg25473 = msg("23309", dup267); + +var msg25474 = msg("23310", dup267); + +var msg25475 = msg("23311", dup267); + +var msg25476 = msg("23312", dup267); + +var msg25477 = msg("23313", dup267); + +var msg25478 = msg("23314", dup276); + +var msg25479 = msg("23315", dup276); + +var msg25480 = msg("23316", dup267); + +var msg25481 = msg("23317", dup192); + +var msg25482 = msg("23318", dup287); + +var msg25483 = msg("23319", dup202); + +var msg25484 = msg("23320", dup202); + +var msg25485 = msg("23321", dup202); + +var msg25486 = msg("23322", dup202); + +var msg25487 = msg("23323", dup287); + +var msg25488 = msg("23324", dup287); + +var msg25489 = msg("23325", dup287); + +var msg25490 = msg("23326", dup287); + +var msg25491 = msg("23327", dup287); + +var msg25492 = msg("23328", dup287); + +var msg25493 = msg("23329", dup287); + +var msg25494 = msg("23330", dup197); + +var msg25495 = msg("23331", dup192); + +var msg25496 = msg("23332", dup192); + +var msg25497 = msg("23333", dup192); + +var msg25498 = msg("23334", dup192); + +var msg25499 = msg("23335", dup192); + +var msg25500 = msg("23336", dup192); + +var msg25501 = msg("23337", dup192); + +var msg25502 = msg("23338", dup192); + +var msg25503 = msg("23339", dup192); + +var msg25504 = msg("23340", dup192); + +var msg25505 = msg("23341", dup192); + +var msg25506 = msg("23342", dup192); + +var msg25507 = msg("23343", dup192); + +var msg25508 = msg("23344", dup192); + +var msg25509 = msg("23345", dup192); + +var msg25510 = msg("23346", dup197); + +var msg25511 = msg("23347", dup202); + +var msg25512 = msg("23348", dup202); + +var msg25513 = msg("23349", dup202); + +var msg25514 = msg("23350", dup202); + +var msg25515 = msg("23351", dup287); + +var msg25516 = msg("23352", dup265); + +var msg25517 = msg("23353", dup265); + +var msg25518 = msg("23354", dup197); + +var msg25519 = msg("23355", dup197); + +var msg25520 = msg("23356", dup197); + +var msg25521 = msg("23357", dup287); + +var msg25522 = msg("23358", dup287); + +var msg25523 = msg("23359", dup287); + +var msg25524 = msg("23360", dup265); + +var msg25525 = msg("23361", dup265); + +var msg25526 = msg("23362", dup265); + +var msg25527 = msg("23363", dup197); + +var msg25528 = msg("23364", dup197); + +var msg25529 = msg("23365", dup197); + +var msg25530 = msg("23366", dup197); + +var msg25531 = msg("23367", dup197); + +var msg25532 = msg("23368", dup274); + +var msg25533 = msg("23369", dup263); + +var msg25534 = msg("23370", dup197); + +var msg25535 = msg("23371", dup197); + +var msg25536 = msg("23372", dup265); + +var msg25537 = msg("23373", dup265); + +var msg25538 = msg("23374", dup265); + +var msg25539 = msg("23375", dup265); + +var msg25540 = msg("23376", dup265); + +var msg25541 = msg("23377", dup269); + +var msg25542 = msg("23378", dup269); + +var msg25543 = msg("23379", dup192); + +var msg25544 = msg("23380", dup192); + +var msg25545 = msg("23381", dup192); + +var msg25546 = msg("23382", dup192); + +var msg25547 = msg("23383", dup192); + +var msg25548 = msg("23384", dup267); + +var msg25549 = msg("23385", dup267); + +var msg25550 = msg("23386", dup197); + +var msg25551 = msg("23387", dup192); + +var msg25552 = msg("23388", dup192); + +var msg25553 = msg("23389", dup192); + +var msg25554 = msg("23390", dup192); + +var msg25555 = msg("23391", dup192); + +var msg25556 = msg("23392", dup198); + +var msg25557 = msg("23393", dup202); + +var msg25558 = msg("23394", dup192); + +var msg25559 = msg("23395", dup265); + +var msg25560 = msg("23396", dup265); + +var msg25561 = msg("23397", dup197); + +var msg25562 = msg("23398", dup197); + +var msg25563 = msg("23399", dup192); + +var msg25564 = msg("23400", dup202); + +var msg25565 = msg("23401", dup265); + +var msg25566 = msg("23402", dup265); + +var msg25567 = msg("23403", dup265); + +var msg25568 = msg("23404", dup197); + +var msg25569 = msg("23405", dup260); + +var msg25570 = msg("23406", dup260); + +var msg25571 = msg("23407", dup267); + +var msg25572 = msg("23408", dup265); + +var msg25573 = msg("23409", dup267); + +var msg25574 = msg("23410", dup267); + +var msg25575 = msg("23411", dup267); + +var msg25576 = msg("23412", dup267); + +var msg25577 = msg("23413", dup267); + +var msg25578 = msg("23414", dup267); + +var msg25579 = msg("23415", dup267); + +var msg25580 = msg("23416", dup267); + +var msg25581 = msg("23417", dup267); + +var msg25582 = msg("23418", dup267); + +var msg25583 = msg("23419", dup267); + +var msg25584 = msg("23420", dup267); + +var msg25585 = msg("23421", dup267); + +var msg25586 = msg("23422", dup267); + +var msg25587 = msg("23423", dup267); + +var msg25588 = msg("23424", dup267); + +var msg25589 = msg("23425", dup267); + +var msg25590 = msg("23426", dup267); + +var msg25591 = msg("23427", dup267); + +var msg25592 = msg("23428", dup267); + +var msg25593 = msg("23429", dup267); + +var msg25594 = msg("23430", dup267); + +var msg25595 = msg("23431", dup267); + +var msg25596 = msg("23432", dup267); + +var msg25597 = msg("23433", dup267); + +var msg25598 = msg("23434", dup267); + +var msg25599 = msg("23435", dup202); + +var msg25600 = msg("23436", dup267); + +var msg25601 = msg("23437", dup267); + +var msg25602 = msg("23438", dup265); + +var msg25603 = msg("23439", dup265); + +var msg25604 = msg("23440", dup265); + +var msg25605 = msg("23441", dup265); + +var msg25606 = msg("23442", dup199); + +var msg25607 = msg("23443", dup199); + +var msg25608 = msg("23444", dup197); + +var msg25609 = msg("23445", dup267); + +var msg25610 = msg("23446", dup192); + +var msg25611 = msg("23447", dup192); + +var msg25612 = msg("23448", dup238); + +var msg25613 = msg("23449", dup192); + +var msg25614 = msg("23450", dup192); + +var msg25615 = msg("23451", dup287); + +var msg25616 = msg("23452", dup263); + +var msg25617 = msg("23453", dup263); + +var msg25618 = msg("23454", dup263); + +var msg25619 = msg("23455", dup263); + +var msg25620 = msg("23456", dup197); + +var msg25621 = msg("23457", dup197); + +var msg25622 = msg("23458", dup197); + +var msg25623 = msg("23459", dup197); + +var msg25624 = msg("23460", dup192); + +var msg25625 = msg("23461", dup197); + +var msg25626 = msg("23462", dup197); + +var msg25627 = msg("23463", dup197); + +var msg25628 = msg("23464", dup201); + +var msg25629 = msg("23465", dup197); + +var msg25630 = msg("23466", dup265); + +var msg25631 = msg("23467", dup202); + +var msg25632 = msg("23468", dup192); + +var msg25633 = msg("23469", dup192); + +var msg25634 = msg("23470", dup265); + +var msg25635 = msg("23471", dup265); + +var msg25636 = msg("23472", dup303); + +var msg25637 = msg("23473", dup202); + +var msg25638 = msg("23474", dup202); + +var msg25639 = msg("23475", dup202); + +var msg25640 = msg("23476", dup202); + +var msg25641 = msg("23477", dup202); + +var msg25642 = msg("23478", dup197); + +var msg25643 = msg("23479", dup197); + +var msg25644 = msg("23480", dup265); + +var msg25645 = msg("23481", dup202); + +var msg25646 = msg("23482", dup202); + +var msg25647 = msg("23483", dup192); + +var msg25648 = msg("23484", dup202); + +var msg25649 = msg("23485", dup265); + +var msg25650 = msg("23486", dup202); + +var msg25651 = msg("23487", dup202); + +var msg25652 = msg("23488", dup202); + +var msg25653 = msg("23489", dup197); + +var msg25654 = msg("23490", dup267); + +var msg25655 = msg("23491", dup192); + +var msg25656 = msg("23492", dup192); + +var msg25657 = msg("23493", dup192); + +var msg25658 = msg("23494", dup192); + +var msg25659 = msg("23495", dup192); + +var all53 = all_match({ + processors: [ + dup177, + dup116, + dup173, + dup174, + ], + on_success: processor_chain([ + dup71, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg25660 = msg("23496", all53); + +var msg25661 = msg("23497", dup202); + +var msg25662 = msg("23498", dup202); + +var msg25663 = msg("23499", dup197); + +var msg25664 = msg("23500", dup267); + +var msg25665 = msg("23501", dup201); + +var msg25666 = msg("23502", dup201); + +var msg25667 = msg("23503", dup201); + +var msg25668 = msg("23504", dup267); + +var msg25669 = msg("23505", dup267); + +var msg25670 = msg("23506", dup267); + +var msg25671 = msg("23507", dup197); + +var msg25672 = msg("23508", dup197); + +var msg25673 = msg("23509", dup267); + +var msg25674 = msg("23510", dup267); + +var msg25675 = msg("23511", dup267); + +var msg25676 = msg("23512", dup267); + +var msg25677 = msg("23513", dup267); + +var msg25678 = msg("23514", dup267); + +var msg25679 = msg("23515", dup267); + +var msg25680 = msg("23516", dup267); + +var msg25681 = msg("23517", dup197); + +var msg25682 = msg("23518", dup197); + +var msg25683 = msg("23519", dup269); + +var msg25684 = msg("23520", dup269); + +var msg25685 = msg("23521", dup269); + +var msg25686 = msg("23522", dup267); + +var msg25687 = msg("23523", dup267); + +var msg25688 = msg("23524", dup267); + +var msg25689 = msg("23525", dup197); + +var msg25690 = msg("23526", dup197); + +var msg25691 = msg("23527", dup197); + +var msg25692 = msg("23528", dup197); + +var msg25693 = msg("23529", dup197); + +var msg25694 = msg("23530", dup197); + +var msg25695 = msg("23531", dup197); + +var msg25696 = msg("23532", dup197); + +var msg25697 = msg("23533", dup197); + +var msg25698 = msg("23534", dup197); + +var msg25699 = msg("23535", dup197); + +var msg25700 = msg("23536", dup197); + +var msg25701 = msg("23537", dup197); + +var msg25702 = msg("23538", dup197); + +var msg25703 = msg("23539", dup197); + +var msg25704 = msg("23540", dup197); + +var msg25705 = msg("23541", dup197); + +var msg25706 = msg("23542", dup197); + +var msg25707 = msg("23543", dup197); + +var msg25708 = msg("23544", dup197); + +var msg25709 = msg("23545", dup197); + +var msg25710 = msg("23546", dup197); + +var msg25711 = msg("23547", dup197); + +var msg25712 = msg("23548", dup197); + +var msg25713 = msg("23549", dup197); + +var msg25714 = msg("23550", dup197); + +var msg25715 = msg("23551", dup197); + +var msg25716 = msg("23552", dup197); + +var msg25717 = msg("23553", dup197); + +var msg25718 = msg("23554", dup197); + +var msg25719 = msg("23555", dup197); + +var msg25720 = msg("23556", dup197); + +var msg25721 = msg("23557", dup197); + +var msg25722 = msg("23558", dup197); + +var msg25723 = msg("23559", dup197); + +var msg25724 = msg("23560", dup201); + +var msg25725 = msg("23561", dup202); + +var msg25726 = msg("23562", dup202); + +var msg25727 = msg("23563", dup202); + +var msg25728 = msg("23564", dup197); + +var msg25729 = msg("23565", dup197); + +var msg25730 = msg("23566", dup197); + +var msg25731 = msg("23567", dup267); + +var msg25732 = msg("23568", dup267); + +var msg25733 = msg("23569", dup267); + +var msg25734 = msg("23570", dup202); + +var msg25735 = msg("23571", dup202); + +var msg25736 = msg("23572", dup202); + +var msg25737 = msg("23573", dup297); + +var msg25738 = msg("23574", dup202); + +var msg25739 = msg("23575", dup202); + +var msg25740 = msg("23576", dup202); + +var msg25741 = msg("23577", dup197); + +var msg25742 = msg("23578", dup267); + +var msg25743 = msg("23579", dup267); + +var msg25744 = msg("23580", dup197); + +var msg25745 = msg("23581", dup197); + +var msg25746 = msg("23582", dup197); + +var msg25747 = msg("23583", dup197); + +var msg25748 = msg("23584", dup197); + +var msg25749 = msg("23585", dup201); + +var msg25750 = msg("23586", dup197); + +var msg25751 = msg("23587", dup197); + +var msg25752 = msg("23588", dup197); + +var msg25753 = msg("23589", dup197); + +var msg25754 = msg("23590", dup197); + +var msg25755 = msg("23591", dup267); + +var msg25756 = msg("23592", dup267); + +var msg25757 = msg("23593", dup192); + +var msg25758 = msg("23594", dup192); + +var msg25759 = msg("23595", dup192); + +var msg25760 = msg("23596", dup269); + +var msg25761 = msg("23597", dup192); + +var msg25762 = msg("23598", dup202); + +var msg25763 = msg("23599", dup202); + +var msg25764 = msg("23600", dup192); + +var msg25765 = msg("23601", dup194); + +var msg25766 = msg("23602", dup194); + +var msg25767 = msg("23603", dup194); + +var msg25768 = msg("23604", dup194); + +var msg25769 = msg("23605", dup202); + +var msg25770 = msg("23606", dup192); + +var msg25771 = msg("23607", dup192); + +var msg25772 = msg("23608", dup313); + +var msg25773 = msg("23609", dup265); + +var msg25774 = msg("23610", dup238); + +var msg25775 = msg("23611", dup202); + +var msg25776 = msg("23612", dup202); + +var msg25777 = msg("23613", dup265); + +var msg25778 = msg("23614", dup201); + +var msg25779 = msg("23615", dup303); + +var msg25780 = msg("23616", dup202); + +var msg25781 = msg("23617", dup287); + +var msg25782 = msg("23618", dup202); + +var msg25783 = msg("23619", dup202); + +var msg25784 = msg("23620", dup202); + +var msg25785 = msg("23621", dup202); + +var msg25786 = msg("23622", dup202); + +var msg25787 = msg("23623", dup267); + +var msg25788 = msg("23624", dup265); + +var msg25789 = msg("23625", dup265); + +var msg25790 = msg("23626", dup310); + +var msg25791 = msg("23627", dup269); + +var msg25792 = msg("23628", dup192); + +var msg25793 = msg("23629", dup263); + +var msg25794 = msg("23630", dup192); + +var msg25795 = msg("23631", dup267); + +var msg25796 = msg("23632", dup197); + +var msg25797 = msg("23633", dup287); + +var msg25798 = msg("23634", dup287); + +var msg25799 = msg("23635", dup192); + +var msg25800 = msg("23636", dup202); + +var msg25801 = msg("23637", dup202); + +var msg25802 = msg("23638", dup202); + +var msg25803 = msg("23639", dup202); + +var msg25804 = msg("23640", dup202); + +var msg25805 = msg("23641", dup287); + +var msg25806 = msg("23642", dup287); + +var msg25807 = msg("23643", dup287); + +var msg25808 = msg("23644", dup202); + +var msg25809 = msg("23645", dup202); + +var msg25810 = msg("23646", dup287); + +var msg25811 = msg("23647", dup202); + +var msg25812 = msg("23648", dup202); + +var msg25813 = msg("23649", dup202); + +var msg25814 = msg("23650", dup202); + +var msg25815 = msg("23651", dup287); + +var msg25816 = msg("23652", dup287); + +var msg25817 = msg("23653", dup287); + +var msg25818 = msg("23654", dup287); + +var msg25819 = msg("23655", dup287); + +var msg25820 = msg("23656", dup287); + +var msg25821 = msg("23657", dup287); + +var msg25822 = msg("23658", dup202); + +var msg25823 = msg("23659", dup202); + +var msg25824 = msg("23660", dup202); + +var msg25825 = msg("23661", dup202); + +var msg25826 = msg("23662", dup202); + +var msg25827 = msg("23663", dup202); + +var msg25828 = msg("23664", dup202); + +var msg25829 = msg("23665", dup202); + +var msg25830 = msg("23666", dup202); + +var msg25831 = msg("23667", dup202); + +var msg25832 = msg("23668", dup202); + +var msg25833 = msg("23669", dup287); + +var msg25834 = msg("23670", dup202); + +var msg25835 = msg("23671", dup287); + +var msg25836 = msg("23672", dup202); + +var msg25837 = msg("23673", dup202); + +var msg25838 = msg("23674", dup202); + +var msg25839 = msg("23675", dup202); + +var msg25840 = msg("23676", dup202); + +var msg25841 = msg("23677", dup202); + +var msg25842 = msg("23678", dup202); + +var msg25843 = msg("23679", dup202); + +var msg25844 = msg("23680", dup202); + +var msg25845 = msg("23681", dup202); + +var msg25846 = msg("23682", dup202); + +var msg25847 = msg("23683", dup202); + +var msg25848 = msg("23684", dup202); + +var msg25849 = msg("23685", dup202); + +var msg25850 = msg("23686", dup202); + +var msg25851 = msg("23687", dup202); + +var msg25852 = msg("23688", dup202); + +var msg25853 = msg("23689", dup202); + +var msg25854 = msg("23690", dup202); + +var msg25855 = msg("23691", dup202); + +var msg25856 = msg("23692", dup202); + +var msg25857 = msg("23693", dup202); + +var msg25858 = msg("23694", dup202); + +var msg25859 = msg("23695", dup202); + +var msg25860 = msg("23696", dup202); + +var msg25861 = msg("23697", dup202); + +var msg25862 = msg("23698", dup269); + +var msg25863 = msg("23699", dup202); + +var msg25864 = msg("23700", dup202); + +var msg25865 = msg("23701", dup202); + +var msg25866 = msg("23702", dup202); + +var msg25867 = msg("23703", dup269); + +var msg25868 = msg("23704", dup267); + +var msg25869 = msg("23705", dup267); + +var msg25870 = msg("23706", dup267); + +var msg25871 = msg("23707", dup202); + +var msg25872 = msg("23708", dup202); + +var msg25873 = msg("23709", dup202); + +var msg25874 = msg("23710", dup202); + +var msg25875 = msg("23711", dup202); + +var msg25876 = msg("23712", dup202); + +var msg25877 = msg("23713", dup202); + +var msg25878 = msg("23714", dup202); + +var msg25879 = msg("23715", dup202); + +var msg25880 = msg("23716", dup202); + +var msg25881 = msg("23717", dup202); + +var msg25882 = msg("23718", dup202); + +var msg25883 = msg("23719", dup267); + +var msg25884 = msg("23720", dup202); + +var msg25885 = msg("23721", dup202); + +var msg25886 = msg("23722", dup202); + +var msg25887 = msg("23723", dup202); + +var msg25888 = msg("23724", dup202); + +var msg25889 = msg("23725", dup267); + +var msg25890 = msg("23726", dup267); + +var msg25891 = msg("23727", dup202); + +var msg25892 = msg("23728", dup202); + +var msg25893 = msg("23729", dup202); + +var msg25894 = msg("23730", dup202); + +var msg25895 = msg("23731", dup202); + +var msg25896 = msg("23732", dup269); + +var msg25897 = msg("23733", dup202); + +var msg25898 = msg("23734", dup202); + +var msg25899 = msg("23735", dup202); + +var msg25900 = msg("23736", dup202); + +var msg25901 = msg("23737", dup202); + +var msg25902 = msg("23738", dup202); + +var msg25903 = msg("23739", dup202); + +var msg25904 = msg("23740", dup202); + +var msg25905 = msg("23741", dup202); + +var msg25906 = msg("23742", dup202); + +var msg25907 = msg("23743", dup202); + +var msg25908 = msg("23744", dup202); + +var msg25909 = msg("23745", dup202); + +var msg25910 = msg("23746", dup202); + +var msg25911 = msg("23747", dup202); + +var msg25912 = msg("23748", dup202); + +var msg25913 = msg("23749", dup202); + +var msg25914 = msg("23750", dup202); + +var msg25915 = msg("23751", dup202); + +var msg25916 = msg("23752", dup202); + +var msg25917 = msg("23753", dup202); + +var msg25918 = msg("23754", dup202); + +var msg25919 = msg("23755", dup202); + +var msg25920 = msg("23756", dup267); + +var msg25921 = msg("23757", dup202); + +var msg25922 = msg("23758", dup202); + +var msg25923 = msg("23759", dup202); + +var msg25924 = msg("23760", dup202); + +var msg25925 = msg("23761", dup202); + +var msg25926 = msg("23762", dup202); + +var msg25927 = msg("23763", dup202); + +var msg25928 = msg("23764", dup202); + +var msg25929 = msg("23765", dup202); + +var msg25930 = msg("23766", dup202); + +var msg25931 = msg("23767", dup202); + +var msg25932 = msg("23768", dup202); + +var msg25933 = msg("23769", dup202); + +var msg25934 = msg("23770", dup202); + +var msg25935 = msg("23771", dup202); + +var msg25936 = msg("23772", dup202); + +var msg25937 = msg("23773", dup202); + +var msg25938 = msg("23774", dup202); + +var msg25939 = msg("23775", dup202); + +var msg25940 = msg("23776", dup202); + +var msg25941 = msg("23777", dup202); + +var msg25942 = msg("23778", dup192); + +var msg25943 = msg("23779", dup265); + +var msg25944 = msg("23780", dup192); + +var msg25945 = msg("23781", dup202); + +var msg25946 = msg("23782", dup192); + +var msg25947 = msg("23783", dup199); + +var msg25948 = msg("23784", dup260); + +var msg25949 = msg("23785", dup202); + +var msg25950 = msg("23786", dup202); + +var msg25951 = msg("23787", dup192); + +var msg25952 = msg("23788", dup192); + +var msg25953 = msg("23789", dup267); + +var msg25954 = msg("23790", dup267); + +var msg25955 = msg("23791", dup265); + +var msg25956 = msg("23792", dup265); + +var msg25957 = msg("23793", dup250); + +var msg25958 = msg("23794", dup202); + +var msg25959 = msg("23795", dup263); + +var msg25960 = msg("23796", dup197); + +var msg25961 = msg("23797", dup202); + +var msg25962 = msg("23798", dup202); + +var msg25963 = msg("23799", dup263); + +var msg25964 = msg("23800", dup263); + +var msg25965 = msg("23801", dup263); + +var msg25966 = msg("23802", dup263); + +var msg25967 = msg("23803", dup263); + +var msg25968 = msg("23804", dup263); + +var msg25969 = msg("23805", dup267); + +var msg25970 = msg("23806", dup197); + +var msg25971 = msg("23807", dup202); + +var msg25972 = msg("23808", dup202); + +var msg25973 = msg("23809", dup202); + +var msg25974 = msg("23810", dup202); + +var msg25975 = msg("23811", dup202); + +var msg25976 = msg("23812", dup202); + +var msg25977 = msg("23813", dup202); + +var msg25978 = msg("23814", dup202); + +var msg25979 = msg("23815", dup202); + +var msg25980 = msg("23816", dup202); + +var msg25981 = msg("23817", dup202); + +var msg25982 = msg("23818", dup202); + +var msg25983 = msg("23819", dup202); + +var msg25984 = msg("23820", dup202); + +var msg25985 = msg("23821", dup202); + +var msg25986 = msg("23822", dup202); + +var msg25987 = msg("23823", dup202); + +var msg25988 = msg("23824", dup263); + +var msg25989 = msg("23825", dup202); + +var msg25990 = msg("23826", dup202); + +var msg25991 = msg("23827", dup265); + +var msg25992 = msg("23828", dup265); + +var msg25993 = msg("23829", dup202); + +var msg25994 = msg("23830", dup202); + +var msg25995 = msg("23831", dup265); + +var msg25996 = msg("23832", dup265); + +var msg25997 = msg("23833", dup202); + +var msg25998 = msg("23834", dup267); + +var msg25999 = msg("23835", dup267); + +var msg26000 = msg("23836", dup265); + +var msg26001 = msg("23837", dup276); + +var msg26002 = msg("23838", dup276); + +var msg26003 = msg("23839", dup197); + +var msg26004 = msg("23840", dup267); + +var msg26005 = msg("23841", dup267); + +var msg26006 = msg("23842", dup197); + +var msg26007 = msg("23843", dup197); + +var msg26008 = msg("23844", dup201); + +var msg26009 = msg("23845", dup201); + +var msg26010 = msg("23846", dup267); + +var msg26011 = msg("23847", dup276); + +var msg26012 = msg("23848", dup202); + +var msg26013 = msg("23849", dup202); + +var msg26014 = msg("23850", dup202); + +var msg26015 = msg("23851", dup269); + +var msg26016 = msg("23852", dup269); + +var msg26017 = msg("23853", dup267); + +var msg26018 = msg("23854", dup267); + +var msg26019 = msg("23855", dup267); + +var msg26020 = msg("23856", dup267); + +var msg26021 = msg("23857", dup250); + +var msg26022 = msg("23858", dup250); + +var msg26023 = msg("23859", dup250); + +var msg26024 = msg("23860", dup265); + +var msg26025 = msg("23861", dup265); + +var msg26026 = msg("23862", dup265); + +var msg26027 = msg("23863", dup303); + +var msg26028 = msg("23864", dup202); + +var msg26029 = msg("23865", dup202); + +var msg26030 = msg("23866", dup202); + +var msg26031 = msg("23867", dup202); + +var msg26032 = msg("23868", dup202); + +var msg26033 = msg("23869", dup202); + +var msg26034 = msg("23870", dup202); + +var msg26035 = msg("23871", dup202); + +var msg26036 = msg("23872", dup201); + +var msg26037 = msg("23873", dup201); + +var msg26038 = msg("23874", dup201); + +var msg26039 = msg("23875", dup201); + +var msg26040 = msg("23876", dup192); + +var msg26041 = msg("23877", dup192); + +var msg26042 = msg("23878", dup265); + +var msg26043 = msg("23879", dup197); + +var msg26044 = msg("23880", dup197); + +var msg26045 = msg("23881", dup202); + +var msg26046 = msg("23882", dup202); + +var msg26047 = msg("23883", dup202); + +var msg26048 = msg("23884", dup202); + +var msg26049 = msg("23885", dup202); + +var msg26050 = msg("23886", dup202); + +var msg26051 = msg("23887", dup202); + +var msg26052 = msg("23888", dup202); + +var msg26053 = msg("23889", dup202); + +var msg26054 = msg("23890", dup202); + +var msg26055 = msg("23891", dup202); + +var msg26056 = msg("23892", dup202); + +var msg26057 = msg("23893", dup192); + +var msg26058 = msg("23894", dup250); + +var msg26059 = msg("23895", dup265); + +var msg26060 = msg("23896", dup265); + +var msg26061 = msg("23897", dup287); + +var msg26062 = msg("23898", dup222); + +var msg26063 = msg("23899", dup201); + +var msg26064 = msg("23900", dup201); + +var msg26065 = msg("23901", dup201); + +var msg26066 = msg("23902", dup201); + +var msg26067 = msg("23903", dup269); + +var msg26068 = msg("23904", dup263); + +var msg26069 = msg("23905", dup267); + +var msg26070 = msg("23906", dup267); + +var msg26071 = msg("23907", dup267); + +var msg26072 = msg("23908", dup267); + +var msg26073 = msg("23909", dup267); + +var msg26074 = msg("23910", dup267); + +var msg26075 = msg("23911", dup267); + +var msg26076 = msg("23912", dup267); + +var msg26077 = msg("23913", dup267); + +var msg26078 = msg("23914", dup267); + +var msg26079 = msg("23915", dup267); + +var msg26080 = msg("23916", dup267); + +var msg26081 = msg("23917", dup267); + +var msg26082 = msg("23918", dup267); + +var msg26083 = msg("23919", dup267); + +var msg26084 = msg("23920", dup267); + +var msg26085 = msg("23921", dup267); + +var msg26086 = msg("23922", dup267); + +var msg26087 = msg("23923", dup267); + +var msg26088 = msg("23924", dup267); + +var msg26089 = msg("23925", dup267); + +var msg26090 = msg("23926", dup267); + +var msg26091 = msg("23927", dup267); + +var msg26092 = msg("23928", dup267); + +var msg26093 = msg("23929", dup267); + +var msg26094 = msg("23930", dup267); + +var msg26095 = msg("23931", dup267); + +var msg26096 = msg("23932", dup267); + +var msg26097 = msg("23933", dup267); + +var msg26098 = msg("23934", dup260); + +var msg26099 = msg("23935", dup192); + +var msg26100 = msg("23936", dup192); + +var msg26101 = msg("23937", dup265); + +var msg26102 = msg("23938", dup192); + +var msg26103 = msg("23939", dup317); + +var msg26104 = msg("23940", dup317); + +var msg26105 = msg("23941", dup192); + +var msg26106 = msg("23942", dup192); + +var msg26107 = msg("23943", dup197); + +var msg26108 = msg("23944", dup265); + +var msg26109 = msg("23945", dup192); + +var msg26110 = msg("23946", dup192); + +var msg26111 = msg("23947", dup260); + +var msg26112 = msg("23948", dup192); + +var msg26113 = msg("23949", dup192); + +var msg26114 = msg("23950", dup267); + +var msg26115 = msg("23951", dup267); + +var msg26116 = msg("23952", dup197); + +var msg26117 = msg("23953", dup192); + +var msg26118 = msg("23954", dup303); + +var msg26119 = msg("23955", dup202); + +var msg26120 = msg("23956", dup197); + +var msg26121 = msg("23957", dup197); + +var msg26122 = msg("23958", dup197); + +var msg26123 = msg("23959", dup197); + +var msg26124 = msg("23960", dup197); + +var msg26125 = msg("23961", dup197); + +var msg26126 = msg("23962", dup202); + +var msg26127 = msg("23963", dup192); + +var msg26128 = msg("23964", dup267); + +var msg26129 = msg("23965", dup267); + +var msg26130 = msg("23966", dup287); + +var msg26131 = msg("23967", dup267); + +var msg26132 = msg("23968", dup192); + +var msg26133 = msg("23969", dup303); + +var msg26134 = msg("23970", dup202); + +var msg26135 = msg("23971", dup192); + +var msg26136 = msg("23972", dup192); + +var msg26137 = msg("23973", dup192); + +var msg26138 = msg("23974", dup197); + +var msg26139 = msg("23975", dup197); + +var msg26140 = msg("23976", dup192); + +var msg26141 = msg("23977", dup192); + +var msg26142 = msg("23978", dup192); + +var msg26143 = msg("23979", dup197); + +var msg26144 = msg("23980", dup197); + +var msg26145 = msg("23981", dup197); + +var msg26146 = msg("23982", dup197); + +var msg26147 = msg("23983", dup197); + +var msg26148 = msg("23984", dup265); + +var msg26149 = msg("23985", dup197); + +var msg26150 = msg("23986", dup197); + +var msg26151 = msg("23987", dup192); + +var msg26152 = msg("23988", dup265); + +var msg26153 = msg("23989", dup197); + +var msg26154 = msg("23990", dup202); + +var msg26155 = msg("23991", dup202); + +var msg26156 = msg("23992", dup197); + +var msg26157 = msg("23993", dup197); + +var msg26158 = msg("23994", dup265); + +var msg26159 = msg("23995", dup265); + +var msg26160 = msg("23996", dup267); + +var msg26161 = msg("23997", dup267); + +var msg26162 = msg("23998", dup197); + +var msg26163 = msg("23999", dup267); + +var msg26164 = msg("24000", dup267); + +var msg26165 = msg("24001", dup267); + +var msg26166 = msg("24002", dup267); + +var msg26167 = msg("24003", dup267); + +var msg26168 = msg("24004", dup197); + +var msg26169 = msg("24005", dup197); + +var msg26170 = msg("24006", dup201); + +var msg26171 = msg("24007", dup197); + +var msg26172 = msg("24008", dup267); + +var msg26173 = msg("24009", dup263); + +var msg26174 = msg("24010", dup192); + +var msg26175 = msg("24011", dup192); + +var msg26176 = msg("24012", dup192); + +var msg26177 = msg("24013", dup192); + +var msg26178 = msg("24014", dup192); + +var msg26179 = msg("24015", dup192); + +var msg26180 = msg("24016", dup192); + +var msg26181 = msg("24017", dup269); + +var msg26182 = msg("24018", dup269); + +var msg26183 = msg("24019", dup269); + +var msg26184 = msg("24020", dup267); + +var msg26185 = msg("24021", dup267); + +var msg26186 = msg("24022", dup267); + +var msg26187 = msg("24023", dup267); + +var msg26188 = msg("24024", dup267); + +var msg26189 = msg("24025", dup267); + +var msg26190 = msg("24026", dup267); + +var msg26191 = msg("24027", dup267); + +var msg26192 = msg("24028", dup267); + +var msg26193 = msg("24029", dup197); + +var msg26194 = msg("24030", dup197); + +var msg26195 = msg("24031", dup263); + +var msg26196 = msg("24032", dup263); + +var msg26197 = msg("24033", dup263); + +var msg26198 = msg("24034", dup263); + +var msg26199 = msg("24035", dup202); + +var msg26200 = msg("24036", dup267); + +var msg26201 = msg("24037", dup267); + +var msg26202 = msg("24038", dup267); + +var msg26203 = msg("24039", dup265); + +var msg26204 = msg("24040", dup265); + +var msg26205 = msg("24041", dup265); + +var msg26206 = msg("24042", dup265); + +var msg26207 = msg("24043", dup265); + +var msg26208 = msg("24044", dup265); + +var msg26209 = msg("24045", dup202); + +var msg26210 = msg("24046", dup202); + +var msg26211 = msg("24047", dup202); + +var msg26212 = msg("24048", dup202); + +var msg26213 = msg("24049", dup202); + +var msg26214 = msg("24050", dup202); + +var msg26215 = msg("24051", dup267); + +var msg26216 = msg("24052", dup267); + +var msg26217 = msg("24053", dup202); + +var msg26218 = msg("24054", dup202); + +var msg26219 = msg("24055", dup267); + +var msg26220 = msg("24056", dup267); + +var msg26221 = msg("24057", dup267); + +var msg26222 = msg("24058", dup267); + +var msg26223 = msg("24059", dup197); + +var msg26224 = msg("24060", dup197); + +var msg26225 = msg("24061", dup197); + +var msg26226 = msg("24062", dup192); + +var msg26227 = msg("24063", dup267); + +var msg26228 = msg("24064", dup267); + +var msg26229 = msg("24065", dup267); + +var msg26230 = msg("24066", dup267); + +var msg26231 = msg("24067", dup269); + +var msg26232 = msg("24068", dup269); + +var msg26233 = msg("24069", dup269); + +var msg26234 = msg("24070", dup269); + +var msg26235 = msg("24071", dup287); + +var msg26236 = msg("24072", dup287); + +var msg26237 = msg("24073", dup287); + +var msg26238 = msg("24074", dup202); + +var msg26239 = msg("24075", dup202); + +var msg26240 = msg("24076", dup202); + +var msg26241 = msg("24077", dup263); + +var msg26242 = msg("24078", dup202); + +var msg26243 = msg("24079", dup202); + +var msg26244 = msg("24080", dup202); + +var msg26245 = msg("24081", dup202); + +var msg26246 = msg("24082", dup263); + +var msg26247 = msg("24083", dup201); + +var msg26248 = msg("24084", dup267); + +var msg26249 = msg("24085", dup267); + +var msg26250 = msg("24086", dup263); + +var msg26251 = msg("24087", dup287); + +var msg26252 = msg("24088", dup230); + +var msg26253 = msg("24089", dup265); + +var msg26254 = msg("24090", dup267); + +var msg26255 = msg("24091", dup199); + +var msg26256 = msg("24092", dup263); + +var msg26257 = msg("24093", dup265); + +var msg26258 = msg("24094", dup202); + +var msg26259 = msg("24095", dup202); + +var msg26260 = msg("24096", dup202); + +var msg26261 = msg("24097", dup202); + +var msg26262 = msg("24098", dup202); + +var msg26263 = msg("24099", dup263); + +var msg26264 = msg("24100", dup202); + +var msg26265 = msg("24101", dup202); + +var msg26266 = msg("24102", dup263); + +var msg26267 = msg("24103", dup265); + +var msg26268 = msg("24104", dup265); + +var msg26269 = msg("24105", dup265); + +var msg26270 = msg("24106", dup265); + +var msg26271 = msg("24107", dup265); + +var msg26272 = msg("24108", dup265); + +var msg26273 = msg("24109", dup265); + +var msg26274 = msg("24110", dup265); + +var msg26275 = msg("24111", dup269); + +var msg26276 = msg("24112", dup260); + +var msg26277 = msg("24113", dup265); + +var msg26278 = msg("24114", dup199); + +var msg26279 = msg("24115", dup263); + +var msg26280 = msg("24116", dup263); + +var msg26281 = msg("24117", dup263); + +var msg26282 = msg("24118", dup263); + +var msg26283 = msg("24119", dup263); + +var msg26284 = msg("24120", dup263); + +var msg26285 = msg("24121", dup263); + +var msg26286 = msg("24122", dup263); + +var msg26287 = msg("24123", dup263); + +var msg26288 = msg("24124", dup267); + +var msg26289 = msg("24125", dup267); + +var msg26290 = msg("24126", dup267); + +var msg26291 = msg("24127", dup192); + +var msg26292 = msg("24128", dup265); + +var msg26293 = msg("24129", dup197); + +var msg26294 = msg("24130", dup197); + +var msg26295 = msg("24131", dup267); + +var msg26296 = msg("24132", dup267); + +var msg26297 = msg("24133", dup267); + +var msg26298 = msg("24134", dup267); + +var msg26299 = msg("24135", dup267); + +var msg26300 = msg("24136", dup267); + +var msg26301 = msg("24137", dup267); + +var msg26302 = msg("24138", dup202); + +var msg26303 = msg("24139", dup202); + +var msg26304 = msg("24140", dup202); + +var msg26305 = msg("24141", dup202); + +var msg26306 = msg("24142", dup202); + +var msg26307 = msg("24143", dup263); + +var msg26308 = msg("24144", dup263); + +var msg26309 = msg("24145", dup263); + +var msg26310 = msg("24146", dup263); + +var msg26311 = msg("24147", dup201); + +var msg26312 = msg("24148", dup269); + +var msg26313 = msg("24149", dup269); + +var msg26314 = msg("24150", dup202); + +var msg26315 = msg("24151", dup202); + +var msg26316 = msg("24152", dup267); + +var msg26317 = msg("24153", dup267); + +var msg26318 = msg("24154", dup198); + +var msg26319 = msg("24155", dup198); + +var msg26320 = msg("24156", dup202); + +var msg26321 = msg("24157", dup202); + +var msg26322 = msg("24158", dup202); + +var msg26323 = msg("24159", dup197); + +var msg26324 = msg("24160", dup197); + +var msg26325 = msg("24161", dup197); + +var msg26326 = msg("24162", dup197); + +var msg26327 = msg("24163", dup197); + +var msg26328 = msg("24164", dup197); + +var msg26329 = msg("24165", dup197); + +var msg26330 = msg("24166", dup197); + +var msg26331 = msg("24167", dup202); + +var msg26332 = msg("24168", dup269); + +var msg26333 = msg("24169", dup263); + +var msg26334 = msg("24170", dup267); + +var msg26335 = msg("24171", dup267); + +var msg26336 = msg("24172", dup260); + +var msg26337 = msg("24173", dup263); + +var msg26338 = msg("24174", dup263); + +var msg26339 = msg("24175", dup263); + +var msg26340 = msg("24176", dup201); + +var msg26341 = msg("24177", dup201); + +var msg26342 = msg("24178", dup201); + +var msg26343 = msg("24179", dup201); + +var msg26344 = msg("24180", dup201); + +var msg26345 = msg("24181", dup201); + +var msg26346 = msg("24182", dup263); + +var msg26347 = msg("24183", dup263); + +var msg26348 = msg("24184", dup263); + +var msg26349 = msg("24185", dup263); + +var msg26350 = msg("24186", dup197); + +var msg26351 = msg("24187", dup197); + +var msg26352 = msg("24188", dup197); + +var msg26353 = msg("24189", dup197); + +var msg26354 = msg("24190", dup202); + +var msg26355 = msg("24191", dup263); + +var msg26356 = msg("24192", dup197); + +var msg26357 = msg("24193", dup197); + +var msg26358 = msg("24194", dup197); + +var msg26359 = msg("24195", dup197); + +var msg26360 = msg("24196", dup265); + +var msg26361 = msg("24197", dup265); + +var msg26362 = msg("24198", dup197); + +var msg26363 = msg("24199", dup267); + +var msg26364 = msg("24200", dup267); + +var msg26365 = msg("24201", dup267); + +var msg26366 = msg("24202", dup267); + +var msg26367 = msg("24203", dup267); + +var msg26368 = msg("24204", dup267); + +var msg26369 = msg("24205", dup267); + +var msg26370 = msg("24206", dup202); + +var msg26371 = msg("24207", dup197); + +var msg26372 = msg("24208", dup197); + +var msg26373 = msg("24209", dup197); + +var msg26374 = msg("24210", dup267); + +var msg26375 = msg("24211", dup263); + +var msg26376 = msg("24212", dup267); + +var msg26377 = msg("24213", dup202); + +var msg26378 = msg("24214", dup263); + +var msg26379 = msg("24215", dup263); + +var msg26380 = msg("24216", dup263); + +var msg26381 = msg("24217", dup263); + +var msg26382 = msg("24218", dup202); + +var msg26383 = msg("24219", dup202); + +var msg26384 = msg("24220", dup197); + +var msg26385 = msg("24221", dup267); + +var msg26386 = msg("24222", dup267); + +var msg26387 = msg("24223", dup267); + +var msg26388 = msg("24224", dup263); + +var msg26389 = msg("24225", dup269); + +var msg26390 = msg("24226", dup267); + +var msg26391 = msg("24227", dup267); + +var msg26392 = msg("24228", dup267); + +var msg26393 = msg("24229", dup201); + +var msg26394 = msg("24230", dup201); + +var msg26395 = msg("24231", dup267); + +var msg26396 = msg("24232", dup267); + +var msg26397 = msg("24233", dup267); + +var msg26398 = msg("24234", dup267); + +var msg26399 = msg("24235", dup263); + +var msg26400 = msg("24236", dup263); + +var msg26401 = msg("24237", dup197); + +var msg26402 = msg("24238", dup197); + +var msg26403 = msg("24239", dup197); + +var msg26404 = msg("24240", dup197); + +var msg26405 = msg("24241", dup197); + +var msg26406 = msg("24242", dup197); + +var msg26407 = msg("24243", dup269); + +var msg26408 = msg("24244", dup197); + +var msg26409 = msg("24245", dup197); + +var msg26410 = msg("24246", dup265); + +var msg26411 = msg("24247", dup265); + +var msg26412 = msg("24248", dup265); + +var msg26413 = msg("24249", dup265); + +var msg26414 = msg("24250", dup202); + +var msg26415 = msg("24251", dup263); + +var msg26416 = msg("24252", dup267); + +var msg26417 = msg("24253", dup202); + +var msg26418 = msg("24254", dup202); + +var msg26419 = msg("24255", dup263); + +var msg26420 = msg("24256", dup265); + +var msg26421 = msg("24257", dup263); + +var msg26422 = msg("24258", dup263); + +var msg26423 = msg("24259", dup263); + +var msg26424 = msg("24260", dup263); + +var msg26425 = msg("24261", dup263); + +var msg26426 = msg("24262", dup263); + +var msg26427 = msg("24263", dup269); + +var msg26428 = msg("24264", dup269); + +var msg26429 = msg("24265", dup269); + +var msg26430 = msg("24266", dup197); + +var msg26431 = msg("24267", dup197); + +var msg26432 = msg("24268", dup197); + +var msg26433 = msg("24269", dup197); + +var msg26434 = msg("24270", dup287); + +var msg26435 = msg("24271", dup263); + +var msg26436 = msg("24272", dup197); + +var msg26437 = msg("24273", dup197); + +var msg26438 = msg("24274", dup265); + +var msg26439 = msg("24275", dup265); + +var msg26440 = msg("24276", dup265); + +var msg26441 = msg("24277", dup267); + +var msg26442 = msg("24278", dup267); + +var msg26443 = msg("24279", dup267); + +var msg26444 = msg("24280", dup267); + +var msg26445 = msg("24281", dup265); + +var msg26446 = msg("24282", dup265); + +var msg26447 = msg("24283", dup267); + +var msg26448 = msg("24284", dup197); + +var msg26449 = msg("24285", dup263); + +var msg26450 = msg("24286", dup263); + +var msg26451 = msg("24287", dup263); + +var msg26452 = msg("24288", dup263); + +var msg26453 = msg("24289", dup267); + +var msg26454 = msg("24290", dup267); + +var msg26455 = msg("24291", dup265); + +var msg26456 = msg("24292", dup265); + +var msg26457 = msg("24293", dup255); + +var msg26458 = msg("24294", dup197); + +var all54 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup101, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg26459 = msg("24295", all54); + +var msg26460 = msg("24296", dup232); + +var msg26461 = msg("24297", dup232); + +var msg26462 = msg("24298", dup232); + +var msg26463 = msg("24299", dup232); + +var msg26464 = msg("24300", dup197); + +var msg26465 = msg("24301", dup232); + +var msg26466 = msg("24302", dup232); + +var msg26467 = msg("24303", dup232); + +var msg26468 = msg("24304", dup313); + +var msg26469 = msg("24305", dup232); + +var msg26470 = msg("24306", dup265); + +var msg26471 = msg("24307", dup263); + +var msg26472 = msg("24308", dup263); + +var msg26473 = msg("24309", dup263); + +var msg26474 = msg("24310", dup263); + +var msg26475 = msg("24311", dup263); + +var msg26476 = msg("24312", dup263); + +var msg26477 = msg("24313", dup265); + +var msg26478 = msg("24314", dup197); + +var msg26479 = msg("24315", dup197); + +var msg26480 = msg("24316", dup197); + +var msg26481 = msg("24317", dup197); + +var msg26482 = msg("24318", dup197); + +var msg26483 = msg("24319", dup197); + +var msg26484 = msg("24320", dup197); + +var msg26485 = msg("24321", dup197); + +var msg26486 = msg("24322", dup265); + +var msg26487 = msg("24323", dup265); + +var msg26488 = msg("24324", dup197); + +var msg26489 = msg("24325", dup197); + +var msg26490 = msg("24326", dup197); + +var msg26491 = msg("24327", dup197); + +var msg26492 = msg("24328", dup197); + +var msg26493 = msg("24329", dup197); + +var msg26494 = msg("24330", dup197); + +var msg26495 = msg("24331", dup197); + +var msg26496 = msg("24332", dup197); + +var msg26497 = msg("24333", dup197); + +var msg26498 = msg("24334", dup269); + +var msg26499 = msg("24335", dup197); + +var msg26500 = msg("24336", dup197); + +var msg26501 = msg("24337", dup198); + +var msg26502 = msg("24338", dup197); + +var msg26503 = msg("24339", dup255); + +var msg26504 = msg("24340", dup263); + +var msg26505 = msg("24341", dup263); + +var msg26506 = msg("24342", dup265); + +var msg26507 = msg("24343", dup265); + +var msg26508 = msg("24344", dup267); + +var msg26509 = msg("24345", dup263); + +var msg26510 = msg("24346", dup263); + +var msg26511 = msg("24347", dup263); + +var msg26512 = msg("24348", dup265); + +var msg26513 = msg("24349", dup263); + +var msg26514 = msg("24350", dup263); + +var msg26515 = msg("24351", dup197); + +var msg26516 = msg("24352", dup197); + +var msg26517 = msg("24353", dup197); + +var msg26518 = msg("24354", dup197); + +var msg26519 = msg("24355", dup267); + +var msg26520 = msg("24356", dup267); + +var msg26521 = msg("24357", dup197); + +var msg26522 = msg("24358", dup197); + +var msg26523 = msg("24359", dup276); + +var msg26524 = msg("24360", dup276); + +var msg26525 = msg("24361", dup263); + +var msg26526 = msg("24362", dup202); + +var msg26527 = msg("24363", dup202); + +var msg26528 = msg("24364", dup202); + +var msg26529 = msg("24365", dup202); + +var msg26530 = msg("24366", dup319); + +var msg26531 = msg("24367", dup319); + +var msg26532 = msg("24368", dup260); + +var msg26533 = msg("24369", dup260); + +var msg26534 = msg("24370", dup197); + +var msg26535 = msg("24371", dup197); + +var msg26536 = msg("24372", dup198); + +var msg26537 = msg("24373", dup263); + +var msg26538 = msg("24374", dup263); + +var msg26539 = msg("24375", dup263); + +var msg26540 = msg("24376", dup263); + +var msg26541 = msg("24377", dup263); + +var msg26542 = msg("24378", dup287); + +var msg26543 = msg("24379", dup197); + +var msg26544 = msg("24380", dup197); + +var msg26545 = msg("24381", dup263); + +var msg26546 = msg("24382", dup263); + +var msg26547 = msg("24383", dup263); + +var msg26548 = msg("24384", dup263); + +var msg26549 = msg("24385", dup263); + +var msg26550 = msg("24386", dup287); + +var msg26551 = msg("24387", dup287); + +var msg26552 = msg("24388", dup202); + +var msg26553 = msg("24389", dup202); + +var msg26554 = msg("24390", dup202); + +var msg26555 = msg("24391", dup202); + +var msg26556 = msg("24392", dup202); + +var msg26557 = msg("24393", dup267); + +var msg26558 = msg("24394", dup267); + +var msg26559 = msg("24395", dup197); + +var msg26560 = msg("24396", dup197); + +var msg26561 = msg("24397", dup202); + +var msg26562 = msg("24398", dup263); + +var msg26563 = msg("24399", dup263); + +var msg26564 = msg("24400", dup263); + +var msg26565 = msg("24401", dup197); + +var msg26566 = msg("24402", dup263); + +var msg26567 = msg("24403", dup263); + +var msg26568 = msg("24404", dup263); + +var msg26569 = msg("24405", dup263); + +var msg26570 = msg("24406", dup263); + +var msg26571 = msg("24407", dup263); + +var msg26572 = msg("24408", dup263); + +var msg26573 = msg("24409", dup263); + +var msg26574 = msg("24410", dup263); + +var msg26575 = msg("24411", dup263); + +var msg26576 = msg("24412", dup202); + +var msg26577 = msg("24413", dup202); + +var msg26578 = msg("24414", dup197); + +var msg26579 = msg("24415", dup197); + +var msg26580 = msg("24416", dup263); + +var msg26581 = msg("24417", dup263); + +var msg26582 = msg("24418", dup263); + +var msg26583 = msg("24419", dup263); + +var msg26584 = msg("24420", dup263); + +var msg26585 = msg("24421", dup260); + +var msg26586 = msg("24422", dup260); + +var msg26587 = msg("24423", dup240); + +var msg26588 = msg("24424", dup240); + +var msg26589 = msg("24425", dup199); + +var msg26590 = msg("24426", dup263); + +var msg26591 = msg("24427", dup263); + +var msg26592 = msg("24428", dup201); + +var msg26593 = msg("24429", dup201); + +var msg26594 = msg("24430", dup201); + +var msg26595 = msg("24431", dup201); + +var msg26596 = msg("24432", dup202); + +var msg26597 = msg("24433", dup202); + +var msg26598 = msg("24434", dup202); + +var msg26599 = msg("24435", dup265); + +var msg26600 = msg("24436", dup265); + +var msg26601 = msg("24437", dup263); + +var msg26602 = msg("24438", dup263); + +var msg26603 = msg("24439", dup269); + +var msg26604 = msg("24440", dup287); + +var msg26605 = msg("24441", dup269); + +var msg26606 = msg("24442", dup269); + +var msg26607 = msg("24443", dup263); + +var msg26608 = msg("24444", dup263); + +var msg26609 = msg("24445", dup263); + +var msg26610 = msg("24446", dup255); + +var msg26611 = msg("24447", dup202); + +var msg26612 = msg("24448", dup202); + +var msg26613 = msg("24449", dup267); + +var msg26614 = msg("24450", dup263); + +var msg26615 = msg("24451", dup263); + +var msg26616 = msg("24452", dup197); + +var msg26617 = msg("24453", dup202); + +var msg26618 = msg("24454", dup202); + +var msg26619 = msg("24455", dup202); + +var msg26620 = msg("24456", dup202); + +var msg26621 = msg("24457", dup202); + +var msg26622 = msg("24458", dup202); + +var msg26623 = msg("24459", dup202); + +var msg26624 = msg("24460", dup202); + +var msg26625 = msg("24461", dup202); + +var msg26626 = msg("24462", dup202); + +var msg26627 = msg("24463", dup202); + +var msg26628 = msg("24464", dup202); + +var msg26629 = msg("24465", dup202); + +var msg26630 = msg("24466", dup202); + +var msg26631 = msg("24467", dup202); + +var msg26632 = msg("24468", dup202); + +var msg26633 = msg("24469", dup202); + +var msg26634 = msg("24470", dup202); + +var msg26635 = msg("24471", dup202); + +var msg26636 = msg("24472", dup202); + +var msg26637 = msg("24473", dup202); + +var msg26638 = msg("24474", dup202); + +var msg26639 = msg("24475", dup267); + +var msg26640 = msg("24476", dup197); + +var msg26641 = msg("24477", dup197); + +var msg26642 = msg("24478", dup197); + +var msg26643 = msg("24479", dup197); + +var msg26644 = msg("24480", dup197); + +var msg26645 = msg("24481", dup197); + +var msg26646 = msg("24482", dup263); + +var msg26647 = msg("24483", dup202); + +var msg26648 = msg("24484", dup202); + +var msg26649 = msg("24485", dup197); + +var msg26650 = msg("24486", dup197); + +var msg26651 = msg("24487", dup197); + +var msg26652 = msg("24488", dup267); + +var msg26653 = msg("24489", dup267); + +var msg26654 = msg("24490", dup267); + +var msg26655 = msg("24491", dup321); + +var msg26656 = msg("24492", dup321); + +var msg26657 = msg("24493", dup321); + +var msg26658 = msg("24494", dup321); + +var msg26659 = msg("24495", dup321); + +var msg26660 = msg("24496", dup321); + +var msg26661 = msg("24497", dup321); + +var msg26662 = msg("24498", dup311); + +var msg26663 = msg("24499", dup311); + +var msg26664 = msg("24500", dup314); + +var msg26665 = msg("24501", dup311); + +var msg26666 = msg("24502", dup311); + +var msg26667 = msg("24503", dup308); + +var msg26668 = msg("24504", dup321); + +var msg26669 = msg("24505", dup321); + +var msg26670 = msg("24506", dup314); + +var msg26671 = msg("24507", dup309); + +var msg26672 = msg("24508", dup309); + +var msg26673 = msg("24509", dup314); + +var msg26674 = msg("24510", dup311); + +var msg26675 = msg("24511", dup311); + +var msg26676 = msg("24512", dup309); + +var msg26677 = msg("24513", dup309); + +var msg26678 = msg("24514", dup321); + +var msg26679 = msg("24515", dup321); + +var msg26680 = msg("24516", dup321); + +var msg26681 = msg("24517", dup322); + +var msg26682 = msg("24518", dup311); + +var msg26683 = msg("24519", dup311); + +var msg26684 = msg("24520", dup323); + +var msg26685 = msg("24521", dup314); + +var msg26686 = msg("24522", dup308); + +var msg26687 = msg("24523", dup321); + +var msg26688 = msg("24524", dup324); + +var msg26689 = msg("24525", dup311); + +var msg26690 = msg("24526", dup311); + +var msg26691 = msg("24527", dup311); + +var msg26692 = msg("24528", dup311); + +var msg26693 = msg("24529", dup321); + +var msg26694 = msg("24530", dup321); + +var msg26695 = msg("24531", dup321); + +var msg26696 = msg("24532", dup321); + +var msg26697 = msg("24533", dup321); + +var msg26698 = msg("24534", dup321); + +var msg26699 = msg("24535", dup309); + +var msg26700 = msg("24536", dup309); + +var msg26701 = msg("24537", dup309); + +var msg26702 = msg("24538", dup309); + +var msg26703 = msg("24539", dup321); + +var msg26704 = msg("24540", dup321); + +var msg26705 = msg("24541", dup321); + +var msg26706 = msg("24542", dup321); + +var msg26707 = msg("24543", dup311); + +var msg26708 = msg("24544", dup311); + +var msg26709 = msg("24545", dup321); + +var msg26710 = msg("24546", dup311); + +var msg26711 = msg("24547", dup311); + +var msg26712 = msg("24548", dup311); + +var msg26713 = msg("24549", dup309); + +var msg26714 = msg("24550", dup309); + +var msg26715 = msg("24551", dup309); + +var msg26716 = msg("24552", dup309); + +var msg26717 = msg("24553", dup309); + +var msg26718 = msg("24554", dup314); + +var msg26719 = msg("24555", dup314); + +var msg26720 = msg("24556", dup309); + +var msg26721 = msg("24557", dup309); + +var msg26722 = msg("24558", dup309); + +var msg26723 = msg("24559", dup314); + +var msg26724 = msg("24560", dup314); + +var msg26725 = msg("24561", dup311); + +var msg26726 = msg("24562", dup321); + +var msg26727 = msg("24563", dup321); + +var msg26728 = msg("24564", dup321); + +var msg26729 = msg("24565", dup321); + +var msg26730 = msg("24566", dup321); + +var msg26731 = msg("24567", dup321); + +var msg26732 = msg("24568", dup325); + +var msg26733 = msg("24569", dup321); + +var msg26734 = msg("24570", dup314); + +var msg26735 = msg("24571", dup314); + +var msg26736 = msg("24572", dup314); + +var msg26737 = msg("24573", dup314); + +var msg26738 = msg("24574", dup314); + +var msg26739 = msg("24575", dup325); + +var msg26740 = msg("24576", dup321); + +var msg26741 = msg("24577", dup325); + +var msg26742 = msg("24578", dup314); + +var msg26743 = msg("24579", dup314); + +var msg26744 = msg("24580", dup314); + +var msg26745 = msg("24581", dup314); + +var msg26746 = msg("24582", dup314); + +var msg26747 = msg("24583", dup314); + +var msg26748 = msg("24584", dup314); + +var msg26749 = msg("24585", dup314); + +var msg26750 = msg("24586", dup321); + +var msg26751 = msg("24587", dup309); + +var msg26752 = msg("24588", dup309); + +var msg26753 = msg("24589", dup311); + +var msg26754 = msg("24590", dup311); + +var msg26755 = msg("24591", dup311); + +var msg26756 = msg("24592", dup311); + +var msg26757 = msg("24593", dup311); + +var msg26758 = msg("24594", dup321); + +var msg26759 = msg("24595", dup311); + +var msg26760 = msg("24596", dup311); + +var msg26761 = msg("24597", dup311); + +var msg26762 = msg("24598", dup326); + +var msg26763 = msg("24599", dup314); + +var msg26764 = msg("24600", dup311); + +var msg26765 = msg("24601", dup311); + +var msg26766 = msg("24602", dup311); + +var msg26767 = msg("24603", dup311); + +var msg26768 = msg("24604", dup311); + +var msg26769 = msg("24605", dup311); + +var msg26770 = msg("24606", dup311); + +var msg26771 = msg("24607", dup311); + +var msg26772 = msg("24608", dup311); + +var msg26773 = msg("24609", dup311); + +var msg26774 = msg("24610", dup311); + +var msg26775 = msg("24611", dup311); + +var msg26776 = msg("24612", dup311); + +var msg26777 = msg("24613", dup311); + +var msg26778 = msg("24614", dup311); + +var msg26779 = msg("24615", dup311); + +var msg26780 = msg("24616", dup311); + +var msg26781 = msg("24617", dup311); + +var msg26782 = msg("24618", dup311); + +var msg26783 = msg("24619", dup311); + +var msg26784 = msg("24620", dup311); + +var msg26785 = msg("24621", dup311); + +var msg26786 = msg("24622", dup311); + +var msg26787 = msg("24623", dup325); + +var msg26788 = msg("24624", dup321); + +var msg26789 = msg("24625", dup309); + +var msg26790 = msg("24626", dup309); + +var msg26791 = msg("24627", dup324); + +var msg26792 = msg("24628", dup316); + +var msg26793 = msg("24629", dup322); + +var msg26794 = msg("24630", dup321); + +var msg26795 = msg("24631", dup325); + +var msg26796 = msg("24632", dup325); + +var msg26797 = msg("24633", dup325); + +var msg26798 = msg("24634", dup325); + +var msg26799 = msg("24635", dup321); + +var msg26800 = msg("24636", dup311); + +var msg26801 = msg("24637", dup311); + +var msg26802 = msg("24638", dup311); + +var msg26803 = msg("24639", dup308); + +var msg26804 = msg("24640", dup309); + +var msg26805 = msg("24641", dup309); + +var msg26806 = msg("24642", dup311); + +var msg26807 = msg("24643", dup314); + +var msg26808 = msg("24644", dup314); + +var msg26809 = msg("24645", dup314); + +var msg26810 = msg("24646", dup314); + +var msg26811 = msg("24647", dup309); + +var msg26812 = msg("24648", dup311); + +var msg26813 = msg("24649", dup309); + +var msg26814 = msg("24650", dup309); + +var msg26815 = msg("24651", dup323); + +var msg26816 = msg("24652", dup311); + +var msg26817 = msg("24653", dup325); + +var msg26818 = msg("24654", dup325); + +var msg26819 = msg("24655", dup311); + +var msg26820 = msg("24656", dup311); + +var msg26821 = msg("24657", dup309); + +var msg26822 = msg("24658", dup309); + +var msg26823 = msg("24659", dup309); + +var msg26824 = msg("24660", dup325); + +var msg26825 = msg("24661", dup325); + +var msg26826 = msg("24662", dup311); + +var msg26827 = msg("24663", dup311); + +var msg26828 = msg("24664", dup311); + +var msg26829 = msg("24665", dup311); + +var msg26830 = msg("24666", dup309); + +var msg26831 = msg("24667", dup311); + +var msg26832 = msg("24668", dup311); + +var msg26833 = msg("24669", dup311); + +var msg26834 = msg("24670", dup311); + +var msg26835 = msg("24671", dup311); + +var msg26836 = msg("24672", dup309); + +var msg26837 = msg("24673", dup309); + +var msg26838 = msg("24674", dup309); + +var msg26839 = msg("24675", dup307); + +var msg26840 = msg("24676", dup307); + +var msg26841 = msg("24677", dup324); + +var msg26842 = msg("24678", dup309); + +var msg26843 = msg("24679", dup309); + +var msg26844 = msg("24680", dup309); + +var msg26845 = msg("24681", dup309); + +var msg26846 = msg("24682", dup309); + +var msg26847 = msg("24683", dup309); + +var msg26848 = msg("24684", dup309); + +var msg26849 = msg("24685", dup309); + +var msg26850 = msg("24686", dup309); + +var msg26851 = msg("24687", dup311); + +var msg26852 = msg("24688", dup311); + +var msg26853 = msg("24689", dup314); + +var msg26854 = msg("24690", dup314); + +var msg26855 = msg("24691", dup314); + +var msg26856 = msg("24692", dup314); + +var msg26857 = msg("24693", dup309); + +var msg26858 = msg("24694", dup311); + +var msg26859 = msg("24695", dup311); + +var msg26860 = msg("24696", dup308); + +var msg26861 = msg("24697", dup324); + +var msg26862 = msg("24698", dup324); + +var msg26863 = msg("24699", dup307); + +var msg26864 = msg("24700", dup307); + +var msg26865 = msg("24701", dup309); + +var msg26866 = msg("24702", dup324); + +var msg26867 = msg("24703", dup324); + +var msg26868 = msg("24704", dup322); + +var msg26869 = msg("24705", dup322); + +var msg26870 = msg("24706", dup309); + +var msg26871 = msg("24707", dup309); + +var msg26872 = msg("24708", dup314); + +var msg26873 = msg("24709", dup314); + +var msg26874 = msg("24710", dup314); + +var msg26875 = msg("24711", dup309); + +var msg26876 = msg("24712", dup309); + +var msg26877 = msg("24713", dup309); + +var msg26878 = msg("24714", dup309); + +var msg26879 = msg("24715", dup309); + +var msg26880 = msg("24716", dup309); + +var msg26881 = msg("24717", dup309); + +var msg26882 = msg("24718", dup309); + +var msg26883 = msg("24719", dup314); + +var msg26884 = msg("24720", dup323); + +var msg26885 = msg("24721", dup314); + +var msg26886 = msg("24722", dup314); + +var msg26887 = msg("24723", dup314); + +var msg26888 = msg("24724", dup314); + +var msg26889 = msg("24725", dup314); + +var msg26890 = msg("24726", dup314); + +var msg26891 = msg("24727", dup311); + +var msg26892 = msg("24728", dup311); + +var msg26893 = msg("24729", dup311); + +var msg26894 = msg("24730", dup311); + +var msg26895 = msg("24731", dup311); + +var msg26896 = msg("24732", dup311); + +var msg26897 = msg("24733", dup311); + +var msg26898 = msg("24734", dup311); + +var msg26899 = msg("24735", dup311); + +var msg26900 = msg("24736", dup311); + +var msg26901 = msg("24737", dup311); + +var msg26902 = msg("24738", dup309); + +var msg26903 = msg("24739", dup307); + +var msg26904 = msg("24740", dup327); + +var msg26905 = msg("24741", dup307); + +var msg26906 = msg("24742", dup307); + +var msg26907 = msg("24743", dup307); + +var msg26908 = msg("24744", dup307); + +var msg26909 = msg("24745", dup307); + +var msg26910 = msg("24746", dup307); + +var msg26911 = msg("24747", dup307); + +var msg26912 = msg("24748", dup307); + +var msg26913 = msg("24749", dup307); + +var msg26914 = msg("24750", dup307); + +var msg26915 = msg("24751", dup307); + +var msg26916 = msg("24752", dup307); + +var msg26917 = msg("24753", dup307); + +var msg26918 = msg("24754", dup307); + +var msg26919 = msg("24755", dup307); + +var msg26920 = msg("24756", dup307); + +var msg26921 = msg("24757", dup307); + +var msg26922 = msg("24758", dup307); + +var msg26923 = msg("24759", dup307); + +var msg26924 = msg("24760", dup307); + +var msg26925 = msg("24761", dup324); + +var msg26926 = msg("24762", dup324); + +var msg26927 = msg("24763", dup309); + +var msg26928 = msg("24764", dup309); + +var msg26929 = msg("24765", dup309); + +var msg26930 = msg("24766", dup314); + +var msg26931 = msg("24767", dup314); + +var msg26932 = msg("24768", dup309); + +var msg26933 = msg("24769", dup311); + +var msg26934 = msg("24770", dup311); + +var msg26935 = msg("24771", dup309); + +var msg26936 = msg("24772", dup309); + +var msg26937 = msg("24773", dup309); + +var msg26938 = msg("24774", dup323); + +var msg26939 = msg("24775", dup323); + +var msg26940 = msg("24776", dup323); + +var msg26941 = msg("24777", dup323); + +var msg26942 = msg("24778", dup311); + +var msg26943 = msg("24779", dup311); + +var msg26944 = msg("24780", dup311); + +var msg26945 = msg("24781", dup311); + +var msg26946 = msg("24782", dup311); + +var msg26947 = msg("24783", dup311); + +var msg26948 = msg("24784", dup311); + +var msg26949 = msg("24785", dup311); + +var msg26950 = msg("24786", dup311); + +var msg26951 = msg("24787", dup311); + +var msg26952 = msg("24788", dup311); + +var msg26953 = msg("24789", dup311); + +var msg26954 = msg("24790", dup311); + +var msg26955 = msg("24791", dup311); + +var msg26956 = msg("24792", dup325); + +var msg26957 = msg("24793", dup311); + +var msg26958 = msg("24794", dup311); + +var msg26959 = msg("24795", dup311); + +var msg26960 = msg("24796", dup311); + +var msg26961 = msg("24797", dup311); + +var msg26962 = msg("24798", dup311); + +var msg26963 = msg("24799", dup311); + +var msg26964 = msg("24800", dup311); + +var msg26965 = msg("24801", dup322); + +var msg26966 = msg("24802", dup309); + +var msg26967 = msg("24803", dup314); + +var msg26968 = msg("24804", dup307); + +var msg26969 = msg("24805", dup310); + +var msg26970 = msg("24806", dup314); + +var msg26971 = msg("24807", dup314); + +var msg26972 = msg("24808", dup325); + +var msg26973 = msg("24809", dup325); + +var msg26974 = msg("24810", dup314); + +var msg26975 = msg("24811", dup314); + +var msg26976 = msg("24812", dup314); + +var msg26977 = msg("24813", dup314); + +var msg26978 = msg("24814", dup315); + +var msg26979 = msg("24815", dup309); + +var msg26980 = msg("24816", dup314); + +var msg26981 = msg("24817", dup314); + +var msg26982 = msg("24818", dup314); + +var msg26983 = msg("24819", dup314); + +var msg26984 = msg("24820", dup314); + +var msg26985 = msg("24821", dup314); + +var msg26986 = msg("24822", dup314); + +var msg26987 = msg("24823", dup309); + +var msg26988 = msg("24824", dup314); + +var msg26989 = msg("24825", dup314); + +var msg26990 = msg("24826", dup314); + +var msg26991 = msg("24827", dup309); + +var msg26992 = msg("24828", dup309); + +var msg26993 = msg("24829", dup309); + +var msg26994 = msg("24830", dup309); + +var msg26995 = msg("24831", dup309); + +var msg26996 = msg("24832", dup309); + +var msg26997 = msg("24833", dup309); + +var msg26998 = msg("24834", dup309); + +var msg26999 = msg("24835", dup309); + +var msg27000 = msg("24836", dup309); + +var msg27001 = msg("24837", dup311); + +var msg27002 = msg("24838", dup311); + +var msg27003 = msg("24839", dup311); + +var msg27004 = msg("24840", dup311); + +var msg27005 = msg("24841", dup311); + +var msg27006 = msg("24842", dup321); + +var msg27007 = msg("24843", dup321); + +var msg27008 = msg("24844", dup321); + +var msg27009 = msg("24845", dup321); + +var msg27010 = msg("24846", dup321); + +var msg27011 = msg("24847", dup321); + +var msg27012 = msg("24848", dup321); + +var msg27013 = msg("24849", dup321); + +var msg27014 = msg("24850", dup321); + +var msg27015 = msg("24851", dup321); + +var msg27016 = msg("24852", dup321); + +var msg27017 = msg("24853", dup321); + +var msg27018 = msg("24854", dup321); + +var msg27019 = msg("24855", dup321); + +var msg27020 = msg("24856", dup321); + +var msg27021 = msg("24857", dup321); + +var msg27022 = msg("24858", dup321); + +var msg27023 = msg("24859", dup321); + +var msg27024 = msg("24860", dup311); + +var msg27025 = msg("24861", dup311); + +var msg27026 = msg("24862", dup311); + +var msg27027 = msg("24863", dup311); + +var msg27028 = msg("24864", dup311); + +var msg27029 = msg("24865", dup311); + +var msg27030 = msg("24866", dup314); + +var msg27031 = msg("24867", dup314); + +var msg27032 = msg("24868", dup309); + +var msg27033 = msg("24869", dup311); + +var msg27034 = msg("24870", dup311); + +var msg27035 = msg("24871", dup311); + +var msg27036 = msg("24872", dup311); + +var msg27037 = msg("24873", dup321); + +var msg27038 = msg("24874", dup307); + +var msg27039 = msg("24875", dup307); + +var msg27040 = msg("24876", dup307); + +var msg27041 = msg("24877", dup307); + +var msg27042 = msg("24878", dup314); + +var msg27043 = msg("24879", dup314); + +var msg27044 = msg("24880", dup314); + +var msg27045 = msg("24881", dup314); + +var msg27046 = msg("24882", dup314); + +var msg27047 = msg("24883", dup311); + +var msg27048 = msg("24884", dup311); + +var msg27049 = msg("24885", dup321); + +var msg27050 = msg("24886", dup321); + +var msg27051 = msg("24887", dup321); + +var msg27052 = msg("24888", dup311); + +var msg27053 = msg("24889", dup309); + +var msg27054 = msg("24890", dup309); + +var msg27055 = msg("24891", dup309); + +var msg27056 = msg("24892", dup309); + +var msg27057 = msg("24893", dup309); + +var msg27058 = msg("24894", dup309); + +var msg27059 = msg("24895", dup323); + +var msg27060 = msg("24896", dup323); + +var msg27061 = msg("24897", dup322); + +var msg27062 = msg("24898", dup307); + +var msg27063 = msg("24899", dup311); + +var msg27064 = msg("24900", dup311); + +var msg27065 = msg("24901", dup314); + +var msg27066 = msg("24902", dup314); + +var msg27067 = msg("24903", dup314); + +var msg27068 = msg("24904", dup309); + +var msg27069 = msg("24905", dup309); + +var msg27070 = msg("24906", dup309); + +var msg27071 = msg("24907", dup316); + +var msg27072 = msg("24908", dup328); + +var msg27073 = msg("24909", dup328); + +var msg27074 = msg("24910", dup322); + +var msg27075 = msg("24911", dup309); + +var msg27076 = msg("24912", dup309); + +var msg27077 = msg("24913", dup309); + +var msg27078 = msg("24914", dup309); + +var msg27079 = msg("24915", dup309); + +var msg27080 = msg("24916", dup321); + +var msg27081 = msg("24917", dup321); + +var msg27082 = msg("24918", dup321); + +var msg27083 = msg("24955", dup309); + +var msg27084 = msg("24956", dup311); + +var msg27085 = msg("24957", dup314); + +var msg27086 = msg("24958", dup314); + +var msg27087 = msg("24959", dup314); + +var msg27088 = msg("24960", dup314); + +var msg27089 = msg("24961", dup314); + +var msg27090 = msg("24962", dup314); + +var msg27091 = msg("24963", dup314); + +var msg27092 = msg("24964", dup309); + +var msg27093 = msg("24965", dup309); + +var msg27094 = msg("24966", dup309); + +var msg27095 = msg("24967", dup309); + +var msg27096 = msg("24968", dup309); + +var msg27097 = msg("24969", dup309); + +var msg27098 = msg("24970", dup309); + +var msg27099 = msg("24971", dup311); + +var all55 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup95, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg27100 = msg("24972", all55); + +var msg27101 = msg("24973", dup309); + +var msg27102 = msg("24974", dup309); + +var msg27103 = msg("24975", dup309); + +var msg27104 = msg("24976", dup321); + +var msg27105 = msg("24977", dup311); + +var msg27106 = msg("24978", dup311); + +var msg27107 = msg("24979", dup311); + +var msg27108 = msg("24980", dup323); + +var msg27109 = msg("24981", dup323); + +var msg27110 = msg("24982", dup323); + +var msg27111 = msg("24983", dup323); + +var msg27112 = msg("24984", dup314); + +var msg27113 = msg("24985", dup309); + +var msg27114 = msg("24986", dup309); + +var msg27115 = msg("24987", dup323); + +var msg27116 = msg("24988", dup309); + +var msg27117 = msg("24989", dup314); + +var msg27118 = msg("24990", dup314); + +var msg27119 = msg("24991", dup309); + +var msg27120 = msg("24992", dup309); + +var msg27121 = msg("24993", dup311); + +var msg27122 = msg("24994", dup314); + +var msg27123 = msg("24995", dup309); + +var msg27124 = msg("24996", dup309); + +var msg27125 = msg("24997", dup309); + +var msg27126 = msg("24998", dup309); + +var msg27127 = msg("24999", dup309); + +var msg27128 = msg("25000", dup309); + +var msg27129 = msg("25001", dup321); + +var msg27130 = msg("25002", dup321); + +var msg27131 = msg("25003", dup309); + +var msg27132 = msg("25004", dup311); + +var msg27133 = msg("25005", dup311); + +var msg27134 = msg("25006", dup307); + +var msg27135 = msg("25007", dup321); + +var msg27136 = msg("25008", dup311); + +var msg27137 = msg("25009", dup325); + +var msg27138 = msg("25010", dup321); + +var msg27139 = msg("25011", dup321); + +var msg27140 = msg("25012", dup309); + +var msg27141 = msg("25013", dup309); + +var msg27142 = msg("25014", dup323); + +var msg27143 = msg("25015", dup321); + +var msg27144 = msg("25016", dup321); + +var msg27145 = msg("25017", dup311); + +var msg27146 = msg("25018", dup321); + +var msg27147 = msg("25019", dup316); + +var msg27148 = msg("25020", dup316); + +var msg27149 = msg("25021", dup321); + +var msg27150 = msg("25022", dup321); + +var msg27151 = msg("25023", dup321); + +var msg27152 = msg("25024", dup321); + +var msg27153 = msg("25025", dup321); + +var msg27154 = msg("25026", dup321); + +var msg27155 = msg("25027", dup321); + +var msg27156 = msg("25028", dup321); + +var msg27157 = msg("25029", dup321); + +var msg27158 = msg("25030", dup321); + +var msg27159 = msg("25031", dup321); + +var msg27160 = msg("25032", dup314); + +var msg27161 = msg("25033", dup314); + +var msg27162 = msg("25034", dup314); + +var msg27163 = msg("25035", dup314); + +var msg27164 = msg("25036", dup324); + +var msg27165 = msg("25037", dup311); + +var msg27166 = msg("25038", dup311); + +var msg27167 = msg("25039", dup311); + +var msg27168 = msg("25040", dup311); + +var msg27169 = msg("25041", dup311); + +var msg27170 = msg("25042", dup311); + +var msg27171 = msg("25043", dup311); + +var msg27172 = msg("25044", dup311); + +var msg27173 = msg("25045", dup311); + +var msg27174 = msg("25046", dup311); + +var msg27175 = msg("25047", dup311); + +var msg27176 = msg("25048", dup311); + +var msg27177 = msg("25049", dup321); + +var msg27178 = msg("25050", dup321); + +var msg27179 = msg("25051", dup311); + +var msg27180 = msg("25052", dup311); + +var msg27181 = msg("25053", dup311); + +var msg27182 = msg("25054", dup321); + +var msg27183 = msg("25055", dup311); + +var msg27184 = msg("25056", dup311); + +var msg27185 = msg("25057", dup314); + +var msg27186 = msg("25058", dup311); + +var msg27187 = msg("25059", dup309); + +var msg27188 = msg("25060", dup314); + +var msg27189 = msg("25061", dup314); + +var msg27190 = msg("25062", dup314); + +var msg27191 = msg("25063", dup309); + +var msg27192 = msg("25064", dup309); + +var msg27193 = msg("25065", dup309); + +var msg27194 = msg("25066", dup309); + +var msg27195 = msg("25067", dup321); + +var msg27196 = msg("25068", dup321); + +var msg27197 = msg("25069", dup321); + +var msg27198 = msg("25070", dup321); + +var msg27199 = msg("25071", dup321); + +var msg27200 = msg("25072", dup321); + +var msg27201 = msg("25073", dup321); + +var msg27202 = msg("25074", dup321); + +var msg27203 = msg("25075", dup321); + +var msg27204 = msg("25076", dup321); + +var msg27205 = msg("25077", dup321); + +var msg27206 = msg("25078", dup311); + +var msg27207 = msg("25079", dup311); + +var msg27208 = msg("25080", dup329); + +var msg27209 = msg("25081", dup329); + +var msg27210 = msg("25082", dup314); + +var msg27211 = msg("25083", dup314); + +var msg27212 = msg("25084", dup311); + +var msg27213 = msg("25085", dup311); + +var msg27214 = msg("25086", dup311); + +var msg27215 = msg("25087", dup311); + +var msg27216 = msg("25088", dup311); + +var msg27217 = msg("25089", dup311); + +var msg27218 = msg("25090", dup311); + +var msg27219 = msg("25091", dup311); + +var msg27220 = msg("25092", dup311); + +var msg27221 = msg("25093", dup311); + +var msg27222 = msg("25094", dup311); + +var msg27223 = msg("25095", dup311); + +var msg27224 = msg("25096", dup311); + +var msg27225 = msg("25097", dup311); + +var msg27226 = msg("25098", dup321); + +var msg27227 = msg("25099", dup321); + +var msg27228 = msg("25100", dup321); + +var msg27229 = msg("25101", dup309); + +var msg27230 = msg("25102", dup307); + +var msg27231 = msg("25103", dup311); + +var msg27232 = msg("25104", dup314); + +var msg27233 = msg("25105", dup314); + +var msg27234 = msg("25106", dup311); + +var msg27235 = msg("25107", dup321); + +var msg27236 = msg("25108", dup321); + +var msg27237 = msg("25109", dup321); + +var msg27238 = msg("25110", dup321); + +var msg27239 = msg("25111", dup309); + +var msg27240 = msg("25112", dup309); + +var msg27241 = msg("25113", dup309); + +var msg27242 = msg("25114", dup309); + +var msg27243 = msg("25115", dup309); + +var msg27244 = msg("25116", dup309); + +var msg27245 = msg("25117", dup309); + +var msg27246 = msg("25118", dup309); + +var msg27247 = msg("25119", dup325); + +var msg27248 = msg("25120", dup314); + +var msg27249 = msg("25121", dup311); + +var msg27250 = msg("25122", dup311); + +var msg27251 = msg("25123", dup311); + +var msg27252 = msg("25124", dup311); + +var msg27253 = msg("25125", dup325); + +var msg27254 = msg("25126", dup325); + +var msg27255 = msg("25127", dup325); + +var msg27256 = msg("25128", dup325); + +var msg27257 = msg("25129", dup325); + +var msg27258 = msg("25130", dup325); + +var msg27259 = msg("25131", dup325); + +var msg27260 = msg("25132", dup325); + +var msg27261 = msg("25133", dup325); + +var msg27262 = msg("25134", dup325); + +var msg27263 = msg("25135", dup311); + +var msg27264 = msg("25136", dup311); + +var msg27265 = msg("25137", dup311); + +var msg27266 = msg("25138", dup311); + +var msg27267 = msg("25139", dup311); + +var msg27268 = msg("25140", dup311); + +var msg27269 = msg("25141", dup321); + +var msg27270 = msg("25142", dup321); + +var msg27271 = msg("25143", dup321); + +var msg27272 = msg("25144", dup321); + +var msg27273 = msg("25145", dup321); + +var msg27274 = msg("25146", dup321); + +var msg27275 = msg("25147", dup321); + +var msg27276 = msg("25148", dup321); + +var msg27277 = msg("25149", dup321); + +var msg27278 = msg("25150", dup321); + +var msg27279 = msg("25151", dup321); + +var msg27280 = msg("25152", dup321); + +var msg27281 = msg("25153", dup321); + +var msg27282 = msg("25154", dup321); + +var msg27283 = msg("25155", dup321); + +var msg27284 = msg("25156", dup321); + +var msg27285 = msg("25157", dup321); + +var msg27286 = msg("25158", dup321); + +var msg27287 = msg("25159", dup321); + +var msg27288 = msg("25160", dup321); + +var msg27289 = msg("25161", dup321); + +var msg27290 = msg("25162", dup321); + +var msg27291 = msg("25163", dup321); + +var msg27292 = msg("25164", dup321); + +var msg27293 = msg("25165", dup321); + +var msg27294 = msg("25166", dup321); + +var msg27295 = msg("25167", dup321); + +var msg27296 = msg("25168", dup321); + +var msg27297 = msg("25169", dup321); + +var msg27298 = msg("25170", dup321); + +var msg27299 = msg("25171", dup321); + +var msg27300 = msg("25172", dup321); + +var msg27301 = msg("25173", dup321); + +var msg27302 = msg("25174", dup321); + +var msg27303 = msg("25175", dup321); + +var msg27304 = msg("25176", dup321); + +var msg27305 = msg("25177", dup321); + +var msg27306 = msg("25178", dup308); + +var msg27307 = msg("25179", dup321); + +var msg27308 = msg("25180", dup321); + +var msg27309 = msg("25181", dup321); + +var msg27310 = msg("25182", dup321); + +var msg27311 = msg("25183", dup321); + +var msg27312 = msg("25184", dup321); + +var msg27313 = msg("25185", dup321); + +var msg27314 = msg("25186", dup321); + +var msg27315 = msg("25187", dup321); + +var msg27316 = msg("25188", dup321); + +var msg27317 = msg("25189", dup321); + +var msg27318 = msg("25190", dup321); + +var msg27319 = msg("25191", dup321); + +var msg27320 = msg("25192", dup321); + +var msg27321 = msg("25193", dup321); + +var msg27322 = msg("25194", dup321); + +var msg27323 = msg("25195", dup321); + +var msg27324 = msg("25196", dup321); + +var msg27325 = msg("25197", dup321); + +var msg27326 = msg("25198", dup321); + +var msg27327 = msg("25199", dup321); + +var msg27328 = msg("25200", dup321); + +var msg27329 = msg("25201", dup321); + +var msg27330 = msg("25202", dup321); + +var msg27331 = msg("25203", dup321); + +var msg27332 = msg("25204", dup321); + +var msg27333 = msg("25205", dup321); + +var msg27334 = msg("25206", dup321); + +var msg27335 = msg("25207", dup321); + +var msg27336 = msg("25208", dup321); + +var msg27337 = msg("25209", dup321); + +var msg27338 = msg("25210", dup321); + +var msg27339 = msg("25211", dup321); + +var msg27340 = msg("25212", dup321); + +var msg27341 = msg("25213", dup321); + +var msg27342 = msg("25214", dup321); + +var msg27343 = msg("25215", dup321); + +var msg27344 = msg("25216", dup321); + +var msg27345 = msg("25217", dup321); + +var msg27346 = msg("25218", dup321); + +var msg27347 = msg("25219", dup321); + +var msg27348 = msg("25220", dup321); + +var msg27349 = msg("25221", dup321); + +var msg27350 = msg("25222", dup321); + +var msg27351 = msg("25223", dup321); + +var msg27352 = msg("25224", dup321); + +var msg27353 = msg("25225", dup325); + +var msg27354 = msg("25226", dup325); + +var msg27355 = msg("25227", dup314); + +var msg27356 = msg("25228", dup314); + +var msg27357 = msg("25229", dup321); + +var msg27358 = msg("25230", dup321); + +var msg27359 = msg("25231", dup321); + +var msg27360 = msg("25232", dup311); + +var msg27361 = msg("25233", dup311); + +var msg27362 = msg("25234", dup325); + +var msg27363 = msg("25235", dup325); + +var msg27364 = msg("25236", dup311); + +var msg27365 = msg("25237", dup321); + +var msg27366 = msg("25238", dup311); + +var msg27367 = msg("25239", dup321); + +var msg27368 = msg("25240", dup321); + +var msg27369 = msg("25241", dup321); + +var msg27370 = msg("25242", dup321); + +var msg27371 = msg("25243", dup325); + +var msg27372 = msg("25244", dup321); + +var msg27373 = msg("25245", dup325); + +var msg27374 = msg("25246", dup311); + +var msg27375 = msg("25247", dup309); + +var msg27376 = msg("25248", dup309); + +var msg27377 = msg("25249", dup321); + +var msg27378 = msg("25250", dup314); + +var msg27379 = msg("25251", dup314); + +var msg27380 = msg("25252", dup309); + +var msg27381 = msg("25253", dup309); + +var msg27382 = msg("25254", dup314); + +var msg27383 = msg("25255", dup311); + +var msg27384 = msg("25256", dup321); + +var msg27385 = msg("25257", dup321); + +var msg27386 = msg("25258", dup321); + +var msg27387 = msg("25259", dup321); + +var msg27388 = msg("25260", dup325); + +var msg27389 = msg("25261", dup325); + +var msg27390 = msg("25262", dup325); + +var msg27391 = msg("25263", dup314); + +var msg27392 = msg("25264", dup314); + +var msg27393 = msg("25265", dup314); + +var msg27394 = msg("25266", dup311); + +var msg27395 = msg("25267", dup311); + +var msg27396 = msg("25268", dup321); + +var msg27397 = msg("25269", dup321); + +var msg27398 = msg("25270", dup309); + +var msg27399 = msg("25271", dup321); + +var msg27400 = msg("25272", dup311); + +var msg27401 = msg("25273", dup311); + +var msg27402 = msg("25274", dup324); + +var msg27403 = msg("25275", dup311); + +var msg27404 = msg("25276", dup311); + +var msg27405 = msg("25277", dup321); + +var msg27406 = msg("25278", dup321); + +var msg27407 = msg("25279", dup321); + +var msg27408 = msg("25280", dup321); + +var msg27409 = msg("25281", dup321); + +var msg27410 = msg("25282", dup321); + +var msg27411 = msg("25283", dup321); + +var msg27412 = msg("25284", dup321); + +var msg27413 = msg("25285", dup322); + +var msg27414 = msg("25286", dup314); + +var msg27415 = msg("25287", dup311); + +var msg27416 = msg("25288", dup311); + +var msg27417 = msg("25289", dup323); + +var msg27418 = msg("25290", dup323); + +var msg27419 = msg("25291", dup323); + +var msg27420 = msg("25292", dup323); + +var msg27421 = msg("25293", dup307); + +var msg27422 = msg("25294", dup307); + +var msg27423 = msg("25295", dup307); + +var msg27424 = msg("25296", dup307); + +var msg27425 = msg("25297", dup311); + +var msg27426 = msg("25298", dup311); + +var msg27427 = msg("25299", dup314); + +var msg27428 = msg("25300", dup314); + +var msg27429 = msg("25301", dup311); + +var msg27430 = msg("25302", dup311); + +var msg27431 = msg("25303", dup311); + +var msg27432 = msg("25304", dup311); + +var msg27433 = msg("25305", dup314); + +var msg27434 = msg("25306", dup314); + +var msg27435 = msg("25307", dup314); + +var msg27436 = msg("25308", dup314); + +var msg27437 = msg("25309", dup309); + +var msg27438 = msg("25310", dup309); + +var msg27439 = msg("25311", dup309); + +var msg27440 = msg("25312", dup311); + +var msg27441 = msg("25313", dup311); + +var msg27442 = msg("25314", dup324); + +var msg27443 = msg("25315", dup314); + +var msg27444 = msg("25316", dup309); + +var msg27445 = msg("25317", dup314); + +var msg27446 = msg("25318", dup314); + +var msg27447 = msg("25319", dup314); + +var msg27448 = msg("25320", dup311); + +var msg27449 = msg("25321", dup309); + +var msg27450 = msg("25322", dup311); + +var msg27451 = msg("25323", dup311); + +var msg27452 = msg("25324", dup311); + +var msg27453 = msg("25325", dup311); + +var msg27454 = msg("25326", dup311); + +var msg27455 = msg("25327", dup311); + +var msg27456 = msg("25328", dup311); + +var msg27457 = msg("25329", dup311); + +var msg27458 = msg("25330", dup309); + +var msg27459 = msg("25331", dup309); + +var msg27460 = msg("25332", dup309); + +var msg27461 = msg("25333", dup309); + +var msg27462 = msg("25334", dup309); + +var msg27463 = msg("25335", dup309); + +var msg27464 = msg("25336", dup309); + +var msg27465 = msg("25337", dup309); + +var msg27466 = msg("25338", dup309); + +var msg27467 = msg("25339", dup309); + +var msg27468 = msg("25340", dup309); + +var msg27469 = msg("25341", dup311); + +var msg27470 = msg("25342", dup324); + +var msg27471 = msg("25343", dup311); + +var msg27472 = msg("25344", dup311); + +var msg27473 = msg("25345", dup311); + +var msg27474 = msg("25346", dup311); + +var msg27475 = msg("25347", dup311); + +var msg27476 = msg("25348", dup311); + +var msg27477 = msg("25349", dup311); + +var msg27478 = msg("25350", dup311); + +var msg27479 = msg("25351", dup311); + +var msg27480 = msg("25352", dup311); + +var msg27481 = msg("25353", dup309); + +var msg27482 = msg("25354", dup309); + +var msg27483 = msg("25355", dup307); + +var msg27484 = msg("25356", dup309); + +var msg27485 = msg("25357", dup311); + +var msg27486 = msg("25358", dup311); + +var msg27487 = msg("25359", dup311); + +var msg27488 = msg("25360", dup311); + +var msg27489 = msg("25361", dup311); + +var msg27490 = msg("25362", dup311); + +var msg27491 = msg("25363", dup311); + +var msg27492 = msg("25364", dup311); + +var msg27493 = msg("25365", dup311); + +var msg27494 = msg("25366", dup309); + +var msg27495 = msg("25367", dup309); + +var msg27496 = msg("25368", dup321); + +var msg27497 = msg("25369", dup307); + +var msg27498 = msg("25370", dup311); + +var msg27499 = msg("25371", dup321); + +var msg27500 = msg("25372", dup325); + +var msg27501 = msg("25373", dup314); + +var msg27502 = msg("25374", dup314); + +var msg27503 = msg("25375", dup314); + +var msg27504 = msg("25376", dup309); + +var msg27505 = msg("25377", dup309); + +var msg27506 = msg("25378", dup309); + +var msg27507 = msg("25379", dup309); + +var msg27508 = msg("25380", dup309); + +var msg27509 = msg("25381", dup311); + +var msg27510 = msg("25382", dup311); + +var msg27511 = msg("25383", dup311); + +var msg27512 = msg("25384", dup311); + +var msg27513 = msg("25385", dup311); + +var msg27514 = msg("25386", dup311); + +var msg27515 = msg("25387", dup311); + +var msg27516 = msg("25388", dup311); + +var msg27517 = msg("25389", dup311); + +var msg27518 = msg("25390", dup311); + +var msg27519 = msg("25391", dup311); + +var msg27520 = msg("25392", dup307); + +var msg27521 = msg("25393", dup309); + +var msg27522 = msg("25394", dup314); + +var msg27523 = msg("25395", dup314); + +var msg27524 = msg("25396", dup314); + +var msg27525 = msg("25397", dup314); + +var msg27526 = msg("25398", dup314); + +var msg27527 = msg("25399", dup314); + +var msg27528 = msg("25400", dup314); + +var msg27529 = msg("25401", dup321); + +var msg27530 = msg("25402", dup321); + +var msg27531 = msg("25403", dup321); + +var msg27532 = msg("25404", dup321); + +var msg27533 = msg("25405", dup321); + +var msg27534 = msg("25406", dup321); + +var msg27535 = msg("25407", dup321); + +var msg27536 = msg("25408", dup321); + +var msg27537 = msg("25409", dup321); + +var msg27538 = msg("25410", dup321); + +var msg27539 = msg("25411", dup321); + +var msg27540 = msg("25412", dup321); + +var msg27541 = msg("25413", dup321); + +var msg27542 = msg("25414", dup321); + +var msg27543 = msg("25415", dup321); + +var msg27544 = msg("25416", dup321); + +var msg27545 = msg("25417", dup321); + +var msg27546 = msg("25418", dup321); + +var msg27547 = msg("25419", dup321); + +var msg27548 = msg("25420", dup321); + +var msg27549 = msg("25421", dup321); + +var msg27550 = msg("25422", dup321); + +var msg27551 = msg("25423", dup321); + +var msg27552 = msg("25424", dup321); + +var msg27553 = msg("25425", dup321); + +var msg27554 = msg("25426", dup321); + +var msg27555 = msg("25427", dup321); + +var msg27556 = msg("25428", dup321); + +var msg27557 = msg("25429", dup321); + +var msg27558 = msg("25430", dup321); + +var msg27559 = msg("25431", dup321); + +var msg27560 = msg("25432", dup321); + +var msg27561 = msg("25433", dup321); + +var msg27562 = msg("25434", dup321); + +var msg27563 = msg("25435", dup321); + +var msg27564 = msg("25436", dup321); + +var msg27565 = msg("25437", dup321); + +var msg27566 = msg("25438", dup321); + +var msg27567 = msg("25439", dup321); + +var msg27568 = msg("25440", dup321); + +var msg27569 = msg("25441", dup321); + +var msg27570 = msg("25442", dup321); + +var msg27571 = msg("25443", dup321); + +var msg27572 = msg("25444", dup321); + +var msg27573 = msg("25445", dup321); + +var msg27574 = msg("25446", dup321); + +var msg27575 = msg("25447", dup321); + +var msg27576 = msg("25448", dup321); + +var msg27577 = msg("25449", dup323); + +var msg27578 = msg("25450", dup323); + +var msg27579 = msg("25451", dup314); + +var msg27580 = msg("25452", dup314); + +var msg27581 = msg("25453", dup314); + +var msg27582 = msg("25454", dup314); + +var msg27583 = msg("25455", dup314); + +var msg27584 = msg("25456", dup314); + +var msg27585 = msg("25457", dup314); + +var msg27586 = msg("25458", dup314); + +var msg27587 = msg("25459", dup309); + +var msg27588 = msg("25460", dup309); + +var msg27589 = msg("25461", dup309); + +var msg27590 = msg("25462", dup309); + +var msg27591 = msg("25463", dup309); + +var msg27592 = msg("25464", dup309); + +var msg27593 = msg("25465", dup321); + +var msg27594 = msg("25466", dup324); + +var msg27595 = msg("25467", dup324); + +var msg27596 = msg("25468", dup324); + +var msg27597 = msg("25469", dup324); + +var msg27598 = msg("25470", dup321); + +var msg27599 = msg("25471", dup321); + +var msg27600 = msg("25472", dup311); + +var msg27601 = msg("25473", dup311); + +var msg27602 = msg("25474", dup314); + +var msg27603 = msg("25475", dup323); + +var msg27604 = msg("25476", dup325); + +var msg27605 = msg("25477", dup321); + +var msg27606 = msg("25478", dup314); + +var msg27607 = msg("25479", dup314); + +var msg27608 = msg("25502", dup309); + +var msg27609 = msg("25503", dup321); + +var msg27610 = msg("25504", dup321); + +var msg27611 = msg("25505", dup311); + +var msg27612 = msg("25506", dup311); + +var msg27613 = msg("25507", dup311); + +var msg27614 = msg("25508", dup311); + +var msg27615 = msg("25509", dup311); + +var msg27616 = msg("25510", dup311); + +var msg27617 = msg("25511", dup321); + +var msg27618 = msg("25512", dup321); + +var msg27619 = msg("25513", dup311); + +var msg27620 = msg("25514", dup311); + +var msg27621 = msg("25515", dup311); + +var msg27622 = msg("25516", dup314); + +var msg27623 = msg("25517", dup314); + +var msg27624 = msg("25518", dup323); + +var msg27625 = msg("25519", dup323); + +var msg27626 = msg("25520", dup323); + +var msg27627 = msg("25521", dup314); + +var msg27628 = msg("25522", dup314); + +var msg27629 = msg("25523", dup314); + +var msg27630 = msg("25524", dup314); + +var msg27631 = msg("25525", dup314); + +var msg27632 = msg("25526", dup307); + +var msg27633 = msg("25527", dup309); + +var msg27634 = msg("25528", dup311); + +var msg27635 = msg("25529", dup321); + +var msg27636 = msg("25530", dup321); + +var msg27637 = msg("25531", dup321); + +var msg27638 = msg("25532", dup321); + +var msg27639 = msg("25533", dup325); + +var msg27640 = msg("25534", dup330); + +var msg27641 = msg("25535", dup311); + +var msg27642 = msg("25536", dup314); + +var msg27643 = msg("25537", dup314); + +var msg27644 = msg("25538", dup311); + +var msg27645 = msg("25539", dup311); + +var msg27646 = msg("25540", dup311); + +var msg27647 = msg("25541", dup321); + +var msg27648 = msg("25542", dup308); + +var msg27649 = msg("25543", dup321); + +var msg27650 = msg("25544", dup325); + +var msg27651 = msg("25545", dup321); + +var msg27652 = msg("25546", dup321); + +var msg27653 = msg("25547", dup321); + +var msg27654 = msg("25548", dup321); + +var msg27655 = msg("25549", dup309); + +var msg27656 = msg("25550", dup309); + +var msg27657 = msg("25551", dup321); + +var msg27658 = msg("25552", dup314); + +var msg27659 = msg("25553", dup321); + +var msg27660 = msg("25554", dup321); + +var msg27661 = msg("25555", dup321); + +var msg27662 = msg("25556", dup314); + +var msg27663 = msg("25557", dup316); + +var msg27664 = msg("25558", dup311); + +var msg27665 = msg("25559", dup311); + +var msg27666 = msg("25560", dup311); + +var msg27667 = msg("25561", dup311); + +var msg27668 = msg("25562", dup314); + +var msg27669 = msg("25563", dup309); + +var msg27670 = msg("25564", dup309); + +var msg27671 = msg("25565", dup314); + +var msg27672 = msg("25566", dup314); + +var msg27673 = msg("25567", dup311); + +var msg27674 = msg("25568", dup311); + +var msg27675 = msg("25569", dup311); + +var msg27676 = msg("25570", dup321); + +var msg27677 = msg("25571", dup321); + +var msg27678 = msg("25572", dup321); + +var msg27679 = msg("25573", dup311); + +var msg27680 = msg("25574", dup311); + +var msg27681 = msg("25575", dup311); + +var msg27682 = msg("25576", dup311); + +var msg27683 = msg("25577", dup321); + +var msg27684 = msg("25578", dup311); + +var msg27685 = msg("25579", dup311); + +var msg27686 = msg("25580", dup311); + +var msg27687 = msg("25581", dup316); + +var msg27688 = msg("25582", dup316); + +var msg27689 = msg("25583", dup316); + +var msg27690 = msg("25584", dup316); + +var msg27691 = msg("25585", dup316); + +var msg27692 = msg("25586", dup309); + +var msg27693 = msg("25587", dup309); + +var msg27694 = msg("25588", dup309); + +var msg27695 = msg("25589", dup309); + +var msg27696 = msg("25590", dup311); + +var msg27697 = msg("25591", dup311); + +var msg27698 = msg("25592", dup314); + +var msg27699 = msg("25593", dup311); + +var msg27700 = msg("25594", dup311); + +var msg27701 = msg("25595", dup311); + +var msg27702 = msg("25596", dup311); + +var msg27703 = msg("25597", dup311); + +var msg27704 = msg("25598", dup311); + +var msg27705 = msg("25599", dup321); + +var msg27706 = msg("25600", dup321); + +var msg27707 = msg("25601", dup309); + +var msg27708 = msg("25602", dup314); + +var msg27709 = msg("25603", dup311); + +var msg27710 = msg("25604", dup314); + +var msg27711 = msg("25605", dup314); + +var msg27712 = msg("25606", dup314); + +var msg27713 = msg("25607", dup309); + +var msg27714 = msg("25608", dup309); + +var msg27715 = msg("25609", dup321); + +var msg27716 = msg("25610", dup321); + +var msg27717 = msg("25611", dup311); + +var msg27718 = msg("25612", dup309); + +var msg27719 = msg("25613", dup314); + +var msg27720 = msg("25614", dup314); + +var msg27721 = msg("25615", dup314); + +var msg27722 = msg("25616", dup314); + +var msg27723 = msg("25617", dup309); + +var msg27724 = msg("25618", dup309); + +var msg27725 = msg("25619", dup309); + +var msg27726 = msg("25620", dup309); + +var msg27727 = msg("25621", dup314); + +var msg27728 = msg("25622", dup314); + +var msg27729 = msg("25623", dup321); + +var msg27730 = msg("25624", dup321); + +var msg27731 = msg("25625", dup321); + +var msg27732 = msg("25626", dup321); + +var msg27733 = msg("25627", dup321); + +var msg27734 = msg("25628", dup321); + +var msg27735 = msg("25630", dup309); + +var msg27736 = msg("25631", dup309); + +var msg27737 = msg("25632", dup321); + +var msg27738 = msg("25633", dup321); + +var msg27739 = msg("25634", dup316); + +var msg27740 = msg("25635", dup316); + +var msg27741 = msg("25636", dup316); + +var msg27742 = msg("25637", dup316); + +var msg27743 = msg("25638", dup316); + +var msg27744 = msg("25639", dup316); + +var msg27745 = msg("25640", dup316); + +var msg27746 = msg("25641", dup316); + +var msg27747 = msg("25642", dup316); + +var msg27748 = msg("25643", dup316); + +var msg27749 = msg("25644", dup309); + +var msg27750 = msg("25645", dup309); + +var msg27751 = msg("25646", dup309); + +var msg27752 = msg("25647", dup309); + +var msg27753 = msg("25648", dup309); + +var msg27754 = msg("25649", dup309); + +var msg27755 = msg("25650", dup309); + +var msg27756 = msg("25651", dup311); + +var msg27757 = msg("25652", dup321); + +var msg27758 = msg("25653", dup314); + +var msg27759 = msg("25654", dup309); + +var msg27760 = msg("25655", dup309); + +var msg27761 = msg("25656", dup309); + +var msg27762 = msg("25657", dup314); + +var msg27763 = msg("25658", dup314); + +var msg27764 = msg("25659", dup325); + +var msg27765 = msg("25660", dup321); + +var msg27766 = msg("25661", dup321); + +var msg27767 = msg("25662", dup321); + +var msg27768 = msg("25663", dup321); + +var msg27769 = msg("25664", dup309); + +var msg27770 = msg("25665", dup321); + +var msg27771 = msg("25666", dup321); + +var msg27772 = msg("25667", dup321); + +var msg27773 = msg("25668", dup321); + +var msg27774 = msg("25669", dup321); + +var msg27775 = msg("25670", dup321); + +var msg27776 = msg("25671", dup321); + +var msg27777 = msg("25672", dup321); + +var msg27778 = msg("25673", dup321); + +var msg27779 = msg("25674", dup321); + +var msg27780 = msg("25675", dup321); + +var msg27781 = msg("25676", dup311); + +var msg27782 = msg("25677", dup311); + +var msg27783 = msg("25678", dup311); + +var msg27784 = msg("25679", dup311); + +var msg27785 = msg("25680", dup314); + +var msg27786 = msg("25681", dup309); + +var msg27787 = msg("25682", dup314); + +var msg27788 = msg("25683", dup309); + +var msg27789 = msg("25684", dup321); + +var msg27790 = msg("25685", dup321); + +var msg27791 = msg("25686", dup321); + +var msg27792 = msg("25687", dup321); + +var msg27793 = msg("25688", dup321); + +var msg27794 = msg("25689", dup321); + +var msg27795 = msg("25690", dup321); + +var msg27796 = msg("25691", dup321); + +var msg27797 = msg("25692", dup321); + +var msg27798 = msg("25693", dup321); + +var msg27799 = msg("25694", dup321); + +var msg27800 = msg("25695", dup321); + +var msg27801 = msg("25696", dup321); + +var msg27802 = msg("25697", dup321); + +var msg27803 = msg("25698", dup321); + +var msg27804 = msg("25699", dup321); + +var msg27805 = msg("25700", dup321); + +var msg27806 = msg("25701", dup321); + +var msg27807 = msg("25702", dup321); + +var msg27808 = msg("25703", dup321); + +var msg27809 = msg("25704", dup321); + +var msg27810 = msg("25705", dup321); + +var msg27811 = msg("25706", dup321); + +var msg27812 = msg("25707", dup321); + +var msg27813 = msg("25708", dup321); + +var msg27814 = msg("25709", dup321); + +var msg27815 = msg("25710", dup321); + +var msg27816 = msg("25711", dup321); + +var msg27817 = msg("25712", dup321); + +var msg27818 = msg("25713", dup321); + +var msg27819 = msg("25714", dup321); + +var msg27820 = msg("25715", dup321); + +var msg27821 = msg("25716", dup321); + +var msg27822 = msg("25717", dup321); + +var msg27823 = msg("25718", dup321); + +var msg27824 = msg("25719", dup321); + +var msg27825 = msg("25720", dup321); + +var msg27826 = msg("25721", dup321); + +var msg27827 = msg("25722", dup321); + +var msg27828 = msg("25723", dup321); + +var msg27829 = msg("25724", dup321); + +var msg27830 = msg("25725", dup321); + +var msg27831 = msg("25726", dup321); + +var msg27832 = msg("25727", dup321); + +var msg27833 = msg("25728", dup321); + +var msg27834 = msg("25729", dup321); + +var msg27835 = msg("25730", dup321); + +var msg27836 = msg("25731", dup321); + +var msg27837 = msg("25732", dup321); + +var msg27838 = msg("25733", dup321); + +var msg27839 = msg("25734", dup321); + +var msg27840 = msg("25735", dup321); + +var msg27841 = msg("25736", dup321); + +var msg27842 = msg("25737", dup321); + +var msg27843 = msg("25738", dup321); + +var msg27844 = msg("25739", dup321); + +var msg27845 = msg("25740", dup321); + +var msg27846 = msg("25741", dup321); + +var msg27847 = msg("25742", dup321); + +var msg27848 = msg("25743", dup321); + +var msg27849 = msg("25744", dup321); + +var msg27850 = msg("25745", dup321); + +var msg27851 = msg("25746", dup321); + +var msg27852 = msg("25747", dup321); + +var msg27853 = msg("25748", dup321); + +var msg27854 = msg("25749", dup321); + +var msg27855 = msg("25750", dup321); + +var msg27856 = msg("25751", dup321); + +var msg27857 = msg("25752", dup321); + +var msg27858 = msg("25753", dup321); + +var msg27859 = msg("25754", dup321); + +var msg27860 = msg("25755", dup321); + +var msg27861 = msg("25756", dup321); + +var msg27862 = msg("25757", dup321); + +var msg27863 = msg("25758", dup321); + +var msg27864 = msg("25759", dup321); + +var msg27865 = msg("25760", dup321); + +var msg27866 = msg("25761", dup321); + +var msg27867 = msg("25762", dup321); + +var msg27868 = msg("25763", dup321); + +var msg27869 = msg("25764", dup321); + +var msg27870 = msg("25765", dup321); + +var msg27871 = msg("25766", dup321); + +var msg27872 = msg("25767", dup314); + +var msg27873 = msg("25768", dup309); + +var msg27874 = msg("25769", dup314); + +var msg27875 = msg("25770", dup311); + +var msg27876 = msg("25771", dup325); + +var msg27877 = msg("25772", dup325); + +var msg27878 = msg("25773", dup325); + +var msg27879 = msg("25774", dup323); + +var msg27880 = msg("25775", dup325); + +var msg27881 = msg("25776", dup311); + +var msg27882 = msg("25777", dup311); + +var msg27883 = msg("25778", dup325); + +var msg27884 = msg("25779", dup311); + +var msg27885 = msg("25780", dup309); + +var msg27886 = msg("25781", dup311); + +var msg27887 = msg("25782", dup311); + +var msg27888 = msg("25783", dup322); + +var msg27889 = msg("25784", dup325); + +var msg27890 = msg("25785", dup325); + +var msg27891 = msg("25786", dup311); + +var msg27892 = msg("25787", dup311); + +var msg27893 = msg("25788", dup325); + +var msg27894 = msg("25789", dup325); + +var msg27895 = msg("25790", dup325); + +var msg27896 = msg("25791", dup325); + +var msg27897 = msg("25792", dup325); + +var msg27898 = msg("25793", dup325); + +var msg27899 = msg("25794", dup325); + +var msg27900 = msg("25795", dup309); + +var msg27901 = msg("25796", dup309); + +var msg27902 = msg("25797", dup311); + +var msg27903 = msg("25798", dup307); + +var msg27904 = msg("25799", dup311); + +var msg27905 = msg("25800", dup307); + +var msg27906 = msg("25801", dup311); + +var msg27907 = msg("25802", dup311); + +var msg27908 = msg("25803", dup311); + +var msg27909 = msg("25804", dup311); + +var msg27910 = msg("25805", dup311); + +var msg27911 = msg("25806", dup311); + +var msg27912 = msg("25807", dup321); + +var msg27913 = msg("25808", dup311); + +var msg27914 = msg("25809", dup321); + +var msg27915 = msg("25810", dup311); + +var msg27916 = msg("25811", dup311); + +var msg27917 = msg("25812", dup311); + +var msg27918 = msg("25813", dup311); + +var msg27919 = msg("25814", dup314); + +var msg27920 = msg("25815", dup309); + +var msg27921 = msg("25816", dup309); + +var msg27922 = msg("25817", dup321); + +var msg27923 = msg("25818", dup325); + +var msg27924 = msg("25819", dup325); + +var msg27925 = msg("25820", dup311); + +var msg27926 = msg("25821", dup311); + +var msg27927 = msg("25822", dup311); + +var msg27928 = msg("25823", dup311); + +var msg27929 = msg("25824", dup311); + +var msg27930 = msg("25825", dup314); + +var msg27931 = msg("25826", dup314); + +var msg27932 = msg("25827", dup314); + +var msg27933 = msg("25828", dup314); + +var msg27934 = msg("25829", dup321); + +var msg27935 = msg("25830", dup325); + +var msg27936 = msg("25831", dup311); + +var msg27937 = msg("25832", dup311); + +var msg27938 = msg("25833", dup325); + +var msg27939 = msg("25834", dup311); + +var msg27940 = msg("25835", dup307); + +var msg27941 = msg("25836", dup325); + +var msg27942 = msg("25837", dup325); + +var msg27943 = msg("25838", dup325); + +var msg27944 = msg("25839", dup325); + +var msg27945 = msg("25840", dup325); + +var msg27946 = msg("25841", dup325); + +var msg27947 = msg("25842", dup325); + +var msg27948 = msg("25843", dup325); + +var msg27949 = msg("25844", dup325); + +var msg27950 = msg("25845", dup325); + +var msg27951 = msg("25846", dup325); + +var msg27952 = msg("25847", dup325); + +var msg27953 = msg("25848", dup325); + +var msg27954 = msg("25849", dup314); + +var msg27955 = msg("25850", dup314); + +var msg27956 = msg("25851", dup314); + +var msg27957 = msg("25852", dup314); + +var msg27958 = msg("25853", dup309); + +var msg27959 = msg("25854", dup321); + +var msg27960 = msg("25855", dup311); + +var msg27961 = msg("25856", dup309); + +var msg27962 = msg("25857", dup311); + +var msg27963 = msg("25858", dup311); + +var msg27964 = msg("25859", dup311); + +var msg27965 = msg("25860", dup311); + +var msg27966 = msg("25861", dup311); + +var msg27967 = msg("25862", dup311); + +var msg27968 = msg("25863", dup321); + +var msg27969 = msg("25864", dup321); + +var msg27970 = msg("25865", dup321); + +var msg27971 = msg("25866", dup321); + +var msg27972 = msg("25867", dup321); + +var msg27973 = msg("25868", dup321); + +var msg27974 = msg("25869", dup309); + +var msg27975 = msg("25870", dup309); + +var msg27976 = msg("25871", dup309); + +var msg27977 = msg("25872", dup309); + +var msg27978 = msg("25873", dup309); + +var msg27979 = msg("25874", dup309); + +var msg27980 = msg("25875", dup309); + +var msg27981 = msg("25876", dup309); + +var msg27982 = msg("25877", dup309); + +var msg27983 = msg("25878", dup309); + +var msg27984 = msg("25879", dup309); + +var msg27985 = msg("25880", dup309); + +var msg27986 = msg("25881", dup309); + +var msg27987 = msg("25882", dup309); + +var msg27988 = msg("25883", dup309); + +var msg27989 = msg("25884", dup309); + +var msg27990 = msg("25885", dup309); + +var msg27991 = msg("25886", dup309); + +var msg27992 = msg("25887", dup309); + +var msg27993 = msg("25888", dup309); + +var msg27994 = msg("25889", dup309); + +var msg27995 = msg("25890", dup309); + +var msg27996 = msg("25891", dup309); + +var msg27997 = msg("25892", dup309); + +var msg27998 = msg("25893", dup309); + +var msg27999 = msg("25894", dup309); + +var msg28000 = msg("25895", dup309); + +var msg28001 = msg("25896", dup309); + +var msg28002 = msg("25897", dup309); + +var msg28003 = msg("25898", dup309); + +var msg28004 = msg("25899", dup309); + +var msg28005 = msg("25900", dup309); + +var msg28006 = msg("25901", dup309); + +var msg28007 = msg("25902", dup309); + +var msg28008 = msg("25903", dup309); + +var msg28009 = msg("25904", dup309); + +var msg28010 = msg("25905", dup309); + +var msg28011 = msg("25906", dup309); + +var msg28012 = msg("25907", dup314); + +var msg28013 = msg("25908", dup309); + +var msg28014 = msg("25909", dup309); + +var msg28015 = msg("25910", dup309); + +var msg28016 = msg("25911", dup309); + +var msg28017 = msg("25912", dup309); + +var msg28018 = msg("25913", dup309); + +var msg28019 = msg("25914", dup309); + +var msg28020 = msg("25915", dup309); + +var msg28021 = msg("25916", dup309); + +var msg28022 = msg("25917", dup309); + +var msg28023 = msg("25918", dup309); + +var msg28024 = msg("25919", dup309); + +var msg28025 = msg("25920", dup309); + +var msg28026 = msg("25921", dup309); + +var msg28027 = msg("25922", dup309); + +var msg28028 = msg("25923", dup309); + +var msg28029 = msg("25924", dup309); + +var msg28030 = msg("25925", dup309); + +var msg28031 = msg("25926", dup309); + +var msg28032 = msg("25927", dup309); + +var msg28033 = msg("25928", dup314); + +var msg28034 = msg("25929", dup314); + +var msg28035 = msg("25930", dup314); + +var msg28036 = msg("25931", dup314); + +var msg28037 = msg("25932", dup314); + +var msg28038 = msg("25933", dup314); + +var msg28039 = msg("25934", dup314); + +var msg28040 = msg("25935", dup314); + +var msg28041 = msg("25936", dup314); + +var msg28042 = msg("25937", dup314); + +var msg28043 = msg("25938", dup314); + +var msg28044 = msg("25939", dup314); + +var msg28045 = msg("25940", dup314); + +var msg28046 = msg("25941", dup314); + +var msg28047 = msg("25942", dup314); + +var msg28048 = msg("25943", dup314); + +var msg28049 = msg("25944", dup314); + +var msg28050 = msg("25945", dup314); + +var msg28051 = msg("25946", dup321); + +var msg28052 = msg("25947", dup314); + +var msg28053 = msg("25948", dup311); + +var msg28054 = msg("25949", dup321); + +var msg28055 = msg("25950", dup311); + +var msg28056 = msg("25951", dup311); + +var msg28057 = msg("25952", dup311); + +var msg28058 = msg("25953", dup311); + +var msg28059 = msg("25954", dup311); + +var msg28060 = msg("25955", dup311); + +var msg28061 = msg("25956", dup311); + +var msg28062 = msg("25957", dup311); + +var msg28063 = msg("25958", dup311); + +var msg28064 = msg("25959", dup311); + +var msg28065 = msg("25960", dup311); + +var msg28066 = msg("25961", dup311); + +var msg28067 = msg("25962", dup311); + +var msg28068 = msg("25963", dup311); + +var msg28069 = msg("25964", dup311); + +var msg28070 = msg("25965", dup311); + +var msg28071 = msg("25966", dup311); + +var msg28072 = msg("25967", dup311); + +var msg28073 = msg("25968", dup311); + +var msg28074 = msg("25969", dup309); + +var msg28075 = msg("25970", dup314); + +var msg28076 = msg("25971", dup311); + +var msg28077 = msg("25972", dup311); + +var msg28078 = msg("25973", dup321); + +var msg28079 = msg("25974", dup321); + +var msg28080 = msg("25975", dup314); + +var msg28081 = msg("25976", dup314); + +var msg28082 = msg("25977", dup314); + +var msg28083 = msg("25978", dup321); + +var msg28084 = msg("25979", dup321); + +var msg28085 = msg("25980", dup325); + +var msg28086 = msg("25981", dup314); + +var msg28087 = msg("25982", dup311); + +var msg28088 = msg("25983", dup327); + +var msg28089 = msg("25984", dup311); + +var msg28090 = msg("25985", dup311); + +var msg28091 = msg("25986", dup311); + +var msg28092 = msg("25987", dup321); + +var msg28093 = msg("25988", dup311); + +var msg28094 = msg("25989", dup311); + +var msg28095 = msg("25990", dup321); + +var msg28096 = msg("25991", dup321); + +var msg28097 = msg("25992", dup321); + +var msg28098 = msg("25993", dup321); + +var msg28099 = msg("25994", dup321); + +var msg28100 = msg("25995", dup321); + +var msg28101 = msg("25996", dup321); + +var msg28102 = msg("25997", dup321); + +var msg28103 = msg("25998", dup321); + +var msg28104 = msg("25999", dup321); + +var msg28105 = msg("26000", dup307); + +var msg28106 = msg("26001", dup307); + +var msg28107 = msg("26002", dup307); + +var msg28108 = msg("26003", dup307); + +var msg28109 = msg("26004", dup307); + +var msg28110 = msg("26005", dup307); + +var msg28111 = msg("26006", dup307); + +var msg28112 = msg("26007", dup307); + +var msg28113 = msg("26008", dup316); + +var msg28114 = msg("26009", dup316); + +var msg28115 = msg("26010", dup321); + +var msg28116 = msg("26011", dup309); + +var msg28117 = msg("26012", dup311); + +var msg28118 = msg("26013", dup311); + +var msg28119 = msg("26014", dup311); + +var msg28120 = msg("26015", dup321); + +var msg28121 = msg("26016", dup321); + +var msg28122 = msg("26017", dup321); + +var msg28123 = msg("26018", dup321); + +var msg28124 = msg("26019", dup321); + +var msg28125 = msg("26020", dup311); + +var msg28126 = msg("26021", dup314); + +var msg28127 = msg("26022", dup314); + +var msg28128 = msg("26023", dup321); + +var msg28129 = msg("26024", dup321); + +var msg28130 = msg("26025", dup314); + +var msg28131 = msg("26026", dup321); + +var msg28132 = msg("26027", dup309); + +var msg28133 = msg("26028", dup311); + +var msg28134 = msg("26029", dup311); + +var msg28135 = msg("26030", dup325); + +var msg28136 = msg("26031", dup311); + +var msg28137 = msg("26032", dup311); + +var msg28138 = msg("26033", dup311); + +var msg28139 = msg("26034", dup311); + +var msg28140 = msg("26035", dup311); + +var msg28141 = msg("26036", dup311); + +var msg28142 = msg("26037", dup311); + +var msg28143 = msg("26038", dup311); + +var msg28144 = msg("26039", dup311); + +var msg28145 = msg("26040", dup311); + +var msg28146 = msg("26041", dup311); + +var msg28147 = msg("26042", dup311); + +var msg28148 = msg("26043", dup311); + +var msg28149 = msg("26044", dup311); + +var msg28150 = msg("26045", dup311); + +var msg28151 = msg("26046", dup311); + +var msg28152 = msg("26047", dup311); + +var msg28153 = msg("26048", dup311); + +var msg28154 = msg("26049", dup311); + +var msg28155 = msg("26050", dup311); + +var msg28156 = msg("26051", dup311); + +var msg28157 = msg("26052", dup311); + +var msg28158 = msg("26053", dup311); + +var msg28159 = msg("26054", dup311); + +var msg28160 = msg("26055", dup311); + +var msg28161 = msg("26056", dup311); + +var msg28162 = msg("26057", dup323); + +var msg28163 = msg("26058", dup323); + +var msg28164 = msg("26059", dup314); + +var msg28165 = msg("26060", dup314); + +var msg28166 = msg("26061", dup314); + +var msg28167 = msg("26062", dup314); + +var msg28168 = msg("26063", dup314); + +var msg28169 = msg("26064", dup314); + +var msg28170 = msg("26065", dup314); + +var msg28171 = msg("26066", dup311); + +var msg28172 = msg("26067", dup311); + +var msg28173 = msg("26068", dup311); + +var msg28174 = msg("26069", dup311); + +var msg28175 = msg("26070", dup311); + +var msg28176 = msg("26071", dup311); + +var msg28177 = msg("26072", dup321); + +var msg28178 = msg("26073", dup309); + +var msg28179 = msg("26074", dup309); + +var msg28180 = msg("26075", dup321); + +var msg28181 = msg("26076", dup323); + +var msg28182 = msg("26077", dup323); + +var msg28183 = msg("26078", dup314); + +var msg28184 = msg("26079", dup314); + +var msg28185 = msg("26080", dup309); + +var msg28186 = msg("26081", dup325); + +var msg28187 = msg("26082", dup309); + +var msg28188 = msg("26083", dup314); + +var msg28189 = msg("26084", dup314); + +var msg28190 = msg("26085", dup314); + +var msg28191 = msg("26086", dup321); + +var msg28192 = msg("26087", dup321); + +var msg28193 = msg("26088", dup321); + +var msg28194 = msg("26089", dup309); + +var msg28195 = msg("26090", dup311); + +var msg28196 = msg("26091", dup311); + +var msg28197 = msg("26092", dup311); + +var msg28198 = msg("26093", dup311); + +var msg28199 = msg("26094", dup311); + +var msg28200 = msg("26095", dup311); + +var msg28201 = msg("26096", dup311); + +var msg28202 = msg("26097", dup311); + +var msg28203 = msg("26098", dup311); + +var msg28204 = msg("26099", dup311); + +var msg28205 = msg("26100", dup311); + +var msg28206 = msg("26101", dup314); + +var msg28207 = msg("26102", dup321); + +var msg28208 = msg("26103", dup309); + +var msg28209 = msg("26104", dup321); + +var msg28210 = msg("26105", dup309); + +var msg28211 = msg("26106", dup321); + +var msg28212 = msg("26107", dup316); + +var msg28213 = msg("26108", dup316); + +var msg28214 = msg("26109", dup309); + +var msg28215 = msg("26110", dup311); + +var msg28216 = msg("26111", dup311); + +var msg28217 = msg("26112", dup311); + +var msg28218 = msg("26113", dup311); + +var msg28219 = msg("26114", dup321); + +var msg28220 = msg("26115", dup321); + +var msg28221 = msg("26116", dup321); + +var msg28222 = msg("26117", dup321); + +var msg28223 = msg("26118", dup321); + +var msg28224 = msg("26119", dup321); + +var msg28225 = msg("26120", dup321); + +var msg28226 = msg("26121", dup321); + +var msg28227 = msg("26122", dup309); + +var msg28228 = msg("26123", dup309); + +var msg28229 = msg("26124", dup311); + +var msg28230 = msg("26125", dup325); + +var msg28231 = msg("26126", dup325); + +var msg28232 = msg("26127", dup325); + +var msg28233 = msg("26128", dup325); + +var msg28234 = msg("26129", dup325); + +var msg28235 = msg("26130", dup325); + +var msg28236 = msg("26131", dup311); + +var msg28237 = msg("26132", dup325); + +var msg28238 = msg("26133", dup325); + +var msg28239 = msg("26134", dup311); + +var msg28240 = msg("26135", dup325); + +var msg28241 = msg("26136", dup325); + +var msg28242 = msg("26137", dup325); + +var msg28243 = msg("26138", dup325); + +var msg28244 = msg("26139", dup321); + +var msg28245 = msg("26140", dup321); + +var msg28246 = msg("26141", dup321); + +var msg28247 = msg("26142", dup321); + +var msg28248 = msg("26143", dup321); + +var msg28249 = msg("26144", dup321); + +var msg28250 = msg("26145", dup321); + +var msg28251 = msg("26146", dup321); + +var msg28252 = msg("26147", dup321); + +var msg28253 = msg("26148", dup321); + +var msg28254 = msg("26149", dup321); + +var msg28255 = msg("26150", dup321); + +var msg28256 = msg("26151", dup321); + +var msg28257 = msg("26152", dup321); + +var msg28258 = msg("26153", dup321); + +var msg28259 = msg("26154", dup321); + +var msg28260 = msg("26155", dup321); + +var msg28261 = msg("26156", dup321); + +var msg28262 = msg("26157", dup325); + +var msg28263 = msg("26158", dup325); + +var msg28264 = msg("26159", dup325); + +var msg28265 = msg("26160", dup325); + +var msg28266 = msg("26161", dup325); + +var msg28267 = msg("26162", dup325); + +var msg28268 = msg("26163", dup309); + +var msg28269 = msg("26164", dup309); + +var msg28270 = msg("26165", dup314); + +var msg28271 = msg("26166", dup314); + +var msg28272 = msg("26167", dup314); + +var msg28273 = msg("26168", dup325); + +var msg28274 = msg("26169", dup325); + +var msg28275 = msg("26170", dup309); + +var msg28276 = msg("26171", dup309); + +var msg28277 = msg("26172", dup309); + +var msg28278 = msg("26173", dup309); + +var msg28279 = msg("26174", dup309); + +var msg28280 = msg("26175", dup309); + +var msg28281 = msg("26176", dup309); + +var msg28282 = msg("26177", dup309); + +var msg28283 = msg("26178", dup321); + +var msg28284 = msg("26179", dup331); + +var msg28285 = msg("26180", dup309); + +var msg28286 = msg("26181", dup314); + +var msg28287 = msg("26182", dup314); + +var msg28288 = msg("26183", dup314); + +var msg28289 = msg("26184", dup314); + +var msg28290 = msg("26185", dup314); + +var msg28291 = msg("26186", dup314); + +var msg28292 = msg("26187", dup314); + +var msg28293 = msg("26188", dup309); + +var msg28294 = msg("26189", dup321); + +var msg28295 = msg("26190", dup321); + +var msg28296 = msg("26191", dup314); + +var msg28297 = msg("26192", dup321); + +var msg28298 = msg("26193", dup311); + +var msg28299 = msg("26194", dup311); + +var msg28300 = msg("26195", dup309); + +var msg28301 = msg("26196", dup309); + +var msg28302 = msg("26197", dup309); + +var msg28303 = msg("26198", dup309); + +var msg28304 = msg("26199", dup309); + +var msg28305 = msg("26200", dup309); + +var msg28306 = msg("26201", dup321); + +var msg28307 = msg("26202", dup321); + +var msg28308 = msg("26203", dup321); + +var msg28309 = msg("26204", dup321); + +var msg28310 = msg("26205", dup321); + +var msg28311 = msg("26206", dup314); + +var msg28312 = msg("26207", dup314); + +var msg28313 = msg("26208", dup314); + +var msg28314 = msg("26209", dup309); + +var msg28315 = msg("26210", dup309); + +var msg28316 = msg("26211", dup321); + +var msg28317 = msg("26212", dup321); + +var msg28318 = msg("26213", dup311); + +var msg28319 = msg("26214", dup311); + +var msg28320 = msg("26215", dup311); + +var msg28321 = msg("26216", dup325); + +var msg28322 = msg("26217", dup325); + +var msg28323 = msg("26218", dup325); + +var msg28324 = msg("26219", dup325); + +var msg28325 = msg("26220", dup325); + +var msg28326 = msg("26221", dup325); + +var msg28327 = msg("26222", dup325); + +var msg28328 = msg("26223", dup325); + +var msg28329 = msg("26224", dup325); + +var msg28330 = msg("26225", dup325); + +var msg28331 = msg("26226", dup311); + +var msg28332 = msg("26227", dup311); + +var msg28333 = msg("26228", dup311); + +var msg28334 = msg("26229", dup311); + +var msg28335 = msg("26230", dup307); + +var msg28336 = msg("26231", dup311); + +var msg28337 = msg("26232", dup311); + +var msg28338 = msg("26233", dup311); + +var msg28339 = msg("26234", dup311); + +var msg28340 = msg("26235", dup311); + +var msg28341 = msg("26236", dup311); + +var msg28342 = msg("26237", dup311); + +var msg28343 = msg("26238", dup321); + +var msg28344 = msg("26239", dup321); + +var msg28345 = msg("26240", dup321); + +var msg28346 = msg("26241", dup314); + +var msg28347 = msg("26242", dup309); + +var msg28348 = msg("26243", dup309); + +var msg28349 = msg("26244", dup321); + +var msg28350 = msg("26245", dup321); + +var msg28351 = msg("26246", dup321); + +var msg28352 = msg("26247", dup321); + +var msg28353 = msg("26248", dup325); + +var msg28354 = msg("26249", dup321); + +var msg28355 = msg("26250", dup311); + +var msg28356 = msg("26251", dup314); + +var msg28357 = msg("26252", dup311); + +var msg28358 = msg("26253", dup311); + +var msg28359 = msg("26254", dup311); + +var msg28360 = msg("26255", dup311); + +var msg28361 = msg("26256", dup311); + +var msg28362 = msg("26257", dup311); + +var msg28363 = msg("26258", dup314); + +var msg28364 = msg("26259", dup314); + +var msg28365 = msg("26260", dup321); + +var msg28366 = msg("26261", dup311); + +var msg28367 = msg("26262", dup316); + +var msg28368 = msg("26263", dup311); + +var msg28369 = msg("26264", dup321); + +var msg28370 = msg("26265", dup321); + +var msg28371 = msg("26266", dup321); + +var msg28372 = msg("26267", dup321); + +var msg28373 = msg("26268", dup321); + +var msg28374 = msg("26269", dup321); + +var msg28375 = msg("26270", dup321); + +var msg28376 = msg("26271", dup321); + +var msg28377 = msg("26272", dup321); + +var msg28378 = msg("26273", dup321); + +var msg28379 = msg("26274", dup311); + +var msg28380 = msg("26275", dup311); + +var msg28381 = msg("26276", dup311); + +var msg28382 = msg("26277", dup311); + +var msg28383 = msg("26278", dup332); + +var msg28384 = msg("26279", dup332); + +var msg28385 = msg("26280", dup309); + +var msg28386 = msg("26281", dup309); + +var msg28387 = msg("26282", dup309); + +var msg28388 = msg("26283", dup309); + +var msg28389 = msg("26284", dup321); + +var msg28390 = msg("26285", dup321); + +var msg28391 = msg("26286", dup329); + +var msg28392 = msg("26287", dup314); + +var msg28393 = msg("26288", dup321); + +var msg28394 = msg("26289", dup321); + +var msg28395 = msg("26290", dup321); + +var msg28396 = msg("26291", dup321); + +var msg28397 = msg("26292", dup314); + +var msg28398 = msg("26293", dup311); + +var msg28399 = msg("26294", dup314); + +var msg28400 = msg("26295", dup314); + +var msg28401 = msg("26296", dup311); + +var msg28402 = msg("26297", dup311); + +var msg28403 = msg("26298", dup307); + +var msg28404 = msg("26299", dup322); + +var msg28405 = msg("26300", dup322); + +var msg28406 = msg("26301", dup307); + +var msg28407 = msg("26302", dup322); + +var msg28408 = msg("26303", dup322); + +var msg28409 = msg("26304", dup322); + +var msg28410 = msg("26305", dup307); + +var msg28411 = msg("26306", dup322); + +var msg28412 = msg("26307", dup322); + +var msg28413 = msg("26308", dup322); + +var msg28414 = msg("26309", dup307); + +var msg28415 = msg("26310", dup322); + +var msg28416 = msg("26311", dup322); + +var msg28417 = msg("26312", dup322); + +var msg28418 = msg("26313", dup307); + +var msg28419 = msg("26314", dup311); + +var msg28420 = msg("26315", dup311); + +var msg28421 = msg("26316", dup311); + +var msg28422 = msg("26317", dup309); + +var msg28423 = msg("26318", dup309); + +var msg28424 = msg("26319", dup321); + +var msg28425 = msg("26320", dup316); + +var msg28426 = msg("26321", dup306); + +var msg28427 = msg("26322", dup306); + +var msg28428 = msg("26323", dup311); + +var msg28429 = msg("26324", dup324); + +var msg28430 = msg("26325", dup321); + +var msg28431 = msg("26326", dup321); + +var msg28432 = msg("26327", dup321); + +var msg28433 = msg("26328", dup321); + +var msg28434 = msg("26329", dup309); + +var msg28435 = msg("26330", dup309); + +var msg28436 = msg("26331", dup321); + +var msg28437 = msg("26332", dup321); + +var msg28438 = msg("26333", dup309); + +var msg28439 = msg("26334", dup309); + +var msg28440 = msg("26335", dup321); + +var msg28441 = msg("26336", dup309); + +var msg28442 = msg("26337", dup311); + +var msg28443 = msg("26338", dup311); + +var msg28444 = msg("26339", dup311); + +var msg28445 = msg("26340", dup309); + +var msg28446 = msg("26341", dup311); + +var msg28447 = msg("26342", dup311); + +var msg28448 = msg("26343", dup311); + +var msg28449 = msg("26344", dup311); + +var msg28450 = msg("26345", dup311); + +var msg28451 = msg("26346", dup311); + +var msg28452 = msg("26347", dup311); + +var msg28453 = msg("26348", dup311); + +var msg28454 = msg("26349", dup311); + +var msg28455 = msg("26350", dup311); + +var msg28456 = msg("26351", dup311); + +var msg28457 = msg("26352", dup311); + +var msg28458 = msg("26353", dup323); + +var msg28459 = msg("26354", dup311); + +var msg28460 = msg("26355", dup314); + +var msg28461 = msg("26356", dup314); + +var msg28462 = msg("26357", dup314); + +var msg28463 = msg("26358", dup314); + +var msg28464 = msg("26359", dup314); + +var msg28465 = msg("26360", dup314); + +var msg28466 = msg("26361", dup314); + +var msg28467 = msg("26362", dup314); + +var msg28468 = msg("26363", dup314); + +var msg28469 = msg("26364", dup314); + +var msg28470 = msg("26365", dup314); + +var msg28471 = msg("26366", dup311); + +var msg28472 = msg("26367", dup311); + +var msg28473 = msg("26368", dup311); + +var msg28474 = msg("26369", dup321); + +var msg28475 = msg("26370", dup321); + +var msg28476 = msg("26371", dup321); + +var msg28477 = msg("26372", dup324); + +var msg28478 = msg("26373", dup324); + +var msg28479 = msg("26374", dup324); + +var msg28480 = msg("26375", dup314); + +var msg28481 = msg("26376", dup314); + +var msg28482 = msg("26377", dup311); + +var msg28483 = msg("26378", dup314); + +var msg28484 = msg("26379", dup324); + +var msg28485 = msg("26380", dup323); + +var msg28486 = msg("26381", dup323); + +var msg28487 = msg("26382", dup323); + +var msg28488 = msg("26383", dup311); + +var msg28489 = msg("26384", dup311); + +var msg28490 = msg("26385", dup311); + +var msg28491 = msg("26386", dup330); + +var msg28492 = msg("26387", dup321); + +var msg28493 = msg("26388", dup321); + +var msg28494 = msg("26389", dup314); + +var msg28495 = msg("26390", dup314); + +var msg28496 = msg("26391", dup309); + +var msg28497 = msg("26392", dup314); + +var msg28498 = msg("26393", dup314); + +var msg28499 = msg("26394", dup309); + +var msg28500 = msg("26395", dup321); + +var msg28501 = msg("26396", dup321); + +var msg28502 = msg("26397", dup323); + +var msg28503 = msg("26398", dup321); + +var msg28504 = msg("26399", dup321); + +var msg28505 = msg("26400", dup321); + +var msg28506 = msg("26401", dup321); + +var msg28507 = msg("26402", dup321); + +var msg28508 = msg("26403", dup321); + +var msg28509 = msg("26404", dup321); + +var msg28510 = msg("26405", dup321); + +var msg28511 = msg("26406", dup321); + +var msg28512 = msg("26407", dup321); + +var msg28513 = msg("26408", dup321); + +var msg28514 = msg("26409", dup321); + +var msg28515 = msg("26410", dup323); + +var msg28516 = msg("26411", dup321); + +var msg28517 = msg("26412", dup311); + +var msg28518 = msg("26413", dup321); + +var msg28519 = msg("26414", dup311); + +var msg28520 = msg("26415", dup314); + +var msg28521 = msg("26416", dup314); + +var msg28522 = msg("26417", dup314); + +var msg28523 = msg("26418", dup307); + +var msg28524 = msg("26419", dup325); + +var msg28525 = msg("26420", dup325); + +var msg28526 = msg("26421", dup309); + +var msg28527 = msg("26422", dup314); + +var msg28528 = msg("26423", dup314); + +var msg28529 = msg("26424", dup314); + +var msg28530 = msg("26425", dup307); + +var msg28531 = msg("26426", dup307); + +var msg28532 = msg("26427", dup324); + +var msg28533 = msg("26428", dup321); + +var msg28534 = msg("26429", dup314); + +var msg28535 = msg("26430", dup314); + +var msg28536 = msg("26431", dup311); + +var msg28537 = msg("26432", dup309); + +var msg28538 = msg("26433", dup309); + +var msg28539 = msg("26434", dup311); + +var msg28540 = msg("26435", dup321); + +var msg28541 = msg("26436", dup314); + +var msg28542 = msg("26437", dup314); + +var msg28543 = msg("26438", dup314); + +var msg28544 = msg("26439", dup325); + +var msg28545 = msg("26440", dup323); + +var msg28546 = msg("26441", dup323); + +var msg28547 = msg("26442", dup321); + +var msg28548 = msg("26443", dup321); + +var msg28549 = msg("26444", dup321); + +var msg28550 = msg("26445", dup321); + +var msg28551 = msg("26446", dup321); + +var msg28552 = msg("26447", dup321); + +var msg28553 = msg("26448", dup321); + +var msg28554 = msg("26449", dup321); + +var msg28555 = msg("26450", dup321); + +var msg28556 = msg("26451", dup323); + +var msg28557 = msg("26452", dup321); + +var msg28558 = msg("26453", dup309); + +var msg28559 = msg("26454", dup309); + +var msg28560 = msg("26455", dup309); + +var msg28561 = msg("26456", dup314); + +var msg28562 = msg("26457", dup314); + +var msg28563 = msg("26458", dup314); + +var msg28564 = msg("26459", dup309); + +var msg28565 = msg("26460", dup309); + +var msg28566 = msg("26461", dup309); + +var msg28567 = msg("26462", dup309); + +var msg28568 = msg("26463", dup321); + +var msg28569 = msg("26464", dup321); + +var msg28570 = msg("26465", dup314); + +var msg28571 = msg("26466", dup314); + +var msg28572 = msg("26467", dup321); + +var msg28573 = msg("26468", dup311); + +var msg28574 = msg("26469", dup311); + +var msg28575 = msg("26470", dup310); + +var msg28576 = msg("26471", dup333); + +var msg28577 = msg("26472", dup311); + +var msg28578 = msg("26473", dup309); + +var msg28579 = msg("26474", dup309); + +var msg28580 = msg("26475", dup309); + +var msg28581 = msg("26476", dup309); + +var msg28582 = msg("26477", dup309); + +var msg28583 = msg("26478", dup309); + +var msg28584 = msg("26479", dup309); + +var msg28585 = msg("26480", dup321); + +var msg28586 = msg("26481", dup321); + +var msg28587 = msg("26482", dup321); + +var msg28588 = msg("26483", dup323); + +var msg28589 = msg("26484", dup311); + +var msg28590 = msg("26485", dup311); + +var msg28591 = msg("26486", dup311); + +var msg28592 = msg("26487", dup311); + +var msg28593 = msg("26488", dup314); + +var msg28594 = msg("26489", dup309); + +var msg28595 = msg("26490", dup309); + +var msg28596 = msg("26491", dup311); + +var msg28597 = msg("26492", dup314); + +var msg28598 = msg("26493", dup314); + +var msg28599 = msg("26494", dup314); + +var msg28600 = msg("26495", dup309); + +var msg28601 = msg("26496", dup309); + +var msg28602 = msg("26497", dup314); + +var msg28603 = msg("26498", dup314); + +var msg28604 = msg("26499", dup311); + +var msg28605 = msg("26500", dup311); + +var msg28606 = msg("26501", dup309); + +var msg28607 = msg("26502", dup309); + +var msg28608 = msg("26503", dup309); + +var msg28609 = msg("26504", dup309); + +var msg28610 = msg("26505", dup314); + +var msg28611 = msg("26506", dup311); + +var msg28612 = msg("26507", dup311); + +var msg28613 = msg("26508", dup307); + +var msg28614 = msg("26509", dup307); + +var msg28615 = msg("26510", dup311); + +var msg28616 = msg("26511", dup311); + +var msg28617 = msg("26512", dup311); + +var msg28618 = msg("26513", dup323); + +var msg28619 = msg("26514", dup314); + +var msg28620 = msg("26515", dup314); + +var msg28621 = msg("26516", dup314); + +var msg28622 = msg("26517", dup314); + +var msg28623 = msg("26518", dup314); + +var msg28624 = msg("26519", dup314); + +var msg28625 = msg("26520", dup311); + +var msg28626 = msg("26521", dup311); + +var msg28627 = msg("26522", dup325); + +var msg28628 = msg("26523", dup314); + +var msg28629 = msg("26524", dup314); + +var msg28630 = msg("26525", dup314); + +var msg28631 = msg("26526", dup311); + +var msg28632 = msg("26527", dup311); + +var msg28633 = msg("26528", dup200); + +var msg28634 = msg("26529", dup200); + +var msg28635 = msg("26530", dup200); + +var msg28636 = msg("26531", dup321); + +var msg28637 = msg("26532", dup321); + +var msg28638 = msg("26533", dup321); + +var msg28639 = msg("26534", dup311); + +var msg28640 = msg("26535", dup311); + +var msg28641 = msg("26536", dup311); + +var msg28642 = msg("26537", dup311); + +var msg28643 = msg("26538", dup311); + +var msg28644 = msg("26539", dup311); + +var msg28645 = msg("26540", dup311); + +var msg28646 = msg("26541", dup311); + +var msg28647 = msg("26542", dup325); + +var msg28648 = msg("26543", dup314); + +var msg28649 = msg("26544", dup314); + +var msg28650 = msg("26545", dup314); + +var msg28651 = msg("26546", dup314); + +var msg28652 = msg("26547", dup311); + +var msg28653 = msg("26548", dup309); + +var msg28654 = msg("26549", dup311); + +var msg28655 = msg("26550", dup311); + +var msg28656 = msg("26551", dup311); + +var msg28657 = msg("26552", dup311); + +var msg28658 = msg("26553", dup321); + +var msg28659 = msg("26554", dup321); + +var msg28660 = msg("26555", dup321); + +var msg28661 = msg("26556", dup321); + +var msg28662 = msg("26557", dup314); + +var msg28663 = msg("26558", dup325); + +var msg28664 = msg("26559", dup307); + +var msg28665 = msg("26560", dup321); + +var msg28666 = msg("26561", dup321); + +var msg28667 = msg("26562", dup311); + +var msg28668 = msg("26563", dup321); + +var msg28669 = msg("26564", dup307); + +var msg28670 = msg("26565", dup314); + +var msg28671 = msg("26566", dup314); + +var msg28672 = msg("26567", dup314); + +var msg28673 = msg("26568", dup314); + +var msg28674 = msg("26569", dup325); + +var msg28675 = msg("26570", dup325); + +var msg28676 = msg("26571", dup325); + +var msg28677 = msg("26572", dup325); + +var msg28678 = msg("26573", dup311); + +var msg28679 = msg("26574", dup311); + +var msg28680 = msg("26575", dup324); + +var msg28681 = msg("26576", dup311); + +var msg28682 = msg("26577", dup325); + +var msg28683 = msg("26578", dup321); + +var msg28684 = msg("26579", dup321); + +var msg28685 = msg("26580", dup321); + +var msg28686 = msg("26581", dup321); + +var msg28687 = msg("26582", dup321); + +var msg28688 = msg("26583", dup321); + +var msg28689 = msg("26584", dup325); + +var msg28690 = msg("26585", dup314); + +var msg28691 = msg("26586", dup316); + +var msg28692 = msg("26587", dup314); + +var msg28693 = msg("26588", dup314); + +var msg28694 = msg("26589", dup321); + +var msg28695 = msg("26590", dup311); + +var msg28696 = msg("26591", dup307); + +var msg28697 = msg("26592", dup314); + +var msg28698 = msg("26593", dup309); + +var msg28699 = msg("26594", dup307); + +var msg28700 = msg("26595", dup323); + +var msg28701 = msg("26596", dup323); + +var msg28702 = msg("26597", dup309); + +var msg28703 = msg("26598", dup323); + +var msg28704 = msg("26599", dup311); + +var msg28705 = msg("26600", dup311); + +var msg28706 = msg("26601", dup311); + +var msg28707 = msg("26602", dup309); + +var msg28708 = msg("26603", dup321); + +var msg28709 = msg("26604", dup321); + +var msg28710 = msg("26605", dup321); + +var msg28711 = msg("26606", dup321); + +var msg28712 = msg("26607", dup321); + +var msg28713 = msg("26608", dup321); + +var msg28714 = msg("26609", dup321); + +var msg28715 = msg("26610", dup321); + +var msg28716 = msg("26611", dup321); + +var msg28717 = msg("26612", dup321); + +var msg28718 = msg("26613", dup321); + +var msg28719 = msg("26614", dup321); + +var msg28720 = msg("26615", dup323); + +var msg28721 = msg("26616", dup323); + +var msg28722 = msg("26617", dup311); + +var msg28723 = msg("26618", dup311); + +var msg28724 = msg("26619", dup325); + +var msg28725 = msg("26620", dup325); + +var msg28726 = msg("26621", dup314); + +var msg28727 = msg("26622", dup314); + +var msg28728 = msg("26623", dup314); + +var msg28729 = msg("26624", dup323); + +var msg28730 = msg("26625", dup323); + +var msg28731 = msg("26626", dup309); + +var msg28732 = msg("26627", dup309); + +var msg28733 = msg("26628", dup309); + +var msg28734 = msg("26629", dup325); + +var msg28735 = msg("26630", dup325); + +var msg28736 = msg("26631", dup325); + +var msg28737 = msg("26632", dup324); + +var msg28738 = msg("26633", dup314); + +var msg28739 = msg("26634", dup311); + +var msg28740 = msg("26635", dup311); + +var msg28741 = msg("26636", dup325); + +var msg28742 = msg("26637", dup325); + +var msg28743 = msg("26638", dup311); + +var msg28744 = msg("26639", dup314); + +var msg28745 = msg("26640", dup314); + +var msg28746 = msg("26641", dup311); + +var msg28747 = msg("26642", dup311); + +var msg28748 = msg("26643", dup324); + +var msg28749 = msg("26644", dup314); + +var msg28750 = msg("26645", dup314); + +var msg28751 = msg("26646", dup314); + +var msg28752 = msg("26647", dup314); + +var msg28753 = msg("26648", dup311); + +var msg28754 = msg("26649", dup311); + +var msg28755 = msg("26650", dup323); + +var msg28756 = msg("26651", dup309); + +var msg28757 = msg("26652", dup309); + +var msg28758 = msg("26653", dup311); + +var msg28759 = msg("26654", dup321); + +var msg28760 = msg("26655", dup321); + +var msg28761 = msg("26656", dup321); + +var msg28762 = msg("26657", dup321); + +var msg28763 = msg("26658", dup314); + +var msg28764 = msg("26659", dup314); + +var msg28765 = msg("26660", dup311); + +var msg28766 = msg("26661", dup311); + +var msg28767 = msg("26662", dup311); + +var msg28768 = msg("26663", dup309); + +var msg28769 = msg("26664", dup314); + +var msg28770 = msg("26665", dup314); + +var msg28771 = msg("26666", dup325); + +var msg28772 = msg("26667", dup309); + +var msg28773 = msg("26668", dup325); + +var msg28774 = msg("26669", dup314); + +var msg28775 = msg("26670", dup321); + +var msg28776 = msg("26671", dup321); + +var msg28777 = msg("26672", dup309); + +var msg28778 = msg("26673", dup309); + +var msg28779 = msg("26674", dup309); + +var msg28780 = msg("26675", dup309); + +var msg28781 = msg("26676", dup309); + +var msg28782 = msg("26677", dup321); + +var msg28783 = msg("26678", dup321); + +var msg28784 = msg("26679", dup321); + +var msg28785 = msg("26680", dup321); + +var msg28786 = msg("26681", dup321); + +var msg28787 = msg("26682", dup314); + +var msg28788 = msg("26683", dup321); + +var msg28789 = msg("26684", dup321); + +var msg28790 = msg("26685", dup325); + +var msg28791 = msg("26686", dup325); + +var msg28792 = msg("26687", dup314); + +var msg28793 = msg("26688", dup314); + +var msg28794 = msg("26689", dup321); + +var msg28795 = msg("26690", dup321); + +var msg28796 = msg("26691", dup321); + +var msg28797 = msg("26692", dup321); + +var msg28798 = msg("26693", dup321); + +var msg28799 = msg("26694", dup311); + +var msg28800 = msg("26695", dup321); + +var msg28801 = msg("26696", dup321); + +var msg28802 = msg("26697", dup321); + +var msg28803 = msg("26698", dup311); + +var msg28804 = msg("26699", dup309); + +var msg28805 = msg("26700", dup309); + +var msg28806 = msg("26701", dup309); + +var msg28807 = msg("26702", dup325); + +var msg28808 = msg("26703", dup321); + +var msg28809 = msg("26704", dup314); + +var msg28810 = msg("26705", dup321); + +var msg28811 = msg("26706", dup309); + +var msg28812 = msg("26707", dup309); + +var msg28813 = msg("26708", dup309); + +var msg28814 = msg("26709", dup309); + +var msg28815 = msg("26710", dup309); + +var msg28816 = msg("26711", dup309); + +var msg28817 = msg("26712", dup321); + +var msg28818 = msg("26713", dup321); + +var msg28819 = msg("26714", dup321); + +var msg28820 = msg("26715", dup321); + +var msg28821 = msg("26716", dup311); + +var msg28822 = msg("26717", dup311); + +var msg28823 = msg("26718", dup321); + +var msg28824 = msg("26719", dup321); + +var msg28825 = msg("26720", dup321); + +var msg28826 = msg("26721", dup321); + +var msg28827 = msg("26722", dup321); + +var msg28828 = msg("26723", dup321); + +var msg28829 = msg("26724", dup309); + +var msg28830 = msg("26725", dup321); + +var msg28831 = msg("26726", dup321); + +var msg28832 = msg("26727", dup321); + +var msg28833 = msg("26728", dup321); + +var msg28834 = msg("26729", dup321); + +var msg28835 = msg("26730", dup321); + +var msg28836 = msg("26731", dup321); + +var msg28837 = msg("26732", dup321); + +var msg28838 = msg("26733", dup321); + +var msg28839 = msg("26734", dup321); + +var msg28840 = msg("26735", dup321); + +var msg28841 = msg("26736", dup334); + +var msg28842 = msg("26737", dup321); + +var msg28843 = msg("26738", dup321); + +var msg28844 = msg("26739", dup321); + +var msg28845 = msg("26740", dup321); + +var msg28846 = msg("26741", dup311); + +var msg28847 = msg("26742", dup321); + +var msg28848 = msg("26743", dup324); + +var msg28849 = msg("26744", dup321); + +var msg28850 = msg("26745", dup333); + +var msg28851 = msg("26746", dup321); + +var msg28852 = msg("26747", dup324); + +var msg28853 = msg("26748", dup321); + +var msg28854 = msg("26749", dup321); + +var msg28855 = msg("26750", dup321); + +var msg28856 = msg("26751", dup325); + +var msg28857 = msg("26752", dup310); + +var msg28858 = msg("26753", dup325); + +var msg28859 = msg("26754", dup325); + +var msg28860 = msg("26755", dup309); + +var msg28861 = msg("26756", dup321); + +var msg28862 = msg("26757", dup321); + +var msg28863 = msg("26758", dup321); + +var msg28864 = msg("26759", dup323); + +var msg28865 = msg("26760", dup321); + +var msg28866 = msg("26761", dup321); + +var msg28867 = msg("26762", dup321); + +var msg28868 = msg("26763", dup321); + +var msg28869 = msg("26764", dup314); + +var msg28870 = msg("26765", dup314); + +var msg28871 = msg("26766", dup314); + +var msg28872 = msg("26767", dup314); + +var msg28873 = msg("26768", dup321); + +var msg28874 = msg("26769", dup324); + +var msg28875 = msg("26770", dup321); + +var msg28876 = msg("26771", dup321); + +var msg28877 = msg("26772", dup311); + +var msg28878 = msg("26773", dup321); + +var msg28879 = msg("26774", dup321); + +var msg28880 = msg("26775", dup321); + +var msg28881 = msg("26776", dup321); + +var msg28882 = msg("26777", dup321); + +var msg28883 = msg("26778", dup321); + +var msg28884 = msg("26779", dup321); + +var msg28885 = msg("26780", dup310); + +var msg28886 = msg("26781", dup321); + +var msg28887 = msg("26782", dup321); + +var msg28888 = msg("26783", dup321); + +var msg28889 = msg("26784", dup321); + +var msg28890 = msg("26785", dup321); + +var msg28891 = msg("26786", dup316); + +var msg28892 = msg("26787", dup316); + +var msg28893 = msg("26788", dup316); + +var msg28894 = msg("26789", dup316); + +var msg28895 = msg("26790", dup316); + +var msg28896 = msg("26791", dup316); + +var msg28897 = msg("26792", dup321); + +var msg28898 = msg("26793", dup321); + +var msg28899 = msg("26794", dup314); + +var msg28900 = msg("26795", dup321); + +var msg28901 = msg("26796", dup321); + +var msg28902 = msg("26797", dup314); + +var msg28903 = msg("26798", dup314); + +var msg28904 = msg("26799", dup309); + +var msg28905 = msg("26800", dup309); + +var msg28906 = msg("26801", dup309); + +var msg28907 = msg("26802", dup335); + +var msg28908 = msg("26803", dup321); + +var msg28909 = msg("26804", dup311); + +var msg28910 = msg("26805", dup311); + +var msg28911 = msg("26806", dup311); + +var msg28912 = msg("26807", dup311); + +var msg28913 = msg("26808", dup311); + +var msg28914 = msg("26809", dup321); + +var msg28915 = msg("26810", dup321); + +var msg28916 = msg("26811", dup321); + +var msg28917 = msg("26812", dup321); + +var msg28918 = msg("26813", dup321); + +var msg28919 = msg("26814", dup311); + +var msg28920 = msg("26815", dup321); + +var msg28921 = msg("26816", dup321); + +var msg28922 = msg("26817", dup323); + +var msg28923 = msg("26818", dup321); + +var msg28924 = msg("26819", dup321); + +var msg28925 = msg("26820", dup321); + +var msg28926 = msg("26821", dup321); + +var msg28927 = msg("26822", dup321); + +var msg28928 = msg("26823", dup321); + +var msg28929 = msg("26824", dup311); + +var msg28930 = msg("26825", dup311); + +var msg28931 = msg("26826", dup321); + +var msg28932 = msg("26827", dup321); + +var msg28933 = msg("26828", dup321); + +var msg28934 = msg("26829", dup322); + +var msg28935 = msg("26830", dup309); + +var msg28936 = msg("26831", dup309); + +var msg28937 = msg("26832", dup309); + +var msg28938 = msg("26833", dup309); + +var msg28939 = msg("26834", dup311); + +var msg28940 = msg("26835", dup321); + +var msg28941 = msg("26836", dup321); + +var msg28942 = msg("26837", dup321); + +var msg28943 = msg("26838", dup311); + +var msg28944 = msg("26839", dup321); + +var msg28945 = msg("26840", dup321); + +var msg28946 = msg("26841", dup321); + +var msg28947 = msg("26842", dup321); + +var msg28948 = msg("26843", dup314); + +var msg28949 = msg("26844", dup311); + +var msg28950 = msg("26845", dup325); + +var msg28951 = msg("26846", dup325); + +var msg28952 = msg("26847", dup325); + +var msg28953 = msg("26848", dup325); + +var msg28954 = msg("26849", dup323); + +var msg28955 = msg("26850", dup314); + +var msg28956 = msg("26851", dup314); + +var msg28957 = msg("26852", dup311); + +var msg28958 = msg("26853", dup311); + +var msg28959 = msg("26854", dup309); + +var msg28960 = msg("26855", dup309); + +var msg28961 = msg("26856", dup309); + +var msg28962 = msg("26857", dup309); + +var msg28963 = msg("26858", dup309); + +var msg28964 = msg("26859", dup309); + +var msg28965 = msg("26860", dup309); + +var msg28966 = msg("26861", dup309); + +var msg28967 = msg("26862", dup309); + +var msg28968 = msg("26863", dup309); + +var msg28969 = msg("26864", dup309); + +var msg28970 = msg("26865", dup307); + +var msg28971 = msg("26866", dup309); + +var msg28972 = msg("26867", dup325); + +var msg28973 = msg("26868", dup325); + +var msg28974 = msg("26869", dup311); + +var msg28975 = msg("26870", dup311); + +var msg28976 = msg("26871", dup311); + +var msg28977 = msg("26872", dup311); + +var msg28978 = msg("26873", dup325); + +var msg28979 = msg("26874", dup325); + +var msg28980 = msg("26875", dup325); + +var msg28981 = msg("26876", dup325); + +var msg28982 = msg("26877", dup323); + +var msg28983 = msg("26878", dup325); + +var msg28984 = msg("26879", dup314); + +var msg28985 = msg("26880", dup321); + +var msg28986 = msg("26881", dup321); + +var msg28987 = msg("26882", dup325); + +var msg28988 = msg("26883", dup325); + +var msg28989 = msg("26884", dup325); + +var msg28990 = msg("26885", dup325); + +var msg28991 = msg("26886", dup325); + +var msg28992 = msg("26887", dup325); + +var msg28993 = msg("26888", dup311); + +var msg28994 = msg("26889", dup311); + +var msg28995 = msg("26890", dup325); + +var msg28996 = msg("26891", dup311); + +var msg28997 = msg("26892", dup311); + +var msg28998 = msg("26893", dup311); + +var msg28999 = msg("26894", dup311); + +var msg29000 = msg("26895", dup311); + +var msg29001 = msg("26896", dup311); + +var msg29002 = msg("26897", dup311); + +var msg29003 = msg("26898", dup322); + +var msg29004 = msg("26899", dup322); + +var msg29005 = msg("26900", dup322); + +var msg29006 = msg("26901", dup322); + +var msg29007 = msg("26902", dup314); + +var msg29008 = msg("26903", dup314); + +var msg29009 = msg("26904", dup314); + +var msg29010 = msg("26905", dup324); + +var msg29011 = msg("26906", dup311); + +var msg29012 = msg("26907", dup311); + +var msg29013 = msg("26908", dup311); + +var msg29014 = msg("26909", dup314); + +var msg29015 = msg("26910", dup321); + +var msg29016 = msg("26911", dup321); + +var msg29017 = msg("26912", dup321); + +var msg29018 = msg("26913", dup321); + +var msg29019 = msg("26914", dup321); + +var msg29020 = msg("26915", dup321); + +var msg29021 = msg("26916", dup321); + +var msg29022 = msg("26917", dup321); + +var msg29023 = msg("26918", dup321); + +var msg29024 = msg("26919", dup321); + +var msg29025 = msg("26920", dup321); + +var msg29026 = msg("26921", dup321); + +var msg29027 = msg("26922", dup311); + +var msg29028 = msg("26923", dup321); + +var msg29029 = msg("26924", dup321); + +var msg29030 = msg("26925", dup322); + +var msg29031 = msg("26926", dup323); + +var msg29032 = msg("26927", dup309); + +var msg29033 = msg("26928", dup309); + +var msg29034 = msg("26929", dup311); + +var msg29035 = msg("26930", dup321); + +var msg29036 = msg("26931", dup321); + +var msg29037 = msg("26932", dup321); + +var msg29038 = msg("26933", dup321); + +var msg29039 = msg("26934", dup321); + +var msg29040 = msg("26935", dup311); + +var msg29041 = msg("26936", dup311); + +var msg29042 = msg("26937", dup311); + +var msg29043 = msg("26938", dup314); + +var msg29044 = msg("26939", dup314); + +var msg29045 = msg("26940", dup323); + +var msg29046 = msg("26941", dup323); + +var msg29047 = msg("26942", dup323); + +var msg29048 = msg("26943", dup321); + +var msg29049 = msg("26944", dup321); + +var msg29050 = msg("26945", dup321); + +var msg29051 = msg("26946", dup321); + +var msg29052 = msg("26947", dup311); + +var msg29053 = msg("26948", dup311); + +var msg29054 = msg("26949", dup311); + +var msg29055 = msg("26950", dup311); + +var msg29056 = msg("26951", dup311); + +var msg29057 = msg("26952", dup321); + +var msg29058 = msg("26953", dup311); + +var msg29059 = msg("26954", dup321); + +var msg29060 = msg("26955", dup321); + +var msg29061 = msg("26956", dup311); + +var msg29062 = msg("26957", dup311); + +var msg29063 = msg("26958", dup311); + +var msg29064 = msg("26959", dup311); + +var msg29065 = msg("26960", dup311); + +var msg29066 = msg("26961", dup311); + +var msg29067 = msg("26962", dup311); + +var msg29068 = msg("26963", dup311); + +var msg29069 = msg("26964", dup311); + +var msg29070 = msg("26965", dup321); + +var msg29071 = msg("26966", dup321); + +var msg29072 = msg("26967", dup321); + +var msg29073 = msg("26968", dup321); + +var msg29074 = msg("26969", dup321); + +var msg29075 = msg("26970", dup321); + +var msg29076 = msg("26971", dup321); + +var msg29077 = msg("26972", dup307); + +var msg29078 = msg("26973", dup309); + +var msg29079 = msg("26974", dup314); + +var msg29080 = msg("26975", dup314); + +var msg29081 = msg("26976", dup309); + +var msg29082 = msg("26977", dup309); + +var msg29083 = msg("26978", dup309); + +var msg29084 = msg("26979", dup309); + +var msg29085 = msg("26980", dup315); + +var msg29086 = msg("26981", dup324); + +var msg29087 = msg("26982", dup311); + +var msg29088 = msg("26983", dup311); + +var msg29089 = msg("26984", dup321); + +var msg29090 = msg("26985", dup311); + +var msg29091 = msg("26986", dup321); + +var msg29092 = msg("26987", dup321); + +var msg29093 = msg("26988", dup325); + +var msg29094 = msg("26989", dup323); + +var msg29095 = msg("26990", dup311); + +var msg29096 = msg("26991", dup311); + +var msg29097 = msg("26992", dup311); + +var msg29098 = msg("26993", dup314); + +var msg29099 = msg("26994", dup314); + +var msg29100 = msg("26995", dup321); + +var msg29101 = msg("26996", dup321); + +var msg29102 = msg("26997", dup321); + +var msg29103 = msg("26998", dup321); + +var msg29104 = msg("26999", dup321); + +var msg29105 = msg("27000", dup321); + +var msg29106 = msg("27001", dup309); + +var msg29107 = msg("27002", dup321); + +var msg29108 = msg("27003", dup321); + +var msg29109 = msg("27004", dup311); + +var msg29110 = msg("27005", dup311); + +var msg29111 = msg("27006", dup309); + +var msg29112 = msg("27007", dup321); + +var msg29113 = msg("27008", dup321); + +var msg29114 = msg("27009", dup321); + +var msg29115 = msg("27010", dup321); + +var msg29116 = msg("27011", dup321); + +var msg29117 = msg("27012", dup321); + +var msg29118 = msg("27013", dup321); + +var msg29119 = msg("27014", dup323); + +var msg29120 = msg("27015", dup325); + +var msg29121 = msg("27016", dup314); + +var msg29122 = msg("27017", dup321); + +var msg29123 = msg("27018", dup314); + +var msg29124 = msg("27019", dup314); + +var msg29125 = msg("27020", dup314); + +var msg29126 = msg("27021", dup321); + +var msg29127 = msg("27022", dup321); + +var msg29128 = msg("27023", dup321); + +var msg29129 = msg("27024", dup321); + +var msg29130 = msg("27025", dup321); + +var msg29131 = msg("27026", dup311); + +var msg29132 = msg("27027", dup311); + +var msg29133 = msg("27028", dup314); + +var msg29134 = msg("27029", dup314); + +var msg29135 = msg("27030", dup314); + +var msg29136 = msg("27031", dup314); + +var msg29137 = msg("27032", dup314); + +var msg29138 = msg("27033", dup321); + +var msg29139 = msg("27034", dup321); + +var msg29140 = msg("27035", dup321); + +var msg29141 = msg("27036", dup314); + +var msg29142 = msg("27037", dup314); + +var msg29143 = msg("27038", dup314); + +var msg29144 = msg("27039", dup321); + +var msg29145 = msg("27040", dup311); + +var msg29146 = msg("27041", dup311); + +var msg29147 = msg("27042", dup311); + +var msg29148 = msg("27043", dup321); + +var msg29149 = msg("27044", dup325); + +var msg29150 = msg("27045", dup321); + +var msg29151 = msg("27046", dup327); + +var msg29152 = msg("27047", dup314); + +var msg29153 = msg("27048", dup323); + +var msg29154 = msg("27049", dup321); + +var msg29155 = msg("27050", dup321); + +var msg29156 = msg("27051", dup321); + +var msg29157 = msg("27052", dup321); + +var msg29158 = msg("27053", dup321); + +var msg29159 = msg("27054", dup321); + +var msg29160 = msg("27055", dup321); + +var msg29161 = msg("27056", dup321); + +var msg29162 = msg("27057", dup321); + +var msg29163 = msg("27058", dup321); + +var msg29164 = msg("27059", dup321); + +var msg29165 = msg("27060", dup321); + +var msg29166 = msg("27061", dup311); + +var msg29167 = msg("27062", dup311); + +var msg29168 = msg("27063", dup311); + +var msg29169 = msg("27064", dup314); + +var msg29170 = msg("27065", dup321); + +var msg29171 = msg("27066", dup321); + +var msg29172 = msg("27067", dup311); + +var msg29173 = msg("27068", dup311); + +var msg29174 = msg("27069", dup311); + +var msg29175 = msg("27070", dup311); + +var msg29176 = msg("27071", dup311); + +var msg29177 = msg("27072", dup311); + +var msg29178 = msg("27073", dup311); + +var msg29179 = msg("27074", dup311); + +var msg29180 = msg("27075", dup311); + +var msg29181 = msg("27076", dup314); + +var msg29182 = msg("27077", dup314); + +var msg29183 = msg("27078", dup311); + +var msg29184 = msg("27079", dup311); + +var msg29185 = msg("27080", dup311); + +var msg29186 = msg("27081", dup311); + +var msg29187 = msg("27082", dup311); + +var msg29188 = msg("27083", dup311); + +var msg29189 = msg("27084", dup311); + +var msg29190 = msg("27085", dup307); + +var msg29191 = msg("27086", dup311); + +var msg29192 = msg("27087", dup311); + +var msg29193 = msg("27088", dup311); + +var msg29194 = msg("27089", dup309); + +var msg29195 = msg("27090", dup309); + +var msg29196 = msg("27091", dup321); + +var msg29197 = msg("27092", dup311); + +var msg29198 = msg("27093", dup321); + +var msg29199 = msg("27094", dup200); + +var msg29200 = msg("27095", dup200); + +var msg29201 = msg("27096", dup311); + +var msg29202 = msg("27097", dup200); + +var msg29203 = msg("27098", dup200); + +var msg29204 = msg("27099", dup200); + +var msg29205 = msg("27100", dup311); + +var msg29206 = msg("27101", dup311); + +var msg29207 = msg("27102", dup309); + +var msg29208 = msg("27103", dup309); + +var msg29209 = msg("27104", dup316); + +var msg29210 = msg("27105", dup316); + +var msg29211 = msg("27106", dup311); + +var msg29212 = msg("27107", dup311); + +var msg29213 = msg("27108", dup307); + +var msg29214 = msg("27109", dup311); + +var msg29215 = msg("27110", dup311); + +var msg29216 = msg("27111", dup314); + +var msg29217 = msg("27112", dup314); + +var msg29218 = msg("27113", dup311); + +var msg29219 = msg("27114", dup321); + +var msg29220 = msg("27115", dup311); + +var msg29221 = msg("27116", dup314); + +var msg29222 = msg("27117", dup314); + +var msg29223 = msg("27118", dup314); + +var msg29224 = msg("27119", dup307); + +var msg29225 = msg("27120", dup321); + +var msg29226 = msg("27121", dup314); + +var msg29227 = msg("27122", dup309); + +var msg29228 = msg("27123", dup309); + +var msg29229 = msg("27124", dup309); + +var msg29230 = msg("27125", dup309); + +var msg29231 = msg("27126", dup325); + +var msg29232 = msg("27127", dup325); + +var msg29233 = msg("27128", dup325); + +var msg29234 = msg("27129", dup325); + +var msg29235 = msg("27130", dup325); + +var msg29236 = msg("27131", dup325); + +var msg29237 = msg("27132", dup325); + +var msg29238 = msg("27133", dup325); + +var msg29239 = msg("27134", dup325); + +var msg29240 = msg("27135", dup325); + +var msg29241 = msg("27136", dup311); + +var msg29242 = msg("27137", dup311); + +var msg29243 = msg("27138", dup311); + +var msg29244 = msg("27139", dup311); + +var msg29245 = msg("27140", dup311); + +var msg29246 = msg("27141", dup311); + +var msg29247 = msg("27142", dup311); + +var msg29248 = msg("27143", dup311); + +var msg29249 = msg("27144", dup311); + +var msg29250 = msg("27145", dup321); + +var msg29251 = msg("27146", dup321); + +var msg29252 = msg("27147", dup325); + +var msg29253 = msg("27148", dup325); + +var msg29254 = msg("27149", dup325); + +var msg29255 = msg("27150", dup325); + +var msg29256 = msg("27151", dup325); + +var msg29257 = msg("27152", dup325); + +var msg29258 = msg("27153", dup325); + +var msg29259 = msg("27154", dup325); + +var msg29260 = msg("27155", dup321); + +var msg29261 = msg("27156", dup309); + +var msg29262 = msg("27157", dup309); + +var msg29263 = msg("27158", dup321); + +var msg29264 = msg("27159", dup321); + +var msg29265 = msg("27160", dup321); + +var msg29266 = msg("27161", dup311); + +var msg29267 = msg("27162", dup311); + +var msg29268 = msg("27163", dup311); + +var msg29269 = msg("27164", dup311); + +var msg29270 = msg("27165", dup314); + +var msg29271 = msg("27166", dup309); + +var msg29272 = msg("27167", dup309); + +var msg29273 = msg("27168", dup309); + +var msg29274 = msg("27169", dup321); + +var msg29275 = msg("27170", dup309); + +var msg29276 = msg("27171", dup325); + +var msg29277 = msg("27172", dup325); + +var msg29278 = msg("27173", dup314); + +var msg29279 = msg("27174", dup314); + +var msg29280 = msg("27175", dup314); + +var msg29281 = msg("27176", dup314); + +var msg29282 = msg("27177", dup314); + +var msg29283 = msg("27178", dup321); + +var all56 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup111, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg29284 = msg("27179", all56); + +var msg29285 = msg("27180", dup321); + +var msg29286 = msg("27181", dup321); + +var msg29287 = msg("27182", dup325); + +var msg29288 = msg("27183", dup325); + +var msg29289 = msg("27184", dup325); + +var msg29290 = msg("27185", dup325); + +var msg29291 = msg("27186", dup325); + +var msg29292 = msg("27187", dup325); + +var msg29293 = msg("27188", dup314); + +var msg29294 = msg("27189", dup314); + +var msg29295 = msg("27190", dup314); + +var msg29296 = msg("27191", dup314); + +var msg29297 = msg("27192", dup314); + +var msg29298 = msg("27193", dup324); + +var msg29299 = msg("27194", dup324); + +var msg29300 = msg("27195", dup324); + +var msg29301 = msg("27196", dup314); + +var msg29302 = msg("27197", dup321); + +var msg29303 = msg("27198", dup321); + +var msg29304 = msg("27199", dup321); + +var msg29305 = msg("27200", dup321); + +var msg29306 = msg("27201", dup321); + +var msg29307 = msg("27202", dup310); + +var msg29308 = msg("27203", dup314); + +var msg29309 = msg("27204", dup321); + +var msg29310 = msg("27205", dup309); + +var msg29311 = msg("27206", dup314); + +var msg29312 = msg("27207", dup314); + +var msg29313 = msg("27208", dup309); + +var msg29314 = msg("27209", dup311); + +var msg29315 = msg("27210", dup323); + +var msg29316 = msg("27211", dup309); + +var msg29317 = msg("27212", dup309); + +var msg29318 = msg("27213", dup309); + +var msg29319 = msg("27214", dup309); + +var msg29320 = msg("27215", dup309); + +var msg29321 = msg("27216", dup309); + +var msg29322 = msg("27217", dup309); + +var msg29323 = msg("27218", dup314); + +var msg29324 = msg("27219", dup314); + +var msg29325 = msg("27220", dup311); + +var msg29326 = msg("27221", dup311); + +var msg29327 = msg("27222", dup311); + +var msg29328 = msg("27223", dup314); + +var msg29329 = msg("27224", dup314); + +var msg29330 = msg("27225", dup324); + +var msg29331 = msg("27226", dup314); + +var msg29332 = msg("27227", dup328); + +var msg29333 = msg("27228", dup321); + +var msg29334 = msg("27229", dup311); + +var msg29335 = msg("27230", dup314); + +var msg29336 = msg("27231", dup314); + +var msg29337 = msg("27232", dup309); + +var msg29338 = msg("27233", dup309); + +var msg29339 = msg("27234", dup324); + +var msg29340 = msg("27235", dup311); + +var msg29341 = msg("27236", dup309); + +var msg29342 = msg("27237", dup314); + +var msg29343 = msg("27238", dup314); + +var msg29344 = msg("27239", dup314); + +var msg29345 = msg("27240", dup323); + +var msg29346 = msg("27241", dup311); + +var msg29347 = msg("27242", dup311); + +var msg29348 = msg("27243", dup314); + +var msg29349 = msg("27244", dup314); + +var msg29350 = msg("27245", dup311); + +var msg29351 = msg("27246", dup321); + +var msg29352 = msg("27247", dup321); + +var msg29353 = msg("27248", dup321); + +var msg29354 = msg("27249", dup309); + +var msg29355 = msg("27250", dup309); + +var msg29356 = msg("27251", dup309); + +var msg29357 = msg("27252", dup321); + +var msg29358 = msg("27253", dup321); + +var msg29359 = msg("27254", dup321); + +var msg29360 = msg("27255", dup200); + +var msg29361 = msg("27256", dup321); + +var msg29362 = msg("27257", dup321); + +var msg29363 = msg("27258", dup314); + +var msg29364 = msg("27259", dup314); + +var msg29365 = msg("27260", dup321); + +var msg29366 = msg("27261", dup309); + +var msg29367 = msg("27262", dup309); + +var msg29368 = msg("27263", dup325); + +var msg29369 = msg("27264", dup309); + +var msg29370 = msg("27265", dup309); + +var msg29371 = msg("27266", dup309); + +var msg29372 = msg("27267", dup307); + +var msg29373 = msg("27268", dup307); + +var msg29374 = msg("27269", dup333); + +var msg29375 = msg("27270", dup333); + +var msg29376 = msg("27271", dup311); + +var msg29377 = msg("27272", dup314); + +var msg29378 = msg("27273", dup311); + +var msg29379 = msg("27274", dup311); + +var msg29380 = msg("27275", dup314); + +var msg29381 = msg("27276", dup314); + +var msg29382 = msg("27277", dup314); + +var msg29383 = msg("27278", dup309); + +var msg29384 = msg("27279", dup309); + +var msg29385 = msg("27280", dup309); + +var msg29386 = msg("27281", dup309); + +var msg29387 = msg("27282", dup314); + +var msg29388 = msg("27283", dup314); + +var msg29389 = msg("27284", dup314); + +var msg29390 = msg("27285", dup322); + +var msg29391 = msg("27286", dup322); + +var msg29392 = msg("27287", dup322); + +var msg29393 = msg("27288", dup322); + +var msg29394 = msg("27289", dup321); + +var msg29395 = msg("27290", dup321); + +var msg29396 = msg("27291", dup321); + +var msg29397 = msg("27292", dup321); + +var msg29398 = msg("27293", dup321); + +var msg29399 = msg("27294", dup321); + +var msg29400 = msg("27295", dup321); + +var msg29401 = msg("27296", dup321); + +var msg29402 = msg("27297", dup321); + +var msg29403 = msg("27298", dup321); + +var msg29404 = msg("27299", dup321); + +var msg29405 = msg("27300", dup321); + +var msg29406 = msg("27301", dup321); + +var msg29407 = msg("27302", dup321); + +var msg29408 = msg("27303", dup321); + +var msg29409 = msg("27304", dup321); + +var msg29410 = msg("27305", dup321); + +var msg29411 = msg("27306", dup321); + +var msg29412 = msg("27307", dup321); + +var msg29413 = msg("27308", dup321); + +var msg29414 = msg("27309", dup321); + +var msg29415 = msg("27310", dup321); + +var msg29416 = msg("27311", dup321); + +var msg29417 = msg("27312", dup321); + +var msg29418 = msg("27313", dup321); + +var msg29419 = msg("27314", dup321); + +var msg29420 = msg("27315", dup321); + +var msg29421 = msg("27316", dup321); + +var msg29422 = msg("27317", dup321); + +var msg29423 = msg("27318", dup321); + +var msg29424 = msg("27319", dup321); + +var msg29425 = msg("27320", dup321); + +var msg29426 = msg("27321", dup321); + +var msg29427 = msg("27322", dup321); + +var msg29428 = msg("27323", dup321); + +var msg29429 = msg("27324", dup321); + +var msg29430 = msg("27325", dup321); + +var msg29431 = msg("27326", dup321); + +var msg29432 = msg("27327", dup321); + +var msg29433 = msg("27328", dup321); + +var msg29434 = msg("27329", dup321); + +var msg29435 = msg("27330", dup321); + +var msg29436 = msg("27331", dup321); + +var msg29437 = msg("27332", dup321); + +var msg29438 = msg("27333", dup321); + +var msg29439 = msg("27334", dup321); + +var msg29440 = msg("27335", dup321); + +var msg29441 = msg("27336", dup321); + +var msg29442 = msg("27337", dup321); + +var msg29443 = msg("27338", dup321); + +var msg29444 = msg("27339", dup321); + +var msg29445 = msg("27340", dup321); + +var msg29446 = msg("27341", dup321); + +var msg29447 = msg("27342", dup321); + +var msg29448 = msg("27343", dup321); + +var msg29449 = msg("27344", dup321); + +var msg29450 = msg("27345", dup321); + +var msg29451 = msg("27346", dup321); + +var msg29452 = msg("27347", dup321); + +var msg29453 = msg("27348", dup321); + +var msg29454 = msg("27349", dup321); + +var msg29455 = msg("27350", dup321); + +var msg29456 = msg("27351", dup321); + +var msg29457 = msg("27352", dup321); + +var msg29458 = msg("27353", dup321); + +var msg29459 = msg("27354", dup321); + +var msg29460 = msg("27355", dup321); + +var msg29461 = msg("27356", dup321); + +var msg29462 = msg("27357", dup321); + +var msg29463 = msg("27358", dup321); + +var msg29464 = msg("27359", dup321); + +var msg29465 = msg("27360", dup321); + +var msg29466 = msg("27361", dup321); + +var msg29467 = msg("27362", dup321); + +var msg29468 = msg("27363", dup321); + +var msg29469 = msg("27364", dup321); + +var msg29470 = msg("27365", dup321); + +var msg29471 = msg("27366", dup321); + +var msg29472 = msg("27367", dup321); + +var msg29473 = msg("27368", dup321); + +var msg29474 = msg("27369", dup321); + +var msg29475 = msg("27370", dup321); + +var msg29476 = msg("27371", dup321); + +var msg29477 = msg("27372", dup321); + +var msg29478 = msg("27373", dup321); + +var msg29479 = msg("27374", dup321); + +var msg29480 = msg("27375", dup321); + +var msg29481 = msg("27376", dup321); + +var msg29482 = msg("27377", dup321); + +var msg29483 = msg("27378", dup321); + +var msg29484 = msg("27379", dup321); + +var msg29485 = msg("27380", dup321); + +var msg29486 = msg("27381", dup321); + +var msg29487 = msg("27382", dup321); + +var msg29488 = msg("27383", dup321); + +var msg29489 = msg("27384", dup321); + +var msg29490 = msg("27385", dup321); + +var msg29491 = msg("27386", dup321); + +var msg29492 = msg("27387", dup321); + +var msg29493 = msg("27388", dup321); + +var msg29494 = msg("27389", dup321); + +var msg29495 = msg("27390", dup321); + +var msg29496 = msg("27391", dup321); + +var msg29497 = msg("27392", dup321); + +var msg29498 = msg("27393", dup321); + +var msg29499 = msg("27394", dup321); + +var msg29500 = msg("27395", dup321); + +var msg29501 = msg("27396", dup321); + +var msg29502 = msg("27397", dup321); + +var msg29503 = msg("27398", dup321); + +var msg29504 = msg("27399", dup321); + +var msg29505 = msg("27400", dup321); + +var msg29506 = msg("27401", dup321); + +var msg29507 = msg("27402", dup321); + +var msg29508 = msg("27403", dup321); + +var msg29509 = msg("27404", dup321); + +var msg29510 = msg("27405", dup321); + +var msg29511 = msg("27406", dup321); + +var msg29512 = msg("27407", dup321); + +var msg29513 = msg("27408", dup321); + +var msg29514 = msg("27409", dup321); + +var msg29515 = msg("27410", dup321); + +var msg29516 = msg("27411", dup321); + +var msg29517 = msg("27412", dup321); + +var msg29518 = msg("27413", dup321); + +var msg29519 = msg("27414", dup321); + +var msg29520 = msg("27415", dup321); + +var msg29521 = msg("27416", dup321); + +var msg29522 = msg("27417", dup321); + +var msg29523 = msg("27418", dup321); + +var msg29524 = msg("27419", dup321); + +var msg29525 = msg("27420", dup321); + +var msg29526 = msg("27421", dup321); + +var msg29527 = msg("27422", dup321); + +var msg29528 = msg("27423", dup321); + +var msg29529 = msg("27424", dup321); + +var msg29530 = msg("27425", dup321); + +var msg29531 = msg("27426", dup321); + +var msg29532 = msg("27427", dup321); + +var msg29533 = msg("27428", dup321); + +var msg29534 = msg("27429", dup321); + +var msg29535 = msg("27430", dup321); + +var msg29536 = msg("27431", dup321); + +var msg29537 = msg("27432", dup321); + +var msg29538 = msg("27433", dup321); + +var msg29539 = msg("27434", dup321); + +var msg29540 = msg("27435", dup321); + +var msg29541 = msg("27436", dup321); + +var msg29542 = msg("27437", dup321); + +var msg29543 = msg("27438", dup321); + +var msg29544 = msg("27439", dup321); + +var msg29545 = msg("27440", dup321); + +var msg29546 = msg("27441", dup321); + +var msg29547 = msg("27442", dup321); + +var msg29548 = msg("27443", dup321); + +var msg29549 = msg("27444", dup321); + +var msg29550 = msg("27445", dup321); + +var msg29551 = msg("27446", dup321); + +var msg29552 = msg("27447", dup321); + +var msg29553 = msg("27448", dup321); + +var msg29554 = msg("27449", dup321); + +var msg29555 = msg("27450", dup321); + +var msg29556 = msg("27451", dup321); + +var msg29557 = msg("27452", dup321); + +var msg29558 = msg("27453", dup321); + +var msg29559 = msg("27454", dup321); + +var msg29560 = msg("27455", dup321); + +var msg29561 = msg("27456", dup321); + +var msg29562 = msg("27457", dup321); + +var msg29563 = msg("27458", dup321); + +var msg29564 = msg("27459", dup321); + +var msg29565 = msg("27460", dup321); + +var msg29566 = msg("27461", dup321); + +var msg29567 = msg("27462", dup321); + +var msg29568 = msg("27463", dup321); + +var msg29569 = msg("27464", dup321); + +var msg29570 = msg("27465", dup321); + +var msg29571 = msg("27466", dup321); + +var msg29572 = msg("27467", dup321); + +var msg29573 = msg("27468", dup321); + +var msg29574 = msg("27469", dup321); + +var msg29575 = msg("27470", dup321); + +var msg29576 = msg("27471", dup321); + +var msg29577 = msg("27472", dup321); + +var msg29578 = msg("27473", dup321); + +var msg29579 = msg("27474", dup321); + +var msg29580 = msg("27475", dup321); + +var msg29581 = msg("27476", dup321); + +var msg29582 = msg("27477", dup321); + +var msg29583 = msg("27478", dup321); + +var msg29584 = msg("27479", dup321); + +var msg29585 = msg("27480", dup321); + +var msg29586 = msg("27481", dup321); + +var msg29587 = msg("27482", dup321); + +var msg29588 = msg("27483", dup321); + +var msg29589 = msg("27484", dup321); + +var msg29590 = msg("27485", dup321); + +var msg29591 = msg("27486", dup321); + +var msg29592 = msg("27487", dup321); + +var msg29593 = msg("27488", dup321); + +var msg29594 = msg("27489", dup321); + +var msg29595 = msg("27490", dup321); + +var msg29596 = msg("27491", dup321); + +var msg29597 = msg("27492", dup321); + +var msg29598 = msg("27493", dup321); + +var msg29599 = msg("27494", dup321); + +var msg29600 = msg("27495", dup321); + +var msg29601 = msg("27496", dup321); + +var msg29602 = msg("27497", dup321); + +var msg29603 = msg("27498", dup321); + +var msg29604 = msg("27499", dup321); + +var msg29605 = msg("27500", dup321); + +var msg29606 = msg("27501", dup321); + +var msg29607 = msg("27502", dup321); + +var msg29608 = msg("27503", dup321); + +var msg29609 = msg("27504", dup321); + +var msg29610 = msg("27505", dup321); + +var msg29611 = msg("27506", dup321); + +var msg29612 = msg("27507", dup321); + +var msg29613 = msg("27508", dup321); + +var msg29614 = msg("27509", dup321); + +var msg29615 = msg("27510", dup321); + +var msg29616 = msg("27511", dup321); + +var msg29617 = msg("27512", dup321); + +var msg29618 = msg("27513", dup321); + +var msg29619 = msg("27514", dup321); + +var msg29620 = msg("27515", dup321); + +var msg29621 = msg("27516", dup321); + +var msg29622 = msg("27517", dup321); + +var msg29623 = msg("27518", dup321); + +var msg29624 = msg("27519", dup321); + +var msg29625 = msg("27520", dup321); + +var msg29626 = msg("27521", dup321); + +var msg29627 = msg("27522", dup321); + +var msg29628 = msg("27523", dup321); + +var msg29629 = msg("27524", dup321); + +var msg29630 = msg("27525", dup309); + +var msg29631 = msg("27526", dup309); + +var msg29632 = msg("27527", dup309); + +var msg29633 = msg("27528", dup309); + +var msg29634 = msg("27529", dup309); + +var msg29635 = msg("27530", dup309); + +var msg29636 = msg("27531", dup325); + +var msg29637 = msg("27532", dup311); + +var msg29638 = msg("27533", dup321); + +var msg29639 = msg("27534", dup321); + +var msg29640 = msg("27535", dup321); + +var msg29641 = msg("27536", dup323); + +var msg29642 = msg("27537", dup321); + +var msg29643 = msg("27538", dup321); + +var msg29644 = msg("27539", dup309); + +var msg29645 = msg("27540", dup329); + +var msg29646 = msg("27541", dup329); + +var msg29647 = msg("27542", dup314); + +var msg29648 = msg("27543", dup314); + +var msg29649 = msg("27544", dup321); + +var msg29650 = msg("27545", dup321); + +var msg29651 = msg("27546", dup321); + +var msg29652 = msg("27547", dup321); + +var msg29653 = msg("27548", dup321); + +var msg29654 = msg("27549", dup321); + +var msg29655 = msg("27550", dup311); + +var msg29656 = msg("27551", dup321); + +var msg29657 = msg("27552", dup311); + +var msg29658 = msg("27553", dup311); + +var msg29659 = msg("27554", dup311); + +var msg29660 = msg("27555", dup311); + +var msg29661 = msg("27556", dup311); + +var msg29662 = msg("27557", dup311); + +var msg29663 = msg("27558", dup321); + +var msg29664 = msg("27559", dup321); + +var msg29665 = msg("27560", dup321); + +var msg29666 = msg("27561", dup321); + +var msg29667 = msg("27562", dup321); + +var msg29668 = msg("27563", dup321); + +var msg29669 = msg("27564", dup333); + +var msg29670 = msg("27565", dup311); + +var msg29671 = msg("27566", dup321); + +var msg29672 = msg("27567", dup325); + +var msg29673 = msg("27568", dup311); + +var msg29674 = msg("27569", dup307); + +var msg29675 = msg("27570", dup314); + +var msg29676 = msg("27571", dup309); + +var msg29677 = msg("27572", dup311); + +var msg29678 = msg("27573", dup311); + +var msg29679 = msg("27574", dup311); + +var msg29680 = msg("27575", dup311); + +var msg29681 = msg("27576", dup309); + +var msg29682 = msg("27577", dup321); + +var msg29683 = msg("27578", dup200); + +var msg29684 = msg("27579", dup311); + +var msg29685 = msg("27580", dup307); + +var msg29686 = msg("27581", dup307); + +var msg29687 = msg("27582", dup307); + +var msg29688 = msg("27583", dup307); + +var msg29689 = msg("27584", dup307); + +var msg29690 = msg("27585", dup307); + +var msg29691 = msg("27586", dup307); + +var msg29692 = msg("27587", dup307); + +var msg29693 = msg("27588", dup307); + +var msg29694 = msg("27589", dup307); + +var msg29695 = msg("27590", dup307); + +var msg29696 = msg("27591", dup307); + +var msg29697 = msg("27592", dup311); + +var msg29698 = msg("27593", dup314); + +var msg29699 = msg("27594", dup321); + +var msg29700 = msg("27595", dup321); + +var msg29701 = msg("27596", dup321); + +var msg29702 = msg("27597", dup311); + +var msg29703 = msg("27598", dup316); + +var msg29704 = msg("27599", dup321); + +var msg29705 = msg("27600", dup321); + +var msg29706 = msg("27601", dup321); + +var msg29707 = msg("27602", dup311); + +var msg29708 = msg("27603", dup311); + +var msg29709 = msg("27604", dup326); + +var msg29710 = msg("27605", dup325); + +var msg29711 = msg("27606", dup325); + +var msg29712 = msg("27607", dup325); + +var msg29713 = msg("27608", dup309); + +var msg29714 = msg("27609", dup314); + +var msg29715 = msg("27610", dup334); + +var msg29716 = msg("27611", dup334); + +var msg29717 = msg("27612", dup325); + +var msg29718 = msg("27613", dup325); + +var msg29719 = msg("27614", dup325); + +var msg29720 = msg("27615", dup325); + +var msg29721 = msg("27616", dup325); + +var msg29722 = msg("27617", dup309); + +var msg29723 = msg("27618", dup309); + +var msg29724 = msg("27619", dup309); + +var msg29725 = msg("27620", dup325); + +var msg29726 = msg("27621", dup311); + +var msg29727 = msg("27622", dup311); + +var msg29728 = msg("27623", dup311); + +var msg29729 = msg("27624", dup334); + +var msg29730 = msg("27625", dup321); + +var msg29731 = msg("27626", dup333); + +var msg29732 = msg("27627", dup321); + +var msg29733 = msg("27628", dup321); + +var msg29734 = msg("27629", dup321); + +var msg29735 = msg("27630", dup321); + +var msg29736 = msg("27631", dup321); + +var msg29737 = msg("27632", dup321); + +var msg29738 = msg("27633", dup321); + +var msg29739 = msg("27634", dup309); + +var msg29740 = msg("27635", dup309); + +var msg29741 = msg("27636", dup321); + +var msg29742 = msg("27637", dup321); + +var msg29743 = msg("27638", dup314); + +var msg29744 = msg("27639", dup323); + +var msg29745 = msg("27640", dup321); + +var msg29746 = msg("27641", dup321); + +var msg29747 = msg("27642", dup321); + +var msg29748 = msg("27643", dup321); + +var msg29749 = msg("27644", dup321); + +var msg29750 = msg("27645", dup321); + +var msg29751 = msg("27646", dup309); + +var msg29752 = msg("27647", dup321); + +var msg29753 = msg("27648", dup321); + +var msg29754 = msg("27649", dup321); + +var msg29755 = msg("27650", dup321); + +var msg29756 = msg("27651", dup321); + +var msg29757 = msg("27652", dup321); + +var msg29758 = msg("27653", dup321); + +var msg29759 = msg("27654", dup321); + +var msg29760 = msg("27655", dup321); + +var msg29761 = msg("27656", dup311); + +var msg29762 = msg("27657", dup311); + +var msg29763 = msg("27658", dup311); + +var msg29764 = msg("27659", dup321); + +var msg29765 = msg("27660", dup321); + +var msg29766 = msg("27661", dup321); + +var msg29767 = msg("27662", dup321); + +var msg29768 = msg("27663", dup325); + +var msg29769 = msg("27664", dup321); + +var msg29770 = msg("27665", dup321); + +var msg29771 = msg("27666", dup324); + +var msg29772 = msg("27667", dup314); + +var msg29773 = msg("27668", dup314); + +var msg29774 = msg("27669", dup314); + +var msg29775 = msg("27670", dup321); + +var msg29776 = msg("27671", dup309); + +var msg29777 = msg("27672", dup311); + +var msg29778 = msg("27673", dup311); + +var msg29779 = msg("27674", dup311); + +var msg29780 = msg("27675", dup311); + +var msg29781 = msg("27676", dup311); + +var msg29782 = msg("27677", dup311); + +var msg29783 = msg("27678", dup321); + +var msg29784 = msg("27679", dup321); + +var msg29785 = msg("27680", dup321); + +var msg29786 = msg("27681", dup322); + +var msg29787 = msg("27682", dup322); + +var msg29788 = msg("27683", dup322); + +var msg29789 = msg("27684", dup322); + +var msg29790 = msg("27685", dup322); + +var msg29791 = msg("27686", dup322); + +var msg29792 = msg("27687", dup322); + +var msg29793 = msg("27688", dup314); + +var msg29794 = msg("27689", dup330); + +var msg29795 = msg("27690", dup330); + +var msg29796 = msg("27691", dup309); + +var msg29797 = msg("27692", dup309); + +var msg29798 = msg("27693", dup309); + +var msg29799 = msg("27694", dup309); + +var msg29800 = msg("27695", dup311); + +var msg29801 = msg("27696", dup311); + +var msg29802 = msg("27697", dup311); + +var msg29803 = msg("27698", dup333); + +var msg29804 = msg("27699", dup321); + +var msg29805 = msg("27700", dup327); + +var msg29806 = msg("27701", dup311); + +var msg29807 = msg("27702", dup311); + +var msg29808 = msg("27703", dup311); + +var msg29809 = msg("27704", dup311); + +var msg29810 = msg("27705", dup311); + +var msg29811 = msg("27706", dup311); + +var msg29812 = msg("27707", dup321); + +var msg29813 = msg("27708", dup321); + +var msg29814 = msg("27709", dup325); + +var msg29815 = msg("27710", dup325); + +var msg29816 = msg("27711", dup321); + +var msg29817 = msg("27712", dup311); + +var msg29818 = msg("27713", dup311); + +var msg29819 = msg("27714", dup311); + +var msg29820 = msg("27715", dup311); + +var msg29821 = msg("27716", dup311); + +var msg29822 = msg("27717", dup311); + +var msg29823 = msg("27718", dup309); + +var msg29824 = msg("27719", dup309); + +var msg29825 = msg("27720", dup321); + +var msg29826 = msg("27721", dup311); + +var msg29827 = msg("27722", dup311); + +var msg29828 = msg("27723", dup322); + +var msg29829 = msg("27724", dup322); + +var msg29830 = msg("27725", dup335); + +var msg29831 = msg("27726", dup324); + +var msg29832 = msg("27727", dup324); + +var msg29833 = msg("27728", dup324); + +var msg29834 = msg("27729", dup314); + +var msg29835 = msg("27730", dup314); + +var msg29836 = msg("27731", dup314); + +var msg29837 = msg("27732", dup314); + +var msg29838 = msg("27733", dup307); + +var msg29839 = msg("27734", dup307); + +var msg29840 = msg("27735", dup311); + +var msg29841 = msg("27736", dup311); + +var msg29842 = msg("27737", dup311); + +var msg29843 = msg("27738", dup307); + +var msg29844 = msg("27739", dup307); + +var msg29845 = msg("27740", dup307); + +var msg29846 = msg("27741", dup307); + +var msg29847 = msg("27742", dup309); + +var msg29848 = msg("27743", dup309); + +var msg29849 = msg("27744", dup309); + +var msg29850 = msg("27745", dup309); + +var msg29851 = msg("27746", dup321); + +var msg29852 = msg("27747", dup321); + +var msg29853 = msg("27748", dup322); + +var msg29854 = msg("27749", dup322); + +var msg29855 = msg("27750", dup309); + +var msg29856 = msg("27751", dup309); + +var msg29857 = msg("27752", dup322); + +var msg29858 = msg("27753", dup322); + +var msg29859 = msg("27754", dup309); + +var msg29860 = msg("27755", dup309); + +var msg29861 = msg("27756", dup311); + +var msg29862 = msg("27757", dup314); + +var msg29863 = msg("27758", dup314); + +var msg29864 = msg("27759", dup321); + +var msg29865 = msg("27760", dup314); + +var msg29866 = msg("27761", dup314); + +var msg29867 = msg("27762", dup314); + +var msg29868 = msg("27763", dup314); + +var msg29869 = msg("27764", dup309); + +var msg29870 = msg("27765", dup309); + +var msg29871 = msg("27766", dup314); + +var msg29872 = msg("27767", dup314); + +var msg29873 = msg("27768", dup314); + +var msg29874 = msg("27769", dup309); + +var msg29875 = msg("27770", dup309); + +var msg29876 = msg("27771", dup309); + +var msg29877 = msg("27772", dup309); + +var msg29878 = msg("27773", dup309); + +var msg29879 = msg("27774", dup321); + +var msg29880 = msg("27775", dup321); + +var msg29881 = msg("27776", dup307); + +var msg29882 = msg("27777", dup311); + +var msg29883 = msg("27778", dup307); + +var msg29884 = msg("27779", dup307); + +var msg29885 = msg("27780", dup307); + +var msg29886 = msg("27781", dup314); + +var msg29887 = msg("27782", dup314); + +var msg29888 = msg("27783", dup311); + +var msg29889 = msg("27784", dup311); + +var msg29890 = msg("27785", dup311); + +var msg29891 = msg("27786", dup309); + +var msg29892 = msg("27787", dup309); + +var msg29893 = msg("27788", dup314); + +var msg29894 = msg("27789", dup314); + +var msg29895 = msg("27790", dup314); + +var msg29896 = msg("27791", dup314); + +var msg29897 = msg("27792", dup314); + +var msg29898 = msg("27793", dup314); + +var msg29899 = msg("27794", dup314); + +var msg29900 = msg("27795", dup314); + +var msg29901 = msg("27796", dup322); + +var msg29902 = msg("27797", dup322); + +var msg29903 = msg("27798", dup314); + +var msg29904 = msg("27799", dup314); + +var msg29905 = msg("27800", dup314); + +var msg29906 = msg("27801", dup321); + +var msg29907 = msg("27802", dup321); + +var msg29908 = msg("27803", dup321); + +var msg29909 = msg("27804", dup321); + +var msg29910 = msg("27805", dup321); + +var msg29911 = msg("27806", dup321); + +var msg29912 = msg("27807", dup311); + +var msg29913 = msg("27808", dup311); + +var msg29914 = msg("27809", dup311); + +var msg29915 = msg("27810", dup311); + +var msg29916 = msg("27811", dup321); + +var msg29917 = msg("27812", dup321); + +var msg29918 = msg("27813", dup311); + +var msg29919 = msg("27814", dup311); + +var msg29920 = msg("27815", dup311); + +var msg29921 = msg("27816", dup307); + +var msg29922 = msg("27817", dup321); + +var msg29923 = msg("27818", dup324); + +var msg29924 = msg("27819", dup324); + +var msg29925 = msg("27820", dup309); + +var msg29926 = msg("27821", dup309); + +var msg29927 = msg("27822", dup311); + +var msg29928 = msg("27823", dup325); + +var msg29929 = msg("27824", dup309); + +var msg29930 = msg("27825", dup309); + +var msg29931 = msg("27826", dup311); + +var msg29932 = msg("27827", dup311); + +var msg29933 = msg("27828", dup311); + +var msg29934 = msg("27829", dup325); + +var msg29935 = msg("27830", dup325); + +var msg29936 = msg("27831", dup323); + +var msg29937 = msg("27832", dup323); + +var msg29938 = msg("27833", dup323); + +var msg29939 = msg("27834", dup323); + +var msg29940 = msg("27835", dup325); + +var msg29941 = msg("27836", dup325); + +var msg29942 = msg("27837", dup325); + +var msg29943 = msg("27838", dup325); + +var msg29944 = msg("27839", dup325); + +var msg29945 = msg("27840", dup325); + +var msg29946 = msg("27841", dup325); + +var msg29947 = msg("27842", dup325); + +var msg29948 = msg("27843", dup325); + +var msg29949 = msg("27844", dup325); + +var msg29950 = msg("27845", dup311); + +var msg29951 = msg("27846", dup311); + +var msg29952 = msg("27847", dup314); + +var msg29953 = msg("27848", dup314); + +var msg29954 = msg("27849", dup314); + +var msg29955 = msg("27850", dup309); + +var msg29956 = msg("27851", dup309); + +var msg29957 = msg("27852", dup309); + +var msg29958 = msg("27853", dup309); + +var msg29959 = msg("27854", dup309); + +var msg29960 = msg("27855", dup309); + +var msg29961 = msg("27856", dup309); + +var msg29962 = msg("27857", dup309); + +var msg29963 = msg("27858", dup309); + +var msg29964 = msg("27859", dup309); + +var msg29965 = msg("27860", dup324); + +var msg29966 = msg("27861", dup314); + +var msg29967 = msg("27862", dup323); + +var msg29968 = msg("27863", dup311); + +var msg29969 = msg("27864", dup321); + +var msg29970 = msg("27865", dup311); + +var msg29971 = msg("27866", dup311); + +var msg29972 = msg("27867", dup321); + +var msg29973 = msg("27868", dup325); + +var msg29974 = msg("27869", dup314); + +var msg29975 = msg("27870", dup314); + +var msg29976 = msg("27871", dup314); + +var msg29977 = msg("27872", dup314); + +var msg29978 = msg("27873", dup311); + +var msg29979 = msg("27874", dup311); + +var msg29980 = msg("27875", dup311); + +var msg29981 = msg("27876", dup311); + +var msg29982 = msg("27877", dup311); + +var msg29983 = msg("27878", dup311); + +var msg29984 = msg("27879", dup311); + +var msg29985 = msg("27880", dup311); + +var msg29986 = msg("27881", dup311); + +var msg29987 = msg("27882", dup311); + +var msg29988 = msg("27883", dup311); + +var msg29989 = msg("27884", dup311); + +var msg29990 = msg("27885", dup311); + +var msg29991 = msg("27886", dup311); + +var msg29992 = msg("27887", dup311); + +var msg29993 = msg("27888", dup311); + +var msg29994 = msg("27889", dup311); + +var msg29995 = msg("27890", dup311); + +var msg29996 = msg("27891", dup311); + +var msg29997 = msg("27892", dup311); + +var msg29998 = msg("27893", dup311); + +var msg29999 = msg("27894", dup307); + +var msg30000 = msg("27895", dup307); + +var msg30001 = msg("27896", dup307); + +var msg30002 = msg("27897", dup307); + +var msg30003 = msg("27898", dup307); + +var msg30004 = msg("27899", dup323); + +var msg30005 = msg("27900", dup323); + +var msg30006 = msg("27901", dup311); + +var msg30007 = msg("27902", dup323); + +var msg30008 = msg("27903", dup311); + +var msg30009 = msg("27904", dup323); + +var msg30010 = msg("27905", dup321); + +var msg30011 = msg("27906", dup311); + +var msg30012 = msg("27907", dup311); + +var msg30013 = msg("27908", dup325); + +var msg30014 = msg("27909", dup325); + +var msg30015 = msg("27910", dup321); + +var msg30016 = msg("27911", dup311); + +var msg30017 = msg("27912", dup311); + +var msg30018 = msg("27913", dup321); + +var msg30019 = msg("27914", dup321); + +var msg30020 = msg("27915", dup321); + +var msg30021 = msg("27916", dup321); + +var msg30022 = msg("27917", dup321); + +var msg30023 = msg("27918", dup321); + +var msg30024 = msg("27919", dup321); + +var msg30025 = msg("27920", dup311); + +var msg30026 = msg("27921", dup316); + +var msg30027 = msg("27922", dup314); + +var msg30028 = msg("27923", dup314); + +var msg30029 = msg("27924", dup314); + +var msg30030 = msg("27925", dup314); + +var msg30031 = msg("27926", dup314); + +var msg30032 = msg("27927", dup314); + +var msg30033 = msg("27928", dup314); + +var msg30034 = msg("27929", dup314); + +var msg30035 = msg("27930", dup329); + +var msg30036 = msg("27931", dup329); + +var msg30037 = msg("27932", dup329); + +var msg30038 = msg("27933", dup314); + +var msg30039 = msg("27934", dup314); + +var msg30040 = msg("27935", dup311); + +var msg30041 = msg("27936", dup311); + +var msg30042 = msg("27937", dup314); + +var msg30043 = msg("27938", dup329); + +var msg30044 = msg("27939", dup321); + +var msg30045 = msg("27940", dup324); + +var msg30046 = msg("27941", dup314); + +var msg30047 = msg("27942", dup311); + +var msg30048 = msg("27943", dup311); + +var msg30049 = msg("27944", dup311); + +var msg30050 = msg("27945", dup309); + +var msg30051 = msg("27946", dup321); + +var msg30052 = msg("27947", dup309); + +var msg30053 = msg("27948", dup309); + +var msg30054 = msg("27949", dup321); + +var msg30055 = msg("27950", dup321); + +var msg30056 = msg("27951", dup321); + +var msg30057 = msg("27952", dup321); + +var msg30058 = msg("27953", dup321); + +var msg30059 = msg("27954", dup321); + +var msg30060 = msg("27955", dup321); + +var msg30061 = msg("27956", dup321); + +var msg30062 = msg("27957", dup321); + +var msg30063 = msg("27958", dup321); + +var msg30064 = msg("27959", dup321); + +var msg30065 = msg("27960", dup321); + +var msg30066 = msg("27961", dup321); + +var msg30067 = msg("27962", dup321); + +var msg30068 = msg("27963", dup321); + +var msg30069 = msg("27964", dup321); + +var msg30070 = msg("27965", dup321); + +var msg30071 = msg("27966", dup321); + +var msg30072 = msg("27967", dup321); + +var msg30073 = msg("27968", dup321); + +var msg30074 = msg("27969", dup321); + +var msg30075 = msg("27970", dup321); + +var msg30076 = msg("27971", dup321); + +var msg30077 = msg("27972", dup321); + +var msg30078 = msg("27973", dup321); + +var msg30079 = msg("27974", dup321); + +var msg30080 = msg("27975", dup321); + +var msg30081 = msg("27976", dup321); + +var msg30082 = msg("27977", dup321); + +var msg30083 = msg("27978", dup321); + +var msg30084 = msg("27979", dup321); + +var msg30085 = msg("27980", dup325); + +var msg30086 = msg("27981", dup325); + +var msg30087 = msg("27982", dup311); + +var msg30088 = msg("27983", dup323); + +var msg30089 = msg("27984", dup329); + +var msg30090 = msg("27985", dup329); + +var msg30091 = msg("27986", dup329); + +var msg30092 = msg("27987", dup329); + +var msg30093 = msg("27988", dup329); + +var msg30094 = msg("27989", dup329); + +var msg30095 = msg("27990", dup329); + +var msg30096 = msg("27991", dup329); + +var msg30097 = msg("27992", dup329); + +var msg30098 = msg("27993", dup329); + +var msg30099 = msg("27994", dup329); + +var msg30100 = msg("27995", dup329); + +var msg30101 = msg("27996", dup329); + +var msg30102 = msg("27997", dup329); + +var msg30103 = msg("27998", dup329); + +var msg30104 = msg("27999", dup314); + +var msg30105 = msg("28000", dup311); + +var msg30106 = msg("28001", dup323); + +var msg30107 = msg("28002", dup336); + +var msg30108 = msg("28003", dup336); + +var msg30109 = msg("28004", dup321); + +var msg30110 = msg("28005", dup321); + +var msg30111 = msg("28006", dup321); + +var msg30112 = msg("28007", dup321); + +var msg30113 = msg("28008", dup321); + +var msg30114 = msg("28009", dup321); + +var msg30115 = msg("28010", dup321); + +var msg30116 = msg("28011", dup321); + +var msg30117 = msg("28012", dup321); + +var msg30118 = msg("28013", dup311); + +var msg30119 = msg("28014", dup311); + +var msg30120 = msg("28015", dup337); + +var msg30121 = msg("28016", dup311); + +var msg30122 = msg("28017", dup311); + +var msg30123 = msg("28018", dup311); + +var msg30124 = msg("28019", dup311); + +var msg30125 = msg("28020", dup311); + +var msg30126 = msg("28021", dup311); + +var msg30127 = msg("28022", dup311); + +var msg30128 = msg("28023", dup311); + +var msg30129 = msg("28024", dup307); + +var msg30130 = msg("28025", dup307); + +var msg30131 = msg("28026", dup311); + +var msg30132 = msg("28027", dup311); + +var msg30133 = msg("28028", dup311); + +var msg30134 = msg("28029", dup311); + +var msg30135 = msg("28030", dup311); + +var msg30136 = msg("28031", dup311); + +var msg30137 = msg("28032", dup311); + +var msg30138 = msg("28033", dup321); + +var msg30139 = msg("28034", dup321); + +var msg30140 = msg("28035", dup321); + +var msg30141 = msg("28036", dup321); + +var msg30142 = msg("28037", dup311); + +var msg30143 = msg("28038", dup311); + +var msg30144 = msg("28039", dup337); + +var msg30145 = msg("28040", dup321); + +var msg30146 = msg("28041", dup310); + +var msg30147 = msg("28042", dup321); + +var msg30148 = msg("28043", dup311); + +var msg30149 = msg("28044", dup321); + +var msg30150 = msg("28045", dup321); + +var msg30151 = msg("28046", dup314); + +var msg30152 = msg("28047", dup307); + +var msg30153 = msg("28048", dup311); + +var msg30154 = msg("28049", dup311); + +var msg30155 = msg("28050", dup311); + +var msg30156 = msg("28051", dup311); + +var msg30157 = msg("28052", dup311); + +var msg30158 = msg("28053", dup321); + +var msg30159 = msg("28054", dup307); + +var msg30160 = msg("28055", dup200); + +var msg30161 = msg("28056", dup200); + +var msg30162 = msg("28057", dup200); + +var msg30163 = msg("28058", dup321); + +var msg30164 = msg("28059", dup321); + +var msg30165 = msg("28060", dup321); + +var msg30166 = msg("28061", dup321); + +var msg30167 = msg("28062", dup321); + +var msg30168 = msg("28063", dup321); + +var msg30169 = msg("28064", dup321); + +var msg30170 = msg("28065", dup321); + +var msg30171 = msg("28066", dup321); + +var msg30172 = msg("28067", dup321); + +var msg30173 = msg("28068", dup314); + +var msg30174 = msg("28069", dup321); + +var msg30175 = msg("28070", dup321); + +var msg30176 = msg("28071", dup310); + +var msg30177 = msg("28072", dup321); + +var msg30178 = msg("28073", dup321); + +var msg30179 = msg("28074", dup321); + +var msg30180 = msg("28075", dup321); + +var msg30181 = msg("28076", dup314); + +var msg30182 = msg("28077", dup321); + +var msg30183 = msg("28078", dup321); + +var msg30184 = msg("28079", dup321); + +var msg30185 = msg("28080", dup321); + +var msg30186 = msg("28081", dup200); + +var msg30187 = msg("28082", dup200); + +var msg30188 = msg("28083", dup311); + +var msg30189 = msg("28084", dup321); + +var msg30190 = msg("28085", dup321); + +var msg30191 = msg("28086", dup200); + +var msg30192 = msg("28087", dup200); + +var msg30193 = msg("28088", dup309); + +var msg30194 = msg("28089", dup323); + +var msg30195 = msg("28090", dup323); + +var msg30196 = msg("28093", dup314); + +var msg30197 = msg("28094", dup321); + +var msg30198 = msg("28095", dup321); + +var msg30199 = msg("28096", dup321); + +var msg30200 = msg("28097", dup321); + +var msg30201 = msg("28098", dup322); + +var msg30202 = msg("28099", dup322); + +var msg30203 = msg("28100", dup322); + +var msg30204 = msg("28101", dup322); + +var msg30205 = msg("28102", dup322); + +var msg30206 = msg("28103", dup309); + +var msg30207 = msg("28104", dup321); + +var msg30208 = msg("28105", dup321); + +var msg30209 = msg("28106", dup321); + +var msg30210 = msg("28107", dup321); + +var msg30211 = msg("28108", dup311); + +var msg30212 = msg("28109", dup311); + +var msg30213 = msg("28110", dup311); + +var msg30214 = msg("28111", dup311); + +var msg30215 = msg("28112", dup325); + +var msg30216 = msg("28113", dup309); + +var msg30217 = msg("28114", dup321); + +var msg30218 = msg("28115", dup321); + +var msg30219 = msg("28116", dup321); + +var msg30220 = msg("28117", dup321); + +var msg30221 = msg("28118", dup321); + +var msg30222 = msg("28119", dup321); + +var msg30223 = msg("28120", dup321); + +var msg30224 = msg("28121", dup321); + +var msg30225 = msg("28122", dup321); + +var msg30226 = msg("28123", dup321); + +var msg30227 = msg("28124", dup309); + +var msg30228 = msg("28125", dup321); + +var msg30229 = msg("28126", dup314); + +var msg30230 = msg("28127", dup314); + +var msg30231 = msg("28128", dup309); + +var msg30232 = msg("28129", dup309); + +var msg30233 = msg("28130", dup309); + +var msg30234 = msg("28131", dup309); + +var msg30235 = msg("28132", dup309); + +var msg30236 = msg("28133", dup309); + +var msg30237 = msg("28134", dup321); + +var msg30238 = msg("28135", dup309); + +var msg30239 = msg("28136", dup309); + +var msg30240 = msg("28137", dup309); + +var msg30241 = msg("28138", dup337); + +var msg30242 = msg("28139", dup311); + +var msg30243 = msg("28140", dup321); + +var msg30244 = msg("28141", dup321); + +var msg30245 = msg("28142", dup321); + +var msg30246 = msg("28143", dup321); + +var msg30247 = msg("28144", dup321); + +var msg30248 = msg("28145", dup314); + +var msg30249 = msg("28146", dup321); + +var msg30250 = msg("28147", dup321); + +var msg30251 = msg("28148", dup321); + +var msg30252 = msg("28149", dup314); + +var msg30253 = msg("28150", dup314); + +var msg30254 = msg("28151", dup325); + +var msg30255 = msg("28152", dup321); + +var msg30256 = msg("28153", dup321); + +var msg30257 = msg("28154", dup321); + +var msg30258 = msg("28155", dup321); + +var msg30259 = msg("28156", dup321); + +var msg30260 = msg("28157", dup311); + +var msg30261 = msg("28158", dup325); + +var msg30262 = msg("28159", dup325); + +var msg30263 = msg("28160", dup325); + +var msg30264 = msg("28161", dup324); + +var msg30265 = msg("28162", dup324); + +var msg30266 = msg("28163", dup311); + +var msg30267 = msg("28164", dup321); + +var msg30268 = msg("28165", dup323); + +var msg30269 = msg("28166", dup321); + +var msg30270 = msg("28167", dup321); + +var msg30271 = msg("28168", dup321); + +var msg30272 = msg("28169", dup321); + +var msg30273 = msg("28170", dup321); + +var msg30274 = msg("28171", dup321); + +var msg30275 = msg("28172", dup321); + +var msg30276 = msg("28173", dup321); + +var msg30277 = msg("28174", dup321); + +var msg30278 = msg("28175", dup321); + +var msg30279 = msg("28176", dup321); + +var msg30280 = msg("28177", dup321); + +var msg30281 = msg("28178", dup321); + +var msg30282 = msg("28179", dup321); + +var msg30283 = msg("28180", dup321); + +var msg30284 = msg("28181", dup321); + +var msg30285 = msg("28182", dup321); + +var msg30286 = msg("28183", dup321); + +var msg30287 = msg("28184", dup321); + +var msg30288 = msg("28185", dup321); + +var msg30289 = msg("28186", dup321); + +var msg30290 = msg("28187", dup321); + +var msg30291 = msg("28188", dup321); + +var msg30292 = msg("28189", dup321); + +var msg30293 = msg("28190", dup311); + +var msg30294 = msg("28191", dup325); + +var msg30295 = msg("28192", dup321); + +var msg30296 = msg("28193", dup321); + +var msg30297 = msg("28194", dup311); + +var msg30298 = msg("28195", dup311); + +var msg30299 = msg("28196", dup311); + +var msg30300 = msg("28197", dup311); + +var msg30301 = msg("28198", dup311); + +var msg30302 = msg("28199", dup311); + +var msg30303 = msg("28200", dup311); + +var msg30304 = msg("28201", dup314); + +var msg30305 = msg("28202", dup324); + +var msg30306 = msg("28203", dup324); + +var msg30307 = msg("28204", dup311); + +var msg30308 = msg("28205", dup309); + +var msg30309 = msg("28206", dup309); + +var msg30310 = msg("28207", dup311); + +var msg30311 = msg("28208", dup311); + +var msg30312 = msg("28209", dup321); + +var msg30313 = msg("28210", dup321); + +var msg30314 = msg("28211", dup321); + +var msg30315 = msg("28212", dup321); + +var msg30316 = msg("28213", dup311); + +var msg30317 = msg("28214", dup311); + +var msg30318 = msg("28215", dup311); + +var msg30319 = msg("28216", dup333); + +var msg30320 = msg("28217", dup321); + +var msg30321 = msg("28218", dup321); + +var msg30322 = msg("28219", dup321); + +var msg30323 = msg("28220", dup321); + +var msg30324 = msg("28221", dup321); + +var msg30325 = msg("28222", dup321); + +var msg30326 = msg("28223", dup321); + +var msg30327 = msg("28224", dup321); + +var msg30328 = msg("28225", dup321); + +var msg30329 = msg("28226", dup321); + +var msg30330 = msg("28227", dup309); + +var msg30331 = msg("28228", dup309); + +var msg30332 = msg("28229", dup321); + +var msg30333 = msg("28230", dup321); + +var msg30334 = msg("28231", dup323); + +var msg30335 = msg("28232", dup323); + +var msg30336 = msg("28233", dup311); + +var msg30337 = msg("28234", dup321); + +var msg30338 = msg("28235", dup311); + +var msg30339 = msg("28236", dup311); + +var msg30340 = msg("28237", dup311); + +var msg30341 = msg("28238", dup307); + +var msg30342 = msg("28239", dup321); + +var msg30343 = msg("28240", dup200); + +var msg30344 = msg("28241", dup321); + +var msg30345 = msg("28242", dup321); + +var msg30346 = msg("28243", dup321); + +var msg30347 = msg("28244", dup321); + +var msg30348 = msg("28245", dup314); + +var msg30349 = msg("28246", dup314); + +var msg30350 = msg("28247", dup321); + +var msg30351 = msg("28248", dup321); + +var msg30352 = msg("28249", dup321); + +var msg30353 = msg("28250", dup321); + +var msg30354 = msg("28251", dup322); + +var msg30355 = msg("28252", dup309); + +var msg30356 = msg("28253", dup321); + +var msg30357 = msg("28254", dup321); + +var msg30358 = msg("28255", dup321); + +var msg30359 = msg("28256", dup309); + +var msg30360 = msg("28257", dup311); + +var msg30361 = msg("28258", dup311); + +var msg30362 = msg("28259", dup311); + +var msg30363 = msg("28260", dup311); + +var msg30364 = msg("28261", dup309); + +var msg30365 = msg("28262", dup309); + +var msg30366 = msg("28263", dup309); + +var msg30367 = msg("28264", dup311); + +var msg30368 = msg("28265", dup311); + +var msg30369 = msg("28266", dup309); + +var msg30370 = msg("28267", dup325); + +var msg30371 = msg("28268", dup325); + +var msg30372 = msg("28269", dup325); + +var msg30373 = msg("28270", dup325); + +var msg30374 = msg("28271", dup325); + +var msg30375 = msg("28272", dup325); + +var msg30376 = msg("28273", dup311); + +var msg30377 = msg("28274", dup311); + +var msg30378 = msg("28275", dup311); + +var msg30379 = msg("28276", dup311); + +var msg30380 = msg("28277", dup311); + +var msg30381 = msg("28278", dup322); + +var msg30382 = msg("28279", dup321); + +var msg30383 = msg("28280", dup321); + +var msg30384 = msg("28281", dup321); + +var msg30385 = msg("28282", dup321); + +var msg30386 = msg("28283", dup321); + +var msg30387 = msg("28284", dup311); + +var msg30388 = msg("28285", dup321); + +var msg30389 = msg("28286", dup309); + +var msg30390 = msg("28287", dup311); + +var msg30391 = msg("28288", dup311); + +var msg30392 = msg("28289", dup311); + +var msg30393 = msg("28290", dup311); + +var msg30394 = msg("28291", dup311); + +var msg30395 = msg("28292", dup334); + +var msg30396 = msg("28293", dup324); + +var msg30397 = msg("28294", dup324); + +var msg30398 = msg("28295", dup324); + +var msg30399 = msg("28296", dup324); + +var msg30400 = msg("28297", dup321); + +var msg30401 = msg("28298", dup311); + +var msg30402 = msg("28299", dup322); + +var msg30403 = msg("28300", dup321); + +var msg30404 = msg("28303", dup309); + +var msg30405 = msg("28304", dup311); + +var msg30406 = msg("28305", dup321); + +var msg30407 = msg("28306", dup325); + +var msg30408 = msg("28309", dup311); + +var msg30409 = msg("28315", dup309); + +var msg30410 = msg("28323", dup321); + +var msg30411 = msg("28325", dup321); + +var msg30412 = msg("28326", dup321); + +var msg30413 = msg("28327", dup321); + +var msg30414 = msg("28328", dup321); + +var msg30415 = msg("28329", dup321); + +var msg30416 = msg("28330", dup321); + +var msg30417 = msg("28331", dup309); + +var msg30418 = msg("28332", dup309); + +var msg30419 = msg("28333", dup309); + +var msg30420 = msg("28334", dup309); + +var msg30421 = msg("28335", dup309); + +var msg30422 = msg("28336", dup309); + +var msg30423 = msg("28337", dup309); + +var msg30424 = msg("28338", dup309); + +var msg30425 = msg("28339", dup309); + +var msg30426 = msg("28340", dup309); + +var msg30427 = msg("28341", dup309); + +var msg30428 = msg("28342", dup309); + +var msg30429 = msg("28343", dup309); + +var msg30430 = msg("28344", dup322); + +var msg30431 = msg("28345", dup311); + +var msg30432 = msg("28346", dup311); + +var msg30433 = msg("28347", dup321); + +var msg30434 = msg("28348", dup321); + +var msg30435 = msg("28349", dup314); + +var msg30436 = msg("28350", dup314); + +var msg30437 = msg("28351", dup314); + +var msg30438 = msg("28352", dup311); + +var msg30439 = msg("28353", dup311); + +var msg30440 = msg("28354", dup311); + +var msg30441 = msg("28355", dup311); + +var msg30442 = msg("28356", dup311); + +var msg30443 = msg("28357", dup311); + +var msg30444 = msg("28358", dup311); + +var msg30445 = msg("28359", dup311); + +var msg30446 = msg("28360", dup311); + +var msg30447 = msg("28361", dup311); + +var msg30448 = msg("28362", dup325); + +var msg30449 = msg("28363", dup325); + +var msg30450 = msg("28364", dup325); + +var msg30451 = msg("28365", dup321); + +var msg30452 = msg("28366", dup321); + +var msg30453 = msg("28367", dup314); + +var msg30454 = msg("28368", dup314); + +var msg30455 = msg("28369", dup314); + +var msg30456 = msg("28370", dup314); + +var msg30457 = msg("28371", dup321); + +var msg30458 = msg("28372", dup321); + +var msg30459 = msg("28373", dup321); + +var msg30460 = msg("28374", dup311); + +var msg30461 = msg("28375", dup311); + +var msg30462 = msg("28376", dup311); + +var msg30463 = msg("28377", dup311); + +var msg30464 = msg("28378", dup311); + +var msg30465 = msg("28379", dup311); + +var msg30466 = msg("28380", dup311); + +var msg30467 = msg("28381", dup321); + +var msg30468 = msg("28382", dup314); + +var msg30469 = msg("28383", dup314); + +var msg30470 = msg("28384", dup314); + +var msg30471 = msg("28385", dup311); + +var msg30472 = msg("28386", dup314); + +var msg30473 = msg("28387", dup314); + +var msg30474 = msg("28388", dup311); + +var msg30475 = msg("28389", dup311); + +var msg30476 = msg("28390", dup309); + +var msg30477 = msg("28391", dup309); + +var msg30478 = msg("28392", dup309); + +var msg30479 = msg("28393", dup311); + +var msg30480 = msg("28394", dup311); + +var msg30481 = msg("28395", dup311); + +var msg30482 = msg("28396", dup311); + +var msg30483 = msg("28397", dup311); + +var msg30484 = msg("28398", dup311); + +var msg30485 = msg("28399", dup321); + +var msg30486 = msg("28400", dup321); + +var msg30487 = msg("28401", dup200); + +var msg30488 = msg("28402", dup200); + +var msg30489 = msg("28403", dup200); + +var msg30490 = msg("28404", dup321); + +var msg30491 = msg("28405", dup321); + +var msg30492 = msg("28406", dup321); + +var msg30493 = msg("28407", dup314); + +var msg30494 = msg("28408", dup311); + +var msg30495 = msg("28409", dup311); + +var msg30496 = msg("28410", dup321); + +var msg30497 = msg("28411", dup321); + +var msg30498 = msg("28412", dup311); + +var msg30499 = msg("28413", dup311); + +var msg30500 = msg("28414", dup311); + +var msg30501 = msg("28415", dup321); + +var msg30502 = msg("28416", dup321); + +var msg30503 = msg("28417", dup321); + +var msg30504 = msg("28418", dup321); + +var msg30505 = msg("28419", dup321); + +var msg30506 = msg("28420", dup311); + +var msg30507 = msg("28421", dup311); + +var msg30508 = msg("28422", dup311); + +var msg30509 = msg("28423", dup307); + +var msg30510 = msg("28424", dup311); + +var msg30511 = msg("28425", dup314); + +var msg30512 = msg("28426", dup311); + +var msg30513 = msg("28427", dup311); + +var msg30514 = msg("28428", dup311); + +var msg30515 = msg("28429", dup311); + +var msg30516 = msg("28430", dup307); + +var msg30517 = msg("28431", dup307); + +var msg30518 = msg("28432", dup307); + +var msg30519 = msg("28433", dup307); + +var msg30520 = msg("28434", dup307); + +var msg30521 = msg("28435", dup314); + +var msg30522 = msg("28436", dup314); + +var msg30523 = msg("28437", dup314); + +var msg30524 = msg("28438", dup314); + +var msg30525 = msg("28439", dup321); + +var msg30526 = msg("28440", dup309); + +var msg30527 = msg("28441", dup309); + +var msg30528 = msg("28442", dup309); + +var msg30529 = msg("28443", dup309); + +var msg30530 = msg("28444", dup321); + +var msg30531 = msg("28445", dup321); + +var msg30532 = msg("28446", dup321); + +var msg30533 = msg("28447", dup311); + +var msg30534 = msg("28448", dup314); + +var msg30535 = msg("28449", dup311); + +var msg30536 = msg("28450", dup311); + +var msg30537 = msg("28451", dup311); + +var msg30538 = msg("28452", dup311); + +var msg30539 = msg("28453", dup311); + +var msg30540 = msg("28454", dup311); + +var msg30541 = msg("28455", dup311); + +var msg30542 = msg("28456", dup311); + +var msg30543 = msg("28457", dup311); + +var msg30544 = msg("28458", dup311); + +var msg30545 = msg("28459", dup311); + +var msg30546 = msg("28460", dup311); + +var msg30547 = msg("28461", dup309); + +var msg30548 = msg("28462", dup309); + +var msg30549 = msg("28463", dup309); + +var msg30550 = msg("28464", dup309); + +var msg30551 = msg("28465", dup309); + +var msg30552 = msg("28466", dup309); + +var msg30553 = msg("28467", dup309); + +var msg30554 = msg("28468", dup309); + +var msg30555 = msg("28469", dup309); + +var msg30556 = msg("28470", dup309); + +var msg30557 = msg("28471", dup309); + +var msg30558 = msg("28472", dup309); + +var msg30559 = msg("28473", dup309); + +var msg30560 = msg("28474", dup311); + +var msg30561 = msg("28475", dup311); + +var msg30562 = msg("28476", dup311); + +var msg30563 = msg("28477", dup311); + +var msg30564 = msg("28478", dup311); + +var msg30565 = msg("28479", dup321); + +var msg30566 = msg("28480", dup333); + +var msg30567 = msg("28481", dup321); + +var msg30568 = msg("28482", dup321); + +var msg30569 = msg("28483", dup321); + +var msg30570 = msg("28484", dup321); + +var msg30571 = msg("28485", dup321); + +var msg30572 = msg("28486", dup321); + +var msg30573 = msg("28487", dup311); + +var msg30574 = msg("28488", dup311); + +var msg30575 = msg("28489", dup325); + +var msg30576 = msg("28490", dup311); + +var msg30577 = msg("28491", dup325); + +var msg30578 = msg("28492", dup325); + +var msg30579 = msg("28493", dup321); + +var msg30580 = msg("28494", dup311); + +var msg30581 = msg("28495", dup311); + +var msg30582 = msg("28496", dup325); + +var msg30583 = msg("28497", dup314); + +var msg30584 = msg("28498", dup309); + +var msg30585 = msg("28499", dup309); + +var msg30586 = msg("28500", dup314); + +var msg30587 = msg("28501", dup314); + +var msg30588 = msg("28502", dup309); + +var msg30589 = msg("28503", dup309); + +var msg30590 = msg("28504", dup325); + +var msg30591 = msg("28505", dup314); + +var msg30592 = msg("28506", dup314); + +var msg30593 = msg("28507", dup314); + +var msg30594 = msg("28508", dup314); + +var msg30595 = msg("28509", dup309); + +var msg30596 = msg("28510", dup309); + +var msg30597 = msg("28511", dup309); + +var msg30598 = msg("28512", dup309); + +var msg30599 = msg("28513", dup309); + +var msg30600 = msg("28514", dup309); + +var msg30601 = msg("28515", dup309); + +var msg30602 = msg("28516", dup309); + +var msg30603 = msg("28517", dup309); + +var msg30604 = msg("28518", dup309); + +var msg30605 = msg("28519", dup309); + +var msg30606 = msg("28520", dup309); + +var msg30607 = msg("28521", dup309); + +var msg30608 = msg("28522", dup325); + +var msg30609 = msg("28523", dup325); + +var msg30610 = msg("28524", dup325); + +var msg30611 = msg("28525", dup309); + +var msg30612 = msg("28526", dup309); + +var msg30613 = msg("28527", dup321); + +var msg30614 = msg("28528", dup321); + +var msg30615 = msg("28529", dup321); + +var msg30616 = msg("28530", dup314); + +var msg30617 = msg("28531", dup321); + +var msg30618 = msg("28532", dup324); + +var msg30619 = msg("28533", dup321); + +var msg30620 = msg("28534", dup307); + +var msg30621 = msg("28535", dup307); + +var msg30622 = msg("28536", dup307); + +var msg30623 = msg("28537", dup307); + +var msg30624 = msg("28538", dup321); + +var msg30625 = msg("28539", dup321); + +var msg30626 = msg("28540", dup321); + +var msg30627 = msg("28541", dup321); + +var msg30628 = msg("28542", dup321); + +var msg30629 = msg("28543", dup321); + +var msg30630 = msg("28544", dup309); + +var msg30631 = msg("28545", dup309); + +var msg30632 = msg("28546", dup309); + +var msg30633 = msg("28547", dup321); + +var msg30634 = msg("28548", dup321); + +var msg30635 = msg("28549", dup309); + +var msg30636 = msg("28550", dup309); + +var msg30637 = msg("28551", dup333); + +var msg30638 = msg("28552", dup336); + +var msg30639 = msg("28553", dup321); + +var msg30640 = msg("28554", dup321); + +var msg30641 = msg("28555", dup328); + +var msg30642 = msg("28556", dup329); + +var msg30643 = msg("28557", dup329); + +var msg30644 = msg("28558", dup325); + +var msg30645 = msg("28559", dup321); + +var msg30646 = msg("28560", dup333); + +var msg30647 = msg("28561", dup321); + +var msg30648 = msg("28562", dup321); + +var msg30649 = msg("28563", dup321); + +var msg30650 = msg("28564", dup321); + +var msg30651 = msg("28565", dup321); + +var msg30652 = msg("28566", dup314); + +var msg30653 = msg("28567", dup314); + +var msg30654 = msg("28568", dup311); + +var msg30655 = msg("28569", dup311); + +var msg30656 = msg("28570", dup314); + +var msg30657 = msg("28571", dup314); + +var msg30658 = msg("28572", dup314); + +var msg30659 = msg("28573", dup314); + +var msg30660 = msg("28574", dup314); + +var msg30661 = msg("28575", dup311); + +var msg30662 = msg("28576", dup311); + +var msg30663 = msg("28577", dup314); + +var msg30664 = msg("28578", dup314); + +var msg30665 = msg("28579", dup323); + +var msg30666 = msg("28580", dup323); + +var msg30667 = msg("28581", dup323); + +var msg30668 = msg("28582", dup323); + +var msg30669 = msg("28583", dup323); + +var msg30670 = msg("28584", dup323); + +var msg30671 = msg("28585", dup309); + +var msg30672 = msg("28586", dup309); + +var msg30673 = msg("28587", dup314); + +var msg30674 = msg("28588", dup314); + +var msg30675 = msg("28589", dup311); + +var msg30676 = msg("28590", dup311); + +var msg30677 = msg("28591", dup311); + +var msg30678 = msg("28592", dup311); + +var msg30679 = msg("28593", dup307); + +var msg30680 = msg("28594", dup311); + +var msg30681 = msg("28595", dup311); + +var msg30682 = msg("28596", dup311); + +var msg30683 = msg("28597", dup314); + +var msg30684 = msg("28598", dup314); + +var msg30685 = msg("28599", dup321); + +var msg30686 = msg("28600", dup314); + +var msg30687 = msg("28601", dup314); + +var msg30688 = msg("28602", dup314); + +var msg30689 = msg("28603", dup314); + +var msg30690 = msg("28604", dup321); + +var msg30691 = msg("28605", dup321); + +var msg30692 = msg("28606", dup321); + +var msg30693 = msg("28607", dup321); + +var msg30694 = msg("28608", dup311); + +var msg30695 = msg("28609", dup311); + +var msg30696 = msg("28610", dup311); + +var msg30697 = msg("28611", dup311); + +var msg30698 = msg("28612", dup311); + +var msg30699 = msg("28613", dup311); + +var msg30700 = msg("28614", dup311); + +var msg30701 = msg("28615", dup311); + +var msg30702 = msg("28616", dup311); + +var msg30703 = msg("28617", dup324); + +var msg30704 = msg("28618", dup324); + +var msg30705 = msg("28619", dup311); + +var msg30706 = msg("28620", dup311); + +var msg30707 = msg("28621", dup309); + +var msg30708 = msg("28622", dup311); + +var msg30709 = msg("28623", dup309); + +var msg30710 = msg("28624", dup309); + +var msg30711 = msg("28625", dup309); + +var msg30712 = msg("28626", dup309); + +var msg30713 = msg("28627", dup311); + +var msg30714 = msg("28628", dup311); + +var msg30715 = msg("28629", dup323); + +var msg30716 = msg("28630", dup323); + +var msg30717 = msg("28631", dup309); + +var msg30718 = msg("28632", dup309); + +var msg30719 = msg("28633", dup311); + +var msg30720 = msg("28634", dup309); + +var msg30721 = msg("28635", dup309); + +var msg30722 = msg("28636", dup311); + +var msg30723 = msg("28637", dup311); + +var msg30724 = msg("28638", dup309); + +var msg30725 = msg("28639", dup309); + +var msg30726 = msg("28640", dup309); + +var msg30727 = msg("28641", dup309); + +var msg30728 = msg("28642", dup311); + +var msg30729 = msg("28643", dup311); + +var msg30730 = msg("28644", dup311); + +var msg30731 = msg("28645", dup311); + +var msg30732 = msg("28646", dup311); + +var msg30733 = msg("28647", dup311); + +var msg30734 = msg("28648", dup311); + +var msg30735 = msg("28649", dup311); + +var msg30736 = msg("28650", dup311); + +var msg30737 = msg("28651", dup311); + +var msg30738 = msg("28652", dup311); + +var msg30739 = msg("28653", dup311); + +var msg30740 = msg("28654", dup311); + +var msg30741 = msg("28655", dup311); + +var msg30742 = msg("28656", dup311); + +var msg30743 = msg("28657", dup311); + +var msg30744 = msg("28658", dup314); + +var msg30745 = msg("28659", dup311); + +var msg30746 = msg("28660", dup311); + +var msg30747 = msg("28661", dup311); + +var msg30748 = msg("28662", dup311); + +var msg30749 = msg("28663", dup311); + +var msg30750 = msg("28664", dup309); + +var msg30751 = msg("28665", dup309); + +var msg30752 = msg("28666", dup309); + +var msg30753 = msg("28667", dup311); + +var msg30754 = msg("28668", dup311); + +var msg30755 = msg("28669", dup311); + +var msg30756 = msg("28670", dup311); + +var msg30757 = msg("28671", dup311); + +var msg30758 = msg("28672", dup311); + +var msg30759 = msg("28673", dup311); + +var msg30760 = msg("28674", dup311); + +var msg30761 = msg("28675", dup311); + +var msg30762 = msg("28676", dup311); + +var msg30763 = msg("28677", dup311); + +var msg30764 = msg("28678", dup311); + +var msg30765 = msg("28679", dup311); + +var msg30766 = msg("28680", dup311); + +var msg30767 = msg("28681", dup311); + +var msg30768 = msg("28682", dup311); + +var msg30769 = msg("28683", dup311); + +var msg30770 = msg("28684", dup311); + +var msg30771 = msg("28685", dup311); + +var msg30772 = msg("28686", dup311); + +var msg30773 = msg("28687", dup307); + +var msg30774 = msg("28688", dup307); + +var msg30775 = msg("28689", dup307); + +var msg30776 = msg("28690", dup307); + +var msg30777 = msg("28691", dup311); + +var msg30778 = msg("28692", dup311); + +var msg30779 = msg("28693", dup311); + +var msg30780 = msg("28694", dup311); + +var msg30781 = msg("28695", dup323); + +var msg30782 = msg("28696", dup323); + +var msg30783 = msg("28697", dup323); + +var msg30784 = msg("28698", dup323); + +var msg30785 = msg("28699", dup311); + +var msg30786 = msg("28700", dup311); + +var msg30787 = msg("28701", dup311); + +var msg30788 = msg("28702", dup311); + +var msg30789 = msg("28703", dup311); + +var msg30790 = msg("28704", dup311); + +var msg30791 = msg("28705", dup311); + +var msg30792 = msg("28706", dup311); + +var msg30793 = msg("28707", dup311); + +var msg30794 = msg("28708", dup311); + +var msg30795 = msg("28709", dup311); + +var msg30796 = msg("28710", dup309); + +var msg30797 = msg("28711", dup309); + +var msg30798 = msg("28712", dup309); + +var msg30799 = msg("28713", dup309); + +var msg30800 = msg("28714", dup309); + +var msg30801 = msg("28715", dup309); + +var msg30802 = msg("28716", dup311); + +var msg30803 = msg("28717", dup311); + +var msg30804 = msg("28718", dup311); + +var msg30805 = msg("28719", dup311); + +var msg30806 = msg("28720", dup311); + +var msg30807 = msg("28721", dup311); + +var msg30808 = msg("28722", dup323); + +var msg30809 = msg("28723", dup323); + +var msg30810 = msg("28724", dup321); + +var msg30811 = msg("28725", dup309); + +var msg30812 = msg("28726", dup309); + +var msg30813 = msg("28727", dup309); + +var msg30814 = msg("28728", dup311); + +var msg30815 = msg("28729", dup311); + +var msg30816 = msg("28730", dup311); + +var msg30817 = msg("28731", dup311); + +var msg30818 = msg("28732", dup311); + +var msg30819 = msg("28733", dup311); + +var msg30820 = msg("28734", dup311); + +var msg30821 = msg("28735", dup311); + +var msg30822 = msg("28736", dup311); + +var msg30823 = msg("28737", dup311); + +var msg30824 = msg("28738", dup311); + +var msg30825 = msg("28739", dup311); + +var msg30826 = msg("28740", dup311); + +var msg30827 = msg("28741", dup311); + +var msg30828 = msg("28742", dup311); + +var msg30829 = msg("28743", dup311); + +var msg30830 = msg("28744", dup309); + +var msg30831 = msg("28745", dup309); + +var msg30832 = msg("28746", dup311); + +var msg30833 = msg("28747", dup311); + +var msg30834 = msg("28748", dup311); + +var msg30835 = msg("28749", dup314); + +var msg30836 = msg("28750", dup314); + +var msg30837 = msg("28751", dup314); + +var msg30838 = msg("28752", dup314); + +var msg30839 = msg("28753", dup314); + +var msg30840 = msg("28754", dup314); + +var msg30841 = msg("28755", dup314); + +var msg30842 = msg("28756", dup314); + +var msg30843 = msg("28757", dup314); + +var msg30844 = msg("28758", dup314); + +var msg30845 = msg("28759", dup314); + +var msg30846 = msg("28760", dup314); + +var msg30847 = msg("28761", dup314); + +var msg30848 = msg("28762", dup314); + +var msg30849 = msg("28763", dup314); + +var msg30850 = msg("28764", dup314); + +var msg30851 = msg("28765", dup314); + +var msg30852 = msg("28766", dup314); + +var msg30853 = msg("28767", dup314); + +var msg30854 = msg("28768", dup314); + +var msg30855 = msg("28769", dup314); + +var msg30856 = msg("28770", dup314); + +var msg30857 = msg("28771", dup314); + +var msg30858 = msg("28772", dup314); + +var msg30859 = msg("28773", dup314); + +var msg30860 = msg("28774", dup314); + +var msg30861 = msg("28775", dup314); + +var msg30862 = msg("28776", dup314); + +var msg30863 = msg("28777", dup314); + +var msg30864 = msg("28778", dup314); + +var msg30865 = msg("28779", dup314); + +var msg30866 = msg("28780", dup314); + +var msg30867 = msg("28781", dup314); + +var msg30868 = msg("28782", dup314); + +var msg30869 = msg("28783", dup314); + +var msg30870 = msg("28784", dup314); + +var msg30871 = msg("28785", dup314); + +var msg30872 = msg("28786", dup314); + +var msg30873 = msg("28787", dup314); + +var msg30874 = msg("28788", dup314); + +var msg30875 = msg("28789", dup314); + +var msg30876 = msg("28790", dup311); + +var msg30877 = msg("28791", dup314); + +var msg30878 = msg("28792", dup314); + +var msg30879 = msg("28793", dup314); + +var msg30880 = msg("28794", dup309); + +var msg30881 = msg("28795", dup311); + +var msg30882 = msg("28796", dup311); + +var msg30883 = msg("28797", dup307); + +var msg30884 = msg("28798", dup307); + +var msg30885 = msg("28799", dup321); + +var msg30886 = msg("28800", dup321); + +var msg30887 = msg("28801", dup321); + +var msg30888 = msg("28802", dup321); + +var msg30889 = msg("28803", dup321); + +var msg30890 = msg("28804", dup321); + +var msg30891 = msg("28805", dup321); + +var msg30892 = msg("28806", dup321); + +var msg30893 = msg("28807", dup321); + +var msg30894 = msg("28808", dup321); + +var msg30895 = msg("28809", dup321); + +var msg30896 = msg("28810", dup321); + +var msg30897 = msg("28811", dup311); + +var msg30898 = msg("28812", dup311); + +var msg30899 = msg("28813", dup321); + +var msg30900 = msg("28814", dup321); + +var msg30901 = msg("28815", dup321); + +var msg30902 = msg("28816", dup321); + +var msg30903 = msg("28817", dup321); + +var msg30904 = msg("28818", dup307); + +var msg30905 = msg("28819", dup307); + +var msg30906 = msg("28820", dup323); + +var msg30907 = msg("28821", dup314); + +var msg30908 = msg("28822", dup314); + +var msg30909 = msg("28823", dup314); + +var msg30910 = msg("28824", dup314); + +var msg30911 = msg("28825", dup314); + +var msg30912 = msg("28826", dup314); + +var msg30913 = msg("28827", dup314); + +var msg30914 = msg("28828", dup321); + +var msg30915 = msg("28829", dup321); + +var msg30916 = msg("28830", dup321); + +var msg30917 = msg("28831", dup311); + +var msg30918 = msg("28832", dup311); + +var msg30919 = msg("28833", dup307); + +var msg30920 = msg("28834", dup307); + +var msg30921 = msg("28835", dup307); + +var msg30922 = msg("28836", dup311); + +var msg30923 = msg("28837", dup311); + +var msg30924 = msg("28838", dup311); + +var msg30925 = msg("28839", dup307); + +var msg30926 = msg("28840", dup307); + +var msg30927 = msg("28841", dup307); + +var msg30928 = msg("28842", dup311); + +var msg30929 = msg("28843", dup323); + +var msg30930 = msg("28844", dup323); + +var msg30931 = msg("28845", dup323); + +var msg30932 = msg("28846", dup323); + +var msg30933 = msg("28847", dup323); + +var msg30934 = msg("28848", dup323); + +var msg30935 = msg("28849", dup308); + +var msg30936 = msg("28850", dup311); + +var msg30937 = msg("28851", dup311); + +var msg30938 = msg("28852", dup325); + +var msg30939 = msg("28853", dup323); + +var msg30940 = msg("28854", dup311); + +var msg30941 = msg("28855", dup311); + +var msg30942 = msg("28856", dup321); + +var msg30943 = msg("28857", dup321); + +var msg30944 = msg("28858", dup321); + +var msg30945 = msg("28859", dup325); + +var msg30946 = msg("28860", dup325); + +var msg30947 = msg("28861", dup321); + +var msg30948 = msg("28862", dup325); + +var msg30949 = msg("28863", dup325); + +var msg30950 = msg("28864", dup321); + +var msg30951 = msg("28865", dup325); + +var msg30952 = msg("28866", dup325); + +var msg30953 = msg("28867", dup314); + +var msg30954 = msg("28868", dup314); + +var msg30955 = msg("28869", dup314); + +var msg30956 = msg("28870", dup314); + +var msg30957 = msg("28871", dup314); + +var msg30958 = msg("28872", dup314); + +var msg30959 = msg("28873", dup325); + +var msg30960 = msg("28874", dup325); + +var msg30961 = msg("28875", dup325); + +var msg30962 = msg("28876", dup325); + +var msg30963 = msg("28877", dup325); + +var msg30964 = msg("28878", dup325); + +var msg30965 = msg("28879", dup321); + +var msg30966 = msg("28880", dup311); + +var msg30967 = msg("28881", dup325); + +var msg30968 = msg("28882", dup325); + +var msg30969 = msg("28883", dup321); + +var msg30970 = msg("28884", dup321); + +var msg30971 = msg("28885", dup321); + +var msg30972 = msg("28886", dup321); + +var msg30973 = msg("28887", dup311); + +var msg30974 = msg("28888", dup311); + +var msg30975 = msg("28889", dup311); + +var msg30976 = msg("28890", dup311); + +var msg30977 = msg("28891", dup321); + +var msg30978 = msg("28892", dup321); + +var msg30979 = msg("28893", dup314); + +var msg30980 = msg("28894", dup314); + +var msg30981 = msg("28895", dup314); + +var msg30982 = msg("28896", dup314); + +var msg30983 = msg("28897", dup314); + +var msg30984 = msg("28898", dup314); + +var msg30985 = msg("28899", dup314); + +var msg30986 = msg("28900", dup314); + +var msg30987 = msg("28901", dup314); + +var msg30988 = msg("28902", dup309); + +var msg30989 = msg("28903", dup309); + +var msg30990 = msg("28904", dup309); + +var msg30991 = msg("28905", dup309); + +var msg30992 = msg("28906", dup309); + +var msg30993 = msg("28907", dup309); + +var msg30994 = msg("28908", dup322); + +var msg30995 = msg("28909", dup314); + +var msg30996 = msg("28910", dup311); + +var msg30997 = msg("28911", dup311); + +var msg30998 = msg("28912", dup314); + +var msg30999 = msg("28913", dup321); + +var msg31000 = msg("28914", dup321); + +var msg31001 = msg("28915", dup309); + +var msg31002 = msg("28916", dup309); + +var msg31003 = msg("28917", dup314); + +var msg31004 = msg("28918", dup321); + +var msg31005 = msg("28919", dup321); + +var msg31006 = msg("28920", dup311); + +var msg31007 = msg("28921", dup311); + +var msg31008 = msg("28922", dup311); + +var msg31009 = msg("28923", dup311); + +var msg31010 = msg("28924", dup311); + +var msg31011 = msg("28925", dup311); + +var msg31012 = msg("28926", dup309); + +var msg31013 = msg("28927", dup309); + +var msg31014 = msg("28928", dup321); + +var msg31015 = msg("28929", dup321); + +var msg31016 = msg("28930", dup321); + +var msg31017 = msg("28931", dup325); + +var msg31018 = msg("28932", dup325); + +var msg31019 = msg("28933", dup321); + +var msg31020 = msg("28934", dup321); + +var msg31021 = msg("28935", dup321); + +var msg31022 = msg("28936", dup314); + +var msg31023 = msg("28937", dup311); + +var msg31024 = msg("28938", dup321); + +var msg31025 = msg("28939", dup321); + +var msg31026 = msg("28940", dup325); + +var msg31027 = msg("28941", dup311); + +var msg31028 = msg("28942", dup314); + +var msg31029 = msg("28943", dup314); + +var msg31030 = msg("28944", dup314); + +var msg31031 = msg("28945", dup314); + +var msg31032 = msg("28946", dup311); + +var msg31033 = msg("28947", dup321); + +var msg31034 = msg("28948", dup321); + +var msg31035 = msg("28949", dup321); + +var msg31036 = msg("28950", dup325); + +var msg31037 = msg("28951", dup325); + +var msg31038 = msg("28952", dup311); + +var msg31039 = msg("28953", dup311); + +var msg31040 = msg("28954", dup321); + +var msg31041 = msg("28955", dup310); + +var msg31042 = msg("28956", dup314); + +var msg31043 = msg("28957", dup314); + +var msg31044 = msg("28958", dup321); + +var msg31045 = msg("28959", dup321); + +var msg31046 = msg("28960", dup321); + +var msg31047 = msg("28961", dup309); + +var msg31048 = msg("28962", dup309); + +var msg31049 = msg("28963", dup311); + +var msg31050 = msg("28964", dup307); + +var msg31051 = msg("28965", dup307); + +var msg31052 = msg("28966", dup311); + +var msg31053 = msg("28967", dup311); + +var msg31054 = msg("28968", dup311); + +var msg31055 = msg("28969", dup311); + +var msg31056 = msg("28970", dup314); + +var msg31057 = msg("28971", dup314); + +var msg31058 = msg("28972", dup311); + +var msg31059 = msg("28973", dup311); + +var msg31060 = msg("28974", dup311); + +var msg31061 = msg("28975", dup311); + +var msg31062 = msg("28976", dup321); + +var msg31063 = msg("28977", dup321); + +var msg31064 = msg("28978", dup321); + +var msg31065 = msg("28979", dup321); + +var msg31066 = msg("28980", dup321); + +var msg31067 = msg("28981", dup321); + +var msg31068 = msg("28982", dup321); + +var msg31069 = msg("28983", dup311); + +var msg31070 = msg("28984", dup311); + +var msg31071 = msg("28985", dup311); + +var msg31072 = msg("28986", dup321); + +var msg31073 = msg("28987", dup321); + +var msg31074 = msg("28988", dup321); + +var msg31075 = msg("28989", dup321); + +var msg31076 = msg("28990", dup321); + +var msg31077 = msg("28991", dup333); + +var msg31078 = msg("28992", dup321); + +var msg31079 = msg("28993", dup323); + +var msg31080 = msg("28994", dup321); + +var msg31081 = msg("28995", dup321); + +var msg31082 = msg("28996", dup321); + +var msg31083 = msg("28997", dup325); + +var msg31084 = msg("28998", dup314); + +var msg31085 = msg("28999", dup314); + +var msg31086 = msg("29000", dup314); + +var msg31087 = msg("29001", dup311); + +var msg31088 = msg("29002", dup311); + +var msg31089 = msg("29003", dup311); + +var msg31090 = msg("29004", dup311); + +var msg31091 = msg("29005", dup309); + +var msg31092 = msg("29006", dup314); + +var msg31093 = msg("29007", dup314); + +var msg31094 = msg("29008", dup314); + +var msg31095 = msg("29009", dup309); + +var msg31096 = msg("29010", dup309); + +var msg31097 = msg("29011", dup321); + +var msg31098 = msg("29012", dup321); + +var msg31099 = msg("29013", dup321); + +var msg31100 = msg("29014", dup309); + +var msg31101 = msg("29015", dup321); + +var msg31102 = msg("29016", dup321); + +var msg31103 = msg("29017", dup314); + +var msg31104 = msg("29018", dup322); + +var msg31105 = msg("29019", dup314); + +var msg31106 = msg("29020", dup321); + +var msg31107 = msg("29021", dup321); + +var msg31108 = msg("29022", dup321); + +var msg31109 = msg("29023", dup311); + +var msg31110 = msg("29024", dup311); + +var msg31111 = msg("29025", dup311); + +var msg31112 = msg("29026", dup321); + +var msg31113 = msg("29027", dup311); + +var msg31114 = msg("29028", dup328); + +var msg31115 = msg("29029", dup328); + +var msg31116 = msg("29030", dup321); + +var msg31117 = msg("29031", dup321); + +var msg31118 = msg("29032", dup309); + +var msg31119 = msg("29033", dup309); + +var msg31120 = msg("29034", dup325); + +var msg31121 = msg("29035", dup325); + +var msg31122 = msg("29036", dup311); + +var msg31123 = msg("29037", dup325); + +var msg31124 = msg("29038", dup321); + +var msg31125 = msg("29039", dup321); + +var msg31126 = msg("29040", dup311); + +var msg31127 = msg("29041", dup314); + +var msg31128 = msg("29042", dup314); + +var msg31129 = msg("29043", dup321); + +var msg31130 = msg("29044", dup321); + +var msg31131 = msg("29045", dup321); + +var msg31132 = msg("29046", dup325); + +var msg31133 = msg("29047", dup311); + +var msg31134 = msg("29048", dup311); + +var msg31135 = msg("29049", dup311); + +var msg31136 = msg("29050", dup311); + +var msg31137 = msg("29051", dup311); + +var msg31138 = msg("29052", dup311); + +var msg31139 = msg("29053", dup311); + +var msg31140 = msg("29054", dup311); + +var msg31141 = msg("29055", dup321); + +var msg31142 = msg("29056", dup321); + +var msg31143 = msg("29057", dup321); + +var msg31144 = msg("29058", dup321); + +var msg31145 = msg("29059", dup314); + +var msg31146 = msg("29060", dup314); + +var msg31147 = msg("29061", dup311); + +var msg31148 = msg("29062", dup314); + +var msg31149 = msg("29063", dup314); + +var msg31150 = msg("29064", dup314); + +var msg31151 = msg("29065", dup314); + +var msg31152 = msg("29066", dup311); + +var msg31153 = msg("29067", dup321); + +var msg31154 = msg("29068", dup321); + +var msg31155 = msg("29069", dup321); + +var msg31156 = msg("29070", dup321); + +var msg31157 = msg("29071", dup321); + +var msg31158 = msg("29072", dup321); + +var msg31159 = msg("29073", dup321); + +var msg31160 = msg("29074", dup321); + +var msg31161 = msg("29075", dup321); + +var msg31162 = msg("29076", dup321); + +var msg31163 = msg("29077", dup321); + +var msg31164 = msg("29078", dup321); + +var msg31165 = msg("29079", dup321); + +var msg31166 = msg("29080", dup333); + +var msg31167 = msg("29081", dup321); + +var msg31168 = msg("29082", dup321); + +var msg31169 = msg("29083", dup321); + +var msg31170 = msg("29084", dup321); + +var msg31171 = msg("29085", dup321); + +var msg31172 = msg("29086", dup321); + +var msg31173 = msg("29087", dup321); + +var msg31174 = msg("29088", dup321); + +var msg31175 = msg("29089", dup321); + +var msg31176 = msg("29090", dup311); + +var msg31177 = msg("29091", dup321); + +var msg31178 = msg("29092", dup314); + +var msg31179 = msg("29093", dup321); + +var msg31180 = msg("29094", dup321); + +var msg31181 = msg("29095", dup333); + +var msg31182 = msg("29096", dup333); + +var msg31183 = msg("29097", dup314); + +var msg31184 = msg("29098", dup314); + +var msg31185 = msg("29099", dup314); + +var msg31186 = msg("29100", dup314); + +var msg31187 = msg("29101", dup314); + +var msg31188 = msg("29102", dup314); + +var msg31189 = msg("29103", dup321); + +var msg31190 = msg("29104", dup321); + +var msg31191 = msg("29105", dup314); + +var msg31192 = msg("29106", dup321); + +var msg31193 = msg("29107", dup321); + +var msg31194 = msg("29108", dup321); + +var msg31195 = msg("29109", dup321); + +var msg31196 = msg("29110", dup314); + +var msg31197 = msg("29111", dup321); + +var msg31198 = msg("29112", dup321); + +var msg31199 = msg("29113", dup321); + +var msg31200 = msg("29114", dup321); + +var msg31201 = msg("29115", dup321); + +var msg31202 = msg("29116", dup321); + +var msg31203 = msg("29117", dup321); + +var msg31204 = msg("29118", dup314); + +var msg31205 = msg("29119", dup321); + +var msg31206 = msg("29120", dup321); + +var msg31207 = msg("29121", dup321); + +var msg31208 = msg("29122", dup321); + +var msg31209 = msg("29123", dup321); + +var msg31210 = msg("29124", dup321); + +var msg31211 = msg("29125", dup321); + +var msg31212 = msg("29126", dup321); + +var msg31213 = msg("29127", dup321); + +var msg31214 = msg("29128", dup311); + +var msg31215 = msg("29129", dup311); + +var msg31216 = msg("29130", dup311); + +var msg31217 = msg("29131", dup311); + +var msg31218 = msg("29132", dup321); + +var msg31219 = msg("29133", dup321); + +var msg31220 = msg("29134", dup321); + +var msg31221 = msg("29135", dup324); + +var msg31222 = msg("29136", dup321); + +var msg31223 = msg("29137", dup321); + +var msg31224 = msg("29138", dup321); + +var msg31225 = msg("29139", dup325); + +var msg31226 = msg("29140", dup321); + +var msg31227 = msg("29141", dup314); + +var msg31228 = msg("29142", dup314); + +var msg31229 = msg("29143", dup325); + +var msg31230 = msg("29144", dup321); + +var msg31231 = msg("29145", dup321); + +var msg31232 = msg("29146", dup321); + +var msg31233 = msg("29147", dup321); + +var msg31234 = msg("29148", dup321); + +var msg31235 = msg("29149", dup321); + +var msg31236 = msg("29150", dup311); + +var msg31237 = msg("29151", dup321); + +var msg31238 = msg("29152", dup321); + +var msg31239 = msg("29153", dup321); + +var msg31240 = msg("29154", dup321); + +var msg31241 = msg("29155", dup321); + +var msg31242 = msg("29156", dup321); + +var msg31243 = msg("29157", dup311); + +var msg31244 = msg("29158", dup311); + +var msg31245 = msg("29159", dup311); + +var msg31246 = msg("29160", dup311); + +var msg31247 = msg("29161", dup321); + +var msg31248 = msg("29162", dup314); + +var msg31249 = msg("29163", dup311); + +var msg31250 = msg("29164", dup311); + +var msg31251 = msg("29165", dup311); + +var msg31252 = msg("29166", dup311); + +var msg31253 = msg("29167", dup311); + +var msg31254 = msg("29168", dup311); + +var msg31255 = msg("29169", dup311); + +var msg31256 = msg("29170", dup314); + +var msg31257 = msg("29171", dup321); + +var msg31258 = msg("29172", dup321); + +var msg31259 = msg("29173", dup321); + +var msg31260 = msg("29174", dup325); + +var msg31261 = msg("29175", dup321); + +var msg31262 = msg("29176", dup321); + +var msg31263 = msg("29177", dup321); + +var msg31264 = msg("29178", dup321); + +var msg31265 = msg("29179", dup321); + +var msg31266 = msg("29180", dup325); + +var msg31267 = msg("29181", dup321); + +var msg31268 = msg("29182", dup309); + +var msg31269 = msg("29183", dup309); + +var msg31270 = msg("29184", dup309); + +var msg31271 = msg("29185", dup309); + +var msg31272 = msg("29186", dup311); + +var msg31273 = msg("29187", dup311); + +var msg31274 = msg("29188", dup311); + +var msg31275 = msg("29189", dup311); + +var msg31276 = msg("29190", dup307); + +var msg31277 = msg("29191", dup311); + +var msg31278 = msg("29192", dup311); + +var msg31279 = msg("29193", dup311); + +var msg31280 = msg("29194", dup309); + +var msg31281 = msg("29195", dup309); + +var msg31282 = msg("29196", dup309); + +var msg31283 = msg("29197", dup309); + +var msg31284 = msg("29198", dup309); + +var msg31285 = msg("29199", dup309); + +var msg31286 = msg("29200", dup314); + +var msg31287 = msg("29201", dup309); + +var msg31288 = msg("29202", dup309); + +var msg31289 = msg("29203", dup314); + +var msg31290 = msg("29204", dup314); + +var msg31291 = msg("29205", dup314); + +var msg31292 = msg("29206", dup314); + +var msg31293 = msg("29207", dup309); + +var msg31294 = msg("29208", dup309); + +var msg31295 = msg("29209", dup309); + +var msg31296 = msg("29210", dup309); + +var msg31297 = msg("29211", dup309); + +var msg31298 = msg("29212", dup309); + +var msg31299 = msg("29213", dup314); + +var msg31300 = msg("29214", dup311); + +var msg31301 = msg("29215", dup309); + +var msg31302 = msg("29216", dup321); + +var msg31303 = msg("29217", dup321); + +var msg31304 = msg("29218", dup311); + +var msg31305 = msg("29219", dup311); + +var msg31306 = msg("29220", dup321); + +var msg31307 = msg("29221", dup325); + +var msg31308 = msg("29222", dup325); + +var msg31309 = msg("29223", dup325); + +var msg31310 = msg("29224", dup314); + +var msg31311 = msg("29225", dup314); + +var msg31312 = msg("29226", dup325); + +var msg31313 = msg("29227", dup325); + +var msg31314 = msg("29228", dup325); + +var msg31315 = msg("29229", dup325); + +var msg31316 = msg("29230", dup325); + +var msg31317 = msg("29231", dup325); + +var msg31318 = msg("29232", dup325); + +var msg31319 = msg("29233", dup325); + +var msg31320 = msg("29234", dup325); + +var msg31321 = msg("29235", dup325); + +var msg31322 = msg("29236", dup325); + +var msg31323 = msg("29237", dup325); + +var msg31324 = msg("29238", dup325); + +var msg31325 = msg("29239", dup325); + +var msg31326 = msg("29240", dup325); + +var msg31327 = msg("29241", dup325); + +var msg31328 = msg("29242", dup325); + +var msg31329 = msg("29243", dup325); + +var msg31330 = msg("29244", dup325); + +var msg31331 = msg("29245", dup325); + +var msg31332 = msg("29246", dup325); + +var msg31333 = msg("29247", dup325); + +var msg31334 = msg("29248", dup325); + +var msg31335 = msg("29249", dup325); + +var msg31336 = msg("29250", dup325); + +var msg31337 = msg("29251", dup325); + +var msg31338 = msg("29252", dup325); + +var msg31339 = msg("29253", dup325); + +var msg31340 = msg("29254", dup325); + +var msg31341 = msg("29255", dup325); + +var msg31342 = msg("29256", dup325); + +var msg31343 = msg("29257", dup325); + +var msg31344 = msg("29258", dup314); + +var msg31345 = msg("29259", dup321); + +var msg31346 = msg("29260", dup321); + +var msg31347 = msg("29261", dup321); + +var msg31348 = msg("29262", dup321); + +var msg31349 = msg("29263", dup321); + +var msg31350 = msg("29264", dup309); + +var msg31351 = msg("29265", dup311); + +var msg31352 = msg("29266", dup314); + +var msg31353 = msg("29267", dup311); + +var msg31354 = msg("29268", dup309); + +var msg31355 = msg("29269", dup309); + +var msg31356 = msg("29270", dup311); + +var msg31357 = msg("29271", dup311); + +var msg31358 = msg("29272", dup311); + +var msg31359 = msg("29273", dup311); + +var msg31360 = msg("29274", dup314); + +var msg31361 = msg("29275", dup314); + +var msg31362 = msg("29276", dup314); + +var msg31363 = msg("29277", dup309); + +var msg31364 = msg("29278", dup309); + +var msg31365 = msg("29279", dup309); + +var msg31366 = msg("29280", dup309); + +var msg31367 = msg("29281", dup311); + +var msg31368 = msg("29282", dup311); + +var msg31369 = msg("29283", dup311); + +var msg31370 = msg("29284", dup311); + +var msg31371 = msg("29285", dup311); + +var msg31372 = msg("29286", dup311); + +var msg31373 = msg("29287", dup311); + +var msg31374 = msg("29288", dup311); + +var msg31375 = msg("29289", dup321); + +var msg31376 = msg("29290", dup321); + +var msg31377 = msg("29291", dup321); + +var msg31378 = msg("29292", dup321); + +var msg31379 = msg("29293", dup321); + +var msg31380 = msg("29294", dup321); + +var msg31381 = msg("29295", dup321); + +var msg31382 = msg("29296", dup314); + +var msg31383 = msg("29297", dup314); + +var msg31384 = msg("29298", dup321); + +var msg31385 = msg("29299", dup321); + +var msg31386 = msg("29300", dup321); + +var msg31387 = msg("29301", dup321); + +var msg31388 = msg("29302", dup321); + +var msg31389 = msg("29303", dup321); + +var msg31390 = msg("29304", dup321); + +var msg31391 = msg("29305", dup321); + +var msg31392 = msg("29306", dup321); + +var msg31393 = msg("29307", dup321); + +var msg31394 = msg("29313", dup321); + +var msg31395 = msg("29314", dup336); + +var msg31396 = msg("29315", dup336); + +var msg31397 = msg("29316", dup336); + +var msg31398 = msg("29317", dup314); + +var msg31399 = msg("29318", dup314); + +var msg31400 = msg("29319", dup314); + +var msg31401 = msg("29320", dup314); + +var msg31402 = msg("29321", dup314); + +var msg31403 = msg("29322", dup314); + +var msg31404 = msg("29323", dup329); + +var msg31405 = msg("29324", dup321); + +var msg31406 = msg("29325", dup321); + +var msg31407 = msg("29326", dup309); + +var msg31408 = msg("29327", dup309); + +var msg31409 = msg("29328", dup309); + +var msg31410 = msg("29329", dup309); + +var msg31411 = msg("29330", dup321); + +var msg31412 = msg("29331", dup321); + +var msg31413 = msg("29332", dup321); + +var msg31414 = msg("29333", dup321); + +var msg31415 = msg("29334", dup321); + +var msg31416 = msg("29335", dup321); + +var msg31417 = msg("29336", dup321); + +var msg31418 = msg("29337", dup321); + +var msg31419 = msg("29338", dup321); + +var msg31420 = msg("29339", dup321); + +var msg31421 = msg("29340", dup321); + +var msg31422 = msg("29341", dup325); + +var msg31423 = msg("29342", dup321); + +var msg31424 = msg("29343", dup321); + +var msg31425 = msg("29344", dup321); + +var msg31426 = msg("29345", dup321); + +var msg31427 = msg("29346", dup311); + +var msg31428 = msg("29347", dup321); + +var msg31429 = msg("29348", dup321); + +var msg31430 = msg("29349", dup321); + +var msg31431 = msg("29350", dup321); + +var msg31432 = msg("29351", dup321); + +var msg31433 = msg("29352", dup321); + +var msg31434 = msg("29353", dup321); + +var msg31435 = msg("29354", dup336); + +var msg31436 = msg("29355", dup321); + +var msg31437 = msg("29356", dup321); + +var all57 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup123, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg31438 = msg("29357", all57); + +var msg31439 = msg("29358", dup325); + +var msg31440 = msg("29359", dup321); + +var msg31441 = msg("29360", dup311); + +var msg31442 = msg("29361", dup311); + +var msg31443 = msg("29362", dup324); + +var msg31444 = msg("29363", dup321); + +var msg31445 = msg("29364", dup321); + +var msg31446 = msg("29365", dup321); + +var msg31447 = msg("29366", dup321); + +var msg31448 = msg("29367", dup321); + +var msg31449 = msg("29368", dup321); + +var msg31450 = msg("29369", dup321); + +var msg31451 = msg("29370", dup321); + +var msg31452 = msg("29371", dup325); + +var msg31453 = msg("29372", dup321); + +var msg31454 = msg("29373", dup321); + +var msg31455 = msg("29374", dup324); + +var msg31456 = msg("29375", dup324); + +var msg31457 = msg("29376", dup321); + +var msg31458 = msg("29377", dup321); + +var msg31459 = msg("29378", dup321); + +var msg31460 = msg("29379", dup321); + +var msg31461 = msg("29380", dup321); + +var msg31462 = msg("29381", dup329); + +var msg31463 = msg("29382", dup329); + +var msg31464 = msg("29383", dup329); + +var msg31465 = msg("29384", dup314); + +var msg31466 = msg("29385", dup314); + +var msg31467 = msg("29386", dup314); + +var msg31468 = msg("29387", dup311); + +var msg31469 = msg("29388", dup321); + +var msg31470 = msg("29389", dup321); + +var msg31471 = msg("29390", dup314); + +var msg31472 = msg("29391", dup314); + +var msg31473 = msg("29392", dup314); + +var msg31474 = msg("29393", dup324); + +var msg31475 = msg("29394", dup309); + +var msg31476 = msg("29395", dup321); + +var msg31477 = msg("29396", dup311); + +var msg31478 = msg("29397", dup311); + +var msg31479 = msg("29398", dup311); + +var msg31480 = msg("29399", dup311); + +var msg31481 = msg("29400", dup314); + +var msg31482 = msg("29401", dup311); + +var msg31483 = msg("29402", dup311); + +var msg31484 = msg("29403", dup311); + +var msg31485 = msg("29404", dup309); + +var msg31486 = msg("29405", dup314); + +var msg31487 = msg("29406", dup314); + +var msg31488 = msg("29407", dup314); + +var msg31489 = msg("29408", dup321); + +var msg31490 = msg("29409", dup323); + +var msg31491 = msg("29410", dup323); + +var msg31492 = msg("29411", dup311); + +var msg31493 = msg("29412", dup311); + +var msg31494 = msg("29413", dup311); + +var msg31495 = msg("29414", dup311); + +var msg31496 = msg("29415", dup321); + +var msg31497 = msg("29416", dup321); + +var msg31498 = msg("29417", dup321); + +var msg31499 = msg("29418", dup314); + +var msg31500 = msg("29419", dup314); + +var msg31501 = msg("29420", dup333); + +var msg31502 = msg("29421", dup333); + +var msg31503 = msg("29422", dup321); + +var msg31504 = msg("29423", dup324); + +var msg31505 = msg("29424", dup321); + +var msg31506 = msg("29425", dup321); + +var msg31507 = msg("29426", dup321); + +var msg31508 = msg("29427", dup321); + +var msg31509 = msg("29428", dup321); + +var msg31510 = msg("29429", dup321); + +var msg31511 = msg("29430", dup321); + +var msg31512 = msg("29431", dup325); + +var msg31513 = msg("29432", dup321); + +var msg31514 = msg("29433", dup314); + +var msg31515 = msg("29434", dup309); + +var msg31516 = msg("29435", dup311); + +var msg31517 = msg("29436", dup311); + +var msg31518 = msg("29437", dup314); + +var msg31519 = msg("29438", dup314); + +var msg31520 = msg("29439", dup314); + +var msg31521 = msg("29440", dup321); + +var msg31522 = msg("29442", dup311); + +var msg31523 = msg("29443", dup311); + +var msg31524 = msg("29444", dup311); + +var msg31525 = msg("29445", dup311); + +var msg31526 = msg("29446", dup311); + +var msg31527 = msg("29447", dup307); + +var msg31528 = msg("29448", dup311); + +var msg31529 = msg("29449", dup311); + +var msg31530 = msg("29450", dup311); + +var msg31531 = msg("29451", dup311); + +var msg31532 = msg("29452", dup311); + +var msg31533 = msg("29453", dup311); + +var msg31534 = msg("29454", dup334); + +var msg31535 = msg("29455", dup334); + +var msg31536 = msg("29456", dup334); + +var msg31537 = msg("29457", dup334); + +var msg31538 = msg("29458", dup321); + +var msg31539 = msg("29459", dup321); + +var msg31540 = msg("29460", dup321); + +var msg31541 = msg("29461", dup321); + +var msg31542 = msg("29462", dup325); + +var msg31543 = msg("29463", dup321); + +var msg31544 = msg("29464", dup321); + +var msg31545 = msg("29465", dup309); + +var msg31546 = msg("29466", dup309); + +var msg31547 = msg("29467", dup309); + +var msg31548 = msg("29468", dup309); + +var msg31549 = msg("29469", dup321); + +var msg31550 = msg("29470", dup321); + +var msg31551 = msg("29471", dup321); + +var msg31552 = msg("29472", dup321); + +var msg31553 = msg("29473", dup321); + +var msg31554 = msg("29474", dup321); + +var msg31555 = msg("29475", dup321); + +var msg31556 = msg("29476", dup321); + +var msg31557 = msg("29477", dup321); + +var msg31558 = msg("29478", dup321); + +var msg31559 = msg("29479", dup321); + +var msg31560 = msg("29480", dup321); + +var msg31561 = msg("29481", dup321); + +var msg31562 = msg("29482", dup321); + +var msg31563 = msg("29483", dup321); + +var msg31564 = msg("29484", dup321); + +var msg31565 = msg("29485", dup314); + +var msg31566 = msg("29486", dup314); + +var msg31567 = msg("29487", dup314); + +var msg31568 = msg("29488", dup314); + +var msg31569 = msg("29489", dup321); + +var msg31570 = msg("29490", dup309); + +var msg31571 = msg("29491", dup309); + +var msg31572 = msg("29492", dup321); + +var msg31573 = msg("29493", dup321); + +var msg31574 = msg("29494", dup321); + +var msg31575 = msg("29495", dup321); + +var msg31576 = msg("29496", dup321); + +var msg31577 = msg("29497", dup321); + +var msg31578 = msg("29498", dup314); + +var msg31579 = msg("29499", dup314); + +var msg31580 = msg("29500", dup321); + +var msg31581 = msg("29501", dup311); + +var msg31582 = msg("29502", dup309); + +var msg31583 = msg("29503", dup314); + +var msg31584 = msg("29504", dup314); + +var msg31585 = msg("29505", dup311); + +var msg31586 = msg("29506", dup314); + +var msg31587 = msg("29507", dup314); + +var msg31588 = msg("29508", dup314); + +var msg31589 = msg("29509", dup323); + +var msg31590 = msg("29510", dup323); + +var msg31591 = msg("29511", dup309); + +var msg31592 = msg("29512", dup314); + +var msg31593 = msg("29513", dup309); + +var msg31594 = msg("29514", dup314); + +var msg31595 = msg("29515", dup309); + +var msg31596 = msg("29516", dup314); + +var msg31597 = msg("29517", dup314); + +var msg31598 = msg("29518", dup311); + +var msg31599 = msg("29519", dup314); + +var msg31600 = msg("29520", dup311); + +var msg31601 = msg("29521", dup311); + +var msg31602 = msg("29522", dup307); + +var msg31603 = msg("29523", dup309); + +var msg31604 = msg("29524", dup314); + +var msg31605 = msg("29525", dup314); + +var msg31606 = msg("29526", dup309); + +var msg31607 = msg("29527", dup309); + +var msg31608 = msg("29528", dup309); + +var msg31609 = msg("29529", dup309); + +var msg31610 = msg("29530", dup309); + +var msg31611 = msg("29531", dup309); + +var msg31612 = msg("29532", dup309); + +var msg31613 = msg("29533", dup314); + +var msg31614 = msg("29534", dup314); + +var msg31615 = msg("29535", dup307); + +var msg31616 = msg("29536", dup306); + +var msg31617 = msg("29537", dup314); + +var msg31618 = msg("29538", dup314); + +var msg31619 = msg("29539", dup309); + +var msg31620 = msg("29540", dup309); + +var msg31621 = msg("29541", dup309); + +var msg31622 = msg("29542", dup309); + +var msg31623 = msg("29543", dup309); + +var msg31624 = msg("29544", dup309); + +var msg31625 = msg("29545", dup309); + +var msg31626 = msg("29546", dup309); + +var msg31627 = msg("29547", dup311); + +var msg31628 = msg("29548", dup311); + +var msg31629 = msg("29549", dup316); + +var msg31630 = msg("29550", dup321); + +var msg31631 = msg("29551", dup311); + +var msg31632 = msg("29552", dup311); + +var msg31633 = msg("29553", dup311); + +var msg31634 = msg("29554", dup311); + +var msg31635 = msg("29555", dup321); + +var msg31636 = msg("29556", dup321); + +var msg31637 = msg("29557", dup321); + +var msg31638 = msg("29558", dup321); + +var msg31639 = msg("29559", dup321); + +var msg31640 = msg("29560", dup321); + +var msg31641 = msg("29561", dup321); + +var msg31642 = msg("29562", dup321); + +var msg31643 = msg("29563", dup321); + +var msg31644 = msg("29564", dup321); + +var msg31645 = msg("29565", dup321); + +var msg31646 = msg("29566", dup321); + +var msg31647 = msg("29567", dup321); + +var msg31648 = msg("29568", dup321); + +var msg31649 = msg("29569", dup321); + +var msg31650 = msg("29570", dup309); + +var msg31651 = msg("29571", dup309); + +var msg31652 = msg("29572", dup309); + +var msg31653 = msg("29573", dup309); + +var msg31654 = msg("29574", dup309); + +var msg31655 = msg("29575", dup309); + +var msg31656 = msg("29576", dup309); + +var msg31657 = msg("29577", dup309); + +var msg31658 = msg("29578", dup329); + +var msg31659 = msg("29579", dup311); + +var msg31660 = msg("29580", dup311); + +var msg31661 = msg("29581", dup308); + +var msg31662 = msg("29582", dup311); + +var msg31663 = msg("29583", dup314); + +var msg31664 = msg("29584", dup322); + +var msg31665 = msg("29585", dup309); + +var msg31666 = msg("29586", dup309); + +var msg31667 = msg("29587", dup309); + +var msg31668 = msg("29588", dup309); + +var msg31669 = msg("29589", dup309); + +var msg31670 = msg("29590", dup309); + +var msg31671 = msg("29591", dup309); + +var msg31672 = msg("29592", dup311); + +var msg31673 = msg("29593", dup323); + +var msg31674 = msg("29594", dup323); + +var msg31675 = msg("29595", dup323); + +var msg31676 = msg("29596", dup311); + +var msg31677 = msg("29597", dup311); + +var msg31678 = msg("29598", dup323); + +var msg31679 = msg("29599", dup323); + +var msg31680 = msg("29600", dup323); + +var msg31681 = msg("29601", dup323); + +var msg31682 = msg("29602", dup311); + +var msg31683 = msg("29603", dup311); + +var msg31684 = msg("29604", dup324); + +var msg31685 = msg("29605", dup309); + +var msg31686 = msg("29606", dup309); + +var msg31687 = msg("29607", dup307); + +var msg31688 = msg("29608", dup322); + +var msg31689 = msg("29609", dup322); + +var msg31690 = msg("29610", dup309); + +var msg31691 = msg("29611", dup309); + +var msg31692 = msg("29612", dup314); + +var msg31693 = msg("29613", dup314); + +var msg31694 = msg("29614", dup314); + +var msg31695 = msg("29615", dup321); + +var msg31696 = msg("29616", dup321); + +var msg31697 = msg("29617", dup314); + +var msg31698 = msg("29618", dup314); + +var msg31699 = msg("29619", dup314); + +var msg31700 = msg("29620", dup309); + +var msg31701 = msg("29621", dup307); + +var msg31702 = msg("29622", dup311); + +var msg31703 = msg("29623", dup311); + +var msg31704 = msg("29624", dup309); + +var msg31705 = msg("29625", dup309); + +var msg31706 = msg("29626", dup307); + +var msg31707 = msg("29627", dup307); + +var msg31708 = msg("29628", dup307); + +var msg31709 = msg("29629", dup307); + +var msg31710 = msg("29630", dup311); + +var msg31711 = msg("29631", dup314); + +var msg31712 = msg("29632", dup314); + +var msg31713 = msg("29633", dup314); + +var msg31714 = msg("29634", dup314); + +var msg31715 = msg("29635", dup321); + +var msg31716 = msg("29636", dup321); + +var msg31717 = msg("29637", dup321); + +var msg31718 = msg("29638", dup321); + +var msg31719 = msg("29639", dup311); + +var msg31720 = msg("29640", dup309); + +var msg31721 = msg("29641", dup309); + +var msg31722 = msg("29642", dup309); + +var msg31723 = msg("29643", dup309); + +var msg31724 = msg("29644", dup321); + +var msg31725 = msg("29645", dup325); + +var msg31726 = msg("29646", dup311); + +var msg31727 = msg("29647", dup311); + +var msg31728 = msg("29648", dup311); + +var msg31729 = msg("29649", dup314); + +var msg31730 = msg("29650", dup325); + +var msg31731 = msg("29651", dup325); + +var msg31732 = msg("29652", dup325); + +var msg31733 = msg("29653", dup321); + +var msg31734 = msg("29654", dup321); + +var msg31735 = msg("29655", dup325); + +var msg31736 = msg("29656", dup321); + +var msg31737 = msg("29657", dup321); + +var msg31738 = msg("29658", dup321); + +var msg31739 = msg("29659", dup321); + +var msg31740 = msg("29660", dup324); + +var msg31741 = msg("29661", dup324); + +var msg31742 = msg("29662", dup333); + +var msg31743 = msg("29663", dup321); + +var msg31744 = msg("29664", dup321); + +var msg31745 = msg("29665", dup321); + +var msg31746 = msg("29666", dup321); + +var msg31747 = msg("29667", dup325); + +var msg31748 = msg("29668", dup325); + +var msg31749 = msg("29669", dup311); + +var msg31750 = msg("29670", dup321); + +var msg31751 = msg("29671", dup325); + +var msg31752 = msg("29672", dup325); + +var msg31753 = msg("29673", dup325); + +var msg31754 = msg("29674", dup325); + +var msg31755 = msg("29675", dup325); + +var msg31756 = msg("29676", dup325); + +var msg31757 = msg("29677", dup325); + +var msg31758 = msg("29678", dup325); + +var msg31759 = msg("29679", dup325); + +var msg31760 = msg("29680", dup314); + +var msg31761 = msg("29681", dup314); + +var msg31762 = msg("29682", dup314); + +var msg31763 = msg("29683", dup314); + +var msg31764 = msg("29684", dup314); + +var msg31765 = msg("29685", dup314); + +var msg31766 = msg("29686", dup314); + +var msg31767 = msg("29687", dup314); + +var msg31768 = msg("29688", dup314); + +var msg31769 = msg("29689", dup314); + +var msg31770 = msg("29690", dup314); + +var msg31771 = msg("29691", dup314); + +var msg31772 = msg("29692", dup314); + +var msg31773 = msg("29693", dup314); + +var msg31774 = msg("29694", dup314); + +var msg31775 = msg("29695", dup314); + +var msg31776 = msg("29696", dup314); + +var msg31777 = msg("29697", dup314); + +var msg31778 = msg("29698", dup314); + +var msg31779 = msg("29699", dup314); + +var msg31780 = msg("29700", dup314); + +var msg31781 = msg("29701", dup314); + +var msg31782 = msg("29702", dup314); + +var msg31783 = msg("29703", dup314); + +var msg31784 = msg("29704", dup314); + +var msg31785 = msg("29705", dup314); + +var msg31786 = msg("29706", dup325); + +var msg31787 = msg("29707", dup325); + +var msg31788 = msg("29708", dup325); + +var msg31789 = msg("29709", dup311); + +var msg31790 = msg("29710", dup311); + +var msg31791 = msg("29711", dup325); + +var msg31792 = msg("29712", dup325); + +var msg31793 = msg("29713", dup311); + +var msg31794 = msg("29714", dup311); + +var msg31795 = msg("29715", dup324); + +var msg31796 = msg("29716", dup311); + +var msg31797 = msg("29717", dup325); + +var msg31798 = msg("29718", dup325); + +var msg31799 = msg("29719", dup325); + +var msg31800 = msg("29720", dup325); + +var msg31801 = msg("29721", dup325); + +var msg31802 = msg("29722", dup325); + +var msg31803 = msg("29723", dup309); + +var msg31804 = msg("29724", dup309); + +var msg31805 = msg("29725", dup309); + +var msg31806 = msg("29726", dup309); + +var msg31807 = msg("29727", dup325); + +var msg31808 = msg("29728", dup325); + +var msg31809 = msg("29729", dup325); + +var msg31810 = msg("29730", dup325); + +var msg31811 = msg("29731", dup325); + +var msg31812 = msg("29732", dup325); + +var msg31813 = msg("29733", dup311); + +var msg31814 = msg("29734", dup311); + +var msg31815 = msg("29735", dup325); + +var msg31816 = msg("29736", dup325); + +var msg31817 = msg("29737", dup325); + +var msg31818 = msg("29738", dup325); + +var msg31819 = msg("29739", dup321); + +var msg31820 = msg("29740", dup321); + +var msg31821 = msg("29741", dup311); + +var msg31822 = msg("29742", dup311); + +var msg31823 = msg("29743", dup325); + +var msg31824 = msg("29744", dup325); + +var msg31825 = msg("29745", dup314); + +var msg31826 = msg("29746", dup314); + +var msg31827 = msg("29747", dup314); + +var msg31828 = msg("29748", dup314); + +var msg31829 = msg("29749", dup314); + +var msg31830 = msg("29750", dup330); + +var msg31831 = msg("29751", dup330); + +var msg31832 = msg("29752", dup330); + +var msg31833 = msg("29753", dup311); + +var msg31834 = msg("29754", dup311); + +var msg31835 = msg("29755", dup311); + +var msg31836 = msg("29756", dup322); + +var msg31837 = msg("29757", dup311); + +var msg31838 = msg("29758", dup311); + +var msg31839 = msg("29759", dup324); + +var msg31840 = msg("29760", dup325); + +var msg31841 = msg("29761", dup321); + +var msg31842 = msg("29762", dup321); + +var msg31843 = msg("29763", dup321); + +var msg31844 = msg("29764", dup321); + +var msg31845 = msg("29765", dup321); + +var msg31846 = msg("29766", dup333); + +var msg31847 = msg("29767", dup321); + +var msg31848 = msg("29768", dup321); + +var msg31849 = msg("29769", dup321); + +var msg31850 = msg("29770", dup321); + +var msg31851 = msg("29771", dup321); + +var msg31852 = msg("29772", dup321); + +var msg31853 = msg("29773", dup321); + +var msg31854 = msg("29774", dup321); + +var msg31855 = msg("29775", dup321); + +var msg31856 = msg("29776", dup321); + +var msg31857 = msg("29777", dup321); + +var msg31858 = msg("29778", dup321); + +var msg31859 = msg("29779", dup321); + +var msg31860 = msg("29780", dup321); + +var msg31861 = msg("29781", dup333); + +var msg31862 = msg("29782", dup333); + +var msg31863 = msg("29783", dup321); + +var msg31864 = msg("29784", dup321); + +var msg31865 = msg("29785", dup321); + +var msg31866 = msg("29786", dup321); + +var msg31867 = msg("29787", dup321); + +var msg31868 = msg("29788", dup321); + +var msg31869 = msg("29789", dup321); + +var msg31870 = msg("29790", dup321); + +var msg31871 = msg("29791", dup321); + +var msg31872 = msg("29792", dup307); + +var msg31873 = msg("29793", dup307); + +var msg31874 = msg("29794", dup323); + +var msg31875 = msg("29795", dup323); + +var msg31876 = msg("29796", dup325); + +var msg31877 = msg("29797", dup325); + +var msg31878 = msg("29798", dup314); + +var msg31879 = msg("29799", dup314); + +var msg31880 = msg("29800", dup311); + +var msg31881 = msg("29801", dup311); + +var msg31882 = msg("29802", dup311); + +var msg31883 = msg("29803", dup311); + +var msg31884 = msg("29804", dup311); + +var msg31885 = msg("29805", dup311); + +var msg31886 = msg("29806", dup311); + +var msg31887 = msg("29807", dup314); + +var msg31888 = msg("29808", dup311); + +var msg31889 = msg("29809", dup314); + +var msg31890 = msg("29810", dup314); + +var msg31891 = msg("29811", dup314); + +var msg31892 = msg("29812", dup314); + +var msg31893 = msg("29813", dup314); + +var msg31894 = msg("29814", dup324); + +var msg31895 = msg("29815", dup316); + +var msg31896 = msg("29816", dup321); + +var msg31897 = msg("29817", dup321); + +var msg31898 = msg("29818", dup321); + +var msg31899 = msg("29819", dup325); + +var msg31900 = msg("29820", dup325); + +var msg31901 = msg("29821", dup325); + +var msg31902 = msg("29822", dup325); + +var msg31903 = msg("29823", dup311); + +var msg31904 = msg("29824", dup325); + +var msg31905 = msg("29825", dup321); + +var msg31906 = msg("29826", dup321); + +var msg31907 = msg("29827", dup321); + +var msg31908 = msg("29828", dup321); + +var msg31909 = msg("29829", dup311); + +var msg31910 = msg("29830", dup311); + +var msg31911 = msg("29831", dup311); + +var msg31912 = msg("29832", dup321); + +var msg31913 = msg("29833", dup321); + +var msg31914 = msg("29834", dup314); + +var msg31915 = msg("29835", dup323); + +var msg31916 = msg("29836", dup323); + +var msg31917 = msg("29837", dup321); + +var msg31918 = msg("29838", dup321); + +var msg31919 = msg("29839", dup321); + +var msg31920 = msg("29840", dup321); + +var msg31921 = msg("29841", dup321); + +var msg31922 = msg("29842", dup321); + +var msg31923 = msg("29843", dup321); + +var msg31924 = msg("29844", dup321); + +var msg31925 = msg("29845", dup321); + +var msg31926 = msg("29846", dup321); + +var msg31927 = msg("29847", dup321); + +var msg31928 = msg("29848", dup321); + +var msg31929 = msg("29849", dup321); + +var msg31930 = msg("29850", dup321); + +var msg31931 = msg("29851", dup321); + +var msg31932 = msg("29852", dup321); + +var msg31933 = msg("29853", dup321); + +var msg31934 = msg("29854", dup321); + +var msg31935 = msg("29855", dup321); + +var msg31936 = msg("29856", dup321); + +var msg31937 = msg("29857", dup321); + +var msg31938 = msg("29858", dup321); + +var msg31939 = msg("29859", dup314); + +var msg31940 = msg("29860", dup321); + +var msg31941 = msg("29861", dup321); + +var msg31942 = msg("29862", dup321); + +var msg31943 = msg("29863", dup321); + +var msg31944 = msg("29864", dup311); + +var msg31945 = msg("29865", dup321); + +var msg31946 = msg("29866", dup324); + +var msg31947 = msg("29867", dup321); + +var msg31948 = msg("29868", dup321); + +var msg31949 = msg("29869", dup311); + +var msg31950 = msg("29870", dup310); + +var msg31951 = msg("29871", dup311); + +var msg31952 = msg("29872", dup321); + +var msg31953 = msg("29873", dup321); + +var msg31954 = msg("29874", dup321); + +var msg31955 = msg("29875", dup321); + +var msg31956 = msg("29876", dup324); + +var msg31957 = msg("29877", dup324); + +var msg31958 = msg("29878", dup322); + +var msg31959 = msg("29879", dup322); + +var msg31960 = msg("29880", dup322); + +var msg31961 = msg("29881", dup322); + +var msg31962 = msg("29882", dup321); + +var msg31963 = msg("29883", dup321); + +var msg31964 = msg("29884", dup321); + +var msg31965 = msg("29885", dup321); + +var msg31966 = msg("29886", dup321); + +var msg31967 = msg("29887", dup325); + +var msg31968 = msg("29888", dup324); + +var msg31969 = msg("29889", dup324); + +var msg31970 = msg("29890", dup311); + +var msg31971 = msg("29891", dup321); + +var msg31972 = msg("29892", dup321); + +var msg31973 = msg("29893", dup321); + +var msg31974 = msg("29894", dup321); + +var msg31975 = msg("29895", dup321); + +var msg31976 = msg("29896", dup324); + +var msg31977 = msg("29897", dup325); + +var msg31978 = msg("29898", dup321); + +var msg31979 = msg("29899", dup321); + +var msg31980 = msg("29900", dup321); + +var msg31981 = msg("29901", dup321); + +var msg31982 = msg("29902", dup314); + +var msg31983 = msg("29903", dup314); + +var msg31984 = msg("29904", dup314); + +var msg31985 = msg("29905", dup314); + +var msg31986 = msg("29906", dup324); + +var msg31987 = msg("29907", dup324); + +var msg31988 = msg("29909", dup311); + +var msg31989 = msg("29910", dup321); + +var msg31990 = msg("29911", dup321); + +var msg31991 = msg("29912", dup321); + +var msg31992 = msg("29913", dup321); + +var msg31993 = msg("29914", dup321); + +var msg31994 = msg("29915", dup321); + +var msg31995 = msg("29916", dup321); + +var msg31996 = msg("29917", dup321); + +var msg31997 = msg("29918", dup321); + +var msg31998 = msg("29919", dup321); + +var msg31999 = msg("29920", dup321); + +var msg32000 = msg("29921", dup321); + +var msg32001 = msg("29922", dup321); + +var msg32002 = msg("29923", dup321); + +var msg32003 = msg("29924", dup321); + +var msg32004 = msg("29925", dup321); + +var msg32005 = msg("29926", dup309); + +var msg32006 = msg("29927", dup309); + +var msg32007 = msg("29928", dup314); + +var msg32008 = msg("29929", dup314); + +var msg32009 = msg("29930", dup314); + +var msg32010 = msg("29931", dup314); + +var msg32011 = msg("29932", dup325); + +var msg32012 = msg("29933", dup325); + +var msg32013 = msg("29934", dup309); + +var msg32014 = msg("29935", dup324); + +var msg32015 = msg("29936", dup311); + +var msg32016 = msg("29937", dup309); + +var msg32017 = msg("29938", dup309); + +var msg32018 = msg("29939", dup309); + +var msg32019 = msg("29940", dup309); + +var msg32020 = msg("29941", dup309); + +var msg32021 = msg("29942", dup309); + +var msg32022 = msg("29943", dup311); + +var msg32023 = msg("29944", dup307); + +var msg32024 = msg("29945", dup307); + +var msg32025 = msg("29946", dup309); + +var msg32026 = msg("29947", dup309); + +var msg32027 = msg("29948", dup309); + +var msg32028 = msg("29949", dup316); + +var msg32029 = msg("29950", dup324); + +var msg32030 = msg("29951", dup309); + +var msg32031 = msg("29952", dup309); + +var msg32032 = msg("29953", dup309); + +var msg32033 = msg("29954", dup309); + +var msg32034 = msg("29955", dup311); + +var msg32035 = msg("29956", dup311); + +var msg32036 = msg("29957", dup309); + +var msg32037 = msg("29958", dup309); + +var msg32038 = msg("29959", dup309); + +var msg32039 = msg("29960", dup324); + +var msg32040 = msg("29961", dup324); + +var msg32041 = msg("29962", dup324); + +var msg32042 = msg("29963", dup324); + +var msg32043 = msg("29964", dup314); + +var msg32044 = msg("29965", dup324); + +var msg32045 = msg("29966", dup309); + +var msg32046 = msg("29967", dup309); + +var msg32047 = msg("29968", dup309); + +var msg32048 = msg("29969", dup311); + +var msg32049 = msg("29970", dup311); + +var msg32050 = msg("29971", dup311); + +var msg32051 = msg("29972", dup311); + +var msg32052 = msg("29973", dup321); + +var msg32053 = msg("29974", dup321); + +var msg32054 = msg("29975", dup321); + +var msg32055 = msg("29976", dup321); + +var msg32056 = msg("29977", dup321); + +var msg32057 = msg("29978", dup321); + +var msg32058 = msg("29979", dup311); + +var msg32059 = msg("29980", dup321); + +var msg32060 = msg("29981", dup321); + +var msg32061 = msg("29982", dup321); + +var msg32062 = msg("29983", dup325); + +var msg32063 = msg("29984", dup325); + +var msg32064 = msg("29985", dup321); + +var msg32065 = msg("29986", dup321); + +var msg32066 = msg("29987", dup321); + +var msg32067 = msg("29988", dup325); + +var msg32068 = msg("29989", dup325); + +var msg32069 = msg("29990", dup321); + +var msg32070 = msg("29991", dup321); + +var msg32071 = msg("29992", dup309); + +var msg32072 = msg("29993", dup321); + +var msg32073 = msg("29994", dup321); + +var msg32074 = msg("29995", dup321); + +var msg32075 = msg("29996", dup321); + +var msg32076 = msg("29997", dup321); + +var msg32077 = msg("29998", dup321); + +var msg32078 = msg("29999", dup325); + +var msg32079 = msg("30000", dup311); + +var msg32080 = msg("30001", dup311); + +var msg32081 = msg("30002", dup311); + +var msg32082 = msg("30003", dup311); + +var msg32083 = msg("30004", dup311); + +var msg32084 = msg("30005", dup311); + +var msg32085 = msg("30006", dup311); + +var msg32086 = msg("30007", dup311); + +var msg32087 = msg("30008", dup311); + +var msg32088 = msg("30009", dup311); + +var msg32089 = msg("30010", dup314); + +var msg32090 = msg("30011", dup311); + +var msg32091 = msg("30012", dup314); + +var msg32092 = msg("30013", dup314); + +var msg32093 = msg("30014", dup314); + +var msg32094 = msg("30015", dup314); + +var msg32095 = msg("30016", dup314); + +var msg32096 = msg("30017", dup314); + +var msg32097 = msg("30018", dup314); + +var msg32098 = msg("30019", dup309); + +var msg32099 = msg("30020", dup309); + +var msg32100 = msg("30021", dup309); + +var msg32101 = msg("30022", dup309); + +var msg32102 = msg("30023", dup309); + +var msg32103 = msg("30024", dup309); + +var msg32104 = msg("30025", dup309); + +var msg32105 = msg("30026", dup309); + +var msg32106 = msg("30027", dup309); + +var msg32107 = msg("30028", dup309); + +var msg32108 = msg("30029", dup309); + +var msg32109 = msg("30030", dup309); + +var msg32110 = msg("30031", dup309); + +var msg32111 = msg("30032", dup309); + +var msg32112 = msg("30033", dup314); + +var msg32113 = msg("30034", dup321); + +var msg32114 = msg("30035", dup321); + +var msg32115 = msg("30036", dup321); + +var msg32116 = msg("30037", dup321); + +var msg32117 = msg("30038", dup314); + +var msg32118 = msg("30039", dup321); + +var msg32119 = msg("30040", dup322); + +var msg32120 = msg("30041", dup322); + +var msg32121 = msg("30042", dup316); + +var msg32122 = msg("30043", dup321); + +var msg32123 = msg("30044", dup321); + +var msg32124 = msg("30045", dup321); + +var msg32125 = msg("30046", dup321); + +var msg32126 = msg("30047", dup321); + +var msg32127 = msg("30048", dup309); + +var msg32128 = msg("30049", dup309); + +var msg32129 = msg("30050", dup314); + +var msg32130 = msg("30051", dup314); + +var msg32131 = msg("30052", dup309); + +var msg32132 = msg("30053", dup309); + +var msg32133 = msg("30054", dup333); + +var msg32134 = msg("30055", dup333); + +var msg32135 = msg("30056", dup321); + +var msg32136 = msg("30057", dup321); + +var msg32137 = msg("30058", dup333); + +var msg32138 = msg("30059", dup321); + +var msg32139 = msg("30060", dup321); + +var msg32140 = msg("30061", dup321); + +var msg32141 = msg("30062", dup321); + +var msg32142 = msg("30063", dup321); + +var msg32143 = msg("30064", dup321); + +var msg32144 = msg("30065", dup314); + +var msg32145 = msg("30066", dup325); + +var msg32146 = msg("30067", dup321); + +var msg32147 = msg("30068", dup321); + +var msg32148 = msg("30069", dup321); + +var msg32149 = msg("30070", dup321); + +var msg32150 = msg("30071", dup321); + +var msg32151 = msg("30072", dup321); + +var msg32152 = msg("30073", dup321); + +var msg32153 = msg("30074", dup321); + +var msg32154 = msg("30075", dup321); + +var msg32155 = msg("30076", dup321); + +var msg32156 = msg("30077", dup321); + +var msg32157 = msg("30078", dup321); + +var msg32158 = msg("30079", dup325); + +var msg32159 = msg("30080", dup325); + +var msg32160 = msg("30081", dup325); + +var msg32161 = msg("30082", dup325); + +var msg32162 = msg("30083", dup321); + +var msg32163 = msg("30084", dup321); + +var msg32164 = msg("30085", dup321); + +var msg32165 = msg("30086", dup321); + +var msg32166 = msg("30087", dup321); + +var msg32167 = msg("30088", dup321); + +var msg32168 = msg("30089", dup321); + +var msg32169 = msg("30090", dup321); + +var msg32170 = msg("30091", dup321); + +var msg32171 = msg("30092", dup314); + +var msg32172 = msg("30093", dup314); + +var msg32173 = msg("30094", dup309); + +var msg32174 = msg("30095", dup309); + +var msg32175 = msg("30096", dup309); + +var msg32176 = msg("30097", dup309); + +var msg32177 = msg("30098", dup333); + +var msg32178 = msg("30099", dup321); + +var msg32179 = msg("30100", dup333); + +var msg32180 = msg("30101", dup333); + +var msg32181 = msg("30102", dup325); + +var msg32182 = msg("30103", dup325); + +var msg32183 = msg("30104", dup325); + +var msg32184 = msg("30105", dup325); + +var msg32185 = msg("30106", dup325); + +var msg32186 = msg("30107", dup325); + +var msg32187 = msg("30108", dup325); + +var msg32188 = msg("30109", dup325); + +var msg32189 = msg("30110", dup325); + +var msg32190 = msg("30111", dup325); + +var msg32191 = msg("30112", dup325); + +var msg32192 = msg("30113", dup325); + +var msg32193 = msg("30114", dup309); + +var msg32194 = msg("30115", dup309); + +var msg32195 = msg("30116", dup325); + +var msg32196 = msg("30117", dup325); + +var msg32197 = msg("30118", dup325); + +var msg32198 = msg("30119", dup325); + +var msg32199 = msg("30120", dup325); + +var msg32200 = msg("30121", dup325); + +var msg32201 = msg("30122", dup311); + +var msg32202 = msg("30123", dup325); + +var msg32203 = msg("30124", dup325); + +var msg32204 = msg("30125", dup325); + +var msg32205 = msg("30126", dup325); + +var msg32206 = msg("30127", dup311); + +var msg32207 = msg("30128", dup311); + +var msg32208 = msg("30129", dup325); + +var msg32209 = msg("30130", dup325); + +var msg32210 = msg("30131", dup325); + +var msg32211 = msg("30132", dup325); + +var msg32212 = msg("30133", dup311); + +var msg32213 = msg("30134", dup311); + +var msg32214 = msg("30135", dup311); + +var msg32215 = msg("30136", dup311); + +var msg32216 = msg("30137", dup321); + +var msg32217 = msg("30138", dup321); + +var msg32218 = msg("30139", dup314); + +var msg32219 = msg("30140", dup325); + +var msg32220 = msg("30141", dup325); + +var msg32221 = msg("30142", dup325); + +var msg32222 = msg("30143", dup325); + +var msg32223 = msg("30144", dup309); + +var msg32224 = msg("30145", dup309); + +var msg32225 = msg("30146", dup314); + +var msg32226 = msg("30147", dup314); + +var msg32227 = msg("30148", dup314); + +var msg32228 = msg("30149", dup314); + +var msg32229 = msg("30150", dup311); + +var msg32230 = msg("30151", dup311); + +var msg32231 = msg("30152", dup311); + +var msg32232 = msg("30153", dup309); + +var msg32233 = msg("30154", dup309); + +var msg32234 = msg("30155", dup309); + +var msg32235 = msg("30156", dup309); + +var msg32236 = msg("30157", dup309); + +var msg32237 = msg("30158", dup309); + +var msg32238 = msg("30159", dup309); + +var msg32239 = msg("30160", dup309); + +var msg32240 = msg("30161", dup309); + +var msg32241 = msg("30162", dup309); + +var msg32242 = msg("30163", dup309); + +var msg32243 = msg("30164", dup309); + +var msg32244 = msg("30165", dup309); + +var msg32245 = msg("30166", dup309); + +var msg32246 = msg("30167", dup321); + +var msg32247 = msg("30168", dup321); + +var msg32248 = msg("30169", dup325); + +var msg32249 = msg("30170", dup321); + +var msg32250 = msg("30171", dup321); + +var msg32251 = msg("30172", dup321); + +var msg32252 = msg("30173", dup321); + +var msg32253 = msg("30174", dup321); + +var msg32254 = msg("30175", dup321); + +var msg32255 = msg("30176", dup321); + +var msg32256 = msg("30177", dup321); + +var msg32257 = msg("30178", dup321); + +var msg32258 = msg("30179", dup321); + +var msg32259 = msg("30180", dup321); + +var msg32260 = msg("30181", dup321); + +var msg32261 = msg("30182", dup321); + +var msg32262 = msg("30183", dup321); + +var msg32263 = msg("30184", dup321); + +var msg32264 = msg("30185", dup321); + +var msg32265 = msg("30186", dup321); + +var msg32266 = msg("30187", dup321); + +var msg32267 = msg("30188", dup321); + +var msg32268 = msg("30189", dup321); + +var msg32269 = msg("30190", dup321); + +var msg32270 = msg("30191", dup321); + +var msg32271 = msg("30192", dup321); + +var msg32272 = msg("30193", dup321); + +var msg32273 = msg("30194", dup311); + +var msg32274 = msg("30195", dup314); + +var msg32275 = msg("30196", dup321); + +var msg32276 = msg("30197", dup321); + +var msg32277 = msg("30198", dup321); + +var msg32278 = msg("30199", dup324); + +var msg32279 = msg("30200", dup324); + +var msg32280 = msg("30201", dup325); + +var msg32281 = msg("30202", dup309); + +var msg32282 = msg("30203", dup321); + +var msg32283 = msg("30204", dup321); + +var msg32284 = msg("30205", dup309); + +var msg32285 = msg("30206", dup309); + +var msg32286 = msg("30207", dup309); + +var msg32287 = msg("30208", dup321); + +var msg32288 = msg("30209", dup324); + +var msg32289 = msg("30210", dup325); + +var msg32290 = msg("30211", dup321); + +var msg32291 = msg("30212", dup309); + +var msg32292 = msg("30213", dup309); + +var msg32293 = msg("30214", dup321); + +var msg32294 = msg("30215", dup309); + +var msg32295 = msg("30216", dup321); + +var msg32296 = msg("30217", dup311); + +var msg32297 = msg("30218", dup311); + +var msg32298 = msg("30219", dup311); + +var msg32299 = msg("30220", dup311); + +var msg32300 = msg("30221", dup316); + +var msg32301 = msg("30222", dup316); + +var msg32302 = msg("30223", dup316); + +var msg32303 = msg("30224", dup316); + +var msg32304 = msg("30225", dup316); + +var msg32305 = msg("30226", dup316); + +var msg32306 = msg("30227", dup316); + +var msg32307 = msg("30228", dup316); + +var msg32308 = msg("30229", dup316); + +var msg32309 = msg("30230", dup311); + +var msg32310 = msg("30231", dup321); + +var msg32311 = msg("30232", dup311); + +var msg32312 = msg("30233", dup311); + +var msg32313 = msg("30234", dup321); + +var msg32314 = msg("30235", dup321); + +var msg32315 = msg("30236", dup311); + +var msg32316 = msg("30237", dup321); + +var msg32317 = msg("30238", dup321); + +var msg32318 = msg("30239", dup321); + +var msg32319 = msg("30240", dup324); + +var msg32320 = msg("30241", dup324); + +var msg32321 = msg("30242", dup309); + +var msg32322 = msg("30243", dup309); + +var msg32323 = msg("30244", dup338); + +var msg32324 = msg("30245", dup309); + +var msg32325 = msg("30246", dup309); + +var msg32326 = msg("30247", dup338); + +var msg32327 = msg("30248", dup338); + +var msg32328 = msg("30249", dup314); + +var msg32329 = msg("30250", dup325); + +var msg32330 = msg("30251", dup321); + +var msg32331 = msg("30252", dup314); + +var msg32332 = msg("30253", dup314); + +var msg32333 = msg("30254", dup314); + +var msg32334 = msg("30255", dup310); + +var msg32335 = msg("30256", dup310); + +var msg32336 = msg("30257", dup325); + +var msg32337 = msg("30258", dup321); + +var msg32338 = msg("30259", dup321); + +var msg32339 = msg("30260", dup321); + +var msg32340 = msg("30261", dup321); + +var msg32341 = msg("30262", dup321); + +var msg32342 = msg("30263", dup314); + +var msg32343 = msg("30264", dup314); + +var msg32344 = msg("30265", dup314); + +var msg32345 = msg("30266", dup314); + +var msg32346 = msg("30267", dup314); + +var msg32347 = msg("30268", dup314); + +var msg32348 = msg("30269", dup321); + +var msg32349 = msg("30270", dup321); + +var msg32350 = msg("30271", dup321); + +var msg32351 = msg("30272", dup321); + +var msg32352 = msg("30273", dup321); + +var msg32353 = msg("30274", dup311); + +var msg32354 = msg("30275", dup321); + +var msg32355 = msg("30276", dup321); + +var msg32356 = msg("30277", dup321); + +var msg32357 = msg("30278", dup321); + +var msg32358 = msg("30279", dup321); + +var msg32359 = msg("30280", dup311); + +var msg32360 = msg("30281", dup311); + +var msg32361 = msg("30282", dup323); + +var msg32362 = msg("30283", dup323); + +var msg32363 = msg("30284", dup321); + +var msg32364 = msg("30285", dup321); + +var msg32365 = msg("30286", dup321); + +var msg32366 = msg("30287", dup307); + +var msg32367 = msg("30288", dup321); + +var msg32368 = msg("30289", dup325); + +var msg32369 = msg("30290", dup325); + +var msg32370 = msg("30291", dup309); + +var msg32371 = msg("30292", dup309); + +var msg32372 = msg("30293", dup309); + +var msg32373 = msg("30294", dup322); + +var msg32374 = msg("30295", dup322); + +var msg32375 = msg("30296", dup322); + +var msg32376 = msg("30297", dup314); + +var msg32377 = msg("30298", dup321); + +var msg32378 = msg("30299", dup321); + +var msg32379 = msg("30300", dup321); + +var msg32380 = msg("30301", dup325); + +var msg32381 = msg("30302", dup321); + +var msg32382 = msg("30303", dup321); + +var msg32383 = msg("30304", dup321); + +var msg32384 = msg("30305", dup311); + +var msg32385 = msg("30306", dup311); + +var msg32386 = msg("30307", dup314); + +var msg32387 = msg("30308", dup325); + +var msg32388 = msg("30309", dup325); + +var msg32389 = msg("30310", dup321); + +var msg32390 = msg("30311", dup321); + +var msg32391 = msg("30312", dup311); + +var msg32392 = msg("30313", dup311); + +var msg32393 = msg("30314", dup325); + +var msg32394 = msg("30315", dup325); + +var msg32395 = msg("30316", dup311); + +var msg32396 = msg("30317", dup311); + +var msg32397 = msg("30318", dup311); + +var msg32398 = msg("30319", dup311); + +var msg32399 = msg("30320", dup321); + +var msg32400 = msg("30321", dup321); + +var msg32401 = msg("30322", dup321); + +var msg32402 = msg("30323", dup321); + +var msg32403 = msg("30324", dup311); + +var msg32404 = msg("30325", dup311); + +var msg32405 = msg("30326", dup324); + +var msg32406 = msg("30327", dup325); + +var msg32407 = msg("30328", dup325); + +var msg32408 = msg("30329", dup314); + +var msg32409 = msg("30330", dup314); + +var msg32410 = msg("30331", dup325); + +var msg32411 = msg("30332", dup321); + +var msg32412 = msg("30333", dup321); + +var msg32413 = msg("30334", dup321); + +var msg32414 = msg("30335", dup321); + +var msg32415 = msg("30336", dup321); + +var msg32416 = msg("30337", dup324); + +var msg32417 = msg("30338", dup309); + +var all58 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup96, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg32418 = msg("30339", all58); + +var msg32419 = msg("30340", dup324); + +var msg32420 = msg("30341", dup309); + +var msg32421 = msg("30342", dup310); + +var msg32422 = msg("30343", dup322); + +var msg32423 = msg("30344", dup325); + +var msg32424 = msg("30345", dup325); + +var msg32425 = msg("30347", dup309); + +var msg32426 = msg("30348", dup309); + +var msg32427 = msg("30349", dup309); + +var msg32428 = msg("30350", dup316); + +var msg32429 = msg("30351", dup316); + +var msg32430 = msg("30352", dup316); + +var msg32431 = msg("30353", dup316); + +var msg32432 = msg("30354", dup316); + +var msg32433 = msg("30355", dup316); + +var msg32434 = msg("30356", dup316); + +var msg32435 = msg("30357", dup316); + +var msg32436 = msg("30358", dup316); + +var msg32437 = msg("30359", dup316); + +var msg32438 = msg("30360", dup316); + +var msg32439 = msg("30361", dup316); + +var msg32440 = msg("30362", dup316); + +var msg32441 = msg("30363", dup316); + +var msg32442 = msg("30364", dup316); + +var msg32443 = msg("30365", dup316); + +var msg32444 = msg("30366", dup316); + +var msg32445 = msg("30367", dup316); + +var msg32446 = msg("30368", dup316); + +var msg32447 = msg("30369", dup316); + +var msg32448 = msg("30370", dup316); + +var msg32449 = msg("30371", dup316); + +var msg32450 = msg("30372", dup316); + +var msg32451 = msg("30373", dup316); + +var msg32452 = msg("30374", dup316); + +var msg32453 = msg("30375", dup316); + +var msg32454 = msg("30376", dup316); + +var msg32455 = msg("30377", dup316); + +var msg32456 = msg("30378", dup316); + +var msg32457 = msg("30379", dup316); + +var msg32458 = msg("30380", dup316); + +var msg32459 = msg("30381", dup316); + +var msg32460 = msg("30382", dup316); + +var msg32461 = msg("30383", dup316); + +var msg32462 = msg("30384", dup316); + +var msg32463 = msg("30385", dup316); + +var msg32464 = msg("30386", dup316); + +var msg32465 = msg("30387", dup316); + +var msg32466 = msg("30388", dup316); + +var msg32467 = msg("30389", dup316); + +var msg32468 = msg("30390", dup316); + +var msg32469 = msg("30391", dup316); + +var msg32470 = msg("30392", dup316); + +var msg32471 = msg("30393", dup316); + +var msg32472 = msg("30394", dup316); + +var msg32473 = msg("30395", dup316); + +var msg32474 = msg("30396", dup316); + +var msg32475 = msg("30397", dup316); + +var msg32476 = msg("30398", dup316); + +var msg32477 = msg("30399", dup316); + +var msg32478 = msg("30400", dup316); + +var msg32479 = msg("30401", dup316); + +var msg32480 = msg("30402", dup316); + +var msg32481 = msg("30403", dup316); + +var msg32482 = msg("30404", dup316); + +var msg32483 = msg("30405", dup316); + +var msg32484 = msg("30406", dup316); + +var msg32485 = msg("30407", dup316); + +var msg32486 = msg("30408", dup316); + +var msg32487 = msg("30409", dup316); + +var msg32488 = msg("30410", dup316); + +var msg32489 = msg("30411", dup316); + +var msg32490 = msg("30412", dup316); + +var msg32491 = msg("30413", dup316); + +var msg32492 = msg("30414", dup316); + +var msg32493 = msg("30415", dup316); + +var msg32494 = msg("30416", dup316); + +var msg32495 = msg("30417", dup316); + +var msg32496 = msg("30418", dup316); + +var msg32497 = msg("30419", dup316); + +var msg32498 = msg("30420", dup316); + +var msg32499 = msg("30421", dup316); + +var msg32500 = msg("30422", dup316); + +var msg32501 = msg("30423", dup316); + +var msg32502 = msg("30424", dup316); + +var msg32503 = msg("30425", dup316); + +var msg32504 = msg("30426", dup316); + +var msg32505 = msg("30427", dup316); + +var msg32506 = msg("30428", dup316); + +var msg32507 = msg("30429", dup316); + +var msg32508 = msg("30430", dup316); + +var msg32509 = msg("30431", dup316); + +var msg32510 = msg("30432", dup316); + +var msg32511 = msg("30433", dup316); + +var msg32512 = msg("30434", dup316); + +var msg32513 = msg("30435", dup316); + +var msg32514 = msg("30436", dup316); + +var msg32515 = msg("30437", dup316); + +var msg32516 = msg("30438", dup316); + +var msg32517 = msg("30439", dup316); + +var msg32518 = msg("30440", dup316); + +var msg32519 = msg("30441", dup316); + +var msg32520 = msg("30442", dup316); + +var msg32521 = msg("30443", dup316); + +var msg32522 = msg("30444", dup316); + +var msg32523 = msg("30445", dup316); + +var msg32524 = msg("30446", dup316); + +var msg32525 = msg("30447", dup316); + +var msg32526 = msg("30448", dup316); + +var msg32527 = msg("30449", dup316); + +var msg32528 = msg("30450", dup316); + +var msg32529 = msg("30451", dup316); + +var msg32530 = msg("30452", dup316); + +var msg32531 = msg("30453", dup316); + +var msg32532 = msg("30454", dup316); + +var msg32533 = msg("30455", dup316); + +var msg32534 = msg("30456", dup316); + +var msg32535 = msg("30457", dup316); + +var msg32536 = msg("30458", dup316); + +var msg32537 = msg("30459", dup316); + +var msg32538 = msg("30460", dup316); + +var msg32539 = msg("30461", dup316); + +var msg32540 = msg("30462", dup316); + +var msg32541 = msg("30463", dup316); + +var msg32542 = msg("30464", dup316); + +var msg32543 = msg("30465", dup316); + +var msg32544 = msg("30466", dup316); + +var msg32545 = msg("30467", dup316); + +var msg32546 = msg("30468", dup316); + +var msg32547 = msg("30469", dup316); + +var msg32548 = msg("30470", dup316); + +var msg32549 = msg("30471", dup316); + +var msg32550 = msg("30472", dup316); + +var msg32551 = msg("30473", dup316); + +var msg32552 = msg("30474", dup316); + +var msg32553 = msg("30475", dup316); + +var msg32554 = msg("30476", dup316); + +var msg32555 = msg("30477", dup316); + +var msg32556 = msg("30478", dup316); + +var msg32557 = msg("30479", dup316); + +var msg32558 = msg("30480", dup316); + +var msg32559 = msg("30481", dup321); + +var msg32560 = msg("30482", dup321); + +var msg32561 = msg("30483", dup321); + +var msg32562 = msg("30484", dup321); + +var msg32563 = msg("30485", dup314); + +var msg32564 = msg("30486", dup314); + +var msg32565 = msg("30487", dup309); + +var msg32566 = msg("30488", dup309); + +var msg32567 = msg("30489", dup309); + +var msg32568 = msg("30490", dup311); + +var msg32569 = msg("30491", dup311); + +var msg32570 = msg("30492", dup321); + +var msg32571 = msg("30493", dup321); + +var msg32572 = msg("30494", dup321); + +var msg32573 = msg("30495", dup321); + +var msg32574 = msg("30496", dup321); + +var msg32575 = msg("30497", dup325); + +var msg32576 = msg("30498", dup325); + +var msg32577 = msg("30499", dup311); + +var msg32578 = msg("30500", dup311); + +var msg32579 = msg("30501", dup325); + +var msg32580 = msg("30502", dup325); + +var msg32581 = msg("30503", dup325); + +var msg32582 = msg("30504", dup325); + +var msg32583 = msg("30505", dup325); + +var msg32584 = msg("30506", dup325); + +var msg32585 = msg("30507", dup309); + +var msg32586 = msg("30508", dup325); + +var msg32587 = msg("30509", dup325); + +var msg32588 = msg("30510", dup316); + +var msg32589 = msg("30511", dup316); + +var msg32590 = msg("30512", dup316); + +var msg32591 = msg("30513", dup316); + +var msg32592 = msg("30514", dup316); + +var msg32593 = msg("30515", dup316); + +var msg32594 = msg("30516", dup316); + +var msg32595 = msg("30517", dup316); + +var msg32596 = msg("30518", dup325); + +var msg32597 = msg("30519", dup321); + +var msg32598 = msg("30520", dup309); + +var msg32599 = msg("30521", dup309); + +var msg32600 = msg("30522", dup309); + +var msg32601 = msg("30523", dup309); + +var all59 = all_match({ + processors: [ + dup66, + dup179, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup63, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg32602 = msg("30524", all59); + +var msg32603 = msg("30525", dup309); + +var msg32604 = msg("30526", dup311); + +var msg32605 = msg("30527", dup311); + +var msg32606 = msg("30528", dup323); + +var msg32607 = msg("30529", dup323); + +var msg32608 = msg("30530", dup309); + +var msg32609 = msg("30531", dup309); + +var msg32610 = msg("30532", dup314); + +var msg32611 = msg("30533", dup309); + +var msg32612 = msg("30534", dup309); + +var msg32613 = msg("30535", dup314); + +var msg32614 = msg("30536", dup314); + +var msg32615 = msg("30537", dup314); + +var msg32616 = msg("30538", dup314); + +var msg32617 = msg("30539", dup314); + +var msg32618 = msg("30540", dup314); + +var msg32619 = msg("30541", dup321); + +var msg32620 = msg("30542", dup321); + +var msg32621 = msg("30543", dup321); + +var msg32622 = msg("30544", dup321); + +var msg32623 = msg("30545", dup321); + +var msg32624 = msg("30546", dup321); + +var msg32625 = msg("30547", dup321); + +var msg32626 = msg("30548", dup321); + +var msg32627 = msg("30549", dup311); + +var msg32628 = msg("30550", dup321); + +var msg32629 = msg("30551", dup325); + +var msg32630 = msg("30552", dup325); + +var msg32631 = msg("30553", dup314); + +var msg32632 = msg("30554", dup314); + +var msg32633 = msg("30555", dup314); + +var msg32634 = msg("30556", dup314); + +var msg32635 = msg("30562", dup309); + +var msg32636 = msg("30566", dup321); + +var msg32637 = msg("30570", dup321); + +var msg32638 = msg("30711", dup309); + +var msg32639 = msg("30712", dup309); + +var msg32640 = msg("30713", dup309); + +var msg32641 = msg("30714", dup309); + +var msg32642 = msg("30715", dup309); + +var msg32643 = msg("30716", dup309); + +var msg32644 = msg("30717", dup309); + +var msg32645 = msg("30718", dup309); + +var msg32646 = msg("30719", dup314); + +var msg32647 = msg("30720", dup314); + +var msg32648 = msg("30721", dup314); + +var msg32649 = msg("30722", dup314); + +var msg32650 = msg("30723", dup314); + +var msg32651 = msg("30724", dup314); + +var msg32652 = msg("30725", dup314); + +var msg32653 = msg("30726", dup314); + +var msg32654 = msg("30727", dup309); + +var msg32655 = msg("30728", dup309); + +var msg32656 = msg("30729", dup309); + +var msg32657 = msg("30730", dup309); + +var msg32658 = msg("30731", dup309); + +var msg32659 = msg("30732", dup309); + +var msg32660 = msg("30733", dup309); + +var msg32661 = msg("30734", dup309); + +var msg32662 = msg("30735", dup314); + +var msg32663 = msg("30736", dup314); + +var msg32664 = msg("30737", dup314); + +var msg32665 = msg("30738", dup314); + +var msg32666 = msg("30739", dup314); + +var msg32667 = msg("30740", dup314); + +var msg32668 = msg("30741", dup314); + +var msg32669 = msg("30742", dup314); + +var msg32670 = msg("30743", dup321); + +var msg32671 = msg("30744", dup321); + +var msg32672 = msg("30745", dup321); + +var msg32673 = msg("30746", dup321); + +var msg32674 = msg("30747", dup321); + +var msg32675 = msg("30748", dup321); + +var msg32676 = msg("30749", dup321); + +var msg32677 = msg("30750", dup321); + +var msg32678 = msg("30751", dup321); + +var msg32679 = msg("30752", dup321); + +var msg32680 = msg("30753", dup321); + +var msg32681 = msg("30754", dup311); + +var msg32682 = msg("30755", dup311); + +var msg32683 = msg("30756", dup314); + +var msg32684 = msg("30757", dup314); + +var msg32685 = msg("30758", dup314); + +var msg32686 = msg("30759", dup314); + +var msg32687 = msg("30760", dup314); + +var msg32688 = msg("30761", dup309); + +var msg32689 = msg("30762", dup309); + +var msg32690 = msg("30763", dup309); + +var msg32691 = msg("30764", dup309); + +var msg32692 = msg("30765", dup314); + +var msg32693 = msg("30766", dup311); + +var msg32694 = msg("30767", dup311); + +var msg32695 = msg("30768", dup311); + +var msg32696 = msg("30777", dup314); + +var msg32697 = msg("30778", dup314); + +var msg32698 = msg("30779", dup314); + +var msg32699 = msg("30780", dup314); + +var msg32700 = msg("30781", dup314); + +var msg32701 = msg("30782", dup314); + +var msg32702 = msg("30783", dup314); + +var msg32703 = msg("30784", dup314); + +var msg32704 = msg("30785", dup314); + +var msg32705 = msg("30786", dup314); + +var msg32706 = msg("30787", dup314); + +var msg32707 = msg("30788", dup314); + +var msg32708 = msg("30789", dup311); + +var msg32709 = msg("30790", dup314); + +var msg32710 = msg("30791", dup314); + +var msg32711 = msg("30792", dup314); + +var msg32712 = msg("30793", dup314); + +var msg32713 = msg("30794", dup325); + +var msg32714 = msg("30795", dup321); + +var msg32715 = msg("30796", dup321); + +var msg32716 = msg("30797", dup309); + +var msg32717 = msg("30798", dup309); + +var msg32718 = msg("30799", dup309); + +var msg32719 = msg("30800", dup309); + +var msg32720 = msg("30801", dup309); + +var msg32721 = msg("30802", dup309); + +var msg32722 = msg("30803", dup325); + +var msg32723 = msg("30804", dup321); + +var msg32724 = msg("30805", dup321); + +var msg32725 = msg("30806", dup321); + +var msg32726 = msg("30807", dup321); + +var msg32727 = msg("30808", dup321); + +var msg32728 = msg("30809", dup321); + +var msg32729 = msg("30810", dup321); + +var msg32730 = msg("30811", dup321); + +var msg32731 = msg("30812", dup321); + +var msg32732 = msg("30813", dup321); + +var msg32733 = msg("30814", dup321); + +var msg32734 = msg("30815", dup321); + +var msg32735 = msg("30816", dup314); + +var msg32736 = msg("30817", dup314); + +var msg32737 = msg("30818", dup314); + +var msg32738 = msg("30819", dup314); + +var msg32739 = msg("30820", dup314); + +var msg32740 = msg("30821", dup314); + +var msg32741 = msg("30822", dup314); + +var msg32742 = msg("30823", dup314); + +var msg32743 = msg("30824", dup321); + +var msg32744 = msg("30825", dup321); + +var msg32745 = msg("30826", dup321); + +var msg32746 = msg("30827", dup321); + +var msg32747 = msg("30828", dup321); + +var msg32748 = msg("30829", dup321); + +var msg32749 = msg("30830", dup321); + +var msg32750 = msg("30831", dup321); + +var msg32751 = msg("30832", dup321); + +var msg32752 = msg("30833", dup321); + +var msg32753 = msg("30834", dup321); + +var msg32754 = msg("30835", dup321); + +var msg32755 = msg("30836", dup321); + +var msg32756 = msg("30837", dup321); + +var msg32757 = msg("30838", dup321); + +var msg32758 = msg("30839", dup321); + +var msg32759 = msg("30840", dup321); + +var msg32760 = msg("30841", dup321); + +var msg32761 = msg("30842", dup321); + +var msg32762 = msg("30843", dup311); + +var msg32763 = msg("30844", dup311); + +var msg32764 = msg("30845", dup307); + +var msg32765 = msg("30846", dup307); + +var msg32766 = msg("30847", dup325); + +var msg32767 = msg("30848", dup325); + +var msg32768 = msg("30849", dup325); + +var msg32769 = msg("30850", dup325); + +var msg32770 = msg("30851", dup325); + +var msg32771 = msg("30852", dup311); + +var msg32772 = msg("30853", dup329); + +var msg32773 = msg("30854", dup329); + +var msg32774 = msg("30855", dup329); + +var msg32775 = msg("30856", dup329); + +var msg32776 = msg("30857", dup329); + +var msg32777 = msg("30858", dup329); + +var msg32778 = msg("30859", dup329); + +var msg32779 = msg("30860", dup329); + +var msg32780 = msg("30861", dup329); + +var msg32781 = msg("30862", dup329); + +var msg32782 = msg("30863", dup329); + +var msg32783 = msg("30864", dup329); + +var msg32784 = msg("30865", dup329); + +var msg32785 = msg("30866", dup329); + +var msg32786 = msg("30867", dup329); + +var msg32787 = msg("30868", dup329); + +var msg32788 = msg("30869", dup329); + +var msg32789 = msg("30870", dup329); + +var msg32790 = msg("30871", dup329); + +var msg32791 = msg("30872", dup329); + +var msg32792 = msg("30873", dup329); + +var msg32793 = msg("30874", dup329); + +var msg32794 = msg("30875", dup329); + +var msg32795 = msg("30876", dup309); + +var msg32796 = msg("30877", dup309); + +var msg32797 = msg("30878", dup311); + +var msg32798 = msg("30879", dup321); + +var msg32799 = msg("30880", dup200); + +var msg32800 = msg("30881", dup329); + +var msg32801 = msg("30882", dup321); + +var msg32802 = msg("30883", dup321); + +var msg32803 = msg("30884", dup324); + +var msg32804 = msg("30885", dup307); + +var msg32805 = msg("30886", dup307); + +var msg32806 = msg("30887", dup316); + +var msg32807 = msg("30888", dup316); + +var msg32808 = msg("30889", dup309); + +var msg32809 = msg("30890", dup309); + +var msg32810 = msg("30891", dup321); + +var msg32811 = msg("30892", dup325); + +var msg32812 = msg("30893", dup325); + +var msg32813 = msg("30894", dup325); + +var msg32814 = msg("30895", dup325); + +var msg32815 = msg("30896", dup321); + +var msg32816 = msg("30897", dup321); + +var msg32817 = msg("30898", dup314); + +var msg32818 = msg("30899", dup321); + +var msg32819 = msg("30900", dup321); + +var msg32820 = msg("30901", dup325); + +var msg32821 = msg("30902", dup311); + +var msg32822 = msg("30903", dup311); + +var msg32823 = msg("30904", dup311); + +var msg32824 = msg("30905", dup311); + +var msg32825 = msg("30906", dup311); + +var msg32826 = msg("30907", dup311); + +var msg32827 = msg("30908", dup311); + +var msg32828 = msg("30909", dup311); + +var msg32829 = msg("30910", dup314); + +var msg32830 = msg("30911", dup314); + +var msg32831 = msg("30912", dup311); + +var msg32832 = msg("30913", dup311); + +var msg32833 = msg("30914", dup321); + +var msg32834 = msg("30915", dup321); + +var msg32835 = msg("30916", dup333); + +var msg32836 = msg("30917", dup321); + +var msg32837 = msg("30918", dup325); + +var msg32838 = msg("30919", dup321); + +var msg32839 = msg("30920", dup307); + +var msg32840 = msg("30921", dup311); + +var msg32841 = msg("30922", dup311); + +var msg32842 = msg("30923", dup321); + +var msg32843 = msg("30924", dup321); + +var msg32844 = msg("30925", dup321); + +var msg32845 = msg("30926", dup321); + +var msg32846 = msg("30927", dup321); + +var msg32847 = msg("30928", dup314); + +var msg32848 = msg("30929", dup310); + +var msg32849 = msg("30930", dup321); + +var msg32850 = msg("30931", dup310); + +var msg32851 = msg("30932", dup311); + +var msg32852 = msg("30933", dup311); + +var msg32853 = msg("30934", dup311); + +var msg32854 = msg("30935", dup311); + +var msg32855 = msg("30936", dup311); + +var msg32856 = msg("30937", dup311); + +var msg32857 = msg("30938", dup321); + +var msg32858 = msg("30939", dup311); + +var msg32859 = msg("30940", dup311); + +var msg32860 = msg("30941", dup309); + +var msg32861 = msg("30942", dup311); + +var msg32862 = msg("30943", dup311); + +var msg32863 = msg("30944", dup314); + +var msg32864 = msg("30945", dup333); + +var msg32865 = msg("30946", dup321); + +var msg32866 = msg("30947", dup321); + +var msg32867 = msg("30948", dup321); + +var msg32868 = msg("30949", dup321); + +var msg32869 = msg("30950", dup311); + +var msg32870 = msg("30951", dup314); + +var msg32871 = msg("30952", dup321); + +var msg32872 = msg("30953", dup321); + +var msg32873 = msg("30954", dup321); + +var msg32874 = msg("30955", dup321); + +var msg32875 = msg("30956", dup311); + +var msg32876 = msg("30957", dup311); + +var msg32877 = msg("30958", dup311); + +var msg32878 = msg("30959", dup311); + +var msg32879 = msg("30960", dup311); + +var msg32880 = msg("30961", dup325); + +var msg32881 = msg("30962", dup325); + +var msg32882 = msg("30963", dup325); + +var msg32883 = msg("30964", dup325); + +var msg32884 = msg("30965", dup311); + +var msg32885 = msg("30966", dup311); + +var msg32886 = msg("30967", dup311); + +var msg32887 = msg("30968", dup311); + +var msg32888 = msg("30969", dup311); + +var msg32889 = msg("30970", dup311); + +var msg32890 = msg("30971", dup311); + +var msg32891 = msg("30972", dup311); + +var msg32892 = msg("30973", dup311); + +var msg32893 = msg("30974", dup307); + +var msg32894 = msg("30975", dup311); + +var msg32895 = msg("30976", dup311); + +var msg32896 = msg("30977", dup321); + +var msg32897 = msg("30978", dup321); + +var msg32898 = msg("30979", dup321); + +var msg32899 = msg("30980", dup321); + +var msg32900 = msg("30981", dup321); + +var msg32901 = msg("30982", dup321); + +var msg32902 = msg("30983", dup321); + +var msg32903 = msg("30984", dup321); + +var msg32904 = msg("30985", dup321); + +var msg32905 = msg("30986", dup321); + +var msg32906 = msg("30987", dup321); + +var msg32907 = msg("30988", dup321); + +var msg32908 = msg("30989", dup321); + +var msg32909 = msg("30990", dup311); + +var msg32910 = msg("30991", dup311); + +var msg32911 = msg("30992", dup314); + +var msg32912 = msg("30993", dup314); + +var msg32913 = msg("30994", dup314); + +var msg32914 = msg("30995", dup314); + +var msg32915 = msg("30996", dup314); + +var msg32916 = msg("30997", dup321); + +var msg32917 = msg("30998", dup321); + +var msg32918 = msg("30999", dup321); + +var msg32919 = msg("31000", dup321); + +var msg32920 = msg("31001", dup321); + +var msg32921 = msg("31002", dup321); + +var msg32922 = msg("31003", dup321); + +var msg32923 = msg("31004", dup321); + +var msg32924 = msg("31005", dup321); + +var msg32925 = msg("31006", dup321); + +var msg32926 = msg("31007", dup323); + +var msg32927 = msg("31008", dup309); + +var msg32928 = msg("31009", dup309); + +var msg32929 = msg("31010", dup321); + +var msg32930 = msg("31011", dup314); + +var msg32931 = msg("31012", dup314); + +var msg32932 = msg("31013", dup314); + +var msg32933 = msg("31014", dup321); + +var msg32934 = msg("31015", dup309); + +var msg32935 = msg("31016", dup309); + +var msg32936 = msg("31017", dup325); + +var msg32937 = msg("31018", dup325); + +var msg32938 = msg("31019", dup321); + +var msg32939 = msg("31020", dup321); + +var msg32940 = msg("31021", dup311); + +var msg32941 = msg("31022", dup311); + +var msg32942 = msg("31023", dup311); + +var msg32943 = msg("31024", dup311); + +var msg32944 = msg("31025", dup311); + +var msg32945 = msg("31026", dup311); + +var msg32946 = msg("31027", dup309); + +var msg32947 = msg("31028", dup309); + +var msg32948 = msg("31029", dup309); + +var msg32949 = msg("31030", dup309); + +var msg32950 = msg("31031", dup309); + +var msg32951 = msg("31032", dup309); + +var msg32952 = msg("31033", dup321); + +var msg32953 = msg("31034", dup321); + +var msg32954 = msg("31035", dup321); + +var msg32955 = msg("31036", dup321); + +var msg32956 = msg("31037", dup309); + +var msg32957 = msg("31038", dup309); + +var msg32958 = msg("31039", dup309); + +var msg32959 = msg("31040", dup309); + +var msg32960 = msg("31041", dup309); + +var msg32961 = msg("31042", dup321); + +var msg32962 = msg("31043", dup314); + +var msg32963 = msg("31044", dup314); + +var msg32964 = msg("31045", dup330); + +var msg32965 = msg("31046", dup311); + +var msg32966 = msg("31048", dup321); + +var msg32967 = msg("31049", dup321); + +var msg32968 = msg("31050", dup321); + +var msg32969 = msg("31051", dup321); + +var msg32970 = msg("31052", dup321); + +var msg32971 = msg("31053", dup321); + +var msg32972 = msg("31054", dup321); + +var msg32973 = msg("31055", dup321); + +var msg32974 = msg("31056", dup315); + +var msg32975 = msg("31057", dup315); + +var msg32976 = msg("31058", dup315); + +var msg32977 = msg("31059", dup315); + +var msg32978 = msg("31060", dup325); + +var msg32979 = msg("31061", dup325); + +var msg32980 = msg("31062", dup325); + +var msg32981 = msg("31063", dup333); + +var msg32982 = msg("31064", dup321); + +var msg32983 = msg("31065", dup321); + +var msg32984 = msg("31066", dup321); + +var msg32985 = msg("31067", dup322); + +var msg32986 = msg("31068", dup307); + +var msg32987 = msg("31069", dup307); + +var msg32988 = msg("31070", dup321); + +var msg32989 = msg("31071", dup335); + +var msg32990 = msg("31072", dup321); + +var msg32991 = msg("31073", dup321); + +var msg32992 = msg("31074", dup321); + +var msg32993 = msg("31075", dup325); + +var msg32994 = msg("31076", dup314); + +var msg32995 = msg("31077", dup321); + +var msg32996 = msg("31078", dup321); + +var msg32997 = msg("31079", dup321); + +var msg32998 = msg("31080", dup321); + +var msg32999 = msg("31081", dup321); + +var msg33000 = msg("31082", dup323); + +var msg33001 = msg("31083", dup321); + +var msg33002 = msg("31084", dup321); + +var msg33003 = msg("31085", dup314); + +var msg33004 = msg("31086", dup314); + +var msg33005 = msg("31087", dup311); + +var msg33006 = msg("31088", dup311); + +var msg33007 = msg("31089", dup321); + +var msg33008 = msg("31090", dup325); + +var msg33009 = msg("31091", dup321); + +var msg33010 = msg("31092", dup311); + +var msg33011 = msg("31093", dup311); + +var msg33012 = msg("31094", dup311); + +var msg33013 = msg("31095", dup315); + +var msg33014 = msg("31096", dup315); + +var msg33015 = msg("31097", dup315); + +var msg33016 = msg("31098", dup315); + +var msg33017 = msg("31099", dup315); + +var msg33018 = msg("31100", dup315); + +var msg33019 = msg("31101", dup314); + +var msg33020 = msg("31102", dup321); + +var msg33021 = msg("31103", dup309); + +var msg33022 = msg("31104", dup309); + +var msg33023 = msg("31105", dup309); + +var msg33024 = msg("31106", dup309); + +var msg33025 = msg("31107", dup321); + +var msg33026 = msg("31108", dup321); + +var msg33027 = msg("31109", dup321); + +var msg33028 = msg("31110", dup321); + +var msg33029 = msg("31111", dup321); + +var msg33030 = msg("31112", dup321); + +var msg33031 = msg("31113", dup321); + +var msg33032 = msg("31114", dup321); + +var msg33033 = msg("31115", dup321); + +var msg33034 = msg("31116", dup321); + +var msg33035 = msg("31117", dup321); + +var msg33036 = msg("31118", dup321); + +var msg33037 = msg("31119", dup321); + +var msg33038 = msg("31120", dup321); + +var msg33039 = msg("31121", dup321); + +var msg33040 = msg("31122", dup325); + +var msg33041 = msg("31123", dup321); + +var msg33042 = msg("31124", dup321); + +var msg33043 = msg("31125", dup309); + +var msg33044 = msg("31126", dup309); + +var msg33045 = msg("31127", dup309); + +var msg33046 = msg("31128", dup333); + +var msg33047 = msg("31129", dup311); + +var msg33048 = msg("31130", dup311); + +var msg33049 = msg("31131", dup321); + +var msg33050 = msg("31132", dup321); + +var msg33051 = msg("31133", dup321); + +var msg33052 = msg("31134", dup321); + +var msg33053 = msg("31135", dup321); + +var msg33054 = msg("31136", dup321); + +var msg33055 = msg("31137", dup321); + +var msg33056 = msg("31138", dup321); + +var msg33057 = msg("31139", dup321); + +var msg33058 = msg("31140", dup321); + +var msg33059 = msg("31141", dup321); + +var msg33060 = msg("31142", dup321); + +var msg33061 = msg("31143", dup314); + +var msg33062 = msg("31144", dup321); + +var msg33063 = msg("31145", dup321); + +var msg33064 = msg("31146", dup321); + +var msg33065 = msg("31167", dup321); + +var msg33066 = msg("31176", dup309); + +var msg33067 = msg("31177", dup309); + +var msg33068 = msg("31178", dup309); + +var msg33069 = msg("31179", dup309); + +var msg33070 = msg("31180", dup324); + +var msg33071 = msg("31181", dup324); + +var msg33072 = msg("31182", dup309); + +var msg33073 = msg("31183", dup321); + +var msg33074 = msg("31184", dup321); + +var msg33075 = msg("31185", dup321); + +var msg33076 = msg("31186", dup321); + +var msg33077 = msg("31187", dup321); + +var msg33078 = msg("31188", dup309); + +var msg33079 = msg("31189", dup309); + +var msg33080 = msg("31190", dup325); + +var msg33081 = msg("31191", dup325); + +var msg33082 = msg("31192", dup325); + +var msg33083 = msg("31193", dup325); + +var msg33084 = msg("31194", dup325); + +var msg33085 = msg("31195", dup314); + +var msg33086 = msg("31196", dup325); + +var msg33087 = msg("31197", dup325); + +var msg33088 = msg("31198", dup325); + +var msg33089 = msg("31199", dup325); + +var msg33090 = msg("31200", dup325); + +var msg33091 = msg("31201", dup325); + +var msg33092 = msg("31202", dup325); + +var msg33093 = msg("31203", dup325); + +var msg33094 = msg("31204", dup325); + +var msg33095 = msg("31205", dup325); + +var msg33096 = msg("31206", dup325); + +var msg33097 = msg("31207", dup325); + +var msg33098 = msg("31208", dup325); + +var msg33099 = msg("31209", dup325); + +var msg33100 = msg("31210", dup309); + +var msg33101 = msg("31211", dup309); + +var msg33102 = msg("31212", dup310); + +var msg33103 = msg("31213", dup310); + +var msg33104 = msg("31214", dup321); + +var msg33105 = msg("31215", dup325); + +var msg33106 = msg("31216", dup325); + +var msg33107 = msg("31217", dup314); + +var msg33108 = msg("31218", dup321); + +var msg33109 = msg("31219", dup325); + +var msg33110 = msg("31220", dup325); + +var msg33111 = msg("31221", dup321); + +var msg33112 = msg("31222", dup321); + +var msg33113 = msg("31223", dup321); + +var msg33114 = msg("31224", dup321); + +var msg33115 = msg("31225", dup325); + +var msg33116 = msg("31226", dup321); + +var msg33117 = msg("31227", dup321); + +var msg33118 = msg("31228", dup321); + +var msg33119 = msg("31229", dup311); + +var msg33120 = msg("31230", dup311); + +var msg33121 = msg("31231", dup311); + +var msg33122 = msg("31232", dup311); + +var msg33123 = msg("31233", dup321); + +var msg33124 = msg("31234", dup321); + +var msg33125 = msg("31235", dup321); + +var msg33126 = msg("31236", dup321); + +var msg33127 = msg("31237", dup311); + +var msg33128 = msg("31238", dup311); + +var msg33129 = msg("31239", dup321); + +var msg33130 = msg("31240", dup324); + +var msg33131 = msg("31241", dup324); + +var msg33132 = msg("31242", dup321); + +var msg33133 = msg("31243", dup321); + +var msg33134 = msg("31244", dup321); + +var msg33135 = msg("31245", dup311); + +var msg33136 = msg("31246", dup311); + +var msg33137 = msg("31247", dup321); + +var msg33138 = msg("31248", dup321); + +var msg33139 = msg("31249", dup321); + +var msg33140 = msg("31250", dup321); + +var msg33141 = msg("31251", dup321); + +var msg33142 = msg("31252", dup321); + +var msg33143 = msg("31253", dup321); + +var msg33144 = msg("31254", dup321); + +var msg33145 = msg("31255", dup321); + +var msg33146 = msg("31256", dup321); + +var msg33147 = msg("31257", dup321); + +var msg33148 = msg("31258", dup321); + +var msg33149 = msg("31259", dup314); + +var msg33150 = msg("31260", dup310); + +var msg33151 = msg("31261", dup321); + +var msg33152 = msg("31262", dup321); + +var msg33153 = msg("31263", dup321); + +var msg33154 = msg("31264", dup321); + +var msg33155 = msg("31265", dup321); + +var msg33156 = msg("31266", dup321); + +var msg33157 = msg("31267", dup321); + +var msg33158 = msg("31268", dup321); + +var msg33159 = msg("31269", dup321); + +var msg33160 = msg("31270", dup321); + +var msg33161 = msg("31271", dup321); + +var msg33162 = msg("31272", dup321); + +var msg33163 = msg("31273", dup321); + +var msg33164 = msg("31274", dup311); + +var msg33165 = msg("31275", dup311); + +var msg33166 = msg("31276", dup311); + +var msg33167 = msg("31277", dup311); + +var msg33168 = msg("31278", dup311); + +var msg33169 = msg("31279", dup311); + +var msg33170 = msg("31280", dup311); + +var msg33171 = msg("31281", dup314); + +var msg33172 = msg("31282", dup314); + +var msg33173 = msg("31283", dup325); + +var msg33174 = msg("31284", dup325); + +var msg33175 = msg("31285", dup325); + +var msg33176 = msg("31286", dup325); + +var msg33177 = msg("31287", dup321); + +var msg33178 = msg("31288", dup321); + +var msg33179 = msg("31289", dup314); + +var msg33180 = msg("31290", dup321); + +var msg33181 = msg("31291", dup311); + +var msg33182 = msg("31292", dup311); + +var msg33183 = msg("31293", dup321); + +var msg33184 = msg("31294", dup321); + +var msg33185 = msg("31295", dup321); + +var msg33186 = msg("31296", dup325); + +var msg33187 = msg("31297", dup324); + +var msg33188 = msg("31298", dup311); + +var msg33189 = msg("31299", dup321); + +var msg33190 = msg("31300", dup322); + +var msg33191 = msg("31301", dup311); + +var msg33192 = msg("31302", dup314); + +var msg33193 = msg("31303", dup321); + +var msg33194 = msg("31304", dup314); + +var msg33195 = msg("31305", dup314); + +var msg33196 = msg("31306", dup321); + +var msg33197 = msg("31307", dup321); + +var msg33198 = msg("31308", dup311); + +var msg33199 = msg("31309", dup311); + +var msg33200 = msg("31310", dup309); + +var msg33201 = msg("31311", dup309); + +var msg33202 = msg("31312", dup309); + +var msg33203 = msg("31313", dup321); + +var msg33204 = msg("31314", dup321); + +var msg33205 = msg("31315", dup321); + +var msg33206 = msg("31316", dup321); + +var msg33207 = msg("31317", dup321); + +var msg33208 = msg("31318", dup321); + +var msg33209 = msg("31319", dup321); + +var msg33210 = msg("31320", dup307); + +var msg33211 = msg("31321", dup307); + +var msg33212 = msg("31322", dup307); + +var msg33213 = msg("31323", dup311); + +var msg33214 = msg("31324", dup311); + +var msg33215 = msg("31325", dup311); + +var msg33216 = msg("31326", dup321); + +var msg33217 = msg("31327", dup321); + +var msg33218 = msg("31328", dup321); + +var msg33219 = msg("31329", dup321); + +var msg33220 = msg("31330", dup316); + +var msg33221 = msg("31331", dup311); + +var msg33222 = msg("31332", dup311); + +var msg33223 = msg("31333", dup314); + +var msg33224 = msg("31334", dup314); + +var msg33225 = msg("31335", dup314); + +var msg33226 = msg("31336", dup314); + +var msg33227 = msg("31337", dup311); + +var msg33228 = msg("31338", dup309); + +var msg33229 = msg("31339", dup314); + +var msg33230 = msg("31340", dup314); + +var msg33231 = msg("31341", dup314); + +var msg33232 = msg("31342", dup314); + +var msg33233 = msg("31343", dup321); + +var msg33234 = msg("31344", dup321); + +var msg33235 = msg("31345", dup321); + +var msg33236 = msg("31346", dup321); + +var msg33237 = msg("31347", dup311); + +var msg33238 = msg("31348", dup311); + +var msg33239 = msg("31349", dup311); + +var msg33240 = msg("31350", dup311); + +var msg33241 = msg("31351", dup311); + +var msg33242 = msg("31352", dup311); + +var msg33243 = msg("31353", dup311); + +var msg33244 = msg("31354", dup311); + +var msg33245 = msg("31355", dup321); + +var msg33246 = msg("31356", dup311); + +var msg33247 = msg("31357", dup321); + +var msg33248 = msg("31358", dup321); + +var msg33249 = msg("31359", dup321); + +var msg33250 = msg("31360", dup311); + +var msg33251 = msg("31361", dup309); + +var msg33252 = msg("31362", dup311); + +var msg33253 = msg("31363", dup314); + +var msg33254 = msg("31364", dup323); + +var msg33255 = msg("31365", dup311); + +var msg33256 = msg("31366", dup314); + +var msg33257 = msg("31367", dup314); + +var msg33258 = msg("31368", dup311); + +var msg33259 = msg("31369", dup311); + +var msg33260 = msg("31370", dup311); + +var msg33261 = msg("31371", dup311); + +var msg33262 = msg("31372", dup311); + +var msg33263 = msg("31373", dup309); + +var msg33264 = msg("31374", dup309); + +var msg33265 = msg("31375", dup309); + +var msg33266 = msg("31376", dup314); + +var msg33267 = msg("31377", dup314); + +var msg33268 = msg("31378", dup309); + +var msg33269 = msg("31379", dup309); + +var msg33270 = msg("31380", dup311); + +var msg33271 = msg("31381", dup311); + +var msg33272 = msg("31382", dup325); + +var msg33273 = msg("31383", dup325); + +var msg33274 = msg("31384", dup325); + +var msg33275 = msg("31385", dup325); + +var msg33276 = msg("31386", dup325); + +var msg33277 = msg("31387", dup325); + +var msg33278 = msg("31388", dup311); + +var msg33279 = msg("31389", dup311); + +var msg33280 = msg("31390", dup325); + +var msg33281 = msg("31391", dup325); + +var msg33282 = msg("31392", dup311); + +var msg33283 = msg("31393", dup311); + +var msg33284 = msg("31394", dup311); + +var msg33285 = msg("31395", dup311); + +var msg33286 = msg("31396", dup311); + +var msg33287 = msg("31397", dup311); + +var msg33288 = msg("31398", dup311); + +var msg33289 = msg("31399", dup314); + +var msg33290 = msg("31400", dup314); + +var msg33291 = msg("31401", dup314); + +var msg33292 = msg("31402", dup311); + +var msg33293 = msg("31403", dup325); + +var msg33294 = msg("31404", dup325); + +var all60 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup92, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg33295 = msg("31405", all60); + +var msg33296 = msg("31406", dup324); + +var msg33297 = msg("31407", dup314); + +var msg33298 = msg("31408", dup314); + +var msg33299 = msg("31409", dup314); + +var msg33300 = msg("31410", dup314); + +var msg33301 = msg("31411", dup311); + +var msg33302 = msg("31412", dup311); + +var msg33303 = msg("31413", dup311); + +var msg33304 = msg("31414", dup311); + +var msg33305 = msg("31415", dup311); + +var msg33306 = msg("31416", dup311); + +var msg33307 = msg("31417", dup325); + +var msg33308 = msg("31418", dup321); + +var msg33309 = msg("31419", dup311); + +var msg33310 = msg("31420", dup309); + +var msg33311 = msg("31421", dup309); + +var msg33312 = msg("31422", dup325); + +var msg33313 = msg("31423", dup321); + +var msg33314 = msg("31424", dup321); + +var msg33315 = msg("31425", dup314); + +var msg33316 = msg("31426", dup322); + +var msg33317 = msg("31427", dup311); + +var msg33318 = msg("31428", dup311); + +var msg33319 = msg("31429", dup311); + +var msg33320 = msg("31433", dup321); + +var msg33321 = msg("31434", dup309); + +var msg33322 = msg("31435", dup309); + +var msg33323 = msg("31436", dup309); + +var msg33324 = msg("31437", dup309); + +var msg33325 = msg("31438", dup311); + +var msg33326 = msg("31439", dup309); + +var msg33327 = msg("31440", dup309); + +var msg33328 = msg("31441", dup309); + +var msg33329 = msg("31442", dup321); + +var msg33330 = msg("31443", dup309); + +var msg33331 = msg("31444", dup321); + +var msg33332 = msg("31445", dup321); + +var msg33333 = msg("31446", dup321); + +var msg33334 = msg("31447", dup321); + +var msg33335 = msg("31448", dup321); + +var msg33336 = msg("31449", dup321); + +var msg33337 = msg("31450", dup321); + +var msg33338 = msg("31451", dup311); + +var msg33339 = msg("31452", dup321); + +var msg33340 = msg("31453", dup321); + +var msg33341 = msg("31454", dup321); + +var msg33342 = msg("31455", dup311); + +var msg33343 = msg("31456", dup321); + +var msg33344 = msg("31457", dup321); + +var msg33345 = msg("31458", dup321); + +var msg33346 = msg("31459", dup321); + +var msg33347 = msg("31460", dup309); + +var msg33348 = msg("31461", dup309); + +var msg33349 = msg("31462", dup309); + +var msg33350 = msg("31463", dup321); + +var msg33351 = msg("31464", dup321); + +var msg33352 = msg("31465", dup321); + +var msg33353 = msg("31466", dup321); + +var msg33354 = msg("31467", dup321); + +var msg33355 = msg("31468", dup321); + +var msg33356 = msg("31469", dup325); + +var msg33357 = msg("31470", dup325); + +var msg33358 = msg("31471", dup325); + +var msg33359 = msg("31472", dup321); + +var msg33360 = msg("31473", dup309); + +var msg33361 = msg("31474", dup309); + +var msg33362 = msg("31475", dup309); + +var msg33363 = msg("31476", dup309); + +var msg33364 = msg("31477", dup307); + +var msg33365 = msg("31478", dup307); + +var msg33366 = msg("31479", dup307); + +var msg33367 = msg("31480", dup307); + +var msg33368 = msg("31481", dup307); + +var msg33369 = msg("31482", dup307); + +var msg33370 = msg("31483", dup307); + +var msg33371 = msg("31484", dup307); + +var msg33372 = msg("31485", dup325); + +var msg33373 = msg("31486", dup325); + +var msg33374 = msg("31487", dup311); + +var msg33375 = msg("31488", dup311); + +var msg33376 = msg("31489", dup314); + +var msg33377 = msg("31490", dup314); + +var msg33378 = msg("31491", dup314); + +var msg33379 = msg("31492", dup314); + +var msg33380 = msg("31493", dup314); + +var msg33381 = msg("31494", dup314); + +var msg33382 = msg("31495", dup325); + +var msg33383 = msg("31496", dup325); + +var msg33384 = msg("31497", dup314); + +var msg33385 = msg("31498", dup314); + +var msg33386 = msg("31499", dup314); + +var msg33387 = msg("31500", dup314); + +var msg33388 = msg("31501", dup314); + +var msg33389 = msg("31502", dup314); + +var msg33390 = msg("31503", dup314); + +var msg33391 = msg("31504", dup311); + +var msg33392 = msg("31505", dup316); + +var msg33393 = msg("31506", dup316); + +var msg33394 = msg("31507", dup321); + +var msg33395 = msg("31508", dup321); + +var msg33396 = msg("31509", dup321); + +var msg33397 = msg("31510", dup321); + +var msg33398 = msg("31511", dup311); + +var msg33399 = msg("31512", dup311); + +var msg33400 = msg("31513", dup323); + +var msg33401 = msg("31514", dup321); + +var msg33402 = msg("31515", dup321); + +var msg33403 = msg("31516", dup321); + +var msg33404 = msg("31517", dup321); + +var msg33405 = msg("31518", dup321); + +var msg33406 = msg("31519", dup309); + +var msg33407 = msg("31520", dup309); + +var msg33408 = msg("31521", dup309); + +var msg33409 = msg("31522", dup309); + +var msg33410 = msg("31523", dup309); + +var msg33411 = msg("31524", dup309); + +var msg33412 = msg("31525", dup314); + +var msg33413 = msg("31526", dup314); + +var msg33414 = msg("31527", dup321); + +var msg33415 = msg("31528", dup321); + +var msg33416 = msg("31529", dup307); + +var msg33417 = msg("31530", dup321); + +var msg33418 = msg("31531", dup314); + +var msg33419 = msg("31532", dup314); + +var msg33420 = msg("31533", dup325); + +var msg33421 = msg("31534", dup309); + +var msg33422 = msg("31535", dup309); + +var msg33423 = msg("31536", dup309); + +var msg33424 = msg("31537", dup309); + +var msg33425 = msg("31538", dup314); + +var msg33426 = msg("31539", dup314); + +var msg33427 = msg("31540", dup309); + +var msg33428 = msg("31541", dup309); + +var msg33429 = msg("31542", dup307); + +var msg33430 = msg("31543", dup325); + +var msg33431 = msg("31544", dup321); + +var msg33432 = msg("31545", dup321); + +var msg33433 = msg("31546", dup307); + +var msg33434 = msg("31547", dup321); + +var msg33435 = msg("31548", dup321); + +var msg33436 = msg("31549", dup314); + +var msg33437 = msg("31550", dup314); + +var msg33438 = msg("31551", dup314); + +var msg33439 = msg("31552", dup314); + +var msg33440 = msg("31553", dup314); + +var msg33441 = msg("31554", dup314); + +var msg33442 = msg("31555", dup311); + +var msg33443 = msg("31556", dup310); + +var msg33444 = msg("31557", dup325); + +var msg33445 = msg("31558", dup321); + +var msg33446 = msg("31559", dup321); + +var msg33447 = msg("31560", dup314); + +var msg33448 = msg("31561", dup314); + +var msg33449 = msg("31562", dup309); + +var msg33450 = msg("31563", dup321); + +var msg33451 = msg("31564", dup333); + +var msg33452 = msg("31565", dup314); + +var msg33453 = msg("31566", dup314); + +var msg33454 = msg("31567", dup316); + +var msg33455 = msg("31568", dup314); + +var msg33456 = msg("31569", dup311); + +var msg33457 = msg("31570", dup322); + +var msg33458 = msg("31571", dup309); + +var msg33459 = msg("31572", dup309); + +var msg33460 = msg("31573", dup309); + +var msg33461 = msg("31574", dup309); + +var msg33462 = msg("31575", dup309); + +var msg33463 = msg("31576", dup309); + +var msg33464 = msg("31577", dup315); + +var msg33465 = msg("31578", dup315); + +var msg33466 = msg("31579", dup309); + +var msg33467 = msg("31580", dup311); + +var msg33468 = msg("31581", dup311); + +var msg33469 = msg("31582", dup311); + +var msg33470 = msg("31583", dup311); + +var msg33471 = msg("31584", dup323); + +var msg33472 = msg("31585", dup323); + +var msg33473 = msg("31586", dup321); + +var msg33474 = msg("31587", dup314); + +var msg33475 = msg("31588", dup307); + +var msg33476 = msg("31589", dup309); + +var msg33477 = msg("31590", dup309); + +var msg33478 = msg("31591", dup309); + +var msg33479 = msg("31592", dup309); + +var msg33480 = msg("31593", dup321); + +var msg33481 = msg("31594", dup314); + +var msg33482 = msg("31595", dup314); + +var msg33483 = msg("31596", dup314); + +var msg33484 = msg("31597", dup314); + +var msg33485 = msg("31598", dup314); + +var msg33486 = msg("31599", dup314); + +var all61 = all_match({ + processors: [ + dup66, + dup179, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup100, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg33487 = msg("31600", all61); + +var msg33488 = msg("31601", dup321); + +var msg33489 = msg("31602", dup321); + +var msg33490 = msg("31603", dup321); + +var msg33491 = msg("31604", dup321); + +var msg33492 = msg("31605", dup321); + +var msg33493 = msg("31606", dup321); + +var msg33494 = msg("31607", dup321); + +var msg33495 = msg("31608", dup311); + +var msg33496 = msg("31609", dup311); + +var msg33497 = msg("31610", dup311); + +var msg33498 = msg("31611", dup311); + +var msg33499 = msg("31612", dup324); + +var msg33500 = msg("31613", dup324); + +var msg33501 = msg("31614", dup314); + +var msg33502 = msg("31615", dup324); + +var msg33503 = msg("31616", dup324); + +var msg33504 = msg("31617", dup325); + +var msg33505 = msg("31618", dup325); + +var msg33506 = msg("31619", dup325); + +var msg33507 = msg("31620", dup325); + +var msg33508 = msg("31621", dup325); + +var msg33509 = msg("31622", dup325); + +var msg33510 = msg("31623", dup325); + +var msg33511 = msg("31624", dup325); + +var msg33512 = msg("31625", dup325); + +var msg33513 = msg("31626", dup325); + +var msg33514 = msg("31627", dup325); + +var msg33515 = msg("31628", dup325); + +var msg33516 = msg("31629", dup325); + +var msg33517 = msg("31630", dup325); + +var msg33518 = msg("31631", dup321); + +var msg33519 = msg("31632", dup321); + +var msg33520 = msg("31633", dup321); + +var msg33521 = msg("31634", dup309); + +var msg33522 = msg("31635", dup309); + +var msg33523 = msg("31636", dup322); + +var msg33524 = msg("31637", dup323); + +var msg33525 = msg("31638", dup314); + +var msg33526 = msg("31639", dup321); + +var msg33527 = msg("31640", dup321); + +var msg33528 = msg("31641", dup321); + +var msg33529 = msg("31642", dup321); + +var msg33530 = msg("31643", dup321); + +var msg33531 = msg("31644", dup321); + +var msg33532 = msg("31645", dup325); + +var msg33533 = msg("31646", dup325); + +var msg33534 = msg("31647", dup316); + +var msg33535 = msg("31648", dup316); + +var msg33536 = msg("31649", dup321); + +var msg33537 = msg("31650", dup311); + +var msg33538 = msg("31651", dup316); + +var msg33539 = msg("31652", dup316); + +var msg33540 = msg("31653", dup321); + +var msg33541 = msg("31654", dup321); + +var msg33542 = msg("31655", dup321); + +var msg33543 = msg("31656", dup321); + +var msg33544 = msg("31657", dup321); + +var msg33545 = msg("31658", dup321); + +var msg33546 = msg("31659", dup321); + +var msg33547 = msg("31660", dup321); + +var msg33548 = msg("31661", dup321); + +var msg33549 = msg("31662", dup321); + +var msg33550 = msg("31663", dup321); + +var msg33551 = msg("31664", dup328); + +var msg33552 = msg("31665", dup328); + +var msg33553 = msg("31666", dup328); + +var msg33554 = msg("31667", dup328); + +var msg33555 = msg("31668", dup311); + +var msg33556 = msg("31669", dup321); + +var msg33557 = msg("31670", dup309); + +var msg33558 = msg("31671", dup309); + +var msg33559 = msg("31672", dup324); + +var msg33560 = msg("31673", dup311); + +var msg33561 = msg("31674", dup311); + +var msg33562 = msg("31675", dup311); + +var msg33563 = msg("31676", dup311); + +var msg33564 = msg("31677", dup311); + +var msg33565 = msg("31678", dup314); + +var msg33566 = msg("31679", dup314); + +var msg33567 = msg("31680", dup321); + +var msg33568 = msg("31681", dup321); + +var msg33569 = msg("31682", dup321); + +var msg33570 = msg("31683", dup321); + +var msg33571 = msg("31684", dup314); + +var msg33572 = msg("31685", dup314); + +var msg33573 = msg("31686", dup309); + +var msg33574 = msg("31687", dup309); + +var msg33575 = msg("31688", dup325); + +var msg33576 = msg("31689", dup321); + +var msg33577 = msg("31690", dup333); + +var msg33578 = msg("31691", dup321); + +var msg33579 = msg("31692", dup311); + +var msg33580 = msg("31693", dup321); + +var msg33581 = msg("31694", dup311); + +var msg33582 = msg("31695", dup311); + +var msg33583 = msg("31696", dup314); + +var msg33584 = msg("31697", dup314); + +var msg33585 = msg("31698", dup314); + +var msg33586 = msg("31699", dup311); + +var msg33587 = msg("31700", dup311); + +var msg33588 = msg("31701", dup311); + +var msg33589 = msg("31702", dup314); + +var msg33590 = msg("31703", dup314); + +var msg33591 = msg("31704", dup311); + +var msg33592 = msg("31705", dup329); + +var msg33593 = msg("31706", dup321); + +var msg33594 = msg("31707", dup314); + +var msg33595 = msg("31708", dup314); + +var msg33596 = msg("31709", dup314); + +var msg33597 = msg("31710", dup321); + +var msg33598 = msg("31711", dup333); + +var msg33599 = msg("31712", dup321); + +var msg33600 = msg("31713", dup321); + +var msg33601 = msg("31714", dup321); + +var msg33602 = msg("31715", dup321); + +var msg33603 = msg("31716", dup321); + +var msg33604 = msg("31717", dup321); + +var msg33605 = msg("31718", dup321); + +var msg33606 = msg("31719", dup307); + +var msg33607 = msg("31720", dup321); + +var msg33608 = msg("31721", dup321); + +var msg33609 = msg("31722", dup321); + +var msg33610 = msg("31723", dup314); + +var msg33611 = msg("31724", dup314); + +var msg33612 = msg("31725", dup314); + +var msg33613 = msg("31726", dup314); + +var msg33614 = msg("31727", dup314); + +var msg33615 = msg("31728", dup322); + +var msg33616 = msg("31729", dup322); + +var msg33617 = msg("31730", dup322); + +var msg33618 = msg("31731", dup322); + +var msg33619 = msg("31732", dup314); + +var msg33620 = msg("31733", dup314); + +var msg33621 = msg("31734", dup311); + +var msg33622 = msg("31735", dup325); + +var msg33623 = msg("31736", dup325); + +var msg33624 = msg("31737", dup321); + +var msg33625 = msg("31738", dup329); + +var msg33626 = msg("31739", dup314); + +var msg33627 = msg("31740", dup314); + +var msg33628 = msg("31741", dup316); + +var msg33629 = msg("31742", dup333); + +var msg33630 = msg("31743", dup311); + +var msg33631 = msg("31744", dup321); + +var msg33632 = msg("31745", dup316); + +var msg33633 = msg("31746", dup321); + +var msg33634 = msg("31747", dup316); + +var msg33635 = msg("31748", dup321); + +var msg33636 = msg("31749", dup323); + +var msg33637 = msg("31750", dup323); + +var msg33638 = msg("31751", dup309); + +var msg33639 = msg("31752", dup309); + +var msg33640 = msg("31753", dup321); + +var msg33641 = msg("31754", dup321); + +var msg33642 = msg("31755", dup321); + +var msg33643 = msg("31756", dup314); + +var msg33644 = msg("31757", dup314); + +var msg33645 = msg("31758", dup314); + +var msg33646 = msg("31759", dup314); + +var msg33647 = msg("31760", dup325); + +var msg33648 = msg("31761", dup325); + +var msg33649 = msg("31762", dup325); + +var msg33650 = msg("31763", dup325); + +var msg33651 = msg("31764", dup324); + +var msg33652 = msg("31765", dup324); + +var msg33653 = msg("31766", dup314); + +var msg33654 = msg("31767", dup311); + +var msg33655 = msg("31768", dup321); + +var msg33656 = msg("31769", dup311); + +var msg33657 = msg("31770", dup311); + +var msg33658 = msg("31771", dup314); + +var msg33659 = msg("31772", dup321); + +var msg33660 = msg("31773", dup314); + +var msg33661 = msg("31774", dup314); + +var msg33662 = msg("31775", dup314); + +var msg33663 = msg("31776", dup314); + +var msg33664 = msg("31777", dup309); + +var msg33665 = msg("31778", dup309); + +var msg33666 = msg("31779", dup309); + +var msg33667 = msg("31780", dup309); + +var msg33668 = msg("31781", dup321); + +var msg33669 = msg("31782", dup325); + +var msg33670 = msg("31783", dup325); + +var msg33671 = msg("31784", dup325); + +var msg33672 = msg("31785", dup325); + +var msg33673 = msg("31786", dup325); + +var msg33674 = msg("31787", dup325); + +var msg33675 = msg("31788", dup325); + +var msg33676 = msg("31789", dup325); + +var msg33677 = msg("31790", dup325); + +var msg33678 = msg("31791", dup325); + +var msg33679 = msg("31792", dup325); + +var msg33680 = msg("31793", dup325); + +var msg33681 = msg("31794", dup325); + +var msg33682 = msg("31795", dup325); + +var msg33683 = msg("31796", dup325); + +var msg33684 = msg("31797", dup325); + +var msg33685 = msg("31798", dup314); + +var msg33686 = msg("31799", dup311); + +var msg33687 = msg("31800", dup311); + +var msg33688 = msg("31801", dup325); + +var msg33689 = msg("31802", dup325); + +var msg33690 = msg("31803", dup321); + +var msg33691 = msg("31804", dup321); + +var msg33692 = msg("31805", dup321); + +var msg33693 = msg("31806", dup321); + +var msg33694 = msg("31807", dup321); + +var msg33695 = msg("31808", dup323); + +var msg33696 = msg("31809", dup309); + +var msg33697 = msg("31810", dup309); + +var msg33698 = msg("31811", dup325); + +var msg33699 = msg("31812", dup325); + +var msg33700 = msg("31813", dup325); + +var msg33701 = msg("31814", dup321); + +var msg33702 = msg("31815", dup321); + +var msg33703 = msg("31816", dup321); + +var msg33704 = msg("31817", dup321); + +var msg33705 = msg("31818", dup314); + +var msg33706 = msg("31819", dup314); + +var msg33707 = msg("31820", dup321); + +var msg33708 = msg("31821", dup307); + +var msg33709 = msg("31822", dup307); + +var msg33710 = msg("31823", dup316); + +var msg33711 = msg("31824", dup321); + +var msg33712 = msg("31825", dup321); + +var msg33713 = msg("31826", dup310); + +var msg33714 = msg("31827", dup321); + +var msg33715 = msg("31828", dup321); + +var msg33716 = msg("31829", dup321); + +var msg33717 = msg("31830", dup333); + +var msg33718 = msg("31831", dup333); + +var msg33719 = msg("31832", dup321); + +var msg33720 = msg("31833", dup321); + +var msg33721 = msg("31834", dup321); + +var msg33722 = msg("31835", dup321); + +var msg33723 = msg("31836", dup321); + +var msg33724 = msg("31837", dup321); + +var msg33725 = msg("31838", dup314); + +var msg33726 = msg("31839", dup314); + +var msg33727 = msg("31840", dup314); + +var msg33728 = msg("31841", dup314); + +var msg33729 = msg("31842", dup314); + +var msg33730 = msg("31843", dup309); + +var msg33731 = msg("31844", dup309); + +var msg33732 = msg("31845", dup309); + +var msg33733 = msg("31846", dup332); + +var msg33734 = msg("31847", dup309); + +var msg33735 = msg("31848", dup309); + +var msg33736 = msg("31849", dup309); + +var msg33737 = msg("31850", dup309); + +var msg33738 = msg("31851", dup315); + +var msg33739 = msg("31852", dup315); + +var msg33740 = msg("31853", dup315); + +var msg33741 = msg("31854", dup315); + +var msg33742 = msg("31855", dup315); + +var msg33743 = msg("31856", dup315); + +var msg33744 = msg("31857", dup311); + +var msg33745 = msg("31858", dup311); + +var msg33746 = msg("31859", dup311); + +var msg33747 = msg("31860", dup311); + +var msg33748 = msg("31861", dup314); + +var msg33749 = msg("31862", dup314); + +var msg33750 = msg("31863", dup321); + +var msg33751 = msg("31864", dup321); + +var msg33752 = msg("31865", dup314); + +var msg33753 = msg("31866", dup314); + +var msg33754 = msg("31867", dup314); + +var msg33755 = msg("31868", dup314); + +var msg33756 = msg("31869", dup314); + +var msg33757 = msg("31870", dup314); + +var msg33758 = msg("31871", dup314); + +var msg33759 = msg("31872", dup321); + +var msg33760 = msg("31873", dup314); + +var msg33761 = msg("31874", dup314); + +var msg33762 = msg("31875", dup309); + +var msg33763 = msg("31876", dup309); + +var msg33764 = msg("31877", dup311); + +var msg33765 = msg("31878", dup311); + +var msg33766 = msg("31879", dup311); + +var msg33767 = msg("31880", dup311); + +var msg33768 = msg("31881", dup311); + +var msg33769 = msg("31882", dup311); + +var msg33770 = msg("31883", dup321); + +var msg33771 = msg("31884", dup321); + +var msg33772 = msg("31885", dup321); + +var msg33773 = msg("31886", dup311); + +var msg33774 = msg("31887", dup311); + +var msg33775 = msg("31888", dup311); + +var msg33776 = msg("31889", dup316); + +var msg33777 = msg("31890", dup316); + +var msg33778 = msg("31891", dup311); + +var msg33779 = msg("31892", dup311); + +var msg33780 = msg("31893", dup321); + +var msg33781 = msg("31894", dup321); + +var msg33782 = msg("31895", dup321); + +var msg33783 = msg("31896", dup321); + +var msg33784 = msg("31897", dup321); + +var msg33785 = msg("31898", dup311); + +var msg33786 = msg("31899", dup316); + +var msg33787 = msg("31900", dup316); + +var msg33788 = msg("31901", dup316); + +var msg33789 = msg("31902", dup307); + +var msg33790 = msg("31903", dup307); + +var msg33791 = msg("31904", dup321); + +var msg33792 = msg("31905", dup314); + +var msg33793 = msg("31906", dup314); + +var msg33794 = msg("31907", dup321); + +var msg33795 = msg("31908", dup321); + +var msg33796 = msg("31909", dup321); + +var msg33797 = msg("31910", dup321); + +var msg33798 = msg("31911", dup321); + +var msg33799 = msg("31912", dup311); + +var msg33800 = msg("31913", dup321); + +var msg33801 = msg("31914", dup311); + +var msg33802 = msg("31915", dup321); + +var msg33803 = msg("31916", dup321); + +var msg33804 = msg("31917", dup321); + +var msg33805 = msg("31918", dup321); + +var msg33806 = msg("31919", dup321); + +var msg33807 = msg("31920", dup321); + +var msg33808 = msg("31921", dup321); + +var msg33809 = msg("31922", dup321); + +var msg33810 = msg("31923", dup310); + +var msg33811 = msg("31924", dup321); + +var msg33812 = msg("31925", dup321); + +var msg33813 = msg("31926", dup309); + +var msg33814 = msg("31927", dup309); + +var msg33815 = msg("31928", dup321); + +var msg33816 = msg("31929", dup321); + +var msg33817 = msg("31930", dup321); + +var msg33818 = msg("31931", dup321); + +var msg33819 = msg("31932", dup321); + +var msg33820 = msg("31933", dup321); + +var msg33821 = msg("31934", dup321); + +var msg33822 = msg("31935", dup321); + +var msg33823 = msg("31936", dup321); + +var msg33824 = msg("31937", dup321); + +var msg33825 = msg("31938", dup321); + +var msg33826 = msg("31939", dup314); + +var msg33827 = msg("31940", dup314); + +var msg33828 = msg("31941", dup321); + +var msg33829 = msg("31942", dup314); + +var msg33830 = msg("31943", dup314); + +var msg33831 = msg("31944", dup321); + +var msg33832 = msg("31945", dup316); + +var msg33833 = msg("31946", dup311); + +var msg33834 = msg("31947", dup325); + +var msg33835 = msg("31948", dup325); + +var msg33836 = msg("31949", dup325); + +var msg33837 = msg("31950", dup321); + +var msg33838 = msg("31951", dup321); + +var msg33839 = msg("31952", dup321); + +var msg33840 = msg("31953", dup321); + +var msg33841 = msg("31954", dup321); + +var msg33842 = msg("31955", dup321); + +var msg33843 = msg("31956", dup316); + +var msg33844 = msg("31957", dup321); + +var msg33845 = msg("31958", dup321); + +var msg33846 = msg("31959", dup321); + +var msg33847 = msg("31960", dup325); + +var msg33848 = msg("31961", dup321); + +var msg33849 = msg("31962", dup321); + +var msg33850 = msg("31963", dup321); + +var msg33851 = msg("31964", dup321); + +var msg33852 = msg("31965", dup311); + +var msg33853 = msg("31966", dup311); + +var msg33854 = msg("31967", dup311); + +var msg33855 = msg("31968", dup311); + +var msg33856 = msg("31969", dup311); + +var msg33857 = msg("31970", dup311); + +var msg33858 = msg("31971", dup307); + +var msg33859 = msg("31972", dup311); + +var msg33860 = msg("31973", dup321); + +var msg33861 = msg("31974", dup321); + +var msg33862 = msg("31975", dup311); + +var msg33863 = msg("31976", dup311); + +var msg33864 = msg("31977", dup337); + +var msg33865 = msg("31978", dup337); + +var msg33866 = msg("31979", dup323); + +var msg33867 = msg("31980", dup324); + +var msg33868 = msg("31981", dup324); + +var msg33869 = msg("31982", dup329); + +var msg33870 = msg("31983", dup309); + +var msg33871 = msg("31984", dup324); + +var msg33872 = msg("31985", dup311); + +var msg33873 = msg("31986", dup309); + +var msg33874 = msg("31987", dup309); + +var msg33875 = msg("31988", dup311); + +var msg33876 = msg("31989", dup321); + +var msg33877 = msg("31990", dup325); + +var msg33878 = msg("31991", dup325); + +var msg33879 = msg("31992", dup200); + +var msg33880 = msg("31993", dup200); + +var msg33881 = msg("31994", dup200); + +var msg33882 = msg("31995", dup200); + +var msg33883 = msg("31996", dup200); + +var msg33884 = msg("31997", dup200); + +var msg33885 = msg("31998", dup200); + +var msg33886 = msg("31999", dup200); + +var msg33887 = msg("32000", dup200); + +var msg33888 = msg("32001", dup200); + +var msg33889 = msg("32002", dup321); + +var msg33890 = msg("32003", dup324); + +var msg33891 = msg("32004", dup324); + +var msg33892 = msg("32005", dup321); + +var msg33893 = msg("32006", dup321); + +var msg33894 = msg("32007", dup332); + +var msg33895 = msg("32008", dup311); + +var msg33896 = msg("32009", dup309); + +var msg33897 = msg("32010", dup309); + +var msg33898 = msg("32011", dup309); + +var msg33899 = msg("32012", dup323); + +var msg33900 = msg("32013", dup321); + +var msg33901 = msg("32014", dup311); + +var msg33902 = msg("32015", dup321); + +var msg33903 = msg("32016", dup321); + +var msg33904 = msg("32017", dup321); + +var msg33905 = msg("32018", dup321); + +var msg33906 = msg("32019", dup325); + +var msg33907 = msg("32020", dup321); + +var msg33908 = msg("32021", dup309); + +var msg33909 = msg("32022", dup309); + +var msg33910 = msg("32023", dup321); + +var msg33911 = msg("32024", dup314); + +var msg33912 = msg("32025", dup314); + +var msg33913 = msg("32026", dup314); + +var msg33914 = msg("32027", dup314); + +var msg33915 = msg("32028", dup321); + +var msg33916 = msg("32029", dup314); + +var msg33917 = msg("32030", dup325); + +var msg33918 = msg("32031", dup321); + +var msg33919 = msg("32032", dup321); + +var msg33920 = msg("32033", dup321); + +var msg33921 = msg("32034", dup321); + +var msg33922 = msg("32035", dup321); + +var msg33923 = msg("32036", dup321); + +var msg33924 = msg("32037", dup321); + +var msg33925 = msg("32038", dup311); + +var msg33926 = msg("32039", dup311); + +var msg33927 = msg("32040", dup321); + +var msg33928 = msg("32041", dup311); + +var msg33929 = msg("32042", dup311); + +var msg33930 = msg("32043", dup311); + +var msg33931 = msg("32044", dup314); + +var msg33932 = msg("32045", dup324); + +var msg33933 = msg("32046", dup324); + +var msg33934 = msg("32047", dup324); + +var msg33935 = msg("32048", dup321); + +var msg33936 = msg("32049", dup324); + +var msg33937 = msg("32050", dup321); + +var msg33938 = msg("32051", dup321); + +var msg33939 = msg("32052", dup314); + +var msg33940 = msg("32053", dup321); + +var msg33941 = msg("32054", dup321); + +var msg33942 = msg("32055", dup321); + +var msg33943 = msg("32056", dup314); + +var msg33944 = msg("32057", dup323); + +var msg33945 = msg("32058", dup321); + +var msg33946 = msg("32059", dup309); + +var msg33947 = msg("32060", dup325); + +var msg33948 = msg("32061", dup321); + +var msg33949 = msg("32062", dup309); + +var msg33950 = msg("32063", dup309); + +var msg33951 = msg("32064", dup309); + +var msg33952 = msg("32065", dup321); + +var msg33953 = msg("32066", dup321); + +var msg33954 = msg("32067", dup321); + +var msg33955 = msg("32068", dup314); + +var msg33956 = msg("32069", dup311); + +var msg33957 = msg("32070", dup321); + +var msg33958 = msg("32071", dup321); + +var msg33959 = msg("32072", dup321); + +var msg33960 = msg("32073", dup321); + +var msg33961 = msg("32074", dup321); + +var msg33962 = msg("32075", dup321); + +var msg33963 = msg("32076", dup314); + +var msg33964 = msg("32077", dup314); + +var msg33965 = msg("32078", dup321); + +var msg33966 = msg("32079", dup321); + +var msg33967 = msg("32080", dup321); + +var msg33968 = msg("32081", dup321); + +var msg33969 = msg("32082", dup309); + +var msg33970 = msg("32083", dup309); + +var msg33971 = msg("32084", dup309); + +var msg33972 = msg("32085", dup309); + +var msg33973 = msg("32086", dup321); + +var msg33974 = msg("32087", dup309); + +var msg33975 = msg("32088", dup309); + +var msg33976 = msg("32089", dup309); + +var msg33977 = msg("32090", dup321); + +var msg33978 = msg("32091", dup321); + +var msg33979 = msg("32092", dup325); + +var msg33980 = msg("32093", dup321); + +var msg33981 = msg("32094", dup309); + +var msg33982 = msg("32095", dup309); + +var msg33983 = msg("32096", dup321); + +var msg33984 = msg("32097", dup309); + +var msg33985 = msg("32098", dup309); + +var msg33986 = msg("32099", dup309); + +var msg33987 = msg("32100", dup309); + +var msg33988 = msg("32101", dup311); + +var msg33989 = msg("32102", dup311); + +var msg33990 = msg("32103", dup311); + +var msg33991 = msg("32104", dup311); + +var msg33992 = msg("32105", dup311); + +var msg33993 = msg("32106", dup316); + +var msg33994 = msg("32107", dup314); + +var msg33995 = msg("32108", dup314); + +var msg33996 = msg("32109", dup309); + +var msg33997 = msg("32110", dup324); + +var msg33998 = msg("32111", dup324); + +var msg33999 = msg("32112", dup324); + +var msg34000 = msg("32113", dup324); + +var msg34001 = msg("32114", dup308); + +var msg34002 = msg("32115", dup328); + +var msg34003 = msg("32116", dup328); + +var msg34004 = msg("32117", dup321); + +var msg34005 = msg("32118", dup321); + +var msg34006 = msg("32119", dup321); + +var msg34007 = msg("32120", dup321); + +var msg34008 = msg("32121", dup321); + +var msg34009 = msg("32122", dup309); + +var msg34010 = msg("32123", dup321); + +var msg34011 = msg("32124", dup200); + +var msg34012 = msg("32125", dup325); + +var msg34013 = msg("32126", dup321); + +var msg34014 = msg("32127", dup316); + +var msg34015 = msg("32128", dup316); + +var msg34016 = msg("32129", dup321); + +var msg34017 = msg("32130", dup321); + +var msg34018 = msg("32131", dup309); + +var msg34019 = msg("32132", dup309); + +var msg34020 = msg("32133", dup309); + +var msg34021 = msg("32134", dup314); + +var msg34022 = msg("32135", dup314); + +var msg34023 = msg("32136", dup307); + +var msg34024 = msg("32137", dup325); + +var msg34025 = msg("32138", dup325); + +var msg34026 = msg("32139", dup325); + +var msg34027 = msg("32140", dup325); + +var msg34028 = msg("32141", dup311); + +var msg34029 = msg("32142", dup311); + +var msg34030 = msg("32143", dup311); + +var msg34031 = msg("32144", dup311); + +var msg34032 = msg("32145", dup311); + +var msg34033 = msg("32146", dup311); + +var msg34034 = msg("32147", dup309); + +var msg34035 = msg("32148", dup309); + +var msg34036 = msg("32149", dup311); + +var msg34037 = msg("32150", dup311); + +var msg34038 = msg("32151", dup311); + +var msg34039 = msg("32152", dup311); + +var msg34040 = msg("32153", dup325); + +var msg34041 = msg("32154", dup325); + +var msg34042 = msg("32155", dup325); + +var msg34043 = msg("32156", dup325); + +var msg34044 = msg("32157", dup325); + +var msg34045 = msg("32158", dup325); + +var msg34046 = msg("32159", dup325); + +var msg34047 = msg("32160", dup325); + +var msg34048 = msg("32161", dup323); + +var msg34049 = msg("32162", dup323); + +var msg34050 = msg("32163", dup314); + +var msg34051 = msg("32164", dup314); + +var msg34052 = msg("32165", dup314); + +var msg34053 = msg("32166", dup311); + +var msg34054 = msg("32167", dup311); + +var msg34055 = msg("32168", dup325); + +var msg34056 = msg("32169", dup325); + +var msg34057 = msg("32170", dup309); + +var msg34058 = msg("32171", dup309); + +var msg34059 = msg("32172", dup321); + +var msg34060 = msg("32173", dup321); + +var msg34061 = msg("32174", dup321); + +var msg34062 = msg("32175", dup321); + +var msg34063 = msg("32176", dup321); + +var msg34064 = msg("32177", dup321); + +var msg34065 = msg("32178", dup321); + +var msg34066 = msg("32179", dup321); + +var msg34067 = msg("32180", dup321); + +var msg34068 = msg("32181", dup321); + +var msg34069 = msg("32182", dup311); + +var msg34070 = msg("32183", dup311); + +var msg34071 = msg("32184", dup311); + +var msg34072 = msg("32185", dup311); + +var msg34073 = msg("32186", dup314); + +var msg34074 = msg("32187", dup314); + +var msg34075 = msg("32188", dup321); + +var msg34076 = msg("32189", dup321); + +var msg34077 = msg("32190", dup311); + +var msg34078 = msg("32191", dup311); + +var msg34079 = msg("32192", dup321); + +var msg34080 = msg("32193", dup321); + +var msg34081 = msg("32194", dup321); + +var msg34082 = msg("32195", dup321); + +var msg34083 = msg("32196", dup321); + +var msg34084 = msg("32197", dup321); + +var msg34085 = msg("32198", dup321); + +var msg34086 = msg("32199", dup314); + +var msg34087 = msg("32200", dup321); + +var msg34088 = msg("32201", dup321); + +var msg34089 = msg("32202", dup321); + +var msg34090 = msg("32203", dup316); + +var msg34091 = msg("32204", dup314); + +var msg34092 = msg("32205", dup314); + +var msg34093 = msg("32206", dup309); + +var msg34094 = msg("32207", dup309); + +var msg34095 = msg("32208", dup309); + +var msg34096 = msg("32209", dup309); + +var msg34097 = msg("32210", dup309); + +var msg34098 = msg("32211", dup309); + +var msg34099 = msg("32212", dup309); + +var msg34100 = msg("32213", dup309); + +var msg34101 = msg("32214", dup309); + +var msg34102 = msg("32215", dup309); + +var msg34103 = msg("32216", dup309); + +var msg34104 = msg("32217", dup307); + +var msg34105 = msg("32218", dup307); + +var msg34106 = msg("32219", dup321); + +var msg34107 = msg("32220", dup321); + +var msg34108 = msg("32221", dup321); + +var msg34109 = msg("32222", dup321); + +var msg34110 = msg("32223", dup309); + +var msg34111 = msg("32224", dup309); + +var msg34112 = msg("32225", dup321); + +var msg34113 = msg("32226", dup309); + +var msg34114 = msg("32227", dup309); + +var msg34115 = msg("32228", dup309); + +var msg34116 = msg("32229", dup309); + +var msg34117 = msg("32230", dup311); + +var msg34118 = msg("32231", dup311); + +var msg34119 = msg("32232", dup311); + +var msg34120 = msg("32233", dup311); + +var msg34121 = msg("32234", dup311); + +var msg34122 = msg("32235", dup311); + +var msg34123 = msg("32236", dup311); + +var msg34124 = msg("32237", dup311); + +var msg34125 = msg("32238", dup311); + +var msg34126 = msg("32239", dup311); + +var msg34127 = msg("32240", dup314); + +var msg34128 = msg("32241", dup321); + +var msg34129 = msg("32242", dup321); + +var msg34130 = msg("32243", dup321); + +var msg34131 = msg("32244", dup323); + +var msg34132 = msg("32245", dup307); + +var msg34133 = msg("32246", dup307); + +var msg34134 = msg("32247", dup311); + +var msg34135 = msg("32248", dup321); + +var msg34136 = msg("32249", dup321); + +var msg34137 = msg("32250", dup321); + +var msg34138 = msg("32251", dup314); + +var msg34139 = msg("32252", dup314); + +var msg34140 = msg("32253", dup314); + +var msg34141 = msg("32254", dup314); + +var msg34142 = msg("32255", dup314); + +var msg34143 = msg("32256", dup314); + +var msg34144 = msg("32257", dup314); + +var msg34145 = msg("32258", dup314); + +var msg34146 = msg("32259", dup321); + +var msg34147 = msg("32260", dup321); + +var msg34148 = msg("32261", dup316); + +var msg34149 = msg("32262", dup325); + +var msg34150 = msg("32263", dup325); + +var msg34151 = msg("32264", dup314); + +var msg34152 = msg("32265", dup314); + +var msg34153 = msg("32266", dup325); + +var msg34154 = msg("32267", dup325); + +var msg34155 = msg("32268", dup316); + +var msg34156 = msg("32269", dup316); + +var msg34157 = msg("32270", dup321); + +var msg34158 = msg("32271", dup321); + +var msg34159 = msg("32272", dup321); + +var msg34160 = msg("32273", dup321); + +var msg34161 = msg("32274", dup314); + +var msg34162 = msg("32275", dup314); + +var msg34163 = msg("32276", dup311); + +var msg34164 = msg("32277", dup314); + +var msg34165 = msg("32278", dup321); + +var msg34166 = msg("32279", dup321); + +var msg34167 = msg("32280", dup321); + +var msg34168 = msg("32281", dup321); + +var msg34169 = msg("32282", dup321); + +var msg34170 = msg("32283", dup321); + +var msg34171 = msg("32284", dup321); + +var msg34172 = msg("32285", dup321); + +var msg34173 = msg("32286", dup321); + +var msg34174 = msg("32287", dup321); + +var msg34175 = msg("32288", dup321); + +var msg34176 = msg("32289", dup321); + +var msg34177 = msg("32290", dup321); + +var msg34178 = msg("32291", dup321); + +var msg34179 = msg("32292", dup321); + +var msg34180 = msg("32293", dup321); + +var msg34181 = msg("32294", dup325); + +var msg34182 = msg("32295", dup325); + +var msg34183 = msg("32296", dup325); + +var msg34184 = msg("32297", dup321); + +var msg34185 = msg("32298", dup321); + +var msg34186 = msg("32299", dup321); + +var msg34187 = msg("32300", dup321); + +var msg34188 = msg("32301", dup324); + +var msg34189 = msg("32302", dup324); + +var msg34190 = msg("32303", dup324); + +var msg34191 = msg("32304", dup324); + +var msg34192 = msg("32305", dup324); + +var msg34193 = msg("32306", dup324); + +var msg34194 = msg("32307", dup324); + +var msg34195 = msg("32308", dup324); + +var msg34196 = msg("32309", dup333); + +var msg34197 = msg("32310", dup321); + +var msg34198 = msg("32311", dup321); + +var msg34199 = msg("32312", dup321); + +var msg34200 = msg("32313", dup314); + +var msg34201 = msg("32314", dup314); + +var msg34202 = msg("32315", dup314); + +var msg34203 = msg("32316", dup314); + +var msg34204 = msg("32319", dup314); + +var msg34205 = msg("32320", dup314); + +var msg34206 = msg("32334", dup321); + +var msg34207 = msg("32335", dup311); + +var msg34208 = msg("32336", dup311); + +var msg34209 = msg("32337", dup311); + +var msg34210 = msg("32338", dup321); + +var msg34211 = msg("32342", dup316); + +var msg34212 = msg("32343", dup321); + +var msg34213 = msg("32344", dup321); + +var msg34214 = msg("32345", dup314); + +var msg34215 = msg("32346", dup314); + +var msg34216 = msg("32347", dup314); + +var msg34217 = msg("32348", dup314); + +var msg34218 = msg("32349", dup314); + +var msg34219 = msg("32350", dup323); + +var msg34220 = msg("32351", dup323); + +var msg34221 = msg("32352", dup316); + +var msg34222 = msg("32353", dup322); + +var msg34223 = msg("32354", dup321); + +var msg34224 = msg("32355", dup314); + +var msg34225 = msg("32356", dup308); + +var msg34226 = msg("32357", dup321); + +var msg34227 = msg("32358", dup311); + +var msg34228 = msg("32359", dup314); + +var msg34229 = msg("32360", dup314); + +var msg34230 = msg("32361", dup309); + +var msg34231 = msg("32362", dup325); + +var msg34232 = msg("32363", dup325); + +var msg34233 = msg("32364", dup311); + +var msg34234 = msg("32365", dup311); + +var msg34235 = msg("32366", dup311); + +var msg34236 = msg("32367", dup321); + +var msg34237 = msg("32368", dup321); + +var msg34238 = msg("32369", dup309); + +var msg34239 = msg("32370", dup309); + +var msg34240 = msg("32371", dup309); + +var msg34241 = msg("32372", dup321); + +var msg34242 = msg("32373", dup321); + +var msg34243 = msg("32374", dup321); + +var msg34244 = msg("32375", dup314); + +var msg34245 = msg("32376", dup309); + +var msg34246 = msg("32377", dup309); + +var msg34247 = msg("32378", dup314); + +var msg34248 = msg("32379", dup321); + +var msg34249 = msg("32380", dup314); + +var msg34250 = msg("32381", dup309); + +var msg34251 = msg("32382", dup309); + +var msg34252 = msg("32383", dup325); + +var msg34253 = msg("32384", dup325); + +var msg34254 = msg("32385", dup321); + +var msg34255 = msg("32386", dup311); + +var msg34256 = msg("32387", dup311); + +var msg34257 = msg("32388", dup311); + +var msg34258 = msg("32389", dup311); + +var msg34259 = msg("32390", dup311); + +var msg34260 = msg("32391", dup321); + +var msg34261 = msg("32392", dup321); + +var msg34262 = msg("32393", dup321); + +var msg34263 = msg("32394", dup321); + +var msg34264 = msg("32395", dup321); + +var msg34265 = msg("32396", dup321); + +var msg34266 = msg("32397", dup321); + +var msg34267 = msg("32398", dup314); + +var msg34268 = msg("32399", dup311); + +var msg34269 = msg("32400", dup321); + +var msg34270 = msg("32401", dup321); + +var msg34271 = msg("32402", dup325); + +var msg34272 = msg("32403", dup309); + +var msg34273 = msg("32404", dup314); + +var msg34274 = msg("32405", dup314); + +var msg34275 = msg("32406", dup314); + +var msg34276 = msg("32407", dup314); + +var msg34277 = msg("32408", dup314); + +var msg34278 = msg("32409", dup314); + +var msg34279 = msg("32410", dup314); + +var msg34280 = msg("32411", dup314); + +var msg34281 = msg("32412", dup314); + +var msg34282 = msg("32413", dup314); + +var msg34283 = msg("32414", dup309); + +var msg34284 = msg("32415", dup309); + +var msg34285 = msg("32416", dup309); + +var msg34286 = msg("32417", dup309); + +var msg34287 = msg("32418", dup309); + +var msg34288 = msg("32419", dup309); + +var msg34289 = msg("32420", dup309); + +var msg34290 = msg("32421", dup309); + +var msg34291 = msg("32422", dup309); + +var msg34292 = msg("32423", dup314); + +var msg34293 = msg("32424", dup311); + +var msg34294 = msg("32425", dup311); + +var msg34295 = msg("32426", dup325); + +var msg34296 = msg("32427", dup325); + +var msg34297 = msg("32428", dup309); + +var msg34298 = msg("32429", dup309); + +var msg34299 = msg("32430", dup311); + +var msg34300 = msg("32431", dup311); + +var msg34301 = msg("32432", dup309); + +var msg34302 = msg("32433", dup309); + +var msg34303 = msg("32434", dup309); + +var msg34304 = msg("32435", dup309); + +var msg34305 = msg("32436", dup325); + +var msg34306 = msg("32437", dup325); + +var msg34307 = msg("32438", dup325); + +var msg34308 = msg("32439", dup325); + +var msg34309 = msg("32440", dup325); + +var msg34310 = msg("32441", dup325); + +var msg34311 = msg("32442", dup325); + +var msg34312 = msg("32443", dup325); + +var msg34313 = msg("32444", dup314); + +var msg34314 = msg("32445", dup314); + +var msg34315 = msg("32446", dup321); + +var msg34316 = msg("32447", dup321); + +var msg34317 = msg("32448", dup321); + +var msg34318 = msg("32449", dup321); + +var msg34319 = msg("32450", dup321); + +var msg34320 = msg("32451", dup321); + +var msg34321 = msg("32452", dup321); + +var msg34322 = msg("32453", dup321); + +var msg34323 = msg("32454", dup321); + +var msg34324 = msg("32455", dup325); + +var msg34325 = msg("32456", dup321); + +var msg34326 = msg("32457", dup321); + +var msg34327 = msg("32458", dup323); + +var msg34328 = msg("32459", dup323); + +var msg34329 = msg("32460", dup311); + +var msg34330 = msg("32461", dup311); + +var msg34331 = msg("32462", dup307); + +var msg34332 = msg("32463", dup321); + +var msg34333 = msg("32464", dup321); + +var msg34334 = msg("32465", dup324); + +var msg34335 = msg("32466", dup324); + +var msg34336 = msg("32467", dup324); + +var msg34337 = msg("32468", dup324); + +var msg34338 = msg("32469", dup321); + +var msg34339 = msg("32470", dup309); + +var msg34340 = msg("32471", dup309); + +var msg34341 = msg("32472", dup309); + +var msg34342 = msg("32473", dup309); + +var msg34343 = msg("32474", dup311); + +var msg34344 = msg("32475", dup311); + +var msg34345 = msg("32476", dup309); + +var msg34346 = msg("32477", dup309); + +var msg34347 = msg("32478", dup325); + +var msg34348 = msg("32479", dup325); + +var msg34349 = msg("32480", dup314); + +var msg34350 = msg("32481", dup314); + +var msg34351 = msg("32482", dup325); + +var msg34352 = msg("32483", dup325); + +var msg34353 = msg("32484", dup325); + +var msg34354 = msg("32485", dup325); + +var msg34355 = msg("32486", dup321); + +var msg34356 = msg("32487", dup321); + +var msg34357 = msg("32488", dup325); + +var msg34358 = msg("32489", dup323); + +var msg34359 = msg("32490", dup323); + +var msg34360 = msg("32491", dup325); + +var msg34361 = msg("32492", dup325); + +var msg34362 = msg("32493", dup321); + +var msg34363 = msg("32494", dup321); + +var msg34364 = msg("32495", dup325); + +var msg34365 = msg("32496", dup325); + +var msg34366 = msg("32497", dup325); + +var msg34367 = msg("32498", dup325); + +var msg34368 = msg("32499", dup325); + +var msg34369 = msg("32500", dup325); + +var msg34370 = msg("32501", dup314); + +var msg34371 = msg("32502", dup314); + +var msg34372 = msg("32503", dup325); + +var msg34373 = msg("32504", dup321); + +var msg34374 = msg("32505", dup321); + +var msg34375 = msg("32506", dup321); + +var msg34376 = msg("32507", dup325); + +var msg34377 = msg("32508", dup309); + +var msg34378 = msg("32509", dup309); + +var msg34379 = msg("32510", dup321); + +var msg34380 = msg("32511", dup321); + +var msg34381 = msg("32512", dup321); + +var msg34382 = msg("32513", dup321); + +var msg34383 = msg("32514", dup309); + +var msg34384 = msg("32515", dup309); + +var msg34385 = msg("32516", dup309); + +var msg34386 = msg("32517", dup309); + +var msg34387 = msg("32518", dup311); + +var msg34388 = msg("32519", dup311); + +var msg34389 = msg("32520", dup314); + +var msg34390 = msg("32521", dup321); + +var msg34391 = msg("32522", dup321); + +var msg34392 = msg("32523", dup316); + +var msg34393 = msg("32524", dup316); + +var msg34394 = msg("32525", dup333); + +var msg34395 = msg("32526", dup314); + +var msg34396 = msg("32527", dup314); + +var msg34397 = msg("32528", dup314); + +var msg34398 = msg("32529", dup321); + +var msg34399 = msg("32530", dup309); + +var msg34400 = msg("32531", dup321); + +var msg34401 = msg("32532", dup311); + +var msg34402 = msg("32533", dup311); + +var msg34403 = msg("32534", dup324); + +var msg34404 = msg("32535", dup324); + +var msg34405 = msg("32536", dup324); + +var msg34406 = msg("32537", dup324); + +var msg34407 = msg("32538", dup324); + +var msg34408 = msg("32539", dup324); + +var msg34409 = msg("32540", dup324); + +var msg34410 = msg("32541", dup324); + +var msg34411 = msg("32542", dup324); + +var msg34412 = msg("32543", dup324); + +var msg34413 = msg("32544", dup324); + +var msg34414 = msg("32545", dup324); + +var msg34415 = msg("32546", dup307); + +var msg34416 = msg("32547", dup307); + +var msg34417 = msg("32548", dup321); + +var msg34418 = msg("32549", dup321); + +var msg34419 = msg("32550", dup321); + +var msg34420 = msg("32551", dup321); + +var msg34421 = msg("32552", dup324); + +var msg34422 = msg("32553", dup324); + +var msg34423 = msg("32554", dup311); + +var msg34424 = msg("32555", dup311); + +var msg34425 = msg("32556", dup321); + +var msg34426 = msg("32557", dup321); + +var msg34427 = msg("32558", dup311); + +var msg34428 = msg("32559", dup311); + +var msg34429 = msg("32560", dup311); + +var msg34430 = msg("32561", dup311); + +var msg34431 = msg("32562", dup309); + +var msg34432 = msg("32563", dup314); + +var msg34433 = msg("32564", dup309); + +var msg34434 = msg("32565", dup309); + +var msg34435 = msg("32566", dup314); + +var msg34436 = msg("32567", dup309); + +var msg34437 = msg("32568", dup309); + +var msg34438 = msg("32569", dup309); + +var msg34439 = msg("32570", dup309); + +var msg34440 = msg("32571", dup309); + +var msg34441 = msg("32572", dup309); + +var msg34442 = msg("32573", dup309); + +var msg34443 = msg("32574", dup309); + +var msg34444 = msg("32575", dup309); + +var msg34445 = msg("32576", dup309); + +var msg34446 = msg("32577", dup321); + +var msg34447 = msg("32578", dup321); + +var msg34448 = msg("32579", dup314); + +var msg34449 = msg("32580", dup314); + +var msg34450 = msg("32581", dup311); + +var msg34451 = msg("32582", dup311); + +var msg34452 = msg("32583", dup321); + +var msg34453 = msg("32584", dup321); + +var msg34454 = msg("32585", dup321); + +var msg34455 = msg("32586", dup321); + +var msg34456 = msg("32587", dup309); + +var msg34457 = msg("32588", dup309); + +var msg34458 = msg("32589", dup309); + +var msg34459 = msg("32590", dup314); + +var msg34460 = msg("32591", dup314); + +var msg34461 = msg("32592", dup314); + +var msg34462 = msg("32593", dup314); + +var msg34463 = msg("32594", dup314); + +var msg34464 = msg("32595", dup314); + +var msg34465 = msg("32596", dup314); + +var msg34466 = msg("32597", dup314); + +var msg34467 = msg("32598", dup323); + +var msg34468 = msg("32599", dup321); + +var msg34469 = msg("32600", dup323); + +var msg34470 = msg("32601", dup309); + +var msg34471 = msg("32602", dup314); + +var msg34472 = msg("32603", dup314); + +var msg34473 = msg("32604", dup321); + +var msg34474 = msg("32605", dup321); + +var msg34475 = msg("32606", dup321); + +var msg34476 = msg("32607", dup310); + +var msg34477 = msg("32608", dup310); + +var msg34478 = msg("32609", dup321); + +var msg34479 = msg("32610", dup321); + +var msg34480 = msg("32611", dup314); + +var msg34481 = msg("32612", dup321); + +var msg34482 = msg("32613", dup321); + +var msg34483 = msg("32614", dup321); + +var msg34484 = msg("32615", dup316); + +var msg34485 = msg("32616", dup314); + +var msg34486 = msg("32617", dup314); + +var msg34487 = msg("32618", dup314); + +var msg34488 = msg("32619", dup309); + +var msg34489 = msg("32620", dup309); + +var msg34490 = msg("32621", dup321); + +var msg34491 = msg("32622", dup321); + +var msg34492 = msg("32623", dup321); + +var msg34493 = msg("32624", dup321); + +var msg34494 = msg("32625", dup309); + +var msg34495 = msg("32626", dup314); + +var msg34496 = msg("32627", dup314); + +var msg34497 = msg("32628", dup309); + +var msg34498 = msg("32629", dup309); + +var msg34499 = msg("32630", dup309); + +var msg34500 = msg("32631", dup309); + +var msg34501 = msg("32632", dup314); + +var msg34502 = msg("32633", dup314); + +var msg34503 = msg("32634", dup314); + +var msg34504 = msg("32635", dup314); + +var msg34505 = msg("32636", dup311); + +var msg34506 = msg("32637", dup331); + +var msg34507 = msg("32638", dup311); + +var msg34508 = msg("32639", dup311); + +var msg34509 = msg("32640", dup311); + +var msg34510 = msg("32641", dup311); + +var msg34511 = msg("32642", dup314); + +var msg34512 = msg("32643", dup309); + +var msg34513 = msg("32644", dup309); + +var msg34514 = msg("32645", dup325); + +var msg34515 = msg("32646", dup321); + +var msg34516 = msg("32647", dup328); + +var msg34517 = msg("32648", dup328); + +var msg34518 = msg("32649", dup328); + +var msg34519 = msg("32650", dup328); + +var msg34520 = msg("32651", dup328); + +var msg34521 = msg("32652", dup321); + +var msg34522 = msg("32653", dup321); + +var msg34523 = msg("32654", dup321); + +var msg34524 = msg("32655", dup321); + +var msg34525 = msg("32656", dup321); + +var msg34526 = msg("32657", dup321); + +var msg34527 = msg("32658", dup321); + +var msg34528 = msg("32659", dup321); + +var msg34529 = msg("32660", dup321); + +var msg34530 = msg("32661", dup321); + +var msg34531 = msg("32662", dup321); + +var msg34532 = msg("32663", dup321); + +var msg34533 = msg("32664", dup321); + +var msg34534 = msg("32665", dup321); + +var msg34535 = msg("32666", dup321); + +var msg34536 = msg("32667", dup321); + +var msg34537 = msg("32668", dup314); + +var msg34538 = msg("32669", dup314); + +var msg34539 = msg("32670", dup321); + +var msg34540 = msg("32671", dup309); + +var msg34541 = msg("32672", dup333); + +var msg34542 = msg("32673", dup311); + +var msg34543 = msg("32674", dup321); + +var msg34544 = msg("32675", dup325); + +var msg34545 = msg("32676", dup321); + +var msg34546 = msg("32677", dup321); + +var msg34547 = msg("32678", dup321); + +var msg34548 = msg("32679", dup325); + +var msg34549 = msg("32680", dup325); + +var msg34550 = msg("32681", dup311); + +var msg34551 = msg("32682", dup311); + +var msg34552 = msg("32683", dup309); + +var msg34553 = msg("32684", dup309); + +var msg34554 = msg("32685", dup325); + +var msg34555 = msg("32686", dup325); + +var msg34556 = msg("32687", dup309); + +var msg34557 = msg("32688", dup309); + +var msg34558 = msg("32689", dup325); + +var msg34559 = msg("32690", dup325); + +var msg34560 = msg("32691", dup325); + +var msg34561 = msg("32692", dup325); + +var msg34562 = msg("32693", dup309); + +var msg34563 = msg("32694", dup309); + +var msg34564 = msg("32695", dup325); + +var msg34565 = msg("32696", dup325); + +var msg34566 = msg("32697", dup325); + +var msg34567 = msg("32698", dup325); + +var msg34568 = msg("32699", dup325); + +var msg34569 = msg("32700", dup325); + +var msg34570 = msg("32701", dup325); + +var msg34571 = msg("32702", dup325); + +var msg34572 = msg("32703", dup323); + +var msg34573 = msg("32704", dup323); + +var msg34574 = msg("32705", dup314); + +var msg34575 = msg("32706", dup321); + +var msg34576 = msg("32707", dup309); + +var msg34577 = msg("32708", dup309); + +var msg34578 = msg("32709", dup323); + +var msg34579 = msg("32710", dup325); + +var msg34580 = msg("32711", dup309); + +var msg34581 = msg("32712", dup309); + +var msg34582 = msg("32713", dup311); + +var msg34583 = msg("32714", dup311); + +var msg34584 = msg("32715", dup311); + +var msg34585 = msg("32716", dup311); + +var msg34586 = msg("32717", dup311); + +var msg34587 = msg("32718", dup309); + +var msg34588 = msg("32719", dup309); + +var msg34589 = msg("32720", dup325); + +var msg34590 = msg("32721", dup325); + +var msg34591 = msg("32722", dup325); + +var msg34592 = msg("32723", dup325); + +var msg34593 = msg("32724", dup325); + +var msg34594 = msg("32725", dup325); + +var msg34595 = msg("32726", dup321); + +var msg34596 = msg("32727", dup321); + +var msg34597 = msg("32728", dup321); + +var msg34598 = msg("32729", dup314); + +var msg34599 = msg("32730", dup311); + +var msg34600 = msg("32731", dup309); + +var msg34601 = msg("32732", dup309); + +var msg34602 = msg("32733", dup321); + +var msg34603 = msg("32734", dup321); + +var msg34604 = msg("32735", dup321); + +var msg34605 = msg("32736", dup321); + +var msg34606 = msg("32737", dup322); + +var msg34607 = msg("32738", dup307); + +var msg34608 = msg("32739", dup307); + +var msg34609 = msg("32740", dup314); + +var msg34610 = msg("32741", dup314); + +var msg34611 = msg("32742", dup311); + +var msg34612 = msg("32743", dup321); + +var msg34613 = msg("32744", dup314); + +var msg34614 = msg("32745", dup314); + +var msg34615 = msg("32746", dup314); + +var msg34616 = msg("32747", dup321); + +var msg34617 = msg("32748", dup309); + +var msg34618 = msg("32749", dup311); + +var msg34619 = msg("32750", dup311); + +var msg34620 = msg("32751", dup311); + +var msg34621 = msg("32752", dup311); + +var msg34622 = msg("32753", dup311); + +var msg34623 = msg("32754", dup328); + +var msg34624 = msg("32755", dup314); + +var msg34625 = msg("32756", dup314); + +var msg34626 = msg("32757", dup314); + +var msg34627 = msg("32758", dup314); + +var msg34628 = msg("32759", dup314); + +var msg34629 = msg("32760", dup314); + +var msg34630 = msg("32761", dup322); + +var msg34631 = msg("32762", dup325); + +var msg34632 = msg("32763", dup325); + +var msg34633 = msg("32764", dup323); + +var msg34634 = msg("32765", dup323); + +var msg34635 = msg("32766", dup323); + +var msg34636 = msg("32767", dup323); + +var msg34637 = msg("32768", dup322); + +var msg34638 = msg("32769", dup321); + +var msg34639 = msg("32770", dup321); + +var msg34640 = msg("32771", dup321); + +var msg34641 = msg("32772", dup321); + +var msg34642 = msg("32773", dup311); + +var msg34643 = msg("32774", dup200); + +var msg34644 = msg("32775", dup314); + +var msg34645 = msg("32776", dup321); + +var msg34646 = msg("32777", dup325); + +var msg34647 = msg("32778", dup325); + +var msg34648 = msg("32779", dup321); + +var msg34649 = msg("32780", dup321); + +var msg34650 = msg("32781", dup321); + +var msg34651 = msg("32782", dup309); + +var msg34652 = msg("32783", dup309); + +var msg34653 = msg("32784", dup309); + +var msg34654 = msg("32785", dup309); + +var msg34655 = msg("32786", dup311); + +var msg34656 = msg("32787", dup307); + +var msg34657 = msg("32788", dup307); + +var msg34658 = msg("32789", dup307); + +var msg34659 = msg("32790", dup307); + +var msg34660 = msg("32791", dup321); + +var msg34661 = msg("32792", dup321); + +var msg34662 = msg("32793", dup309); + +var msg34663 = msg("32794", dup309); + +var msg34664 = msg("32795", dup314); + +var msg34665 = msg("32796", dup314); + +var msg34666 = msg("32797", dup314); + +var msg34667 = msg("32798", dup314); + +var msg34668 = msg("32799", dup314); + +var msg34669 = msg("32800", dup314); + +var msg34670 = msg("32801", dup314); + +var msg34671 = msg("32802", dup314); + +var msg34672 = msg("32803", dup311); + +var msg34673 = msg("32804", dup311); + +var msg34674 = msg("32805", dup309); + +var msg34675 = msg("32806", dup309); + +var msg34676 = msg("32807", dup309); + +var msg34677 = msg("32808", dup309); + +var msg34678 = msg("32809", dup309); + +var msg34679 = msg("32810", dup309); + +var msg34680 = msg("32811", dup309); + +var msg34681 = msg("32812", dup309); + +var msg34682 = msg("32813", dup314); + +var msg34683 = msg("32814", dup314); + +var msg34684 = msg("32815", dup311); + +var msg34685 = msg("32816", dup311); + +var msg34686 = msg("32817", dup324); + +var msg34687 = msg("32818", dup324); + +var msg34688 = msg("32819", dup311); + +var msg34689 = msg("32820", dup311); + +var msg34690 = msg("32821", dup325); + +var msg34691 = msg("32822", dup325); + +var msg34692 = msg("32823", dup321); + +var msg34693 = msg("32824", dup321); + +var msg34694 = msg("32825", dup321); + +var msg34695 = msg("32826", dup321); + +var msg34696 = msg("32827", dup321); + +var msg34697 = msg("32828", dup309); + +var msg34698 = msg("32829", dup309); + +var msg34699 = msg("32830", dup309); + +var msg34700 = msg("32831", dup309); + +var msg34701 = msg("32832", dup309); + +var msg34702 = msg("32833", dup309); + +var msg34703 = msg("32834", dup309); + +var msg34704 = msg("32835", dup309); + +var msg34705 = msg("32836", dup309); + +var msg34706 = msg("32837", dup309); + +var msg34707 = msg("32838", dup314); + +var msg34708 = msg("32839", dup314); + +var msg34709 = msg("32840", dup314); + +var msg34710 = msg("32841", dup314); + +var msg34711 = msg("32842", dup314); + +var msg34712 = msg("32843", dup325); + +var msg34713 = msg("32844", dup311); + +var msg34714 = msg("32845", dup314); + +var msg34715 = msg("32846", dup314); + +var msg34716 = msg("32847", dup314); + +var msg34717 = msg("32848", dup314); + +var msg34718 = msg("32849", dup314); + +var msg34719 = msg("32850", dup314); + +var msg34720 = msg("32851", dup314); + +var msg34721 = msg("32852", dup321); + +var msg34722 = msg("32853", dup321); + +var msg34723 = msg("32854", dup321); + +var msg34724 = msg("32855", dup314); + +var msg34725 = msg("32856", dup314); + +var msg34726 = msg("32857", dup309); + +var msg34727 = msg("32858", dup309); + +var msg34728 = msg("32859", dup309); + +var msg34729 = msg("32860", dup309); + +var msg34730 = msg("32861", dup309); + +var msg34731 = msg("32862", dup309); + +var msg34732 = msg("32863", dup309); + +var msg34733 = msg("32864", dup306); + +var msg34734 = msg("32865", dup329); + +var msg34735 = msg("32866", dup314); + +var msg34736 = msg("32867", dup314); + +var msg34737 = msg("32868", dup314); + +var msg34738 = msg("32869", dup311); + +var msg34739 = msg("32870", dup311); + +var msg34740 = msg("32871", dup307); + +var msg34741 = msg("32872", dup309); + +var msg34742 = msg("32873", dup314); + +var msg34743 = msg("32874", dup314); + +var msg34744 = msg("32875", dup321); + +var msg34745 = msg("32876", dup311); + +var msg34746 = msg("32877", dup311); + +var msg34747 = msg("32878", dup311); + +var msg34748 = msg("32879", dup311); + +var msg34749 = msg("32880", dup311); + +var msg34750 = msg("32881", dup321); + +var msg34751 = msg("32882", dup321); + +var msg34752 = msg("32883", dup314); + +var msg34753 = msg("32884", dup314); + +var msg34754 = msg("32885", dup311); + +var msg34755 = msg("32886", dup311); + +var msg34756 = msg("32887", dup307); + +var msg34757 = msg("32888", dup321); + +var msg34758 = msg("32889", dup307); + +var msg34759 = msg("32890", dup309); + +var msg34760 = msg("32891", dup321); + +var msg34761 = msg("32892", dup321); + +var msg34762 = msg("32893", dup321); + +var msg34763 = msg("32894", dup314); + +var msg34764 = msg("32895", dup314); + +var msg34765 = msg("32896", dup314); + +var msg34766 = msg("32897", dup314); + +var msg34767 = msg("32898", dup309); + +var msg34768 = msg("32899", dup309); + +var msg34769 = msg("32900", dup314); + +var msg34770 = msg("32901", dup309); + +var msg34771 = msg("32902", dup309); + +var msg34772 = msg("32903", dup309); + +var msg34773 = msg("32904", dup309); + +var msg34774 = msg("32905", dup311); + +var msg34775 = msg("32906", dup311); + +var msg34776 = msg("32907", dup314); + +var msg34777 = msg("32908", dup321); + +var msg34778 = msg("32909", dup321); + +var msg34779 = msg("32910", dup321); + +var msg34780 = msg("32911", dup323); + +var msg34781 = msg("32912", dup323); + +var msg34782 = msg("32913", dup323); + +var msg34783 = msg("32914", dup323); + +var msg34784 = msg("32915", dup323); + +var msg34785 = msg("32916", dup323); + +var msg34786 = msg("32917", dup323); + +var msg34787 = msg("32918", dup323); + +var msg34788 = msg("32919", dup323); + +var msg34789 = msg("32920", dup323); + +var msg34790 = msg("32921", dup323); + +var msg34791 = msg("32922", dup323); + +var msg34792 = msg("32923", dup323); + +var msg34793 = msg("32924", dup323); + +var msg34794 = msg("32925", dup323); + +var msg34795 = msg("32926", dup323); + +var msg34796 = msg("32927", dup323); + +var msg34797 = msg("32928", dup323); + +var msg34798 = msg("32929", dup323); + +var msg34799 = msg("32930", dup323); + +var msg34800 = msg("32931", dup323); + +var msg34801 = msg("32932", dup323); + +var msg34802 = msg("32933", dup323); + +var msg34803 = msg("32934", dup323); + +var msg34804 = msg("32935", dup323); + +var msg34805 = msg("32936", dup323); + +var msg34806 = msg("32937", dup323); + +var msg34807 = msg("32938", dup323); + +var msg34808 = msg("32939", dup311); + +var msg34809 = msg("32940", dup309); + +var msg34810 = msg("32941", dup309); + +var msg34811 = msg("32942", dup309); + +var msg34812 = msg("32943", dup309); + +var msg34813 = msg("32944", dup325); + +var msg34814 = msg("32945", dup311); + +var msg34815 = msg("32946", dup311); + +var msg34816 = msg("32947", dup311); + +var msg34817 = msg("32948", dup311); + +var msg34818 = msg("32949", dup311); + +var msg34819 = msg("32950", dup321); + +var msg34820 = msg("32951", dup311); + +var msg34821 = msg("32952", dup314); + +var msg34822 = msg("32953", dup311); + +var msg34823 = msg("32954", dup311); + +var msg34824 = msg("32955", dup311); + +var msg34825 = msg("32956", dup321); + +var msg34826 = msg("32957", dup321); + +var msg34827 = msg("32958", dup321); + +var msg34828 = msg("32959", dup309); + +var msg34829 = msg("32960", dup309); + +var msg34830 = msg("32961", dup309); + +var msg34831 = msg("32962", dup314); + +var msg34832 = msg("32963", dup314); + +var msg34833 = msg("32964", dup314); + +var msg34834 = msg("32965", dup330); + +var msg34835 = msg("32966", dup330); + +var msg34836 = msg("32967", dup314); + +var msg34837 = msg("32968", dup323); + +var msg34838 = msg("32969", dup323); + +var msg34839 = msg("32970", dup323); + +var msg34840 = msg("32971", dup307); + +var msg34841 = msg("32972", dup321); + +var msg34842 = msg("32973", dup321); + +var msg34843 = msg("32974", dup314); + +var msg34844 = msg("32975", dup314); + +var msg34845 = msg("32976", dup321); + +var msg34846 = msg("32977", dup321); + +var msg34847 = msg("32978", dup325); + +var msg34848 = msg("32979", dup325); + +var msg34849 = msg("32980", dup325); + +var msg34850 = msg("32981", dup321); + +var msg34851 = msg("32982", dup321); + +var msg34852 = msg("32983", dup321); + +var msg34853 = msg("32984", dup321); + +var msg34854 = msg("32985", dup321); + +var msg34855 = msg("32986", dup321); + +var msg34856 = msg("32987", dup321); + +var msg34857 = msg("32988", dup321); + +var msg34858 = msg("32989", dup321); + +var msg34859 = msg("32990", dup321); + +var msg34860 = msg("32991", dup311); + +var msg34861 = msg("32992", dup311); + +var msg34862 = msg("32993", dup314); + +var msg34863 = msg("32994", dup314); + +var msg34864 = msg("32995", dup311); + +var msg34865 = msg("32996", dup309); + +var msg34866 = msg("32997", dup311); + +var msg34867 = msg("32998", dup311); + +var msg34868 = msg("32999", dup311); + +var msg34869 = msg("33000", dup311); + +var msg34870 = msg("33001", dup311); + +var msg34871 = msg("33002", dup311); + +var msg34872 = msg("33003", dup314); + +var msg34873 = msg("33004", dup314); + +var msg34874 = msg("33005", dup309); + +var msg34875 = msg("33006", dup309); + +var msg34876 = msg("33007", dup309); + +var msg34877 = msg("33008", dup309); + +var msg34878 = msg("33009", dup309); + +var msg34879 = msg("33010", dup309); + +var msg34880 = msg("33011", dup309); + +var msg34881 = msg("33012", dup309); + +var msg34882 = msg("33013", dup314); + +var msg34883 = msg("33014", dup314); + +var msg34884 = msg("33015", dup311); + +var msg34885 = msg("33016", dup309); + +var msg34886 = msg("33017", dup309); + +var msg34887 = msg("33018", dup309); + +var msg34888 = msg("33019", dup309); + +var msg34889 = msg("33020", dup309); + +var msg34890 = msg("33021", dup309); + +var msg34891 = msg("33022", dup309); + +var msg34892 = msg("33023", dup309); + +var msg34893 = msg("33024", dup311); + +var msg34894 = msg("33025", dup311); + +var msg34895 = msg("33026", dup314); + +var msg34896 = msg("33027", dup314); + +var msg34897 = msg("33028", dup314); + +var msg34898 = msg("33029", dup309); + +var msg34899 = msg("33030", dup309); + +var msg34900 = msg("33031", dup309); + +var msg34901 = msg("33032", dup309); + +var msg34902 = msg("33033", dup309); + +var msg34903 = msg("33034", dup309); + +var msg34904 = msg("33035", dup309); + +var msg34905 = msg("33036", dup309); + +var msg34906 = msg("33037", dup309); + +var msg34907 = msg("33038", dup309); + +var msg34908 = msg("33039", dup309); + +var msg34909 = msg("33040", dup309); + +var msg34910 = msg("33041", dup309); + +var msg34911 = msg("33042", dup309); + +var msg34912 = msg("33043", dup307); + +var msg34913 = msg("33044", dup314); + +var msg34914 = msg("33045", dup314); + +var msg34915 = msg("33046", dup314); + +var msg34916 = msg("33047", dup325); + +var msg34917 = msg("33048", dup314); + +var msg34918 = msg("33049", dup314); + +var msg34919 = msg("33050", dup309); + +var msg34920 = msg("33051", dup314); + +var msg34921 = msg("33052", dup314); + +var msg34922 = msg("33053", dup324); + +var msg34923 = msg("33054", dup321); + +var msg34924 = msg("33055", dup321); + +var msg34925 = msg("33056", dup321); + +var msg34926 = msg("33057", dup321); + +var msg34927 = msg("33058", dup321); + +var msg34928 = msg("33059", dup321); + +var msg34929 = msg("33060", dup321); + +var msg34930 = msg("33061", dup321); + +var msg34931 = msg("33062", dup333); + +var msg34932 = msg("33063", dup333); + +var msg34933 = msg("33064", dup321); + +var msg34934 = msg("33065", dup321); + +var msg34935 = msg("33066", dup321); + +var msg34936 = msg("33067", dup321); + +var msg34937 = msg("33068", dup321); + +var msg34938 = msg("33069", dup321); + +var msg34939 = msg("33070", dup333); + +var msg34940 = msg("33071", dup333); + +var msg34941 = msg("33072", dup333); + +var msg34942 = msg("33073", dup333); + +var msg34943 = msg("33074", dup323); + +var msg34944 = msg("33075", dup323); + +var msg34945 = msg("33076", dup323); + +var msg34946 = msg("33077", dup324); + +var msg34947 = msg("33078", dup324); + +var msg34948 = msg("33079", dup324); + +var msg34949 = msg("33080", dup324); + +var msg34950 = msg("33081", dup321); + +var msg34951 = msg("33082", dup321); + +var msg34952 = msg("33083", dup321); + +var msg34953 = msg("33084", dup321); + +var msg34954 = msg("33085", dup325); + +var msg34955 = msg("33086", dup325); + +var msg34956 = msg("33087", dup309); + +var msg34957 = msg("33088", dup311); + +var msg34958 = msg("33089", dup311); + +var msg34959 = msg("33090", dup311); + +var msg34960 = msg("33091", dup311); + +var msg34961 = msg("33092", dup311); + +var msg34962 = msg("33093", dup325); + +var msg34963 = msg("33094", dup325); + +var msg34964 = msg("33095", dup325); + +var msg34965 = msg("33096", dup325); + +var msg34966 = msg("33097", dup325); + +var msg34967 = msg("33098", dup325); + +var msg34968 = msg("33099", dup325); + +var msg34969 = msg("33100", dup314); + +var msg34970 = msg("33101", dup314); + +var msg34971 = msg("33102", dup314); + +var msg34972 = msg("33103", dup314); + +var msg34973 = msg("33104", dup323); + +var msg34974 = msg("33105", dup336); + +var msg34975 = msg("33106", dup336); + +var msg34976 = msg("33107", dup336); + +var msg34977 = msg("33108", dup336); + +var msg34978 = msg("33109", dup314); + +var msg34979 = msg("33110", dup314); + +var msg34980 = msg("33111", dup314); + +var msg34981 = msg("33112", dup314); + +var msg34982 = msg("33113", dup311); + +var msg34983 = msg("33114", dup311); + +var msg34984 = msg("33115", dup309); + +var msg34985 = msg("33116", dup309); + +var msg34986 = msg("33117", dup321); + +var msg34987 = msg("33118", dup321); + +var msg34988 = msg("33119", dup321); + +var msg34989 = msg("33120", dup321); + +var msg34990 = msg("33121", dup321); + +var msg34991 = msg("33122", dup321); + +var msg34992 = msg("33123", dup321); + +var msg34993 = msg("33124", dup321); + +var msg34994 = msg("33125", dup321); + +var msg34995 = msg("33126", dup321); + +var msg34996 = msg("33127", dup321); + +var msg34997 = msg("33128", dup321); + +var msg34998 = msg("33129", dup321); + +var msg34999 = msg("33130", dup321); + +var msg35000 = msg("33131", dup321); + +var msg35001 = msg("33132", dup321); + +var msg35002 = msg("33133", dup321); + +var msg35003 = msg("33134", dup321); + +var msg35004 = msg("33135", dup321); + +var msg35005 = msg("33136", dup321); + +var msg35006 = msg("33137", dup321); + +var msg35007 = msg("33138", dup321); + +var msg35008 = msg("33139", dup321); + +var msg35009 = msg("33140", dup321); + +var msg35010 = msg("33141", dup321); + +var msg35011 = msg("33142", dup321); + +var msg35012 = msg("33143", dup321); + +var msg35013 = msg("33144", dup321); + +var msg35014 = msg("33145", dup321); + +var msg35015 = msg("33146", dup321); + +var msg35016 = msg("33147", dup335); + +var msg35017 = msg("33148", dup335); + +var msg35018 = msg("33149", dup321); + +var msg35019 = msg("33150", dup321); + +var msg35020 = msg("33151", dup321); + +var msg35021 = msg("33152", dup321); + +var msg35022 = msg("33153", dup321); + +var msg35023 = msg("33154", dup321); + +var msg35024 = msg("33155", dup314); + +var msg35025 = msg("33156", dup314); + +var msg35026 = msg("33157", dup307); + +var msg35027 = msg("33158", dup307); + +var msg35028 = msg("33159", dup324); + +var msg35029 = msg("33160", dup324); + +var msg35030 = msg("33161", dup321); + +var msg35031 = msg("33162", dup325); + +var msg35032 = msg("33163", dup325); + +var msg35033 = msg("33164", dup309); + +var msg35034 = msg("33165", dup321); + +var msg35035 = msg("33166", dup311); + +var msg35036 = msg("33167", dup311); + +var msg35037 = msg("33168", dup311); + +var msg35038 = msg("33169", dup311); + +var msg35039 = msg("33170", dup333); + +var msg35040 = msg("33171", dup333); + +var msg35041 = msg("33172", dup333); + +var msg35042 = msg("33173", dup333); + +var msg35043 = msg("33174", dup333); + +var msg35044 = msg("33175", dup333); + +var msg35045 = msg("33176", dup311); + +var msg35046 = msg("33177", dup311); + +var msg35047 = msg("33178", dup309); + +var msg35048 = msg("33179", dup309); + +var msg35049 = msg("33180", dup309); + +var msg35050 = msg("33181", dup309); + +var msg35051 = msg("33182", dup311); + +var msg35052 = msg("33183", dup311); + +var msg35053 = msg("33184", dup311); + +var msg35054 = msg("33185", dup311); + +var msg35055 = msg("33186", dup311); + +var msg35056 = msg("33187", dup311); + +var msg35057 = msg("33188", dup321); + +var msg35058 = msg("33189", dup316); + +var msg35059 = msg("33190", dup316); + +var msg35060 = msg("33191", dup325); + +var msg35061 = msg("33192", dup325); + +var msg35062 = msg("33193", dup325); + +var msg35063 = msg("33194", dup325); + +var msg35064 = msg("33195", dup325); + +var msg35065 = msg("33196", dup325); + +var msg35066 = msg("33197", dup314); + +var msg35067 = msg("33198", dup309); + +var msg35068 = msg("33199", dup321); + +var msg35069 = msg("33200", dup321); + +var msg35070 = msg("33201", dup311); + +var msg35071 = msg("33202", dup311); + +var msg35072 = msg("33203", dup311); + +var msg35073 = msg("33204", dup311); + +var msg35074 = msg("33205", dup311); + +var msg35075 = msg("33206", dup311); + +var msg35076 = msg("33207", dup325); + +var msg35077 = msg("33208", dup321); + +var msg35078 = msg("33209", dup321); + +var msg35079 = msg("33210", dup321); + +var msg35080 = msg("33211", dup321); + +var msg35081 = msg("33212", dup333); + +var msg35082 = msg("33213", dup311); + +var msg35083 = msg("33214", dup311); + +var msg35084 = msg("33215", dup321); + +var msg35085 = msg("33216", dup321); + +var msg35086 = msg("33217", dup321); + +var msg35087 = msg("33218", dup321); + +var msg35088 = msg("33219", dup321); + +var msg35089 = msg("33220", dup321); + +var msg35090 = msg("33221", dup321); + +var msg35091 = msg("33222", dup321); + +var msg35092 = msg("33223", dup321); + +var msg35093 = msg("33224", dup200); + +var msg35094 = msg("33225", dup309); + +var msg35095 = msg("33226", dup309); + +var msg35096 = msg("33227", dup321); + +var msg35097 = msg("33228", dup321); + +var msg35098 = msg("33229", dup311); + +var msg35099 = msg("33230", dup325); + +var msg35100 = msg("33231", dup325); + +var msg35101 = msg("33232", dup325); + +var msg35102 = msg("33233", dup325); + +var msg35103 = msg("33234", dup325); + +var msg35104 = msg("33235", dup325); + +var msg35105 = msg("33236", dup325); + +var msg35106 = msg("33237", dup325); + +var msg35107 = msg("33238", dup325); + +var msg35108 = msg("33239", dup325); + +var msg35109 = msg("33240", dup325); + +var msg35110 = msg("33241", dup325); + +var msg35111 = msg("33242", dup325); + +var msg35112 = msg("33243", dup325); + +var msg35113 = msg("33244", dup325); + +var msg35114 = msg("33245", dup325); + +var msg35115 = msg("33246", dup325); + +var msg35116 = msg("33247", dup325); + +var msg35117 = msg("33248", dup325); + +var msg35118 = msg("33249", dup325); + +var msg35119 = msg("33250", dup325); + +var msg35120 = msg("33251", dup325); + +var msg35121 = msg("33252", dup325); + +var msg35122 = msg("33253", dup325); + +var msg35123 = msg("33254", dup325); + +var msg35124 = msg("33255", dup325); + +var msg35125 = msg("33256", dup325); + +var msg35126 = msg("33257", dup325); + +var msg35127 = msg("33258", dup325); + +var msg35128 = msg("33259", dup325); + +var msg35129 = msg("33260", dup325); + +var msg35130 = msg("33261", dup314); + +var msg35131 = msg("33262", dup314); + +var msg35132 = msg("33263", dup314); + +var msg35133 = msg("33264", dup314); + +var msg35134 = msg("33265", dup314); + +var msg35135 = msg("33266", dup314); + +var msg35136 = msg("33267", dup314); + +var msg35137 = msg("33268", dup314); + +var msg35138 = msg("33269", dup314); + +var msg35139 = msg("33270", dup314); + +var msg35140 = msg("33271", dup311); + +var msg35141 = msg("33272", dup311); + +var msg35142 = msg("33273", dup311); + +var msg35143 = msg("33274", dup311); + +var msg35144 = msg("33275", dup309); + +var msg35145 = msg("33276", dup316); + +var msg35146 = msg("33277", dup316); + +var msg35147 = msg("33278", dup316); + +var msg35148 = msg("33279", dup311); + +var msg35149 = msg("33280", dup321); + +var msg35150 = msg("33281", dup321); + +var msg35151 = msg("33282", dup321); + +var msg35152 = msg("33283", dup321); + +var msg35153 = msg("33284", dup321); + +var msg35154 = msg("33285", dup321); + +var msg35155 = msg("33286", dup311); + +var msg35156 = msg("33287", dup325); + +var msg35157 = msg("33288", dup325); + +var msg35158 = msg("33289", dup321); + +var msg35159 = msg("33290", dup314); + +var msg35160 = msg("33291", dup314); + +var msg35161 = msg("33292", dup311); + +var msg35162 = msg("33293", dup314); + +var msg35163 = msg("33294", dup314); + +var msg35164 = msg("33295", dup309); + +var msg35165 = msg("33296", dup309); + +var msg35166 = msg("33297", dup309); + +var msg35167 = msg("33298", dup309); + +var msg35168 = msg("33299", dup321); + +var msg35169 = msg("33300", dup324); + +var msg35170 = msg("33301", dup324); + +var msg35171 = msg("33302", dup324); + +var msg35172 = msg("33303", dup324); + +var msg35173 = msg("33304", dup321); + +var msg35174 = msg("33305", dup321); + +var msg35175 = msg("33306", dup321); + +var msg35176 = msg("33307", dup311); + +var msg35177 = msg("33308", dup311); + +var msg35178 = msg("33309", dup309); + +var msg35179 = msg("33310", dup309); + +var msg35180 = msg("33311", dup321); + +var msg35181 = msg("33312", dup311); + +var msg35182 = msg("33313", dup311); + +var msg35183 = msg("33314", dup325); + +var msg35184 = msg("33315", dup325); + +var msg35185 = msg("33316", dup325); + +var msg35186 = msg("33317", dup325); + +var msg35187 = msg("33318", dup325); + +var msg35188 = msg("33319", dup325); + +var msg35189 = msg("33320", dup325); + +var msg35190 = msg("33321", dup325); + +var msg35191 = msg("33322", dup325); + +var msg35192 = msg("33323", dup311); + +var msg35193 = msg("33324", dup325); + +var msg35194 = msg("33325", dup325); + +var msg35195 = msg("33326", dup321); + +var msg35196 = msg("33327", dup321); + +var msg35197 = msg("33328", dup321); + +var msg35198 = msg("33329", dup321); + +var msg35199 = msg("33330", dup321); + +var msg35200 = msg("33331", dup325); + +var msg35201 = msg("33332", dup325); + +var msg35202 = msg("33333", dup325); + +var msg35203 = msg("33334", dup325); + +var msg35204 = msg("33335", dup325); + +var msg35205 = msg("33336", dup325); + +var msg35206 = msg("33337", dup325); + +var msg35207 = msg("33338", dup325); + +var msg35208 = msg("33339", dup316); + +var msg35209 = msg("33340", dup325); + +var msg35210 = msg("33341", dup325); + +var msg35211 = msg("33342", dup321); + +var msg35212 = msg("33343", dup314); + +var msg35213 = msg("33344", dup314); + +var msg35214 = msg("33345", dup325); + +var msg35215 = msg("33346", dup325); + +var msg35216 = msg("33347", dup325); + +var msg35217 = msg("33348", dup325); + +var msg35218 = msg("33349", dup325); + +var msg35219 = msg("33350", dup309); + +var msg35220 = msg("33351", dup309); + +var msg35221 = msg("33352", dup311); + +var msg35222 = msg("33353", dup325); + +var msg35223 = msg("33354", dup325); + +var msg35224 = msg("33355", dup314); + +var msg35225 = msg("33356", dup325); + +var msg35226 = msg("33357", dup325); + +var msg35227 = msg("33358", dup325); + +var msg35228 = msg("33359", dup325); + +var msg35229 = msg("33360", dup325); + +var msg35230 = msg("33361", dup325); + +var msg35231 = msg("33362", dup309); + +var msg35232 = msg("33363", dup314); + +var msg35233 = msg("33364", dup314); + +var msg35234 = msg("33365", dup325); + +var msg35235 = msg("33366", dup325); + +var msg35236 = msg("33367", dup314); + +var msg35237 = msg("33368", dup314); + +var msg35238 = msg("33369", dup314); + +var msg35239 = msg("33370", dup314); + +var msg35240 = msg("33371", dup314); + +var msg35241 = msg("33372", dup314); + +var msg35242 = msg("33373", dup314); + +var msg35243 = msg("33374", dup314); + +var msg35244 = msg("33375", dup314); + +var msg35245 = msg("33376", dup314); + +var msg35246 = msg("33377", dup314); + +var msg35247 = msg("33378", dup314); + +var msg35248 = msg("33379", dup314); + +var msg35249 = msg("33380", dup314); + +var msg35250 = msg("33381", dup314); + +var msg35251 = msg("33382", dup314); + +var msg35252 = msg("33383", dup314); + +var msg35253 = msg("33384", dup314); + +var msg35254 = msg("33385", dup314); + +var msg35255 = msg("33386", dup314); + +var msg35256 = msg("33387", dup314); + +var msg35257 = msg("33388", dup314); + +var msg35258 = msg("33389", dup314); + +var msg35259 = msg("33390", dup314); + +var msg35260 = msg("33391", dup314); + +var msg35261 = msg("33392", dup314); + +var msg35262 = msg("33393", dup314); + +var msg35263 = msg("33394", dup314); + +var msg35264 = msg("33395", dup314); + +var msg35265 = msg("33396", dup314); + +var msg35266 = msg("33397", dup314); + +var msg35267 = msg("33398", dup314); + +var msg35268 = msg("33399", dup314); + +var msg35269 = msg("33400", dup314); + +var msg35270 = msg("33401", dup314); + +var msg35271 = msg("33402", dup314); + +var msg35272 = msg("33403", dup314); + +var msg35273 = msg("33404", dup314); + +var msg35274 = msg("33405", dup314); + +var msg35275 = msg("33406", dup314); + +var msg35276 = msg("33407", dup314); + +var msg35277 = msg("33408", dup314); + +var msg35278 = msg("33409", dup314); + +var msg35279 = msg("33410", dup314); + +var msg35280 = msg("33411", dup321); + +var msg35281 = msg("33412", dup311); + +var msg35282 = msg("33413", dup325); + +var msg35283 = msg("33414", dup325); + +var msg35284 = msg("33415", dup325); + +var msg35285 = msg("33416", dup325); + +var msg35286 = msg("33417", dup325); + +var msg35287 = msg("33418", dup325); + +var msg35288 = msg("33419", dup325); + +var msg35289 = msg("33420", dup325); + +var msg35290 = msg("33421", dup311); + +var msg35291 = msg("33422", dup311); + +var msg35292 = msg("33423", dup325); + +var msg35293 = msg("33424", dup325); + +var msg35294 = msg("33425", dup325); + +var msg35295 = msg("33426", dup325); + +var msg35296 = msg("33427", dup325); + +var msg35297 = msg("33428", dup325); + +var msg35298 = msg("33429", dup311); + +var msg35299 = msg("33430", dup314); + +var msg35300 = msg("33431", dup321); + +var msg35301 = msg("33432", dup321); + +var msg35302 = msg("33433", dup321); + +var msg35303 = msg("33434", dup321); + +var msg35304 = msg("33435", dup321); + +var msg35305 = msg("33436", dup309); + +var msg35306 = msg("33437", dup309); + +var msg35307 = msg("33438", dup321); + +var msg35308 = msg("33439", dup321); + +var msg35309 = msg("33440", dup311); + +var msg35310 = msg("33441", dup309); + +var msg35311 = msg("33442", dup309); + +var msg35312 = msg("33443", dup321); + +var msg35313 = msg("33444", dup321); + +var msg35314 = msg("33445", dup323); + +var msg35315 = msg("33446", dup316); + +var msg35316 = msg("33447", dup316); + +var msg35317 = msg("33448", dup316); + +var msg35318 = msg("33449", dup323); + +var msg35319 = msg("33450", dup321); + +var msg35320 = msg("33451", dup309); + +var msg35321 = msg("33452", dup314); + +var msg35322 = msg("33453", dup321); + +var msg35323 = msg("33454", dup309); + +var msg35324 = msg("33455", dup309); + +var msg35325 = msg("33456", dup321); + +var msg35326 = msg("33457", dup321); + +var msg35327 = msg("33458", dup311); + +var msg35328 = msg("33459", dup311); + +var msg35329 = msg("33460", dup311); + +var msg35330 = msg("33461", dup311); + +var msg35331 = msg("33462", dup311); + +var msg35332 = msg("33463", dup311); + +var msg35333 = msg("33464", dup321); + +var msg35334 = msg("33465", dup309); + +var msg35335 = msg("33466", dup309); + +var msg35336 = msg("33467", dup309); + +var msg35337 = msg("33468", dup309); + +var msg35338 = msg("33469", dup311); + +var msg35339 = msg("33470", dup311); + +var msg35340 = msg("33471", dup311); + +var msg35341 = msg("33472", dup311); + +var msg35342 = msg("33473", dup311); + +var msg35343 = msg("33474", dup311); + +var msg35344 = msg("33475", dup314); + +var msg35345 = msg("33476", dup314); + +var msg35346 = msg("33477", dup314); + +var msg35347 = msg("33478", dup314); + +var msg35348 = msg("33564", dup309); + +var msg35349 = msg("33565", dup311); + +var msg35350 = msg("33566", dup309); + +var msg35351 = msg("33567", dup309); + +var msg35352 = msg("33568", dup309); + +var msg35353 = msg("33569", dup311); + +var msg35354 = msg("33570", dup311); + +var msg35355 = msg("33571", dup311); + +var msg35356 = msg("33572", dup311); + +var msg35357 = msg("33573", dup323); + +var msg35358 = msg("33574", dup323); + +var msg35359 = msg("33575", dup311); + +var msg35360 = msg("33576", dup311); + +var msg35361 = msg("33577", dup311); + +var msg35362 = msg("33578", dup311); + +var msg35363 = msg("33579", dup314); + +var msg35364 = msg("33580", dup321); + +var msg35365 = msg("33581", dup314); + +var msg35366 = msg("33582", dup309); + +var msg35367 = msg("33583", dup324); + +var msg35368 = msg("33584", dup311); + +var msg35369 = msg("33585", dup311); + +var msg35370 = msg("33586", dup311); + +var msg35371 = msg("33587", dup309); + +var msg35372 = msg("33588", dup309); + +var msg35373 = msg("33589", dup309); + +var msg35374 = msg("33590", dup309); + +var msg35375 = msg("33591", dup309); + +var msg35376 = msg("33592", dup309); + +var msg35377 = msg("33593", dup309); + +var msg35378 = msg("33594", dup321); + +var msg35379 = msg("33595", dup309); + +var msg35380 = msg("33596", dup309); + +var msg35381 = msg("33597", dup314); + +var msg35382 = msg("33598", dup314); + +var msg35383 = msg("33599", dup314); + +var msg35384 = msg("33600", dup321); + +var msg35385 = msg("33601", dup311); + +var msg35386 = msg("33602", dup311); + +var msg35387 = msg("33603", dup311); + +var msg35388 = msg("33604", dup311); + +var msg35389 = msg("33605", dup325); + +var msg35390 = msg("33606", dup325); + +var msg35391 = msg("33607", dup314); + +var msg35392 = msg("33608", dup314); + +var msg35393 = msg("33609", dup310); + +var msg35394 = msg("33610", dup310); + +var msg35395 = msg("33611", dup310); + +var msg35396 = msg("33612", dup314); + +var msg35397 = msg("33613", dup314); + +var msg35398 = msg("33614", dup314); + +var msg35399 = msg("33615", dup311); + +var msg35400 = msg("33618", dup321); + +var msg35401 = msg("33619", dup321); + +var msg35402 = msg("33620", dup321); + +var msg35403 = msg("33621", dup321); + +var msg35404 = msg("33622", dup324); + +var msg35405 = msg("33623", dup324); + +var msg35406 = msg("33624", dup324); + +var msg35407 = msg("33625", dup324); + +var msg35408 = msg("33626", dup324); + +var msg35409 = msg("33627", dup324); + +var msg35410 = msg("33628", dup324); + +var msg35411 = msg("33629", dup324); + +var msg35412 = msg("33630", dup324); + +var msg35413 = msg("33631", dup324); + +var msg35414 = msg("33632", dup316); + +var msg35415 = msg("33633", dup325); + +var msg35416 = msg("33634", dup324); + +var msg35417 = msg("33635", dup324); + +var msg35418 = msg("33636", dup308); + +var msg35419 = msg("33637", dup322); + +var msg35420 = msg("33638", dup324); + +var msg35421 = msg("33639", dup324); + +var msg35422 = msg("33640", dup314); + +var msg35423 = msg("33641", dup314); + +var msg35424 = msg("33642", dup314); + +var msg35425 = msg("33643", dup309); + +var msg35426 = msg("33644", dup309); + +var msg35427 = msg("33645", dup321); + +var msg35428 = msg("33646", dup324); + +var msg35429 = msg("33647", dup324); + +var msg35430 = msg("33648", dup324); + +var msg35431 = msg("33649", dup325); + +var msg35432 = msg("33650", dup321); + +var msg35433 = msg("33651", dup322); + +var msg35434 = msg("33652", dup322); + +var msg35435 = msg("33653", dup322); + +var all62 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup122, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg35436 = msg("33654", all62); + +var msg35437 = msg("33655", dup310); + +var msg35438 = msg("33656", dup321); + +var msg35439 = msg("33657", dup307); + +var msg35440 = msg("33658", dup307); + +var msg35441 = msg("33659", dup307); + +var msg35442 = msg("33660", dup321); + +var msg35443 = msg("33661", dup314); + +var msg35444 = msg("33662", dup314); + +var msg35445 = msg("33663", dup311); + +var msg35446 = msg("33664", dup314); + +var msg35447 = msg("33665", dup316); + +var msg35448 = msg("33666", dup314); + +var msg35449 = msg("33667", dup314); + +var msg35450 = msg("33668", dup314); + +var msg35451 = msg("33669", dup311); + +var msg35452 = msg("33670", dup324); + +var msg35453 = msg("33671", dup324); + +var msg35454 = msg("33672", dup324); + +var msg35455 = msg("33673", dup321); + +var msg35456 = msg("33674", dup321); + +var msg35457 = msg("33675", dup321); + +var msg35458 = msg("33676", dup316); + +var msg35459 = msg("33677", dup321); + +var msg35460 = msg("33678", dup321); + +var msg35461 = msg("33679", dup324); + +var msg35462 = msg("33680", dup324); + +var msg35463 = msg("33681", dup321); + +var msg35464 = msg("33682", dup314); + +var msg35465 = msg("33683", dup314); + +var msg35466 = msg("33684", dup311); + +var msg35467 = msg("33685", dup311); + +var msg35468 = msg("33686", dup323); + +var msg35469 = msg("33687", dup323); + +var msg35470 = msg("33688", dup323); + +var msg35471 = msg("33689", dup323); + +var msg35472 = msg("33690", dup323); + +var msg35473 = msg("33691", dup323); + +var msg35474 = msg("33692", dup323); + +var msg35475 = msg("33693", dup323); + +var msg35476 = msg("33694", dup323); + +var msg35477 = msg("33695", dup323); + +var msg35478 = msg("33696", dup323); + +var msg35479 = msg("33697", dup323); + +var msg35480 = msg("33698", dup323); + +var msg35481 = msg("33699", dup323); + +var msg35482 = msg("33700", dup323); + +var msg35483 = msg("33701", dup323); + +var msg35484 = msg("33702", dup323); + +var msg35485 = msg("33703", dup323); + +var msg35486 = msg("33704", dup321); + +var msg35487 = msg("33705", dup309); + +var msg35488 = msg("33706", dup309); + +var msg35489 = msg("33707", dup325); + +var msg35490 = msg("33708", dup325); + +var msg35491 = msg("33709", dup323); + +var msg35492 = msg("33710", dup323); + +var msg35493 = msg("33711", dup314); + +var msg35494 = msg("33712", dup314); + +var msg35495 = msg("33713", dup309); + +var msg35496 = msg("33714", dup309); + +var msg35497 = msg("33715", dup309); + +var msg35498 = msg("33716", dup309); + +var msg35499 = msg("33717", dup314); + +var msg35500 = msg("33718", dup311); + +var msg35501 = msg("33719", dup311); + +var msg35502 = msg("33720", dup325); + +var msg35503 = msg("33721", dup325); + +var msg35504 = msg("33722", dup309); + +var msg35505 = msg("33723", dup309); + +var msg35506 = msg("33724", dup311); + +var msg35507 = msg("33725", dup311); + +var msg35508 = msg("33726", dup325); + +var msg35509 = msg("33727", dup325); + +var msg35510 = msg("33728", dup314); + +var msg35511 = msg("33729", dup314); + +var msg35512 = msg("33730", dup325); + +var msg35513 = msg("33731", dup325); + +var msg35514 = msg("33732", dup314); + +var msg35515 = msg("33733", dup314); + +var msg35516 = msg("33734", dup309); + +var msg35517 = msg("33735", dup309); + +var msg35518 = msg("33736", dup325); + +var msg35519 = msg("33737", dup325); + +var msg35520 = msg("33738", dup325); + +var msg35521 = msg("33739", dup325); + +var msg35522 = msg("33740", dup314); + +var msg35523 = msg("33741", dup325); + +var msg35524 = msg("33742", dup325); + +var msg35525 = msg("33743", dup309); + +var msg35526 = msg("33744", dup309); + +var msg35527 = msg("33745", dup321); + +var msg35528 = msg("33746", dup321); + +var msg35529 = msg("33747", dup321); + +var msg35530 = msg("33748", dup321); + +var msg35531 = msg("33749", dup321); + +var msg35532 = msg("33750", dup321); + +var msg35533 = msg("33751", dup321); + +var msg35534 = msg("33752", dup321); + +var msg35535 = msg("33753", dup321); + +var msg35536 = msg("33754", dup321); + +var msg35537 = msg("33755", dup321); + +var msg35538 = msg("33756", dup321); + +var msg35539 = msg("33757", dup321); + +var msg35540 = msg("33758", dup321); + +var msg35541 = msg("33759", dup321); + +var msg35542 = msg("33760", dup325); + +var msg35543 = msg("33761", dup325); + +var msg35544 = msg("33762", dup311); + +var msg35545 = msg("33763", dup325); + +var msg35546 = msg("33764", dup325); + +var msg35547 = msg("33765", dup323); + +var msg35548 = msg("33766", dup323); + +var msg35549 = msg("33767", dup314); + +var msg35550 = msg("33768", dup314); + +var msg35551 = msg("33769", dup314); + +var msg35552 = msg("33770", dup314); + +var msg35553 = msg("33771", dup314); + +var msg35554 = msg("33772", dup314); + +var msg35555 = msg("33773", dup314); + +var msg35556 = msg("33774", dup314); + +var msg35557 = msg("33775", dup325); + +var msg35558 = msg("33776", dup325); + +var msg35559 = msg("33777", dup323); + +var msg35560 = msg("33778", dup323); + +var msg35561 = msg("33779", dup323); + +var msg35562 = msg("33780", dup323); + +var msg35563 = msg("33781", dup323); + +var msg35564 = msg("33782", dup323); + +var msg35565 = msg("33783", dup323); + +var msg35566 = msg("33784", dup323); + +var msg35567 = msg("33785", dup323); + +var msg35568 = msg("33786", dup323); + +var msg35569 = msg("33787", dup323); + +var msg35570 = msg("33788", dup323); + +var msg35571 = msg("33789", dup323); + +var msg35572 = msg("33790", dup323); + +var msg35573 = msg("33791", dup323); + +var msg35574 = msg("33792", dup323); + +var msg35575 = msg("33793", dup323); + +var msg35576 = msg("33794", dup323); + +var msg35577 = msg("33795", dup323); + +var msg35578 = msg("33796", dup323); + +var msg35579 = msg("33797", dup323); + +var msg35580 = msg("33798", dup323); + +var msg35581 = msg("33799", dup323); + +var msg35582 = msg("33800", dup323); + +var msg35583 = msg("33801", dup323); + +var msg35584 = msg("33802", dup323); + +var msg35585 = msg("33803", dup323); + +var msg35586 = msg("33804", dup323); + +var msg35587 = msg("33805", dup323); + +var msg35588 = msg("33806", dup323); + +var msg35589 = msg("33807", dup316); + +var msg35590 = msg("33808", dup314); + +var msg35591 = msg("33809", dup314); + +var msg35592 = msg("33810", dup311); + +var msg35593 = msg("33811", dup314); + +var msg35594 = msg("33812", dup311); + +var msg35595 = msg("33813", dup310); + +var msg35596 = msg("33814", dup307); + +var msg35597 = msg("33815", dup321); + +var msg35598 = msg("33816", dup321); + +var msg35599 = msg("33817", dup310); + +var msg35600 = msg("33818", dup321); + +var msg35601 = msg("33819", dup321); + +var msg35602 = msg("33820", dup321); + +var msg35603 = msg("33821", dup321); + +var msg35604 = msg("33822", dup321); + +var msg35605 = msg("33823", dup321); + +var msg35606 = msg("33824", dup311); + +var msg35607 = msg("33825", dup314); + +var msg35608 = msg("33826", dup324); + +var msg35609 = msg("33827", dup311); + +var msg35610 = msg("33828", dup311); + +var msg35611 = msg("33829", dup311); + +var msg35612 = msg("33830", dup307); + +var msg35613 = msg("33831", dup325); + +var msg35614 = msg("33832", dup316); + +var msg35615 = msg("33833", dup321); + +var msg35616 = msg("33834", dup321); + +var msg35617 = msg("33835", dup321); + +var msg35618 = msg("33836", dup321); + +var msg35619 = msg("33837", dup321); + +var msg35620 = msg("33838", dup321); + +var msg35621 = msg("33839", dup321); + +var msg35622 = msg("33840", dup321); + +var msg35623 = msg("33841", dup321); + +var msg35624 = msg("33842", dup321); + +var msg35625 = msg("33843", dup321); + +var msg35626 = msg("33844", dup321); + +var msg35627 = msg("33845", dup321); + +var msg35628 = msg("33846", dup321); + +var msg35629 = msg("33847", dup321); + +var msg35630 = msg("33848", dup321); + +var msg35631 = msg("33849", dup321); + +var msg35632 = msg("33850", dup321); + +var msg35633 = msg("33851", dup321); + +var msg35634 = msg("33852", dup321); + +var msg35635 = msg("33853", dup307); + +var msg35636 = msg("33854", dup321); + +var msg35637 = msg("33855", dup325); + +var msg35638 = msg("33856", dup314); + +var msg35639 = msg("33857", dup321); + +var msg35640 = msg("33858", dup314); + +var msg35641 = msg("33859", dup321); + +var msg35642 = msg("33860", dup321); + +var msg35643 = msg("33861", dup321); + +var msg35644 = msg("33862", dup321); + +var msg35645 = msg("33863", dup321); + +var msg35646 = msg("33864", dup321); + +var msg35647 = msg("33865", dup321); + +var msg35648 = msg("33866", dup321); + +var msg35649 = msg("33867", dup321); + +var msg35650 = msg("33868", dup321); + +var msg35651 = msg("33869", dup323); + +var msg35652 = msg("33870", dup323); + +var msg35653 = msg("33871", dup332); + +var msg35654 = msg("33872", dup321); + +var msg35655 = msg("33873", dup321); + +var msg35656 = msg("33874", dup321); + +var msg35657 = msg("33875", dup314); + +var msg35658 = msg("33876", dup321); + +var msg35659 = msg("33877", dup321); + +var msg35660 = msg("33878", dup321); + +var msg35661 = msg("33879", dup321); + +var msg35662 = msg("33880", dup321); + +var msg35663 = msg("33881", dup321); + +var msg35664 = msg("33882", dup321); + +var msg35665 = msg("33883", dup321); + +var msg35666 = msg("33884", dup325); + +var msg35667 = msg("33885", dup321); + +var msg35668 = msg("33886", dup321); + +var msg35669 = msg("33887", dup316); + +var msg35670 = msg("33888", dup316); + +var msg35671 = msg("33889", dup316); + +var msg35672 = msg("33890", dup316); + +var msg35673 = msg("33891", dup321); + +var msg35674 = msg("33892", dup321); + +var msg35675 = msg("33893", dup321); + +var msg35676 = msg("33894", dup311); + +var msg35677 = msg("33895", dup311); + +var msg35678 = msg("33896", dup311); + +var msg35679 = msg("33897", dup307); + +var msg35680 = msg("33898", dup307); + +var msg35681 = msg("33899", dup311); + +var msg35682 = msg("33900", dup311); + +var msg35683 = msg("33901", dup311); + +var msg35684 = msg("33902", dup311); + +var msg35685 = msg("33903", dup307); + +var msg35686 = msg("33904", dup307); + +var msg35687 = msg("33905", dup311); + +var msg35688 = msg("33906", dup311); + +var msg35689 = msg("33907", dup325); + +var msg35690 = msg("33908", dup309); + +var msg35691 = msg("33909", dup309); + +var msg35692 = msg("33910", dup324); + +var msg35693 = msg("33911", dup324); + +var msg35694 = msg("33912", dup321); + +var msg35695 = msg("33913", dup321); + +var msg35696 = msg("33914", dup325); + +var msg35697 = msg("33915", dup314); + +var msg35698 = msg("33916", dup314); + +var msg35699 = msg("33917", dup314); + +var msg35700 = msg("33918", dup314); + +var msg35701 = msg("33919", dup314); + +var msg35702 = msg("33920", dup314); + +var msg35703 = msg("33921", dup314); + +var msg35704 = msg("33922", dup307); + +var msg35705 = msg("33923", dup309); + +var msg35706 = msg("33924", dup309); + +var msg35707 = msg("33925", dup309); + +var msg35708 = msg("33926", dup309); + +var msg35709 = msg("33927", dup334); + +var msg35710 = msg("33928", dup324); + +var msg35711 = msg("33929", dup324); + +var msg35712 = msg("33930", dup321); + +var msg35713 = msg("33931", dup321); + +var msg35714 = msg("33932", dup321); + +var msg35715 = msg("33933", dup321); + +var msg35716 = msg("33934", dup314); + +var msg35717 = msg("33935", dup314); + +var msg35718 = msg("33936", dup316); + +var msg35719 = msg("33937", dup316); + +var msg35720 = msg("33938", dup316); + +var msg35721 = msg("33939", dup311); + +var msg35722 = msg("33940", dup311); + +var msg35723 = msg("33941", dup311); + +var msg35724 = msg("33942", dup311); + +var msg35725 = msg("33943", dup311); + +var msg35726 = msg("33944", dup309); + +var msg35727 = msg("33945", dup309); + +var msg35728 = msg("33946", dup309); + +var msg35729 = msg("33947", dup309); + +var msg35730 = msg("33948", dup309); + +var msg35731 = msg("33949", dup309); + +var msg35732 = msg("33950", dup309); + +var msg35733 = msg("33951", dup309); + +var msg35734 = msg("33952", dup309); + +var msg35735 = msg("33953", dup309); + +var msg35736 = msg("33954", dup309); + +var msg35737 = msg("33955", dup309); + +var msg35738 = msg("33956", dup309); + +var msg35739 = msg("33957", dup309); + +var msg35740 = msg("33958", dup309); + +var msg35741 = msg("33959", dup309); + +var msg35742 = msg("33960", dup311); + +var msg35743 = msg("33961", dup311); + +var msg35744 = msg("33962", dup314); + +var msg35745 = msg("33963", dup314); + +var msg35746 = msg("33964", dup314); + +var msg35747 = msg("33965", dup321); + +var msg35748 = msg("33966", dup321); + +var msg35749 = msg("33967", dup311); + +var msg35750 = msg("33968", dup311); + +var msg35751 = msg("33969", dup311); + +var msg35752 = msg("33970", dup311); + +var msg35753 = msg("33971", dup314); + +var msg35754 = msg("33972", dup314); + +var msg35755 = msg("33973", dup314); + +var msg35756 = msg("33974", dup314); + +var msg35757 = msg("33975", dup314); + +var msg35758 = msg("33976", dup314); + +var msg35759 = msg("33977", dup314); + +var msg35760 = msg("33978", dup314); + +var msg35761 = msg("33979", dup309); + +var msg35762 = msg("33980", dup309); + +var msg35763 = msg("33981", dup311); + +var msg35764 = msg("33982", dup311); + +var msg35765 = msg("33983", dup311); + +var msg35766 = msg("33984", dup316); + +var msg35767 = msg("33985", dup321); + +var msg35768 = msg("33986", dup314); + +var msg35769 = msg("33987", dup311); + +var msg35770 = msg("33988", dup321); + +var msg35771 = msg("33989", dup321); + +var msg35772 = msg("33990", dup321); + +var msg35773 = msg("33991", dup321); + +var msg35774 = msg("33992", dup321); + +var msg35775 = msg("33993", dup321); + +var msg35776 = msg("33994", dup321); + +var msg35777 = msg("33995", dup321); + +var msg35778 = msg("33996", dup321); + +var msg35779 = msg("33997", dup321); + +var msg35780 = msg("33998", dup311); + +var msg35781 = msg("33999", dup311); + +var msg35782 = msg("34000", dup311); + +var msg35783 = msg("34001", dup321); + +var msg35784 = msg("34002", dup321); + +var msg35785 = msg("34003", dup321); + +var msg35786 = msg("34004", dup325); + +var msg35787 = msg("34005", dup325); + +var msg35788 = msg("34006", dup325); + +var msg35789 = msg("34007", dup325); + +var msg35790 = msg("34008", dup325); + +var msg35791 = msg("34009", dup325); + +var msg35792 = msg("34010", dup325); + +var msg35793 = msg("34011", dup325); + +var msg35794 = msg("34012", dup325); + +var msg35795 = msg("34013", dup321); + +var msg35796 = msg("34014", dup314); + +var msg35797 = msg("34015", dup314); + +var msg35798 = msg("34016", dup314); + +var msg35799 = msg("34017", dup314); + +var msg35800 = msg("34018", dup316); + +var msg35801 = msg("34019", dup316); + +var msg35802 = msg("34020", dup311); + +var msg35803 = msg("34021", dup311); + +var msg35804 = msg("34022", dup323); + +var msg35805 = msg("34023", dup323); + +var msg35806 = msg("34024", dup314); + +var msg35807 = msg("34025", dup321); + +var msg35808 = msg("34026", dup321); + +var msg35809 = msg("34027", dup309); + +var msg35810 = msg("34028", dup321); + +var msg35811 = msg("34029", dup321); + +var msg35812 = msg("34030", dup321); + +var msg35813 = msg("34031", dup321); + +var msg35814 = msg("34032", dup321); + +var msg35815 = msg("34033", dup321); + +var msg35816 = msg("34034", dup321); + +var msg35817 = msg("34035", dup321); + +var msg35818 = msg("34036", dup321); + +var msg35819 = msg("34037", dup321); + +var msg35820 = msg("34038", dup321); + +var msg35821 = msg("34039", dup321); + +var msg35822 = msg("34040", dup321); + +var msg35823 = msg("34041", dup321); + +var msg35824 = msg("34042", dup321); + +var msg35825 = msg("34043", dup321); + +var msg35826 = msg("34044", dup321); + +var msg35827 = msg("34045", dup321); + +var msg35828 = msg("34046", dup325); + +var msg35829 = msg("34047", dup321); + +var msg35830 = msg("34048", dup324); + +var msg35831 = msg("34049", dup321); + +var msg35832 = msg("34050", dup321); + +var msg35833 = msg("34051", dup324); + +var msg35834 = msg("34052", dup321); + +var msg35835 = msg("34053", dup314); + +var msg35836 = msg("34054", dup314); + +var msg35837 = msg("34055", dup314); + +var msg35838 = msg("34056", dup314); + +var msg35839 = msg("34057", dup309); + +var msg35840 = msg("34058", dup309); + +var msg35841 = msg("34059", dup325); + +var msg35842 = msg("34060", dup325); + +var msg35843 = msg("34061", dup309); + +var msg35844 = msg("34062", dup309); + +var msg35845 = msg("34063", dup309); + +var msg35846 = msg("34064", dup325); + +var msg35847 = msg("34065", dup325); + +var msg35848 = msg("34066", dup309); + +var msg35849 = msg("34067", dup309); + +var msg35850 = msg("34068", dup325); + +var msg35851 = msg("34069", dup325); + +var msg35852 = msg("34070", dup325); + +var msg35853 = msg("34071", dup325); + +var msg35854 = msg("34072", dup325); + +var msg35855 = msg("34073", dup325); + +var msg35856 = msg("34074", dup325); + +var msg35857 = msg("34075", dup325); + +var msg35858 = msg("34076", dup325); + +var msg35859 = msg("34077", dup325); + +var msg35860 = msg("34078", dup311); + +var msg35861 = msg("34079", dup311); + +var msg35862 = msg("34080", dup311); + +var msg35863 = msg("34081", dup311); + +var msg35864 = msg("34082", dup311); + +var msg35865 = msg("34083", dup311); + +var msg35866 = msg("34084", dup325); + +var msg35867 = msg("34085", dup325); + +var msg35868 = msg("34086", dup309); + +var msg35869 = msg("34087", dup309); + +var msg35870 = msg("34088", dup314); + +var msg35871 = msg("34089", dup325); + +var msg35872 = msg("34090", dup325); + +var msg35873 = msg("34091", dup311); + +var msg35874 = msg("34092", dup311); + +var msg35875 = msg("34093", dup309); + +var msg35876 = msg("34094", dup309); + +var msg35877 = msg("34095", dup314); + +var msg35878 = msg("34096", dup314); + +var msg35879 = msg("34097", dup311); + +var msg35880 = msg("34098", dup311); + +var msg35881 = msg("34099", dup314); + +var msg35882 = msg("34100", dup309); + +var msg35883 = msg("34101", dup309); + +var msg35884 = msg("34102", dup309); + +var msg35885 = msg("34103", dup309); + +var msg35886 = msg("34104", dup314); + +var msg35887 = msg("34105", dup314); + +var msg35888 = msg("34106", dup314); + +var msg35889 = msg("34107", dup321); + +var msg35890 = msg("34108", dup321); + +var msg35891 = msg("34109", dup307); + +var msg35892 = msg("34110", dup307); + +var msg35893 = msg("34111", dup321); + +var msg35894 = msg("34112", dup324); + +var msg35895 = msg("34113", dup321); + +var msg35896 = msg("34114", dup324); + +var msg35897 = msg("34115", dup321); + +var msg35898 = msg("34116", dup321); + +var msg35899 = msg("34117", dup321); + +var msg35900 = msg("34118", dup323); + +var msg35901 = msg("34119", dup321); + +var msg35902 = msg("34120", dup321); + +var msg35903 = msg("34121", dup321); + +var msg35904 = msg("34122", dup321); + +var msg35905 = msg("34123", dup314); + +var msg35906 = msg("34124", dup314); + +var msg35907 = msg("34125", dup321); + +var msg35908 = msg("34126", dup321); + +var msg35909 = msg("34127", dup321); + +var msg35910 = msg("34128", dup321); + +var msg35911 = msg("34129", dup321); + +var msg35912 = msg("34130", dup321); + +var msg35913 = msg("34131", dup309); + +var msg35914 = msg("34132", dup321); + +var msg35915 = msg("34133", dup309); + +var msg35916 = msg("34134", dup309); + +var msg35917 = msg("34135", dup314); + +var msg35918 = msg("34136", dup328); + +var msg35919 = msg("34137", dup321); + +var msg35920 = msg("34138", dup321); + +var msg35921 = msg("34139", dup314); + +var msg35922 = msg("34140", dup321); + +var msg35923 = msg("34141", dup309); + +var msg35924 = msg("34142", dup309); + +var msg35925 = msg("34143", dup321); + +var msg35926 = msg("34144", dup321); + +var msg35927 = msg("34145", dup321); + +var msg35928 = msg("34146", dup321); + +var msg35929 = msg("34147", dup314); + +var msg35930 = msg("34148", dup314); + +var msg35931 = msg("34149", dup314); + +var msg35932 = msg("34150", dup314); + +var msg35933 = msg("34151", dup314); + +var msg35934 = msg("34152", dup314); + +var msg35935 = msg("34153", dup314); + +var msg35936 = msg("34154", dup314); + +var msg35937 = msg("34155", dup321); + +var msg35938 = msg("34156", dup311); + +var msg35939 = msg("34157", dup311); + +var msg35940 = msg("34158", dup311); + +var msg35941 = msg("34159", dup311); + +var msg35942 = msg("34160", dup324); + +var msg35943 = msg("34161", dup321); + +var msg35944 = msg("34162", dup309); + +var msg35945 = msg("34163", dup309); + +var msg35946 = msg("34164", dup309); + +var msg35947 = msg("34165", dup309); + +var msg35948 = msg("34166", dup314); + +var msg35949 = msg("34167", dup314); + +var msg35950 = msg("34168", dup314); + +var msg35951 = msg("34169", dup314); + +var msg35952 = msg("34170", dup311); + +var msg35953 = msg("34171", dup311); + +var msg35954 = msg("34172", dup314); + +var msg35955 = msg("34173", dup314); + +var msg35956 = msg("34174", dup314); + +var msg35957 = msg("34175", dup314); + +var msg35958 = msg("34176", dup314); + +var msg35959 = msg("34177", dup314); + +var msg35960 = msg("34178", dup314); + +var msg35961 = msg("34179", dup314); + +var msg35962 = msg("34180", dup311); + +var msg35963 = msg("34181", dup321); + +var msg35964 = msg("34182", dup321); + +var msg35965 = msg("34183", dup321); + +var msg35966 = msg("34184", dup311); + +var msg35967 = msg("34185", dup311); + +var msg35968 = msg("34186", dup311); + +var msg35969 = msg("34187", dup311); + +var msg35970 = msg("34188", dup311); + +var msg35971 = msg("34189", dup311); + +var msg35972 = msg("34190", dup314); + +var msg35973 = msg("34191", dup314); + +var msg35974 = msg("34192", dup314); + +var msg35975 = msg("34193", dup314); + +var msg35976 = msg("34194", dup314); + +var msg35977 = msg("34195", dup325); + +var msg35978 = msg("34196", dup325); + +var msg35979 = msg("34197", dup325); + +var msg35980 = msg("34198", dup325); + +var msg35981 = msg("34199", dup325); + +var msg35982 = msg("34200", dup325); + +var msg35983 = msg("34201", dup325); + +var msg35984 = msg("34202", dup325); + +var msg35985 = msg("34203", dup325); + +var msg35986 = msg("34204", dup325); + +var msg35987 = msg("34205", dup325); + +var msg35988 = msg("34206", dup325); + +var msg35989 = msg("34207", dup325); + +var msg35990 = msg("34208", dup325); + +var msg35991 = msg("34209", dup325); + +var msg35992 = msg("34210", dup325); + +var msg35993 = msg("34211", dup325); + +var msg35994 = msg("34212", dup325); + +var msg35995 = msg("34213", dup324); + +var msg35996 = msg("34214", dup321); + +var msg35997 = msg("34215", dup311); + +var msg35998 = msg("34216", dup321); + +var msg35999 = msg("34217", dup321); + +var msg36000 = msg("34218", dup321); + +var msg36001 = msg("34219", dup321); + +var msg36002 = msg("34220", dup316); + +var msg36003 = msg("34221", dup316); + +var msg36004 = msg("34222", dup316); + +var msg36005 = msg("34223", dup321); + +var msg36006 = msg("34224", dup316); + +var msg36007 = msg("34225", dup333); + +var msg36008 = msg("34226", dup323); + +var msg36009 = msg("34227", dup323); + +var msg36010 = msg("34228", dup311); + +var msg36011 = msg("34229", dup311); + +var msg36012 = msg("34230", dup311); + +var msg36013 = msg("34231", dup311); + +var msg36014 = msg("34232", dup314); + +var msg36015 = msg("34233", dup314); + +var msg36016 = msg("34234", dup314); + +var msg36017 = msg("34235", dup314); + +var msg36018 = msg("34236", dup321); + +var msg36019 = msg("34237", dup321); + +var msg36020 = msg("34238", dup307); + +var msg36021 = msg("34239", dup307); + +var msg36022 = msg("34240", dup314); + +var msg36023 = msg("34241", dup314); + +var msg36024 = msg("34242", dup314); + +var msg36025 = msg("34243", dup314); + +var msg36026 = msg("34244", dup314); + +var msg36027 = msg("34245", dup314); + +var msg36028 = msg("34246", dup321); + +var msg36029 = msg("34247", dup314); + +var msg36030 = msg("34248", dup314); + +var msg36031 = msg("34249", dup314); + +var msg36032 = msg("34250", dup314); + +var msg36033 = msg("34251", dup324); + +var msg36034 = msg("34252", dup324); + +var msg36035 = msg("34253", dup324); + +var msg36036 = msg("34254", dup324); + +var msg36037 = msg("34255", dup314); + +var msg36038 = msg("34256", dup314); + +var msg36039 = msg("34257", dup314); + +var msg36040 = msg("34258", dup314); + +var msg36041 = msg("34259", dup314); + +var msg36042 = msg("34260", dup314); + +var msg36043 = msg("34261", dup324); + +var msg36044 = msg("34262", dup324); + +var msg36045 = msg("34263", dup324); + +var msg36046 = msg("34264", dup309); + +var msg36047 = msg("34265", dup309); + +var msg36048 = msg("34266", dup309); + +var msg36049 = msg("34267", dup309); + +var msg36050 = msg("34268", dup309); + +var msg36051 = msg("34269", dup309); + +var msg36052 = msg("34270", dup309); + +var msg36053 = msg("34271", dup309); + +var msg36054 = msg("34272", dup314); + +var msg36055 = msg("34273", dup314); + +var msg36056 = msg("34274", dup314); + +var msg36057 = msg("34275", dup314); + +var msg36058 = msg("34276", dup309); + +var msg36059 = msg("34277", dup309); + +var msg36060 = msg("34278", dup309); + +var msg36061 = msg("34279", dup309); + +var msg36062 = msg("34280", dup321); + +var msg36063 = msg("34281", dup321); + +var msg36064 = msg("34282", dup321); + +var msg36065 = msg("34283", dup321); + +var msg36066 = msg("34284", dup311); + +var msg36067 = msg("34285", dup311); + +var msg36068 = msg("34286", dup321); + +var msg36069 = msg("34287", dup314); + +var msg36070 = msg("34288", dup324); + +var msg36071 = msg("34289", dup321); + +var msg36072 = msg("34290", dup321); + +var msg36073 = msg("34291", dup325); + +var msg36074 = msg("34292", dup321); + +var msg36075 = msg("34293", dup309); + +var msg36076 = msg("34294", dup309); + +var msg36077 = msg("34295", dup322); + +var msg36078 = msg("34296", dup321); + +var msg36079 = msg("34297", dup321); + +var msg36080 = msg("34298", dup314); + +var msg36081 = msg("34299", dup325); + +var msg36082 = msg("34300", dup307); + +var msg36083 = msg("34301", dup314); + +var msg36084 = msg("34302", dup311); + +var msg36085 = msg("34303", dup311); + +var msg36086 = msg("34304", dup311); + +var msg36087 = msg("34305", dup311); + +var msg36088 = msg("34306", dup310); + +var msg36089 = msg("34307", dup321); + +var msg36090 = msg("34308", dup321); + +var msg36091 = msg("34309", dup321); + +var msg36092 = msg("34310", dup321); + +var msg36093 = msg("34311", dup321); + +var msg36094 = msg("34312", dup321); + +var msg36095 = msg("34313", dup321); + +var msg36096 = msg("34314", dup321); + +var msg36097 = msg("34315", dup321); + +var msg36098 = msg("34316", dup321); + +var msg36099 = msg("34317", dup321); + +var msg36100 = msg("34318", dup321); + +var msg36101 = msg("34319", dup321); + +var msg36102 = msg("34320", dup325); + +var msg36103 = msg("34321", dup325); + +var msg36104 = msg("34322", dup321); + +var msg36105 = msg("34323", dup321); + +var msg36106 = msg("34324", dup321); + +var msg36107 = msg("34325", dup321); + +var msg36108 = msg("34326", dup321); + +var msg36109 = msg("34327", dup321); + +var msg36110 = msg("34328", dup314); + +var msg36111 = msg("34329", dup321); + +var msg36112 = msg("34330", dup311); + +var msg36113 = msg("34331", dup311); + +var msg36114 = msg("34332", dup311); + +var msg36115 = msg("34333", dup311); + +var msg36116 = msg("34334", dup311); + +var msg36117 = msg("34335", dup311); + +var msg36118 = msg("34336", dup321); + +var msg36119 = msg("34337", dup321); + +var msg36120 = msg("34338", dup321); + +var msg36121 = msg("34339", dup321); + +var msg36122 = msg("34340", dup314); + +var msg36123 = msg("34341", dup314); + +var msg36124 = msg("34342", dup314); + +var msg36125 = msg("34343", dup309); + +var msg36126 = msg("34344", dup309); + +var msg36127 = msg("34345", dup314); + +var msg36128 = msg("34346", dup321); + +var msg36129 = msg("34347", dup321); + +var msg36130 = msg("34348", dup311); + +var msg36131 = msg("34349", dup309); + +var msg36132 = msg("34350", dup309); + +var msg36133 = msg("34351", dup309); + +var msg36134 = msg("34352", dup309); + +var msg36135 = msg("34353", dup309); + +var msg36136 = msg("34354", dup311); + +var msg36137 = msg("34355", dup311); + +var msg36138 = msg("34356", dup311); + +var msg36139 = msg("34357", dup311); + +var msg36140 = msg("34358", dup311); + +var msg36141 = msg("34359", dup314); + +var msg36142 = msg("34360", dup314); + +var msg36143 = msg("34361", dup314); + +var msg36144 = msg("34362", dup321); + +var msg36145 = msg("34363", dup322); + +var msg36146 = msg("34364", dup314); + +var msg36147 = msg("34365", dup311); + +var msg36148 = msg("34366", dup321); + +var msg36149 = msg("34367", dup321); + +var msg36150 = msg("34368", dup321); + +var msg36151 = msg("34369", dup316); + +var msg36152 = msg("34370", dup321); + +var msg36153 = msg("34371", dup311); + +var msg36154 = msg("34372", dup311); + +var msg36155 = msg("34373", dup307); + +var msg36156 = msg("34374", dup307); + +var msg36157 = msg("34375", dup307); + +var msg36158 = msg("34376", dup307); + +var msg36159 = msg("34377", dup314); + +var msg36160 = msg("34378", dup314); + +var msg36161 = msg("34379", dup325); + +var msg36162 = msg("34380", dup325); + +var msg36163 = msg("34381", dup325); + +var msg36164 = msg("34382", dup325); + +var msg36165 = msg("34383", dup311); + +var msg36166 = msg("34384", dup311); + +var msg36167 = msg("34385", dup311); + +var msg36168 = msg("34386", dup311); + +var msg36169 = msg("34387", dup314); + +var msg36170 = msg("34388", dup314); + +var msg36171 = msg("34389", dup314); + +var msg36172 = msg("34390", dup314); + +var msg36173 = msg("34391", dup325); + +var msg36174 = msg("34392", dup325); + +var msg36175 = msg("34393", dup323); + +var msg36176 = msg("34394", dup323); + +var msg36177 = msg("34395", dup314); + +var msg36178 = msg("34396", dup314); + +var msg36179 = msg("34397", dup314); + +var msg36180 = msg("34398", dup314); + +var msg36181 = msg("34399", dup311); + +var msg36182 = msg("34400", dup311); + +var msg36183 = msg("34401", dup311); + +var msg36184 = msg("34402", dup311); + +var msg36185 = msg("34403", dup314); + +var msg36186 = msg("34404", dup314); + +var msg36187 = msg("34405", dup325); + +var msg36188 = msg("34406", dup325); + +var msg36189 = msg("34407", dup325); + +var msg36190 = msg("34408", dup325); + +var msg36191 = msg("34409", dup325); + +var msg36192 = msg("34410", dup325); + +var msg36193 = msg("34411", dup325); + +var msg36194 = msg("34412", dup325); + +var msg36195 = msg("34413", dup314); + +var msg36196 = msg("34414", dup314); + +var msg36197 = msg("34415", dup325); + +var msg36198 = msg("34416", dup325); + +var msg36199 = msg("34417", dup325); + +var msg36200 = msg("34418", dup325); + +var msg36201 = msg("34419", dup325); + +var msg36202 = msg("34420", dup325); + +var msg36203 = msg("34421", dup325); + +var msg36204 = msg("34422", dup325); + +var msg36205 = msg("34423", dup325); + +var msg36206 = msg("34424", dup325); + +var msg36207 = msg("34425", dup325); + +var msg36208 = msg("34426", dup314); + +var msg36209 = msg("34427", dup314); + +var msg36210 = msg("34428", dup309); + +var msg36211 = msg("34429", dup309); + +var msg36212 = msg("34430", dup325); + +var msg36213 = msg("34431", dup325); + +var msg36214 = msg("34432", dup325); + +var msg36215 = msg("34433", dup325); + +var msg36216 = msg("34434", dup324); + +var msg36217 = msg("34435", dup324); + +var msg36218 = msg("34436", dup325); + +var msg36219 = msg("34437", dup325); + +var msg36220 = msg("34438", dup309); + +var msg36221 = msg("34439", dup309); + +var msg36222 = msg("34440", dup314); + +var msg36223 = msg("34441", dup314); + +var msg36224 = msg("34442", dup314); + +var msg36225 = msg("34443", dup314); + +var msg36226 = msg("34444", dup325); + +var msg36227 = msg("34445", dup325); + +var msg36228 = msg("34446", dup321); + +var msg36229 = msg("34447", dup333); + +var msg36230 = msg("34448", dup314); + +var msg36231 = msg("34449", dup314); + +var msg36232 = msg("34450", dup314); + +var msg36233 = msg("34451", dup314); + +var msg36234 = msg("34452", dup321); + +var msg36235 = msg("34453", dup321); + +var msg36236 = msg("34454", dup314); + +var msg36237 = msg("34455", dup314); + +var msg36238 = msg("34456", dup314); + +var msg36239 = msg("34457", dup314); + +var msg36240 = msg("34458", dup321); + +var msg36241 = msg("34459", dup321); + +var msg36242 = msg("34460", dup321); + +var msg36243 = msg("34461", dup321); + +var msg36244 = msg("34462", dup321); + +var msg36245 = msg("34463", dup314); + +var msg36246 = msg("34464", dup311); + +var msg36247 = msg("34465", dup325); + +var msg36248 = msg("34466", dup311); + +var msg36249 = msg("34467", dup311); + +var msg36250 = msg("34468", dup321); + +var msg36251 = msg("34469", dup321); + +var msg36252 = msg("34470", dup321); + +var msg36253 = msg("34471", dup314); + +var msg36254 = msg("34472", dup322); + +var msg36255 = msg("34473", dup314); + +var msg36256 = msg("34474", dup314); + +var all63 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup87, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg36257 = msg("34475", all63); + +var msg36258 = msg("34476", dup323); + +var msg36259 = msg("34477", dup314); + +var msg36260 = msg("34478", dup314); + +var msg36261 = msg("34479", dup311); + +var msg36262 = msg("34480", dup311); + +var msg36263 = msg("34481", dup309); + +var msg36264 = msg("34482", dup309); + +var msg36265 = msg("34483", dup309); + +var msg36266 = msg("34484", dup309); + +var msg36267 = msg("34485", dup309); + +var msg36268 = msg("34486", dup309); + +var msg36269 = msg("34487", dup309); + +var msg36270 = msg("34488", dup309); + +var msg36271 = msg("34489", dup321); + +var msg36272 = msg("34490", dup321); + +var msg36273 = msg("34491", dup321); + +var msg36274 = msg("34492", dup314); + +var msg36275 = msg("34493", dup314); + +var msg36276 = msg("34494", dup314); + +var msg36277 = msg("34495", dup314); + +var msg36278 = msg("34496", dup327); + +var msg36279 = msg("34497", dup327); + +var msg36280 = msg("34498", dup314); + +var msg36281 = msg("34499", dup314); + +var msg36282 = msg("34500", dup321); + +var msg36283 = msg("34501", dup321); + +var msg36284 = msg("34502", dup311); + +var msg36285 = msg("34503", dup311); + +var msg36286 = msg("34504", dup311); + +var msg36287 = msg("34505", dup311); + +var msg36288 = msg("34506", dup311); + +var msg36289 = msg("34507", dup311); + +var msg36290 = msg("34508", dup311); + +var msg36291 = msg("34509", dup311); + +var msg36292 = msg("34510", dup311); + +var msg36293 = msg("34511", dup311); + +var msg36294 = msg("34512", dup311); + +var msg36295 = msg("34513", dup311); + +var msg36296 = msg("34514", dup314); + +var msg36297 = msg("34515", dup314); + +var msg36298 = msg("34516", dup314); + +var msg36299 = msg("34517", dup314); + +var msg36300 = msg("34518", dup311); + +var msg36301 = msg("34519", dup311); + +var msg36302 = msg("34520", dup311); + +var msg36303 = msg("34521", dup311); + +var msg36304 = msg("34522", dup311); + +var msg36305 = msg("34523", dup311); + +var msg36306 = msg("34524", dup311); + +var msg36307 = msg("34525", dup311); + +var msg36308 = msg("34526", dup311); + +var msg36309 = msg("34527", dup311); + +var msg36310 = msg("34528", dup314); + +var msg36311 = msg("34529", dup314); + +var msg36312 = msg("34530", dup323); + +var msg36313 = msg("34531", dup323); + +var msg36314 = msg("34532", dup325); + +var msg36315 = msg("34533", dup325); + +var msg36316 = msg("34534", dup314); + +var msg36317 = msg("34535", dup314); + +var msg36318 = msg("34536", dup314); + +var msg36319 = msg("34537", dup314); + +var msg36320 = msg("34538", dup314); + +var msg36321 = msg("34539", dup314); + +var msg36322 = msg("34540", dup321); + +var msg36323 = msg("34541", dup321); + +var msg36324 = msg("34542", dup314); + +var msg36325 = msg("34543", dup314); + +var msg36326 = msg("34544", dup314); + +var msg36327 = msg("34545", dup314); + +var msg36328 = msg("34546", dup314); + +var msg36329 = msg("34547", dup314); + +var msg36330 = msg("34548", dup314); + +var msg36331 = msg("34549", dup314); + +var msg36332 = msg("34550", dup307); + +var msg36333 = msg("34551", dup307); + +var msg36334 = msg("34552", dup311); + +var msg36335 = msg("34553", dup309); + +var msg36336 = msg("34554", dup309); + +var msg36337 = msg("34555", dup309); + +var msg36338 = msg("34556", dup309); + +var msg36339 = msg("34557", dup307); + +var msg36340 = msg("34558", dup307); + +var msg36341 = msg("34559", dup314); + +var msg36342 = msg("34560", dup314); + +var msg36343 = msg("34561", dup311); + +var msg36344 = msg("34562", dup311); + +var msg36345 = msg("34563", dup311); + +var msg36346 = msg("34564", dup311); + +var msg36347 = msg("34565", dup311); + +var msg36348 = msg("34566", dup309); + +var msg36349 = msg("34567", dup321); + +var msg36350 = msg("34568", dup314); + +var msg36351 = msg("34569", dup314); + +var msg36352 = msg("34570", dup321); + +var msg36353 = msg("34571", dup321); + +var msg36354 = msg("34572", dup321); + +var msg36355 = msg("34573", dup314); + +var msg36356 = msg("34574", dup314); + +var msg36357 = msg("34575", dup314); + +var msg36358 = msg("34576", dup314); + +var msg36359 = msg("34577", dup314); + +var msg36360 = msg("34578", dup314); + +var msg36361 = msg("34579", dup314); + +var msg36362 = msg("34580", dup314); + +var msg36363 = msg("34581", dup321); + +var msg36364 = msg("34582", dup314); + +var msg36365 = msg("34583", dup314); + +var msg36366 = msg("34584", dup314); + +var msg36367 = msg("34585", dup314); + +var msg36368 = msg("34586", dup314); + +var msg36369 = msg("34587", dup314); + +var msg36370 = msg("34588", dup314); + +var msg36371 = msg("34589", dup314); + +var msg36372 = msg("34590", dup314); + +var msg36373 = msg("34591", dup314); + +var msg36374 = msg("34592", dup314); + +var msg36375 = msg("34593", dup314); + +var msg36376 = msg("34594", dup314); + +var msg36377 = msg("34595", dup314); + +var msg36378 = msg("34596", dup339); + +var msg36379 = msg("34597", dup339); + +var msg36380 = msg("34598", dup339); + +var msg36381 = msg("34599", dup339); + +var msg36382 = msg("34600", dup339); + +var msg36383 = msg("34601", dup339); + +var msg36384 = msg("34602", dup340); + +var msg36385 = msg("34603", dup341); + +var msg36386 = msg("34604", dup340); + +var msg36387 = msg("34605", dup340); + +var msg36388 = msg("34606", dup340); + +var msg36389 = msg("34607", dup342); + +var msg36390 = msg("34608", dup339); + +var msg36391 = msg("34609", dup339); + +var msg36392 = msg("34610", dup339); + +var msg36393 = msg("34611", dup339); + +var msg36394 = msg("34612", dup343); + +var msg36395 = msg("34613", dup343); + +var msg36396 = msg("34614", dup339); + +var msg36397 = msg("34615", dup344); + +var msg36398 = msg("34616", dup344); + +var msg36399 = msg("34617", dup344); + +var msg36400 = msg("34618", dup344); + +var msg36401 = msg("34619", dup340); + +var msg36402 = msg("34620", dup340); + +var msg36403 = msg("34621", dup340); + +var msg36404 = msg("34622", dup339); + +var msg36405 = msg("34623", dup341); + +var msg36406 = msg("34624", dup339); + +var msg36407 = msg("34625", dup343); + +var msg36408 = msg("34626", dup343); + +var msg36409 = msg("34627", dup343); + +var msg36410 = msg("34628", dup343); + +var msg36411 = msg("34629", dup340); + +var msg36412 = msg("34630", dup340); + +var msg36413 = msg("34631", dup340); + +var msg36414 = msg("34632", dup341); + +var msg36415 = msg("34633", dup340); + +var msg36416 = msg("34634", dup340); + +var msg36417 = msg("34635", dup340); + +var msg36418 = msg("34636", dup339); + +var msg36419 = msg("34637", dup339); + +var msg36420 = msg("34638", dup340); + +var msg36421 = msg("34639", dup340); + +var msg36422 = msg("34640", dup340); + +var msg36423 = msg("34641", dup345); + +var msg36424 = msg("34642", dup345); + +var msg36425 = msg("34643", dup340); + +var msg36426 = msg("34644", dup340); + +var msg36427 = msg("34645", dup341); + +var msg36428 = msg("34646", dup346); + +var msg36429 = msg("34647", dup346); + +var msg36430 = msg("34648", dup346); + +var msg36431 = msg("34649", dup345); + +var msg36432 = msg("34650", dup341); + +var msg36433 = msg("34651", dup341); + +var msg36434 = msg("34652", dup340); + +var msg36435 = msg("34653", dup340); + +var msg36436 = msg("34654", dup339); + +var msg36437 = msg("34655", dup339); + +var msg36438 = msg("34656", dup339); + +var msg36439 = msg("34657", dup339); + +var msg36440 = msg("34658", dup339); + +var msg36441 = msg("34659", dup339); + +var msg36442 = msg("34660", dup339); + +var msg36443 = msg("34661", dup339); + +var msg36444 = msg("34662", dup339); + +var msg36445 = msg("34663", dup339); + +var msg36446 = msg("34664", dup339); + +var msg36447 = msg("34665", dup339); + +var msg36448 = msg("34666", dup339); + +var msg36449 = msg("34667", dup339); + +var msg36450 = msg("34668", dup339); + +var msg36451 = msg("34669", dup339); + +var msg36452 = msg("34670", dup339); + +var msg36453 = msg("34671", dup339); + +var msg36454 = msg("34672", dup339); + +var msg36455 = msg("34673", dup339); + +var msg36456 = msg("34674", dup339); + +var msg36457 = msg("34675", dup339); + +var msg36458 = msg("34676", dup339); + +var msg36459 = msg("34677", dup339); + +var msg36460 = msg("34678", dup339); + +var msg36461 = msg("34679", dup339); + +var msg36462 = msg("34680", dup339); + +var msg36463 = msg("34681", dup339); + +var msg36464 = msg("34682", dup339); + +var msg36465 = msg("34683", dup339); + +var msg36466 = msg("34684", dup339); + +var msg36467 = msg("34685", dup339); + +var msg36468 = msg("34686", dup339); + +var msg36469 = msg("34687", dup339); + +var msg36470 = msg("34688", dup339); + +var msg36471 = msg("34689", dup339); + +var msg36472 = msg("34690", dup339); + +var msg36473 = msg("34691", dup339); + +var msg36474 = msg("34692", dup339); + +var msg36475 = msg("34693", dup339); + +var msg36476 = msg("34694", dup339); + +var msg36477 = msg("34695", dup339); + +var msg36478 = msg("34696", dup339); + +var msg36479 = msg("34697", dup339); + +var msg36480 = msg("34698", dup339); + +var msg36481 = msg("34699", dup339); + +var msg36482 = msg("34700", dup339); + +var msg36483 = msg("34701", dup339); + +var msg36484 = msg("34702", dup339); + +var msg36485 = msg("34703", dup339); + +var msg36486 = msg("34704", dup339); + +var msg36487 = msg("34705", dup339); + +var msg36488 = msg("34706", dup339); + +var msg36489 = msg("34707", dup339); + +var msg36490 = msg("34708", dup339); + +var msg36491 = msg("34709", dup345); + +var msg36492 = msg("34710", dup347); + +var msg36493 = msg("34711", dup339); + +var msg36494 = msg("34712", dup339); + +var msg36495 = msg("34713", dup339); + +var msg36496 = msg("34714", dup341); + +var msg36497 = msg("34715", dup341); + +var msg36498 = msg("34716", dup340); + +var msg36499 = msg("34717", dup340); + +var msg36500 = msg("34718", dup340); + +var msg36501 = msg("34719", dup347); + +var msg36502 = msg("34720", dup347); + +var msg36503 = msg("34721", dup342); + +var msg36504 = msg("34722", dup342); + +var msg36505 = msg("34723", dup342); + +var msg36506 = msg("34724", dup342); + +var msg36507 = msg("34725", dup342); + +var msg36508 = msg("34726", dup342); + +var msg36509 = msg("34727", dup342); + +var msg36510 = msg("34728", dup342); + +var msg36511 = msg("34729", dup347); + +var msg36512 = msg("34730", dup347); + +var msg36513 = msg("34731", dup341); + +var msg36514 = msg("34732", dup341); + +var msg36515 = msg("34733", dup342); + +var msg36516 = msg("34734", dup342); + +var msg36517 = msg("34735", dup342); + +var msg36518 = msg("34736", dup342); + +var msg36519 = msg("34737", dup341); + +var msg36520 = msg("34738", dup341); + +var msg36521 = msg("34739", dup341); + +var msg36522 = msg("34740", dup341); + +var msg36523 = msg("34741", dup340); + +var msg36524 = msg("34742", dup340); + +var msg36525 = msg("34743", dup341); + +var msg36526 = msg("34744", dup341); + +var msg36527 = msg("34745", dup342); + +var msg36528 = msg("34746", dup342); + +var msg36529 = msg("34747", dup342); + +var msg36530 = msg("34748", dup342); + +var msg36531 = msg("34749", dup342); + +var msg36532 = msg("34750", dup342); + +var msg36533 = msg("34751", dup342); + +var msg36534 = msg("34752", dup342); + +var msg36535 = msg("34753", dup342); + +var msg36536 = msg("34754", dup342); + +var msg36537 = msg("34755", dup347); + +var msg36538 = msg("34756", dup347); + +var msg36539 = msg("34757", dup347); + +var msg36540 = msg("34758", dup347); + +var msg36541 = msg("34759", dup342); + +var msg36542 = msg("34760", dup342); + +var msg36543 = msg("34761", dup343); + +var msg36544 = msg("34762", dup343); + +var msg36545 = msg("34763", dup341); + +var msg36546 = msg("34764", dup341); + +var msg36547 = msg("34765", dup342); + +var msg36548 = msg("34766", dup342); + +var msg36549 = msg("34767", dup342); + +var msg36550 = msg("34768", dup342); + +var msg36551 = msg("34769", dup347); + +var msg36552 = msg("34770", dup340); + +var msg36553 = msg("34771", dup340); + +var msg36554 = msg("34772", dup342); + +var msg36555 = msg("34773", dup342); + +var msg36556 = msg("34774", dup347); + +var msg36557 = msg("34775", dup347); + +var msg36558 = msg("34776", dup340); + +var msg36559 = msg("34777", dup340); + +var msg36560 = msg("34778", dup342); + +var msg36561 = msg("34779", dup342); + +var msg36562 = msg("34780", dup347); + +var msg36563 = msg("34781", dup347); + +var msg36564 = msg("34782", dup340); + +var msg36565 = msg("34783", dup340); + +var msg36566 = msg("34784", dup340); + +var msg36567 = msg("34785", dup340); + +var msg36568 = msg("34786", dup347); + +var msg36569 = msg("34787", dup347); + +var msg36570 = msg("34788", dup340); + +var msg36571 = msg("34789", dup340); + +var msg36572 = msg("34790", dup342); + +var msg36573 = msg("34791", dup342); + +var msg36574 = msg("34792", dup340); + +var msg36575 = msg("34793", dup340); + +var msg36576 = msg("34794", dup347); + +var msg36577 = msg("34795", dup347); + +var msg36578 = msg("34796", dup347); + +var msg36579 = msg("34797", dup347); + +var msg36580 = msg("34798", dup341); + +var msg36581 = msg("34799", dup348); + +var msg36582 = msg("34800", dup346); + +var msg36583 = msg("34801", dup346); + +var msg36584 = msg("34802", dup345); + +var msg36585 = msg("34803", dup340); + +var msg36586 = msg("34804", dup340); + +var msg36587 = msg("34805", dup340); + +var msg36588 = msg("34806", dup340); + +var msg36589 = msg("34807", dup347); + +var msg36590 = msg("34808", dup347); + +var msg36591 = msg("34809", dup347); + +var msg36592 = msg("34810", dup347); + +var msg36593 = msg("34811", dup340); + +var msg36594 = msg("34812", dup340); + +var msg36595 = msg("34813", dup340); + +var msg36596 = msg("34814", dup340); + +var msg36597 = msg("34815", dup340); + +var msg36598 = msg("34816", dup347); + +var msg36599 = msg("34817", dup347); + +var msg36600 = msg("34818", dup339); + +var msg36601 = msg("34819", dup340); + +var msg36602 = msg("34820", dup340); + +var msg36603 = msg("34821", dup340); + +var msg36604 = msg("34822", dup340); + +var msg36605 = msg("34823", dup340); + +var msg36606 = msg("34824", dup342); + +var msg36607 = msg("34825", dup342); + +var msg36608 = msg("34826", dup339); + +var msg36609 = msg("34827", dup339); + +var msg36610 = msg("34828", dup339); + +var msg36611 = msg("34829", dup339); + +var msg36612 = msg("34830", dup339); + +var msg36613 = msg("34831", dup339); + +var msg36614 = msg("34832", dup339); + +var msg36615 = msg("34833", dup339); + +var all64 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup44, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg36616 = msg("34834", all64); + +var msg36617 = msg("34835", dup339); + +var msg36618 = msg("34836", dup347); + +var msg36619 = msg("34837", dup347); + +var msg36620 = msg("34838", dup347); + +var msg36621 = msg("34839", dup347); + +var msg36622 = msg("34840", dup347); + +var msg36623 = msg("34841", dup347); + +var msg36624 = msg("34842", dup347); + +var msg36625 = msg("34843", dup342); + +var msg36626 = msg("34844", dup339); + +var msg36627 = msg("34845", dup340); + +var msg36628 = msg("34846", dup340); + +var msg36629 = msg("34847", dup339); + +var msg36630 = msg("34848", dup341); + +var msg36631 = msg("34849", dup341); + +var msg36632 = msg("34850", dup341); + +var msg36633 = msg("34851", dup341); + +var msg36634 = msg("34852", dup339); + +var msg36635 = msg("34853", dup340); + +var msg36636 = msg("34854", dup340); + +var msg36637 = msg("34855", dup340); + +var msg36638 = msg("34856", dup340); + +var msg36639 = msg("34857", dup339); + +var msg36640 = msg("34858", dup340); + +var msg36641 = msg("34859", dup340); + +var msg36642 = msg("34860", dup340); + +var msg36643 = msg("34861", dup340); + +var msg36644 = msg("34862", dup339); + +var msg36645 = msg("34863", dup339); + +var msg36646 = msg("34864", dup340); + +var msg36647 = msg("34865", dup339); + +var msg36648 = msg("34866", dup339); + +var msg36649 = msg("34867", dup339); + +var msg36650 = msg("34868", dup339); + +var msg36651 = msg("34869", dup339); + +var msg36652 = msg("34870", dup339); + +var msg36653 = msg("34871", dup339); + +var msg36654 = msg("34872", dup339); + +var msg36655 = msg("34873", dup342); + +var msg36656 = msg("34874", dup342); + +var msg36657 = msg("34875", dup340); + +var msg36658 = msg("34876", dup339); + +var msg36659 = msg("34877", dup339); + +var msg36660 = msg("34878", dup342); + +var msg36661 = msg("34879", dup342); + +var msg36662 = msg("34880", dup342); + +var msg36663 = msg("34881", dup340); + +var msg36664 = msg("34882", dup340); + +var msg36665 = msg("34883", dup340); + +var msg36666 = msg("34884", dup343); + +var msg36667 = msg("34885", dup343); + +var msg36668 = msg("34886", dup339); + +var msg36669 = msg("34887", dup339); + +var msg36670 = msg("34888", dup339); + +var msg36671 = msg("34889", dup341); + +var msg36672 = msg("34890", dup347); + +var msg36673 = msg("34891", dup347); + +var msg36674 = msg("34892", dup347); + +var msg36675 = msg("34893", dup347); + +var msg36676 = msg("34894", dup347); + +var msg36677 = msg("34895", dup347); + +var msg36678 = msg("34896", dup347); + +var msg36679 = msg("34897", dup347); + +var msg36680 = msg("34898", dup347); + +var msg36681 = msg("34899", dup347); + +var msg36682 = msg("34900", dup347); + +var msg36683 = msg("34901", dup347); + +var msg36684 = msg("34902", dup344); + +var msg36685 = msg("34903", dup347); + +var msg36686 = msg("34904", dup347); + +var msg36687 = msg("34905", dup347); + +var msg36688 = msg("34906", dup347); + +var msg36689 = msg("34907", dup347); + +var msg36690 = msg("34908", dup347); + +var msg36691 = msg("34909", dup344); + +var msg36692 = msg("34910", dup344); + +var msg36693 = msg("34911", dup347); + +var msg36694 = msg("34912", dup347); + +var msg36695 = msg("34913", dup347); + +var msg36696 = msg("34914", dup347); + +var msg36697 = msg("34915", dup349); + +var msg36698 = msg("34916", dup349); + +var msg36699 = msg("34917", dup339); + +var msg36700 = msg("34918", dup340); + +var msg36701 = msg("34919", dup340); + +var msg36702 = msg("34920", dup340); + +var msg36703 = msg("34921", dup340); + +var msg36704 = msg("34922", dup340); + +var msg36705 = msg("34923", dup340); + +var msg36706 = msg("34924", dup341); + +var msg36707 = msg("34925", dup341); + +var msg36708 = msg("34926", dup339); + +var msg36709 = msg("34927", dup339); + +var msg36710 = msg("34928", dup339); + +var msg36711 = msg("34929", dup339); + +var msg36712 = msg("34930", dup339); + +var msg36713 = msg("34931", dup339); + +var msg36714 = msg("34932", dup339); + +var msg36715 = msg("34933", dup347); + +var msg36716 = msg("34934", dup339); + +var msg36717 = msg("34935", dup339); + +var msg36718 = msg("34936", dup339); + +var msg36719 = msg("34937", dup341); + +var msg36720 = msg("34938", dup341); + +var msg36721 = msg("34939", dup341); + +var msg36722 = msg("34940", dup341); + +var msg36723 = msg("34941", dup341); + +var msg36724 = msg("34942", dup341); + +var msg36725 = msg("34943", dup341); + +var msg36726 = msg("34944", dup340); + +var msg36727 = msg("34945", dup339); + +var msg36728 = msg("34946", dup340); + +var msg36729 = msg("34947", dup340); + +var msg36730 = msg("34948", dup347); + +var msg36731 = msg("34949", dup347); + +var msg36732 = msg("34950", dup339); + +var msg36733 = msg("34951", dup340); + +var msg36734 = msg("34952", dup345); + +var msg36735 = msg("34953", dup345); + +var msg36736 = msg("34954", dup345); + +var msg36737 = msg("34955", dup345); + +var msg36738 = msg("34956", dup345); + +var msg36739 = msg("34957", dup339); + +var msg36740 = msg("34958", dup339); + +var msg36741 = msg("34959", dup339); + +var msg36742 = msg("34960", dup340); + +var msg36743 = msg("34961", dup340); + +var msg36744 = msg("34962", dup340); + +var msg36745 = msg("34963", dup339); + +var msg36746 = msg("34964", dup339); + +var msg36747 = msg("34965", dup339); + +var msg36748 = msg("34966", dup339); + +var msg36749 = msg("34967", dup341); + +var msg36750 = msg("34968", dup340); + +var msg36751 = msg("34969", dup347); + +var msg36752 = msg("34970", dup347); + +var msg36753 = msg("34971", dup340); + +var msg36754 = msg("34972", dup340); + +var msg36755 = msg("34973", dup341); + +var msg36756 = msg("34974", dup341); + +var msg36757 = msg("34975", dup341); + +var msg36758 = msg("34976", dup340); + +var msg36759 = msg("34977", dup340); + +var msg36760 = msg("34978", dup340); + +var msg36761 = msg("34979", dup340); + +var msg36762 = msg("34980", dup340); + +var msg36763 = msg("34981", dup340); + +var msg36764 = msg("34982", dup339); + +var msg36765 = msg("34983", dup340); + +var msg36766 = msg("34984", dup341); + +var msg36767 = msg("34985", dup341); + +var msg36768 = msg("34986", dup341); + +var msg36769 = msg("34987", dup341); + +var msg36770 = msg("34988", dup341); + +var msg36771 = msg("34989", dup341); + +var msg36772 = msg("34990", dup347); + +var msg36773 = msg("34991", dup347); + +var msg36774 = msg("34992", dup347); + +var msg36775 = msg("34993", dup339); + +var msg36776 = msg("34994", dup339); + +var msg36777 = msg("34995", dup339); + +var msg36778 = msg("34996", dup339); + +var msg36779 = msg("34997", dup350); + +var msg36780 = msg("34998", dup339); + +var msg36781 = msg("34999", dup346); + +var msg36782 = msg("35000", dup346); + +var msg36783 = msg("35001", dup340); + +var msg36784 = msg("35002", dup340); + +var msg36785 = msg("35003", dup339); + +var msg36786 = msg("35004", dup339); + +var msg36787 = msg("35005", dup339); + +var msg36788 = msg("35006", dup347); + +var msg36789 = msg("35007", dup347); + +var msg36790 = msg("35008", dup347); + +var msg36791 = msg("35009", dup347); + +var msg36792 = msg("35010", dup347); + +var msg36793 = msg("35011", dup347); + +var msg36794 = msg("35012", dup342); + +var msg36795 = msg("35013", dup342); + +var msg36796 = msg("35014", dup346); + +var msg36797 = msg("35015", dup346); + +var msg36798 = msg("35016", dup346); + +var msg36799 = msg("35017", dup346); + +var msg36800 = msg("35018", dup341); + +var msg36801 = msg("35019", dup341); + +var msg36802 = msg("35020", dup341); + +var msg36803 = msg("35021", dup341); + +var msg36804 = msg("35022", dup340); + +var msg36805 = msg("35023", dup340); + +var msg36806 = msg("35024", dup348); + +var msg36807 = msg("35025", dup348); + +var msg36808 = msg("35026", dup348); + +var msg36809 = msg("35027", dup342); + +var msg36810 = msg("35028", dup339); + +var msg36811 = msg("35029", dup339); + +var msg36812 = msg("35030", dup339); + +var msg36813 = msg("35031", dup339); + +var msg36814 = msg("35032", dup340); + +var msg36815 = msg("35033", dup340); + +var msg36816 = msg("35034", dup339); + +var msg36817 = msg("35035", dup339); + +var msg36818 = msg("35036", dup339); + +var msg36819 = msg("35037", dup339); + +var msg36820 = msg("35038", dup340); + +var msg36821 = msg("35039", dup339); + +var msg36822 = msg("35040", dup347); + +var msg36823 = msg("35041", dup347); + +var msg36824 = msg("35042", dup340); + +var msg36825 = msg("35043", dup340); + +var msg36826 = msg("35044", dup347); + +var msg36827 = msg("35045", dup347); + +var msg36828 = msg("35046", dup339); + +var msg36829 = msg("35047", dup339); + +var msg36830 = msg("35048", dup340); + +var msg36831 = msg("35049", dup340); + +var msg36832 = msg("35050", dup339); + +var msg36833 = msg("35051", dup340); + +var msg36834 = msg("35052", dup340); + +var msg36835 = msg("35053", dup342); + +var msg36836 = msg("35062", dup339); + +var msg36837 = msg("35063", dup339); + +var msg36838 = msg("35064", dup339); + +var msg36839 = msg("35065", dup339); + +var msg36840 = msg("35066", dup339); + +var msg36841 = msg("35067", dup339); + +var msg36842 = msg("35068", dup339); + +var msg36843 = msg("35069", dup339); + +var msg36844 = msg("35070", dup340); + +var msg36845 = msg("35071", dup340); + +var msg36846 = msg("35072", dup340); + +var msg36847 = msg("35073", dup340); + +var msg36848 = msg("35074", dup340); + +var msg36849 = msg("35075", dup340); + +var msg36850 = msg("35076", dup339); + +var msg36851 = msg("35077", dup346); + +var msg36852 = msg("35078", dup346); + +var msg36853 = msg("35079", dup346); + +var msg36854 = msg("35080", dup339); + +var msg36855 = msg("35081", dup339); + +var msg36856 = msg("35082", dup339); + +var msg36857 = msg("35083", dup339); + +var msg36858 = msg("35084", dup347); + +var msg36859 = msg("35085", dup347); + +var msg36860 = msg("35086", dup347); + +var msg36861 = msg("35087", dup347); + +var msg36862 = msg("35088", dup347); + +var msg36863 = msg("35089", dup347); + +var msg36864 = msg("35090", dup341); + +var msg36865 = msg("35091", dup341); + +var msg36866 = msg("35092", dup341); + +var msg36867 = msg("35093", dup341); + +var msg36868 = msg("35094", dup343); + +var msg36869 = msg("35095", dup347); + +var msg36870 = msg("35096", dup347); + +var msg36871 = msg("35097", dup343); + +var msg36872 = msg("35098", dup343); + +var msg36873 = msg("35099", dup339); + +var msg36874 = msg("35100", dup339); + +var msg36875 = msg("35101", dup339); + +var msg36876 = msg("35102", dup339); + +var msg36877 = msg("35103", dup339); + +var msg36878 = msg("35104", dup339); + +var msg36879 = msg("35105", dup340); + +var msg36880 = msg("35106", dup340); + +var msg36881 = msg("35107", dup340); + +var msg36882 = msg("35108", dup340); + +var msg36883 = msg("35109", dup347); + +var msg36884 = msg("35110", dup347); + +var msg36885 = msg("35111", dup340); + +var msg36886 = msg("35112", dup343); + +var msg36887 = msg("35113", dup343); + +var msg36888 = msg("35114", dup347); + +var msg36889 = msg("35115", dup347); + +var msg36890 = msg("35116", dup342); + +var msg36891 = msg("35117", dup342); + +var msg36892 = msg("35118", dup340); + +var msg36893 = msg("35119", dup342); + +var msg36894 = msg("35120", dup342); + +var msg36895 = msg("35121", dup342); + +var msg36896 = msg("35122", dup342); + +var msg36897 = msg("35123", dup342); + +var msg36898 = msg("35124", dup342); + +var msg36899 = msg("35125", dup342); + +var msg36900 = msg("35126", dup342); + +var msg36901 = msg("35127", dup342); + +var msg36902 = msg("35128", dup342); + +var msg36903 = msg("35129", dup341); + +var msg36904 = msg("35130", dup341); + +var msg36905 = msg("35131", dup340); + +var msg36906 = msg("35132", dup340); + +var msg36907 = msg("35133", dup342); + +var msg36908 = msg("35134", dup342); + +var msg36909 = msg("35135", dup347); + +var msg36910 = msg("35136", dup347); + +var msg36911 = msg("35137", dup341); + +var msg36912 = msg("35138", dup341); + +var msg36913 = msg("35139", dup342); + +var msg36914 = msg("35140", dup342); + +var msg36915 = msg("35141", dup341); + +var msg36916 = msg("35142", dup341); + +var msg36917 = msg("35143", dup341); + +var msg36918 = msg("35144", dup341); + +var msg36919 = msg("35145", dup342); + +var msg36920 = msg("35146", dup342); + +var msg36921 = msg("35147", dup342); + +var msg36922 = msg("35148", dup342); + +var msg36923 = msg("35149", dup340); + +var msg36924 = msg("35150", dup340); + +var msg36925 = msg("35151", dup341); + +var msg36926 = msg("35152", dup342); + +var msg36927 = msg("35153", dup342); + +var msg36928 = msg("35154", dup342); + +var msg36929 = msg("35155", dup342); + +var msg36930 = msg("35156", dup342); + +var msg36931 = msg("35157", dup342); + +var msg36932 = msg("35158", dup342); + +var msg36933 = msg("35159", dup342); + +var msg36934 = msg("35160", dup341); + +var msg36935 = msg("35161", dup341); + +var msg36936 = msg("35162", dup341); + +var msg36937 = msg("35163", dup341); + +var msg36938 = msg("35164", dup342); + +var msg36939 = msg("35165", dup342); + +var msg36940 = msg("35166", dup341); + +var msg36941 = msg("35167", dup341); + +var msg36942 = msg("35168", dup341); + +var msg36943 = msg("35169", dup341); + +var msg36944 = msg("35170", dup342); + +var msg36945 = msg("35171", dup342); + +var msg36946 = msg("35172", dup342); + +var msg36947 = msg("35173", dup342); + +var msg36948 = msg("35174", dup351); + +var msg36949 = msg("35175", dup351); + +var msg36950 = msg("35176", dup341); + +var msg36951 = msg("35177", dup341); + +var msg36952 = msg("35178", dup342); + +var msg36953 = msg("35179", dup342); + +var msg36954 = msg("35180", dup340); + +var msg36955 = msg("35181", dup340); + +var msg36956 = msg("35182", dup342); + +var msg36957 = msg("35183", dup342); + +var msg36958 = msg("35184", dup342); + +var msg36959 = msg("35185", dup342); + +var msg36960 = msg("35186", dup342); + +var msg36961 = msg("35187", dup342); + +var msg36962 = msg("35188", dup342); + +var msg36963 = msg("35189", dup342); + +var msg36964 = msg("35190", dup341); + +var msg36965 = msg("35191", dup341); + +var msg36966 = msg("35192", dup342); + +var msg36967 = msg("35193", dup342); + +var msg36968 = msg("35194", dup342); + +var msg36969 = msg("35195", dup342); + +var msg36970 = msg("35196", dup342); + +var msg36971 = msg("35197", dup342); + +var msg36972 = msg("35198", dup346); + +var msg36973 = msg("35199", dup342); + +var msg36974 = msg("35200", dup342); + +var msg36975 = msg("35201", dup341); + +var msg36976 = msg("35202", dup341); + +var msg36977 = msg("35203", dup342); + +var msg36978 = msg("35204", dup342); + +var msg36979 = msg("35205", dup342); + +var msg36980 = msg("35206", dup342); + +var msg36981 = msg("35207", dup342); + +var msg36982 = msg("35208", dup342); + +var msg36983 = msg("35209", dup342); + +var msg36984 = msg("35210", dup342); + +var msg36985 = msg("35211", dup342); + +var msg36986 = msg("35212", dup342); + +var msg36987 = msg("35213", dup343); + +var msg36988 = msg("35214", dup343); + +var msg36989 = msg("35215", dup347); + +var msg36990 = msg("35216", dup347); + +var msg36991 = msg("35217", dup340); + +var msg36992 = msg("35218", dup340); + +var msg36993 = msg("35219", dup340); + +var msg36994 = msg("35220", dup340); + +var msg36995 = msg("35221", dup339); + +var msg36996 = msg("35222", dup342); + +var msg36997 = msg("35223", dup340); + +var msg36998 = msg("35224", dup340); + +var msg36999 = msg("35225", dup340); + +var msg37000 = msg("35226", dup340); + +var msg37001 = msg("35227", dup340); + +var msg37002 = msg("35228", dup340); + +var msg37003 = msg("35229", dup340); + +var msg37004 = msg("35230", dup340); + +var msg37005 = msg("35231", dup340); + +var msg37006 = msg("35232", dup340); + +var msg37007 = msg("35233", dup340); + +var msg37008 = msg("35234", dup340); + +var msg37009 = msg("35235", dup340); + +var msg37010 = msg("35236", dup340); + +var msg37011 = msg("35237", dup340); + +var msg37012 = msg("35238", dup340); + +var msg37013 = msg("35239", dup340); + +var msg37014 = msg("35240", dup340); + +var msg37015 = msg("35241", dup340); + +var msg37016 = msg("35242", dup340); + +var msg37017 = msg("35243", dup348); + +var msg37018 = msg("35244", dup348); + +var msg37019 = msg("35245", dup348); + +var msg37020 = msg("35246", dup348); + +var msg37021 = msg("35247", dup340); + +var msg37022 = msg("35248", dup340); + +var msg37023 = msg("35249", dup340); + +var msg37024 = msg("35250", dup340); + +var msg37025 = msg("35251", dup341); + +var msg37026 = msg("35252", dup341); + +var msg37027 = msg("35253", dup340); + +var msg37028 = msg("35254", dup339); + +var msg37029 = msg("35255", dup339); + +var msg37030 = msg("35256", dup347); + +var msg37031 = msg("35257", dup348); + +var msg37032 = msg("35258", dup348); + +var msg37033 = msg("35259", dup348); + +var msg37034 = msg("35260", dup348); + +var msg37035 = msg("35261", dup347); + +var msg37036 = msg("35262", dup347); + +var msg37037 = msg("35263", dup347); + +var msg37038 = msg("35264", dup347); + +var msg37039 = msg("35265", dup347); + +var msg37040 = msg("35266", dup347); + +var msg37041 = msg("35267", dup340); + +var msg37042 = msg("35268", dup340); + +var msg37043 = msg("35269", dup340); + +var msg37044 = msg("35270", dup340); + +var msg37045 = msg("35271", dup340); + +var msg37046 = msg("35272", dup340); + +var msg37047 = msg("35273", dup340); + +var msg37048 = msg("35274", dup340); + +var msg37049 = msg("35275", dup340); + +var msg37050 = msg("35276", dup340); + +var msg37051 = msg("35277", dup340); + +var msg37052 = msg("35278", dup340); + +var msg37053 = msg("35279", dup346); + +var msg37054 = msg("35280", dup346); + +var msg37055 = msg("35281", dup346); + +var msg37056 = msg("35282", dup340); + +var msg37057 = msg("35283", dup340); + +var msg37058 = msg("35284", dup340); + +var msg37059 = msg("35285", dup340); + +var msg37060 = msg("35286", dup340); + +var msg37061 = msg("35287", dup340); + +var msg37062 = msg("35288", dup340); + +var msg37063 = msg("35289", dup340); + +var msg37064 = msg("35290", dup340); + +var msg37065 = msg("35291", dup340); + +var msg37066 = msg("35292", dup340); + +var msg37067 = msg("35293", dup340); + +var msg37068 = msg("35294", dup340); + +var msg37069 = msg("35295", dup340); + +var msg37070 = msg("35296", dup340); + +var msg37071 = msg("35297", dup340); + +var msg37072 = msg("35298", dup340); + +var msg37073 = msg("35299", dup340); + +var msg37074 = msg("35300", dup339); + +var msg37075 = msg("35301", dup339); + +var msg37076 = msg("35302", dup340); + +var msg37077 = msg("35303", dup339); + +var msg37078 = msg("35304", dup341); + +var msg37079 = msg("35305", dup341); + +var msg37080 = msg("35306", dup339); + +var msg37081 = msg("35307", dup340); + +var msg37082 = msg("35308", dup341); + +var msg37083 = msg("35309", dup341); + +var msg37084 = msg("35310", dup348); + +var msg37085 = msg("35311", dup348); + +var msg37086 = msg("35312", dup339); + +var msg37087 = msg("35313", dup339); + +var msg37088 = msg("35314", dup350); + +var msg37089 = msg("35315", dup339); + +var msg37090 = msg("35316", dup342); + +var msg37091 = msg("35317", dup339); + +var msg37092 = msg("35318", dup339); + +var msg37093 = msg("35319", dup340); + +var msg37094 = msg("35320", dup340); + +var msg37095 = msg("35321", dup340); + +var msg37096 = msg("35322", dup340); + +var msg37097 = msg("35323", dup340); + +var msg37098 = msg("35324", dup340); + +var msg37099 = msg("35325", dup341); + +var msg37100 = msg("35326", dup341); + +var msg37101 = msg("35327", dup340); + +var msg37102 = msg("35328", dup340); + +var msg37103 = msg("35329", dup340); + +var msg37104 = msg("35330", dup340); + +var msg37105 = msg("35331", dup343); + +var msg37106 = msg("35332", dup343); + +var msg37107 = msg("35333", dup347); + +var msg37108 = msg("35334", dup347); + +var msg37109 = msg("35335", dup347); + +var msg37110 = msg("35336", dup352); + +var msg37111 = msg("35337", dup352); + +var msg37112 = msg("35338", dup352); + +var msg37113 = msg("35339", dup352); + +var msg37114 = msg("35340", dup352); + +var msg37115 = msg("35341", dup352); + +var msg37116 = msg("35342", dup352); + +var msg37117 = msg("35343", dup352); + +var msg37118 = msg("35344", dup339); + +var msg37119 = msg("35345", dup347); + +var msg37120 = msg("35346", dup347); + +var msg37121 = msg("35347", dup340); + +var msg37122 = msg("35348", dup339); + +var msg37123 = msg("35349", dup340); + +var msg37124 = msg("35350", dup340); + +var msg37125 = msg("35351", dup340); + +var msg37126 = msg("35352", dup340); + +var msg37127 = msg("35353", dup339); + +var msg37128 = msg("35354", dup346); + +var msg37129 = msg("35355", dup339); + +var msg37130 = msg("35356", dup344); + +var msg37131 = msg("35357", dup344); + +var msg37132 = msg("35358", dup340); + +var msg37133 = msg("35359", dup346); + +var msg37134 = msg("35360", dup341); + +var msg37135 = msg("35361", dup341); + +var msg37136 = msg("35362", dup341); + +var msg37137 = msg("35363", dup341); + +var msg37138 = msg("35364", dup340); + +var msg37139 = msg("35365", dup340); + +var msg37140 = msg("35366", dup340); + +var msg37141 = msg("35367", dup340); + +var msg37142 = msg("35368", dup339); + +var msg37143 = msg("35369", dup339); + +var msg37144 = msg("35370", dup339); + +var msg37145 = msg("35371", dup339); + +var msg37146 = msg("35372", dup348); + +var msg37147 = msg("35373", dup348); + +var msg37148 = msg("35374", dup348); + +var msg37149 = msg("35375", dup348); + +var msg37150 = msg("35376", dup340); + +var msg37151 = msg("35377", dup340); + +var msg37152 = msg("35378", dup340); + +var msg37153 = msg("35379", dup340); + +var msg37154 = msg("35380", dup343); + +var msg37155 = msg("35381", dup343); + +var msg37156 = msg("35382", dup343); + +var msg37157 = msg("35383", dup343); + +var msg37158 = msg("35384", dup339); + +var msg37159 = msg("35385", dup339); + +var msg37160 = msg("35386", dup339); + +var msg37161 = msg("35387", dup339); + +var msg37162 = msg("35388", dup339); + +var msg37163 = msg("35389", dup339); + +var msg37164 = msg("35390", dup339); + +var msg37165 = msg("35391", dup339); + +var msg37166 = msg("35392", dup339); + +var msg37167 = msg("35393", dup339); + +var msg37168 = msg("35394", dup339); + +var msg37169 = msg("35395", dup340); + +var msg37170 = msg("35396", dup340); + +var msg37171 = msg("35397", dup340); + +var msg37172 = msg("35398", dup340); + +var msg37173 = msg("35399", dup348); + +var msg37174 = msg("35400", dup339); + +var msg37175 = msg("35401", dup340); + +var msg37176 = msg("35402", dup340); + +var msg37177 = msg("35403", dup340); + +var msg37178 = msg("35404", dup340); + +var msg37179 = msg("35405", dup340); + +var msg37180 = msg("35406", dup341); + +var msg37181 = msg("35407", dup340); + +var msg37182 = msg("35408", dup340); + +var msg37183 = msg("35409", dup340); + +var msg37184 = msg("35410", dup340); + +var msg37185 = msg("35411", dup348); + +var msg37186 = msg("35412", dup348); + +var msg37187 = msg("35413", dup344); + +var msg37188 = msg("35414", dup344); + +var msg37189 = msg("35415", dup339); + +var msg37190 = msg("35416", dup339); + +var msg37191 = msg("35417", dup324); + +var msg37192 = msg("35418", dup324); + +var msg37193 = msg("35419", dup309); + +var msg37194 = msg("35420", dup309); + +var msg37195 = msg("35421", dup309); + +var msg37196 = msg("35422", dup309); + +var msg37197 = msg("35423", dup314); + +var msg37198 = msg("35424", dup324); + +var msg37199 = msg("35425", dup324); + +var msg37200 = msg("35426", dup321); + +var msg37201 = msg("35427", dup322); + +var msg37202 = msg("35428", dup322); + +var msg37203 = msg("35429", dup322); + +var msg37204 = msg("35430", dup314); + +var msg37205 = msg("35431", dup314); + +var msg37206 = msg("35432", dup314); + +var msg37207 = msg("35433", dup314); + +var msg37208 = msg("35434", dup309); + +var msg37209 = msg("35435", dup309); + +var msg37210 = msg("35436", dup321); + +var msg37211 = msg("35437", dup321); + +var msg37212 = msg("35438", dup307); + +var msg37213 = msg("35439", dup307); + +var msg37214 = msg("35440", dup309); + +var msg37215 = msg("35441", dup309); + +var msg37216 = msg("35442", dup309); + +var msg37217 = msg("35443", dup309); + +var msg37218 = msg("35444", dup314); + +var msg37219 = msg("35445", dup314); + +var msg37220 = msg("35446", dup314); + +var msg37221 = msg("35447", dup314); + +var msg37222 = msg("35448", dup321); + +var msg37223 = msg("35449", dup314); + +var msg37224 = msg("35450", dup314); + +var msg37225 = msg("35451", dup314); + +var msg37226 = msg("35452", dup314); + +var msg37227 = msg("35453", dup314); + +var msg37228 = msg("35454", dup314); + +var msg37229 = msg("35455", dup314); + +var msg37230 = msg("35456", dup314); + +var msg37231 = msg("35457", dup314); + +var msg37232 = msg("35458", dup314); + +var msg37233 = msg("35459", dup314); + +var msg37234 = msg("35460", dup311); + +var msg37235 = msg("35461", dup311); + +var msg37236 = msg("35462", dup321); + +var msg37237 = msg("35463", dup314); + +var msg37238 = msg("35464", dup314); + +var msg37239 = msg("35465", dup314); + +var msg37240 = msg("35466", dup314); + +var msg37241 = msg("35467", dup314); + +var msg37242 = msg("35468", dup314); + +var msg37243 = msg("35469", dup314); + +var msg37244 = msg("35470", dup321); + +var msg37245 = msg("35471", dup321); + +var msg37246 = msg("35472", dup321); + +var msg37247 = msg("35473", dup325); + +var msg37248 = msg("35474", dup325); + +var msg37249 = msg("35475", dup325); + +var msg37250 = msg("35476", dup325); + +var msg37251 = msg("35477", dup325); + +var msg37252 = msg("35478", dup325); + +var msg37253 = msg("35479", dup311); + +var msg37254 = msg("35480", dup311); + +var msg37255 = msg("35481", dup325); + +var msg37256 = msg("35482", dup325); + +var msg37257 = msg("35483", dup311); + +var msg37258 = msg("35484", dup311); + +var msg37259 = msg("35485", dup311); + +var msg37260 = msg("35486", dup311); + +var msg37261 = msg("35487", dup314); + +var msg37262 = msg("35488", dup314); + +var msg37263 = msg("35489", dup311); + +var msg37264 = msg("35490", dup311); + +var msg37265 = msg("35491", dup311); + +var msg37266 = msg("35492", dup311); + +var msg37267 = msg("35493", dup325); + +var msg37268 = msg("35494", dup325); + +var msg37269 = msg("35495", dup311); + +var msg37270 = msg("35496", dup311); + +var msg37271 = msg("35497", dup309); + +var msg37272 = msg("35498", dup309); + +var msg37273 = msg("35499", dup309); + +var msg37274 = msg("35500", dup309); + +var msg37275 = msg("35501", dup309); + +var msg37276 = msg("35502", dup309); + +var msg37277 = msg("35503", dup309); + +var msg37278 = msg("35504", dup309); + +var msg37279 = msg("35505", dup309); + +var msg37280 = msg("35506", dup309); + +var msg37281 = msg("35507", dup311); + +var msg37282 = msg("35508", dup311); + +var msg37283 = msg("35509", dup309); + +var msg37284 = msg("35510", dup309); + +var msg37285 = msg("35511", dup309); + +var msg37286 = msg("35512", dup309); + +var msg37287 = msg("35513", dup314); + +var msg37288 = msg("35514", dup314); + +var msg37289 = msg("35515", dup314); + +var msg37290 = msg("35516", dup314); + +var msg37291 = msg("35517", dup314); + +var msg37292 = msg("35518", dup314); + +var msg37293 = msg("35519", dup314); + +var msg37294 = msg("35520", dup314); + +var msg37295 = msg("35521", dup309); + +var msg37296 = msg("35522", dup309); + +var msg37297 = msg("35523", dup314); + +var msg37298 = msg("35524", dup314); + +var msg37299 = msg("35525", dup314); + +var msg37300 = msg("35526", dup314); + +var msg37301 = msg("35527", dup314); + +var msg37302 = msg("35528", dup314); + +var msg37303 = msg("35529", dup311); + +var msg37304 = msg("35530", dup311); + +var msg37305 = msg("35531", dup310); + +var msg37306 = msg("35532", dup310); + +var msg37307 = msg("35533", dup322); + +var msg37308 = msg("35534", dup322); + +var msg37309 = msg("35535", dup322); + +var msg37310 = msg("35536", dup311); + +var msg37311 = msg("35537", dup311); + +var msg37312 = msg("35538", dup314); + +var msg37313 = msg("35539", dup314); + +var msg37314 = msg("35540", dup322); + +var msg37315 = msg("35541", dup322); + +var msg37316 = msg("35542", dup311); + +var msg37317 = msg("35543", dup311); + +var msg37318 = msg("35544", dup311); + +var msg37319 = msg("35545", dup311); + +var msg37320 = msg("35546", dup311); + +var msg37321 = msg("35547", dup311); + +var msg37322 = msg("35548", dup311); + +var msg37323 = msg("35549", dup321); + +var msg37324 = msg("35550", dup311); + +var msg37325 = msg("35551", dup321); + +var msg37326 = msg("35552", dup311); + +var msg37327 = msg("35553", dup311); + +var msg37328 = msg("35554", dup311); + +var msg37329 = msg("35555", dup311); + +var msg37330 = msg("35556", dup314); + +var msg37331 = msg("35557", dup314); + +var msg37332 = msg("35558", dup314); + +var msg37333 = msg("35559", dup314); + +var msg37334 = msg("35560", dup314); + +var msg37335 = msg("35561", dup311); + +var msg37336 = msg("35562", dup311); + +var msg37337 = msg("35563", dup314); + +var msg37338 = msg("35564", dup314); + +var msg37339 = msg("35565", dup314); + +var msg37340 = msg("35566", dup314); + +var msg37341 = msg("35567", dup314); + +var msg37342 = msg("35568", dup314); + +var msg37343 = msg("35569", dup325); + +var msg37344 = msg("35570", dup321); + +var msg37345 = msg("35571", dup314); + +var msg37346 = msg("35572", dup314); + +var msg37347 = msg("35573", dup322); + +var msg37348 = msg("35574", dup314); + +var msg37349 = msg("35575", dup314); + +var msg37350 = msg("35576", dup314); + +var msg37351 = msg("35577", dup314); + +var msg37352 = msg("35578", dup309); + +var msg37353 = msg("35579", dup309); + +var msg37354 = msg("35580", dup309); + +var msg37355 = msg("35581", dup309); + +var msg37356 = msg("35582", dup311); + +var msg37357 = msg("35583", dup311); + +var msg37358 = msg("35584", dup314); + +var msg37359 = msg("35585", dup314); + +var msg37360 = msg("35586", dup314); + +var msg37361 = msg("35587", dup314); + +var msg37362 = msg("35588", dup314); + +var msg37363 = msg("35589", dup314); + +var msg37364 = msg("35590", dup314); + +var msg37365 = msg("35591", dup314); + +var msg37366 = msg("35592", dup309); + +var msg37367 = msg("35593", dup309); + +var msg37368 = msg("35594", dup309); + +var msg37369 = msg("35595", dup321); + +var msg37370 = msg("35596", dup321); + +var msg37371 = msg("35597", dup321); + +var msg37372 = msg("35598", dup314); + +var msg37373 = msg("35599", dup314); + +var msg37374 = msg("35600", dup314); + +var msg37375 = msg("35601", dup314); + +var msg37376 = msg("35602", dup314); + +var msg37377 = msg("35603", dup314); + +var msg37378 = msg("35604", dup314); + +var msg37379 = msg("35605", dup314); + +var msg37380 = msg("35606", dup314); + +var msg37381 = msg("35607", dup314); + +var msg37382 = msg("35608", dup314); + +var msg37383 = msg("35609", dup314); + +var msg37384 = msg("35610", dup314); + +var msg37385 = msg("35611", dup314); + +var msg37386 = msg("35612", dup314); + +var msg37387 = msg("35613", dup314); + +var msg37388 = msg("35614", dup311); + +var msg37389 = msg("35615", dup311); + +var msg37390 = msg("35616", dup311); + +var msg37391 = msg("35617", dup311); + +var msg37392 = msg("35618", dup323); + +var msg37393 = msg("35619", dup323); + +var msg37394 = msg("35620", dup323); + +var msg37395 = msg("35621", dup323); + +var msg37396 = msg("35622", dup323); + +var msg37397 = msg("35623", dup323); + +var msg37398 = msg("35628", dup309); + +var msg37399 = msg("35629", dup309); + +var msg37400 = msg("35630", dup324); + +var msg37401 = msg("35631", dup324); + +var msg37402 = msg("35632", dup314); + +var msg37403 = msg("35633", dup314); + +var msg37404 = msg("35634", dup314); + +var msg37405 = msg("35635", dup314); + +var msg37406 = msg("35636", dup309); + +var msg37407 = msg("35637", dup309); + +var msg37408 = msg("35638", dup314); + +var msg37409 = msg("35639", dup314); + +var msg37410 = msg("35640", dup314); + +var msg37411 = msg("35641", dup314); + +var msg37412 = msg("35642", dup314); + +var msg37413 = msg("35643", dup314); + +var msg37414 = msg("35644", dup314); + +var msg37415 = msg("35645", dup314); + +var msg37416 = msg("35646", dup314); + +var msg37417 = msg("35647", dup314); + +var msg37418 = msg("35648", dup314); + +var msg37419 = msg("35649", dup314); + +var msg37420 = msg("35650", dup314); + +var msg37421 = msg("35651", dup314); + +var msg37422 = msg("35652", dup314); + +var msg37423 = msg("35653", dup314); + +var msg37424 = msg("35654", dup314); + +var msg37425 = msg("35655", dup314); + +var msg37426 = msg("35656", dup314); + +var msg37427 = msg("35657", dup314); + +var msg37428 = msg("35658", dup314); + +var msg37429 = msg("35659", dup314); + +var msg37430 = msg("35660", dup314); + +var msg37431 = msg("35661", dup314); + +var msg37432 = msg("35662", dup314); + +var msg37433 = msg("35663", dup314); + +var msg37434 = msg("35664", dup314); + +var msg37435 = msg("35665", dup314); + +var msg37436 = msg("35666", dup311); + +var msg37437 = msg("35667", dup311); + +var msg37438 = msg("35668", dup311); + +var msg37439 = msg("35669", dup311); + +var msg37440 = msg("35670", dup314); + +var msg37441 = msg("35671", dup314); + +var msg37442 = msg("35672", dup314); + +var msg37443 = msg("35673", dup314); + +var msg37444 = msg("35674", dup314); + +var msg37445 = msg("35675", dup314); + +var msg37446 = msg("35676", dup314); + +var msg37447 = msg("35677", dup314); + +var msg37448 = msg("35678", dup314); + +var msg37449 = msg("35679", dup314); + +var msg37450 = msg("35680", dup314); + +var msg37451 = msg("35681", dup330); + +var msg37452 = msg("35682", dup314); + +var msg37453 = msg("35683", dup314); + +var msg37454 = msg("35684", dup314); + +var msg37455 = msg("35685", dup314); + +var msg37456 = msg("35686", dup314); + +var msg37457 = msg("35687", dup311); + +var msg37458 = msg("35691", dup314); + +var msg37459 = msg("35692", dup314); + +var msg37460 = msg("35693", dup314); + +var msg37461 = msg("35694", dup314); + +var msg37462 = msg("35695", dup314); + +var msg37463 = msg("35696", dup314); + +var msg37464 = msg("35697", dup314); + +var msg37465 = msg("35698", dup314); + +var msg37466 = msg("35699", dup314); + +var msg37467 = msg("35700", dup314); + +var msg37468 = msg("35701", dup322); + +var msg37469 = msg("35702", dup322); + +var msg37470 = msg("35703", dup322); + +var msg37471 = msg("35704", dup314); + +var msg37472 = msg("35705", dup314); + +var msg37473 = msg("35706", dup314); + +var msg37474 = msg("35707", dup314); + +var msg37475 = msg("35708", dup314); + +var msg37476 = msg("35709", dup314); + +var msg37477 = msg("35710", dup325); + +var msg37478 = msg("35719", dup311); + +var msg37479 = msg("35720", dup311); + +var msg37480 = msg("35723", dup311); + +var msg37481 = msg("35724", dup311); + +var msg37482 = msg("35731", dup311); + +var msg37483 = msg("35732", dup321); + +var msg37484 = msg("35733", dup321); + +var msg37485 = msg("35734", dup330); + +var msg37486 = msg("35735", dup314); + +var msg37487 = msg("35736", dup314); + +var msg37488 = msg("35737", dup307); + +var msg37489 = msg("35738", dup307); + +var msg37490 = msg("35739", dup307); + +var msg37491 = msg("35740", dup307); + +var msg37492 = msg("35741", dup314); + +var msg37493 = msg("35742", dup314); + +var msg37494 = msg("35743", dup314); + +var msg37495 = msg("35744", dup314); + +var msg37496 = msg("35745", dup311); + +var msg37497 = msg("35746", dup321); + +var msg37498 = msg("35747", dup325); + +var msg37499 = msg("35748", dup325); + +var msg37500 = msg("35749", dup321); + +var msg37501 = msg("35750", dup321); + +var msg37502 = msg("35751", dup309); + +var msg37503 = msg("35752", dup309); + +var msg37504 = msg("35753", dup314); + +var msg37505 = msg("35754", dup314); + +var msg37506 = msg("35755", dup314); + +var msg37507 = msg("35756", dup314); + +var msg37508 = msg("35757", dup314); + +var msg37509 = msg("35758", dup314); + +var msg37510 = msg("35759", dup314); + +var msg37511 = msg("35760", dup314); + +var msg37512 = msg("35761", dup314); + +var msg37513 = msg("35762", dup314); + +var msg37514 = msg("35763", dup324); + +var msg37515 = msg("35764", dup324); + +var msg37516 = msg("35765", dup324); + +var msg37517 = msg("35766", dup324); + +var msg37518 = msg("35767", dup314); + +var msg37519 = msg("35768", dup314); + +var msg37520 = msg("35769", dup321); + +var msg37521 = msg("35770", dup321); + +var msg37522 = msg("35771", dup325); + +var msg37523 = msg("35772", dup325); + +var msg37524 = msg("35779", dup314); + +var msg37525 = msg("35780", dup314); + +var msg37526 = msg("35781", dup314); + +var msg37527 = msg("35782", dup314); + +var msg37528 = msg("35783", dup321); + +var msg37529 = msg("35784", dup314); + +var msg37530 = msg("35785", dup314); + +var msg37531 = msg("35786", dup314); + +var msg37532 = msg("35787", dup314); + +var msg37533 = msg("35788", dup321); + +var msg37534 = msg("35789", dup321); + +var msg37535 = msg("35790", dup321); + +var msg37536 = msg("35791", dup321); + +var msg37537 = msg("35792", dup321); + +var msg37538 = msg("35793", dup321); + +var msg37539 = msg("35794", dup321); + +var msg37540 = msg("35795", dup314); + +var msg37541 = msg("35796", dup314); + +var msg37542 = msg("35797", dup314); + +var msg37543 = msg("35798", dup311); + +var msg37544 = msg("35799", dup311); + +var msg37545 = msg("35800", dup321); + +var msg37546 = msg("35801", dup321); + +var msg37547 = msg("35802", dup321); + +var msg37548 = msg("35803", dup321); + +var msg37549 = msg("35804", dup321); + +var msg37550 = msg("35805", dup311); + +var msg37551 = msg("35806", dup311); + +var msg37552 = msg("35807", dup314); + +var msg37553 = msg("35808", dup314); + +var msg37554 = msg("35809", dup323); + +var msg37555 = msg("35810", dup323); + +var msg37556 = msg("35811", dup323); + +var msg37557 = msg("35812", dup323); + +var msg37558 = msg("35813", dup314); + +var msg37559 = msg("35814", dup314); + +var msg37560 = msg("35815", dup314); + +var msg37561 = msg("35816", dup314); + +var msg37562 = msg("35817", dup314); + +var msg37563 = msg("35818", dup314); + +var msg37564 = msg("35819", dup322); + +var msg37565 = msg("35820", dup314); + +var msg37566 = msg("35821", dup314); + +var msg37567 = msg("35822", dup314); + +var msg37568 = msg("35823", dup314); + +var msg37569 = msg("35824", dup314); + +var msg37570 = msg("35825", dup314); + +var msg37571 = msg("35826", dup314); + +var msg37572 = msg("35827", dup314); + +var msg37573 = msg("35831", dup307); + +var msg37574 = msg("35836", dup325); + +var msg37575 = msg("35837", dup325); + +var msg37576 = msg("35838", dup321); + +var msg37577 = msg("35839", dup321); + +var msg37578 = msg("35840", dup321); + +var msg37579 = msg("35841", dup321); + +var msg37580 = msg("35842", dup321); + +var msg37581 = msg("35843", dup314); + +var msg37582 = msg("35844", dup314); + +var msg37583 = msg("35845", dup311); + +var msg37584 = msg("35846", dup311); + +var msg37585 = msg("35847", dup314); + +var msg37586 = msg("35848", dup309); + +var msg37587 = msg("35849", dup314); + +var msg37588 = msg("35850", dup314); + +var msg37589 = msg("35851", dup311); + +var msg37590 = msg("35852", dup314); + +var msg37591 = msg("35853", dup309); + +var msg37592 = msg("35854", dup309); + +var msg37593 = msg("35855", dup309); + +var msg37594 = msg("35856", dup309); + +var msg37595 = msg("35857", dup311); + +var msg37596 = msg("35858", dup311); + +var msg37597 = msg("35859", dup314); + +var msg37598 = msg("35860", dup314); + +var msg37599 = msg("35861", dup314); + +var msg37600 = msg("35862", dup314); + +var msg37601 = msg("35863", dup314); + +var msg37602 = msg("35864", dup314); + +var msg37603 = msg("35865", dup311); + +var msg37604 = msg("35866", dup311); + +var msg37605 = msg("35867", dup311); + +var msg37606 = msg("35868", dup325); + +var msg37607 = msg("35869", dup325); + +var msg37608 = msg("35870", dup325); + +var msg37609 = msg("35871", dup325); + +var msg37610 = msg("35872", dup314); + +var msg37611 = msg("35873", dup314); + +var msg37612 = msg("35874", dup314); + +var msg37613 = msg("35875", dup314); + +var msg37614 = msg("35876", dup311); + +var msg37615 = msg("35877", dup323); + +var msg37616 = msg("35878", dup323); + +var msg37617 = msg("35879", dup323); + +var msg37618 = msg("35880", dup323); + +var msg37619 = msg("35881", dup314); + +var msg37620 = msg("35882", dup314); + +var msg37621 = msg("35883", dup307); + +var msg37622 = msg("35884", dup314); + +var msg37623 = msg("35885", dup314); + +var msg37624 = msg("35886", dup314); + +var msg37625 = msg("35887", dup322); + +var msg37626 = msg("35888", dup314); + +var msg37627 = msg("35889", dup311); + +var msg37628 = msg("35890", dup322); + +var msg37629 = msg("35891", dup322); + +var msg37630 = msg("35892", dup314); + +var msg37631 = msg("35893", dup314); + +var msg37632 = msg("35894", dup316); + +var msg37633 = msg("35895", dup309); + +var msg37634 = msg("35896", dup309); + +var msg37635 = msg("35897", dup316); + +var msg37636 = msg("35898", dup309); + +var msg37637 = msg("35899", dup309); + +var msg37638 = msg("35900", dup309); + +var msg37639 = msg("35901", dup309); + +var msg37640 = msg("35902", dup316); + +var msg37641 = msg("35903", dup309); + +var msg37642 = msg("35904", dup309); + +var msg37643 = msg("35905", dup314); + +var msg37644 = msg("35906", dup309); + +var msg37645 = msg("35907", dup314); + +var msg37646 = msg("35908", dup309); + +var msg37647 = msg("35909", dup309); + +var msg37648 = msg("35910", dup314); + +var msg37649 = msg("35911", dup309); + +var msg37650 = msg("35912", dup309); + +var msg37651 = msg("35913", dup314); + +var msg37652 = msg("35914", dup314); + +var msg37653 = msg("35915", dup314); + +var msg37654 = msg("35916", dup314); + +var msg37655 = msg("35917", dup314); + +var msg37656 = msg("35918", dup309); + +var msg37657 = msg("35919", dup311); + +var msg37658 = msg("35920", dup314); + +var msg37659 = msg("35921", dup325); + +var msg37660 = msg("35922", dup309); + +var msg37661 = msg("35923", dup314); + +var msg37662 = msg("35924", dup311); + +var msg37663 = msg("35925", dup311); + +var msg37664 = msg("35926", dup330); + +var msg37665 = msg("35927", dup311); + +var msg37666 = msg("35928", dup311); + +var msg37667 = msg("35929", dup322); + +var msg37668 = msg("35930", dup322); + +var msg37669 = msg("35931", dup322); + +var msg37670 = msg("35932", dup322); + +var msg37671 = msg("35933", dup314); + +var msg37672 = msg("35934", dup314); + +var msg37673 = msg("35935", dup314); + +var msg37674 = msg("35936", dup314); + +var msg37675 = msg("35937", dup314); + +var msg37676 = msg("35938", dup314); + +var msg37677 = msg("35939", dup309); + +var msg37678 = msg("35940", dup309); + +var msg37679 = msg("35941", dup314); + +var msg37680 = msg("35942", dup324); + +var msg37681 = msg("35943", dup324); + +var msg37682 = msg("35944", dup309); + +var msg37683 = msg("35945", dup311); + +var msg37684 = msg("35946", dup311); + +var msg37685 = msg("35947", dup311); + +var msg37686 = msg("35948", dup311); + +var msg37687 = msg("35949", dup311); + +var msg37688 = msg("35950", dup311); + +var msg37689 = msg("35951", dup311); + +var msg37690 = msg("35952", dup311); + +var msg37691 = msg("35953", dup311); + +var msg37692 = msg("35954", dup311); + +var msg37693 = msg("35955", dup314); + +var msg37694 = msg("35956", dup314); + +var msg37695 = msg("35957", dup314); + +var msg37696 = msg("35958", dup314); + +var msg37697 = msg("35959", dup323); + +var msg37698 = msg("35960", dup323); + +var msg37699 = msg("35961", dup311); + +var msg37700 = msg("35962", dup311); + +var msg37701 = msg("35963", dup325); + +var msg37702 = msg("35964", dup325); + +var msg37703 = msg("35965", dup311); + +var msg37704 = msg("35966", dup311); + +var msg37705 = msg("35967", dup314); + +var msg37706 = msg("35968", dup314); + +var msg37707 = msg("35969", dup325); + +var msg37708 = msg("35970", dup325); + +var msg37709 = msg("35971", dup325); + +var msg37710 = msg("35972", dup325); + +var msg37711 = msg("35973", dup314); + +var msg37712 = msg("35974", dup314); + +var msg37713 = msg("35975", dup325); + +var msg37714 = msg("35976", dup325); + +var msg37715 = msg("35977", dup314); + +var msg37716 = msg("35978", dup314); + +var msg37717 = msg("35979", dup314); + +var msg37718 = msg("35980", dup314); + +var msg37719 = msg("35981", dup314); + +var msg37720 = msg("35982", dup311); + +var msg37721 = msg("35983", dup311); + +var msg37722 = msg("35984", dup324); + +var msg37723 = msg("35985", dup324); + +var msg37724 = msg("35986", dup314); + +var msg37725 = msg("35987", dup314); + +var msg37726 = msg("35988", dup309); + +var msg37727 = msg("35989", dup309); + +var msg37728 = msg("35990", dup311); + +var msg37729 = msg("35991", dup311); + +var msg37730 = msg("35992", dup325); + +var msg37731 = msg("35993", dup325); + +var msg37732 = msg("35994", dup314); + +var msg37733 = msg("35995", dup314); + +var msg37734 = msg("35996", dup309); + +var msg37735 = msg("35997", dup309); + +var msg37736 = msg("35998", dup311); + +var msg37737 = msg("35999", dup311); + +var msg37738 = msg("36000", dup309); + +var msg37739 = msg("36001", dup309); + +var msg37740 = msg("36002", dup309); + +var msg37741 = msg("36003", dup309); + +var msg37742 = msg("36004", dup325); + +var msg37743 = msg("36005", dup325); + +var msg37744 = msg("36006", dup325); + +var msg37745 = msg("36007", dup325); + +var msg37746 = msg("36008", dup325); + +var msg37747 = msg("36009", dup325); + +var msg37748 = msg("36010", dup314); + +var msg37749 = msg("36011", dup314); + +var msg37750 = msg("36012", dup314); + +var msg37751 = msg("36013", dup314); + +var msg37752 = msg("36014", dup309); + +var msg37753 = msg("36015", dup309); + +var msg37754 = msg("36016", dup314); + +var msg37755 = msg("36017", dup314); + +var msg37756 = msg("36018", dup325); + +var msg37757 = msg("36019", dup325); + +var msg37758 = msg("36020", dup325); + +var msg37759 = msg("36021", dup325); + +var msg37760 = msg("36022", dup314); + +var msg37761 = msg("36023", dup314); + +var msg37762 = msg("36024", dup314); + +var msg37763 = msg("36025", dup314); + +var msg37764 = msg("36026", dup309); + +var msg37765 = msg("36027", dup309); + +var msg37766 = msg("36028", dup314); + +var msg37767 = msg("36029", dup314); + +var msg37768 = msg("36030", dup316); + +var msg37769 = msg("36031", dup316); + +var msg37770 = msg("36032", dup316); + +var msg37771 = msg("36033", dup316); + +var msg37772 = msg("36034", dup314); + +var msg37773 = msg("36035", dup314); + +var msg37774 = msg("36036", dup314); + +var msg37775 = msg("36037", dup311); + +var msg37776 = msg("36038", dup311); + +var msg37777 = msg("36039", dup311); + +var msg37778 = msg("36040", dup311); + +var msg37779 = msg("36041", dup322); + +var msg37780 = msg("36042", dup322); + +var msg37781 = msg("36043", dup322); + +var msg37782 = msg("36044", dup321); + +var msg37783 = msg("36045", dup321); + +var msg37784 = msg("36046", dup321); + +var msg37785 = msg("36047", dup321); + +var msg37786 = msg("36048", dup321); + +var msg37787 = msg("36049", dup322); + +var msg37788 = msg("36050", dup322); + +var msg37789 = msg("36051", dup322); + +var msg37790 = msg("36052", dup314); + +var msg37791 = msg("36053", dup316); + +var msg37792 = msg("36054", dup321); + +var msg37793 = msg("36055", dup329); + +var msg37794 = msg("36056", dup329); + +var msg37795 = msg("36057", dup314); + +var msg37796 = msg("36058", dup314); + +var msg37797 = msg("36059", dup324); + +var msg37798 = msg("36060", dup321); + +var msg37799 = msg("36061", dup322); + +var msg37800 = msg("36062", dup314); + +var msg37801 = msg("36063", dup314); + +var msg37802 = msg("36064", dup321); + +var msg37803 = msg("36065", dup321); + +var msg37804 = msg("36066", dup321); + +var msg37805 = msg("36067", dup307); + +var msg37806 = msg("36068", dup309); + +var msg37807 = msg("36069", dup309); + +var msg37808 = msg("36070", dup314); + +var msg37809 = msg("36071", dup311); + +var msg37810 = msg("36072", dup324); + +var msg37811 = msg("36073", dup324); + +var msg37812 = msg("36074", dup324); + +var msg37813 = msg("36075", dup324); + +var msg37814 = msg("36076", dup324); + +var msg37815 = msg("36077", dup324); + +var msg37816 = msg("36078", dup324); + +var msg37817 = msg("36079", dup324); + +var msg37818 = msg("36080", dup324); + +var msg37819 = msg("36081", dup324); + +var msg37820 = msg("36082", dup324); + +var msg37821 = msg("36083", dup324); + +var msg37822 = msg("36084", dup324); + +var msg37823 = msg("36085", dup324); + +var msg37824 = msg("36086", dup324); + +var msg37825 = msg("36087", dup324); + +var msg37826 = msg("36088", dup324); + +var msg37827 = msg("36089", dup324); + +var msg37828 = msg("36090", dup324); + +var msg37829 = msg("36091", dup324); + +var msg37830 = msg("36092", dup324); + +var msg37831 = msg("36093", dup324); + +var msg37832 = msg("36094", dup324); + +var msg37833 = msg("36095", dup324); + +var msg37834 = msg("36096", dup324); + +var msg37835 = msg("36097", dup322); + +var msg37836 = msg("36098", dup322); + +var msg37837 = msg("36099", dup322); + +var msg37838 = msg("36100", dup314); + +var msg37839 = msg("36101", dup325); + +var msg37840 = msg("36102", dup325); + +var msg37841 = msg("36103", dup321); + +var msg37842 = msg("36104", dup314); + +var msg37843 = msg("36105", dup321); + +var msg37844 = msg("36106", dup321); + +var msg37845 = msg("36107", dup321); + +var msg37846 = msg("36108", dup321); + +var msg37847 = msg("36109", dup314); + +var msg37848 = msg("36110", dup314); + +var msg37849 = msg("36111", dup314); + +var msg37850 = msg("36112", dup314); + +var msg37851 = msg("36113", dup309); + +var msg37852 = msg("36114", dup309); + +var msg37853 = msg("36115", dup321); + +var msg37854 = msg("36116", dup314); + +var msg37855 = msg("36117", dup314); + +var msg37856 = msg("36118", dup314); + +var msg37857 = msg("36119", dup314); + +var msg37858 = msg("36120", dup309); + +var msg37859 = msg("36121", dup309); + +var msg37860 = msg("36122", dup309); + +var msg37861 = msg("36123", dup309); + +var msg37862 = msg("36124", dup314); + +var msg37863 = msg("36125", dup314); + +var msg37864 = msg("36126", dup314); + +var msg37865 = msg("36127", dup314); + +var msg37866 = msg("36128", dup314); + +var msg37867 = msg("36129", dup314); + +var msg37868 = msg("36130", dup329); + +var msg37869 = msg("36131", dup325); + +var msg37870 = msg("36132", dup321); + +var msg37871 = msg("36133", dup321); + +var msg37872 = msg("36134", dup321); + +var msg37873 = msg("36135", dup311); + +var msg37874 = msg("36136", dup311); + +var msg37875 = msg("36137", dup311); + +var msg37876 = msg("36138", dup311); + +var msg37877 = msg("36139", dup311); + +var msg37878 = msg("36140", dup311); + +var msg37879 = msg("36141", dup311); + +var msg37880 = msg("36142", dup311); + +var msg37881 = msg("36143", dup311); + +var msg37882 = msg("36144", dup311); + +var msg37883 = msg("36145", dup311); + +var msg37884 = msg("36146", dup311); + +var msg37885 = msg("36147", dup309); + +var msg37886 = msg("36148", dup309); + +var msg37887 = msg("36149", dup311); + +var msg37888 = msg("36150", dup311); + +var msg37889 = msg("36151", dup311); + +var msg37890 = msg("36152", dup311); + +var msg37891 = msg("36153", dup309); + +var msg37892 = msg("36154", dup314); + +var msg37893 = msg("36155", dup314); + +var msg37894 = msg("36156", dup314); + +var msg37895 = msg("36157", dup314); + +var msg37896 = msg("36158", dup311); + +var msg37897 = msg("36159", dup311); + +var msg37898 = msg("36160", dup309); + +var msg37899 = msg("36161", dup309); + +var msg37900 = msg("36162", dup309); + +var msg37901 = msg("36163", dup309); + +var msg37902 = msg("36164", dup309); + +var msg37903 = msg("36165", dup309); + +var msg37904 = msg("36166", dup309); + +var msg37905 = msg("36167", dup309); + +var msg37906 = msg("36168", dup309); + +var msg37907 = msg("36169", dup309); + +var msg37908 = msg("36170", dup309); + +var msg37909 = msg("36171", dup309); + +var msg37910 = msg("36172", dup309); + +var msg37911 = msg("36173", dup309); + +var msg37912 = msg("36174", dup309); + +var msg37913 = msg("36175", dup309); + +var msg37914 = msg("36176", dup309); + +var msg37915 = msg("36177", dup309); + +var msg37916 = msg("36178", dup316); + +var msg37917 = msg("36179", dup316); + +var msg37918 = msg("36180", dup316); + +var msg37919 = msg("36181", dup316); + +var msg37920 = msg("36182", dup311); + +var msg37921 = msg("36183", dup309); + +var msg37922 = msg("36184", dup311); + +var msg37923 = msg("36185", dup321); + +var msg37924 = msg("36186", dup321); + +var msg37925 = msg("36187", dup314); + +var msg37926 = msg("36188", dup314); + +var msg37927 = msg("36189", dup314); + +var msg37928 = msg("36190", dup314); + +var msg37929 = msg("36191", dup309); + +var msg37930 = msg("36192", dup309); + +var msg37931 = msg("36193", dup311); + +var msg37932 = msg("36194", dup309); + +var msg37933 = msg("36195", dup309); + +var msg37934 = msg("36196", dup309); + +var msg37935 = msg("36197", dup316); + +var msg37936 = msg("36198", dup321); + +var msg37937 = msg("36199", dup321); + +var msg37938 = msg("36200", dup321); + +var msg37939 = msg("36201", dup311); + +var msg37940 = msg("36202", dup321); + +var msg37941 = msg("36203", dup309); + +var msg37942 = msg("36204", dup309); + +var msg37943 = msg("36205", dup321); + +var msg37944 = msg("36206", dup321); + +var msg37945 = msg("36207", dup321); + +var msg37946 = msg("36208", dup314); + +var msg37947 = msg("36209", dup314); + +var msg37948 = msg("36224", dup323); + +var msg37949 = msg("36231", dup321); + +var msg37950 = msg("36232", dup321); + +var msg37951 = msg("36233", dup321); + +var msg37952 = msg("36234", dup321); + +var msg37953 = msg("36235", dup325); + +var msg37954 = msg("36236", dup325); + +var msg37955 = msg("36237", dup325); + +var msg37956 = msg("36238", dup325); + +var msg37957 = msg("36239", dup314); + +var msg37958 = msg("36240", dup314); + +var msg37959 = msg("36241", dup321); + +var msg37960 = msg("36242", dup314); + +var msg37961 = msg("36243", dup314); + +var msg37962 = msg("36244", dup309); + +var msg37963 = msg("36245", dup309); + +var msg37964 = msg("36246", dup323); + +var msg37965 = msg("36247", dup311); + +var msg37966 = msg("36248", dup311); + +var msg37967 = msg("36249", dup311); + +var msg37968 = msg("36250", dup309); + +var msg37969 = msg("36251", dup311); + +var msg37970 = msg("36252", dup324); + +var msg37971 = msg("36253", dup314); + +var msg37972 = msg("36254", dup311); + +var msg37973 = msg("36255", dup311); + +var msg37974 = msg("36256", dup314); + +var msg37975 = msg("36257", dup309); + +var msg37976 = msg("36258", dup309); + +var msg37977 = msg("36259", dup309); + +var msg37978 = msg("36260", dup309); + +var msg37979 = msg("36261", dup324); + +var msg37980 = msg("36262", dup324); + +var msg37981 = msg("36263", dup314); + +var msg37982 = msg("36264", dup314); + +var msg37983 = msg("36265", dup314); + +var msg37984 = msg("36266", dup314); + +var msg37985 = msg("36267", dup321); + +var msg37986 = msg("36268", dup321); + +var msg37987 = msg("36269", dup321); + +var msg37988 = msg("36270", dup316); + +var msg37989 = msg("36271", dup311); + +var msg37990 = msg("36272", dup314); + +var msg37991 = msg("36273", dup321); + +var msg37992 = msg("36274", dup321); + +var msg37993 = msg("36275", dup321); + +var msg37994 = msg("36276", dup321); + +var msg37995 = msg("36277", dup323); + +var msg37996 = msg("36278", dup323); + +var msg37997 = msg("36279", dup323); + +var msg37998 = msg("36280", dup323); + +var msg37999 = msg("36281", dup311); + +var msg38000 = msg("36282", dup314); + +var msg38001 = msg("36283", dup322); + +var msg38002 = msg("36284", dup322); + +var msg38003 = msg("36285", dup322); + +var msg38004 = msg("36286", dup311); + +var msg38005 = msg("36287", dup314); + +var msg38006 = msg("36288", dup314); + +var msg38007 = msg("36289", dup314); + +var msg38008 = msg("36290", dup314); + +var msg38009 = msg("36291", dup314); + +var msg38010 = msg("36292", dup314); + +var msg38011 = msg("36293", dup321); + +var msg38012 = msg("36294", dup321); + +var msg38013 = msg("36295", dup311); + +var msg38014 = msg("36296", dup311); + +var msg38015 = msg("36297", dup314); + +var msg38016 = msg("36298", dup314); + +var msg38017 = msg("36299", dup314); + +var msg38018 = msg("36300", dup314); + +var msg38019 = msg("36301", dup314); + +var msg38020 = msg("36302", dup314); + +var msg38021 = msg("36303", dup321); + +var msg38022 = msg("36304", dup321); + +var msg38023 = msg("36305", dup309); + +var msg38024 = msg("36306", dup309); + +var msg38025 = msg("36307", dup309); + +var msg38026 = msg("36308", dup309); + +var msg38027 = msg("36309", dup309); + +var msg38028 = msg("36310", dup309); + +var msg38029 = msg("36311", dup314); + +var msg38030 = msg("36312", dup314); + +var msg38031 = msg("36313", dup314); + +var msg38032 = msg("36314", dup314); + +var msg38033 = msg("36315", dup311); + +var msg38034 = msg("36316", dup314); + +var msg38035 = msg("36317", dup314); + +var msg38036 = msg("36318", dup314); + +var msg38037 = msg("36319", dup314); + +var msg38038 = msg("36320", dup314); + +var msg38039 = msg("36321", dup314); + +var msg38040 = msg("36322", dup314); + +var msg38041 = msg("36323", dup314); + +var msg38042 = msg("36324", dup314); + +var msg38043 = msg("36325", dup321); + +var msg38044 = msg("36326", dup321); + +var msg38045 = msg("36327", dup321); + +var msg38046 = msg("36328", dup321); + +var msg38047 = msg("36329", dup321); + +var msg38048 = msg("36330", dup314); + +var msg38049 = msg("36331", dup321); + +var msg38050 = msg("36332", dup311); + +var msg38051 = msg("36333", dup314); + +var msg38052 = msg("36334", dup314); + +var msg38053 = msg("36335", dup314); + +var msg38054 = msg("36336", dup314); + +var msg38055 = msg("36337", dup314); + +var msg38056 = msg("36338", dup310); + +var msg38057 = msg("36339", dup311); + +var msg38058 = msg("36340", dup311); + +var msg38059 = msg("36341", dup311); + +var msg38060 = msg("36342", dup311); + +var msg38061 = msg("36343", dup311); + +var msg38062 = msg("36344", dup311); + +var msg38063 = msg("36345", dup311); + +var msg38064 = msg("36346", dup311); + +var msg38065 = msg("36347", dup311); + +var msg38066 = msg("36348", dup311); + +var msg38067 = msg("36349", dup314); + +var msg38068 = msg("36350", dup314); + +var msg38069 = msg("36351", dup314); + +var msg38070 = msg("36352", dup314); + +var msg38071 = msg("36353", dup314); + +var msg38072 = msg("36354", dup314); + +var msg38073 = msg("36355", dup314); + +var msg38074 = msg("36356", dup314); + +var msg38075 = msg("36357", dup314); + +var msg38076 = msg("36358", dup314); + +var msg38077 = msg("36359", dup311); + +var msg38078 = msg("36360", dup311); + +var msg38079 = msg("36361", dup311); + +var msg38080 = msg("36362", dup311); + +var msg38081 = msg("36363", dup311); + +var msg38082 = msg("36364", dup311); + +var msg38083 = msg("36365", dup311); + +var msg38084 = msg("36366", dup311); + +var msg38085 = msg("36367", dup309); + +var msg38086 = msg("36368", dup309); + +var msg38087 = msg("36369", dup309); + +var msg38088 = msg("36370", dup309); + +var msg38089 = msg("36371", dup311); + +var msg38090 = msg("36372", dup311); + +var msg38091 = msg("36373", dup311); + +var msg38092 = msg("36374", dup311); + +var msg38093 = msg("36375", dup310); + +var msg38094 = msg("36376", dup309); + +var msg38095 = msg("36377", dup324); + +var msg38096 = msg("36378", dup324); + +var msg38097 = msg("36379", dup327); + +var msg38098 = msg("36380", dup314); + +var msg38099 = msg("36381", dup321); + +var msg38100 = msg("36382", dup321); + +var msg38101 = msg("36383", dup314); + +var msg38102 = msg("36384", dup314); + +var msg38103 = msg("36389", dup321); + +var msg38104 = msg("36390", dup321); + +var msg38105 = msg("36391", dup321); + +var msg38106 = msg("36392", dup321); + +var msg38107 = msg("36393", dup321); + +var msg38108 = msg("36394", dup321); + +var msg38109 = msg("36395", dup321); + +var msg38110 = msg("36396", dup321); + +var msg38111 = msg("36397", dup321); + +var msg38112 = msg("36398", dup311); + +var msg38113 = msg("36399", dup311); + +var msg38114 = msg("36400", dup311); + +var msg38115 = msg("36401", dup325); + +var msg38116 = msg("36402", dup325); + +var msg38117 = msg("36403", dup314); + +var msg38118 = msg("36404", dup314); + +var msg38119 = msg("36405", dup314); + +var msg38120 = msg("36406", dup314); + +var msg38121 = msg("36407", dup311); + +var msg38122 = msg("36408", dup311); + +var msg38123 = msg("36409", dup311); + +var msg38124 = msg("36410", dup311); + +var msg38125 = msg("36411", dup325); + +var msg38126 = msg("36412", dup325); + +var msg38127 = msg("36413", dup325); + +var msg38128 = msg("36414", dup325); + +var msg38129 = msg("36415", dup311); + +var msg38130 = msg("36416", dup311); + +var msg38131 = msg("36417", dup325); + +var msg38132 = msg("36418", dup325); + +var msg38133 = msg("36419", dup314); + +var msg38134 = msg("36420", dup314); + +var msg38135 = msg("36421", dup314); + +var msg38136 = msg("36422", dup314); + +var msg38137 = msg("36423", dup325); + +var msg38138 = msg("36424", dup325); + +var msg38139 = msg("36425", dup309); + +var msg38140 = msg("36426", dup309); + +var msg38141 = msg("36427", dup309); + +var msg38142 = msg("36428", dup309); + +var msg38143 = msg("36429", dup309); + +var msg38144 = msg("36430", dup309); + +var msg38145 = msg("36431", dup311); + +var msg38146 = msg("36432", dup311); + +var msg38147 = msg("36433", dup325); + +var msg38148 = msg("36434", dup325); + +var msg38149 = msg("36435", dup314); + +var msg38150 = msg("36436", dup325); + +var msg38151 = msg("36437", dup325); + +var msg38152 = msg("36438", dup325); + +var msg38153 = msg("36439", dup325); + +var msg38154 = msg("36440", dup325); + +var msg38155 = msg("36441", dup311); + +var msg38156 = msg("36442", dup311); + +var msg38157 = msg("36443", dup325); + +var msg38158 = msg("36444", dup325); + +var msg38159 = msg("36445", dup314); + +var msg38160 = msg("36446", dup314); + +var msg38161 = msg("36447", dup309); + +var msg38162 = msg("36448", dup309); + +var msg38163 = msg("36449", dup308); + +var msg38164 = msg("36450", dup325); + +var msg38165 = msg("36451", dup325); + +var msg38166 = msg("36452", dup311); + +var msg38167 = msg("36453", dup311); + +var msg38168 = msg("36454", dup311); + +var msg38169 = msg("36455", dup311); + +var msg38170 = msg("36456", dup309); + +var msg38171 = msg("36457", dup311); + +var msg38172 = msg("36458", dup323); + +var msg38173 = msg("36459", dup323); + +var msg38174 = msg("36460", dup321); + +var msg38175 = msg("36461", dup309); + +var msg38176 = msg("36462", dup309); + +var msg38177 = msg("36463", dup309); + +var msg38178 = msg("36464", dup321); + +var msg38179 = msg("36465", dup321); + +var msg38180 = msg("36466", dup321); + +var msg38181 = msg("36467", dup321); + +var msg38182 = msg("36468", dup321); + +var msg38183 = msg("36469", dup321); + +var msg38184 = msg("36470", dup321); + +var msg38185 = msg("36471", dup321); + +var msg38186 = msg("36472", dup314); + +var msg38187 = msg("36473", dup314); + +var msg38188 = msg("36474", dup314); + +var msg38189 = msg("36475", dup314); + +var msg38190 = msg("36476", dup314); + +var msg38191 = msg("36477", dup314); + +var msg38192 = msg("36478", dup314); + +var msg38193 = msg("36479", dup314); + +var msg38194 = msg("36480", dup314); + +var msg38195 = msg("36481", dup314); + +var msg38196 = msg("36482", dup314); + +var msg38197 = msg("36483", dup314); + +var msg38198 = msg("36484", dup314); + +var msg38199 = msg("36485", dup314); + +var msg38200 = msg("36486", dup314); + +var msg38201 = msg("36487", dup314); + +var msg38202 = msg("36488", dup314); + +var msg38203 = msg("36489", dup314); + +var msg38204 = msg("36490", dup314); + +var msg38205 = msg("36491", dup314); + +var msg38206 = msg("36492", dup311); + +var msg38207 = msg("36493", dup309); + +var msg38208 = msg("36494", dup323); + +var msg38209 = msg("36495", dup314); + +var msg38210 = msg("36496", dup314); + +var msg38211 = msg("36497", dup321); + +var msg38212 = msg("36498", dup309); + +var msg38213 = msg("36499", dup309); + +var msg38214 = msg("36500", dup309); + +var msg38215 = msg("36501", dup309); + +var msg38216 = msg("36502", dup314); + +var msg38217 = msg("36503", dup314); + +var msg38218 = msg("36504", dup314); + +var msg38219 = msg("36505", dup314); + +var msg38220 = msg("36506", dup321); + +var msg38221 = msg("36507", dup323); + +var msg38222 = msg("36508", dup323); + +var msg38223 = msg("36509", dup323); + +var msg38224 = msg("36510", dup323); + +var msg38225 = msg("36511", dup314); + +var msg38226 = msg("36512", dup314); + +var msg38227 = msg("36513", dup314); + +var msg38228 = msg("36514", dup314); + +var msg38229 = msg("36515", dup314); + +var msg38230 = msg("36516", dup314); + +var msg38231 = msg("36517", dup314); + +var msg38232 = msg("36518", dup321); + +var msg38233 = msg("36519", dup321); + +var msg38234 = msg("36520", dup321); + +var msg38235 = msg("36521", dup321); + +var msg38236 = msg("36522", dup321); + +var msg38237 = msg("36523", dup311); + +var msg38238 = msg("36524", dup309); + +var msg38239 = msg("36525", dup309); + +var msg38240 = msg("36526", dup321); + +var msg38241 = msg("36527", dup311); + +var msg38242 = msg("36528", dup311); + +var msg38243 = msg("36529", dup311); + +var msg38244 = msg("36530", dup311); + +var msg38245 = msg("36531", dup314); + +var msg38246 = msg("36532", dup311); + +var msg38247 = msg("36533", dup314); + +var msg38248 = msg("36534", dup314); + +var msg38249 = msg("36535", dup311); + +var msg38250 = msg("36536", dup309); + +var msg38251 = msg("36537", dup321); + +var msg38252 = msg("36538", dup321); + +var msg38253 = msg("36539", dup321); + +var msg38254 = msg("36540", dup321); + +var msg38255 = msg("36541", dup314); + +var msg38256 = msg("36542", dup309); + +var msg38257 = msg("36543", dup311); + +var msg38258 = msg("36544", dup323); + +var msg38259 = msg("36545", dup311); + +var msg38260 = msg("36546", dup311); + +var msg38261 = msg("36547", dup311); + +var msg38262 = msg("36548", dup311); + +var msg38263 = msg("36549", dup314); + +var msg38264 = msg("36550", dup314); + +var msg38265 = msg("36551", dup314); + +var msg38266 = msg("36552", dup314); + +var msg38267 = msg("36553", dup314); + +var msg38268 = msg("36554", dup314); + +var msg38269 = msg("36555", dup314); + +var msg38270 = msg("36556", dup314); + +var msg38271 = msg("36557", dup324); + +var msg38272 = msg("36558", dup324); + +var msg38273 = msg("36559", dup311); + +var msg38274 = msg("36560", dup311); + +var msg38275 = msg("36561", dup314); + +var msg38276 = msg("600009", dup196); + +var msg38277 = msg("600010", dup265); + +var msg38278 = msg("600015", dup265); + +var msg38279 = msg("6000022", dup353); + +var msg38280 = msg("600023", dup196); + +var msg38281 = msg("6000025", dup353); + +var msg38282 = msg("1000001", dup246); + +var msg38283 = msg("1000002", dup246); + +var msg38284 = msg("1000003", dup196); + +var all65 = all_match({ + processors: [ + dup57, + dup175, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup62, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + ]), +}); + +var msg38285 = msg("1000003:01", all65); + +var select2443 = linear_select([ + msg38284, + msg38285, +]); + +var msg38286 = msg("1000004", dup196); + +var msg38287 = msg("1000005", dup196); + +var msg38288 = msg("1000007", dup265); + +var msg38289 = msg("1000010", dup230); + +var msg38290 = msg("1000012", dup196); + +var msg38291 = msg("1000014", dup265); + +var msg38292 = msg("1000015", dup297); + +var msg38293 = msg("1000016", dup242); + +var msg38294 = msg("1000020", dup192); + +var msg38295 = msg("1000021", dup276); + +var msg38296 = msg("1000022", dup276); + +var msg38297 = msg("1000023", dup196); + +var msg38298 = msg("1000024", dup196); + +var msg38299 = msg("1000026", dup192); + +var msg38300 = msg("1000028", dup196); + +var msg38301 = msg("1000029", dup265); + +var msg38302 = msg("1000030", dup196); + +var msg38303 = msg("1000031", dup265); + +var msg38304 = msg("1000032", dup285); + +var msg38305 = msg("1000033", dup265); + +var msg38306 = msg("1000034", dup265); + +var msg38307 = msg("1000035", dup265); + +var msg38308 = msg("1000036", dup196); + +var msg38309 = msg("1000037", dup196); + +var msg38310 = msg("1000038", dup196); + +var msg38311 = msg("1000039", dup265); + +var msg38312 = msg("1000040", dup265); + +var msg38313 = msg("1000041", dup196); + +var msg38314 = msg("1000043", dup265); + +var msg38315 = msg("1000044", dup196); + +var msg38316 = msg("1000045", dup196); + +var msg38317 = msg("1000046", dup196); + +var msg38318 = msg("1000047", dup196); + +var msg38319 = msg("1000048", dup196); + +var msg38320 = msg("1000049", dup265); + +var msg38321 = msg("1000050", dup265); + +var msg38322 = msg("1000054", dup196); + +var msg38323 = msg("1000055", dup196); + +var msg38324 = msg("1000056", dup196); + +var msg38325 = msg("1000057", dup196); + +var msg38326 = msg("2000480", dup230); + +var msg38327 = msg("2000538", dup194); + +var msg38328 = msg("2000540", dup194); + +var msg38329 = msg("2000562", dup263); + +var msg38330 = msg("2000648", dup196); + +var msg38331 = msg("2000716", dup248); + +var msg38332 = msg("2000969", dup265); + +var msg38333 = msg("2000971", dup265); + +var msg38334 = msg("2000974", dup265); + +var msg38335 = msg("2000976", dup265); + +var msg38336 = msg("2000977", dup265); + +var msg38337 = msg("2000987", dup265); + +var msg38338 = msg("2000990", dup265); + +var msg38339 = msg("2000993", dup265); + +var msg38340 = msg("2000997", dup265); + +var msg38341 = msg("2001002", dup265); + +var msg38342 = msg("2001010", dup265); + +var msg38343 = msg("2001012", dup265); + +var msg38344 = msg("2001013", dup265); + +var msg38345 = msg("2001023", dup265); + +var msg38346 = msg("2001025", dup265); + +var msg38347 = msg("2001030", dup265); + +var msg38348 = msg("2001040", dup265); + +var msg38349 = msg("2001042", dup196); + +var msg38350 = msg("2001244", dup265); + +var msg38351 = msg("2001245", dup265); + +var msg38352 = msg("2001286", dup265); + +var msg38353 = msg("2001287", dup265); + +var msg38354 = msg("2001288", dup265); + +var msg38355 = msg("2001367", dup265); + +var msg38356 = msg("2001400", dup265); + +var msg38357 = msg("2001402", dup265); + +var msg38358 = msg("2001411", dup242); + +var msg38359 = msg("2001417", dup242); + +var msg38360 = msg("2001419", dup242); + +var msg38361 = msg("2001567", dup265); + +var msg38362 = msg("2001568", dup265); + +var msg38363 = msg("2001569", dup194); + +var msg38364 = msg("2001579", dup194); + +var msg38365 = msg("2001581", dup194); + +var msg38366 = msg("2001726", dup265); + +var msg38367 = msg("2001801", dup267); + +var msg38368 = msg("2001852", dup265); + +var msg38369 = msg("2001893", dup242); + +var msg38370 = msg("2001904", dup194); + +var msg38371 = msg("2001945", dup265); + +var msg38372 = msg("2001970", dup297); + +var msg38373 = msg("2001972", dup194); + +var msg38374 = msg("2002032", dup192); + +var msg38375 = msg("2002134", dup265); + +var msg38376 = msg("2002170", dup196); + +var msg38377 = msg("2002176", dup265); + +var msg38378 = msg("2002190", dup265); + +var msg38379 = msg("2002196", dup196); + +var msg38380 = msg("2002200", dup265); + +var msg38381 = msg("2002205", dup303); + +var msg38382 = msg("2002910", dup194); + +var msg38383 = msg("2002911", dup194); + +var msg38384 = msg("2002992", dup194); + +var msg38385 = msg("2002993", dup194); + +var msg38386 = msg("2002994", dup194); + +var msg38387 = msg("2003157", dup192); + +var msg38388 = msg("2003183", dup192); + +var msg38389 = msg("2003380", dup192); + +var msg38390 = msg("2003642", dup192); + +var msg38391 = msg("2003870", dup194); + +var msg38392 = msg("2007142", dup192); + +var msg38393 = msg("2007585", dup192); + +var msg38394 = msg("2007588", dup192); + +var msg38395 = msg("2007594", dup192); + +var msg38396 = msg("2007688", dup192); + +var msg38397 = msg("2007702", dup192); + +var msg38398 = msg("2007724", dup192); + +var msg38399 = msg("2007920", dup192); + +var msg38400 = msg("2007962", dup192); + +var msg38401 = msg("2007963", dup265); + +var msg38402 = msg("2007964", dup192); + +var msg38403 = msg("2008010", dup192); + +var msg38404 = msg("2008056", dup192); + +var msg38405 = msg("2008059", dup192); + +var msg38406 = msg("2008082", dup192); + +var msg38407 = msg("2008109", dup192); + +var msg38408 = msg("2008124", dup192); + +var msg38409 = msg("2008143", dup192); + +var msg38410 = msg("2008182", dup192); + +var msg38411 = msg("2008194", dup192); + +var msg38412 = msg("2008335", dup192); + +var msg38413 = msg("2008373", dup196); + +var msg38414 = msg("2008384", dup192); + +var msg38415 = msg("2008386", dup192); + +var msg38416 = msg("2008420", dup192); + +var msg38417 = msg("2008475", dup196); + +var msg38418 = msg("2008480", dup192); + +var msg38419 = msg("2008505", dup196); + +var msg38420 = msg("2404003", dup196); + +var msg38421 = msg("2404011", dup196); + +var msg38422 = msg("2404013", dup196); + +var msg38423 = msg("2404015", dup196); + +var msg38424 = msg("2404016", dup196); + +var msg38425 = msg("3000005", dup194); + +var msg38426 = msg("3404269", dup194); + +var msg38427 = msg("3404272", dup194); + +var msg38428 = msg("8888888", dup314); + +var msg38429 = msg("8888889", dup314); + +var msg38430 = msg("100000121", dup265); + +var msg38431 = msg("100000122", dup267); + +var msg38432 = msg("100000137", dup287); + +var msg38433 = msg("100000138", dup265); + +var msg38434 = msg("100000160", dup197); + +var msg38435 = msg("100000161", dup287); + +var msg38436 = msg("100000185", dup265); + +var msg38437 = msg("100000211", dup265); + +var msg38438 = msg("100000213", dup265); + +var msg38439 = msg("100000219", dup250); + +var msg38440 = msg("100000241", dup196); + +var msg38441 = msg("100000262", dup196); + +var msg38442 = msg("100000266", dup196); + +var msg38443 = msg("100000272", dup196); + +var msg38444 = msg("100000273", dup196); + +var msg38445 = msg("100000274", dup194); + +var msg38446 = msg("100000275", dup194); + +var msg38447 = msg("100000277", dup196); + +var msg38448 = msg("100000278", dup196); + +var msg38449 = msg("100000550", dup265); + +var msg38450 = msg("100000687", dup198); + +var msg38451 = msg("100000689", dup250); + +var all66 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup127, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg38452 = msg("snort-sid-template", all66); + +var part13 = // "Pattern{Constant('PORTSCAN DETECTED from '), Field(p0,false)}" +match("MESSAGE#38452:spp_portscan/0", "nwparser.payload", "PORTSCAN DETECTED from %{p0}"); + +var part14 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(location_src,false), Constant(')(THRESHOLD '), Field(p0,false)}" +match("MESSAGE#38452:spp_portscan/1_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src})(THRESHOLD %{p0}"); + +var part15 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,false), Constant('(THRESHOLD '), Field(p0,false)}" +match("MESSAGE#38452:spp_portscan/1_1", "nwparser.p0", "%{saddr}:%{sport}(THRESHOLD %{p0}"); + +var part16 = // "Pattern{Field(saddr,false), Constant('(THRESHOLD '), Field(p0,false)}" +match("MESSAGE#38452:spp_portscan/1_2", "nwparser.p0", "%{saddr}(THRESHOLD %{p0}"); + +var select2444 = linear_select([ + part14, + part15, + part16, +]); + +var part17 = // "Pattern{Field(dclass_counter1,true), Constant(' connections exceeded in '), Field(duration,true), Constant(' seconds)')}" +match("MESSAGE#38452:spp_portscan/2", "nwparser.p0", "%{dclass_counter1->} connections exceeded in %{duration->} seconds)"); + +var all67 = all_match({ + processors: [ + part13, + select2444, + part17, + ], + on_success: processor_chain([ + dup61, + dup31, + dup128, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + ]), +}); + +var msg38453 = msg("spp_portscan", all67); + +var part18 = // "Pattern{Constant('portscan status from '), Field(saddr,false), Constant(': '), Field(dclass_counter1,true), Constant(' connections across '), Field(fld1,true), Constant(' hosts: '), Field(fld2,false), Constant(', '), Field(fld3,false)}" +match("MESSAGE#38453:spp_portscan:01", "nwparser.payload", "portscan status from %{saddr}: %{dclass_counter1->} connections across %{fld1->} hosts: %{fld2}, %{fld3}", processor_chain([ + dup61, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup128, +])); + +var msg38454 = msg("spp_portscan:01", part18); + +var part19 = // "Pattern{Constant('End of portscan from '), Field(saddr,false), Constant(': TOTAL time('), Field(fld1,false), Constant(') hosts('), Field(fld2,false), Constant(') '), Field(fld3,true), Constant(' '), Field(fld4,false)}" +match("MESSAGE#38454:spp_portscan:02", "nwparser.payload", "End of portscan from %{saddr}: TOTAL time(%{fld1}) hosts(%{fld2}) %{fld3->} %{fld4}", processor_chain([ + dup61, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, +])); + +var msg38455 = msg("spp_portscan:02", part19); + +var msg38456 = msg("spp_portscan:03", dup194); + +var select2445 = linear_select([ + msg38453, + msg38454, + msg38455, + msg38456, +]); + +var part20 = // "Pattern{Constant('Portscan detected from '), Field(saddr,true), Constant(' Talker('), Field(fld1,false), Constant(') Scanner('), Field(fld2,false), Constant(')')}" +match("MESSAGE#38456:Portscan", "nwparser.payload", "Portscan detected from %{saddr->} Talker(%{fld1}) Scanner(%{fld2})", processor_chain([ + dup61, + dup31, + dup32, +])); + +var msg38457 = msg("Portscan", part20); + +var part21 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Hops: '), Field(result,false)}" +match("MESSAGE#38457:Hops_Change", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Hops: %{result}", processor_chain([ + dup127, + dup31, + dup32, + dup47, + dup129, +])); + +var msg38458 = msg("Hops_Change", part21); + +var msg38459 = msg("MAC_Information_Change", dup354); + +var msg38460 = msg("Additional_MAC_Detected_for", dup354); + +var part22 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' NETBIOS Name: '), Field(result,false)}" +match("MESSAGE#38460:NETBIOS_Name_Change", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} NETBIOS Name: %{result}", processor_chain([ + dup127, + dup31, + dup32, + dup47, + dup129, +])); + +var msg38461 = msg("NETBIOS_Name_Change", part22); + +var part23 = // "Pattern{Constant('MAC Address: '), Field(smacaddr,true), Constant(' Host Type: '), Field(p0,false)}" +match("MESSAGE#38461:New_Host/1_0", "nwparser.p0", "MAC Address: %{smacaddr->} Host Type: %{p0}"); + +var part24 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Host Type: '), Field(p0,false)}" +match("MESSAGE#38461:New_Host/1_1", "nwparser.p0", "IP Address: %{saddr->} Host Type: %{p0}"); + +var select2446 = linear_select([ + part23, + part24, +]); + +var part25 = // "Pattern{Field(fld7,false)}" +match_copy("MESSAGE#38461:New_Host/2", "nwparser.p0", "fld7"); + +var all68 = all_match({ + processors: [ + dup133, + select2446, + part25, + ], + on_success: processor_chain([ + dup127, + dup31, + dup32, + dup47, + dup129, + ]), +}); + +var msg38462 = msg("New_Host", all68); + +var part26 = // "Pattern{Constant('MAC Address: '), Field(smacaddr,true), Constant(' Network Protocol: '), Field(p0,false)}" +match("MESSAGE#38462:New_Network_Protocol/1_0", "nwparser.p0", "MAC Address: %{smacaddr->} Network Protocol: %{p0}"); + +var part27 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Network Protocol: '), Field(p0,false)}" +match("MESSAGE#38462:New_Network_Protocol/1_1", "nwparser.p0", "IP Address: %{saddr->} Network Protocol: %{p0}"); + +var select2447 = linear_select([ + part26, + part27, +]); + +var all69 = all_match({ + processors: [ + dup133, + select2447, + dup134, + ], + on_success: processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, + ]), +}); + +var msg38463 = msg("New_Network_Protocol", all69); + +var part28 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(protocol,false)}" +match("MESSAGE#38463:New_UDP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{protocol}", processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, +])); + +var msg38464 = msg("New_UDP_Service", part28); + +var part29 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Transport Protocol: '), Field(protocol,false)}" +match("MESSAGE#38464:New_Transport_Protocol", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Transport Protocol: %{protocol}", processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, +])); + +var msg38465 = msg("New_Transport_Protocol", part29); + +var msg38466 = msg("OS_Confidence_Update", dup183); + +var msg38467 = msg("OS_Information_Update", dup183); + +var msg38468 = msg("TCP_Service_Confidence_Update", dup184); + +var part30 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(p0,false)}" +match("MESSAGE#38468:TCP_Service_Information_Update/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); + +var all70 = all_match({ + processors: [ + part30, + dup185, + ], + on_success: processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, + ]), +}); + +var msg38469 = msg("TCP_Service_Information_Update", all70); + +var part31 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> MAC Address: '), Field(saddr,true), Constant(' VLAN ID: '), Field(sport,true), Constant(' Type: '), Field(protocol,true), Constant(' Priority: '), Field(threat_val,false)}" +match("MESSAGE#38469:VLAN_Tag_Information_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> MAC Address: %{saddr->} VLAN ID: %{sport->} Type: %{protocol->} Priority: %{threat_val}", processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, + dup45, +])); + +var msg38470 = msg("VLAN_Tag_Information_Update", part31); + +var part32 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' OS: '), Field(p0,false)}" +match("MESSAGE#38470:New_OS/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{p0}"); + +var part33 = // "Pattern{Field(os,true), Constant(' Device Info: '), Field(fld7,false)}" +match("MESSAGE#38470:New_OS/1_0", "nwparser.p0", "%{os->} Device Info: %{fld7}"); + +var part34 = // "Pattern{Field(os,false)}" +match_copy("MESSAGE#38470:New_OS/1_1", "nwparser.p0", "os"); + +var select2448 = linear_select([ + part33, + part34, +]); + +var all71 = all_match({ + processors: [ + part32, + select2448, + ], + on_success: processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, + ]), +}); + +var msg38471 = msg("New_OS", all71); + +var msg38472 = msg("New_Client_Application", dup186); + +var msg38473 = msg("Client_Application_Update", dup186); + +var msg38474 = msg("New_TCP_Service", dup187); + +var msg38475 = msg("TCP_Port_Closed", dup187); + +var msg38476 = msg("TCP_Port_Timeout", dup188); + +var part35 = // "Pattern{Field(context,true), Constant(' From '), Field(sensor,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' web browser '), Field(application,false)}" +match("MESSAGE#38476:Client_Application_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} web browser %{application}", processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, +])); + +var msg38477 = msg("Client_Application_Timeout", part35); + +var msg38478 = msg("Host_Timeout", dup188); + +var part36 = // "Pattern{Field(context,true), Constant(' From '), Field(sensor,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' OS'), Field(os,false)}" +match("MESSAGE#38478:Identity_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS%{os}", processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, +])); + +var msg38479 = msg("Identity_Timeout", part36); + +var part37 = // "Pattern{Field(context,true), Constant(' From '), Field(sensor,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Serv'), Field(p0,false)}" +match("MESSAGE#38479:Identity_Timeout:01/0", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Serv%{p0}"); + +var part38 = // "Pattern{Constant('ice'), Field(p0,false)}" +match("MESSAGE#38479:Identity_Timeout:01/1_0", "nwparser.p0", "ice%{p0}"); + +var part39 = // "Pattern{Constant('er'), Field(p0,false)}" +match("MESSAGE#38479:Identity_Timeout:01/1_1", "nwparser.p0", "er%{p0}"); + +var select2449 = linear_select([ + part38, + part39, +]); + +var part40 = // "Pattern{Field(,false), Constant('port: '), Field(sport,false), Constant('/'), Field(protocol,true), Constant(' '), Field(network_service,false)}" +match("MESSAGE#38479:Identity_Timeout:01/2", "nwparser.p0", "%{}port: %{sport}/%{protocol->} %{network_service}"); + +var all72 = all_match({ + processors: [ + part37, + select2449, + part40, + ], + on_success: processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, + ]), +}); + +var msg38480 = msg("Identity_Timeout:01", all72); + +var select2450 = linear_select([ + msg38479, + msg38480, +]); + +var msg38481 = msg("UDP_Port_Timeout", dup188); + +var msg38482 = msg("UDP_Service_Confidence_Update", dup184); + +var part41 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(protocol,true), Constant(' Confidence: '), Field(result,true), Constant(' Subtypes: '), Field(fld1,false)}" +match("MESSAGE#38482:UDP_Service_Information_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result->} Subtypes: %{fld1}", processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, +])); + +var msg38483 = msg("UDP_Service_Information_Update", part41); + +var msg38484 = msg("UDP_Service_Information_Update:01", dup184); + +var select2451 = linear_select([ + msg38483, + msg38484, +]); + +var part42 = // "Pattern{Field(context,true), Constant(' ['), Field(p0,false)}" +match("MESSAGE#38484:EmergingThreats/0", "nwparser.payload", "%{context->} [%{p0}"); + +var part43 = // "Pattern{Constant('Impact: '), Field(result,false), Constant('] From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(p0,false)}" +match("MESSAGE#38484:EmergingThreats/1_0", "nwparser.p0", "Impact: %{result}] From \"%{sensor}\" at %{fld6->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{p0}"); + +var part44 = // "Pattern{Constant('Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(p0,false)}" +match("MESSAGE#38484:EmergingThreats/1_1", "nwparser.p0", "Classification: %{sigtype}] [Priority: %{p0}"); + +var part45 = // "Pattern{Field(info,false), Constant('] [Priority: '), Field(p0,false)}" +match("MESSAGE#38484:EmergingThreats/1_2", "nwparser.p0", "%{info}] [Priority: %{p0}"); + +var select2452 = linear_select([ + part43, + part44, + part45, +]); + +var part46 = // "Pattern{Field(threat_val,true), Constant(' ]'), Field(p0,false)}" +match("MESSAGE#38484:EmergingThreats/2", "nwparser.p0", "%{threat_val->} ]%{p0}"); + +var all73 = all_match({ + processors: [ + part42, + select2452, + part46, + dup178, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup102, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + setf("sigid","hsigid"), + dup51, + dup76, + dup56, + ]), +}); + +var msg38485 = msg("EmergingThreats", all73); + +var part47 = // "Pattern{Constant('Pruned session from cache that was using '), Field(bytes,true), Constant(' bytes ('), Field(result,false), Constant('). '), Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' --> '), Field(daddr,true), Constant(' '), Field(fld2,true), Constant(' ('), Field(fld3,false), Constant(') : '), Field(info,false)}" +match("MESSAGE#38485:S5", "nwparser.payload", "Pruned session from cache that was using %{bytes->} bytes (%{result}). %{saddr->} %{fld1->} --> %{daddr->} %{fld2->} (%{fld3}) : %{info}", processor_chain([ + dup127, + dup31, + dup32, +])); + +var msg38486 = msg("S5", part47); + +var part48 = // "Pattern{Constant('Session exceeded configured max bytes to queue '), Field(fld4,true), Constant(' using '), Field(bytes,true), Constant(' bytes ('), Field(result,false), Constant('). '), Field(saddr,true), Constant(' '), Field(fld1,true), Constant(' --> '), Field(daddr,true), Constant(' '), Field(fld2,true), Constant(' ('), Field(fld3,false), Constant(') : '), Field(info,false)}" +match("MESSAGE#38486:S5:01", "nwparser.payload", "Session exceeded configured max bytes to queue %{fld4->} using %{bytes->} bytes (%{result}). %{saddr->} %{fld1->} --> %{daddr->} %{fld2->} (%{fld3}) : %{info}", processor_chain([ + dup127, + dup31, + dup32, +])); + +var msg38487 = msg("S5:01", part48); + +var select2453 = linear_select([ + msg38486, + msg38487, +]); + +var part49 = // "Pattern{Constant('Login, Login Success'), Field(,false)}" +match("MESSAGE#38487:SystemSettings:01", "nwparser.payload", "Login, Login Success%{}", processor_chain([ + dup112, + dup31, + dup32, + dup137, + dup138, + dup139, + dup140, + dup141, + dup47, + dup142, + dup143, +])); + +var msg38488 = msg("SystemSettings:01", part49); + +var part50 = // "Pattern{Constant('Logout, Logout Success'), Field(,false)}" +match("MESSAGE#38488:SystemSettings:02", "nwparser.payload", "Logout, Logout Success%{}", processor_chain([ + setc("eventcategory","1802000000"), + dup31, + dup32, + dup137, + dup144, + dup139, + dup140, + dup141, + dup47, + dup142, + dup143, +])); + +var msg38489 = msg("SystemSettings:02", part50); + +var part51 = // "Pattern{Constant('System > '), Field(info,false)}" +match("MESSAGE#38489:SystemSettings:03", "nwparser.payload", "System > %{info}", processor_chain([ + dup127, + dup31, + dup32, + dup141, + dup47, + dup142, + dup143, + setc("category","System"), +])); + +var msg38490 = msg("SystemSettings:03", part51); + +var part52 = // "Pattern{Constant('Policies > '), Field(info,false)}" +match("MESSAGE#38490:SystemSettings:04", "nwparser.payload", "Policies > %{info}", processor_chain([ + dup127, + dup31, + dup32, + dup141, + dup47, + dup142, + dup143, + setc("category","Policies"), +])); + +var msg38491 = msg("SystemSettings:04", part52); + +var part53 = // "Pattern{Constant('Object > '), Field(info,false)}" +match("MESSAGE#38491:SystemSettings:05", "nwparser.payload", "Object > %{info}", processor_chain([ + dup127, + dup31, + dup32, + dup141, + dup47, + dup142, + dup143, +])); + +var msg38492 = msg("SystemSettings:05", part53); + +var part54 = // "Pattern{Constant('Overview > '), Field(info,false)}" +match("MESSAGE#38492:SystemSettings:06", "nwparser.payload", "Overview > %{info}", processor_chain([ + dup127, + dup31, + dup32, + dup141, + dup47, + dup142, + dup143, +])); + +var msg38493 = msg("SystemSettings:06", part54); + +var part55 = // "Pattern{Constant('Task Queue, '), Field(info,false)}" +match("MESSAGE#38493:SystemSettings:07", "nwparser.payload", "Task Queue, %{info}", processor_chain([ + dup127, + dup31, + dup32, + dup141, + dup47, + dup142, + dup143, + setc("category","Task Queue"), +])); + +var msg38494 = msg("SystemSettings:07", part55); + +var part56 = // "Pattern{Constant('Intrusion Policy > '), Field(info,false)}" +match("MESSAGE#38494:SystemSettings:08", "nwparser.payload", "Intrusion Policy > %{info}", processor_chain([ + dup127, + dup31, + dup32, + dup141, + dup47, + dup142, + dup143, + setc("category","Intrusion Policy"), +])); + +var msg38495 = msg("SystemSettings:08", part56); + +var part57 = // "Pattern{Constant('Analysis & Reporting '), Field(p0,false)}" +match("MESSAGE#38495:SystemSettings:09/0", "nwparser.payload", "Analysis \u0026 Reporting %{p0}"); + +var part58 = // "Pattern{Constant(','), Field(p0,false)}" +match("MESSAGE#38495:SystemSettings:09/1_1", "nwparser.p0", ",%{p0}"); + +var select2454 = linear_select([ + dup145, + part58, +]); + +var part59 = // "Pattern{Field(,true), Constant(' '), Field(info,false)}" +match("MESSAGE#38495:SystemSettings:09/2", "nwparser.p0", "%{} %{info}"); + +var all74 = all_match({ + processors: [ + part57, + select2454, + part59, + ], + on_success: processor_chain([ + dup127, + dup31, + dup32, + dup141, + dup47, + dup142, + dup143, + setc("category","Analysis \u0026 Reporting"), + ]), +}); + +var msg38496 = msg("SystemSettings:09", all74); + +var part60 = // "Pattern{Constant('Heartbeat, '), Field(info,false)}" +match("MESSAGE#38496:SystemSettings:10", "nwparser.payload", "Heartbeat, %{info}", processor_chain([ + dup127, + dup31, + dup32, + dup141, + dup47, + dup142, + dup143, + setc("category","Heartbeat"), +])); + +var msg38497 = msg("SystemSettings:10", part60); + +var part61 = // "Pattern{Constant('FailD, '), Field(info,false)}" +match("MESSAGE#38497:SystemSettings:11", "nwparser.payload", "FailD, %{info}", processor_chain([ + dup127, + dup31, + dup32, + dup141, + dup47, + dup142, + dup143, +])); + +var msg38498 = msg("SystemSettings:11", part61); + +var part62 = // "Pattern{Constant('Health > '), Field(info,false)}" +match("MESSAGE#38498:SystemSettings:12", "nwparser.payload", "Health > %{info}", processor_chain([ + dup127, + dup31, + dup32, + dup141, + dup47, + dup142, + dup143, + setc("category","Health"), +])); + +var msg38499 = msg("SystemSettings:12", part62); + +var part63 = // "Pattern{Constant('Session Expiration, '), Field(info,false)}" +match("MESSAGE#38499:SystemSettings:13", "nwparser.payload", "Session Expiration, %{info}", processor_chain([ + dup127, + dup31, + dup32, + dup141, + dup47, + dup142, + dup143, + dup146, +])); + +var msg38500 = msg("SystemSettings:13", part63); + +var part64 = // "Pattern{Constant('Analysis '), Field(info,false)}" +match("MESSAGE#38500:SystemSettings:14", "nwparser.payload", "Analysis %{info}", processor_chain([ + dup127, + dup31, + dup32, + dup141, + dup47, + dup142, + dup143, + dup146, +])); + +var msg38501 = msg("SystemSettings:14", part64); + +var part65 = // "Pattern{Constant('Devices '), Field(info,false)}" +match("MESSAGE#38501:SystemSettings:15", "nwparser.payload", "Devices %{info}", processor_chain([ + dup127, + dup31, + dup32, + dup141, + dup47, + dup142, + dup143, + dup146, +])); + +var msg38502 = msg("SystemSettings:15", part65); + +var part66 = // "Pattern{Constant('Intrusion Events,'), Field(info,false)}" +match("MESSAGE#38502:SystemSettings:16", "nwparser.payload", "Intrusion Events,%{info}", processor_chain([ + dup127, + dup31, + dup32, + dup141, + dup47, + dup142, + dup143, + setc("category","Intrusion Events"), +])); + +var msg38503 = msg("SystemSettings:16", part66); + +var part67 = // "Pattern{Constant('Login, Login Failed'), Field(,false)}" +match("MESSAGE#38503:SystemSettings:17", "nwparser.payload", "Login, Login Failed%{}", processor_chain([ + dup91, + dup31, + dup137, + dup138, + dup139, + setc("ec_outcome","Failure"), + dup32, + dup141, + dup47, + dup142, + dup143, + setc("event_description","Login Failed"), +])); + +var msg38504 = msg("SystemSettings:17", part67); + +var part68 = // "Pattern{Constant('Command Line,'), Field(info,false)}" +match("MESSAGE#38504:SystemSettings:18", "nwparser.payload", "Command Line,%{info}", processor_chain([ + dup127, + dup31, + dup32, + dup141, + dup47, + dup142, + dup143, +])); + +var msg38505 = msg("SystemSettings:18", part68); + +var part69 = // "Pattern{Constant('Access Control Policy > '), Field(info,false)}" +match("MESSAGE#38505:SystemSettings:19", "nwparser.payload", "Access Control Policy > %{info}", processor_chain([ + dup127, + dup31, + dup32, + dup141, + dup47, + dup142, + dup143, +])); + +var msg38506 = msg("SystemSettings:19", part69); + +var part70 = // "Pattern{Field(info,false)}" +match_copy("MESSAGE#38506:SystemSettings:20", "nwparser.payload", "info", processor_chain([ + dup127, + dup31, + dup32, + dup141, + dup47, + dup142, + dup143, +])); + +var msg38507 = msg("SystemSettings:20", part70); + +var select2455 = linear_select([ + msg38488, + msg38489, + msg38490, + msg38491, + msg38492, + msg38493, + msg38494, + msg38495, + msg38496, + msg38497, + msg38498, + msg38499, + msg38500, + msg38501, + msg38502, + msg38503, + msg38504, + msg38505, + msg38506, + msg38507, +]); + +var msg38508 = msg("2100651", dup192); + +var msg38509 = msg("2101384", dup192); + +var msg38510 = msg("2101390", dup192); + +var msg38511 = msg("2101424", dup192); + +var msg38512 = msg("2101432", dup192); + +var msg38513 = msg("2101867", dup192); + +var msg38514 = msg("2101918", dup192); + +var part71 = // "Pattern{Field(url,false), Constant(', Interface Ingress: '), Field(dinterface,false), Constant(', Interface Egress: '), Field(sinterface,false), Constant(', Security Zone Ingress: '), Field(dst_zone,false), Constant(', Security Zone Egress: '), Field(src_zone,false), Constant(', Security Intelligence Matching IP: '), Field(fld4,false), Constant(', Security Intelligence Category: '), Field(fld5,false), Constant(', Client Version: '), Field(version,false), Constant(', Number of File Events: '), Field(dclass_counter1,false), Constant(', Number of IPS Events: '), Field(dclass_counter2,false), Constant(', TCP Flags: '), Field(fld6,false), Constant(', NetBIOS Domain: '), Field(domain_id,false), Constant(', Initiator Packets: '), Field(fld7,false), Constant(', Responder Packets: '), Field(fld8,false), Constant(', Initiator Bytes: '), Field(rbytes,false), Constant(', Responder Bytes: '), Field(sbytes,false), Constant(', Context: '), Field(context,false), Constant(', SSL Rule Name: '), Field(fld9,false), Constant(', SSL Flow Status: '), Field(fld10,false), Constant(', SSL Cipher Suite: '), Field(fld11,false), Constant(', SSL Certificate: '), Field(fld12,false), Constant(', SSL Subject CN: '), Field(fld13,false), Constant(', SSL Subject Country: '), Field(fld14,false), Constant(', SSL Subject OU: '), Field(fld15,false), Constant(', SSL Subject Org: '), Field(fld16,false), Constant(', SSL Issuer CN: '), Field(fld17,false), Constant(', SSL Issuer Country: '), Field(fld18,false), Constant(', SSL Issuer OU: '), Field(fld19,false), Constant(', SSL Issuer Org: '), Field(fld20,false), Constant(', SSL Valid Start Date: '), Field(fld21,false), Constant(', SSL Valid End Date: '), Field(fld22,false), Constant(', SSL Version: '), Field(fld23,false), Constant(', SSL Server Certificate Status: '), Field(fld24,false), Constant(', SSL Actual Action: '), Field(fld25,false), Constant(', SSL Expected Action: '), Field(fld26,false), Constant(', SSL Server Name: '), Field(fld27,false), Constant(', SSL URL Category: '), Field(fld28,false), Constant(', SSL Session ID: '), Field(fld29,false), Constant(', SSL Ticket Id: '), Field(fld30,false), Constant(', {'), Field(protocol,false), Constant('} '), Field(saddr,true), Constant(' -> '), Field(daddr,false), Constant(', type:'), Field(event_type,false), Constant(', code:'), Field(event_description,false)}" +match("MESSAGE#38514:Primary_Detection_Engine/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{sbytes}, Context: %{context}, SSL Rule Name: %{fld9}, SSL Flow Status: %{fld10}, SSL Cipher Suite: %{fld11}, SSL Certificate: %{fld12}, SSL Subject CN: %{fld13}, SSL Subject Country: %{fld14}, SSL Subject OU: %{fld15}, SSL Subject Org: %{fld16}, SSL Issuer CN: %{fld17}, SSL Issuer Country: %{fld18}, SSL Issuer OU: %{fld19}, SSL Issuer Org: %{fld20}, SSL Valid Start Date: %{fld21}, SSL Valid End Date: %{fld22}, SSL Version: %{fld23}, SSL Server Certificate Status: %{fld24}, SSL Actual Action: %{fld25}, SSL Expected Action: %{fld26}, SSL Server Name: %{fld27}, SSL URL Category: %{fld28}, SSL Session ID: %{fld29}, SSL Ticket Id: %{fld30}, {%{protocol}} %{saddr->} -> %{daddr}, type:%{event_type}, code:%{event_description}"); + +var all75 = all_match({ + processors: [ + dup147, + dup189, + part71, + ], + on_success: processor_chain([ + dup150, + dup31, + dup32, + dup47, + dup151, + dup152, + ]), +}); + +var msg38515 = msg("Primary_Detection_Engine", all75); + +var part72 = // "Pattern{Field(url,false), Constant(', Interface Ingress: '), Field(dinterface,false), Constant(', Interface Egress: '), Field(sinterface,false), Constant(', Security Zone Ingress: '), Field(dst_zone,false), Constant(', Security Zone Egress: '), Field(src_zone,false), Constant(', Security Intelligence Matching IP: '), Field(fld4,false), Constant(', Security Intelligence Category: '), Field(fld5,false), Constant(', Client Version: '), Field(version,false), Constant(', Number of File Events: '), Field(dclass_counter1,false), Constant(', Number of IPS Events: '), Field(dclass_counter2,false), Constant(', TCP Flags: '), Field(fld6,false), Constant(', NetBIOS Domain: '), Field(domain_id,false), Constant(', Initiator Packets: '), Field(fld7,false), Constant(', Responder Packets: '), Field(fld8,false), Constant(', Initiator Bytes: '), Field(rbytes,false), Constant(', Responder Bytes: '), Field(sbytes,false), Constant(', Context: '), Field(context,false), Constant(', SSL Rule Name: '), Field(fld9,false), Constant(', SSL Flow Status: '), Field(fld10,false), Constant(', SSL Cipher Suite: '), Field(fld11,false), Constant(', SSL Certificate: '), Field(fld12,false), Constant(', SSL Subject CN: '), Field(fld13,false), Constant(', SSL Subject Country: '), Field(fld14,false), Constant(', SSL Subject OU: '), Field(fld15,false), Constant(', SSL Subject Org: '), Field(fld16,false), Constant(', SSL Issuer CN: '), Field(fld17,false), Constant(', SSL Issuer Country: '), Field(fld18,false), Constant(', SSL Issuer OU: '), Field(fld19,false), Constant(', SSL Issuer Org: '), Field(fld20,false), Constant(', SSL Valid Start Date: '), Field(fld21,false), Constant(', SSL Valid End Date: '), Field(fld22,false), Constant(', SSL Version: '), Field(fld23,false), Constant(', SSL Server Certificate Status: '), Field(fld24,false), Constant(', SSL Actual Action: '), Field(fld25,false), Constant(', SSL Expected Action: '), Field(fld26,false), Constant(', SSL Server Name: '), Field(fld27,false), Constant(', SSL URL Category: '), Field(fld28,false), Constant(', SSL Session ID: '), Field(fld29,false), Constant(', SSL Ticket Id: '), Field(fld30,false), Constant(', {'), Field(protocol,false), Constant('} '), Field(p0,false)}" +match("MESSAGE#38515:Primary_Detection_Engine:01/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{sbytes}, Context: %{context}, SSL Rule Name: %{fld9}, SSL Flow Status: %{fld10}, SSL Cipher Suite: %{fld11}, SSL Certificate: %{fld12}, SSL Subject CN: %{fld13}, SSL Subject Country: %{fld14}, SSL Subject OU: %{fld15}, SSL Subject Org: %{fld16}, SSL Issuer CN: %{fld17}, SSL Issuer Country: %{fld18}, SSL Issuer OU: %{fld19}, SSL Issuer Org: %{fld20}, SSL Valid Start Date: %{fld21}, SSL Valid End Date: %{fld22}, SSL Version: %{fld23}, SSL Server Certificate Status: %{fld24}, SSL Actual Action: %{fld25}, SSL Expected Action: %{fld26}, SSL Server Name: %{fld27}, SSL URL Category: %{fld28}, SSL Session ID: %{fld29}, SSL Ticket Id: %{fld30}, {%{protocol}} %{p0}"); + +var all76 = all_match({ + processors: [ + dup147, + dup189, + part72, + dup173, + dup174, + ], + on_success: processor_chain([ + dup150, + dup31, + dup32, + dup47, + dup151, + dup152, + ]), +}); + +var msg38516 = msg("Primary_Detection_Engine:01", all76); + +var part73 = // "Pattern{Field(url,false), Constant(', Interface Ingress: '), Field(dinterface,false), Constant(', Interface Egress: '), Field(sinterface,false), Constant(', Security Zone Ingress: '), Field(dst_zone,false), Constant(', Security Zone Egress: '), Field(src_zone,false), Constant(', Security Intelligence Matching IP: '), Field(fld4,false), Constant(', Security Intelligence Category: '), Field(fld5,false), Constant(', Client Version: '), Field(version,false), Constant(', Number of File Events: '), Field(dclass_counter1,false), Constant(', Number of IPS Events: '), Field(dclass_counter2,false), Constant(', TCP Flags: '), Field(fld6,false), Constant(', NetBIOS Domain: '), Field(domain_id,false), Constant(', Initiator Packets: '), Field(fld7,false), Constant(', Responder Packets: '), Field(fld8,false), Constant(', Initiator Bytes: '), Field(rbytes,false), Constant(', Responder Bytes: '), Field(p0,false)}" +match("MESSAGE#38516:Primary_Detection_Engine:02/2", "nwparser.p0", "%{url}, Interface Ingress: %{dinterface}, Interface Egress: %{sinterface}, Security Zone Ingress: %{dst_zone}, Security Zone Egress: %{src_zone}, Security Intelligence Matching IP: %{fld4}, Security Intelligence Category: %{fld5}, Client Version: %{version}, Number of File Events: %{dclass_counter1}, Number of IPS Events: %{dclass_counter2}, TCP Flags: %{fld6}, NetBIOS Domain: %{domain_id}, Initiator Packets: %{fld7}, Responder Packets: %{fld8}, Initiator Bytes: %{rbytes}, Responder Bytes: %{p0}"); + +var part74 = // "Pattern{Field(sbytes,false), Constant(', Context: '), Field(context,true), Constant(' {'), Field(p0,false)}" +match("MESSAGE#38516:Primary_Detection_Engine:02/3_0", "nwparser.p0", "%{sbytes}, Context: %{context->} {%{p0}"); + +var part75 = // "Pattern{Field(sbytes,true), Constant(' {'), Field(p0,false)}" +match("MESSAGE#38516:Primary_Detection_Engine:02/3_1", "nwparser.p0", "%{sbytes->} {%{p0}"); + +var select2456 = linear_select([ + part74, + part75, +]); + +var all77 = all_match({ + processors: [ + dup147, + dup189, + part73, + select2456, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup150, + dup31, + dup32, + dup47, + dup151, + dup152, + ]), +}); + +var msg38517 = msg("Primary_Detection_Engine:02", all77); + +var part76 = // "Pattern{Constant('"'), Field(context,false), Constant('" [Classification:'), Field(sigtype,false), Constant('] User:'), Field(username,false), Constant(', Application:'), Field(application,false), Constant(', Client:'), Field(fld12,false), Constant(', App Protocol:'), Field(fld14,false), Constant(', Interface Ingress:'), Field(dinterface,false), Constant(', Interface Egress:'), Field(sinterface,false), Constant(', Security Zone Ingress:'), Field(dst_zone,false), Constant(', Security Zone Egress:'), Field(src_zone,false), Constant(', Context:'), Field(fld13,false), Constant(', SSL Flow Status:'), Field(fld1,false), Constant(', SSL Actual Action:'), Field(fld22,false), Constant(', SSL Certificate:'), Field(fld3,false), Constant(', SSL Subject CN:'), Field(fld4,false), Constant(', SSL Subject Country:'), Field(fld5,false), Constant(', SSL Subject OU:'), Field(fld6,false), Constant(', SSL Subject Org:'), Field(fld7,false), Constant(', SSL Issuer CN:'), Field(fld8,false), Constant(', SSL Issuer Country:'), Field(fld9,false), Constant(', SSL Issuer OU:'), Field(fld10,false), Constant(', SSL Issuer Org:'), Field(fld11,false), Constant(', SSL Valid Start Date:'), Field(fld12,false), Constant(', SSL Valid End Date:'), Field(fld13,false), Constant(', [Priority:'), Field(threat_val,false), Constant('] {'), Field(protocol,false), Constant('}'), Field(saddr,false), Constant(':'), Field(sport,false), Constant('->'), Field(daddr,false), Constant(':'), Field(dport,false)}" +match("MESSAGE#38517:Primary_Detection_Engine:03", "nwparser.payload", "\"%{context}\" [Classification:%{sigtype}] User:%{username}, Application:%{application}, Client:%{fld12}, App Protocol:%{fld14}, Interface Ingress:%{dinterface}, Interface Egress:%{sinterface}, Security Zone Ingress:%{dst_zone}, Security Zone Egress:%{src_zone}, Context:%{fld13}, SSL Flow Status:%{fld1}, SSL Actual Action:%{fld22}, SSL Certificate:%{fld3}, SSL Subject CN:%{fld4}, SSL Subject Country:%{fld5}, SSL Subject OU:%{fld6}, SSL Subject Org:%{fld7}, SSL Issuer CN:%{fld8}, SSL Issuer Country:%{fld9}, SSL Issuer OU:%{fld10}, SSL Issuer Org:%{fld11}, SSL Valid Start Date:%{fld12}, SSL Valid End Date:%{fld13}, [Priority:%{threat_val}] {%{protocol}}%{saddr}:%{sport}->%{daddr}:%{dport}", processor_chain([ + dup44, + dup31, + dup32, + dup48, + setf("sigid","id"), + setf("version","hfld3"), + dup45, +])); + +var msg38518 = msg("Primary_Detection_Engine:03", part76); + +var select2457 = linear_select([ + msg38515, + msg38516, + msg38517, + msg38518, +]); + +var part77 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC > Sha256: '), Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(saddr,false), Constant('>'), Field(daddr,false)}" +match("MESSAGE#38518:Network_Based_Malware", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC > Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{saddr}>%{daddr}", processor_chain([ + dup100, + dup31, + dup129, + dup32, + dup47, +])); + +var msg38519 = msg("Network_Based_Malware", part77); + +var part78 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -'), Field(p0,false)}" +match("MESSAGE#38519:Network_Based_Malware:01/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -%{p0}"); + +var part79 = // "Pattern{Constant('*>'), Field(p0,false)}" +match("MESSAGE#38519:Network_Based_Malware:01/1_0", "nwparser.p0", "*>%{p0}"); + +var select2458 = linear_select([ + part79, + dup145, +]); + +var part80 = // "Pattern{Field(,true), Constant(' '), Field(space,false), Constant('Sha256: '), Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(daddr,false), Constant('<<-'), Field(saddr,false)}" +match("MESSAGE#38519:Network_Based_Malware:01/2", "nwparser.p0", "%{} %{space}Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}"); + +var all78 = all_match({ + processors: [ + part78, + select2458, + part80, + ], + on_success: processor_chain([ + dup100, + dup31, + dup129, + dup32, + dup47, + ]), +}); + +var msg38520 = msg("Network_Based_Malware:01", all78); + +var part81 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> Sha256: '), Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(saddr,false), Constant('->'), Field(daddr,false)}" +match("MESSAGE#38520:Network_Based_Malware:02", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{saddr}->%{daddr}", processor_chain([ + dup100, + dup31, + dup129, + dup32, + dup47, +])); + +var msg38521 = msg("Network_Based_Malware:02", part81); + +var select2459 = linear_select([ + msg38519, + msg38520, + msg38521, +]); + +var part82 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC '), Field(p0,false)}" +match("MESSAGE#38521:Network_Based_Retrospective/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC %{p0}"); + +var part83 = // "Pattern{Constant('Sha256: '), Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(p0,false)}" +match("MESSAGE#38521:Network_Based_Retrospective/2", "nwparser.p0", "Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{p0}"); + +var part84 = // "Pattern{Field(saddr,false), Constant('->'), Field(p0,false)}" +match("MESSAGE#38521:Network_Based_Retrospective/3_0", "nwparser.p0", "%{saddr}->%{p0}"); + +var part85 = // "Pattern{Field(saddr,false), Constant('>'), Field(p0,false)}" +match("MESSAGE#38521:Network_Based_Retrospective/3_1", "nwparser.p0", "%{saddr}>%{p0}"); + +var select2460 = linear_select([ + part84, + part85, +]); + +var all79 = all_match({ + processors: [ + part82, + dup190, + part83, + select2460, + dup43, + ], + on_success: processor_chain([ + dup100, + dup31, + dup129, + dup32, + dup47, + ]), +}); + +var msg38522 = msg("Network_Based_Retrospective", all79); + +var part86 = // "Pattern{Constant('Sha256: '), Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(p0,false)}" +match("MESSAGE#38522:Network_Based_Retrospective:01/4", "nwparser.p0", "Sha256: %{checksum->} Disposition: %{disposition->} Threat name: %{p0}"); + +var part87 = // "Pattern{Field(threat_name,true), Constant(' IP Addresses: '), Field(daddr,false), Constant('<<-'), Field(saddr,false)}" +match("MESSAGE#38522:Network_Based_Retrospective:01/5_0", "nwparser.p0", "%{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}"); + +var part88 = // "Pattern{Field(threat_name,false)}" +match_copy("MESSAGE#38522:Network_Based_Retrospective:01/5_1", "nwparser.p0", "threat_name"); + +var select2461 = linear_select([ + part87, + part88, +]); + +var all80 = all_match({ + processors: [ + dup57, + dup191, + dup157, + dup190, + part86, + select2461, + ], + on_success: processor_chain([ + dup100, + dup31, + dup129, + dup32, + dup47, + ]), +}); + +var msg38523 = msg("Network_Based_Retrospective:01", all80); + +var select2462 = linear_select([ + msg38522, + msg38523, +]); + +var part89 = // "Pattern{Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(daddr,false), Constant('<<-'), Field(saddr,false)}" +match("MESSAGE#38523:MALWARE:02", "nwparser.payload", "%{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{daddr}\u003c\u003c-%{saddr}", processor_chain([ + dup100, + dup32, + dup47, + dup158, +])); + +var msg38524 = msg("MALWARE:02", part89); + +var part90 = // "Pattern{Field(checksum,true), Constant(' Disposition: '), Field(disposition,true), Constant(' Threat name: '), Field(threat_name,true), Constant(' IP Addresses: '), Field(saddr,false), Constant('->'), Field(daddr,false)}" +match("MESSAGE#38524:MALWARE:01", "nwparser.payload", "%{checksum->} Disposition: %{disposition->} Threat name: %{threat_name->} IP Addresses: %{saddr}->%{daddr}", processor_chain([ + dup100, + dup32, + dup47, + dup158, +])); + +var msg38525 = msg("MALWARE:01", part90); + +var part91 = // "Pattern{Field(threat_val,false)}" +match_copy("MESSAGE#38537:MALWARE", "nwparser.payload", "threat_val", processor_chain([ + dup71, + dup31, + dup45, + dup32, +])); + +var msg38526 = msg("MALWARE", part91); + +var select2463 = linear_select([ + msg38524, + msg38525, + msg38526, +]); + +var all81 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup71, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var msg38527 = msg("Snort_AlertLog", all81); + +var part92 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Port: '), Field(p0,false)}" +match("MESSAGE#38526:New_TCP_Port/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{p0}"); + +var part93 = // "Pattern{Field(sport,true), Constant(' Service: '), Field(protocol,true), Constant(' Confidence: '), Field(result,false)}" +match("MESSAGE#38526:New_TCP_Port/5_0", "nwparser.p0", "%{sport->} Service: %{protocol->} Confidence: %{result}"); + +var part94 = // "Pattern{Field(sport,false)}" +match_copy("MESSAGE#38526:New_TCP_Port/5_1", "nwparser.p0", "sport"); + +var select2464 = linear_select([ + part93, + part94, +]); + +var all82 = all_match({ + processors: [ + dup57, + dup191, + dup157, + dup190, + part92, + select2464, + ], + on_success: processor_chain([ + dup135, + dup31, + dup32, + dup47, + ]), +}); + +var msg38528 = msg("New_TCP_Port", all82); + +var part95 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,false)}" +match("MESSAGE#38527:New_UDP_Port/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport}"); + +var all83 = all_match({ + processors: [ + dup57, + dup191, + dup157, + dup190, + part95, + ], + on_success: processor_chain([ + dup135, + dup31, + dup32, + dup47, + ]), +}); + +var msg38529 = msg("New_UDP_Port", all83); + +var msg38530 = msg("Client_Update", dup355); + +var msg38531 = msg("New_Client", dup355); + +var msg38532 = msg("UDP_Server_Information_Update", dup356); + +var msg38533 = msg("TCP_Server_Information_Update", dup356); + +var part96 = // "Pattern{Constant('From '), Field(sensor,true), Constant(' at '), Field(p0,false)}" +match("MESSAGE#38532:Client_Timeout/1_1", "nwparser.p0", "From %{sensor->} at %{p0}"); + +var select2465 = linear_select([ + dup155, + part96, + dup156, +]); + +var all84 = all_match({ + processors: [ + dup57, + select2465, + dup157, + dup190, + dup159, + ], + on_success: processor_chain([ + dup135, + dup31, + dup32, + dup47, + ]), +}); + +var msg38534 = msg("Client_Timeout", all84); + +var part97 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Category: '), Field(category,true), Constant(' Event Type: '), Field(event_type,false)}" +match("MESSAGE#38533:Host_IOC_Set/4", "nwparser.p0", "IP Address: %{saddr->} Category: %{category->} Event Type: %{event_type}"); + +var all85 = all_match({ + processors: [ + dup57, + dup191, + dup157, + dup190, + part97, + ], + on_success: processor_chain([ + dup135, + dup31, + dup32, + dup47, + ]), +}); + +var msg38535 = msg("Host_IOC_Set", all85); + +var part98 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Host Type: '), Field(fld10,false)}" +match("MESSAGE#38534:Host_Type_Changed/4", "nwparser.p0", "IP Address: %{saddr->} Host Type: %{fld10}"); + +var all86 = all_match({ + processors: [ + dup57, + dup191, + dup157, + dup190, + part98, + ], + on_success: processor_chain([ + dup135, + dup31, + dup32, + dup47, + ]), +}); + +var msg38536 = msg("Host_Type_Changed", all86); + +var part99 = // "Pattern{Constant('Login Success'), Field(,false)}" +match("MESSAGE#38535:Login", "nwparser.payload", "Login Success%{}", processor_chain([ + dup112, + dup31, + dup32, + dup137, + dup138, + dup139, + dup140, + dup47, +])); + +var msg38537 = msg("Login", part99); + +var part100 = // "Pattern{Constant('Logout Success'), Field(,false)}" +match("MESSAGE#38536:Logout", "nwparser.payload", "Logout Success%{}", processor_chain([ + setc("eventcategory","1401070000"), + dup31, + dup32, + dup137, + dup144, + dup139, + dup140, + dup47, +])); + +var msg38538 = msg("Logout", part100); + +var part101 = tagval("MESSAGE#38538:connection_events", "nwparser.payload", tvm, { + "ACPolicy": "fld44", + "AccessControlRuleAction": "action", + "AccessControlRuleName": "rulename", + "AccessControlRuleReason": "result", + "ApplicationProtocol": "protocol", + "Classification": "risk_info", + "Client": "application", + "ClientVersion": "version", + "ConnectType": "event_state", + "DE": "fld16", + "DNSQuery": "obj_name", + "DNSRecordType": "obj_type", + "DNSResponseType": "fld17", + "DNS_TTL": "fld7", + "DstIP": "daddr", + "DstPort": "dport", + "EgressInterface": "sinterface", + "EgressZone": "src_zone", + "FileCount": "dclass_counter1", + "GID": "fld28", + "HTTPReferer": "web_ref_host", + "HTTPResponse": "resultcode", + "ICMPCode": "resultcode", + "ICMPType": "event_type", + "IPReputationSICategory": "threat_name", + "IngressInterface": "dinterface", + "IngressZone": "dst_zone", + "InitiatorBytes": "sbytes", + "InitiatorPackets": "fld14", + "Message": "fld49", + "NAPPolicy": "policyname", + "OriginalClientIP": "fld1", + "Policy": "policyname", + "Prefilter Policy": "fld2", + "Priority": "threat_val", + "ReferencedHost": "fld3", + "ResponderBytes": "rbytes", + "ResponderPackets": "fld13", + "Revision": "fld46", + "SID": "sid", + "Sinkhole": "fld15", + "SrcIP": "saddr", + "SrcPort": "sport", + "TCPFlags": "fld12", + "URL": "url", + "URLCategory": "category", + "URLReputation": "reputation_num", + "User": "fld48", + "UserAgent": "user_agent", + "UserName": "username", + "WebApplication": "application", +}, processor_chain([ + dup150, + dup31, + dup32, + dup47, + setc("dclass_counter1_string","Number of Files"), + setf("protocol","hprotocol"), + lookup({ + dest: "nwparser.event_cat", + map: map_getEventLegacyCategory, + key: field("sid"), + }), + lookup({ + dest: "nwparser.event_cat_name", + map: map_getEventLegacyCategoryName, + key: field("event_cat"), + }), + call({ + dest: "nwparser.info", + fn: RMQ, + args: [ + field("fld49"), + ], + }), + dup45, + fqdn("fqdn","url"), + path("directory","url"), + page("filename_tmp","url"), + ext("web_extension_tmp","url"), + query("web_query","url"), + call({ + dest: "nwparser.filename", + fn: STRCAT, + args: [ + field("filename_tmp"), + field("web_extension_tmp"), + ], + }), +])); + +var msg38539 = msg("connection_events", part101); + +var part102 = // "Pattern{Constant('SrcIP: '), Field(daddr,false), Constant(', DstIP: '), Field(saddr,false), Constant(', SrcPort: '), Field(dport,false), Constant(', DstPort: '), Field(sport,false), Constant(', Protocol: '), Field(protocol,false), Constant(', FileDirection: Download, FileAction: '), Field(action,false), Constant(', FileSHA256: '), Field(checksum,false), Constant(', SHA_Disposition: '), Field(disposition,false), Constant(', SperoDisposition: '), Field(info,false), Constant(', ThreatName: '), Field(threat_name,false), Constant(', ThreatScore: '), Field(fld1,false), Constant(', FileName: '), Field(filename,false), Constant(', FileType: '), Field(filetype,false), Constant(', FileSize: '), Field(filename_size,false), Constant(', ApplicationProtocol: '), Field(protocol,false), Constant(', Client: '), Field(application,false), Constant(', User: '), Field(username,false), Constant(', FirstPacketSecond: '), Field(fld21,false), Constant(', FilePolicy: '), Field(policyname,false), Constant(', FileSandboxStatus: '), Field(result,false), Constant(', URI: '), Field(url,false)}" +match("MESSAGE#38539:FTD_events_01", "nwparser.payload", "SrcIP: %{daddr}, DstIP: %{saddr}, SrcPort: %{dport}, DstPort: %{sport}, Protocol: %{protocol}, FileDirection: Download, FileAction: %{action}, FileSHA256: %{checksum}, SHA_Disposition: %{disposition}, SperoDisposition: %{info}, ThreatName: %{threat_name}, ThreatScore: %{fld1}, FileName: %{filename}, FileType: %{filetype}, FileSize: %{filename_size}, ApplicationProtocol: %{protocol}, Client: %{application}, User: %{username}, FirstPacketSecond: %{fld21}, FilePolicy: %{policyname}, FileSandboxStatus: %{result}, URI: %{url}", processor_chain([ + dup150, + dup161, + dup162, + dup163, + dup32, + dup164, + setc("context","Download"), +])); + +var msg38540 = msg("FTD_events_01", part102); + +var part103 = // "Pattern{Constant('SrcIP: '), Field(saddr,false), Constant(', DstIP: '), Field(daddr,false), Constant(', SrcPort: '), Field(sport,false), Constant(', DstPort: '), Field(dport,false), Constant(', Protocol: '), Field(protocol,false), Constant(', FileDirection: Upload, FileAction: '), Field(action,false), Constant(', FileSHA256: '), Field(checksum,false), Constant(', SHA_Disposition: '), Field(disposition,false), Constant(', SperoDisposition: '), Field(info,false), Constant(', ThreatName: '), Field(threat_name,false), Constant(', ThreatScore: '), Field(fld1,false), Constant(', FileName: '), Field(filename,false), Constant(', FileType: '), Field(filetype,false), Constant(', FileSize: '), Field(filename_size,false), Constant(', ApplicationProtocol: '), Field(protocol,false), Constant(', Client: '), Field(application,false), Constant(', User: '), Field(username,false), Constant(', FirstPacketSecond: '), Field(fld21,false), Constant(', FilePolicy: '), Field(policyname,false), Constant(', FileSandboxStatus: '), Field(result,false), Constant(', URI: '), Field(url,false)}" +match("MESSAGE#38540:FTD_events_02", "nwparser.payload", "SrcIP: %{saddr}, DstIP: %{daddr}, SrcPort: %{sport}, DstPort: %{dport}, Protocol: %{protocol}, FileDirection: Upload, FileAction: %{action}, FileSHA256: %{checksum}, SHA_Disposition: %{disposition}, SperoDisposition: %{info}, ThreatName: %{threat_name}, ThreatScore: %{fld1}, FileName: %{filename}, FileType: %{filetype}, FileSize: %{filename_size}, ApplicationProtocol: %{protocol}, Client: %{application}, User: %{username}, FirstPacketSecond: %{fld21}, FilePolicy: %{policyname}, FileSandboxStatus: %{result}, URI: %{url}", processor_chain([ + dup150, + dup161, + dup162, + dup163, + dup32, + dup164, + setc("context","Upload"), +])); + +var msg38541 = msg("FTD_events_02", part103); + +var part104 = // "Pattern{Constant('User ''), Field(username,false), Constant('' executed the ''), Field(fld1,false), Constant('' command.')}" +match("MESSAGE#38541:FTD_events_03", "nwparser.payload", "User '%{username}' executed the '%{fld1}' command.", processor_chain([ + dup150, + dup162, + dup32, + dup164, +])); + +var msg38542 = msg("FTD_events_03", part104); + +var part105 = // "Pattern{Constant('User ''), Field(username,false), Constant('', running ''), Field(application,false), Constant('' from IP'), Field(hostip,false), Constant(', executed ''), Field(fld1,false), Constant(''')}" +match("MESSAGE#38542:FTD_events_04", "nwparser.payload", "User '%{username}', running '%{application}' from IP%{hostip}, executed '%{fld1}'", processor_chain([ + dup150, + dup162, + dup32, + dup164, +])); + +var msg38543 = msg("FTD_events_04", part105); + +var part106 = // "Pattern{Field(dclass_counter1,false), Constant('in use,'), Field(fld2,false), Constant('most used')}" +match("MESSAGE#38543:FTD_events_05", "nwparser.payload", "%{dclass_counter1}in use,%{fld2}most used", processor_chain([ + dup150, + dup162, + dup32, + dup164, + setc("dclass_counter1_string","Number of Connections in use"), +])); + +var msg38544 = msg("FTD_events_05", part106); + +var part107 = // "Pattern{Constant('Offloaded TCP Flow for connection'), Field(connectionid,false), Constant('from'), Field(dinterface,false), Constant(':'), Field(daddr,false), Constant('/'), Field(dport,false), Constant('('), Field(dtransaddr,false), Constant('/'), Field(dtransport,false), Constant(') to'), Field(sinterface,false), Constant(':'), Field(saddr,false), Constant('/'), Field(sport,false), Constant('('), Field(stransaddr,false), Constant('/'), Field(stransport,false), Constant(')')}" +match("MESSAGE#38544:FTD_events_06", "nwparser.payload", "Offloaded TCP Flow for connection%{connectionid}from%{dinterface}:%{daddr}/%{dport}(%{dtransaddr}/%{dtransport}) to%{sinterface}:%{saddr}/%{sport}(%{stransaddr}/%{stransport})", processor_chain([ + dup150, + dup162, + dup32, + dup164, + setc("event_description","Offloaded TCP Flow for connection"), +])); + +var msg38545 = msg("FTD_events_06", part107); + +var part108 = // "Pattern{Constant('Failed to locate egress interface for '), Field(protocol,true), Constant(' from '), Field(sinterface,false), Constant(':'), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' to '), Field(daddr,false), Constant('/'), Field(dport,false)}" +match("MESSAGE#38545:FTD_events_07", "nwparser.payload", "Failed to locate egress interface for %{protocol->} from %{sinterface}:%{saddr}/%{sport->} to %{daddr}/%{dport}", processor_chain([ + setc("eventcategory","1801010000"), + dup162, + dup32, + dup164, + setc("event_description","Failed to locate egress interface"), +])); + +var msg38546 = msg("FTD_events_07", part108); + +var part109 = // "Pattern{Constant('TCP Flow is no longer offloaded for connection '), Field(connectionid,true), Constant(' from '), Field(dinterface,false), Constant(':'), Field(daddr,false), Constant('/'), Field(dport,true), Constant(' ('), Field(dtransaddr,false), Constant('/'), Field(dtransport,false), Constant(') to '), Field(sinterface,false), Constant(':'), Field(saddr,false), Constant('/'), Field(sport,true), Constant(' ('), Field(stransaddr,false), Constant('/'), Field(stransport,false), Constant(')')}" +match("MESSAGE#38546:FTD_events_08", "nwparser.payload", "TCP Flow is no longer offloaded for connection %{connectionid->} from %{dinterface}:%{daddr}/%{dport->} (%{dtransaddr}/%{dtransport}) to %{sinterface}:%{saddr}/%{sport->} (%{stransaddr}/%{stransport})", processor_chain([ + dup150, + dup162, + dup32, + dup164, + setc("event_description","TCP Flow is no longer offloaded for connection"), +])); + +var msg38547 = msg("FTD_events_08", part109); + +var part110 = // "Pattern{Constant('CLOCK: System clock set, source: '), Field(event_source,false), Constant(', IP: '), Field(hostip,false), Constant(', before: '), Field(change_old,false), Constant(', after: '), Field(change_new,false)}" +match("MESSAGE#38547:FTD_events_09", "nwparser.payload", "CLOCK: System clock set, source: %{event_source}, IP: %{hostip}, before: %{change_old}, after: %{change_new}", processor_chain([ + dup150, + dup162, + dup32, + dup164, + setc("change_attribute","Time"), +])); + +var msg38548 = msg("FTD_events_09", part110); + +var part111 = tagval("MESSAGE#38548:FTD_events", "nwparser.payload", tvm, { + "ACPolicy": "fld44", + "AccessControlRuleAction": "action", + "AccessControlRuleName": "rulename", + "AccessControlRuleReason": "result", + "ApplicationProtocol": "protocol", + "Classification": "risk_info", + "Client": "application", + "ClientVersion": "version", + "ConnectType": "event_state", + "ConnectionDuration": "duration", + "DE": "fld16", + "DNSQuery": "obj_name", + "DNSRecordType": "obj_type", + "DNSResponseType": "fld17", + "DNS_TTL": "fld7", + "DstIP": "daddr", + "DstPort": "dport", + "EgressInterface": "sinterface", + "EgressZone": "src_zone", + "FileAction": "action", + "FileDirection": "context", + "FileName": "filename", + "FilePolicy": "policyname", + "FileSHA256": "checksum", + "FileSandboxStatus": "result", + "FileSize": "filename_size", + "FileType": "filetype", + "FirstPacketSecond": "starttime", + "GID": "fld28", + "HTTPReferer": "web_ref_host", + "HTTPResponse": "resultcode", + "ICMPCode": "resultcode", + "ICMPType": "event_type", + "IPReputationSICategory": "threat_name", + "IngressInterface": "dinterface", + "IngressZone": "dst_zone", + "InitiatorBytes": "sbytes", + "InitiatorPackets": "fld14", + "Message": "fld49", + "NAPPolicy": "policyname", + "OriginalClientIP": "fld1", + "Policy": "policyname", + "Prefilter Policy": "fld2", + "Priority": "threat_val", + "Protocol": "protocol", + "ReferencedHost": "fld3", + "ResponderBytes": "rbytes", + "ResponderPackets": "fld13", + "Revision": "fld46", + "SHA_Disposition": "disposition", + "SID": "sid", + "Sinkhole": "fld15", + "SperoDisposition": "info", + "SrcIP": "saddr", + "SrcPort": "sport", + "TCPFlags": "fld12", + "ThreatName": "threat_name", + "ThreatScore": "fld76", + "URI": "url", + "URL": "url", + "URLCategory": "category", + "URLReputation": "reputation_num", + "User": "username", + "UserAgent": "user_agent", + "UserName": "username", + "WebApplication": "application", +}, processor_chain([ + dup150, + dup161, + dup162, + dup32, + dup164, +])); + +var msg38549 = msg("FTD_events", part111); + +var select2466 = linear_select([ + msg38540, + msg38541, + msg38542, + msg38543, + msg38544, + msg38545, + msg38546, + msg38547, + msg38548, + msg38549, +]); + +var part112 = // "Pattern{Constant('AccessControlRuleAction:'), Field(action,false), Constant(', AccessControlRuleReason:'), Field(result,false), Constant(', SrcIP:'), Field(saddr,false), Constant(', DstIP:'), Field(daddr,false), Constant(', SrcPort:'), Field(sport,false), Constant(', DstPort:'), Field(dport,false), Constant(', Protocol: '), Field(protocol,false), Constant(', IngressInterface: '), Field(dinterface,false), Constant(', IngressZone:'), Field(dst_zone,false), Constant(', ACPolicy:'), Field(fld44,false), Constant(', AccessControlRuleName:'), Field(rulename,false), Constant(', Prefilter Policy:'), Field(fld2,false), Constant(', User:'), Field(fld48,false), Constant(', Client:'), Field(application,false), Constant(', ApplicationProtocol:'), Field(protocol,false), Constant(', InitiatorPackets:'), Field(fld14,false), Constant(', ResponderPackets:'), Field(fld13,false), Constant(', InitiatorBytes:'), Field(sbytes,false), Constant(', ResponderBytes:'), Field(rbytes,false), Constant(', NAPPolicy:'), Field(policyname,false), Constant(', DNSQuery:'), Field(hostname,false), Constant(', DNSRecordType: a host address,'), Field(p0,false)}" +match("MESSAGE#38549:NGIPS_events_01/0", "nwparser.payload", "AccessControlRuleAction:%{action}, AccessControlRuleReason:%{result}, SrcIP:%{saddr}, DstIP:%{daddr}, SrcPort:%{sport}, DstPort:%{dport}, Protocol: %{protocol}, IngressInterface: %{dinterface}, IngressZone:%{dst_zone}, ACPolicy:%{fld44}, AccessControlRuleName:%{rulename}, Prefilter Policy:%{fld2}, User:%{fld48}, Client:%{application}, ApplicationProtocol:%{protocol}, InitiatorPackets:%{fld14}, ResponderPackets:%{fld13}, InitiatorBytes:%{sbytes}, ResponderBytes:%{rbytes}, NAPPolicy:%{policyname}, DNSQuery:%{hostname}, DNSRecordType: a host address,%{p0}"); + +var part113 = // "Pattern{Constant(' DNS_TTL: '), Field(fld7,false), Constant(','), Field(p0,false)}" +match("MESSAGE#38549:NGIPS_events_01/1_0", "nwparser.p0", " DNS_TTL: %{fld7},%{p0}"); + +var select2467 = linear_select([ + part113, + dup59, +]); + +var part114 = // "Pattern{Field(,false), Constant('DNSSICategory:'), Field(category,false)}" +match("MESSAGE#38549:NGIPS_events_01/2", "nwparser.p0", "%{}DNSSICategory:%{category}"); + +var all87 = all_match({ + processors: [ + part112, + select2467, + part114, + ], + on_success: processor_chain([ + dup150, + dup161, + dup32, + dup164, + ]), +}); + +var msg38550 = msg("NGIPS_events_01", all87); + +var part115 = tagval("MESSAGE#38550:NGIPS_events", "nwparser.payload", tvm, { + "ACPolicy": "fld44", + "AccessControlRuleAction": "action", + "AccessControlRuleName": "rulename", + "AccessControlRuleReason": "result", + "ApplicationProtocol": "protocol", + "Classification": "risk_info", + "Client": "application", + "ClientVersion": "version", + "ConnectType": "event_state", + "ConnectionDuration": "duration", + "DE": "fld16", + "DNSQuery": "obj_name", + "DNSRecordType": "obj_type", + "DNSResponseType": "fld17", + "DNSSICategory": "category", + "DNS_TTL": "fld7", + "DstIP": "daddr", + "DstPort": "dport", + "EgressInterface": "sinterface", + "EgressZone": "src_zone", + "GID": "fld28", + "HTTPReferer": "web_ref_host", + "HTTPResponse": "resultcode", + "ICMPCode": "resultcode", + "ICMPType": "event_type", + "IPReputationSICategory": "threat_name", + "IPSCount": "dclass_counter1", + "IngressInterface": "dinterface", + "IngressZone": "dst_zone", + "InitiatorBytes": "sbytes", + "InitiatorPackets": "fld14", + "InlineResult": "action", + "Message": "event_description", + "NAPPolicy": "policyname", + "OriginalClientIP": "fld1", + "Policy": "policyname", + "Prefilter Policy": "fld2", + "Priority": "threat_val", + "Protocol": "protocol", + "ReferencedHost": "fld3", + "ResponderBytes": "rbytes", + "ResponderPackets": "fld13", + "Revision": "fld46", + "SID": "sid", + "Sinkhole": "fld15", + "SrcIP": "saddr", + "SrcPort": "sport", + "TCPFlags": "fld12", + "URL": "url", + "URLCategory": "category", + "URLReputation": "reputation_num", + "URLSICategory": "category", + "User": "fld48", + "UserAgent": "user_agent", + "UserName": "username", + "VLAN_ID": "vlan", + "WebApplication": "application", +}, processor_chain([ + dup150, + dup161, + dup32, + dup164, + setc("dclass_counter1_string"," The number of intrusion events"), + setf("hostname","obj_name"), +])); + +var msg38551 = msg("NGIPS_events", part115); + +var select2468 = linear_select([ + msg38550, + msg38551, +]); + +var chain1 = processor_chain([ + select5, + msgid_select({ + "0": select6, + "1": select7, + "10": msg34, + "1000": select900, + "10000": msg12447, + "1000001": msg38282, + "100000121": msg38430, + "100000122": msg38431, + "100000137": msg38432, + "100000138": msg38433, + "100000160": msg38434, + "100000161": msg38435, + "100000185": msg38436, + "1000002": msg38283, + "100000211": msg38437, + "100000213": msg38438, + "100000219": msg38439, + "100000241": msg38440, + "100000262": msg38441, + "100000266": msg38442, + "100000272": msg38443, + "100000273": msg38444, + "100000274": msg38445, + "100000275": msg38446, + "100000277": msg38447, + "100000278": msg38448, + "1000003": select2443, + "1000004": msg38286, + "1000005": msg38287, + "100000550": msg38449, + "100000687": msg38450, + "100000689": msg38451, + "1000007": msg38288, + "1000010": msg38289, + "1000012": msg38290, + "1000014": msg38291, + "1000015": msg38292, + "1000016": msg38293, + "1000020": msg38294, + "1000021": msg38295, + "1000022": msg38296, + "1000023": msg38297, + "1000024": msg38298, + "1000026": msg38299, + "1000028": msg38300, + "1000029": msg38301, + "1000030": msg38302, + "1000031": msg38303, + "1000032": msg38304, + "1000033": msg38305, + "1000034": msg38306, + "1000035": msg38307, + "1000036": msg38308, + "1000037": msg38309, + "1000038": msg38310, + "1000039": msg38311, + "1000040": msg38312, + "1000041": msg38313, + "1000043": msg38314, + "1000044": msg38315, + "1000045": msg38316, + "1000046": msg38317, + "1000047": msg38318, + "1000048": msg38319, + "1000049": msg38320, + "1000050": msg38321, + "1000054": msg38322, + "1000055": msg38323, + "1000056": msg38324, + "1000057": msg38325, + "10001": msg12448, + "10002": msg12449, + "10003": msg12450, + "10004": msg12451, + "10005": msg12452, + "10006": msg12453, + "10007": msg12454, + "10008": msg12455, + "10009": msg12456, + "1001": select901, + "10010": msg12457, + "10011": msg12458, + "10012": msg12459, + "10013": msg12460, + "10014": msg12461, + "10015": msg12462, + "10016": msg12463, + "10017": msg12464, + "10018": msg12465, + "10019": msg12466, + "1002": select902, + "10020": msg12467, + "10021": msg12468, + "10022": msg12469, + "10023": msg12470, + "10024": msg12471, + "10025": msg12472, + "10026": msg12473, + "10027": msg12474, + "10028": msg12475, + "10029": msg12476, + "1003": select903, + "10030": msg12477, + "10031": msg12478, + "10032": msg12479, + "10033": msg12480, + "10034": msg12481, + "10035": msg12482, + "10036": msg12483, + "10037": msg12484, + "10038": msg12485, + "10039": msg12486, + "1004": select904, + "10040": msg12487, + "10041": msg12488, + "10042": msg12489, + "10043": msg12490, + "10044": msg12491, + "10045": msg12492, + "10046": msg12493, + "10047": msg12494, + "10048": msg12495, + "10049": msg12496, + "1005": select905, + "10050": msg12497, + "10051": msg12498, + "10052": msg12499, + "10053": msg12500, + "10054": msg12501, + "10055": msg12502, + "10056": msg12503, + "10057": msg12504, + "10058": msg12505, + "10059": msg12506, + "10060": msg12507, + "10061": msg12508, + "10062": msg12509, + "10063": msg12510, + "10064": msg12511, + "10065": msg12512, + "10066": msg12513, + "10067": msg12514, + "10068": msg12515, + "10069": msg12516, + "1007": select906, + "10070": msg12517, + "10071": msg12518, + "10072": msg12519, + "10073": msg12520, + "10074": msg12521, + "10075": msg12522, + "10076": msg12523, + "10077": msg12524, + "10078": msg12525, + "10079": msg12526, + "1008": select907, + "10080": msg12527, + "10081": msg12528, + "10082": msg12529, + "10083": msg12530, + "10084": msg12531, + "10085": msg12532, + "10086": msg12533, + "10087": msg12534, + "10088": msg12535, + "10089": msg12536, + "1009": select908, + "10090": msg12537, + "10091": msg12538, + "10092": msg12539, + "10093": msg12540, + "10094": msg12541, + "10095": msg12542, + "10096": msg12543, + "10097": msg12544, + "10098": msg12545, + "10099": msg12546, + "1010": select909, + "10100": msg12547, + "10101": msg12548, + "10102": msg12549, + "10103": msg12550, + "10104": msg12551, + "10105": msg12552, + "10106": msg12553, + "10107": msg12554, + "10108": msg12555, + "10109": msg12556, + "1011": select910, + "10110": msg12557, + "10111": msg12558, + "10112": msg12559, + "10113": msg12560, + "10114": msg12561, + "10115": msg12562, + "10116": msg12563, + "10117": msg12564, + "10118": msg12565, + "10119": msg12566, + "1012": select911, + "10120": msg12567, + "10121": msg12568, + "10122": msg12569, + "10123": msg12570, + "10124": msg12571, + "10125": msg12572, + "10126": msg12573, + "10127": msg12574, + "10128": msg12575, + "10129": msg12576, + "1013": select912, + "10130": msg12577, + "10131": msg12578, + "10132": msg12579, + "10133": msg12580, + "10134": msg12581, + "10135": msg12582, + "10136": msg12583, + "10137": msg12584, + "10138": msg12585, + "10139": msg12586, + "1014": select913, + "10140": msg12587, + "10141": msg12588, + "10142": msg12589, + "10143": msg12590, + "10144": msg12591, + "10145": msg12592, + "10146": msg12593, + "10147": msg12594, + "10148": msg12595, + "10149": msg12596, + "1015": select914, + "10150": msg12597, + "10151": msg12598, + "10152": msg12599, + "10153": msg12600, + "10154": msg12601, + "10155": msg12602, + "10156": msg12603, + "10157": msg12604, + "10158": msg12605, + "10159": msg12606, + "1016": select915, + "10160": msg12607, + "10161": msg12608, + "10162": msg12609, + "10163": msg12610, + "10164": msg12611, + "10165": msg12612, + "10166": msg12613, + "10167": msg12614, + "10168": msg12615, + "10169": msg12616, + "1017": select916, + "10170": msg12617, + "10171": msg12618, + "10172": msg12619, + "10173": msg12620, + "10174": msg12621, + "10175": msg12622, + "10176": msg12623, + "10177": msg12624, + "10178": msg12625, + "10179": msg12626, + "1018": select917, + "10180": msg12627, + "10181": msg12628, + "10182": msg12629, + "10183": msg12630, + "10184": msg12631, + "10185": msg12632, + "10186": msg12633, + "10187": msg12634, + "10188": msg12635, + "10189": msg12636, + "1019": select918, + "10190": msg12637, + "10191": msg12638, + "10192": msg12639, + "10193": msg12640, + "10194": msg12641, + "10195": msg12642, + "10196": msg12643, + "10197": msg12644, + "10198": msg12645, + "10199": msg12646, + "1020": select919, + "10200": msg12647, + "10201": msg12648, + "10202": msg12649, + "10203": msg12650, + "10204": msg12651, + "10205": msg12652, + "10206": msg12653, + "10207": msg12654, + "10208": msg12655, + "10209": msg12656, + "1021": select920, + "10210": msg12657, + "10211": msg12658, + "10212": msg12659, + "10213": msg12660, + "10214": msg12661, + "10215": msg12662, + "10216": msg12663, + "10217": msg12664, + "10218": msg12665, + "10219": msg12666, + "1022": select921, + "10220": msg12667, + "10221": msg12668, + "10222": msg12669, + "10223": msg12670, + "10224": msg12671, + "10225": msg12672, + "10226": msg12673, + "10227": msg12674, + "10228": msg12675, + "10229": msg12676, + "1023": select922, + "10230": msg12677, + "10231": msg12678, + "10232": msg12679, + "10233": msg12680, + "10234": msg12681, + "10235": msg12682, + "10236": msg12683, + "10237": msg12684, + "10238": msg12685, + "10239": msg12686, + "1024": select923, + "10240": msg12687, + "10241": msg12688, + "10242": msg12689, + "10243": msg12690, + "10244": msg12691, + "10245": msg12692, + "10246": msg12693, + "10247": msg12694, + "10248": msg12695, + "10249": msg12696, + "1025": select924, + "10250": msg12697, + "10251": msg12698, + "10252": msg12699, + "10253": msg12700, + "10254": msg12701, + "10255": msg12702, + "10256": msg12703, + "10257": msg12704, + "10258": msg12705, + "10259": msg12706, + "1026": select925, + "10260": msg12707, + "10261": msg12708, + "10262": msg12709, + "10263": msg12710, + "10264": msg12711, + "10265": msg12712, + "10266": msg12713, + "10267": msg12714, + "10268": msg12715, + "10269": msg12716, + "1027": select926, + "10270": msg12717, + "10271": msg12718, + "10272": msg12719, + "10273": msg12720, + "10274": msg12721, + "10275": msg12722, + "10276": msg12723, + "10277": msg12724, + "10278": msg12725, + "10279": msg12726, + "1028": select927, + "10280": msg12727, + "10281": msg12728, + "10282": msg12729, + "10283": msg12730, + "10284": msg12731, + "10285": msg12732, + "10286": msg12733, + "10287": msg12734, + "10288": msg12735, + "10289": msg12736, + "1029": select928, + "10290": msg12737, + "10291": msg12738, + "10292": msg12739, + "10293": msg12740, + "10294": msg12741, + "10295": msg12742, + "10296": msg12743, + "10297": msg12744, + "10298": msg12745, + "10299": msg12746, + "103": select31, + "1030": select929, + "10300": msg12747, + "10301": msg12748, + "10302": msg12749, + "10303": msg12750, + "10304": msg12751, + "10305": msg12752, + "10306": msg12753, + "10307": msg12754, + "10308": msg12755, + "10309": msg12756, + "1031": select930, + "10310": msg12757, + "10311": msg12758, + "10312": msg12759, + "10313": msg12760, + "10314": msg12761, + "10315": msg12762, + "10316": msg12763, + "10317": msg12764, + "10318": msg12765, + "10319": msg12766, + "1032": select931, + "10320": msg12767, + "10321": msg12768, + "10322": msg12769, + "10323": msg12770, + "10324": msg12771, + "10325": msg12772, + "10326": msg12773, + "10327": msg12774, + "10328": msg12775, + "10329": msg12776, + "1033": select932, + "10330": msg12777, + "10331": msg12778, + "10332": msg12779, + "10333": msg12780, + "10334": msg12781, + "10335": msg12782, + "10336": msg12783, + "10337": msg12784, + "10338": msg12785, + "10339": msg12786, + "1034": select933, + "10340": msg12787, + "10341": msg12788, + "10342": msg12789, + "10343": msg12790, + "10344": msg12791, + "10345": msg12792, + "10346": msg12793, + "10347": msg12794, + "10348": msg12795, + "10349": msg12796, + "1035": select934, + "10350": msg12797, + "10351": msg12798, + "10352": msg12799, + "10353": msg12800, + "10354": msg12801, + "10355": msg12802, + "10356": msg12803, + "10357": msg12804, + "10358": msg12805, + "10359": msg12806, + "1036": select935, + "10360": msg12807, + "10361": msg12808, + "10362": msg12809, + "10363": msg12810, + "10364": msg12811, + "10365": msg12812, + "10366": msg12813, + "10367": msg12814, + "10368": msg12815, + "10369": msg12816, + "1037": select936, + "10370": msg12817, + "10371": msg12818, + "10372": msg12819, + "10373": msg12820, + "10374": msg12821, + "10375": msg12822, + "10376": msg12823, + "10377": msg12824, + "10378": msg12825, + "10379": msg12826, + "1038": select937, + "10380": msg12827, + "10381": msg12828, + "10382": msg12829, + "10383": msg12830, + "10384": msg12831, + "10385": msg12832, + "10386": msg12833, + "10387": msg12834, + "10388": msg12835, + "10389": msg12836, + "1039": select938, + "10390": msg12837, + "10391": msg12838, + "10392": msg12839, + "10393": msg12840, + "10394": msg12841, + "10395": msg12842, + "10396": msg12843, + "10397": msg12844, + "10398": msg12845, + "10399": msg12846, + "104": select32, + "1040": select939, + "10400": msg12847, + "10401": msg12848, + "10402": msg12849, + "10403": msg12850, + "10404": msg12851, + "10405": msg12852, + "10406": msg12853, + "10407": msg12854, + "10408": msg12855, + "10409": msg12856, + "1041": select940, + "10410": msg12857, + "10411": msg12858, + "10412": msg12859, + "10413": msg12860, + "10414": msg12861, + "10415": msg12862, + "10416": msg12863, + "10417": msg12864, + "10418": msg12865, + "10419": msg12866, + "1042": select941, + "10420": msg12867, + "10421": msg12868, + "10422": msg12869, + "10423": msg12870, + "10424": msg12871, + "10425": msg12872, + "10426": msg12873, + "10427": msg12874, + "10428": msg12875, + "10429": msg12876, + "1043": select942, + "10430": msg12877, + "10431": msg12878, + "10432": msg12879, + "10433": msg12880, + "10434": msg12881, + "10435": msg12882, + "10436": msg12883, + "10437": msg12884, + "10438": msg12885, + "10439": msg12886, + "1044": select943, + "10440": msg12887, + "10441": msg12888, + "10442": msg12889, + "10443": msg12890, + "10444": msg12891, + "10445": msg12892, + "10446": msg12893, + "10447": msg12894, + "10448": msg12895, + "10449": msg12896, + "1045": select944, + "10450": msg12897, + "10451": msg12898, + "10452": msg12899, + "10453": msg12900, + "10454": msg12901, + "10455": msg12902, + "10456": msg12903, + "10457": msg12904, + "10458": msg12905, + "10459": msg12906, + "1046": select945, + "10460": msg12907, + "10461": msg12908, + "10462": msg12909, + "10463": msg12910, + "10464": msg12911, + "10465": msg12912, + "10466": msg12913, + "10467": msg12914, + "10468": msg12915, + "10469": msg12916, + "1047": select946, + "10470": msg12917, + "10471": msg12918, + "10472": msg12919, + "10473": msg12920, + "10474": msg12921, + "10475": msg12922, + "10476": msg12923, + "10477": msg12924, + "10478": msg12925, + "10479": msg12926, + "1048": select947, + "10480": msg12927, + "10481": msg12928, + "10482": msg12929, + "10483": msg12930, + "10484": msg12931, + "10485": msg12932, + "10486": msg12933, + "10487": msg12934, + "10488": msg12935, + "10489": msg12936, + "1049": select948, + "10490": msg12937, + "10491": msg12938, + "10492": msg12939, + "10493": msg12940, + "10494": msg12941, + "10495": msg12942, + "10496": msg12943, + "10497": msg12944, + "10498": msg12945, + "10499": msg12946, + "105": select33, + "105-1": msg86, + "105-2": msg87, + "105-3": msg88, + "105-4": msg89, + "1050": select949, + "10500": msg12947, + "10501": msg12948, + "10502": msg12949, + "10503": msg12950, + "10504": msg12951, + "10505": msg12952, + "10506": msg12953, + "10507": msg12954, + "10508": msg12955, + "10509": msg12956, + "1051": select950, + "10510": msg12957, + "10511": msg12958, + "10512": msg12959, + "10513": msg12960, + "10514": msg12961, + "10515": msg12962, + "10516": msg12963, + "10517": msg12964, + "10518": msg12965, + "10519": msg12966, + "1052": select951, + "10520": msg12967, + "10521": msg12968, + "10522": msg12969, + "10523": msg12970, + "10524": msg12971, + "10525": msg12972, + "10526": msg12973, + "10527": msg12974, + "10528": msg12975, + "10529": msg12976, + "1053": select952, + "10530": msg12977, + "10531": msg12978, + "10532": msg12979, + "10533": msg12980, + "10534": msg12981, + "10535": msg12982, + "10536": msg12983, + "10537": msg12984, + "10538": msg12985, + "10539": msg12986, + "1054": select953, + "10540": msg12987, + "10541": msg12988, + "10542": msg12989, + "10543": msg12990, + "10544": msg12991, + "10545": msg12992, + "10546": msg12993, + "10547": msg12994, + "10548": msg12995, + "10549": msg12996, + "1055": select954, + "10550": msg12997, + "10551": msg12998, + "10552": msg12999, + "10553": msg13000, + "10554": msg13001, + "10555": msg13002, + "10556": msg13003, + "10557": msg13004, + "10558": msg13005, + "10559": msg13006, + "1056": select955, + "10560": msg13007, + "10561": msg13008, + "10562": msg13009, + "10563": msg13010, + "10564": msg13011, + "10565": msg13012, + "10566": msg13013, + "10567": msg13014, + "10568": msg13015, + "10569": msg13016, + "1057": select956, + "10570": msg13017, + "10571": msg13018, + "10572": msg13019, + "10573": msg13020, + "10574": msg13021, + "10575": msg13022, + "10576": msg13023, + "10577": msg13024, + "10578": msg13025, + "10579": msg13026, + "1058": select957, + "10580": msg13027, + "10581": msg13028, + "10582": msg13029, + "10583": msg13030, + "10584": msg13031, + "10585": msg13032, + "10586": msg13033, + "10587": msg13034, + "10588": msg13035, + "10589": msg13036, + "1059": select958, + "10590": msg13037, + "10591": msg13038, + "10592": msg13039, + "10593": msg13040, + "10594": msg13041, + "10595": msg13042, + "10596": msg13043, + "10597": msg13044, + "10598": msg13045, + "10599": msg13046, + "106": select34, + "106-1": msg92, + "106-2": msg93, + "106-3": msg94, + "106-4": msg95, + "1060": select959, + "10600": msg13047, + "10601": msg13048, + "10602": msg13049, + "10603": msg13050, + "10604": msg13051, + "10605": msg13052, + "10606": msg13053, + "10607": msg13054, + "10608": msg13055, + "10609": msg13056, + "1061": select960, + "10610": msg13057, + "10611": msg13058, + "10612": msg13059, + "10613": msg13060, + "10614": msg13061, + "10615": msg13062, + "10616": msg13063, + "10617": msg13064, + "10618": msg13065, + "10619": msg13066, + "1062": select961, + "10620": msg13067, + "10621": msg13068, + "10622": msg13069, + "10623": msg13070, + "10624": msg13071, + "10625": msg13072, + "10626": msg13073, + "10627": msg13074, + "10628": msg13075, + "10629": msg13076, + "1063": select962, + "10630": msg13077, + "10631": msg13078, + "10632": msg13079, + "10633": msg13080, + "10634": msg13081, + "10635": msg13082, + "10636": msg13083, + "10637": msg13084, + "10638": msg13085, + "10639": msg13086, + "1064": select963, + "10640": msg13087, + "10641": msg13088, + "10642": msg13089, + "10643": msg13090, + "10644": msg13091, + "10645": msg13092, + "10646": msg13093, + "10647": msg13094, + "10648": msg13095, + "10649": msg13096, + "1065": select964, + "10650": msg13097, + "10651": msg13098, + "10652": msg13099, + "10653": msg13100, + "10654": msg13101, + "10655": msg13102, + "10656": msg13103, + "10657": msg13104, + "10658": msg13105, + "10659": msg13106, + "1066": select965, + "10660": msg13107, + "10661": msg13108, + "10662": msg13109, + "10663": msg13110, + "10664": msg13111, + "10665": msg13112, + "10666": msg13113, + "10667": msg13114, + "10668": msg13115, + "10669": msg13116, + "1067": select966, + "10670": msg13117, + "10671": msg13118, + "10672": msg13119, + "10673": msg13120, + "10674": msg13121, + "10675": msg13122, + "10676": msg13123, + "10677": msg13124, + "10678": msg13125, + "10679": msg13126, + "1068": select967, + "10680": msg13127, + "10681": msg13128, + "10682": msg13129, + "10683": msg13130, + "10684": msg13131, + "10685": msg13132, + "10686": msg13133, + "10687": msg13134, + "10688": msg13135, + "10689": msg13136, + "1069": select968, + "10690": msg13137, + "10691": msg13138, + "10692": msg13139, + "10693": msg13140, + "10694": msg13141, + "10695": msg13142, + "10696": msg13143, + "10697": msg13144, + "10698": msg13145, + "10699": msg13146, + "107": select35, + "1070": select969, + "10700": msg13147, + "10701": msg13148, + "10702": msg13149, + "10703": msg13150, + "10704": msg13151, + "10705": msg13152, + "10706": msg13153, + "10707": msg13154, + "10708": msg13155, + "10709": msg13156, + "1071": select970, + "10710": msg13157, + "10711": msg13158, + "10712": msg13159, + "10713": msg13160, + "10714": msg13161, + "10715": msg13162, + "10716": msg13163, + "10717": msg13164, + "10718": msg13165, + "10719": msg13166, + "1072": select971, + "10720": msg13167, + "10721": msg13168, + "10722": msg13169, + "10723": msg13170, + "10724": msg13171, + "10725": msg13172, + "10726": msg13173, + "10727": msg13174, + "10728": msg13175, + "10729": msg13176, + "1073": select972, + "10730": msg13177, + "10731": msg13178, + "10732": msg13179, + "10733": msg13180, + "10734": msg13181, + "10735": msg13182, + "10736": msg13183, + "10737": msg13184, + "10738": msg13185, + "10739": msg13186, + "10740": msg13187, + "10741": msg13188, + "10742": msg13189, + "10743": msg13190, + "10744": msg13191, + "10745": msg13192, + "10746": msg13193, + "10747": msg13194, + "10748": msg13195, + "10749": msg13196, + "1075": select973, + "10750": msg13197, + "10751": msg13198, + "10752": msg13199, + "10753": msg13200, + "10754": msg13201, + "10755": msg13202, + "10756": msg13203, + "10757": msg13204, + "10758": msg13205, + "10759": msg13206, + "1076": select974, + "10760": msg13207, + "10761": msg13208, + "10762": msg13209, + "10763": msg13210, + "10764": msg13211, + "10765": msg13212, + "10766": msg13213, + "10767": msg13214, + "10768": msg13215, + "10769": msg13216, + "1077": select975, + "10770": msg13217, + "10771": msg13218, + "10772": msg13219, + "10773": msg13220, + "10774": msg13221, + "10775": msg13222, + "10776": msg13223, + "10777": msg13224, + "10778": msg13225, + "10779": msg13226, + "1078": select976, + "10780": msg13227, + "10781": msg13228, + "10782": msg13229, + "10783": msg13230, + "10784": msg13231, + "10785": msg13232, + "10786": msg13233, + "10787": msg13234, + "10788": msg13235, + "10789": msg13236, + "1079": select977, + "10790": msg13237, + "10791": msg13238, + "10792": msg13239, + "10793": msg13240, + "10794": msg13241, + "10795": msg13242, + "10796": msg13243, + "10797": msg13244, + "10798": msg13245, + "10799": msg13246, + "108": select36, + "1080": select978, + "10800": msg13247, + "10801": msg13248, + "10802": msg13249, + "10803": msg13250, + "10804": msg13251, + "10805": msg13252, + "10806": msg13253, + "10807": msg13254, + "10808": msg13255, + "10809": msg13256, + "1081": select979, + "10810": msg13257, + "10811": msg13258, + "10812": msg13259, + "10813": msg13260, + "10814": msg13261, + "10815": msg13262, + "10816": msg13263, + "10817": msg13264, + "10818": msg13265, + "10819": msg13266, + "1082": select980, + "10820": msg13267, + "10821": msg13268, + "10822": msg13269, + "10823": msg13270, + "10824": msg13271, + "10825": msg13272, + "10826": msg13273, + "10827": msg13274, + "10828": msg13275, + "10829": msg13276, + "1083": select981, + "10830": msg13277, + "10831": msg13278, + "10832": msg13279, + "10833": msg13280, + "10834": msg13281, + "10835": msg13282, + "10836": msg13283, + "10837": msg13284, + "10838": msg13285, + "10839": msg13286, + "1084": select982, + "10840": msg13287, + "10841": msg13288, + "10842": msg13289, + "10843": msg13290, + "10844": msg13291, + "10845": msg13292, + "10846": msg13293, + "10847": msg13294, + "10848": msg13295, + "10849": msg13296, + "1085": select983, + "10850": msg13297, + "10851": msg13298, + "10852": msg13299, + "10853": msg13300, + "10854": msg13301, + "10855": msg13302, + "10856": msg13303, + "10857": msg13304, + "10858": msg13305, + "10859": msg13306, + "1086": select984, + "10860": msg13307, + "10861": msg13308, + "10862": msg13309, + "10863": msg13310, + "10864": msg13311, + "10865": msg13312, + "10866": msg13313, + "10867": msg13314, + "10868": msg13315, + "10869": msg13316, + "1087": select985, + "10870": msg13317, + "10871": msg13318, + "10872": msg13319, + "10873": msg13320, + "10874": msg13321, + "10875": msg13322, + "10876": msg13323, + "10877": msg13324, + "10878": msg13325, + "10879": msg13326, + "1088": select986, + "10880": msg13327, + "10881": msg13328, + "10882": msg13329, + "10883": msg13330, + "10884": msg13331, + "10885": msg13332, + "10886": msg13333, + "10887": msg13334, + "10888": msg13335, + "10889": msg13336, + "1089": select987, + "10890": msg13337, + "10891": msg13338, + "10892": msg13339, + "10893": msg13340, + "10894": msg13341, + "10895": msg13342, + "10896": msg13343, + "10897": msg13344, + "10898": msg13345, + "10899": msg13346, + "109": select37, + "1090": select988, + "10900": msg13347, + "10901": msg13348, + "10902": msg13349, + "10903": msg13350, + "10904": msg13351, + "10905": msg13352, + "10906": msg13353, + "10907": msg13354, + "10908": msg13355, + "10909": msg13356, + "1091": select989, + "10910": msg13357, + "10911": msg13358, + "10912": msg13359, + "10913": msg13360, + "10914": msg13361, + "10915": msg13362, + "10916": msg13363, + "10917": msg13364, + "10918": msg13365, + "10919": msg13366, + "1092": select990, + "10920": msg13367, + "10921": msg13368, + "10922": msg13369, + "10923": msg13370, + "10924": msg13371, + "10925": msg13372, + "10926": msg13373, + "10927": msg13374, + "10928": msg13375, + "10929": msg13376, + "1093": select991, + "10930": msg13377, + "10931": msg13378, + "10932": msg13379, + "10933": msg13380, + "10934": msg13381, + "10935": msg13382, + "10936": msg13383, + "10937": msg13384, + "10938": msg13385, + "10939": msg13386, + "1094": select992, + "10940": msg13387, + "10941": msg13388, + "10942": msg13389, + "10943": msg13390, + "10944": msg13391, + "10945": msg13392, + "10946": msg13393, + "10947": msg13394, + "10948": msg13395, + "10949": msg13396, + "1095": select993, + "10950": msg13397, + "10951": msg13398, + "10952": msg13399, + "10953": msg13400, + "10954": msg13401, + "10955": msg13402, + "10956": msg13403, + "10957": msg13404, + "10958": msg13405, + "10959": msg13406, + "1096": select994, + "10960": msg13407, + "10961": msg13408, + "10962": msg13409, + "10963": msg13410, + "10964": msg13411, + "10965": msg13412, + "10966": msg13413, + "10967": msg13414, + "10968": msg13415, + "10969": msg13416, + "1097": select995, + "10970": msg13417, + "10971": msg13418, + "10972": msg13419, + "10973": msg13420, + "10974": msg13421, + "10975": msg13422, + "10976": msg13423, + "10977": msg13424, + "10978": msg13425, + "10979": msg13426, + "1098": select996, + "10980": msg13427, + "10981": msg13428, + "10982": msg13429, + "10983": msg13430, + "10984": msg13431, + "10985": msg13432, + "10986": msg13433, + "10987": msg13434, + "10988": msg13435, + "10989": msg13436, + "1099": select997, + "10990": msg13437, + "10991": msg13438, + "10992": msg13439, + "10993": msg13440, + "10994": msg13441, + "10995": msg13442, + "10996": msg13443, + "10997": msg13444, + "10998": msg13445, + "10999": msg13446, + "11": msg35, + "110": select38, + "110-1": msg105, + "110-2": msg106, + "110-3": msg107, + "110-4": msg108, + "1100": select998, + "11000": msg13447, + "11001": msg13448, + "11002": msg13449, + "11003": msg13450, + "11004": msg13451, + "11005": msg13452, + "11006": msg13453, + "11007": msg13454, + "11008": msg13455, + "11009": msg13456, + "1101": select999, + "11010": msg13457, + "11011": msg13458, + "11012": msg13459, + "11013": msg13460, + "11014": msg13461, + "11015": msg13462, + "11016": msg13463, + "11017": msg13464, + "11018": msg13465, + "11019": msg13466, + "1102": select1000, + "11020": msg13467, + "11021": msg13468, + "11022": msg13469, + "11023": msg13470, + "11024": msg13471, + "11025": msg13472, + "11026": msg13473, + "11027": msg13474, + "11028": msg13475, + "11029": msg13476, + "1103": select1001, + "11030": msg13477, + "11031": msg13478, + "11032": msg13479, + "11033": msg13480, + "11034": msg13481, + "11035": msg13482, + "11036": msg13483, + "11037": msg13484, + "11038": msg13485, + "11039": msg13486, + "1104": select1002, + "11040": msg13487, + "11041": msg13488, + "11042": msg13489, + "11043": msg13490, + "11044": msg13491, + "11045": msg13492, + "11046": msg13493, + "11047": msg13494, + "11048": msg13495, + "11049": msg13496, + "1105": select1003, + "11050": msg13497, + "11051": msg13498, + "11052": msg13499, + "11053": msg13500, + "11054": msg13501, + "11055": msg13502, + "11056": msg13503, + "11057": msg13504, + "11058": msg13505, + "11059": msg13506, + "1106": select1004, + "11060": msg13507, + "11061": msg13508, + "11062": msg13509, + "11063": msg13510, + "11064": msg13511, + "11065": msg13512, + "11066": msg13513, + "11067": msg13514, + "11068": msg13515, + "11069": msg13516, + "1107": select1005, + "11070": msg13517, + "11071": msg13518, + "11072": msg13519, + "11073": msg13520, + "11074": msg13521, + "11075": msg13522, + "11076": msg13523, + "11077": msg13524, + "11078": msg13525, + "11079": msg13526, + "1108": select1006, + "11080": msg13527, + "11081": msg13528, + "11082": msg13529, + "11083": msg13530, + "11084": msg13531, + "11085": msg13532, + "11086": msg13533, + "11087": msg13534, + "11088": msg13535, + "11089": msg13536, + "1109": select1007, + "11090": msg13537, + "11091": msg13538, + "11092": msg13539, + "11093": msg13540, + "11094": msg13541, + "11095": msg13542, + "11096": msg13543, + "11097": msg13544, + "11098": msg13545, + "11099": msg13546, + "111": select39, + "111-1": msg111, + "111-10": msg112, + "111-11": msg113, + "111-12": msg114, + "111-13": msg115, + "111-14": msg116, + "111-15": msg117, + "111-16": msg118, + "111-17": msg119, + "111-2": msg120, + "111-3": msg121, + "111-4": msg122, + "111-5": msg123, + "111-6": msg124, + "111-7": msg125, + "111-8": msg126, + "111-9": msg127, + "1110": select1008, + "11100": msg13547, + "11101": msg13548, + "11102": msg13549, + "11103": msg13550, + "11104": msg13551, + "11105": msg13552, + "11106": msg13553, + "11107": msg13554, + "11108": msg13555, + "11109": msg13556, + "1111": select1009, + "11110": msg13557, + "11111": msg13558, + "11112": msg13559, + "11113": msg13560, + "11114": msg13561, + "11115": msg13562, + "11116": msg13563, + "11117": msg13564, + "11118": msg13565, + "11119": msg13566, + "1112": select1010, + "11120": msg13567, + "11121": msg13568, + "11122": msg13569, + "11123": msg13570, + "11124": msg13571, + "11125": msg13572, + "11126": msg13573, + "11127": msg13574, + "11128": msg13575, + "11129": msg13576, + "1113": select1011, + "11130": msg13577, + "11131": msg13578, + "11132": msg13579, + "11133": msg13580, + "11134": msg13581, + "11135": msg13582, + "11136": msg13583, + "11137": msg13584, + "11138": msg13585, + "11139": msg13586, + "1114": select1012, + "11140": msg13587, + "11141": msg13588, + "11142": msg13589, + "11143": msg13590, + "11144": msg13591, + "11145": msg13592, + "11146": msg13593, + "11147": msg13594, + "11148": msg13595, + "11149": msg13596, + "1115": select1013, + "11150": msg13597, + "11151": msg13598, + "11152": msg13599, + "11153": msg13600, + "11154": msg13601, + "11155": msg13602, + "11156": msg13603, + "11157": msg13604, + "11158": msg13605, + "11159": msg13606, + "1116": select1014, + "11160": msg13607, + "11161": msg13608, + "11162": msg13609, + "11163": msg13610, + "11164": msg13611, + "11165": msg13612, + "11166": msg13613, + "11167": msg13614, + "11168": msg13615, + "11169": msg13616, + "1117": select1015, + "11170": msg13617, + "11171": msg13618, + "11172": msg13619, + "11173": msg13620, + "11174": msg13621, + "11175": msg13622, + "11176": msg13623, + "11177": msg13624, + "11178": msg13625, + "11179": msg13626, + "1118": select1016, + "11180": msg13627, + "11181": msg13628, + "11182": msg13629, + "11183": msg13630, + "11184": msg13631, + "11185": msg13632, + "11186": msg13633, + "11187": msg13634, + "11188": msg13635, + "11189": msg13636, + "1119": select1017, + "11190": msg13637, + "11191": msg13638, + "11192": msg13639, + "11193": msg13640, + "11194": msg13641, + "11196": msg13642, + "11197": msg13643, + "11198": msg13644, + "11199": msg13645, + "112": select40, + "112-1": msg130, + "112-2": msg131, + "112-3": msg132, + "112-4": msg133, + "1120": select1018, + "11200": msg13646, + "11201": msg13647, + "11202": msg13648, + "11203": msg13649, + "11204": msg13650, + "11205": msg13651, + "11206": msg13652, + "11207": msg13653, + "11208": msg13654, + "11209": msg13655, + "1121": select1019, + "11210": msg13656, + "11211": msg13657, + "11212": msg13658, + "11213": msg13659, + "11214": msg13660, + "11215": msg13661, + "11216": msg13662, + "11217": msg13663, + "11218": msg13664, + "11219": msg13665, + "1122": select1020, + "11220": msg13666, + "11221": msg13667, + "11222": msg13668, + "11223": msg13669, + "11224": msg13670, + "11225": msg13671, + "11226": msg13672, + "11227": msg13673, + "11228": msg13674, + "11229": msg13675, + "1123": select1021, + "11230": msg13676, + "11231": msg13677, + "11232": msg13678, + "11233": msg13679, + "11234": msg13680, + "11235": msg13681, + "11236": msg13682, + "11237": msg13683, + "11238": msg13684, + "11239": msg13685, + "1124": select1022, + "11240": msg13686, + "11241": msg13687, + "11242": msg13688, + "11243": msg13689, + "11244": msg13690, + "11245": msg13691, + "11246": msg13692, + "11247": msg13693, + "11248": msg13694, + "11249": msg13695, + "1125": select1023, + "11250": msg13696, + "11251": msg13697, + "11252": msg13698, + "11253": msg13699, + "11254": msg13700, + "11255": msg13701, + "11256": msg13702, + "11257": msg13703, + "11258": msg13704, + "11259": msg13705, + "1126": select1024, + "11260": msg13706, + "11261": msg13707, + "11262": msg13708, + "11263": msg13709, + "11264": msg13710, + "11265": msg13711, + "11266": msg13712, + "11267": msg13713, + "11268": msg13714, + "11269": msg13715, + "1127": select1025, + "11270": msg13716, + "11271": msg13717, + "11272": msg13718, + "11273": msg13719, + "11274": msg13720, + "11275": msg13721, + "11276": msg13722, + "11277": msg13723, + "11278": msg13724, + "11279": msg13725, + "1128": select1026, + "11280": msg13726, + "11281": msg13727, + "11282": msg13728, + "11283": msg13729, + "11284": msg13730, + "11285": msg13731, + "11286": msg13732, + "11287": msg13733, + "11288": msg13734, + "11289": msg13735, + "1129": select1027, + "11290": msg13736, + "11291": msg13737, + "11292": msg13738, + "11293": msg13739, + "11294": msg13740, + "11295": msg13741, + "11296": msg13742, + "11297": msg13743, + "11298": msg13744, + "11299": msg13745, + "113": select41, + "1130": select1028, + "11300": msg13746, + "11301": msg13747, + "11302": msg13748, + "11303": msg13749, + "11304": msg13750, + "11305": msg13751, + "11306": msg13752, + "11307": msg13753, + "11308": msg13754, + "11309": msg13755, + "1131": select1029, + "11310": msg13756, + "11311": msg13757, + "11312": msg13758, + "11313": msg13759, + "11314": msg13760, + "11315": msg13761, + "11316": msg13762, + "11317": msg13763, + "11318": msg13764, + "11319": msg13765, + "1132": select1030, + "11320": msg13766, + "11321": msg13767, + "11322": msg13768, + "11323": msg13769, + "11324": msg13770, + "11325": msg13771, + "11326": msg13772, + "11327": msg13773, + "11328": msg13774, + "11329": msg13775, + "1133": select1031, + "11330": msg13776, + "11331": msg13777, + "11332": msg13778, + "11333": msg13779, + "11334": msg13780, + "11335": msg13781, + "11336": msg13782, + "11337": msg13783, + "11338": msg13784, + "11339": msg13785, + "1134": select1032, + "11340": msg13786, + "11341": msg13787, + "11342": msg13788, + "11343": msg13789, + "11344": msg13790, + "11345": msg13791, + "11346": msg13792, + "11347": msg13793, + "11348": msg13794, + "11349": msg13795, + "11350": msg13796, + "11351": msg13797, + "11352": msg13798, + "11353": msg13799, + "11354": msg13800, + "11355": msg13801, + "11356": msg13802, + "11357": msg13803, + "11358": msg13804, + "11359": msg13805, + "1136": select1033, + "11360": msg13806, + "11361": msg13807, + "11362": msg13808, + "11363": msg13809, + "11364": msg13810, + "11365": msg13811, + "11366": msg13812, + "11367": msg13813, + "11368": msg13814, + "11369": msg13815, + "1137": select1034, + "11370": msg13816, + "11371": msg13817, + "11372": msg13818, + "11373": msg13819, + "11374": msg13820, + "11375": msg13821, + "11376": msg13822, + "11377": msg13823, + "11378": msg13824, + "11379": msg13825, + "1138": select1035, + "11380": msg13826, + "11381": msg13827, + "11382": msg13828, + "11383": msg13829, + "11384": msg13830, + "11385": msg13831, + "11386": msg13832, + "11387": msg13833, + "11388": msg13834, + "11389": msg13835, + "1139": select1036, + "11390": msg13836, + "11391": msg13837, + "11392": msg13838, + "11393": msg13839, + "11394": msg13840, + "11395": msg13841, + "11396": msg13842, + "11397": msg13843, + "11398": msg13844, + "11399": msg13845, + "114": select42, + "1140": select1037, + "11400": msg13846, + "11401": msg13847, + "11402": msg13848, + "11403": msg13849, + "11404": msg13850, + "11405": msg13851, + "11406": msg13852, + "11407": msg13853, + "11408": msg13854, + "11409": msg13855, + "1141": select1038, + "11410": msg13856, + "11411": msg13857, + "11412": msg13858, + "11413": msg13859, + "11414": msg13860, + "11415": msg13861, + "11416": msg13862, + "11417": msg13863, + "11418": msg13864, + "11419": msg13865, + "1142": select1039, + "11420": msg13866, + "11421": msg13867, + "11422": msg13868, + "11423": msg13869, + "11424": msg13870, + "11425": msg13871, + "11426": msg13872, + "11427": msg13873, + "11428": msg13874, + "11429": msg13875, + "1143": select1040, + "11430": msg13876, + "11431": msg13877, + "11432": msg13878, + "11433": msg13879, + "11434": msg13880, + "11435": msg13881, + "11436": msg13882, + "11437": msg13883, + "11438": msg13884, + "11439": msg13885, + "1144": select1041, + "11440": msg13886, + "11441": msg13887, + "11442": msg13888, + "11443": msg13889, + "11444": msg13890, + "11445": msg13891, + "11446": msg13892, + "11447": msg13893, + "11448": msg13894, + "11449": msg13895, + "1145": select1042, + "11450": msg13896, + "11451": msg13897, + "11452": msg13898, + "11453": msg13899, + "11454": msg13900, + "11455": msg13901, + "11456": msg13902, + "11457": msg13903, + "11458": msg13904, + "11459": msg13905, + "1146": select1043, + "11460": msg13906, + "11461": msg13907, + "11462": msg13908, + "11463": msg13909, + "11464": msg13910, + "11465": msg13911, + "11466": msg13912, + "11467": msg13913, + "11468": msg13914, + "11469": msg13915, + "1147": select1044, + "11470": msg13916, + "11471": msg13917, + "11472": msg13918, + "11473": msg13919, + "11474": msg13920, + "11475": msg13921, + "11476": msg13922, + "11477": msg13923, + "11478": msg13924, + "11479": msg13925, + "1148": select1045, + "11480": msg13926, + "11481": msg13927, + "11482": msg13928, + "11483": msg13929, + "11484": msg13930, + "11485": msg13931, + "11486": msg13932, + "11487": msg13933, + "11488": msg13934, + "11489": msg13935, + "1149": select1046, + "11490": msg13936, + "11491": msg13937, + "11492": msg13938, + "11493": msg13939, + "11494": msg13940, + "11495": msg13941, + "11496": msg13942, + "11497": msg13943, + "11498": msg13944, + "11499": msg13945, + "115": select43, + "115-1": msg140, + "115-2": msg141, + "115-3": msg142, + "115-4": msg143, + "115-5": msg144, + "1150": select1047, + "11500": msg13946, + "11501": msg13947, + "11502": msg13948, + "11503": msg13949, + "11504": msg13950, + "11505": msg13951, + "11506": msg13952, + "11507": msg13953, + "11508": msg13954, + "11509": msg13955, + "1151": select1048, + "11510": msg13956, + "11511": msg13957, + "11512": msg13958, + "11513": msg13959, + "11514": msg13960, + "11515": msg13961, + "11516": msg13962, + "11517": msg13963, + "11518": msg13964, + "11519": msg13965, + "1152": select1049, + "11520": msg13966, + "11521": msg13967, + "11522": msg13968, + "11523": msg13969, + "11524": msg13970, + "11525": msg13971, + "11526": msg13972, + "11527": msg13973, + "11528": msg13974, + "11529": msg13975, + "1153": select1050, + "11530": msg13976, + "11531": msg13977, + "11532": msg13978, + "11533": msg13979, + "11534": msg13980, + "11535": msg13981, + "11536": msg13982, + "11537": msg13983, + "11538": msg13984, + "11539": msg13985, + "1154": select1051, + "11540": msg13986, + "11541": msg13987, + "11542": msg13988, + "11543": msg13989, + "11544": msg13990, + "11545": msg13991, + "11546": msg13992, + "11547": msg13993, + "11548": msg13994, + "11549": msg13995, + "1155": select1052, + "11550": msg13996, + "11551": msg13997, + "11552": msg13998, + "11553": msg13999, + "11554": msg14000, + "11555": msg14001, + "11556": msg14002, + "11557": msg14003, + "11558": msg14004, + "11559": msg14005, + "1156": select1053, + "11560": msg14006, + "11561": msg14007, + "11562": msg14008, + "11563": msg14009, + "11564": msg14010, + "11565": msg14011, + "11566": msg14012, + "11567": msg14013, + "11568": msg14014, + "11569": msg14015, + "1157": select1054, + "11570": msg14016, + "11571": msg14017, + "11572": msg14018, + "11573": msg14019, + "11574": msg14020, + "11575": msg14021, + "11576": msg14022, + "11577": msg14023, + "11578": msg14024, + "11579": msg14025, + "1158": select1055, + "11580": msg14026, + "11581": msg14027, + "11582": msg14028, + "11583": msg14029, + "11584": msg14030, + "11585": msg14031, + "11586": msg14032, + "11587": msg14033, + "11588": msg14034, + "11589": msg14035, + "1159": select1056, + "11590": msg14036, + "11591": msg14037, + "11592": msg14038, + "11593": msg14039, + "11594": msg14040, + "11595": msg14041, + "11596": msg14042, + "11597": msg14043, + "11598": msg14044, + "11599": msg14045, + "116": select44, + "116-5": msg147, + "1160": select1057, + "11600": msg14046, + "11601": msg14047, + "11602": msg14048, + "11603": msg14049, + "11604": msg14050, + "11605": msg14051, + "11606": msg14052, + "11607": msg14053, + "11608": msg14054, + "11609": msg14055, + "1161": select1058, + "11610": msg14056, + "11611": msg14057, + "11612": msg14058, + "11613": msg14059, + "11614": msg14060, + "11615": msg14061, + "11616": msg14062, + "11617": msg14063, + "11618": msg14064, + "11619": msg14065, + "1162": select1059, + "11620": msg14066, + "11621": msg14067, + "11622": msg14068, + "11623": msg14069, + "11624": msg14070, + "11625": msg14071, + "11626": msg14072, + "11627": msg14073, + "11628": msg14074, + "11629": msg14075, + "1163": select1060, + "11630": msg14076, + "11631": msg14077, + "11632": msg14078, + "11633": msg14079, + "11634": msg14080, + "11635": msg14081, + "11636": msg14082, + "11637": msg14083, + "11638": msg14084, + "11639": msg14085, + "1164": select1061, + "11640": msg14086, + "11641": msg14087, + "11642": msg14088, + "11643": msg14089, + "11644": msg14090, + "11645": msg14091, + "11646": msg14092, + "11647": msg14093, + "11648": msg14094, + "11649": msg14095, + "1165": select1062, + "11650": msg14096, + "11651": msg14097, + "11652": msg14098, + "11653": msg14099, + "11654": msg14100, + "11655": msg14101, + "11656": msg14102, + "11657": msg14103, + "11658": msg14104, + "11659": msg14105, + "1166": select1063, + "11660": msg14106, + "11661": msg14107, + "11662": msg14108, + "11663": msg14109, + "11664": msg14110, + "11665": msg14111, + "11666": msg14112, + "11667": msg14113, + "11668": msg14114, + "11669": msg14115, + "1167": select1064, + "11670": msg14116, + "11671": msg14117, + "11672": msg14118, + "11673": msg14119, + "11674": msg14120, + "11675": msg14121, + "11676": msg14122, + "11677": msg14123, + "11678": msg14124, + "11679": msg14125, + "1168": select1065, + "11680": msg14126, + "11681": msg14127, + "11682": msg14128, + "11683": msg14129, + "11684": msg14130, + "11685": msg14131, + "11686": msg14132, + "11687": msg14133, + "11688": msg14134, + "11689": msg14135, + "11690": msg14136, + "11691": msg14137, + "11692": msg14138, + "11693": msg14139, + "11694": msg14140, + "11695": msg14141, + "11696": msg14142, + "11697": msg14143, + "11698": msg14144, + "11699": msg14145, + "117": select45, + "11700": msg14146, + "11701": msg14147, + "11702": msg14148, + "11703": msg14149, + "11704": msg14150, + "11705": msg14151, + "11706": msg14152, + "11707": msg14153, + "11708": msg14154, + "11709": msg14155, + "1171": select1066, + "11710": msg14156, + "11711": msg14157, + "11712": msg14158, + "11713": msg14159, + "11714": msg14160, + "11715": msg14161, + "11716": msg14162, + "11717": msg14163, + "11718": msg14164, + "11719": msg14165, + "1172": select1067, + "11720": msg14166, + "11721": msg14167, + "11722": msg14168, + "11723": msg14169, + "11724": msg14170, + "11725": msg14171, + "11726": msg14172, + "11727": msg14173, + "11728": msg14174, + "11729": msg14175, + "1173": select1068, + "11730": msg14176, + "11731": msg14177, + "11732": msg14178, + "11733": msg14179, + "11734": msg14180, + "11735": msg14181, + "11736": msg14182, + "11737": msg14183, + "11738": msg14184, + "11739": msg14185, + "1174": select1069, + "11740": msg14186, + "11741": msg14187, + "11742": msg14188, + "11743": msg14189, + "11744": msg14190, + "11745": msg14191, + "11746": msg14192, + "11747": msg14193, + "11748": msg14194, + "11749": msg14195, + "1175": select1070, + "11750": msg14196, + "11751": msg14197, + "11752": msg14198, + "11753": msg14199, + "11754": msg14200, + "11755": msg14201, + "11756": msg14202, + "11757": msg14203, + "11758": msg14204, + "11759": msg14205, + "1176": select1071, + "11760": msg14206, + "11761": msg14207, + "11762": msg14208, + "11763": msg14209, + "11764": msg14210, + "11765": msg14211, + "11766": msg14212, + "11767": msg14213, + "11768": msg14214, + "11769": msg14215, + "1177": select1072, + "11770": msg14216, + "11771": msg14217, + "11772": msg14218, + "11773": msg14219, + "11774": msg14220, + "11775": msg14221, + "11776": msg14222, + "11777": msg14223, + "11778": msg14224, + "11779": msg14225, + "1178": select1073, + "11780": msg14226, + "11781": msg14227, + "11782": msg14228, + "11783": msg14229, + "11784": msg14230, + "11785": msg14231, + "11786": msg14232, + "11787": msg14233, + "11788": msg14234, + "11789": msg14235, + "1179": select1074, + "11790": msg14236, + "11791": msg14237, + "11792": msg14238, + "11793": msg14239, + "11794": msg14240, + "11795": msg14241, + "11796": msg14242, + "11797": msg14243, + "11798": msg14244, + "11799": msg14245, + "118": select46, + "1180": select1075, + "11800": msg14246, + "11801": msg14247, + "11802": msg14248, + "11803": msg14249, + "11804": msg14250, + "11805": msg14251, + "11806": msg14252, + "11807": msg14253, + "11808": msg14254, + "11809": msg14255, + "1181": select1076, + "11810": msg14256, + "11811": msg14257, + "11812": msg14258, + "11813": msg14259, + "11814": msg14260, + "11815": msg14261, + "11816": msg14262, + "11817": msg14263, + "11818": msg14264, + "11819": msg14265, + "1182": select1077, + "11820": msg14266, + "11821": msg14267, + "11822": msg14268, + "11823": msg14269, + "11824": msg14270, + "11825": msg14271, + "11826": msg14272, + "11827": msg14273, + "11828": msg14274, + "11829": msg14275, + "1183": select1078, + "11830": msg14276, + "11831": msg14277, + "11832": msg14278, + "11833": msg14279, + "11834": msg14280, + "11835": msg14281, + "11836": msg14282, + "11837": msg14283, + "11838": msg14284, + "11839": msg14285, + "1184": select1079, + "11840": msg14286, + "11841": msg14287, + "11842": msg14288, + "11843": msg14289, + "11844": msg14290, + "11845": msg14291, + "11846": msg14292, + "11847": msg14293, + "11848": msg14294, + "11849": msg14295, + "1185": select1080, + "11850": msg14296, + "11851": msg14297, + "11852": msg14298, + "11853": msg14299, + "11854": msg14300, + "11855": msg14301, + "11856": msg14302, + "11857": msg14303, + "11858": msg14304, + "11859": msg14305, + "1186": select1081, + "11860": msg14306, + "11861": msg14307, + "11862": msg14308, + "11863": msg14309, + "11864": msg14310, + "11865": msg14311, + "11866": msg14312, + "11867": msg14313, + "11868": msg14314, + "11869": msg14315, + "1187": select1082, + "11870": msg14316, + "11871": msg14317, + "11872": msg14318, + "11873": msg14319, + "11874": msg14320, + "11875": msg14321, + "11876": msg14322, + "11877": msg14323, + "11878": msg14324, + "11879": msg14325, + "1188": select1083, + "11880": msg14326, + "11881": msg14327, + "11882": msg14328, + "11883": msg14329, + "11884": msg14330, + "11885": msg14331, + "11886": msg14332, + "11887": msg14333, + "11888": msg14334, + "11889": msg14335, + "1189": select1084, + "11890": msg14336, + "11891": msg14337, + "11892": msg14338, + "11893": msg14339, + "11894": msg14340, + "11895": msg14341, + "11896": msg14342, + "11897": msg14343, + "11898": msg14344, + "11899": msg14345, + "119": select47, + "119-1": msg154, + "119-10": msg155, + "119-11": msg156, + "119-12": msg157, + "119-13": msg158, + "119-14": msg159, + "119-15": msg160, + "119-16": msg161, + "119-17": msg162, + "119-18": msg163, + "119-2": msg164, + "119-3": msg165, + "119-4": msg166, + "119-5": msg167, + "119-6": msg168, + "119-7": msg169, + "119-8": msg170, + "119-9": msg171, + "1190": select1085, + "11900": msg14346, + "11901": msg14347, + "11902": msg14348, + "11903": msg14349, + "11904": msg14350, + "11905": msg14351, + "11906": msg14352, + "11907": msg14353, + "11908": msg14354, + "11909": msg14355, + "1191": select1086, + "11910": msg14356, + "11911": msg14357, + "11912": msg14358, + "11913": msg14359, + "11914": msg14360, + "11915": msg14361, + "11916": msg14362, + "11917": msg14363, + "11918": msg14364, + "11919": msg14365, + "1192": select1087, + "11920": msg14366, + "11921": msg14367, + "11922": msg14368, + "11923": msg14369, + "11924": msg14370, + "11925": msg14371, + "11926": msg14372, + "11927": msg14373, + "11928": msg14374, + "11929": msg14375, + "1193": select1088, + "11930": msg14376, + "11931": msg14377, + "11932": msg14378, + "11933": msg14379, + "11934": msg14380, + "11935": msg14381, + "11936": msg14382, + "11937": msg14383, + "11938": msg14384, + "11939": msg14385, + "1194": select1089, + "11940": msg14386, + "11941": msg14387, + "11942": msg14388, + "11943": msg14389, + "11944": msg14390, + "11945": msg14391, + "11946": msg14392, + "11947": msg14393, + "11948": msg14394, + "11949": msg14395, + "1195": select1090, + "11950": msg14396, + "11951": msg14397, + "11952": msg14398, + "11953": msg14399, + "11954": msg14400, + "11955": msg14401, + "11956": msg14402, + "11957": msg14403, + "11958": msg14404, + "11959": msg14405, + "1196": select1091, + "11960": msg14406, + "11961": msg14407, + "11962": msg14408, + "11963": msg14409, + "11964": msg14410, + "11965": msg14411, + "11966": msg14412, + "11967": msg14413, + "11968": msg14414, + "11969": msg14415, + "1197": select1092, + "11970": msg14416, + "11971": msg14417, + "11972": msg14418, + "11973": msg14419, + "11974": msg14420, + "11975": msg14421, + "11976": msg14422, + "11977": msg14423, + "11978": msg14424, + "11979": msg14425, + "1198": select1093, + "11980": msg14426, + "11981": msg14427, + "11982": msg14428, + "11983": msg14429, + "11984": msg14430, + "11985": msg14431, + "11986": msg14432, + "11987": msg14433, + "11988": msg14434, + "11989": msg14435, + "1199": select1094, + "11990": msg14436, + "11991": msg14437, + "11992": msg14438, + "11993": msg14439, + "11994": msg14440, + "11995": msg14441, + "11996": msg14442, + "11997": msg14443, + "11998": msg14444, + "11999": msg14445, + "12": select14, + "120": select48, + "120-1": msg174, + "1200": select1095, + "12000": msg14446, + "12001": msg14447, + "12002": msg14448, + "12003": msg14449, + "12004": msg14450, + "12005": msg14451, + "12006": msg14452, + "12007": msg14453, + "12008": msg14454, + "12009": msg14455, + "1201": select1096, + "12010": msg14456, + "12011": msg14457, + "12012": msg14458, + "12013": msg14459, + "12014": msg14460, + "12015": msg14461, + "12016": msg14462, + "12017": msg14463, + "12018": msg14464, + "12019": msg14465, + "1202": select1097, + "12020": msg14466, + "12021": msg14467, + "12022": msg14468, + "12023": msg14469, + "12024": msg14470, + "12025": msg14471, + "12026": msg14472, + "12027": msg14473, + "12028": msg14474, + "12029": msg14475, + "12030": msg14476, + "12031": msg14477, + "12032": msg14478, + "12033": msg14479, + "12034": msg14480, + "12035": msg14481, + "12036": msg14482, + "12037": msg14483, + "12038": msg14484, + "12039": msg14485, + "1204": select1098, + "12040": msg14486, + "12041": msg14487, + "12042": msg14488, + "12043": msg14489, + "12044": msg14490, + "12045": msg14491, + "12046": msg14492, + "12047": msg14493, + "12048": msg14494, + "12049": msg14495, + "1205": select1099, + "12050": msg14496, + "12051": msg14497, + "12052": msg14498, + "12053": msg14499, + "12054": msg14500, + "12055": msg14501, + "12056": msg14502, + "12057": msg14503, + "12058": msg14504, + "12059": msg14505, + "1206": select1100, + "12060": msg14506, + "12061": msg14507, + "12062": msg14508, + "12063": msg14509, + "12064": msg14510, + "12065": msg14511, + "12066": msg14512, + "12067": msg14513, + "12068": msg14514, + "12069": msg14515, + "1207": select1101, + "12070": msg14516, + "12072": msg14517, + "12073": msg14518, + "12074": msg14519, + "12075": msg14520, + "12076": msg14521, + "12077": msg14522, + "12078": msg14523, + "12079": msg14524, + "1208": select1102, + "12080": msg14525, + "12081": msg14526, + "12082": msg14527, + "12083": msg14528, + "12084": msg14529, + "12085": msg14530, + "12086": msg14531, + "12087": msg14532, + "12088": msg14533, + "12089": msg14534, + "1209": select1103, + "12090": msg14535, + "12091": msg14536, + "12092": msg14537, + "12093": msg14538, + "12094": msg14539, + "12095": msg14540, + "12096": msg14541, + "12097": msg14542, + "12098": msg14543, + "12099": msg14544, + "121": select49, + "121-1": msg177, + "121-2": msg178, + "121-3": msg179, + "121-4": msg180, + "12100": msg14545, + "12101": msg14546, + "12102": msg14547, + "12103": msg14548, + "12104": msg14549, + "12105": msg14550, + "12106": msg14551, + "12107": msg14552, + "12108": msg14553, + "12109": msg14554, + "1211": select1104, + "12110": msg14555, + "12111": msg14556, + "12112": msg14557, + "12113": msg14558, + "12114": msg14559, + "12115": msg14560, + "12116": msg14561, + "12117": msg14562, + "12118": msg14563, + "12119": msg14564, + "1212": select1105, + "12120": msg14565, + "12121": msg14566, + "12122": msg14567, + "12123": msg14568, + "12124": msg14569, + "12125": msg14570, + "12126": msg14571, + "12127": msg14572, + "12128": msg14573, + "12129": msg14574, + "1213": select1106, + "12130": msg14575, + "12131": msg14576, + "12132": msg14577, + "12133": msg14578, + "12134": msg14579, + "12135": msg14580, + "12136": msg14581, + "12137": msg14582, + "12138": msg14583, + "12139": msg14584, + "1214": select1107, + "12140": msg14585, + "12141": msg14586, + "12142": msg14587, + "12143": msg14588, + "12144": msg14589, + "12145": msg14590, + "12146": msg14591, + "12147": msg14592, + "12148": msg14593, + "12149": msg14594, + "1215": select1108, + "12150": msg14595, + "12151": msg14596, + "12152": msg14597, + "12153": msg14598, + "12154": msg14599, + "12155": msg14600, + "12156": msg14601, + "12157": msg14602, + "12158": msg14603, + "12159": msg14604, + "1216": select1109, + "12160": msg14605, + "12161": msg14606, + "12162": msg14607, + "12163": msg14608, + "12164": msg14609, + "12165": msg14610, + "12166": msg14611, + "12167": msg14612, + "12168": msg14613, + "12169": msg14614, + "1217": select1110, + "12170": msg14615, + "12171": msg14616, + "12172": msg14617, + "12173": msg14618, + "12174": msg14619, + "12175": msg14620, + "12176": msg14621, + "12177": msg14622, + "12178": msg14623, + "12179": msg14624, + "1218": select1111, + "12180": msg14625, + "12181": msg14626, + "12182": msg14627, + "12183": msg14628, + "12184": msg14629, + "12185": msg14630, + "12186": msg14631, + "12187": msg14632, + "12188": msg14633, + "12189": msg14634, + "1219": select1112, + "12190": msg14635, + "12191": msg14636, + "12192": msg14637, + "12193": msg14638, + "12194": msg14639, + "12195": msg14640, + "12196": msg14641, + "12197": msg14642, + "12198": msg14643, + "12199": msg14644, + "122": select50, + "122-1": msg183, + "122-10": msg184, + "122-11": msg185, + "122-12": msg186, + "122-13": msg187, + "122-14": msg188, + "122-15": msg189, + "122-16": msg190, + "122-17": msg191, + "122-18": msg192, + "122-19": msg193, + "122-2": msg194, + "122-20": msg195, + "122-21": msg196, + "122-22": msg197, + "122-23": msg198, + "122-24": msg199, + "122-25": msg200, + "122-26": msg201, + "122-27": msg202, + "122-3": msg203, + "122-4": msg204, + "122-5": msg205, + "122-6": msg206, + "122-7": msg207, + "122-8": msg208, + "122-9": msg209, + "1220": select1113, + "12200": msg14645, + "12201": msg14646, + "12202": msg14647, + "12203": msg14648, + "12204": msg14649, + "12205": msg14650, + "12206": msg14651, + "12207": msg14652, + "12208": msg14653, + "12209": msg14654, + "1221": select1114, + "12210": msg14655, + "12211": msg14656, + "12212": msg14657, + "12213": msg14658, + "12214": msg14659, + "12215": msg14660, + "12216": msg14661, + "12217": msg14662, + "12218": msg14663, + "12219": msg14664, + "1222": select1115, + "12220": msg14665, + "12221": msg14666, + "12222": msg14667, + "12223": msg14668, + "12224": msg14669, + "12225": msg14670, + "12226": msg14671, + "12227": msg14672, + "12228": msg14673, + "12229": msg14674, + "12230": msg14675, + "12231": msg14676, + "12232": msg14677, + "12233": msg14678, + "12234": msg14679, + "12235": msg14680, + "12236": msg14681, + "12237": msg14682, + "12238": msg14683, + "12239": msg14684, + "1224": select1116, + "12240": msg14685, + "12241": msg14686, + "12242": msg14687, + "12243": msg14688, + "12244": msg14689, + "12245": msg14690, + "12246": msg14691, + "12247": msg14692, + "12248": msg14693, + "12249": msg14694, + "1225": select1117, + "12250": msg14695, + "12251": msg14696, + "12252": msg14697, + "12253": msg14698, + "12254": msg14699, + "12255": msg14700, + "12256": msg14701, + "12257": msg14702, + "12258": msg14703, + "12259": msg14704, + "1226": select1118, + "12260": msg14705, + "12261": msg14706, + "12262": msg14707, + "12263": msg14708, + "12264": msg14709, + "12265": msg14710, + "12266": msg14711, + "12267": msg14712, + "12268": msg14713, + "12269": msg14714, + "1227": select1119, + "12270": msg14715, + "12271": msg14716, + "12272": msg14717, + "12273": msg14718, + "12274": msg14719, + "12275": msg14720, + "12276": msg14721, + "12277": msg14722, + "12278": msg14723, + "12279": msg14724, + "1228": select1120, + "12280": msg14725, + "12281": msg14726, + "12282": msg14727, + "12283": msg14728, + "12284": msg14729, + "12285": msg14730, + "12286": msg14731, + "12287": msg14732, + "12288": msg14733, + "12289": msg14734, + "1229": select1121, + "12290": msg14735, + "12291": msg14736, + "12292": msg14737, + "12293": msg14738, + "12294": msg14739, + "12295": msg14740, + "12296": msg14741, + "12297": msg14742, + "12298": msg14743, + "12299": msg14744, + "123-10": msg210, + "123-9": msg211, + "1230": select1122, + "12300": msg14745, + "12301": msg14746, + "12302": msg14747, + "12303": msg14748, + "12304": msg14749, + "12305": msg14750, + "12306": msg14751, + "12307": msg14752, + "12308": msg14753, + "12309": msg14754, + "1231": select1123, + "12310": msg14755, + "12311": msg14756, + "12312": msg14757, + "12313": msg14758, + "12314": msg14759, + "12315": msg14760, + "12316": msg14761, + "12317": msg14762, + "12318": msg14763, + "12319": msg14764, + "1232": select1124, + "12320": msg14765, + "12321": msg14766, + "12322": msg14767, + "12323": msg14768, + "12324": msg14769, + "12325": msg14770, + "12326": msg14771, + "12327": msg14772, + "12328": msg14773, + "12329": msg14774, + "1233": select1125, + "12330": msg14775, + "12331": msg14776, + "12332": msg14777, + "12333": msg14778, + "12334": msg14779, + "12335": msg14780, + "12336": msg14781, + "12337": msg14782, + "12338": msg14783, + "12339": msg14784, + "1234": select1126, + "12340": msg14785, + "12341": msg14786, + "12342": msg14787, + "12343": msg14788, + "12344": msg14789, + "12345": msg14790, + "12346": msg14791, + "12347": msg14792, + "12348": msg14793, + "12349": msg14794, + "1235": select1127, + "12350": msg14795, + "12351": msg14796, + "12352": msg14797, + "12353": msg14798, + "12354": msg14799, + "12355": msg14800, + "12356": msg14801, + "12357": msg14802, + "12358": msg14803, + "12359": msg14804, + "1236": select1128, + "12360": msg14805, + "12361": msg14806, + "12362": msg14807, + "12363": msg14808, + "12364": msg14809, + "12365": msg14810, + "12366": msg14811, + "12367": msg14812, + "12368": msg14813, + "12369": msg14814, + "1237": select1129, + "12370": msg14815, + "12371": msg14816, + "12372": msg14817, + "12373": msg14818, + "12374": msg14819, + "12375": msg14820, + "12376": msg14821, + "12377": msg14822, + "12378": msg14823, + "12379": msg14824, + "1238": select1130, + "12380": msg14825, + "12381": msg14826, + "12382": msg14827, + "12383": msg14828, + "12384": msg14829, + "12385": msg14830, + "12386": msg14831, + "12387": msg14832, + "12388": msg14833, + "12389": msg14834, + "1239": select1131, + "12390": msg14835, + "12391": msg14836, + "12392": msg14837, + "12393": msg14838, + "12394": msg14839, + "12395": msg14840, + "12396": msg14841, + "12397": msg14842, + "12398": msg14843, + "12399": msg14844, + "124": select51, + "124-1": msg214, + "1240": select1132, + "12400": msg14845, + "12401": msg14846, + "12402": msg14847, + "12403": msg14848, + "12404": msg14849, + "12405": msg14850, + "12406": msg14851, + "12407": msg14852, + "12408": msg14853, + "12409": msg14854, + "1241": select1133, + "12410": msg14855, + "12411": msg14856, + "12412": msg14857, + "12413": msg14858, + "12414": msg14859, + "12415": msg14860, + "12416": msg14861, + "12417": msg14862, + "12418": msg14863, + "12419": msg14864, + "1242": select1134, + "12420": msg14865, + "12421": msg14866, + "12422": msg14867, + "12423": msg14868, + "12424": msg14869, + "12425": msg14870, + "12426": msg14871, + "12427": msg14872, + "12428": msg14873, + "12429": msg14874, + "1243": select1135, + "12430": msg14875, + "12431": msg14876, + "12432": msg14877, + "12433": msg14878, + "12434": msg14879, + "12435": msg14880, + "12436": msg14881, + "12437": msg14882, + "12438": msg14883, + "12439": msg14884, + "1244": select1136, + "12440": msg14885, + "12441": msg14886, + "12442": msg14887, + "12443": msg14888, + "12444": msg14889, + "12445": msg14890, + "12446": msg14891, + "12447": msg14892, + "12448": msg14893, + "12449": msg14894, + "1245": select1137, + "12450": msg14895, + "12451": msg14896, + "12452": msg14897, + "12453": msg14898, + "12454": msg14899, + "12455": msg14900, + "12456": msg14901, + "12457": msg14902, + "12458": msg14903, + "12459": msg14904, + "1246": select1138, + "12460": msg14905, + "12461": msg14906, + "12462": msg14907, + "12463": msg14908, + "12464": msg14909, + "12465": msg14910, + "12466": msg14911, + "12467": msg14912, + "12468": msg14913, + "12469": msg14914, + "1247": select1139, + "12470": msg14915, + "12471": msg14916, + "12472": msg14917, + "12473": msg14918, + "12474": msg14919, + "12475": msg14920, + "12476": msg14921, + "12477": msg14922, + "12478": msg14923, + "12479": msg14924, + "1248": select1140, + "12480": msg14925, + "12481": msg14926, + "12482": msg14927, + "12483": msg14928, + "12484": msg14929, + "12485": msg14930, + "12486": msg14931, + "12487": msg14932, + "12488": msg14933, + "12489": msg14934, + "1249": select1141, + "12490": msg14935, + "12491": msg14936, + "12492": msg14937, + "12493": msg14938, + "12494": msg14939, + "12495": msg14940, + "12496": msg14941, + "12497": msg14942, + "12498": msg14943, + "12499": msg14944, + "125": select52, + "125-3": msg217, + "125-5": msg218, + "125-6": msg219, + "125-8": msg220, + "1250": select1142, + "12500": msg14945, + "12501": msg14946, + "12502": msg14947, + "12503": msg14948, + "12504": msg14949, + "12505": msg14950, + "12506": msg14951, + "12507": msg14952, + "12508": msg14953, + "12509": msg14954, + "1251": select1143, + "12510": msg14955, + "12511": msg14956, + "12512": msg14957, + "12513": msg14958, + "12514": msg14959, + "12515": msg14960, + "12516": msg14961, + "12517": msg14962, + "12518": msg14963, + "12519": msg14964, + "1252": select1144, + "12520": msg14965, + "12521": msg14966, + "12522": msg14967, + "12523": msg14968, + "12524": msg14969, + "12525": msg14970, + "12526": msg14971, + "12527": msg14972, + "12528": msg14973, + "12529": msg14974, + "1253": select1145, + "12530": msg14975, + "12531": msg14976, + "12532": msg14977, + "12533": msg14978, + "12534": msg14979, + "12535": msg14980, + "12536": msg14981, + "12537": msg14982, + "12538": msg14983, + "12539": msg14984, + "1254": select1146, + "12540": msg14985, + "12541": msg14986, + "12542": msg14987, + "12543": msg14988, + "12544": msg14989, + "12545": msg14990, + "12546": msg14991, + "12547": msg14992, + "12548": msg14993, + "12549": msg14994, + "1255": select1147, + "12550": msg14995, + "12551": msg14996, + "12552": msg14997, + "12553": msg14998, + "12554": msg14999, + "12555": msg15000, + "12556": msg15001, + "12557": msg15002, + "12558": msg15003, + "12559": msg15004, + "1256": select1148, + "12560": msg15005, + "12561": msg15006, + "12562": msg15007, + "12563": msg15008, + "12564": msg15009, + "12565": msg15010, + "12566": msg15011, + "12567": msg15012, + "12568": msg15013, + "12569": msg15014, + "1257": select1149, + "12570": msg15015, + "12571": msg15016, + "12572": msg15017, + "12573": msg15018, + "12574": msg15019, + "12575": msg15020, + "12576": msg15021, + "12577": msg15022, + "12578": msg15023, + "12579": msg15024, + "1258": select1150, + "12580": msg15025, + "12581": msg15026, + "12582": msg15027, + "12583": msg15028, + "12584": msg15029, + "12585": msg15030, + "12586": msg15031, + "12587": msg15032, + "12588": msg15033, + "12589": msg15034, + "1259": select1151, + "12590": msg15035, + "12591": msg15036, + "12592": msg15037, + "12593": msg15038, + "12594": msg15039, + "12595": msg15040, + "12596": msg15041, + "12597": msg15042, + "12598": msg15043, + "12599": msg15044, + "126": select53, + "126-1": msg223, + "1260": select1152, + "12600": msg15045, + "12601": msg15046, + "12602": msg15047, + "12603": msg15048, + "12604": msg15049, + "12605": msg15050, + "12606": msg15051, + "12607": msg15052, + "12608": msg15053, + "12609": msg15054, + "1261": select1153, + "12610": msg15055, + "12611": msg15056, + "12612": msg15057, + "12613": msg15058, + "12614": msg15059, + "12615": msg15060, + "12616": msg15061, + "12617": msg15062, + "12618": msg15063, + "12619": msg15064, + "1262": select1154, + "12620": msg15065, + "12621": msg15066, + "12622": msg15067, + "12623": msg15068, + "12624": msg15069, + "12625": msg15070, + "12626": msg15071, + "12627": msg15072, + "12628": msg15073, + "12629": msg15074, + "1263": select1155, + "12630": msg15075, + "12631": msg15076, + "12632": msg15077, + "12633": msg15078, + "12634": msg15079, + "12635": msg15080, + "12636": msg15081, + "12637": msg15082, + "12638": msg15083, + "12639": msg15084, + "1264": select1156, + "12640": msg15085, + "12641": msg15086, + "12642": msg15087, + "12643": msg15088, + "12644": msg15089, + "12645": msg15090, + "12646": msg15091, + "12647": msg15092, + "12648": msg15093, + "12649": msg15094, + "1265": select1157, + "12650": msg15095, + "12651": msg15096, + "12652": msg15097, + "12653": msg15098, + "12654": msg15099, + "12655": msg15100, + "12656": msg15101, + "12657": msg15102, + "12658": msg15103, + "12659": msg15104, + "1266": select1158, + "12660": msg15105, + "12661": msg15106, + "12663": msg15107, + "12664": msg15108, + "12665": msg15109, + "12666": msg15110, + "12667": msg15111, + "12668": msg15112, + "12669": msg15113, + "1267": select1159, + "12670": msg15114, + "12671": msg15115, + "12672": msg15116, + "12673": msg15117, + "12674": msg15118, + "12675": msg15119, + "12676": msg15120, + "12677": msg15121, + "12678": msg15122, + "12679": msg15123, + "1268": select1160, + "12680": msg15124, + "12681": msg15125, + "12682": msg15126, + "12683": msg15127, + "12684": msg15128, + "12685": msg15129, + "12686": msg15130, + "12687": msg15131, + "12688": msg15132, + "12689": msg15133, + "1269": select1161, + "12690": msg15134, + "12691": msg15135, + "12692": msg15136, + "12693": msg15137, + "12694": msg15138, + "12695": msg15139, + "12696": msg15140, + "12697": msg15141, + "12698": msg15142, + "12699": msg15143, + "127": select54, + "1270": select1162, + "12700": msg15144, + "12701": msg15145, + "12702": msg15146, + "12703": msg15147, + "12704": msg15148, + "12705": msg15149, + "12706": msg15150, + "12707": msg15151, + "12708": msg15152, + "12709": msg15153, + "1271": select1163, + "12710": msg15154, + "12711": msg15155, + "12712": msg15156, + "12713": msg15157, + "12714": msg15158, + "12715": msg15159, + "12716": msg15160, + "12717": msg15161, + "12718": msg15162, + "12719": msg15163, + "1272": select1164, + "12720": msg15164, + "12721": msg15165, + "12722": msg15166, + "12723": msg15167, + "12724": msg15168, + "12725": msg15169, + "12726": msg15170, + "12727": msg15171, + "12728": msg15172, + "12729": msg15173, + "1273": select1165, + "12730": msg15174, + "12731": msg15175, + "12732": msg15176, + "12733": msg15177, + "12734": msg15178, + "12735": msg15179, + "12736": msg15180, + "12737": msg15181, + "12738": msg15182, + "12739": msg15183, + "1274": select1166, + "12740": msg15184, + "12741": msg15185, + "12742": msg15186, + "12743": msg15187, + "12744": msg15188, + "12745": msg15189, + "12746": msg15190, + "12747": msg15191, + "12748": msg15192, + "12749": msg15193, + "1275": select1167, + "12750": msg15194, + "12751": msg15195, + "12752": msg15196, + "12753": msg15197, + "12754": msg15198, + "12755": msg15199, + "12756": msg15200, + "12757": msg15201, + "12758": msg15202, + "12759": msg15203, + "1276": select1168, + "12760": msg15204, + "12761": msg15205, + "12762": msg15206, + "12763": msg15207, + "12764": msg15208, + "12765": msg15209, + "12766": msg15210, + "12767": msg15211, + "12768": msg15212, + "12769": msg15213, + "1277": select1169, + "12770": msg15214, + "12771": msg15215, + "12772": msg15216, + "12773": msg15217, + "12774": msg15218, + "12775": msg15219, + "12776": msg15220, + "12777": msg15221, + "12778": msg15222, + "12779": msg15223, + "1278": select1170, + "12780": msg15224, + "12781": msg15225, + "12782": msg15226, + "12783": msg15227, + "12784": msg15228, + "12785": msg15229, + "12786": msg15230, + "12787": msg15231, + "12788": msg15232, + "12789": msg15233, + "1279": select1171, + "12790": msg15234, + "12791": msg15235, + "12792": msg15236, + "12793": msg15237, + "12794": msg15238, + "12795": msg15239, + "12796": msg15240, + "12797": msg15241, + "12798": msg15242, + "12799": msg15243, + "128": select55, + "1280": select1172, + "12800": msg15244, + "12801": msg15245, + "12802": msg15246, + "12803": msg15247, + "12804": msg15248, + "12805": msg15249, + "12806": msg15250, + "12807": msg15251, + "12808": msg15252, + "12809": msg15253, + "1281": select1173, + "12810": msg15254, + "12811": msg15255, + "12812": msg15256, + "12813": msg15257, + "12814": msg15258, + "12815": msg15259, + "12816": msg15260, + "12817": msg15261, + "12818": msg15262, + "12819": msg15263, + "1282": select1174, + "12820": msg15264, + "12821": msg15265, + "12822": msg15266, + "12823": msg15267, + "12824": msg15268, + "12825": msg15269, + "12826": msg15270, + "12827": msg15271, + "12828": msg15272, + "12829": msg15273, + "1283": select1175, + "12830": msg15274, + "12831": msg15275, + "12832": msg15276, + "12833": msg15277, + "12834": msg15278, + "12835": msg15279, + "12836": msg15280, + "12837": msg15281, + "12838": msg15282, + "12839": msg15283, + "1284": select1176, + "12840": msg15284, + "12841": msg15285, + "12842": msg15286, + "12843": msg15287, + "12844": msg15288, + "12845": msg15289, + "12846": msg15290, + "12847": msg15291, + "12848": msg15292, + "12849": msg15293, + "1285": select1177, + "12850": msg15294, + "12851": msg15295, + "12852": msg15296, + "12853": msg15297, + "12854": msg15298, + "12855": msg15299, + "12856": msg15300, + "12857": msg15301, + "12858": msg15302, + "12859": msg15303, + "1286": select1178, + "12860": msg15304, + "12861": msg15305, + "12862": msg15306, + "12863": msg15307, + "12864": msg15308, + "12865": msg15309, + "12866": msg15310, + "12867": msg15311, + "12868": msg15312, + "12869": msg15313, + "1287": select1179, + "12870": msg15314, + "12871": msg15315, + "12872": msg15316, + "12873": msg15317, + "12874": msg15318, + "12875": msg15319, + "12876": msg15320, + "12877": msg15321, + "12878": msg15322, + "12879": msg15323, + "1288": select1180, + "12880": msg15324, + "12881": msg15325, + "12882": msg15326, + "12883": msg15327, + "12884": msg15328, + "12885": msg15329, + "12886": msg15330, + "12887": msg15331, + "12888": msg15332, + "12889": msg15333, + "1289": select1181, + "12890": msg15334, + "12891": msg15335, + "12892": msg15336, + "12893": msg15337, + "12894": msg15338, + "12895": msg15339, + "12896": msg15340, + "12897": msg15341, + "12898": msg15342, + "12899": msg15343, + "129": select56, + "129-2": msg230, + "129-6": msg231, + "1290": select1182, + "12900": msg15344, + "12901": msg15345, + "12902": msg15346, + "12903": msg15347, + "12904": msg15348, + "12905": msg15349, + "12906": msg15350, + "12907": msg15351, + "12908": msg15352, + "12909": msg15353, + "1291": select1183, + "12910": msg15354, + "12911": msg15355, + "12912": msg15356, + "12913": msg15357, + "12914": msg15358, + "12915": msg15359, + "12916": msg15360, + "12917": msg15361, + "12918": msg15362, + "12919": msg15363, + "1292": select1184, + "12920": msg15364, + "12921": msg15365, + "12922": msg15366, + "12923": msg15367, + "12924": msg15368, + "12925": msg15369, + "12926": msg15370, + "12927": msg15371, + "12928": msg15372, + "12929": msg15373, + "1293": select1185, + "12930": msg15374, + "12931": msg15375, + "12932": msg15376, + "12933": msg15377, + "12934": msg15378, + "12935": msg15379, + "12936": msg15380, + "12937": msg15381, + "12938": msg15382, + "12939": msg15383, + "1294": select1186, + "12940": msg15384, + "12941": msg15385, + "12942": msg15386, + "12943": msg15387, + "12944": msg15388, + "12945": msg15389, + "12946": msg15390, + "12947": msg15391, + "12948": msg15392, + "12949": msg15393, + "1295": select1187, + "12950": msg15394, + "12951": msg15395, + "12952": msg15396, + "12953": msg15397, + "12954": msg15398, + "12955": msg15399, + "12956": msg15400, + "12957": msg15401, + "12958": msg15402, + "12959": msg15403, + "1296": select1188, + "12960": msg15404, + "12961": msg15405, + "12962": msg15406, + "12963": msg15407, + "12964": msg15408, + "12965": msg15409, + "12966": msg15410, + "12967": msg15411, + "12968": msg15412, + "12969": msg15413, + "1297": select1189, + "12970": msg15414, + "12971": msg15415, + "12972": msg15416, + "12973": msg15417, + "12974": msg15418, + "12975": msg15419, + "12976": msg15420, + "12977": msg15421, + "12978": msg15422, + "12979": msg15423, + "1298": select1190, + "12980": msg15424, + "12981": msg15425, + "12982": msg15426, + "12983": msg15427, + "12984": msg15428, + "12985": msg15429, + "12986": msg15430, + "12987": msg15431, + "12988": msg15432, + "12989": msg15433, + "1299": select1191, + "12990": msg15434, + "12991": msg15435, + "12992": msg15436, + "12993": msg15437, + "12994": msg15438, + "12995": msg15439, + "12996": msg15440, + "12997": msg15441, + "12998": msg15442, + "12999": msg15443, + "13": select15, + "130": select57, + "1300": select1192, + "13000": msg15444, + "13001": msg15445, + "13002": msg15446, + "13003": msg15447, + "13004": msg15448, + "13005": msg15449, + "13006": msg15450, + "13007": msg15451, + "13008": msg15452, + "13009": msg15453, + "1301": select1193, + "13010": msg15454, + "13011": msg15455, + "13012": msg15456, + "13013": msg15457, + "13014": msg15458, + "13015": msg15459, + "13016": msg15460, + "13017": msg15461, + "13018": msg15462, + "13019": msg15463, + "1302": select1194, + "13020": msg15464, + "13021": msg15465, + "13022": msg15466, + "13023": msg15467, + "13024": msg15468, + "13025": msg15469, + "13026": msg15470, + "13027": msg15471, + "13028": msg15472, + "13029": msg15473, + "1303": select1195, + "13030": msg15474, + "13031": msg15475, + "13032": msg15476, + "13033": msg15477, + "13034": msg15478, + "13035": msg15479, + "13036": msg15480, + "13037": msg15481, + "13038": msg15482, + "13039": msg15483, + "1304": select1196, + "13040": msg15484, + "13041": msg15485, + "13042": msg15486, + "13043": msg15487, + "13044": msg15488, + "13045": msg15489, + "13046": msg15490, + "13047": msg15491, + "13048": msg15492, + "13049": msg15493, + "1305": select1197, + "13050": msg15494, + "13051": msg15495, + "13052": msg15496, + "13053": msg15497, + "13054": msg15498, + "13055": msg15499, + "13056": msg15500, + "13057": msg15501, + "13058": msg15502, + "13059": msg15503, + "1306": select1198, + "13060": msg15504, + "13061": msg15505, + "13062": msg15506, + "13063": msg15507, + "13064": msg15508, + "13065": msg15509, + "13066": msg15510, + "13067": msg15511, + "13068": msg15512, + "13069": msg15513, + "1307": select1199, + "13070": msg15514, + "13071": msg15515, + "13072": msg15516, + "13073": msg15517, + "13074": msg15518, + "13075": msg15519, + "13076": msg15520, + "13077": msg15521, + "13078": msg15522, + "13079": msg15523, + "1308": select1200, + "13080": msg15524, + "13081": msg15525, + "13082": msg15526, + "13083": msg15527, + "13084": msg15528, + "13085": msg15529, + "13086": msg15530, + "13087": msg15531, + "13088": msg15532, + "13089": msg15533, + "1309": select1201, + "13090": msg15534, + "13091": msg15535, + "13092": msg15536, + "13093": msg15537, + "13094": msg15538, + "13095": msg15539, + "13096": msg15540, + "13097": msg15541, + "13098": msg15542, + "13099": msg15543, + "131": select58, + "131-3": msg236, + "1310": select1202, + "13100": msg15544, + "13101": msg15545, + "13102": msg15546, + "13103": msg15547, + "13104": msg15548, + "13105": msg15549, + "13106": msg15550, + "13107": msg15551, + "13108": msg15552, + "13109": msg15553, + "1311": select1203, + "13110": msg15554, + "13111": msg15555, + "13112": msg15556, + "13113": msg15557, + "13114": msg15558, + "13115": msg15559, + "13116": msg15560, + "13117": msg15561, + "13118": msg15562, + "13119": msg15563, + "1312": select1204, + "13120": msg15564, + "13121": msg15565, + "13122": msg15566, + "13123": msg15567, + "13124": msg15568, + "13125": msg15569, + "13126": msg15570, + "13127": msg15571, + "13128": msg15572, + "13129": msg15573, + "1313": select1205, + "13130": msg15574, + "13131": msg15575, + "13132": msg15576, + "13133": msg15577, + "13134": msg15578, + "13135": msg15579, + "13136": msg15580, + "13137": msg15581, + "13138": msg15582, + "13139": msg15583, + "1314": select1206, + "13140": msg15584, + "13141": msg15585, + "13142": msg15586, + "13143": msg15587, + "13144": msg15588, + "13145": msg15589, + "13146": msg15590, + "13147": msg15591, + "13148": msg15592, + "13149": msg15593, + "1315": select1207, + "13150": msg15594, + "13151": msg15595, + "13152": msg15596, + "13153": msg15597, + "13154": msg15598, + "13155": msg15599, + "13156": msg15600, + "13157": msg15601, + "13158": msg15602, + "13159": msg15603, + "1316": select1208, + "13160": msg15604, + "13161": msg15605, + "13162": msg15606, + "13163": msg15607, + "13164": msg15608, + "13165": msg15609, + "13166": msg15610, + "13167": msg15611, + "13168": msg15612, + "13169": msg15613, + "1317": select1209, + "13170": msg15614, + "13171": msg15615, + "13172": msg15616, + "13173": msg15617, + "13174": msg15618, + "13175": msg15619, + "13176": msg15620, + "13177": msg15621, + "13178": msg15622, + "13179": msg15623, + "1318": select1210, + "13180": msg15624, + "13181": msg15625, + "13182": msg15626, + "13183": msg15627, + "13184": msg15628, + "13185": msg15629, + "13186": msg15630, + "13187": msg15631, + "13188": msg15632, + "13189": msg15633, + "1319": select1211, + "13190": msg15634, + "13191": msg15635, + "13192": msg15636, + "13193": msg15637, + "13194": msg15638, + "13195": msg15639, + "13196": msg15640, + "13197": msg15641, + "13198": msg15642, + "13199": msg15643, + "132": select59, + "1320": select1212, + "13200": msg15644, + "13201": msg15645, + "13202": msg15646, + "13203": msg15647, + "13204": msg15648, + "13205": msg15649, + "13206": msg15650, + "13207": msg15651, + "13208": msg15652, + "13209": msg15653, + "1321": select1213, + "13210": msg15654, + "13211": msg15655, + "13212": msg15656, + "13213": msg15657, + "13214": msg15658, + "13215": msg15659, + "13216": msg15660, + "13217": msg15661, + "13218": msg15662, + "13219": msg15663, + "1322": select1214, + "13220": msg15664, + "13221": msg15665, + "13222": msg15666, + "13223": msg15667, + "13224": msg15668, + "13225": msg15669, + "13226": msg15670, + "13227": msg15671, + "13228": msg15672, + "13229": msg15673, + "1323": select1215, + "13230": msg15674, + "13231": msg15675, + "13232": msg15676, + "13233": msg15677, + "13234": msg15678, + "13235": msg15679, + "13236": msg15680, + "13237": msg15681, + "13238": msg15682, + "13239": msg15683, + "1324": select1216, + "13240": msg15684, + "13241": msg15685, + "13242": msg15686, + "13243": msg15687, + "13244": msg15688, + "13245": msg15689, + "13246": msg15690, + "13247": msg15691, + "13248": msg15692, + "13249": msg15693, + "1325": select1217, + "13250": msg15694, + "13251": msg15695, + "13252": msg15696, + "13253": msg15697, + "13254": msg15698, + "13255": msg15699, + "13256": msg15700, + "13257": msg15701, + "13258": msg15702, + "13259": msg15703, + "1326": select1218, + "13260": msg15704, + "13261": msg15705, + "13262": msg15706, + "13263": msg15707, + "13264": msg15708, + "13265": msg15709, + "13266": msg15710, + "13267": msg15711, + "13268": msg15712, + "13269": msg15713, + "1327": select1219, + "13270": msg15714, + "13271": msg15715, + "13272": msg15716, + "13273": msg15717, + "13274": msg15718, + "13275": msg15719, + "13276": msg15720, + "13277": msg15721, + "13278": msg15722, + "13279": msg15723, + "1328": select1220, + "13280": msg15724, + "13281": msg15725, + "13282": msg15726, + "13283": msg15727, + "13284": msg15728, + "13285": msg15729, + "13286": msg15730, + "13287": msg15731, + "13288": msg15732, + "13289": msg15733, + "1329": select1221, + "13290": msg15734, + "13291": msg15735, + "13292": msg15736, + "13293": msg15737, + "13294": msg15738, + "13295": msg15739, + "13296": msg15740, + "13297": msg15741, + "13298": msg15742, + "13299": msg15743, + "133": select60, + "1330": select1222, + "13300": msg15744, + "13301": msg15745, + "13302": msg15746, + "13303": msg15747, + "13304": msg15748, + "13305": msg15749, + "13306": msg15750, + "13307": msg15751, + "13308": msg15752, + "13309": msg15753, + "1331": select1223, + "13310": msg15754, + "13311": msg15755, + "13312": msg15756, + "13313": msg15757, + "13314": msg15758, + "13315": msg15759, + "13316": msg15760, + "13317": msg15761, + "13318": msg15762, + "13319": msg15763, + "1332": select1224, + "13320": msg15764, + "13321": msg15765, + "13322": msg15766, + "13323": msg15767, + "13324": msg15768, + "13325": msg15769, + "13326": msg15770, + "13327": msg15771, + "13328": msg15772, + "13329": msg15773, + "1333": select1225, + "13330": msg15774, + "13331": msg15775, + "13332": msg15776, + "13333": msg15777, + "13334": msg15778, + "13335": msg15779, + "13336": msg15780, + "13337": msg15781, + "13338": msg15782, + "13339": msg15783, + "1334": select1226, + "13340": msg15784, + "13341": msg15785, + "13342": msg15786, + "13343": msg15787, + "13344": msg15788, + "13345": msg15789, + "13346": msg15790, + "13347": msg15791, + "13348": msg15792, + "13349": msg15793, + "1335": select1227, + "13350": msg15794, + "13351": msg15795, + "13352": msg15796, + "13353": msg15797, + "13354": msg15798, + "13355": msg15799, + "13356": msg15800, + "13357": msg15801, + "13358": msg15802, + "13359": msg15803, + "1336": select1228, + "13360": msg15804, + "13361": msg15805, + "13362": msg15806, + "13363": msg15807, + "13364": msg15808, + "13365": msg15809, + "13366": msg15810, + "13367": msg15811, + "13368": msg15812, + "13369": msg15813, + "1337": select1229, + "13370": msg15814, + "13371": msg15815, + "13372": msg15816, + "13373": msg15817, + "13374": msg15818, + "13375": msg15819, + "13376": msg15820, + "13377": msg15821, + "13378": msg15822, + "13379": msg15823, + "1338": select1230, + "13380": msg15824, + "13381": msg15825, + "13382": msg15826, + "13383": msg15827, + "13384": msg15828, + "13385": msg15829, + "13386": msg15830, + "13387": msg15831, + "13388": msg15832, + "13389": msg15833, + "1339": select1231, + "13390": msg15834, + "13391": msg15835, + "13392": msg15836, + "13393": msg15837, + "13394": msg15838, + "13395": msg15839, + "13396": msg15840, + "13397": msg15841, + "13398": msg15842, + "13399": msg15843, + "134": select61, + "1340": select1232, + "13400": msg15844, + "13401": msg15845, + "13402": msg15846, + "13403": msg15847, + "13404": msg15848, + "13405": msg15849, + "13406": msg15850, + "13407": msg15851, + "13408": msg15852, + "13409": msg15853, + "1341": select1233, + "13410": msg15854, + "13411": msg15855, + "13412": msg15856, + "13413": msg15857, + "13414": msg15858, + "13415": msg15859, + "13416": msg15860, + "13417": msg15861, + "13418": msg15862, + "13419": msg15863, + "1342": select1234, + "13420": msg15864, + "13421": msg15865, + "13422": msg15866, + "13423": msg15867, + "13424": msg15868, + "13425": msg15869, + "13426": msg15870, + "13427": msg15871, + "13428": msg15872, + "13429": msg15873, + "1343": select1235, + "13430": msg15874, + "13431": msg15875, + "13432": msg15876, + "13433": msg15877, + "13434": msg15878, + "13435": msg15879, + "13436": msg15880, + "13437": msg15881, + "13438": msg15882, + "13439": msg15883, + "1344": select1236, + "13440": msg15884, + "13441": msg15885, + "13442": msg15886, + "13443": msg15887, + "13444": msg15888, + "13445": msg15889, + "13446": msg15890, + "13447": msg15891, + "13448": msg15892, + "13449": msg15893, + "1345": select1237, + "13450": msg15894, + "13451": msg15895, + "13452": msg15896, + "13453": msg15897, + "13454": msg15898, + "13455": msg15899, + "13456": msg15900, + "13457": msg15901, + "13458": msg15902, + "13459": msg15903, + "1346": select1238, + "13460": msg15904, + "13465": msg15905, + "13466": msg15906, + "13467": msg15907, + "13468": msg15908, + "13469": msg15909, + "1347": select1239, + "13470": msg15910, + "13471": msg15911, + "13472": msg15912, + "13473": msg15913, + "13474": msg15914, + "13475": msg15915, + "13476": msg15916, + "13477": msg15917, + "13478": msg15918, + "13479": msg15919, + "1348": select1240, + "13480": msg15920, + "13481": msg15921, + "13482": msg15922, + "13483": msg15923, + "13484": msg15924, + "13485": msg15925, + "13486": msg15926, + "13487": msg15927, + "13488": msg15928, + "13489": msg15929, + "1349": select1241, + "13490": msg15930, + "13491": msg15931, + "13492": msg15932, + "13493": msg15933, + "13494": msg15934, + "13495": msg15935, + "13496": msg15936, + "13497": msg15937, + "13498": msg15938, + "13499": msg15939, + "135": select62, + "1350": select1242, + "13500": msg15940, + "13501": msg15941, + "13502": msg15942, + "13503": msg15943, + "13504": msg15944, + "13505": msg15945, + "13506": msg15946, + "13507": msg15947, + "13508": msg15948, + "13509": msg15949, + "1351": select1243, + "13510": msg15950, + "13511": msg15951, + "13512": msg15952, + "13513": msg15953, + "13514": msg15954, + "13515": msg15955, + "13516": msg15956, + "13517": msg15957, + "13518": msg15958, + "13519": msg15959, + "1352": select1244, + "13520": msg15960, + "13521": msg15961, + "13522": msg15962, + "13523": msg15963, + "13524": msg15964, + "13525": msg15965, + "13526": msg15966, + "13527": msg15967, + "13528": msg15968, + "13529": msg15969, + "1353": select1245, + "13530": msg15970, + "13531": msg15971, + "13532": msg15972, + "13533": msg15973, + "13534": msg15974, + "13535": msg15975, + "13536": msg15976, + "13537": msg15977, + "13538": msg15978, + "13539": msg15979, + "1354": select1246, + "13540": msg15980, + "13541": msg15981, + "13542": msg15982, + "13543": msg15983, + "13544": msg15984, + "13545": msg15985, + "13546": msg15986, + "13547": msg15987, + "13548": msg15988, + "13549": msg15989, + "1355": select1247, + "13550": msg15990, + "13551": msg15991, + "13552": msg15992, + "13553": msg15993, + "13554": msg15994, + "13555": msg15995, + "13556": msg15996, + "13557": msg15997, + "13558": msg15998, + "13559": msg15999, + "1356": select1248, + "13560": msg16000, + "13561": msg16001, + "13562": msg16002, + "13563": msg16003, + "13564": msg16004, + "13565": msg16005, + "13566": msg16006, + "13567": msg16007, + "13568": msg16008, + "13569": msg16009, + "1357": select1249, + "13570": msg16010, + "13571": msg16011, + "13572": msg16012, + "13573": msg16013, + "1358": select1250, + "13580": msg16014, + "13581": msg16015, + "13582": msg16016, + "13583": msg16017, + "13584": msg16018, + "13585": select2440, + "13586": msg16021, + "13587": msg16022, + "13588": msg16023, + "13589": msg16024, + "1359": select1251, + "13590": msg16025, + "13591": msg16026, + "13592": msg16027, + "13593": select2441, + "13594": msg16030, + "13595": msg16031, + "13596": msg16032, + "13597": msg16033, + "13598": msg16034, + "13599": msg16035, + "136": select63, + "1360": select1252, + "13600": msg16036, + "13601": msg16037, + "13602": msg16038, + "13603": msg16039, + "13604": msg16040, + "13605": msg16041, + "13606": msg16042, + "13607": msg16043, + "13608": msg16044, + "13609": msg16045, + "1361": select1253, + "13610": msg16046, + "13611": msg16047, + "13612": msg16048, + "13613": msg16049, + "13614": msg16050, + "13615": msg16051, + "13616": msg16052, + "13617": msg16053, + "13618": msg16054, + "13619": msg16055, + "1362": select1254, + "13620": msg16056, + "13621": msg16057, + "13622": msg16058, + "13623": msg16059, + "13624": msg16060, + "13625": msg16061, + "13626": msg16062, + "13627": msg16063, + "13628": select2442, + "13629": msg16066, + "1363": select1255, + "13630": msg16067, + "13631": msg16068, + "13632": msg16069, + "13633": msg16070, + "13634": msg16071, + "13635": msg16072, + "13636": msg16073, + "13637": msg16074, + "13638": msg16075, + "13639": msg16076, + "1364": select1256, + "13640": msg16077, + "13641": msg16078, + "13642": msg16079, + "13643": msg16080, + "13644": msg16081, + "13645": msg16082, + "13646": msg16083, + "13647": msg16084, + "13648": msg16085, + "13649": msg16086, + "1365": select1257, + "13650": msg16087, + "13651": msg16088, + "13652": msg16089, + "13653": msg16090, + "13654": msg16091, + "13655": msg16092, + "13656": msg16093, + "13657": msg16094, + "13658": msg16095, + "13659": msg16096, + "1366": select1258, + "13660": msg16097, + "13661": msg16098, + "13662": msg16099, + "13663": msg16100, + "13664": msg16101, + "13665": msg16102, + "13666": msg16103, + "13667": msg16104, + "13668": msg16105, + "13669": msg16106, + "1367": select1259, + "13670": msg16107, + "13671": msg16108, + "13672": msg16109, + "13673": msg16110, + "13674": msg16111, + "13675": msg16112, + "13676": msg16113, + "13677": msg16114, + "13678": msg16115, + "13679": msg16116, + "1368": select1260, + "13680": msg16117, + "13681": msg16118, + "13682": msg16119, + "13683": msg16120, + "13684": msg16121, + "13685": msg16122, + "13686": msg16123, + "13687": msg16124, + "13688": msg16125, + "13689": msg16126, + "1369": select1261, + "13690": msg16127, + "13691": msg16128, + "13692": msg16129, + "13693": msg16130, + "13694": msg16131, + "13695": msg16132, + "13696": msg16133, + "13697": msg16134, + "13698": msg16135, + "13699": msg16136, + "137": select64, + "1370": select1262, + "13700": msg16137, + "13709": msg16138, + "1371": select1263, + "13710": msg16139, + "13711": msg16140, + "13712": msg16141, + "13713": msg16142, + "13714": msg16143, + "13715": msg16144, + "13716": msg16145, + "13717": msg16146, + "13718": msg16147, + "13719": msg16148, + "1372": select1264, + "13720": msg16149, + "13721": msg16150, + "13722": msg16151, + "13723": msg16152, + "13724": msg16153, + "13725": msg16154, + "13726": msg16155, + "13727": msg16156, + "13728": msg16157, + "13729": msg16158, + "1373": select1265, + "13730": msg16159, + "13731": msg16160, + "13732": msg16161, + "13733": msg16162, + "13734": msg16163, + "13735": msg16164, + "13736": msg16165, + "13737": msg16166, + "13738": msg16167, + "13739": msg16168, + "1374": select1266, + "13740": msg16169, + "13741": msg16170, + "13742": msg16171, + "13743": msg16172, + "13744": msg16173, + "13745": msg16174, + "13746": msg16175, + "13747": msg16176, + "13748": msg16177, + "13749": msg16178, + "1375": select1267, + "13750": msg16179, + "13751": msg16180, + "13752": msg16181, + "13753": msg16182, + "13754": msg16183, + "13755": msg16184, + "13756": msg16185, + "13757": msg16186, + "13758": msg16187, + "13759": msg16188, + "1376": select1268, + "13760": msg16189, + "13761": msg16190, + "13762": msg16191, + "13763": msg16192, + "13764": msg16193, + "13765": msg16194, + "13766": msg16195, + "13767": msg16196, + "13768": msg16197, + "13769": msg16198, + "1377": select1269, + "13770": msg16199, + "13771": msg16200, + "13772": msg16201, + "13773": msg16202, + "13774": msg16203, + "13775": msg16204, + "13776": msg16205, + "13777": msg16206, + "13778": msg16207, + "13779": msg16208, + "1378": select1270, + "13780": msg16209, + "13781": msg16210, + "13782": msg16211, + "13783": msg16212, + "13784": msg16213, + "13785": msg16214, + "13786": msg16215, + "13787": msg16216, + "13788": msg16217, + "13789": msg16218, + "1379": select1271, + "13790": msg16219, + "13791": msg16220, + "13797": msg16221, + "13798": msg16222, + "13799": msg16223, + "138": select65, + "1380": select1272, + "13800": msg16224, + "13801": msg16225, + "13802": msg16226, + "13803": msg16227, + "13804": msg16228, + "13805": msg16229, + "13806": msg16230, + "13807": msg16231, + "13808": msg16232, + "13809": msg16233, + "1381": select1273, + "13810": msg16234, + "13811": msg16235, + "13812": msg16236, + "13813": msg16237, + "13814": msg16238, + "13815": msg16239, + "13816": msg16240, + "13817": msg16241, + "13818": msg16242, + "13819": msg16243, + "1382": select1274, + "13820": msg16244, + "13821": msg16245, + "13822": msg16246, + "13823": msg16247, + "13824": msg16248, + "13825": msg16249, + "13826": msg16250, + "13827": msg16251, + "13828": msg16252, + "13829": msg16253, + "1383": select1275, + "13830": msg16254, + "13831": msg16255, + "13832": msg16256, + "13833": msg16257, + "13834": msg16258, + "13835": msg16259, + "13838": msg16260, + "13839": msg16261, + "1384": select1276, + "13840": msg16262, + "13841": msg16263, + "13842": msg16264, + "13843": msg16265, + "13844": msg16266, + "13845": msg16267, + "13846": msg16268, + "13847": msg16269, + "13848": msg16270, + "13849": msg16271, + "1385": select1277, + "13850": msg16272, + "13851": msg16273, + "13852": msg16274, + "13853": msg16275, + "13854": msg16276, + "13855": msg16277, + "13856": msg16278, + "13857": msg16279, + "13858": msg16280, + "13859": msg16281, + "1386": select1278, + "13860": msg16282, + "13861": msg16283, + "13862": msg16284, + "13863": msg16285, + "13864": msg16286, + "13865": msg16287, + "13866": msg16288, + "13867": msg16289, + "13868": msg16290, + "13869": msg16291, + "1387": select1279, + "13870": msg16292, + "13871": msg16293, + "13872": msg16294, + "13873": msg16295, + "13874": msg16296, + "13875": msg16297, + "13876": msg16298, + "13877": msg16299, + "13878": msg16300, + "13879": msg16301, + "1388": select1280, + "13880": msg16302, + "13881": msg16303, + "13882": msg16304, + "13883": msg16305, + "13884": msg16306, + "13885": msg16307, + "13886": msg16308, + "13887": msg16309, + "13888": msg16310, + "13889": msg16311, + "1389": select1281, + "13890": msg16312, + "13891": msg16313, + "13892": msg16314, + "13893": msg16315, + "13894": msg16316, + "13895": msg16317, + "13896": msg16318, + "13897": msg16319, + "13898": msg16320, + "13899": msg16321, + "1390": select1282, + "13900": msg16322, + "13901": msg16323, + "13902": msg16324, + "13903": msg16325, + "13904": msg16326, + "13905": msg16327, + "13906": msg16328, + "13907": msg16329, + "13908": msg16330, + "13909": msg16331, + "1391": select1283, + "13910": msg16332, + "13911": msg16333, + "13912": msg16334, + "13913": msg16335, + "13914": msg16336, + "13915": msg16337, + "13916": msg16338, + "13917": msg16339, + "13918": msg16340, + "13919": msg16341, + "1392": select1284, + "13920": msg16342, + "13921": msg16343, + "13922": msg16344, + "13923": msg16345, + "13924": msg16346, + "13925": msg16347, + "13926": msg16348, + "13927": msg16349, + "13928": msg16350, + "13929": msg16351, + "1393": select1285, + "13930": msg16352, + "13931": msg16353, + "13932": msg16354, + "13933": msg16355, + "13934": msg16356, + "13935": msg16357, + "13936": msg16358, + "13937": msg16359, + "13938": msg16360, + "13939": msg16361, + "1394": select1286, + "13940": msg16362, + "13941": msg16363, + "13942": msg16364, + "13943": msg16365, + "13944": msg16366, + "13945": msg16367, + "13946": msg16368, + "13947": msg16369, + "13948": msg16370, + "13949": msg16371, + "1395": select1287, + "13950": msg16372, + "13951": msg16373, + "13952": msg16374, + "13953": msg16375, + "13954": msg16376, + "13958": msg16377, + "1396": select1288, + "13960": msg16378, + "13961": msg16379, + "13962": msg16380, + "13963": msg16381, + "13964": msg16382, + "13965": msg16383, + "13966": msg16384, + "13967": msg16385, + "13968": msg16386, + "13969": msg16387, + "1397": select1289, + "13970": msg16388, + "13971": msg16389, + "13972": msg16390, + "13973": msg16391, + "13974": msg16392, + "13975": msg16393, + "13976": msg16394, + "13977": msg16395, + "13978": msg16396, + "13979": msg16397, + "1398": select1290, + "13980": msg16398, + "13981": msg16399, + "13982": msg16400, + "13983": msg16401, + "13984": msg16402, + "13985": msg16403, + "13986": msg16404, + "13987": msg16405, + "13988": msg16406, + "13989": msg16407, + "1399": select1291, + "13990": msg16408, + "13991": msg16409, + "13992": msg16410, + "13993": msg16411, + "13994": msg16412, + "13995": msg16413, + "13996": msg16414, + "13997": msg16415, + "13998": msg16416, + "13999": msg16417, + "14": msg40, + "140": select66, + "1400": select1292, + "14000": msg16418, + "14001": msg16419, + "14002": msg16420, + "14003": msg16421, + "14004": msg16422, + "14005": msg16423, + "14006": msg16424, + "14007": msg16425, + "14008": msg16426, + "1401": select1293, + "14013": msg16427, + "14014": msg16428, + "14015": msg16429, + "14016": msg16430, + "14017": msg16431, + "14018": msg16432, + "14019": msg16433, + "1402": select1294, + "14020": msg16434, + "14021": msg16435, + "14022": msg16436, + "14023": msg16437, + "14024": msg16438, + "14025": msg16439, + "14026": msg16440, + "14027": msg16441, + "14028": msg16442, + "14029": msg16443, + "1403": select1295, + "14030": msg16444, + "14031": msg16445, + "14032": msg16446, + "14033": msg16447, + "14034": msg16448, + "14035": msg16449, + "14036": msg16450, + "14037": msg16451, + "14038": msg16452, + "14039": msg16453, + "1404": select1296, + "14040": msg16454, + "14041": msg16455, + "14042": msg16456, + "14043": msg16457, + "14044": msg16458, + "14045": msg16459, + "14046": msg16460, + "14047": msg16461, + "14048": msg16462, + "14049": msg16463, + "1405": select1297, + "14050": msg16464, + "14051": msg16465, + "14052": msg16466, + "14053": msg16467, + "14054": msg16468, + "14055": msg16469, + "14056": msg16470, + "14057": msg16471, + "14058": msg16472, + "14059": msg16473, + "1406": select1298, + "14060": msg16474, + "14061": msg16475, + "14062": msg16476, + "14063": msg16477, + "14064": msg16478, + "14065": msg16479, + "14066": msg16480, + "14067": msg16481, + "14068": msg16482, + "14069": msg16483, + "1407": select1299, + "14070": msg16484, + "14071": msg16485, + "14072": msg16486, + "14073": msg16487, + "14074": msg16488, + "14075": msg16489, + "14076": msg16490, + "14077": msg16491, + "14078": msg16492, + "14079": msg16493, + "1408": select1300, + "14080": msg16494, + "14081": msg16495, + "14082": msg16496, + "14083": msg16497, + "14084": msg16498, + "14085": msg16499, + "14086": msg16500, + "14087": msg16501, + "14088": msg16502, + "14089": msg16503, + "1409": select1301, + "14090": msg16504, + "14091": msg16505, + "14092": msg16506, + "14093": msg16507, + "14094": msg16508, + "14095": msg16509, + "14096": msg16510, + "14097": msg16511, + "14098": msg16512, + "14099": msg16513, + "141": select67, + "1410": select1302, + "14100": msg16514, + "14101": msg16515, + "14102": msg16516, + "14103": msg16517, + "14104": msg16518, + "14105": msg16519, + "14106": msg16520, + "14107": msg16521, + "14108": msg16522, + "14109": msg16523, + "1411": select1303, + "14110": msg16524, + "14111": msg16525, + "14112": msg16526, + "14113": msg16527, + "14114": msg16528, + "14115": msg16529, + "14116": msg16530, + "14117": msg16531, + "14118": msg16532, + "14119": msg16533, + "1412": select1304, + "14120": msg16534, + "14121": msg16535, + "14122": msg16536, + "14123": msg16537, + "14124": msg16538, + "14125": msg16539, + "14126": msg16540, + "14127": msg16541, + "14128": msg16542, + "14129": msg16543, + "1413": select1305, + "14130": msg16544, + "14131": msg16545, + "14132": msg16546, + "14133": msg16547, + "14134": msg16548, + "14135": msg16549, + "14136": msg16550, + "14137": msg16551, + "14138": msg16552, + "14139": msg16553, + "1414": select1306, + "14140": msg16554, + "14141": msg16555, + "14142": msg16556, + "14143": msg16557, + "14144": msg16558, + "14145": msg16559, + "14146": msg16560, + "14147": msg16561, + "14148": msg16562, + "14149": msg16563, + "1415": select1307, + "14150": msg16564, + "14151": msg16565, + "14152": msg16566, + "14153": msg16567, + "14154": msg16568, + "14155": msg16569, + "14156": msg16570, + "14157": msg16571, + "14158": msg16572, + "14159": msg16573, + "1416": select1308, + "14160": msg16574, + "14161": msg16575, + "14162": msg16576, + "14163": msg16577, + "14164": msg16578, + "14165": msg16579, + "14166": msg16580, + "14167": msg16581, + "14168": msg16582, + "14169": msg16583, + "1417": select1309, + "14170": msg16584, + "14171": msg16585, + "14172": msg16586, + "14173": msg16587, + "14174": msg16588, + "14175": msg16589, + "14176": msg16590, + "14177": msg16591, + "14178": msg16592, + "14179": msg16593, + "1418": select1310, + "14180": msg16594, + "14181": msg16595, + "14182": msg16596, + "14183": msg16597, + "14184": msg16598, + "14185": msg16599, + "14186": msg16600, + "14187": msg16601, + "14188": msg16602, + "14189": msg16603, + "1419": select1311, + "14190": msg16604, + "14191": msg16605, + "14192": msg16606, + "14193": msg16607, + "14194": msg16608, + "14195": msg16609, + "14196": msg16610, + "14197": msg16611, + "14198": msg16612, + "14199": msg16613, + "142": select68, + "1420": select1312, + "14200": msg16614, + "14201": msg16615, + "14202": msg16616, + "14203": msg16617, + "14204": msg16618, + "14205": msg16619, + "14206": msg16620, + "14207": msg16621, + "14208": msg16622, + "14209": msg16623, + "1421": select1313, + "14210": msg16624, + "14211": msg16625, + "14212": msg16626, + "14213": msg16627, + "14214": msg16628, + "14215": msg16629, + "14216": msg16630, + "14217": msg16631, + "14218": msg16632, + "14219": msg16633, + "1422": select1314, + "14220": msg16634, + "14221": msg16635, + "14222": msg16636, + "14223": msg16637, + "14224": msg16638, + "14225": msg16639, + "14226": msg16640, + "14227": msg16641, + "14228": msg16642, + "14229": msg16643, + "1423": select1315, + "14230": msg16644, + "14231": msg16645, + "14232": msg16646, + "14233": msg16647, + "14234": msg16648, + "14235": msg16649, + "14236": msg16650, + "14237": msg16651, + "14238": msg16652, + "14239": msg16653, + "1424": select1316, + "14240": msg16654, + "14241": msg16655, + "14242": msg16656, + "14243": msg16657, + "14244": msg16658, + "14245": msg16659, + "14246": msg16660, + "14247": msg16661, + "14248": msg16662, + "14249": msg16663, + "1425": select1317, + "14250": msg16664, + "14251": msg16665, + "14252": msg16666, + "14253": msg16667, + "14254": msg16668, + "14255": msg16669, + "14256": msg16670, + "14257": msg16671, + "14258": msg16672, + "14259": msg16673, + "1426": select1318, + "14260": msg16674, + "14261": msg16675, + "14262": msg16676, + "14263": msg16677, + "14264": msg16678, + "14265": msg16679, + "14266": msg16680, + "14267": msg16681, + "14268": msg16682, + "14269": msg16683, + "1427": select1319, + "14270": msg16684, + "14271": msg16685, + "14272": msg16686, + "14273": msg16687, + "14274": msg16688, + "14275": msg16689, + "14276": msg16690, + "14277": msg16691, + "14278": msg16692, + "14279": msg16693, + "1428": select1320, + "14280": msg16694, + "14281": msg16695, + "14282": msg16696, + "14283": msg16697, + "14284": msg16698, + "14285": msg16699, + "14286": msg16700, + "14287": msg16701, + "14288": msg16702, + "14289": msg16703, + "1429": select1321, + "14290": msg16704, + "14291": msg16705, + "14292": msg16706, + "14293": msg16707, + "14294": msg16708, + "14295": msg16709, + "14296": msg16710, + "14297": msg16711, + "14298": msg16712, + "14299": msg16713, + "143": select69, + "1430": select1322, + "14300": msg16714, + "14301": msg16715, + "14302": msg16716, + "14303": msg16717, + "14304": msg16718, + "14305": msg16719, + "14306": msg16720, + "14307": msg16721, + "14308": msg16722, + "14309": msg16723, + "1431": select1323, + "14310": msg16724, + "14311": msg16725, + "14312": msg16726, + "14313": msg16727, + "14314": msg16728, + "14315": msg16729, + "14316": msg16730, + "14317": msg16731, + "14318": msg16732, + "14319": msg16733, + "1432": select1324, + "14320": msg16734, + "14321": msg16735, + "14322": msg16736, + "14323": msg16737, + "14324": msg16738, + "14325": msg16739, + "14326": msg16740, + "14327": msg16741, + "14328": msg16742, + "14329": msg16743, + "1433": select1325, + "14330": msg16744, + "14331": msg16745, + "14332": msg16746, + "14333": msg16747, + "14334": msg16748, + "14335": msg16749, + "14336": msg16750, + "14337": msg16751, + "14338": msg16752, + "14339": msg16753, + "1434": select1326, + "14340": msg16754, + "14341": msg16755, + "14342": msg16756, + "14343": msg16757, + "14344": msg16758, + "14345": msg16759, + "14346": msg16760, + "14347": msg16761, + "14348": msg16762, + "14349": msg16763, + "1435": select1327, + "14350": msg16764, + "14351": msg16765, + "14352": msg16766, + "14353": msg16767, + "14354": msg16768, + "14355": msg16769, + "14356": msg16770, + "14357": msg16771, + "14358": msg16772, + "14359": msg16773, + "1436": select1328, + "14360": msg16774, + "14361": msg16775, + "14362": msg16776, + "14363": msg16777, + "14364": msg16778, + "14365": msg16779, + "14366": msg16780, + "14367": msg16781, + "14368": msg16782, + "14369": msg16783, + "1437": select1329, + "14370": msg16784, + "14371": msg16785, + "14372": msg16786, + "14373": msg16787, + "14374": msg16788, + "14375": msg16789, + "14376": msg16790, + "14377": msg16791, + "14378": msg16792, + "14379": msg16793, + "1438": select1330, + "14380": msg16794, + "14381": msg16795, + "14382": msg16796, + "14383": msg16797, + "14384": msg16798, + "14385": msg16799, + "14386": msg16800, + "14387": msg16801, + "14388": msg16802, + "14389": msg16803, + "1439": select1331, + "14390": msg16804, + "14391": msg16805, + "14392": msg16806, + "14393": msg16807, + "14394": msg16808, + "14395": msg16809, + "14396": msg16810, + "14397": msg16811, + "14398": msg16812, + "14399": msg16813, + "144": select70, + "1440": select1332, + "14400": msg16814, + "14401": msg16815, + "14402": msg16816, + "14403": msg16817, + "14404": msg16818, + "14405": msg16819, + "14406": msg16820, + "14407": msg16821, + "14408": msg16822, + "14409": msg16823, + "1441": select1333, + "14410": msg16824, + "14411": msg16825, + "14412": msg16826, + "14413": msg16827, + "14414": msg16828, + "14415": msg16829, + "14416": msg16830, + "14417": msg16831, + "14418": msg16832, + "14419": msg16833, + "1442": select1334, + "14420": msg16834, + "14421": msg16835, + "14422": msg16836, + "14423": msg16837, + "14424": msg16838, + "14425": msg16839, + "14426": msg16840, + "14427": msg16841, + "14428": msg16842, + "14429": msg16843, + "1443": select1335, + "14430": msg16844, + "14431": msg16845, + "14432": msg16846, + "14433": msg16847, + "14434": msg16848, + "14435": msg16849, + "14436": msg16850, + "14437": msg16851, + "14438": msg16852, + "14439": msg16853, + "1444": select1336, + "14440": msg16854, + "14441": msg16855, + "14442": msg16856, + "14443": msg16857, + "14444": msg16858, + "14445": msg16859, + "14446": msg16860, + "14447": msg16861, + "14448": msg16862, + "14449": msg16863, + "1445": select1337, + "14450": msg16864, + "14451": msg16865, + "14452": msg16866, + "14453": msg16867, + "14454": msg16868, + "14455": msg16869, + "14456": msg16870, + "14457": msg16871, + "14458": msg16872, + "14459": msg16873, + "1446": select1338, + "14460": msg16874, + "14461": msg16875, + "14462": msg16876, + "14463": msg16877, + "14464": msg16878, + "14465": msg16879, + "14466": msg16880, + "14467": msg16881, + "14468": msg16882, + "14469": msg16883, + "1447": select1339, + "14470": msg16884, + "14471": msg16885, + "14472": msg16886, + "14473": msg16887, + "14474": msg16888, + "14475": msg16889, + "14476": msg16890, + "14477": msg16891, + "14478": msg16892, + "14479": msg16893, + "1448": select1340, + "14480": msg16894, + "14481": msg16895, + "14482": msg16896, + "14483": msg16897, + "14484": msg16898, + "14485": msg16899, + "14486": msg16900, + "14487": msg16901, + "14488": msg16902, + "14489": msg16903, + "1449": select1341, + "14490": msg16904, + "14491": msg16905, + "14492": msg16906, + "14493": msg16907, + "14494": msg16908, + "14495": msg16909, + "14496": msg16910, + "14497": msg16911, + "14498": msg16912, + "14499": msg16913, + "145": select71, + "1450": select1342, + "14500": msg16914, + "14501": msg16915, + "14502": msg16916, + "14503": msg16917, + "14504": msg16918, + "14505": msg16919, + "14506": msg16920, + "14507": msg16921, + "14508": msg16922, + "14509": msg16923, + "1451": select1343, + "14510": msg16924, + "14511": msg16925, + "14512": msg16926, + "14513": msg16927, + "14514": msg16928, + "14515": msg16929, + "14516": msg16930, + "14517": msg16931, + "14518": msg16932, + "14519": msg16933, + "1452": select1344, + "14520": msg16934, + "14521": msg16935, + "14522": msg16936, + "14523": msg16937, + "14524": msg16938, + "14525": msg16939, + "14526": msg16940, + "14527": msg16941, + "14528": msg16942, + "14529": msg16943, + "1453": select1345, + "14530": msg16944, + "14531": msg16945, + "14532": msg16946, + "14533": msg16947, + "14534": msg16948, + "14535": msg16949, + "14536": msg16950, + "14537": msg16951, + "14538": msg16952, + "14539": msg16953, + "1454": select1346, + "14540": msg16954, + "14541": msg16955, + "14542": msg16956, + "14543": msg16957, + "14544": msg16958, + "14545": msg16959, + "14546": msg16960, + "14547": msg16961, + "14548": msg16962, + "14549": msg16963, + "1455": select1347, + "14550": msg16964, + "14551": msg16965, + "14552": msg16966, + "14553": msg16967, + "14554": msg16968, + "14555": msg16969, + "14556": msg16970, + "14557": msg16971, + "14558": msg16972, + "14559": msg16973, + "1456": select1348, + "14560": msg16974, + "14561": msg16975, + "14562": msg16976, + "14563": msg16977, + "14564": msg16978, + "14565": msg16979, + "14566": msg16980, + "14567": msg16981, + "14568": msg16982, + "14569": msg16983, + "1457": select1349, + "14570": msg16984, + "14571": msg16985, + "14572": msg16986, + "14573": msg16987, + "14574": msg16988, + "14575": msg16989, + "14576": msg16990, + "14577": msg16991, + "14578": msg16992, + "14579": msg16993, + "1458": select1350, + "14580": msg16994, + "14581": msg16995, + "14582": msg16996, + "14583": msg16997, + "14584": msg16998, + "14585": msg16999, + "14586": msg17000, + "14587": msg17001, + "14588": msg17002, + "14589": msg17003, + "1459": select1351, + "14590": msg17004, + "14591": msg17005, + "14592": msg17006, + "14593": msg17007, + "14594": msg17008, + "14595": msg17009, + "14596": msg17010, + "14597": msg17011, + "14598": msg17012, + "14599": msg17013, + "146": select72, + "1460": select1352, + "14600": msg17014, + "14601": msg17015, + "14602": msg17016, + "14603": msg17017, + "14604": msg17018, + "14605": msg17019, + "14606": msg17020, + "14607": msg17021, + "14608": msg17022, + "14609": msg17023, + "1461": select1353, + "14610": msg17024, + "14611": msg17025, + "14612": msg17026, + "14613": msg17027, + "14614": msg17028, + "14615": msg17029, + "14616": msg17030, + "14617": msg17031, + "14618": msg17032, + "14619": msg17033, + "1462": select1354, + "14620": msg17034, + "14621": msg17035, + "14622": msg17036, + "14623": msg17037, + "14624": msg17038, + "14625": msg17039, + "14626": msg17040, + "14627": msg17041, + "14628": msg17042, + "14629": msg17043, + "1463": select1355, + "14630": msg17044, + "14631": msg17045, + "14632": msg17046, + "14633": msg17047, + "14634": msg17048, + "14635": msg17049, + "14636": msg17050, + "14637": msg17051, + "14638": msg17052, + "14639": msg17053, + "1464": select1356, + "14640": msg17054, + "14641": msg17055, + "14642": msg17056, + "14643": msg17057, + "14644": msg17058, + "14645": msg17059, + "14646": msg17060, + "14647": msg17061, + "14648": msg17062, + "14649": msg17063, + "1465": select1357, + "14650": msg17064, + "14651": msg17065, + "14652": msg17066, + "14653": msg17067, + "14654": msg17068, + "14655": msg17069, + "14656": msg17070, + "14657": msg17071, + "1466": select1358, + "14661": msg17072, + "14662": msg17073, + "14663": msg17074, + "14664": msg17075, + "14665": msg17076, + "14666": msg17077, + "14667": msg17078, + "14668": msg17079, + "14669": msg17080, + "1467": select1359, + "14670": msg17081, + "14671": msg17082, + "14672": msg17083, + "14673": msg17084, + "14674": msg17085, + "14675": msg17086, + "14676": msg17087, + "14677": msg17088, + "14678": msg17089, + "14679": msg17090, + "1468": select1360, + "14680": msg17091, + "14681": msg17092, + "14682": msg17093, + "14683": msg17094, + "14684": msg17095, + "14685": msg17096, + "14686": msg17097, + "14687": msg17098, + "14688": msg17099, + "14689": msg17100, + "1469": select1361, + "14690": msg17101, + "14691": msg17102, + "14692": msg17103, + "14693": msg17104, + "14694": msg17105, + "14695": msg17106, + "14696": msg17107, + "14697": msg17108, + "14698": msg17109, + "14699": msg17110, + "147": select73, + "1470": select1362, + "14700": msg17111, + "14701": msg17112, + "14702": msg17113, + "14703": msg17114, + "14704": msg17115, + "14705": msg17116, + "14706": msg17117, + "14707": msg17118, + "14708": msg17119, + "14709": msg17120, + "1471": select1363, + "14710": msg17121, + "14711": msg17122, + "14712": msg17123, + "14713": msg17124, + "14714": msg17125, + "14715": msg17126, + "14716": msg17127, + "14717": msg17128, + "14718": msg17129, + "14719": msg17130, + "1472": select1364, + "14720": msg17131, + "14721": msg17132, + "14722": msg17133, + "14723": msg17134, + "14724": msg17135, + "14725": msg17136, + "14726": msg17137, + "14727": msg17138, + "14728": msg17139, + "14729": msg17140, + "1473": select1365, + "14730": msg17141, + "14731": msg17142, + "14732": msg17143, + "14733": msg17144, + "14734": msg17145, + "14735": msg17146, + "14736": msg17147, + "14737": msg17148, + "14738": msg17149, + "14739": msg17150, + "1474": select1366, + "14740": msg17151, + "14741": msg17152, + "14742": msg17153, + "14743": msg17154, + "14744": msg17155, + "14745": msg17156, + "14746": msg17157, + "14747": msg17158, + "14748": msg17159, + "14749": msg17160, + "1475": select1367, + "14750": msg17161, + "14751": msg17162, + "14752": msg17163, + "14753": msg17164, + "14754": msg17165, + "14755": msg17166, + "14756": msg17167, + "14757": msg17168, + "14758": msg17169, + "14759": msg17170, + "1476": select1368, + "14760": msg17171, + "14761": msg17172, + "14762": msg17173, + "14763": msg17174, + "14764": msg17175, + "14765": msg17176, + "14766": msg17177, + "14767": msg17178, + "14768": msg17179, + "14769": msg17180, + "1477": select1369, + "14770": msg17181, + "14771": msg17182, + "14772": msg17183, + "14773": msg17184, + "14774": msg17185, + "14775": msg17186, + "14776": msg17187, + "14777": msg17188, + "14778": msg17189, + "14779": msg17190, + "1478": select1370, + "14780": msg17191, + "14781": msg17192, + "14782": msg17193, + "14783": msg17194, + "14784": msg17195, + "14785": msg17196, + "14786": msg17197, + "14787": msg17198, + "14788": msg17199, + "14789": msg17200, + "1479": select1371, + "14790": msg17201, + "14791": msg17202, + "14792": msg17203, + "14793": msg17204, + "14794": msg17205, + "14795": msg17206, + "14796": msg17207, + "14797": msg17208, + "14798": msg17209, + "14799": msg17210, + "148": select74, + "1480": select1372, + "14800": msg17211, + "14801": msg17212, + "14802": msg17213, + "14803": msg17214, + "14804": msg17215, + "14805": msg17216, + "14806": msg17217, + "14807": msg17218, + "14808": msg17219, + "14809": msg17220, + "1481": select1373, + "14810": msg17221, + "14811": msg17222, + "14812": msg17223, + "14813": msg17224, + "14814": msg17225, + "14815": msg17226, + "14816": msg17227, + "14817": msg17228, + "14818": msg17229, + "14819": msg17230, + "1482": select1374, + "14820": msg17231, + "14821": msg17232, + "14822": msg17233, + "14823": msg17234, + "14824": msg17235, + "14825": msg17236, + "14826": msg17237, + "14827": msg17238, + "14828": msg17239, + "14829": msg17240, + "1483": select1375, + "14830": msg17241, + "14831": msg17242, + "14832": msg17243, + "14833": msg17244, + "14834": msg17245, + "14835": msg17246, + "14836": msg17247, + "14837": msg17248, + "14838": msg17249, + "14839": msg17250, + "1484": select1376, + "14840": msg17251, + "14841": msg17252, + "14842": msg17253, + "14843": msg17254, + "14844": msg17255, + "14845": msg17256, + "14846": msg17257, + "14847": msg17258, + "14848": msg17259, + "14849": msg17260, + "1485": select1377, + "14850": msg17261, + "14851": msg17262, + "14852": msg17263, + "14853": msg17264, + "14854": msg17265, + "14855": msg17266, + "14856": msg17267, + "14857": msg17268, + "14858": msg17269, + "14859": msg17270, + "1486": select1378, + "14860": msg17271, + "14861": msg17272, + "14862": msg17273, + "14863": msg17274, + "14864": msg17275, + "14865": msg17276, + "14866": msg17277, + "14867": msg17278, + "14868": msg17279, + "14869": msg17280, + "1487": select1379, + "14870": msg17281, + "14871": msg17282, + "1488": select1380, + "1489": select1381, + "14896": msg17283, + "14897": msg17284, + "14898": msg17285, + "14899": msg17286, + "149": select75, + "1490": select1382, + "14900": msg17287, + "1491": select1383, + "1492": select1384, + "1493": select1385, + "1494": select1386, + "1495": select1387, + "1496": select1388, + "1497": select1389, + "1498": select1390, + "14986": msg17288, + "14987": msg17289, + "14988": msg17290, + "14989": msg17291, + "1499": select1391, + "14990": msg17292, + "14991": msg17293, + "14992": msg17294, + "14993": msg17295, + "14994": msg17296, + "14995": msg17297, + "14996": msg17298, + "14997": msg17299, + "14998": msg17300, + "14999": msg17301, + "15": select16, + "150": select76, + "1500": select1392, + "15000": msg17302, + "15001": msg17303, + "15002": msg17304, + "15003": msg17305, + "15004": msg17306, + "15005": msg17307, + "15006": msg17308, + "15007": msg17309, + "15008": msg17310, + "15009": msg17311, + "1501": select1393, + "15010": msg17312, + "15011": msg17313, + "15012": msg17314, + "15013": msg17315, + "15014": msg17316, + "15015": msg17317, + "15016": msg17318, + "15017": msg17319, + "15018": msg17320, + "15019": msg17321, + "1502": select1394, + "15020": msg17322, + "15021": msg17323, + "15022": msg17324, + "15023": msg17325, + "15024": msg17326, + "15025": msg17327, + "15026": msg17328, + "15027": msg17329, + "15028": msg17330, + "15029": msg17331, + "1503": select1395, + "15030": msg17332, + "15031": msg17333, + "15032": msg17334, + "15033": msg17335, + "15034": msg17336, + "15035": msg17337, + "15036": msg17338, + "15037": msg17339, + "15038": msg17340, + "15039": msg17341, + "1504": select1396, + "15040": msg17342, + "15041": msg17343, + "15042": msg17344, + "15043": msg17345, + "15044": msg17346, + "15045": msg17347, + "15046": msg17348, + "15047": msg17349, + "15048": msg17350, + "15049": msg17351, + "1505": select1397, + "15050": msg17352, + "15051": msg17353, + "15052": msg17354, + "15053": msg17355, + "15054": msg17356, + "15055": msg17357, + "15056": msg17358, + "15057": msg17359, + "15058": msg17360, + "15059": msg17361, + "1506": select1398, + "15060": msg17362, + "15061": msg17363, + "15062": msg17364, + "15063": msg17365, + "15064": msg17366, + "15065": msg17367, + "15066": msg17368, + "15067": msg17369, + "15068": msg17370, + "15069": msg17371, + "1507": select1399, + "15070": msg17372, + "15071": msg17373, + "15072": msg17374, + "15073": msg17375, + "15074": msg17376, + "15075": msg17377, + "15076": msg17378, + "15077": msg17379, + "15078": msg17380, + "15079": msg17381, + "1508": select1400, + "15080": msg17382, + "15081": msg17383, + "15082": msg17384, + "15083": msg17385, + "15084": msg17386, + "15085": msg17387, + "15086": msg17388, + "15087": msg17389, + "15088": msg17390, + "15089": msg17391, + "1509": select1401, + "15090": msg17392, + "15091": msg17393, + "15092": msg17394, + "15093": msg17395, + "15094": msg17396, + "15095": msg17397, + "15096": msg17398, + "15097": msg17399, + "15098": msg17400, + "15099": msg17401, + "151": select77, + "1510": select1402, + "15100": msg17402, + "15101": msg17403, + "15102": msg17404, + "15103": msg17405, + "15104": msg17406, + "15105": msg17407, + "15106": msg17408, + "15107": msg17409, + "15108": msg17410, + "15109": msg17411, + "1511": select1403, + "15110": msg17412, + "15111": msg17413, + "15112": msg17414, + "15113": msg17415, + "15114": msg17416, + "15115": msg17417, + "15116": msg17418, + "15117": msg17419, + "15118": msg17420, + "15119": msg17421, + "1512": select1404, + "15120": msg17422, + "15121": msg17423, + "15122": msg17424, + "15123": msg17425, + "15124": msg17426, + "15125": msg17427, + "15126": msg17428, + "15127": msg17429, + "15128": msg17430, + "15129": msg17431, + "1513": select1405, + "15130": msg17432, + "15131": msg17433, + "15132": msg17434, + "15133": msg17435, + "15134": msg17436, + "15135": msg17437, + "15136": msg17438, + "15137": msg17439, + "15138": msg17440, + "15139": msg17441, + "1514": select1406, + "15140": msg17442, + "15141": msg17443, + "15142": msg17444, + "15143": msg17445, + "15144": msg17446, + "15145": msg17447, + "15146": msg17448, + "15147": msg17449, + "15148": msg17450, + "15149": msg17451, + "1515": select1407, + "15150": msg17452, + "15151": msg17453, + "15152": msg17454, + "15153": msg17455, + "15154": msg17456, + "15155": msg17457, + "15156": msg17458, + "15157": msg17459, + "15158": msg17460, + "15159": msg17461, + "1516": select1408, + "15160": msg17462, + "15161": msg17463, + "15162": msg17464, + "15163": msg17465, + "15164": msg17466, + "15165": msg17467, + "15166": msg17468, + "15167": msg17469, + "15168": msg17470, + "15169": msg17471, + "1517": select1409, + "15170": msg17472, + "15171": msg17473, + "15172": msg17474, + "15173": msg17475, + "15174": msg17476, + "15175": msg17477, + "15176": msg17478, + "15177": msg17479, + "15178": msg17480, + "15179": msg17481, + "1518": select1410, + "15180": msg17482, + "15181": msg17483, + "15182": msg17484, + "15183": msg17485, + "15184": msg17486, + "15185": msg17487, + "15186": msg17488, + "15187": msg17489, + "15188": msg17490, + "15189": msg17491, + "1519": select1411, + "15190": msg17492, + "15191": msg17493, + "15192": msg17494, + "15193": msg17495, + "15194": msg17496, + "15195": msg17497, + "15196": msg17498, + "15197": msg17499, + "15198": msg17500, + "15199": msg17501, + "152": select78, + "1520": select1412, + "15200": msg17502, + "15201": msg17503, + "15202": msg17504, + "15203": msg17505, + "15204": msg17506, + "15205": msg17507, + "15206": msg17508, + "15207": msg17509, + "15208": msg17510, + "15209": msg17511, + "1521": select1413, + "15210": msg17512, + "15211": msg17513, + "15212": msg17514, + "15213": msg17515, + "15214": msg17516, + "15215": msg17517, + "15216": msg17518, + "15217": msg17519, + "15218": msg17520, + "15219": msg17521, + "1522": select1414, + "15220": msg17522, + "15221": msg17523, + "15222": msg17524, + "15223": msg17525, + "15224": msg17526, + "15225": msg17527, + "15226": msg17528, + "15227": msg17529, + "15228": msg17530, + "15229": msg17531, + "1523": select1415, + "15230": msg17532, + "15231": msg17533, + "15232": msg17534, + "15233": msg17535, + "15234": msg17536, + "15235": msg17537, + "15236": msg17538, + "15237": msg17539, + "15238": msg17540, + "15239": msg17541, + "1524": select1416, + "15240": msg17542, + "15241": msg17543, + "15242": msg17544, + "15243": msg17545, + "15244": msg17546, + "15245": msg17547, + "15246": msg17548, + "15247": msg17549, + "15248": msg17550, + "15249": msg17551, + "1525": select1417, + "15250": msg17552, + "15251": msg17553, + "15252": msg17554, + "15253": msg17555, + "15254": msg17556, + "15255": msg17557, + "15256": msg17558, + "15257": msg17559, + "15258": msg17560, + "15259": msg17561, + "1526": select1418, + "15260": msg17562, + "15261": msg17563, + "15262": msg17564, + "15263": msg17565, + "15264": msg17566, + "15265": msg17567, + "15266": msg17568, + "15267": msg17569, + "15268": msg17570, + "15269": msg17571, + "1527": select1419, + "15270": msg17572, + "15271": msg17573, + "15272": msg17574, + "15273": msg17575, + "15274": msg17576, + "15275": msg17577, + "15276": msg17578, + "15277": msg17579, + "15278": msg17580, + "15279": msg17581, + "1528": select1420, + "15280": msg17582, + "15281": msg17583, + "15282": msg17584, + "15283": msg17585, + "15284": msg17586, + "15285": msg17587, + "15286": msg17588, + "15287": msg17589, + "15288": msg17590, + "15289": msg17591, + "1529": select1421, + "15290": msg17592, + "15291": msg17593, + "15292": msg17594, + "15293": msg17595, + "15294": msg17596, + "15295": msg17597, + "15296": msg17598, + "15297": msg17599, + "15298": msg17600, + "15299": msg17601, + "153": select79, + "1530": select1422, + "15300": msg17602, + "15301": msg17603, + "15302": msg17604, + "15303": msg17605, + "15304": msg17606, + "15305": msg17607, + "15306": msg17608, + "15307": msg17609, + "15308": msg17610, + "15309": msg17611, + "1531": select1423, + "15310": msg17612, + "15311": msg17613, + "15312": msg17614, + "15313": msg17615, + "15314": msg17616, + "15315": msg17617, + "15316": msg17618, + "15317": msg17619, + "15318": msg17620, + "15319": msg17621, + "1532": select1424, + "15320": msg17622, + "15321": msg17623, + "15322": msg17624, + "15323": msg17625, + "15324": msg17626, + "15325": msg17627, + "15326": msg17628, + "15327": msg17629, + "15328": msg17630, + "15329": msg17631, + "1533": select1425, + "15330": msg17632, + "15331": msg17633, + "15332": msg17634, + "15333": msg17635, + "15334": msg17636, + "15335": msg17637, + "15336": msg17638, + "15337": msg17639, + "15338": msg17640, + "15339": msg17641, + "1534": select1426, + "15340": msg17642, + "15341": msg17643, + "15342": msg17644, + "15343": msg17645, + "15344": msg17646, + "15345": msg17647, + "15346": msg17648, + "15347": msg17649, + "15348": msg17650, + "15349": msg17651, + "1535": select1427, + "15350": msg17652, + "15351": msg17653, + "15352": msg17654, + "15353": msg17655, + "15354": msg17656, + "15355": msg17657, + "15356": msg17658, + "15357": msg17659, + "15358": msg17660, + "15359": msg17661, + "1536": select1428, + "15360": msg17662, + "15361": msg17663, + "15362": msg17664, + "15363": msg17665, + "15364": msg17666, + "15365": msg17667, + "15366": msg17668, + "15367": msg17669, + "15368": msg17670, + "15369": msg17671, + "1537": select1429, + "15370": msg17672, + "15371": msg17673, + "15372": msg17674, + "15373": msg17675, + "15374": msg17676, + "15375": msg17677, + "15376": msg17678, + "15377": msg17679, + "15378": msg17680, + "15379": msg17681, + "1538": select1430, + "15380": msg17682, + "15381": msg17683, + "15382": msg17684, + "15383": msg17685, + "15384": msg17686, + "15385": msg17687, + "15386": msg17688, + "15387": msg17689, + "15388": msg17690, + "15389": msg17691, + "1539": select1431, + "15390": msg17692, + "15391": msg17693, + "15392": msg17694, + "15393": msg17695, + "15394": msg17696, + "15395": msg17697, + "15396": msg17698, + "15397": msg17699, + "15398": msg17700, + "15399": msg17701, + "154": select80, + "1540": select1432, + "15400": msg17702, + "15401": msg17703, + "15402": msg17704, + "15403": msg17705, + "15404": msg17706, + "15405": msg17707, + "15406": msg17708, + "15407": msg17709, + "15408": msg17710, + "15409": msg17711, + "1541": select1433, + "15410": msg17712, + "15411": msg17713, + "15412": msg17714, + "15413": msg17715, + "15414": msg17716, + "15415": msg17717, + "15416": msg17718, + "15417": msg17719, + "15418": msg17720, + "1542": select1434, + "15420": msg17721, + "15421": msg17722, + "15422": msg17723, + "15423": msg17724, + "15424": msg17725, + "15425": msg17726, + "15426": msg17727, + "15427": msg17728, + "15428": msg17729, + "15429": msg17730, + "1543": select1435, + "15430": msg17731, + "15431": msg17732, + "15432": msg17733, + "15433": msg17734, + "15434": msg17735, + "15435": msg17736, + "15436": msg17737, + "15437": msg17738, + "15438": msg17739, + "15439": msg17740, + "1544": select1436, + "15440": msg17741, + "15441": msg17742, + "15442": msg17743, + "15443": msg17744, + "15444": msg17745, + "15445": msg17746, + "15446": msg17747, + "15447": msg17748, + "15448": msg17749, + "15449": msg17750, + "1545": select1437, + "15450": msg17751, + "15451": msg17752, + "15452": msg17753, + "15453": msg17754, + "15454": msg17755, + "15455": msg17756, + "15456": msg17757, + "15457": msg17758, + "15458": msg17759, + "15459": msg17760, + "1546": select1438, + "15460": msg17761, + "15461": msg17762, + "15462": msg17763, + "15463": msg17764, + "15464": msg17765, + "15465": msg17766, + "15466": msg17767, + "15467": msg17768, + "15468": msg17769, + "15469": msg17770, + "1547": select1439, + "15470": msg17771, + "15471": msg17772, + "15472": msg17773, + "15473": msg17774, + "15474": msg17775, + "15475": msg17776, + "15476": msg17777, + "15477": msg17778, + "15478": msg17779, + "15479": msg17780, + "1548": select1440, + "15480": msg17781, + "15481": msg17782, + "15482": msg17783, + "15483": msg17784, + "15484": msg17785, + "15485": msg17786, + "15486": msg17787, + "15487": msg17788, + "15488": msg17789, + "15489": msg17790, + "1549": select1441, + "15490": msg17791, + "15491": msg17792, + "15492": msg17793, + "15493": msg17794, + "15494": msg17795, + "15495": msg17796, + "15496": msg17797, + "15497": msg17798, + "15498": msg17799, + "15499": msg17800, + "155": select81, + "1550": select1442, + "15500": msg17801, + "15501": msg17802, + "15502": msg17803, + "15503": msg17804, + "15504": msg17805, + "15505": msg17806, + "15506": msg17807, + "15507": msg17808, + "15508": msg17809, + "15509": msg17810, + "1551": select1443, + "15510": msg17811, + "15511": msg17812, + "15512": msg17813, + "15513": msg17814, + "15514": msg17815, + "15515": msg17816, + "15516": msg17817, + "15517": msg17818, + "15518": msg17819, + "15519": msg17820, + "1552": select1444, + "15520": msg17821, + "15521": msg17822, + "15522": msg17823, + "15523": msg17824, + "15524": msg17825, + "15525": msg17826, + "15526": msg17827, + "15527": msg17828, + "15528": msg17829, + "15529": msg17830, + "1553": select1445, + "15530": msg17831, + "15531": msg17832, + "15532": msg17833, + "15533": msg17834, + "15534": msg17835, + "15535": msg17836, + "15536": msg17837, + "15537": msg17838, + "15538": msg17839, + "15539": msg17840, + "1554": select1446, + "15540": msg17841, + "15541": msg17842, + "15542": msg17843, + "15543": msg17844, + "15544": msg17845, + "15545": msg17846, + "15546": msg17847, + "15547": msg17848, + "15548": msg17849, + "15549": msg17850, + "1555": select1447, + "15550": msg17851, + "15551": msg17852, + "15552": msg17853, + "15553": msg17854, + "15554": msg17855, + "15555": msg17856, + "15556": msg17857, + "15557": msg17858, + "15558": msg17859, + "15559": msg17860, + "1556": select1448, + "15560": msg17861, + "15561": msg17862, + "15562": msg17863, + "15563": msg17864, + "15564": msg17865, + "15565": msg17866, + "15566": msg17867, + "15567": msg17868, + "15568": msg17869, + "15569": msg17870, + "1557": select1449, + "15570": msg17871, + "15571": msg17872, + "15572": msg17873, + "15573": msg17874, + "15574": msg17875, + "15575": msg17876, + "15576": msg17877, + "15577": msg17878, + "15578": msg17879, + "15579": msg17880, + "1558": select1450, + "15580": msg17881, + "15581": msg17882, + "15582": msg17883, + "15583": msg17884, + "15584": msg17885, + "15585": msg17886, + "15586": msg17887, + "15587": msg17888, + "15588": msg17889, + "15589": msg17890, + "1559": select1451, + "15590": msg17891, + "15591": msg17892, + "15592": msg17893, + "15593": msg17894, + "15594": msg17895, + "15595": msg17896, + "15596": msg17897, + "15597": msg17898, + "15598": msg17899, + "15599": msg17900, + "156": select82, + "1560": select1452, + "15600": msg17901, + "15601": msg17902, + "15602": msg17903, + "15603": msg17904, + "15604": msg17905, + "15605": msg17906, + "15606": msg17907, + "15607": msg17908, + "15608": msg17909, + "15609": msg17910, + "1561": select1453, + "15610": msg17911, + "15611": msg17912, + "15612": msg17913, + "15613": msg17914, + "15614": msg17915, + "15615": msg17916, + "15616": msg17917, + "15617": msg17918, + "15618": msg17919, + "15619": msg17920, + "1562": select1454, + "15620": msg17921, + "15621": msg17922, + "15622": msg17923, + "15623": msg17924, + "15624": msg17925, + "15625": msg17926, + "15626": msg17927, + "15627": msg17928, + "15628": msg17929, + "15629": msg17930, + "1563": select1455, + "15630": msg17931, + "15631": msg17932, + "15632": msg17933, + "15633": msg17934, + "15634": msg17935, + "15635": msg17936, + "15636": msg17937, + "15637": msg17938, + "15638": msg17939, + "15639": msg17940, + "1564": select1456, + "15640": msg17941, + "15641": msg17942, + "15642": msg17943, + "15643": msg17944, + "15644": msg17945, + "15645": msg17946, + "15646": msg17947, + "15647": msg17948, + "15648": msg17949, + "15649": msg17950, + "1565": select1457, + "15650": msg17951, + "15651": msg17952, + "15652": msg17953, + "15653": msg17954, + "15654": msg17955, + "15655": msg17956, + "15656": msg17957, + "15657": msg17958, + "15658": msg17959, + "15659": msg17960, + "1566": select1458, + "15660": msg17961, + "15661": msg17962, + "15662": msg17963, + "15663": msg17964, + "15664": msg17965, + "15665": msg17966, + "15666": msg17967, + "15667": msg17968, + "15668": msg17969, + "15669": msg17970, + "1567": select1459, + "15670": msg17971, + "15671": msg17972, + "15672": msg17973, + "15673": msg17974, + "15674": msg17975, + "15675": msg17976, + "15676": msg17977, + "15677": msg17978, + "15678": msg17979, + "15679": msg17980, + "1568": select1460, + "15680": msg17981, + "15681": msg17982, + "15682": msg17983, + "15683": msg17984, + "15684": msg17985, + "15685": msg17986, + "15686": msg17987, + "15687": msg17988, + "15688": msg17989, + "15689": msg17990, + "1569": select1461, + "15690": msg17991, + "15691": msg17992, + "15692": msg17993, + "15693": msg17994, + "15694": msg17995, + "15695": msg17996, + "15696": msg17997, + "15697": msg17998, + "15698": msg17999, + "15699": msg18000, + "157": select83, + "1570": select1462, + "15700": msg18001, + "15701": msg18002, + "15702": msg18003, + "15703": msg18004, + "15704": msg18005, + "15705": msg18006, + "15706": msg18007, + "15707": msg18008, + "15708": msg18009, + "15709": msg18010, + "1571": select1463, + "15710": msg18011, + "15711": msg18012, + "15712": msg18013, + "15713": msg18014, + "15714": msg18015, + "15715": msg18016, + "15716": msg18017, + "15717": msg18018, + "15718": msg18019, + "15719": msg18020, + "1572": select1464, + "15720": msg18021, + "15721": msg18022, + "15722": msg18023, + "15723": msg18024, + "15724": msg18025, + "15725": msg18026, + "15726": msg18027, + "15727": msg18028, + "15728": msg18029, + "15729": msg18030, + "1573": select1465, + "15730": msg18031, + "15731": msg18032, + "15732": msg18033, + "15733": msg18034, + "15734": msg18035, + "1574": select1466, + "1575": select1467, + "1576": select1468, + "1577": select1469, + "1578": select1470, + "1579": select1471, + "158": select84, + "1580": select1472, + "1581": select1473, + "1582": select1474, + "1583": select1475, + "1584": select1476, + "15847": msg18036, + "15848": msg18037, + "15849": msg18038, + "1585": select1477, + "15850": msg18039, + "15851": msg18040, + "15852": msg18041, + "15853": msg18042, + "15854": msg18043, + "15855": msg18044, + "15856": msg18045, + "15857": msg18046, + "15858": msg18047, + "15859": msg18048, + "1586": select1478, + "15860": msg18049, + "15861": msg18050, + "15862": msg18051, + "15863": msg18052, + "15864": msg18053, + "15865": msg18054, + "15866": msg18055, + "15867": msg18056, + "15868": msg18057, + "15869": msg18058, + "1587": select1479, + "15870": msg18059, + "15871": msg18060, + "15872": msg18061, + "15873": msg18062, + "15874": msg18063, + "15875": msg18064, + "15876": msg18065, + "15877": msg18066, + "15878": msg18067, + "15879": msg18068, + "1588": select1480, + "15880": msg18069, + "15881": msg18070, + "15882": msg18071, + "15883": msg18072, + "15884": msg18073, + "15885": msg18074, + "15886": msg18075, + "15887": msg18076, + "15888": msg18077, + "15889": msg18078, + "1589": select1481, + "15890": msg18079, + "15891": msg18080, + "15892": msg18081, + "15893": msg18082, + "15894": msg18083, + "15895": msg18084, + "15896": msg18085, + "15897": msg18086, + "15898": msg18087, + "15899": msg18088, + "159": select85, + "1590": select1482, + "15900": msg18089, + "15901": msg18090, + "15902": msg18091, + "15903": msg18092, + "15904": msg18093, + "15905": msg18094, + "15906": msg18095, + "15907": msg18096, + "15908": msg18097, + "15909": msg18098, + "1591": select1483, + "15910": msg18099, + "15911": msg18100, + "15912": msg18101, + "15913": msg18102, + "15914": msg18103, + "15915": msg18104, + "15916": msg18105, + "15917": msg18106, + "15918": msg18107, + "15919": msg18108, + "1592": select1484, + "15920": msg18109, + "15921": msg18110, + "15922": msg18111, + "15923": msg18112, + "15924": msg18113, + "15925": msg18114, + "15926": msg18115, + "15927": msg18116, + "15928": msg18117, + "15929": msg18118, + "1593": select1485, + "15930": msg18119, + "15931": msg18120, + "15932": msg18121, + "15933": msg18122, + "15934": msg18123, + "15935": msg18124, + "15936": msg18125, + "15937": msg18126, + "15938": msg18127, + "15939": msg18128, + "1594": select1486, + "15940": msg18129, + "15941": msg18130, + "15942": msg18131, + "15943": msg18132, + "15944": msg18133, + "15945": msg18134, + "15946": msg18135, + "15947": msg18136, + "15948": msg18137, + "15949": msg18138, + "1595": select1487, + "15950": msg18139, + "15951": msg18140, + "15952": msg18141, + "15953": msg18142, + "15954": msg18143, + "15955": msg18144, + "15956": msg18145, + "15957": msg18146, + "15958": msg18147, + "15959": msg18148, + "15960": msg18149, + "15961": msg18150, + "15962": msg18151, + "15963": msg18152, + "15964": msg18153, + "15965": msg18154, + "15966": msg18155, + "15967": msg18156, + "15968": msg18157, + "15969": msg18158, + "1597": select1488, + "15970": msg18159, + "15971": msg18160, + "15972": msg18161, + "15973": msg18162, + "15974": msg18163, + "15975": msg18164, + "15976": msg18165, + "15977": msg18166, + "15978": msg18167, + "15979": msg18168, + "1598": select1489, + "15980": msg18169, + "15981": msg18170, + "15982": msg18171, + "15983": msg18172, + "15984": msg18173, + "15985": msg18174, + "15986": msg18175, + "15987": msg18176, + "15988": msg18177, + "15989": msg18178, + "1599": select1490, + "15990": msg18179, + "15991": msg18180, + "15992": msg18181, + "15993": msg18182, + "15994": msg18183, + "15995": msg18184, + "15996": msg18185, + "15997": msg18186, + "15998": msg18187, + "15999": msg18188, + "16": select17, + "160": select86, + "1600": select1491, + "16000": msg18189, + "16001": msg18190, + "16002": msg18191, + "16003": msg18192, + "16004": msg18193, + "16005": msg18194, + "16006": msg18195, + "16007": msg18196, + "16008": msg18197, + "16009": msg18198, + "1601": select1492, + "16010": msg18199, + "16011": msg18200, + "16012": msg18201, + "16013": msg18202, + "16014": msg18203, + "16015": msg18204, + "16016": msg18205, + "16017": msg18206, + "16018": msg18207, + "16019": msg18208, + "1602": select1493, + "16020": msg18209, + "16021": msg18210, + "16022": msg18211, + "16023": msg18212, + "16024": msg18213, + "16025": msg18214, + "16026": msg18215, + "16027": msg18216, + "16028": msg18217, + "16029": msg18218, + "1603": select1494, + "16030": msg18219, + "16031": msg18220, + "16032": msg18221, + "16033": msg18222, + "16034": msg18223, + "16035": msg18224, + "16036": msg18225, + "16037": msg18226, + "16038": msg18227, + "16039": msg18228, + "1604": select1495, + "16040": msg18229, + "16041": msg18230, + "16042": msg18231, + "16043": msg18232, + "16044": msg18233, + "16045": msg18234, + "16046": msg18235, + "16047": msg18236, + "16048": msg18237, + "16049": msg18238, + "1605": select1496, + "16050": msg18239, + "16051": msg18240, + "16052": msg18241, + "16053": msg18242, + "16054": msg18243, + "16055": msg18244, + "16056": msg18245, + "16057": msg18246, + "16058": msg18247, + "16059": msg18248, + "1606": select1497, + "16060": msg18249, + "16061": msg18250, + "16062": msg18251, + "16063": msg18252, + "16064": msg18253, + "16065": msg18254, + "16066": msg18255, + "16067": msg18256, + "16068": msg18257, + "16069": msg18258, + "1607": select1498, + "16070": msg18259, + "16071": msg18260, + "16072": msg18261, + "16073": msg18262, + "16074": msg18263, + "16075": msg18264, + "16076": msg18265, + "16077": msg18266, + "16078": msg18267, + "16079": msg18268, + "1608": select1499, + "16080": msg18269, + "16081": msg18270, + "16082": msg18271, + "16083": msg18272, + "16084": msg18273, + "16085": msg18274, + "16086": msg18275, + "16087": msg18276, + "16089": msg18277, + "1609": select1500, + "16090": msg18278, + "16091": msg18279, + "16092": msg18280, + "16093": msg18281, + "16094": msg18282, + "16095": msg18283, + "16096": msg18284, + "16097": msg18285, + "16098": msg18286, + "16099": msg18287, + "161": select87, + "1610": select1501, + "16100": msg18288, + "16101": msg18289, + "16102": msg18290, + "16103": msg18291, + "16104": msg18292, + "16105": msg18293, + "16106": msg18294, + "16107": msg18295, + "16108": msg18296, + "16109": msg18297, + "1611": select1502, + "16110": msg18298, + "16111": msg18299, + "16112": msg18300, + "16113": msg18301, + "16114": msg18302, + "16115": msg18303, + "16116": msg18304, + "16117": msg18305, + "16118": msg18306, + "16119": msg18307, + "1612": select1503, + "16120": msg18308, + "16121": msg18309, + "16122": msg18310, + "16123": msg18311, + "16124": msg18312, + "16125": msg18313, + "16126": msg18314, + "16127": msg18315, + "16128": msg18316, + "16129": msg18317, + "1613": select1504, + "16130": msg18318, + "16131": msg18319, + "16132": msg18320, + "16133": msg18321, + "16134": msg18322, + "16135": msg18323, + "16136": msg18324, + "16137": msg18325, + "16138": msg18326, + "16139": msg18327, + "1614": select1505, + "16140": msg18328, + "16141": msg18329, + "16142": msg18330, + "16143": msg18331, + "16144": msg18332, + "16145": msg18333, + "16146": msg18334, + "16147": msg18335, + "16148": msg18336, + "16149": msg18337, + "1615": select1506, + "16150": msg18338, + "16151": msg18339, + "16152": msg18340, + "16153": msg18341, + "16154": msg18342, + "16155": msg18343, + "16156": msg18344, + "16157": msg18345, + "16158": msg18346, + "16159": msg18347, + "1616": select1507, + "16160": msg18348, + "16161": msg18349, + "16162": msg18350, + "16163": msg18351, + "16164": msg18352, + "16165": msg18353, + "16166": msg18354, + "16167": msg18355, + "16168": msg18356, + "16169": msg18357, + "1617": select1508, + "16170": msg18358, + "16171": msg18359, + "16172": msg18360, + "16173": msg18361, + "16174": msg18362, + "16175": msg18363, + "16176": msg18364, + "16177": msg18365, + "16178": msg18366, + "16179": msg18367, + "1618": select1509, + "16180": msg18368, + "16181": msg18369, + "16182": msg18370, + "16183": msg18371, + "16184": msg18372, + "16185": msg18373, + "16186": msg18374, + "16187": msg18375, + "16188": msg18376, + "16189": msg18377, + "1619": select1510, + "16190": msg18378, + "16191": msg18379, + "16192": msg18380, + "16193": msg18381, + "16194": msg18382, + "16195": msg18383, + "16196": msg18384, + "16197": msg18385, + "16198": msg18386, + "16199": msg18387, + "162": select88, + "1620": select1511, + "16200": msg18388, + "16201": msg18389, + "16202": msg18390, + "16203": msg18391, + "16204": msg18392, + "16205": msg18393, + "16206": msg18394, + "16207": msg18395, + "16208": msg18396, + "16209": msg18397, + "1621": select1512, + "16210": msg18398, + "16211": msg18399, + "16212": msg18400, + "16213": msg18401, + "16214": msg18402, + "16215": msg18403, + "16216": msg18404, + "16217": msg18405, + "16218": msg18406, + "16219": msg18407, + "1622": select1513, + "16220": msg18408, + "16221": msg18409, + "16222": msg18410, + "16223": msg18411, + "16224": msg18412, + "16225": msg18413, + "16226": msg18414, + "16227": msg18415, + "16228": msg18416, + "16229": msg18417, + "1623": select1514, + "16230": msg18418, + "16231": msg18419, + "16232": msg18420, + "16233": msg18421, + "16234": msg18422, + "16235": msg18423, + "16236": msg18424, + "16237": msg18425, + "16238": msg18426, + "16239": msg18427, + "1624": select1515, + "16240": msg18428, + "16241": msg18429, + "16242": msg18430, + "16243": msg18431, + "16244": msg18432, + "16245": msg18433, + "16246": msg18434, + "16247": msg18435, + "16248": msg18436, + "16249": msg18437, + "1625": select1516, + "16250": msg18438, + "16251": msg18439, + "16252": msg18440, + "16253": msg18441, + "16254": msg18442, + "16255": msg18443, + "16256": msg18444, + "16257": msg18445, + "16258": msg18446, + "16259": msg18447, + "1626": select1517, + "16260": msg18448, + "16261": msg18449, + "16262": msg18450, + "16263": msg18451, + "16264": msg18452, + "16265": msg18453, + "16266": msg18454, + "16267": msg18455, + "16268": msg18456, + "16269": msg18457, + "1627": select1518, + "16270": msg18458, + "16271": msg18459, + "16272": msg18460, + "16273": msg18461, + "16274": msg18462, + "16275": msg18463, + "16276": msg18464, + "16277": msg18465, + "16278": msg18466, + "16279": msg18467, + "1628": select1519, + "16280": msg18468, + "16281": msg18469, + "16282": msg18470, + "16283": msg18471, + "16284": msg18472, + "16285": msg18473, + "16286": msg18474, + "16287": msg18475, + "16288": msg18476, + "16289": msg18477, + "1629": select1520, + "16290": msg18478, + "16291": msg18479, + "16292": msg18480, + "16293": msg18481, + "16294": msg18482, + "16295": msg18483, + "16296": msg18484, + "16297": msg18485, + "16298": msg18486, + "16299": msg18487, + "163": select89, + "1630": select1521, + "16300": msg18488, + "16301": msg18489, + "16302": msg18490, + "16303": msg18491, + "16304": msg18492, + "16305": msg18493, + "16306": msg18494, + "16307": msg18495, + "16308": msg18496, + "16309": msg18497, + "1631": select1522, + "16310": msg18498, + "16311": msg18499, + "16312": msg18500, + "16313": msg18501, + "16314": msg18502, + "16315": msg18503, + "16316": msg18504, + "16317": msg18505, + "16318": msg18506, + "16319": msg18507, + "1632": select1523, + "16320": msg18508, + "16321": msg18509, + "16322": msg18510, + "16323": msg18511, + "16324": msg18512, + "16325": msg18513, + "16326": msg18514, + "16327": msg18515, + "16328": msg18516, + "16329": msg18517, + "1633": select1524, + "16330": msg18518, + "16331": msg18519, + "16332": msg18520, + "16333": msg18521, + "16334": msg18522, + "16335": msg18523, + "16336": msg18524, + "16337": msg18525, + "16338": msg18526, + "16339": msg18527, + "1634": select1525, + "16340": msg18528, + "16341": msg18529, + "16342": msg18530, + "16343": msg18531, + "16344": msg18532, + "16345": msg18533, + "16346": msg18534, + "16347": msg18535, + "16348": msg18536, + "16349": msg18537, + "1635": select1526, + "16350": msg18538, + "16351": msg18539, + "16352": msg18540, + "16353": msg18541, + "16354": msg18542, + "16355": msg18543, + "16356": msg18544, + "16357": msg18545, + "16358": msg18546, + "16359": msg18547, + "1636": select1527, + "16360": msg18548, + "16361": msg18549, + "16362": msg18550, + "16363": msg18551, + "16364": msg18552, + "16365": msg18553, + "16366": msg18554, + "16367": msg18555, + "16368": msg18556, + "16369": msg18557, + "1637": select1528, + "16370": msg18558, + "16371": msg18559, + "16372": msg18560, + "16373": msg18561, + "16374": msg18562, + "16375": msg18563, + "16376": msg18564, + "16377": msg18565, + "16378": msg18566, + "16379": msg18567, + "1638": select1529, + "16380": msg18568, + "16381": msg18569, + "16382": msg18570, + "16383": msg18571, + "16384": msg18572, + "16385": msg18573, + "16386": msg18574, + "16387": msg18575, + "16388": msg18576, + "16389": msg18577, + "1639": select1530, + "16390": msg18578, + "16391": msg18579, + "16392": msg18580, + "16393": msg18581, + "16394": msg18582, + "16395": msg18583, + "16396": msg18584, + "16397": msg18585, + "16398": msg18586, + "16399": msg18587, + "164": select90, + "1640": select1531, + "16400": msg18588, + "16401": msg18589, + "16402": msg18590, + "16403": msg18591, + "16404": msg18592, + "16405": msg18593, + "16406": msg18594, + "16407": msg18595, + "16408": msg18596, + "16409": msg18597, + "1641": select1532, + "16410": msg18598, + "16411": msg18599, + "16412": msg18600, + "16413": msg18601, + "16414": msg18602, + "16415": msg18603, + "16416": msg18604, + "16417": msg18605, + "16418": msg18606, + "16419": msg18607, + "1642": select1533, + "16420": msg18608, + "16421": msg18609, + "16422": msg18610, + "16423": msg18611, + "16424": msg18612, + "16425": msg18613, + "16426": msg18614, + "16427": msg18615, + "16428": msg18616, + "16429": msg18617, + "1643": select1534, + "16430": msg18618, + "16431": msg18619, + "16432": msg18620, + "16433": msg18621, + "16434": msg18622, + "16435": msg18623, + "16436": msg18624, + "16437": msg18625, + "16438": msg18626, + "16439": msg18627, + "1644": select1535, + "16440": msg18628, + "16441": msg18629, + "16442": msg18630, + "16443": msg18631, + "16444": msg18632, + "16445": msg18633, + "16446": msg18634, + "16447": msg18635, + "16448": msg18636, + "16449": msg18637, + "1645": select1536, + "16450": msg18638, + "16451": msg18639, + "16452": msg18640, + "16453": msg18641, + "16454": msg18642, + "16455": msg18643, + "16456": msg18644, + "16457": msg18645, + "16458": msg18646, + "16459": msg18647, + "1646": select1537, + "16460": msg18648, + "16461": msg18649, + "16462": msg18650, + "16463": msg18651, + "16464": msg18652, + "16465": msg18653, + "16466": msg18654, + "16467": msg18655, + "16468": msg18656, + "16469": msg18657, + "1647": select1538, + "16470": msg18658, + "16471": msg18659, + "16472": msg18660, + "16473": msg18661, + "16474": msg18662, + "16475": msg18663, + "16476": msg18664, + "16477": msg18665, + "16478": msg18666, + "16479": msg18667, + "1648": select1539, + "16480": msg18668, + "16481": msg18669, + "16482": msg18670, + "16483": msg18671, + "16484": msg18672, + "16485": msg18673, + "16486": msg18674, + "16487": msg18675, + "16488": msg18676, + "16489": msg18677, + "1649": select1540, + "16490": msg18678, + "16492": msg18679, + "16493": msg18680, + "16494": msg18681, + "16495": msg18682, + "16496": msg18683, + "16497": msg18684, + "16498": msg18685, + "16499": msg18686, + "165": select91, + "1650": select1541, + "16500": msg18687, + "16501": msg18688, + "16502": msg18689, + "16503": msg18690, + "16504": msg18691, + "16505": msg18692, + "16506": msg18693, + "16507": msg18694, + "16508": msg18695, + "16509": msg18696, + "1651": select1542, + "16510": msg18697, + "16511": msg18698, + "16512": msg18699, + "16513": msg18700, + "16514": msg18701, + "16515": msg18702, + "16516": msg18703, + "16517": msg18704, + "16518": msg18705, + "16519": msg18706, + "1652": select1543, + "16520": msg18707, + "16521": msg18708, + "16522": msg18709, + "16523": msg18710, + "16524": msg18711, + "16525": msg18712, + "16526": msg18713, + "16527": msg18714, + "16528": msg18715, + "16529": msg18716, + "1653": select1544, + "16530": msg18717, + "16531": msg18718, + "16532": msg18719, + "16533": msg18720, + "16534": msg18721, + "16535": msg18722, + "16536": msg18723, + "16537": msg18724, + "16538": msg18725, + "16539": msg18726, + "1654": select1545, + "16540": msg18727, + "16541": msg18728, + "16542": msg18729, + "16543": msg18730, + "16544": msg18731, + "16545": msg18732, + "16546": msg18733, + "16547": msg18734, + "16548": msg18735, + "16549": msg18736, + "1655": select1546, + "16550": msg18737, + "16551": msg18738, + "16552": msg18739, + "16553": msg18740, + "16554": msg18741, + "16555": msg18742, + "16556": msg18743, + "16557": msg18744, + "16558": msg18745, + "16559": msg18746, + "1656": select1547, + "16560": msg18747, + "16561": msg18748, + "16562": msg18749, + "16563": msg18750, + "16564": msg18751, + "16565": msg18752, + "16566": msg18753, + "16567": msg18754, + "16568": msg18755, + "16569": msg18756, + "1657": select1548, + "16570": msg18757, + "16571": msg18758, + "16572": msg18759, + "16573": msg18760, + "16574": msg18761, + "16575": msg18762, + "16576": msg18763, + "16577": msg18764, + "16578": msg18765, + "16579": msg18766, + "1658": select1549, + "16580": msg18767, + "16581": msg18768, + "16582": msg18769, + "16583": msg18770, + "16584": msg18771, + "16585": msg18772, + "16586": msg18773, + "16587": msg18774, + "16588": msg18775, + "16589": msg18776, + "1659": select1550, + "16590": msg18777, + "16591": msg18778, + "16592": msg18779, + "16593": msg18780, + "16594": msg18781, + "16595": msg18782, + "16596": msg18783, + "16597": msg18784, + "16598": msg18785, + "16599": msg18786, + "166": select92, + "1660": select1551, + "16600": msg18787, + "16601": msg18788, + "16602": msg18789, + "16603": msg18790, + "16604": msg18791, + "16605": msg18792, + "16606": msg18793, + "16607": msg18794, + "16608": msg18795, + "16609": msg18796, + "1661": select1552, + "16610": msg18797, + "16611": msg18798, + "16612": msg18799, + "16613": msg18800, + "16614": msg18801, + "16615": msg18802, + "16616": msg18803, + "16617": msg18804, + "16618": msg18805, + "16619": msg18806, + "1662": select1553, + "16620": msg18807, + "16621": msg18808, + "16622": msg18809, + "16623": msg18810, + "16624": msg18811, + "16625": msg18812, + "16626": msg18813, + "16627": msg18814, + "16628": msg18815, + "16629": msg18816, + "1663": select1554, + "16630": msg18817, + "16631": msg18818, + "16632": msg18819, + "16633": msg18820, + "16634": msg18821, + "16635": msg18822, + "16636": msg18823, + "16637": msg18824, + "16638": msg18825, + "16639": msg18826, + "1664": select1555, + "16640": msg18827, + "16641": msg18828, + "16642": msg18829, + "16643": msg18830, + "16644": msg18831, + "16645": msg18832, + "16646": msg18833, + "16647": msg18834, + "16648": msg18835, + "16649": msg18836, + "1665": select1556, + "16650": msg18837, + "16651": msg18838, + "16652": msg18839, + "16653": msg18840, + "16654": msg18841, + "16655": msg18842, + "16656": msg18843, + "16657": msg18844, + "16658": msg18845, + "16659": msg18846, + "1666": select1557, + "16660": msg18847, + "16661": msg18848, + "16662": msg18849, + "16663": msg18850, + "16664": msg18851, + "16665": msg18852, + "16666": msg18853, + "16667": msg18854, + "16668": msg18855, + "16669": msg18856, + "1667": select1558, + "16670": msg18857, + "16671": msg18858, + "16672": msg18859, + "16673": msg18860, + "16674": msg18861, + "16675": msg18862, + "16676": msg18863, + "16677": msg18864, + "16678": msg18865, + "16679": msg18866, + "1668": select1559, + "16680": msg18867, + "16681": msg18868, + "16682": msg18869, + "16683": msg18870, + "16684": msg18871, + "16685": msg18872, + "16686": msg18873, + "16687": msg18874, + "16688": msg18875, + "16689": msg18876, + "1669": select1560, + "16690": msg18877, + "16691": msg18878, + "16692": msg18879, + "16693": msg18880, + "16694": msg18881, + "16695": msg18882, + "16696": msg18883, + "16697": msg18884, + "16698": msg18885, + "16699": msg18886, + "167": select93, + "1670": select1561, + "16700": msg18887, + "16701": msg18888, + "16702": msg18889, + "16703": msg18890, + "16704": msg18891, + "16705": msg18892, + "16706": msg18893, + "16707": msg18894, + "16708": msg18895, + "16709": msg18896, + "1671": select1562, + "16710": msg18897, + "16711": msg18898, + "16712": msg18899, + "16713": msg18900, + "16714": msg18901, + "16715": msg18902, + "16716": msg18903, + "16717": msg18904, + "16718": msg18905, + "16719": msg18906, + "1672": select1563, + "16720": msg18907, + "16721": msg18908, + "16722": msg18909, + "16723": msg18910, + "16724": msg18911, + "16725": msg18912, + "16726": msg18913, + "16727": msg18914, + "16728": msg18915, + "16729": msg18916, + "1673": select1564, + "16730": msg18917, + "16731": msg18918, + "16732": msg18919, + "16733": msg18920, + "16734": msg18921, + "16735": msg18922, + "16736": msg18923, + "16737": msg18924, + "16738": msg18925, + "16739": msg18926, + "1674": select1565, + "16740": msg18927, + "16741": msg18928, + "16742": msg18929, + "16743": msg18930, + "16744": msg18931, + "16745": msg18932, + "16746": msg18933, + "16747": msg18934, + "16748": msg18935, + "16749": msg18936, + "1675": select1566, + "16750": msg18937, + "16751": msg18938, + "16752": msg18939, + "16753": msg18940, + "16754": msg18941, + "16755": msg18942, + "16756": msg18943, + "16757": msg18944, + "16758": msg18945, + "16759": msg18946, + "1676": select1567, + "16760": msg18947, + "16761": msg18948, + "16762": msg18949, + "16763": msg18950, + "16764": msg18951, + "16765": msg18952, + "16766": msg18953, + "16767": msg18954, + "16768": msg18955, + "16769": msg18956, + "1677": select1568, + "16770": msg18957, + "16771": msg18958, + "16772": msg18959, + "16773": msg18960, + "16774": msg18961, + "16775": msg18962, + "16776": msg18963, + "16777": msg18964, + "16778": msg18965, + "16779": msg18966, + "1678": select1569, + "16780": msg18967, + "16781": msg18968, + "16782": msg18969, + "16783": msg18970, + "16784": msg18971, + "16785": msg18972, + "16786": msg18973, + "16787": msg18974, + "16788": msg18975, + "16789": msg18976, + "1679": select1570, + "16790": msg18977, + "16791": msg18978, + "16792": msg18979, + "16793": msg18980, + "16794": msg18981, + "16795": msg18982, + "16796": msg18983, + "16797": msg18984, + "16798": msg18985, + "16799": msg18986, + "168": select94, + "1680": select1571, + "16800": msg18987, + "16801": msg18988, + "16802": msg18989, + "16803": msg18990, + "16804": msg18991, + "16805": msg18992, + "16806": msg18993, + "16807": msg18994, + "16808": msg18995, + "16809": msg18996, + "1681": select1572, + "16810": msg18997, + "16811": msg18998, + "16812": msg18999, + "16813": msg19000, + "16814": msg19001, + "16815": msg19002, + "16816": msg19003, + "16817": msg19004, + "16818": msg19005, + "16819": msg19006, + "1682": select1573, + "16820": msg19007, + "16821": msg19008, + "16822": msg19009, + "16823": msg19010, + "16824": msg19011, + "16825": msg19012, + "16826": msg19013, + "16827": msg19014, + "16828": msg19015, + "16829": msg19016, + "1683": select1574, + "16830": msg19017, + "16831": msg19018, + "16832": msg19019, + "16833": msg19020, + "16834": msg19021, + "16835": msg19022, + "16836": msg19023, + "16837": msg19024, + "16838": msg19025, + "16839": msg19026, + "1684": select1575, + "16840": msg19027, + "16841": msg19028, + "16842": msg19029, + "16843": msg19030, + "16844": msg19031, + "16845": msg19032, + "16846": msg19033, + "16847": msg19034, + "16848": msg19035, + "16849": msg19036, + "1685": select1576, + "16850": msg19037, + "16851": msg19038, + "16852": msg19039, + "16853": msg19040, + "16854": msg19041, + "16855": msg19042, + "16856": msg19043, + "16857": msg19044, + "16858": msg19045, + "16859": msg19046, + "1686": select1577, + "16860": msg19047, + "16861": msg19048, + "16862": msg19049, + "16863": msg19050, + "16864": msg19051, + "16865": msg19052, + "16866": msg19053, + "16867": msg19054, + "16868": msg19055, + "16869": msg19056, + "1687": select1578, + "16870": msg19057, + "16871": msg19058, + "16872": msg19059, + "16873": msg19060, + "16874": msg19061, + "16875": msg19062, + "16876": msg19063, + "16877": msg19064, + "16878": msg19065, + "16879": msg19066, + "1688": select1579, + "16880": msg19067, + "16881": msg19068, + "16882": msg19069, + "16883": msg19070, + "16884": msg19071, + "16885": msg19072, + "16886": msg19073, + "16887": msg19074, + "16888": msg19075, + "16889": msg19076, + "1689": select1580, + "16890": msg19077, + "16891": msg19078, + "16892": msg19079, + "16893": msg19080, + "16894": msg19081, + "16895": msg19082, + "16896": msg19083, + "16897": msg19084, + "16898": msg19085, + "16899": msg19086, + "169": select95, + "1690": select1581, + "16900": msg19087, + "16901": msg19088, + "16902": msg19089, + "16903": msg19090, + "16904": msg19091, + "16905": msg19092, + "16906": msg19093, + "16907": msg19094, + "16908": msg19095, + "16909": msg19096, + "1691": select1582, + "16910": msg19097, + "16911": msg19098, + "16912": msg19099, + "16913": msg19100, + "16914": msg19101, + "16915": msg19102, + "16916": msg19103, + "16917": msg19104, + "16918": msg19105, + "16919": msg19106, + "1692": select1583, + "16920": msg19107, + "16921": msg19108, + "16922": msg19109, + "16923": msg19110, + "16924": msg19111, + "16925": msg19112, + "16926": msg19113, + "16927": msg19114, + "16928": msg19115, + "16929": msg19116, + "1693": select1584, + "16930": msg19117, + "16931": msg19118, + "16932": msg19119, + "16933": msg19120, + "16934": msg19121, + "16935": msg19122, + "16936": msg19123, + "16937": msg19124, + "16938": msg19125, + "16939": msg19126, + "1694": select1585, + "16940": msg19127, + "16941": msg19128, + "16942": msg19129, + "16943": msg19130, + "16944": msg19131, + "16945": msg19132, + "16946": msg19133, + "16947": msg19134, + "16948": msg19135, + "16949": msg19136, + "1695": select1586, + "16950": msg19137, + "16951": msg19138, + "16952": msg19139, + "16953": msg19140, + "16954": msg19141, + "16955": msg19142, + "16956": msg19143, + "16957": msg19144, + "16958": msg19145, + "16959": msg19146, + "1696": select1587, + "16960": msg19147, + "16961": msg19148, + "16962": msg19149, + "16963": msg19150, + "16964": msg19151, + "16965": msg19152, + "16966": msg19153, + "16967": msg19154, + "16968": msg19155, + "16969": msg19156, + "1697": select1588, + "16970": msg19157, + "16971": msg19158, + "16972": msg19159, + "16973": msg19160, + "16974": msg19161, + "16975": msg19162, + "16976": msg19163, + "16977": msg19164, + "16978": msg19165, + "16979": msg19166, + "1698": select1589, + "16980": msg19167, + "16981": msg19168, + "16982": msg19169, + "16983": msg19170, + "16984": msg19171, + "16985": msg19172, + "16986": msg19173, + "16987": msg19174, + "16988": msg19175, + "16989": msg19176, + "1699": select1590, + "16990": msg19177, + "16991": msg19178, + "16992": msg19179, + "16993": msg19180, + "16994": msg19181, + "16995": msg19182, + "16996": msg19183, + "16997": msg19184, + "16998": msg19185, + "16999": msg19186, + "17": select18, + "170": select96, + "1700": select1591, + "17000": msg19187, + "17001": msg19188, + "17002": msg19189, + "17003": msg19190, + "17004": msg19191, + "17005": msg19192, + "17006": msg19193, + "17007": msg19194, + "17008": msg19195, + "17009": msg19196, + "1701": select1592, + "17010": msg19197, + "17011": msg19198, + "17012": msg19199, + "17013": msg19200, + "17014": msg19201, + "17015": msg19202, + "17016": msg19203, + "17017": msg19204, + "17018": msg19205, + "17019": msg19206, + "1702": select1593, + "17020": msg19207, + "17021": msg19208, + "17022": msg19209, + "17023": msg19210, + "17024": msg19211, + "17025": msg19212, + "17026": msg19213, + "17027": msg19214, + "17028": msg19215, + "17029": msg19216, + "1703": select1594, + "17030": msg19217, + "17031": msg19218, + "17032": msg19219, + "17033": msg19220, + "17034": msg19221, + "17035": msg19222, + "17036": msg19223, + "17037": msg19224, + "17038": msg19225, + "17039": msg19226, + "1704": select1595, + "17041": msg19227, + "17042": msg19228, + "17043": msg19229, + "17044": msg19230, + "17045": msg19231, + "17046": msg19232, + "17047": msg19233, + "17048": msg19234, + "17049": msg19235, + "1705": select1596, + "17050": msg19236, + "17051": msg19237, + "17052": msg19238, + "17053": msg19239, + "17054": msg19240, + "17055": msg19241, + "17056": msg19242, + "17057": msg19243, + "17058": msg19244, + "17059": msg19245, + "1706": select1597, + "17060": msg19246, + "17061": msg19247, + "17062": msg19248, + "17063": msg19249, + "17064": msg19250, + "17065": msg19251, + "17066": msg19252, + "17067": msg19253, + "17068": msg19254, + "17069": msg19255, + "1707": select1598, + "17070": msg19256, + "17071": msg19257, + "17072": msg19258, + "17073": msg19259, + "17074": msg19260, + "17075": msg19261, + "17076": msg19262, + "17077": msg19263, + "17078": msg19264, + "17079": msg19265, + "1708": select1599, + "17080": msg19266, + "17081": msg19267, + "17082": msg19268, + "17083": msg19269, + "17084": msg19270, + "17085": msg19271, + "17086": msg19272, + "17087": msg19273, + "17088": msg19274, + "17089": msg19275, + "1709": select1600, + "17090": msg19276, + "17091": msg19277, + "17092": msg19278, + "17093": msg19279, + "17094": msg19280, + "17095": msg19281, + "17096": msg19282, + "17097": msg19283, + "17098": msg19284, + "17099": msg19285, + "171": select97, + "1710": select1601, + "17100": msg19286, + "17101": msg19287, + "17102": msg19288, + "17103": msg19289, + "17104": msg19290, + "17105": msg19291, + "17106": msg19292, + "17107": msg19293, + "17108": msg19294, + "17109": msg19295, + "1711": select1602, + "17110": msg19296, + "17111": msg19297, + "17112": msg19298, + "17113": msg19299, + "17114": msg19300, + "17115": msg19301, + "17116": msg19302, + "17117": msg19303, + "17118": msg19304, + "17119": msg19305, + "1712": select1603, + "17120": msg19306, + "17121": msg19307, + "17122": msg19308, + "17123": msg19309, + "17124": msg19310, + "17125": msg19311, + "17126": msg19312, + "17127": msg19313, + "17128": msg19314, + "17129": msg19315, + "1713": select1604, + "17130": msg19316, + "17131": msg19317, + "17132": msg19318, + "17133": msg19319, + "17134": msg19320, + "17135": msg19321, + "17136": msg19322, + "17137": msg19323, + "17138": msg19324, + "17139": msg19325, + "1714": select1605, + "17140": msg19326, + "17141": msg19327, + "17142": msg19328, + "17143": msg19329, + "17144": msg19330, + "17145": msg19331, + "17146": msg19332, + "17147": msg19333, + "17148": msg19334, + "17149": msg19335, + "1715": select1606, + "17150": msg19336, + "17151": msg19337, + "17152": msg19338, + "17153": msg19339, + "17154": msg19340, + "17155": msg19341, + "17156": msg19342, + "17157": msg19343, + "17158": msg19344, + "17159": msg19345, + "1716": select1607, + "17160": msg19346, + "17161": msg19347, + "17162": msg19348, + "17163": msg19349, + "17164": msg19350, + "17165": msg19351, + "17166": msg19352, + "17167": msg19353, + "17168": msg19354, + "17169": msg19355, + "1717": select1608, + "17170": msg19356, + "17171": msg19357, + "17172": msg19358, + "17173": msg19359, + "17174": msg19360, + "17175": msg19361, + "17176": msg19362, + "17177": msg19363, + "17178": msg19364, + "17179": msg19365, + "1718": select1609, + "17180": msg19366, + "17181": msg19367, + "17182": msg19368, + "17183": msg19369, + "17184": msg19370, + "17185": msg19371, + "17186": msg19372, + "17187": msg19373, + "17188": msg19374, + "17189": msg19375, + "1719": select1610, + "17190": msg19376, + "17191": msg19377, + "17192": msg19378, + "17193": msg19379, + "17194": msg19380, + "17195": msg19381, + "17196": msg19382, + "17197": msg19383, + "17198": msg19384, + "17199": msg19385, + "172": select98, + "1720": select1611, + "17200": msg19386, + "17201": msg19387, + "17202": msg19388, + "17203": msg19389, + "17204": msg19390, + "17205": msg19391, + "17206": msg19392, + "17207": msg19393, + "17208": msg19394, + "17209": msg19395, + "1721": select1612, + "17210": msg19396, + "17211": msg19397, + "17212": msg19398, + "17213": msg19399, + "17214": msg19400, + "17215": msg19401, + "17216": msg19402, + "17217": msg19403, + "17218": msg19404, + "17219": msg19405, + "1722": select1613, + "17220": msg19406, + "17221": msg19407, + "17222": msg19408, + "17223": msg19409, + "17224": msg19410, + "17225": msg19411, + "17226": msg19412, + "17227": msg19413, + "17228": msg19414, + "17229": msg19415, + "1723": select1614, + "17230": msg19416, + "17231": msg19417, + "17232": msg19418, + "17233": msg19419, + "17234": msg19420, + "17235": msg19421, + "17236": msg19422, + "17237": msg19423, + "17238": msg19424, + "17239": msg19425, + "1724": select1615, + "17240": msg19426, + "17241": msg19427, + "17242": msg19428, + "17243": msg19429, + "17244": msg19430, + "17245": msg19431, + "17246": msg19432, + "17247": msg19433, + "17248": msg19434, + "17249": msg19435, + "1725": select1616, + "17250": msg19436, + "17251": msg19437, + "17252": msg19438, + "17253": msg19439, + "17254": msg19440, + "17255": msg19441, + "17256": msg19442, + "17257": msg19443, + "17258": msg19444, + "17259": msg19445, + "1726": select1617, + "17260": msg19446, + "17261": msg19447, + "17262": msg19448, + "17263": msg19449, + "17264": msg19450, + "17265": msg19451, + "17266": msg19452, + "17267": msg19453, + "17268": msg19454, + "17269": msg19455, + "1727": select1618, + "17270": msg19456, + "17271": msg19457, + "17272": msg19458, + "17273": msg19459, + "17274": msg19460, + "17275": msg19461, + "17276": msg19462, + "17277": msg19463, + "17278": msg19464, + "17279": msg19465, + "1728": select1619, + "17280": msg19466, + "17281": msg19467, + "17282": msg19468, + "17283": msg19469, + "17284": msg19470, + "17285": msg19471, + "17286": msg19472, + "17287": msg19473, + "17288": msg19474, + "17289": msg19475, + "1729": select1620, + "17290": msg19476, + "17291": msg19477, + "17292": msg19478, + "17293": msg19479, + "17294": msg19480, + "17295": msg19481, + "17296": msg19482, + "17297": msg19483, + "17298": msg19484, + "17299": msg19485, + "173": select99, + "1730": select1621, + "17300": msg19486, + "17301": msg19487, + "17302": msg19488, + "17303": msg19489, + "17304": msg19490, + "17305": msg19491, + "17306": msg19492, + "17307": msg19493, + "17308": msg19494, + "17309": msg19495, + "1731": select1622, + "17310": msg19496, + "17311": msg19497, + "17312": msg19498, + "17313": msg19499, + "17314": msg19500, + "17315": msg19501, + "17316": msg19502, + "17317": msg19503, + "17318": msg19504, + "17319": msg19505, + "1732": select1623, + "17320": msg19506, + "17321": msg19507, + "17322": msg19508, + "17323": msg19509, + "17324": msg19510, + "17325": msg19511, + "17326": msg19512, + "17327": msg19513, + "17328": msg19514, + "17329": msg19515, + "1733": select1624, + "17330": msg19516, + "17331": msg19517, + "17332": msg19518, + "17333": msg19519, + "17334": msg19520, + "17335": msg19521, + "17336": msg19522, + "17337": msg19523, + "17338": msg19524, + "17339": msg19525, + "1734": select1625, + "17340": msg19526, + "17341": msg19527, + "17342": msg19528, + "17343": msg19529, + "17344": msg19530, + "17345": msg19531, + "17346": msg19532, + "17347": msg19533, + "17348": msg19534, + "17349": msg19535, + "1735": select1626, + "17350": msg19536, + "17351": msg19537, + "17352": msg19538, + "17353": msg19539, + "17354": msg19540, + "17355": msg19541, + "17356": msg19542, + "17357": msg19543, + "17358": msg19544, + "17359": msg19545, + "1736": select1627, + "17360": msg19546, + "17361": msg19547, + "17362": msg19548, + "17363": msg19549, + "17364": msg19550, + "17365": msg19551, + "17366": msg19552, + "17367": msg19553, + "17368": msg19554, + "17369": msg19555, + "1737": select1628, + "17370": msg19556, + "17371": msg19557, + "17372": msg19558, + "17373": msg19559, + "17374": msg19560, + "17375": msg19561, + "17376": msg19562, + "17377": msg19563, + "17378": msg19564, + "17379": msg19565, + "1738": select1629, + "17380": msg19566, + "17381": msg19567, + "17382": msg19568, + "17383": msg19569, + "17384": msg19570, + "17385": msg19571, + "17386": msg19572, + "17387": msg19573, + "17388": msg19574, + "17389": msg19575, + "1739": select1630, + "17390": msg19576, + "17391": msg19577, + "17392": msg19578, + "17393": msg19579, + "17394": msg19580, + "17395": msg19581, + "17396": msg19582, + "17397": msg19583, + "17398": msg19584, + "17399": msg19585, + "174": select100, + "1740": select1631, + "17400": msg19586, + "17401": msg19587, + "17402": msg19588, + "17403": msg19589, + "17404": msg19590, + "17405": msg19591, + "17406": msg19592, + "17407": msg19593, + "17408": msg19594, + "17409": msg19595, + "1741": select1632, + "17410": msg19596, + "17411": msg19597, + "17412": msg19598, + "17413": msg19599, + "17414": msg19600, + "17415": msg19601, + "17416": msg19602, + "17417": msg19603, + "17418": msg19604, + "17419": msg19605, + "1742": select1633, + "17420": msg19606, + "17421": msg19607, + "17422": msg19608, + "17423": msg19609, + "17424": msg19610, + "17425": msg19611, + "17426": msg19612, + "17427": msg19613, + "17428": msg19614, + "17429": msg19615, + "1743": select1634, + "17430": msg19616, + "17431": msg19617, + "17432": msg19618, + "17433": msg19619, + "17434": msg19620, + "17435": msg19621, + "17436": msg19622, + "17437": msg19623, + "17438": msg19624, + "17439": msg19625, + "1744": select1635, + "17440": msg19626, + "17441": msg19627, + "17442": msg19628, + "17443": msg19629, + "17444": msg19630, + "17445": msg19631, + "17446": msg19632, + "17447": msg19633, + "17448": msg19634, + "17449": msg19635, + "1745": select1636, + "17450": msg19636, + "17451": msg19637, + "17452": msg19638, + "17453": msg19639, + "17454": msg19640, + "17455": msg19641, + "17456": msg19642, + "17457": msg19643, + "17458": msg19644, + "17459": msg19645, + "1746": select1637, + "17460": msg19646, + "17461": msg19647, + "17462": msg19648, + "17463": msg19649, + "17464": msg19650, + "17465": msg19651, + "17466": msg19652, + "17467": msg19653, + "17468": msg19654, + "17469": msg19655, + "1747": select1638, + "17470": msg19656, + "17471": msg19657, + "17472": msg19658, + "17473": msg19659, + "17474": msg19660, + "17475": msg19661, + "17476": msg19662, + "17477": msg19663, + "17478": msg19664, + "17479": msg19665, + "1748": select1639, + "17480": msg19666, + "17481": msg19667, + "17482": msg19668, + "17483": msg19669, + "17484": msg19670, + "17485": msg19671, + "17486": msg19672, + "17487": msg19673, + "17488": msg19674, + "17489": msg19675, + "1749": select1640, + "17490": msg19676, + "17491": msg19677, + "17492": msg19678, + "17493": msg19679, + "17494": msg19680, + "17495": msg19681, + "17496": msg19682, + "17497": msg19683, + "17498": msg19684, + "17499": msg19685, + "175": select101, + "1750": select1641, + "17500": msg19686, + "17501": msg19687, + "17502": msg19688, + "17503": msg19689, + "17504": msg19690, + "17505": msg19691, + "17506": msg19692, + "17507": msg19693, + "17508": msg19694, + "17509": msg19695, + "1751": select1642, + "17510": msg19696, + "17511": msg19697, + "17512": msg19698, + "17513": msg19699, + "17514": msg19700, + "17515": msg19701, + "17516": msg19702, + "17517": msg19703, + "17518": msg19704, + "17519": msg19705, + "1752": select1643, + "17520": msg19706, + "17521": msg19707, + "17522": msg19708, + "17523": msg19709, + "17524": msg19710, + "17525": msg19711, + "17526": msg19712, + "17527": msg19713, + "17528": msg19714, + "17529": msg19715, + "1753": select1644, + "17530": msg19716, + "17531": msg19717, + "17532": msg19718, + "17533": msg19719, + "17534": msg19720, + "17535": msg19721, + "17536": msg19722, + "17537": msg19723, + "17538": msg19724, + "17539": msg19725, + "1754": select1645, + "17540": msg19726, + "17541": msg19727, + "17542": msg19728, + "17543": msg19729, + "17544": msg19730, + "17545": msg19731, + "17546": msg19732, + "17547": msg19733, + "17548": msg19734, + "17549": msg19735, + "1755": select1646, + "17550": msg19736, + "17551": msg19737, + "17552": msg19738, + "17553": msg19739, + "17554": msg19740, + "17555": msg19741, + "17556": msg19742, + "17557": msg19743, + "17558": msg19744, + "17559": msg19745, + "1756": select1647, + "17560": msg19746, + "17561": msg19747, + "17562": msg19748, + "17563": msg19749, + "17564": msg19750, + "17565": msg19751, + "17566": msg19752, + "17567": msg19753, + "17568": msg19754, + "17569": msg19755, + "1757": select1648, + "17570": msg19756, + "17571": msg19757, + "17572": msg19758, + "17573": msg19759, + "17574": msg19760, + "17575": msg19761, + "17576": msg19762, + "17577": msg19763, + "17578": msg19764, + "17579": msg19765, + "1758": select1649, + "17580": msg19766, + "17581": msg19767, + "17582": msg19768, + "17583": msg19769, + "17584": msg19770, + "17585": msg19771, + "17586": msg19772, + "17587": msg19773, + "17588": msg19774, + "17589": msg19775, + "1759": select1650, + "17590": msg19776, + "17591": msg19777, + "17592": msg19778, + "17593": msg19779, + "17594": msg19780, + "17595": msg19781, + "17596": msg19782, + "17597": msg19783, + "17598": msg19784, + "17599": msg19785, + "176": select102, + "1760": select1651, + "17600": msg19786, + "17601": msg19787, + "17602": msg19788, + "17603": msg19789, + "17604": msg19790, + "17605": msg19791, + "17606": msg19792, + "17607": msg19793, + "17608": msg19794, + "17609": msg19795, + "1761": select1652, + "17610": msg19796, + "17611": msg19797, + "17612": msg19798, + "17613": msg19799, + "17614": msg19800, + "17616": msg19801, + "17618": msg19802, + "17619": msg19803, + "1762": select1653, + "17620": msg19804, + "17621": msg19805, + "17622": msg19806, + "17623": msg19807, + "17624": msg19808, + "17625": msg19809, + "17626": msg19810, + "17628": msg19811, + "17629": msg19812, + "1763": select1654, + "17630": msg19813, + "17631": msg19814, + "17632": msg19815, + "17633": msg19816, + "17634": msg19817, + "17635": msg19818, + "17636": msg19819, + "17637": msg19820, + "17638": msg19821, + "17639": msg19822, + "1764": select1655, + "17640": msg19823, + "17641": msg19824, + "17642": msg19825, + "17643": msg19826, + "17644": msg19827, + "17645": msg19828, + "17646": msg19829, + "17647": msg19830, + "17648": msg19831, + "17649": msg19832, + "1765": select1656, + "17650": msg19833, + "17651": msg19834, + "17652": msg19835, + "17653": msg19836, + "17654": msg19837, + "17655": msg19838, + "17656": msg19839, + "17657": msg19840, + "17658": msg19841, + "17659": msg19842, + "1766": select1657, + "17660": msg19843, + "17661": msg19844, + "17662": msg19845, + "17663": msg19846, + "17664": msg19847, + "17665": msg19848, + "17666": msg19849, + "17667": msg19850, + "17668": msg19851, + "17669": msg19852, + "1767": select1658, + "17670": msg19853, + "17671": msg19854, + "17672": msg19855, + "17673": msg19856, + "17674": msg19857, + "17675": msg19858, + "17676": msg19859, + "17677": msg19860, + "17678": msg19861, + "17679": msg19862, + "1768": select1659, + "17680": msg19863, + "17685": msg19864, + "17686": msg19865, + "17687": msg19866, + "17688": msg19867, + "17689": msg19868, + "1769": select1660, + "17690": msg19869, + "17691": msg19870, + "17692": msg19871, + "17693": msg19872, + "17694": msg19873, + "17695": msg19874, + "17696": msg19875, + "17697": msg19876, + "17698": msg19877, + "17699": msg19878, + "177": select103, + "1770": select1661, + "17700": msg19879, + "17701": msg19880, + "17702": msg19881, + "17703": msg19882, + "17704": msg19883, + "17705": msg19884, + "17706": msg19885, + "17707": msg19886, + "17708": msg19887, + "17709": msg19888, + "1771": select1662, + "17710": msg19889, + "17711": msg19890, + "17712": msg19891, + "17713": msg19892, + "17714": msg19893, + "17715": msg19894, + "17716": msg19895, + "17717": msg19896, + "17718": msg19897, + "17719": msg19898, + "1772": select1663, + "17720": msg19899, + "17721": msg19900, + "17722": msg19901, + "17723": msg19902, + "17724": msg19903, + "17725": msg19904, + "17726": msg19905, + "17727": msg19906, + "17728": msg19907, + "17729": msg19908, + "1773": select1664, + "17730": msg19909, + "17731": msg19910, + "17732": msg19911, + "17733": msg19912, + "17734": msg19913, + "17735": msg19914, + "17736": msg19915, + "17737": msg19916, + "17738": msg19917, + "17739": msg19918, + "1774": select1665, + "17740": msg19919, + "17741": msg19920, + "17742": msg19921, + "17743": msg19922, + "17745": msg19923, + "17746": msg19924, + "17747": msg19925, + "17748": msg19926, + "17749": msg19927, + "1775": select1666, + "17750": msg19928, + "17751": msg19929, + "17752": msg19930, + "17753": msg19931, + "17754": msg19932, + "17755": msg19933, + "17756": msg19934, + "17757": msg19935, + "17758": msg19936, + "17759": msg19937, + "1776": select1667, + "17760": msg19938, + "17762": msg19939, + "17763": msg19940, + "17764": msg19941, + "17765": msg19942, + "17766": msg19943, + "17767": msg19944, + "17768": msg19945, + "17769": msg19946, + "1777": select1668, + "17770": msg19947, + "17771": msg19948, + "17772": msg19949, + "17773": msg19950, + "17774": msg19951, + "17775": msg19952, + "17776": msg19953, + "17777": msg19954, + "17778": msg19955, + "17779": msg19956, + "1778": select1669, + "17780": msg19957, + "17781": msg19958, + "17782": msg19959, + "17783": msg19960, + "17784": msg19961, + "17785": msg19962, + "17786": msg19963, + "17787": msg19964, + "17788": msg19965, + "17789": msg19966, + "1779": select1670, + "17790": msg19967, + "17791": msg19968, + "17792": msg19969, + "17793": msg19970, + "17794": msg19971, + "17795": msg19972, + "17796": msg19973, + "17797": msg19974, + "17798": msg19975, + "17799": msg19976, + "1780": select1671, + "17800": msg19977, + "17801": msg19978, + "17802": msg19979, + "17803": msg19980, + "17804": msg19981, + "17805": msg19982, + "17806": msg19983, + "17807": msg19984, + "17808": msg19985, + "17809": msg19986, + "1781": select1672, + "17810": msg19987, + "17811": msg19988, + "17812": msg19989, + "17813": msg19990, + "17814": msg19991, + "17815": msg19992, + "17816": msg19993, + "17817": msg19994, + "17818": msg19995, + "17819": msg19996, + "1782": select1673, + "17820": msg19997, + "17821": msg19998, + "17822": msg19999, + "17823": msg20000, + "17824": msg20001, + "17825": msg20002, + "17826": msg20003, + "17827": msg20004, + "17828": msg20005, + "17829": msg20006, + "1783": select1674, + "17830": msg20007, + "17831": msg20008, + "17832": msg20009, + "17833": msg20010, + "17834": msg20011, + "17835": msg20012, + "17836": msg20013, + "17837": msg20014, + "17838": msg20015, + "17839": msg20016, + "1784": select1675, + "17840": msg20017, + "17841": msg20018, + "17842": msg20019, + "17843": msg20020, + "17844": msg20021, + "17845": msg20022, + "17846": msg20023, + "17847": msg20024, + "17848": msg20025, + "17849": msg20026, + "1785": select1676, + "17850": msg20027, + "17851": msg20028, + "17852": msg20029, + "17853": msg20030, + "17854": msg20031, + "17855": msg20032, + "17856": msg20033, + "17857": msg20034, + "17858": msg20035, + "17859": msg20036, + "1786": select1677, + "17860": msg20037, + "17861": msg20038, + "17862": msg20039, + "17863": msg20040, + "17864": msg20041, + "17865": msg20042, + "17866": msg20043, + "17867": msg20044, + "17868": msg20045, + "17869": msg20046, + "1787": select1678, + "17870": msg20047, + "17871": msg20048, + "17872": msg20049, + "17873": msg20050, + "17874": msg20051, + "17875": msg20052, + "17876": msg20053, + "17877": msg20054, + "17878": msg20055, + "17879": msg20056, + "1788": select1679, + "17880": msg20057, + "17881": msg20058, + "17882": msg20059, + "17883": msg20060, + "17884": msg20061, + "17885": msg20062, + "17886": msg20063, + "17887": msg20064, + "17888": msg20065, + "17889": msg20066, + "1789": select1680, + "17890": msg20067, + "17891": msg20068, + "17892": msg20069, + "17893": msg20070, + "17894": msg20071, + "17895": msg20072, + "17896": msg20073, + "17897": msg20074, + "17898": msg20075, + "17899": msg20076, + "179": select104, + "1790": select1681, + "17900": msg20077, + "17901": msg20078, + "17902": msg20079, + "17903": msg20080, + "17904": msg20081, + "17905": msg20082, + "17906": msg20083, + "17907": msg20084, + "17908": msg20085, + "17909": msg20086, + "1791": select1682, + "17910": msg20087, + "17911": msg20088, + "17912": msg20089, + "17913": msg20090, + "17914": msg20091, + "17915": msg20092, + "17916": msg20093, + "17917": msg20094, + "17918": msg20095, + "17919": msg20096, + "1792": select1683, + "17920": msg20097, + "17921": msg20098, + "17922": msg20099, + "17923": msg20100, + "17924": msg20101, + "17925": msg20102, + "17926": msg20103, + "17927": msg20104, + "17928": msg20105, + "17929": msg20106, + "1793": select1684, + "17930": msg20107, + "17931": msg20108, + "17932": msg20109, + "17933": msg20110, + "17934": msg20111, + "17935": msg20112, + "17936": msg20113, + "17937": msg20114, + "17938": msg20115, + "17939": msg20116, + "1794": select1685, + "17940": msg20117, + "17941": msg20118, + "17942": msg20119, + "17943": msg20120, + "17944": msg20121, + "17945": msg20122, + "17946": msg20123, + "17947": msg20124, + "17948": msg20125, + "17949": msg20126, + "1795": select1686, + "17950": msg20127, + "17951": msg20128, + "17952": msg20129, + "17953": msg20130, + "17954": msg20131, + "17955": msg20132, + "17956": msg20133, + "17957": msg20134, + "17958": msg20135, + "17959": msg20136, + "1796": select1687, + "17960": msg20137, + "17961": msg20138, + "17962": msg20139, + "17963": msg20140, + "17964": msg20141, + "17965": msg20142, + "17966": msg20143, + "17967": msg20144, + "17968": msg20145, + "17969": msg20146, + "1797": select1688, + "17970": msg20147, + "17971": msg20148, + "17972": msg20149, + "17973": msg20150, + "17974": msg20151, + "17975": msg20152, + "17976": msg20153, + "17977": msg20154, + "17978": msg20155, + "17979": msg20156, + "1798": select1689, + "17980": msg20157, + "17981": msg20158, + "17982": msg20159, + "17983": msg20160, + "17984": msg20161, + "17985": msg20162, + "17986": msg20163, + "17987": msg20164, + "17988": msg20165, + "17989": msg20166, + "1799": select1690, + "17990": msg20167, + "17991": msg20168, + "17992": msg20169, + "17993": msg20170, + "17994": msg20171, + "17995": msg20172, + "17996": msg20173, + "17997": msg20174, + "17998": msg20175, + "17999": msg20176, + "18": select19, + "180": select105, + "1800": select1691, + "18000": msg20177, + "18001": msg20178, + "18002": msg20179, + "18003": msg20180, + "18004": msg20181, + "18005": msg20182, + "18006": msg20183, + "18007": msg20184, + "18008": msg20185, + "18009": msg20186, + "1801": select1692, + "18010": msg20187, + "18011": msg20188, + "18012": msg20189, + "18013": msg20190, + "18014": msg20191, + "18015": msg20192, + "18016": msg20193, + "18017": msg20194, + "18018": msg20195, + "18019": msg20196, + "1802": select1693, + "18020": msg20197, + "18021": msg20198, + "18022": msg20199, + "18023": msg20200, + "18024": msg20201, + "18025": msg20202, + "18026": msg20203, + "18027": msg20204, + "18028": msg20205, + "18029": msg20206, + "1803": select1694, + "18030": msg20207, + "18031": msg20208, + "18032": msg20209, + "18033": msg20210, + "18034": msg20211, + "18035": msg20212, + "18036": msg20213, + "18037": msg20214, + "18038": msg20215, + "18039": msg20216, + "1804": select1695, + "18040": msg20217, + "18041": msg20218, + "18042": msg20219, + "18043": msg20220, + "18044": msg20221, + "18045": msg20222, + "18046": msg20223, + "18047": msg20224, + "18048": msg20225, + "18049": msg20226, + "1805": select1696, + "18050": msg20227, + "18051": msg20228, + "18052": msg20229, + "18053": msg20230, + "18054": msg20231, + "18055": msg20232, + "18056": msg20233, + "18057": msg20234, + "18058": msg20235, + "18059": msg20236, + "1806": select1697, + "18060": msg20237, + "18061": msg20238, + "18062": msg20239, + "18063": msg20240, + "18064": msg20241, + "18065": msg20242, + "18066": msg20243, + "18067": msg20244, + "18068": msg20245, + "18069": msg20246, + "1807": select1698, + "18070": msg20247, + "18071": msg20248, + "18072": msg20249, + "18073": msg20250, + "18074": msg20251, + "18076": msg20252, + "18077": msg20253, + "18078": msg20254, + "18079": msg20255, + "1808": select1699, + "18080": msg20256, + "18081": msg20257, + "18082": msg20258, + "18083": msg20259, + "18084": msg20260, + "18085": msg20261, + "18086": msg20262, + "18087": msg20263, + "18088": msg20264, + "18089": msg20265, + "1809": select1700, + "18090": msg20266, + "18091": msg20267, + "18092": msg20268, + "18093": msg20269, + "18094": msg20270, + "18095": msg20271, + "18096": msg20272, + "18097": msg20273, + "18098": msg20274, + "18099": msg20275, + "181": select106, + "1810": select1701, + "18100": msg20276, + "18101": msg20277, + "18102": msg20278, + "18103": msg20279, + "18104": msg20280, + "18105": msg20281, + "18106": msg20282, + "18107": msg20283, + "18108": msg20284, + "18109": msg20285, + "1811": select1702, + "18110": msg20286, + "18111": msg20287, + "18112": msg20288, + "18113": msg20289, + "18114": msg20290, + "18115": msg20291, + "18116": msg20292, + "18117": msg20293, + "18118": msg20294, + "18119": msg20295, + "1812": select1703, + "18120": msg20296, + "18121": msg20297, + "18122": msg20298, + "18123": msg20299, + "18124": msg20300, + "18125": msg20301, + "18126": msg20302, + "18127": msg20303, + "18128": msg20304, + "18129": msg20305, + "1813": select1704, + "18130": msg20306, + "18131": msg20307, + "18132": msg20308, + "18133": msg20309, + "18134": msg20310, + "18135": msg20311, + "18136": msg20312, + "18137": msg20313, + "18138": msg20314, + "18139": msg20315, + "1814": select1705, + "18140": msg20316, + "18141": msg20317, + "18142": msg20318, + "18143": msg20319, + "18144": msg20320, + "18145": msg20321, + "18146": msg20322, + "18147": msg20323, + "18148": msg20324, + "18149": msg20325, + "1815": select1706, + "18150": msg20326, + "18151": msg20327, + "18152": msg20328, + "18153": msg20329, + "18154": msg20330, + "18155": msg20331, + "18156": msg20332, + "18157": msg20333, + "18158": msg20334, + "18159": msg20335, + "1816": select1707, + "18160": msg20336, + "18161": msg20337, + "18162": msg20338, + "18163": msg20339, + "18164": msg20340, + "18165": msg20341, + "18166": msg20342, + "18167": msg20343, + "18168": msg20344, + "18169": msg20345, + "1817": select1708, + "18170": msg20346, + "18171": msg20347, + "18172": msg20348, + "18173": msg20349, + "18174": msg20350, + "18175": msg20351, + "18176": msg20352, + "18177": msg20353, + "18178": msg20354, + "18179": msg20355, + "1818": select1709, + "18180": msg20356, + "18181": msg20357, + "18182": msg20358, + "18183": msg20359, + "18184": msg20360, + "18185": msg20361, + "18186": msg20362, + "18187": msg20363, + "18188": msg20364, + "18189": msg20365, + "1819": select1710, + "18190": msg20366, + "18191": msg20367, + "18192": msg20368, + "18193": msg20369, + "18194": msg20370, + "18195": msg20371, + "18196": msg20372, + "18197": msg20373, + "18198": msg20374, + "18199": msg20375, + "182": select107, + "1820": select1711, + "18200": msg20376, + "18201": msg20377, + "18202": msg20378, + "18203": msg20379, + "18204": msg20380, + "18205": msg20381, + "18206": msg20382, + "18207": msg20383, + "18208": msg20384, + "18209": msg20385, + "1821": select1712, + "18210": msg20386, + "18211": msg20387, + "18212": msg20388, + "18213": msg20389, + "18214": msg20390, + "18215": msg20391, + "18216": msg20392, + "18217": msg20393, + "18218": msg20394, + "18219": msg20395, + "1822": select1713, + "18220": msg20396, + "18221": msg20397, + "18222": msg20398, + "18223": msg20399, + "18224": msg20400, + "18225": msg20401, + "18226": msg20402, + "18227": msg20403, + "18228": msg20404, + "18229": msg20405, + "1823": select1714, + "18230": msg20406, + "18231": msg20407, + "18232": msg20408, + "18233": msg20409, + "18234": msg20410, + "18235": msg20411, + "18236": msg20412, + "18237": msg20413, + "18238": msg20414, + "18239": msg20415, + "1824": select1715, + "18240": msg20416, + "18241": msg20417, + "18242": msg20418, + "18243": msg20419, + "18244": msg20420, + "18245": msg20421, + "18246": msg20422, + "18247": msg20423, + "18248": msg20424, + "18249": msg20425, + "1825": select1716, + "18250": msg20426, + "18251": msg20427, + "18252": msg20428, + "18253": msg20429, + "18254": msg20430, + "18255": msg20431, + "18256": msg20432, + "18257": msg20433, + "18258": msg20434, + "18259": msg20435, + "1826": select1717, + "18260": msg20436, + "18261": msg20437, + "18262": msg20438, + "18263": msg20439, + "18264": msg20440, + "18265": msg20441, + "18266": msg20442, + "18267": msg20443, + "18268": msg20444, + "18269": msg20445, + "1827": select1718, + "18270": msg20446, + "18271": msg20447, + "18272": msg20448, + "18273": msg20449, + "18274": msg20450, + "18275": msg20451, + "18276": msg20452, + "18277": msg20453, + "18278": msg20454, + "18279": msg20455, + "1828": select1719, + "18280": msg20456, + "18281": msg20457, + "18282": msg20458, + "18283": msg20459, + "18284": msg20460, + "18285": msg20461, + "18286": msg20462, + "18287": msg20463, + "18288": msg20464, + "18289": msg20465, + "1829": select1720, + "18290": msg20466, + "18291": msg20467, + "18292": msg20468, + "18293": msg20469, + "18294": msg20470, + "18295": msg20471, + "18296": msg20472, + "18297": msg20473, + "18298": msg20474, + "18299": msg20475, + "183": select108, + "1830": select1721, + "18300": msg20476, + "18301": msg20477, + "18302": msg20478, + "18303": msg20479, + "18304": msg20480, + "18305": msg20481, + "18306": msg20482, + "18307": msg20483, + "18308": msg20484, + "18309": msg20485, + "1831": select1722, + "18310": msg20486, + "18311": msg20487, + "18312": msg20488, + "18313": msg20489, + "18314": msg20490, + "18315": msg20491, + "18316": msg20492, + "18317": msg20493, + "18318": msg20494, + "18319": msg20495, + "1832": select1723, + "18320": msg20496, + "18321": msg20497, + "18322": msg20498, + "18323": msg20499, + "18324": msg20500, + "18325": msg20501, + "18326": msg20502, + "18327": msg20503, + "18328": msg20504, + "18329": msg20505, + "1833": select1724, + "18330": msg20506, + "18331": msg20507, + "18332": msg20508, + "18333": msg20509, + "18334": msg20510, + "18335": msg20511, + "18336": msg20512, + "18337": msg20513, + "18338": msg20514, + "18339": msg20515, + "1834": select1725, + "18340": msg20516, + "18341": msg20517, + "18342": msg20518, + "18343": msg20519, + "18344": msg20520, + "18345": msg20521, + "18346": msg20522, + "18347": msg20523, + "18348": msg20524, + "18349": msg20525, + "1835": select1726, + "18350": msg20526, + "18351": msg20527, + "18352": msg20528, + "18353": msg20529, + "18354": msg20530, + "18355": msg20531, + "18356": msg20532, + "18357": msg20533, + "18358": msg20534, + "18359": msg20535, + "1836": select1727, + "18360": msg20536, + "18361": msg20537, + "18362": msg20538, + "18363": msg20539, + "18364": msg20540, + "18365": msg20541, + "18366": msg20542, + "18367": msg20543, + "18368": msg20544, + "18369": msg20545, + "1837": select1728, + "18370": msg20546, + "18371": msg20547, + "18372": msg20548, + "18373": msg20549, + "18374": msg20550, + "18375": msg20551, + "18376": msg20552, + "18377": msg20553, + "18378": msg20554, + "18379": msg20555, + "1838": select1729, + "18380": msg20556, + "18381": msg20557, + "18382": msg20558, + "18383": msg20559, + "18384": msg20560, + "18385": msg20561, + "18386": msg20562, + "18387": msg20563, + "18388": msg20564, + "18389": msg20565, + "1839": select1730, + "18390": msg20566, + "18391": msg20567, + "18392": msg20568, + "18393": msg20569, + "18394": msg20570, + "18395": msg20571, + "18396": msg20572, + "18397": msg20573, + "18398": msg20574, + "18399": msg20575, + "184": select109, + "1840": select1731, + "18400": msg20576, + "18401": msg20577, + "18402": msg20578, + "18403": msg20579, + "18404": msg20580, + "18405": msg20581, + "18406": msg20582, + "18407": msg20583, + "18408": msg20584, + "18409": msg20585, + "1841": select1732, + "18410": msg20586, + "18411": msg20587, + "18412": msg20588, + "18413": msg20589, + "18414": msg20590, + "18415": msg20591, + "18416": msg20592, + "18417": msg20593, + "18418": msg20594, + "18419": msg20595, + "1842": select1733, + "18420": msg20596, + "18421": msg20597, + "18422": msg20598, + "18423": msg20599, + "18424": msg20600, + "18425": msg20601, + "18426": msg20602, + "18427": msg20603, + "18428": msg20604, + "18429": msg20605, + "1843": select1734, + "18430": msg20606, + "18431": msg20607, + "18432": msg20608, + "18433": msg20609, + "18434": msg20610, + "18435": msg20611, + "18436": msg20612, + "18437": msg20613, + "18438": msg20614, + "18439": msg20615, + "1844": select1735, + "18440": msg20616, + "18441": msg20617, + "18442": msg20618, + "18443": msg20619, + "18444": msg20620, + "18445": msg20621, + "18446": msg20622, + "18447": msg20623, + "18448": msg20624, + "18449": msg20625, + "1845": select1736, + "18450": msg20626, + "18451": msg20627, + "18452": msg20628, + "18453": msg20629, + "18454": msg20630, + "18455": msg20631, + "18456": msg20632, + "18457": msg20633, + "18458": msg20634, + "18459": msg20635, + "1846": select1737, + "18460": msg20636, + "18461": msg20637, + "18462": msg20638, + "18463": msg20639, + "18464": msg20640, + "18465": msg20641, + "18466": msg20642, + "18467": msg20643, + "18468": msg20644, + "18469": msg20645, + "1847": select1738, + "18470": msg20646, + "18471": msg20647, + "18472": msg20648, + "18473": msg20649, + "18474": msg20650, + "18475": msg20651, + "18476": msg20652, + "18477": msg20653, + "18478": msg20654, + "18479": msg20655, + "1848": select1739, + "18480": msg20656, + "18481": msg20657, + "18482": msg20658, + "18483": msg20659, + "18484": msg20660, + "18485": msg20661, + "18486": msg20662, + "18487": msg20663, + "18488": msg20664, + "18489": msg20665, + "1849": select1740, + "18490": msg20666, + "18491": msg20667, + "18492": msg20668, + "18493": msg20669, + "18494": msg20670, + "18495": msg20671, + "18496": msg20672, + "18497": msg20673, + "18498": msg20674, + "18499": msg20675, + "185": select110, + "1850": select1741, + "18500": msg20676, + "18501": msg20677, + "18502": msg20678, + "18503": msg20679, + "18504": msg20680, + "18505": msg20681, + "18506": msg20682, + "18507": msg20683, + "18508": msg20684, + "18509": msg20685, + "1851": select1742, + "18510": msg20686, + "18511": msg20687, + "18512": msg20688, + "18513": msg20689, + "18514": msg20690, + "18515": msg20691, + "18516": msg20692, + "18517": msg20693, + "18518": msg20694, + "18519": msg20695, + "1852": select1743, + "18520": msg20696, + "18521": msg20697, + "18522": msg20698, + "18523": msg20699, + "18524": msg20700, + "18525": msg20701, + "18526": msg20702, + "18527": msg20703, + "18528": msg20704, + "18529": msg20705, + "1853": select1744, + "18530": msg20706, + "18531": msg20707, + "18532": msg20708, + "18533": msg20709, + "18534": msg20710, + "18535": msg20711, + "18536": msg20712, + "18537": msg20713, + "18538": msg20714, + "18539": msg20715, + "1854": select1745, + "18540": msg20716, + "18541": msg20717, + "18542": msg20718, + "18543": msg20719, + "18544": msg20720, + "18545": msg20721, + "18546": msg20722, + "18547": msg20723, + "18548": msg20724, + "18549": msg20725, + "1855": select1746, + "18550": msg20726, + "18551": msg20727, + "18552": msg20728, + "18553": msg20729, + "18554": msg20730, + "18555": msg20731, + "18556": msg20732, + "18557": msg20733, + "18558": msg20734, + "18559": msg20735, + "1856": select1747, + "18560": msg20736, + "18561": msg20737, + "18562": msg20738, + "18563": msg20739, + "18564": msg20740, + "18565": msg20741, + "18566": msg20742, + "18567": msg20743, + "18568": msg20744, + "18569": msg20745, + "1857": select1748, + "18570": msg20746, + "18571": msg20747, + "18572": msg20748, + "18573": msg20749, + "18574": msg20750, + "18575": msg20751, + "18576": msg20752, + "18577": msg20753, + "18578": msg20754, + "18579": msg20755, + "1858": select1749, + "18580": msg20756, + "18581": msg20757, + "18582": msg20758, + "18583": msg20759, + "18584": msg20760, + "18585": msg20761, + "18586": msg20762, + "18587": msg20763, + "18588": msg20764, + "18589": msg20765, + "1859": select1750, + "18590": msg20766, + "18591": msg20767, + "18592": msg20768, + "18593": msg20769, + "18594": msg20770, + "18595": msg20771, + "18596": msg20772, + "18597": msg20773, + "18598": msg20774, + "18599": msg20775, + "186": select111, + "1860": select1751, + "18600": msg20776, + "18601": msg20777, + "18602": msg20778, + "18603": msg20779, + "18604": msg20780, + "18605": msg20781, + "18606": msg20782, + "18607": msg20783, + "18608": msg20784, + "18609": msg20785, + "1861": select1752, + "18610": msg20786, + "18611": msg20787, + "18612": msg20788, + "18613": msg20789, + "18614": msg20790, + "18615": msg20791, + "18616": msg20792, + "18617": msg20793, + "18618": msg20794, + "18619": msg20795, + "1862": select1753, + "18620": msg20796, + "18621": msg20797, + "18622": msg20798, + "18623": msg20799, + "18624": msg20800, + "18625": msg20801, + "18626": msg20802, + "18627": msg20803, + "18628": msg20804, + "18629": msg20805, + "1863": select1754, + "18630": msg20806, + "18631": msg20807, + "18632": msg20808, + "18633": msg20809, + "18634": msg20810, + "18635": msg20811, + "18636": msg20812, + "18637": msg20813, + "18638": msg20814, + "18639": msg20815, + "1864": select1755, + "18640": msg20816, + "18641": msg20817, + "18642": msg20818, + "18643": msg20819, + "18644": msg20820, + "18645": msg20821, + "18646": msg20822, + "18647": msg20823, + "18648": msg20824, + "18649": msg20825, + "1865": select1756, + "18650": msg20826, + "18651": msg20827, + "18652": msg20828, + "18653": msg20829, + "18654": msg20830, + "18655": msg20831, + "18656": msg20832, + "18657": msg20833, + "18658": msg20834, + "18659": msg20835, + "1866": select1757, + "18660": msg20836, + "18661": msg20837, + "18662": msg20838, + "18663": msg20839, + "18664": msg20840, + "18665": msg20841, + "18666": msg20842, + "18667": msg20843, + "18668": msg20844, + "18669": msg20845, + "1867": select1758, + "18670": msg20846, + "18671": msg20847, + "18672": msg20848, + "18673": msg20849, + "18674": msg20850, + "18675": msg20851, + "18676": msg20852, + "18677": msg20853, + "18678": msg20854, + "18679": msg20855, + "1868": msg3638, + "18680": msg20856, + "18681": msg20857, + "18682": msg20858, + "18683": msg20859, + "18684": msg20860, + "18685": msg20861, + "18686": msg20862, + "18687": msg20863, + "18688": msg20864, + "18689": msg20865, + "1869": msg3639, + "18690": msg20866, + "18691": msg20867, + "187": select112, + "1870": select1759, + "18700": msg20868, + "18701": msg20869, + "18702": msg20870, + "18703": msg20871, + "18704": msg20872, + "18705": msg20873, + "18706": msg20874, + "18707": msg20875, + "18708": msg20876, + "18709": msg20877, + "1871": select1760, + "18710": msg20878, + "18711": msg20879, + "18712": msg20880, + "18713": msg20881, + "18714": msg20882, + "18715": msg20883, + "18716": msg20884, + "18717": msg20885, + "18718": msg20886, + "18719": msg20887, + "1872": select1761, + "18720": msg20888, + "18721": msg20889, + "18722": msg20890, + "18723": msg20891, + "18724": msg20892, + "18725": msg20893, + "18726": msg20894, + "18727": msg20895, + "18728": msg20896, + "18729": msg20897, + "1873": select1762, + "18730": msg20898, + "18731": msg20899, + "18732": msg20900, + "18733": msg20901, + "18734": msg20902, + "18735": msg20903, + "18736": msg20904, + "18737": msg20905, + "18738": msg20906, + "18739": msg20907, + "1874": select1763, + "18740": msg20908, + "18741": msg20909, + "18742": msg20910, + "18743": msg20911, + "18744": msg20912, + "18745": msg20913, + "18746": msg20914, + "18747": msg20915, + "18748": msg20916, + "18749": msg20917, + "1875": select1764, + "18750": msg20918, + "18751": msg20919, + "18752": msg20920, + "18753": msg20921, + "18754": msg20922, + "18755": msg20923, + "18756": msg20924, + "18757": msg20925, + "18758": msg20926, + "18759": msg20927, + "1876": select1765, + "18760": msg20928, + "18761": msg20929, + "18762": msg20930, + "18763": msg20931, + "18764": msg20932, + "18765": msg20933, + "18766": msg20934, + "18767": msg20935, + "18768": msg20936, + "18769": msg20937, + "1877": select1766, + "18770": msg20938, + "18771": msg20939, + "18772": msg20940, + "18773": msg20941, + "18774": msg20942, + "18775": msg20943, + "18776": msg20944, + "18777": msg20945, + "18778": msg20946, + "18779": msg20947, + "1878": select1767, + "18780": msg20948, + "18781": msg20949, + "18782": msg20950, + "18783": msg20951, + "18784": msg20952, + "18785": msg20953, + "18786": msg20954, + "18787": msg20955, + "18788": msg20956, + "18789": msg20957, + "1879": select1768, + "18790": msg20958, + "18791": msg20959, + "18792": msg20960, + "18793": msg20961, + "18794": msg20962, + "18795": msg20963, + "18796": msg20964, + "18797": msg20965, + "18798": msg20966, + "18799": msg20967, + "188": select113, + "1880": select1769, + "18800": msg20968, + "18801": msg20969, + "18802": msg20970, + "18803": msg20971, + "18804": msg20972, + "18805": msg20973, + "18806": msg20974, + "18807": msg20975, + "18808": msg20976, + "18809": msg20977, + "1881": select1770, + "18810": msg20978, + "18811": msg20979, + "18812": msg20980, + "18813": msg20981, + "18814": msg20982, + "18815": msg20983, + "18816": msg20984, + "18817": msg20985, + "18818": msg20986, + "18819": msg20987, + "1882": select1771, + "18820": msg20988, + "18821": msg20989, + "18822": msg20990, + "18823": msg20991, + "18824": msg20992, + "18825": msg20993, + "18826": msg20994, + "18827": msg20995, + "18828": msg20996, + "18829": msg20997, + "1883": select1772, + "18830": msg20998, + "18831": msg20999, + "18832": msg21000, + "18833": msg21001, + "18834": msg21002, + "18835": msg21003, + "18836": msg21004, + "18837": msg21005, + "18838": msg21006, + "18839": msg21007, + "1884": select1773, + "18840": msg21008, + "18841": msg21009, + "18842": msg21010, + "18843": msg21011, + "18844": msg21012, + "18845": msg21013, + "18846": msg21014, + "18847": msg21015, + "18848": msg21016, + "18849": msg21017, + "1885": select1774, + "18850": msg21018, + "18851": msg21019, + "18852": msg21020, + "18853": msg21021, + "18854": msg21022, + "18855": msg21023, + "18856": msg21024, + "18857": msg21025, + "18858": msg21026, + "18859": msg21027, + "1886": select1775, + "18860": msg21028, + "18861": msg21029, + "18862": msg21030, + "18863": msg21031, + "18864": msg21032, + "18865": msg21033, + "18866": msg21034, + "18867": msg21035, + "18868": msg21036, + "18869": msg21037, + "1887": select1776, + "18870": msg21038, + "18871": msg21039, + "18872": msg21040, + "18873": msg21041, + "18874": msg21042, + "18875": msg21043, + "18876": msg21044, + "18877": msg21045, + "18878": msg21046, + "18879": msg21047, + "1888": select1777, + "18880": msg21048, + "18881": msg21049, + "18882": msg21050, + "18883": msg21051, + "18884": msg21052, + "18885": msg21053, + "18886": msg21054, + "18887": msg21055, + "18888": msg21056, + "18889": msg21057, + "1889": select1778, + "18890": msg21058, + "18891": msg21059, + "18892": msg21060, + "18893": msg21061, + "18894": msg21062, + "18895": msg21063, + "18896": msg21064, + "18897": msg21065, + "18898": msg21066, + "18899": msg21067, + "189": select114, + "1890": select1779, + "18900": msg21068, + "18901": msg21069, + "18902": msg21070, + "18903": msg21071, + "18904": msg21072, + "18905": msg21073, + "18906": msg21074, + "18907": msg21075, + "18908": msg21076, + "18909": msg21077, + "1891": select1780, + "18910": msg21078, + "18911": msg21079, + "18912": msg21080, + "18913": msg21081, + "18914": msg21082, + "18915": msg21083, + "18916": msg21084, + "18917": msg21085, + "18918": msg21086, + "18919": msg21087, + "1892": msg3684, + "18920": msg21088, + "18921": msg21089, + "18922": msg21090, + "18923": msg21091, + "18924": msg21092, + "18925": msg21093, + "18926": msg21094, + "18927": msg21095, + "18928": msg21096, + "18929": msg21097, + "1893": select1781, + "18930": msg21098, + "18931": msg21099, + "18932": msg21100, + "18933": msg21101, + "18934": msg21102, + "18935": msg21103, + "18936": msg21104, + "18937": msg21105, + "18938": msg21106, + "18939": msg21107, + "1894": select1782, + "18940": msg21108, + "18941": msg21109, + "18942": msg21110, + "18943": msg21111, + "18944": msg21112, + "18945": msg21113, + "18946": msg21114, + "18947": msg21115, + "18948": msg21116, + "18949": msg21117, + "1895": select1783, + "18950": msg21118, + "18951": msg21119, + "18952": msg21120, + "18953": msg21121, + "18954": msg21122, + "18955": msg21123, + "18956": msg21124, + "18957": msg21125, + "18958": msg21126, + "18959": msg21127, + "1896": select1784, + "18960": msg21128, + "18961": msg21129, + "18962": msg21130, + "18963": msg21131, + "18964": msg21132, + "18965": msg21133, + "18966": msg21134, + "18967": msg21135, + "18968": msg21136, + "18969": msg21137, + "1897": select1785, + "18970": msg21138, + "18971": msg21139, + "18972": msg21140, + "18973": msg21141, + "18974": msg21142, + "18975": msg21143, + "18976": msg21144, + "18977": msg21145, + "18978": msg21146, + "18979": msg21147, + "1898": select1786, + "18980": msg21148, + "18981": msg21149, + "18982": msg21150, + "18983": msg21151, + "18984": msg21152, + "18985": msg21153, + "18986": msg21154, + "18987": msg21155, + "18988": msg21156, + "18989": msg21157, + "1899": select1787, + "18990": msg21158, + "18991": msg21159, + "18992": msg21160, + "18993": msg21161, + "18994": msg21162, + "18995": msg21163, + "18996": msg21164, + "18997": msg21165, + "18998": msg21166, + "18999": msg21167, + "19": select20, + "190": select115, + "1900": select1788, + "19000": msg21168, + "19001": msg21169, + "19002": msg21170, + "19003": msg21171, + "19004": msg21172, + "19005": msg21173, + "19006": msg21174, + "19007": msg21175, + "19008": msg21176, + "19009": msg21177, + "1901": select1789, + "19010": msg21178, + "19011": msg21179, + "19012": msg21180, + "19013": msg21181, + "19014": msg21182, + "19015": msg21183, + "19016": msg21184, + "19017": msg21185, + "19018": msg21186, + "19019": msg21187, + "1902": select1790, + "19020": msg21188, + "19021": msg21189, + "19022": msg21190, + "19023": msg21191, + "19024": msg21192, + "19025": msg21193, + "19026": msg21194, + "19027": msg21195, + "19028": msg21196, + "19029": msg21197, + "1903": select1791, + "19030": msg21198, + "19031": msg21199, + "19032": msg21200, + "19033": msg21201, + "19034": msg21202, + "19035": msg21203, + "19036": msg21204, + "19037": msg21205, + "19038": msg21206, + "19039": msg21207, + "1904": select1792, + "19040": msg21208, + "19041": msg21209, + "19042": msg21210, + "19043": msg21211, + "19044": msg21212, + "19045": msg21213, + "19046": msg21214, + "19047": msg21215, + "19048": msg21216, + "19049": msg21217, + "1905": select1793, + "19050": msg21218, + "19051": msg21219, + "19052": msg21220, + "19053": msg21221, + "19054": msg21222, + "19055": msg21223, + "19056": msg21224, + "19057": msg21225, + "19058": msg21226, + "19059": msg21227, + "1906": select1794, + "19060": msg21228, + "19061": msg21229, + "19062": msg21230, + "19063": msg21231, + "19064": msg21232, + "19065": msg21233, + "19066": msg21234, + "19067": msg21235, + "19068": msg21236, + "19069": msg21237, + "1907": select1795, + "19070": msg21238, + "19071": msg21239, + "19072": msg21240, + "19073": msg21241, + "19074": msg21242, + "19075": msg21243, + "19076": msg21244, + "19077": msg21245, + "19078": msg21246, + "19079": msg21247, + "1908": select1796, + "19080": msg21248, + "19081": msg21249, + "19082": msg21250, + "19083": msg21251, + "19084": msg21252, + "19085": msg21253, + "19086": msg21254, + "19087": msg21255, + "19088": msg21256, + "19089": msg21257, + "1909": select1797, + "19090": msg21258, + "19091": msg21259, + "19092": msg21260, + "19093": msg21261, + "19094": msg21262, + "19095": msg21263, + "19096": msg21264, + "19097": msg21265, + "19098": msg21266, + "19099": msg21267, + "191": select116, + "1910": select1798, + "19100": msg21268, + "19101": msg21269, + "19102": msg21270, + "19103": msg21271, + "19104": msg21272, + "19105": msg21273, + "19106": msg21274, + "19107": msg21275, + "19108": msg21276, + "19109": msg21277, + "1911": select1799, + "19110": msg21278, + "19111": msg21279, + "19112": msg21280, + "19113": msg21281, + "19114": msg21282, + "19115": msg21283, + "19116": msg21284, + "19117": msg21285, + "19118": msg21286, + "19119": msg21287, + "1912": select1800, + "19120": msg21288, + "19121": msg21289, + "19122": msg21290, + "19123": msg21291, + "19124": msg21292, + "19125": msg21293, + "19126": msg21294, + "19127": msg21295, + "19128": msg21296, + "19129": msg21297, + "1913": select1801, + "19130": msg21298, + "19131": msg21299, + "19132": msg21300, + "19133": msg21301, + "19134": msg21302, + "19135": msg21303, + "19136": msg21304, + "19137": msg21305, + "19138": msg21306, + "19139": msg21307, + "1914": select1802, + "19140": msg21308, + "19141": msg21309, + "19142": msg21310, + "19143": msg21311, + "19144": msg21312, + "19145": msg21313, + "19146": msg21314, + "19147": msg21315, + "19148": msg21316, + "19149": msg21317, + "1915": select1803, + "19150": msg21318, + "19151": msg21319, + "19152": msg21320, + "19153": msg21321, + "19154": msg21322, + "19155": msg21323, + "19156": msg21324, + "19157": msg21325, + "19158": msg21326, + "19159": msg21327, + "1916": select1804, + "19160": msg21328, + "19161": msg21329, + "19162": msg21330, + "19163": msg21331, + "19164": msg21332, + "19165": msg21333, + "19166": msg21334, + "19167": msg21335, + "19168": msg21336, + "19169": msg21337, + "1917": select1805, + "19170": msg21338, + "19171": msg21339, + "19172": msg21340, + "19173": msg21341, + "19174": msg21342, + "19175": msg21343, + "19176": msg21344, + "19177": msg21345, + "19178": msg21346, + "19179": msg21347, + "1918": select1806, + "19180": msg21348, + "19181": msg21349, + "19182": msg21350, + "19183": msg21351, + "19184": msg21352, + "19185": msg21353, + "19186": msg21354, + "19187": msg21355, + "19188": msg21356, + "19189": msg21357, + "1919": select1807, + "19190": msg21358, + "19191": msg21359, + "19192": msg21360, + "19193": msg21361, + "19194": msg21362, + "19195": msg21363, + "19196": msg21364, + "19197": msg21365, + "19198": msg21366, + "19199": msg21367, + "192": select117, + "1920": select1808, + "19200": msg21368, + "19201": msg21369, + "19202": msg21370, + "19203": msg21371, + "19204": msg21372, + "19205": msg21373, + "19206": msg21374, + "19207": msg21375, + "19208": msg21376, + "19209": msg21377, + "1921": select1809, + "19210": msg21378, + "19211": msg21379, + "19212": msg21380, + "19213": msg21381, + "19214": msg21382, + "19215": msg21383, + "19216": msg21384, + "19217": msg21385, + "19218": msg21386, + "19219": msg21387, + "1922": select1810, + "19220": msg21388, + "19221": msg21389, + "19222": msg21390, + "19223": msg21391, + "19224": msg21392, + "19225": msg21393, + "19226": msg21394, + "19227": msg21395, + "19228": msg21396, + "19229": msg21397, + "1923": select1811, + "19230": msg21398, + "19231": msg21399, + "19232": msg21400, + "19233": msg21401, + "19234": msg21402, + "19235": msg21403, + "19236": msg21404, + "19237": msg21405, + "19238": msg21406, + "19239": msg21407, + "1924": select1812, + "19240": msg21408, + "19241": msg21409, + "19242": msg21410, + "19243": msg21411, + "19244": msg21412, + "19245": msg21413, + "19246": msg21414, + "19247": msg21415, + "19248": msg21416, + "19249": msg21417, + "1925": select1813, + "19250": msg21418, + "19251": msg21419, + "19252": msg21420, + "19253": msg21421, + "19254": msg21422, + "19255": msg21423, + "19256": msg21424, + "19257": msg21425, + "19258": msg21426, + "19259": msg21427, + "1926": select1814, + "19260": msg21428, + "19261": msg21429, + "19262": msg21430, + "19263": msg21431, + "19264": msg21432, + "19265": msg21433, + "19266": msg21434, + "19267": msg21435, + "19268": msg21436, + "19269": msg21437, + "1927": select1815, + "19270": msg21438, + "19271": msg21439, + "19272": msg21440, + "19273": msg21441, + "19274": msg21442, + "19275": msg21443, + "19276": msg21444, + "19277": msg21445, + "19278": msg21446, + "19279": msg21447, + "1928": select1816, + "19280": msg21448, + "19281": msg21449, + "19282": msg21450, + "19283": msg21451, + "19284": msg21452, + "19285": msg21453, + "19286": msg21454, + "19287": msg21455, + "19288": msg21456, + "19289": msg21457, + "1929": select1817, + "19290": msg21458, + "19291": msg21459, + "19292": msg21460, + "19293": msg21461, + "19294": msg21462, + "19295": msg21463, + "19296": msg21464, + "19297": msg21465, + "19298": msg21466, + "19299": msg21467, + "193": select118, + "1930": select1818, + "19300": msg21468, + "19301": msg21469, + "19302": msg21470, + "19303": msg21471, + "19304": msg21472, + "19305": msg21473, + "19306": msg21474, + "19307": msg21475, + "19308": msg21476, + "19309": msg21477, + "1931": select1819, + "19310": msg21478, + "19311": msg21479, + "19312": msg21480, + "19313": msg21481, + "19314": msg21482, + "19315": msg21483, + "19316": msg21484, + "19317": msg21485, + "19318": msg21486, + "19319": msg21487, + "1932": select1820, + "19320": msg21488, + "19321": msg21489, + "19322": msg21490, + "19323": msg21491, + "19324": msg21492, + "19325": msg21493, + "19326": msg21494, + "19327": msg21495, + "19328": msg21496, + "19329": msg21497, + "1933": select1821, + "19330": msg21498, + "19331": msg21499, + "19332": msg21500, + "19333": msg21501, + "19334": msg21502, + "19335": msg21503, + "19336": msg21504, + "19337": msg21505, + "19338": msg21506, + "19339": msg21507, + "1934": select1822, + "19340": msg21508, + "19341": msg21509, + "19342": msg21510, + "19343": msg21511, + "19344": msg21512, + "19345": msg21513, + "19346": msg21514, + "19347": msg21515, + "19348": msg21516, + "19349": msg21517, + "1935": select1823, + "19350": msg21518, + "19351": msg21519, + "19352": msg21520, + "19353": msg21521, + "19354": msg21522, + "19355": msg21523, + "19356": msg21524, + "19357": msg21525, + "19358": msg21526, + "19359": msg21527, + "1936": select1824, + "19360": msg21528, + "19361": msg21529, + "19362": msg21530, + "19363": msg21531, + "19364": msg21532, + "19365": msg21533, + "19366": msg21534, + "19367": msg21535, + "19368": msg21536, + "19369": msg21537, + "1937": select1825, + "19370": msg21538, + "19371": msg21539, + "19372": msg21540, + "19373": msg21541, + "19374": msg21542, + "19375": msg21543, + "19376": msg21544, + "19377": msg21545, + "19378": msg21546, + "19379": msg21547, + "1938": select1826, + "19380": msg21548, + "19381": msg21549, + "19382": msg21550, + "19383": msg21551, + "19384": msg21552, + "19385": msg21553, + "19386": msg21554, + "19387": msg21555, + "19388": msg21556, + "19389": msg21557, + "1939": select1827, + "19390": msg21558, + "19391": msg21559, + "19392": msg21560, + "19393": msg21561, + "19394": msg21562, + "19395": msg21563, + "19396": msg21564, + "19397": msg21565, + "19398": msg21566, + "19399": msg21567, + "194": select119, + "1940": select1828, + "19400": msg21568, + "19401": msg21569, + "19402": msg21570, + "19403": msg21571, + "19404": msg21572, + "19405": msg21573, + "19406": msg21574, + "19407": msg21575, + "19408": msg21576, + "19409": msg21577, + "1941": select1829, + "19410": msg21578, + "19411": msg21579, + "19412": msg21580, + "19413": msg21581, + "19414": msg21582, + "19415": msg21583, + "19416": msg21584, + "19417": msg21585, + "19418": msg21586, + "19419": msg21587, + "1942": select1830, + "19420": msg21588, + "19421": msg21589, + "19422": msg21590, + "19423": msg21591, + "19424": msg21592, + "19425": msg21593, + "19426": msg21594, + "19427": msg21595, + "19428": msg21596, + "19429": msg21597, + "1943": select1831, + "19430": msg21598, + "19431": msg21599, + "19432": msg21600, + "19433": msg21601, + "19434": msg21602, + "19435": msg21603, + "19436": msg21604, + "19437": msg21605, + "19438": msg21606, + "19439": msg21607, + "1944": select1832, + "19440": msg21608, + "19441": msg21609, + "19442": msg21610, + "19443": msg21611, + "19444": msg21612, + "19445": msg21613, + "19446": msg21614, + "19447": msg21615, + "19448": msg21616, + "19449": msg21617, + "1945": select1833, + "19450": msg21618, + "19451": msg21619, + "19452": msg21620, + "19453": msg21621, + "19454": msg21622, + "19455": msg21623, + "19456": msg21624, + "19457": msg21625, + "19458": msg21626, + "19459": msg21627, + "1946": select1834, + "19460": msg21628, + "19461": msg21629, + "19462": msg21630, + "19463": msg21631, + "19464": msg21632, + "19465": msg21633, + "19466": msg21634, + "19467": msg21635, + "19468": msg21636, + "19469": msg21637, + "1947": select1835, + "19470": msg21638, + "19471": msg21639, + "19472": msg21640, + "19473": msg21641, + "19474": msg21642, + "19475": msg21643, + "19476": msg21644, + "19477": msg21645, + "19478": msg21646, + "19479": msg21647, + "1948": select1836, + "19480": msg21648, + "19481": msg21649, + "19482": msg21650, + "19483": msg21651, + "19484": msg21652, + "19485": msg21653, + "19486": msg21654, + "19487": msg21655, + "19488": msg21656, + "19489": msg21657, + "1949": select1837, + "19490": msg21658, + "19491": msg21659, + "19492": msg21660, + "19493": msg21661, + "19494": msg21662, + "19495": msg21663, + "19496": msg21664, + "19497": msg21665, + "19498": msg21666, + "19499": msg21667, + "195": select120, + "1950": select1838, + "19500": msg21668, + "19501": msg21669, + "19502": msg21670, + "19503": msg21671, + "19504": msg21672, + "19505": msg21673, + "19506": msg21674, + "19507": msg21675, + "19508": msg21676, + "19509": msg21677, + "1951": select1839, + "19510": msg21678, + "19511": msg21679, + "19512": msg21680, + "19513": msg21681, + "19514": msg21682, + "19515": msg21683, + "19516": msg21684, + "19517": msg21685, + "19518": msg21686, + "19519": msg21687, + "1952": select1840, + "19520": msg21688, + "19521": msg21689, + "19522": msg21690, + "19523": msg21691, + "19524": msg21692, + "19525": msg21693, + "19526": msg21694, + "19527": msg21695, + "19528": msg21696, + "19529": msg21697, + "1953": select1841, + "19530": msg21698, + "19531": msg21699, + "19532": msg21700, + "19533": msg21701, + "19534": msg21702, + "19535": msg21703, + "19536": msg21704, + "19537": msg21705, + "19538": msg21706, + "19539": msg21707, + "1954": select1842, + "19540": msg21708, + "19541": msg21709, + "19542": msg21710, + "19543": msg21711, + "19544": msg21712, + "19545": msg21713, + "19546": msg21714, + "19547": msg21715, + "19548": msg21716, + "19549": msg21717, + "1955": select1843, + "19550": msg21718, + "19551": msg21719, + "19552": msg21720, + "19553": msg21721, + "19554": msg21722, + "19555": msg21723, + "19556": msg21724, + "19557": msg21725, + "19558": msg21726, + "19559": msg21727, + "1956": select1844, + "19560": msg21728, + "19561": msg21729, + "19562": msg21730, + "19563": msg21731, + "19564": msg21732, + "19565": msg21733, + "19566": msg21734, + "19567": msg21735, + "19568": msg21736, + "19569": msg21737, + "1957": select1845, + "19570": msg21738, + "19571": msg21739, + "19572": msg21740, + "19573": msg21741, + "19574": msg21742, + "19575": msg21743, + "19576": msg21744, + "19577": msg21745, + "19578": msg21746, + "19579": msg21747, + "1958": select1846, + "19580": msg21748, + "19581": msg21749, + "19582": msg21750, + "19583": msg21751, + "19584": msg21752, + "19585": msg21753, + "19586": msg21754, + "19587": msg21755, + "19588": msg21756, + "19589": msg21757, + "1959": select1847, + "19590": msg21758, + "19591": msg21759, + "19592": msg21760, + "19593": msg21761, + "19594": msg21762, + "19595": msg21763, + "19596": msg21764, + "19597": msg21765, + "19598": msg21766, + "19599": msg21767, + "196": select121, + "1960": select1848, + "19600": msg21768, + "19601": msg21769, + "19602": msg21770, + "19603": msg21771, + "19604": msg21772, + "19605": msg21773, + "19606": msg21774, + "19607": msg21775, + "19608": msg21776, + "19609": msg21777, + "1961": select1849, + "19610": msg21778, + "19611": msg21779, + "19612": msg21780, + "19613": msg21781, + "19614": msg21782, + "19615": msg21783, + "19616": msg21784, + "19617": msg21785, + "19618": msg21786, + "19619": msg21787, + "1962": select1850, + "19620": msg21788, + "19621": msg21789, + "19622": msg21790, + "19623": msg21791, + "19624": msg21792, + "19625": msg21793, + "19626": msg21794, + "19627": msg21795, + "19628": msg21796, + "19629": msg21797, + "1963": select1851, + "19630": msg21798, + "19631": msg21799, + "19632": msg21800, + "19633": msg21801, + "19634": msg21802, + "19635": msg21803, + "19636": msg21804, + "19637": msg21805, + "19638": msg21806, + "19639": msg21807, + "1964": select1852, + "19640": msg21808, + "19641": msg21809, + "19642": msg21810, + "19643": msg21811, + "19644": msg21812, + "19645": msg21813, + "19646": msg21814, + "19647": msg21815, + "19648": msg21816, + "19649": msg21817, + "1965": select1853, + "19650": msg21818, + "19651": msg21819, + "19652": msg21820, + "19653": msg21821, + "19654": msg21822, + "19655": msg21823, + "19656": msg21824, + "19657": msg21825, + "19658": msg21826, + "19659": msg21827, + "1966": select1854, + "19660": msg21828, + "19661": msg21829, + "19662": msg21830, + "19663": msg21831, + "19664": msg21832, + "19665": msg21833, + "19666": msg21834, + "19667": msg21835, + "19668": msg21836, + "19669": msg21837, + "1967": select1855, + "19670": msg21838, + "19671": msg21839, + "19672": msg21840, + "19673": msg21841, + "19674": msg21842, + "19675": msg21843, + "19676": msg21844, + "19677": msg21845, + "19678": msg21846, + "19679": msg21847, + "1968": select1856, + "19680": msg21848, + "19681": msg21849, + "19682": msg21850, + "19683": msg21851, + "19684": msg21852, + "19685": msg21853, + "19686": msg21854, + "19687": msg21855, + "19688": msg21856, + "19689": msg21857, + "1969": select1857, + "19690": msg21858, + "19691": msg21859, + "19692": msg21860, + "19693": msg21861, + "19694": msg21862, + "19695": msg21863, + "19696": msg21864, + "19697": msg21865, + "19698": msg21866, + "19699": msg21867, + "197": select122, + "1970": select1858, + "19700": msg21868, + "19701": msg21869, + "19702": msg21870, + "19703": msg21871, + "19704": msg21872, + "19705": msg21873, + "19706": msg21874, + "19707": msg21875, + "19708": msg21876, + "19709": msg21877, + "1971": select1859, + "19710": msg21878, + "19711": msg21879, + "19712": msg21880, + "19713": msg21881, + "19714": msg21882, + "19715": msg21883, + "19716": msg21884, + "19717": msg21885, + "19718": msg21886, + "19719": msg21887, + "1972": select1860, + "19720": msg21888, + "19721": msg21889, + "19722": msg21890, + "19723": msg21891, + "19724": msg21892, + "19725": msg21893, + "19726": msg21894, + "19727": msg21895, + "19728": msg21896, + "19729": msg21897, + "1973": select1861, + "19730": msg21898, + "19731": msg21899, + "19732": msg21900, + "19733": msg21901, + "19734": msg21902, + "19735": msg21903, + "19736": msg21904, + "19737": msg21905, + "19738": msg21906, + "19739": msg21907, + "1974": select1862, + "19740": msg21908, + "19741": msg21909, + "19742": msg21910, + "19743": msg21911, + "19744": msg21912, + "19745": msg21913, + "19746": msg21914, + "19747": msg21915, + "19748": msg21916, + "19749": msg21917, + "1975": select1863, + "19750": msg21918, + "19751": msg21919, + "19752": msg21920, + "19753": msg21921, + "19754": msg21922, + "19755": msg21923, + "19756": msg21924, + "19757": msg21925, + "19758": msg21926, + "19759": msg21927, + "1976": select1864, + "19760": msg21928, + "19761": msg21929, + "19762": msg21930, + "19763": msg21931, + "19764": msg21932, + "19765": msg21933, + "19766": msg21934, + "19767": msg21935, + "19768": msg21936, + "19769": msg21937, + "1977": select1865, + "19770": msg21938, + "19771": msg21939, + "19772": msg21940, + "19773": msg21941, + "19774": msg21942, + "19775": msg21943, + "19776": msg21944, + "19777": msg21945, + "19778": msg21946, + "19779": msg21947, + "1978": select1866, + "19780": msg21948, + "19781": msg21949, + "19782": msg21950, + "19783": msg21951, + "19784": msg21952, + "19785": msg21953, + "19786": msg21954, + "19787": msg21955, + "19788": msg21956, + "19789": msg21957, + "1979": select1867, + "19790": msg21958, + "19791": msg21959, + "19792": msg21960, + "19793": msg21961, + "19794": msg21962, + "19795": msg21963, + "19796": msg21964, + "19797": msg21965, + "19798": msg21966, + "19799": msg21967, + "198": select123, + "1980": select1868, + "19800": msg21968, + "19801": msg21969, + "19802": msg21970, + "19803": msg21971, + "19804": msg21972, + "19805": msg21973, + "19806": msg21974, + "19807": msg21975, + "19808": msg21976, + "19809": msg21977, + "1981": select1869, + "19810": msg21978, + "19811": msg21979, + "19812": msg21980, + "19813": msg21981, + "19814": msg21982, + "19815": msg21983, + "19816": msg21984, + "19817": msg21985, + "19818": msg21986, + "19819": msg21987, + "1982": select1870, + "19820": msg21988, + "19821": msg21989, + "19822": msg21990, + "19823": msg21991, + "19824": msg21992, + "19825": msg21993, + "19826": msg21994, + "19827": msg21995, + "19828": msg21996, + "19829": msg21997, + "1983": select1871, + "19830": msg21998, + "19831": msg21999, + "19832": msg22000, + "19833": msg22001, + "19834": msg22002, + "19835": msg22003, + "19836": msg22004, + "19837": msg22005, + "19838": msg22006, + "19839": msg22007, + "1984": select1872, + "19840": msg22008, + "19841": msg22009, + "19842": msg22010, + "19843": msg22011, + "19844": msg22012, + "19845": msg22013, + "19846": msg22014, + "19847": msg22015, + "19848": msg22016, + "19849": msg22017, + "1985": select1873, + "19850": msg22018, + "19851": msg22019, + "19852": msg22020, + "19853": msg22021, + "19854": msg22022, + "19855": msg22023, + "19856": msg22024, + "19857": msg22025, + "19858": msg22026, + "19859": msg22027, + "1986": select1874, + "19860": msg22028, + "19861": msg22029, + "19862": msg22030, + "19863": msg22031, + "19864": msg22032, + "19865": msg22033, + "19866": msg22034, + "19867": msg22035, + "19868": msg22036, + "19869": msg22037, + "1987": select1875, + "19870": msg22038, + "19871": msg22039, + "19872": msg22040, + "19873": msg22041, + "19874": msg22042, + "19875": msg22043, + "19876": msg22044, + "19877": msg22045, + "19878": msg22046, + "19879": msg22047, + "1988": select1876, + "19880": msg22048, + "19881": msg22049, + "19882": msg22050, + "19883": msg22051, + "19884": msg22052, + "19885": msg22053, + "19886": msg22054, + "19887": msg22055, + "19888": msg22056, + "19889": msg22057, + "1989": select1877, + "19890": msg22058, + "19891": msg22059, + "19892": msg22060, + "19893": msg22061, + "19894": msg22062, + "19895": msg22063, + "19896": msg22064, + "19897": msg22065, + "19898": msg22066, + "19899": msg22067, + "199": select124, + "1990": select1878, + "19900": msg22068, + "19901": msg22069, + "19902": msg22070, + "19903": msg22071, + "19904": msg22072, + "19905": msg22073, + "19906": msg22074, + "19907": msg22075, + "19908": msg22076, + "19909": msg22077, + "1991": select1879, + "19910": msg22078, + "19911": msg22079, + "19912": msg22080, + "19914": msg22081, + "19915": msg22082, + "19916": msg22083, + "19917": msg22084, + "19918": msg22085, + "19919": msg22086, + "1992": select1880, + "19920": msg22087, + "19921": msg22088, + "19922": msg22089, + "19923": msg22090, + "19924": msg22091, + "19925": msg22092, + "19926": msg22093, + "19927": msg22094, + "19928": msg22095, + "19929": msg22096, + "1993": select1881, + "19930": msg22097, + "19931": msg22098, + "19932": msg22099, + "19933": msg22100, + "19934": msg22101, + "19935": msg22102, + "19936": msg22103, + "19937": msg22104, + "19938": msg22105, + "19939": msg22106, + "1994": select1882, + "19940": msg22107, + "19941": msg22108, + "19942": msg22109, + "19943": msg22110, + "19944": msg22111, + "19945": msg22112, + "19946": msg22113, + "19947": msg22114, + "19948": msg22115, + "19949": msg22116, + "1995": select1883, + "19950": msg22117, + "19951": msg22118, + "19952": msg22119, + "19953": msg22120, + "19954": msg22121, + "19955": msg22122, + "19956": msg22123, + "19957": msg22124, + "19958": msg22125, + "19959": msg22126, + "1996": select1884, + "19960": msg22127, + "19961": msg22128, + "19962": msg22129, + "19963": msg22130, + "19964": msg22131, + "19965": msg22132, + "19966": msg22133, + "19967": msg22134, + "19968": msg22135, + "19969": msg22136, + "1997": select1885, + "19970": msg22137, + "19971": msg22138, + "19972": msg22139, + "19973": msg22140, + "19974": msg22141, + "19975": msg22142, + "19976": msg22143, + "19977": msg22144, + "19978": msg22145, + "19979": msg22146, + "1998": select1886, + "19980": msg22147, + "19981": msg22148, + "19982": msg22149, + "19983": msg22150, + "19984": msg22151, + "19985": msg22152, + "19986": msg22153, + "19987": msg22154, + "19988": msg22155, + "19989": msg22156, + "1999": select1887, + "19990": msg22157, + "19991": msg22158, + "19992": msg22159, + "19993": msg22160, + "19994": msg22161, + "19995": msg22162, + "19996": msg22163, + "19997": msg22164, + "19998": msg22165, + "19999": msg22166, + "2": select8, + "20": select21, + "200": select125, + "2000": select1888, + "20000": msg22167, + "20001": msg22168, + "20002": msg22169, + "20003": msg22170, + "20004": msg22171, + "2000480": msg38326, + "20005": msg22172, + "2000538": msg38327, + "2000540": msg38328, + "2000562": msg38329, + "20006": msg22173, + "2000648": msg38330, + "20007": msg22174, + "2000716": msg38331, + "20008": msg22175, + "20009": msg22176, + "2000969": msg38332, + "2000971": msg38333, + "2000974": msg38334, + "2000976": msg38335, + "2000977": msg38336, + "2000987": msg38337, + "2000990": msg38338, + "2000993": msg38339, + "2000997": msg38340, + "2001": select1889, + "20010": msg22177, + "2001002": msg38341, + "2001010": msg38342, + "2001012": msg38343, + "2001013": msg38344, + "2001023": msg38345, + "2001025": msg38346, + "2001030": msg38347, + "2001040": msg38348, + "2001042": msg38349, + "20011": msg22178, + "20012": msg22179, + "2001244": msg38350, + "2001245": msg38351, + "2001286": msg38352, + "2001287": msg38353, + "2001288": msg38354, + "20013": msg22180, + "2001367": msg38355, + "20014": msg22181, + "2001400": msg38356, + "2001402": msg38357, + "2001411": msg38358, + "2001417": msg38359, + "2001419": msg38360, + "20015": msg22182, + "2001567": msg38361, + "2001568": msg38362, + "2001569": msg38363, + "2001579": msg38364, + "2001581": msg38365, + "20016": msg22183, + "20017": msg22184, + "2001726": msg38366, + "20018": msg22185, + "2001801": msg38367, + "2001852": msg38368, + "2001893": msg38369, + "20019": msg22186, + "2001904": msg38370, + "2001945": msg38371, + "2001970": msg38372, + "2001972": msg38373, + "2002": select1890, + "20020": msg22187, + "2002032": msg38374, + "20021": msg22188, + "2002134": msg38375, + "2002170": msg38376, + "2002176": msg38377, + "2002190": msg38378, + "2002196": msg38379, + "20022": msg22189, + "2002200": msg38380, + "2002205": msg38381, + "20023": msg22190, + "20024": msg22191, + "20025": msg22192, + "20026": msg22193, + "20027": msg22194, + "20028": msg22195, + "20029": msg22196, + "2002910": msg38382, + "2002911": msg38383, + "2002992": msg38384, + "2002993": msg38385, + "2002994": msg38386, + "2003": select1891, + "20030": msg22197, + "20031": msg22198, + "2003157": msg38387, + "2003183": msg38388, + "20032": msg22199, + "20033": msg22200, + "2003380": msg38389, + "20034": msg22201, + "20035": msg22202, + "20036": msg22203, + "2003642": msg38390, + "20037": msg22204, + "20038": msg22205, + "2003870": msg38391, + "20039": msg22206, + "2004": select1892, + "20040": msg22207, + "20041": msg22208, + "20042": msg22209, + "20043": msg22210, + "20044": msg22211, + "20045": msg22212, + "20046": msg22213, + "20047": msg22214, + "20048": msg22215, + "20049": msg22216, + "2005": select1893, + "20050": msg22217, + "20051": msg22218, + "20052": msg22219, + "20053": msg22220, + "20054": msg22221, + "20055": msg22222, + "20056": msg22223, + "20057": msg22224, + "20058": msg22225, + "20059": msg22226, + "2006": select1894, + "20060": msg22227, + "20061": msg22228, + "20062": msg22229, + "20063": msg22230, + "20064": msg22231, + "20065": msg22232, + "20066": msg22233, + "20067": msg22234, + "20068": msg22235, + "20069": msg22236, + "2007": select1895, + "20070": msg22237, + "20071": msg22238, + "2007142": msg38392, + "20072": msg22239, + "20073": msg22240, + "20074": msg22241, + "20075": msg22242, + "2007585": msg38393, + "2007588": msg38394, + "2007594": msg38395, + "20076": msg22243, + "2007688": msg38396, + "20077": msg22244, + "2007702": msg38397, + "2007724": msg38398, + "20078": msg22245, + "20079": msg22246, + "2007920": msg38399, + "2007962": msg38400, + "2007963": msg38401, + "2007964": msg38402, + "2008": select1896, + "20080": msg22247, + "2008010": msg38403, + "2008056": msg38404, + "2008059": msg38405, + "2008082": msg38406, + "20081": msg22248, + "2008109": msg38407, + "2008124": msg38408, + "2008143": msg38409, + "2008182": msg38410, + "2008194": msg38411, + "20082": msg22249, + "20083": msg22250, + "2008335": msg38412, + "2008373": msg38413, + "2008384": msg38414, + "2008386": msg38415, + "20084": msg22251, + "2008420": msg38416, + "2008475": msg38417, + "2008480": msg38418, + "20085": msg22252, + "2008505": msg38419, + "20086": msg22253, + "20087": msg22254, + "20088": msg22255, + "20089": msg22256, + "2009": select1897, + "20090": msg22257, + "20091": msg22258, + "20092": msg22259, + "20093": msg22260, + "20094": msg22261, + "20095": msg22262, + "20096": msg22263, + "20097": msg22264, + "20098": msg22265, + "20099": msg22266, + "201": select126, + "2010": select1898, + "20100": msg22267, + "20101": msg22268, + "20102": msg22269, + "20103": msg22270, + "20104": msg22271, + "20105": msg22272, + "20106": msg22273, + "20107": msg22274, + "20108": msg22275, + "20109": msg22276, + "2011": select1899, + "20110": msg22277, + "20111": msg22278, + "20112": msg22279, + "20113": msg22280, + "20114": msg22281, + "20115": msg22282, + "20116": msg22283, + "20117": msg22284, + "20118": msg22285, + "20119": msg22286, + "2012": select1900, + "20120": msg22287, + "20121": msg22288, + "20122": msg22289, + "20123": msg22290, + "20124": msg22291, + "20125": msg22292, + "20126": msg22293, + "20127": msg22294, + "20128": msg22295, + "20129": msg22296, + "2013": select1901, + "20130": msg22297, + "20131": msg22298, + "20132": msg22299, + "20133": msg22300, + "20134": msg22301, + "20135": msg22302, + "20136": msg22303, + "20137": msg22304, + "20138": msg22305, + "20139": msg22306, + "2014": select1902, + "20140": msg22307, + "20141": msg22308, + "20142": msg22309, + "20143": msg22310, + "20144": msg22311, + "20145": msg22312, + "20146": msg22313, + "20147": msg22314, + "20148": msg22315, + "20149": msg22316, + "2015": select1903, + "20150": msg22317, + "20151": msg22318, + "20152": msg22319, + "20153": msg22320, + "20154": msg22321, + "20155": msg22322, + "20156": msg22323, + "20157": msg22324, + "20158": msg22325, + "20159": msg22326, + "2016": select1904, + "20160": msg22327, + "20161": msg22328, + "20162": msg22329, + "20163": msg22330, + "20164": msg22331, + "20165": msg22332, + "20166": msg22333, + "20167": msg22334, + "20168": msg22335, + "20169": msg22336, + "2017": select1905, + "20170": msg22337, + "20171": msg22338, + "20172": msg22339, + "20173": msg22340, + "20174": msg22341, + "20175": msg22342, + "20176": msg22343, + "20177": msg22344, + "20178": msg22345, + "20179": msg22346, + "2018": select1906, + "20180": msg22347, + "20181": msg22348, + "20182": msg22349, + "20183": msg22350, + "20184": msg22351, + "20185": msg22352, + "20186": msg22353, + "20187": msg22354, + "20188": msg22355, + "20189": msg22356, + "2019": select1907, + "20190": msg22357, + "20191": msg22358, + "20192": msg22359, + "20193": msg22360, + "20194": msg22361, + "20195": msg22362, + "20196": msg22363, + "20197": msg22364, + "20198": msg22365, + "20199": msg22366, + "202": select127, + "2020": select1908, + "20200": msg22367, + "20201": msg22368, + "20202": msg22369, + "20203": msg22370, + "20204": msg22371, + "20205": msg22372, + "20206": msg22373, + "20207": msg22374, + "20208": msg22375, + "20209": msg22376, + "2021": select1909, + "20210": msg22377, + "20211": msg22378, + "20212": msg22379, + "20213": msg22380, + "20214": msg22381, + "20215": msg22382, + "20216": msg22383, + "20217": msg22384, + "20218": msg22385, + "20219": msg22386, + "2022": select1910, + "20220": msg22387, + "20221": msg22388, + "20222": msg22389, + "20223": msg22390, + "20224": msg22391, + "20225": msg22392, + "20226": msg22393, + "20227": msg22394, + "20228": msg22395, + "20229": msg22396, + "2023": select1911, + "20230": msg22397, + "20231": msg22398, + "20232": msg22399, + "20233": msg22400, + "20234": msg22401, + "20235": msg22402, + "20236": msg22403, + "20237": msg22404, + "20238": msg22405, + "20239": msg22406, + "2024": select1912, + "20240": msg22407, + "20241": msg22408, + "20242": msg22409, + "20243": msg22410, + "20244": msg22411, + "20245": msg22412, + "20246": msg22413, + "20247": msg22414, + "20248": msg22415, + "20249": msg22416, + "2025": select1913, + "20250": msg22417, + "20251": msg22418, + "20252": msg22419, + "20253": msg22420, + "20254": msg22421, + "20255": msg22422, + "20256": msg22423, + "20257": msg22424, + "20258": msg22425, + "20259": msg22426, + "2026": select1914, + "20260": msg22427, + "20261": msg22428, + "20262": msg22429, + "20263": msg22430, + "20264": msg22431, + "20265": msg22432, + "20266": msg22433, + "20267": msg22434, + "20268": msg22435, + "20269": msg22436, + "2027": select1915, + "20270": msg22437, + "20271": msg22438, + "20272": msg22439, + "20273": msg22440, + "20274": msg22441, + "20275": msg22442, + "20276": msg22443, + "20277": msg22444, + "20278": msg22445, + "20279": msg22446, + "2028": select1916, + "20280": msg22447, + "20281": msg22448, + "20282": msg22449, + "20283": msg22450, + "20284": msg22451, + "20285": msg22452, + "20286": msg22453, + "20287": msg22454, + "20288": msg22455, + "20289": msg22456, + "2029": select1917, + "20290": msg22457, + "20291": msg22458, + "20292": msg22459, + "20293": msg22460, + "20294": msg22461, + "20295": msg22462, + "20296": msg22463, + "20297": msg22464, + "20298": msg22465, + "20299": msg22466, + "203": select128, + "2030": select1918, + "20300": msg22467, + "20301": msg22468, + "20302": msg22469, + "20303": msg22470, + "20304": msg22471, + "20305": msg22472, + "20306": msg22473, + "20307": msg22474, + "20308": msg22475, + "20309": msg22476, + "2031": select1919, + "20310": msg22477, + "20311": msg22478, + "20312": msg22479, + "20313": msg22480, + "20314": msg22481, + "20315": msg22482, + "20316": msg22483, + "20317": msg22484, + "20318": msg22485, + "20319": msg22486, + "2032": select1920, + "20320": msg22487, + "20321": msg22488, + "20322": msg22489, + "20323": msg22490, + "20324": msg22491, + "20325": msg22492, + "20326": msg22493, + "20327": msg22494, + "20328": msg22495, + "20329": msg22496, + "2033": select1921, + "20330": msg22497, + "20331": msg22498, + "20332": msg22499, + "20333": msg22500, + "20334": msg22501, + "20335": msg22502, + "20336": msg22503, + "20337": msg22504, + "20338": msg22505, + "20339": msg22506, + "2034": select1922, + "20340": msg22507, + "20341": msg22508, + "20342": msg22509, + "20343": msg22510, + "20344": msg22511, + "20345": msg22512, + "20346": msg22513, + "20347": msg22514, + "20348": msg22515, + "20349": msg22516, + "2035": select1923, + "20350": msg22517, + "20351": msg22518, + "20352": msg22519, + "20353": msg22520, + "20354": msg22521, + "20355": msg22522, + "20356": msg22523, + "20357": msg22524, + "20358": msg22525, + "20359": msg22526, + "2036": select1924, + "20360": msg22527, + "20361": msg22528, + "20362": msg22529, + "20363": msg22530, + "20364": msg22531, + "20365": msg22532, + "20366": msg22533, + "20367": msg22534, + "20368": msg22535, + "20369": msg22536, + "2037": select1925, + "20370": msg22537, + "20371": msg22538, + "20372": msg22539, + "20373": msg22540, + "20374": msg22541, + "20375": msg22542, + "20376": msg22543, + "20377": msg22544, + "20378": msg22545, + "20379": msg22546, + "2038": select1926, + "20380": msg22547, + "20381": msg22548, + "20382": msg22549, + "20383": msg22550, + "20384": msg22551, + "20385": msg22552, + "20386": msg22553, + "20387": msg22554, + "20388": msg22555, + "20389": msg22556, + "2039": select1927, + "20390": msg22557, + "20391": msg22558, + "20392": msg22559, + "20393": msg22560, + "20394": msg22561, + "20395": msg22562, + "20396": msg22563, + "20397": msg22564, + "20398": msg22565, + "20399": msg22566, + "204": select129, + "2040": select1928, + "20400": msg22567, + "20401": msg22568, + "20402": msg22569, + "20403": msg22570, + "20404": msg22571, + "20405": msg22572, + "20406": msg22573, + "20407": msg22574, + "20408": msg22575, + "20409": msg22576, + "2041": select1929, + "20410": msg22577, + "20411": msg22578, + "20412": msg22579, + "20413": msg22580, + "20414": msg22581, + "20415": msg22582, + "20416": msg22583, + "20417": msg22584, + "20418": msg22585, + "20419": msg22586, + "2042": select1930, + "20420": msg22587, + "20421": msg22588, + "20422": msg22589, + "20423": msg22590, + "20424": msg22591, + "20425": msg22592, + "20426": msg22593, + "20427": msg22594, + "20428": msg22595, + "20429": msg22596, + "2043": select1931, + "20430": msg22597, + "20431": msg22598, + "20432": msg22599, + "20433": msg22600, + "20434": msg22601, + "20435": msg22602, + "20436": msg22603, + "20437": msg22604, + "20438": msg22605, + "20439": msg22606, + "2044": select1932, + "20440": msg22607, + "20441": msg22608, + "20442": msg22609, + "20443": msg22610, + "20444": msg22611, + "20445": msg22612, + "20446": msg22613, + "20447": msg22614, + "20448": msg22615, + "20449": msg22616, + "2045": select1933, + "20450": msg22617, + "20451": msg22618, + "20452": msg22619, + "20453": msg22620, + "20454": msg22621, + "20455": msg22622, + "20456": msg22623, + "20457": msg22624, + "20458": msg22625, + "20459": msg22626, + "2046": select1934, + "20460": msg22627, + "20461": msg22628, + "20462": msg22629, + "20463": msg22630, + "20464": msg22631, + "20465": msg22632, + "20466": msg22633, + "20467": msg22634, + "20468": msg22635, + "20469": msg22636, + "2047": select1935, + "20470": msg22637, + "20471": msg22638, + "20472": msg22639, + "20473": msg22640, + "20474": msg22641, + "20475": msg22642, + "20476": msg22643, + "20477": msg22644, + "20478": msg22645, + "20479": msg22646, + "2048": select1936, + "20480": msg22647, + "20481": msg22648, + "20482": msg22649, + "20483": msg22650, + "20484": msg22651, + "20485": msg22652, + "20486": msg22653, + "20487": msg22654, + "20488": msg22655, + "20489": msg22656, + "2049": select1937, + "20490": msg22657, + "20491": msg22658, + "20492": msg22659, + "20493": msg22660, + "20494": msg22661, + "20495": msg22662, + "20496": msg22663, + "20497": msg22664, + "20498": msg22665, + "20499": msg22666, + "205": select130, + "2050": select1938, + "20500": msg22667, + "20501": msg22668, + "20502": msg22669, + "20503": msg22670, + "20504": msg22671, + "20505": msg22672, + "20506": msg22673, + "20507": msg22674, + "20508": msg22675, + "20509": msg22676, + "2051": select1939, + "20510": msg22677, + "20511": msg22678, + "20512": msg22679, + "20513": msg22680, + "20514": msg22681, + "20515": msg22682, + "20516": msg22683, + "20517": msg22684, + "20518": msg22685, + "20519": msg22686, + "2052": select1940, + "20520": msg22687, + "20521": msg22688, + "20522": msg22689, + "20523": msg22690, + "20524": msg22691, + "20525": msg22692, + "20526": msg22693, + "20527": msg22694, + "20528": msg22695, + "20529": msg22696, + "2053": select1941, + "20530": msg22697, + "20531": msg22698, + "20532": msg22699, + "20533": msg22700, + "20534": msg22701, + "20535": msg22702, + "20536": msg22703, + "20537": msg22704, + "20538": msg22705, + "20539": msg22706, + "2054": select1942, + "20540": msg22707, + "20541": msg22708, + "20542": msg22709, + "20543": msg22710, + "20544": msg22711, + "20545": msg22712, + "20546": msg22713, + "20547": msg22714, + "20548": msg22715, + "20549": msg22716, + "2055": select1943, + "20550": msg22717, + "20551": msg22718, + "20552": msg22719, + "20553": msg22720, + "20554": msg22721, + "20555": msg22722, + "20556": msg22723, + "20557": msg22724, + "20558": msg22725, + "20559": msg22726, + "2056": select1944, + "20560": msg22727, + "20561": msg22728, + "20562": msg22729, + "20563": msg22730, + "20564": msg22731, + "20565": msg22732, + "20566": msg22733, + "20567": msg22734, + "20568": msg22735, + "20569": msg22736, + "2057": select1945, + "20570": msg22737, + "20571": msg22738, + "20572": msg22739, + "20573": msg22740, + "20574": msg22741, + "20575": msg22742, + "20576": msg22743, + "20577": msg22744, + "20578": msg22745, + "20579": msg22746, + "2058": select1946, + "20580": msg22747, + "20581": msg22748, + "20582": msg22749, + "20583": msg22750, + "20584": msg22751, + "20585": msg22752, + "20586": msg22753, + "20587": msg22754, + "20588": msg22755, + "20589": msg22756, + "2059": select1947, + "20590": msg22757, + "20591": msg22758, + "20592": msg22759, + "20593": msg22760, + "20594": msg22761, + "20595": msg22762, + "20596": msg22763, + "20597": msg22764, + "20598": msg22765, + "20599": msg22766, + "206": select131, + "2060": select1948, + "20600": msg22767, + "20601": msg22768, + "20602": msg22769, + "20603": msg22770, + "20604": msg22771, + "20605": msg22772, + "20606": msg22773, + "20607": msg22774, + "20608": msg22775, + "20609": msg22776, + "2061": select1949, + "20610": msg22777, + "20611": msg22778, + "20612": msg22779, + "20613": msg22780, + "20614": msg22781, + "20615": msg22782, + "20616": msg22783, + "20617": msg22784, + "20618": msg22785, + "20619": msg22786, + "2062": select1950, + "20620": msg22787, + "20621": msg22788, + "20622": msg22789, + "20623": msg22790, + "20624": msg22791, + "20625": msg22792, + "20626": msg22793, + "20627": msg22794, + "20628": msg22795, + "20629": msg22796, + "2063": select1951, + "20630": msg22797, + "20631": msg22798, + "20632": msg22799, + "20633": msg22800, + "20634": msg22801, + "20635": msg22802, + "20636": msg22803, + "20637": msg22804, + "20638": msg22805, + "20639": msg22806, + "2064": select1952, + "20640": msg22807, + "20641": msg22808, + "20642": msg22809, + "20643": msg22810, + "20644": msg22811, + "20645": msg22812, + "20646": msg22813, + "20647": msg22814, + "20648": msg22815, + "20649": msg22816, + "2065": select1953, + "20650": msg22817, + "20651": msg22818, + "20652": msg22819, + "20653": msg22820, + "20654": msg22821, + "20655": msg22822, + "20656": msg22823, + "20657": msg22824, + "20658": msg22825, + "20659": msg22826, + "2066": select1954, + "20660": msg22827, + "20661": msg22828, + "20662": msg22829, + "20663": msg22830, + "20664": msg22831, + "20665": msg22832, + "20666": msg22833, + "20667": msg22834, + "20668": msg22835, + "20669": msg22836, + "2067": select1955, + "20670": msg22837, + "20671": msg22838, + "20672": msg22839, + "20673": msg22840, + "20674": msg22841, + "20675": msg22842, + "20676": msg22843, + "20677": msg22844, + "20678": msg22845, + "20679": msg22846, + "2068": select1956, + "20680": msg22847, + "20681": msg22848, + "20682": msg22849, + "20683": msg22850, + "20684": msg22851, + "20685": msg22852, + "20686": msg22853, + "20687": msg22854, + "20688": msg22855, + "20689": msg22856, + "2069": select1957, + "20690": msg22857, + "20691": msg22858, + "20692": msg22859, + "20693": msg22860, + "20694": msg22861, + "20695": msg22862, + "20696": msg22863, + "20697": msg22864, + "20698": msg22865, + "20699": msg22866, + "207": select132, + "2070": select1958, + "20700": msg22867, + "20701": msg22868, + "20702": msg22869, + "20703": msg22870, + "20704": msg22871, + "20705": msg22872, + "20706": msg22873, + "20707": msg22874, + "20708": msg22875, + "20709": msg22876, + "2071": select1959, + "20710": msg22877, + "20711": msg22878, + "20712": msg22879, + "20713": msg22880, + "20714": msg22881, + "20715": msg22882, + "20716": msg22883, + "20717": msg22884, + "20718": msg22885, + "20719": msg22886, + "2072": select1960, + "20720": msg22887, + "20721": msg22888, + "20722": msg22889, + "20723": msg22890, + "20724": msg22891, + "20725": msg22892, + "20726": msg22893, + "20727": msg22894, + "20728": msg22895, + "20729": msg22896, + "2073": select1961, + "20730": msg22897, + "20731": msg22898, + "20732": msg22899, + "20733": msg22900, + "20734": msg22901, + "20735": msg22902, + "20736": msg22903, + "20737": msg22904, + "20738": msg22905, + "20739": msg22906, + "2074": select1962, + "20740": msg22907, + "20741": msg22908, + "20742": msg22909, + "20743": msg22910, + "20744": msg22911, + "20745": msg22912, + "20746": msg22913, + "20747": msg22914, + "20748": msg22915, + "20749": msg22916, + "2075": select1963, + "20750": msg22917, + "20751": msg22918, + "20752": msg22919, + "20753": msg22920, + "20754": msg22921, + "20755": msg22922, + "20756": msg22923, + "20757": msg22924, + "20758": msg22925, + "20759": msg22926, + "2076": select1964, + "20760": msg22927, + "20761": msg22928, + "20762": msg22929, + "20763": msg22930, + "20764": msg22931, + "20765": msg22932, + "20766": msg22933, + "20767": msg22934, + "20768": msg22935, + "20769": msg22936, + "2077": select1965, + "20770": msg22937, + "20771": msg22938, + "20772": msg22939, + "20773": msg22940, + "20774": msg22941, + "20775": msg22942, + "20776": msg22943, + "20777": msg22944, + "20778": msg22945, + "20779": msg22946, + "2078": select1966, + "20780": msg22947, + "20781": msg22948, + "20782": msg22949, + "20783": msg22950, + "20784": msg22951, + "20785": msg22952, + "20786": msg22953, + "20787": msg22954, + "20788": msg22955, + "20789": msg22956, + "2079": select1967, + "20790": msg22957, + "20791": msg22958, + "20792": msg22959, + "20793": msg22960, + "20794": msg22961, + "20795": msg22962, + "20796": msg22963, + "20797": msg22964, + "20798": msg22965, + "20799": msg22966, + "208": select133, + "2080": select1968, + "20800": msg22967, + "20801": msg22968, + "20802": msg22969, + "20803": msg22970, + "20804": msg22971, + "20805": msg22972, + "20806": msg22973, + "20807": msg22974, + "20808": msg22975, + "20809": msg22976, + "2081": select1969, + "20810": msg22977, + "20811": msg22978, + "20812": msg22979, + "20813": msg22980, + "20814": msg22981, + "20815": msg22982, + "20816": msg22983, + "20817": msg22984, + "20818": msg22985, + "20819": msg22986, + "2082": select1970, + "20820": msg22987, + "20821": msg22988, + "20822": msg22989, + "20823": msg22990, + "20824": msg22991, + "20825": msg22992, + "20826": msg22993, + "20827": msg22994, + "20828": msg22995, + "20829": msg22996, + "2083": select1971, + "20830": msg22997, + "20831": msg22998, + "20832": msg22999, + "20833": msg23000, + "20834": msg23001, + "20835": msg23002, + "20836": msg23003, + "20837": msg23004, + "20838": msg23005, + "20839": msg23006, + "2084": select1972, + "20840": msg23007, + "20841": msg23008, + "20842": msg23009, + "20843": msg23010, + "20844": msg23011, + "20845": msg23012, + "20846": msg23013, + "20847": msg23014, + "20848": msg23015, + "20849": msg23016, + "2085": select1973, + "20850": msg23017, + "20851": msg23018, + "20852": msg23019, + "20853": msg23020, + "20854": msg23021, + "20855": msg23022, + "20856": msg23023, + "20857": msg23024, + "20858": msg23025, + "20859": msg23026, + "2086": select1974, + "20860": msg23027, + "20861": msg23028, + "20862": msg23029, + "20863": msg23030, + "20864": msg23031, + "20865": msg23032, + "20866": msg23033, + "20867": msg23034, + "20868": msg23035, + "20869": msg23036, + "2087": select1975, + "20870": msg23037, + "20871": msg23038, + "20872": msg23039, + "20873": msg23040, + "20874": msg23041, + "20875": msg23042, + "20876": msg23043, + "20877": msg23044, + "20878": msg23045, + "20879": msg23046, + "2088": select1976, + "20880": msg23047, + "20881": msg23048, + "20882": msg23049, + "20883": msg23050, + "20884": msg23051, + "20885": msg23052, + "20886": msg23053, + "20887": msg23054, + "20888": msg23055, + "20889": msg23056, + "2089": select1977, + "20890": msg23057, + "20891": msg23058, + "20892": msg23059, + "20893": msg23060, + "20894": msg23061, + "20895": msg23062, + "20896": msg23063, + "20897": msg23064, + "20898": msg23065, + "20899": msg23066, + "209": select134, + "2090": select1978, + "20900": msg23067, + "20901": msg23068, + "20902": msg23069, + "20903": msg23070, + "20904": msg23071, + "20905": msg23072, + "20906": msg23073, + "20907": msg23074, + "20908": msg23075, + "20909": msg23076, + "2091": select1979, + "20910": msg23077, + "20911": msg23078, + "20912": msg23079, + "20913": msg23080, + "20914": msg23081, + "20915": msg23082, + "20916": msg23083, + "20917": msg23084, + "20918": msg23085, + "20919": msg23086, + "2092": select1980, + "20920": msg23087, + "20921": msg23088, + "20922": msg23089, + "20923": msg23090, + "20924": msg23091, + "20925": msg23092, + "20926": msg23093, + "20927": msg23094, + "20928": msg23095, + "20929": msg23096, + "2093": select1981, + "20930": msg23097, + "20931": msg23098, + "20932": msg23099, + "20933": msg23100, + "20934": msg23101, + "20935": msg23102, + "20936": msg23103, + "20937": msg23104, + "20938": msg23105, + "20939": msg23106, + "2094": select1982, + "20940": msg23107, + "20941": msg23108, + "20942": msg23109, + "20943": msg23110, + "20944": msg23111, + "20945": msg23112, + "20946": msg23113, + "20947": msg23114, + "20948": msg23115, + "20949": msg23116, + "2095": select1983, + "20950": msg23117, + "20951": msg23118, + "20952": msg23119, + "20953": msg23120, + "20954": msg23121, + "20955": msg23122, + "20956": msg23123, + "20957": msg23124, + "20958": msg23125, + "20959": msg23126, + "2096": select1984, + "20960": msg23127, + "20961": msg23128, + "20962": msg23129, + "20963": msg23130, + "20964": msg23131, + "20965": msg23132, + "20966": msg23133, + "20967": msg23134, + "20968": msg23135, + "20969": msg23136, + "2097": select1985, + "20970": msg23137, + "20971": msg23138, + "20972": msg23139, + "20973": msg23140, + "20974": msg23141, + "20975": msg23142, + "20976": msg23143, + "20977": msg23144, + "20978": msg23145, + "20979": msg23146, + "2098": select1986, + "20980": msg23147, + "20981": msg23148, + "20982": msg23149, + "20983": msg23150, + "20984": msg23151, + "20985": msg23152, + "20986": msg23153, + "20987": msg23154, + "20988": msg23155, + "20989": msg23156, + "2099": select1987, + "20990": msg23157, + "20991": msg23158, + "20992": msg23159, + "20993": msg23160, + "20994": msg23161, + "20995": msg23162, + "20996": msg23163, + "20997": msg23164, + "20998": msg23165, + "20999": msg23166, + "21": select22, + "210": select135, + "2100": select1988, + "21000": msg23167, + "21001": msg23168, + "21002": msg23169, + "21003": msg23170, + "21004": msg23171, + "21005": msg23172, + "21006": msg23173, + "2100651": msg38508, + "21007": msg23174, + "21008": msg23175, + "21009": msg23176, + "2101": select1989, + "21010": msg23177, + "21011": msg23178, + "21012": msg23179, + "21013": msg23180, + "2101384": msg38509, + "2101390": msg38510, + "21014": msg23181, + "2101424": msg38511, + "2101432": msg38512, + "21015": msg23182, + "21016": msg23183, + "21017": msg23184, + "21018": msg23185, + "2101867": msg38513, + "21019": msg23186, + "2101918": msg38514, + "2102": select1990, + "21020": msg23187, + "21021": msg23188, + "21022": msg23189, + "21023": msg23190, + "21024": msg23191, + "21025": msg23192, + "21026": msg23193, + "21027": msg23194, + "21028": msg23195, + "21029": msg23196, + "2103": select1991, + "21030": msg23197, + "21031": msg23198, + "21032": msg23199, + "21033": msg23200, + "21034": msg23201, + "21035": msg23202, + "21036": msg23203, + "21037": msg23204, + "21038": msg23205, + "21039": msg23206, + "2104": select1992, + "21040": msg23207, + "21041": msg23208, + "21042": msg23209, + "21043": msg23210, + "21044": msg23211, + "21045": msg23212, + "21046": msg23213, + "21047": msg23214, + "21048": msg23215, + "21049": msg23216, + "2105": select1993, + "21050": msg23217, + "21051": msg23218, + "21052": msg23219, + "21053": msg23220, + "21054": msg23221, + "21055": msg23222, + "21056": msg23223, + "21057": msg23224, + "21058": msg23225, + "21059": msg23226, + "2106": select1994, + "21060": msg23227, + "21061": msg23228, + "21062": msg23229, + "21063": msg23230, + "21064": msg23231, + "21065": msg23232, + "21066": msg23233, + "21067": msg23234, + "21068": msg23235, + "21069": msg23236, + "2107": select1995, + "21070": msg23237, + "21071": msg23238, + "21072": msg23239, + "21073": msg23240, + "21074": msg23241, + "21075": msg23242, + "21076": msg23243, + "21077": msg23244, + "21078": msg23245, + "21079": msg23246, + "2108": select1996, + "21080": msg23247, + "21081": msg23248, + "21082": msg23249, + "21083": msg23250, + "21084": msg23251, + "21085": msg23252, + "21086": msg23253, + "21087": msg23254, + "21088": msg23255, + "21089": msg23256, + "2109": select1997, + "21090": msg23257, + "21091": msg23258, + "21092": msg23259, + "21093": msg23260, + "21094": msg23261, + "21095": msg23262, + "21096": msg23263, + "21097": msg23264, + "21098": msg23265, + "21099": msg23266, + "211": select136, + "2110": select1998, + "21100": msg23267, + "21101": msg23268, + "21102": msg23269, + "21103": msg23270, + "21104": msg23271, + "21105": msg23272, + "21106": msg23273, + "21107": msg23274, + "21108": msg23275, + "21109": msg23276, + "2111": select1999, + "21110": msg23277, + "21111": msg23278, + "21112": msg23279, + "21113": msg23280, + "21114": msg23281, + "21115": msg23282, + "21116": msg23283, + "21117": msg23284, + "21118": msg23285, + "21119": msg23286, + "2112": select2000, + "21120": msg23287, + "21121": msg23288, + "21122": msg23289, + "21123": msg23290, + "21124": msg23291, + "21125": msg23292, + "21126": msg23293, + "21127": msg23294, + "21128": msg23295, + "21129": msg23296, + "2113": select2001, + "21130": msg23297, + "21131": msg23298, + "21132": msg23299, + "21133": msg23300, + "21134": msg23301, + "21135": msg23302, + "21136": msg23303, + "21137": msg23304, + "21138": msg23305, + "21139": msg23306, + "2114": select2002, + "21140": msg23307, + "21141": msg23308, + "21142": msg23309, + "21143": msg23310, + "21144": msg23311, + "21145": msg23312, + "21146": msg23313, + "21147": msg23314, + "21148": msg23315, + "21149": msg23316, + "2115": select2003, + "21150": msg23317, + "21151": msg23318, + "21152": msg23319, + "21153": msg23320, + "21154": msg23321, + "21155": msg23322, + "21156": msg23323, + "21157": msg23324, + "21158": msg23325, + "21159": msg23326, + "2116": select2004, + "21160": msg23327, + "21161": msg23328, + "21162": msg23329, + "21163": msg23330, + "21164": msg23331, + "21165": msg23332, + "21166": msg23333, + "21167": msg23334, + "21168": msg23335, + "21169": msg23336, + "2117": select2005, + "21170": msg23337, + "21171": msg23338, + "21172": msg23339, + "21173": msg23340, + "21174": msg23341, + "21175": msg23342, + "21176": msg23343, + "21177": msg23344, + "21178": msg23345, + "21179": msg23346, + "2118": select2006, + "21180": msg23347, + "21181": msg23348, + "21182": msg23349, + "21183": msg23350, + "21184": msg23351, + "21185": msg23352, + "21186": msg23353, + "21187": msg23354, + "21188": msg23355, + "21189": msg23356, + "2119": select2007, + "21190": msg23357, + "21191": msg23358, + "21192": msg23359, + "21193": msg23360, + "21194": msg23361, + "21195": msg23362, + "21196": msg23363, + "21197": msg23364, + "21198": msg23365, + "21199": msg23366, + "212": select137, + "2120": select2008, + "21200": msg23367, + "21201": msg23368, + "21202": msg23369, + "21203": msg23370, + "21204": msg23371, + "21205": msg23372, + "21206": msg23373, + "21207": msg23374, + "21208": msg23375, + "21209": msg23376, + "2121": select2009, + "21210": msg23377, + "21211": msg23378, + "21212": msg23379, + "21213": msg23380, + "21214": msg23381, + "21215": msg23382, + "21216": msg23383, + "21217": msg23384, + "21218": msg23385, + "21219": msg23386, + "2122": select2010, + "21220": msg23387, + "21221": msg23388, + "21222": msg23389, + "21223": msg23390, + "21224": msg23391, + "21225": msg23392, + "21226": msg23393, + "21227": msg23394, + "21228": msg23395, + "21229": msg23396, + "2123": select2011, + "21230": msg23397, + "21231": msg23398, + "21232": msg23399, + "21233": msg23400, + "21234": msg23401, + "21235": msg23402, + "21236": msg23403, + "21237": msg23404, + "21238": msg23405, + "21239": msg23406, + "2124": select2012, + "21240": msg23407, + "21241": msg23408, + "21242": msg23409, + "21243": msg23410, + "21244": msg23411, + "21245": msg23412, + "21246": msg23413, + "21247": msg23414, + "21248": msg23415, + "21249": msg23416, + "2125": select2013, + "21250": msg23417, + "21251": msg23418, + "21252": msg23419, + "21253": msg23420, + "21254": msg23421, + "21255": msg23422, + "21256": msg23423, + "21257": msg23424, + "21258": msg23425, + "21259": msg23426, + "2126": select2014, + "21260": msg23427, + "21261": msg23428, + "21262": msg23429, + "21263": msg23430, + "21264": msg23431, + "21265": msg23432, + "21266": msg23433, + "21267": msg23434, + "21268": msg23435, + "21269": msg23436, + "2127": select2015, + "21270": msg23437, + "21271": msg23438, + "21272": msg23439, + "21273": msg23440, + "21274": msg23441, + "21275": msg23442, + "21276": msg23443, + "21277": msg23444, + "21278": msg23445, + "21279": msg23446, + "2128": select2016, + "21280": msg23447, + "21281": msg23448, + "21282": msg23449, + "21283": msg23450, + "21284": msg23451, + "21285": msg23452, + "21286": msg23453, + "21287": msg23454, + "21288": msg23455, + "21289": msg23456, + "2129": select2017, + "21290": msg23457, + "21291": msg23458, + "21292": msg23459, + "21293": msg23460, + "21294": msg23461, + "21295": msg23462, + "21296": msg23463, + "21297": msg23464, + "21298": msg23465, + "21299": msg23466, + "213": select138, + "2130": select2018, + "21300": msg23467, + "21301": msg23468, + "21302": msg23469, + "21303": msg23470, + "21304": msg23471, + "21305": msg23472, + "21306": msg23473, + "21307": msg23474, + "21308": msg23475, + "21309": msg23476, + "2131": select2019, + "21310": msg23477, + "21311": msg23478, + "21312": msg23479, + "21313": msg23480, + "21314": msg23481, + "21315": msg23482, + "21316": msg23483, + "21317": msg23484, + "21318": msg23485, + "21319": msg23486, + "2132": select2020, + "21320": msg23487, + "21321": msg23488, + "21322": msg23489, + "21323": msg23490, + "21324": msg23491, + "21325": msg23492, + "21326": msg23493, + "21327": msg23494, + "21328": msg23495, + "21329": msg23496, + "2133": select2021, + "21330": msg23497, + "21331": msg23498, + "21332": msg23499, + "21333": msg23500, + "21334": msg23501, + "21335": msg23502, + "21336": msg23503, + "21337": msg23504, + "21338": msg23505, + "21339": msg23506, + "2134": select2022, + "21340": msg23507, + "21341": msg23508, + "21342": msg23509, + "21343": msg23510, + "21344": msg23511, + "21345": msg23512, + "21346": msg23513, + "21347": msg23514, + "21348": msg23515, + "21349": msg23516, + "2135": select2023, + "21350": msg23517, + "21351": msg23518, + "21352": msg23519, + "21353": msg23520, + "21354": msg23521, + "21355": msg23522, + "21356": msg23523, + "21357": msg23524, + "21358": msg23525, + "21359": msg23526, + "2136": select2024, + "21360": msg23527, + "21361": msg23528, + "21362": msg23529, + "21363": msg23530, + "21364": msg23531, + "21365": msg23532, + "21366": msg23533, + "21367": msg23534, + "21368": msg23535, + "21369": msg23536, + "2137": select2025, + "21370": msg23537, + "21371": msg23538, + "21372": msg23539, + "21373": msg23540, + "21374": msg23541, + "21375": msg23542, + "21376": msg23543, + "21377": msg23544, + "21378": msg23545, + "21379": msg23546, + "2138": select2026, + "21380": msg23547, + "21381": msg23548, + "21382": msg23549, + "21383": msg23550, + "21384": msg23551, + "21385": msg23552, + "21386": msg23553, + "21387": msg23554, + "21388": msg23555, + "21389": msg23556, + "2139": select2027, + "21390": msg23557, + "21391": msg23558, + "21392": msg23559, + "21393": msg23560, + "21394": msg23561, + "21395": msg23562, + "21396": msg23563, + "21397": msg23564, + "21398": msg23565, + "21399": msg23566, + "214": select139, + "2140": select2028, + "21400": msg23567, + "21401": msg23568, + "21402": msg23569, + "21403": msg23570, + "21404": msg23571, + "21405": msg23572, + "21406": msg23573, + "21407": msg23574, + "21408": msg23575, + "21409": msg23576, + "2141": select2029, + "21410": msg23577, + "21411": msg23578, + "21412": msg23579, + "21413": msg23580, + "21414": msg23581, + "21415": msg23582, + "21416": msg23583, + "21417": msg23584, + "21418": msg23585, + "21419": msg23586, + "2142": select2030, + "21420": msg23587, + "21421": msg23588, + "21422": msg23589, + "21423": msg23590, + "21424": msg23591, + "21425": msg23592, + "21426": msg23593, + "21427": msg23594, + "21428": msg23595, + "21429": msg23596, + "2143": select2031, + "21430": msg23597, + "21431": msg23598, + "21432": msg23599, + "21433": msg23600, + "21434": msg23601, + "21435": msg23602, + "21436": msg23603, + "21437": msg23604, + "21438": msg23605, + "21439": msg23606, + "2144": select2032, + "21440": msg23607, + "21441": msg23608, + "21442": msg23609, + "21443": msg23610, + "21444": msg23611, + "21445": msg23612, + "21446": msg23613, + "21447": msg23614, + "21448": msg23615, + "21449": msg23616, + "2145": select2033, + "21450": msg23617, + "21451": msg23618, + "21452": msg23619, + "21453": msg23620, + "21454": msg23621, + "21455": msg23622, + "21456": msg23623, + "21457": msg23624, + "21458": msg23625, + "21459": msg23626, + "2146": select2034, + "21460": msg23627, + "21461": msg23628, + "21462": msg23629, + "21463": msg23630, + "21464": msg23631, + "21465": msg23632, + "21466": msg23633, + "21467": msg23634, + "21468": msg23635, + "21469": msg23636, + "2147": select2035, + "21470": msg23637, + "21471": msg23638, + "21472": msg23639, + "21473": msg23640, + "21474": msg23641, + "21475": msg23642, + "21476": msg23643, + "21477": msg23644, + "21478": msg23645, + "21479": msg23646, + "2148": select2036, + "21480": msg23647, + "21481": msg23648, + "21482": msg23649, + "21483": msg23650, + "21484": msg23651, + "21485": msg23652, + "21486": msg23653, + "21487": msg23654, + "21488": msg23655, + "21489": msg23656, + "2149": select2037, + "21490": msg23657, + "21491": msg23658, + "21492": msg23659, + "21493": msg23660, + "21494": msg23661, + "21495": msg23662, + "21496": msg23663, + "21497": msg23664, + "21498": msg23665, + "21499": msg23666, + "215": select140, + "2150": select2038, + "21500": msg23667, + "21501": msg23668, + "21502": msg23669, + "21503": msg23670, + "21504": msg23671, + "21505": msg23672, + "21506": msg23673, + "21507": msg23674, + "21508": msg23675, + "21509": msg23676, + "2151": select2039, + "21510": msg23677, + "21511": msg23678, + "21512": msg23679, + "21513": msg23680, + "21514": msg23681, + "21515": msg23682, + "21516": msg23683, + "21517": msg23684, + "21518": msg23685, + "21519": msg23686, + "2152": select2040, + "21520": msg23687, + "21521": msg23688, + "21522": msg23689, + "21523": msg23690, + "21524": msg23691, + "21525": msg23692, + "21526": msg23693, + "21527": msg23694, + "21528": msg23695, + "21529": msg23696, + "2153": select2041, + "21530": msg23697, + "21531": msg23698, + "21532": msg23699, + "21533": msg23700, + "21534": msg23701, + "21535": msg23702, + "21536": msg23703, + "21537": msg23704, + "21538": msg23705, + "21539": msg23706, + "2154": select2042, + "21540": msg23707, + "21541": msg23708, + "21542": msg23709, + "21543": msg23710, + "21544": msg23711, + "21545": msg23712, + "21546": msg23713, + "21547": msg23714, + "21548": msg23715, + "21549": msg23716, + "2155": select2043, + "21550": msg23717, + "21551": msg23718, + "21552": msg23719, + "21553": msg23720, + "21554": msg23721, + "21555": msg23722, + "21556": msg23723, + "21557": msg23724, + "21558": msg23725, + "21559": msg23726, + "2156": select2044, + "21560": msg23727, + "21561": msg23728, + "21562": msg23729, + "21563": msg23730, + "21564": msg23731, + "21565": msg23732, + "21566": msg23733, + "21567": msg23734, + "21568": msg23735, + "21569": msg23736, + "2157": select2045, + "21570": msg23737, + "21571": msg23738, + "21572": msg23739, + "21573": msg23740, + "21574": msg23741, + "21575": msg23742, + "21576": msg23743, + "21577": msg23744, + "21578": msg23745, + "21579": msg23746, + "2158": select2046, + "21580": msg23747, + "21581": msg23748, + "21582": msg23749, + "21583": msg23750, + "21584": msg23751, + "21585": msg23752, + "21586": msg23753, + "21587": msg23754, + "21588": msg23755, + "21589": msg23756, + "2159": select2047, + "21590": msg23757, + "21591": msg23758, + "21592": msg23759, + "21593": msg23760, + "21594": msg23761, + "21595": msg23762, + "21596": msg23763, + "21597": msg23764, + "21598": msg23765, + "21599": msg23766, + "216": select141, + "2160": select2048, + "21600": msg23767, + "21601": msg23768, + "21602": msg23769, + "21603": msg23770, + "21604": msg23771, + "21605": msg23772, + "21606": msg23773, + "21607": msg23774, + "21608": msg23775, + "21609": msg23776, + "2161": select2049, + "21610": msg23777, + "21611": msg23778, + "21612": msg23779, + "21613": msg23780, + "21614": msg23781, + "21615": msg23782, + "21616": msg23783, + "21617": msg23784, + "21618": msg23785, + "21619": msg23786, + "2162": select2050, + "21620": msg23787, + "21621": msg23788, + "21622": msg23789, + "21623": msg23790, + "21624": msg23791, + "21625": msg23792, + "21626": msg23793, + "21627": msg23794, + "21628": msg23795, + "21629": msg23796, + "2163": select2051, + "21630": msg23797, + "21631": msg23798, + "21632": msg23799, + "21633": msg23800, + "21634": msg23801, + "21635": msg23802, + "21636": msg23803, + "21637": msg23804, + "21638": msg23805, + "21639": msg23806, + "2164": select2052, + "21640": msg23807, + "21641": msg23808, + "21642": msg23809, + "21643": msg23810, + "21644": msg23811, + "21645": msg23812, + "21646": msg23813, + "21647": msg23814, + "21648": msg23815, + "21649": msg23816, + "2165": select2053, + "21650": msg23817, + "21651": msg23818, + "21652": msg23819, + "21653": msg23820, + "21654": msg23821, + "21655": msg23822, + "21656": msg23823, + "21657": msg23824, + "21658": msg23825, + "21659": msg23826, + "2166": select2054, + "21660": msg23827, + "21661": msg23828, + "21662": msg23829, + "21663": msg23830, + "21664": msg23831, + "21665": msg23832, + "21666": msg23833, + "21667": msg23834, + "21668": msg23835, + "21669": msg23836, + "2167": select2055, + "21670": msg23837, + "21671": msg23838, + "21672": msg23839, + "21673": msg23840, + "21674": msg23841, + "21675": msg23842, + "21676": msg23843, + "21677": msg23844, + "21678": msg23845, + "21679": msg23846, + "2168": select2056, + "21680": msg23847, + "21681": msg23848, + "21682": msg23849, + "21683": msg23850, + "21684": msg23851, + "21685": msg23852, + "21686": msg23853, + "21687": msg23854, + "21688": msg23855, + "21689": msg23856, + "2169": select2057, + "21690": msg23857, + "21691": msg23858, + "21692": msg23859, + "21693": msg23860, + "21694": msg23861, + "21695": msg23862, + "21696": msg23863, + "21697": msg23864, + "21698": msg23865, + "21699": msg23866, + "217": select142, + "2170": select2058, + "21700": msg23867, + "21701": msg23868, + "21702": msg23869, + "21703": msg23870, + "21704": msg23871, + "21705": msg23872, + "21706": msg23873, + "21707": msg23874, + "21708": msg23875, + "21709": msg23876, + "2171": select2059, + "21710": msg23877, + "21711": msg23878, + "21712": msg23879, + "21713": msg23880, + "21714": msg23881, + "21715": msg23882, + "21716": msg23883, + "21717": msg23884, + "21718": msg23885, + "21719": msg23886, + "2172": select2060, + "21720": msg23887, + "21721": msg23888, + "21722": msg23889, + "21723": msg23890, + "21724": msg23891, + "21725": msg23892, + "21726": msg23893, + "21727": msg23894, + "21728": msg23895, + "21729": msg23896, + "2173": select2061, + "21730": msg23897, + "21731": msg23898, + "21732": msg23899, + "21733": msg23900, + "21734": msg23901, + "21735": msg23902, + "21736": msg23903, + "21737": msg23904, + "21738": msg23905, + "21739": msg23906, + "2174": select2062, + "21740": msg23907, + "21741": msg23908, + "21742": msg23909, + "21743": msg23910, + "21744": msg23911, + "21745": msg23912, + "21746": msg23913, + "21747": msg23914, + "21748": msg23915, + "21749": msg23916, + "2175": select2063, + "21750": msg23917, + "21751": msg23918, + "21752": msg23919, + "21753": msg23920, + "21754": msg23921, + "21755": msg23922, + "21756": msg23923, + "21757": msg23924, + "21758": msg23925, + "21759": msg23926, + "2176": select2064, + "21760": msg23927, + "21761": msg23928, + "21762": msg23929, + "21763": msg23930, + "21764": msg23931, + "21765": msg23932, + "21766": msg23933, + "21767": msg23934, + "21768": msg23935, + "21769": msg23936, + "2177": select2065, + "21770": msg23937, + "21771": msg23938, + "21772": msg23939, + "21773": msg23940, + "21774": msg23941, + "21775": msg23942, + "21776": msg23943, + "21777": msg23944, + "21778": msg23945, + "21779": msg23946, + "2178": select2066, + "21780": msg23947, + "21781": msg23948, + "21782": msg23949, + "21783": msg23950, + "21784": msg23951, + "21785": msg23952, + "21786": msg23953, + "21787": msg23954, + "21788": msg23955, + "21789": msg23956, + "2179": select2067, + "21790": msg23957, + "21791": msg23958, + "21792": msg23959, + "21793": msg23960, + "21794": msg23961, + "21795": msg23962, + "21796": msg23963, + "21797": msg23964, + "21798": msg23965, + "21799": msg23966, + "218": select143, + "2180": select2068, + "21800": msg23967, + "21801": msg23968, + "21802": msg23969, + "21803": msg23970, + "21804": msg23971, + "21805": msg23972, + "21806": msg23973, + "21807": msg23974, + "21808": msg23975, + "21809": msg23976, + "2181": select2069, + "21810": msg23977, + "21811": msg23978, + "21812": msg23979, + "21813": msg23980, + "21814": msg23981, + "21815": msg23982, + "21816": msg23983, + "21817": msg23984, + "21818": msg23985, + "21819": msg23986, + "2182": select2070, + "21820": msg23987, + "21821": msg23988, + "21822": msg23989, + "21823": msg23990, + "21824": msg23991, + "21825": msg23992, + "21826": msg23993, + "21827": msg23994, + "21828": msg23995, + "21829": msg23996, + "2183": select2071, + "21830": msg23997, + "21831": msg23998, + "21832": msg23999, + "21833": msg24000, + "21834": msg24001, + "21835": msg24002, + "21836": msg24003, + "21837": msg24004, + "21838": msg24005, + "21839": msg24006, + "2184": select2072, + "21840": msg24007, + "21841": msg24008, + "21842": msg24009, + "21843": msg24010, + "21844": msg24011, + "21845": msg24012, + "21846": msg24013, + "21847": msg24014, + "21848": msg24015, + "21849": msg24016, + "2185": select2073, + "21850": msg24017, + "21851": msg24018, + "21852": msg24019, + "21853": msg24020, + "21854": msg24021, + "21855": msg24022, + "21856": msg24023, + "21857": msg24024, + "21858": msg24025, + "21859": msg24026, + "2186": select2074, + "21860": msg24027, + "21861": msg24028, + "21862": msg24029, + "21863": msg24030, + "21864": msg24031, + "21865": msg24032, + "21866": msg24033, + "21867": msg24034, + "21868": msg24035, + "21869": msg24036, + "2187": select2075, + "21870": msg24037, + "21871": msg24038, + "21872": msg24039, + "21873": msg24040, + "21874": msg24041, + "21875": msg24042, + "21876": msg24043, + "21877": msg24044, + "21878": msg24045, + "21879": msg24046, + "2188": select2076, + "21880": msg24047, + "21881": msg24048, + "21882": msg24049, + "21883": msg24050, + "21884": msg24051, + "21885": msg24052, + "21886": msg24053, + "21887": msg24054, + "21888": msg24055, + "21889": msg24056, + "2189": select2077, + "21890": msg24057, + "21891": msg24058, + "21892": msg24059, + "21893": msg24060, + "21894": msg24061, + "21895": msg24062, + "21896": msg24063, + "21897": msg24064, + "21898": msg24065, + "21899": msg24066, + "219": select144, + "2190": select2078, + "21900": msg24067, + "21901": msg24068, + "21902": msg24069, + "21903": msg24070, + "21904": msg24071, + "21905": msg24072, + "21906": msg24073, + "21907": msg24074, + "21908": msg24075, + "21909": msg24076, + "2191": select2079, + "21910": msg24077, + "21911": msg24078, + "21912": msg24079, + "21913": msg24080, + "21914": msg24081, + "21915": msg24082, + "21916": msg24083, + "21917": msg24084, + "21918": msg24085, + "21919": msg24086, + "2192": select2080, + "21920": msg24087, + "21921": msg24088, + "21922": msg24089, + "21923": msg24090, + "21924": msg24091, + "21925": msg24092, + "21926": msg24093, + "21927": msg24094, + "21928": msg24095, + "21929": msg24096, + "2193": select2081, + "21930": msg24097, + "21931": msg24098, + "21932": msg24099, + "21933": msg24100, + "21934": msg24101, + "21935": msg24102, + "21937": msg24103, + "21938": msg24104, + "21939": msg24105, + "2194": select2082, + "21940": msg24106, + "21941": msg24107, + "21942": msg24108, + "21943": msg24109, + "21944": msg24110, + "21945": msg24111, + "21946": msg24112, + "21947": msg24113, + "21948": msg24114, + "21949": msg24115, + "2195": select2083, + "21950": msg24116, + "21951": msg24117, + "21952": msg24118, + "21953": msg24119, + "21954": msg24120, + "21955": msg24121, + "21956": msg24122, + "21957": msg24123, + "21958": msg24124, + "21959": msg24125, + "2196": select2084, + "21960": msg24126, + "21961": msg24127, + "21962": msg24128, + "21963": msg24129, + "21964": msg24130, + "21965": msg24131, + "21966": msg24132, + "21967": msg24133, + "21968": msg24134, + "21969": msg24135, + "2197": select2085, + "21970": msg24136, + "21971": msg24137, + "21972": msg24138, + "21973": msg24139, + "21974": msg24140, + "21975": msg24141, + "21976": msg24142, + "21977": msg24143, + "21978": msg24144, + "21979": msg24145, + "2198": select2086, + "21980": msg24146, + "21981": msg24147, + "21982": msg24148, + "21983": msg24149, + "21984": msg24150, + "21985": msg24151, + "21986": msg24152, + "21987": msg24153, + "21988": msg24154, + "21989": msg24155, + "2199": select2087, + "21990": msg24156, + "21991": msg24157, + "21992": msg24158, + "21993": msg24159, + "21994": msg24160, + "21995": msg24161, + "21996": msg24162, + "21997": msg24163, + "21998": msg24164, + "21999": msg24165, + "220": select145, + "2200": select2088, + "22000": msg24166, + "22001": msg24167, + "22002": msg24168, + "22003": msg24169, + "22004": msg24170, + "22005": msg24171, + "22006": msg24172, + "22007": msg24173, + "22008": msg24174, + "22009": msg24175, + "2201": select2089, + "22010": msg24176, + "22011": msg24177, + "22012": msg24178, + "22013": msg24179, + "22014": msg24180, + "22015": msg24181, + "22016": msg24182, + "22017": msg24183, + "22018": msg24184, + "22019": msg24185, + "2202": select2090, + "22020": msg24186, + "22021": msg24187, + "22022": msg24188, + "22023": msg24189, + "22024": msg24190, + "22025": msg24191, + "22026": msg24192, + "22027": msg24193, + "22028": msg24194, + "22029": msg24195, + "2203": select2091, + "22030": msg24196, + "22031": msg24197, + "22032": msg24198, + "22033": msg24199, + "22034": msg24200, + "22035": msg24201, + "22036": msg24202, + "22037": msg24203, + "22038": msg24204, + "22039": msg24205, + "2204": select2092, + "22040": msg24206, + "22041": msg24207, + "22042": msg24208, + "22043": msg24209, + "22044": msg24210, + "22045": msg24211, + "22046": msg24212, + "22047": msg24213, + "22048": msg24214, + "22049": msg24215, + "2205": select2093, + "22050": msg24216, + "22051": msg24217, + "22052": msg24218, + "22053": msg24219, + "22054": msg24220, + "22055": msg24221, + "22056": msg24222, + "22057": msg24223, + "22058": msg24224, + "22059": msg24225, + "2206": select2094, + "22060": msg24226, + "22061": msg24227, + "22062": msg24228, + "22063": msg24229, + "22064": msg24230, + "22065": msg24231, + "22066": msg24232, + "22067": msg24233, + "22068": msg24234, + "22069": msg24235, + "2207": select2095, + "22070": msg24236, + "22071": msg24237, + "22072": msg24238, + "22073": msg24239, + "22074": msg24240, + "22075": msg24241, + "22076": msg24242, + "22077": msg24243, + "22078": msg24244, + "22079": msg24245, + "2208": select2096, + "22080": msg24246, + "22081": msg24247, + "22082": msg24248, + "22083": msg24249, + "22084": msg24250, + "22085": msg24251, + "22086": msg24252, + "22087": msg24253, + "22088": msg24254, + "22089": msg24255, + "2209": select2097, + "22090": msg24256, + "22091": msg24257, + "22092": msg24258, + "22093": msg24259, + "22094": msg24260, + "22095": msg24261, + "22096": msg24262, + "22097": msg24263, + "22098": msg24264, + "22099": msg24265, + "221": select146, + "2210": select2098, + "22100": msg24266, + "22101": msg24267, + "22102": msg24268, + "22103": msg24269, + "22104": msg24270, + "22105": msg24271, + "22106": msg24272, + "22107": msg24273, + "22108": msg24274, + "22109": msg24275, + "2211": select2099, + "22110": msg24276, + "22111": msg24277, + "22112": msg24278, + "22113": msg24279, + "22114": msg24280, + "22115": msg24281, + "22116": msg24282, + "22117": msg24283, + "22118": msg24284, + "22119": msg24285, + "2212": select2100, + "22120": msg24286, + "22121": msg24287, + "22122": msg24288, + "22123": msg24289, + "22124": msg24290, + "22125": msg24291, + "22126": msg24292, + "22127": msg24293, + "22128": msg24294, + "22129": msg24295, + "2213": select2101, + "22130": msg24296, + "22131": msg24297, + "22132": msg24298, + "22133": msg24299, + "22134": msg24300, + "22135": msg24301, + "22136": msg24302, + "22137": msg24303, + "22138": msg24304, + "22139": msg24305, + "2214": select2102, + "22140": msg24306, + "22141": msg24307, + "22142": msg24308, + "22143": msg24309, + "22144": msg24310, + "22145": msg24311, + "22146": msg24312, + "22147": msg24313, + "22148": msg24314, + "22149": msg24315, + "2215": select2103, + "22150": msg24316, + "22151": msg24317, + "22152": msg24318, + "22153": msg24319, + "22154": msg24320, + "22155": msg24321, + "22156": msg24322, + "22157": msg24323, + "22158": msg24324, + "22159": msg24325, + "2216": select2104, + "22160": msg24326, + "22161": msg24327, + "22162": msg24328, + "22163": msg24329, + "22164": msg24330, + "22165": msg24331, + "22166": msg24332, + "22167": msg24333, + "22168": msg24334, + "22169": msg24335, + "2217": select2105, + "22170": msg24336, + "22171": msg24337, + "22172": msg24338, + "22173": msg24339, + "22174": msg24340, + "22175": msg24341, + "22176": msg24342, + "22177": msg24343, + "22178": msg24344, + "22179": msg24345, + "2218": select2106, + "22180": msg24346, + "22181": msg24347, + "22182": msg24348, + "22183": msg24349, + "22184": msg24350, + "22185": msg24351, + "22186": msg24352, + "22187": msg24353, + "22188": msg24354, + "22189": msg24355, + "2219": select2107, + "22190": msg24356, + "22191": msg24357, + "22192": msg24358, + "22193": msg24359, + "22194": msg24360, + "22195": msg24361, + "22196": msg24362, + "22197": msg24363, + "22198": msg24364, + "22199": msg24365, + "222": select147, + "2220": select2108, + "22200": msg24366, + "22201": msg24367, + "22202": msg24368, + "22203": msg24369, + "22204": msg24370, + "22205": msg24371, + "22206": msg24372, + "22207": msg24373, + "22208": msg24374, + "22209": msg24375, + "2221": select2109, + "22210": msg24376, + "22211": msg24377, + "22212": msg24378, + "22213": msg24379, + "22214": msg24380, + "22215": msg24381, + "22216": msg24382, + "22217": msg24383, + "22218": msg24384, + "22219": msg24385, + "2222": select2110, + "22220": msg24386, + "22221": msg24387, + "22222": msg24388, + "22223": msg24389, + "22224": msg24390, + "22225": msg24391, + "22226": msg24392, + "22227": msg24393, + "22228": msg24394, + "22229": msg24395, + "2223": select2111, + "22230": msg24396, + "22231": msg24397, + "22232": msg24398, + "22233": msg24399, + "22234": msg24400, + "22235": msg24401, + "22236": msg24402, + "22237": msg24403, + "22238": msg24404, + "22239": msg24405, + "2224": select2112, + "22240": msg24406, + "22241": msg24407, + "22242": msg24408, + "22243": msg24409, + "22244": msg24410, + "22245": msg24411, + "22246": msg24412, + "22247": msg24413, + "22248": msg24414, + "22249": msg24415, + "2225": select2113, + "22250": msg24416, + "22251": msg24417, + "22252": msg24418, + "22253": msg24419, + "22254": msg24420, + "22255": msg24421, + "22256": msg24422, + "22257": msg24423, + "22258": msg24424, + "22259": msg24425, + "2226": select2114, + "22260": msg24426, + "22261": msg24427, + "22262": msg24428, + "22263": msg24429, + "22264": msg24430, + "22265": msg24431, + "22266": msg24432, + "22267": msg24433, + "22268": msg24434, + "22269": msg24435, + "2227": select2115, + "22270": msg24436, + "22271": msg24437, + "22272": msg24438, + "22273": msg24439, + "22274": msg24440, + "22275": msg24441, + "22276": msg24442, + "22277": msg24443, + "22278": msg24444, + "22279": msg24445, + "2228": select2116, + "22280": msg24446, + "22281": msg24447, + "22282": msg24448, + "22283": msg24449, + "22284": msg24450, + "22285": msg24451, + "22286": msg24452, + "22287": msg24453, + "22288": msg24454, + "22289": msg24455, + "2229": select2117, + "22290": msg24456, + "22291": msg24457, + "22292": msg24458, + "22293": msg24459, + "22294": msg24460, + "22295": msg24461, + "22296": msg24462, + "22297": msg24463, + "22298": msg24464, + "22299": msg24465, + "223": select148, + "2230": select2118, + "22300": msg24466, + "22301": msg24467, + "22302": msg24468, + "22303": msg24469, + "22304": msg24470, + "22305": msg24471, + "22306": msg24472, + "22307": msg24473, + "22308": msg24474, + "22309": msg24475, + "2231": select2119, + "22310": msg24476, + "22311": msg24477, + "22312": msg24478, + "22313": msg24479, + "22314": msg24480, + "22315": msg24481, + "22316": msg24482, + "22317": msg24483, + "22318": msg24484, + "22319": msg24485, + "2232": select2120, + "22320": msg24486, + "22321": msg24487, + "22322": msg24488, + "22323": msg24489, + "22324": msg24490, + "22325": msg24491, + "22326": msg24492, + "22327": msg24493, + "22328": msg24494, + "22329": msg24495, + "2233": select2121, + "22330": msg24496, + "22331": msg24497, + "22332": msg24498, + "22333": msg24499, + "22334": msg24500, + "22335": msg24501, + "22336": msg24502, + "22337": msg24503, + "22338": msg24504, + "22339": msg24505, + "2234": select2122, + "22340": msg24506, + "22341": msg24507, + "22342": msg24508, + "22343": msg24509, + "22344": msg24510, + "22345": msg24511, + "22346": msg24512, + "22347": msg24513, + "22348": msg24514, + "22349": msg24515, + "2235": select2123, + "22350": msg24516, + "22351": msg24517, + "22352": msg24518, + "22353": msg24519, + "22354": msg24520, + "22355": msg24521, + "22356": msg24522, + "22357": msg24523, + "22358": msg24524, + "22359": msg24525, + "2236": select2124, + "22360": msg24526, + "22361": msg24527, + "22362": msg24528, + "22363": msg24529, + "22364": msg24530, + "22365": msg24531, + "22366": msg24532, + "22367": msg24533, + "22368": msg24534, + "22369": msg24535, + "2237": select2125, + "22370": msg24536, + "22371": msg24537, + "22372": msg24538, + "22373": msg24539, + "22374": msg24540, + "22375": msg24541, + "22376": msg24542, + "22377": msg24543, + "22378": msg24544, + "22379": msg24545, + "2238": select2126, + "22380": msg24546, + "22381": msg24547, + "22382": msg24548, + "22383": msg24549, + "22384": msg24550, + "22385": msg24551, + "22386": msg24552, + "22387": msg24553, + "22388": msg24554, + "22389": msg24555, + "2239": select2127, + "22390": msg24556, + "22391": msg24557, + "22392": msg24558, + "22393": msg24559, + "22394": msg24560, + "22395": msg24561, + "22396": msg24562, + "22397": msg24563, + "22398": msg24564, + "22399": msg24565, + "224": select149, + "2240": select2128, + "22400": msg24566, + "22401": msg24567, + "22402": msg24568, + "22403": msg24569, + "22404": msg24570, + "22405": msg24571, + "22406": msg24572, + "22407": msg24573, + "22408": msg24574, + "22409": msg24575, + "2241": select2129, + "22410": msg24576, + "22411": msg24577, + "22412": msg24578, + "22413": msg24579, + "22414": msg24580, + "22415": msg24581, + "22416": msg24582, + "22417": msg24583, + "22418": msg24584, + "22419": msg24585, + "2242": select2130, + "22420": msg24586, + "22421": msg24587, + "22422": msg24588, + "22423": msg24589, + "22424": msg24590, + "22425": msg24591, + "22426": msg24592, + "22427": msg24593, + "22428": msg24594, + "22429": msg24595, + "2243": select2131, + "22430": msg24596, + "22431": msg24597, + "22432": msg24598, + "22433": msg24599, + "22434": msg24600, + "22435": msg24601, + "22436": msg24602, + "22437": msg24603, + "22438": msg24604, + "22439": msg24605, + "2244": select2132, + "22440": msg24606, + "22441": msg24607, + "22442": msg24608, + "22443": msg24609, + "22444": msg24610, + "22445": msg24611, + "22446": msg24612, + "22447": msg24613, + "22448": msg24614, + "22449": msg24615, + "2245": select2133, + "22450": msg24616, + "22451": msg24617, + "22452": msg24618, + "22453": msg24619, + "22454": msg24620, + "22455": msg24621, + "22456": msg24622, + "22457": msg24623, + "22458": msg24624, + "22459": msg24625, + "2246": select2134, + "22460": msg24626, + "22461": msg24627, + "22462": msg24628, + "22463": msg24629, + "22464": msg24630, + "22465": msg24631, + "22466": msg24632, + "22467": msg24633, + "22468": msg24634, + "22469": msg24635, + "2247": select2135, + "22470": msg24636, + "22471": msg24637, + "22472": msg24638, + "22473": msg24639, + "22474": msg24640, + "22475": msg24641, + "22476": msg24642, + "22477": msg24643, + "22478": msg24644, + "22479": msg24645, + "2248": select2136, + "22480": msg24646, + "22481": msg24647, + "22482": msg24648, + "22483": msg24649, + "22484": msg24650, + "22485": msg24651, + "22486": msg24652, + "22487": msg24653, + "22488": msg24654, + "22489": msg24655, + "2249": select2137, + "22490": msg24656, + "22491": msg24657, + "22492": msg24658, + "22493": msg24659, + "22494": msg24660, + "22495": msg24661, + "22496": msg24662, + "22497": msg24663, + "22498": msg24664, + "22499": msg24665, + "225": select150, + "2250": select2138, + "22500": msg24666, + "22501": msg24667, + "22502": msg24668, + "22503": msg24669, + "22504": msg24670, + "22505": msg24671, + "22506": msg24672, + "22507": msg24673, + "22508": msg24674, + "22509": msg24675, + "2251": select2139, + "22510": msg24676, + "22511": msg24677, + "22512": msg24678, + "22513": msg24679, + "22514": msg24680, + "22515": msg24681, + "22516": msg24682, + "22517": msg24683, + "22518": msg24684, + "22519": msg24685, + "2252": select2140, + "22520": msg24686, + "22521": msg24687, + "22522": msg24688, + "22523": msg24689, + "22524": msg24690, + "22525": msg24691, + "22526": msg24692, + "22527": msg24693, + "22528": msg24694, + "22529": msg24695, + "2253": select2141, + "22530": msg24696, + "22531": msg24697, + "22532": msg24698, + "22533": msg24699, + "22534": msg24700, + "22535": msg24701, + "22536": msg24702, + "22537": msg24703, + "22538": msg24704, + "22539": msg24705, + "2254": select2142, + "22540": msg24706, + "22541": msg24707, + "22542": msg24708, + "22543": msg24709, + "22544": msg24710, + "22545": msg24711, + "22546": msg24712, + "22547": msg24713, + "22548": msg24714, + "22549": msg24715, + "2255": select2143, + "22550": msg24716, + "22551": msg24717, + "22552": msg24718, + "22553": msg24719, + "22554": msg24720, + "22555": msg24721, + "22556": msg24722, + "22557": msg24723, + "22558": msg24724, + "22559": msg24725, + "2256": select2144, + "22560": msg24726, + "22561": msg24727, + "22562": msg24728, + "22563": msg24729, + "22564": msg24730, + "22565": msg24731, + "22566": msg24732, + "22567": msg24733, + "22568": msg24734, + "22569": msg24735, + "2257": select2145, + "22570": msg24736, + "22571": msg24737, + "22572": msg24738, + "22573": msg24739, + "22574": msg24740, + "22575": msg24741, + "22576": msg24742, + "22577": msg24743, + "22578": msg24744, + "22579": msg24745, + "2258": select2146, + "22580": msg24746, + "22581": msg24747, + "22582": msg24748, + "22583": msg24749, + "22584": msg24750, + "22585": msg24751, + "22586": msg24752, + "22587": msg24753, + "22588": msg24754, + "22589": msg24755, + "2259": select2147, + "22590": msg24756, + "22591": msg24757, + "22592": msg24758, + "22593": msg24759, + "22594": msg24760, + "22595": msg24761, + "22596": msg24762, + "22597": msg24763, + "22598": msg24764, + "22599": msg24765, + "226": select151, + "2260": select2148, + "22600": msg24766, + "22601": msg24767, + "22602": msg24768, + "22603": msg24769, + "22604": msg24770, + "22605": msg24771, + "22606": msg24772, + "22607": msg24773, + "22608": msg24774, + "22609": msg24775, + "2261": select2149, + "22610": msg24776, + "22611": msg24777, + "22612": msg24778, + "22613": msg24779, + "22614": msg24780, + "22615": msg24781, + "22616": msg24782, + "22617": msg24783, + "22618": msg24784, + "22619": msg24785, + "2262": select2150, + "22620": msg24786, + "22621": msg24787, + "22622": msg24788, + "22623": msg24789, + "22624": msg24790, + "22625": msg24791, + "22626": msg24792, + "22627": msg24793, + "22628": msg24794, + "22629": msg24795, + "2263": select2151, + "22630": msg24796, + "22631": msg24797, + "22632": msg24798, + "22633": msg24799, + "22634": msg24800, + "22635": msg24801, + "22636": msg24802, + "22637": msg24803, + "22638": msg24804, + "22639": msg24805, + "2264": select2152, + "22640": msg24806, + "22641": msg24807, + "22642": msg24808, + "22643": msg24809, + "22644": msg24810, + "22645": msg24811, + "22646": msg24812, + "22647": msg24813, + "22648": msg24814, + "22649": msg24815, + "2265": select2153, + "22650": msg24816, + "22651": msg24817, + "22652": msg24818, + "22653": msg24819, + "22654": msg24820, + "22655": msg24821, + "22656": msg24822, + "22657": msg24823, + "22658": msg24824, + "22659": msg24825, + "2266": select2154, + "22660": msg24826, + "22661": msg24827, + "22662": msg24828, + "22663": msg24829, + "22664": msg24830, + "22665": msg24831, + "22666": msg24832, + "22667": msg24833, + "22668": msg24834, + "22669": msg24835, + "2267": select2155, + "22670": msg24836, + "22671": msg24837, + "22672": msg24838, + "22673": msg24839, + "22674": msg24840, + "22675": msg24841, + "22676": msg24842, + "22677": msg24843, + "22678": msg24844, + "22679": msg24845, + "2268": select2156, + "22680": msg24846, + "22681": msg24847, + "22682": msg24848, + "22683": msg24849, + "22684": msg24850, + "22685": msg24851, + "22686": msg24852, + "22687": msg24853, + "22688": msg24854, + "22689": msg24855, + "2269": select2157, + "22690": msg24856, + "22691": msg24857, + "22692": msg24858, + "22693": msg24859, + "22694": msg24860, + "22695": msg24861, + "22696": msg24862, + "22697": msg24863, + "22698": msg24864, + "22699": msg24865, + "227": select152, + "2270": select2158, + "22700": msg24866, + "22701": msg24867, + "22702": msg24868, + "22703": msg24869, + "22704": msg24870, + "22705": msg24871, + "22706": msg24872, + "22707": msg24873, + "22708": msg24874, + "22709": msg24875, + "2271": select2159, + "22710": msg24876, + "22711": msg24877, + "22712": msg24878, + "22713": msg24879, + "22714": msg24880, + "22715": msg24881, + "22716": msg24882, + "22717": msg24883, + "22718": msg24884, + "22719": msg24885, + "2272": select2160, + "22720": msg24886, + "22721": msg24887, + "22722": msg24888, + "22723": msg24889, + "22724": msg24890, + "22725": msg24891, + "22726": msg24892, + "22727": msg24893, + "22728": msg24894, + "22729": msg24895, + "2273": select2161, + "22730": msg24896, + "22731": msg24897, + "22732": msg24898, + "22733": msg24899, + "22734": msg24900, + "22735": msg24901, + "22736": msg24902, + "22737": msg24903, + "22738": msg24904, + "22739": msg24905, + "2274": select2162, + "22740": msg24906, + "22741": msg24907, + "22742": msg24908, + "22743": msg24909, + "22744": msg24910, + "22745": msg24911, + "22746": msg24912, + "22747": msg24913, + "22748": msg24914, + "22749": msg24915, + "2275": select2163, + "22750": msg24916, + "22751": msg24917, + "22752": msg24918, + "22753": msg24919, + "22754": msg24920, + "22755": msg24921, + "22756": msg24922, + "22757": msg24923, + "22758": msg24924, + "22759": msg24925, + "2276": select2164, + "22760": msg24926, + "22761": msg24927, + "22762": msg24928, + "22763": msg24929, + "22764": msg24930, + "22765": msg24931, + "22766": msg24932, + "22767": msg24933, + "22768": msg24934, + "22769": msg24935, + "2277": select2165, + "22770": msg24936, + "22771": msg24937, + "22772": msg24938, + "22773": msg24939, + "22774": msg24940, + "22775": msg24941, + "22776": msg24942, + "22777": msg24943, + "22778": msg24944, + "22779": msg24945, + "2278": select2166, + "22780": msg24946, + "22781": msg24947, + "22782": msg24948, + "22783": msg24949, + "22784": msg24950, + "22785": msg24951, + "22786": msg24952, + "22787": msg24953, + "22788": msg24954, + "22789": msg24955, + "2279": select2167, + "22790": msg24956, + "22791": msg24957, + "22792": msg24958, + "22793": msg24959, + "22794": msg24960, + "22795": msg24961, + "22796": msg24962, + "22797": msg24963, + "22798": msg24964, + "22799": msg24965, + "228": select153, + "2280": select2168, + "22800": msg24966, + "22801": msg24967, + "22802": msg24968, + "22803": msg24969, + "22804": msg24970, + "22805": msg24971, + "22806": msg24972, + "22807": msg24973, + "22808": msg24974, + "22809": msg24975, + "2281": select2169, + "22810": msg24976, + "22811": msg24977, + "22812": msg24978, + "22813": msg24979, + "22814": msg24980, + "22815": msg24981, + "22816": msg24982, + "22817": msg24983, + "22818": msg24984, + "22819": msg24985, + "2282": select2170, + "22820": msg24986, + "22821": msg24987, + "22822": msg24988, + "22823": msg24989, + "22824": msg24990, + "22825": msg24991, + "22826": msg24992, + "22827": msg24993, + "22828": msg24994, + "22829": msg24995, + "2283": select2171, + "22830": msg24996, + "22831": msg24997, + "22832": msg24998, + "22833": msg24999, + "22834": msg25000, + "22835": msg25001, + "22836": msg25002, + "22837": msg25003, + "22838": msg25004, + "22839": msg25005, + "2284": select2172, + "22840": msg25006, + "22841": msg25007, + "22842": msg25008, + "22843": msg25009, + "22844": msg25010, + "22845": msg25011, + "22846": msg25012, + "22847": msg25013, + "22848": msg25014, + "22849": msg25015, + "2285": select2173, + "22850": msg25016, + "22851": msg25017, + "22852": msg25018, + "22853": msg25019, + "22854": msg25020, + "22855": msg25021, + "22856": msg25022, + "22857": msg25023, + "22858": msg25024, + "22859": msg25025, + "2286": select2174, + "22860": msg25026, + "22861": msg25027, + "22862": msg25028, + "22863": msg25029, + "22864": msg25030, + "22865": msg25031, + "22866": msg25032, + "22867": msg25033, + "22868": msg25034, + "22869": msg25035, + "2287": select2175, + "22870": msg25036, + "22871": msg25037, + "22872": msg25038, + "22873": msg25039, + "22874": msg25040, + "22875": msg25041, + "22876": msg25042, + "22877": msg25043, + "22878": msg25044, + "22879": msg25045, + "2288": select2176, + "22880": msg25046, + "22881": msg25047, + "22882": msg25048, + "22883": msg25049, + "22884": msg25050, + "22885": msg25051, + "22886": msg25052, + "22887": msg25053, + "22888": msg25054, + "22889": msg25055, + "2289": select2177, + "22890": msg25056, + "22891": msg25057, + "22892": msg25058, + "22893": msg25059, + "22894": msg25060, + "22895": msg25061, + "22896": msg25062, + "22897": msg25063, + "22898": msg25064, + "22899": msg25065, + "229": select154, + "2290": select2178, + "22900": msg25066, + "22901": msg25067, + "22902": msg25068, + "22903": msg25069, + "22904": msg25070, + "22905": msg25071, + "22906": msg25072, + "22907": msg25073, + "22908": msg25074, + "22909": msg25075, + "2291": select2179, + "22910": msg25076, + "22911": msg25077, + "22912": msg25078, + "22913": msg25079, + "22914": msg25080, + "22915": msg25081, + "22916": msg25082, + "22917": msg25083, + "22918": msg25084, + "22919": msg25085, + "2292": select2180, + "22920": msg25086, + "22921": msg25087, + "22922": msg25088, + "22923": msg25089, + "22924": msg25090, + "22925": msg25091, + "22926": msg25092, + "22927": msg25093, + "22928": msg25094, + "22929": msg25095, + "2293": select2181, + "22930": msg25096, + "22931": msg25097, + "22932": msg25098, + "22933": msg25099, + "22934": msg25100, + "22935": msg25101, + "22936": msg25102, + "22937": msg25103, + "22938": msg25104, + "22939": msg25105, + "2294": select2182, + "22940": msg25106, + "22941": msg25107, + "22942": msg25108, + "22943": msg25109, + "22944": msg25110, + "22945": msg25111, + "22946": msg25112, + "22947": msg25113, + "22948": msg25114, + "22949": msg25115, + "2295": select2183, + "22950": msg25116, + "22951": msg25117, + "22952": msg25118, + "22953": msg25119, + "22954": msg25120, + "22955": msg25121, + "22956": msg25122, + "22957": msg25123, + "22958": msg25124, + "22959": msg25125, + "2296": select2184, + "22960": msg25126, + "22961": msg25127, + "22962": msg25128, + "22963": msg25129, + "22964": msg25130, + "22965": msg25131, + "22966": msg25132, + "22967": msg25133, + "22968": msg25134, + "22969": msg25135, + "2297": select2185, + "22970": msg25136, + "22971": msg25137, + "22972": msg25138, + "22973": msg25139, + "22974": msg25140, + "22975": msg25141, + "22976": msg25142, + "22977": msg25143, + "22978": msg25144, + "22979": msg25145, + "2298": select2186, + "22980": msg25146, + "22981": msg25147, + "22982": msg25148, + "22983": msg25149, + "22984": msg25150, + "22985": msg25151, + "22986": msg25152, + "22987": msg25153, + "22988": msg25154, + "22989": msg25155, + "2299": select2187, + "22990": msg25156, + "22991": msg25157, + "22992": msg25158, + "22993": msg25159, + "22994": msg25160, + "22995": msg25161, + "22996": msg25162, + "22997": msg25163, + "22998": msg25164, + "22999": msg25165, + "23": select23, + "230": select155, + "2300": select2188, + "23000": msg25166, + "23001": msg25167, + "23002": msg25168, + "23003": msg25169, + "23004": msg25170, + "23005": msg25171, + "23006": msg25172, + "23007": msg25173, + "23008": msg25174, + "23009": msg25175, + "2301": select2189, + "23010": msg25176, + "23011": msg25177, + "23012": msg25178, + "23013": msg25179, + "23014": msg25180, + "23015": msg25181, + "23016": msg25182, + "23017": msg25183, + "23018": msg25184, + "23019": msg25185, + "2302": select2190, + "23020": msg25186, + "23021": msg25187, + "23022": msg25188, + "23023": msg25189, + "23024": msg25190, + "23025": msg25191, + "23026": msg25192, + "23027": msg25193, + "23028": msg25194, + "23029": msg25195, + "2303": select2191, + "23030": msg25196, + "23031": msg25197, + "23032": msg25198, + "23033": msg25199, + "23034": msg25200, + "23035": msg25201, + "23036": msg25202, + "23037": msg25203, + "23038": msg25204, + "23039": msg25205, + "2304": select2192, + "23040": msg25206, + "23041": msg25207, + "23042": msg25208, + "23043": msg25209, + "23044": msg25210, + "23045": msg25211, + "23046": msg25212, + "23047": msg25213, + "23048": msg25214, + "23049": msg25215, + "2305": select2193, + "23050": msg25216, + "23051": msg25217, + "23054": msg25218, + "23055": msg25219, + "23056": msg25220, + "23057": msg25221, + "23058": msg25222, + "23059": msg25223, + "2306": select2194, + "23060": msg25224, + "23061": msg25225, + "23062": msg25226, + "23063": msg25227, + "23064": msg25228, + "23065": msg25229, + "23066": msg25230, + "23067": msg25231, + "23068": msg25232, + "23069": msg25233, + "2307": select2195, + "23070": msg25234, + "23071": msg25235, + "23072": msg25236, + "23073": msg25237, + "23074": msg25238, + "23075": msg25239, + "23076": msg25240, + "23077": msg25241, + "23078": msg25242, + "23079": msg25243, + "2308": select2196, + "23080": msg25244, + "23081": msg25245, + "23082": msg25246, + "23083": msg25247, + "23084": msg25248, + "23085": msg25249, + "23086": msg25250, + "23087": msg25251, + "23088": msg25252, + "23089": msg25253, + "2309": select2197, + "23090": msg25254, + "23091": msg25255, + "23092": msg25256, + "23093": msg25257, + "23094": msg25258, + "23095": msg25259, + "23096": msg25260, + "23097": msg25261, + "23098": msg25262, + "23099": msg25263, + "231": select156, + "2310": select2198, + "23100": msg25264, + "23101": msg25265, + "23102": msg25266, + "23103": msg25267, + "23104": msg25268, + "23105": msg25269, + "23106": msg25270, + "23107": msg25271, + "23108": msg25272, + "23109": msg25273, + "2311": select2199, + "23110": msg25274, + "23111": msg25275, + "23112": msg25276, + "23113": msg25277, + "23114": msg25278, + "23115": msg25279, + "23116": msg25280, + "23117": msg25281, + "23118": msg25282, + "23119": msg25283, + "2312": select2200, + "23120": msg25284, + "23121": msg25285, + "23122": msg25286, + "23123": msg25287, + "23124": msg25288, + "23125": msg25289, + "23126": msg25290, + "23127": msg25291, + "23128": msg25292, + "23129": msg25293, + "2313": select2201, + "23130": msg25294, + "23131": msg25295, + "23132": msg25296, + "23133": msg25297, + "23134": msg25298, + "23135": msg25299, + "23136": msg25300, + "23137": msg25301, + "23138": msg25302, + "23139": msg25303, + "2314": select2202, + "23140": msg25304, + "23141": msg25305, + "23142": msg25306, + "23143": msg25307, + "23144": msg25308, + "23145": msg25309, + "23146": msg25310, + "23147": msg25311, + "23148": msg25312, + "23149": msg25313, + "2315": select2203, + "23150": msg25314, + "23151": msg25315, + "23152": msg25316, + "23153": msg25317, + "23154": msg25318, + "23155": msg25319, + "23156": msg25320, + "23157": msg25321, + "23158": msg25322, + "23159": msg25323, + "2316": select2204, + "23160": msg25324, + "23161": msg25325, + "23162": msg25326, + "23163": msg25327, + "23164": msg25328, + "23165": msg25329, + "23166": msg25330, + "23167": msg25331, + "23168": msg25332, + "23169": msg25333, + "2317": select2205, + "23170": msg25334, + "23171": msg25335, + "23172": msg25336, + "23173": msg25337, + "23174": msg25338, + "23175": msg25339, + "23176": msg25340, + "23177": msg25341, + "23178": msg25342, + "23179": msg25343, + "2318": select2206, + "23180": msg25344, + "23181": msg25345, + "23182": msg25346, + "23183": msg25347, + "23184": msg25348, + "23185": msg25349, + "23186": msg25350, + "23187": msg25351, + "23188": msg25352, + "23189": msg25353, + "2319": select2207, + "23190": msg25354, + "23191": msg25355, + "23192": msg25356, + "23193": msg25357, + "23194": msg25358, + "23195": msg25359, + "23196": msg25360, + "23197": msg25361, + "23198": msg25362, + "23199": msg25363, + "232": select157, + "2320": select2208, + "23200": msg25364, + "23201": msg25365, + "23202": msg25366, + "23203": msg25367, + "23204": msg25368, + "23205": msg25369, + "23206": msg25370, + "23207": msg25371, + "23208": msg25372, + "23209": msg25373, + "2321": select2209, + "23210": msg25374, + "23211": msg25375, + "23212": msg25376, + "23213": msg25377, + "23214": msg25378, + "23215": msg25379, + "23216": msg25380, + "23217": msg25381, + "23218": msg25382, + "23219": msg25383, + "2322": select2210, + "23220": msg25384, + "23221": msg25385, + "23222": msg25386, + "23223": msg25387, + "23224": msg25388, + "23225": msg25389, + "23226": msg25390, + "23227": msg25391, + "23228": msg25392, + "23229": msg25393, + "2323": select2211, + "23230": msg25394, + "23231": msg25395, + "23232": msg25396, + "23233": msg25397, + "23234": msg25398, + "23235": msg25399, + "23236": msg25400, + "23237": msg25401, + "23238": msg25402, + "23239": msg25403, + "2324": select2212, + "23240": msg25404, + "23241": msg25405, + "23242": msg25406, + "23243": msg25407, + "23244": msg25408, + "23245": msg25409, + "23246": msg25410, + "23247": msg25411, + "23248": msg25412, + "23249": msg25413, + "2325": select2213, + "23250": msg25414, + "23251": msg25415, + "23252": msg25416, + "23253": msg25417, + "23254": msg25418, + "23255": msg25419, + "23256": msg25420, + "23257": msg25421, + "23258": msg25422, + "23259": msg25423, + "2326": select2214, + "23260": msg25424, + "23261": msg25425, + "23262": msg25426, + "23263": msg25427, + "23264": msg25428, + "23265": msg25429, + "23266": msg25430, + "23267": msg25431, + "23268": msg25432, + "23269": msg25433, + "2327": select2215, + "23270": msg25434, + "23271": msg25435, + "23272": msg25436, + "23273": msg25437, + "23274": msg25438, + "23275": msg25439, + "23276": msg25440, + "23277": msg25441, + "23278": msg25442, + "23279": msg25443, + "2328": select2216, + "23280": msg25444, + "23281": msg25445, + "23282": msg25446, + "23283": msg25447, + "23284": msg25448, + "23285": msg25449, + "23286": msg25450, + "23287": msg25451, + "23288": msg25452, + "23289": msg25453, + "2329": select2217, + "23290": msg25454, + "23291": msg25455, + "23292": msg25456, + "23293": msg25457, + "23294": msg25458, + "23295": msg25459, + "23296": msg25460, + "23297": msg25461, + "23298": msg25462, + "23299": msg25463, + "233": select158, + "2330": select2218, + "23300": msg25464, + "23301": msg25465, + "23302": msg25466, + "23303": msg25467, + "23304": msg25468, + "23305": msg25469, + "23306": msg25470, + "23307": msg25471, + "23308": msg25472, + "23309": msg25473, + "2331": select2219, + "23310": msg25474, + "23311": msg25475, + "23312": msg25476, + "23313": msg25477, + "23314": msg25478, + "23315": msg25479, + "23316": msg25480, + "23317": msg25481, + "23318": msg25482, + "23319": msg25483, + "2332": select2220, + "23320": msg25484, + "23321": msg25485, + "23322": msg25486, + "23323": msg25487, + "23324": msg25488, + "23325": msg25489, + "23326": msg25490, + "23327": msg25491, + "23328": msg25492, + "23329": msg25493, + "2333": select2221, + "23330": msg25494, + "23331": msg25495, + "23332": msg25496, + "23333": msg25497, + "23334": msg25498, + "23335": msg25499, + "23336": msg25500, + "23337": msg25501, + "23338": msg25502, + "23339": msg25503, + "2334": select2222, + "23340": msg25504, + "23341": msg25505, + "23342": msg25506, + "23343": msg25507, + "23344": msg25508, + "23345": msg25509, + "23346": msg25510, + "23347": msg25511, + "23348": msg25512, + "23349": msg25513, + "2335": select2223, + "23350": msg25514, + "23351": msg25515, + "23352": msg25516, + "23353": msg25517, + "23354": msg25518, + "23355": msg25519, + "23356": msg25520, + "23357": msg25521, + "23358": msg25522, + "23359": msg25523, + "2336": select2224, + "23360": msg25524, + "23361": msg25525, + "23362": msg25526, + "23363": msg25527, + "23364": msg25528, + "23365": msg25529, + "23366": msg25530, + "23367": msg25531, + "23368": msg25532, + "23369": msg25533, + "2337": select2225, + "23370": msg25534, + "23371": msg25535, + "23372": msg25536, + "23373": msg25537, + "23374": msg25538, + "23375": msg25539, + "23376": msg25540, + "23377": msg25541, + "23378": msg25542, + "23379": msg25543, + "2338": select2226, + "23380": msg25544, + "23381": msg25545, + "23382": msg25546, + "23383": msg25547, + "23384": msg25548, + "23385": msg25549, + "23386": msg25550, + "23387": msg25551, + "23388": msg25552, + "23389": msg25553, + "2339": select2227, + "23390": msg25554, + "23391": msg25555, + "23392": msg25556, + "23393": msg25557, + "23394": msg25558, + "23395": msg25559, + "23396": msg25560, + "23397": msg25561, + "23398": msg25562, + "23399": msg25563, + "234": select159, + "2340": select2228, + "23400": msg25564, + "23401": msg25565, + "23402": msg25566, + "23403": msg25567, + "23404": msg25568, + "23405": msg25569, + "23406": msg25570, + "23407": msg25571, + "23408": msg25572, + "23409": msg25573, + "2341": select2229, + "23410": msg25574, + "23411": msg25575, + "23412": msg25576, + "23413": msg25577, + "23414": msg25578, + "23415": msg25579, + "23416": msg25580, + "23417": msg25581, + "23418": msg25582, + "23419": msg25583, + "2342": select2230, + "23420": msg25584, + "23421": msg25585, + "23422": msg25586, + "23423": msg25587, + "23424": msg25588, + "23425": msg25589, + "23426": msg25590, + "23427": msg25591, + "23428": msg25592, + "23429": msg25593, + "2343": select2231, + "23430": msg25594, + "23431": msg25595, + "23432": msg25596, + "23433": msg25597, + "23434": msg25598, + "23435": msg25599, + "23436": msg25600, + "23437": msg25601, + "23438": msg25602, + "23439": msg25603, + "2344": select2232, + "23440": msg25604, + "23441": msg25605, + "23442": msg25606, + "23443": msg25607, + "23444": msg25608, + "23445": msg25609, + "23446": msg25610, + "23447": msg25611, + "23448": msg25612, + "23449": msg25613, + "2345": select2233, + "23450": msg25614, + "23451": msg25615, + "23452": msg25616, + "23453": msg25617, + "23454": msg25618, + "23455": msg25619, + "23456": msg25620, + "23457": msg25621, + "23458": msg25622, + "23459": msg25623, + "2346": select2234, + "23460": msg25624, + "23461": msg25625, + "23462": msg25626, + "23463": msg25627, + "23464": msg25628, + "23465": msg25629, + "23466": msg25630, + "23467": msg25631, + "23468": msg25632, + "23469": msg25633, + "2347": select2235, + "23470": msg25634, + "23471": msg25635, + "23472": msg25636, + "23473": msg25637, + "23474": msg25638, + "23475": msg25639, + "23476": msg25640, + "23477": msg25641, + "23478": msg25642, + "23479": msg25643, + "2348": select2236, + "23480": msg25644, + "23481": msg25645, + "23482": msg25646, + "23483": msg25647, + "23484": msg25648, + "23485": msg25649, + "23486": msg25650, + "23487": msg25651, + "23488": msg25652, + "23489": msg25653, + "2349": select2237, + "23490": msg25654, + "23491": msg25655, + "23492": msg25656, + "23493": msg25657, + "23494": msg25658, + "23495": msg25659, + "23496": msg25660, + "23497": msg25661, + "23498": msg25662, + "23499": msg25663, + "235": select160, + "2350": select2238, + "23500": msg25664, + "23501": msg25665, + "23502": msg25666, + "23503": msg25667, + "23504": msg25668, + "23505": msg25669, + "23506": msg25670, + "23507": msg25671, + "23508": msg25672, + "23509": msg25673, + "2351": select2239, + "23510": msg25674, + "23511": msg25675, + "23512": msg25676, + "23513": msg25677, + "23514": msg25678, + "23515": msg25679, + "23516": msg25680, + "23517": msg25681, + "23518": msg25682, + "23519": msg25683, + "2352": select2240, + "23520": msg25684, + "23521": msg25685, + "23522": msg25686, + "23523": msg25687, + "23524": msg25688, + "23525": msg25689, + "23526": msg25690, + "23527": msg25691, + "23528": msg25692, + "23529": msg25693, + "2353": select2241, + "23530": msg25694, + "23531": msg25695, + "23532": msg25696, + "23533": msg25697, + "23534": msg25698, + "23535": msg25699, + "23536": msg25700, + "23537": msg25701, + "23538": msg25702, + "23539": msg25703, + "2354": select2242, + "23540": msg25704, + "23541": msg25705, + "23542": msg25706, + "23543": msg25707, + "23544": msg25708, + "23545": msg25709, + "23546": msg25710, + "23547": msg25711, + "23548": msg25712, + "23549": msg25713, + "2355": select2243, + "23550": msg25714, + "23551": msg25715, + "23552": msg25716, + "23553": msg25717, + "23554": msg25718, + "23555": msg25719, + "23556": msg25720, + "23557": msg25721, + "23558": msg25722, + "23559": msg25723, + "2356": select2244, + "23560": msg25724, + "23561": msg25725, + "23562": msg25726, + "23563": msg25727, + "23564": msg25728, + "23565": msg25729, + "23566": msg25730, + "23567": msg25731, + "23568": msg25732, + "23569": msg25733, + "2357": select2245, + "23570": msg25734, + "23571": msg25735, + "23572": msg25736, + "23573": msg25737, + "23574": msg25738, + "23575": msg25739, + "23576": msg25740, + "23577": msg25741, + "23578": msg25742, + "23579": msg25743, + "2358": select2246, + "23580": msg25744, + "23581": msg25745, + "23582": msg25746, + "23583": msg25747, + "23584": msg25748, + "23585": msg25749, + "23586": msg25750, + "23587": msg25751, + "23588": msg25752, + "23589": msg25753, + "2359": select2247, + "23590": msg25754, + "23591": msg25755, + "23592": msg25756, + "23593": msg25757, + "23594": msg25758, + "23595": msg25759, + "23596": msg25760, + "23597": msg25761, + "23598": msg25762, + "23599": msg25763, + "236": select161, + "2360": select2248, + "23600": msg25764, + "23601": msg25765, + "23602": msg25766, + "23603": msg25767, + "23604": msg25768, + "23605": msg25769, + "23606": msg25770, + "23607": msg25771, + "23608": msg25772, + "23609": msg25773, + "2361": select2249, + "23610": msg25774, + "23611": msg25775, + "23612": msg25776, + "23613": msg25777, + "23614": msg25778, + "23615": msg25779, + "23616": msg25780, + "23617": msg25781, + "23618": msg25782, + "23619": msg25783, + "2362": select2250, + "23620": msg25784, + "23621": msg25785, + "23622": msg25786, + "23623": msg25787, + "23624": msg25788, + "23625": msg25789, + "23626": msg25790, + "23627": msg25791, + "23628": msg25792, + "23629": msg25793, + "2363": select2251, + "23630": msg25794, + "23631": msg25795, + "23632": msg25796, + "23633": msg25797, + "23634": msg25798, + "23635": msg25799, + "23636": msg25800, + "23637": msg25801, + "23638": msg25802, + "23639": msg25803, + "2364": select2252, + "23640": msg25804, + "23641": msg25805, + "23642": msg25806, + "23643": msg25807, + "23644": msg25808, + "23645": msg25809, + "23646": msg25810, + "23647": msg25811, + "23648": msg25812, + "23649": msg25813, + "2365": select2253, + "23650": msg25814, + "23651": msg25815, + "23652": msg25816, + "23653": msg25817, + "23654": msg25818, + "23655": msg25819, + "23656": msg25820, + "23657": msg25821, + "23658": msg25822, + "23659": msg25823, + "2366": select2254, + "23660": msg25824, + "23661": msg25825, + "23662": msg25826, + "23663": msg25827, + "23664": msg25828, + "23665": msg25829, + "23666": msg25830, + "23667": msg25831, + "23668": msg25832, + "23669": msg25833, + "2367": select2255, + "23670": msg25834, + "23671": msg25835, + "23672": msg25836, + "23673": msg25837, + "23674": msg25838, + "23675": msg25839, + "23676": msg25840, + "23677": msg25841, + "23678": msg25842, + "23679": msg25843, + "2368": select2256, + "23680": msg25844, + "23681": msg25845, + "23682": msg25846, + "23683": msg25847, + "23684": msg25848, + "23685": msg25849, + "23686": msg25850, + "23687": msg25851, + "23688": msg25852, + "23689": msg25853, + "2369": select2257, + "23690": msg25854, + "23691": msg25855, + "23692": msg25856, + "23693": msg25857, + "23694": msg25858, + "23695": msg25859, + "23696": msg25860, + "23697": msg25861, + "23698": msg25862, + "23699": msg25863, + "237": select162, + "2370": select2258, + "23700": msg25864, + "23701": msg25865, + "23702": msg25866, + "23703": msg25867, + "23704": msg25868, + "23705": msg25869, + "23706": msg25870, + "23707": msg25871, + "23708": msg25872, + "23709": msg25873, + "2371": select2259, + "23710": msg25874, + "23711": msg25875, + "23712": msg25876, + "23713": msg25877, + "23714": msg25878, + "23715": msg25879, + "23716": msg25880, + "23717": msg25881, + "23718": msg25882, + "23719": msg25883, + "2372": select2260, + "23720": msg25884, + "23721": msg25885, + "23722": msg25886, + "23723": msg25887, + "23724": msg25888, + "23725": msg25889, + "23726": msg25890, + "23727": msg25891, + "23728": msg25892, + "23729": msg25893, + "2373": select2261, + "23730": msg25894, + "23731": msg25895, + "23732": msg25896, + "23733": msg25897, + "23734": msg25898, + "23735": msg25899, + "23736": msg25900, + "23737": msg25901, + "23738": msg25902, + "23739": msg25903, + "2374": select2262, + "23740": msg25904, + "23741": msg25905, + "23742": msg25906, + "23743": msg25907, + "23744": msg25908, + "23745": msg25909, + "23746": msg25910, + "23747": msg25911, + "23748": msg25912, + "23749": msg25913, + "2375": select2263, + "23750": msg25914, + "23751": msg25915, + "23752": msg25916, + "23753": msg25917, + "23754": msg25918, + "23755": msg25919, + "23756": msg25920, + "23757": msg25921, + "23758": msg25922, + "23759": msg25923, + "2376": select2264, + "23760": msg25924, + "23761": msg25925, + "23762": msg25926, + "23763": msg25927, + "23764": msg25928, + "23765": msg25929, + "23766": msg25930, + "23767": msg25931, + "23768": msg25932, + "23769": msg25933, + "2377": select2265, + "23770": msg25934, + "23771": msg25935, + "23772": msg25936, + "23773": msg25937, + "23774": msg25938, + "23775": msg25939, + "23776": msg25940, + "23777": msg25941, + "23778": msg25942, + "23779": msg25943, + "2378": select2266, + "23780": msg25944, + "23781": msg25945, + "23782": msg25946, + "23783": msg25947, + "23784": msg25948, + "23785": msg25949, + "23786": msg25950, + "23787": msg25951, + "23788": msg25952, + "23789": msg25953, + "2379": select2267, + "23790": msg25954, + "23791": msg25955, + "23792": msg25956, + "23793": msg25957, + "23794": msg25958, + "23795": msg25959, + "23796": msg25960, + "23797": msg25961, + "23798": msg25962, + "23799": msg25963, + "238": select163, + "2380": select2268, + "23800": msg25964, + "23801": msg25965, + "23802": msg25966, + "23803": msg25967, + "23804": msg25968, + "23805": msg25969, + "23806": msg25970, + "23807": msg25971, + "23808": msg25972, + "23809": msg25973, + "2381": select2269, + "23810": msg25974, + "23811": msg25975, + "23812": msg25976, + "23813": msg25977, + "23814": msg25978, + "23815": msg25979, + "23816": msg25980, + "23817": msg25981, + "23818": msg25982, + "23819": msg25983, + "2382": select2270, + "23820": msg25984, + "23821": msg25985, + "23822": msg25986, + "23823": msg25987, + "23824": msg25988, + "23825": msg25989, + "23826": msg25990, + "23827": msg25991, + "23828": msg25992, + "23829": msg25993, + "2383": select2271, + "23830": msg25994, + "23831": msg25995, + "23832": msg25996, + "23833": msg25997, + "23834": msg25998, + "23835": msg25999, + "23836": msg26000, + "23837": msg26001, + "23838": msg26002, + "23839": msg26003, + "2384": select2272, + "23840": msg26004, + "23841": msg26005, + "23842": msg26006, + "23843": msg26007, + "23844": msg26008, + "23845": msg26009, + "23846": msg26010, + "23847": msg26011, + "23848": msg26012, + "23849": msg26013, + "2385": select2273, + "23850": msg26014, + "23851": msg26015, + "23852": msg26016, + "23853": msg26017, + "23854": msg26018, + "23855": msg26019, + "23856": msg26020, + "23857": msg26021, + "23858": msg26022, + "23859": msg26023, + "2386": select2274, + "23860": msg26024, + "23861": msg26025, + "23862": msg26026, + "23863": msg26027, + "23864": msg26028, + "23865": msg26029, + "23866": msg26030, + "23867": msg26031, + "23868": msg26032, + "23869": msg26033, + "2387": select2275, + "23870": msg26034, + "23871": msg26035, + "23872": msg26036, + "23873": msg26037, + "23874": msg26038, + "23875": msg26039, + "23876": msg26040, + "23877": msg26041, + "23878": msg26042, + "23879": msg26043, + "2388": select2276, + "23880": msg26044, + "23881": msg26045, + "23882": msg26046, + "23883": msg26047, + "23884": msg26048, + "23885": msg26049, + "23886": msg26050, + "23887": msg26051, + "23888": msg26052, + "23889": msg26053, + "2389": select2277, + "23890": msg26054, + "23891": msg26055, + "23892": msg26056, + "23893": msg26057, + "23894": msg26058, + "23895": msg26059, + "23896": msg26060, + "23897": msg26061, + "23898": msg26062, + "23899": msg26063, + "239": select164, + "2390": select2278, + "23900": msg26064, + "23901": msg26065, + "23902": msg26066, + "23903": msg26067, + "23904": msg26068, + "23905": msg26069, + "23906": msg26070, + "23907": msg26071, + "23908": msg26072, + "23909": msg26073, + "2391": select2279, + "23910": msg26074, + "23911": msg26075, + "23912": msg26076, + "23913": msg26077, + "23914": msg26078, + "23915": msg26079, + "23916": msg26080, + "23917": msg26081, + "23918": msg26082, + "23919": msg26083, + "2392": select2280, + "23920": msg26084, + "23921": msg26085, + "23922": msg26086, + "23923": msg26087, + "23924": msg26088, + "23925": msg26089, + "23926": msg26090, + "23927": msg26091, + "23928": msg26092, + "23929": msg26093, + "2393": select2281, + "23930": msg26094, + "23931": msg26095, + "23932": msg26096, + "23933": msg26097, + "23934": msg26098, + "23935": msg26099, + "23936": msg26100, + "23937": msg26101, + "23938": msg26102, + "23939": msg26103, + "2394": select2282, + "23940": msg26104, + "23941": msg26105, + "23942": msg26106, + "23943": msg26107, + "23944": msg26108, + "23945": msg26109, + "23946": msg26110, + "23947": msg26111, + "23948": msg26112, + "23949": msg26113, + "2395": select2283, + "23950": msg26114, + "23951": msg26115, + "23952": msg26116, + "23953": msg26117, + "23954": msg26118, + "23955": msg26119, + "23956": msg26120, + "23957": msg26121, + "23958": msg26122, + "23959": msg26123, + "2396": select2284, + "23960": msg26124, + "23961": msg26125, + "23962": msg26126, + "23963": msg26127, + "23964": msg26128, + "23965": msg26129, + "23966": msg26130, + "23967": msg26131, + "23968": msg26132, + "23969": msg26133, + "2397": select2285, + "23970": msg26134, + "23971": msg26135, + "23972": msg26136, + "23973": msg26137, + "23974": msg26138, + "23975": msg26139, + "23976": msg26140, + "23977": msg26141, + "23978": msg26142, + "23979": msg26143, + "2398": select2286, + "23980": msg26144, + "23981": msg26145, + "23982": msg26146, + "23983": msg26147, + "23984": msg26148, + "23985": msg26149, + "23986": msg26150, + "23987": msg26151, + "23988": msg26152, + "23989": msg26153, + "2399": select2287, + "23990": msg26154, + "23991": msg26155, + "23992": msg26156, + "23993": msg26157, + "23994": msg26158, + "23995": msg26159, + "23996": msg26160, + "23997": msg26161, + "23998": msg26162, + "23999": msg26163, + "24": msg57, + "240": select165, + "2400": select2288, + "24000": msg26164, + "24001": msg26165, + "24002": msg26166, + "24003": msg26167, + "24004": msg26168, + "24005": msg26169, + "24006": msg26170, + "24007": msg26171, + "24008": msg26172, + "24009": msg26173, + "2401": select2289, + "24010": msg26174, + "24011": msg26175, + "24012": msg26176, + "24013": msg26177, + "24014": msg26178, + "24015": msg26179, + "24016": msg26180, + "24017": msg26181, + "24018": msg26182, + "24019": msg26183, + "2402": select2290, + "24020": msg26184, + "24021": msg26185, + "24022": msg26186, + "24023": msg26187, + "24024": msg26188, + "24025": msg26189, + "24026": msg26190, + "24027": msg26191, + "24028": msg26192, + "24029": msg26193, + "2403": select2291, + "24030": msg26194, + "24031": msg26195, + "24032": msg26196, + "24033": msg26197, + "24034": msg26198, + "24035": msg26199, + "24036": msg26200, + "24037": msg26201, + "24038": msg26202, + "24039": msg26203, + "2404": select2292, + "24040": msg26204, + "2404003": msg38420, + "2404011": msg38421, + "2404013": msg38422, + "2404015": msg38423, + "2404016": msg38424, + "24041": msg26205, + "24042": msg26206, + "24043": msg26207, + "24044": msg26208, + "24045": msg26209, + "24046": msg26210, + "24047": msg26211, + "24048": msg26212, + "24049": msg26213, + "2405": select2293, + "24050": msg26214, + "24051": msg26215, + "24052": msg26216, + "24053": msg26217, + "24054": msg26218, + "24055": msg26219, + "24056": msg26220, + "24057": msg26221, + "24058": msg26222, + "24059": msg26223, + "2406": select2294, + "24060": msg26224, + "24061": msg26225, + "24062": msg26226, + "24063": msg26227, + "24064": msg26228, + "24065": msg26229, + "24066": msg26230, + "24067": msg26231, + "24068": msg26232, + "24069": msg26233, + "2407": select2295, + "24070": msg26234, + "24071": msg26235, + "24072": msg26236, + "24073": msg26237, + "24074": msg26238, + "24075": msg26239, + "24076": msg26240, + "24077": msg26241, + "24078": msg26242, + "24079": msg26243, + "2408": select2296, + "24080": msg26244, + "24081": msg26245, + "24082": msg26246, + "24083": msg26247, + "24084": msg26248, + "24085": msg26249, + "24086": msg26250, + "24087": msg26251, + "24088": msg26252, + "24089": msg26253, + "2409": select2297, + "24090": msg26254, + "24091": msg26255, + "24092": msg26256, + "24093": msg26257, + "24094": msg26258, + "24095": msg26259, + "24096": msg26260, + "24097": msg26261, + "24098": msg26262, + "24099": msg26263, + "241": select166, + "2410": select2298, + "24100": msg26264, + "24101": msg26265, + "24102": msg26266, + "24103": msg26267, + "24104": msg26268, + "24105": msg26269, + "24106": msg26270, + "24107": msg26271, + "24108": msg26272, + "24109": msg26273, + "2411": select2299, + "24110": msg26274, + "24111": msg26275, + "24112": msg26276, + "24113": msg26277, + "24114": msg26278, + "24115": msg26279, + "24116": msg26280, + "24117": msg26281, + "24118": msg26282, + "24119": msg26283, + "2412": select2300, + "24120": msg26284, + "24121": msg26285, + "24122": msg26286, + "24123": msg26287, + "24124": msg26288, + "24125": msg26289, + "24126": msg26290, + "24127": msg26291, + "24128": msg26292, + "24129": msg26293, + "2413": select2301, + "24130": msg26294, + "24131": msg26295, + "24132": msg26296, + "24133": msg26297, + "24134": msg26298, + "24135": msg26299, + "24136": msg26300, + "24137": msg26301, + "24138": msg26302, + "24139": msg26303, + "2414": select2302, + "24140": msg26304, + "24141": msg26305, + "24142": msg26306, + "24143": msg26307, + "24144": msg26308, + "24145": msg26309, + "24146": msg26310, + "24147": msg26311, + "24148": msg26312, + "24149": msg26313, + "2415": select2303, + "24150": msg26314, + "24151": msg26315, + "24152": msg26316, + "24153": msg26317, + "24154": msg26318, + "24155": msg26319, + "24156": msg26320, + "24157": msg26321, + "24158": msg26322, + "24159": msg26323, + "2416": select2304, + "24160": msg26324, + "24161": msg26325, + "24162": msg26326, + "24163": msg26327, + "24164": msg26328, + "24165": msg26329, + "24166": msg26330, + "24167": msg26331, + "24168": msg26332, + "24169": msg26333, + "2417": select2305, + "24170": msg26334, + "24171": msg26335, + "24172": msg26336, + "24173": msg26337, + "24174": msg26338, + "24175": msg26339, + "24176": msg26340, + "24177": msg26341, + "24178": msg26342, + "24179": msg26343, + "2418": select2306, + "24180": msg26344, + "24181": msg26345, + "24182": msg26346, + "24183": msg26347, + "24184": msg26348, + "24185": msg26349, + "24186": msg26350, + "24187": msg26351, + "24188": msg26352, + "24189": msg26353, + "2419": select2307, + "24190": msg26354, + "24191": msg26355, + "24192": msg26356, + "24193": msg26357, + "24194": msg26358, + "24195": msg26359, + "24196": msg26360, + "24197": msg26361, + "24198": msg26362, + "24199": msg26363, + "2420": select2308, + "24200": msg26364, + "24201": msg26365, + "24202": msg26366, + "24203": msg26367, + "24204": msg26368, + "24205": msg26369, + "24206": msg26370, + "24207": msg26371, + "24208": msg26372, + "24209": msg26373, + "2421": select2309, + "24210": msg26374, + "24211": msg26375, + "24212": msg26376, + "24213": msg26377, + "24214": msg26378, + "24215": msg26379, + "24216": msg26380, + "24217": msg26381, + "24218": msg26382, + "24219": msg26383, + "2422": select2310, + "24220": msg26384, + "24221": msg26385, + "24222": msg26386, + "24223": msg26387, + "24224": msg26388, + "24225": msg26389, + "24226": msg26390, + "24227": msg26391, + "24228": msg26392, + "24229": msg26393, + "2423": select2311, + "24230": msg26394, + "24231": msg26395, + "24232": msg26396, + "24233": msg26397, + "24234": msg26398, + "24235": msg26399, + "24236": msg26400, + "24237": msg26401, + "24238": msg26402, + "24239": msg26403, + "2424": select2312, + "24240": msg26404, + "24241": msg26405, + "24242": msg26406, + "24243": msg26407, + "24244": msg26408, + "24245": msg26409, + "24246": msg26410, + "24247": msg26411, + "24248": msg26412, + "24249": msg26413, + "2425": select2313, + "24250": msg26414, + "24251": msg26415, + "24252": msg26416, + "24253": msg26417, + "24254": msg26418, + "24255": msg26419, + "24256": msg26420, + "24257": msg26421, + "24258": msg26422, + "24259": msg26423, + "2426": select2314, + "24260": msg26424, + "24261": msg26425, + "24262": msg26426, + "24263": msg26427, + "24264": msg26428, + "24265": msg26429, + "24266": msg26430, + "24267": msg26431, + "24268": msg26432, + "24269": msg26433, + "2427": select2315, + "24270": msg26434, + "24271": msg26435, + "24272": msg26436, + "24273": msg26437, + "24274": msg26438, + "24275": msg26439, + "24276": msg26440, + "24277": msg26441, + "24278": msg26442, + "24279": msg26443, + "2428": select2316, + "24280": msg26444, + "24281": msg26445, + "24282": msg26446, + "24283": msg26447, + "24284": msg26448, + "24285": msg26449, + "24286": msg26450, + "24287": msg26451, + "24288": msg26452, + "24289": msg26453, + "2429": select2317, + "24290": msg26454, + "24291": msg26455, + "24292": msg26456, + "24293": msg26457, + "24294": msg26458, + "24295": msg26459, + "24296": msg26460, + "24297": msg26461, + "24298": msg26462, + "24299": msg26463, + "243": select167, + "2430": select2318, + "24300": msg26464, + "24301": msg26465, + "24302": msg26466, + "24303": msg26467, + "24304": msg26468, + "24305": msg26469, + "24306": msg26470, + "24307": msg26471, + "24308": msg26472, + "24309": msg26473, + "2431": select2319, + "24310": msg26474, + "24311": msg26475, + "24312": msg26476, + "24313": msg26477, + "24314": msg26478, + "24315": msg26479, + "24316": msg26480, + "24317": msg26481, + "24318": msg26482, + "24319": msg26483, + "2432": select2320, + "24320": msg26484, + "24321": msg26485, + "24322": msg26486, + "24323": msg26487, + "24324": msg26488, + "24325": msg26489, + "24326": msg26490, + "24327": msg26491, + "24328": msg26492, + "24329": msg26493, + "2433": select2321, + "24330": msg26494, + "24331": msg26495, + "24332": msg26496, + "24333": msg26497, + "24334": msg26498, + "24335": msg26499, + "24336": msg26500, + "24337": msg26501, + "24338": msg26502, + "24339": msg26503, + "2434": select2322, + "24340": msg26504, + "24341": msg26505, + "24342": msg26506, + "24343": msg26507, + "24344": msg26508, + "24345": msg26509, + "24346": msg26510, + "24347": msg26511, + "24348": msg26512, + "24349": msg26513, + "2435": select2323, + "24350": msg26514, + "24351": msg26515, + "24352": msg26516, + "24353": msg26517, + "24354": msg26518, + "24355": msg26519, + "24356": msg26520, + "24357": msg26521, + "24358": msg26522, + "24359": msg26523, + "2436": select2324, + "24360": msg26524, + "24361": msg26525, + "24362": msg26526, + "24363": msg26527, + "24364": msg26528, + "24365": msg26529, + "24366": msg26530, + "24367": msg26531, + "24368": msg26532, + "24369": msg26533, + "2437": select2325, + "24370": msg26534, + "24371": msg26535, + "24372": msg26536, + "24373": msg26537, + "24374": msg26538, + "24375": msg26539, + "24376": msg26540, + "24377": msg26541, + "24378": msg26542, + "24379": msg26543, + "2438": select2326, + "24380": msg26544, + "24381": msg26545, + "24382": msg26546, + "24383": msg26547, + "24384": msg26548, + "24385": msg26549, + "24386": msg26550, + "24387": msg26551, + "24388": msg26552, + "24389": msg26553, + "2439": select2327, + "24390": msg26554, + "24391": msg26555, + "24392": msg26556, + "24393": msg26557, + "24394": msg26558, + "24395": msg26559, + "24396": msg26560, + "24397": msg26561, + "24398": msg26562, + "24399": msg26563, + "244": select168, + "2440": select2328, + "24400": msg26564, + "24401": msg26565, + "24402": msg26566, + "24403": msg26567, + "24404": msg26568, + "24405": msg26569, + "24406": msg26570, + "24407": msg26571, + "24408": msg26572, + "24409": msg26573, + "2441": select2329, + "24410": msg26574, + "24411": msg26575, + "24412": msg26576, + "24413": msg26577, + "24414": msg26578, + "24415": msg26579, + "24416": msg26580, + "24417": msg26581, + "24418": msg26582, + "24419": msg26583, + "2442": select2330, + "24420": msg26584, + "24421": msg26585, + "24422": msg26586, + "24423": msg26587, + "24424": msg26588, + "24425": msg26589, + "24426": msg26590, + "24427": msg26591, + "24428": msg26592, + "24429": msg26593, + "2443": select2331, + "24430": msg26594, + "24431": msg26595, + "24432": msg26596, + "24433": msg26597, + "24434": msg26598, + "24435": msg26599, + "24436": msg26600, + "24437": msg26601, + "24438": msg26602, + "24439": msg26603, + "2444": select2332, + "24440": msg26604, + "24441": msg26605, + "24442": msg26606, + "24443": msg26607, + "24444": msg26608, + "24445": msg26609, + "24446": msg26610, + "24447": msg26611, + "24448": msg26612, + "24449": msg26613, + "2445": select2333, + "24450": msg26614, + "24451": msg26615, + "24452": msg26616, + "24453": msg26617, + "24454": msg26618, + "24455": msg26619, + "24456": msg26620, + "24457": msg26621, + "24458": msg26622, + "24459": msg26623, + "2446": select2334, + "24460": msg26624, + "24461": msg26625, + "24462": msg26626, + "24463": msg26627, + "24464": msg26628, + "24465": msg26629, + "24466": msg26630, + "24467": msg26631, + "24468": msg26632, + "24469": msg26633, + "2447": select2335, + "24470": msg26634, + "24471": msg26635, + "24472": msg26636, + "24473": msg26637, + "24474": msg26638, + "24475": msg26639, + "24476": msg26640, + "24477": msg26641, + "24478": msg26642, + "24479": msg26643, + "2448": select2336, + "24480": msg26644, + "24481": msg26645, + "24482": msg26646, + "24483": msg26647, + "24484": msg26648, + "24485": msg26649, + "24486": msg26650, + "24487": msg26651, + "24488": msg26652, + "24489": msg26653, + "2449": select2337, + "24490": msg26654, + "24491": msg26655, + "24492": msg26656, + "24493": msg26657, + "24494": msg26658, + "24495": msg26659, + "24496": msg26660, + "24497": msg26661, + "24498": msg26662, + "24499": msg26663, + "245": select169, + "2450": select2338, + "24500": msg26664, + "24501": msg26665, + "24502": msg26666, + "24503": msg26667, + "24504": msg26668, + "24505": msg26669, + "24506": msg26670, + "24507": msg26671, + "24508": msg26672, + "24509": msg26673, + "2451": select2339, + "24510": msg26674, + "24511": msg26675, + "24512": msg26676, + "24513": msg26677, + "24514": msg26678, + "24515": msg26679, + "24516": msg26680, + "24517": msg26681, + "24518": msg26682, + "24519": msg26683, + "2452": select2340, + "24520": msg26684, + "24521": msg26685, + "24522": msg26686, + "24523": msg26687, + "24524": msg26688, + "24525": msg26689, + "24526": msg26690, + "24527": msg26691, + "24528": msg26692, + "24529": msg26693, + "2453": select2341, + "24530": msg26694, + "24531": msg26695, + "24532": msg26696, + "24533": msg26697, + "24534": msg26698, + "24535": msg26699, + "24536": msg26700, + "24537": msg26701, + "24538": msg26702, + "24539": msg26703, + "2454": select2342, + "24540": msg26704, + "24541": msg26705, + "24542": msg26706, + "24543": msg26707, + "24544": msg26708, + "24545": msg26709, + "24546": msg26710, + "24547": msg26711, + "24548": msg26712, + "24549": msg26713, + "2455": select2343, + "24550": msg26714, + "24551": msg26715, + "24552": msg26716, + "24553": msg26717, + "24554": msg26718, + "24555": msg26719, + "24556": msg26720, + "24557": msg26721, + "24558": msg26722, + "24559": msg26723, + "2456": select2344, + "24560": msg26724, + "24561": msg26725, + "24562": msg26726, + "24563": msg26727, + "24564": msg26728, + "24565": msg26729, + "24566": msg26730, + "24567": msg26731, + "24568": msg26732, + "24569": msg26733, + "2457": select2345, + "24570": msg26734, + "24571": msg26735, + "24572": msg26736, + "24573": msg26737, + "24574": msg26738, + "24575": msg26739, + "24576": msg26740, + "24577": msg26741, + "24578": msg26742, + "24579": msg26743, + "2458": select2346, + "24580": msg26744, + "24581": msg26745, + "24582": msg26746, + "24583": msg26747, + "24584": msg26748, + "24585": msg26749, + "24586": msg26750, + "24587": msg26751, + "24588": msg26752, + "24589": msg26753, + "2459": select2347, + "24590": msg26754, + "24591": msg26755, + "24592": msg26756, + "24593": msg26757, + "24594": msg26758, + "24595": msg26759, + "24596": msg26760, + "24597": msg26761, + "24598": msg26762, + "24599": msg26763, + "246": select170, + "2460": select2348, + "24600": msg26764, + "24601": msg26765, + "24602": msg26766, + "24603": msg26767, + "24604": msg26768, + "24605": msg26769, + "24606": msg26770, + "24607": msg26771, + "24608": msg26772, + "24609": msg26773, + "2461": select2349, + "24610": msg26774, + "24611": msg26775, + "24612": msg26776, + "24613": msg26777, + "24614": msg26778, + "24615": msg26779, + "24616": msg26780, + "24617": msg26781, + "24618": msg26782, + "24619": msg26783, + "2462": select2350, + "24620": msg26784, + "24621": msg26785, + "24622": msg26786, + "24623": msg26787, + "24624": msg26788, + "24625": msg26789, + "24626": msg26790, + "24627": msg26791, + "24628": msg26792, + "24629": msg26793, + "2463": select2351, + "24630": msg26794, + "24631": msg26795, + "24632": msg26796, + "24633": msg26797, + "24634": msg26798, + "24635": msg26799, + "24636": msg26800, + "24637": msg26801, + "24638": msg26802, + "24639": msg26803, + "2464": select2352, + "24640": msg26804, + "24641": msg26805, + "24642": msg26806, + "24643": msg26807, + "24644": msg26808, + "24645": msg26809, + "24646": msg26810, + "24647": msg26811, + "24648": msg26812, + "24649": msg26813, + "2465": select2353, + "24650": msg26814, + "24651": msg26815, + "24652": msg26816, + "24653": msg26817, + "24654": msg26818, + "24655": msg26819, + "24656": msg26820, + "24657": msg26821, + "24658": msg26822, + "24659": msg26823, + "2466": select2354, + "24660": msg26824, + "24661": msg26825, + "24662": msg26826, + "24663": msg26827, + "24664": msg26828, + "24665": msg26829, + "24666": msg26830, + "24667": msg26831, + "24668": msg26832, + "24669": msg26833, + "2467": select2355, + "24670": msg26834, + "24671": msg26835, + "24672": msg26836, + "24673": msg26837, + "24674": msg26838, + "24675": msg26839, + "24676": msg26840, + "24677": msg26841, + "24678": msg26842, + "24679": msg26843, + "2468": select2356, + "24680": msg26844, + "24681": msg26845, + "24682": msg26846, + "24683": msg26847, + "24684": msg26848, + "24685": msg26849, + "24686": msg26850, + "24687": msg26851, + "24688": msg26852, + "24689": msg26853, + "2469": select2357, + "24690": msg26854, + "24691": msg26855, + "24692": msg26856, + "24693": msg26857, + "24694": msg26858, + "24695": msg26859, + "24696": msg26860, + "24697": msg26861, + "24698": msg26862, + "24699": msg26863, + "247": select171, + "2470": select2358, + "24700": msg26864, + "24701": msg26865, + "24702": msg26866, + "24703": msg26867, + "24704": msg26868, + "24705": msg26869, + "24706": msg26870, + "24707": msg26871, + "24708": msg26872, + "24709": msg26873, + "2471": select2359, + "24710": msg26874, + "24711": msg26875, + "24712": msg26876, + "24713": msg26877, + "24714": msg26878, + "24715": msg26879, + "24716": msg26880, + "24717": msg26881, + "24718": msg26882, + "24719": msg26883, + "2472": select2360, + "24720": msg26884, + "24721": msg26885, + "24722": msg26886, + "24723": msg26887, + "24724": msg26888, + "24725": msg26889, + "24726": msg26890, + "24727": msg26891, + "24728": msg26892, + "24729": msg26893, + "2473": select2361, + "24730": msg26894, + "24731": msg26895, + "24732": msg26896, + "24733": msg26897, + "24734": msg26898, + "24735": msg26899, + "24736": msg26900, + "24737": msg26901, + "24738": msg26902, + "24739": msg26903, + "2474": select2362, + "24740": msg26904, + "24741": msg26905, + "24742": msg26906, + "24743": msg26907, + "24744": msg26908, + "24745": msg26909, + "24746": msg26910, + "24747": msg26911, + "24748": msg26912, + "24749": msg26913, + "2475": select2363, + "24750": msg26914, + "24751": msg26915, + "24752": msg26916, + "24753": msg26917, + "24754": msg26918, + "24755": msg26919, + "24756": msg26920, + "24757": msg26921, + "24758": msg26922, + "24759": msg26923, + "2476": select2364, + "24760": msg26924, + "24761": msg26925, + "24762": msg26926, + "24763": msg26927, + "24764": msg26928, + "24765": msg26929, + "24766": msg26930, + "24767": msg26931, + "24768": msg26932, + "24769": msg26933, + "2477": select2365, + "24770": msg26934, + "24771": msg26935, + "24772": msg26936, + "24773": msg26937, + "24774": msg26938, + "24775": msg26939, + "24776": msg26940, + "24777": msg26941, + "24778": msg26942, + "24779": msg26943, + "2478": select2366, + "24780": msg26944, + "24781": msg26945, + "24782": msg26946, + "24783": msg26947, + "24784": msg26948, + "24785": msg26949, + "24786": msg26950, + "24787": msg26951, + "24788": msg26952, + "24789": msg26953, + "2479": select2367, + "24790": msg26954, + "24791": msg26955, + "24792": msg26956, + "24793": msg26957, + "24794": msg26958, + "24795": msg26959, + "24796": msg26960, + "24797": msg26961, + "24798": msg26962, + "24799": msg26963, + "248": select172, + "2480": select2368, + "24800": msg26964, + "24801": msg26965, + "24802": msg26966, + "24803": msg26967, + "24804": msg26968, + "24805": msg26969, + "24806": msg26970, + "24807": msg26971, + "24808": msg26972, + "24809": msg26973, + "2481": select2369, + "24810": msg26974, + "24811": msg26975, + "24812": msg26976, + "24813": msg26977, + "24814": msg26978, + "24815": msg26979, + "24816": msg26980, + "24817": msg26981, + "24818": msg26982, + "24819": msg26983, + "2482": select2370, + "24820": msg26984, + "24821": msg26985, + "24822": msg26986, + "24823": msg26987, + "24824": msg26988, + "24825": msg26989, + "24826": msg26990, + "24827": msg26991, + "24828": msg26992, + "24829": msg26993, + "2483": select2371, + "24830": msg26994, + "24831": msg26995, + "24832": msg26996, + "24833": msg26997, + "24834": msg26998, + "24835": msg26999, + "24836": msg27000, + "24837": msg27001, + "24838": msg27002, + "24839": msg27003, + "2484": select2372, + "24840": msg27004, + "24841": msg27005, + "24842": msg27006, + "24843": msg27007, + "24844": msg27008, + "24845": msg27009, + "24846": msg27010, + "24847": msg27011, + "24848": msg27012, + "24849": msg27013, + "2485": select2373, + "24850": msg27014, + "24851": msg27015, + "24852": msg27016, + "24853": msg27017, + "24854": msg27018, + "24855": msg27019, + "24856": msg27020, + "24857": msg27021, + "24858": msg27022, + "24859": msg27023, + "2486": select2374, + "24860": msg27024, + "24861": msg27025, + "24862": msg27026, + "24863": msg27027, + "24864": msg27028, + "24865": msg27029, + "24866": msg27030, + "24867": msg27031, + "24868": msg27032, + "24869": msg27033, + "2487": select2375, + "24870": msg27034, + "24871": msg27035, + "24872": msg27036, + "24873": msg27037, + "24874": msg27038, + "24875": msg27039, + "24876": msg27040, + "24877": msg27041, + "24878": msg27042, + "24879": msg27043, + "2488": select2376, + "24880": msg27044, + "24881": msg27045, + "24882": msg27046, + "24883": msg27047, + "24884": msg27048, + "24885": msg27049, + "24886": msg27050, + "24887": msg27051, + "24888": msg27052, + "24889": msg27053, + "2489": select2377, + "24890": msg27054, + "24891": msg27055, + "24892": msg27056, + "24893": msg27057, + "24894": msg27058, + "24895": msg27059, + "24896": msg27060, + "24897": msg27061, + "24898": msg27062, + "24899": msg27063, + "249": select173, + "2490": select2378, + "24900": msg27064, + "24901": msg27065, + "24902": msg27066, + "24903": msg27067, + "24904": msg27068, + "24905": msg27069, + "24906": msg27070, + "24907": msg27071, + "24908": msg27072, + "24909": msg27073, + "2491": select2379, + "24910": msg27074, + "24911": msg27075, + "24912": msg27076, + "24913": msg27077, + "24914": msg27078, + "24915": msg27079, + "24916": msg27080, + "24917": msg27081, + "24918": msg27082, + "2492": select2380, + "2493": select2381, + "2494": select2382, + "2495": select2383, + "24955": msg27083, + "24956": msg27084, + "24957": msg27085, + "24958": msg27086, + "24959": msg27087, + "2496": select2384, + "24960": msg27088, + "24961": msg27089, + "24962": msg27090, + "24963": msg27091, + "24964": msg27092, + "24965": msg27093, + "24966": msg27094, + "24967": msg27095, + "24968": msg27096, + "24969": msg27097, + "2497": select2385, + "24970": msg27098, + "24971": msg27099, + "24972": msg27100, + "24973": msg27101, + "24974": msg27102, + "24975": msg27103, + "24976": msg27104, + "24977": msg27105, + "24978": msg27106, + "24979": msg27107, + "2498": select2386, + "24980": msg27108, + "24981": msg27109, + "24982": msg27110, + "24983": msg27111, + "24984": msg27112, + "24985": msg27113, + "24986": msg27114, + "24987": msg27115, + "24988": msg27116, + "24989": msg27117, + "2499": select2387, + "24990": msg27118, + "24991": msg27119, + "24992": msg27120, + "24993": msg27121, + "24994": msg27122, + "24995": msg27123, + "24996": msg27124, + "24997": msg27125, + "24998": msg27126, + "24999": msg27127, + "25": select24, + "250": select174, + "2500": select2388, + "25000": msg27128, + "25001": msg27129, + "25002": msg27130, + "25003": msg27131, + "25004": msg27132, + "25005": msg27133, + "25006": msg27134, + "25007": msg27135, + "25008": msg27136, + "25009": msg27137, + "2501": select2389, + "25010": msg27138, + "25011": msg27139, + "25012": msg27140, + "25013": msg27141, + "25014": msg27142, + "25015": msg27143, + "25016": msg27144, + "25017": msg27145, + "25018": msg27146, + "25019": msg27147, + "2502": select2390, + "25020": msg27148, + "25021": msg27149, + "25022": msg27150, + "25023": msg27151, + "25024": msg27152, + "25025": msg27153, + "25026": msg27154, + "25027": msg27155, + "25028": msg27156, + "25029": msg27157, + "2503": select2391, + "25030": msg27158, + "25031": msg27159, + "25032": msg27160, + "25033": msg27161, + "25034": msg27162, + "25035": msg27163, + "25036": msg27164, + "25037": msg27165, + "25038": msg27166, + "25039": msg27167, + "2504": select2392, + "25040": msg27168, + "25041": msg27169, + "25042": msg27170, + "25043": msg27171, + "25044": msg27172, + "25045": msg27173, + "25046": msg27174, + "25047": msg27175, + "25048": msg27176, + "25049": msg27177, + "2505": select2393, + "25050": msg27178, + "25051": msg27179, + "25052": msg27180, + "25053": msg27181, + "25054": msg27182, + "25055": msg27183, + "25056": msg27184, + "25057": msg27185, + "25058": msg27186, + "25059": msg27187, + "2506": select2394, + "25060": msg27188, + "25061": msg27189, + "25062": msg27190, + "25063": msg27191, + "25064": msg27192, + "25065": msg27193, + "25066": msg27194, + "25067": msg27195, + "25068": msg27196, + "25069": msg27197, + "2507": select2395, + "25070": msg27198, + "25071": msg27199, + "25072": msg27200, + "25073": msg27201, + "25074": msg27202, + "25075": msg27203, + "25076": msg27204, + "25077": msg27205, + "25078": msg27206, + "25079": msg27207, + "2508": select2396, + "25080": msg27208, + "25081": msg27209, + "25082": msg27210, + "25083": msg27211, + "25084": msg27212, + "25085": msg27213, + "25086": msg27214, + "25087": msg27215, + "25088": msg27216, + "25089": msg27217, + "2509": select2397, + "25090": msg27218, + "25091": msg27219, + "25092": msg27220, + "25093": msg27221, + "25094": msg27222, + "25095": msg27223, + "25096": msg27224, + "25097": msg27225, + "25098": msg27226, + "25099": msg27227, + "251": select175, + "2510": select2398, + "25100": msg27228, + "25101": msg27229, + "25102": msg27230, + "25103": msg27231, + "25104": msg27232, + "25105": msg27233, + "25106": msg27234, + "25107": msg27235, + "25108": msg27236, + "25109": msg27237, + "2511": select2399, + "25110": msg27238, + "25111": msg27239, + "25112": msg27240, + "25113": msg27241, + "25114": msg27242, + "25115": msg27243, + "25116": msg27244, + "25117": msg27245, + "25118": msg27246, + "25119": msg27247, + "2512": select2400, + "25120": msg27248, + "25121": msg27249, + "25122": msg27250, + "25123": msg27251, + "25124": msg27252, + "25125": msg27253, + "25126": msg27254, + "25127": msg27255, + "25128": msg27256, + "25129": msg27257, + "2513": select2401, + "25130": msg27258, + "25131": msg27259, + "25132": msg27260, + "25133": msg27261, + "25134": msg27262, + "25135": msg27263, + "25136": msg27264, + "25137": msg27265, + "25138": msg27266, + "25139": msg27267, + "2514": select2402, + "25140": msg27268, + "25141": msg27269, + "25142": msg27270, + "25143": msg27271, + "25144": msg27272, + "25145": msg27273, + "25146": msg27274, + "25147": msg27275, + "25148": msg27276, + "25149": msg27277, + "2515": select2403, + "25150": msg27278, + "25151": msg27279, + "25152": msg27280, + "25153": msg27281, + "25154": msg27282, + "25155": msg27283, + "25156": msg27284, + "25157": msg27285, + "25158": msg27286, + "25159": msg27287, + "2516": select2404, + "25160": msg27288, + "25161": msg27289, + "25162": msg27290, + "25163": msg27291, + "25164": msg27292, + "25165": msg27293, + "25166": msg27294, + "25167": msg27295, + "25168": msg27296, + "25169": msg27297, + "2517": select2405, + "25170": msg27298, + "25171": msg27299, + "25172": msg27300, + "25173": msg27301, + "25174": msg27302, + "25175": msg27303, + "25176": msg27304, + "25177": msg27305, + "25178": msg27306, + "25179": msg27307, + "2518": select2406, + "25180": msg27308, + "25181": msg27309, + "25182": msg27310, + "25183": msg27311, + "25184": msg27312, + "25185": msg27313, + "25186": msg27314, + "25187": msg27315, + "25188": msg27316, + "25189": msg27317, + "2519": select2407, + "25190": msg27318, + "25191": msg27319, + "25192": msg27320, + "25193": msg27321, + "25194": msg27322, + "25195": msg27323, + "25196": msg27324, + "25197": msg27325, + "25198": msg27326, + "25199": msg27327, + "252": select176, + "2520": select2408, + "25200": msg27328, + "25201": msg27329, + "25202": msg27330, + "25203": msg27331, + "25204": msg27332, + "25205": msg27333, + "25206": msg27334, + "25207": msg27335, + "25208": msg27336, + "25209": msg27337, + "2521": select2409, + "25210": msg27338, + "25211": msg27339, + "25212": msg27340, + "25213": msg27341, + "25214": msg27342, + "25215": msg27343, + "25216": msg27344, + "25217": msg27345, + "25218": msg27346, + "25219": msg27347, + "2522": select2410, + "25220": msg27348, + "25221": msg27349, + "25222": msg27350, + "25223": msg27351, + "25224": msg27352, + "25225": msg27353, + "25226": msg27354, + "25227": msg27355, + "25228": msg27356, + "25229": msg27357, + "2523": select2411, + "25230": msg27358, + "25231": msg27359, + "25232": msg27360, + "25233": msg27361, + "25234": msg27362, + "25235": msg27363, + "25236": msg27364, + "25237": msg27365, + "25238": msg27366, + "25239": msg27367, + "2524": select2412, + "25240": msg27368, + "25241": msg27369, + "25242": msg27370, + "25243": msg27371, + "25244": msg27372, + "25245": msg27373, + "25246": msg27374, + "25247": msg27375, + "25248": msg27376, + "25249": msg27377, + "2525": select2413, + "25250": msg27378, + "25251": msg27379, + "25252": msg27380, + "25253": msg27381, + "25254": msg27382, + "25255": msg27383, + "25256": msg27384, + "25257": msg27385, + "25258": msg27386, + "25259": msg27387, + "2526": select2414, + "25260": msg27388, + "25261": msg27389, + "25262": msg27390, + "25263": msg27391, + "25264": msg27392, + "25265": msg27393, + "25266": msg27394, + "25267": msg27395, + "25268": msg27396, + "25269": msg27397, + "2527": select2415, + "25270": msg27398, + "25271": msg27399, + "25272": msg27400, + "25273": msg27401, + "25274": msg27402, + "25275": msg27403, + "25276": msg27404, + "25277": msg27405, + "25278": msg27406, + "25279": msg27407, + "2528": select2416, + "25280": msg27408, + "25281": msg27409, + "25282": msg27410, + "25283": msg27411, + "25284": msg27412, + "25285": msg27413, + "25286": msg27414, + "25287": msg27415, + "25288": msg27416, + "25289": msg27417, + "2529": select2417, + "25290": msg27418, + "25291": msg27419, + "25292": msg27420, + "25293": msg27421, + "25294": msg27422, + "25295": msg27423, + "25296": msg27424, + "25297": msg27425, + "25298": msg27426, + "25299": msg27427, + "253": select177, + "2530": select2418, + "25300": msg27428, + "25301": msg27429, + "25302": msg27430, + "25303": msg27431, + "25304": msg27432, + "25305": msg27433, + "25306": msg27434, + "25307": msg27435, + "25308": msg27436, + "25309": msg27437, + "2531": select2419, + "25310": msg27438, + "25311": msg27439, + "25312": msg27440, + "25313": msg27441, + "25314": msg27442, + "25315": msg27443, + "25316": msg27444, + "25317": msg27445, + "25318": msg27446, + "25319": msg27447, + "2532": select2420, + "25320": msg27448, + "25321": msg27449, + "25322": msg27450, + "25323": msg27451, + "25324": msg27452, + "25325": msg27453, + "25326": msg27454, + "25327": msg27455, + "25328": msg27456, + "25329": msg27457, + "2533": select2421, + "25330": msg27458, + "25331": msg27459, + "25332": msg27460, + "25333": msg27461, + "25334": msg27462, + "25335": msg27463, + "25336": msg27464, + "25337": msg27465, + "25338": msg27466, + "25339": msg27467, + "2534": select2422, + "25340": msg27468, + "25341": msg27469, + "25342": msg27470, + "25343": msg27471, + "25344": msg27472, + "25345": msg27473, + "25346": msg27474, + "25347": msg27475, + "25348": msg27476, + "25349": msg27477, + "2535": select2423, + "25350": msg27478, + "25351": msg27479, + "25352": msg27480, + "25353": msg27481, + "25354": msg27482, + "25355": msg27483, + "25356": msg27484, + "25357": msg27485, + "25358": msg27486, + "25359": msg27487, + "2536": select2424, + "25360": msg27488, + "25361": msg27489, + "25362": msg27490, + "25363": msg27491, + "25364": msg27492, + "25365": msg27493, + "25366": msg27494, + "25367": msg27495, + "25368": msg27496, + "25369": msg27497, + "2537": select2425, + "25370": msg27498, + "25371": msg27499, + "25372": msg27500, + "25373": msg27501, + "25374": msg27502, + "25375": msg27503, + "25376": msg27504, + "25377": msg27505, + "25378": msg27506, + "25379": msg27507, + "2538": select2426, + "25380": msg27508, + "25381": msg27509, + "25382": msg27510, + "25383": msg27511, + "25384": msg27512, + "25385": msg27513, + "25386": msg27514, + "25387": msg27515, + "25388": msg27516, + "25389": msg27517, + "2539": select2427, + "25390": msg27518, + "25391": msg27519, + "25392": msg27520, + "25393": msg27521, + "25394": msg27522, + "25395": msg27523, + "25396": msg27524, + "25397": msg27525, + "25398": msg27526, + "25399": msg27527, + "254": select178, + "2540": select2428, + "25400": msg27528, + "25401": msg27529, + "25402": msg27530, + "25403": msg27531, + "25404": msg27532, + "25405": msg27533, + "25406": msg27534, + "25407": msg27535, + "25408": msg27536, + "25409": msg27537, + "2541": select2429, + "25410": msg27538, + "25411": msg27539, + "25412": msg27540, + "25413": msg27541, + "25414": msg27542, + "25415": msg27543, + "25416": msg27544, + "25417": msg27545, + "25418": msg27546, + "25419": msg27547, + "2542": select2430, + "25420": msg27548, + "25421": msg27549, + "25422": msg27550, + "25423": msg27551, + "25424": msg27552, + "25425": msg27553, + "25426": msg27554, + "25427": msg27555, + "25428": msg27556, + "25429": msg27557, + "2543": select2431, + "25430": msg27558, + "25431": msg27559, + "25432": msg27560, + "25433": msg27561, + "25434": msg27562, + "25435": msg27563, + "25436": msg27564, + "25437": msg27565, + "25438": msg27566, + "25439": msg27567, + "2544": select2432, + "25440": msg27568, + "25441": msg27569, + "25442": msg27570, + "25443": msg27571, + "25444": msg27572, + "25445": msg27573, + "25446": msg27574, + "25447": msg27575, + "25448": msg27576, + "25449": msg27577, + "2545": select2433, + "25450": msg27578, + "25451": msg27579, + "25452": msg27580, + "25453": msg27581, + "25454": msg27582, + "25455": msg27583, + "25456": msg27584, + "25457": msg27585, + "25458": msg27586, + "25459": msg27587, + "2546": select2434, + "25460": msg27588, + "25461": msg27589, + "25462": msg27590, + "25463": msg27591, + "25464": msg27592, + "25465": msg27593, + "25466": msg27594, + "25467": msg27595, + "25468": msg27596, + "25469": msg27597, + "2547": select2435, + "25470": msg27598, + "25471": msg27599, + "25472": msg27600, + "25473": msg27601, + "25474": msg27602, + "25475": msg27603, + "25476": msg27604, + "25477": msg27605, + "25478": msg27606, + "25479": msg27607, + "2548": select2436, + "2549": select2437, + "255": select179, + "2550": select2438, + "25502": msg27608, + "25503": msg27609, + "25504": msg27610, + "25505": msg27611, + "25506": msg27612, + "25507": msg27613, + "25508": msg27614, + "25509": msg27615, + "2551": msg5001, + "25510": msg27616, + "25511": msg27617, + "25512": msg27618, + "25513": msg27619, + "25514": msg27620, + "25515": msg27621, + "25516": msg27622, + "25517": msg27623, + "25518": msg27624, + "25519": msg27625, + "2552": msg5002, + "25520": msg27626, + "25521": msg27627, + "25522": msg27628, + "25523": msg27629, + "25524": msg27630, + "25525": msg27631, + "25526": msg27632, + "25527": msg27633, + "25528": msg27634, + "25529": msg27635, + "2553": msg5003, + "25530": msg27636, + "25531": msg27637, + "25532": msg27638, + "25533": msg27639, + "25534": msg27640, + "25535": msg27641, + "25536": msg27642, + "25537": msg27643, + "25538": msg27644, + "25539": msg27645, + "2554": msg5004, + "25540": msg27646, + "25541": msg27647, + "25542": msg27648, + "25543": msg27649, + "25544": msg27650, + "25545": msg27651, + "25546": msg27652, + "25547": msg27653, + "25548": msg27654, + "25549": msg27655, + "2555": msg5005, + "25550": msg27656, + "25551": msg27657, + "25552": msg27658, + "25553": msg27659, + "25554": msg27660, + "25555": msg27661, + "25556": msg27662, + "25557": msg27663, + "25558": msg27664, + "25559": msg27665, + "2556": msg5006, + "25560": msg27666, + "25561": msg27667, + "25562": msg27668, + "25563": msg27669, + "25564": msg27670, + "25565": msg27671, + "25566": msg27672, + "25567": msg27673, + "25568": msg27674, + "25569": msg27675, + "2557": msg5007, + "25570": msg27676, + "25571": msg27677, + "25572": msg27678, + "25573": msg27679, + "25574": msg27680, + "25575": msg27681, + "25576": msg27682, + "25577": msg27683, + "25578": msg27684, + "25579": msg27685, + "2558": msg5008, + "25580": msg27686, + "25581": msg27687, + "25582": msg27688, + "25583": msg27689, + "25584": msg27690, + "25585": msg27691, + "25586": msg27692, + "25587": msg27693, + "25588": msg27694, + "25589": msg27695, + "2559": msg5009, + "25590": msg27696, + "25591": msg27697, + "25592": msg27698, + "25593": msg27699, + "25594": msg27700, + "25595": msg27701, + "25596": msg27702, + "25597": msg27703, + "25598": msg27704, + "25599": msg27705, + "256": select180, + "2560": msg5010, + "25600": msg27706, + "25601": msg27707, + "25602": msg27708, + "25603": msg27709, + "25604": msg27710, + "25605": msg27711, + "25606": msg27712, + "25607": msg27713, + "25608": msg27714, + "25609": msg27715, + "2561": msg5011, + "25610": msg27716, + "25611": msg27717, + "25612": msg27718, + "25613": msg27719, + "25614": msg27720, + "25615": msg27721, + "25616": msg27722, + "25617": msg27723, + "25618": msg27724, + "25619": msg27725, + "2562": msg5012, + "25620": msg27726, + "25621": msg27727, + "25622": msg27728, + "25623": msg27729, + "25624": msg27730, + "25625": msg27731, + "25626": msg27732, + "25627": msg27733, + "25628": msg27734, + "2563": msg5013, + "25630": msg27735, + "25631": msg27736, + "25632": msg27737, + "25633": msg27738, + "25634": msg27739, + "25635": msg27740, + "25636": msg27741, + "25637": msg27742, + "25638": msg27743, + "25639": msg27744, + "2564": msg5014, + "25640": msg27745, + "25641": msg27746, + "25642": msg27747, + "25643": msg27748, + "25644": msg27749, + "25645": msg27750, + "25646": msg27751, + "25647": msg27752, + "25648": msg27753, + "25649": msg27754, + "2565": msg5015, + "25650": msg27755, + "25651": msg27756, + "25652": msg27757, + "25653": msg27758, + "25654": msg27759, + "25655": msg27760, + "25656": msg27761, + "25657": msg27762, + "25658": msg27763, + "25659": msg27764, + "2566": msg5016, + "25660": msg27765, + "25661": msg27766, + "25662": msg27767, + "25663": msg27768, + "25664": msg27769, + "25665": msg27770, + "25666": msg27771, + "25667": msg27772, + "25668": msg27773, + "25669": msg27774, + "2567": msg5017, + "25670": msg27775, + "25671": msg27776, + "25672": msg27777, + "25673": msg27778, + "25674": msg27779, + "25675": msg27780, + "25676": msg27781, + "25677": msg27782, + "25678": msg27783, + "25679": msg27784, + "2568": msg5018, + "25680": msg27785, + "25681": msg27786, + "25682": msg27787, + "25683": msg27788, + "25684": msg27789, + "25685": msg27790, + "25686": msg27791, + "25687": msg27792, + "25688": msg27793, + "25689": msg27794, + "2569": msg5019, + "25690": msg27795, + "25691": msg27796, + "25692": msg27797, + "25693": msg27798, + "25694": msg27799, + "25695": msg27800, + "25696": msg27801, + "25697": msg27802, + "25698": msg27803, + "25699": msg27804, + "257": select181, + "2570": msg5020, + "25700": msg27805, + "25701": msg27806, + "25702": msg27807, + "25703": msg27808, + "25704": msg27809, + "25705": msg27810, + "25706": msg27811, + "25707": msg27812, + "25708": msg27813, + "25709": msg27814, + "2571": msg5021, + "25710": msg27815, + "25711": msg27816, + "25712": msg27817, + "25713": msg27818, + "25714": msg27819, + "25715": msg27820, + "25716": msg27821, + "25717": msg27822, + "25718": msg27823, + "25719": msg27824, + "2572": msg5022, + "25720": msg27825, + "25721": msg27826, + "25722": msg27827, + "25723": msg27828, + "25724": msg27829, + "25725": msg27830, + "25726": msg27831, + "25727": msg27832, + "25728": msg27833, + "25729": msg27834, + "2573": msg5023, + "25730": msg27835, + "25731": msg27836, + "25732": msg27837, + "25733": msg27838, + "25734": msg27839, + "25735": msg27840, + "25736": msg27841, + "25737": msg27842, + "25738": msg27843, + "25739": msg27844, + "2574": msg5024, + "25740": msg27845, + "25741": msg27846, + "25742": msg27847, + "25743": msg27848, + "25744": msg27849, + "25745": msg27850, + "25746": msg27851, + "25747": msg27852, + "25748": msg27853, + "25749": msg27854, + "2575": msg5025, + "25750": msg27855, + "25751": msg27856, + "25752": msg27857, + "25753": msg27858, + "25754": msg27859, + "25755": msg27860, + "25756": msg27861, + "25757": msg27862, + "25758": msg27863, + "25759": msg27864, + "2576": msg5026, + "25760": msg27865, + "25761": msg27866, + "25762": msg27867, + "25763": msg27868, + "25764": msg27869, + "25765": msg27870, + "25766": msg27871, + "25767": msg27872, + "25768": msg27873, + "25769": msg27874, + "2577": msg5027, + "25770": msg27875, + "25771": msg27876, + "25772": msg27877, + "25773": msg27878, + "25774": msg27879, + "25775": msg27880, + "25776": msg27881, + "25777": msg27882, + "25778": msg27883, + "25779": msg27884, + "2578": msg5028, + "25780": msg27885, + "25781": msg27886, + "25782": msg27887, + "25783": msg27888, + "25784": msg27889, + "25785": msg27890, + "25786": msg27891, + "25787": msg27892, + "25788": msg27893, + "25789": msg27894, + "2579": msg5029, + "25790": msg27895, + "25791": msg27896, + "25792": msg27897, + "25793": msg27898, + "25794": msg27899, + "25795": msg27900, + "25796": msg27901, + "25797": msg27902, + "25798": msg27903, + "25799": msg27904, + "258": select182, + "2580": msg5030, + "25800": msg27905, + "25801": msg27906, + "25802": msg27907, + "25803": msg27908, + "25804": msg27909, + "25805": msg27910, + "25806": msg27911, + "25807": msg27912, + "25808": msg27913, + "25809": msg27914, + "2581": msg5031, + "25810": msg27915, + "25811": msg27916, + "25812": msg27917, + "25813": msg27918, + "25814": msg27919, + "25815": msg27920, + "25816": msg27921, + "25817": msg27922, + "25818": msg27923, + "25819": msg27924, + "2582": msg5032, + "25820": msg27925, + "25821": msg27926, + "25822": msg27927, + "25823": msg27928, + "25824": msg27929, + "25825": msg27930, + "25826": msg27931, + "25827": msg27932, + "25828": msg27933, + "25829": msg27934, + "2583": msg5033, + "25830": msg27935, + "25831": msg27936, + "25832": msg27937, + "25833": msg27938, + "25834": msg27939, + "25835": msg27940, + "25836": msg27941, + "25837": msg27942, + "25838": msg27943, + "25839": msg27944, + "2584": msg5034, + "25840": msg27945, + "25841": msg27946, + "25842": msg27947, + "25843": msg27948, + "25844": msg27949, + "25845": msg27950, + "25846": msg27951, + "25847": msg27952, + "25848": msg27953, + "25849": msg27954, + "2585": msg5035, + "25850": msg27955, + "25851": msg27956, + "25852": msg27957, + "25853": msg27958, + "25854": msg27959, + "25855": msg27960, + "25856": msg27961, + "25857": msg27962, + "25858": msg27963, + "25859": msg27964, + "2586": msg5036, + "25860": msg27965, + "25861": msg27966, + "25862": msg27967, + "25863": msg27968, + "25864": msg27969, + "25865": msg27970, + "25866": msg27971, + "25867": msg27972, + "25868": msg27973, + "25869": msg27974, + "2587": msg5037, + "25870": msg27975, + "25871": msg27976, + "25872": msg27977, + "25873": msg27978, + "25874": msg27979, + "25875": msg27980, + "25876": msg27981, + "25877": msg27982, + "25878": msg27983, + "25879": msg27984, + "2588": msg5038, + "25880": msg27985, + "25881": msg27986, + "25882": msg27987, + "25883": msg27988, + "25884": msg27989, + "25885": msg27990, + "25886": msg27991, + "25887": msg27992, + "25888": msg27993, + "25889": msg27994, + "2589": msg5039, + "25890": msg27995, + "25891": msg27996, + "25892": msg27997, + "25893": msg27998, + "25894": msg27999, + "25895": msg28000, + "25896": msg28001, + "25897": msg28002, + "25898": msg28003, + "25899": msg28004, + "259": select183, + "2590": select2439, + "25900": msg28005, + "25901": msg28006, + "25902": msg28007, + "25903": msg28008, + "25904": msg28009, + "25905": msg28010, + "25906": msg28011, + "25907": msg28012, + "25908": msg28013, + "25909": msg28014, + "2591": msg5042, + "25910": msg28015, + "25911": msg28016, + "25912": msg28017, + "25913": msg28018, + "25914": msg28019, + "25915": msg28020, + "25916": msg28021, + "25917": msg28022, + "25918": msg28023, + "25919": msg28024, + "2592": msg5043, + "25920": msg28025, + "25921": msg28026, + "25922": msg28027, + "25923": msg28028, + "25924": msg28029, + "25925": msg28030, + "25926": msg28031, + "25927": msg28032, + "25928": msg28033, + "25929": msg28034, + "2593": msg5044, + "25930": msg28035, + "25931": msg28036, + "25932": msg28037, + "25933": msg28038, + "25934": msg28039, + "25935": msg28040, + "25936": msg28041, + "25937": msg28042, + "25938": msg28043, + "25939": msg28044, + "2594": msg5045, + "25940": msg28045, + "25941": msg28046, + "25942": msg28047, + "25943": msg28048, + "25944": msg28049, + "25945": msg28050, + "25946": msg28051, + "25947": msg28052, + "25948": msg28053, + "25949": msg28054, + "2595": msg5046, + "25950": msg28055, + "25951": msg28056, + "25952": msg28057, + "25953": msg28058, + "25954": msg28059, + "25955": msg28060, + "25956": msg28061, + "25957": msg28062, + "25958": msg28063, + "25959": msg28064, + "2596": msg5047, + "25960": msg28065, + "25961": msg28066, + "25962": msg28067, + "25963": msg28068, + "25964": msg28069, + "25965": msg28070, + "25966": msg28071, + "25967": msg28072, + "25968": msg28073, + "25969": msg28074, + "2597": msg5048, + "25970": msg28075, + "25971": msg28076, + "25972": msg28077, + "25973": msg28078, + "25974": msg28079, + "25975": msg28080, + "25976": msg28081, + "25977": msg28082, + "25978": msg28083, + "25979": msg28084, + "2598": msg5049, + "25980": msg28085, + "25981": msg28086, + "25982": msg28087, + "25983": msg28088, + "25984": msg28089, + "25985": msg28090, + "25986": msg28091, + "25987": msg28092, + "25988": msg28093, + "25989": msg28094, + "2599": msg5050, + "25990": msg28095, + "25991": msg28096, + "25992": msg28097, + "25993": msg28098, + "25994": msg28099, + "25995": msg28100, + "25996": msg28101, + "25997": msg28102, + "25998": msg28103, + "25999": msg28104, + "26": msg60, + "260": select184, + "2600": msg5051, + "26000": msg28105, + "26001": msg28106, + "26002": msg28107, + "26003": msg28108, + "26004": msg28109, + "26005": msg28110, + "26006": msg28111, + "26007": msg28112, + "26008": msg28113, + "26009": msg28114, + "2601": msg5052, + "26010": msg28115, + "26011": msg28116, + "26012": msg28117, + "26013": msg28118, + "26014": msg28119, + "26015": msg28120, + "26016": msg28121, + "26017": msg28122, + "26018": msg28123, + "26019": msg28124, + "2602": msg5053, + "26020": msg28125, + "26021": msg28126, + "26022": msg28127, + "26023": msg28128, + "26024": msg28129, + "26025": msg28130, + "26026": msg28131, + "26027": msg28132, + "26028": msg28133, + "26029": msg28134, + "2603": msg5054, + "26030": msg28135, + "26031": msg28136, + "26032": msg28137, + "26033": msg28138, + "26034": msg28139, + "26035": msg28140, + "26036": msg28141, + "26037": msg28142, + "26038": msg28143, + "26039": msg28144, + "2604": msg5055, + "26040": msg28145, + "26041": msg28146, + "26042": msg28147, + "26043": msg28148, + "26044": msg28149, + "26045": msg28150, + "26046": msg28151, + "26047": msg28152, + "26048": msg28153, + "26049": msg28154, + "2605": msg5056, + "26050": msg28155, + "26051": msg28156, + "26052": msg28157, + "26053": msg28158, + "26054": msg28159, + "26055": msg28160, + "26056": msg28161, + "26057": msg28162, + "26058": msg28163, + "26059": msg28164, + "2606": msg5057, + "26060": msg28165, + "26061": msg28166, + "26062": msg28167, + "26063": msg28168, + "26064": msg28169, + "26065": msg28170, + "26066": msg28171, + "26067": msg28172, + "26068": msg28173, + "26069": msg28174, + "2607": msg5058, + "26070": msg28175, + "26071": msg28176, + "26072": msg28177, + "26073": msg28178, + "26074": msg28179, + "26075": msg28180, + "26076": msg28181, + "26077": msg28182, + "26078": msg28183, + "26079": msg28184, + "2608": msg5059, + "26080": msg28185, + "26081": msg28186, + "26082": msg28187, + "26083": msg28188, + "26084": msg28189, + "26085": msg28190, + "26086": msg28191, + "26087": msg28192, + "26088": msg28193, + "26089": msg28194, + "2609": msg5060, + "26090": msg28195, + "26091": msg28196, + "26092": msg28197, + "26093": msg28198, + "26094": msg28199, + "26095": msg28200, + "26096": msg28201, + "26097": msg28202, + "26098": msg28203, + "26099": msg28204, + "261": select185, + "2610": msg5061, + "26100": msg28205, + "26101": msg28206, + "26102": msg28207, + "26103": msg28208, + "26104": msg28209, + "26105": msg28210, + "26106": msg28211, + "26107": msg28212, + "26108": msg28213, + "26109": msg28214, + "2611": msg5062, + "26110": msg28215, + "26111": msg28216, + "26112": msg28217, + "26113": msg28218, + "26114": msg28219, + "26115": msg28220, + "26116": msg28221, + "26117": msg28222, + "26118": msg28223, + "26119": msg28224, + "2612": msg5063, + "26120": msg28225, + "26121": msg28226, + "26122": msg28227, + "26123": msg28228, + "26124": msg28229, + "26125": msg28230, + "26126": msg28231, + "26127": msg28232, + "26128": msg28233, + "26129": msg28234, + "2613": msg5064, + "26130": msg28235, + "26131": msg28236, + "26132": msg28237, + "26133": msg28238, + "26134": msg28239, + "26135": msg28240, + "26136": msg28241, + "26137": msg28242, + "26138": msg28243, + "26139": msg28244, + "2614": msg5065, + "26140": msg28245, + "26141": msg28246, + "26142": msg28247, + "26143": msg28248, + "26144": msg28249, + "26145": msg28250, + "26146": msg28251, + "26147": msg28252, + "26148": msg28253, + "26149": msg28254, + "2615": msg5066, + "26150": msg28255, + "26151": msg28256, + "26152": msg28257, + "26153": msg28258, + "26154": msg28259, + "26155": msg28260, + "26156": msg28261, + "26157": msg28262, + "26158": msg28263, + "26159": msg28264, + "2616": msg5067, + "26160": msg28265, + "26161": msg28266, + "26162": msg28267, + "26163": msg28268, + "26164": msg28269, + "26165": msg28270, + "26166": msg28271, + "26167": msg28272, + "26168": msg28273, + "26169": msg28274, + "2617": msg5068, + "26170": msg28275, + "26171": msg28276, + "26172": msg28277, + "26173": msg28278, + "26174": msg28279, + "26175": msg28280, + "26176": msg28281, + "26177": msg28282, + "26178": msg28283, + "26179": msg28284, + "2618": msg5069, + "26180": msg28285, + "26181": msg28286, + "26182": msg28287, + "26183": msg28288, + "26184": msg28289, + "26185": msg28290, + "26186": msg28291, + "26187": msg28292, + "26188": msg28293, + "26189": msg28294, + "2619": msg5070, + "26190": msg28295, + "26191": msg28296, + "26192": msg28297, + "26193": msg28298, + "26194": msg28299, + "26195": msg28300, + "26196": msg28301, + "26197": msg28302, + "26198": msg28303, + "26199": msg28304, + "262": select186, + "2620": msg5071, + "26200": msg28305, + "26201": msg28306, + "26202": msg28307, + "26203": msg28308, + "26204": msg28309, + "26205": msg28310, + "26206": msg28311, + "26207": msg28312, + "26208": msg28313, + "26209": msg28314, + "2621": msg5072, + "26210": msg28315, + "26211": msg28316, + "26212": msg28317, + "26213": msg28318, + "26214": msg28319, + "26215": msg28320, + "26216": msg28321, + "26217": msg28322, + "26218": msg28323, + "26219": msg28324, + "2622": msg5073, + "26220": msg28325, + "26221": msg28326, + "26222": msg28327, + "26223": msg28328, + "26224": msg28329, + "26225": msg28330, + "26226": msg28331, + "26227": msg28332, + "26228": msg28333, + "26229": msg28334, + "2623": msg5074, + "26230": msg28335, + "26231": msg28336, + "26232": msg28337, + "26233": msg28338, + "26234": msg28339, + "26235": msg28340, + "26236": msg28341, + "26237": msg28342, + "26238": msg28343, + "26239": msg28344, + "2624": msg5075, + "26240": msg28345, + "26241": msg28346, + "26242": msg28347, + "26243": msg28348, + "26244": msg28349, + "26245": msg28350, + "26246": msg28351, + "26247": msg28352, + "26248": msg28353, + "26249": msg28354, + "2625": msg5076, + "26250": msg28355, + "26251": msg28356, + "26252": msg28357, + "26253": msg28358, + "26254": msg28359, + "26255": msg28360, + "26256": msg28361, + "26257": msg28362, + "26258": msg28363, + "26259": msg28364, + "2626": msg5077, + "26260": msg28365, + "26261": msg28366, + "26262": msg28367, + "26263": msg28368, + "26264": msg28369, + "26265": msg28370, + "26266": msg28371, + "26267": msg28372, + "26268": msg28373, + "26269": msg28374, + "2627": msg5078, + "26270": msg28375, + "26271": msg28376, + "26272": msg28377, + "26273": msg28378, + "26274": msg28379, + "26275": msg28380, + "26276": msg28381, + "26277": msg28382, + "26278": msg28383, + "26279": msg28384, + "2628": msg5079, + "26280": msg28385, + "26281": msg28386, + "26282": msg28387, + "26283": msg28388, + "26284": msg28389, + "26285": msg28390, + "26286": msg28391, + "26287": msg28392, + "26288": msg28393, + "26289": msg28394, + "2629": msg5080, + "26290": msg28395, + "26291": msg28396, + "26292": msg28397, + "26293": msg28398, + "26294": msg28399, + "26295": msg28400, + "26296": msg28401, + "26297": msg28402, + "26298": msg28403, + "26299": msg28404, + "2630": msg5081, + "26300": msg28405, + "26301": msg28406, + "26302": msg28407, + "26303": msg28408, + "26304": msg28409, + "26305": msg28410, + "26306": msg28411, + "26307": msg28412, + "26308": msg28413, + "26309": msg28414, + "2631": msg5082, + "26310": msg28415, + "26311": msg28416, + "26312": msg28417, + "26313": msg28418, + "26314": msg28419, + "26315": msg28420, + "26316": msg28421, + "26317": msg28422, + "26318": msg28423, + "26319": msg28424, + "2632": msg5083, + "26320": msg28425, + "26321": msg28426, + "26322": msg28427, + "26323": msg28428, + "26324": msg28429, + "26325": msg28430, + "26326": msg28431, + "26327": msg28432, + "26328": msg28433, + "26329": msg28434, + "2633": msg5084, + "26330": msg28435, + "26331": msg28436, + "26332": msg28437, + "26333": msg28438, + "26334": msg28439, + "26335": msg28440, + "26336": msg28441, + "26337": msg28442, + "26338": msg28443, + "26339": msg28444, + "2634": msg5085, + "26340": msg28445, + "26341": msg28446, + "26342": msg28447, + "26343": msg28448, + "26344": msg28449, + "26345": msg28450, + "26346": msg28451, + "26347": msg28452, + "26348": msg28453, + "26349": msg28454, + "2635": msg5086, + "26350": msg28455, + "26351": msg28456, + "26352": msg28457, + "26353": msg28458, + "26354": msg28459, + "26355": msg28460, + "26356": msg28461, + "26357": msg28462, + "26358": msg28463, + "26359": msg28464, + "2636": msg5087, + "26360": msg28465, + "26361": msg28466, + "26362": msg28467, + "26363": msg28468, + "26364": msg28469, + "26365": msg28470, + "26366": msg28471, + "26367": msg28472, + "26368": msg28473, + "26369": msg28474, + "2637": msg5088, + "26370": msg28475, + "26371": msg28476, + "26372": msg28477, + "26373": msg28478, + "26374": msg28479, + "26375": msg28480, + "26376": msg28481, + "26377": msg28482, + "26378": msg28483, + "26379": msg28484, + "2638": msg5089, + "26380": msg28485, + "26381": msg28486, + "26382": msg28487, + "26383": msg28488, + "26384": msg28489, + "26385": msg28490, + "26386": msg28491, + "26387": msg28492, + "26388": msg28493, + "26389": msg28494, + "2639": msg5090, + "26390": msg28495, + "26391": msg28496, + "26392": msg28497, + "26393": msg28498, + "26394": msg28499, + "26395": msg28500, + "26396": msg28501, + "26397": msg28502, + "26398": msg28503, + "26399": msg28504, + "264": select187, + "2640": msg5091, + "26400": msg28505, + "26401": msg28506, + "26402": msg28507, + "26403": msg28508, + "26404": msg28509, + "26405": msg28510, + "26406": msg28511, + "26407": msg28512, + "26408": msg28513, + "26409": msg28514, + "2641": msg5092, + "26410": msg28515, + "26411": msg28516, + "26412": msg28517, + "26413": msg28518, + "26414": msg28519, + "26415": msg28520, + "26416": msg28521, + "26417": msg28522, + "26418": msg28523, + "26419": msg28524, + "2642": msg5093, + "26420": msg28525, + "26421": msg28526, + "26422": msg28527, + "26423": msg28528, + "26424": msg28529, + "26425": msg28530, + "26426": msg28531, + "26427": msg28532, + "26428": msg28533, + "26429": msg28534, + "2643": msg5094, + "26430": msg28535, + "26431": msg28536, + "26432": msg28537, + "26433": msg28538, + "26434": msg28539, + "26435": msg28540, + "26436": msg28541, + "26437": msg28542, + "26438": msg28543, + "26439": msg28544, + "2644": msg5095, + "26440": msg28545, + "26441": msg28546, + "26442": msg28547, + "26443": msg28548, + "26444": msg28549, + "26445": msg28550, + "26446": msg28551, + "26447": msg28552, + "26448": msg28553, + "26449": msg28554, + "2645": msg5096, + "26450": msg28555, + "26451": msg28556, + "26452": msg28557, + "26453": msg28558, + "26454": msg28559, + "26455": msg28560, + "26456": msg28561, + "26457": msg28562, + "26458": msg28563, + "26459": msg28564, + "2646": msg5097, + "26460": msg28565, + "26461": msg28566, + "26462": msg28567, + "26463": msg28568, + "26464": msg28569, + "26465": msg28570, + "26466": msg28571, + "26467": msg28572, + "26468": msg28573, + "26469": msg28574, + "2647": msg5098, + "26470": msg28575, + "26471": msg28576, + "26472": msg28577, + "26473": msg28578, + "26474": msg28579, + "26475": msg28580, + "26476": msg28581, + "26477": msg28582, + "26478": msg28583, + "26479": msg28584, + "2648": msg5099, + "26480": msg28585, + "26481": msg28586, + "26482": msg28587, + "26483": msg28588, + "26484": msg28589, + "26485": msg28590, + "26486": msg28591, + "26487": msg28592, + "26488": msg28593, + "26489": msg28594, + "2649": msg5100, + "26490": msg28595, + "26491": msg28596, + "26492": msg28597, + "26493": msg28598, + "26494": msg28599, + "26495": msg28600, + "26496": msg28601, + "26497": msg28602, + "26498": msg28603, + "26499": msg28604, + "265": select188, + "2650": msg5101, + "26500": msg28605, + "26501": msg28606, + "26502": msg28607, + "26503": msg28608, + "26504": msg28609, + "26505": msg28610, + "26506": msg28611, + "26507": msg28612, + "26508": msg28613, + "26509": msg28614, + "2651": msg5102, + "26510": msg28615, + "26511": msg28616, + "26512": msg28617, + "26513": msg28618, + "26514": msg28619, + "26515": msg28620, + "26516": msg28621, + "26517": msg28622, + "26518": msg28623, + "26519": msg28624, + "2652": msg5103, + "26520": msg28625, + "26521": msg28626, + "26522": msg28627, + "26523": msg28628, + "26524": msg28629, + "26525": msg28630, + "26526": msg28631, + "26527": msg28632, + "26528": msg28633, + "26529": msg28634, + "2653": msg5104, + "26530": msg28635, + "26531": msg28636, + "26532": msg28637, + "26533": msg28638, + "26534": msg28639, + "26535": msg28640, + "26536": msg28641, + "26537": msg28642, + "26538": msg28643, + "26539": msg28644, + "2654": msg5105, + "26540": msg28645, + "26541": msg28646, + "26542": msg28647, + "26543": msg28648, + "26544": msg28649, + "26545": msg28650, + "26546": msg28651, + "26547": msg28652, + "26548": msg28653, + "26549": msg28654, + "2655": msg5106, + "26550": msg28655, + "26551": msg28656, + "26552": msg28657, + "26553": msg28658, + "26554": msg28659, + "26555": msg28660, + "26556": msg28661, + "26557": msg28662, + "26558": msg28663, + "26559": msg28664, + "2656": msg5107, + "26560": msg28665, + "26561": msg28666, + "26562": msg28667, + "26563": msg28668, + "26564": msg28669, + "26565": msg28670, + "26566": msg28671, + "26567": msg28672, + "26568": msg28673, + "26569": msg28674, + "2657": msg5108, + "26570": msg28675, + "26571": msg28676, + "26572": msg28677, + "26573": msg28678, + "26574": msg28679, + "26575": msg28680, + "26576": msg28681, + "26577": msg28682, + "26578": msg28683, + "26579": msg28684, + "2658": msg5109, + "26580": msg28685, + "26581": msg28686, + "26582": msg28687, + "26583": msg28688, + "26584": msg28689, + "26585": msg28690, + "26586": msg28691, + "26587": msg28692, + "26588": msg28693, + "26589": msg28694, + "2659": msg5110, + "26590": msg28695, + "26591": msg28696, + "26592": msg28697, + "26593": msg28698, + "26594": msg28699, + "26595": msg28700, + "26596": msg28701, + "26597": msg28702, + "26598": msg28703, + "26599": msg28704, + "266": select189, + "2660": msg5111, + "26600": msg28705, + "26601": msg28706, + "26602": msg28707, + "26603": msg28708, + "26604": msg28709, + "26605": msg28710, + "26606": msg28711, + "26607": msg28712, + "26608": msg28713, + "26609": msg28714, + "2661": msg5112, + "26610": msg28715, + "26611": msg28716, + "26612": msg28717, + "26613": msg28718, + "26614": msg28719, + "26615": msg28720, + "26616": msg28721, + "26617": msg28722, + "26618": msg28723, + "26619": msg28724, + "2662": msg5113, + "26620": msg28725, + "26621": msg28726, + "26622": msg28727, + "26623": msg28728, + "26624": msg28729, + "26625": msg28730, + "26626": msg28731, + "26627": msg28732, + "26628": msg28733, + "26629": msg28734, + "2663": msg5114, + "26630": msg28735, + "26631": msg28736, + "26632": msg28737, + "26633": msg28738, + "26634": msg28739, + "26635": msg28740, + "26636": msg28741, + "26637": msg28742, + "26638": msg28743, + "26639": msg28744, + "2664": msg5115, + "26640": msg28745, + "26641": msg28746, + "26642": msg28747, + "26643": msg28748, + "26644": msg28749, + "26645": msg28750, + "26646": msg28751, + "26647": msg28752, + "26648": msg28753, + "26649": msg28754, + "2665": msg5116, + "26650": msg28755, + "26651": msg28756, + "26652": msg28757, + "26653": msg28758, + "26654": msg28759, + "26655": msg28760, + "26656": msg28761, + "26657": msg28762, + "26658": msg28763, + "26659": msg28764, + "2666": msg5117, + "26660": msg28765, + "26661": msg28766, + "26662": msg28767, + "26663": msg28768, + "26664": msg28769, + "26665": msg28770, + "26666": msg28771, + "26667": msg28772, + "26668": msg28773, + "26669": msg28774, + "2667": msg5118, + "26670": msg28775, + "26671": msg28776, + "26672": msg28777, + "26673": msg28778, + "26674": msg28779, + "26675": msg28780, + "26676": msg28781, + "26677": msg28782, + "26678": msg28783, + "26679": msg28784, + "2668": msg5119, + "26680": msg28785, + "26681": msg28786, + "26682": msg28787, + "26683": msg28788, + "26684": msg28789, + "26685": msg28790, + "26686": msg28791, + "26687": msg28792, + "26688": msg28793, + "26689": msg28794, + "2669": msg5120, + "26690": msg28795, + "26691": msg28796, + "26692": msg28797, + "26693": msg28798, + "26694": msg28799, + "26695": msg28800, + "26696": msg28801, + "26697": msg28802, + "26698": msg28803, + "26699": msg28804, + "267": select190, + "2670": msg5121, + "26700": msg28805, + "26701": msg28806, + "26702": msg28807, + "26703": msg28808, + "26704": msg28809, + "26705": msg28810, + "26706": msg28811, + "26707": msg28812, + "26708": msg28813, + "26709": msg28814, + "2671": msg5122, + "26710": msg28815, + "26711": msg28816, + "26712": msg28817, + "26713": msg28818, + "26714": msg28819, + "26715": msg28820, + "26716": msg28821, + "26717": msg28822, + "26718": msg28823, + "26719": msg28824, + "2672": msg5123, + "26720": msg28825, + "26721": msg28826, + "26722": msg28827, + "26723": msg28828, + "26724": msg28829, + "26725": msg28830, + "26726": msg28831, + "26727": msg28832, + "26728": msg28833, + "26729": msg28834, + "2673": msg5124, + "26730": msg28835, + "26731": msg28836, + "26732": msg28837, + "26733": msg28838, + "26734": msg28839, + "26735": msg28840, + "26736": msg28841, + "26737": msg28842, + "26738": msg28843, + "26739": msg28844, + "2674": msg5125, + "26740": msg28845, + "26741": msg28846, + "26742": msg28847, + "26743": msg28848, + "26744": msg28849, + "26745": msg28850, + "26746": msg28851, + "26747": msg28852, + "26748": msg28853, + "26749": msg28854, + "2675": msg5126, + "26750": msg28855, + "26751": msg28856, + "26752": msg28857, + "26753": msg28858, + "26754": msg28859, + "26755": msg28860, + "26756": msg28861, + "26757": msg28862, + "26758": msg28863, + "26759": msg28864, + "2676": msg5127, + "26760": msg28865, + "26761": msg28866, + "26762": msg28867, + "26763": msg28868, + "26764": msg28869, + "26765": msg28870, + "26766": msg28871, + "26767": msg28872, + "26768": msg28873, + "26769": msg28874, + "2677": msg5128, + "26770": msg28875, + "26771": msg28876, + "26772": msg28877, + "26773": msg28878, + "26774": msg28879, + "26775": msg28880, + "26776": msg28881, + "26777": msg28882, + "26778": msg28883, + "26779": msg28884, + "2678": msg5129, + "26780": msg28885, + "26781": msg28886, + "26782": msg28887, + "26783": msg28888, + "26784": msg28889, + "26785": msg28890, + "26786": msg28891, + "26787": msg28892, + "26788": msg28893, + "26789": msg28894, + "2679": msg5130, + "26790": msg28895, + "26791": msg28896, + "26792": msg28897, + "26793": msg28898, + "26794": msg28899, + "26795": msg28900, + "26796": msg28901, + "26797": msg28902, + "26798": msg28903, + "26799": msg28904, + "268": select191, + "2680": msg5131, + "26800": msg28905, + "26801": msg28906, + "26802": msg28907, + "26803": msg28908, + "26804": msg28909, + "26805": msg28910, + "26806": msg28911, + "26807": msg28912, + "26808": msg28913, + "26809": msg28914, + "2681": msg5132, + "26810": msg28915, + "26811": msg28916, + "26812": msg28917, + "26813": msg28918, + "26814": msg28919, + "26815": msg28920, + "26816": msg28921, + "26817": msg28922, + "26818": msg28923, + "26819": msg28924, + "2682": msg5133, + "26820": msg28925, + "26821": msg28926, + "26822": msg28927, + "26823": msg28928, + "26824": msg28929, + "26825": msg28930, + "26826": msg28931, + "26827": msg28932, + "26828": msg28933, + "26829": msg28934, + "2683": msg5134, + "26830": msg28935, + "26831": msg28936, + "26832": msg28937, + "26833": msg28938, + "26834": msg28939, + "26835": msg28940, + "26836": msg28941, + "26837": msg28942, + "26838": msg28943, + "26839": msg28944, + "2684": msg5135, + "26840": msg28945, + "26841": msg28946, + "26842": msg28947, + "26843": msg28948, + "26844": msg28949, + "26845": msg28950, + "26846": msg28951, + "26847": msg28952, + "26848": msg28953, + "26849": msg28954, + "2685": msg5136, + "26850": msg28955, + "26851": msg28956, + "26852": msg28957, + "26853": msg28958, + "26854": msg28959, + "26855": msg28960, + "26856": msg28961, + "26857": msg28962, + "26858": msg28963, + "26859": msg28964, + "2686": msg5137, + "26860": msg28965, + "26861": msg28966, + "26862": msg28967, + "26863": msg28968, + "26864": msg28969, + "26865": msg28970, + "26866": msg28971, + "26867": msg28972, + "26868": msg28973, + "26869": msg28974, + "2687": msg5138, + "26870": msg28975, + "26871": msg28976, + "26872": msg28977, + "26873": msg28978, + "26874": msg28979, + "26875": msg28980, + "26876": msg28981, + "26877": msg28982, + "26878": msg28983, + "26879": msg28984, + "2688": msg5139, + "26880": msg28985, + "26881": msg28986, + "26882": msg28987, + "26883": msg28988, + "26884": msg28989, + "26885": msg28990, + "26886": msg28991, + "26887": msg28992, + "26888": msg28993, + "26889": msg28994, + "2689": msg5140, + "26890": msg28995, + "26891": msg28996, + "26892": msg28997, + "26893": msg28998, + "26894": msg28999, + "26895": msg29000, + "26896": msg29001, + "26897": msg29002, + "26898": msg29003, + "26899": msg29004, + "269": select192, + "2690": msg5141, + "26900": msg29005, + "26901": msg29006, + "26902": msg29007, + "26903": msg29008, + "26904": msg29009, + "26905": msg29010, + "26906": msg29011, + "26907": msg29012, + "26908": msg29013, + "26909": msg29014, + "2691": msg5142, + "26910": msg29015, + "26911": msg29016, + "26912": msg29017, + "26913": msg29018, + "26914": msg29019, + "26915": msg29020, + "26916": msg29021, + "26917": msg29022, + "26918": msg29023, + "26919": msg29024, + "2692": msg5143, + "26920": msg29025, + "26921": msg29026, + "26922": msg29027, + "26923": msg29028, + "26924": msg29029, + "26925": msg29030, + "26926": msg29031, + "26927": msg29032, + "26928": msg29033, + "26929": msg29034, + "2693": msg5144, + "26930": msg29035, + "26931": msg29036, + "26932": msg29037, + "26933": msg29038, + "26934": msg29039, + "26935": msg29040, + "26936": msg29041, + "26937": msg29042, + "26938": msg29043, + "26939": msg29044, + "2694": msg5145, + "26940": msg29045, + "26941": msg29046, + "26942": msg29047, + "26943": msg29048, + "26944": msg29049, + "26945": msg29050, + "26946": msg29051, + "26947": msg29052, + "26948": msg29053, + "26949": msg29054, + "2695": msg5146, + "26950": msg29055, + "26951": msg29056, + "26952": msg29057, + "26953": msg29058, + "26954": msg29059, + "26955": msg29060, + "26956": msg29061, + "26957": msg29062, + "26958": msg29063, + "26959": msg29064, + "2696": msg5147, + "26960": msg29065, + "26961": msg29066, + "26962": msg29067, + "26963": msg29068, + "26964": msg29069, + "26965": msg29070, + "26966": msg29071, + "26967": msg29072, + "26968": msg29073, + "26969": msg29074, + "2697": msg5148, + "26970": msg29075, + "26971": msg29076, + "26972": msg29077, + "26973": msg29078, + "26974": msg29079, + "26975": msg29080, + "26976": msg29081, + "26977": msg29082, + "26978": msg29083, + "26979": msg29084, + "2698": msg5149, + "26980": msg29085, + "26981": msg29086, + "26982": msg29087, + "26983": msg29088, + "26984": msg29089, + "26985": msg29090, + "26986": msg29091, + "26987": msg29092, + "26988": msg29093, + "26989": msg29094, + "2699": msg5150, + "26990": msg29095, + "26991": msg29096, + "26992": msg29097, + "26993": msg29098, + "26994": msg29099, + "26995": msg29100, + "26996": msg29101, + "26997": msg29102, + "26998": msg29103, + "26999": msg29104, + "27": msg61, + "270": select193, + "2700": msg5151, + "27000": msg29105, + "27001": msg29106, + "27002": msg29107, + "27003": msg29108, + "27004": msg29109, + "27005": msg29110, + "27006": msg29111, + "27007": msg29112, + "27008": msg29113, + "27009": msg29114, + "2701": msg5152, + "27010": msg29115, + "27011": msg29116, + "27012": msg29117, + "27013": msg29118, + "27014": msg29119, + "27015": msg29120, + "27016": msg29121, + "27017": msg29122, + "27018": msg29123, + "27019": msg29124, + "2702": msg5153, + "27020": msg29125, + "27021": msg29126, + "27022": msg29127, + "27023": msg29128, + "27024": msg29129, + "27025": msg29130, + "27026": msg29131, + "27027": msg29132, + "27028": msg29133, + "27029": msg29134, + "2703": msg5154, + "27030": msg29135, + "27031": msg29136, + "27032": msg29137, + "27033": msg29138, + "27034": msg29139, + "27035": msg29140, + "27036": msg29141, + "27037": msg29142, + "27038": msg29143, + "27039": msg29144, + "2704": msg5155, + "27040": msg29145, + "27041": msg29146, + "27042": msg29147, + "27043": msg29148, + "27044": msg29149, + "27045": msg29150, + "27046": msg29151, + "27047": msg29152, + "27048": msg29153, + "27049": msg29154, + "2705": msg5156, + "27050": msg29155, + "27051": msg29156, + "27052": msg29157, + "27053": msg29158, + "27054": msg29159, + "27055": msg29160, + "27056": msg29161, + "27057": msg29162, + "27058": msg29163, + "27059": msg29164, + "2706": msg5157, + "27060": msg29165, + "27061": msg29166, + "27062": msg29167, + "27063": msg29168, + "27064": msg29169, + "27065": msg29170, + "27066": msg29171, + "27067": msg29172, + "27068": msg29173, + "27069": msg29174, + "2707": msg5158, + "27070": msg29175, + "27071": msg29176, + "27072": msg29177, + "27073": msg29178, + "27074": msg29179, + "27075": msg29180, + "27076": msg29181, + "27077": msg29182, + "27078": msg29183, + "27079": msg29184, + "2708": msg5159, + "27080": msg29185, + "27081": msg29186, + "27082": msg29187, + "27083": msg29188, + "27084": msg29189, + "27085": msg29190, + "27086": msg29191, + "27087": msg29192, + "27088": msg29193, + "27089": msg29194, + "2709": msg5160, + "27090": msg29195, + "27091": msg29196, + "27092": msg29197, + "27093": msg29198, + "27094": msg29199, + "27095": msg29200, + "27096": msg29201, + "27097": msg29202, + "27098": msg29203, + "27099": msg29204, + "271": select194, + "2710": msg5161, + "27100": msg29205, + "27101": msg29206, + "27102": msg29207, + "27103": msg29208, + "27104": msg29209, + "27105": msg29210, + "27106": msg29211, + "27107": msg29212, + "27108": msg29213, + "27109": msg29214, + "2711": msg5162, + "27110": msg29215, + "27111": msg29216, + "27112": msg29217, + "27113": msg29218, + "27114": msg29219, + "27115": msg29220, + "27116": msg29221, + "27117": msg29222, + "27118": msg29223, + "27119": msg29224, + "2712": msg5163, + "27120": msg29225, + "27121": msg29226, + "27122": msg29227, + "27123": msg29228, + "27124": msg29229, + "27125": msg29230, + "27126": msg29231, + "27127": msg29232, + "27128": msg29233, + "27129": msg29234, + "2713": msg5164, + "27130": msg29235, + "27131": msg29236, + "27132": msg29237, + "27133": msg29238, + "27134": msg29239, + "27135": msg29240, + "27136": msg29241, + "27137": msg29242, + "27138": msg29243, + "27139": msg29244, + "2714": msg5165, + "27140": msg29245, + "27141": msg29246, + "27142": msg29247, + "27143": msg29248, + "27144": msg29249, + "27145": msg29250, + "27146": msg29251, + "27147": msg29252, + "27148": msg29253, + "27149": msg29254, + "2715": msg5166, + "27150": msg29255, + "27151": msg29256, + "27152": msg29257, + "27153": msg29258, + "27154": msg29259, + "27155": msg29260, + "27156": msg29261, + "27157": msg29262, + "27158": msg29263, + "27159": msg29264, + "2716": msg5167, + "27160": msg29265, + "27161": msg29266, + "27162": msg29267, + "27163": msg29268, + "27164": msg29269, + "27165": msg29270, + "27166": msg29271, + "27167": msg29272, + "27168": msg29273, + "27169": msg29274, + "2717": msg5168, + "27170": msg29275, + "27171": msg29276, + "27172": msg29277, + "27173": msg29278, + "27174": msg29279, + "27175": msg29280, + "27176": msg29281, + "27177": msg29282, + "27178": msg29283, + "27179": msg29284, + "2718": msg5169, + "27180": msg29285, + "27181": msg29286, + "27182": msg29287, + "27183": msg29288, + "27184": msg29289, + "27185": msg29290, + "27186": msg29291, + "27187": msg29292, + "27188": msg29293, + "27189": msg29294, + "2719": msg5170, + "27190": msg29295, + "27191": msg29296, + "27192": msg29297, + "27193": msg29298, + "27194": msg29299, + "27195": msg29300, + "27196": msg29301, + "27197": msg29302, + "27198": msg29303, + "27199": msg29304, + "272": select195, + "2720": msg5171, + "27200": msg29305, + "27201": msg29306, + "27202": msg29307, + "27203": msg29308, + "27204": msg29309, + "27205": msg29310, + "27206": msg29311, + "27207": msg29312, + "27208": msg29313, + "27209": msg29314, + "2721": msg5172, + "27210": msg29315, + "27211": msg29316, + "27212": msg29317, + "27213": msg29318, + "27214": msg29319, + "27215": msg29320, + "27216": msg29321, + "27217": msg29322, + "27218": msg29323, + "27219": msg29324, + "2722": msg5173, + "27220": msg29325, + "27221": msg29326, + "27222": msg29327, + "27223": msg29328, + "27224": msg29329, + "27225": msg29330, + "27226": msg29331, + "27227": msg29332, + "27228": msg29333, + "27229": msg29334, + "2723": msg5174, + "27230": msg29335, + "27231": msg29336, + "27232": msg29337, + "27233": msg29338, + "27234": msg29339, + "27235": msg29340, + "27236": msg29341, + "27237": msg29342, + "27238": msg29343, + "27239": msg29344, + "2724": msg5175, + "27240": msg29345, + "27241": msg29346, + "27242": msg29347, + "27243": msg29348, + "27244": msg29349, + "27245": msg29350, + "27246": msg29351, + "27247": msg29352, + "27248": msg29353, + "27249": msg29354, + "2725": msg5176, + "27250": msg29355, + "27251": msg29356, + "27252": msg29357, + "27253": msg29358, + "27254": msg29359, + "27255": msg29360, + "27256": msg29361, + "27257": msg29362, + "27258": msg29363, + "27259": msg29364, + "2726": msg5177, + "27260": msg29365, + "27261": msg29366, + "27262": msg29367, + "27263": msg29368, + "27264": msg29369, + "27265": msg29370, + "27266": msg29371, + "27267": msg29372, + "27268": msg29373, + "27269": msg29374, + "2727": msg5178, + "27270": msg29375, + "27271": msg29376, + "27272": msg29377, + "27273": msg29378, + "27274": msg29379, + "27275": msg29380, + "27276": msg29381, + "27277": msg29382, + "27278": msg29383, + "27279": msg29384, + "2728": msg5179, + "27280": msg29385, + "27281": msg29386, + "27282": msg29387, + "27283": msg29388, + "27284": msg29389, + "27285": msg29390, + "27286": msg29391, + "27287": msg29392, + "27288": msg29393, + "27289": msg29394, + "2729": msg5180, + "27290": msg29395, + "27291": msg29396, + "27292": msg29397, + "27293": msg29398, + "27294": msg29399, + "27295": msg29400, + "27296": msg29401, + "27297": msg29402, + "27298": msg29403, + "27299": msg29404, + "273": select196, + "2730": msg5181, + "27300": msg29405, + "27301": msg29406, + "27302": msg29407, + "27303": msg29408, + "27304": msg29409, + "27305": msg29410, + "27306": msg29411, + "27307": msg29412, + "27308": msg29413, + "27309": msg29414, + "2731": msg5182, + "27310": msg29415, + "27311": msg29416, + "27312": msg29417, + "27313": msg29418, + "27314": msg29419, + "27315": msg29420, + "27316": msg29421, + "27317": msg29422, + "27318": msg29423, + "27319": msg29424, + "2732": msg5183, + "27320": msg29425, + "27321": msg29426, + "27322": msg29427, + "27323": msg29428, + "27324": msg29429, + "27325": msg29430, + "27326": msg29431, + "27327": msg29432, + "27328": msg29433, + "27329": msg29434, + "2733": msg5184, + "27330": msg29435, + "27331": msg29436, + "27332": msg29437, + "27333": msg29438, + "27334": msg29439, + "27335": msg29440, + "27336": msg29441, + "27337": msg29442, + "27338": msg29443, + "27339": msg29444, + "2734": msg5185, + "27340": msg29445, + "27341": msg29446, + "27342": msg29447, + "27343": msg29448, + "27344": msg29449, + "27345": msg29450, + "27346": msg29451, + "27347": msg29452, + "27348": msg29453, + "27349": msg29454, + "2735": msg5186, + "27350": msg29455, + "27351": msg29456, + "27352": msg29457, + "27353": msg29458, + "27354": msg29459, + "27355": msg29460, + "27356": msg29461, + "27357": msg29462, + "27358": msg29463, + "27359": msg29464, + "2736": msg5187, + "27360": msg29465, + "27361": msg29466, + "27362": msg29467, + "27363": msg29468, + "27364": msg29469, + "27365": msg29470, + "27366": msg29471, + "27367": msg29472, + "27368": msg29473, + "27369": msg29474, + "2737": msg5188, + "27370": msg29475, + "27371": msg29476, + "27372": msg29477, + "27373": msg29478, + "27374": msg29479, + "27375": msg29480, + "27376": msg29481, + "27377": msg29482, + "27378": msg29483, + "27379": msg29484, + "2738": msg5189, + "27380": msg29485, + "27381": msg29486, + "27382": msg29487, + "27383": msg29488, + "27384": msg29489, + "27385": msg29490, + "27386": msg29491, + "27387": msg29492, + "27388": msg29493, + "27389": msg29494, + "2739": msg5190, + "27390": msg29495, + "27391": msg29496, + "27392": msg29497, + "27393": msg29498, + "27394": msg29499, + "27395": msg29500, + "27396": msg29501, + "27397": msg29502, + "27398": msg29503, + "27399": msg29504, + "274": select197, + "2740": msg5191, + "27400": msg29505, + "27401": msg29506, + "27402": msg29507, + "27403": msg29508, + "27404": msg29509, + "27405": msg29510, + "27406": msg29511, + "27407": msg29512, + "27408": msg29513, + "27409": msg29514, + "2741": msg5192, + "27410": msg29515, + "27411": msg29516, + "27412": msg29517, + "27413": msg29518, + "27414": msg29519, + "27415": msg29520, + "27416": msg29521, + "27417": msg29522, + "27418": msg29523, + "27419": msg29524, + "2742": msg5193, + "27420": msg29525, + "27421": msg29526, + "27422": msg29527, + "27423": msg29528, + "27424": msg29529, + "27425": msg29530, + "27426": msg29531, + "27427": msg29532, + "27428": msg29533, + "27429": msg29534, + "2743": msg5194, + "27430": msg29535, + "27431": msg29536, + "27432": msg29537, + "27433": msg29538, + "27434": msg29539, + "27435": msg29540, + "27436": msg29541, + "27437": msg29542, + "27438": msg29543, + "27439": msg29544, + "2744": msg5195, + "27440": msg29545, + "27441": msg29546, + "27442": msg29547, + "27443": msg29548, + "27444": msg29549, + "27445": msg29550, + "27446": msg29551, + "27447": msg29552, + "27448": msg29553, + "27449": msg29554, + "2745": msg5196, + "27450": msg29555, + "27451": msg29556, + "27452": msg29557, + "27453": msg29558, + "27454": msg29559, + "27455": msg29560, + "27456": msg29561, + "27457": msg29562, + "27458": msg29563, + "27459": msg29564, + "2746": msg5197, + "27460": msg29565, + "27461": msg29566, + "27462": msg29567, + "27463": msg29568, + "27464": msg29569, + "27465": msg29570, + "27466": msg29571, + "27467": msg29572, + "27468": msg29573, + "27469": msg29574, + "2747": msg5198, + "27470": msg29575, + "27471": msg29576, + "27472": msg29577, + "27473": msg29578, + "27474": msg29579, + "27475": msg29580, + "27476": msg29581, + "27477": msg29582, + "27478": msg29583, + "27479": msg29584, + "2748": msg5199, + "27480": msg29585, + "27481": msg29586, + "27482": msg29587, + "27483": msg29588, + "27484": msg29589, + "27485": msg29590, + "27486": msg29591, + "27487": msg29592, + "27488": msg29593, + "27489": msg29594, + "2749": msg5200, + "27490": msg29595, + "27491": msg29596, + "27492": msg29597, + "27493": msg29598, + "27494": msg29599, + "27495": msg29600, + "27496": msg29601, + "27497": msg29602, + "27498": msg29603, + "27499": msg29604, + "275": select198, + "2750": msg5201, + "27500": msg29605, + "27501": msg29606, + "27502": msg29607, + "27503": msg29608, + "27504": msg29609, + "27505": msg29610, + "27506": msg29611, + "27507": msg29612, + "27508": msg29613, + "27509": msg29614, + "2751": msg5202, + "27510": msg29615, + "27511": msg29616, + "27512": msg29617, + "27513": msg29618, + "27514": msg29619, + "27515": msg29620, + "27516": msg29621, + "27517": msg29622, + "27518": msg29623, + "27519": msg29624, + "2752": msg5203, + "27520": msg29625, + "27521": msg29626, + "27522": msg29627, + "27523": msg29628, + "27524": msg29629, + "27525": msg29630, + "27526": msg29631, + "27527": msg29632, + "27528": msg29633, + "27529": msg29634, + "2753": msg5204, + "27530": msg29635, + "27531": msg29636, + "27532": msg29637, + "27533": msg29638, + "27534": msg29639, + "27535": msg29640, + "27536": msg29641, + "27537": msg29642, + "27538": msg29643, + "27539": msg29644, + "2754": msg5205, + "27540": msg29645, + "27541": msg29646, + "27542": msg29647, + "27543": msg29648, + "27544": msg29649, + "27545": msg29650, + "27546": msg29651, + "27547": msg29652, + "27548": msg29653, + "27549": msg29654, + "2755": msg5206, + "27550": msg29655, + "27551": msg29656, + "27552": msg29657, + "27553": msg29658, + "27554": msg29659, + "27555": msg29660, + "27556": msg29661, + "27557": msg29662, + "27558": msg29663, + "27559": msg29664, + "2756": msg5207, + "27560": msg29665, + "27561": msg29666, + "27562": msg29667, + "27563": msg29668, + "27564": msg29669, + "27565": msg29670, + "27566": msg29671, + "27567": msg29672, + "27568": msg29673, + "27569": msg29674, + "2757": msg5208, + "27570": msg29675, + "27571": msg29676, + "27572": msg29677, + "27573": msg29678, + "27574": msg29679, + "27575": msg29680, + "27576": msg29681, + "27577": msg29682, + "27578": msg29683, + "27579": msg29684, + "2758": msg5209, + "27580": msg29685, + "27581": msg29686, + "27582": msg29687, + "27583": msg29688, + "27584": msg29689, + "27585": msg29690, + "27586": msg29691, + "27587": msg29692, + "27588": msg29693, + "27589": msg29694, + "2759": msg5210, + "27590": msg29695, + "27591": msg29696, + "27592": msg29697, + "27593": msg29698, + "27594": msg29699, + "27595": msg29700, + "27596": msg29701, + "27597": msg29702, + "27598": msg29703, + "27599": msg29704, + "276": select199, + "2760": msg5211, + "27600": msg29705, + "27601": msg29706, + "27602": msg29707, + "27603": msg29708, + "27604": msg29709, + "27605": msg29710, + "27606": msg29711, + "27607": msg29712, + "27608": msg29713, + "27609": msg29714, + "2761": msg5212, + "27610": msg29715, + "27611": msg29716, + "27612": msg29717, + "27613": msg29718, + "27614": msg29719, + "27615": msg29720, + "27616": msg29721, + "27617": msg29722, + "27618": msg29723, + "27619": msg29724, + "2762": msg5213, + "27620": msg29725, + "27621": msg29726, + "27622": msg29727, + "27623": msg29728, + "27624": msg29729, + "27625": msg29730, + "27626": msg29731, + "27627": msg29732, + "27628": msg29733, + "27629": msg29734, + "2763": msg5214, + "27630": msg29735, + "27631": msg29736, + "27632": msg29737, + "27633": msg29738, + "27634": msg29739, + "27635": msg29740, + "27636": msg29741, + "27637": msg29742, + "27638": msg29743, + "27639": msg29744, + "2764": msg5215, + "27640": msg29745, + "27641": msg29746, + "27642": msg29747, + "27643": msg29748, + "27644": msg29749, + "27645": msg29750, + "27646": msg29751, + "27647": msg29752, + "27648": msg29753, + "27649": msg29754, + "2765": msg5216, + "27650": msg29755, + "27651": msg29756, + "27652": msg29757, + "27653": msg29758, + "27654": msg29759, + "27655": msg29760, + "27656": msg29761, + "27657": msg29762, + "27658": msg29763, + "27659": msg29764, + "2766": msg5217, + "27660": msg29765, + "27661": msg29766, + "27662": msg29767, + "27663": msg29768, + "27664": msg29769, + "27665": msg29770, + "27666": msg29771, + "27667": msg29772, + "27668": msg29773, + "27669": msg29774, + "2767": msg5218, + "27670": msg29775, + "27671": msg29776, + "27672": msg29777, + "27673": msg29778, + "27674": msg29779, + "27675": msg29780, + "27676": msg29781, + "27677": msg29782, + "27678": msg29783, + "27679": msg29784, + "2768": msg5219, + "27680": msg29785, + "27681": msg29786, + "27682": msg29787, + "27683": msg29788, + "27684": msg29789, + "27685": msg29790, + "27686": msg29791, + "27687": msg29792, + "27688": msg29793, + "27689": msg29794, + "2769": msg5220, + "27690": msg29795, + "27691": msg29796, + "27692": msg29797, + "27693": msg29798, + "27694": msg29799, + "27695": msg29800, + "27696": msg29801, + "27697": msg29802, + "27698": msg29803, + "27699": msg29804, + "277": select200, + "2770": msg5221, + "27700": msg29805, + "27701": msg29806, + "27702": msg29807, + "27703": msg29808, + "27704": msg29809, + "27705": msg29810, + "27706": msg29811, + "27707": msg29812, + "27708": msg29813, + "27709": msg29814, + "2771": msg5222, + "27710": msg29815, + "27711": msg29816, + "27712": msg29817, + "27713": msg29818, + "27714": msg29819, + "27715": msg29820, + "27716": msg29821, + "27717": msg29822, + "27718": msg29823, + "27719": msg29824, + "2772": msg5223, + "27720": msg29825, + "27721": msg29826, + "27722": msg29827, + "27723": msg29828, + "27724": msg29829, + "27725": msg29830, + "27726": msg29831, + "27727": msg29832, + "27728": msg29833, + "27729": msg29834, + "2773": msg5224, + "27730": msg29835, + "27731": msg29836, + "27732": msg29837, + "27733": msg29838, + "27734": msg29839, + "27735": msg29840, + "27736": msg29841, + "27737": msg29842, + "27738": msg29843, + "27739": msg29844, + "2774": msg5225, + "27740": msg29845, + "27741": msg29846, + "27742": msg29847, + "27743": msg29848, + "27744": msg29849, + "27745": msg29850, + "27746": msg29851, + "27747": msg29852, + "27748": msg29853, + "27749": msg29854, + "2775": msg5226, + "27750": msg29855, + "27751": msg29856, + "27752": msg29857, + "27753": msg29858, + "27754": msg29859, + "27755": msg29860, + "27756": msg29861, + "27757": msg29862, + "27758": msg29863, + "27759": msg29864, + "2776": msg5227, + "27760": msg29865, + "27761": msg29866, + "27762": msg29867, + "27763": msg29868, + "27764": msg29869, + "27765": msg29870, + "27766": msg29871, + "27767": msg29872, + "27768": msg29873, + "27769": msg29874, + "2777": msg5228, + "27770": msg29875, + "27771": msg29876, + "27772": msg29877, + "27773": msg29878, + "27774": msg29879, + "27775": msg29880, + "27776": msg29881, + "27777": msg29882, + "27778": msg29883, + "27779": msg29884, + "2778": msg5229, + "27780": msg29885, + "27781": msg29886, + "27782": msg29887, + "27783": msg29888, + "27784": msg29889, + "27785": msg29890, + "27786": msg29891, + "27787": msg29892, + "27788": msg29893, + "27789": msg29894, + "2779": msg5230, + "27790": msg29895, + "27791": msg29896, + "27792": msg29897, + "27793": msg29898, + "27794": msg29899, + "27795": msg29900, + "27796": msg29901, + "27797": msg29902, + "27798": msg29903, + "27799": msg29904, + "278": select201, + "2780": msg5231, + "27800": msg29905, + "27801": msg29906, + "27802": msg29907, + "27803": msg29908, + "27804": msg29909, + "27805": msg29910, + "27806": msg29911, + "27807": msg29912, + "27808": msg29913, + "27809": msg29914, + "2781": msg5232, + "27810": msg29915, + "27811": msg29916, + "27812": msg29917, + "27813": msg29918, + "27814": msg29919, + "27815": msg29920, + "27816": msg29921, + "27817": msg29922, + "27818": msg29923, + "27819": msg29924, + "2782": msg5233, + "27820": msg29925, + "27821": msg29926, + "27822": msg29927, + "27823": msg29928, + "27824": msg29929, + "27825": msg29930, + "27826": msg29931, + "27827": msg29932, + "27828": msg29933, + "27829": msg29934, + "2783": msg5234, + "27830": msg29935, + "27831": msg29936, + "27832": msg29937, + "27833": msg29938, + "27834": msg29939, + "27835": msg29940, + "27836": msg29941, + "27837": msg29942, + "27838": msg29943, + "27839": msg29944, + "2784": msg5235, + "27840": msg29945, + "27841": msg29946, + "27842": msg29947, + "27843": msg29948, + "27844": msg29949, + "27845": msg29950, + "27846": msg29951, + "27847": msg29952, + "27848": msg29953, + "27849": msg29954, + "2785": msg5236, + "27850": msg29955, + "27851": msg29956, + "27852": msg29957, + "27853": msg29958, + "27854": msg29959, + "27855": msg29960, + "27856": msg29961, + "27857": msg29962, + "27858": msg29963, + "27859": msg29964, + "2786": msg5237, + "27860": msg29965, + "27861": msg29966, + "27862": msg29967, + "27863": msg29968, + "27864": msg29969, + "27865": msg29970, + "27866": msg29971, + "27867": msg29972, + "27868": msg29973, + "27869": msg29974, + "2787": msg5238, + "27870": msg29975, + "27871": msg29976, + "27872": msg29977, + "27873": msg29978, + "27874": msg29979, + "27875": msg29980, + "27876": msg29981, + "27877": msg29982, + "27878": msg29983, + "27879": msg29984, + "2788": msg5239, + "27880": msg29985, + "27881": msg29986, + "27882": msg29987, + "27883": msg29988, + "27884": msg29989, + "27885": msg29990, + "27886": msg29991, + "27887": msg29992, + "27888": msg29993, + "27889": msg29994, + "2789": msg5240, + "27890": msg29995, + "27891": msg29996, + "27892": msg29997, + "27893": msg29998, + "27894": msg29999, + "27895": msg30000, + "27896": msg30001, + "27897": msg30002, + "27898": msg30003, + "27899": msg30004, + "279": select202, + "2790": msg5241, + "27900": msg30005, + "27901": msg30006, + "27902": msg30007, + "27903": msg30008, + "27904": msg30009, + "27905": msg30010, + "27906": msg30011, + "27907": msg30012, + "27908": msg30013, + "27909": msg30014, + "2791": msg5242, + "27910": msg30015, + "27911": msg30016, + "27912": msg30017, + "27913": msg30018, + "27914": msg30019, + "27915": msg30020, + "27916": msg30021, + "27917": msg30022, + "27918": msg30023, + "27919": msg30024, + "2792": msg5243, + "27920": msg30025, + "27921": msg30026, + "27922": msg30027, + "27923": msg30028, + "27924": msg30029, + "27925": msg30030, + "27926": msg30031, + "27927": msg30032, + "27928": msg30033, + "27929": msg30034, + "2793": msg5244, + "27930": msg30035, + "27931": msg30036, + "27932": msg30037, + "27933": msg30038, + "27934": msg30039, + "27935": msg30040, + "27936": msg30041, + "27937": msg30042, + "27938": msg30043, + "27939": msg30044, + "2794": msg5245, + "27940": msg30045, + "27941": msg30046, + "27942": msg30047, + "27943": msg30048, + "27944": msg30049, + "27945": msg30050, + "27946": msg30051, + "27947": msg30052, + "27948": msg30053, + "27949": msg30054, + "2795": msg5246, + "27950": msg30055, + "27951": msg30056, + "27952": msg30057, + "27953": msg30058, + "27954": msg30059, + "27955": msg30060, + "27956": msg30061, + "27957": msg30062, + "27958": msg30063, + "27959": msg30064, + "2796": msg5247, + "27960": msg30065, + "27961": msg30066, + "27962": msg30067, + "27963": msg30068, + "27964": msg30069, + "27965": msg30070, + "27966": msg30071, + "27967": msg30072, + "27968": msg30073, + "27969": msg30074, + "2797": msg5248, + "27970": msg30075, + "27971": msg30076, + "27972": msg30077, + "27973": msg30078, + "27974": msg30079, + "27975": msg30080, + "27976": msg30081, + "27977": msg30082, + "27978": msg30083, + "27979": msg30084, + "2798": msg5249, + "27980": msg30085, + "27981": msg30086, + "27982": msg30087, + "27983": msg30088, + "27984": msg30089, + "27985": msg30090, + "27986": msg30091, + "27987": msg30092, + "27988": msg30093, + "27989": msg30094, + "2799": msg5250, + "27990": msg30095, + "27991": msg30096, + "27992": msg30097, + "27993": msg30098, + "27994": msg30099, + "27995": msg30100, + "27996": msg30101, + "27997": msg30102, + "27998": msg30103, + "27999": msg30104, + "28": msg62, + "280": select203, + "2800": msg5251, + "28000": msg30105, + "28001": msg30106, + "28002": msg30107, + "28003": msg30108, + "28004": msg30109, + "28005": msg30110, + "28006": msg30111, + "28007": msg30112, + "28008": msg30113, + "28009": msg30114, + "2801": msg5252, + "28010": msg30115, + "28011": msg30116, + "28012": msg30117, + "28013": msg30118, + "28014": msg30119, + "28015": msg30120, + "28016": msg30121, + "28017": msg30122, + "28018": msg30123, + "28019": msg30124, + "2802": msg5253, + "28020": msg30125, + "28021": msg30126, + "28022": msg30127, + "28023": msg30128, + "28024": msg30129, + "28025": msg30130, + "28026": msg30131, + "28027": msg30132, + "28028": msg30133, + "28029": msg30134, + "2803": msg5254, + "28030": msg30135, + "28031": msg30136, + "28032": msg30137, + "28033": msg30138, + "28034": msg30139, + "28035": msg30140, + "28036": msg30141, + "28037": msg30142, + "28038": msg30143, + "28039": msg30144, + "2804": msg5255, + "28040": msg30145, + "28041": msg30146, + "28042": msg30147, + "28043": msg30148, + "28044": msg30149, + "28045": msg30150, + "28046": msg30151, + "28047": msg30152, + "28048": msg30153, + "28049": msg30154, + "2805": msg5256, + "28050": msg30155, + "28051": msg30156, + "28052": msg30157, + "28053": msg30158, + "28054": msg30159, + "28055": msg30160, + "28056": msg30161, + "28057": msg30162, + "28058": msg30163, + "28059": msg30164, + "2806": msg5257, + "28060": msg30165, + "28061": msg30166, + "28062": msg30167, + "28063": msg30168, + "28064": msg30169, + "28065": msg30170, + "28066": msg30171, + "28067": msg30172, + "28068": msg30173, + "28069": msg30174, + "2807": msg5258, + "28070": msg30175, + "28071": msg30176, + "28072": msg30177, + "28073": msg30178, + "28074": msg30179, + "28075": msg30180, + "28076": msg30181, + "28077": msg30182, + "28078": msg30183, + "28079": msg30184, + "2808": msg5259, + "28080": msg30185, + "28081": msg30186, + "28082": msg30187, + "28083": msg30188, + "28084": msg30189, + "28085": msg30190, + "28086": msg30191, + "28087": msg30192, + "28088": msg30193, + "28089": msg30194, + "2809": msg5260, + "28090": msg30195, + "28093": msg30196, + "28094": msg30197, + "28095": msg30198, + "28096": msg30199, + "28097": msg30200, + "28098": msg30201, + "28099": msg30202, + "281": select204, + "2810": msg5261, + "28100": msg30203, + "28101": msg30204, + "28102": msg30205, + "28103": msg30206, + "28104": msg30207, + "28105": msg30208, + "28106": msg30209, + "28107": msg30210, + "28108": msg30211, + "28109": msg30212, + "2811": msg5262, + "28110": msg30213, + "28111": msg30214, + "28112": msg30215, + "28113": msg30216, + "28114": msg30217, + "28115": msg30218, + "28116": msg30219, + "28117": msg30220, + "28118": msg30221, + "28119": msg30222, + "2812": msg5263, + "28120": msg30223, + "28121": msg30224, + "28122": msg30225, + "28123": msg30226, + "28124": msg30227, + "28125": msg30228, + "28126": msg30229, + "28127": msg30230, + "28128": msg30231, + "28129": msg30232, + "2813": msg5264, + "28130": msg30233, + "28131": msg30234, + "28132": msg30235, + "28133": msg30236, + "28134": msg30237, + "28135": msg30238, + "28136": msg30239, + "28137": msg30240, + "28138": msg30241, + "28139": msg30242, + "2814": msg5265, + "28140": msg30243, + "28141": msg30244, + "28142": msg30245, + "28143": msg30246, + "28144": msg30247, + "28145": msg30248, + "28146": msg30249, + "28147": msg30250, + "28148": msg30251, + "28149": msg30252, + "2815": msg5266, + "28150": msg30253, + "28151": msg30254, + "28152": msg30255, + "28153": msg30256, + "28154": msg30257, + "28155": msg30258, + "28156": msg30259, + "28157": msg30260, + "28158": msg30261, + "28159": msg30262, + "2816": msg5267, + "28160": msg30263, + "28161": msg30264, + "28162": msg30265, + "28163": msg30266, + "28164": msg30267, + "28165": msg30268, + "28166": msg30269, + "28167": msg30270, + "28168": msg30271, + "28169": msg30272, + "2817": msg5268, + "28170": msg30273, + "28171": msg30274, + "28172": msg30275, + "28173": msg30276, + "28174": msg30277, + "28175": msg30278, + "28176": msg30279, + "28177": msg30280, + "28178": msg30281, + "28179": msg30282, + "2818": msg5269, + "28180": msg30283, + "28181": msg30284, + "28182": msg30285, + "28183": msg30286, + "28184": msg30287, + "28185": msg30288, + "28186": msg30289, + "28187": msg30290, + "28188": msg30291, + "28189": msg30292, + "2819": msg5270, + "28190": msg30293, + "28191": msg30294, + "28192": msg30295, + "28193": msg30296, + "28194": msg30297, + "28195": msg30298, + "28196": msg30299, + "28197": msg30300, + "28198": msg30301, + "28199": msg30302, + "282": select205, + "2820": msg5271, + "28200": msg30303, + "28201": msg30304, + "28202": msg30305, + "28203": msg30306, + "28204": msg30307, + "28205": msg30308, + "28206": msg30309, + "28207": msg30310, + "28208": msg30311, + "28209": msg30312, + "2821": msg5272, + "28210": msg30313, + "28211": msg30314, + "28212": msg30315, + "28213": msg30316, + "28214": msg30317, + "28215": msg30318, + "28216": msg30319, + "28217": msg30320, + "28218": msg30321, + "28219": msg30322, + "2822": msg5273, + "28220": msg30323, + "28221": msg30324, + "28222": msg30325, + "28223": msg30326, + "28224": msg30327, + "28225": msg30328, + "28226": msg30329, + "28227": msg30330, + "28228": msg30331, + "28229": msg30332, + "2823": msg5274, + "28230": msg30333, + "28231": msg30334, + "28232": msg30335, + "28233": msg30336, + "28234": msg30337, + "28235": msg30338, + "28236": msg30339, + "28237": msg30340, + "28238": msg30341, + "28239": msg30342, + "2824": msg5275, + "28240": msg30343, + "28241": msg30344, + "28242": msg30345, + "28243": msg30346, + "28244": msg30347, + "28245": msg30348, + "28246": msg30349, + "28247": msg30350, + "28248": msg30351, + "28249": msg30352, + "2825": msg5276, + "28250": msg30353, + "28251": msg30354, + "28252": msg30355, + "28253": msg30356, + "28254": msg30357, + "28255": msg30358, + "28256": msg30359, + "28257": msg30360, + "28258": msg30361, + "28259": msg30362, + "2826": msg5277, + "28260": msg30363, + "28261": msg30364, + "28262": msg30365, + "28263": msg30366, + "28264": msg30367, + "28265": msg30368, + "28266": msg30369, + "28267": msg30370, + "28268": msg30371, + "28269": msg30372, + "2827": msg5278, + "28270": msg30373, + "28271": msg30374, + "28272": msg30375, + "28273": msg30376, + "28274": msg30377, + "28275": msg30378, + "28276": msg30379, + "28277": msg30380, + "28278": msg30381, + "28279": msg30382, + "2828": msg5279, + "28280": msg30383, + "28281": msg30384, + "28282": msg30385, + "28283": msg30386, + "28284": msg30387, + "28285": msg30388, + "28286": msg30389, + "28287": msg30390, + "28288": msg30391, + "28289": msg30392, + "2829": msg5280, + "28290": msg30393, + "28291": msg30394, + "28292": msg30395, + "28293": msg30396, + "28294": msg30397, + "28295": msg30398, + "28296": msg30399, + "28297": msg30400, + "28298": msg30401, + "28299": msg30402, + "283": select206, + "2830": msg5281, + "28300": msg30403, + "28303": msg30404, + "28304": msg30405, + "28305": msg30406, + "28306": msg30407, + "28309": msg30408, + "2831": msg5282, + "28315": msg30409, + "2832": msg5283, + "28323": msg30410, + "28325": msg30411, + "28326": msg30412, + "28327": msg30413, + "28328": msg30414, + "28329": msg30415, + "2833": msg5284, + "28330": msg30416, + "28331": msg30417, + "28332": msg30418, + "28333": msg30419, + "28334": msg30420, + "28335": msg30421, + "28336": msg30422, + "28337": msg30423, + "28338": msg30424, + "28339": msg30425, + "2834": msg5285, + "28340": msg30426, + "28341": msg30427, + "28342": msg30428, + "28343": msg30429, + "28344": msg30430, + "28345": msg30431, + "28346": msg30432, + "28347": msg30433, + "28348": msg30434, + "28349": msg30435, + "2835": msg5286, + "28350": msg30436, + "28351": msg30437, + "28352": msg30438, + "28353": msg30439, + "28354": msg30440, + "28355": msg30441, + "28356": msg30442, + "28357": msg30443, + "28358": msg30444, + "28359": msg30445, + "2836": msg5287, + "28360": msg30446, + "28361": msg30447, + "28362": msg30448, + "28363": msg30449, + "28364": msg30450, + "28365": msg30451, + "28366": msg30452, + "28367": msg30453, + "28368": msg30454, + "28369": msg30455, + "2837": msg5288, + "28370": msg30456, + "28371": msg30457, + "28372": msg30458, + "28373": msg30459, + "28374": msg30460, + "28375": msg30461, + "28376": msg30462, + "28377": msg30463, + "28378": msg30464, + "28379": msg30465, + "2838": msg5289, + "28380": msg30466, + "28381": msg30467, + "28382": msg30468, + "28383": msg30469, + "28384": msg30470, + "28385": msg30471, + "28386": msg30472, + "28387": msg30473, + "28388": msg30474, + "28389": msg30475, + "2839": msg5290, + "28390": msg30476, + "28391": msg30477, + "28392": msg30478, + "28393": msg30479, + "28394": msg30480, + "28395": msg30481, + "28396": msg30482, + "28397": msg30483, + "28398": msg30484, + "28399": msg30485, + "284": select207, + "2840": msg5291, + "28400": msg30486, + "28401": msg30487, + "28402": msg30488, + "28403": msg30489, + "28404": msg30490, + "28405": msg30491, + "28406": msg30492, + "28407": msg30493, + "28408": msg30494, + "28409": msg30495, + "2841": msg5292, + "28410": msg30496, + "28411": msg30497, + "28412": msg30498, + "28413": msg30499, + "28414": msg30500, + "28415": msg30501, + "28416": msg30502, + "28417": msg30503, + "28418": msg30504, + "28419": msg30505, + "2842": msg5293, + "28420": msg30506, + "28421": msg30507, + "28422": msg30508, + "28423": msg30509, + "28424": msg30510, + "28425": msg30511, + "28426": msg30512, + "28427": msg30513, + "28428": msg30514, + "28429": msg30515, + "2843": msg5294, + "28430": msg30516, + "28431": msg30517, + "28432": msg30518, + "28433": msg30519, + "28434": msg30520, + "28435": msg30521, + "28436": msg30522, + "28437": msg30523, + "28438": msg30524, + "28439": msg30525, + "2844": msg5295, + "28440": msg30526, + "28441": msg30527, + "28442": msg30528, + "28443": msg30529, + "28444": msg30530, + "28445": msg30531, + "28446": msg30532, + "28447": msg30533, + "28448": msg30534, + "28449": msg30535, + "2845": msg5296, + "28450": msg30536, + "28451": msg30537, + "28452": msg30538, + "28453": msg30539, + "28454": msg30540, + "28455": msg30541, + "28456": msg30542, + "28457": msg30543, + "28458": msg30544, + "28459": msg30545, + "2846": msg5297, + "28460": msg30546, + "28461": msg30547, + "28462": msg30548, + "28463": msg30549, + "28464": msg30550, + "28465": msg30551, + "28466": msg30552, + "28467": msg30553, + "28468": msg30554, + "28469": msg30555, + "2847": msg5298, + "28470": msg30556, + "28471": msg30557, + "28472": msg30558, + "28473": msg30559, + "28474": msg30560, + "28475": msg30561, + "28476": msg30562, + "28477": msg30563, + "28478": msg30564, + "28479": msg30565, + "2848": msg5299, + "28480": msg30566, + "28481": msg30567, + "28482": msg30568, + "28483": msg30569, + "28484": msg30570, + "28485": msg30571, + "28486": msg30572, + "28487": msg30573, + "28488": msg30574, + "28489": msg30575, + "2849": msg5300, + "28490": msg30576, + "28491": msg30577, + "28492": msg30578, + "28493": msg30579, + "28494": msg30580, + "28495": msg30581, + "28496": msg30582, + "28497": msg30583, + "28498": msg30584, + "28499": msg30585, + "285": select208, + "2850": msg5301, + "28500": msg30586, + "28501": msg30587, + "28502": msg30588, + "28503": msg30589, + "28504": msg30590, + "28505": msg30591, + "28506": msg30592, + "28507": msg30593, + "28508": msg30594, + "28509": msg30595, + "2851": msg5302, + "28510": msg30596, + "28511": msg30597, + "28512": msg30598, + "28513": msg30599, + "28514": msg30600, + "28515": msg30601, + "28516": msg30602, + "28517": msg30603, + "28518": msg30604, + "28519": msg30605, + "2852": msg5303, + "28520": msg30606, + "28521": msg30607, + "28522": msg30608, + "28523": msg30609, + "28524": msg30610, + "28525": msg30611, + "28526": msg30612, + "28527": msg30613, + "28528": msg30614, + "28529": msg30615, + "2853": msg5304, + "28530": msg30616, + "28531": msg30617, + "28532": msg30618, + "28533": msg30619, + "28534": msg30620, + "28535": msg30621, + "28536": msg30622, + "28537": msg30623, + "28538": msg30624, + "28539": msg30625, + "2854": msg5305, + "28540": msg30626, + "28541": msg30627, + "28542": msg30628, + "28543": msg30629, + "28544": msg30630, + "28545": msg30631, + "28546": msg30632, + "28547": msg30633, + "28548": msg30634, + "28549": msg30635, + "2855": msg5306, + "28550": msg30636, + "28551": msg30637, + "28552": msg30638, + "28553": msg30639, + "28554": msg30640, + "28555": msg30641, + "28556": msg30642, + "28557": msg30643, + "28558": msg30644, + "28559": msg30645, + "2856": msg5307, + "28560": msg30646, + "28561": msg30647, + "28562": msg30648, + "28563": msg30649, + "28564": msg30650, + "28565": msg30651, + "28566": msg30652, + "28567": msg30653, + "28568": msg30654, + "28569": msg30655, + "2857": msg5308, + "28570": msg30656, + "28571": msg30657, + "28572": msg30658, + "28573": msg30659, + "28574": msg30660, + "28575": msg30661, + "28576": msg30662, + "28577": msg30663, + "28578": msg30664, + "28579": msg30665, + "2858": msg5309, + "28580": msg30666, + "28581": msg30667, + "28582": msg30668, + "28583": msg30669, + "28584": msg30670, + "28585": msg30671, + "28586": msg30672, + "28587": msg30673, + "28588": msg30674, + "28589": msg30675, + "2859": msg5310, + "28590": msg30676, + "28591": msg30677, + "28592": msg30678, + "28593": msg30679, + "28594": msg30680, + "28595": msg30681, + "28596": msg30682, + "28597": msg30683, + "28598": msg30684, + "28599": msg30685, + "286": select209, + "2860": msg5311, + "28600": msg30686, + "28601": msg30687, + "28602": msg30688, + "28603": msg30689, + "28604": msg30690, + "28605": msg30691, + "28606": msg30692, + "28607": msg30693, + "28608": msg30694, + "28609": msg30695, + "2861": msg5312, + "28610": msg30696, + "28611": msg30697, + "28612": msg30698, + "28613": msg30699, + "28614": msg30700, + "28615": msg30701, + "28616": msg30702, + "28617": msg30703, + "28618": msg30704, + "28619": msg30705, + "2862": msg5313, + "28620": msg30706, + "28621": msg30707, + "28622": msg30708, + "28623": msg30709, + "28624": msg30710, + "28625": msg30711, + "28626": msg30712, + "28627": msg30713, + "28628": msg30714, + "28629": msg30715, + "2863": msg5314, + "28630": msg30716, + "28631": msg30717, + "28632": msg30718, + "28633": msg30719, + "28634": msg30720, + "28635": msg30721, + "28636": msg30722, + "28637": msg30723, + "28638": msg30724, + "28639": msg30725, + "2864": msg5315, + "28640": msg30726, + "28641": msg30727, + "28642": msg30728, + "28643": msg30729, + "28644": msg30730, + "28645": msg30731, + "28646": msg30732, + "28647": msg30733, + "28648": msg30734, + "28649": msg30735, + "2865": msg5316, + "28650": msg30736, + "28651": msg30737, + "28652": msg30738, + "28653": msg30739, + "28654": msg30740, + "28655": msg30741, + "28656": msg30742, + "28657": msg30743, + "28658": msg30744, + "28659": msg30745, + "2866": msg5317, + "28660": msg30746, + "28661": msg30747, + "28662": msg30748, + "28663": msg30749, + "28664": msg30750, + "28665": msg30751, + "28666": msg30752, + "28667": msg30753, + "28668": msg30754, + "28669": msg30755, + "2867": msg5318, + "28670": msg30756, + "28671": msg30757, + "28672": msg30758, + "28673": msg30759, + "28674": msg30760, + "28675": msg30761, + "28676": msg30762, + "28677": msg30763, + "28678": msg30764, + "28679": msg30765, + "2868": msg5319, + "28680": msg30766, + "28681": msg30767, + "28682": msg30768, + "28683": msg30769, + "28684": msg30770, + "28685": msg30771, + "28686": msg30772, + "28687": msg30773, + "28688": msg30774, + "28689": msg30775, + "2869": msg5320, + "28690": msg30776, + "28691": msg30777, + "28692": msg30778, + "28693": msg30779, + "28694": msg30780, + "28695": msg30781, + "28696": msg30782, + "28697": msg30783, + "28698": msg30784, + "28699": msg30785, + "287": select210, + "2870": msg5321, + "28700": msg30786, + "28701": msg30787, + "28702": msg30788, + "28703": msg30789, + "28704": msg30790, + "28705": msg30791, + "28706": msg30792, + "28707": msg30793, + "28708": msg30794, + "28709": msg30795, + "2871": msg5322, + "28710": msg30796, + "28711": msg30797, + "28712": msg30798, + "28713": msg30799, + "28714": msg30800, + "28715": msg30801, + "28716": msg30802, + "28717": msg30803, + "28718": msg30804, + "28719": msg30805, + "2872": msg5323, + "28720": msg30806, + "28721": msg30807, + "28722": msg30808, + "28723": msg30809, + "28724": msg30810, + "28725": msg30811, + "28726": msg30812, + "28727": msg30813, + "28728": msg30814, + "28729": msg30815, + "2873": msg5324, + "28730": msg30816, + "28731": msg30817, + "28732": msg30818, + "28733": msg30819, + "28734": msg30820, + "28735": msg30821, + "28736": msg30822, + "28737": msg30823, + "28738": msg30824, + "28739": msg30825, + "2874": msg5325, + "28740": msg30826, + "28741": msg30827, + "28742": msg30828, + "28743": msg30829, + "28744": msg30830, + "28745": msg30831, + "28746": msg30832, + "28747": msg30833, + "28748": msg30834, + "28749": msg30835, + "2875": msg5326, + "28750": msg30836, + "28751": msg30837, + "28752": msg30838, + "28753": msg30839, + "28754": msg30840, + "28755": msg30841, + "28756": msg30842, + "28757": msg30843, + "28758": msg30844, + "28759": msg30845, + "2876": msg5327, + "28760": msg30846, + "28761": msg30847, + "28762": msg30848, + "28763": msg30849, + "28764": msg30850, + "28765": msg30851, + "28766": msg30852, + "28767": msg30853, + "28768": msg30854, + "28769": msg30855, + "2877": msg5328, + "28770": msg30856, + "28771": msg30857, + "28772": msg30858, + "28773": msg30859, + "28774": msg30860, + "28775": msg30861, + "28776": msg30862, + "28777": msg30863, + "28778": msg30864, + "28779": msg30865, + "2878": msg5329, + "28780": msg30866, + "28781": msg30867, + "28782": msg30868, + "28783": msg30869, + "28784": msg30870, + "28785": msg30871, + "28786": msg30872, + "28787": msg30873, + "28788": msg30874, + "28789": msg30875, + "2879": msg5330, + "28790": msg30876, + "28791": msg30877, + "28792": msg30878, + "28793": msg30879, + "28794": msg30880, + "28795": msg30881, + "28796": msg30882, + "28797": msg30883, + "28798": msg30884, + "28799": msg30885, + "288": select211, + "2880": msg5331, + "28800": msg30886, + "28801": msg30887, + "28802": msg30888, + "28803": msg30889, + "28804": msg30890, + "28805": msg30891, + "28806": msg30892, + "28807": msg30893, + "28808": msg30894, + "28809": msg30895, + "2881": msg5332, + "28810": msg30896, + "28811": msg30897, + "28812": msg30898, + "28813": msg30899, + "28814": msg30900, + "28815": msg30901, + "28816": msg30902, + "28817": msg30903, + "28818": msg30904, + "28819": msg30905, + "2882": msg5333, + "28820": msg30906, + "28821": msg30907, + "28822": msg30908, + "28823": msg30909, + "28824": msg30910, + "28825": msg30911, + "28826": msg30912, + "28827": msg30913, + "28828": msg30914, + "28829": msg30915, + "2883": msg5334, + "28830": msg30916, + "28831": msg30917, + "28832": msg30918, + "28833": msg30919, + "28834": msg30920, + "28835": msg30921, + "28836": msg30922, + "28837": msg30923, + "28838": msg30924, + "28839": msg30925, + "2884": msg5335, + "28840": msg30926, + "28841": msg30927, + "28842": msg30928, + "28843": msg30929, + "28844": msg30930, + "28845": msg30931, + "28846": msg30932, + "28847": msg30933, + "28848": msg30934, + "28849": msg30935, + "2885": msg5336, + "28850": msg30936, + "28851": msg30937, + "28852": msg30938, + "28853": msg30939, + "28854": msg30940, + "28855": msg30941, + "28856": msg30942, + "28857": msg30943, + "28858": msg30944, + "28859": msg30945, + "2886": msg5337, + "28860": msg30946, + "28861": msg30947, + "28862": msg30948, + "28863": msg30949, + "28864": msg30950, + "28865": msg30951, + "28866": msg30952, + "28867": msg30953, + "28868": msg30954, + "28869": msg30955, + "2887": msg5338, + "28870": msg30956, + "28871": msg30957, + "28872": msg30958, + "28873": msg30959, + "28874": msg30960, + "28875": msg30961, + "28876": msg30962, + "28877": msg30963, + "28878": msg30964, + "28879": msg30965, + "2888": msg5339, + "28880": msg30966, + "28881": msg30967, + "28882": msg30968, + "28883": msg30969, + "28884": msg30970, + "28885": msg30971, + "28886": msg30972, + "28887": msg30973, + "28888": msg30974, + "28889": msg30975, + "2889": msg5340, + "28890": msg30976, + "28891": msg30977, + "28892": msg30978, + "28893": msg30979, + "28894": msg30980, + "28895": msg30981, + "28896": msg30982, + "28897": msg30983, + "28898": msg30984, + "28899": msg30985, + "289": select212, + "2890": msg5341, + "28900": msg30986, + "28901": msg30987, + "28902": msg30988, + "28903": msg30989, + "28904": msg30990, + "28905": msg30991, + "28906": msg30992, + "28907": msg30993, + "28908": msg30994, + "28909": msg30995, + "2891": msg5342, + "28910": msg30996, + "28911": msg30997, + "28912": msg30998, + "28913": msg30999, + "28914": msg31000, + "28915": msg31001, + "28916": msg31002, + "28917": msg31003, + "28918": msg31004, + "28919": msg31005, + "2892": msg5343, + "28920": msg31006, + "28921": msg31007, + "28922": msg31008, + "28923": msg31009, + "28924": msg31010, + "28925": msg31011, + "28926": msg31012, + "28927": msg31013, + "28928": msg31014, + "28929": msg31015, + "2893": msg5344, + "28930": msg31016, + "28931": msg31017, + "28932": msg31018, + "28933": msg31019, + "28934": msg31020, + "28935": msg31021, + "28936": msg31022, + "28937": msg31023, + "28938": msg31024, + "28939": msg31025, + "2894": msg5345, + "28940": msg31026, + "28941": msg31027, + "28942": msg31028, + "28943": msg31029, + "28944": msg31030, + "28945": msg31031, + "28946": msg31032, + "28947": msg31033, + "28948": msg31034, + "28949": msg31035, + "2895": msg5346, + "28950": msg31036, + "28951": msg31037, + "28952": msg31038, + "28953": msg31039, + "28954": msg31040, + "28955": msg31041, + "28956": msg31042, + "28957": msg31043, + "28958": msg31044, + "28959": msg31045, + "2896": msg5347, + "28960": msg31046, + "28961": msg31047, + "28962": msg31048, + "28963": msg31049, + "28964": msg31050, + "28965": msg31051, + "28966": msg31052, + "28967": msg31053, + "28968": msg31054, + "28969": msg31055, + "2897": msg5348, + "28970": msg31056, + "28971": msg31057, + "28972": msg31058, + "28973": msg31059, + "28974": msg31060, + "28975": msg31061, + "28976": msg31062, + "28977": msg31063, + "28978": msg31064, + "28979": msg31065, + "2898": msg5349, + "28980": msg31066, + "28981": msg31067, + "28982": msg31068, + "28983": msg31069, + "28984": msg31070, + "28985": msg31071, + "28986": msg31072, + "28987": msg31073, + "28988": msg31074, + "28989": msg31075, + "2899": msg5350, + "28990": msg31076, + "28991": msg31077, + "28992": msg31078, + "28993": msg31079, + "28994": msg31080, + "28995": msg31081, + "28996": msg31082, + "28997": msg31083, + "28998": msg31084, + "28999": msg31085, + "29": msg63, + "290": select213, + "2900": msg5351, + "29000": msg31086, + "29001": msg31087, + "29002": msg31088, + "29003": msg31089, + "29004": msg31090, + "29005": msg31091, + "29006": msg31092, + "29007": msg31093, + "29008": msg31094, + "29009": msg31095, + "2901": msg5352, + "29010": msg31096, + "29011": msg31097, + "29012": msg31098, + "29013": msg31099, + "29014": msg31100, + "29015": msg31101, + "29016": msg31102, + "29017": msg31103, + "29018": msg31104, + "29019": msg31105, + "2902": msg5353, + "29020": msg31106, + "29021": msg31107, + "29022": msg31108, + "29023": msg31109, + "29024": msg31110, + "29025": msg31111, + "29026": msg31112, + "29027": msg31113, + "29028": msg31114, + "29029": msg31115, + "2903": msg5354, + "29030": msg31116, + "29031": msg31117, + "29032": msg31118, + "29033": msg31119, + "29034": msg31120, + "29035": msg31121, + "29036": msg31122, + "29037": msg31123, + "29038": msg31124, + "29039": msg31125, + "2904": msg5355, + "29040": msg31126, + "29041": msg31127, + "29042": msg31128, + "29043": msg31129, + "29044": msg31130, + "29045": msg31131, + "29046": msg31132, + "29047": msg31133, + "29048": msg31134, + "29049": msg31135, + "2905": msg5356, + "29050": msg31136, + "29051": msg31137, + "29052": msg31138, + "29053": msg31139, + "29054": msg31140, + "29055": msg31141, + "29056": msg31142, + "29057": msg31143, + "29058": msg31144, + "29059": msg31145, + "2906": msg5357, + "29060": msg31146, + "29061": msg31147, + "29062": msg31148, + "29063": msg31149, + "29064": msg31150, + "29065": msg31151, + "29066": msg31152, + "29067": msg31153, + "29068": msg31154, + "29069": msg31155, + "2907": msg5358, + "29070": msg31156, + "29071": msg31157, + "29072": msg31158, + "29073": msg31159, + "29074": msg31160, + "29075": msg31161, + "29076": msg31162, + "29077": msg31163, + "29078": msg31164, + "29079": msg31165, + "2908": msg5359, + "29080": msg31166, + "29081": msg31167, + "29082": msg31168, + "29083": msg31169, + "29084": msg31170, + "29085": msg31171, + "29086": msg31172, + "29087": msg31173, + "29088": msg31174, + "29089": msg31175, + "2909": msg5360, + "29090": msg31176, + "29091": msg31177, + "29092": msg31178, + "29093": msg31179, + "29094": msg31180, + "29095": msg31181, + "29096": msg31182, + "29097": msg31183, + "29098": msg31184, + "29099": msg31185, + "291": select214, + "2910": msg5361, + "29100": msg31186, + "29101": msg31187, + "29102": msg31188, + "29103": msg31189, + "29104": msg31190, + "29105": msg31191, + "29106": msg31192, + "29107": msg31193, + "29108": msg31194, + "29109": msg31195, + "2911": msg5362, + "29110": msg31196, + "29111": msg31197, + "29112": msg31198, + "29113": msg31199, + "29114": msg31200, + "29115": msg31201, + "29116": msg31202, + "29117": msg31203, + "29118": msg31204, + "29119": msg31205, + "2912": msg5363, + "29120": msg31206, + "29121": msg31207, + "29122": msg31208, + "29123": msg31209, + "29124": msg31210, + "29125": msg31211, + "29126": msg31212, + "29127": msg31213, + "29128": msg31214, + "29129": msg31215, + "2913": msg5364, + "29130": msg31216, + "29131": msg31217, + "29132": msg31218, + "29133": msg31219, + "29134": msg31220, + "29135": msg31221, + "29136": msg31222, + "29137": msg31223, + "29138": msg31224, + "29139": msg31225, + "2914": msg5365, + "29140": msg31226, + "29141": msg31227, + "29142": msg31228, + "29143": msg31229, + "29144": msg31230, + "29145": msg31231, + "29146": msg31232, + "29147": msg31233, + "29148": msg31234, + "29149": msg31235, + "2915": msg5366, + "29150": msg31236, + "29151": msg31237, + "29152": msg31238, + "29153": msg31239, + "29154": msg31240, + "29155": msg31241, + "29156": msg31242, + "29157": msg31243, + "29158": msg31244, + "29159": msg31245, + "2916": msg5367, + "29160": msg31246, + "29161": msg31247, + "29162": msg31248, + "29163": msg31249, + "29164": msg31250, + "29165": msg31251, + "29166": msg31252, + "29167": msg31253, + "29168": msg31254, + "29169": msg31255, + "2917": msg5368, + "29170": msg31256, + "29171": msg31257, + "29172": msg31258, + "29173": msg31259, + "29174": msg31260, + "29175": msg31261, + "29176": msg31262, + "29177": msg31263, + "29178": msg31264, + "29179": msg31265, + "2918": msg5369, + "29180": msg31266, + "29181": msg31267, + "29182": msg31268, + "29183": msg31269, + "29184": msg31270, + "29185": msg31271, + "29186": msg31272, + "29187": msg31273, + "29188": msg31274, + "29189": msg31275, + "2919": msg5370, + "29190": msg31276, + "29191": msg31277, + "29192": msg31278, + "29193": msg31279, + "29194": msg31280, + "29195": msg31281, + "29196": msg31282, + "29197": msg31283, + "29198": msg31284, + "29199": msg31285, + "292": select215, + "29200": msg31286, + "29201": msg31287, + "29202": msg31288, + "29203": msg31289, + "29204": msg31290, + "29205": msg31291, + "29206": msg31292, + "29207": msg31293, + "29208": msg31294, + "29209": msg31295, + "2921": msg5371, + "29210": msg31296, + "29211": msg31297, + "29212": msg31298, + "29213": msg31299, + "29214": msg31300, + "29215": msg31301, + "29216": msg31302, + "29217": msg31303, + "29218": msg31304, + "29219": msg31305, + "2922": msg5372, + "29220": msg31306, + "29221": msg31307, + "29222": msg31308, + "29223": msg31309, + "29224": msg31310, + "29225": msg31311, + "29226": msg31312, + "29227": msg31313, + "29228": msg31314, + "29229": msg31315, + "2923": msg5373, + "29230": msg31316, + "29231": msg31317, + "29232": msg31318, + "29233": msg31319, + "29234": msg31320, + "29235": msg31321, + "29236": msg31322, + "29237": msg31323, + "29238": msg31324, + "29239": msg31325, + "2924": msg5374, + "29240": msg31326, + "29241": msg31327, + "29242": msg31328, + "29243": msg31329, + "29244": msg31330, + "29245": msg31331, + "29246": msg31332, + "29247": msg31333, + "29248": msg31334, + "29249": msg31335, + "2925": msg5375, + "29250": msg31336, + "29251": msg31337, + "29252": msg31338, + "29253": msg31339, + "29254": msg31340, + "29255": msg31341, + "29256": msg31342, + "29257": msg31343, + "29258": msg31344, + "29259": msg31345, + "2926": msg5376, + "29260": msg31346, + "29261": msg31347, + "29262": msg31348, + "29263": msg31349, + "29264": msg31350, + "29265": msg31351, + "29266": msg31352, + "29267": msg31353, + "29268": msg31354, + "29269": msg31355, + "2927": msg5377, + "29270": msg31356, + "29271": msg31357, + "29272": msg31358, + "29273": msg31359, + "29274": msg31360, + "29275": msg31361, + "29276": msg31362, + "29277": msg31363, + "29278": msg31364, + "29279": msg31365, + "2928": msg5378, + "29280": msg31366, + "29281": msg31367, + "29282": msg31368, + "29283": msg31369, + "29284": msg31370, + "29285": msg31371, + "29286": msg31372, + "29287": msg31373, + "29288": msg31374, + "29289": msg31375, + "2929": msg5379, + "29290": msg31376, + "29291": msg31377, + "29292": msg31378, + "29293": msg31379, + "29294": msg31380, + "29295": msg31381, + "29296": msg31382, + "29297": msg31383, + "29298": msg31384, + "29299": msg31385, + "293": select216, + "2930": msg5380, + "29300": msg31386, + "29301": msg31387, + "29302": msg31388, + "29303": msg31389, + "29304": msg31390, + "29305": msg31391, + "29306": msg31392, + "29307": msg31393, + "2931": msg5381, + "29313": msg31394, + "29314": msg31395, + "29315": msg31396, + "29316": msg31397, + "29317": msg31398, + "29318": msg31399, + "29319": msg31400, + "2932": msg5382, + "29320": msg31401, + "29321": msg31402, + "29322": msg31403, + "29323": msg31404, + "29324": msg31405, + "29325": msg31406, + "29326": msg31407, + "29327": msg31408, + "29328": msg31409, + "29329": msg31410, + "2933": msg5383, + "29330": msg31411, + "29331": msg31412, + "29332": msg31413, + "29333": msg31414, + "29334": msg31415, + "29335": msg31416, + "29336": msg31417, + "29337": msg31418, + "29338": msg31419, + "29339": msg31420, + "2934": msg5384, + "29340": msg31421, + "29341": msg31422, + "29342": msg31423, + "29343": msg31424, + "29344": msg31425, + "29345": msg31426, + "29346": msg31427, + "29347": msg31428, + "29348": msg31429, + "29349": msg31430, + "2935": msg5385, + "29350": msg31431, + "29351": msg31432, + "29352": msg31433, + "29353": msg31434, + "29354": msg31435, + "29355": msg31436, + "29356": msg31437, + "29357": msg31438, + "29358": msg31439, + "29359": msg31440, + "2936": msg5386, + "29360": msg31441, + "29361": msg31442, + "29362": msg31443, + "29363": msg31444, + "29364": msg31445, + "29365": msg31446, + "29366": msg31447, + "29367": msg31448, + "29368": msg31449, + "29369": msg31450, + "2937": msg5387, + "29370": msg31451, + "29371": msg31452, + "29372": msg31453, + "29373": msg31454, + "29374": msg31455, + "29375": msg31456, + "29376": msg31457, + "29377": msg31458, + "29378": msg31459, + "29379": msg31460, + "2938": msg5388, + "29380": msg31461, + "29381": msg31462, + "29382": msg31463, + "29383": msg31464, + "29384": msg31465, + "29385": msg31466, + "29386": msg31467, + "29387": msg31468, + "29388": msg31469, + "29389": msg31470, + "2939": msg5389, + "29390": msg31471, + "29391": msg31472, + "29392": msg31473, + "29393": msg31474, + "29394": msg31475, + "29395": msg31476, + "29396": msg31477, + "29397": msg31478, + "29398": msg31479, + "29399": msg31480, + "2940": msg5390, + "29400": msg31481, + "29401": msg31482, + "29402": msg31483, + "29403": msg31484, + "29404": msg31485, + "29405": msg31486, + "29406": msg31487, + "29407": msg31488, + "29408": msg31489, + "29409": msg31490, + "2941": msg5391, + "29410": msg31491, + "29411": msg31492, + "29412": msg31493, + "29413": msg31494, + "29414": msg31495, + "29415": msg31496, + "29416": msg31497, + "29417": msg31498, + "29418": msg31499, + "29419": msg31500, + "2942": msg5392, + "29420": msg31501, + "29421": msg31502, + "29422": msg31503, + "29423": msg31504, + "29424": msg31505, + "29425": msg31506, + "29426": msg31507, + "29427": msg31508, + "29428": msg31509, + "29429": msg31510, + "2943": msg5393, + "29430": msg31511, + "29431": msg31512, + "29432": msg31513, + "29433": msg31514, + "29434": msg31515, + "29435": msg31516, + "29436": msg31517, + "29437": msg31518, + "29438": msg31519, + "29439": msg31520, + "2944": msg5394, + "29440": msg31521, + "29442": msg31522, + "29443": msg31523, + "29444": msg31524, + "29445": msg31525, + "29446": msg31526, + "29447": msg31527, + "29448": msg31528, + "29449": msg31529, + "2945": msg5395, + "29450": msg31530, + "29451": msg31531, + "29452": msg31532, + "29453": msg31533, + "29454": msg31534, + "29455": msg31535, + "29456": msg31536, + "29457": msg31537, + "29458": msg31538, + "29459": msg31539, + "2946": msg5396, + "29460": msg31540, + "29461": msg31541, + "29462": msg31542, + "29463": msg31543, + "29464": msg31544, + "29465": msg31545, + "29466": msg31546, + "29467": msg31547, + "29468": msg31548, + "29469": msg31549, + "2947": msg5397, + "29470": msg31550, + "29471": msg31551, + "29472": msg31552, + "29473": msg31553, + "29474": msg31554, + "29475": msg31555, + "29476": msg31556, + "29477": msg31557, + "29478": msg31558, + "29479": msg31559, + "2948": msg5398, + "29480": msg31560, + "29481": msg31561, + "29482": msg31562, + "29483": msg31563, + "29484": msg31564, + "29485": msg31565, + "29486": msg31566, + "29487": msg31567, + "29488": msg31568, + "29489": msg31569, + "2949": msg5399, + "29490": msg31570, + "29491": msg31571, + "29492": msg31572, + "29493": msg31573, + "29494": msg31574, + "29495": msg31575, + "29496": msg31576, + "29497": msg31577, + "29498": msg31578, + "29499": msg31579, + "295": select217, + "2950": msg5400, + "29500": msg31580, + "29501": msg31581, + "29502": msg31582, + "29503": msg31583, + "29504": msg31584, + "29505": msg31585, + "29506": msg31586, + "29507": msg31587, + "29508": msg31588, + "29509": msg31589, + "2951": msg5401, + "29510": msg31590, + "29511": msg31591, + "29512": msg31592, + "29513": msg31593, + "29514": msg31594, + "29515": msg31595, + "29516": msg31596, + "29517": msg31597, + "29518": msg31598, + "29519": msg31599, + "2952": msg5402, + "29520": msg31600, + "29521": msg31601, + "29522": msg31602, + "29523": msg31603, + "29524": msg31604, + "29525": msg31605, + "29526": msg31606, + "29527": msg31607, + "29528": msg31608, + "29529": msg31609, + "2953": msg5403, + "29530": msg31610, + "29531": msg31611, + "29532": msg31612, + "29533": msg31613, + "29534": msg31614, + "29535": msg31615, + "29536": msg31616, + "29537": msg31617, + "29538": msg31618, + "29539": msg31619, + "2954": msg5404, + "29540": msg31620, + "29541": msg31621, + "29542": msg31622, + "29543": msg31623, + "29544": msg31624, + "29545": msg31625, + "29546": msg31626, + "29547": msg31627, + "29548": msg31628, + "29549": msg31629, + "2955": msg5405, + "29550": msg31630, + "29551": msg31631, + "29552": msg31632, + "29553": msg31633, + "29554": msg31634, + "29555": msg31635, + "29556": msg31636, + "29557": msg31637, + "29558": msg31638, + "29559": msg31639, + "2956": msg5406, + "29560": msg31640, + "29561": msg31641, + "29562": msg31642, + "29563": msg31643, + "29564": msg31644, + "29565": msg31645, + "29566": msg31646, + "29567": msg31647, + "29568": msg31648, + "29569": msg31649, + "2957": msg5407, + "29570": msg31650, + "29571": msg31651, + "29572": msg31652, + "29573": msg31653, + "29574": msg31654, + "29575": msg31655, + "29576": msg31656, + "29577": msg31657, + "29578": msg31658, + "29579": msg31659, + "2958": msg5408, + "29580": msg31660, + "29581": msg31661, + "29582": msg31662, + "29583": msg31663, + "29584": msg31664, + "29585": msg31665, + "29586": msg31666, + "29587": msg31667, + "29588": msg31668, + "29589": msg31669, + "2959": msg5409, + "29590": msg31670, + "29591": msg31671, + "29592": msg31672, + "29593": msg31673, + "29594": msg31674, + "29595": msg31675, + "29596": msg31676, + "29597": msg31677, + "29598": msg31678, + "29599": msg31679, + "296": select218, + "2960": msg5410, + "29600": msg31680, + "29601": msg31681, + "29602": msg31682, + "29603": msg31683, + "29604": msg31684, + "29605": msg31685, + "29606": msg31686, + "29607": msg31687, + "29608": msg31688, + "29609": msg31689, + "2961": msg5411, + "29610": msg31690, + "29611": msg31691, + "29612": msg31692, + "29613": msg31693, + "29614": msg31694, + "29615": msg31695, + "29616": msg31696, + "29617": msg31697, + "29618": msg31698, + "29619": msg31699, + "2962": msg5412, + "29620": msg31700, + "29621": msg31701, + "29622": msg31702, + "29623": msg31703, + "29624": msg31704, + "29625": msg31705, + "29626": msg31706, + "29627": msg31707, + "29628": msg31708, + "29629": msg31709, + "2963": msg5413, + "29630": msg31710, + "29631": msg31711, + "29632": msg31712, + "29633": msg31713, + "29634": msg31714, + "29635": msg31715, + "29636": msg31716, + "29637": msg31717, + "29638": msg31718, + "29639": msg31719, + "2964": msg5414, + "29640": msg31720, + "29641": msg31721, + "29642": msg31722, + "29643": msg31723, + "29644": msg31724, + "29645": msg31725, + "29646": msg31726, + "29647": msg31727, + "29648": msg31728, + "29649": msg31729, + "2965": msg5415, + "29650": msg31730, + "29651": msg31731, + "29652": msg31732, + "29653": msg31733, + "29654": msg31734, + "29655": msg31735, + "29656": msg31736, + "29657": msg31737, + "29658": msg31738, + "29659": msg31739, + "2966": msg5416, + "29660": msg31740, + "29661": msg31741, + "29662": msg31742, + "29663": msg31743, + "29664": msg31744, + "29665": msg31745, + "29666": msg31746, + "29667": msg31747, + "29668": msg31748, + "29669": msg31749, + "2967": msg5417, + "29670": msg31750, + "29671": msg31751, + "29672": msg31752, + "29673": msg31753, + "29674": msg31754, + "29675": msg31755, + "29676": msg31756, + "29677": msg31757, + "29678": msg31758, + "29679": msg31759, + "2968": msg5418, + "29680": msg31760, + "29681": msg31761, + "29682": msg31762, + "29683": msg31763, + "29684": msg31764, + "29685": msg31765, + "29686": msg31766, + "29687": msg31767, + "29688": msg31768, + "29689": msg31769, + "2969": msg5419, + "29690": msg31770, + "29691": msg31771, + "29692": msg31772, + "29693": msg31773, + "29694": msg31774, + "29695": msg31775, + "29696": msg31776, + "29697": msg31777, + "29698": msg31778, + "29699": msg31779, + "297": select219, + "2970": msg5420, + "29700": msg31780, + "29701": msg31781, + "29702": msg31782, + "29703": msg31783, + "29704": msg31784, + "29705": msg31785, + "29706": msg31786, + "29707": msg31787, + "29708": msg31788, + "29709": msg31789, + "2971": msg5421, + "29710": msg31790, + "29711": msg31791, + "29712": msg31792, + "29713": msg31793, + "29714": msg31794, + "29715": msg31795, + "29716": msg31796, + "29717": msg31797, + "29718": msg31798, + "29719": msg31799, + "2972": msg5422, + "29720": msg31800, + "29721": msg31801, + "29722": msg31802, + "29723": msg31803, + "29724": msg31804, + "29725": msg31805, + "29726": msg31806, + "29727": msg31807, + "29728": msg31808, + "29729": msg31809, + "2973": msg5423, + "29730": msg31810, + "29731": msg31811, + "29732": msg31812, + "29733": msg31813, + "29734": msg31814, + "29735": msg31815, + "29736": msg31816, + "29737": msg31817, + "29738": msg31818, + "29739": msg31819, + "2974": msg5424, + "29740": msg31820, + "29741": msg31821, + "29742": msg31822, + "29743": msg31823, + "29744": msg31824, + "29745": msg31825, + "29746": msg31826, + "29747": msg31827, + "29748": msg31828, + "29749": msg31829, + "2975": msg5425, + "29750": msg31830, + "29751": msg31831, + "29752": msg31832, + "29753": msg31833, + "29754": msg31834, + "29755": msg31835, + "29756": msg31836, + "29757": msg31837, + "29758": msg31838, + "29759": msg31839, + "2976": msg5426, + "29760": msg31840, + "29761": msg31841, + "29762": msg31842, + "29763": msg31843, + "29764": msg31844, + "29765": msg31845, + "29766": msg31846, + "29767": msg31847, + "29768": msg31848, + "29769": msg31849, + "2977": msg5427, + "29770": msg31850, + "29771": msg31851, + "29772": msg31852, + "29773": msg31853, + "29774": msg31854, + "29775": msg31855, + "29776": msg31856, + "29777": msg31857, + "29778": msg31858, + "29779": msg31859, + "2978": msg5428, + "29780": msg31860, + "29781": msg31861, + "29782": msg31862, + "29783": msg31863, + "29784": msg31864, + "29785": msg31865, + "29786": msg31866, + "29787": msg31867, + "29788": msg31868, + "29789": msg31869, + "2979": msg5429, + "29790": msg31870, + "29791": msg31871, + "29792": msg31872, + "29793": msg31873, + "29794": msg31874, + "29795": msg31875, + "29796": msg31876, + "29797": msg31877, + "29798": msg31878, + "29799": msg31879, + "298": select220, + "2980": msg5430, + "29800": msg31880, + "29801": msg31881, + "29802": msg31882, + "29803": msg31883, + "29804": msg31884, + "29805": msg31885, + "29806": msg31886, + "29807": msg31887, + "29808": msg31888, + "29809": msg31889, + "2981": msg5431, + "29810": msg31890, + "29811": msg31891, + "29812": msg31892, + "29813": msg31893, + "29814": msg31894, + "29815": msg31895, + "29816": msg31896, + "29817": msg31897, + "29818": msg31898, + "29819": msg31899, + "2982": msg5432, + "29820": msg31900, + "29821": msg31901, + "29822": msg31902, + "29823": msg31903, + "29824": msg31904, + "29825": msg31905, + "29826": msg31906, + "29827": msg31907, + "29828": msg31908, + "29829": msg31909, + "2983": msg5433, + "29830": msg31910, + "29831": msg31911, + "29832": msg31912, + "29833": msg31913, + "29834": msg31914, + "29835": msg31915, + "29836": msg31916, + "29837": msg31917, + "29838": msg31918, + "29839": msg31919, + "2984": msg5434, + "29840": msg31920, + "29841": msg31921, + "29842": msg31922, + "29843": msg31923, + "29844": msg31924, + "29845": msg31925, + "29846": msg31926, + "29847": msg31927, + "29848": msg31928, + "29849": msg31929, + "2985": msg5435, + "29850": msg31930, + "29851": msg31931, + "29852": msg31932, + "29853": msg31933, + "29854": msg31934, + "29855": msg31935, + "29856": msg31936, + "29857": msg31937, + "29858": msg31938, + "29859": msg31939, + "2986": msg5436, + "29860": msg31940, + "29861": msg31941, + "29862": msg31942, + "29863": msg31943, + "29864": msg31944, + "29865": msg31945, + "29866": msg31946, + "29867": msg31947, + "29868": msg31948, + "29869": msg31949, + "2987": msg5437, + "29870": msg31950, + "29871": msg31951, + "29872": msg31952, + "29873": msg31953, + "29874": msg31954, + "29875": msg31955, + "29876": msg31956, + "29877": msg31957, + "29878": msg31958, + "29879": msg31959, + "2988": msg5438, + "29880": msg31960, + "29881": msg31961, + "29882": msg31962, + "29883": msg31963, + "29884": msg31964, + "29885": msg31965, + "29886": msg31966, + "29887": msg31967, + "29888": msg31968, + "29889": msg31969, + "2989": msg5439, + "29890": msg31970, + "29891": msg31971, + "29892": msg31972, + "29893": msg31973, + "29894": msg31974, + "29895": msg31975, + "29896": msg31976, + "29897": msg31977, + "29898": msg31978, + "29899": msg31979, + "299": select221, + "2990": msg5440, + "29900": msg31980, + "29901": msg31981, + "29902": msg31982, + "29903": msg31983, + "29904": msg31984, + "29905": msg31985, + "29906": msg31986, + "29907": msg31987, + "29909": msg31988, + "2991": msg5441, + "29910": msg31989, + "29911": msg31990, + "29912": msg31991, + "29913": msg31992, + "29914": msg31993, + "29915": msg31994, + "29916": msg31995, + "29917": msg31996, + "29918": msg31997, + "29919": msg31998, + "2992": msg5442, + "29920": msg31999, + "29921": msg32000, + "29922": msg32001, + "29923": msg32002, + "29924": msg32003, + "29925": msg32004, + "29926": msg32005, + "29927": msg32006, + "29928": msg32007, + "29929": msg32008, + "2993": msg5443, + "29930": msg32009, + "29931": msg32010, + "29932": msg32011, + "29933": msg32012, + "29934": msg32013, + "29935": msg32014, + "29936": msg32015, + "29937": msg32016, + "29938": msg32017, + "29939": msg32018, + "2994": msg5444, + "29940": msg32019, + "29941": msg32020, + "29942": msg32021, + "29943": msg32022, + "29944": msg32023, + "29945": msg32024, + "29946": msg32025, + "29947": msg32026, + "29948": msg32027, + "29949": msg32028, + "2995": msg5445, + "29950": msg32029, + "29951": msg32030, + "29952": msg32031, + "29953": msg32032, + "29954": msg32033, + "29955": msg32034, + "29956": msg32035, + "29957": msg32036, + "29958": msg32037, + "29959": msg32038, + "2996": msg5446, + "29960": msg32039, + "29961": msg32040, + "29962": msg32041, + "29963": msg32042, + "29964": msg32043, + "29965": msg32044, + "29966": msg32045, + "29967": msg32046, + "29968": msg32047, + "29969": msg32048, + "2997": msg5447, + "29970": msg32049, + "29971": msg32050, + "29972": msg32051, + "29973": msg32052, + "29974": msg32053, + "29975": msg32054, + "29976": msg32055, + "29977": msg32056, + "29978": msg32057, + "29979": msg32058, + "2998": msg5448, + "29980": msg32059, + "29981": msg32060, + "29982": msg32061, + "29983": msg32062, + "29984": msg32063, + "29985": msg32064, + "29986": msg32065, + "29987": msg32066, + "29988": msg32067, + "29989": msg32068, + "2999": msg5449, + "29990": msg32069, + "29991": msg32070, + "29992": msg32071, + "29993": msg32072, + "29994": msg32073, + "29995": msg32074, + "29996": msg32075, + "29997": msg32076, + "29998": msg32077, + "29999": msg32078, + "3": select9, + "3-10126": msg23, + "3-10127": msg10, + "3-10161": msg11, + "3-10480": msg12, + "3-10481": msg13, + "3-11619": msg14, + "3-11672": msg15, + "3-12028": msg16, + "3-12636": msg17, + "3-12692": msg18, + "3-7019": msg19, + "3-7196": msg20, + "3-8092": msg21, + "3-8351": msg22, + "30": msg64, + "300": select222, + "3000": msg5450, + "30000": msg32079, + "3000005": msg38425, + "30001": msg32080, + "30002": msg32081, + "30003": msg32082, + "30004": msg32083, + "30005": msg32084, + "30006": msg32085, + "30007": msg32086, + "30008": msg32087, + "30009": msg32088, + "3001": msg5451, + "30010": msg32089, + "30011": msg32090, + "30012": msg32091, + "30013": msg32092, + "30014": msg32093, + "30015": msg32094, + "30016": msg32095, + "30017": msg32096, + "30018": msg32097, + "30019": msg32098, + "3002": msg5452, + "30020": msg32099, + "30021": msg32100, + "30022": msg32101, + "30023": msg32102, + "30024": msg32103, + "30025": msg32104, + "30026": msg32105, + "30027": msg32106, + "30028": msg32107, + "30029": msg32108, + "3003": msg5453, + "30030": msg32109, + "30031": msg32110, + "30032": msg32111, + "30033": msg32112, + "30034": msg32113, + "30035": msg32114, + "30036": msg32115, + "30037": msg32116, + "30038": msg32117, + "30039": msg32118, + "3004": msg5454, + "30040": msg32119, + "30041": msg32120, + "30042": msg32121, + "30043": msg32122, + "30044": msg32123, + "30045": msg32124, + "30046": msg32125, + "30047": msg32126, + "30048": msg32127, + "30049": msg32128, + "3005": msg5455, + "30050": msg32129, + "30051": msg32130, + "30052": msg32131, + "30053": msg32132, + "30054": msg32133, + "30055": msg32134, + "30056": msg32135, + "30057": msg32136, + "30058": msg32137, + "30059": msg32138, + "3006": msg5456, + "30060": msg32139, + "30061": msg32140, + "30062": msg32141, + "30063": msg32142, + "30064": msg32143, + "30065": msg32144, + "30066": msg32145, + "30067": msg32146, + "30068": msg32147, + "30069": msg32148, + "3007": msg5457, + "30070": msg32149, + "30071": msg32150, + "30072": msg32151, + "30073": msg32152, + "30074": msg32153, + "30075": msg32154, + "30076": msg32155, + "30077": msg32156, + "30078": msg32157, + "30079": msg32158, + "3008": msg5458, + "30080": msg32159, + "30081": msg32160, + "30082": msg32161, + "30083": msg32162, + "30084": msg32163, + "30085": msg32164, + "30086": msg32165, + "30087": msg32166, + "30088": msg32167, + "30089": msg32168, + "3009": msg5459, + "30090": msg32169, + "30091": msg32170, + "30092": msg32171, + "30093": msg32172, + "30094": msg32173, + "30095": msg32174, + "30096": msg32175, + "30097": msg32176, + "30098": msg32177, + "30099": msg32178, + "301": select223, + "3010": msg5460, + "30100": msg32179, + "30101": msg32180, + "30102": msg32181, + "30103": msg32182, + "30104": msg32183, + "30105": msg32184, + "30106": msg32185, + "30107": msg32186, + "30108": msg32187, + "30109": msg32188, + "3011": msg5461, + "30110": msg32189, + "30111": msg32190, + "30112": msg32191, + "30113": msg32192, + "30114": msg32193, + "30115": msg32194, + "30116": msg32195, + "30117": msg32196, + "30118": msg32197, + "30119": msg32198, + "3012": msg5462, + "30120": msg32199, + "30121": msg32200, + "30122": msg32201, + "30123": msg32202, + "30124": msg32203, + "30125": msg32204, + "30126": msg32205, + "30127": msg32206, + "30128": msg32207, + "30129": msg32208, + "3013": msg5463, + "30130": msg32209, + "30131": msg32210, + "30132": msg32211, + "30133": msg32212, + "30134": msg32213, + "30135": msg32214, + "30136": msg32215, + "30137": msg32216, + "30138": msg32217, + "30139": msg32218, + "3014": msg5464, + "30140": msg32219, + "30141": msg32220, + "30142": msg32221, + "30143": msg32222, + "30144": msg32223, + "30145": msg32224, + "30146": msg32225, + "30147": msg32226, + "30148": msg32227, + "30149": msg32228, + "3015": msg5465, + "30150": msg32229, + "30151": msg32230, + "30152": msg32231, + "30153": msg32232, + "30154": msg32233, + "30155": msg32234, + "30156": msg32235, + "30157": msg32236, + "30158": msg32237, + "30159": msg32238, + "3016": msg5466, + "30160": msg32239, + "30161": msg32240, + "30162": msg32241, + "30163": msg32242, + "30164": msg32243, + "30165": msg32244, + "30166": msg32245, + "30167": msg32246, + "30168": msg32247, + "30169": msg32248, + "3017": msg5467, + "30170": msg32249, + "30171": msg32250, + "30172": msg32251, + "30173": msg32252, + "30174": msg32253, + "30175": msg32254, + "30176": msg32255, + "30177": msg32256, + "30178": msg32257, + "30179": msg32258, + "3018": msg5468, + "30180": msg32259, + "30181": msg32260, + "30182": msg32261, + "30183": msg32262, + "30184": msg32263, + "30185": msg32264, + "30186": msg32265, + "30187": msg32266, + "30188": msg32267, + "30189": msg32268, + "3019": msg5469, + "30190": msg32269, + "30191": msg32270, + "30192": msg32271, + "30193": msg32272, + "30194": msg32273, + "30195": msg32274, + "30196": msg32275, + "30197": msg32276, + "30198": msg32277, + "30199": msg32278, + "302": select224, + "3020": msg5470, + "30200": msg32279, + "30201": msg32280, + "30202": msg32281, + "30203": msg32282, + "30204": msg32283, + "30205": msg32284, + "30206": msg32285, + "30207": msg32286, + "30208": msg32287, + "30209": msg32288, + "3021": msg5471, + "30210": msg32289, + "30211": msg32290, + "30212": msg32291, + "30213": msg32292, + "30214": msg32293, + "30215": msg32294, + "30216": msg32295, + "30217": msg32296, + "30218": msg32297, + "30219": msg32298, + "3022": msg5472, + "30220": msg32299, + "30221": msg32300, + "30222": msg32301, + "30223": msg32302, + "30224": msg32303, + "30225": msg32304, + "30226": msg32305, + "30227": msg32306, + "30228": msg32307, + "30229": msg32308, + "3023": msg5473, + "30230": msg32309, + "30231": msg32310, + "30232": msg32311, + "30233": msg32312, + "30234": msg32313, + "30235": msg32314, + "30236": msg32315, + "30237": msg32316, + "30238": msg32317, + "30239": msg32318, + "3024": msg5474, + "30240": msg32319, + "30241": msg32320, + "30242": msg32321, + "30243": msg32322, + "30244": msg32323, + "30245": msg32324, + "30246": msg32325, + "30247": msg32326, + "30248": msg32327, + "30249": msg32328, + "3025": msg5475, + "30250": msg32329, + "30251": msg32330, + "30252": msg32331, + "30253": msg32332, + "30254": msg32333, + "30255": msg32334, + "30256": msg32335, + "30257": msg32336, + "30258": msg32337, + "30259": msg32338, + "3026": msg5476, + "30260": msg32339, + "30261": msg32340, + "30262": msg32341, + "30263": msg32342, + "30264": msg32343, + "30265": msg32344, + "30266": msg32345, + "30267": msg32346, + "30268": msg32347, + "30269": msg32348, + "3027": msg5477, + "30270": msg32349, + "30271": msg32350, + "30272": msg32351, + "30273": msg32352, + "30274": msg32353, + "30275": msg32354, + "30276": msg32355, + "30277": msg32356, + "30278": msg32357, + "30279": msg32358, + "3028": msg5478, + "30280": msg32359, + "30281": msg32360, + "30282": msg32361, + "30283": msg32362, + "30284": msg32363, + "30285": msg32364, + "30286": msg32365, + "30287": msg32366, + "30288": msg32367, + "30289": msg32368, + "3029": msg5479, + "30290": msg32369, + "30291": msg32370, + "30292": msg32371, + "30293": msg32372, + "30294": msg32373, + "30295": msg32374, + "30296": msg32375, + "30297": msg32376, + "30298": msg32377, + "30299": msg32378, + "303": select225, + "3030": msg5480, + "30300": msg32379, + "30301": msg32380, + "30302": msg32381, + "30303": msg32382, + "30304": msg32383, + "30305": msg32384, + "30306": msg32385, + "30307": msg32386, + "30308": msg32387, + "30309": msg32388, + "3031": msg5481, + "30310": msg32389, + "30311": msg32390, + "30312": msg32391, + "30313": msg32392, + "30314": msg32393, + "30315": msg32394, + "30316": msg32395, + "30317": msg32396, + "30318": msg32397, + "30319": msg32398, + "3032": msg5482, + "30320": msg32399, + "30321": msg32400, + "30322": msg32401, + "30323": msg32402, + "30324": msg32403, + "30325": msg32404, + "30326": msg32405, + "30327": msg32406, + "30328": msg32407, + "30329": msg32408, + "3033": msg5483, + "30330": msg32409, + "30331": msg32410, + "30332": msg32411, + "30333": msg32412, + "30334": msg32413, + "30335": msg32414, + "30336": msg32415, + "30337": msg32416, + "30338": msg32417, + "30339": msg32418, + "3034": msg5484, + "30340": msg32419, + "30341": msg32420, + "30342": msg32421, + "30343": msg32422, + "30344": msg32423, + "30345": msg32424, + "30347": msg32425, + "30348": msg32426, + "30349": msg32427, + "3035": msg5485, + "30350": msg32428, + "30351": msg32429, + "30352": msg32430, + "30353": msg32431, + "30354": msg32432, + "30355": msg32433, + "30356": msg32434, + "30357": msg32435, + "30358": msg32436, + "30359": msg32437, + "3036": msg5486, + "30360": msg32438, + "30361": msg32439, + "30362": msg32440, + "30363": msg32441, + "30364": msg32442, + "30365": msg32443, + "30366": msg32444, + "30367": msg32445, + "30368": msg32446, + "30369": msg32447, + "3037": msg5487, + "30370": msg32448, + "30371": msg32449, + "30372": msg32450, + "30373": msg32451, + "30374": msg32452, + "30375": msg32453, + "30376": msg32454, + "30377": msg32455, + "30378": msg32456, + "30379": msg32457, + "3038": msg5488, + "30380": msg32458, + "30381": msg32459, + "30382": msg32460, + "30383": msg32461, + "30384": msg32462, + "30385": msg32463, + "30386": msg32464, + "30387": msg32465, + "30388": msg32466, + "30389": msg32467, + "3039": msg5489, + "30390": msg32468, + "30391": msg32469, + "30392": msg32470, + "30393": msg32471, + "30394": msg32472, + "30395": msg32473, + "30396": msg32474, + "30397": msg32475, + "30398": msg32476, + "30399": msg32477, + "304": select226, + "3040": msg5490, + "30400": msg32478, + "30401": msg32479, + "30402": msg32480, + "30403": msg32481, + "30404": msg32482, + "30405": msg32483, + "30406": msg32484, + "30407": msg32485, + "30408": msg32486, + "30409": msg32487, + "3041": msg5491, + "30410": msg32488, + "30411": msg32489, + "30412": msg32490, + "30413": msg32491, + "30414": msg32492, + "30415": msg32493, + "30416": msg32494, + "30417": msg32495, + "30418": msg32496, + "30419": msg32497, + "3042": msg5492, + "30420": msg32498, + "30421": msg32499, + "30422": msg32500, + "30423": msg32501, + "30424": msg32502, + "30425": msg32503, + "30426": msg32504, + "30427": msg32505, + "30428": msg32506, + "30429": msg32507, + "3043": msg5493, + "30430": msg32508, + "30431": msg32509, + "30432": msg32510, + "30433": msg32511, + "30434": msg32512, + "30435": msg32513, + "30436": msg32514, + "30437": msg32515, + "30438": msg32516, + "30439": msg32517, + "3044": msg5494, + "30440": msg32518, + "30441": msg32519, + "30442": msg32520, + "30443": msg32521, + "30444": msg32522, + "30445": msg32523, + "30446": msg32524, + "30447": msg32525, + "30448": msg32526, + "30449": msg32527, + "3045": msg5495, + "30450": msg32528, + "30451": msg32529, + "30452": msg32530, + "30453": msg32531, + "30454": msg32532, + "30455": msg32533, + "30456": msg32534, + "30457": msg32535, + "30458": msg32536, + "30459": msg32537, + "3046": msg5496, + "30460": msg32538, + "30461": msg32539, + "30462": msg32540, + "30463": msg32541, + "30464": msg32542, + "30465": msg32543, + "30466": msg32544, + "30467": msg32545, + "30468": msg32546, + "30469": msg32547, + "3047": msg5497, + "30470": msg32548, + "30471": msg32549, + "30472": msg32550, + "30473": msg32551, + "30474": msg32552, + "30475": msg32553, + "30476": msg32554, + "30477": msg32555, + "30478": msg32556, + "30479": msg32557, + "3048": msg5498, + "30480": msg32558, + "30481": msg32559, + "30482": msg32560, + "30483": msg32561, + "30484": msg32562, + "30485": msg32563, + "30486": msg32564, + "30487": msg32565, + "30488": msg32566, + "30489": msg32567, + "3049": msg5499, + "30490": msg32568, + "30491": msg32569, + "30492": msg32570, + "30493": msg32571, + "30494": msg32572, + "30495": msg32573, + "30496": msg32574, + "30497": msg32575, + "30498": msg32576, + "30499": msg32577, + "305": select227, + "3050": msg5500, + "30500": msg32578, + "30501": msg32579, + "30502": msg32580, + "30503": msg32581, + "30504": msg32582, + "30505": msg32583, + "30506": msg32584, + "30507": msg32585, + "30508": msg32586, + "30509": msg32587, + "3051": msg5501, + "30510": msg32588, + "30511": msg32589, + "30512": msg32590, + "30513": msg32591, + "30514": msg32592, + "30515": msg32593, + "30516": msg32594, + "30517": msg32595, + "30518": msg32596, + "30519": msg32597, + "3052": msg5502, + "30520": msg32598, + "30521": msg32599, + "30522": msg32600, + "30523": msg32601, + "30524": msg32602, + "30525": msg32603, + "30526": msg32604, + "30527": msg32605, + "30528": msg32606, + "30529": msg32607, + "3053": msg5503, + "30530": msg32608, + "30531": msg32609, + "30532": msg32610, + "30533": msg32611, + "30534": msg32612, + "30535": msg32613, + "30536": msg32614, + "30537": msg32615, + "30538": msg32616, + "30539": msg32617, + "3054": msg5504, + "30540": msg32618, + "30541": msg32619, + "30542": msg32620, + "30543": msg32621, + "30544": msg32622, + "30545": msg32623, + "30546": msg32624, + "30547": msg32625, + "30548": msg32626, + "30549": msg32627, + "3055": msg5505, + "30550": msg32628, + "30551": msg32629, + "30552": msg32630, + "30553": msg32631, + "30554": msg32632, + "30555": msg32633, + "30556": msg32634, + "3056": msg5506, + "30562": msg32635, + "30566": msg32636, + "3057": msg5507, + "30570": msg32637, + "3058": msg5508, + "3059": msg5509, + "306": select228, + "3060": msg5510, + "3061": msg5511, + "3062": msg5512, + "3063": msg5513, + "3064": msg5514, + "3065": msg5515, + "3066": msg5516, + "3067": msg5517, + "3068": msg5518, + "3069": msg5519, + "307": select229, + "3070": msg5520, + "3071": msg5521, + "30711": msg32638, + "30712": msg32639, + "30713": msg32640, + "30714": msg32641, + "30715": msg32642, + "30716": msg32643, + "30717": msg32644, + "30718": msg32645, + "30719": msg32646, + "3072": msg5522, + "30720": msg32647, + "30721": msg32648, + "30722": msg32649, + "30723": msg32650, + "30724": msg32651, + "30725": msg32652, + "30726": msg32653, + "30727": msg32654, + "30728": msg32655, + "30729": msg32656, + "3073": msg5523, + "30730": msg32657, + "30731": msg32658, + "30732": msg32659, + "30733": msg32660, + "30734": msg32661, + "30735": msg32662, + "30736": msg32663, + "30737": msg32664, + "30738": msg32665, + "30739": msg32666, + "3074": msg5524, + "30740": msg32667, + "30741": msg32668, + "30742": msg32669, + "30743": msg32670, + "30744": msg32671, + "30745": msg32672, + "30746": msg32673, + "30747": msg32674, + "30748": msg32675, + "30749": msg32676, + "3075": msg5525, + "30750": msg32677, + "30751": msg32678, + "30752": msg32679, + "30753": msg32680, + "30754": msg32681, + "30755": msg32682, + "30756": msg32683, + "30757": msg32684, + "30758": msg32685, + "30759": msg32686, + "3076": msg5526, + "30760": msg32687, + "30761": msg32688, + "30762": msg32689, + "30763": msg32690, + "30764": msg32691, + "30765": msg32692, + "30766": msg32693, + "30767": msg32694, + "30768": msg32695, + "3077": msg5527, + "30777": msg32696, + "30778": msg32697, + "30779": msg32698, + "3078": msg5528, + "30780": msg32699, + "30781": msg32700, + "30782": msg32701, + "30783": msg32702, + "30784": msg32703, + "30785": msg32704, + "30786": msg32705, + "30787": msg32706, + "30788": msg32707, + "30789": msg32708, + "3079": msg5529, + "30790": msg32709, + "30791": msg32710, + "30792": msg32711, + "30793": msg32712, + "30794": msg32713, + "30795": msg32714, + "30796": msg32715, + "30797": msg32716, + "30798": msg32717, + "30799": msg32718, + "308": select230, + "3080": msg5530, + "30800": msg32719, + "30801": msg32720, + "30802": msg32721, + "30803": msg32722, + "30804": msg32723, + "30805": msg32724, + "30806": msg32725, + "30807": msg32726, + "30808": msg32727, + "30809": msg32728, + "3081": msg5531, + "30810": msg32729, + "30811": msg32730, + "30812": msg32731, + "30813": msg32732, + "30814": msg32733, + "30815": msg32734, + "30816": msg32735, + "30817": msg32736, + "30818": msg32737, + "30819": msg32738, + "3082": msg5532, + "30820": msg32739, + "30821": msg32740, + "30822": msg32741, + "30823": msg32742, + "30824": msg32743, + "30825": msg32744, + "30826": msg32745, + "30827": msg32746, + "30828": msg32747, + "30829": msg32748, + "3083": msg5533, + "30830": msg32749, + "30831": msg32750, + "30832": msg32751, + "30833": msg32752, + "30834": msg32753, + "30835": msg32754, + "30836": msg32755, + "30837": msg32756, + "30838": msg32757, + "30839": msg32758, + "3084": msg5534, + "30840": msg32759, + "30841": msg32760, + "30842": msg32761, + "30843": msg32762, + "30844": msg32763, + "30845": msg32764, + "30846": msg32765, + "30847": msg32766, + "30848": msg32767, + "30849": msg32768, + "3085": msg5535, + "30850": msg32769, + "30851": msg32770, + "30852": msg32771, + "30853": msg32772, + "30854": msg32773, + "30855": msg32774, + "30856": msg32775, + "30857": msg32776, + "30858": msg32777, + "30859": msg32778, + "3086": msg5536, + "30860": msg32779, + "30861": msg32780, + "30862": msg32781, + "30863": msg32782, + "30864": msg32783, + "30865": msg32784, + "30866": msg32785, + "30867": msg32786, + "30868": msg32787, + "30869": msg32788, + "3087": msg5537, + "30870": msg32789, + "30871": msg32790, + "30872": msg32791, + "30873": msg32792, + "30874": msg32793, + "30875": msg32794, + "30876": msg32795, + "30877": msg32796, + "30878": msg32797, + "30879": msg32798, + "3088": msg5538, + "30880": msg32799, + "30881": msg32800, + "30882": msg32801, + "30883": msg32802, + "30884": msg32803, + "30885": msg32804, + "30886": msg32805, + "30887": msg32806, + "30888": msg32807, + "30889": msg32808, + "3089": msg5539, + "30890": msg32809, + "30891": msg32810, + "30892": msg32811, + "30893": msg32812, + "30894": msg32813, + "30895": msg32814, + "30896": msg32815, + "30897": msg32816, + "30898": msg32817, + "30899": msg32818, + "309": select231, + "3090": msg5540, + "30900": msg32819, + "30901": msg32820, + "30902": msg32821, + "30903": msg32822, + "30904": msg32823, + "30905": msg32824, + "30906": msg32825, + "30907": msg32826, + "30908": msg32827, + "30909": msg32828, + "3091": msg5541, + "30910": msg32829, + "30911": msg32830, + "30912": msg32831, + "30913": msg32832, + "30914": msg32833, + "30915": msg32834, + "30916": msg32835, + "30917": msg32836, + "30918": msg32837, + "30919": msg32838, + "3092": msg5542, + "30920": msg32839, + "30921": msg32840, + "30922": msg32841, + "30923": msg32842, + "30924": msg32843, + "30925": msg32844, + "30926": msg32845, + "30927": msg32846, + "30928": msg32847, + "30929": msg32848, + "3093": msg5543, + "30930": msg32849, + "30931": msg32850, + "30932": msg32851, + "30933": msg32852, + "30934": msg32853, + "30935": msg32854, + "30936": msg32855, + "30937": msg32856, + "30938": msg32857, + "30939": msg32858, + "3094": msg5544, + "30940": msg32859, + "30941": msg32860, + "30942": msg32861, + "30943": msg32862, + "30944": msg32863, + "30945": msg32864, + "30946": msg32865, + "30947": msg32866, + "30948": msg32867, + "30949": msg32868, + "3095": msg5545, + "30950": msg32869, + "30951": msg32870, + "30952": msg32871, + "30953": msg32872, + "30954": msg32873, + "30955": msg32874, + "30956": msg32875, + "30957": msg32876, + "30958": msg32877, + "30959": msg32878, + "3096": msg5546, + "30960": msg32879, + "30961": msg32880, + "30962": msg32881, + "30963": msg32882, + "30964": msg32883, + "30965": msg32884, + "30966": msg32885, + "30967": msg32886, + "30968": msg32887, + "30969": msg32888, + "3097": msg5547, + "30970": msg32889, + "30971": msg32890, + "30972": msg32891, + "30973": msg32892, + "30974": msg32893, + "30975": msg32894, + "30976": msg32895, + "30977": msg32896, + "30978": msg32897, + "30979": msg32898, + "3098": msg5548, + "30980": msg32899, + "30981": msg32900, + "30982": msg32901, + "30983": msg32902, + "30984": msg32903, + "30985": msg32904, + "30986": msg32905, + "30987": msg32906, + "30988": msg32907, + "30989": msg32908, + "3099": msg5549, + "30990": msg32909, + "30991": msg32910, + "30992": msg32911, + "30993": msg32912, + "30994": msg32913, + "30995": msg32914, + "30996": msg32915, + "30997": msg32916, + "30998": msg32917, + "30999": msg32918, + "310": select232, + "3100": msg5550, + "31000": msg32919, + "31001": msg32920, + "31002": msg32921, + "31003": msg32922, + "31004": msg32923, + "31005": msg32924, + "31006": msg32925, + "31007": msg32926, + "31008": msg32927, + "31009": msg32928, + "3101": msg5551, + "31010": msg32929, + "31011": msg32930, + "31012": msg32931, + "31013": msg32932, + "31014": msg32933, + "31015": msg32934, + "31016": msg32935, + "31017": msg32936, + "31018": msg32937, + "31019": msg32938, + "3102": msg5552, + "31020": msg32939, + "31021": msg32940, + "31022": msg32941, + "31023": msg32942, + "31024": msg32943, + "31025": msg32944, + "31026": msg32945, + "31027": msg32946, + "31028": msg32947, + "31029": msg32948, + "3103": msg5553, + "31030": msg32949, + "31031": msg32950, + "31032": msg32951, + "31033": msg32952, + "31034": msg32953, + "31035": msg32954, + "31036": msg32955, + "31037": msg32956, + "31038": msg32957, + "31039": msg32958, + "3104": msg5554, + "31040": msg32959, + "31041": msg32960, + "31042": msg32961, + "31043": msg32962, + "31044": msg32963, + "31045": msg32964, + "31046": msg32965, + "31048": msg32966, + "31049": msg32967, + "3105": msg5555, + "31050": msg32968, + "31051": msg32969, + "31052": msg32970, + "31053": msg32971, + "31054": msg32972, + "31055": msg32973, + "31056": msg32974, + "31057": msg32975, + "31058": msg32976, + "31059": msg32977, + "3106": msg5556, + "31060": msg32978, + "31061": msg32979, + "31062": msg32980, + "31063": msg32981, + "31064": msg32982, + "31065": msg32983, + "31066": msg32984, + "31067": msg32985, + "31068": msg32986, + "31069": msg32987, + "3107": msg5557, + "31070": msg32988, + "31071": msg32989, + "31072": msg32990, + "31073": msg32991, + "31074": msg32992, + "31075": msg32993, + "31076": msg32994, + "31077": msg32995, + "31078": msg32996, + "31079": msg32997, + "3108": msg5558, + "31080": msg32998, + "31081": msg32999, + "31082": msg33000, + "31083": msg33001, + "31084": msg33002, + "31085": msg33003, + "31086": msg33004, + "31087": msg33005, + "31088": msg33006, + "31089": msg33007, + "3109": msg5559, + "31090": msg33008, + "31091": msg33009, + "31092": msg33010, + "31093": msg33011, + "31094": msg33012, + "31095": msg33013, + "31096": msg33014, + "31097": msg33015, + "31098": msg33016, + "31099": msg33017, + "311": select233, + "3110": msg5560, + "31100": msg33018, + "31101": msg33019, + "31102": msg33020, + "31103": msg33021, + "31104": msg33022, + "31105": msg33023, + "31106": msg33024, + "31107": msg33025, + "31108": msg33026, + "31109": msg33027, + "3111": msg5561, + "31110": msg33028, + "31111": msg33029, + "31112": msg33030, + "31113": msg33031, + "31114": msg33032, + "31115": msg33033, + "31116": msg33034, + "31117": msg33035, + "31118": msg33036, + "31119": msg33037, + "3112": msg5562, + "31120": msg33038, + "31121": msg33039, + "31122": msg33040, + "31123": msg33041, + "31124": msg33042, + "31125": msg33043, + "31126": msg33044, + "31127": msg33045, + "31128": msg33046, + "31129": msg33047, + "3113": msg5563, + "31130": msg33048, + "31131": msg33049, + "31132": msg33050, + "31133": msg33051, + "31134": msg33052, + "31135": msg33053, + "31136": msg33054, + "31137": msg33055, + "31138": msg33056, + "31139": msg33057, + "3114": msg5564, + "31140": msg33058, + "31141": msg33059, + "31142": msg33060, + "31143": msg33061, + "31144": msg33062, + "31145": msg33063, + "31146": msg33064, + "3115": msg5565, + "3116": msg5566, + "31167": msg33065, + "3117": msg5567, + "31176": msg33066, + "31177": msg33067, + "31178": msg33068, + "31179": msg33069, + "3118": msg5568, + "31180": msg33070, + "31181": msg33071, + "31182": msg33072, + "31183": msg33073, + "31184": msg33074, + "31185": msg33075, + "31186": msg33076, + "31187": msg33077, + "31188": msg33078, + "31189": msg33079, + "3119": msg5569, + "31190": msg33080, + "31191": msg33081, + "31192": msg33082, + "31193": msg33083, + "31194": msg33084, + "31195": msg33085, + "31196": msg33086, + "31197": msg33087, + "31198": msg33088, + "31199": msg33089, + "312": select234, + "3120": msg5570, + "31200": msg33090, + "31201": msg33091, + "31202": msg33092, + "31203": msg33093, + "31204": msg33094, + "31205": msg33095, + "31206": msg33096, + "31207": msg33097, + "31208": msg33098, + "31209": msg33099, + "3121": msg5571, + "31210": msg33100, + "31211": msg33101, + "31212": msg33102, + "31213": msg33103, + "31214": msg33104, + "31215": msg33105, + "31216": msg33106, + "31217": msg33107, + "31218": msg33108, + "31219": msg33109, + "3122": msg5572, + "31220": msg33110, + "31221": msg33111, + "31222": msg33112, + "31223": msg33113, + "31224": msg33114, + "31225": msg33115, + "31226": msg33116, + "31227": msg33117, + "31228": msg33118, + "31229": msg33119, + "3123": msg5573, + "31230": msg33120, + "31231": msg33121, + "31232": msg33122, + "31233": msg33123, + "31234": msg33124, + "31235": msg33125, + "31236": msg33126, + "31237": msg33127, + "31238": msg33128, + "31239": msg33129, + "3124": msg5574, + "31240": msg33130, + "31241": msg33131, + "31242": msg33132, + "31243": msg33133, + "31244": msg33134, + "31245": msg33135, + "31246": msg33136, + "31247": msg33137, + "31248": msg33138, + "31249": msg33139, + "3125": msg5575, + "31250": msg33140, + "31251": msg33141, + "31252": msg33142, + "31253": msg33143, + "31254": msg33144, + "31255": msg33145, + "31256": msg33146, + "31257": msg33147, + "31258": msg33148, + "31259": msg33149, + "3126": msg5576, + "31260": msg33150, + "31261": msg33151, + "31262": msg33152, + "31263": msg33153, + "31264": msg33154, + "31265": msg33155, + "31266": msg33156, + "31267": msg33157, + "31268": msg33158, + "31269": msg33159, + "3127": msg5577, + "31270": msg33160, + "31271": msg33161, + "31272": msg33162, + "31273": msg33163, + "31274": msg33164, + "31275": msg33165, + "31276": msg33166, + "31277": msg33167, + "31278": msg33168, + "31279": msg33169, + "3128": msg5578, + "31280": msg33170, + "31281": msg33171, + "31282": msg33172, + "31283": msg33173, + "31284": msg33174, + "31285": msg33175, + "31286": msg33176, + "31287": msg33177, + "31288": msg33178, + "31289": msg33179, + "3129": msg5579, + "31290": msg33180, + "31291": msg33181, + "31292": msg33182, + "31293": msg33183, + "31294": msg33184, + "31295": msg33185, + "31296": msg33186, + "31297": msg33187, + "31298": msg33188, + "31299": msg33189, + "313": select235, + "3130": msg5580, + "31300": msg33190, + "31301": msg33191, + "31302": msg33192, + "31303": msg33193, + "31304": msg33194, + "31305": msg33195, + "31306": msg33196, + "31307": msg33197, + "31308": msg33198, + "31309": msg33199, + "3131": msg5581, + "31310": msg33200, + "31311": msg33201, + "31312": msg33202, + "31313": msg33203, + "31314": msg33204, + "31315": msg33205, + "31316": msg33206, + "31317": msg33207, + "31318": msg33208, + "31319": msg33209, + "3132": msg5582, + "31320": msg33210, + "31321": msg33211, + "31322": msg33212, + "31323": msg33213, + "31324": msg33214, + "31325": msg33215, + "31326": msg33216, + "31327": msg33217, + "31328": msg33218, + "31329": msg33219, + "3133": msg5583, + "31330": msg33220, + "31331": msg33221, + "31332": msg33222, + "31333": msg33223, + "31334": msg33224, + "31335": msg33225, + "31336": msg33226, + "31337": msg33227, + "31338": msg33228, + "31339": msg33229, + "3134": msg5584, + "31340": msg33230, + "31341": msg33231, + "31342": msg33232, + "31343": msg33233, + "31344": msg33234, + "31345": msg33235, + "31346": msg33236, + "31347": msg33237, + "31348": msg33238, + "31349": msg33239, + "3135": msg5585, + "31350": msg33240, + "31351": msg33241, + "31352": msg33242, + "31353": msg33243, + "31354": msg33244, + "31355": msg33245, + "31356": msg33246, + "31357": msg33247, + "31358": msg33248, + "31359": msg33249, + "3136": msg5586, + "31360": msg33250, + "31361": msg33251, + "31362": msg33252, + "31363": msg33253, + "31364": msg33254, + "31365": msg33255, + "31366": msg33256, + "31367": msg33257, + "31368": msg33258, + "31369": msg33259, + "3137": msg5587, + "31370": msg33260, + "31371": msg33261, + "31372": msg33262, + "31373": msg33263, + "31374": msg33264, + "31375": msg33265, + "31376": msg33266, + "31377": msg33267, + "31378": msg33268, + "31379": msg33269, + "3138": msg5588, + "31380": msg33270, + "31381": msg33271, + "31382": msg33272, + "31383": msg33273, + "31384": msg33274, + "31385": msg33275, + "31386": msg33276, + "31387": msg33277, + "31388": msg33278, + "31389": msg33279, + "3139": msg5589, + "31390": msg33280, + "31391": msg33281, + "31392": msg33282, + "31393": msg33283, + "31394": msg33284, + "31395": msg33285, + "31396": msg33286, + "31397": msg33287, + "31398": msg33288, + "31399": msg33289, + "314": select236, + "3140": msg5590, + "31400": msg33290, + "31401": msg33291, + "31402": msg33292, + "31403": msg33293, + "31404": msg33294, + "31405": msg33295, + "31406": msg33296, + "31407": msg33297, + "31408": msg33298, + "31409": msg33299, + "3141": msg5591, + "31410": msg33300, + "31411": msg33301, + "31412": msg33302, + "31413": msg33303, + "31414": msg33304, + "31415": msg33305, + "31416": msg33306, + "31417": msg33307, + "31418": msg33308, + "31419": msg33309, + "3142": msg5592, + "31420": msg33310, + "31421": msg33311, + "31422": msg33312, + "31423": msg33313, + "31424": msg33314, + "31425": msg33315, + "31426": msg33316, + "31427": msg33317, + "31428": msg33318, + "31429": msg33319, + "3143": msg5593, + "31433": msg33320, + "31434": msg33321, + "31435": msg33322, + "31436": msg33323, + "31437": msg33324, + "31438": msg33325, + "31439": msg33326, + "3144": msg5594, + "31440": msg33327, + "31441": msg33328, + "31442": msg33329, + "31443": msg33330, + "31444": msg33331, + "31445": msg33332, + "31446": msg33333, + "31447": msg33334, + "31448": msg33335, + "31449": msg33336, + "3145": msg5595, + "31450": msg33337, + "31451": msg33338, + "31452": msg33339, + "31453": msg33340, + "31454": msg33341, + "31455": msg33342, + "31456": msg33343, + "31457": msg33344, + "31458": msg33345, + "31459": msg33346, + "3146": msg5596, + "31460": msg33347, + "31461": msg33348, + "31462": msg33349, + "31463": msg33350, + "31464": msg33351, + "31465": msg33352, + "31466": msg33353, + "31467": msg33354, + "31468": msg33355, + "31469": msg33356, + "3147": msg5597, + "31470": msg33357, + "31471": msg33358, + "31472": msg33359, + "31473": msg33360, + "31474": msg33361, + "31475": msg33362, + "31476": msg33363, + "31477": msg33364, + "31478": msg33365, + "31479": msg33366, + "3148": msg5598, + "31480": msg33367, + "31481": msg33368, + "31482": msg33369, + "31483": msg33370, + "31484": msg33371, + "31485": msg33372, + "31486": msg33373, + "31487": msg33374, + "31488": msg33375, + "31489": msg33376, + "3149": msg5599, + "31490": msg33377, + "31491": msg33378, + "31492": msg33379, + "31493": msg33380, + "31494": msg33381, + "31495": msg33382, + "31496": msg33383, + "31497": msg33384, + "31498": msg33385, + "31499": msg33386, + "315": select237, + "3150": msg5600, + "31500": msg33387, + "31501": msg33388, + "31502": msg33389, + "31503": msg33390, + "31504": msg33391, + "31505": msg33392, + "31506": msg33393, + "31507": msg33394, + "31508": msg33395, + "31509": msg33396, + "3151": msg5601, + "31510": msg33397, + "31511": msg33398, + "31512": msg33399, + "31513": msg33400, + "31514": msg33401, + "31515": msg33402, + "31516": msg33403, + "31517": msg33404, + "31518": msg33405, + "31519": msg33406, + "3152": msg5602, + "31520": msg33407, + "31521": msg33408, + "31522": msg33409, + "31523": msg33410, + "31524": msg33411, + "31525": msg33412, + "31526": msg33413, + "31527": msg33414, + "31528": msg33415, + "31529": msg33416, + "3153": msg5603, + "31530": msg33417, + "31531": msg33418, + "31532": msg33419, + "31533": msg33420, + "31534": msg33421, + "31535": msg33422, + "31536": msg33423, + "31537": msg33424, + "31538": msg33425, + "31539": msg33426, + "3154": msg5604, + "31540": msg33427, + "31541": msg33428, + "31542": msg33429, + "31543": msg33430, + "31544": msg33431, + "31545": msg33432, + "31546": msg33433, + "31547": msg33434, + "31548": msg33435, + "31549": msg33436, + "3155": msg5605, + "31550": msg33437, + "31551": msg33438, + "31552": msg33439, + "31553": msg33440, + "31554": msg33441, + "31555": msg33442, + "31556": msg33443, + "31557": msg33444, + "31558": msg33445, + "31559": msg33446, + "3156": msg5606, + "31560": msg33447, + "31561": msg33448, + "31562": msg33449, + "31563": msg33450, + "31564": msg33451, + "31565": msg33452, + "31566": msg33453, + "31567": msg33454, + "31568": msg33455, + "31569": msg33456, + "3157": msg5607, + "31570": msg33457, + "31571": msg33458, + "31572": msg33459, + "31573": msg33460, + "31574": msg33461, + "31575": msg33462, + "31576": msg33463, + "31577": msg33464, + "31578": msg33465, + "31579": msg33466, + "3158": msg5608, + "31580": msg33467, + "31581": msg33468, + "31582": msg33469, + "31583": msg33470, + "31584": msg33471, + "31585": msg33472, + "31586": msg33473, + "31587": msg33474, + "31588": msg33475, + "31589": msg33476, + "3159": msg5609, + "31590": msg33477, + "31591": msg33478, + "31592": msg33479, + "31593": msg33480, + "31594": msg33481, + "31595": msg33482, + "31596": msg33483, + "31597": msg33484, + "31598": msg33485, + "31599": msg33486, + "316": select238, + "3160": msg5610, + "31600": msg33487, + "31601": msg33488, + "31602": msg33489, + "31603": msg33490, + "31604": msg33491, + "31605": msg33492, + "31606": msg33493, + "31607": msg33494, + "31608": msg33495, + "31609": msg33496, + "3161": msg5611, + "31610": msg33497, + "31611": msg33498, + "31612": msg33499, + "31613": msg33500, + "31614": msg33501, + "31615": msg33502, + "31616": msg33503, + "31617": msg33504, + "31618": msg33505, + "31619": msg33506, + "3162": msg5612, + "31620": msg33507, + "31621": msg33508, + "31622": msg33509, + "31623": msg33510, + "31624": msg33511, + "31625": msg33512, + "31626": msg33513, + "31627": msg33514, + "31628": msg33515, + "31629": msg33516, + "3163": msg5613, + "31630": msg33517, + "31631": msg33518, + "31632": msg33519, + "31633": msg33520, + "31634": msg33521, + "31635": msg33522, + "31636": msg33523, + "31637": msg33524, + "31638": msg33525, + "31639": msg33526, + "3164": msg5614, + "31640": msg33527, + "31641": msg33528, + "31642": msg33529, + "31643": msg33530, + "31644": msg33531, + "31645": msg33532, + "31646": msg33533, + "31647": msg33534, + "31648": msg33535, + "31649": msg33536, + "3165": msg5615, + "31650": msg33537, + "31651": msg33538, + "31652": msg33539, + "31653": msg33540, + "31654": msg33541, + "31655": msg33542, + "31656": msg33543, + "31657": msg33544, + "31658": msg33545, + "31659": msg33546, + "3166": msg5616, + "31660": msg33547, + "31661": msg33548, + "31662": msg33549, + "31663": msg33550, + "31664": msg33551, + "31665": msg33552, + "31666": msg33553, + "31667": msg33554, + "31668": msg33555, + "31669": msg33556, + "3167": msg5617, + "31670": msg33557, + "31671": msg33558, + "31672": msg33559, + "31673": msg33560, + "31674": msg33561, + "31675": msg33562, + "31676": msg33563, + "31677": msg33564, + "31678": msg33565, + "31679": msg33566, + "3168": msg5618, + "31680": msg33567, + "31681": msg33568, + "31682": msg33569, + "31683": msg33570, + "31684": msg33571, + "31685": msg33572, + "31686": msg33573, + "31687": msg33574, + "31688": msg33575, + "31689": msg33576, + "3169": msg5619, + "31690": msg33577, + "31691": msg33578, + "31692": msg33579, + "31693": msg33580, + "31694": msg33581, + "31695": msg33582, + "31696": msg33583, + "31697": msg33584, + "31698": msg33585, + "31699": msg33586, + "317": select239, + "3170": msg5620, + "31700": msg33587, + "31701": msg33588, + "31702": msg33589, + "31703": msg33590, + "31704": msg33591, + "31705": msg33592, + "31706": msg33593, + "31707": msg33594, + "31708": msg33595, + "31709": msg33596, + "3171": msg5621, + "31710": msg33597, + "31711": msg33598, + "31712": msg33599, + "31713": msg33600, + "31714": msg33601, + "31715": msg33602, + "31716": msg33603, + "31717": msg33604, + "31718": msg33605, + "31719": msg33606, + "3172": msg5622, + "31720": msg33607, + "31721": msg33608, + "31722": msg33609, + "31723": msg33610, + "31724": msg33611, + "31725": msg33612, + "31726": msg33613, + "31727": msg33614, + "31728": msg33615, + "31729": msg33616, + "3173": msg5623, + "31730": msg33617, + "31731": msg33618, + "31732": msg33619, + "31733": msg33620, + "31734": msg33621, + "31735": msg33622, + "31736": msg33623, + "31737": msg33624, + "31738": msg33625, + "31739": msg33626, + "3174": msg5624, + "31740": msg33627, + "31741": msg33628, + "31742": msg33629, + "31743": msg33630, + "31744": msg33631, + "31745": msg33632, + "31746": msg33633, + "31747": msg33634, + "31748": msg33635, + "31749": msg33636, + "3175": msg5625, + "31750": msg33637, + "31751": msg33638, + "31752": msg33639, + "31753": msg33640, + "31754": msg33641, + "31755": msg33642, + "31756": msg33643, + "31757": msg33644, + "31758": msg33645, + "31759": msg33646, + "3176": msg5626, + "31760": msg33647, + "31761": msg33648, + "31762": msg33649, + "31763": msg33650, + "31764": msg33651, + "31765": msg33652, + "31766": msg33653, + "31767": msg33654, + "31768": msg33655, + "31769": msg33656, + "3177": msg5627, + "31770": msg33657, + "31771": msg33658, + "31772": msg33659, + "31773": msg33660, + "31774": msg33661, + "31775": msg33662, + "31776": msg33663, + "31777": msg33664, + "31778": msg33665, + "31779": msg33666, + "3178": msg5628, + "31780": msg33667, + "31781": msg33668, + "31782": msg33669, + "31783": msg33670, + "31784": msg33671, + "31785": msg33672, + "31786": msg33673, + "31787": msg33674, + "31788": msg33675, + "31789": msg33676, + "3179": msg5629, + "31790": msg33677, + "31791": msg33678, + "31792": msg33679, + "31793": msg33680, + "31794": msg33681, + "31795": msg33682, + "31796": msg33683, + "31797": msg33684, + "31798": msg33685, + "31799": msg33686, + "318": select240, + "3180": msg5630, + "31800": msg33687, + "31801": msg33688, + "31802": msg33689, + "31803": msg33690, + "31804": msg33691, + "31805": msg33692, + "31806": msg33693, + "31807": msg33694, + "31808": msg33695, + "31809": msg33696, + "3181": msg5631, + "31810": msg33697, + "31811": msg33698, + "31812": msg33699, + "31813": msg33700, + "31814": msg33701, + "31815": msg33702, + "31816": msg33703, + "31817": msg33704, + "31818": msg33705, + "31819": msg33706, + "3182": msg5632, + "31820": msg33707, + "31821": msg33708, + "31822": msg33709, + "31823": msg33710, + "31824": msg33711, + "31825": msg33712, + "31826": msg33713, + "31827": msg33714, + "31828": msg33715, + "31829": msg33716, + "3183": msg5633, + "31830": msg33717, + "31831": msg33718, + "31832": msg33719, + "31833": msg33720, + "31834": msg33721, + "31835": msg33722, + "31836": msg33723, + "31837": msg33724, + "31838": msg33725, + "31839": msg33726, + "3184": msg5634, + "31840": msg33727, + "31841": msg33728, + "31842": msg33729, + "31843": msg33730, + "31844": msg33731, + "31845": msg33732, + "31846": msg33733, + "31847": msg33734, + "31848": msg33735, + "31849": msg33736, + "3185": msg5635, + "31850": msg33737, + "31851": msg33738, + "31852": msg33739, + "31853": msg33740, + "31854": msg33741, + "31855": msg33742, + "31856": msg33743, + "31857": msg33744, + "31858": msg33745, + "31859": msg33746, + "3186": msg5636, + "31860": msg33747, + "31861": msg33748, + "31862": msg33749, + "31863": msg33750, + "31864": msg33751, + "31865": msg33752, + "31866": msg33753, + "31867": msg33754, + "31868": msg33755, + "31869": msg33756, + "3187": msg5637, + "31870": msg33757, + "31871": msg33758, + "31872": msg33759, + "31873": msg33760, + "31874": msg33761, + "31875": msg33762, + "31876": msg33763, + "31877": msg33764, + "31878": msg33765, + "31879": msg33766, + "3188": msg5638, + "31880": msg33767, + "31881": msg33768, + "31882": msg33769, + "31883": msg33770, + "31884": msg33771, + "31885": msg33772, + "31886": msg33773, + "31887": msg33774, + "31888": msg33775, + "31889": msg33776, + "3189": msg5639, + "31890": msg33777, + "31891": msg33778, + "31892": msg33779, + "31893": msg33780, + "31894": msg33781, + "31895": msg33782, + "31896": msg33783, + "31897": msg33784, + "31898": msg33785, + "31899": msg33786, + "319": select241, + "3190": msg5640, + "31900": msg33787, + "31901": msg33788, + "31902": msg33789, + "31903": msg33790, + "31904": msg33791, + "31905": msg33792, + "31906": msg33793, + "31907": msg33794, + "31908": msg33795, + "31909": msg33796, + "3191": msg5641, + "31910": msg33797, + "31911": msg33798, + "31912": msg33799, + "31913": msg33800, + "31914": msg33801, + "31915": msg33802, + "31916": msg33803, + "31917": msg33804, + "31918": msg33805, + "31919": msg33806, + "3192": msg5642, + "31920": msg33807, + "31921": msg33808, + "31922": msg33809, + "31923": msg33810, + "31924": msg33811, + "31925": msg33812, + "31926": msg33813, + "31927": msg33814, + "31928": msg33815, + "31929": msg33816, + "3193": msg5643, + "31930": msg33817, + "31931": msg33818, + "31932": msg33819, + "31933": msg33820, + "31934": msg33821, + "31935": msg33822, + "31936": msg33823, + "31937": msg33824, + "31938": msg33825, + "31939": msg33826, + "3194": msg5644, + "31940": msg33827, + "31941": msg33828, + "31942": msg33829, + "31943": msg33830, + "31944": msg33831, + "31945": msg33832, + "31946": msg33833, + "31947": msg33834, + "31948": msg33835, + "31949": msg33836, + "3195": msg5645, + "31950": msg33837, + "31951": msg33838, + "31952": msg33839, + "31953": msg33840, + "31954": msg33841, + "31955": msg33842, + "31956": msg33843, + "31957": msg33844, + "31958": msg33845, + "31959": msg33846, + "3196": msg5646, + "31960": msg33847, + "31961": msg33848, + "31962": msg33849, + "31963": msg33850, + "31964": msg33851, + "31965": msg33852, + "31966": msg33853, + "31967": msg33854, + "31968": msg33855, + "31969": msg33856, + "3197": msg5647, + "31970": msg33857, + "31971": msg33858, + "31972": msg33859, + "31973": msg33860, + "31974": msg33861, + "31975": msg33862, + "31976": msg33863, + "31977": msg33864, + "31978": msg33865, + "31979": msg33866, + "3198": msg5648, + "31980": msg33867, + "31981": msg33868, + "31982": msg33869, + "31983": msg33870, + "31984": msg33871, + "31985": msg33872, + "31986": msg33873, + "31987": msg33874, + "31988": msg33875, + "31989": msg33876, + "3199": msg5649, + "31990": msg33877, + "31991": msg33878, + "31992": msg33879, + "31993": msg33880, + "31994": msg33881, + "31995": msg33882, + "31996": msg33883, + "31997": msg33884, + "31998": msg33885, + "31999": msg33886, + "320": select242, + "3200": msg5650, + "32000": msg33887, + "32001": msg33888, + "32002": msg33889, + "32003": msg33890, + "32004": msg33891, + "32005": msg33892, + "32006": msg33893, + "32007": msg33894, + "32008": msg33895, + "32009": msg33896, + "3201": msg5651, + "32010": msg33897, + "32011": msg33898, + "32012": msg33899, + "32013": msg33900, + "32014": msg33901, + "32015": msg33902, + "32016": msg33903, + "32017": msg33904, + "32018": msg33905, + "32019": msg33906, + "3202": msg5652, + "32020": msg33907, + "32021": msg33908, + "32022": msg33909, + "32023": msg33910, + "32024": msg33911, + "32025": msg33912, + "32026": msg33913, + "32027": msg33914, + "32028": msg33915, + "32029": msg33916, + "3203": msg5653, + "32030": msg33917, + "32031": msg33918, + "32032": msg33919, + "32033": msg33920, + "32034": msg33921, + "32035": msg33922, + "32036": msg33923, + "32037": msg33924, + "32038": msg33925, + "32039": msg33926, + "3204": msg5654, + "32040": msg33927, + "32041": msg33928, + "32042": msg33929, + "32043": msg33930, + "32044": msg33931, + "32045": msg33932, + "32046": msg33933, + "32047": msg33934, + "32048": msg33935, + "32049": msg33936, + "3205": msg5655, + "32050": msg33937, + "32051": msg33938, + "32052": msg33939, + "32053": msg33940, + "32054": msg33941, + "32055": msg33942, + "32056": msg33943, + "32057": msg33944, + "32058": msg33945, + "32059": msg33946, + "3206": msg5656, + "32060": msg33947, + "32061": msg33948, + "32062": msg33949, + "32063": msg33950, + "32064": msg33951, + "32065": msg33952, + "32066": msg33953, + "32067": msg33954, + "32068": msg33955, + "32069": msg33956, + "3207": msg5657, + "32070": msg33957, + "32071": msg33958, + "32072": msg33959, + "32073": msg33960, + "32074": msg33961, + "32075": msg33962, + "32076": msg33963, + "32077": msg33964, + "32078": msg33965, + "32079": msg33966, + "3208": msg5658, + "32080": msg33967, + "32081": msg33968, + "32082": msg33969, + "32083": msg33970, + "32084": msg33971, + "32085": msg33972, + "32086": msg33973, + "32087": msg33974, + "32088": msg33975, + "32089": msg33976, + "3209": msg5659, + "32090": msg33977, + "32091": msg33978, + "32092": msg33979, + "32093": msg33980, + "32094": msg33981, + "32095": msg33982, + "32096": msg33983, + "32097": msg33984, + "32098": msg33985, + "32099": msg33986, + "321": select243, + "3210": msg5660, + "32100": msg33987, + "32101": msg33988, + "32102": msg33989, + "32103": msg33990, + "32104": msg33991, + "32105": msg33992, + "32106": msg33993, + "32107": msg33994, + "32108": msg33995, + "32109": msg33996, + "3211": msg5661, + "32110": msg33997, + "32111": msg33998, + "32112": msg33999, + "32113": msg34000, + "32114": msg34001, + "32115": msg34002, + "32116": msg34003, + "32117": msg34004, + "32118": msg34005, + "32119": msg34006, + "3212": msg5662, + "32120": msg34007, + "32121": msg34008, + "32122": msg34009, + "32123": msg34010, + "32124": msg34011, + "32125": msg34012, + "32126": msg34013, + "32127": msg34014, + "32128": msg34015, + "32129": msg34016, + "3213": msg5663, + "32130": msg34017, + "32131": msg34018, + "32132": msg34019, + "32133": msg34020, + "32134": msg34021, + "32135": msg34022, + "32136": msg34023, + "32137": msg34024, + "32138": msg34025, + "32139": msg34026, + "3214": msg5664, + "32140": msg34027, + "32141": msg34028, + "32142": msg34029, + "32143": msg34030, + "32144": msg34031, + "32145": msg34032, + "32146": msg34033, + "32147": msg34034, + "32148": msg34035, + "32149": msg34036, + "3215": msg5665, + "32150": msg34037, + "32151": msg34038, + "32152": msg34039, + "32153": msg34040, + "32154": msg34041, + "32155": msg34042, + "32156": msg34043, + "32157": msg34044, + "32158": msg34045, + "32159": msg34046, + "3216": msg5666, + "32160": msg34047, + "32161": msg34048, + "32162": msg34049, + "32163": msg34050, + "32164": msg34051, + "32165": msg34052, + "32166": msg34053, + "32167": msg34054, + "32168": msg34055, + "32169": msg34056, + "3217": msg5667, + "32170": msg34057, + "32171": msg34058, + "32172": msg34059, + "32173": msg34060, + "32174": msg34061, + "32175": msg34062, + "32176": msg34063, + "32177": msg34064, + "32178": msg34065, + "32179": msg34066, + "3218": msg5668, + "32180": msg34067, + "32181": msg34068, + "32182": msg34069, + "32183": msg34070, + "32184": msg34071, + "32185": msg34072, + "32186": msg34073, + "32187": msg34074, + "32188": msg34075, + "32189": msg34076, + "3219": msg5669, + "32190": msg34077, + "32191": msg34078, + "32192": msg34079, + "32193": msg34080, + "32194": msg34081, + "32195": msg34082, + "32196": msg34083, + "32197": msg34084, + "32198": msg34085, + "32199": msg34086, + "322": select244, + "3220": msg5670, + "32200": msg34087, + "32201": msg34088, + "32202": msg34089, + "32203": msg34090, + "32204": msg34091, + "32205": msg34092, + "32206": msg34093, + "32207": msg34094, + "32208": msg34095, + "32209": msg34096, + "3221": msg5671, + "32210": msg34097, + "32211": msg34098, + "32212": msg34099, + "32213": msg34100, + "32214": msg34101, + "32215": msg34102, + "32216": msg34103, + "32217": msg34104, + "32218": msg34105, + "32219": msg34106, + "3222": msg5672, + "32220": msg34107, + "32221": msg34108, + "32222": msg34109, + "32223": msg34110, + "32224": msg34111, + "32225": msg34112, + "32226": msg34113, + "32227": msg34114, + "32228": msg34115, + "32229": msg34116, + "3223": msg5673, + "32230": msg34117, + "32231": msg34118, + "32232": msg34119, + "32233": msg34120, + "32234": msg34121, + "32235": msg34122, + "32236": msg34123, + "32237": msg34124, + "32238": msg34125, + "32239": msg34126, + "3224": msg5674, + "32240": msg34127, + "32241": msg34128, + "32242": msg34129, + "32243": msg34130, + "32244": msg34131, + "32245": msg34132, + "32246": msg34133, + "32247": msg34134, + "32248": msg34135, + "32249": msg34136, + "3225": msg5675, + "32250": msg34137, + "32251": msg34138, + "32252": msg34139, + "32253": msg34140, + "32254": msg34141, + "32255": msg34142, + "32256": msg34143, + "32257": msg34144, + "32258": msg34145, + "32259": msg34146, + "3226": msg5676, + "32260": msg34147, + "32261": msg34148, + "32262": msg34149, + "32263": msg34150, + "32264": msg34151, + "32265": msg34152, + "32266": msg34153, + "32267": msg34154, + "32268": msg34155, + "32269": msg34156, + "3227": msg5677, + "32270": msg34157, + "32271": msg34158, + "32272": msg34159, + "32273": msg34160, + "32274": msg34161, + "32275": msg34162, + "32276": msg34163, + "32277": msg34164, + "32278": msg34165, + "32279": msg34166, + "3228": msg5678, + "32280": msg34167, + "32281": msg34168, + "32282": msg34169, + "32283": msg34170, + "32284": msg34171, + "32285": msg34172, + "32286": msg34173, + "32287": msg34174, + "32288": msg34175, + "32289": msg34176, + "3229": msg5679, + "32290": msg34177, + "32291": msg34178, + "32292": msg34179, + "32293": msg34180, + "32294": msg34181, + "32295": msg34182, + "32296": msg34183, + "32297": msg34184, + "32298": msg34185, + "32299": msg34186, + "323": select245, + "3230": msg5680, + "32300": msg34187, + "32301": msg34188, + "32302": msg34189, + "32303": msg34190, + "32304": msg34191, + "32305": msg34192, + "32306": msg34193, + "32307": msg34194, + "32308": msg34195, + "32309": msg34196, + "3231": msg5681, + "32310": msg34197, + "32311": msg34198, + "32312": msg34199, + "32313": msg34200, + "32314": msg34201, + "32315": msg34202, + "32316": msg34203, + "32319": msg34204, + "3232": msg5682, + "32320": msg34205, + "3233": msg5683, + "32334": msg34206, + "32335": msg34207, + "32336": msg34208, + "32337": msg34209, + "32338": msg34210, + "3234": msg5684, + "32342": msg34211, + "32343": msg34212, + "32344": msg34213, + "32345": msg34214, + "32346": msg34215, + "32347": msg34216, + "32348": msg34217, + "32349": msg34218, + "3235": msg5685, + "32350": msg34219, + "32351": msg34220, + "32352": msg34221, + "32353": msg34222, + "32354": msg34223, + "32355": msg34224, + "32356": msg34225, + "32357": msg34226, + "32358": msg34227, + "32359": msg34228, + "3236": msg5686, + "32360": msg34229, + "32361": msg34230, + "32362": msg34231, + "32363": msg34232, + "32364": msg34233, + "32365": msg34234, + "32366": msg34235, + "32367": msg34236, + "32368": msg34237, + "32369": msg34238, + "3237": msg5687, + "32370": msg34239, + "32371": msg34240, + "32372": msg34241, + "32373": msg34242, + "32374": msg34243, + "32375": msg34244, + "32376": msg34245, + "32377": msg34246, + "32378": msg34247, + "32379": msg34248, + "3238": msg5688, + "32380": msg34249, + "32381": msg34250, + "32382": msg34251, + "32383": msg34252, + "32384": msg34253, + "32385": msg34254, + "32386": msg34255, + "32387": msg34256, + "32388": msg34257, + "32389": msg34258, + "3239": msg5689, + "32390": msg34259, + "32391": msg34260, + "32392": msg34261, + "32393": msg34262, + "32394": msg34263, + "32395": msg34264, + "32396": msg34265, + "32397": msg34266, + "32398": msg34267, + "32399": msg34268, + "324": select246, + "3240": msg5690, + "32400": msg34269, + "32401": msg34270, + "32402": msg34271, + "32403": msg34272, + "32404": msg34273, + "32405": msg34274, + "32406": msg34275, + "32407": msg34276, + "32408": msg34277, + "32409": msg34278, + "3241": msg5691, + "32410": msg34279, + "32411": msg34280, + "32412": msg34281, + "32413": msg34282, + "32414": msg34283, + "32415": msg34284, + "32416": msg34285, + "32417": msg34286, + "32418": msg34287, + "32419": msg34288, + "3242": msg5692, + "32420": msg34289, + "32421": msg34290, + "32422": msg34291, + "32423": msg34292, + "32424": msg34293, + "32425": msg34294, + "32426": msg34295, + "32427": msg34296, + "32428": msg34297, + "32429": msg34298, + "3243": msg5693, + "32430": msg34299, + "32431": msg34300, + "32432": msg34301, + "32433": msg34302, + "32434": msg34303, + "32435": msg34304, + "32436": msg34305, + "32437": msg34306, + "32438": msg34307, + "32439": msg34308, + "3244": msg5694, + "32440": msg34309, + "32441": msg34310, + "32442": msg34311, + "32443": msg34312, + "32444": msg34313, + "32445": msg34314, + "32446": msg34315, + "32447": msg34316, + "32448": msg34317, + "32449": msg34318, + "3245": msg5695, + "32450": msg34319, + "32451": msg34320, + "32452": msg34321, + "32453": msg34322, + "32454": msg34323, + "32455": msg34324, + "32456": msg34325, + "32457": msg34326, + "32458": msg34327, + "32459": msg34328, + "3246": msg5696, + "32460": msg34329, + "32461": msg34330, + "32462": msg34331, + "32463": msg34332, + "32464": msg34333, + "32465": msg34334, + "32466": msg34335, + "32467": msg34336, + "32468": msg34337, + "32469": msg34338, + "3247": msg5697, + "32470": msg34339, + "32471": msg34340, + "32472": msg34341, + "32473": msg34342, + "32474": msg34343, + "32475": msg34344, + "32476": msg34345, + "32477": msg34346, + "32478": msg34347, + "32479": msg34348, + "3248": msg5698, + "32480": msg34349, + "32481": msg34350, + "32482": msg34351, + "32483": msg34352, + "32484": msg34353, + "32485": msg34354, + "32486": msg34355, + "32487": msg34356, + "32488": msg34357, + "32489": msg34358, + "3249": msg5699, + "32490": msg34359, + "32491": msg34360, + "32492": msg34361, + "32493": msg34362, + "32494": msg34363, + "32495": msg34364, + "32496": msg34365, + "32497": msg34366, + "32498": msg34367, + "32499": msg34368, + "325": select247, + "3250": msg5700, + "32500": msg34369, + "32501": msg34370, + "32502": msg34371, + "32503": msg34372, + "32504": msg34373, + "32505": msg34374, + "32506": msg34375, + "32507": msg34376, + "32508": msg34377, + "32509": msg34378, + "3251": msg5701, + "32510": msg34379, + "32511": msg34380, + "32512": msg34381, + "32513": msg34382, + "32514": msg34383, + "32515": msg34384, + "32516": msg34385, + "32517": msg34386, + "32518": msg34387, + "32519": msg34388, + "3252": msg5702, + "32520": msg34389, + "32521": msg34390, + "32522": msg34391, + "32523": msg34392, + "32524": msg34393, + "32525": msg34394, + "32526": msg34395, + "32527": msg34396, + "32528": msg34397, + "32529": msg34398, + "3253": msg5703, + "32530": msg34399, + "32531": msg34400, + "32532": msg34401, + "32533": msg34402, + "32534": msg34403, + "32535": msg34404, + "32536": msg34405, + "32537": msg34406, + "32538": msg34407, + "32539": msg34408, + "3254": msg5704, + "32540": msg34409, + "32541": msg34410, + "32542": msg34411, + "32543": msg34412, + "32544": msg34413, + "32545": msg34414, + "32546": msg34415, + "32547": msg34416, + "32548": msg34417, + "32549": msg34418, + "3255": msg5705, + "32550": msg34419, + "32551": msg34420, + "32552": msg34421, + "32553": msg34422, + "32554": msg34423, + "32555": msg34424, + "32556": msg34425, + "32557": msg34426, + "32558": msg34427, + "32559": msg34428, + "3256": msg5706, + "32560": msg34429, + "32561": msg34430, + "32562": msg34431, + "32563": msg34432, + "32564": msg34433, + "32565": msg34434, + "32566": msg34435, + "32567": msg34436, + "32568": msg34437, + "32569": msg34438, + "3257": msg5707, + "32570": msg34439, + "32571": msg34440, + "32572": msg34441, + "32573": msg34442, + "32574": msg34443, + "32575": msg34444, + "32576": msg34445, + "32577": msg34446, + "32578": msg34447, + "32579": msg34448, + "3258": msg5708, + "32580": msg34449, + "32581": msg34450, + "32582": msg34451, + "32583": msg34452, + "32584": msg34453, + "32585": msg34454, + "32586": msg34455, + "32587": msg34456, + "32588": msg34457, + "32589": msg34458, + "3259": msg5709, + "32590": msg34459, + "32591": msg34460, + "32592": msg34461, + "32593": msg34462, + "32594": msg34463, + "32595": msg34464, + "32596": msg34465, + "32597": msg34466, + "32598": msg34467, + "32599": msg34468, + "326": select248, + "3260": msg5710, + "32600": msg34469, + "32601": msg34470, + "32602": msg34471, + "32603": msg34472, + "32604": msg34473, + "32605": msg34474, + "32606": msg34475, + "32607": msg34476, + "32608": msg34477, + "32609": msg34478, + "3261": msg5711, + "32610": msg34479, + "32611": msg34480, + "32612": msg34481, + "32613": msg34482, + "32614": msg34483, + "32615": msg34484, + "32616": msg34485, + "32617": msg34486, + "32618": msg34487, + "32619": msg34488, + "3262": msg5712, + "32620": msg34489, + "32621": msg34490, + "32622": msg34491, + "32623": msg34492, + "32624": msg34493, + "32625": msg34494, + "32626": msg34495, + "32627": msg34496, + "32628": msg34497, + "32629": msg34498, + "3263": msg5713, + "32630": msg34499, + "32631": msg34500, + "32632": msg34501, + "32633": msg34502, + "32634": msg34503, + "32635": msg34504, + "32636": msg34505, + "32637": msg34506, + "32638": msg34507, + "32639": msg34508, + "3264": msg5714, + "32640": msg34509, + "32641": msg34510, + "32642": msg34511, + "32643": msg34512, + "32644": msg34513, + "32645": msg34514, + "32646": msg34515, + "32647": msg34516, + "32648": msg34517, + "32649": msg34518, + "3265": msg5715, + "32650": msg34519, + "32651": msg34520, + "32652": msg34521, + "32653": msg34522, + "32654": msg34523, + "32655": msg34524, + "32656": msg34525, + "32657": msg34526, + "32658": msg34527, + "32659": msg34528, + "3266": msg5716, + "32660": msg34529, + "32661": msg34530, + "32662": msg34531, + "32663": msg34532, + "32664": msg34533, + "32665": msg34534, + "32666": msg34535, + "32667": msg34536, + "32668": msg34537, + "32669": msg34538, + "3267": msg5717, + "32670": msg34539, + "32671": msg34540, + "32672": msg34541, + "32673": msg34542, + "32674": msg34543, + "32675": msg34544, + "32676": msg34545, + "32677": msg34546, + "32678": msg34547, + "32679": msg34548, + "3268": msg5718, + "32680": msg34549, + "32681": msg34550, + "32682": msg34551, + "32683": msg34552, + "32684": msg34553, + "32685": msg34554, + "32686": msg34555, + "32687": msg34556, + "32688": msg34557, + "32689": msg34558, + "3269": msg5719, + "32690": msg34559, + "32691": msg34560, + "32692": msg34561, + "32693": msg34562, + "32694": msg34563, + "32695": msg34564, + "32696": msg34565, + "32697": msg34566, + "32698": msg34567, + "32699": msg34568, + "327": select249, + "3270": msg5720, + "32700": msg34569, + "32701": msg34570, + "32702": msg34571, + "32703": msg34572, + "32704": msg34573, + "32705": msg34574, + "32706": msg34575, + "32707": msg34576, + "32708": msg34577, + "32709": msg34578, + "3271": msg5721, + "32710": msg34579, + "32711": msg34580, + "32712": msg34581, + "32713": msg34582, + "32714": msg34583, + "32715": msg34584, + "32716": msg34585, + "32717": msg34586, + "32718": msg34587, + "32719": msg34588, + "3272": msg5722, + "32720": msg34589, + "32721": msg34590, + "32722": msg34591, + "32723": msg34592, + "32724": msg34593, + "32725": msg34594, + "32726": msg34595, + "32727": msg34596, + "32728": msg34597, + "32729": msg34598, + "3273": msg5723, + "32730": msg34599, + "32731": msg34600, + "32732": msg34601, + "32733": msg34602, + "32734": msg34603, + "32735": msg34604, + "32736": msg34605, + "32737": msg34606, + "32738": msg34607, + "32739": msg34608, + "3274": msg5724, + "32740": msg34609, + "32741": msg34610, + "32742": msg34611, + "32743": msg34612, + "32744": msg34613, + "32745": msg34614, + "32746": msg34615, + "32747": msg34616, + "32748": msg34617, + "32749": msg34618, + "3275": msg5725, + "32750": msg34619, + "32751": msg34620, + "32752": msg34621, + "32753": msg34622, + "32754": msg34623, + "32755": msg34624, + "32756": msg34625, + "32757": msg34626, + "32758": msg34627, + "32759": msg34628, + "3276": msg5726, + "32760": msg34629, + "32761": msg34630, + "32762": msg34631, + "32763": msg34632, + "32764": msg34633, + "32765": msg34634, + "32766": msg34635, + "32767": msg34636, + "32768": msg34637, + "32769": msg34638, + "3277": msg5727, + "32770": msg34639, + "32771": msg34640, + "32772": msg34641, + "32773": msg34642, + "32774": msg34643, + "32775": msg34644, + "32776": msg34645, + "32777": msg34646, + "32778": msg34647, + "32779": msg34648, + "3278": msg5728, + "32780": msg34649, + "32781": msg34650, + "32782": msg34651, + "32783": msg34652, + "32784": msg34653, + "32785": msg34654, + "32786": msg34655, + "32787": msg34656, + "32788": msg34657, + "32789": msg34658, + "3279": msg5729, + "32790": msg34659, + "32791": msg34660, + "32792": msg34661, + "32793": msg34662, + "32794": msg34663, + "32795": msg34664, + "32796": msg34665, + "32797": msg34666, + "32798": msg34667, + "32799": msg34668, + "328": select250, + "3280": msg5730, + "32800": msg34669, + "32801": msg34670, + "32802": msg34671, + "32803": msg34672, + "32804": msg34673, + "32805": msg34674, + "32806": msg34675, + "32807": msg34676, + "32808": msg34677, + "32809": msg34678, + "3281": msg5731, + "32810": msg34679, + "32811": msg34680, + "32812": msg34681, + "32813": msg34682, + "32814": msg34683, + "32815": msg34684, + "32816": msg34685, + "32817": msg34686, + "32818": msg34687, + "32819": msg34688, + "3282": msg5732, + "32820": msg34689, + "32821": msg34690, + "32822": msg34691, + "32823": msg34692, + "32824": msg34693, + "32825": msg34694, + "32826": msg34695, + "32827": msg34696, + "32828": msg34697, + "32829": msg34698, + "3283": msg5733, + "32830": msg34699, + "32831": msg34700, + "32832": msg34701, + "32833": msg34702, + "32834": msg34703, + "32835": msg34704, + "32836": msg34705, + "32837": msg34706, + "32838": msg34707, + "32839": msg34708, + "3284": msg5734, + "32840": msg34709, + "32841": msg34710, + "32842": msg34711, + "32843": msg34712, + "32844": msg34713, + "32845": msg34714, + "32846": msg34715, + "32847": msg34716, + "32848": msg34717, + "32849": msg34718, + "3285": msg5735, + "32850": msg34719, + "32851": msg34720, + "32852": msg34721, + "32853": msg34722, + "32854": msg34723, + "32855": msg34724, + "32856": msg34725, + "32857": msg34726, + "32858": msg34727, + "32859": msg34728, + "3286": msg5736, + "32860": msg34729, + "32861": msg34730, + "32862": msg34731, + "32863": msg34732, + "32864": msg34733, + "32865": msg34734, + "32866": msg34735, + "32867": msg34736, + "32868": msg34737, + "32869": msg34738, + "3287": msg5737, + "32870": msg34739, + "32871": msg34740, + "32872": msg34741, + "32873": msg34742, + "32874": msg34743, + "32875": msg34744, + "32876": msg34745, + "32877": msg34746, + "32878": msg34747, + "32879": msg34748, + "3288": msg5738, + "32880": msg34749, + "32881": msg34750, + "32882": msg34751, + "32883": msg34752, + "32884": msg34753, + "32885": msg34754, + "32886": msg34755, + "32887": msg34756, + "32888": msg34757, + "32889": msg34758, + "3289": msg5739, + "32890": msg34759, + "32891": msg34760, + "32892": msg34761, + "32893": msg34762, + "32894": msg34763, + "32895": msg34764, + "32896": msg34765, + "32897": msg34766, + "32898": msg34767, + "32899": msg34768, + "329": select251, + "3290": msg5740, + "32900": msg34769, + "32901": msg34770, + "32902": msg34771, + "32903": msg34772, + "32904": msg34773, + "32905": msg34774, + "32906": msg34775, + "32907": msg34776, + "32908": msg34777, + "32909": msg34778, + "3291": msg5741, + "32910": msg34779, + "32911": msg34780, + "32912": msg34781, + "32913": msg34782, + "32914": msg34783, + "32915": msg34784, + "32916": msg34785, + "32917": msg34786, + "32918": msg34787, + "32919": msg34788, + "3292": msg5742, + "32920": msg34789, + "32921": msg34790, + "32922": msg34791, + "32923": msg34792, + "32924": msg34793, + "32925": msg34794, + "32926": msg34795, + "32927": msg34796, + "32928": msg34797, + "32929": msg34798, + "3293": msg5743, + "32930": msg34799, + "32931": msg34800, + "32932": msg34801, + "32933": msg34802, + "32934": msg34803, + "32935": msg34804, + "32936": msg34805, + "32937": msg34806, + "32938": msg34807, + "32939": msg34808, + "3294": msg5744, + "32940": msg34809, + "32941": msg34810, + "32942": msg34811, + "32943": msg34812, + "32944": msg34813, + "32945": msg34814, + "32946": msg34815, + "32947": msg34816, + "32948": msg34817, + "32949": msg34818, + "3295": msg5745, + "32950": msg34819, + "32951": msg34820, + "32952": msg34821, + "32953": msg34822, + "32954": msg34823, + "32955": msg34824, + "32956": msg34825, + "32957": msg34826, + "32958": msg34827, + "32959": msg34828, + "3296": msg5746, + "32960": msg34829, + "32961": msg34830, + "32962": msg34831, + "32963": msg34832, + "32964": msg34833, + "32965": msg34834, + "32966": msg34835, + "32967": msg34836, + "32968": msg34837, + "32969": msg34838, + "3297": msg5747, + "32970": msg34839, + "32971": msg34840, + "32972": msg34841, + "32973": msg34842, + "32974": msg34843, + "32975": msg34844, + "32976": msg34845, + "32977": msg34846, + "32978": msg34847, + "32979": msg34848, + "3298": msg5748, + "32980": msg34849, + "32981": msg34850, + "32982": msg34851, + "32983": msg34852, + "32984": msg34853, + "32985": msg34854, + "32986": msg34855, + "32987": msg34856, + "32988": msg34857, + "32989": msg34858, + "3299": msg5749, + "32990": msg34859, + "32991": msg34860, + "32992": msg34861, + "32993": msg34862, + "32994": msg34863, + "32995": msg34864, + "32996": msg34865, + "32997": msg34866, + "32998": msg34867, + "32999": msg34868, + "330": select252, + "3300": msg5750, + "33000": msg34869, + "33001": msg34870, + "33002": msg34871, + "33003": msg34872, + "33004": msg34873, + "33005": msg34874, + "33006": msg34875, + "33007": msg34876, + "33008": msg34877, + "33009": msg34878, + "3301": msg5751, + "33010": msg34879, + "33011": msg34880, + "33012": msg34881, + "33013": msg34882, + "33014": msg34883, + "33015": msg34884, + "33016": msg34885, + "33017": msg34886, + "33018": msg34887, + "33019": msg34888, + "3302": msg5752, + "33020": msg34889, + "33021": msg34890, + "33022": msg34891, + "33023": msg34892, + "33024": msg34893, + "33025": msg34894, + "33026": msg34895, + "33027": msg34896, + "33028": msg34897, + "33029": msg34898, + "3303": msg5753, + "33030": msg34899, + "33031": msg34900, + "33032": msg34901, + "33033": msg34902, + "33034": msg34903, + "33035": msg34904, + "33036": msg34905, + "33037": msg34906, + "33038": msg34907, + "33039": msg34908, + "3304": msg5754, + "33040": msg34909, + "33041": msg34910, + "33042": msg34911, + "33043": msg34912, + "33044": msg34913, + "33045": msg34914, + "33046": msg34915, + "33047": msg34916, + "33048": msg34917, + "33049": msg34918, + "3305": msg5755, + "33050": msg34919, + "33051": msg34920, + "33052": msg34921, + "33053": msg34922, + "33054": msg34923, + "33055": msg34924, + "33056": msg34925, + "33057": msg34926, + "33058": msg34927, + "33059": msg34928, + "3306": msg5756, + "33060": msg34929, + "33061": msg34930, + "33062": msg34931, + "33063": msg34932, + "33064": msg34933, + "33065": msg34934, + "33066": msg34935, + "33067": msg34936, + "33068": msg34937, + "33069": msg34938, + "3307": msg5757, + "33070": msg34939, + "33071": msg34940, + "33072": msg34941, + "33073": msg34942, + "33074": msg34943, + "33075": msg34944, + "33076": msg34945, + "33077": msg34946, + "33078": msg34947, + "33079": msg34948, + "3308": msg5758, + "33080": msg34949, + "33081": msg34950, + "33082": msg34951, + "33083": msg34952, + "33084": msg34953, + "33085": msg34954, + "33086": msg34955, + "33087": msg34956, + "33088": msg34957, + "33089": msg34958, + "3309": msg5759, + "33090": msg34959, + "33091": msg34960, + "33092": msg34961, + "33093": msg34962, + "33094": msg34963, + "33095": msg34964, + "33096": msg34965, + "33097": msg34966, + "33098": msg34967, + "33099": msg34968, + "331": select253, + "3310": msg5760, + "33100": msg34969, + "33101": msg34970, + "33102": msg34971, + "33103": msg34972, + "33104": msg34973, + "33105": msg34974, + "33106": msg34975, + "33107": msg34976, + "33108": msg34977, + "33109": msg34978, + "3311": msg5761, + "33110": msg34979, + "33111": msg34980, + "33112": msg34981, + "33113": msg34982, + "33114": msg34983, + "33115": msg34984, + "33116": msg34985, + "33117": msg34986, + "33118": msg34987, + "33119": msg34988, + "3312": msg5762, + "33120": msg34989, + "33121": msg34990, + "33122": msg34991, + "33123": msg34992, + "33124": msg34993, + "33125": msg34994, + "33126": msg34995, + "33127": msg34996, + "33128": msg34997, + "33129": msg34998, + "3313": msg5763, + "33130": msg34999, + "33131": msg35000, + "33132": msg35001, + "33133": msg35002, + "33134": msg35003, + "33135": msg35004, + "33136": msg35005, + "33137": msg35006, + "33138": msg35007, + "33139": msg35008, + "3314": msg5764, + "33140": msg35009, + "33141": msg35010, + "33142": msg35011, + "33143": msg35012, + "33144": msg35013, + "33145": msg35014, + "33146": msg35015, + "33147": msg35016, + "33148": msg35017, + "33149": msg35018, + "3315": msg5765, + "33150": msg35019, + "33151": msg35020, + "33152": msg35021, + "33153": msg35022, + "33154": msg35023, + "33155": msg35024, + "33156": msg35025, + "33157": msg35026, + "33158": msg35027, + "33159": msg35028, + "3316": msg5766, + "33160": msg35029, + "33161": msg35030, + "33162": msg35031, + "33163": msg35032, + "33164": msg35033, + "33165": msg35034, + "33166": msg35035, + "33167": msg35036, + "33168": msg35037, + "33169": msg35038, + "3317": msg5767, + "33170": msg35039, + "33171": msg35040, + "33172": msg35041, + "33173": msg35042, + "33174": msg35043, + "33175": msg35044, + "33176": msg35045, + "33177": msg35046, + "33178": msg35047, + "33179": msg35048, + "3318": msg5768, + "33180": msg35049, + "33181": msg35050, + "33182": msg35051, + "33183": msg35052, + "33184": msg35053, + "33185": msg35054, + "33186": msg35055, + "33187": msg35056, + "33188": msg35057, + "33189": msg35058, + "3319": msg5769, + "33190": msg35059, + "33191": msg35060, + "33192": msg35061, + "33193": msg35062, + "33194": msg35063, + "33195": msg35064, + "33196": msg35065, + "33197": msg35066, + "33198": msg35067, + "33199": msg35068, + "332": select254, + "3320": msg5770, + "33200": msg35069, + "33201": msg35070, + "33202": msg35071, + "33203": msg35072, + "33204": msg35073, + "33205": msg35074, + "33206": msg35075, + "33207": msg35076, + "33208": msg35077, + "33209": msg35078, + "3321": msg5771, + "33210": msg35079, + "33211": msg35080, + "33212": msg35081, + "33213": msg35082, + "33214": msg35083, + "33215": msg35084, + "33216": msg35085, + "33217": msg35086, + "33218": msg35087, + "33219": msg35088, + "3322": msg5772, + "33220": msg35089, + "33221": msg35090, + "33222": msg35091, + "33223": msg35092, + "33224": msg35093, + "33225": msg35094, + "33226": msg35095, + "33227": msg35096, + "33228": msg35097, + "33229": msg35098, + "3323": msg5773, + "33230": msg35099, + "33231": msg35100, + "33232": msg35101, + "33233": msg35102, + "33234": msg35103, + "33235": msg35104, + "33236": msg35105, + "33237": msg35106, + "33238": msg35107, + "33239": msg35108, + "3324": msg5774, + "33240": msg35109, + "33241": msg35110, + "33242": msg35111, + "33243": msg35112, + "33244": msg35113, + "33245": msg35114, + "33246": msg35115, + "33247": msg35116, + "33248": msg35117, + "33249": msg35118, + "3325": msg5775, + "33250": msg35119, + "33251": msg35120, + "33252": msg35121, + "33253": msg35122, + "33254": msg35123, + "33255": msg35124, + "33256": msg35125, + "33257": msg35126, + "33258": msg35127, + "33259": msg35128, + "3326": msg5776, + "33260": msg35129, + "33261": msg35130, + "33262": msg35131, + "33263": msg35132, + "33264": msg35133, + "33265": msg35134, + "33266": msg35135, + "33267": msg35136, + "33268": msg35137, + "33269": msg35138, + "3327": msg5777, + "33270": msg35139, + "33271": msg35140, + "33272": msg35141, + "33273": msg35142, + "33274": msg35143, + "33275": msg35144, + "33276": msg35145, + "33277": msg35146, + "33278": msg35147, + "33279": msg35148, + "3328": msg5778, + "33280": msg35149, + "33281": msg35150, + "33282": msg35151, + "33283": msg35152, + "33284": msg35153, + "33285": msg35154, + "33286": msg35155, + "33287": msg35156, + "33288": msg35157, + "33289": msg35158, + "3329": msg5779, + "33290": msg35159, + "33291": msg35160, + "33292": msg35161, + "33293": msg35162, + "33294": msg35163, + "33295": msg35164, + "33296": msg35165, + "33297": msg35166, + "33298": msg35167, + "33299": msg35168, + "333": select255, + "3330": msg5780, + "33300": msg35169, + "33301": msg35170, + "33302": msg35171, + "33303": msg35172, + "33304": msg35173, + "33305": msg35174, + "33306": msg35175, + "33307": msg35176, + "33308": msg35177, + "33309": msg35178, + "3331": msg5781, + "33310": msg35179, + "33311": msg35180, + "33312": msg35181, + "33313": msg35182, + "33314": msg35183, + "33315": msg35184, + "33316": msg35185, + "33317": msg35186, + "33318": msg35187, + "33319": msg35188, + "3332": msg5782, + "33320": msg35189, + "33321": msg35190, + "33322": msg35191, + "33323": msg35192, + "33324": msg35193, + "33325": msg35194, + "33326": msg35195, + "33327": msg35196, + "33328": msg35197, + "33329": msg35198, + "3333": msg5783, + "33330": msg35199, + "33331": msg35200, + "33332": msg35201, + "33333": msg35202, + "33334": msg35203, + "33335": msg35204, + "33336": msg35205, + "33337": msg35206, + "33338": msg35207, + "33339": msg35208, + "3334": msg5784, + "33340": msg35209, + "33341": msg35210, + "33342": msg35211, + "33343": msg35212, + "33344": msg35213, + "33345": msg35214, + "33346": msg35215, + "33347": msg35216, + "33348": msg35217, + "33349": msg35218, + "3335": msg5785, + "33350": msg35219, + "33351": msg35220, + "33352": msg35221, + "33353": msg35222, + "33354": msg35223, + "33355": msg35224, + "33356": msg35225, + "33357": msg35226, + "33358": msg35227, + "33359": msg35228, + "3336": msg5786, + "33360": msg35229, + "33361": msg35230, + "33362": msg35231, + "33363": msg35232, + "33364": msg35233, + "33365": msg35234, + "33366": msg35235, + "33367": msg35236, + "33368": msg35237, + "33369": msg35238, + "3337": msg5787, + "33370": msg35239, + "33371": msg35240, + "33372": msg35241, + "33373": msg35242, + "33374": msg35243, + "33375": msg35244, + "33376": msg35245, + "33377": msg35246, + "33378": msg35247, + "33379": msg35248, + "3338": msg5788, + "33380": msg35249, + "33381": msg35250, + "33382": msg35251, + "33383": msg35252, + "33384": msg35253, + "33385": msg35254, + "33386": msg35255, + "33387": msg35256, + "33388": msg35257, + "33389": msg35258, + "3339": msg5789, + "33390": msg35259, + "33391": msg35260, + "33392": msg35261, + "33393": msg35262, + "33394": msg35263, + "33395": msg35264, + "33396": msg35265, + "33397": msg35266, + "33398": msg35267, + "33399": msg35268, + "334": select256, + "3340": msg5790, + "33400": msg35269, + "33401": msg35270, + "33402": msg35271, + "33403": msg35272, + "33404": msg35273, + "33405": msg35274, + "33406": msg35275, + "33407": msg35276, + "33408": msg35277, + "33409": msg35278, + "3341": msg5791, + "33410": msg35279, + "33411": msg35280, + "33412": msg35281, + "33413": msg35282, + "33414": msg35283, + "33415": msg35284, + "33416": msg35285, + "33417": msg35286, + "33418": msg35287, + "33419": msg35288, + "3342": msg5792, + "33420": msg35289, + "33421": msg35290, + "33422": msg35291, + "33423": msg35292, + "33424": msg35293, + "33425": msg35294, + "33426": msg35295, + "33427": msg35296, + "33428": msg35297, + "33429": msg35298, + "3343": msg5793, + "33430": msg35299, + "33431": msg35300, + "33432": msg35301, + "33433": msg35302, + "33434": msg35303, + "33435": msg35304, + "33436": msg35305, + "33437": msg35306, + "33438": msg35307, + "33439": msg35308, + "3344": msg5794, + "33440": msg35309, + "33441": msg35310, + "33442": msg35311, + "33443": msg35312, + "33444": msg35313, + "33445": msg35314, + "33446": msg35315, + "33447": msg35316, + "33448": msg35317, + "33449": msg35318, + "3345": msg5795, + "33450": msg35319, + "33451": msg35320, + "33452": msg35321, + "33453": msg35322, + "33454": msg35323, + "33455": msg35324, + "33456": msg35325, + "33457": msg35326, + "33458": msg35327, + "33459": msg35328, + "3346": msg5796, + "33460": msg35329, + "33461": msg35330, + "33462": msg35331, + "33463": msg35332, + "33464": msg35333, + "33465": msg35334, + "33466": msg35335, + "33467": msg35336, + "33468": msg35337, + "33469": msg35338, + "3347": msg5797, + "33470": msg35339, + "33471": msg35340, + "33472": msg35341, + "33473": msg35342, + "33474": msg35343, + "33475": msg35344, + "33476": msg35345, + "33477": msg35346, + "33478": msg35347, + "3348": msg5798, + "3349": msg5799, + "335": select257, + "3350": msg5800, + "3351": msg5801, + "3352": msg5802, + "3353": msg5803, + "3354": msg5804, + "3355": msg5805, + "3356": msg5806, + "33564": msg35348, + "33565": msg35349, + "33566": msg35350, + "33567": msg35351, + "33568": msg35352, + "33569": msg35353, + "3357": msg5807, + "33570": msg35354, + "33571": msg35355, + "33572": msg35356, + "33573": msg35357, + "33574": msg35358, + "33575": msg35359, + "33576": msg35360, + "33577": msg35361, + "33578": msg35362, + "33579": msg35363, + "3358": msg5808, + "33580": msg35364, + "33581": msg35365, + "33582": msg35366, + "33583": msg35367, + "33584": msg35368, + "33585": msg35369, + "33586": msg35370, + "33587": msg35371, + "33588": msg35372, + "33589": msg35373, + "3359": msg5809, + "33590": msg35374, + "33591": msg35375, + "33592": msg35376, + "33593": msg35377, + "33594": msg35378, + "33595": msg35379, + "33596": msg35380, + "33597": msg35381, + "33598": msg35382, + "33599": msg35383, + "336": select258, + "3360": msg5810, + "33600": msg35384, + "33601": msg35385, + "33602": msg35386, + "33603": msg35387, + "33604": msg35388, + "33605": msg35389, + "33606": msg35390, + "33607": msg35391, + "33608": msg35392, + "33609": msg35393, + "3361": msg5811, + "33610": msg35394, + "33611": msg35395, + "33612": msg35396, + "33613": msg35397, + "33614": msg35398, + "33615": msg35399, + "33618": msg35400, + "33619": msg35401, + "3362": msg5812, + "33620": msg35402, + "33621": msg35403, + "33622": msg35404, + "33623": msg35405, + "33624": msg35406, + "33625": msg35407, + "33626": msg35408, + "33627": msg35409, + "33628": msg35410, + "33629": msg35411, + "3363": msg5813, + "33630": msg35412, + "33631": msg35413, + "33632": msg35414, + "33633": msg35415, + "33634": msg35416, + "33635": msg35417, + "33636": msg35418, + "33637": msg35419, + "33638": msg35420, + "33639": msg35421, + "3364": msg5814, + "33640": msg35422, + "33641": msg35423, + "33642": msg35424, + "33643": msg35425, + "33644": msg35426, + "33645": msg35427, + "33646": msg35428, + "33647": msg35429, + "33648": msg35430, + "33649": msg35431, + "3365": msg5815, + "33650": msg35432, + "33651": msg35433, + "33652": msg35434, + "33653": msg35435, + "33654": msg35436, + "33655": msg35437, + "33656": msg35438, + "33657": msg35439, + "33658": msg35440, + "33659": msg35441, + "3366": msg5816, + "33660": msg35442, + "33661": msg35443, + "33662": msg35444, + "33663": msg35445, + "33664": msg35446, + "33665": msg35447, + "33666": msg35448, + "33667": msg35449, + "33668": msg35450, + "33669": msg35451, + "3367": msg5817, + "33670": msg35452, + "33671": msg35453, + "33672": msg35454, + "33673": msg35455, + "33674": msg35456, + "33675": msg35457, + "33676": msg35458, + "33677": msg35459, + "33678": msg35460, + "33679": msg35461, + "3368": msg5818, + "33680": msg35462, + "33681": msg35463, + "33682": msg35464, + "33683": msg35465, + "33684": msg35466, + "33685": msg35467, + "33686": msg35468, + "33687": msg35469, + "33688": msg35470, + "33689": msg35471, + "3369": msg5819, + "33690": msg35472, + "33691": msg35473, + "33692": msg35474, + "33693": msg35475, + "33694": msg35476, + "33695": msg35477, + "33696": msg35478, + "33697": msg35479, + "33698": msg35480, + "33699": msg35481, + "337": select259, + "3370": msg5820, + "33700": msg35482, + "33701": msg35483, + "33702": msg35484, + "33703": msg35485, + "33704": msg35486, + "33705": msg35487, + "33706": msg35488, + "33707": msg35489, + "33708": msg35490, + "33709": msg35491, + "3371": msg5821, + "33710": msg35492, + "33711": msg35493, + "33712": msg35494, + "33713": msg35495, + "33714": msg35496, + "33715": msg35497, + "33716": msg35498, + "33717": msg35499, + "33718": msg35500, + "33719": msg35501, + "3372": msg5822, + "33720": msg35502, + "33721": msg35503, + "33722": msg35504, + "33723": msg35505, + "33724": msg35506, + "33725": msg35507, + "33726": msg35508, + "33727": msg35509, + "33728": msg35510, + "33729": msg35511, + "3373": msg5823, + "33730": msg35512, + "33731": msg35513, + "33732": msg35514, + "33733": msg35515, + "33734": msg35516, + "33735": msg35517, + "33736": msg35518, + "33737": msg35519, + "33738": msg35520, + "33739": msg35521, + "3374": msg5824, + "33740": msg35522, + "33741": msg35523, + "33742": msg35524, + "33743": msg35525, + "33744": msg35526, + "33745": msg35527, + "33746": msg35528, + "33747": msg35529, + "33748": msg35530, + "33749": msg35531, + "3375": msg5825, + "33750": msg35532, + "33751": msg35533, + "33752": msg35534, + "33753": msg35535, + "33754": msg35536, + "33755": msg35537, + "33756": msg35538, + "33757": msg35539, + "33758": msg35540, + "33759": msg35541, + "3376": msg5826, + "33760": msg35542, + "33761": msg35543, + "33762": msg35544, + "33763": msg35545, + "33764": msg35546, + "33765": msg35547, + "33766": msg35548, + "33767": msg35549, + "33768": msg35550, + "33769": msg35551, + "3377": msg5827, + "33770": msg35552, + "33771": msg35553, + "33772": msg35554, + "33773": msg35555, + "33774": msg35556, + "33775": msg35557, + "33776": msg35558, + "33777": msg35559, + "33778": msg35560, + "33779": msg35561, + "3378": msg5828, + "33780": msg35562, + "33781": msg35563, + "33782": msg35564, + "33783": msg35565, + "33784": msg35566, + "33785": msg35567, + "33786": msg35568, + "33787": msg35569, + "33788": msg35570, + "33789": msg35571, + "3379": msg5829, + "33790": msg35572, + "33791": msg35573, + "33792": msg35574, + "33793": msg35575, + "33794": msg35576, + "33795": msg35577, + "33796": msg35578, + "33797": msg35579, + "33798": msg35580, + "33799": msg35581, + "338": select260, + "3380": msg5830, + "33800": msg35582, + "33801": msg35583, + "33802": msg35584, + "33803": msg35585, + "33804": msg35586, + "33805": msg35587, + "33806": msg35588, + "33807": msg35589, + "33808": msg35590, + "33809": msg35591, + "3381": msg5831, + "33810": msg35592, + "33811": msg35593, + "33812": msg35594, + "33813": msg35595, + "33814": msg35596, + "33815": msg35597, + "33816": msg35598, + "33817": msg35599, + "33818": msg35600, + "33819": msg35601, + "3382": msg5832, + "33820": msg35602, + "33821": msg35603, + "33822": msg35604, + "33823": msg35605, + "33824": msg35606, + "33825": msg35607, + "33826": msg35608, + "33827": msg35609, + "33828": msg35610, + "33829": msg35611, + "3383": msg5833, + "33830": msg35612, + "33831": msg35613, + "33832": msg35614, + "33833": msg35615, + "33834": msg35616, + "33835": msg35617, + "33836": msg35618, + "33837": msg35619, + "33838": msg35620, + "33839": msg35621, + "3384": msg5834, + "33840": msg35622, + "33841": msg35623, + "33842": msg35624, + "33843": msg35625, + "33844": msg35626, + "33845": msg35627, + "33846": msg35628, + "33847": msg35629, + "33848": msg35630, + "33849": msg35631, + "3385": msg5835, + "33850": msg35632, + "33851": msg35633, + "33852": msg35634, + "33853": msg35635, + "33854": msg35636, + "33855": msg35637, + "33856": msg35638, + "33857": msg35639, + "33858": msg35640, + "33859": msg35641, + "3386": msg5836, + "33860": msg35642, + "33861": msg35643, + "33862": msg35644, + "33863": msg35645, + "33864": msg35646, + "33865": msg35647, + "33866": msg35648, + "33867": msg35649, + "33868": msg35650, + "33869": msg35651, + "3387": msg5837, + "33870": msg35652, + "33871": msg35653, + "33872": msg35654, + "33873": msg35655, + "33874": msg35656, + "33875": msg35657, + "33876": msg35658, + "33877": msg35659, + "33878": msg35660, + "33879": msg35661, + "3388": msg5838, + "33880": msg35662, + "33881": msg35663, + "33882": msg35664, + "33883": msg35665, + "33884": msg35666, + "33885": msg35667, + "33886": msg35668, + "33887": msg35669, + "33888": msg35670, + "33889": msg35671, + "3389": msg5839, + "33890": msg35672, + "33891": msg35673, + "33892": msg35674, + "33893": msg35675, + "33894": msg35676, + "33895": msg35677, + "33896": msg35678, + "33897": msg35679, + "33898": msg35680, + "33899": msg35681, + "339": select261, + "3390": msg5840, + "33900": msg35682, + "33901": msg35683, + "33902": msg35684, + "33903": msg35685, + "33904": msg35686, + "33905": msg35687, + "33906": msg35688, + "33907": msg35689, + "33908": msg35690, + "33909": msg35691, + "3391": msg5841, + "33910": msg35692, + "33911": msg35693, + "33912": msg35694, + "33913": msg35695, + "33914": msg35696, + "33915": msg35697, + "33916": msg35698, + "33917": msg35699, + "33918": msg35700, + "33919": msg35701, + "3392": msg5842, + "33920": msg35702, + "33921": msg35703, + "33922": msg35704, + "33923": msg35705, + "33924": msg35706, + "33925": msg35707, + "33926": msg35708, + "33927": msg35709, + "33928": msg35710, + "33929": msg35711, + "3393": msg5843, + "33930": msg35712, + "33931": msg35713, + "33932": msg35714, + "33933": msg35715, + "33934": msg35716, + "33935": msg35717, + "33936": msg35718, + "33937": msg35719, + "33938": msg35720, + "33939": msg35721, + "3394": msg5844, + "33940": msg35722, + "33941": msg35723, + "33942": msg35724, + "33943": msg35725, + "33944": msg35726, + "33945": msg35727, + "33946": msg35728, + "33947": msg35729, + "33948": msg35730, + "33949": msg35731, + "3395": msg5845, + "33950": msg35732, + "33951": msg35733, + "33952": msg35734, + "33953": msg35735, + "33954": msg35736, + "33955": msg35737, + "33956": msg35738, + "33957": msg35739, + "33958": msg35740, + "33959": msg35741, + "3396": msg5846, + "33960": msg35742, + "33961": msg35743, + "33962": msg35744, + "33963": msg35745, + "33964": msg35746, + "33965": msg35747, + "33966": msg35748, + "33967": msg35749, + "33968": msg35750, + "33969": msg35751, + "3397": msg5847, + "33970": msg35752, + "33971": msg35753, + "33972": msg35754, + "33973": msg35755, + "33974": msg35756, + "33975": msg35757, + "33976": msg35758, + "33977": msg35759, + "33978": msg35760, + "33979": msg35761, + "3398": msg5848, + "33980": msg35762, + "33981": msg35763, + "33982": msg35764, + "33983": msg35765, + "33984": msg35766, + "33985": msg35767, + "33986": msg35768, + "33987": msg35769, + "33988": msg35770, + "33989": msg35771, + "3399": msg5849, + "33990": msg35772, + "33991": msg35773, + "33992": msg35774, + "33993": msg35775, + "33994": msg35776, + "33995": msg35777, + "33996": msg35778, + "33997": msg35779, + "33998": msg35780, + "33999": msg35781, + "34": msg65, + "340": select262, + "3400": msg5850, + "34000": msg35782, + "34001": msg35783, + "34002": msg35784, + "34003": msg35785, + "34004": msg35786, + "34005": msg35787, + "34006": msg35788, + "34007": msg35789, + "34008": msg35790, + "34009": msg35791, + "3401": msg5851, + "34010": msg35792, + "34011": msg35793, + "34012": msg35794, + "34013": msg35795, + "34014": msg35796, + "34015": msg35797, + "34016": msg35798, + "34017": msg35799, + "34018": msg35800, + "34019": msg35801, + "3402": msg5852, + "34020": msg35802, + "34021": msg35803, + "34022": msg35804, + "34023": msg35805, + "34024": msg35806, + "34025": msg35807, + "34026": msg35808, + "34027": msg35809, + "34028": msg35810, + "34029": msg35811, + "3403": msg5853, + "34030": msg35812, + "34031": msg35813, + "34032": msg35814, + "34033": msg35815, + "34034": msg35816, + "34035": msg35817, + "34036": msg35818, + "34037": msg35819, + "34038": msg35820, + "34039": msg35821, + "3404": msg5854, + "34040": msg35822, + "34041": msg35823, + "34042": msg35824, + "3404269": msg38426, + "3404272": msg38427, + "34043": msg35825, + "34044": msg35826, + "34045": msg35827, + "34046": msg35828, + "34047": msg35829, + "34048": msg35830, + "34049": msg35831, + "3405": msg5855, + "34050": msg35832, + "34051": msg35833, + "34052": msg35834, + "34053": msg35835, + "34054": msg35836, + "34055": msg35837, + "34056": msg35838, + "34057": msg35839, + "34058": msg35840, + "34059": msg35841, + "3406": msg5856, + "34060": msg35842, + "34061": msg35843, + "34062": msg35844, + "34063": msg35845, + "34064": msg35846, + "34065": msg35847, + "34066": msg35848, + "34067": msg35849, + "34068": msg35850, + "34069": msg35851, + "3407": msg5857, + "34070": msg35852, + "34071": msg35853, + "34072": msg35854, + "34073": msg35855, + "34074": msg35856, + "34075": msg35857, + "34076": msg35858, + "34077": msg35859, + "34078": msg35860, + "34079": msg35861, + "3408": msg5858, + "34080": msg35862, + "34081": msg35863, + "34082": msg35864, + "34083": msg35865, + "34084": msg35866, + "34085": msg35867, + "34086": msg35868, + "34087": msg35869, + "34088": msg35870, + "34089": msg35871, + "3409": msg5859, + "34090": msg35872, + "34091": msg35873, + "34092": msg35874, + "34093": msg35875, + "34094": msg35876, + "34095": msg35877, + "34096": msg35878, + "34097": msg35879, + "34098": msg35880, + "34099": msg35881, + "341": select263, + "3410": msg5860, + "34100": msg35882, + "34101": msg35883, + "34102": msg35884, + "34103": msg35885, + "34104": msg35886, + "34105": msg35887, + "34106": msg35888, + "34107": msg35889, + "34108": msg35890, + "34109": msg35891, + "3411": msg5861, + "34110": msg35892, + "34111": msg35893, + "34112": msg35894, + "34113": msg35895, + "34114": msg35896, + "34115": msg35897, + "34116": msg35898, + "34117": msg35899, + "34118": msg35900, + "34119": msg35901, + "3412": msg5862, + "34120": msg35902, + "34121": msg35903, + "34122": msg35904, + "34123": msg35905, + "34124": msg35906, + "34125": msg35907, + "34126": msg35908, + "34127": msg35909, + "34128": msg35910, + "34129": msg35911, + "3413": msg5863, + "34130": msg35912, + "34131": msg35913, + "34132": msg35914, + "34133": msg35915, + "34134": msg35916, + "34135": msg35917, + "34136": msg35918, + "34137": msg35919, + "34138": msg35920, + "34139": msg35921, + "3414": msg5864, + "34140": msg35922, + "34141": msg35923, + "34142": msg35924, + "34143": msg35925, + "34144": msg35926, + "34145": msg35927, + "34146": msg35928, + "34147": msg35929, + "34148": msg35930, + "34149": msg35931, + "3415": msg5865, + "34150": msg35932, + "34151": msg35933, + "34152": msg35934, + "34153": msg35935, + "34154": msg35936, + "34155": msg35937, + "34156": msg35938, + "34157": msg35939, + "34158": msg35940, + "34159": msg35941, + "3416": msg5866, + "34160": msg35942, + "34161": msg35943, + "34162": msg35944, + "34163": msg35945, + "34164": msg35946, + "34165": msg35947, + "34166": msg35948, + "34167": msg35949, + "34168": msg35950, + "34169": msg35951, + "3417": msg5867, + "34170": msg35952, + "34171": msg35953, + "34172": msg35954, + "34173": msg35955, + "34174": msg35956, + "34175": msg35957, + "34176": msg35958, + "34177": msg35959, + "34178": msg35960, + "34179": msg35961, + "3418": msg5868, + "34180": msg35962, + "34181": msg35963, + "34182": msg35964, + "34183": msg35965, + "34184": msg35966, + "34185": msg35967, + "34186": msg35968, + "34187": msg35969, + "34188": msg35970, + "34189": msg35971, + "3419": msg5869, + "34190": msg35972, + "34191": msg35973, + "34192": msg35974, + "34193": msg35975, + "34194": msg35976, + "34195": msg35977, + "34196": msg35978, + "34197": msg35979, + "34198": msg35980, + "34199": msg35981, + "342": select264, + "3420": msg5870, + "34200": msg35982, + "34201": msg35983, + "34202": msg35984, + "34203": msg35985, + "34204": msg35986, + "34205": msg35987, + "34206": msg35988, + "34207": msg35989, + "34208": msg35990, + "34209": msg35991, + "3421": msg5871, + "34210": msg35992, + "34211": msg35993, + "34212": msg35994, + "34213": msg35995, + "34214": msg35996, + "34215": msg35997, + "34216": msg35998, + "34217": msg35999, + "34218": msg36000, + "34219": msg36001, + "3422": msg5872, + "34220": msg36002, + "34221": msg36003, + "34222": msg36004, + "34223": msg36005, + "34224": msg36006, + "34225": msg36007, + "34226": msg36008, + "34227": msg36009, + "34228": msg36010, + "34229": msg36011, + "3423": msg5873, + "34230": msg36012, + "34231": msg36013, + "34232": msg36014, + "34233": msg36015, + "34234": msg36016, + "34235": msg36017, + "34236": msg36018, + "34237": msg36019, + "34238": msg36020, + "34239": msg36021, + "3424": msg5874, + "34240": msg36022, + "34241": msg36023, + "34242": msg36024, + "34243": msg36025, + "34244": msg36026, + "34245": msg36027, + "34246": msg36028, + "34247": msg36029, + "34248": msg36030, + "34249": msg36031, + "3425": msg5875, + "34250": msg36032, + "34251": msg36033, + "34252": msg36034, + "34253": msg36035, + "34254": msg36036, + "34255": msg36037, + "34256": msg36038, + "34257": msg36039, + "34258": msg36040, + "34259": msg36041, + "3426": msg5876, + "34260": msg36042, + "34261": msg36043, + "34262": msg36044, + "34263": msg36045, + "34264": msg36046, + "34265": msg36047, + "34266": msg36048, + "34267": msg36049, + "34268": msg36050, + "34269": msg36051, + "3427": msg5877, + "34270": msg36052, + "34271": msg36053, + "34272": msg36054, + "34273": msg36055, + "34274": msg36056, + "34275": msg36057, + "34276": msg36058, + "34277": msg36059, + "34278": msg36060, + "34279": msg36061, + "3428": msg5878, + "34280": msg36062, + "34281": msg36063, + "34282": msg36064, + "34283": msg36065, + "34284": msg36066, + "34285": msg36067, + "34286": msg36068, + "34287": msg36069, + "34288": msg36070, + "34289": msg36071, + "3429": msg5879, + "34290": msg36072, + "34291": msg36073, + "34292": msg36074, + "34293": msg36075, + "34294": msg36076, + "34295": msg36077, + "34296": msg36078, + "34297": msg36079, + "34298": msg36080, + "34299": msg36081, + "343": select265, + "3430": msg5880, + "34300": msg36082, + "34301": msg36083, + "34302": msg36084, + "34303": msg36085, + "34304": msg36086, + "34305": msg36087, + "34306": msg36088, + "34307": msg36089, + "34308": msg36090, + "34309": msg36091, + "3431": msg5881, + "34310": msg36092, + "34311": msg36093, + "34312": msg36094, + "34313": msg36095, + "34314": msg36096, + "34315": msg36097, + "34316": msg36098, + "34317": msg36099, + "34318": msg36100, + "34319": msg36101, + "3432": msg5882, + "34320": msg36102, + "34321": msg36103, + "34322": msg36104, + "34323": msg36105, + "34324": msg36106, + "34325": msg36107, + "34326": msg36108, + "34327": msg36109, + "34328": msg36110, + "34329": msg36111, + "3433": msg5883, + "34330": msg36112, + "34331": msg36113, + "34332": msg36114, + "34333": msg36115, + "34334": msg36116, + "34335": msg36117, + "34336": msg36118, + "34337": msg36119, + "34338": msg36120, + "34339": msg36121, + "3434": msg5884, + "34340": msg36122, + "34341": msg36123, + "34342": msg36124, + "34343": msg36125, + "34344": msg36126, + "34345": msg36127, + "34346": msg36128, + "34347": msg36129, + "34348": msg36130, + "34349": msg36131, + "3435": msg5885, + "34350": msg36132, + "34351": msg36133, + "34352": msg36134, + "34353": msg36135, + "34354": msg36136, + "34355": msg36137, + "34356": msg36138, + "34357": msg36139, + "34358": msg36140, + "34359": msg36141, + "3436": msg5886, + "34360": msg36142, + "34361": msg36143, + "34362": msg36144, + "34363": msg36145, + "34364": msg36146, + "34365": msg36147, + "34366": msg36148, + "34367": msg36149, + "34368": msg36150, + "34369": msg36151, + "3437": msg5887, + "34370": msg36152, + "34371": msg36153, + "34372": msg36154, + "34373": msg36155, + "34374": msg36156, + "34375": msg36157, + "34376": msg36158, + "34377": msg36159, + "34378": msg36160, + "34379": msg36161, + "3438": msg5888, + "34380": msg36162, + "34381": msg36163, + "34382": msg36164, + "34383": msg36165, + "34384": msg36166, + "34385": msg36167, + "34386": msg36168, + "34387": msg36169, + "34388": msg36170, + "34389": msg36171, + "3439": msg5889, + "34390": msg36172, + "34391": msg36173, + "34392": msg36174, + "34393": msg36175, + "34394": msg36176, + "34395": msg36177, + "34396": msg36178, + "34397": msg36179, + "34398": msg36180, + "34399": msg36181, + "344": select266, + "3440": msg5890, + "34400": msg36182, + "34401": msg36183, + "34402": msg36184, + "34403": msg36185, + "34404": msg36186, + "34405": msg36187, + "34406": msg36188, + "34407": msg36189, + "34408": msg36190, + "34409": msg36191, + "3441": msg5891, + "34410": msg36192, + "34411": msg36193, + "34412": msg36194, + "34413": msg36195, + "34414": msg36196, + "34415": msg36197, + "34416": msg36198, + "34417": msg36199, + "34418": msg36200, + "34419": msg36201, + "3442": msg5892, + "34420": msg36202, + "34421": msg36203, + "34422": msg36204, + "34423": msg36205, + "34424": msg36206, + "34425": msg36207, + "34426": msg36208, + "34427": msg36209, + "34428": msg36210, + "34429": msg36211, + "3443": msg5893, + "34430": msg36212, + "34431": msg36213, + "34432": msg36214, + "34433": msg36215, + "34434": msg36216, + "34435": msg36217, + "34436": msg36218, + "34437": msg36219, + "34438": msg36220, + "34439": msg36221, + "3444": msg5894, + "34440": msg36222, + "34441": msg36223, + "34442": msg36224, + "34443": msg36225, + "34444": msg36226, + "34445": msg36227, + "34446": msg36228, + "34447": msg36229, + "34448": msg36230, + "34449": msg36231, + "3445": msg5895, + "34450": msg36232, + "34451": msg36233, + "34452": msg36234, + "34453": msg36235, + "34454": msg36236, + "34455": msg36237, + "34456": msg36238, + "34457": msg36239, + "34458": msg36240, + "34459": msg36241, + "3446": msg5896, + "34460": msg36242, + "34461": msg36243, + "34462": msg36244, + "34463": msg36245, + "34464": msg36246, + "34465": msg36247, + "34466": msg36248, + "34467": msg36249, + "34468": msg36250, + "34469": msg36251, + "3447": msg5897, + "34470": msg36252, + "34471": msg36253, + "34472": msg36254, + "34473": msg36255, + "34474": msg36256, + "34475": msg36257, + "34476": msg36258, + "34477": msg36259, + "34478": msg36260, + "34479": msg36261, + "3448": msg5898, + "34480": msg36262, + "34481": msg36263, + "34482": msg36264, + "34483": msg36265, + "34484": msg36266, + "34485": msg36267, + "34486": msg36268, + "34487": msg36269, + "34488": msg36270, + "34489": msg36271, + "3449": msg5899, + "34490": msg36272, + "34491": msg36273, + "34492": msg36274, + "34493": msg36275, + "34494": msg36276, + "34495": msg36277, + "34496": msg36278, + "34497": msg36279, + "34498": msg36280, + "34499": msg36281, + "345": select267, + "3450": msg5900, + "34500": msg36282, + "34501": msg36283, + "34502": msg36284, + "34503": msg36285, + "34504": msg36286, + "34505": msg36287, + "34506": msg36288, + "34507": msg36289, + "34508": msg36290, + "34509": msg36291, + "3451": msg5901, + "34510": msg36292, + "34511": msg36293, + "34512": msg36294, + "34513": msg36295, + "34514": msg36296, + "34515": msg36297, + "34516": msg36298, + "34517": msg36299, + "34518": msg36300, + "34519": msg36301, + "3452": msg5902, + "34520": msg36302, + "34521": msg36303, + "34522": msg36304, + "34523": msg36305, + "34524": msg36306, + "34525": msg36307, + "34526": msg36308, + "34527": msg36309, + "34528": msg36310, + "34529": msg36311, + "3453": msg5903, + "34530": msg36312, + "34531": msg36313, + "34532": msg36314, + "34533": msg36315, + "34534": msg36316, + "34535": msg36317, + "34536": msg36318, + "34537": msg36319, + "34538": msg36320, + "34539": msg36321, + "3454": msg5904, + "34540": msg36322, + "34541": msg36323, + "34542": msg36324, + "34543": msg36325, + "34544": msg36326, + "34545": msg36327, + "34546": msg36328, + "34547": msg36329, + "34548": msg36330, + "34549": msg36331, + "3455": msg5905, + "34550": msg36332, + "34551": msg36333, + "34552": msg36334, + "34553": msg36335, + "34554": msg36336, + "34555": msg36337, + "34556": msg36338, + "34557": msg36339, + "34558": msg36340, + "34559": msg36341, + "3456": msg5906, + "34560": msg36342, + "34561": msg36343, + "34562": msg36344, + "34563": msg36345, + "34564": msg36346, + "34565": msg36347, + "34566": msg36348, + "34567": msg36349, + "34568": msg36350, + "34569": msg36351, + "3457": msg5907, + "34570": msg36352, + "34571": msg36353, + "34572": msg36354, + "34573": msg36355, + "34574": msg36356, + "34575": msg36357, + "34576": msg36358, + "34577": msg36359, + "34578": msg36360, + "34579": msg36361, + "3458": msg5908, + "34580": msg36362, + "34581": msg36363, + "34582": msg36364, + "34583": msg36365, + "34584": msg36366, + "34585": msg36367, + "34586": msg36368, + "34587": msg36369, + "34588": msg36370, + "34589": msg36371, + "3459": msg5909, + "34590": msg36372, + "34591": msg36373, + "34592": msg36374, + "34593": msg36375, + "34594": msg36376, + "34595": msg36377, + "34596": msg36378, + "34597": msg36379, + "34598": msg36380, + "34599": msg36381, + "346": select268, + "3460": msg5910, + "34600": msg36382, + "34601": msg36383, + "34602": msg36384, + "34603": msg36385, + "34604": msg36386, + "34605": msg36387, + "34606": msg36388, + "34607": msg36389, + "34608": msg36390, + "34609": msg36391, + "3461": msg5911, + "34610": msg36392, + "34611": msg36393, + "34612": msg36394, + "34613": msg36395, + "34614": msg36396, + "34615": msg36397, + "34616": msg36398, + "34617": msg36399, + "34618": msg36400, + "34619": msg36401, + "3462": msg5912, + "34620": msg36402, + "34621": msg36403, + "34622": msg36404, + "34623": msg36405, + "34624": msg36406, + "34625": msg36407, + "34626": msg36408, + "34627": msg36409, + "34628": msg36410, + "34629": msg36411, + "3463": msg5913, + "34630": msg36412, + "34631": msg36413, + "34632": msg36414, + "34633": msg36415, + "34634": msg36416, + "34635": msg36417, + "34636": msg36418, + "34637": msg36419, + "34638": msg36420, + "34639": msg36421, + "3464": msg5914, + "34640": msg36422, + "34641": msg36423, + "34642": msg36424, + "34643": msg36425, + "34644": msg36426, + "34645": msg36427, + "34646": msg36428, + "34647": msg36429, + "34648": msg36430, + "34649": msg36431, + "3465": msg5915, + "34650": msg36432, + "34651": msg36433, + "34652": msg36434, + "34653": msg36435, + "34654": msg36436, + "34655": msg36437, + "34656": msg36438, + "34657": msg36439, + "34658": msg36440, + "34659": msg36441, + "3466": msg5916, + "34660": msg36442, + "34661": msg36443, + "34662": msg36444, + "34663": msg36445, + "34664": msg36446, + "34665": msg36447, + "34666": msg36448, + "34667": msg36449, + "34668": msg36450, + "34669": msg36451, + "3467": msg5917, + "34670": msg36452, + "34671": msg36453, + "34672": msg36454, + "34673": msg36455, + "34674": msg36456, + "34675": msg36457, + "34676": msg36458, + "34677": msg36459, + "34678": msg36460, + "34679": msg36461, + "3468": msg5918, + "34680": msg36462, + "34681": msg36463, + "34682": msg36464, + "34683": msg36465, + "34684": msg36466, + "34685": msg36467, + "34686": msg36468, + "34687": msg36469, + "34688": msg36470, + "34689": msg36471, + "3469": msg5919, + "34690": msg36472, + "34691": msg36473, + "34692": msg36474, + "34693": msg36475, + "34694": msg36476, + "34695": msg36477, + "34696": msg36478, + "34697": msg36479, + "34698": msg36480, + "34699": msg36481, + "347": select269, + "3470": msg5920, + "34700": msg36482, + "34701": msg36483, + "34702": msg36484, + "34703": msg36485, + "34704": msg36486, + "34705": msg36487, + "34706": msg36488, + "34707": msg36489, + "34708": msg36490, + "34709": msg36491, + "3471": msg5921, + "34710": msg36492, + "34711": msg36493, + "34712": msg36494, + "34713": msg36495, + "34714": msg36496, + "34715": msg36497, + "34716": msg36498, + "34717": msg36499, + "34718": msg36500, + "34719": msg36501, + "3472": msg5922, + "34720": msg36502, + "34721": msg36503, + "34722": msg36504, + "34723": msg36505, + "34724": msg36506, + "34725": msg36507, + "34726": msg36508, + "34727": msg36509, + "34728": msg36510, + "34729": msg36511, + "3473": msg5923, + "34730": msg36512, + "34731": msg36513, + "34732": msg36514, + "34733": msg36515, + "34734": msg36516, + "34735": msg36517, + "34736": msg36518, + "34737": msg36519, + "34738": msg36520, + "34739": msg36521, + "3474": msg5924, + "34740": msg36522, + "34741": msg36523, + "34742": msg36524, + "34743": msg36525, + "34744": msg36526, + "34745": msg36527, + "34746": msg36528, + "34747": msg36529, + "34748": msg36530, + "34749": msg36531, + "3475": msg5925, + "34750": msg36532, + "34751": msg36533, + "34752": msg36534, + "34753": msg36535, + "34754": msg36536, + "34755": msg36537, + "34756": msg36538, + "34757": msg36539, + "34758": msg36540, + "34759": msg36541, + "3476": msg5926, + "34760": msg36542, + "34761": msg36543, + "34762": msg36544, + "34763": msg36545, + "34764": msg36546, + "34765": msg36547, + "34766": msg36548, + "34767": msg36549, + "34768": msg36550, + "34769": msg36551, + "3477": msg5927, + "34770": msg36552, + "34771": msg36553, + "34772": msg36554, + "34773": msg36555, + "34774": msg36556, + "34775": msg36557, + "34776": msg36558, + "34777": msg36559, + "34778": msg36560, + "34779": msg36561, + "3478": msg5928, + "34780": msg36562, + "34781": msg36563, + "34782": msg36564, + "34783": msg36565, + "34784": msg36566, + "34785": msg36567, + "34786": msg36568, + "34787": msg36569, + "34788": msg36570, + "34789": msg36571, + "3479": msg5929, + "34790": msg36572, + "34791": msg36573, + "34792": msg36574, + "34793": msg36575, + "34794": msg36576, + "34795": msg36577, + "34796": msg36578, + "34797": msg36579, + "34798": msg36580, + "34799": msg36581, + "348": select270, + "3480": msg5930, + "34800": msg36582, + "34801": msg36583, + "34802": msg36584, + "34803": msg36585, + "34804": msg36586, + "34805": msg36587, + "34806": msg36588, + "34807": msg36589, + "34808": msg36590, + "34809": msg36591, + "3481": msg5931, + "34810": msg36592, + "34811": msg36593, + "34812": msg36594, + "34813": msg36595, + "34814": msg36596, + "34815": msg36597, + "34816": msg36598, + "34817": msg36599, + "34818": msg36600, + "34819": msg36601, + "3482": msg5932, + "34820": msg36602, + "34821": msg36603, + "34822": msg36604, + "34823": msg36605, + "34824": msg36606, + "34825": msg36607, + "34826": msg36608, + "34827": msg36609, + "34828": msg36610, + "34829": msg36611, + "3483": msg5933, + "34830": msg36612, + "34831": msg36613, + "34832": msg36614, + "34833": msg36615, + "34834": msg36616, + "34835": msg36617, + "34836": msg36618, + "34837": msg36619, + "34838": msg36620, + "34839": msg36621, + "3484": msg5934, + "34840": msg36622, + "34841": msg36623, + "34842": msg36624, + "34843": msg36625, + "34844": msg36626, + "34845": msg36627, + "34846": msg36628, + "34847": msg36629, + "34848": msg36630, + "34849": msg36631, + "3485": msg5935, + "34850": msg36632, + "34851": msg36633, + "34852": msg36634, + "34853": msg36635, + "34854": msg36636, + "34855": msg36637, + "34856": msg36638, + "34857": msg36639, + "34858": msg36640, + "34859": msg36641, + "3486": msg5936, + "34860": msg36642, + "34861": msg36643, + "34862": msg36644, + "34863": msg36645, + "34864": msg36646, + "34865": msg36647, + "34866": msg36648, + "34867": msg36649, + "34868": msg36650, + "34869": msg36651, + "3487": msg5937, + "34870": msg36652, + "34871": msg36653, + "34872": msg36654, + "34873": msg36655, + "34874": msg36656, + "34875": msg36657, + "34876": msg36658, + "34877": msg36659, + "34878": msg36660, + "34879": msg36661, + "3488": msg5938, + "34880": msg36662, + "34881": msg36663, + "34882": msg36664, + "34883": msg36665, + "34884": msg36666, + "34885": msg36667, + "34886": msg36668, + "34887": msg36669, + "34888": msg36670, + "34889": msg36671, + "3489": msg5939, + "34890": msg36672, + "34891": msg36673, + "34892": msg36674, + "34893": msg36675, + "34894": msg36676, + "34895": msg36677, + "34896": msg36678, + "34897": msg36679, + "34898": msg36680, + "34899": msg36681, + "349": select271, + "3490": msg5940, + "34900": msg36682, + "34901": msg36683, + "34902": msg36684, + "34903": msg36685, + "34904": msg36686, + "34905": msg36687, + "34906": msg36688, + "34907": msg36689, + "34908": msg36690, + "34909": msg36691, + "3491": msg5941, + "34910": msg36692, + "34911": msg36693, + "34912": msg36694, + "34913": msg36695, + "34914": msg36696, + "34915": msg36697, + "34916": msg36698, + "34917": msg36699, + "34918": msg36700, + "34919": msg36701, + "3492": msg5942, + "34920": msg36702, + "34921": msg36703, + "34922": msg36704, + "34923": msg36705, + "34924": msg36706, + "34925": msg36707, + "34926": msg36708, + "34927": msg36709, + "34928": msg36710, + "34929": msg36711, + "3493": msg5943, + "34930": msg36712, + "34931": msg36713, + "34932": msg36714, + "34933": msg36715, + "34934": msg36716, + "34935": msg36717, + "34936": msg36718, + "34937": msg36719, + "34938": msg36720, + "34939": msg36721, + "3494": msg5944, + "34940": msg36722, + "34941": msg36723, + "34942": msg36724, + "34943": msg36725, + "34944": msg36726, + "34945": msg36727, + "34946": msg36728, + "34947": msg36729, + "34948": msg36730, + "34949": msg36731, + "3495": msg5945, + "34950": msg36732, + "34951": msg36733, + "34952": msg36734, + "34953": msg36735, + "34954": msg36736, + "34955": msg36737, + "34956": msg36738, + "34957": msg36739, + "34958": msg36740, + "34959": msg36741, + "3496": msg5946, + "34960": msg36742, + "34961": msg36743, + "34962": msg36744, + "34963": msg36745, + "34964": msg36746, + "34965": msg36747, + "34966": msg36748, + "34967": msg36749, + "34968": msg36750, + "34969": msg36751, + "3497": msg5947, + "34970": msg36752, + "34971": msg36753, + "34972": msg36754, + "34973": msg36755, + "34974": msg36756, + "34975": msg36757, + "34976": msg36758, + "34977": msg36759, + "34978": msg36760, + "34979": msg36761, + "3498": msg5948, + "34980": msg36762, + "34981": msg36763, + "34982": msg36764, + "34983": msg36765, + "34984": msg36766, + "34985": msg36767, + "34986": msg36768, + "34987": msg36769, + "34988": msg36770, + "34989": msg36771, + "3499": msg5949, + "34990": msg36772, + "34991": msg36773, + "34992": msg36774, + "34993": msg36775, + "34994": msg36776, + "34995": msg36777, + "34996": msg36778, + "34997": msg36779, + "34998": msg36780, + "34999": msg36781, + "350": select272, + "3500": msg5950, + "35000": msg36782, + "35001": msg36783, + "35002": msg36784, + "35003": msg36785, + "35004": msg36786, + "35005": msg36787, + "35006": msg36788, + "35007": msg36789, + "35008": msg36790, + "35009": msg36791, + "3501": msg5951, + "35010": msg36792, + "35011": msg36793, + "35012": msg36794, + "35013": msg36795, + "35014": msg36796, + "35015": msg36797, + "35016": msg36798, + "35017": msg36799, + "35018": msg36800, + "35019": msg36801, + "3502": msg5952, + "35020": msg36802, + "35021": msg36803, + "35022": msg36804, + "35023": msg36805, + "35024": msg36806, + "35025": msg36807, + "35026": msg36808, + "35027": msg36809, + "35028": msg36810, + "35029": msg36811, + "3503": msg5953, + "35030": msg36812, + "35031": msg36813, + "35032": msg36814, + "35033": msg36815, + "35034": msg36816, + "35035": msg36817, + "35036": msg36818, + "35037": msg36819, + "35038": msg36820, + "35039": msg36821, + "3504": msg5954, + "35040": msg36822, + "35041": msg36823, + "35042": msg36824, + "35043": msg36825, + "35044": msg36826, + "35045": msg36827, + "35046": msg36828, + "35047": msg36829, + "35048": msg36830, + "35049": msg36831, + "3505": msg5955, + "35050": msg36832, + "35051": msg36833, + "35052": msg36834, + "35053": msg36835, + "3506": msg5956, + "35062": msg36836, + "35063": msg36837, + "35064": msg36838, + "35065": msg36839, + "35066": msg36840, + "35067": msg36841, + "35068": msg36842, + "35069": msg36843, + "3507": msg5957, + "35070": msg36844, + "35071": msg36845, + "35072": msg36846, + "35073": msg36847, + "35074": msg36848, + "35075": msg36849, + "35076": msg36850, + "35077": msg36851, + "35078": msg36852, + "35079": msg36853, + "3508": msg5958, + "35080": msg36854, + "35081": msg36855, + "35082": msg36856, + "35083": msg36857, + "35084": msg36858, + "35085": msg36859, + "35086": msg36860, + "35087": msg36861, + "35088": msg36862, + "35089": msg36863, + "3509": msg5959, + "35090": msg36864, + "35091": msg36865, + "35092": msg36866, + "35093": msg36867, + "35094": msg36868, + "35095": msg36869, + "35096": msg36870, + "35097": msg36871, + "35098": msg36872, + "35099": msg36873, + "351": select273, + "3510": msg5960, + "35100": msg36874, + "35101": msg36875, + "35102": msg36876, + "35103": msg36877, + "35104": msg36878, + "35105": msg36879, + "35106": msg36880, + "35107": msg36881, + "35108": msg36882, + "35109": msg36883, + "3511": msg5961, + "35110": msg36884, + "35111": msg36885, + "35112": msg36886, + "35113": msg36887, + "35114": msg36888, + "35115": msg36889, + "35116": msg36890, + "35117": msg36891, + "35118": msg36892, + "35119": msg36893, + "3512": msg5962, + "35120": msg36894, + "35121": msg36895, + "35122": msg36896, + "35123": msg36897, + "35124": msg36898, + "35125": msg36899, + "35126": msg36900, + "35127": msg36901, + "35128": msg36902, + "35129": msg36903, + "3513": msg5963, + "35130": msg36904, + "35131": msg36905, + "35132": msg36906, + "35133": msg36907, + "35134": msg36908, + "35135": msg36909, + "35136": msg36910, + "35137": msg36911, + "35138": msg36912, + "35139": msg36913, + "3514": msg5964, + "35140": msg36914, + "35141": msg36915, + "35142": msg36916, + "35143": msg36917, + "35144": msg36918, + "35145": msg36919, + "35146": msg36920, + "35147": msg36921, + "35148": msg36922, + "35149": msg36923, + "3515": msg5965, + "35150": msg36924, + "35151": msg36925, + "35152": msg36926, + "35153": msg36927, + "35154": msg36928, + "35155": msg36929, + "35156": msg36930, + "35157": msg36931, + "35158": msg36932, + "35159": msg36933, + "3516": msg5966, + "35160": msg36934, + "35161": msg36935, + "35162": msg36936, + "35163": msg36937, + "35164": msg36938, + "35165": msg36939, + "35166": msg36940, + "35167": msg36941, + "35168": msg36942, + "35169": msg36943, + "3517": msg5967, + "35170": msg36944, + "35171": msg36945, + "35172": msg36946, + "35173": msg36947, + "35174": msg36948, + "35175": msg36949, + "35176": msg36950, + "35177": msg36951, + "35178": msg36952, + "35179": msg36953, + "3518": msg5968, + "35180": msg36954, + "35181": msg36955, + "35182": msg36956, + "35183": msg36957, + "35184": msg36958, + "35185": msg36959, + "35186": msg36960, + "35187": msg36961, + "35188": msg36962, + "35189": msg36963, + "3519": msg5969, + "35190": msg36964, + "35191": msg36965, + "35192": msg36966, + "35193": msg36967, + "35194": msg36968, + "35195": msg36969, + "35196": msg36970, + "35197": msg36971, + "35198": msg36972, + "35199": msg36973, + "352": select274, + "3520": msg5970, + "35200": msg36974, + "35201": msg36975, + "35202": msg36976, + "35203": msg36977, + "35204": msg36978, + "35205": msg36979, + "35206": msg36980, + "35207": msg36981, + "35208": msg36982, + "35209": msg36983, + "3521": msg5971, + "35210": msg36984, + "35211": msg36985, + "35212": msg36986, + "35213": msg36987, + "35214": msg36988, + "35215": msg36989, + "35216": msg36990, + "35217": msg36991, + "35218": msg36992, + "35219": msg36993, + "3522": msg5972, + "35220": msg36994, + "35221": msg36995, + "35222": msg36996, + "35223": msg36997, + "35224": msg36998, + "35225": msg36999, + "35226": msg37000, + "35227": msg37001, + "35228": msg37002, + "35229": msg37003, + "3523": msg5973, + "35230": msg37004, + "35231": msg37005, + "35232": msg37006, + "35233": msg37007, + "35234": msg37008, + "35235": msg37009, + "35236": msg37010, + "35237": msg37011, + "35238": msg37012, + "35239": msg37013, + "3524": msg5974, + "35240": msg37014, + "35241": msg37015, + "35242": msg37016, + "35243": msg37017, + "35244": msg37018, + "35245": msg37019, + "35246": msg37020, + "35247": msg37021, + "35248": msg37022, + "35249": msg37023, + "3525": msg5975, + "35250": msg37024, + "35251": msg37025, + "35252": msg37026, + "35253": msg37027, + "35254": msg37028, + "35255": msg37029, + "35256": msg37030, + "35257": msg37031, + "35258": msg37032, + "35259": msg37033, + "3526": msg5976, + "35260": msg37034, + "35261": msg37035, + "35262": msg37036, + "35263": msg37037, + "35264": msg37038, + "35265": msg37039, + "35266": msg37040, + "35267": msg37041, + "35268": msg37042, + "35269": msg37043, + "3527": msg5977, + "35270": msg37044, + "35271": msg37045, + "35272": msg37046, + "35273": msg37047, + "35274": msg37048, + "35275": msg37049, + "35276": msg37050, + "35277": msg37051, + "35278": msg37052, + "35279": msg37053, + "3528": msg5978, + "35280": msg37054, + "35281": msg37055, + "35282": msg37056, + "35283": msg37057, + "35284": msg37058, + "35285": msg37059, + "35286": msg37060, + "35287": msg37061, + "35288": msg37062, + "35289": msg37063, + "3529": msg5979, + "35290": msg37064, + "35291": msg37065, + "35292": msg37066, + "35293": msg37067, + "35294": msg37068, + "35295": msg37069, + "35296": msg37070, + "35297": msg37071, + "35298": msg37072, + "35299": msg37073, + "353": select275, + "3530": msg5980, + "35300": msg37074, + "35301": msg37075, + "35302": msg37076, + "35303": msg37077, + "35304": msg37078, + "35305": msg37079, + "35306": msg37080, + "35307": msg37081, + "35308": msg37082, + "35309": msg37083, + "3531": msg5981, + "35310": msg37084, + "35311": msg37085, + "35312": msg37086, + "35313": msg37087, + "35314": msg37088, + "35315": msg37089, + "35316": msg37090, + "35317": msg37091, + "35318": msg37092, + "35319": msg37093, + "3532": msg5982, + "35320": msg37094, + "35321": msg37095, + "35322": msg37096, + "35323": msg37097, + "35324": msg37098, + "35325": msg37099, + "35326": msg37100, + "35327": msg37101, + "35328": msg37102, + "35329": msg37103, + "3533": msg5983, + "35330": msg37104, + "35331": msg37105, + "35332": msg37106, + "35333": msg37107, + "35334": msg37108, + "35335": msg37109, + "35336": msg37110, + "35337": msg37111, + "35338": msg37112, + "35339": msg37113, + "3534": msg5984, + "35340": msg37114, + "35341": msg37115, + "35342": msg37116, + "35343": msg37117, + "35344": msg37118, + "35345": msg37119, + "35346": msg37120, + "35347": msg37121, + "35348": msg37122, + "35349": msg37123, + "3535": msg5985, + "35350": msg37124, + "35351": msg37125, + "35352": msg37126, + "35353": msg37127, + "35354": msg37128, + "35355": msg37129, + "35356": msg37130, + "35357": msg37131, + "35358": msg37132, + "35359": msg37133, + "3536": msg5986, + "35360": msg37134, + "35361": msg37135, + "35362": msg37136, + "35363": msg37137, + "35364": msg37138, + "35365": msg37139, + "35366": msg37140, + "35367": msg37141, + "35368": msg37142, + "35369": msg37143, + "3537": msg5987, + "35370": msg37144, + "35371": msg37145, + "35372": msg37146, + "35373": msg37147, + "35374": msg37148, + "35375": msg37149, + "35376": msg37150, + "35377": msg37151, + "35378": msg37152, + "35379": msg37153, + "3538": msg5988, + "35380": msg37154, + "35381": msg37155, + "35382": msg37156, + "35383": msg37157, + "35384": msg37158, + "35385": msg37159, + "35386": msg37160, + "35387": msg37161, + "35388": msg37162, + "35389": msg37163, + "3539": msg5989, + "35390": msg37164, + "35391": msg37165, + "35392": msg37166, + "35393": msg37167, + "35394": msg37168, + "35395": msg37169, + "35396": msg37170, + "35397": msg37171, + "35398": msg37172, + "35399": msg37173, + "354": select276, + "3540": msg5990, + "35400": msg37174, + "35401": msg37175, + "35402": msg37176, + "35403": msg37177, + "35404": msg37178, + "35405": msg37179, + "35406": msg37180, + "35407": msg37181, + "35408": msg37182, + "35409": msg37183, + "3541": msg5991, + "35410": msg37184, + "35411": msg37185, + "35412": msg37186, + "35413": msg37187, + "35414": msg37188, + "35415": msg37189, + "35416": msg37190, + "35417": msg37191, + "35418": msg37192, + "35419": msg37193, + "3542": msg5992, + "35420": msg37194, + "35421": msg37195, + "35422": msg37196, + "35423": msg37197, + "35424": msg37198, + "35425": msg37199, + "35426": msg37200, + "35427": msg37201, + "35428": msg37202, + "35429": msg37203, + "3543": msg5993, + "35430": msg37204, + "35431": msg37205, + "35432": msg37206, + "35433": msg37207, + "35434": msg37208, + "35435": msg37209, + "35436": msg37210, + "35437": msg37211, + "35438": msg37212, + "35439": msg37213, + "3544": msg5994, + "35440": msg37214, + "35441": msg37215, + "35442": msg37216, + "35443": msg37217, + "35444": msg37218, + "35445": msg37219, + "35446": msg37220, + "35447": msg37221, + "35448": msg37222, + "35449": msg37223, + "3545": msg5995, + "35450": msg37224, + "35451": msg37225, + "35452": msg37226, + "35453": msg37227, + "35454": msg37228, + "35455": msg37229, + "35456": msg37230, + "35457": msg37231, + "35458": msg37232, + "35459": msg37233, + "3546": msg5996, + "35460": msg37234, + "35461": msg37235, + "35462": msg37236, + "35463": msg37237, + "35464": msg37238, + "35465": msg37239, + "35466": msg37240, + "35467": msg37241, + "35468": msg37242, + "35469": msg37243, + "3547": msg5997, + "35470": msg37244, + "35471": msg37245, + "35472": msg37246, + "35473": msg37247, + "35474": msg37248, + "35475": msg37249, + "35476": msg37250, + "35477": msg37251, + "35478": msg37252, + "35479": msg37253, + "3548": msg5998, + "35480": msg37254, + "35481": msg37255, + "35482": msg37256, + "35483": msg37257, + "35484": msg37258, + "35485": msg37259, + "35486": msg37260, + "35487": msg37261, + "35488": msg37262, + "35489": msg37263, + "3549": msg5999, + "35490": msg37264, + "35491": msg37265, + "35492": msg37266, + "35493": msg37267, + "35494": msg37268, + "35495": msg37269, + "35496": msg37270, + "35497": msg37271, + "35498": msg37272, + "35499": msg37273, + "355": select277, + "3550": msg6000, + "35500": msg37274, + "35501": msg37275, + "35502": msg37276, + "35503": msg37277, + "35504": msg37278, + "35505": msg37279, + "35506": msg37280, + "35507": msg37281, + "35508": msg37282, + "35509": msg37283, + "3551": msg6001, + "35510": msg37284, + "35511": msg37285, + "35512": msg37286, + "35513": msg37287, + "35514": msg37288, + "35515": msg37289, + "35516": msg37290, + "35517": msg37291, + "35518": msg37292, + "35519": msg37293, + "3552": msg6002, + "35520": msg37294, + "35521": msg37295, + "35522": msg37296, + "35523": msg37297, + "35524": msg37298, + "35525": msg37299, + "35526": msg37300, + "35527": msg37301, + "35528": msg37302, + "35529": msg37303, + "3553": msg6003, + "35530": msg37304, + "35531": msg37305, + "35532": msg37306, + "35533": msg37307, + "35534": msg37308, + "35535": msg37309, + "35536": msg37310, + "35537": msg37311, + "35538": msg37312, + "35539": msg37313, + "3554": msg6004, + "35540": msg37314, + "35541": msg37315, + "35542": msg37316, + "35543": msg37317, + "35544": msg37318, + "35545": msg37319, + "35546": msg37320, + "35547": msg37321, + "35548": msg37322, + "35549": msg37323, + "3555": msg6005, + "35550": msg37324, + "35551": msg37325, + "35552": msg37326, + "35553": msg37327, + "35554": msg37328, + "35555": msg37329, + "35556": msg37330, + "35557": msg37331, + "35558": msg37332, + "35559": msg37333, + "3556": msg6006, + "35560": msg37334, + "35561": msg37335, + "35562": msg37336, + "35563": msg37337, + "35564": msg37338, + "35565": msg37339, + "35566": msg37340, + "35567": msg37341, + "35568": msg37342, + "35569": msg37343, + "3557": msg6007, + "35570": msg37344, + "35571": msg37345, + "35572": msg37346, + "35573": msg37347, + "35574": msg37348, + "35575": msg37349, + "35576": msg37350, + "35577": msg37351, + "35578": msg37352, + "35579": msg37353, + "3558": msg6008, + "35580": msg37354, + "35581": msg37355, + "35582": msg37356, + "35583": msg37357, + "35584": msg37358, + "35585": msg37359, + "35586": msg37360, + "35587": msg37361, + "35588": msg37362, + "35589": msg37363, + "3559": msg6009, + "35590": msg37364, + "35591": msg37365, + "35592": msg37366, + "35593": msg37367, + "35594": msg37368, + "35595": msg37369, + "35596": msg37370, + "35597": msg37371, + "35598": msg37372, + "35599": msg37373, + "356": select278, + "3560": msg6010, + "35600": msg37374, + "35601": msg37375, + "35602": msg37376, + "35603": msg37377, + "35604": msg37378, + "35605": msg37379, + "35606": msg37380, + "35607": msg37381, + "35608": msg37382, + "35609": msg37383, + "3561": msg6011, + "35610": msg37384, + "35611": msg37385, + "35612": msg37386, + "35613": msg37387, + "35614": msg37388, + "35615": msg37389, + "35616": msg37390, + "35617": msg37391, + "35618": msg37392, + "35619": msg37393, + "3562": msg6012, + "35620": msg37394, + "35621": msg37395, + "35622": msg37396, + "35623": msg37397, + "35628": msg37398, + "35629": msg37399, + "3563": msg6013, + "35630": msg37400, + "35631": msg37401, + "35632": msg37402, + "35633": msg37403, + "35634": msg37404, + "35635": msg37405, + "35636": msg37406, + "35637": msg37407, + "35638": msg37408, + "35639": msg37409, + "3564": msg6014, + "35640": msg37410, + "35641": msg37411, + "35642": msg37412, + "35643": msg37413, + "35644": msg37414, + "35645": msg37415, + "35646": msg37416, + "35647": msg37417, + "35648": msg37418, + "35649": msg37419, + "3565": msg6015, + "35650": msg37420, + "35651": msg37421, + "35652": msg37422, + "35653": msg37423, + "35654": msg37424, + "35655": msg37425, + "35656": msg37426, + "35657": msg37427, + "35658": msg37428, + "35659": msg37429, + "3566": msg6016, + "35660": msg37430, + "35661": msg37431, + "35662": msg37432, + "35663": msg37433, + "35664": msg37434, + "35665": msg37435, + "35666": msg37436, + "35667": msg37437, + "35668": msg37438, + "35669": msg37439, + "3567": msg6017, + "35670": msg37440, + "35671": msg37441, + "35672": msg37442, + "35673": msg37443, + "35674": msg37444, + "35675": msg37445, + "35676": msg37446, + "35677": msg37447, + "35678": msg37448, + "35679": msg37449, + "3568": msg6018, + "35680": msg37450, + "35681": msg37451, + "35682": msg37452, + "35683": msg37453, + "35684": msg37454, + "35685": msg37455, + "35686": msg37456, + "35687": msg37457, + "3569": msg6019, + "35691": msg37458, + "35692": msg37459, + "35693": msg37460, + "35694": msg37461, + "35695": msg37462, + "35696": msg37463, + "35697": msg37464, + "35698": msg37465, + "35699": msg37466, + "357": select279, + "3570": msg6020, + "35700": msg37467, + "35701": msg37468, + "35702": msg37469, + "35703": msg37470, + "35704": msg37471, + "35705": msg37472, + "35706": msg37473, + "35707": msg37474, + "35708": msg37475, + "35709": msg37476, + "3571": msg6021, + "35710": msg37477, + "35719": msg37478, + "3572": msg6022, + "35720": msg37479, + "35723": msg37480, + "35724": msg37481, + "3573": msg6023, + "35731": msg37482, + "35732": msg37483, + "35733": msg37484, + "35734": msg37485, + "35735": msg37486, + "35736": msg37487, + "35737": msg37488, + "35738": msg37489, + "35739": msg37490, + "3574": msg6024, + "35740": msg37491, + "35741": msg37492, + "35742": msg37493, + "35743": msg37494, + "35744": msg37495, + "35745": msg37496, + "35746": msg37497, + "35747": msg37498, + "35748": msg37499, + "35749": msg37500, + "3575": msg6025, + "35750": msg37501, + "35751": msg37502, + "35752": msg37503, + "35753": msg37504, + "35754": msg37505, + "35755": msg37506, + "35756": msg37507, + "35757": msg37508, + "35758": msg37509, + "35759": msg37510, + "3576": msg6026, + "35760": msg37511, + "35761": msg37512, + "35762": msg37513, + "35763": msg37514, + "35764": msg37515, + "35765": msg37516, + "35766": msg37517, + "35767": msg37518, + "35768": msg37519, + "35769": msg37520, + "3577": msg6027, + "35770": msg37521, + "35771": msg37522, + "35772": msg37523, + "35779": msg37524, + "3578": msg6028, + "35780": msg37525, + "35781": msg37526, + "35782": msg37527, + "35783": msg37528, + "35784": msg37529, + "35785": msg37530, + "35786": msg37531, + "35787": msg37532, + "35788": msg37533, + "35789": msg37534, + "3579": msg6029, + "35790": msg37535, + "35791": msg37536, + "35792": msg37537, + "35793": msg37538, + "35794": msg37539, + "35795": msg37540, + "35796": msg37541, + "35797": msg37542, + "35798": msg37543, + "35799": msg37544, + "358": select280, + "3580": msg6030, + "35800": msg37545, + "35801": msg37546, + "35802": msg37547, + "35803": msg37548, + "35804": msg37549, + "35805": msg37550, + "35806": msg37551, + "35807": msg37552, + "35808": msg37553, + "35809": msg37554, + "3581": msg6031, + "35810": msg37555, + "35811": msg37556, + "35812": msg37557, + "35813": msg37558, + "35814": msg37559, + "35815": msg37560, + "35816": msg37561, + "35817": msg37562, + "35818": msg37563, + "35819": msg37564, + "3582": msg6032, + "35820": msg37565, + "35821": msg37566, + "35822": msg37567, + "35823": msg37568, + "35824": msg37569, + "35825": msg37570, + "35826": msg37571, + "35827": msg37572, + "3583": msg6033, + "35831": msg37573, + "35836": msg37574, + "35837": msg37575, + "35838": msg37576, + "35839": msg37577, + "3584": msg6034, + "35840": msg37578, + "35841": msg37579, + "35842": msg37580, + "35843": msg37581, + "35844": msg37582, + "35845": msg37583, + "35846": msg37584, + "35847": msg37585, + "35848": msg37586, + "35849": msg37587, + "3585": msg6035, + "35850": msg37588, + "35851": msg37589, + "35852": msg37590, + "35853": msg37591, + "35854": msg37592, + "35855": msg37593, + "35856": msg37594, + "35857": msg37595, + "35858": msg37596, + "35859": msg37597, + "3586": msg6036, + "35860": msg37598, + "35861": msg37599, + "35862": msg37600, + "35863": msg37601, + "35864": msg37602, + "35865": msg37603, + "35866": msg37604, + "35867": msg37605, + "35868": msg37606, + "35869": msg37607, + "3587": msg6037, + "35870": msg37608, + "35871": msg37609, + "35872": msg37610, + "35873": msg37611, + "35874": msg37612, + "35875": msg37613, + "35876": msg37614, + "35877": msg37615, + "35878": msg37616, + "35879": msg37617, + "3588": msg6038, + "35880": msg37618, + "35881": msg37619, + "35882": msg37620, + "35883": msg37621, + "35884": msg37622, + "35885": msg37623, + "35886": msg37624, + "35887": msg37625, + "35888": msg37626, + "35889": msg37627, + "3589": msg6039, + "35890": msg37628, + "35891": msg37629, + "35892": msg37630, + "35893": msg37631, + "35894": msg37632, + "35895": msg37633, + "35896": msg37634, + "35897": msg37635, + "35898": msg37636, + "35899": msg37637, + "359": select281, + "3590": msg6040, + "35900": msg37638, + "35901": msg37639, + "35902": msg37640, + "35903": msg37641, + "35904": msg37642, + "35905": msg37643, + "35906": msg37644, + "35907": msg37645, + "35908": msg37646, + "35909": msg37647, + "3591": msg6041, + "35910": msg37648, + "35911": msg37649, + "35912": msg37650, + "35913": msg37651, + "35914": msg37652, + "35915": msg37653, + "35916": msg37654, + "35917": msg37655, + "35918": msg37656, + "35919": msg37657, + "3592": msg6042, + "35920": msg37658, + "35921": msg37659, + "35922": msg37660, + "35923": msg37661, + "35924": msg37662, + "35925": msg37663, + "35926": msg37664, + "35927": msg37665, + "35928": msg37666, + "35929": msg37667, + "3593": msg6043, + "35930": msg37668, + "35931": msg37669, + "35932": msg37670, + "35933": msg37671, + "35934": msg37672, + "35935": msg37673, + "35936": msg37674, + "35937": msg37675, + "35938": msg37676, + "35939": msg37677, + "3594": msg6044, + "35940": msg37678, + "35941": msg37679, + "35942": msg37680, + "35943": msg37681, + "35944": msg37682, + "35945": msg37683, + "35946": msg37684, + "35947": msg37685, + "35948": msg37686, + "35949": msg37687, + "3595": msg6045, + "35950": msg37688, + "35951": msg37689, + "35952": msg37690, + "35953": msg37691, + "35954": msg37692, + "35955": msg37693, + "35956": msg37694, + "35957": msg37695, + "35958": msg37696, + "35959": msg37697, + "3596": msg6046, + "35960": msg37698, + "35961": msg37699, + "35962": msg37700, + "35963": msg37701, + "35964": msg37702, + "35965": msg37703, + "35966": msg37704, + "35967": msg37705, + "35968": msg37706, + "35969": msg37707, + "3597": msg6047, + "35970": msg37708, + "35971": msg37709, + "35972": msg37710, + "35973": msg37711, + "35974": msg37712, + "35975": msg37713, + "35976": msg37714, + "35977": msg37715, + "35978": msg37716, + "35979": msg37717, + "3598": msg6048, + "35980": msg37718, + "35981": msg37719, + "35982": msg37720, + "35983": msg37721, + "35984": msg37722, + "35985": msg37723, + "35986": msg37724, + "35987": msg37725, + "35988": msg37726, + "35989": msg37727, + "3599": msg6049, + "35990": msg37728, + "35991": msg37729, + "35992": msg37730, + "35993": msg37731, + "35994": msg37732, + "35995": msg37733, + "35996": msg37734, + "35997": msg37735, + "35998": msg37736, + "35999": msg37737, + "360": select282, + "3600": msg6050, + "36000": msg37738, + "36001": msg37739, + "36002": msg37740, + "36003": msg37741, + "36004": msg37742, + "36005": msg37743, + "36006": msg37744, + "36007": msg37745, + "36008": msg37746, + "36009": msg37747, + "3601": msg6051, + "36010": msg37748, + "36011": msg37749, + "36012": msg37750, + "36013": msg37751, + "36014": msg37752, + "36015": msg37753, + "36016": msg37754, + "36017": msg37755, + "36018": msg37756, + "36019": msg37757, + "3602": msg6052, + "36020": msg37758, + "36021": msg37759, + "36022": msg37760, + "36023": msg37761, + "36024": msg37762, + "36025": msg37763, + "36026": msg37764, + "36027": msg37765, + "36028": msg37766, + "36029": msg37767, + "3603": msg6053, + "36030": msg37768, + "36031": msg37769, + "36032": msg37770, + "36033": msg37771, + "36034": msg37772, + "36035": msg37773, + "36036": msg37774, + "36037": msg37775, + "36038": msg37776, + "36039": msg37777, + "3604": msg6054, + "36040": msg37778, + "36041": msg37779, + "36042": msg37780, + "36043": msg37781, + "36044": msg37782, + "36045": msg37783, + "36046": msg37784, + "36047": msg37785, + "36048": msg37786, + "36049": msg37787, + "3605": msg6055, + "36050": msg37788, + "36051": msg37789, + "36052": msg37790, + "36053": msg37791, + "36054": msg37792, + "36055": msg37793, + "36056": msg37794, + "36057": msg37795, + "36058": msg37796, + "36059": msg37797, + "3606": msg6056, + "36060": msg37798, + "36061": msg37799, + "36062": msg37800, + "36063": msg37801, + "36064": msg37802, + "36065": msg37803, + "36066": msg37804, + "36067": msg37805, + "36068": msg37806, + "36069": msg37807, + "3607": msg6057, + "36070": msg37808, + "36071": msg37809, + "36072": msg37810, + "36073": msg37811, + "36074": msg37812, + "36075": msg37813, + "36076": msg37814, + "36077": msg37815, + "36078": msg37816, + "36079": msg37817, + "3608": msg6058, + "36080": msg37818, + "36081": msg37819, + "36082": msg37820, + "36083": msg37821, + "36084": msg37822, + "36085": msg37823, + "36086": msg37824, + "36087": msg37825, + "36088": msg37826, + "36089": msg37827, + "3609": msg6059, + "36090": msg37828, + "36091": msg37829, + "36092": msg37830, + "36093": msg37831, + "36094": msg37832, + "36095": msg37833, + "36096": msg37834, + "36097": msg37835, + "36098": msg37836, + "36099": msg37837, + "361": select283, + "3610": msg6060, + "36100": msg37838, + "36101": msg37839, + "36102": msg37840, + "36103": msg37841, + "36104": msg37842, + "36105": msg37843, + "36106": msg37844, + "36107": msg37845, + "36108": msg37846, + "36109": msg37847, + "3611": msg6061, + "36110": msg37848, + "36111": msg37849, + "36112": msg37850, + "36113": msg37851, + "36114": msg37852, + "36115": msg37853, + "36116": msg37854, + "36117": msg37855, + "36118": msg37856, + "36119": msg37857, + "3612": msg6062, + "36120": msg37858, + "36121": msg37859, + "36122": msg37860, + "36123": msg37861, + "36124": msg37862, + "36125": msg37863, + "36126": msg37864, + "36127": msg37865, + "36128": msg37866, + "36129": msg37867, + "3613": msg6063, + "36130": msg37868, + "36131": msg37869, + "36132": msg37870, + "36133": msg37871, + "36134": msg37872, + "36135": msg37873, + "36136": msg37874, + "36137": msg37875, + "36138": msg37876, + "36139": msg37877, + "3614": msg6064, + "36140": msg37878, + "36141": msg37879, + "36142": msg37880, + "36143": msg37881, + "36144": msg37882, + "36145": msg37883, + "36146": msg37884, + "36147": msg37885, + "36148": msg37886, + "36149": msg37887, + "3615": msg6065, + "36150": msg37888, + "36151": msg37889, + "36152": msg37890, + "36153": msg37891, + "36154": msg37892, + "36155": msg37893, + "36156": msg37894, + "36157": msg37895, + "36158": msg37896, + "36159": msg37897, + "3616": msg6066, + "36160": msg37898, + "36161": msg37899, + "36162": msg37900, + "36163": msg37901, + "36164": msg37902, + "36165": msg37903, + "36166": msg37904, + "36167": msg37905, + "36168": msg37906, + "36169": msg37907, + "3617": msg6067, + "36170": msg37908, + "36171": msg37909, + "36172": msg37910, + "36173": msg37911, + "36174": msg37912, + "36175": msg37913, + "36176": msg37914, + "36177": msg37915, + "36178": msg37916, + "36179": msg37917, + "3618": msg6068, + "36180": msg37918, + "36181": msg37919, + "36182": msg37920, + "36183": msg37921, + "36184": msg37922, + "36185": msg37923, + "36186": msg37924, + "36187": msg37925, + "36188": msg37926, + "36189": msg37927, + "3619": msg6069, + "36190": msg37928, + "36191": msg37929, + "36192": msg37930, + "36193": msg37931, + "36194": msg37932, + "36195": msg37933, + "36196": msg37934, + "36197": msg37935, + "36198": msg37936, + "36199": msg37937, + "362": select284, + "3620": msg6070, + "36200": msg37938, + "36201": msg37939, + "36202": msg37940, + "36203": msg37941, + "36204": msg37942, + "36205": msg37943, + "36206": msg37944, + "36207": msg37945, + "36208": msg37946, + "36209": msg37947, + "3621": msg6071, + "3622": msg6072, + "36224": msg37948, + "3623": msg6073, + "36231": msg37949, + "36232": msg37950, + "36233": msg37951, + "36234": msg37952, + "36235": msg37953, + "36236": msg37954, + "36237": msg37955, + "36238": msg37956, + "36239": msg37957, + "3624": msg6074, + "36240": msg37958, + "36241": msg37959, + "36242": msg37960, + "36243": msg37961, + "36244": msg37962, + "36245": msg37963, + "36246": msg37964, + "36247": msg37965, + "36248": msg37966, + "36249": msg37967, + "3625": msg6075, + "36250": msg37968, + "36251": msg37969, + "36252": msg37970, + "36253": msg37971, + "36254": msg37972, + "36255": msg37973, + "36256": msg37974, + "36257": msg37975, + "36258": msg37976, + "36259": msg37977, + "3626": msg6076, + "36260": msg37978, + "36261": msg37979, + "36262": msg37980, + "36263": msg37981, + "36264": msg37982, + "36265": msg37983, + "36266": msg37984, + "36267": msg37985, + "36268": msg37986, + "36269": msg37987, + "3627": msg6077, + "36270": msg37988, + "36271": msg37989, + "36272": msg37990, + "36273": msg37991, + "36274": msg37992, + "36275": msg37993, + "36276": msg37994, + "36277": msg37995, + "36278": msg37996, + "36279": msg37997, + "3628": msg6078, + "36280": msg37998, + "36281": msg37999, + "36282": msg38000, + "36283": msg38001, + "36284": msg38002, + "36285": msg38003, + "36286": msg38004, + "36287": msg38005, + "36288": msg38006, + "36289": msg38007, + "3629": msg6079, + "36290": msg38008, + "36291": msg38009, + "36292": msg38010, + "36293": msg38011, + "36294": msg38012, + "36295": msg38013, + "36296": msg38014, + "36297": msg38015, + "36298": msg38016, + "36299": msg38017, + "363": select285, + "3630": msg6080, + "36300": msg38018, + "36301": msg38019, + "36302": msg38020, + "36303": msg38021, + "36304": msg38022, + "36305": msg38023, + "36306": msg38024, + "36307": msg38025, + "36308": msg38026, + "36309": msg38027, + "3631": msg6081, + "36310": msg38028, + "36311": msg38029, + "36312": msg38030, + "36313": msg38031, + "36314": msg38032, + "36315": msg38033, + "36316": msg38034, + "36317": msg38035, + "36318": msg38036, + "36319": msg38037, + "3632": msg6082, + "36320": msg38038, + "36321": msg38039, + "36322": msg38040, + "36323": msg38041, + "36324": msg38042, + "36325": msg38043, + "36326": msg38044, + "36327": msg38045, + "36328": msg38046, + "36329": msg38047, + "3633": msg6083, + "36330": msg38048, + "36331": msg38049, + "36332": msg38050, + "36333": msg38051, + "36334": msg38052, + "36335": msg38053, + "36336": msg38054, + "36337": msg38055, + "36338": msg38056, + "36339": msg38057, + "3634": msg6084, + "36340": msg38058, + "36341": msg38059, + "36342": msg38060, + "36343": msg38061, + "36344": msg38062, + "36345": msg38063, + "36346": msg38064, + "36347": msg38065, + "36348": msg38066, + "36349": msg38067, + "3635": msg6085, + "36350": msg38068, + "36351": msg38069, + "36352": msg38070, + "36353": msg38071, + "36354": msg38072, + "36355": msg38073, + "36356": msg38074, + "36357": msg38075, + "36358": msg38076, + "36359": msg38077, + "3636": msg6086, + "36360": msg38078, + "36361": msg38079, + "36362": msg38080, + "36363": msg38081, + "36364": msg38082, + "36365": msg38083, + "36366": msg38084, + "36367": msg38085, + "36368": msg38086, + "36369": msg38087, + "3637": msg6087, + "36370": msg38088, + "36371": msg38089, + "36372": msg38090, + "36373": msg38091, + "36374": msg38092, + "36375": msg38093, + "36376": msg38094, + "36377": msg38095, + "36378": msg38096, + "36379": msg38097, + "3638": msg6088, + "36380": msg38098, + "36381": msg38099, + "36382": msg38100, + "36383": msg38101, + "36384": msg38102, + "36389": msg38103, + "3639": msg6089, + "36390": msg38104, + "36391": msg38105, + "36392": msg38106, + "36393": msg38107, + "36394": msg38108, + "36395": msg38109, + "36396": msg38110, + "36397": msg38111, + "36398": msg38112, + "36399": msg38113, + "364": select286, + "3640": msg6090, + "36400": msg38114, + "36401": msg38115, + "36402": msg38116, + "36403": msg38117, + "36404": msg38118, + "36405": msg38119, + "36406": msg38120, + "36407": msg38121, + "36408": msg38122, + "36409": msg38123, + "3641": msg6091, + "36410": msg38124, + "36411": msg38125, + "36412": msg38126, + "36413": msg38127, + "36414": msg38128, + "36415": msg38129, + "36416": msg38130, + "36417": msg38131, + "36418": msg38132, + "36419": msg38133, + "3642": msg6092, + "36420": msg38134, + "36421": msg38135, + "36422": msg38136, + "36423": msg38137, + "36424": msg38138, + "36425": msg38139, + "36426": msg38140, + "36427": msg38141, + "36428": msg38142, + "36429": msg38143, + "3643": msg6093, + "36430": msg38144, + "36431": msg38145, + "36432": msg38146, + "36433": msg38147, + "36434": msg38148, + "36435": msg38149, + "36436": msg38150, + "36437": msg38151, + "36438": msg38152, + "36439": msg38153, + "3644": msg6094, + "36440": msg38154, + "36441": msg38155, + "36442": msg38156, + "36443": msg38157, + "36444": msg38158, + "36445": msg38159, + "36446": msg38160, + "36447": msg38161, + "36448": msg38162, + "36449": msg38163, + "3645": msg6095, + "36450": msg38164, + "36451": msg38165, + "36452": msg38166, + "36453": msg38167, + "36454": msg38168, + "36455": msg38169, + "36456": msg38170, + "36457": msg38171, + "36458": msg38172, + "36459": msg38173, + "3646": msg6096, + "36460": msg38174, + "36461": msg38175, + "36462": msg38176, + "36463": msg38177, + "36464": msg38178, + "36465": msg38179, + "36466": msg38180, + "36467": msg38181, + "36468": msg38182, + "36469": msg38183, + "3647": msg6097, + "36470": msg38184, + "36471": msg38185, + "36472": msg38186, + "36473": msg38187, + "36474": msg38188, + "36475": msg38189, + "36476": msg38190, + "36477": msg38191, + "36478": msg38192, + "36479": msg38193, + "3648": msg6098, + "36480": msg38194, + "36481": msg38195, + "36482": msg38196, + "36483": msg38197, + "36484": msg38198, + "36485": msg38199, + "36486": msg38200, + "36487": msg38201, + "36488": msg38202, + "36489": msg38203, + "3649": msg6099, + "36490": msg38204, + "36491": msg38205, + "36492": msg38206, + "36493": msg38207, + "36494": msg38208, + "36495": msg38209, + "36496": msg38210, + "36497": msg38211, + "36498": msg38212, + "36499": msg38213, + "365": select287, + "3650": msg6100, + "36500": msg38214, + "36501": msg38215, + "36502": msg38216, + "36503": msg38217, + "36504": msg38218, + "36505": msg38219, + "36506": msg38220, + "36507": msg38221, + "36508": msg38222, + "36509": msg38223, + "3651": msg6101, + "36510": msg38224, + "36511": msg38225, + "36512": msg38226, + "36513": msg38227, + "36514": msg38228, + "36515": msg38229, + "36516": msg38230, + "36517": msg38231, + "36518": msg38232, + "36519": msg38233, + "3652": msg6102, + "36520": msg38234, + "36521": msg38235, + "36522": msg38236, + "36523": msg38237, + "36524": msg38238, + "36525": msg38239, + "36526": msg38240, + "36527": msg38241, + "36528": msg38242, + "36529": msg38243, + "3653": msg6103, + "36530": msg38244, + "36531": msg38245, + "36532": msg38246, + "36533": msg38247, + "36534": msg38248, + "36535": msg38249, + "36536": msg38250, + "36537": msg38251, + "36538": msg38252, + "36539": msg38253, + "3654": msg6104, + "36540": msg38254, + "36541": msg38255, + "36542": msg38256, + "36543": msg38257, + "36544": msg38258, + "36545": msg38259, + "36546": msg38260, + "36547": msg38261, + "36548": msg38262, + "36549": msg38263, + "3655": msg6105, + "36550": msg38264, + "36551": msg38265, + "36552": msg38266, + "36553": msg38267, + "36554": msg38268, + "36555": msg38269, + "36556": msg38270, + "36557": msg38271, + "36558": msg38272, + "36559": msg38273, + "3656": msg6106, + "36560": msg38274, + "36561": msg38275, + "3657": msg6107, + "3658": msg6108, + "3659": msg6109, + "366": select288, + "3660": msg6110, + "3661": msg6111, + "3662": msg6112, + "3663": msg6113, + "3664": msg6114, + "3665": msg6115, + "3666": msg6116, + "3667": msg6117, + "3668": msg6118, + "3669": msg6119, + "3670": msg6120, + "3671": msg6121, + "3672": msg6122, + "3673": msg6123, + "3674": msg6124, + "3675": msg6125, + "3676": msg6126, + "3677": msg6127, + "3678": msg6128, + "3679": msg6129, + "368": select289, + "3680": msg6130, + "3681": msg6131, + "3682": msg6132, + "3683": msg6133, + "3684": msg6134, + "3685": msg6135, + "3686": msg6136, + "3687": msg6137, + "3688": msg6138, + "3689": msg6139, + "369": select290, + "3690": msg6140, + "3691": msg6141, + "3692": msg6142, + "3693": msg6143, + "3694": msg6144, + "3695": msg6145, + "3696": msg6146, + "3697": msg6147, + "3698": msg6148, + "3699": msg6149, + "370": select291, + "3700": msg6150, + "3701": msg6151, + "3702": msg6152, + "3703": msg6153, + "3704": msg6154, + "3705": msg6155, + "3706": msg6156, + "3707": msg6157, + "3708": msg6158, + "3709": msg6159, + "371": select292, + "3710": msg6160, + "3711": msg6161, + "3712": msg6162, + "3713": msg6163, + "3714": msg6164, + "3715": msg6165, + "3716": msg6166, + "3717": msg6167, + "3718": msg6168, + "3719": msg6169, + "372": select293, + "3720": msg6170, + "3721": msg6171, + "3722": msg6172, + "3723": msg6173, + "3724": msg6174, + "3725": msg6175, + "3726": msg6176, + "3727": msg6177, + "3728": msg6178, + "3729": msg6179, + "373": select294, + "3730": msg6180, + "3731": msg6181, + "3732": msg6182, + "3733": msg6183, + "3734": msg6184, + "3735": msg6185, + "3736": msg6186, + "3737": msg6187, + "3738": msg6188, + "3739": msg6189, + "374": select295, + "3740": msg6190, + "3741": msg6191, + "3742": msg6192, + "3743": msg6193, + "3744": msg6194, + "3745": msg6195, + "3746": msg6196, + "3747": msg6197, + "3748": msg6198, + "3749": msg6199, + "375": select296, + "3750": msg6200, + "3751": msg6201, + "3752": msg6202, + "3753": msg6203, + "3754": msg6204, + "3755": msg6205, + "3756": msg6206, + "3757": msg6207, + "3758": msg6208, + "3759": msg6209, + "376": select297, + "3760": msg6210, + "3761": msg6211, + "3762": msg6212, + "3763": msg6213, + "3764": msg6214, + "3765": msg6215, + "3766": msg6216, + "3767": msg6217, + "3768": msg6218, + "3769": msg6219, + "377": select298, + "3770": msg6220, + "3771": msg6221, + "3772": msg6222, + "3773": msg6223, + "3774": msg6224, + "3775": msg6225, + "3776": msg6226, + "3777": msg6227, + "3778": msg6228, + "3779": msg6229, + "378": select299, + "3780": msg6230, + "3781": msg6231, + "3782": msg6232, + "3783": msg6233, + "3784": msg6234, + "3785": msg6235, + "3786": msg6236, + "3787": msg6237, + "3788": msg6238, + "3789": msg6239, + "379": select300, + "3790": msg6240, + "3791": msg6241, + "3792": msg6242, + "3793": msg6243, + "3794": msg6244, + "3795": msg6245, + "3796": msg6246, + "3797": msg6247, + "3798": msg6248, + "3799": msg6249, + "380": select301, + "3800": msg6250, + "3801": msg6251, + "3802": msg6252, + "3803": msg6253, + "3804": msg6254, + "3805": msg6255, + "3806": msg6256, + "3807": msg6257, + "3808": msg6258, + "3809": msg6259, + "381": select302, + "3810": msg6260, + "3811": msg6261, + "3812": msg6262, + "3813": msg6263, + "3814": msg6264, + "3815": msg6265, + "3816": msg6266, + "3817": msg6267, + "3818": msg6268, + "3819": msg6269, + "382": select303, + "3820": msg6270, + "3821": msg6271, + "3822": msg6272, + "3823": msg6273, + "3824": msg6274, + "3825": msg6275, + "3826": msg6276, + "3827": msg6277, + "3828": msg6278, + "3829": msg6279, + "3830": msg6280, + "3831": msg6281, + "3832": msg6282, + "3833": msg6283, + "3834": msg6284, + "3835": msg6285, + "3836": msg6286, + "3837": msg6287, + "3838": msg6288, + "3839": msg6289, + "384": select304, + "3840": msg6290, + "3841": msg6291, + "3842": msg6292, + "3843": msg6293, + "3844": msg6294, + "3845": msg6295, + "3846": msg6296, + "3847": msg6297, + "3848": msg6298, + "3849": msg6299, + "385": select305, + "3850": msg6300, + "3851": msg6301, + "3852": msg6302, + "3853": msg6303, + "3854": msg6304, + "3855": msg6305, + "3856": msg6306, + "3857": msg6307, + "3858": msg6308, + "3859": msg6309, + "386": select306, + "3860": msg6310, + "3861": msg6311, + "3862": msg6312, + "3863": msg6313, + "3864": msg6314, + "3865": msg6315, + "3866": msg6316, + "3867": msg6317, + "3868": msg6318, + "3869": msg6319, + "387": select307, + "3870": msg6320, + "3871": msg6321, + "3872": msg6322, + "3873": msg6323, + "3874": msg6324, + "3875": msg6325, + "3876": msg6326, + "3877": msg6327, + "3878": msg6328, + "3879": msg6329, + "388": select308, + "3880": msg6330, + "3881": msg6331, + "3882": msg6332, + "3883": msg6333, + "3884": msg6334, + "3885": msg6335, + "3886": msg6336, + "3887": msg6337, + "3888": msg6338, + "3889": msg6339, + "389": select309, + "3890": msg6340, + "3891": msg6341, + "3892": msg6342, + "3893": msg6343, + "3894": msg6344, + "3895": msg6345, + "3896": msg6346, + "3897": msg6347, + "3898": msg6348, + "3899": msg6349, + "390": select310, + "3900": msg6350, + "3901": msg6351, + "3902": msg6352, + "3903": msg6353, + "3904": msg6354, + "3905": msg6355, + "3906": msg6356, + "3907": msg6357, + "3908": msg6358, + "3909": msg6359, + "391": select311, + "3910": msg6360, + "3911": msg6361, + "3912": msg6362, + "3913": msg6363, + "3914": msg6364, + "3915": msg6365, + "3916": msg6366, + "3917": msg6367, + "3918": msg6368, + "3919": msg6369, + "392": select312, + "3920": msg6370, + "3921": msg6371, + "3922": msg6372, + "3923": msg6373, + "3924": msg6374, + "3925": msg6375, + "3926": msg6376, + "3927": msg6377, + "3928": msg6378, + "3929": msg6379, + "393": select313, + "3930": msg6380, + "3931": msg6381, + "3932": msg6382, + "3933": msg6383, + "3934": msg6384, + "3935": msg6385, + "3936": msg6386, + "3937": msg6387, + "3938": msg6388, + "3939": msg6389, + "394": select314, + "3940": msg6390, + "3941": msg6391, + "3942": msg6392, + "3943": msg6393, + "3944": msg6394, + "3945": msg6395, + "3946": msg6396, + "3947": msg6397, + "3948": msg6398, + "3949": msg6399, + "395": select315, + "3950": msg6400, + "3951": msg6401, + "3952": msg6402, + "3953": msg6403, + "3954": msg6404, + "3955": msg6405, + "3956": msg6406, + "3957": msg6407, + "3958": msg6408, + "3959": msg6409, + "396": select316, + "3960": msg6410, + "3961": msg6411, + "3962": msg6412, + "3963": msg6413, + "3964": msg6414, + "3965": msg6415, + "3966": msg6416, + "3967": msg6417, + "3968": msg6418, + "3969": msg6419, + "397": select317, + "3970": msg6420, + "3971": msg6421, + "3972": msg6422, + "3973": msg6423, + "3974": msg6424, + "3975": msg6425, + "3976": msg6426, + "3977": msg6427, + "3978": msg6428, + "3979": msg6429, + "398": select318, + "3980": msg6430, + "3981": msg6431, + "3982": msg6432, + "3983": msg6433, + "3984": msg6434, + "3985": msg6435, + "3986": msg6436, + "3987": msg6437, + "3988": msg6438, + "3989": msg6439, + "399": select319, + "3990": msg6440, + "3991": msg6441, + "3992": msg6442, + "3993": msg6443, + "3994": msg6444, + "3995": msg6445, + "3996": msg6446, + "3997": msg6447, + "3998": msg6448, + "3999": msg6449, + "4": select10, + "400": select320, + "4000": msg6450, + "4001": msg6451, + "4002": msg6452, + "4003": msg6453, + "4004": msg6454, + "4005": msg6455, + "4006": msg6456, + "4007": msg6457, + "4008": msg6458, + "4009": msg6459, + "401": select321, + "4010": msg6460, + "4011": msg6461, + "4012": msg6462, + "4013": msg6463, + "4014": msg6464, + "4015": msg6465, + "4016": msg6466, + "4017": msg6467, + "4018": msg6468, + "4019": msg6469, + "402": select322, + "4020": msg6470, + "4021": msg6471, + "4022": msg6472, + "4023": msg6473, + "4024": msg6474, + "4025": msg6475, + "4026": msg6476, + "4027": msg6477, + "4028": msg6478, + "4029": msg6479, + "403": select323, + "4030": msg6480, + "4031": msg6481, + "4032": msg6482, + "4033": msg6483, + "4034": msg6484, + "4035": msg6485, + "4036": msg6486, + "4037": msg6487, + "4038": msg6488, + "4039": msg6489, + "404": select324, + "4040": msg6490, + "4041": msg6491, + "4042": msg6492, + "4043": msg6493, + "4044": msg6494, + "4045": msg6495, + "4046": msg6496, + "4047": msg6497, + "4048": msg6498, + "4049": msg6499, + "405": select325, + "4050": msg6500, + "4051": msg6501, + "4052": msg6502, + "4053": msg6503, + "4054": msg6504, + "4055": msg6505, + "4056": msg6506, + "4057": msg6507, + "4058": msg6508, + "4059": msg6509, + "406": select326, + "4060": msg6510, + "4061": msg6511, + "4062": msg6512, + "4063": msg6513, + "4064": msg6514, + "4065": msg6515, + "4066": msg6516, + "4067": msg6517, + "4068": msg6518, + "4069": msg6519, + "407": select327, + "4070": msg6520, + "4071": msg6521, + "4072": msg6522, + "4073": msg6523, + "4074": msg6524, + "4075": msg6525, + "4076": msg6526, + "4077": msg6527, + "4078": msg6528, + "4079": msg6529, + "408": select328, + "4080": msg6530, + "4081": msg6531, + "4082": msg6532, + "4083": msg6533, + "4084": msg6534, + "4085": msg6535, + "4086": msg6536, + "4087": msg6537, + "4088": msg6538, + "4089": msg6539, + "409": select329, + "4090": msg6540, + "4091": msg6541, + "4092": msg6542, + "4093": msg6543, + "4094": msg6544, + "4095": msg6545, + "4096": msg6546, + "4097": msg6547, + "4098": msg6548, + "4099": msg6549, + "410": select330, + "4100": msg6550, + "4101": msg6551, + "4102": msg6552, + "4103": msg6553, + "4104": msg6554, + "4105": msg6555, + "4106": msg6556, + "4107": msg6557, + "4108": msg6558, + "4109": msg6559, + "411": select331, + "4110": msg6560, + "4111": msg6561, + "4112": msg6562, + "4113": msg6563, + "4114": msg6564, + "4115": msg6565, + "4116": msg6566, + "4117": msg6567, + "4118": msg6568, + "4119": msg6569, + "412": select332, + "4120": msg6570, + "4121": msg6571, + "4122": msg6572, + "4123": msg6573, + "4124": msg6574, + "4125": msg6575, + "4126": msg6576, + "4127": msg6577, + "4128": msg6578, + "4129": msg6579, + "413": select333, + "4130": msg6580, + "4131": msg6581, + "4132": msg6582, + "4133": msg6583, + "4134": msg6584, + "4135": msg6585, + "4136": msg6586, + "414": select334, + "4140": msg6587, + "4141": msg6588, + "4142": msg6589, + "4143": msg6590, + "4144": msg6591, + "4145": msg6592, + "4146": msg6593, + "4147": msg6594, + "4148": msg6595, + "4149": msg6596, + "415": select335, + "4150": msg6597, + "4151": msg6598, + "4152": msg6599, + "4153": msg6600, + "4154": msg6601, + "4155": msg6602, + "4156": msg6603, + "4157": msg6604, + "4158": msg6605, + "4159": msg6606, + "416": select336, + "4160": msg6607, + "4161": msg6608, + "4162": msg6609, + "4163": msg6610, + "4164": msg6611, + "4165": msg6612, + "4166": msg6613, + "4167": msg6614, + "4168": msg6615, + "4169": msg6616, + "417": select337, + "4170": msg6617, + "4171": msg6618, + "4172": msg6619, + "4173": msg6620, + "4174": msg6621, + "4175": msg6622, + "4176": msg6623, + "4177": msg6624, + "4178": msg6625, + "4179": msg6626, + "418": select338, + "4180": msg6627, + "4181": msg6628, + "4182": msg6629, + "4183": msg6630, + "4184": msg6631, + "4185": msg6632, + "4186": msg6633, + "4187": msg6634, + "4188": msg6635, + "4189": msg6636, + "419": select339, + "4190": msg6637, + "4191": msg6638, + "4192": msg6639, + "4193": msg6640, + "4194": msg6641, + "4195": msg6642, + "4196": msg6643, + "4197": msg6644, + "4198": msg6645, + "4199": msg6646, + "420": select340, + "4200": msg6647, + "4201": msg6648, + "4202": msg6649, + "4203": msg6650, + "4204": msg6651, + "4205": msg6652, + "4206": msg6653, + "4207": msg6654, + "4208": msg6655, + "4209": msg6656, + "421": select341, + "4210": msg6657, + "4211": msg6658, + "4212": msg6659, + "4213": msg6660, + "4214": msg6661, + "4215": msg6662, + "4216": msg6663, + "4217": msg6664, + "4218": msg6665, + "4219": msg6666, + "422": select342, + "4220": msg6667, + "4221": msg6668, + "4222": msg6669, + "4223": msg6670, + "4224": msg6671, + "4225": msg6672, + "4226": msg6673, + "4227": msg6674, + "4228": msg6675, + "4229": msg6676, + "423": select343, + "4230": msg6677, + "4231": msg6678, + "4232": msg6679, + "4233": msg6680, + "4234": msg6681, + "4235": msg6682, + "4236": msg6683, + "4237": msg6684, + "4238": msg6685, + "4239": msg6686, + "424": select344, + "4240": msg6687, + "4241": msg6688, + "4242": msg6689, + "4243": msg6690, + "4244": msg6691, + "4245": msg6692, + "4246": msg6693, + "4247": msg6694, + "4248": msg6695, + "4249": msg6696, + "425": select345, + "4250": msg6697, + "4251": msg6698, + "4252": msg6699, + "4253": msg6700, + "4254": msg6701, + "4255": msg6702, + "4256": msg6703, + "4257": msg6704, + "4258": msg6705, + "4259": msg6706, + "426": select346, + "4260": msg6707, + "4261": msg6708, + "4262": msg6709, + "4263": msg6710, + "4264": msg6711, + "4265": msg6712, + "4266": msg6713, + "4267": msg6714, + "4268": msg6715, + "4269": msg6716, + "427": select347, + "4270": msg6717, + "4271": msg6718, + "4272": msg6719, + "4273": msg6720, + "4274": msg6721, + "4275": msg6722, + "4276": msg6723, + "4277": msg6724, + "4278": msg6725, + "4279": msg6726, + "428": select348, + "4280": msg6727, + "4281": msg6728, + "4282": msg6729, + "4283": msg6730, + "4284": msg6731, + "4285": msg6732, + "4286": msg6733, + "4287": msg6734, + "4288": msg6735, + "4289": msg6736, + "429": select349, + "4290": msg6737, + "4291": msg6738, + "4292": msg6739, + "4293": msg6740, + "4294": msg6741, + "4295": msg6742, + "4296": msg6743, + "4297": msg6744, + "4298": msg6745, + "4299": msg6746, + "430": select350, + "4300": msg6747, + "4301": msg6748, + "4302": msg6749, + "4303": msg6750, + "4304": msg6751, + "4305": msg6752, + "4306": msg6753, + "4307": msg6754, + "4308": msg6755, + "4309": msg6756, + "431": select351, + "4310": msg6757, + "4311": msg6758, + "4312": msg6759, + "4313": msg6760, + "4314": msg6761, + "4315": msg6762, + "4316": msg6763, + "4317": msg6764, + "4318": msg6765, + "4319": msg6766, + "432": select352, + "4320": msg6767, + "4321": msg6768, + "4322": msg6769, + "4323": msg6770, + "4324": msg6771, + "4325": msg6772, + "4326": msg6773, + "4327": msg6774, + "4328": msg6775, + "4329": msg6776, + "433": select353, + "4330": msg6777, + "4331": msg6778, + "4332": msg6779, + "4333": msg6780, + "4334": msg6781, + "4335": msg6782, + "4336": msg6783, + "4337": msg6784, + "4338": msg6785, + "4339": msg6786, + "4340": msg6787, + "4341": msg6788, + "4342": msg6789, + "4343": msg6790, + "4344": msg6791, + "4345": msg6792, + "4346": msg6793, + "4347": msg6794, + "4348": msg6795, + "4349": msg6796, + "4350": msg6797, + "4351": msg6798, + "4352": msg6799, + "4353": msg6800, + "4354": msg6801, + "4355": msg6802, + "4356": msg6803, + "4357": msg6804, + "4358": msg6805, + "4359": msg6806, + "436": select354, + "4360": msg6807, + "4361": msg6808, + "4362": msg6809, + "4363": msg6810, + "4364": msg6811, + "4365": msg6812, + "4366": msg6813, + "4367": msg6814, + "4368": msg6815, + "4369": msg6816, + "437": select355, + "4370": msg6817, + "4371": msg6818, + "4372": msg6819, + "4373": msg6820, + "4374": msg6821, + "4375": msg6822, + "4376": msg6823, + "4377": msg6824, + "4378": msg6825, + "4379": msg6826, + "438": select356, + "4380": msg6827, + "4381": msg6828, + "4382": msg6829, + "4383": msg6830, + "4384": msg6831, + "4385": msg6832, + "4386": msg6833, + "4387": msg6834, + "4388": msg6835, + "4389": msg6836, + "439": select357, + "4390": msg6837, + "4391": msg6838, + "4392": msg6839, + "4393": msg6840, + "4394": msg6841, + "4395": msg6842, + "4396": msg6843, + "4397": msg6844, + "4398": msg6845, + "4399": msg6846, + "440": select358, + "4400": msg6847, + "4401": msg6848, + "4402": msg6849, + "4403": msg6850, + "4404": msg6851, + "4405": msg6852, + "4406": msg6853, + "4407": msg6854, + "4408": msg6855, + "4409": msg6856, + "441": select359, + "4410": msg6857, + "4411": msg6858, + "4412": msg6859, + "4413": msg6860, + "4414": msg6861, + "4415": msg6862, + "4416": msg6863, + "4417": msg6864, + "4418": msg6865, + "4419": msg6866, + "4420": msg6867, + "4421": msg6868, + "4422": msg6869, + "4423": msg6870, + "4424": msg6871, + "4425": msg6872, + "4426": msg6873, + "4427": msg6874, + "4428": msg6875, + "4429": msg6876, + "443": select360, + "4430": msg6877, + "4431": msg6878, + "4432": msg6879, + "4433": msg6880, + "4434": msg6881, + "4435": msg6882, + "4436": msg6883, + "4437": msg6884, + "4438": msg6885, + "4439": msg6886, + "4440": msg6887, + "4441": msg6888, + "4442": msg6889, + "4443": msg6890, + "4444": msg6891, + "4445": msg6892, + "4446": msg6893, + "4447": msg6894, + "4448": msg6895, + "4449": msg6896, + "445": select361, + "4450": msg6897, + "4451": msg6898, + "4452": msg6899, + "4453": msg6900, + "4454": msg6901, + "4455": msg6902, + "4456": msg6903, + "4457": msg6904, + "4458": msg6905, + "4459": msg6906, + "446": select362, + "4460": msg6907, + "4461": msg6908, + "4462": msg6909, + "4463": msg6910, + "4464": msg6911, + "4465": msg6912, + "4466": msg6913, + "4467": msg6914, + "4468": msg6915, + "4469": msg6916, + "4470": msg6917, + "4471": msg6918, + "4472": msg6919, + "4473": msg6920, + "4474": msg6921, + "4475": msg6922, + "4476": msg6923, + "4477": msg6924, + "4478": msg6925, + "4479": msg6926, + "448": select363, + "4480": msg6927, + "4481": msg6928, + "4482": msg6929, + "4483": msg6930, + "4484": msg6931, + "4485": msg6932, + "4486": msg6933, + "4487": msg6934, + "4488": msg6935, + "4489": msg6936, + "449": select364, + "4490": msg6937, + "4491": msg6938, + "4492": msg6939, + "4493": msg6940, + "4494": msg6941, + "4495": msg6942, + "4496": msg6943, + "4497": msg6944, + "4498": msg6945, + "4499": msg6946, + "45": msg66, + "450": select365, + "4500": msg6947, + "4501": msg6948, + "4502": msg6949, + "4503": msg6950, + "4504": msg6951, + "4505": msg6952, + "4506": msg6953, + "4507": msg6954, + "4508": msg6955, + "4509": msg6956, + "451": select366, + "4510": msg6957, + "4511": msg6958, + "4512": msg6959, + "4513": msg6960, + "4514": msg6961, + "4515": msg6962, + "4516": msg6963, + "4517": msg6964, + "4518": msg6965, + "4519": msg6966, + "452": select367, + "4520": msg6967, + "4521": msg6968, + "4522": msg6969, + "4523": msg6970, + "4524": msg6971, + "4525": msg6972, + "4526": msg6973, + "4527": msg6974, + "4528": msg6975, + "4529": msg6976, + "453": select368, + "4530": msg6977, + "4531": msg6978, + "4532": msg6979, + "4533": msg6980, + "4534": msg6981, + "4535": msg6982, + "4536": msg6983, + "4537": msg6984, + "4538": msg6985, + "4539": msg6986, + "454": select369, + "4540": msg6987, + "4541": msg6988, + "4542": msg6989, + "4543": msg6990, + "4544": msg6991, + "4545": msg6992, + "4546": msg6993, + "4547": msg6994, + "4548": msg6995, + "4549": msg6996, + "455": select370, + "4550": msg6997, + "4551": msg6998, + "4552": msg6999, + "4553": msg7000, + "4554": msg7001, + "4555": msg7002, + "4556": msg7003, + "4557": msg7004, + "4558": msg7005, + "4559": msg7006, + "456": select371, + "4560": msg7007, + "4561": msg7008, + "4562": msg7009, + "4563": msg7010, + "4564": msg7011, + "4565": msg7012, + "4566": msg7013, + "4567": msg7014, + "4568": msg7015, + "4569": msg7016, + "457": select372, + "4570": msg7017, + "4571": msg7018, + "4572": msg7019, + "4573": msg7020, + "4574": msg7021, + "4575": msg7022, + "4576": msg7023, + "4577": msg7024, + "4578": msg7025, + "4579": msg7026, + "458": select373, + "4580": msg7027, + "4581": msg7028, + "4582": msg7029, + "4583": msg7030, + "4584": msg7031, + "4585": msg7032, + "4586": msg7033, + "4587": msg7034, + "4588": msg7035, + "4589": msg7036, + "459": select374, + "4590": msg7037, + "4591": msg7038, + "4592": msg7039, + "4593": msg7040, + "4594": msg7041, + "4595": msg7042, + "4596": msg7043, + "4597": msg7044, + "4598": msg7045, + "4599": msg7046, + "46": select25, + "460": select375, + "4600": msg7047, + "4601": msg7048, + "4602": msg7049, + "4603": msg7050, + "4604": msg7051, + "4605": msg7052, + "4606": msg7053, + "4607": msg7054, + "4608": msg7055, + "4609": msg7056, + "461": select376, + "4610": msg7057, + "4611": msg7058, + "4612": msg7059, + "4613": msg7060, + "4614": msg7061, + "4615": msg7062, + "4616": msg7063, + "4617": msg7064, + "4618": msg7065, + "4619": msg7066, + "462": select377, + "4620": msg7067, + "4621": msg7068, + "4622": msg7069, + "4623": msg7070, + "4624": msg7071, + "4625": msg7072, + "4626": msg7073, + "4627": msg7074, + "4628": msg7075, + "4629": msg7076, + "463": select378, + "4630": msg7077, + "4631": msg7078, + "4632": msg7079, + "4633": msg7080, + "4634": msg7081, + "4635": msg7082, + "4636": msg7083, + "4637": msg7084, + "4638": msg7085, + "4639": msg7086, + "4640": msg7087, + "4641": msg7088, + "4642": msg7089, + "4643": msg7090, + "4644": msg7091, + "4645": msg7092, + "4646": msg7093, + "4647": msg7094, + "4648": msg7095, + "4649": msg7096, + "465": select379, + "4650": msg7097, + "4651": msg7098, + "4652": msg7099, + "4653": msg7100, + "4654": msg7101, + "4655": msg7102, + "4656": msg7103, + "4657": msg7104, + "4658": msg7105, + "4659": msg7106, + "466": select380, + "4660": msg7107, + "4661": msg7108, + "4662": msg7109, + "4663": msg7110, + "4664": msg7111, + "4665": msg7112, + "4666": msg7113, + "4667": msg7114, + "4668": msg7115, + "4669": msg7116, + "467": select381, + "4670": msg7117, + "4671": msg7118, + "4672": msg7119, + "4673": msg7120, + "4674": msg7121, + "4675": msg7122, + "4676": msg7123, + "4677": msg7124, + "4678": msg7125, + "4679": msg7126, + "4680": msg7127, + "4681": msg7128, + "4682": msg7129, + "4683": msg7130, + "4684": msg7131, + "4685": msg7132, + "4686": msg7133, + "4687": msg7134, + "4688": msg7135, + "4689": msg7136, + "469": select382, + "4690": msg7137, + "4691": msg7138, + "4692": msg7139, + "4693": msg7140, + "4694": msg7141, + "4695": msg7142, + "4696": msg7143, + "4697": msg7144, + "4698": msg7145, + "4699": msg7146, + "47": select26, + "4700": msg7147, + "4701": msg7148, + "4702": msg7149, + "4703": msg7150, + "4704": msg7151, + "4705": msg7152, + "4706": msg7153, + "4707": msg7154, + "4708": msg7155, + "4709": msg7156, + "471": select383, + "4710": msg7157, + "4711": msg7158, + "4712": msg7159, + "4713": msg7160, + "4714": msg7161, + "4715": msg7162, + "4716": msg7163, + "4717": msg7164, + "4718": msg7165, + "4719": msg7166, + "472": select384, + "4720": msg7167, + "4721": msg7168, + "4722": msg7169, + "4723": msg7170, + "4724": msg7171, + "4725": msg7172, + "4726": msg7173, + "4727": msg7174, + "4728": msg7175, + "4729": msg7176, + "473": select385, + "4730": msg7177, + "4731": msg7178, + "4732": msg7179, + "4733": msg7180, + "4734": msg7181, + "4735": msg7182, + "4736": msg7183, + "4737": msg7184, + "4738": msg7185, + "4739": msg7186, + "474": select386, + "4740": msg7187, + "4741": msg7188, + "4742": msg7189, + "4743": msg7190, + "4744": msg7191, + "4745": msg7192, + "4746": msg7193, + "4747": msg7194, + "4748": msg7195, + "4749": msg7196, + "475": select387, + "4750": msg7197, + "4751": msg7198, + "4752": msg7199, + "4753": msg7200, + "4754": msg7201, + "4755": msg7202, + "4756": msg7203, + "4757": msg7204, + "4758": msg7205, + "4759": msg7206, + "476": select388, + "4760": msg7207, + "4761": msg7208, + "4762": msg7209, + "4763": msg7210, + "4764": msg7211, + "4765": msg7212, + "4766": msg7213, + "4767": msg7214, + "4768": msg7215, + "4769": msg7216, + "477": select389, + "4770": msg7217, + "4771": msg7218, + "4772": msg7219, + "4773": msg7220, + "4774": msg7221, + "4775": msg7222, + "4776": msg7223, + "4777": msg7224, + "4778": msg7225, + "4779": msg7226, + "478": select390, + "4780": msg7227, + "4781": msg7228, + "4782": msg7229, + "4783": msg7230, + "4784": msg7231, + "4785": msg7232, + "4786": msg7233, + "4787": msg7234, + "4788": msg7235, + "4789": msg7236, + "4790": msg7237, + "4791": msg7238, + "4792": msg7239, + "4793": msg7240, + "4794": msg7241, + "4795": msg7242, + "4796": msg7243, + "4797": msg7244, + "4798": msg7245, + "4799": msg7246, + "480": select391, + "4800": msg7247, + "4801": msg7248, + "4802": msg7249, + "4803": msg7250, + "4804": msg7251, + "4805": msg7252, + "4806": msg7253, + "4807": msg7254, + "4808": msg7255, + "4809": msg7256, + "481": select392, + "4810": msg7257, + "4811": msg7258, + "4812": msg7259, + "4813": msg7260, + "4814": msg7261, + "4815": msg7262, + "4816": msg7263, + "4817": msg7264, + "4818": msg7265, + "4819": msg7266, + "482": select393, + "4820": msg7267, + "4821": msg7268, + "4822": msg7269, + "4823": msg7270, + "4824": msg7271, + "4825": msg7272, + "4826": msg7273, + "4827": msg7274, + "4828": msg7275, + "4829": msg7276, + "483": select394, + "4830": msg7277, + "4831": msg7278, + "4832": msg7279, + "4833": msg7280, + "4834": msg7281, + "4835": msg7282, + "4836": msg7283, + "4837": msg7284, + "4838": msg7285, + "4839": msg7286, + "484": select395, + "4840": msg7287, + "4841": msg7288, + "4842": msg7289, + "4843": msg7290, + "4844": msg7291, + "4845": msg7292, + "4846": msg7293, + "4847": msg7294, + "4848": msg7295, + "4849": msg7296, + "485": select396, + "4850": msg7297, + "4851": msg7298, + "4852": msg7299, + "4853": msg7300, + "4854": msg7301, + "4855": msg7302, + "4856": msg7303, + "4857": msg7304, + "4858": msg7305, + "4859": msg7306, + "486": select397, + "4860": msg7307, + "4861": msg7308, + "4862": msg7309, + "4863": msg7310, + "4864": msg7311, + "4865": msg7312, + "4866": msg7313, + "4867": msg7314, + "4868": msg7315, + "4869": msg7316, + "487": select398, + "4870": msg7317, + "4871": msg7318, + "4872": msg7319, + "4873": msg7320, + "4874": msg7321, + "4875": msg7322, + "4876": msg7323, + "4877": msg7324, + "4878": msg7325, + "4879": msg7326, + "488": select399, + "4880": msg7327, + "4881": msg7328, + "4882": msg7329, + "4883": msg7330, + "4884": msg7331, + "4885": msg7332, + "4886": msg7333, + "4887": msg7334, + "4888": msg7335, + "4889": msg7336, + "489": select400, + "4890": msg7337, + "4891": msg7338, + "4892": msg7339, + "4893": msg7340, + "4894": msg7341, + "4895": msg7342, + "4896": msg7343, + "4897": msg7344, + "4898": msg7345, + "4899": msg7346, + "490": select401, + "4900": msg7347, + "4901": msg7348, + "4902": msg7349, + "4903": msg7350, + "4904": msg7351, + "4905": msg7352, + "4906": msg7353, + "4907": msg7354, + "4908": msg7355, + "4909": msg7356, + "491": msg923, + "4910": msg7357, + "4911": msg7358, + "4912": msg7359, + "4913": msg7360, + "4914": msg7361, + "4915": msg7362, + "4916": msg7363, + "4917": msg7364, + "4918": msg7365, + "4919": msg7366, + "492": select402, + "4920": msg7367, + "4921": msg7368, + "4922": msg7369, + "4923": msg7370, + "4924": msg7371, + "4925": msg7372, + "4926": msg7373, + "4927": msg7374, + "4928": msg7375, + "4929": msg7376, + "493": select403, + "4930": msg7377, + "4931": msg7378, + "4932": msg7379, + "4933": msg7380, + "4934": msg7381, + "4935": msg7382, + "4936": msg7383, + "4937": msg7384, + "4938": msg7385, + "4939": msg7386, + "494": select404, + "4940": msg7387, + "4941": msg7388, + "4942": msg7389, + "4943": msg7390, + "4944": msg7391, + "4945": msg7392, + "4946": msg7393, + "4947": msg7394, + "4948": msg7395, + "4949": msg7396, + "495": select405, + "4950": msg7397, + "4951": msg7398, + "4952": msg7399, + "4953": msg7400, + "4954": msg7401, + "4955": msg7402, + "4956": msg7403, + "4957": msg7404, + "4958": msg7405, + "4959": msg7406, + "496": select406, + "4960": msg7407, + "4961": msg7408, + "4962": msg7409, + "4963": msg7410, + "4964": msg7411, + "4965": msg7412, + "4966": msg7413, + "4967": msg7414, + "4968": msg7415, + "4969": msg7416, + "497": select407, + "4970": msg7417, + "4971": msg7418, + "4972": msg7419, + "4973": msg7420, + "4974": msg7421, + "4975": msg7422, + "4976": msg7423, + "4977": msg7424, + "4978": msg7425, + "4979": msg7426, + "498": select408, + "4980": msg7427, + "4981": msg7428, + "4982": msg7429, + "4983": msg7430, + "4984": msg7431, + "4985": msg7432, + "4986": msg7433, + "4987": msg7434, + "4988": msg7435, + "4989": msg7436, + "499": select409, + "4990": msg7437, + "4991": msg7438, + "4992": msg7439, + "4993": msg7440, + "4994": msg7441, + "4995": msg7442, + "4996": msg7443, + "4997": msg7444, + "4998": msg7445, + "4999": msg7446, + "5": msg26, + "500": select410, + "5000": msg7447, + "5001": msg7448, + "5002": msg7449, + "5003": msg7450, + "5004": msg7451, + "5005": msg7452, + "5006": msg7453, + "5007": msg7454, + "5008": msg7455, + "5009": msg7456, + "501": select411, + "5010": msg7457, + "5011": msg7458, + "5012": msg7459, + "5013": msg7460, + "5014": msg7461, + "5015": msg7462, + "5016": msg7463, + "5017": msg7464, + "5018": msg7465, + "5019": msg7466, + "502": select412, + "5020": msg7467, + "5021": msg7468, + "5022": msg7469, + "5023": msg7470, + "5024": msg7471, + "5025": msg7472, + "5026": msg7473, + "5027": msg7474, + "5028": msg7475, + "5029": msg7476, + "503": select413, + "5030": msg7477, + "5031": msg7478, + "5032": msg7479, + "5033": msg7480, + "5034": msg7481, + "5035": msg7482, + "5036": msg7483, + "5037": msg7484, + "5038": msg7485, + "5039": msg7486, + "504": select414, + "5040": msg7487, + "5041": msg7488, + "5042": msg7489, + "5043": msg7490, + "5044": msg7491, + "5045": msg7492, + "5046": msg7493, + "5047": msg7494, + "5048": msg7495, + "5049": msg7496, + "505": select415, + "5050": msg7497, + "5051": msg7498, + "5052": msg7499, + "5053": msg7500, + "5054": msg7501, + "5055": msg7502, + "5056": msg7503, + "5057": msg7504, + "5058": msg7505, + "5059": msg7506, + "506": select416, + "5060": msg7507, + "5061": msg7508, + "5062": msg7509, + "5063": msg7510, + "5064": msg7511, + "5065": msg7512, + "5066": msg7513, + "5067": msg7514, + "5068": msg7515, + "5069": msg7516, + "507": select417, + "5070": msg7517, + "5071": msg7518, + "5072": msg7519, + "5073": msg7520, + "5074": msg7521, + "5075": msg7522, + "5076": msg7523, + "5077": msg7524, + "5078": msg7525, + "5079": msg7526, + "508": select418, + "5080": msg7527, + "5081": msg7528, + "5082": msg7529, + "5083": msg7530, + "5084": msg7531, + "5085": msg7532, + "5086": msg7533, + "5087": msg7534, + "5088": msg7535, + "5089": msg7536, + "509": select419, + "5090": msg7537, + "5091": msg7538, + "5092": msg7539, + "5093": msg7540, + "5094": msg7541, + "5095": msg7542, + "5096": msg7543, + "5097": msg7544, + "5098": msg7545, + "5099": msg7546, + "510": select420, + "5100": msg7547, + "5101": msg7548, + "5102": msg7549, + "5103": msg7550, + "5104": msg7551, + "5105": msg7552, + "5106": msg7553, + "5107": msg7554, + "5108": msg7555, + "5109": msg7556, + "511": select421, + "5110": msg7557, + "5111": msg7558, + "5112": msg7559, + "5113": msg7560, + "5114": msg7561, + "5115": msg7562, + "5116": msg7563, + "5117": msg7564, + "5118": msg7565, + "5119": msg7566, + "512": select422, + "5120": msg7567, + "5121": msg7568, + "5122": msg7569, + "5123": msg7570, + "5124": msg7571, + "5125": msg7572, + "5126": msg7573, + "5127": msg7574, + "5128": msg7575, + "5129": msg7576, + "513": select423, + "5130": msg7577, + "5131": msg7578, + "5132": msg7579, + "5133": msg7580, + "5134": msg7581, + "5135": msg7582, + "5136": msg7583, + "5137": msg7584, + "5138": msg7585, + "5139": msg7586, + "514": select424, + "5140": msg7587, + "5141": msg7588, + "5142": msg7589, + "5143": msg7590, + "5144": msg7591, + "5145": msg7592, + "5146": msg7593, + "5147": msg7594, + "5148": msg7595, + "5149": msg7596, + "5150": msg7597, + "5151": msg7598, + "5152": msg7599, + "5153": msg7600, + "5154": msg7601, + "5155": msg7602, + "5156": msg7603, + "5157": msg7604, + "5158": msg7605, + "5159": msg7606, + "516": select425, + "5160": msg7607, + "5161": msg7608, + "5162": msg7609, + "5163": msg7610, + "5164": msg7611, + "5165": msg7612, + "5166": msg7613, + "5167": msg7614, + "5168": msg7615, + "5169": msg7616, + "517": select426, + "5170": msg7617, + "5171": msg7618, + "5172": msg7619, + "5173": msg7620, + "5174": msg7621, + "5175": msg7622, + "5176": msg7623, + "5177": msg7624, + "5178": msg7625, + "5179": msg7626, + "518": select427, + "5180": msg7627, + "5181": msg7628, + "5182": msg7629, + "5183": msg7630, + "5184": msg7631, + "5185": msg7632, + "5186": msg7633, + "5187": msg7634, + "5188": msg7635, + "5189": msg7636, + "519": select428, + "5190": msg7637, + "5191": msg7638, + "5192": msg7639, + "5193": msg7640, + "5194": msg7641, + "5195": msg7642, + "5196": msg7643, + "5197": msg7644, + "5198": msg7645, + "5199": msg7646, + "520": select429, + "5200": msg7647, + "5201": msg7648, + "5202": msg7649, + "5203": msg7650, + "5204": msg7651, + "5205": msg7652, + "5206": msg7653, + "5207": msg7654, + "5208": msg7655, + "5209": msg7656, + "521": select430, + "5210": msg7657, + "5211": msg7658, + "5212": msg7659, + "5213": msg7660, + "5214": msg7661, + "5215": msg7662, + "5216": msg7663, + "5217": msg7664, + "5218": msg7665, + "5219": msg7666, + "522": select431, + "5220": msg7667, + "5221": msg7668, + "5222": msg7669, + "5223": msg7670, + "5224": msg7671, + "5225": msg7672, + "5226": msg7673, + "5227": msg7674, + "5228": msg7675, + "5229": msg7676, + "523": select432, + "5230": msg7677, + "5231": msg7678, + "5232": msg7679, + "5233": msg7680, + "5234": msg7681, + "5235": msg7682, + "5236": msg7683, + "5237": msg7684, + "5238": msg7685, + "5239": msg7686, + "524": select433, + "5240": msg7687, + "5241": msg7688, + "5242": msg7689, + "5243": msg7690, + "5244": msg7691, + "5245": msg7692, + "5246": msg7693, + "5247": msg7694, + "5248": msg7695, + "5249": msg7696, + "525": select434, + "5250": msg7697, + "5251": msg7698, + "5252": msg7699, + "5253": msg7700, + "5254": msg7701, + "5255": msg7702, + "5256": msg7703, + "5257": msg7704, + "5258": msg7705, + "5259": msg7706, + "526": select435, + "5260": msg7707, + "5261": msg7708, + "5262": msg7709, + "5263": msg7710, + "5264": msg7711, + "5265": msg7712, + "5266": msg7713, + "5267": msg7714, + "5268": msg7715, + "5269": msg7716, + "527": select436, + "5270": msg7717, + "5271": msg7718, + "5272": msg7719, + "5273": msg7720, + "5274": msg7721, + "5275": msg7722, + "5276": msg7723, + "5277": msg7724, + "5278": msg7725, + "5279": msg7726, + "528": select437, + "5280": msg7727, + "5281": msg7728, + "5282": msg7729, + "5283": msg7730, + "5284": msg7731, + "5285": msg7732, + "5286": msg7733, + "5287": msg7734, + "5288": msg7735, + "5289": msg7736, + "529": select438, + "5290": msg7737, + "5291": msg7738, + "5292": msg7739, + "5293": msg7740, + "5294": msg7741, + "5295": msg7742, + "5296": msg7743, + "5297": msg7744, + "5298": msg7745, + "5299": msg7746, + "530": select439, + "5300": msg7747, + "5301": msg7748, + "5302": msg7749, + "5303": msg7750, + "5304": msg7751, + "5305": msg7752, + "5306": msg7753, + "5307": msg7754, + "5308": msg7755, + "5309": msg7756, + "5310": msg7757, + "5311": msg7758, + "5312": msg7759, + "5313": msg7760, + "5314": msg7761, + "5315": msg7762, + "5316": msg7763, + "5317": msg7764, + "5318": msg7765, + "5319": msg7766, + "532": select440, + "5320": msg7767, + "5321": msg7768, + "5322": msg7769, + "5323": msg7770, + "5324": msg7771, + "5325": msg7772, + "5326": msg7773, + "5327": msg7774, + "5328": msg7775, + "5329": msg7776, + "533": select441, + "5330": msg7777, + "5331": msg7778, + "5332": msg7779, + "5333": msg7780, + "5334": msg7781, + "5335": msg7782, + "5336": msg7783, + "5337": msg7784, + "5338": msg7785, + "5339": msg7786, + "534": select442, + "5340": msg7787, + "5341": msg7788, + "5342": msg7789, + "5343": msg7790, + "5344": msg7791, + "5345": msg7792, + "5346": msg7793, + "5347": msg7794, + "5348": msg7795, + "5349": msg7796, + "535": select443, + "5350": msg7797, + "5351": msg7798, + "5352": msg7799, + "5353": msg7800, + "5354": msg7801, + "5355": msg7802, + "5356": msg7803, + "5357": msg7804, + "5358": msg7805, + "5359": msg7806, + "536": select444, + "5360": msg7807, + "5361": msg7808, + "5362": msg7809, + "5363": msg7810, + "5364": msg7811, + "5365": msg7812, + "5366": msg7813, + "5367": msg7814, + "5368": msg7815, + "5369": msg7816, + "537": select445, + "5370": msg7817, + "5371": msg7818, + "5372": msg7819, + "5373": msg7820, + "5374": msg7821, + "5375": msg7822, + "5376": msg7823, + "5377": msg7824, + "5378": msg7825, + "5379": msg7826, + "538": select446, + "5380": msg7827, + "5381": msg7828, + "5382": msg7829, + "5383": msg7830, + "5384": msg7831, + "5385": msg7832, + "5386": msg7833, + "5387": msg7834, + "5388": msg7835, + "5389": msg7836, + "539": select447, + "5390": msg7837, + "5391": msg7838, + "5392": msg7839, + "5393": msg7840, + "5394": msg7841, + "5395": msg7842, + "5396": msg7843, + "5397": msg7844, + "5398": msg7845, + "5399": msg7846, + "54": select27, + "540": select448, + "5400": msg7847, + "5401": msg7848, + "5402": msg7849, + "5403": msg7850, + "5404": msg7851, + "5405": msg7852, + "5406": msg7853, + "5407": msg7854, + "5408": msg7855, + "5409": msg7856, + "541": select449, + "5410": msg7857, + "5411": msg7858, + "5412": msg7859, + "5413": msg7860, + "5414": msg7861, + "5415": msg7862, + "5416": msg7863, + "5417": msg7864, + "5418": msg7865, + "5419": msg7866, + "542": select450, + "5420": msg7867, + "5421": msg7868, + "5422": msg7869, + "5423": msg7870, + "5424": msg7871, + "5425": msg7872, + "5426": msg7873, + "5427": msg7874, + "5428": msg7875, + "5429": msg7876, + "543": select451, + "5430": msg7877, + "5431": msg7878, + "5432": msg7879, + "5433": msg7880, + "5434": msg7881, + "5435": msg7882, + "5436": msg7883, + "5437": msg7884, + "5438": msg7885, + "5439": msg7886, + "544": select452, + "5440": msg7887, + "5441": msg7888, + "5442": msg7889, + "5443": msg7890, + "5444": msg7891, + "5445": msg7892, + "5446": msg7893, + "5447": msg7894, + "5448": msg7895, + "5449": msg7896, + "545": select453, + "5450": msg7897, + "5451": msg7898, + "5452": msg7899, + "5453": msg7900, + "5454": msg7901, + "5455": msg7902, + "5456": msg7903, + "5457": msg7904, + "5458": msg7905, + "5459": msg7906, + "546": select454, + "5460": msg7907, + "5461": msg7908, + "5462": msg7909, + "5463": msg7910, + "5464": msg7911, + "5465": msg7912, + "5466": msg7913, + "5467": msg7914, + "5468": msg7915, + "5469": msg7916, + "547": select455, + "5470": msg7917, + "5471": msg7918, + "5472": msg7919, + "5473": msg7920, + "5474": msg7921, + "5475": msg7922, + "5476": msg7923, + "5477": msg7924, + "5478": msg7925, + "5479": msg7926, + "548": select456, + "5480": msg7927, + "5481": msg7928, + "5482": msg7929, + "5483": msg7930, + "5484": msg7931, + "5485": msg7932, + "5486": msg7933, + "5487": msg7934, + "5488": msg7935, + "5489": msg7936, + "549": select457, + "5490": msg7937, + "5491": msg7938, + "5492": msg7939, + "5493": msg7940, + "5494": msg7941, + "5495": msg7942, + "5496": msg7943, + "5497": msg7944, + "5498": msg7945, + "5499": msg7946, + "55": select28, + "550": select458, + "5500": msg7947, + "5501": msg7948, + "5502": msg7949, + "5503": msg7950, + "5504": msg7951, + "5505": msg7952, + "5506": msg7953, + "5507": msg7954, + "5508": msg7955, + "5509": msg7956, + "551": select459, + "5510": msg7957, + "5511": msg7958, + "5512": msg7959, + "5513": msg7960, + "5514": msg7961, + "5515": msg7962, + "5516": msg7963, + "5517": msg7964, + "5518": msg7965, + "5519": msg7966, + "552": select460, + "5520": msg7967, + "5521": msg7968, + "5522": msg7969, + "5523": msg7970, + "5524": msg7971, + "5525": msg7972, + "5526": msg7973, + "5527": msg7974, + "5528": msg7975, + "5529": msg7976, + "553": select461, + "5530": msg7977, + "5531": msg7978, + "5532": msg7979, + "5533": msg7980, + "5534": msg7981, + "5535": msg7982, + "5536": msg7983, + "5537": msg7984, + "5538": msg7985, + "5539": msg7986, + "554": select462, + "5540": msg7987, + "5541": msg7988, + "5542": msg7989, + "5543": msg7990, + "5544": msg7991, + "5545": msg7992, + "5546": msg7993, + "5547": msg7994, + "5548": msg7995, + "5549": msg7996, + "555": select463, + "5550": msg7997, + "5551": msg7998, + "5552": msg7999, + "5553": msg8000, + "5554": msg8001, + "5555": msg8002, + "5556": msg8003, + "5557": msg8004, + "5558": msg8005, + "5559": msg8006, + "556": select464, + "5560": msg8007, + "5561": msg8008, + "5562": msg8009, + "5563": msg8010, + "5564": msg8011, + "5565": msg8012, + "5566": msg8013, + "5567": msg8014, + "5568": msg8015, + "5569": msg8016, + "557": select465, + "5570": msg8017, + "5571": msg8018, + "5572": msg8019, + "5573": msg8020, + "5574": msg8021, + "5575": msg8022, + "5576": msg8023, + "5577": msg8024, + "5578": msg8025, + "5579": msg8026, + "558": select466, + "5580": msg8027, + "5581": msg8028, + "5582": msg8029, + "5583": msg8030, + "5584": msg8031, + "5585": msg8032, + "5586": msg8033, + "5587": msg8034, + "5588": msg8035, + "5589": msg8036, + "559": select467, + "5590": msg8037, + "5591": msg8038, + "5592": msg8039, + "5593": msg8040, + "5594": msg8041, + "5595": msg8042, + "5596": msg8043, + "5597": msg8044, + "5598": msg8045, + "5599": msg8046, + "560": select468, + "5600": msg8047, + "5601": msg8048, + "5602": msg8049, + "5603": msg8050, + "5604": msg8051, + "5605": msg8052, + "5606": msg8053, + "5607": msg8054, + "5608": msg8055, + "5609": msg8056, + "561": select469, + "5610": msg8057, + "5611": msg8058, + "5612": msg8059, + "5613": msg8060, + "5614": msg8061, + "5615": msg8062, + "5616": msg8063, + "5617": msg8064, + "5618": msg8065, + "5619": msg8066, + "562": select470, + "5620": msg8067, + "5621": msg8068, + "5622": msg8069, + "5623": msg8070, + "5624": msg8071, + "5625": msg8072, + "5626": msg8073, + "5627": msg8074, + "5628": msg8075, + "5629": msg8076, + "563": select471, + "5630": msg8077, + "5631": msg8078, + "5632": msg8079, + "5633": msg8080, + "5634": msg8081, + "5635": msg8082, + "5636": msg8083, + "5637": msg8084, + "5638": msg8085, + "5639": msg8086, + "564": select472, + "5640": msg8087, + "5641": msg8088, + "5642": msg8089, + "5643": msg8090, + "5644": msg8091, + "5645": msg8092, + "5646": msg8093, + "5647": msg8094, + "5648": msg8095, + "5649": msg8096, + "565": select473, + "5650": msg8097, + "5651": msg8098, + "5652": msg8099, + "5653": msg8100, + "5654": msg8101, + "5655": msg8102, + "5656": msg8103, + "5657": msg8104, + "5658": msg8105, + "5659": msg8106, + "566": select474, + "5660": msg8107, + "5661": msg8108, + "5662": msg8109, + "5663": msg8110, + "5664": msg8111, + "5665": msg8112, + "5666": msg8113, + "5667": msg8114, + "5668": msg8115, + "5669": msg8116, + "567": select475, + "5670": msg8117, + "5671": msg8118, + "5672": msg8119, + "5673": msg8120, + "5674": msg8121, + "5675": msg8122, + "5676": msg8123, + "5677": msg8124, + "5678": msg8125, + "5679": msg8126, + "568": select476, + "5680": msg8127, + "5681": msg8128, + "5682": msg8129, + "5683": msg8130, + "5684": msg8131, + "5685": msg8132, + "5686": msg8133, + "5687": msg8134, + "5688": msg8135, + "5689": msg8136, + "569": select477, + "5690": msg8137, + "5691": msg8138, + "5692": msg8139, + "5693": msg8140, + "5694": msg8141, + "5695": msg8142, + "5696": msg8143, + "5697": msg8144, + "5698": msg8145, + "5699": msg8146, + "570": select478, + "5700": msg8147, + "5701": msg8148, + "5702": msg8149, + "5703": msg8150, + "5704": msg8151, + "5705": msg8152, + "5706": msg8153, + "5707": msg8154, + "5708": msg8155, + "5709": msg8156, + "571": select479, + "5710": msg8157, + "5711": msg8158, + "5712": msg8159, + "5713": msg8160, + "5714": msg8161, + "5715": msg8162, + "5716": msg8163, + "5717": msg8164, + "5718": msg8165, + "5719": msg8166, + "572": select480, + "5720": msg8167, + "5721": msg8168, + "5722": msg8169, + "5723": msg8170, + "5724": msg8171, + "5725": msg8172, + "5726": msg8173, + "5727": msg8174, + "5728": msg8175, + "5729": msg8176, + "573": select481, + "5730": msg8177, + "5731": msg8178, + "5732": msg8179, + "5733": msg8180, + "5734": msg8181, + "5735": msg8182, + "5736": msg8183, + "5737": msg8184, + "5738": msg8185, + "5739": msg8186, + "574": select482, + "5740": msg8187, + "5741": msg8188, + "5742": msg8189, + "5743": msg8190, + "5744": msg8191, + "5745": msg8192, + "5746": msg8193, + "5747": msg8194, + "5748": msg8195, + "5749": msg8196, + "575": select483, + "5750": msg8197, + "5751": msg8198, + "5752": msg8199, + "5753": msg8200, + "5754": msg8201, + "5755": msg8202, + "5756": msg8203, + "5757": msg8204, + "5758": msg8205, + "5759": msg8206, + "576": select484, + "5760": msg8207, + "5761": msg8208, + "5762": msg8209, + "5763": msg8210, + "5764": msg8211, + "5765": msg8212, + "5766": msg8213, + "5767": msg8214, + "5768": msg8215, + "5769": msg8216, + "577": select485, + "5770": msg8217, + "5771": msg8218, + "5772": msg8219, + "5773": msg8220, + "5774": msg8221, + "5775": msg8222, + "5776": msg8223, + "5777": msg8224, + "5778": msg8225, + "5779": msg8226, + "578": select486, + "5780": msg8227, + "5781": msg8228, + "5782": msg8229, + "5783": msg8230, + "5784": msg8231, + "5785": msg8232, + "5786": msg8233, + "5787": msg8234, + "5788": msg8235, + "5789": msg8236, + "579": select487, + "5790": msg8237, + "5791": msg8238, + "5792": msg8239, + "5793": msg8240, + "5794": msg8241, + "5795": msg8242, + "5796": msg8243, + "5797": msg8244, + "5798": msg8245, + "5799": msg8246, + "58": select29, + "580": select488, + "5800": msg8247, + "5801": msg8248, + "5802": msg8249, + "5803": msg8250, + "5804": msg8251, + "5805": msg8252, + "5806": msg8253, + "5807": msg8254, + "5808": msg8255, + "5809": msg8256, + "581": select489, + "5810": msg8257, + "5811": msg8258, + "5812": msg8259, + "5813": msg8260, + "5814": msg8261, + "5815": msg8262, + "5816": msg8263, + "5817": msg8264, + "5818": msg8265, + "5819": msg8266, + "582": select490, + "5820": msg8267, + "5821": msg8268, + "5822": msg8269, + "5823": msg8270, + "5824": msg8271, + "5825": msg8272, + "5826": msg8273, + "5827": msg8274, + "5828": msg8275, + "5829": msg8276, + "583": select491, + "5830": msg8277, + "5831": msg8278, + "5832": msg8279, + "5833": msg8280, + "5834": msg8281, + "5835": msg8282, + "5836": msg8283, + "5837": msg8284, + "5838": msg8285, + "5839": msg8286, + "584": select492, + "5840": msg8287, + "5841": msg8288, + "5842": msg8289, + "5843": msg8290, + "5844": msg8291, + "5845": msg8292, + "5846": msg8293, + "5847": msg8294, + "5848": msg8295, + "5849": msg8296, + "585": select493, + "5850": msg8297, + "5851": msg8298, + "5852": msg8299, + "5853": msg8300, + "5854": msg8301, + "5855": msg8302, + "5856": msg8303, + "5857": msg8304, + "5858": msg8305, + "5859": msg8306, + "586": select494, + "5860": msg8307, + "5861": msg8308, + "5862": msg8309, + "5863": msg8310, + "5864": msg8311, + "5865": msg8312, + "5866": msg8313, + "5867": msg8314, + "5868": msg8315, + "5869": msg8316, + "587": select495, + "5870": msg8317, + "5871": msg8318, + "5872": msg8319, + "5873": msg8320, + "5874": msg8321, + "5875": msg8322, + "5876": msg8323, + "5877": msg8324, + "5878": msg8325, + "5879": msg8326, + "588": select496, + "5880": msg8327, + "5881": msg8328, + "5882": msg8329, + "5883": msg8330, + "5884": msg8331, + "5885": msg8332, + "5886": msg8333, + "5887": msg8334, + "5888": msg8335, + "5889": msg8336, + "589": select497, + "5890": msg8337, + "5891": msg8338, + "5892": msg8339, + "5893": msg8340, + "5894": msg8341, + "5895": msg8342, + "5896": msg8343, + "5897": msg8344, + "5898": msg8345, + "5899": msg8346, + "590": select498, + "5900": msg8347, + "5901": msg8348, + "5902": msg8349, + "5903": msg8350, + "5904": msg8351, + "5905": msg8352, + "5906": msg8353, + "5907": msg8354, + "5908": msg8355, + "5909": msg8356, + "591": select499, + "5910": msg8357, + "5911": msg8358, + "5912": msg8359, + "5913": msg8360, + "5914": msg8361, + "5915": msg8362, + "5916": msg8363, + "5917": msg8364, + "5918": msg8365, + "5919": msg8366, + "592": select500, + "5920": msg8367, + "5921": msg8368, + "5922": msg8369, + "5923": msg8370, + "5924": msg8371, + "5925": msg8372, + "5926": msg8373, + "5927": msg8374, + "5928": msg8375, + "5929": msg8376, + "593": select501, + "5930": msg8377, + "5931": msg8378, + "5932": msg8379, + "5933": msg8380, + "5934": msg8381, + "5935": msg8382, + "5936": msg8383, + "5937": msg8384, + "5938": msg8385, + "5939": msg8386, + "594": select502, + "5940": msg8387, + "5941": msg8388, + "5942": msg8389, + "5943": msg8390, + "5944": msg8391, + "5945": msg8392, + "5946": msg8393, + "5947": msg8394, + "5948": msg8395, + "5949": msg8396, + "595": select503, + "5950": msg8397, + "5951": msg8398, + "5952": msg8399, + "5953": msg8400, + "5954": msg8401, + "5955": msg8402, + "5956": msg8403, + "5957": msg8404, + "5958": msg8405, + "5959": msg8406, + "596": select504, + "5960": msg8407, + "5961": msg8408, + "5962": msg8409, + "5963": msg8410, + "5964": msg8411, + "5965": msg8412, + "5966": msg8413, + "5967": msg8414, + "5968": msg8415, + "5969": msg8416, + "597": select505, + "5970": msg8417, + "5971": msg8418, + "5972": msg8419, + "5973": msg8420, + "5974": msg8421, + "5975": msg8422, + "5976": msg8423, + "5977": msg8424, + "5978": msg8425, + "5979": msg8426, + "598": select506, + "5980": msg8427, + "5981": msg8428, + "5982": msg8429, + "5983": msg8430, + "5984": msg8431, + "5985": msg8432, + "5986": msg8433, + "5987": msg8434, + "5988": msg8435, + "5989": msg8436, + "599": select507, + "5990": msg8437, + "5991": msg8438, + "5992": msg8439, + "5993": msg8440, + "5994": msg8441, + "5995": msg8442, + "5996": msg8443, + "5997": msg8444, + "5998": msg8445, + "5999": msg8446, + "6": select11, + "600": select508, + "6000": msg8447, + "6000022": msg38279, + "6000025": msg38281, + "600009": msg38276, + "600010": msg38277, + "600015": msg38278, + "600023": msg38280, + "6001": msg8448, + "6002": msg8449, + "6003": msg8450, + "6004": msg8451, + "6005": msg8452, + "6006": msg8453, + "6007": msg8454, + "6008": msg8455, + "6009": msg8456, + "601": select509, + "6010": msg8457, + "6011": msg8458, + "6012": msg8459, + "6013": msg8460, + "6014": msg8461, + "6015": msg8462, + "6016": msg8463, + "6017": msg8464, + "6018": msg8465, + "6019": msg8466, + "602": select510, + "6020": msg8467, + "6021": msg8468, + "6022": msg8469, + "6023": msg8470, + "6024": msg8471, + "6025": msg8472, + "6026": msg8473, + "6027": msg8474, + "6028": msg8475, + "6029": msg8476, + "603": select511, + "6030": msg8477, + "6031": msg8478, + "6032": msg8479, + "6033": msg8480, + "6034": msg8481, + "6035": msg8482, + "6036": msg8483, + "6037": msg8484, + "6038": msg8485, + "6039": msg8486, + "604": select512, + "6040": msg8487, + "6041": msg8488, + "6042": msg8489, + "6043": msg8490, + "6044": msg8491, + "6045": msg8492, + "6046": msg8493, + "6047": msg8494, + "6048": msg8495, + "6049": msg8496, + "605": select513, + "6050": msg8497, + "6051": msg8498, + "6052": msg8499, + "6053": msg8500, + "6054": msg8501, + "6055": msg8502, + "6056": msg8503, + "6057": msg8504, + "6058": msg8505, + "6059": msg8506, + "606": select514, + "6060": msg8507, + "6061": msg8508, + "6062": msg8509, + "6063": msg8510, + "6064": msg8511, + "6065": msg8512, + "6066": msg8513, + "6067": msg8514, + "6068": msg8515, + "6069": msg8516, + "607": select515, + "6070": msg8517, + "6071": msg8518, + "6072": msg8519, + "6073": msg8520, + "6074": msg8521, + "6075": msg8522, + "6076": msg8523, + "6077": msg8524, + "6078": msg8525, + "6079": msg8526, + "608": select516, + "6080": msg8527, + "6081": msg8528, + "6082": msg8529, + "6083": msg8530, + "6084": msg8531, + "6085": msg8532, + "6086": msg8533, + "6087": msg8534, + "6088": msg8535, + "6089": msg8536, + "609": select517, + "6090": msg8537, + "6091": msg8538, + "6092": msg8539, + "6093": msg8540, + "6094": msg8541, + "6095": msg8542, + "6096": msg8543, + "6097": msg8544, + "6098": msg8545, + "6099": msg8546, + "610": select518, + "6100": msg8547, + "6101": msg8548, + "6102": msg8549, + "6103": msg8550, + "6104": msg8551, + "6105": msg8552, + "6106": msg8553, + "6107": msg8554, + "6108": msg8555, + "6109": msg8556, + "611": select519, + "6110": msg8557, + "6111": msg8558, + "6112": msg8559, + "6113": msg8560, + "6114": msg8561, + "6115": msg8562, + "6116": msg8563, + "6117": msg8564, + "6118": msg8565, + "6119": msg8566, + "612": select520, + "6120": msg8567, + "6121": msg8568, + "6122": msg8569, + "6123": msg8570, + "6124": msg8571, + "6125": msg8572, + "6126": msg8573, + "6127": msg8574, + "6128": msg8575, + "6129": msg8576, + "613": select521, + "6130": msg8577, + "6131": msg8578, + "6132": msg8579, + "6133": msg8580, + "6134": msg8581, + "6135": msg8582, + "6136": msg8583, + "6137": msg8584, + "6138": msg8585, + "6139": msg8586, + "614": select522, + "6140": msg8587, + "6141": msg8588, + "6142": msg8589, + "6143": msg8590, + "6144": msg8591, + "6145": msg8592, + "6146": msg8593, + "6147": msg8594, + "6148": msg8595, + "6149": msg8596, + "615": select523, + "6150": msg8597, + "6151": msg8598, + "6152": msg8599, + "6153": msg8600, + "6154": msg8601, + "6155": msg8602, + "6156": msg8603, + "6157": msg8604, + "6158": msg8605, + "6159": msg8606, + "616": select524, + "6160": msg8607, + "6161": msg8608, + "6162": msg8609, + "6163": msg8610, + "6164": msg8611, + "6165": msg8612, + "6166": msg8613, + "6167": msg8614, + "6168": msg8615, + "6169": msg8616, + "617": select525, + "6170": msg8617, + "6171": msg8618, + "6172": msg8619, + "6173": msg8620, + "6174": msg8621, + "6175": msg8622, + "6176": msg8623, + "6177": msg8624, + "6178": msg8625, + "6179": msg8626, + "618": select526, + "6180": msg8627, + "6181": msg8628, + "6182": msg8629, + "6183": msg8630, + "6184": msg8631, + "6185": msg8632, + "6186": msg8633, + "6187": msg8634, + "6188": msg8635, + "6189": msg8636, + "619": select527, + "6190": msg8637, + "6191": msg8638, + "6192": msg8639, + "6193": msg8640, + "6194": msg8641, + "6195": msg8642, + "6196": msg8643, + "6197": msg8644, + "6198": msg8645, + "6199": msg8646, + "620": select528, + "6200": msg8647, + "6201": msg8648, + "6202": msg8649, + "6203": msg8650, + "6204": msg8651, + "6205": msg8652, + "6206": msg8653, + "6207": msg8654, + "6208": msg8655, + "6209": msg8656, + "621": select529, + "6210": msg8657, + "6211": msg8658, + "6212": msg8659, + "6213": msg8660, + "6214": msg8661, + "6215": msg8662, + "6216": msg8663, + "6217": msg8664, + "6218": msg8665, + "6219": msg8666, + "622": select530, + "6220": msg8667, + "6221": msg8668, + "6222": msg8669, + "6223": msg8670, + "6224": msg8671, + "6225": msg8672, + "6226": msg8673, + "6227": msg8674, + "6228": msg8675, + "6229": msg8676, + "623": select531, + "6230": msg8677, + "6231": msg8678, + "6232": msg8679, + "6233": msg8680, + "6234": msg8681, + "6235": msg8682, + "6236": msg8683, + "6237": msg8684, + "6238": msg8685, + "6239": msg8686, + "624": select532, + "6240": msg8687, + "6241": msg8688, + "6242": msg8689, + "6243": msg8690, + "6244": msg8691, + "6245": msg8692, + "6246": msg8693, + "6247": msg8694, + "6248": msg8695, + "6249": msg8696, + "625": select533, + "6250": msg8697, + "6251": msg8698, + "6252": msg8699, + "6253": msg8700, + "6254": msg8701, + "6255": msg8702, + "6256": msg8703, + "6257": msg8704, + "6258": msg8705, + "6259": msg8706, + "626": select534, + "6260": msg8707, + "6261": msg8708, + "6262": msg8709, + "6263": msg8710, + "6264": msg8711, + "6265": msg8712, + "6266": msg8713, + "6267": msg8714, + "6268": msg8715, + "6269": msg8716, + "627": select535, + "6270": msg8717, + "6271": msg8718, + "6272": msg8719, + "6273": msg8720, + "6274": msg8721, + "6275": msg8722, + "6276": msg8723, + "6277": msg8724, + "6278": msg8725, + "6279": msg8726, + "628": select536, + "6280": msg8727, + "6281": msg8728, + "6282": msg8729, + "6283": msg8730, + "6284": msg8731, + "6285": msg8732, + "6286": msg8733, + "6287": msg8734, + "6288": msg8735, + "6289": msg8736, + "629": select537, + "6290": msg8737, + "6291": msg8738, + "6292": msg8739, + "6293": msg8740, + "6294": msg8741, + "6295": msg8742, + "6296": msg8743, + "6297": msg8744, + "6298": msg8745, + "6299": msg8746, + "630": select538, + "6300": msg8747, + "6301": msg8748, + "6302": msg8749, + "6303": msg8750, + "6304": msg8751, + "6305": msg8752, + "6306": msg8753, + "6307": msg8754, + "6308": msg8755, + "6309": msg8756, + "631": select539, + "6310": msg8757, + "6311": msg8758, + "6312": msg8759, + "6313": msg8760, + "6314": msg8761, + "6315": msg8762, + "6316": msg8763, + "6317": msg8764, + "6318": msg8765, + "6319": msg8766, + "632": select540, + "6320": msg8767, + "6321": msg8768, + "6322": msg8769, + "6323": msg8770, + "6324": msg8771, + "6325": msg8772, + "6326": msg8773, + "6327": msg8774, + "6328": msg8775, + "6329": msg8776, + "6330": msg8777, + "6331": msg8778, + "6332": msg8779, + "6333": msg8780, + "6334": msg8781, + "6335": msg8782, + "6336": msg8783, + "6337": msg8784, + "6338": msg8785, + "6339": msg8786, + "634": select541, + "6340": msg8787, + "6341": msg8788, + "6342": msg8789, + "6343": msg8790, + "6344": msg8791, + "6345": msg8792, + "6346": msg8793, + "6347": msg8794, + "6348": msg8795, + "6349": msg8796, + "635": select542, + "6350": msg8797, + "6351": msg8798, + "6352": msg8799, + "6353": msg8800, + "6354": msg8801, + "6355": msg8802, + "6356": msg8803, + "6357": msg8804, + "6358": msg8805, + "6359": msg8806, + "636": select543, + "6360": msg8807, + "6361": msg8808, + "6362": msg8809, + "6363": msg8810, + "6364": msg8811, + "6365": msg8812, + "6366": msg8813, + "6367": msg8814, + "6368": msg8815, + "6369": msg8816, + "637": select544, + "6370": msg8817, + "6371": msg8818, + "6372": msg8819, + "6373": msg8820, + "6374": msg8821, + "6375": msg8822, + "6376": msg8823, + "6377": msg8824, + "6378": msg8825, + "6379": msg8826, + "638": select545, + "6380": msg8827, + "6381": msg8828, + "6382": msg8829, + "6383": msg8830, + "6384": msg8831, + "6385": msg8832, + "6386": msg8833, + "6387": msg8834, + "6388": msg8835, + "6389": msg8836, + "639": select546, + "6390": msg8837, + "6391": msg8838, + "6392": msg8839, + "6393": msg8840, + "6394": msg8841, + "6395": msg8842, + "6396": msg8843, + "6397": msg8844, + "6398": msg8845, + "6399": msg8846, + "640": select547, + "6400": msg8847, + "6401": msg8848, + "6402": msg8849, + "6403": msg8850, + "6404": msg8851, + "6405": msg8852, + "6406": msg8853, + "6407": msg8854, + "6408": msg8855, + "6409": msg8856, + "641": select548, + "6410": msg8857, + "6411": msg8858, + "6412": msg8859, + "6413": msg8860, + "6414": msg8861, + "6415": msg8862, + "6416": msg8863, + "6417": msg8864, + "6418": msg8865, + "6419": msg8866, + "642": select549, + "6420": msg8867, + "6421": msg8868, + "6422": msg8869, + "6423": msg8870, + "6424": msg8871, + "6425": msg8872, + "6426": msg8873, + "6427": msg8874, + "6428": msg8875, + "6429": msg8876, + "643": select550, + "6430": msg8877, + "6431": msg8878, + "6432": msg8879, + "6433": msg8880, + "6434": msg8881, + "6435": msg8882, + "6436": msg8883, + "6437": msg8884, + "6438": msg8885, + "6439": msg8886, + "644": select551, + "6440": msg8887, + "6441": msg8888, + "6442": msg8889, + "6443": msg8890, + "6444": msg8891, + "6445": msg8892, + "6446": msg8893, + "6447": msg8894, + "6448": msg8895, + "6449": msg8896, + "645": select552, + "6450": msg8897, + "6451": msg8898, + "6452": msg8899, + "6453": msg8900, + "6454": msg8901, + "6455": msg8902, + "6456": msg8903, + "6457": msg8904, + "6458": msg8905, + "6459": msg8906, + "646": select553, + "6460": msg8907, + "6461": msg8908, + "6462": msg8909, + "6463": msg8910, + "6464": msg8911, + "6465": msg8912, + "6466": msg8913, + "6467": msg8914, + "6468": msg8915, + "6469": msg8916, + "647": select554, + "6470": msg8917, + "6471": msg8918, + "6472": msg8919, + "6473": msg8920, + "6474": msg8921, + "6475": msg8922, + "6476": msg8923, + "6477": msg8924, + "6478": msg8925, + "6479": msg8926, + "648": select555, + "6480": msg8927, + "6481": msg8928, + "6482": msg8929, + "6483": msg8930, + "6484": msg8931, + "6485": msg8932, + "6486": msg8933, + "6487": msg8934, + "6488": msg8935, + "6489": msg8936, + "649": select556, + "6490": msg8937, + "6491": msg8938, + "6492": msg8939, + "6493": msg8940, + "6494": msg8941, + "6495": msg8942, + "6496": msg8943, + "6497": msg8944, + "6498": msg8945, + "6499": msg8946, + "650": select557, + "6500": msg8947, + "6501": msg8948, + "6502": msg8949, + "6503": msg8950, + "6504": msg8951, + "6505": msg8952, + "6506": msg8953, + "6507": msg8954, + "6508": msg8955, + "6509": msg8956, + "651": select558, + "6510": msg8957, + "6511": msg8958, + "6512": msg8959, + "6513": msg8960, + "6514": msg8961, + "6515": msg8962, + "6516": msg8963, + "6517": msg8964, + "6518": msg8965, + "6519": msg8966, + "652": select559, + "6520": msg8967, + "6521": msg8968, + "6522": msg8969, + "6523": msg8970, + "6524": msg8971, + "6525": msg8972, + "6526": msg8973, + "6527": msg8974, + "6528": msg8975, + "6529": msg8976, + "653": select560, + "6530": msg8977, + "6531": msg8978, + "6532": msg8979, + "6533": msg8980, + "6534": msg8981, + "6535": msg8982, + "6536": msg8983, + "6537": msg8984, + "6538": msg8985, + "6539": msg8986, + "654": select561, + "6540": msg8987, + "6541": msg8988, + "6542": msg8989, + "6543": msg8990, + "6544": msg8991, + "6545": msg8992, + "6546": msg8993, + "6547": msg8994, + "6548": msg8995, + "6549": msg8996, + "655": select562, + "6550": msg8997, + "6551": msg8998, + "6552": msg8999, + "6553": msg9000, + "6554": msg9001, + "6555": msg9002, + "6556": msg9003, + "6557": msg9004, + "6558": msg9005, + "6559": msg9006, + "656": select563, + "6560": msg9007, + "6561": msg9008, + "6562": msg9009, + "6563": msg9010, + "6564": msg9011, + "6565": msg9012, + "6566": msg9013, + "6567": msg9014, + "6568": msg9015, + "6569": msg9016, + "657": select564, + "6570": msg9017, + "6571": msg9018, + "6572": msg9019, + "6573": msg9020, + "6574": msg9021, + "6575": msg9022, + "6576": msg9023, + "6577": msg9024, + "6578": msg9025, + "6579": msg9026, + "658": select565, + "6580": msg9027, + "6581": msg9028, + "6582": msg9029, + "6583": msg9030, + "6584": msg9031, + "6585": msg9032, + "6586": msg9033, + "6587": msg9034, + "6588": msg9035, + "6589": msg9036, + "659": select566, + "6590": msg9037, + "6591": msg9038, + "6592": msg9039, + "6593": msg9040, + "6594": msg9041, + "6595": msg9042, + "6596": msg9043, + "6597": msg9044, + "6598": msg9045, + "6599": msg9046, + "660": select567, + "6600": msg9047, + "6601": msg9048, + "6602": msg9049, + "6603": msg9050, + "6604": msg9051, + "6605": msg9052, + "6606": msg9053, + "6607": msg9054, + "6608": msg9055, + "6609": msg9056, + "661": select568, + "6610": msg9057, + "6611": msg9058, + "6612": msg9059, + "6613": msg9060, + "6614": msg9061, + "6615": msg9062, + "6616": msg9063, + "6617": msg9064, + "6618": msg9065, + "6619": msg9066, + "662": select569, + "6620": msg9067, + "6621": msg9068, + "6622": msg9069, + "6623": msg9070, + "6624": msg9071, + "6625": msg9072, + "6626": msg9073, + "6627": msg9074, + "6628": msg9075, + "6629": msg9076, + "663": select570, + "6630": msg9077, + "6631": msg9078, + "6632": msg9079, + "6633": msg9080, + "6634": msg9081, + "6635": msg9082, + "6636": msg9083, + "6637": msg9084, + "6638": msg9085, + "6639": msg9086, + "664": select571, + "6640": msg9087, + "6641": msg9088, + "6642": msg9089, + "6643": msg9090, + "6644": msg9091, + "6645": msg9092, + "6646": msg9093, + "6647": msg9094, + "6648": msg9095, + "6649": msg9096, + "665": select572, + "6650": msg9097, + "6651": msg9098, + "6652": msg9099, + "6653": msg9100, + "6654": msg9101, + "6655": msg9102, + "6656": msg9103, + "6657": msg9104, + "6658": msg9105, + "6659": msg9106, + "666": select573, + "6660": msg9107, + "6661": msg9108, + "6662": msg9109, + "6663": msg9110, + "6664": msg9111, + "6665": msg9112, + "6666": msg9113, + "6667": msg9114, + "6668": msg9115, + "6669": msg9116, + "667": select574, + "6670": msg9117, + "6671": msg9118, + "6672": msg9119, + "6673": msg9120, + "6674": msg9121, + "6675": msg9122, + "6676": msg9123, + "6677": msg9124, + "6678": msg9125, + "6679": msg9126, + "668": select575, + "6680": msg9127, + "6681": msg9128, + "6682": msg9129, + "6683": msg9130, + "6684": msg9131, + "6685": msg9132, + "6686": msg9133, + "6687": msg9134, + "6688": msg9135, + "6689": msg9136, + "669": select576, + "6690": msg9137, + "6691": msg9138, + "6692": msg9139, + "6693": msg9140, + "6694": msg9141, + "6695": msg9142, + "6696": msg9143, + "6697": msg9144, + "6698": msg9145, + "6699": msg9146, + "670": select577, + "6700": msg9147, + "6701": msg9148, + "6702": msg9149, + "6703": msg9150, + "6704": msg9151, + "6705": msg9152, + "6706": msg9153, + "6707": msg9154, + "6708": msg9155, + "6709": msg9156, + "671": select578, + "6710": msg9157, + "6711": msg9158, + "6712": msg9159, + "6713": msg9160, + "6714": msg9161, + "6715": msg9162, + "6716": msg9163, + "6717": msg9164, + "6718": msg9165, + "6719": msg9166, + "672": select579, + "6720": msg9167, + "6721": msg9168, + "6722": msg9169, + "6723": msg9170, + "6724": msg9171, + "6725": msg9172, + "6726": msg9173, + "6727": msg9174, + "6728": msg9175, + "6729": msg9176, + "673": select580, + "6730": msg9177, + "6731": msg9178, + "6732": msg9179, + "6733": msg9180, + "6734": msg9181, + "6735": msg9182, + "6736": msg9183, + "6737": msg9184, + "6738": msg9185, + "6739": msg9186, + "674": select581, + "6740": msg9187, + "6741": msg9188, + "6742": msg9189, + "6743": msg9190, + "6744": msg9191, + "6745": msg9192, + "6746": msg9193, + "6747": msg9194, + "6748": msg9195, + "6749": msg9196, + "675": select582, + "6750": msg9197, + "6751": msg9198, + "6752": msg9199, + "6753": msg9200, + "6754": msg9201, + "6755": msg9202, + "6756": msg9203, + "6757": msg9204, + "6758": msg9205, + "6759": msg9206, + "676": select583, + "6760": msg9207, + "6761": msg9208, + "6762": msg9209, + "6763": msg9210, + "6764": msg9211, + "6765": msg9212, + "6766": msg9213, + "6767": msg9214, + "6768": msg9215, + "6769": msg9216, + "677": select584, + "6770": msg9217, + "6771": msg9218, + "6772": msg9219, + "6773": msg9220, + "6774": msg9221, + "6775": msg9222, + "6776": msg9223, + "6777": msg9224, + "6778": msg9225, + "6779": msg9226, + "678": select585, + "6780": msg9227, + "6781": msg9228, + "6782": msg9229, + "6783": msg9230, + "6784": msg9231, + "6785": msg9232, + "6786": msg9233, + "6787": msg9234, + "6788": msg9235, + "6789": msg9236, + "679": select586, + "6790": msg9237, + "6791": msg9238, + "6792": msg9239, + "6793": msg9240, + "6794": msg9241, + "6795": msg9242, + "6796": msg9243, + "6797": msg9244, + "6798": msg9245, + "6799": msg9246, + "680": select587, + "6800": msg9247, + "6801": msg9248, + "6802": msg9249, + "6803": msg9250, + "6804": msg9251, + "6805": msg9252, + "6806": msg9253, + "6807": msg9254, + "6808": msg9255, + "6809": msg9256, + "681": select588, + "6810": msg9257, + "6811": msg9258, + "6812": msg9259, + "6813": msg9260, + "6814": msg9261, + "6815": msg9262, + "6816": msg9263, + "6817": msg9264, + "6818": msg9265, + "6819": msg9266, + "682": select589, + "6820": msg9267, + "6821": msg9268, + "6822": msg9269, + "6823": msg9270, + "6824": msg9271, + "6825": msg9272, + "6826": msg9273, + "6827": msg9274, + "6828": msg9275, + "6829": msg9276, + "683": select590, + "6830": msg9277, + "6831": msg9278, + "6832": msg9279, + "6833": msg9280, + "6834": msg9281, + "6835": msg9282, + "6836": msg9283, + "6837": msg9284, + "6838": msg9285, + "6839": msg9286, + "684": select591, + "6840": msg9287, + "6841": msg9288, + "6842": msg9289, + "6843": msg9290, + "6844": msg9291, + "6845": msg9292, + "6846": msg9293, + "6847": msg9294, + "6848": msg9295, + "6849": msg9296, + "685": select592, + "6850": msg9297, + "6851": msg9298, + "6852": msg9299, + "6853": msg9300, + "6854": msg9301, + "6855": msg9302, + "6856": msg9303, + "6857": msg9304, + "6858": msg9305, + "6859": msg9306, + "686": select593, + "6860": msg9307, + "6861": msg9308, + "6862": msg9309, + "6863": msg9310, + "6864": msg9311, + "6865": msg9312, + "6866": msg9313, + "6867": msg9314, + "6868": msg9315, + "6869": msg9316, + "687": select594, + "6870": msg9317, + "6871": msg9318, + "6872": msg9319, + "6873": msg9320, + "6874": msg9321, + "6875": msg9322, + "6876": msg9323, + "6877": msg9324, + "6878": msg9325, + "6879": msg9326, + "688": select595, + "6880": msg9327, + "6881": msg9328, + "6882": msg9329, + "6883": msg9330, + "6884": msg9331, + "6885": msg9332, + "6886": msg9333, + "6887": msg9334, + "6888": msg9335, + "6889": msg9336, + "689": select596, + "6890": msg9337, + "6891": msg9338, + "6892": msg9339, + "6893": msg9340, + "6894": msg9341, + "6895": msg9342, + "6896": msg9343, + "6897": msg9344, + "6898": msg9345, + "6899": msg9346, + "690": select597, + "6900": msg9347, + "6901": msg9348, + "6902": msg9349, + "6903": msg9350, + "6904": msg9351, + "6905": msg9352, + "6906": msg9353, + "6907": msg9354, + "6908": msg9355, + "6909": msg9356, + "691": select598, + "6910": msg9357, + "6911": msg9358, + "6912": msg9359, + "6913": msg9360, + "6914": msg9361, + "6915": msg9362, + "6916": msg9363, + "6917": msg9364, + "6918": msg9365, + "6919": msg9366, + "692": select599, + "6920": msg9367, + "6921": msg9368, + "6922": msg9369, + "6923": msg9370, + "6924": msg9371, + "6925": msg9372, + "6926": msg9373, + "6927": msg9374, + "6928": msg9375, + "6929": msg9376, + "693": select600, + "6930": msg9377, + "6931": msg9378, + "6932": msg9379, + "6933": msg9380, + "6934": msg9381, + "6935": msg9382, + "6936": msg9383, + "6937": msg9384, + "6938": msg9385, + "6939": msg9386, + "694": select601, + "6940": msg9387, + "6941": msg9388, + "6942": msg9389, + "6943": msg9390, + "6944": msg9391, + "6945": msg9392, + "6946": msg9393, + "6947": msg9394, + "6948": msg9395, + "6949": msg9396, + "695": select602, + "6950": msg9397, + "6951": msg9398, + "6952": msg9399, + "6953": msg9400, + "6954": msg9401, + "6955": msg9402, + "6956": msg9403, + "6957": msg9404, + "6958": msg9405, + "6959": msg9406, + "696": select603, + "6960": msg9407, + "6961": msg9408, + "6962": msg9409, + "6963": msg9410, + "6964": msg9411, + "6965": msg9412, + "6966": msg9413, + "6967": msg9414, + "6968": msg9415, + "6969": msg9416, + "697": select604, + "6970": msg9417, + "6971": msg9418, + "6972": msg9419, + "6973": msg9420, + "6974": msg9421, + "6975": msg9422, + "6976": msg9423, + "6977": msg9424, + "6978": msg9425, + "6979": msg9426, + "698": select605, + "6980": msg9427, + "6981": msg9428, + "6982": msg9429, + "6983": msg9430, + "6984": msg9431, + "6985": msg9432, + "6986": msg9433, + "6987": msg9434, + "6988": msg9435, + "6989": msg9436, + "699": select606, + "6990": msg9437, + "6991": msg9438, + "6992": msg9439, + "6993": msg9440, + "6994": msg9441, + "6995": msg9442, + "6996": msg9443, + "6997": msg9444, + "6998": msg9445, + "6999": msg9446, + "7": select12, + "700": select607, + "7000": msg9447, + "7001": msg9448, + "7002": msg9449, + "7003": msg9450, + "7004": msg9451, + "7005": msg9452, + "7006": msg9453, + "7007": msg9454, + "7008": msg9455, + "7009": msg9456, + "701": select608, + "7010": msg9457, + "7011": msg9458, + "7012": msg9459, + "7013": msg9460, + "7014": msg9461, + "7015": msg9462, + "7016": msg9463, + "7017": msg9464, + "7018": msg9465, + "7019": msg9466, + "702": select609, + "7020": msg9467, + "7021": msg9468, + "7022": msg9469, + "7023": msg9470, + "7024": msg9471, + "7025": msg9472, + "7026": msg9473, + "7027": msg9474, + "7028": msg9475, + "7029": msg9476, + "703": select610, + "7030": msg9477, + "7031": msg9478, + "7032": msg9479, + "7033": msg9480, + "7034": msg9481, + "7035": msg9482, + "7036": msg9483, + "7037": msg9484, + "7038": msg9485, + "7039": msg9486, + "704": select611, + "7040": msg9487, + "7041": msg9488, + "7042": msg9489, + "7043": msg9490, + "7044": msg9491, + "7045": msg9492, + "7046": msg9493, + "7047": msg9494, + "7048": msg9495, + "7049": msg9496, + "705": select612, + "7050": msg9497, + "7051": msg9498, + "7052": msg9499, + "7053": msg9500, + "7054": msg9501, + "7055": msg9502, + "7056": msg9503, + "7057": msg9504, + "7058": msg9505, + "7059": msg9506, + "706": select613, + "7060": msg9507, + "7061": msg9508, + "7062": msg9509, + "7063": msg9510, + "7064": msg9511, + "7065": msg9512, + "7066": msg9513, + "7067": msg9514, + "7068": msg9515, + "7069": msg9516, + "707": select614, + "7070": msg9517, + "7071": msg9518, + "7072": msg9519, + "7073": msg9520, + "7074": msg9521, + "7075": msg9522, + "7076": msg9523, + "7077": msg9524, + "7078": msg9525, + "7079": msg9526, + "708": select615, + "7080": msg9527, + "7081": msg9528, + "7082": msg9529, + "7083": msg9530, + "7084": msg9531, + "7085": msg9532, + "7086": msg9533, + "7087": msg9534, + "7088": msg9535, + "7089": msg9536, + "709": select616, + "7090": msg9537, + "7091": msg9538, + "7092": msg9539, + "7093": msg9540, + "7094": msg9541, + "7095": msg9542, + "7096": msg9543, + "7097": msg9544, + "7098": msg9545, + "7099": msg9546, + "710": select617, + "7100": msg9547, + "7101": msg9548, + "7102": msg9549, + "7103": msg9550, + "7104": msg9551, + "7105": msg9552, + "7106": msg9553, + "7107": msg9554, + "7108": msg9555, + "7109": msg9556, + "711": select618, + "7110": msg9557, + "7111": msg9558, + "7112": msg9559, + "7113": msg9560, + "7114": msg9561, + "7115": msg9562, + "7116": msg9563, + "7117": msg9564, + "7118": msg9565, + "7119": msg9566, + "712": select619, + "7120": msg9567, + "7121": msg9568, + "7122": msg9569, + "7123": msg9570, + "7124": msg9571, + "7125": msg9572, + "7126": msg9573, + "7127": msg9574, + "7128": msg9575, + "7129": msg9576, + "713": select620, + "7130": msg9577, + "7131": msg9578, + "7132": msg9579, + "7133": msg9580, + "7134": msg9581, + "7135": msg9582, + "7136": msg9583, + "7137": msg9584, + "7138": msg9585, + "7139": msg9586, + "714": select621, + "7140": msg9587, + "7141": msg9588, + "7142": msg9589, + "7143": msg9590, + "7144": msg9591, + "7145": msg9592, + "7146": msg9593, + "7147": msg9594, + "7148": msg9595, + "7149": msg9596, + "715": select622, + "7150": msg9597, + "7151": msg9598, + "7152": msg9599, + "7153": msg9600, + "7154": msg9601, + "7155": msg9602, + "7156": msg9603, + "7157": msg9604, + "7158": msg9605, + "7159": msg9606, + "716": select623, + "7160": msg9607, + "7161": msg9608, + "7162": msg9609, + "7163": msg9610, + "7164": msg9611, + "7165": msg9612, + "7166": msg9613, + "7167": msg9614, + "7168": msg9615, + "7169": msg9616, + "717": select624, + "7170": msg9617, + "7171": msg9618, + "7172": msg9619, + "7173": msg9620, + "7174": msg9621, + "7175": msg9622, + "7176": msg9623, + "7177": msg9624, + "7178": msg9625, + "7179": msg9626, + "718": select625, + "7180": msg9627, + "7181": msg9628, + "7182": msg9629, + "7183": msg9630, + "7184": msg9631, + "7185": msg9632, + "7186": msg9633, + "7187": msg9634, + "7188": msg9635, + "7189": msg9636, + "719": select626, + "7190": msg9637, + "7191": msg9638, + "7192": msg9639, + "7193": msg9640, + "7194": msg9641, + "7195": msg9642, + "7196": msg9643, + "7197": msg9644, + "7198": msg9645, + "7199": msg9646, + "720": select627, + "7200": msg9647, + "7201": msg9648, + "7202": msg9649, + "7203": msg9650, + "7204": msg9651, + "7205": msg9652, + "7206": msg9653, + "7207": msg9654, + "7208": msg9655, + "7209": msg9656, + "721": select628, + "7210": msg9657, + "7211": msg9658, + "7212": msg9659, + "7213": msg9660, + "7214": msg9661, + "7215": msg9662, + "7216": msg9663, + "7217": msg9664, + "7218": msg9665, + "7219": msg9666, + "722": select629, + "7220": msg9667, + "7221": msg9668, + "7222": msg9669, + "7223": msg9670, + "7224": msg9671, + "7225": msg9672, + "7226": msg9673, + "7227": msg9674, + "7228": msg9675, + "7229": msg9676, + "723": select630, + "7230": msg9677, + "7231": msg9678, + "7232": msg9679, + "7233": msg9680, + "7234": msg9681, + "7235": msg9682, + "7236": msg9683, + "7237": msg9684, + "7238": msg9685, + "7239": msg9686, + "724": select631, + "7240": msg9687, + "7241": msg9688, + "7242": msg9689, + "7243": msg9690, + "7244": msg9691, + "7245": msg9692, + "7246": msg9693, + "7247": msg9694, + "7248": msg9695, + "7249": msg9696, + "725": select632, + "7250": msg9697, + "7251": msg9698, + "7252": msg9699, + "7253": msg9700, + "7254": msg9701, + "7255": msg9702, + "7256": msg9703, + "7257": msg9704, + "7258": msg9705, + "7259": msg9706, + "726": select633, + "7260": msg9707, + "7261": msg9708, + "7262": msg9709, + "7263": msg9710, + "7264": msg9711, + "7265": msg9712, + "7266": msg9713, + "7267": msg9714, + "7268": msg9715, + "7269": msg9716, + "727": select634, + "7270": msg9717, + "7271": msg9718, + "7272": msg9719, + "7273": msg9720, + "7274": msg9721, + "7275": msg9722, + "7276": msg9723, + "7277": msg9724, + "7278": msg9725, + "7279": msg9726, + "728": select635, + "7280": msg9727, + "7281": msg9728, + "7282": msg9729, + "7283": msg9730, + "7284": msg9731, + "7285": msg9732, + "7286": msg9733, + "7287": msg9734, + "7288": msg9735, + "7289": msg9736, + "729": select636, + "7290": msg9737, + "7291": msg9738, + "7292": msg9739, + "7293": msg9740, + "7294": msg9741, + "7295": msg9742, + "7296": msg9743, + "7297": msg9744, + "7298": msg9745, + "7299": msg9746, + "730": select637, + "7300": msg9747, + "7301": msg9748, + "7302": msg9749, + "7303": msg9750, + "7304": msg9751, + "7305": msg9752, + "7306": msg9753, + "7307": msg9754, + "7308": msg9755, + "7309": msg9756, + "731": select638, + "7310": msg9757, + "7311": msg9758, + "7312": msg9759, + "7313": msg9760, + "7314": msg9761, + "7315": msg9762, + "7316": msg9763, + "7317": msg9764, + "7318": msg9765, + "7319": msg9766, + "732": select639, + "7320": msg9767, + "7321": msg9768, + "7322": msg9769, + "7323": msg9770, + "7324": msg9771, + "7325": msg9772, + "7326": msg9773, + "7327": msg9774, + "7328": msg9775, + "7329": msg9776, + "733": select640, + "7330": msg9777, + "7331": msg9778, + "7332": msg9779, + "7333": msg9780, + "7334": msg9781, + "7335": msg9782, + "7336": msg9783, + "7337": msg9784, + "7338": msg9785, + "7339": msg9786, + "734": select641, + "7340": msg9787, + "7341": msg9788, + "7342": msg9789, + "7343": msg9790, + "7344": msg9791, + "7345": msg9792, + "7346": msg9793, + "7347": msg9794, + "7348": msg9795, + "7349": msg9796, + "735": select642, + "7350": msg9797, + "7351": msg9798, + "7352": msg9799, + "7353": msg9800, + "7354": msg9801, + "7355": msg9802, + "7356": msg9803, + "7357": msg9804, + "7358": msg9805, + "7359": msg9806, + "736": select643, + "7360": msg9807, + "7361": msg9808, + "7362": msg9809, + "7363": msg9810, + "7364": msg9811, + "7365": msg9812, + "7366": msg9813, + "7367": msg9814, + "7368": msg9815, + "7369": msg9816, + "737": select644, + "7370": msg9817, + "7371": msg9818, + "7372": msg9819, + "7373": msg9820, + "7374": msg9821, + "7375": msg9822, + "7376": msg9823, + "7377": msg9824, + "7378": msg9825, + "7379": msg9826, + "738": select645, + "7380": msg9827, + "7381": msg9828, + "7382": msg9829, + "7383": msg9830, + "7384": msg9831, + "7385": msg9832, + "7386": msg9833, + "7387": msg9834, + "7388": msg9835, + "7389": msg9836, + "739": select646, + "7390": msg9837, + "7391": msg9838, + "7392": msg9839, + "7393": msg9840, + "7394": msg9841, + "7395": msg9842, + "7396": msg9843, + "7397": msg9844, + "7398": msg9845, + "7399": msg9846, + "740": select647, + "7400": msg9847, + "7401": msg9848, + "7402": msg9849, + "7403": msg9850, + "7404": msg9851, + "7405": msg9852, + "7406": msg9853, + "7407": msg9854, + "7408": msg9855, + "7409": msg9856, + "741": select648, + "7410": msg9857, + "7411": msg9858, + "7412": msg9859, + "7413": msg9860, + "7414": msg9861, + "7415": msg9862, + "7416": msg9863, + "7417": msg9864, + "7418": msg9865, + "7419": msg9866, + "742": select649, + "7420": msg9867, + "7421": msg9868, + "7422": msg9869, + "7423": msg9870, + "7424": msg9871, + "7425": msg9872, + "7426": msg9873, + "7427": msg9874, + "7428": msg9875, + "7429": msg9876, + "743": select650, + "7430": msg9877, + "7431": msg9878, + "7432": msg9879, + "7433": msg9880, + "7434": msg9881, + "7435": msg9882, + "7436": msg9883, + "7437": msg9884, + "7438": msg9885, + "7439": msg9886, + "744": select651, + "7440": msg9887, + "7441": msg9888, + "7442": msg9889, + "7443": msg9890, + "7444": msg9891, + "7445": msg9892, + "7446": msg9893, + "7447": msg9894, + "7448": msg9895, + "7449": msg9896, + "745": select652, + "7450": msg9897, + "7451": msg9898, + "7452": msg9899, + "7453": msg9900, + "7454": msg9901, + "7455": msg9902, + "7456": msg9903, + "7457": msg9904, + "7458": msg9905, + "7459": msg9906, + "746": select653, + "7460": msg9907, + "7461": msg9908, + "7462": msg9909, + "7463": msg9910, + "7464": msg9911, + "7465": msg9912, + "7466": msg9913, + "7467": msg9914, + "7468": msg9915, + "7469": msg9916, + "747": select654, + "7470": msg9917, + "7471": msg9918, + "7472": msg9919, + "7473": msg9920, + "7474": msg9921, + "7475": msg9922, + "7476": msg9923, + "7477": msg9924, + "7478": msg9925, + "7479": msg9926, + "748": select655, + "7480": msg9927, + "7481": msg9928, + "7482": msg9929, + "7483": msg9930, + "7484": msg9931, + "7485": msg9932, + "7486": msg9933, + "7487": msg9934, + "7488": msg9935, + "7489": msg9936, + "749": select656, + "7490": msg9937, + "7491": msg9938, + "7492": msg9939, + "7493": msg9940, + "7494": msg9941, + "7495": msg9942, + "7496": msg9943, + "7497": msg9944, + "7498": msg9945, + "7499": msg9946, + "7500": msg9947, + "7501": msg9948, + "7502": msg9949, + "7503": msg9950, + "7504": msg9951, + "7505": msg9952, + "7506": msg9953, + "7507": msg9954, + "7508": msg9955, + "7509": msg9956, + "751": select657, + "7510": msg9957, + "7511": msg9958, + "7512": msg9959, + "7513": msg9960, + "7514": msg9961, + "7515": msg9962, + "7516": msg9963, + "7517": msg9964, + "7518": msg9965, + "7519": msg9966, + "752": select658, + "7520": msg9967, + "7521": msg9968, + "7522": msg9969, + "7523": msg9970, + "7524": msg9971, + "7525": msg9972, + "7526": msg9973, + "7527": msg9974, + "7528": msg9975, + "7529": msg9976, + "753": select659, + "7530": msg9977, + "7531": msg9978, + "7532": msg9979, + "7533": msg9980, + "7534": msg9981, + "7535": msg9982, + "7536": msg9983, + "7537": msg9984, + "7538": msg9985, + "7539": msg9986, + "754": select660, + "7540": msg9987, + "7541": msg9988, + "7542": msg9989, + "7543": msg9990, + "7544": msg9991, + "7545": msg9992, + "7546": msg9993, + "7547": msg9994, + "7548": msg9995, + "7549": msg9996, + "755": select661, + "7550": msg9997, + "7551": msg9998, + "7552": msg9999, + "7553": msg10000, + "7554": msg10001, + "7555": msg10002, + "7556": msg10003, + "7557": msg10004, + "7558": msg10005, + "7559": msg10006, + "756": select662, + "7560": msg10007, + "7561": msg10008, + "7562": msg10009, + "7563": msg10010, + "7564": msg10011, + "7565": msg10012, + "7566": msg10013, + "7567": msg10014, + "7568": msg10015, + "7569": msg10016, + "757": select663, + "7570": msg10017, + "7571": msg10018, + "7572": msg10019, + "7573": msg10020, + "7574": msg10021, + "7575": msg10022, + "7576": msg10023, + "7577": msg10024, + "7578": msg10025, + "7579": msg10026, + "758": select664, + "7580": msg10027, + "7581": msg10028, + "7582": msg10029, + "7583": msg10030, + "7584": msg10031, + "7585": msg10032, + "7586": msg10033, + "7587": msg10034, + "7588": msg10035, + "7589": msg10036, + "759": select665, + "7590": msg10037, + "7591": msg10038, + "7592": msg10039, + "7593": msg10040, + "7594": msg10041, + "7595": msg10042, + "7596": msg10043, + "7597": msg10044, + "7598": msg10045, + "7599": msg10046, + "760": select666, + "7600": msg10047, + "7601": msg10048, + "7602": msg10049, + "7603": msg10050, + "7604": msg10051, + "7605": msg10052, + "7606": msg10053, + "7607": msg10054, + "7608": msg10055, + "7609": msg10056, + "761": select667, + "7610": msg10057, + "7611": msg10058, + "7612": msg10059, + "7613": msg10060, + "7614": msg10061, + "7615": msg10062, + "7616": msg10063, + "7617": msg10064, + "7618": msg10065, + "7619": msg10066, + "762": select668, + "7620": msg10067, + "7621": msg10068, + "7622": msg10069, + "7623": msg10070, + "7624": msg10071, + "7625": msg10072, + "7626": msg10073, + "7627": msg10074, + "7628": msg10075, + "7629": msg10076, + "763": select669, + "7630": msg10077, + "7631": msg10078, + "7632": msg10079, + "7633": msg10080, + "7634": msg10081, + "7635": msg10082, + "7636": msg10083, + "7637": msg10084, + "7638": msg10085, + "7639": msg10086, + "764": select670, + "7640": msg10087, + "7641": msg10088, + "7642": msg10089, + "7643": msg10090, + "7644": msg10091, + "7645": msg10092, + "7646": msg10093, + "7647": msg10094, + "7648": msg10095, + "7649": msg10096, + "765": select671, + "7650": msg10097, + "7651": msg10098, + "7652": msg10099, + "7653": msg10100, + "7654": msg10101, + "7655": msg10102, + "7656": msg10103, + "7657": msg10104, + "7658": msg10105, + "7659": msg10106, + "766": select672, + "7660": msg10107, + "7661": msg10108, + "7662": msg10109, + "7663": msg10110, + "7664": msg10111, + "7665": msg10112, + "7666": msg10113, + "7667": msg10114, + "7668": msg10115, + "7669": msg10116, + "767": select673, + "7670": msg10117, + "7671": msg10118, + "7672": msg10119, + "7673": msg10120, + "7674": msg10121, + "7675": msg10122, + "7676": msg10123, + "7677": msg10124, + "7678": msg10125, + "7679": msg10126, + "768": select674, + "7680": msg10127, + "7681": msg10128, + "7682": msg10129, + "7683": msg10130, + "7684": msg10131, + "7685": msg10132, + "7686": msg10133, + "7687": msg10134, + "7688": msg10135, + "7689": msg10136, + "769": select675, + "7690": msg10137, + "7691": msg10138, + "7692": msg10139, + "7693": msg10140, + "7694": msg10141, + "7695": msg10142, + "7696": msg10143, + "7697": msg10144, + "7698": msg10145, + "7699": msg10146, + "770": select676, + "7700": msg10147, + "7701": msg10148, + "7702": msg10149, + "7703": msg10150, + "7704": msg10151, + "7705": msg10152, + "7706": msg10153, + "7707": msg10154, + "7708": msg10155, + "7709": msg10156, + "771": select677, + "7710": msg10157, + "7711": msg10158, + "7712": msg10159, + "7713": msg10160, + "7714": msg10161, + "7715": msg10162, + "7716": msg10163, + "7717": msg10164, + "7718": msg10165, + "7719": msg10166, + "772": select678, + "7720": msg10167, + "7721": msg10168, + "7722": msg10169, + "7723": msg10170, + "7724": msg10171, + "7725": msg10172, + "7726": msg10173, + "7727": msg10174, + "7728": msg10175, + "7729": msg10176, + "773": select679, + "7730": msg10177, + "7731": msg10178, + "7732": msg10179, + "7733": msg10180, + "7734": msg10181, + "7735": msg10182, + "7736": msg10183, + "7737": msg10184, + "7738": msg10185, + "7739": msg10186, + "774": select680, + "7740": msg10187, + "7741": msg10188, + "7742": msg10189, + "7743": msg10190, + "7744": msg10191, + "7745": msg10192, + "7746": msg10193, + "7747": msg10194, + "7748": msg10195, + "7749": msg10196, + "775": select681, + "7750": msg10197, + "7751": msg10198, + "7752": msg10199, + "7753": msg10200, + "7754": msg10201, + "7755": msg10202, + "7756": msg10203, + "7757": msg10204, + "7758": msg10205, + "7759": msg10206, + "776": select682, + "7760": msg10207, + "7761": msg10208, + "7762": msg10209, + "7763": msg10210, + "7764": msg10211, + "7765": msg10212, + "7766": msg10213, + "7767": msg10214, + "7768": msg10215, + "7769": msg10216, + "777": select683, + "7770": msg10217, + "7771": msg10218, + "7772": msg10219, + "7773": msg10220, + "7774": msg10221, + "7775": msg10222, + "7776": msg10223, + "7777": msg10224, + "7778": msg10225, + "7779": msg10226, + "778": select684, + "7780": msg10227, + "7781": msg10228, + "7782": msg10229, + "7783": msg10230, + "7784": msg10231, + "7785": msg10232, + "7786": msg10233, + "7787": msg10234, + "7788": msg10235, + "7789": msg10236, + "779": select685, + "7790": msg10237, + "7791": msg10238, + "7792": msg10239, + "7793": msg10240, + "7794": msg10241, + "7795": msg10242, + "7796": msg10243, + "7797": msg10244, + "7798": msg10245, + "7799": msg10246, + "780": select686, + "7800": msg10247, + "7801": msg10248, + "7802": msg10249, + "7803": msg10250, + "7804": msg10251, + "7805": msg10252, + "7806": msg10253, + "7807": msg10254, + "7808": msg10255, + "7809": msg10256, + "781": select687, + "7810": msg10257, + "7811": msg10258, + "7812": msg10259, + "7813": msg10260, + "7814": msg10261, + "7815": msg10262, + "7816": msg10263, + "7817": msg10264, + "7818": msg10265, + "7819": msg10266, + "782": select688, + "7820": msg10267, + "7821": msg10268, + "7822": msg10269, + "7823": msg10270, + "7824": msg10271, + "7825": msg10272, + "7826": msg10273, + "7827": msg10274, + "7828": msg10275, + "7829": msg10276, + "783": select689, + "7830": msg10277, + "7831": msg10278, + "7832": msg10279, + "7833": msg10280, + "7834": msg10281, + "7835": msg10282, + "7836": msg10283, + "7837": msg10284, + "7838": msg10285, + "7839": msg10286, + "784": select690, + "7840": msg10287, + "7841": msg10288, + "7842": msg10289, + "7843": msg10290, + "7844": msg10291, + "7845": msg10292, + "7846": msg10293, + "7847": msg10294, + "7848": msg10295, + "7849": msg10296, + "785": select691, + "7850": msg10297, + "7851": msg10298, + "7852": msg10299, + "7853": msg10300, + "7854": msg10301, + "7855": msg10302, + "7856": msg10303, + "7857": msg10304, + "7858": msg10305, + "7859": msg10306, + "786": select692, + "7860": msg10307, + "7861": msg10308, + "7862": msg10309, + "7863": msg10310, + "7864": msg10311, + "7865": msg10312, + "7866": msg10313, + "7867": msg10314, + "7868": msg10315, + "7869": msg10316, + "787": select693, + "7870": msg10317, + "7871": msg10318, + "7872": msg10319, + "7873": msg10320, + "7874": msg10321, + "7875": msg10322, + "7876": msg10323, + "7877": msg10324, + "7878": msg10325, + "7879": msg10326, + "788": select694, + "7880": msg10327, + "7881": msg10328, + "7882": msg10329, + "7883": msg10330, + "7884": msg10331, + "7885": msg10332, + "7886": msg10333, + "7887": msg10334, + "7888": msg10335, + "7889": msg10336, + "789": select695, + "7890": msg10337, + "7891": msg10338, + "7892": msg10339, + "7893": msg10340, + "7894": msg10341, + "7895": msg10342, + "7896": msg10343, + "7897": msg10344, + "7898": msg10345, + "7899": msg10346, + "790": select696, + "7900": msg10347, + "7901": msg10348, + "7902": msg10349, + "7903": msg10350, + "7904": msg10351, + "7905": msg10352, + "7906": msg10353, + "7907": msg10354, + "7908": msg10355, + "7909": msg10356, + "791": select697, + "7910": msg10357, + "7911": msg10358, + "7912": msg10359, + "7913": msg10360, + "7914": msg10361, + "7915": msg10362, + "7916": msg10363, + "7917": msg10364, + "7918": msg10365, + "7919": msg10366, + "792": select698, + "7920": msg10367, + "7921": msg10368, + "7922": msg10369, + "7923": msg10370, + "7924": msg10371, + "7925": msg10372, + "7926": msg10373, + "7927": msg10374, + "7928": msg10375, + "7929": msg10376, + "793": select699, + "7930": msg10377, + "7931": msg10378, + "7932": msg10379, + "7933": msg10380, + "7934": msg10381, + "7935": msg10382, + "7936": msg10383, + "7937": msg10384, + "7938": msg10385, + "7939": msg10386, + "794": select700, + "7940": msg10387, + "7941": msg10388, + "7942": msg10389, + "7943": msg10390, + "7944": msg10391, + "7945": msg10392, + "7946": msg10393, + "7947": msg10394, + "7948": msg10395, + "7949": msg10396, + "795": select701, + "7950": msg10397, + "7951": msg10398, + "7952": msg10399, + "7953": msg10400, + "7954": msg10401, + "7955": msg10402, + "7956": msg10403, + "7957": msg10404, + "7958": msg10405, + "7959": msg10406, + "796": select702, + "7960": msg10407, + "7961": msg10408, + "7962": msg10409, + "7963": msg10410, + "7964": msg10411, + "7965": msg10412, + "7966": msg10413, + "7967": msg10414, + "7968": msg10415, + "7969": msg10416, + "797": select703, + "7970": msg10417, + "7971": msg10418, + "7972": msg10419, + "7973": msg10420, + "7974": msg10421, + "7975": msg10422, + "7976": msg10423, + "7977": msg10424, + "7978": msg10425, + "7979": msg10426, + "798": select704, + "7980": msg10427, + "7981": msg10428, + "7982": msg10429, + "7983": msg10430, + "7984": msg10431, + "7985": msg10432, + "7986": msg10433, + "7987": msg10434, + "7988": msg10435, + "7989": msg10436, + "799": select705, + "7990": msg10437, + "7991": msg10438, + "7992": msg10439, + "7993": msg10440, + "7994": msg10441, + "7995": msg10442, + "7996": msg10443, + "7997": msg10444, + "7998": msg10445, + "7999": msg10446, + "8": select13, + "800": select706, + "8000": msg10447, + "8001": msg10448, + "8002": msg10449, + "8003": msg10450, + "8004": msg10451, + "8005": msg10452, + "8006": msg10453, + "8007": msg10454, + "8008": msg10455, + "8009": msg10456, + "801": select707, + "8010": msg10457, + "8011": msg10458, + "8012": msg10459, + "8013": msg10460, + "8014": msg10461, + "8015": msg10462, + "8016": msg10463, + "8017": msg10464, + "8018": msg10465, + "8019": msg10466, + "802": select708, + "8020": msg10467, + "8021": msg10468, + "8022": msg10469, + "8023": msg10470, + "8024": msg10471, + "8025": msg10472, + "8026": msg10473, + "8027": msg10474, + "8028": msg10475, + "8029": msg10476, + "803": select709, + "8030": msg10477, + "8031": msg10478, + "8032": msg10479, + "8033": msg10480, + "8034": msg10481, + "8035": msg10482, + "8036": msg10483, + "8037": msg10484, + "8038": msg10485, + "8039": msg10486, + "804": select710, + "8040": msg10487, + "8041": msg10488, + "8042": msg10489, + "8043": msg10490, + "8044": msg10491, + "8045": msg10492, + "8046": msg10493, + "8047": msg10494, + "8048": msg10495, + "8049": msg10496, + "805": select711, + "8050": msg10497, + "8051": msg10498, + "8052": msg10499, + "8053": msg10500, + "8054": msg10501, + "8055": msg10502, + "8056": msg10503, + "8057": msg10504, + "8058": msg10505, + "8059": msg10506, + "806": select712, + "8060": msg10507, + "8061": msg10508, + "8062": msg10509, + "8063": msg10510, + "8064": msg10511, + "8065": msg10512, + "8066": msg10513, + "8067": msg10514, + "8068": msg10515, + "8069": msg10516, + "807": select713, + "8070": msg10517, + "8071": msg10518, + "8072": msg10519, + "8073": msg10520, + "8074": msg10521, + "8075": msg10522, + "8076": msg10523, + "8077": msg10524, + "8078": msg10525, + "8079": msg10526, + "808": select714, + "8080": msg10527, + "8081": msg10528, + "8082": msg10529, + "8083": msg10530, + "8084": msg10531, + "8085": msg10532, + "8086": msg10533, + "8087": msg10534, + "8088": msg10535, + "8089": msg10536, + "809": select715, + "8090": msg10537, + "8091": msg10538, + "8092": msg10539, + "8093": msg10540, + "8094": msg10541, + "8095": msg10542, + "8096": msg10543, + "8097": msg10544, + "8098": msg10545, + "8099": msg10546, + "810": select716, + "8100": msg10547, + "8101": msg10548, + "8102": msg10549, + "8103": msg10550, + "8104": msg10551, + "8105": msg10552, + "8106": msg10553, + "8107": msg10554, + "8108": msg10555, + "8109": msg10556, + "811": select717, + "8110": msg10557, + "8111": msg10558, + "8112": msg10559, + "8113": msg10560, + "8114": msg10561, + "8115": msg10562, + "8116": msg10563, + "8117": msg10564, + "8118": msg10565, + "8119": msg10566, + "812": select718, + "8120": msg10567, + "8121": msg10568, + "8122": msg10569, + "8123": msg10570, + "8124": msg10571, + "8125": msg10572, + "8126": msg10573, + "8127": msg10574, + "8128": msg10575, + "8129": msg10576, + "813": select719, + "8130": msg10577, + "8131": msg10578, + "8132": msg10579, + "8133": msg10580, + "8134": msg10581, + "8135": msg10582, + "8136": msg10583, + "8137": msg10584, + "8138": msg10585, + "8139": msg10586, + "8140": msg10587, + "8141": msg10588, + "8142": msg10589, + "8143": msg10590, + "8144": msg10591, + "8145": msg10592, + "8146": msg10593, + "8147": msg10594, + "8148": msg10595, + "8149": msg10596, + "815": select720, + "8150": msg10597, + "8151": msg10598, + "8152": msg10599, + "8153": msg10600, + "8154": msg10601, + "8155": msg10602, + "8156": msg10603, + "8157": msg10604, + "8158": msg10605, + "8159": msg10606, + "8160": msg10607, + "8161": msg10608, + "8162": msg10609, + "8163": msg10610, + "8164": msg10611, + "8165": msg10612, + "8166": msg10613, + "8167": msg10614, + "8168": msg10615, + "8169": msg10616, + "817": select721, + "8170": msg10617, + "8171": msg10618, + "8172": msg10619, + "8173": msg10620, + "8174": msg10621, + "8175": msg10622, + "8176": msg10623, + "8177": msg10624, + "8178": msg10625, + "8179": msg10626, + "818": select722, + "8180": msg10627, + "8181": msg10628, + "8182": msg10629, + "8183": msg10630, + "8184": msg10631, + "8185": msg10632, + "8186": msg10633, + "8187": msg10634, + "8188": msg10635, + "8189": msg10636, + "819": select723, + "8190": msg10637, + "8191": msg10638, + "8192": msg10639, + "8193": msg10640, + "8194": msg10641, + "8195": msg10642, + "8196": msg10643, + "8197": msg10644, + "8198": msg10645, + "8199": msg10646, + "820": select724, + "8200": msg10647, + "8201": msg10648, + "8202": msg10649, + "8203": msg10650, + "8204": msg10651, + "8205": msg10652, + "8206": msg10653, + "8207": msg10654, + "8208": msg10655, + "8209": msg10656, + "821": select725, + "8210": msg10657, + "8211": msg10658, + "8212": msg10659, + "8213": msg10660, + "8214": msg10661, + "8215": msg10662, + "8216": msg10663, + "8217": msg10664, + "8218": msg10665, + "8219": msg10666, + "8220": msg10667, + "8221": msg10668, + "8222": msg10669, + "8223": msg10670, + "8224": msg10671, + "8225": msg10672, + "8226": msg10673, + "8227": msg10674, + "8228": msg10675, + "8229": msg10676, + "823": select726, + "8230": msg10677, + "8231": msg10678, + "8232": msg10679, + "8233": msg10680, + "8234": msg10681, + "8235": msg10682, + "8236": msg10683, + "8237": msg10684, + "8238": msg10685, + "8239": msg10686, + "824": select727, + "8240": msg10687, + "8241": msg10688, + "8242": msg10689, + "8243": msg10690, + "8244": msg10691, + "8245": msg10692, + "8246": msg10693, + "8247": msg10694, + "8248": msg10695, + "8249": msg10696, + "825": select728, + "8250": msg10697, + "8251": msg10698, + "8252": msg10699, + "8253": msg10700, + "8254": msg10701, + "8255": msg10702, + "8256": msg10703, + "8257": msg10704, + "8258": msg10705, + "8259": msg10706, + "826": select729, + "8260": msg10707, + "8261": msg10708, + "8262": msg10709, + "8263": msg10710, + "8264": msg10711, + "8265": msg10712, + "8266": msg10713, + "8267": msg10714, + "8268": msg10715, + "8269": msg10716, + "827": select730, + "8270": msg10717, + "8271": msg10718, + "8272": msg10719, + "8273": msg10720, + "8274": msg10721, + "8275": msg10722, + "8276": msg10723, + "8277": msg10724, + "8278": msg10725, + "8279": msg10726, + "828": select731, + "8280": msg10727, + "8281": msg10728, + "8282": msg10729, + "8283": msg10730, + "8284": msg10731, + "8285": msg10732, + "8286": msg10733, + "8287": msg10734, + "8288": msg10735, + "8289": msg10736, + "829": select732, + "8290": msg10737, + "8291": msg10738, + "8292": msg10739, + "8293": msg10740, + "8294": msg10741, + "8295": msg10742, + "8296": msg10743, + "8297": msg10744, + "8298": msg10745, + "8299": msg10746, + "830": select733, + "8300": msg10747, + "8301": msg10748, + "8302": msg10749, + "8303": msg10750, + "8304": msg10751, + "8305": msg10752, + "8306": msg10753, + "8307": msg10754, + "8308": msg10755, + "8309": msg10756, + "8310": msg10757, + "8311": msg10758, + "8312": msg10759, + "8313": msg10760, + "8314": msg10761, + "8315": msg10762, + "8316": msg10763, + "8317": msg10764, + "8318": msg10765, + "8319": msg10766, + "832": select734, + "8320": msg10767, + "8321": msg10768, + "8322": msg10769, + "8323": msg10770, + "8324": msg10771, + "8325": msg10772, + "8326": msg10773, + "8327": msg10774, + "8328": msg10775, + "8329": msg10776, + "833": select735, + "8330": msg10777, + "8331": msg10778, + "8332": msg10779, + "8333": msg10780, + "8334": msg10781, + "8335": msg10782, + "8336": msg10783, + "8337": msg10784, + "8338": msg10785, + "8339": msg10786, + "834": select736, + "8340": msg10787, + "8341": msg10788, + "8342": msg10789, + "8343": msg10790, + "8344": msg10791, + "8345": msg10792, + "8346": msg10793, + "8347": msg10794, + "8348": msg10795, + "8349": msg10796, + "835": select737, + "8350": msg10797, + "8351": msg10798, + "8352": msg10799, + "8353": msg10800, + "8354": msg10801, + "8355": msg10802, + "8356": msg10803, + "8357": msg10804, + "8358": msg10805, + "8359": msg10806, + "836": select738, + "8360": msg10807, + "8361": msg10808, + "8362": msg10809, + "8363": msg10810, + "8364": msg10811, + "8365": msg10812, + "8366": msg10813, + "8367": msg10814, + "8368": msg10815, + "8369": msg10816, + "837": select739, + "8370": msg10817, + "8371": msg10818, + "8372": msg10819, + "8373": msg10820, + "8374": msg10821, + "8375": msg10822, + "8376": msg10823, + "8377": msg10824, + "8378": msg10825, + "8379": msg10826, + "838": select740, + "8380": msg10827, + "8381": msg10828, + "8382": msg10829, + "8383": msg10830, + "8384": msg10831, + "8385": msg10832, + "8386": msg10833, + "8387": msg10834, + "8388": msg10835, + "8389": msg10836, + "839": select741, + "8390": msg10837, + "8391": msg10838, + "8392": msg10839, + "8393": msg10840, + "8394": msg10841, + "8395": msg10842, + "8396": msg10843, + "8397": msg10844, + "8398": msg10845, + "8399": msg10846, + "840": select742, + "8400": msg10847, + "8401": msg10848, + "8402": msg10849, + "8403": msg10850, + "8404": msg10851, + "8405": msg10852, + "8406": msg10853, + "8407": msg10854, + "8408": msg10855, + "8409": msg10856, + "841": select743, + "8410": msg10857, + "8411": msg10858, + "8412": msg10859, + "8413": msg10860, + "8414": msg10861, + "8415": msg10862, + "8416": msg10863, + "8417": msg10864, + "8418": msg10865, + "8419": msg10866, + "842": select744, + "8420": msg10867, + "8421": msg10868, + "8422": msg10869, + "8423": msg10870, + "8424": msg10871, + "8425": msg10872, + "8426": msg10873, + "8427": msg10874, + "8428": msg10875, + "8429": msg10876, + "843": select745, + "8430": msg10877, + "8431": msg10878, + "8432": msg10879, + "8433": msg10880, + "8434": msg10881, + "8435": msg10882, + "8436": msg10883, + "8437": msg10884, + "8438": msg10885, + "8439": msg10886, + "844": select746, + "8440": msg10887, + "8441": msg10888, + "8442": msg10889, + "8443": msg10890, + "8444": msg10891, + "8445": msg10892, + "8446": msg10893, + "8447": msg10894, + "8448": msg10895, + "8449": msg10896, + "845": select747, + "8450": msg10897, + "8451": msg10898, + "8452": msg10899, + "8453": msg10900, + "8454": msg10901, + "8455": msg10902, + "8456": msg10903, + "8457": msg10904, + "8458": msg10905, + "8459": msg10906, + "846": select748, + "8460": msg10907, + "8461": msg10908, + "8462": msg10909, + "8463": msg10910, + "8464": msg10911, + "8465": msg10912, + "8466": msg10913, + "8467": msg10914, + "8468": msg10915, + "8469": msg10916, + "847": select749, + "8470": msg10917, + "8471": msg10918, + "8472": msg10919, + "8473": msg10920, + "8474": msg10921, + "8475": msg10922, + "8476": msg10923, + "8477": msg10924, + "8478": msg10925, + "8479": msg10926, + "848": select750, + "8480": msg10927, + "8481": msg10928, + "8482": msg10929, + "8483": msg10930, + "8484": msg10931, + "8485": msg10932, + "8486": msg10933, + "8487": msg10934, + "8488": msg10935, + "8489": msg10936, + "849": select751, + "8490": msg10937, + "8491": msg10938, + "8492": msg10939, + "8493": msg10940, + "8494": msg10941, + "8495": msg10942, + "8496": msg10943, + "8497": msg10944, + "8498": msg10945, + "8499": msg10946, + "850": select752, + "8500": msg10947, + "8501": msg10948, + "8502": msg10949, + "8503": msg10950, + "8504": msg10951, + "8505": msg10952, + "8506": msg10953, + "8507": msg10954, + "8508": msg10955, + "8509": msg10956, + "851": select753, + "8510": msg10957, + "8511": msg10958, + "8512": msg10959, + "8513": msg10960, + "8514": msg10961, + "8515": msg10962, + "8516": msg10963, + "8517": msg10964, + "8518": msg10965, + "8519": msg10966, + "852": select754, + "8520": msg10967, + "8521": msg10968, + "8522": msg10969, + "8523": msg10970, + "8524": msg10971, + "8525": msg10972, + "8526": msg10973, + "8527": msg10974, + "8528": msg10975, + "8529": msg10976, + "853": select755, + "8530": msg10977, + "8531": msg10978, + "8532": msg10979, + "8533": msg10980, + "8534": msg10981, + "8535": msg10982, + "8536": msg10983, + "8537": msg10984, + "8538": msg10985, + "8539": msg10986, + "854": select756, + "8540": msg10987, + "8541": msg10988, + "8542": msg10989, + "8543": msg10990, + "8544": msg10991, + "8545": msg10992, + "8546": msg10993, + "8547": msg10994, + "8548": msg10995, + "8549": msg10996, + "855": select757, + "8550": msg10997, + "8551": msg10998, + "8552": msg10999, + "8553": msg11000, + "8554": msg11001, + "8555": msg11002, + "8556": msg11003, + "8557": msg11004, + "8558": msg11005, + "8559": msg11006, + "856": select758, + "8560": msg11007, + "8561": msg11008, + "8562": msg11009, + "8563": msg11010, + "8564": msg11011, + "8565": msg11012, + "8566": msg11013, + "8567": msg11014, + "8568": msg11015, + "8569": msg11016, + "857": select759, + "8570": msg11017, + "8571": msg11018, + "8572": msg11019, + "8573": msg11020, + "8574": msg11021, + "8575": msg11022, + "8576": msg11023, + "8577": msg11024, + "8578": msg11025, + "8579": msg11026, + "858": select760, + "8580": msg11027, + "8581": msg11028, + "8582": msg11029, + "8583": msg11030, + "8584": msg11031, + "8585": msg11032, + "8586": msg11033, + "8587": msg11034, + "8588": msg11035, + "8589": msg11036, + "859": select761, + "8590": msg11037, + "8591": msg11038, + "8592": msg11039, + "8593": msg11040, + "8594": msg11041, + "8595": msg11042, + "8596": msg11043, + "8597": msg11044, + "8598": msg11045, + "8599": msg11046, + "860": select762, + "8600": msg11047, + "8601": msg11048, + "8602": msg11049, + "8603": msg11050, + "8604": msg11051, + "8605": msg11052, + "8606": msg11053, + "8607": msg11054, + "8608": msg11055, + "8609": msg11056, + "861": select763, + "8610": msg11057, + "8611": msg11058, + "8612": msg11059, + "8613": msg11060, + "8614": msg11061, + "8615": msg11062, + "8616": msg11063, + "8617": msg11064, + "8618": msg11065, + "8619": msg11066, + "862": select764, + "8620": msg11067, + "8621": msg11068, + "8622": msg11069, + "8623": msg11070, + "8624": msg11071, + "8625": msg11072, + "8626": msg11073, + "8627": msg11074, + "8628": msg11075, + "8629": msg11076, + "863": select765, + "8630": msg11077, + "8631": msg11078, + "8632": msg11079, + "8633": msg11080, + "8634": msg11081, + "8635": msg11082, + "8636": msg11083, + "8637": msg11084, + "8638": msg11085, + "8639": msg11086, + "864": select766, + "8640": msg11087, + "8641": msg11088, + "8642": msg11089, + "8643": msg11090, + "8644": msg11091, + "8645": msg11092, + "8646": msg11093, + "8647": msg11094, + "8648": msg11095, + "8649": msg11096, + "865": select767, + "8650": msg11097, + "8651": msg11098, + "8652": msg11099, + "8653": msg11100, + "8654": msg11101, + "8655": msg11102, + "8656": msg11103, + "8657": msg11104, + "8658": msg11105, + "8659": msg11106, + "866": select768, + "8660": msg11107, + "8661": msg11108, + "8662": msg11109, + "8663": msg11110, + "8664": msg11111, + "8665": msg11112, + "8666": msg11113, + "8667": msg11114, + "8668": msg11115, + "8669": msg11116, + "867": select769, + "8670": msg11117, + "8671": msg11118, + "8672": msg11119, + "8673": msg11120, + "8674": msg11121, + "8675": msg11122, + "8676": msg11123, + "8677": msg11124, + "8678": msg11125, + "8679": msg11126, + "868": select770, + "8680": msg11127, + "8681": msg11128, + "8682": msg11129, + "8683": msg11130, + "8684": msg11131, + "8685": msg11132, + "8686": msg11133, + "8687": msg11134, + "8688": msg11135, + "8689": msg11136, + "869": select771, + "8690": msg11137, + "8691": msg11138, + "8692": msg11139, + "8693": msg11140, + "8694": msg11141, + "8695": msg11142, + "8696": msg11143, + "8697": msg11144, + "8698": msg11145, + "8699": msg11146, + "870": select772, + "8700": msg11147, + "8701": msg11148, + "8702": msg11149, + "8703": msg11150, + "8704": msg11151, + "8705": msg11152, + "8706": msg11153, + "8707": msg11154, + "8708": msg11155, + "8709": msg11156, + "871": select773, + "8710": msg11157, + "8711": msg11158, + "8712": msg11159, + "8713": msg11160, + "8714": msg11161, + "8715": msg11162, + "8716": msg11163, + "8717": msg11164, + "8718": msg11165, + "8719": msg11166, + "872": select774, + "8720": msg11167, + "8721": msg11168, + "8722": msg11169, + "8723": msg11170, + "8724": msg11171, + "8725": msg11172, + "8726": msg11173, + "8727": msg11174, + "8728": msg11175, + "8729": msg11176, + "873": select775, + "8730": msg11177, + "8731": msg11178, + "8732": msg11179, + "8733": msg11180, + "8734": msg11181, + "8735": msg11182, + "8736": msg11183, + "8737": msg11184, + "8738": msg11185, + "8739": msg11186, + "874": select776, + "8740": msg11187, + "8741": msg11188, + "8742": msg11189, + "8743": msg11190, + "8744": msg11191, + "8745": msg11192, + "8746": msg11193, + "8747": msg11194, + "8748": msg11195, + "8749": msg11196, + "875": select777, + "8750": msg11197, + "8751": msg11198, + "8752": msg11199, + "8753": msg11200, + "8754": msg11201, + "8755": msg11202, + "8756": msg11203, + "8757": msg11204, + "8758": msg11205, + "8759": msg11206, + "876": select778, + "8760": msg11207, + "8761": msg11208, + "8762": msg11209, + "8763": msg11210, + "8764": msg11211, + "8765": msg11212, + "8766": msg11213, + "8767": msg11214, + "8768": msg11215, + "8769": msg11216, + "877": select779, + "8770": msg11217, + "8771": msg11218, + "8772": msg11219, + "8773": msg11220, + "8774": msg11221, + "8775": msg11222, + "8776": msg11223, + "8777": msg11224, + "8778": msg11225, + "8779": msg11226, + "878": select780, + "8780": msg11227, + "8781": msg11228, + "8782": msg11229, + "8783": msg11230, + "8784": msg11231, + "8785": msg11232, + "8786": msg11233, + "8787": msg11234, + "8788": msg11235, + "8789": msg11236, + "879": select781, + "8790": msg11237, + "8791": msg11238, + "8792": msg11239, + "8793": msg11240, + "8794": msg11241, + "8795": msg11242, + "8796": msg11243, + "8797": msg11244, + "8798": msg11245, + "8799": msg11246, + "880": select782, + "8800": msg11247, + "8801": msg11248, + "8802": msg11249, + "8803": msg11250, + "8804": msg11251, + "8805": msg11252, + "8806": msg11253, + "8807": msg11254, + "8808": msg11255, + "8809": msg11256, + "881": select783, + "8810": msg11257, + "8811": msg11258, + "8812": msg11259, + "8813": msg11260, + "8814": msg11261, + "8815": msg11262, + "8816": msg11263, + "8817": msg11264, + "8818": msg11265, + "8819": msg11266, + "882": select784, + "8820": msg11267, + "8821": msg11268, + "8822": msg11269, + "8823": msg11270, + "8824": msg11271, + "8825": msg11272, + "8826": msg11273, + "8827": msg11274, + "8828": msg11275, + "8829": msg11276, + "883": select785, + "8830": msg11277, + "8831": msg11278, + "8832": msg11279, + "8833": msg11280, + "8834": msg11281, + "8835": msg11282, + "8836": msg11283, + "8837": msg11284, + "8838": msg11285, + "8839": msg11286, + "884": select786, + "8840": msg11287, + "8841": msg11288, + "8842": msg11289, + "8843": msg11290, + "8844": msg11291, + "8845": msg11292, + "8846": msg11293, + "8847": msg11294, + "8848": msg11295, + "8849": msg11296, + "885": select787, + "8850": msg11297, + "8851": msg11298, + "8852": msg11299, + "8853": msg11300, + "8854": msg11301, + "8855": msg11302, + "8856": msg11303, + "8857": msg11304, + "8858": msg11305, + "8859": msg11306, + "886": select788, + "8860": msg11307, + "8861": msg11308, + "8862": msg11309, + "8863": msg11310, + "8864": msg11311, + "8865": msg11312, + "8866": msg11313, + "8867": msg11314, + "8868": msg11315, + "8869": msg11316, + "887": select789, + "8870": msg11317, + "8871": msg11318, + "8872": msg11319, + "8873": msg11320, + "8874": msg11321, + "8875": msg11322, + "8876": msg11323, + "8877": msg11324, + "8878": msg11325, + "8879": msg11326, + "888": select790, + "8880": msg11327, + "8881": msg11328, + "8882": msg11329, + "8883": msg11330, + "8884": msg11331, + "8885": msg11332, + "8886": msg11333, + "8887": msg11334, + "8888": msg11335, + "8888888": msg38428, + "8888889": msg38429, + "8889": msg11336, + "889": select791, + "8890": msg11337, + "8891": msg11338, + "8892": msg11339, + "8893": msg11340, + "8894": msg11341, + "8895": msg11342, + "8896": msg11343, + "8897": msg11344, + "8898": msg11345, + "8899": msg11346, + "890": select792, + "8900": msg11347, + "8901": msg11348, + "8902": msg11349, + "8903": msg11350, + "8904": msg11351, + "8905": msg11352, + "8906": msg11353, + "8907": msg11354, + "8908": msg11355, + "8909": msg11356, + "891": select793, + "8910": msg11357, + "8911": msg11358, + "8912": msg11359, + "8913": msg11360, + "8914": msg11361, + "8915": msg11362, + "8916": msg11363, + "8917": msg11364, + "8918": msg11365, + "8919": msg11366, + "892": select794, + "8920": msg11367, + "8921": msg11368, + "8922": msg11369, + "8923": msg11370, + "8924": msg11371, + "8925": msg11372, + "8926": msg11373, + "8927": msg11374, + "8928": msg11375, + "8929": msg11376, + "893": select795, + "8930": msg11377, + "8931": msg11378, + "8932": msg11379, + "8933": msg11380, + "8934": msg11381, + "8935": msg11382, + "8936": msg11383, + "8937": msg11384, + "8938": msg11385, + "8939": msg11386, + "894": select796, + "8940": msg11387, + "8941": msg11388, + "8942": msg11389, + "8943": msg11390, + "8944": msg11391, + "8945": msg11392, + "8946": msg11393, + "8947": msg11394, + "8948": msg11395, + "8949": msg11396, + "895": select797, + "8950": msg11397, + "8951": msg11398, + "8952": msg11399, + "8953": msg11400, + "8954": msg11401, + "8955": msg11402, + "8956": msg11403, + "8957": msg11404, + "8958": msg11405, + "8959": msg11406, + "896": select798, + "8960": msg11407, + "8961": msg11408, + "8962": msg11409, + "8963": msg11410, + "8964": msg11411, + "8965": msg11412, + "8966": msg11413, + "8967": msg11414, + "8968": msg11415, + "8969": msg11416, + "897": select799, + "8970": msg11417, + "8971": msg11418, + "8972": msg11419, + "8973": msg11420, + "8974": msg11421, + "8975": msg11422, + "8976": msg11423, + "8977": msg11424, + "8978": msg11425, + "8979": msg11426, + "898": select800, + "8980": msg11427, + "8981": msg11428, + "8982": msg11429, + "8983": msg11430, + "8984": msg11431, + "8985": msg11432, + "8986": msg11433, + "8987": msg11434, + "8988": msg11435, + "8989": msg11436, + "899": select801, + "8990": msg11437, + "8991": msg11438, + "8992": msg11439, + "8993": msg11440, + "8994": msg11441, + "8995": msg11442, + "8996": msg11443, + "8997": msg11444, + "8998": msg11445, + "8999": msg11446, + "9": msg33, + "900": select802, + "9000": msg11447, + "9001": msg11448, + "9002": msg11449, + "9003": msg11450, + "9004": msg11451, + "9005": msg11452, + "9006": msg11453, + "9007": msg11454, + "9008": msg11455, + "9009": msg11456, + "901": select803, + "9010": msg11457, + "9011": msg11458, + "9012": msg11459, + "9013": msg11460, + "9014": msg11461, + "9015": msg11462, + "9016": msg11463, + "9017": msg11464, + "9018": msg11465, + "9019": msg11466, + "902": select804, + "9020": msg11467, + "9021": msg11468, + "9022": msg11469, + "9023": msg11470, + "9024": msg11471, + "9025": msg11472, + "9026": msg11473, + "9027": msg11474, + "9028": msg11475, + "9029": msg11476, + "903": select805, + "9030": msg11477, + "9031": msg11478, + "9032": msg11479, + "9033": msg11480, + "9034": msg11481, + "9035": msg11482, + "9036": msg11483, + "9037": msg11484, + "9038": msg11485, + "9039": msg11486, + "904": select806, + "9040": msg11487, + "9041": msg11488, + "9042": msg11489, + "9043": msg11490, + "9044": msg11491, + "9045": msg11492, + "9046": msg11493, + "9047": msg11494, + "9048": msg11495, + "9049": msg11496, + "905": select807, + "9050": msg11497, + "9051": msg11498, + "9052": msg11499, + "9053": msg11500, + "9054": msg11501, + "9055": msg11502, + "9056": msg11503, + "9057": msg11504, + "9058": msg11505, + "9059": msg11506, + "906": select808, + "9060": msg11507, + "9061": msg11508, + "9062": msg11509, + "9063": msg11510, + "9064": msg11511, + "9065": msg11512, + "9066": msg11513, + "9067": msg11514, + "9068": msg11515, + "9069": msg11516, + "907": select809, + "9070": msg11517, + "9071": msg11518, + "9072": msg11519, + "9073": msg11520, + "9074": msg11521, + "9075": msg11522, + "9076": msg11523, + "9077": msg11524, + "9078": msg11525, + "9079": msg11526, + "908": select810, + "9080": msg11527, + "9081": msg11528, + "9082": msg11529, + "9083": msg11530, + "9084": msg11531, + "9085": msg11532, + "9086": msg11533, + "9087": msg11534, + "9088": msg11535, + "9089": msg11536, + "909": select811, + "9090": msg11537, + "9091": msg11538, + "9092": msg11539, + "9093": msg11540, + "9094": msg11541, + "9095": msg11542, + "9096": msg11543, + "9097": msg11544, + "9098": msg11545, + "9099": msg11546, + "910": select812, + "9100": msg11547, + "9101": msg11548, + "9102": msg11549, + "9103": msg11550, + "9104": msg11551, + "9105": msg11552, + "9106": msg11553, + "9107": msg11554, + "9108": msg11555, + "9109": msg11556, + "911": select813, + "9110": msg11557, + "9111": msg11558, + "9112": msg11559, + "9113": msg11560, + "9114": msg11561, + "9115": msg11562, + "9116": msg11563, + "9117": msg11564, + "9118": msg11565, + "9119": msg11566, + "912": select814, + "9120": msg11567, + "9121": msg11568, + "9122": msg11569, + "9123": msg11570, + "9124": msg11571, + "9125": msg11572, + "9126": msg11573, + "9127": msg11574, + "9128": msg11575, + "9129": msg11576, + "913": select815, + "9130": msg11577, + "9131": msg11578, + "9132": msg11579, + "9133": msg11580, + "9134": msg11581, + "9135": msg11582, + "9136": msg11583, + "9137": msg11584, + "9138": msg11585, + "9139": msg11586, + "914": select816, + "9140": msg11587, + "9141": msg11588, + "9142": msg11589, + "9143": msg11590, + "9144": msg11591, + "9145": msg11592, + "9146": msg11593, + "9147": msg11594, + "9148": msg11595, + "9149": msg11596, + "915": select817, + "9150": msg11597, + "9151": msg11598, + "9152": msg11599, + "9153": msg11600, + "9154": msg11601, + "9155": msg11602, + "9156": msg11603, + "9157": msg11604, + "9158": msg11605, + "9159": msg11606, + "916": select818, + "9160": msg11607, + "9161": msg11608, + "9162": msg11609, + "9163": msg11610, + "9164": msg11611, + "9165": msg11612, + "9166": msg11613, + "9167": msg11614, + "9168": msg11615, + "9169": msg11616, + "917": select819, + "9170": msg11617, + "9171": msg11618, + "9172": msg11619, + "9173": msg11620, + "9174": msg11621, + "9175": msg11622, + "9176": msg11623, + "9177": msg11624, + "9178": msg11625, + "9179": msg11626, + "918": select820, + "9180": msg11627, + "9181": msg11628, + "9182": msg11629, + "9183": msg11630, + "9184": msg11631, + "9185": msg11632, + "9186": msg11633, + "9187": msg11634, + "9188": msg11635, + "9189": msg11636, + "919": select821, + "9190": msg11637, + "9191": msg11638, + "9192": msg11639, + "9193": msg11640, + "9194": msg11641, + "9195": msg11642, + "9196": msg11643, + "9197": msg11644, + "9198": msg11645, + "9199": msg11646, + "920": select822, + "9200": msg11647, + "9201": msg11648, + "9202": msg11649, + "9203": msg11650, + "9204": msg11651, + "9205": msg11652, + "9206": msg11653, + "9207": msg11654, + "9208": msg11655, + "9209": msg11656, + "921": select823, + "9210": msg11657, + "9211": msg11658, + "9212": msg11659, + "9213": msg11660, + "9214": msg11661, + "9215": msg11662, + "9216": msg11663, + "9217": msg11664, + "9218": msg11665, + "9219": msg11666, + "922": select824, + "9220": msg11667, + "9221": msg11668, + "9222": msg11669, + "9223": msg11670, + "9224": msg11671, + "9225": msg11672, + "9226": msg11673, + "9227": msg11674, + "9228": msg11675, + "9229": msg11676, + "923": select825, + "9230": msg11677, + "9231": msg11678, + "9232": msg11679, + "9233": msg11680, + "9234": msg11681, + "9235": msg11682, + "9236": msg11683, + "9237": msg11684, + "9238": msg11685, + "9239": msg11686, + "924": select826, + "9240": msg11687, + "9241": msg11688, + "9242": msg11689, + "9243": msg11690, + "9244": msg11691, + "9245": msg11692, + "9246": msg11693, + "9247": msg11694, + "9248": msg11695, + "9249": msg11696, + "925": select827, + "9250": msg11697, + "9251": msg11698, + "9252": msg11699, + "9253": msg11700, + "9254": msg11701, + "9255": msg11702, + "9256": msg11703, + "9257": msg11704, + "9258": msg11705, + "9259": msg11706, + "926": select828, + "9260": msg11707, + "9261": msg11708, + "9262": msg11709, + "9263": msg11710, + "9264": msg11711, + "9265": msg11712, + "9266": msg11713, + "9267": msg11714, + "9268": msg11715, + "9269": msg11716, + "927": select829, + "9270": msg11717, + "9271": msg11718, + "9272": msg11719, + "9273": msg11720, + "9274": msg11721, + "9275": msg11722, + "9276": msg11723, + "9277": msg11724, + "9278": msg11725, + "9279": msg11726, + "928": select830, + "9280": msg11727, + "9281": msg11728, + "9282": msg11729, + "9283": msg11730, + "9284": msg11731, + "9285": msg11732, + "9286": msg11733, + "9287": msg11734, + "9288": msg11735, + "9289": msg11736, + "929": select831, + "9290": msg11737, + "9291": msg11738, + "9292": msg11739, + "9293": msg11740, + "9294": msg11741, + "9295": msg11742, + "9296": msg11743, + "9297": msg11744, + "9298": msg11745, + "9299": msg11746, + "930": select832, + "9300": msg11747, + "9301": msg11748, + "9302": msg11749, + "9303": msg11750, + "9304": msg11751, + "9305": msg11752, + "9306": msg11753, + "9307": msg11754, + "9308": msg11755, + "9309": msg11756, + "931": select833, + "9310": msg11757, + "9311": msg11758, + "9312": msg11759, + "9313": msg11760, + "9314": msg11761, + "9315": msg11762, + "9316": msg11763, + "9317": msg11764, + "9318": msg11765, + "9319": msg11766, + "932": select834, + "9320": msg11767, + "9321": msg11768, + "9322": msg11769, + "9323": msg11770, + "9324": msg11771, + "9325": msg11772, + "9326": msg11773, + "9327": msg11774, + "9328": msg11775, + "9329": msg11776, + "933": select835, + "9330": msg11777, + "9331": msg11778, + "9332": msg11779, + "9333": msg11780, + "9334": msg11781, + "9335": msg11782, + "9336": msg11783, + "9337": msg11784, + "9338": msg11785, + "9339": msg11786, + "9340": msg11787, + "9341": msg11788, + "9342": msg11789, + "9343": msg11790, + "9344": msg11791, + "9345": msg11792, + "9346": msg11793, + "9347": msg11794, + "9348": msg11795, + "9349": msg11796, + "935": select836, + "9350": msg11797, + "9351": msg11798, + "9352": msg11799, + "9353": msg11800, + "9354": msg11801, + "9355": msg11802, + "9356": msg11803, + "9357": msg11804, + "9358": msg11805, + "9359": msg11806, + "936": select837, + "9360": msg11807, + "9361": msg11808, + "9362": msg11809, + "9363": msg11810, + "9364": msg11811, + "9365": msg11812, + "9366": msg11813, + "9367": msg11814, + "9368": msg11815, + "9369": msg11816, + "937": select838, + "9370": msg11817, + "9371": msg11818, + "9372": msg11819, + "9373": msg11820, + "9374": msg11821, + "9375": msg11822, + "9376": msg11823, + "9377": msg11824, + "9378": msg11825, + "9379": msg11826, + "9380": msg11827, + "9381": msg11828, + "9382": msg11829, + "9383": msg11830, + "9384": msg11831, + "9385": msg11832, + "9386": msg11833, + "9387": msg11834, + "9388": msg11835, + "9389": msg11836, + "939": select839, + "9390": msg11837, + "9391": msg11838, + "9392": msg11839, + "9393": msg11840, + "9394": msg11841, + "9395": msg11842, + "9396": msg11843, + "9397": msg11844, + "9398": msg11845, + "9399": msg11846, + "940": select840, + "9400": msg11847, + "9401": msg11848, + "9402": msg11849, + "9403": msg11850, + "9404": msg11851, + "9405": msg11852, + "9406": msg11853, + "9407": msg11854, + "9408": msg11855, + "9409": msg11856, + "941": select841, + "9410": msg11857, + "9411": msg11858, + "9412": msg11859, + "9413": msg11860, + "9414": msg11861, + "9415": msg11862, + "9416": msg11863, + "9417": msg11864, + "9418": msg11865, + "9419": msg11866, + "942": select842, + "9420": msg11867, + "9421": msg11868, + "9422": msg11869, + "9423": msg11870, + "9424": msg11871, + "9425": msg11872, + "9426": msg11873, + "9427": msg11874, + "9428": msg11875, + "9429": msg11876, + "943": select843, + "9430": msg11877, + "9431": msg11878, + "9432": msg11879, + "9433": msg11880, + "9434": msg11881, + "9435": msg11882, + "9436": msg11883, + "9437": msg11884, + "9438": msg11885, + "9439": msg11886, + "944": select844, + "9440": msg11887, + "9441": msg11888, + "9442": msg11889, + "9443": msg11890, + "9444": msg11891, + "9445": msg11892, + "9446": msg11893, + "9447": msg11894, + "9448": msg11895, + "9449": msg11896, + "945": select845, + "9450": msg11897, + "9451": msg11898, + "9452": msg11899, + "9453": msg11900, + "9454": msg11901, + "9455": msg11902, + "9456": msg11903, + "9457": msg11904, + "9458": msg11905, + "9459": msg11906, + "946": select846, + "9460": msg11907, + "9461": msg11908, + "9462": msg11909, + "9463": msg11910, + "9464": msg11911, + "9465": msg11912, + "9466": msg11913, + "9467": msg11914, + "9468": msg11915, + "9469": msg11916, + "947": select847, + "9470": msg11917, + "9471": msg11918, + "9472": msg11919, + "9473": msg11920, + "9474": msg11921, + "9475": msg11922, + "9476": msg11923, + "9477": msg11924, + "9478": msg11925, + "9479": msg11926, + "948": select848, + "9480": msg11927, + "9481": msg11928, + "9482": msg11929, + "9483": msg11930, + "9484": msg11931, + "9485": msg11932, + "9486": msg11933, + "9487": msg11934, + "9488": msg11935, + "9489": msg11936, + "949": select849, + "9490": msg11937, + "9491": msg11938, + "9492": msg11939, + "9493": msg11940, + "9494": msg11941, + "9495": msg11942, + "9496": msg11943, + "9497": msg11944, + "9498": msg11945, + "9499": msg11946, + "950": select850, + "9500": msg11947, + "9501": msg11948, + "9502": msg11949, + "9503": msg11950, + "9504": msg11951, + "9505": msg11952, + "9506": msg11953, + "9507": msg11954, + "9508": msg11955, + "9509": msg11956, + "951": select851, + "9510": msg11957, + "9511": msg11958, + "9512": msg11959, + "9513": msg11960, + "9514": msg11961, + "9515": msg11962, + "9516": msg11963, + "9517": msg11964, + "9518": msg11965, + "9519": msg11966, + "952": select852, + "9520": msg11967, + "9521": msg11968, + "9522": msg11969, + "9523": msg11970, + "9524": msg11971, + "9525": msg11972, + "9526": msg11973, + "9527": msg11974, + "9528": msg11975, + "9529": msg11976, + "953": select853, + "9530": msg11977, + "9531": msg11978, + "9532": msg11979, + "9533": msg11980, + "9534": msg11981, + "9535": msg11982, + "9536": msg11983, + "9537": msg11984, + "9538": msg11985, + "9539": msg11986, + "954": select854, + "9540": msg11987, + "9541": msg11988, + "9542": msg11989, + "9543": msg11990, + "9544": msg11991, + "9545": msg11992, + "9546": msg11993, + "9547": msg11994, + "9548": msg11995, + "9549": msg11996, + "955": select855, + "9550": msg11997, + "9551": msg11998, + "9552": msg11999, + "9553": msg12000, + "9554": msg12001, + "9555": msg12002, + "9556": msg12003, + "9557": msg12004, + "9558": msg12005, + "9559": msg12006, + "956": select856, + "9560": msg12007, + "9561": msg12008, + "9562": msg12009, + "9563": msg12010, + "9564": msg12011, + "9565": msg12012, + "9566": msg12013, + "9567": msg12014, + "9568": msg12015, + "9569": msg12016, + "957": select857, + "9570": msg12017, + "9571": msg12018, + "9572": msg12019, + "9573": msg12020, + "9574": msg12021, + "9575": msg12022, + "9576": msg12023, + "9577": msg12024, + "9578": msg12025, + "9579": msg12026, + "958": select858, + "9580": msg12027, + "9581": msg12028, + "9582": msg12029, + "9583": msg12030, + "9584": msg12031, + "9585": msg12032, + "9586": msg12033, + "9587": msg12034, + "9588": msg12035, + "9589": msg12036, + "959": select859, + "9590": msg12037, + "9591": msg12038, + "9592": msg12039, + "9593": msg12040, + "9594": msg12041, + "9595": msg12042, + "9596": msg12043, + "9597": msg12044, + "9598": msg12045, + "9599": msg12046, + "96": msg77, + "960": select860, + "9600": msg12047, + "9601": msg12048, + "9602": msg12049, + "9603": msg12050, + "9604": msg12051, + "9605": msg12052, + "9606": msg12053, + "9607": msg12054, + "9608": msg12055, + "9609": msg12056, + "961": select861, + "9610": msg12057, + "9611": msg12058, + "9612": msg12059, + "9613": msg12060, + "9614": msg12061, + "9615": msg12062, + "9616": msg12063, + "9617": msg12064, + "9618": msg12065, + "9619": msg12066, + "962": select862, + "9620": msg12067, + "9621": msg12068, + "9622": msg12069, + "9623": msg12070, + "9624": msg12071, + "9625": msg12072, + "9626": msg12073, + "9627": msg12074, + "9628": msg12075, + "9629": msg12076, + "963": select863, + "9630": msg12077, + "9631": msg12078, + "9632": msg12079, + "9633": msg12080, + "9634": msg12081, + "9635": msg12082, + "9636": msg12083, + "9637": msg12084, + "9638": msg12085, + "9639": msg12086, + "964": select864, + "9640": msg12087, + "9641": msg12088, + "9642": msg12089, + "9643": msg12090, + "9644": msg12091, + "9645": msg12092, + "9646": msg12093, + "9647": msg12094, + "9648": msg12095, + "9649": msg12096, + "965": select865, + "9650": msg12097, + "9651": msg12098, + "9652": msg12099, + "9653": msg12100, + "9654": msg12101, + "9655": msg12102, + "9656": msg12103, + "9657": msg12104, + "9658": msg12105, + "9659": msg12106, + "966": select866, + "9660": msg12107, + "9661": msg12108, + "9662": msg12109, + "9663": msg12110, + "9664": msg12111, + "9665": msg12112, + "9666": msg12113, + "9667": msg12114, + "9668": msg12115, + "9669": msg12116, + "967": select867, + "9670": msg12117, + "9671": msg12118, + "9672": msg12119, + "9673": msg12120, + "9674": msg12121, + "9675": msg12122, + "9676": msg12123, + "9677": msg12124, + "9678": msg12125, + "9679": msg12126, + "968": select868, + "9680": msg12127, + "9681": msg12128, + "9682": msg12129, + "9683": msg12130, + "9684": msg12131, + "9685": msg12132, + "9686": msg12133, + "9687": msg12134, + "9688": msg12135, + "9689": msg12136, + "969": select869, + "9690": msg12137, + "9691": msg12138, + "9692": msg12139, + "9693": msg12140, + "9694": msg12141, + "9695": msg12142, + "9696": msg12143, + "9697": msg12144, + "9698": msg12145, + "9699": msg12146, + "97": select30, + "970": select870, + "9700": msg12147, + "9701": msg12148, + "9702": msg12149, + "9703": msg12150, + "9704": msg12151, + "9705": msg12152, + "9706": msg12153, + "9707": msg12154, + "9708": msg12155, + "9709": msg12156, + "971": select871, + "9710": msg12157, + "9711": msg12158, + "9712": msg12159, + "9713": msg12160, + "9714": msg12161, + "9715": msg12162, + "9716": msg12163, + "9717": msg12164, + "9718": msg12165, + "9719": msg12166, + "972": select872, + "9720": msg12167, + "9721": msg12168, + "9722": msg12169, + "9723": msg12170, + "9724": msg12171, + "9725": msg12172, + "9726": msg12173, + "9727": msg12174, + "9728": msg12175, + "9729": msg12176, + "973": select873, + "9730": msg12177, + "9731": msg12178, + "9732": msg12179, + "9733": msg12180, + "9734": msg12181, + "9735": msg12182, + "9736": msg12183, + "9737": msg12184, + "9738": msg12185, + "9739": msg12186, + "974": select874, + "9740": msg12187, + "9741": msg12188, + "9742": msg12189, + "9743": msg12190, + "9744": msg12191, + "9745": msg12192, + "9746": msg12193, + "9747": msg12194, + "9748": msg12195, + "9749": msg12196, + "975": select875, + "9750": msg12197, + "9751": msg12198, + "9752": msg12199, + "9753": msg12200, + "9754": msg12201, + "9755": msg12202, + "9756": msg12203, + "9757": msg12204, + "9758": msg12205, + "9759": msg12206, + "976": select876, + "9760": msg12207, + "9761": msg12208, + "9762": msg12209, + "9763": msg12210, + "9764": msg12211, + "9765": msg12212, + "9766": msg12213, + "9767": msg12214, + "9768": msg12215, + "9769": msg12216, + "977": select877, + "9770": msg12217, + "9771": msg12218, + "9772": msg12219, + "9773": msg12220, + "9774": msg12221, + "9775": msg12222, + "9776": msg12223, + "9777": msg12224, + "9778": msg12225, + "9779": msg12226, + "978": select878, + "9780": msg12227, + "9781": msg12228, + "9782": msg12229, + "9783": msg12230, + "9784": msg12231, + "9785": msg12232, + "9786": msg12233, + "9787": msg12234, + "9788": msg12235, + "9789": msg12236, + "979": select879, + "9790": msg12237, + "9791": msg12238, + "9792": msg12239, + "9793": msg12240, + "9794": msg12241, + "9795": msg12242, + "9796": msg12243, + "9797": msg12244, + "9798": msg12245, + "9799": msg12246, + "980": select880, + "9800": msg12247, + "9801": msg12248, + "9802": msg12249, + "9803": msg12250, + "9804": msg12251, + "9805": msg12252, + "9806": msg12253, + "9807": msg12254, + "9808": msg12255, + "9809": msg12256, + "981": select881, + "9810": msg12257, + "9811": msg12258, + "9812": msg12259, + "9813": msg12260, + "9814": msg12261, + "9815": msg12262, + "9816": msg12263, + "9817": msg12264, + "9818": msg12265, + "9819": msg12266, + "982": select882, + "9820": msg12267, + "9821": msg12268, + "9822": msg12269, + "9823": msg12270, + "9824": msg12271, + "9825": msg12272, + "9826": msg12273, + "9827": msg12274, + "9828": msg12275, + "9829": msg12276, + "983": select883, + "9830": msg12277, + "9831": msg12278, + "9832": msg12279, + "9833": msg12280, + "9834": msg12281, + "9835": msg12282, + "9836": msg12283, + "9837": msg12284, + "9838": msg12285, + "9839": msg12286, + "984": select884, + "9840": msg12287, + "9841": msg12288, + "9842": msg12289, + "9843": msg12290, + "9844": msg12291, + "9845": msg12292, + "9846": msg12293, + "9847": msg12294, + "9848": msg12295, + "9849": msg12296, + "985": select885, + "9850": msg12297, + "9851": msg12298, + "9852": msg12299, + "9853": msg12300, + "9854": msg12301, + "9855": msg12302, + "9856": msg12303, + "9857": msg12304, + "9858": msg12305, + "9859": msg12306, + "986": select886, + "9860": msg12307, + "9861": msg12308, + "9862": msg12309, + "9863": msg12310, + "9864": msg12311, + "9865": msg12312, + "9866": msg12313, + "9867": msg12314, + "9868": msg12315, + "9869": msg12316, + "987": select887, + "9870": msg12317, + "9871": msg12318, + "9872": msg12319, + "9873": msg12320, + "9874": msg12321, + "9875": msg12322, + "9876": msg12323, + "9877": msg12324, + "9878": msg12325, + "9879": msg12326, + "988": select888, + "9880": msg12327, + "9881": msg12328, + "9882": msg12329, + "9883": msg12330, + "9884": msg12331, + "9885": msg12332, + "9886": msg12333, + "9887": msg12334, + "9888": msg12335, + "9889": msg12336, + "989": select889, + "9890": msg12337, + "9891": msg12338, + "9892": msg12339, + "9893": msg12340, + "9894": msg12341, + "9895": msg12342, + "9896": msg12343, + "9897": msg12344, + "9898": msg12345, + "9899": msg12346, + "990": select890, + "9900": msg12347, + "9901": msg12348, + "9902": msg12349, + "9903": msg12350, + "9904": msg12351, + "9905": msg12352, + "9906": msg12353, + "9907": msg12354, + "9908": msg12355, + "9909": msg12356, + "991": select891, + "9910": msg12357, + "9911": msg12358, + "9912": msg12359, + "9913": msg12360, + "9914": msg12361, + "9915": msg12362, + "9916": msg12363, + "9917": msg12364, + "9918": msg12365, + "9919": msg12366, + "992": select892, + "9920": msg12367, + "9921": msg12368, + "9922": msg12369, + "9923": msg12370, + "9924": msg12371, + "9925": msg12372, + "9926": msg12373, + "9927": msg12374, + "9928": msg12375, + "9929": msg12376, + "993": select893, + "9930": msg12377, + "9931": msg12378, + "9932": msg12379, + "9933": msg12380, + "9934": msg12381, + "9935": msg12382, + "9936": msg12383, + "9937": msg12384, + "9938": msg12385, + "9939": msg12386, + "994": select894, + "9940": msg12387, + "9941": msg12388, + "9942": msg12389, + "9943": msg12390, + "9944": msg12391, + "9945": msg12392, + "9946": msg12393, + "9947": msg12394, + "9948": msg12395, + "9949": msg12396, + "995": select895, + "9950": msg12397, + "9951": msg12398, + "9952": msg12399, + "9953": msg12400, + "9954": msg12401, + "9955": msg12402, + "9956": msg12403, + "9957": msg12404, + "9958": msg12405, + "9959": msg12406, + "996": select896, + "9960": msg12407, + "9961": msg12408, + "9962": msg12409, + "9963": msg12410, + "9964": msg12411, + "9965": msg12412, + "9966": msg12413, + "9967": msg12414, + "9968": msg12415, + "9969": msg12416, + "997": select897, + "9970": msg12417, + "9971": msg12418, + "9972": msg12419, + "9973": msg12420, + "9974": msg12421, + "9975": msg12422, + "9976": msg12423, + "9977": msg12424, + "9978": msg12425, + "9979": msg12426, + "998": select898, + "9980": msg12427, + "9981": msg12428, + "9982": msg12429, + "9983": msg12430, + "9984": msg12431, + "9985": msg12432, + "9986": msg12433, + "9987": msg12434, + "9988": msg12435, + "9989": msg12436, + "999": select899, + "9990": msg12437, + "9991": msg12438, + "9992": msg12439, + "9993": msg12440, + "9994": msg12441, + "9995": msg12442, + "9996": msg12443, + "9997": msg12444, + "9998": msg12445, + "9999": msg12446, + "Additional_MAC_Detected_for": msg38460, + "Client_Application_Timeout": msg38477, + "Client_Application_Update": msg38473, + "Client_Timeout": msg38534, + "Client_Update": msg38530, + "ET": msg38485, + "FTD_events": select2466, + "HMNOTIFY": msg1, + "Hops_Change": msg38458, + "Host_IOC_Set": msg38535, + "Host_Timeout": msg38478, + "Host_Type_Changed": msg38536, + "Identity_Timeout": select2450, + "Login": msg38537, + "Logout": msg38538, + "MAC_Information_Change": msg38459, + "MALWARE": select2463, + "NETBIOS_Name_Change": msg38461, + "NGIPS_events": select2468, + "Network_Based_Malware": select2459, + "Network_Based_Retrospective": select2462, + "New_Client": msg38531, + "New_Client_Application": msg38472, + "New_Host": msg38462, + "New_Network_Protocol": msg38463, + "New_OS": msg38471, + "New_TCP_Port": msg38528, + "New_TCP_Service": msg38474, + "New_Transport_Protocol": msg38465, + "New_UDP_Port": msg38529, + "New_UDP_Service": msg38464, + "OS_Confidence_Update": msg38466, + "OS_Information_Update": msg38467, + "Portscan": msg38457, + "Primary_Detection_Engine": select2457, + "S5": select2453, + "Snort_AlertLog": msg38527, + "SystemSettings": select2455, + "TCP_Port_Closed": msg38475, + "TCP_Port_Timeout": msg38476, + "TCP_Server_Information_Update": msg38533, + "TCP_Service_Confidence_Update": msg38468, + "TCP_Service_Information_Update": msg38469, + "UDP_Port_Timeout": msg38481, + "UDP_Server_Information_Update": msg38532, + "UDP_Service_Confidence_Update": msg38482, + "UDP_Service_Information_Update": select2451, + "VLAN_Tag_Information_Update": msg38470, + "connection_events": msg38539, + "snort-sid-template": msg38452, + "spp_portscan": select2445, + }), +]); + +var hdr35 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" +match("HEADER#2:00010/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); + +var part116 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" [Impact: '), Field(p0,false)}" +match("HEADER#2:00010/1_0", "nwparser.p0", "\"%{hfld10}\" [Impact: %{p0}"); + +var part117 = // "Pattern{Field(hfld10,true), Constant(' [Impact: '), Field(p0,false)}" +match("HEADER#2:00010/1_1", "nwparser.p0", "%{hfld10->} [Impact: %{p0}"); + +var part118 = // "Pattern{Field(result,false), Constant('] From '), Field(hfld11,true), Constant(' at '), Field(fld9,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" +match("HEADER#3:00011/2", "nwparser.p0", "%{result}] From %{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); + +var part119 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" [Classification: '), Field(p0,false)}" +match("HEADER#4:00012/1_0", "nwparser.p0", "\"%{hfld10}\" [Classification: %{p0}"); + +var part120 = // "Pattern{Field(hfld10,true), Constant(' [Classification: '), Field(p0,false)}" +match("HEADER#4:00012/1_1", "nwparser.p0", "%{hfld10->} [Classification: %{p0}"); + +var part121 = // "Pattern{Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" +match("HEADER#4:00012/2", "nwparser.p0", "%{sigtype}] [Priority: %{payload}"); + +var part122 = // "Pattern{Constant('"'), Field(hfld10,false), Constant('" ['), Field(p0,false)}" +match("HEADER#5:00013/1_0", "nwparser.p0", "\"%{hfld10}\" [%{p0}"); + +var part123 = // "Pattern{Field(hfld10,true), Constant(' ['), Field(p0,false)}" +match("HEADER#5:00013/1_1", "nwparser.p0", "%{hfld10->} [%{p0}"); + +var part124 = // "Pattern{Field(info,false), Constant('] [Priority: '), Field(payload,false)}" +match("HEADER#5:00013/2", "nwparser.p0", "%{info}] [Priority: %{payload}"); + +var hdr36 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' snort['), Field(hpid,false), Constant(']: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" +match("HEADER#7:00020/0", "message", "%{month->} %{day->} %{time->} snort[%{hpid}]: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); + +var part125 = // "Pattern{Field(result,false), Constant('] From '), Field(group_object,false), Constant('/'), Field(hfld11,true), Constant(' at '), Field(fld9,true), Constant(' '), Field(event_time_string,true), Constant(' [Classification: '), Field(sigtype,false), Constant('] [Priority: '), Field(payload,false)}" +match("HEADER#7:00020/2", "nwparser.p0", "%{result}] From %{group_object}/%{hfld11->} at %{fld9->} %{event_time_string->} [Classification: %{sigtype}] [Priority: %{payload}"); + +var hdr37 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' snort: ['), Field(hevent_source,false), Constant(':'), Field(messageid,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" +match("HEADER#11:00030/0", "message", "%{month->} %{day->} %{time->} snort: [%{hevent_source}:%{messageid}:%{hversion}] %{p0}"); + +var part126 = // "Pattern{Constant('at'), Field(p0,false)}" +match("HEADER#26:0011/1_1", "nwparser.p0", "at%{p0}"); + +var part127 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" +match("HEADER#26:0011/2", "nwparser.p0", "%{} %{p0}"); + +var part128 = // "Pattern{Constant('['), Field(hpid,false), Constant(']: ['), Field(p0,false)}" +match("HEADER#41:0024/1_0", "nwparser.p0", "[%{hpid}]: [%{p0}"); + +var part129 = // "Pattern{Constant(': ['), Field(p0,false)}" +match("HEADER#41:0024/1_1", "nwparser.p0", ": [%{p0}"); + +var part130 = // "Pattern{Constant(']'), Field(hversion,false), Constant(':'), Field(hfld2,false), Constant(':'), Field(hevent_source,true), Constant(' '), Field(payload,false)}" +match("HEADER#41:0024/2", "nwparser.p0", "]%{hversion}:%{hfld2}:%{hevent_source->} %{payload}"); + +var hdr38 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': ['), Field(hevent_source,false), Constant(':'), Field(hfld2,false), Constant(':'), Field(hversion,false), Constant('] '), Field(p0,false)}" +match("HEADER#43:0023/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: [%{hevent_source}:%{hfld2}:%{hversion}] %{p0}"); + +var part131 = // "Pattern{Field(threat_val,true), Constant(' ]:alert {'), Field(p0,false)}" +match("MESSAGE#1:0/0_0", "nwparser.payload", "%{threat_val->} ]:alert {%{p0}"); + +var part132 = // "Pattern{Field(threat_val,true), Constant(' ]: '), Field(fld1,true), Constant(' {'), Field(p0,false)}" +match("MESSAGE#1:0/0_1", "nwparser.payload", "%{threat_val->} ]: %{fld1->} {%{p0}"); + +var part133 = // "Pattern{Field(threat_val,false), Constant(']: {'), Field(p0,false)}" +match("MESSAGE#1:0/0_2", "nwparser.payload", "%{threat_val}]: {%{p0}"); + +var part134 = // "Pattern{Field(threat_val,true), Constant(' ] {'), Field(p0,false)}" +match("MESSAGE#1:0/0_3", "nwparser.payload", "%{threat_val->} ] {%{p0}"); + +var part135 = // "Pattern{Field(protocol,false), Constant('} '), Field(p0,false)}" +match("MESSAGE#1:0/1", "nwparser.p0", "%{protocol}} %{p0}"); + +var part136 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(location_src,false), Constant(') -> '), Field(p0,false)}" +match("MESSAGE#1:0/2_0", "nwparser.p0", "%{saddr}:%{sport->} (%{location_src}) -> %{p0}"); + +var part137 = // "Pattern{Field(saddr,false), Constant(':'), Field(sport,true), Constant(' -> '), Field(p0,false)}" +match("MESSAGE#1:0/2_1", "nwparser.p0", "%{saddr}:%{sport->} -> %{p0}"); + +var part138 = // "Pattern{Field(saddr,true), Constant(' -> '), Field(p0,false)}" +match("MESSAGE#1:0/2_2", "nwparser.p0", "%{saddr->} -> %{p0}"); + +var part139 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(location_dst,false), Constant(')')}" +match("MESSAGE#1:0/3_0", "nwparser.p0", "%{daddr}:%{dport->} (%{location_dst})"); + +var part140 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,false)}" +match("MESSAGE#1:0/3_1", "nwparser.p0", "%{daddr}:%{dport}"); + +var part141 = // "Pattern{Field(daddr,false)}" +match_copy("MESSAGE#1:0/3_2", "nwparser.p0", "daddr"); + +var part142 = // "Pattern{Field(context,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#2:0:01/0", "nwparser.payload", "%{context->} %{p0}"); + +var part143 = // "Pattern{Constant('<<'), Field(interface,false), Constant('> '), Field(p0,false)}" +match("MESSAGE#2:0:01/1_0", "nwparser.p0", "\u003c\u003c%{interface}> %{p0}"); + +var part144 = // "Pattern{Field(p0,false)}" +match_copy("MESSAGE#2:0:01/1_1", "nwparser.p0", "p0"); + +var part145 = // "Pattern{Constant('{'), Field(protocol,false), Constant('} '), Field(p0,false)}" +match("MESSAGE#2:0:01/2", "nwparser.p0", "{%{protocol}} %{p0}"); + +var part146 = // "Pattern{Field(threat_val,true), Constant(' ]'), Field(p0,false)}" +match("MESSAGE#33:10/0", "nwparser.payload", "%{threat_val->} ]%{p0}"); + +var part147 = // "Pattern{Constant(' <<'), Field(interface,false), Constant('> '), Field(p0,false)}" +match("MESSAGE#33:10/1_0", "nwparser.p0", " \u003c\u003c%{interface}> %{p0}"); + +var part148 = // "Pattern{Constant(': '), Field(p0,false)}" +match("MESSAGE#33:10/1_1", "nwparser.p0", ": %{p0}"); + +var part149 = // "Pattern{Constant(' '), Field(p0,false)}" +match("MESSAGE#33:10/1_2", "nwparser.p0", " %{p0}"); + +var part150 = // "Pattern{Field(context,true), Constant(' <<'), Field(interface,false), Constant('> '), Field(protocol,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#80:103:01/0", "nwparser.payload", "%{context->} \u003c\u003c%{interface}> %{protocol->} %{p0}"); + +var part151 = // "Pattern{Field(threat_val,true), Constant(' ]:alert '), Field(p0,false)}" +match("MESSAGE#5535:3086/0_0", "nwparser.payload", "%{threat_val->} ]:alert %{p0}"); + +var part152 = // "Pattern{Field(threat_val,false), Constant(']: '), Field(p0,false)}" +match("MESSAGE#5535:3086/0_1", "nwparser.payload", "%{threat_val}]: %{p0}"); + +var part153 = // "Pattern{Field(threat_val,true), Constant(' ] '), Field(p0,false)}" +match("MESSAGE#5535:3086/0_2", "nwparser.payload", "%{threat_val->} ] %{p0}"); + +var part154 = // "Pattern{Constant(''), Field(p0,false)}" +match("MESSAGE#5535:3086/1", "nwparser.p0", "%{p0}"); + +var part155 = // "Pattern{Constant(':alert '), Field(p0,false)}" +match("MESSAGE#30119:28015/1_1", "nwparser.p0", ":alert %{p0}"); + +var part156 = // "Pattern{Constant(''), Field(saddr,true), Constant(' -> '), Field(p0,false)}" +match("MESSAGE#36377:34596/3_1", "nwparser.p0", "%{saddr->} -> %{p0}"); + +var part157 = // "Pattern{Constant(''), Field(daddr,false)}" +match("MESSAGE#36377:34596/4_1", "nwparser.p0", "%{daddr}"); + +var part158 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' MAC: '), Field(smacaddr,true), Constant(' TTL '), Field(p0,false)}" +match("MESSAGE#38458:MAC_Information_Change/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} MAC: %{smacaddr->} TTL %{p0}"); + +var part159 = // "Pattern{Field(sinterface,true), Constant(' ('), Field(protocol,true), Constant(' detected)')}" +match("MESSAGE#38458:MAC_Information_Change/1_0", "nwparser.p0", "%{sinterface->} (%{protocol->} detected)"); + +var part160 = // "Pattern{Field(sinterface,false)}" +match_copy("MESSAGE#38458:MAC_Information_Change/1_1", "nwparser.p0", "sinterface"); + +var part161 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> '), Field(p0,false)}" +match("MESSAGE#38461:New_Host/0", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> %{p0}"); + +var part162 = // "Pattern{Field(protocol,false)}" +match_copy("MESSAGE#38462:New_Network_Protocol/2", "nwparser.p0", "protocol"); + +var part163 = // "Pattern{Field(protocol,true), Constant(' Confidence: '), Field(result,false)}" +match("MESSAGE#38468:TCP_Service_Information_Update/1_0", "nwparser.p0", "%{protocol->} Confidence: %{result}"); + +var part164 = // "Pattern{Constant('>'), Field(p0,false)}" +match("MESSAGE#38495:SystemSettings:09/1_0", "nwparser.p0", ">%{p0}"); + +var part165 = // "Pattern{Field(fld1,false), Constant(']['), Field(policyname,false), Constant('] Connection Type: '), Field(event_state,false), Constant(', User: '), Field(username,false), Constant(', Client: '), Field(application,false), Constant(', Application Protocol: '), Field(protocol,false), Constant(', Web App: '), Field(application,false), Constant(', Access Control Rule Name: '), Field(rulename,false), Constant(', Access Control Rule Action: '), Field(action,false), Constant(', Access Control Rule Reasons: '), Field(result,false), Constant(', URL Category: '), Field(category,false), Constant(', URL Reputation: '), Field(p0,false)}" +match("MESSAGE#38514:Primary_Detection_Engine/0", "nwparser.payload", "%{fld1}][%{policyname}] Connection Type: %{event_state}, User: %{username}, Client: %{application}, Application Protocol: %{protocol}, Web App: %{application}, Access Control Rule Name: %{rulename}, Access Control Rule Action: %{action}, Access Control Rule Reasons: %{result}, URL Category: %{category}, URL Reputation: %{p0}"); + +var part166 = // "Pattern{Constant('Risk unknown, URL: '), Field(p0,false)}" +match("MESSAGE#38514:Primary_Detection_Engine/1_0", "nwparser.p0", "Risk unknown, URL: %{p0}"); + +var part167 = // "Pattern{Field(reputation_num,false), Constant(', URL: '), Field(p0,false)}" +match("MESSAGE#38514:Primary_Detection_Engine/1_1", "nwparser.p0", "%{reputation_num}, URL: %{p0}"); + +var part168 = // "Pattern{Constant('-*> '), Field(p0,false)}" +match("MESSAGE#38521:Network_Based_Retrospective/1_0", "nwparser.p0", "-*> %{p0}"); + +var part169 = // "Pattern{Constant('> '), Field(p0,false)}" +match("MESSAGE#38521:Network_Based_Retrospective/1_1", "nwparser.p0", "> %{p0}"); + +var part170 = // "Pattern{Constant('From "'), Field(sensor,false), Constant('" at '), Field(p0,false)}" +match("MESSAGE#38522:Network_Based_Retrospective:01/1_0", "nwparser.p0", "From \"%{sensor}\" at %{p0}"); + +var part171 = // "Pattern{Constant('at '), Field(p0,false)}" +match("MESSAGE#38522:Network_Based_Retrospective:01/1_1", "nwparser.p0", "at %{p0}"); + +var part172 = // "Pattern{Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC '), Field(p0,false)}" +match("MESSAGE#38522:Network_Based_Retrospective:01/2", "nwparser.p0", "%{fld6->} %{event_time_string->} UTC %{p0}"); + +var part173 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' '), Field(network_service,false)}" +match("MESSAGE#38528:Client_Update/4", "nwparser.p0", "IP Address: %{saddr->} %{network_service}"); + +var part174 = // "Pattern{Constant('IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(p0,false)}" +match("MESSAGE#38530:UDP_Server_Information_Update/4", "nwparser.p0", "IP Address: %{saddr->} Port: %{sport->} Service: %{p0}"); + +var select2469 = linear_select([ + dup3, + dup4, +]); + +var select2470 = linear_select([ + dup6, + dup7, +]); + +var select2471 = linear_select([ + dup9, + dup10, +]); + +var hdr39 = // "Pattern{Field(month,true), Constant(' '), Field(day,true), Constant(' '), Field(time,true), Constant(' '), Field(host,true), Constant(' '), Field(hfld1,false), Constant(': <<*- '), Field(msgIdPart1,true), Constant(' '), Field(msgIdPart2,true), Constant(' '), Field(msgIdPart3,true), Constant(' '), Field(p0,false)}" +match("HEADER#26:0011/0", "message", "%{month->} %{day->} %{time->} %{host->} %{hfld1}: \u003c\u003c*- %{msgIdPart1->} %{msgIdPart2->} %{msgIdPart3->} %{p0}", processor_chain([ + dup19, +])); + +var select2472 = linear_select([ + dup26, + dup27, +]); + +var select2473 = linear_select([ + dup33, + dup34, + dup35, + dup36, +]); + +var select2474 = linear_select([ + dup38, + dup39, + dup40, +]); + +var select2475 = linear_select([ + dup41, + dup42, + dup43, +]); + +var select2476 = linear_select([ + dup58, + dup59, +]); + +var select2477 = linear_select([ + dup67, + dup68, + dup69, +]); + +var select2478 = linear_select([ + dup113, + dup114, + dup115, +]); + +var select2479 = linear_select([ + dup68, + dup69, +]); + +var select2480 = linear_select([ + dup67, + dup124, + dup68, + dup69, +]); + +var select2481 = linear_select([ + dup39, + dup125, +]); + +var select2482 = linear_select([ + dup42, + dup126, +]); + +var select2483 = linear_select([ + dup131, + dup132, +]); + +var part175 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' OS: '), Field(version,true), Constant(' Confidence: '), Field(result,false)}" +match("MESSAGE#38465:OS_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} OS: %{version->} Confidence: %{result}", processor_chain([ + dup127, + dup31, + dup32, + dup47, + dup129, +])); + +var part176 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,true), Constant(' Service: '), Field(protocol,true), Constant(' Confidence: '), Field(result,false)}" +match("MESSAGE#38467:TCP_Service_Confidence_Update", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport->} Service: %{protocol->} Confidence: %{result}", processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, +])); + +var select2484 = linear_select([ + dup136, + dup134, +]); + +var part177 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' '), Field(product,false)}" +match("MESSAGE#38471:New_Client_Application", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} %{product}", processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, +])); + +var part178 = // "Pattern{Field(context,true), Constant(' From "'), Field(sensor,false), Constant('" at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,true), Constant(' Port: '), Field(sport,false)}" +match("MESSAGE#38473:New_TCP_Service", "nwparser.payload", "%{context->} From \"%{sensor}\" at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr->} Port: %{sport}", processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, +])); + +var part179 = // "Pattern{Field(context,true), Constant(' From '), Field(sensor,true), Constant(' at '), Field(fld6,true), Constant(' '), Field(event_time_string,true), Constant(' UTC -*> IP Address: '), Field(saddr,false)}" +match("MESSAGE#38475:TCP_Port_Timeout", "nwparser.payload", "%{context->} From %{sensor->} at %{fld6->} %{event_time_string->} UTC -*> IP Address: %{saddr}", processor_chain([ + dup135, + dup31, + dup32, + dup47, + dup129, +])); + +var select2485 = linear_select([ + dup148, + dup149, +]); + +var select2486 = linear_select([ + dup153, + dup154, +]); + +var select2487 = linear_select([ + dup155, + dup156, +]); + +var all88 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all89 = all_match({ + processors: [ + dup57, + dup175, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + ]), +}); + +var all90 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup61, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all91 = all_match({ + processors: [ + dup57, + dup175, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup61, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + ]), +}); + +var all92 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup62, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all93 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup63, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all94 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup64, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all95 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup65, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all96 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all97 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup70, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all98 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup71, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all99 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all100 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all101 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup45, + dup77, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all102 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup77, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all103 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup62, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all104 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup78, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all105 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup79, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all106 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup80, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all107 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup81, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all108 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup61, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all109 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup82, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all110 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup83, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all111 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup85, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all112 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup85, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all113 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup62, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all114 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup86, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all115 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup86, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all116 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup64, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all117 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup63, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all118 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup80, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all119 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup80, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all120 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup87, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all121 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup88, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all122 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup88, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all123 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup83, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all124 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup83, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all125 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup61, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all126 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup89, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all127 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup89, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all128 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup89, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all129 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup89, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all130 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup61, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all131 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup61, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all132 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup91, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all133 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup91, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all134 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup92, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all135 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup92, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all136 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup93, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all137 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup93, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all138 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup94, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all139 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup94, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all140 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup62, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all141 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup62, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all142 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup95, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all143 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup95, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all144 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup96, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all145 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup96, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all146 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup97, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all147 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup97, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all148 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup80, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all149 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup79, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all150 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup79, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all151 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup78, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all152 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup78, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all153 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup98, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all154 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup78, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all155 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup78, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all156 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup99, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all157 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup99, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all158 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup44, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all159 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup100, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all160 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup100, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all161 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup81, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all162 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup81, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all163 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup101, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all164 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup101, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all165 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup102, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all166 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup102, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all167 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup103, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all168 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup103, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all169 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup90, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all170 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup104, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all171 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup104, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all172 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup105, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all173 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup105, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all174 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup106, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all175 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup106, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all176 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup98, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all177 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup107, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all178 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup107, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all179 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup94, + dup31, + dup45, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all180 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup94, + dup31, + dup72, + dup84, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all181 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup108, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all182 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup108, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all183 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup79, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all184 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup79, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all185 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup70, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all186 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup92, + dup31, + dup45, + dup77, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all187 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup78, + dup31, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all188 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup94, + dup31, + dup45, + dup72, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all189 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup80, + dup31, + dup45, + dup77, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all190 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup80, + dup31, + dup77, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all191 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup109, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all192 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup109, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all193 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup110, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all194 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup111, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all195 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup111, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all196 = all_match({ + processors: [ + dup75, + dup173, + dup174, + ], + on_success: processor_chain([ + dup110, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup76, + dup50, + dup51, + ]), +}); + +var all197 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup112, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all198 = all_match({ + processors: [ + dup177, + dup116, + dup173, + dup174, + ], + on_success: processor_chain([ + dup81, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all199 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup117, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all200 = all_match({ + processors: [ + dup177, + dup116, + dup173, + dup174, + ], + on_success: processor_chain([ + dup101, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all201 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup118, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all202 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup105, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all203 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup70, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all204 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup78, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all205 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup63, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all206 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup81, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all207 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup101, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all208 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup119, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all209 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup120, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all210 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup71, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all211 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup94, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all212 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup65, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all213 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup121, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all214 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup100, + dup31, + dup45, + dup77, + dup73, + dup74, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all215 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup122, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all216 = all_match({ + processors: [ + dup172, + dup37, + dup173, + dup174, + ], + on_success: processor_chain([ + dup123, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all217 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup100, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all218 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup99, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all219 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup79, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all220 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup64, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all221 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup102, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all222 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup119, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all223 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup121, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all224 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup93, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all225 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup120, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all226 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup108, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all227 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup104, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all228 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup90, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all229 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup83, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all230 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup89, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all231 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup97, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all232 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup61, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all233 = all_match({ + processors: [ + dup66, + dup179, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup101, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all234 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup118, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all235 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup100, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all236 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup71, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all237 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup63, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all238 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup102, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all239 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup79, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all240 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup70, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all241 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup64, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all242 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup99, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all243 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup101, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all244 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup65, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all245 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup105, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all246 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup81, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all247 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup78, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all248 = all_match({ + processors: [ + dup66, + dup176, + dup60, + dup180, + dup181, + ], + on_success: processor_chain([ + dup104, + dup31, + dup45, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + dup52, + dup53, + dup54, + dup55, + dup56, + ]), +}); + +var all249 = all_match({ + processors: [ + dup57, + dup175, + dup60, + dup173, + dup174, + ], + on_success: processor_chain([ + dup83, + dup31, + dup32, + dup46, + dup47, + dup48, + dup49, + dup50, + dup51, + ]), +}); + +var all250 = all_match({ + processors: [ + dup130, + dup182, + ], + on_success: processor_chain([ + dup127, + dup31, + dup32, + dup47, + dup129, + ]), +}); + +var all251 = all_match({ + processors: [ + dup57, + dup191, + dup157, + dup190, + dup159, + ], + on_success: processor_chain([ + dup135, + dup31, + dup32, + dup47, + ]), +}); + +var all252 = all_match({ + processors: [ + dup57, + dup191, + dup157, + dup190, + dup160, + dup185, + ], + on_success: processor_chain([ + dup135, + dup31, + dup32, + dup47, + ]), +}); diff --git a/x-pack/filebeat/module/rapid7/nexpose/ingest/pipeline.yml b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml similarity index 82% rename from x-pack/filebeat/module/rapid7/nexpose/ingest/pipeline.yml rename to x-pack/filebeat/module/snort/log/ingest/pipeline.yml index d558e7071ea..640c5b2556a 100644 --- a/x-pack/filebeat/module/rapid7/nexpose/ingest/pipeline.yml +++ b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml @@ -1,7 +1,11 @@ --- -description: Pipeline for Rapid7 NeXpose +description: Pipeline for Snort/Sourcefire processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original @@ -49,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/rapid7/nexpose/manifest.yml b/x-pack/filebeat/module/snort/log/manifest.yml similarity index 89% rename from x-pack/filebeat/module/rapid7/nexpose/manifest.yml rename to x-pack/filebeat/module/snort/log/manifest.yml index a011a93d869..a02cbe98ed6 100644 --- a/x-pack/filebeat/module/rapid7/nexpose/manifest.yml +++ b/x-pack/filebeat/module/snort/log/manifest.yml @@ -3,11 +3,11 @@ module_version: "1.0" var: - name: paths - name: tags - default: ["rapid7.nexpose", "forwarded"] + default: ["snort.log", "forwarded"] - name: syslog_host default: localhost - name: syslog_port - default: 9517 + default: 9532 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/snort/log/test/generated.log b/x-pack/filebeat/module/snort/log/test/generated.log new file mode 100644 index 00000000000..8ecab402325 --- /dev/null +++ b/x-pack/filebeat/module/snort/log/test/generated.log @@ -0,0 +1,100 @@ +Jan 29 2016 06:09:59 quid2184.invalid: %FTD-enim-dqu:CLOCK: System clock set, source: veri, IP: 10.202.72.124, before: inv, after: emo +2016-2-12T13:12:33Z inBCSedu5722.internal.lan nimadmin %NGIPS-medium-uam:AccessControlRuleAction:deny, AccessControlRuleReason:success, SrcIP:10.38.77.13, DstIP:10.212.11.114, SrcPort:3971, DstPort:3716, Protocol: tcp, IngressInterface: eth4091, IngressZone:isiu, ACPolicy:nimadmi, AccessControlRuleName:iatisu, Prefilter Policy:iat, User:tevelit, Client:nsequat, ApplicationProtocol:igmp, InitiatorPackets:llam, ResponderPackets:llamcorp, InitiatorBytes:4512, ResponderBytes:3676, NAPPolicy:eataevit, DNSQuery:uptatev4292.www.invalid, DNSRecordType: a host address, DNSSICategory:atat +Feb 26 20:15:08 tlabo6088.www.localdomain Lor: HMNOTIFY: itecto (Sensor erc): Severity:medium: failure +Mar 12 03:17:42 eporroqu4200.domain atquovo: HMNOTIFY: suntinc (Sensor xeac): Severity:medium: success +Mar 26 10:20:16 eirure: conseq557.mail.lan: aaliquaU@ntor, Analysis & Reporting > lpaqui +2016-4-9T17:22:51Z ationemu5040.www.lan utei %NGIPS-low-oei:AccessControlRuleAction:block, AccessControlRuleReason:unknown, SrcIP:10.182.199.231, DstIP:10.24.67.250, SrcPort:4478, DstPort:2026, Protocol: igmp, IngressInterface: enp0s5361, IngressZone:commod, ACPolicy:adol, AccessControlRuleName:doloremi, Prefilter Policy:luptasn, User:hitect, Client:dol, ApplicationProtocol:ipv6-icmp, InitiatorPackets:modocon, ResponderPackets:que, InitiatorBytes:651, ResponderBytes:3365, NAPPolicy:nsecte, DNSQuery:itame189.domain, DNSRecordType: a host address, DNSSICategory:exercit +Apr 24 00:25:25 uscipit: vitaedi1318.corp: temqu@edol, FailD, colab +May 8 07:27:59 nimid: itatione1916.www.host: oluptate@issus, Analysis & Reporting > osamn +May 22 14:30:33 its7829.localhost datatno: [siutali:5979:1.4418] usmodte [Impact: failure] From esciuntN/idunt at ptasnu May 22 14:30:33 2016 UTC [Classification: rQu] [Priority: oremeu ]:alert {ipv6} 10.110.31.190 -> 10.157.18.252:5300 (eeufugia) +Jun 5 21:33:08 aec3673.internal.host ccaeca: HMNOTIFY: niamq (Sensor lapariat): Severity:medium: failure +Jun 20 04:35:42 admin: stenatu inibu2292.www.invalid: isetquas@ute, Login, Login Success +Jul 4 11:38:16 ori1241.www.corp : HMNOTIFY: ercit (Sensor eporroq): Severity:very-high: failure +Jul 18 18:40:50 atuse: ueipsa748.localdomain: aparia@tatnon, Heartbeat, leumiur +Aug 2 01:43:25 oluptat548.www5.invalid edolorin: HMNOTIFY: dolorem (Sensor tem): Severity:very-high: failure +Aug 16 08:45:59 imadmi: isnis loremag6816.www5.lan: inrepreh@quovo, System > urExcep +Aug 30 15:48:33 tionemu5269.internal.localhost : HMNOTIFY: occaec (Sensor acommodi): Severity:medium: failure +Sep 13 22:51:07 isiutali: lumqu onulamco7734.www.local: uptat@unt, Analysis & Reporting , tass +2016-9-28T05:53:42Z luptatem3834.lan edq %NGIPS-medium-tise:AccessControlRuleAction:block,AccessControlRuleName:tnul,AccessControlRuleReason:success,ApplicationProtocol:rdp,Client:ess,ConnectType:quiad,DE:ihilmole,DNSResponseType:saquaea,DstIP:10.80.151.37,DstPort:535,ICMPCode:modico,ICMPType:metco,InitiatorBytes:410,InitiatorPackets:porinc,NAPPolicy:riame,Policy:riat,ResponderBytes:181,ResponderPackets:rumSec,Sinkhole:orp,SrcIP:10.213.109.180,SrcPort:6536,TCPFlags:essequam,URLCategory:ueporro,URLReputation:84.488000,UserName:etcon,ClientVersion:1.4438,WebApplication:orum,OriginalClientIP: Bonoru,IngressInterface: lo5284,EgressInterface: enp0s73,IngressZone: emacc,EgressZone: emp,Prefilter Policy: lamcola,UserAgent: Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36,ReferencedHost: ipiscive,URL: https://www.example.org/etdolor/uat.gif?mmod=iti#nimadm,HTTPResponse: nculp,HTTPReferer: asp,IPReputationSICategory: eacom,DNS_TTL: mag,DNSRecordType: gelitse,DNSQuery: oremqu,GID: idex,SID: radip,Revision: upta,Message: tetura,Classification: rumet,User: uptasnul,Priority: antiumdo, ACPolicy: ecill, ConnectionDuration: 56.481000,Protocol: ipv6,VLAN_ID: 3302,IPSCount: 6436,InlineResult: allow, DNSSICategory: nostrud, URLSICategory: cteturad +Oct 12 2016 12:56:16 exercita2068.api.invalid %FTD-veleumi-nsequatu:CLOCK: System clock set, source: nula, IP: 10.169.84.140, before: santi, after: ritati +Oct 26 2016 19:58:50 orumS757.www5.corp: %FTD-eursint-orio:CLOCK: System clock set, source: gna, IP: 10.130.231.129, before: olu, after: iameaque +2016-11-10T03:01:24Z sedquian4212.www5.domain magnaa %NGIPS-medium-eca:AccessControlRuleAction:allow,AccessControlRuleName:tes,AccessControlRuleReason:unknown,ApplicationProtocol:rdp,Client:isi,ConnectType:iaecon,DE:aevitaed,DNSResponseType:byCic,DstIP:10.62.8.123,DstPort:5725,ICMPCode:siarc,ICMPType:fdeFin,InitiatorBytes:4053,InitiatorPackets:tobeata,NAPPolicy:nesciun,Policy:amcolab,ResponderBytes:4306,ResponderPackets:isnisiut,Sinkhole:atatnon,SrcIP:10.143.37.32,SrcPort:209,TCPFlags:uisnos,URLCategory:olores,URLReputation:174.651000,UserName:epo,ClientVersion:1.745,WebApplication:borisnis,OriginalClientIP: onorumet,IngressInterface: enp0s6017,EgressInterface: enp0s2440,IngressZone: ipsumq,EgressZone: evit,Prefilter Policy: tno,UserAgent: Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10,ReferencedHost: psumq,URL: https://internal.example.com/atu/teturad.htm?msequ=nvol#enimadmi,HTTPResponse: tateveli,HTTPReferer: osa,IPReputationSICategory: mini,DNS_TTL: rors,DNSRecordType: ssusci,DNSQuery: ames,GID: inimve,SID: uio,Revision: mexercit,Message: byC,Classification: uae,User: oremip,Priority: its, ACPolicy: uptasnul, ConnectionDuration: 115.011000,Protocol: rdp,VLAN_ID: 7541,IPSCount: 239,InlineResult: deny, DNSSICategory: nse, URLSICategory: miurere +Nov 24 10:03:59 ntor: oinBCSed3444.api.local: smodtem@roquisqu, Logout, Logout Success +Dec 8 17:06:33 apari5002.api.test orum: [nsequat:27813:1.6724] auto [Impact: failure] From sci at periam Dec 8 17:06:33 2016 UTC [Classification: fugiatnu] [Priority: dolor ]: {icmp} 10.182.213.195:7119 (tur) -> 10.9.200.197 +2016-12-23T00:09:07Z audant3412.www.local remeum %NGIPS-medium-animi:AccessControlRuleAction:allow, AccessControlRuleReason:failure, SrcIP:10.210.180.142, DstIP:10.111.33.70, SrcPort:3015, DstPort:3758, Protocol: ggp, IngressInterface: enp0s6049, IngressZone:amcolabo, ACPolicy:orsitvol, AccessControlRuleName:eriam, Prefilter Policy:anonn, User:utpers, Client:num, ApplicationProtocol:tcp, InitiatorPackets:iaturE, ResponderPackets:epor, InitiatorBytes:3465, ResponderBytes:3813, NAPPolicy:amnih, DNSQuery:tper4341.lan, DNSRecordType: a host address, DNSSICategory:nulamc +Jan 6 07:11:41 antiu3533.internal.domain iatquovo: HMNOTIFY: lapari (Sensor Mal): Severity:medium: success +Jan 20 14:14:16 cidu921.internal.lan quamq: Sha256:usan Disposition: Malware Threat name: tdolo IP Addresses: 10.222.183.123<<-10.165.33.19 +Feb 3 21:16:50 unturmag6190.api.lan remeum: [etur:16539:1.890] "Quisa" [Impact: unknown] From dolo at modoco Feb 3 21:16:50 2017 UTC [Classification: Finibus] [Priority: uisautei]: {rdp} 10.52.190.18:4411 -> 10.238.223.171 +Feb 18 04:19:24 conseq6079.www.corp tiu: [wri:26992:1.3902] asper [Impact: unknown] From orem/inibus at secte Feb 18 04:19:24 2017 UTC [Classification: ctobeat] [Priority: onsec ]: {udp} 10.68.233.163 -> 10.160.178.109:1934 +Mar 4 2017 11:21:59 tvol3402.www.local %FTD-ollita-qua:CLOCK: System clock set, source: ionula, IP: 10.162.109.83, before: nderi, after: tem +Mar 18 2017 18:24:33 xcep3783.internal.localhost %FTD-ercitati-atem:User 'serro' executed the 'lumquid' command. +Apr 2 01:27:07 ciatisun7378.www5.invalid didun: HMNOTIFY: riaturEx (Sensor nde): Severity:low: unknown +Apr 16 08:29:41 iqu4858.mail.invalid audant: [obeata:11634:1.6627] "minimve" [Impact: unknown] From "toditau/uiad" at nvolupta Apr 16 08:29:41 2017 UTC [Classification: exercit] [Priority: dexer ]:alert {igmp} 10.116.175.84 -> 10.213.100.153 +Apr 30 15:32:16 lumqui: ectet ionu3320.api.localhost: estq@quasiarc, Command Line,aliquaU +May 14 22:34:50 tvolu: imve ollitan5079.www.lan: deriti@edictasu, Health > eturadi +May 29 05:37:24 nihilmol1849.api.local eporroq: Protocol: tcp, AccessControlRuleAction:block,AccessControlRuleName:iatn,AccessControlRuleReason:unknown,ApplicationProtocol:igmp,Client:eli,ConnectType:rissusci,DE:ectetur,DNSResponseType:dictasun,DstIP:10.26.95.225,DstPort:4196,FileCount:3674,ICMPCode:oluptate,ICMPType:ntut,InitiatorBytes:5153,InitiatorPackets:scipit,NAPPolicy:litess,Policy:tore,ResponderBytes:5269,ResponderPackets:quunturm,Sinkhole:quovo,SrcIP:10.143.219.250,SrcPort:1444,TCPFlags:conse,URLCategory:aturve,URLReputation:8.942000,UserName:fdeFin,ClientVersion:1.2871,WebApplication:psu,OriginalClientIP: strud,IngressInterface: eth6386,EgressInterface: lo7421,IngressZone: ratv,EgressZone: veni,Prefilter Policy: metM,UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0],ReferencedHost: tate,URL: https://internal.example.com/uun/amrem.gif?umq=ita#ipsaquae,HTTPResponse: olu,HTTPReferer: exerci,IPReputationSICategory: isnostru,DNS_TTL: iad,DNSRecordType: ngelits,DNSQuery: volupt,GID: billoi,SID: 38352,Revision: utaliqui,Message: uov,Classification: pariat,User: icaboNe,Priority: boreetd, ACPolicy: uir +Jun 12 12:39:58 ipsu: [oremip] ota4562.local: epteurs@itse, Task Queue, rever +Jun 26 19:42:33 eiu: [maliquam] gnama5033.www5.home: ction@emveleum, Object > siuta +Jul 11 02:45:07 sum6106.www.home ulamc: HMNOTIFY: doe (Sensor eiusm): Severity:very-high: failure +Jul 25 09:47:41 ugiatn: squa2763.www.lan: trude@snulap, Task Queue, onsequat +2017-8-8T16:50:15Z aturvel1847.mail.localdomain sedquia %NGIPS-high-ostrudex:AccessControlRuleAction:cancel, AccessControlRuleReason:unknown, SrcIP:10.240.144.78, DstIP:10.251.159.118, SrcPort:2998, DstPort:2795, Protocol: ipv6, IngressInterface: lo6367, IngressZone:ptatems, ACPolicy:tenima, AccessControlRuleName:emagnam, Prefilter Policy:iaco, User:urQuisa, Client:ipi, ApplicationProtocol:ipv6-icmp, InitiatorPackets:amali, ResponderPackets:onula, InitiatorBytes:1580, ResponderBytes:4902, NAPPolicy:por, DNSQuery:stiae3403.internal.localhost, DNSRecordType: a host address, DNSSICategory:Ute +Aug 22 23:52:50 setq5996.corp : HMNOTIFY: odi (Sensor tper): Severity:medium: success +Sep 6 06:55:24 quiano3025.api.localhost oluptat: HMNOTIFY: sequatD (Sensor emap): Severity:very-high: unknown +Sep 20 13:57:58 qui7797.www.host : HMNOTIFY: umet (Sensor psaquaea): Severity:low: failure +2017-10-4T21:00:32Z Utenim3707.www5.host iamquisn %NGIPS-low-lor:AccessControlRuleAction:cancel, AccessControlRuleReason:success, SrcIP:10.140.209.249, DstIP:10.201.132.114, SrcPort:1801, DstPort:639, Protocol: ggp, IngressInterface: lo3580, IngressZone:eacommo, ACPolicy:litani, AccessControlRuleName:temse, Prefilter Policy:samvo, User:itsedd, Client:icta, ApplicationProtocol:igmp, InitiatorPackets:labori, ResponderPackets:ditau, InitiatorBytes:470, ResponderBytes:5413, NAPPolicy:olest, DNSQuery:urau1660.www.lan, DNSRecordType: a host address, DNSSICategory:Neq +Oct 19 04:03:07 Nequepor: [aUten] edutpers3482.www5.corp: mnisis@onsequa, Access Control Policy > sunt +Nov 2 11:05:41 nofde7732.internal.test emp: [emoeni:13228:1.2633] taliqui [Impact: failure] From labo at ssecill Nov 2 11:05:41 2017 UTC [Classification: umquam] [Priority: onev ]: atu {ipv6} 10.198.44.231 -> 10.36.122.169:6751 (ariatu) +2017-11-16T18:08:15Z byCicero7475.www.localhost abillo %NGIPS-medium-eav:AccessControlRuleAction:block, AccessControlRuleReason:failure, SrcIP:10.77.86.215, DstIP:10.144.162.122, SrcPort:5913, DstPort:2080, Protocol: udp, IngressInterface: lo5079, IngressZone:sequine, ACPolicy:minimv, AccessControlRuleName:ffici, Prefilter Policy:rsintoc, User:boreetd, Client:rehende, ApplicationProtocol:icmp, InitiatorPackets:erspic, ResponderPackets:orincidi, InitiatorBytes:3273, ResponderBytes:6430, NAPPolicy:quipe, DNSQuery:evita850.localdomain, DNSRecordType: a host address, DNSSICategory:tiu +Dec 1 01:10:49 acons: [enbyCic] aturau3002.api.corp: sci@psamvolu, itsedqui +2017-12-15T08:13:24Z ntiumt238.internal.corp isc %NGIPS-high-odite:AccessControlRuleAction:cancel,AccessControlRuleName:ostr,AccessControlRuleReason:unknown,ApplicationProtocol:tcp,Client:itan,ConnectType:olorin,DE:oluptat,DNSResponseType:olors,DstIP:10.85.61.13,DstPort:6593,ICMPCode:quian,ICMPType:xerci,InitiatorBytes:5178,InitiatorPackets:upt,NAPPolicy:uovolu,Policy:itten,ResponderBytes:4805,ResponderPackets:abo,Sinkhole:orisnis,SrcIP:10.212.37.178,SrcPort:76,TCPFlags:aconseq,URLCategory:isnos,URLReputation:132.397000,UserName:lit,ClientVersion:1.4,WebApplication:odic,OriginalClientIP: ono,IngressInterface: eth1462,EgressInterface: enp0s3976,IngressZone: ine,EgressZone: hend,Prefilter Policy: rcit,UserAgent: Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30,ReferencedHost: nsecte,URL: https://api.example.org/tat/pitlabor.gif?rrorsi=loremqu#busBono,HTTPResponse: mnisiut,HTTPReferer: eabil,IPReputationSICategory: olu,DNS_TTL: uaUte,DNSRecordType: empor,DNSQuery: ate,GID: eca,SID: inre,Revision: aliqu,Message: orem,Classification: dquian,User: isaute,Priority: rumetMa, ACPolicy: utfugit, ConnectionDuration: 95.196000,Protocol: ggp,VLAN_ID: 5189,IPSCount: 1350,InlineResult: allow, DNSSICategory: ntocca, URLSICategory: emquelau +Dec 29 15:15:58 atu2951.test : HMNOTIFY: pitlab (Sensor riosamn): Severity:medium: success +Jan 12 22:18:32 mini: tutl uipe5295.api.localhost: mwrit@dminimve, Access Control Policy > madminim +2018-1-27T05:21:06Z tatiset5041.www5.local tevelit %NGIPS-low-Utenim:AccessControlRuleAction:deny,AccessControlRuleName:uisa,AccessControlRuleReason:unknown,ApplicationProtocol:ggp,Client:siutal,ConnectType:umetMalo,DE:onevolu,DNSResponseType:itautfug,DstIP:10.236.221.212,DstPort:5294,ICMPCode:nsequatD,ICMPType:amcorp,InitiatorBytes:1539,InitiatorPackets:idolor,NAPPolicy:umdo,Policy:sequatu,ResponderBytes:7142,ResponderPackets:ecillu,Sinkhole:ipsaqu,SrcIP:10.31.46.127,SrcPort:7526,TCPFlags:magn,URLCategory:amcola,URLReputation:173.477000,UserName:sno,ClientVersion:1.6406,WebApplication:ntiu,OriginalClientIP: tametco,IngressInterface: lo6910,EgressInterface: eth6946,IngressZone: non,EgressZone: pta,Prefilter Policy: asnul,UserAgent: Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91,ReferencedHost: todit,URL: https://www.example.com/fug/ulpaq.gif?piscivel=ueporr#udex,HTTPResponse: ipexeac,HTTPReferer: uin,IPReputationSICategory: isci,DNS_TTL: archi,DNSRecordType: rsitame,DNSQuery: qui,GID: umdolo,SID: tate,Revision: sintocca,Message: ugiat,Classification: asuntex,User: uovolup,Priority: expl, ACPolicy: animi, ConnectionDuration: 63.677000,Protocol: ipv6,VLAN_ID: 3389,IPSCount: 1457,InlineResult: cancel, DNSSICategory: taliqui, URLSICategory: doloremi +Feb 10 12:23:41 atevel: [oloremeu] esse2198.mail.example: uaturvel@quisqua, System > sedquian +Feb 24 2018 19:26:15 pitlab5165.localdomain %FTD-uptate-tevelite:CLOCK: System clock set, source: cto, IP: 10.17.172.91, before: agn, after: dip +Mar 11 02:28:49 acomm: [edquia] uinesci6041.api.local: pers@lpaquiof, Analysis isisten +Mar 25 09:31:24 uovol2459.www5.invalid volup: [nimi:5155:1.2115] lillum [Impact: success] From suntin at consequa Mar 25 09:31:24 2018 UTC [Classification: tionu] [Priority: umqua ]:alert {tcp} 10.28.105.106 -> 10.60.137.215:3266 (icons) +Apr 8 16:33:58 ptate7215.www5.home mquiado: HMNOTIFY: ssequa (Sensor nisist): Severity:low: failure +Apr 22 23:36:32 metc7395.lan ataevit: Protocol: rdp, AccessControlRuleAction:deny,AccessControlRuleName:toditaut,AccessControlRuleReason:success,ApplicationProtocol:ipv6-icmp,Client:didu,ConnectType:emporain,DE:ovo,DNSResponseType:aeabillo,DstIP:10.53.0.68,DstPort:7066,FileCount:4405,ICMPCode:rehen,ICMPType:sitasp,InitiatorBytes:933,InitiatorPackets:exeacom,NAPPolicy:teir,Policy:suntin,ResponderBytes:4053,ResponderPackets:upta,Sinkhole:iaeconse,SrcIP:10.235.102.51,SrcPort:1905,TCPFlags:uscip,URLCategory:ptasn,URLReputation:163.091000,UserName:san,ClientVersion:1.1124,WebApplication:amqui,OriginalClientIP: itatise,IngressInterface: lo6252,EgressInterface: enp0s6516,IngressZone: liqu,EgressZone: cons,Prefilter Policy: apar,UserAgent: Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36,ReferencedHost: umtota,URL: https://internal.example.com/xplic/isn.html?ame=tenat#etur,HTTPResponse: uisnost,HTTPReferer: snul,IPReputationSICategory: quasia,DNS_TTL: ihilmol,DNSRecordType: seosqui,DNSQuery: tiset,GID: ciade,SID: 31978,Revision: equ,Message: rror,Classification: Exce,User: uae,Priority: tut, ACPolicy: umdol +May 7 2018 06:39:06 Loremips5368.www5.corp: %FTD-ficiade-nemull:Offloaded TCP Flow for connectiontrumexfromenp0s484:10.49.190.163/4220(10.20.167.114/6975) tolo7626:10.166.40.137/5279(10.65.144.119/6233) +May 21 13:41:41 mexer1548.www5.example uidexea: Sha256:emu Disposition: Malware Threat name: asia IP Addresses: 10.162.128.87<<-10.104.78.147 +Jun 4 20:44:15 emulla6625.www5.corp oditaut: Sha256:oloremqu Disposition: Malware Threat name: untNeque IP Addresses: 10.82.180.46<<-10.237.43.87 +Jun 19 03:46:49 magn3657.api.invalid tquiine: [ill:5315:1.4189] "mquisn" [Impact: success] From nby/uames at dolo Jun 19 03:46:49 2018 UTC [Classification: mnihil] [Priority: aturQui ]: umqua {icmp} 10.234.234.205:5714 (eos) -> 10.180.28.156:4665 (quovol) +Jul 3 10:49:23 nis3942.mail.example edutpe: HMNOTIFY: architec (Sensor incul): Severity:high: success +2018-7-17T17:51:58Z iscing6960.api.invalid emipsu %NGIPS-very-high-temUte:AccessControlRuleAction:block, AccessControlRuleReason:success, SrcIP:10.40.250.209, DstIP:10.166.10.187, SrcPort:3941, DstPort:793, Protocol: udp, IngressInterface: lo2032, IngressZone:nculpaq, ACPolicy:mides, AccessControlRuleName:iconseq, Prefilter Policy:nidolo, User:runtmoll, Client:tuserror, ApplicationProtocol:igmp, InitiatorPackets:adipis, ResponderPackets:tet, InitiatorBytes:1259, ResponderBytes:4280, NAPPolicy:inv, DNSQuery:upta788.invalid, DNSRecordType: a host address, DNS_TTL: olupta, DNSSICategory:raincidu +Aug 1 00:54:32 consequu3962.api.localdomain Maloru: Protocol: ggp, AccessControlRuleAction:cancel,AccessControlRuleName:equat,AccessControlRuleReason:unknown,ApplicationProtocol:rdp,Client:estlab,ConnectType:vol,DE:paqui,DNSResponseType:eiusmo,DstIP:10.33.37.252,DstPort:3192,FileCount:2960,ICMPCode:itseddoe,ICMPType:tnulapa,InitiatorBytes:6405,InitiatorPackets:ngelitse,NAPPolicy:Utenim,Policy:llitan,ResponderBytes:2517,ResponderPackets:urs,Sinkhole:uepor,SrcIP:10.52.109.149,SrcPort:1416,TCPFlags:piciati,URLCategory:mipsum,URLReputation:7.706000,UserName:ditaut,ClientVersion:1.91,WebApplication:niamquis,OriginalClientIP: lapariat,IngressInterface: lo5184,EgressInterface: lo62,IngressZone: mpo,EgressZone: deritinv,Prefilter Policy: ten,UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36,ReferencedHost: temporai,URL: https://example.com/emeumf/res.txt?ptasn=ima#emUte,HTTPResponse: atnonp,HTTPReferer: imaven,IPReputationSICategory: cia,DNS_TTL: doconseq,DNSRecordType: quia,DNSQuery: veleum,GID: emUten,SID: 31978,Revision: proiden,Message: cita,Classification: iac,User: ntincul,Priority: mnisiste, ACPolicy: uptas +Aug 15 07:57:06 ita7851.localhost dictas: Sha256:equaturv Disposition: Malware Threat name: rsi IP Addresses: 10.78.180.219<<-10.198.202.72 +Aug 29 14:59:40 laparia5374.api.domain norumet: [tconse:26152:1.2390] "tam" [Impact: success] From "inc/riaturEx" at eleumiur Aug 29 14:59:40 2018 UTC [Classification: eufugi] [Priority: ionu ] < {ggp} 10.147.155.100 -> 10.232.67.182:2086 (maccusan) +Sep 12 22:02:15 onse3711.api.domain aliquaUt: [boreet:9193:1.1034] vol [Impact: unknown] From "nof/boNe" at ovolu Sep 12 22:02:15 2018 UTC [Classification: cid] [Priority: periam ] {ggp} 10.4.147.70:3210 -> 10.95.152.78:1267 +Sep 27 05:04:49 elite: nde iac7016.api.lan: antiu@llumquid, FailD, paq +Oct 11 12:07:23 sit: tte4006.www5.test: lors@isautem, Intrusion Events,metco +2018-10-25T19:09:57Z equatD1241.www5.host rpo %NGIPS-low-econs:AccessControlRuleAction:cancel,AccessControlRuleName:bor,AccessControlRuleReason:success,ApplicationProtocol:udp,Client:ten,ConnectType:ssec,DE:snulapar,DNSResponseType:maccusan,DstIP:10.54.49.229,DstPort:1089,ICMPCode:iset,ICMPType:piciatis,InitiatorBytes:3781,InitiatorPackets:dolor,NAPPolicy:tur,Policy:sBo,ResponderBytes:1426,ResponderPackets:rehende,Sinkhole:iaeco,SrcIP:10.204.18.92,SrcPort:4216,TCPFlags:psamvolu,URLCategory:odte,URLReputation:12.264000,UserName:aparia,ClientVersion:1.2692,WebApplication:reetd,OriginalClientIP: nos,IngressInterface: enp0s6783,EgressInterface: enp0s2434,IngressZone: urveli,EgressZone: agnaa,Prefilter Policy: olu,UserAgent: Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36,ReferencedHost: atae,URL: https://www5.example.net/boNemo/duntutla.html?tmollit=ptat#nnumqu,HTTPResponse: billoi,HTTPReferer: ciatisu,IPReputationSICategory: evelites,DNS_TTL: vol,DNSRecordType: ommodi,DNSQuery: ritat,GID: dipi,SID: asnulapa,Revision: atev,Message: onsequa,Classification: seddoe,User: quisnost,Priority: tionu, ACPolicy: ciades, ConnectionDuration: 116.537000,Protocol: icmp,VLAN_ID: 764,IPSCount: 5618,InlineResult: accept, DNSSICategory: nvolupt, URLSICategory: stia +Nov 9 02:12:32 essequ121.localdomain uaturQui: Sha256:emi Disposition: Malware Threat name: mipsumq IP Addresses: 10.216.14.36<<-10.224.250.83 +Nov 23 09:15:06 borios1685.www.localhost umfu: [inesc:10329:1.6298] "olupt" [Impact: failure] From otamr/nonnu at riamea Nov 23 09:15:06 2018 UTC [Classification: taliquip] [Priority: upt ]:alert {ggp} 10.38.22.60:653 (ipi) -> 10.231.10.63 +2018-12-7T16:17:40Z odt2318.localdomain dut %NGIPS-high-remape:AccessControlRuleAction:cancel, AccessControlRuleReason:failure, SrcIP:10.46.57.181, DstIP:10.29.231.11, SrcPort:3760, DstPort:2231, Protocol: ggp, IngressInterface: eth1891, IngressZone:orsitam, ACPolicy:olupt, AccessControlRuleName:tlab, Prefilter Policy:str, User:sit, Client:atat, ApplicationProtocol:tcp, InitiatorPackets:isnos, ResponderPackets:emp, InitiatorBytes:42, ResponderBytes:560, NAPPolicy:sciveli, DNSQuery:Bonoru5658.mail.invalid, DNSRecordType: a host address, DNSSICategory:omm +Dec 21 23:20:14 dolores: oin ueipsa6797.mail.home: agnaal@itaut, Access Control Policy > Bonoru +Jan 5 06:22:49 ntinculp: uptatemU iono5161.www5.localhost: ita@olupt, System > orisnisi +Jan 19 13:25:23 untut3537.domain sit: Protocol: ggp, AccessControlRuleAction:cancel,AccessControlRuleName:uia,AccessControlRuleReason:unknown,ApplicationProtocol:ipv6-icmp,Client:nostrume,ConnectType:corpori,DE:unti,DNSResponseType:tena,DstIP:10.199.173.109,DstPort:1531,FileCount:4238,ICMPCode:rmagni,ICMPType:tiono,InitiatorBytes:7625,InitiatorPackets:imipsamv,NAPPolicy:eroin,Policy:xplicabo,ResponderBytes:4308,ResponderPackets:cidu,Sinkhole:tquo,SrcIP:10.20.64.209,SrcPort:5294,TCPFlags:mrem,URLCategory:maliquam,URLReputation:112.060000,UserName:eiusmo,ClientVersion:1.3720,WebApplication:its,OriginalClientIP: prehende,IngressInterface: eth685,EgressInterface: lo919,IngressZone: uiration,EgressZone: secte,Prefilter Policy: ulapari,UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36,ReferencedHost: vol,URL: https://api.example.com/non/quaturQu.gif?etura=taedi#edi,HTTPResponse: quiacon,HTTPReferer: udexerc,IPReputationSICategory: volu,DNS_TTL: tassit,DNSRecordType: metconse,DNSQuery: remeum,GID: equaturQ,SID: 38469,Revision: mollita,Message: eserun,Classification: sBono,User: icab,Priority: iquaUten, ACPolicy: oluptasn +2019-2-2T20:27:57Z atio5250.api.localhost idolo %NGIPS-low-ritat:AccessControlRuleAction:block, AccessControlRuleReason:success, SrcIP:10.107.144.80, DstIP:10.135.250.25, SrcPort:703, DstPort:1306, Protocol: icmp, IngressInterface: lo3342, IngressZone:emquiavo, ACPolicy:nsequ, AccessControlRuleName:Secti, Prefilter Policy:utlabore, User:suscipi, Client:tlabor, ApplicationProtocol:ggp, InitiatorPackets:dolore, ResponderPackets:xer, InitiatorBytes:4673, ResponderBytes:1881, NAPPolicy:msequine, DNSQuery:reetd7201.invalid, DNSRecordType: a host address, DNS_TTL: ugiatquo, DNSSICategory:ende +Feb 17 03:30:32 tnula4380.mail.test edolo: HMNOTIFY: olupta (Sensor volu): Severity:low: failure +Mar 3 10:33:06 ugiat: [quiin] apar2567.www.localhost: iscing@ser, Policies > nama +Mar 17 2019 17:35:40 onsecte5119.www.invalid %FTD-dolore-iineavol:Failed to locate egress interface for icmp from enp0s3923:10.198.207.31/579 to 10.5.88.183/7518 +Apr 1 00:38:14 uis: [oluptat] iutali3143.host: ect@fdeFi, Analysis & Reporting , eritat +Apr 15 07:40:49 prehende: [spern] orro7466.www5.lan: issu@accusant, rrorsitv +Apr 29 14:43:23 quii: [dantiu] epre7710.www.domain: aria@ugi, Heartbeat, econ +May 13 21:45:57 tio: [tlabori] nsequatu2799.www5.invalid: mape@aboree, Task Queue, eumiurer +2019-5-28T04:48:31Z scingel1634.api.home orsit %NGIPS-high-meaq:AccessControlRuleAction:block,AccessControlRuleName:uaUten,AccessControlRuleReason:failure,ApplicationProtocol:icmp,Client:aec,ConnectType:issus,DE:ica,DNSResponseType:scingeli,DstIP:10.10.40.136,DstPort:6091,ICMPCode:idu,ICMPType:neavolup,InitiatorBytes:694,InitiatorPackets:giatquov,NAPPolicy:ovolupta,Policy:oen,ResponderBytes:7141,ResponderPackets:mtot,Sinkhole:entorev,SrcIP:10.34.89.14,SrcPort:4988,TCPFlags:quisnost,URLCategory:chitecto,URLReputation:124.035000,UserName:quelauda,ClientVersion:1.992,WebApplication:mquia,OriginalClientIP: saquaeab,IngressInterface: lo2474,EgressInterface: eth6425,IngressZone: deFini,EgressZone: radip,Prefilter Policy: odiconse,UserAgent: Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36,ReferencedHost: untu,URL: https://mail.example.net/quunturm/upta.gif?exer=mvolup#litseddo,HTTPResponse: ccaeca,HTTPReferer: snostr,IPReputationSICategory: ratvol,DNS_TTL: olaboris,DNSRecordType: smodite,DNSQuery: eataevi,GID: conseq,SID: quo,Revision: texplica,Message: urQuis,Classification: umetMa,User: tisetqua,Priority: lore, ACPolicy: taedicta, ConnectionDuration: 141.678000,Protocol: udp,VLAN_ID: 2110,IPSCount: 7554,InlineResult: cancel, DNSSICategory: tmollita, URLSICategory: turQuis +2019-6-11T11:51:06Z inBCSe364.www.corp ntore %NGIPS-very-high-tsedquia:AccessControlRuleAction:deny,AccessControlRuleName:mea,AccessControlRuleReason:success,ApplicationProtocol:rdp,Client:illoinv,ConnectType:euf,DE:turveli,DNSResponseType:onofdeFi,DstIP:10.197.182.37,DstPort:4472,ICMPCode:quaUte,ICMPType:ercitati,InitiatorBytes:6085,InitiatorPackets:rehe,NAPPolicy:hilmole,Policy:etura,ResponderBytes:540,ResponderPackets:eumiure,Sinkhole:exe,SrcIP:10.182.121.165,SrcPort:4822,TCPFlags:tate,URLCategory:tev,URLReputation:46.627000,UserName:uira,ClientVersion:1.2734,WebApplication:ncididu,OriginalClientIP: numqu,IngressInterface: enp0s1059,EgressInterface: enp0s3789,IngressZone: uscipitl,EgressZone: utfugit,Prefilter Policy: utali,UserAgent: Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;],ReferencedHost: peria,URL: https://api.example.com/uscip/uptatem.txt?eetd=orin#remag,HTTPResponse: conse,HTTPReferer: ate,IPReputationSICategory: iamq,DNS_TTL: tationul,DNSRecordType: qui,DNSQuery: porissu,GID: one,SID: mqu,Revision: iofficia,Message: uisnostr,Classification: lit,User: stlabo,Priority: uaer, ACPolicy: ectob, ConnectionDuration: 159.885000,Protocol: rdp,VLAN_ID: 350,IPSCount: 7423,InlineResult: allow, DNSSICategory: orema, URLSICategory: enderit +2019-6-25T18:53:40Z uaeratv2083.internal.localhost essecil %NGIPS-medium-uptate:AccessControlRuleAction:allow, AccessControlRuleReason:unknown, SrcIP:10.154.87.98, DstIP:10.186.68.87, SrcPort:2632, DstPort:2129, Protocol: igmp, IngressInterface: eth2658, IngressZone:suscipi, ACPolicy:eirure, AccessControlRuleName:itsed, Prefilter Policy:fugiat, User:ore, Client:labo, ApplicationProtocol:ipv6-icmp, InitiatorPackets:nisi, ResponderPackets:pidatatn, InitiatorBytes:2005, ResponderBytes:4560, NAPPolicy:odico, DNSQuery:onofdeFi1149.www5.domain, DNSRecordType: a host address, DNSSICategory:ioffici +2019-7-10T01:56:14Z nvo2629.example onsequ %NGIPS-medium-itess:AccessControlRuleAction:allow, AccessControlRuleReason:unknown, SrcIP:10.35.59.140, DstIP:10.67.211.63, SrcPort:1832, DstPort:7478, Protocol: udp, IngressInterface: eth3613, IngressZone:temqu, ACPolicy:emse, AccessControlRuleName:dantiu, Prefilter Policy:oluptate, User:onnu, Client:Ciceroin, ApplicationProtocol:udp, InitiatorPackets:itempora, ResponderPackets:uovol, InitiatorBytes:4338, ResponderBytes:584, NAPPolicy:bore, DNSQuery:lumdol5252.internal.test, DNSRecordType: a host address, DNS_TTL: seosq, DNSSICategory:orain +Jul 24 08:58:48 quianonn2762.api.localhost : HMNOTIFY: eeufugia (Sensor mquis): Severity:very-high: unknown +Aug 7 16:01:23 ver: [quaturv] atn2219.api.invalid: radip@ipsum, Heartbeat, itesse +Aug 21 23:03:57 equu1159.internal.localhost psumdol: HMNOTIFY: atcup (Sensor urautodi): Severity:medium: failure +Sep 5 06:06:31 dexer: [tionofde] urQuisau2442.mail.invalid: uptate@itesse, Login, Login Success +Sep 19 13:09:05 cididu3187.home asperna: Sha256:llumdolo Disposition: Malware Threat name: sequines IP Addresses: 10.14.46.141->10.179.27.185 +Oct 3 20:11:40 lorem: aliqua4025.www.localdomain: deFinibu@pitlab, Logout, Logout Success +Oct 18 03:14:14 ntutlab: aecatcup citati1297.api.domain: emp@uptate, Policies > olupta +Nov 1 10:16:48 nreprehe2138.www5.domain : HMNOTIFY: eursi (Sensor aute): Severity:medium: success +Nov 15 17:19:22 pari: [ent] idolore6589.api.localdomain: ctobea@audanti, Logout, Logout Success +Nov 30 2019 00:21:57 erunt3957.internal.lan %FTD-aut-iono:TCP Flow is no longer offloaded for connection runtmo from lo2571:10.118.103.185/1333 (10.240.77.10/2226) to lo5895:10.125.130.61/6154 (10.32.195.34/135) +Dec 14 07:24:31 ntNe7144.api.lan oremips: Sha256:numqu Disposition: Malware Threat name: sed IP Addresses: 10.111.130.177<<-10.188.88.133 diff --git a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json new file mode 100644 index 00000000000..f0150dcb87f --- /dev/null +++ b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json @@ -0,0 +1,3907 @@ +[ + { + "event.code": "FTD_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jan 29 2016 06:09:59 quid2184.invalid: %FTD-enim-dqu:CLOCK: System clock set, source: veri, IP: 10.202.72.124, before: inv, after: emo", + "fileset.name": "log", + "host.ip": "10.202.72.124", + "host.name": "quid2184.invalid", + "input.type": "log", + "log.offset": 0, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "quid2184.invalid" + ], + "related.ip": [ + "10.202.72.124" + ], + "rsa.internal.messageid": "FTD_events", + "rsa.internal.msg_id": "dqu", + "rsa.misc.change_attrib": "Time", + "rsa.misc.change_new": "emo", + "rsa.misc.change_old": "inv", + "rsa.misc.event_source": "veri", + "rsa.network.alias_host": [ + "quid2184.invalid" + ], + "rsa.time.day": "29", + "rsa.time.month": "Jan", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.bytes": 3676, + "destination.ip": [ + "10.212.11.114" + ], + "destination.port": 3716, + "event.action": "deny", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2016-2-12T13:12:33Z inBCSedu5722.internal.lan nimadmin %NGIPS-medium-uam:AccessControlRuleAction:deny, AccessControlRuleReason:success, SrcIP:10.38.77.13, DstIP:10.212.11.114, SrcPort:3971, DstPort:3716, Protocol: tcp, IngressInterface: eth4091, IngressZone:isiu, ACPolicy:nimadmi, AccessControlRuleName:iatisu, Prefilter Policy:iat, User:tevelit, Client:nsequat, ApplicationProtocol:igmp, InitiatorPackets:llam, ResponderPackets:llamcorp, InitiatorBytes:4512, ResponderBytes:3676, NAPPolicy:eataevit, DNSQuery:uptatev4292.www.invalid, DNSRecordType: a host address, DNSSICategory:atat", + "fileset.name": "log", + "host.name": "uptatev4292.www.invalid", + "input.type": "log", + "log.level": "medium", + "log.offset": 135, + "network.application": "nsequat", + "network.protocol": "igmp", + "observer.egress.interface.name": "eth4091", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "uptatev4292.www.invalid" + ], + "related.ip": [ + "10.212.11.114", + "10.38.77.13" + ], + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "uam", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "atat", + "rsa.misc.policy_name": "eataevit", + "rsa.misc.result": "success", + "rsa.misc.rule_name": "iatisu", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "uptatev4292.www.invalid" + ], + "rsa.network.dinterface": "eth4091", + "rsa.network.zone_dst": "isiu", + "rsa.time.day": "12", + "rule.name": "iatisu", + "service.type": "snort", + "source.bytes": 4512, + "source.ip": [ + "10.38.77.13" + ], + "source.port": 3971, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.action": "itecto", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Feb 26 20:15:08 tlabo6088.www.localdomain Lor: HMNOTIFY: itecto (Sensor erc): Severity:medium: failure", + "fileset.name": "log", + "host.name": "tlabo6088.www.localdomain", + "input.type": "log", + "log.level": "medium", + "log.offset": 721, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "tlabo6088.www.localdomain" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "itecto", + "rsa.misc.result": "failure", + "rsa.misc.sensor": "erc", + "rsa.misc.severity": "medium", + "rsa.time.day": "26", + "rsa.time.month": "Feb", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.action": "suntinc", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Mar 12 03:17:42 eporroqu4200.domain atquovo: HMNOTIFY: suntinc (Sensor xeac): Severity:medium: success", + "fileset.name": "log", + "host.name": "eporroqu4200.domain", + "input.type": "log", + "log.level": "medium", + "log.offset": 824, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "eporroqu4200.domain" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "suntinc", + "rsa.misc.result": "success", + "rsa.misc.sensor": "xeac", + "rsa.misc.severity": "medium", + "rsa.time.day": "12", + "rsa.time.month": "Mar", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Mar 26 10:20:16 eirure: conseq557.mail.lan: aaliquaU@ntor, Analysis & Reporting > lpaqui", + "file.name": "eirure", + "fileset.name": "log", + "host.name": "conseq557.mail.lan", + "input.type": "log", + "log.offset": 927, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "conseq557.mail.lan" + ], + "related.user": [ + "aaliquaU" + ], + "rsa.db.index": "lpaqui", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "Analysis & Reporting", + "rsa.network.alias_host": [ + "conseq557.mail.lan" + ], + "rsa.time.day": "26", + "rsa.time.month": "Mar", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "aaliquaU" + }, + { + "destination.bytes": 3365, + "destination.ip": [ + "10.24.67.250" + ], + "destination.port": 2026, + "event.action": "block", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2016-4-9T17:22:51Z ationemu5040.www.lan utei %NGIPS-low-oei:AccessControlRuleAction:block, AccessControlRuleReason:unknown, SrcIP:10.182.199.231, DstIP:10.24.67.250, SrcPort:4478, DstPort:2026, Protocol: igmp, IngressInterface: enp0s5361, IngressZone:commod, ACPolicy:adol, AccessControlRuleName:doloremi, Prefilter Policy:luptasn, User:hitect, Client:dol, ApplicationProtocol:ipv6-icmp, InitiatorPackets:modocon, ResponderPackets:que, InitiatorBytes:651, ResponderBytes:3365, NAPPolicy:nsecte, DNSQuery:itame189.domain, DNSRecordType: a host address, DNSSICategory:exercit", + "fileset.name": "log", + "host.name": "itame189.domain", + "input.type": "log", + "log.level": "low", + "log.offset": 1016, + "network.application": "dol", + "network.protocol": "ipv6-icmp", + "observer.egress.interface.name": "enp0s5361", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "itame189.domain" + ], + "related.ip": [ + "10.24.67.250", + "10.182.199.231" + ], + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "oei", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "exercit", + "rsa.misc.policy_name": "nsecte", + "rsa.misc.result": "unknown", + "rsa.misc.rule_name": "doloremi", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "itame189.domain" + ], + "rsa.network.dinterface": "enp0s5361", + "rsa.network.zone_dst": "commod", + "rsa.time.day": "9", + "rule.name": "doloremi", + "service.type": "snort", + "source.bytes": 651, + "source.ip": [ + "10.182.199.231" + ], + "source.port": 4478, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Apr 24 00:25:25 uscipit: vitaedi1318.corp: temqu@edol, FailD, colab", + "file.name": "uscipit", + "fileset.name": "log", + "host.name": "vitaedi1318.corp", + "input.type": "log", + "log.offset": 1590, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "vitaedi1318.corp" + ], + "related.user": [ + "temqu" + ], + "rsa.db.index": "colab", + "rsa.internal.messageid": "SystemSettings", + "rsa.network.alias_host": [ + "vitaedi1318.corp" + ], + "rsa.time.day": "24", + "rsa.time.month": "Apr", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "temqu" + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "May 8 07:27:59 nimid: itatione1916.www.host: oluptate@issus, Analysis & Reporting > osamn", + "file.name": "nimid", + "fileset.name": "log", + "host.name": "itatione1916.www.host", + "input.type": "log", + "log.offset": 1658, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "itatione1916.www.host" + ], + "related.user": [ + "oluptate" + ], + "rsa.db.index": "osamn", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "Analysis & Reporting", + "rsa.network.alias_host": [ + "itatione1916.www.host" + ], + "rsa.time.day": "8", + "rsa.time.month": "May", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "oluptate" + }, + { + "destination.geo.country_name": "eeufugia", + "destination.ip": [ + "10.157.18.252" + ], + "destination.port": 5300, + "event.code": "5979", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "May 22 14:30:33 its7829.localhost datatno: [siutali:5979:1.4418] usmodte [Impact: failure] From esciuntN/idunt at ptasnu May 22 14:30:33 2016 UTC [Classification: rQu] [Priority: oremeu ]:alert {ipv6} 10.110.31.190 -> 10.157.18.252:5300 (eeufugia)", + "fileset.name": "log", + "host.name": "its7829.localhost", + "input.type": "log", + "log.level": "oremeu", + "log.offset": 1748, + "network.protocol": "ipv6", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "observer.version": "1.4418", + "related.hosts": [ + "its7829.localhost" + ], + "related.ip": [ + "10.157.18.252", + "10.110.31.190" + ], + "rsa.crypto.sig_type": "rQu", + "rsa.internal.messageid": "5979", + "rsa.misc.context": "usmodte", + "rsa.misc.event_log": "datatno", + "rsa.misc.group_object": "esciuntN", + "rsa.misc.policy_name": "usmodte", + "rsa.misc.result": "failure", + "rsa.misc.sensor": "idunt", + "rsa.misc.severity": "oremeu", + "rsa.misc.sig_id": 5979, + "rsa.misc.version": "1.4418", + "rsa.network.alias_host": [ + "its7829.localhost" + ], + "rsa.threat.threat_desc": "oremeu", + "rsa.time.day": "22", + "rsa.time.event_time_str": "May 22 14:30:33 2016 UTC", + "rsa.time.month": "May", + "service.type": "snort", + "source.ip": [ + "10.110.31.190" + ], + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.action": "niamq", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jun 5 21:33:08 aec3673.internal.host ccaeca: HMNOTIFY: niamq (Sensor lapariat): Severity:medium: failure", + "fileset.name": "log", + "host.name": "aec3673.internal.host", + "input.type": "log", + "log.level": "medium", + "log.offset": 1996, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "aec3673.internal.host" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "niamq", + "rsa.misc.result": "failure", + "rsa.misc.sensor": "lapariat", + "rsa.misc.severity": "medium", + "rsa.time.day": "5", + "rsa.time.month": "Jun", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jun 20 04:35:42 admin: stenatu inibu2292.www.invalid: isetquas@ute, Login, Login Success", + "event.outcome": "success", + "file.name": "admin", + "fileset.name": "log", + "host.name": "inibu2292.www.invalid", + "input.type": "log", + "log.offset": 2101, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "inibu2292.www.invalid" + ], + "related.user": [ + "isetquas" + ], + "rsa.internal.messageid": "SystemSettings", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.network.alias_host": [ + "inibu2292.www.invalid" + ], + "rsa.time.day": "20", + "rsa.time.month": "Jun", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "isetquas" + }, + { + "event.action": "ercit", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jul 4 11:38:16 ori1241.www.corp : HMNOTIFY: ercit (Sensor eporroq): Severity:very-high: failure", + "fileset.name": "log", + "host.name": "ori1241.www.corp", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2190, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "ori1241.www.corp" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "ercit", + "rsa.misc.result": "failure", + "rsa.misc.sensor": "eporroq", + "rsa.misc.severity": "very-high", + "rsa.time.day": "4", + "rsa.time.month": "Jul", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jul 18 18:40:50 atuse: ueipsa748.localdomain: aparia@tatnon, Heartbeat, leumiur", + "file.name": "atuse", + "fileset.name": "log", + "host.name": "ueipsa748.localdomain", + "input.type": "log", + "log.offset": 2286, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "ueipsa748.localdomain" + ], + "related.user": [ + "aparia" + ], + "rsa.db.index": "leumiur", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "Heartbeat", + "rsa.network.alias_host": [ + "ueipsa748.localdomain" + ], + "rsa.time.day": "18", + "rsa.time.month": "Jul", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "aparia" + }, + { + "event.action": "dolorem", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Aug 2 01:43:25 oluptat548.www5.invalid edolorin: HMNOTIFY: dolorem (Sensor tem): Severity:very-high: failure", + "fileset.name": "log", + "host.name": "oluptat548.www5.invalid", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2366, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "oluptat548.www5.invalid" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "dolorem", + "rsa.misc.result": "failure", + "rsa.misc.sensor": "tem", + "rsa.misc.severity": "very-high", + "rsa.time.day": "2", + "rsa.time.month": "Aug", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Aug 16 08:45:59 imadmi: isnis loremag6816.www5.lan: inrepreh@quovo, System > urExcep", + "file.name": "imadmi", + "fileset.name": "log", + "host.name": "loremag6816.www5.lan", + "input.type": "log", + "log.offset": 2475, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "loremag6816.www5.lan" + ], + "related.user": [ + "inrepreh" + ], + "rsa.db.index": "urExcep", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "System", + "rsa.network.alias_host": [ + "loremag6816.www5.lan" + ], + "rsa.time.day": "16", + "rsa.time.month": "Aug", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "inrepreh" + }, + { + "event.action": "occaec", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Aug 30 15:48:33 tionemu5269.internal.localhost : HMNOTIFY: occaec (Sensor acommodi): Severity:medium: failure", + "fileset.name": "log", + "host.name": "tionemu5269.internal.localhost", + "input.type": "log", + "log.level": "medium", + "log.offset": 2560, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "tionemu5269.internal.localhost" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "occaec", + "rsa.misc.result": "failure", + "rsa.misc.sensor": "acommodi", + "rsa.misc.severity": "medium", + "rsa.time.day": "30", + "rsa.time.month": "Aug", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Sep 13 22:51:07 isiutali: lumqu onulamco7734.www.local: uptat@unt, Analysis & Reporting , tass", + "file.name": "isiutali", + "fileset.name": "log", + "host.name": "onulamco7734.www.local", + "input.type": "log", + "log.offset": 2670, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "onulamco7734.www.local" + ], + "related.user": [ + "uptat" + ], + "rsa.db.index": "tass", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "Analysis & Reporting", + "rsa.network.alias_host": [ + "onulamco7734.www.local" + ], + "rsa.time.day": "13", + "rsa.time.month": "Sep", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "uptat" + }, + { + "event.action": "block,AccessControlRuleName:tnul,AccessControlRuleReason:success,ApplicationProtocol:rdp,Client:ess,ConnectType:quiad,DE:ihilmole,DNSResponseType:saquaea,DstIP:10.80.151.37,DstPort:535,ICMPCode:modico,ICMPType:metco,InitiatorBytes:410,InitiatorPackets:porinc,NAPPolicy:riame,Policy:riat,ResponderBytes:181,ResponderPackets:rumSec,Sinkhole:orp,SrcIP:10.213.109.180,SrcPort:6536,TCPFlags:essequam,URLCategory:ueporro,URLReputation:84.488000,UserName:etcon,ClientVersion:1.4438,WebApplication:orum,OriginalClientIP: Bonoru,IngressInterface: lo5284,EgressInterface: enp0s73,IngressZone: emacc,EgressZone: emp,Prefilter Policy: lamcola,UserAgent: Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2016-9-28T05:53:42Z luptatem3834.lan edq %NGIPS-medium-tise:AccessControlRuleAction:block,AccessControlRuleName:tnul,AccessControlRuleReason:success,ApplicationProtocol:rdp,Client:ess,ConnectType:quiad,DE:ihilmole,DNSResponseType:saquaea,DstIP:10.80.151.37,DstPort:535,ICMPCode:modico,ICMPType:metco,InitiatorBytes:410,InitiatorPackets:porinc,NAPPolicy:riame,Policy:riat,ResponderBytes:181,ResponderPackets:rumSec,Sinkhole:orp,SrcIP:10.213.109.180,SrcPort:6536,TCPFlags:essequam,URLCategory:ueporro,URLReputation:84.488000,UserName:etcon,ClientVersion:1.4438,WebApplication:orum,OriginalClientIP: Bonoru,IngressInterface: lo5284,EgressInterface: enp0s73,IngressZone: emacc,EgressZone: emp,Prefilter Policy: lamcola,UserAgent: Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36,ReferencedHost: ipiscive,URL: https://www.example.org/etdolor/uat.gif?mmod=iti#nimadm,HTTPResponse: nculp,HTTPReferer: asp,IPReputationSICategory: eacom,DNS_TTL: mag,DNSRecordType: gelitse,DNSQuery: oremqu,GID: idex,SID: radip,Revision: upta,Message: tetura,Classification: rumet,User: uptasnul,Priority: antiumdo, ACPolicy: ecill, ConnectionDuration: 56.481000,Protocol: ipv6,VLAN_ID: 3302,IPSCount: 6436,InlineResult: allow, DNSSICategory: nostrud, URLSICategory: cteturad", + "fileset.name": "log", + "host.name": "luptatem3834.lan", + "input.type": "log", + "log.level": "medium", + "log.offset": 2765, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "luptatem3834.lan" + ], + "rsa.counters.dclass_c1_str": " The number of intrusion events", + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "tise", + "rsa.misc.action": [ + "block,AccessControlRuleName:tnul,AccessControlRuleReason:success,ApplicationProtocol:rdp,Client:ess,ConnectType:quiad,DE:ihilmole,DNSResponseType:saquaea,DstIP:10.80.151.37,DstPort:535,ICMPCode:modico,ICMPType:metco,InitiatorBytes:410,InitiatorPackets:porinc,NAPPolicy:riame,Policy:riat,ResponderBytes:181,ResponderPackets:rumSec,Sinkhole:orp,SrcIP:10.213.109.180,SrcPort:6536,TCPFlags:essequam,URLCategory:ueporro,URLReputation:84.488000,UserName:etcon,ClientVersion:1.4438,WebApplication:orum,OriginalClientIP: Bonoru,IngressInterface: lo5284,EgressInterface: enp0s73,IngressZone: emacc,EgressZone: emp,Prefilter Policy: lamcola,UserAgent: Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML" + ], + "rsa.misc.category": "cteturad", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "luptatem3834.lan" + ], + "rsa.time.day": "28", + "rsa.time.duration_time": 56.481, + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "FTD_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Oct 12 2016 12:56:16 exercita2068.api.invalid %FTD-veleumi-nsequatu:CLOCK: System clock set, source: nula, IP: 10.169.84.140, before: santi, after: ritati", + "fileset.name": "log", + "host.ip": "10.169.84.140", + "host.name": "exercita2068.api.invalid", + "input.type": "log", + "log.offset": 4085, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "exercita2068.api.invalid" + ], + "related.ip": [ + "10.169.84.140" + ], + "rsa.internal.messageid": "FTD_events", + "rsa.internal.msg_id": "nsequatu", + "rsa.misc.change_attrib": "Time", + "rsa.misc.change_new": "ritati", + "rsa.misc.change_old": "santi", + "rsa.misc.event_source": "nula", + "rsa.network.alias_host": [ + "exercita2068.api.invalid" + ], + "rsa.time.day": "12", + "rsa.time.month": "Oct", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "FTD_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Oct 26 2016 19:58:50 orumS757.www5.corp: %FTD-eursint-orio:CLOCK: System clock set, source: gna, IP: 10.130.231.129, before: olu, after: iameaque", + "fileset.name": "log", + "host.ip": "10.130.231.129", + "host.name": "orumS757.www5.corp", + "input.type": "log", + "log.offset": 4240, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "orumS757.www5.corp" + ], + "related.ip": [ + "10.130.231.129" + ], + "rsa.internal.messageid": "FTD_events", + "rsa.internal.msg_id": "orio", + "rsa.misc.change_attrib": "Time", + "rsa.misc.change_new": "iameaque", + "rsa.misc.change_old": "olu", + "rsa.misc.event_source": "gna", + "rsa.network.alias_host": [ + "orumS757.www5.corp" + ], + "rsa.time.day": "26", + "rsa.time.month": "Oct", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.action": "allow,AccessControlRuleName:tes,AccessControlRuleReason:unknown,ApplicationProtocol:rdp,Client:isi,ConnectType:iaecon,DE:aevitaed,DNSResponseType:byCic,DstIP:10.62.8.123,DstPort:5725,ICMPCode:siarc,ICMPType:fdeFin,InitiatorBytes:4053,InitiatorPackets:tobeata,NAPPolicy:nesciun,Policy:amcolab,ResponderBytes:4306,ResponderPackets:isnisiut,Sinkhole:atatnon,SrcIP:10.143.37.32,SrcPort:209,TCPFlags:uisnos,URLCategory:olores,URLReputation:174.651000,UserName:epo,ClientVersion:1.745,WebApplication:borisnis,OriginalClientIP: onorumet,IngressInterface: enp0s6017,EgressInterface: enp0s2440,IngressZone: ipsumq,EgressZone: evit,Prefilter Policy: tno,UserAgent: Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10,ReferencedHost: psumq,URL: https://internal.example.com/atu/teturad.htm?msequ=nvol#enimadmi,HTTPResponse: tateveli,HTTPReferer: osa,IPReputationSICategory: mini,DNS_TTL: rors,DNSRecordType: ssusci,DNSQuery: ames,GID: inimve,SID: uio,Revision: mexercit,Message: byC,Classification: uae,User: oremip,Priority: its", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2016-11-10T03:01:24Z sedquian4212.www5.domain magnaa %NGIPS-medium-eca:AccessControlRuleAction:allow,AccessControlRuleName:tes,AccessControlRuleReason:unknown,ApplicationProtocol:rdp,Client:isi,ConnectType:iaecon,DE:aevitaed,DNSResponseType:byCic,DstIP:10.62.8.123,DstPort:5725,ICMPCode:siarc,ICMPType:fdeFin,InitiatorBytes:4053,InitiatorPackets:tobeata,NAPPolicy:nesciun,Policy:amcolab,ResponderBytes:4306,ResponderPackets:isnisiut,Sinkhole:atatnon,SrcIP:10.143.37.32,SrcPort:209,TCPFlags:uisnos,URLCategory:olores,URLReputation:174.651000,UserName:epo,ClientVersion:1.745,WebApplication:borisnis,OriginalClientIP: onorumet,IngressInterface: enp0s6017,EgressInterface: enp0s2440,IngressZone: ipsumq,EgressZone: evit,Prefilter Policy: tno,UserAgent: Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10,ReferencedHost: psumq,URL: https://internal.example.com/atu/teturad.htm?msequ=nvol#enimadmi,HTTPResponse: tateveli,HTTPReferer: osa,IPReputationSICategory: mini,DNS_TTL: rors,DNSRecordType: ssusci,DNSQuery: ames,GID: inimve,SID: uio,Revision: mexercit,Message: byC,Classification: uae,User: oremip,Priority: its, ACPolicy: uptasnul, ConnectionDuration: 115.011000,Protocol: rdp,VLAN_ID: 7541,IPSCount: 239,InlineResult: deny, DNSSICategory: nse, URLSICategory: miurere", + "fileset.name": "log", + "host.name": "sedquian4212.www5.domain", + "input.type": "log", + "log.level": "medium", + "log.offset": 4386, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "sedquian4212.www5.domain" + ], + "rsa.counters.dclass_c1_str": " The number of intrusion events", + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "eca", + "rsa.misc.action": [ + "allow,AccessControlRuleName:tes,AccessControlRuleReason:unknown,ApplicationProtocol:rdp,Client:isi,ConnectType:iaecon,DE:aevitaed,DNSResponseType:byCic,DstIP:10.62.8.123,DstPort:5725,ICMPCode:siarc,ICMPType:fdeFin,InitiatorBytes:4053,InitiatorPackets:tobeata,NAPPolicy:nesciun,Policy:amcolab,ResponderBytes:4306,ResponderPackets:isnisiut,Sinkhole:atatnon,SrcIP:10.143.37.32,SrcPort:209,TCPFlags:uisnos,URLCategory:olores,URLReputation:174.651000,UserName:epo,ClientVersion:1.745,WebApplication:borisnis,OriginalClientIP: onorumet,IngressInterface: enp0s6017,EgressInterface: enp0s2440,IngressZone: ipsumq,EgressZone: evit,Prefilter Policy: tno,UserAgent: Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10,ReferencedHost: psumq,URL: https://internal.example.com/atu/teturad.htm?msequ=nvol#enimadmi,HTTPResponse: tateveli,HTTPReferer: osa,IPReputationSICategory: mini,DNS_TTL: rors,DNSRecordType: ssusci,DNSQuery: ames,GID: inimve,SID: uio,Revision: mexercit,Message: byC,Classification: uae,User: oremip,Priority: its" + ], + "rsa.misc.category": "miurere", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "sedquian4212.www5.domain" + ], + "rsa.time.day": "10", + "rsa.time.duration_time": 115.011, + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Nov 24 10:03:59 ntor: oinBCSed3444.api.local: smodtem@roquisqu, Logout, Logout Success", + "event.outcome": "success", + "file.name": "ntor", + "fileset.name": "log", + "host.name": "oinBCSed3444.api.local", + "input.type": "log", + "log.offset": 5754, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "oinBCSed3444.api.local" + ], + "related.user": [ + "smodtem" + ], + "rsa.internal.messageid": "SystemSettings", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.network.alias_host": [ + "oinBCSed3444.api.local" + ], + "rsa.time.day": "24", + "rsa.time.month": "Nov", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "smodtem" + }, + { + "destination.ip": [ + "10.9.200.197" + ], + "event.code": "27813", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Dec 8 17:06:33 apari5002.api.test orum: [nsequat:27813:1.6724] auto [Impact: failure] From sci at periam Dec 8 17:06:33 2016 UTC [Classification: fugiatnu] [Priority: dolor ]: {icmp} 10.182.213.195:7119 (tur) -> 10.9.200.197", + "fileset.name": "log", + "host.name": "apari5002.api.test", + "input.type": "log", + "log.level": "dolor", + "log.offset": 5841, + "network.protocol": "icmp", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "observer.version": "1.6724", + "related.hosts": [ + "apari5002.api.test" + ], + "related.ip": [ + "10.9.200.197", + "10.182.213.195" + ], + "rsa.crypto.sig_type": "fugiatnu", + "rsa.internal.messageid": "27813", + "rsa.misc.context": "auto", + "rsa.misc.event_log": "orum", + "rsa.misc.policy_name": "auto", + "rsa.misc.result": "failure", + "rsa.misc.sensor": "sci", + "rsa.misc.severity": "dolor", + "rsa.misc.sig_id": 27813, + "rsa.misc.version": "1.6724", + "rsa.network.alias_host": [ + "apari5002.api.test" + ], + "rsa.threat.threat_desc": "dolor", + "rsa.time.day": "8", + "rsa.time.event_time_str": "Dec 8 17:06:33 2016 UTC", + "rsa.time.month": "Dec", + "service.type": "snort", + "source.geo.country_name": "tur", + "source.ip": [ + "10.182.213.195" + ], + "source.port": 7119, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.bytes": 3813, + "destination.ip": [ + "10.111.33.70" + ], + "destination.port": 3758, + "event.action": "allow", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2016-12-23T00:09:07Z audant3412.www.local remeum %NGIPS-medium-animi:AccessControlRuleAction:allow, AccessControlRuleReason:failure, SrcIP:10.210.180.142, DstIP:10.111.33.70, SrcPort:3015, DstPort:3758, Protocol: ggp, IngressInterface: enp0s6049, IngressZone:amcolabo, ACPolicy:orsitvol, AccessControlRuleName:eriam, Prefilter Policy:anonn, User:utpers, Client:num, ApplicationProtocol:tcp, InitiatorPackets:iaturE, ResponderPackets:epor, InitiatorBytes:3465, ResponderBytes:3813, NAPPolicy:amnih, DNSQuery:tper4341.lan, DNSRecordType: a host address, DNSSICategory:nulamc", + "fileset.name": "log", + "host.name": "tper4341.lan", + "input.type": "log", + "log.level": "medium", + "log.offset": 6066, + "network.application": "num", + "network.protocol": "tcp", + "observer.egress.interface.name": "enp0s6049", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "tper4341.lan" + ], + "related.ip": [ + "10.111.33.70", + "10.210.180.142" + ], + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "animi", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "nulamc", + "rsa.misc.policy_name": "amnih", + "rsa.misc.result": "failure", + "rsa.misc.rule_name": "eriam", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "tper4341.lan" + ], + "rsa.network.dinterface": "enp0s6049", + "rsa.network.zone_dst": "amcolabo", + "rsa.time.day": "23", + "rule.name": "eriam", + "service.type": "snort", + "source.bytes": 3465, + "source.ip": [ + "10.210.180.142" + ], + "source.port": 3015, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.action": "lapari", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jan 6 07:11:41 antiu3533.internal.domain iatquovo: HMNOTIFY: lapari (Sensor Mal): Severity:medium: success", + "fileset.name": "log", + "host.name": "antiu3533.internal.domain", + "input.type": "log", + "log.level": "medium", + "log.offset": 6639, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "antiu3533.internal.domain" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "lapari", + "rsa.misc.result": "success", + "rsa.misc.sensor": "Mal", + "rsa.misc.severity": "medium", + "rsa.time.day": "6", + "rsa.time.month": "Jan", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.222.183.123" + ], + "event.code": "MALWARE", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jan 20 14:14:16 cidu921.internal.lan quamq: Sha256:usan Disposition: Malware Threat name: tdolo IP Addresses: 10.222.183.123<<-10.165.33.19", + "fileset.name": "log", + "host.name": "cidu921.internal.lan", + "input.type": "log", + "log.offset": 6746, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "cidu921.internal.lan" + ], + "related.ip": [ + "10.222.183.123", + "10.165.33.19" + ], + "rsa.internal.messageid": "MALWARE", + "rsa.misc.checksum": "usan", + "rsa.misc.disposition": "Malware", + "rsa.network.alias_host": [ + "cidu921.internal.lan" + ], + "rsa.threat.threat_category": "tdolo", + "rsa.time.day": "20", + "rsa.time.month": "Jan", + "service.type": "snort", + "source.ip": [ + "10.165.33.19" + ], + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.238.223.171" + ], + "event.code": "16539", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Feb 3 21:16:50 unturmag6190.api.lan remeum: [etur:16539:1.890] \"Quisa\" [Impact: unknown] From dolo at modoco Feb 3 21:16:50 2017 UTC [Classification: Finibus] [Priority: uisautei]: {rdp} 10.52.190.18:4411 -> 10.238.223.171", + "fileset.name": "log", + "host.name": "unturmag6190.api.lan", + "input.type": "log", + "log.level": "uisautei", + "log.offset": 6886, + "network.protocol": "rdp", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "observer.version": "1.890", + "related.hosts": [ + "unturmag6190.api.lan" + ], + "related.ip": [ + "10.52.190.18", + "10.238.223.171" + ], + "rsa.crypto.sig_type": "Finibus", + "rsa.internal.messageid": "16539", + "rsa.misc.context": "Quisa", + "rsa.misc.event_log": "remeum", + "rsa.misc.policy_name": "Quisa", + "rsa.misc.result": "unknown", + "rsa.misc.sensor": "dolo", + "rsa.misc.severity": "uisautei", + "rsa.misc.sig_id": 16539, + "rsa.misc.version": "1.890", + "rsa.network.alias_host": [ + "unturmag6190.api.lan" + ], + "rsa.threat.threat_desc": "uisautei", + "rsa.time.day": "3", + "rsa.time.event_time_str": "Feb 3 21:16:50 2017 UTC", + "rsa.time.month": "Feb", + "service.type": "snort", + "source.ip": [ + "10.52.190.18" + ], + "source.port": 4411, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.160.178.109" + ], + "destination.port": 1934, + "event.code": "26992", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Feb 18 04:19:24 conseq6079.www.corp tiu: [wri:26992:1.3902] asper [Impact: unknown] From orem/inibus at secte Feb 18 04:19:24 2017 UTC [Classification: ctobeat] [Priority: onsec ]: {udp} 10.68.233.163 -> 10.160.178.109:1934", + "fileset.name": "log", + "host.name": "conseq6079.www.corp", + "input.type": "log", + "log.level": "onsec", + "log.offset": 7109, + "network.protocol": "udp", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "observer.version": "1.3902", + "related.hosts": [ + "conseq6079.www.corp" + ], + "related.ip": [ + "10.68.233.163", + "10.160.178.109" + ], + "rsa.crypto.sig_type": "ctobeat", + "rsa.internal.messageid": "26992", + "rsa.misc.context": "asper", + "rsa.misc.event_log": "tiu", + "rsa.misc.group_object": "orem", + "rsa.misc.policy_name": "asper", + "rsa.misc.result": "unknown", + "rsa.misc.sensor": "inibus", + "rsa.misc.severity": "onsec", + "rsa.misc.sig_id": 26992, + "rsa.misc.version": "1.3902", + "rsa.network.alias_host": [ + "conseq6079.www.corp" + ], + "rsa.threat.threat_desc": "onsec", + "rsa.time.day": "18", + "rsa.time.event_time_str": "Feb 18 04:19:24 2017 UTC", + "rsa.time.month": "Feb", + "service.type": "snort", + "source.ip": [ + "10.68.233.163" + ], + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "FTD_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Mar 4 2017 11:21:59 tvol3402.www.local %FTD-ollita-qua:CLOCK: System clock set, source: ionula, IP: 10.162.109.83, before: nderi, after: tem", + "fileset.name": "log", + "host.ip": "10.162.109.83", + "host.name": "tvol3402.www.local", + "input.type": "log", + "log.offset": 7333, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "tvol3402.www.local" + ], + "related.ip": [ + "10.162.109.83" + ], + "rsa.internal.messageid": "FTD_events", + "rsa.internal.msg_id": "qua", + "rsa.misc.change_attrib": "Time", + "rsa.misc.change_new": "tem", + "rsa.misc.change_old": "nderi", + "rsa.misc.event_source": "ionula", + "rsa.network.alias_host": [ + "tvol3402.www.local" + ], + "rsa.time.day": "4", + "rsa.time.month": "Mar", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "FTD_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Mar 18 2017 18:24:33 xcep3783.internal.localhost %FTD-ercitati-atem:User 'serro' executed the 'lumquid' command.", + "fileset.name": "log", + "host.name": "xcep3783.internal.localhost", + "input.type": "log", + "log.offset": 7474, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "xcep3783.internal.localhost" + ], + "related.user": [ + "serro" + ], + "rsa.internal.messageid": "FTD_events", + "rsa.internal.msg_id": "atem", + "rsa.network.alias_host": [ + "xcep3783.internal.localhost" + ], + "rsa.time.day": "18", + "rsa.time.month": "Mar", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "serro" + }, + { + "event.action": "riaturEx", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Apr 2 01:27:07 ciatisun7378.www5.invalid didun: HMNOTIFY: riaturEx (Sensor nde): Severity:low: unknown", + "fileset.name": "log", + "host.name": "ciatisun7378.www5.invalid", + "input.type": "log", + "log.level": "low", + "log.offset": 7587, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "ciatisun7378.www5.invalid" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "riaturEx", + "rsa.misc.result": "unknown", + "rsa.misc.sensor": "nde", + "rsa.misc.severity": "low", + "rsa.time.day": "2", + "rsa.time.month": "Apr", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.213.100.153" + ], + "event.code": "11634", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Apr 16 08:29:41 iqu4858.mail.invalid audant: [obeata:11634:1.6627] \"minimve\" [Impact: unknown] From \"toditau/uiad\" at nvolupta Apr 16 08:29:41 2017 UTC [Classification: exercit] [Priority: dexer ]:alert {igmp} 10.116.175.84 -> 10.213.100.153", + "fileset.name": "log", + "host.name": "iqu4858.mail.invalid", + "input.type": "log", + "log.level": "dexer", + "log.offset": 7690, + "network.protocol": "igmp", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "observer.version": "1.6627", + "related.hosts": [ + "iqu4858.mail.invalid" + ], + "related.ip": [ + "10.213.100.153", + "10.116.175.84" + ], + "rsa.crypto.sig_type": "exercit", + "rsa.internal.messageid": "11634", + "rsa.misc.context": "minimve", + "rsa.misc.event_log": "audant", + "rsa.misc.group_object": "toditau", + "rsa.misc.policy_name": "minimve", + "rsa.misc.result": "unknown", + "rsa.misc.sensor": "uiad", + "rsa.misc.severity": "dexer", + "rsa.misc.sig_id": 11634, + "rsa.misc.version": "1.6627", + "rsa.network.alias_host": [ + "iqu4858.mail.invalid" + ], + "rsa.threat.threat_desc": "dexer", + "rsa.time.day": "16", + "rsa.time.event_time_str": "Apr 16 08:29:41 2017 UTC", + "rsa.time.month": "Apr", + "service.type": "snort", + "source.ip": [ + "10.116.175.84" + ], + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Apr 30 15:32:16 lumqui: ectet ionu3320.api.localhost: estq@quasiarc, Command Line,aliquaU", + "file.name": "lumqui", + "fileset.name": "log", + "host.name": "ionu3320.api.localhost", + "input.type": "log", + "log.offset": 7932, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "ionu3320.api.localhost" + ], + "related.user": [ + "estq" + ], + "rsa.db.index": "aliquaU", + "rsa.internal.messageid": "SystemSettings", + "rsa.network.alias_host": [ + "ionu3320.api.localhost" + ], + "rsa.time.day": "30", + "rsa.time.month": "Apr", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "estq" + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "May 14 22:34:50 tvolu: imve ollitan5079.www.lan: deriti@edictasu, Health > eturadi", + "file.name": "tvolu", + "fileset.name": "log", + "host.name": "ollitan5079.www.lan", + "input.type": "log", + "log.offset": 8022, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "ollitan5079.www.lan" + ], + "related.user": [ + "deriti" + ], + "rsa.db.index": "eturadi", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "Health", + "rsa.network.alias_host": [ + "ollitan5079.www.lan" + ], + "rsa.time.day": "14", + "rsa.time.month": "May", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "deriti" + }, + { + "event.action": "block,AccessControlRuleName:iatn,AccessControlRuleReason:unknown,ApplicationProtocol:igmp,Client:eli,ConnectType:rissusci,DE:ectetur,DNSResponseType:dictasun,DstIP:10.26.95.225,DstPort:4196,FileCount:3674,ICMPCode:oluptate,ICMPType:ntut,InitiatorBytes:5153,InitiatorPackets:scipit,NAPPolicy:litess,Policy:tore,ResponderBytes:5269,ResponderPackets:quunturm,Sinkhole:quovo,SrcIP:10.143.219.250,SrcPort:1444,TCPFlags:conse,URLCategory:aturve,URLReputation:8.942000,UserName:fdeFin,ClientVersion:1.2871,WebApplication:psu,OriginalClientIP: strud,IngressInterface: eth6386,EgressInterface: lo7421,IngressZone: ratv,EgressZone: veni,Prefilter Policy: metM,UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML", + "event.code": "connection_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "May 29 05:37:24 nihilmol1849.api.local eporroq: Protocol: tcp, AccessControlRuleAction:block,AccessControlRuleName:iatn,AccessControlRuleReason:unknown,ApplicationProtocol:igmp,Client:eli,ConnectType:rissusci,DE:ectetur,DNSResponseType:dictasun,DstIP:10.26.95.225,DstPort:4196,FileCount:3674,ICMPCode:oluptate,ICMPType:ntut,InitiatorBytes:5153,InitiatorPackets:scipit,NAPPolicy:litess,Policy:tore,ResponderBytes:5269,ResponderPackets:quunturm,Sinkhole:quovo,SrcIP:10.143.219.250,SrcPort:1444,TCPFlags:conse,URLCategory:aturve,URLReputation:8.942000,UserName:fdeFin,ClientVersion:1.2871,WebApplication:psu,OriginalClientIP: strud,IngressInterface: eth6386,EgressInterface: lo7421,IngressZone: ratv,EgressZone: veni,Prefilter Policy: metM,UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0],ReferencedHost: tate,URL: https://internal.example.com/uun/amrem.gif?umq=ita#ipsaquae,HTTPResponse: olu,HTTPReferer: exerci,IPReputationSICategory: isnostru,DNS_TTL: iad,DNSRecordType: ngelits,DNSQuery: volupt,GID: billoi,SID: 38352,Revision: utaliqui,Message: uov,Classification: pariat,User: icaboNe,Priority: boreetd, ACPolicy: uir", + "fileset.name": "log", + "host.name": "nihilmol1849.api.local", + "input.type": "log", + "log.offset": 8105, + "network.protocol": "tcp", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "nihilmol1849.api.local" + ], + "rsa.counters.dclass_c1_str": "Number of Files", + "rsa.internal.messageid": "connection_events", + "rsa.misc.action": [ + "block,AccessControlRuleName:iatn,AccessControlRuleReason:unknown,ApplicationProtocol:igmp,Client:eli,ConnectType:rissusci,DE:ectetur,DNSResponseType:dictasun,DstIP:10.26.95.225,DstPort:4196,FileCount:3674,ICMPCode:oluptate,ICMPType:ntut,InitiatorBytes:5153,InitiatorPackets:scipit,NAPPolicy:litess,Policy:tore,ResponderBytes:5269,ResponderPackets:quunturm,Sinkhole:quovo,SrcIP:10.143.219.250,SrcPort:1444,TCPFlags:conse,URLCategory:aturve,URLReputation:8.942000,UserName:fdeFin,ClientVersion:1.2871,WebApplication:psu,OriginalClientIP: strud,IngressInterface: eth6386,EgressInterface: lo7421,IngressZone: ratv,EgressZone: veni,Prefilter Policy: metM,UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML" + ], + "rsa.network.alias_host": [ + "nihilmol1849.api.local" + ], + "rsa.time.day": "29", + "rsa.time.month": "May", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jun 12 12:39:58 ipsu: [oremip] ota4562.local: epteurs@itse, Task Queue, rever", + "file.name": "ipsu", + "fileset.name": "log", + "host.name": "ota4562.local", + "input.type": "log", + "log.offset": 9464, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "ota4562.local" + ], + "related.user": [ + "epteurs" + ], + "rsa.db.index": "rever", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "Task Queue", + "rsa.network.alias_host": [ + "ota4562.local" + ], + "rsa.time.day": "12", + "rsa.time.month": "Jun", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "epteurs" + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jun 26 19:42:33 eiu: [maliquam] gnama5033.www5.home: ction@emveleum, Object > siuta", + "file.name": "eiu", + "fileset.name": "log", + "host.name": "gnama5033.www5.home", + "input.type": "log", + "log.offset": 9542, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "gnama5033.www5.home" + ], + "related.user": [ + "ction" + ], + "rsa.db.index": "siuta", + "rsa.internal.messageid": "SystemSettings", + "rsa.network.alias_host": [ + "gnama5033.www5.home" + ], + "rsa.time.day": "26", + "rsa.time.month": "Jun", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "ction" + }, + { + "event.action": "doe", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jul 11 02:45:07 sum6106.www.home ulamc: HMNOTIFY: doe (Sensor eiusm): Severity:very-high: failure", + "fileset.name": "log", + "host.name": "sum6106.www.home", + "input.type": "log", + "log.level": "very-high", + "log.offset": 9626, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "sum6106.www.home" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "doe", + "rsa.misc.result": "failure", + "rsa.misc.sensor": "eiusm", + "rsa.misc.severity": "very-high", + "rsa.time.day": "11", + "rsa.time.month": "Jul", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jul 25 09:47:41 ugiatn: squa2763.www.lan: trude@snulap, Task Queue, onsequat", + "file.name": "ugiatn", + "fileset.name": "log", + "host.name": "squa2763.www.lan", + "input.type": "log", + "log.offset": 9724, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "squa2763.www.lan" + ], + "related.user": [ + "trude" + ], + "rsa.db.index": "onsequat", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "Task Queue", + "rsa.network.alias_host": [ + "squa2763.www.lan" + ], + "rsa.time.day": "25", + "rsa.time.month": "Jul", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "trude" + }, + { + "destination.bytes": 4902, + "destination.ip": [ + "10.251.159.118" + ], + "destination.port": 2795, + "event.action": "cancel", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2017-8-8T16:50:15Z aturvel1847.mail.localdomain sedquia %NGIPS-high-ostrudex:AccessControlRuleAction:cancel, AccessControlRuleReason:unknown, SrcIP:10.240.144.78, DstIP:10.251.159.118, SrcPort:2998, DstPort:2795, Protocol: ipv6, IngressInterface: lo6367, IngressZone:ptatems, ACPolicy:tenima, AccessControlRuleName:emagnam, Prefilter Policy:iaco, User:urQuisa, Client:ipi, ApplicationProtocol:ipv6-icmp, InitiatorPackets:amali, ResponderPackets:onula, InitiatorBytes:1580, ResponderBytes:4902, NAPPolicy:por, DNSQuery:stiae3403.internal.localhost, DNSRecordType: a host address, DNSSICategory:Ute", + "fileset.name": "log", + "host.name": "stiae3403.internal.localhost", + "input.type": "log", + "log.level": "high", + "log.offset": 9801, + "network.application": "ipi", + "network.protocol": "ipv6-icmp", + "observer.egress.interface.name": "lo6367", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "stiae3403.internal.localhost" + ], + "related.ip": [ + "10.251.159.118", + "10.240.144.78" + ], + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "ostrudex", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "Ute", + "rsa.misc.policy_name": "por", + "rsa.misc.result": "unknown", + "rsa.misc.rule_name": "emagnam", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "stiae3403.internal.localhost" + ], + "rsa.network.dinterface": "lo6367", + "rsa.network.zone_dst": "ptatems", + "rsa.time.day": "8", + "rule.name": "emagnam", + "service.type": "snort", + "source.bytes": 1580, + "source.ip": [ + "10.240.144.78" + ], + "source.port": 2998, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.action": "odi", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Aug 22 23:52:50 setq5996.corp : HMNOTIFY: odi (Sensor tper): Severity:medium: success", + "fileset.name": "log", + "host.name": "setq5996.corp", + "input.type": "log", + "log.level": "medium", + "log.offset": 10398, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "setq5996.corp" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "odi", + "rsa.misc.result": "success", + "rsa.misc.sensor": "tper", + "rsa.misc.severity": "medium", + "rsa.time.day": "22", + "rsa.time.month": "Aug", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.action": "sequatD", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Sep 6 06:55:24 quiano3025.api.localhost oluptat: HMNOTIFY: sequatD (Sensor emap): Severity:very-high: unknown", + "fileset.name": "log", + "host.name": "quiano3025.api.localhost", + "input.type": "log", + "log.level": "very-high", + "log.offset": 10484, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "quiano3025.api.localhost" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "sequatD", + "rsa.misc.result": "unknown", + "rsa.misc.sensor": "emap", + "rsa.misc.severity": "very-high", + "rsa.time.day": "6", + "rsa.time.month": "Sep", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.action": "umet", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Sep 20 13:57:58 qui7797.www.host : HMNOTIFY: umet (Sensor psaquaea): Severity:low: failure", + "fileset.name": "log", + "host.name": "qui7797.www.host", + "input.type": "log", + "log.level": "low", + "log.offset": 10594, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "qui7797.www.host" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "umet", + "rsa.misc.result": "failure", + "rsa.misc.sensor": "psaquaea", + "rsa.misc.severity": "low", + "rsa.time.day": "20", + "rsa.time.month": "Sep", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.bytes": 5413, + "destination.ip": [ + "10.201.132.114" + ], + "destination.port": 639, + "event.action": "cancel", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2017-10-4T21:00:32Z Utenim3707.www5.host iamquisn %NGIPS-low-lor:AccessControlRuleAction:cancel, AccessControlRuleReason:success, SrcIP:10.140.209.249, DstIP:10.201.132.114, SrcPort:1801, DstPort:639, Protocol: ggp, IngressInterface: lo3580, IngressZone:eacommo, ACPolicy:litani, AccessControlRuleName:temse, Prefilter Policy:samvo, User:itsedd, Client:icta, ApplicationProtocol:igmp, InitiatorPackets:labori, ResponderPackets:ditau, InitiatorBytes:470, ResponderBytes:5413, NAPPolicy:olest, DNSQuery:urau1660.www.lan, DNSRecordType: a host address, DNSSICategory:Neq", + "fileset.name": "log", + "host.name": "urau1660.www.lan", + "input.type": "log", + "log.level": "low", + "log.offset": 10685, + "network.application": "icta", + "network.protocol": "igmp", + "observer.egress.interface.name": "lo3580", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "urau1660.www.lan" + ], + "related.ip": [ + "10.201.132.114", + "10.140.209.249" + ], + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "lor", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "Neq", + "rsa.misc.policy_name": "olest", + "rsa.misc.result": "success", + "rsa.misc.rule_name": "temse", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "urau1660.www.lan" + ], + "rsa.network.dinterface": "lo3580", + "rsa.network.zone_dst": "eacommo", + "rsa.time.day": "4", + "rule.name": "temse", + "service.type": "snort", + "source.bytes": 470, + "source.ip": [ + "10.140.209.249" + ], + "source.port": 1801, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Oct 19 04:03:07 Nequepor: [aUten] edutpers3482.www5.corp: mnisis@onsequa, Access Control Policy > sunt", + "file.name": "Nequepor", + "fileset.name": "log", + "host.name": "edutpers3482.www5.corp", + "input.type": "log", + "log.offset": 11253, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "edutpers3482.www5.corp" + ], + "related.user": [ + "mnisis" + ], + "rsa.db.index": "sunt", + "rsa.internal.messageid": "SystemSettings", + "rsa.network.alias_host": [ + "edutpers3482.www5.corp" + ], + "rsa.time.day": "19", + "rsa.time.month": "Oct", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "mnisis" + }, + { + "destination.geo.country_name": "ariatu", + "destination.ip": [ + "10.36.122.169" + ], + "destination.port": 6751, + "event.code": "13228", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Nov 2 11:05:41 nofde7732.internal.test emp: [emoeni:13228:1.2633] taliqui [Impact: failure] From labo at ssecill Nov 2 11:05:41 2017 UTC [Classification: umquam] [Priority: onev ]: atu {ipv6} 10.198.44.231 -> 10.36.122.169:6751 (ariatu)", + "fileset.name": "log", + "host.name": "nofde7732.internal.test", + "input.type": "log", + "log.level": "onev", + "log.offset": 11356, + "network.protocol": "ipv6", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "observer.version": "1.2633", + "related.hosts": [ + "nofde7732.internal.test" + ], + "related.ip": [ + "10.198.44.231", + "10.36.122.169" + ], + "rsa.crypto.sig_type": "umquam", + "rsa.internal.messageid": "13228", + "rsa.misc.context": "taliqui", + "rsa.misc.event_log": "emp", + "rsa.misc.policy_name": "taliqui", + "rsa.misc.result": "failure", + "rsa.misc.sensor": "labo", + "rsa.misc.severity": "onev", + "rsa.misc.sig_id": 13228, + "rsa.misc.version": "1.2633", + "rsa.network.alias_host": [ + "nofde7732.internal.test" + ], + "rsa.threat.threat_desc": "onev", + "rsa.time.day": "2", + "rsa.time.event_time_str": "Nov 2 11:05:41 2017 UTC", + "rsa.time.month": "Nov", + "service.type": "snort", + "source.ip": [ + "10.198.44.231" + ], + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.bytes": 6430, + "destination.ip": [ + "10.144.162.122" + ], + "destination.port": 2080, + "event.action": "block", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2017-11-16T18:08:15Z byCicero7475.www.localhost abillo %NGIPS-medium-eav:AccessControlRuleAction:block, AccessControlRuleReason:failure, SrcIP:10.77.86.215, DstIP:10.144.162.122, SrcPort:5913, DstPort:2080, Protocol: udp, IngressInterface: lo5079, IngressZone:sequine, ACPolicy:minimv, AccessControlRuleName:ffici, Prefilter Policy:rsintoc, User:boreetd, Client:rehende, ApplicationProtocol:icmp, InitiatorPackets:erspic, ResponderPackets:orincidi, InitiatorBytes:3273, ResponderBytes:6430, NAPPolicy:quipe, DNSQuery:evita850.localdomain, DNSRecordType: a host address, DNSSICategory:tiu", + "fileset.name": "log", + "host.name": "evita850.localdomain", + "input.type": "log", + "log.level": "medium", + "log.offset": 11593, + "network.application": "rehende", + "network.protocol": "icmp", + "observer.egress.interface.name": "lo5079", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "evita850.localdomain" + ], + "related.ip": [ + "10.77.86.215", + "10.144.162.122" + ], + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "eav", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "tiu", + "rsa.misc.policy_name": "quipe", + "rsa.misc.result": "failure", + "rsa.misc.rule_name": "ffici", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "evita850.localdomain" + ], + "rsa.network.dinterface": "lo5079", + "rsa.network.zone_dst": "sequine", + "rsa.time.day": "16", + "rule.name": "ffici", + "service.type": "snort", + "source.bytes": 3273, + "source.ip": [ + "10.77.86.215" + ], + "source.port": 5913, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Dec 1 01:10:49 acons: [enbyCic] aturau3002.api.corp: sci@psamvolu, itsedqui", + "file.name": "acons", + "fileset.name": "log", + "host.name": "aturau3002.api.corp", + "input.type": "log", + "log.offset": 12181, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "aturau3002.api.corp" + ], + "related.user": [ + "sci" + ], + "rsa.db.index": "itsedqui", + "rsa.internal.messageid": "SystemSettings", + "rsa.network.alias_host": [ + "aturau3002.api.corp" + ], + "rsa.time.day": "1", + "rsa.time.month": "Dec", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "sci" + }, + { + "event.action": "cancel,AccessControlRuleName:ostr,AccessControlRuleReason:unknown,ApplicationProtocol:tcp,Client:itan,ConnectType:olorin,DE:oluptat,DNSResponseType:olors,DstIP:10.85.61.13,DstPort:6593,ICMPCode:quian,ICMPType:xerci,InitiatorBytes:5178,InitiatorPackets:upt,NAPPolicy:uovolu,Policy:itten,ResponderBytes:4805,ResponderPackets:abo,Sinkhole:orisnis,SrcIP:10.212.37.178,SrcPort:76,TCPFlags:aconseq,URLCategory:isnos,URLReputation:132.397000,UserName:lit,ClientVersion:1.4,WebApplication:odic,OriginalClientIP: ono,IngressInterface: eth1462,EgressInterface: enp0s3976,IngressZone: ine,EgressZone: hend,Prefilter Policy: rcit,UserAgent: Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2017-12-15T08:13:24Z ntiumt238.internal.corp isc %NGIPS-high-odite:AccessControlRuleAction:cancel,AccessControlRuleName:ostr,AccessControlRuleReason:unknown,ApplicationProtocol:tcp,Client:itan,ConnectType:olorin,DE:oluptat,DNSResponseType:olors,DstIP:10.85.61.13,DstPort:6593,ICMPCode:quian,ICMPType:xerci,InitiatorBytes:5178,InitiatorPackets:upt,NAPPolicy:uovolu,Policy:itten,ResponderBytes:4805,ResponderPackets:abo,Sinkhole:orisnis,SrcIP:10.212.37.178,SrcPort:76,TCPFlags:aconseq,URLCategory:isnos,URLReputation:132.397000,UserName:lit,ClientVersion:1.4,WebApplication:odic,OriginalClientIP: ono,IngressInterface: eth1462,EgressInterface: enp0s3976,IngressZone: ine,EgressZone: hend,Prefilter Policy: rcit,UserAgent: Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30,ReferencedHost: nsecte,URL: https://api.example.org/tat/pitlabor.gif?rrorsi=loremqu#busBono,HTTPResponse: mnisiut,HTTPReferer: eabil,IPReputationSICategory: olu,DNS_TTL: uaUte,DNSRecordType: empor,DNSQuery: ate,GID: eca,SID: inre,Revision: aliqu,Message: orem,Classification: dquian,User: isaute,Priority: rumetMa, ACPolicy: utfugit, ConnectionDuration: 95.196000,Protocol: ggp,VLAN_ID: 5189,IPSCount: 1350,InlineResult: allow, DNSSICategory: ntocca, URLSICategory: emquelau", + "fileset.name": "log", + "host.name": "ntiumt238.internal.corp", + "input.type": "log", + "log.level": "high", + "log.offset": 12257, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "ntiumt238.internal.corp" + ], + "rsa.counters.dclass_c1_str": " The number of intrusion events", + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "odite", + "rsa.misc.action": [ + "cancel,AccessControlRuleName:ostr,AccessControlRuleReason:unknown,ApplicationProtocol:tcp,Client:itan,ConnectType:olorin,DE:oluptat,DNSResponseType:olors,DstIP:10.85.61.13,DstPort:6593,ICMPCode:quian,ICMPType:xerci,InitiatorBytes:5178,InitiatorPackets:upt,NAPPolicy:uovolu,Policy:itten,ResponderBytes:4805,ResponderPackets:abo,Sinkhole:orisnis,SrcIP:10.212.37.178,SrcPort:76,TCPFlags:aconseq,URLCategory:isnos,URLReputation:132.397000,UserName:lit,ClientVersion:1.4,WebApplication:odic,OriginalClientIP: ono,IngressInterface: eth1462,EgressInterface: enp0s3976,IngressZone: ine,EgressZone: hend,Prefilter Policy: rcit,UserAgent: Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML" + ], + "rsa.misc.category": "emquelau", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "ntiumt238.internal.corp" + ], + "rsa.time.day": "15", + "rsa.time.duration_time": 95.196, + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.action": "pitlab", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Dec 29 15:15:58 atu2951.test : HMNOTIFY: pitlab (Sensor riosamn): Severity:medium: success", + "fileset.name": "log", + "host.name": "atu2951.test", + "input.type": "log", + "log.level": "medium", + "log.offset": 13585, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "atu2951.test" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "pitlab", + "rsa.misc.result": "success", + "rsa.misc.sensor": "riosamn", + "rsa.misc.severity": "medium", + "rsa.time.day": "29", + "rsa.time.month": "Dec", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jan 12 22:18:32 mini: tutl uipe5295.api.localhost: mwrit@dminimve, Access Control Policy > madminim", + "file.name": "mini", + "fileset.name": "log", + "host.name": "uipe5295.api.localhost", + "input.type": "log", + "log.offset": 13676, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "uipe5295.api.localhost" + ], + "related.user": [ + "mwrit" + ], + "rsa.db.index": "madminim", + "rsa.internal.messageid": "SystemSettings", + "rsa.network.alias_host": [ + "uipe5295.api.localhost" + ], + "rsa.time.day": "12", + "rsa.time.month": "Jan", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "mwrit" + }, + { + "event.action": "deny,AccessControlRuleName:uisa,AccessControlRuleReason:unknown,ApplicationProtocol:ggp,Client:siutal,ConnectType:umetMalo,DE:onevolu,DNSResponseType:itautfug,DstIP:10.236.221.212,DstPort:5294,ICMPCode:nsequatD,ICMPType:amcorp,InitiatorBytes:1539,InitiatorPackets:idolor,NAPPolicy:umdo,Policy:sequatu,ResponderBytes:7142,ResponderPackets:ecillu,Sinkhole:ipsaqu,SrcIP:10.31.46.127,SrcPort:7526,TCPFlags:magn,URLCategory:amcola,URLReputation:173.477000,UserName:sno,ClientVersion:1.6406,WebApplication:ntiu,OriginalClientIP: tametco,IngressInterface: lo6910,EgressInterface: eth6946,IngressZone: non,EgressZone: pta,Prefilter Policy: asnul,UserAgent: Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2018-1-27T05:21:06Z tatiset5041.www5.local tevelit %NGIPS-low-Utenim:AccessControlRuleAction:deny,AccessControlRuleName:uisa,AccessControlRuleReason:unknown,ApplicationProtocol:ggp,Client:siutal,ConnectType:umetMalo,DE:onevolu,DNSResponseType:itautfug,DstIP:10.236.221.212,DstPort:5294,ICMPCode:nsequatD,ICMPType:amcorp,InitiatorBytes:1539,InitiatorPackets:idolor,NAPPolicy:umdo,Policy:sequatu,ResponderBytes:7142,ResponderPackets:ecillu,Sinkhole:ipsaqu,SrcIP:10.31.46.127,SrcPort:7526,TCPFlags:magn,URLCategory:amcola,URLReputation:173.477000,UserName:sno,ClientVersion:1.6406,WebApplication:ntiu,OriginalClientIP: tametco,IngressInterface: lo6910,EgressInterface: eth6946,IngressZone: non,EgressZone: pta,Prefilter Policy: asnul,UserAgent: Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91,ReferencedHost: todit,URL: https://www.example.com/fug/ulpaq.gif?piscivel=ueporr#udex,HTTPResponse: ipexeac,HTTPReferer: uin,IPReputationSICategory: isci,DNS_TTL: archi,DNSRecordType: rsitame,DNSQuery: qui,GID: umdolo,SID: tate,Revision: sintocca,Message: ugiat,Classification: asuntex,User: uovolup,Priority: expl, ACPolicy: animi, ConnectionDuration: 63.677000,Protocol: ipv6,VLAN_ID: 3389,IPSCount: 1457,InlineResult: cancel, DNSSICategory: taliqui, URLSICategory: doloremi", + "fileset.name": "log", + "host.name": "tatiset5041.www5.local", + "input.type": "log", + "log.level": "low", + "log.offset": 13776, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "tatiset5041.www5.local" + ], + "rsa.counters.dclass_c1_str": " The number of intrusion events", + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "Utenim", + "rsa.misc.action": [ + "deny,AccessControlRuleName:uisa,AccessControlRuleReason:unknown,ApplicationProtocol:ggp,Client:siutal,ConnectType:umetMalo,DE:onevolu,DNSResponseType:itautfug,DstIP:10.236.221.212,DstPort:5294,ICMPCode:nsequatD,ICMPType:amcorp,InitiatorBytes:1539,InitiatorPackets:idolor,NAPPolicy:umdo,Policy:sequatu,ResponderBytes:7142,ResponderPackets:ecillu,Sinkhole:ipsaqu,SrcIP:10.31.46.127,SrcPort:7526,TCPFlags:magn,URLCategory:amcola,URLReputation:173.477000,UserName:sno,ClientVersion:1.6406,WebApplication:ntiu,OriginalClientIP: tametco,IngressInterface: lo6910,EgressInterface: eth6946,IngressZone: non,EgressZone: pta,Prefilter Policy: asnul,UserAgent: Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML" + ], + "rsa.misc.category": "doloremi", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "tatiset5041.www5.local" + ], + "rsa.time.day": "27", + "rsa.time.duration_time": 63.677, + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Feb 10 12:23:41 atevel: [oloremeu] esse2198.mail.example: uaturvel@quisqua, System > sedquian", + "file.name": "atevel", + "fileset.name": "log", + "host.name": "esse2198.mail.example", + "input.type": "log", + "log.offset": 15178, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "esse2198.mail.example" + ], + "related.user": [ + "uaturvel" + ], + "rsa.db.index": "sedquian", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "System", + "rsa.network.alias_host": [ + "esse2198.mail.example" + ], + "rsa.time.day": "10", + "rsa.time.month": "Feb", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "uaturvel" + }, + { + "event.code": "FTD_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Feb 24 2018 19:26:15 pitlab5165.localdomain %FTD-uptate-tevelite:CLOCK: System clock set, source: cto, IP: 10.17.172.91, before: agn, after: dip", + "fileset.name": "log", + "host.ip": "10.17.172.91", + "host.name": "pitlab5165.localdomain", + "input.type": "log", + "log.offset": 15272, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "pitlab5165.localdomain" + ], + "related.ip": [ + "10.17.172.91" + ], + "rsa.internal.messageid": "FTD_events", + "rsa.internal.msg_id": "tevelite", + "rsa.misc.change_attrib": "Time", + "rsa.misc.change_new": "dip", + "rsa.misc.change_old": "agn", + "rsa.misc.event_source": "cto", + "rsa.network.alias_host": [ + "pitlab5165.localdomain" + ], + "rsa.time.day": "24", + "rsa.time.month": "Feb", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Mar 11 02:28:49 acomm: [edquia] uinesci6041.api.local: pers@lpaquiof, Analysis isisten", + "file.name": "acomm", + "fileset.name": "log", + "host.name": "uinesci6041.api.local", + "input.type": "log", + "log.offset": 15417, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "uinesci6041.api.local" + ], + "related.user": [ + "pers" + ], + "rsa.db.index": "isisten", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "Session Expiration", + "rsa.network.alias_host": [ + "uinesci6041.api.local" + ], + "rsa.time.day": "11", + "rsa.time.month": "Mar", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "pers" + }, + { + "destination.geo.country_name": "icons", + "destination.ip": [ + "10.60.137.215" + ], + "destination.port": 3266, + "event.code": "5155", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Mar 25 09:31:24 uovol2459.www5.invalid volup: [nimi:5155:1.2115] lillum [Impact: success] From suntin at consequa Mar 25 09:31:24 2018 UTC [Classification: tionu] [Priority: umqua ]:alert {tcp} 10.28.105.106 -> 10.60.137.215:3266 (icons)", + "fileset.name": "log", + "host.name": "uovol2459.www5.invalid", + "input.type": "log", + "log.level": "umqua", + "log.offset": 15504, + "network.protocol": "tcp", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "observer.version": "1.2115", + "related.hosts": [ + "uovol2459.www5.invalid" + ], + "related.ip": [ + "10.60.137.215", + "10.28.105.106" + ], + "rsa.crypto.sig_type": "tionu", + "rsa.internal.messageid": "5155", + "rsa.misc.context": "lillum", + "rsa.misc.event_log": "volup", + "rsa.misc.policy_name": "lillum", + "rsa.misc.result": "success", + "rsa.misc.sensor": "suntin", + "rsa.misc.severity": "umqua", + "rsa.misc.sig_id": 5155, + "rsa.misc.version": "1.2115", + "rsa.network.alias_host": [ + "uovol2459.www5.invalid" + ], + "rsa.threat.threat_desc": "umqua", + "rsa.time.day": "25", + "rsa.time.event_time_str": "Mar 25 09:31:24 2018 UTC", + "rsa.time.month": "Mar", + "service.type": "snort", + "source.ip": [ + "10.28.105.106" + ], + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.action": "ssequa", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Apr 8 16:33:58 ptate7215.www5.home mquiado: HMNOTIFY: ssequa (Sensor nisist): Severity:low: failure", + "fileset.name": "log", + "host.name": "ptate7215.www5.home", + "input.type": "log", + "log.level": "low", + "log.offset": 15742, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "ptate7215.www5.home" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "ssequa", + "rsa.misc.result": "failure", + "rsa.misc.sensor": "nisist", + "rsa.misc.severity": "low", + "rsa.time.day": "8", + "rsa.time.month": "Apr", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.action": "deny,AccessControlRuleName:toditaut,AccessControlRuleReason:success,ApplicationProtocol:ipv6-icmp,Client:didu,ConnectType:emporain,DE:ovo,DNSResponseType:aeabillo,DstIP:10.53.0.68,DstPort:7066,FileCount:4405,ICMPCode:rehen,ICMPType:sitasp,InitiatorBytes:933,InitiatorPackets:exeacom,NAPPolicy:teir,Policy:suntin,ResponderBytes:4053,ResponderPackets:upta,Sinkhole:iaeconse,SrcIP:10.235.102.51,SrcPort:1905,TCPFlags:uscip,URLCategory:ptasn,URLReputation:163.091000,UserName:san,ClientVersion:1.1124,WebApplication:amqui,OriginalClientIP: itatise,IngressInterface: lo6252,EgressInterface: enp0s6516,IngressZone: liqu,EgressZone: cons,Prefilter Policy: apar,UserAgent: Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML", + "event.code": "connection_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Apr 22 23:36:32 metc7395.lan ataevit: Protocol: rdp, AccessControlRuleAction:deny,AccessControlRuleName:toditaut,AccessControlRuleReason:success,ApplicationProtocol:ipv6-icmp,Client:didu,ConnectType:emporain,DE:ovo,DNSResponseType:aeabillo,DstIP:10.53.0.68,DstPort:7066,FileCount:4405,ICMPCode:rehen,ICMPType:sitasp,InitiatorBytes:933,InitiatorPackets:exeacom,NAPPolicy:teir,Policy:suntin,ResponderBytes:4053,ResponderPackets:upta,Sinkhole:iaeconse,SrcIP:10.235.102.51,SrcPort:1905,TCPFlags:uscip,URLCategory:ptasn,URLReputation:163.091000,UserName:san,ClientVersion:1.1124,WebApplication:amqui,OriginalClientIP: itatise,IngressInterface: lo6252,EgressInterface: enp0s6516,IngressZone: liqu,EgressZone: cons,Prefilter Policy: apar,UserAgent: Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36,ReferencedHost: umtota,URL: https://internal.example.com/xplic/isn.html?ame=tenat#etur,HTTPResponse: uisnost,HTTPReferer: snul,IPReputationSICategory: quasia,DNS_TTL: ihilmol,DNSRecordType: seosqui,DNSQuery: tiset,GID: ciade,SID: 31978,Revision: equ,Message: rror,Classification: Exce,User: uae,Priority: tut, ACPolicy: umdol", + "fileset.name": "log", + "host.name": "metc7395.lan", + "input.type": "log", + "log.offset": 15842, + "network.protocol": "rdp", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "metc7395.lan" + ], + "rsa.counters.dclass_c1_str": "Number of Files", + "rsa.internal.messageid": "connection_events", + "rsa.misc.action": [ + "deny,AccessControlRuleName:toditaut,AccessControlRuleReason:success,ApplicationProtocol:ipv6-icmp,Client:didu,ConnectType:emporain,DE:ovo,DNSResponseType:aeabillo,DstIP:10.53.0.68,DstPort:7066,FileCount:4405,ICMPCode:rehen,ICMPType:sitasp,InitiatorBytes:933,InitiatorPackets:exeacom,NAPPolicy:teir,Policy:suntin,ResponderBytes:4053,ResponderPackets:upta,Sinkhole:iaeconse,SrcIP:10.235.102.51,SrcPort:1905,TCPFlags:uscip,URLCategory:ptasn,URLReputation:163.091000,UserName:san,ClientVersion:1.1124,WebApplication:amqui,OriginalClientIP: itatise,IngressInterface: lo6252,EgressInterface: enp0s6516,IngressZone: liqu,EgressZone: cons,Prefilter Policy: apar,UserAgent: Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML" + ], + "rsa.network.alias_host": [ + "metc7395.lan" + ], + "rsa.time.day": "22", + "rsa.time.month": "Apr", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.49.190.163" + ], + "destination.nat.ip": "10.20.167.114", + "destination.nat.port": 6975, + "destination.port": 4220, + "event.code": "FTD_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "May 7 2018 06:39:06 Loremips5368.www5.corp: %FTD-ficiade-nemull:Offloaded TCP Flow for connectiontrumexfromenp0s484:10.49.190.163/4220(10.20.167.114/6975) tolo7626:10.166.40.137/5279(10.65.144.119/6233)", + "fileset.name": "log", + "host.name": "Loremips5368.www5.corp", + "input.type": "log", + "log.offset": 17035, + "observer.egress.interface.name": "enp0s484", + "observer.ingress.interface.name": "lo7626", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "Loremips5368.www5.corp" + ], + "related.ip": [ + "10.49.190.163", + "10.166.40.137", + "10.65.144.119", + "10.20.167.114" + ], + "rsa.internal.event_desc": "Offloaded TCP Flow for connection", + "rsa.internal.messageid": "FTD_events", + "rsa.internal.msg_id": "nemull", + "rsa.misc.connection_id": "trumex", + "rsa.network.alias_host": [ + "Loremips5368.www5.corp" + ], + "rsa.network.dinterface": "enp0s484", + "rsa.network.sinterface": "lo7626", + "rsa.time.day": "7", + "rsa.time.month": "May", + "service.type": "snort", + "source.ip": [ + "10.166.40.137" + ], + "source.nat.ip": "10.65.144.119", + "source.nat.port": 6233, + "source.port": 5279, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.162.128.87" + ], + "event.code": "MALWARE", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "May 21 13:41:41 mexer1548.www5.example uidexea: Sha256:emu Disposition: Malware Threat name: asia IP Addresses: 10.162.128.87<<-10.104.78.147", + "fileset.name": "log", + "host.name": "mexer1548.www5.example", + "input.type": "log", + "log.offset": 17238, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "mexer1548.www5.example" + ], + "related.ip": [ + "10.104.78.147", + "10.162.128.87" + ], + "rsa.internal.messageid": "MALWARE", + "rsa.misc.checksum": "emu", + "rsa.misc.disposition": "Malware", + "rsa.network.alias_host": [ + "mexer1548.www5.example" + ], + "rsa.threat.threat_category": "asia", + "rsa.time.day": "21", + "rsa.time.month": "May", + "service.type": "snort", + "source.ip": [ + "10.104.78.147" + ], + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.82.180.46" + ], + "event.code": "MALWARE", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jun 4 20:44:15 emulla6625.www5.corp oditaut: Sha256:oloremqu Disposition: Malware Threat name: untNeque IP Addresses: 10.82.180.46<<-10.237.43.87", + "fileset.name": "log", + "host.name": "emulla6625.www5.corp", + "input.type": "log", + "log.offset": 17380, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "emulla6625.www5.corp" + ], + "related.ip": [ + "10.237.43.87", + "10.82.180.46" + ], + "rsa.internal.messageid": "MALWARE", + "rsa.misc.checksum": "oloremqu", + "rsa.misc.disposition": "Malware", + "rsa.network.alias_host": [ + "emulla6625.www5.corp" + ], + "rsa.threat.threat_category": "untNeque", + "rsa.time.day": "4", + "rsa.time.month": "Jun", + "service.type": "snort", + "source.ip": [ + "10.237.43.87" + ], + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.geo.country_name": "quovol", + "destination.ip": [ + "10.180.28.156" + ], + "destination.port": 4665, + "event.code": "5315", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jun 19 03:46:49 magn3657.api.invalid tquiine: [ill:5315:1.4189] \"mquisn\" [Impact: success] From nby/uames at dolo Jun 19 03:46:49 2018 UTC [Classification: mnihil] [Priority: aturQui ]: umqua {icmp} 10.234.234.205:5714 (eos) -> 10.180.28.156:4665 (quovol)", + "fileset.name": "log", + "host.name": "magn3657.api.invalid", + "input.type": "log", + "log.level": "aturQui", + "log.offset": 17526, + "network.protocol": "icmp", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "observer.version": "1.4189", + "related.hosts": [ + "magn3657.api.invalid" + ], + "related.ip": [ + "10.180.28.156", + "10.234.234.205" + ], + "rsa.crypto.sig_type": "mnihil", + "rsa.internal.messageid": "5315", + "rsa.misc.context": "mquisn", + "rsa.misc.event_log": "tquiine", + "rsa.misc.group_object": "nby", + "rsa.misc.policy_name": "mquisn", + "rsa.misc.result": "success", + "rsa.misc.sensor": "uames", + "rsa.misc.severity": "aturQui", + "rsa.misc.sig_id": 5315, + "rsa.misc.version": "1.4189", + "rsa.network.alias_host": [ + "magn3657.api.invalid" + ], + "rsa.threat.threat_desc": "aturQui", + "rsa.time.day": "19", + "rsa.time.event_time_str": "Jun 19 03:46:49 2018 UTC", + "rsa.time.month": "Jun", + "service.type": "snort", + "source.geo.country_name": "eos", + "source.ip": [ + "10.234.234.205" + ], + "source.port": 5714, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.action": "architec", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jul 3 10:49:23 nis3942.mail.example edutpe: HMNOTIFY: architec (Sensor incul): Severity:high: success", + "fileset.name": "log", + "host.name": "nis3942.mail.example", + "input.type": "log", + "log.level": "high", + "log.offset": 17782, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "nis3942.mail.example" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "architec", + "rsa.misc.result": "success", + "rsa.misc.sensor": "incul", + "rsa.misc.severity": "high", + "rsa.time.day": "3", + "rsa.time.month": "Jul", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.bytes": 4280, + "destination.ip": [ + "10.166.10.187" + ], + "destination.port": 793, + "event.action": "block", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2018-7-17T17:51:58Z iscing6960.api.invalid emipsu %NGIPS-very-high-temUte:AccessControlRuleAction:block, AccessControlRuleReason:success, SrcIP:10.40.250.209, DstIP:10.166.10.187, SrcPort:3941, DstPort:793, Protocol: udp, IngressInterface: lo2032, IngressZone:nculpaq, ACPolicy:mides, AccessControlRuleName:iconseq, Prefilter Policy:nidolo, User:runtmoll, Client:tuserror, ApplicationProtocol:igmp, InitiatorPackets:adipis, ResponderPackets:tet, InitiatorBytes:1259, ResponderBytes:4280, NAPPolicy:inv, DNSQuery:upta788.invalid, DNSRecordType: a host address, DNS_TTL: olupta, DNSSICategory:raincidu", + "fileset.name": "log", + "host.name": "upta788.invalid", + "input.type": "log", + "log.level": "very", + "log.offset": 17884, + "network.application": "tuserror", + "network.protocol": "igmp", + "observer.egress.interface.name": "lo2032", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "upta788.invalid" + ], + "related.ip": [ + "10.166.10.187", + "10.40.250.209" + ], + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "high-temUte", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "raincidu", + "rsa.misc.policy_name": "inv", + "rsa.misc.result": "success", + "rsa.misc.rule_name": "iconseq", + "rsa.misc.severity": "very", + "rsa.network.alias_host": [ + "upta788.invalid" + ], + "rsa.network.dinterface": "lo2032", + "rsa.network.zone_dst": "nculpaq", + "rsa.time.day": "17", + "rule.name": "iconseq", + "service.type": "snort", + "source.bytes": 1259, + "source.ip": [ + "10.40.250.209" + ], + "source.port": 3941, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.action": "cancel,AccessControlRuleName:equat,AccessControlRuleReason:unknown,ApplicationProtocol:rdp,Client:estlab,ConnectType:vol,DE:paqui,DNSResponseType:eiusmo,DstIP:10.33.37.252,DstPort:3192,FileCount:2960,ICMPCode:itseddoe,ICMPType:tnulapa,InitiatorBytes:6405,InitiatorPackets:ngelitse,NAPPolicy:Utenim,Policy:llitan,ResponderBytes:2517,ResponderPackets:urs,Sinkhole:uepor,SrcIP:10.52.109.149,SrcPort:1416,TCPFlags:piciati,URLCategory:mipsum,URLReputation:7.706000,UserName:ditaut,ClientVersion:1.91,WebApplication:niamquis,OriginalClientIP: lapariat,IngressInterface: lo5184,EgressInterface: lo62,IngressZone: mpo,EgressZone: deritinv,Prefilter Policy: ten,UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML", + "event.code": "connection_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Aug 1 00:54:32 consequu3962.api.localdomain Maloru: Protocol: ggp, AccessControlRuleAction:cancel,AccessControlRuleName:equat,AccessControlRuleReason:unknown,ApplicationProtocol:rdp,Client:estlab,ConnectType:vol,DE:paqui,DNSResponseType:eiusmo,DstIP:10.33.37.252,DstPort:3192,FileCount:2960,ICMPCode:itseddoe,ICMPType:tnulapa,InitiatorBytes:6405,InitiatorPackets:ngelitse,NAPPolicy:Utenim,Policy:llitan,ResponderBytes:2517,ResponderPackets:urs,Sinkhole:uepor,SrcIP:10.52.109.149,SrcPort:1416,TCPFlags:piciati,URLCategory:mipsum,URLReputation:7.706000,UserName:ditaut,ClientVersion:1.91,WebApplication:niamquis,OriginalClientIP: lapariat,IngressInterface: lo5184,EgressInterface: lo62,IngressZone: mpo,EgressZone: deritinv,Prefilter Policy: ten,UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36,ReferencedHost: temporai,URL: https://example.com/emeumf/res.txt?ptasn=ima#emUte,HTTPResponse: atnonp,HTTPReferer: imaven,IPReputationSICategory: cia,DNS_TTL: doconseq,DNSRecordType: quia,DNSQuery: veleum,GID: emUten,SID: 31978,Revision: proiden,Message: cita,Classification: iac,User: ntincul,Priority: mnisiste, ACPolicy: uptas", + "fileset.name": "log", + "host.name": "consequu3962.api.localdomain", + "input.type": "log", + "log.offset": 18484, + "network.protocol": "ggp", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "consequu3962.api.localdomain" + ], + "rsa.counters.dclass_c1_str": "Number of Files", + "rsa.internal.messageid": "connection_events", + "rsa.misc.action": [ + "cancel,AccessControlRuleName:equat,AccessControlRuleReason:unknown,ApplicationProtocol:rdp,Client:estlab,ConnectType:vol,DE:paqui,DNSResponseType:eiusmo,DstIP:10.33.37.252,DstPort:3192,FileCount:2960,ICMPCode:itseddoe,ICMPType:tnulapa,InitiatorBytes:6405,InitiatorPackets:ngelitse,NAPPolicy:Utenim,Policy:llitan,ResponderBytes:2517,ResponderPackets:urs,Sinkhole:uepor,SrcIP:10.52.109.149,SrcPort:1416,TCPFlags:piciati,URLCategory:mipsum,URLReputation:7.706000,UserName:ditaut,ClientVersion:1.91,WebApplication:niamquis,OriginalClientIP: lapariat,IngressInterface: lo5184,EgressInterface: lo62,IngressZone: mpo,EgressZone: deritinv,Prefilter Policy: ten,UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML" + ], + "rsa.network.alias_host": [ + "consequu3962.api.localdomain" + ], + "rsa.time.day": "1", + "rsa.time.month": "Aug", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.78.180.219" + ], + "event.code": "MALWARE", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Aug 15 07:57:06 ita7851.localhost dictas: Sha256:equaturv Disposition: Malware Threat name: rsi IP Addresses: 10.78.180.219<<-10.198.202.72", + "fileset.name": "log", + "host.name": "ita7851.localhost", + "input.type": "log", + "log.offset": 19724, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "ita7851.localhost" + ], + "related.ip": [ + "10.78.180.219", + "10.198.202.72" + ], + "rsa.internal.messageid": "MALWARE", + "rsa.misc.checksum": "equaturv", + "rsa.misc.disposition": "Malware", + "rsa.network.alias_host": [ + "ita7851.localhost" + ], + "rsa.threat.threat_category": "rsi", + "rsa.time.day": "15", + "rsa.time.month": "Aug", + "service.type": "snort", + "source.ip": [ + "10.198.202.72" + ], + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.geo.country_name": "maccusan", + "destination.ip": [ + "10.232.67.182" + ], + "destination.port": 2086, + "event.code": "26152", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Aug 29 14:59:40 laparia5374.api.domain norumet: [tconse:26152:1.2390] \"tam\" [Impact: success] From \"inc/riaturEx\" at eleumiur Aug 29 14:59:40 2018 UTC [Classification: eufugi] [Priority: ionu ] < {ggp} 10.147.155.100 -> 10.232.67.182:2086 (maccusan)", + "fileset.name": "log", + "host.name": "laparia5374.api.domain", + "input.type": "log", + "log.level": "ionu", + "log.offset": 19864, + "network.interface.name": "enp0s2413", + "network.protocol": "ggp", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "observer.version": "1.2390", + "related.hosts": [ + "laparia5374.api.domain" + ], + "related.ip": [ + "10.147.155.100", + "10.232.67.182" + ], + "rsa.crypto.sig_type": "eufugi", + "rsa.internal.messageid": "26152", + "rsa.misc.context": "tam", + "rsa.misc.event_log": "norumet", + "rsa.misc.group_object": "inc", + "rsa.misc.policy_name": "tam", + "rsa.misc.result": "success", + "rsa.misc.sensor": "riaturEx", + "rsa.misc.severity": "ionu", + "rsa.misc.sig_id": 26152, + "rsa.misc.version": "1.2390", + "rsa.network.alias_host": [ + "laparia5374.api.domain" + ], + "rsa.network.interface": "enp0s2413", + "rsa.threat.threat_desc": "ionu", + "rsa.time.day": "29", + "rsa.time.event_time_str": "Aug 29 14:59:40 2018 UTC", + "rsa.time.month": "Aug", + "service.type": "snort", + "source.ip": [ + "10.147.155.100" + ], + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.95.152.78" + ], + "destination.port": 1267, + "event.code": "9193", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Sep 12 22:02:15 onse3711.api.domain aliquaUt: [boreet:9193:1.1034] vol [Impact: unknown] From \"nof/boNe\" at ovolu Sep 12 22:02:15 2018 UTC [Classification: cid] [Priority: periam ] {ggp} 10.4.147.70:3210 -> 10.95.152.78:1267", + "fileset.name": "log", + "host.name": "onse3711.api.domain", + "input.type": "log", + "log.level": "periam", + "log.offset": 20125, + "network.protocol": "ggp", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "observer.version": "1.1034", + "related.hosts": [ + "onse3711.api.domain" + ], + "related.ip": [ + "10.4.147.70", + "10.95.152.78" + ], + "rsa.crypto.sig_type": "cid", + "rsa.internal.messageid": "9193", + "rsa.misc.context": "vol", + "rsa.misc.event_log": "aliquaUt", + "rsa.misc.group_object": "nof", + "rsa.misc.policy_name": "vol", + "rsa.misc.result": "unknown", + "rsa.misc.sensor": "boNe", + "rsa.misc.severity": "periam", + "rsa.misc.sig_id": 9193, + "rsa.misc.version": "1.1034", + "rsa.network.alias_host": [ + "onse3711.api.domain" + ], + "rsa.threat.threat_desc": "periam", + "rsa.time.day": "12", + "rsa.time.event_time_str": "Sep 12 22:02:15 2018 UTC", + "rsa.time.month": "Sep", + "service.type": "snort", + "source.ip": [ + "10.4.147.70" + ], + "source.port": 3210, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Sep 27 05:04:49 elite: nde iac7016.api.lan: antiu@llumquid, FailD, paq", + "file.name": "elite", + "fileset.name": "log", + "host.name": "iac7016.api.lan", + "input.type": "log", + "log.offset": 20350, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "iac7016.api.lan" + ], + "related.user": [ + "antiu" + ], + "rsa.db.index": "paq", + "rsa.internal.messageid": "SystemSettings", + "rsa.network.alias_host": [ + "iac7016.api.lan" + ], + "rsa.time.day": "27", + "rsa.time.month": "Sep", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "antiu" + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Oct 11 12:07:23 sit: tte4006.www5.test: lors@isautem, Intrusion Events,metco", + "file.name": "sit", + "fileset.name": "log", + "host.name": "tte4006.www5.test", + "input.type": "log", + "log.offset": 20421, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "tte4006.www5.test" + ], + "related.user": [ + "lors" + ], + "rsa.db.index": "metco", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "Intrusion Events", + "rsa.network.alias_host": [ + "tte4006.www5.test" + ], + "rsa.time.day": "11", + "rsa.time.month": "Oct", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "lors" + }, + { + "event.action": "cancel,AccessControlRuleName:bor,AccessControlRuleReason:success,ApplicationProtocol:udp,Client:ten,ConnectType:ssec,DE:snulapar,DNSResponseType:maccusan,DstIP:10.54.49.229,DstPort:1089,ICMPCode:iset,ICMPType:piciatis,InitiatorBytes:3781,InitiatorPackets:dolor,NAPPolicy:tur,Policy:sBo,ResponderBytes:1426,ResponderPackets:rehende,Sinkhole:iaeco,SrcIP:10.204.18.92,SrcPort:4216,TCPFlags:psamvolu,URLCategory:odte,URLReputation:12.264000,UserName:aparia,ClientVersion:1.2692,WebApplication:reetd,OriginalClientIP: nos,IngressInterface: enp0s6783,EgressInterface: enp0s2434,IngressZone: urveli,EgressZone: agnaa,Prefilter Policy: olu,UserAgent: Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2018-10-25T19:09:57Z equatD1241.www5.host rpo %NGIPS-low-econs:AccessControlRuleAction:cancel,AccessControlRuleName:bor,AccessControlRuleReason:success,ApplicationProtocol:udp,Client:ten,ConnectType:ssec,DE:snulapar,DNSResponseType:maccusan,DstIP:10.54.49.229,DstPort:1089,ICMPCode:iset,ICMPType:piciatis,InitiatorBytes:3781,InitiatorPackets:dolor,NAPPolicy:tur,Policy:sBo,ResponderBytes:1426,ResponderPackets:rehende,Sinkhole:iaeco,SrcIP:10.204.18.92,SrcPort:4216,TCPFlags:psamvolu,URLCategory:odte,URLReputation:12.264000,UserName:aparia,ClientVersion:1.2692,WebApplication:reetd,OriginalClientIP: nos,IngressInterface: enp0s6783,EgressInterface: enp0s2434,IngressZone: urveli,EgressZone: agnaa,Prefilter Policy: olu,UserAgent: Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36,ReferencedHost: atae,URL: https://www5.example.net/boNemo/duntutla.html?tmollit=ptat#nnumqu,HTTPResponse: billoi,HTTPReferer: ciatisu,IPReputationSICategory: evelites,DNS_TTL: vol,DNSRecordType: ommodi,DNSQuery: ritat,GID: dipi,SID: asnulapa,Revision: atev,Message: onsequa,Classification: seddoe,User: quisnost,Priority: tionu, ACPolicy: ciades, ConnectionDuration: 116.537000,Protocol: icmp,VLAN_ID: 764,IPSCount: 5618,InlineResult: accept, DNSSICategory: nvolupt, URLSICategory: stia", + "fileset.name": "log", + "host.name": "equatD1241.www5.host", + "input.type": "log", + "log.level": "low", + "log.offset": 20498, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "equatD1241.www5.host" + ], + "rsa.counters.dclass_c1_str": " The number of intrusion events", + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "econs", + "rsa.misc.action": [ + "cancel,AccessControlRuleName:bor,AccessControlRuleReason:success,ApplicationProtocol:udp,Client:ten,ConnectType:ssec,DE:snulapar,DNSResponseType:maccusan,DstIP:10.54.49.229,DstPort:1089,ICMPCode:iset,ICMPType:piciatis,InitiatorBytes:3781,InitiatorPackets:dolor,NAPPolicy:tur,Policy:sBo,ResponderBytes:1426,ResponderPackets:rehende,Sinkhole:iaeco,SrcIP:10.204.18.92,SrcPort:4216,TCPFlags:psamvolu,URLCategory:odte,URLReputation:12.264000,UserName:aparia,ClientVersion:1.2692,WebApplication:reetd,OriginalClientIP: nos,IngressInterface: enp0s6783,EgressInterface: enp0s2434,IngressZone: urveli,EgressZone: agnaa,Prefilter Policy: olu,UserAgent: Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML" + ], + "rsa.misc.category": "stia", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "equatD1241.www5.host" + ], + "rsa.time.day": "25", + "rsa.time.duration_time": 116.537, + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.216.14.36" + ], + "event.code": "MALWARE", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Nov 9 02:12:32 essequ121.localdomain uaturQui: Sha256:emi Disposition: Malware Threat name: mipsumq IP Addresses: 10.216.14.36<<-10.224.250.83", + "fileset.name": "log", + "host.name": "essequ121.localdomain", + "input.type": "log", + "log.offset": 21841, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "essequ121.localdomain" + ], + "related.ip": [ + "10.216.14.36", + "10.224.250.83" + ], + "rsa.internal.messageid": "MALWARE", + "rsa.misc.checksum": "emi", + "rsa.misc.disposition": "Malware", + "rsa.network.alias_host": [ + "essequ121.localdomain" + ], + "rsa.threat.threat_category": "mipsumq", + "rsa.time.day": "9", + "rsa.time.month": "Nov", + "service.type": "snort", + "source.ip": [ + "10.224.250.83" + ], + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.231.10.63" + ], + "event.code": "10329", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Nov 23 09:15:06 borios1685.www.localhost umfu: [inesc:10329:1.6298] \"olupt\" [Impact: failure] From otamr/nonnu at riamea Nov 23 09:15:06 2018 UTC [Classification: taliquip] [Priority: upt ]:alert {ggp} 10.38.22.60:653 (ipi) -> 10.231.10.63", + "fileset.name": "log", + "host.name": "borios1685.www.localhost", + "input.type": "log", + "log.level": "upt", + "log.offset": 21984, + "network.protocol": "ggp", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "observer.version": "1.6298", + "related.hosts": [ + "borios1685.www.localhost" + ], + "related.ip": [ + "10.231.10.63", + "10.38.22.60" + ], + "rsa.crypto.sig_type": "taliquip", + "rsa.internal.messageid": "10329", + "rsa.misc.context": "olupt", + "rsa.misc.event_log": "umfu", + "rsa.misc.group_object": "otamr", + "rsa.misc.policy_name": "olupt", + "rsa.misc.result": "failure", + "rsa.misc.sensor": "nonnu", + "rsa.misc.severity": "upt", + "rsa.misc.sig_id": 10329, + "rsa.misc.version": "1.6298", + "rsa.network.alias_host": [ + "borios1685.www.localhost" + ], + "rsa.threat.threat_desc": "upt", + "rsa.time.day": "23", + "rsa.time.event_time_str": "Nov 23 09:15:06 2018 UTC", + "rsa.time.month": "Nov", + "service.type": "snort", + "source.geo.country_name": "ipi", + "source.ip": [ + "10.38.22.60" + ], + "source.port": 653, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.bytes": 560, + "destination.ip": [ + "10.29.231.11" + ], + "destination.port": 2231, + "event.action": "cancel", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2018-12-7T16:17:40Z odt2318.localdomain dut %NGIPS-high-remape:AccessControlRuleAction:cancel, AccessControlRuleReason:failure, SrcIP:10.46.57.181, DstIP:10.29.231.11, SrcPort:3760, DstPort:2231, Protocol: ggp, IngressInterface: eth1891, IngressZone:orsitam, ACPolicy:olupt, AccessControlRuleName:tlab, Prefilter Policy:str, User:sit, Client:atat, ApplicationProtocol:tcp, InitiatorPackets:isnos, ResponderPackets:emp, InitiatorBytes:42, ResponderBytes:560, NAPPolicy:sciveli, DNSQuery:Bonoru5658.mail.invalid, DNSRecordType: a host address, DNSSICategory:omm", + "fileset.name": "log", + "host.name": "Bonoru5658.mail.invalid", + "input.type": "log", + "log.level": "high", + "log.offset": 22224, + "network.application": "atat", + "network.protocol": "tcp", + "observer.egress.interface.name": "eth1891", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "Bonoru5658.mail.invalid" + ], + "related.ip": [ + "10.29.231.11", + "10.46.57.181" + ], + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "remape", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.category": "omm", + "rsa.misc.policy_name": "sciveli", + "rsa.misc.result": "failure", + "rsa.misc.rule_name": "tlab", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "Bonoru5658.mail.invalid" + ], + "rsa.network.dinterface": "eth1891", + "rsa.network.zone_dst": "orsitam", + "rsa.time.day": "7", + "rule.name": "tlab", + "service.type": "snort", + "source.bytes": 42, + "source.ip": [ + "10.46.57.181" + ], + "source.port": 3760, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Dec 21 23:20:14 dolores: oin ueipsa6797.mail.home: agnaal@itaut, Access Control Policy > Bonoru", + "file.name": "dolores", + "fileset.name": "log", + "host.name": "ueipsa6797.mail.home", + "input.type": "log", + "log.offset": 22784, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "ueipsa6797.mail.home" + ], + "related.user": [ + "agnaal" + ], + "rsa.db.index": "Bonoru", + "rsa.internal.messageid": "SystemSettings", + "rsa.network.alias_host": [ + "ueipsa6797.mail.home" + ], + "rsa.time.day": "21", + "rsa.time.month": "Dec", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "agnaal" + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jan 5 06:22:49 ntinculp: uptatemU iono5161.www5.localhost: ita@olupt, System > orisnisi", + "file.name": "ntinculp", + "fileset.name": "log", + "host.name": "iono5161.www5.localhost", + "input.type": "log", + "log.offset": 22880, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "iono5161.www5.localhost" + ], + "related.user": [ + "ita" + ], + "rsa.db.index": "orisnisi", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "System", + "rsa.network.alias_host": [ + "iono5161.www5.localhost" + ], + "rsa.time.day": "5", + "rsa.time.month": "Jan", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "ita" + }, + { + "event.action": "cancel,AccessControlRuleName:uia,AccessControlRuleReason:unknown,ApplicationProtocol:ipv6-icmp,Client:nostrume,ConnectType:corpori,DE:unti,DNSResponseType:tena,DstIP:10.199.173.109,DstPort:1531,FileCount:4238,ICMPCode:rmagni,ICMPType:tiono,InitiatorBytes:7625,InitiatorPackets:imipsamv,NAPPolicy:eroin,Policy:xplicabo,ResponderBytes:4308,ResponderPackets:cidu,Sinkhole:tquo,SrcIP:10.20.64.209,SrcPort:5294,TCPFlags:mrem,URLCategory:maliquam,URLReputation:112.060000,UserName:eiusmo,ClientVersion:1.3720,WebApplication:its,OriginalClientIP: prehende,IngressInterface: eth685,EgressInterface: lo919,IngressZone: uiration,EgressZone: secte,Prefilter Policy: ulapari,UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML", + "event.code": "connection_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jan 19 13:25:23 untut3537.domain sit: Protocol: ggp, AccessControlRuleAction:cancel,AccessControlRuleName:uia,AccessControlRuleReason:unknown,ApplicationProtocol:ipv6-icmp,Client:nostrume,ConnectType:corpori,DE:unti,DNSResponseType:tena,DstIP:10.199.173.109,DstPort:1531,FileCount:4238,ICMPCode:rmagni,ICMPType:tiono,InitiatorBytes:7625,InitiatorPackets:imipsamv,NAPPolicy:eroin,Policy:xplicabo,ResponderBytes:4308,ResponderPackets:cidu,Sinkhole:tquo,SrcIP:10.20.64.209,SrcPort:5294,TCPFlags:mrem,URLCategory:maliquam,URLReputation:112.060000,UserName:eiusmo,ClientVersion:1.3720,WebApplication:its,OriginalClientIP: prehende,IngressInterface: eth685,EgressInterface: lo919,IngressZone: uiration,EgressZone: secte,Prefilter Policy: ulapari,UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36,ReferencedHost: vol,URL: https://api.example.com/non/quaturQu.gif?etura=taedi#edi,HTTPResponse: quiacon,HTTPReferer: udexerc,IPReputationSICategory: volu,DNS_TTL: tassit,DNSRecordType: metconse,DNSQuery: remeum,GID: equaturQ,SID: 38469,Revision: mollita,Message: eserun,Classification: sBono,User: icab,Priority: iquaUten, ACPolicy: oluptasn", + "fileset.name": "log", + "host.name": "untut3537.domain", + "input.type": "log", + "log.offset": 22968, + "network.protocol": "ggp", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "untut3537.domain" + ], + "rsa.counters.dclass_c1_str": "Number of Files", + "rsa.internal.messageid": "connection_events", + "rsa.misc.action": [ + "cancel,AccessControlRuleName:uia,AccessControlRuleReason:unknown,ApplicationProtocol:ipv6-icmp,Client:nostrume,ConnectType:corpori,DE:unti,DNSResponseType:tena,DstIP:10.199.173.109,DstPort:1531,FileCount:4238,ICMPCode:rmagni,ICMPType:tiono,InitiatorBytes:7625,InitiatorPackets:imipsamv,NAPPolicy:eroin,Policy:xplicabo,ResponderBytes:4308,ResponderPackets:cidu,Sinkhole:tquo,SrcIP:10.20.64.209,SrcPort:5294,TCPFlags:mrem,URLCategory:maliquam,URLReputation:112.060000,UserName:eiusmo,ClientVersion:1.3720,WebApplication:its,OriginalClientIP: prehende,IngressInterface: eth685,EgressInterface: lo919,IngressZone: uiration,EgressZone: secte,Prefilter Policy: ulapari,UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML" + ], + "rsa.network.alias_host": [ + "untut3537.domain" + ], + "rsa.time.day": "19", + "rsa.time.month": "Jan", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.bytes": 1881, + "destination.ip": [ + "10.135.250.25" + ], + "destination.port": 1306, + "event.action": "block", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2019-2-2T20:27:57Z atio5250.api.localhost idolo %NGIPS-low-ritat:AccessControlRuleAction:block, AccessControlRuleReason:success, SrcIP:10.107.144.80, DstIP:10.135.250.25, SrcPort:703, DstPort:1306, Protocol: icmp, IngressInterface: lo3342, IngressZone:emquiavo, ACPolicy:nsequ, AccessControlRuleName:Secti, Prefilter Policy:utlabore, User:suscipi, Client:tlabor, ApplicationProtocol:ggp, InitiatorPackets:dolore, ResponderPackets:xer, InitiatorBytes:4673, ResponderBytes:1881, NAPPolicy:msequine, DNSQuery:reetd7201.invalid, DNSRecordType: a host address, DNS_TTL: ugiatquo, DNSSICategory:ende", + "fileset.name": "log", + "host.name": "reetd7201.invalid", + "input.type": "log", + "log.level": "low", + "log.offset": 24183, + "network.application": "tlabor", + "network.protocol": "ggp", + "observer.egress.interface.name": "lo3342", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "reetd7201.invalid" + ], + "related.ip": [ + "10.135.250.25", + "10.107.144.80" + ], + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "ritat", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "ende", + "rsa.misc.policy_name": "msequine", + "rsa.misc.result": "success", + "rsa.misc.rule_name": "Secti", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "reetd7201.invalid" + ], + "rsa.network.dinterface": "lo3342", + "rsa.network.zone_dst": "emquiavo", + "rsa.time.day": "2", + "rule.name": "Secti", + "service.type": "snort", + "source.bytes": 4673, + "source.ip": [ + "10.107.144.80" + ], + "source.port": 703, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.action": "olupta", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Feb 17 03:30:32 tnula4380.mail.test edolo: HMNOTIFY: olupta (Sensor volu): Severity:low: failure", + "fileset.name": "log", + "host.name": "tnula4380.mail.test", + "input.type": "log", + "log.level": "low", + "log.offset": 24777, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "tnula4380.mail.test" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "olupta", + "rsa.misc.result": "failure", + "rsa.misc.sensor": "volu", + "rsa.misc.severity": "low", + "rsa.time.day": "17", + "rsa.time.month": "Feb", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Mar 3 10:33:06 ugiat: [quiin] apar2567.www.localhost: iscing@ser, Policies > nama", + "file.name": "ugiat", + "fileset.name": "log", + "host.name": "apar2567.www.localhost", + "input.type": "log", + "log.offset": 24874, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "apar2567.www.localhost" + ], + "related.user": [ + "iscing" + ], + "rsa.db.index": "nama", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "Policies", + "rsa.network.alias_host": [ + "apar2567.www.localhost" + ], + "rsa.time.day": "3", + "rsa.time.month": "Mar", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "iscing" + }, + { + "destination.ip": [ + "10.5.88.183" + ], + "destination.port": 7518, + "event.code": "FTD_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Mar 17 2019 17:35:40 onsecte5119.www.invalid %FTD-dolore-iineavol:Failed to locate egress interface for icmp from enp0s3923:10.198.207.31/579 to 10.5.88.183/7518", + "fileset.name": "log", + "host.name": "onsecte5119.www.invalid", + "input.type": "log", + "log.offset": 24956, + "network.protocol": "icmp", + "observer.ingress.interface.name": "enp0s3923", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "onsecte5119.www.invalid" + ], + "related.ip": [ + "10.198.207.31", + "10.5.88.183" + ], + "rsa.internal.event_desc": "Failed to locate egress interface", + "rsa.internal.messageid": "FTD_events", + "rsa.internal.msg_id": "iineavol", + "rsa.network.alias_host": [ + "onsecte5119.www.invalid" + ], + "rsa.network.sinterface": "enp0s3923", + "rsa.time.day": "17", + "rsa.time.month": "Mar", + "service.type": "snort", + "source.ip": [ + "10.198.207.31" + ], + "source.port": 579, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Apr 1 00:38:14 uis: [oluptat] iutali3143.host: ect@fdeFi, Analysis & Reporting , eritat", + "file.name": "uis", + "fileset.name": "log", + "host.name": "iutali3143.host", + "input.type": "log", + "log.offset": 25118, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "iutali3143.host" + ], + "related.user": [ + "ect" + ], + "rsa.db.index": "eritat", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "Analysis & Reporting", + "rsa.network.alias_host": [ + "iutali3143.host" + ], + "rsa.time.day": "1", + "rsa.time.month": "Apr", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "ect" + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Apr 15 07:40:49 prehende: [spern] orro7466.www5.lan: issu@accusant, rrorsitv", + "file.name": "prehende", + "fileset.name": "log", + "host.name": "orro7466.www5.lan", + "input.type": "log", + "log.offset": 25206, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "orro7466.www5.lan" + ], + "related.user": [ + "issu" + ], + "rsa.db.index": "rrorsitv", + "rsa.internal.messageid": "SystemSettings", + "rsa.network.alias_host": [ + "orro7466.www5.lan" + ], + "rsa.time.day": "15", + "rsa.time.month": "Apr", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "issu" + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Apr 29 14:43:23 quii: [dantiu] epre7710.www.domain: aria@ugi, Heartbeat, econ", + "file.name": "quii", + "fileset.name": "log", + "host.name": "epre7710.www.domain", + "input.type": "log", + "log.offset": 25283, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "epre7710.www.domain" + ], + "related.user": [ + "aria" + ], + "rsa.db.index": "econ", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "Heartbeat", + "rsa.network.alias_host": [ + "epre7710.www.domain" + ], + "rsa.time.day": "29", + "rsa.time.month": "Apr", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "aria" + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "May 13 21:45:57 tio: [tlabori] nsequatu2799.www5.invalid: mape@aboree, Task Queue, eumiurer", + "file.name": "tio", + "fileset.name": "log", + "host.name": "nsequatu2799.www5.invalid", + "input.type": "log", + "log.offset": 25361, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "nsequatu2799.www5.invalid" + ], + "related.user": [ + "mape" + ], + "rsa.db.index": "eumiurer", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "Task Queue", + "rsa.network.alias_host": [ + "nsequatu2799.www5.invalid" + ], + "rsa.time.day": "13", + "rsa.time.month": "May", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "mape" + }, + { + "event.action": "block,AccessControlRuleName:uaUten,AccessControlRuleReason:failure,ApplicationProtocol:icmp,Client:aec,ConnectType:issus,DE:ica,DNSResponseType:scingeli,DstIP:10.10.40.136,DstPort:6091,ICMPCode:idu,ICMPType:neavolup,InitiatorBytes:694,InitiatorPackets:giatquov,NAPPolicy:ovolupta,Policy:oen,ResponderBytes:7141,ResponderPackets:mtot,Sinkhole:entorev,SrcIP:10.34.89.14,SrcPort:4988,TCPFlags:quisnost,URLCategory:chitecto,URLReputation:124.035000,UserName:quelauda,ClientVersion:1.992,WebApplication:mquia,OriginalClientIP: saquaeab,IngressInterface: lo2474,EgressInterface: eth6425,IngressZone: deFini,EgressZone: radip,Prefilter Policy: odiconse,UserAgent: Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2019-5-28T04:48:31Z scingel1634.api.home orsit %NGIPS-high-meaq:AccessControlRuleAction:block,AccessControlRuleName:uaUten,AccessControlRuleReason:failure,ApplicationProtocol:icmp,Client:aec,ConnectType:issus,DE:ica,DNSResponseType:scingeli,DstIP:10.10.40.136,DstPort:6091,ICMPCode:idu,ICMPType:neavolup,InitiatorBytes:694,InitiatorPackets:giatquov,NAPPolicy:ovolupta,Policy:oen,ResponderBytes:7141,ResponderPackets:mtot,Sinkhole:entorev,SrcIP:10.34.89.14,SrcPort:4988,TCPFlags:quisnost,URLCategory:chitecto,URLReputation:124.035000,UserName:quelauda,ClientVersion:1.992,WebApplication:mquia,OriginalClientIP: saquaeab,IngressInterface: lo2474,EgressInterface: eth6425,IngressZone: deFini,EgressZone: radip,Prefilter Policy: odiconse,UserAgent: Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36,ReferencedHost: untu,URL: https://mail.example.net/quunturm/upta.gif?exer=mvolup#litseddo,HTTPResponse: ccaeca,HTTPReferer: snostr,IPReputationSICategory: ratvol,DNS_TTL: olaboris,DNSRecordType: smodite,DNSQuery: eataevi,GID: conseq,SID: quo,Revision: texplica,Message: urQuis,Classification: umetMa,User: tisetqua,Priority: lore, ACPolicy: taedicta, ConnectionDuration: 141.678000,Protocol: udp,VLAN_ID: 2110,IPSCount: 7554,InlineResult: cancel, DNSSICategory: tmollita, URLSICategory: turQuis", + "fileset.name": "log", + "host.name": "scingel1634.api.home", + "input.type": "log", + "log.level": "high", + "log.offset": 25453, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "scingel1634.api.home" + ], + "rsa.counters.dclass_c1_str": " The number of intrusion events", + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "meaq", + "rsa.misc.action": [ + "block,AccessControlRuleName:uaUten,AccessControlRuleReason:failure,ApplicationProtocol:icmp,Client:aec,ConnectType:issus,DE:ica,DNSResponseType:scingeli,DstIP:10.10.40.136,DstPort:6091,ICMPCode:idu,ICMPType:neavolup,InitiatorBytes:694,InitiatorPackets:giatquov,NAPPolicy:ovolupta,Policy:oen,ResponderBytes:7141,ResponderPackets:mtot,Sinkhole:entorev,SrcIP:10.34.89.14,SrcPort:4988,TCPFlags:quisnost,URLCategory:chitecto,URLReputation:124.035000,UserName:quelauda,ClientVersion:1.992,WebApplication:mquia,OriginalClientIP: saquaeab,IngressInterface: lo2474,EgressInterface: eth6425,IngressZone: deFini,EgressZone: radip,Prefilter Policy: odiconse,UserAgent: Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML" + ], + "rsa.misc.category": "turQuis", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "scingel1634.api.home" + ], + "rsa.time.day": "28", + "rsa.time.duration_time": 141.678, + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.action": "deny,AccessControlRuleName:mea,AccessControlRuleReason:success,ApplicationProtocol:rdp,Client:illoinv,ConnectType:euf,DE:turveli,DNSResponseType:onofdeFi,DstIP:10.197.182.37,DstPort:4472,ICMPCode:quaUte,ICMPType:ercitati,InitiatorBytes:6085,InitiatorPackets:rehe,NAPPolicy:hilmole,Policy:etura,ResponderBytes:540,ResponderPackets:eumiure,Sinkhole:exe,SrcIP:10.182.121.165,SrcPort:4822,TCPFlags:tate,URLCategory:tev,URLReputation:46.627000,UserName:uira,ClientVersion:1.2734,WebApplication:ncididu,OriginalClientIP: numqu,IngressInterface: enp0s1059,EgressInterface: enp0s3789,IngressZone: uscipitl,EgressZone: utfugit,Prefilter Policy: utali,UserAgent: Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2019-6-11T11:51:06Z inBCSe364.www.corp ntore %NGIPS-very-high-tsedquia:AccessControlRuleAction:deny,AccessControlRuleName:mea,AccessControlRuleReason:success,ApplicationProtocol:rdp,Client:illoinv,ConnectType:euf,DE:turveli,DNSResponseType:onofdeFi,DstIP:10.197.182.37,DstPort:4472,ICMPCode:quaUte,ICMPType:ercitati,InitiatorBytes:6085,InitiatorPackets:rehe,NAPPolicy:hilmole,Policy:etura,ResponderBytes:540,ResponderPackets:eumiure,Sinkhole:exe,SrcIP:10.182.121.165,SrcPort:4822,TCPFlags:tate,URLCategory:tev,URLReputation:46.627000,UserName:uira,ClientVersion:1.2734,WebApplication:ncididu,OriginalClientIP: numqu,IngressInterface: enp0s1059,EgressInterface: enp0s3789,IngressZone: uscipitl,EgressZone: utfugit,Prefilter Policy: utali,UserAgent: Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;],ReferencedHost: peria,URL: https://api.example.com/uscip/uptatem.txt?eetd=orin#remag,HTTPResponse: conse,HTTPReferer: ate,IPReputationSICategory: iamq,DNS_TTL: tationul,DNSRecordType: qui,DNSQuery: porissu,GID: one,SID: mqu,Revision: iofficia,Message: uisnostr,Classification: lit,User: stlabo,Priority: uaer, ACPolicy: ectob, ConnectionDuration: 159.885000,Protocol: rdp,VLAN_ID: 350,IPSCount: 7423,InlineResult: allow, DNSSICategory: orema, URLSICategory: enderit", + "fileset.name": "log", + "host.name": "inBCSe364.www.corp", + "input.type": "log", + "log.level": "very", + "log.offset": 26810, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "inBCSe364.www.corp" + ], + "rsa.counters.dclass_c1_str": " The number of intrusion events", + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "high-tsedquia", + "rsa.misc.action": [ + "deny,AccessControlRuleName:mea,AccessControlRuleReason:success,ApplicationProtocol:rdp,Client:illoinv,ConnectType:euf,DE:turveli,DNSResponseType:onofdeFi,DstIP:10.197.182.37,DstPort:4472,ICMPCode:quaUte,ICMPType:ercitati,InitiatorBytes:6085,InitiatorPackets:rehe,NAPPolicy:hilmole,Policy:etura,ResponderBytes:540,ResponderPackets:eumiure,Sinkhole:exe,SrcIP:10.182.121.165,SrcPort:4822,TCPFlags:tate,URLCategory:tev,URLReputation:46.627000,UserName:uira,ClientVersion:1.2734,WebApplication:ncididu,OriginalClientIP: numqu,IngressInterface: enp0s1059,EgressInterface: enp0s3789,IngressZone: uscipitl,EgressZone: utfugit,Prefilter Policy: utali,UserAgent: Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML" + ], + "rsa.misc.category": "enderit", + "rsa.misc.severity": "very", + "rsa.network.alias_host": [ + "inBCSe364.www.corp" + ], + "rsa.time.day": "11", + "rsa.time.duration_time": 159.885, + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.bytes": 4560, + "destination.ip": [ + "10.186.68.87" + ], + "destination.port": 2129, + "event.action": "allow", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2019-6-25T18:53:40Z uaeratv2083.internal.localhost essecil %NGIPS-medium-uptate:AccessControlRuleAction:allow, AccessControlRuleReason:unknown, SrcIP:10.154.87.98, DstIP:10.186.68.87, SrcPort:2632, DstPort:2129, Protocol: igmp, IngressInterface: eth2658, IngressZone:suscipi, ACPolicy:eirure, AccessControlRuleName:itsed, Prefilter Policy:fugiat, User:ore, Client:labo, ApplicationProtocol:ipv6-icmp, InitiatorPackets:nisi, ResponderPackets:pidatatn, InitiatorBytes:2005, ResponderBytes:4560, NAPPolicy:odico, DNSQuery:onofdeFi1149.www5.domain, DNSRecordType: a host address, DNSSICategory:ioffici", + "fileset.name": "log", + "host.name": "onofdeFi1149.www5.domain", + "input.type": "log", + "log.level": "medium", + "log.offset": 28227, + "network.application": "labo", + "network.protocol": "ipv6-icmp", + "observer.egress.interface.name": "eth2658", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "onofdeFi1149.www5.domain" + ], + "related.ip": [ + "10.186.68.87", + "10.154.87.98" + ], + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "uptate", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "ioffici", + "rsa.misc.policy_name": "odico", + "rsa.misc.result": "unknown", + "rsa.misc.rule_name": "itsed", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "onofdeFi1149.www5.domain" + ], + "rsa.network.dinterface": "eth2658", + "rsa.network.zone_dst": "suscipi", + "rsa.time.day": "25", + "rule.name": "itsed", + "service.type": "snort", + "source.bytes": 2005, + "source.ip": [ + "10.154.87.98" + ], + "source.port": 2632, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.bytes": 584, + "destination.ip": [ + "10.67.211.63" + ], + "destination.port": 7478, + "event.action": "allow", + "event.code": "NGIPS_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "2019-7-10T01:56:14Z nvo2629.example onsequ %NGIPS-medium-itess:AccessControlRuleAction:allow, AccessControlRuleReason:unknown, SrcIP:10.35.59.140, DstIP:10.67.211.63, SrcPort:1832, DstPort:7478, Protocol: udp, IngressInterface: eth3613, IngressZone:temqu, ACPolicy:emse, AccessControlRuleName:dantiu, Prefilter Policy:oluptate, User:onnu, Client:Ciceroin, ApplicationProtocol:udp, InitiatorPackets:itempora, ResponderPackets:uovol, InitiatorBytes:4338, ResponderBytes:584, NAPPolicy:bore, DNSQuery:lumdol5252.internal.test, DNSRecordType: a host address, DNS_TTL: seosq, DNSSICategory:orain", + "fileset.name": "log", + "host.name": "lumdol5252.internal.test", + "input.type": "log", + "log.level": "medium", + "log.offset": 28825, + "network.application": "Ciceroin", + "network.protocol": "udp", + "observer.egress.interface.name": "eth3613", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "lumdol5252.internal.test" + ], + "related.ip": [ + "10.35.59.140", + "10.67.211.63" + ], + "rsa.internal.messageid": "NGIPS_events", + "rsa.internal.msg_id": "itess", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "orain", + "rsa.misc.policy_name": "bore", + "rsa.misc.result": "unknown", + "rsa.misc.rule_name": "dantiu", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "lumdol5252.internal.test" + ], + "rsa.network.dinterface": "eth3613", + "rsa.network.zone_dst": "temqu", + "rsa.time.day": "10", + "rule.name": "dantiu", + "service.type": "snort", + "source.bytes": 4338, + "source.ip": [ + "10.35.59.140" + ], + "source.port": 1832, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.action": "eeufugia", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Jul 24 08:58:48 quianonn2762.api.localhost : HMNOTIFY: eeufugia (Sensor mquis): Severity:very-high: unknown", + "fileset.name": "log", + "host.name": "quianonn2762.api.localhost", + "input.type": "log", + "log.level": "very-high", + "log.offset": 29416, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "quianonn2762.api.localhost" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "eeufugia", + "rsa.misc.result": "unknown", + "rsa.misc.sensor": "mquis", + "rsa.misc.severity": "very-high", + "rsa.time.day": "24", + "rsa.time.month": "Jul", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Aug 7 16:01:23 ver: [quaturv] atn2219.api.invalid: radip@ipsum, Heartbeat, itesse", + "file.name": "ver", + "fileset.name": "log", + "host.name": "atn2219.api.invalid", + "input.type": "log", + "log.offset": 29524, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "atn2219.api.invalid" + ], + "related.user": [ + "radip" + ], + "rsa.db.index": "itesse", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "Heartbeat", + "rsa.network.alias_host": [ + "atn2219.api.invalid" + ], + "rsa.time.day": "7", + "rsa.time.month": "Aug", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "radip" + }, + { + "event.action": "atcup", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Aug 21 23:03:57 equu1159.internal.localhost psumdol: HMNOTIFY: atcup (Sensor urautodi): Severity:medium: failure", + "fileset.name": "log", + "host.name": "equu1159.internal.localhost", + "input.type": "log", + "log.level": "medium", + "log.offset": 29606, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "equu1159.internal.localhost" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "atcup", + "rsa.misc.result": "failure", + "rsa.misc.sensor": "urautodi", + "rsa.misc.severity": "medium", + "rsa.time.day": "21", + "rsa.time.month": "Aug", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Sep 5 06:06:31 dexer: [tionofde] urQuisau2442.mail.invalid: uptate@itesse, Login, Login Success", + "event.outcome": "success", + "file.name": "dexer", + "fileset.name": "log", + "host.name": "urQuisau2442.mail.invalid", + "input.type": "log", + "log.offset": 29719, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "urQuisau2442.mail.invalid" + ], + "related.user": [ + "uptate" + ], + "rsa.internal.messageid": "SystemSettings", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.network.alias_host": [ + "urQuisau2442.mail.invalid" + ], + "rsa.time.day": "5", + "rsa.time.month": "Sep", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "uptate" + }, + { + "destination.ip": [ + "10.179.27.185" + ], + "event.code": "MALWARE", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Sep 19 13:09:05 cididu3187.home asperna: Sha256:llumdolo Disposition: Malware Threat name: sequines IP Addresses: 10.14.46.141->10.179.27.185", + "fileset.name": "log", + "host.name": "cididu3187.home", + "input.type": "log", + "log.offset": 29815, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "cididu3187.home" + ], + "related.ip": [ + "10.14.46.141", + "10.179.27.185" + ], + "rsa.internal.messageid": "MALWARE", + "rsa.misc.checksum": "llumdolo", + "rsa.misc.disposition": "Malware", + "rsa.network.alias_host": [ + "cididu3187.home" + ], + "rsa.threat.threat_category": "sequines", + "rsa.time.day": "19", + "rsa.time.month": "Sep", + "service.type": "snort", + "source.ip": [ + "10.14.46.141" + ], + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Oct 3 20:11:40 lorem: aliqua4025.www.localdomain: deFinibu@pitlab, Logout, Logout Success", + "event.outcome": "success", + "file.name": "lorem", + "fileset.name": "log", + "host.name": "aliqua4025.www.localdomain", + "input.type": "log", + "log.offset": 29957, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "aliqua4025.www.localdomain" + ], + "related.user": [ + "deFinibu" + ], + "rsa.internal.messageid": "SystemSettings", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.network.alias_host": [ + "aliqua4025.www.localdomain" + ], + "rsa.time.day": "3", + "rsa.time.month": "Oct", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "deFinibu" + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Oct 18 03:14:14 ntutlab: aecatcup citati1297.api.domain: emp@uptate, Policies > olupta", + "file.name": "ntutlab", + "fileset.name": "log", + "host.name": "citati1297.api.domain", + "input.type": "log", + "log.offset": 30047, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "citati1297.api.domain" + ], + "related.user": [ + "emp" + ], + "rsa.db.index": "olupta", + "rsa.internal.messageid": "SystemSettings", + "rsa.misc.category": "Policies", + "rsa.network.alias_host": [ + "citati1297.api.domain" + ], + "rsa.time.day": "18", + "rsa.time.month": "Oct", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "emp" + }, + { + "event.action": "eursi", + "event.code": "HMNOTIFY", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Nov 1 10:16:48 nreprehe2138.www5.domain : HMNOTIFY: eursi (Sensor aute): Severity:medium: success", + "fileset.name": "log", + "host.name": "nreprehe2138.www5.domain", + "input.type": "log", + "log.level": "medium", + "log.offset": 30134, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "nreprehe2138.www5.domain" + ], + "rsa.internal.messageid": "HMNOTIFY", + "rsa.misc.event_type": "eursi", + "rsa.misc.result": "success", + "rsa.misc.sensor": "aute", + "rsa.misc.severity": "medium", + "rsa.time.day": "1", + "rsa.time.month": "Nov", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "event.code": "SystemSettings", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Nov 15 17:19:22 pari: [ent] idolore6589.api.localdomain: ctobea@audanti, Logout, Logout Success", + "event.outcome": "success", + "file.name": "pari", + "fileset.name": "log", + "host.name": "idolore6589.api.localdomain", + "input.type": "log", + "log.offset": 30232, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "idolore6589.api.localdomain" + ], + "related.user": [ + "ctobea" + ], + "rsa.internal.messageid": "SystemSettings", + "rsa.investigations.ec_activity": "Logoff", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.network.alias_host": [ + "idolore6589.api.localdomain" + ], + "rsa.time.day": "15", + "rsa.time.month": "Nov", + "service.type": "snort", + "tags": [ + "snort.log", + "forwarded" + ], + "user.name": "ctobea" + }, + { + "destination.ip": [ + "10.118.103.185" + ], + "destination.nat.ip": "10.240.77.10", + "destination.nat.port": 2226, + "destination.port": 1333, + "event.code": "FTD_events", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Nov 30 2019 00:21:57 erunt3957.internal.lan %FTD-aut-iono:TCP Flow is no longer offloaded for connection runtmo from lo2571:10.118.103.185/1333 (10.240.77.10/2226) to lo5895:10.125.130.61/6154 (10.32.195.34/135)", + "fileset.name": "log", + "host.name": "erunt3957.internal.lan", + "input.type": "log", + "log.offset": 30328, + "observer.egress.interface.name": "lo2571", + "observer.ingress.interface.name": "lo5895", + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "erunt3957.internal.lan" + ], + "related.ip": [ + "10.118.103.185", + "10.32.195.34", + "10.240.77.10", + "10.125.130.61" + ], + "rsa.internal.event_desc": "TCP Flow is no longer offloaded for connection", + "rsa.internal.messageid": "FTD_events", + "rsa.internal.msg_id": "iono", + "rsa.misc.connection_id": "runtmo", + "rsa.network.alias_host": [ + "erunt3957.internal.lan" + ], + "rsa.network.dinterface": "lo2571", + "rsa.network.sinterface": "lo5895", + "rsa.time.day": "30", + "rsa.time.month": "Nov", + "service.type": "snort", + "source.ip": [ + "10.125.130.61" + ], + "source.nat.ip": "10.32.195.34", + "source.nat.port": 135, + "source.port": 6154, + "tags": [ + "snort.log", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.111.130.177" + ], + "event.code": "MALWARE", + "event.dataset": "snort.log", + "event.module": "snort", + "event.original": "Dec 14 07:24:31 ntNe7144.api.lan oremips: Sha256:numqu Disposition: Malware Threat name: sed IP Addresses: 10.111.130.177<<-10.188.88.133", + "fileset.name": "log", + "host.name": "ntNe7144.api.lan", + "input.type": "log", + "log.offset": 30540, + "observer.product": "IDS", + "observer.type": "IDS", + "observer.vendor": "Snort", + "related.hosts": [ + "ntNe7144.api.lan" + ], + "related.ip": [ + "10.111.130.177", + "10.188.88.133" + ], + "rsa.internal.messageid": "MALWARE", + "rsa.misc.checksum": "numqu", + "rsa.misc.disposition": "Malware", + "rsa.network.alias_host": [ + "ntNe7144.api.lan" + ], + "rsa.threat.threat_category": "sed", + "rsa.time.day": "14", + "rsa.time.month": "Dec", + "service.type": "snort", + "source.ip": [ + "10.188.88.133" + ], + "tags": [ + "snort.log", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc b/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc index 6b882920797..9b6620f4e77 100644 --- a/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc @@ -51,7 +51,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml index 91bbc2d960f..b0bed38d214 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml index 75670b6f441..01202648b26 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for Sonicwall-FW processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original @@ -49,6 +53,26 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' + - append: + field: related.hosts + value: '{{host.hostname}}' + allow_duplicates: false + if: ctx?.host?.hostname != null && ctx.host?.hostname != '' + - append: + field: related.hosts + value: '{{source.address}}' + allow_duplicates: false + if: ctx?.source?.address != null && ctx.source?.address != '' + - append: + field: related.hosts + value: '{{destination.address}}' + allow_duplicates: false + if: ctx?.destination?.address != null && ctx.destination?.address != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index 6892f63bb1c..5b84648b930 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -18,9 +18,13 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.hosts": [ + "nostrud4819.mail.test", + "oreetdol1714.internal.corp" + ], "related.ip": [ - "10.92.136.230", - "10.49.111.67" + "10.49.111.67", + "10.92.136.230" ], "rsa.internal.messageid": "914", "rsa.internal.msg": "lupt", @@ -81,9 +85,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ + "10.227.15.1", "10.149.203.46", - "10.150.156.22", - "10.227.15.1" + "10.150.156.22" ], "rsa.internal.event_desc": "ctetur", "rsa.internal.messageid": "1369", @@ -416,9 +420,12 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.hosts": [ + "fugi4637.www.lan" + ], "related.ip": [ - "10.30.196.102", - "10.241.178.107" + "10.241.178.107", + "10.30.196.102" ], "rsa.internal.messageid": "353", "rsa.internal.msg": "onproide", @@ -471,8 +478,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.157.161.103", - "10.78.151.178" + "10.78.151.178", + "10.157.161.103" ], "rsa.internal.event_desc": "taut", "rsa.internal.messageid": "24", @@ -504,8 +511,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.204.11.20", - "10.239.201.234" + "10.239.201.234", + "10.204.11.20" ], "rsa.internal.messageid": "87", "rsa.internal.msg": "Loremip", @@ -545,8 +552,8 @@ "observer.vendor": "Sonicwall", "related.ip": [ "10.34.161.166", - "10.219.116.137", - "10.245.200.97" + "10.245.200.97", + "10.219.116.137" ], "rsa.internal.event_desc": "rehend", "rsa.internal.messageid": "428", @@ -781,8 +788,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.237.163.139", - "10.135.187.104" + "10.135.187.104", + "10.237.163.139" ], "rsa.internal.messageid": "882", "rsa.internal.msg": "itatio", @@ -838,8 +845,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.60.129.15", - "10.248.101.25" + "10.248.101.25", + "10.60.129.15" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "ommodico", @@ -965,8 +972,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.126.34.82", - "10.14.1.45" + "10.14.1.45", + "10.126.34.82" ], "rsa.internal.messageid": "196", "rsa.internal.msg": "vita", @@ -999,8 +1006,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.251.20.13", - "10.101.74.44" + "10.101.74.44", + "10.251.20.13" ], "related.user": [ "rsitv" @@ -1173,8 +1180,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.54.14.189", - "10.216.125.252" + "10.216.125.252", + "10.54.14.189" ], "rsa.internal.messageid": "402", "rsa.internal.msg": "tvol", @@ -1207,6 +1214,10 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.hosts": [ + "tiaec5551.www.local", + "ise5905.www.local" + ], "related.ip": [ "10.97.124.211", "10.53.113.23" @@ -1304,8 +1315,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.108.249.60", - "10.76.110.144" + "10.76.110.144", + "10.108.249.60" ], "rsa.internal.messageid": "931", "rsa.internal.msg": "qua", @@ -1378,8 +1389,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.147.88.219", - "10.31.190.145" + "10.31.190.145", + "10.147.88.219" ], "related.user": [ "corpori" @@ -1421,8 +1432,8 @@ "observer.vendor": "Sonicwall", "related.ip": [ "10.108.84.24", - "10.113.100.237", - "10.251.248.228" + "10.251.248.228", + "10.113.100.237" ], "rsa.internal.event_desc": "volupt", "rsa.internal.messageid": "606", @@ -1635,8 +1646,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.104.49.142", - "10.102.166.19" + "10.102.166.19", + "10.104.49.142" ], "rsa.internal.messageid": "252", "rsa.internal.msg": "eprehend", @@ -1766,8 +1777,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.191.242.168", - "10.165.48.224" + "10.165.48.224", + "10.191.242.168" ], "rsa.internal.event_desc": "equep", "rsa.internal.messageid": "995", @@ -1820,8 +1831,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.116.173.79", - "10.185.37.32" + "10.185.37.32", + "10.116.173.79" ], "rsa.internal.messageid": "178", "rsa.internal.msg": "ende", @@ -1852,8 +1863,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.219.42.212", - "10.57.85.98" + "10.57.85.98", + "10.219.42.212" ], "rsa.internal.event_desc": "mquisno", "rsa.internal.messageid": "995", @@ -1906,8 +1917,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.195.223.82", - "10.135.70.159" + "10.135.70.159", + "10.195.223.82" ], "rsa.internal.messageid": "351", "rsa.internal.msg": "CSe", @@ -2057,8 +2068,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.12.54.142", - "10.56.10.84" + "10.56.10.84", + "10.12.54.142" ], "rsa.internal.messageid": "658", "rsa.internal.msg": "osquirat", @@ -2094,8 +2105,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.222.169.140", - "10.117.63.181" + "10.117.63.181", + "10.222.169.140" ], "rsa.internal.messageid": "195", "rsa.internal.msg": "magnaal", @@ -2176,8 +2187,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.57.255.4", - "10.200.122.184" + "10.200.122.184", + "10.57.255.4" ], "rsa.identity.user_sid_dst": "sBon", "rsa.internal.event_desc": "fic", @@ -2449,8 +2460,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.245.216.15", - "10.110.208.170" + "10.110.208.170", + "10.245.216.15" ], "rsa.internal.messageid": "931", "rsa.internal.msg": "aecatcup", @@ -2571,8 +2582,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.143.0.78", - "10.250.149.166" + "10.250.149.166", + "10.143.0.78" ], "rsa.internal.messageid": "713", "rsa.misc.action": [ diff --git a/x-pack/filebeat/module/sophos/_meta/config.yml b/x-pack/filebeat/module/sophos/_meta/config.yml new file mode 100644 index 00000000000..5388cbdfcbc --- /dev/null +++ b/x-pack/filebeat/module/sophos/_meta/config.yml @@ -0,0 +1,43 @@ +- module: sophos + xg: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9004. + #var.syslog_port: 9005 + + # firewall default hostname + #var.default_host_name: firewall.localgroup.local + + # known firewalls + #var.known_devices: + #- serial_number: "1234567890123457" + # hostname: "a.host.local" + #- serial_number: "1234234590678557" + # hostname: "b.host.local" + + + utm: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9533 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/sophos/_meta/docs.asciidoc b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc new file mode 100644 index 00000000000..58d9add8037 --- /dev/null +++ b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc @@ -0,0 +1,188 @@ +[role="xpack"] + +:modulename: sophos +:has-dashboards: false + +== Sophos module + +This is a module for Sophos Products, currently it accepts +logs in syslog format or from a file for the following devices: + +- `xg` fileset: supports Sophos XG SFOS logs. +- `utm` fileset: supports Sophos UTM logs. + +To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation]. + +The syslog format choosen should be `Default`. + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +This module has been tested against SFOS version 17.5.x and 18.0.x. +Versions above this are expected to work but have not been tested. + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: xg + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `xg` fileset settings + +The Sophos XG firewalls do not include hostname in either the syslog header or body, and the only unique identifier for each firewall is the related serial number. + +Below you will see an example configuration file, that sets the default hostname (if no serial number is included in the config file), and example on how to map serial numbers to a hostname + +[source,yaml] +---- +- module: sophos + xg: + enabled: true + var.input: udp + var.syslog_host: 0.0.0.0 + var.syslog_port: 9005 + var.default_host_name: firewall.localgroup.local + var.known_devices: + - serial_number: "1234567890123457" + hostname: "a.host.local" + - serial_number: "1234234590678557" + hostname: "b.host.local" +---- + +include::../include/var-paths.asciidoc[] + +*`var.input`*:: + +The input to use, can be either the value `tcp`, `udp` or `file`. + +*`var.syslog_host`*:: + +The interface to listen to all syslog traffic. Defaults to localhost. +Set to 0.0.0.0 to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to 9005. + +*`var.host_name`*:: + +Host name / Observer name, since SophosXG does not provide this in the syslog file. +Default to `firewall.localgroup.local` + + +[float] +==== SophosXG ECS fields + +This is a list of SophosXG fields that are mapped to ECS. + +[options="header"] +|============================================================== +| SophosXG Fields | ECS Fields | +| application | network.protocol | +| classification | rule.category | +| device_id | observer.serial_number | +| domainname | url.domain | +| dst_host | destination.address | +| dst_int | observer.egress.interface.name | +| dstzonetype | observer.egress.zone | +| dst_ip | destination.ip | +| destinationip | destination.ip | +| dst_mac | destination.mac | +| dstname | destination.address | +| dst_port | destination.port | +| dst_domainname | url.domain | +| duration | event.duration | +| filename | file.name | +| filetype | file.extension | +| file_size | file.size | +| file_path | file.directory | +| fw_rule_id | rule.id | +| from_email_address | source.user.email | +| httpstatus | http.response.status_code | +| in_interface | observer.ingress.interface.name| +| log_id | event.code | +| log_subtype | event.action | +| message | message | +| method | http.request.method | +| policy_type | rule.ruleset | +| protocol | network.transport | +| recv_bytes | destination.bytes | +| recv_pkts | destination.packets | +| referer | http.request.referrer | +| sent_bytes | source.bytes | +| sent_pkts | source.packets | +| sha1sum | file.hash.sha1 | +| srczonetype | observer.ingress.zone | +| src_ip | source.ip | +| src_domainname | url.domain | +| sourceip | source.ip | +| src_mac | source.mac | +| src_port | source.port | +| status_code | http.response.status_code | +| time_zone | event.timezone | +| to_email_address | destination.user.email | +| tran_dst_ip | destination.nat.ip | +| tran_dst_port | destination.nat.port | +| tran_src_ip | source.nat.ip | +| tran_src_port | source.nat.port | +| url | url.original | +| user_agent | user_agent.original | +| useragent | user_agent.original | +| user_gp | source.user.group | +| user_name | source.user.name | +| ws_protocol | http.version | +|============================================================== + +:has-dashboards!: + +:fileset_ex!: + +[float] +==== `utm` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "astarosg" device revision 123. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9533` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: diff --git a/x-pack/filebeat/module/sophos/_meta/fields.yml b/x-pack/filebeat/module/sophos/_meta/fields.yml new file mode 100644 index 00000000000..6e703a48600 --- /dev/null +++ b/x-pack/filebeat/module/sophos/_meta/fields.yml @@ -0,0 +1,5 @@ +- key: sophos + title: "sophos" + description: > + sophos Module + fields: diff --git a/x-pack/filebeat/module/sophos/fields.go b/x-pack/filebeat/module/sophos/fields.go new file mode 100644 index 00000000000..b8320ff3f9b --- /dev/null +++ b/x-pack/filebeat/module/sophos/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package sophos + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "sophos", asset.ModuleFieldsPri, AssetSophos); err != nil { + panic(err) + } +} + +// AssetSophos returns asset data. +// This is the base64 encoded gzipped contents of module/sophos. +func AssetSophos() string { + return "eJzsvd1yGzmWLnrfT4FTE3HK7nDJZVd1zWmfnjmhllRdOmO5NJLsmtjRERkgcpFECwmkASQp+qrfYd/OvFw/yQ78ZDJ/kCRFApQ8e/dETJRFcuHDArCwsH6/Q/eweoeUKOdC/Q4hTTWDd+gb94dvfodQDopIWmoq+Dv0r79DCPlvoyuRVwx+h9CUAsvVO/uZ+d93iOMC3iEOeink/QnlGuQUEzgxf2++hpBYgFxKquEd0rJqf6JXJbwz2JZC5q2/5zDFFdOZHfIdmmKmoPPxAGz9vw+4ACSmSM+hBoYaYGg5Bwn2My3xdEoJmmOFJgAciYkCuYD8ZDA/qfAjJjOToip3n0qfqethLWqOWWd646OPjR8aYj1IoWadv28eYXzBBqtyN6fKfA9RhSoFOdICEVzqyvNf4iUqQCk8M//GGhFRgDKTFubzHmmE3osZOgcicpDhiThatA9q3+nUdGEBXGdmapEJe8CJue9ZrizPieAauFbmfFCuNOa6hqGCGDUt9gGYY93/YIiOOkxmCIQ1Ws4pmSOMFChFBUdzqhXC6APo36jmoFS9+ieDrdFMVs1FxXLEYQESTaDZdyWWCtAVaGygYTSVomgN9eK9mKnX15jcg1YvB+TPqQSi2eoV0h43RjfghIXb4bwF8yTISAYLYHtwkgneP58dTp5DKYFg7ZHkMKUcciQ4s7A0njBABS7DqAo1y6IdmA1rfOXP+eX5G7TArPInnubANZ1SvzvhARONmJi59ZKDhbCzo4a83y32e2Y5Siw1JRXD0v7eL+zJ6M4YkN5rp4R2xoDy+E4ZXZLFcdfk7f9Zk81rYkZNsyCHHV8x+VtmJ9JflmeDboH3EXrJoUlQopIk0d17ONtSnf/DkCmNNRTA9XMEh6uc6oww3DvDzwQecC1XzxHY3OhUzxEY5fsBS6sx1ZLj+e60HPA+0iMt26YAecw31IheE3pntr5YmwUMmoEeMlASDntF9PSQAfUtr4hxLvZMK0fiIm9ZVYLsc+waTDMS+1CAg49mHzmGWl1x+rmCtRotm/n7P626j9ozwYm5HLAWz/1lOyJuFjStOGxz98wMQ6eU4PZ5fi9m6GIBXKNbK5xRxXOQ5gkiwQuqwdSn9AFypEAbIp0fd8dQ4w+WehEGtA9+sDSLMCD9qEUZWgLj25f225iDeT2CJ4/jwVyoRPpqe1/+IpRui0jW35EKeE75rP5QhbZNy4b09fCX7rPBBj8aZezl9eJHhPNcGlk5dtz7zB3MXouvlbmLn1Kz96f/fdlruJVeNvTlgjOkta1lOcJoRhfAGyPZ16sIGBbtZ79I+wLJn6Py93V4NEYNGqJcZRI+J1jrtvPQLrCd92RluXzhhkbX9iC98tZsjdHdqgRE8FCCTAAB1XOQ6OMl129+QkKin5nA+oe3aIKV3UW1g2xKZ5W0qt+Wee+j7n7F87Zu0HSPzwj2BfPrmUhlZtv0Oq5H/uoNDEIuscyTKXUtidaadpuTl9efOvoeRhIY7i8pQmqlNBT+EvWwDbU5uJ2qHPPMv4WkM8oxq3/T1Va28CGV/rUhMOLy+tNPARZ4+ANOHM6CBtGQyzFun/VGHSqO+94+c8A5yKP4rn+xQ6HL80O8pA5v21lqyeznK33WRjZGsuR2NlwrWpdrRcseFPN0OROMAdFCfo0C2HDvCWJuzJ6jChHHOsgN0o6i+l701Ra0gdHP8MVXkMlzUVULoWywWyE4mqwGi4aQhM8VKG0IKlqUbOXXyXzZCHoEmMyRojmgF98jPZcVevuHP7xES6yQAuDNKBs48SyU1x04oUrBFaRjBflqdgURFdeNTaEqJk7omaOsghTQCzwRC2gxg/JgZGUt3pSWgIvR80O+mm3zxKyCnFZ9PS0Go74JaY6NYYFOEdV/rd5+/+aPyon016UVoDXovw5m81fzHnyPVyDRW3TBCS5VxZxnxTwpHyXXQ9QPdH4EYitDo/zwFv2Lme4r9MMP6F8QEdLoy3YWftBX6P9m+v81X6QKdZnyTXAJucjh2b51+RIyghmbYHKfVgN24LjQ9thg7d4VhonA81JQru3TREM4wNlujgykFIni09b6oCqBUMwsYotUaSGNZs1XTuswHywwo7nbGCFQCE1FxXNzwzCw4CmfeeVoa/Bi90QMKMfwBfrjsMFtNLIKKyZw/lzuOQ8HKfoFUAFaUhJ4dfincPvL9i3srvtaCJtrH+u1Rium9bKdoF/E0izN8M1JORLSPMa0QPcA5RamPYsb7ythmhQElMoWNM/yVF7Xi1ryzICDxNoe8txwsPUuXFCpK8zMo71je+cBEwctqHl2W1+5ZYabhT/ql+dIGmmtrEHFMg3LGejma1s5oWSioKcn54SLhNvMCZnEFTQU/Jfnte31BgqhAd36/U4k2It2shoTlOZ/tSPmK3C8+JEyVTKaMrLhWT/nFR2o/c9CNzMyN+F+t6fO3AF+r9e7rn61+Cvkv4eH0YmXKWVP4KM3o5rH0fXZ6bXXfQnmhj20KIXsa7zIXpFfXRhE9TzMHx/dVWUf4vbpHjKldp/y1fon6we703Psy/wEvf3DT2hp+V4A5ggzFrYVWKO+VZPW9iO0BAmOLNaIAVYaCd5LF+ky8cnVxK+biYGzmsJt63n3m5C5ZZyNagIy54KJ2arviJtSOdBiEfoDInMsMdGOieZQryx+azTnqOI+pod1bOajGbWxE7qdoz6lE2GD79K+KAqjZApeuxEkXo7KNCtZe2olJlZjdT4K7m0OgpBK1hSVxjzHMkdcyAIz+iUU3ytkEeRP7qMc9maRqCaDK+lRTFqjbsC8ZnQKdsaBB74CIng+omCvlztTOqWdZcOEKCeiKBno4AYYNaJiq8BrSXtisJVvJvUTbeRbM3ZwO49t5e7OHN1+heB6HmmZ1vmpsWJe1lFO+RMx/oLnKdhuSH4RPHW1hQ1i0Yxeq5guvPauz+GBiEp2ok+RhgftDx9agFStdIp8UxxYYH0P3WwrwLGmuU7TI0LmkKe7B32Qjb+mVDNirWPUkTbNF9v+9eFtJUVxYqlWNilfEeBYUuHU+qJimn6nKUiEy5LV2S/rWjYF5ngWSs1FiFn3Tv1edKAcVoWo/lYhseTOM6ZxUfYtgx6xGc1AHJ4+rRCZU/O6ETmoE3RVKW2fSW2i5lRiPRKXizXsuUgbBdh0anAv4BiakF3kekDHOwlTkMCJ2xDYqNY5XdDcaDZ2P4QF2W0tyO56zAtP8qGk8mgzXK+n8wU9mJ1INVu5ySoj9Iy+ZkDZDbrZNhpx0UdNOK+MNG7k2clgyCacTFSxJVAxUOQOpdjwP/ZRsRrk5wqqo20ls7vdLlrLxyVWyILIR/aNBfcmNlMjKgUdhiaQabNCJ7h9Z0UKrGWWAGqZpdCey5iiqEv0bXSqCXSl1i3yNE/I3vMxeMcMrstH3Tn7is1tcm0fZ8H6guhVQ4htCMJkoMTHUKxVxVK7nUZeUaLSRBTw2mFoHi82KltMBzsEc8+CzgNyZIPAAiTVKVNHNkysHt0nAbY8O5tMPmmTFwe1A90t3WS6GGrW71QCoVO6fviEtVvnzBmrqeJ15fTRTIEFaEyMNF8nTNQmqtw7WYK4/bP5WIvwqftKb78EhUS/3vrQWKrqgIC+Xc2OX6/QWJakKoWiEQXHTnvLPqd57ipM2VD++uyOVuGpmM7SlS56pCjiVQGSksfKouDcjpDFtmFi7Uy25mQ4seTO92BqC+C5kD5gduPMxORvT1C9pnbtisnfgITf0QZY+lzwAbuNBN0MzEn6lLXqvhkeSJ/178WMt3LNcRNbzIVGGM19xYtwAC0Ts6wOVHkSoV5vxEcL9WPUTOnIvr/YcCtbtdqKj7DiLxglq9SnZ4NcuLYAfHFtzlYjcrliKeOmwwy8qRhYYGFxKriGh9QaawPokjt73boeKs5zZf6fvVQxqwGFCsBsuZzJHPMZZByWqWXBmOMSli1Xv1VCtJZ0UmloSYhhjL5y0I223r7+wqJDlTiasGs4x2iyspWbmGYfgv34Igemrb8FHrc2A8wwrC44qNYxX3IB8gTdgluUSoE8wTOwpbx9pPtUyBrDgHZNxuntxP4eud+36lYIiSZSLM1n9V+9rumeXaP1pC/zayx1bDNdQzi2RcWfKTHIDj3WmRIsb9TGVEdKlOAdiqnu4lOOMAOpm+giuR7U/825t7z4aBUBsEFIAYU5R1zw7ySUYF8ym6If7LPhmFcOqaQ0B6Z5r9iVtHrca+o8bLX7ZzCzJdVzryw7WY/O7YATm23CkeDfzYT57w03gVVSsoDimHDeuOUMfG0BGJBiiox00BTUCbpdy5R+Y4N2ZlUaxGcuna9S5hHjUkZdsE3uxa9nPEaEVUrXG9L/Y7BM9idUmZX0OdHevmEUX/vpuAp0dO3HnbDwi96VZUqnlH277eFlUJ5bFAgrJQi19lKzGsH3pF2w9/Qe3iGMyvlKUYIZyqm6f4VKaXuivEKgybdhRRlLvE/u5SMvepdnI3EBGqRCJVa2ipeyhRxcLQIiisJIMdFx2g9Ta0CTjeqeuw+eSuNrrWGCi8mJbyKKshqewQTLhtGS8lwsfTwtEZxAqV81kRSjzBhMc1oxtkKfK8yc8TMXBabcSw3eGoiJkaurbfWMpS5tmLpRCd9Tfg+5zwWqA9GxstYp/0Axn3zTQDuh+aaFY4OqEElFXbuzkzNL9AHU8H69fSpcv5be8opuh+V6GqczyIL2GzulNrH6MS1at/83a9o/RNa0p5SlP+PNlH+2ozXHWEJeEUC15wjC5jYFkmKWBW7TZJfIrR2yVpv792PrAjQ3zKhdAMi92qvkQAyLsR/dXHRzrObNCTVqYSDLsCJzF/lb59g0aYZnNaVeiTAzkWaYEyWJ+VXz72GmKTLynCNqY+4qThhgaf5kC+GtofkEQm/tlHVi53bvgxN+1bDO07O+sYgoJpQ3dbPbF5ZPG5WPuL0WVFbq2Ja+tjZiAYxb/I7jIA0ciTM3uqvJOG4pdS+45Kbxhn3Oynx5jj44SfPCF25ArtueT/o12F6G9WpngH4KW37L/Hx5blnqU94aMTG0HnQ9ci4M0E3hxG0iIwuWVIUfqQu1SlnLvuvV9QnaTl3YaMfm7vF9xF1jWH/WDIwuz7dqsrHsc1s0WQPsLc/XGu0JOnP5mb7eKXMfbNZmLUDZ/cabb7w5blLpJnNT6OYyqjgD5Tgj3IWyFGiBJcUTNsgCdEUZKEclwyOCQAFXSeujdBa0raq6kU+MpDIaRp1fSM06376+vO7r0MiXjHUWhbG87D0bCu6cC7n2tDiQ6JJrdEtnHFthMbJFSyFTFq/9diC/zCa9rnU3Yas62v80QFpn2e6yXAQ2zodf7xDlhFU5GHHmG9man5+gFxcPuCgZvEPXziDiyFrpfRK2i1jP3NF9m9Y4tb5awsioujcq9x64HpGK1zJjfvBXww1V9xtcrlrS2QxkuhZ2YZZ9avsCPAarnc4lqLlgudk97q0+0mm043o/gmVh6Hv3UvnFjdMxXjbFOC7Pw2kkO3vniSjK7MhxV3ZVfOyVbePq7Huqmnxn4Ahu81Ontt2MyCsy9krzaukTRY21kTfSUkhbecDI9RrfSJc4LPMllk8ToTesqm+kK/YXkZnESGnkF0aIYnSFSV1POazcGhF01HeM4N/VCqrcLIXcWzN6U2sJWEWPDVYa6yqW4tzYozBlT/bsMINPxAOi+evx+8vcrNUxEBpEHweFj91ZMCjCR7e+xxJ33xts8vNh3719rjPKRRXLx9nKI1Gz6GfKSNKYRoeBRfbHyIRTV2bsbIlTxozcQ6oiBJSaVgxdmPERETkosyXqYr/hlwXlOTxEZgCjSu+neR4oW+zA9ikmaxATkNa/WWBJmY3gCVjwnP+dzxC2TPzO/DY4M55gH4qJKy70RBqxHx29aOI5S5Cq9Em3TsIMWOZVhHVAfF3h6eVIkqEzcw3v49QBJU75aoK8vK3Kfdt8iClXKAeNKQsYGSai0q3fjUxNsKPHZtYWW9zEsVkc4xephqJkyaJ5TlEOU+xdQL7yZe3D99GaRitegGR4ZRO5tPCXK3oROJHmA/vq9r+GaZ0F7mz1SlNd2cKMKDix9dtgWLDp0OMa1YvVsu8QHBtpAllFRFGY85RmG5056oi2gn1LKRY0d/azuopcAWo0ECoXZH9H4+OtZT9TttYaSTsuL6waPJQ26OlpZH09elpZ/zcx2dPutPf0/n8x8Q6Y8OkqabrCuec2oNit/O31JbocKFRtGMmq1vrsks0IIiZ2Ndmws6gP6cfYw3xsdVi5dyIim4g8dcbXIOOur3R4LMhgGVGP5vGrJTiXwREyz1smYJ867AJoG38IndG8ceWMGPGK2K/GQRp4hJs/npLXzLusUl5TdXfv64+uek7tiLLBGg9AqrYVwYV+TSCU3lpXYdoUuHEEQ0jQKp53DSJNdiVeYMrw0JGBGlM4svmVU5BypNOCO0P72Prj+d38Y6XwBaCcA3YwJR9uoOjsZEQi0iKbVHm+im6foUUWNQ+oRbdSsF+h841WqvgUJRURqxz0UuwyVR0jIYGqdvSqq7mKq5zqJrNuXRfNIwo1tltnbDhRsnYvbJ6kixKLzcHF0V7lZ58u0AufK/GpYkZXnlBmEzhsHNjFQymU+eZL9N3Q0MD7Xph7Lpa88xBSQCpbzGLRpT7SaZPgI5jg+mGhZ3WW+wefmvQeZpis0MfR5xqjE4mfIinfD9xhMeWowJRPJS5gYzhGiaXt2pu+TkJHuby2w6IPInfB0euygK2oswAotEX7sqEChhGpXkjdunEfYIl+qbh9Sl6JHBh6Qfni5PevEBXkFZqY/wfm/2GO2UpRdfL7sH9RkzKbMjzonB9bh+pq+GfXyA5qbV1WTq7q5ldiurFQgxZJkbq/TjzOugyCAmk2chDQoogrd3vIPl39hiWgOxcA/Pvff7r67fTm4ve/dzG3CywxHd2TSyHvY6Ysbz1gv9UDtj1so0YwzGMrET5nJ26VkuY6wMRcF6sET5ipkMAVJTEFSMuUlABxEd8KEvAPxCKaLTEdNic+2Dpga5/HJmqOT+wUdVVNEh0KPcmVlrEz322+djKDWPsujXaP1jkf6Yyk+ya7rBuDDVQan2yyznvx+S6GxJSOGprqqSYzxO471WA1osA0++k9YaG8dz3BxxsuDHiv/98MR12rzK7z35Nssbxlo/dANoJ8ks1R+3E34RPiCEFbnZVtvUtf6CaivY6ys3UyX1qz22DnbvdM1yWr6TH8YTbpa4opM7yui7lce5lxed7ObbOVuMxzUMMsUMJgPKqwjrnOjIq4x3z2Cby24dY+++hMFEXF+5aoATq+X+GmQ9F9gAf9Fwjr1A02tZ9mfSi2W8zzP4uw12yNTWNN95EMB6MbDtwBpypVUkJFtCjRY73gLfollnzodHju0BUvykykEsa3H66u0a/OjroOSg0D+XzUUILbf3+PPlcgR2q3VoxnEvqVOtMGN7QMoit0UyedBcO6Gi2dRLxI20RF7DYChmi5l+FoG1UdcI4dTDeP36ABMyyLBKtlyCYwL+AyYgJyQ7TKo3Wl7dCMW+2qQzrHuq8VHkp3ApzMCyxjpZU0dFclHrQvPtj7hMkgnCoKzWwefS8QmMZNoGoIT2e21FICsmLytwRUSxy9E4arOBV9e1mne0ZjXzi+clsBRvWMDppnmNjGKPHTTwxtxSM+3luEJ7Ny8SN/0PPo9zvhGdEyy1XUuust6obyfp6nHQgvGI4uMXgGfEZ5xKTIIekUsdE8m2ZqSTWJLj94NmViqXARP3alTZvrRTrqCbwuhGeUpxQnlJcgi8kqWsD7gHZJ7tMQX2CWYq/QMiul0CKL75Ky1Bc/ZtbiGJ82S3Y2mZhleQpmG8Lx498Izwr8kGkdy2zQJWx2NIMEl0JBeSLQlKcDXTKVsQnLYrtFO7S/T0g8emXwFu3YtRDbtGNn9bZp/yEh7Z8S0v7nhLT/n4S0/5iGthYlwxNIIVIa6vGfZzwrKmaV78kqwT1ZEy/vE+glRcXorCjTaN9Gy8RsFjsIyVOmKZQSBZ9JfNsIz5QLSEywgkqSNK9JQzjNa1KtVFUm6EVKeJNWneSpqoU2Tw94SCBCtNDmYZaKtn3WJCFecfrAMRcKSIJNuPjJcCXRpbD4SZR6DjhPYFYTRZkRlsCGbQgncJJYunKy0vHNooaySkK5rLIEPg0iqaYEswQJRCrDM+BkFTHqqk2bY7b6AvkkBe5FZsuAJqHsysGkQe0Ca5NQn8zKxU9pbNAqm1D9xySFxojK4vaK6xGWIrqoVkmOuaUKRMbPclPOxh+t11aLMOi5s/PHN4444lbtS0LcVZOPV0GuRXtKGaR4w6hsmmIR6TRmcnaXcArdQGW0tEGKWRJRR8vFj7nS5aCYfyTaSpIktBmdQopnjLKG5gJyGi1htEub8jS7pBB5xUARkYLbnjidJZBNolRLrKP2/G9RD0WQRyEsYUaVlji+JWRNO4HGJ6FMxWqZjNfKViKXieSri8x3WzwBdS0BFwkUSZcKlAp2OuV6ORdUZa7DbHzqKyxxkg2ejyTCxqC8cP3tY9OlSmMevc9xrvSkkrGaBdZUwfUKSkG1io41vh5d5yTHJms7N0zjN7vet9LAJpoznOexzwDNY7tV69JBCe4iWmREClEkqUpkCCd4ptEiSxMc6SsepWBzeR+9PFOp4pcspaUqJY1MlGFNdRU9+oxRDvFK7KypqqgddRq6Nvk2vlmLCVf1NJsyEf06b4gnCPk3b97oUscQTSBxzBs6AdTosQlMzJJsXT5LcoBLIWMLsGJSzVIcs4IqkkIsFCrJhk3RB4KDtsWVotONLsNdAejYEX+OauxwPL5cxn6BJMkoE64BdPSXqIivGQlJZ1mgH9fBdJccZPw7q8xcU97oZKN2pl6TdS1ek2yyBImbvidObGHgycaWBmXmDEnR4WKlzIcZmcfK8x+QhoeSRncElCCLmcRcD2ruxqC8TEI4/tXrKpF9/NjrAhqBsBSzDKsyYsOANmmJY1OVgFkK/U4CsXxwVUcTEY/PZEM5bgnXFmUh8wSI4xsyVQLbsHK24QTxAApiBwK4hscJHicKPsffAKECrdGoJnhKKTpLIHhVGdvKpiRJcQ4kyaMr0kqSUFXcCIR1vBZbbZqVil5Vc0F47ESJYLfYQ4m6Ip2xp69nOv62ckTje/Sanp6x6a7K6NVaq3ySJA69kizBXVgpkFlOY2e9J2lbUXuGUrBBE6VxEdsavMgoVxpPE2gGCyp1CjV8UfIEpZu0kBWPaWYNlUULVBQ9rbRANxVHg6Gb6JGEzfI+YUZzdCYhpxqdYZn7aobKln8Pw3GdsxJyaaxDqCVjm+gjW9+ACIZCqTpNPATl6Th3UZRMrGDQWHAr/6aiilbUe8c9ZnjobEa235mEGTygAvcLLax9sXxW9ZuBJAfJqLLNGerR/dLbAkpIVWUppEbDwqMILedYI6pRKWE6thUOCMt9TBOKEOP9q6OBgCj3ld1H6kIzylN35G9BNaO1cSqkxQz0HOTJ+vtqLqrBjYYQhwXIph2RFqjEUgG6Ao1tR3B3VnHDghfvxUy9vnZpry/RuW/x9QrpeaBLkS0GfAO+9bGFzdEH0L9RzUGF13m4qZMwb2pbdjenyA7uJqsASzI/oZwG8dmeu0eor90Tn7YXhg2GeM1wxW2v31ll+7jWRdzDBdx79do3zCl9Oe5mTk0Rbt+/eOSxbxYii5jTtFvlVTssuoMHbU/FmLngGN2oRwTSunHdB9uhmrORjpe2em7CduC2fq4CjSR8rkDpDUW7949WfnytfKcy2LY8blQnsfsWqSbutGtO2YTJIbK+sc7fbYV29S4485i9/7f3NzSDXZ7XQsGOHd4b9tUQL4j3kVvYXC4TrAC5cO0GDRqcqmaV/C+eBi9vWsE3yIV05euDbEQIK6QAbLszvLlflcRcYXKE9r6DCtNuaG7V3vWmIZW0HdA2gS5BFtSpG8cCvR7SNeagC8pgBojBAhjCStEZdwu37tcf3vq2JPMTym87/oadPnmSTs8GWcXp5wr6bRJx+PC18O5XMXG/Lii1RkNzdyCJ4BxsbAVaUj0fExQIBTJDGo1dwl7pRY9+Whh2WnnSXFFMzCjBDBkEI08fi+Jp0dmhRto0Ph3vyvlKheG1wtmWohfVGvuCx4xilc1F8jeBe8Q1zzXbS2Xd1MhIxXYLnnA9AOQOjUFr7zTfiIUwwPLklClhHuKd83ZuneXoF/+LE3TKV82/BtS1fcsrrhHOT4goykqDDIvhJGZ8M7F0z7Nv+mtheyx2FoTqv1Zvv3/zR/P2PW8tR82xb4Kw/T7N4nrMdjXc4BVI9M+NTU699jAsuPCpj53/k37P8zXmzq7fuB57Bi9vk23f9hummHFO0Idf7y7M3EGCM55Ye2lOFZFQYk5WRqv06hnrx4Igy6FX6O7qHbrk+oe3r9Dlh/OL/3iHPl5y/dOP6MVyvkIcqJ6DRGQulG+VJqQEou233vz0//1fL78NcgT0PKGM6/PDytSTAofb8ajEu++Rx/zW7cXLGlT4iOfPC3RbNm1BvmfBuJ0v+BDenmK6fp18olJXmKH3px+CYL8IDulsWfvtjP8hOJyEeWvgfjUi1E5ku/C0S/Ac7+AN6zDDGpb4CVqk2919jU7zXFo7rdvlITjN1UuKcl8/56G+kMuzq2t3K426xwqsjuj96BiVnKbq7250eW2gjFi/DA/37AQRhYdm7HEe1ppY5rprHVdAtODiPKfmy5itHbatXv7he+6IG8A8Ce0BF/6En3e3wADKOtY6iV6365WG0QeP8FpI3YjkgdDNrYPNLgDVq+2SVx2Z924+lM/qy6Se1tUY4zmE3o3HsuJ6dPbli5UShBqV09mNBjoOMnJZYj6Dk+bpRASf0lklIUeTlaUJPLdRQ2E5U+5ZemCQNDqiLQcHnSaod8Ai6v7tFK7oBgAJhdCQ+cju+HFG8Vmbc5XhzIXiJyBdapmG+DTBlpgmyBZmKY5DqvonZQKm4jyrLXHp1PL+C97M46Q/WtuY8AQa7IWeg+Sg0d2qhFfoY32NvbcGsB/QdW0AG9wEv45panWrniMoEyNP4xq0t4u/QpixoDJRrr9oA9ywtIF5C5DmDqRcC6S0vcwpRx8vRwUKsQGyyeRVdJFtiIoyQds3Q1iCih3Ra8gmSHFxN2LsUHRrb0+A1rVWyBjwWfROkRazUT4SaqEjGqhTeTBrOWA4IjacYIow+lnIJZb5sE83QqczG+wlETYn/sHG0k1ALwF4WPWMXDXxsT5uoTFru+ocGGRLxtvIiMEMKfdxrjYsoaDaiCXfYiM8xQXD/Bh+/B0MlHWASMtEOZhg12S59qQszAt2Zh+w3ZsntqcSiK1CsIhXD243jz2WmpKKYYlsvWhUg3hx8fDuvZiJ6TTc/R1IpueQfHk7YO/MgO40tnBfGNwG7mml58C1DxYfha2qmJUTdgvocUOOQ/+oQI4CFpUm4ric9kOOA76tCAGlRjDbyuP7FUfbL/DE4kJGxZ0JuUKBxIQBtmMIpw5G6GE0Usk6+FQpuLlXjNwKKYfND9FAUerOahGvHt3IvYmRq1pqcwYYhbyZj7fD9PRhypGiugrIT2STC8CLaE91jhXCuSjN7aLnQCUSS75eMsc4jR8EF8VIXK3tyaGoK1F/XCXCKPeU50b+CKkaBmD0M2WATj2wkwEbdjH28mZi7kyOBow383+ScIVRFtz6qIW4XAjNMcCImPnuBzDCxevd+nyN2JwYDwidiJTZA4HJT2COF1RUVrskoiilKOhIhCIcG9wFxxNmk8im6GwzNsoXjdhJCLKPsKN1oiCADsKozWX2ABgYv8GXenVbt+z6vI1uu3WaZcV1P50ttkaf2zTwjOzzrN9JC7L38Qw4SErqKVmG2EC/fmgB1XN71YZ6uyEP9oS8OVFajjs/6zntU3bryeb0dvOcvHrhxko4r+DTtHmEa1qAMnLdaXsSShh1IvlViFYUYutC2MKDBy6D3HFr7VO7+8m21g+7zelNpqI1Od15at5gvG2Gg7nZGa8Fwg7C4Oud3duts5NHXTt30KLMTW5fuWi1VI8jQLbI8UaAfL3b8YftSxartcFxlmw3+SiPKkFinrEd5MdRt2PMuQ02Y6PU2xS0np06euZOpedZAXounsBLgjuWZORg+K+NLritpSRFUqvTBq/OjWDeXmuAbNiXiSwh/3Hyh++/Ry/en59ev0TnVGnKZxVVc8htKnwQCxMzkbwu0CZPmI2WnTocfpntF0cixqRIbFXclP9pVjWEoDkx1iIfrenzY44LsWH/Td5vy/BnMYV8ppiHyqSvI8Uwi1WdrjeRG5zTSrkRkJBI0YIyLJ14MmLTnCFi7/VwepU954rmx6w00o6U/2g2Qm1F7NXFXB/ydHkWp3zTWbduDZ9p2LL/eiOR/WSwF7zhBlppGXnYlClkysCAgcvGslrIGeb0y4aoap5uK+zK7D043d5TI+yeUhnMJU1U9ednM5y9LVyJL1e7qBPV/AtgpucES0ClhFwUlONgwl1LPF1jTYFrtTU8nuFjzvY9ftLJutKPUCbauObofGsEV4mltsWQ1lPdLFaPWOzIC5tdJOoUcpBYQ55FCyrbsD+M8Pm5HrFxnl1LsaB5UzzMfw+XJfOa6mBj+OI/5lrr6rRhBWc9SZofaZbNkL7Wn16NTDPYPNRGTi6o857P+4r7SAm4RumM2RT8sZonPFidqfWjVib0LDBRp6NajRUrpLSQTuIbagVobEf71n7rxHzr2/DsC5rnDI4n5a7seLvKucDytuTeXnKubo9xnOle+9FaFYb4qvbOvkIlw2bJzP0sJAJO5Kocs/LbUMgjvCd3iKCTzdvyF6E0usJkTvnIky7HiSTHN31ef+Q20r+UYMSH0Y9ckTN1gt7nuESf7D+cfpQL7vJO/zq8PNEcL8BoTgywRJ8rkCtkaxCqUnAFtUYVTk41883sb44jL30NPGIoS1pXgeRu+q4u3zjOekpHgLreQDe+OOquSG2Xp7QGs/4er0tLd4oYmbehv3ipQrLiPPiOVa+am8d5nl0ZqZEcO08x8y/M9AuB0ZLyXCwVUiUQOqXEfPIqlCfo42SHB8RMz+Fdx9ygF7YiLHCyvoas6/Jli1uo4vYefw8zTFboo+oWvm08sEU/kTZ6dK0Z4QgP9pHbvv3UslBsrprdZOZGHHC8qQMQyP7vZJradJ4h+7rTTq9Qj1Xndep1YMZ2hsGN5n+zx2SPE9c7NlUf4etN77Wsu7BTH68COpzNcQx2jcOguzbrgEy3DIMVChek2J78bNMGYrYEHM1ws1POYUq5t9Vb4WSr+hW4HCk6aNHtlSiWCNvaANNT/2ILxsZmm3ruvpbSSG3KxoatNSbz4sgl8NejWoajweuovRxJmrxMKI/XQSzq2TBTtkmFaS/PgJBqp+3YZXFltNfp/YGunQPUae++LahLLOs9Zf78aj2V5ZwOSqkjczrMW9YFv+80PR29Z4krayHkKt2C/0mVmP/r1ooxNZBuFfVaPQ9dTYYtf3ptqW+Z25OpRINZ1fXWN89qdBdkwLUU5T6iIxfVZGBc2GmP+zHNaxu2pCNYjC6747jn8EwUJear5jzaY2fb6bv3ygKkuYYyyqcirBRgdZ86R2iL/Oi9ImtkS0hbFX36OVWMwM8VYyv07xVmdEohR+c279kZB4NQljDJiBD39Imc7r/BBLnx1+9nzMa0+ejVZtfu8LLSVuXes4Xp9rN+0wzhu+x4c7SzyZ+gu1Xppr62HBjmuBUcXzwJ0yxqMdkebIPBGSLktypUtrYP5himuka57KJzlsVSyNrab13MN+9HlrxVKyfydqp5UabtQ7SBFWbkrZb7GqYUIpEm0gVlxjHrgUqsw6ZJwjOsYnr7W4SlT6ePTLmSLOIyt6hGXJXmMZpVMpY1pEVTgczwLN6bck06+vXUJR01/LFL2u/6BIIFHjRwq1rFf5wY+tF2c6PozSX0QmVia1RuiGPkEnZk7p0d1qpXr/1/n3kIr/1/+LimkNkfM5Dh6Dw/nSf0nrvJtJ3n1uLaarU2mE7uG6KZJxXlU5ByxO86nPdR5tVW/LeyPmiePQLIui7xtLUMgSNl3doi6ZEKDHG07Xfh/PZm293ZCGLZ/tO/wTBAa7zhJy3nII9jjzA6u494enFmWz++RGd2/DA0kPpIxVJG+HwG0jf/hE4U5obivJDUddxiZGvBzaDfqlal6I0rTb/sa5V8fGmU8GqjW/olbK2h94lkyuW/XSAOM6GpW8ByjtVIByhFjl1WqLWUbvDx5oJmqZN1gBoEuPT2WF04vc6/CQekKDo7RkZFt75R0/XwbrTRspEmVKkqutJpKdtgqXTWusN8KBYhSJnUBjpYlLb0vDCDo1vrnN4knY4SIdFUBvde5Be3NrRz82XUkp77gXy89NyAcVyEKsWyRcobve9S9YbsIJg8M1sPV9HLNKpUhOk9+Bd1ouIG36zblbQvJCtbf0TK+uuERJe3p/92dY2uzT2FfuUj3VfWaBNlUu+D9m4pwmitGCJzIPdqLyPybkI4bQ2yUNO5pl5nUyLMhoH6FoRrKbhBywVJB0Uhn0DJdTiaqiCjjwaLWWNdHa3DZxvlAjOau40YANEXhEerar1JEFqO3cNK9cV2pJ1fB5BGpj3XulQZtT1ok5C2S5mCIQQ/g9NEZ7zOfBGS6tWWE0VEUSStE7cjbofDG4TCKfhLKoH1X5qxTSxLhnmm1FM1vDUjOxn+m59tnaMVROtSjbNS0GOEVYcAOwTIIrCgwq8By1Yyx5wPCmekLjflR7VARny2Ryrb3Fwsvufhb+9PP/h773Vv+OZC0UL2bf/Ra7ZRdZ8tBKtSMeC07uPMfZ+bpjN23c634lQr9MKBUC9ttQ6b2Ft31O2RRxZ0cDasSiTN3nusHznVPlzgpJt0sABpIwWmFUNEcAKlNg/lW7eGI+UVlsuU0tcx3jzY6xbaBmgppEbC8PeXP5+GQnCDbI+974ScHT/Asp9g0DGxTrArdhIsFPOXi1+vL6/RFX4oKM+btt7hZTVzO3oYZqeJ4si0/DQGs9s0rUZ9CqcsRg/PdlmO2fR4CZtPnYRfTzm52tExlnmpfHnuq/R6FBsRsuMtyhPXCqhnXPy3zxtuEnN4PtQkY59uay8xT+gnim707artK75x6hYuufcVUlUgRB0r9CelpeCzf50wTO4ZVRryP732f3vVfEr5FEj4oymVsMQsqMjgCWv9BmGeIyXQyLaUMKNKy5V52R9TWJRYz32x/gYD6mMYgLRGqWPBdInQLl+LCNmqQt7okw1y4LoVk9Ko26Kci/YjIbzDOzjaYffDjV9TfpjtdHLMmw8reIcmoLvWhBymuGI6s0O8Q1PMeinNo6DM/65EXjGwAqTEUrkOmWauDzOkVoqJ2cnWE9x6MUCgyv7mpduCz32hQ3Vs7KHkaAJ+Qx9tHfbcyIEXq9Vq9V1RfJfnL9eZqK4ssSBWZuTbkGlaQKB99sF8uaMFoBfz+buieKfU3vAce0Pv3IMRXokc2s2V1s2PdwQ10HsOhnTbtSo/BhMTswSAPjpl681bROZYYqJBKtd1+cX3b8z/vXm5C7CAl/vwDeYrArr9BCezE1RfV+5vuwAjoigFHwacHozurCZcF6egEy/JmJjNjCSziH+uEcuK7bTEqpqkYOZtNXEFa2qGbsMyn2TuYRUbyS+ApZ4A1n2PxQiQUlJrMY5/FBdgLdEMFsDsWZR4OqVkG6Cgt+fwg8g0Layp3JJv4UH/+Pv/RKeMiaV5Lkt0DpzuIFcrGa5DNWq63OVSqiSeUNtku4XvhQIieK62SorpMjPHYFyMjRVc2gqsOWY3Rp+4PHdZndb+5ZsjeTvDjmtsA9VT3ElDwpsQDDWxCBD+Yog6o6cWnlFNVdMJmJ2x9VDSQWWhg2Fdcu26zp7WtntGycqs5X5LSEuVORoJ9tvl9e3BAD24FNL+2kGzAr8G5x9JO4LDZTmlTINMx8PTdbE89LMdq2bpfvxsFd/LOti/IuCxN0Ib6i5Sp83DFOLvEDyy71uJgOeGqnuvALQdQGO1HHdAqYHMuWBiFl1huWsoN7kJ+0EcyX2JurhUGb1YsIWrEaGaqFQhkVpxMpeC0y+QP3IONc3Js+NuRlVGmKiiv9B6XD3rjDF29/FsrPN+nHvaELaPHcqJKGzJTyfrXtlnzyt0LaRGp9twikofC6io9EyMAf3zVp1fkoyOqTyBD7aC+7XucO09Y5fX66pcu79EJMkK3HfnHcy4Prar07M9wdlCdXKVBbrKR3iA542h3I/T1WfXnN1Rqc2VTrTIbdfuXittoD0pM3sz2JGjpRRaEDF0Lxyq33q6bUPa7ruyFIOkwoN1wv6ZcbEMU3R3dm09Jx/Prx+z1kkhttfyAJyUFGWS18vl2dV1Y6xy/3gEohTHw4Ig/ow8BpECrrPyflBK4DAzzJ3QHSOyL1dgR9uGSAIBuoD8eKjqEXfi1WSlB21T4sKyI+zKqsXRAO3KJVcg0Yix0JW0/111Z+gym1Y1VElCCtTuQFMIsyFcK8n2Bxr98m8hHLn+DwObmKuDS2IftEqSL4JDSu+QX30zTK3Svz/9sCOw2KA++MIBLVA73PapWdReyjafftvOJ48uFZ/6yLbCoTLL6aDrx+GcurZ3lS9MQQU/QddCOZeeC99494+//6eQs3/8/b9eoX/8/T8llGxV/+Mff/+vbcCJ4LzrdouE/MI523mjqlOFmJghqlxd4U7j4g3gEth3vWu5CfH1vcA5B7KLTWWRCNZZgwCtM/oKrDTIR6CjeXks78KBrqwW0hQW3RZW61KiJ3Ay+OOBU2ish/EDINbp8q1mQ1thFGqo9x3qjm6AFKBUpzr/2LFlWCmXqJTAc7DGMzLOmNJcMchS+eyvPV37DGv22DZIJcN6KmQ/z/ZwNJ5uU4PH7eaTrQuXyP5uOLI2tNejbIXjivk+F+bYWzJ+nNPp3bW9K0HvcNChzKoqPoYLH8iMPn7cjsEVdErig7u7DlEfE3pWlX1+tu+W6vhMbbZMzCi36cgpVtBSRx3qm05UiveFgeGC8zrUx2A8AKms/3FQ0zMWlnqEbtXQETx4kVItusJsiSUgRbBrvxNRHZpKUWSunwwOVLmKgP4WeA6y25Fkq8ASaTHdgBFDYOTno3CFy6YdLswthj7xEQzmu4F6Bwc/FAZ0x95SVMaPWLREd4ri+PnuOlBO9mAAP99d2xrBtt6kO1MO0xIrlIslZwLn25+/Bl3z8I+N8bwmbC4OA9ga8KYg36GPpcFnIzo91q0HnzJIsY1u6Zdee4851rajELa1tbrbZwO4FJL9Gut5B5zHZYTqzsBSiPif6/40CCslCLVm0yXV83UWxFZouiSiKDCPrmuareZJ+1yjOfDW8ZiKim/dbwnObITz6uqwp1hR3wPhQHyfKywx1/2unBHw2aNgVrTe0p1zsR53u6tNkiwdG7324AbY6YLIlU6I58a51h6FSAJW8W+DG0sVLecrn7BIhMzd9gJtczRtQ+ESF68LzCihYrt4C5cPjwC1S3ZsJ5W4CHRHigDgtsQFOt3JGGvUoPjP9R7Vrac9S7Nn/r0ZoL8px5bEJpAkiYO4dbkpHdIjKMQCpKQ5ZFrch/pLHhii5qmjLvURLEQ8Q/9GwyBfE+tL/DPccCkwxNgrzqin7kBHP1F3a9ot18vpJ/tI3moYrKy6nNkuVimsGV4dd/rvDvaMNp4Ut1Ybzy431lzrsm4qveHs7xezUsc+/XJ3d40GravHOGRTmJ4kf2lnG3zSzNWmCKbtveyhLmGiqAY0xYxtD0n1Wme6bV+/PXff+PBAwBKMbVF4T5VuglBtbVQzFqtyl0OwhElr7O0rLLhOZPis19dFy9phdpb2KURFI+d3Sqkhmi6oXqUA8htMmlQoP4yzJRRYk7nRbnmOCHYFUOZQf1fatvRbV7R7GNI8ANuHYSf3yBy/GZbwPVzR+uX0DarrA9dbjWoo0ARsHU2O2erL9odeAdaVnKBwwJWjvIM3zahE8cfvhHHsyIZEPNgqMF3r95R26Nvd7ND24KQw0llb2C5el1zpYB+9w49uy1133h1hEzNSmFMtM253MMu3lO0EJ7Srbm/D4tWSBDdCh+ymtUhlpN1Fjvv2+VkpYUofEggroySg6y71sTuFakiWpHlrdM+zPvEtXFHVNBVXHjS67VIfkxzUbmUs0zhszxvyNjp1Fy0qvq3HRXPuZvRKEVjwcYdwgnpPWJUu1Za46hAf3RGpnXZbd0Gl5xlhg/KUETCcVnqOzrqkN6EogMwxpyq6KmqBDKlvUPYc71Ic0rMw9REsrm8vB70UMnrlgDDxESRMEMxmWMMSRxfo70O0N+FIxJD3Idpbd0mK5/lZmPoIFsHyULuKCDh+HVIewcBhmQjDhyHlEQy0TBS4czkgPLYrrLTL6irfqQKJnFBtionvGkfk0Y11N4sFy9DfzUOJl1mOdb+5x+GOP7xEHboj418l8C9d7eBY8k1lU9Rm7BMeQ6Cx1JqOboH9Cn7eDqhuvNbiJiveWJqoVYF9ZHADUGk8aCd92NyHVEeGv12p92KW3V7cfLq4yT6cXl1E3wV2BORGQJ0RRjBNMLmvyqxIcB7+bEmjYpdjEWpDfDg3ulRHj6RcxH+M3Hapjoxt5GXskX9p0xw9hc4JtkEO7OdquwkRHtWjAg3vD55+j+rI2J8rkCs1bGMZAUCI9AgKeNAy+hXYJToy8vUv17cXt7cty1qk0YeEN91DWZqLCO2y/VxmQezxnRFkt5swT2A3vbk438FeOpGYk3kSTfDPlvROZqiqNDzOo+oCQ5pjL4acQUbKamTsKROD/pM7DG+oon/6p62bf6U0FPGHd3S38l2BfMKxo8cydWiOjctp9Ju2Q3NM5RQas6yAYtwavn/BC1uL5apLewTHVEJ0V1GH5tj8JeaqoFpDbhtXR38QtwZAvRFGBa8rVpMGT039kWDuJzRyRaMGSJf09nWKD6W9Ro9Fk0tRpkPTpb5ljeJDadZoJxxEMEbVhtilfcPjBmTH7sxU1S6HhEcQnAk+pbPN1eH3vL/CpEdwoBsohRw9JntCGFAdGb0pbxB3+CHZkfHvYNSEsufQHYob1Jbo4rpLdExdG/auPXjgDs2RcePXqcdbuewsxSqzBWxSTNwP0HKjOF78rwAAAP//MgoL8g==" +} diff --git a/x-pack/filebeat/module/sophos/module.yml b/x-pack/filebeat/module/sophos/module.yml new file mode 100644 index 00000000000..73b314ff7c7 --- /dev/null +++ b/x-pack/filebeat/module/sophos/module.yml @@ -0,0 +1 @@ +--- \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/utm/_meta/fields.yml b/x-pack/filebeat/module/sophos/utm/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/sophos/utm/_meta/fields.yml @@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. + - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. + - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num + overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. + - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. + - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. + - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. + - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/sophos/utm/config/input.yml b/x-pack/filebeat/module/sophos/utm/config/input.yml new file mode 100644 index 00000000000..865b6e27119 --- /dev/null +++ b/x-pack/filebeat/module/sophos/utm/config/input.yml @@ -0,0 +1,45 @@ +{{ if eq .input "file" }} + +type: log +paths: + {{ range $i, $path := .paths }} +- {{$path}} + {{ end }} +exclude_files: [".gz$"] + +{{ else }} + +type: {{.input}} +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +fields_under_root: true +fields: + observer: + vendor: "Sophos" + product: "UTM" + type: "Firewall" + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{.rsa_fields}} + tz_offset: {{.tz_offset}} + keep_raw: {{.keep_raw_fields}} + debug: {{.debug}} + files: + - ${path.home}/module/sophos/utm/config/liblogparser.js + - ${path.home}/module/sophos/utm/config/pipeline.js +{{ if .community_id }} +- community_id: ~ +{{ end }} +- add_fields: + target: '' + fields: + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/sophos/utm/config/liblogparser.js b/x-pack/filebeat/module/sophos/utm/config/liblogparser.js new file mode 100644 index 00000000000..6cdb48abb26 --- /dev/null +++ b/x-pack/filebeat/module/sophos/utm/config/liblogparser.js @@ -0,0 +1,2510 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; +} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], +}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. +function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). +var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{messageid}[%{process_id}]: %{payload}", processor_chain([ + setc("header_id","0001"), +])); + +var hdr2 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hostname,true), Constant(' '), Field(messageid,false), Constant('['), Field(process_id,false), Constant(']: '), Field(payload,false)}" +match("HEADER#1:0002", "message", "%{hfld1->} %{hostname->} %{messageid}[%{process_id}]: %{payload}", processor_chain([ + setc("header_id","0002"), +])); + +var hdr3 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hostname,true), Constant(' reverseproxy: '), Field(payload,false)}" +match("HEADER#2:0003", "message", "%{hfld1->} %{hostname->} reverseproxy: %{payload}", processor_chain([ + setc("header_id","0003"), + setc("messageid","reverseproxy"), +])); + +var hdr4 = // "Pattern{Field(hfld1,true), Constant(' '), Field(hostname,true), Constant(' '), Field(messageid,false), Constant(': '), Field(payload,false)}" +match("HEADER#3:0005", "message", "%{hfld1->} %{hostname->} %{messageid}: %{payload}", processor_chain([ + setc("header_id","0005"), +])); + +var hdr5 = // "Pattern{Field(hfld1,true), Constant(' '), Field(id,false), Constant('['), Field(process_id,false), Constant(']: '), Field(payload,false)}" +match("HEADER#4:0004", "message", "%{hfld1->} %{id}[%{process_id}]: %{payload}", processor_chain([ + setc("header_id","0004"), + setc("messageid","astarosg_TVM"), +])); + +var hdr6 = // "Pattern{Constant('device="'), Field(product,false), Constant('" date='), Field(hdate,true), Constant(' time='), Field(htime,true), Constant(' timezone="'), Field(timezone,false), Constant('" device_name="'), Field(device,false), Constant('" device_id='), Field(hardware_id,true), Constant(' log_id='), Field(id,true), Constant(' '), Field(payload,false)}" +match("HEADER#5:0006", "message", "device=\"%{product}\" date=%{hdate->} time=%{htime->} timezone=\"%{timezone}\" device_name=\"%{device}\" device_id=%{hardware_id->} log_id=%{id->} %{payload}", processor_chain([ + setc("header_id","0006"), + setc("messageid","Sophos_Firewall"), +])); + +var select1 = linear_select([ + hdr1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, +]); + +var part1 = // "Pattern{Constant('received control channel command ''), Field(action,false), Constant(''')}" +match("MESSAGE#0:named:01", "nwparser.payload", "received control channel command '%{action}'", processor_chain([ + dup1, + dup2, + dup3, +])); + +var msg1 = msg("named:01", part1); + +var part2 = // "Pattern{Constant('flushing caches in all views '), Field(disposition,false)}" +match("MESSAGE#1:named:02", "nwparser.payload", "flushing caches in all views %{disposition}", processor_chain([ + dup1, + dup2, + dup3, +])); + +var msg2 = msg("named:02", part2); + +var part3 = // "Pattern{Constant('error ('), Field(result,false), Constant(') resolving ''), Field(dhost,false), Constant('': '), Field(daddr,false), Constant('#'), Field(dport,false)}" +match("MESSAGE#2:named:03", "nwparser.payload", "error (%{result}) resolving '%{dhost}': %{daddr}#%{dport}", processor_chain([ + dup4, + dup2, + dup3, +])); + +var msg3 = msg("named:03", part3); + +var part4 = // "Pattern{Constant('received '), Field(action,true), Constant(' signal to '), Field(fld3,false)}" +match("MESSAGE#3:named:04", "nwparser.payload", "received %{action->} signal to %{fld3}", processor_chain([ + dup5, + dup2, + dup3, +])); + +var msg4 = msg("named:04", part4); + +var part5 = // "Pattern{Constant('loading configuration from ''), Field(filename,false), Constant(''')}" +match("MESSAGE#4:named:05", "nwparser.payload", "loading configuration from '%{filename}'", processor_chain([ + dup6, + dup2, + dup3, +])); + +var msg5 = msg("named:05", part5); + +var part6 = // "Pattern{Constant('no '), Field(protocol,true), Constant(' interfaces found')}" +match("MESSAGE#5:named:06", "nwparser.payload", "no %{protocol->} interfaces found", processor_chain([ + setc("eventcategory","1804000000"), + dup2, + dup3, +])); + +var msg6 = msg("named:06", part6); + +var part7 = // "Pattern{Constant('sizing zone task pool based on '), Field(fld3,true), Constant(' zones')}" +match("MESSAGE#6:named:07", "nwparser.payload", "sizing zone task pool based on %{fld3->} zones", processor_chain([ + dup7, + dup2, + dup3, +])); + +var msg7 = msg("named:07", part7); + +var part8 = // "Pattern{Constant('automatic empty zone: view '), Field(fld3,false), Constant(': '), Field(dns_ptr_record,false)}" +match("MESSAGE#7:named:08", "nwparser.payload", "automatic empty zone: view %{fld3}: %{dns_ptr_record}", processor_chain([ + dup8, + dup2, + dup3, +])); + +var msg8 = msg("named:08", part8); + +var part9 = // "Pattern{Constant('reloading '), Field(obj_type,true), Constant(' '), Field(disposition,false)}" +match("MESSAGE#8:named:09", "nwparser.payload", "reloading %{obj_type->} %{disposition}", processor_chain([ + dup7, + dup2, + dup3, + setc("action","reloading"), +])); + +var msg9 = msg("named:09", part9); + +var part10 = // "Pattern{Constant('zone '), Field(dhost,false), Constant('/'), Field(fld3,false), Constant(': loaded serial '), Field(operation_id,false)}" +match("MESSAGE#9:named:10", "nwparser.payload", "zone %{dhost}/%{fld3}: loaded serial %{operation_id}", processor_chain([ + dup7, + dup9, + dup2, + dup3, +])); + +var msg10 = msg("named:10", part10); + +var part11 = // "Pattern{Constant('all zones loaded'), Field(,false)}" +match("MESSAGE#10:named:11", "nwparser.payload", "all zones loaded%{}", processor_chain([ + dup7, + dup9, + dup2, + dup3, + setc("action","all zones loaded"), +])); + +var msg11 = msg("named:11", part11); + +var part12 = // "Pattern{Constant('running'), Field(,false)}" +match("MESSAGE#11:named:12", "nwparser.payload", "running%{}", processor_chain([ + dup7, + setc("disposition","running"), + dup2, + dup3, + setc("action","running"), +])); + +var msg12 = msg("named:12", part12); + +var part13 = // "Pattern{Constant('using built-in root key for view '), Field(fld3,false)}" +match("MESSAGE#12:named:13", "nwparser.payload", "using built-in root key for view %{fld3}", processor_chain([ + dup7, + setc("context","built-in root key"), + dup2, + dup3, +])); + +var msg13 = msg("named:13", part13); + +var part14 = // "Pattern{Constant('zone '), Field(dns_ptr_record,false), Constant('/'), Field(fld3,false), Constant(': ('), Field(username,false), Constant(') '), Field(action,false)}" +match("MESSAGE#13:named:14", "nwparser.payload", "zone %{dns_ptr_record}/%{fld3}: (%{username}) %{action}", processor_chain([ + dup8, + dup2, + dup3, +])); + +var msg14 = msg("named:14", part14); + +var part15 = // "Pattern{Constant('too many timeouts resolving ''), Field(fld3,false), Constant('' ('), Field(fld4,false), Constant('): disabling EDNS')}" +match("MESSAGE#14:named:15", "nwparser.payload", "too many timeouts resolving '%{fld3}' (%{fld4}): disabling EDNS", processor_chain([ + dup10, + setc("event_description","named:too many timeouts resolving DNS."), + dup11, + dup2, +])); + +var msg15 = msg("named:15", part15); + +var part16 = // "Pattern{Constant('FORMERR resolving ''), Field(hostname,false), Constant('': '), Field(saddr,false), Constant('#'), Field(fld3,false)}" +match("MESSAGE#15:named:16", "nwparser.payload", "FORMERR resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ + dup10, + setc("event_description","named:FORMERR resolving DNS."), + dup11, + dup2, +])); + +var msg16 = msg("named:16", part16); + +var part17 = // "Pattern{Constant('unexpected RCODE (SERVFAIL) resolving ''), Field(hostname,false), Constant('': '), Field(saddr,false), Constant('#'), Field(fld3,false)}" +match("MESSAGE#16:named:17", "nwparser.payload", "unexpected RCODE (SERVFAIL) resolving '%{hostname}': %{saddr}#%{fld3}", processor_chain([ + dup10, + setc("event_description","named:unexpected RCODE (SERVFAIL) resolving DNS."), + dup11, + dup2, +])); + +var msg17 = msg("named:17", part17); + +var select2 = linear_select([ + msg1, + msg2, + msg3, + msg4, + msg5, + msg6, + msg7, + msg8, + msg9, + msg10, + msg11, + msg12, + msg13, + msg14, + msg15, + msg16, + msg17, +]); + +var part18 = // "Pattern{Constant('Integrated HTTP-Proxy '), Field(version,false)}" +match("MESSAGE#17:httpproxy:09", "nwparser.payload", "Integrated HTTP-Proxy %{version}", processor_chain([ + dup12, + setc("event_description","httpproxy:Integrated HTTP-Proxy."), + dup11, + dup2, +])); + +var msg18 = msg("httpproxy:09", part18); + +var part19 = // "Pattern{Constant('['), Field(fld2,false), Constant('] parse_address ('), Field(fld3,false), Constant(') getaddrinfo: passthrough.fw-notify.net: Name or service not known')}" +match("MESSAGE#18:httpproxy:10", "nwparser.payload", "[%{fld2}] parse_address (%{fld3}) getaddrinfo: passthrough.fw-notify.net: Name or service not known", processor_chain([ + dup10, + setc("event_description","httpproxy:Name or service not known."), + dup11, + dup2, +])); + +var msg19 = msg("httpproxy:10", part19); + +var part20 = // "Pattern{Constant('['), Field(fld2,false), Constant('] confd_config_filter ('), Field(fld3,false), Constant(') failed to resolve passthrough.fw-notify.net, using '), Field(saddr,false)}" +match("MESSAGE#19:httpproxy:11", "nwparser.payload", "[%{fld2}] confd_config_filter (%{fld3}) failed to resolve passthrough.fw-notify.net, using %{saddr}", processor_chain([ + dup10, + setc("event_description","httpproxy:failed to resolve passthrough."), + dup11, + dup2, +])); + +var msg20 = msg("httpproxy:11", part20); + +var part21 = // "Pattern{Constant('['), Field(fld2,false), Constant('] ssl_log_errors ('), Field(fld3,false), Constant(') '), Field(fld4,false), Constant('ssl handshake failure'), Field(fld5,false)}" +match("MESSAGE#20:httpproxy:12", "nwparser.payload", "[%{fld2}] ssl_log_errors (%{fld3}) %{fld4}ssl handshake failure%{fld5}", processor_chain([ + dup10, + setc("event_description","httpproxy:ssl handshake failure."), + dup11, + dup2, +])); + +var msg21 = msg("httpproxy:12", part21); + +var part22 = // "Pattern{Constant('['), Field(fld2,false), Constant('] sc_decrypt ('), Field(fld3,false), Constant(') EVP_DecryptFinal failed')}" +match("MESSAGE#21:httpproxy:13", "nwparser.payload", "[%{fld2}] sc_decrypt (%{fld3}) EVP_DecryptFinal failed", processor_chain([ + dup10, + setc("event_description","httpproxy:EVP_DecryptFinal failed."), + dup11, + dup2, +])); + +var msg22 = msg("httpproxy:13", part22); + +var part23 = // "Pattern{Constant('['), Field(fld2,false), Constant('] sc_server_cmd ('), Field(fld3,false), Constant(') decrypt failed')}" +match("MESSAGE#22:httpproxy:14", "nwparser.payload", "[%{fld2}] sc_server_cmd (%{fld3}) decrypt failed", processor_chain([ + dup10, + setc("event_description","httpproxy:decrypt failed."), + dup11, + dup2, +])); + +var msg23 = msg("httpproxy:14", part23); + +var part24 = // "Pattern{Constant('['), Field(fld2,false), Constant('] clamav_reload ('), Field(fld3,false), Constant(') '), Field(info,false)}" +match("MESSAGE#23:httpproxy:15", "nwparser.payload", "[%{fld2}] clamav_reload (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:reloading av pattern"), + dup11, + dup2, +])); + +var msg24 = msg("httpproxy:15", part24); + +var part25 = // "Pattern{Constant('['), Field(fld2,false), Constant('] sc_check_servers ('), Field(fld3,false), Constant(') server ''), Field(hostname,false), Constant('' access time: '), Field(fld4,false)}" +match("MESSAGE#24:httpproxy:16", "nwparser.payload", "[%{fld2}] sc_check_servers (%{fld3}) server '%{hostname}' access time: %{fld4}", processor_chain([ + dup12, + setc("event_description","httpproxy:sc_check_servers.Server checked."), + dup11, + dup2, +])); + +var msg25 = msg("httpproxy:16", part25); + +var part26 = // "Pattern{Constant('['), Field(fld2,false), Constant('] main ('), Field(fld3,false), Constant(') shutdown finished, exiting')}" +match("MESSAGE#25:httpproxy:17", "nwparser.payload", "[%{fld2}] main (%{fld3}) shutdown finished, exiting", processor_chain([ + dup12, + setc("event_description","httpproxy:shutdown finished, exiting."), + dup11, + dup2, +])); + +var msg26 = msg("httpproxy:17", part26); + +var part27 = // "Pattern{Constant('['), Field(fld2,false), Constant('] main ('), Field(fld3,false), Constant(') reading configuration')}" +match("MESSAGE#26:httpproxy:18", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading configuration", processor_chain([ + dup12, + setc("event_description","httpproxy:"), + dup11, + dup2, +])); + +var msg27 = msg("httpproxy:18", part27); + +var part28 = // "Pattern{Constant('['), Field(fld2,false), Constant('] main ('), Field(fld3,false), Constant(') reading profiles')}" +match("MESSAGE#27:httpproxy:19", "nwparser.payload", "[%{fld2}] main (%{fld3}) reading profiles", processor_chain([ + dup12, + setc("event_description","httpproxy:reading profiles"), + dup11, + dup2, +])); + +var msg28 = msg("httpproxy:19", part28); + +var part29 = // "Pattern{Constant('['), Field(fld2,false), Constant('] main ('), Field(fld3,false), Constant(') finished startup')}" +match("MESSAGE#28:httpproxy:20", "nwparser.payload", "[%{fld2}] main (%{fld3}) finished startup", processor_chain([ + dup12, + setc("event_description","httpproxy:finished startup"), + dup11, + dup2, +])); + +var msg29 = msg("httpproxy:20", part29); + +var part30 = // "Pattern{Constant('['), Field(fld2,false), Constant('] read_request_headers ('), Field(fld3,false), Constant(') '), Field(info,false)}" +match("MESSAGE#29:httpproxy:21", "nwparser.payload", "[%{fld2}] read_request_headers (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:read_request_headers related message."), + dup11, + dup2, +])); + +var msg30 = msg("httpproxy:21", part30); + +var part31 = // "Pattern{Constant('['), Field(fld2,false), Constant('] epoll_loop ('), Field(fld3,false), Constant(') '), Field(info,false)}" +match("MESSAGE#30:httpproxy:22", "nwparser.payload", "[%{fld2}] epoll_loop (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:epoll_loop related message."), + dup11, + dup2, +])); + +var msg31 = msg("httpproxy:22", part31); + +var part32 = // "Pattern{Constant('['), Field(fld2,false), Constant('] scan_exit ('), Field(fld3,false), Constant(') '), Field(info,false)}" +match("MESSAGE#31:httpproxy:23", "nwparser.payload", "[%{fld2}] scan_exit (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:scan_exit related message."), + dup11, + dup2, +])); + +var msg32 = msg("httpproxy:23", part32); + +var part33 = // "Pattern{Constant('['), Field(fld2,false), Constant('] epoll_exit ('), Field(fld3,false), Constant(') '), Field(info,false)}" +match("MESSAGE#32:httpproxy:24", "nwparser.payload", "[%{fld2}] epoll_exit (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:epoll_exit related message."), + dup11, + dup2, +])); + +var msg33 = msg("httpproxy:24", part33); + +var part34 = // "Pattern{Constant('['), Field(fld2,false), Constant('] disk_cache_exit ('), Field(fld3,false), Constant(') '), Field(info,false)}" +match("MESSAGE#33:httpproxy:25", "nwparser.payload", "[%{fld2}] disk_cache_exit (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:disk_cache_exit related message."), + dup11, + dup2, +])); + +var msg34 = msg("httpproxy:25", part34); + +var part35 = // "Pattern{Constant('['), Field(fld2,false), Constant('] disk_cache_zap ('), Field(fld3,false), Constant(') '), Field(info,false)}" +match("MESSAGE#34:httpproxy:26", "nwparser.payload", "[%{fld2}] disk_cache_zap (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:disk_cache_zap related message."), + dup11, + dup2, +])); + +var msg35 = msg("httpproxy:26", part35); + +var part36 = // "Pattern{Constant('['), Field(fld2,false), Constant('] scanner_init ('), Field(fld3,false), Constant(') '), Field(info,false)}" +match("MESSAGE#35:httpproxy:27", "nwparser.payload", "[%{fld2}] scanner_init (%{fld3}) %{info}", processor_chain([ + dup12, + setc("event_description","httpproxy:scanner_init related message."), + dup11, + dup2, +])); + +var msg36 = msg("httpproxy:27", part36); + +var part37 = tagval("MESSAGE#36:httpproxy:01", "nwparser.payload", tvm, { + "action": "action", + "ad_domain": "fld1", + "app-id": "fld18", + "application": "fld17", + "auth": "fld10", + "authtime": "fld4", + "avscantime": "fld7", + "cached": "fld2", + "category": "policy_id", + "categoryname": "info", + "cattime": "fld6", + "content-type": "content_type", + "device": "fld9", + "dnstime": "fld5", + "dstip": "daddr", + "error": "result", + "exceptions": "fld12", + "extension": "fld13", + "file": "filename", + "filename": "filename", + "filteraction": "fld3", + "fullreqtime": "fld8", + "function": "action", + "group": "group", + "id": "rule", + "line": "fld14", + "message": "context", + "method": "web_method", + "name": "event_description", + "profile": "policyname", + "reason": "rule_group", + "referer": "web_referer", + "reputation": "fld16", + "request": "connectionid", + "severity": "severity", + "size": "rbytes", + "srcip": "saddr", + "statuscode": "resultcode", + "sub": "network_service", + "sys": "vsys", + "time": "fld15", + "ua": "fld11", + "url": "url", + "user": "username", +}, processor_chain([ + dup13, + dup11, + dup2, + dup45, + dup46, +])); + +var msg37 = msg("httpproxy:01", part37); + +var select3 = linear_select([ + msg18, + msg19, + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, +]); + +var part38 = // "Pattern{Constant('T='), Field(fld3,true), Constant(' ------ 1 - [exit] '), Field(action,false), Constant(': '), Field(disposition,false)}" +match("MESSAGE#37:URID:01", "nwparser.payload", "T=%{fld3->} ------ 1 - [exit] %{action}: %{disposition}", processor_chain([ + dup16, + dup2, + dup3, +])); + +var msg38 = msg("URID:01", part38); + +var part39 = tagval("MESSAGE#38:ulogd:01", "nwparser.payload", tvm, { + "action": "action", + "code": "fld30", + "dstip": "daddr", + "dstmac": "dmacaddr", + "dstport": "dport", + "fwrule": "policy_id", + "id": "rule", + "info": "context", + "initf": "sinterface", + "length": "fld25", + "name": "event_description", + "outitf": "dinterface", + "prec": "fld27", + "proto": "fld24", + "seq": "fld23", + "severity": "severity", + "srcip": "saddr", + "srcmac": "smacaddr", + "srcport": "sport", + "sub": "network_service", + "sys": "vsys", + "tcpflags": "fld29", + "tos": "fld26", + "ttl": "fld28", + "type": "fld31", +}, processor_chain([ + dup13, + setc("ec_subject","NetworkComm"), + setc("ec_activity","Scan"), + setc("ec_theme","TEV"), + dup11, + dup2, + dup45, + dup46, +])); + +var msg39 = msg("ulogd:01", part39); + +var part40 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] ModSecurity for Apache/'), Field(fld5,true), Constant(' ('), Field(fld6,false), Constant(') configured.')}" +match("MESSAGE#39:reverseproxy:01", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity for Apache/%{fld5->} (%{fld6}) configured.", processor_chain([ + dup6, + setc("disposition","configured"), + dup2, + dup3, +])); + +var msg40 = msg("reverseproxy:01", part40); + +var part41 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] ModSecurity: '), Field(fld5,true), Constant(' compiled version="'), Field(fld6,false), Constant('"; loaded version="'), Field(fld7,false), Constant('"')}" +match("MESSAGE#40:reverseproxy:02", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"; loaded version=\"%{fld7}\"", processor_chain([ + dup17, + dup2, + dup3, +])); + +var msg41 = msg("reverseproxy:02", part41); + +var part42 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] ModSecurity: '), Field(fld5,true), Constant(' compiled version="'), Field(fld6,false), Constant('"')}" +match("MESSAGE#41:reverseproxy:03", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] ModSecurity: %{fld5->} compiled version=\"%{fld6}\"", processor_chain([ + dup17, + dup2, + dup3, +])); + +var msg42 = msg("reverseproxy:03", part42); + +var part43 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] '), Field(fld5,true), Constant(' configured -- '), Field(disposition,true), Constant(' normal operations')}" +match("MESSAGE#42:reverseproxy:04", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] %{fld5->} configured -- %{disposition->} normal operations", processor_chain([ + dup17, + setc("event_id","AH00292"), + dup2, + dup3, +])); + +var msg43 = msg("reverseproxy:04", part43); + +var part44 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] ['), Field(fld5,false), Constant('] Hostname in '), Field(network_service,true), Constant(' request ('), Field(fld6,false), Constant(') does not match the server name ('), Field(ddomain,false), Constant(')')}" +match("MESSAGE#43:reverseproxy:06", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [%{fld5}] Hostname in %{network_service->} request (%{fld6}) does not match the server name (%{ddomain})", processor_chain([ + setc("eventcategory","1805010000"), + dup18, + dup2, + dup3, +])); + +var msg44 = msg("reverseproxy:06", part44); + +var part45 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00297: '), Field(action,true), Constant(' received. Doing'), Field(p0,false)}" +match("MESSAGE#44:reverseproxy:07/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00297: %{action->} received. Doing%{p0}"); + +var select4 = linear_select([ + dup19, +]); + +var part46 = // "Pattern{Field(,false), Constant('graceful '), Field(disposition,false)}" +match("MESSAGE#44:reverseproxy:07/2", "nwparser.p0", "%{}graceful %{disposition}"); + +var all1 = all_match({ + processors: [ + part45, + select4, + part46, + ], + on_success: processor_chain([ + dup5, + setc("event_id","AH00297"), + dup2, + dup3, + ]), +}); + +var msg45 = msg("reverseproxy:07", all1); + +var part47 = // "Pattern{Constant('AH00112: Warning: DocumentRoot ['), Field(web_root,false), Constant('] does not exist')}" +match("MESSAGE#45:reverseproxy:08", "nwparser.payload", "AH00112: Warning: DocumentRoot [%{web_root}] does not exist", processor_chain([ + dup4, + setc("event_id","AH00112"), + dup2, + dup3, +])); + +var msg46 = msg("reverseproxy:08", part47); + +var part48 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00094: Command line: ''), Field(web_root,false), Constant(''')}" +match("MESSAGE#46:reverseproxy:09", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00094: Command line: '%{web_root}'", processor_chain([ + setc("eventcategory","1605010000"), + setc("event_id","AH00094"), + dup2, + dup3, +])); + +var msg47 = msg("reverseproxy:09", part48); + +var part49 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00291: long lost child came home! (pid '), Field(fld5,false), Constant(')')}" +match("MESSAGE#47:reverseproxy:10", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00291: long lost child came home! (pid %{fld5})", processor_chain([ + dup12, + setc("event_id","AH00291"), + dup2, + dup3, +])); + +var msg48 = msg("reverseproxy:10", part49); + +var part50 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH02572: Failed to configure at least one certificate and key for '), Field(fld5,false), Constant(':'), Field(fld6,false)}" +match("MESSAGE#48:reverseproxy:11", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02572: Failed to configure at least one certificate and key for %{fld5}:%{fld6}", processor_chain([ + dup20, + setc("event_id","AH02572"), + dup2, + dup3, +])); + +var msg49 = msg("reverseproxy:11", part50); + +var part51 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] SSL Library Error: error:'), Field(resultcode,false), Constant(':'), Field(result,false)}" +match("MESSAGE#49:reverseproxy:12", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] SSL Library Error: error:%{resultcode}:%{result}", processor_chain([ + dup20, + setc("context","SSL Library Error"), + dup2, + dup3, +])); + +var msg50 = msg("reverseproxy:12", part51); + +var part52 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH02312: Fatal error initialising mod_ssl, '), Field(disposition,false), Constant('.')}" +match("MESSAGE#50:reverseproxy:13", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH02312: Fatal error initialising mod_ssl, %{disposition}.", processor_chain([ + dup20, + setc("result","Fatal error"), + setc("event_id","AH02312"), + dup2, + dup3, +])); + +var msg51 = msg("reverseproxy:13", part52); + +var part53 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00020: Configuration Failed, '), Field(disposition,false)}" +match("MESSAGE#51:reverseproxy:14", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00020: Configuration Failed, %{disposition}", processor_chain([ + dup20, + setc("result","Configuration Failed"), + setc("event_id","AH00020"), + dup2, + dup3, +])); + +var msg52 = msg("reverseproxy:14", part53); + +var part54 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00098: pid file '), Field(filename,true), Constant(' overwritten -- Unclean shutdown of previous Apache run?')}" +match("MESSAGE#52:reverseproxy:15", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00098: pid file %{filename->} overwritten -- Unclean shutdown of previous Apache run?", processor_chain([ + setc("eventcategory","1609000000"), + setc("context","Unclean shutdown"), + setc("event_id","AH00098"), + dup2, + dup3, +])); + +var msg53 = msg("reverseproxy:15", part54); + +var part55 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00295: caught '), Field(action,false), Constant(', '), Field(disposition,false)}" +match("MESSAGE#53:reverseproxy:16", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00295: caught %{action}, %{disposition}", processor_chain([ + dup16, + setc("event_id","AH00295"), + dup2, + dup3, +])); + +var msg54 = msg("reverseproxy:16", part55); + +var part56 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(result,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ModSecurity: Warning. '), Field(rulename,true), Constant(' [file "'), Field(filename,false), Constant('"] [line "'), Field(fld5,false), Constant('"] [id "'), Field(rule,false), Constant('"]'), Field(p0,false)}" +match("MESSAGE#54:reverseproxy:17/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{result}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%{filename}\"] [line \"%{fld5}\"] [id \"%{rule}\"]%{p0}"); + +var part57 = // "Pattern{Constant(' [rev "'), Field(fld6,false), Constant('"]'), Field(p0,false)}" +match("MESSAGE#54:reverseproxy:17/1_0", "nwparser.p0", " [rev \"%{fld6}\"]%{p0}"); + +var select5 = linear_select([ + part57, + dup19, +]); + +var part58 = // "Pattern{Field(,false), Constant('[msg "'), Field(comments,false), Constant('"] [data "'), Field(daddr,false), Constant('"] [severity "'), Field(severity,false), Constant('"] [ver "'), Field(policyname,false), Constant('"] [maturity "'), Field(fld7,false), Constant('"] [accuracy "'), Field(fld8,false), Constant('"] '), Field(context,true), Constant(' [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" +match("MESSAGE#54:reverseproxy:17/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"%{daddr}\"] [severity \"%{severity}\"] [ver \"%{policyname}\"] [maturity \"%{fld7}\"] [accuracy \"%{fld8}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); + +var all2 = all_match({ + processors: [ + part56, + select5, + part58, + ], + on_success: processor_chain([ + dup21, + dup2, + dup3, + ]), +}); + +var msg55 = msg("reverseproxy:17", all2); + +var part59 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] No signature found, cookie: '), Field(fld5,false)}" +match("MESSAGE#55:reverseproxy:18", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] No signature found, cookie: %{fld5}", processor_chain([ + dup4, + dup22, + dup2, + dup3, +])); + +var msg56 = msg("reverseproxy:18", part59); + +var part60 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] '), Field(disposition,true), Constant(' ''), Field(fld5,false), Constant('' from request due to missing/invalid signature')}" +match("MESSAGE#56:reverseproxy:19", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] %{disposition->} '%{fld5}' from request due to missing/invalid signature", processor_chain([ + dup23, + dup22, + dup2, + dup3, +])); + +var msg57 = msg("reverseproxy:19", part60); + +var part61 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ModSecurity: Warning. '), Field(rulename,true), Constant(' [file "'), Field(filename,false), Constant('"] [line "'), Field(fld5,false), Constant('"] [id "'), Field(rule,false), Constant('"] [msg "'), Field(comments,false), Constant('"] [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" +match("MESSAGE#57:reverseproxy:20", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%{filename}\"] [line \"%{fld5}\"] [id \"%{rule}\"] [msg \"%{comments}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ + dup21, + dup2, + dup3, +])); + +var msg58 = msg("reverseproxy:20", part61); + +var part62 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH01909: '), Field(daddr,false), Constant(':'), Field(dport,false), Constant(':'), Field(fld5,true), Constant(' server certificate does NOT include an ID which matches the server name')}" +match("MESSAGE#58:reverseproxy:21", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01909: %{daddr}:%{dport}:%{fld5->} server certificate does NOT include an ID which matches the server name", processor_chain([ + dup20, + dup18, + setc("event_id","AH01909"), + dup2, + dup3, +])); + +var msg59 = msg("reverseproxy:21", part62); + +var part63 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH01915: Init: ('), Field(daddr,false), Constant(':'), Field(dport,false), Constant(') You configured '), Field(network_service,false), Constant('('), Field(fld5,false), Constant(') on the '), Field(fld6,false), Constant('('), Field(fld7,false), Constant(') port!')}" +match("MESSAGE#59:reverseproxy:22", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH01915: Init: (%{daddr}:%{dport}) You configured %{network_service}(%{fld5}) on the %{fld6}(%{fld7}) port!", processor_chain([ + dup20, + setc("comments","Invalid port configuration"), + dup2, + dup3, +])); + +var msg60 = msg("reverseproxy:22", part63); + +var part64 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ModSecurity: Rule '), Field(rulename,true), Constant(' [id "'), Field(rule,false), Constant('"][file "'), Field(filename,false), Constant('"][line "'), Field(fld5,false), Constant('"] - Execution error - PCRE limits exceeded ('), Field(fld6,false), Constant('): ('), Field(fld7,false), Constant('). [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" +match("MESSAGE#60:reverseproxy:23", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: Rule %{rulename->} [id \"%{rule}\"][file \"%{filename}\"][line \"%{fld5}\"] - Execution error - PCRE limits exceeded (%{fld6}): (%{fld7}). [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ + dup21, + dup2, + dup3, +])); + +var msg61 = msg("reverseproxy:23", part64); + +var part65 = // "Pattern{Constant('rManage\\x22,\\x22manageLiveSystemSettings\\x22,\\x22accessViewJobs\\x22,\\x22exportList\\..."] [ver "'), Field(policyname,false), Constant('"] [maturity "'), Field(fld3,false), Constant('"] [accuracy "'), Field(fld4,false), Constant('"] '), Field(context,true), Constant(' [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" +match("MESSAGE#61:reverseproxy:24", "nwparser.payload", "rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"%{policyname}\"] [maturity \"%{fld3}\"] [accuracy \"%{fld4}\"] %{context->} [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ + dup21, + dup2, + dup3, +])); + +var msg62 = msg("reverseproxy:24", part65); + +var part66 = // "Pattern{Constant('ARGS:userPermissions: [\\x22dashletAccessAlertingRecentAlertsPanel\\x22,\\x22dashletAccessAlerterTopAlertsDashlet\\x22,\\x22accessViewRules\\x22,\\x22deployLiveResources\\x22,\\x22vi..."] [severity [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" +match("MESSAGE#62:reverseproxy:25", "nwparser.payload", "ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]", processor_chain([ + dup21, + dup2, + dup3, +])); + +var msg63 = msg("reverseproxy:25", part66); + +var part67 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ModSecurity: '), Field(disposition,true), Constant(' with code '), Field(resultcode,true), Constant(' ('), Field(fld5,false), Constant('). '), Field(rulename,true), Constant(' [file "'), Field(filename,false), Constant('"] [line "'), Field(fld6,false), Constant('"] [id "'), Field(rule,false), Constant('"]'), Field(p0,false)}" +match("MESSAGE#63:reverseproxy:26/0", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] ModSecurity: %{disposition->} with code %{resultcode->} (%{fld5}). %{rulename->} [file \"%{filename}\"] [line \"%{fld6}\"] [id \"%{rule}\"]%{p0}"); + +var part68 = // "Pattern{Constant(' [rev "'), Field(fld7,false), Constant('"]'), Field(p0,false)}" +match("MESSAGE#63:reverseproxy:26/1_0", "nwparser.p0", " [rev \"%{fld7}\"]%{p0}"); + +var select6 = linear_select([ + part68, + dup19, +]); + +var part69 = // "Pattern{Field(,false), Constant('[msg "'), Field(comments,false), Constant('"] [data "Last Matched Data: '), Field(p0,false)}" +match("MESSAGE#63:reverseproxy:26/2", "nwparser.p0", "%{}[msg \"%{comments}\"] [data \"Last Matched Data: %{p0}"); + +var part70 = // "Pattern{Field(daddr,false), Constant(':'), Field(dport,false), Constant('"] [hostname "'), Field(p0,false)}" +match("MESSAGE#63:reverseproxy:26/3_0", "nwparser.p0", "%{daddr}:%{dport}\"] [hostname \"%{p0}"); + +var part71 = // "Pattern{Field(daddr,false), Constant('"] [hostname "'), Field(p0,false)}" +match("MESSAGE#63:reverseproxy:26/3_1", "nwparser.p0", "%{daddr}\"] [hostname \"%{p0}"); + +var select7 = linear_select([ + part70, + part71, +]); + +var part72 = // "Pattern{Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]')}" +match("MESSAGE#63:reverseproxy:26/4", "nwparser.p0", "%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]"); + +var all3 = all_match({ + processors: [ + part67, + select6, + part69, + select7, + part72, + ], + on_success: processor_chain([ + dup24, + dup2, + dup3, + ]), +}); + +var msg64 = msg("reverseproxy:26", all3); + +var part73 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] '), Field(disposition,true), Constant(' while reading reply from cssd, referer: '), Field(web_referer,false)}" +match("MESSAGE#64:reverseproxy:27", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] %{disposition->} while reading reply from cssd, referer: %{web_referer}", processor_chain([ + dup25, + dup2, + dup3, +])); + +var msg65 = msg("reverseproxy:27", part73); + +var part74 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] virus daemon error found in request '), Field(web_root,false), Constant(', referer: '), Field(web_referer,false)}" +match("MESSAGE#65:reverseproxy:28", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon error found in request %{web_root}, referer: %{web_referer}", processor_chain([ + dup26, + setc("result","virus daemon error"), + dup2, + dup3, +])); + +var msg66 = msg("reverseproxy:28", part74); + +var part75 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] mod_avscan_input_filter: virus found, referer: '), Field(web_referer,false)}" +match("MESSAGE#66:reverseproxy:29", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found, referer: %{web_referer}", processor_chain([ + dup27, + setc("result","virus found"), + dup2, + dup3, +])); + +var msg67 = msg("reverseproxy:29", part75); + +var part76 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] (13)'), Field(result,false), Constant(': [client '), Field(gateway,false), Constant('] AH01095: prefetch request body failed to '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld5,false), Constant(') from '), Field(fld6,true), Constant(' (), referer: '), Field(web_referer,false)}" +match("MESSAGE#67:reverseproxy:30", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} (), referer: %{web_referer}", processor_chain([ + dup24, + dup28, + dup2, + dup3, +])); + +var msg68 = msg("reverseproxy:30", part76); + +var part77 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] cannot read reply: Operation now in progress (115), referer: '), Field(web_referer,false)}" +match("MESSAGE#68:reverseproxy:31", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot read reply: Operation now in progress (115), referer: %{web_referer}", processor_chain([ + dup25, + setc("result","Cannot read reply"), + dup2, + dup3, +])); + +var msg69 = msg("reverseproxy:31", part77); + +var part78 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] cannot connect: '), Field(result,true), Constant(' (111), referer: '), Field(web_referer,false)}" +match("MESSAGE#69:reverseproxy:32", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111), referer: %{web_referer}", processor_chain([ + dup25, + dup2, + dup3, +])); + +var msg70 = msg("reverseproxy:32", part78); + +var part79 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] cannot connect: '), Field(result,true), Constant(' (111)')}" +match("MESSAGE#70:reverseproxy:33", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] cannot connect: %{result->} (111)", processor_chain([ + dup25, + dup2, + dup3, +])); + +var msg71 = msg("reverseproxy:33", part79); + +var part80 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] virus daemon connection problem found in request '), Field(url,false), Constant(', referer: '), Field(web_referer,false)}" +match("MESSAGE#71:reverseproxy:34", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}, referer: %{web_referer}", processor_chain([ + dup26, + dup29, + dup2, + dup3, +])); + +var msg72 = msg("reverseproxy:34", part80); + +var part81 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] virus daemon connection problem found in request '), Field(url,false)}" +match("MESSAGE#72:reverseproxy:35", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] virus daemon connection problem found in request %{url}", processor_chain([ + dup26, + dup29, + dup2, + dup3, +])); + +var msg73 = msg("reverseproxy:35", part81); + +var part82 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] mod_avscan_input_filter: virus found')}" +match("MESSAGE#73:reverseproxy:36", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] mod_avscan_input_filter: virus found", processor_chain([ + dup27, + setc("result","Virus found"), + dup2, + dup3, +])); + +var msg74 = msg("reverseproxy:36", part82); + +var part83 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] (13)'), Field(result,false), Constant(': [client '), Field(gateway,false), Constant('] AH01095: prefetch request body failed to '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' ('), Field(fld5,false), Constant(') from '), Field(fld6,true), Constant(' ()')}" +match("MESSAGE#74:reverseproxy:37", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (13)%{result}: [client %{gateway}] AH01095: prefetch request body failed to %{saddr}:%{sport->} (%{fld5}) from %{fld6->} ()", processor_chain([ + dup24, + dup28, + dup2, + dup3, +])); + +var msg75 = msg("reverseproxy:37", part83); + +var part84 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] Invalid signature, cookie: JSESSIONID')}" +match("MESSAGE#75:reverseproxy:38", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Invalid signature, cookie: JSESSIONID", processor_chain([ + dup25, + dup2, + dup3, +])); + +var msg76 = msg("reverseproxy:38", part84); + +var part85 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] Form validation failed: Received unhardened form data, referer: '), Field(web_referer,false)}" +match("MESSAGE#76:reverseproxy:39", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] Form validation failed: Received unhardened form data, referer: %{web_referer}", processor_chain([ + dup23, + setc("result","Form validation failed"), + dup2, + dup3, +])); + +var msg77 = msg("reverseproxy:39", part85); + +var part86 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] sending trickle failed: 103')}" +match("MESSAGE#77:reverseproxy:40", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] sending trickle failed: 103", processor_chain([ + dup25, + setc("result","Sending trickle failed"), + dup2, + dup3, +])); + +var msg78 = msg("reverseproxy:40", part86); + +var part87 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] client requesting '), Field(web_root,true), Constant(' has '), Field(disposition,false)}" +match("MESSAGE#78:reverseproxy:41", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] client requesting %{web_root->} has %{disposition}", processor_chain([ + dup30, + dup2, + dup3, +])); + +var msg79 = msg("reverseproxy:41", part87); + +var part88 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] mod_avscan_check_file_single_part() called with parameter filename='), Field(filename,false)}" +match("MESSAGE#79:reverseproxy:42", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] mod_avscan_check_file_single_part() called with parameter filename=%{filename}", processor_chain([ + setc("eventcategory","1603050000"), + dup2, + dup3, +])); + +var msg80 = msg("reverseproxy:42", part88); + +var part89 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] (70007)The '), Field(disposition,true), Constant(' specified has expired: [client '), Field(gateway,false), Constant('] AH01110: error reading response')}" +match("MESSAGE#80:reverseproxy:43", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (70007)The %{disposition->} specified has expired: [client %{gateway}] AH01110: error reading response", processor_chain([ + dup30, + setc("event_id","AH01110"), + setc("result","Error reading response"), + dup2, + dup3, +])); + +var msg81 = msg("reverseproxy:43", part89); + +var part90 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] (22)'), Field(result,false), Constant(': [client '), Field(gateway,false), Constant('] No form context found when parsing '), Field(fld5,true), Constant(' tag, referer: '), Field(web_referer,false)}" +match("MESSAGE#81:reverseproxy:44", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (22)%{result}: [client %{gateway}] No form context found when parsing %{fld5->} tag, referer: %{web_referer}", processor_chain([ + setc("eventcategory","1601020000"), + setc("result","No form context found"), + dup2, + dup3, +])); + +var msg82 = msg("reverseproxy:44", part90); + +var part91 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] (111)'), Field(result,false), Constant(': AH00957: '), Field(network_service,false), Constant(': attempt to connect to '), Field(daddr,false), Constant(':'), Field(dport,true), Constant(' ('), Field(fld5,false), Constant(') failed')}" +match("MESSAGE#82:reverseproxy:45", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] (111)%{result}: AH00957: %{network_service}: attempt to connect to %{daddr}:%{dport->} (%{fld5}) failed", processor_chain([ + dup25, + setc("event_id","AH00957"), + dup2, + dup3, +])); + +var msg83 = msg("reverseproxy:45", part91); + +var part92 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] AH00959: ap_proxy_connect_backend disabling worker for ('), Field(daddr,false), Constant(') for '), Field(processing_time,false), Constant('s')}" +match("MESSAGE#83:reverseproxy:46", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] AH00959: ap_proxy_connect_backend disabling worker for (%{daddr}) for %{processing_time}s", processor_chain([ + dup16, + setc("event_id","AH00959"), + setc("result","disabling worker"), + dup2, + dup3, +])); + +var msg84 = msg("reverseproxy:46", part92); + +var part93 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ['), Field(fld5,false), Constant('] not all the file sent to the client: '), Field(fld6,false), Constant(', referer: '), Field(web_referer,false)}" +match("MESSAGE#84:reverseproxy:47", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] [%{fld5}] not all the file sent to the client: %{fld6}, referer: %{web_referer}", processor_chain([ + setc("eventcategory","1801000000"), + setc("context","Not all file sent to client"), + dup2, + dup3, +])); + +var msg85 = msg("reverseproxy:47", part93); + +var part94 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] AH01114: '), Field(network_service,false), Constant(': failed to make connection to backend: '), Field(daddr,false), Constant(', referer: '), Field(web_referer,false)}" +match("MESSAGE#85:reverseproxy:48", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}, referer: %{web_referer}", processor_chain([ + dup25, + dup31, + dup32, + dup2, + dup3, +])); + +var msg86 = msg("reverseproxy:48", part94); + +var part95 = // "Pattern{Constant('['), Field(fld3,false), Constant('] ['), Field(event_log,false), Constant(':'), Field(severity,false), Constant('] [pid '), Field(process_id,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] AH01114: '), Field(network_service,false), Constant(': failed to make connection to backend: '), Field(daddr,false)}" +match("MESSAGE#86:reverseproxy:49", "nwparser.payload", "[%{fld3}] [%{event_log}:%{severity}] [pid %{process_id}:%{fld4}] [client %{gateway}] AH01114: %{network_service}: failed to make connection to backend: %{daddr}", processor_chain([ + dup25, + dup31, + dup32, + dup2, + dup3, +])); + +var msg87 = msg("reverseproxy:49", part95); + +var part96 = tagval("MESSAGE#87:reverseproxy:05", "nwparser.payload", tvm, { + "cookie": "web_cookie", + "exceptions": "policy_waiver", + "extra": "info", + "host": "dhost", + "id": "policy_id", + "localip": "fld3", + "method": "web_method", + "reason": "comments", + "referer": "web_referer", + "server": "daddr", + "set-cookie": "fld5", + "size": "fld4", + "srcip": "saddr", + "statuscode": "resultcode", + "time": "processing_time", + "url": "web_root", + "user": "username", +}, processor_chain([ + setc("eventcategory","1802000000"), + dup2, + dup3, +])); + +var msg88 = msg("reverseproxy:05", part96); + +var select8 = linear_select([ + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + msg64, + msg65, + msg66, + msg67, + msg68, + msg69, + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, +]); + +var part97 = tagval("MESSAGE#88:confd-sync", "nwparser.payload", tvm, { + "id": "fld5", + "name": "event_description", + "severity": "severity", + "sub": "service", + "sys": "fld2", +}, processor_chain([ + dup1, + dup11, + dup2, +])); + +var msg89 = msg("confd-sync", part97); + +var part98 = tagval("MESSAGE#89:confd:01", "nwparser.payload", tvm, { + "account": "logon_id", + "attributes": "obj_name", + "class": "group_object", + "client": "fld3", + "count": "fld4", + "facility": "logon_type", + "id": "fld1", + "name": "event_description", + "node": "node", + "object": "fld6", + "severity": "severity", + "srcip": "saddr", + "storage": "directory", + "sub": "service", + "sys": "fld2", + "type": "obj_type", + "user": "username", + "version": "version", +}, processor_chain([ + dup1, + dup11, + dup2, +])); + +var msg90 = msg("confd:01", part98); + +var part99 = // "Pattern{Constant('Frox started'), Field(,false)}" +match("MESSAGE#90:frox", "nwparser.payload", "Frox started%{}", processor_chain([ + dup12, + setc("event_description","frox:FTP Proxy Frox started."), + dup11, + dup2, +])); + +var msg91 = msg("frox", part99); + +var part100 = // "Pattern{Constant('Listening on '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#91:frox:01", "nwparser.payload", "Listening on %{saddr}:%{sport}", processor_chain([ + dup12, + setc("event_description","frox:FTP Proxy listening on port."), + dup11, + dup2, +])); + +var msg92 = msg("frox:01", part100); + +var part101 = // "Pattern{Constant('Dropped privileges'), Field(,false)}" +match("MESSAGE#92:frox:02", "nwparser.payload", "Dropped privileges%{}", processor_chain([ + dup12, + setc("event_description","frox:FTP Proxy dropped priveleges."), + dup11, + dup2, +])); + +var msg93 = msg("frox:02", part101); + +var select9 = linear_select([ + msg91, + msg92, + msg93, +]); + +var part102 = // "Pattern{Constant('Classifier configuration reloaded successfully'), Field(,false)}" +match("MESSAGE#93:afcd", "nwparser.payload", "Classifier configuration reloaded successfully%{}", processor_chain([ + dup12, + setc("event_description","afcd: IM/P2P Classifier configuration reloaded successfully."), + dup11, + dup2, +])); + +var msg94 = msg("afcd", part102); + +var part103 = // "Pattern{Constant('Starting strongSwan '), Field(fld2,true), Constant(' IPsec [starter]...')}" +match("MESSAGE#94:ipsec_starter", "nwparser.payload", "Starting strongSwan %{fld2->} IPsec [starter]...", processor_chain([ + dup12, + setc("event_description","ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]..."), + dup11, + dup2, +])); + +var msg95 = msg("ipsec_starter", part103); + +var part104 = // "Pattern{Constant('IP address or index of physical interface changed -> reinit of ipsec interface'), Field(,false)}" +match("MESSAGE#95:ipsec_starter:01", "nwparser.payload", "IP address or index of physical interface changed -> reinit of ipsec interface%{}", processor_chain([ + dup12, + setc("event_description","ipsec_starter: IP address or index of physical interface changed."), + dup11, + dup2, +])); + +var msg96 = msg("ipsec_starter:01", part104); + +var select10 = linear_select([ + msg95, + msg96, +]); + +var part105 = // "Pattern{Constant('Starting Pluto ('), Field(info,false), Constant(')')}" +match("MESSAGE#96:pluto", "nwparser.payload", "Starting Pluto (%{info})", processor_chain([ + dup12, + setc("event_description","pluto: Starting Pluto."), + dup11, + dup2, +])); + +var msg97 = msg("pluto", part105); + +var part106 = // "Pattern{Constant('including NAT-Traversal patch ('), Field(info,false), Constant(')')}" +match("MESSAGE#97:pluto:01", "nwparser.payload", "including NAT-Traversal patch (%{info})", processor_chain([ + dup12, + setc("event_description","pluto: including NAT-Traversal patch."), + dup11, + dup2, +])); + +var msg98 = msg("pluto:01", part106); + +var part107 = // "Pattern{Constant('ike_alg: Activating '), Field(info,true), Constant(' encryption: Ok')}" +match("MESSAGE#98:pluto:02", "nwparser.payload", "ike_alg: Activating %{info->} encryption: Ok", processor_chain([ + dup33, + setc("event_description","pluto: Activating encryption algorithm."), + dup11, + dup2, +])); + +var msg99 = msg("pluto:02", part107); + +var part108 = // "Pattern{Constant('ike_alg: Activating '), Field(info,true), Constant(' hash: Ok')}" +match("MESSAGE#99:pluto:03", "nwparser.payload", "ike_alg: Activating %{info->} hash: Ok", processor_chain([ + dup33, + setc("event_description","pluto: Activating hash algorithm."), + dup11, + dup2, +])); + +var msg100 = msg("pluto:03", part108); + +var part109 = // "Pattern{Constant('Testing registered IKE encryption algorithms:'), Field(,false)}" +match("MESSAGE#100:pluto:04", "nwparser.payload", "Testing registered IKE encryption algorithms:%{}", processor_chain([ + dup12, + setc("event_description","pluto: Testing registered IKE encryption algorithms"), + dup11, + dup2, +])); + +var msg101 = msg("pluto:04", part109); + +var part110 = // "Pattern{Field(info,true), Constant(' self-test not available')}" +match("MESSAGE#101:pluto:05", "nwparser.payload", "%{info->} self-test not available", processor_chain([ + dup12, + setc("event_description","pluto: Algorithm self-test not available."), + dup11, + dup2, +])); + +var msg102 = msg("pluto:05", part110); + +var part111 = // "Pattern{Field(info,true), Constant(' self-test passed')}" +match("MESSAGE#102:pluto:06", "nwparser.payload", "%{info->} self-test passed", processor_chain([ + dup12, + setc("event_description","pluto: Algorithm self-test passed."), + dup11, + dup2, +])); + +var msg103 = msg("pluto:06", part111); + +var part112 = // "Pattern{Constant('Using KLIPS IPsec interface code'), Field(,false)}" +match("MESSAGE#103:pluto:07", "nwparser.payload", "Using KLIPS IPsec interface code%{}", processor_chain([ + dup12, + setc("event_description","pluto: Using KLIPS IPsec interface code"), + dup11, + dup2, +])); + +var msg104 = msg("pluto:07", part112); + +var part113 = // "Pattern{Constant('adding interface '), Field(interface,true), Constant(' '), Field(saddr,false), Constant(':'), Field(sport,false)}" +match("MESSAGE#104:pluto:08", "nwparser.payload", "adding interface %{interface->} %{saddr}:%{sport}", processor_chain([ + dup12, + setc("event_description","pluto: adding interface"), + dup11, + dup2, +])); + +var msg105 = msg("pluto:08", part113); + +var part114 = // "Pattern{Constant('loading secrets from "'), Field(filename,false), Constant('"')}" +match("MESSAGE#105:pluto:09", "nwparser.payload", "loading secrets from \"%{filename}\"", processor_chain([ + dup34, + setc("event_description","pluto: loading secrets"), + dup11, + dup2, +])); + +var msg106 = msg("pluto:09", part114); + +var part115 = // "Pattern{Constant('loaded private key file ''), Field(filename,false), Constant('' ('), Field(filename_size,true), Constant(' bytes)')}" +match("MESSAGE#106:pluto:10", "nwparser.payload", "loaded private key file '%{filename}' (%{filename_size->} bytes)", processor_chain([ + dup34, + setc("event_description","pluto: loaded private key file"), + dup11, + dup2, +])); + +var msg107 = msg("pluto:10", part115); + +var part116 = // "Pattern{Constant('added connection description "'), Field(fld2,false), Constant('"')}" +match("MESSAGE#107:pluto:11", "nwparser.payload", "added connection description \"%{fld2}\"", processor_chain([ + dup12, + setc("event_description","pluto: added connection description"), + dup11, + dup2, +])); + +var msg108 = msg("pluto:11", part116); + +var part117 = // "Pattern{Constant('"'), Field(fld2,false), Constant('" #'), Field(fld3,false), Constant(': initiating Main Mode')}" +match("MESSAGE#108:pluto:12", "nwparser.payload", "\"%{fld2}\" #%{fld3}: initiating Main Mode", processor_chain([ + dup12, + dup35, + dup11, + dup2, +])); + +var msg109 = msg("pluto:12", part117); + +var part118 = // "Pattern{Constant('"'), Field(fld2,false), Constant('" #'), Field(fld3,false), Constant(': max number of retransmissions ('), Field(fld4,false), Constant(') reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message')}" +match("MESSAGE#109:pluto:13", "nwparser.payload", "\"%{fld2}\" #%{fld3}: max number of retransmissions (%{fld4}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ + dup10, + dup36, + dup11, + dup2, +])); + +var msg110 = msg("pluto:13", part118); + +var part119 = // "Pattern{Constant('"'), Field(fld2,false), Constant('" #'), Field(fld3,false), Constant(': starting keying attempt '), Field(fld4,true), Constant(' of an unlimited number')}" +match("MESSAGE#110:pluto:14", "nwparser.payload", "\"%{fld2}\" #%{fld3}: starting keying attempt %{fld4->} of an unlimited number", processor_chain([ + dup12, + dup37, + dup11, + dup2, +])); + +var msg111 = msg("pluto:14", part119); + +var part120 = // "Pattern{Constant('forgetting secrets'), Field(,false)}" +match("MESSAGE#111:pluto:15", "nwparser.payload", "forgetting secrets%{}", processor_chain([ + dup12, + setc("event_description","pluto:forgetting secrets"), + dup11, + dup2, +])); + +var msg112 = msg("pluto:15", part120); + +var part121 = // "Pattern{Constant('Changing to directory ''), Field(directory,false), Constant(''')}" +match("MESSAGE#112:pluto:17", "nwparser.payload", "Changing to directory '%{directory}'", processor_chain([ + dup12, + setc("event_description","pluto:Changing to directory"), + dup11, + dup2, +])); + +var msg113 = msg("pluto:17", part121); + +var part122 = // "Pattern{Constant('| *time to handle event'), Field(,false)}" +match("MESSAGE#113:pluto:18", "nwparser.payload", "| *time to handle event%{}", processor_chain([ + dup12, + setc("event_description","pluto:*time to handle event"), + dup11, + dup2, +])); + +var msg114 = msg("pluto:18", part122); + +var part123 = // "Pattern{Constant('| *received kernel message'), Field(,false)}" +match("MESSAGE#114:pluto:19", "nwparser.payload", "| *received kernel message%{}", processor_chain([ + dup12, + setc("event_description","pluto:*received kernel message"), + dup11, + dup2, +])); + +var msg115 = msg("pluto:19", part123); + +var part124 = // "Pattern{Constant('| rejected packet:'), Field(,false)}" +match("MESSAGE#115:pluto:20", "nwparser.payload", "| rejected packet:%{}", processor_chain([ + dup25, + setc("event_description","pluto:rejected packet"), + dup11, + dup2, +])); + +var msg116 = msg("pluto:20", part124); + +var part125 = // "Pattern{Constant('| next event '), Field(event_type,true), Constant(' in '), Field(fld2,true), Constant(' seconds for #'), Field(fld3,false)}" +match("MESSAGE#116:pluto:21", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ + dup12, + dup11, + dup2, +])); + +var msg117 = msg("pluto:21", part125); + +var part126 = // "Pattern{Constant('| next event '), Field(event_type,true), Constant(' in '), Field(fld2,true), Constant(' seconds')}" +match("MESSAGE#117:pluto:22", "nwparser.payload", "| next event %{event_type->} in %{fld2->} seconds", processor_chain([ + dup12, + dup11, + dup2, +])); + +var msg118 = msg("pluto:22", part126); + +var part127 = // "Pattern{Constant('| inserting event '), Field(event_type,true), Constant(' in '), Field(fld2,true), Constant(' seconds for #'), Field(fld3,false)}" +match("MESSAGE#118:pluto:23", "nwparser.payload", "| inserting event %{event_type->} in %{fld2->} seconds for #%{fld3}", processor_chain([ + dup12, + dup11, + dup2, +])); + +var msg119 = msg("pluto:23", part127); + +var part128 = // "Pattern{Constant('| event after this is '), Field(event_type,true), Constant(' in '), Field(fld2,true), Constant(' seconds')}" +match("MESSAGE#119:pluto:24", "nwparser.payload", "| event after this is %{event_type->} in %{fld2->} seconds", processor_chain([ + dup12, + dup11, + dup2, +])); + +var msg120 = msg("pluto:24", part128); + +var part129 = // "Pattern{Constant('| recent '), Field(action,true), Constant(' activity '), Field(fld2,true), Constant(' seconds ago, '), Field(info,false)}" +match("MESSAGE#120:pluto:25", "nwparser.payload", "| recent %{action->} activity %{fld2->} seconds ago, %{info}", processor_chain([ + dup12, + dup11, + dup2, +])); + +var msg121 = msg("pluto:25", part129); + +var part130 = // "Pattern{Constant('| *received '), Field(rbytes,true), Constant(' bytes from '), Field(saddr,false), Constant(':'), Field(sport,true), Constant(' on '), Field(dinterface,false)}" +match("MESSAGE#121:pluto:26", "nwparser.payload", "| *received %{rbytes->} bytes from %{saddr}:%{sport->} on %{dinterface}", processor_chain([ + dup12, + dup11, + dup2, +])); + +var msg122 = msg("pluto:26", part130); + +var part131 = // "Pattern{Constant('| received '), Field(action,true), Constant(' notification '), Field(msg,true), Constant(' with seqno = '), Field(fld2,false)}" +match("MESSAGE#122:pluto:27", "nwparser.payload", "| received %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ + dup12, + dup11, + dup2, +])); + +var msg123 = msg("pluto:27", part131); + +var part132 = // "Pattern{Constant('| sent '), Field(action,true), Constant(' notification '), Field(msg,true), Constant(' with seqno = '), Field(fld2,false)}" +match("MESSAGE#123:pluto:28", "nwparser.payload", "| sent %{action->} notification %{msg->} with seqno = %{fld2}", processor_chain([ + dup12, + dup11, + dup2, +])); + +var msg124 = msg("pluto:28", part132); + +var part133 = // "Pattern{Constant('| inserting event '), Field(event_type,false), Constant(', timeout in '), Field(fld2,true), Constant(' seconds')}" +match("MESSAGE#124:pluto:29", "nwparser.payload", "| inserting event %{event_type}, timeout in %{fld2->} seconds", processor_chain([ + dup12, + dup11, + dup2, +])); + +var msg125 = msg("pluto:29", part133); + +var part134 = // "Pattern{Constant('| handling event '), Field(event_type,true), Constant(' for '), Field(saddr,true), Constant(' "'), Field(fld2,false), Constant('" #'), Field(fld3,false)}" +match("MESSAGE#125:pluto:30", "nwparser.payload", "| handling event %{event_type->} for %{saddr->} \"%{fld2}\" #%{fld3}", processor_chain([ + dup12, + dup11, + dup2, +])); + +var msg126 = msg("pluto:30", part134); + +var part135 = // "Pattern{Constant('| '), Field(event_description,false)}" +match("MESSAGE#126:pluto:31", "nwparser.payload", "| %{event_description}", processor_chain([ + dup12, + dup11, + dup2, +])); + +var msg127 = msg("pluto:31", part135); + +var part136 = // "Pattern{Field(fld2,false), Constant(': asynchronous network error report on '), Field(interface,true), Constant(' for message to '), Field(daddr,true), Constant(' port '), Field(dport,false), Constant(', complainant '), Field(saddr,false), Constant(': Connection refused [errno '), Field(fld4,false), Constant(', origin ICMP type '), Field(icmptype,true), Constant(' code '), Field(icmpcode,true), Constant(' (not authenticated)]')}" +match("MESSAGE#127:pluto:32", "nwparser.payload", "%{fld2}: asynchronous network error report on %{interface->} for message to %{daddr->} port %{dport}, complainant %{saddr}: Connection refused [errno %{fld4}, origin ICMP type %{icmptype->} code %{icmpcode->} (not authenticated)]", processor_chain([ + dup12, + setc("event_description","not authenticated"), + dup11, + dup2, +])); + +var msg128 = msg("pluto:32", part136); + +var part137 = // "Pattern{Constant('"'), Field(fld2,false), Constant('"['), Field(fld4,false), Constant('] '), Field(saddr,true), Constant(' #'), Field(fld3,false), Constant(': initiating Main Mode')}" +match("MESSAGE#128:pluto:33", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: initiating Main Mode", processor_chain([ + dup12, + dup35, + dup11, + dup2, +])); + +var msg129 = msg("pluto:33", part137); + +var part138 = // "Pattern{Constant('"'), Field(fld2,false), Constant('"['), Field(fld4,false), Constant('] '), Field(saddr,true), Constant(' #'), Field(fld3,false), Constant(': max number of retransmissions ('), Field(fld5,false), Constant(') reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message')}" +match("MESSAGE#129:pluto:34", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: max number of retransmissions (%{fld5}) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message", processor_chain([ + dup12, + dup36, + dup11, + dup2, +])); + +var msg130 = msg("pluto:34", part138); + +var part139 = // "Pattern{Constant('"'), Field(fld2,false), Constant('"['), Field(fld4,false), Constant('] '), Field(saddr,true), Constant(' #'), Field(fld3,false), Constant(': starting keying attempt '), Field(fld5,true), Constant(' of an unlimited number')}" +match("MESSAGE#130:pluto:35", "nwparser.payload", "\"%{fld2}\"[%{fld4}] %{saddr->} #%{fld3}: starting keying attempt %{fld5->} of an unlimited number", processor_chain([ + dup12, + dup37, + dup11, + dup2, +])); + +var msg131 = msg("pluto:35", part139); + +var select11 = linear_select([ + msg97, + msg98, + msg99, + msg100, + msg101, + msg102, + msg103, + msg104, + msg105, + msg106, + msg107, + msg108, + msg109, + msg110, + msg111, + msg112, + msg113, + msg114, + msg115, + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + msg123, + msg124, + msg125, + msg126, + msg127, + msg128, + msg129, + msg130, + msg131, +]); + +var part140 = // "Pattern{Constant('This binary does not support kernel L2TP.'), Field(,false)}" +match("MESSAGE#131:xl2tpd", "nwparser.payload", "This binary does not support kernel L2TP.%{}", processor_chain([ + setc("eventcategory","1607000000"), + setc("event_description","xl2tpd:This binary does not support kernel L2TP."), + dup11, + dup2, +])); + +var msg132 = msg("xl2tpd", part140); + +var part141 = // "Pattern{Constant('xl2tpd version '), Field(version,true), Constant(' started on PID:'), Field(fld2,false)}" +match("MESSAGE#132:xl2tpd:01", "nwparser.payload", "xl2tpd version %{version->} started on PID:%{fld2}", processor_chain([ + dup12, + setc("event_description","xl2tpd:xl2tpd started."), + dup11, + dup2, +])); + +var msg133 = msg("xl2tpd:01", part141); + +var part142 = // "Pattern{Constant('Written by '), Field(info,false)}" +match("MESSAGE#133:xl2tpd:02", "nwparser.payload", "Written by %{info}", processor_chain([ + dup12, + dup38, + dup11, + dup2, +])); + +var msg134 = msg("xl2tpd:02", part142); + +var part143 = // "Pattern{Constant('Forked by '), Field(info,false)}" +match("MESSAGE#134:xl2tpd:03", "nwparser.payload", "Forked by %{info}", processor_chain([ + dup12, + dup38, + dup11, + dup2, +])); + +var msg135 = msg("xl2tpd:03", part143); + +var part144 = // "Pattern{Constant('Inherited by '), Field(info,false)}" +match("MESSAGE#135:xl2tpd:04", "nwparser.payload", "Inherited by %{info}", processor_chain([ + dup12, + dup38, + dup11, + dup2, +])); + +var msg136 = msg("xl2tpd:04", part144); + +var part145 = // "Pattern{Constant('Listening on IP address '), Field(saddr,false), Constant(', port '), Field(sport,false)}" +match("MESSAGE#136:xl2tpd:05", "nwparser.payload", "Listening on IP address %{saddr}, port %{sport}", processor_chain([ + dup12, + dup38, + dup11, + dup2, +])); + +var msg137 = msg("xl2tpd:05", part145); + +var select12 = linear_select([ + msg132, + msg133, + msg134, + msg135, + msg136, + msg137, +]); + +var part146 = // "Pattern{Constant('Exiting'), Field(,false)}" +match("MESSAGE#137:barnyard:01", "nwparser.payload", "Exiting%{}", processor_chain([ + dup12, + setc("event_description","barnyard: Exiting"), + dup11, + dup2, +])); + +var msg138 = msg("barnyard:01", part146); + +var part147 = // "Pattern{Constant('Initializing daemon mode'), Field(,false)}" +match("MESSAGE#138:barnyard:02", "nwparser.payload", "Initializing daemon mode%{}", processor_chain([ + dup12, + setc("event_description","barnyard:Initializing daemon mode"), + dup11, + dup2, +])); + +var msg139 = msg("barnyard:02", part147); + +var part148 = // "Pattern{Constant('Opened spool file ''), Field(filename,false), Constant(''')}" +match("MESSAGE#139:barnyard:03", "nwparser.payload", "Opened spool file '%{filename}'", processor_chain([ + dup12, + setc("event_description","barnyard:Opened spool file."), + dup11, + dup2, +])); + +var msg140 = msg("barnyard:03", part148); + +var part149 = // "Pattern{Constant('Waiting for new data'), Field(,false)}" +match("MESSAGE#140:barnyard:04", "nwparser.payload", "Waiting for new data%{}", processor_chain([ + dup12, + setc("event_description","barnyard:Waiting for new data"), + dup11, + dup2, +])); + +var msg141 = msg("barnyard:04", part149); + +var select13 = linear_select([ + msg138, + msg139, + msg140, + msg141, +]); + +var part150 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' SMTP connection from localhost ('), Field(hostname,false), Constant(') ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' closed by QUIT')}" +match("MESSAGE#141:exim:01", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from localhost (%{hostname}) [%{saddr}]:%{sport->} closed by QUIT", processor_chain([ + dup12, + setc("event_description","exim:SMTP connection from localhost closed by QUIT"), + dup11, + dup2, +])); + +var msg142 = msg("exim:01", part150); + +var part151 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' ['), Field(saddr,false), Constant('] F=<<'), Field(from,false), Constant('> R=<<'), Field(to,false), Constant('> Accepted: '), Field(info,false)}" +match("MESSAGE#142:exim:02", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} [%{saddr}] F=\u003c\u003c%{from}> R=\u003c\u003c%{to}> Accepted: %{info}", processor_chain([ + setc("eventcategory","1207010000"), + setc("event_description","exim:e-mail accepted from relay."), + dup11, + dup2, +])); + +var msg143 = msg("exim:02", part151); + +var part152 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' '), Field(fld8,true), Constant(' <<= '), Field(from,true), Constant(' H=localhost ('), Field(hostname,false), Constant(') ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' P='), Field(protocol,true), Constant(' S='), Field(fld9,true), Constant(' id='), Field(info,false)}" +match("MESSAGE#143:exim:03", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} \u003c\u003c= %{from->} H=localhost (%{hostname}) [%{saddr}]:%{sport->} P=%{protocol->} S=%{fld9->} id=%{info}", processor_chain([ + setc("eventcategory","1207000000"), + setc("event_description","exim: e-mail sent."), + dup11, + dup2, +])); + +var msg144 = msg("exim:03", part152); + +var part153 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' '), Field(fld8,true), Constant(' == '), Field(from,true), Constant(' R=dnslookup defer ('), Field(fld9,false), Constant('): host lookup did not complete')}" +match("MESSAGE#144:exim:04", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} R=dnslookup defer (%{fld9}): host lookup did not complete", processor_chain([ + dup39, + setc("event_description","exim: e-mail host lookup did not complete in DNS."), + dup11, + dup2, +])); + +var msg145 = msg("exim:04", part153); + +var part154 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' '), Field(fld8,true), Constant(' == '), Field(from,true), Constant(' routing defer ('), Field(fld9,false), Constant('): retry time not reached')}" +match("MESSAGE#145:exim:05", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld8->} == %{from->} routing defer (%{fld9}): retry time not reached", processor_chain([ + dup39, + setc("event_description","exim: e-mail routing defer:retry time not reached."), + dup11, + dup2, +])); + +var msg146 = msg("exim:05", part154); + +var part155 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' exim '), Field(version,true), Constant(' daemon started: pid='), Field(fld8,false), Constant(', no queue runs, listening for SMTP on port '), Field(sport,true), Constant(' ('), Field(info,false), Constant(') port '), Field(fld9,true), Constant(' ('), Field(fld10,false), Constant(') and for SMTPS on port '), Field(fld11,true), Constant(' ('), Field(fld12,false), Constant(')')}" +match("MESSAGE#146:exim:06", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} exim %{version->} daemon started: pid=%{fld8}, no queue runs, listening for SMTP on port %{sport->} (%{info}) port %{fld9->} (%{fld10}) and for SMTPS on port %{fld11->} (%{fld12})", processor_chain([ + dup12, + setc("event_description","exim: exim daemon started."), + dup11, + dup2, +])); + +var msg147 = msg("exim:06", part155); + +var part156 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' Start queue run: pid='), Field(fld8,false)}" +match("MESSAGE#147:exim:07", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} Start queue run: pid=%{fld8}", processor_chain([ + dup12, + setc("event_description","exim: Start queue run."), + dup11, + dup2, +])); + +var msg148 = msg("exim:07", part156); + +var part157 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' pid '), Field(fld8,false), Constant(': SIGHUP received: re-exec daemon')}" +match("MESSAGE#148:exim:08", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} pid %{fld8}: SIGHUP received: re-exec daemon", processor_chain([ + dup12, + setc("event_description","exim: SIGHUP received: re-exec daemon."), + dup11, + dup2, +])); + +var msg149 = msg("exim:08", part157); + +var part158 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' SMTP connection from ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' '), Field(info,false)}" +match("MESSAGE#149:exim:09", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ + dup12, + setc("event_description","exim: SMTP connection from host."), + dup11, + dup2, +])); + +var msg150 = msg("exim:09", part158); + +var part159 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' rejected EHLO from ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' '), Field(info,false)}" +match("MESSAGE#150:exim:10", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} rejected EHLO from [%{saddr}]:%{sport->} %{info}", processor_chain([ + dup12, + setc("event_description","exim:rejected EHLO from host."), + dup11, + dup2, +])); + +var msg151 = msg("exim:10", part159); + +var part160 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' SMTP protocol synchronization error ('), Field(result,false), Constant('): '), Field(fld8,true), Constant(' H=['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' '), Field(info,false)}" +match("MESSAGE#151:exim:11", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} SMTP protocol synchronization error (%{result}): %{fld8->} H=[%{saddr}]:%{sport->} %{info}", processor_chain([ + dup12, + setc("event_description","exim:SMTP protocol synchronization error rejected connection from host."), + dup11, + dup2, +])); + +var msg152 = msg("exim:11", part160); + +var part161 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' TLS error on connection from ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' '), Field(info,false)}" +match("MESSAGE#152:exim:12", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} TLS error on connection from [%{saddr}]:%{sport->} %{info}", processor_chain([ + dup12, + setc("event_description","exim:TLS error on connection from host."), + dup11, + dup2, +])); + +var msg153 = msg("exim:12", part161); + +var part162 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' '), Field(fld10,true), Constant(' == '), Field(hostname,true), Constant(' R='), Field(fld8,true), Constant(' T='), Field(fld9,false), Constant(': '), Field(info,false)}" +match("MESSAGE#153:exim:13", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} == %{hostname->} R=%{fld8->} T=%{fld9}: %{info}", processor_chain([ + dup12, + dup40, + dup11, + dup2, +])); + +var msg154 = msg("exim:13", part162); + +var part163 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' '), Field(fld10,true), Constant(' '), Field(hostname,true), Constant(' ['), Field(saddr,false), Constant(']:'), Field(sport,true), Constant(' '), Field(info,false)}" +match("MESSAGE#154:exim:14", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} %{fld10->} %{hostname->} [%{saddr}]:%{sport->} %{info}", processor_chain([ + dup12, + dup40, + dup11, + dup2, +])); + +var msg155 = msg("exim:14", part163); + +var part164 = // "Pattern{Field(fld2,false), Constant('-'), Field(fld3,false), Constant('-'), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(':'), Field(fld6,false), Constant(':'), Field(fld7,true), Constant(' End queue run: '), Field(info,false)}" +match("MESSAGE#155:exim:15", "nwparser.payload", "%{fld2}-%{fld3}-%{fld4->} %{fld5}:%{fld6}:%{fld7->} End queue run: %{info}", processor_chain([ + dup12, + dup40, + dup11, + dup2, +])); + +var msg156 = msg("exim:15", part164); + +var part165 = // "Pattern{Field(fld2,true), Constant(' '), Field(fld3,false)}" +match("MESSAGE#156:exim:16", "nwparser.payload", "%{fld2->} %{fld3}", processor_chain([ + dup12, + dup11, + dup2, +])); + +var msg157 = msg("exim:16", part165); + +var select14 = linear_select([ + msg142, + msg143, + msg144, + msg145, + msg146, + msg147, + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, + msg155, + msg156, + msg157, +]); + +var part166 = // "Pattern{Constant('QMGR['), Field(fld2,false), Constant(']: '), Field(fld3,true), Constant(' moved to work queue')}" +match("MESSAGE#157:smtpd:01", "nwparser.payload", "QMGR[%{fld2}]: %{fld3->} moved to work queue", processor_chain([ + dup12, + setc("event_description","smtpd: Process moved to work queue."), + dup11, + dup2, +])); + +var msg158 = msg("smtpd:01", part166); + +var part167 = // "Pattern{Constant('SCANNER['), Field(fld3,false), Constant(']: id="1000" severity="'), Field(severity,false), Constant('" sys="'), Field(fld4,false), Constant('" sub="'), Field(service,false), Constant('" name="'), Field(event_description,false), Constant('" srcip="'), Field(saddr,false), Constant('" from="'), Field(from,false), Constant('" to="'), Field(to,false), Constant('" subject="'), Field(subject,false), Constant('" queueid="'), Field(fld5,false), Constant('" size="'), Field(rbytes,false), Constant('"')}" +match("MESSAGE#158:smtpd:02", "nwparser.payload", "SCANNER[%{fld3}]: id=\"1000\" severity=\"%{severity}\" sys=\"%{fld4}\" sub=\"%{service}\" name=\"%{event_description}\" srcip=\"%{saddr}\" from=\"%{from}\" to=\"%{to}\" subject=\"%{subject}\" queueid=\"%{fld5}\" size=\"%{rbytes}\"", processor_chain([ + setc("eventcategory","1207010100"), + dup11, + dup2, +])); + +var msg159 = msg("smtpd:02", part167); + +var part168 = // "Pattern{Constant('SCANNER['), Field(fld3,false), Constant(']: Nothing to do, exiting.')}" +match("MESSAGE#159:smtpd:03", "nwparser.payload", "SCANNER[%{fld3}]: Nothing to do, exiting.", processor_chain([ + dup12, + setc("event_description","smtpd: SCANNER: Nothing to do,exiting."), + dup11, + dup2, +])); + +var msg160 = msg("smtpd:03", part168); + +var part169 = // "Pattern{Constant('MASTER['), Field(fld3,false), Constant(']: QR globally disabled, status two set to 'disabled'')}" +match("MESSAGE#160:smtpd:04", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status two set to 'disabled'", processor_chain([ + dup12, + setc("event_description","smtpd: MASTER:QR globally disabled, status two set to disabled."), + dup11, + dup2, +])); + +var msg161 = msg("smtpd:04", part169); + +var part170 = // "Pattern{Constant('MASTER['), Field(fld3,false), Constant(']: QR globally disabled, status one set to 'disabled'')}" +match("MESSAGE#161:smtpd:07", "nwparser.payload", "MASTER[%{fld3}]: QR globally disabled, status one set to 'disabled'", processor_chain([ + dup12, + setc("event_description","smtpd: MASTER:QR globally disabled, status one set to disabled."), + dup11, + dup2, +])); + +var msg162 = msg("smtpd:07", part170); + +var part171 = // "Pattern{Constant('MASTER['), Field(fld3,false), Constant(']: (Re-)loading configuration from Confd')}" +match("MESSAGE#162:smtpd:05", "nwparser.payload", "MASTER[%{fld3}]: (Re-)loading configuration from Confd", processor_chain([ + dup12, + setc("event_description","smtpd: MASTER:(Re-)loading configuration from Confd."), + dup11, + dup2, +])); + +var msg163 = msg("smtpd:05", part171); + +var part172 = // "Pattern{Constant('MASTER['), Field(fld3,false), Constant(']: Sending QR one')}" +match("MESSAGE#163:smtpd:06", "nwparser.payload", "MASTER[%{fld3}]: Sending QR one", processor_chain([ + dup12, + setc("event_description","smtpd: MASTER:Sending QR one."), + dup11, + dup2, +])); + +var msg164 = msg("smtpd:06", part172); + +var select15 = linear_select([ + msg158, + msg159, + msg160, + msg161, + msg162, + msg163, + msg164, +]); + +var part173 = // "Pattern{Constant('Did not receive identification string from '), Field(fld18,false)}" +match("MESSAGE#164:sshd:01", "nwparser.payload", "Did not receive identification string from %{fld18}", processor_chain([ + dup10, + setc("event_description","sshd: Did not receive identification string."), + dup11, + dup2, +])); + +var msg165 = msg("sshd:01", part173); + +var part174 = // "Pattern{Constant('Received SIGHUP; restarting.'), Field(,false)}" +match("MESSAGE#165:sshd:02", "nwparser.payload", "Received SIGHUP; restarting.%{}", processor_chain([ + dup12, + setc("event_description","sshd:Received SIGHUP restarting."), + dup11, + dup2, +])); + +var msg166 = msg("sshd:02", part174); + +var part175 = // "Pattern{Constant('Server listening on '), Field(saddr,true), Constant(' port '), Field(sport,false), Constant('.')}" +match("MESSAGE#166:sshd:03", "nwparser.payload", "Server listening on %{saddr->} port %{sport}.", processor_chain([ + dup12, + setc("event_description","sshd:Server listening; restarting."), + dup11, + dup2, +])); + +var msg167 = msg("sshd:03", part175); + +var part176 = // "Pattern{Constant('Invalid user admin from '), Field(fld18,false)}" +match("MESSAGE#167:sshd:04", "nwparser.payload", "Invalid user admin from %{fld18}", processor_chain([ + dup41, + setc("event_description","sshd:Invalid user admin."), + dup11, + dup2, +])); + +var msg168 = msg("sshd:04", part176); + +var part177 = // "Pattern{Constant('Failed none for invalid user admin from '), Field(saddr,true), Constant(' port '), Field(sport,true), Constant(' '), Field(fld3,false)}" +match("MESSAGE#168:sshd:05", "nwparser.payload", "Failed none for invalid user admin from %{saddr->} port %{sport->} %{fld3}", processor_chain([ + dup41, + setc("event_description","sshd:Failed none for invalid user admin."), + dup11, + dup2, +])); + +var msg169 = msg("sshd:05", part177); + +var part178 = // "Pattern{Constant('error: Could not get shadow information for NOUSER'), Field(,false)}" +match("MESSAGE#169:sshd:06", "nwparser.payload", "error: Could not get shadow information for NOUSER%{}", processor_chain([ + dup10, + setc("event_description","sshd:error:Could not get shadow information for NOUSER"), + dup11, + dup2, +])); + +var msg170 = msg("sshd:06", part178); + +var part179 = // "Pattern{Constant('Failed password for root from '), Field(saddr,true), Constant(' port '), Field(sport,true), Constant(' '), Field(fld3,false)}" +match("MESSAGE#170:sshd:07", "nwparser.payload", "Failed password for root from %{saddr->} port %{sport->} %{fld3}", processor_chain([ + dup41, + setc("event_description","sshd:Failed password for root."), + dup11, + dup2, +])); + +var msg171 = msg("sshd:07", part179); + +var part180 = // "Pattern{Constant('Accepted password for loginuser from '), Field(saddr,true), Constant(' port '), Field(sport,true), Constant(' '), Field(fld3,false)}" +match("MESSAGE#171:sshd:08", "nwparser.payload", "Accepted password for loginuser from %{saddr->} port %{sport->} %{fld3}", processor_chain([ + setc("eventcategory","1302000000"), + setc("event_description","sshd:Accepted password for loginuser."), + dup11, + dup2, +])); + +var msg172 = msg("sshd:08", part180); + +var part181 = // "Pattern{Constant('subsystem request for sftp failed, subsystem not found'), Field(,false)}" +match("MESSAGE#172:sshd:09", "nwparser.payload", "subsystem request for sftp failed, subsystem not found%{}", processor_chain([ + dup10, + setc("event_description","sshd:subsystem request for sftp failed,subsystem not found."), + dup11, + dup2, +])); + +var msg173 = msg("sshd:09", part181); + +var select16 = linear_select([ + msg165, + msg166, + msg167, + msg168, + msg169, + msg170, + msg171, + msg172, + msg173, +]); + +var part182 = tagval("MESSAGE#173:aua:01", "nwparser.payload", tvm, { + "caller": "fld4", + "engine": "fld5", + "id": "fld1", + "name": "event_description", + "severity": "severity", + "srcip": "saddr", + "sub": "service", + "sys": "fld2", + "user": "username", +}, processor_chain([ + dup13, + dup11, + dup2, + dup45, + dup46, +])); + +var msg174 = msg("aua:01", part182); + +var part183 = // "Pattern{Constant('created new negotiatorchild'), Field(,false)}" +match("MESSAGE#174:sockd:01", "nwparser.payload", "created new negotiatorchild%{}", processor_chain([ + dup12, + setc("event_description","sockd: created new negotiatorchild."), + dup11, + dup2, +])); + +var msg175 = msg("sockd:01", part183); + +var part184 = // "Pattern{Constant('dante/server '), Field(version,true), Constant(' running')}" +match("MESSAGE#175:sockd:02", "nwparser.payload", "dante/server %{version->} running", processor_chain([ + dup12, + setc("event_description","sockd:dante/server running."), + dup11, + dup2, +])); + +var msg176 = msg("sockd:02", part184); + +var part185 = // "Pattern{Constant('sockdexit(): terminating on signal '), Field(fld2,false)}" +match("MESSAGE#176:sockd:03", "nwparser.payload", "sockdexit(): terminating on signal %{fld2}", processor_chain([ + dup12, + setc("event_description","sockd:sockdexit():terminating on signal."), + dup11, + dup2, +])); + +var msg177 = msg("sockd:03", part185); + +var select17 = linear_select([ + msg175, + msg176, + msg177, +]); + +var part186 = // "Pattern{Constant('Master started'), Field(,false)}" +match("MESSAGE#177:pop3proxy", "nwparser.payload", "Master started%{}", processor_chain([ + dup12, + setc("event_description","pop3proxy:Master started."), + dup11, + dup2, +])); + +var msg178 = msg("pop3proxy", part186); + +var part187 = tagval("MESSAGE#178:astarosg_TVM", "nwparser.payload", tvm, { + "account": "logon_id", + "action": "action", + "ad_domain": "fld5", + "app-id": "fld20", + "application": "fld19", + "attributes": "obj_name", + "auth": "fld15", + "authtime": "fld9", + "avscantime": "fld12", + "cached": "fld7", + "caller": "fld30", + "category": "policy_id", + "categoryname": "info", + "cattime": "fld11", + "class": "group_object", + "client": "fld3", + "content-type": "content_type", + "cookie": "web_cookie", + "count": "fld4", + "device": "fld14", + "dnstime": "fld10", + "dstip": "daddr", + "dstmac": "dmacaddr", + "dstport": "dport", + "engine": "fld31", + "error": "comments", + "exceptions": "fld17", + "extension": "web_extension", + "extra": "info", + "facility": "logon_type", + "file": "filename", + "filename": "filename", + "filteraction": "policyname", + "fullreqtime": "fld13", + "function": "action", + "fwrule": "policy_id", + "group": "group", + "host": "dhost", + "id": "rule", + "info": "context", + "initf": "sinterface", + "length": "fld25", + "line": "fld22", + "localip": "fld31", + "message": "context", + "method": "web_method", + "name": "event_description", + "node": "node", + "object": "fld6", + "outitf": "dinterface", + "prec": "fld30", + "profile": "owner", + "proto": "fld24", + "reason": "comments", + "referer": "web_referer", + "reputation": "fld18", + "request": "fld8", + "seq": "fld23", + "server": "daddr", + "set-cookie": "fld32", + "severity": "severity", + "size": "filename_size", + "srcip": "saddr", + "srcmac": "smacaddr", + "srcport": "sport", + "statuscode": "resultcode", + "storage": "directory", + "sub": "service", + "sys": "vsys", + "tcpflags": "fld29", + "time": "fld21", + "tos": "fld26", + "ttl": "fld28", + "type": "obj_type", + "ua": "fld16", + "url": "url", + "user": "username", + "version": "version", +}, processor_chain([ + dup12, + dup11, + dup2, + dup45, + dup46, +])); + +var msg179 = msg("astarosg_TVM", part187); + +var part188 = tagval("MESSAGE#179:httpd", "nwparser.payload", tvm, { + "account": "logon_id", + "action": "action", + "ad_domain": "fld5", + "app-id": "fld20", + "application": "fld19", + "attributes": "obj_name", + "auth": "fld15", + "authtime": "fld9", + "avscantime": "fld12", + "cached": "fld7", + "caller": "fld30", + "category": "policy_id", + "categoryname": "info", + "cattime": "fld11", + "class": "group_object", + "client": "fld3", + "content-type": "content_type", + "cookie": "web_cookie", + "count": "fld4", + "device": "fld14", + "dnstime": "fld10", + "dstip": "daddr", + "dstmac": "dmacaddr", + "dstport": "dport", + "engine": "fld31", + "error": "comments", + "exceptions": "fld17", + "extension": "web_extension", + "extra": "info", + "facility": "logon_type", + "file": "filename", + "filename": "filename", + "filteraction": "policyname", + "fullreqtime": "fld13", + "function": "action", + "fwrule": "policy_id", + "group": "group", + "host": "dhost", + "id": "rule", + "info": "context", + "initf": "sinterface", + "length": "fld25", + "line": "fld22", + "localip": "fld31", + "message": "context", + "method": "web_method", + "name": "event_description", + "node": "node", + "object": "fld6", + "outitf": "dinterface", + "port": "network_port", + "prec": "fld30", + "profile": "owner", + "proto": "fld24", + "query": "web_query", + "reason": "comments", + "referer": "web_referer", + "reputation": "fld18", + "request": "fld8", + "seq": "fld23", + "server": "daddr", + "set-cookie": "fld32", + "severity": "severity", + "size": "filename_size", + "srcip": "saddr", + "srcmac": "smacaddr", + "srcport": "sport", + "statuscode": "resultcode", + "storage": "directory", + "sub": "service", + "sys": "vsys", + "tcpflags": "fld29", + "time": "fld21", + "tos": "fld26", + "ttl": "fld28", + "type": "obj_type", + "ua": "fld16", + "uid": "uid", + "url": "url", + "user": "username", + "version": "version", +}, processor_chain([ + dup12, + dup11, + dup2, + dup45, + dup46, +])); + +var msg180 = msg("httpd", part188); + +var part189 = // "Pattern{Constant('['), Field(event_log,false), Constant(':'), Field(result,false), Constant('] [pid '), Field(fld3,false), Constant(':'), Field(fld4,false), Constant('] [client '), Field(gateway,false), Constant('] ModSecurity: Warning. '), Field(rulename,true), Constant(' [file "'), Field(filename,false), Constant('"] [line "'), Field(fld5,false), Constant('"] [id "'), Field(rule,false), Constant('"] [rev "'), Field(fld2,false), Constant('"] [msg "'), Field(event_description,false), Constant('"] [severity "'), Field(severity,false), Constant('"] [ver "'), Field(version,false), Constant('"] [maturity "'), Field(fld22,false), Constant('"] [accuracy "'), Field(fld23,false), Constant('"] [tag "'), Field(fld24,false), Constant('"] [hostname "'), Field(dhost,false), Constant('"] [uri "'), Field(web_root,false), Constant('"] [unique_id "'), Field(operation_id,false), Constant('"]'), Field(fld25,false)}" +match("MESSAGE#180:httpd:01", "nwparser.payload", "[%{event_log}:%{result}] [pid %{fld3}:%{fld4}] [client %{gateway}] ModSecurity: Warning. %{rulename->} [file \"%{filename}\"] [line \"%{fld5}\"] [id \"%{rule}\"] [rev \"%{fld2}\"] [msg \"%{event_description}\"] [severity \"%{severity}\"] [ver \"%{version}\"] [maturity \"%{fld22}\"] [accuracy \"%{fld23}\"] [tag \"%{fld24}\"] [hostname \"%{dhost}\"] [uri \"%{web_root}\"] [unique_id \"%{operation_id}\"]%{fld25}", processor_chain([ + setc("eventcategory","1502000000"), + dup2, + dup3, +])); + +var msg181 = msg("httpd:01", part189); + +var select18 = linear_select([ + msg180, + msg181, +]); + +var part190 = tagval("MESSAGE#181:Sophos_Firewall", "nwparser.payload", tvm, { + "activityname": "fld9", + "appfilter_policy_id": "fld10", + "application": "application", + "application_category": "fld23", + "application_risk": "risk_num", + "application_technology": "fld11", + "appresolvedby": "fld22", + "category": "fld4", + "category_type": "fld5", + "connevent": "fld19", + "connid": "connectionid", + "contenttype": "content_type", + "dir_disp": "fld18", + "domain": "fqdn", + "dst_country_code": "location_dst", + "dst_ip": "daddr", + "dst_port": "dport", + "dstzone": "dst_zone", + "dstzonetype": "fld17", + "duration": "duration", + "exceptions": "fld8", + "fw_rule_id": "rule_uid", + "hb_health": "fld21", + "httpresponsecode": "fld7", + "iap": "id1", + "in_interface": "sinterface", + "ips_policy_id": "policy_id", + "log_component": "event_source", + "log_subtype": "category", + "log_type": "event_type", + "message": "info", + "out_interface": "dinterface", + "override_token": "fld6", + "policy_type": "fld23", + "priority": "severity", + "protocol": "protocol", + "reason": "result", + "recv_bytes": "rbytes", + "recv_pkts": "fld15", + "referer": "web_referer", + "sent_bytes": "sbytes", + "sent_pkts": "fld14", + "src_country_code": "location_src", + "src_ip": "saddr", + "src_mac": "smacaddr", + "src_port": "sport", + "srczone": "src_zone", + "srczonetype": "fld16", + "status": "event_state", + "status_code": "resultcode", + "tran_dst_ip": "dtransaddr", + "tran_dst_port": "dtransport", + "tran_src_ip": "stransaddr", + "tran_src_port": "stransport", + "transactionid": "id2", + "url": "url", + "user_agent": "user_agent", + "user_gp": "group", + "user_name": "username", + "vconnid": "fld20", +}, processor_chain([ + setc("eventcategory","1204000000"), + dup2, + date_time({ + dest: "event_time", + args: ["hdate","htime"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dS], + ], + }), +])); + +var msg182 = msg("Sophos_Firewall", part190); + +var chain1 = processor_chain([ + select1, + msgid_select({ + "Sophos_Firewall": msg182, + "URID": msg38, + "afcd": msg94, + "astarosg_TVM": msg179, + "aua": msg174, + "barnyard": select13, + "confd": msg90, + "confd-sync": msg89, + "exim": select14, + "frox": select9, + "httpd": select18, + "httpproxy": select3, + "ipsec_starter": select10, + "named": select2, + "pluto": select11, + "pop3proxy": msg178, + "reverseproxy": select8, + "smtpd": select15, + "sockd": select17, + "sshd": select16, + "ulogd": msg39, + "xl2tpd": select12, + }), +]); + +var part191 = // "Pattern{Field(p0,false)}" +match_copy("MESSAGE#44:reverseproxy:07/1_0", "nwparser.p0", "p0"); diff --git a/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml b/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml new file mode 100644 index 00000000000..62aaa2a3c30 --- /dev/null +++ b/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml @@ -0,0 +1,69 @@ +--- +description: Pipeline for Astaro Security Gateway + +processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' + - append: + field: related.hosts + value: '{{destination.address}}' + allow_duplicates: false + if: ctx?.destination?.address != null && ctx.destination?.address != '' +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/sophos/utm/manifest.yml b/x-pack/filebeat/module/sophos/utm/manifest.yml new file mode 100644 index 00000000000..bdf9d503458 --- /dev/null +++ b/x-pack/filebeat/module/sophos/utm/manifest.yml @@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["sophos.utm", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9533 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/sophos/utm/test/generated.log b/x-pack/filebeat/module/sophos/utm/test/generated.log new file mode 100644 index 00000000000..65a20d4f428 --- /dev/null +++ b/x-pack/filebeat/module/sophos/utm/test/generated.log @@ -0,0 +1,100 @@ +2016:1:29-06:09:59 smtpd[905]: MASTER[nnumqua]: QR globally disabled, status one set to 'disabled' +2016:2:12-13:12:33 astarosg_TVM[5716]: id=ommod severity=medium sys=inima sub=tlabo name=web request blocked, forbidden application detectedaction=accept method=ugiatnu client=stiae facility=nofdeF user=sunt srcip=10.57.170.140 dstip=10.213.231.72 version=1.5102 storage=emips ad_domain=imadmi object=ostrume class=molest type=upt attributes=uiineavocount=tisetq node=irati account=icistatuscode=giatquov cached=eritquii profile=dexeac filteraction=iscinge size=6992 request=oreseos url=https://mail.example.net/tati/utaliqu.html?iquaUten=santium#iciatisu referer=https://www5.example.org/eporroqu/uat.txt?atquovo=suntinc#xeac error=nidolo authtime=tatn dnstime=eli cattime=nnu avscantime=dolo fullreqtime=Loremip device=idolor auth=emeumfu ua=CSed exceptions=lupt group=psaquae category=oinBCSe categoryname=mnisist content-type=sedd reputation=uatD application=iunt app-id=temveleu reason=colabo filename=eme file=numqu extension=qui time=civeli function=block line=agnaali message=gnam fwrule=tat seq=ipitla initf=enp0s7281 outitf=enp0s7084 dstmac=01:00:5e:de:94:f6 srcmac=01:00:5e:1d:c1:c0 proto=den length=tutla tos=olorema prec=;iades ttl=siarchi srcport=2289 dstport=3920 tcpflags=mqu info=apariat prec=tlabore caller=untmolli engine=remi localip=saute host=ercit2385.internal.home extra=run server=10.47.202.102 cookie=quirat set-cookie=llu +2016:2:26-20:15:08 eirure7587.internal.localhost reverseproxy: [mpori] [aaliquaU:medium] [pid 3905:lpaqui] (22)No form context found: [client sitame] No form context found when parsing iadese tag, referer: https://api.example.com/utla/utei.htm?oei=tlabori#oin +2016:3:12-03:17:42 data4478.api.lan confd: id=iquipex severity=very-high sys=uradip sub=wri name=bor client=occa facility=stquidol user=itquiin srcip=10.106.239.55 version=1.3129 storage=atevel object=nsecte class=itame type=eumfug attributes=litcount=asun node=estia account=eaq +2016:3:26-10:20:16 ctetura3009.www5.corp reverseproxy: [lita] [adeseru:medium] [pid 7692:eaq] amest configured -- corp normal operations +2016:4:9-17:22:51 smtpd[1411]: MASTER[inculpa]: QR globally disabled, status one set to 'disabled' +2016:4:24-00:25:25 httpproxy[176]: [nse] disk_cache_zap (non) paquioff +2016:5:8-07:27:59 ptasnu6684.mail.lan reverseproxy: [orumSe] [boree:low] [pid 945:rQuisau] AH01915: Init: (10.18.13.211:205) You configured ofdeFini(irat) on the onev(aturauto) port! +2016:5:22-14:30:33 ssecillu7166.internal.lan barnyard: Initializing daemon mode +2016:6:5-21:33:08 ore5643.api.lan reverseproxy: [metco] [acom:high] [pid 2164:nim] ModSecurity: utaliqu compiled version="rsi"; loaded version="taliqui" +2016:6:20-04:35:42 ciun39.localdomain reverseproxy: [iatqu] [inBCSedu:high] [pid 4006:rorsit] AH00098: pid file tionemu overwritten -- Unclean shutdown of previous Apache run? +2016:7:4-11:38:16 atatnon6064.www.invalid reverseproxy: [magnid] [adol:low] [pid 1263:roide] AH00291: long lost child came home! (pid tem) +2016:7:18-18:40:50 gitse2463.www5.invalid aua: id=tvolup severity=low sys=sci sub=col name=web request blocked srcip=10.42.252.243 user=agnaaliq caller=est engine=mquisno +2016:8:2-01:43:25 httpproxy[2078]: [mol] sc_server_cmd (umdolors) decrypt failed +2016:8:16-08:45:59 oriosam6277.mail.localdomain frox: Listening on 10.169.5.162:6676 +2016:8:30-15:48:33 ptate3830.internal.localhost reverseproxy: [quamqua] [ntut:high] [pid 5996:meum] AH02572: Failed to configure at least one certificate and key for mini:Loremip +2016:9:13-22:51:07 nvo6105.invalid reverseproxy: [amquaer] [aqui:medium] [pid 3340:lpa] AH00020: Configuration Failed, isn +2016:9:28-05:53:42 afcd[2492]: Classifier configuration reloaded successfully +2016:10:12-12:56:16 edic2758.api.domain confd: id=olabori severity=medium sys=atatnon sub=lica name=secil client=uisnos facility=olores user=scipit srcip=10.54.169.175 version=1.5889 storage=onorumet object=ptatema class=eavolup type=ipsumq attributes=evitcount=tno node=iss account=taspe +2016:10:26-19:58:50 aua[32]: id=mmo severity=high sys=tlaboru sub=aeabillo name=checking if admin is enabled srcip=10.26.228.145 user=eruntmo caller=nimve engine=usanti +2016:11:10-03:01:24 sshd[2051]: Server listening on 10.59.215.207 port 6195. +2016:11:24-10:03:59 ectobeat3157.mail.local reverseproxy: [uasiarch] [Malor:low] [pid 170:cillumdo] AH02312: Fatal error initialising mod_ssl, ditau. +2016:12:8-17:06:33 ident2323.internal.corp reverseproxy: [hend] [remagna:high] [pid 873:aparia] AH01909: 10.144.21.112:90:epteurs server certificate does NOT include an ID which matches the server name +2016:12:23-00:09:07 ttenb4581.www.host httpproxy: [rem] main (exer) shutdown finished, exiting +2017:1:6-07:11:41 lapari5763.api.invalid frox: Listening on 10.103.2.48:4713 +2017:1:20-14:14:16 elites4713.www.localhost ulogd: id=serr severity=very-high sys=olore sub=onemul name=portscan detected action=deny fwrule=remeum seq=etur initf=lo6086 outitf=lo272 dstmac=01:00:5e:51:b9:4d srcmac=01:00:5e:15:3a:74 srcip=10.161.51.135 dstip=10.52.190.18 proto=isni length=quid tos=aUten prec=Duis ttl=uisq srcport=7807 dstport=165 tcpflags=accus info=CSed code=tiu type=wri +2017:2:3-21:16:50 sam1795.invalid reverseproxy: [lorese] [olupta:low] [pid 3338:iqui] AH02312: Fatal error initialising mod_ssl, animide. +2017:2:18-04:19:24 confd[10]: id=arch severity=high sys=data sub=ugits name=ittenb client=tobeatae facility=ntut user=llum srcip=10.232.108.32 version=1.5240 storage=idolo object=mqu class=mquido type=ende attributes=ntmollitcount=tisu node=ionofdeF account=rsp +2017:3:4-11:21:59 nostrum6305.internal.localhost astarosg_TVM: id=llitani severity=high sys=itametco sub=etcons name=web request blocked, forbidden url detectedaction=allow method=iuntN client=utfugi facility=ursintoc user=tio srcip=10.89.41.97 dstip=10.231.116.175 version=1.5146 storage=lup ad_domain=mipsamv object=exeacomm class=sequines type=cto attributes=cusacount=nderi node=tem account=tcustatuscode=eumiu cached=nim profile=pteurs filteraction=ercitati size=835 request=ptat url=https://mail.example.net/velillu/ecatcupi.txt?rsitamet=leumiur#ssequamn referer=https://example.com/taliqui/idi.txt?undeomn=ape#itaspe error=ari authtime=umtot dnstime=onemulla cattime=atquo avscantime=borio fullreqtime=equatD device=uidol auth=inculpa ua=ruredol exceptions=iadeseru group=loremagn category=acons categoryname=nimadmi content-type=lapa reputation=emoenimi application=iquipex app-id=mqu reason=onorume filename=abill file=ametcon extension=ofdeFini time=tasnu function=deny line=tionev message=uasiarch fwrule=velites seq=uredolor initf=lo1543 outitf=lo6683 dstmac=01:00:5e:8c:f2:06 srcmac=01:00:5e:6f:71:02 proto=plica length=asiarc tos=lor prec=;nvolupt ttl=dquia srcport=5334 dstport=1525 tcpflags=umfugiat info=quisnos prec=utf caller=dolor engine=dexe localip=nemul host=Duis583.api.local extra=eavolupt server=10.17.51.153 cookie=aperiame set-cookie=stenat +2017:3:18-18:24:33 xeaco7887.www.localdomain aua: id=hite severity=very-high sys=ugitsed sub=dminimve name=Packet accepted srcip=10.137.165.144 user=uptate caller=tot engine=reme +2017:4:2-01:27:07 reverseproxy[5430]: ARGS:userPermissions: [\\x22dashletAccessAlertingRecentAlertsPanel\\x22,\\x22dashletAccessAlerterTopAlertsDashlet\\x22,\\x22accessViewRules\\x22,\\x22deployLiveResources\\x22,\\x22vi..."] [severity [hostname "iscivel3512.invalid"] [uri "atcupi"] [unique_id "eriti"] +2017:4:16-08:29:41 sockd[6181]: dante/server 1.202 running +2017:4:30-15:32:16 dolor5799.home afcd: Classifier configuration reloaded successfully +2017:5:14-22:34:50 oreseosq1859.api.lan reverseproxy: [mmodic] [essequam:low] [pid 6691:ficiade] [client uiinea] [uianonn] virus daemon connection problem found in request https://www5.example.com/dantium/ors.htm?sinto=edi#eumiure, referer: https://example.com/adeser/mSe.gif?aute=rchite#rcit +2017:5:29-05:37:24 confd-sync[6908]: id=smoditem severity=very-high sys=tev sub=oNemoeni name=luptatem +2017:6:12-12:39:58 autodit272.www.localhost reverseproxy: [oriss] [imadmin:very-high] [pid 1121:urve] ModSecurity: sBonoru compiled version="everi"; loaded version="squ" +2017:6:26-19:42:33 rporis6787.www5.localdomain reverseproxy: [quasiarc] [pta:low] [pid 3705:liqu] [client ipsu] AH01114: siarch: failed to make connection to backend: 10.148.21.7 +2017:7:11-02:45:07 reprehe5661.www.lan reverseproxy: rManage\\x22,\\x22manageLiveSystemSettings\\x22,\\x22accessViewJobs\\x22,\\x22exportList\\..."] [ver "olor"] [maturity "corpo"] [accuracy "commod"] iumd [hostname "ntore4333.api.invalid"] [uri "sitv"] [unique_id "equam"] +2017:7:25-09:47:41 exim[2384]: aeca-ugitse-ameiu utei:caecat:lumquid oluptat sequatD163.internal.example [10.151.206.38]:5794 lits +2017:8:8-16:50:15 elillu5777.www5.lan pluto: "elaudant"[olup] 10.230.4.70 #ncu: starting keying attempt quaturve of an unlimited number +2017:8:22-23:52:50 ecatcup3022.mail.invalid xl2tpd: Inherited by nproide +2017:9:6-06:55:24 qui7797.www.host ipsec_starter: Starting strongSwan umet IPsec [starter]... +2017:9:20-13:57:58 nofdeFin2037.mail.example reverseproxy: [quatD] [nevol:high] [pid 3994:Sectio] [client tiumdol] [laud] cannot read reply: Operation now in progress (115), referer: https://example.org/tquov/natu.jpg?uianonnu=por#nve +2017:10:4-21:00:32 sockd[7264]: dante/server 1.3714 running +2017:10:19-04:03:07 eFinib2403.api.example reverseproxy: [utaliq] [sun:high] [pid 4074:uredol] [client quatD] [enimad] ecatcu while reading reply from cssd, referer: https://mail.example.org/urautod/eveli.html?rese=nonproi#doconse +2017:11:2-11:05:41 confd[4939]: id=acons severity=high sys=adipisc sub=omnisist name=orroqui client=sci facility=psamvolu user=itsedqui srcip=10.244.96.61 version=1.2707 storage=onevol object=ese class=reprehen type=Exce attributes=toccacount=tinvolu node=ecatc account=iumt +2017:11:16-18:08:15 named[1900]: reloading eddoei iono +2017:12:1-01:10:49 obeatae2042.www.domain reverseproxy: [dquian] [isaute:low] [pid 1853:utfugit] (70007)The ula specified has expired: [client quaUteni] AH01110: error reading response +2017:12:15-08:13:24 aerat1267.www5.example pop3proxy: Master started +2017:12:29-15:15:58 writt2238.internal.localdomain reverseproxy: [uaer] [aed:low] [pid 478:ain] [client scingeli] [uatDuis] mod_avscan_check_file_single_part() called with parameter filename=imip +2018:1:12-22:18:32 siutaliq4937.api.lan reverseproxy: [siutaliq] [urvel:very-high] [pid 7721:ntium] [imadmi] Hostname in dquiac request (liquide) does not match the server name (uatD) +2018:1:27-05:21:06 URID[7596]: T=BCSedut ------ 1 - [exit] accept: ametco +2018:2:10-12:23:41 astarosg_TVM[1090]: id=udex severity=low sys=iam sub=animi name=UDP flood detectedaction=allow method=nsectetu client=spici facility=untutl user=hen srcip=10.214.167.164 dstip=10.76.98.53 version=1.3726 storage=uovolup ad_domain=expl object=animi class=mdoloree type=mullamco attributes=tnulcount=ons node=radip account=amremapstatuscode=dolorsit cached=atisund profile=isnostru filteraction=quepo size=5693 request=nisi url=https://api.example.org/iono/secillum.txt?apariat=tse#enbyCi referer=https://example.com/eetdol/aut.jpg?pitlab=tutlabor#imadmi error=nculp authtime=quamnihi dnstime=nimadmi cattime=mquiado avscantime=agn fullreqtime=dip device=urmag auth=nim ua=laboreet exceptions=tutlabo group=incid category=der categoryname=totamrem content-type=eaqu reputation=itani application=mni app-id=runtmol reason=uaer filename=nor file=saut extension=olest time=volu function=block line=osam message=ncid fwrule=loremagn seq=uisau initf=lo1255 outitf=eth965 dstmac=01:00:5e:2f:c3:3e srcmac=01:00:5e:65:2d:fe proto=ictasun length=iumto tos=ciun prec=;prehe ttl=essec srcport=4562 dstport=2390 tcpflags=uaera info=nsequa prec=yCicero caller=orporis engine=oluptate localip=tesseq host=tenbyCi4371.www5.localdomain extra=spernatu server=10.98.126.206 cookie=tion set-cookie=tNeque +2018:2:24-19:26:15 ulogd[6722]: id=persp severity=medium sys=orev sub=lapa name=Packet logged action=allow fwrule=adminim seq=isiutali initf=lo7088 outitf=eth6357 dstmac=01:00:5e:9a:fe:91 srcmac=01:00:5e:78:1a:5a srcip=10.203.157.250 dstip=10.32.236.117 proto=turm length=quamei tos=nvento prec=nama ttl=ema srcport=6585 dstport=5550 tcpflags=xeacomm info=oriosa code=erspici type=oreeu +2018:3:11-02:28:49 ectob5542.www5.corp reverseproxy: [agni] [ivelit:high] [pid 7755:uovol] AH00959: ap_proxy_connect_backend disabling worker for (10.231.77.26) for volups +2018:3:25-09:31:24 iusmo901.www.home httpd: id=scivelit severity=high sys=untut sub=siu name=Authentication successfulaction=allow method=icons client=hende facility=umdol user=Sedutper srcip=10.2.24.156 dstip=10.113.78.101 version=1.2707 storage=amqua ad_domain=nsequatu object=aboNemoe class=mqu type=tse attributes=ntiumdcount=ueip node=amvo account=dolorsistatuscode=acc cached=quinesc profile=ulpaq filteraction=usa size=5474 request=tob url=https://www.example.org/imipsamv/doeiu.jpg?nderit=ficia#tru referer=https://mail.example.org/natuser/olupt.txt?ipsumqu=nsec#smo error=avolup authtime=litse dnstime=archit cattime=nde avscantime=tNequepo fullreqtime=byCicer device=imvenia auth=ipit ua=tdolorem exceptions=nderitin group=mquiado category=ssequa categoryname=nisist content-type=temvele reputation=ofd application=quam app-id=umdol reason=porincid filename=tisetqu file=pici extension=erit time=ehenderi function=block line=fugiatqu message=Duisaute fwrule=uptat seq=hende initf=lo3680 outitf=lo4358 dstmac=01:00:5e:0a:8f:6c srcmac=01:00:5e:34:8c:d2 proto=mnis length=ainci tos=aturve prec=;tiumdol ttl=mporain srcport=6938 dstport=6939 tcpflags=dut info=aecons prec=tionemu caller=edictasu engine=quipexea localip=orsit host=tenima5715.api.example extra=snisiut server=10.92.93.236 cookie=amr set-cookie=mfug port=7174 query=exerc uid=ntoccae +2018:4:8-16:33:58 astarosg_TVM[6463]: id=user severity=low sys=sequamn sub=adeseru name=File extension warned and proceededaction=accept method=mquisn client=ulamcol facility=nulamcol user=atatno srcip=10.180.169.49 dstip=10.206.69.71 version=1.3155 storage=risni ad_domain=ccaecat object=dtemp class=onproid type=ica attributes=mnisiscount=edolor node=nonnumqu account=iscivelistatuscode=urve cached=sundeomn profile=tasu filteraction=equunt size=3144 request=ilmo url=https://mail.example.net/isqua/deF.html?iameaq=orainci#adm referer=https://api.example.org/mremap/ate.htm?tlabor=cidunt#ria error=tessec authtime=cupida dnstime=ciade cattime=busBonor avscantime=enima fullreqtime=emseq device=osamni auth=umetMa ua=equatDui exceptions=its group=setquas category=nti categoryname=osamnis content-type=atisetqu reputation=ciduntut application=atisu app-id=edutpe reason=architec filename=incul file=tevelit extension=emse time=eipsaqua function=cancel line=suntincu message=lore fwrule=equatu seq=enbyCi initf=enp0s566 outitf=lo2179 dstmac=01:00:5e:2c:9d:65 srcmac=01:00:5e:1a:03:f5 proto=orema length=iusmo tos=uunturm prec=;mSect ttl=avolupta srcport=3308 dstport=1402 tcpflags=dolo info=tsed prec=corpori caller=cillumd engine=umdol localip=turmagn host=mni4032.lan extra=amrem server=10.202.65.2 cookie=queporr set-cookie=oide +2018:4:22-23:36:32 iscing6960.api.invalid reverseproxy: [emipsu] [incidu:very-high] [pid 5350:itation] SSL Library Error: error:itasper:failure +2018:5:7-06:39:06 httpd[793]: [ruredo:success] [pid nculpaq:mides] [client iconseq] ModSecurity: Warning. nidolo [file "runtmoll"] [line "tuserror"] [id "utlabo"] [rev "scip"] [msg "imvenia"] [severity "low"] [ver "1.6420"] [maturity "nisi"] [accuracy "seq"] [tag "ors"] [hostname "olupta3647.host"] [uri "uaUteni"] [unique_id "gitsedqu"]amqu +2018:5:21-13:41:41 named[6633]: FORMERR resolving 'iavolu7814.www5.localhost': 10.194.12.83#elit +2018:6:4-20:44:15 astarosg_TVM[5792]: id=elitess severity=low sys=amqua sub=mavenia name=checking if admin is enabledaction=cancel method=doc client=teurs facility=eturadi user=eturadip srcip=10.33.138.154 dstip=10.254.28.41 version=1.4256 storage=volupta ad_domain=dolor object=dolorsit class=tfugits type=lor attributes=oremcount=utper node=ueips account=umqustatuscode=ntexpli cached=siuta profile=porincid filteraction=itame size=1026 request=fugiat url=https://www5.example.org/etcons/aecatc.jpg?ditem=tut#oditautf referer=https://internal.example.org/eddoei/iatqu.htm?itessec=dat#tdol error=emul authtime=ariatu dnstime=luptate cattime=umdolore avscantime=iutaliq fullreqtime=oriosamn device=oluptate auth=tcu ua=mmodo exceptions=rauto group=lup category=orem categoryname=tutl content-type=iusmo reputation=uiavolu application=eri app-id=pis reason=riosam filename=isa file=nonnum extension=Nemoenim time=itati function=cancel line=nes message=atvolupt fwrule=umwritt seq=uae initf=enp0s3792 outitf=lo2114 dstmac=01:00:5e:24:b8:9f srcmac=01:00:5e:a1:a3:9f proto=bil length=itten tos=icer prec=;dolo ttl=siutaliq srcport=1455 dstport=6937 tcpflags=pexeaco info=ercitati prec=dexea caller=tasnul engine=onu localip=orisnisi host=obea2960.mail.corp extra=dolor server=10.45.12.53 cookie=etdo set-cookie=edictas +2018:6:19-03:46:49 frox[7744]: Listening on 10.99.134.49:2274 +2018:7:3-10:49:23 olli5982.www.test reverseproxy: [asp] [uatDui:medium] [pid 212:unde] [client raut] [suscip] virus daemon error found in request ectetu, referer: https://example.com/ariat/ptatemU.txt?cusan=ueipsaq#upid +2018:7:17-17:51:58 nsecte3644.internal.test reverseproxy: [tutla] [isund:high] [pid 3136:uidex] [client uptate] Invalid signature, cookie: JSESSIONID +2018:8:1-00:54:32 confd[4157]: id=onseq severity=very-high sys=siutaliq sub=aliqu name=serro client=ctet facility=umiurere user=antium srcip=10.32.85.21 version=1.7852 storage=eaco object=onp class=ectetur type=ione attributes=utlaborecount=nci node=acommodi account=etconsec +2018:8:15-07:57:06 econseq7119.www.home sshd: error: Could not get shadow information for NOUSER +2018:8:29-14:59:40 ant2543.www5.lan reverseproxy: [uaturve] [lapa:high] [pid 3669:idu] [client sed] [utem] cannot read reply: Operation now in progress (115), referer: https://example.com/oremagn/ehenderi.htm?mdolo=ionul#oeiusmo +2018:9:12-22:02:15 pluto[7138]: | sent accept notification olore with seqno = urEx +2018:9:27-05:04:49 httpd[6562]: id=iurere severity=medium sys=erc sub=atu name=http accessaction=accept method=odte client=uis facility=sedquia user=reetd srcip=10.210.175.52 dstip=10.87.14.186 version=1.7641 storage=tasu ad_domain=mquae object=CSedu class=atae type=aeconseq attributes=boNemocount=duntutla node=mqu account=inimastatuscode=emipsum cached=venia profile=Loremi filteraction=uisnostr size=849 request=vol url=https://internal.example.com/ritat/dipi.jpg?aliquide=aliqui#agnaaliq referer=https://api.example.org/Bonorume/emeumfu.txt?iuntNequ=ender#quid error=mipsa authtime=teturad dnstime=nimide cattime=spernat avscantime=nevolu fullreqtime=itectobe device=rroq auth=itessequ ua=uunt exceptions=pic group=unt category=emUt categoryname=eiru content-type=sauteir reputation=pic application=caecatc app-id=iarc reason=emquia filename=duntutl file=idi extension=reetdo time=pidatatn function=cancel line=ncul message=mcorpor fwrule=ofd seq=lapariat initf=eth65 outitf=lo3615 dstmac=01:00:5e:b3:e3:90 srcmac=01:00:5e:0e:b3:8e proto=consequ length=min tos=riame prec=;gnaal ttl=nti srcport=1125 dstport=605 tcpflags=utlab info=colabo prec=ditem caller=did engine=BCS localip=idex host=nisiuta4810.api.test extra=apa server=10.85.200.58 cookie=esse set-cookie=idexeac port=2294 query=iatquovo uid=rExce +2018:10:11-12:07:23 itametc1599.api.test ulogd: id=itaedi severity=low sys=ore sub=ips name=Authentication successful action=block fwrule=iamqu seq=aboN initf=eth2679 outitf=enp0s1164 dstmac=01:00:5e:c3:8a:24 srcmac=01:00:5e:5a:9d:a9 srcip=10.133.45.45 dstip=10.115.166.48 proto=utaliq length=icer tos=essequ prec=oeiu ttl=nsequa srcport=4180 dstport=4884 tcpflags=squa info=etM code=eve type=iru +2018:10:25-19:09:57 tiumt5462.mail.localhost sshd: Invalid user admin from runt +2018:11:9-02:12:32 vol1450.internal.host sshd: Server listening on 10.71.184.162 port 3506. +2018:11:23-09:15:06 ipsec_starter[178]: IP address or index of physical interface changed -> reinit of ipsec interface +2018:12:7-16:17:40 rporissu573.api.test reverseproxy: [exercita] [emaperi:very-high] [pid 5943:ddoei] AH02312: Fatal error initialising mod_ssl, nihi. +2018:12:21-23:20:14 nostru774.corp URID: T=tatnonp ------ 1 - [exit] allow: natuserr +2019:1:5-06:22:49 ipsec_starter[6226]: IP address or index of physical interface changed -> reinit of ipsec interface +2019:1:19-13:25:23 httpd[5037]: [iadese:unknown] [pid isundeo:emq] [client rehender] ModSecurity: Warning. uat [file "apa"] [line "tani"] [id "per"] [rev "ngelitse"] [msg "olorsita"] [severity "medium"] [ver "1.7102"] [maturity "apariat"] [accuracy "iuntNequ"] [tag "rExc"] [hostname "lorsita2216.www5.example"] [uri "turvelil"] [unique_id "velitsed"]rau +2019:2:2-20:27:57 sum2208.host reverseproxy: [eir] [nia:medium] [pid 4346:mco] [client ritinvol] [quioffi] mod_avscan_check_file_single_part() called with parameter filename=quamquae +2019:2:17-03:30:32 ore6843.local reverseproxy: [usmodite] [aveniam:medium] [pid 5126:xplicab] [client taev] No signature found, cookie: dictasu +2019:3:3-10:33:06 Sedu1610.mail.corp reverseproxy: [audant] [porr:medium] [pid 7442:tation] [client uunturma] AH01114: cons: failed to make connection to backend: 10.177.35.133 +2019:3:17-17:35:40 corpo6737.example reverseproxy: [officiad] [aliquide:very-high] [pid 6600:errorsi] [client raincidu] [orincidi] cannot connect: failure (111) +2019:4:1-00:38:14 pop3proxy[6854]: Master started +2019:4:15-07:40:49 eratvol314.www.home pop3proxy: Master started +2019:4:29-14:43:23 utemvele1838.mail.test reverseproxy: [xplicabo] [aco:high] [pid 2389:ratione] [client nrepr] ModSecurity: Warning. uipex [file "alorumw"] [line "nibus"] [id "eiusmo"] [msg "rci"] [hostname "seosquir715.local"] [uri "ercitati"] [unique_id "uiration"] +2019:5:13-21:45:57 ulapari2656.local reverseproxy: [itessec] [non:very-high] [pid 2237:licaboN] [client nvol] [moenimip] cannot connect: failure (111) +2019:5:28-04:48:31 reverseproxy[4278]: [ritat] [iscinge:very-high] [pid 4264:rroquisq] [client tnonpro] [nimv] erunt while reading reply from cssd, referer: https://example.org/etcon/ipitlab.gif?utlabore=suscipi#tlabor +2019:6:11-11:51:06 URID[7418]: T=xer ------ 1 - [exit] cancel: onemul +2019:6:25-18:53:40 pluto[7201]: | handling event ips for 10.165.217.56 "econse" #otamr +2019:7:10-01:56:14 stla2856.host reverseproxy: [onpro] [adolo:very-high] [pid 7766:siste] ModSecurity for Apache/nisiut (ostr) configured. +2019:7:24-08:58:48 peri6748.www5.domain reverseproxy: [cingeli] [esseq:high] [pid 2404:aquae] AH00098: pid file otamrema overwritten -- Unclean shutdown of previous Apache run? +2019:8:7-16:01:23 tnon5442.internal.test reverseproxy: [ive] [tquido:very-high] [pid 6108:taliquip] AH00295: caught accept, ectetu +2019:8:21-23:03:57 ariatu2606.www.host reverseproxy: [quamestq] [umquid:very-high] [pid 7690:rem] [client its] [inv] not all the file sent to the client: rin, referer: https://example.org/tation/tutlabo.jpg?amvo=ullamco#tati +2019:9:5-06:06:31 imv1805.api.host ulogd: id=oenim severity=very-high sys=iaturExc sub=orsit name=ICMP flood detected action=cancel fwrule=eos seq=quameius initf=lo4665 outitf=lo3422 dstmac=01:00:5e:d6:f3:bc srcmac=01:00:5e:87:02:08 srcip=10.96.243.231 dstip=10.248.62.55 proto=ugiat length=quiin tos=apar prec=eleumiur ttl=chite srcport=5632 dstport=4206 tcpflags=tevelit info=etc code=lorem type=temvele +2019:9:19-13:09:05 rita600.www5.localdomain reverseproxy: [ini] [elite:high] [pid 7650:mnisiut] AH00959: ap_proxy_connect_backend disabling worker for (10.132.101.158) for cipitlabs +2019:10:3-20:11:40 sshd[2014]: Did not receive identification string from rroq +2019:10:18-03:14:14 admini1122.www.local reverseproxy: [ritte] [umwritte:very-high] [pid 1817:atu] (13)failure: [client vol] AH01095: prefetch request body failed to 10.96.193.132:5342 (orumwr) from bori () +2019:11:1-10:16:48 confd[2475]: id=utaliqu severity=low sys=xplicabo sub=quamni name=dol client=sisten facility=remeumf user=acommod srcip=10.96.200.83 version=1.7416 storage=sper object=asia class=roident type=olorem attributes=teursintcount=evelites node=nostr account=lapariat +2019:11:15-17:19:22 emvel4391.localhost sshd: Did not receive identification string from quelaud +2019:11:30-00:21:57 confd-sync[5454]: id=smodite severity=high sys=utpersp sub=rnatu name=ico +2019:12:14-07:24:31 untinc5531.www5.test sshd: error: Could not get shadow information for NOUSER diff --git a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json new file mode 100644 index 00000000000..b57ab7067ab --- /dev/null +++ b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json @@ -0,0 +1,3727 @@ +[ + { + "@timestamp": "2016-01-29T08:09:59.000Z", + "event.code": "smtpd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:1:29-06:09:59 smtpd[905]: MASTER[nnumqua]: QR globally disabled, status one set to 'disabled'", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 0, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 905, + "rsa.internal.event_desc": "smtpd: MASTER:QR globally disabled, status one set to disabled.", + "rsa.internal.messageid": "smtpd", + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-12T15:12:33.000Z", + "destination.address": "ercit2385.internal.home", + "destination.ip": [ + "10.47.202.102" + ], + "destination.mac": "01:00:5e:de:94:f6", + "destination.port": 3920, + "event.action": "block", + "event.code": "astarosg_TVM", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:2:12-13:12:33 astarosg_TVM[5716]: id=ommod severity=medium sys=inima sub=tlabo name=web request blocked, forbidden application detectedaction=accept method=ugiatnu client=stiae facility=nofdeF user=sunt srcip=10.57.170.140 dstip=10.213.231.72 version=1.5102 storage=emips ad_domain=imadmi object=ostrume class=molest type=upt attributes=uiineavocount=tisetq node=irati account=icistatuscode=giatquov cached=eritquii profile=dexeac filteraction=iscinge size=6992 request=oreseos url=https://mail.example.net/tati/utaliqu.html?iquaUten=santium#iciatisu referer=https://www5.example.org/eporroqu/uat.txt?atquovo=suntinc#xeac error=nidolo authtime=tatn dnstime=eli cattime=nnu avscantime=dolo fullreqtime=Loremip device=idolor auth=emeumfu ua=CSed exceptions=lupt group=psaquae category=oinBCSe categoryname=mnisist content-type=sedd reputation=uatD application=iunt app-id=temveleu reason=colabo filename=eme file=numqu extension=qui time=civeli function=block line=agnaali message=gnam fwrule=tat seq=ipitla initf=enp0s7281 outitf=enp0s7084 dstmac=01:00:5e:de:94:f6 srcmac=01:00:5e:1d:c1:c0 proto=den length=tutla tos=olorema prec=;iades ttl=siarchi srcport=2289 dstport=3920 tcpflags=mqu info=apariat prec=tlabore caller=untmolli engine=remi localip=saute host=ercit2385.internal.home extra=run server=10.47.202.102 cookie=quirat set-cookie=llu", + "file.directory": "emips", + "file.extension": "qui", + "file.name": "numqu", + "file.size": 6992, + "fileset.name": "utm", + "group.name": "psaquae", + "http.request.referrer": "https://www5.example.org/eporroqu/uat.txt?atquovo=suntinc#xeac", + "input.type": "log", + "log.level": "medium", + "log.offset": 99, + "observer.egress.interface.name": "enp0s7084", + "observer.ingress.interface.name": "enp0s7281", + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "observer.version": "1.5102", + "process.pid": 5716, + "related.hosts": [ + "ercit2385.internal.home" + ], + "related.ip": [ + "10.47.202.102", + "10.57.170.140" + ], + "related.user": [ + "sunt", + "icistatuscode=giatquov", + "dexeac" + ], + "rsa.db.index": "run", + "rsa.identity.logon_type": "nofdeF", + "rsa.internal.event_desc": "web", + "rsa.internal.messageid": "astarosg_TVM", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "block", + "ugiatnu" + ], + "rsa.misc.comments": "colabo", + "rsa.misc.content_type": "sedd", + "rsa.misc.context": "apariat", + "rsa.misc.group": "psaquae", + "rsa.misc.group_object": "molest", + "rsa.misc.node": "irati", + "rsa.misc.obj_name": "uiineavocount=tisetq", + "rsa.misc.obj_type": "upt", + "rsa.misc.policy_id": "tat", + "rsa.misc.policy_name": "iscinge", + "rsa.misc.rule": "ommod", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.5102", + "rsa.misc.vsys": "inima", + "rsa.network.dinterface": "enp0s7084", + "rsa.network.host_dst": "ercit2385.internal.home", + "rsa.network.sinterface": "enp0s7281", + "rsa.time.event_time": "2016-02-12T15:12:33.000Z", + "rsa.web.web_cookie": "quirat", + "service.name": "tlabo", + "service.type": "sophos", + "source.ip": [ + "10.57.170.140" + ], + "source.mac": "01:00:5e:1d:c1:c0", + "source.port": 2289, + "tags": [ + "sophos.utm", + "forwarded" + ], + "url.original": "https://mail.example.net/tati/utaliqu.html?iquaUten=santium#iciatisu", + "user.name": "sunt" + }, + { + "@timestamp": "2016-02-26T22:15:08.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:2:26-20:15:08 eirure7587.internal.localhost reverseproxy: [mpori] [aaliquaU:medium] [pid 3905:lpaqui] (22)No form context found: [client sitame] No form context found when parsing iadese tag, referer: https://api.example.com/utla/utei.htm?oei=tlabori#oin", + "fileset.name": "utm", + "host.name": "eirure7587.internal.localhost", + "http.request.referrer": "https://api.example.com/utla/utei.htm?oei=tlabori#oin", + "input.type": "log", + "log.level": "medium", + "log.offset": 1448, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 3905, + "related.hosts": [ + "eirure7587.internal.localhost" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_log": "aaliquaU", + "rsa.misc.result": "No form context found", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "eirure7587.internal.localhost" + ], + "rsa.network.gateway": "sitame", + "rsa.time.event_time": "2016-02-26T22:15:08.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-03-12T05:17:42.000Z", + "event.code": "confd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:3:12-03:17:42 data4478.api.lan confd: id=iquipex severity=very-high sys=uradip sub=wri name=bor client=occa facility=stquidol user=itquiin srcip=10.106.239.55 version=1.3129 storage=atevel object=nsecte class=itame type=eumfug attributes=litcount=asun node=estia account=eaq", + "file.directory": "atevel", + "fileset.name": "utm", + "host.name": "data4478.api.lan", + "input.type": "log", + "log.level": "very-high", + "log.offset": 1708, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "observer.version": "1.3129", + "related.hosts": [ + "data4478.api.lan" + ], + "related.ip": [ + "10.106.239.55" + ], + "related.user": [ + "itquiin", + "eaq" + ], + "rsa.identity.logon_type": "stquidol", + "rsa.internal.event_desc": "bor", + "rsa.internal.messageid": "confd", + "rsa.misc.group_object": "itame", + "rsa.misc.node": "estia", + "rsa.misc.obj_name": "litcount=asun", + "rsa.misc.obj_type": "eumfug", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.3129", + "rsa.network.alias_host": [ + "data4478.api.lan" + ], + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "service.name": "wri", + "service.type": "sophos", + "source.ip": [ + "10.106.239.55" + ], + "tags": [ + "sophos.utm", + "forwarded" + ], + "user.name": "itquiin" + }, + { + "@timestamp": "2016-03-26T12:20:16.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:3:26-10:20:16 ctetura3009.www5.corp reverseproxy: [lita] [adeseru:medium] [pid 7692:eaq] amest configured -- corp normal operations", + "fileset.name": "utm", + "host.name": "ctetura3009.www5.corp", + "input.type": "log", + "log.level": "medium", + "log.offset": 1988, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 7692, + "related.hosts": [ + "ctetura3009.www5.corp" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.disposition": "corp", + "rsa.misc.event_id": "AH00292", + "rsa.misc.event_log": "adeseru", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "ctetura3009.www5.corp" + ], + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-09T19:22:51.000Z", + "event.code": "smtpd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:4:9-17:22:51 smtpd[1411]: MASTER[inculpa]: QR globally disabled, status one set to 'disabled'", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 2125, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 1411, + "rsa.internal.event_desc": "smtpd: MASTER:QR globally disabled, status one set to disabled.", + "rsa.internal.messageid": "smtpd", + "rsa.time.event_time": "2016-04-09T19:22:51.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-04-24T02:25:25.000Z", + "event.code": "httpproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:4:24-00:25:25 httpproxy[176]: [nse] disk_cache_zap (non) paquioff", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 2224, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 176, + "rsa.db.index": "paquioff", + "rsa.internal.event_desc": "httpproxy:disk_cache_zap related message.", + "rsa.internal.messageid": "httpproxy", + "rsa.time.event_time": "2016-04-24T02:25:25.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-08T09:27:59.000Z", + "destination.ip": [ + "10.18.13.211" + ], + "destination.port": 205, + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:5:8-07:27:59 ptasnu6684.mail.lan reverseproxy: [orumSe] [boree:low] [pid 945:rQuisau] AH01915: Init: (10.18.13.211:205) You configured ofdeFini(irat) on the onev(aturauto) port!", + "fileset.name": "utm", + "host.name": "ptasnu6684.mail.lan", + "input.type": "log", + "log.level": "low", + "log.offset": 2295, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 945, + "related.hosts": [ + "ptasnu6684.mail.lan" + ], + "related.ip": [ + "10.18.13.211" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.comments": "Invalid port configuration", + "rsa.misc.event_log": "boree", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "ptasnu6684.mail.lan" + ], + "rsa.network.network_service": "ofdeFini", + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-05-22T16:30:33.000Z", + "event.code": "barnyard", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:5:22-14:30:33 ssecillu7166.internal.lan barnyard: Initializing daemon mode", + "fileset.name": "utm", + "host.name": "ssecillu7166.internal.lan", + "input.type": "log", + "log.offset": 2478, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "ssecillu7166.internal.lan" + ], + "rsa.internal.event_desc": "barnyard:Initializing daemon mode", + "rsa.internal.messageid": "barnyard", + "rsa.network.alias_host": [ + "ssecillu7166.internal.lan" + ], + "rsa.time.event_time": "2016-05-22T16:30:33.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-06-05T23:33:08.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:6:5-21:33:08 ore5643.api.lan reverseproxy: [metco] [acom:high] [pid 2164:nim] ModSecurity: utaliqu compiled version=\"rsi\"; loaded version=\"taliqui\"", + "fileset.name": "utm", + "host.name": "ore5643.api.lan", + "input.type": "log", + "log.level": "high", + "log.offset": 2558, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 2164, + "related.hosts": [ + "ore5643.api.lan" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_log": "acom", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "ore5643.api.lan" + ], + "rsa.time.event_time": "2016-06-05T23:33:08.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-06-20T06:35:42.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:6:20-04:35:42 ciun39.localdomain reverseproxy: [iatqu] [inBCSedu:high] [pid 4006:rorsit] AH00098: pid file tionemu overwritten -- Unclean shutdown of previous Apache run?", + "file.name": "tionemu", + "fileset.name": "utm", + "host.name": "ciun39.localdomain", + "input.type": "log", + "log.level": "high", + "log.offset": 2711, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 4006, + "related.hosts": [ + "ciun39.localdomain" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.context": "Unclean shutdown", + "rsa.misc.event_id": "AH00098", + "rsa.misc.event_log": "inBCSedu", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "ciun39.localdomain" + ], + "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-04T13:38:16.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:7:4-11:38:16 atatnon6064.www.invalid reverseproxy: [magnid] [adol:low] [pid 1263:roide] AH00291: long lost child came home! (pid tem)", + "fileset.name": "utm", + "host.name": "atatnon6064.www.invalid", + "input.type": "log", + "log.level": "low", + "log.offset": 2887, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 1263, + "related.hosts": [ + "atatnon6064.www.invalid" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_id": "AH00291", + "rsa.misc.event_log": "adol", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "atatnon6064.www.invalid" + ], + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-18T20:40:50.000Z", + "event.code": "aua", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:7:18-18:40:50 gitse2463.www5.invalid aua: id=tvolup severity=low sys=sci sub=col name=web request blocked srcip=10.42.252.243 user=agnaaliq caller=est engine=mquisno", + "fileset.name": "utm", + "host.name": "gitse2463.www5.invalid", + "input.type": "log", + "log.level": "low", + "log.offset": 3026, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "gitse2463.www5.invalid" + ], + "related.user": [ + "agnaaliq" + ], + "rsa.internal.event_desc": "web", + "rsa.internal.messageid": "aua", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "gitse2463.www5.invalid" + ], + "rsa.time.event_time": "2016-07-18T20:40:50.000Z", + "service.name": "col", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ], + "user.name": "agnaaliq" + }, + { + "@timestamp": "2016-08-02T03:43:25.000Z", + "event.code": "httpproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:8:2-01:43:25 httpproxy[2078]: [mol] sc_server_cmd (umdolors) decrypt failed", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 3197, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 2078, + "rsa.internal.event_desc": "httpproxy:decrypt failed.", + "rsa.internal.messageid": "httpproxy", + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-16T10:45:59.000Z", + "event.code": "frox", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:8:16-08:45:59 oriosam6277.mail.localdomain frox: Listening on 10.169.5.162:6676", + "fileset.name": "utm", + "host.name": "oriosam6277.mail.localdomain", + "input.type": "log", + "log.offset": 3278, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "oriosam6277.mail.localdomain" + ], + "related.ip": [ + "10.169.5.162" + ], + "rsa.internal.event_desc": "frox:FTP Proxy listening on port.", + "rsa.internal.messageid": "frox", + "rsa.network.alias_host": [ + "oriosam6277.mail.localdomain" + ], + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "service.type": "sophos", + "source.ip": [ + "10.169.5.162" + ], + "source.port": 6676, + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-08-30T17:48:33.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:8:30-15:48:33 ptate3830.internal.localhost reverseproxy: [quamqua] [ntut:high] [pid 5996:meum] AH02572: Failed to configure at least one certificate and key for mini:Loremip", + "fileset.name": "utm", + "host.name": "ptate3830.internal.localhost", + "input.type": "log", + "log.level": "high", + "log.offset": 3363, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 5996, + "related.hosts": [ + "ptate3830.internal.localhost" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_id": "AH02572", + "rsa.misc.event_log": "ntut", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "ptate3830.internal.localhost" + ], + "rsa.time.event_time": "2016-08-30T17:48:33.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-14T00:51:07.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:9:13-22:51:07 nvo6105.invalid reverseproxy: [amquaer] [aqui:medium] [pid 3340:lpa] AH00020: Configuration Failed, isn", + "fileset.name": "utm", + "host.name": "nvo6105.invalid", + "input.type": "log", + "log.level": "medium", + "log.offset": 3542, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 3340, + "related.hosts": [ + "nvo6105.invalid" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.disposition": "isn", + "rsa.misc.event_id": "AH00020", + "rsa.misc.event_log": "aqui", + "rsa.misc.result": "Configuration Failed", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "nvo6105.invalid" + ], + "rsa.time.event_time": "2016-09-14T00:51:07.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-09-28T07:53:42.000Z", + "event.code": "afcd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:9:28-05:53:42 afcd[2492]: Classifier configuration reloaded successfully", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 3665, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 2492, + "rsa.internal.event_desc": "afcd: IM/P2P Classifier configuration reloaded successfully.", + "rsa.internal.messageid": "afcd", + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-10-12T14:56:16.000Z", + "event.code": "confd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:10:12-12:56:16 edic2758.api.domain confd: id=olabori severity=medium sys=atatnon sub=lica name=secil client=uisnos facility=olores user=scipit srcip=10.54.169.175 version=1.5889 storage=onorumet object=ptatema class=eavolup type=ipsumq attributes=evitcount=tno node=iss account=taspe", + "file.directory": "onorumet", + "fileset.name": "utm", + "host.name": "edic2758.api.domain", + "input.type": "log", + "log.level": "medium", + "log.offset": 3743, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "observer.version": "1.5889", + "related.hosts": [ + "edic2758.api.domain" + ], + "related.ip": [ + "10.54.169.175" + ], + "related.user": [ + "taspe", + "scipit" + ], + "rsa.identity.logon_type": "olores", + "rsa.internal.event_desc": "secil", + "rsa.internal.messageid": "confd", + "rsa.misc.group_object": "eavolup", + "rsa.misc.node": "iss", + "rsa.misc.obj_name": "evitcount=tno", + "rsa.misc.obj_type": "ipsumq", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.5889", + "rsa.network.alias_host": [ + "edic2758.api.domain" + ], + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "service.name": "lica", + "service.type": "sophos", + "source.ip": [ + "10.54.169.175" + ], + "tags": [ + "sophos.utm", + "forwarded" + ], + "user.name": "scipit" + }, + { + "@timestamp": "2016-10-26T21:58:50.000Z", + "event.code": "aua", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:10:26-19:58:50 aua[32]: id=mmo severity=high sys=tlaboru sub=aeabillo name=checking if admin is enabled srcip=10.26.228.145 user=eruntmo caller=nimve engine=usanti", + "fileset.name": "utm", + "input.type": "log", + "log.level": "high", + "log.offset": 4032, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 32, + "related.user": [ + "eruntmo" + ], + "rsa.internal.event_desc": "checking", + "rsa.internal.messageid": "aua", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2016-10-26T21:58:50.000Z", + "service.name": "aeabillo", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ], + "user.name": "eruntmo" + }, + { + "@timestamp": "2016-11-10T05:01:24.000Z", + "event.code": "sshd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:11:10-03:01:24 sshd[2051]: Server listening on 10.59.215.207 port 6195.", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 4201, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 2051, + "related.ip": [ + "10.59.215.207" + ], + "rsa.internal.event_desc": "sshd:Server listening; restarting.", + "rsa.internal.messageid": "sshd", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "service.type": "sophos", + "source.ip": [ + "10.59.215.207" + ], + "source.port": 6195, + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-11-24T12:03:59.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:11:24-10:03:59 ectobeat3157.mail.local reverseproxy: [uasiarch] [Malor:low] [pid 170:cillumdo] AH02312: Fatal error initialising mod_ssl, ditau.", + "fileset.name": "utm", + "host.name": "ectobeat3157.mail.local", + "input.type": "log", + "log.level": "low", + "log.offset": 4278, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 170, + "related.hosts": [ + "ectobeat3157.mail.local" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.disposition": "ditau", + "rsa.misc.event_id": "AH02312", + "rsa.misc.event_log": "Malor", + "rsa.misc.result": "Fatal error", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "ectobeat3157.mail.local" + ], + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-08T19:06:33.000Z", + "destination.ip": [ + "10.144.21.112" + ], + "destination.port": 90, + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:12:8-17:06:33 ident2323.internal.corp reverseproxy: [hend] [remagna:high] [pid 873:aparia] AH01909: 10.144.21.112:90:epteurs server certificate does NOT include an ID which matches the server name", + "fileset.name": "utm", + "host.name": "ident2323.internal.corp", + "input.type": "log", + "log.level": "high", + "log.offset": 4428, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 873, + "related.hosts": [ + "ident2323.internal.corp" + ], + "related.ip": [ + "10.144.21.112" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.comments": "server certificate has a different hostname from actual hostname", + "rsa.misc.event_id": "AH01909", + "rsa.misc.event_log": "remagna", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "ident2323.internal.corp" + ], + "rsa.time.event_time": "2016-12-08T19:06:33.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-23T02:09:07.000Z", + "event.code": "httpproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2016:12:23-00:09:07 ttenb4581.www.host httpproxy: [rem] main (exer) shutdown finished, exiting", + "fileset.name": "utm", + "host.name": "ttenb4581.www.host", + "input.type": "log", + "log.offset": 4630, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "ttenb4581.www.host" + ], + "rsa.internal.event_desc": "httpproxy:shutdown finished, exiting.", + "rsa.internal.messageid": "httpproxy", + "rsa.network.alias_host": [ + "ttenb4581.www.host" + ], + "rsa.time.event_time": "2016-12-23T02:09:07.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-06T09:11:41.000Z", + "event.code": "frox", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:1:6-07:11:41 lapari5763.api.invalid frox: Listening on 10.103.2.48:4713", + "fileset.name": "utm", + "host.name": "lapari5763.api.invalid", + "input.type": "log", + "log.offset": 4725, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "lapari5763.api.invalid" + ], + "related.ip": [ + "10.103.2.48" + ], + "rsa.internal.event_desc": "frox:FTP Proxy listening on port.", + "rsa.internal.messageid": "frox", + "rsa.network.alias_host": [ + "lapari5763.api.invalid" + ], + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "service.type": "sophos", + "source.ip": [ + "10.103.2.48" + ], + "source.port": 4713, + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-20T16:14:16.000Z", + "destination.ip": [ + "10.52.190.18" + ], + "destination.mac": "01:00:5e:51:b9:4d", + "destination.port": 165, + "event.code": "ulogd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:1:20-14:14:16 elites4713.www.localhost ulogd: id=serr severity=very-high sys=olore sub=onemul name=portscan detected action=deny fwrule=remeum seq=etur initf=lo6086 outitf=lo272 dstmac=01:00:5e:51:b9:4d srcmac=01:00:5e:15:3a:74 srcip=10.161.51.135 dstip=10.52.190.18 proto=isni length=quid tos=aUten prec=Duis ttl=uisq srcport=7807 dstport=165 tcpflags=accus info=CSed code=tiu type=wri", + "fileset.name": "utm", + "host.name": "elites4713.www.localhost", + "input.type": "log", + "log.level": "very-high", + "log.offset": 4802, + "observer.egress.interface.name": "lo272", + "observer.ingress.interface.name": "lo6086", + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "elites4713.www.localhost" + ], + "related.ip": [ + "10.161.51.135", + "10.52.190.18" + ], + "rsa.internal.event_desc": "portscan", + "rsa.internal.messageid": "ulogd", + "rsa.investigations.ec_activity": "Scan", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "TEV", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.context": "CSed", + "rsa.misc.policy_id": "remeum", + "rsa.misc.rule": "serr", + "rsa.misc.severity": "very-high", + "rsa.misc.vsys": "olore", + "rsa.network.alias_host": [ + "elites4713.www.localhost" + ], + "rsa.network.dinterface": "lo272", + "rsa.network.network_service": "onemul", + "rsa.network.sinterface": "lo6086", + "rsa.time.event_time": "2017-01-20T16:14:16.000Z", + "service.type": "sophos", + "source.ip": [ + "10.161.51.135" + ], + "source.mac": "01:00:5e:15:3a:74", + "source.port": 7807, + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-03T23:16:50.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:2:3-21:16:50 sam1795.invalid reverseproxy: [lorese] [olupta:low] [pid 3338:iqui] AH02312: Fatal error initialising mod_ssl, animide.", + "fileset.name": "utm", + "host.name": "sam1795.invalid", + "input.type": "log", + "log.level": "low", + "log.offset": 5194, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 3338, + "related.hosts": [ + "sam1795.invalid" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.disposition": "animide", + "rsa.misc.event_id": "AH02312", + "rsa.misc.event_log": "olupta", + "rsa.misc.result": "Fatal error", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "sam1795.invalid" + ], + "rsa.time.event_time": "2017-02-03T23:16:50.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-18T06:19:24.000Z", + "event.code": "confd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:2:18-04:19:24 confd[10]: id=arch severity=high sys=data sub=ugits name=ittenb client=tobeatae facility=ntut user=llum srcip=10.232.108.32 version=1.5240 storage=idolo object=mqu class=mquido type=ende attributes=ntmollitcount=tisu node=ionofdeF account=rsp", + "file.directory": "idolo", + "fileset.name": "utm", + "input.type": "log", + "log.level": "high", + "log.offset": 5332, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "observer.version": "1.5240", + "process.pid": 10, + "related.ip": [ + "10.232.108.32" + ], + "related.user": [ + "rsp", + "llum" + ], + "rsa.identity.logon_type": "ntut", + "rsa.internal.event_desc": "ittenb", + "rsa.internal.messageid": "confd", + "rsa.misc.group_object": "mquido", + "rsa.misc.node": "ionofdeF", + "rsa.misc.obj_name": "ntmollitcount=tisu", + "rsa.misc.obj_type": "ende", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.5240", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "service.name": "ugits", + "service.type": "sophos", + "source.ip": [ + "10.232.108.32" + ], + "tags": [ + "sophos.utm", + "forwarded" + ], + "user.name": "llum" + }, + { + "@timestamp": "2017-03-04T13:21:59.000Z", + "destination.address": "Duis583.api.local", + "destination.ip": [ + "10.17.51.153" + ], + "destination.mac": "01:00:5e:8c:f2:06", + "destination.port": 1525, + "event.action": "deny", + "event.code": "astarosg_TVM", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:3:4-11:21:59 nostrum6305.internal.localhost astarosg_TVM: id=llitani severity=high sys=itametco sub=etcons name=web request blocked, forbidden url detectedaction=allow method=iuntN client=utfugi facility=ursintoc user=tio srcip=10.89.41.97 dstip=10.231.116.175 version=1.5146 storage=lup ad_domain=mipsamv object=exeacomm class=sequines type=cto attributes=cusacount=nderi node=tem account=tcustatuscode=eumiu cached=nim profile=pteurs filteraction=ercitati size=835 request=ptat url=https://mail.example.net/velillu/ecatcupi.txt?rsitamet=leumiur#ssequamn referer=https://example.com/taliqui/idi.txt?undeomn=ape#itaspe error=ari authtime=umtot dnstime=onemulla cattime=atquo avscantime=borio fullreqtime=equatD device=uidol auth=inculpa ua=ruredol exceptions=iadeseru group=loremagn category=acons categoryname=nimadmi content-type=lapa reputation=emoenimi application=iquipex app-id=mqu reason=onorume filename=abill file=ametcon extension=ofdeFini time=tasnu function=deny line=tionev message=uasiarch fwrule=velites seq=uredolor initf=lo1543 outitf=lo6683 dstmac=01:00:5e:8c:f2:06 srcmac=01:00:5e:6f:71:02 proto=plica length=asiarc tos=lor prec=;nvolupt ttl=dquia srcport=5334 dstport=1525 tcpflags=umfugiat info=quisnos prec=utf caller=dolor engine=dexe localip=nemul host=Duis583.api.local extra=eavolupt server=10.17.51.153 cookie=aperiame set-cookie=stenat", + "file.directory": "lup", + "file.extension": "ofdeFini", + "file.name": "ametcon", + "file.size": 835, + "fileset.name": "utm", + "group.name": "loremagn", + "host.name": "nostrum6305.internal.localhost", + "http.request.referrer": "https://example.com/taliqui/idi.txt?undeomn=ape#itaspe", + "input.type": "log", + "log.level": "high", + "log.offset": 5594, + "observer.egress.interface.name": "lo6683", + "observer.ingress.interface.name": "lo1543", + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "observer.version": "1.5146", + "related.hosts": [ + "nostrum6305.internal.localhost", + "Duis583.api.local" + ], + "related.ip": [ + "10.17.51.153", + "10.89.41.97" + ], + "related.user": [ + "tcustatuscode=eumiu", + "tio", + "pteurs" + ], + "rsa.db.index": "eavolupt", + "rsa.identity.logon_type": "ursintoc", + "rsa.internal.event_desc": "web", + "rsa.internal.messageid": "astarosg_TVM", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "iuntN", + "deny" + ], + "rsa.misc.comments": "onorume", + "rsa.misc.content_type": "lapa", + "rsa.misc.context": "quisnos", + "rsa.misc.group": "loremagn", + "rsa.misc.group_object": "sequines", + "rsa.misc.node": "tem", + "rsa.misc.obj_name": "cusacount=nderi", + "rsa.misc.obj_type": "cto", + "rsa.misc.policy_id": "velites", + "rsa.misc.policy_name": "ercitati", + "rsa.misc.rule": "llitani", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.5146", + "rsa.misc.vsys": "itametco", + "rsa.network.alias_host": [ + "nostrum6305.internal.localhost" + ], + "rsa.network.dinterface": "lo6683", + "rsa.network.host_dst": "Duis583.api.local", + "rsa.network.sinterface": "lo1543", + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "rsa.web.web_cookie": "aperiame", + "service.name": "etcons", + "service.type": "sophos", + "source.ip": [ + "10.89.41.97" + ], + "source.mac": "01:00:5e:6f:71:02", + "source.port": 5334, + "tags": [ + "sophos.utm", + "forwarded" + ], + "url.original": "https://mail.example.net/velillu/ecatcupi.txt?rsitamet=leumiur#ssequamn", + "user.name": "tio" + }, + { + "@timestamp": "2017-03-18T20:24:33.000Z", + "event.code": "aua", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:3:18-18:24:33 xeaco7887.www.localdomain aua: id=hite severity=very-high sys=ugitsed sub=dminimve name=Packet accepted srcip=10.137.165.144 user=uptate caller=tot engine=reme", + "fileset.name": "utm", + "host.name": "xeaco7887.www.localdomain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 6963, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "xeaco7887.www.localdomain" + ], + "related.user": [ + "uptate" + ], + "rsa.internal.event_desc": "Packet", + "rsa.internal.messageid": "aua", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "xeaco7887.www.localdomain" + ], + "rsa.time.event_time": "2017-03-18T20:24:33.000Z", + "service.name": "dminimve", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ], + "user.name": "uptate" + }, + { + "@timestamp": "2017-04-02T03:27:07.000Z", + "destination.address": "iscivel3512.invalid", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:4:2-01:27:07 reverseproxy[5430]: ARGS:userPermissions: [\\\\x22dashletAccessAlertingRecentAlertsPanel\\\\x22,\\\\x22dashletAccessAlerterTopAlertsDashlet\\\\x22,\\\\x22accessViewRules\\\\x22,\\\\x22deployLiveResources\\\\x22,\\\\x22vi...\"] [severity [hostname \"iscivel3512.invalid\"] [uri \"atcupi\"] [unique_id \"eriti\"]", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 7142, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 5430, + "related.hosts": [ + "iscivel3512.invalid" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.operation_id": "eriti", + "rsa.network.host_dst": "iscivel3512.invalid", + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ], + "url.path": "atcupi" + }, + { + "@timestamp": "2017-04-16T10:29:41.000Z", + "event.code": "sockd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:4:16-08:29:41 sockd[6181]: dante/server 1.202 running", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 7446, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "observer.version": "1.202", + "process.pid": 6181, + "rsa.internal.event_desc": "sockd:dante/server running.", + "rsa.internal.messageid": "sockd", + "rsa.misc.version": "1.202", + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-04-30T17:32:16.000Z", + "event.code": "afcd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:4:30-15:32:16 dolor5799.home afcd: Classifier configuration reloaded successfully", + "fileset.name": "utm", + "host.name": "dolor5799.home", + "input.type": "log", + "log.offset": 7505, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "dolor5799.home" + ], + "rsa.internal.event_desc": "afcd: IM/P2P Classifier configuration reloaded successfully.", + "rsa.internal.messageid": "afcd", + "rsa.network.alias_host": [ + "dolor5799.home" + ], + "rsa.time.event_time": "2017-04-30T17:32:16.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-05-15T00:34:50.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:5:14-22:34:50 oreseosq1859.api.lan reverseproxy: [mmodic] [essequam:low] [pid 6691:ficiade] [client uiinea] [uianonn] virus daemon connection problem found in request https://www5.example.com/dantium/ors.htm?sinto=edi#eumiure, referer: https://example.com/adeser/mSe.gif?aute=rchite#rcit", + "fileset.name": "utm", + "host.name": "oreseosq1859.api.lan", + "http.request.referrer": "https://example.com/adeser/mSe.gif?aute=rchite#rcit", + "input.type": "log", + "log.level": "low", + "log.offset": 7592, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 6691, + "related.hosts": [ + "oreseosq1859.api.lan" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_log": "essequam", + "rsa.misc.result": "Virus daemon connection problem", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "oreseosq1859.api.lan" + ], + "rsa.network.gateway": "uiinea", + "rsa.time.event_time": "2017-05-15T00:34:50.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ], + "url.original": "https://www5.example.com/dantium/ors.htm?sinto=edi#eumiure" + }, + { + "@timestamp": "2017-05-29T07:37:24.000Z", + "event.code": "confd-sync", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:5:29-05:37:24 confd-sync[6908]: id=smoditem severity=very-high sys=tev sub=oNemoeni name=luptatem", + "fileset.name": "utm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 7885, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 6908, + "rsa.internal.event_desc": "luptatem", + "rsa.internal.messageid": "confd-sync", + "rsa.misc.severity": "very-high", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "service.name": "oNemoeni", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-12T14:39:58.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:6:12-12:39:58 autodit272.www.localhost reverseproxy: [oriss] [imadmin:very-high] [pid 1121:urve] ModSecurity: sBonoru compiled version=\"everi\"; loaded version=\"squ\"", + "fileset.name": "utm", + "host.name": "autodit272.www.localhost", + "input.type": "log", + "log.level": "very-high", + "log.offset": 7988, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 1121, + "related.hosts": [ + "autodit272.www.localhost" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_log": "imadmin", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "autodit272.www.localhost" + ], + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-06-26T21:42:33.000Z", + "destination.ip": [ + "10.148.21.7" + ], + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:6:26-19:42:33 rporis6787.www5.localdomain reverseproxy: [quasiarc] [pta:low] [pid 3705:liqu] [client ipsu] AH01114: siarch: failed to make connection to backend: 10.148.21.7", + "fileset.name": "utm", + "host.name": "rporis6787.www5.localdomain", + "input.type": "log", + "log.level": "low", + "log.offset": 8158, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 3705, + "related.hosts": [ + "rporis6787.www5.localdomain" + ], + "related.ip": [ + "10.148.21.7" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_id": "AH01114", + "rsa.misc.event_log": "pta", + "rsa.misc.result": "Backend connection failed", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "rporis6787.www5.localdomain" + ], + "rsa.network.gateway": "ipsu", + "rsa.network.network_service": "siarch", + "rsa.time.event_time": "2017-06-26T21:42:33.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-07-11T04:45:07.000Z", + "destination.address": "ntore4333.api.invalid", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:7:11-02:45:07 reprehe5661.www.lan reverseproxy: rManage\\\\x22,\\\\x22manageLiveSystemSettings\\\\x22,\\\\x22accessViewJobs\\\\x22,\\\\x22exportList\\\\...\"] [ver \"olor\"] [maturity \"corpo\"] [accuracy \"commod\"] iumd [hostname \"ntore4333.api.invalid\"] [uri \"sitv\"] [unique_id \"equam\"]", + "fileset.name": "utm", + "host.name": "reprehe5661.www.lan", + "input.type": "log", + "log.offset": 8337, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "reprehe5661.www.lan", + "ntore4333.api.invalid" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.context": "iumd", + "rsa.misc.operation_id": "equam", + "rsa.misc.policy_name": "olor", + "rsa.network.alias_host": [ + "reprehe5661.www.lan" + ], + "rsa.network.host_dst": "ntore4333.api.invalid", + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ], + "url.path": "sitv" + }, + { + "@timestamp": "2017-07-25T11:47:41.000Z", + "event.code": "exim", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:7:25-09:47:41 exim[2384]: aeca-ugitse-ameiu utei:caecat:lumquid oluptat sequatD163.internal.example [10.151.206.38]:5794 lits", + "fileset.name": "utm", + "host.name": "sequatD163.internal.example", + "input.type": "log", + "log.offset": 8611, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 2384, + "related.hosts": [ + "sequatD163.internal.example" + ], + "related.ip": [ + "10.151.206.38" + ], + "rsa.db.index": "lits", + "rsa.internal.event_desc": "exim:connection service message.", + "rsa.internal.messageid": "exim", + "rsa.network.alias_host": [ + "sequatD163.internal.example" + ], + "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "service.type": "sophos", + "source.ip": [ + "10.151.206.38" + ], + "source.port": 5794, + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-08T18:50:15.000Z", + "event.code": "pluto", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:8:8-16:50:15 elillu5777.www5.lan pluto: \"elaudant\"[olup] 10.230.4.70 #ncu: starting keying attempt quaturve of an unlimited number", + "fileset.name": "utm", + "host.name": "elillu5777.www5.lan", + "input.type": "log", + "log.offset": 8742, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "elillu5777.www5.lan" + ], + "related.ip": [ + "10.230.4.70" + ], + "rsa.internal.event_desc": "pluto: starting keying attempt of an unlimited number", + "rsa.internal.messageid": "pluto", + "rsa.network.alias_host": [ + "elillu5777.www5.lan" + ], + "rsa.time.event_time": "2017-08-08T18:50:15.000Z", + "service.type": "sophos", + "source.ip": [ + "10.230.4.70" + ], + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-08-23T01:52:50.000Z", + "event.code": "xl2tpd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:8:22-23:52:50 ecatcup3022.mail.invalid xl2tpd: Inherited by nproide", + "fileset.name": "utm", + "host.name": "ecatcup3022.mail.invalid", + "input.type": "log", + "log.offset": 8878, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "ecatcup3022.mail.invalid" + ], + "rsa.db.index": "nproide", + "rsa.internal.event_desc": "xl2tpd:xl2tpd Software copyright.", + "rsa.internal.messageid": "xl2tpd", + "rsa.network.alias_host": [ + "ecatcup3022.mail.invalid" + ], + "rsa.time.event_time": "2017-08-23T01:52:50.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-06T08:55:24.000Z", + "event.code": "ipsec_starter", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:9:6-06:55:24 qui7797.www.host ipsec_starter: Starting strongSwan umet IPsec [starter]...", + "fileset.name": "utm", + "host.name": "qui7797.www.host", + "input.type": "log", + "log.offset": 8951, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "qui7797.www.host" + ], + "rsa.internal.event_desc": "ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]...", + "rsa.internal.messageid": "ipsec_starter", + "rsa.network.alias_host": [ + "qui7797.www.host" + ], + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-09-20T15:57:58.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:9:20-13:57:58 nofdeFin2037.mail.example reverseproxy: [quatD] [nevol:high] [pid 3994:Sectio] [client tiumdol] [laud] cannot read reply: Operation now in progress (115), referer: https://example.org/tquov/natu.jpg?uianonnu=por#nve", + "fileset.name": "utm", + "host.name": "nofdeFin2037.mail.example", + "http.request.referrer": "https://example.org/tquov/natu.jpg?uianonnu=por#nve", + "input.type": "log", + "log.level": "high", + "log.offset": 9045, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 3994, + "related.hosts": [ + "nofdeFin2037.mail.example" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_log": "nevol", + "rsa.misc.result": "Cannot read reply", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "nofdeFin2037.mail.example" + ], + "rsa.network.gateway": "tiumdol", + "rsa.time.event_time": "2017-09-20T15:57:58.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-04T23:00:32.000Z", + "event.code": "sockd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:10:4-21:00:32 sockd[7264]: dante/server 1.3714 running", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 9280, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "observer.version": "1.3714", + "process.pid": 7264, + "rsa.internal.event_desc": "sockd:dante/server running.", + "rsa.internal.messageid": "sockd", + "rsa.misc.version": "1.3714", + "rsa.time.event_time": "2017-10-04T23:00:32.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:10:19-04:03:07 eFinib2403.api.example reverseproxy: [utaliq] [sun:high] [pid 4074:uredol] [client quatD] [enimad] ecatcu while reading reply from cssd, referer: https://mail.example.org/urautod/eveli.html?rese=nonproi#doconse", + "fileset.name": "utm", + "host.name": "eFinib2403.api.example", + "http.request.referrer": "https://mail.example.org/urautod/eveli.html?rese=nonproi#doconse", + "input.type": "log", + "log.level": "high", + "log.offset": 9340, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 4074, + "related.hosts": [ + "eFinib2403.api.example" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.disposition": "ecatcu", + "rsa.misc.event_log": "sun", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "eFinib2403.api.example" + ], + "rsa.network.gateway": "quatD", + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-11-02T13:05:41.000Z", + "event.code": "confd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:11:2-11:05:41 confd[4939]: id=acons severity=high sys=adipisc sub=omnisist name=orroqui client=sci facility=psamvolu user=itsedqui srcip=10.244.96.61 version=1.2707 storage=onevol object=ese class=reprehen type=Exce attributes=toccacount=tinvolu node=ecatc account=iumt", + "file.directory": "onevol", + "fileset.name": "utm", + "input.type": "log", + "log.level": "high", + "log.offset": 9571, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "observer.version": "1.2707", + "process.pid": 4939, + "related.ip": [ + "10.244.96.61" + ], + "related.user": [ + "itsedqui", + "iumt" + ], + "rsa.identity.logon_type": "psamvolu", + "rsa.internal.event_desc": "orroqui", + "rsa.internal.messageid": "confd", + "rsa.misc.group_object": "reprehen", + "rsa.misc.node": "ecatc", + "rsa.misc.obj_name": "toccacount=tinvolu", + "rsa.misc.obj_type": "Exce", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.2707", + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "service.name": "omnisist", + "service.type": "sophos", + "source.ip": [ + "10.244.96.61" + ], + "tags": [ + "sophos.utm", + "forwarded" + ], + "user.name": "itsedqui" + }, + { + "@timestamp": "2017-11-16T20:08:15.000Z", + "event.action": "reloading", + "event.code": "named", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:11:16-18:08:15 named[1900]: reloading eddoei iono", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 9846, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 1900, + "rsa.internal.messageid": "named", + "rsa.misc.action": [ + "reloading" + ], + "rsa.misc.disposition": "iono", + "rsa.misc.obj_type": "eddoei", + "rsa.time.event_time": "2017-11-16T20:08:15.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-01T03:10:49.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:12:1-01:10:49 obeatae2042.www.domain reverseproxy: [dquian] [isaute:low] [pid 1853:utfugit] (70007)The ula specified has expired: [client quaUteni] AH01110: error reading response", + "fileset.name": "utm", + "host.name": "obeatae2042.www.domain", + "input.type": "log", + "log.level": "low", + "log.offset": 9901, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 1853, + "related.hosts": [ + "obeatae2042.www.domain" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.disposition": "ula", + "rsa.misc.event_id": "AH01110", + "rsa.misc.event_log": "isaute", + "rsa.misc.result": "Error reading response", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "obeatae2042.www.domain" + ], + "rsa.network.gateway": "quaUteni", + "rsa.time.event_time": "2017-12-01T03:10:49.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-15T10:13:24.000Z", + "event.code": "pop3proxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:12:15-08:13:24 aerat1267.www5.example pop3proxy: Master started", + "fileset.name": "utm", + "host.name": "aerat1267.www5.example", + "input.type": "log", + "log.offset": 10086, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "aerat1267.www5.example" + ], + "rsa.internal.event_desc": "pop3proxy:Master started.", + "rsa.internal.messageid": "pop3proxy", + "rsa.network.alias_host": [ + "aerat1267.www5.example" + ], + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2017-12-29T17:15:58.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2017:12:29-15:15:58 writt2238.internal.localdomain reverseproxy: [uaer] [aed:low] [pid 478:ain] [client scingeli] [uatDuis] mod_avscan_check_file_single_part() called with parameter filename=imip", + "file.name": "imip", + "fileset.name": "utm", + "host.name": "writt2238.internal.localdomain", + "input.type": "log", + "log.level": "low", + "log.offset": 10155, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 478, + "related.hosts": [ + "writt2238.internal.localdomain" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_log": "aed", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "writt2238.internal.localdomain" + ], + "rsa.network.gateway": "scingeli", + "rsa.time.event_time": "2017-12-29T17:15:58.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-13T00:18:32.000Z", + "destination.domain": "uatD", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:1:12-22:18:32 siutaliq4937.api.lan reverseproxy: [siutaliq] [urvel:very-high] [pid 7721:ntium] [imadmi] Hostname in dquiac request (liquide) does not match the server name (uatD)", + "fileset.name": "utm", + "host.name": "siutaliq4937.api.lan", + "input.type": "log", + "log.level": "very-high", + "log.offset": 10351, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 7721, + "related.hosts": [ + "siutaliq4937.api.lan" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.comments": "server certificate has a different hostname from actual hostname", + "rsa.misc.event_log": "urvel", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "siutaliq4937.api.lan" + ], + "rsa.network.network_service": "dquiac", + "rsa.time.event_time": "2018-01-13T00:18:32.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2018-01-27T07:21:06.000Z", + "event.action": "accept", + "event.code": "URID", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:1:27-05:21:06 URID[7596]: T=BCSedut ------ 1 - [exit] accept: ametco", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 10535, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 7596, + "rsa.internal.messageid": "URID", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.disposition": "ametco", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2018-02-10T14:23:41.000Z", + "destination.address": "tenbyCi4371.www5.localdomain", + "destination.ip": [ + "10.98.126.206" + ], + "destination.mac": "01:00:5e:2f:c3:3e", + "destination.port": 2390, + "event.action": "block", + "event.code": "astarosg_TVM", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:2:10-12:23:41 astarosg_TVM[1090]: id=udex severity=low sys=iam sub=animi name=UDP flood detectedaction=allow method=nsectetu client=spici facility=untutl user=hen srcip=10.214.167.164 dstip=10.76.98.53 version=1.3726 storage=uovolup ad_domain=expl object=animi class=mdoloree type=mullamco attributes=tnulcount=ons node=radip account=amremapstatuscode=dolorsit cached=atisund profile=isnostru filteraction=quepo size=5693 request=nisi url=https://api.example.org/iono/secillum.txt?apariat=tse#enbyCi referer=https://example.com/eetdol/aut.jpg?pitlab=tutlabor#imadmi error=nculp authtime=quamnihi dnstime=nimadmi cattime=mquiado avscantime=agn fullreqtime=dip device=urmag auth=nim ua=laboreet exceptions=tutlabo group=incid category=der categoryname=totamrem content-type=eaqu reputation=itani application=mni app-id=runtmol reason=uaer filename=nor file=saut extension=olest time=volu function=block line=osam message=ncid fwrule=loremagn seq=uisau initf=lo1255 outitf=eth965 dstmac=01:00:5e:2f:c3:3e srcmac=01:00:5e:65:2d:fe proto=ictasun length=iumto tos=ciun prec=;prehe ttl=essec srcport=4562 dstport=2390 tcpflags=uaera info=nsequa prec=yCicero caller=orporis engine=oluptate localip=tesseq host=tenbyCi4371.www5.localdomain extra=spernatu server=10.98.126.206 cookie=tion set-cookie=tNeque", + "file.directory": "uovolup", + "file.extension": "olest", + "file.name": "saut", + "file.size": 5693, + "fileset.name": "utm", + "group.name": "incid", + "http.request.referrer": "https://example.com/eetdol/aut.jpg?pitlab=tutlabor#imadmi", + "input.type": "log", + "log.level": "low", + "log.offset": 10609, + "observer.egress.interface.name": "eth965", + "observer.ingress.interface.name": "lo1255", + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "observer.version": "1.3726", + "process.pid": 1090, + "related.hosts": [ + "tenbyCi4371.www5.localdomain" + ], + "related.ip": [ + "10.98.126.206", + "10.214.167.164" + ], + "related.user": [ + "hen", + "isnostru", + "amremapstatuscode=dolorsit" + ], + "rsa.db.index": "spernatu", + "rsa.identity.logon_type": "untutl", + "rsa.internal.event_desc": "UDP", + "rsa.internal.messageid": "astarosg_TVM", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "nsectetu", + "block" + ], + "rsa.misc.comments": "uaer", + "rsa.misc.content_type": "eaqu", + "rsa.misc.context": "nsequa", + "rsa.misc.group": "incid", + "rsa.misc.group_object": "mdoloree", + "rsa.misc.node": "radip", + "rsa.misc.obj_name": "tnulcount=ons", + "rsa.misc.obj_type": "mullamco", + "rsa.misc.policy_id": "loremagn", + "rsa.misc.policy_name": "quepo", + "rsa.misc.rule": "udex", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3726", + "rsa.misc.vsys": "iam", + "rsa.network.dinterface": "eth965", + "rsa.network.host_dst": "tenbyCi4371.www5.localdomain", + "rsa.network.sinterface": "lo1255", + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "rsa.web.web_cookie": "tion", + "service.name": "animi", + "service.type": "sophos", + "source.ip": [ + "10.214.167.164" + ], + "source.mac": "01:00:5e:65:2d:fe", + "source.port": 4562, + "tags": [ + "sophos.utm", + "forwarded" + ], + "url.original": "https://api.example.org/iono/secillum.txt?apariat=tse#enbyCi", + "user.name": "hen" + }, + { + "@timestamp": "2018-02-24T21:26:15.000Z", + "destination.ip": [ + "10.32.236.117" + ], + "destination.mac": "01:00:5e:9a:fe:91", + "destination.port": 5550, + "event.code": "ulogd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:2:24-19:26:15 ulogd[6722]: id=persp severity=medium sys=orev sub=lapa name=Packet logged action=allow fwrule=adminim seq=isiutali initf=lo7088 outitf=eth6357 dstmac=01:00:5e:9a:fe:91 srcmac=01:00:5e:78:1a:5a srcip=10.203.157.250 dstip=10.32.236.117 proto=turm length=quamei tos=nvento prec=nama ttl=ema srcport=6585 dstport=5550 tcpflags=xeacomm info=oriosa code=erspici type=oreeu", + "fileset.name": "utm", + "input.type": "log", + "log.level": "medium", + "log.offset": 11911, + "observer.egress.interface.name": "eth6357", + "observer.ingress.interface.name": "lo7088", + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 6722, + "related.ip": [ + "10.32.236.117", + "10.203.157.250" + ], + "rsa.internal.event_desc": "Packet", + "rsa.internal.messageid": "ulogd", + "rsa.investigations.ec_activity": "Scan", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "TEV", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.context": "oriosa", + "rsa.misc.policy_id": "adminim", + "rsa.misc.rule": "persp", + "rsa.misc.severity": "medium", + "rsa.misc.vsys": "orev", + "rsa.network.dinterface": "eth6357", + "rsa.network.network_service": "lapa", + "rsa.network.sinterface": "lo7088", + "rsa.time.event_time": "2018-02-24T21:26:15.000Z", + "service.type": "sophos", + "source.ip": [ + "10.203.157.250" + ], + "source.mac": "01:00:5e:78:1a:5a", + "source.port": 6585, + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2018-03-11T04:28:49.000Z", + "destination.ip": [ + "10.231.77.26" + ], + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:3:11-02:28:49 ectob5542.www5.corp reverseproxy: [agni] [ivelit:high] [pid 7755:uovol] AH00959: ap_proxy_connect_backend disabling worker for (10.231.77.26) for volups", + "fileset.name": "utm", + "host.name": "ectob5542.www5.corp", + "input.type": "log", + "log.level": "high", + "log.offset": 12298, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 7755, + "related.hosts": [ + "ectob5542.www5.corp" + ], + "related.ip": [ + "10.231.77.26" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_id": "AH00959", + "rsa.misc.event_log": "ivelit", + "rsa.misc.result": "disabling worker", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "ectob5542.www5.corp" + ], + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "rsa.time.process_time": "volup", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2018-03-25T11:31:24.000Z", + "destination.address": "tenima5715.api.example", + "destination.ip": [ + "10.92.93.236" + ], + "destination.mac": "01:00:5e:0a:8f:6c", + "destination.port": 6939, + "event.action": "block", + "event.code": "httpd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:3:25-09:31:24 iusmo901.www.home httpd: id=scivelit severity=high sys=untut sub=siu name=Authentication successfulaction=allow method=icons client=hende facility=umdol user=Sedutper srcip=10.2.24.156 dstip=10.113.78.101 version=1.2707 storage=amqua ad_domain=nsequatu object=aboNemoe class=mqu type=tse attributes=ntiumdcount=ueip node=amvo account=dolorsistatuscode=acc cached=quinesc profile=ulpaq filteraction=usa size=5474 request=tob url=https://www.example.org/imipsamv/doeiu.jpg?nderit=ficia#tru referer=https://mail.example.org/natuser/olupt.txt?ipsumqu=nsec#smo error=avolup authtime=litse dnstime=archit cattime=nde avscantime=tNequepo fullreqtime=byCicer device=imvenia auth=ipit ua=tdolorem exceptions=nderitin group=mquiado category=ssequa categoryname=nisist content-type=temvele reputation=ofd application=quam app-id=umdol reason=porincid filename=tisetqu file=pici extension=erit time=ehenderi function=block line=fugiatqu message=Duisaute fwrule=uptat seq=hende initf=lo3680 outitf=lo4358 dstmac=01:00:5e:0a:8f:6c srcmac=01:00:5e:34:8c:d2 proto=mnis length=ainci tos=aturve prec=;tiumdol ttl=mporain srcport=6938 dstport=6939 tcpflags=dut info=aecons prec=tionemu caller=edictasu engine=quipexea localip=orsit host=tenima5715.api.example extra=snisiut server=10.92.93.236 cookie=amr set-cookie=mfug port=7174 query=exerc uid=ntoccae", + "file.directory": "amqua", + "file.extension": "erit", + "file.name": "pici", + "file.size": 5474, + "fileset.name": "utm", + "group.name": "mquiado", + "host.name": "iusmo901.www.home", + "http.request.referrer": "https://mail.example.org/natuser/olupt.txt?ipsumqu=nsec#smo", + "input.type": "log", + "log.level": "high", + "log.offset": 12470, + "observer.egress.interface.name": "lo4358", + "observer.ingress.interface.name": "lo3680", + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "observer.version": "1.2707", + "related.hosts": [ + "iusmo901.www.home", + "tenima5715.api.example" + ], + "related.ip": [ + "10.2.24.156", + "10.92.93.236" + ], + "related.user": [ + "ulpaq", + "Sedutper", + "dolorsistatuscode=acc", + "ntoccae" + ], + "rsa.db.index": "snisiut", + "rsa.identity.logon_type": "umdol", + "rsa.internal.event_desc": "Authentication", + "rsa.internal.messageid": "httpd", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "icons", + "block" + ], + "rsa.misc.comments": "porincid", + "rsa.misc.content_type": "temvele", + "rsa.misc.context": "aecons", + "rsa.misc.group": "mquiado", + "rsa.misc.group_object": "mqu", + "rsa.misc.node": "amvo", + "rsa.misc.obj_name": "ntiumdcount=ueip", + "rsa.misc.obj_type": "tse", + "rsa.misc.policy_id": "uptat", + "rsa.misc.policy_name": "usa", + "rsa.misc.rule": "scivelit", + "rsa.misc.severity": "high", + "rsa.misc.version": "1.2707", + "rsa.misc.vsys": "untut", + "rsa.network.alias_host": [ + "iusmo901.www.home" + ], + "rsa.network.dinterface": "lo4358", + "rsa.network.host_dst": "tenima5715.api.example", + "rsa.network.network_port": 7174, + "rsa.network.sinterface": "lo3680", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "rsa.web.web_cookie": "amr", + "service.name": "siu", + "service.type": "sophos", + "source.ip": [ + "10.2.24.156" + ], + "source.mac": "01:00:5e:34:8c:d2", + "source.port": 6938, + "tags": [ + "sophos.utm", + "forwarded" + ], + "url.original": "https://www.example.org/imipsamv/doeiu.jpg?nderit=ficia#tru", + "url.query": "exerc", + "user.name": "Sedutper" + }, + { + "@timestamp": "2018-04-08T18:33:58.000Z", + "destination.address": "mni4032.lan", + "destination.ip": [ + "10.202.65.2" + ], + "destination.mac": "01:00:5e:2c:9d:65", + "destination.port": 1402, + "event.action": "cancel", + "event.code": "astarosg_TVM", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:4:8-16:33:58 astarosg_TVM[6463]: id=user severity=low sys=sequamn sub=adeseru name=File extension warned and proceededaction=accept method=mquisn client=ulamcol facility=nulamcol user=atatno srcip=10.180.169.49 dstip=10.206.69.71 version=1.3155 storage=risni ad_domain=ccaecat object=dtemp class=onproid type=ica attributes=mnisiscount=edolor node=nonnumqu account=iscivelistatuscode=urve cached=sundeomn profile=tasu filteraction=equunt size=3144 request=ilmo url=https://mail.example.net/isqua/deF.html?iameaq=orainci#adm referer=https://api.example.org/mremap/ate.htm?tlabor=cidunt#ria error=tessec authtime=cupida dnstime=ciade cattime=busBonor avscantime=enima fullreqtime=emseq device=osamni auth=umetMa ua=equatDui exceptions=its group=setquas category=nti categoryname=osamnis content-type=atisetqu reputation=ciduntut application=atisu app-id=edutpe reason=architec filename=incul file=tevelit extension=emse time=eipsaqua function=cancel line=suntincu message=lore fwrule=equatu seq=enbyCi initf=enp0s566 outitf=lo2179 dstmac=01:00:5e:2c:9d:65 srcmac=01:00:5e:1a:03:f5 proto=orema length=iusmo tos=uunturm prec=;mSect ttl=avolupta srcport=3308 dstport=1402 tcpflags=dolo info=tsed prec=corpori caller=cillumd engine=umdol localip=turmagn host=mni4032.lan extra=amrem server=10.202.65.2 cookie=queporr set-cookie=oide", + "file.directory": "risni", + "file.extension": "emse", + "file.name": "tevelit", + "file.size": 3144, + "fileset.name": "utm", + "group.name": "setquas", + "http.request.referrer": "https://api.example.org/mremap/ate.htm?tlabor=cidunt#ria", + "input.type": "log", + "log.level": "low", + "log.offset": 13825, + "observer.egress.interface.name": "lo2179", + "observer.ingress.interface.name": "enp0s566", + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "observer.version": "1.3155", + "process.pid": 6463, + "related.hosts": [ + "mni4032.lan" + ], + "related.ip": [ + "10.180.169.49", + "10.202.65.2" + ], + "related.user": [ + "atatno", + "iscivelistatuscode=urve", + "tasu" + ], + "rsa.db.index": "amrem", + "rsa.identity.logon_type": "nulamcol", + "rsa.internal.event_desc": "File", + "rsa.internal.messageid": "astarosg_TVM", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "mquisn", + "cancel" + ], + "rsa.misc.comments": "architec", + "rsa.misc.content_type": "atisetqu", + "rsa.misc.context": "tsed", + "rsa.misc.group": "setquas", + "rsa.misc.group_object": "onproid", + "rsa.misc.node": "nonnumqu", + "rsa.misc.obj_name": "mnisiscount=edolor", + "rsa.misc.obj_type": "ica", + "rsa.misc.policy_id": "equatu", + "rsa.misc.policy_name": "equunt", + "rsa.misc.rule": "user", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.3155", + "rsa.misc.vsys": "sequamn", + "rsa.network.dinterface": "lo2179", + "rsa.network.host_dst": "mni4032.lan", + "rsa.network.sinterface": "enp0s566", + "rsa.time.event_time": "2018-04-08T18:33:58.000Z", + "rsa.web.web_cookie": "queporr", + "service.name": "adeseru", + "service.type": "sophos", + "source.ip": [ + "10.180.169.49" + ], + "source.mac": "01:00:5e:1a:03:f5", + "source.port": 3308, + "tags": [ + "sophos.utm", + "forwarded" + ], + "url.original": "https://mail.example.net/isqua/deF.html?iameaq=orainci#adm", + "user.name": "atatno" + }, + { + "@timestamp": "2018-04-23T01:36:32.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:4:22-23:36:32 iscing6960.api.invalid reverseproxy: [emipsu] [incidu:very-high] [pid 5350:itation] SSL Library Error: error:itasper:failure", + "fileset.name": "utm", + "host.name": "iscing6960.api.invalid", + "input.type": "log", + "log.level": "very-high", + "log.offset": 15157, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 5350, + "related.hosts": [ + "iscing6960.api.invalid" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.context": "SSL Library Error", + "rsa.misc.event_log": "incidu", + "rsa.misc.result": "failure", + "rsa.misc.result_code": "itasper", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "iscing6960.api.invalid" + ], + "rsa.time.event_time": "2018-04-23T01:36:32.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-07T08:39:06.000Z", + "destination.address": "olupta3647.host", + "event.code": "httpd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:5:7-06:39:06 httpd[793]: [ruredo:success] [pid nculpaq:mides] [client iconseq] ModSecurity: Warning. nidolo [file \"runtmoll\"] [line \"tuserror\"] [id \"utlabo\"] [rev \"scip\"] [msg \"imvenia\"] [severity \"low\"] [ver \"1.6420\"] [maturity \"nisi\"] [accuracy \"seq\"] [tag \"ors\"] [hostname \"olupta3647.host\"] [uri \"uaUteni\"] [unique_id \"gitsedqu\"]amqu", + "file.name": "runtmoll", + "fileset.name": "utm", + "input.type": "log", + "log.level": "low", + "log.offset": 15301, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "observer.version": "1.6420", + "process.pid": 793, + "related.hosts": [ + "olupta3647.host" + ], + "rsa.internal.event_desc": "imvenia", + "rsa.internal.messageid": "httpd", + "rsa.misc.event_log": "ruredo", + "rsa.misc.operation_id": "gitsedqu", + "rsa.misc.result": "success", + "rsa.misc.rule": "utlabo", + "rsa.misc.rule_name": "nidolo", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.6420", + "rsa.network.gateway": "iconseq", + "rsa.network.host_dst": "olupta3647.host", + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "rule.name": "nidolo", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ], + "url.path": "uaUteni" + }, + { + "@timestamp": "2018-05-21T15:41:41.000Z", + "event.code": "named", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:5:21-13:41:41 named[6633]: FORMERR resolving 'iavolu7814.www5.localhost': 10.194.12.83#elit", + "fileset.name": "utm", + "host.name": "iavolu7814.www5.localhost", + "input.type": "log", + "log.offset": 15644, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 6633, + "related.hosts": [ + "iavolu7814.www5.localhost" + ], + "related.ip": [ + "10.194.12.83" + ], + "rsa.internal.event_desc": "named:FORMERR resolving DNS.", + "rsa.internal.messageid": "named", + "rsa.network.alias_host": [ + "iavolu7814.www5.localhost" + ], + "rsa.time.event_time": "2018-05-21T15:41:41.000Z", + "service.type": "sophos", + "source.ip": [ + "10.194.12.83" + ], + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-04T22:44:15.000Z", + "destination.address": "obea2960.mail.corp", + "destination.ip": [ + "10.45.12.53" + ], + "destination.mac": "01:00:5e:24:b8:9f", + "destination.port": 6937, + "event.action": "cancel", + "event.code": "astarosg_TVM", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:6:4-20:44:15 astarosg_TVM[5792]: id=elitess severity=low sys=amqua sub=mavenia name=checking if admin is enabledaction=cancel method=doc client=teurs facility=eturadi user=eturadip srcip=10.33.138.154 dstip=10.254.28.41 version=1.4256 storage=volupta ad_domain=dolor object=dolorsit class=tfugits type=lor attributes=oremcount=utper node=ueips account=umqustatuscode=ntexpli cached=siuta profile=porincid filteraction=itame size=1026 request=fugiat url=https://www5.example.org/etcons/aecatc.jpg?ditem=tut#oditautf referer=https://internal.example.org/eddoei/iatqu.htm?itessec=dat#tdol error=emul authtime=ariatu dnstime=luptate cattime=umdolore avscantime=iutaliq fullreqtime=oriosamn device=oluptate auth=tcu ua=mmodo exceptions=rauto group=lup category=orem categoryname=tutl content-type=iusmo reputation=uiavolu application=eri app-id=pis reason=riosam filename=isa file=nonnum extension=Nemoenim time=itati function=cancel line=nes message=atvolupt fwrule=umwritt seq=uae initf=enp0s3792 outitf=lo2114 dstmac=01:00:5e:24:b8:9f srcmac=01:00:5e:a1:a3:9f proto=bil length=itten tos=icer prec=;dolo ttl=siutaliq srcport=1455 dstport=6937 tcpflags=pexeaco info=ercitati prec=dexea caller=tasnul engine=onu localip=orisnisi host=obea2960.mail.corp extra=dolor server=10.45.12.53 cookie=etdo set-cookie=edictas", + "file.directory": "volupta", + "file.extension": "Nemoenim", + "file.name": "nonnum", + "file.size": 1026, + "fileset.name": "utm", + "group.name": "lup", + "http.request.referrer": "https://internal.example.org/eddoei/iatqu.htm?itessec=dat#tdol", + "input.type": "log", + "log.level": "low", + "log.offset": 15741, + "observer.egress.interface.name": "lo2114", + "observer.ingress.interface.name": "enp0s3792", + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "observer.version": "1.4256", + "process.pid": 5792, + "related.hosts": [ + "obea2960.mail.corp" + ], + "related.ip": [ + "10.33.138.154", + "10.45.12.53" + ], + "related.user": [ + "eturadip", + "umqustatuscode=ntexpli", + "porincid" + ], + "rsa.db.index": "dolor", + "rsa.identity.logon_type": "eturadi", + "rsa.internal.event_desc": "checking", + "rsa.internal.messageid": "astarosg_TVM", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "doc", + "cancel" + ], + "rsa.misc.comments": "riosam", + "rsa.misc.content_type": "iusmo", + "rsa.misc.context": "ercitati", + "rsa.misc.group": "lup", + "rsa.misc.group_object": "tfugits", + "rsa.misc.node": "ueips", + "rsa.misc.obj_name": "oremcount=utper", + "rsa.misc.obj_type": "lor", + "rsa.misc.policy_id": "umwritt", + "rsa.misc.policy_name": "itame", + "rsa.misc.rule": "elitess", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.4256", + "rsa.misc.vsys": "amqua", + "rsa.network.dinterface": "lo2114", + "rsa.network.host_dst": "obea2960.mail.corp", + "rsa.network.sinterface": "enp0s3792", + "rsa.time.event_time": "2018-06-04T22:44:15.000Z", + "rsa.web.web_cookie": "etdo", + "service.name": "mavenia", + "service.type": "sophos", + "source.ip": [ + "10.33.138.154" + ], + "source.mac": "01:00:5e:a1:a3:9f", + "source.port": 1455, + "tags": [ + "sophos.utm", + "forwarded" + ], + "url.original": "https://www5.example.org/etcons/aecatc.jpg?ditem=tut#oditautf", + "user.name": "eturadip" + }, + { + "@timestamp": "2018-06-19T05:46:49.000Z", + "event.code": "frox", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:6:19-03:46:49 frox[7744]: Listening on 10.99.134.49:2274", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 17056, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 7744, + "related.ip": [ + "10.99.134.49" + ], + "rsa.internal.event_desc": "frox:FTP Proxy listening on port.", + "rsa.internal.messageid": "frox", + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "service.type": "sophos", + "source.ip": [ + "10.99.134.49" + ], + "source.port": 2274, + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2018-07-03T12:49:23.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:7:3-10:49:23 olli5982.www.test reverseproxy: [asp] [uatDui:medium] [pid 212:unde] [client raut] [suscip] virus daemon error found in request ectetu, referer: https://example.com/ariat/ptatemU.txt?cusan=ueipsaq#upid", + "fileset.name": "utm", + "host.name": "olli5982.www.test", + "http.request.referrer": "https://example.com/ariat/ptatemU.txt?cusan=ueipsaq#upid", + "input.type": "log", + "log.level": "medium", + "log.offset": 17118, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 212, + "related.hosts": [ + "olli5982.www.test" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_log": "uatDui", + "rsa.misc.result": "virus daemon error", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "olli5982.www.test" + ], + "rsa.network.gateway": "raut", + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ], + "url.path": "ectetu" + }, + { + "@timestamp": "2018-07-17T19:51:58.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:7:17-17:51:58 nsecte3644.internal.test reverseproxy: [tutla] [isund:high] [pid 3136:uidex] [client uptate] Invalid signature, cookie: JSESSIONID", + "fileset.name": "utm", + "host.name": "nsecte3644.internal.test", + "input.type": "log", + "log.level": "high", + "log.offset": 17338, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 3136, + "related.hosts": [ + "nsecte3644.internal.test" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_log": "isund", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "nsecte3644.internal.test" + ], + "rsa.network.gateway": "uptate", + "rsa.time.event_time": "2018-07-17T19:51:58.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-01T02:54:32.000Z", + "event.code": "confd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:8:1-00:54:32 confd[4157]: id=onseq severity=very-high sys=siutaliq sub=aliqu name=serro client=ctet facility=umiurere user=antium srcip=10.32.85.21 version=1.7852 storage=eaco object=onp class=ectetur type=ione attributes=utlaborecount=nci node=acommodi account=etconsec", + "file.directory": "eaco", + "fileset.name": "utm", + "input.type": "log", + "log.level": "very-high", + "log.offset": 17488, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "observer.version": "1.7852", + "process.pid": 4157, + "related.ip": [ + "10.32.85.21" + ], + "related.user": [ + "antium", + "etconsec" + ], + "rsa.identity.logon_type": "umiurere", + "rsa.internal.event_desc": "serro", + "rsa.internal.messageid": "confd", + "rsa.misc.group_object": "ectetur", + "rsa.misc.node": "acommodi", + "rsa.misc.obj_name": "utlaborecount=nci", + "rsa.misc.obj_type": "ione", + "rsa.misc.severity": "very-high", + "rsa.misc.version": "1.7852", + "rsa.time.event_time": "2018-08-01T02:54:32.000Z", + "service.name": "aliqu", + "service.type": "sophos", + "source.ip": [ + "10.32.85.21" + ], + "tags": [ + "sophos.utm", + "forwarded" + ], + "user.name": "antium" + }, + { + "@timestamp": "2018-08-15T09:57:06.000Z", + "event.code": "sshd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:8:15-07:57:06 econseq7119.www.home sshd: error: Could not get shadow information for NOUSER", + "fileset.name": "utm", + "host.name": "econseq7119.www.home", + "input.type": "log", + "log.offset": 17764, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "econseq7119.www.home" + ], + "rsa.internal.event_desc": "sshd:error:Could not get shadow information for NOUSER", + "rsa.internal.messageid": "sshd", + "rsa.network.alias_host": [ + "econseq7119.www.home" + ], + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2018-08-29T16:59:40.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:8:29-14:59:40 ant2543.www5.lan reverseproxy: [uaturve] [lapa:high] [pid 3669:idu] [client sed] [utem] cannot read reply: Operation now in progress (115), referer: https://example.com/oremagn/ehenderi.htm?mdolo=ionul#oeiusmo", + "fileset.name": "utm", + "host.name": "ant2543.www5.lan", + "http.request.referrer": "https://example.com/oremagn/ehenderi.htm?mdolo=ionul#oeiusmo", + "input.type": "log", + "log.level": "high", + "log.offset": 17861, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 3669, + "related.hosts": [ + "ant2543.www5.lan" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_log": "lapa", + "rsa.misc.result": "Cannot read reply", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "ant2543.www5.lan" + ], + "rsa.network.gateway": "sed", + "rsa.time.event_time": "2018-08-29T16:59:40.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-13T00:02:15.000Z", + "event.action": "accept", + "event.code": "pluto", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:9:12-22:02:15 pluto[7138]: | sent accept notification olore with seqno = urEx", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 18090, + "log.original": "olore", + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 7138, + "rsa.internal.messageid": "pluto", + "rsa.internal.msg": "olore", + "rsa.misc.action": [ + "accept" + ], + "rsa.time.event_time": "2018-09-13T00:02:15.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2018-09-27T07:04:49.000Z", + "destination.address": "nisiuta4810.api.test", + "destination.ip": [ + "10.85.200.58" + ], + "destination.mac": "01:00:5e:b3:e3:90", + "destination.port": 605, + "event.action": "cancel", + "event.code": "httpd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:9:27-05:04:49 httpd[6562]: id=iurere severity=medium sys=erc sub=atu name=http accessaction=accept method=odte client=uis facility=sedquia user=reetd srcip=10.210.175.52 dstip=10.87.14.186 version=1.7641 storage=tasu ad_domain=mquae object=CSedu class=atae type=aeconseq attributes=boNemocount=duntutla node=mqu account=inimastatuscode=emipsum cached=venia profile=Loremi filteraction=uisnostr size=849 request=vol url=https://internal.example.com/ritat/dipi.jpg?aliquide=aliqui#agnaaliq referer=https://api.example.org/Bonorume/emeumfu.txt?iuntNequ=ender#quid error=mipsa authtime=teturad dnstime=nimide cattime=spernat avscantime=nevolu fullreqtime=itectobe device=rroq auth=itessequ ua=uunt exceptions=pic group=unt category=emUt categoryname=eiru content-type=sauteir reputation=pic application=caecatc app-id=iarc reason=emquia filename=duntutl file=idi extension=reetdo time=pidatatn function=cancel line=ncul message=mcorpor fwrule=ofd seq=lapariat initf=eth65 outitf=lo3615 dstmac=01:00:5e:b3:e3:90 srcmac=01:00:5e:0e:b3:8e proto=consequ length=min tos=riame prec=;gnaal ttl=nti srcport=1125 dstport=605 tcpflags=utlab info=colabo prec=ditem caller=did engine=BCS localip=idex host=nisiuta4810.api.test extra=apa server=10.85.200.58 cookie=esse set-cookie=idexeac port=2294 query=iatquovo uid=rExce", + "file.directory": "tasu", + "file.extension": "reetdo", + "file.name": "idi", + "file.size": 849, + "fileset.name": "utm", + "group.name": "unt", + "http.request.referrer": "https://api.example.org/Bonorume/emeumfu.txt?iuntNequ=ender#quid", + "input.type": "log", + "log.level": "medium", + "log.offset": 18173, + "observer.egress.interface.name": "lo3615", + "observer.ingress.interface.name": "eth65", + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "observer.version": "1.7641", + "process.pid": 6562, + "related.hosts": [ + "nisiuta4810.api.test" + ], + "related.ip": [ + "10.85.200.58", + "10.210.175.52" + ], + "related.user": [ + "Loremi", + "rExce", + "reetd", + "inimastatuscode=emipsum" + ], + "rsa.db.index": "apa", + "rsa.identity.logon_type": "sedquia", + "rsa.internal.event_desc": "http", + "rsa.internal.messageid": "httpd", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.action": [ + "cancel", + "odte" + ], + "rsa.misc.comments": "emquia", + "rsa.misc.content_type": "sauteir", + "rsa.misc.context": "colabo", + "rsa.misc.group": "unt", + "rsa.misc.group_object": "atae", + "rsa.misc.node": "mqu", + "rsa.misc.obj_name": "boNemocount=duntutla", + "rsa.misc.obj_type": "aeconseq", + "rsa.misc.policy_id": "ofd", + "rsa.misc.policy_name": "uisnostr", + "rsa.misc.rule": "iurere", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.7641", + "rsa.misc.vsys": "erc", + "rsa.network.dinterface": "lo3615", + "rsa.network.host_dst": "nisiuta4810.api.test", + "rsa.network.network_port": 2294, + "rsa.network.sinterface": "eth65", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "rsa.web.web_cookie": "esse", + "service.name": "atu", + "service.type": "sophos", + "source.ip": [ + "10.210.175.52" + ], + "source.mac": "01:00:5e:0e:b3:8e", + "source.port": 1125, + "tags": [ + "sophos.utm", + "forwarded" + ], + "url.original": "https://internal.example.com/ritat/dipi.jpg?aliquide=aliqui#agnaaliq", + "url.query": "iatquovo", + "user.name": "reetd" + }, + { + "@timestamp": "2018-10-11T14:07:23.000Z", + "destination.ip": [ + "10.115.166.48" + ], + "destination.mac": "01:00:5e:c3:8a:24", + "destination.port": 4884, + "event.code": "ulogd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:10:11-12:07:23 itametc1599.api.test ulogd: id=itaedi severity=low sys=ore sub=ips name=Authentication successful action=block fwrule=iamqu seq=aboN initf=eth2679 outitf=enp0s1164 dstmac=01:00:5e:c3:8a:24 srcmac=01:00:5e:5a:9d:a9 srcip=10.133.45.45 dstip=10.115.166.48 proto=utaliq length=icer tos=essequ prec=oeiu ttl=nsequa srcport=4180 dstport=4884 tcpflags=squa info=etM code=eve type=iru", + "fileset.name": "utm", + "host.name": "itametc1599.api.test", + "input.type": "log", + "log.level": "low", + "log.offset": 19485, + "observer.egress.interface.name": "enp0s1164", + "observer.ingress.interface.name": "eth2679", + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "itametc1599.api.test" + ], + "related.ip": [ + "10.133.45.45", + "10.115.166.48" + ], + "rsa.internal.event_desc": "Authentication", + "rsa.internal.messageid": "ulogd", + "rsa.investigations.ec_activity": "Scan", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "TEV", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.context": "etM", + "rsa.misc.policy_id": "iamqu", + "rsa.misc.rule": "itaedi", + "rsa.misc.severity": "low", + "rsa.misc.vsys": "ore", + "rsa.network.alias_host": [ + "itametc1599.api.test" + ], + "rsa.network.dinterface": "enp0s1164", + "rsa.network.network_service": "ips", + "rsa.network.sinterface": "eth2679", + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "service.type": "sophos", + "source.ip": [ + "10.133.45.45" + ], + "source.mac": "01:00:5e:5a:9d:a9", + "source.port": 4180, + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2018-10-25T21:09:57.000Z", + "event.code": "sshd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:10:25-19:09:57 tiumt5462.mail.localhost sshd: Invalid user admin from runt", + "fileset.name": "utm", + "host.name": "tiumt5462.mail.localhost", + "input.type": "log", + "log.offset": 19882, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "tiumt5462.mail.localhost" + ], + "rsa.internal.event_desc": "sshd:Invalid user admin.", + "rsa.internal.messageid": "sshd", + "rsa.network.alias_host": [ + "tiumt5462.mail.localhost" + ], + "rsa.time.event_time": "2018-10-25T21:09:57.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2018-11-09T04:12:32.000Z", + "event.code": "sshd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:11:9-02:12:32 vol1450.internal.host sshd: Server listening on 10.71.184.162 port 3506.", + "fileset.name": "utm", + "host.name": "vol1450.internal.host", + "input.type": "log", + "log.offset": 19962, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "vol1450.internal.host" + ], + "related.ip": [ + "10.71.184.162" + ], + "rsa.internal.event_desc": "sshd:Server listening; restarting.", + "rsa.internal.messageid": "sshd", + "rsa.network.alias_host": [ + "vol1450.internal.host" + ], + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "service.type": "sophos", + "source.ip": [ + "10.71.184.162" + ], + "source.port": 3506, + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2018-11-23T11:15:06.000Z", + "event.code": "ipsec_starter", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:11:23-09:15:06 ipsec_starter[178]: IP address or index of physical interface changed -> reinit of ipsec interface", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 20054, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 178, + "rsa.internal.event_desc": "ipsec_starter: IP address or index of physical interface changed.", + "rsa.internal.messageid": "ipsec_starter", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-07T18:17:40.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:12:7-16:17:40 rporissu573.api.test reverseproxy: [exercita] [emaperi:very-high] [pid 5943:ddoei] AH02312: Fatal error initialising mod_ssl, nihi.", + "fileset.name": "utm", + "host.name": "rporissu573.api.test", + "input.type": "log", + "log.level": "very-high", + "log.offset": 20173, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 5943, + "related.hosts": [ + "rporissu573.api.test" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.disposition": "nihi", + "rsa.misc.event_id": "AH02312", + "rsa.misc.event_log": "emaperi", + "rsa.misc.result": "Fatal error", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "rporissu573.api.test" + ], + "rsa.time.event_time": "2018-12-07T18:17:40.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2018-12-22T01:20:14.000Z", + "event.action": "allow", + "event.code": "URID", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2018:12:21-23:20:14 nostru774.corp URID: T=tatnonp ------ 1 - [exit] allow: natuserr", + "fileset.name": "utm", + "host.name": "nostru774.corp", + "input.type": "log", + "log.offset": 20324, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "nostru774.corp" + ], + "rsa.internal.messageid": "URID", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.disposition": "natuserr", + "rsa.network.alias_host": [ + "nostru774.corp" + ], + "rsa.time.event_time": "2018-12-22T01:20:14.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-05T08:22:49.000Z", + "event.code": "ipsec_starter", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:1:5-06:22:49 ipsec_starter[6226]: IP address or index of physical interface changed -> reinit of ipsec interface", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 20409, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 6226, + "rsa.internal.event_desc": "ipsec_starter: IP address or index of physical interface changed.", + "rsa.internal.messageid": "ipsec_starter", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-01-19T15:25:23.000Z", + "destination.address": "lorsita2216.www5.example", + "event.code": "httpd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:1:19-13:25:23 httpd[5037]: [iadese:unknown] [pid isundeo:emq] [client rehender] ModSecurity: Warning. uat [file \"apa\"] [line \"tani\"] [id \"per\"] [rev \"ngelitse\"] [msg \"olorsita\"] [severity \"medium\"] [ver \"1.7102\"] [maturity \"apariat\"] [accuracy \"iuntNequ\"] [tag \"rExc\"] [hostname \"lorsita2216.www5.example\"] [uri \"turvelil\"] [unique_id \"velitsed\"]rau", + "file.name": "apa", + "fileset.name": "utm", + "input.type": "log", + "log.level": "medium", + "log.offset": 20527, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "observer.version": "1.7102", + "process.pid": 5037, + "related.hosts": [ + "lorsita2216.www5.example" + ], + "rsa.internal.event_desc": "olorsita", + "rsa.internal.messageid": "httpd", + "rsa.misc.event_log": "iadese", + "rsa.misc.operation_id": "velitsed", + "rsa.misc.result": "unknown", + "rsa.misc.rule": "per", + "rsa.misc.rule_name": "uat", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.7102", + "rsa.network.gateway": "rehender", + "rsa.network.host_dst": "lorsita2216.www5.example", + "rsa.time.event_time": "2019-01-19T15:25:23.000Z", + "rule.name": "uat", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ], + "url.path": "turvelil" + }, + { + "@timestamp": "2019-02-02T22:27:57.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:2:2-20:27:57 sum2208.host reverseproxy: [eir] [nia:medium] [pid 4346:mco] [client ritinvol] [quioffi] mod_avscan_check_file_single_part() called with parameter filename=quamquae", + "file.name": "quamquae", + "fileset.name": "utm", + "host.name": "sum2208.host", + "input.type": "log", + "log.level": "medium", + "log.offset": 20882, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 4346, + "related.hosts": [ + "sum2208.host" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_log": "nia", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "sum2208.host" + ], + "rsa.network.gateway": "ritinvol", + "rsa.time.event_time": "2019-02-02T22:27:57.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-02-17T05:30:32.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:2:17-03:30:32 ore6843.local reverseproxy: [usmodite] [aveniam:medium] [pid 5126:xplicab] [client taev] No signature found, cookie: dictasu", + "fileset.name": "utm", + "host.name": "ore6843.local", + "input.type": "log", + "log.level": "medium", + "log.offset": 21065, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 5126, + "related.hosts": [ + "ore6843.local" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.comments": "No signature on cookie", + "rsa.misc.event_log": "aveniam", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "ore6843.local" + ], + "rsa.network.gateway": "taev", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "destination.ip": [ + "10.177.35.133" + ], + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:3:3-10:33:06 Sedu1610.mail.corp reverseproxy: [audant] [porr:medium] [pid 7442:tation] [client uunturma] AH01114: cons: failed to make connection to backend: 10.177.35.133", + "fileset.name": "utm", + "host.name": "Sedu1610.mail.corp", + "input.type": "log", + "log.level": "medium", + "log.offset": 21209, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 7442, + "related.hosts": [ + "Sedu1610.mail.corp" + ], + "related.ip": [ + "10.177.35.133" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_id": "AH01114", + "rsa.misc.event_log": "porr", + "rsa.misc.result": "Backend connection failed", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "Sedu1610.mail.corp" + ], + "rsa.network.gateway": "uunturma", + "rsa.network.network_service": "cons", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-03-17T19:35:40.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:3:17-17:35:40 corpo6737.example reverseproxy: [officiad] [aliquide:very-high] [pid 6600:errorsi] [client raincidu] [orincidi] cannot connect: failure (111)", + "fileset.name": "utm", + "host.name": "corpo6737.example", + "input.type": "log", + "log.level": "very-high", + "log.offset": 21386, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 6600, + "related.hosts": [ + "corpo6737.example" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_log": "aliquide", + "rsa.misc.result": "failure", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "corpo6737.example" + ], + "rsa.network.gateway": "raincidu", + "rsa.time.event_time": "2019-03-17T19:35:40.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-01T02:38:14.000Z", + "event.code": "pop3proxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:4:1-00:38:14 pop3proxy[6854]: Master started", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 21547, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 6854, + "rsa.internal.event_desc": "pop3proxy:Master started.", + "rsa.internal.messageid": "pop3proxy", + "rsa.time.event_time": "2019-04-01T02:38:14.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "event.code": "pop3proxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:4:15-07:40:49 eratvol314.www.home pop3proxy: Master started", + "fileset.name": "utm", + "host.name": "eratvol314.www.home", + "input.type": "log", + "log.offset": 21597, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "eratvol314.www.home" + ], + "rsa.internal.event_desc": "pop3proxy:Master started.", + "rsa.internal.messageid": "pop3proxy", + "rsa.network.alias_host": [ + "eratvol314.www.home" + ], + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-04-29T16:43:23.000Z", + "destination.address": "seosquir715.local", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:4:29-14:43:23 utemvele1838.mail.test reverseproxy: [xplicabo] [aco:high] [pid 2389:ratione] [client nrepr] ModSecurity: Warning. uipex [file \"alorumw\"] [line \"nibus\"] [id \"eiusmo\"] [msg \"rci\"] [hostname \"seosquir715.local\"] [uri \"ercitati\"] [unique_id \"uiration\"]", + "file.name": "alorumw", + "fileset.name": "utm", + "host.name": "utemvele1838.mail.test", + "input.type": "log", + "log.level": "high", + "log.offset": 21662, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 2389, + "related.hosts": [ + "utemvele1838.mail.test", + "seosquir715.local" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.comments": "rci", + "rsa.misc.event_log": "aco", + "rsa.misc.operation_id": "uiration", + "rsa.misc.result": "high", + "rsa.misc.rule": "eiusmo", + "rsa.misc.rule_name": "uipex", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "utemvele1838.mail.test" + ], + "rsa.network.gateway": "nrepr", + "rsa.network.host_dst": "seosquir715.local", + "rsa.time.event_time": "2019-04-29T16:43:23.000Z", + "rule.name": "uipex", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ], + "url.path": "ercitati" + }, + { + "@timestamp": "2019-05-13T23:45:57.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:5:13-21:45:57 ulapari2656.local reverseproxy: [itessec] [non:very-high] [pid 2237:licaboN] [client nvol] [moenimip] cannot connect: failure (111)", + "fileset.name": "utm", + "host.name": "ulapari2656.local", + "input.type": "log", + "log.level": "very-high", + "log.offset": 21931, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 2237, + "related.hosts": [ + "ulapari2656.local" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_log": "non", + "rsa.misc.result": "failure", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "ulapari2656.local" + ], + "rsa.network.gateway": "nvol", + "rsa.time.event_time": "2019-05-13T23:45:57.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-05-28T06:48:31.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:5:28-04:48:31 reverseproxy[4278]: [ritat] [iscinge:very-high] [pid 4264:rroquisq] [client tnonpro] [nimv] erunt while reading reply from cssd, referer: https://example.org/etcon/ipitlab.gif?utlabore=suscipi#tlabor", + "fileset.name": "utm", + "http.request.referrer": "https://example.org/etcon/ipitlab.gif?utlabore=suscipi#tlabor", + "input.type": "log", + "log.level": "very-high", + "log.offset": 22082, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 4264, + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.disposition": "erunt", + "rsa.misc.event_log": "iscinge", + "rsa.misc.severity": "very-high", + "rsa.network.gateway": "tnonpro", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "event.action": "cancel", + "event.code": "URID", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:6:11-11:51:06 URID[7418]: T=xer ------ 1 - [exit] cancel: onemul", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 22301, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 7418, + "rsa.internal.messageid": "URID", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.disposition": "onemul", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-06-25T20:53:40.000Z", + "event.action": "ips", + "event.code": "pluto", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:6:25-18:53:40 pluto[7201]: | handling event ips for 10.165.217.56 \"econse\" #otamr", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 22371, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 7201, + "related.ip": [ + "10.165.217.56" + ], + "rsa.internal.messageid": "pluto", + "rsa.misc.event_type": "ips", + "rsa.time.event_time": "2019-06-25T20:53:40.000Z", + "service.type": "sophos", + "source.ip": [ + "10.165.217.56" + ], + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:7:10-01:56:14 stla2856.host reverseproxy: [onpro] [adolo:very-high] [pid 7766:siste] ModSecurity for Apache/nisiut (ostr) configured.", + "fileset.name": "utm", + "host.name": "stla2856.host", + "input.type": "log", + "log.level": "very-high", + "log.offset": 22458, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 7766, + "related.hosts": [ + "stla2856.host" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.disposition": "configured", + "rsa.misc.event_log": "adolo", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "stla2856.host" + ], + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:7:24-08:58:48 peri6748.www5.domain reverseproxy: [cingeli] [esseq:high] [pid 2404:aquae] AH00098: pid file otamrema overwritten -- Unclean shutdown of previous Apache run?", + "file.name": "otamrema", + "fileset.name": "utm", + "host.name": "peri6748.www5.domain", + "input.type": "log", + "log.level": "high", + "log.offset": 22597, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 2404, + "related.hosts": [ + "peri6748.www5.domain" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.context": "Unclean shutdown", + "rsa.misc.event_id": "AH00098", + "rsa.misc.event_log": "esseq", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "peri6748.www5.domain" + ], + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-07T18:01:23.000Z", + "event.action": "accept", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:8:7-16:01:23 tnon5442.internal.test reverseproxy: [ive] [tquido:very-high] [pid 6108:taliquip] AH00295: caught accept, ectetu", + "fileset.name": "utm", + "host.name": "tnon5442.internal.test", + "input.type": "log", + "log.level": "very-high", + "log.offset": 22774, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 6108, + "related.hosts": [ + "tnon5442.internal.test" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.disposition": "ectetu", + "rsa.misc.event_id": "AH00295", + "rsa.misc.event_log": "tquido", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "tnon5442.internal.test" + ], + "rsa.time.event_time": "2019-08-07T18:01:23.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-08-22T01:03:57.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:8:21-23:03:57 ariatu2606.www.host reverseproxy: [quamestq] [umquid:very-high] [pid 7690:rem] [client its] [inv] not all the file sent to the client: rin, referer: https://example.org/tation/tutlabo.jpg?amvo=ullamco#tati", + "fileset.name": "utm", + "host.name": "ariatu2606.www.host", + "http.request.referrer": "https://example.org/tation/tutlabo.jpg?amvo=ullamco#tati", + "input.type": "log", + "log.level": "very-high", + "log.offset": 22905, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 7690, + "related.hosts": [ + "ariatu2606.www.host" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.context": "Not all file sent to client", + "rsa.misc.event_log": "umquid", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "ariatu2606.www.host" + ], + "rsa.network.gateway": "its", + "rsa.time.event_time": "2019-08-22T01:03:57.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "destination.ip": [ + "10.248.62.55" + ], + "destination.mac": "01:00:5e:d6:f3:bc", + "destination.port": 4206, + "event.code": "ulogd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:9:5-06:06:31 imv1805.api.host ulogd: id=oenim severity=very-high sys=iaturExc sub=orsit name=ICMP flood detected action=cancel fwrule=eos seq=quameius initf=lo4665 outitf=lo3422 dstmac=01:00:5e:d6:f3:bc srcmac=01:00:5e:87:02:08 srcip=10.96.243.231 dstip=10.248.62.55 proto=ugiat length=quiin tos=apar prec=eleumiur ttl=chite srcport=5632 dstport=4206 tcpflags=tevelit info=etc code=lorem type=temvele", + "fileset.name": "utm", + "host.name": "imv1805.api.host", + "input.type": "log", + "log.level": "very-high", + "log.offset": 23130, + "observer.egress.interface.name": "lo3422", + "observer.ingress.interface.name": "lo4665", + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "imv1805.api.host" + ], + "related.ip": [ + "10.248.62.55", + "10.96.243.231" + ], + "rsa.internal.event_desc": "ICMP", + "rsa.internal.messageid": "ulogd", + "rsa.investigations.ec_activity": "Scan", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "TEV", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.context": "etc", + "rsa.misc.policy_id": "eos", + "rsa.misc.rule": "oenim", + "rsa.misc.severity": "very-high", + "rsa.misc.vsys": "iaturExc", + "rsa.network.alias_host": [ + "imv1805.api.host" + ], + "rsa.network.dinterface": "lo3422", + "rsa.network.network_service": "orsit", + "rsa.network.sinterface": "lo4665", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "service.type": "sophos", + "source.ip": [ + "10.96.243.231" + ], + "source.mac": "01:00:5e:87:02:08", + "source.port": 5632, + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-09-19T15:09:05.000Z", + "destination.ip": [ + "10.132.101.158" + ], + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:9:19-13:09:05 rita600.www5.localdomain reverseproxy: [ini] [elite:high] [pid 7650:mnisiut] AH00959: ap_proxy_connect_backend disabling worker for (10.132.101.158) for cipitlabs", + "fileset.name": "utm", + "host.name": "rita600.www5.localdomain", + "input.type": "log", + "log.level": "high", + "log.offset": 23536, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 7650, + "related.hosts": [ + "rita600.www5.localdomain" + ], + "related.ip": [ + "10.132.101.158" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_id": "AH00959", + "rsa.misc.event_log": "elite", + "rsa.misc.result": "disabling worker", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "rita600.www5.localdomain" + ], + "rsa.time.event_time": "2019-09-19T15:09:05.000Z", + "rsa.time.process_time": "cipitlab", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-03T22:11:40.000Z", + "event.code": "sshd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:10:3-20:11:40 sshd[2014]: Did not receive identification string from rroq", + "fileset.name": "utm", + "input.type": "log", + "log.offset": 23718, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 2014, + "rsa.internal.event_desc": "sshd: Did not receive identification string.", + "rsa.internal.messageid": "sshd", + "rsa.time.event_time": "2019-10-03T22:11:40.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "event.code": "reverseproxy", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:10:18-03:14:14 admini1122.www.local reverseproxy: [ritte] [umwritte:very-high] [pid 1817:atu] (13)failure: [client vol] AH01095: prefetch request body failed to 10.96.193.132:5342 (orumwr) from bori ()", + "fileset.name": "utm", + "host.name": "admini1122.www.local", + "input.type": "log", + "log.level": "very-high", + "log.offset": 23797, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 1817, + "related.hosts": [ + "admini1122.www.local" + ], + "related.ip": [ + "10.96.193.132" + ], + "rsa.internal.messageid": "reverseproxy", + "rsa.misc.event_id": "AH01095", + "rsa.misc.event_log": "umwritte", + "rsa.misc.result": "failure", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "admini1122.www.local" + ], + "rsa.network.gateway": "vol", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "service.type": "sophos", + "source.ip": [ + "10.96.193.132" + ], + "source.port": 5342, + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "event.code": "confd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:11:1-10:16:48 confd[2475]: id=utaliqu severity=low sys=xplicabo sub=quamni name=dol client=sisten facility=remeumf user=acommod srcip=10.96.200.83 version=1.7416 storage=sper object=asia class=roident type=olorem attributes=teursintcount=evelites node=nostr account=lapariat", + "file.directory": "sper", + "fileset.name": "utm", + "input.type": "log", + "log.level": "low", + "log.offset": 24004, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "observer.version": "1.7416", + "process.pid": 2475, + "related.ip": [ + "10.96.200.83" + ], + "related.user": [ + "lapariat", + "acommod" + ], + "rsa.identity.logon_type": "remeumf", + "rsa.internal.event_desc": "dol", + "rsa.internal.messageid": "confd", + "rsa.misc.group_object": "roident", + "rsa.misc.node": "nostr", + "rsa.misc.obj_name": "teursintcount=evelites", + "rsa.misc.obj_type": "olorem", + "rsa.misc.severity": "low", + "rsa.misc.version": "1.7416", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "service.name": "quamni", + "service.type": "sophos", + "source.ip": [ + "10.96.200.83" + ], + "tags": [ + "sophos.utm", + "forwarded" + ], + "user.name": "acommod" + }, + { + "@timestamp": "2019-11-15T19:19:22.000Z", + "event.code": "sshd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:11:15-17:19:22 emvel4391.localhost sshd: Did not receive identification string from quelaud", + "fileset.name": "utm", + "host.name": "emvel4391.localhost", + "input.type": "log", + "log.offset": 24284, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "emvel4391.localhost" + ], + "rsa.internal.event_desc": "sshd: Did not receive identification string.", + "rsa.internal.messageid": "sshd", + "rsa.network.alias_host": [ + "emvel4391.localhost" + ], + "rsa.time.event_time": "2019-11-15T19:19:22.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-11-30T02:21:57.000Z", + "event.code": "confd-sync", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:11:30-00:21:57 confd-sync[5454]: id=smodite severity=high sys=utpersp sub=rnatu name=ico", + "fileset.name": "utm", + "input.type": "log", + "log.level": "high", + "log.offset": 24381, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "process.pid": 5454, + "rsa.internal.event_desc": "ico", + "rsa.internal.messageid": "confd-sync", + "rsa.misc.severity": "high", + "rsa.time.event_time": "2019-11-30T02:21:57.000Z", + "service.name": "rnatu", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "event.code": "sshd", + "event.dataset": "sophos.utm", + "event.module": "sophos", + "event.original": "2019:12:14-07:24:31 untinc5531.www5.test sshd: error: Could not get shadow information for NOUSER", + "fileset.name": "utm", + "host.name": "untinc5531.www5.test", + "input.type": "log", + "log.offset": 24475, + "observer.product": "UTM", + "observer.type": "Firewall", + "observer.vendor": "Sophos", + "related.hosts": [ + "untinc5531.www5.test" + ], + "rsa.internal.event_desc": "sshd:error:Could not get shadow information for NOUSER", + "rsa.internal.messageid": "sshd", + "rsa.network.alias_host": [ + "untinc5531.www5.test" + ], + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "service.type": "sophos", + "tags": [ + "sophos.utm", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/_meta/fields.yml b/x-pack/filebeat/module/sophos/xg/_meta/fields.yml new file mode 100644 index 00000000000..dca81ddc4e6 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/_meta/fields.yml @@ -0,0 +1,940 @@ +- name: sophos + type: group + description: > + fields: + - name: xg + type: group + release: beta + default_field: false + description: > + Module for parsing sophosxg syslog. + fields: + - name: device + type: keyword + description: > + device + + - name: date + type: date + description: > + Date (yyyy-mm-dd) when the event occurred + + - name: timezone + type: keyword + description: > + Time (hh:mm:ss) when the event occurred + + - name: device_name + type: keyword + description: > + Model number of the device + + - name: device_id + type: keyword + description: > + Serial number of the device + + - name: log_id + type: keyword + description: > + Unique 12 characters code (0101011) + + - name: log_type + type: keyword + description: > + Type of event e.g. firewall event + + - name: log_component + type: keyword + description: > + Component responsible for logging e.g. Firewall rule + + - name: log_subtype + type: keyword + description: > + Sub type of event + + - name: hb_health + type: keyword + description: > + Heartbeat status + + - name: priority + type: keyword + description: > + Severity level of traffic + + - name: status + type: keyword + description: > + Ultimate status of traffic – Allowed or Denied + + - name: duration + type: long + description: > + Durability of traffic (seconds) + + - name: fw_rule_id + type: integer + description: > + Firewall Rule ID which is applied on the traffic + + - name: user_name + type: keyword + description: > + user_name + + - name: user_group + type: keyword + description: > + Group name to which the user belongs + + - name: iap + type: keyword + description: > + Internet Access policy ID applied on the traffic + + - name: ips_policy_id + type: integer + description: > + IPS policy ID applied on the traffic + + - name: policy_type + type: keyword + description: > + Policy type applied to the traffic + + - name: appfilter_policy_id + type: integer + description: > + Application Filter policy applied on the traffic + + - name: application_filter_policy + type: integer + description: > + Application Filter policy applied on the traffic + + - name: application + type: keyword + description: > + Application name + + - name: application_name + type: keyword + description: > + Application name + + - name: application_risk + type: keyword + description: > + Risk level assigned to the application + + - name: application_technology + type: keyword + description: > + Technology of the application + + - name: application_category + type: keyword + description: > + Application is resolved by signature or synchronized application + + - name: appresolvedby + type: keyword + description: > + Technology of the application + + - name: app_is_cloud + type: keyword + description: > + Application is Cloud + + - name: in_interface + type: keyword + description: > + Interface for incoming traffic, e.g., Port A + + - name: out_interface + type: keyword + description: > + Interface for outgoing traffic, e.g., Port B + + - name: src_ip + type: ip + description: > + Original source IP address of traffic + + - name: src_mac + type: keyword + description: > + Original source MAC address of traffic + + - name: src_country_code + type: keyword + description: > + Code of the country to which the source IP belongs + + - name: dst_ip + type: ip + description: > + Original destination IP address of traffic + + - name: dst_country_code + type: keyword + description: > + Code of the country to which the destination IP belongs + + - name: protocol + type: keyword + description: > + Protocol number of traffic + + - name: src_port + type: integer + description: > + Original source port of TCP and UDP traffic + + - name: dst_port + type: integer + description: > + Original destination port of TCP and UDP traffic + + - name: icmp_type + type: keyword + description: > + ICMP type of ICMP traffic + + - name: icmp_code + type: keyword + description: > + ICMP code of ICMP traffic + + - name: sent_pkts + type: long + description: > + Total number of packets sent + + - name: received_pkts + type: long + description: > + Total number of packets received + + - name: sent_bytes + type: long + description: > + Total number of bytes sent + + - name: recv_bytes + type: long + description: > + Total number of bytes received + + - name: trans_src_ ip + type: ip + description: > + Translated source IP address for outgoing traffic + + - name: trans_src_port + type: integer + description: > + Translated source port for outgoing traffic + + - name: trans_dst_ip + type: ip + description: > + Translated destination IP address for outgoing traffic + + - name: trans_dst_port + type: integer + description: > + Translated destination port for outgoing traffic + + - name: srczonetype + type: keyword + description: > + Type of source zone, e.g., LAN + + - name: srczone + type: keyword + description: > + Name of source zone + + - name: dstzonetype + type: keyword + description: > + Type of destination zone, e.g., WAN + + - name: dstzone + type: keyword + description: > + Name of destination zone + + - name: dir_disp + type: keyword + description: > + TPacket direction. Possible values:“org”, “reply”, “” + + - name: connevent + type: keyword + description: > + Event on which this log is generated + + - name: conn_id + type: integer + description: > + Unique identifier of connection + + - name: vconn_id + type: integer + description: > + Connection ID of the master connection + + - name: idp_policy_id + type: integer + description: > + IPS policy ID which is applied on the traffic + + - name: idp_policy_name + type: keyword + description: > + IPS policy name i.e. IPS policy name which is applied on the traffic + + - name: signature_id + type: keyword + description: > + Signature ID + + - name: signature_msg + type: keyword + description: > + Signature messsage + + - name: classification + type: keyword + description: > + Signature classification + + - name: rule_priority + type: keyword + description: > + Priority of IPS policy + + - name: platform + type: keyword + description: > + Platform of the traffic. + + - name: category + type: keyword + description: > + IPS signature category. + + - name: target + type: keyword + description: > + Platform of the traffic. + + - name: eventid + type: keyword + description: > + ATP Evenet ID + + - name: ep_uuid + type: keyword + description: > + Endpoint UUID + + - name: threatname + type: keyword + description: > + ATP threatname + + - name: sourceip + type: ip + description: > + Original source IP address of traffic + + - name: destinationip + type: ip + description: > + Original destination IP address of traffic + + - name: login_user + type: keyword + description: > + ATP login user + + - name: eventtype + type: keyword + description: > + ATP event type + + - name: execution_path + type: keyword + description: > + ATP execution path + + - name: av_policy_name + type: keyword + description: > + Malware scanning policy name which is applied on the traffic + + - name: from_email_address + type: keyword + description: > + Sender email address + + - name: to_email_address + type: keyword + description: > + Receipeint email address + + - name: subject + type: keyword + description: > + Email subject + + - name: mailsize + type: integer + description: > + mailsize + + - name: virus + type: keyword + description: > + virus name + + - name: FTP_url + type: keyword + description: > + FTP URL from which virus was downloaded + + - name: FTP_direction + type: keyword + description: > + Direction of FTP transfer: Upload or Download + + - name: filesize + type: integer + description: > + Size of the file that contained virus + + - name: filepath + type: keyword + description: > + Path of the file containing virus + + - name: filename + type: keyword + description: > + File name associated with the event + + - name: ftpcommand + type: keyword + description: > + FTP command used when virus was found + + - name: url + type: keyword + description: > + URL from which virus was downloaded + + - name: domainname + type: keyword + description: > + Domain from which virus was downloaded + + - name: quarantine + type: keyword + description: > + Path and filename of the file quarantined + + - name: src_domainname + type: keyword + description: > + Sender domain name + + - name: dst_domainname + type: keyword + description: > + Receiver domain name + + - name: reason + type: keyword + description: > + Reason why the record was detected as spam/malicious + + - name: referer + type: keyword + description: > + Referer + + - name: spamaction + type: keyword + description: > + Spam Action + + - name: mailid + type: keyword + description: > + mailid + + - name: quarantine_reason + type: keyword + description: > + Quarantine reason + + - name: status_code + type: keyword + description: > + Status code + + - name: override_token + type: keyword + description: > + Override token + + - name: con_id + type: integer + description: > + Unique identifier of connection + + - name: override_authorizer + type: keyword + description: > + Override authorizer + + - name: transactionid + type: keyword + description: > + Transaction ID of the AV scan. + + - name: upload_file_type + type: keyword + description: > + Upload file type + + - name: upload_file_name + type: keyword + description: > + Upload file name + + - name: httpresponsecode + type: long + description: > + code of HTTP response + + - name: user_gp + type: keyword + description: > + Group name to which the user belongs. + + - name: category_type + type: keyword + description: > + Type of category under which website falls + + - name: download_file_type + type: keyword + description: > + Download file type + + - name: exceptions + type: keyword + description: > + List of the checks excluded by web exceptions. + + - name: contenttype + type: keyword + description: > + Type of the content + + - name: override_name + type: keyword + description: > + Override name + + - name: activityname + type: keyword + description: > + Web policy activity that matched and caused the policy result. + + - name: download_file_name + type: keyword + description: > + Download file name + + - name: sha1sum + type: keyword + description: > + SHA1 checksum of the item being analyzed + + - name: message_id + type: keyword + description: > + Message ID + + - name: connid + type: keyword + description: > + Connection ID + + - name: message + type: keyword + description: > + Message + + - name: email_subject + type: keyword + description: > + Email Subject + + - name: file_path + type: keyword + description: > + File path + + - name: dstdomain + type: keyword + description: > + Destination Domain + + - name: file_size + type: integer + description: > + File Size + + - name: transaction_id + type: keyword + description: > + Transaction ID + + - name: website + type: keyword + description: > + Website + + - name: file_name + type: keyword + description: > + Filename + + - name: context_prefix + type: keyword + description: > + Content Prefix + + - name: site_category + type: keyword + description: > + Site Category + + - name: context_suffix + type: keyword + description: > + Context Suffix + + - name: dictionary_name + type: keyword + description: > + Dictionary Name + + - name: action + type: keyword + description: > + Event Action + + - name: user + type: keyword + description: > + User + + - name: context_match + type: keyword + description: > + Context Match + + - name: direction + type: keyword + description: > + Direction + + - name: auth_client + type: keyword + description: > + Auth Client + + - name: auth_mechanism + type: keyword + description: > + Auth mechanism + + - name: connectionname + type: keyword + description: > + Connectionname + + - name: remotenetwork + type: keyword + description: > + remotenetwork + + - name: localgateway + type: keyword + description: > + Localgateway + + - name: localnetwork + type: keyword + description: > + Localnetwork + + - name: connectiontype + type: keyword + description: > + Connectiontype + + - name: oldversion + type: keyword + description: > + Oldversion + + - name: newversion + type: keyword + description: > + Newversion + + - name: ipaddress + type: keyword + description: > + Ipaddress + + - name: client_physical_address + type: keyword + description: > + Client physical address + + - name: client_host_name + type: keyword + description: > + Client host name + + - name: raw_data + type: keyword + description: > + Raw data + + - name: Mode + type: keyword + description: > + Mode + + - name: sessionid + type: keyword + description: > + Sessionid + + - name: starttime + type: date + description: > + Starttime + + - name: remote_ip + type: ip + description: > + Remote IP + + - name: timestamp + type: date + description: > + timestamp + + - name: SysLog_SERVER_NAME + type: keyword + description: > + SysLog SERVER NAME + + - name: backup_mode + type: keyword + description: > + Backup mode + + - name: source + type: keyword + description: > + Source + + - name: server + type: keyword + description: > + Server + + - name: host + type: keyword + description: > + Host + + - name: responsetime + type: long + description: > + Responsetime + + - name: cookie + type: keyword + description: > + cookie + + - name: querystring + type: keyword + description: > + querystring + + - name: extra + type: keyword + description: > + extra + + - name: PHPSESSID + type: keyword + description: > + PHPSESSID + + - name: start_time + type: date + description: > + Start time + + - name: eventtime + type: date + description: > + Event time + + - name: red_id + type: keyword + description: > + RED ID + + - name: branch_name + type: keyword + description: > + Branch Name + + - name: updatedip + type: ip + description: > + updatedip + + - name: idle_cpu + type: float + description: > + idle ## + + - name: system_cpu + type: float + description: > + system + + - name: user_cpu + type: float + description: > + system + + - name: used + type: integer + description: > + used + + - name: unit + type: keyword + description: > + unit + + - name: total_memory + type: integer + description: > + Total Memory + + - name: free + type: integer + description: > + free + + - name: transmittederrors + type: keyword + description: > + transmitted errors + + - name: receivederrors + type: keyword + description: > + received errors + + - name: receivedkbits + type: long + description: > + received kbits + + - name: transmittedkbits + type: long + description: > + transmitted kbits + + - name: transmitteddrops + type: long + description: > + transmitted drops + + - name: receiveddrops + type: long + description: > + received drops + + - name: collisions + type: long + description: > + collisions + + - name: interface + type: keyword + description: > + interface + + - name: Configuration + type: float + description: > + Configuration + + - name: Reports + type: float + description: > + Reports + + - name: Signature + type: float + description: > + Signature + + - name: Temp + type: float + description: > + Temp + + - name: users + type: keyword + description: > + users + + - name: ssid + type: keyword + description: > + ssid + + - name: ap + type: keyword + description: > + ap + + - name: clients_conn_ssid + type: keyword + description: > + clients connection ssid diff --git a/x-pack/filebeat/module/sophos/xg/config/config.yml b/x-pack/filebeat/module/sophos/xg/config/config.yml new file mode 100644 index 00000000000..86c12e9ec08 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/config/config.yml @@ -0,0 +1,40 @@ +{{ if eq .input "tcp" }} + +type: tcp +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ else if eq .input "udp" }} + +type: udp +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} + +exclude_files: [".gz$"] + +{{ end }} + +tags: {{ .tags | tojson }} + +processors: + - add_locale: ~ + - add_fields: + target: '' + fields: + ecs.version: 1.5.0 + - add_fields: + target: '_conf' + fields: + default: {{ .default_host_name | printf "%q" }} + mappings: +{{ range $i, $entry := .known_devices }} + - serial: {{$entry.serial_number | printf "%q"}} + hostname: {{$entry.hostname | printf "%q"}} +{{ end }} + diff --git a/x-pack/filebeat/module/sophos/xg/ingest/antispam.yml b/x-pack/filebeat/module/sophos/xg/ingest/antispam.yml new file mode 100644 index 00000000000..dc58149d7c7 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/antispam.yml @@ -0,0 +1,240 @@ +description: Pipeline for parsing sophos firewall logs (cfilter pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + ignore_empty_value: true +- set: + field: event.outcome + value: success + ignore_empty_value: true +- set: + field: event.kind + value: alert + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.category + value: malware + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.category + value: intrusion_detection + if: "ctx.sophos?.xg?.message_id == '13012'" +- append: + field: event.category + value: network +- append: + field: event.type + value: + - allowed + - connection + if: '["13003", "13007", "13008", "13010", "13013", "14003", "15003", "18035"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.type + value: + - info + - denied + - connection + if: '["13001", "13002", "13004", "13005", "13006", "13009", "13012", "13014", "14001", "14002", "15001", "15002"].contains(ctx.sophos?.xg?.message_id)' + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophos.xg.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + ignore_empty_value: true +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + ignore_empty_value: true +- convert: + field: server.port + type: long + ignore_failure: true + ignore_missing: true +- convert: + field: sophos.xg.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.recv_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + ignore_empty_value: true +- convert: + field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- rename: + field: sophos.xg.to_email_address + target_field: destination.user.email + ignore_missing: true + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true +- set: + field: client.ip + value: '{{source.ip}}' + ignore_empty_value: true +- convert: + field: sophos.xg.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + ignore_empty_value: true +- convert: + field: client.port + type: long + ignore_failure: true + ignore_missing: true +- convert: + field: sophos.xg.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.sent_bytes != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + ignore_empty_value: true +- convert: + field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- rename: + field: sophos.xg.from_email_address + target_field: source.user.email + ignore_missing: true +- rename: + field: sophos.xg.src_domainname + target_field: source.domain + ignore_missing: true + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +############# +## Cleanup ## +############# +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.recv_bytes + - sophos.xg.src_port + - sophos.xg.sent_bytes + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophos/xg/ingest/antivirus.yml b/x-pack/filebeat/module/sophos/xg/ingest/antivirus.yml new file mode 100644 index 00000000000..bb2548bf941 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/antivirus.yml @@ -0,0 +1,346 @@ +description: Pipeline for parsing sophos firewall logs (antivirus pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: alert +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophos?.xg?.log_subtype != null" +- append: + field: event.category + value: + - malware + - network + if: "ctx.sophos?.xg?.log_subtype == 'Virus'" +- append: + field: event.type + value: + - info + - denied + - connection + if: "ctx.sophos?.xg?.log_subtype == 'Virus'" +- set: + field: event.kind + value: event + if: '["09002"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.type + value: + - allowed + - connection + if: '["09002"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.category + value: network + if: '["09002"].contains(ctx.sophos?.xg?.message_id)' +- rename: + field: sophos.xg.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophos.xg.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: sophos.xg.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.recv_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- rename: + field: sophos.xg.to_email_address + target_field: destination.user.email + ignore_missing: true + if: "ctx.sophos?.xg?.to_email_address != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- convert: + field: sophos.xg.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: sophos.xg.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.sent_bytes != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- rename: + field: sophos.xg.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_name != null" +- rename: + field: sophos.xg.from_email_address + target_field: source.user.email + ignore_missing: true + if: "ctx.sophos?.xg?.from_email_address != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: sophos.xg.fw_rule_id + target_field: rule.id + ignore_missing: true + if: "ctx.rule?.id == null" + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: sophos.xg.url + target_field: url.original + ignore_missing: true + if: "ctx.sophos?.xg?.url != null" +- rename: + field: sophos.xg.domainname + target_field: url.domain + ignore_missing: true + if: "ctx.sophos?.xg?.domainname != null" +- rename: + field: sophos.xg.dst_domainname + target_field: url.domain + ignore_missing: true + if: "ctx.sophos?.xg?.dst_domainname != null && ctx?.url?.domain == null" +- rename: + field: sophos.xg.src_domainname + target_field: url.domain + ignore_missing: true + if: "ctx.sophos?.xg?.src_domainname != null" + +############################ +## ECS User Agent Mapping ## +############################ +- rename: + field: sophos.xg.user_agent + target_field: user_agent.original + ignore_missing: true + if: "ctx.sophos?.xg?.user_agent != null" +- convert: + field: sophos.xg.status_code + target_field: http.response.status_code + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.status_code != null" + +###################### +## ECS File Mapping ## +###################### +- rename: + field: sophos.xg.filename + target_field: file.name + ignore_missing: true + if: "ctx.sophos?.xg?.filename != null" +- convert: + field: sophos.xg.file_size + target_field: file.size + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.file_size != null" +- rename: + field: sophos.xg.file_path + target_field: file.directory + ignore_missing: true + if: "ctx.sophos?.xg?.file_path != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophos?.xg?.protocol != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- lowercase: + field: event.info + ignore_failure: true +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.src_port + - sophos.xg.recv_bytes + - sophos.xg.sent_bytes + - sophos.xg.status_code + - sophos.xg.file_size + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophos/xg/ingest/atp.yml b/x-pack/filebeat/module/sophos/xg/ingest/atp.yml new file mode 100644 index 00000000000..df6ed8b35ca --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/atp.yml @@ -0,0 +1,242 @@ +description: Pipeline for parsing sophos firewall logs (atp pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: alert +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophos?.xg?.log_subtype != null" +- append: + field: event.category + value: + - intrusion_detection + - network + if: '["18009", "18010"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.type + value: + - denied + - connection + if: '["18009", "18010"].contains(ctx.sophos?.xg?.message_id)' +- rename: + field: sophos.xg.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" +- rename: + field: sophos.xg.eventid + target_field: event.id + ignore_missing: true + if: "ctx.sophos?.xg?.eventid != null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophos.xg.destinationip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.destinationip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophos.xg.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.sourceip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- convert: + field: sophos.xg.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- rename: + field: sophos.xg.user_name + target_field: source.user.name + ignore_missing: true + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: sophos.xg.url + target_field: url.original + ignore_missing: true + if: "ctx.sophos?.xg?.url != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophos?.xg?.protocol != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- lowercase: + field: network.protocol + ignore_failure: true +- lowercase: + field: network.transport + ignore_failure: true +- lowercase: + field: event.action + ignore_failure: true +- lowercase: + field: event.info + ignore_failure: true +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.src_port + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophos/xg/ingest/cfilter.yml b/x-pack/filebeat/module/sophos/xg/ingest/cfilter.yml new file mode 100644 index 00000000000..a9dedb4070f --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/cfilter.yml @@ -0,0 +1,272 @@ +description: Pipeline for parsing sophos firewall logs (cfilter pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.kind + value: alert + if: 'ctx.sophos?.xg?.log_subtype == "Denied"' +- append: + field: event.category + value: + - malware + - network + if: 'ctx.sophos?.xg?.log_subtype == "Denied"' +- append: + field: event.category + value: network + if: "ctx.sophos?.xg?.log_subtype != 'Denied'" +- append: + field: event.type + value: + - allowed + - connection + if: '["Allowed", "Warned"].contains(ctx.sophos?.xg?.log_subtype)' +- append: + field: event.type + value: + - info + - denied + - connection + if: "ctx.sophos?.xg?.log_subtype == 'Denied'" +- rename: + field: sophos.xg.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophos.xg.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- convert: + field: sophos.xg.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- rename: + field: sophos.xg.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_name != null" +- rename: + field: sophos.xg.user_gp + target_field: source.user.group.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_gp != null" + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: sophos.xg.url + target_field: url.full + ignore_missing: true + if: "ctx.sophos?.xg?.url != null" +- rename: + field: sophos.xg.domain + target_field: url.domain + ignore_missing: true + if: "ctx.sophos?.xg?.domain != null" + +############################ +## ECS User Agent Mapping ## +############################ +- rename: + field: sophos.xg.referer + target_field: http.request.referrer + ignore_missing: true + if: "ctx.sophos?.xg?.referer != null" +- rename: + field: sophos.xg.status_code + target_field: http.response.status_code + ignore_missing: true + if: "ctx.sophos?.xg?.status_code != null" +- rename: + field: sophos.xg.user_agent + target_field: user_agent.original + ignore_missing: true + if: "ctx.sophos?.xg?.user_agent != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophos?.xg?.protocol != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- lowercase: + field: network.protocol + ignore_failure: true +- lowercase: + field: network.transport + ignore_failure: true +- lowercase: + field: event.action + ignore_failure: true +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.src_port + - sophos.xg.recv_bytes + - sophos.xg.sent_bytes + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophos/xg/ingest/event.yml b/x-pack/filebeat/module/sophos/xg/ingest/event.yml new file mode 100644 index 00000000000..2565434a6f0 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/event.yml @@ -0,0 +1,273 @@ +description: Pipeline for parsing sophos firewall logs (event pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: 'ctx?.sophos?.xg?.log_subtype == "Authentication" && ctx?.sophos?.xg?.status == "Successful"' +- set: + field: event.outcome + value: failure + if: 'ctx?.sophos?.xg?.log_subtype == "Authentication" && ctx?.sophos?.xg?.status == "Failed"' +- set: + field: event.outcome + value: success + if: 'ctx?.sophos?.xg?.log_subtype == "Admin" && ctx?.sophos?.xg?.status == "Successful" && ctx?.sophos?.xg?.message_id == "17507"' +- set: + field: event.outcome + value: failure + if: 'ctx?.sophos?.xg?.log_subtype == "Admin" && ctx?.sophos?.xg?.status == "Failed" && ctx?.sophos?.xg?.message_id == "17507"' +- append: + field: event.type + value: + - user + - start + if: "['17701', '17704', '17707', '17710', '17713'].contains(ctx.sophos?.xg?.message_id)" +- append: + field: event.type + value: + - user + - end + if: "['17703', '17706', '17709', '17712', '17715'].contains(ctx.sophos?.xg?.message_id)" +- append: + field: event.type + value: connection + if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophos?.xg?.auth_client)" +- append: + field: event.category + value: network + if: "['SSLVPN', 'IPSec', 'Thin Client', 'Radius SSO'].contains(ctx.sophos?.xg?.auth_client)" +- append: + field: event.category + value: authentication + if: 'ctx?.sophos?.xg?.log_subtype == "Authentication"' +- append: + field: event.type + value: info + if: 'ctx?.sophos?.xg?.message_id == "17819"' +- append: + field: event.category + value: + - host + - malware + if: 'ctx?.sophos?.xg?.message_id == "17819"' +- rename: + field: sophos.xg.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophos.xg.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.dst_ip != null" +- rename: + field: sophos.xg.localinterfaceip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.localinterfaceip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophos.xg.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.recv_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- rename: + field: sophos.xg.remoteinterfaceip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.remoteinterfaceip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: sophos.xg.src_mac + target_field: source.mac + ignore_missing: true + if: "ctx.sophos?.xg?.src_mac != null" +- set: + field: client.mac + value: '{{source.mac}}' + if: "ctx.source?.mac != null" +- convert: + field: sophos.xg.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.sent_bytes != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- rename: + field: sophos.xg.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_name != null" +- set: + field: source.user.name + value: '{{sophos.xg.name}}' + if: "ctx.sophos?.xg?.name != null" +- rename: + field: sophos.xg.usergroupname + target_field: source.user.group.name + ignore_missing: true + if: "ctx.sophos?.xg?.usergroupname != null" + +######################### +## ECS Message Mapping ## +######################### +- rename: + field: sophos.xg.message + target_field: message + ignore_missing: true + +############################# +## ECS Network/Geo Mapping ## +############################# +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.recv_bytes + - sophos.xg.src_port + - sophos.xg.sent_bytes + - sophos.xg.name + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' + diff --git a/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml b/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml new file mode 100644 index 00000000000..193af05b836 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/firewall.yml @@ -0,0 +1,444 @@ +description: Pipeline for parsing sophos firewall logs (firewall pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.kind + value: alert + if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.category + value: intrusion_detection + if: '["03001", "05001", "05151", "00003", "00004"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.category + value: network +- append: + field: event.type + value: + - start + - allowed + - connection + if: "['Start', 'Interim'].contains(ctx.sophos?.xg?.connevent)" +- append: + field: event.type + value: + - end + - allowed + - connection + if: "ctx.sophos?.xg?.connevent == 'Stop'" +- append: + field: event.type + value: + - denied + - connection + if: "ctx.sophos?.xg?.status == 'Deny'" +- rename: + field: sophos.xg.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophos.xg.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- rename: + field: sophos.xg.tran_dst_ip + target_field: destination.nat.ip + ignore_missing: true + if: "ctx.sophos?.xg?.tran_dst_ip != null" +- rename: + field: sophos.xg.destinationip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.destinationip !=null" +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" +- convert: + field: sophos.xg.tran_dst_port + target_field: destination.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.tran_dst_port != null" +- set: + field: server.nat.port + value: '{{destination.nat.port}}' + if: "ctx.destination?.nat?.port != null" +- convert: + field: server.nat.port + target_field: server.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.nat?.port != null" +- rename: + field: sophos.xg.dst_mac + target_field: destination.mac + ignore_missing: true + if: "ctx.sophos?.xg?.dst_mac != null" +- set: + field: server.mac + value: '{{destination.mac}}' + if: "ctx.destination?.mac != null" +- convert: + field: sophos.xg.recv_bytes + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.recv_bytes != null" +- set: + field: server.bytes + value: '{{destination.bytes}}' + if: "ctx.destination?.bytes != null" +- convert: + field: server.bytes + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.bytes != null" +- convert: + field: sophos.xg.recv_pkts + target_field: destination.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.recv_pkts !=null" +- set: + field: server.packets + value: '{{destination.packets}}' + if: "ctx.destination?.packets != null" +- convert: + field: server.packets + target_field: server.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.packets != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: sophos.xg.tran_src_ip + target_field: source.nat.ip + ignore_missing: true + if: "ctx.sophos?.xg?.tran_src_ip != null" +- rename: + field: sophos.xg.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.sourceip != null" +- convert: + field: sophos.xg.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- convert: + field: sophos.xg.tran_src_port + target_field: source.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.tran_src_port != null" +- set: + field: client.nat.port + value: '{{source.nat.port}}' + if: "ctx.source?.nat?.port != null" +- convert: + field: client.nat.port + target_field: client.nat.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.nat?.port != null" +- rename: + field: sophos.xg.src_mac + target_field: source.mac + ignore_missing: true + if: "ctx.sophos?.xg?.src_mac != null" +- set: + field: client.mac + value: '{{source.mac}}' + if: "ctx.source?.mac != null" +- convert: + field: sophos.xg.sent_bytes + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.sent_bytes != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- trim: + field: sophos.xg.sent_pkts +- convert: + field: sophos.xg.sent_pkts + target_field: source.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.sent_pkts != null" +- set: + field: client.packets + value: '{{source.packets}}' + if: "ctx.source?.packets != null" +- convert: + field: client.packets + target_field: client.packets + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.packets != null" +- rename: + field: sophos.xg.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_name != null" +- rename: + field: sophos.xg.user_gp + target_field: source.user.group.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_gp != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: sophos.xg.fw_rule_id + target_field: rule.id + ignore_missing: true + if: "ctx.rule?.id == null" +- rename: + field: sophos.xg.policy_type + target_field: rule.ruleset + ignore_missing: true + if: "ctx.sophos?.xg?.policy_type != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophos.xg.application + target_field: network.protocol + ignore_missing: true + if: "ctx.sophos?.xg?.application != null" +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophos?.xg?.protocol != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" + ignore_failure: true +- script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" + if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" + ignore_failure: true +- set: + field: network.direction + value: inbound + if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.egress?.zone) && ctx?.observer?.ingress?.zone == 'WAN'" +- set: + field: network.direction + value: outbound + if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.ingress?.zone) && ctx?.observer?.egress?.zone == 'WAN'" +- set: + field: network.direction + value: internal + if: "['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.ingress?.zone) && ['LAN', 'DMZ', 'VPN', 'WiFi'].contains(ctx?.observer?.egress?.zone)" + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.ip + value: '{{source.nat.ip}}' + if: 'ctx?.source?.nat?.ip != null' +- append: + field: related.ip + value: '{{destination.nat.ip}}' + if: 'ctx?.destination?.nat?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- lowercase: + field: network.protocol + ignore_failure: true +- lowercase: + field: network.transport + ignore_failure: true +- lowercase: + field: event.action + ignore_failure: true +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.tran_dst_port + - sophos.xg.recv_bytes + - sophos.xg.recv_pkts + - sophos.xg.src_port + - sophos.xg.tran_src_port + - sophos.xg.sent_bytes + - sophos.xg.sent_pkts + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophos/xg/ingest/idp.yml b/x-pack/filebeat/module/sophos/xg/ingest/idp.yml new file mode 100644 index 00000000000..f10f964eb13 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/idp.yml @@ -0,0 +1,238 @@ +description: Pipeline for parsing sophos firewall logs (ipd pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: alert +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophos?.xg?.log_subtype != null" +- append: + field: event.category + value: + - intrusion_detection + - network + if: '["06001", "06002", "07001", "07002"].contains(ctx.sophos?.xg?.message_id)' +- append: + field: event.type + value: + - denied + - connection + if: '["06001", "06002", "07001", "07002"].contains(ctx.sophos?.xg?.message_id)' +- rename: + field: sophos.xg.log_id + target_field: event.code + ignore_missing: true + if: "ctx.sophos?.xg?.log_id != null" + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophos.xg.dst_ip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.dst_ip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophos.xg.dst_port + target_field: destination.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.dst_port != null" +- set: + field: server.port + value: '{{destination.port}}' + if: "ctx.destination?.port != null" +- convert: + field: server.port + target_field: server.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.server?.port != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- convert: + field: sophos.xg.src_port + target_field: source.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.src_port != null" +- set: + field: client.port + value: '{{source.port}}' + if: "ctx.source?.port != null" +- convert: + field: client.port + target_field: client.port + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.port != null" +- rename: + field: sophos.xg.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_name != null" + +###################### +## ECS Rule Mapping ## +###################### +- rename: + field: sophos.xg.signature_id + target_field: rule.id + ignore_missing: true + if: "ctx.sophos?.xg?.signature_id != null" +- rename: + field: sophos.xg.signature_msg + target_field: rule.name + ignore_missing: true + if: "ctx.sophos?.xg?.signature_msg != null" +- rename: + field: sophos.xg.classification + target_field: rule.category + ignore_missing: true + if: "ctx.sophos?.xg?.classification != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- rename: + field: sophos.xg.protocol + target_field: network.transport + ignore_missing: true + if: "ctx.sophos?.xg?.protocol != null" +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + +######################### +## ECS Related Mapping ## +######################### +- append: + if: 'ctx?.source?.ip != null' + field: related.ip + value: + - '{{source.ip}}' +- append: + if: 'ctx?.destination?.ip != null' + field: related.ip + value: + - '{{destination.ip}}' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- lowercase: + field: network.protocol + ignore_failure: true +- lowercase: + field: event.action + ignore_failure: true +- lowercase: + field: event.info + ignore_failure: true +- remove: + field: + - sophos.xg.dst_port + - sophos.xg.src_port + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml b/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml new file mode 100644 index 00000000000..8102bb92514 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/pipeline.yml @@ -0,0 +1,260 @@ +description: Pipeline for parsing sophosxg firewall logs +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- grok: + field: message + patterns: + - '%{SYSLOG5424PRI}%{GREEDYDATA:log.original}$' + +# optimize fields / strings in log.original for KV processor +- gsub: + field: log.original + pattern: "clients_conn_SSID" + replacement: 'clients_conn_ssid' + +# split Sophos-XG fields +- kv: + field: log.original + field_split: " (?=[a-z0-9\\_\\-]+=)" + value_split: "=" + prefix: "sophos.xg." + ignore_missing: true + ignore_failure: false + trim_value: "\"" + +# Parse the date +- set: + field: _temp_.time + value: "{{sophos.xg.date}} {{sophos.xg.time}}" +- date: + if: "ctx.event.timezone == null" + field: _temp_.time + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss Z + - yyyy-MM-dd HH:mm:ss z + - ISO8601 +- date: + if: "ctx.event.timezone != null" + timezone: "{{ event.timezone }}" + field: _temp_.time + target_field: "@timestamp" + formats: + - yyyy-MM-dd HH:mm:ss + - yyyy-MM-dd HH:mm:ss Z + - yyyy-MM-dd HH:mm:ss z + - ISO8601 + +# Sets starts, end and duration when start and duration is known +- script: + lang: painless + if: ctx?.sophos?.xg?.duration != null + source: >- + ctx.event.duration = Integer.parseInt(ctx.sophos.xg.duration) * 1000000000L; + ctx.event.start = ctx['@timestamp']; + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS); + +# Removes all empty fields +- script: + lang: painless + params: + values: + - "" + - "-" + - "N/A" + source: >- + ctx?.sophos?.xg.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.module + value: sophos +- set: + field: event.dataset + value: sophos.xg +- set: + field: event.severity + value: "{{sophos.xg.log_id}}" +- rename: + field: log.original + target_field: event.original + ignore_missing: true + +# extract from event_severity from log_id, example: 010101600001" +- gsub: + field: event.severity + pattern: "(^.{1,6})" + replacement: "" +- gsub: + field: event.severity + pattern: "(.{1,5}$)" + replacement: "" + +##################### +## ECS Log Mapping ## +##################### +- set: + field: "log.level" + if: "ctx.event.severity == '0' " + value: unknown +- set: + field: "log.level" + if: "ctx.event.severity == '1' " + value: alert +- set: + field: "log.level" + if: "ctx.event.severity == '2' " + value: critical +- set: + field: "log.level" + if: "ctx.event.severity == '3' " + value: error +- set: + field: "log.level" + if: "ctx.event.severity == '4' " + value: warning +- set: + field: "log.level" + if: "ctx.event.severity == '5' " + value: notification +- set: + field: "log.level" + if: "ctx.event.severity == '6' " + value: informational +- set: + field: "log.level" + if: "ctx.event.severity == '7' " + value: debug + +########################## +## ECS Observer Mapping ## +########################## +- set: + field: observer.vendor + value: Sophos +- set: + field: observer.product + value: XG +- set: + field: observer.type + value: firewall +- rename: + field: sophos.xg.device_id + target_field: observer.serial_number + ignore_missing: true +- rename: + field: sophos.xg.out_interface + target_field: observer.egress.interface.name + ignore_missing: true +- rename: + field: sophos.xg.in_interface + target_field: observer.ingress.interface.name + ignore_missing: true +- rename: + field: sophos.xg.srczonetype + target_field: observer.ingress.zone + ignore_missing: true +- rename: + field: sophos.xg.dstzonetype + target_field: observer.egress.zone + ignore_missing: true + +# extract from log_id the new field "sophos.xg.message_id" +- set: + field: sophos.xg.message_id + value: "{{sophos.xg.log_id}}" + ignore_empty_value: true +- gsub: + field: sophos.xg.message_id + pattern: "(^.{1,7})" + replacement: "" + ignore_failure: true +- rename: + field: sophos.xg.log_id + target_field: event.code + ignore_missing: true + +################### +## Set host.name ## +################### +- script: + lang: painless + if: ctx?.observer?.serial_number != null + source: >- + def conf = ctx['_conf']; + if (conf == null) return; + def serial = ctx.observer.serial_number; + def name = conf['default']; + for (def item : conf.mappings) { + if (item.serial == serial) { + name = item.hostname; + break; + } + } + ctx["host"]["name"] = name; + +############# +## Cleanup ## +############# +- remove: + field: + - message + - _temp_ + - _conf + - sophos.xg.date + - sophos.xg.time + - sophos.xg.duration + - sophos.xg.timezone + - sophos.xg.dir_disp + - sophos.xg.srczone + - sophos.xg.dstzone + - syslog5424_pri + ignore_missing: true + +############################### +## Product Speific Pipelines ## +############################### +- pipeline: + name: '{< IngestPipeline "firewall" >}' + if: "ctx.sophos?.xg?.log_type == 'Firewall'" +- pipeline: + name: '{< IngestPipeline "idp" >}' + if: "ctx.sophos?.xg?.log_type == 'IDP'" +- pipeline: + name: '{< IngestPipeline "atp" >}' + if: "ctx.sophos?.xg?.log_type == 'ATP'" +- pipeline: + name: '{< IngestPipeline "antivirus" >}' + if: "ctx.sophos?.xg?.log_type == 'Anti-Virus'" +- pipeline: + name: '{< IngestPipeline "sandstorm" >}' + if: "ctx.sophos?.xg?.log_type == 'Sandbox'" +- pipeline: + name: '{< IngestPipeline "cfilter" >}' + if: "ctx.sophos?.xg?.log_type == 'Content Filtering'" +- pipeline: + name: '{< IngestPipeline "event" >}' + if: "ctx.sophos?.xg?.log_type == 'Event'" +- pipeline: + name: '{< IngestPipeline "waf" >}' + if: "ctx.sophos?.xg?.log_type == 'WAF'" +- pipeline: + name: '{< IngestPipeline "antispam" >}' + if: "ctx.sophos?.xg?.log_type == 'Anti-Spam'" +- pipeline: + name: '{< IngestPipeline "systemhealth" >}' + if: "ctx.sophos?.xg?.log_type == 'System Health'" +- pipeline: + name: '{< IngestPipeline "wifi" >}' + if: "ctx.sophos?.xg?.log_type == 'Wireless Protection'" + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophos/xg/ingest/sandstorm.yml b/x-pack/filebeat/module/sophos/xg/ingest/sandstorm.yml new file mode 100644 index 00000000000..dce06fd1776 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/sandstorm.yml @@ -0,0 +1,128 @@ +description: Pipeline for parsing sophos firewall logs (sandbox pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: "{{sophos.xg.log_subtype}}" + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.outcome + value: success + if: "ctx.sophos?.xg?.log_subtype != null" +- set: + field: event.kind + value: alert + if: 'ctx.sophos?.xg?.log_subtype == "Denied"' +- append: + field: event.category + value: + - malware + - network + if: 'ctx.sophos?.xg?.log_subtype == "Denied"' +- append: + field: event.category + value: network + if: "ctx.sophos?.xg?.log_subtype != 'Denied'" +- append: + field: event.type + value: allowed + if: "['Allowed'].contains(ctx.sophos?.xg?.log_subtype)" +- append: + field: event.type + value: + - start + - connection + if: "['pending'].contains(ctx.sophos?.xg?.reason)" +- append: + field: event.type + value: + - end + - connection + if: "ctx.sophos?.xg?.reason == 'eligible'" +- append: + field: event.type + value: + - denied + - connection + if: "ctx.sophos?.xg?.log_subtype == 'Denied'" +- rename: + field: sophos.xg.log_id + target_field: event.code + ignore_missing: true + if: "ctx.event?.code == null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophos.xg.src_ip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.src_ip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- rename: + field: sophos.xg.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_name != null" + +###################### +## ECS File Mapping ## +###################### +- rename: + field: sophos.xg.filename + target_field: file.name + ignore_missing: true + if: "ctx.sopho?.xg?.filename != null" +- convert: + field: sophos.xg.filesize + target_field: file.size + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.filesize != null" +- rename: + field: sophos.xg.filetype + target_field: file.mime_type + ignore_missing: true + if: "ctx.sophos?.xg?.filetype != null" +- rename: + field: sophos.xg.sha1sum + target_field: file.hash.sha1 + ignore_missing: true + if: "ctx.sophos?.xg?.sha1sum != null" + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx.source?.ip != null" +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" +- append: + field: related.hash + value: "{{file.hash.sha1}}" + if: "ctx.file?.hash?.sha1 != null" +- remove: + field: + - sophos.xg.filesize + ignore_missing: true +############# +## Cleanup ## +############# +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophos/xg/ingest/waf.yml b/x-pack/filebeat/module/sophos/xg/ingest/waf.yml new file mode 100644 index 00000000000..3cbf1383467 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/waf.yml @@ -0,0 +1,275 @@ +description: Pipeline for parsing sophos firewall logs (waf pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.action + value: allowed + if: 'ctx.sophos?.xg?.reason == "-"' +- set: + field: event.action + value: denied + if: 'ctx.sophos?.xg?.reason != "-"' +- set: + field: event.outcome + value: success + if: "ctx.sophos?.xg?.reason != null" +- set: + field: event.kind + value: alert + if: 'ctx.sophos?.xg?.reason != "-"' +- append: + field: event.category + value: + - malware + - network + if: 'ctx.sophos?.xg?.reason == "Antivirus"' +- append: + field: event.category + value: + - intrusion_detection + - network + if: "ctx.sophos?.xg?.reason != 'Antivirus' && ctx.sophos?.xg?.reason != '-'" +- append: + field: event.type + value: + - allowed + - connection + if: 'ctx.sophos?.xg?.reason == "-"' +- append: + field: event.type + value: + - denied + - connection + if: 'ctx.sophos?.xg?.reason != "-"' + +#################################### +## ECS Server/Destination Mapping ## +#################################### +- rename: + field: sophos.xg.localip + target_field: destination.ip + ignore_missing: true + if: "ctx.sophos?.xg?.localip != null" +- set: + field: server.ip + value: '{{destination.ip}}' + if: "ctx.destination?.ip != null" +- convert: + field: sophos.xg.bytessent + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.bytessent != null" +- convert: + field: sophos.xg.bytessent + target_field: server.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.bytessent != null" + +############################### +## ECS Client/Source Mapping ## +############################### +- rename: + field: sophos.xg.sourceip + target_field: source.ip + ignore_missing: true + if: "ctx.sophos?.xg?.sourceip != null" +- set: + field: client.ip + value: '{{source.ip}}' + if: "ctx.source?.ip != null" +- convert: + field: sophos.xg.bytesrcv + target_field: source.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.bytesrcv != null" +- set: + field: client.bytes + value: '{{source.bytes}}' + if: "ctx.source?.bytes != null" +- convert: + field: client.bytes + target_field: client.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.client?.bytes != null" +- rename: + field: sophos.xg.user_name + target_field: source.user.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_name != null" +- rename: + field: sophos.xg.user_gp + target_field: source.user.group.name + ignore_missing: true + if: "ctx.sophos?.xg?.user_gp != null" + +##################### +## ECS URL Mapping ## +##################### +- rename: + field: sophos.xg.url + target_field: url.full + ignore_missing: true + if: "ctx.sophos?.xg?.url != null" +- rename: + field: sophos.xg.domain + target_field: url.domain + ignore_missing: true + if: "ctx.sophos?.xg?.domain != null" + +############################ +## ECS User Agent Mapping ## +############################ +- rename: + field: sophos.xg.referer + target_field: http.request.referrer + ignore_missing: true + if: "ctx.sophos?.xg?.referer != null" +- convert: + field: sophos.xg.httpstatus + target_field: destination.bytes + type: long + ignore_failure: true + ignore_missing: true + if: "ctx.sophos?.xg?.httpstatus != null" +- rename: + field: sophos.xg.method + target_field: http.request.method + ignore_missing: true + if: "ctx.sophos?.xg?.method != null" +- rename: + field: sophos.xg.ws_protocol + target_field: http.version + ignore_missing: true + if: "ctx.sophos?.xg?.ws_protocol != null" +- rename: + field: sophos.xg.useragent + target_field: user_agent.original + ignore_missing: true + if: "ctx.sophos?.xg?.useragent != null" + +############################# +## ECS Network/Geo Mapping ## +############################# +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" + ignore_failure: true +- script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" + if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" + ignore_failure: true + +######################### +## ECS Related Mapping ## +######################### +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" + +############# +## Cleanup ## +############# +- remove: + field: + - sophos.xg.bytesrcv + - sophos.xg.bytessent + - sophos.xg.httpstatus + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophos/xg/ingest/wifi.yml b/x-pack/filebeat/module/sophos/xg/ingest/wifi.yml new file mode 100644 index 00000000000..a5ddc7859bb --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/ingest/wifi.yml @@ -0,0 +1,20 @@ +description: Pipeline for parsing sophos firewall logs (wifi pipeline) +processors: +####################### +## ECS Event Mapping ## +####################### +- set: + field: event.kind + value: event +- set: + field: event.outcome + value: success + if: 'ctx?.sophos?.xg?.log_type == "Wireless Protection"' + +############# +## Cleanup ## +############# +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/sophos/xg/manifest.yml b/x-pack/filebeat/module/sophos/xg/manifest.yml new file mode 100644 index 00000000000..5bf74158cee --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/manifest.yml @@ -0,0 +1,38 @@ +module_version: 1.0 + +var: + - name: syslog_host + default: localhost + - name: tags + default: [sophos-xg, forwarded] + - name: syslog_port + default: 9005 + - name: input + default: udp + - name: default_host_name + default: firewall.localgroup.local + - name: known_devices + default: + - serial_number: "1234567890123456" + hostname: "my_fancy_host" + - serial_number: "1234567890123457" + hostname: "some_other_host.local" + +ingest_pipeline: + - ingest/pipeline.yml + - ingest/firewall.yml + - ingest/idp.yml + - ingest/atp.yml + - ingest/antivirus.yml + - ingest/sandstorm.yml + - ingest/cfilter.yml + - ingest/event.yml + - ingest/waf.yml + - ingest/antispam.yml + - ingest/wifi.yml + +input: config/config.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log new file mode 100644 index 00000000000..71fc6033800 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log @@ -0,0 +1,11 @@ +<30>device="SFW" date=2020-05-18 time=14:38:48 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041101618035 log_type="Anti-Spam" log_component="SMTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="firewall@firewallgate.com" to_email_address="Sysadmin@elasticuser.com" email_subject="*ALERT* Sophos XG Firewall" mailid="qkW2Y6-LxBk6U-vH-1590055245" mailsize=19728 spamaction="QUEUED" reason="Email has been accepted by Device and queued for scanning." src_domainname="elasticuser.com" dst_domainname="" src_ip="" src_country_code="" dst_ip="" dst_country_code="" protocol="TCP" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2020-05-18 time=14:38:49 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=041105613003 log_type="Anti-Spam" log_component="SMTP" log_subtype="Clean" status="" priority=Information fw_rule_id=22 user_name="" av_policy_name="Default" from_email_address="telekommunikation@constant-big.email" to_email_address="info@pelasticuser.com" email_subject="Telefonservice statt Anrufbeantworter" mailid="device="SFW" date=2020-05-18 time=14:38:50 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=041107413001 log_type="Anti-Spam" log_component="SMTP" log_subtype="Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="Spam" from_email_address="ripxfc@17buddies.net" to_email_address="hein.mueck@elasticuser.de" email_subject="nimm dringend Geld" mailid="device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=045908413004 log_type="Anti-Spam" log_component="SMTPS" log_subtype="Probable Spam" status="" priority=Warning fw_rule_id=22 user_name="" av_policy_name="rule3" from_email_address="SHERIF.TOBGI@ELTOBGI.COM" to_email_address="info@elasticuser.com" email_subject="09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20" mailid="<20200518070235.C1623996C64F9957@ELTOBGI.COM>" mailsize=1032152 spamaction="Prefix Subject" reason="Sender IP address is blacklisted." src_domainname="ELTOBGI.COM" dst_domainname="" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol="TCP" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="RBL" +<30>device="SFW" date=2017-01-31 time=18:34:41 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041113413005 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="Gaurav123" from_email_address="gaurav1@iview.com" to_email_address=" gaurav2@iview.com" email_subject="RPD Spam Test: Spam" mailid="" mailsize=405 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam" +<30>device="SFW" date=2018-06-06 time=11:10:11 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041114413006 log_type="Anti-Spam" log_component="SMTP" log_subtype="Outbound Probable Spam" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="rule 8" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="RPD Spam test: Bulk" mailid="" mailsize=439 spamaction="Drop" reason="Mail detected as OUTBOUND PROBABLE SPAM." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Spam" +<30>device="SFW" date=2018-06-06 time=12:50:07 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041121613009 log_type="Anti-Spam" log_component="SMTP" log_subtype="DLP" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman. local" email_subject="Fwd: TESt" mailid="c0000002-1528269606" mailsize=5041 spamaction="DROP" reason="Email containing confidential data detected. Relevant Data Protection Policy applied." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="DLP" +<30>device="SFW" date=2018-06-06 time=12:51:34 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041122613010 log_type="Anti-Spam" log_component="SMTP" log_subtype="SPX" status="" priority=Information fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil1@Postman.local" email_subject="[secure:pankhil]" mailid="c0000003-1528269693" mailsize=442 spamaction="Accept" reason="SPX Template of type Specified by Sender successfully applied on Email." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol="TCP" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2018-06-06 time=12:53:39 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041123413012 log_type="Anti-Spam" log_component="SMTP" log_subtype="Dos" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="" to_email_address="" email_subject="" mailid="" mailsize=0 spamaction="TMPREJECT" reason="SMTP DoS" src_domainname="" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2018-06-06 time=12:56:53 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=041102413014 log_type="Anti-Spam" log_component="SMTP" log_subtype="Denied" status="" priority=Warning fw_rule_id=0 user_name="" av_policy_name="postman" from_email_address="pankhil1@postman.local" to_email_address="pankhil@postman. local" email_subject="Fwd: test sand" mailid="c0000008-1528270010" mailsize=419835 spamaction="DROP" reason="Email is marked Malicious by Sophos Sandstorm." src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol="TCP" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0 +<30>device="SFW" date=2017-01-31 time=18:31:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=041207414001 log_type="Anti-Spam" log_component="POP3" log_subtype="Spam" status="" priority=Warning fw_rule_id=0 user_name="gaurav" av_policy_name="GauravPatel" from_email_address="gaurav1@iview.com" to_email_address="gaurav2@iview. com" email_subject="RPD Spam Test: Spam" mailid="<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>" mailsize=574 spamaction="Accept" reason="" src_domainname=" iview.com" dst_domainname="iview.com" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol="TCP" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json new file mode 100644 index 00000000000..90a40d0b095 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json @@ -0,0 +1,784 @@ +[ + { + "@timestamp": "2020-05-18T14:38:48.000-02:00", + "client.bytes": 0, + "client.port": 0, + "destination.bytes": 0, + "destination.port": 0, + "destination.user.email": "Sysadmin@elasticuser.com", + "event.action": "Allowed", + "event.category": [ + "network" + ], + "event.code": "041101618035", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:48 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=041101618035 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"firewall@firewallgate.com\" to_email_address=\"Sysadmin@elasticuser.com\" email_subject=\"*ALERT* Sophos XG Firewall\" mailid=\"qkW2Y6-LxBk6U-vH-1590055245\" mailsize=19728 spamaction=\"QUEUED\" reason=\"Email has been accepted by Device and queued for scanning.\" src_domainname=\"elasticuser.com\" dst_domainname=\"\" src_ip=\"\" src_country_code=\"\" dst_ip=\"\" dst_country_code=\"\" protocol=\"TCP\" src_port=0 dst_port=0 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.port": 0, + "service.type": "sophos", + "sophos.xg.av_policy_name": "None", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.email_subject": "*ALERT* Sophos XG Firewall", + "sophos.xg.fw_rule_id": "0", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailid": "qkW2Y6-LxBk6U-vH-1590055245", + "sophos.xg.mailsize": "19728", + "sophos.xg.message_id": "18035", + "sophos.xg.priority": "Information", + "sophos.xg.quarantine_reason": "Other", + "sophos.xg.reason": "Email has been accepted by Device and queued for scanning.", + "sophos.xg.spamaction": "QUEUED", + "source.bytes": 0, + "source.domain": "elasticuser.com", + "source.port": 0, + "source.user.email": "firewall@firewallgate.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:49.000-02:00", + "client.bytes": 0, + "client.ip": "92.38.133.63", + "client.port": 52742, + "destination.as.number": 199567, + "destination.as.organization.name": "Fr. Sauter AG", + "destination.bytes": 0, + "destination.geo.city_name": "Saint-Prex", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.location.lat": 46.4796, + "destination.geo.location.lon": 6.4599, + "destination.geo.region_iso_code": "CH-VD", + "destination.geo.region_name": "Vaud", + "destination.ip": "185.8.209.194", + "destination.port": 25, + "destination.user.email": "info@pelasticuser.com", + "event.action": "Clean", + "event.category": [ + "network" + ], + "event.code": "041105613003", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:49 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=041105613003 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Clean\" status=\"\" priority=Information fw_rule_id=22 user_name=\"\" av_policy_name=\"Default\" from_email_address=\"telekommunikation@constant-big.email\" to_email_address=\"info@pelasticuser.com\" email_subject=\"Telefonservice statt Anrufbeantworter\" mailid=\"\" mailsize=1032152 spamaction=\"Prefix Subject\" reason=\"Sender IP address is blacklisted.\" src_domainname=\"ELTOBGI.COM\" dst_domainname=\"\" src_ip=77.72.3.56 src_country_code=GBR dst_ip=185.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=55002 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"RBL\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 2295, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "185.8.209.194", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.av_policy_name": "rule3", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "DEU", + "sophos.xg.email_subject": "09F1A19017 - 65T BP LNG Hybrid - TS-V-061-01 - HVAC Package - RFQ - BCD - 27-May-20", + "sophos.xg.fw_rule_id": "22", + "sophos.xg.log_component": "SMTPS", + "sophos.xg.log_subtype": "Probable Spam", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailid": "<20200518070235.C1623996C64F9957@ELTOBGI.COM>", + "sophos.xg.mailsize": "1032152", + "sophos.xg.message_id": "13004", + "sophos.xg.priority": "Warning", + "sophos.xg.quarantine_reason": "RBL", + "sophos.xg.reason": "Sender IP address is blacklisted.", + "sophos.xg.spamaction": "Prefix Subject", + "sophos.xg.src_country_code": "GBR", + "source.as.number": 12488, + "source.as.organization.name": "Krystal Hosting Ltd", + "source.bytes": 0, + "source.domain": "ELTOBGI.COM", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.location.lat": 51.4964, + "source.geo.location.lon": -0.1224, + "source.ip": "77.72.3.56", + "source.port": 55002, + "source.user.email": "SHERIF.TOBGI@ELTOBGI.COM", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T18:34:41.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.47.71", + "client.port": 22420, + "destination.bytes": 0, + "destination.ip": "10.198.233.61", + "destination.port": 25, + "destination.user.email": " gaurav2@iview.com", + "event.action": "Outbound Spam", + "event.category": [ + "malware", + "network" + ], + "event.code": "041113413005", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-01-31 time=18:34:41 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041113413005 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"Gaurav123\" from_email_address=\"gaurav1@iview.com\" to_email_address=\" gaurav2@iview.com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"\" mailsize=405 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22420 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 3123, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "C44313350024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.233.61", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.av_policy_name": "Gaurav123", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.email_subject": "RPD Spam Test: Spam", + "sophos.xg.fw_rule_id": "0", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "Outbound Spam", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailid": "", + "sophos.xg.mailsize": "405", + "sophos.xg.message_id": "13005", + "sophos.xg.priority": "Warning", + "sophos.xg.quarantine_reason": "Spam", + "sophos.xg.spamaction": "Accept", + "sophos.xg.src_country_code": "R1", + "sophos.xg.user_name": "gaurav", + "source.bytes": 0, + "source.domain": " iview.com", + "source.ip": "10.198.47.71", + "source.port": 22420, + "source.user.email": "gaurav1@iview.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T11:10:11.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 58043, + "destination.bytes": 0, + "destination.ip": "10.198.234.240", + "destination.port": 25, + "destination.user.email": "pankhil1@Postman.local", + "event.action": "Outbound Probable Spam", + "event.category": [ + "malware", + "network" + ], + "event.code": "041114413006", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-06 time=11:10:11 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041114413006 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Outbound Probable Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"rule 8\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"RPD Spam test: Bulk\" mailid=\"\" mailsize=439 spamaction=\"Drop\" reason=\"Mail detected as OUTBOUND PROBABLE SPAM.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=58043 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Spam\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 3852, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.234.240", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.av_policy_name": "rule 8", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG430", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.email_subject": "RPD Spam test: Bulk", + "sophos.xg.fw_rule_id": "0", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "Outbound Probable Spam", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailid": "", + "sophos.xg.mailsize": "439", + "sophos.xg.message_id": "13006", + "sophos.xg.priority": "Warning", + "sophos.xg.quarantine_reason": "Spam", + "sophos.xg.reason": "Mail detected as OUTBOUND PROBABLE SPAM.", + "sophos.xg.spamaction": "Drop", + "sophos.xg.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 58043, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T12:50:07.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60134, + "destination.bytes": 0, + "destination.ip": "10.198.17.121", + "destination.port": 25, + "destination.user.email": "pankhil1@Postman. local", + "event.action": "DLP", + "event.category": [ + "malware", + "network" + ], + "event.code": "041121613009", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:50:07 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041121613009 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"DLP\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman. local\" email_subject=\"Fwd: TESt\" mailid=\"c0000002-1528269606\" mailsize=5041 spamaction=\"DROP\" reason=\"Email containing confidential data detected. Relevant Data Protection Policy applied.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60134 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"DLP\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 4627, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.17.121", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.av_policy_name": "postman", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG430", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.email_subject": "Fwd: TESt", + "sophos.xg.fw_rule_id": "0", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "DLP", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailid": "c0000002-1528269606", + "sophos.xg.mailsize": "5041", + "sophos.xg.message_id": "13009", + "sophos.xg.priority": "Information", + "sophos.xg.quarantine_reason": "DLP", + "sophos.xg.reason": "Email containing confidential data detected. Relevant Data Protection Policy applied.", + "sophos.xg.spamaction": "DROP", + "sophos.xg.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 60134, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T12:51:34.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60298, + "destination.bytes": 0, + "destination.ip": "10.198.16.204", + "destination.port": 25, + "destination.user.email": "pankhil1@Postman.local", + "event.action": "SPX", + "event.category": [ + "network" + ], + "event.code": "041122613010", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:51:34 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041122613010 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"SPX\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil1@Postman.local\" email_subject=\"[secure:pankhil]\" mailid=\"c0000003-1528269693\" mailsize=442 spamaction=\"Accept\" reason=\"SPX Template of type Specified by Sender successfully applied on Email.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.16.204 dst_country_code=R1 protocol=\"TCP\" src_port=60298 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 5389, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.16.204", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.av_policy_name": "None", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG430", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.email_subject": "[secure:pankhil]", + "sophos.xg.fw_rule_id": "0", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "SPX", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailid": "c0000003-1528269693", + "sophos.xg.mailsize": "442", + "sophos.xg.message_id": "13010", + "sophos.xg.priority": "Information", + "sophos.xg.quarantine_reason": "Other", + "sophos.xg.reason": "SPX Template of type Specified by Sender successfully applied on Email.", + "sophos.xg.spamaction": "Accept", + "sophos.xg.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 60298, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T12:53:39.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60392, + "destination.bytes": 0, + "destination.ip": "10.198.17.121", + "destination.port": 25, + "event.action": "Dos", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "041123413012", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:53:39 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041123413012 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Dos\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"\" to_email_address=\"\" email_subject=\"\" mailid=\"\" mailsize=0 spamaction=\"TMPREJECT\" reason=\"SMTP DoS\" src_domainname=\"\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60392 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 6143, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.17.121", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.av_policy_name": "None", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG430", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.fw_rule_id": "0", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "Dos", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailsize": "0", + "sophos.xg.message_id": "13012", + "sophos.xg.priority": "Warning", + "sophos.xg.quarantine_reason": "Other", + "sophos.xg.reason": "SMTP DoS", + "sophos.xg.spamaction": "TMPREJECT", + "sophos.xg.src_country_code": "R1", + "source.bytes": 0, + "source.ip": "10.198.16.121", + "source.port": 60392, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T12:56:53.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 60608, + "destination.bytes": 0, + "destination.ip": "10.198.17.121", + "destination.port": 25, + "destination.user.email": "pankhil@postman. local", + "event.action": "Denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "041102413014", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-06 time=12:56:53 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=041102413014 log_type=\"Anti-Spam\" log_component=\"SMTP\" log_subtype=\"Denied\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"\" av_policy_name=\"postman\" from_email_address=\"pankhil1@postman.local\" to_email_address=\"pankhil@postman. local\" email_subject=\"Fwd: test sand\" mailid=\"c0000008-1528270010\" mailsize=419835 spamaction=\"DROP\" reason=\"Email is marked Malicious by Sophos Sandstorm.\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.17.121 dst_country_code=R1 protocol=\"TCP\" src_port=60608 dst_port=25 sent_bytes=0 recv_bytes=0", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 6740, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.17.121", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.av_policy_name": "postman", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG430", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.email_subject": "Fwd: test sand", + "sophos.xg.fw_rule_id": "0", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailid": "c0000008-1528270010", + "sophos.xg.mailsize": "419835", + "sophos.xg.message_id": "13014", + "sophos.xg.priority": "Warning", + "sophos.xg.reason": "Email is marked Malicious by Sophos Sandstorm.", + "sophos.xg.spamaction": "DROP", + "sophos.xg.src_country_code": "R1", + "source.bytes": 0, + "source.domain": "postman.local", + "source.ip": "10.198.16.121", + "source.port": 60608, + "source.user.email": "pankhil1@postman.local", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T18:31:11.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.47.71", + "client.port": 22333, + "destination.bytes": 0, + "destination.ip": "10.198.233.61", + "destination.port": 110, + "destination.user.email": "gaurav2@iview. com", + "event.action": "Spam", + "event.category": [ + "malware", + "network" + ], + "event.code": "041207414001", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-01-31 time=18:31:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=041207414001 log_type=\"Anti-Spam\" log_component=\"POP3\" log_subtype=\"Spam\" status=\"\" priority=Warning fw_rule_id=0 user_name=\"gaurav\" av_policy_name=\"GauravPatel\" from_email_address=\"gaurav1@iview.com\" to_email_address=\"gaurav2@iview. com\" email_subject=\"RPD Spam Test: Spam\" mailid=\"<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>\" mailsize=574 spamaction=\"Accept\" reason=\"\" src_domainname=\" iview.com\" dst_domainname=\"iview.com\" src_ip=10.198.47.71 src_country_code=R1 dst_ip=10.198.233.61 dst_country_code=R1 protocol=\"TCP\" src_port=22333 dst_port=110 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 7445, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "C44313350024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "server.bytes": 0, + "server.ip": "10.198.233.61", + "server.port": 110, + "service.type": "sophos", + "sophos.xg.av_policy_name": "GauravPatel", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.dst_domainname": "iview.com", + "sophos.xg.email_subject": "RPD Spam Test: Spam", + "sophos.xg.fw_rule_id": "0", + "sophos.xg.log_component": "POP3", + "sophos.xg.log_subtype": "Spam", + "sophos.xg.log_type": "Anti-Spam", + "sophos.xg.mailid": "<2a2dd5d4-1a30-617b-27b1-7961ad07cf07@iview.com>", + "sophos.xg.mailsize": "574", + "sophos.xg.message_id": "14001", + "sophos.xg.priority": "Warning", + "sophos.xg.quarantine_reason": "Other", + "sophos.xg.spamaction": "Accept", + "sophos.xg.src_country_code": "R1", + "sophos.xg.user_name": "gaurav", + "source.bytes": 0, + "source.domain": " iview.com", + "source.ip": "10.198.47.71", + "source.port": 22333, + "source.user.email": "gaurav1@iview.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log new file mode 100644 index 00000000000..9b6236d28c8 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log @@ -0,0 +1,9 @@ +<30>device="SFW" date=2020-05-18 time=14:38:33 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="Sandstorm" url="http://sophostest.com/Sandstorm/SBTestFile1.pdf" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol="TCP" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 +<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="" iap=13 av_policy_name="" virus="EICAR-AV-Test" url="http://sophostest.com/eicar/index.html" domainname="sophostest.com" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol="TCP" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" status_code=403 +<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="info@farasamed.com" to_email_address="info@elastic-user.local" subject="ZAHLUNG (PROFORMA INVOICE)" mailid="<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr" mailsize=2254721 virus="TR/AD.AgentTesla.eaz" filename="" quarantine="" src_domainname="farasamed.com" dst_domainname="" src_ip=82.165.194.211 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol="TCP" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" +<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=031106210001 log_type="Anti-Virus" log_component="SMTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=22 user_name="" av_policy_name="default-smtp-av" from_email_address="spedizioni@divella.it" to_email_address="info@elastic-user.local" subject="Re: NEW PRO-FORMA INVOICE" mailid="<20200519072944.AFCA295AF2A037A6@divella.it>" mailsize=537457 virus="Mal/BredoZp-B" filename="" quarantine="" src_domainname="divella.it" dst_domainname="" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol="TCP" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason="Infected" +<30>device="SFW" date=2018-06-06 time=10:51:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036106211001 log_type="Anti-Virus" log_component="POPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="pankhil@postman.local" subject="EICAR" mailid="" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2018-06-06 time=10:58:29 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=036206212001 log_type="Anti-Virus" log_component="IMAPS" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" av_policy_name="None" from_email_address="pankhil@postman.local" to_email_address="ganga@postman.local" subject="EICAR test email" mailid="<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>" mailsize=0 virus="EICAR-AV-Test" filename="" quarantine="" src_domainname="postman.local" dst_domainname="" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol="TCP" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason="Other" +<30>device="SFW" date=2018-06-21 time=19:50:23 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031006209001 log_type="Anti-Virus" log_component="FTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=0 user_name="" virus="EICAR-AV-Test" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Upload" filename=" /home/ftp-user/ta_test_file_1ta-cl1-46" file_size=0 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="STOR" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol="TCP" src_port=39910 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=0 +<30>device="SFW" date=2018-06-21 time=19:50:48 timezone="CEST" device_name="SF01V" device_id=SFDemo-2df0960 log_id=031001609002 log_type="Anti-Virus" log_component="FTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=0 user_name="" virus="" FTP_url="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" FTP_direction="Download" filename="/home/ftp-user /ta_test_file_1ta-cl1-46" file_size=19926248 file_path="/var/www//home/ftp-user/ta_test_file_1ta-cl1-46" ftpcommand="RETR" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol="TCP" src_port=39936 dst_port=21 dstdomain="" sent_bytes=0 recv_bytes=19926248 + diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json new file mode 100644 index 00000000000..a78e27fa46e --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json @@ -0,0 +1,597 @@ +[ + { + "@timestamp": "2020-05-18T14:38:33.000-02:00", + "client.bytes": 550, + "client.ip": "172.16.34.24", + "client.port": 57695, + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.bytes": 1616, + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "13.226.155.93", + "destination.port": 80, + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "030906208001", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:33 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"Sandstorm\" url=\"http://sophostest.com/Sandstorm/SBTestFile1.pdf\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.93 dst_country_code=USA protocol=\"TCP\" src_port=57695 dst_port=80 sent_bytes=550 recv_bytes=1616 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "http.response.status_code": 403, + "input.type": "log", + "log.level": "critical", + "log.offset": 0, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.24", + "13.226.155.93" + ], + "rule.id": "2", + "server.bytes": 1616, + "server.ip": "13.226.155.93", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "USA", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Virus", + "sophos.xg.log_type": "Anti-Virus", + "sophos.xg.message_id": "08001", + "sophos.xg.priority": "Critical", + "sophos.xg.src_country_code": "R1", + "sophos.xg.virus": "Sandstorm", + "source.bytes": 550, + "source.ip": "172.16.34.24", + "source.port": 57695, + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "sophostest.com", + "url.original": "http://sophostest.com/Sandstorm/SBTestFile1.pdf", + "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" + }, + { + "@timestamp": "2020-05-18T14:38:34.000-02:00", + "client.bytes": 541, + "client.ip": "172.16.34.24", + "client.port": 57835, + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.bytes": 553, + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "13.226.155.18", + "destination.port": 80, + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "030906208001", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=030906208001 log_type=\"Anti-Virus\" log_component=\"HTTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=2 user_name=\"\" iap=13 av_policy_name=\"\" virus=\"EICAR-AV-Test\" url=\"http://sophostest.com/eicar/index.html\" domainname=\"sophostest.com\" src_ip=172.16.34.24 src_country_code=R1 dst_ip=13.226.155.18 dst_country_code=USA protocol=\"TCP\" src_port=57835 dst_port=80 sent_bytes=541 recv_bytes=553 user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36\" status_code=403", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "http.response.status_code": 403, + "input.type": "log", + "log.level": "critical", + "log.offset": 673, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.24", + "13.226.155.18" + ], + "rule.id": "2", + "server.bytes": 553, + "server.ip": "13.226.155.18", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "USA", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Virus", + "sophos.xg.log_type": "Anti-Virus", + "sophos.xg.message_id": "08001", + "sophos.xg.priority": "Critical", + "sophos.xg.src_country_code": "R1", + "sophos.xg.virus": "EICAR-AV-Test", + "source.bytes": 541, + "source.ip": "172.16.34.24", + "source.port": 57835, + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "sophostest.com", + "url.original": "http://sophostest.com/eicar/index.html", + "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" + }, + { + "@timestamp": "2020-05-18T14:38:35.000-02:00", + "client.bytes": 0, + "client.ip": "82.165.194.211", + "client.port": 56336, + "destination.as.number": 19422, + "destination.as.organization.name": "Telefonica Moviles del Uruguay SA", + "destination.bytes": 0, + "destination.geo.continent_name": "South America", + "destination.geo.country_iso_code": "UY", + "destination.geo.location.lat": -33.0, + "destination.geo.location.lon": -56.0, + "destination.ip": "186.8.209.194", + "destination.port": 25, + "destination.user.email": "info@elastic-user.local", + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "031106210001", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"info@farasamed.com\" to_email_address=\"info@elastic-user.local\" subject=\"ZAHLUNG (PROFORMA INVOICE)\" mailid=\"<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr\" mailsize=2254721 virus=\"TR/AD.AgentTesla.eaz\" filename=\"\" quarantine=\"\" src_domainname=\"farasamed.com\" dst_domainname=\"\" src_ip=82.165.194.211 src_country_code=DEU dst_ip=186.8.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=56336 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 1340, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "82.165.194.211", + "186.8.209.194" + ], + "rule.id": "22", + "server.bytes": 0, + "server.ip": "186.8.209.194", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.av_policy_name": "default-smtp-av", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "DEU", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "Virus", + "sophos.xg.log_type": "Anti-Virus", + "sophos.xg.mailid": "<20200520004312.Horde.lEUeVf2I6PwO5K5TtMndnC7@webmail.sevengayr", + "sophos.xg.mailsize": "2254721", + "sophos.xg.message_id": "10001", + "sophos.xg.priority": "Critical", + "sophos.xg.quarantine_reason": "Infected", + "sophos.xg.src_country_code": "DEU", + "sophos.xg.subject": "ZAHLUNG (PROFORMA INVOICE)", + "sophos.xg.virus": "TR/AD.AgentTesla.eaz", + "source.as.number": 8560, + "source.as.organization.name": "1&1 Ionos Se", + "source.bytes": 0, + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "82.165.194.211", + "source.port": 56336, + "source.user.email": "info@farasamed.com", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "farasamed.com" + }, + { + "@timestamp": "2020-05-18T14:38:36.000-02:00", + "client.bytes": 0, + "client.ip": "23.254.247.78", + "client.port": 54693, + "destination.as.number": 42652, + "destination.as.organization.name": "inexio Informationstechnologie und Telekommunikation Gmbh", + "destination.bytes": 0, + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "185.7.209.194", + "destination.port": 25, + "destination.user.email": "info@elastic-user.local", + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "031106210001", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=031106210001 log_type=\"Anti-Virus\" log_component=\"SMTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=22 user_name=\"\" av_policy_name=\"default-smtp-av\" from_email_address=\"spedizioni@divella.it\" to_email_address=\"info@elastic-user.local\" subject=\"Re: NEW PRO-FORMA INVOICE\" mailid=\"<20200519072944.AFCA295AF2A037A6@divella.it>\" mailsize=537457 virus=\"Mal/BredoZp-B\" filename=\"\" quarantine=\"\" src_domainname=\"divella.it\" dst_domainname=\"\" src_ip=23.254.247.78 src_country_code=USA dst_ip=185.7.209.194 dst_country_code=DEU protocol=\"TCP\" src_port=54693 dst_port=25 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Infected\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "critical", + "log.offset": 2118, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "23.254.247.78", + "185.7.209.194" + ], + "rule.id": "22", + "server.bytes": 0, + "server.ip": "185.7.209.194", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.av_policy_name": "default-smtp-av", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "DEU", + "sophos.xg.log_component": "SMTP", + "sophos.xg.log_subtype": "Virus", + "sophos.xg.log_type": "Anti-Virus", + "sophos.xg.mailid": "<20200519072944.AFCA295AF2A037A6@divella.it>", + "sophos.xg.mailsize": "537457", + "sophos.xg.message_id": "10001", + "sophos.xg.priority": "Critical", + "sophos.xg.quarantine_reason": "Infected", + "sophos.xg.src_country_code": "USA", + "sophos.xg.subject": "Re: NEW PRO-FORMA INVOICE", + "sophos.xg.virus": "Mal/BredoZp-B", + "source.as.number": 54290, + "source.as.organization.name": "Hostwinds LLC.", + "source.bytes": 0, + "source.geo.city_name": "Seattle", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 47.4902, + "source.geo.location.lon": -122.3004, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "23.254.247.78", + "source.port": 54693, + "source.user.email": "spedizioni@divella.it", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "divella.it" + }, + { + "@timestamp": "2018-06-06T10:51:29.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 56653, + "destination.bytes": 0, + "destination.ip": "10.198.234.240", + "destination.port": 995, + "destination.user.email": "pankhil@postman.local", + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "036106211001", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-06 time=10:51:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036106211001 log_type=\"Anti-Virus\" log_component=\"POPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"pankhil@postman.local\" subject=\"EICAR\" mailid=\"\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56653 dst_port=995 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 2867, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.16.121", + "10.198.234.240" + ], + "rule.id": "0", + "server.bytes": 0, + "server.ip": "10.198.234.240", + "server.port": 995, + "service.type": "sophos", + "sophos.xg.av_policy_name": "None", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG430", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.log_component": "POPS", + "sophos.xg.log_subtype": "Virus", + "sophos.xg.log_type": "Anti-Virus", + "sophos.xg.mailid": "", + "sophos.xg.mailsize": "0", + "sophos.xg.message_id": "11001", + "sophos.xg.priority": "Critical", + "sophos.xg.quarantine_reason": "Other", + "sophos.xg.src_country_code": "R1", + "sophos.xg.subject": "EICAR", + "sophos.xg.virus": "EICAR-AV-Test", + "source.bytes": 0, + "source.ip": "10.198.16.121", + "source.port": 56653, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "postman.local" + }, + { + "@timestamp": "2018-06-06T10:58:29.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.16.121", + "client.port": 56632, + "destination.bytes": 0, + "destination.ip": "10.198.234.240", + "destination.port": 993, + "destination.user.email": "ganga@postman.local", + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "036206212001", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-06 time=10:58:29 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=036206212001 log_type=\"Anti-Virus\" log_component=\"IMAPS\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" av_policy_name=\"None\" from_email_address=\"pankhil@postman.local\" to_email_address=\"ganga@postman.local\" subject=\"EICAR test email\" mailid=\"<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>\" mailsize=0 virus=\"EICAR-AV-Test\" filename=\"\" quarantine=\"\" src_domainname=\"postman.local\" dst_domainname=\"\" src_ip=10.198.16.121 src_country_code=R1 dst_ip=10.198.234.240 dst_country_code=R1 protocol=\"TCP\" src_port=56632 dst_port=993 sent_bytes=0 recv_bytes=0 quarantine_reason=\"Other\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 3583, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.16.121", + "10.198.234.240" + ], + "rule.id": "0", + "server.bytes": 0, + "server.ip": "10.198.234.240", + "server.port": 993, + "service.type": "sophos", + "sophos.xg.av_policy_name": "None", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG430", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.log_component": "IMAPS", + "sophos.xg.log_subtype": "Virus", + "sophos.xg.log_type": "Anti-Virus", + "sophos.xg.mailid": "<2ca37b7c-e93a-743a-99c4-a0796f0bbb79@postman.local>", + "sophos.xg.mailsize": "0", + "sophos.xg.message_id": "12001", + "sophos.xg.priority": "Critical", + "sophos.xg.quarantine_reason": "Other", + "sophos.xg.src_country_code": "R1", + "sophos.xg.subject": "EICAR test email", + "sophos.xg.virus": "EICAR-AV-Test", + "source.bytes": 0, + "source.ip": "10.198.16.121", + "source.port": 56632, + "source.user.email": "pankhil@postman.local", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "postman.local" + }, + { + "@timestamp": "2018-06-21T19:50:23.000-02:00", + "client.bytes": 0, + "client.ip": "10.146.13.49", + "client.port": 39910, + "destination.bytes": 0, + "destination.ip": "10.8.142.181", + "destination.port": 21, + "event.action": "Virus", + "event.category": [ + "malware", + "network" + ], + "event.code": "031006209001", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-21 time=19:50:23 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031006209001 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Virus\" status=\"\" priority=Critical fw_rule_id=0 user_name=\"\" virus=\"EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload\" filename=\" /home/ftp-user/ta_test_file_1ta-cl1-46\" file_size=0 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"STOR\" src_ip=10.146.13.49 src_country_code=R1 dst_ip=10.8.142.181 dst_country_code=R1 protocol=\"TCP\" src_port=39910 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=0", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "file.directory": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", + "file.name": " /home/ftp-user/ta_test_file_1ta-cl1-46", + "file.size": 0, + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 4309, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "SFDemo-2df0960", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.146.13.49", + "10.8.142.181" + ], + "rule.id": "0", + "server.bytes": 0, + "server.ip": "10.8.142.181", + "server.port": 21, + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SF01V", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.ftpcommand": "STOR", + "sophos.xg.log_component": "FTP", + "sophos.xg.log_subtype": "Virus", + "sophos.xg.log_type": "Anti-Virus", + "sophos.xg.message_id": "09001", + "sophos.xg.priority": "Critical", + "sophos.xg.src_country_code": "R1", + "sophos.xg.virus": "EICAR-AV-Test\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Upload", + "source.bytes": 0, + "source.ip": "10.146.13.49", + "source.port": 39910, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-21T19:50:48.000-02:00", + "client.bytes": 0, + "client.ip": "10.146.13.49", + "client.port": 39936, + "destination.bytes": 19926248, + "destination.ip": "10.8.142.181", + "destination.port": 21, + "event.action": "Allowed", + "event.category": [ + "network" + ], + "event.code": "031001609002", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-21 time=19:50:48 timezone=\"CEST\" device_name=\"SF01V\" device_id=SFDemo-2df0960 log_id=031001609002 log_type=\"Anti-Virus\" log_component=\"FTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=0 user_name=\"\" virus=\"\" FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download\" filename=\"/home/ftp-user /ta_test_file_1ta-cl1-46\" file_size=19926248 file_path=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" ftpcommand=\"RETR\" src_ip=10.146.13.49 src_country_code= dst_ip=10.8.142.181 dst_country_code= protocol=\"TCP\" src_port=39936 dst_port=21 dstdomain=\"\" sent_bytes=0 recv_bytes=19926248", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "file.directory": "/var/www//home/ftp-user/ta_test_file_1ta-cl1-46", + "file.name": "/home/ftp-user /ta_test_file_1ta-cl1-46", + "file.size": 19926248, + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 4959, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "SFDemo-2df0960", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.146.13.49", + "10.8.142.181" + ], + "rule.id": "0", + "server.bytes": 19926248, + "server.ip": "10.8.142.181", + "server.port": 21, + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SF01V", + "sophos.xg.ftpcommand": "RETR", + "sophos.xg.log_component": "FTP", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Anti-Virus", + "sophos.xg.message_id": "09002", + "sophos.xg.priority": "Information", + "sophos.xg.virus": " FTP_url=\"/var/www//home/ftp-user/ta_test_file_1ta-cl1-46\" FTP_direction=\"Download", + "source.bytes": 0, + "source.ip": "10.146.13.49", + "source.port": 39936, + "tags": [ + "sophos-xg", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/atp.log b/x-pack/filebeat/module/sophos/xg/test/atp.log new file mode 100644 index 00000000000..10f65b6bd5a --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/atp.log @@ -0,0 +1,5 @@ +<30>device="SFW" date=2017-01-31 time=18:44:31 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=086304418010 log_type="ATP" log_component="Firewall" log_subtype="Drop" priority=Warning user_name="jsmith" protocol="TCP" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path="" +<30>device="SFW" date=2020-05-18 time=14:38:34 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path="" +<30>device="SFW" date=2020-05-18 time=14:38:35 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=086504418010 log_type="ATP" log_component="Web" log_subtype="Drop" priority=Warning user_name="" protocol="TCP" src_port=57540 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype="Standard" login_user="" process_user="" ep_uuid="" execution_path="" +<30>device="SFW" date=2018-06-05 time=08:49:00 timezone="BST" device_name="XG310" device_id=C30006T22TGR89B log_id=086320518009 log_type="ATP" log_component="Firewall" log_subtype="Alert" priority=Notice user_name="" protocol="ICMP" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype="Standard" login_user="" process_user="" ep_uuid= execution_path="" + diff --git a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json new file mode 100644 index 00000000000..7dbb6289456 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json @@ -0,0 +1,268 @@ +[ + { + "@timestamp": "2017-01-31T18:44:31.000-02:00", + "client.ip": "10.198.47.71", + "client.port": 22623, + "destination.as.number": 44050, + "destination.as.organization.name": "Petersburg Internet Network ltd.", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "RU", + "destination.geo.location.lat": 55.7386, + "destination.geo.location.lon": 37.6068, + "destination.ip": "46.161.30.47", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "086304418010", + "event.dataset": "sophos.xg", + "event.id": "C366ACFB-7A6F-4870-B359-A6CFDA8C85F7", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-01-31 time=18:44:31 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=086304418010 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Drop\" priority=Warning user_name=\"jsmith\" protocol=\"TCP\" src_port=22623 dst_port=80 sourceip=10.198.47.71 destinationip=46.161.30.47 url=46.161.30.47 threatname=C2/Generic-A eventid=C366ACFB-7A6F-4870-B359-A6CFDA8C85F7 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 0, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.47.71", + "46.161.30.47" + ], + "related.user": [ + "jsmith" + ], + "server.ip": "46.161.30.47", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.eventtype": "Standard", + "sophos.xg.log_component": "Firewall", + "sophos.xg.log_subtype": "Drop", + "sophos.xg.log_type": "ATP", + "sophos.xg.message_id": "18010", + "sophos.xg.priority": "Warning", + "sophos.xg.threatname": "C2/Generic-A", + "source.ip": "10.198.47.71", + "source.port": 22623, + "source.user.name": "jsmith", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.original": "46.161.30.47" + }, + { + "@timestamp": "2020-05-18T14:38:34.000-02:00", + "client.ip": "172.16.34.24", + "client.port": 57579, + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "13.226.155.22", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "086504418010", + "event.dataset": "sophos.xg", + "event.id": "E91DAD80-BDE4-4682-B7E8-FE394B70A36C", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:34 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57579 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=E91DAD80-BDE4-4682-B7E8-FE394B70A36C eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "warning", + "log.offset": 489, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.24", + "13.226.155.22" + ], + "server.ip": "13.226.155.22", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.eventtype": "Standard", + "sophos.xg.log_component": "Web", + "sophos.xg.log_subtype": "Drop", + "sophos.xg.log_type": "ATP", + "sophos.xg.message_id": "18010", + "sophos.xg.priority": "Warning", + "sophos.xg.threatname": "C2/Generic-A", + "source.ip": "172.16.34.24", + "source.port": 57579, + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.original": "http://sophostest.com/callhome/index.html" + }, + { + "@timestamp": "2020-05-18T14:38:35.000-02:00", + "client.ip": "172.16.34.24", + "client.port": 57540, + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.geo.city_name": "Seattle", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 47.6348, + "destination.geo.location.lon": -122.3451, + "destination.geo.region_iso_code": "US-WA", + "destination.geo.region_name": "Washington", + "destination.ip": "13.226.155.22", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "086504418010", + "event.dataset": "sophos.xg", + "event.id": "34AC8531-E7C0-4368-9978-5740952EE9AB", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:35 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=086504418010 log_type=\"ATP\" log_component=\"Web\" log_subtype=\"Drop\" priority=Warning user_name=\"\" protocol=\"TCP\" src_port=57540 dst_port=80 sourceip=172.16.34.24 destinationip=13.226.155.22 url=http://sophostest.com/callhome/index.html threatname=C2/Generic-A eventid=34AC8531-E7C0-4368-9978-5740952EE9AB eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid=\"\" execution_path=\"\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 991, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.24", + "13.226.155.22" + ], + "server.ip": "13.226.155.22", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.eventtype": "Standard", + "sophos.xg.log_component": "Web", + "sophos.xg.log_subtype": "Drop", + "sophos.xg.log_type": "ATP", + "sophos.xg.message_id": "18010", + "sophos.xg.priority": "Warning", + "sophos.xg.threatname": "C2/Generic-A", + "source.ip": "172.16.34.24", + "source.port": 57540, + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.original": "http://sophostest.com/callhome/index.html" + }, + { + "@timestamp": "2018-06-05T08:49:00.000-02:00", + "client.ip": "10.198.32.89", + "client.port": 0, + "destination.as.number": 31400, + "destination.as.organization.name": "Accelerated IT Services & Consulting GmbH", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "82.211.30.202", + "destination.port": 0, + "event.action": "alert", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "086320518009", + "event.dataset": "sophos.xg", + "event.id": "C7E26E6F-0097-4EA2-89DE-C31C40636CB2", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-05 time=08:49:00 timezone=\"BST\" device_name=\"XG310\" device_id=C30006T22TGR89B log_id=086320518009 log_type=\"ATP\" log_component=\"Firewall\" log_subtype=\"Alert\" priority=Notice user_name=\"\" protocol=\"ICMP\" src_port=0 dst_port=0 sourceip=10.198.32.89 destinationip=82.211.30.202 url=82.211.30.202 threatname=C2/Generic-A eventid=C7E26E6F-0097-4EA2-89DE-C31C40636CB2 eventtype=\"Standard\" login_user=\"\" process_user=\"\" ep_uuid= execution_path=\"\"", + "event.outcome": "success", + "event.severity": "5", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "notification", + "log.offset": 1493, + "network.transport": "icmp", + "observer.product": "XG", + "observer.serial_number": "C30006T22TGR89B", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.32.89", + "82.211.30.202" + ], + "server.ip": "82.211.30.202", + "server.port": 0, + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG310", + "sophos.xg.eventtype": "Standard", + "sophos.xg.log_component": "Firewall", + "sophos.xg.log_subtype": "Alert", + "sophos.xg.log_type": "ATP", + "sophos.xg.message_id": "18009", + "sophos.xg.priority": "Notice", + "sophos.xg.threatname": "C2/Generic-A", + "source.ip": "10.198.32.89", + "source.port": 0, + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.original": "82.211.30.202" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/cfilter.log b/x-pack/filebeat/module/sophos/xg/test/cfilter.log new file mode 100644 index 00000000000..2e4796c3541 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/cfilter.log @@ -0,0 +1,10 @@ +<30>device="SFW" date=2017-01-31 time=14:03:33 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="jsmith" user_gp="Open Group" iap=1 category="Entertainment" category_type="Unproductive" url="https://r8---sn-ci5gup-qxas.googlevideo.com/" contenttype="" override_token="" httpresponsecode="" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol="TCP" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname="" reason="" +<30>device="SFW" date=2017-02-01 time=18:20:21 timezone="IST" device_name="SG115" device_id=S110000E28BA631 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=1 user_name="" user_gp="" iap=13 category="Religion & Spirituality" category_type="Unproductive" url="http://hanuman.com/" contenttype="" override_token="" httpresponsecode="" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol="TCP" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname="" +<30>device="SFW" date=2017-02-01 time=18:13:29 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=054402617051 log_type="Content Filtering" log_component="Application" log_subtype="Denied" priority=Information fw_rule_id=1 user_name="" user_gp="" application_filter_policy=8 category="Mobile Applications" application_name="Gtalk Android" application_risk=4 application_technology="Client Server" application_category="Mobile Applications" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol="TCP" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status="Deny" message="" +<30>device="SFW" date=2020-05-18 time=14:38:51 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol="TCP" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions="" activityname="" reason="" user_agent="" status_code="400" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=80042000 application="" app_is_cloud=0 override_name="" override_authorizer="" +<30>device="SFW" date=2020-05-18 time=14:38:52 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=050902616002 log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" priority=Information fw_rule_id=51 user_name="" user_gp="" iap=2 category="IPAddress" category_type="Acceptable" url="https://40.90.137.127/" contenttype="" override_token="" httpresponsecode="" src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol="TCP" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions="" activityname="" reason="" user_agent="" status_code="200" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=642960832 application="" app_is_cloud=0 override_name="" override_authorizer="" +<30>device="SFW" date=2020-05-18 time=14:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=050901616001 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="" user_gp="" iap=13 category="Information Technology" category_type="Acceptable" url="http://update.eset.com/eset_upd/ep7/dll/update.ver.signed" contenttype="" override_token="" httpresponsecode="" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol="TCP" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname="" reason="" user_agent="EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " status_code="304" transactionid="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id=248426360 application="" app_is_cloud=0 override_name="" override_authorizer="" +<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SF01V" device_id=1234567890123456 log_id=058420116010 log_type="Content Filtering" log_component="Web Content Policy" log_subtype="Alert" user="gi123456" src_ip=10.108.108.49 transaction_id="e4a127f7-a850-477c-920e-a471b38727c1" dictionary_name="complicated_Custom" site_category=Information Technology website="ta-web-static-testing.qa. astaro.de" direction="in" action="Deny" file_name="cgi_echo.pl" context_match="Not" context_prefix="blah blah hello " context_suffix=" hello blah " +<30>device="SFW" date=2016-12-02 time=18:50:20 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050927616005 log_type="Content Filtering" log_component="HTTP" log_subtype="Warned" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.com/" contenttype="" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol="TCP" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=" Search" reason="" +<30>device="SFW" date=2016-12-02 time=18:50:22 timezone="GMT" device_name="SFVUNL" device_id=C01001K234RXPA1 log_id=050901616006 log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" priority=Information fw_rule_id=2 user_name="rich" user_gp="Clientless Open Group" iap=13 category="Search Engines" category_type="Acceptable" url="http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" contenttype="text/html" override_token="" httpresponsecode="" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol="TCP" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname="Search" reason="not eligible" + diff --git a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json new file mode 100644 index 00000000000..a82d4550f57 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json @@ -0,0 +1,637 @@ +[ + { + "@timestamp": "2017-01-31T14:03:33.000-02:00", + "client.ip": "10.198.47.71", + "client.port": 9444, + "destination.as.number": 9498, + "destination.as.organization.name": "BHARTI Airtel Ltd.", + "destination.geo.continent_name": "Asia", + "destination.geo.country_iso_code": "IN", + "destination.geo.location.lat": 20.0, + "destination.geo.location.lon": 77.0, + "destination.ip": "182.79.221.19", + "destination.port": 443, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "050901616001", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-01-31 time=14:03:33 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"jsmith\" user_gp=\"Open Group\" iap=1 category=\"Entertainment\" category_type=\"Unproductive\" url=\"https://r8---sn-ci5gup-qxas.googlevideo.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=10.198.47.71 dst_ip=182.79.221.19 protocol=\"TCP\" src_port=9444 dst_port=443 sent_bytes=0 recv_bytes=319007 domain=r8---sn-ci5gup-qxas.googlevideo.com exceptions= activityname=\"\" reason=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.47.71", + "182.79.221.19" + ], + "related.user": [ + "jsmith" + ], + "server.ip": "182.79.221.19", + "server.port": 443, + "service.type": "sophos", + "sophos.xg.category": "Entertainment", + "sophos.xg.category_type": "Unproductive", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.fw_rule_id": "2", + "sophos.xg.iap": "1", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16001", + "sophos.xg.priority": "Information", + "source.ip": "10.198.47.71", + "source.port": 9444, + "source.user.group.name": "Open Group", + "source.user.name": "jsmith", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "r8---sn-ci5gup-qxas.googlevideo.com", + "url.full": "https://r8---sn-ci5gup-qxas.googlevideo.com/" + }, + { + "@timestamp": "2017-02-01T18:20:21.000-02:00", + "client.ip": "5.5.5.15", + "client.port": 46719, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "216.58.197.44", + "destination.port": 80, + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "050902616002", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-02-01 time=18:20:21 timezone=\"IST\" device_name=\"SG115\" device_id=S110000E28BA631 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" iap=13 category=\"Religion & Spirituality\" category_type=\"Unproductive\" url=\"http://hanuman.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=5.5.5.15 dst_ip=216.58.197.44 protocol=\"TCP\" src_port=46719 dst_port=80 sent_bytes=0 recv_bytes=0 domain=hanuman.com exceptions= activityname=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 654, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "S110000E28BA631", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "5.5.5.15", + "216.58.197.44" + ], + "server.ip": "216.58.197.44", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.category": "Religion & Spirituality", + "sophos.xg.category_type": "Unproductive", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG115", + "sophos.xg.fw_rule_id": "1", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16002", + "sophos.xg.priority": "Information", + "source.as.number": 6805, + "source.as.organization.name": "Telefonica Germany", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "5.5.5.15", + "source.port": 46719, + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "hanuman.com", + "url.full": "http://hanuman.com/" + }, + { + "@timestamp": "2017-02-01T18:13:29.000-02:00", + "client.ip": "5.5.5.15", + "client.port": 49128, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "74.125.130.188", + "destination.port": 5228, + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "054402617051", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-02-01 time=18:13:29 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=054402617051 log_type=\"Content Filtering\" log_component=\"Application\" log_subtype=\"Denied\" priority=Information fw_rule_id=1 user_name=\"\" user_gp=\"\" application_filter_policy=8 category=\"Mobile Applications\" application_name=\"Gtalk Android\" application_risk=4 application_technology=\"Client Server\" application_category=\"Mobile Applications\" src_ip=5.5.5.15 src_country_code=DEU dst_ip=74.125.130.188 dst_country_code=USA protocol=\"TCP\" src_port=49128 dst_port=5228 sent_bytes=0 recv_bytes=0 status=\"Deny\" message=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 1224, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "S110016E28BA631", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "5.5.5.15", + "74.125.130.188" + ], + "server.ip": "74.125.130.188", + "server.port": 5228, + "service.type": "sophos", + "sophos.xg.application_category": "Mobile Applications", + "sophos.xg.application_filter_policy": "8", + "sophos.xg.application_name": "Gtalk Android", + "sophos.xg.application_risk": "4", + "sophos.xg.application_technology": "Client Server", + "sophos.xg.category": "Mobile Applications", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG115", + "sophos.xg.dst_country_code": "USA", + "sophos.xg.fw_rule_id": "1", + "sophos.xg.log_component": "Application", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "17051", + "sophos.xg.priority": "Information", + "sophos.xg.src_country_code": "DEU", + "sophos.xg.status": "Deny", + "source.as.number": 6805, + "source.as.organization.name": "Telefonica Germany", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 51.2993, + "source.geo.location.lon": 9.491, + "source.ip": "5.5.5.15", + "source.port": 49128, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:51.000-02:00", + "client.ip": "172.17.34.10", + "client.port": 62851, + "destination.as.number": 8075, + "destination.as.organization.name": "Microsoft Corporation", + "destination.geo.city_name": "Dublin", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IE", + "destination.geo.location.lat": 53.3338, + "destination.geo.location.lon": -6.2488, + "destination.geo.region_iso_code": "IE-L", + "destination.geo.region_name": "Leinster", + "destination.ip": "13.79.168.201", + "destination.port": 443, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "050901616001", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:51 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.10 dst_ip=13.79.168.201 protocol=\"TCP\" src_port=62851 dst_port=443 sent_bytes=259 recv_bytes=168 domain=his-eur1-neur1.servicebus.windows.net exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"400\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=80042000 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "http.response.status_code": "400", + "input.type": "log", + "log.level": "informational", + "log.offset": 1857, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.34.10", + "13.79.168.201" + ], + "server.ip": "13.79.168.201", + "server.port": 443, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.category": "Information Technology", + "sophos.xg.category_type": "Acceptable", + "sophos.xg.con_id": "80042000", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.fw_rule_id": "2", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16001", + "sophos.xg.priority": "Information", + "source.ip": "172.17.34.10", + "source.port": 62851, + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "his-eur1-neur1.servicebus.windows.net", + "url.full": "https://his-eur1-neur1.servicebus.windows.net/$servicebus/websocket" + }, + { + "@timestamp": "2020-05-18T14:38:52.000-02:00", + "client.ip": "172.16.34.15", + "client.port": 60471, + "destination.as.number": 8075, + "destination.as.organization.name": "Microsoft Corporation", + "destination.geo.city_name": "Washington", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 38.7095, + "destination.geo.location.lon": -78.1539, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "40.90.137.127", + "destination.port": 443, + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "050902616002", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:52 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=050902616002 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Denied\" status=\"\" priority=Information fw_rule_id=51 user_name=\"\" user_gp=\"\" iap=2 category=\"IPAddress\" category_type=\"Acceptable\" url=\"https://40.90.137.127/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.16.34.15 dst_ip=40.90.137.127 protocol=\"TCP\" src_port=60471 dst_port=443 sent_bytes=0 recv_bytes=0 domain=40.90.137.127 exceptions=\"\" activityname=\"\" reason=\"\" user_agent=\"\" status_code=\"200\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=642960832 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "http.response.status_code": "200", + "input.type": "log", + "log.level": "informational", + "log.offset": 2752, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.34.15", + "40.90.137.127" + ], + "server.ip": "40.90.137.127", + "server.port": 443, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.category": "IPAddress", + "sophos.xg.category_type": "Acceptable", + "sophos.xg.con_id": "642960832", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.fw_rule_id": "51", + "sophos.xg.iap": "2", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16002", + "sophos.xg.priority": "Information", + "source.ip": "172.16.34.15", + "source.port": 60471, + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "40.90.137.127", + "url.full": "https://40.90.137.127/" + }, + { + "@timestamp": "2020-05-18T14:38:53.000-02:00", + "client.ip": "172.17.34.15", + "client.port": 65391, + "destination.as.number": 50881, + "destination.as.organization.name": "ESET, spol. s r.o.", + "destination.geo.city_name": "Bratislava", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SK", + "destination.geo.location.lat": 48.15, + "destination.geo.location.lon": 17.1078, + "destination.geo.region_iso_code": "SK-BL", + "destination.geo.region_name": "Bratislava", + "destination.ip": "91.228.167.133", + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "050901616001", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=050901616001 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"\" user_gp=\"\" iap=13 category=\"Information Technology\" category_type=\"Acceptable\" url=\"http://update.eset.com/eset_upd/ep7/dll/update.ver.signed\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=172.17.34.15 dst_ip=91.228.167.133 protocol=\"TCP\" src_port=65391 dst_port=80 sent_bytes=980 recv_bytes=295 domain=update.eset.com exceptions=av,https,sandstorm activityname=\"\" reason=\"\" user_agent=\"EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; \" status_code=\"304\" transactionid=\"\" referer=\"\" download_file_name=\"\" download_file_type=\"\" upload_file_name=\"\" upload_file_type=\"\" con_id=248426360 application=\"\" app_is_cloud=0 override_name=\"\" override_authorizer=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "http.response.status_code": "304", + "input.type": "log", + "log.level": "informational", + "log.offset": 3561, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.34.15", + "91.228.167.133" + ], + "server.ip": "91.228.167.133", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.category": "Information Technology", + "sophos.xg.category_type": "Acceptable", + "sophos.xg.con_id": "248426360", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.exceptions": "av,https,sandstorm", + "sophos.xg.fw_rule_id": "2", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16001", + "sophos.xg.priority": "Information", + "source.ip": "172.17.34.15", + "source.port": 65391, + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "update.eset.com", + "url.full": "http://update.eset.com/eset_upd/ep7/dll/update.ver.signed", + "user_agent.original": "EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " + }, + { + "@timestamp": "2016-12-02T18:50:20.000-02:00", + "client.ip": "10.108.108.49", + "event.action": "alert", + "event.category": [ + "network" + ], + "event.code": "058420116010", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SF01V\" device_id=1234567890123456 log_id=058420116010 log_type=\"Content Filtering\" log_component=\"Web Content Policy\" log_subtype=\"Alert\" user=\"gi123456\" src_ip=10.108.108.49 transaction_id=\"e4a127f7-a850-477c-920e-a471b38727c1\" dictionary_name=\"complicated_Custom\" site_category=Information Technology website=\"ta-web-static-testing.qa. astaro.de\" direction=\"in\" action=\"Deny\" file_name=\"cgi_echo.pl\" context_match=\"Not\" context_prefix=\"blah blah hello \" context_suffix=\" hello blah \"", + "event.outcome": "success", + "event.severity": "1", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "alert", + "log.offset": 4696, + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.108.108.49" + ], + "service.type": "sophos", + "sophos.xg.action": "Deny", + "sophos.xg.context_match": "Not", + "sophos.xg.context_prefix": "blah blah hello ", + "sophos.xg.context_suffix": " hello blah ", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SF01V", + "sophos.xg.dictionary_name": "complicated_Custom", + "sophos.xg.direction": "in", + "sophos.xg.file_name": "cgi_echo.pl", + "sophos.xg.log_component": "Web Content Policy", + "sophos.xg.log_subtype": "Alert", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16010", + "sophos.xg.site_category": "Information Technology", + "sophos.xg.transaction_id": "e4a127f7-a850-477c-920e-a471b38727c1", + "sophos.xg.user": "gi123456", + "sophos.xg.website": "ta-web-static-testing.qa. astaro.de", + "source.ip": "10.108.108.49", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-02T18:50:20.000-02:00", + "client.ip": "192.168.73.220", + "client.port": 37832, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "64.233.189.147", + "destination.port": 80, + "event.action": "warned", + "event.category": [ + "network" + ], + "event.code": "050927616005", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:20 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050927616005 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Warned\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.com/\" contenttype=\"\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.189.147 protocol=\"TCP\" src_port=37832 dst_port=80 sent_bytes=0 recv_bytes=0 domain=www.google.com exceptions= activityname=\" Search\" reason=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 5258, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "C01001K234RXPA1", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "192.168.73.220", + "64.233.189.147" + ], + "related.user": [ + "rich" + ], + "server.ip": "64.233.189.147", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.activityname": " Search", + "sophos.xg.category": "Search Engines", + "sophos.xg.category_type": "Acceptable", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SFVUNL", + "sophos.xg.fw_rule_id": "2", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Warned", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16005", + "sophos.xg.priority": "Information", + "source.ip": "192.168.73.220", + "source.port": 37832, + "source.user.group.name": "Clientless Open Group", + "source.user.name": "rich", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "www.google.com", + "url.full": "http://www.google.com/" + }, + { + "@timestamp": "2016-12-02T18:50:22.000-02:00", + "client.ip": "192.168.73.220", + "client.port": 46322, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "64.233.188.94", + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "050901616006", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2016-12-02 time=18:50:22 timezone=\"GMT\" device_name=\"SFVUNL\" device_id=C01001K234RXPA1 log_id=050901616006 log_type=\"Content Filtering\" log_component=\"HTTP\" log_subtype=\"Allowed\" status=\"\" priority=Information fw_rule_id=2 user_name=\"rich\" user_gp=\"Clientless Open Group\" iap=13 category=\"Search Engines\" category_type=\"Acceptable\" url=\"http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw\" contenttype=\"text/html\" override_token=\"\" httpresponsecode=\"\" src_ip=192.168.73.220 dst_ip=64.233.188.94 protocol=\"TCP\" src_port=46322 dst_port=80 sent_bytes=0 recv_bytes=619 domain=www.google.ca exceptions= activityname=\"Search\" reason=\"not eligible\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 5873, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "C01001K234RXPA1", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "192.168.73.220", + "64.233.188.94" + ], + "related.user": [ + "rich" + ], + "server.ip": "64.233.188.94", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.activityname": "Search", + "sophos.xg.category": "Search Engines", + "sophos.xg.category_type": "Acceptable", + "sophos.xg.contenttype": "text/html", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SFVUNL", + "sophos.xg.fw_rule_id": "2", + "sophos.xg.iap": "13", + "sophos.xg.log_component": "HTTP", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Content Filtering", + "sophos.xg.message_id": "16006", + "sophos.xg.priority": "Information", + "sophos.xg.reason": "not eligible", + "source.ip": "192.168.73.220", + "source.port": 46322, + "source.user.group.name": "Clientless Open Group", + "source.user.name": "rich", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.domain": "www.google.ca", + "url.full": "http://www.google.ca/?gfe_rd=cr&ei=ojxHWP3WC4WN8QeRioDABw" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/event.log b/x-pack/filebeat/module/sophos/xg/test/event.log new file mode 100644 index 00000000000..d345122ad5a --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/event.log @@ -0,0 +1,20 @@ +<30>device="SFW" date=2020-05-18 time=14:38:57 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062910617701 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="Open Group" auth_client="CTA" auth_mechanism="AD" reason="" src_ip=172.17.35.116 message="User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116" name="elastic.user@elastic.test.com" src_mac= +<30>device="SFW" date=2020-05-18 time=14:38:58 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511418055 log_type="Event" log_component="IPSec" log_subtype="System" status="Failed" priority=Warning user_name="elastic.user@elastic.test.com" connectionname="Location-1" connectiontype="0" localinterfaceip=214.167.51.66 localgateway="" localnetwork="172.17.32.0/19" remoteinterfaceip=83.20.132.250 remotenetwork="10.84.234.5/32" message="location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)" +<30>device="SFW" date=2020-05-18 time=14:38:59 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062511318057 log_type="Event" log_component="IPSec" log_subtype="System" status="Expire" priority=Error user_name="" connectionname="" connectiontype="0" localinterfaceip="" localgateway="" localnetwork="" remoteinterfaceip="" remotenetwork="" message="IKE_SA timed out before it could be established" +<30>device="SFW" date=2020-05-18 time=14:39:00 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063210617704 log_type="Event" log_component="My Account Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="Local" reason="" src_ip=83.9.140.96 message="User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism" name="" src_mac= +<30>device="SFW" date=2020-05-18 time=14:39:01 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=064011517819 log_type="Event" log_component="Anti-Virus" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.407794 newversion=1.0.407795 message="Avira AV definitions upgraded from 1.0.407794 to 1.0.407795." +<30>device="SFW" date=2020-05-18 time=14:39:02 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=063411660022 log_type="Event" log_component="DHCP Server" log_subtype="System" status="Expire" priority=Information ipaddress="192.168.110.10" client_physical_address="-" client_host_name="" message="Lease 192.168.110.10 expired" raw_data="192.168.110.10" +<30>device="SFW" date=2020-05-18 time=14:39:03 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063110617710 log_type="Event" log_component="SSL VPN Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="" auth_client="N/A" auth_mechanism="AD" reason="" src_ip=217.250.157.135 message="User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism" name="" src_mac= +<30>device="SFW" date=2020-05-18 time=14:39:04 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062811617824 log_type="Event" log_component="SSL VPN" log_subtype="System" priority=Information Mode="Remote Access" sessionid="" starttime=0 user_name="elastic.user@elastic.test.com" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status="Established" message="SSL VPN User 'elastic.user@elastic.test.com' connected " timestamp=1589960866 connectionname="" remote_ip=10.82.234.12 +<30>device="SFW" date=2020-05-18 time=14:39:05 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063010517708 log_type="Event" log_component="VPN Authentication" log_subtype="Authentication" status="Failed" priority=Notice user_name="hendrikl" usergroupname="" auth_client="N/A" auth_mechanism="AD,AD,Local" reason="wrong credentials" src_ip=91.67.201.4 message="User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials" name="" src_mac= +<30>device="SFW" date=2020-05-18 time=14:39:06 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=066911518017 log_type="Event" log_component="ATP" log_subtype="System" priority=Notice status="Successful" oldversion=1.0.0297 newversion=1.0.0298 message="ATP definitions upgraded from 1.0.0297 to 1.0.0298." +<30>device="SFW" date=2020-05-18 time=14:39:07 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062009617502 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" priority=Information user_name="admin" src_ip=10.83.234.5 SysLog_SERVER_NAME='Logstash' message="SysLog Server 'Logstash' settings were changed by 'admin' from '10.83.234.5' using 'GUI'" +<30>device="SFW" date=2020-05-18 time=14:39:08 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=062109517507 log_type="Event" log_component="CLI" log_subtype="Admin" status="Failed" priority=Notice user_name="root" src_ip=172.66.35.15 message="User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials" +<30>device="SFW" date=2020-05-18 time=14:39:09 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063911517818 log_type="Event" log_component="IPS" log_subtype="System" priority=Notice status="Successful" oldversion=9.17.09 newversion=9.17.10 message="IPS definitions upgraded from 9.17.09 to 9.17.10." +<30>device="SFW" date=2020-05-18 time=14:39:10 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=063311617923 log_type="Event" log_component="Appliance" log_subtype="System" priority=Information backup_mode='appliance' message="Scheduled backup to appliance is successful." +<30>device="SFW" date=2020-05-18 time=14:39:20 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=062910617703 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="elastic.user@elastic.test.com" usergroupname="VPN.SSL.Users.elastic" auth_client="IPSec" auth_mechanism="N/A" reason="" src_ip=10.84.234.38 src_mac="" start_time=1591086575 sent_bytes=0 recv_bytes=0 message="User elastic.user@elastic.test.com was logged out of firewall" name="elastic.user@elastic.test.com" timestamp=1591086576 +<30>device="SFW" date=2017-03-16 time=12:56:01 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618014 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Connected" eventtime="2017-03-16 12:56:01 IST" duration=164000 branch_name=Gaurav Patel recv_bytes=0 sent_bytes=0 message="A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms" +<30>device="SFW" date=2017-03-16 time=12:53:27 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618015 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Disconnected" eventtime="2017-03-16 12:53:27 IST" duration=0 branch_name=Gaurav Patel recv_bytes=31488 sent_bytes=22368 message="A350196C47072B0/Gaurav Patel is now disconnected" +<30>device="SFW" date=2017-03-16 time=12:46:26 timezone="IST" device_name="XG125w" device_id=S1601E1F9FCB7EE log_id=066811618016 log_type="Event" log_component="RED" log_subtype="System" priority=Information red_id=A350196C47072B0 status="Interim" eventtime="2017-03-16 12:46:26 IST" duration=0 branch_name=NY recv_bytes=0 sent_bytes=0 message="A350196C47072B0/NY transfered bytes TX: 0 RX: 0" +<30>device="SFW" date=2018-06-06 time=11:12:10 timezone="IST" device_name="SG430" device_id=S4000806149EE49 log_id=063711517815 log_type="Event" log_component="DDNS" log_subtype="System" status="Success" priority=Notice host=test1. customtest.dyndns.org updatedip=10.198.232.86 reason="" message="DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86." + diff --git a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json new file mode 100644 index 00000000000..d14c2bb9924 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json @@ -0,0 +1,697 @@ +[ + { + "@timestamp": "2020-05-18T14:38:57.000-02:00", + "client.ip": "172.17.35.116", + "event.category": [ + "authentication" + ], + "event.code": "062910617701", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:57 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062910617701 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"Open Group\" auth_client=\"CTA\" auth_mechanism=\"AD\" reason=\"\" src_ip=172.17.35.116 message=\"User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116\" name=\"elastic.user@elastic.test.com\" src_mac=", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "start" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "message": "User elastic.user@elastic.test.com of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.17.35.116", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.35.116" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "service.type": "sophos", + "sophos.xg.auth_client": "CTA", + "sophos.xg.auth_mechanism": "AD", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "Firewall Authentication", + "sophos.xg.log_subtype": "Authentication", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17701", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Successful", + "source.ip": "172.17.35.116", + "source.user.group.name": "Open Group", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:58.000-02:00", + "client.ip": "83.20.132.250", + "destination.as.number": 721, + "destination.as.organization.name": "DoD Network Information Center", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "214.167.51.66", + "event.code": "062511418055", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:58 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511418055 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Failed\" priority=Warning user_name=\"elastic.user@elastic.test.com\" connectionname=\"Location-1\" connectiontype=\"0\" localinterfaceip=214.167.51.66 localgateway=\"\" localnetwork=\"172.17.32.0/19\" remoteinterfaceip=83.20.132.250 remotenetwork=\"10.84.234.5/32\" message=\"location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)\"", + "event.severity": "4", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "warning", + "log.offset": 597, + "message": "location-1 - IKE message retransmission timed out (Remote: 83.20.132.250)", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "83.20.132.250", + "214.167.51.66" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "server.ip": "214.167.51.66", + "service.type": "sophos", + "sophos.xg.connectionname": "Location-1", + "sophos.xg.connectiontype": "0", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.localnetwork": "172.17.32.0/19", + "sophos.xg.log_component": "IPSec", + "sophos.xg.log_subtype": "System", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "18055", + "sophos.xg.priority": "Warning", + "sophos.xg.remotenetwork": "10.84.234.5/32", + "sophos.xg.status": "Failed", + "source.as.number": 5617, + "source.as.organization.name": "Orange Polska Spolka Akcyjna", + "source.geo.city_name": "Elblag", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 54.172, + "source.geo.location.lon": 19.4195, + "source.geo.region_iso_code": "PL-28", + "source.geo.region_name": "Warmia-Masuria", + "source.ip": "83.20.132.250", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:59.000-02:00", + "event.code": "062511318057", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:59 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062511318057 log_type=\"Event\" log_component=\"IPSec\" log_subtype=\"System\" status=\"Expire\" priority=Error user_name=\"\" connectionname=\"\" connectiontype=\"0\" localinterfaceip=\"\" localgateway=\"\" localnetwork=\"\" remoteinterfaceip=\"\" remotenetwork=\"\" message=\"IKE_SA timed out before it could be established\"", + "event.severity": "3", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "error", + "log.offset": 1134, + "message": "IKE_SA timed out before it could be established", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.connectiontype": "0", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "IPSec", + "sophos.xg.log_subtype": "System", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "18057", + "sophos.xg.priority": "Error", + "sophos.xg.status": "Expire", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:00.000-02:00", + "client.ip": "83.9.140.96", + "event.category": [ + "authentication" + ], + "event.code": "063210617704", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:00 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063210617704 log_type=\"Event\" log_component=\"My Account Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"Local\" reason=\"\" src_ip=83.9.140.96 message=\"User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism\" name=\"\" src_mac=", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "start" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 1554, + "message": "User elastic.user@elastic.test.com logged in successfully to MyAccount through Local authentication mechanism", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "83.9.140.96" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "service.type": "sophos", + "sophos.xg.auth_mechanism": "Local", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "My Account Authentication", + "sophos.xg.log_subtype": "Authentication", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17704", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Successful", + "source.as.number": 5617, + "source.as.organization.name": "Orange Polska Spolka Akcyjna", + "source.geo.city_name": "August\u00f3w", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 53.845, + "source.geo.location.lon": 22.985, + "source.geo.region_iso_code": "PL-20", + "source.geo.region_name": "Podlasie", + "source.ip": "83.9.140.96", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:01.000-02:00", + "event.category": [ + "host", + "malware" + ], + "event.code": "064011517819", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:01 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=064011517819 log_type=\"Event\" log_component=\"Anti-Virus\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.407794 newversion=1.0.407795 message=\"Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.\"", + "event.severity": "5", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 2080, + "message": "Avira AV definitions upgraded from 1.0.407794 to 1.0.407795.", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "Anti-Virus", + "sophos.xg.log_subtype": "System", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17819", + "sophos.xg.newversion": "1.0.407795 ", + "sophos.xg.oldversion": "1.0.407794", + "sophos.xg.priority": "Notice", + "sophos.xg.status": "Successful", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:02.000-02:00", + "event.code": "063411660022", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:02 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=063411660022 log_type=\"Event\" log_component=\"DHCP Server\" log_subtype=\"System\" status=\"Expire\" priority=Information ipaddress=\"192.168.110.10\" client_physical_address=\"-\" client_host_name=\"\" message=\"Lease 192.168.110.10 expired\" raw_data=\"192.168.110.10\"", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 2428, + "message": "Lease 192.168.110.10 expired", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.ipaddress": "192.168.110.10", + "sophos.xg.log_component": "DHCP Server", + "sophos.xg.log_subtype": "System", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "60022", + "sophos.xg.priority": "Information", + "sophos.xg.raw_data": "192.168.110.10", + "sophos.xg.status": "Expire", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:03.000-02:00", + "client.ip": "217.250.157.135", + "event.category": [ + "authentication" + ], + "event.code": "063110617710", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:03 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063110617710 log_type=\"Event\" log_component=\"SSL VPN Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD\" reason=\"\" src_ip=217.250.157.135 message=\"User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism\" name=\"\" src_mac=", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "start" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 2802, + "message": "User elastic.user@elastic.test.com authenticated successfully to login to SSLVPN through AD authentication mechanism", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "217.250.157.135" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "service.type": "sophos", + "sophos.xg.auth_mechanism": "AD", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "SSL VPN Authentication", + "sophos.xg.log_subtype": "Authentication", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17710", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Successful", + "source.as.number": 3320, + "source.as.organization.name": "Deutsche Telekom AG", + "source.geo.city_name": "Schleidweiler", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 49.8808, + "source.geo.location.lon": 6.6593, + "source.geo.region_iso_code": "DE-RP", + "source.geo.region_name": "Rheinland-Pfalz", + "source.ip": "217.250.157.135", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:04.000-02:00", + "client.bytes": 0, + "destination.bytes": 0, + "event.code": "062811617824", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:04 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062811617824 log_type=\"Event\" log_component=\"SSL VPN\" log_subtype=\"System\" priority=Information Mode=\"Remote Access\" sessionid=\"\" starttime=0 user_name=\"elastic.user@elastic.test.com\" ipaddress=10.82.234.5 sent_bytes=0 recv_bytes=0 status=\"Established\" message=\"SSL VPN User 'elastic.user@elastic.test.com' connected \" timestamp=1589960866 connectionname=\"\" remote_ip=10.82.234.12", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 3333, + "message": "SSL VPN User 'elastic.user@elastic.test.com' connected ", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.user": [ + "elastic.user@elastic.test.com" + ], + "server.bytes": 0, + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.ipaddress": "10.82.234.5", + "sophos.xg.log_component": "SSL VPN", + "sophos.xg.log_subtype": "System", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17824", + "sophos.xg.priority": "Information Mode=\"Remote Access", + "sophos.xg.remote_ip": "10.82.234.12", + "sophos.xg.starttime": "0", + "sophos.xg.status": "Established", + "sophos.xg.timestamp": "1589960866", + "source.bytes": 0, + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:05.000-02:00", + "client.ip": "91.67.201.4", + "event.category": [ + "authentication" + ], + "event.code": "063010517708", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:05 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063010517708 log_type=\"Event\" log_component=\"VPN Authentication\" log_subtype=\"Authentication\" status=\"Failed\" priority=Notice user_name=\"hendrikl\" usergroupname=\"\" auth_client=\"N/A\" auth_mechanism=\"AD,AD,Local\" reason=\"wrong credentials\" src_ip=91.67.201.4 message=\"User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials\" name=\"\" src_mac=", + "event.outcome": "failure", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 3832, + "message": "User elastic01 failed to login to VPN through AD,AD,Local authentication mechanism because of wrong credentials", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "91.67.201.4" + ], + "related.user": [ + "hendrikl" + ], + "service.type": "sophos", + "sophos.xg.auth_mechanism": "AD,AD,Local", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "VPN Authentication", + "sophos.xg.log_subtype": "Authentication", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17708", + "sophos.xg.priority": "Notice", + "sophos.xg.reason": "wrong credentials", + "sophos.xg.status": "Failed", + "source.as.number": 31334, + "source.as.organization.name": "Vodafone Kabel Deutschland GmbH", + "source.geo.city_name": "Fell", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "DE", + "source.geo.location.lat": 49.7667, + "source.geo.location.lon": 6.7833, + "source.geo.region_iso_code": "DE-RP", + "source.geo.region_name": "Rheinland-Pfalz", + "source.ip": "91.67.201.4", + "source.user.name": "hendrikl", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:06.000-02:00", + "event.code": "066911518017", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:06 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=066911518017 log_type=\"Event\" log_component=\"ATP\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=1.0.0297 newversion=1.0.0298 message=\"ATP definitions upgraded from 1.0.0297 to 1.0.0298.\"", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 4346, + "message": "ATP definitions upgraded from 1.0.0297 to 1.0.0298.", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "ATP", + "sophos.xg.log_subtype": "System", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "18017", + "sophos.xg.newversion": "1.0.0298 ", + "sophos.xg.oldversion": "1.0.0297", + "sophos.xg.priority": "Notice", + "sophos.xg.status": "Successful", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:08.000-02:00", + "client.ip": "172.66.35.15", + "event.code": "062109517507", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:08 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=062109517507 log_type=\"Event\" log_component=\"CLI\" log_subtype=\"Admin\" status=\"Failed\" priority=Notice user_name=\"root\" src_ip=172.66.35.15 message=\"User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials\"", + "event.outcome": "failure", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 5069, + "message": "User 'root' failed to login from '172.66.35.15' using ssh because of wrong credentials", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.66.35.15" + ], + "related.user": [ + "root" + ], + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "CLI", + "sophos.xg.log_subtype": "Admin", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17507", + "sophos.xg.priority": "Notice", + "sophos.xg.status": "Failed", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "172.66.35.15", + "source.user.name": "root", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:09.000-02:00", + "event.code": "063911517818", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:09 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063911517818 log_type=\"Event\" log_component=\"IPS\" log_subtype=\"System\" priority=Notice status=\"Successful\" oldversion=9.17.09 newversion=9.17.10 message=\"IPS definitions upgraded from 9.17.09 to 9.17.10.\"", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "notification", + "log.offset": 5423, + "message": "IPS definitions upgraded from 9.17.09 to 9.17.10.", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "IPS", + "sophos.xg.log_subtype": "System", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17818", + "sophos.xg.newversion": "9.17.10 ", + "sophos.xg.oldversion": "9.17.09", + "sophos.xg.priority": "Notice", + "sophos.xg.status": "Successful", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:10.000-02:00", + "event.code": "063311617923", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:10 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=063311617923 log_type=\"Event\" log_component=\"Appliance\" log_subtype=\"System\" priority=Information backup_mode='appliance' message=\"Scheduled backup to appliance is successful.\"", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 5747, + "message": "Scheduled backup to appliance is successful.", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.backup_mode": "'appliance' ", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "Appliance", + "sophos.xg.log_subtype": "System", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17923", + "sophos.xg.priority": "Information", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:39:20.000-02:00", + "client.bytes": 0, + "client.ip": "10.84.234.38", + "destination.bytes": 0, + "event.category": [ + "network", + "authentication" + ], + "event.code": "062910617703", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:39:20 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=062910617703 log_type=\"Event\" log_component=\"Firewall Authentication\" log_subtype=\"Authentication\" status=\"Successful\" priority=Information user_name=\"elastic.user@elastic.test.com\" usergroupname=\"VPN.SSL.Users.elastic\" auth_client=\"IPSec\" auth_mechanism=\"N/A\" reason=\"\" src_ip=10.84.234.38 src_mac=\"\" start_time=1591086575 sent_bytes=0 recv_bytes=0 message=\"User elastic.user@elastic.test.com was logged out of firewall\" name=\"elastic.user@elastic.test.com\" timestamp=1591086576", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "user", + "end", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 6045, + "message": "User elastic.user@elastic.test.com was logged out of firewall", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.84.234.38" + ], + "related.user": [ + "elastic.user@elastic.test.com" + ], + "server.bytes": 0, + "service.type": "sophos", + "sophos.xg.auth_client": "IPSec", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.log_component": "Firewall Authentication", + "sophos.xg.log_subtype": "Authentication", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17703", + "sophos.xg.priority": "Information", + "sophos.xg.start_time": "1591086575", + "sophos.xg.status": "Successful", + "sophos.xg.timestamp": "1591086576", + "source.bytes": 0, + "source.ip": "10.84.234.38", + "source.user.group.name": "VPN.SSL.Users.elastic", + "source.user.name": "elastic.user@elastic.test.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-06T11:12:10.000-02:00", + "event.code": "063711517815", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-06 time=11:12:10 timezone=\"IST\" device_name=\"SG430\" device_id=S4000806149EE49 log_id=063711517815 log_type=\"Event\" log_component=\"DDNS\" log_subtype=\"System\" status=\"Success\" priority=Notice host=test1. customtest.dyndns.org updatedip=10.198.232.86 reason=\"\" message=\"DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.\"", + "event.severity": "5", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "notification", + "log.offset": 7886, + "message": "DDNS update for host test1.customtest.dyndns.org was Successful. Updated with IP 10.198.232.86.", + "observer.product": "XG", + "observer.serial_number": "S4000806149EE49", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG430", + "sophos.xg.host": "test1. customtest.dyndns.org", + "sophos.xg.log_component": "DDNS", + "sophos.xg.log_subtype": "System", + "sophos.xg.log_type": "Event", + "sophos.xg.message_id": "17815", + "sophos.xg.priority": "Notice", + "sophos.xg.status": "Success", + "sophos.xg.updatedip": "10.198.232.86", + "tags": [ + "sophos-xg", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log b/x-pack/filebeat/module/sophos/xg/test/firewall.log new file mode 100644 index 00000000000..5308affaf8e --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log @@ -0,0 +1,21 @@ +<30>device="SFW" date=2020-05-18 time=14:38:37 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="HTTP" application_risk=1 application_technology="Browser Based" application_category="General Internet" in_interface="Port1" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol="TCP" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="1617925280" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:38 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=15 appfilter_policy_id=0 application="DNS" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="Port3.400" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol="UDP" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="DMZ" srczone="DMZ" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="3360392048" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:39 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code="" dst_ip=172.20.4.52 dst_country_code="" protocol="TCP" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:40 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="Port1" src_mac="" src_ip=10.82.234.6 src_country_code="" dst_ip=192.168.0.1 dst_country_code="" protocol="TCP" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:41 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2" out_interface="" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code="" dst_ip=185.7.209.207 dst_country_code="" protocol="TCP" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:42 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name="elastic@user.local" user_gp="elastic.group.local" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="Port2" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code="" dst_ip=192.168.5.11 dst_country_code="" protocol="TCP" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:43 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code="" dst_ip=10.84.234.14 dst_country_code="" protocol="UDP" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:44 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=012802605201 log_type="Firewall" log_component="SSL VPN" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="tun0" out_interface="" src_mac="" src_ip=10.82.234.9 src_country_code="" dst_ip=10.82.234.11 dst_country_code="" protocol="TCP" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name="elastic@user.local" user_gp="elastic.group.local" iap=0 ips_policy_id=11 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port2" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol="TCP" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="VPN" srczone="VPN" dstzonetype="VPN" dstzone="VPN" dir_disp="" connevent="Start" connid="1615935064" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-05-18 time=14:38:45 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=018201500005 log_type="Firewall" log_component="ICMP ERROR MESSAGE" log_subtype="Allowed" status="Allow" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code="" dst_ip=172.17.32.19 dst_country_code="" protocol="ICMP" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip="" tran_src_port=0 tran_dst_ip="" tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connevent="Interim" connid="2685668438" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2020-06-05 time=12:38:53 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=17 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="ipsec0" out_interface="Port1" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol="TCP" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype="VPN" srczone="VPN" dstzonetype="LAN" dstzone="LAN" dir_disp="" connevent="Stop" connid="1617126256" vconnid="" hb_health="NoHeartbeat" message="" appresolvedby="Signature" app_is_cloud=0" +<30>device="SFW" date=2018-05-30 time=13:26:37 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010202601001 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol="UDP" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="Invalid UDP destination." appresolvedby=" Signature" +<30>device="SFW" date=2018-06-04 time=17:20:24 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011402601301 log_type="Firewall" log_component="Fragmented Traffic" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol="0" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-05-30 time=14:01:32 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010302602002 log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.611" out_interface="" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol="UDP" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-05-30 time=14:17:17 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010402403001 log_type="Firewall" log_component="DoS Attack" log_subtype="Denied" status="Deny" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port1" out_interface="" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol="TCP" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" +<30>device="SFW" date=2018-06-05 time=14:30:31 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010502604001 log_type="Firewall" log_component="ICMP Redirection" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol="ICMP" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby=" Signature" +<30>device="SFW" date=2018-05-31 time=17:05:14 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=010602605001 log_type="Firewall" log_component="Source Routed" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="" out_interface="" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol="TCP" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-05-30 time=15:09:51 timezone="IST" device_name="XG125w" device_id=SFDemo-763180a log_id=011702605051 log_type="Firewall" log_component="MAC Filter" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name="" user_gp="" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port2.531" out_interface="" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol="UDP" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature" +<30>device="SFW" date=2018-06-01 time=10:57:55 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600006 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0 +<30>device="SFW" date=2018-06-01 time=10:55:41 timezone="BST" device_name="XG310" device_id=SFDemo-9a04c43 log_id=016602600003 log_type="Firewall" log_component="Heartbeat" log_subtype="Denied" status="Deny" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name="" user_gp="" iap=2 ips_policy_id=0 appfilter_policy_id=0 application="" application_risk=0 application_technology="" application_category="" in_interface="Port3.611" out_interface="" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol="ICMP" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" dstzonetype="" dstzone="" dir_disp="" connid="" vconnid="" hb_health="Red" message="" appresolvedby="Signature" app_is_cloud=0 + diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json new file mode 100644 index 00000000000..d392790d795 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json @@ -0,0 +1,1768 @@ +[ + { + "@timestamp": "2020-05-18T14:38:37.000-02:00", + "client.bytes": 459, + "client.ip": "172.17.34.15", + "client.mac": "00:00:00:00:00:00", + "client.nat.port": 0, + "client.packets": 6, + "client.port": 62841, + "destination.as.number": 50881, + "destination.as.organization.name": "ESET, spol. s r.o.", + "destination.bytes": 606, + "destination.geo.city_name": "Bratislava", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SK", + "destination.geo.location.lat": 48.15, + "destination.geo.location.lon": 17.1078, + "destination.geo.region_iso_code": "SK-BL", + "destination.geo.region_name": "Bratislava", + "destination.ip": "91.228.167.86", + "destination.nat.port": 0, + "destination.packets": 5, + "destination.port": 80, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "010101600001", + "event.dataset": "sophos.xg", + "event.duration": 11000000000, + "event.end": "2020-05-18T14:38:48.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:37 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=11 fw_rule_id=21 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"HTTP\" application_risk=1 application_technology=\"Browser Based\" application_category=\"General Internet\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.17.34.15 src_country_code=R1 dst_ip=91.228.167.86 dst_country_code=SVK protocol=\"TCP\" src_port=62841 dst_port=80 sent_pkts=6 recv_pkts=5 sent_bytes=459 recv_bytes=606 tran_src_ip=213.167.51.66 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"LAN\" srczone=\"LAN\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617925280\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T14:38:37.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "network.bytes": 1065, + "network.direction": "outbound", + "network.packets": 11, + "network.protocol": "http", + "network.transport": "tcp", + "observer.egress.interface.name": "Port2", + "observer.egress.zone": "WAN", + "observer.ingress.interface.name": "Port1", + "observer.ingress.zone": "LAN", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.34.15", + "91.228.167.86", + "213.167.51.66" + ], + "rule.id": "21", + "rule.ruleset": "1", + "server.bytes": 606, + "server.ip": "91.228.167.86", + "server.nat.port": 0, + "server.packets": 5, + "server.port": 80, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_category": "General Internet", + "sophos.xg.application_risk": "1", + "sophos.xg.application_technology": "Browser Based", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.connevent": "Stop", + "sophos.xg.connid": "1617925280", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "SVK", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Firewall Rule", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "00001", + "sophos.xg.priority": "Information", + "sophos.xg.src_country_code": "R1", + "sophos.xg.status": "Allow", + "source.as.number": 8905, + "source.as.organization.name": "Digit One LLC", + "source.bytes": 459, + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RU", + "source.geo.location.lat": 55.7386, + "source.geo.location.lon": 37.6068, + "source.ip": "172.17.34.15", + "source.mac": "00:00:00:00:00:00", + "source.nat.ip": "213.167.51.66", + "source.nat.port": 0, + "source.packets": 6, + "source.port": 62841, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:38.000-02:00", + "client.bytes": 0, + "client.ip": "172.16.66.155", + "client.mac": "00:00:00:00:00:00", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 49144, + "destination.as.number": 50881, + "destination.as.organization.name": "ESET, spol. s r.o.", + "destination.bytes": 0, + "destination.geo.city_name": "Bratislava", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "SK", + "destination.geo.location.lat": 48.15, + "destination.geo.location.lon": 17.1078, + "destination.geo.region_iso_code": "SK-BL", + "destination.geo.region_name": "Bratislava", + "destination.ip": "91.228.165.117", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 53, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "010101600001", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2020-05-18T14:38:38.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:38 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=67 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=15 appfilter_policy_id=0 application=\"DNS\" application_risk=1 application_technology=\"Network Protocol\" application_category=\"Infrastructure\" in_interface=\"Port3.400\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=172.16.66.155 src_country_code=R1 dst_ip=91.228.165.117 dst_country_code=SVK protocol=\"UDP\" src_port=49144 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=185.8.209.194 tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"DMZ\" srczone=\"DMZ\" dstzonetype=\"WAN\" dstzone=\"WAN\" dir_disp=\"\" connevent=\"Start\" connid=\"3360392048\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T14:38:38.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 986, + "network.bytes": 0, + "network.direction": "outbound", + "network.packets": 0, + "network.protocol": "dns", + "network.transport": "udp", + "observer.egress.interface.name": "Port2", + "observer.egress.zone": "WAN", + "observer.ingress.interface.name": "Port3.400", + "observer.ingress.zone": "DMZ", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.66.155", + "91.228.165.117", + "185.8.209.194" + ], + "rule.id": "67", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "91.228.165.117", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 53, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_category": "Infrastructure", + "sophos.xg.application_risk": "1", + "sophos.xg.application_technology": "Network Protocol", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.connevent": "Start", + "sophos.xg.connid": "3360392048", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "SVK", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "15", + "sophos.xg.log_component": "Firewall Rule", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "00001", + "sophos.xg.priority": "Information", + "sophos.xg.src_country_code": "R1", + "sophos.xg.status": "Allow", + "source.as.number": 199567, + "source.as.organization.name": "Fr. Sauter AG", + "source.bytes": 0, + "source.geo.city_name": "Saint-Prex", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "CH", + "source.geo.location.lat": 46.4796, + "source.geo.location.lon": 6.4599, + "source.geo.region_iso_code": "CH-VD", + "source.geo.region_name": "Vaud", + "source.ip": "172.16.66.155", + "source.mac": "00:00:00:00:00:00", + "source.nat.ip": "185.8.209.194", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 49144, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:39.000-02:00", + "client.bytes": 0, + "client.ip": "172.17.35.113", + "client.mac": "24:01:c7:07:2b:a2", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 53287, + "destination.bytes": 0, + "destination.ip": "172.20.4.52", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 4980, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010102600002", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2020-05-18T14:38:39.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:39 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.113 src_country_code=\"\" dst_ip=172.20.4.52 dst_country_code=\"\" protocol=\"TCP\" src_port=53287 dst_port=4980 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T14:38:39.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 1975, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.egress.interface.name": "Port2", + "observer.ingress.interface.name": "Port1", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.35.113", + "172.20.4.52" + ], + "rule.id": "29", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "172.20.4.52", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 4980, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "2", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Firewall Rule", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "00002", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "172.17.35.113", + "source.mac": "24:01:c7:07:2b:a2", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 53287, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:40.000-02:00", + "client.bytes": 0, + "client.ip": "10.82.234.6", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 60102, + "destination.bytes": 0, + "destination.ip": "192.168.0.1", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 53, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010102600002", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2020-05-18T14:38:40.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:40 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"Port1\" src_mac=\"\" src_ip=10.82.234.6 src_country_code=\"\" dst_ip=192.168.0.1 dst_country_code=\"\" protocol=\"TCP\" src_port=60102 dst_port=53 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T14:38:40.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 2871, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.egress.interface.name": "Port1", + "observer.ingress.interface.name": "tun0", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.82.234.6", + "192.168.0.1" + ], + "related.user": [ + "elastic@user.local" + ], + "rule.id": "29", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "192.168.0.1", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 53, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "2", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Firewall Rule", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "00002", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "10.82.234.6", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 60102, + "source.user.group.name": "elastic.group.local", + "source.user.name": "elastic@user.local", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:41.000-02:00", + "client.bytes": 0, + "client.ip": "51.77.56.9", + "client.mac": "c4:f7:d5:b5:47:f4", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 55039, + "destination.as.number": 42652, + "destination.as.organization.name": "inexio Informationstechnologie und Telekommunikation Gmbh", + "destination.bytes": 0, + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.location.lat": 51.2993, + "destination.geo.location.lon": 9.491, + "destination.ip": "185.7.209.207", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 18, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010302602002", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2020-05-18T14:38:41.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:41 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2\" out_interface=\"\" src_mac=c4:f7:d5:b5:47:f4 src_ip=51.77.56.9 src_country_code=\"\" dst_ip=185.7.209.207 dst_country_code=\"\" protocol=\"TCP\" src_port=55039 dst_port=18 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T14:38:41.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 3784, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.ingress.interface.name": "Port2", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "51.77.56.9", + "185.7.209.207" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "185.7.209.207", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 18, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Appliance Access", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "02002", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.as.number": 16276, + "source.as.organization.name": "OVH SAS", + "source.bytes": 0, + "source.geo.city_name": "Warsaw", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 52.25, + "source.geo.location.lon": 21.0, + "source.geo.region_iso_code": "PL-14", + "source.geo.region_name": "Mazovia", + "source.ip": "51.77.56.9", + "source.mac": "c4:f7:d5:b5:47:f4", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 55039, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:42.000-02:00", + "client.bytes": 0, + "client.ip": "172.17.35.101", + "client.mac": "24:01:c7:07:2b:a2", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 51826, + "destination.bytes": 0, + "destination.ip": "192.168.5.11", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 1109, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010102600002", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2020-05-18T14:38:42.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:42 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010102600002 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=29 policy_type=1 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"Port2\" src_mac=24:01:c7:07:2b:a2 src_ip=172.17.35.101 src_country_code=\"\" dst_ip=192.168.5.11 dst_country_code=\"\" protocol=\"TCP\" src_port=51826 dst_port=1109 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T14:38:42.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 4674, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.egress.interface.name": "Port2", + "observer.ingress.interface.name": "Port1", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.35.101", + "192.168.5.11" + ], + "related.user": [ + "elastic@user.local" + ], + "rule.id": "29", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "192.168.5.11", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 1109, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "2", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Firewall Rule", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "00002", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "172.17.35.101", + "source.mac": "24:01:c7:07:2b:a2", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 51826, + "source.user.group.name": "elastic.group.local", + "source.user.name": "elastic@user.local", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:43.000-02:00", + "client.bytes": 0, + "client.ip": "172.16.36.105", + "client.mac": "34:db:fd:83:d8:09", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 3389, + "destination.bytes": 0, + "destination.ip": "10.84.234.14", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 64465, + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "010402403001", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2020-05-18T14:38:43.000-02:00", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:43 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=172.16.36.105 src_country_code=\"\" dst_ip=10.84.234.14 dst_country_code=\"\" protocol=\"UDP\" src_port=3389 dst_port=64465 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "4", + "event.start": "2020-05-18T14:38:43.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 5608, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "udp", + "observer.ingress.interface.name": "Port1", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.16.36.105", + "10.84.234.14" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.84.234.14", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 64465, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "DoS Attack", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "03001", + "sophos.xg.priority": "Warning", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "172.16.36.105", + "source.mac": "34:db:fd:83:d8:09", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 3389, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:44.000-02:00", + "client.bytes": 0, + "client.ip": "10.82.234.9", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 58331, + "destination.bytes": 0, + "destination.ip": "10.82.234.11", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 56267, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "012802605201", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2020-05-18T14:38:44.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:44 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=012802605201 log_type=\"Firewall\" log_component=\"SSL VPN\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"tun0\" out_interface=\"\" src_mac=\"\" src_ip=10.82.234.9 src_country_code=\"\" dst_ip=10.82.234.11 dst_country_code=\"\" protocol=\"TCP\" src_port=58331 dst_port=56267 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T14:38:44.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 6492, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.ingress.interface.name": "tun0", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.82.234.9", + "10.82.234.11" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.82.234.11", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 56267, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "SSL VPN", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "05201", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "10.82.234.9", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 58331, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:45.000-02:00", + "client.bytes": 0, + "client.ip": "10.84.234.7", + "client.mac": "00:00:00:00:00:00", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 58543, + "destination.bytes": 0, + "destination.ip": "172.16.34.50", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 443, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "010101600001", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2020-05-18T14:38:45.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=0 fw_rule_id=61 policy_type=2 user_name=\"elastic@user.local\" user_gp=\"elastic.group.local\" iap=0 ips_policy_id=11 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port2\" src_mac=00:00:00:00:00:00 src_ip=10.84.234.7 src_country_code=R1 dst_ip=172.16.34.50 dst_country_code=R1 protocol=\"TCP\" src_port=58543 dst_port=443 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"VPN\" dstzone=\"VPN\" dir_disp=\"\" connevent=\"Start\" connid=\"1615935064\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-05-18T14:38:45.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "informational", + "log.offset": 7360, + "network.bytes": 0, + "network.direction": "internal", + "network.packets": 0, + "network.transport": "tcp", + "observer.egress.interface.name": "Port2", + "observer.egress.zone": "VPN", + "observer.ingress.interface.name": "ipsec0", + "observer.ingress.zone": "VPN", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.84.234.7", + "172.16.34.50" + ], + "related.user": [ + "elastic@user.local" + ], + "rule.id": "61", + "rule.ruleset": "2", + "server.bytes": 0, + "server.ip": "172.16.34.50", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 443, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.connevent": "Start", + "sophos.xg.connid": "1615935064", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "11", + "sophos.xg.log_component": "Firewall Rule", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "00001", + "sophos.xg.priority": "Information", + "sophos.xg.src_country_code": "R1", + "sophos.xg.status": "Allow", + "source.bytes": 0, + "source.ip": "10.84.234.7", + "source.mac": "00:00:00:00:00:00", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 58543, + "source.user.group.name": "elastic.group.local", + "source.user.name": "elastic@user.local", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:45.000-02:00", + "client.bytes": 0, + "client.ip": "192.168.1.254", + "client.mac": "34:db:fd:83:d8:09", + "client.nat.port": 0, + "client.packets": 0, + "destination.bytes": 0, + "destination.ip": "172.17.32.19", + "destination.nat.port": 0, + "destination.packets": 0, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "018201500005", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2020-05-18T14:38:45.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:45 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=018201500005 log_type=\"Firewall\" log_component=\"ICMP ERROR MESSAGE\" log_subtype=\"Allowed\" status=\"Allow\" priority=Notice duration=0 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=34:db:fd:83:d8:09 src_ip=192.168.1.254 src_country_code=\"\" dst_ip=172.17.32.19 dst_country_code=\"\" protocol=\"ICMP\" icmp_type=3 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=\"\" tran_src_port=0 tran_dst_ip=\"\" tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connevent=\"Interim\" connid=\"2685668438\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "5", + "event.start": "2020-05-18T14:38:45.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "start", + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "notification", + "log.offset": 8335, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "icmp", + "observer.ingress.interface.name": "Port1", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "192.168.1.254", + "172.17.32.19" + ], + "rule.id": "60", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "172.17.32.19", + "server.nat.port": 0, + "server.packets": 0, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.connevent": "Interim", + "sophos.xg.connid": "2685668438", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.icmp_code": "1", + "sophos.xg.icmp_type": "3", + "sophos.xg.ips_policy_id": "17", + "sophos.xg.log_component": "ICMP ERROR MESSAGE", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "00005", + "sophos.xg.priority": "Notice", + "sophos.xg.status": "Allow", + "source.bytes": 0, + "source.ip": "192.168.1.254", + "source.mac": "34:db:fd:83:d8:09", + "source.nat.port": 0, + "source.packets": 0, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-05T12:38:53.000-02:00", + "client.bytes": 1802, + "client.ip": "172.17.35.119", + "client.mac": "00:00:00:00:00:00", + "client.nat.port": 0, + "client.packets": 6, + "client.port": 61925, + "destination.bytes": 1732, + "destination.ip": "172.16.34.10", + "destination.packets": 6, + "destination.port": 88, + "event.action": "allowed", + "event.category": [ + "network" + ], + "event.code": "010101600001", + "event.dataset": "sophos.xg", + "event.duration": 10000000000, + "event.end": "2020-06-05T12:39:03.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-06-05 time=12:38:53 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=010101600001 log_type=\"Firewall\" log_component=\"Firewall Rule\" log_subtype=\"Allowed\" status=\"Allow\" priority=Information duration=10 fw_rule_id=60 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=17 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"ipsec0\" out_interface=\"Port1\" src_mac=00:00:00:00:00:00 src_ip=172.17.35.119 src_country_code=R1 dst_ip=172.16.34.10 dst_country_code=R1 protocol=\"TCP\" src_port=61925 dst_port=88 sent_pkts=6 recv_pkts=6 sent_bytes=1802 recv_bytes=1732 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0srczonetype=\"VPN\" srczone=\"VPN\" dstzonetype=\"LAN\" dstzone=\"LAN\" dir_disp=\"\" connevent=\"Stop\" connid=\"1617126256\" vconnid=\"\" hb_health=\"NoHeartbeat\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0\"", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2020-06-05T12:38:53.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "end", + "allowed", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 9256, + "network.bytes": 3534, + "network.packets": 12, + "network.transport": "tcp", + "observer.egress.interface.name": "Port1", + "observer.egress.zone": "LAN", + "observer.ingress.interface.name": "ipsec0", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "172.17.35.119", + "172.16.34.10" + ], + "rule.id": "60", + "rule.ruleset": "1", + "server.bytes": 1732, + "server.ip": "172.16.34.10", + "server.packets": 6, + "server.port": 88, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.connevent": "Stop", + "sophos.xg.connid": "1617126256", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.hb_health": "NoHeartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "17", + "sophos.xg.log_component": "Firewall Rule", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "00001", + "sophos.xg.priority": "Information", + "sophos.xg.src_country_code": "R1", + "sophos.xg.status": "Allow", + "source.bytes": 1802, + "source.ip": "172.17.35.119", + "source.mac": "00:00:00:00:00:00", + "source.nat.port": 0, + "source.packets": 6, + "source.port": 61925, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-30T13:26:37.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.32.19", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 1353, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 0, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 0, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010202601001", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-05-30T13:26:37.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-05-30 time=13:26:37 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010202601001 log_type=\"Firewall\" log_component=\"Invalid Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.32.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"UDP\" src_port=1353 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"Invalid UDP destination.\" appresolvedby=\" Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2018-05-30T13:26:37.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 10196, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "udp", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.32.19", + "8.8.8.8" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "8.8.8.8", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 0, + "service.type": "sophos", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": " Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG125w", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Invalid Traffic", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message": "Invalid UDP destination.", + "sophos.xg.message_id": "01001", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.32.19", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 1353, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-04T17:20:24.000-02:00", + "client.bytes": 0, + "client.ip": "0.0.0.0", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 0, + "destination.bytes": 0, + "destination.ip": "0.0.0.0", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 0, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "011402601301", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-06-04T17:20:24.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-04 time=17:20:24 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011402601301 log_type=\"Firewall\" log_component=\"Fragmented Traffic\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=0.0.0.0 src_country_code= dst_ip=0.0.0.0 dst_country_code= protocol=\"0\" src_port=0 dst_port=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2018-06-04T17:20:24.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 11056, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "0", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "0.0.0.0", + "0.0.0.0" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "0.0.0.0", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 0, + "service.type": "sophos", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG125w", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Fragmented Traffic", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "01301", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "0.0.0.0", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 0, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-30T14:01:32.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.38.184", + "client.mac": "c8:5b:76:ab:72:d3", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 137, + "destination.bytes": 0, + "destination.ip": "10.198.39.255", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 137, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010302602002", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-05-30T14:01:32.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-05-30 time=14:01:32 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=2 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.611\" out_interface=\"\" src_mac=c8:5b:76:ab:72:d3 src_ip=10.198.38.184 src_country_code= dst_ip=10.198.39.255 dst_country_code= protocol=\"UDP\" src_port=137 dst_port=137 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2018-05-30T14:01:32.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 11884, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "udp", + "observer.ingress.interface.name": "Port2.611", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.38.184", + "10.198.39.255" + ], + "rule.id": "2", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.198.39.255", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 137, + "service.type": "sophos", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG125w", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Appliance Access", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "02002", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.38.184", + "source.mac": "c8:5b:76:ab:72:d3", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 137, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-30T14:17:17.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.32.19", + "client.mac": "b8:97:5a:5b:0f:fd", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 41960, + "destination.bytes": 0, + "destination.ip": "10.198.32.48", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 22, + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "010402403001", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-05-30T14:17:17.000-02:00", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-05-30 time=14:17:17 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010402403001 log_type=\"Firewall\" log_component=\"DoS Attack\" log_subtype=\"Denied\" status=\"Deny\" priority=Warning duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port1\" out_interface=\"\" src_mac=b8:97:5a:5b:0f:fd src_ip=10.198.32.19 src_country_code= dst_ip=10.198.32.48 dst_country_code= protocol=\"TCP\" src_port=41960 dst_port=22 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", + "event.outcome": "success", + "event.severity": "4", + "event.start": "2018-05-30T14:17:17.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 12754, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.ingress.interface.name": "Port1", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.32.19", + "10.198.32.48" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.198.32.48", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 22, + "service.type": "sophos", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": " Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG125w", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "DoS Attack", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "03001", + "sophos.xg.priority": "Warning", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.32.19", + "source.mac": "b8:97:5a:5b:0f:fd", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 41960, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-05T14:30:31.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.37.23", + "client.nat.port": 0, + "client.packets": 0, + "destination.bytes": 0, + "destination.ip": "10.198.36.48", + "destination.nat.port": 0, + "destination.packets": 0, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "010502604001", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-06-05T14:30:31.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-05 time=14:30:31 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010502604001 log_type=\"Firewall\" log_component=\"ICMP Redirection\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.37.23 src_country_code= dst_ip=10.198.36.48 dst_country_code= protocol=\"ICMP\" icmp_type=5 icmp_code=1 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\" Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2018-06-05T14:30:31.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 13610, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "icmp", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.37.23", + "10.198.36.48" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "10.198.36.48", + "server.nat.port": 0, + "server.packets": 0, + "service.type": "sophos", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": " Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG125w", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.icmp_code": "1", + "sophos.xg.icmp_type": "5", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "ICMP Redirection", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "04001", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.37.23", + "source.nat.port": 0, + "source.packets": 0, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-31T17:05:14.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.12.19", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 1571, + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 0, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 80, + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "010602605001", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-05-31T17:05:14.000-02:00", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-05-31 time=17:05:14 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=010602605001 log_type=\"Firewall\" log_component=\"Source Routed\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=1 policy_type=1 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"\" out_interface=\"\" src_mac= src_ip=10.198.12.19 src_country_code= dst_ip=8.8.8.8 dst_country_code= protocol=\"TCP\" src_port=1571 dst_port=80 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2018-05-31T17:05:14.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 14452, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "tcp", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.12.19", + "8.8.8.8" + ], + "rule.id": "1", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "8.8.8.8", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 80, + "service.type": "sophos", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG125w", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Source Routed", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "05001", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.12.19", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 1571, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-30T15:09:51.000-02:00", + "client.bytes": 0, + "client.ip": "fe80::59f5:3ce8:c98e:5062", + "client.mac": "1e:3a:5a:5b:23:ab", + "client.nat.port": 0, + "client.packets": 0, + "client.port": 546, + "destination.bytes": 0, + "destination.ip": "ff02::1:2", + "destination.nat.port": 0, + "destination.packets": 0, + "destination.port": 547, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "011702605051", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-05-30T15:09:51.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-05-30 time=15:09:51 timezone=\"IST\" device_name=\"XG125w\" device_id=SFDemo-763180a log_id=011702605051 log_type=\"Firewall\" log_component=\"MAC Filter\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 policy_type=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port2.531\" out_interface=\"\" src_mac=1e:3a:5a:5b:23:ab src_ip=fe80::59f5:3ce8:c98e:5062 src_country_code= dst_ip=ff02::1:2 dst_country_code= protocol=\"UDP\" src_port=546 dst_port=547 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"No Heartbeat\" message=\"\" appresolvedby=\"Signature\"", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2018-05-30T15:09:51.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 15286, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "udp", + "observer.ingress.interface.name": "Port2.531", + "observer.product": "XG", + "observer.serial_number": "SFDemo-763180a", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "fe80::59f5:3ce8:c98e:5062", + "ff02::1:2" + ], + "rule.id": "0", + "rule.ruleset": "0", + "server.bytes": 0, + "server.ip": "ff02::1:2", + "server.nat.port": 0, + "server.packets": 0, + "server.port": 547, + "service.type": "sophos", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG125w", + "sophos.xg.hb_health": "No Heartbeat", + "sophos.xg.iap": "0", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "MAC Filter", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "05051", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "fe80::59f5:3ce8:c98e:5062", + "source.mac": "1e:3a:5a:5b:23:ab", + "source.nat.port": 0, + "source.packets": 0, + "source.port": 546, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-01T10:57:55.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.37.57", + "client.mac": "08:00:27:4c:49:e3", + "client.nat.port": 0, + "client.packets": 0, + "destination.bytes": 0, + "destination.ip": "10.198.32.19", + "destination.nat.port": 0, + "destination.packets": 0, + "event.action": "denied", + "event.category": [ + "network" + ], + "event.code": "016602600006", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-06-01T10:57:55.000-02:00", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-01 time=10:57:55 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600006 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=10.198.32.19 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2018-06-01T10:57:55.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 16158, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "icmp", + "observer.ingress.interface.name": "Port3.611", + "observer.product": "XG", + "observer.serial_number": "SFDemo-9a04c43", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.37.57", + "10.198.32.19" + ], + "rule.id": "16", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "10.198.32.19", + "server.nat.port": 0, + "server.packets": 0, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG310", + "sophos.xg.hb_health": "Red", + "sophos.xg.iap": "2", + "sophos.xg.icmp_code": "0", + "sophos.xg.icmp_type": "8", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Heartbeat", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "00006", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.37.57", + "source.mac": "08:00:27:4c:49:e3", + "source.nat.port": 0, + "source.packets": 0, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-06-01T10:55:41.000-02:00", + "client.bytes": 0, + "client.ip": "10.198.37.57", + "client.mac": "08:00:27:4c:49:e3", + "client.nat.port": 0, + "client.packets": 0, + "destination.as.number": 109, + "destination.as.organization.name": "Cisco Systems, Inc.", + "destination.bytes": 0, + "destination.geo.city_name": "Richardson", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 32.9473, + "destination.geo.location.lon": -96.7028, + "destination.geo.region_iso_code": "US-TX", + "destination.geo.region_name": "Texas", + "destination.ip": "72.163.4.185", + "destination.nat.port": 0, + "destination.packets": 0, + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "016602600003", + "event.dataset": "sophos.xg", + "event.duration": 0, + "event.end": "2018-06-01T10:55:41.000-02:00", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-06-01 time=10:55:41 timezone=\"BST\" device_name=\"XG310\" device_id=SFDemo-9a04c43 log_id=016602600003 log_type=\"Firewall\" log_component=\"Heartbeat\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=16 policy_type=1 user_name=\"\" user_gp=\"\" iap=2 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"Port3.611\" out_interface=\"\" src_mac=08:00:27:4c:49:e3 src_ip=10.198.37.57 src_country_code= dst_ip=72.163.4.185 dst_country_code= protocol=\"ICMP\" icmp_type=8 icmp_code=0 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\" hb_health=\"Red\" message=\"\" appresolvedby=\"Signature\" app_is_cloud=0", + "event.outcome": "success", + "event.severity": "6", + "event.start": "2018-06-01T10:55:41.000-02:00", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 17024, + "network.bytes": 0, + "network.packets": 0, + "network.transport": "icmp", + "observer.ingress.interface.name": "Port3.611", + "observer.product": "XG", + "observer.serial_number": "SFDemo-9a04c43", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.37.57", + "72.163.4.185" + ], + "rule.id": "16", + "rule.ruleset": "1", + "server.bytes": 0, + "server.ip": "72.163.4.185", + "server.nat.port": 0, + "server.packets": 0, + "service.type": "sophos", + "sophos.xg.app_is_cloud": "0", + "sophos.xg.appfilter_policy_id": "0", + "sophos.xg.application_risk": "0", + "sophos.xg.appresolvedby": "Signature", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG310", + "sophos.xg.hb_health": "Red", + "sophos.xg.iap": "2", + "sophos.xg.icmp_code": "0", + "sophos.xg.icmp_type": "8", + "sophos.xg.ips_policy_id": "0", + "sophos.xg.log_component": "Heartbeat", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Firewall", + "sophos.xg.message_id": "00003", + "sophos.xg.priority": "Information", + "sophos.xg.status": "Deny", + "source.bytes": 0, + "source.ip": "10.198.37.57", + "source.mac": "08:00:27:4c:49:e3", + "source.nat.port": 0, + "source.packets": 0, + "tags": [ + "sophos-xg", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/idp.log b/x-pack/filebeat/module/sophos/xg/test/idp.log new file mode 100644 index 00000000000..dd9e406f077 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/idp.log @@ -0,0 +1,6 @@ +<30>device="SFW" date=2020-05-18 time=14:38:54 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=1881 signature_msg="SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack" classification="access to a potentially vulnerable web application" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=41528 dst_port=80 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="server-webapp" target="Server" +<30>device="SFW" date=2020-05-18 time=14:38:55 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name="" signature_id=1616 signature_msg="PROTOCOL-DNS named version attempt" classification="Attempted Information Leak" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 dst_country_code=R1 protocol="UDP" src_port=58914 dst_port=53 platform="BSD,Linux,Mac,Other,Solaris,Unix,Windows" category="protocol-dns" target="Server" +<30>device="SFW" date=2020-05-18 time=14:38:56 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=020804407002 log_type="IDP" log_component="Signatures" log_subtype="Drop" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name="" signature_id=53589 signature_msg="SERVER-WEBAPP DrayTek multiple products command injection attempt" classification="Web Application Attack" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol="TCP" src_port=59476 dst_port=80 platform="Linux,Mac,Other,Unix,Windows" category="server-webapp" target="Server" +<30>device="SFW" date=2018-05-23 time=16:20:34 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020703406001 log_type="IDP" log_component="Anomaly" log_subtype="Detect" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol="TCP" src_port=28938 dst_port=25 platform="Windows" category="Malware Communication" target="Server" +<30>device="SFW" date=2018-05-23 time=16:16:43 timezone="BST" device_name="XG750" device_id=SFDemo-f64dd6be log_id=020704406002 log_type="IDP" log_component="Anomaly" log_subtype="Drop" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name="" signature_id=26022 signature_msg="FILE-PDF EmbeddedFile contained within a PDF" classification="A Network Trojan was detected" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol="TCP" src_port=40140 dst_port=25 platform="Windows" category="Malware Communication" target="Server" + diff --git a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json new file mode 100644 index 00000000000..7caee4d72eb --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json @@ -0,0 +1,347 @@ +[ + { + "@timestamp": "2020-05-18T14:38:54.000-02:00", + "client.ip": "89.40.182.58", + "client.port": 41528, + "destination.ip": "172.16.68.20", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020804407002", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:54 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=1881 signature_msg=\"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack\" classification=\"access to a potentially vulnerable web application\" rule_priority=2 src_ip=89.40.182.58 src_country_code=ROU dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=41528 dst_port=80 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "warning", + "log.offset": 0, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "89.40.182.58", + "172.16.68.20" + ], + "rule.category": "access to a potentially vulnerable web application", + "rule.id": "1881", + "rule.name": "SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack", + "server.ip": "172.16.68.20", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.category": "server-webapp", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.fw_rule_id": "25", + "sophos.xg.idp_policy_id": "7", + "sophos.xg.log_component": "Signatures", + "sophos.xg.log_subtype": "Drop", + "sophos.xg.log_type": "IDP", + "sophos.xg.message_id": "07002", + "sophos.xg.platform": "BSD,Linux,Mac,Other,Solaris,Unix,Windows", + "sophos.xg.priority": "Warning", + "sophos.xg.rule_priority": "2", + "sophos.xg.src_country_code": "ROU", + "sophos.xg.target": "Server", + "source.as.number": 28684, + "source.as.organization.name": "Bestnet Service SRL", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RO", + "source.geo.location.lat": 46.0, + "source.geo.location.lon": 25.0, + "source.ip": "89.40.182.58", + "source.port": 41528, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:55.000-02:00", + "client.ip": "117.50.11.192", + "client.port": 58914, + "destination.ip": "172.16.66.155", + "destination.port": 53, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020804407002", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:55 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=23 user_name=\"\" signature_id=1616 signature_msg=\"PROTOCOL-DNS named version attempt\" classification=\"Attempted Information Leak\" rule_priority=1 src_ip=117.50.11.192 src_country_code=CHN dst_ip=172.16.66.155 dst_country_code=R1 protocol=\"UDP\" src_port=58914 dst_port=53 platform=\"BSD,Linux,Mac,Other,Solaris,Unix,Windows\" category=\"protocol-dns\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "input.type": "log", + "log.level": "warning", + "log.offset": 645, + "network.transport": "UDP", + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "117.50.11.192", + "172.16.66.155" + ], + "rule.category": "Attempted Information Leak", + "rule.id": "1616", + "rule.name": "PROTOCOL-DNS named version attempt", + "server.ip": "172.16.66.155", + "server.port": 53, + "service.type": "sophos", + "sophos.xg.category": "protocol-dns", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.fw_rule_id": "23", + "sophos.xg.idp_policy_id": "7", + "sophos.xg.log_component": "Signatures", + "sophos.xg.log_subtype": "Drop", + "sophos.xg.log_type": "IDP", + "sophos.xg.message_id": "07002", + "sophos.xg.platform": "BSD,Linux,Mac,Other,Solaris,Unix,Windows", + "sophos.xg.priority": "Warning", + "sophos.xg.rule_priority": "1", + "sophos.xg.src_country_code": "CHN", + "sophos.xg.target": "Server", + "source.as.number": 4808, + "source.as.organization.name": "China Unicom Beijing Province Network", + "source.geo.continent_name": "Asia", + "source.geo.country_iso_code": "CN", + "source.geo.location.lat": 31.0449, + "source.geo.location.lon": 121.4012, + "source.geo.region_iso_code": "CN-SH", + "source.geo.region_name": "Shanghai", + "source.ip": "117.50.11.192", + "source.port": 58914, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:56.000-02:00", + "client.ip": "77.61.185.101", + "client.port": 59476, + "destination.ip": "172.16.68.20", + "destination.port": 80, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020804407002", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:56 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=020804407002 log_type=\"IDP\" log_component=\"Signatures\" log_subtype=\"Drop\" priority=Warning idp_policy_id=7 fw_rule_id=25 user_name=\"\" signature_id=53589 signature_msg=\"SERVER-WEBAPP DrayTek multiple products command injection attempt\" classification=\"Web Application Attack\" rule_priority=2 src_ip=77.61.185.101 src_country_code=NLD dst_ip=172.16.68.20 dst_country_code=R1 protocol=\"TCP\" src_port=59476 dst_port=80 platform=\"Linux,Mac,Other,Unix,Windows\" category=\"server-webapp\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 1243, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "77.61.185.101", + "172.16.68.20" + ], + "rule.category": "Web Application Attack", + "rule.id": "53589", + "rule.name": "SERVER-WEBAPP DrayTek multiple products command injection attempt", + "server.ip": "172.16.68.20", + "server.port": 80, + "service.type": "sophos", + "sophos.xg.category": "server-webapp", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.fw_rule_id": "25", + "sophos.xg.idp_policy_id": "7", + "sophos.xg.log_component": "Signatures", + "sophos.xg.log_subtype": "Drop", + "sophos.xg.log_type": "IDP", + "sophos.xg.message_id": "07002", + "sophos.xg.platform": "Linux,Mac,Other,Unix,Windows", + "sophos.xg.priority": "Warning", + "sophos.xg.rule_priority": "2", + "sophos.xg.src_country_code": "NLD", + "sophos.xg.target": "Server", + "source.as.number": 1136, + "source.as.organization.name": "KPN B.V.", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "NL", + "source.geo.location.lat": 52.3824, + "source.geo.location.lon": 4.8995, + "source.ip": "77.61.185.101", + "source.port": 59476, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-23T16:20:34.000-02:00", + "client.ip": "10.0.0.168", + "client.port": 28938, + "destination.ip": "10.1.1.234", + "destination.port": 25, + "event.action": "detect", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020703406001", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-05-23 time=16:20:34 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020703406001 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Detect\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.0.168 src_country_code=R1 dst_ip=10.1.1.234 dst_country_code=R1 protocol=\"TCP\" src_port=28938 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 1857, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "SFDemo-f64dd6be", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.0.0.168", + "10.1.1.234" + ], + "rule.category": "A Network Trojan was detected", + "rule.id": "26022", + "rule.name": "FILE-PDF EmbeddedFile contained within a PDF", + "server.ip": "10.1.1.234", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.category": "Malware Communication", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG750", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.fw_rule_id": "2", + "sophos.xg.idp_policy_id": "1", + "sophos.xg.log_component": "Anomaly", + "sophos.xg.log_subtype": "Detect", + "sophos.xg.log_type": "IDP", + "sophos.xg.message_id": "06001", + "sophos.xg.platform": "Windows", + "sophos.xg.priority": "Warning", + "sophos.xg.rule_priority": "1", + "sophos.xg.src_country_code": "R1", + "sophos.xg.target": "Server", + "source.ip": "10.0.0.168", + "source.port": 28938, + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2018-05-23T16:16:43.000-02:00", + "client.ip": "10.0.1.31", + "client.port": 40140, + "destination.ip": "10.1.0.115", + "destination.port": 25, + "event.action": "drop", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "020704406002", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2018-05-23 time=16:16:43 timezone=\"BST\" device_name=\"XG750\" device_id=SFDemo-f64dd6be log_id=020704406002 log_type=\"IDP\" log_component=\"Anomaly\" log_subtype=\"Drop\" priority=Warning idp_policy_id=1 fw_rule_id=2 user_name=\"\" signature_id=26022 signature_msg=\"FILE-PDF EmbeddedFile contained within a PDF\" classification=\"A Network Trojan was detected\" rule_priority=1 src_ip=10.0.1.31 src_country_code=R1 dst_ip=10.1.0.115 dst_country_code=R1 protocol=\"TCP\" src_port=40140 dst_port=25 platform=\"Windows\" category=\"Malware Communication\" target=\"Server\"", + "event.outcome": "success", + "event.severity": "4", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "warning", + "log.offset": 2434, + "network.transport": "TCP", + "observer.product": "XG", + "observer.serial_number": "SFDemo-f64dd6be", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.0.1.31", + "10.1.0.115" + ], + "rule.category": "A Network Trojan was detected", + "rule.id": "26022", + "rule.name": "FILE-PDF EmbeddedFile contained within a PDF", + "server.ip": "10.1.0.115", + "server.port": 25, + "service.type": "sophos", + "sophos.xg.category": "Malware Communication", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG750", + "sophos.xg.dst_country_code": "R1", + "sophos.xg.fw_rule_id": "2", + "sophos.xg.idp_policy_id": "1", + "sophos.xg.log_component": "Anomaly", + "sophos.xg.log_subtype": "Drop", + "sophos.xg.log_type": "IDP", + "sophos.xg.message_id": "06002", + "sophos.xg.platform": "Windows", + "sophos.xg.priority": "Warning", + "sophos.xg.rule_priority": "1", + "sophos.xg.src_country_code": "R1", + "sophos.xg.target": "Server", + "source.ip": "10.0.1.31", + "source.port": 40140, + "tags": [ + "sophos-xg", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/sandbox.log b/x-pack/filebeat/module/sophos/xg/test/sandbox.log new file mode 100644 index 00000000000..bd64715de04 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/sandbox.log @@ -0,0 +1,6 @@ +<30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138301618041 log_type="Sandbox" log_component="Mail" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject="" +<30>device="SFW" date=2017-01-31 time=14:52:11 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=138302218042 log_type="Sandbox" log_component="Mail" log_subtype="Denied" priority=Critical user_name="jsmith@iview.com" src_ip=10.198.47.112 filename="1.exe" filetype="application/octet-stream" filesize=153006 sha1sum="83cd339302bf5e8ed5240ca6383418089c337a81" source="jsmith@iview.com" reason="cached malicious" destination="" subject="" +<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44313350024-P29PUA log_id=136501618041 log_type="Sandbox" log_component="Web" log_subtype="Allowed" priority=Information user_name="" src_ip= filename="" filetype="" filesize=0 sha1sum="" source="" reason="eligible" destination="" subject="" +<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136528618043 log_type="Sandbox" log_component="Web" log_subtype="Pending" priority=Information user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="pending" destination="" subject="" +<30>device="SFW" date=2017-01-31 time=15:28:25 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="jsmith" src_ip=10.198.47.112 filename="19.exe" filetype="application/octet-stream" filesize=153010 sha1sum="3ce799580908df9ca0dc649aa8c2d06ab267e8c8" source="10.198.241.50" reason="cloud malicious" destination="" subject=" +<30>device="SFW" date=2020-05-18 time=14:38:36 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=136502218042 log_type="Sandbox" log_component="Web" log_subtype="Denied" priority=Critical user_name="" src_ip=172.16.34.24 filename="SBTestFile1.pdf" filetype="application/pdf" filesize=1124 sha1sum="d910c4a81122c360fe57f67a04999425a65249db" source="sophostest.com" reason="cached malicious" destination="" subject="" diff --git a/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json new file mode 100644 index 00000000000..ed32ee3f213 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json @@ -0,0 +1,319 @@ +[ + { + "@timestamp": "2017-01-31T14:52:11.000-02:00", + "event.action": "Allowed", + "event.category": [ + "network" + ], + "event.code": "138301618041", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138301618041 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "end", + "connection" + ], + "file.size": 0, + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.log_component": "Mail", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Sandbox", + "sophos.xg.message_id": "18041", + "sophos.xg.priority": "Information", + "sophos.xg.reason": "eligible", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T14:52:11.000-02:00", + "client.ip": "10.198.47.112", + "event.action": "Denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "138302218042", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-01-31 time=14:52:11 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=138302218042 log_type=\"Sandbox\" log_component=\"Mail\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith@iview.com\" src_ip=10.198.47.112 filename=\"1.exe\" filetype=\"application/octet-stream\" filesize=153006 sha1sum=\"83cd339302bf5e8ed5240ca6383418089c337a81\" source=\"jsmith@iview.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "file.hash.sha1": "83cd339302bf5e8ed5240ca6383418089c337a81", + "file.mime_type": "application/octet-stream", + "file.size": 153006, + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 343, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "83cd339302bf5e8ed5240ca6383418089c337a81" + ], + "related.ip": [ + "10.198.47.112" + ], + "related.user": [ + "jsmith@iview.com" + ], + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.filename": "1.exe", + "sophos.xg.log_component": "Mail", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Sandbox", + "sophos.xg.message_id": "18042", + "sophos.xg.priority": "Critical", + "sophos.xg.reason": "cached malicious", + "sophos.xg.source": "jsmith@iview.com", + "source.ip": "10.198.47.112", + "source.user.name": "jsmith@iview.com", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T15:28:25.000-02:00", + "event.action": "Allowed", + "event.category": [ + "network" + ], + "event.code": "136501618041", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44313350024-P29PUA log_id=136501618041 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Allowed\" priority=Information user_name=\"\" src_ip= filename=\"\" filetype=\"\" filesize=0 sha1sum=\"\" source=\"\" reason=\"eligible\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "end", + "connection" + ], + "file.size": 0, + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 809, + "observer.product": "XG", + "observer.serial_number": "C44313350024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.log_component": "Web", + "sophos.xg.log_subtype": "Allowed", + "sophos.xg.log_type": "Sandbox", + "sophos.xg.message_id": "18041", + "sophos.xg.priority": "Information", + "sophos.xg.reason": "eligible", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T15:28:25.000-02:00", + "client.ip": "10.198.47.112", + "event.action": "Pending", + "event.category": [ + "network" + ], + "event.code": "136528618043", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136528618043 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Pending\" priority=Information user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"pending\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "start", + "connection" + ], + "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8", + "file.mime_type": "application/octet-stream", + "file.size": 153010, + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 1151, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" + ], + "related.ip": [ + "10.198.47.112" + ], + "related.user": [ + "jsmith" + ], + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.filename": "19.exe", + "sophos.xg.log_component": "Web", + "sophos.xg.log_subtype": "Pending", + "sophos.xg.log_type": "Sandbox", + "sophos.xg.message_id": "18043", + "sophos.xg.priority": "Information", + "sophos.xg.reason": "pending", + "sophos.xg.source": "10.198.241.50", + "source.ip": "10.198.47.112", + "source.user.name": "jsmith", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2017-01-31T15:28:25.000-02:00", + "client.ip": "10.198.47.112", + "event.action": "Denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "136502218042", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-01-31 time=15:28:25 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"jsmith\" src_ip=10.198.47.112 filename=\"19.exe\" filetype=\"application/octet-stream\" filesize=153010 sha1sum=\"3ce799580908df9ca0dc649aa8c2d06ab267e8c8\" source=\"10.198.241.50\" reason=\"cloud malicious\" destination=\"\" subject=\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "file.hash.sha1": "3ce799580908df9ca0dc649aa8c2d06ab267e8c8", + "file.mime_type": "application/octet-stream", + "file.size": 153010, + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 1599, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "3ce799580908df9ca0dc649aa8c2d06ab267e8c8" + ], + "related.ip": [ + "10.198.47.112" + ], + "related.user": [ + "jsmith" + ], + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.filename": "19.exe", + "sophos.xg.log_component": "Web", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Sandbox", + "sophos.xg.message_id": "18042", + "sophos.xg.priority": "Critical", + "sophos.xg.reason": "cloud malicious", + "sophos.xg.source": "10.198.241.50", + "source.ip": "10.198.47.112", + "source.user.name": "jsmith", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-18T14:38:36.000-02:00", + "client.ip": "172.16.34.24", + "event.action": "Denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "136502218042", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:36 timezone=\"IST\" device_name=\"CR750iNG-XP\" device_id=C44310050024-P29PUA log_id=136502218042 log_type=\"Sandbox\" log_component=\"Web\" log_subtype=\"Denied\" priority=Critical user_name=\"\" src_ip=172.16.34.24 filename=\"SBTestFile1.pdf\" filetype=\"application/pdf\" filesize=1124 sha1sum=\"d910c4a81122c360fe57f67a04999425a65249db\" source=\"sophostest.com\" reason=\"cached malicious\" destination=\"\" subject=\"\"", + "event.outcome": "success", + "event.severity": "2", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "file.hash.sha1": "d910c4a81122c360fe57f67a04999425a65249db", + "file.mime_type": "application/pdf", + "file.size": 1124, + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "critical", + "log.offset": 2050, + "observer.product": "XG", + "observer.serial_number": "C44310050024-P29PUA", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.hash": [ + "d910c4a81122c360fe57f67a04999425a65249db" + ], + "related.ip": [ + "172.16.34.24" + ], + "service.type": "sophos", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "CR750iNG-XP", + "sophos.xg.filename": "SBTestFile1.pdf", + "sophos.xg.log_component": "Web", + "sophos.xg.log_subtype": "Denied", + "sophos.xg.log_type": "Sandbox", + "sophos.xg.message_id": "18042", + "sophos.xg.priority": "Critical", + "sophos.xg.reason": "cached malicious", + "sophos.xg.source": "sophostest.com", + "source.ip": "172.16.34.24", + "tags": [ + "sophos-xg", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/waf.log b/x-pack/filebeat/module/sophos/xg/test/waf.log new file mode 100644 index 00000000000..519a84ca2fb --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/waf.log @@ -0,0 +1,5 @@ +<30>device="SFW" date=2020-05-18 time=14:38:46 timezone="CEST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL" referer=- method=POST httpstatus=401 reason="-" extra="-" contenttype="-" useragent="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79 +<30>device="SFW" date=2020-05-18 time=14:38:47 timezone="CEST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol="HTTP/1.1" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie="MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M" referer=- method=POST httpstatus=200 reason="-" extra="-" contenttype="application/mapi-http" useragent="Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79 +<30>device="SFW" date=2020-05-19 time=17:20:29 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/ querystring= cookie="-" referer=- method=GET httpstatus=403 reason="Static URL Hardening" extra="No signature found" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3 +<30>device="SFW" date=2020-05-19 time=18:03:30 timezone="IST" device_name="XG230" device_id=1234567890123456 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="jsmith" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol="HTTP/1.1" url=/download/eicarcom2.zip querystring= cookie="; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason="Antivirus" extra="EICAR-AV-Test" contenttype="text/html" useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6 +<30>device="SFW" date=2020-05-20 time=18:03:31 timezone="IST" device_name="XG230" device_id=1234567890123457 log_id=075000617071 log_type="WAF" log_component="Web Application Firewall" priority=Information user_name="-" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol="HTTP/1.0" url=/ querystring="" cookie="-" referer="-" method=GET httpstatus=403 reason="WAF Anomaly" extra="Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header" contenttype="text/html" useragent="-" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3 diff --git a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json new file mode 100644 index 00000000000..fe6af644611 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json @@ -0,0 +1,373 @@ +[ + { + "@timestamp": "2020-05-18T14:38:46.000-02:00", + "client.bytes": 1419, + "client.ip": "89.68.140.204", + "destination.as.number": 199567, + "destination.as.organization.name": "Fr. Sauter AG", + "destination.bytes": 401, + "destination.geo.city_name": "Saint-Prex", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.location.lat": 46.4796, + "destination.geo.location.lon": 6.4599, + "destination.geo.region_iso_code": "CH-VD", + "destination.geo.region_name": "Vaud", + "destination.ip": "185.8.209.207", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:46 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL\" referer=- method=POST httpstatus=401 reason=\"-\" extra=\"-\" contenttype=\"-\" useragent=\"Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=11199 bytessent=5669 bytesrcv=1419 fw_rule_id=79", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "http.request.method": "POST", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "89.68.140.204", + "185.8.209.207" + ], + "server.bytes": 5669, + "server.ip": "185.8.209.207", + "service.type": "sophos", + "sophos.xg.cookie": "MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsxYNAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDoAitM4bv3XCA==;MapiSequence=10-GtgsIA==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7PxcrL", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.fw_rule_id": "79", + "sophos.xg.host": "89.68.140.204", + "sophos.xg.log_component": "Web Application Firewall", + "sophos.xg.log_type": "WAF", + "sophos.xg.message_id": "17071", + "sophos.xg.priority": "Information", + "sophos.xg.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com", + "sophos.xg.responsetime": "11199", + "sophos.xg.server": "webmail.elasticuser.com", + "source.as.number": 6830, + "source.as.organization.name": "Liberty Global B.V.", + "source.bytes": 1419, + "source.geo.city_name": "Gdynia", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 54.5055, + "source.geo.location.lon": 18.5403, + "source.geo.region_iso_code": "PL-22", + "source.geo.region_name": "Pomerania", + "source.ip": "89.68.140.204", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.full": "/mapi/nspi/", + "user_agent.original": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" + }, + { + "@timestamp": "2020-05-18T14:38:47.000-02:00", + "client.bytes": 1774, + "client.ip": "89.68.140.204", + "destination.as.number": 199567, + "destination.as.organization.name": "Fr. Sauter AG", + "destination.bytes": 200, + "destination.geo.city_name": "Saint-Prex", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.location.lat": 46.4796, + "destination.geo.location.lon": 6.4599, + "destination.geo.region_iso_code": "CH-VD", + "destination.geo.region_name": "Vaud", + "destination.ip": "185.8.209.207", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-18 time=14:38:47 timezone=\"CEST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=webmail.elasticuser.com sourceip=89.68.140.204 localip=185.8.209.207 ws_protocol=\"HTTP/1.1\" url=/mapi/nspi/ querystring=?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com cookie=\"MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M\" referer=- method=POST httpstatus=200 reason=\"-\" extra=\"-\" contenttype=\"application/mapi-http\" useragent=\"Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)\" host=89.68.140.204 responsetime=14086 bytessent=1357 bytesrcv=1774 fw_rule_id=79", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "http.request.method": "POST", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 993, + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "89.68.140.204", + "185.8.209.207" + ], + "server.bytes": 1357, + "server.ip": "185.8.209.207", + "service.type": "sophos", + "sophos.xg.contenttype": "application/mapi-http", + "sophos.xg.cookie": "MapiContext=MAPIAAAAAPaw98Xx0uDQ4tL/z/rX59b2x/LI+8z2x/+lhrKGtIO7jbmBsw0NAAAAAAAA;MapiRouting=UlVNOjdmNWY0OGE3LTM5OWItNDc4Yi04ZDgwLWFmZTRmMzAyZTViMDpeyft5bv3XCA==;MapiSequence=9-Km2JMg==;X-BackEndCookie=642ea57c-90ab-4571-8e05-c6997b2256f8=u56Lnp2ejJqByZrHyZ7Mys7Sm8zJnNLLnM3J0sbJxsvSnZzIxs2ans+ezMrLgYHNz83P0s/J0s3Pq87Pxc7Oxc3M", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.fw_rule_id": "79", + "sophos.xg.host": "89.68.140.204", + "sophos.xg.log_component": "Web Application Firewall", + "sophos.xg.log_type": "WAF", + "sophos.xg.message_id": "17071", + "sophos.xg.priority": "Information", + "sophos.xg.querystring": "?MailboxId=642ea57c-90ab-4571-8e05-c6997b2256f8@elastic.user.com", + "sophos.xg.responsetime": "14086", + "sophos.xg.server": "webmail.elasticuser.com", + "source.as.number": 6830, + "source.as.organization.name": "Liberty Global B.V.", + "source.bytes": 1774, + "source.geo.city_name": "Gdynia", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "PL", + "source.geo.location.lat": 54.5055, + "source.geo.location.lon": 18.5403, + "source.geo.region_iso_code": "PL-22", + "source.geo.region_name": "Pomerania", + "source.ip": "89.68.140.204", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.full": "/mapi/nspi/", + "user_agent.original": "Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" + }, + { + "@timestamp": "2020-05-19T17:20:29.000-02:00", + "client.bytes": 510, + "client.ip": "10.198.235.254", + "destination.bytes": 403, + "destination.ip": "10.198.233.48", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-19 time=17:20:29 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8989 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/ querystring= cookie=\"-\" referer=- method=GET httpstatus=403 reason=\"Static URL Hardening\" extra=\"No signature found\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=19310 bytessent=726 bytesrcv=510 fw_rule_id=3", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "http.request.method": "GET", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 2004, + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.235.254", + "10.198.233.48" + ], + "related.user": [ + "jsmith" + ], + "server.bytes": 726, + "server.ip": "10.198.233.48", + "service.type": "sophos", + "sophos.xg.contenttype": "text/html", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.extra": "No signature found", + "sophos.xg.fw_rule_id": "3", + "sophos.xg.host": "10.198.235.254", + "sophos.xg.log_component": "Web Application Firewall", + "sophos.xg.log_type": "WAF", + "sophos.xg.message_id": "17071", + "sophos.xg.priority": "Information", + "sophos.xg.reason": "Static URL Hardening", + "sophos.xg.responsetime": "19310", + "sophos.xg.server": "www.iviewtest.com:8989", + "source.bytes": 510, + "source.ip": "10.198.235.254", + "source.user.name": "jsmith", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.full": "/", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" + }, + { + "@timestamp": "2020-05-19T18:03:30.000-02:00", + "client.bytes": 715, + "client.ip": "10.198.235.254", + "destination.bytes": 403, + "destination.ip": "10.198.233.48", + "event.action": "denied", + "event.category": [ + "malware", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-19 time=18:03:30 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123456 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"jsmith\" server=www.iviewtest.com:8990 sourceip=10.198.235.254 localip=10.198.233.48 ws_protocol=\"HTTP/1.1\" url=/download/eicarcom2.zip querystring= cookie=\"; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*\" referer=http://www.iviewtest.com:8990/85-0-Download.html method=GET httpstatus=403 reason=\"Antivirus\" extra=\"EICAR-AV-Test\" contenttype=\"text/html\" useragent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0\" host=10.198.235.254 responsetime=403214 bytessent=739 bytesrcv=715 fw_rule_id=6", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "my_fancy_host", + "http.request.method": "GET", + "http.request.referrer": "http://www.iviewtest.com:8990/85-0-Download.html", + "http.version": "HTTP/1.1", + "input.type": "log", + "log.level": "informational", + "log.offset": 2640, + "observer.product": "XG", + "observer.serial_number": "1234567890123456", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "10.198.235.254", + "10.198.233.48" + ], + "related.user": [ + "jsmith" + ], + "server.bytes": 739, + "server.ip": "10.198.233.48", + "service.type": "sophos", + "sophos.xg.contenttype": "text/html", + "sophos.xg.cookie": "; PHPSESSID=jetkd9iadd969hsr77jpj4q974; _pk_id.1.fc3a=3a6250e215194a92.1485866024.1.1485866069.1485866024.; _pk_ses.1.fc3a=*", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.extra": "EICAR-AV-Test", + "sophos.xg.fw_rule_id": "6", + "sophos.xg.host": "10.198.235.254", + "sophos.xg.log_component": "Web Application Firewall", + "sophos.xg.log_type": "WAF", + "sophos.xg.message_id": "17071", + "sophos.xg.priority": "Information", + "sophos.xg.reason": "Antivirus", + "sophos.xg.responsetime": "403214", + "sophos.xg.server": "www.iviewtest.com:8990", + "source.bytes": 715, + "source.ip": "10.198.235.254", + "source.user.name": "jsmith", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.full": "/download/eicarcom2.zip", + "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" + }, + { + "@timestamp": "2020-05-20T18:03:31.000-02:00", + "client.bytes": 295, + "client.ip": "83.97.20.30", + "destination.as.number": 2914, + "destination.as.organization.name": "NTT America, Inc.", + "destination.bytes": 403, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "216.167.51.72", + "event.action": "denied", + "event.category": [ + "intrusion_detection", + "network" + ], + "event.code": "075000617071", + "event.dataset": "sophos.xg", + "event.kind": "alert", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2020-05-20 time=18:03:31 timezone=\"IST\" device_name=\"XG230\" device_id=1234567890123457 log_id=075000617071 log_type=\"WAF\" log_component=\"Web Application Firewall\" priority=Information user_name=\"-\" server=- sourceip=83.97.20.30 localip=216.167.51.72 ws_protocol=\"HTTP/1.0\" url=/ querystring=\"\" cookie=\"-\" referer=\"-\" method=GET httpstatus=403 reason=\"WAF Anomaly\" extra=\"Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header\" contenttype=\"text/html\" useragent=\"-\" host=83.97.20.30 responsetime=608 bytessent=5353 bytesrcv=295 fw_rule_id=3", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], + "fileset.name": "xg", + "host.name": "some_other_host.local", + "http.request.method": "GET", + "http.version": "HTTP/1.0", + "input.type": "log", + "log.level": "informational", + "log.offset": 3453, + "observer.product": "XG", + "observer.serial_number": "1234567890123457", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "related.ip": [ + "83.97.20.30", + "216.167.51.72" + ], + "server.bytes": 5353, + "server.ip": "216.167.51.72", + "service.type": "sophos", + "sophos.xg.contenttype": "text/html", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "XG230", + "sophos.xg.extra": "Inbound Anomaly Score Exceeded (Total Score: 7, SQLi=, XSS=): Last Matched Message: Request Missing a User Agent Header", + "sophos.xg.fw_rule_id": "3", + "sophos.xg.host": "83.97.20.30", + "sophos.xg.log_component": "Web Application Firewall", + "sophos.xg.log_type": "WAF", + "sophos.xg.message_id": "17071", + "sophos.xg.priority": "Information", + "sophos.xg.reason": "WAF Anomaly", + "sophos.xg.responsetime": "608", + "source.as.number": 9009, + "source.as.organization.name": "M247 Ltd", + "source.bytes": 295, + "source.geo.city_name": "Bucharest", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RO", + "source.geo.location.lat": 44.4176, + "source.geo.location.lon": 26.1708, + "source.geo.region_iso_code": "RO-B", + "source.geo.region_name": "Bucuresti", + "source.ip": "83.97.20.30", + "tags": [ + "sophos-xg", + "forwarded" + ], + "url.full": "/" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/sophos/xg/test/wifi.log b/x-pack/filebeat/module/sophos/xg/test/wifi.log new file mode 100644 index 00000000000..33ad52c65aa --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/wifi.log @@ -0,0 +1,2 @@ +<30>device="SFW" date=2017-02-01 time=14:17:35 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=2 +<30>device="SFW" date=2017-02-01 time=14:19:47 timezone="IST" device_name="SG115" device_id=S110016E28BA631 log_id=106025618011 log_type="Wireless Protection" log_component="Wireless Protection" log_subtype="Information" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_SSID=3 diff --git a/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json new file mode 100644 index 00000000000..64aa8a24494 --- /dev/null +++ b/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json @@ -0,0 +1,72 @@ +[ + { + "@timestamp": "2017-02-01T14:17:35.000-02:00", + "event.code": "106025618011", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-02-01 time=14:17:35 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=2", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "observer.product": "XG", + "observer.serial_number": "S110016E28BA631", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.ap": "A40024A636F7862", + "sophos.xg.clients_conn_ssid": "2", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG115", + "sophos.xg.log_component": "Wireless Protection", + "sophos.xg.log_subtype": "Information", + "sophos.xg.log_type": "Wireless Protection", + "sophos.xg.message_id": "18011", + "sophos.xg.priority": "Information", + "sophos.xg.ssid": "SPIDIGO2015", + "tags": [ + "sophos-xg", + "forwarded" + ] + }, + { + "@timestamp": "2017-02-01T14:19:47.000-02:00", + "event.code": "106025618011", + "event.dataset": "sophos.xg", + "event.kind": "event", + "event.module": "sophos", + "event.original": "device=\"SFW\" date=2017-02-01 time=14:19:47 timezone=\"IST\" device_name=\"SG115\" device_id=S110016E28BA631 log_id=106025618011 log_type=\"Wireless Protection\" log_component=\"Wireless Protection\" log_subtype=\"Information\" priority=Information ap=A40024A636F7862 ssid=SPIDIGO2015 clients_conn_ssid=3", + "event.outcome": "success", + "event.severity": "6", + "event.timezone": "-02:00", + "fileset.name": "xg", + "host.name": "firewall.localgroup.local", + "input.type": "log", + "log.level": "informational", + "log.offset": 298, + "observer.product": "XG", + "observer.serial_number": "S110016E28BA631", + "observer.type": "firewall", + "observer.vendor": "Sophos", + "service.type": "sophos", + "sophos.xg.ap": "A40024A636F7862", + "sophos.xg.clients_conn_ssid": "3", + "sophos.xg.device": "SFW", + "sophos.xg.device_name": "SG115", + "sophos.xg.log_component": "Wireless Protection", + "sophos.xg.log_subtype": "Information", + "sophos.xg.log_type": "Wireless Protection", + "sophos.xg.message_id": "18011", + "sophos.xg.priority": "Information", + "sophos.xg.ssid": "SPIDIGO2015", + "tags": [ + "sophos-xg", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/squid/_meta/docs.asciidoc b/x-pack/filebeat/module/squid/_meta/docs.asciidoc index 798af71b303..dcb5161fda7 100644 --- a/x-pack/filebeat/module/squid/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/squid/_meta/docs.asciidoc @@ -51,7 +51,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/squid/log/config/input.yml b/x-pack/filebeat/module/squid/log/config/input.yml index ac392325320..5ce8949c381 100644 --- a/x-pack/filebeat/module/squid/log/config/input.yml +++ b/x-pack/filebeat/module/squid/log/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml index caeba41fcbc..9a8f547c6d1 100644 --- a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for Squid processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original @@ -49,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{server.domain}}' + allow_duplicates: false + if: ctx?.server?.domain != null && ctx.server?.domain != '' + - append: + field: related.hosts + value: '{{url.domain}}' + allow_duplicates: false + if: ctx?.url?.domain != null && ctx.url?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json index 5f0e879398a..26b891ba4f1 100644 --- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json @@ -21,9 +21,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "login.yahoo.com" + ], "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -82,6 +85,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199", "207.58.145.61" @@ -145,6 +151,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199", "207.58.145.61" @@ -158,8 +167,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -196,6 +205,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199" ], @@ -208,8 +220,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -246,6 +258,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.google-analytics.com" + ], "related.ip": [ "10.105.21.199" ], @@ -307,6 +322,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199", "207.58.145.61" @@ -367,6 +385,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.google-analytics.com" + ], "related.ip": [ "10.105.21.199", "66.102.9.147" @@ -430,6 +451,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "207.58.145.61", "10.105.21.199" @@ -493,6 +517,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199", "207.58.145.61" @@ -506,8 +533,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -556,9 +583,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -569,8 +599,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -607,6 +637,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199" ], @@ -619,8 +652,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -669,9 +702,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "as.casalemedia.com" + ], "related.ip": [ - "209.85.16.38", - "10.105.21.199" + "10.105.21.199", + "209.85.16.38" ], "related.user": [ "badeyek" @@ -726,6 +762,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.bc.yahoo.com" + ], "related.ip": [ "10.105.21.199", "68.142.213.132" @@ -738,8 +777,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -785,9 +824,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "impgb.tradedoubler.com" + ], "related.ip": [ - "217.212.240.172", - "10.105.21.199" + "10.105.21.199", + "217.212.240.172" ], "related.user": [ "badeyek" @@ -798,8 +840,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -848,9 +890,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "4.adbrite.com" + ], "related.ip": [ - "206.169.136.22", - "10.105.21.199" + "10.105.21.199", + "206.169.136.22" ], "related.user": [ "badeyek" @@ -899,6 +944,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199" ], @@ -911,8 +959,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -961,6 +1009,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "207.58.145.61", "10.105.21.199" @@ -1024,9 +1075,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1037,8 +1091,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1082,6 +1136,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "4.adbrite.com" + ], "related.ip": [ "10.105.21.199", "64.127.126.178" @@ -1145,6 +1202,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "ff.connextra.com" + ], "related.ip": [ "213.160.98.161", "10.105.21.199" @@ -1158,8 +1218,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "302", @@ -1208,6 +1268,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "dd.connextra.com" + ], "related.ip": [ "213.160.98.160", "10.105.21.199" @@ -1258,6 +1321,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ "10.105.47.218" ], @@ -1270,8 +1336,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1316,6 +1382,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "login.yahoo.com" + ], "related.ip": [ "209.73.177.115", "10.105.21.199" @@ -1366,6 +1435,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "update.messenger.yahoo.com" + ], "related.ip": [ "10.105.33.214" ], @@ -1424,9 +1496,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -1436,8 +1511,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1485,9 +1560,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1548,6 +1626,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ "10.105.47.218", "204.13.51.238" @@ -1607,6 +1688,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ "10.105.33.214", "216.155.194.239" @@ -1657,6 +1741,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "rms.adobe.com" + ], "related.ip": [ "10.105.37.58" ], @@ -1707,6 +1794,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "images.hi5.com" + ], "related.ip": [ "10.105.47.218" ], @@ -1719,8 +1809,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1757,6 +1847,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "images.hi5.com" + ], "related.ip": [ "10.105.47.218" ], @@ -1818,6 +1911,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ "204.13.51.238", "10.105.47.218" @@ -1881,6 +1977,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ "10.105.47.218", "204.13.51.238" @@ -1940,9 +2039,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -1952,8 +2054,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1996,6 +2098,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.194.14" @@ -2009,8 +2114,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2056,9 +2161,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -2069,8 +2177,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2115,9 +2223,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2172,9 +2283,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "address.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "209.191.93.51" + "209.191.93.51", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2185,8 +2299,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2235,9 +2349,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "fxfeeds.mozilla.org" + ], "related.ip": [ - "10.105.21.199", - "63.245.209.21" + "63.245.209.21", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -2248,8 +2365,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -2294,6 +2411,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ "68.142.231.252", "10.105.33.214" @@ -2307,8 +2427,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2351,9 +2471,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.194.14" + "68.142.194.14", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2401,6 +2524,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], @@ -2412,8 +2538,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2450,6 +2576,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], @@ -2461,8 +2590,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2499,6 +2628,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], @@ -2510,8 +2642,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2547,6 +2679,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], @@ -2605,9 +2740,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -2655,6 +2793,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], @@ -2666,8 +2807,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2713,6 +2854,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -2772,9 +2916,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -2784,8 +2931,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2831,6 +2978,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -2891,6 +3041,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.219.132" @@ -2904,8 +3057,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2942,6 +3095,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.47.191" ], @@ -2953,8 +3109,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2991,6 +3147,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.47.191" ], @@ -3049,9 +3208,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3109,9 +3271,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3122,8 +3287,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3169,6 +3334,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -3182,8 +3350,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3229,6 +3397,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -3242,8 +3413,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3280,6 +3451,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3330,6 +3504,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3380,6 +3557,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.i1.yimg.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3439,6 +3619,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "newsrss.bbc.co.uk" + ], "related.ip": [ "212.58.226.33", "10.105.21.199" @@ -3452,8 +3635,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_MISS", - "GET" + "GET", + "TCP_REFRESH_MISS" ], "rsa.misc.content_type": "application/xml", "rsa.misc.result_code": "200", @@ -3499,6 +3682,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ "68.142.231.252", "10.105.33.214" @@ -3550,6 +3736,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.ent1.yimg.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3600,6 +3789,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.news1.yimg.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3612,8 +3804,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -3659,6 +3851,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -3671,8 +3866,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -3721,9 +3916,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.news1.yimg.com" + ], "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3734,8 +3932,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -3781,6 +3979,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.music.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -3794,8 +3995,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3841,6 +4042,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.music.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.219.132" @@ -3854,8 +4058,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3901,9 +4105,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3952,6 +4159,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "natrocket.kmip.net" + ], "related.ip": [ "10.105.37.65" ], @@ -4002,6 +4212,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "natrocket.kmip.net" + ], "related.ip": [ "10.105.37.65" ], @@ -4014,8 +4227,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4064,9 +4277,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.news1.yimg.com" + ], "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" @@ -4124,9 +4340,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4184,9 +4403,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -4197,8 +4419,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -4247,9 +4469,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.a2.yimg.com" + ], "related.ip": [ - "213.160.98.152", - "10.105.33.214" + "10.105.33.214", + "213.160.98.152" ], "related.user": [ "adeolaegbedokun" @@ -4260,8 +4485,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/x-shockwave-flash", "rsa.misc.result_code": "200", @@ -4307,6 +4532,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.219.132" @@ -4365,6 +4593,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.bc.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.213.132" @@ -4378,8 +4609,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4423,6 +4654,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.194.14" @@ -4436,8 +4670,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4480,9 +4714,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "pclick.internal.yahoo.com" + ], "related.ip": [ - "216.109.124.55", - "10.105.33.214" + "10.105.33.214", + "216.109.124.55" ], "related.user": [ "adeolaegbedokun" @@ -4530,6 +4767,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214" ], @@ -4592,6 +4832,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214", "213.160.98.159" @@ -4605,8 +4848,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -4655,6 +4898,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214", "213.160.98.159" @@ -4668,8 +4914,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4714,9 +4960,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "login.yahoo.com" + ], "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -4726,8 +4975,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4776,9 +5025,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ - "213.160.98.167", - "10.105.33.214" + "10.105.33.214", + "213.160.98.167" ], "related.user": [ "adeolaegbedokun" @@ -4789,8 +5041,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -4839,6 +5091,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "213.160.98.159", "10.105.33.214" @@ -4852,8 +5107,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4890,6 +5145,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214" ], @@ -4902,8 +5160,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4952,6 +5210,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214", "213.160.98.167" @@ -5015,6 +5276,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "213.160.98.159", "10.105.33.214" @@ -5078,6 +5342,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214", "213.160.98.167" @@ -5129,6 +5396,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.google.com" + ], "related.ip": [ "10.105.37.180" ], @@ -5141,8 +5411,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5179,6 +5449,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.47.191" ], @@ -5236,9 +5509,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "launch.adserver.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "216.109.125.112" + "216.109.125.112", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -5296,9 +5572,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "uk.f250.mail.yahoo.com" + ], "related.ip": [ - "10.105.21.199", - "217.12.10.96" + "217.12.10.96", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -5346,6 +5625,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "login.live.com" + ], "related.ip": [ "10.105.37.180" ], @@ -5407,6 +5689,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js2.yimg.com" + ], "related.ip": [ "213.160.98.169", "10.105.21.199" @@ -5420,8 +5705,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_SWAPFAIL_MISS", - "GET" + "GET", + "TCP_SWAPFAIL_MISS" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -5458,6 +5743,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js1.yimg.com" + ], "related.ip": [ "10.105.21.199" ], @@ -5470,8 +5758,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -5520,6 +5808,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js2.yimg.com" + ], "related.ip": [ "10.105.21.199", "213.160.98.169" @@ -5533,8 +5824,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -5571,6 +5862,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js1.yimg.com" + ], "related.ip": [ "10.105.21.199" ], @@ -5621,6 +5915,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js2.yimg.com" + ], "related.ip": [ "10.105.21.199" ], @@ -5671,6 +5968,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.i1.yimg.com" + ], "related.ip": [ "10.105.21.199" ], @@ -5683,8 +5983,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Alert-Overview.json b/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-alert-overview.json similarity index 59% rename from x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Alert-Overview.json rename to x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-alert-overview.json index c2c7d067e68..bf71ad88838 100644 --- a/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Alert-Overview.json +++ b/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-alert-overview.json @@ -1,5 +1,200 @@ { "objects": [ + { + "attributes": { + "description": "Overview of the Suricata Alerts dashboard.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "1", + "w": 23, + "x": 0, + "y": 4 + }, + "panelIndex": "1", + "panelRefName": "panel_0", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 26, + "i": "2", + "w": 25, + "x": 23, + "y": 0 + }, + "panelIndex": "2", + "panelRefName": "panel_1", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "3", + "w": 48, + "x": 0, + "y": 41 + }, + "panelIndex": "3", + "panelRefName": "panel_2", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "mapCenter": [ + 38.548165423046584, + -6.328125000000001 + ], + "mapZoom": 2 + }, + "gridData": { + "h": 15, + "i": "4", + "w": 23, + "x": 0, + "y": 26 + }, + "panelIndex": "4", + "panelRefName": "panel_3", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "mapCenter": [ + 41.77131167976407, + 1.9335937500000002 + ], + "mapZoom": 2 + }, + "gridData": { + "h": 15, + "i": "5", + "w": 25, + "x": 23, + "y": 26 + }, + "panelIndex": "5", + "panelRefName": "panel_4", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "7", + "w": 12, + "x": 11, + "y": 14 + }, + "panelIndex": "7", + "panelRefName": "panel_5", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "8", + "w": 11, + "x": 0, + "y": 14 + }, + "panelIndex": "8", + "panelRefName": "panel_6", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "e86b7f30-96da-4f52-9ff0-cefcaadcc914", + "w": 23, + "x": 0, + "y": 0 + }, + "panelIndex": "e86b7f30-96da-4f52-9ff0-cefcaadcc914", + "panelRefName": "panel_7", + "version": "7.9.0-SNAPSHOT" + } + ], + "timeRestore": false, + "title": "[Filebeat Suricata] Alert Overview", + "version": 1 + }, + "id": "05268ee0-86d1-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "494fa290-86d2-11e8-b59d-21efb914e65c-ecs", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "16033310-86d3-11e8-b59d-21efb914e65c-ecs", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "panel_2", + "type": "search" + }, + { + "id": "85fed080-86d7-11e8-b59d-21efb914e65c-ecs", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "a09ca070-86d7-11e8-b59d-21efb914e65c-ecs", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "2ccdc1a0-86d8-11e8-b59d-21efb914e65c-ecs", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "c7b8b8f0-86d8-11e8-b59d-21efb914e65c-ecs", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "908e8c90-d296-11ea-90e3-8767fe7ccf14", + "name": "panel_7", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-07-30T19:13:51.743Z", + "version": "WzEwMTUsMV0=" + }, { "attributes": { "description": "", @@ -12,8 +207,8 @@ } } }, - "savedSearchId": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", - "title": "Top Alerting Hosts [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Top Alerting Hosts [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -29,11 +224,17 @@ "enabled": true, "id": "2", "params": { - "customInterval": "2h", + "drop_partials": false, "extended_bounds": {}, "field": "@timestamp", "interval": "auto", - "min_doc_count": 1 + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-6y", + "to": "now" + }, + "useNormalizedEsInterval": true }, "schema": "segment", "type": "date_histogram" @@ -82,6 +283,9 @@ "color": "#eee" } }, + "labels": { + "show": false + }, "legendPosition": "right", "seriesParams": [ { @@ -97,6 +301,13 @@ "valueAxis": "ValueAxis-1" } ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, "times": [], "type": "histogram", "valueAxes": [ @@ -123,14 +334,27 @@ } ] }, - "title": "Top Alerting Hosts [Filebeat Suricata] ECS", + "title": "Top Alerting Hosts [Filebeat Suricata]", "type": "histogram" } }, "id": "494fa290-86d2-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:23.933Z", - "version": 1 + "updated_at": "2020-07-30T19:09:55.677Z", + "version": "WzkwNCwxXQ==" }, { "attributes": { @@ -144,8 +368,8 @@ } } }, - "savedSearchId": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", - "title": "Top Alert Signatures [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Top Alert Signatures [Filebeat Suricata]", "uiStateJSON": { "vis": { "params": { @@ -171,14 +395,14 @@ "id": "2", "params": { "customLabel": "Alert Signature", - "field": "suricata.eve.alert.signature", + "field": "rule.name", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", "orderBy": "1", "otherBucket": false, "otherBucketLabel": "Other", - "size": 10 + "size": 15 }, "schema": "bucket", "type": "terms" @@ -188,7 +412,7 @@ "id": "3", "params": { "customLabel": "Alert Category", - "field": "suricata.eve.alert.category", + "field": "rule.category", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -203,6 +427,7 @@ ], "params": { "perPage": 10, + "percentageCol": "", "showMetricsAtAllLevels": false, "showPartialRows": false, "showTotal": false, @@ -212,14 +437,27 @@ }, "totalFunc": "sum" }, - "title": "Top Alert Signatures [Filebeat Suricata] ECS", + "title": "Top Alert Signatures [Filebeat Suricata]", "type": "table" } }, "id": "16033310-86d3-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:23.933Z", - "version": 1 + "updated_at": "2020-07-30T19:11:35.746Z", + "version": "Wzk0MywxXQ==" }, { "attributes": { @@ -245,22 +483,17 @@ "meta": { "alias": null, "disabled": false, - "index": "filebeat-*", - "key": "suricata.eve.event_type", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.kind", "negate": false, "params": { - "query": "alert", - "type": "phrase" + "query": "alert" }, - "type": "phrase", - "value": "alert" + "type": "phrase" }, "query": { - "match": { - "suricata.eve.event_type": { - "query": "alert", - "type": "phrase" - } + "match_phrase": { + "event.kind": "alert" } } }, @@ -271,15 +504,13 @@ "meta": { "alias": null, "disabled": false, - "index": "filebeat-*", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "event.module", "negate": false, "params": { - "query": "suricata", - "type": "phrase" + "query": "suricata" }, - "type": "phrase", - "value": "suricata" + "type": "phrase" }, "query": { "match": { @@ -292,7 +523,7 @@ } ], "highlightAll": true, - "index": "filebeat-*", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { "language": "kuery", "query": "" @@ -301,16 +532,41 @@ } }, "sort": [ - "@timestamp", - "desc" + [ + "@timestamp", + "desc" + ] ], - "title": "Alerts [Filebeat Suricata] ECS", + "title": "Alerts [Filebeat Suricata]", "version": 1 }, "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], "type": "search", - "updated_at": "2018-11-07T22:56:23.933Z", - "version": 1 + "updated_at": "2020-07-30T18:46:18.887Z", + "version": "WzYyNiwxXQ==" }, { "attributes": { @@ -324,8 +580,8 @@ } } }, - "savedSearchId": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", - "title": "Alert - Source Location [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Alert - Source Location [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -344,11 +600,6 @@ "autoPrecision": true, "field": "source.geo.location", "isFilteredByCollar": true, - "mapCenter": [ - 0, - 0 - ], - "mapZoom": 2, "precision": 2, "useGeocentroid": true }, @@ -395,14 +646,27 @@ ] } }, - "title": "Alert - Source Location [Filebeat Suricata] ECS", + "title": "Alert - Source Location [Filebeat Suricata]", "type": "tile_map" } }, "id": "85fed080-86d7-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:23.933Z", - "version": 1 + "updated_at": "2020-07-30T19:13:13.311Z", + "version": "Wzk5MCwxXQ==" }, { "attributes": { @@ -416,8 +680,8 @@ } } }, - "savedSearchId": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", - "title": "Alert - Destination Location [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Alert - Destination Location [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -436,11 +700,6 @@ "autoPrecision": true, "field": "destination.geo.location", "isFilteredByCollar": true, - "mapCenter": [ - 0, - 0 - ], - "mapZoom": 2, "precision": 2, "useGeocentroid": true }, @@ -487,14 +746,27 @@ ] } }, - "title": "Alert - Destination Location [Filebeat Suricata] ECS", + "title": "Alert - Destination Location [Filebeat Suricata]", "type": "tile_map" } }, "id": "a09ca070-86d7-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:23.933Z", - "version": 1 + "updated_at": "2020-07-30T19:13:34.582Z", + "version": "WzEwMDQsMV0=" }, { "attributes": { @@ -508,8 +780,8 @@ } } }, - "savedSearchId": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", - "title": "Alerts - Top Destination Countries [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Alerts - Top Destination Countries [Filebeat Suricata]", "uiStateJSON": { "vis": { "params": { @@ -550,6 +822,7 @@ ], "params": { "perPage": 5, + "percentageCol": "", "showMetricsAtAllLevels": false, "showPartialRows": false, "showTotal": false, @@ -559,14 +832,27 @@ }, "totalFunc": "sum" }, - "title": "Alerts - Top Destination Countries [Filebeat Suricata] ECS", + "title": "Alerts - Top Destination Countries [Filebeat Suricata]", "type": "table" } }, "id": "2ccdc1a0-86d8-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:23.933Z", - "version": 1 + "updated_at": "2020-07-30T19:12:34.381Z", + "version": "Wzk2OSwxXQ==" }, { "attributes": { @@ -580,8 +866,8 @@ } } }, - "savedSearchId": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", - "title": "Alerts - Top Source Countries [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Alerts - Top Source Countries [Filebeat Suricata]", "uiStateJSON": { "vis": { "params": { @@ -622,6 +908,7 @@ ], "params": { "perPage": 5, + "percentageCol": "", "showMetricsAtAllLevels": false, "showPartialRows": false, "showTotal": false, @@ -631,156 +918,66 @@ }, "totalFunc": "sum" }, - "title": "Alerts - Top Source Countries [Filebeat Suricata] ECS", + "title": "Alerts - Top Source Countries [Filebeat Suricata]", "type": "table" } }, "id": "c7b8b8f0-86d8-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:23.933Z", - "version": 1 + "updated_at": "2020-07-30T19:12:12.735Z", + "version": "Wzk1NCwxXQ==" }, { "attributes": { - "description": "Overview of the Suricata Alerts dashboard.", - "hits": 0, + "description": "", "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [], - "highlightAll": true, "query": { "language": "kuery", "query": "" - }, - "version": true + } } }, - "optionsJSON": { - "darkTheme": false, - "hidePanelTitles": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": {}, - "gridData": { - "h": 10, - "i": "1", - "w": 23, - "x": 0, - "y": 0 - }, - "id": "494fa290-86d2-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "1", - "type": "visualization", - "version": "6.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 22, - "i": "2", - "w": 25, - "x": 23, - "y": 0 - }, - "id": "16033310-86d3-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "2", - "type": "visualization", - "version": "6.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 16, - "i": "3", - "w": 48, - "x": 0, - "y": 37 - }, - "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "3", - "type": "search", - "version": "6.3.0" - }, - { - "embeddableConfig": { - "mapCenter": [ - 38.548165423046584, - -6.328125000000001 - ], - "mapZoom": 2 - }, - "gridData": { - "h": 15, - "i": "4", - "w": 23, - "x": 0, - "y": 22 - }, - "id": "85fed080-86d7-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "4", - "type": "visualization", - "version": "6.3.0" - }, - { - "embeddableConfig": { - "mapCenter": [ - 41.77131167976407, - 1.9335937500000002 - ], - "mapZoom": 2 - }, - "gridData": { - "h": 15, - "i": "5", - "w": 25, - "x": 23, - "y": 22 - }, - "id": "a09ca070-86d7-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "5", - "type": "visualization", - "version": "6.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 12, - "i": "7", - "w": 12, - "x": 11, - "y": 10 - }, - "id": "2ccdc1a0-86d8-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "7", - "type": "visualization", - "version": "6.3.0" + "title": "Navigation [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 18, + "markdown": "![Hello World](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADwAAAAyCAYAAAAA9rgCAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAACXBIWXMAAJ17AACdewE8n3fEAAABWWlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iWE1QIENvcmUgNS40LjAiPgogICA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogICAgICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIgogICAgICAgICAgICB4bWxuczp0aWZmPSJodHRwOi8vbnMuYWRvYmUuY29tL3RpZmYvMS4wLyI+CiAgICAgICAgIDx0aWZmOk9yaWVudGF0aW9uPjE8L3RpZmY6T3JpZW50YXRpb24+CiAgICAgIDwvcmRmOkRlc2NyaXB0aW9uPgogICA8L3JkZjpSREY+CjwveDp4bXBtZXRhPgpMwidZAAAN5UlEQVRoBe1ZeXCU5Rn/7b25s9nEHJAQAhggCIKCThFpFRXFa+yhTtVSndaZUvWPVjqt1bGHY6cdrVNq66C21UpbT7wwxqMjAh4oBCGQC8KRY7Ob3WQ3e9/9Pe/uh2ukrePM7h/oM2S/73ve87l+z/O+6NIkfIFI/wWSVYn6pcAnu8W/tPCXFj7JNPClS59kBv2UOF84Cxs/pYJ8M1jYHS/udIBOV1idF1ZgqWJ1Ov6jpFlKp1PqrVCCF07grLDJeBT+oX5Ex52wVk9DxYy5muwFeRbGn7LCphIx9G26A933noZ0KoFEyAvHe1uUAgoiLRcpiMCMWiVPYGQAvg/vg7lhFpLRIGL+cQxsuBTO95/PyCuKyTMVxqVFDoZtPBSAjivqjJUY/OfXYWlciXl370bVnMUZMXNiO19yF0bg7O6jXicgGJWKw1y3CG3rNsNcZlOonQtk+RJW5i2MwFnLBYcOQGeSZVNIx4eRSiblo6CU/xhmXIr1ktEwQke2Qm+lfPoixMcnEHQMZIQtQOxqWs27wBoMxYKTFHILLdwMmhdSb4RdR7V9FOyZd4G1EsNosUJfvATppI+opVe4HXFnBS4AWGkazbvAUlkJGYvLYKlZhnR0AqnIXpS2fgeRsV5Ibs4AluYL2tby88y/wLJvFcd6GIpsMNpWwFx9BUzl05Dw9SPgOCI9WIicRAJrohiLK5COuVA0/UyEht7m8xwMvvIA3TxBLxfdaz2VDvLyUxALazk2HvAQuHqRDPtgrVvKdBxFMngMrn3blXCFsHLeBdaOglGfB6HDj9Gl52Dyo9+w2rLSsnEYy5sI2uG8WPNEk+ZdYIlfId+RLlrXRUHLVS6OjOyEscSORGBUAdeJNpcPXt4F1tzZ270NejNFSEUodDOSoR7+uVExbw0q5yxVsun0WhLLh6iZOfNbWop1mZbiLDqCBzczD5cTjUMEqDLEJ/ahePpizLhwbVY68YT8C/yxhbk5FW/KBXPQUr4VL7sveUzlad/aM4u2WvwGRg4h5tpNC7dwbIzDo6qmrllykZo0LTW1WiZnXW05bU55apTLy33PRflP8LWB2cODXLPIFcsn9SsLkHOiKmgqb+o3R2pXN7KUt/f9zMlbXecYlFvrLWQZ+E7SaU/1NeXnBHOfcE9Thv23PkaxlgibjEV4IJ+guxlgKa/iJtjE/Jhg0S+KM1gs0BvNPOEk1EEgw2O5aDQhEQnRVeXkIwqiFq3Fak55jwUmMLFnIwxl4s5+SmmhkfthqroUxqJStU0ZG/W61VhzuZ2K+DjSZLzK0+SZSyvVGmo98YocZYiCDSYzDGY5nfDsHfRlqjjKY+I47c7MKIPGmAeH23/BnPgRuxphbbgM827agAg30f3HFUiFBzDz+u2oXrAcQecg+jZeSOw5iJa178M+dxkOv/QgvJ3rmWJWUVEmVlGNsC26HA1nr4G3fw9io50w10odPcn5TUhFAWv9UqWYycE+HHvpXsTcO5Dw96P+4ifQeN63Zc9UZBDdD11LdO+AseIctN3yCkwsUQeevx/+nk1E+wbOGYLeVMGqrQN1qzdj+ooraZQ4+p74McJHH2Ho6NB2mwPWqlraNg3jeH8nDm5YAWM1PU2MGaN2PBtZFNxHA+mQCg2wUCBfWZC74KBU6KDicWa1sVQ8osamjHsRG3MhVsw09MFGRFx/gKmsCpVn3QH/gXuoDHpK0VJ6ElC14DzlUT33t2bPyPSGY0B0YkjNKT/RSQ9jvwP60oWcdzuiPrcSOObpReRgDywto9yhAQkWMuEuKmjFuBobD/gQGWmHztKGhGc/wuOjSmDZu9657XEY6CmG4jPQdM0WzPkhrbbilxxIPxYPpXfJX677yLVBLk/cX7qbbOdg5k2voXjO92CZ1gxn+62I+VwoaVyI6CCFXPoAXXkB21pR3XY2jr3+VxlGS1Wj9sLHMfv2DpQ2LVKblp+IxyFZjBasQoqGCHtGVFv9+bei5dZ2mCrPZbsHRTO+jzl3vQ7b/OWqXYqcpH+YIFmlvsNj1GSWjOGRfyurVi66EfVnXaLY9nnL1DPq92a6qatj2VqW5FX701hxbsxcjrozL0B583wc+P3DKu+aK+pQVNOE4tb5mH7+Dej7++1ovbkDcl3r2/eg0mPF6T9F06rrtdmVNwmWhJxHxCikpOgeYX6DYWWfm8nbnt3PMgwYHjWzUHfGKumoSBTDWyTukR5Irwo5+hVfagK9zlCiXCrqOaKY6RSvX/iX+eBqstJnIfaTvaUScRTZ6mCpv0G5vfq216Fs/ncJfPR1HhJKamcg5B5h3A1AlrK1natWkL5CGsCEHb1KaWkpVli0hB09ql1iMckwkpCSMElnxwmgCoVGD8mRW5HcsEQcexXwiXb1pXOuUA3+fb/D0LZnM6eWjFozIz7LL/vLEJV3Oam6lqUPEtRpnBjMFXakQ2N0MzeqWldi4MUN8O7fCpHfWsI/IrOQCg1RG+eQg0XEsRu6IqC0hZ7Hu7Dw6B6VNcRSmlKUlvktpNdL7KU5rluFXMms1cSM0xB1PosYUVv1qT/namqK2GxbhqGnvgF31ztcmGr7H5QRLmNRNQlLQhPXMhv1KqUEHUcQHP4Xgoy7dHE1TEVl0M2+EFtumw437Kg5cw2cww70HAQOyUWmiVJlSdO1hFPE+QIsZSsYmyupnFlITbyMOO+yFYmC+SJ/x4lyy1VwxLlTeURl6woYSlpY1QWY9sZUN31pXTMar25HzLGTqeMsDPxtOfzDh1RjbvFwfFK+GKkPMzWulb7BaApDo0D3oXG8tflpPPbzW9D+KvDiw0DJnAweHOjqw9NPAE/+6GKUNbQg0bwczz8J7PigHrHkx3GjVWeOESee+y2wzzUNxpoWDPtnQK7Agh5qSBFTDDeg7SHLVMge92wnCC9ESf1MClyrMkh4bEh14eVSGvXLVqPuskeYjt4nYhpw+On1qlFHF5HMIx6T9RqlUV+AwjGcvJGMfrtGUtjyFLCt413846pv4dieHaD3Yu32t1FT36DmMpkMqOBb1YIraRa6VCwMG79LSnj4133CTqr/6NAgBGpitlNha5iB/lgrHtsE9PQdUe1yQTIeSCPGsFd3B4orSO5AglhrqlqisMJinymYRwA8rHrotaWaV9+EiiU/Y3AnEex7Dp7eXZCLNzOtGScWRDN4ggDd9KVngI4tnCTLE2WIU1a3tGLWNZfAoPOjYv4CnHr64uw2KCMVy3WRYEUn2rOWlCjlxdxjiEdZiQixj3a6Gh3oRzlZRVYTxp0jKCu1giGP4f4+6cmxOuw8mMLmjQwLlyYFFeQ6DBO9z2gtZ/5lGuNaggPh0W41Si8LaOjWdPE6ImkdzKxzIyO9iCWS2NcLvPAg4A5lJqVtYCDyMXUf/48puZ6h0VF/+nKsXrcekT2A640uHOraS26GpIgRUk9OVV5lFxxCiGYM+DKAkqSyZT/JRAJDXZ2wzwC6Nj+MXzdMw+G3noN9NgXu2qXaDQY9TPoUaEx4gh8L/FHnfjhCnHfoTfTePw2B/RtgtFcRyHYwvv3QS5xqtWtxdT30lSvRd4BaGw0hntLhg210HU6qXb9I6kgMkEEyWTN1q7xLFoiFgphJy1ZfuVJZ78C726XpOMm2JL+mGCf22jqUssYQBR7a26n6GMU0pMCkF67OdmJKDWLOYzA20gBDR2GqaYTrvWeoIK86eIiCZIQhGxLRcAi7dnyIN7cCr7yyH4QNTHqHacAapCd3IsKCRD/42qMY+7ADvtFB7Hj5eXS078BLr1GAyjrYaIVTzlgCKfG7dmxFJBhAV1YIK0OjsvoU2R+tolf/ZxPx+5Tl5p5/ubJnz6tPwj+RQVVRrNhYHTbicY6twcyLboGFgb3tT3eic9tbGDjQhd49uzHpGYfvPaIqq4obn9qJOzvduH7TVsRdgwjQMydYvoqvyJyiRA3oJicmEOp9DUbixyW/fRNr/uxGw9pd2NWdwAR5MQ+rr/Ej+/Didatx36omPHnZVXBsH0IjXantjKUqPS3+5s3KbXpefBS/+moN3nnobgS5yPwb1qOGriakeYiG6nPP+ooSzt2xG0f7iG6kFFFGvEBnJBBmC5vzrrsJXnqznNQ2XfM1/KTtNHS9s42bc4FeifJZ52LmvDaU2eyY2bYQRU3zIKXF2MgwfzOKljm1VDbucsK/n3m9zYbZCxbCZrejed4CONKL8PRfBPCOQj9WvgQ7Gac+7otpFPVrVuEHHd2wnVKrJr3g2htw/j13wfvuILwfRjDx7hAWrluLq25dr9rlJ84jJCs8SNEuq89onYcK4pXwOt9oly6q0pFIjU44lUcIb/Zpi7DurTeQjmRypHhSma0KQ33d8PC9vKEJJgEUkrWoCOWNpyrlD3bzpECSI6Ccv+S4KDR8sA9i+7KmxbAWC8Qx7Jg/G2Y1q3773mGNQXdIe6lRn9tNdzOirpGLEJ01N9FQc+hQP/xeL4qIro2zT4WBfaWPtIuLRUMhVlZm2OvqFc8z6kA8FmM/Az1hOibHPQj6/URQE6rYR0+g08b7vRNwO0a4OTNOmd6I4OQkIsQDa3EJbDWZsJHNjztHEY1EYCmykl8LWSPBNSwUTvp5ifhhhp2Z2GKvrZchioQv8xl4yFECaw3aU2rpzMV4Jj40obV2eWqbzeV9nvfctT7PeG3MZ92PElg6U4LMWMlb/JtK6lBBpmqZ0uf4+Bz+VN7U79z5j7cJU1tb9pMznzQd75fl/79vGSOU2+8/QDU5FFmyNvEAAAAASUVORK5CYII=) [Events](/app/dashboards#/view/78289c40-86da-11e8-b59d-21efb914e65c-ecs) | [Alerts](/app/dashboards#/view/05268ee0-86d1-11e8-b59d-21efb914e65c-ecs)", + "openLinksInNewTab": false }, - { - "embeddableConfig": {}, - "gridData": { - "h": 12, - "i": "8", - "w": 11, - "x": 0, - "y": 10 - }, - "id": "c7b8b8f0-86d8-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "8", - "type": "visualization", - "version": "6.3.0" - } - ], - "timeRestore": false, - "title": "[Filebeat Suricata] Alert Overview ECS", - "version": 1 + "title": "Navigation [Filebeat Suricata]", + "type": "markdown" + } }, - "id": "05268ee0-86d1-11e8-b59d-21efb914e65c-ecs", - "type": "dashboard", - "updated_at": "2018-11-07T22:56:23.933Z", - "version": 1 + "id": "908e8c90-d296-11ea-90e3-8767fe7ccf14", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-07-30T18:57:50.040Z", + "version": "Wzc1MywxXQ==" } ], - "version": "6.4.3" -} + "version": "7.9.0-SNAPSHOT" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Overview.json b/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-event-overview.json similarity index 51% rename from x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Overview.json rename to x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-event-overview.json index 0ef910161a7..908f98394cb 100644 --- a/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Overview.json +++ b/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-event-overview.json @@ -1,5 +1,244 @@ { "objects": [ + { + "attributes": { + "description": "Overview of the Surcata events dashboard.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "1", + "w": 48, + "x": 0, + "y": 4 + }, + "panelIndex": "1", + "panelRefName": "panel_0", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "2", + "w": 9, + "x": 0, + "y": 24 + }, + "panelIndex": "2", + "panelRefName": "panel_1", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "3", + "w": 11, + "x": 19, + "y": 24 + }, + "panelIndex": "3", + "panelRefName": "panel_2", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "4", + "w": 48, + "x": 0, + "y": 14 + }, + "panelIndex": "4", + "panelRefName": "panel_3", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 19, + "i": "5", + "w": 48, + "x": 0, + "y": 38 + }, + "panelIndex": "5", + "panelRefName": "panel_4", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "6", + "w": 9, + "x": 30, + "y": 24 + }, + "panelIndex": "6", + "panelRefName": "panel_5", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "7", + "w": 9, + "x": 39, + "y": 24 + }, + "panelIndex": "7", + "panelRefName": "panel_6", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "8", + "w": 10, + "x": 9, + "y": 24 + }, + "panelIndex": "8", + "panelRefName": "panel_7", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "9", + "w": 48, + "x": 0, + "y": 57 + }, + "panelIndex": "9", + "panelRefName": "panel_8", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 4, + "i": "78f64fb8-a6ed-4960-a73b-a8c42c40f799", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "78f64fb8-a6ed-4960-a73b-a8c42c40f799", + "panelRefName": "panel_9", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "63e14057-b48b-48fe-b3e2-84f7690d60e8", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "63e14057-b48b-48fe-b3e2-84f7690d60e8", + "panelRefName": "panel_10", + "version": "7.9.0-SNAPSHOT" + } + ], + "timeRestore": false, + "title": "[Filebeat Suricata] Events Overview", + "version": 1 + }, + "id": "78289c40-86da-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "c7d46c60-86da-11e8-b59d-21efb914e65c-ecs", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "0a0aa630-86db-11e8-b59d-21efb914e65c-ecs", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "728f64c0-86db-11e8-b59d-21efb914e65c-ecs", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "9d5b5b50-86db-11e8-b59d-21efb914e65c-ecs", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "panel_4", + "type": "search" + }, + { + "id": "5f99eb50-86dc-11e8-b59d-21efb914e65c-ecs", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "8e7f88d0-86dc-11e8-b59d-21efb914e65c-ecs", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "0a363820-86dd-11e8-b59d-21efb914e65c-ecs", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "d57a2db0-86ca-11e8-b59d-21efb914e65c-ecs", + "name": "panel_8", + "type": "search" + }, + { + "id": "908e8c90-d296-11ea-90e3-8767fe7ccf14", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "169c0600-d297-11ea-90e3-8767fe7ccf14", + "name": "panel_10", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-07-30T19:08:06.676Z", + "version": "Wzg3MiwxXQ==" + }, { "attributes": { "description": "", @@ -12,8 +251,8 @@ } } }, - "savedSearchId": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", - "title": "Activity Types over Time [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Activity Types over Time [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -29,11 +268,17 @@ "enabled": true, "id": "2", "params": { - "customInterval": "2h", + "drop_partials": false, "extended_bounds": {}, "field": "@timestamp", "interval": "auto", - "min_doc_count": 1 + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-6y", + "to": "now" + }, + "useNormalizedEsInterval": true }, "schema": "segment", "type": "date_histogram" @@ -82,6 +327,9 @@ "color": "#eee" } }, + "labels": { + "show": false + }, "legendPosition": "right", "seriesParams": [ { @@ -97,6 +345,13 @@ "valueAxis": "ValueAxis-1" } ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, "times": [], "type": "histogram", "valueAxes": [ @@ -123,14 +378,27 @@ } ] }, - "title": "Activity Types over Time [Filebeat Suricata] ECS", + "title": "Activity Types over Time [Filebeat Suricata]", "type": "histogram" } }, "id": "c7d46c60-86da-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T18:59:25.617Z", + "version": "Wzc2OCwxXQ==" }, { "attributes": { @@ -144,8 +412,8 @@ } } }, - "savedSearchId": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", - "title": "Event Types [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Event Types [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -161,7 +429,8 @@ "enabled": true, "id": "2", "params": { - "field": "suricata.eve.event_type", + "customLabel": "ECS Event Type", + "field": "event.type", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", @@ -172,6 +441,23 @@ }, "schema": "segment", "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Suricata Event Type", + "field": "suricata.eve.event_type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" } ], "params": { @@ -187,14 +473,27 @@ "legendPosition": "bottom", "type": "pie" }, - "title": "Event Types [Filebeat Suricata] ECS", + "title": "Event Types [Filebeat Suricata]", "type": "pie" } }, "id": "0a0aa630-86db-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T19:06:59.207Z", + "version": "Wzg1OCwxXQ==" }, { "attributes": { @@ -208,8 +507,8 @@ } } }, - "savedSearchId": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", - "title": "Top Application Protocols [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Top Network Protocols [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -251,14 +550,27 @@ "legendPosition": "bottom", "type": "pie" }, - "title": "Top Application Protocols [Filebeat Suricata] ECS", + "title": "Top Network Protocols [Filebeat Suricata]", "type": "pie" } }, "id": "728f64c0-86db-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T18:49:07.711Z", + "version": "WzY3NSwxXQ==" }, { "attributes": { @@ -272,8 +584,8 @@ } } }, - "savedSearchId": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", - "title": "Top Hosts Generating Events [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Top Hosts Generating Events [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -289,11 +601,17 @@ "enabled": true, "id": "2", "params": { - "customInterval": "2h", + "drop_partials": false, "extended_bounds": {}, "field": "@timestamp", "interval": "auto", - "min_doc_count": 1 + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-6y", + "to": "now" + }, + "useNormalizedEsInterval": true }, "schema": "segment", "type": "date_histogram" @@ -342,6 +660,9 @@ "color": "#eee" } }, + "labels": { + "show": false + }, "legendPosition": "right", "seriesParams": [ { @@ -357,6 +678,13 @@ "valueAxis": "ValueAxis-1" } ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, "times": [], "type": "histogram", "valueAxes": [ @@ -383,20 +711,32 @@ } ] }, - "title": "Top Hosts Generating Events [Filebeat Suricata] ECS", + "title": "Top Hosts Generating Events [Filebeat Suricata]", "type": "histogram" } }, "id": "9d5b5b50-86db-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T18:59:45.518Z", + "version": "Wzc4MCwxXQ==" }, { "attributes": { "columns": [ "host.name", - "suricata.eve.event_type", "suricata.eve.flow_id", "network.transport", "source.ip", @@ -418,22 +758,17 @@ "meta": { "alias": null, "disabled": false, - "index": "filebeat-*", - "key": "suricata.eve.event_type", - "negate": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.kind", + "negate": false, "params": { - "query": "stats", - "type": "phrase" + "query": "event" }, - "type": "phrase", - "value": "stats" + "type": "phrase" }, "query": { - "match": { - "suricata.eve.event_type": { - "query": "stats", - "type": "phrase" - } + "match_phrase": { + "event.kind": "event" } } }, @@ -444,15 +779,13 @@ "meta": { "alias": null, "disabled": false, - "index": "filebeat-*", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "event.module", "negate": false, "params": { - "query": "suricata", - "type": "phrase" + "query": "suricata" }, - "type": "phrase", - "value": "suricata" + "type": "phrase" }, "query": { "match": { @@ -465,7 +798,7 @@ } ], "highlightAll": true, - "index": "filebeat-*", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { "language": "kuery", "query": "" @@ -474,16 +807,41 @@ } }, "sort": [ - "@timestamp", - "desc" + [ + "@timestamp", + "desc" + ] ], - "title": "Events [Filebeat Suricata] ECS", + "title": "Events [Filebeat Suricata]", "version": 1 }, "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], "type": "search", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T18:45:13.363Z", + "version": "WzYyMCwxXQ==" }, { "attributes": { @@ -497,8 +855,8 @@ } } }, - "savedSearchId": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", - "title": "Top Connection Source Countries [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Top Connection Source Countries [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -533,16 +891,29 @@ "minFontSize": 18, "orientation": "single", "scale": "linear", - "showLabel": true + "showLabel": false }, - "title": "Top Connection Source Countries [Filebeat Suricata] ECS", + "title": "Top Connection Source Countries [Filebeat Suricata]", "type": "tagcloud" } }, "id": "5f99eb50-86dc-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T18:49:36.842Z", + "version": "WzY4OCwxXQ==" }, { "attributes": { @@ -556,8 +927,8 @@ } } }, - "savedSearchId": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", - "title": "Top Connection Destination Countries [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Top Connection Destination Countries [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -592,16 +963,29 @@ "minFontSize": 18, "orientation": "single", "scale": "linear", - "showLabel": true + "showLabel": false }, - "title": "Top Connection Destination Countries [Filebeat Suricata] ECS", + "title": "Top Connection Destination Countries [Filebeat Suricata]", "type": "tagcloud" } }, "id": "8e7f88d0-86dc-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T18:50:04.448Z", + "version": "WzcwNSwxXQ==" }, { "attributes": { @@ -615,8 +999,8 @@ } } }, - "savedSearchId": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", - "title": "Top Network Protocols [Filebeat Suricata] ECS", + "savedSearchRefName": "search_0", + "title": "Top Transport Protocols [Filebeat Suricata]", "uiStateJSON": {}, "version": 1, "visState": { @@ -658,14 +1042,27 @@ "legendPosition": "bottom", "type": "pie" }, - "title": "Top Network Protocols [Filebeat Suricata] ECS", + "title": "Top Transport Protocols [Filebeat Suricata]", "type": "pie" } }, "id": "0a363820-86dd-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], "type": "visualization", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T18:48:19.957Z", + "version": "WzY0NiwxXQ==" }, { "attributes": { @@ -690,22 +1087,17 @@ "meta": { "alias": null, "disabled": false, - "index": "filebeat-*", - "key": "suricata.eve.event_type", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.kind", "negate": false, "params": { - "query": "stats", - "type": "phrase" + "query": "metric" }, - "type": "phrase", - "value": "stats" + "type": "phrase" }, "query": { - "match": { - "suricata.eve.event_type": { - "query": "stats", - "type": "phrase" - } + "match_phrase": { + "event.kind": "metric" } } }, @@ -716,15 +1108,13 @@ "meta": { "alias": null, "disabled": false, - "index": "filebeat-*", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "event.module", "negate": false, "params": { - "query": "suricata", - "type": "phrase" + "query": "suricata" }, - "type": "phrase", - "value": "suricata" + "type": "phrase" }, "query": { "match": { @@ -737,7 +1127,7 @@ } ], "highlightAll": true, - "index": "filebeat-*", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { "language": "kuery", "query": "" @@ -746,174 +1136,158 @@ } }, "sort": [ - "@timestamp", - "desc" + [ + "@timestamp", + "desc" + ] ], - "title": "Host Stats [Filebeat Suricata] ECS", + "title": "Host Stats [Filebeat Suricata]", "version": 1 }, "id": "d57a2db0-86ca-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], "type": "search", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "updated_at": "2020-07-30T18:45:50.678Z", + "version": "WzYyMywxXQ==" }, { "attributes": { - "description": "Overview of the Surcata events dashboard.", - "hits": 0, + "description": "", "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [], - "highlightAll": true, "query": { "language": "kuery", "query": "" - }, - "version": true + } } }, - "optionsJSON": { - "darkTheme": false, - "hidePanelTitles": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": {}, - "gridData": { - "h": 10, - "i": "1", - "w": 48, - "x": 0, - "y": 0 - }, - "id": "c7d46c60-86da-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "1", - "type": "visualization", - "version": "6.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 14, - "i": "2", - "w": 9, - "x": 0, - "y": 20 - }, - "id": "0a0aa630-86db-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "2", - "type": "visualization", - "version": "6.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 14, - "i": "3", - "w": 11, - "x": 19, - "y": 20 - }, - "id": "728f64c0-86db-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "3", - "type": "visualization", - "version": "6.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 10, - "i": "4", - "w": 48, - "x": 0, - "y": 10 - }, - "id": "9d5b5b50-86db-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "4", - "type": "visualization", - "version": "6.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 19, - "i": "5", - "w": 48, - "x": 0, - "y": 34 - }, - "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "5", - "type": "search", - "version": "6.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 14, - "i": "6", - "w": 9, - "x": 30, - "y": 20 - }, - "id": "5f99eb50-86dc-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "6", - "type": "visualization", - "version": "6.3.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 14, - "i": "7", - "w": 9, - "x": 39, - "y": 20 - }, - "id": "8e7f88d0-86dc-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "7", - "type": "visualization", - "version": "6.3.0" + "title": "Navigation [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 18, + "markdown": "![Hello World](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADwAAAAyCAYAAAAA9rgCAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAACXBIWXMAAJ17AACdewE8n3fEAAABWWlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iWE1QIENvcmUgNS40LjAiPgogICA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogICAgICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIgogICAgICAgICAgICB4bWxuczp0aWZmPSJodHRwOi8vbnMuYWRvYmUuY29tL3RpZmYvMS4wLyI+CiAgICAgICAgIDx0aWZmOk9yaWVudGF0aW9uPjE8L3RpZmY6T3JpZW50YXRpb24+CiAgICAgIDwvcmRmOkRlc2NyaXB0aW9uPgogICA8L3JkZjpSREY+CjwveDp4bXBtZXRhPgpMwidZAAAN5UlEQVRoBe1ZeXCU5Rn/7b25s9nEHJAQAhggCIKCThFpFRXFa+yhTtVSndaZUvWPVjqt1bGHY6cdrVNq66C21UpbT7wwxqMjAh4oBCGQC8KRY7Ob3WQ3e9/9Pe/uh2ukrePM7h/oM2S/73ve87l+z/O+6NIkfIFI/wWSVYn6pcAnu8W/tPCXFj7JNPClS59kBv2UOF84Cxs/pYJ8M1jYHS/udIBOV1idF1ZgqWJ1Ov6jpFlKp1PqrVCCF07grLDJeBT+oX5Ex52wVk9DxYy5muwFeRbGn7LCphIx9G26A933noZ0KoFEyAvHe1uUAgoiLRcpiMCMWiVPYGQAvg/vg7lhFpLRIGL+cQxsuBTO95/PyCuKyTMVxqVFDoZtPBSAjivqjJUY/OfXYWlciXl370bVnMUZMXNiO19yF0bg7O6jXicgGJWKw1y3CG3rNsNcZlOonQtk+RJW5i2MwFnLBYcOQGeSZVNIx4eRSiblo6CU/xhmXIr1ktEwQke2Qm+lfPoixMcnEHQMZIQtQOxqWs27wBoMxYKTFHILLdwMmhdSb4RdR7V9FOyZd4G1EsNosUJfvATppI+opVe4HXFnBS4AWGkazbvAUlkJGYvLYKlZhnR0AqnIXpS2fgeRsV5Ibs4AluYL2tby88y/wLJvFcd6GIpsMNpWwFx9BUzl05Dw9SPgOCI9WIicRAJrohiLK5COuVA0/UyEht7m8xwMvvIA3TxBLxfdaz2VDvLyUxALazk2HvAQuHqRDPtgrVvKdBxFMngMrn3blXCFsHLeBdaOglGfB6HDj9Gl52Dyo9+w2rLSsnEYy5sI2uG8WPNEk+ZdYIlfId+RLlrXRUHLVS6OjOyEscSORGBUAdeJNpcPXt4F1tzZ270NejNFSEUodDOSoR7+uVExbw0q5yxVsun0WhLLh6iZOfNbWop1mZbiLDqCBzczD5cTjUMEqDLEJ/ahePpizLhwbVY68YT8C/yxhbk5FW/KBXPQUr4VL7sveUzlad/aM4u2WvwGRg4h5tpNC7dwbIzDo6qmrllykZo0LTW1WiZnXW05bU55apTLy33PRflP8LWB2cODXLPIFcsn9SsLkHOiKmgqb+o3R2pXN7KUt/f9zMlbXecYlFvrLWQZ+E7SaU/1NeXnBHOfcE9Thv23PkaxlgibjEV4IJ+guxlgKa/iJtjE/Jhg0S+KM1gs0BvNPOEk1EEgw2O5aDQhEQnRVeXkIwqiFq3Fak55jwUmMLFnIwxl4s5+SmmhkfthqroUxqJStU0ZG/W61VhzuZ2K+DjSZLzK0+SZSyvVGmo98YocZYiCDSYzDGY5nfDsHfRlqjjKY+I47c7MKIPGmAeH23/BnPgRuxphbbgM827agAg30f3HFUiFBzDz+u2oXrAcQecg+jZeSOw5iJa178M+dxkOv/QgvJ3rmWJWUVEmVlGNsC26HA1nr4G3fw9io50w10odPcn5TUhFAWv9UqWYycE+HHvpXsTcO5Dw96P+4ifQeN63Zc9UZBDdD11LdO+AseIctN3yCkwsUQeevx/+nk1E+wbOGYLeVMGqrQN1qzdj+ooraZQ4+p74McJHH2Ho6NB2mwPWqlraNg3jeH8nDm5YAWM1PU2MGaN2PBtZFNxHA+mQCg2wUCBfWZC74KBU6KDicWa1sVQ8osamjHsRG3MhVsw09MFGRFx/gKmsCpVn3QH/gXuoDHpK0VJ6ElC14DzlUT33t2bPyPSGY0B0YkjNKT/RSQ9jvwP60oWcdzuiPrcSOObpReRgDywto9yhAQkWMuEuKmjFuBobD/gQGWmHztKGhGc/wuOjSmDZu9657XEY6CmG4jPQdM0WzPkhrbbilxxIPxYPpXfJX677yLVBLk/cX7qbbOdg5k2voXjO92CZ1gxn+62I+VwoaVyI6CCFXPoAXXkB21pR3XY2jr3+VxlGS1Wj9sLHMfv2DpQ2LVKblp+IxyFZjBasQoqGCHtGVFv9+bei5dZ2mCrPZbsHRTO+jzl3vQ7b/OWqXYqcpH+YIFmlvsNj1GSWjOGRfyurVi66EfVnXaLY9nnL1DPq92a6qatj2VqW5FX701hxbsxcjrozL0B583wc+P3DKu+aK+pQVNOE4tb5mH7+Dej7++1ovbkDcl3r2/eg0mPF6T9F06rrtdmVNwmWhJxHxCikpOgeYX6DYWWfm8nbnt3PMgwYHjWzUHfGKumoSBTDWyTukR5Irwo5+hVfagK9zlCiXCrqOaKY6RSvX/iX+eBqstJnIfaTvaUScRTZ6mCpv0G5vfq216Fs/ncJfPR1HhJKamcg5B5h3A1AlrK1natWkL5CGsCEHb1KaWkpVli0hB09ql1iMckwkpCSMElnxwmgCoVGD8mRW5HcsEQcexXwiXb1pXOuUA3+fb/D0LZnM6eWjFozIz7LL/vLEJV3Oam6lqUPEtRpnBjMFXakQ2N0MzeqWldi4MUN8O7fCpHfWsI/IrOQCg1RG+eQg0XEsRu6IqC0hZ7Hu7Dw6B6VNcRSmlKUlvktpNdL7KU5rluFXMms1cSM0xB1PosYUVv1qT/namqK2GxbhqGnvgF31ztcmGr7H5QRLmNRNQlLQhPXMhv1KqUEHUcQHP4Xgoy7dHE1TEVl0M2+EFtumw437Kg5cw2cww70HAQOyUWmiVJlSdO1hFPE+QIsZSsYmyupnFlITbyMOO+yFYmC+SJ/x4lyy1VwxLlTeURl6woYSlpY1QWY9sZUN31pXTMar25HzLGTqeMsDPxtOfzDh1RjbvFwfFK+GKkPMzWulb7BaApDo0D3oXG8tflpPPbzW9D+KvDiw0DJnAweHOjqw9NPAE/+6GKUNbQg0bwczz8J7PigHrHkx3GjVWeOESee+y2wzzUNxpoWDPtnQK7Agh5qSBFTDDeg7SHLVMge92wnCC9ESf1MClyrMkh4bEh14eVSGvXLVqPuskeYjt4nYhpw+On1qlFHF5HMIx6T9RqlUV+AwjGcvJGMfrtGUtjyFLCt413846pv4dieHaD3Yu32t1FT36DmMpkMqOBb1YIraRa6VCwMG79LSnj4133CTqr/6NAgBGpitlNha5iB/lgrHtsE9PQdUe1yQTIeSCPGsFd3B4orSO5AglhrqlqisMJinymYRwA8rHrotaWaV9+EiiU/Y3AnEex7Dp7eXZCLNzOtGScWRDN4ggDd9KVngI4tnCTLE2WIU1a3tGLWNZfAoPOjYv4CnHr64uw2KCMVy3WRYEUn2rOWlCjlxdxjiEdZiQixj3a6Gh3oRzlZRVYTxp0jKCu1giGP4f4+6cmxOuw8mMLmjQwLlyYFFeQ6DBO9z2gtZ/5lGuNaggPh0W41Si8LaOjWdPE6ImkdzKxzIyO9iCWS2NcLvPAg4A5lJqVtYCDyMXUf/48puZ6h0VF/+nKsXrcekT2A640uHOraS26GpIgRUk9OVV5lFxxCiGYM+DKAkqSyZT/JRAJDXZ2wzwC6Nj+MXzdMw+G3noN9NgXu2qXaDQY9TPoUaEx4gh8L/FHnfjhCnHfoTfTePw2B/RtgtFcRyHYwvv3QS5xqtWtxdT30lSvRd4BaGw0hntLhg210HU6qXb9I6kgMkEEyWTN1q7xLFoiFgphJy1ZfuVJZ78C726XpOMm2JL+mGCf22jqUssYQBR7a26n6GMU0pMCkF67OdmJKDWLOYzA20gBDR2GqaYTrvWeoIK86eIiCZIQhGxLRcAi7dnyIN7cCr7yyH4QNTHqHacAapCd3IsKCRD/42qMY+7ADvtFB7Hj5eXS078BLr1GAyjrYaIVTzlgCKfG7dmxFJBhAV1YIK0OjsvoU2R+tolf/ZxPx+5Tl5p5/ubJnz6tPwj+RQVVRrNhYHTbicY6twcyLboGFgb3tT3eic9tbGDjQhd49uzHpGYfvPaIqq4obn9qJOzvduH7TVsRdgwjQMydYvoqvyJyiRA3oJicmEOp9DUbixyW/fRNr/uxGw9pd2NWdwAR5MQ+rr/Ej+/Didatx36omPHnZVXBsH0IjXantjKUqPS3+5s3KbXpefBS/+moN3nnobgS5yPwb1qOGriakeYiG6nPP+ooSzt2xG0f7iG6kFFFGvEBnJBBmC5vzrrsJXnqznNQ2XfM1/KTtNHS9s42bc4FeifJZ52LmvDaU2eyY2bYQRU3zIKXF2MgwfzOKljm1VDbucsK/n3m9zYbZCxbCZrejed4CONKL8PRfBPCOQj9WvgQ7Gac+7otpFPVrVuEHHd2wnVKrJr3g2htw/j13wfvuILwfRjDx7hAWrluLq25dr9rlJ84jJCs8SNEuq89onYcK4pXwOt9oly6q0pFIjU44lUcIb/Zpi7DurTeQjmRypHhSma0KQ33d8PC9vKEJJgEUkrWoCOWNpyrlD3bzpECSI6Ccv+S4KDR8sA9i+7KmxbAWC8Qx7Jg/G2Y1q3773mGNQXdIe6lRn9tNdzOirpGLEJ01N9FQc+hQP/xeL4qIro2zT4WBfaWPtIuLRUMhVlZm2OvqFc8z6kA8FmM/Az1hOibHPQj6/URQE6rYR0+g08b7vRNwO0a4OTNOmd6I4OQkIsQDa3EJbDWZsJHNjztHEY1EYCmykl8LWSPBNSwUTvp5ifhhhp2Z2GKvrZchioQv8xl4yFECaw3aU2rpzMV4Jj40obV2eWqbzeV9nvfctT7PeG3MZ92PElg6U4LMWMlb/JtK6lBBpmqZ0uf4+Bz+VN7U79z5j7cJU1tb9pMznzQd75fl/79vGSOU2+8/QDU5FFmyNvEAAAAASUVORK5CYII=) [Events](/app/dashboards#/view/78289c40-86da-11e8-b59d-21efb914e65c-ecs) | [Alerts](/app/dashboards#/view/05268ee0-86d1-11e8-b59d-21efb914e65c-ecs)", + "openLinksInNewTab": false }, - { - "embeddableConfig": {}, - "gridData": { - "h": 14, - "i": "8", - "w": 10, - "x": 9, - "y": 20 + "title": "Navigation [Filebeat Suricata]", + "type": "markdown" + } + }, + "id": "908e8c90-d296-11ea-90e3-8767fe7ccf14", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-07-30T18:57:50.040Z", + "version": "Wzc1MywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Event Count [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Events" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false }, - "id": "0a363820-86dd-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "8", - "type": "visualization", - "version": "6.3.0" + "type": "metric" }, - { - "embeddableConfig": {}, - "gridData": { - "h": 16, - "i": "9", - "w": 48, - "x": 0, - "y": 53 - }, - "id": "d57a2db0-86ca-11e8-b59d-21efb914e65c-ecs", - "panelIndex": "9", - "type": "search", - "version": "6.3.0" - } - ], - "timeRestore": false, - "title": "[Filebeat Suricata] Events Overview ECS", - "version": 1 + "title": "Event Count [Filebeat Suricata]", + "type": "metric" + } }, - "id": "78289c40-86da-11e8-b59d-21efb914e65c-ecs", - "type": "dashboard", - "updated_at": "2018-11-07T22:56:24.962Z", - "version": 1 + "id": "169c0600-d297-11ea-90e3-8767fe7ccf14", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-07-30T19:02:39.133Z", + "version": "WzgyNCwxXQ==" } ], - "version": "6.4.3" -} + "version": "7.9.0-SNAPSHOT" +} \ No newline at end of file diff --git a/x-pack/filebeat/module/suricata/eve/config/eve.yml b/x-pack/filebeat/module/suricata/eve/config/eve.yml index 438c30e6373..879bcdd8e35 100644 --- a/x-pack/filebeat/module/suricata/eve/config/eve.yml +++ b/x-pack/filebeat/module/suricata/eve/config/eve.yml @@ -16,7 +16,7 @@ processors: target: suricata.eve - convert: ignore_missing: true - ignore_failure: true + fail_on_error: false mode: rename fields: - {from: suricata.eve.src_ip, to: source.address} @@ -26,7 +26,7 @@ processors: - {from: suricata.eve.proto, to: network.transport} - convert: ignore_missing: true - ignore_failure: true + fail_on_error: false mode: copy fields: - {from: source.address, to: source.ip, type: ip} @@ -48,7 +48,7 @@ processors: then: - convert: ignore_missing: true - ignore_failure: true + fail_on_error: false mode: copy fields: - {from: suricata.eve.dns.id, to: dns.id, type: string} @@ -57,7 +57,7 @@ processors: - convert: when.equals.dns.type: query ignore_missing: true - ignore_failure: true + fail_on_error: false mode: copy fields: - {from: suricata.eve.dns.rrname, to: dns.question.name} @@ -69,7 +69,7 @@ processors: then: - convert: ignore_missing: true - ignore_failure: true + fail_on_error: false mode: copy fields: - {from: suricata.eve.dns.rrname, to: dns.question.name} @@ -384,8 +384,6 @@ processors: - {from: suricata.eve.tls.fingerprint, to: tls.server.hash.sha1} - {from: suricata.eve.tls.sni, to: tls.client.server_name} - {from: suricata.eve.tls.sni, to: destination.domain} - - {from: suricata.eve.tls.notbefore, to: tls.server.not_before} - - {from: suricata.eve.tls.notafter, to: tls.server.not_after} - {from: suricata.eve.tls.ja3s.hash, to: tls.server.ja3s} - {from: suricata.eve.tls.ja3.hash, to: tls.client.ja3} - {from: suricata.eve.tls.certificate, to: tls.server.certificate} @@ -404,4 +402,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml index 7f0b1983fab..01ed5accbe6 100644 --- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml +++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml @@ -2,6 +2,9 @@ description: Pipeline for parsing Suricata EVE logs processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - set: value: "{{suricata.eve.http.http_method}}" field: http.request.method @@ -231,6 +234,110 @@ processors: field: related.hash value: "{{tls.server.hash.sha1}}" if: "ctx?.tls?.server?.hash?.sha1 != null" + - gsub: + field: suricata.eve.tls.issuerdn + pattern: \\, + replacement: "" + ignore_missing: true + - kv: + field: suricata.eve.tls.issuerdn + field_split: ', ' + value_split: '=' + target_field: suricata.eve.tls.kv_issuerdn + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_issuerdn.C + target_field: file.x509.issuer.country + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_issuerdn.CN + target_field: file.x509.issuer.common_name + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_issuerdn.L + target_field: file.x509.issuer.locality + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_issuerdn.O + target_field: file.x509.issuer.organization + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_issuerdn.OU + target_field: file.x509.issuer.organizational_unit + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_issuerdn.ST + target_field: file.x509.issuer.state_or_province + ignore_missing: true + - gsub: + field: suricata.eve.tls.subject + pattern: \\, + replacement: "" + ignore_missing: true + - kv: + field: suricata.eve.tls.subject + field_split: ', ' + value_split: '=' + target_field: suricata.eve.tls.kv_subject + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_subject.C + target_field: file.x509.subject.country + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_subject.CN + target_field: file.x509.subject.common_name + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_subject.L + target_field: file.x509.subject.locality + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_subject.O + target_field: file.x509.subject.organization + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_subject.OU + target_field: file.x509.subject.organizational_unit + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_subject.ST + target_field: file.x509.subject.state_or_province + ignore_missing: true + - set: + field: file.x509.serial_number + value: '{{suricata.eve.tls.serial}}' + ignore_empty_value: true + - gsub: + field: file.x509.serial_number + pattern: ':' + replacement: '' + ignore_missing: true + - date: + field: suricata.eve.tls.notafter + target_field: tls.server.not_after + formats: + - ISO8601 + if: ctx.suricata?.eve?.tls?.notafter != null + - date: + field: suricata.eve.tls.notbefore + target_field: tls.server.not_before + formats: + - ISO8601 + if: ctx.suricata?.eve?.tls?.notbefore != null + - set: + field: file.x509.not_after + value: '{{tls.server.not_after}}' + ignore_empty_value: true + - set: + field: file.x509.not_before + value: '{{tls.server.not_before}}' + ignore_empty_value: true + - append: + field: related.hosts + value: '{{url.domain}}' + if: ctx.url?.domain != null && ctx.url?.domain != '' + allow_duplicates: false - remove: field: - suricata.eve.app_proto @@ -238,6 +345,8 @@ processors: - suricata.eve.flow.start - suricata.eve.http.http_method - suricata.eve.http.http_user_agent + - suricata.eve.tls.kv_issuerdn + - suricata.eve.tls.kv_subject ignore_missing: true on_failure: - set: diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log index 6587a913f52..915a6facbba 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log +++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log @@ -18,5 +18,5 @@ {"timestamp":"2018-10-04T09:35:00.897009+0000","flow_id":112424506237238,"in_iface":"enp0s3","event_type":"alert","src_ip":"192.168.1.146","src_port":52340,"dest_ip":"91.189.91.23","dest_port":80,"proto":"TCP","tx_id":7,"alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":5,"signature":"ET POLICY GNU\/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3},"http":{"hostname":"archive.ubuntu.com","url":"\/ubuntu\/dists\/bionic-updates\/universe\/binary-amd64\/by-hash\/SHA256\/5190f7afbee38b3cb32225db478fdbabd46f76eaa9c5921a13091891bf3e9bbc","http_user_agent":"Debian APT-HTTP\/1.3 (1.6.3ubuntu0.1)","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2687},"app_proto":"http","flow":{"pkts_toserver":330,"pkts_toclient":591,"bytes_toserver":23758,"bytes_toclient":884342,"start":"2018-10-04T09:34:58.926006+0000"}} {"timestamp":"2018-10-04T09:35:01.362208+0000","flow_id":112424506237238,"in_iface":"enp0s3","event_type":"alert","src_ip":"192.168.1.146","src_port":52340,"dest_ip":"91.189.91.23","dest_port":80,"proto":"TCP","tx_id":8,"alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":5,"signature":"ET POLICY GNU\/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3},"http":{"hostname":"archive.ubuntu.com","url":"\/ubuntu\/dists\/bionic-updates\/universe\/i18n\/by-hash\/SHA256\/9fe539b7036e51327cd85ca5e0a4dd4eb47f69168875de2ac9842a5e36ebd4a4","http_user_agent":"Debian APT-HTTP\/1.3 (1.6.3ubuntu0.1)","http_method":"GET","protocol":"HTTP\/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":524,"pkts_toclient":979,"bytes_toserver":36819,"bytes_toclient":1467603,"start":"2018-10-04T09:34:58.926006+0000"}} {"timestamp":"2018-10-04T09:35:01.575088+0000","flow_id":112424506237238,"in_iface":"enp0s3","event_type":"alert","src_ip":"192.168.1.146","src_port":52340,"dest_ip":"91.189.91.23","dest_port":80,"proto":"TCP","tx_id":9,"alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":5,"signature":"ET POLICY GNU\/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3},"http":{"hostname":"archive.ubuntu.com","url":"\/ubuntu\/dists\/bionic-updates\/multiverse\/binary-amd64\/by-hash\/SHA256\/8ab8cb220c0e50521c589acc2bc2b43a3121210f0b035a0605972bcffd73dd16","http_user_agent":"Debian APT-HTTP\/1.3 (1.6.3ubuntu0.1)","http_method":"GET","protocol":"HTTP\/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":575,"pkts_toclient":1079,"bytes_toserver":40452,"bytes_toclient":1618380,"start":"2018-10-04T09:34:58.926006+0000"}} -{"tls":{"ja3s":{"string":"333,55555,66666-22","hash":"0993626a07ad09e1ce91293be7aa5721"},"ja3":{"string":"001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0","hash":"d92325c876e7279f4eb8c62415e3a6b7"},"notafter":"2024-07-16T14:52:35","notbefore":"2019-07-17T14:52:35","version":"TLS 1.2","sni":"hostname.domain.net","fingerprint":"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33","serial":"00:11:22:33:44:55:66:77:88","issuerdn":"CN=UNKNOWN/DC=UNKNOWN/DC=UNKNOWN/C=UNKNOWN/ST=UNKNOWN/O=UNK-NOWN/OU=UNKNOWN","subject":"C=UNKNOWN, ST=UNKNOWN, L=UNKNOWN, O=UNKNOWN, OU=UNKNOWN, CN=hostname.domain.net/emailAddress=user@domain.com"},"proto":"TCP","dest_port":9080,"dest_ip":"10.232.0.237","src_port":45884,"src_ip":"10.126.2.140","event_type":"tls","in_iface":"enp5s0","flow_id":1091813059495729,"timestamp":"2018-10-04T09:35:02.796615+0000"} +{"tls":{"ja3s":{"string":"333,55555,66666-22","hash":"0993626a07ad09e1ce91293be7aa5721"},"ja3":{"string":"001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0","hash":"d92325c876e7279f4eb8c62415e3a6b7"},"notafter":"2024-07-16T14:52:35","notbefore":"2019-07-17T14:52:35","version":"TLS 1.2","sni":"hostname.domain.net","fingerprint":"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33","serial":"00:11:22:33:44:55:66:77:88","issuerdn":"C=US, O=Google Inc, CN=Google Internet Authority G2","subject":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com"},"proto":"TCP","dest_port":9080,"dest_ip":"10.232.0.237","src_port":45884,"src_ip":"10.126.2.140","event_type":"tls","in_iface":"enp5s0","flow_id":1091813059495729,"timestamp":"2018-10-04T09:35:02.796615+0000"} {"flow":{"start":"2020-06-26T11:00:02.970011-0400","bytes_toclient":4660,"bytes_toserver":1074,"pkts_toclient":8,"pkts_toserver":7},"app_proto":"tls","tls":{"ja3s":{"string":"742,48172,30210-30","hash":"391231ba5675e42807b9e1f457b2614e"},"ja3":{"string":"718,4682-2687-2686-41992-41911-53292-53297-41969-22905-41926-41924-94181-94711-15-23-95-12-11-205,0-33-50-53-6-61-39-23-34-85-81,93-04-52,3-9-3","hash":"3f1ea03f5822e8021b60cc3e4b233181"},"notafter":"2026-06-25T17:36:29","notbefore":"2016-06-27T17:36:29","version":"TLS 1.2","sni":"host.domain.net","fingerprint":"36:3f:ee:2a:1c:fa:de:ad:be:ef:42:99:cf:a9:b0:91:01:eb:a9:cc","serial":"72:A9:2C:51","issuerdn":"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown","subject":"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown"},"alert":{"severity":3,"category":"","signature":"SURICATA TLS on unusual port","rev":1,"signature_id":2610003,"gid":1,"action":"allowed"},"proto":"TCP","dest_port":8443,"dest_ip":"10.128.2.48","src_port":64389,"src_ip":"10.137.3.54","event_type":"alert","in_iface":"enp0s31f6","flow_id":991192778198299,"timestamp":"2020-06-26T11:00:03.342282-0400"} diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json index 6e06de5c66e..68412b504dc 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json @@ -41,6 +41,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.net" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -118,6 +121,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.net" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -195,6 +201,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.net" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -272,6 +281,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.org" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -349,6 +361,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.org" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -426,6 +441,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.org" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -503,6 +521,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.88.152" @@ -580,6 +601,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -657,6 +681,9 @@ "network.packets": 11, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -734,6 +761,9 @@ "network.packets": 126, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.88.152" @@ -811,6 +841,9 @@ "network.packets": 185, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.88.152" @@ -888,6 +921,9 @@ "network.packets": 377, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.88.152" @@ -965,6 +1001,9 @@ "network.packets": 131, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1042,6 +1081,9 @@ "network.packets": 210, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1119,6 +1161,9 @@ "network.packets": 412, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1196,6 +1241,9 @@ "network.packets": 504, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1273,6 +1321,9 @@ "network.packets": 916, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1350,6 +1401,9 @@ "network.packets": 921, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1426,6 +1480,9 @@ "network.packets": 1503, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1502,6 +1559,9 @@ "network.packets": 1654, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1549,10 +1609,21 @@ "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", - "event.original": "{\"tls\":{\"ja3s\":{\"string\":\"333,55555,66666-22\",\"hash\":\"0993626a07ad09e1ce91293be7aa5721\"},\"ja3\":{\"string\":\"001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0\",\"hash\":\"d92325c876e7279f4eb8c62415e3a6b7\"},\"notafter\":\"2024-07-16T14:52:35\",\"notbefore\":\"2019-07-17T14:52:35\",\"version\":\"TLS 1.2\",\"sni\":\"hostname.domain.net\",\"fingerprint\":\"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33\",\"serial\":\"00:11:22:33:44:55:66:77:88\",\"issuerdn\":\"CN=UNKNOWN/DC=UNKNOWN/DC=UNKNOWN/C=UNKNOWN/ST=UNKNOWN/O=UNK-NOWN/OU=UNKNOWN\",\"subject\":\"C=UNKNOWN, ST=UNKNOWN, L=UNKNOWN, O=UNKNOWN, OU=UNKNOWN, CN=hostname.domain.net/emailAddress=user@domain.com\"},\"proto\":\"TCP\",\"dest_port\":9080,\"dest_ip\":\"10.232.0.237\",\"src_port\":45884,\"src_ip\":\"10.126.2.140\",\"event_type\":\"tls\",\"in_iface\":\"enp5s0\",\"flow_id\":1091813059495729,\"timestamp\":\"2018-10-04T09:35:02.796615+0000\"}", + "event.original": "{\"tls\":{\"ja3s\":{\"string\":\"333,55555,66666-22\",\"hash\":\"0993626a07ad09e1ce91293be7aa5721\"},\"ja3\":{\"string\":\"001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0\",\"hash\":\"d92325c876e7279f4eb8c62415e3a6b7\"},\"notafter\":\"2024-07-16T14:52:35\",\"notbefore\":\"2019-07-17T14:52:35\",\"version\":\"TLS 1.2\",\"sni\":\"hostname.domain.net\",\"fingerprint\":\"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33\",\"serial\":\"00:11:22:33:44:55:66:77:88\",\"issuerdn\":\"C=US, O=Google Inc, CN=Google Internet Authority G2\",\"subject\":\"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com\"},\"proto\":\"TCP\",\"dest_port\":9080,\"dest_ip\":\"10.232.0.237\",\"src_port\":45884,\"src_ip\":\"10.126.2.140\",\"event_type\":\"tls\",\"in_iface\":\"enp5s0\",\"flow_id\":1091813059495729,\"timestamp\":\"2018-10-04T09:35:02.796615+0000\"}", "event.type": [ "protocol" ], + "file.x509.issuer.common_name": "Google Internet Authority G2", + "file.x509.issuer.country": "US", + "file.x509.issuer.organization": "Google Inc", + "file.x509.not_after": "2024-07-16T14:52:35.000Z", + "file.x509.not_before": "2019-07-17T14:52:35.000Z", + "file.x509.serial_number": "001122334455667788", + "file.x509.subject.common_name": "*.google.com", + "file.x509.subject.country": "US", + "file.x509.subject.locality": "Mountain View", + "file.x509.subject.organization": "Google Inc", + "file.x509.subject.state_or_province": "California", "fileset.name": "eve", "input.type": "log", "log.offset": 16546, @@ -1574,7 +1645,7 @@ "suricata.eve.flow_id": 1091813059495729, "suricata.eve.in_iface": "enp5s0", "suricata.eve.tls.fingerprint": "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33", - "suricata.eve.tls.issuerdn": "CN=UNKNOWN/DC=UNKNOWN/DC=UNKNOWN/C=UNKNOWN/ST=UNKNOWN/O=UNK-NOWN/OU=UNKNOWN", + "suricata.eve.tls.issuerdn": "C=US, O=Google Inc, CN=Google Internet Authority G2", "suricata.eve.tls.ja3.hash": "d92325c876e7279f4eb8c62415e3a6b7", "suricata.eve.tls.ja3.string": "001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0", "suricata.eve.tls.ja3s.hash": "0993626a07ad09e1ce91293be7aa5721", @@ -1583,7 +1654,7 @@ "suricata.eve.tls.notbefore": "2019-07-17T14:52:35", "suricata.eve.tls.serial": "00:11:22:33:44:55:66:77:88", "suricata.eve.tls.sni": "hostname.domain.net", - "suricata.eve.tls.subject": "C=UNKNOWN, ST=UNKNOWN, L=UNKNOWN, O=UNKNOWN, OU=UNKNOWN, CN=hostname.domain.net/emailAddress=user@domain.com", + "suricata.eve.tls.subject": "C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com", "suricata.eve.tls.version": "TLS 1.2", "tags": [ "suricata" @@ -1591,11 +1662,11 @@ "tls.client.ja3": "d92325c876e7279f4eb8c62415e3a6b7", "tls.client.server_name": "hostname.domain.net", "tls.server.hash.sha1": "00112233445566778899AABBCCDDEEFF00112233", - "tls.server.issuer": "CN=UNKNOWN/DC=UNKNOWN/DC=UNKNOWN/C=UNKNOWN/ST=UNKNOWN/O=UNK-NOWN/OU=UNKNOWN", + "tls.server.issuer": "C=US, O=Google Inc, CN=Google Internet Authority G2", "tls.server.ja3s": "0993626a07ad09e1ce91293be7aa5721", - "tls.server.not_after": "2024-07-16T14:52:35", - "tls.server.not_before": "2019-07-17T14:52:35", - "tls.server.subject": "C=UNKNOWN, ST=UNKNOWN, L=UNKNOWN, O=UNKNOWN, OU=UNKNOWN, CN=hostname.domain.net/emailAddress=user@domain.com", + "tls.server.not_after": "2024-07-16T14:52:35.000Z", + "tls.server.not_before": "2019-07-17T14:52:35.000Z", + "tls.server.subject": "C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com", "tls.version": "1.2", "tls.version_protocol": "tls" }, @@ -1620,9 +1691,24 @@ "event.type": [ "allowed" ], + "file.x509.issuer.common_name": "Unknown", + "file.x509.issuer.country": "Unknown", + "file.x509.issuer.locality": "Unknown", + "file.x509.issuer.organization": "Unknown", + "file.x509.issuer.organizational_unit": "Unknown", + "file.x509.issuer.state_or_province": "Unknown", + "file.x509.not_after": "2026-06-25T17:36:29.000Z", + "file.x509.not_before": "2016-06-27T17:36:29.000Z", + "file.x509.serial_number": "72A92C51", + "file.x509.subject.common_name": "Unknown", + "file.x509.subject.country": "Unknown", + "file.x509.subject.locality": "Unknown", + "file.x509.subject.organization": "Unknown", + "file.x509.subject.organizational_unit": "Unknown", + "file.x509.subject.state_or_province": "Unknown", "fileset.name": "eve", "input.type": "log", - "log.offset": 17606, + "log.offset": 17541, "message": "", "network.bytes": 5734, "network.community_id": "1:W6fjhboFUwyEchJ3ELaqSBzDEJE=", @@ -1672,8 +1758,8 @@ "tls.server.hash.sha1": "363FEE2A1CFADEADBEEF4299CFA9B09101EBA9CC", "tls.server.issuer": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown", "tls.server.ja3s": "391231ba5675e42807b9e1f457b2614e", - "tls.server.not_after": "2026-06-25T17:36:29", - "tls.server.not_before": "2016-06-27T17:36:29", + "tls.server.not_after": "2026-06-25T17:36:29.000Z", + "tls.server.not_before": "2016-06-27T17:36:29.000Z", "tls.server.subject": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown", "tls.version": "1.2", "tls.version_protocol": "tls" diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log b/x-pack/filebeat/module/suricata/eve/test/eve-small.log index 2902334be8b..45163a617e9 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log @@ -4,5 +4,5 @@ {"timestamp":"2018-07-05T15:44:33.222441-0400","flow_id":2211411903323127,"in_iface":"en0","event_type":"fileinfo","src_ip":"192.168.86.28","src_port":8008,"dest_ip":"192.168.86.85","dest_port":56118,"proto":"TCP","http":{"hostname":"192.168.86.28","url":"\/ssdp\/device-desc.xml","http_user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/67.0.3396.99 Safari\/537.36","http_content_type":"application\/xml","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1071},"app_proto":"http","fileinfo":{"filename":"\/ssdp\/device-desc.xml","gaps":false,"state":"CLOSED","md5":"427b7337ff37eeb24d74f47d8e04cf21","sha1":"313573490192c685e9e53abef25453ed0d5e2aee","sha256":"f610428ebddf6f8cf9e39322e672583c45fcdcf885efad0ab48fd53a3dfc2c4b","stored":false,"size":1071,"tx_id":0}} {"timestamp":"2018-07-05T15:51:20.213418-0400","flow_id":1684780223079543,"in_iface":"en0","event_type":"dns","src_ip":"192.168.86.1","src_port":53,"dest_ip":"192.168.86.85","dest_port":39464,"proto":"UDP","dns":{"type":"answer","id":12308,"rcode":"NOERROR","rrname":"clients.l.google.com","rrtype":"A","ttl":299,"rdata":"172.217.13.110"}} {"timestamp":"2018-07-05T15:51:23.009510-0400","event_type":"stats","stats":{"uptime":5400,"capture":{"kernel_packets":430313,"kernel_drops":0,"kernel_ifdrops":0},"decoder":{"pkts":430313,"bytes":335138381,"invalid":2,"ipv4":425873,"ipv6":3785,"ethernet":430313,"raw":0,"null":0,"sll":0,"tcp":370093,"udp":58337,"sctp":0,"icmpv4":186,"icmpv6":1019,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"ieee8021ah":0,"teredo":1,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":778,"max_pkt_size":1514,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"tcp":1113,"udp":1881,"icmpv4":0,"icmpv6":677,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":11537312},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":842,"ssn_memcap_drop":0,"pseudo":0,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":1138,"synack":656,"rst":1165,"segment_memcap_drop":0,"stream_depth_reached":63,"reassembly_gap":0,"overlap":5979,"overlap_diff_data":0,"insert_data_normal_fail":0,"insert_data_overlap_fail":0,"insert_list_fail":0,"memuse":4587520,"reassembly_memuse":768000},"detect":{"alert":2},"app_layer":{"flow":{"http":22,"ftp":0,"smtp":0,"tls":560,"ssh":4,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":2,"dcerpc_udp":0,"dns_udp":762,"failed_udp":1119},"tx":{"http":25,"ftp":0,"smtp":0,"tls":0,"ssh":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"dcerpc_udp":0,"dns_udp":762}},"flow_mgr":{"closed_pruned":729,"new_pruned":1879,"est_pruned":975,"bypassed_pruned":0,"flows_checked":8,"flows_notimeout":8,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65530,"rows_empty":0,"rows_busy":0,"rows_maxlen":2},"file_store":{"open_files":0},"dns":{"memuse":7749,"memcap_state":0,"memcap_global":0},"http":{"memuse":17861,"memcap":0}}} -{"timestamp":"2018-07-05T15:51:50.666597-0400","flow_id":89751777876473,"in_iface":"en0","event_type":"tls","src_ip":"192.168.86.85","src_port":56187,"dest_ip":"17.142.164.13","dest_port":443,"proto":"TCP","tls":{"subject":"CN=*.icloud.com\/OU=management:idms.group.506364\/O=Apple Inc.\/ST=California\/C=US","issuerdn":"CN=Apple IST CA 2 - G1\/OU=Certification Authority\/O=Apple Inc.\/C=US","serial":"5C:9C:E1:09:78:87:F8:07","fingerprint":"6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47","sni":"p33-btmmdns.icloud.com.","version":"TLS 1.2","notbefore":"2017-02-27T17:54:31","notafter":"2019-03-29T17:54:31"}} +{"timestamp":"2018-07-05T15:51:50.666597-0400","flow_id":89751777876473,"in_iface":"en0","event_type":"tls","src_ip":"192.168.86.85","src_port":56187,"dest_ip":"17.142.164.13","dest_port":443,"proto":"TCP","tls":{"subject":"CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US","issuerdn":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","serial":"5C:9C:E1:09:78:87:F8:07","fingerprint":"6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47","sni":"p33-btmmdns.icloud.com.","version":"TLS 1.2","notbefore":"2017-02-27T17:54:31","notafter":"2019-03-29T17:54:31"}} {"timestamp":"2018-07-05T15:51:54.001329-0400","flow_id":1828507008887644,"event_type":"flow","src_ip":"fe80:0000:0000:0000:fada:0cff:fedc:87f1","src_port":546,"dest_ip":"ff02:0000:0000:0000:0000:0000:0001:0002","dest_port":547,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":110,"bytes_toclient":0,"start":"2018-07-05T15:51:23.453468-0400","end":"2018-07-05T15:51:23.453468-0400","age":0,"state":"new","reason":"timeout","alerted":false}} diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index 5d44c5bd12f..5d113c8d370 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json @@ -130,6 +130,9 @@ "network.community_id": "1:gjMiDGtS5SVvdwzjjQdAKGBrDA4=", "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "192.168.86.28" + ], "related.ip": [ "192.168.86.85", "192.168.86.28" @@ -150,7 +153,7 @@ "url.domain": "192.168.86.28", "url.original": "/dd.xml", "url.path": "/dd.xml", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "user_agent.os.full": "Mac OS X 10.13.5", @@ -182,6 +185,9 @@ "network.community_id": "1:XhhAO/Twj86+bD+1fV8FnpLIEDs=", "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "192.168.86.28" + ], "related.ip": [ "192.168.86.28", "192.168.86.85" @@ -208,7 +214,7 @@ "url.domain": "192.168.86.28", "url.original": "/ssdp/device-desc.xml", "url.path": "/ssdp/device-desc.xml", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "user_agent.os.full": "Mac OS X 10.13.5", @@ -419,10 +425,22 @@ "event.dataset": "suricata.eve", "event.kind": "event", "event.module": "suricata", - "event.original": "{\"timestamp\":\"2018-07-05T15:51:50.666597-0400\",\"flow_id\":89751777876473,\"in_iface\":\"en0\",\"event_type\":\"tls\",\"src_ip\":\"192.168.86.85\",\"src_port\":56187,\"dest_ip\":\"17.142.164.13\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"CN=*.icloud.com\\/OU=management:idms.group.506364\\/O=Apple Inc.\\/ST=California\\/C=US\",\"issuerdn\":\"CN=Apple IST CA 2 - G1\\/OU=Certification Authority\\/O=Apple Inc.\\/C=US\",\"serial\":\"5C:9C:E1:09:78:87:F8:07\",\"fingerprint\":\"6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47\",\"sni\":\"p33-btmmdns.icloud.com.\",\"version\":\"TLS 1.2\",\"notbefore\":\"2017-02-27T17:54:31\",\"notafter\":\"2019-03-29T17:54:31\"}}", + "event.original": "{\"timestamp\":\"2018-07-05T15:51:50.666597-0400\",\"flow_id\":89751777876473,\"in_iface\":\"en0\",\"event_type\":\"tls\",\"src_ip\":\"192.168.86.85\",\"src_port\":56187,\"dest_ip\":\"17.142.164.13\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US\",\"issuerdn\":\"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US\",\"serial\":\"5C:9C:E1:09:78:87:F8:07\",\"fingerprint\":\"6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47\",\"sni\":\"p33-btmmdns.icloud.com.\",\"version\":\"TLS 1.2\",\"notbefore\":\"2017-02-27T17:54:31\",\"notafter\":\"2019-03-29T17:54:31\"}}", "event.type": [ "protocol" ], + "file.x509.issuer.common_name": "Apple IST CA 2 - G1", + "file.x509.issuer.country": "US", + "file.x509.issuer.organization": "Apple Inc.", + "file.x509.issuer.organizational_unit": "Certification Authority", + "file.x509.not_after": "2019-03-29T17:54:31.000Z", + "file.x509.not_before": "2017-02-27T17:54:31.000Z", + "file.x509.serial_number": "5C9CE1097887F807", + "file.x509.subject.common_name": "*.icloud.com", + "file.x509.subject.country": "US", + "file.x509.subject.organization": "Apple Inc.", + "file.x509.subject.organizational_unit": "management:idms.group.506364", + "file.x509.subject.state_or_province": "California", "fileset.name": "eve", "input.type": "log", "log.offset": 4683, @@ -444,22 +462,22 @@ "suricata.eve.flow_id": 89751777876473, "suricata.eve.in_iface": "en0", "suricata.eve.tls.fingerprint": "6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47", - "suricata.eve.tls.issuerdn": "CN=Apple IST CA 2 - G1/OU=Certification Authority/O=Apple Inc./C=US", + "suricata.eve.tls.issuerdn": "CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US", "suricata.eve.tls.notafter": "2019-03-29T17:54:31", "suricata.eve.tls.notbefore": "2017-02-27T17:54:31", "suricata.eve.tls.serial": "5C:9C:E1:09:78:87:F8:07", "suricata.eve.tls.sni": "p33-btmmdns.icloud.com", - "suricata.eve.tls.subject": "CN=*.icloud.com/OU=management:idms.group.506364/O=Apple Inc./ST=California/C=US", + "suricata.eve.tls.subject": "CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US", "suricata.eve.tls.version": "TLS 1.2", "tags": [ "suricata" ], "tls.client.server_name": "p33-btmmdns.icloud.com", "tls.server.hash.sha1": "6AFFACA65F8A05E7A98C7629B908C769ADDC7247", - "tls.server.issuer": "CN=Apple IST CA 2 - G1/OU=Certification Authority/O=Apple Inc./C=US", - "tls.server.not_after": "2019-03-29T17:54:31", - "tls.server.not_before": "2017-02-27T17:54:31", - "tls.server.subject": "CN=*.icloud.com/OU=management:idms.group.506364/O=Apple Inc./ST=California/C=US", + "tls.server.issuer": "CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US", + "tls.server.not_after": "2019-03-29T17:54:31.000Z", + "tls.server.not_before": "2017-02-27T17:54:31.000Z", + "tls.server.subject": "CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US", "tls.version": "1.2", "tls.version_protocol": "tls" }, diff --git a/x-pack/filebeat/module/suricata/module.yml b/x-pack/filebeat/module/suricata/module.yml index 9e114208933..d3747be1f4d 100644 --- a/x-pack/filebeat/module/suricata/module.yml +++ b/x-pack/filebeat/module/suricata/module.yml @@ -1,5 +1,5 @@ dashboards: -- id: 78289c40-86da-11e8-b59d-21efb914e65c - file: Filebeat-Suricata-Overview.json -- id: 05268ee0-86d1-11e8-b59d-21efb914e65c - file: Filebeat-Suricata-Alert-Overview.json +- id: 78289c40-86da-11e8-b59d-21efb914e65c-ecs + file: filebeat-suricata-event-overview.json +- id: 05268ee0-86d1-11e8-b59d-21efb914e65c-ecs + file: filebeat-suricata-alert-overview.json diff --git a/x-pack/filebeat/module/symantec/README.md b/x-pack/filebeat/module/symantec/README.md new file mode 100644 index 00000000000..d90bb91be55 --- /dev/null +++ b/x-pack/filebeat/module/symantec/README.md @@ -0,0 +1,7 @@ +# symantec module + +This is a module for Symantec AntiVirus/Endpoint Protection logs. + +Autogenerated from RSA NetWitness log parser 2.0 XML symantecav version 134 +at 2020-09-01 14:18:50.728147 +0000 UTC. + diff --git a/x-pack/filebeat/module/symantec/_meta/config.yml b/x-pack/filebeat/module/symantec/_meta/config.yml new file mode 100644 index 00000000000..482804f3f94 --- /dev/null +++ b/x-pack/filebeat/module/symantec/_meta/config.yml @@ -0,0 +1,19 @@ +- module: symantec + endpointprotection: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9534 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/module/symantec/_meta/docs.asciidoc b/x-pack/filebeat/module/symantec/_meta/docs.asciidoc new file mode 100644 index 00000000000..b73aa478f51 --- /dev/null +++ b/x-pack/filebeat/module/symantec/_meta/docs.asciidoc @@ -0,0 +1,66 @@ +[role="xpack"] + +:modulename: symantec +:has-dashboards: false + +== Symantec module + +experimental[] + +This is a module for receiving Symantec AntiVirus/Endpoint Protection logs over Syslog or a file. + +include::../include/gs-link.asciidoc[] + +include::../include/configuring-intro.asciidoc[] + +:fileset_ex: endpointprotection + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `endpointprotection` fileset settings + +experimental[] + +NOTE: This was converted from RSA NetWitness log parser XML "symantecav" device revision 134. + +*`var.input`*:: + +The input from which messages are read. One of `file`, `tcp` or `udp`. + +*`var.syslog_host`*:: + +The address to listen to UDP or TCP based syslog traffic. +Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The port to listen for syslog traffic. Defaults to `9534` + +NOTE: Ports below 1024 require Filebeat to run as root. + +*`var.tz_offset`*:: + +By default, datetimes in the logs will be interpreted as relative to +the timezone configured in the host where {beatname_uc} is running. If ingesting +logs from a host on a different timezone, use this field to set the timezone +offset so that datetimes are correctly parsed. Valid values are in the form +±HH:mm, for example, `-07:00` for `UTC-7`. + +*`var.rsa_fields`*:: + +Flag to control the addition of non-ECS fields to the event. Defaults to true, +which causes both ECS and custom fields under `rsa` to be added. + +*`var.keep_raw_fields`*:: + +Flag to control the addition of the raw parser fields to the event. This fields +will be found under `rsa.raw`. The default is false. + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + diff --git a/x-pack/filebeat/module/symantec/_meta/fields.yml b/x-pack/filebeat/module/symantec/_meta/fields.yml new file mode 100644 index 00000000000..bd9d0428f06 --- /dev/null +++ b/x-pack/filebeat/module/symantec/_meta/fields.yml @@ -0,0 +1,5 @@ +- key: symantec + title: Symantec AntiVirus/Endpoint Protection + description: > + symantec fields. + fields: diff --git a/x-pack/filebeat/module/symantec/endpointprotection/_meta/fields.yml b/x-pack/filebeat/module/symantec/endpointprotection/_meta/fields.yml new file mode 100644 index 00000000000..ecf61b431da --- /dev/null +++ b/x-pack/filebeat/module/symantec/endpointprotection/_meta/fields.yml @@ -0,0 +1,2637 @@ +- name: network.interface.name + overwrite: true + type: keyword + default_field: false + description: > + Name of the network interface where the traffic has been observed. +- name: rsa + overwrite: true + type: group + default_field: false + fields: + - name: internal + overwrite: true + type: group + fields: + - name: msg + overwrite: true + type: keyword + description: This key is used to capture the raw message that comes into the + Log Decoder + - name: messageid + overwrite: true + type: keyword + - name: event_desc + overwrite: true + type: keyword + - name: message + overwrite: true + type: keyword + description: This key captures the contents of instant messages + - name: time + overwrite: true + type: date + description: This is the time at which a session hits a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness. + - name: level + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: msg_id + overwrite: true + type: keyword + description: This is the Message ID1 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: msg_vid + overwrite: true + type: keyword + description: This is the Message ID2 value that identifies the exact log parser + definition which parses a particular log session. This key should never be + used to parse Meta data from a session (Logs/Packets) Directly, this is a + Reserved key in NetWitness + - name: data + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_server + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_val + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: resource + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: obj_id + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: statement + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: audit_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: entry + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: hcode + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: inode + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: resource_class + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: dead + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: feed_desc + overwrite: true + type: keyword + description: This is used to capture the description of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: feed_name + overwrite: true + type: keyword + description: This is used to capture the name of the feed. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: cid + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Concentrator. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_class + overwrite: true + type: keyword + description: This is the Classification of the Log Event Source under a predefined + fixed set of Event Source Classifications. This key should never be used to + parse Meta data from a session (Logs/Packets) Directly, this is a Reserved + key in NetWitness + - name: device_group + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_host + overwrite: true + type: keyword + description: This is the Hostname of the log Event Source sending the logs to + NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ip + overwrite: true + type: ip + description: This is the IPv4 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_ipv6 + overwrite: true + type: ip + description: This is the IPv6 address of the Log Event Source sending the logs + to NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: device_type + overwrite: true + type: keyword + description: This is the name of the log parser which parsed a given session. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: device_type_id + overwrite: true + type: long + description: Deprecated key defined only in table map. + - name: did + overwrite: true + type: keyword + description: This is the unique identifier used to identify a NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: entropy_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: entropy_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the Meta Type can + be either UInt16 or Float32 based on the configuration + - name: event_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: feed_category + overwrite: true + type: keyword + description: This is used to capture the category of the feed. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: forward_ip + overwrite: true + type: ip + description: This key should be used to capture the IPV4 address of a relay + system which forwarded the events from the original system to NetWitness. + - name: forward_ipv6 + overwrite: true + type: ip + description: This key is used to capture the IPV6 address of a relay system + which forwarded the events from the original system to NetWitness. This key + should never be used to parse Meta data from a session (Logs/Packets) Directly, + this is a Reserved key in NetWitness + - name: header_id + overwrite: true + type: keyword + description: This is the Header ID value that identifies the exact log parser + header definition that parses a particular log session. This key should never + be used to parse Meta data from a session (Logs/Packets) Directly, this is + a Reserved key in NetWitness + - name: lc_cid + overwrite: true + type: keyword + description: This is a unique Identifier of a Log Collector. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: lc_ctime + overwrite: true + type: date + description: This is the time at which a log is collected in a NetWitness Log + Collector. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: mcb_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + request is simply which byte for each side (0 thru 255) was seen the most + - name: mcb_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + response is simply which byte for each side (0 thru 255) was seen the most + - name: mcbc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: mcbc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the most common byte + count is the number of times the most common byte (above) was seen in the + session streams + - name: medium + overwrite: true + type: long + description: "This key is used to identify if it\u2019s a log/packet session\ + \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ + \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ + \ 32 = log, 33 = correlation session, < 32 is packet session" + - name: node_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: nwe_callback_id + overwrite: true + type: keyword + description: This key denotes that event is endpoint related + - name: parse_error + overwrite: true + type: keyword + description: This is a special key that stores any Meta key validation error + found while parsing a log session. This key should never be used to parse + Meta data from a session (Logs/Packets) Directly, this is a Reserved key in + NetWitness + - name: payload_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: payload_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, the payload size metrics + are the payload sizes of each session side at the time of parsing. However, + in order to keep + - name: process_vid_dst + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the target process. + - name: process_vid_src + overwrite: true + type: keyword + description: Endpoint generates and uses a unique virtual ID to identify any + similar group of process. This ID represents the source process. + - name: rid + overwrite: true + type: long + description: This is a special ID of the Remote Session created by NetWitness + Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: session_split + overwrite: true + type: keyword + description: This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: site + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: size + overwrite: true + type: long + description: This is the size of the session as seen by the NetWitness Decoder. + This key should never be used to parse Meta data from a session (Logs/Packets) + Directly, this is a Reserved key in NetWitness + - name: sourcefile + overwrite: true + type: keyword + description: This is the name of the log file or PCAPs that can be imported + into NetWitness. This key should never be used to parse Meta data from a session + (Logs/Packets) Directly, this is a Reserved key in NetWitness + - name: ubc_req + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: ubc_res + overwrite: true + type: long + description: This key is only used by the Entropy Parser, Unique byte count + is the number of unique bytes seen in each stream. 256 would mean all byte + values of 0 thru 255 were seen at least once + - name: word + overwrite: true + type: keyword + description: This is used by the Word Parsing technology to capture the first + 5 character of every word in an unparsed log + - name: time + overwrite: true + type: group + fields: + - name: event_time + overwrite: true + type: date + description: This key is used to capture the time mentioned in a raw session + that represents the actual time an event occured in a standard normalized + form + - name: duration_time + overwrite: true + type: double + description: This key is used to capture the normalized duration/lifetime in + seconds. + - name: event_time_str + overwrite: true + type: keyword + description: This key is used to capture the incomplete time mentioned in a + session as a string + - name: starttime + overwrite: true + type: date + description: This key is used to capture the Start time mentioned in a session + in a standard form + - name: month + overwrite: true + type: keyword + - name: day + overwrite: true + type: keyword + - name: endtime + overwrite: true + type: date + description: This key is used to capture the End time mentioned in a session + in a standard form + - name: timezone + overwrite: true + type: keyword + description: This key is used to capture the timezone of the Event Time + - name: duration_str + overwrite: true + type: keyword + description: A text string version of the duration + - name: date + overwrite: true + type: keyword + - name: year + overwrite: true + type: keyword + - name: recorded_time + overwrite: true + type: date + description: The event time as recorded by the system the event is collected + from. The usage scenario is a multi-tier application where the management + layer of the system records it's own timestamp at the time of collection from + its child nodes. Must be in timestamp format. + - name: datetime + overwrite: true + type: keyword + - name: effective_time + overwrite: true + type: date + description: This key is the effective time referenced by an individual event + in a Standard Timestamp format + - name: expire_time + overwrite: true + type: date + description: This key is the timestamp that explicitly refers to an expiration. + - name: process_time + overwrite: true + type: keyword + description: Deprecated, use duration.time + - name: hour + overwrite: true + type: keyword + - name: min + overwrite: true + type: keyword + - name: timestamp + overwrite: true + type: keyword + - name: event_queue_time + overwrite: true + type: date + description: This key is the Time that the event was queued. + - name: p_time1 + overwrite: true + type: keyword + - name: tzone + overwrite: true + type: keyword + - name: eventtime + overwrite: true + type: keyword + - name: gmtdate + overwrite: true + type: keyword + - name: gmttime + overwrite: true + type: keyword + - name: p_date + overwrite: true + type: keyword + - name: p_month + overwrite: true + type: keyword + - name: p_time + overwrite: true + type: keyword + - name: p_time2 + overwrite: true + type: keyword + - name: p_year + overwrite: true + type: keyword + - name: expire_time_str + overwrite: true + type: keyword + description: This key is used to capture incomplete timestamp that explicitly + refers to an expiration. + - name: stamp + overwrite: true + type: date + description: Deprecated key defined only in table map. + - name: misc + overwrite: true + type: group + fields: + - name: action + overwrite: true + type: keyword + - name: result + overwrite: true + type: keyword + description: This key is used to capture the outcome/result string value of + an action in a session. + - name: severity + overwrite: true + type: keyword + description: This key is used to capture the severity given the session + - name: event_type + overwrite: true + type: keyword + description: This key captures the event category type as specified by the event + source. + - name: reference_id + overwrite: true + type: keyword + description: This key is used to capture an event id from the session directly + - name: version + overwrite: true + type: keyword + description: This key captures Version of the application or OS which is generating + the event. + - name: disposition + overwrite: true + type: keyword + description: This key captures the The end state of an action. + - name: result_code + overwrite: true + type: keyword + description: This key is used to capture the outcome/result numeric value of + an action in a session + - name: category + overwrite: true + type: keyword + description: This key is used to capture the category of an event given by the + vendor in the session + - name: obj_name + overwrite: true + type: keyword + description: This is used to capture name of object + - name: obj_type + overwrite: true + type: keyword + description: This is used to capture type of object + - name: event_source + overwrite: true + type: keyword + description: "This key captures Source of the event that\u2019s not a hostname" + - name: log_session_id + overwrite: true + type: keyword + description: This key is used to capture a sessionid from the session directly + - name: group + overwrite: true + type: keyword + description: This key captures the Group Name value + - name: policy_name + overwrite: true + type: keyword + description: This key is used to capture the Policy Name only. + - name: rule_name + overwrite: true + type: keyword + description: This key captures the Rule Name + - name: context + overwrite: true + type: keyword + description: This key captures Information which adds additional context to + the event. + - name: change_new + overwrite: true + type: keyword + description: "This key is used to capture the new values of the attribute that\u2019\ + s changing in a session" + - name: space + overwrite: true + type: keyword + - name: client + overwrite: true + type: keyword + description: This key is used to capture only the name of the client application + requesting resources of the server. See the user.agent meta key for capture + of the specific user agent identifier or browser identification string. + - name: msgIdPart1 + overwrite: true + type: keyword + - name: msgIdPart2 + overwrite: true + type: keyword + - name: change_old + overwrite: true + type: keyword + description: "This key is used to capture the old value of the attribute that\u2019\ + s changing in a session" + - name: operation_id + overwrite: true + type: keyword + description: An alert number or operation number. The values should be unique + and non-repeating. + - name: event_state + overwrite: true + type: keyword + description: This key captures the current state of the object/item referenced + within the event. Describing an on-going event. + - name: group_object + overwrite: true + type: keyword + description: This key captures a collection/grouping of entities. Specific usage + - name: node + overwrite: true + type: keyword + description: Common use case is the node name within a cluster. The cluster + name is reflected by the host name. + - name: rule + overwrite: true + type: keyword + description: This key captures the Rule number + - name: device_name + overwrite: true + type: keyword + description: 'This is used to capture name of the Device associated with the + node Like: a physical disk, printer, etc' + - name: param + overwrite: true + type: keyword + description: This key is the parameters passed as part of a command or application, + etc. + - name: change_attrib + overwrite: true + type: keyword + description: "This key is used to capture the name of the attribute that\u2019\ + s changing in a session" + - name: event_computer + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + fully qualified domain name in a windows log. + - name: reference_id1 + overwrite: true + type: keyword + description: This key is for Linked ID to be used as an addition to "reference.id" + - name: event_log + overwrite: true + type: keyword + description: This key captures the Name of the event log + - name: OS + overwrite: true + type: keyword + description: This key captures the Name of the Operating System + - name: terminal + overwrite: true + type: keyword + description: This key captures the Terminal Names only + - name: msgIdPart3 + overwrite: true + type: keyword + - name: filter + overwrite: true + type: keyword + description: This key captures Filter used to reduce result set + - name: serial_number + overwrite: true + type: keyword + description: This key is the Serial number associated with a physical asset. + - name: checksum + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the entity + such as a file or process. Checksum should be used over checksum.src or checksum.dst + when it is unclear whether the entity is a source or target of an action. + - name: event_user + overwrite: true + type: keyword + description: This key is a windows only concept, where this key is used to capture + combination of domain name and username in a windows log. + - name: virusname + overwrite: true + type: keyword + description: This key captures the name of the virus + - name: content_type + overwrite: true + type: keyword + description: This key is used to capture Content Type only. + - name: group_id + overwrite: true + type: keyword + description: This key captures Group ID Number (related to the group name) + - name: policy_id + overwrite: true + type: keyword + description: This key is used to capture the Policy ID only, this should be + a numeric value, use policy.name otherwise + - name: vsys + overwrite: true + type: keyword + description: This key captures Virtual System Name + - name: connection_id + overwrite: true + type: keyword + description: This key captures the Connection ID + - name: reference_id2 + overwrite: true + type: keyword + description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" + or "reference.id1" value but should not be used unless the other two variables + are in play. + - name: sensor + overwrite: true + type: keyword + description: This key captures Name of the sensor. Typically used in IDS/IPS + based devices + - name: sig_id + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID + - name: port_name + overwrite: true + type: keyword + description: 'This key is used for Physical or logical port connection but does + NOT include a network port. (Example: Printer port name).' + - name: rule_group + overwrite: true + type: keyword + description: This key captures the Rule group name + - name: risk_num + overwrite: true + type: double + description: This key captures a Numeric Risk value + - name: trigger_val + overwrite: true + type: keyword + description: This key captures the Value of the trigger or threshold condition. + - name: log_session_id1 + overwrite: true + type: keyword + description: This key is used to capture a Linked (Related) Session ID from + the session directly + - name: comp_version + overwrite: true + type: keyword + description: This key captures the Version level of a sub-component of a product. + - name: content_version + overwrite: true + type: keyword + description: This key captures Version level of a signature or database content. + - name: hardware_id + overwrite: true + type: keyword + description: This key is used to capture unique identifier for a device or system + (NOT a Mac address) + - name: risk + overwrite: true + type: keyword + description: This key captures the non-numeric risk value + - name: event_id + overwrite: true + type: keyword + - name: reason + overwrite: true + type: keyword + - name: status + overwrite: true + type: keyword + - name: mail_id + overwrite: true + type: keyword + description: This key is used to capture the mailbox id/name + - name: rule_uid + overwrite: true + type: keyword + description: This key is the Unique Identifier for a rule. + - name: trigger_desc + overwrite: true + type: keyword + description: This key captures the Description of the trigger or threshold condition. + - name: inout + overwrite: true + type: keyword + - name: p_msgid + overwrite: true + type: keyword + - name: data_type + overwrite: true + type: keyword + - name: msgIdPart4 + overwrite: true + type: keyword + - name: error + overwrite: true + type: keyword + description: This key captures All non successful Error codes or responses + - name: index + overwrite: true + type: keyword + - name: listnum + overwrite: true + type: keyword + description: This key is used to capture listname or listnumber, primarily for + collecting access-list + - name: ntype + overwrite: true + type: keyword + - name: observed_val + overwrite: true + type: keyword + description: This key captures the Value observed (from the perspective of the + device generating the log). + - name: policy_value + overwrite: true + type: keyword + description: This key captures the contents of the policy. This contains details + about the policy + - name: pool_name + overwrite: true + type: keyword + description: This key captures the name of a resource pool + - name: rule_template + overwrite: true + type: keyword + description: A default set of parameters which are overlayed onto a rule (or + rulename) which efffectively constitutes a template + - name: count + overwrite: true + type: keyword + - name: number + overwrite: true + type: keyword + - name: sigcat + overwrite: true + type: keyword + - name: type + overwrite: true + type: keyword + - name: comments + overwrite: true + type: keyword + description: Comment information provided in the log message + - name: doc_number + overwrite: true + type: long + description: This key captures File Identification number + - name: expected_val + overwrite: true + type: keyword + description: This key captures the Value expected (from the perspective of the + device generating the log). + - name: job_num + overwrite: true + type: keyword + description: This key captures the Job Number + - name: spi_dst + overwrite: true + type: keyword + description: Destination SPI Index + - name: spi_src + overwrite: true + type: keyword + description: Source SPI Index + - name: code + overwrite: true + type: keyword + - name: agent_id + overwrite: true + type: keyword + description: This key is used to capture agent id + - name: message_body + overwrite: true + type: keyword + description: This key captures the The contents of the message body. + - name: phone + overwrite: true + type: keyword + - name: sig_id_str + overwrite: true + type: keyword + description: This key captures a string object of the sigid variable. + - name: cmd + overwrite: true + type: keyword + - name: misc + overwrite: true + type: keyword + - name: name + overwrite: true + type: keyword + - name: cpu + overwrite: true + type: long + description: This key is the CPU time used in the execution of the event being + recorded. + - name: event_desc + overwrite: true + type: keyword + description: This key is used to capture a description of an event available + directly or inferred + - name: sig_id1 + overwrite: true + type: long + description: This key captures IDS/IPS Int Signature ID. This must be linked + to the sig.id + - name: im_buddyid + overwrite: true + type: keyword + - name: im_client + overwrite: true + type: keyword + - name: im_userid + overwrite: true + type: keyword + - name: pid + overwrite: true + type: keyword + - name: priority + overwrite: true + type: keyword + - name: context_subject + overwrite: true + type: keyword + description: This key is to be used in an audit context where the subject is + the object being identified + - name: context_target + overwrite: true + type: keyword + - name: cve + overwrite: true + type: keyword + description: This key captures CVE (Common Vulnerabilities and Exposures) - + an identifier for known information security vulnerabilities. + - name: fcatnum + overwrite: true + type: keyword + description: This key captures Filter Category Number. Legacy Usage + - name: library + overwrite: true + type: keyword + description: This key is used to capture library information in mainframe devices + - name: parent_node + overwrite: true + type: keyword + description: This key captures the Parent Node Name. Must be related to node + variable. + - name: risk_info + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: tcp_flags + overwrite: true + type: long + description: This key is captures the TCP flags set in any packet of session + - name: tos + overwrite: true + type: long + description: This key describes the type of service + - name: vm_target + overwrite: true + type: keyword + description: VMWare Target **VMWARE** only varaible. + - name: workspace + overwrite: true + type: keyword + description: This key captures Workspace Description + - name: command + overwrite: true + type: keyword + - name: event_category + overwrite: true + type: keyword + - name: facilityname + overwrite: true + type: keyword + - name: forensic_info + overwrite: true + type: keyword + - name: jobname + overwrite: true + type: keyword + - name: mode + overwrite: true + type: keyword + - name: policy + overwrite: true + type: keyword + - name: policy_waiver + overwrite: true + type: keyword + - name: second + overwrite: true + type: keyword + - name: space1 + overwrite: true + type: keyword + - name: subcategory + overwrite: true + type: keyword + - name: tbdstr2 + overwrite: true + type: keyword + - name: alert_id + overwrite: true + type: keyword + description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: checksum_dst + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the the target + entity such as a process or file. + - name: checksum_src + overwrite: true + type: keyword + description: This key is used to capture the checksum or hash of the source + entity such as a file or process. + - name: fresult + overwrite: true + type: long + description: This key captures the Filter Result + - name: payload_dst + overwrite: true + type: keyword + description: This key is used to capture destination payload + - name: payload_src + overwrite: true + type: keyword + description: This key is used to capture source payload + - name: pool_id + overwrite: true + type: keyword + description: This key captures the identifier (typically numeric field) of a + resource pool + - name: process_id_val + overwrite: true + type: keyword + description: This key is a failure key for Process ID when it is not an integer + value + - name: risk_num_comm + overwrite: true + type: double + description: This key captures Risk Number Community + - name: risk_num_next + overwrite: true + type: double + description: This key captures Risk Number NextGen + - name: risk_num_sand + overwrite: true + type: double + description: This key captures Risk Number SandBox + - name: risk_num_static + overwrite: true + type: double + description: This key captures Risk Number Static + - name: risk_suspicious + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: risk_warning + overwrite: true + type: keyword + description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + - name: snmp_oid + overwrite: true + type: keyword + description: SNMP Object Identifier + - name: sql + overwrite: true + type: keyword + description: This key captures the SQL query + - name: vuln_ref + overwrite: true + type: keyword + description: This key captures the Vulnerability Reference details + - name: acl_id + overwrite: true + type: keyword + - name: acl_op + overwrite: true + type: keyword + - name: acl_pos + overwrite: true + type: keyword + - name: acl_table + overwrite: true + type: keyword + - name: admin + overwrite: true + type: keyword + - name: alarm_id + overwrite: true + type: keyword + - name: alarmname + overwrite: true + type: keyword + - name: app_id + overwrite: true + type: keyword + - name: audit + overwrite: true + type: keyword + - name: audit_object + overwrite: true + type: keyword + - name: auditdata + overwrite: true + type: keyword + - name: benchmark + overwrite: true + type: keyword + - name: bypass + overwrite: true + type: keyword + - name: cache + overwrite: true + type: keyword + - name: cache_hit + overwrite: true + type: keyword + - name: cefversion + overwrite: true + type: keyword + - name: cfg_attr + overwrite: true + type: keyword + - name: cfg_obj + overwrite: true + type: keyword + - name: cfg_path + overwrite: true + type: keyword + - name: changes + overwrite: true + type: keyword + - name: client_ip + overwrite: true + type: keyword + - name: clustermembers + overwrite: true + type: keyword + - name: cn_acttimeout + overwrite: true + type: keyword + - name: cn_asn_src + overwrite: true + type: keyword + - name: cn_bgpv4nxthop + overwrite: true + type: keyword + - name: cn_ctr_dst_code + overwrite: true + type: keyword + - name: cn_dst_tos + overwrite: true + type: keyword + - name: cn_dst_vlan + overwrite: true + type: keyword + - name: cn_engine_id + overwrite: true + type: keyword + - name: cn_engine_type + overwrite: true + type: keyword + - name: cn_f_switch + overwrite: true + type: keyword + - name: cn_flowsampid + overwrite: true + type: keyword + - name: cn_flowsampintv + overwrite: true + type: keyword + - name: cn_flowsampmode + overwrite: true + type: keyword + - name: cn_inacttimeout + overwrite: true + type: keyword + - name: cn_inpermbyts + overwrite: true + type: keyword + - name: cn_inpermpckts + overwrite: true + type: keyword + - name: cn_invalid + overwrite: true + type: keyword + - name: cn_ip_proto_ver + overwrite: true + type: keyword + - name: cn_ipv4_ident + overwrite: true + type: keyword + - name: cn_l_switch + overwrite: true + type: keyword + - name: cn_log_did + overwrite: true + type: keyword + - name: cn_log_rid + overwrite: true + type: keyword + - name: cn_max_ttl + overwrite: true + type: keyword + - name: cn_maxpcktlen + overwrite: true + type: keyword + - name: cn_min_ttl + overwrite: true + type: keyword + - name: cn_minpcktlen + overwrite: true + type: keyword + - name: cn_mpls_lbl_1 + overwrite: true + type: keyword + - name: cn_mpls_lbl_10 + overwrite: true + type: keyword + - name: cn_mpls_lbl_2 + overwrite: true + type: keyword + - name: cn_mpls_lbl_3 + overwrite: true + type: keyword + - name: cn_mpls_lbl_4 + overwrite: true + type: keyword + - name: cn_mpls_lbl_5 + overwrite: true + type: keyword + - name: cn_mpls_lbl_6 + overwrite: true + type: keyword + - name: cn_mpls_lbl_7 + overwrite: true + type: keyword + - name: cn_mpls_lbl_8 + overwrite: true + type: keyword + - name: cn_mpls_lbl_9 + overwrite: true + type: keyword + - name: cn_mplstoplabel + overwrite: true + type: keyword + - name: cn_mplstoplabip + overwrite: true + type: keyword + - name: cn_mul_dst_byt + overwrite: true + type: keyword + - name: cn_mul_dst_pks + overwrite: true + type: keyword + - name: cn_muligmptype + overwrite: true + type: keyword + - name: cn_sampalgo + overwrite: true + type: keyword + - name: cn_sampint + overwrite: true + type: keyword + - name: cn_seqctr + overwrite: true + type: keyword + - name: cn_spackets + overwrite: true + type: keyword + - name: cn_src_tos + overwrite: true + type: keyword + - name: cn_src_vlan + overwrite: true + type: keyword + - name: cn_sysuptime + overwrite: true + type: keyword + - name: cn_template_id + overwrite: true + type: keyword + - name: cn_totbytsexp + overwrite: true + type: keyword + - name: cn_totflowexp + overwrite: true + type: keyword + - name: cn_totpcktsexp + overwrite: true + type: keyword + - name: cn_unixnanosecs + overwrite: true + type: keyword + - name: cn_v6flowlabel + overwrite: true + type: keyword + - name: cn_v6optheaders + overwrite: true + type: keyword + - name: comp_class + overwrite: true + type: keyword + - name: comp_name + overwrite: true + type: keyword + - name: comp_rbytes + overwrite: true + type: keyword + - name: comp_sbytes + overwrite: true + type: keyword + - name: cpu_data + overwrite: true + type: keyword + - name: criticality + overwrite: true + type: keyword + - name: cs_agency_dst + overwrite: true + type: keyword + - name: cs_analyzedby + overwrite: true + type: keyword + - name: cs_av_other + overwrite: true + type: keyword + - name: cs_av_primary + overwrite: true + type: keyword + - name: cs_av_secondary + overwrite: true + type: keyword + - name: cs_bgpv6nxthop + overwrite: true + type: keyword + - name: cs_bit9status + overwrite: true + type: keyword + - name: cs_context + overwrite: true + type: keyword + - name: cs_control + overwrite: true + type: keyword + - name: cs_data + overwrite: true + type: keyword + - name: cs_datecret + overwrite: true + type: keyword + - name: cs_dst_tld + overwrite: true + type: keyword + - name: cs_eth_dst_ven + overwrite: true + type: keyword + - name: cs_eth_src_ven + overwrite: true + type: keyword + - name: cs_event_uuid + overwrite: true + type: keyword + - name: cs_filetype + overwrite: true + type: keyword + - name: cs_fld + overwrite: true + type: keyword + - name: cs_if_desc + overwrite: true + type: keyword + - name: cs_if_name + overwrite: true + type: keyword + - name: cs_ip_next_hop + overwrite: true + type: keyword + - name: cs_ipv4dstpre + overwrite: true + type: keyword + - name: cs_ipv4srcpre + overwrite: true + type: keyword + - name: cs_lifetime + overwrite: true + type: keyword + - name: cs_log_medium + overwrite: true + type: keyword + - name: cs_loginname + overwrite: true + type: keyword + - name: cs_modulescore + overwrite: true + type: keyword + - name: cs_modulesign + overwrite: true + type: keyword + - name: cs_opswatresult + overwrite: true + type: keyword + - name: cs_payload + overwrite: true + type: keyword + - name: cs_registrant + overwrite: true + type: keyword + - name: cs_registrar + overwrite: true + type: keyword + - name: cs_represult + overwrite: true + type: keyword + - name: cs_rpayload + overwrite: true + type: keyword + - name: cs_sampler_name + overwrite: true + type: keyword + - name: cs_sourcemodule + overwrite: true + type: keyword + - name: cs_streams + overwrite: true + type: keyword + - name: cs_targetmodule + overwrite: true + type: keyword + - name: cs_v6nxthop + overwrite: true + type: keyword + - name: cs_whois_server + overwrite: true + type: keyword + - name: cs_yararesult + overwrite: true + type: keyword + - name: description + overwrite: true + type: keyword + - name: devvendor + overwrite: true + type: keyword + - name: distance + overwrite: true + type: keyword + - name: dstburb + overwrite: true + type: keyword + - name: edomain + overwrite: true + type: keyword + - name: edomaub + overwrite: true + type: keyword + - name: euid + overwrite: true + type: keyword + - name: facility + overwrite: true + type: keyword + - name: finterface + overwrite: true + type: keyword + - name: flags + overwrite: true + type: keyword + - name: gaddr + overwrite: true + type: keyword + - name: id3 + overwrite: true + type: keyword + - name: im_buddyname + overwrite: true + type: keyword + - name: im_croomid + overwrite: true + type: keyword + - name: im_croomtype + overwrite: true + type: keyword + - name: im_members + overwrite: true + type: keyword + - name: im_username + overwrite: true + type: keyword + - name: ipkt + overwrite: true + type: keyword + - name: ipscat + overwrite: true + type: keyword + - name: ipspri + overwrite: true + type: keyword + - name: latitude + overwrite: true + type: keyword + - name: linenum + overwrite: true + type: keyword + - name: list_name + overwrite: true + type: keyword + - name: load_data + overwrite: true + type: keyword + - name: location_floor + overwrite: true + type: keyword + - name: location_mark + overwrite: true + type: keyword + - name: log_id + overwrite: true + type: keyword + - name: log_type + overwrite: true + type: keyword + - name: logid + overwrite: true + type: keyword + - name: logip + overwrite: true + type: keyword + - name: logname + overwrite: true + type: keyword + - name: longitude + overwrite: true + type: keyword + - name: lport + overwrite: true + type: keyword + - name: mbug_data + overwrite: true + type: keyword + - name: misc_name + overwrite: true + type: keyword + - name: msg_type + overwrite: true + type: keyword + - name: msgid + overwrite: true + type: keyword + - name: netsessid + overwrite: true + type: keyword + - name: num + overwrite: true + type: keyword + - name: number1 + overwrite: true + type: keyword + - name: number2 + overwrite: true + type: keyword + - name: nwwn + overwrite: true + type: keyword + - name: object + overwrite: true + type: keyword + - name: operation + overwrite: true + type: keyword + - name: opkt + overwrite: true + type: keyword + - name: orig_from + overwrite: true + type: keyword + - name: owner_id + overwrite: true + type: keyword + - name: p_action + overwrite: true + type: keyword + - name: p_filter + overwrite: true + type: keyword + - name: p_group_object + overwrite: true + type: keyword + - name: p_id + overwrite: true + type: keyword + - name: p_msgid1 + overwrite: true + type: keyword + - name: p_msgid2 + overwrite: true + type: keyword + - name: p_result1 + overwrite: true + type: keyword + - name: password_chg + overwrite: true + type: keyword + - name: password_expire + overwrite: true + type: keyword + - name: permgranted + overwrite: true + type: keyword + - name: permwanted + overwrite: true + type: keyword + - name: pgid + overwrite: true + type: keyword + - name: policyUUID + overwrite: true + type: keyword + - name: prog_asp_num + overwrite: true + type: keyword + - name: program + overwrite: true + type: keyword + - name: real_data + overwrite: true + type: keyword + - name: rec_asp_device + overwrite: true + type: keyword + - name: rec_asp_num + overwrite: true + type: keyword + - name: rec_library + overwrite: true + type: keyword + - name: recordnum + overwrite: true + type: keyword + - name: ruid + overwrite: true + type: keyword + - name: sburb + overwrite: true + type: keyword + - name: sdomain_fld + overwrite: true + type: keyword + - name: sec + overwrite: true + type: keyword + - name: sensorname + overwrite: true + type: keyword + - name: seqnum + overwrite: true + type: keyword + - name: session + overwrite: true + type: keyword + - name: sessiontype + overwrite: true + type: keyword + - name: sigUUID + overwrite: true + type: keyword + - name: spi + overwrite: true + type: keyword + - name: srcburb + overwrite: true + type: keyword + - name: srcdom + overwrite: true + type: keyword + - name: srcservice + overwrite: true + type: keyword + - name: state + overwrite: true + type: keyword + - name: status1 + overwrite: true + type: keyword + - name: svcno + overwrite: true + type: keyword + - name: system + overwrite: true + type: keyword + - name: tbdstr1 + overwrite: true + type: keyword + - name: tgtdom + overwrite: true + type: keyword + - name: tgtdomain + overwrite: true + type: keyword + - name: threshold + overwrite: true + type: keyword + - name: type1 + overwrite: true + type: keyword + - name: udb_class + overwrite: true + type: keyword + - name: url_fld + overwrite: true + type: keyword + - name: user_div + overwrite: true + type: keyword + - name: userid + overwrite: true + type: keyword + - name: username_fld + overwrite: true + type: keyword + - name: utcstamp + overwrite: true + type: keyword + - name: v_instafname + overwrite: true + type: keyword + - name: virt_data + overwrite: true + type: keyword + - name: vpnid + overwrite: true + type: keyword + - name: autorun_type + overwrite: true + type: keyword + description: This is used to capture Auto Run type + - name: cc_number + overwrite: true + type: long + description: Valid Credit Card Numbers only + - name: content + overwrite: true + type: keyword + description: This key captures the content type from protocol headers + - name: ein_number + overwrite: true + type: long + description: Employee Identification Numbers only + - name: found + overwrite: true + type: keyword + description: This is used to capture the results of regex match + - name: language + overwrite: true + type: keyword + description: This is used to capture list of languages the client support and + what it prefers + - name: lifetime + overwrite: true + type: long + description: This key is used to capture the session lifetime in seconds. + - name: link + overwrite: true + type: keyword + description: This key is used to link the sessions together. This key should + never be used to parse Meta data from a session (Logs/Packets) Directly, this + is a Reserved key in NetWitness + - name: match + overwrite: true + type: keyword + description: This key is for regex match name from search.ini + - name: param_dst + overwrite: true + type: keyword + description: This key captures the command line/launch argument of the target + process or file + - name: param_src + overwrite: true + type: keyword + description: This key captures source parameter + - name: search_text + overwrite: true + type: keyword + description: This key captures the Search Text used + - name: sig_name + overwrite: true + type: keyword + description: This key is used to capture the Signature Name only. + - name: snmp_value + overwrite: true + type: keyword + description: SNMP set request value + - name: streams + overwrite: true + type: long + description: This key captures number of streams in session + - name: db + overwrite: true + type: group + fields: + - name: index + overwrite: true + type: keyword + description: This key captures IndexID of the index. + - name: instance + overwrite: true + type: keyword + description: This key is used to capture the database server instance name + - name: database + overwrite: true + type: keyword + description: This key is used to capture the name of a database or an instance + as seen in a session + - name: transact_id + overwrite: true + type: keyword + description: This key captures the SQL transantion ID of the current session + - name: permissions + overwrite: true + type: keyword + description: This key captures permission or privilege level assigned to a resource. + - name: table_name + overwrite: true + type: keyword + description: This key is used to capture the table name + - name: db_id + overwrite: true + type: keyword + description: This key is used to capture the unique identifier for a database + - name: db_pid + overwrite: true + type: long + description: This key captures the process id of a connection with database + server + - name: lread + overwrite: true + type: long + description: This key is used for the number of logical reads + - name: lwrite + overwrite: true + type: long + description: This key is used for the number of logical writes + - name: pread + overwrite: true + type: long + description: This key is used for the number of physical writes + - name: network + overwrite: true + type: group + fields: + - name: alias_host + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a hostname is not clear.Also it captures the Device Hostname. Any Hostname + that isnt ad.computer. + - name: domain + overwrite: true + type: keyword + - name: host_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Hostname" + - name: network_service + overwrite: true + type: keyword + description: This is used to capture layer 7 protocols/service names + - name: interface + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of an interface is not clear + - name: network_port + overwrite: true + type: long + description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently + used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + - name: eth_host + overwrite: true + type: keyword + description: Deprecated, use alias.mac + - name: sinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Interface" + - name: dinterface + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Interface" + - name: vlan + overwrite: true + type: long + description: This key should only be used to capture the ID of the Virtual LAN + - name: zone_src + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Source Zone." + - name: zone + overwrite: true + type: keyword + description: This key should be used when the source or destination context + of a Zone is not clear + - name: zone_dst + overwrite: true + type: keyword + description: "This key should only be used when it\u2019s a Destination Zone." + - name: gateway + overwrite: true + type: keyword + description: This key is used to capture the IP Address of the gateway + - name: icmp_type + overwrite: true + type: long + description: This key is used to capture the ICMP type only + - name: mask + overwrite: true + type: keyword + description: This key is used to capture the device network IPmask. + - name: icmp_code + overwrite: true + type: long + description: This key is used to capture the ICMP code only + - name: protocol_detail + overwrite: true + type: keyword + description: This key should be used to capture additional protocol information + - name: dmask + overwrite: true + type: keyword + description: This key is used for Destionation Device network mask + - name: port + overwrite: true + type: long + description: This key should only be used to capture a Network Port when the + directionality is not clear + - name: smask + overwrite: true + type: keyword + description: This key is used for capturing source Network Mask + - name: netname + overwrite: true + type: keyword + description: This key is used to capture the network name associated with an + IP range. This is configured by the end user. + - name: paddr + overwrite: true + type: ip + description: Deprecated + - name: faddr + overwrite: true + type: keyword + - name: lhost + overwrite: true + type: keyword + - name: origin + overwrite: true + type: keyword + - name: remote_domain_id + overwrite: true + type: keyword + - name: addr + overwrite: true + type: keyword + - name: dns_a_record + overwrite: true + type: keyword + - name: dns_ptr_record + overwrite: true + type: keyword + - name: fhost + overwrite: true + type: keyword + - name: fport + overwrite: true + type: keyword + - name: laddr + overwrite: true + type: keyword + - name: linterface + overwrite: true + type: keyword + - name: phost + overwrite: true + type: keyword + - name: ad_computer_dst + overwrite: true + type: keyword + description: Deprecated, use host.dst + - name: eth_type + overwrite: true + type: long + description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols + Only + - name: ip_proto + overwrite: true + type: long + description: This key should be used to capture the Protocol number, all the + protocol nubers are converted into string in UI + - name: dns_cname_record + overwrite: true + type: keyword + - name: dns_id + overwrite: true + type: keyword + - name: dns_opcode + overwrite: true + type: keyword + - name: dns_resp + overwrite: true + type: keyword + - name: dns_type + overwrite: true + type: keyword + - name: domain1 + overwrite: true + type: keyword + - name: host_type + overwrite: true + type: keyword + - name: packet_length + overwrite: true + type: keyword + - name: host_orig + overwrite: true + type: keyword + description: This is used to capture the original hostname in case of a Forwarding + Agent or a Proxy in between. + - name: rpayload + overwrite: true + type: keyword + description: This key is used to capture the total number of payload bytes seen + in the retransmitted packets. + - name: vlan_name + overwrite: true + type: keyword + description: This key should only be used to capture the name of the Virtual + LAN + - name: investigations + overwrite: true + type: group + fields: + - name: ec_activity + overwrite: true + type: keyword + description: This key captures the particular event activity(Ex:Logoff) + - name: ec_theme + overwrite: true + type: keyword + description: This key captures the Theme of a particular Event(Ex:Authentication) + - name: ec_subject + overwrite: true + type: keyword + description: This key captures the Subject of a particular Event(Ex:User) + - name: ec_outcome + overwrite: true + type: keyword + description: This key captures the outcome of a particular Event(Ex:Success) + - name: event_cat + overwrite: true + type: long + description: This key captures the Event category number + - name: event_cat_name + overwrite: true + type: keyword + description: This key captures the event category name corresponding to the + event cat code + - name: event_vcat + overwrite: true + type: keyword + description: This is a vendor supplied category. This should be used in situations + where the vendor has adopted their own event_category taxonomy. + - name: analysis_file + overwrite: true + type: keyword + description: This is used to capture all indicators used in a File Analysis. + This key should be used to capture an analysis of a file + - name: analysis_service + overwrite: true + type: keyword + description: This is used to capture all indicators used in a Service Analysis. + This key should be used to capture an analysis of a service + - name: analysis_session + overwrite: true + type: keyword + description: This is used to capture all indicators used for a Session Analysis. + This key should be used to capture an analysis of a session + - name: boc + overwrite: true + type: keyword + description: This is used to capture behaviour of compromise + - name: eoc + overwrite: true + type: keyword + description: This is used to capture Enablers of Compromise + - name: inv_category + overwrite: true + type: keyword + description: This used to capture investigation category + - name: inv_context + overwrite: true + type: keyword + description: This used to capture investigation context + - name: ioc + overwrite: true + type: keyword + description: This is key capture indicator of compromise + - name: counters + overwrite: true + type: group + fields: + - name: dclass_c1 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c1.str only + - name: dclass_c2 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c2.str only + - name: event_counter + overwrite: true + type: long + description: This is used to capture the number of times an event repeated + - name: dclass_r1 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r1.str only + - name: dclass_c3 + overwrite: true + type: long + description: This is a generic counter key that should be used with the label + dclass.c3.str only + - name: dclass_c1_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c1 only + - name: dclass_c2_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c2 only + - name: dclass_r1_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r1 only + - name: dclass_r2 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r2.str only + - name: dclass_c3_str + overwrite: true + type: keyword + description: This is a generic counter string key that should be used with the + label dclass.c3 only + - name: dclass_r3 + overwrite: true + type: keyword + description: This is a generic ratio key that should be used with the label + dclass.r3.str only + - name: dclass_r2_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r2 only + - name: dclass_r3_str + overwrite: true + type: keyword + description: This is a generic ratio string key that should be used with the + label dclass.r3 only + - name: identity + overwrite: true + type: group + fields: + - name: auth_method + overwrite: true + type: keyword + description: This key is used to capture authentication methods used only + - name: user_role + overwrite: true + type: keyword + description: This key is used to capture the Role of a user only + - name: dn + overwrite: true + type: keyword + description: X.500 (LDAP) Distinguished Name + - name: logon_type + overwrite: true + type: keyword + description: This key is used to capture the type of logon method used. + - name: profile + overwrite: true + type: keyword + description: This key is used to capture the user profile + - name: accesses + overwrite: true + type: keyword + description: This key is used to capture actual privileges used in accessing + an object + - name: realm + overwrite: true + type: keyword + description: Radius realm or similar grouping of accounts + - name: user_sid_dst + overwrite: true + type: keyword + description: This key captures Destination User Session ID + - name: dn_src + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that is used in a context that + indicates a Source dn + - name: org + overwrite: true + type: keyword + description: This key captures the User organization + - name: dn_dst + overwrite: true + type: keyword + description: An X.500 (LDAP) Distinguished name that used in a context that + indicates a Destination dn + - name: firstname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: lastname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: user_dept + overwrite: true + type: keyword + description: User's Department Names only + - name: user_sid_src + overwrite: true + type: keyword + description: This key captures Source User Session ID + - name: federated_sp + overwrite: true + type: keyword + description: This key is the Federated Service Provider. This is the application + requesting authentication. + - name: federated_idp + overwrite: true + type: keyword + description: This key is the federated Identity Provider. This is the server + providing the authentication. + - name: logon_type_desc + overwrite: true + type: keyword + description: This key is used to capture the textual description of an integer + logon type as stored in the meta key 'logon.type'. + - name: middlename + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: password + overwrite: true + type: keyword + description: This key is for Passwords seen in any session, plain text or encrypted + - name: host_role + overwrite: true + type: keyword + description: This key should only be used to capture the role of a Host Machine + - name: ldap + overwrite: true + type: keyword + description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ + t have a clear query or response context" + - name: ldap_query + overwrite: true + type: keyword + description: This key is the Search criteria from an LDAP search + - name: ldap_response + overwrite: true + type: keyword + description: This key is to capture Results from an LDAP search + - name: owner + overwrite: true + type: keyword + description: This is used to capture username the process or service is running + as, the author of the task + - name: service_account + overwrite: true + type: keyword + description: This key is a windows specific key, used for capturing name of + the account a service (referenced in the event) is running under. Legacy Usage + - name: email + overwrite: true + type: group + fields: + - name: email_dst + overwrite: true + type: keyword + description: This key is used to capture the Destination email address only, + when the destination context is not clear use email + - name: email_src + overwrite: true + type: keyword + description: This key is used to capture the source email address only, when + the source context is not clear use email + - name: subject + overwrite: true + type: keyword + description: This key is used to capture the subject string from an Email only. + - name: email + overwrite: true + type: keyword + description: This key is used to capture a generic email address where the source + or destination context is not clear + - name: trans_from + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: trans_to + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: file + overwrite: true + type: group + fields: + - name: privilege + overwrite: true + type: keyword + description: Deprecated, use permissions + - name: attachment + overwrite: true + type: keyword + description: This key captures the attachment file name + - name: filesystem + overwrite: true + type: keyword + - name: binary + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: filename_dst + overwrite: true + type: keyword + description: This is used to capture name of the file targeted by the action + - name: filename_src + overwrite: true + type: keyword + description: This is used to capture name of the parent filename, the file which + performed the action + - name: filename_tmp + overwrite: true + type: keyword + - name: directory_dst + overwrite: true + type: keyword + description: This key is used to capture the directory of the target process + or file + - name: directory_src + overwrite: true + type: keyword + description: This key is used to capture the directory of the source process + or file + - name: file_entropy + overwrite: true + type: double + description: This is used to capture entropy vale of a file + - name: file_vendor + overwrite: true + type: keyword + description: This is used to capture Company name of file located in version_info + - name: task_name + overwrite: true + type: keyword + description: This is used to capture name of the task + - name: web + overwrite: true + type: group + fields: + - name: fqdn + overwrite: true + type: keyword + description: Fully Qualified Domain Names + - name: web_cookie + overwrite: true + type: keyword + description: This key is used to capture the Web cookies specifically. + - name: alias_host + overwrite: true + type: keyword + - name: reputation_num + overwrite: true + type: double + description: Reputation Number of an entity. Typically used for Web Domains + - name: web_ref_domain + overwrite: true + type: keyword + description: Web referer's domain + - name: web_ref_query + overwrite: true + type: keyword + description: This key captures Web referer's query portion of the URL + - name: remote_domain + overwrite: true + type: keyword + - name: web_ref_page + overwrite: true + type: keyword + description: This key captures Web referer's page information + - name: web_ref_root + overwrite: true + type: keyword + description: Web referer's root URL path + - name: cn_asn_dst + overwrite: true + type: keyword + - name: cn_rpackets + overwrite: true + type: keyword + - name: urlpage + overwrite: true + type: keyword + - name: urlroot + overwrite: true + type: keyword + - name: p_url + overwrite: true + type: keyword + - name: p_user_agent + overwrite: true + type: keyword + - name: p_web_cookie + overwrite: true + type: keyword + - name: p_web_method + overwrite: true + type: keyword + - name: p_web_referer + overwrite: true + type: keyword + - name: web_extension_tmp + overwrite: true + type: keyword + - name: web_page + overwrite: true + type: keyword + - name: threat + overwrite: true + type: group + fields: + - name: threat_category + overwrite: true + type: keyword + description: This key captures Threat Name/Threat Category/Categorization of + alert + - name: threat_desc + overwrite: true + type: keyword + description: This key is used to capture the threat description from the session + directly or inferred + - name: alert + overwrite: true + type: keyword + description: This key is used to capture name of the alert + - name: threat_source + overwrite: true + type: keyword + description: This key is used to capture source of the threat + - name: crypto + overwrite: true + type: group + fields: + - name: crypto + overwrite: true + type: keyword + description: This key is used to capture the Encryption Type or Encryption Key + only + - name: cipher_src + overwrite: true + type: keyword + description: This key is for Source (Client) Cipher + - name: cert_subject + overwrite: true + type: keyword + description: This key is used to capture the Certificate organization only + - name: peer + overwrite: true + type: keyword + description: This key is for Encryption peer's IP Address + - name: cipher_size_src + overwrite: true + type: long + description: This key captures Source (Client) Cipher Size + - name: ike + overwrite: true + type: keyword + description: IKE negotiation phase. + - name: scheme + overwrite: true + type: keyword + description: This key captures the Encryption scheme used + - name: peer_id + overwrite: true + type: keyword + description: "This key is for Encryption peer\u2019s identity" + - name: sig_type + overwrite: true + type: keyword + description: This key captures the Signature Type + - name: cert_issuer + overwrite: true + type: keyword + - name: cert_host_name + overwrite: true + type: keyword + description: Deprecated key defined only in table map. + - name: cert_error + overwrite: true + type: keyword + description: This key captures the Certificate Error String + - name: cipher_dst + overwrite: true + type: keyword + description: This key is for Destination (Server) Cipher + - name: cipher_size_dst + overwrite: true + type: long + description: This key captures Destination (Server) Cipher Size + - name: ssl_ver_src + overwrite: true + type: keyword + description: Deprecated, use version + - name: d_certauth + overwrite: true + type: keyword + - name: s_certauth + overwrite: true + type: keyword + - name: ike_cookie1 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" + - name: ike_cookie2 + overwrite: true + type: keyword + description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" + - name: cert_checksum + overwrite: true + type: keyword + - name: cert_host_cat + overwrite: true + type: keyword + description: This key is used for the hostname category value of a certificate + - name: cert_serial + overwrite: true + type: keyword + description: This key is used to capture the Certificate serial number only + - name: cert_status + overwrite: true + type: keyword + description: This key captures Certificate validation status + - name: ssl_ver_dst + overwrite: true + type: keyword + description: Deprecated, use version + - name: cert_keysize + overwrite: true + type: keyword + - name: cert_username + overwrite: true + type: keyword + - name: https_insact + overwrite: true + type: keyword + - name: https_valid + overwrite: true + type: keyword + - name: cert_ca + overwrite: true + type: keyword + description: This key is used to capture the Certificate signing authority only + - name: cert_common + overwrite: true + type: keyword + description: This key is used to capture the Certificate common name only + - name: wireless + overwrite: true + type: group + fields: + - name: wlan_ssid + overwrite: true + type: keyword + description: This key is used to capture the ssid of a Wireless Session + - name: access_point + overwrite: true + type: keyword + description: This key is used to capture the access point name. + - name: wlan_channel + overwrite: true + type: long + description: This is used to capture the channel names + - name: wlan_name + overwrite: true + type: keyword + description: This key captures either WLAN number/name + - name: storage + overwrite: true + type: group + fields: + - name: disk_volume + overwrite: true + type: keyword + description: A unique name assigned to logical units (volumes) within a physical + disk + - name: lun + overwrite: true + type: keyword + description: Logical Unit Number.This key is a very useful concept in Storage. + - name: pwwn + overwrite: true + type: keyword + description: This uniquely identifies a port on a HBA. + - name: physical + overwrite: true + type: group + fields: + - name: org_dst + overwrite: true + type: keyword + description: This is used to capture the destination organization based on the + GEOPIP Maxmind database. + - name: org_src + overwrite: true + type: keyword + description: This is used to capture the source organization based on the GEOPIP + Maxmind database. + - name: healthcare + overwrite: true + type: group + fields: + - name: patient_fname + overwrite: true + type: keyword + description: This key is for First Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_id + overwrite: true + type: keyword + description: This key captures the unique ID for a patient + - name: patient_lname + overwrite: true + type: keyword + description: This key is for Last Names only, this is used for Healthcare predominantly + to capture Patients information + - name: patient_mname + overwrite: true + type: keyword + description: This key is for Middle Names only, this is used for Healthcare + predominantly to capture Patients information + - name: endpoint + overwrite: true + type: group + fields: + - name: host_state + overwrite: true + type: keyword + description: This key is used to capture the current state of the machine, such + as blacklisted, infected, firewall + disabled and so on + - name: registry_key + overwrite: true + type: keyword + description: This key captures the path to the registry key + - name: registry_value + overwrite: true + type: keyword + description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml b/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml new file mode 100644 index 00000000000..b888ca3989d --- /dev/null +++ b/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml @@ -0,0 +1,45 @@ +{{ if eq .input "file" }} + +type: log +paths: + {{ range $i, $path := .paths }} +- {{$path}} + {{ end }} +exclude_files: [".gz$"] + +{{ else }} + +type: {{.input}} +host: "{{.syslog_host}}:{{.syslog_port}}" + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +fields_under_root: true +fields: + observer: + vendor: "Symantec" + product: "Endpoint" + type: "Anti-Virus" + +processors: +- script: + lang: javascript + params: + ecs: true + rsa: {{.rsa_fields}} + tz_offset: {{.tz_offset}} + keep_raw: {{.keep_raw_fields}} + debug: {{.debug}} + files: + - ${path.home}/module/symantec/endpointprotection/config/liblogparser.js + - ${path.home}/module/symantec/endpointprotection/config/pipeline.js +{{ if .community_id }} +- community_id: ~ +{{ end }} +- add_fields: + target: '' + fields: + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/symantec/endpointprotection/config/liblogparser.js b/x-pack/filebeat/module/symantec/endpointprotection/config/liblogparser.js new file mode 100644 index 00000000000..6cdb48abb26 --- /dev/null +++ b/x-pack/filebeat/module/symantec/endpointprotection/config/liblogparser.js @@ -0,0 +1,2510 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +/* jshint -W014,-W016,-W097,-W116 */ + +var processor = require("processor"); +var console = require("console"); + +var FLAG_FIELD = "log.flags"; +var FIELDS_OBJECT = "nwparser"; +var FIELDS_PREFIX = FIELDS_OBJECT + "."; + +var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true +}; + +var saved_flags = null; +var debug; +var map_ecs; +var map_rsa; +var keep_raw; +var device; +var tz_offset; +var strip_priority; + +// Register params from configuration. +function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); +} + +function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } +} + +function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); +} + +function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); +} + +function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; +} + +function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; +} + +function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; +} + +var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. + cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); +})(); + +function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; +} + +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + +function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; +} + +function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; +} + +function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; +} + +function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; +} + +var start; + +function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); +} + +function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); +} + +function constant(value) { + return function (evt) { + return value; + }; +} + +function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; +} + +function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; +} + +// TODO: Implement +function DIRCHK(args) { + unimplemented("DIRCHK"); +} + +function strictToInt(str) { + return str * 1; +} + +function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; +} + +var quoteChars = "\"'`"; +function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; +} + +function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; +} + +function nop(evt) { +} + +function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); +} + +function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); +} + +function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; +} + +function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); +} + +function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; +} + +function setc(dst, value) { + return function (evt) { + evt.Put(FIELDS_PREFIX + dst, value); + }; +} + +function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; +} + +function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; +} + +function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; +} + +function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; +} + +// Make two-digit dates 00-69 interpreted as 2000-2069 +// and dates 70-99 translated to 1970-1999. +var twoDigitYearEpoch = 70; +var twoDigitYearCentury = 2000; + +// This is to accept dates up to 2 days in the future, only used when +// no year is specified in a date. 2 days should be enough to account for +// time differences between systems and different tz offsets. +var maxFutureDelta = 2*24*60*60*1000; + +// DateContainer stores date fields and then converts those fields into +// a Date. Necessary because building a Date using its set() methods gives +// different results depending on the order of components. +function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; +} + +DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } +} + +function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? date.toDate() : undefined; +} + +function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; +} + +function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; +} + +var uA = 60 * 60 * 24; +var uD = 60 * 60 * 24; +var uF = 60 * 60; +var uG = 60 * 60 * 24 * 30; +var uH = 60 * 60; +var uI = 60 * 60; +var uJ = 60 * 60 * 24; +var uM = 60 * 60 * 24 * 30; +var uN = 60 * 60; +var uO = 1; +var uS = 1; +var uT = 60; +var uU = 60; +var uc = dc; + +function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; +} + +function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 5], + "dec": [11, 4], +}; + +// var dC = undefined; +var dR = dateMonthName(true); +var dB = dateMonthName(false); +var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); +var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); +var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); +var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); +var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); +var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 +var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); +var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); +var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); +var dP = parseAMPM; // AM|PM +var dQ = parseAMPM; // A.M.|P.M +var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); +var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); +var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); +var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); +var dZ = parseHMS; +var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + +// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. +// Only works if this modifier appears after the hour has been read from logs +// which is always the case in the 300 devices. +function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; +} + +function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); +} + +function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; +} + +function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; +} + +function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? pos : undefined; +} + +function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; +} + +function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; +} + +// Short month name (Jan..Dec). +function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? idx[1] : 0); + }; +} + +function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.error(fn.name + " failed for '" + value + "'"); + } + }; +} + +// The following regular expression for parsing URLs from: +// https://github.com/wizard04wsu/URI_Parsing +// +// The MIT License (MIT) +// +// Copyright (c) 2014 Andrew Harrison +// +// Permission is hereby granted, free of charge, to any person obtaining a copy of +// this software and associated documentation files (the "Software"), to deal in +// the Software without restriction, including without limitation the rights to +// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +// the Software, and to permit persons to whom the Software is furnished to do so, +// subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in all +// copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + +var uriScheme = 1; +var uriDomain = 5; +var uriPort = 6; +var uriPath = 7; +var uriPathAlt = 9; +var uriQuery = 11; + +function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); +} + +function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; +} + +function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; +} + +var extFromPage = /\.[^.]+$/; +function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } +} + +function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); +} + +function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); +} + +var pageFromPathRegExp = /\/([^\/]+)$/; +var pageName = 1; + +function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; +} + +function page(dst, src) { + return url_wrapper(dst, src, extract_page); +} + +function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; +} + +function path(dst, src) { + return url_wrapper(dst, src, extract_path); +} + +// Map common schemes to their default port. +// port has to be a string (will be converted at a later stage). +var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", +}; + +function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } +} + +function port(dst, src) { + return url_wrapper(dst, src, extract_port); +} + +function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; +} + +function query(dst, src) { + return url_wrapper(dst, src, extract_query); +} + +function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } +} + +function root(dst, src) { + return url_wrapper(dst, src, extract_root); +} + +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + +var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "log.original", setter: fld_set}]}, + "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, + "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, + "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, + "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, + "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, + "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, + "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, + "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, + "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, + "version": {to:[{field: "observer.version", setter: fld_set}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, + "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, + "web_root": {to:[{field: "url.path", setter: fld_set}]}, + "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, +}; + +var rsa_mappings = { + "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, + "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, + "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, + "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, + "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, + "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, + "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, + "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, + "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, + "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, + "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, + "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, + "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, + "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, + "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, + "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, + "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, + "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, + "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, + "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, + "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, + "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, + "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, + "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, + "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, + "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, + "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, + "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, + "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, + "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, + "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, + "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, + "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, + "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, + "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, + "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, + "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, +}; + +function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } +} + +// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. +var maxSafeInt = Math.pow(2, 53) - 1; +var minSafeInt = -maxSafeInt; + +function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; +} + +function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); +} + +var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; +var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + +function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; +} + +function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; +} + +function to_double(value) { + return parseFloat(value); +} + +function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; +} + +function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? value.toLowerCase() : value; +} + +function fld_set(dst, value) { + dst[this.field] = { v: value }; +} + +function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } +} + +function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } +} + +var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true +}; + +function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } +} + +function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } +} + +function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); +} + +var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, +]; + +function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var dup82 = setc("result","Traffic has not been blocked from application."); + +var dup83 = setc("result","Traffic has been blocked from application."); + +var dup84 = setc("eventcategory","1002000000"); + +var dup85 = setc("event_description","Denial of Service 'Smurf' attack detected."); + +var dup86 = setc("eventcategory","1603000000"); + +var dup87 = setf("hostip","hhostip"); + +var dup88 = setc("event_description","Host Integrity check passed"); + +var dup89 = setc("event_description","Host Integrity check failed."); + +var dup90 = // "Pattern{Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#21:Applied/1_0", "nwparser.p0", ",Event time:%{fld17->} %{fld18}"); + +var dup91 = // "Pattern{}" +match_copy("MESSAGE#21:Applied/1_1", "nwparser.p0", ""); + +var dup92 = setc("eventcategory","1702010000"); + +var dup93 = date_time({ + dest: "event_time", + args: ["fld17","fld18"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup94 = setf("hostip","hhost"); + +var dup95 = setc("eventcategory","1701010000"); + +var dup96 = setc("ec_activity","Create"); + +var dup97 = setc("ec_theme","Configuration"); + +var dup98 = // "Pattern{Constant('"Location: '), Field(p0,false)}" +match("MESSAGE#23:blocked:01/1_0", "nwparser.p0", "\"Location: %{p0}"); + +var dup99 = // "Pattern{Constant('Location: '), Field(p0,false)}" +match("MESSAGE#23:blocked:01/1_1", "nwparser.p0", "Location: %{p0}"); + +var dup100 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#52:blocked/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain}"); + +var dup101 = // "Pattern{Field(fld4,false), Constant(',MD-5:'), Field(fld5,false), Constant(',Local:'), Field(p0,false)}" +match("MESSAGE#190:Local::01/0_0", "nwparser.payload", "%{fld4},MD-5:%{fld5},Local:%{p0}"); + +var dup102 = // "Pattern{Constant('Local:'), Field(p0,false)}" +match("MESSAGE#190:Local::01/0_1", "nwparser.payload", "Local:%{p0}"); + +var dup103 = setc("event_description","Active Response"); + +var dup104 = setc("dclass_counter1_string","Occurrences"); + +var dup105 = // "Pattern{Constant('Rule: '), Field(rulename,false), Constant(',Location: '), Field(p0,false)}" +match("MESSAGE#192:Local:/1_0", "nwparser.p0", "Rule: %{rulename},Location: %{p0}"); + +var dup106 = // "Pattern{Constant(' "Rule: '), Field(rulename,false), Constant('",Location: '), Field(p0,false)}" +match("MESSAGE#192:Local:/1_1", "nwparser.p0", " \"Rule: %{rulename}\",Location: %{p0}"); + +var dup107 = // "Pattern{Field(fld11,false), Constant(',User: '), Field(username,false), Constant(','), Field(p0,false)}" +match("MESSAGE#192:Local:/2", "nwparser.p0", "%{fld11},User: %{username},%{p0}"); + +var dup108 = // "Pattern{Constant('Domain: '), Field(domain,false), Constant(',Action: '), Field(action,false)}" +match("MESSAGE#192:Local:/3_0", "nwparser.p0", "Domain: %{domain},Action: %{action}"); + +var dup109 = // "Pattern{Constant(' Domain: '), Field(domain,false)}" +match("MESSAGE#192:Local:/3_1", "nwparser.p0", " Domain: %{domain}"); + +var dup110 = setc("eventcategory","1003010000"); + +var dup111 = call({ + dest: "nwparser.sigid_string", + fn: STRCAT, + args: [ + field("fld28"), + constant("CVE-"), + field("cve"), + ], +}); + +var dup112 = // "Pattern{Constant('"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(p0,false)}" +match("MESSAGE#198:Local::04/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{p0}"); + +var dup113 = // "Pattern{Constant('Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(p0,false)}" +match("MESSAGE#198:Local::04/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{p0}"); + +var dup114 = // "Pattern{Field(fld25,false)}" +match_copy("MESSAGE#198:Local::04/2", "nwparser.p0", "fld25"); + +var dup115 = setc("ec_subject","Virus"); + +var dup116 = setc("ec_activity","Detect"); + +var dup117 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(network_service,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#205:Local::07/0", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); + +var dup118 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(network_service,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#206:Local::19/0", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); + +var dup119 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#209:Local::03/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain}"); + +var dup120 = setc("eventcategory","1801000000"); + +var dup121 = setc("eventcategory","1401010000"); + +var dup122 = setf("shost","hsource"); + +var dup123 = setc("event_description","File Read Begin."); + +var dup124 = setc("ec_subject","File"); + +var dup125 = setc("action","Read"); + +var dup126 = setc("event_description","Create Process."); + +var dup127 = setc("event_description","File Write."); + +var dup128 = setc("action","Write"); + +var dup129 = setf("saddr","hsaddr"); + +var dup130 = setc("event_description","File Read."); + +var dup131 = setc("action","Delete"); + +var dup132 = setf("process","filename"); + +var dup133 = setc("event_description","File Write Begin."); + +var dup134 = date_time({ + dest: "starttime", + args: ["fld2","fld3"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup135 = date_time({ + dest: "endtime", + args: ["fld4","fld5"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup136 = setc("eventcategory","1701020000"); + +var dup137 = setf("domain","hdomain"); + +var dup138 = setc("event_description","The client has downloaded file successfully."); + +var dup139 = // "Pattern{Constant('The client will block traffic from IP address '), Field(fld14,true), Constant(' for the next '), Field(duration_string,true), Constant(' (from '), Field(fld13,false), Constant(')'), Field(p0,false)}" +match("MESSAGE#64:client:05/0", "nwparser.payload", "The client will block traffic from IP address %{fld14->} for the next %{duration_string->} (from %{fld13})%{p0}"); + +var dup140 = // "Pattern{Constant('.,'), Field(p0,false)}" +match("MESSAGE#64:client:05/1_0", "nwparser.p0", ".,%{p0}"); + +var dup141 = // "Pattern{Constant(' . ,'), Field(p0,false)}" +match("MESSAGE#64:client:05/1_1", "nwparser.p0", " . ,%{p0}"); + +var dup142 = setf("shost","hclient"); + +var dup143 = setc("event_description","The client will block traffic."); + +var dup144 = setc("event_description","The client has successfully downloaded and applied a license file"); + +var dup145 = // "Pattern{Constant('Commercial application detected,Computer name: '), Field(p0,false)}" +match("MESSAGE#70:Commercial/0", "nwparser.payload", "Commercial application detected,Computer name: %{p0}"); + +var dup146 = // "Pattern{Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Detection type: '), Field(p0,false)}" +match("MESSAGE#70:Commercial/1_0", "nwparser.p0", "%{shost},IP Address: %{saddr},Detection type: %{p0}"); + +var dup147 = // "Pattern{Field(shost,false), Constant(',Detection type: '), Field(p0,false)}" +match("MESSAGE#70:Commercial/1_1", "nwparser.p0", "%{shost},Detection type: %{p0}"); + +var dup148 = // "Pattern{Field(severity,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" +match("MESSAGE#70:Commercial/2", "nwparser.p0", "%{severity},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); + +var dup149 = // "Pattern{Constant('"'), Field(filename,false), Constant('",Actual action: '), Field(p0,false)}" +match("MESSAGE#70:Commercial/3_0", "nwparser.p0", "\"%{filename}\",Actual action: %{p0}"); + +var dup150 = // "Pattern{Field(filename,false), Constant(',Actual action: '), Field(p0,false)}" +match("MESSAGE#70:Commercial/3_1", "nwparser.p0", "%{filename},Actual action: %{p0}"); + +var dup151 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" +match("MESSAGE#70:Commercial/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); + +var dup152 = setf("threat_name","virusname"); + +var dup153 = date_time({ + dest: "recorded_time", + args: ["fld19"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup154 = date_time({ + dest: "endtime", + args: ["fld51"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup155 = setc("event_description","Commercial application detected"); + +var dup156 = setc("eventcategory","1701030000"); + +var dup157 = // "Pattern{Constant('IP Address: '), Field(hostip,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(p0,false)}" +match("MESSAGE#76:Computer/0", "nwparser.payload", "IP Address: %{hostip},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); + +var dup158 = setf("administrator","husername"); + +var dup159 = // "Pattern{Constant('"'), Field(filename,false), Constant('",'), Field(p0,false)}" +match("MESSAGE#78:Computer:03/1_0", "nwparser.p0", "\"%{filename}\",%{p0}"); + +var dup160 = // "Pattern{Field(filename,false), Constant(','), Field(p0,false)}" +match("MESSAGE#78:Computer:03/1_1", "nwparser.p0", "%{filename},%{p0}"); + +var dup161 = // "Pattern{Field(severity,false), Constant(',First Seen: '), Field(fld55,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld13,false), Constant(',Detection score:'), Field(fld7,false), Constant(',COH Engine Version: '), Field(fld41,false), Constant(','), Field(fld53,false), Constant(',Permitted application reason: '), Field(fld54,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',Risk Level: '), Field(fld50,false), Constant(',Detection Source: '), Field(fld52,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" +match("MESSAGE#79:Computer:02/2", "nwparser.p0", "%{severity},First Seen: %{fld55},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld13},Detection score:%{fld7},COH Engine Version: %{fld41},%{fld53},Permitted application reason: %{fld54},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); + +var dup162 = setc("event_description","Security risk found"); + +var dup163 = date_time({ + dest: "event_time", + args: ["fld5","fld6"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup164 = date_time({ + dest: "recorded_time", + args: ["fld12"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup165 = setc("eventcategory","1701000000"); + +var dup166 = date_time({ + dest: "event_time", + args: ["fld5","fld6"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup167 = setc("event_description","Could not start service engine."); + +var dup168 = setc("eventcategory","1603040000"); + +var dup169 = setc("event_description","Disconnected from Symantec Endpoint Protection Manager."); + +var dup170 = setc("eventcategory","1402020200"); + +var dup171 = setc("eventcategory","1402020100"); + +var dup172 = setc("ec_activity","Enable"); + +var dup173 = setc("event_description","Failed to connect to the server."); + +var dup174 = setc("eventcategory","1301000000"); + +var dup175 = setc("event_description","Failed to Login to Remote Site"); + +var dup176 = // "Pattern{Constant('"'), Field(,false)}" +match("MESSAGE#250:Network:24/1_0", "nwparser.p0", "\"%{}"); + +var dup177 = setc("ec_subject","Group"); + +var dup178 = setc("ec_theme","UserGroup"); + +var dup179 = setc("eventcategory","1701070000"); + +var dup180 = setc("event_description","Host Integrity check is disabled."); + +var dup181 = setc("event_description","Host Integrity failed but reported as pass"); + +var dup182 = // "Pattern{Constant(' Domain:'), Field(p0,false)}" +match("MESSAGE#134:Host:09/1_1", "nwparser.p0", " Domain:%{p0}"); + +var dup183 = // "Pattern{Constant('is '), Field(p0,false)}" +match("MESSAGE#135:Intrusion/1_0", "nwparser.p0", "is %{p0}"); + +var dup184 = setc("event_description","LiveUpdate"); + +var dup185 = setc("event_description","Submitting information to Symantec failed."); + +var dup186 = // "Pattern{Constant('.,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#145:LiveUpdate:10/1_0", "nwparser.p0", ".,Event time:%{fld17->} %{fld18}"); + +var dup187 = setc("ec_outcome","Error"); + +var dup188 = setc("event_description","LiveUpdate encountered an error."); + +var dup189 = setf("hostid","hhost"); + +var dup190 = setc("event_description","The latest SONAR Definitions update failed to load."); + +var dup191 = // "Pattern{Constant('",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#179:LiveUpdate:40/1_0", "nwparser.p0", "\",Event time:%{fld17->} %{fld18}"); + +var dup192 = date_time({ + dest: "event_time", + args: ["fld5","fld6"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dP], + ], +}); + +var dup193 = setc("event_description","Virus Found"); + +var dup194 = // "Pattern{Constant(' '), Field(p0,false)}" +match("MESSAGE#432:Virus:02/1_1", "nwparser.p0", " %{p0}"); + +var dup195 = setc("event_description","Virus Definition File Update"); + +var dup196 = setf("event_description","hfld1"); + +var dup197 = // "Pattern{Constant('Virus found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(p0,false)}" +match("MESSAGE#436:Virus:12/0", "nwparser.payload", "Virus found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); + +var dup198 = // "Pattern{Constant('"'), Field(fld1,false), Constant('",Actual action: '), Field(p0,false)}" +match("MESSAGE#436:Virus:12/1_0", "nwparser.p0", "\"%{fld1}\",Actual action: %{p0}"); + +var dup199 = // "Pattern{Field(fld1,false), Constant(',Actual action: '), Field(p0,false)}" +match("MESSAGE#436:Virus:12/1_1", "nwparser.p0", "%{fld1},Actual action: %{p0}"); + +var dup200 = setc("event_description","Virus found"); + +var dup201 = // "Pattern{Constant('Intensive Protection Level: '), Field(fld61,false), Constant(',Certificate issuer: '), Field(fld60,false), Constant(',Certificate signer: '), Field(fld62,false), Constant(',Certificate thumbprint: '), Field(fld63,false), Constant(',Signing timestamp: '), Field(fld64,false), Constant(',Certificate serial number: '), Field(fld65,false), Constant(',Source: '), Field(p0,false)}" +match("MESSAGE#437:Virus:15/1_0", "nwparser.p0", "Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},Source: %{p0}"); + +var dup202 = // "Pattern{Constant('Source: '), Field(p0,false)}" +match("MESSAGE#437:Virus:15/1_1", "nwparser.p0", "Source: %{p0}"); + +var dup203 = // "Pattern{Constant('"Group: '), Field(group,false), Constant('",Server: '), Field(p0,false)}" +match("MESSAGE#438:Virus:13/3_0", "nwparser.p0", "\"Group: %{group}\",Server: %{p0}"); + +var dup204 = // "Pattern{Constant('Group: '), Field(group,false), Constant(',Server: '), Field(p0,false)}" +match("MESSAGE#438:Virus:13/3_1", "nwparser.p0", "Group: %{group},Server: %{p0}"); + +var dup205 = // "Pattern{Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(p0,false)}" +match("MESSAGE#438:Virus:13/4", "nwparser.p0", "%{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{p0}"); + +var dup206 = // "Pattern{Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(event_type,false)}" +match("MESSAGE#438:Virus:13/5_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{event_type}"); + +var dup207 = // "Pattern{Field(filename_size,false)}" +match_copy("MESSAGE#438:Virus:13/5_1", "nwparser.p0", "filename_size"); + +var dup208 = // "Pattern{Constant('Virus found,Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(p0,false)}" +match("MESSAGE#440:Virus:14/0", "nwparser.payload", "Virus found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); + +var dup209 = // "Pattern{Constant('"'), Field(info,false), Constant('",Actual action: '), Field(p0,false)}" +match("MESSAGE#441:Virus:05/1_0", "nwparser.p0", "\"%{info}\",Actual action: %{p0}"); + +var dup210 = // "Pattern{Field(info,false), Constant(',Actual action: '), Field(p0,false)}" +match("MESSAGE#441:Virus:05/1_1", "nwparser.p0", "%{info},Actual action: %{p0}"); + +var dup211 = // "Pattern{Constant(''), Field(info,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#218:Location/3_0", "nwparser.p0", "%{info},Event time:%{fld17->} %{fld18}"); + +var dup212 = // "Pattern{Field(info,false)}" +match_copy("MESSAGE#218:Location/3_1", "nwparser.p0", "info"); + +var dup213 = setc("eventcategory","1701060000"); + +var dup214 = setc("event_description","Network Audit Search Unagented Hosts From NST Finished Abnormally."); + +var dup215 = setc("event_description","Network Intrusion Prevention is malfunctioning"); + +var dup216 = // "Pattern{Constant(' by policy'), Field(,false)}" +match("MESSAGE#253:Network:27/1_0", "nwparser.p0", " by policy%{}"); + +var dup217 = setc("event_description","Generic Exploit Mitigation"); + +var dup218 = setc("event_description","No objects got swept."); + +var dup219 = setc("event_description","Organization importing finished successfully."); + +var dup220 = setc("event_description","Organization importing started."); + +var dup221 = setc("event_description","Number of Group Update Providers"); + +var dup222 = setf("shost","hhostid"); + +var dup223 = setc("ec_theme","Policy"); + +var dup224 = setc("event_description","Policy has been added"); + +var dup225 = setc("event_description","Policy has been edited"); + +var dup226 = // "Pattern{Constant(','), Field(p0,false)}" +match("MESSAGE#296:Policy:deleted/1_0", "nwparser.p0", ",%{p0}"); + +var dup227 = setc("event_description","Potential risk found"); + +var dup228 = // "Pattern{Constant('Potential risk found,Computer name: '), Field(p0,false)}" +match("MESSAGE#298:Potential:02/0", "nwparser.payload", "Potential risk found,Computer name: %{p0}"); + +var dup229 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld20,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" +match("MESSAGE#299:Potential/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld20},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); + +var dup230 = date_time({ + dest: "recorded_time", + args: ["fld20"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup231 = // "Pattern{Field(event_description,false), Constant(', process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' The change was denied by user'), Field(fld6,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#308:process:03/0", "nwparser.payload", "%{event_description}, process id: %{process_id->} Filename: %{filename->} The change was denied by user%{fld6}\"%{p0}"); + +var dup232 = setc("eventcategory","1606000000"); + +var dup233 = setc("event_description","Retry."); + +var dup234 = setc("event_description","Successfully deleted the client install package"); + +var dup235 = setc("event_description","Risk Repair Failed"); + +var dup236 = setc("event_description","Risk Repaired"); + +var dup237 = setc("event_description","Scan Start/Stop"); + +var dup238 = setc("event_description","Scan Start"); + +var dup239 = setc("dclass_counter1_string","Infected Count."); + +var dup240 = setc("dclass_counter2_string","Total File Count."); + +var dup241 = setc("dclass_counter3_string","Threat Count."); + +var dup242 = date_time({ + dest: "starttime", + args: ["fld1"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], +}); + +var dup243 = setc("event_description","Scan"); + +var dup244 = setc("dclass_counter1_string","Infected"); + +var dup245 = setc("dclass_counter2_string","Files scanned"); + +var dup246 = setc("dclass_counter3_string","Threats"); + +var dup247 = setc("dclass_counter1_string","Risk Count."); + +var dup248 = setc("dclass_counter2_string","Scan Count."); + +var dup249 = // "Pattern{Constant('''), Field(context,false), Constant('','), Field(p0,false)}" +match("MESSAGE#340:Scan:12/1_0", "nwparser.p0", "'%{context}',%{p0}"); + +var dup250 = // "Pattern{Constant('Security risk found,Computer name: '), Field(p0,false)}" +match("MESSAGE#343:Security:03/0", "nwparser.payload", "Security risk found,Computer name: %{p0}"); + +var dup251 = // "Pattern{Constant('Security risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(','), Field(p0,false)}" +match("MESSAGE#345:Security:05/0", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},%{p0}"); + +var dup252 = // "Pattern{Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(vendor_event_cat,false)}" +match("MESSAGE#345:Security:05/7_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{vendor_event_cat}"); + +var dup253 = setc("event_description","Compressed File"); + +var dup254 = setc("event_description","Stop serving as the Group Update Provider (proxy server)."); + +var dup255 = setc("event_description","Symantec AntiVirus Startup/Shutdown"); + +var dup256 = setc("eventcategory","1611000000"); + +var dup257 = setc("eventcategory","1610000000"); + +var dup258 = setc("event_description","services failed to start"); + +var dup259 = setc("eventcategory","1608010000"); + +var dup260 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec AntiVirus,'), Field(p0,false)}" +match("MESSAGE#388:Symantec:26/0", "nwparser.payload", "Category: %{fld22},Symantec AntiVirus,%{p0}"); + +var dup261 = // "Pattern{Constant('[Antivirus'), Field(p0,false)}" +match("MESSAGE#388:Symantec:26/1_0", "nwparser.p0", "[Antivirus%{p0}"); + +var dup262 = // "Pattern{Constant('"[Antivirus'), Field(p0,false)}" +match("MESSAGE#388:Symantec:26/1_1", "nwparser.p0", "\"[Antivirus%{p0}"); + +var dup263 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#389:Symantec:39/2", "nwparser.p0", "%{} %{p0}"); + +var dup264 = // "Pattern{Constant('detection'), Field(p0,false)}" +match("MESSAGE#389:Symantec:39/3_0", "nwparser.p0", "detection%{p0}"); + +var dup265 = // "Pattern{Constant('advanced heuristic detection'), Field(p0,false)}" +match("MESSAGE#389:Symantec:39/3_1", "nwparser.p0", "advanced heuristic detection%{p0}"); + +var dup266 = // "Pattern{Constant(' Size (bytes): '), Field(filename_size,false), Constant('.",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#389:Symantec:39/5_0", "nwparser.p0", " Size (bytes): %{filename_size}.\",Event time:%{fld17->} %{fld18}"); + +var dup267 = // "Pattern{Constant('Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#389:Symantec:39/5_2", "nwparser.p0", "Event time:%{fld17->} %{fld18}"); + +var dup268 = setc("ec_theme","Communication"); + +var dup269 = // "Pattern{Constant(','), Field(p0,false)}" +match("MESSAGE#410:Terminated/0_1", "nwparser.payload", ",%{p0}"); + +var dup270 = setc("event_description","Traffic from IP address is blocked."); + +var dup271 = // "Pattern{Constant(''), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#416:Traffic:02/2", "nwparser.p0", "%{fld6},User: %{username},Domain: %{domain}"); + +var dup272 = setc("event_description","Unexpected server error."); + +var dup273 = setc("event_description","Unsolicited incoming ARP reply detected."); + +var dup274 = setc("event_description","Windows Version info."); + +var dup275 = // "Pattern{Constant('"'), Field(filename,false), Constant('",User: '), Field(p0,false)}" +match("MESSAGE#455:Allowed:09/2_0", "nwparser.p0", "\"%{filename}\",User: %{p0}"); + +var dup276 = // "Pattern{Field(filename,false), Constant(',User: '), Field(p0,false)}" +match("MESSAGE#455:Allowed:09/2_1", "nwparser.p0", "%{filename},User: %{p0}"); + +var dup277 = setc("event_description","File Write"); + +var dup278 = // "Pattern{Field(fld46,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" +match("MESSAGE#457:Allowed:10/3_0", "nwparser.p0", "%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); + +var dup279 = setc("event_description","File Delete"); + +var dup280 = setc("event_description","File Delete Begin."); + +var dup281 = // "Pattern{Constant('""'), Field(action,true), Constant(' . Description: '), Field(p0,false)}" +match("MESSAGE#505:Ping/0_0", "nwparser.payload", "\"\"%{action->} . Description: %{p0}"); + +var dup282 = // "Pattern{Field(action,true), Constant(' . Description: '), Field(p0,false)}" +match("MESSAGE#505:Ping/0_1", "nwparser.payload", "%{action->} . Description: %{p0}"); + +var dup283 = setc("dclass_counter1_string","Virus Count."); + +var dup284 = date_time({ + dest: "event_time", + args: ["fld1","fld2","fld3"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dY,dN,dc(":"),dU,dP], + ], +}); + +var dup285 = setc("event_description","Backup succeeded and finished."); + +var dup286 = setc("event_description","Backup started."); + +var dup287 = date_time({ + dest: "event_time", + args: ["fld8"], + fmts: [ + [dX], + ], +}); + +var dup288 = setc("ec_subject","Configuration"); + +var dup289 = setc("eventcategory","1801030000"); + +var dup290 = // "Pattern{Field(event_description,true), Constant(' [name]:'), Field(obj_name,true), Constant(' [class]:'), Field(obj_type,true), Constant(' [guid]:'), Field(hardware_id,true), Constant(' [deviceID]:'), Field(info,false), Constant('^^'), Field(p0,false)}" +match("MESSAGE#639:303235080/1_0", "nwparser.p0", "%{event_description->} [name]:%{obj_name->} [class]:%{obj_type->} [guid]:%{hardware_id->} [deviceID]:%{info}^^%{p0}"); + +var dup291 = // "Pattern{Field(event_description,false), Constant('. '), Field(info,false), Constant('^^'), Field(p0,false)}" +match("MESSAGE#639:303235080/1_1", "nwparser.p0", "%{event_description}. %{info}^^%{p0}"); + +var dup292 = // "Pattern{Field(event_description,false), Constant('^^'), Field(p0,false)}" +match("MESSAGE#639:303235080/1_2", "nwparser.p0", "%{event_description}^^%{p0}"); + +var dup293 = // "Pattern{Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#639:303235080/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}"); + +var dup294 = setc("eventcategory","1803000000"); + +var dup295 = setc("ec_subject","NetworkComm"); + +var dup296 = field("fld17"); + +var dup297 = setc("event_description","Block all other IP traffic and log"); + +var dup298 = setc("rulename","Block all other IP traffic and log"); + +var dup299 = field("fld13"); + +var dup300 = date_time({ + dest: "starttime", + args: ["fld15"], + fmts: [ + [dX], + ], +}); + +var dup301 = date_time({ + dest: "endtime", + args: ["fld16"], + fmts: [ + [dX], + ], +}); + +var dup302 = setc("dclass_counter1_string","No. of attacks"); + +var dup303 = setc("event_description","Block Local File Sharing to external computers"); + +var dup304 = setc("event_description","Block all other traffic"); + +var dup305 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(p0,false)}" +match("MESSAGE#674:238/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{p0}"); + +var dup306 = field("fld11"); + +var dup307 = setc("dclass_counter1_string","No. of events repeated"); + +var dup308 = setf("filename","parent_process"); + +var dup309 = constant("Allow"); + +var dup310 = constant("Deny"); + +var dup311 = linear_select([ + dup9, + dup10, +]); + +var dup312 = lookup({ + dest: "nwparser.direction", + map: map_Direction, + key: dup49, +}); + +var dup313 = linear_select([ + dup50, + dup10, +]); + +var dup314 = linear_select([ + dup59, + dup60, + dup61, +]); + +var dup315 = linear_select([ + dup63, + dup64, +]); + +var dup316 = linear_select([ + dup76, + dup77, +]); + +var dup317 = linear_select([ + dup79, + dup80, +]); + +var dup318 = linear_select([ + dup90, + dup91, +]); + +var dup319 = linear_select([ + dup98, + dup99, +]); + +var dup320 = linear_select([ + dup101, + dup102, +]); + +var dup321 = linear_select([ + dup105, + dup106, +]); + +var dup322 = linear_select([ + dup108, + dup109, +]); + +var dup323 = linear_select([ + dup112, + dup113, +]); + +var dup324 = linear_select([ + dup140, + dup141, +]); + +var dup325 = linear_select([ + dup146, + dup147, +]); + +var dup326 = linear_select([ + dup149, + dup150, +]); + +var dup327 = linear_select([ + dup159, + dup160, +]); + +var dup328 = linear_select([ + dup198, + dup199, +]); + +var dup329 = linear_select([ + dup201, + dup202, +]); + +var dup330 = linear_select([ + dup203, + dup204, +]); + +var dup331 = linear_select([ + dup206, + dup207, +]); + +var dup332 = linear_select([ + dup209, + dup210, +]); + +var dup333 = linear_select([ + dup211, + dup212, +]); + +var dup334 = linear_select([ + dup216, + dup91, +]); + +var dup335 = linear_select([ + dup249, + dup226, +]); + +var dup336 = linear_select([ + dup252, + dup207, +]); + +var dup337 = linear_select([ + dup262, + dup261, +]); + +var dup338 = linear_select([ + dup264, + dup265, +]); + +var dup339 = linear_select([ + dup266, + dup191, + dup267, + dup176, + dup91, +]); + +var dup340 = linear_select([ + dup275, + dup276, +]); + +var dup341 = linear_select([ + dup281, + dup282, +]); + +var dup342 = // "Pattern{Field(id,false), Constant('^^'), Field(event_description,false)}" +match("MESSAGE#524:1281", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ + dup53, + dup15, +])); + +var dup343 = // "Pattern{Field(id,false), Constant('^^'), Field(event_description,false)}" +match("MESSAGE#546:4868", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ + dup43, + dup15, +])); + +var dup344 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#549:302449153", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup43, + dup15, + dup287, +])); + +var dup345 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#550:302449153:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup43, + dup15, + dup287, +])); + +var dup346 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#553:302449155", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup74, + dup15, + dup287, +])); + +var dup347 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#554:302449155:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup74, + dup15, + dup287, +])); + +var dup348 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#585:302450432", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup168, + dup15, + dup287, +])); + +var dup349 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#586:302450432:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup168, + dup15, + dup287, +])); + +var dup350 = linear_select([ + dup290, + dup291, + dup292, +]); + +var dup351 = lookup({ + dest: "nwparser.ec_activity", + map: map_Activity, + key: dup296, +}); + +var dup352 = lookup({ + dest: "nwparser.protocol", + map: map_Protocol, + key: dup299, +}); + +var dup353 = lookup({ + dest: "nwparser.protocol", + map: map_Protocol, + key: dup49, +}); + +var dup354 = lookup({ + dest: "nwparser.direction", + map: map_Direction, + key: dup299, +}); + +var dup355 = lookup({ + dest: "nwparser.action", + map: map_Action, + key: dup306, +}); + +var dup356 = lookup({ + dest: "nwparser.ec_activity", + map: map_Activity, + key: dup306, +}); + +var dup357 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" +match("MESSAGE#664:206", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ + dup294, + dup295, + dup37, + dup268, + dup15, + dup353, + dup354, + dup287, + dup300, + dup301, + dup302, +])); + +var dup358 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#665:206:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup294, + dup295, + dup37, + dup268, + dup15, + dup353, + dup354, + dup287, + dup300, + dup301, + dup302, +])); + +var dup359 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" +match("MESSAGE#669:210", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ + dup43, + dup15, + dup353, + dup354, + dup287, + dup300, + dup301, + dup302, +])); + +var dup360 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(fld31,false), Constant('^^'), Field(filename_size,false), Constant('^^'), Field(fld32,false), Constant('^^'), Field(fld33,false)}" +match("MESSAGE#676:501", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{username}^^%{sdomain}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}^^%{fld31}^^%{filename_size}^^%{fld32}^^%{fld33}", processor_chain([ + dup43, + dup15, + dup355, + dup287, + dup300, + dup301, + dup307, + dup308, +])); + +var dup361 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false)}" +match("MESSAGE#677:501:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{username}^^%{sdomain}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}", processor_chain([ + dup43, + dup15, + dup355, + dup287, + dup300, + dup301, + dup307, + dup308, +])); + +var hdr1 = // "Pattern{Constant('%SYMANTECAV '), Field(p0,false)}" +match("HEADER#0:0001/0", "message", "%SYMANTECAV %{p0}"); + +var part1 = // "Pattern{Constant('Delete '), Field(p0,false)}" +match("HEADER#0:0001/1_0", "nwparser.p0", "Delete %{p0}"); + +var part2 = // "Pattern{Constant('Leave Alone '), Field(p0,false)}" +match("HEADER#0:0001/1_1", "nwparser.p0", "Leave Alone %{p0}"); + +var part3 = // "Pattern{Constant('Quarantine '), Field(p0,false)}" +match("HEADER#0:0001/1_2", "nwparser.p0", "Quarantine %{p0}"); + +var part4 = // "Pattern{Constant('Undefined '), Field(p0,false)}" +match("HEADER#0:0001/1_3", "nwparser.p0", "Undefined %{p0}"); + +var select1 = linear_select([ + part1, + part2, + part3, + part4, +]); + +var part5 = // "Pattern{Field(,false), Constant('..Alert: '), Field(messageid,true), Constant(' '), Field(data,false), Constant('..'), Field(p0,false)}" +match("HEADER#0:0001/2", "nwparser.p0", "%{}..Alert: %{messageid->} %{data}..%{p0}", processor_chain([ + dup1, +])); + +var all1 = all_match({ + processors: [ + hdr1, + select1, + part5, + ], + on_success: processor_chain([ + setc("header_id","0001"), + ]), +}); + +var hdr2 = // "Pattern{Constant('%SYMANTECAV Alert: '), Field(messageid,true), Constant(' '), Field(data,false), Constant('..'), Field(p0,false)}" +match("HEADER#1:0002", "message", "%SYMANTECAV Alert: %{messageid->} %{data}..%{p0}", processor_chain([ + setc("header_id","0002"), + dup1, +])); + +var hdr3 = // "Pattern{Constant('%SYMANTECAV ..'), Field(messageid,true), Constant(' '), Field(data,false), Constant('..'), Field(p0,false)}" +match("HEADER#2:0003", "message", "%SYMANTECAV ..%{messageid->} %{data}..%{p0}", processor_chain([ + setc("header_id","0003"), + dup1, +])); + +var hdr4 = // "Pattern{Constant('%SYMANTECAV '), Field(hfld1,true), Constant(' ..'), Field(messageid,true), Constant(' '), Field(hfld2,false), Constant('.. '), Field(p0,false)}" +match("HEADER#3:0004", "message", "%SYMANTECAV %{hfld1->} ..%{messageid->} %{hfld2}.. %{p0}", processor_chain([ + setc("header_id","0004"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("hfld2"), + constant(".. "), + field("p0"), + ], + }), +])); + +var hdr5 = // "Pattern{Constant('%SYMANTECAV '), Field(hfld1,true), Constant(' '), Field(messageid,true), Constant(' Found '), Field(p0,false)}" +match("HEADER#4:0005", "message", "%SYMANTECAV %{hfld1->} %{messageid->} Found %{p0}", processor_chain([ + setc("header_id","0005"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" Found "), + field("p0"), + ], + }), +])); + +var hdr6 = // "Pattern{Constant('%SYMANTECAV '), Field(messageid,true), Constant(' '), Field(hfld1,false), Constant('..'), Field(p0,false)}" +match("HEADER#5:0006", "message", "%SYMANTECAV %{messageid->} %{hfld1}..%{p0}", processor_chain([ + setc("header_id","0006"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("hfld1"), + constant(".."), + field("p0"), + ], + }), +])); + +var hdr7 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',Admin: '), Field(husername,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#6:00081", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},%{messageid->} %{p0}", processor_chain([ + setc("header_id","00081"), + dup2, +])); + +var hdr8 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',Admin: '), Field(husername,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#7:0008", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},%{messageid->} %{p0}", processor_chain([ + setc("header_id","0008"), + dup2, +])); + +var hdr9 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#8:00091", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},The %{messageid->} %{p0}", processor_chain([ + setc("header_id","00091"), + dup2, +])); + +var hdr10 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#9:0009", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},The %{messageid->} %{p0}", processor_chain([ + setc("header_id","0009"), + dup2, +])); + +var hdr11 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',Admin: '), Field(husername,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#10:00421", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},The %{messageid->} %{p0}", processor_chain([ + setc("header_id","00421"), + dup2, +])); + +var hdr12 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(',Admin: '), Field(husername,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#11:0042", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},Admin: %{husername},The %{messageid->} %{p0}", processor_chain([ + setc("header_id","0042"), + dup2, +])); + +var hdr13 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#12:99991", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},%{messageid->} %{p0}", processor_chain([ + setc("header_id","99991"), + dup2, +])); + +var hdr14 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',Domain: '), Field(hdomain,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#13:9999", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},Domain: %{hdomain},%{messageid->} %{p0}", processor_chain([ + setc("header_id","9999"), + dup2, +])); + +var hdr15 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#14:00101", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},\"%{messageid->} %{p0}", processor_chain([ + setc("header_id","00101"), + dup2, +])); + +var hdr16 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#15:0010", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},\"%{messageid->} %{p0}", processor_chain([ + setc("header_id","0010"), + dup2, +])); + +var hdr17 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(messageid,false), Constant('.'), Field(fld2,true), Constant(' '), Field(p0,false)}" +match("HEADER#16:00111", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},%{messageid}.%{fld2->} %{p0}", processor_chain([ + setc("header_id","00111"), + dup3, +])); + +var hdr18 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(messageid,false), Constant('.'), Field(fld2,true), Constant(' '), Field(p0,false)}" +match("HEADER#17:0011", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},%{messageid}.%{fld2->} %{p0}", processor_chain([ + setc("header_id","0011"), + dup3, +])); + +var hdr19 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#18:00121", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},%{messageid->} %{p0}", processor_chain([ + setc("header_id","00121"), + dup2, +])); + +var hdr20 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#19:0012", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},%{messageid->} %{p0}", processor_chain([ + setc("header_id","0012"), + dup2, +])); + +var hdr21 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(fld20,true), Constant(' '), Field(fld21,true), Constant(' '), Field(fld23,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#20:11111", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},%{fld20->} %{fld21->} %{fld23->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","11111"), + dup2, +])); + +var hdr22 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(','), Field(fld20,true), Constant(' '), Field(fld21,true), Constant(' '), Field(fld23,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#21:1111", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},%{fld20->} %{fld21->} %{fld23->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","1111"), + dup2, +])); + +var hdr23 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#22:13131", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},Category: %{hdata},%{hfld1},\"%{messageid->} %{p0}", processor_chain([ + setc("header_id","13131"), + dup2, +])); + +var hdr24 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#23:1313", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},Category: %{hdata},%{hfld1},\"%{messageid->} %{p0}", processor_chain([ + setc("header_id","1313"), + dup2, +])); + +var hdr25 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#24:00131", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},Category: %{hdata},%{hfld1},%{messageid->} %{p0}", processor_chain([ + setc("header_id","00131"), + dup2, +])); + +var hdr26 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#25:0013", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},Category: %{hdata},%{hfld1},%{messageid->} %{p0}", processor_chain([ + setc("header_id","0013"), + dup2, +])); + +var hdr27 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',"[SID: '), Field(hfld1,false), Constant('] '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#26:13142", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},\"[SID: %{hfld1}] %{messageid->} %{p0}", processor_chain([ + setc("header_id","13142"), + dup2, +])); + +var hdr28 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',"[SID: '), Field(hfld1,false), Constant('] '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#27:13141", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"[SID: %{hfld1}] %{messageid->} %{p0}", processor_chain([ + setc("header_id","13141"), + dup2, +])); + +var hdr29 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',"[SID: '), Field(hfld1,false), Constant('] '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#28:1314", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"[SID: %{hfld1}] %{messageid->} %{p0}", processor_chain([ + setc("header_id","1314"), + dup2, +])); + +var hdr30 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',[SID: '), Field(hdata,false), Constant('] '), Field(hfld1,false), Constant('. Traffic has been '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#29:00141", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},[SID: %{hdata}] %{hfld1}. Traffic has been %{messageid->} %{p0}", processor_chain([ + setc("header_id","00141"), + dup4, +])); + +var hdr31 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',[SID: '), Field(hdata,false), Constant('] '), Field(hfld1,false), Constant('. Traffic has been '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#30:0014", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},[SID: %{hdata}] %{hfld1}. Traffic has been %{messageid->} %{p0}", processor_chain([ + setc("header_id","0014"), + dup4, +])); + +var hdr32 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#31:00161", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{messageid->} %{p0}", processor_chain([ + setc("header_id","00161"), + dup2, +])); + +var hdr33 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#32:0016", "message", "%{htime->} SymantecServer %{hhost}: %{messageid->} %{p0}", processor_chain([ + setc("header_id","0016"), + dup2, +])); + +var hdr34 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','), Field(fld1,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#33:29292", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},%{fld1->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","29292"), + dup5, +])); + +var hdr35 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(fld1,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#34:29291", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{fld1->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","29291"), + dup5, +])); + +var hdr36 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(','), Field(fld1,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#35:2929", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{fld1->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","2929"), + dup5, +])); + +var hdr37 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(fld1,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#36:00291", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{fld1->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","00291"), + dup5, +])); + +var hdr38 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(fld1,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#37:0029", "message", "%{htime->} SymantecServer %{hhost}: %{fld1->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0029"), + dup5, +])); + +var hdr39 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhostip,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#38:00173", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhostip->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},%{messageid->} %{p0}", processor_chain([ + setc("header_id","00173"), + dup2, +])); + +var hdr40 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#39:00172", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},SHA-256:%{checksum},MD-5:%{checksum},%{messageid->} %{p0}", processor_chain([ + setc("header_id","00172"), + dup2, +])); + +var hdr41 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#40:00171", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{messageid->} %{p0}", processor_chain([ + setc("header_id","00171"), + dup2, +])); + +var hdr42 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#41:0017", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{messageid->} %{p0}", processor_chain([ + setc("header_id","0017"), + dup2, +])); + +var hdr43 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(hname,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#42:00151", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{hname},%{messageid->} %{p0}", processor_chain([ + setc("header_id","00151"), + dup6, +])); + +var hdr44 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(','), Field(hname,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#43:0015", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{hname},%{messageid->} %{p0}", processor_chain([ + setc("header_id","0015"), + dup6, +])); + +var hdr45 = // "Pattern{Constant('%SYMANTECAV Actual Name: '), Field(hfld1,true), Constant(' ..Alert: '), Field(messageid,true), Constant(' '), Field(data,false), Constant('..'), Field(p0,false)}" +match("HEADER#44:0018", "message", "%SYMANTECAV Actual Name: %{hfld1->} ..Alert: %{messageid->} %{data}..%{p0}", processor_chain([ + setc("header_id","0018"), + dup1, +])); + +var hdr46 = // "Pattern{Constant('%SYMANTECAV '), Field(hfld1,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(messageid,true), Constant(' '), Field(hfld3,true), Constant(' '), Field(p0,false)}" +match("HEADER#45:0021", "message", "%SYMANTECAV %{hfld1->} %{hfld2->} %{messageid->} %{hfld3->} %{p0}", processor_chain([ + setc("header_id","0021"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("messageid"), + constant(" "), + field("hfld3"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr47 = // "Pattern{Constant('%SYMANTECAV '), Field(hfld1,true), Constant(' '), Field(hfld2,true), Constant(' '), Field(hfld3,true), Constant(' '), Field(messageid,true), Constant(' '), Field(hfld4,true), Constant(' '), Field(p0,false)}" +match("HEADER#46:0022", "message", "%SYMANTECAV %{hfld1->} %{hfld2->} %{hfld3->} %{messageid->} %{hfld4->} %{p0}", processor_chain([ + setc("header_id","0022"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(" "), + field("hfld2"), + constant(" "), + field("hfld3"), + constant(" "), + field("messageid"), + constant(" "), + field("hfld4"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr48 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(','), Field(fld40,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#47:00191", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},Category: %{hdata},%{hfld1},%{fld40->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","00191"), + dup7, +])); + +var hdr49 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',Category: '), Field(hdata,false), Constant(','), Field(hfld1,false), Constant(','), Field(fld40,true), Constant(' '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#48:0019", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},Category: %{hdata},%{hfld1},%{fld40->} %{messageid->} %{p0}", processor_chain([ + setc("header_id","0019"), + dup7, +])); + +var hdr50 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#49:00201", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hurl},Server: %{hhostid},The %{messageid->} %{p0}", processor_chain([ + setc("header_id","00201"), + dup2, +])); + +var hdr51 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hurl,false), Constant(',Server: '), Field(hhostid,false), Constant(',The '), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#50:0020", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hurl},Server: %{hhostid},The %{messageid->} %{p0}", processor_chain([ + setc("header_id","0020"), + dup2, +])); + +var hdr52 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#51:00231", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"%{messageid->} %{p0}", processor_chain([ + setc("header_id","00231"), + dup2, +])); + +var hdr53 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',"'), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#52:0023", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"%{messageid->} %{p0}", processor_chain([ + setc("header_id","0023"), + dup2, +])); + +var hdr54 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(messageid,false), Constant(','), Field(payload,false)}" +match("HEADER#53:00241", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{messageid},%{payload}", processor_chain([ + setc("header_id","00241"), +])); + +var hdr55 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(','), Field(messageid,false), Constant(','), Field(payload,false)}" +match("HEADER#54:0024", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{messageid},%{payload}", processor_chain([ + setc("header_id","0024"), +])); + +var hdr56 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',"'), Field(haction,true), Constant(' """"'), Field(messageid,true), Constant(' of Death"" '), Field(payload,false)}" +match("HEADER#55:00261", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"%{haction->} \"\"\"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ + setc("header_id","00261"), +])); + +var hdr57 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',"'), Field(haction,true), Constant(' """"'), Field(messageid,true), Constant(' of Death"" '), Field(payload,false)}" +match("HEADER#56:0026", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"%{haction->} \"\"\"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ + setc("header_id","0026"), +])); + +var hdr58 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(',"'), Field(haction,true), Constant(' ""'), Field(messageid,true), Constant(' of Death"" '), Field(payload,false)}" +match("HEADER#57:00371", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},\"%{haction->} \"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ + setc("header_id","00371"), +])); + +var hdr59 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(',"'), Field(haction,true), Constant(' ""'), Field(messageid,true), Constant(' of Death"" '), Field(payload,false)}" +match("HEADER#58:0037", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},\"%{haction->} \"\"%{messageid->} of Death\"\" %{payload}", processor_chain([ + setc("header_id","0037"), +])); + +var hdr60 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: Site: '), Field(hsite,false), Constant(','), Field(messageid,false), Constant(': '), Field(p0,false)}" +match("HEADER#59:00271", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: Site: %{hsite},%{messageid}: %{p0}", processor_chain([ + setc("header_id","00271"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hhost"), + constant(" SymantecServer: Site: "), + field("hsite"), + constant(","), + field("messageid"), + constant(": "), + field("p0"), + ], + }), +])); + +var hdr61 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': Site: '), Field(hsite,false), Constant(','), Field(messageid,false), Constant(': '), Field(p0,false)}" +match("HEADER#60:0027", "message", "%{htime->} SymantecServer %{hhost}: Site: %{hsite},%{messageid}: %{p0}", processor_chain([ + setc("header_id","0027"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hhost"), + constant(": Site: "), + field("hsite"), + constant(","), + field("messageid"), + constant(": "), + field("p0"), + ], + }), +])); + +var hdr62 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(messageid,false), Constant(': '), Field(payload,false)}" +match("HEADER#61:00301", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{messageid}: %{payload}", processor_chain([ + setc("header_id","00301"), +])); + +var hdr63 = // "Pattern{Field(htime,true), Constant(' SymantecServer '), Field(hhost,false), Constant(': '), Field(hshost,false), Constant(','), Field(messageid,false), Constant(': '), Field(payload,false)}" +match("HEADER#62:0030", "message", "%{htime->} SymantecServer %{hhost}: %{hshost},%{messageid}: %{payload}", processor_chain([ + setc("header_id","0030"), +])); + +var hdr64 = // "Pattern{Field(hmonth,true), Constant(' '), Field(hday,true), Constant(' '), Field(hhour,false), Constant(':'), Field(hmin,false), Constant(':'), Field(hsec,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(hsaddr,false), Constant(','), Field(messageid,false), Constant(','), Field(payload,false)}" +match("HEADER#63:00242", "message", "%{hmonth->} %{hday->} %{hhour}:%{hmin}:%{hsec->} %{hhost->} SymantecServer: %{hshost},%{hsaddr},%{messageid},%{payload}", processor_chain([ + setc("header_id","00242"), +])); + +var hdr65 = // "Pattern{Field(htime,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(hsaddr,false), Constant(','), Field(hfld1,false), Constant(','), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#64:00243", "message", "%{htime->} %{hhost->} SymantecServer: %{hshost},%{hsaddr},%{hfld1},%{messageid->} %{p0}", processor_chain([ + setc("header_id","00243"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld1"), + constant(","), + field("messageid"), + constant(" "), + field("p0"), + ], + }), +])); + +var hdr66 = // "Pattern{Field(htime,true), Constant(' '), Field(hhost,true), Constant(' SymantecServer: '), Field(hshost,false), Constant(','), Field(hsaddr,false), Constant(','), Field(messageid,false), Constant(','), Field(payload,false)}" +match("HEADER#65:00244", "message", "%{htime->} %{hhost->} SymantecServer: %{hshost},%{hsaddr},%{messageid},%{payload}", processor_chain([ + setc("header_id","00244"), +])); + +var hdr67 = // "Pattern{Constant('%SymantecEP: '), Field(messageid,false), Constant('^^'), Field(hhost,false), Constant('^^'), Field(p0,false)}" +match("HEADER#66:0031", "message", "%SymantecEP: %{messageid}^^%{hhost}^^%{p0}", processor_chain([ + setc("header_id","0031"), + dup8, +])); + +var hdr68 = // "Pattern{Constant('%SymantecEP-'), Field(hevent,false), Constant(': '), Field(hdomain,false), Constant('^^'), Field(hlevel,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(messageid,true), Constant(' '), Field(p0,false)}" +match("HEADER#67:0032", "message", "%SymantecEP-%{hevent}: %{hdomain}^^%{hlevel}^^%{fld1}^^%{messageid->} %{p0}", processor_chain([ + setc("header_id","0032"), + dup2, +])); + +var hdr69 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(hfld5,false), Constant('^^'), Field(hfld6,false), Constant('^^'), Field(hfld7,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" +match("HEADER#68:0040", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld5}^^%{hfld6}^^%{hfld7}^^%{messageid}^^%{p0}", processor_chain([ + setc("header_id","0040"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant("^^"), + field("hfld3"), + constant("^^"), + field("hfld4"), + constant("^^"), + field("hfld5"), + constant("^^"), + field("hfld6"), + constant("^^"), + field("hfld7"), + constant("^^"), + field("messageid"), + constant("^^"), + field("p0"), + ], + }), +])); + +var hdr70 = // "Pattern{Constant('%SymantecEP-'), Field(hevent,false), Constant(': '), Field(hdomain,false), Constant('^^'), Field(hlevel,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(messageid,false), Constant('.'), Field(fld2,true), Constant(' '), Field(p0,false)}" +match("HEADER#69:0033", "message", "%SymantecEP-%{hevent}: %{hdomain}^^%{hlevel}^^%{fld1}^^%{messageid}.%{fld2->} %{p0}", processor_chain([ + setc("header_id","0033"), + dup3, +])); + +var hdr71 = // "Pattern{Constant('%SymantecEP-'), Field(hevent,false), Constant(': '), Field(hdomain,false), Constant('^^'), Field(hlevel,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" +match("HEADER#70:0034", "message", "%SymantecEP-%{hevent}: %{hdomain}^^%{hlevel}^^%{messageid}^^%{p0}", processor_chain([ + setc("header_id","0034"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant("^^"), + field("p0"), + ], + }), +])); + +var hdr72 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(messageid,false), Constant('^^'), Field(hhost,false), Constant('^^'), Field(p0,false)}" +match("HEADER#71:0035", "message", "%SymantecEP-%{hfld1}: %{messageid}^^%{hhost}^^%{p0}", processor_chain([ + setc("header_id","0035"), + dup8, +])); + +var hdr73 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(hfld5,false), Constant('^^'), Field(hfld6,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" +match("HEADER#72:0038", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld5}^^%{hfld6}^^%{messageid}^^%{p0}", processor_chain([ + setc("header_id","0038"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant("^^"), + field("hfld3"), + constant("^^"), + field("hfld4"), + constant("^^"), + field("hfld5"), + constant("^^"), + field("hfld6"), + constant("^^"), + field("messageid"), + constant("^^"), + field("p0"), + ], + }), +])); + +var hdr74 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" +match("HEADER#73:0041", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{messageid}^^%{p0}", processor_chain([ + setc("header_id","0041"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant("^^"), + field("hfld3"), + constant("^^"), + field("hfld4"), + constant("^^"), + field("messageid"), + constant("^^"), + field("p0"), + ], + }), +])); + +var hdr75 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(hfld7,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" +match("HEADER#74:0043", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld7}^^%{messageid}^^%{p0}", processor_chain([ + setc("header_id","0043"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant("^^"), + field("hfld3"), + constant("^^"), + field("hfld4"), + constant("^^"), + field("hfld7"), + constant("^^"), + field("messageid"), + constant("^^"), + field("p0"), + ], + }), +])); + +var hdr76 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(hfld5,false), Constant('^^'), Field(hfld6,false), Constant('^^'), Field(hfld7,false), Constant('^^'), Field(hfld8,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" +match("HEADER#75:0039", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld5}^^%{hfld6}^^%{hfld7}^^%{hfld8}^^%{messageid}^^%{p0}", processor_chain([ + setc("header_id","0039"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant("^^"), + field("hfld3"), + constant("^^"), + field("hfld4"), + constant("^^"), + field("hfld5"), + constant("^^"), + field("hfld6"), + constant("^^"), + field("hfld7"), + constant("^^"), + field("hfld8"), + constant("^^"), + field("messageid"), + constant("^^"), + field("p0"), + ], + }), +])); + +var hdr77 = // "Pattern{Constant('%SymantecEP-'), Field(hfld1,false), Constant(': '), Field(hfld2,false), Constant('^^'), Field(hfld3,false), Constant('^^'), Field(hfld4,false), Constant('^^'), Field(hfld7,false), Constant('^^'), Field(hfld8,false), Constant('^^'), Field(messageid,false), Constant('^^'), Field(p0,false)}" +match("HEADER#76:0044", "message", "%SymantecEP-%{hfld1}: %{hfld2}^^%{hfld3}^^%{hfld4}^^%{hfld7}^^%{hfld8}^^%{messageid}^^%{p0}", processor_chain([ + setc("header_id","0044"), + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hfld2"), + constant("^^"), + field("hfld3"), + constant("^^"), + field("hfld4"), + constant("^^"), + field("hfld7"), + constant("^^"), + field("hfld8"), + constant("^^"), + field("messageid"), + constant("^^"), + field("p0"), + ], + }), +])); + +var hdr78 = // "Pattern{Constant('%NICWIN-4-'), Field(msgIdPart1,false), Constant('_'), Field(msgIdPart2,false), Constant('_Symantec: '), Field(payload,false)}" +match("HEADER#77:0045", "message", "%NICWIN-4-%{msgIdPart1}_%{msgIdPart2}_Symantec: %{payload}", processor_chain([ + setc("header_id","0045"), + call({ + dest: "nwparser.messageid", + fn: STRCAT, + args: [ + field("msgIdPart1"), + constant("_"), + field("msgIdPart2"), + ], + }), +])); + +var hdr79 = // "Pattern{Constant('%NICWIN-4-'), Field(messageid,false), Constant('_'), Field(hfld2,false), Constant('_Symantec AntiVirus: '), Field(payload,false)}" +match("HEADER#78:0046", "message", "%NICWIN-4-%{messageid}_%{hfld2}_Symantec AntiVirus: %{payload}", processor_chain([ + setc("header_id","0046"), +])); + +var select2 = linear_select([ + all1, + hdr2, + hdr3, + hdr4, + hdr5, + hdr6, + hdr7, + hdr8, + hdr9, + hdr10, + hdr11, + hdr12, + hdr13, + hdr14, + hdr15, + hdr16, + hdr17, + hdr18, + hdr19, + hdr20, + hdr21, + hdr22, + hdr23, + hdr24, + hdr25, + hdr26, + hdr27, + hdr28, + hdr29, + hdr30, + hdr31, + hdr32, + hdr33, + hdr34, + hdr35, + hdr36, + hdr37, + hdr38, + hdr39, + hdr40, + hdr41, + hdr42, + hdr43, + hdr44, + hdr45, + hdr46, + hdr47, + hdr48, + hdr49, + hdr50, + hdr51, + hdr52, + hdr53, + hdr54, + hdr55, + hdr56, + hdr57, + hdr58, + hdr59, + hdr60, + hdr61, + hdr62, + hdr63, + hdr64, + hdr65, + hdr66, + hdr67, + hdr68, + hdr69, + hdr70, + hdr71, + hdr72, + hdr73, + hdr74, + hdr75, + hdr76, + hdr77, + hdr78, + hdr79, +]); + +var part6 = // "Pattern{Constant('Active Response that started at '), Field(fld1,true), Constant(' is disengaged. The traffic from IP address '), Field(hostip,true), Constant(' was blocked for '), Field(fld2,true), Constant(' second(s).,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(','), Field(direction,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(p0,false)}" +match("MESSAGE#0:Active/0", "nwparser.payload", "Active Response that started at %{fld1->} is disengaged. The traffic from IP address %{hostip->} was blocked for %{fld2->} second(s).,Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},%{direction},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); + +var all2 = all_match({ + processors: [ + part6, + dup311, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + dup18, + dup19, + ]), +}); + +var msg1 = msg("Active", all2); + +var part7 = // "Pattern{Constant('Active Response that started at '), Field(fld1,true), Constant(' is disengaged. The traffic from IP address '), Field(hostip,true), Constant(' was blocked for '), Field(duration,true), Constant(' second(s). ,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(','), Field(direction,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(p0,false)}" +match("MESSAGE#1:Active:01/0", "nwparser.payload", "Active Response that started at %{fld1->} is disengaged. The traffic from IP address %{hostip->} was blocked for %{duration->} second(s). ,Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},%{direction},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); + +var all3 = all_match({ + processors: [ + part7, + dup311, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + dup18, + dup19, + ]), +}); + +var msg2 = msg("Active:01", all3); + +var select3 = linear_select([ + msg1, + msg2, +]); + +var part8 = // "Pattern{Constant('Administrator logout'), Field(,false)}" +match("MESSAGE#2:Administrator", "nwparser.payload", "Administrator logout%{}", processor_chain([ + setc("eventcategory","1401070000"), + dup12, + dup13, + dup20, + setc("ec_activity","Logoff"), + dup21, + dup22, + dup14, + dup15, + dup23, + setc("event_description","Administrator logout."), +])); + +var msg3 = msg("Administrator", part8); + +var part9 = // "Pattern{Constant('Administrator'), Field(space,false), Constant('log on failed')}" +match("MESSAGE#3:Administrator:01", "nwparser.payload", "Administrator%{space}log on failed", processor_chain([ + setc("eventcategory","1401030000"), + dup12, + dup13, + dup20, + dup24, + dup21, + dup25, + dup14, + dup15, + dup23, + setc("event_description","Administrator log on failed."), +])); + +var msg4 = msg("Administrator:01", part9); + +var part10 = // "Pattern{Constant('Administrator'), Field(space,false), Constant('log on succeeded')}" +match("MESSAGE#4:Administrator:02", "nwparser.payload", "Administrator%{space}log on succeeded", processor_chain([ + setc("eventcategory","1401060000"), + dup12, + dup13, + dup20, + dup24, + dup21, + dup22, + dup14, + dup15, + dup23, + setc("event_description","Administrator log on succeeded."), +])); + +var msg5 = msg("Administrator:02", part10); + +var select4 = linear_select([ + msg3, + msg4, + msg5, +]); + +var part11 = // "Pattern{Constant('password of System administrator ''), Field(username,false), Constant('' has been changed.')}" +match("MESSAGE#5:Administrator:03", "nwparser.payload", "password of System administrator '%{username}' has been changed.", processor_chain([ + dup26, + dup12, + dup13, + dup20, + dup27, + dup28, + dup22, + dup14, + dup15, + dup23, + dup29, +])); + +var msg6 = msg("Administrator:03", part11); + +var part12 = // "Pattern{Constant('password of administrator "'), Field(c_username,false), Constant('" was changed')}" +match("MESSAGE#290:password", "nwparser.payload", "password of administrator \"%{c_username}\" was changed", processor_chain([ + dup26, + dup12, + dup13, + dup20, + dup30, + dup31, + dup22, + dup14, + dup15, + setc("event_description","Password of administrator changed."), + dup23, +])); + +var msg7 = msg("password", part12); + +var part13 = // "Pattern{Constant('password of System administrator "'), Field(c_username,false), Constant('" has been changed')}" +match("MESSAGE#291:password:01", "nwparser.payload", "password of System administrator \"%{c_username}\" has been changed", processor_chain([ + dup26, + dup12, + dup13, + dup20, + dup30, + dup31, + dup22, + dup14, + dup15, + dup29, + dup23, +])); + +var msg8 = msg("password:01", part13); + +var select5 = linear_select([ + msg6, + msg7, + msg8, +]); + +var part14 = // "Pattern{Field(fld6,true), Constant(' detected. Traffic has been allowed from this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID:'), Field(fld23,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#6:allowed", "nwparser.payload", "%{fld6->} detected. Traffic has been allowed from this application: %{fld1},Local: %{daddr},Local: %{fld7},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ + dup32, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + dup33, + dup19, + dup34, +])); + +var msg9 = msg("allowed", part14); + +var part15 = // "Pattern{Field(fld6,true), Constant(' detected. Traffic has been allowed from this application: '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID:'), Field(fld23,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#7:allowed:11", "nwparser.payload", "%{fld6->} detected. Traffic has been allowed from this application: %{fld1},Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ + dup32, + dup12, + dup13, + dup14, + dup15, + dup16, + dup17, + dup33, + dup19, + dup35, +])); + +var msg10 = msg("allowed:11", part15); + +var select6 = linear_select([ + msg9, + msg10, +]); + +var part16 = // "Pattern{Constant('Malicious Site: Malicious Web Site, Domain, or URL ('), Field(fld11,false), Constant(') attack blocked. Traffic has been blocked for this application: '), Field(fld12,false), Constant('",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID:'), Field(fld23,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld39,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',!ExternalLoggingTask.localport! '), Field(dport,false), Constant(',!ExternalLoggingTask.remoteport! '), Field(sport,false), Constant(',!ExternalLoggingTask.cidssignid! '), Field(sigid,false), Constant(',"!ExternalLoggingTask.strcidssignid! '), Field(sigid_string,false), Constant('",!ExternalLoggingTask.cidssignsubid! '), Field(sigid1,false), Constant(',!ExternalLoggingTask.intrusionurl! '), Field(url,false), Constant(',!ExternalLoggingTask.intrusionpayloadurl! '), Field(fld33,false)}" +match("MESSAGE#8:Malicious", "nwparser.payload", "Malicious Site: Malicious Web Site, Domain, or URL (%{fld11}) attack blocked. Traffic has been blocked for this application: %{fld12}\",Local: %{daddr},Local: %{fld7},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld39},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{dport},!ExternalLoggingTask.remoteport! %{sport},!ExternalLoggingTask.cidssignid! %{sigid},\"!ExternalLoggingTask.strcidssignid! %{sigid_string}\",!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld33}", processor_chain([ + dup36, + dup12, + dup13, + dup37, + dup38, + dup14, + dup15, + dup16, + dup17, + dup39, + dup19, + dup34, +])); + +var msg11 = msg("Malicious", part16); + +var part17 = // "Pattern{Constant('Malicious Site: Malicious Web Site, Domain, or URL ('), Field(fld11,false), Constant(') attack blocked. Traffic has been blocked for this application: '), Field(fld12,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID:'), Field(fld23,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld39,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',!ExternalLoggingTask.localport! '), Field(sport,false), Constant(',!ExternalLoggingTask.remoteport! '), Field(dport,false), Constant(',!ExternalLoggingTask.cidssignid! '), Field(sigid,false), Constant(',"!ExternalLoggingTask.strcidssignid! '), Field(sigid_string,false), Constant('",!ExternalLoggingTask.cidssignsubid! '), Field(sigid1,false), Constant(',!ExternalLoggingTask.intrusionurl! '), Field(url,false), Constant(',!ExternalLoggingTask.intrusionpayloadurl! '), Field(fld33,false)}" +match("MESSAGE#9:Malicious:01", "nwparser.payload", "Malicious Site: Malicious Web Site, Domain, or URL (%{fld11}) attack blocked. Traffic has been blocked for this application: %{fld12}\",Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID:%{fld23},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld39},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{sport},!ExternalLoggingTask.remoteport! %{dport},!ExternalLoggingTask.cidssignid! %{sigid},\"!ExternalLoggingTask.strcidssignid! %{sigid_string}\",!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld33}", processor_chain([ + dup36, + dup12, + dup13, + dup37, + dup38, + dup14, + dup15, + dup16, + dup17, + dup39, + dup19, + dup35, +])); + +var msg12 = msg("Malicious:01", part17); + +var part18 = // "Pattern{Constant('Malicious Site: Malicious Web Site, Domain, or URL ('), Field(fld11,false), Constant(') attack blocked. Traffic has been blocked for this application: '), Field(fld12,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld7,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(p0,false)}" +match("MESSAGE#10:Malicious:02/0", "nwparser.payload", "Malicious Site: Malicious Web Site, Domain, or URL (%{fld11}) attack blocked. Traffic has been blocked for this application: %{fld12}\",Local: %{saddr},Local: %{fld7},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Inbound,%{p0}"); + +var part19 = // "Pattern{Field(protocol,false), Constant(',Intrusion ID:'), Field(fld23,false), Constant(',Begin: '), Field(p0,false)}" +match("MESSAGE#10:Malicious:02/1_0", "nwparser.p0", "%{protocol},Intrusion ID:%{fld23},Begin: %{p0}"); + +var part20 = // "Pattern{Field(protocol,false), Constant(',Begin: '), Field(p0,false)}" +match("MESSAGE#10:Malicious:02/1_1", "nwparser.p0", "%{protocol},Begin: %{p0}"); + +var select7 = linear_select([ + part19, + part20, +]); + +var part21 = // "Pattern{Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld39,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',"CIDS Signature string: '), Field(sigid_string,false), Constant('",CIDS Signature SubID: '), Field(fld29,false), Constant(',Intrusion URL:'), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#10:Malicious:02/2", "nwparser.p0", "%{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld39},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},\"CIDS Signature string: %{sigid_string}\",CIDS Signature SubID: %{fld29},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}"); + +var all4 = all_match({ + processors: [ + part18, + select7, + part21, + ], + on_success: processor_chain([ + dup36, + dup12, + dup13, + dup40, + dup41, + dup42, + dup15, + dup19, + dup34, + setc("event_description","Malicious Site: Malicious Web Site, Domain, or URL attcak blocked"), + ]), +}); + +var msg13 = msg("Malicious:02", all4); + +var select8 = linear_select([ + msg11, + msg12, + msg13, +]); + +var part22 = // "Pattern{Field(product,true), Constant(' definitions '), Field(info,true), Constant(' failed to update.')}" +match("MESSAGE#11:Antivirus", "nwparser.payload", "%{product->} definitions %{info->} failed to update.", processor_chain([ + dup43, + dup12, + dup13, + dup44, + dup45, + dup30, + dup25, + dup14, + dup15, + setc("event_description","Product definition failed to update."), +])); + +var msg14 = msg("Antivirus", part22); + +var part23 = // "Pattern{Field(product,true), Constant(' definitions '), Field(info,true), Constant(' is up-to-date.')}" +match("MESSAGE#12:Antivirus:01", "nwparser.payload", "%{product->} definitions %{info->} is up-to-date.", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Product definitions are up-to-date."), +])); + +var msg15 = msg("Antivirus:01", part23); + +var part24 = // "Pattern{Field(product,true), Constant(' definitions '), Field(info,true), Constant(' was successfully updated.')}" +match("MESSAGE#13:Antivirus:02", "nwparser.payload", "%{product->} definitions %{info->} was successfully updated.", processor_chain([ + dup43, + dup44, + dup45, + dup30, + dup22, + dup15, + setc("event_description","Product definitions was successfully updated."), +])); + +var msg16 = msg("Antivirus:02", part24); + +var select9 = linear_select([ + msg14, + msg15, + msg16, +]); + +var part25 = // "Pattern{Field(event_description,false), Constant('",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',1,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(p0,false)}" +match("MESSAGE#14:Somebody/0", "nwparser.payload", "%{event_description}\",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},1,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); + +var all5 = all_match({ + processors: [ + part25, + dup311, + ], + on_success: processor_chain([ + dup46, + dup12, + dup13, + dup16, + dup17, + dup15, + dup47, + dup48, + dup312, + dup14, + ]), +}); + +var msg17 = msg("Somebody", all5); + +var part26 = // "Pattern{Field(event_description,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',0,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(p0,false)}" +match("MESSAGE#15:Somebody:01/0", "nwparser.payload", "%{event_description}\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},0,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); + +var all6 = all_match({ + processors: [ + part26, + dup313, + ], + on_success: processor_chain([ + dup46, + dup12, + dup13, + dup16, + dup17, + dup15, + dup47, + dup51, + dup312, + dup14, + ]), +}); + +var msg18 = msg("Somebody:01", all6); + +var part27 = // "Pattern{Field(event_description,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',2,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(p0,false)}" +match("MESSAGE#16:Somebody:02/0", "nwparser.payload", "%{event_description}\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},2,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username}, Domain: %{p0}"); + +var all7 = all_match({ + processors: [ + part27, + dup313, + ], + on_success: processor_chain([ + dup46, + dup12, + dup13, + dup16, + dup17, + dup15, + dup47, + dup52, + dup312, + dup14, + ]), +}); + +var msg19 = msg("Somebody:02", all7); + +var select10 = linear_select([ + msg17, + msg18, + msg19, +]); + +var part28 = // "Pattern{Field(fld44,false), Constant(',Application and Device Control is ready,'), Field(fld8,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(p0,false)}" +match("MESSAGE#17:Application/0", "nwparser.payload", "%{fld44},Application and Device Control is ready,%{fld8},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{fld4},%{fld5},%{fld6},%{fld7},User: %{username},Domain: %{p0}"); + +var part29 = // "Pattern{Field(domain,false), Constant(',Action Type:'), Field(fld46,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" +match("MESSAGE#17:Application/1_0", "nwparser.p0", "%{domain},Action Type:%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); + +var select11 = linear_select([ + part29, + dup10, +]); + +var all8 = all_match({ + processors: [ + part28, + select11, + ], + on_success: processor_chain([ + dup53, + dup12, + dup13, + dup41, + dup42, + dup15, + dup54, + ]), +}); + +var msg20 = msg("Application", all8); + +var part30 = // "Pattern{Field(fld44,false), Constant(',Application and Device Control engine is not verified,'), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#18:Application:01", "nwparser.payload", "%{fld44},Application and Device Control engine is not verified,%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{fld4},%{fld5},%{fld6},%{fld7},User: %{username},Domain: %{domain}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + setc("event_description","Application and Device Control engine is not verified."), +])); + +var msg21 = msg("Application:01", part30); + +var part31 = // "Pattern{Field(fld44,false), Constant('Blocked,['), Field(fld5,false), Constant('] '), Field(event_description,true), Constant(' - Caller MD5='), Field(fld6,false), Constant(',Create Process,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld45,false)}" +match("MESSAGE#19:Application:02", "nwparser.payload", "%{fld44}Blocked,[%{fld5}] %{event_description->} - Caller MD5=%{fld6},Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld45}", processor_chain([ + dup53, + dup12, + dup13, + dup37, + dup14, + dup41, + dup42, + dup15, +])); + +var msg22 = msg("Application:02", part31); + +var part32 = // "Pattern{Constant('Application,rn='), Field(fld1,true), Constant(' cid='), Field(fld2,true), Constant(' eid='), Field(fld3,false), Constant(','), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(','), Field(fld6,false), Constant(',Symantec AntiVirus,'), Field(hostname,false), Constant(',Classic,'), Field(shost,false), Constant(','), Field(event_description,false), Constant(',, Scan Complete: Risks: '), Field(fld7,true), Constant(' Scanned: '), Field(fld8,true), Constant(' Omitted: '), Field(fld9,true), Constant(' Trusted Files Skipped: '), Field(fld10,false)}" +match("MESSAGE#683:Application:03", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,%{hostname},Classic,%{shost},%{event_description},, Scan Complete: Risks: %{fld7->} Scanned: %{fld8->} Omitted: %{fld9->} Trusted Files Skipped: %{fld10}", processor_chain([ + dup43, + dup15, + dup55, +])); + +var msg23 = msg("Application:03", part32); + +var part33 = // "Pattern{Constant('Application,rn='), Field(fld1,true), Constant(' cid='), Field(fld2,true), Constant(' eid='), Field(fld3,false), Constant(','), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(','), Field(fld6,false), Constant(',Symantec AntiVirus,'), Field(hostname,false), Constant(',Classic,'), Field(shost,false), Constant(','), Field(event_description,false), Constant(',, '), Field(info,false), Constant('.')}" +match("MESSAGE#684:Application:04", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,%{hostname},Classic,%{shost},%{event_description},, %{info}.", processor_chain([ + dup43, + dup15, + dup55, +])); + +var msg24 = msg("Application:04", part33); + +var part34 = // "Pattern{Constant('Application,rn='), Field(fld1,true), Constant(' cid='), Field(fld2,true), Constant(' eid='), Field(fld3,false), Constant(','), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(','), Field(fld6,false), Constant(',Symantec AntiVirus,'), Field(hostname,false), Constant(',Classic,'), Field(shost,false), Constant(','), Field(fld22,false), Constant(',,'), Field(space,false), Constant('Proactive Threat Protection has been disabled')}" +match("MESSAGE#685:Application:05", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,%{hostname},Classic,%{shost},%{fld22},,%{space}Proactive Threat Protection has been disabled", processor_chain([ + dup43, + dup56, + dup15, + dup57, + dup55, +])); + +var msg25 = msg("Application:05", part34); + +var select12 = linear_select([ + msg20, + msg21, + msg22, + msg23, + msg24, + msg25, +]); + +var part35 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',"Application has changed since the last time you opened it, process id:'), Field(process_id,true), Constant(' Filename: '), Field(fld8,true), Constant(' The change was denied by user.",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld11,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#20:Application:07", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},\"Application has changed since the last time you opened it, process id:%{process_id->} Filename: %{fld8->} The change was denied by user.\",Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld11},Inbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ + dup53, + dup34, + dup58, + dup12, + dup13, + dup41, + dup42, + dup15, + dup54, + dup47, +])); + +var msg26 = msg("Application:07", part35); + +var part36 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',"Application has changed since the last time you opened it, process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' '), Field(fld1,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" +match("MESSAGE#27:Application:06/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},\"Application has changed since the last time you opened it, process id: %{process_id->} Filename: %{filename->} %{fld1}\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); + +var all9 = all_match({ + processors: [ + part36, + dup314, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup35, + dup58, + ]), +}); + +var msg27 = msg("Application:06", all9); + +var part37 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',REMEDIATION WAS NEEDED - '), Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Unknown,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" +match("MESSAGE#28:REMEDIATION/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},REMEDIATION WAS NEEDED - %{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Unknown,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); + +var all10 = all_match({ + processors: [ + part37, + dup314, + ], + on_success: processor_chain([ + dup53, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + ]), +}); + +var msg28 = msg("REMEDIATION", all10); + +var part38 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" +match("MESSAGE#29:blocked:06/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); + +var all11 = all_match({ + processors: [ + part38, + dup314, + ], + on_success: processor_chain([ + dup32, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup62, + dup19, + dup34, + ]), +}); + +var msg29 = msg("blocked:06", all11); + +var part39 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" +match("MESSAGE#30:blocked:16/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); + +var all12 = all_match({ + processors: [ + part39, + dup314, + ], + on_success: processor_chain([ + dup32, + dup12, + dup13, + dup16, + dup17, + dup15, + dup62, + dup19, + dup35, + dup40, + ]), +}); + +var msg30 = msg("blocked:16", all12); + +var part40 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,"Somebody is scanning your computer. Your computer's TCP ports: '), Field(fld60,false), Constant(', '), Field(fld61,false), Constant(', '), Field(fld62,false), Constant(', '), Field(fld63,true), Constant(' and '), Field(fld64,true), Constant(' have been scanned from '), Field(fld65,false), Constant('.",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#31:scanning:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,\"Somebody is scanning your computer. Your computer's TCP ports: %{fld60}, %{fld61}, %{fld62}, %{fld63->} and %{fld64->} have been scanned from %{fld65}.\",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all13 = all_match({ + processors: [ + part40, + dup315, + ], + on_success: processor_chain([ + dup65, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup66, + dup35, + ]), +}); + +var msg31 = msg("scanning:01", all13); + +var part41 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,"Somebody is scanning your computer. Your computer's TCP ports: '), Field(fld60,false), Constant(', '), Field(fld61,false), Constant(', '), Field(fld62,false), Constant(', '), Field(fld63,true), Constant(' and '), Field(fld64,true), Constant(' have been scanned from '), Field(fld65,false), Constant('.",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#32:scanning/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,\"Somebody is scanning your computer. Your computer's TCP ports: %{fld60}, %{fld61}, %{fld62}, %{fld63->} and %{fld64->} have been scanned from %{fld65}.\",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all14 = all_match({ + processors: [ + part41, + dup315, + ], + on_success: processor_chain([ + dup65, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup66, + dup34, + ]), +}); + +var msg32 = msg("scanning", all14); + +var part42 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Informational: File Download Hash,Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(','), Field(p0,false)}" +match("MESSAGE#33:Informational/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,Informational: File Download Hash,Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},%{p0}"); + +var part43 = // "Pattern{Constant(' Domain: '), Field(p0,false)}" +match("MESSAGE#33:Informational/1_0", "nwparser.p0", " Domain: %{p0}"); + +var select13 = linear_select([ + part43, + dup67, +]); + +var part44 = // "Pattern{Field(,true), Constant(' '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#33:Informational/2", "nwparser.p0", "%{} %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all15 = all_match({ + processors: [ + part42, + select13, + part44, + dup315, + ], + on_success: processor_chain([ + dup53, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup68, + dup34, + ]), +}); + +var msg33 = msg("Informational", all15); + +var part45 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Informational: File Download Hash,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#34:Informational:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,Informational: File Download Hash,Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all16 = all_match({ + processors: [ + part45, + dup315, + ], + on_success: processor_chain([ + dup53, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup68, + dup35, + ]), +}); + +var msg34 = msg("Informational:01", all16); + +var part46 = // "Pattern{Field(shost,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',CCD Notification: REMEDIATION NOT REQUIRED,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote:'), Field(fld2,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application:'), Field(fld6,false), Constant(',Location: '), Field(fld7,false), Constant(',User: '), Field(username,false), Constant(', Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string:'), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(url,false), Constant(',Intrusion Payload URL:')}" +match("MESSAGE#35:SHA-256::01", "nwparser.payload", "%{shost}, SHA-256:%{checksum},MD-5:%{checksum},CCD Notification: REMEDIATION NOT REQUIRED,Local: %{saddr},Local: %{fld1},Remote:%{fld2},Remote: %{daddr},Remote: %{fld3},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application:%{fld6},Location: %{fld7},User: %{username}, Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string:%{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:", processor_chain([ + dup53, + dup12, + dup13, + dup40, + dup41, + dup42, + dup15, + dup19, + setc("event_description","CCD Notification: REMEDIATION NOT REQUIRED"), + setc("direction","Unknown"), +])); + +var msg35 = msg("SHA-256::01", part46); + +var part47 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Web Attack : Malvertisement Website Redirect '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#36:Web_Attack/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack : Malvertisement Website Redirect %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all17 = all_match({ + processors: [ + part47, + dup315, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup70, + dup34, + ]), +}); + +var msg36 = msg("Web_Attack", all17); + +var part48 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Web Attack: Fake Flash Player Download '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#37:Web_Attack:13/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack: Fake Flash Player Download %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all18 = all_match({ + processors: [ + part48, + dup315, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + setc("event_description","Web Attack : Fake Flash Player Download"), + dup34, + ]), +}); + +var msg37 = msg("Web_Attack:13", all18); + +var part49 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] Web Attack'), Field(p0,false)}" +match("MESSAGE#38:Web_Attack:16/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] Web Attack%{p0}"); + +var part50 = // "Pattern{Constant(' : '), Field(p0,false)}" +match("MESSAGE#38:Web_Attack:16/1_0", "nwparser.p0", " : %{p0}"); + +var select14 = linear_select([ + part50, + dup71, +]); + +var part51 = // "Pattern{Field(,false), Constant('JSCoinminer Download '), Field(fld21,true), Constant(' attack blocked. Traffic has been blocked for this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#38:Web_Attack:16/2", "nwparser.p0", "%{}JSCoinminer Download %{fld21->} attack blocked. Traffic has been blocked for this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,OTHERS,,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}"); + +var all19 = all_match({ + processors: [ + part49, + select14, + part51, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + setc("event_description","JSCoinminer Download attack blocked."), + dup34, + ]), +}); + +var msg38 = msg("Web_Attack:16", all19); + +var part52 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,[SID: '), Field(fld26,false), Constant('] Web Attack: Apache Struts2 devMode OGNL Execution attack detected but not blocked. '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#39:Web_Attack:03", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum->} ,[SID: %{fld26}] Web Attack: Apache Struts2 devMode OGNL Execution attack detected but not blocked. %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}", processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + setc("event_description","Web Attack: Apache Struts2 devMode OGNL Execution attack detected but not blocked."), + dup35, +])); + +var msg39 = msg("Web_Attack:03", part52); + +var part53 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] Web Attack : Malvertisement Website Redirect '), Field(fld2,true), Constant(' attack blocked. Traffic has been blocked for this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#40:Web_Attack:15", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] Web Attack : Malvertisement Website Redirect %{fld2->} attack blocked. Traffic has been blocked for this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,OTHERS,,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}", processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + setc("event_description","Malvertisement Website Redirect "), + dup34, +])); + +var msg40 = msg("Web_Attack:15", part53); + +var part54 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Web Attack : Malvertisement Website Redirect '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#41:Web_Attack:11/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack : Malvertisement Website Redirect %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all20 = all_match({ + processors: [ + part54, + dup315, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup70, + dup35, + ]), +}); + +var msg41 = msg("Web_Attack:11", all20); + +var part55 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Web Attack: Mass Injection Website '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#42:Web_Attack:01/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack: Mass Injection Website %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all21 = all_match({ + processors: [ + part55, + dup315, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup72, + dup34, + ]), +}); + +var msg42 = msg("Web_Attack:01", all21); + +var part56 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Web Attack: Mass Injection Website '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#43:Web_Attack:12/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Web Attack: Mass Injection Website %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all22 = all_match({ + processors: [ + part56, + dup315, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup72, + dup35, + ]), +}); + +var msg43 = msg("Web_Attack:12", all22); + +var part57 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Web Attack: Mass Injection Website '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#44:Web_Attack:14/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack: Mass Injection Website %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all23 = all_match({ + processors: [ + part57, + dup315, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + setc("event_description","Web Attack : Mass Injection Website"), + dup34, + ]), +}); + +var msg44 = msg("Web_Attack:14", all23); + +var part58 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Web Attack : Malvertisement Website Redirect '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#45:Web_Attack:17/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack : Malvertisement Website Redirect %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all24 = all_match({ + processors: [ + part58, + dup315, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + setc("event_description","Web Attack: Malvertisement Website Redirect."), + dup34, + ]), +}); + +var msg45 = msg("Web_Attack:17", all24); + +var part59 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Web Attack: Fake Tech Support Website '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#46:Web_Attack:18/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Web Attack: Fake Tech Support Website %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all25 = all_match({ + processors: [ + part59, + dup315, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + setc("event_description","Web Attack: Fake Tech Support Website"), + dup34, + ]), +}); + +var msg46 = msg("Web_Attack:18", all25); + +var part60 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Fake App Attack: Misleading Application Website'), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#47:App_Attack/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum},Fake App Attack: Misleading Application Website%{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all26 = all_match({ + processors: [ + part60, + dup315, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup73, + dup35, + ]), +}); + +var msg47 = msg("App_Attack", all26); + +var part61 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Fake App Attack: Misleading Application Website'), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#48:App_Attack:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Fake App Attack: Misleading Application Website%{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all27 = all_match({ + processors: [ + part61, + dup315, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup73, + dup35, + ]), +}); + +var msg48 = msg("App_Attack:02", all27); + +var part62 = // "Pattern{Field(fld3,false), Constant(', SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,true), Constant(' ,Fake App Attack: Misleading Application Website'), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#49:App_Attack:01/0", "nwparser.payload", "%{fld3}, SHA-256:%{checksum},MD-5:%{checksum->} ,Fake App Attack: Misleading Application Website%{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all28 = all_match({ + processors: [ + part62, + dup315, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup73, + dup34, + ]), +}); + +var msg49 = msg("App_Attack:01", all28); + +var part63 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',The most recent Host Integrity content has not completed a download or cannot be authenticated.,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Unknown,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#50:Host_Integrity/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},The most recent Host Integrity content has not completed a download or cannot be authenticated.,Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Unknown,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all29 = all_match({ + processors: [ + part63, + dup315, + ], + on_success: processor_chain([ + dup74, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup75, + ]), +}); + +var msg50 = msg("Host_Integrity", all29); + +var part64 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',"'), Field(p0,false)}" +match("MESSAGE#307:process:12/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},\"%{p0}"); + +var part65 = // "Pattern{Field(event_description,false), Constant(', process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' The change was allowed by profile'), Field(fld6,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#307:process:12/2", "nwparser.p0", "%{event_description}, process id: %{process_id->} Filename: %{filename->} The change was allowed by profile%{fld6}\"%{p0}"); + +var all30 = all_match({ + processors: [ + part64, + dup316, + part65, + dup316, + dup78, + dup317, + dup81, + dup315, + ], + on_success: processor_chain([ + dup53, + dup12, + dup13, + dup16, + dup17, + dup15, + dup19, + dup34, + dup40, + ]), +}); + +var msg51 = msg("process:12", all30); + +var part66 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,false), Constant('attack detected but not blocked. Application path:'), Field(fld27,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#461:Audit:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}attack detected but not blocked. Application path:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all31 = all_match({ + processors: [ + part66, + dup315, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup82, + dup19, + dup34, + ]), +}); + +var msg52 = msg("Audit:01", all31); + +var part67 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,false), Constant('attack detected but not blocked. Application path:'), Field(fld27,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#462:Audit:11/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}attack detected but not blocked. Application path:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all32 = all_match({ + processors: [ + part67, + dup315, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup16, + dup17, + dup15, + dup82, + dup19, + dup35, + dup40, + ]), +}); + +var msg53 = msg("Audit:11", all32); + +var part68 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,false), Constant('. Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(','), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#463:Audit:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}. Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},%{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all33 = all_match({ + processors: [ + part68, + dup315, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup83, + dup19, + dup34, + ]), +}); + +var msg54 = msg("Audit:02", all33); + +var part69 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,false), Constant('. Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(','), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#464:Audit:12/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld26}] %{category}: %{event_description}. Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},%{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all34 = all_match({ + processors: [ + part69, + dup315, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup16, + dup17, + dup15, + dup83, + dup19, + dup35, + dup40, + ]), +}); + +var msg55 = msg("Audit:12", all34); + +var part70 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld111,false), Constant('] '), Field(category,false), Constant(':'), Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" +match("MESSAGE#507:Attack:03/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld111}] %{category}:%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); + +var all35 = all_match({ + processors: [ + part70, + dup314, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup34, + ]), +}); + +var msg56 = msg("Attack:03", all35); + +var part71 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',[SID: '), Field(fld111,false), Constant('] '), Field(category,false), Constant(':'), Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" +match("MESSAGE#508:Attack:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},[SID: %{fld111}] %{category}:%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); + +var all36 = all_match({ + processors: [ + part71, + dup314, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup35, + ]), +}); + +var msg57 = msg("Attack:02", all36); + +var part72 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Auto-Block Event,Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" +match("MESSAGE#710:Auto-block/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Auto-Block Event,Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); + +var all37 = all_match({ + processors: [ + part72, + dup314, + ], + on_success: processor_chain([ + dup53, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup34, + ]), +}); + +var msg58 = msg("Auto-block", all37); + +var part73 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Denial of Service 'Smurf' attack detected. Description: '), Field(info,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" +match("MESSAGE#711:Denial/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Denial of Service 'Smurf' attack detected. Description: %{info},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); + +var all38 = all_match({ + processors: [ + part73, + dup314, + ], + on_success: processor_chain([ + dup84, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup35, + dup85, + ]), +}); + +var msg59 = msg("Denial", all38); + +var part74 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Denial of Service 'Smurf' attack detected. Description: '), Field(info,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" +match("MESSAGE#712:Denial:01/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Denial of Service 'Smurf' attack detected. Description: %{info},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); + +var all39 = all_match({ + processors: [ + part74, + dup314, + ], + on_success: processor_chain([ + dup84, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup34, + dup85, + ]), +}); + +var msg60 = msg("Denial:01", all39); + +var part75 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','Denial of Service ''Smurf'' attack detected. Description: '), Field(info,false), Constant('',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" +match("MESSAGE#713:Denial:02/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Denial of Service ''Smurf'' attack detected. Description: %{info}',Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); + +var all40 = all_match({ + processors: [ + part75, + dup314, + ], + on_success: processor_chain([ + dup84, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup35, + dup85, + ]), +}); + +var msg61 = msg("Denial:02", all40); + +var part76 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','Denial of Service ''Smurf'' attack detected. Description: '), Field(info,false), Constant('',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" +match("MESSAGE#714:Denial:03/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Denial of Service ''Smurf'' attack detected. Description: %{info}',Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); + +var all41 = all_match({ + processors: [ + part76, + dup314, + ], + on_success: processor_chain([ + dup84, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup34, + dup85, + ]), +}); + +var msg62 = msg("Denial:03", all41); + +var part77 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','Host Integrity check passed'), Field(space,false), Constant('Requirement: '), Field(fld11,true), Constant(' passed ',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld41,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld55,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#715:Host:18", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Host Integrity check passed%{space}Requirement: %{fld11->} passed ',Local: %{saddr},Local: %{fld3},Remote: %{fld41},Remote: %{daddr},Remote: %{fld55},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ + dup86, + dup87, + dup12, + dup13, + dup22, + dup14, + dup15, + dup88, + dup19, +])); + +var msg63 = msg("Host:18", part77); + +var part78 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(','Host Integrity check failed Requirement: '''), Field(fld11,false), Constant(''' passed Requirement: '''), Field(fld12,false), Constant(''' failed ',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld41,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld55,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#716:Host:19", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},'Host Integrity check failed Requirement: ''%{fld11}'' passed Requirement: ''%{fld12}'' failed ',Local: %{saddr},Local: %{fld3},Remote: %{fld41},Remote: %{daddr},Remote: %{fld55},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ + dup86, + dup12, + dup13, + dup25, + dup14, + dup15, + dup89, + dup19, +])); + +var msg64 = msg("Host:19", part78); + +var part79 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',DLP version is latest,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld41,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld55,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#719:DLP_version", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},DLP version is latest,Local: %{saddr},Local: %{fld3},Remote: %{fld41},Remote: %{daddr},Remote: %{fld55},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ + dup53, + dup12, + dup13, + dup40, + dup41, + dup42, + dup15, + dup19, + dup34, + setc("event_description","DLP version is latest"), +])); + +var msg65 = msg("DLP_version", part79); + +var part80 = // "Pattern{Constant('SHA-256:'), Field(checksum,false), Constant(',MD-5:'), Field(checksum,false), Constant(',Brute force remote login,Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld27,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" +match("MESSAGE#720:Brute_force/0", "nwparser.payload", "SHA-256:%{checksum},MD-5:%{checksum},Brute force remote login,Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld27},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); + +var all42 = all_match({ + processors: [ + part80, + dup314, + ], + on_success: processor_chain([ + setc("eventcategory","1101010000"), + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup34, + setc("event_description","Brute force remote login"), + ]), +}); + +var msg66 = msg("Brute_force", all42); + +var select15 = linear_select([ + msg26, + msg27, + msg28, + msg29, + msg30, + msg31, + msg32, + msg33, + msg34, + msg35, + msg36, + msg37, + msg38, + msg39, + msg40, + msg41, + msg42, + msg43, + msg44, + msg45, + msg46, + msg47, + msg48, + msg49, + msg50, + msg51, + msg52, + msg53, + msg54, + msg55, + msg56, + msg57, + msg58, + msg59, + msg60, + msg61, + msg62, + msg63, + msg64, + msg65, + msg66, +]); + +var part81 = // "Pattern{Constant('Applied new policy with '), Field(info,false), Constant('successfully.'), Field(p0,false)}" +match("MESSAGE#21:Applied/0", "nwparser.payload", "Applied new policy with %{info}successfully.%{p0}"); + +var all43 = all_match({ + processors: [ + part81, + dup318, + ], + on_success: processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","Applied new policy successfully."), + ]), +}); + +var msg67 = msg("Applied", all43); + +var part82 = // "Pattern{Constant('Applied new profile with serial number '), Field(fld23,true), Constant(' successfully.')}" +match("MESSAGE#700:Smc:04", "nwparser.payload", "Applied new profile with serial number %{fld23->} successfully.", processor_chain([ + dup53, + dup94, + dup13, + dup14, + dup15, + setc("event_description","Applied new profile successfully."), +])); + +var msg68 = msg("Smc:04", part82); + +var select16 = linear_select([ + msg67, + msg68, +]); + +var part83 = // "Pattern{Constant('Add shared policy upon system install,LiveUpdate Settings policy'), Field(,false)}" +match("MESSAGE#22:Add", "nwparser.payload", "Add shared policy upon system install,LiveUpdate Settings policy%{}", processor_chain([ + dup95, + dup12, + dup13, + dup96, + dup97, + dup14, + dup15, + dup23, + setc("event_description","Add shared policy upon system install,LiveUpdate Settings policy."), +])); + +var msg69 = msg("Add", part83); + +var part84 = // "Pattern{Constant('System Infected: '), Field(threat_name,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld51,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#23:blocked:01/0", "nwparser.payload", "System Infected: %{threat_name->} detected. Traffic has been blocked from this application: %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld15},Remote: %{daddr},Remote: %{fld51},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); + +var part85 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#23:blocked:01/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); + +var all44 = all_match({ + processors: [ + part84, + dup319, + part85, + ], + on_success: processor_chain([ + dup32, + dup12, + dup13, + dup14, + dup16, + dup17, + dup15, + dup62, + dup19, + dup35, + ]), +}); + +var msg70 = msg("blocked:01", all44); + +var part86 = // "Pattern{Constant('System Infected: '), Field(threat_name,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld51,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#24:blocked:12/0", "nwparser.payload", "System Infected: %{threat_name->} detected. Traffic has been blocked from this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld51},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); + +var part87 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#24:blocked:12/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); + +var all45 = all_match({ + processors: [ + part86, + dup319, + part87, + ], + on_success: processor_chain([ + dup32, + dup12, + dup13, + dup14, + dup16, + dup17, + dup15, + dup62, + dup19, + dup34, + ]), +}); + +var msg71 = msg("blocked:12", all45); + +var part88 = // "Pattern{Field(fld28,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(fld51,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#25:blocked:05/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{daddr},Remote: %{fld15},Remote: %{fld51},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); + +var part89 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#25:blocked:05/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); + +var all46 = all_match({ + processors: [ + part88, + dup319, + part89, + ], + on_success: processor_chain([ + dup32, + dup12, + dup13, + dup14, + dup16, + dup17, + dup15, + dup62, + dup19, + dup35, + ]), +}); + +var msg72 = msg("blocked:05", all46); + +var part90 = // "Pattern{Field(fld28,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(fld51,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#26:blocked:15/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{saddr},Remote: %{fld15},Remote: %{fld51},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); + +var part91 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#26:blocked:15/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); + +var all47 = all_match({ + processors: [ + part90, + dup319, + part91, + ], + on_success: processor_chain([ + dup32, + dup12, + dup13, + dup14, + dup16, + dup17, + dup15, + dup62, + dup19, + dup34, + ]), +}); + +var msg73 = msg("blocked:15", all47); + +var part92 = // "Pattern{Field(fld28,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld51,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#52:blocked/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{saddr},Local: %{fld12},Remote: %{fld15},Remote: %{daddr},Remote: %{fld51},Outbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); + +var all48 = all_match({ + processors: [ + part92, + dup319, + dup100, + ], + on_success: processor_chain([ + dup32, + dup12, + dup13, + dup14, + dup16, + dup17, + dup15, + dup62, + dup19, + dup35, + ]), +}); + +var msg74 = msg("blocked", all48); + +var part93 = // "Pattern{Field(fld28,true), Constant(' detected. Traffic has been blocked from this application: '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld51,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld52,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#53:blocked:11/0", "nwparser.payload", "%{fld28->} detected. Traffic has been blocked from this application: %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld51},Inbound,%{protocol},Intrusion ID: %{fld52},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); + +var all49 = all_match({ + processors: [ + part93, + dup319, + dup100, + ], + on_success: processor_chain([ + dup32, + dup12, + dup13, + dup14, + dup16, + dup17, + dup15, + dup62, + dup19, + dup34, + ]), +}); + +var msg75 = msg("blocked:11", all49); + +var select17 = linear_select([ + msg70, + msg71, + msg72, + msg73, + msg74, + msg75, +]); + +var part94 = // "Pattern{Constant('The most recent Host Integrity content has not completed a download or cannot be authenticated.,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Unknown,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#51:Host_Integrity:01/0", "nwparser.payload", "The most recent Host Integrity content has not completed a download or cannot be authenticated.,Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Unknown,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all50 = all_match({ + processors: [ + part94, + dup315, + ], + on_success: processor_chain([ + dup74, + dup12, + dup13, + dup40, + dup16, + dup17, + dup15, + dup19, + dup75, + ]), +}); + +var msg76 = msg("Host_Integrity:01", all50); + +var part95 = // "Pattern{Field(,true), Constant(' '), Field(daddr,false), Constant(',Local: '), Field(dport,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(sport,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',Inbound,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Rule: '), Field(rulename,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action: '), Field(action,false)}" +match("MESSAGE#190:Local::01/1", "nwparser.p0", "%{} %{daddr},Local: %{dport},Local: %{fld12},Remote: %{saddr},Remote: %{fld13},Remote: %{sport},Remote: %{fld15},%{protocol},Inbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Rule: %{rulename},Location: %{fld11},User: %{username},Domain: %{domain},Action: %{action}"); + +var all51 = all_match({ + processors: [ + dup320, + part95, + ], + on_success: processor_chain([ + dup86, + dup12, + dup13, + dup15, + dup16, + dup17, + dup14, + dup103, + dup104, + dup34, + ]), +}); + +var msg77 = msg("Local::01", all51); + +var part96 = // "Pattern{Field(,true), Constant(' '), Field(saddr,false), Constant(',Local: '), Field(sport,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(dport,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',Outbound,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Rule: '), Field(rulename,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action: '), Field(action,false)}" +match("MESSAGE#191:Local::13/1", "nwparser.p0", "%{} %{saddr},Local: %{sport},Local: %{fld12},Remote: %{daddr},Remote: %{fld13},Remote: %{dport},Remote: %{fld15},%{protocol},Outbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Rule: %{rulename},Location: %{fld11},User: %{username},Domain: %{domain},Action: %{action}"); + +var all52 = all_match({ + processors: [ + dup320, + part96, + ], + on_success: processor_chain([ + dup86, + dup12, + dup13, + dup15, + dup16, + dup17, + dup14, + dup103, + dup104, + dup35, + ]), +}); + +var msg78 = msg("Local::13", all52); + +var part97 = // "Pattern{Constant('Local: '), Field(saddr,false), Constant(',Local: '), Field(sport,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(dport,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',Outbound,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(','), Field(p0,false)}" +match("MESSAGE#192:Local:/0", "nwparser.payload", "Local: %{saddr},Local: %{sport},Local: %{fld12},Remote: %{daddr},Remote: %{fld13},Remote: %{dport},Remote: %{fld15},%{protocol},Outbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},%{p0}"); + +var all53 = all_match({ + processors: [ + part97, + dup321, + dup107, + dup322, + ], + on_success: processor_chain([ + dup86, + dup12, + dup13, + dup15, + dup16, + dup17, + dup14, + dup103, + dup104, + dup35, + ]), +}); + +var msg79 = msg("Local:", all53); + +var part98 = // "Pattern{Constant('Local: '), Field(daddr,false), Constant(',Local: '), Field(dport,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(sport,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',Inbound,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(','), Field(p0,false)}" +match("MESSAGE#193:Local:11/0", "nwparser.payload", "Local: %{daddr},Local: %{dport},Local: %{fld12},Remote: %{saddr},Remote: %{fld13},Remote: %{sport},Remote: %{fld15},%{protocol},Inbound,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},%{p0}"); + +var all54 = all_match({ + processors: [ + part98, + dup321, + dup107, + dup322, + ], + on_success: processor_chain([ + dup86, + dup12, + dup13, + dup15, + dup16, + dup17, + dup14, + dup103, + dup104, + dup34, + ]), +}); + +var msg80 = msg("Local:11", all54); + +var part99 = // "Pattern{Constant('[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,true), Constant(' CVE-'), Field(cve,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#194:Local::09", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string->} CVE-%{cve},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ + dup110, + dup12, + dup13, + dup15, + dup16, + dup17, + dup14, + dup104, + dup111, + dup34, +])); + +var msg81 = msg("Local::09", part99); + +var part100 = // "Pattern{Constant('[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,true), Constant(' CVE-'), Field(cve,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#195:Local::20", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string->} CVE-%{cve},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ + dup110, + dup12, + dup13, + dup15, + dup16, + dup17, + dup14, + dup104, + dup111, + dup35, +])); + +var msg82 = msg("Local::20", part100); + +var part101 = // "Pattern{Constant('[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#196:Local::08", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ + dup110, + dup12, + dup13, + dup15, + dup16, + dup17, + dup14, + dup104, + dup34, +])); + +var msg83 = msg("Local::08", part101); + +var part102 = // "Pattern{Constant('[SID: '), Field(fld26,false), Constant('] '), Field(category,false), Constant(': '), Field(event_description,true), Constant(' Traffic has been blocked for this application:'), Field(fld27,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#197:Local::18", "nwparser.payload", "[SID: %{fld26}] %{category}: %{event_description->} Traffic has been blocked for this application:%{fld27},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ + dup110, + dup12, + dup13, + dup15, + dup16, + dup17, + dup14, + dup104, + dup35, +])); + +var msg84 = msg("Local::18", part102); + +var part103 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" +match("MESSAGE#198:Local::04/0", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); + +var all55 = all_match({ + processors: [ + part103, + dup323, + dup114, + ], + on_success: processor_chain([ + dup110, + dup12, + dup13, + dup115, + dup116, + dup38, + dup15, + dup16, + dup17, + dup14, + dup104, + dup34, + ]), +}); + +var msg85 = msg("Local::04", all55); + +var part104 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(','), Field(p0,false)}" +match("MESSAGE#199:Local::17/0", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},%{p0}"); + +var all56 = all_match({ + processors: [ + part104, + dup323, + dup114, + ], + on_success: processor_chain([ + dup110, + dup12, + dup13, + dup115, + dup116, + dup38, + dup15, + dup16, + dup17, + dup14, + dup104, + dup35, + ]), +}); + +var msg86 = msg("Local::17", all56); + +var part105 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant('Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',!ExternalLoggingTask.localport! '), Field(dport,false), Constant(',!ExternalLoggingTask.remoteport! '), Field(sport,false), Constant(',!ExternalLoggingTask.cidssignid! '), Field(sigid,false), Constant(',!ExternalLoggingTask.strcidssignid! '), Field(sigid_string,false), Constant(',!ExternalLoggingTask.cidssignsubid! '), Field(sigid1,false), Constant(',!ExternalLoggingTask.intrusionurl! '), Field(url,false), Constant(',!ExternalLoggingTask.intrusionpayloadurl! '), Field(fld23,false)}" +match("MESSAGE#200:Local::06", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol}Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{dport},!ExternalLoggingTask.remoteport! %{sport},!ExternalLoggingTask.cidssignid! %{sigid},!ExternalLoggingTask.strcidssignid! %{sigid_string},!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld23}", processor_chain([ + dup86, + dup12, + dup13, + dup15, + dup16, + dup17, + dup14, + dup104, + dup34, +])); + +var msg87 = msg("Local::06", part105); + +var part106 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',!ExternalLoggingTask.localport! '), Field(sport,false), Constant(',!ExternalLoggingTask.remoteport! '), Field(dport,false), Constant(',!ExternalLoggingTask.cidssignid! '), Field(sigid,false), Constant(',!ExternalLoggingTask.strcidssignid! '), Field(sigid_string,false), Constant(',!ExternalLoggingTask.cidssignsubid! '), Field(sigid1,false), Constant(',!ExternalLoggingTask.intrusionurl! '), Field(url,false), Constant(',!ExternalLoggingTask.intrusionpayloadurl! '), Field(fld23,false)}" +match("MESSAGE#201:Local::16", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},!ExternalLoggingTask.localport! %{sport},!ExternalLoggingTask.remoteport! %{dport},!ExternalLoggingTask.cidssignid! %{sigid},!ExternalLoggingTask.strcidssignid! %{sigid_string},!ExternalLoggingTask.cidssignsubid! %{sigid1},!ExternalLoggingTask.intrusionurl! %{url},!ExternalLoggingTask.intrusionpayloadurl! %{fld23}", processor_chain([ + dup86, + dup12, + dup13, + dup15, + dup16, + dup17, + dup14, + dup104, + dup35, +])); + +var msg88 = msg("Local::16", part106); + +var part107 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',0,Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#202:Local::02", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},0,Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ + dup86, + dup12, + dup13, + dup15, + dup16, + dup17, + dup14, + dup104, + dup51, + dup312, +])); + +var msg89 = msg("Local::02", part107); + +var part108 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',1,Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#203:Local::22", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},%{protocol},1,Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ + dup86, + dup12, + dup13, + dup15, + dup16, + dup17, + dup14, + dup104, + dup48, + dup312, +])); + +var msg90 = msg("Local::22", part108); + +var part109 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(','), Field(protocol,false), Constant(',2,Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#204:Local::23", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},%{protocol},2,Intrusion ID: %{fld33},Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain}", processor_chain([ + dup86, + dup12, + dup13, + dup15, + dup16, + dup17, + dup14, + dup104, + dup52, + dup312, +])); + +var msg91 = msg("Local::23", part109); + +var part110 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(': '), Field(fld22,true), Constant(' CVE-'), Field(cve,true), Constant(' '), Field(fld26,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#205:Local::07/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string}: %{fld22->} CVE-%{cve->} %{fld26},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); + +var all57 = all_match({ + processors: [ + dup117, + dup319, + part110, + ], + on_success: processor_chain([ + dup110, + dup12, + dup13, + dup15, + dup16, + dup17, + dup14, + dup104, + dup34, + ]), +}); + +var msg92 = msg("Local::07", all57); + +var part111 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(': '), Field(fld22,true), Constant(' CVE-'), Field(cve,true), Constant(' '), Field(fld26,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#206:Local::19/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string}: %{fld22->} CVE-%{cve->} %{fld26},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); + +var all58 = all_match({ + processors: [ + dup118, + dup319, + part111, + ], + on_success: processor_chain([ + dup110, + dup12, + dup13, + dup15, + dup16, + dup17, + dup14, + dup104, + dup35, + ]), +}); + +var msg93 = msg("Local::19", all58); + +var part112 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#207:Local::05/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); + +var all59 = all_match({ + processors: [ + dup117, + dup319, + part112, + ], + on_success: processor_chain([ + dup110, + dup12, + dup13, + dup115, + dup116, + dup38, + dup15, + dup16, + dup17, + dup14, + dup104, + dup34, + ]), +}); + +var msg94 = msg("Local::05", all59); + +var part113 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#208:Local::15/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}"); + +var all60 = all_match({ + processors: [ + dup118, + dup319, + part113, + ], + on_success: processor_chain([ + dup110, + dup12, + dup13, + dup115, + dup116, + dup38, + dup15, + dup16, + dup17, + dup14, + dup104, + dup35, + ]), +}); + +var msg95 = msg("Local::15", all60); + +var all61 = all_match({ + processors: [ + dup117, + dup319, + dup119, + ], + on_success: processor_chain([ + dup110, + dup12, + dup13, + dup115, + dup116, + dup38, + dup15, + dup16, + dup17, + dup14, + dup104, + dup34, + ]), +}); + +var msg96 = msg("Local::03", all61); + +var all62 = all_match({ + processors: [ + dup118, + dup319, + dup119, + ], + on_success: processor_chain([ + dup110, + dup12, + dup13, + dup115, + dup116, + dup38, + dup15, + dup16, + dup17, + dup14, + dup104, + dup35, + ]), +}); + +var msg97 = msg("Local::14", all62); + +var part114 = // "Pattern{Constant('Local: '), Field(daddr,false), Constant(',Local: '), Field(dport,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(sport,false), Constant(',Inbound,Application: '), Field(application,false), Constant(',Action: '), Field(action,false)}" +match("MESSAGE#211:Local::10", "nwparser.payload", "Local: %{daddr},Local: %{dport},Remote: %{saddr},Remote: %{fld13},Remote: %{sport},Inbound,Application: %{application},Action: %{action}", processor_chain([ + dup86, + dup12, + dup13, + dup15, + dup40, + dup103, + dup34, +])); + +var msg98 = msg("Local::10", part114); + +var part115 = // "Pattern{Constant('Local: '), Field(saddr,false), Constant(',Local: '), Field(sport,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(dport,false), Constant(',Outbound,Application: '), Field(application,false), Constant(',Action: '), Field(action,false)}" +match("MESSAGE#212:Local::21", "nwparser.payload", "Local: %{saddr},Local: %{sport},Remote: %{daddr},Remote: %{fld13},Remote: %{dport},Outbound,Application: %{application},Action: %{action}", processor_chain([ + dup86, + dup12, + dup13, + dup15, + dup103, + dup35, + dup40, +])); + +var msg99 = msg("Local::21", part115); + +var part116 = // "Pattern{Constant('Event Description: '), Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local Host MAC: '), Field(dmacaddr,false), Constant(',Remote Host Name: '), Field(fld3,false), Constant(',Remote Host IP: '), Field(saddr,false), Constant(',Remote Host MAC: '), Field(smacaddr,false), Constant(',Inbound,'), Field(protocol,false), Constant(',Intrusion ID: 0,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port: '), Field(dport,false), Constant(',Remote Port: '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL: '), Field(fld12,false), Constant(',SHA-256: '), Field(checksum,false), Constant(',MD-5: '), Field(checksum,false)}" +match("MESSAGE#213:Local::24", "nwparser.payload", "Event Description: %{event_description},Local: %{daddr},Local Host MAC: %{dmacaddr},Remote Host Name: %{fld3},Remote Host IP: %{saddr},Remote Host MAC: %{smacaddr},Inbound,%{protocol},Intrusion ID: 0,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port: %{dport},Remote Port: %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL: %{fld12},SHA-256: %{checksum},MD-5: %{checksum}", processor_chain([ + dup120, + dup12, + dup13, + dup15, + dup34, + dup40, +])); + +var msg100 = msg("Local::24", part116); + +var part117 = // "Pattern{Constant('Event Description: '), Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local Host MAC: '), Field(smacaddr,false), Constant(',Remote Host Name: '), Field(fld3,false), Constant(',Remote Host IP: '), Field(daddr,false), Constant(',Remote Host MAC: '), Field(dmacaddr,false), Constant(',Outbound,'), Field(protocol,false), Constant(',Intrusion ID: 0,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port: '), Field(sport,false), Constant(',Remote Port: '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL: '), Field(fld12,false), Constant(',SHA-256: '), Field(checksum,false), Constant(',MD-5: '), Field(checksum,false)}" +match("MESSAGE#214:Local::25", "nwparser.payload", "Event Description: %{event_description},Local: %{saddr},Local Host MAC: %{smacaddr},Remote Host Name: %{fld3},Remote Host IP: %{daddr},Remote Host MAC: %{dmacaddr},Outbound,%{protocol},Intrusion ID: 0,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port: %{sport},Remote Port: %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL: %{fld12},SHA-256: %{checksum},MD-5: %{checksum}", processor_chain([ + dup36, + dup12, + dup13, + dup15, + dup35, + dup40, +])); + +var msg101 = msg("Local::25", part117); + +var part118 = // "Pattern{Constant('Event Description: '), Field(event_description,true), Constant(' [Volume]: '), Field(disk_volume,true), Constant(' [Model]: '), Field(product,true), Constant(' [Access]: '), Field(accesses,false), Constant(',Local: '), Field(saddr,false), Constant(',Local Host MAC: '), Field(smacaddr,false), Constant(',Remote Host Name: '), Field(fld3,false), Constant(',Remote Host IP: '), Field(daddr,false), Constant(',Remote Host MAC: '), Field(dmacaddr,false), Constant(','), Field(direction,false), Constant(','), Field(fld2,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port: '), Field(sport,false), Constant(',Remote Port: '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL: '), Field(fld12,false), Constant(',SHA-256: '), Field(checksum,false), Constant(',MD-5: '), Field(checksum,false)}" +match("MESSAGE#215:Local::26", "nwparser.payload", "Event Description: %{event_description->} [Volume]: %{disk_volume->} [Model]: %{product->} [Access]: %{accesses},Local: %{saddr},Local Host MAC: %{smacaddr},Remote Host Name: %{fld3},Remote Host IP: %{daddr},Remote Host MAC: %{dmacaddr},%{direction},%{fld2},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port: %{sport},Remote Port: %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL: %{fld12},SHA-256: %{checksum},MD-5: %{checksum}", processor_chain([ + dup53, + dup12, + dup13, + dup15, + dup40, +])); + +var msg102 = msg("Local::26", part118); + +var select18 = linear_select([ + msg76, + msg77, + msg78, + msg79, + msg80, + msg81, + msg82, + msg83, + msg84, + msg85, + msg86, + msg87, + msg88, + msg89, + msg90, + msg91, + msg92, + msg93, + msg94, + msg95, + msg96, + msg97, + msg98, + msg99, + msg100, + msg101, + msg102, +]); + +var part119 = // "Pattern{Constant('Blocked Attack: Memory Heap Spray attack against '), Field(fld1,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld15,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld51,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#54:Blocked:13/0", "nwparser.payload", "Blocked Attack: Memory Heap Spray attack against %{fld1},Local: %{daddr},Local: %{fld12},Remote: %{fld15},Remote: %{saddr},Remote: %{fld51},Inbound,%{protocol},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld2},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all63 = all_match({ + processors: [ + part119, + dup315, + ], + on_success: processor_chain([ + setc("eventcategory","1001020300"), + dup12, + dup13, + dup14, + dup16, + dup17, + dup15, + setc("event_description","Attack: Memory Heap Spray attack"), + dup19, + dup34, + ]), +}); + +var msg103 = msg("Blocked:13", all63); + +var part120 = // "Pattern{Constant('"'), Field(fld23,false), Constant(',",File Read,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#483:File:01", "nwparser.payload", "\"%{fld23},\",File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup122, + dup123, + dup124, + dup125, +])); + +var msg104 = msg("File:01", part120); + +var part121 = // "Pattern{Constant('"'), Field(info,false), Constant('",Create Process,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld1,false), Constant(','), Field(process,false), Constant(','), Field(fld3,false), Constant(','), Field(fld4,false), Constant(','), Field(application,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld6,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" +match("MESSAGE#484:File:11", "nwparser.payload", "\"%{info}\",Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld1},%{process},%{fld3},%{fld4},%{application},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup122, + dup126, +])); + +var msg105 = msg("File:11", part121); + +var part122 = // "Pattern{Constant('"'), Field(info,false), Constant('",Create Process,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld1,false), Constant(','), Field(process,false), Constant(','), Field(fld3,false), Constant(','), Field(fld4,false), Constant(','), Field(application,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#485:File:02", "nwparser.payload", "\"%{info}\",Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld1},%{process},%{fld3},%{fld4},%{application},User: %{username},Domain: %{domain}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup122, + dup126, +])); + +var msg106 = msg("File:02", part122); + +var part123 = // "Pattern{Field(fld1,false), Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#486:File:03", "nwparser.payload", "%{fld1},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup122, + dup127, + dup124, + dup128, +])); + +var msg107 = msg("File:03", part123); + +var part124 = // "Pattern{Field(info,false), Constant('.'), Field(fld1,false), Constant(',File Read,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld46,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" +match("MESSAGE#487:Blocked:04", "nwparser.payload", "%{info}.%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld46},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ + dup121, + dup12, + dup13, + dup129, + dup14, + dup41, + dup42, + dup122, + dup130, + dup124, + dup125, +])); + +var msg108 = msg("Blocked:04", part124); + +var part125 = // "Pattern{Field(fld1,false), Constant(',File Read,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld46,false)}" +match("MESSAGE#488:File:05", "nwparser.payload", "%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld46}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup122, + dup130, + dup124, + dup125, +])); + +var msg109 = msg("File:05", part125); + +var part126 = // "Pattern{Constant('"'), Field(fld23,false), Constant('",,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#489:File:04", "nwparser.payload", "\"%{fld23}\",,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},,%{filename},User: %{username},Domain: %{domain}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup122, + dup123, +])); + +var msg110 = msg("File:04", part126); + +var part127 = // "Pattern{Field(fld1,false), Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',"Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#490:File:06", "nwparser.payload", "%{fld1},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},\"Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup122, + dup127, + dup124, + dup128, +])); + +var msg111 = msg("File:06", part127); + +var part128 = // "Pattern{Constant('''), Field(fld23,false), Constant('',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#491:File:07", "nwparser.payload", "'%{fld23}',,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},,%{filename},User: %{username},Domain: %{domain}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup122, + dup123, +])); + +var msg112 = msg("File:07", part128); + +var part129 = // "Pattern{Field(fld23,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(process_id,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld6,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" +match("MESSAGE#492:File:12", "nwparser.payload", "%{fld23},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{process_id},%{process},%{fld4},,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ + dup121, + dup12, + dup13, + dup41, + dup42, + dup15, +])); + +var msg113 = msg("File:12", part129); + +var part130 = // "Pattern{Field(fld1,false), Constant(','), Field(fld7,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',"Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#493:File:08", "nwparser.payload", "%{fld1},%{fld7},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},\"Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup122, + dup127, +])); + +var msg114 = msg("File:08", part130); + +var part131 = // "Pattern{Field(fld1,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld6,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" +match("MESSAGE#494:File:09", "nwparser.payload", "%{fld1},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup122, + setc("event_description","File Delete."), + dup124, + dup131, +])); + +var msg115 = msg("File:09", part131); + +var part132 = // "Pattern{Constant('Unauthorized NT call rejected by protection driver.,'), Field(fld22,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(','), Field(fld23,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#496:Blocked", "nwparser.payload", "Unauthorized NT call rejected by protection driver.,%{fld22},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},%{fld23},User: %{username},Domain: %{domain}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup132, + dup122, + setc("event_description","Unauthorized NT call rejected by protection driver."), +])); + +var msg116 = msg("Blocked", part132); + +var part133 = // "Pattern{Constant(',Create Process,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld4,false), Constant(','), Field(process,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(info,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld8,false)}" +match("MESSAGE#497:Blocked:01", "nwparser.payload", ",Create Process,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup122, +])); + +var msg117 = msg("Blocked:01", part133); + +var part134 = // "Pattern{Field(fld5,true), Constant(' - Caller MD5='), Field(fld6,false), Constant(',Registry Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" +match("MESSAGE#498:Blocked:02", "nwparser.payload", "%{fld5->} - Caller MD5=%{fld6},Registry Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup133, +])); + +var msg118 = msg("Blocked:02", part134); + +var part135 = // "Pattern{Field(fld21,true), Constant(' - Caller MD5='), Field(fld22,false), Constant(',Create Process'), Field(p0,false)}" +match("MESSAGE#499:Blocked:03/0_0", "nwparser.payload", "%{fld21->} - Caller MD5=%{fld22},Create Process%{p0}"); + +var part136 = // "Pattern{Field(fld23,false), Constant(',Load Dll'), Field(p0,false)}" +match("MESSAGE#499:Blocked:03/0_1", "nwparser.payload", "%{fld23},Load Dll%{p0}"); + +var select19 = linear_select([ + part135, + part136, +]); + +var part137 = // "Pattern{Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld24,false), Constant(','), Field(process,false), Constant(','), Field(fld25,false), Constant(','), Field(fld26,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld8,false), Constant(',File size (bytes):'), Field(filename_size,false), Constant(',Device ID:'), Field(device,false)}" +match("MESSAGE#499:Blocked:03/1", "nwparser.p0", ",Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld24},%{process},%{fld25},%{fld26},%{filename},User: %{username},Domain: %{domain},Action Type: %{fld8},File size (bytes):%{filename_size},Device ID:%{device}"); + +var all64 = all_match({ + processors: [ + select19, + part137, + ], + on_success: processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup122, + setc("event_description","Block from loading other DLLs/processes."), + ]), +}); + +var msg119 = msg("Blocked:03", all64); + +var part138 = // "Pattern{Field(event_description,true), Constant(' - Caller MD5='), Field(checksum,false), Constant(','), Field(fld1,false), Constant(',Begin: '), Field(fld2,true), Constant(' '), Field(fld3,false), Constant(',End: '), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(process_id,false), Constant(','), Field(process,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(','), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(sdomain,false), Constant(',Action Type: '), Field(fld9,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID:')}" +match("MESSAGE#500:Blocked:05", "nwparser.payload", "%{event_description->} - Caller MD5=%{checksum},%{fld1},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{sdomain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID:", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup15, + dup134, + dup135, +])); + +var msg120 = msg("Blocked:05", part138); + +var part139 = // "Pattern{Constant('['), Field(id,false), Constant('] '), Field(event_description,true), Constant(' - '), Field(fld11,false), Constant(','), Field(fld1,false), Constant(',Begin: '), Field(fld2,true), Constant(' '), Field(fld3,false), Constant(',End: '), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(process_id,false), Constant(','), Field(process,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(','), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld9,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" +match("MESSAGE#501:Blocked:06", "nwparser.payload", "[%{id}] %{event_description->} - %{fld11},%{fld1},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{domain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID: %{device}", processor_chain([ + dup121, + dup12, + dup13, + dup40, + dup15, + dup134, + dup135, +])); + +var msg121 = msg("Blocked:06", part139); + +var part140 = // "Pattern{Constant('['), Field(id,false), Constant('] '), Field(event_description,false), Constant(','), Field(fld1,false), Constant(',Begin: '), Field(fld2,true), Constant(' '), Field(fld3,false), Constant(',End: '), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(process_id,false), Constant(','), Field(process,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(','), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld9,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" +match("MESSAGE#502:Blocked:07", "nwparser.payload", "[%{id}] %{event_description},%{fld1},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{domain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID: %{device}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup15, + dup134, + dup135, +])); + +var msg122 = msg("Blocked:07", part140); + +var part141 = // "Pattern{Field(fld11,true), Constant(' - Target MD5='), Field(fld6,true), Constant(' - Target Arguments='), Field(fld7,false), Constant('/service''), Field(fld33,true), Constant(' ,Create Process,Begin: '), Field(p0,false)}" +match("MESSAGE#504:Blocked:09/0_0", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7}/service'%{fld33->} ,Create Process,Begin: %{p0}"); + +var part142 = // "Pattern{Field(fld11,true), Constant(' - Target MD5='), Field(fld6,true), Constant(' - Target Arguments='), Field(fld7,false), Constant('chrome-extension:'), Field(fld99,false), Constant('''), Field(fld33,true), Constant(' ,Create Process,Begin: '), Field(p0,false)}" +match("MESSAGE#504:Blocked:09/0_1", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7}chrome-extension:%{fld99}'%{fld33->} ,Create Process,Begin: %{p0}"); + +var part143 = // "Pattern{Field(fld11,true), Constant(' - Target MD5='), Field(fld6,true), Constant(' - Target Arguments='), Field(fld7,false), Constant('-ServerName:'), Field(hostid,false), Constant('''), Field(fld33,true), Constant(' ,Create Process,Begin: '), Field(p0,false)}" +match("MESSAGE#504:Blocked:09/0_2", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7}-ServerName:%{hostid}'%{fld33->} ,Create Process,Begin: %{p0}"); + +var part144 = // "Pattern{Constant('- Target MD5='), Field(fld6,true), Constant(' - Target Arguments='), Field(fld7,false), Constant('-ServerName:'), Field(hostid,false), Constant('' ,Create Process,Begin: '), Field(p0,false)}" +match("MESSAGE#504:Blocked:09/0_3", "nwparser.payload", "- Target MD5=%{fld6->} - Target Arguments=%{fld7}-ServerName:%{hostid}' ,Create Process,Begin: %{p0}"); + +var part145 = // "Pattern{Field(fld11,true), Constant(' - Target MD5='), Field(fld6,true), Constant(' - Target Arguments='), Field(fld7,true), Constant(' ,Create Process,Begin: '), Field(p0,false)}" +match("MESSAGE#504:Blocked:09/0_4", "nwparser.payload", "%{fld11->} - Target MD5=%{fld6->} - Target Arguments=%{fld7->} ,Create Process,Begin: %{p0}"); + +var part146 = // "Pattern{Constant('- Target MD5='), Field(fld6,false), Constant(',Create Process,Begin: '), Field(p0,false)}" +match("MESSAGE#504:Blocked:09/0_5", "nwparser.payload", "- Target MD5=%{fld6},Create Process,Begin: %{p0}"); + +var select20 = linear_select([ + part141, + part142, + part143, + part144, + part145, + part146, +]); + +var part147 = // "Pattern{Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,true), Constant(' ,File size ('), Field(fld10,false), Constant('):'), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" +match("MESSAGE#504:Blocked:09/1", "nwparser.p0", "%{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44->} ,File size (%{fld10}):%{filename_size},Device ID: %{device}"); + +var all65 = all_match({ + processors: [ + select20, + part147, + ], + on_success: processor_chain([ + dup121, + dup12, + dup13, + dup129, + dup14, + dup41, + dup42, + dup15, + ]), +}); + +var msg123 = msg("Blocked:09", all65); + +var select21 = linear_select([ + msg103, + msg104, + msg105, + msg106, + msg107, + msg108, + msg109, + msg110, + msg111, + msg112, + msg113, + msg114, + msg115, + msg116, + msg117, + msg118, + msg119, + msg120, + msg121, + msg122, + msg123, +]); + +var part148 = // "Pattern{Constant('Changed value ''), Field(change_attribute,false), Constant('' from ''), Field(change_old,false), Constant('' to ''), Field(change_new,false), Constant('''), Field(p0,false)}" +match("MESSAGE#55:Changed/0", "nwparser.payload", "Changed value '%{change_attribute}' from '%{change_old}' to '%{change_new}'%{p0}"); + +var all66 = all_match({ + processors: [ + part148, + dup318, + ], + on_success: processor_chain([ + dup136, + dup12, + dup13, + dup30, + dup97, + dup22, + dup14, + dup137, + setc("event_description","Changed value"), + dup15, + dup93, + ]), +}); + +var msg124 = msg("Changed", all66); + +var part149 = // "Pattern{Constant('Cleaned up '), Field(dclass_counter1,true), Constant(' LiveUpdate downloaded content')}" +match("MESSAGE#56:Cleaned", "nwparser.payload", "Cleaned up %{dclass_counter1->} LiveUpdate downloaded content", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Cleaned up downloaded content."), + setc("dclass_counter1_string","Number of Virus Cleaned."), +])); + +var msg125 = msg("Cleaned", part149); + +var part150 = // "Pattern{Constant('Client has downloaded the issued Command,'), Field(username,false)}" +match("MESSAGE#57:Client", "nwparser.payload", "Client has downloaded the issued Command,%{username}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup137, + dup15, + setc("event_description","Client has downloaded the issued command."), +])); + +var msg126 = msg("Client", part150); + +var part151 = // "Pattern{Field(event_description,false), Constant(', type SymDelta version'), Field(version,true), Constant(' filesize'), Field(filename_size,false), Constant('.",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#58:Client:01/0_0", "nwparser.payload", "%{event_description}, type SymDelta version%{version->} filesize%{filename_size}.\",Event time:%{fld17->} %{fld18}"); + +var part152 = // "Pattern{Field(event_description,false), Constant(', type full version'), Field(version,true), Constant(' filesize'), Field(filename_size,false), Constant('.",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#58:Client:01/0_1", "nwparser.payload", "%{event_description}, type full version%{version->} filesize%{filename_size}.\",Event time:%{fld17->} %{fld18}"); + +var part153 = // "Pattern{Field(event_description,false)}" +match_copy("MESSAGE#58:Client:01/0_2", "nwparser.payload", "event_description"); + +var select22 = linear_select([ + part151, + part152, + part153, +]); + +var all67 = all_match({ + processors: [ + select22, + ], + on_success: processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + dup93, + ]), +}); + +var msg127 = msg("Client:01", all67); + +var select23 = linear_select([ + msg126, + msg127, +]); + +var part154 = // "Pattern{Constant('client has downloaded the '), Field(p0,false)}" +match("MESSAGE#59:client/0", "nwparser.payload", "client has downloaded the %{p0}"); + +var part155 = // "Pattern{Constant('content package'), Field(p0,false)}" +match("MESSAGE#59:client/1_0", "nwparser.p0", "content package%{p0}"); + +var part156 = // "Pattern{Constant('policy'), Field(p0,false)}" +match("MESSAGE#59:client/1_1", "nwparser.p0", "policy%{p0}"); + +var part157 = // "Pattern{Constant('Intrusion Prevention policy'), Field(p0,false)}" +match("MESSAGE#59:client/1_2", "nwparser.p0", "Intrusion Prevention policy%{p0}"); + +var select24 = linear_select([ + part155, + part156, + part157, +]); + +var part158 = // "Pattern{Field(,false), Constant('successfully,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" +match("MESSAGE#59:client/2", "nwparser.p0", "%{}successfully,%{shost},%{username},%{group}"); + +var all68 = all_match({ + processors: [ + part154, + select24, + part158, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","The client has downloaded the policy successfully."), + ]), +}); + +var msg128 = msg("client", all68); + +var part159 = // "Pattern{Constant('client has reconnected with the management server,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" +match("MESSAGE#60:client:01", "nwparser.payload", "client has reconnected with the management server,%{shost},%{username},%{group}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","The client has reconnected with the management server."), +])); + +var msg129 = msg("client:01", part159); + +var part160 = // "Pattern{Constant('client has downloaded '), Field(filename,true), Constant(' successfully,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" +match("MESSAGE#61:client:02", "nwparser.payload", "client has downloaded %{filename->} successfully,%{shost},%{username},%{group}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup138, +])); + +var msg130 = msg("client:02", part160); + +var part161 = // "Pattern{Constant('client registered with the management server successfully,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" +match("MESSAGE#62:client:03", "nwparser.payload", "client registered with the management server successfully,%{shost},%{username},%{group}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","The client registered with the management server successfully"), +])); + +var msg131 = msg("client:03", part161); + +var part162 = // "Pattern{Constant('client has downloaded '), Field(filename,false), Constant(','), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" +match("MESSAGE#63:client:04", "nwparser.payload", "client has downloaded %{filename},%{shost},%{username},%{group}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup138, +])); + +var msg132 = msg("client:04", part162); + +var part163 = // "Pattern{Constant('Local: '), Field(daddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Inbound,'), Field(fld5,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld12,false)}" +match("MESSAGE#64:client:05/2", "nwparser.p0", "Local: %{daddr},Local: %{fld1},Remote: %{fld25},Remote: %{saddr},Remote: %{fld3},Inbound,%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}"); + +var all69 = all_match({ + processors: [ + dup139, + dup324, + part163, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup142, + dup19, + dup143, + dup34, + ]), +}); + +var msg133 = msg("client:05", all69); + +var part164 = // "Pattern{Constant('Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Outbound,'), Field(fld5,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld12,false)}" +match("MESSAGE#65:client:15/2", "nwparser.p0", "Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},Outbound,%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}"); + +var all70 = all_match({ + processors: [ + dup139, + dup324, + part164, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup142, + dup19, + dup143, + dup35, + ]), +}); + +var msg134 = msg("client:15", all70); + +var part165 = // "Pattern{Constant('client computer has been added to the group,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" +match("MESSAGE#66:client:06", "nwparser.payload", "client computer has been added to the group,%{shost},%{username},%{group}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Client computer has been added to the group."), +])); + +var msg135 = msg("client:06", part165); + +var part166 = // "Pattern{Constant('client computer has been renamed,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(sdomain,false)}" +match("MESSAGE#67:client:07", "nwparser.payload", "client computer has been renamed,%{shost},%{username},%{sdomain}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","The client computer has been renamed"), +])); + +var msg136 = msg("client:07", part166); + +var part167 = // "Pattern{Constant('The client does not have a paid license. The current license cannot be used to obtain a client authentication token.,Event time: '), Field(event_time_string,false)}" +match("MESSAGE#68:client:08", "nwparser.payload", "The client does not have a paid license. The current license cannot be used to obtain a client authentication token.,Event time: %{event_time_string}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","The client does not have a paid license"), +])); + +var msg137 = msg("client:08", part167); + +var part168 = // "Pattern{Constant('The client has successfully downloaded and applied a license from the server.,Event time: '), Field(event_time_string,false)}" +match("MESSAGE#69:client:09", "nwparser.payload", "The client has successfully downloaded and applied a license from the server.,Event time: %{event_time_string}", processor_chain([ + dup43, + dup12, + dup13, + date_time({ + dest: "event_time", + args: ["event_time_string"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dH,dc(":"),dU,dc(":"),dO], + ], + }), + dup15, + setc("event_description","The client has successfully downloaded and applied a license from the server"), +])); + +var msg138 = msg("client:09", part168); + +var part169 = // "Pattern{Constant('The client opted to download a full definitions package for AV definitions from the management server or GUP '), Field(p0,false)}" +match("MESSAGE#693:SYLINK:01/0", "nwparser.payload", "The client opted to download a full definitions package for AV definitions from the management server or GUP %{p0}"); + +var part170 = // "Pattern{Constant('because LiveUpdate had no AV updates available'), Field(p0,false)}" +match("MESSAGE#693:SYLINK:01/1_0", "nwparser.p0", "because LiveUpdate had no AV updates available%{p0}"); + +var part171 = // "Pattern{Constant('rather than download a large package from LiveUpdate'), Field(p0,false)}" +match("MESSAGE#693:SYLINK:01/1_1", "nwparser.p0", "rather than download a large package from LiveUpdate%{p0}"); + +var select25 = linear_select([ + part170, + part171, +]); + +var part172 = // "Pattern{Constant('.'), Field(p0,false)}" +match("MESSAGE#693:SYLINK:01/2", "nwparser.p0", ".%{p0}"); + +var all71 = all_match({ + processors: [ + part169, + select25, + part172, + dup318, + ], + on_success: processor_chain([ + dup43, + dup15, + dup93, + setc("event_description","The client opted to download a full definitions package for AV definitions from the management server or GUP"), + ]), +}); + +var msg139 = msg("SYLINK:01", all71); + +var part173 = // "Pattern{Constant('The client opted to download an update for AV definitions from LiveUpdate rather than download a full definitions package from the management server or GUP.'), Field(,false)}" +match("MESSAGE#694:SYLINK:02", "nwparser.payload", "The client opted to download an update for AV definitions from LiveUpdate rather than download a full definitions package from the management server or GUP.%{}", processor_chain([ + dup43, + dup15, + setc("event_description","The client opted to download an update for AV definitions from LiveUpdate"), +])); + +var msg140 = msg("SYLINK:02", part173); + +var part174 = // "Pattern{Constant('The client has obtained an invalid license file ('), Field(filename,false), Constant(') from the server.,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#695:SYLINK:04", "nwparser.payload", "The client has obtained an invalid license file (%{filename}) from the server.,Event time:%{fld17->} %{fld18}", processor_chain([ + dup121, + dup12, + dup13, + dup15, + dup93, + setc("event_description","The client has obtained an invalid license file from the server."), +])); + +var msg141 = msg("SYLINK:04", part174); + +var part175 = // "Pattern{Constant('The client has successfully downloaded a license file ('), Field(filename,false), Constant(') from the server.')}" +match("MESSAGE#697:Smc", "nwparser.payload", "The client has successfully downloaded a license file (%{filename}) from the server.", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup15, + setc("event_description","The client has successfully downloaded a license file"), +])); + +var msg142 = msg("Smc", part175); + +var part176 = // "Pattern{Constant('The client has successfully downloaded and applied a license file ('), Field(filename,false), Constant(') from the server.'), Field(p0,false)}" +match("MESSAGE#698:Smc:01/0", "nwparser.payload", "The client has successfully downloaded and applied a license file (%{filename}) from the server.%{p0}"); + +var all72 = all_match({ + processors: [ + part176, + dup318, + ], + on_success: processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup15, + dup93, + dup144, + ]), +}); + +var msg143 = msg("Smc:01", all72); + +var part177 = // "Pattern{Constant('"The client has successfully downloaded and applied a license file ('), Field(filename,false), Constant(', Serial: '), Field(serial_number,false), Constant(') from the server."'), Field(p0,false)}" +match("MESSAGE#701:Smc:05/0", "nwparser.payload", "\"The client has successfully downloaded and applied a license file (%{filename}, Serial: %{serial_number}) from the server.\"%{p0}"); + +var all73 = all_match({ + processors: [ + part177, + dup318, + ], + on_success: processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + dup93, + dup144, + ]), +}); + +var msg144 = msg("Smc:05", all73); + +var select26 = linear_select([ + msg128, + msg129, + msg130, + msg131, + msg132, + msg133, + msg134, + msg135, + msg136, + msg137, + msg138, + msg139, + msg140, + msg141, + msg142, + msg143, + msg144, +]); + +var all74 = all_match({ + processors: [ + dup145, + dup325, + dup148, + dup326, + dup151, + ], + on_success: processor_chain([ + dup110, + dup12, + dup152, + dup132, + dup93, + dup153, + dup154, + dup155, + dup15, + dup19, + ]), +}); + +var msg145 = msg("Commercial", all74); + +var part178 = // "Pattern{Field(severity,false), Constant(',First Seen: '), Field(fld50,false), Constant(',Application name: '), Field(p0,false)}" +match("MESSAGE#71:Commercial:02/2_0", "nwparser.p0", "%{severity},First Seen: %{fld50},Application name: %{p0}"); + +var part179 = // "Pattern{Field(severity,false), Constant(',Application name: '), Field(p0,false)}" +match("MESSAGE#71:Commercial:02/2_1", "nwparser.p0", "%{severity},Application name: %{p0}"); + +var select27 = linear_select([ + part178, + part179, +]); + +var part180 = // "Pattern{Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',COH Engine Version: '), Field(fld41,false), Constant(',Detection Submissions No,Permitted application reason: '), Field(fld42,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',Risk Level: '), Field(fld50,false), Constant(',Detection Source: '), Field(fld52,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" +match("MESSAGE#71:Commercial:02/3", "nwparser.p0", "%{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},COH Engine Version: %{fld41},Detection Submissions No,Permitted application reason: %{fld42},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); + +var all75 = all_match({ + processors: [ + dup145, + dup325, + select27, + part180, + dup326, + dup151, + ], + on_success: processor_chain([ + dup110, + dup12, + dup152, + dup132, + dup93, + dup153, + dup154, + dup155, + dup15, + dup19, + ]), +}); + +var msg146 = msg("Commercial:02", all75); + +var part181 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',"Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" +match("MESSAGE#72:Commercial:01/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},\"Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); + +var all76 = all_match({ + processors: [ + dup145, + dup325, + dup148, + dup326, + part181, + ], + on_success: processor_chain([ + dup110, + dup12, + dup152, + dup132, + dup93, + dup153, + dup154, + dup155, + dup15, + dup19, + ]), +}); + +var msg147 = msg("Commercial:01", all76); + +var select28 = linear_select([ + msg145, + msg146, + msg147, +]); + +var part182 = // "Pattern{Constant('Computer has been deleted'), Field(,false)}" +match("MESSAGE#73:Computer:deleted", "nwparser.payload", "Computer has been deleted%{}", processor_chain([ + dup156, + dup12, + dup13, + dup27, + dup97, + dup22, + dup14, + dup15, + dup23, + setc("event_description","Computer has been deleted."), +])); + +var msg148 = msg("Computer:deleted", part182); + +var part183 = // "Pattern{Constant('Computer has been moved'), Field(,false)}" +match("MESSAGE#74:Computer:moved", "nwparser.payload", "Computer has been moved%{}", processor_chain([ + dup136, + dup12, + dup13, + dup30, + dup97, + dup22, + dup14, + dup15, + dup23, + setc("event_description","Computer has been moved."), +])); + +var msg149 = msg("Computer:moved", part183); + +var part184 = // "Pattern{Constant('Computer properties have been changed'), Field(,false)}" +match("MESSAGE#75:Computer:propertieschanged", "nwparser.payload", "Computer properties have been changed%{}", processor_chain([ + dup136, + dup12, + dup13, + dup30, + dup97, + dup22, + dup14, + dup15, + dup23, + setc("event_description","Computer properties have been changed."), +])); + +var msg150 = msg("Computer:propertieschanged", part184); + +var part185 = // "Pattern{Constant('"'), Field(filename,false), Constant('","'), Field(p0,false)}" +match("MESSAGE#76:Computer/1_0", "nwparser.p0", "\"%{filename}\",\"%{p0}"); + +var part186 = // "Pattern{Field(filename,false), Constant(',"'), Field(p0,false)}" +match("MESSAGE#76:Computer/1_1", "nwparser.p0", "%{filename},\"%{p0}"); + +var select29 = linear_select([ + part185, + part186, +]); + +var part187 = // "Pattern{Field(fld1,false), Constant('",Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Last update time: '), Field(fld52,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld58,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false)}" +match("MESSAGE#76:Computer/2", "nwparser.p0", "%{fld1}\",Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld52},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}"); + +var all77 = all_match({ + processors: [ + dup157, + select29, + part187, + ], + on_success: processor_chain([ + dup136, + dup12, + dup132, + dup14, + dup15, + dup158, + ]), +}); + +var msg151 = msg("Computer", all77); + +var part188 = // "Pattern{Constant('"'), Field(filename,false), Constant('",''), Field(p0,false)}" +match("MESSAGE#77:Computer:01/1_0", "nwparser.p0", "\"%{filename}\",'%{p0}"); + +var part189 = // "Pattern{Field(filename,false), Constant(',''), Field(p0,false)}" +match("MESSAGE#77:Computer:01/1_1", "nwparser.p0", "%{filename},'%{p0}"); + +var select30 = linear_select([ + part188, + part189, +]); + +var part190 = // "Pattern{Field(fld1,false), Constant('',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Last update time: '), Field(fld52,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld58,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(event_type,false)}" +match("MESSAGE#77:Computer:01/2", "nwparser.p0", "%{fld1}',Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld52},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{event_type}"); + +var all78 = all_match({ + processors: [ + dup157, + select30, + part190, + ], + on_success: processor_chain([ + dup136, + dup12, + dup132, + dup14, + dup15, + dup158, + ]), +}); + +var msg152 = msg("Computer:01", all78); + +var part191 = // "Pattern{Constant('IP Address: '), Field(hostip,false), Constant(',Computer name: '), Field(shost,false), Constant(',Intensive Protection Level: '), Field(fld55,false), Constant(',Certificate issuer: '), Field(cert_subject,false), Constant(',Certificate signer: '), Field(fld68,false), Constant(',Certificate thumbprint: '), Field(fld57,false), Constant(',Signing timestamp: '), Field(fld69,false), Constant(',Certificate serial number: '), Field(cert.serial,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(p0,false)}" +match("MESSAGE#78:Computer:03/0", "nwparser.payload", "IP Address: %{hostip},Computer name: %{shost},Intensive Protection Level: %{fld55},Certificate issuer: %{cert_subject},Certificate signer: %{fld68},Certificate thumbprint: %{fld57},Signing timestamp: %{fld69},Certificate serial number: %{cert.serial},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); + +var part192 = // "Pattern{Field(fld1,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Last update time: '), Field(fld52,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(','), Field(fld67,false), Constant(',First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld58,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(event_type,false), Constant(',Location:'), Field(fld65,false)}" +match("MESSAGE#78:Computer:03/2", "nwparser.p0", "%{fld1},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld52},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},%{fld67},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{event_type},Location:%{fld65}"); + +var all79 = all_match({ + processors: [ + part191, + dup327, + part192, + ], + on_success: processor_chain([ + setc("eventcategory","1003000000"), + dup12, + dup132, + dup15, + dup93, + dup47, + ]), +}); + +var msg153 = msg("Computer:03", all79); + +var part193 = // "Pattern{Constant('Computer name: '), Field(p0,false)}" +match("MESSAGE#79:Computer:02/0", "nwparser.payload", "Computer name: %{p0}"); + +var all80 = all_match({ + processors: [ + part193, + dup325, + dup161, + ], + on_success: processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup132, + dup152, + dup162, + dup163, + dup164, + dup154, + dup15, + dup19, + ]), +}); + +var msg154 = msg("Computer:02", all80); + +var select31 = linear_select([ + msg148, + msg149, + msg150, + msg151, + msg152, + msg153, + msg154, +]); + +var part194 = // "Pattern{Constant('Configuration Change..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,false), Constant('..Description: '), Field(event_description,true), Constant(' ..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" +match("MESSAGE#80:Configuration", "nwparser.payload", "Configuration Change..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Description: %{event_description->} ..Severity: %{severity}..Source: %{product}", processor_chain([ + dup165, + dup166, + dup15, +])); + +var msg155 = msg("Configuration", part194); + +var part195 = // "Pattern{Constant('Configuration Change..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('........'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,true), Constant(' '), Field(fld7,false), Constant('..')}" +match("MESSAGE#81:Configuration:01", "nwparser.payload", "Configuration Change..%{shost}..%{fld5}........%{severity}..%{product}..%{fld6->} %{fld7}..", processor_chain([ + dup165, + dup166, + setc("event_description","Configuration Change"), + dup15, +])); + +var msg156 = msg("Configuration:01", part195); + +var part196 = // "Pattern{Constant('Configuration Change..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Description: '), Field(event_description,false), Constant('..Time: '), Field(fld6,true), Constant(' '), Field(fld7,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" +match("MESSAGE#82:Configuration:02", "nwparser.payload", "Configuration Change..Computer: %{shost}..Date: %{fld5}..Description: %{event_description}..Time: %{fld6->} %{fld7}..Severity: %{severity}..Source: %{product}", processor_chain([ + dup165, + dup166, + dup15, +])); + +var msg157 = msg("Configuration:02", part196); + +var select32 = linear_select([ + msg155, + msg156, + msg157, +]); + +var part197 = // "Pattern{Constant('Connected to Symantec Endpoint Protection Manager '), Field(p0,false)}" +match("MESSAGE#83:Connected/0", "nwparser.payload", "Connected to Symantec Endpoint Protection Manager %{p0}"); + +var part198 = // "Pattern{Field(fld11,true), Constant(' ,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#83:Connected/1_0", "nwparser.p0", "%{fld11->} ,Event time: %{fld17->} %{fld18}"); + +var part199 = // "Pattern{Constant(''), Field(fld11,false)}" +match("MESSAGE#83:Connected/1_1", "nwparser.p0", "%{fld11}"); + +var select33 = linear_select([ + part198, + part199, +]); + +var all81 = all_match({ + processors: [ + part197, + select33, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup93, + dup15, + setc("event_description","Connected to Symantec Endpoint Protection Manager"), + ]), +}); + +var msg158 = msg("Connected", all81); + +var part200 = // "Pattern{Constant('Connected to Management Server '), Field(hostip,false), Constant('.')}" +match("MESSAGE#686:Connected:01", "nwparser.payload", "Connected to Management Server %{hostip}.", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Connected to Management Server"), +])); + +var msg159 = msg("Connected:01", part200); + +var select34 = linear_select([ + msg158, + msg159, +]); + +var part201 = // "Pattern{Constant('Connection reset'), Field(,false)}" +match("MESSAGE#84:Connection", "nwparser.payload", "Connection reset%{}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Connection reset."), +])); + +var msg160 = msg("Connection", part201); + +var part202 = // "Pattern{Constant('Could '), Field(space,false), Constant('not start Service Engine err='), Field(resultcode,false)}" +match("MESSAGE#85:Could", "nwparser.payload", "Could %{space}not start Service Engine err=%{resultcode}", processor_chain([ + dup86, + dup12, + dup13, + dup14, + dup15, + dup167, +])); + +var msg161 = msg("Could", part202); + +var part203 = // "Pattern{Constant('Could not scan '), Field(dclass_counter1,true), Constant(' files inside '), Field(directory,true), Constant(' due to extraction errors encountered by the Decomposer Engines.')}" +match("MESSAGE#86:Could:01", "nwparser.payload", "Could not scan %{dclass_counter1->} files inside %{directory->} due to extraction errors encountered by the Decomposer Engines.", processor_chain([ + dup86, + dup12, + dup13, + dup14, + dup15, + setc("dclass_counter1_string","Number of Files"), + dup167, +])); + +var msg162 = msg("Could:01", part203); + +var select35 = linear_select([ + msg161, + msg162, +]); + +var part204 = // "Pattern{Constant('Create trident engine failed.'), Field(,false)}" +match("MESSAGE#87:Create", "nwparser.payload", "Create trident engine failed.%{}", processor_chain([ + dup168, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Create trident engine failed."), +])); + +var msg163 = msg("Create", part204); + +var part205 = // "Pattern{Constant('Database Maintenance Finished Successfully'), Field(,false)}" +match("MESSAGE#88:Database", "nwparser.payload", "Database Maintenance Finished Successfully%{}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Database Maintenance Finished Successfully"), +])); + +var msg164 = msg("Database", part205); + +var part206 = // "Pattern{Constant('Database maintenance started.'), Field(,false)}" +match("MESSAGE#89:Database:01", "nwparser.payload", "Database maintenance started.%{}", processor_chain([ + dup43, + dup15, + setc("event_description","Database maintenance started."), +])); + +var msg165 = msg("Database:01", part206); + +var part207 = // "Pattern{Constant('Database maintenance finished successfully.'), Field(,false)}" +match("MESSAGE#90:Database:02", "nwparser.payload", "Database maintenance finished successfully.%{}", processor_chain([ + dup43, + dup15, + setc("event_description","Database maintenance finished successfully."), +])); + +var msg166 = msg("Database:02", part207); + +var part208 = // "Pattern{Constant('Database properties are changed'), Field(,false)}" +match("MESSAGE#91:Database:03", "nwparser.payload", "Database properties are changed%{}", processor_chain([ + dup43, + dup15, + setc("event_description","Database properties are changed"), +])); + +var msg167 = msg("Database:03", part208); + +var select36 = linear_select([ + msg164, + msg165, + msg166, + msg167, +]); + +var part209 = // "Pattern{Constant('Disconnected from Symantec Endpoint Protection Manager. --- server address : '), Field(hostid,false)}" +match("MESSAGE#92:Disconnected", "nwparser.payload", "Disconnected from Symantec Endpoint Protection Manager. --- server address : %{hostid}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup169, +])); + +var msg168 = msg("Disconnected", part209); + +var part210 = // "Pattern{Constant('Disconnected from Symantec Endpoint Protection Manager ('), Field(hostip,false), Constant(')'), Field(p0,false)}" +match("MESSAGE#93:Disconnected:01/0", "nwparser.payload", "Disconnected from Symantec Endpoint Protection Manager (%{hostip})%{p0}"); + +var all82 = all_match({ + processors: [ + part210, + dup318, + ], + on_success: processor_chain([ + dup136, + dup12, + dup13, + dup30, + dup97, + dup14, + dup15, + dup93, + dup169, + ]), +}); + +var msg169 = msg("Disconnected:01", all82); + +var part211 = // "Pattern{Constant('Disconnected to Management Server '), Field(hostip,false), Constant('.')}" +match("MESSAGE#687:Disconnected:02", "nwparser.payload", "Disconnected to Management Server %{hostip}.", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Disconnected to Management Server"), +])); + +var msg170 = msg("Disconnected:02", part211); + +var select37 = linear_select([ + msg168, + msg169, + msg170, +]); + +var part212 = // "Pattern{Field(event_description,false)}" +match_copy("MESSAGE#94:Decomposer", "nwparser.payload", "event_description", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, +])); + +var msg171 = msg("Decomposer", part212); + +var part213 = // "Pattern{Constant('Domain "'), Field(domain,false), Constant('" was added')}" +match("MESSAGE#95:Domain:added", "nwparser.payload", "Domain \"%{domain}\" was added", processor_chain([ + dup95, + dup12, + dup13, + dup96, + dup97, + dup22, + dup14, + dup15, + dup23, + setc("event_description","Domain was added."), +])); + +var msg172 = msg("Domain:added", part213); + +var part214 = // "Pattern{Constant('Domain "'), Field(change_old,false), Constant('" was renamed to "'), Field(change_new,false), Constant('"')}" +match("MESSAGE#96:Domain:renamed", "nwparser.payload", "Domain \"%{change_old}\" was renamed to \"%{change_new}\"", processor_chain([ + dup136, + dup12, + dup13, + dup30, + dup97, + dup22, + dup14, + dup15, + dup23, + setc("event_description","Domain was renamed."), + setc("change_attribute","domain name"), +])); + +var msg173 = msg("Domain:renamed", part214); + +var part215 = // "Pattern{Constant('Domain "'), Field(domain,false), Constant('" was deleted!')}" +match("MESSAGE#97:Domain:deleted", "nwparser.payload", "Domain \"%{domain}\" was deleted!", processor_chain([ + dup156, + dup12, + dup13, + dup27, + dup97, + dup22, + dup14, + dup15, + dup23, + setc("event_description","Domain was deleted."), +])); + +var msg174 = msg("Domain:deleted", part215); + +var part216 = // "Pattern{Constant('Domain administrator "'), Field(username,false), Constant('" was added')}" +match("MESSAGE#98:Domain:administratoradded", "nwparser.payload", "Domain administrator \"%{username}\" was added", processor_chain([ + dup170, + dup12, + dup13, + dup20, + dup96, + dup28, + dup22, + dup14, + dup15, + dup158, + setc("event_description","Domain administrator was added."), +])); + +var msg175 = msg("Domain:administratoradded", part216); + +var part217 = // "Pattern{Constant('Domain administrator "'), Field(username,false), Constant('" was deleted')}" +match("MESSAGE#99:Domain:administratordeleted", "nwparser.payload", "Domain administrator \"%{username}\" was deleted", processor_chain([ + dup171, + dup12, + dup13, + dup20, + dup27, + dup28, + dup22, + dup14, + dup15, + dup158, + setc("event_description","Domain administrator deleted."), +])); + +var msg176 = msg("Domain:administratordeleted", part217); + +var part218 = // "Pattern{Constant('Domain "'), Field(domain,false), Constant('" was disabled')}" +match("MESSAGE#100:Domain:disabled", "nwparser.payload", "Domain \"%{domain}\" was disabled", processor_chain([ + dup136, + dup12, + dup13, + dup56, + dup97, + dup22, + dup14, + dup15, + dup23, + setc("event_description","Domain disabled"), +])); + +var msg177 = msg("Domain:disabled", part218); + +var part219 = // "Pattern{Constant('Domain "'), Field(domain,false), Constant('" was enabled')}" +match("MESSAGE#101:Domain:enabled", "nwparser.payload", "Domain \"%{domain}\" was enabled", processor_chain([ + dup136, + dup12, + dup13, + dup172, + dup97, + dup22, + dup14, + dup15, + dup23, + setc("event_description","Domain enabled"), +])); + +var msg178 = msg("Domain:enabled", part219); + +var select38 = linear_select([ + msg172, + msg173, + msg174, + msg175, + msg176, + msg177, + msg178, +]); + +var part220 = // "Pattern{Constant('Failed to connect to the server. '), Field(action,false), Constant('. ErrorCode: '), Field(resultcode,false)}" +match("MESSAGE#102:Failed", "nwparser.payload", "Failed to connect to the server. %{action}. ErrorCode: %{resultcode}", processor_chain([ + dup168, + dup12, + dup13, + dup14, + dup15, + dup173, +])); + +var msg179 = msg("Failed", part220); + +var part221 = // "Pattern{Constant('Failed to contact server for more than '), Field(p0,false)}" +match("MESSAGE#103:Failed:01/0", "nwparser.payload", "Failed to contact server for more than %{p0}"); + +var part222 = // "Pattern{Constant(''), Field(fld1,true), Constant(' times.,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#103:Failed:01/1_0", "nwparser.p0", "%{fld1->} times.,Event time:%{fld17->} %{fld18}"); + +var part223 = // "Pattern{Field(fld1,true), Constant(' times.')}" +match("MESSAGE#103:Failed:01/1_1", "nwparser.p0", "%{fld1->} times."); + +var select39 = linear_select([ + part222, + part223, +]); + +var all83 = all_match({ + processors: [ + part221, + select39, + ], + on_success: processor_chain([ + dup74, + dup12, + dup13, + dup14, + dup15, + dup93, + dup173, + ]), +}); + +var msg180 = msg("Failed:01", all83); + +var part224 = // "Pattern{Constant('Failed to disable Windows firewall'), Field(,false)}" +match("MESSAGE#104:Failed:02", "nwparser.payload", "Failed to disable Windows firewall%{}", processor_chain([ + dup168, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Failed to disable Windows firewall."), +])); + +var msg181 = msg("Failed:02", part224); + +var part225 = // "Pattern{Constant('Failed to install teefer driver'), Field(,false)}" +match("MESSAGE#105:Failed:03", "nwparser.payload", "Failed to install teefer driver%{}", processor_chain([ + dup168, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Failed to install teefer driver."), +])); + +var msg182 = msg("Failed:03", part225); + +var part226 = // "Pattern{Constant('Failed to connect to '), Field(fld22,false), Constant('. Make sure the server can ping or resolve this domain. ErrorCode: '), Field(resultcode,false)}" +match("MESSAGE#106:Failed:04", "nwparser.payload", "Failed to connect to %{fld22}. Make sure the server can ping or resolve this domain. ErrorCode: %{resultcode}", processor_chain([ + dup168, + dup14, + dup15, + setc("event_description","Failed to connect."), +])); + +var msg183 = msg("Failed:04", part226); + +var part227 = // "Pattern{Constant('Failed to download new client upgrade package from the management server. New Version: '), Field(version,true), Constant(' Package size: '), Field(filename_size,true), Constant(' bytes. Package url: '), Field(url,false)}" +match("MESSAGE#107:Failed:05", "nwparser.payload", "Failed to download new client upgrade package from the management server. New Version: %{version->} Package size: %{filename_size->} bytes. Package url: %{url}", processor_chain([ + dup168, + dup12, + dup13, + setc("ec_subject","Agent"), + dup97, + dup25, + dup14, + dup15, + setc("event_description","Failed to download new client upgrade package from the management server."), +])); + +var msg184 = msg("Failed:05", part227); + +var part228 = // "Pattern{Constant('Failed to import server policy.'), Field(,false)}" +match("MESSAGE#108:Failed:06", "nwparser.payload", "Failed to import server policy.%{}", processor_chain([ + dup168, + dup12, + dup13, + dup97, + dup25, + dup14, + dup15, + setc("event_description","Failed to import server policy."), +])); + +var msg185 = msg("Failed:06", part228); + +var part229 = // "Pattern{Constant('Failed to load plugin:'), Field(filename,false)}" +match("MESSAGE#109:Failed:07", "nwparser.payload", "Failed to load plugin:%{filename}", processor_chain([ + dup168, + dup12, + dup13, + dup97, + dup25, + dup14, + dup15, + setc("event_description","Failed to load plugin"), +])); + +var msg186 = msg("Failed:07", part229); + +var part230 = // "Pattern{Constant('Failed to clean up LiveUpdate downloaded content'), Field(,false)}" +match("MESSAGE#110:Failed:08", "nwparser.payload", "Failed to clean up LiveUpdate downloaded content%{}", processor_chain([ + dup168, + dup12, + dup13, + dup97, + dup25, + dup14, + dup15, + setc("event_description","Failed to clean up LiveUpdate downloaded content"), +])); + +var msg187 = msg("Failed:08", part230); + +var part231 = // "Pattern{Constant('Failed to Login to Remote Site ['), Field(node,false), Constant('] Failed to connect to the server. Make sure that the server is running and your session has not timed out. If you can reach the server but cannot log on, make sure that you provided the correct parameters. If you are experiencing network issues, contact your system administrator.')}" +match("MESSAGE#111:Failed:09", "nwparser.payload", "Failed to Login to Remote Site [%{node}] Failed to connect to the server. Make sure that the server is running and your session has not timed out. If you can reach the server but cannot log on, make sure that you provided the correct parameters. If you are experiencing network issues, contact your system administrator.", processor_chain([ + dup174, + dup12, + dup13, + dup97, + dup25, + dup14, + dup15, + dup175, +])); + +var msg188 = msg("Failed:09", part231); + +var part232 = // "Pattern{Constant('Failed to Login to Remote Site ['), Field(node,false), Constant('] Replication partnership has been deleted from remote site.')}" +match("MESSAGE#112:Failed:10", "nwparser.payload", "Failed to Login to Remote Site [%{node}] Replication partnership has been deleted from remote site.", processor_chain([ + dup174, + dup12, + dup13, + dup97, + dup25, + dup14, + dup15, + dup175, +])); + +var msg189 = msg("Failed:10", part232); + +var part233 = // "Pattern{Constant('Failed to import new policy.,Event time: '), Field(event_time_string,false)}" +match("MESSAGE#113:Failed:11", "nwparser.payload", "Failed to import new policy.,Event time: %{event_time_string}", processor_chain([ + setc("eventcategory","1601000000"), + dup12, + dup13, + dup15, + setc("event_description","Failed to import new policy."), +])); + +var msg190 = msg("Failed:11", part233); + +var part234 = // "Pattern{Constant('Failed to set a custom action for IPS signature '), Field(sigid,true), Constant(' (errcode=0x'), Field(resultcode,false), Constant('). Most probably, this IPS signature was removed from the IPS content.'), Field(p0,false)}" +match("MESSAGE#250:Network:24/0", "nwparser.payload", "Failed to set a custom action for IPS signature %{sigid->} (errcode=0x%{resultcode}). Most probably, this IPS signature was removed from the IPS content.%{p0}"); + +var select40 = linear_select([ + dup176, + dup91, +]); + +var all84 = all_match({ + processors: [ + part234, + select40, + ], + on_success: processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Failed to set a custom action for IPS signature"), + ]), +}); + +var msg191 = msg("Network:24", all84); + +var part235 = // "Pattern{Constant('Failed to connect to all GUPs, now trying to connect SEPM"'), Field(,false)}" +match("MESSAGE#696:SYLINK:03", "nwparser.payload", "Failed to connect to all GUPs, now trying to connect SEPM\"%{}", processor_chain([ + dup74, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Failed to connect to all GUPs."), +])); + +var msg192 = msg("SYLINK:03", part235); + +var select41 = linear_select([ + msg179, + msg180, + msg181, + msg182, + msg183, + msg184, + msg185, + msg186, + msg187, + msg188, + msg189, + msg190, + msg191, + msg192, +]); + +var part236 = // "Pattern{Constant('Firewall driver failed to '), Field(info,false)}" +match("MESSAGE#114:Firewall", "nwparser.payload", "Firewall driver failed to %{info}", processor_chain([ + dup168, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Firewall driver failed."), +])); + +var msg193 = msg("Firewall", part236); + +var part237 = // "Pattern{Constant('Firewall is enabled,Event time: '), Field(event_time_string,false)}" +match("MESSAGE#115:Firewall:01", "nwparser.payload", "Firewall is enabled,Event time: %{event_time_string}", processor_chain([ + dup168, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Firewall is enabled"), +])); + +var msg194 = msg("Firewall:01", part237); + +var part238 = // "Pattern{Constant('Firewall is disabled by policy,Event time: '), Field(event_time_string,false)}" +match("MESSAGE#116:Firewall:02", "nwparser.payload", "Firewall is disabled by policy,Event time: %{event_time_string}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Firewall is disabled by policy"), +])); + +var msg195 = msg("Firewall:02", part238); + +var part239 = // "Pattern{Constant('Firewall is disabled,Event time: '), Field(event_time_string,false)}" +match("MESSAGE#117:Firewall:03", "nwparser.payload", "Firewall is disabled,Event time: %{event_time_string}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Firewall is disabled"), +])); + +var msg196 = msg("Firewall:03", part239); + +var select42 = linear_select([ + msg193, + msg194, + msg195, + msg196, +]); + +var part240 = // "Pattern{Constant('Group has been created'), Field(,false)}" +match("MESSAGE#118:Group:created", "nwparser.payload", "Group has been created%{}", processor_chain([ + dup95, + dup12, + dup13, + dup177, + dup96, + dup178, + dup22, + dup14, + dup15, + dup23, + setc("event_description","Group has been created"), +])); + +var msg197 = msg("Group:created", part240); + +var part241 = // "Pattern{Constant('Group has been deleted'), Field(,false)}" +match("MESSAGE#119:Group:deleted", "nwparser.payload", "Group has been deleted%{}", processor_chain([ + dup156, + dup12, + dup13, + dup177, + dup27, + dup178, + dup22, + dup14, + dup15, + dup23, + setc("event_description","Group has been deleted"), +])); + +var msg198 = msg("Group:deleted", part241); + +var part242 = // "Pattern{Constant('Group ''), Field(group,false), Constant('' was deleted')}" +match("MESSAGE#120:Group:deleted_01", "nwparser.payload", "Group '%{group}' was deleted", processor_chain([ + dup156, + dup12, + dup13, + dup177, + dup27, + dup178, + dup22, + dup14, + dup15, + dup23, + setc("event_description","Group was deleted"), +])); + +var msg199 = msg("Group:deleted_01", part242); + +var part243 = // "Pattern{Constant('Group has been moved'), Field(,false)}" +match("MESSAGE#121:Group:moved", "nwparser.payload", "Group has been moved%{}", processor_chain([ + dup136, + dup12, + dup13, + dup177, + dup30, + dup178, + dup22, + dup14, + dup15, + dup23, + setc("event_description","Group has been moved"), +])); + +var msg200 = msg("Group:moved", part243); + +var part244 = // "Pattern{Constant('Group has been renamed'), Field(,false)}" +match("MESSAGE#122:Group:renamed", "nwparser.payload", "Group has been renamed%{}", processor_chain([ + dup136, + dup12, + dup13, + dup177, + dup30, + dup178, + dup22, + dup14, + dup15, + dup23, + setc("event_description","Group has been renamed"), +])); + +var msg201 = msg("Group:renamed", part244); + +var part245 = // "Pattern{Constant('Group ''), Field(group,false), Constant('' was added')}" +match("MESSAGE#123:Group:added", "nwparser.payload", "Group '%{group}' was added", processor_chain([ + dup95, + dup12, + dup13, + dup177, + dup30, + dup178, + dup22, + dup14, + dup15, + dup23, + setc("event_description","Group was added"), +])); + +var msg202 = msg("Group:added", part245); + +var select43 = linear_select([ + msg197, + msg198, + msg199, + msg200, + msg201, + msg202, +]); + +var part246 = // "Pattern{Constant('Host Integrity check is disabled. '), Field(info,true), Constant(' by the '), Field(username,false)}" +match("MESSAGE#124:Host", "nwparser.payload", "Host Integrity check is disabled. %{info->} by the %{username}", processor_chain([ + dup179, + dup12, + dup13, + dup56, + dup97, + dup22, + dup14, + dup15, + dup180, +])); + +var msg203 = msg("Host", part246); + +var part247 = // "Pattern{Field(info,true), Constant(' up-to-date')}" +match("MESSAGE#125:Host:01", "nwparser.payload", "%{info->} up-to-date", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Component is up-to-date"), +])); + +var msg204 = msg("Host:01", part247); + +var part248 = // "Pattern{Constant('Host Integrity check failed Requirement: "'), Field(fld11,false), Constant('" passed Requirement: "'), Field(fld12,false), Constant('" failed Requirement: "'), Field(fld13,false), Constant('" passed Requirement: "'), Field(fld14,false), Constant('" passed '), Field(fld44,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#126:Host:02", "nwparser.payload", "Host Integrity check failed Requirement: \"%{fld11}\" passed Requirement: \"%{fld12}\" failed Requirement: \"%{fld13}\" passed Requirement: \"%{fld14}\" passed %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain}", processor_chain([ + dup179, + dup12, + dup13, + dup25, + dup14, + dup15, + dup89, +])); + +var msg205 = msg("Host:02", part248); + +var part249 = // "Pattern{Constant('Host Integrity failed but reported as pass Requirement: "'), Field(fld11,false), Constant('" passed Requirement: "'), Field(fld12,false), Constant('" passed Requirement: "'), Field(fld13,false), Constant('" passed Requirement: "'), Field(fld14,false), Constant('" failed '), Field(fld44,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#127:Host:05", "nwparser.payload", "Host Integrity failed but reported as pass Requirement: \"%{fld11}\" passed Requirement: \"%{fld12}\" passed Requirement: \"%{fld13}\" passed Requirement: \"%{fld14}\" failed %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ + dup179, + dup12, + dup13, + dup25, + dup14, + dup15, + dup181, +])); + +var msg206 = msg("Host:05", part249); + +var part250 = // "Pattern{Constant('Host Integrity failed but reported as pass Requirement: "'), Field(fld11,false), Constant('" '), Field(fld18,true), Constant(' Requirement: "'), Field(fld12,false), Constant('" '), Field(fld17,true), Constant(' Requirement: "'), Field(fld13,false), Constant('" '), Field(fld16,true), Constant(' Requirement: "'), Field(fld14,false), Constant('" '), Field(fld15,true), Constant(' '), Field(fld44,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#128:Host:06", "nwparser.payload", "Host Integrity failed but reported as pass Requirement: \"%{fld11}\" %{fld18->} Requirement: \"%{fld12}\" %{fld17->} Requirement: \"%{fld13}\" %{fld16->} Requirement: \"%{fld14}\" %{fld15->} %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ + dup179, + dup12, + dup13, + dup25, + dup14, + dup15, + dup181, +])); + +var msg207 = msg("Host:06", part250); + +var part251 = // "Pattern{Constant('Host Integrity check failed '), Field(result,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#129:Host:04", "nwparser.payload", "Host Integrity check failed %{result},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ + dup179, + dup12, + dup13, + dup25, + dup14, + dup15, + setc("event_description","Host Integrity check failed"), +])); + +var msg208 = msg("Host:04", part251); + +var part252 = // "Pattern{Constant('Host Integrity check passed Requirement: "'), Field(fld11,false), Constant('" passed Requirement: "'), Field(fld12,false), Constant('" passed Requirement: "'), Field(fld13,false), Constant('" passed Requirement: "'), Field(fld14,false), Constant('" passed '), Field(fld44,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#130:Host:03", "nwparser.payload", "Host Integrity check passed Requirement: \"%{fld11}\" passed Requirement: \"%{fld12}\" passed Requirement: \"%{fld13}\" passed Requirement: \"%{fld14}\" passed %{fld44},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ + dup179, + dup12, + dup13, + dup22, + dup14, + dup15, + dup88, +])); + +var msg209 = msg("Host:03", part252); + +var part253 = // "Pattern{Constant('Host Integrity check passed'), Field(space,false), Constant('Requirement: ''), Field(fld11,false), Constant('' passed '), Field(fld12,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#132:Host:07", "nwparser.payload", "Host Integrity check passed%{space}Requirement: '%{fld11}' passed %{fld12},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ + dup179, + dup87, + dup12, + dup13, + dup22, + dup14, + dup15, + dup88, +])); + +var msg210 = msg("Host:07", part253); + +var part254 = // "Pattern{Field(shost,false), Constant(', Host Integrity check passed '), Field(p0,false)}" +match("MESSAGE#133:Host:08/0_0", "nwparser.payload", "%{shost}, Host Integrity check passed %{p0}"); + +var part255 = // "Pattern{Constant('Host Integrity check passed'), Field(p0,false)}" +match("MESSAGE#133:Host:08/0_1", "nwparser.payload", "Host Integrity check passed%{p0}"); + +var select44 = linear_select([ + part254, + part255, +]); + +var part256 = // "Pattern{Field(,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#133:Host:08/1", "nwparser.p0", "%{},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:%{fld25}"); + +var all85 = all_match({ + processors: [ + select44, + part256, + ], + on_success: processor_chain([ + dup53, + dup12, + dup22, + dup15, + dup88, + dup40, + dup41, + dup42, + dup47, + ]), +}); + +var msg211 = msg("Host:08", all85); + +var part257 = // "Pattern{Field(shost,false), Constant(', Host Integrity check pass.'), Field(info,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(','), Field(p0,false)}" +match("MESSAGE#134:Host:09/0", "nwparser.payload", "%{shost}, Host Integrity check pass.%{info},Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},%{p0}"); + +var select45 = linear_select([ + dup67, + dup182, +]); + +var part258 = // "Pattern{Field(,true), Constant(' '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#134:Host:09/2", "nwparser.p0", "%{} %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:%{fld25}"); + +var all86 = all_match({ + processors: [ + part257, + select45, + part258, + ], + on_success: processor_chain([ + dup179, + dup12, + dup15, + dup40, + dup41, + dup42, + dup47, + ]), +}); + +var msg212 = msg("Host:09", all86); + +var part259 = // "Pattern{Constant('Host Integrity check is disabled. Only do Host Integrity checking when connected to the Symantec Endpoint Protection Manager is checked.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#702:Smc:06", "nwparser.payload", "Host Integrity check is disabled. Only do Host Integrity checking when connected to the Symantec Endpoint Protection Manager is checked.,Event time: %{fld17->} %{fld18}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + dup93, + dup180, +])); + +var msg213 = msg("Smc:06", part259); + +var select46 = linear_select([ + msg203, + msg204, + msg205, + msg206, + msg207, + msg208, + msg209, + msg210, + msg211, + msg212, + msg213, +]); + +var part260 = // "Pattern{Field(fld31,true), Constant(' ??????????????? ??: "'), Field(fld11,false), Constant('"?? ??: "'), Field(fld12,false), Constant('"?? ??: "'), Field(fld13,false), Constant('"?? ??: "'), Field(fld14,false), Constant('"??,??????????? ,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#131:??:", "nwparser.payload", "%{fld31->} ??????????????? ??: \"%{fld11}\"?? ??: \"%{fld12}\"?? ??: \"%{fld13}\"?? ??: \"%{fld14}\"??,??????????? ,Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld25}", processor_chain([ + dup179, + dup12, + dup13, + dup14, + dup15, +])); + +var msg214 = msg("??:", part260); + +var part261 = // "Pattern{Field(info,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#135:Intrusion/0", "nwparser.payload", "%{info->} %{p0}"); + +var part262 = // "Pattern{Constant('was '), Field(p0,false)}" +match("MESSAGE#135:Intrusion/1_1", "nwparser.p0", "was %{p0}"); + +var select47 = linear_select([ + dup183, + part262, +]); + +var part263 = // "Pattern{Constant(''), Field(action,false)}" +match("MESSAGE#135:Intrusion/2", "nwparser.p0", "%{action}"); + +var all87 = all_match({ + processors: [ + part261, + select47, + part263, + ], + on_success: processor_chain([ + dup92, + dup12, + dup13, + dup14, + setc("event_description","Intrusion Prevention signatures is up-to-date."), + dup15, + ]), +}); + +var msg215 = msg("Intrusion", all87); + +var part264 = // "Pattern{Field(info,true), Constant(' failed to update')}" +match("MESSAGE#136:Intrusion:01", "nwparser.payload", "%{info->} failed to update", processor_chain([ + dup92, + dup12, + dup13, + dup14, + setc("event_description"," Failed to update Signature"), + dup15, +])); + +var msg216 = msg("Intrusion:01", part264); + +var select48 = linear_select([ + msg215, + msg216, +]); + +var part265 = // "Pattern{Constant('Invalid log record:'), Field(info,false)}" +match("MESSAGE#137:Invalid", "nwparser.payload", "Invalid log record:%{info}", processor_chain([ + dup168, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Invalid log record"), +])); + +var msg217 = msg("Invalid", part265); + +var part266 = // "Pattern{Constant('Limited Administrator administrator "'), Field(change_old,false), Constant('" was renamed to "'), Field(change_new,false), Constant('"')}" +match("MESSAGE#138:Limited", "nwparser.payload", "Limited Administrator administrator \"%{change_old}\" was renamed to \"%{change_new}\"", processor_chain([ + setc("eventcategory","1402020300"), + dup12, + dup13, + dup30, + dup22, + dup14, + dup15, + setc("event_description","Limited Administrator renamed"), + dup23, + setc("change_attribute","limited administrator username."), +])); + +var msg218 = msg("Limited", part266); + +var part267 = // "Pattern{Constant('LiveUpdate will start next on '), Field(info,true), Constant(' on '), Field(product,false)}" +match("MESSAGE#139:LiveUpdate:08", "nwparser.payload", "LiveUpdate will start next on %{info->} on %{product}", processor_chain([ + dup43, + dup15, + dup184, +])); + +var msg219 = msg("LiveUpdate:08", part267); + +var part268 = // "Pattern{Constant('LiveUpdate '), Field(info,true), Constant(' on '), Field(product,false), Constant('"')}" +match("MESSAGE#140:LiveUpdate:01", "nwparser.payload", "LiveUpdate %{info->} on %{product}\"", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup184, +])); + +var msg220 = msg("LiveUpdate:01", part268); + +var part269 = // "Pattern{Constant('LiveUpdate failed.'), Field(,false)}" +match("MESSAGE#141:LiveUpdate", "nwparser.payload", "LiveUpdate failed.%{}", processor_chain([ + dup168, + dup12, + dup13, + dup14, + dup15, + setc("event_description","LiveUpdate failed."), +])); + +var msg221 = msg("LiveUpdate", part269); + +var part270 = // "Pattern{Constant('LiveUpdate encountered one or more errors. Return code = '), Field(resultcode,false)}" +match("MESSAGE#142:LiveUpdate:04", "nwparser.payload", "LiveUpdate encountered one or more errors. Return code = %{resultcode}", processor_chain([ + dup168, + dup15, + setc("event_description","LiveUpdate encountered one or more errors"), +])); + +var msg222 = msg("LiveUpdate:04", part270); + +var part271 = // "Pattern{Constant('LiveUpdate succeeded'), Field(,false)}" +match("MESSAGE#143:LiveUpdate:02", "nwparser.payload", "LiveUpdate succeeded%{}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","LiveUpdate succeeded"), +])); + +var msg223 = msg("LiveUpdate:02", part271); + +var part272 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,[LiveUpdate error submission] Submitting information to Symantec failed.')}" +match("MESSAGE#144:LiveUpdate:09", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,[LiveUpdate error submission] Submitting information to Symantec failed.", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup185, +])); + +var msg224 = msg("LiveUpdate:09", part272); + +var part273 = // "Pattern{Constant('LiveUpdate encountered an error: Failed to connect to the LiveUpdate server ('), Field(resultcode,false), Constant(')'), Field(p0,false)}" +match("MESSAGE#145:LiveUpdate:10/0", "nwparser.payload", "LiveUpdate encountered an error: Failed to connect to the LiveUpdate server (%{resultcode})%{p0}"); + +var select49 = linear_select([ + dup186, + dup91, +]); + +var all88 = all_match({ + processors: [ + part273, + select49, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","Failed to connect to the LiveUpdate server"), + ]), +}); + +var msg225 = msg("LiveUpdate:10", all88); + +var part274 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,"An update for '), Field(application,true), Constant(' failed to install. Error: '), Field(resultcode,false), Constant(', DuResult:'), Field(fld23,false), Constant('."'), Field(p0,false)}" +match("MESSAGE#146:LiveUpdate:11/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,\"An update for %{application->} failed to install. Error: %{resultcode}, DuResult:%{fld23}.\"%{p0}"); + +var all89 = all_match({ + processors: [ + part274, + dup318, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","An update failed to install"), + ]), +}); + +var msg226 = msg("LiveUpdate:11", all89); + +var part275 = // "Pattern{Constant('LiveUpdate re-run triggered by the download of content catalog.'), Field(,false)}" +match("MESSAGE#147:LiveUpdate:12", "nwparser.payload", "LiveUpdate re-run triggered by the download of content catalog.%{}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","LiveUpdate re-run triggered by the download of content catalog."), +])); + +var msg227 = msg("LiveUpdate:12", part275); + +var part276 = // "Pattern{Constant('LiveUpdate cannot be run because all licenses have expired.'), Field(,false)}" +match("MESSAGE#148:LiveUpdate:13", "nwparser.payload", "LiveUpdate cannot be run because all licenses have expired.%{}", processor_chain([ + dup43, + dup14, + dup15, + setc("event_description","LiveUpdate cannot be run because all licenses have expired."), +])); + +var msg228 = msg("LiveUpdate:13", part276); + +var part277 = // "Pattern{Constant('LiveUpdate started.'), Field(,false)}" +match("MESSAGE#149:LiveUpdate::05", "nwparser.payload", "LiveUpdate started.%{}", processor_chain([ + dup43, + dup15, + setc("action","LiveUpdate started."), +])); + +var msg229 = msg("LiveUpdate::05", part277); + +var part278 = // "Pattern{Constant('LiveUpdate retry started.'), Field(,false)}" +match("MESSAGE#150:LiveUpdate::06", "nwparser.payload", "LiveUpdate retry started.%{}", processor_chain([ + dup43, + dup15, + setc("action","LiveUpdate retry started."), +])); + +var msg230 = msg("LiveUpdate::06", part278); + +var part279 = // "Pattern{Constant('LiveUpdate retry succeeded.'), Field(,false)}" +match("MESSAGE#151:LiveUpdate::07", "nwparser.payload", "LiveUpdate retry succeeded.%{}", processor_chain([ + dup43, + dup15, + setc("action","LiveUpdate retry succeeded."), +])); + +var msg231 = msg("LiveUpdate::07", part279); + +var part280 = // "Pattern{Constant('LiveUpdate retry failed. Will try again.'), Field(,false)}" +match("MESSAGE#152:LiveUpdate::08", "nwparser.payload", "LiveUpdate retry failed. Will try again.%{}", processor_chain([ + dup43, + dup12, + dup13, + dup15, + setc("action","LiveUpdate retry failed."), +])); + +var msg232 = msg("LiveUpdate::08", part280); + +var part281 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Centralized Reputation Settings from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" +match("MESSAGE#153:LiveUpdate:14", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Centralized Reputation Settings from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","An update for Centralized Reputation Settings from LiveUpdate failed to install."), +])); + +var msg233 = msg("LiveUpdate:14", part281); + +var part282 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Intrusion Prevention Signatures (hub) from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" +match("MESSAGE#154:LiveUpdate:15", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Intrusion Prevention Signatures (hub) from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ + dup43, + dup12, + dup13, + dup45, + dup38, + dup25, + dup14, + dup15, + setc("event_description","An update for Intrusion Prevention Signatures (hub) from LiveUpdate failed to install."), +])); + +var msg234 = msg("LiveUpdate:15", part282); + +var part283 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Intrusion Prevention Signatures from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" +match("MESSAGE#155:LiveUpdate:16", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Intrusion Prevention Signatures from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ + dup43, + dup12, + dup13, + dup45, + dup38, + dup25, + dup14, + dup15, + setc("event_description","An update for Intrusion Prevention Signatures from LiveUpdate failed to install."), +])); + +var msg235 = msg("LiveUpdate:16", part283); + +var part284 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Revocation Data from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" +match("MESSAGE#156:LiveUpdate:17", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Revocation Data from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","An update for Revocation Data from LiveUpdate failed to install."), +])); + +var msg236 = msg("LiveUpdate:17", part284); + +var part285 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for SONAR Definitions from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')'), Field(p0,false)}" +match("MESSAGE#157:LiveUpdate:18/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for SONAR Definitions from LiveUpdate failed to install. Error:%{result}(%{resultcode})%{p0}"); + +var all90 = all_match({ + processors: [ + part285, + dup318, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","An update for SONAR Definitions from LiveUpdate failed to install."), + ]), +}); + +var msg237 = msg("LiveUpdate:18", all90); + +var part286 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Symantec Whitelist from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')'), Field(p0,false)}" +match("MESSAGE#158:LiveUpdate:19/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Symantec Whitelist from LiveUpdate failed to install. Error:%{result}(%{resultcode})%{p0}"); + +var all91 = all_match({ + processors: [ + part286, + dup318, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","An update for Symantec Whitelist from LiveUpdate failed to install."), + ]), +}); + +var msg238 = msg("LiveUpdate:19", all91); + +var part287 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Virus and Spyware Definitions Win32 (hub) from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" +match("MESSAGE#159:LiveUpdate:20", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win32 (hub) from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ + dup43, + dup12, + dup13, + dup45, + dup38, + dup25, + dup14, + dup15, + setc("event_description","An update for Virus and Spyware Definitions Win32 (hub) from LiveUpdate failed to install."), +])); + +var msg239 = msg("LiveUpdate:20", part287); + +var part288 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Virus and Spyware Definitions Win32 from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" +match("MESSAGE#160:LiveUpdate:21", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win32 from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ + dup43, + dup12, + dup13, + dup45, + dup38, + dup25, + dup14, + dup15, + setc("event_description","An update for Virus and Spyware Definitions Win32 from LiveUpdate failed to install."), +])); + +var msg240 = msg("LiveUpdate:21", part288); + +var part289 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Virus and Spyware Definitions Win64 (hub) from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" +match("MESSAGE#161:LiveUpdate:22", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win64 (hub) from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ + dup43, + dup12, + dup13, + dup45, + dup38, + dup25, + dup14, + dup15, + setc("event_description","An update for Virus and Spyware Definitions Win64 (hub) from LiveUpdate failed to install."), +])); + +var msg241 = msg("LiveUpdate:22", part289); + +var part290 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,An update for Virus and Spyware Definitions Win64 from LiveUpdate failed to install. Error:'), Field(result,false), Constant('('), Field(resultcode,false), Constant(')')}" +match("MESSAGE#162:LiveUpdate:23", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,An update for Virus and Spyware Definitions Win64 from LiveUpdate failed to install. Error:%{result}(%{resultcode})", processor_chain([ + dup43, + dup94, + dup13, + dup45, + dup38, + dup25, + dup14, + dup15, + setc("event_description","An update for Virus and Spyware Definitions Win64 from LiveUpdate failed to install."), +])); + +var msg242 = msg("LiveUpdate:23", part290); + +var part291 = // "Pattern{Constant('LiveUpdate encountered an error: '), Field(result,true), Constant(' ('), Field(resultcode,false), Constant(').'), Field(p0,false)}" +match("MESSAGE#163:LiveUpdate:24/0", "nwparser.payload", "LiveUpdate encountered an error: %{result->} (%{resultcode}).%{p0}"); + +var all92 = all_match({ + processors: [ + part291, + dup318, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup38, + dup187, + dup14, + dup15, + dup93, + dup188, + ]), +}); + +var msg243 = msg("LiveUpdate:24", all92); + +var part292 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest Revocation Data update failed to load. The component has no valid content and will not function correctly until it is updated.')}" +match("MESSAGE#164:LiveUpdate:25", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Revocation Data update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","The latest Revocation Data update failed to load. The component has no valid content and will not function correctly until it is updated."), +])); + +var msg244 = msg("LiveUpdate:25", part292); + +var part293 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest Symantec Whitelist update failed to load. The component has no valid content and will not function correctly until it is updated.')}" +match("MESSAGE#165:LiveUpdate:26", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Symantec Whitelist update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","The latest Symantec Whitelist update failed to load. The component has no valid content and will not function correctly until it is updated."), +])); + +var msg245 = msg("LiveUpdate:26", part293); + +var part294 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,A LiveUpdate session encountered errors. '), Field(fld1,true), Constant(' update(s) were available. '), Field(fld2,true), Constant(' update(s) installed successfully. '), Field(fld3,true), Constant(' update(s) failed to install.'), Field(p0,false)}" +match("MESSAGE#166:LiveUpdate:27/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,A LiveUpdate session encountered errors. %{fld1->} update(s) were available. %{fld2->} update(s) installed successfully. %{fld3->} update(s) failed to install.%{p0}"); + +var all93 = all_match({ + processors: [ + part294, + dup318, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","LiveUpdate session encountered errors"), + ]), +}); + +var msg246 = msg("LiveUpdate:27", all93); + +var part295 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest Revocation Data update failed to load. The component will continue to use its previous content.'), Field(p0,false)}" +match("MESSAGE#167:LiveUpdate:28/0", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Revocation Data update failed to load. The component will continue to use its previous content.%{p0}"); + +var all94 = all_match({ + processors: [ + part295, + dup318, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","The latest Revocation Data update failed to load."), + ]), +}); + +var msg247 = msg("LiveUpdate:28", all94); + +var part296 = // "Pattern{Field(fld11,false), Constant(': Impossible de se connecter au serveur LiveUpdate '), Field(fld12,false), Constant('.')}" +match("MESSAGE#168:LiveUpdate:29", "nwparser.payload", "%{fld11}: Impossible de se connecter au serveur LiveUpdate %{fld12}.", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","LiveUpdate a rencontr� une erreur"), +])); + +var msg248 = msg("LiveUpdate:29", part296); + +var part297 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,An update for '), Field(application,true), Constant(' was successfully installed.'), Field(space,false), Constant('The new sequence number is '), Field(fld23,false), Constant('.'), Field(p0,false)}" +match("MESSAGE#169:LiveUpdate:30/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,An update for %{application->} was successfully installed.%{space}The new sequence number is %{fld23}.%{p0}"); + +var part298 = // "Pattern{Field(space,false), Constant('Content was downloaded from '), Field(url,true), Constant(' ('), Field(sport,false), Constant(').,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#169:LiveUpdate:30/1_0", "nwparser.p0", "%{space}Content was downloaded from %{url->} (%{sport}).,Event time:%{fld17->} %{fld18}"); + +var part299 = // "Pattern{Field(space,false), Constant('Content was downloaded from '), Field(url,true), Constant(' ('), Field(sport,false), Constant(').')}" +match("MESSAGE#169:LiveUpdate:30/1_1", "nwparser.p0", "%{space}Content was downloaded from %{url->} (%{sport})."); + +var select50 = linear_select([ + part298, + part299, + dup90, + dup91, +]); + +var all95 = all_match({ + processors: [ + part297, + select50, + ], + on_success: processor_chain([ + dup43, + dup189, + dup13, + dup14, + dup15, + dup93, + setc("event_description","An update from LiveUpdate Manager installed successfully"), + ]), +}); + +var msg249 = msg("LiveUpdate:30", all95); + +var part300 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest '), Field(application,true), Constant(' update failed to load. The component will continue to use its previous content.'), Field(p0,false)}" +match("MESSAGE#170:LiveUpdate:31/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest %{application->} update failed to load. The component will continue to use its previous content.%{p0}"); + +var all96 = all_match({ + processors: [ + part300, + dup318, + ], + on_success: processor_chain([ + dup43, + dup189, + dup13, + dup14, + dup15, + dup93, + setc("event_description","The latest update from LiveUpdate Manager failed to load."), + ]), +}); + +var msg250 = msg("LiveUpdate:31", all96); + +var part301 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,Scheduled LiveUpdate switched to '), Field(change_new,false), Constant('.')}" +match("MESSAGE#171:LiveUpdate:32", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,Scheduled LiveUpdate switched to %{change_new}.", processor_chain([ + dup136, + dup12, + dup13, + dup30, + dup97, + dup22, + dup14, + dup15, + setc("event_description","Scheduled LiveUpdate interval switched."), +])); + +var msg251 = msg("LiveUpdate:32", part301); + +var part302 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,An update for '), Field(application,true), Constant(' from LiveUpdate failed to install. Error: '), Field(result,false), Constant('('), Field(resultcode,false), Constant(')'), Field(p0,false)}" +match("MESSAGE#172:LiveUpdate:33/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,An update for %{application->} from LiveUpdate failed to install. Error: %{result}(%{resultcode})%{p0}"); + +var all97 = all_match({ + processors: [ + part302, + dup318, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","An update from LiveUpdate Manager failed to install."), + ]), +}); + +var msg252 = msg("LiveUpdate:33", all97); + +var part303 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,An update for '), Field(application,true), Constant(' from Intelligent Updater was already installed.')}" +match("MESSAGE#173:LiveUpdate:34", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,An update for %{application->} from Intelligent Updater was already installed.", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","An update from Intelligent Updater already installed."), +])); + +var msg253 = msg("LiveUpdate:34", part303); + +var part304 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,'), Field(p0,false)}" +match("MESSAGE#174:LiveUpdate:35/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,%{p0}"); + +var part305 = // "Pattern{Constant('A '), Field(p0,false)}" +match("MESSAGE#174:LiveUpdate:35/1_0", "nwparser.p0", "A %{p0}"); + +var part306 = // "Pattern{Constant(' The'), Field(p0,false)}" +match("MESSAGE#174:LiveUpdate:35/1_1", "nwparser.p0", " The%{p0}"); + +var select51 = linear_select([ + part305, + part306, +]); + +var part307 = // "Pattern{Field(,false), Constant('LiveUpdate session '), Field(p0,false)}" +match("MESSAGE#174:LiveUpdate:35/2", "nwparser.p0", "%{}LiveUpdate session %{p0}"); + +var part308 = // "Pattern{Constant('was'), Field(p0,false)}" +match("MESSAGE#174:LiveUpdate:35/3_1", "nwparser.p0", "was%{p0}"); + +var select52 = linear_select([ + dup183, + part308, +]); + +var part309 = // "Pattern{Field(,false), Constant('cancelled.')}" +match("MESSAGE#174:LiveUpdate:35/4", "nwparser.p0", "%{}cancelled."); + +var all98 = all_match({ + processors: [ + part304, + select51, + part307, + select52, + part309, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","A LiveUpdate session from LiveUpdate Manager was cancelled."), + ]), +}); + +var msg254 = msg("LiveUpdate:35", all98); + +var part310 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,"A LiveUpdate session is already running, so the scheduled LiveUpdate was skipped."'), Field(p0,false)}" +match("MESSAGE#175:LiveUpdate:36/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,\"A LiveUpdate session is already running, so the scheduled LiveUpdate was skipped.\"%{p0}"); + +var all99 = all_match({ + processors: [ + part310, + dup318, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","A LiveUpdate session from LiveUpdate Manager is running, LiveUpdate skipped."), + ]), +}); + +var msg255 = msg("LiveUpdate:36", all99); + +var part311 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,Scheduled LiveUpdate keep trying to connect to Server for '), Field(fld23,true), Constant(' times.')}" +match("MESSAGE#176:LiveUpdate:37", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,Scheduled LiveUpdate keep trying to connect to Server for %{fld23->} times.", processor_chain([ + dup43, + dup94, + dup13, + dup14, + dup15, + setc("event_description","LiveUpdate is trying to connect to Server."), +])); + +var msg256 = msg("LiveUpdate:37", part311); + +var part312 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,A LiveUpdate session ran successfully. '), Field(p0,false)}" +match("MESSAGE#177:LiveUpdate:38/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,A LiveUpdate session ran successfully. %{p0}"); + +var part313 = // "Pattern{Constant(''), Field(fld23,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#177:LiveUpdate:38/1_0", "nwparser.p0", "%{fld23},Event time:%{fld17->} %{fld18}"); + +var part314 = // "Pattern{Field(fld23,false)}" +match_copy("MESSAGE#177:LiveUpdate:38/1_1", "nwparser.p0", "fld23"); + +var select53 = linear_select([ + part313, + part314, +]); + +var all100 = all_match({ + processors: [ + part312, + select53, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup93, + dup15, + setc("event_description","A LiveUpdate session from LiveUpdate Manager ran successfully."), + ]), +}); + +var msg257 = msg("LiveUpdate:38", all100); + +var part315 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,[LiveUpdate error submission] Information submitted to Symantec.'), Field(p0,false)}" +match("MESSAGE#178:LiveUpdate:39/0", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,[LiveUpdate error submission] Information submitted to Symantec.%{p0}"); + +var all101 = all_match({ + processors: [ + part315, + dup318, + ], + on_success: processor_chain([ + dup168, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","LiveUpdate error submission to Symantec."), + ]), +}); + +var msg258 = msg("LiveUpdate:39", all101); + +var part316 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest Submission Control Thresholds update failed to load. The component has no valid content and will not function correctly until it is updated.')}" +match("MESSAGE#180:LiveUpdate:41", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Submission Control Thresholds update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","The latest Submission Control Thresholds update failed to load."), +])); + +var msg259 = msg("LiveUpdate:41", part316); + +var part317 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest SONAR Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.')}" +match("MESSAGE#181:LiveUpdate:42", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest SONAR Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup190, +])); + +var msg260 = msg("LiveUpdate:42", part317); + +var part318 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',LiveUpdate Manager,The latest Endpoint Detection and Response update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" +match("MESSAGE#182:LiveUpdate:43", "nwparser.payload", "Category: %{fld11},LiveUpdate Manager,The latest Endpoint Detection and Response update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup190, +])); + +var msg261 = msg("LiveUpdate:43", part318); + +var part319 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,"[LiveUpdate error submission] Submitting information to Symantec failed. Network error : ''), Field(result,false), Constant('''), Field(fld23,false), Constant('",Event time: '), Field(event_time_string,false)}" +match("MESSAGE#183:LiveUpdate:44", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,\"[LiveUpdate error submission] Submitting information to Symantec failed. Network error : '%{result}'%{fld23}\",Event time: %{event_time_string}", processor_chain([ + dup86, + dup12, + dup13, + dup15, + dup185, +])); + +var msg262 = msg("LiveUpdate:44", part319); + +var part320 = // "Pattern{Constant('LiveUpdate encountered an error.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#184:LiveUpdate:45", "nwparser.payload", "LiveUpdate encountered an error.,Event time: %{fld17->} %{fld18}", processor_chain([ + dup86, + dup12, + dup13, + dup15, + dup188, + dup93, +])); + +var msg263 = msg("LiveUpdate:45", part320); + +var part321 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest AP Portal List update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" +match("MESSAGE#185:LiveUpdate:46", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest AP Portal List update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ + dup86, + dup12, + dup13, + dup15, + setc("event_description","The latest AP Portal List update failed to load."), +])); + +var msg264 = msg("LiveUpdate:46", part321); + +var part322 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest Centralized Reputation Settings update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" +match("MESSAGE#186:LiveUpdate:47", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Centralized Reputation Settings update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ + dup86, + dup12, + dup13, + dup15, + setc("event_description","The latest Centralized Reputation Settings update failed to load."), +])); + +var msg265 = msg("LiveUpdate:47", part322); + +var part323 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest Power Eraser Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" +match("MESSAGE#187:LiveUpdate:48", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Power Eraser Definitions update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ + dup86, + dup12, + dup13, + dup15, + setc("event_description","The latest Power Eraser Definitions update failed to load."), +])); + +var msg266 = msg("LiveUpdate:48", part323); + +var part324 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest Common Network Transport Library and Configuration update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" +match("MESSAGE#188:LiveUpdate:49", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Common Network Transport Library and Configuration update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ + dup86, + dup12, + dup13, + dup15, + setc("event_description","The latest Common Network Transport Library and Configuration update failed to load."), +])); + +var msg267 = msg("LiveUpdate:49", part324); + +var part325 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',LiveUpdate Manager,The latest Extended File Attributes and Signatures update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: '), Field(event_time_string,false)}" +match("MESSAGE#189:LiveUpdate:50", "nwparser.payload", "Category: %{fld22},LiveUpdate Manager,The latest Extended File Attributes and Signatures update failed to load. The component has no valid content and will not function correctly until it is updated.,Event time: %{event_time_string}", processor_chain([ + dup86, + dup12, + dup13, + dup15, + setc("event_description","The latest Extended File Attributes and Signatures update failed to load."), +])); + +var msg268 = msg("LiveUpdate:50", part325); + +var select54 = linear_select([ + msg219, + msg220, + msg221, + msg222, + msg223, + msg224, + msg225, + msg226, + msg227, + msg228, + msg229, + msg230, + msg231, + msg232, + msg233, + msg234, + msg235, + msg236, + msg237, + msg238, + msg239, + msg240, + msg241, + msg242, + msg243, + msg244, + msg245, + msg246, + msg247, + msg248, + msg249, + msg250, + msg251, + msg252, + msg253, + msg254, + msg255, + msg256, + msg257, + msg258, + msg259, + msg260, + msg261, + msg262, + msg263, + msg264, + msg265, + msg266, + msg267, + msg268, +]); + +var part326 = // "Pattern{Constant('Virus and Spyware Definitions were updated recently, so the scheduled LiveUpdate was skipped.'), Field(p0,false)}" +match("MESSAGE#179:LiveUpdate:40/0", "nwparser.payload", "Virus and Spyware Definitions were updated recently, so the scheduled LiveUpdate was skipped.%{p0}"); + +var select55 = linear_select([ + dup191, + dup91, +]); + +var all102 = all_match({ + processors: [ + part326, + select55, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","The scheduled LiveUpdate from LiveUpdate Manager was skipped."), + ]), +}); + +var msg269 = msg("LiveUpdate:40", all102); + +var part327 = // "Pattern{Constant('Virus Found..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,false), Constant('..Virus Name: '), Field(virusname,false), Constant('..Path: '), Field(filename,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" +match("MESSAGE#430:Virus", "nwparser.payload", "Virus Found..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Virus Name: %{virusname}..Path: %{filename}..Severity: %{severity}..Source: %{product}", processor_chain([ + dup110, + dup115, + dup116, + dup38, + dup152, + dup192, + dup15, + dup193, +])); + +var msg270 = msg("Virus", part327); + +var part328 = // "Pattern{Constant('Virus Found..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" +match("MESSAGE#431:Virus:01", "nwparser.payload", "Virus Found..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Severity: %{severity}..Source: %{product}", processor_chain([ + dup110, + dup192, + dup15, + dup193, +])); + +var msg271 = msg("Virus:01", part328); + +var part329 = // "Pattern{Constant('Virus Definition File Update..'), Field(fld4,false), Constant('..'), Field(fld5,false), Constant('..Update to computer '), Field(shost,true), Constant(' of virus definition file '), Field(fld6,true), Constant(' failed. Status '), Field(fld7,true), Constant(' ..'), Field(p0,false)}" +match("MESSAGE#432:Virus:02/0", "nwparser.payload", "Virus Definition File Update..%{fld4}..%{fld5}..Update to computer %{shost->} of virus definition file %{fld6->} failed. Status %{fld7->} ..%{p0}"); + +var part330 = // "Pattern{Constant('. '), Field(p0,false)}" +match("MESSAGE#432:Virus:02/1_0", "nwparser.p0", ". %{p0}"); + +var select56 = linear_select([ + part330, + dup194, +]); + +var part331 = // "Pattern{Constant(''), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld8,false)}" +match("MESSAGE#432:Virus:02/2", "nwparser.p0", "%{severity}..%{product}..%{fld8}"); + +var all103 = all_match({ + processors: [ + part329, + select56, + part331, + ], + on_success: processor_chain([ + dup43, + dup44, + dup45, + dup30, + dup25, + date_time({ + dest: "event_time", + args: ["fld5","fld8"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dP], + ], + }), + dup15, + dup195, + ]), +}); + +var msg272 = msg("Virus:02", all103); + +var part332 = // "Pattern{Constant('Virus Definition File Update..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false)}" +match("MESSAGE#433:Virus:03", "nwparser.payload", "Virus Definition File Update..%{shost}..%{fld5}..%{severity}..%{product}..%{fld6}", processor_chain([ + dup43, + dup44, + dup45, + dup30, + dup22, + dup192, + dup15, + dup195, +])); + +var msg273 = msg("Virus:03", part332); + +var part333 = // "Pattern{Constant('Virus Found..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(filename,false), Constant('.....'), Field(info,false), Constant('..'), Field(action,false), Constant('....'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false), Constant('..'), Field(username,false), Constant('..'), Field(virusname,false)}" +match("MESSAGE#434:Virus:09", "nwparser.payload", "Virus Found..%{shost}..%{fld5}..%{filename}.....%{info}..%{action}....%{severity}..%{product}..%{fld6}..%{username}..%{virusname}", processor_chain([ + dup110, + dup115, + dup116, + dup38, + dup152, + dup192, + dup15, + dup196, +])); + +var msg274 = msg("Virus:09", part333); + +var part334 = // "Pattern{Constant('Virus Found..'), Field(fld12,false), Constant('..'), Field(fld5,false), Constant('..'), Field(filename,false), Constant('..'), Field(info,false), Constant('..'), Field(action,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false), Constant('..'), Field(username,false), Constant('..'), Field(virusname,false)}" +match("MESSAGE#435:Virus:04", "nwparser.payload", "Virus Found..%{fld12}..%{fld5}..%{filename}..%{info}..%{action}..%{severity}..%{product}..%{fld6}..%{username}..%{virusname}", processor_chain([ + dup110, + dup115, + dup116, + dup38, + dup152, + dup192, + dup15, + dup196, +])); + +var msg275 = msg("Virus:04", part334); + +var part335 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(',0,Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false)}" +match("MESSAGE#436:Virus:12/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},0,Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}"); + +var all104 = all_match({ + processors: [ + dup197, + dup328, + part335, + ], + on_success: processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup152, + dup93, + dup153, + dup154, + dup15, + dup47, + dup200, + ]), +}); + +var msg276 = msg("Virus:12", all104); + +var part336 = // "Pattern{Constant('Virus found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(','), Field(p0,false)}" +match("MESSAGE#437:Virus:15/0", "nwparser.payload", "Virus found,IP Address: %{saddr},Computer name: %{shost},%{p0}"); + +var part337 = // "Pattern{Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(p0,false)}" +match("MESSAGE#437:Virus:15/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); + +var part338 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(url,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(filename,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(event_type,false)}" +match("MESSAGE#437:Virus:15/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{url},Web domain: %{fld45},Downloaded by: %{filename},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{event_type}"); + +var all105 = all_match({ + processors: [ + part336, + dup329, + part337, + dup328, + part338, + ], + on_success: processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup152, + dup93, + dup153, + dup154, + dup15, + dup47, + dup200, + ]), +}); + +var msg277 = msg("Virus:15", all105); + +var part339 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(','), Field(p0,false)}" +match("MESSAGE#438:Virus:13/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},%{p0}"); + +var all106 = all_match({ + processors: [ + dup197, + dup328, + part339, + dup330, + dup205, + dup331, + ], + on_success: processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup152, + dup93, + dup153, + dup154, + dup15, + dup47, + dup200, + ]), +}); + +var msg278 = msg("Virus:13", all106); + +var part340 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false)}" +match("MESSAGE#439:Virus:10/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}"); + +var all107 = all_match({ + processors: [ + dup197, + dup328, + part340, + ], + on_success: processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup152, + dup93, + dup153, + dup154, + dup15, + dup47, + dup200, + ]), +}); + +var msg279 = msg("Virus:10", all107); + +var part341 = // "Pattern{Constant('"'), Field(fld22,false), Constant('",Actual action: '), Field(p0,false)}" +match("MESSAGE#440:Virus:14/1_0", "nwparser.p0", "\"%{fld22}\",Actual action: %{p0}"); + +var part342 = // "Pattern{Field(fld22,false), Constant(',Actual action: '), Field(p0,false)}" +match("MESSAGE#440:Virus:14/1_1", "nwparser.p0", "%{fld22},Actual action: %{p0}"); + +var select57 = linear_select([ + part341, + part342, +]); + +var part343 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld58,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false)}" +match("MESSAGE#440:Virus:14/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},First Seen: %{fld50},Sensitivity: %{fld58},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}"); + +var all108 = all_match({ + processors: [ + dup208, + select57, + part343, + ], + on_success: processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup152, + dup132, + dup93, + dup153, + dup154, + dup15, + dup47, + dup200, + ]), +}); + +var msg280 = msg("Virus:14", all108); + +var all109 = all_match({ + processors: [ + dup208, + dup332, + dup151, + ], + on_success: processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup152, + dup132, + dup93, + dup153, + dup154, + dup15, + dup47, + dup200, + ]), +}); + +var msg281 = msg("Virus:05", all109); + +var part344 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',"Group: '), Field(group,false), Constant('",Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" +match("MESSAGE#442:Virus:11/2", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},\"Group: %{group}\",Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); + +var all110 = all_match({ + processors: [ + dup208, + dup332, + part344, + ], + on_success: processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup152, + dup132, + dup93, + dup153, + dup154, + dup15, + dup47, + dup200, + ]), +}); + +var msg282 = msg("Virus:11", all110); + +var part345 = // "Pattern{Constant('Virus Found..Computer: '), Field(shost,false), Constant('..'), Field(p0,false)}" +match("MESSAGE#443:Virus:06/0", "nwparser.payload", "Virus Found..Computer: %{shost}..%{p0}"); + +var part346 = // "Pattern{Constant('Date: '), Field(fld5,false), Constant('..File Path:'), Field(p0,false)}" +match("MESSAGE#443:Virus:06/1_0", "nwparser.p0", "Date: %{fld5}..File Path:%{p0}"); + +var part347 = // "Pattern{Field(fld5,false), Constant('..File Path:'), Field(p0,false)}" +match("MESSAGE#443:Virus:06/1_1", "nwparser.p0", "%{fld5}..File Path:%{p0}"); + +var select58 = linear_select([ + part346, + part347, +]); + +var part348 = // "Pattern{Field(filename,false), Constant('..'), Field(info,false), Constant('..Requested Action:'), Field(action,false), Constant('..Severity:'), Field(severity,false), Constant('..Source:'), Field(product,false), Constant('..Time:'), Field(fld6,false), Constant('..User:'), Field(username,false)}" +match("MESSAGE#443:Virus:06/2", "nwparser.p0", "%{filename}..%{info}..Requested Action:%{action}..Severity:%{severity}..Source:%{product}..Time:%{fld6}..User:%{username}"); + +var all111 = all_match({ + processors: [ + part345, + select58, + part348, + ], + on_success: processor_chain([ + dup110, + dup115, + dup116, + dup38, + dup192, + dup15, + dup196, + ]), +}); + +var msg283 = msg("Virus:06", all111); + +var part349 = // "Pattern{Field(fld1,true), Constant(' Virus Found '), Field(shost,true), Constant(' '), Field(fld5,true), Constant(' '), Field(filename,true), Constant(' Forward from '), Field(info,true), Constant(' '), Field(action,true), Constant(' '), Field(severity,true), Constant(' '), Field(product,true), Constant(' Edition '), Field(version,true), Constant(' '), Field(virusname,false)}" +match("MESSAGE#444:Virus:07", "nwparser.payload", "%{fld1->} Virus Found %{shost->} %{fld5->} %{filename->} Forward from %{info->} %{action->} %{severity->} %{product->} Edition %{version->} %{virusname}", processor_chain([ + dup110, + dup115, + dup116, + dup38, + dup152, + dup15, + dup132, + dup196, +])); + +var msg284 = msg("Virus:07", part349); + +var part350 = // "Pattern{Field(product,true), Constant(' definitions '), Field(info,false)}" +match("MESSAGE#445:Virus:08", "nwparser.payload", "%{product->} definitions %{info}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Product successfully updated."), +])); + +var msg285 = msg("Virus:08", part350); + +var select59 = linear_select([ + msg269, + msg270, + msg271, + msg272, + msg273, + msg274, + msg275, + msg276, + msg277, + msg278, + msg279, + msg280, + msg281, + msg282, + msg283, + msg284, + msg285, +]); + +var part351 = // "Pattern{Field(shost,false), Constant(', Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#216:Local:01", "nwparser.payload", "%{shost}, Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ + dup53, + dup12, + dup15, + dup40, +])); + +var msg286 = msg("Local:01", part351); + +var part352 = // "Pattern{Constant('Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#217:Local:02", "nwparser.payload", "Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}", processor_chain([ + dup53, + dup12, + dup13, + dup15, + dup40, +])); + +var msg287 = msg("Local:02", part352); + +var select60 = linear_select([ + msg286, + msg287, +]); + +var part353 = // "Pattern{Constant('Location has been '), Field(p0,false)}" +match("MESSAGE#218:Location/0", "nwparser.payload", "Location has been %{p0}"); + +var part354 = // "Pattern{Constant('changed '), Field(p0,false)}" +match("MESSAGE#218:Location/1_0", "nwparser.p0", "changed %{p0}"); + +var part355 = // "Pattern{Constant('switched'), Field(p0,false)}" +match("MESSAGE#218:Location/1_1", "nwparser.p0", "switched%{p0}"); + +var select61 = linear_select([ + part354, + part355, +]); + +var part356 = // "Pattern{Field(,false), Constant('to '), Field(p0,false)}" +match("MESSAGE#218:Location/2", "nwparser.p0", "%{}to %{p0}"); + +var all112 = all_match({ + processors: [ + part353, + select61, + part356, + dup333, + ], + on_success: processor_chain([ + dup136, + dup94, + dup13, + dup30, + dup97, + dup22, + dup14, + dup15, + dup93, + setc("event_description","Location has been changed or switched"), + ]), +}); + +var msg288 = msg("Location", all112); + +var part357 = // "Pattern{Field(event_description,false)}" +match_copy("MESSAGE#219:LUALL", "nwparser.payload", "event_description", processor_chain([ + dup43, + dup12, + dup13, + dup15, +])); + +var msg289 = msg("LUALL", part357); + +var part358 = // "Pattern{Constant('Management server started up successfully'), Field(,false)}" +match("MESSAGE#220:Management", "nwparser.payload", "Management server started up successfully%{}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Management server started up successfully."), +])); + +var msg290 = msg("Management", part358); + +var part359 = // "Pattern{Constant('Management server shut down gracefully'), Field(,false)}" +match("MESSAGE#221:Management:01", "nwparser.payload", "Management server shut down gracefully%{}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Management server shut down gracefully"), +])); + +var msg291 = msg("Management:01", part359); + +var part360 = // "Pattern{Constant('Management Server has detected and ignored one or more duplicate entries.Please check the following entries in your directory server:'), Field(fld12,false)}" +match("MESSAGE#222:Management:02", "nwparser.payload", "Management Server has detected and ignored one or more duplicate entries.Please check the following entries in your directory server:%{fld12}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Management Server has detected and ignored one or more duplicate entries."), +])); + +var msg292 = msg("Management:02", part360); + +var select62 = linear_select([ + msg290, + msg291, + msg292, +]); + +var part361 = // "Pattern{Constant('management server received the client log successfully,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" +match("MESSAGE#223:management", "nwparser.payload", "management server received the client log successfully,%{shost},%{username},%{group}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + setc("event_description","The management server received the client log successfully."), +])); + +var msg293 = msg("management", part361); + +var part362 = // "Pattern{Constant('management server received a report that the client computer changed its hardware identity,'), Field(shost,false), Constant(','), Field(username,false), Constant(','), Field(group,false)}" +match("MESSAGE#224:management:01", "nwparser.payload", "management server received a report that the client computer changed its hardware identity,%{shost},%{username},%{group}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + setc("event_description","The management server received a report that the client computer changed its hardware identity."), +])); + +var msg294 = msg("management:01", part362); + +var select63 = linear_select([ + msg293, + msg294, +]); + +var part363 = // "Pattern{Constant('Network Threat Protection --'), Field(p0,false)}" +match("MESSAGE#225:Network/0", "nwparser.payload", "Network Threat Protection --%{p0}"); + +var part364 = // "Pattern{Constant('-- Engine version'), Field(p0,false)}" +match("MESSAGE#225:Network/1_0", "nwparser.p0", "-- Engine version%{p0}"); + +var part365 = // "Pattern{Constant(' Engine version'), Field(p0,false)}" +match("MESSAGE#225:Network/1_1", "nwparser.p0", " Engine version%{p0}"); + +var select64 = linear_select([ + part364, + part365, +]); + +var part366 = // "Pattern{Field(,false), Constant(': '), Field(version,true), Constant(' Windows Version info: Operating System: '), Field(os,true), Constant(' Network info:'), Field(info,false)}" +match("MESSAGE#225:Network/2", "nwparser.p0", "%{}: %{version->} Windows Version info: Operating System: %{os->} Network info:%{info}"); + +var all113 = all_match({ + processors: [ + part363, + select64, + part366, + ], + on_success: processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Network Threat Protection information."), + ]), +}); + +var msg295 = msg("Network", all113); + +var part367 = // "Pattern{Constant('Network Threat Protection has been activated'), Field(,false)}" +match("MESSAGE#226:Network:01", "nwparser.payload", "Network Threat Protection has been activated%{}", processor_chain([ + dup213, + dup12, + dup13, + dup30, + dup97, + dup22, + dup14, + dup15, + setc("event_description","Network Threat Protection has been activated"), +])); + +var msg296 = msg("Network:01", part367); + +var part368 = // "Pattern{Constant('Network Threat Protection applied a new IPS '), Field(p0,false)}" +match("MESSAGE#227:Network:02/0", "nwparser.payload", "Network Threat Protection applied a new IPS %{p0}"); + +var part369 = // "Pattern{Constant('Library'), Field(p0,false)}" +match("MESSAGE#227:Network:02/1_0", "nwparser.p0", "Library%{p0}"); + +var part370 = // "Pattern{Constant('library'), Field(p0,false)}" +match("MESSAGE#227:Network:02/1_1", "nwparser.p0", "library%{p0}"); + +var select65 = linear_select([ + part369, + part370, +]); + +var part371 = // "Pattern{Field(,false), Constant('.')}" +match("MESSAGE#227:Network:02/2", "nwparser.p0", "%{}."); + +var all114 = all_match({ + processors: [ + part368, + select65, + part371, + ], + on_success: processor_chain([ + dup110, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Network Threat Protection applied a new IPS Library."), + ]), +}); + +var msg297 = msg("Network:02", all114); + +var part372 = // "Pattern{Constant('The Network Threat Protection already has the newest policy.'), Field(,false)}" +match("MESSAGE#228:Network:03", "nwparser.payload", "The Network Threat Protection already has the newest policy.%{}", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","The Network Threat Protection already has the newest policy."), +])); + +var msg298 = msg("Network:03", part372); + +var part373 = // "Pattern{Constant('The Network Threat Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager.'), Field(,false)}" +match("MESSAGE#229:Network:04", "nwparser.payload", "The Network Threat Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager.%{}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","The Network Threat Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager."), +])); + +var msg299 = msg("Network:04", part373); + +var part374 = // "Pattern{Constant('Network Threat Protection's firewall and Intrusion Prevention features are disabled'), Field(,false)}" +match("MESSAGE#230:Network:05", "nwparser.payload", "Network Threat Protection's firewall and Intrusion Prevention features are disabled%{}", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Network Threat Protection's firewall and Intrusion Prevention features are disabled"), +])); + +var msg300 = msg("Network:05", part374); + +var part375 = // "Pattern{Constant('The Network Threat Protection is unable to communicate with the Symantec Endpoint Protection Manager.'), Field(,false)}" +match("MESSAGE#231:Network:06", "nwparser.payload", "The Network Threat Protection is unable to communicate with the Symantec Endpoint Protection Manager.%{}", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","The Network Threat Protection is unable to communicate with the Symantec Endpoint Protection Manager."), +])); + +var msg301 = msg("Network:06", part375); + +var part376 = // "Pattern{Constant('Network Audit Search Unagented Hosts Started'), Field(,false)}" +match("MESSAGE#232:Network:07", "nwparser.payload", "Network Audit Search Unagented Hosts Started%{}", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Network Audit Search Unagented Hosts Started."), +])); + +var msg302 = msg("Network:07", part376); + +var part377 = // "Pattern{Constant('Network Audit Search Unagented Hosts From NST Finished Abnormally'), Field(,false)}" +match("MESSAGE#233:Network:08", "nwparser.payload", "Network Audit Search Unagented Hosts From NST Finished Abnormally%{}", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + dup214, +])); + +var msg303 = msg("Network:08", part377); + +var part378 = // "Pattern{Constant('Network Audit Search Unagented Hosts From NST Finished Normally'), Field(,false)}" +match("MESSAGE#234:Network:09", "nwparser.payload", "Network Audit Search Unagented Hosts From NST Finished Normally%{}", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + dup214, +])); + +var msg304 = msg("Network:09", part378); + +var part379 = // "Pattern{Constant('Network Audit Client Remote Pushing Install Started'), Field(,false)}" +match("MESSAGE#235:Network:10", "nwparser.payload", "Network Audit Client Remote Pushing Install Started%{}", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Network Audit Client Remote Pushing Install Started."), +])); + +var msg305 = msg("Network:10", part379); + +var part380 = // "Pattern{Constant('Network Audit Client Remote Pushing Install Finished Normally'), Field(,false)}" +match("MESSAGE#236:Network:11", "nwparser.payload", "Network Audit Client Remote Pushing Install Finished Normally%{}", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Network Audit Client Remote Pushing Install Finished Normally."), +])); + +var msg306 = msg("Network:11", part380); + +var part381 = // "Pattern{Constant('Network Intrusion Prevention is malfunctioning, '), Field(result,false), Constant('"')}" +match("MESSAGE#237:Network:12", "nwparser.payload", "Network Intrusion Prevention is malfunctioning, %{result}\"", processor_chain([ + dup92, + dup12, + dup13, + dup187, + dup14, + dup15, + dup215, +])); + +var msg307 = msg("Network:12", part381); + +var part382 = // "Pattern{Constant('Category: '), Field(fld11,false), Constant(',Network Intrusion Protection Sys,Browser Intrusion Prevention is malfunctioning. Browser type: '), Field(obj_name,false), Constant('.Try to update the signatures Browser path: '), Field(filename,false)}" +match("MESSAGE#238:Network:13", "nwparser.payload", "Category: %{fld11},Network Intrusion Protection Sys,Browser Intrusion Prevention is malfunctioning. Browser type: %{obj_name}.Try to update the signatures Browser path: %{filename}", processor_chain([ + dup92, + dup12, + dup13, + dup187, + dup14, + dup15, + setc("event_description","Browser Intrusion Prevention is malfunctioning."), +])); + +var msg308 = msg("Network:13", part382); + +var part383 = // "Pattern{Constant('Network Intrusion Prevention and Browser Intrusion Prevention are malfunctioning because their content is not installed. The IPS content is going to be installed automatically'), Field(,false)}" +match("MESSAGE#241:Network:16", "nwparser.payload", "Network Intrusion Prevention and Browser Intrusion Prevention are malfunctioning because their content is not installed. The IPS content is going to be installed automatically%{}", processor_chain([ + dup92, + dup12, + dup13, + dup187, + dup14, + dup15, + setc("event_description","Network Intrusion Prevention and Browser Intrusion Prevention are malfunctioning because their content is not installed."), +])); + +var msg309 = msg("Network:16", part383); + +var part384 = // "Pattern{Constant('Network Intrusion Prevention is malfunctioning'), Field(,false)}" +match("MESSAGE#242:Network:17", "nwparser.payload", "Network Intrusion Prevention is malfunctioning%{}", processor_chain([ + dup92, + dup12, + dup13, + dup187, + dup14, + dup15, + dup215, +])); + +var msg310 = msg("Network:17", part384); + +var part385 = // "Pattern{Constant('Network Intrusion Prevention is not protecting machine because its driver was unloaded'), Field(,false)}" +match("MESSAGE#243:Network:18", "nwparser.payload", "Network Intrusion Prevention is not protecting machine because its driver was unloaded%{}", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Network Intrusion Prevention is not protecting machine because its driver was unloaded"), +])); + +var msg311 = msg("Network:18", part385); + +var part386 = // "Pattern{Constant('Network Threat Protection's firewall is disabled by policy'), Field(,false)}" +match("MESSAGE#244:Network:19", "nwparser.payload", "Network Threat Protection's firewall is disabled by policy%{}", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Network Threat Protection's firewall is disabled"), +])); + +var msg312 = msg("Network:19", part386); + +var part387 = // "Pattern{Field(service,true), Constant(' has been restored and '), Field(result,false)}" +match("MESSAGE#246:Network:21", "nwparser.payload", "%{service->} has been restored and %{result}", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Network Intrusion Prevention has been restored"), +])); + +var msg313 = msg("Network:21", part387); + +var part388 = // "Pattern{Field(service,true), Constant(' is not protecting machine because its driver was disabled,Event time: '), Field(event_time_string,false)}" +match("MESSAGE#247:Network:33", "nwparser.payload", "%{service->} is not protecting machine because its driver was disabled,Event time: %{event_time_string}", processor_chain([ + dup86, + dup12, + dup13, + dup15, + setc("event_description","Network Intrusion Prevention is not protecting machine because its driver was disabled"), +])); + +var msg314 = msg("Network:33", part388); + +var part389 = // "Pattern{Constant('Network Threat Protection's firewall is enabled'), Field(p0,false)}" +match("MESSAGE#251:Network:25/0", "nwparser.payload", "Network Threat Protection's firewall is enabled%{p0}"); + +var all115 = all_match({ + processors: [ + part389, + dup318, + ], + on_success: processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","Network Threat Protection's firewall is enabled"), + ]), +}); + +var msg315 = msg("Network:25", all115); + +var part390 = // "Pattern{Constant('Network Intrusion Prevention disabled'), Field(p0,false)}" +match("MESSAGE#253:Network:27/0", "nwparser.payload", "Network Intrusion Prevention disabled%{p0}"); + +var all116 = all_match({ + processors: [ + part390, + dup334, + ], + on_success: processor_chain([ + dup92, + dup94, + dup13, + dup14, + dup15, + setc("event_description","Network Intrusion Prevention disabled"), + ]), +}); + +var msg316 = msg("Network:27", all116); + +var part391 = // "Pattern{Constant('Network Intrusion Prevention enabled'), Field(p0,false)}" +match("MESSAGE#254:Network:28/0", "nwparser.payload", "Network Intrusion Prevention enabled%{p0}"); + +var all117 = all_match({ + processors: [ + part391, + dup318, + ], + on_success: processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","Network Intrusion Prevention enabled"), + ]), +}); + +var msg317 = msg("Network:28", all117); + +var part392 = // "Pattern{Constant('Network Audit Client Remote Pushing Install Finished Abnormally in Pusing Stage'), Field(,false)}" +match("MESSAGE#257:Network:30", "nwparser.payload", "Network Audit Client Remote Pushing Install Finished Abnormally in Pusing Stage%{}", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Network Audit Client Remote Pushing Install Finished Abnormally in Pusing Stage"), +])); + +var msg318 = msg("Network:30", part392); + +var select66 = linear_select([ + msg295, + msg296, + msg297, + msg298, + msg299, + msg300, + msg301, + msg302, + msg303, + msg304, + msg305, + msg306, + msg307, + msg308, + msg309, + msg310, + msg311, + msg312, + msg313, + msg314, + msg315, + msg316, + msg317, + msg318, +]); + +var part393 = // "Pattern{Constant('Firefox Browser Intrusion Prevention is malfunctioning'), Field(,false)}" +match("MESSAGE#239:Network:14", "nwparser.payload", "Firefox Browser Intrusion Prevention is malfunctioning%{}", processor_chain([ + dup92, + dup12, + dup13, + dup187, + dup14, + dup15, + setc("event_description","Firefox Browser Intrusion Prevention is malfunctioning."), +])); + +var msg319 = msg("Network:14", part393); + +var part394 = // "Pattern{Constant('Firefox Browser Intrusion Prevention disabled'), Field(p0,false)}" +match("MESSAGE#245:Network:20/0", "nwparser.payload", "Firefox Browser Intrusion Prevention disabled%{p0}"); + +var all118 = all_match({ + processors: [ + part394, + dup334, + ], + on_success: processor_chain([ + dup92, + dup94, + dup13, + dup14, + dup15, + setc("event_description","Firefox Browser Intrusion Prevention disabled"), + ]), +}); + +var msg320 = msg("Network:20", all118); + +var part395 = // "Pattern{Constant('Firefox Browser Intrusion Prevention enabled'), Field(p0,false)}" +match("MESSAGE#252:Network:26/0", "nwparser.payload", "Firefox Browser Intrusion Prevention enabled%{p0}"); + +var all119 = all_match({ + processors: [ + part395, + dup318, + ], + on_success: processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","Firefox Browser Intrusion Prevention enabled"), + ]), +}); + +var msg321 = msg("Network:26", all119); + +var select67 = linear_select([ + msg319, + msg320, + msg321, +]); + +var part396 = // "Pattern{Constant('Internet Explorer Browser Intrusion Prevention is malfunctioning'), Field(,false)}" +match("MESSAGE#240:Network:15", "nwparser.payload", "Internet Explorer Browser Intrusion Prevention is malfunctioning%{}", processor_chain([ + dup92, + dup12, + dup13, + dup187, + dup14, + dup15, + setc("event_description","Internet Explorer Browser Intrusion Prevention is malfunctioning."), +])); + +var msg322 = msg("Network:15", part396); + +var part397 = // "Pattern{Constant('Internet Explorer Browser Intrusion Prevention enabled'), Field(p0,false)}" +match("MESSAGE#248:Network:22/0", "nwparser.payload", "Internet Explorer Browser Intrusion Prevention enabled%{p0}"); + +var all120 = all_match({ + processors: [ + part397, + dup318, + ], + on_success: processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","Internet Explorer Browser Intrusion Prevention enabled"), + ]), +}); + +var msg323 = msg("Network:22", all120); + +var part398 = // "Pattern{Constant('Internet Explorer Browser Intrusion Prevention disabled'), Field(p0,false)}" +match("MESSAGE#249:Network:23/0", "nwparser.payload", "Internet Explorer Browser Intrusion Prevention disabled%{p0}"); + +var all121 = all_match({ + processors: [ + part398, + dup334, + ], + on_success: processor_chain([ + dup92, + dup94, + dup13, + dup14, + dup15, + setc("event_description","Internet Explorer Browser Intrusion Prevention disabled"), + ]), +}); + +var msg324 = msg("Network:23", all121); + +var select68 = linear_select([ + msg322, + msg323, + msg324, +]); + +var part399 = // "Pattern{Constant('Generic Exploit Mitigation '), Field(p0,false)}" +match("MESSAGE#255:Network:29/0", "nwparser.payload", "Generic Exploit Mitigation %{p0}"); + +var part400 = // "Pattern{Constant('enabled'), Field(p0,false)}" +match("MESSAGE#255:Network:29/1_0", "nwparser.p0", "enabled%{p0}"); + +var part401 = // "Pattern{Constant('disabled'), Field(p0,false)}" +match("MESSAGE#255:Network:29/1_1", "nwparser.p0", "disabled%{p0}"); + +var part402 = // "Pattern{Constant('is malfunctioning'), Field(p0,false)}" +match("MESSAGE#255:Network:29/1_2", "nwparser.p0", "is malfunctioning%{p0}"); + +var select69 = linear_select([ + part400, + part401, + part402, +]); + +var part403 = // "Pattern{Constant(',Event time: '), Field(event_time_string,false)}" +match("MESSAGE#255:Network:29/2", "nwparser.p0", ",Event time: %{event_time_string}"); + +var all122 = all_match({ + processors: [ + part399, + select69, + part403, + ], + on_success: processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + dup217, + ]), +}); + +var msg325 = msg("Network:29", all122); + +var part404 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Generic Exploit Mitigation Syste,Already running process (PID:'), Field(process_id,false), Constant(') ''), Field(process,false), Constant('' is affected by a change to the application rules.,Event time: '), Field(event_time_string,false)}" +match("MESSAGE#256:Network:31", "nwparser.payload", "Category: %{fld22},Generic Exploit Mitigation Syste,Already running process (PID:%{process_id}) '%{process}' is affected by a change to the application rules.,Event time: %{event_time_string}", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + dup217, +])); + +var msg326 = msg("Network:31", part404); + +var select70 = linear_select([ + msg325, + msg326, +]); + +var part405 = // "Pattern{Field(event_description,false), Constant(',Event time: '), Field(event_time_string,false)}" +match("MESSAGE#258:Network:32", "nwparser.payload", "%{event_description},Event time: %{event_time_string}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, +])); + +var msg327 = msg("Network:32", part405); + +var part406 = // "Pattern{Constant('New virus definition file loaded. Version: '), Field(p0,false)}" +match("MESSAGE#259:New/0", "nwparser.payload", "New virus definition file loaded. Version: %{p0}"); + +var part407 = // "Pattern{Field(version,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#259:New/1_0", "nwparser.p0", "%{version},Event time:%{fld17->} %{fld18}"); + +var part408 = // "Pattern{Field(version,false)}" +match_copy("MESSAGE#259:New/1_1", "nwparser.p0", "version"); + +var select71 = linear_select([ + part407, + part408, +]); + +var all123 = all_match({ + processors: [ + part406, + select71, + ], + on_success: processor_chain([ + dup92, + dup12, + dup13, + dup44, + dup45, + dup30, + dup22, + dup14, + dup15, + dup93, + setc("event_description","New virus definition file loaded."), + ]), +}); + +var msg328 = msg("New", all123); + +var part409 = // "Pattern{Constant('New Value ''), Field(change_attribute,false), Constant('' = ''), Field(change_new,false), Constant('''), Field(p0,false)}" +match("MESSAGE#260:New:01/0", "nwparser.payload", "New Value '%{change_attribute}' = '%{change_new}'%{p0}"); + +var all124 = all_match({ + processors: [ + part409, + dup318, + ], + on_success: processor_chain([ + dup95, + dup12, + dup13, + dup30, + dup97, + dup22, + dup14, + dup137, + dup15, + dup93, + setc("event_description","New value"), + ]), +}); + +var msg329 = msg("New:01", all124); + +var part410 = // "Pattern{Constant('New AgentGUID = '), Field(fld22,false)}" +match("MESSAGE#261:New:02", "nwparser.payload", "New AgentGUID = %{fld22}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup137, + dup15, + setc("event_description","New AgentGUID"), +])); + +var msg330 = msg("New:02", part410); + +var part411 = // "Pattern{Constant('New policy has been imported.'), Field(,false)}" +match("MESSAGE#262:New:03", "nwparser.payload", "New policy has been imported.%{}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup137, + dup15, + setc("event_description","New policy has been imported."), +])); + +var msg331 = msg("New:03", part411); + +var part412 = // "Pattern{Constant('New content update failed to download from the management server. Remote file path: '), Field(p0,false)}" +match("MESSAGE#263:New:04/0", "nwparser.payload", "New content update failed to download from the management server. Remote file path: %{p0}"); + +var part413 = // "Pattern{Field(url,false), Constant(',Event time: '), Field(event_time_string,false)}" +match("MESSAGE#263:New:04/1_0", "nwparser.p0", "%{url},Event time: %{event_time_string}"); + +var select72 = linear_select([ + part413, + dup64, +]); + +var all125 = all_match({ + processors: [ + part412, + select72, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup137, + dup15, + setc("event_description","New content update failed to download from the management server"), + ]), +}); + +var msg332 = msg("New:04", all125); + +var part414 = // "Pattern{Constant('New content update failed to download from Group Update Provider. Remote file path: '), Field(url,false)}" +match("MESSAGE#264:New:05", "nwparser.payload", "New content update failed to download from Group Update Provider. Remote file path: %{url}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup137, + dup15, + setc("event_description","New content update failed to download from Group Update Provider"), +])); + +var msg333 = msg("New:05", part414); + +var select73 = linear_select([ + msg328, + msg329, + msg330, + msg331, + msg332, + msg333, +]); + +var part415 = // "Pattern{Constant('No '), Field(virusname,true), Constant(' virus found events got swept.')}" +match("MESSAGE#265:No", "nwparser.payload", "No %{virusname->} virus found events got swept.", processor_chain([ + dup43, + dup12, + dup13, + dup152, + dup14, + dup15, + setc("event_description","No virus found events got swept."), +])); + +var msg334 = msg("No", part415); + +var part416 = // "Pattern{Constant('No clients got swept.'), Field(,false)}" +match("MESSAGE#266:No:01", "nwparser.payload", "No clients got swept.%{}", processor_chain([ + dup43, + dup15, + setc("event_description","No clients got swept."), +])); + +var msg335 = msg("No:01", part416); + +var part417 = // "Pattern{Constant('No objects got swept.'), Field(,false)}" +match("MESSAGE#267:No:02", "nwparser.payload", "No objects got swept.%{}", processor_chain([ + dup43, + dup15, + dup218, +])); + +var msg336 = msg("No:02", part417); + +var part418 = // "Pattern{Constant('No clients got swept [Domain: '), Field(sdomain,false), Constant('].')}" +match("MESSAGE#268:No:06", "nwparser.payload", "No clients got swept [Domain: %{sdomain}].", processor_chain([ + dup43, + dup12, + dup13, + dup15, + dup218, +])); + +var msg337 = msg("No:06", part418); + +var part419 = // "Pattern{Constant('No old risk events got swept.'), Field(,false)}" +match("MESSAGE#269:No:03", "nwparser.payload", "No old risk events got swept.%{}", processor_chain([ + dup43, + dup15, + setc("event_description","No old risk events got swept."), +])); + +var msg338 = msg("No:03", part419); + +var part420 = // "Pattern{Constant('No physical files got swept.'), Field(,false)}" +match("MESSAGE#270:No:04", "nwparser.payload", "No physical files got swept.%{}", processor_chain([ + dup43, + dup15, + setc("event_description","No physical files got swept."), +])); + +var msg339 = msg("No:04", part420); + +var part421 = // "Pattern{Constant('No risk events from deleted clients got swept.'), Field(,false)}" +match("MESSAGE#271:No:05", "nwparser.payload", "No risk events from deleted clients got swept.%{}", processor_chain([ + dup43, + dup15, + setc("event_description","No risk events from deleted clients got swept."), +])); + +var msg340 = msg("No:05", part421); + +var part422 = // "Pattern{Constant('No updates found for '), Field(application,false), Constant('.')}" +match("MESSAGE#272:No:07", "nwparser.payload", "No updates found for %{application}.", processor_chain([ + dup43, + dup12, + dup13, + dup15, + setc("event_description","No updates found."), +])); + +var msg341 = msg("No:07", part422); + +var select74 = linear_select([ + msg334, + msg335, + msg336, + msg337, + msg338, + msg339, + msg340, + msg341, +]); + +var part423 = // "Pattern{Constant('Organization Unit or Container importing finished successfully'), Field(,false)}" +match("MESSAGE#273:Organization:03", "nwparser.payload", "Organization Unit or Container importing finished successfully%{}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Organization Unit or Container importing finished successfully"), +])); + +var msg342 = msg("Organization:03", part423); + +var part424 = // "Pattern{Constant('Organization Unit or Container importing started'), Field(,false)}" +match("MESSAGE#274:Organization:02", "nwparser.payload", "Organization Unit or Container importing started%{}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Organization Unit or Container importing started."), +])); + +var msg343 = msg("Organization:02", part424); + +var part425 = // "Pattern{Constant('Organization importing finished successfully'), Field(,false)}" +match("MESSAGE#275:Organization:01", "nwparser.payload", "Organization importing finished successfully%{}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + dup219, +])); + +var msg344 = msg("Organization:01", part425); + +var part426 = // "Pattern{Constant('Organization importing started'), Field(,false)}" +match("MESSAGE#276:Organization", "nwparser.payload", "Organization importing started%{}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + dup220, +])); + +var msg345 = msg("Organization", part426); + +var select75 = linear_select([ + msg342, + msg343, + msg344, + msg345, +]); + +var part427 = // "Pattern{Constant('Number of '), Field(virusname,true), Constant(' virus found events swept: '), Field(dclass_counter1,false)}" +match("MESSAGE#277:Number:01", "nwparser.payload", "Number of %{virusname->} virus found events swept: %{dclass_counter1}", processor_chain([ + dup43, + dup152, + dup15, + setc("event_description","Number of virus found events swept."), + setc("dclass_counter1_string","Virus found events swept count."), +])); + +var msg346 = msg("Number:01", part427); + +var part428 = // "Pattern{Constant('Number of virus definition records swept: '), Field(dclass_counter1,false)}" +match("MESSAGE#278:Number", "nwparser.payload", "Number of virus definition records swept: %{dclass_counter1}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Number of virus definition records swept."), + setc("dclass_counter1_string","Virus definition records swept."), +])); + +var msg347 = msg("Number", part428); + +var part429 = // "Pattern{Constant('Number of scan events swept: '), Field(dclass_counter1,false)}" +match("MESSAGE#279:Number:02", "nwparser.payload", "Number of scan events swept: %{dclass_counter1}", processor_chain([ + dup43, + dup15, + setc("event_description","Number of scan events swept."), + setc("dclass_counter1_string","scan events swept"), +])); + +var msg348 = msg("Number:02", part429); + +var part430 = // "Pattern{Constant('Number of clients swept: '), Field(dclass_counter1,false)}" +match("MESSAGE#280:Number:04", "nwparser.payload", "Number of clients swept: %{dclass_counter1}", processor_chain([ + dup43, + dup12, + dup13, + dup15, + setc("event_description","Number of clients swept."), + setc("dclass_counter1_string","clients swept"), +])); + +var msg349 = msg("Number:04", part430); + +var part431 = // "Pattern{Constant('Number of old risk events swept: '), Field(dclass_counter1,false)}" +match("MESSAGE#281:Number:05", "nwparser.payload", "Number of old risk events swept: %{dclass_counter1}", processor_chain([ + dup43, + dup12, + dup13, + dup15, + setc("event_description","Number of old risk events swept."), + setc("dclass_counter1_string","old risk events swept"), +])); + +var msg350 = msg("Number:05", part431); + +var part432 = // "Pattern{Constant('Number of unacknowledged notifications swept: '), Field(dclass_counter1,false)}" +match("MESSAGE#282:Number:06", "nwparser.payload", "Number of unacknowledged notifications swept: %{dclass_counter1}", processor_chain([ + dup43, + dup12, + dup13, + dup15, + setc("event_description","Number of unacknowledged notification swept."), + setc("dclass_counter1_string","unacknowledged notifications swept"), +])); + +var msg351 = msg("Number:06", part432); + +var part433 = // "Pattern{Constant('Number of objects swept: '), Field(dclass_counter1,false)}" +match("MESSAGE#283:Number:07", "nwparser.payload", "Number of objects swept: %{dclass_counter1}", processor_chain([ + dup43, + dup12, + dup13, + dup15, + setc("event_description","Number of objects swept."), + setc("dclass_counter1_string","Number of objects swept"), +])); + +var msg352 = msg("Number:07", part433); + +var part434 = // "Pattern{Constant('Number of risk events from deleted clients swept: '), Field(dclass_counter1,false)}" +match("MESSAGE#284:Number:08", "nwparser.payload", "Number of risk events from deleted clients swept: %{dclass_counter1}", processor_chain([ + dup43, + dup12, + dup13, + dup15, + setc("event_description","Number of risk events swept."), + setc("dclass_counter1_string","Deleted clients swept"), +])); + +var msg353 = msg("Number:08", part434); + +var part435 = // "Pattern{Constant('Number of old risk events compressed: '), Field(dclass_counter1,false)}" +match("MESSAGE#285:Number:09", "nwparser.payload", "Number of old risk events compressed: %{dclass_counter1}", processor_chain([ + dup43, + dup12, + dup13, + dup15, + setc("event_description","Number of old risk events compressed."), + setc("dclass_counter1_string","old risk events compressed"), +])); + +var msg354 = msg("Number:09", part435); + +var part436 = // "Pattern{Constant('Number of compressed risk events swept: '), Field(dclass_counter1,false)}" +match("MESSAGE#286:Number:10", "nwparser.payload", "Number of compressed risk events swept: %{dclass_counter1}", processor_chain([ + dup43, + dup12, + dup13, + dup15, + setc("event_description","Number of compressed risk events swept."), + setc("dclass_counter1_string","compressed risk events swept"), +])); + +var msg355 = msg("Number:10", part436); + +var part437 = // "Pattern{Constant('Number of '), Field(info,true), Constant(' in the policy: '), Field(p0,false)}" +match("MESSAGE#287:Number:11/0", "nwparser.payload", "Number of %{info->} in the policy: %{p0}"); + +var part438 = // "Pattern{Field(dclass_counter1,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#287:Number:11/1_0", "nwparser.p0", "%{dclass_counter1},Event time:%{fld17->} %{fld18}"); + +var part439 = // "Pattern{Field(dclass_counter1,false)}" +match_copy("MESSAGE#287:Number:11/1_1", "nwparser.p0", "dclass_counter1"); + +var select76 = linear_select([ + part438, + part439, +]); + +var all126 = all_match({ + processors: [ + part437, + select76, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup15, + dup221, + setc("dclass_counter1_string","Group Update Providers"), + dup93, + ]), +}); + +var msg356 = msg("Number:11", all126); + +var part440 = // "Pattern{Constant('Number of physical files swept: '), Field(dclass_counter1,false)}" +match("MESSAGE#288:Number:12", "nwparser.payload", "Number of physical files swept: %{dclass_counter1}", processor_chain([ + dup43, + dup12, + dup13, + dup15, + dup221, + setc("dclass_counter1_string","Number of physical files swept"), +])); + +var msg357 = msg("Number:12", part440); + +var part441 = // "Pattern{Constant('Number of '), Field(fld1,true), Constant(' swept: '), Field(dclass_counter1,false)}" +match("MESSAGE#289:Number:13", "nwparser.payload", "Number of %{fld1->} swept: %{dclass_counter1}", processor_chain([ + dup43, + dup15, + dup12, + dup222, + setc("a","Number of "), + call({ + dest: "nwparser.event_description", + fn: STRCAT, + args: [ + constant("a"), + field("fld1"), + constant("\t"), + field("swept."), + ], + }), + call({ + dest: "nwparser.dclass_counter1_string", + fn: STRCAT, + args: [ + field("fld1"), + constant("\t"), + field("swept"), + ], + }), +])); + +var msg358 = msg("Number:13", part441); + +var select77 = linear_select([ + msg346, + msg347, + msg348, + msg349, + msg350, + msg351, + msg352, + msg353, + msg354, + msg355, + msg356, + msg357, + msg358, +]); + +var part442 = // "Pattern{Constant('Policy has been added,'), Field(info,false)}" +match("MESSAGE#292:Policy:added", "nwparser.payload", "Policy has been added,%{info}", processor_chain([ + dup95, + dup12, + dup13, + dup96, + dup223, + dup22, + dup14, + dup15, + dup23, + dup224, +])); + +var msg359 = msg("Policy:added", part442); + +var part443 = // "Pattern{Constant('Policy has been added:'), Field(info,false)}" +match("MESSAGE#293:Policy:added_01", "nwparser.payload", "Policy has been added:%{info}", processor_chain([ + dup95, + dup12, + dup13, + dup96, + dup223, + dup22, + dup14, + dup15, + dup23, + dup224, +])); + +var msg360 = msg("Policy:added_01", part443); + +var part444 = // "Pattern{Constant('Policy has been edited,'), Field(info,false)}" +match("MESSAGE#294:Policy:edited", "nwparser.payload", "Policy has been edited,%{info}", processor_chain([ + dup136, + dup12, + dup13, + dup30, + dup223, + dup22, + dup14, + dup15, + dup23, + dup225, +])); + +var msg361 = msg("Policy:edited", part444); + +var part445 = // "Pattern{Constant('Policy has been edited:'), Field(info,false), Constant(','), Field(fld1,false)}" +match("MESSAGE#295:Policy:edited_01", "nwparser.payload", "Policy has been edited:%{info},%{fld1}", processor_chain([ + dup136, + dup12, + dup13, + dup30, + dup223, + dup22, + dup14, + dup15, + dup23, + dup225, +])); + +var msg362 = msg("Policy:edited_01", part445); + +var part446 = // "Pattern{Constant('Policy has been deleted'), Field(p0,false)}" +match("MESSAGE#296:Policy:deleted/0", "nwparser.payload", "Policy has been deleted%{p0}"); + +var select78 = linear_select([ + dup226, + dup71, +]); + +var all127 = all_match({ + processors: [ + part446, + select78, + dup212, + ], + on_success: processor_chain([ + dup156, + dup12, + dup13, + dup27, + dup223, + dup22, + dup14, + dup15, + dup23, + setc("event_description","Policy has been deleted"), + ]), +}); + +var msg363 = msg("Policy:deleted", all127); + +var select79 = linear_select([ + msg359, + msg360, + msg361, + msg362, + msg363, +]); + +var part447 = // "Pattern{Constant('Potential risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Intensive Protection Level: '), Field(fld61,false), Constant(',Certificate issuer: '), Field(fld60,false), Constant(',Certificate signer: '), Field(fld62,false), Constant(',Certificate thumbprint: '), Field(fld63,false), Constant(',Signing timestamp: '), Field(fld64,false), Constant(',Certificate serial number: '), Field(fld65,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld1,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Last update time: '), Field(fld53,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld100,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(vendor_event_cat,false), Constant(',Location:'), Field(fld55,false)}" +match("MESSAGE#297:Potential:03", "nwparser.payload", "Potential risk found,IP Address: %{saddr},Computer name: %{shost},Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld1},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Last update time: %{fld53},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld100},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size},Category set: %{category},Category type: %{vendor_event_cat},Location:%{fld55}", processor_chain([ + dup110, + dup12, + dup152, + dup132, + dup93, + dup153, + dup154, + dup227, + dup15, + dup19, +])); + +var msg364 = msg("Potential:03", part447); + +var part448 = // "Pattern{Field(severity,false), Constant(',First Seen:'), Field(fld55,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',COH Engine Version: '), Field(fld41,false), Constant(',Detection Submissions No,Permitted application reason: '), Field(fld42,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',Risk Level: '), Field(fld50,false), Constant(',Detection Source: '), Field(fld52,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(p0,false)}" +match("MESSAGE#298:Potential:02/2", "nwparser.p0", "%{severity},First Seen:%{fld55},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},COH Engine Version: %{fld41},Detection Submissions No,Permitted application reason: %{fld42},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); + +var part449 = // "Pattern{Field(fld1,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" +match("MESSAGE#298:Potential:02/4", "nwparser.p0", "%{fld1},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); + +var all128 = all_match({ + processors: [ + dup228, + dup325, + part448, + dup327, + part449, + ], + on_success: processor_chain([ + dup110, + dup12, + dup152, + dup132, + dup93, + dup153, + dup154, + dup227, + dup15, + dup19, + ]), +}); + +var msg365 = msg("Potential:02", all128); + +var part450 = // "Pattern{Field(fld23,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" +match("MESSAGE#299:Potential/2", "nwparser.p0", "%{fld23},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); + +var all129 = all_match({ + processors: [ + dup228, + dup325, + part450, + dup326, + dup229, + ], + on_success: processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup152, + dup93, + dup132, + dup230, + dup154, + dup15, + dup227, + dup19, + ]), +}); + +var msg366 = msg("Potential", all129); + +var part451 = // "Pattern{Constant('Potential risk found,Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" +match("MESSAGE#300:Potential:01/0", "nwparser.payload", "Potential risk found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); + +var all130 = all_match({ + processors: [ + part451, + dup326, + dup229, + ], + on_success: processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup152, + dup93, + dup230, + dup154, + dup132, + dup15, + dup227, + dup19, + ]), +}); + +var msg367 = msg("Potential:01", all130); + +var select80 = linear_select([ + msg364, + msg365, + msg366, + msg367, +]); + +var part452 = // "Pattern{Constant('Previous virus definition file loaded. Version: '), Field(version,false)}" +match("MESSAGE#301:Previous", "nwparser.payload", "Previous virus definition file loaded. Version: %{version}", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Previous virus definition file loaded."), +])); + +var msg368 = msg("Previous", part452); + +var part453 = // "Pattern{Constant('Proactive Threat Scan '), Field(info,true), Constant(' failed to update.')}" +match("MESSAGE#302:Proactive", "nwparser.payload", "Proactive Threat Scan %{info->} failed to update.", processor_chain([ + setc("eventcategory","1703020000"), + dup12, + dup13, + dup14, + dup15, + setc("event_description","Proactive Threat Scan failed to update."), +])); + +var msg369 = msg("Proactive", part453); + +var part454 = // "Pattern{Constant('Proactive Threat Scan whitelist '), Field(info,true), Constant(' is up-to-date.')}" +match("MESSAGE#303:Proactive:01", "nwparser.payload", "Proactive Threat Scan whitelist %{info->} is up-to-date.", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Proactive Threat Scan whitelist is up-to-date."), +])); + +var msg370 = msg("Proactive:01", part454); + +var part455 = // "Pattern{Constant('Proactive Threat Protection has been enabled'), Field(p0,false)}" +match("MESSAGE#399:Symantec:38/0", "nwparser.payload", "Proactive Threat Protection has been enabled%{p0}"); + +var all131 = all_match({ + processors: [ + part455, + dup318, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup15, + dup93, + setc("event_description","Proactive Threat Protection has been enabled"), + ]), +}); + +var msg371 = msg("Symantec:38", all131); + +var part456 = // "Pattern{Constant('Proactive Threat Protection has been disabled'), Field(,false)}" +match("MESSAGE#400:Symantec:42", "nwparser.payload", "Proactive Threat Protection has been disabled%{}", processor_chain([ + dup43, + dup56, + dup12, + dup13, + dup15, + dup57, +])); + +var msg372 = msg("Symantec:42", part456); + +var select81 = linear_select([ + msg369, + msg370, + msg371, + msg372, +]); + +var part457 = // "Pattern{Constant('process '), Field(process,true), Constant(' can not lock the process status table. The process status has been locked by the server '), Field(info,true), Constant(' since '), Field(fld50,false), Constant('.')}" +match("MESSAGE#304:process", "nwparser.payload", "process %{process->} can not lock the process status table. The process status has been locked by the server %{info->} since %{fld50}.", processor_chain([ + dup168, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Cannot lock process status table since it has been locked by server."), +])); + +var msg373 = msg("process", part457); + +var part458 = // "Pattern{Constant('"Application has changed since the last time you opened it, process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' The change was allowed by profile.",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld12,false)}" +match("MESSAGE#305:process:01", "nwparser.payload", "\"Application has changed since the last time you opened it, process id: %{process_id->} Filename: %{filename->} The change was allowed by profile.\",Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},Outbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}", processor_chain([ + dup168, + dup12, + dup13, + dup40, + dup41, + dup42, + dup15, + dup142, + dup19, + dup35, +])); + +var msg374 = msg("process:01", part458); + +var part459 = // "Pattern{Constant('"Application has changed since the last time you opened it, process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' The change was allowed by profile.",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld12,false)}" +match("MESSAGE#306:process:11", "nwparser.payload", "\"Application has changed since the last time you opened it, process id: %{process_id->} Filename: %{filename->} The change was allowed by profile.\",Local: %{daddr},Local: %{fld1},Remote: %{fld25},Remote: %{saddr},Remote: %{fld3},Inbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}", processor_chain([ + dup168, + dup12, + dup13, + dup41, + dup42, + dup15, + dup142, + dup19, + dup34, + dup40, +])); + +var msg375 = msg("process:11", part459); + +var part460 = // "Pattern{Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(protocol,false), Constant(','), Field(p0,false)}" +match("MESSAGE#308:process:03/2", "nwparser.p0", ",Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{protocol},%{p0}"); + +var part461 = // "Pattern{Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#308:process:03/4", "nwparser.p0", "%{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var all132 = all_match({ + processors: [ + dup231, + dup316, + part460, + dup317, + part461, + dup315, + ], + on_success: processor_chain([ + dup53, + dup12, + dup13, + dup16, + dup17, + dup15, + dup19, + dup35, + dup40, + ]), +}); + +var msg376 = msg("process:03", all132); + +var all133 = all_match({ + processors: [ + dup231, + dup316, + dup78, + dup317, + dup81, + dup315, + ], + on_success: processor_chain([ + dup53, + dup12, + dup13, + dup16, + dup17, + dup15, + dup19, + dup34, + dup40, + ]), +}); + +var msg377 = msg("process:13", all133); + +var select82 = linear_select([ + msg373, + msg374, + msg375, + msg376, + msg377, +]); + +var part462 = // "Pattern{Constant('properties of domain '), Field(p0,false)}" +match("MESSAGE#310:properties/0", "nwparser.payload", "properties of domain %{p0}"); + +var part463 = // "Pattern{Constant('"'), Field(domain,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#310:properties/1_0", "nwparser.p0", "\"%{domain}\"%{p0}"); + +var part464 = // "Pattern{Constant('''), Field(domain,false), Constant('''), Field(p0,false)}" +match("MESSAGE#310:properties/1_1", "nwparser.p0", "'%{domain}'%{p0}"); + +var select83 = linear_select([ + part463, + part464, +]); + +var part465 = // "Pattern{Field(,false), Constant('were changed')}" +match("MESSAGE#310:properties/2", "nwparser.p0", "%{}were changed"); + +var all134 = all_match({ + processors: [ + part462, + select83, + part465, + ], + on_success: processor_chain([ + dup136, + dup12, + dup13, + dup30, + dup97, + dup22, + dup14, + dup15, + setc("event_description","The properties of domain were changed"), + ]), +}); + +var msg378 = msg("properties", all134); + +var part466 = // "Pattern{Constant('properties for system administrator '), Field(p0,false)}" +match("MESSAGE#311:properties:01/0", "nwparser.payload", "properties for system administrator %{p0}"); + +var part467 = // "Pattern{Constant('"'), Field(c_username,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#311:properties:01/1_0", "nwparser.p0", "\"%{c_username}\"%{p0}"); + +var part468 = // "Pattern{Constant('''), Field(c_username,false), Constant('''), Field(p0,false)}" +match("MESSAGE#311:properties:01/1_1", "nwparser.p0", "'%{c_username}'%{p0}"); + +var select84 = linear_select([ + part467, + part468, +]); + +var part469 = // "Pattern{Field(,false), Constant('have been changed')}" +match("MESSAGE#311:properties:01/2", "nwparser.p0", "%{}have been changed"); + +var all135 = all_match({ + processors: [ + part466, + select84, + part469, + ], + on_success: processor_chain([ + dup136, + dup12, + dup13, + dup30, + dup97, + dup22, + dup14, + dup15, + setc("event_description","The properties of system administrator have been changed"), + ]), +}); + +var msg379 = msg("properties:01", all135); + +var select85 = linear_select([ + msg378, + msg379, +]); + +var part470 = // "Pattern{Constant('PTS has generated an error: code '), Field(resultcode,false), Constant(': description: '), Field(info,false)}" +match("MESSAGE#312:PTS", "nwparser.payload", "PTS has generated an error: code %{resultcode}: description: %{info}", processor_chain([ + dup168, + dup12, + dup13, + dup14, + dup15, + setc("event_description","PTS has generated an error"), +])); + +var msg380 = msg("PTS", part470); + +var part471 = // "Pattern{Constant('Received a new policy with '), Field(p0,false)}" +match("MESSAGE#313:Received/0", "nwparser.payload", "Received a new policy with %{p0}"); + +var part472 = // "Pattern{Field(info,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#313:Received/1_0", "nwparser.p0", "%{info},Event time: %{fld17->} %{fld18}"); + +var select86 = linear_select([ + part472, + dup212, +]); + +var all136 = all_match({ + processors: [ + part471, + select86, + ], + on_success: processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","Received a new policy."), + ]), +}); + +var msg381 = msg("Received", all136); + +var part473 = // "Pattern{Constant('Received a new profile with serial number '), Field(fld23,true), Constant(' from Symantec Endpoint Protection Manager.')}" +match("MESSAGE#699:Smc:03", "nwparser.payload", "Received a new profile with serial number %{fld23->} from Symantec Endpoint Protection Manager.", processor_chain([ + dup53, + dup94, + dup13, + dup14, + dup15, + setc("event_description","Received a new profile from Symantec Endpoint Protection Manager."), +])); + +var msg382 = msg("Smc:03", part473); + +var select87 = linear_select([ + msg381, + msg382, +]); + +var part474 = // "Pattern{Constant('Reconfiguring Symantec Management Client....'), Field(,false)}" +match("MESSAGE#314:Reconfiguring", "nwparser.payload", "Reconfiguring Symantec Management Client....%{}", processor_chain([ + dup136, + dup12, + dup13, + dup30, + dup97, + dup22, + dup14, + dup15, + setc("event_description","Reconfiguring Symantec Management Client."), +])); + +var msg383 = msg("Reconfiguring", part474); + +var part475 = // "Pattern{Constant('Reconnected to server after server was unreacheable.'), Field(p0,false)}" +match("MESSAGE#315:Reconnected/0", "nwparser.payload", "Reconnected to server after server was unreacheable.%{p0}"); + +var all137 = all_match({ + processors: [ + part475, + dup318, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","Reconnected to server after server was unreachable."), + ]), +}); + +var msg384 = msg("Reconnected", all137); + +var part476 = // "Pattern{Constant('Please restart your computer to enable '), Field(info,true), Constant(' changes.'), Field(p0,false)}" +match("MESSAGE#316:restart/0", "nwparser.payload", "Please restart your computer to enable %{info->} changes.%{p0}"); + +var all138 = all_match({ + processors: [ + part476, + dup318, + ], + on_success: processor_chain([ + dup232, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","Please restart your computer to enable changes."), + ]), +}); + +var msg385 = msg("restart", all138); + +var part477 = // "Pattern{Constant('Retry '), Field(info,false), Constant('"')}" +match("MESSAGE#317:Retry", "nwparser.payload", "Retry %{info}\"", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup233, +])); + +var msg386 = msg("Retry", part477); + +var part478 = // "Pattern{Constant('Retry timestamp is equal or over the next schedule time, switching to regular schedule run.'), Field(,false)}" +match("MESSAGE#318:Retry:01", "nwparser.payload", "Retry timestamp is equal or over the next schedule time, switching to regular schedule run.%{}", processor_chain([ + dup43, + dup15, + setc("action","Retry timestamp is equal or over the next schedule time, switching to regular schedule run."), +])); + +var msg387 = msg("Retry:01", part478); + +var part479 = // "Pattern{Constant('Retry timestamp is over the maximum retry window, switching to regular schedule run.'), Field(,false)}" +match("MESSAGE#319:Retry:02", "nwparser.payload", "Retry timestamp is over the maximum retry window, switching to regular schedule run.%{}", processor_chain([ + dup43, + dup233, + dup15, +])); + +var msg388 = msg("Retry:02", part479); + +var select88 = linear_select([ + msg386, + msg387, + msg388, +]); + +var part480 = // "Pattern{Constant('Successfully downloaded the '), Field(application,true), Constant(' security definitions from LiveUpdate. The security definitions are now available for deployment.')}" +match("MESSAGE#320:Successfully", "nwparser.payload", "Successfully downloaded the %{application->} security definitions from LiveUpdate. The security definitions are now available for deployment.", processor_chain([ + dup43, + setc("event_description","Successfully Downloaded."), + dup15, +])); + +var msg389 = msg("Successfully", part480); + +var part481 = // "Pattern{Constant('Successfully deleted the client install package ''), Field(info,false), Constant(''.')}" +match("MESSAGE#321:Successfully:01", "nwparser.payload", "Successfully deleted the client install package '%{info}'.", processor_chain([ + dup43, + dup234, + dup15, +])); + +var msg390 = msg("Successfully:01", part481); + +var part482 = // "Pattern{Constant('Successfully imported the Symantec Endpoint Protection version '), Field(version,true), Constant(' for '), Field(fld3,true), Constant(' package during the server upgrade. This package is now available for deployment.')}" +match("MESSAGE#322:Successfully:02", "nwparser.payload", "Successfully imported the Symantec Endpoint Protection version %{version->} for %{fld3->} package during the server upgrade. This package is now available for deployment.", processor_chain([ + dup43, + dup234, + dup15, +])); + +var msg391 = msg("Successfully:02", part482); + +var select89 = linear_select([ + msg389, + msg390, + msg391, +]); + +var part483 = // "Pattern{Constant('Risk Repair Failed..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,true), Constant(' '), Field(fld7,true), Constant(' ..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" +match("MESSAGE#323:Risk:01", "nwparser.payload", "Risk Repair Failed..Computer: %{shost}..Date: %{fld5}..Time: %{fld6->} %{fld7->} ..Severity: %{severity}..Source: %{product}", processor_chain([ + dup110, + dup166, + dup15, + dup235, +])); + +var msg392 = msg("Risk:01", part483); + +var part484 = // "Pattern{Constant('Risk Repair Failed..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(filename,false), Constant('..'), Field(info,false), Constant('..'), Field(action,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,true), Constant(' '), Field(fld7,false), Constant('..'), Field(username,false), Constant('..'), Field(virusname,false)}" +match("MESSAGE#324:Risk:02", "nwparser.payload", "Risk Repair Failed..%{shost}..%{fld5}..%{filename}..%{info}..%{action}..%{severity}..%{product}..%{fld6->} %{fld7}..%{username}..%{virusname}", processor_chain([ + dup110, + dup152, + dup166, + dup15, + dup235, +])); + +var msg393 = msg("Risk:02", part484); + +var part485 = // "Pattern{Constant('Risk Repaired..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,true), Constant(' '), Field(fld7,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" +match("MESSAGE#325:Risk:03", "nwparser.payload", "Risk Repaired..Computer: %{shost}..Date: %{fld5}..Time: %{fld6->} %{fld7}..Severity: %{severity}..Source: %{product}", processor_chain([ + dup110, + dup166, + dup15, + dup236, +])); + +var msg394 = msg("Risk:03", part485); + +var part486 = // "Pattern{Constant('Risk Repaired..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(filename,false), Constant('..'), Field(info,false), Constant('..'), Field(action,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,true), Constant(' '), Field(fld7,false), Constant('..'), Field(username,false), Constant('..'), Field(virusname,false)}" +match("MESSAGE#326:Risk:04", "nwparser.payload", "Risk Repaired..%{shost}..%{fld5}..%{filename}..%{info}..%{action}..%{severity}..%{product}..%{fld6->} %{fld7}..%{username}..%{virusname}", processor_chain([ + dup110, + dup152, + dup166, + dup15, + dup236, +])); + +var msg395 = msg("Risk:04", part486); + +var part487 = // "Pattern{Constant('Risk sample submitted to Symantec,Computer name: '), Field(p0,false)}" +match("MESSAGE#327:Risk:05/0", "nwparser.payload", "Risk sample submitted to Symantec,Computer name: %{p0}"); + +var part488 = // "Pattern{Field(event_type,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" +match("MESSAGE#327:Risk:05/2", "nwparser.p0", "%{event_type},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); + +var part489 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld16,true), Constant(' '), Field(fld17,false), Constant(',Inserted: '), Field(fld20,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" +match("MESSAGE#327:Risk:05/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld16->} %{fld17},Inserted: %{fld20},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); + +var all139 = all_match({ + processors: [ + part487, + dup325, + part488, + dup326, + part489, + ], + on_success: processor_chain([ + dup110, + dup12, + dup152, + dup132, + date_time({ + dest: "event_time", + args: ["fld16","fld17"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup230, + dup154, + dup15, + dup19, + setc("event_description","Risk sample submitted to Symantec."), + ]), +}); + +var msg396 = msg("Risk:05", all139); + +var select90 = linear_select([ + msg392, + msg393, + msg394, + msg395, + msg396, +]); + +var part490 = // "Pattern{Constant('Scan Start/Stop..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(filename,false), Constant('..'), Field(info,false), Constant('..'), Field(fld22,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false), Constant('..'), Field(username,false), Constant('..'), Field(virusname,false)}" +match("MESSAGE#328:Scan", "nwparser.payload", "Scan Start/Stop..%{shost}..%{fld5}..%{filename}..%{info}..%{fld22}..%{severity}..%{product}..%{fld6}..%{username}..%{virusname}", processor_chain([ + dup43, + dup152, + dup166, + dup15, + dup237, +])); + +var msg397 = msg("Scan", part490); + +var part491 = // "Pattern{Constant('Scan Start/Stop..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(info,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false), Constant('..'), Field(username,false)}" +match("MESSAGE#329:Scan:01", "nwparser.payload", "Scan Start/Stop..%{shost}..%{fld5}..%{info}..%{severity}..%{product}..%{fld6}..%{username}", processor_chain([ + dup43, + dup166, + dup15, + dup237, +])); + +var msg398 = msg("Scan:01", part491); + +var part492 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(username,false), Constant(',User2: '), Field(fld3,false), Constant(',"'), Field(info,false), Constant('","'), Field(context,false), Constant('",Command: Not a command scan (),Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(dclass_counter2,false), Constant(',Omitted: '), Field(fld4,false), Constant('Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant('Domain: '), Field(domain,false), Constant('Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" +match("MESSAGE#330:Scan:02", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},\"%{info}\",\"%{context}\",Command: Not a command scan (),Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4}Computer: %{shost},IP Address: %{saddr}Domain: %{domain}Group: %{group},Server: %{hostid}", processor_chain([ + dup43, + dup12, + dup14, + dup238, + dup41, + dup15, + dup239, + dup240, + dup241, +])); + +var msg399 = msg("Scan:02", part492); + +var part493 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld1,false), Constant(',End: '), Field(fld2,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(username,false), Constant(',User2: '), Field(fld3,false), Constant(','), Field(fld22,false), Constant(',,Command: '), Field(fld4,false), Constant(',Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(fld5,false), Constant(',Omitted: '), Field(fld21,false), Constant(',Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',"Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" +match("MESSAGE#331:Scan:09", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld1},End: %{fld2},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},%{fld22},,Command: %{fld4},Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{fld5},Omitted: %{fld21},Computer: %{shost},IP Address: %{saddr},\"Group: %{group},Server: %{hostid}", processor_chain([ + dup43, + dup12, + dup14, + dup242, + dup15, + dup243, + dup244, + dup245, + dup246, +])); + +var msg400 = msg("Scan:09", part493); + +var part494 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(username,false), Constant(',User2: '), Field(fld22,false), Constant(','), Field(info,false), Constant(',Command: Not a command scan (),Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(dclass_counter2,false), Constant(',Omitted: '), Field(fld21,false), Constant('Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Domain: '), Field(domain,false), Constant(','), Field(p0,false)}" +match("MESSAGE#332:Scan:03/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld22},%{info},Command: Not a command scan (),Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld21}Computer: %{shost},IP Address: %{saddr},Domain: %{domain},%{p0}"); + +var part495 = // "Pattern{Field(hostid,false)}" +match_copy("MESSAGE#332:Scan:03/2", "nwparser.p0", "hostid"); + +var all140 = all_match({ + processors: [ + part494, + dup330, + part495, + ], + on_success: processor_chain([ + dup43, + dup12, + dup14, + dup41, + dup15, + dup243, + setc("dclass_counter1_string","Infected Count"), + setc("dclass_counter2_string","Total File Count"), + setc("dclass_counter3_string","Total Threat Count"), + ]), +}); + +var msg401 = msg("Scan:03", all140); + +var part496 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld1,false), Constant(',End: '), Field(fld2,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(username,false), Constant(',User2: '), Field(fld3,false), Constant(',Files scanned: '), Field(dclass_counter2,false), Constant(',,Command: '), Field(fld4,false), Constant(',Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(fld5,false), Constant(',Omitted: '), Field(fld21,false), Constant(',Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" +match("MESSAGE#333:Scan:08", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld1},End: %{fld2},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},Files scanned: %{dclass_counter2},,Command: %{fld4},Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{fld5},Omitted: %{fld21},Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}", processor_chain([ + dup43, + dup12, + dup14, + dup242, + dup15, + dup243, + dup244, + dup245, + dup246, +])); + +var msg402 = msg("Scan:08", part496); + +var part497 = // "Pattern{Constant('Scan Delayed: Risks: '), Field(dclass_counter1,true), Constant(' Scanned: '), Field(dclass_counter2,true), Constant(' Files/Folders/Drives Omitted: '), Field(p0,false)}" +match("MESSAGE#334:Scan:04/0", "nwparser.payload", "Scan Delayed: Risks: %{dclass_counter1->} Scanned: %{dclass_counter2->} Files/Folders/Drives Omitted: %{p0}"); + +var part498 = // "Pattern{Field(dclass_counter3,true), Constant(' Trusted Files Skipped: '), Field(fld1,false)}" +match("MESSAGE#334:Scan:04/1_0", "nwparser.p0", "%{dclass_counter3->} Trusted Files Skipped: %{fld1}"); + +var part499 = // "Pattern{Field(dclass_counter3,false)}" +match_copy("MESSAGE#334:Scan:04/1_1", "nwparser.p0", "dclass_counter3"); + +var select91 = linear_select([ + part498, + part499, +]); + +var all141 = all_match({ + processors: [ + part497, + select91, + ], + on_success: processor_chain([ + dup136, + dup12, + dup13, + dup30, + dup97, + dup14, + dup15, + setc("event_description","Scan Delayed."), + dup247, + dup248, + setc("dclass_counter3_string","Omitted Count."), + ]), +}); + +var msg403 = msg("Scan:04", all141); + +var part500 = // "Pattern{Field(action,false), Constant('..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Description: '), Field(event_description,false), Constant(': Risks: '), Field(dclass_counter1,true), Constant(' Scanned: '), Field(dclass_counter2,true), Constant(' Files/Folders/Drives Omitted: '), Field(dclass_counter3,false), Constant('..Time: '), Field(fld6,true), Constant(' '), Field(fld4,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" +match("MESSAGE#335:Scan:05", "nwparser.payload", "%{action}..Computer: %{shost}..Date: %{fld5}..Description: %{event_description}: Risks: %{dclass_counter1->} Scanned: %{dclass_counter2->} Files/Folders/Drives Omitted: %{dclass_counter3}..Time: %{fld6->} %{fld4}..Severity: %{severity}..Source: %{product}", processor_chain([ + dup43, + dup166, + dup15, + dup247, + dup248, + setc("dclass_counter3_string","Ommitted count."), +])); + +var msg404 = msg("Scan:05", part500); + +var part501 = // "Pattern{Field(action,false), Constant('..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Description: '), Field(event_description,false), Constant('...Time: '), Field(fld6,true), Constant(' '), Field(fld4,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" +match("MESSAGE#336:Scan:06", "nwparser.payload", "%{action}..Computer: %{shost}..Date: %{fld5}..Description: %{event_description}...Time: %{fld6->} %{fld4}..Severity: %{severity}..Source: %{product}", processor_chain([ + dup43, + dup166, + dup15, +])); + +var msg405 = msg("Scan:06", part501); + +var part502 = // "Pattern{Constant('Scan started on all drives and all extensions.'), Field(,false)}" +match("MESSAGE#337:Scan:07", "nwparser.payload", "Scan started on all drives and all extensions.%{}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Scan started on all drives and all extensions."), +])); + +var msg406 = msg("Scan:07", part502); + +var part503 = // "Pattern{Constant('Scan Suspended: '), Field(info,false)}" +match("MESSAGE#338:Scan:11", "nwparser.payload", "Scan Suspended: %{info}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Scan Suspended."), +])); + +var msg407 = msg("Scan:11", part503); + +var part504 = // "Pattern{Constant('Scan resumed on all drives and all extensions.'), Field(,false)}" +match("MESSAGE#339:Scan:10", "nwparser.payload", "Scan resumed on all drives and all extensions.%{}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Scan resumed on all drives and all extensions."), +])); + +var msg408 = msg("Scan:10", part504); + +var part505 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(uid,false), Constant(',User2: '), Field(fld3,false), Constant(',''), Field(info,false), Constant('','), Field(p0,false)}" +match("MESSAGE#340:Scan:12/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{uid},User2: %{fld3},'%{info}',%{p0}"); + +var part506 = // "Pattern{Constant('Command: Update Content and Scan Active,Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(dclass_counter2,false), Constant(',Omitted: '), Field(fld4,false), Constant('Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" +match("MESSAGE#340:Scan:12/2", "nwparser.p0", "Command: Update Content and Scan Active,Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4}Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}"); + +var all142 = all_match({ + processors: [ + part505, + dup335, + part506, + ], + on_success: processor_chain([ + dup43, + dup94, + dup14, + dup238, + dup41, + dup15, + dup239, + dup240, + dup241, + ]), +}); + +var msg409 = msg("Scan:12", all142); + +var part507 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End:'), Field(fld51,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(uid,false), Constant(',User2:'), Field(fld3,false), Constant(',''), Field(info,false), Constant('','), Field(p0,false)}" +match("MESSAGE#341:Scan:13/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End:%{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{uid},User2:%{fld3},'%{info}',%{p0}"); + +var part508 = // "Pattern{Constant('Command: Full Scan,Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(dclass_counter2,false), Constant(',Omitted: '), Field(fld4,false), Constant('Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" +match("MESSAGE#341:Scan:13/2", "nwparser.p0", "Command: Full Scan,Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4}Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}"); + +var all143 = all_match({ + processors: [ + part507, + dup335, + part508, + ], + on_success: processor_chain([ + dup43, + dup94, + dup14, + dup238, + dup41, + dup15, + dup239, + dup240, + dup241, + ]), +}); + +var msg410 = msg("Scan:13", all143); + +var part509 = // "Pattern{Constant('Scan ID: '), Field(fld11,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,false), Constant(','), Field(disposition,false), Constant(',Duration (seconds): '), Field(duration_string,false), Constant(',User1: '), Field(username,false), Constant(',User2: '), Field(fld3,false), Constant(','), Field(p0,false)}" +match("MESSAGE#342:Scan:14/0", "nwparser.payload", "Scan ID: %{fld11},Begin: %{fld50->} %{fld52},End: %{fld51},%{disposition},Duration (seconds): %{duration_string},User1: %{username},User2: %{fld3},%{p0}"); + +var part510 = // "Pattern{Field(info,false), Constant('","'), Field(p0,false)}" +match("MESSAGE#342:Scan:14/2_0", "nwparser.p0", "%{info}\",\"%{p0}"); + +var part511 = // "Pattern{Field(info,false), Constant(','), Field(p0,false)}" +match("MESSAGE#342:Scan:14/2_1", "nwparser.p0", "%{info},%{p0}"); + +var select92 = linear_select([ + part510, + part511, +]); + +var part512 = // "Pattern{Field(context,false), Constant('",'), Field(p0,false)}" +match("MESSAGE#342:Scan:14/3_0", "nwparser.p0", "%{context}\",%{p0}"); + +var part513 = // "Pattern{Field(context,false), Constant(','), Field(p0,false)}" +match("MESSAGE#342:Scan:14/3_1", "nwparser.p0", "%{context},%{p0}"); + +var select93 = linear_select([ + part512, + part513, +]); + +var part514 = // "Pattern{Constant('Command: '), Field(fld10,false), Constant(',Threats: '), Field(dclass_counter3,false), Constant(',Infected: '), Field(dclass_counter1,false), Constant(',Total files: '), Field(dclass_counter2,false), Constant(',Omitted: '), Field(fld4,false), Constant(',Computer: '), Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false)}" +match("MESSAGE#342:Scan:14/4", "nwparser.p0", "Command: %{fld10},Threats: %{dclass_counter3},Infected: %{dclass_counter1},Total files: %{dclass_counter2},Omitted: %{fld4},Computer: %{shost},IP Address: %{saddr},Domain: %{domain},Group: %{group},Server: %{hostid}"); + +var all144 = all_match({ + processors: [ + part509, + dup316, + select92, + select93, + part514, + ], + on_success: processor_chain([ + dup43, + dup12, + dup14, + setf("event_description","fld10"), + dup41, + dup15, + dup239, + dup240, + dup241, + ]), +}); + +var msg411 = msg("Scan:14", all144); + +var select94 = linear_select([ + msg397, + msg398, + msg399, + msg400, + msg401, + msg402, + msg403, + msg404, + msg405, + msg406, + msg407, + msg408, + msg409, + msg410, + msg411, +]); + +var part515 = // "Pattern{Field(severity,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld13,false), Constant(',Detection score:'), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" +match("MESSAGE#343:Security:03/2", "nwparser.p0", "%{severity},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld13},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); + +var all145 = all_match({ + processors: [ + dup250, + dup325, + part515, + ], + on_success: processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup132, + dup152, + dup162, + dup163, + dup164, + dup154, + dup15, + dup19, + ]), +}); + +var msg412 = msg("Security:03", all145); + +var all146 = all_match({ + processors: [ + dup250, + dup325, + dup161, + ], + on_success: processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup132, + dup152, + dup162, + dup163, + dup164, + dup154, + dup15, + dup19, + ]), +}); + +var msg413 = msg("Security:06", all146); + +var part516 = // "Pattern{Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Cookie:'), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Last update time: '), Field(fld57,false), Constant(',Domain: '), Field(domain,true), Constant(' ,'), Field(p0,false)}" +match("MESSAGE#345:Security:05/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},Cookie:%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Last update time: %{fld57},Domain: %{domain->} ,%{p0}"); + +var part517 = // "Pattern{Constant('" '), Field(p0,false)}" +match("MESSAGE#345:Security:05/3_0", "nwparser.p0", "\" %{p0}"); + +var select95 = linear_select([ + part517, + dup194, +]); + +var part518 = // "Pattern{Constant('Group: '), Field(group,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#345:Security:05/4", "nwparser.p0", "Group: %{group->} %{p0}"); + +var part519 = // "Pattern{Constant('", '), Field(p0,false)}" +match("MESSAGE#345:Security:05/5_0", "nwparser.p0", "\", %{p0}"); + +var part520 = // "Pattern{Constant(', '), Field(p0,false)}" +match("MESSAGE#345:Security:05/5_1", "nwparser.p0", ", %{p0}"); + +var select96 = linear_select([ + part519, + part520, +]); + +var part521 = // "Pattern{Constant('Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(', File size (bytes): '), Field(p0,false)}" +match("MESSAGE#345:Security:05/6", "nwparser.p0", "Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type}, File size (bytes): %{p0}"); + +var all147 = all_match({ + processors: [ + dup251, + dup329, + part516, + select95, + part518, + select96, + part521, + dup336, + ], + on_success: processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup152, + dup132, + dup162, + dup163, + dup164, + dup154, + dup15, + dup19, + ]), +}); + +var msg414 = msg("Security:05", all147); + +var part522 = // "Pattern{Constant('Security risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(',0,Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(filename_size,false)}" +match("MESSAGE#346:Security:04", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},0,Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{filename_size}", processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup152, + dup132, + dup162, + dup163, + dup164, + dup154, + dup15, + dup19, +])); + +var msg415 = msg("Security:04", part522); + +var part523 = // "Pattern{Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Last update time: '), Field(fld57,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(', File size (bytes): '), Field(p0,false)}" +match("MESSAGE#347:Security:07/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Last update time: %{fld57},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type}, File size (bytes): %{p0}"); + +var all148 = all_match({ + processors: [ + dup251, + dup329, + part523, + dup336, + ], + on_success: processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup152, + dup132, + dup162, + dup163, + dup164, + dup154, + dup15, + dup19, + ]), +}); + +var msg416 = msg("Security:07", all148); + +var part524 = // "Pattern{Constant('Security risk found,Computer name: '), Field(shost,false), Constant(','), Field(p0,false)}" +match("MESSAGE#348:Security:13/0", "nwparser.payload", "Security risk found,Computer name: %{shost},%{p0}"); + +var part525 = // "Pattern{Constant('Intensive Protection Level: '), Field(fld61,false), Constant(',Certificate issuer: '), Field(fld60,false), Constant(',Certificate signer: '), Field(fld62,false), Constant(',Certificate thumbprint: '), Field(fld63,false), Constant(',Signing timestamp: '), Field(fld64,false), Constant(',Certificate serial number: '), Field(fld65,false), Constant(','), Field(p0,false)}" +match("MESSAGE#348:Security:13/1_0", "nwparser.p0", "Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},%{p0}"); + +var select97 = linear_select([ + part525, + dup77, +]); + +var part526 = // "Pattern{Constant('IP Address: '), Field(saddr,false), Constant(',Detection type: '), Field(severity,false), Constant(',First Seen: '), Field(fld1,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,true), Constant(' ,Hash type: '), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld3,true), Constant(' ,File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld4,false), Constant(',Detection score: '), Field(fld5,false), Constant(',COH Engine Version: '), Field(fld6,false), Constant(','), Field(fld7,false), Constant(',Permitted application reason: '), Field(fld8,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld10,false), Constant(',Web domain:'), Field(fld11,true), Constant(' ,Downloaded by: '), Field(fld12,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld15,false), Constant(',Risk Level: '), Field(fld16,false), Constant(',Risk type: '), Field(fld17,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name:'), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld18,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld19,true), Constant(' '), Field(fld20,false), Constant(',Inserted: '), Field(fld21,false), Constant(',End: '), Field(fld22,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld23,false), Constant(',Source IP: '), Field(fld24,false)}" +match("MESSAGE#348:Security:13/2", "nwparser.p0", "IP Address: %{saddr},Detection type: %{severity},First Seen: %{fld1},Application name: %{application},Application type: %{obj_type},Application version:%{version->} ,Hash type: %{encryption_type},Application hash: %{checksum},Company name: %{fld3->} ,File size (bytes): %{filename_size},Sensitivity: %{fld4},Detection score: %{fld5},COH Engine Version: %{fld6},%{fld7},Permitted application reason: %{fld8},Disposition: %{result},Download site: %{fld10},Web domain:%{fld11->} ,Downloaded by: %{fld12},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld15},Risk Level: %{fld16},Risk type: %{fld17},Source: %{event_source},Risk name:%{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld18},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld19->} %{fld20},Inserted: %{fld21},End: %{fld22},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld23},Source IP: %{fld24}"); + +var all149 = all_match({ + processors: [ + part524, + select97, + part526, + ], + on_success: processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup162, + date_time({ + dest: "event_time", + args: ["fld19","fld20"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + date_time({ + dest: "recorded_time", + args: ["fld21"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + date_time({ + dest: "endtime", + args: ["fld22"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup15, + dup19, + ]), +}); + +var msg417 = msg("Security:13", all149); + +var part527 = // "Pattern{Constant('Security risk found,Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" +match("MESSAGE#349:Security", "nwparser.payload", "Security risk found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}", processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup152, + dup162, + dup132, + dup163, + dup164, + dup154, + dup15, + dup19, +])); + +var msg418 = msg("Security", part527); + +var part528 = // "Pattern{Constant('Security risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Cookie: '), Field(fld1,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false)}" +match("MESSAGE#350:Security:01", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},Cookie: %{fld1},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}", processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup152, + dup163, + dup164, + dup154, + dup15, + dup47, + dup162, +])); + +var msg419 = msg("Security:01", part528); + +var part529 = // "Pattern{Constant('Security risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false)}" +match("MESSAGE#351:Security:02", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}", processor_chain([ + dup110, + dup12, + dup115, + dup116, + dup38, + dup152, + dup162, + dup132, + dup163, + dup164, + dup154, + dup15, + dup19, +])); + +var msg420 = msg("Security:02", part529); + +var select98 = linear_select([ + msg412, + msg413, + msg414, + msg415, + msg416, + msg417, + msg418, + msg419, + msg420, +]); + +var part530 = // "Pattern{Constant('Compressed File,Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" +match("MESSAGE#352:Compressed", "nwparser.payload", "Compressed File,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}", processor_chain([ + dup110, + dup12, + dup152, + dup163, + dup164, + dup132, + dup154, + dup15, + dup253, + dup19, +])); + +var msg421 = msg("Compressed", part530); + +var part531 = // "Pattern{Constant('Compressed File,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(','), Field(p0,false)}" +match("MESSAGE#353:Compressed:02/0", "nwparser.payload", "Compressed File,IP Address: %{saddr},Computer name: %{shost},%{p0}"); + +var part532 = // "Pattern{Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(','), Field(p0,false)}" +match("MESSAGE#353:Compressed:02/2", "nwparser.p0", "%{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},%{p0}"); + +var all150 = all_match({ + processors: [ + part531, + dup329, + part532, + dup330, + dup205, + dup331, + ], + on_success: processor_chain([ + dup110, + dup12, + dup152, + dup163, + dup164, + dup132, + dup154, + dup15, + dup253, + dup19, + ]), +}); + +var msg422 = msg("Compressed:02", all150); + +var part533 = // "Pattern{Constant('Compressed File,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(info,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false)}" +match("MESSAGE#354:Compressed:01", "nwparser.payload", "Compressed File,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{info},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31}", processor_chain([ + dup110, + dup12, + dup152, + dup163, + dup164, + dup132, + dup154, + dup15, + dup253, + dup19, +])); + +var msg423 = msg("Compressed:01", part533); + +var select99 = linear_select([ + msg421, + msg422, + msg423, +]); + +var part534 = // "Pattern{Constant('Stop serving as the Group Update Provider (proxy server)'), Field(,false)}" +match("MESSAGE#355:Stop", "nwparser.payload", "Stop serving as the Group Update Provider (proxy server)%{}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup254, +])); + +var msg424 = msg("Stop", part534); + +var part535 = // "Pattern{Constant('Stop Symantec Network Access Control client.'), Field(,false)}" +match("MESSAGE#356:Stop:01", "nwparser.payload", "Stop Symantec Network Access Control client.%{}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup254, +])); + +var msg425 = msg("Stop:01", part535); + +var part536 = // "Pattern{Constant('Stop using Group Update Provider (proxy server) @ '), Field(saddr,false), Constant(':'), Field(sport,false), Constant('.')}" +match("MESSAGE#357:Stop:02", "nwparser.payload", "Stop using Group Update Provider (proxy server) @ %{saddr}:%{sport}.", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Stop using Group Update Provider (proxy server)."), +])); + +var msg426 = msg("Stop:02", part536); + +var select100 = linear_select([ + msg424, + msg425, + msg426, +]); + +var part537 = // "Pattern{Constant('Stopping Symantec Management Client....'), Field(p0,false)}" +match("MESSAGE#358:Stopping/0", "nwparser.payload", "Stopping Symantec Management Client....%{p0}"); + +var all151 = all_match({ + processors: [ + part537, + dup318, + ], + on_success: processor_chain([ + dup136, + dup12, + dup13, + setc("ec_activity","Stop"), + dup97, + dup22, + dup14, + dup15, + dup93, + setc("event_description","Stopping Symantec Management Client"), + ]), +}); + +var msg427 = msg("Stopping", all151); + +var part538 = // "Pattern{Constant('Submission Control signatures '), Field(version,true), Constant(' is up-to-date.')}" +match("MESSAGE#359:Submission", "nwparser.payload", "Submission Control signatures %{version->} is up-to-date.", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Submission Control signatures is up to date"), +])); + +var msg428 = msg("Submission", part538); + +var part539 = // "Pattern{Constant('Switched to server control.'), Field(,false)}" +match("MESSAGE#360:Switched", "nwparser.payload", "Switched to server control.%{}", processor_chain([ + dup136, + dup12, + dup13, + dup30, + dup97, + dup22, + dup14, + dup15, + setc("event_description","Switched to server control."), +])); + +var msg429 = msg("Switched", part539); + +var part540 = // "Pattern{Constant('Symantec Endpoint Protection Manager Content Catalog '), Field(version,true), Constant(' is up-to-date.')}" +match("MESSAGE#361:Symantec:18", "nwparser.payload", "Symantec Endpoint Protection Manager Content Catalog %{version->} is up-to-date.", processor_chain([ + dup86, + dup15, + setc("event_description","Symantec Endpoint Protection Manager Content Catalog is up to date."), +])); + +var msg430 = msg("Symantec:18", part540); + +var part541 = // "Pattern{Constant('Symantec Endpoint Protection Manager could not update TruScan proactive threat scan commercial application list '), Field(application,false), Constant('.')}" +match("MESSAGE#362:Symantec:33", "nwparser.payload", "Symantec Endpoint Protection Manager could not update TruScan proactive threat scan commercial application list %{application}.", processor_chain([ + dup43, + dup15, + setc("event_description","Symantec Endpoint Protection Manager could not update TruScan proactive threat scan."), +])); + +var msg431 = msg("Symantec:33", part541); + +var part542 = // "Pattern{Constant('Symantec Endpoint Protection '), Field(application,true), Constant(' '), Field(version,true), Constant(' ('), Field(info,false), Constant(') is up-to-date.')}" +match("MESSAGE#363:Symantec:17", "nwparser.payload", "Symantec Endpoint Protection %{application->} %{version->} (%{info}) is up-to-date.", processor_chain([ + dup86, + dup15, + setc("event_description","Symantec Endpoint Protection is up to date."), +])); + +var msg432 = msg("Symantec:17", part542); + +var part543 = // "Pattern{Constant('Symantec Endpoint Protection '), Field(application,true), Constant(' '), Field(version,true), Constant(' ('), Field(info,false), Constant(') failed to update.')}" +match("MESSAGE#364:Symantec:20", "nwparser.payload", "Symantec Endpoint Protection %{application->} %{version->} (%{info}) failed to update.", processor_chain([ + dup86, + dup12, + dup13, + dup15, + setc("event_description","Symantec Endpoint Protection failed to update."), +])); + +var msg433 = msg("Symantec:20", part543); + +var part544 = // "Pattern{Constant('Symantec Endpoint Protection Microsoft Exchange E-mail Auto-Protect Disabled'), Field(p0,false)}" +match("MESSAGE#365:Symantec:16/0", "nwparser.payload", "Symantec Endpoint Protection Microsoft Exchange E-mail Auto-Protect Disabled%{p0}"); + +var all152 = all_match({ + processors: [ + part544, + dup318, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup93, + setc("event_description","Symantec Endpoint Protection Microsoft Exchange E-mail Auto-Protect Disabled"), + ]), +}); + +var msg434 = msg("Symantec:16", all152); + +var part545 = // "Pattern{Constant('Symantec Network Access Control client started.'), Field(,false)}" +match("MESSAGE#366:Symantec:15", "nwparser.payload", "Symantec Network Access Control client started.%{}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + setc("event_description","Symantec Network Access Control client started."), +])); + +var msg435 = msg("Symantec:15", part545); + +var part546 = // "Pattern{Constant('Symantec Endpoint Protection Tamper Protection Disabled'), Field(,false)}" +match("MESSAGE#367:Symantec:11", "nwparser.payload", "Symantec Endpoint Protection Tamper Protection Disabled%{}", processor_chain([ + dup168, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Tamper Protection disabled"), +])); + +var msg436 = msg("Symantec:11", part546); + +var part547 = // "Pattern{Constant('Symantec AntiVirus Startup/Shutdown..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld5,false), Constant('..Time: '), Field(fld6,false), Constant('..Description: '), Field(info,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" +match("MESSAGE#368:Symantec", "nwparser.payload", "Symantec AntiVirus Startup/Shutdown..Computer: %{shost}..Date: %{fld5}..Time: %{fld6}..Description: %{info}..Severity: %{severity}..Source: %{product}", processor_chain([ + dup43, + dup166, + dup15, + dup255, +])); + +var msg437 = msg("Symantec", part547); + +var part548 = // "Pattern{Constant('Symantec AntiVirus Startup/Shutdown..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('........'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false)}" +match("MESSAGE#369:Symantec:01", "nwparser.payload", "Symantec AntiVirus Startup/Shutdown..%{shost}..%{fld5}........%{severity}..%{product}..%{fld6}", processor_chain([ + dup43, + dup166, + dup15, + dup255, +])); + +var msg438 = msg("Symantec:01", part548); + +var part549 = // "Pattern{Constant('Symantec AntiVirus Startup/Shutdown..'), Field(shost,false), Constant('..'), Field(fld5,false), Constant('..'), Field(severity,false), Constant('..'), Field(product,false), Constant('..'), Field(fld6,false)}" +match("MESSAGE#370:Symantec:02", "nwparser.payload", "Symantec AntiVirus Startup/Shutdown..%{shost}..%{fld5}..%{severity}..%{product}..%{fld6}", processor_chain([ + dup43, + dup166, + dup15, + dup255, +])); + +var msg439 = msg("Symantec:02", part549); + +var part550 = // "Pattern{Constant('Symantec Endpoint Protection Manager Content Catalog '), Field(version,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#371:Symantec:03/0", "nwparser.payload", "Symantec Endpoint Protection Manager Content Catalog %{version->} %{p0}"); + +var part551 = // "Pattern{Constant('is up-to-date '), Field(p0,false)}" +match("MESSAGE#371:Symantec:03/1_0", "nwparser.p0", "is up-to-date %{p0}"); + +var part552 = // "Pattern{Constant('was successfully updated '), Field(p0,false)}" +match("MESSAGE#371:Symantec:03/1_1", "nwparser.p0", "was successfully updated %{p0}"); + +var select101 = linear_select([ + part551, + part552, +]); + +var part553 = // "Pattern{Constant('.'), Field(,false)}" +match("MESSAGE#371:Symantec:03/2", "nwparser.p0", ".%{}"); + +var all153 = all_match({ + processors: [ + part550, + select101, + part553, + ], + on_success: processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Symantec Endpoint Protection Manager Content Catalog is up to date or successfully updated."), + ]), +}); + +var msg440 = msg("Symantec:03", all153); + +var part554 = // "Pattern{Constant('Symantec Endpoint Protection services shutdown was successful.'), Field(p0,false)}" +match("MESSAGE#372:Symantec:04/0", "nwparser.payload", "Symantec Endpoint Protection services shutdown was successful.%{p0}"); + +var all154 = all_match({ + processors: [ + part554, + dup318, + ], + on_success: processor_chain([ + dup256, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","Symantec Endpoint Protection services shutdown was successful."), + ]), +}); + +var msg441 = msg("Symantec:04", all154); + +var part555 = // "Pattern{Constant('Symantec Endpoint Protection services startup was successful.'), Field(p0,false)}" +match("MESSAGE#373:Symantec:05/0", "nwparser.payload", "Symantec Endpoint Protection services startup was successful.%{p0}"); + +var all155 = all_match({ + processors: [ + part555, + dup318, + ], + on_success: processor_chain([ + dup257, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","Symantec Endpoint Protection services startup was successful."), + ]), +}); + +var msg442 = msg("Symantec:05", all155); + +var part556 = // "Pattern{Constant('Symantec Management Client is stopped.'), Field(p0,false)}" +match("MESSAGE#374:Symantec:06/0", "nwparser.payload", "Symantec Management Client is stopped.%{p0}"); + +var all156 = all_match({ + processors: [ + part556, + dup318, + ], + on_success: processor_chain([ + dup256, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","Symantec Management Client is stopped."), + ]), +}); + +var msg443 = msg("Symantec:06", all156); + +var part557 = // "Pattern{Constant('Symantec Management Client has been '), Field(p0,false)}" +match("MESSAGE#375:Symantec:07/0", "nwparser.payload", "Symantec Management Client has been %{p0}"); + +var part558 = // "Pattern{Constant('started'), Field(p0,false)}" +match("MESSAGE#375:Symantec:07/1_0", "nwparser.p0", "started%{p0}"); + +var part559 = // "Pattern{Constant('activated'), Field(p0,false)}" +match("MESSAGE#375:Symantec:07/1_1", "nwparser.p0", "activated%{p0}"); + +var select102 = linear_select([ + part558, + part559, +]); + +var part560 = // "Pattern{Constant(' .'), Field(,false)}" +match("MESSAGE#375:Symantec:07/2_1", "nwparser.p0", " .%{}"); + +var select103 = linear_select([ + dup186, + part560, +]); + +var all157 = all_match({ + processors: [ + part557, + select102, + select103, + ], + on_success: processor_chain([ + dup257, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","Symantec Management Client has been started or activated."), + ]), +}); + +var msg444 = msg("Symantec:07", all157); + +var part561 = // "Pattern{Constant('Symantec Management Client has been '), Field(info,false)}" +match("MESSAGE#376:Symantec:08", "nwparser.payload", "Symantec Management Client has been %{info}", processor_chain([ + dup257, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Symantec Management Client has been activated."), +])); + +var msg445 = msg("Symantec:08", part561); + +var part562 = // "Pattern{Constant('Symantec Endpoint Protection Auto-Protect failed to load.'), Field(,false)}" +match("MESSAGE#377:Symantec:09", "nwparser.payload", "Symantec Endpoint Protection Auto-Protect failed to load.%{}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Symantec Endpoint Protection Auto-Protect failed to load."), +])); + +var msg446 = msg("Symantec:09", part562); + +var part563 = // "Pattern{Constant('Symantec Endpoint Protection has determined that the virus definitions are missing on this computer. '), Field(p0,false)}" +match("MESSAGE#378:Symantec:10/0", "nwparser.payload", "Symantec Endpoint Protection has determined that the virus definitions are missing on this computer. %{p0}"); + +var all158 = all_match({ + processors: [ + part563, + dup333, + ], + on_success: processor_chain([ + dup168, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","virus definitions are missing on this computer"), + ]), +}); + +var msg447 = msg("Symantec:10", all158); + +var part564 = // "Pattern{Constant('Symantec AntiVirus services startup was successful'), Field(,false)}" +match("MESSAGE#379:Symantec:12", "nwparser.payload", "Symantec AntiVirus services startup was successful%{}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + setc("event_description","services startup was successful"), +])); + +var msg448 = msg("Symantec:12", part564); + +var part565 = // "Pattern{Constant('Symantec AntiVirus services shutdown was successful'), Field(,false)}" +match("MESSAGE#380:Symantec:13", "nwparser.payload", "Symantec AntiVirus services shutdown was successful%{}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + setc("event_description","services shutdown was successful"), +])); + +var msg449 = msg("Symantec:13", part565); + +var part566 = // "Pattern{Constant('Symantec AntiVirus services failed to start. '), Field(space,true), Constant(' ('), Field(resultcode,false), Constant(')')}" +match("MESSAGE#381:Symantec:14", "nwparser.payload", "Symantec AntiVirus services failed to start. %{space->} (%{resultcode})", processor_chain([ + dup86, + dup12, + dup13, + dup14, + dup15, + dup258, +])); + +var msg450 = msg("Symantec:14", part566); + +var part567 = // "Pattern{Constant('Symantec Endpoint Protection services failed to start. '), Field(space,true), Constant(' ('), Field(resultcode,false), Constant(')')}" +match("MESSAGE#382:Symantec:19", "nwparser.payload", "Symantec Endpoint Protection services failed to start. %{space->} (%{resultcode})", processor_chain([ + dup86, + dup12, + dup13, + dup14, + dup15, + dup258, +])); + +var msg451 = msg("Symantec:19", part567); + +var part568 = // "Pattern{Constant('Symantec Endpoint Protection Manager server started with trial license.'), Field(,false)}" +match("MESSAGE#383:Symantec:21", "nwparser.payload", "Symantec Endpoint Protection Manager server started with trial license.%{}", processor_chain([ + dup43, + dup15, + setc("event_description","Symantec Endpoint Protection Manager server started with trial license."), +])); + +var msg452 = msg("Symantec:21", part568); + +var part569 = // "Pattern{Constant('Symantec trial license has expired.'), Field(,false)}" +match("MESSAGE#384:Symantec:22", "nwparser.payload", "Symantec trial license has expired.%{}", processor_chain([ + dup259, + dup15, + setc("event_description","Symantec trial license has expired."), +])); + +var msg453 = msg("Symantec:22", part569); + +var part570 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec Endpoint Protection,"Reputation check timed out during unproven file evaluation, likely due to network delays."')}" +match("MESSAGE#385:Symantec:23", "nwparser.payload", "Category: %{fld22},Symantec Endpoint Protection,\"Reputation check timed out during unproven file evaluation, likely due to network delays.\"", processor_chain([ + dup259, + dup12, + dup13, + dup15, + setc("event_description","Reputation check timed out"), +])); + +var msg454 = msg("Symantec:23", part570); + +var part571 = // "Pattern{Constant('Symantec Endpoint Protection Lotus Notes E-mail Auto-Protect Disabled'), Field(,false)}" +match("MESSAGE#386:Symantec:24", "nwparser.payload", "Symantec Endpoint Protection Lotus Notes E-mail Auto-Protect Disabled%{}", processor_chain([ + dup43, + dup12, + dup13, + dup15, + setc("event_description","Symantec Endpoint Protection Lotus Notes E-mail Auto-Protect Disabled"), +])); + +var msg455 = msg("Symantec:24", part571); + +var part572 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec AntiVirus,[Antivirus advanced heuristic detection submission] Submitting file to Symantec failed. File : ''), Field(filename,false), Constant(''.')}" +match("MESSAGE#387:Symantec:25", "nwparser.payload", "Category: %{fld22},Symantec AntiVirus,[Antivirus advanced heuristic detection submission] Submitting file to Symantec failed. File : '%{filename}'.", processor_chain([ + dup43, + dup12, + dup13, + dup15, + setc("event_description","Submitting file to Symantec failed"), +])); + +var msg456 = msg("Symantec:25", part572); + +var select104 = linear_select([ + dup261, + dup262, +]); + +var part573 = // "Pattern{Field(,false), Constant('advanced heuristic detection submission] Submitting information to Symantec about file failed. File : ''), Field(filename,false), Constant(''.'), Field(p0,false)}" +match("MESSAGE#388:Symantec:26/2", "nwparser.p0", "%{}advanced heuristic detection submission] Submitting information to Symantec about file failed. File : '%{filename}'.%{p0}"); + +var part574 = // "Pattern{Constant(' Network error : ''), Field(fld56,false), Constant(''.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#388:Symantec:26/3_0", "nwparser.p0", " Network error : '%{fld56}'.,Event time: %{fld17->} %{fld18}"); + +var select105 = linear_select([ + part574, + dup176, + dup91, +]); + +var all159 = all_match({ + processors: [ + dup260, + select104, + part573, + select105, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup15, + dup93, + setc("event_description","Submitting information to Symantec about file failed"), + ]), +}); + +var msg457 = msg("Symantec:26", all159); + +var part575 = // "Pattern{Field(,false), Constant('submission] Information submitted to Symantec about file. File : ''), Field(filename,false), Constant('','), Field(p0,false)}" +match("MESSAGE#389:Symantec:39/4", "nwparser.p0", "%{}submission] Information submitted to Symantec about file. File : '%{filename}',%{p0}"); + +var all160 = all_match({ + processors: [ + dup260, + dup337, + dup263, + dup338, + part575, + dup339, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup15, + dup93, + setc("event_description","Information submitted to Symantec about file."), + ]), +}); + +var msg458 = msg("Symantec:39", all160); + +var part576 = // "Pattern{Field(,false), Constant('submission] File submitted to Symantec for analysis. File : ''), Field(filename,false), Constant('','), Field(p0,false)}" +match("MESSAGE#390:Symantec:40/4", "nwparser.p0", "%{}submission] File submitted to Symantec for analysis. File : '%{filename}',%{p0}"); + +var all161 = all_match({ + processors: [ + dup260, + dup337, + dup263, + dup338, + part576, + dup339, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup15, + dup93, + setc("event_description","File submitted to Symantec for analysis."), + ]), +}); + +var msg459 = msg("Symantec:40", all161); + +var part577 = // "Pattern{Constant('Symantec Endpoint Protection Manager server started with paid license.'), Field(,false)}" +match("MESSAGE#391:Symantec:27", "nwparser.payload", "Symantec Endpoint Protection Manager server started with paid license.%{}", processor_chain([ + dup43, + dup12, + dup13, + dup15, + setc("event_description","Symantec Endpoint Protection Manager server started with paid license."), +])); + +var msg460 = msg("Symantec:27", part577); + +var part578 = // "Pattern{Constant('Uninstalling Symantec Management Client....'), Field(,false)}" +match("MESSAGE#392:Symantec:28", "nwparser.payload", "Uninstalling Symantec Management Client....%{}", processor_chain([ + dup43, + dup12, + dup13, + dup15, + setc("event_description","Uninstalling Symantec Management Client"), +])); + +var msg461 = msg("Symantec:28", part578); + +var part579 = // "Pattern{Constant('Category: 2,Symantec Endpoint Protection,SONAR has generated an error: code '), Field(resultcode,false), Constant(': description: '), Field(result,false)}" +match("MESSAGE#393:Symantec:29", "nwparser.payload", "Category: 2,Symantec Endpoint Protection,SONAR has generated an error: code %{resultcode}: description: %{result}", processor_chain([ + dup43, + dup12, + dup13, + dup187, + dup15, + setc("event_description","SONAR has generated an error"), +])); + +var msg462 = msg("Symantec:29", part579); + +var part580 = // "Pattern{Constant('Symantec Endpoint Protection cannot connect to Symantec Endpoint Protection Manager. '), Field(result,false), Constant('.')}" +match("MESSAGE#394:Symantec:30", "nwparser.payload", "Symantec Endpoint Protection cannot connect to Symantec Endpoint Protection Manager. %{result}.", processor_chain([ + dup43, + dup12, + dup13, + dup268, + dup187, + dup15, + setc("event_description","Symantec Endpoint Protection cannot connect to Symantec Endpoint Protection Manager."), +])); + +var msg463 = msg("Symantec:30", part580); + +var part581 = // "Pattern{Constant('The Symantec Endpoint Protection is unable to communicate with the Symantec Endpoint Protection Manager.'), Field(,false)}" +match("MESSAGE#395:Symantec:31", "nwparser.payload", "The Symantec Endpoint Protection is unable to communicate with the Symantec Endpoint Protection Manager.%{}", processor_chain([ + dup43, + dup12, + dup13, + dup268, + dup187, + dup15, + setc("event_description","The Symantec Endpoint Protection is unable to communicate with the Symantec Endpoint Protection Manager."), +])); + +var msg464 = msg("Symantec:31", part581); + +var part582 = // "Pattern{Constant('The Symantec Endpoint Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager.'), Field(,false)}" +match("MESSAGE#396:Symantec:32", "nwparser.payload", "The Symantec Endpoint Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager.%{}", processor_chain([ + dup43, + dup12, + dup13, + dup15, + setc("event_description","The Symantec Endpoint Protection is unable to download the newest policy from the Symantec Endpoint Protection Manager."), +])); + +var msg465 = msg("Symantec:32", part582); + +var part583 = // "Pattern{Constant('Category: 2,Symantec Endpoint Protection,SymELAM Protection has been enabled'), Field(p0,false)}" +match("MESSAGE#397:Symantec:36/0", "nwparser.payload", "Category: 2,Symantec Endpoint Protection,SymELAM Protection has been enabled%{p0}"); + +var all162 = all_match({ + processors: [ + part583, + dup318, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup15, + dup93, + setc("event_description","SymELAM Protection has been enabled"), + ]), +}); + +var msg466 = msg("Symantec:36", all162); + +var part584 = // "Pattern{Constant('Category: 2,Symantec Endpoint Protection,SONAR has been enabled'), Field(p0,false)}" +match("MESSAGE#398:Symantec:37/0", "nwparser.payload", "Category: 2,Symantec Endpoint Protection,SONAR has been enabled%{p0}"); + +var all163 = all_match({ + processors: [ + part584, + dup318, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup15, + dup93, + setc("event_description","SONAR has been enabled"), + ]), +}); + +var msg467 = msg("Symantec:37", all163); + +var part585 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec Endpoint Protection,SONAR has been disabled')}" +match("MESSAGE#401:Symantec:41", "nwparser.payload", "Category: %{fld22},Symantec Endpoint Protection,SONAR has been disabled", processor_chain([ + dup43, + dup56, + dup12, + dup13, + dup15, + setc("event_description","SONAR has been disabled"), +])); + +var msg468 = msg("Symantec:41", part585); + +var part586 = // "Pattern{Constant('Symantec Endpoint Protection Internet E-mail Auto-Protect Disabled,Event time: '), Field(event_time_string,false)}" +match("MESSAGE#403:Symantec:44", "nwparser.payload", "Symantec Endpoint Protection Internet E-mail Auto-Protect Disabled,Event time: %{event_time_string}", processor_chain([ + dup43, + dup12, + dup13, + dup15, + setc("event_description","Symantec Endpoint Protection Internet E-mail Auto-Protect Disabled"), +])); + +var msg469 = msg("Symantec:44", part586); + +var part587 = // "Pattern{Constant('Symantec Network Access Control is overdeployed'), Field(,false)}" +match("MESSAGE#511:Server:02", "nwparser.payload", "Symantec Network Access Control is overdeployed%{}", processor_chain([ + dup86, + dup12, + dup222, + dup14, + dup15, +])); + +var msg470 = msg("Server:02", part587); + +var part588 = // "Pattern{Constant('Symantec Endpoint Protection is overdeployed'), Field(,false)}" +match("MESSAGE#513:Server:04", "nwparser.payload", "Symantec Endpoint Protection is overdeployed%{}", processor_chain([ + dup86, + dup12, + dup222, + setc("event_description","Symantec Endpoint Protection is overdeployed"), + dup40, + dup15, +])); + +var msg471 = msg("Server:04", part588); + +var part589 = // "Pattern{Constant('Symantec Endpoint Protection Manager could not update '), Field(application,false), Constant('.')}" +match("MESSAGE#688:Symantec:34", "nwparser.payload", "Symantec Endpoint Protection Manager could not update %{application}.", processor_chain([ + dup43, + dup14, + dup15, + setc("event_description","Symantec Endpoint Protection Manager could not update."), +])); + +var msg472 = msg("Symantec:34", part589); + +var part590 = // "Pattern{Field(event_description,false), Constant('. File : '), Field(filename,false), Constant(', Size (bytes): '), Field(filename_size,false), Constant('.",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#689:Symantec:35/0_0", "nwparser.payload", "%{event_description}. File : %{filename}, Size (bytes): %{filename_size}.\",Event time:%{fld17->} %{fld18}"); + +var part591 = // "Pattern{Field(event_description,false), Constant('. File : '), Field(filename,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#689:Symantec:35/0_1", "nwparser.payload", "%{event_description}. File : %{filename},Event time:%{fld17->} %{fld18}"); + +var part592 = // "Pattern{Field(event_description,false), Constant('.,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#689:Symantec:35/0_2", "nwparser.payload", "%{event_description}.,Event time:%{fld17->} %{fld18}"); + +var part593 = // "Pattern{Field(event_description,false), Constant('Operating System: '), Field(os,false), Constant('Network info:'), Field(info,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#689:Symantec:35/0_3", "nwparser.payload", "%{event_description}Operating System: %{os}Network info:%{info},Event time:%{fld17->} %{fld18}"); + +var part594 = // "Pattern{Field(event_description,false), Constant('.')}" +match("MESSAGE#689:Symantec:35/0_4", "nwparser.payload", "%{event_description}."); + +var select106 = linear_select([ + part590, + part591, + part592, + part593, + part594, +]); + +var all164 = all_match({ + processors: [ + select106, + ], + on_success: processor_chain([ + dup43, + dup94, + dup13, + dup14, + dup15, + dup93, + ]), +}); + +var msg473 = msg("Symantec:35", all164); + +var part595 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec Endpoint Protection,'), Field(event_description,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#690:Symantec:45", "nwparser.payload", "Category: %{fld22},Symantec Endpoint Protection,%{event_description},Event time:%{fld17->} %{fld18}", processor_chain([ + dup43, + dup12, + dup13, + dup15, + dup93, +])); + +var msg474 = msg("Symantec:45", part595); + +var part596 = // "Pattern{Field(event_description,false)}" +match_copy("MESSAGE#691:Server:05", "nwparser.payload", "event_description", processor_chain([ + dup53, + dup12, + dup222, + dup40, + dup15, +])); + +var msg475 = msg("Server:05", part596); + +var select107 = linear_select([ + msg430, + msg431, + msg432, + msg433, + msg434, + msg435, + msg436, + msg437, + msg438, + msg439, + msg440, + msg441, + msg442, + msg443, + msg444, + msg445, + msg446, + msg447, + msg448, + msg449, + msg450, + msg451, + msg452, + msg453, + msg454, + msg455, + msg456, + msg457, + msg458, + msg459, + msg460, + msg461, + msg462, + msg463, + msg464, + msg465, + msg466, + msg467, + msg468, + msg469, + msg470, + msg471, + msg472, + msg473, + msg474, + msg475, +]); + +var part597 = // "Pattern{Constant('Suspicious Behavior Detection has been '), Field(fld2,false), Constant(',Event time: '), Field(event_time_string,false)}" +match("MESSAGE#402:Symantec:43", "nwparser.payload", "Suspicious Behavior Detection has been %{fld2},Event time: %{event_time_string}", processor_chain([ + dup43, + dup12, + dup13, + dup15, + setc("a","Suspicious Behavior Detection has been "), + call({ + dest: "nwparser.event_description", + fn: STRCAT, + args: [ + constant("a"), + field("fld2"), + ], + }), +])); + +var msg476 = msg("Symantec:43", part597); + +var part598 = // "Pattern{Constant('System has been restarted '), Field(info,false), Constant('.')}" +match("MESSAGE#404:System", "nwparser.payload", "System has been restarted %{info}.", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + setc("event_description","System has been restarted"), +])); + +var msg477 = msg("System", part598); + +var part599 = // "Pattern{Constant('System client-server activity logs have been swept.'), Field(,false)}" +match("MESSAGE#405:System:01", "nwparser.payload", "System client-server activity logs have been swept.%{}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + setc("event_description","System client-server activity logs have been swept."), +])); + +var msg478 = msg("System:01", part599); + +var part600 = // "Pattern{Constant('System server activity logs have been swept.'), Field(,false)}" +match("MESSAGE#406:System:02", "nwparser.payload", "System server activity logs have been swept.%{}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + setc("event_description","System server activity logs have been swept."), +])); + +var msg479 = msg("System:02", part600); + +var part601 = // "Pattern{Constant('System administrative logs have been swept.'), Field(,false)}" +match("MESSAGE#407:System:03", "nwparser.payload", "System administrative logs have been swept.%{}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + setc("event_description","System administrative logs have been swept."), +])); + +var msg480 = msg("System:03", part601); + +var part602 = // "Pattern{Constant('System enforcer activity logs have been swept.'), Field(,false)}" +match("MESSAGE#408:System:04", "nwparser.payload", "System enforcer activity logs have been swept.%{}", processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","System enforcer activity logs have been swept."), +])); + +var msg481 = msg("System:04", part602); + +var part603 = // "Pattern{Constant('System administrator "'), Field(username,false), Constant('" was added')}" +match("MESSAGE#409:System:05", "nwparser.payload", "System administrator \"%{username}\" was added", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, +])); + +var msg482 = msg("System:05", part603); + +var select108 = linear_select([ + msg477, + msg478, + msg479, + msg480, + msg481, + msg482, +]); + +var part604 = // "Pattern{Constant('- Caller MD5='), Field(fld6,false), Constant(','), Field(p0,false)}" +match("MESSAGE#410:Terminated/0_0", "nwparser.payload", "- Caller MD5=%{fld6},%{p0}"); + +var select109 = linear_select([ + part604, + dup269, +]); + +var part605 = // "Pattern{Field(action,false), Constant(',Begin:'), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End:'), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule:'), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User:'), Field(username,false), Constant(',Domain:'), Field(domain,false), Constant(',Action Type:'), Field(fld45,false), Constant(',File size (bytes):'), Field(filename_size,false), Constant(',Device ID:'), Field(device,false)}" +match("MESSAGE#410:Terminated/1", "nwparser.p0", "%{action},Begin:%{fld50->} %{fld52},End:%{fld51->} %{fld53},Rule:%{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User:%{username},Domain:%{domain},Action Type:%{fld45},File size (bytes):%{filename_size},Device ID:%{device}"); + +var all165 = all_match({ + processors: [ + select109, + part605, + ], + on_success: processor_chain([ + dup36, + dup12, + dup13, + dup129, + dup37, + dup14, + dup41, + dup42, + dup15, + setc("event_state","Terminated"), + ]), +}); + +var msg483 = msg("Terminated", all165); + +var part606 = // "Pattern{Constant('Compliance '), Field(p0,false)}" +match("MESSAGE#411:Compliance/0", "nwparser.payload", "Compliance %{p0}"); + +var part607 = // "Pattern{Constant('server '), Field(p0,false)}" +match("MESSAGE#411:Compliance/1_0", "nwparser.p0", "server %{p0}"); + +var part608 = // "Pattern{Constant('client '), Field(p0,false)}" +match("MESSAGE#411:Compliance/1_1", "nwparser.p0", "client %{p0}"); + +var part609 = // "Pattern{Constant('traffic '), Field(p0,false)}" +match("MESSAGE#411:Compliance/1_2", "nwparser.p0", "traffic %{p0}"); + +var part610 = // "Pattern{Constant('criteria '), Field(p0,false)}" +match("MESSAGE#411:Compliance/1_3", "nwparser.p0", "criteria %{p0}"); + +var select110 = linear_select([ + part607, + part608, + part609, + part610, +]); + +var part611 = // "Pattern{Constant('logs have been swept.'), Field(,false)}" +match("MESSAGE#411:Compliance/2", "nwparser.p0", "logs have been swept.%{}"); + +var all166 = all_match({ + processors: [ + part606, + select110, + part611, + ], + on_success: processor_chain([ + dup53, + dup14, + dup15, + setc("event_description","Compliance logs have been swept."), + ]), +}); + +var msg484 = msg("Compliance", all166); + +var part612 = // "Pattern{Constant('Download started.'), Field(,false)}" +match("MESSAGE#412:Download", "nwparser.payload", "Download started.%{}", processor_chain([ + dup43, + dup14, + dup15, + setc("event_description","Download started."), +])); + +var msg485 = msg("Download", part612); + +var part613 = // "Pattern{Constant('Traffic from IP address '), Field(hostip,true), Constant(' is blocked from '), Field(fld14,true), Constant(' to '), Field(fld15,false), Constant('.,Local: '), Field(daddr,false), Constant(',Local: '), Field(fld16,false), Constant(',Remote: '), Field(fld17,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld18,false), Constant(',Inbound,'), Field(fld19,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld10,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#413:Traffic", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld14->} to %{fld15}.,Local: %{daddr},Local: %{fld16},Remote: %{fld17},Remote: %{saddr},Remote: %{fld18},Inbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld10},User: %{username},Domain: %{domain}", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup270, + dup19, + dup34, +])); + +var msg486 = msg("Traffic", part613); + +var part614 = // "Pattern{Constant('Traffic from IP address '), Field(hostip,true), Constant(' is blocked from '), Field(fld14,true), Constant(' to '), Field(fld15,false), Constant('.,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld16,false), Constant(',Remote: '), Field(fld17,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld18,false), Constant(',Outbound,'), Field(fld19,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld10,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#414:Traffic:11", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld14->} to %{fld15}.,Local: %{saddr},Local: %{fld16},Remote: %{fld17},Remote: %{daddr},Remote: %{fld18},Outbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld10},User: %{username},Domain: %{domain}", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup270, + dup19, + dup35, +])); + +var msg487 = msg("Traffic:11", part614); + +var part615 = // "Pattern{Constant('Traffic from IP address '), Field(hostip,true), Constant(' is blocked from '), Field(fld1,true), Constant(' to '), Field(fld2,false), Constant('. ,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',1,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#415:Traffic:01", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld1->} to %{fld2}. ,Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},1,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain}", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup270, + dup19, +])); + +var msg488 = msg("Traffic:01", part615); + +var part616 = // "Pattern{Constant('Traffic from IP address '), Field(hostip,true), Constant(' is blocked from '), Field(fld1,true), Constant(' to '), Field(fld2,false), Constant('. ,Local: '), Field(daddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Inbound,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#416:Traffic:02/0", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld1->} to %{fld2}. ,Local: %{daddr},Local: %{fld3},Remote: %{fld4},Remote: %{saddr},Remote: %{fld5},Inbound,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); + +var all167 = all_match({ + processors: [ + part616, + dup319, + dup271, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup270, + dup19, + dup34, + ]), +}); + +var msg489 = msg("Traffic:02", all167); + +var part617 = // "Pattern{Constant('Traffic from IP address '), Field(hostip,true), Constant(' is blocked from '), Field(fld1,true), Constant(' to '), Field(fld2,false), Constant('. ,Local: '), Field(saddr,false), Constant(',Local: '), Field(fld3,false), Constant(',Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Outbound,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#417:Traffic:12/0", "nwparser.payload", "Traffic from IP address %{hostip->} is blocked from %{fld1->} to %{fld2}. ,Local: %{saddr},Local: %{fld3},Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Outbound,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); + +var all168 = all_match({ + processors: [ + part617, + dup319, + dup271, + ], + on_success: processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup270, + dup19, + dup35, + ]), +}); + +var msg490 = msg("Traffic:12", all168); + +var part618 = // "Pattern{Field(fld1,true), Constant(' Traffic Redirection disabled.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#717:Traffic:13", "nwparser.payload", "%{fld1->} Traffic Redirection disabled.,Event time: %{fld17->} %{fld18}", processor_chain([ + dup86, + dup12, + dup13, + dup15, + setc("event_description","Traffic Redirection disabled."), + dup93, +])); + +var msg491 = msg("Traffic:13", part618); + +var part619 = // "Pattern{Field(fld1,true), Constant(' Traffic Redirection is malfunctioning.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#718:Traffic:14", "nwparser.payload", "%{fld1->} Traffic Redirection is malfunctioning.,Event time: %{fld17->} %{fld18}", processor_chain([ + dup86, + dup12, + dup13, + dup15, + setc("event_description","Traffic Redirection is malfunctioning."), + dup93, +])); + +var msg492 = msg("Traffic:14", part619); + +var select111 = linear_select([ + msg486, + msg487, + msg488, + msg489, + msg490, + msg491, + msg492, +]); + +var part620 = // "Pattern{Constant('TruScan has generated an error: code '), Field(resultcode,false), Constant(': description: '), Field(info,false)}" +match("MESSAGE#418:TruScan", "nwparser.payload", "TruScan has generated an error: code %{resultcode}: description: %{info}", processor_chain([ + dup168, + dup12, + dup13, + dup14, + dup15, + setc("event_description","TruScan has generated an error"), +])); + +var msg493 = msg("TruScan", part620); + +var part621 = // "Pattern{Constant('Forced TruScan proactive threat detected,Computer name: '), Field(p0,false)}" +match("MESSAGE#419:TruScan:01/0", "nwparser.payload", "Forced TruScan proactive threat detected,Computer name: %{p0}"); + +var part622 = // "Pattern{Field(fld1,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version: '), Field(version,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld13,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score: '), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(',"'), Field(fld12,false), Constant('",Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld15,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" +match("MESSAGE#419:TruScan:01/2", "nwparser.p0", "%{fld1},Application name: %{application},Application type: %{obj_type},Application version: %{version},Hash type: %{encryption_type},Application hash: %{checksum},Company name: %{fld13},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score: %{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},\"%{fld12}\",Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld15},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); + +var all169 = all_match({ + processors: [ + part621, + dup325, + part622, + ], + on_success: processor_chain([ + setc("eventcategory","1001030200"), + dup12, + dup152, + dup93, + date_time({ + dest: "recorded_time", + args: ["fld15"], + fmts: [ + [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], + ], + }), + dup132, + dup154, + dup15, + setc("event_description"," TruScan proactive threat detected"), + dup19, + ]), +}); + +var msg494 = msg("TruScan:01", all169); + +var part623 = // "Pattern{Constant('TruScan '), Field(info,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#420:TruScan:update/0", "nwparser.payload", "TruScan %{info->} %{p0}"); + +var part624 = // "Pattern{Constant('was successfully updated'), Field(,false)}" +match("MESSAGE#420:TruScan:update/1_0", "nwparser.p0", "was successfully updated%{}"); + +var part625 = // "Pattern{Constant('is up-to-date'), Field(,false)}" +match("MESSAGE#420:TruScan:update/1_1", "nwparser.p0", "is up-to-date%{}"); + +var select112 = linear_select([ + part624, + part625, +]); + +var all170 = all_match({ + processors: [ + part623, + select112, + ], + on_success: processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Truscan was successfully updated or is up-to-date."), + ]), +}); + +var msg495 = msg("TruScan:update", all170); + +var part626 = // "Pattern{Constant('TruScan '), Field(info,true), Constant(' failed to update.')}" +match("MESSAGE#421:TruScan:updatefailed", "nwparser.payload", "TruScan %{info->} failed to update.", processor_chain([ + dup168, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Truscan failed to update."), +])); + +var msg496 = msg("TruScan:updatefailed", part626); + +var select113 = linear_select([ + msg493, + msg494, + msg495, + msg496, +]); + +var part627 = // "Pattern{Constant('Unexpected server error. ErrorCode: '), Field(resultcode,false)}" +match("MESSAGE#422:Unexpected", "nwparser.payload", "Unexpected server error. ErrorCode: %{resultcode}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup272, +])); + +var msg497 = msg("Unexpected", part627); + +var part628 = // "Pattern{Constant('Unexpected server error.'), Field(,false)}" +match("MESSAGE#423:Unexpected:01", "nwparser.payload", "Unexpected server error.%{}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + dup272, +])); + +var msg498 = msg("Unexpected:01", part628); + +var select114 = linear_select([ + msg497, + msg498, +]); + +var part629 = // "Pattern{Constant('Unsolicited incoming ARP reply detected,'), Field(info,false), Constant('",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld16,false), Constant(',Remote: '), Field(fld17,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld18,false), Constant(',Inbound,'), Field(fld19,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld20,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#424:Unsolicited", "nwparser.payload", "Unsolicited incoming ARP reply detected,%{info}\",Local: %{daddr},Local: %{fld16},Remote: %{fld17},Remote: %{saddr},Remote: %{fld18},Inbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld20},User: %{username},Domain: %{domain}", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup273, + dup19, + dup34, +])); + +var msg499 = msg("Unsolicited", part629); + +var part630 = // "Pattern{Constant('Unsolicited incoming ARP reply detected,'), Field(info,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld16,false), Constant(',Remote: '), Field(fld17,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld18,false), Constant(',Outbound,'), Field(fld19,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld20,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#425:Unsolicited:01", "nwparser.payload", "Unsolicited incoming ARP reply detected,%{info}\",Local: %{saddr},Local: %{fld16},Remote: %{fld17},Remote: %{daddr},Remote: %{fld18},Outbound,%{fld19},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld20},User: %{username},Domain: %{domain}", processor_chain([ + dup11, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup273, + dup19, + dup35, +])); + +var msg500 = msg("Unsolicited:01", part630); + +var select115 = linear_select([ + msg499, + msg500, +]); + +var part631 = // "Pattern{Constant('User is attempting to terminate Symantec Management Client'), Field(p0,false)}" +match("MESSAGE#426:User/0", "nwparser.payload", "User is attempting to terminate Symantec Management Client%{p0}"); + +var part632 = // "Pattern{Constant('....,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#426:User/1_0", "nwparser.p0", "....,Event time:%{fld17->} %{fld18}"); + +var select116 = linear_select([ + part632, + dup91, +]); + +var all171 = all_match({ + processors: [ + part631, + select116, + ], + on_success: processor_chain([ + setc("eventcategory","1401040000"), + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","User is attempting to terminate Symantec Management Client."), + ]), +}); + +var msg501 = msg("User", all171); + +var part633 = // "Pattern{Field(fld44,false), Constant(',User - Kernel Hook Error,'), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#427:User:01", "nwparser.payload", "%{fld44},User - Kernel Hook Error,%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{fld4},%{fld5},%{fld6},%{fld7},User: %{username},Domain: %{domain}", processor_chain([ + dup171, + dup12, + dup13, + dup20, + dup97, + dup187, + dup14, + dup41, + dup42, + dup15, + setc("event_description"," User - Kernel Hook Error"), +])); + +var msg502 = msg("User:01", part633); + +var part634 = // "Pattern{Constant('User has been created'), Field(,false)}" +match("MESSAGE#428:User:created", "nwparser.payload", "User has been created%{}", processor_chain([ + dup170, + dup12, + dup13, + dup20, + dup96, + dup28, + dup22, + dup14, + dup15, + dup23, + setc("event_description","User has been created."), +])); + +var msg503 = msg("User:created", part634); + +var part635 = // "Pattern{Constant('User has been deleted'), Field(,false)}" +match("MESSAGE#429:User:deleted", "nwparser.payload", "User has been deleted%{}", processor_chain([ + dup171, + dup12, + dup13, + dup20, + dup27, + dup28, + dup22, + dup14, + dup15, + dup23, + setc("event_description","User has been deleted."), +])); + +var msg504 = msg("User:deleted", part635); + +var select117 = linear_select([ + msg501, + msg502, + msg503, + msg504, +]); + +var part636 = // "Pattern{Constant('Windows Version info: Operating System: '), Field(os,true), Constant(' Network info:'), Field(p0,false)}" +match("MESSAGE#446:Windows/0", "nwparser.payload", "Windows Version info: Operating System: %{os->} Network info:%{p0}"); + +var part637 = // "Pattern{Field(info,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#446:Windows/1_0", "nwparser.p0", "%{info},Event time:%{fld17->} %{fld18}"); + +var select118 = linear_select([ + part637, + dup212, +]); + +var all172 = all_match({ + processors: [ + part636, + select118, + ], + on_success: processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + dup93, + dup274, + ]), +}); + +var msg505 = msg("Windows", all172); + +var part638 = // "Pattern{Constant('Windows Host Integrity Content '), Field(version,true), Constant(' was successfully updated.')}" +match("MESSAGE#447:Windows:01", "nwparser.payload", "Windows Host Integrity Content %{version->} was successfully updated.", processor_chain([ + dup92, + dup12, + dup13, + dup14, + dup15, + dup274, +])); + +var msg506 = msg("Windows:01", part638); + +var select119 = linear_select([ + msg505, + msg506, +]); + +var part639 = // "Pattern{Constant('"=======EXCEPTION:'), Field(event_description,false), Constant('"')}" +match("MESSAGE#448:\"=======EXCEPTION:", "nwparser.payload", "\"=======EXCEPTION:%{event_description}\"", processor_chain([ + dup168, + dup12, + dup13, + dup14, + dup15, +])); + +var msg507 = msg("\"=======EXCEPTION:", part639); + +var part640 = // "Pattern{Constant('Sysfer exception: '), Field(info,false), Constant(',Sysfer exception,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(','), Field(event_description,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld6,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" +match("MESSAGE#449:Allowed:08", "nwparser.payload", "Sysfer exception: %{info},Sysfer exception,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},%{event_description},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup132, + dup15, +])); + +var msg508 = msg("Allowed:08", part640); + +var part641 = // "Pattern{Constant('Sysfer exception: '), Field(info,false), Constant(',Sysfer exception,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(','), Field(event_description,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#450:Allowed", "nwparser.payload", "Sysfer exception: %{info},Sysfer exception,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},%{event_description},User: %{username},Domain: %{domain}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup132, + dup15, +])); + +var msg509 = msg("Allowed", part641); + +var part642 = // "Pattern{Constant('"'), Field(filename,false), Constant('",'), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld4,false), Constant(','), Field(process,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(info,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld8,false)}" +match("MESSAGE#451:Allowed:05", "nwparser.payload", "\"%{filename}\",%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup122, +])); + +var msg510 = msg("Allowed:05", part642); + +var part643 = // "Pattern{Constant('"'), Field(filename,false), Constant(','), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld4,false), Constant(','), Field(process,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(info,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld8,false)}" +match("MESSAGE#452:Allowed:06", "nwparser.payload", "\"%{filename},%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup122, +])); + +var msg511 = msg("Allowed:06", part643); + +var part644 = // "Pattern{Constant('"'), Field(filename,false), Constant('",'), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld4,false), Constant(','), Field(process,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(info,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#453:Allowed:01", "nwparser.payload", "\"%{filename}\",%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup122, +])); + +var msg512 = msg("Allowed:01", part644); + +var part645 = // "Pattern{Field(fld1,false), Constant(',File Read,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(directory,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(p0,false)}" +match("MESSAGE#454:Allowed:02/0", "nwparser.payload", "%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},No Module Name,%{directory},User: %{username},Domain: %{p0}"); + +var part646 = // "Pattern{Field(domain,false), Constant(',Action Type:'), Field(fld45,false), Constant(',File size (bytes):'), Field(filename_size,false), Constant(',Device ID:'), Field(device,false)}" +match("MESSAGE#454:Allowed:02/1_0", "nwparser.p0", "%{domain},Action Type:%{fld45},File size (bytes):%{filename_size},Device ID:%{device}"); + +var select120 = linear_select([ + part646, + dup10, +]); + +var all173 = all_match({ + processors: [ + part645, + select120, + ], + on_success: processor_chain([ + dup121, + dup12, + dup13, + dup14, + setc("event_description","File Read"), + dup41, + dup42, + dup132, + dup15, + dup124, + dup125, + ]), +}); + +var msg513 = msg("Allowed:02", all173); + +var part647 = // "Pattern{Constant('- Caller MD5='), Field(checksum,false), Constant(',File Write,Begin: '), Field(p0,false)}" +match("MESSAGE#455:Allowed:09/0_0", "nwparser.payload", "- Caller MD5=%{checksum},File Write,Begin: %{p0}"); + +var part648 = // "Pattern{Field(fld1,false), Constant(',File Write,Begin: '), Field(p0,false)}" +match("MESSAGE#455:Allowed:09/0_1", "nwparser.payload", "%{fld1},File Write,Begin: %{p0}"); + +var select121 = linear_select([ + part647, + part648, +]); + +var part649 = // "Pattern{Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(p0,false)}" +match("MESSAGE#455:Allowed:09/1", "nwparser.p0", "%{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); + +var part650 = // "Pattern{Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld46,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" +match("MESSAGE#455:Allowed:09/3", "nwparser.p0", "%{username},Domain: %{domain},Action Type:%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); + +var all174 = all_match({ + processors: [ + select121, + part649, + dup340, + part650, + ], + on_success: processor_chain([ + dup121, + dup12, + dup13, + dup129, + dup41, + dup42, + dup277, + dup15, + dup124, + dup128, + ]), +}); + +var msg514 = msg("Allowed:09", all174); + +var part651 = // "Pattern{Field(fld1,false), Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(directory,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld46,false)}" +match("MESSAGE#456:Allowed:03", "nwparser.payload", "%{fld1},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},No Module Name,%{directory},User: %{username},Domain: %{domain},Action Type:%{fld46}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup277, + dup132, + dup15, + dup124, + dup128, +])); + +var msg515 = msg("Allowed:03", part651); + +var part652 = // "Pattern{Constant('- Caller MD5='), Field(checksum,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(p0,false)}" +match("MESSAGE#457:Allowed:10/0", "nwparser.payload", "- Caller MD5=%{checksum},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); + +var part653 = // "Pattern{Constant('User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(p0,false)}" +match("MESSAGE#457:Allowed:10/2", "nwparser.p0", "User: %{username},Domain: %{domain},Action Type:%{p0}"); + +var part654 = // "Pattern{Field(fld46,false)}" +match_copy("MESSAGE#457:Allowed:10/3_1", "nwparser.p0", "fld46"); + +var select122 = linear_select([ + dup278, + part654, +]); + +var all175 = all_match({ + processors: [ + part652, + dup327, + part653, + select122, + ], + on_success: processor_chain([ + dup121, + dup12, + dup13, + dup124, + dup27, + dup14, + dup41, + dup42, + dup279, + dup15, + dup131, + ]), +}); + +var msg516 = msg("Allowed:10", all175); + +var part655 = // "Pattern{Field(fld1,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(filename,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(directory,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld46,false)}" +match("MESSAGE#458:Allowed:04", "nwparser.payload", "%{fld1},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{filename},%{fld4},No Module Name,%{directory},User: %{username},Domain: %{domain},Action Type:%{fld46}", processor_chain([ + dup121, + dup12, + dup13, + dup124, + dup27, + dup14, + dup41, + dup42, + dup132, + dup279, + dup15, + dup131, +])); + +var msg517 = msg("Allowed:04", part655); + +var part656 = // "Pattern{Field(filename,false), Constant(','), Field(fld1,false), Constant(',Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld4,false), Constant(','), Field(process,false), Constant(','), Field(fld5,false), Constant(','), Field(fld6,false), Constant(','), Field(info,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld8,false)}" +match("MESSAGE#459:Allowed:07", "nwparser.payload", "%{filename},%{fld1},Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld4},%{process},%{fld5},%{fld6},%{info},User: %{username},Domain: %{domain},Action Type: %{fld8}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup122, +])); + +var msg518 = msg("Allowed:07", part656); + +var select123 = linear_select([ + msg508, + msg509, + msg510, + msg511, + msg512, + msg513, + msg514, + msg515, + msg516, + msg517, + msg518, +]); + +var part657 = // "Pattern{Constant('Audit logs have been swept.'), Field(,false)}" +match("MESSAGE#460:Audit", "nwparser.payload", "Audit logs have been swept.%{}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Audit logs have been swept."), +])); + +var msg519 = msg("Audit", part657); + +var part658 = // "Pattern{Field(fld24,false), Constant(','), Field(fld1,false), Constant(',FATAL: '), Field(event_description,false)}" +match("MESSAGE#465:Category", "nwparser.payload", "%{fld24},%{fld1},FATAL: %{event_description}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, +])); + +var msg520 = msg("Category", part658); + +var part659 = // "Pattern{Field(fld1,false), Constant(','), Field(fld2,false), Constant(','), Field(event_description,true), Constant(' Remote file path:'), Field(p0,false)}" +match("MESSAGE#466:Category:03/0", "nwparser.payload", "%{fld1},%{fld2},%{event_description->} Remote file path:%{p0}"); + +var part660 = // "Pattern{Field(url,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#466:Category:03/1_0", "nwparser.p0", "%{url},Event time:%{fld17->} %{fld18}"); + +var select124 = linear_select([ + part660, + dup64, +]); + +var all176 = all_match({ + processors: [ + part659, + select124, + ], + on_success: processor_chain([ + dup43, + fqdn("daddr","url"), + port("dport","url"), + dup12, + dup13, + dup14, + dup93, + dup15, + ]), +}); + +var msg521 = msg("Category:03", all176); + +var part661 = // "Pattern{Field(fld1,false), Constant(','), Field(fld2,false), Constant(',Downloaded content from GUP '), Field(daddr,false), Constant(': '), Field(p0,false)}" +match("MESSAGE#467:Category:02/0", "nwparser.payload", "%{fld1},%{fld2},Downloaded content from GUP %{daddr}: %{p0}"); + +var part662 = // "Pattern{Field(dport,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#467:Category:02/1_0", "nwparser.p0", "%{dport},Event time:%{fld17->} %{fld18}"); + +var part663 = // "Pattern{Field(dport,false)}" +match_copy("MESSAGE#467:Category:02/1_1", "nwparser.p0", "dport"); + +var select125 = linear_select([ + part662, + part663, +]); + +var all177 = all_match({ + processors: [ + part661, + select125, + ], + on_success: processor_chain([ + dup43, + setc("event_description","Downloaded content from GUP"), + dup12, + dup13, + dup14, + dup15, + dup93, + ]), +}); + +var msg522 = msg("Category:02", all177); + +var part664 = // "Pattern{Field(fld1,false), Constant(','), Field(fld2,false), Constant(','), Field(p0,false)}" +match("MESSAGE#468:Category:01/0", "nwparser.payload", "%{fld1},%{fld2},%{p0}"); + +var part665 = // "Pattern{Field(event_description,false), Constant('. File : ''), Field(filename,false), Constant('',",Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#468:Category:01/1_0", "nwparser.p0", "%{event_description}. File : '%{filename}',\",Event time: %{fld17->} %{fld18}"); + +var part666 = // "Pattern{Field(event_description,false), Constant('Size (bytes): '), Field(filename_size,false), Constant('.,Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#468:Category:01/1_1", "nwparser.p0", "%{event_description}Size (bytes): %{filename_size}.,Event time: %{fld17->} %{fld18}"); + +var part667 = // "Pattern{Field(event_description,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#468:Category:01/1_2", "nwparser.p0", "%{event_description},Event time: %{fld17->} %{fld18}"); + +var part668 = // "Pattern{Field(event_description,false), Constant('. Size (bytes):'), Field(filename_size,false), Constant('.')}" +match("MESSAGE#468:Category:01/1_3", "nwparser.p0", "%{event_description}. Size (bytes):%{filename_size}."); + +var part669 = // "Pattern{Field(event_description,false), Constant('. '), Field(space,true), Constant(' File : ''), Field(filename,false), Constant('',"')}" +match("MESSAGE#468:Category:01/1_4", "nwparser.p0", "%{event_description}. %{space->} File : '%{filename}',\""); + +var part670 = // "Pattern{Field(event_description,false), Constant('. '), Field(space,true), Constant(' File : ''), Field(filename,false), Constant(''')}" +match("MESSAGE#468:Category:01/1_5", "nwparser.p0", "%{event_description}. %{space->} File : '%{filename}'"); + +var part671 = // "Pattern{Field(event_description,false)}" +match_copy("MESSAGE#468:Category:01/1_6", "nwparser.p0", "event_description"); + +var select126 = linear_select([ + part665, + part666, + part667, + part668, + part669, + part670, + part671, +]); + +var all178 = all_match({ + processors: [ + part664, + select126, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup93, + dup15, + ]), +}); + +var msg523 = msg("Category:01", all178); + +var select127 = linear_select([ + msg520, + msg521, + msg522, + msg523, +]); + +var part672 = // "Pattern{Constant('Default '), Field(info,false), Constant('..Computer: '), Field(shost,false), Constant('..Date: '), Field(fld2,false), Constant('..Failed Alert Name: '), Field(action,false), Constant('..Time: '), Field(fld3,true), Constant(' '), Field(fld1,false), Constant('..Severity: '), Field(severity,false), Constant('..Source: '), Field(product,false)}" +match("MESSAGE#469:Default", "nwparser.payload", "Default %{info}..Computer: %{shost}..Date: %{fld2}..Failed Alert Name: %{action}..Time: %{fld3->} %{fld1}..Severity: %{severity}..Source: %{product}", processor_chain([ + dup43, + date_time({ + dest: "event_time", + args: ["fld2","fld3","fld1"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dW,dN,dc(":"),dU,dc(":"),dO,dP], + ], + }), + setc("event_description","Default Alert"), + dup15, +])); + +var msg524 = msg("Default", part672); + +var part673 = // "Pattern{Constant('Default Group blocks new clients. The client cannot register with the Default Group.'), Field(,false)}" +match("MESSAGE#470:Default:01", "nwparser.payload", "Default Group blocks new clients. The client cannot register with the Default Group.%{}", processor_chain([ + dup43, + dup12, + dup13, + dup15, + setc("event_description","Default Group blocks new clients. The client cannot register with the Default Group."), +])); + +var msg525 = msg("Default:01", part673); + +var select128 = linear_select([ + msg524, + msg525, +]); + +var part674 = // "Pattern{Field(action,false), Constant('. '), Field(info,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(','), Field(direction,false), Constant(','), Field(fld5,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(fld24,false), Constant(',Intrusion Payload URL:'), Field(fld12,false)}" +match("MESSAGE#471:Device:01", "nwparser.payload", "%{action}. %{info},Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},%{direction},%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{fld24},Intrusion Payload URL:%{fld12}", processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup142, + dup19, +])); + +var msg526 = msg("Device:01", part674); + +var part675 = // "Pattern{Field(action,false), Constant('. '), Field(info,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld25,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(','), Field(direction,false), Constant(','), Field(fld5,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld8,false), Constant(','), Field(p0,false)}" +match("MESSAGE#472:Device/0", "nwparser.payload", "%{action}. %{info},Local: %{saddr},Local: %{fld1},Remote: %{fld25},Remote: %{daddr},Remote: %{fld3},%{direction},%{fld5},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld8},%{p0}"); + +var part676 = // "Pattern{Constant('"User:'), Field(username,false), Constant('",Domain:'), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld26,false)}" +match("MESSAGE#472:Device/1_0", "nwparser.p0", "\"User:%{username}\",Domain:%{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld26}"); + +var part677 = // "Pattern{Constant(' User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#472:Device/1_1", "nwparser.p0", " User: %{username},Domain: %{domain}"); + +var select129 = linear_select([ + part676, + part677, +]); + +var all179 = all_match({ + processors: [ + part675, + select129, + ], + on_success: processor_chain([ + dup43, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup142, + dup19, + ]), +}); + +var msg527 = msg("Device", all179); + +var select130 = linear_select([ + msg526, + msg527, +]); + +var part678 = // "Pattern{Constant('Email sending failed'), Field(,false)}" +match("MESSAGE#473:Email", "nwparser.payload", "Email sending failed%{}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + setc("event_description","Email sending failed"), +])); + +var msg528 = msg("Email", part678); + +var part679 = // "Pattern{Field(fld5,true), Constant(' - Caller MD5='), Field(checksum,false), Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(p0,false)}" +match("MESSAGE#474:FileWrite:02/0", "nwparser.payload", "%{fld5->} - Caller MD5=%{checksum},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); + +var part680 = // "Pattern{Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(p0,false)}" +match("MESSAGE#474:FileWrite:02/2", "nwparser.p0", "%{username},Domain: %{domain},Action Type:%{p0}"); + +var part681 = // "Pattern{Field(fld44,false)}" +match_copy("MESSAGE#474:FileWrite:02/3_1", "nwparser.p0", "fld44"); + +var select131 = linear_select([ + dup278, + part681, +]); + +var all180 = all_match({ + processors: [ + part679, + dup340, + part680, + select131, + ], + on_success: processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup133, + dup124, + dup128, + ]), +}); + +var msg529 = msg("FileWrite:02", all180); + +var part682 = // "Pattern{Constant('[AC5-1.1] Log files written to Removable Media,File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" +match("MESSAGE#475:FileWrite:01", "nwparser.payload", "[AC5-1.1] Log files written to Removable Media,File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup133, + dup124, + dup128, +])); + +var msg530 = msg("FileWrite:01", part682); + +var part683 = // "Pattern{Field(fld5,false), Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" +match("MESSAGE#476:FileWrite:03", "nwparser.payload", "%{fld5},File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup133, + dup124, + dup128, +])); + +var msg531 = msg("FileWrite:03", part683); + +var part684 = // "Pattern{Constant(',File Write,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#477:FileWrite", "nwparser.payload", ",File Write,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup133, + dup124, + dup128, +])); + +var msg532 = msg("FileWrite", part684); + +var part685 = // "Pattern{Constant('[AC5-1.1] Log files written to Removable Media,File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" +match("MESSAGE#478:FileDelete", "nwparser.payload", "[AC5-1.1] Log files written to Removable Media,File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup280, + dup124, + dup131, +])); + +var msg533 = msg("FileDelete", part685); + +var part686 = // "Pattern{Field(info,true), Constant(' - Caller MD5='), Field(checksum,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(p0,false)}" +match("MESSAGE#479:Continue/0", "nwparser.payload", "%{info->} - Caller MD5=%{checksum},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{p0}"); + +var part687 = // "Pattern{Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" +match("MESSAGE#479:Continue/2", "nwparser.p0", "%{username},Domain: %{domain},Action Type:%{fld44},File size (bytes): %{filename_size},Device ID: %{device}"); + +var all181 = all_match({ + processors: [ + part686, + dup340, + part687, + ], + on_success: processor_chain([ + dup121, + dup12, + dup13, + dup129, + dup14, + dup41, + dup42, + dup15, + dup280, + dup124, + dup131, + ]), +}); + +var msg534 = msg("Continue", all181); + +var part688 = // "Pattern{Field(fld5,true), Constant(' - Caller MD5='), Field(fld6,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" +match("MESSAGE#480:FileDelete:01", "nwparser.payload", "%{fld5->} - Caller MD5=%{fld6},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup280, + dup124, + dup131, +])); + +var msg535 = msg("FileDelete:01", part688); + +var part689 = // "Pattern{Field(fld5,false), Constant(',File Delete,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(',No Module Name,'), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" +match("MESSAGE#481:FileDelete:02", "nwparser.payload", "%{fld5},File Delete,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},No Module Name,%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup280, + dup124, + dup131, +])); + +var msg536 = msg("FileDelete:02", part689); + +var part690 = // "Pattern{Field(fld5,false), Constant(',System,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld6,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld44,false)}" +match("MESSAGE#482:System:06", "nwparser.payload", "%{fld5},System,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld6},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld44}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, +])); + +var msg537 = msg("System:06", part690); + +var part691 = // "Pattern{Field(fld1,false), Constant(',File Read,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(fld3,false), Constant(','), Field(process,false), Constant(','), Field(fld4,false), Constant(','), Field(fld5,false), Constant(','), Field(filename,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type:'), Field(fld6,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" +match("MESSAGE#495:File:10", "nwparser.payload", "%{fld1},File Read,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Rule: %{rulename},%{fld3},%{process},%{fld4},%{fld5},%{filename},User: %{username},Domain: %{domain},Action Type:%{fld6},File size (bytes): %{filename_size},Device ID: %{device}", processor_chain([ + dup121, + dup12, + dup13, + dup14, + dup41, + dup42, + dup122, + dup130, + dup124, + dup125, +])); + +var msg538 = msg("File:10", part691); + +var part692 = // "Pattern{Field(fld11,true), Constant(' - Caller MD5='), Field(fld6,false), Constant(','), Field(p0,false)}" +match("MESSAGE#503:Blocked:08/0_0", "nwparser.payload", "%{fld11->} - Caller MD5=%{fld6},%{p0}"); + +var select132 = linear_select([ + part692, + dup269, +]); + +var part693 = // "Pattern{Field(action,false), Constant(',Begin: '), Field(fld2,true), Constant(' '), Field(fld3,false), Constant(',End: '), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(',Rule: '), Field(rulename,false), Constant(','), Field(process_id,false), Constant(','), Field(process,false), Constant(','), Field(fld6,false), Constant(','), Field(fld7,false), Constant(','), Field(fld8,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Action Type: '), Field(fld9,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" +match("MESSAGE#503:Blocked:08/1", "nwparser.p0", "%{action},Begin: %{fld2->} %{fld3},End: %{fld4->} %{fld5},Rule: %{rulename},%{process_id},%{process},%{fld6},%{fld7},%{fld8},User: %{username},Domain: %{domain},Action Type: %{fld9},File size (%{fld10}): %{filename_size},Device ID: %{device}"); + +var all182 = all_match({ + processors: [ + select132, + part693, + ], + on_success: processor_chain([ + dup121, + dup12, + dup13, + dup129, + dup15, + dup134, + dup135, + ]), +}); + +var msg539 = msg("Blocked:08", all182); + +var select133 = linear_select([ + msg529, + msg530, + msg531, + msg532, + msg533, + msg534, + msg535, + msg536, + msg537, + msg538, + msg539, +]); + +var part694 = // "Pattern{Field(event_description,false), Constant('",Local: '), Field(daddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld9,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Inbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(fld7,false)}" +match("MESSAGE#505:Ping/1", "nwparser.p0", "%{event_description}\",Local: %{daddr},Local: %{fld1},Remote: %{fld9},Remote: %{saddr},Remote: %{fld3},Inbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{fld7}"); + +var all183 = all_match({ + processors: [ + dup341, + part694, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup122, + dup19, + dup34, + ]), +}); + +var msg540 = msg("Ping", all183); + +var part695 = // "Pattern{Field(event_description,false), Constant('",Local: '), Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld9,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Outbound,'), Field(protocol,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(fld7,false)}" +match("MESSAGE#506:Ping:01/1", "nwparser.p0", "%{event_description}\",Local: %{saddr},Local: %{fld1},Remote: %{fld9},Remote: %{daddr},Remote: %{fld3},Outbound,%{protocol},,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{fld7}"); + +var all184 = all_match({ + processors: [ + dup341, + part695, + ], + on_success: processor_chain([ + dup69, + dup12, + dup13, + dup14, + dup41, + dup42, + dup15, + dup122, + dup19, + dup35, + ]), +}); + +var msg541 = msg("Ping:01", all184); + +var select134 = linear_select([ + msg540, + msg541, +]); + +var part696 = // "Pattern{Field(fld1,false), Constant(': Site: '), Field(fld2,false), Constant(',Server: '), Field(hostid,false), Constant(','), Field(directory,true), Constant(' '), Field(event_description,false)}" +match("MESSAGE#509:Server", "nwparser.payload", "%{fld1}: Site: %{fld2},Server: %{hostid},%{directory->} %{event_description}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, +])); + +var msg542 = msg("Server", part696); + +var part697 = // "Pattern{Constant('Server returned HTTP response code: '), Field(resultcode,true), Constant(' for URL: '), Field(url,false)}" +match("MESSAGE#510:Server:01", "nwparser.payload", "Server returned HTTP response code: %{resultcode->} for URL: %{url}", processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, +])); + +var msg543 = msg("Server:01", part697); + +var part698 = // "Pattern{Constant('Server security validation failed.'), Field(,false)}" +match("MESSAGE#512:Server:03", "nwparser.payload", "Server security validation failed.%{}", processor_chain([ + dup174, + dup94, + setf("saddr","hhostid"), + dup14, + dup15, +])); + +var msg544 = msg("Server:03", part698); + +var select135 = linear_select([ + msg542, + msg543, + msg544, +]); + +var part699 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" +match("MESSAGE#514:1", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ + dup110, + dup115, + dup116, + dup38, + dup152, + dup200, + dup15, + dup283, +])); + +var msg545 = msg("1", part699); + +var part700 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" +match("MESSAGE#515:2", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ + dup110, + dup115, + dup116, + dup38, + dup152, + dup162, + dup15, + dup283, +])); + +var msg546 = msg("2", part700); + +var part701 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" +match("MESSAGE#516:3", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ + dup110, + dup115, + dup116, + dup38, + dup152, + setc("event_description","FW Violation Event"), + dup15, + dup283, +])); + +var msg547 = msg("3", part701); + +var part702 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" +match("MESSAGE#517:4", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ + dup110, + dup115, + dup116, + dup38, + dup152, + setc("event_description","IDS Event"), + dup15, + dup283, +])); + +var msg548 = msg("4", part702); + +var part703 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" +match("MESSAGE#518:5", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ + dup110, + dup115, + dup116, + dup38, + dup152, + setc("event_description","CAL Event"), + dup15, + dup283, +])); + +var msg549 = msg("5", part703); + +var part704 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" +match("MESSAGE#519:6", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ + dup110, + dup115, + dup116, + dup38, + dup152, + setc("event_description","Forced Detection Event"), + dup15, + dup283, +])); + +var msg550 = msg("6", part704); + +var part705 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" +match("MESSAGE#520:7", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ + dup110, + dup115, + dup116, + dup38, + dup152, + setc("event_description","Detection Whitelisted"), + dup15, + dup283, +])); + +var msg551 = msg("7", part705); + +var part706 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" +match("MESSAGE#521:8", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ + dup110, + dup115, + dup116, + dup38, + dup152, + dup227, + dup15, + dup283, +])); + +var msg552 = msg("8", part706); + +var part707 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" +match("MESSAGE#522:9", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ + dup110, + dup115, + dup116, + dup38, + dup152, + setc("event_description","Risk submitted"), + dup15, + dup283, +])); + +var msg553 = msg("9", part707); + +var part708 = // "Pattern{Field(hostip,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(username,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(virusname,false), Constant('^^'), Field(info,false), Constant('^^'), Field(disposition,false), Constant('^^'), Field(action,false), Constant('^^'), Field(recorded_time,false), Constant('^^'), Field(fld33,false), Constant('^^'), Field(fld1,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(filename,false), Constant('^^'), Field(fld2,false)}" +match("MESSAGE#523:10", "nwparser.payload", "%{hostip}^^%{hostname}^^%{domain}^^%{username}^^%{shost}^^%{saddr}^^%{event_source}^^%{virusname}^^%{info}^^%{disposition}^^%{action}^^%{recorded_time}^^%{fld33}^^%{fld1}^^%{dclass_counter1}^^%{filename}^^%{fld2}", processor_chain([ + dup110, + dup115, + dup116, + dup38, + dup152, + dup253, + dup15, + dup283, +])); + +var msg554 = msg("10", part708); + +var msg555 = msg("1281", dup342); + +var msg556 = msg("257", dup342); + +var msg557 = msg("259", dup342); + +var part709 = // "Pattern{Field(id,false), Constant('^^'), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' Organization importing started')}" +match("MESSAGE#527:264", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Organization importing started", processor_chain([ + dup53, + dup284, + dup15, + dup220, +])); + +var msg558 = msg("264", part709); + +var part710 = // "Pattern{Field(id,false), Constant('^^'), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' Organization importing finished successfully')}" +match("MESSAGE#528:265", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Organization importing finished successfully", processor_chain([ + dup53, + dup284, + dup15, + dup219, +])); + +var msg559 = msg("265", part710); + +var msg560 = msg("273", dup342); + +var part711 = // "Pattern{Field(id,false), Constant('^^The process '), Field(process,true), Constant(' can not lock the process status table. The process status has been locked by the server '), Field(shost,true), Constant(' ('), Field(fld22,false), Constant(') since '), Field(recorded_time,false), Constant('.')}" +match("MESSAGE#530:275", "nwparser.payload", "%{id}^^The process %{process->} can not lock the process status table. The process status has been locked by the server %{shost->} (%{fld22}) since %{recorded_time}.", processor_chain([ + dup53, + dup15, + setc("event_description","The process can not lock the process status table"), +])); + +var msg561 = msg("275", part711); + +var msg562 = msg("769", dup342); + +var msg563 = msg("772", dup342); + +var msg564 = msg("773", dup342); + +var msg565 = msg("778", dup342); + +var msg566 = msg("779", dup342); + +var msg567 = msg("782", dup342); + +var part712 = // "Pattern{Field(id,false), Constant('^^'), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' Backup succeeded and finished at '), Field(fld4,true), Constant(' '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant('. The backup file resides at the following location on the server '), Field(shost,false), Constant(': '), Field(directory,false)}" +match("MESSAGE#537:1029", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Backup succeeded and finished at %{fld4->} %{fld5->} %{fld6}. The backup file resides at the following location on the server %{shost}: %{directory}", processor_chain([ + dup53, + dup284, + date_time({ + dest: "recorded_time", + args: ["fld4","fld5","fld6"], + fmts: [ + [dG,dc("/"),dF,dc("/"),dY,dN,dc(":"),dU,dP], + ], + }), + dup15, + dup285, +])); + +var msg568 = msg("1029", part712); + +var part713 = // "Pattern{Field(id,false), Constant('^^Backup succeeded and finished. The backup file resides at the following location on the server '), Field(shost,false), Constant(': '), Field(directory,false)}" +match("MESSAGE#538:1029:01", "nwparser.payload", "%{id}^^Backup succeeded and finished. The backup file resides at the following location on the server %{shost}: %{directory}", processor_chain([ + dup53, + dup15, + dup285, +])); + +var msg569 = msg("1029:01", part713); + +var select136 = linear_select([ + msg568, + msg569, +]); + +var part714 = // "Pattern{Field(id,false), Constant('^^'), Field(fld1,true), Constant(' '), Field(fld2,true), Constant(' '), Field(fld3,true), Constant(' Backup started')}" +match("MESSAGE#539:1030", "nwparser.payload", "%{id}^^%{fld1->} %{fld2->} %{fld3->} Backup started", processor_chain([ + dup53, + dup284, + dup15, + dup286, +])); + +var msg570 = msg("1030", part714); + +var part715 = // "Pattern{Field(id,false), Constant('^^Backup started')}" +match("MESSAGE#540:1030:01", "nwparser.payload", "%{id}^^Backup started", processor_chain([ + dup53, + dup15, + dup286, +])); + +var msg571 = msg("1030:01", part715); + +var select137 = linear_select([ + msg570, + msg571, +]); + +var msg572 = msg("4097", dup342); + +var msg573 = msg("4353", dup342); + +var msg574 = msg("5121", dup342); + +var msg575 = msg("5122", dup342); + +var part716 = // "Pattern{Field(id,false), Constant('^^Sending Email Failed for following email address ['), Field(user_address,false), Constant('].')}" +match("MESSAGE#545:4609", "nwparser.payload", "%{id}^^Sending Email Failed for following email address [%{user_address}].", processor_chain([ + setc("eventcategory","1207010200"), + setc("event_description","Sending Email Failed"), + dup15, +])); + +var msg576 = msg("4609", part716); + +var msg577 = msg("4868", dup343); + +var msg578 = msg("5377", dup343); + +var msg579 = msg("5378", dup343); + +var msg580 = msg("302449153", dup344); + +var msg581 = msg("302449153:01", dup345); + +var select138 = linear_select([ + msg580, + msg581, +]); + +var msg582 = msg("302449154", dup344); + +var msg583 = msg("302449154:01", dup345); + +var select139 = linear_select([ + msg582, + msg583, +]); + +var msg584 = msg("302449155", dup346); + +var msg585 = msg("302449155:01", dup347); + +var select140 = linear_select([ + msg584, + msg585, +]); + +var msg586 = msg("302449156", dup346); + +var msg587 = msg("302449156:01", dup347); + +var select141 = linear_select([ + msg586, + msg587, +]); + +var msg588 = msg("302449158", dup344); + +var msg589 = msg("302449158:01", dup345); + +var select142 = linear_select([ + msg588, + msg589, +]); + +var part717 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#559:302449166", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup165, + dup15, + dup287, +])); + +var msg590 = msg("302449166", part717); + +var part718 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#560:302449166:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup165, + dup15, + dup287, +])); + +var msg591 = msg("302449166:01", part718); + +var select143 = linear_select([ + msg590, + msg591, +]); + +var part719 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#561:302449168", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup136, + dup288, + dup56, + dup22, + dup15, + dup287, +])); + +var msg592 = msg("302449168", part719); + +var part720 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#562:302449168:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup136, + dup288, + dup56, + dup22, + dup15, + dup287, +])); + +var msg593 = msg("302449168:01", part720); + +var select144 = linear_select([ + msg592, + msg593, +]); + +var msg594 = msg("302449169", dup344); + +var msg595 = msg("302449169:01", dup345); + +var select145 = linear_select([ + msg594, + msg595, +]); + +var part721 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#565:302449176", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup213, + dup288, + dup172, + dup22, + dup15, + dup287, +])); + +var msg596 = msg("302449176", part721); + +var part722 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#566:302449176:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup213, + dup288, + dup172, + dup22, + dup15, + dup287, +])); + +var msg597 = msg("302449176:01", part722); + +var select146 = linear_select([ + msg596, + msg597, +]); + +var part723 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#567:302449178", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup256, + dup15, + dup287, +])); + +var msg598 = msg("302449178", part723); + +var part724 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#568:302449178:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup256, + dup15, + dup287, +])); + +var msg599 = msg("302449178:01", part724); + +var select147 = linear_select([ + msg598, + msg599, +]); + +var msg600 = msg("302449409", dup344); + +var msg601 = msg("302449409:01", dup345); + +var select148 = linear_select([ + msg600, + msg601, +]); + +var msg602 = msg("302449410", dup346); + +var msg603 = msg("302449410:01", dup347); + +var select149 = linear_select([ + msg602, + msg603, +]); + +var part725 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#573:302449412", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup289, + dup15, + dup287, +])); + +var msg604 = msg("302449412", part725); + +var part726 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#574:302449412:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup289, + dup15, + dup287, +])); + +var msg605 = msg("302449412:01", part726); + +var select150 = linear_select([ + msg604, + msg605, +]); + +var part727 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#575:302449413", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup232, + dup15, + dup287, +])); + +var msg606 = msg("302449413", part727); + +var part728 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#576:302449413:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup232, + dup15, + dup287, +])); + +var msg607 = msg("302449413:01", part728); + +var select151 = linear_select([ + msg606, + msg607, +]); + +var msg608 = msg("302449414", dup344); + +var msg609 = msg("302449414:01", dup345); + +var select152 = linear_select([ + msg608, + msg609, +]); + +var msg610 = msg("302449415", dup344); + +var msg611 = msg("302449415:01", dup345); + +var select153 = linear_select([ + msg610, + msg611, +]); + +var msg612 = msg("302449418", dup344); + +var msg613 = msg("302449418:01", dup345); + +var select154 = linear_select([ + msg612, + msg613, +]); + +var msg614 = msg("302449420", dup344); + +var msg615 = msg("302449420:01", dup345); + +var select155 = linear_select([ + msg614, + msg615, +]); + +var msg616 = msg("302450432", dup348); + +var msg617 = msg("302450432:01", dup349); + +var select156 = linear_select([ + msg616, + msg617, +]); + +var msg618 = msg("302450688", dup344); + +var msg619 = msg("302450688:01", dup345); + +var select157 = linear_select([ + msg618, + msg619, +]); + +var msg620 = msg("302450944", dup344); + +var msg621 = msg("302450944:01", dup345); + +var select158 = linear_select([ + msg620, + msg621, +]); + +var msg622 = msg("302452736", dup344); + +var msg623 = msg("302452736:01", dup345); + +var select159 = linear_select([ + msg622, + msg623, +]); + +var msg624 = msg("302452743", dup344); + +var msg625 = msg("302452743:01", dup345); + +var select160 = linear_select([ + msg624, + msg625, +]); + +var msg626 = msg("302452758", dup348); + +var msg627 = msg("302452758:01", dup349); + +var select161 = linear_select([ + msg626, + msg627, +]); + +var msg628 = msg("302452801", dup348); + +var msg629 = msg("302452801:01", dup349); + +var select162 = linear_select([ + msg628, + msg629, +]); + +var msg630 = msg("302452802", dup344); + +var msg631 = msg("302452802:01", dup345); + +var select163 = linear_select([ + msg630, + msg631, +]); + +var msg632 = msg("302452807", dup344); + +var msg633 = msg("302452807:01", dup345); + +var select164 = linear_select([ + msg632, + msg633, +]); + +var msg634 = msg("302452808", dup348); + +var msg635 = msg("302452808:01", dup349); + +var select165 = linear_select([ + msg634, + msg635, +]); + +var msg636 = msg("302452816", dup344); + +var msg637 = msg("302452816:01", dup345); + +var select166 = linear_select([ + msg636, + msg637, +]); + +var msg638 = msg("302452817", dup344); + +var msg639 = msg("302452817:01", dup345); + +var select167 = linear_select([ + msg638, + msg639, +]); + +var msg640 = msg("302452819", dup344); + +var msg641 = msg("302452819:01", dup345); + +var select168 = linear_select([ + msg640, + msg641, +]); + +var msg642 = msg("302710785", dup348); + +var msg643 = msg("302710785:01", dup349); + +var select169 = linear_select([ + msg642, + msg643, +]); + +var msg644 = msg("302710786", dup344); + +var msg645 = msg("302710786:01", dup345); + +var select170 = linear_select([ + msg644, + msg645, +]); + +var msg646 = msg("302710790", dup344); + +var msg647 = msg("302710790:01", dup345); + +var select171 = linear_select([ + msg646, + msg647, +]); + +var msg648 = msg("302710791", dup348); + +var msg649 = msg("302710791:01", dup349); + +var select172 = linear_select([ + msg648, + msg649, +]); + +var msg650 = msg("302776321", dup348); + +var msg651 = msg("302776321:01", dup349); + +var select173 = linear_select([ + msg650, + msg651, +]); + +var msg652 = msg("302776322", dup348); + +var msg653 = msg("302776322:01", dup349); + +var select174 = linear_select([ + msg652, + msg653, +]); + +var msg654 = msg("302776576", dup344); + +var msg655 = msg("302776576:01", dup345); + +var select175 = linear_select([ + msg654, + msg655, +]); + +var msg656 = msg("302776834", dup344); + +var msg657 = msg("302776834:01", dup345); + +var select176 = linear_select([ + msg656, + msg657, +]); + +var msg658 = msg("303077785", dup348); + +var msg659 = msg("303077785:01", dup349); + +var select177 = linear_select([ + msg658, + msg659, +]); + +var msg660 = msg("303169538", dup348); + +var msg661 = msg("303169538:01", dup349); + +var select178 = linear_select([ + msg660, + msg661, +]); + +var msg662 = msg("303235073", dup348); + +var msg663 = msg("303235073:01", dup349); + +var select179 = linear_select([ + msg662, + msg663, +]); + +var msg664 = msg("303235074", dup348); + +var msg665 = msg("303235074:01", dup349); + +var select180 = linear_select([ + msg664, + msg665, +]); + +var msg666 = msg("303235075", dup344); + +var msg667 = msg("303235075:01", dup345); + +var select181 = linear_select([ + msg666, + msg667, +]); + +var msg668 = msg("303235079", dup344); + +var msg669 = msg("303235079:01", dup345); + +var select182 = linear_select([ + msg668, + msg669, +]); + +var part729 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(p0,false)}" +match("MESSAGE#639:303235080/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{p0}"); + +var all185 = all_match({ + processors: [ + part729, + dup350, + dup293, + ], + on_success: processor_chain([ + dup43, + dup15, + dup287, + ]), +}); + +var msg670 = msg("303235080", all185); + +var part730 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(p0,false)}" +match("MESSAGE#640:303235080:01/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{p0}"); + +var all186 = all_match({ + processors: [ + part730, + dup350, + dup293, + ], + on_success: processor_chain([ + dup43, + dup15, + dup287, + ]), +}); + +var msg671 = msg("303235080:01", all186); + +var select183 = linear_select([ + msg670, + msg671, +]); + +var msg672 = msg("303235081", dup344); + +var msg673 = msg("303235081:01", dup345); + +var select184 = linear_select([ + msg672, + msg673, +]); + +var msg674 = msg("303235082", dup344); + +var msg675 = msg("303235082:01", dup345); + +var select185 = linear_select([ + msg674, + msg675, +]); + +var msg676 = msg("303235083", dup344); + +var msg677 = msg("303235083:01", dup345); + +var select186 = linear_select([ + msg676, + msg677, +]); + +var msg678 = msg("302452762", dup344); + +var msg679 = msg("303235076", dup344); + +var msg680 = msg("303235076:01", dup345); + +var select187 = linear_select([ + msg679, + msg680, +]); + +var msg681 = msg("302448900", dup345); + +var part731 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^Block all other IP traffic and log^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#651:301", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup294, + dup295, + dup351, + dup268, + dup297, + dup298, + dup15, + dup352, + dup312, + dup287, + dup300, + dup301, + dup302, +])); + +var msg682 = msg("301", part731); + +var part732 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^Block all other IP traffic and log^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#652:301:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup294, + dup295, + dup351, + dup268, + dup297, + dup298, + dup15, + dup352, + dup312, + dup287, + dup300, + dup301, + dup302, +])); + +var msg683 = msg("301:01", part732); + +var part733 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#653:301:02", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup120, + dup295, + dup268, + dup351, + dup15, + dup352, + dup312, + dup287, + dup300, + dup301, + dup302, +])); + +var msg684 = msg("301:02", part733); + +var select188 = linear_select([ + msg682, + msg683, + msg684, +]); + +var part734 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#654:302", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup294, + dup295, + dup37, + dup268, + dup303, + dup15, + dup352, + dup312, + dup287, + dup300, + dup301, + dup302, +])); + +var msg685 = msg("302", part734); + +var part735 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#655:302:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup294, + dup295, + dup37, + dup268, + dup303, + dup15, + dup352, + dup312, + dup287, + dup300, + dup301, + dup302, +])); + +var msg686 = msg("302:01", part735); + +var select189 = linear_select([ + msg685, + msg686, +]); + +var part736 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#656:306", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup294, + dup295, + dup37, + dup268, + dup297, + dup15, + dup352, + dup312, + dup287, + dup300, + dup301, + dup302, +])); + +var msg687 = msg("306", part736); + +var part737 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#657:306:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup294, + dup295, + dup37, + dup268, + dup297, + dup15, + dup352, + dup312, + dup287, + dup300, + dup301, + dup302, +])); + +var msg688 = msg("306:01", part737); + +var select190 = linear_select([ + msg687, + msg688, +]); + +var part738 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#658:307", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup294, + dup295, + dup37, + dup268, + dup304, + dup15, + dup352, + dup312, + dup287, + dup300, + dup301, + dup302, +])); + +var msg689 = msg("307", part738); + +var part739 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#659:307:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup294, + dup295, + dup37, + dup268, + dup304, + dup15, + dup352, + dup312, + dup287, + dup300, + dup301, + dup302, +])); + +var msg690 = msg("307:01", part739); + +var select191 = linear_select([ + msg689, + msg690, +]); + +var part740 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^Block all other IP traffic and log^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#660:308", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup294, + dup295, + dup37, + dup268, + dup297, + dup298, + dup15, + dup352, + dup312, + dup287, + dup300, + dup301, + dup302, +])); + +var msg691 = msg("308", part740); + +var part741 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^Block all other IP traffic and log^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#661:308:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^Block all other IP traffic and log^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup294, + dup295, + dup37, + dup268, + dup297, + dup298, + dup15, + dup352, + dup312, + dup287, + dup300, + dup301, + dup302, +])); + +var msg692 = msg("308:01", part741); + +var part742 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#662:308:02", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{id}^^%{saddr_v6}^^%{daddr_v6}^^%{saddr}^^%{daddr}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{sport}^^%{dport}^^%{fld14}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{fld17}^^%{rule}^^%{rulename}^^%{fld18}^^%{fld19}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup120, + dup295, + dup351, + dup268, + dup15, + dup352, + dup312, + dup287, + dup300, + dup301, + dup302, +])); + +var msg693 = msg("308:02", part742); + +var select192 = linear_select([ + msg691, + msg692, + msg693, +]); + +var part743 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" +match("MESSAGE#663:202", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ + dup36, + dup295, + setc("ec_activity","Scan"), + dup268, + dup15, + dup353, + dup354, + dup287, + dup300, + dup301, + dup302, +])); + +var msg694 = msg("202", part743); + +var msg695 = msg("206", dup357); + +var msg696 = msg("206:01", dup358); + +var select193 = linear_select([ + msg695, + msg696, +]); + +var msg697 = msg("207", dup357); + +var msg698 = msg("207:01", dup358); + +var select194 = linear_select([ + msg697, + msg698, +]); + +var part744 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" +match("MESSAGE#668:208", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ + dup36, + dup295, + dup268, + dup15, + dup353, + dup354, + dup287, + dup300, + dup301, + dup302, +])); + +var msg699 = msg("208", part744); + +var msg700 = msg("210", dup359); + +var part745 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#670:210:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup43, + dup15, + dup353, + dup354, + dup287, + dup300, + dup301, + dup302, +])); + +var msg701 = msg("210:01", part745); + +var select195 = linear_select([ + msg700, + msg701, +]); + +var msg702 = msg("211", dup357); + +var msg703 = msg("211:01", dup358); + +var select196 = linear_select([ + msg702, + msg703, +]); + +var msg704 = msg("221", dup359); + +var part746 = // "Pattern{Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" +match("MESSAGE#674:238/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}"); + +var all187 = all_match({ + processors: [ + dup305, + dup350, + part746, + ], + on_success: processor_chain([ + dup43, + dup15, + dup353, + dup354, + dup287, + dup300, + dup301, + dup302, + ]), +}); + +var msg705 = msg("238", all187); + +var part747 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(p0,false)}" +match("MESSAGE#675:238:01/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{p0}"); + +var part748 = // "Pattern{Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#675:238:01/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}"); + +var all188 = all_match({ + processors: [ + part747, + dup350, + part748, + ], + on_success: processor_chain([ + dup43, + dup15, + dup353, + dup354, + dup287, + dup300, + dup301, + dup302, + ]), +}); + +var msg706 = msg("238:01", all188); + +var select197 = linear_select([ + msg705, + msg706, +]); + +var msg707 = msg("501", dup360); + +var msg708 = msg("501:01", dup361); + +var select198 = linear_select([ + msg707, + msg708, +]); + +var part749 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(fld31,false), Constant('^^'), Field(filename_size,false), Constant('^^'), Field(fld32,false), Constant('^^'), Field(fld33,false)}" +match("MESSAGE#678:502", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{username}^^%{sdomain}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}^^%{fld31}^^%{filename_size}^^%{fld32}^^%{fld33}", processor_chain([ + dup43, + dup15, + dup356, + dup355, + dup287, + dup300, + dup301, + dup307, + dup308, +])); + +var msg709 = msg("502", part749); + +var part750 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false)}" +match("MESSAGE#679:502:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{username}^^%{sdomain}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}", processor_chain([ + dup43, + dup15, + dup356, + dup355, + dup287, + dup300, + dup301, + dup307, + dup308, +])); + +var msg710 = msg("502:01", part750); + +var select199 = linear_select([ + msg709, + msg710, +]); + +var msg711 = msg("999", dup360); + +var msg712 = msg("999:01", dup361); + +var select200 = linear_select([ + msg711, + msg712, +]); + +var part751 = // "Pattern{Constant('Application,rn='), Field(fld1,true), Constant(' cid='), Field(fld2,true), Constant(' eid='), Field(fld3,false), Constant(','), Field(fld4,true), Constant(' '), Field(fld5,false), Constant(','), Field(fld6,false), Constant(',Symantec AntiVirus,SYSTEM,Information,'), Field(shost,false), Constant(','), Field(event_description,false), Constant('. string-data=[ Scan type: '), Field(event_type,true), Constant(' Event: '), Field(result,true), Constant(' Security risk detected: '), Field(directory,true), Constant(' File: '), Field(filename,true), Constant(' Location: '), Field(fld7,true), Constant(' Computer: '), Field(fld8,true), Constant(' User: '), Field(username,true), Constant(' Action taken:'), Field(action,true), Constant(' Date found: '), Field(fld9,false), Constant(']')}" +match("MESSAGE#682:Application_45", "nwparser.payload", "Application,rn=%{fld1->} cid=%{fld2->} eid=%{fld3},%{fld4->} %{fld5},%{fld6},Symantec AntiVirus,SYSTEM,Information,%{shost},%{event_description}. string-data=[ Scan type: %{event_type->} Event: %{result->} Security risk detected: %{directory->} File: %{filename->} Location: %{fld7->} Computer: %{fld8->} User: %{username->} Action taken:%{action->} Date found: %{fld9}]", processor_chain([ + dup43, + dup15, + dup55, +])); + +var msg713 = msg("Application_45", part751); + +var part752 = // "Pattern{Constant('Using Group Update Provider type: '), Field(p0,false)}" +match("MESSAGE#692:SYLINK/0", "nwparser.payload", "Using Group Update Provider type: %{p0}"); + +var part753 = // "Pattern{Constant('Single Group Update Provider,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#692:SYLINK/1_0", "nwparser.p0", "Single Group Update Provider,Event time:%{fld17->} %{fld18}"); + +var part754 = // "Pattern{Constant('Multiple Group Update Providers,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#692:SYLINK/1_1", "nwparser.p0", "Multiple Group Update Providers,Event time:%{fld17->} %{fld18}"); + +var part755 = // "Pattern{Constant('Mapped Group Update Providers,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#692:SYLINK/1_2", "nwparser.p0", "Mapped Group Update Providers,Event time:%{fld17->} %{fld18}"); + +var part756 = // "Pattern{Constant('Single Group Update Provider'), Field(,false)}" +match("MESSAGE#692:SYLINK/1_3", "nwparser.p0", "Single Group Update Provider%{}"); + +var part757 = // "Pattern{Constant('Multiple Group Update Providers'), Field(,false)}" +match("MESSAGE#692:SYLINK/1_4", "nwparser.p0", "Multiple Group Update Providers%{}"); + +var part758 = // "Pattern{Constant('Mapped Group Update Providers'), Field(,false)}" +match("MESSAGE#692:SYLINK/1_5", "nwparser.p0", "Mapped Group Update Providers%{}"); + +var select201 = linear_select([ + part753, + part754, + part755, + part756, + part757, + part758, +]); + +var all189 = all_match({ + processors: [ + part752, + select201, + ], + on_success: processor_chain([ + dup53, + dup12, + dup13, + dup14, + dup15, + dup93, + setc("event_description","Using Group Update Provider."), + ]), +}); + +var msg714 = msg("SYLINK", all189); + +var part759 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,true), Constant(' [name]:'), Field(obj_name,true), Constant(' [class]:'), Field(obj_type,true), Constant(' [guid]:'), Field(hardware_id,true), Constant(' [deviceID]:'), Field(info,false), Constant('^^'), Field(fld79,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" +match("MESSAGE#703:242", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description->} [name]:%{obj_name->} [class]:%{obj_type->} [guid]:%{hardware_id->} [deviceID]:%{info}^^%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ + dup53, + dup15, + dup353, + dup354, + dup287, + dup300, + dup301, + dup302, +])); + +var msg715 = msg("242", part759); + +var part760 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,true), Constant(' ['), Field(p0,false)}" +match("MESSAGE#704:242:01/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description->} [%{p0}"); + +var part761 = // "Pattern{Constant('Device]: '), Field(device,true), Constant(' [guid]: '), Field(hardware_id,true), Constant(' [Volume]:'), Field(p0,false)}" +match("MESSAGE#704:242:01/1_0", "nwparser.p0", "Device]: %{device->} [guid]: %{hardware_id->} [Volume]:%{p0}"); + +var part762 = // "Pattern{Constant('Volume]:'), Field(p0,false)}" +match("MESSAGE#704:242:01/1_1", "nwparser.p0", "Volume]:%{p0}"); + +var select202 = linear_select([ + part761, + part762, +]); + +var part763 = // "Pattern{Field(,true), Constant(' '), Field(disk_volume,true), Constant(' [Vendor]:'), Field(devvendor,true), Constant(' [Model]: '), Field(product,true), Constant(' [Access]: '), Field(accesses,false), Constant('^^'), Field(fld79,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" +match("MESSAGE#704:242:01/2", "nwparser.p0", "%{} %{disk_volume->} [Vendor]:%{devvendor->} [Model]: %{product->} [Access]: %{accesses}^^%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}"); + +var all190 = all_match({ + processors: [ + part760, + select202, + part763, + ], + on_success: processor_chain([ + dup53, + dup15, + dup353, + dup354, + dup287, + dup300, + dup301, + dup302, + ]), +}); + +var msg716 = msg("242:01", all190); + +var part764 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,true), Constant(' [Volume]: '), Field(disk_volume,true), Constant(' [Model]: '), Field(product,true), Constant(' [Access]: '), Field(accesses,false), Constant('^^'), Field(fld79,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" +match("MESSAGE#705:242:02", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description->} [Volume]: %{disk_volume->} [Model]: %{product->} [Access]: %{accesses}^^%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ + dup53, + dup15, + dup353, + dup354, + dup287, + dup300, + dup301, + dup302, +])); + +var msg717 = msg("242:02", part764); + +var part765 = // "Pattern{Field(event_description,false), Constant('. '), Field(info,true), Constant(' [Access]: '), Field(accesses,false), Constant('^^'), Field(p0,false)}" +match("MESSAGE#706:242:03/1_0", "nwparser.p0", "%{event_description}. %{info->} [Access]: %{accesses}^^%{p0}"); + +var part766 = // "Pattern{Constant(' '), Field(event_description,false), Constant('. '), Field(info,false), Constant('^^'), Field(p0,false)}" +match("MESSAGE#706:242:03/1_1", "nwparser.p0", " %{event_description}. %{info}^^%{p0}"); + +var part767 = // "Pattern{Constant(' '), Field(event_description,false), Constant('^^'), Field(p0,false)}" +match("MESSAGE#706:242:03/1_2", "nwparser.p0", " %{event_description}^^%{p0}"); + +var select203 = linear_select([ + part765, + part766, + part767, +]); + +var part768 = // "Pattern{Field(fld79,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" +match("MESSAGE#706:242:03/2", "nwparser.p0", "%{fld79}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}"); + +var all191 = all_match({ + processors: [ + dup305, + select203, + part768, + ], + on_success: processor_chain([ + dup53, + dup15, + dup353, + dup354, + dup287, + dup300, + dup301, + dup302, + ]), +}); + +var msg718 = msg("242:03", all191); + +var select204 = linear_select([ + msg715, + msg716, + msg717, + msg718, +]); + +var part769 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#707:303169540", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + setc("eventcategory","1801010000"), + dup15, + dup287, +])); + +var msg719 = msg("303169540", part769); + +var part770 = // "Pattern{Field(shost,false), Constant(', Remote: '), Field(fld4,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld5,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL:'), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#708:Remote::01", "nwparser.payload", "%{shost}, Remote: %{fld4},Remote: %{daddr},Remote: %{fld5},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},Domain: %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL:%{url},Intrusion Payload URL:%{fld25}", processor_chain([ + dup53, + dup12, + dup15, + dup40, + dup41, + dup42, + dup47, +])); + +var msg720 = msg("Remote::01", part770); + +var part771 = // "Pattern{Constant('"'), Field(info,false), Constant('",Local: '), Field(p0,false)}" +match("MESSAGE#709:Notification::01/0_0", "nwparser.payload", "\"%{info}\",Local: %{p0}"); + +var part772 = // "Pattern{Field(info,false), Constant(',Local: '), Field(p0,false)}" +match("MESSAGE#709:Notification::01/0_1", "nwparser.payload", "%{info},Local: %{p0}"); + +var select205 = linear_select([ + part771, + part772, +]); + +var part773 = // "Pattern{Field(saddr,false), Constant(',Local: '), Field(fld1,false), Constant(',Remote: '), Field(fld9,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld3,false), Constant(',Unknown,OTHERS,,Begin: '), Field(fld50,true), Constant(' '), Field(fld52,false), Constant(',End: '), Field(fld51,true), Constant(' '), Field(fld53,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(','), Field(p0,false)}" +match("MESSAGE#709:Notification::01/1", "nwparser.p0", "%{saddr},Local: %{fld1},Remote: %{fld9},Remote: %{daddr},Remote: %{fld3},Unknown,OTHERS,,Begin: %{fld50->} %{fld52},End: %{fld51->} %{fld53},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld6},User: %{username},%{p0}"); + +var select206 = linear_select([ + dup182, + dup67, +]); + +var part774 = // "Pattern{Field(,true), Constant(' '), Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#709:Notification::01/3", "nwparser.p0", "%{} %{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); + +var all192 = all_match({ + processors: [ + select205, + part773, + select206, + part774, + ], + on_success: processor_chain([ + dup53, + dup12, + dup13, + dup15, + dup14, + dup40, + dup41, + dup42, + dup47, + ]), +}); + +var msg721 = msg("Notification::01", all192); + +var chain1 = processor_chain([ + select2, + msgid_select({ + "\"=======EXCEPTION:": msg507, + "1": msg545, + "10": msg554, + "1029": select136, + "1030": select137, + "1281": msg555, + "2": msg546, + "202": msg694, + "206": select193, + "207": select194, + "208": msg699, + "210": select195, + "211": select196, + "221": msg704, + "238": select197, + "242": select204, + "257": msg556, + "259": msg557, + "264": msg558, + "265": msg559, + "273": msg560, + "275": msg561, + "3": msg547, + "301": select188, + "302": select189, + "302448900": msg681, + "302449153": select138, + "302449154": select139, + "302449155": select140, + "302449156": select141, + "302449158": select142, + "302449166": select143, + "302449168": select144, + "302449169": select145, + "302449176": select146, + "302449178": select147, + "302449409": select148, + "302449410": select149, + "302449412": select150, + "302449413": select151, + "302449414": select152, + "302449415": select153, + "302449418": select154, + "302449420": select155, + "302450432": select156, + "302450688": select157, + "302450944": select158, + "302452736": select159, + "302452743": select160, + "302452758": select161, + "302452762": msg678, + "302452801": select162, + "302452802": select163, + "302452807": select164, + "302452808": select165, + "302452816": select166, + "302452817": select167, + "302452819": select168, + "302710785": select169, + "302710786": select170, + "302710790": select171, + "302710791": select172, + "302776321": select173, + "302776322": select174, + "302776576": select175, + "302776834": select176, + "303077785": select177, + "303169538": select178, + "303169540": msg719, + "303235073": select179, + "303235074": select180, + "303235075": select181, + "303235076": select187, + "303235079": select182, + "303235080": select183, + "303235081": select184, + "303235082": select185, + "303235083": select186, + "306": select190, + "307": select191, + "308": select192, + "4": msg548, + "4097": msg572, + "4353": msg573, + "4609": msg576, + "4868": msg577, + "5": msg549, + "501": select198, + "502": select199, + "5121": msg574, + "5122": msg575, + "5377": msg578, + "5378": msg579, + "6": msg550, + "7": msg551, + "769": msg562, + "772": msg563, + "773": msg564, + "778": msg565, + "779": msg566, + "782": msg567, + "8": msg552, + "9": msg553, + "999": select200, + "??:": msg214, + "Active": select3, + "Add": msg69, + "Administrator": select4, + "Allowed": select123, + "Antivirus": select9, + "Application": select12, + "Application_45": msg713, + "Applied": select16, + "Audit": msg519, + "Blocked": select21, + "Category": select127, + "Changed": msg124, + "Cleaned": msg125, + "Client": select23, + "Commercial": select28, + "Compliance": msg484, + "Compressed": select99, + "Computer": select31, + "Configuration": select32, + "Connected": select34, + "Connection": msg160, + "Continue": select133, + "Could": select35, + "Create": msg163, + "Database": select36, + "Decomposer": msg171, + "Default": select128, + "Device": select130, + "Disconnected": select37, + "Domain": select38, + "Download": msg485, + "Email": msg528, + "Failed": select41, + "Firefox": select67, + "Firewall": select42, + "Generic": select70, + "Group": select43, + "Host": select46, + "Internet": select68, + "Intrusion": select48, + "Invalid": msg217, + "LUALL": msg289, + "Limited": msg218, + "LiveUpdate": select54, + "Local": select60, + "Local:": select18, + "Location": msg288, + "Malicious": select8, + "Management": select62, + "Memory": msg327, + "Network": select66, + "New": select73, + "No": select74, + "Notification:": msg721, + "Number": select77, + "Organization": select75, + "PTS": msg380, + "Ping": select134, + "Policy": select79, + "Potential": select80, + "Previous": msg368, + "Proactive": select81, + "Received": select87, + "Reconfiguring": msg383, + "Reconnected": msg384, + "Remote:": msg720, + "Retry": select88, + "Risk": select90, + "SHA-256:": select15, + "Scan": select94, + "Security": select98, + "Server": select135, + "Somebody": select10, + "Stop": select100, + "Stopping": msg427, + "Submission": msg428, + "Successfully": select89, + "Suspicious": msg476, + "Switched": msg429, + "Symantec": select107, + "System": select108, + "Terminated": msg483, + "Traffic": select111, + "TruScan": select113, + "Unexpected": select114, + "Unsolicited": select115, + "User": select117, + "Using": msg714, + "Virus": select59, + "Windows": select119, + "allowed": select6, + "blocked": select17, + "client": select26, + "management": select63, + "password": select5, + "process": select82, + "properties": select85, + "restart": msg385, + }), +]); + +var part775 = // "Pattern{Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#0:Active/1_0", "nwparser.p0", "%{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); + +var part776 = // "Pattern{Field(domain,false)}" +match_copy("MESSAGE#0:Active/1_1", "nwparser.p0", "domain"); + +var part777 = // "Pattern{Field(domain,false), Constant(',Local Port '), Field(sport,false), Constant(',Remote Port '), Field(dport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#15:Somebody:01/1_0", "nwparser.p0", "%{domain},Local Port %{sport},Remote Port %{dport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); + +var part778 = // "Pattern{Constant('"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#27:Application:06/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{fld25}"); + +var part779 = // "Pattern{Constant('Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#27:Application:06/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{fld25}"); + +var part780 = // "Pattern{Constant('Intrusion URL: '), Field(url,false)}" +match("MESSAGE#27:Application:06/1_2", "nwparser.p0", "Intrusion URL: %{url}"); + +var part781 = // "Pattern{Field(url,false), Constant(',Intrusion Payload URL:'), Field(fld25,false)}" +match("MESSAGE#31:scanning:01/1_0", "nwparser.p0", "%{url},Intrusion Payload URL:%{fld25}"); + +var part782 = // "Pattern{Field(url,false)}" +match_copy("MESSAGE#31:scanning:01/1_1", "nwparser.p0", "url"); + +var part783 = // "Pattern{Constant('Domain:'), Field(p0,false)}" +match("MESSAGE#33:Informational/1_1", "nwparser.p0", "Domain:%{p0}"); + +var part784 = // "Pattern{Constant(':'), Field(p0,false)}" +match("MESSAGE#38:Web_Attack:16/1_1", "nwparser.p0", ":%{p0}"); + +var part785 = // "Pattern{Constant('"'), Field(p0,false)}" +match("MESSAGE#307:process:12/1_0", "nwparser.p0", "\"%{p0}"); + +var part786 = // "Pattern{Field(p0,false)}" +match_copy("MESSAGE#307:process:12/1_1", "nwparser.p0", "p0"); + +var part787 = // "Pattern{Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(protocol,false), Constant(','), Field(p0,false)}" +match("MESSAGE#307:process:12/4", "nwparser.p0", ",Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{protocol},%{p0}"); + +var part788 = // "Pattern{Constant('Intrusion ID: '), Field(fld33,false), Constant(',Begin: '), Field(p0,false)}" +match("MESSAGE#307:process:12/5_0", "nwparser.p0", "Intrusion ID: %{fld33},Begin: %{p0}"); + +var part789 = // "Pattern{Field(fld33,false), Constant(',Begin: '), Field(p0,false)}" +match("MESSAGE#307:process:12/5_1", "nwparser.p0", "%{fld33},Begin: %{p0}"); + +var part790 = // "Pattern{Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(',Location: '), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false), Constant(',Local Port '), Field(dport,false), Constant(',Remote Port '), Field(sport,false), Constant(',CIDS Signature ID: '), Field(sigid,false), Constant(',CIDS Signature string: '), Field(sigid_string,false), Constant(',CIDS Signature SubID: '), Field(fld23,false), Constant(',Intrusion URL: '), Field(p0,false)}" +match("MESSAGE#307:process:12/6", "nwparser.p0", "%{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application},Location: %{fld11},User: %{username},Domain: %{domain},Local Port %{dport},Remote Port %{sport},CIDS Signature ID: %{sigid},CIDS Signature string: %{sigid_string},CIDS Signature SubID: %{fld23},Intrusion URL: %{p0}"); + +var part791 = // "Pattern{Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#21:Applied/1_0", "nwparser.p0", ",Event time:%{fld17->} %{fld18}"); + +var part792 = // "Pattern{}" +match_copy("MESSAGE#21:Applied/1_1", "nwparser.p0", ""); + +var part793 = // "Pattern{Constant('"Location: '), Field(p0,false)}" +match("MESSAGE#23:blocked:01/1_0", "nwparser.p0", "\"Location: %{p0}"); + +var part794 = // "Pattern{Constant('Location: '), Field(p0,false)}" +match("MESSAGE#23:blocked:01/1_1", "nwparser.p0", "Location: %{p0}"); + +var part795 = // "Pattern{Constant(''), Field(fld2,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#52:blocked/2", "nwparser.p0", "%{fld2},User: %{username},Domain: %{domain}"); + +var part796 = // "Pattern{Field(fld4,false), Constant(',MD-5:'), Field(fld5,false), Constant(',Local:'), Field(p0,false)}" +match("MESSAGE#190:Local::01/0_0", "nwparser.payload", "%{fld4},MD-5:%{fld5},Local:%{p0}"); + +var part797 = // "Pattern{Constant('Local:'), Field(p0,false)}" +match("MESSAGE#190:Local::01/0_1", "nwparser.payload", "Local:%{p0}"); + +var part798 = // "Pattern{Constant('Rule: '), Field(rulename,false), Constant(',Location: '), Field(p0,false)}" +match("MESSAGE#192:Local:/1_0", "nwparser.p0", "Rule: %{rulename},Location: %{p0}"); + +var part799 = // "Pattern{Constant(' "Rule: '), Field(rulename,false), Constant('",Location: '), Field(p0,false)}" +match("MESSAGE#192:Local:/1_1", "nwparser.p0", " \"Rule: %{rulename}\",Location: %{p0}"); + +var part800 = // "Pattern{Field(fld11,false), Constant(',User: '), Field(username,false), Constant(','), Field(p0,false)}" +match("MESSAGE#192:Local:/2", "nwparser.p0", "%{fld11},User: %{username},%{p0}"); + +var part801 = // "Pattern{Constant('Domain: '), Field(domain,false), Constant(',Action: '), Field(action,false)}" +match("MESSAGE#192:Local:/3_0", "nwparser.p0", "Domain: %{domain},Action: %{action}"); + +var part802 = // "Pattern{Constant(' Domain: '), Field(domain,false)}" +match("MESSAGE#192:Local:/3_1", "nwparser.p0", " Domain: %{domain}"); + +var part803 = // "Pattern{Constant('"Intrusion URL: '), Field(url,false), Constant('",Intrusion Payload URL:'), Field(p0,false)}" +match("MESSAGE#198:Local::04/1_0", "nwparser.p0", "\"Intrusion URL: %{url}\",Intrusion Payload URL:%{p0}"); + +var part804 = // "Pattern{Constant('Intrusion URL: '), Field(url,false), Constant(',Intrusion Payload URL:'), Field(p0,false)}" +match("MESSAGE#198:Local::04/1_1", "nwparser.p0", "Intrusion URL: %{url},Intrusion Payload URL:%{p0}"); + +var part805 = // "Pattern{Field(fld25,false)}" +match_copy("MESSAGE#198:Local::04/2", "nwparser.p0", "fld25"); + +var part806 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(daddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(saddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Inbound,'), Field(network_service,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#205:Local::07/0", "nwparser.payload", "%{event_description},Local: %{daddr},Local: %{fld12},Remote: %{fld13},Remote: %{saddr},Remote: %{fld15},Inbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); + +var part807 = // "Pattern{Field(event_description,false), Constant(',Local: '), Field(saddr,false), Constant(',Local: '), Field(fld12,false), Constant(',Remote: '), Field(fld13,false), Constant(',Remote: '), Field(daddr,false), Constant(',Remote: '), Field(fld15,false), Constant(',Outbound,'), Field(network_service,false), Constant(',,Begin: '), Field(fld50,true), Constant(' '), Field(fld54,false), Constant(',End: '), Field(fld16,true), Constant(' '), Field(fld19,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(',Application: '), Field(application,false), Constant(', '), Field(p0,false)}" +match("MESSAGE#206:Local::19/0", "nwparser.payload", "%{event_description},Local: %{saddr},Local: %{fld12},Remote: %{fld13},Remote: %{daddr},Remote: %{fld15},Outbound,%{network_service},,Begin: %{fld50->} %{fld54},End: %{fld16->} %{fld19},Occurrences: %{dclass_counter1},Application: %{application}, %{p0}"); + +var part808 = // "Pattern{Constant(''), Field(fld11,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#209:Local::03/2", "nwparser.p0", "%{fld11},User: %{username},Domain: %{domain}"); + +var part809 = // "Pattern{Constant('The client will block traffic from IP address '), Field(fld14,true), Constant(' for the next '), Field(duration_string,true), Constant(' (from '), Field(fld13,false), Constant(')'), Field(p0,false)}" +match("MESSAGE#64:client:05/0", "nwparser.payload", "The client will block traffic from IP address %{fld14->} for the next %{duration_string->} (from %{fld13})%{p0}"); + +var part810 = // "Pattern{Constant('.,'), Field(p0,false)}" +match("MESSAGE#64:client:05/1_0", "nwparser.p0", ".,%{p0}"); + +var part811 = // "Pattern{Constant(' . ,'), Field(p0,false)}" +match("MESSAGE#64:client:05/1_1", "nwparser.p0", " . ,%{p0}"); + +var part812 = // "Pattern{Constant('Commercial application detected,Computer name: '), Field(p0,false)}" +match("MESSAGE#70:Commercial/0", "nwparser.payload", "Commercial application detected,Computer name: %{p0}"); + +var part813 = // "Pattern{Field(shost,false), Constant(',IP Address: '), Field(saddr,false), Constant(',Detection type: '), Field(p0,false)}" +match("MESSAGE#70:Commercial/1_0", "nwparser.p0", "%{shost},IP Address: %{saddr},Detection type: %{p0}"); + +var part814 = // "Pattern{Field(shost,false), Constant(',Detection type: '), Field(p0,false)}" +match("MESSAGE#70:Commercial/1_1", "nwparser.p0", "%{shost},Detection type: %{p0}"); + +var part815 = // "Pattern{Field(severity,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld6,false), Constant(',Detection score:'), Field(fld7,false), Constant(',Submission recommendation: '), Field(fld8,false), Constant(',Permitted application reason: '), Field(fld9,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(fld1,false), Constant(','), Field(p0,false)}" +match("MESSAGE#70:Commercial/2", "nwparser.p0", "%{severity},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld6},Detection score:%{fld7},Submission recommendation: %{fld8},Permitted application reason: %{fld9},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{fld1},%{p0}"); + +var part816 = // "Pattern{Constant('"'), Field(filename,false), Constant('",Actual action: '), Field(p0,false)}" +match("MESSAGE#70:Commercial/3_0", "nwparser.p0", "\"%{filename}\",Actual action: %{p0}"); + +var part817 = // "Pattern{Field(filename,false), Constant(',Actual action: '), Field(p0,false)}" +match("MESSAGE#70:Commercial/3_1", "nwparser.p0", "%{filename},Actual action: %{p0}"); + +var part818 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld19,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" +match("MESSAGE#70:Commercial/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld19},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); + +var part819 = // "Pattern{Constant('IP Address: '), Field(hostip,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(p0,false)}" +match("MESSAGE#76:Computer/0", "nwparser.payload", "IP Address: %{hostip},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{p0}"); + +var part820 = // "Pattern{Constant('"'), Field(filename,false), Constant('",'), Field(p0,false)}" +match("MESSAGE#78:Computer:03/1_0", "nwparser.p0", "\"%{filename}\",%{p0}"); + +var part821 = // "Pattern{Field(filename,false), Constant(','), Field(p0,false)}" +match("MESSAGE#78:Computer:03/1_1", "nwparser.p0", "%{filename},%{p0}"); + +var part822 = // "Pattern{Field(severity,false), Constant(',First Seen: '), Field(fld55,false), Constant(',Application name: '), Field(application,false), Constant(',Application type: '), Field(obj_type,false), Constant(',Application version:'), Field(version,false), Constant(',Hash type:'), Field(encryption_type,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Company name: '), Field(fld11,false), Constant(',File size (bytes): '), Field(filename_size,false), Constant(',Sensitivity: '), Field(fld13,false), Constant(',Detection score:'), Field(fld7,false), Constant(',COH Engine Version: '), Field(fld41,false), Constant(','), Field(fld53,false), Constant(',Permitted application reason: '), Field(fld54,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',Risk Level: '), Field(fld50,false), Constant(',Detection Source: '), Field(fld52,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(fld22,false), Constant(',Actual action: '), Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld5,true), Constant(' '), Field(fld6,false), Constant(',Inserted:'), Field(fld12,false), Constant(',End:'), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" +match("MESSAGE#79:Computer:02/2", "nwparser.p0", "%{severity},First Seen: %{fld55},Application name: %{application},Application type: %{obj_type},Application version:%{version},Hash type:%{encryption_type},Application hash: %{checksum},Company name: %{fld11},File size (bytes): %{filename_size},Sensitivity: %{fld13},Detection score:%{fld7},COH Engine Version: %{fld41},%{fld53},Permitted application reason: %{fld54},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},Risk Level: %{fld50},Detection Source: %{fld52},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{fld22},Actual action: %{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld5->} %{fld6},Inserted:%{fld12},End:%{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); + +var part823 = // "Pattern{Constant('"'), Field(,false)}" +match("MESSAGE#250:Network:24/1_0", "nwparser.p0", "\"%{}"); + +var part824 = // "Pattern{Constant(' Domain:'), Field(p0,false)}" +match("MESSAGE#134:Host:09/1_1", "nwparser.p0", " Domain:%{p0}"); + +var part825 = // "Pattern{Constant('is '), Field(p0,false)}" +match("MESSAGE#135:Intrusion/1_0", "nwparser.p0", "is %{p0}"); + +var part826 = // "Pattern{Constant('.,Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#145:LiveUpdate:10/1_0", "nwparser.p0", ".,Event time:%{fld17->} %{fld18}"); + +var part827 = // "Pattern{Constant('",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#179:LiveUpdate:40/1_0", "nwparser.p0", "\",Event time:%{fld17->} %{fld18}"); + +var part828 = // "Pattern{Constant(' '), Field(p0,false)}" +match("MESSAGE#432:Virus:02/1_1", "nwparser.p0", " %{p0}"); + +var part829 = // "Pattern{Constant('Virus found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(p0,false)}" +match("MESSAGE#436:Virus:12/0", "nwparser.payload", "Virus found,IP Address: %{saddr},Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); + +var part830 = // "Pattern{Constant('"'), Field(fld1,false), Constant('",Actual action: '), Field(p0,false)}" +match("MESSAGE#436:Virus:12/1_0", "nwparser.p0", "\"%{fld1}\",Actual action: %{p0}"); + +var part831 = // "Pattern{Field(fld1,false), Constant(',Actual action: '), Field(p0,false)}" +match("MESSAGE#436:Virus:12/1_1", "nwparser.p0", "%{fld1},Actual action: %{p0}"); + +var part832 = // "Pattern{Constant('Intensive Protection Level: '), Field(fld61,false), Constant(',Certificate issuer: '), Field(fld60,false), Constant(',Certificate signer: '), Field(fld62,false), Constant(',Certificate thumbprint: '), Field(fld63,false), Constant(',Signing timestamp: '), Field(fld64,false), Constant(',Certificate serial number: '), Field(fld65,false), Constant(',Source: '), Field(p0,false)}" +match("MESSAGE#437:Virus:15/1_0", "nwparser.p0", "Intensive Protection Level: %{fld61},Certificate issuer: %{fld60},Certificate signer: %{fld62},Certificate thumbprint: %{fld63},Signing timestamp: %{fld64},Certificate serial number: %{fld65},Source: %{p0}"); + +var part833 = // "Pattern{Constant('Source: '), Field(p0,false)}" +match("MESSAGE#437:Virus:15/1_1", "nwparser.p0", "Source: %{p0}"); + +var part834 = // "Pattern{Constant('"Group: '), Field(group,false), Constant('",Server: '), Field(p0,false)}" +match("MESSAGE#438:Virus:13/3_0", "nwparser.p0", "\"Group: %{group}\",Server: %{p0}"); + +var part835 = // "Pattern{Constant('Group: '), Field(group,false), Constant(',Server: '), Field(p0,false)}" +match("MESSAGE#438:Virus:13/3_1", "nwparser.p0", "Group: %{group},Server: %{p0}"); + +var part836 = // "Pattern{Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(fld31,false), Constant(',Disposition: '), Field(result,false), Constant(',Download site: '), Field(fld44,false), Constant(',Web domain: '), Field(fld45,false), Constant(',Downloaded by: '), Field(fld46,false), Constant(',Prevalence: '), Field(info,false), Constant(',Confidence: '), Field(context,false), Constant(',URL Tracking Status: '), Field(fld49,false), Constant(',,First Seen: '), Field(fld50,false), Constant(',Sensitivity: '), Field(fld52,false), Constant(','), Field(fld56,false), Constant(',Application hash: '), Field(checksum,false), Constant(',Hash type: '), Field(encryption_type,false), Constant(',Company name: '), Field(fld54,false), Constant(',Application name: '), Field(application,false), Constant(',Application version: '), Field(version,false), Constant(',Application type: '), Field(obj_type,false), Constant(',File size (bytes): '), Field(p0,false)}" +match("MESSAGE#438:Virus:13/4", "nwparser.p0", "%{hostid},User: %{username},Source computer: %{fld29},Source IP: %{fld31},Disposition: %{result},Download site: %{fld44},Web domain: %{fld45},Downloaded by: %{fld46},Prevalence: %{info},Confidence: %{context},URL Tracking Status: %{fld49},,First Seen: %{fld50},Sensitivity: %{fld52},%{fld56},Application hash: %{checksum},Hash type: %{encryption_type},Company name: %{fld54},Application name: %{application},Application version: %{version},Application type: %{obj_type},File size (bytes): %{p0}"); + +var part837 = // "Pattern{Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(event_type,false)}" +match("MESSAGE#438:Virus:13/5_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{event_type}"); + +var part838 = // "Pattern{Field(filename_size,false)}" +match_copy("MESSAGE#438:Virus:13/5_1", "nwparser.p0", "filename_size"); + +var part839 = // "Pattern{Constant('Virus found,Computer name: '), Field(shost,false), Constant(',Source: '), Field(event_source,false), Constant(',Risk name: '), Field(virusname,false), Constant(',Occurrences: '), Field(dclass_counter1,false), Constant(','), Field(filename,false), Constant(','), Field(p0,false)}" +match("MESSAGE#440:Virus:14/0", "nwparser.payload", "Virus found,Computer name: %{shost},Source: %{event_source},Risk name: %{virusname},Occurrences: %{dclass_counter1},%{filename},%{p0}"); + +var part840 = // "Pattern{Constant('"'), Field(info,false), Constant('",Actual action: '), Field(p0,false)}" +match("MESSAGE#441:Virus:05/1_0", "nwparser.p0", "\"%{info}\",Actual action: %{p0}"); + +var part841 = // "Pattern{Field(info,false), Constant(',Actual action: '), Field(p0,false)}" +match("MESSAGE#441:Virus:05/1_1", "nwparser.p0", "%{info},Actual action: %{p0}"); + +var part842 = // "Pattern{Constant(''), Field(info,false), Constant(',Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#218:Location/3_0", "nwparser.p0", "%{info},Event time:%{fld17->} %{fld18}"); + +var part843 = // "Pattern{Field(info,false)}" +match_copy("MESSAGE#218:Location/3_1", "nwparser.p0", "info"); + +var part844 = // "Pattern{Constant(' by policy'), Field(,false)}" +match("MESSAGE#253:Network:27/1_0", "nwparser.p0", " by policy%{}"); + +var part845 = // "Pattern{Constant(','), Field(p0,false)}" +match("MESSAGE#296:Policy:deleted/1_0", "nwparser.p0", ",%{p0}"); + +var part846 = // "Pattern{Constant('Potential risk found,Computer name: '), Field(p0,false)}" +match("MESSAGE#298:Potential:02/0", "nwparser.payload", "Potential risk found,Computer name: %{p0}"); + +var part847 = // "Pattern{Field(action,false), Constant(',Requested action: '), Field(disposition,false), Constant(',Secondary action: '), Field(event_state,false), Constant(',Event time: '), Field(fld17,true), Constant(' '), Field(fld18,false), Constant(',Inserted: '), Field(fld20,false), Constant(',End: '), Field(fld51,false), Constant(',Domain: '), Field(domain,false), Constant(',Group: '), Field(group,false), Constant(',Server: '), Field(hostid,false), Constant(',User: '), Field(username,false), Constant(',Source computer: '), Field(fld29,false), Constant(',Source IP: '), Field(saddr,false)}" +match("MESSAGE#299:Potential/4", "nwparser.p0", "%{action},Requested action: %{disposition},Secondary action: %{event_state},Event time: %{fld17->} %{fld18},Inserted: %{fld20},End: %{fld51},Domain: %{domain},Group: %{group},Server: %{hostid},User: %{username},Source computer: %{fld29},Source IP: %{saddr}"); + +var part848 = // "Pattern{Field(event_description,false), Constant(', process id: '), Field(process_id,true), Constant(' Filename: '), Field(filename,true), Constant(' The change was denied by user'), Field(fld6,false), Constant('"'), Field(p0,false)}" +match("MESSAGE#308:process:03/0", "nwparser.payload", "%{event_description}, process id: %{process_id->} Filename: %{filename->} The change was denied by user%{fld6}\"%{p0}"); + +var part849 = // "Pattern{Constant('''), Field(context,false), Constant('','), Field(p0,false)}" +match("MESSAGE#340:Scan:12/1_0", "nwparser.p0", "'%{context}',%{p0}"); + +var part850 = // "Pattern{Constant('Security risk found,Computer name: '), Field(p0,false)}" +match("MESSAGE#343:Security:03/0", "nwparser.payload", "Security risk found,Computer name: %{p0}"); + +var part851 = // "Pattern{Constant('Security risk found,IP Address: '), Field(saddr,false), Constant(',Computer name: '), Field(shost,false), Constant(','), Field(p0,false)}" +match("MESSAGE#345:Security:05/0", "nwparser.payload", "Security risk found,IP Address: %{saddr},Computer name: %{shost},%{p0}"); + +var part852 = // "Pattern{Field(filename_size,false), Constant(',Category set: '), Field(category,false), Constant(',Category type: '), Field(vendor_event_cat,false)}" +match("MESSAGE#345:Security:05/7_0", "nwparser.p0", "%{filename_size},Category set: %{category},Category type: %{vendor_event_cat}"); + +var part853 = // "Pattern{Constant('Category: '), Field(fld22,false), Constant(',Symantec AntiVirus,'), Field(p0,false)}" +match("MESSAGE#388:Symantec:26/0", "nwparser.payload", "Category: %{fld22},Symantec AntiVirus,%{p0}"); + +var part854 = // "Pattern{Constant('[Antivirus'), Field(p0,false)}" +match("MESSAGE#388:Symantec:26/1_0", "nwparser.p0", "[Antivirus%{p0}"); + +var part855 = // "Pattern{Constant('"[Antivirus'), Field(p0,false)}" +match("MESSAGE#388:Symantec:26/1_1", "nwparser.p0", "\"[Antivirus%{p0}"); + +var part856 = // "Pattern{Field(,true), Constant(' '), Field(p0,false)}" +match("MESSAGE#389:Symantec:39/2", "nwparser.p0", "%{} %{p0}"); + +var part857 = // "Pattern{Constant('detection'), Field(p0,false)}" +match("MESSAGE#389:Symantec:39/3_0", "nwparser.p0", "detection%{p0}"); + +var part858 = // "Pattern{Constant('advanced heuristic detection'), Field(p0,false)}" +match("MESSAGE#389:Symantec:39/3_1", "nwparser.p0", "advanced heuristic detection%{p0}"); + +var part859 = // "Pattern{Constant(' Size (bytes): '), Field(filename_size,false), Constant('.",Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#389:Symantec:39/5_0", "nwparser.p0", " Size (bytes): %{filename_size}.\",Event time:%{fld17->} %{fld18}"); + +var part860 = // "Pattern{Constant('Event time:'), Field(fld17,true), Constant(' '), Field(fld18,false)}" +match("MESSAGE#389:Symantec:39/5_2", "nwparser.p0", "Event time:%{fld17->} %{fld18}"); + +var part861 = // "Pattern{Constant(','), Field(p0,false)}" +match("MESSAGE#410:Terminated/0_1", "nwparser.payload", ",%{p0}"); + +var part862 = // "Pattern{Constant(''), Field(fld6,false), Constant(',User: '), Field(username,false), Constant(',Domain: '), Field(domain,false)}" +match("MESSAGE#416:Traffic:02/2", "nwparser.p0", "%{fld6},User: %{username},Domain: %{domain}"); + +var part863 = // "Pattern{Constant('"'), Field(filename,false), Constant('",User: '), Field(p0,false)}" +match("MESSAGE#455:Allowed:09/2_0", "nwparser.p0", "\"%{filename}\",User: %{p0}"); + +var part864 = // "Pattern{Field(filename,false), Constant(',User: '), Field(p0,false)}" +match("MESSAGE#455:Allowed:09/2_1", "nwparser.p0", "%{filename},User: %{p0}"); + +var part865 = // "Pattern{Field(fld46,false), Constant(',File size ('), Field(fld10,false), Constant('): '), Field(filename_size,false), Constant(',Device ID: '), Field(device,false)}" +match("MESSAGE#457:Allowed:10/3_0", "nwparser.p0", "%{fld46},File size (%{fld10}): %{filename_size},Device ID: %{device}"); + +var part866 = // "Pattern{Constant('""'), Field(action,true), Constant(' . Description: '), Field(p0,false)}" +match("MESSAGE#505:Ping/0_0", "nwparser.payload", "\"\"%{action->} . Description: %{p0}"); + +var part867 = // "Pattern{Field(action,true), Constant(' . Description: '), Field(p0,false)}" +match("MESSAGE#505:Ping/0_1", "nwparser.payload", "%{action->} . Description: %{p0}"); + +var part868 = // "Pattern{Field(event_description,true), Constant(' [name]:'), Field(obj_name,true), Constant(' [class]:'), Field(obj_type,true), Constant(' [guid]:'), Field(hardware_id,true), Constant(' [deviceID]:'), Field(info,false), Constant('^^'), Field(p0,false)}" +match("MESSAGE#639:303235080/1_0", "nwparser.p0", "%{event_description->} [name]:%{obj_name->} [class]:%{obj_type->} [guid]:%{hardware_id->} [deviceID]:%{info}^^%{p0}"); + +var part869 = // "Pattern{Field(event_description,false), Constant('. '), Field(info,false), Constant('^^'), Field(p0,false)}" +match("MESSAGE#639:303235080/1_1", "nwparser.p0", "%{event_description}. %{info}^^%{p0}"); + +var part870 = // "Pattern{Field(event_description,false), Constant('^^'), Field(p0,false)}" +match("MESSAGE#639:303235080/1_2", "nwparser.p0", "%{event_description}^^%{p0}"); + +var part871 = // "Pattern{Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#639:303235080/2", "nwparser.p0", "%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}"); + +var part872 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(p0,false)}" +match("MESSAGE#674:238/0", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{p0}"); + +var select207 = linear_select([ + dup9, + dup10, +]); + +var select208 = linear_select([ + dup50, + dup10, +]); + +var select209 = linear_select([ + dup59, + dup60, + dup61, +]); + +var select210 = linear_select([ + dup63, + dup64, +]); + +var select211 = linear_select([ + dup76, + dup77, +]); + +var select212 = linear_select([ + dup79, + dup80, +]); + +var select213 = linear_select([ + dup90, + dup91, +]); + +var select214 = linear_select([ + dup98, + dup99, +]); + +var select215 = linear_select([ + dup101, + dup102, +]); + +var select216 = linear_select([ + dup105, + dup106, +]); + +var select217 = linear_select([ + dup108, + dup109, +]); + +var select218 = linear_select([ + dup112, + dup113, +]); + +var select219 = linear_select([ + dup140, + dup141, +]); + +var select220 = linear_select([ + dup146, + dup147, +]); + +var select221 = linear_select([ + dup149, + dup150, +]); + +var select222 = linear_select([ + dup159, + dup160, +]); + +var select223 = linear_select([ + dup198, + dup199, +]); + +var select224 = linear_select([ + dup201, + dup202, +]); + +var select225 = linear_select([ + dup203, + dup204, +]); + +var select226 = linear_select([ + dup206, + dup207, +]); + +var select227 = linear_select([ + dup209, + dup210, +]); + +var select228 = linear_select([ + dup211, + dup212, +]); + +var select229 = linear_select([ + dup216, + dup91, +]); + +var select230 = linear_select([ + dup249, + dup226, +]); + +var select231 = linear_select([ + dup252, + dup207, +]); + +var select232 = linear_select([ + dup262, + dup261, +]); + +var select233 = linear_select([ + dup264, + dup265, +]); + +var select234 = linear_select([ + dup266, + dup191, + dup267, + dup176, + dup91, +]); + +var select235 = linear_select([ + dup275, + dup276, +]); + +var select236 = linear_select([ + dup281, + dup282, +]); + +var part873 = // "Pattern{Field(id,false), Constant('^^'), Field(event_description,false)}" +match("MESSAGE#524:1281", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ + dup53, + dup15, +])); + +var part874 = // "Pattern{Field(id,false), Constant('^^'), Field(event_description,false)}" +match("MESSAGE#546:4868", "nwparser.payload", "%{id}^^%{event_description}", processor_chain([ + dup43, + dup15, +])); + +var part875 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#549:302449153", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup43, + dup15, + dup287, +])); + +var part876 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#550:302449153:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup43, + dup15, + dup287, +])); + +var part877 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#553:302449155", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup74, + dup15, + dup287, +])); + +var part878 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#554:302449155:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup74, + dup15, + dup287, +])); + +var part879 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#585:302450432", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup168, + dup15, + dup287, +])); + +var part880 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(id,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(event_source,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#586:302450432:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{id}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{event_source}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup168, + dup15, + dup287, +])); + +var select237 = linear_select([ + dup290, + dup291, + dup292, +]); + +var part881 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" +match("MESSAGE#664:206", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ + dup294, + dup295, + dup37, + dup268, + dup15, + dup353, + dup354, + dup287, + dup300, + dup301, + dup302, +])); + +var part882 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false)}" +match("MESSAGE#665:206:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}", processor_chain([ + dup294, + dup295, + dup37, + dup268, + dup15, + dup353, + dup354, + dup287, + dup300, + dup301, + dup302, +])); + +var part883 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(daddr,false), Constant('^^'), Field(smacaddr,false), Constant('^^'), Field(dmacaddr,false), Constant('^^'), Field(zone,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(dhost,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(application,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(fld19,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(saddr_v6,false), Constant('^^'), Field(daddr_v6,false), Constant('^^'), Field(sport,false), Constant('^^'), Field(dport,false), Constant('^^'), Field(sigid,false), Constant('^^'), Field(sigid_string,false), Constant('^^'), Field(sigid1,false), Constant('^^'), Field(url,false), Constant('^^'), Field(web_referer,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(version,false), Constant('^^'), Field(policy_id,false)}" +match("MESSAGE#669:210", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{id}^^%{saddr}^^%{daddr}^^%{smacaddr}^^%{dmacaddr}^^%{zone}^^%{username}^^%{sdomain}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{dhost}^^%{fld13}^^%{fld14}^^%{fld29}^^%{fld15}^^%{fld16}^^%{dclass_counter1}^^%{application}^^%{event_description}^^%{fld17}^^%{fld18}^^%{fld19}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{saddr_v6}^^%{daddr_v6}^^%{sport}^^%{dport}^^%{sigid}^^%{sigid_string}^^%{sigid1}^^%{url}^^%{web_referer}^^%{fld30}^^%{version}^^%{policy_id}", processor_chain([ + dup43, + dup15, + dup353, + dup354, + dup287, + dup300, + dup301, + dup302, +])); + +var part884 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(saddr,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(hostname,false), Constant('^^'), Field(group,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false), Constant('^^'), Field(fld31,false), Constant('^^'), Field(filename_size,false), Constant('^^'), Field(fld32,false), Constant('^^'), Field(fld33,false)}" +match("MESSAGE#676:501", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{saddr}^^%{username}^^%{sdomain}^^%{hostname}^^%{group}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}^^%{fld31}^^%{filename_size}^^%{fld32}^^%{fld33}", processor_chain([ + dup43, + dup15, + dup355, + dup287, + dup300, + dup301, + dup307, + dup308, +])); + +var part885 = // "Pattern{Field(fld1,false), Constant('^^'), Field(domain,false), Constant('^^'), Field(fld3,false), Constant('^^'), Field(id,false), Constant('^^'), Field(username,false), Constant('^^'), Field(sdomain,false), Constant('^^'), Field(fld6,false), Constant('^^'), Field(fld7,false), Constant('^^'), Field(fld8,false), Constant('^^'), Field(severity,false), Constant('^^'), Field(fld9,false), Constant('^^'), Field(fld10,false), Constant('^^'), Field(shost,false), Constant('^^'), Field(fld11,false), Constant('^^'), Field(fld12,false), Constant('^^'), Field(event_description,false), Constant('^^'), Field(fld13,false), Constant('^^'), Field(fld14,false), Constant('^^'), Field(fld15,false), Constant('^^'), Field(fld16,false), Constant('^^'), Field(rule,false), Constant('^^'), Field(rulename,false), Constant('^^'), Field(parent_pid,false), Constant('^^'), Field(parent_process,false), Constant('^^'), Field(fld17,false), Constant('^^'), Field(fld18,false), Constant('^^'), Field(param,false), Constant('^^'), Field(fld20,false), Constant('^^'), Field(fld21,false), Constant('^^'), Field(fld22,false), Constant('^^'), Field(fld23,false), Constant('^^'), Field(fld24,false), Constant('^^'), Field(fld25,false), Constant('^^'), Field(fld26,false), Constant('^^'), Field(fld27,false), Constant('^^'), Field(fld28,false), Constant('^^'), Field(fld29,false), Constant('^^'), Field(dclass_counter1,false), Constant('^^'), Field(fld30,false)}" +match("MESSAGE#677:501:01", "nwparser.payload", "%{fld1}^^%{domain}^^%{fld3}^^%{id}^^%{username}^^%{sdomain}^^%{fld6}^^%{fld7}^^%{fld8}^^%{severity}^^%{fld9}^^%{fld10}^^%{shost}^^%{fld11}^^%{fld12}^^%{event_description}^^%{fld13}^^%{fld14}^^%{fld15}^^%{fld16}^^%{rule}^^%{rulename}^^%{parent_pid}^^%{parent_process}^^%{fld17}^^%{fld18}^^%{param}^^%{fld20}^^%{fld21}^^%{fld22}^^%{fld23}^^%{fld24}^^%{fld25}^^%{fld26}^^%{fld27}^^%{fld28}^^%{fld29}^^%{dclass_counter1}^^%{fld30}", processor_chain([ + dup43, + dup15, + dup355, + dup287, + dup300, + dup301, + dup307, + dup308, +])); diff --git a/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml b/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml new file mode 100644 index 00000000000..cf257ba5d64 --- /dev/null +++ b/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml @@ -0,0 +1,79 @@ +--- +description: Pipeline for Symantec AntiVirus/Endpoint Protection + +processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + # User agent + - user_agent: + field: user_agent.original + ignore_missing: true + # IP Geolocation Lookup + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' + - append: + field: related.hosts + value: '{{host.hostname}}' + allow_duplicates: false + if: ctx?.host?.hostname != null && ctx.host?.hostname != '' + - append: + field: related.hosts + value: '{{source.address}}' + allow_duplicates: false + if: ctx?.source?.address != null && ctx.source?.address != '' + - append: + field: related.hosts + value: '{{destination.address}}' + allow_duplicates: false + if: ctx?.destination?.address != null && ctx.destination?.address != '' +on_failure: + - append: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/symantec/endpointprotection/manifest.yml b/x-pack/filebeat/module/symantec/endpointprotection/manifest.yml new file mode 100644 index 00000000000..84ea3fb0f0c --- /dev/null +++ b/x-pack/filebeat/module/symantec/endpointprotection/manifest.yml @@ -0,0 +1,31 @@ +module_version: "1.0" + +var: + - name: paths + - name: tags + default: ["symantec.endpointprotection", "forwarded"] + - name: syslog_host + default: localhost + - name: syslog_port + default: 9534 + - name: input + default: udp + - name: community_id + default: true + - name: tz_offset + default: local + - name: rsa_fields + default: true + - name: keep_raw_fields + default: false + - name: debug + default: false + +ingest_pipeline: ingest/pipeline.yml +input: config/input.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log new file mode 100644 index 00000000000..b184d76ca14 --- /dev/null +++ b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log @@ -0,0 +1,100 @@ +06:09:59 SymantecServer proident2802.home: Site: https://www.example.com/tia/oloremqu.txt?quis=orisn#cca,Server: dolo1720.api.example,Domain: roinBCS1133.lan,Admin: eataevi,302776834 ^^byC4864.www.host^^nevolu^^equat^^atemsequ^^nci^^1454047799^^high^^eFini^^amco^^exe7309.internal.local^^orsitame^^reprehe^^rsitam^^ommodic^^mipsu^^consec^^taliquip^^psumq^^atcup^^snos^^iquaUte^^tconsec^^nsequat^^taev +%SymantecEP: 303235083^^reetdolo2451.www.example^^rumet5772.mail.corp^^nido^^llam2073.internal.localdomain^^iqu^^ollit^^usan^^aper^^1455282753^^very-high^^olo^^uaera^^sitas4259.mail.corp^^atquovo^^iumto^^aboreetd^^sun^^essecill^^Duisau^^psum^^eriame^^lorema^^avol^^labor^^atuse^^ddoeiu^^enb +February 26 20:15:08 luptat6494.www.example SymantecServer: Site: https://example.org/umdolo/onproide.jpg?oloremi=pitla#ccu,Server: urE6771.www5.example,Domain: agna7678.internal.host,The 302450432 ^^equa3653.internal.host^^errorsi^^des^^rehe^^ume^^1456517708^^medium^^ono^^stru^^olupt3702.www.localhost^^tinvol^^tectobe^^colabor^^iusmodt^^etdolo^^inv^^agnaali^^llitani^^inima^^tlabo^^suntexp^^ugiatnu^^stiae^^nofdeF +03:17:42 SymantecServer onse254.www5.localdomain: tat6349.internal.lan,"[SID: upt] Invalid log record:uiineavo +March 26 10:20:16 emeumfu7783.www5.localhost SymantecServer: utlabore5937.api.localhost,Category: mnisist,sedd,782 ^^uatD +%SymantecEP: 302449409^^rehend1098.host^^numqu3768.internal.lan^^equi^^agnaali^^gnam^^tat^^1460222571^^medium^^lumqui^^itinvo^^mdolore2062.mail.host^^iavolu^^den^^tutla^^olorema^^iades^^siarchi^^datatn^^mqu^^apariat^^tlabore^^untmolli^^remi^^saute^^ercit +%NICWIN-4-Application_45_Symantec: Application,rn=mveleu cid=nofdeFin eid=sequam,temvel Apr 24 00:25:25 2016,ris,Symantec AntiVirus,SYSTEM,Information,nisi6901.mail.home,ecte. string-data=[ Scan type: tinvolu Event: unknown Security risk detected: ntiumdo File: autfu Location: gnaaliq Computer: mni User: rem Action taken:block Date found: icabo] +May 8 07:27:59 uamei2389.internal.example SymantecServer: Site: https://www.example.net/eFi/mexe.html?rpori=ice#oles,Server: edic1626.internal.domain,Domain: ame6223.www5.localhost,Admin: meius,303235076 ^^billo2947.internal.localhost^^umdolo^^uptate^^amc^^cusant^^1462692479^^medium^^orsitam^^siutaliq^^dutp6197.www.test^^nts^^siut^^tconsect^^aquae^^boreetdo^^aturve^^ditemp^^edqui^^nre^^veli^^volupta^^rnatu^^elitse^^ima +14:30:33 SymantecServer tdol6162.internal.localdomain: 302449410 ^^nea2083.www5.localhost^^ncididun^^umSe1918.local^^itau^^apariat^^vitaedi^^lorsita^^1463927433^^medium^^dolore^^onsecte^^nBCSedut1502.www5.example^^gitsed^^fugia^^oditautf^^quatu^^veli^^tenim^^rumet^^verita^^sectet^^etdo^^par^^lorin^^pitl^^por +June 5 21:33:08 niamq2003.mail.local SymantecServer: 302449169 ^^oreetd7668.www5.localdomain^^moenimi^^olupt2189.lan^^con^^preh^^ercit^^etMal^^1465162388^^low^^qui^^ritin^^temporin7150.mail.local^^miu^^rationev^^rem^^asper^^idunt^^luptat^^eveli^^plicab^^oremq^^dicta^^taedicta^^ritt^^iaeco^^equaturv +%NICWIN-4-Application_45_Symantec: Application,rn=liquaUte cid=alorum eid=obeataev,tempor Jun 20 04:35:42 2016,mUten,Symantec AntiVirus,SYSTEM,Information,emq6633.domain,naaliq. string-data=[ Scan type: remeu Event: failure Security risk detected: dtempo File: tin Location: fugitse Computer: imad User: tinvolup Action taken:block Date found: Sedutpe] +11:38:16 SymantecServer rcit2807.mail.invalid: Site: https://www5.example.net/tempor/citatio.jpg?incidid=rure#asiarchi,Server: eaqueips6396.internal.lan,"302452736 ^^utfug7095.api.corp^^iumtot^^lupta^^rsintoc^^reetdo^^1467632296^^high^^mnisiut^^avolu^^Except6889.www.corp^^umetMal^^asper^^umq^^naal^^equun^^sitvo^^temquiav^^obeata^^tatemU^^mad^^onse^^redol^^gnaa^^mod +18:40:50 SymantecServer toditaut7889.internal.invalid: Site: https://api.example.org/eprehend/asnu.htm?mveleum=tamet#perspici,Server: ationul7731.internal.home,Domain: uto5324.lan,Admin: ccae,302452802 ^^orroqu472.www.localhost^^ver^^erc^^umf^^quames^^1468867250^^medium^^esseq^^aincidun^^quatD1370.invalid^^oloreseo^^iruredol^^veniamqu^^licaboN^^atquo^^cupi^^strude^^eritin^^udan^^yCic^^nder^^mdolore^^Cic^^olorema +August 2 01:43:25 oluptat548.www5.invalid SymantecServer: edolorin2164.example,SHA-256:utaliqu,MD-5:rsi,"[SID: taliqui] 303235080 ^^mides4759.api.local^^tcu^^iatqu6203.mail.corp^^urExcep^^ema^^suntex^^iacons^^1470102205^^medium^^esci^^uov^^quaeab2653.mail.localdomain^^dipiscin^^olup^^aco [name]:inimav [class]:acomm [guid]:iutali [deviceID]:itat^^stlaboru^^ate^^mporainc^^xea^^taed^^umdolo^^ntiu^^radipisc^^Cice^^taedi^^tquido +August 16 08:45:59 uptate1049.www.corp SymantecServer: Site: https://www.example.org/tetura/imadmini.jpg?eavol=osamnis#temaccu,Server: scipitl1247.www5.host,Domain: caboNem1043.internal.home,The 302450688 ^^litesseq6785.host^^tob^^dolores^^equamnih^^taliqui^^1471337159^^low^^itempo^^orumw^^redol124.mail.invalid^^radipis^^ctetu^^orinrep^^quiavol^^nrepreh^^ratv^^alorum^^mquisn^^atq^^erspi^^iqu^^niamqu^^equamnih^^icab +15:48:33 SymantecServer tobeatae2512.api.local: Site: https://www.example.org/luptat/deriti.gif?uradi=velitsed#magnaali,Server: mwrit4009.www.localdomain,Domain: equatDu1710.internal.host,303169538 ^^prehe1037.api.example^^eiusmod^^itation^^veleum^^piciatis^^1472572113^^low^^henderi^^iusmodt^^enim5999.mail.localhost^^ersp^^iame^^orroquis^^aquio^^riatu^^loinve^^tanimid^^isnostru^^nofdeFi^^aquioff^^saqu^^remips^^illoi^^reetdolo +September 13 22:51:07 otamrem6743.www5.domain SymantecServer: Site: https://internal.example.com/consecte/pteurs.gif?onulamco=ons#tiaecon,Server: uaturve3425.www.lan,Domain: tiumdol6695.internal.local,The 302449410 ^^CSe4501.example^^nculpaq^^reseosqu1629.mail.lan^^utemvel^^epteur^^ommo^^iame^^1473807067^^medium^^busBonor^^stquido^^rsitvolu3596.www.test^^uameiusm^^adm^^gelitsed^^tiumto^^cor^^odoco^^oin^^itseddoe^^elites^^rum^^erc^^ehende^^tutla^^licaboNe +September 28 05:53:42 nat4367.www5.example SymantecServer: atiset4383.mail.localhost,SHA-256:isiut,MD-5:dtemp,"[SID: ici] 303235081 ^^nisiuta7623.www.local^^dtempo^^atnula^^ditautf^^itametc^^1475042022^^high^^olup^^remipsu^^tan3170.api.example^^doconse^^etdol^^dolorsi^^nturmag^^tura^^osquirat^^equat^^aliquid^^usantiu^^idunt^^atqu^^naturau^^olorsita^^lor +12:56:16 SymantecServer eseruntm4247.mail.local: magnaal5792.www5.domain,Category: nula,quiacons,Cleaned up 7519 LiveUpdate downloaded content +19:58:50 SymantecServer luptatem3834.lan: edq5397.www.test,"[SID: ntut] 302452801 ^^emullam7151.lan^^quiad^^ihilmole^^saquaea^^ons^^1477511930^^high^^quas^^gia^^itatio6735.api.example^^eddoei^^rsin^^rumSec^^orp^^iaturE^^imve^^essequam^^ueporro^^aliqu^^upt^^orum^^Bonoru^^madminim^^ents +November 10 03:01:24 veli578.www.localhost SymantecServer: etdolor1236.mail.invalid,"[SID: mmod] 302449166 ^^iti7029.www.test^^lorsitam^^tanimid^^onpr^^litseddo^^1478746884^^high^^oremqu^^idex^^radip163.mail.invalid^^eiusmo^^ainc^^miurerep^^lestia^^nde^^snu^^inibusB^^nostrud^^cteturad^^ore^^esse^^veniam^^edquian^^sus +10:03:59 SymantecServer vol866.api.domain: bore5546.www.local,Category: labo,lpaquiof,"Active Response that started at quu is disengaged. The traffic from IP address 10.207.125.114 was blocked for 150.301000 second(s). ,Local: 10.175.83.138,Local: scip,Remote: Finibus,Remote: 10.7.164.113,Remote: ncididun,tcp,outbound,,Begin: 2016-11-24 10:03:59,End: 2016-11-24 10:03:59,Occurrences: 1901,Application: est,Location: ali,User: remip, Domain: rere228.invalid +December 8 17:06:33 ent4487.api.test SymantecServer: Site: https://example.org/ulamc/cept.html?radip=rchitect#Dui,Server: iameaqu2429.api.invalid,"302452817 ^^asnulap2567.www5.invalid^^ender^^inc5923.www.test^^oluptat^^roinBCSe^^maperiam^^mSec^^1481216793^^medium^^nseq^^borumSec^^tatemseq5797.home^^tam^^oremip^^eufugi^^dunt^^ames^^amni^^tatio^^amquisno^^modoc^^magnam^^uinesc^^cid^^emi^^Bonorum +00:09:07 SymantecServer enima7673.api.localhost: sequ6424.www.invalid,Category: its,dolor,Local: ,Local: 10.217.91.49,Local: mquis,Remote: lab,Remote: 10.139.207.36,Remote: mwrit,ipv6-icmp,1,Intrusion ID: itse,Begin: 2016-12-23 12:09:07,End: 2016-12-23 12:09:07,Occurrences: 4319,Application: conse,Location: nimadmin,User: lumqui,Domain: quiavolu6301.www5.localhost +January 6 07:11:41 ames645.mail.localhost SymantecServer: Site: https://example.org/tmo/onofdeF.txt?oremip=its#uptasnul,Server: aliqui7541.www5.localdomain,Domain: nse4444.www5.test,Admin: tlabo,501 ^^tatemse4493.mail.local^^lamco^^tion^^10.249.243.41^^ven^^mquisnos^^tnulapa7580.www.domain^^adeser^^uasiarc^^doeiu^^1483686701^^very-high^^uian^^atuserro^^madminim6826.www.host^^3^^onnumqua^^quioff^^iuntN^^ipis^^1483686701^^1483686701^^itautfu^^nesci^^5040^^mquis^^lorsi^^tetura^^eeufug^^edutper^^tevelite^^tocca^^orsitvol^^ntor^^oinBCSed^^oid^^rchit^^tasu^^obeatae^^1886^^midestl^^quatu^^1016^^mqu^^pteursi +January 20 14:14:16 laboree3880.api.invalid SymantecServer: Site: https://www5.example.com/stiaecon/usBono.html?itl=ttenb#olor,Server: quiav6648.lan,302449415 ^^eumfu2149.internal.home^^upidata^^ici182.invalid^^con^^tore^^sequatD^^ercitati^^1484921656^^low^^rinrep^^temse^^caecat4678.www.home^^tatemac^^quisn^^rem^^ulamcola^^remagnaa^^lamcolab^^ceroinB^^umqui^^citation^^temsequi^^mquia^^omnisi^^etMalor^^mco +21:16:50 SymantecServer scipit730.api.example: eruntmo2894.mail.localdomain,"[SID: natus] 302449410 ^^boreet2051.internal.localdomain^^iavo^^ore^^aincidu^^xerc^^1486156610^^very-high^^macc^^ria^^beat2952.internal.localhost^^uisau^^qua^^iarchite^^emsequi^^ueporroq^^ute^^mexer^^iam^^Bonoru^^rcitati^^nula^^ameaquei^^gnama^^esciun +%SymantecEP: 302776321^^eleumi4584.www5.example^^imip7160.www.invalid^^uptateve^^ured3428.www.corp^^abo^^etMa^^cul^^iinea^^1487391564^^very-high^^ditau^^moenimip^^uames7663.internal.local^^lor^^oreeu^^taspe^^eritqui^^atquovol^^evel^^edol^^sequuntu^^quameius^^litse^^san^^apari^^iarchit^^sBonorum +11:21:59 SymantecServer iutal3376.api.corp: Site: https://example.com/idexeac/ntu.txt?ctionofd=mpori#olupt,Server: ola3373.www5.domain,"302449153 ^^qua948.mail.local^^tlaboru^^tec^^itaspe^^con^^1488626519^^high^^amremap^^antiu^^velillum6639.www5.local^^lapari^^Mal^^itinvo^^snulap^^cidu^^hilmol^^oluptate^^todi^^emvel^^pta^^dolo^^itaedi^^hend^^remagna +March 18 18:24:33 dolo5649.www.corp SymantecServer: Site: https://example.org/tMal/porin.gif?isni=quid#aUten,Server: Duis3517.www5.invalid,Domain: conseq6079.www.corp,303235079 ^^tiu3570.www.invalid^^asper^^dictasun3408.internal.invalid^^secte^^ctobeat^^onsec^^idestl^^1489861473^^medium^^pid^^itanimi^^onoru5767.internal.domain^^eosqui^^dipisciv^^uam^^quis^^exe^^naa^^equat^^estiaec^^pitlabo^^tas^^rcitat^^ree^^itten^^quipexea +April 2 01:27:07 ruredol1763.www.local SymantecServer: numq601.api.localhost,"[SID: lapa] 1281 ^^emoenimi +08:29:41 SymantecServer olorsit6165.example: Site: https://www5.example.com/nturm/seq.html?dquia=ora#umfugiat,Server: quisnos7704.api.invalid,Domain: ite5245.mail.lan,The 306 ^^Duis583.api.local^^eavolupt^^uipe6805.www5.domain^^stenat^^uianonnu^^2001:db8::b810cc6d:451c392b^^2001:db8::4f2735dc:6d3ce756^^10.185.64.46^^10.209.205.25^^ptat^^saq^^1492331381^^high^^quame^^orumwri^^atisu6579.test^^rad^^iat^^tqui1142.www5.domain^^4^^2250^^4616^^2^^1492331381^^1492331381^^2536^^niam^^ivelitse^^tatis^^nula^^ptate^^volupta^^01:00:5e:2d:45:c3^^01:00:5e:e5:88:35^^uaerat^^iduntu^^samvol^^equa^^apari^^tsunt^^caecat^^uel^^fficiad^^teirured^^nostru^^rcit +%SymantecEP: 773^^catcupid^^ritquiin +May 14 22:34:50 eumfugia5915.internal.corp SymantecServer: Site: https://internal.example.net/uptat/toditau.htm?quuntur=olup#aeab,Server: uradipis4058.www.domain,Domain: uira3387.internal.localhost,242 ^^quinesc4724.www5.host^^ali^^udexerci6630.mail.test^^osqu^^ptatemse^^itationu^^setquas^^10.202.55.203^^10.35.89.51^^01:00:5e:5f:46:e1^^01:00:5e:14:33:0e^^ameaq^^Quis^^lupta^^1494801290^^very-high^^iav^^umiure^^isiut4530.localdomain^^imvenia^^culp^^deomn904.www.home^^2^^3^^eetdolor^^1494801290^^1494801290^^735^^tla^^iaconseq [Volume]: sed [Model]: sedd [Access]: atione^^tvolup^^oremeu^^lab^^lla^^urau^^aeca^^oNem^^itaedict^^eroi^^onemull^^mdo^^labore^^2001:db8::b54ff32d:af0de540^^2001:db8::11b63689:727d1f3e^^5757^^3320^^7756^^des^^4965^^https://www5.example.org/aliquaU/lits.html?atisetqu=squir#gnaaliq^^https://www.example.com/deriti/edictasu.htm?utlabore=edquiano#mSecti^^henderi^^1.7457^^uel +05:37:24 SymantecServer niamqui7696.mail.test: taliqu701.www.localhost,Category: umfugi,abor,"Traffic Traffic Redirection disabled.,Event time: 2017-5-29 5:37:24 +June 12 12:39:58 aturve1922.internal.test SymantecServer: Site: https://internal.example.com/ore/lors.htm?fdeFi=ratv#veni,Server: metM4820.www.local,Domain: udanti6912.api.localhost,999 ^^cteturad6288.api.home^^nge^^psum^^10.139.89.148^^isnostru^^iad^^ngelits6213.internal.test^^orissusc^^utaliqui^^uov^^1497271198^^medium^^dipisc^^litsed^^lumd4298.mail.localdomain^^3^^iamquisn^^tamrem^^doloremi^^imadm^^1497271198^^1497271198^^ibus^^lumdol^^724^^onnu^^reprehe^^metMa^^emoen^^ptate^^mipsumqu^^turad^^dol^^ntutla^^des^^iciatis^^agn^^cul^^tate^^133^^ipisc^^iatnulap^^7662^^idents^^uine +19:42:33 SymantecServer ction491.www5.local: Site: https://mail.example.net/ate/epteur.htm?ill=imveniam#sunte,Server: exerc121.www5.invalid,Domain: eir4356.www5.host,Admin: undeom,Retry timestamp is equal or over the next schedule time, switching to regular schedule run. +July 11 02:45:07 issu1852.mail.local SymantecServer: atuse559.www.home,Category: tvo,ema,"207 ^^uaera2917.internal.test^^iqua^^ciunt^^exea^^ostrumex^^10.247.21.74^^10.87.92.95^^01:00:5e:80:64:29^^01:00:5e:2c:5b:14^^nim^^Sedutper^^ati^^1499741107^^low^^teturad^^ritq^^tuserror810.www5.corp^^equamni^^fugia^^uptate5787.api.local^^0^^2^^suntincu^^1499741107^^1499741107^^7120^^isiutali^^mdolo^^nof^^usantiu^^periam^^remip^^dexea^^aturExc^^antiumto^^cto^^quamqua^^ulapari^^rittenby^^smoditem +%NICWIN-4-303235080_hen_Symantec AntiVirus: riameaqu^^etd4695.mail.lan^^conse^^ruredolo7392.internal.host^^olors^^roid^^lorum^^iin^^1500976061^^very-high^^lorsita^^naturaut^^mipsu3757.www5.home^^llu^^quaUt^^labor. oris^^tatemse^^uta^^tsun^^samvolu^^dip^^iquaUte^^remi^^modic^^uptatem^^olo^^tametc +16:50:15 SymantecServer iquam1090.api.local: Site: https://example.net/orumSect/preh.txt?iatisund=rnatu#atnonpro,Server: isu3102.mail.test,"5378 ^^sed +23:52:50 SymantecServer prehen4320.api.home: umdolo988.api.corp,Category: eaco,empor,302449158 ^^mvele7557.corp^^Nequepor^^luptate^^aturvel^^ostrumex^^1503445970^^high^^sedquia^^litesse^^ntmo4076.lan^^olore^^ationula^^doconse^^volupta^^ptat^^oreverit^^nimides^^remipsum^^elit^^ites^^uptatema^^amali^^onula^^ostru +September 6 06:55:24 commod6637.api.host SymantecServer: Site: https://example.org/amestqu/aliqua.gif?teirure=dolorsi#dipisciv,Server: nsequun300.internal.lan,Domain: ngelitse7535.internal.lan,The 5377 ^^icta +13:57:58 SymantecServer lup5199.api.example: tectobe1414.www5.localhost,Category: illoin,rinre,"302710785 ^^henderit3374.internal.invalid^^mquae^^amni48.internal.localdomain^^con^^enimadmi^^elit^^uia^^1505915878^^high^^oditautf^^nula^^alo6036.www5.local^^ntiumt^^mdolore^^ita^^aeratvol^^odite^^atn^^sectet^^boreetd^^ueporro^^cto^^essequa^^gnidolor^^itlabori^^amestqui +%NICWIN-4-303235082_turmag_Symantec AntiVirus: dutper^^ingelit3629.mail.domain^^ntin^^tenatus4129.www.local^^intocca^^equuntu^^ntutlab^^eaq^^1507150832^^high^^rcit^^secte^^uredo4613.home^^pitlabor^^upi^^olupta^^ape^^amestqu^^luptas^^ariatu^^psumqui^^trude^^ccusa^^ndeomni^^chite^^obeatae^^rehen +October 19 04:03:07 yCiceroi166.test SymantecServer: Site: https://www5.example.org/colab/itte.html?orumS=tesseq#exeacomm,Server: uptat982.localdomain,Domain: ptatema5373.www5.test,273 ^^tat +%SymantecEP: 302452819^^ptassita3664.api.test^^uovo5035.api.example^^tNequ^^eca^^nev^^sequatu^^1509620741^^high^^iduntut^^admini^^mini3181.api.test^^iamqu^^ommodoc^^mwrit^^dminimve^^madminim^^onse^^ulap^^itaspe^^remagn^^iatisun^^lupta^^stena^^tquid^^liquaUt +18:08:15 SymantecServer rsitam2337.mail.localdomain: tquidolo6928.internal.corp,Category: eetdolo,issuscip,"Commercial application detected,Computer name: iduntu7302.www.invalid,Detection type: medium,Application name: queip,Application type: nsequunt,Application version:1.3638,Hash type:ercitati,Application hash: lapa,Company name: enia,File size (bytes): 7843,Sensitivity: deserun,Detection score:ugia,Submission recommendation: isiuta,Permitted application reason: eFi,Source: elitsedd,Risk name: isqu,Occurrences: 7744,eumfu,"remap",Actual action: accept,Requested action: yCicero,Secondary action: dqui,Event time: 2017-11-16 6:08:15,Inserted: 2017-11-16 6:08:15,End: 2017-11-16 6:08:15,Domain: ema7531.api.example,"Group: eiusm,Server: assit1598.www5.invalid,User: archite,Source computer: eruntm,Source IP: 10.8.143.229 +December 1 01:10:49 acomm6048.internal.host SymantecServer: liquid1981.www.home,"[SID: sequatu] 302449178 ^^icero1297.internal.domain^^asun^^rsitam^^magn^^amcola^^1512090649^^medium^^sno^^stiaeco^^equu7361.www5.localdomain^^nto^^non^^pta^^asnul^^uirati^^chitect^^uam^^tisunde^^porr^^piscivel^^ueporr^^udex^^ipexeac^^uin +08:13:24 SymantecServer nsectetu3212.test: umdolo4405.local,Category: econ,equat,501 ^^bor5601.www.invalid^^animi^^mdoloree^^10.137.5.67^^taliqui^^doloremi^^uisno4545.www5.corp^^atisund^^isnostru^^quepo^^1513325604^^very-high^^nisi^^onsecte^^iono5777.invalid^^1^^Nequepo^^veleum^^eturad^^tor^^1513325604^^1513325604^^hender^^moditemp^^885^^ipsum^^com^^uptate^^tevelite^^cto^^borisn^^assitasp^^nima^^abore^^tur^^tlaboru^^erun^^mquid^^imipsamv^^3758^^totamrem^^eaqu^^5072^^uunturma^^namaliqu +15:15:58 SymantecServer upidatat5004.internal.test: Site: https://example.com/tatem/umexe.gif?lor=busBo#turm,Server: quamei7815.api.home,Domain: qua6831.internal.test,Admin: xeacomm,5122 ^^oriosa +22:18:32 SymantecServer ecatcup2068.invalid: quinesc2102.www.invalid,Category: asiarch,tob,4609 ^^Sending Email Failed for following email address [tiae]. +January 27 05:21:06 ainci5661.internal.local SymantecServer: ntu1279.mail.lan,SHA-256:dut,MD-5:aecons,"[SID: tionemu] 207 ^^edictasu3521.invalid^^eFini^^mnis^^tametco^^snisiut^^10.92.93.236^^10.66.203.117^^01:00:5e:54:c0:38^^01:00:5e:94:22:bc^^oloremag^^uisa^^umquidol^^1517030466^^medium^^erit^^uaea^^adminima6097.corp^^sitvolup^^tionem^^agnamali3222.example^^2^^2^^onsequ^^1517030466^^1517030466^^3168^^ehen^^remap^^mUt^^admi^^siarch^^oloremi^^ididu^^uov^^ncidid^^audantiu^^lmolest^^miurerep^^orsitame^^Sed +February 10 12:23:41 cons4129.api.corp SymantecServer: Site: https://internal.example.org/ssecil/xplic.htm?cipitl=ame#tenat,Server: etur5170.mail.localdomain,Domain: oquisq4993.api.domain,302452807 ^^seosqui7376.internal.home^^edolori^^equ2353.internal.local^^utlab^^entoreve^^lmolest^^ser^^1518265421^^low^^autodita^^loreme^^eratv6521.example^^meaqu^^tlaboree^^dolorsi^^etdolore^^taevita^^rationev^^catcup^^ectetur^^cons^^spiciati^^upidata^^utlabo^^lillumq^^erc +19:26:15 SymantecServer nonnumqu2938.mail.localdomain: Site: https://www5.example.net/uasiarch/tru.txt?eetdolo=erro#uptat,Server: con594.www5.home,Domain: ididu284.api.home,302776321 ^^pre865.www5.home^^prehe^^bori7611.invalid^^neavolu^^mexe^^xcep^^uscipi^^1519500375^^very-high^^tNeq^^nimi^^iset1992.internal.example^^sequu^^ffic^^imadmini^^isnostru^^ostr^^tinvo^^lorumwr^^iaco^^sumdol^^riat^^nim^^imven^^isci^^iusmo +%NICWIN-4-No_bill_Symantec AntiVirus: No old risk events got swept. +09:31:24 SymantecServer tsed6598.mail.test: scipit581.api.example,Category: mni,nti,302449413 ^^iste5901.mail.localhost^^exer^^paqui^^Cice^^liqui^^1521970284^^very-high^^Dui^^tam^^ntin2655.www.localdomain^^itation^^itasper^^epo^^mmodico^^moll^^meaqueip^^nculpaq^^mides^^iconseq^^nidolo^^runtmoll^^tuserror^^utlabo^^scip +16:33:58 SymantecServer utfugi6811.mail.host: Site: https://www.example.org/amqua/mavenia.txt?atnu=ssuscipi#evita,Server: tconsect7649.internal.domain,Domain: lors1204.corp,Admin: volupta,302449414 ^^dolor1769.lan^^dminimav^^odtem^^tati^^suscip^^1523205238^^high^^umqu^^ntexpli^^siuta395.home^^lorumwr^^fugiat^^iumdolor^^etcons^^aecatc^^agnaa^^minimven^^pisciv^^equamnih^^rationev^^etco^^usanti^^itessec^^dat +23:36:32 SymantecServer nimadmi5274.api.localdomain: Configuration Change..umdolore5014.api.lan..4/22/2018........low..oluptate..11:36:32 tcu.. +06:39:06 SymantecServer ept2114.corp: tiumdo6437.internal.invalid,Category: ssusci,snostrud,"2 ^^tisund4302.www5.local^^obeata796.www.localhost^^olo^^vel1911.lan^^10.147.225.53^^itaspern^^lupta^^dolor^^tNeque^^accept^^2018-05-07T06:39:06Z^^etdo^^edictas^^1554^^corpor^^urerepr +%SymantecEP-ctetura: equamn6846.www5.invalid^^3210^^ssecillu^^773 ^^oeius +20:44:15 SymantecServer pisci6637.www.test: Site: https://www.example.org/dolo/orem.html?elite=nde#iac,Server: turve824.mail.corp,Domain: llumquid5568.internal.host,5377 ^^adolors +03:46:49 SymantecServer nemulla5602.mail.localhost: 303169540 ^^emipsum4052.internal.invalid^^ciatisu^^evelites2448.www.host^^uid^^Bono^^citatio^^aliquide^^1529380009^^medium^^onsequa^^seddoe^^quisnost7124.api.domain^^tla^^uidexea^^odtem^^nvolupt^^stia^^neavolu^^tsedqui^^ueporroq^^writ^^ema^^ioffici^^agni^^tat^^metconse +10:49:23 SymantecServer riame5318.www5.example: Site: https://internal.example.com/itinvolu/urerepre.jpg?ditem=did#BCS,Server: idex58.api.host,Domain: iaturEx4974.api.localdomain,207 ^^ita2191.www5.invalid^^amquis^^iatquovo4868.test^^uraut^^reetdol^^umtotam^^itaedi^^10.72.200.11^^10.132.171.142^^01:00:5e:ef:6c:af^^01:00:5e:5b:b9:9d^^tsunti^^ero^^iusmodi^^1530614963^^high^^caecat^^oreetd^^madmi2948.internal.lan^^eleumiur^^ididun^^edi6108.internal.domain^^1^^3^^squa^^1530614963^^1530614963^^4662^^atisetq^^emagnama^^stqui^^itemp^^ipsa^^ipsumqui^^tisu^^nse^^sci^^itse^^tco^^nnumqua^^erit^^lorsitam^^2001:db8::325d4a06:86d5f940^^2001:db8::d5c0e730:7529c510^^4574^^1953^^7096^^quaera^^5100^^https://mail.example.com/ulamc/ncid.jpg?emipsu=icaboNem#Except^^https://internal.example.org/maliquam/mav.gif?ecill=ventore#imi^^uptatemU^^1.132^^liqua +%NICWIN-4-Application_45_Symantec: Application,rn=nesciu cid=cer eid=molestia,volu Jul 17 17:51:58 2018,occ,Symantec AntiVirus,SYSTEM,Information,reverita794.mail.domain,ten. string-data=[ Scan type: cola Event: success Security risk detected: ame File: que Location: sect Computer: ing User: nis Action taken:cancel Date found: billoinv] +August 1 00:54:32 col6521.mail.domain SymantecServer: Site: https://mail.example.com/enby/teveli.html?dolor=CSedut#atatn,Server: utal7661.www.test,Domain: caecatcu5496.www.test,The 302452743 ^^tec4011.mail.home^^ate^^uptatem^^siarchi^^dminim^^1533084872^^very-high^^Nemo^^itse^^lillumq4387.www5.localhost^^Qui^^turExce^^sse^^quine^^utemvel^^exercita^^emaperi^^aspernat^^ddoei^^nihi^^umfu^^inesc^^uiavolu^^loremagn +%NICWIN-4-Application_45_Symantec: Application,rn=nostru cid=edd eid=nisi,sciun Aug 15 07:57:06 2018,natuserr,Symantec AntiVirus,SYSTEM,Information,ipi563.api.lan,asnulap. string-data=[ Scan type: atnula Event: failure Security risk detected: dutpe File: modtem Location: eriameaq Computer: irured User: anti Action taken:accept Date found: tani] +14:59:40 SymantecServer uptatemU1147.mail.corp: mqu3327.internal.host,Category: plic,oremq,"Connection reset +22:02:15 SymantecServer remape5128.internal.home: Site: https://www5.example.org/eosq/tanimi.htm?lumdolo=volu#eser,Server: quisn1387.invalid,302452736 ^^sit3373.api.localdomain^^isnos^^emp42.mail.test^^ipisc^^roinB^^olori^^omm^^1536789735^^medium^^rissus^^abo^^ecatcupi4759.internal.local^^atevelit^^tenb^^ritati^^architec^^era^^ptatem^^remaperi^^isi^^ssecill^^tisetq^^mmodico^^mquae^^sunde^^sum +September 27 05:04:49 tatema826.www.localhost SymantecServer: mco1751.www.localdomain,SHA-256:tation,MD-5:tot,"[SID: veleumi] 5377 ^^iumt +October 11 12:07:23 sciun6000.www.test SymantecServer: dictasu7340.internal.invalid,"[SID: Cicero] 302450944 ^^antiu4203.www.host^^asnulapa^^hende^^olesti^^ntmolli^^1539259643^^low^^eufu^^tame^^ipsu7538.www5.host^^acom^^lamc^^squa^^Cic^^aturveli^^lica^^Exc^^amvolup^^velill^^oidentsu^^uaea^^rehender^^rep^^iusmod +19:09:57 SymantecServer aevitaed6618.localhost: labor3547.www5.localhost,"[SID: erci] 257 ^^quovolup +November 9 02:12:32 tlaborio5210.www5.lan SymantecServer: seq3479.internal.domain,SHA-256:uto,MD-5:eetdo,"[SID: untincul] 301 ^^upta3770.internal.localhost^^ore^^onse^^10.40.133.90^^10.171.13.85^^tateveli^^sequatu^^1541729552^^medium^^dex^^rsintocc^^iusmo5734.internal.invalid^^tion^^itae^^dita2048.www5.home^^4^^1467^^5002^^1^^1541729552^^1541729552^^5934^^usci^^3^^rittenby^^Block all other IP traffic and log^^gni^^ritq^^01:00:5e:57:68:87^^01:00:5e:31:f2:97^^mqu^^bor^^piscinge^^ectobe^^uisaute^^orema^^poris^^uptat^^colabor^^bor^^sequ^^noru +November 23 09:15:06 cons392.domain SymantecServer: Site: https://www.example.com/aecatcu/sed.html?eroi=snu#tconsect,Server: stru3362.corp,"Retry timestamp is over the maximum retry window, switching to regular schedule run. +16:17:40 SymantecServer tionevol7606.www.localhost: Site: https://api.example.net/sunti/dipiscin.htm?ovolup=olest#veniamq,Server: uisno561.internal.home,"302452816 ^^omm3591.internal.invalid^^edq^^ngelits2743.www5.host^^incidunt^^tatnonp^^abi^^nimave^^1544199460^^high^^idexeaco^^siu^^inrepr7369.www.domain^^ore^^lore^^tatemac^^tamet^^laparia^^quid^^ehen^^eseru^^aperiam^^uioffic^^atis^^ectobe^^rehender^^corpori +December 21 23:20:14 cons7043.api.lan SymantecServer: Site: https://api.example.net/utlab/hilm.txt?lor=untutla#ons,Server: uam6380.internal.lan,302452808 ^^sed1665.internal.local^^rainci^^olupt717.invalid^^iano^^dexerci^^fdeFi^^tlabori^^1545434414^^very-high^^ritquiin^^untutl^^alorum1804.mail.test^^sequatur^^psum^^ano^^ame^^cipitlab^^venia^^rroquis^^tisu^^ratione^^aturvel^^Neque^^ueipsa^^assit^^ffici +%NICWIN-4-Application_45_Symantec: Application,rn=itquii cid=umdolore eid=iuntNequ,corp Jan 5 06:22:49 2019,trudexe,Symantec AntiVirus,SYSTEM,Information,queporr7029.internal.test,quidex. string-data=[ Scan type: iatqu Event: unknown Security risk detected: ips File: modo Location: ela Computer: con User: unti Action taken:block Date found: tcupidat] +13:25:23 SymantecServer veli765.www.corp: Site: https://www.example.net/queip/antiu.txt?nisiuta=cipitla#ditautf,Server: oluptasn909.www5.example,Domain: imadm2803.api.local,Admin: eet,5121 ^^onpro +%SymantecEP: 302^^exea6833.www.example^^ictas1247.www5.example^^incul^^iadol^^10.31.231.57^^10.155.163.6^^que^^urQui^^1549139277^^low^^taliquip^^maliquam^^upidat1328.internal.localhost^^odico^^sistenat^^urExcep6087.www5.localhost^^1^^6324^^558^^1^^1549139277^^1549139277^^2952^^mqu^^doloremq^^velil^^mdolo^^poris^^amvo^^01:00:5e:fc:5b:c7^^01:00:5e:e9:19:80^^imv^^norumetM^^iac^^itessequ^^iaturExc^^orsit^^tamrema^^eos^^quameius^^ciati^^nemullam^^sequu +%SymantecEP-eleumiur: chite5632.test^^1981^^etc^^4097 ^^lorem +10:33:06 SymantecServer mveleum2688.api.host: 302452816 ^^nisiut1750.internal.invalid^^oen^^tsunti^^alorum^^aeratvo^^1551609186^^high^^les^^paquioff^^tesseci33.internal.example^^Bonorum^^met^^nost^^sequa^^dquiaco^^mmodoco^^emagn^^susci^^eursin^^siutali^^osa^^olabor^^ent^^secil +17:35:40 SymantecServer stiaecon2284.www5.host: Site: https://internal.example.net/agnama/commodi.gif?snost=nsequun#quovo,Server: amquaera63.www5.lan,Domain: audant2228.invalid,302452736 ^^ptasnula2158.internal.host^^uptasnul^^redol^^esciu^^dolorinr^^1552844140^^very-high^^auto^^edquian^^alo7567.www5.test^^umquid^^proident^^quisnos^^umet^^nima^^aria^^ugi^^econ^^aaliquaU^^sitvol^^temse^^henderi^^Sedu^^dolore +00:38:14 SymantecServer metMal6112.mail.test: Site: https://api.example.net/orsit/ntium.html?rudexer=Exc#atvol,Server: onse3264.example,Domain: scingeli5972.invalid,The 275 ^^The process sumq.exe can not lock the process status table. The process status has been locked by the server idest4209.api.domain (mdolorem) since 2019-04-01T00:38:14Z. +April 15 07:40:49 amqu4988.www5.example SymantecServer: Site: https://www5.example.net/scinge/ofde.html?oinvento=amcorpor#sumqu,Server: sundeomn1396.mail.corp,Domain: odiconse1995.www.home,The 301 ^^emvel4391.localhost^^quelaud^^exer3621.www5.test^^uaerat^^animid^^2001:db8::dc285270:4466123b^^2001:db8::3d31ae1d:efe5bf87^^10.216.134.62^^10.134.6.246^^rnatu^^ico^^1555314049^^medium^^urQuis^^umetMa^^tisetqua6007.api.home^^dun^^nonpro^^its1301.www.test^^1^^6252^^998^^2^^1555314049^^1555314049^^4304^^quuntu^^0^^uaera^^iatisund^^ist^^equatur^^01:00:5e:78:f9:ee^^01:00:5e:db:43:45^^oin^^ntexpl^^oquisqua^^ovo^^lupta^^stenatus^^tiumtota^^itation^^eturad^^rumS^^nihil^^psu +Apr 29 2:43:23 ventorev7571.www5.corp SymantecServer: Site: https://www5.example.com/quamni/ents.gif?leum=olabor#modte,Server: uianonn4552.internal.invalid,Domain: quaUteni2026.lan,Remote: , Remote: untmoll,Remote: 10.202.96.232,Remote: ngeli,Unknown,OTHERS,,Begin: 2019-4-29 2:43:23,End: 2019-4-29 2:43:23,Occurrences: 569,Application: exerc,Location: boNemo,User: nat,Domain: atnu2000.internal.corp,Local Port 4012,Remote Port 5074,CIDS Signature ID: 5057,CIDS Signature string: tobe,CIDS Signature SubID: equep,Intrusion URL:https://internal.example.com/umiu/veritat.jpg?conse=equamni#ursin,Intrusion Payload URL:orissus +21:45:57 SymantecServer uelaud897.mail.example: Site: https://example.org/etcon/its.html?imven=eddoeius#eniamqu,Server: mdoloree4076.lan,"302449156 ^^uamestqu7272.internal.host^^ectetur^^umSectio5136.www.local^^omn^^imidestl^^sequat^^lmol^^1557783957^^very-high^^olorinre^^quiacons^^untexpli391.internal.domain^^Finibus^^num^^ipitlabo^^sumqu^^epreh^^urs^^stquidol^^doconse^^taspern^^cit^^isautemv^^tatemse^^uradi^^velit +04:48:31 SymantecServer reetdo5853.test: entsun4896.www5.localdomain,Category: uepo,eomni,"308 ^^cepteur6876.internal.host^^iutaliq^^quide2790.mail.invalid^^epre^^quis^^2001:db8::7d97d66e:3eeaa2cc^^2001:db8::81638ee3:4962a1e4^^10.56.95.160^^10.29.149.77^^siutaliq^^liquaUt^^1559018911^^low^^modo^^sequ^^eniamqu1863.api.lan^^utal^^maccusa^^quipex2615.www5.localhost^^3^^2305^^5823^^1^^1559018911^^1559018911^^3992^^Section^^ididunt^^luptatem^^Block all other IP traffic and log^^onofdeFi^^xeacom^^01:00:5e:9f:99:04^^01:00:5e:96:a7:ec^^aveni^^rema^^nby^^nofde^^ritinvol^^mSecti^^tionula^^adolors^^cididunt^^dolore^^sunte^^imadm +11:51:06 SymantecServer uscipitl2176.api.test: Site: https://mail.example.com/peria/nculpaq.gif?roquisqu=acommod#eetd,Server: orin7130.www5.test,Domain: ratione4963.www.example,301 ^^tationul5346.internal.localdomain^^edquiano^^ugia146.www5.corp^^uisnostr^^lit^^2001:db8::f3063373:92b97c88^^2001:db8::5b387f17:aa0c6698^^10.70.185.238^^10.173.98.74^^orsitame^^quame^^1560253866^^high^^tempora^^liquip^^tionul7555.www5.lan^^cin^^itsedqu^^remipsum5485.api.local^^2^^1775^^5161^^2^^1560253866^^1560253866^^2128^^lupta^^0^^reetdo^^Block all other IP traffic and log^^gnaal^^ntsunt^^01:00:5e:a7:37:7d^^01:00:5e:f3:43:d1^^nvo^^tenby^^aaliqu^^quaeabil^^umq^^ptate^^ade^^eip^^entor^^turExce^^ncidid^^modi +%NICWIN-4-Application_45_Symantec: Application,rn=nisiutal cid=ptassi eid=mtota,lit Jun 25 18:53:40 2019,odite,Symantec AntiVirus,SYSTEM,Information,ilmoles4582.api.lan,tqui. string-data=[ Scan type: tautfug Event: success Security risk detected: metMalo File: uatur Location: uia Computer: upid User: dolor Action taken:allow Date found: itsed] +01:56:14 SymantecServer giatquo3267.www.lan: quiado6095.mail.localhost,Category: ioffici,proide,"Connected to Management Server 10.8.24.150. +July 24 08:58:48 aut1615.mail.example SymantecServer: tatis3791.www5.test,SHA-256:iceroinB,MD-5:lab,"[SID: tobe] 2 ^^odite7850.internal.corp^^asnula6304.internal.example^^elitse^^cidun7605.www5.example^^10.201.112.171^^rinrepre^^modicons^^uidolor^^tenatu^^deny^^2019-07-24T08:58:48Z^^rrorsit^^eprehen^^1470^^diconseq^^runtm +%SymantecEP: 302448900^^tion595.internal.corp^^laboru6211.mail.local^^emporai^^mqu^^ationu^^gna^^1565193683^^medium^^temUt^^quaturQ^^ssitasp7492.test^^veri^^ssitaspe^^eserun^^niamqu^^quianonn^^uines^^rat^^mSect^^perspic^^mulla^^vol^^consect^^iqu^^uptate +23:03:57 SymantecServer ntsun948.home: ima1551.www.invalid,"[SID: atemse] 302452802 ^^ntiumtot6232.api.corp^^npro^^estq2131.api.localdomain^^atn^^luptasnu^^tasu^^exeac^^1566428637^^very-high^^itesse^^gitse^^rem6392.internal.domain^^amea^^upt^^did^^rspiciat^^iaec^^lab^^nimi^^uscipit^^tuserror^^ionul^^exercit^^tetur^^ion^^olu +06:06:31 SymantecServer ididuntu2165.api.host: Site: https://internal.example.net/ommo/ddoeius.htm?ten=turadipi#liquide,Server: remipsum2332.api.domain,Domain: gel3984.mail.example,The 303235079 ^^ree4785.internal.localdomain^^edolori^^giatq7007.www.domain^^ntinc^^ptatev^^orumSec^^totamr^^1567663591^^very-high^^pidatat^^perna^^upi3.www.home^^temUten^^iquaUt^^caecatc^^ationula^^abo^^onofde^^eriame^^sunde^^otamrema^^madminim^^orsitam^^tiumto^^psumdol^^atcup +%SymantecEP-orem: 10.90.66.238^^itess2258.api.lan^^eprehend3993.internal.test^^nulap^^ianonnu4387.www.domain^^10.59.140.108^^5^^^^llumdolo^^sequines^^reprehe^^block^^2019-09-19T13:09:05Z^^agna^^laud^^5043^^abor^^esse +October 3 20:11:40 identsu4913.mail.localdomain SymantecServer: Site: https://api.example.com/uptatemq/ctionof.jpg?risni=ovolupt#tionu,Server: ntium1347.www.test,Domain: econse4373.www.invalid,221 ^^tdo6940.mail.local^^fugiat^^epteur5858.www5.local^^rissus^^consequa^^idolor^^ratvo^^10.38.136.160^^10.45.116.216^^01:00:5e:b5:7b:f4^^01:00:5e:38:9e:75^^psu^^epr^^citat^^1570133500^^low^^imad^^vol^^rin5257.www5.test^^psa^^sumquia^^ess3012.mail.test^^1^^1^^mnisiste^^1570133500^^1570133500^^490^^elitess^^emeumfu^^tMalorum^^oremip^^orsitvo^^eacomm^^iuntNeq^^uiadolor^^emUt^^epreh^^eritq^^uaeratv^^quiaco^^todi^^2001:db8::655ca99c:30b2c2da^^2001:db8::16767bb2:194dacee^^4364^^7638^^1297^^osam^^2852^^https://mail.example.com/quaeabil/uredolo.htm?atnul=eroinB#beataev^^https://internal.example.org/aaliqua/atiset.txt?tat=uamestq#eri^^amv^^1.6400^^mveni +October 18 03:14:14 quiadolo7345.www5.example SymantecServer: Site: https://www.example.com/cte/ntu.gif?ercitati=dolo#iutaliq,Server: inimv3115.api.local,"302449409 ^^eumfug6647.home^^equ^^ptatemse^^onulamc^^itanim^^1571368454^^low^^metco^^oremeumf^^aed3193.api.lan^^animid^^sunti^^equa^^rure^^quat^^inim^^corp^^inBCSedu^^ptassita^^ritt^^magna^^tatemq^^sequ^^quii +November 1 10:16:48 eritin5441.api.example SymantecServer: Site: https://www5.example.org/cid/aturauto.gif?ciduntut=ita#identsu,Server: uep5156.mail.invalid,257 ^^atemq +November 15 17:19:22 udexerci658.mail.test SymantecServer: aveniamq3804.api.corp,Category: quaturQ,tenat,"302449166 ^^lillumqu7256.www5.invalid^^audantiu^^pici^^deFinibu^^pitlab^^1573838362^^low^^sum^^tamre^^rumSec5271.home^^erspi^^evolupt^^unt^^emaper^^nse^^temUt^^onseq^^icia^^amnihilm^^isquames^^evelite^^eumfugia^^roquis^^porinci +%NICWIN-4-Application_45_Symantec: Application,rn=eaco cid=piscing eid=reseosqu,acommo Nov 30 00:21:57 2019,tiaecons,Symantec AntiVirus,SYSTEM,Information,volu7499.www5.localhost,edutpe. string-data=[ Scan type: uip Event: unknown Security risk detected: redolori File: Uteni Location: sitamet Computer: duntu User: sedqui Action taken:block Date found: rnatu] +07:24:31 SymantecServer seosq1937.internal.localdomain: Site: https://internal.example.net/eca/uidolor.gif?nostru=tatemacc#cididu,Server: hil1908.mail.localdomain,Domain: porissu4165.example,Admin: dolore,302449409 ^^mol400.domain^^aud^^oNem5850.www.example^^yCiceroi^^atis^^esciuntN^^tNequepo^^1576308271^^very-high^^mnisi^^emporai^^gnama2349.mail.domain^^eritinvo^^ntiu^^ccusan^^ura^^pida^^remeumf^^ipexeaco^^itvo^^psumquia^^nisisten^^quamqu^^ecillumd^^tatisetq^^con diff --git a/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json new file mode 100644 index 00000000000..9b9183fe35a --- /dev/null +++ b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json @@ -0,0 +1,3759 @@ +[ + { + "event.code": "atemsequ", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "06:09:59 SymantecServer proident2802.home: Site: https://www.example.com/tia/oloremqu.txt?quis=orisn#cca,Server: dolo1720.api.example,Domain: roinBCS1133.lan,Admin: eataevi,302776834 ^^byC4864.www.host^^nevolu^^equat^^atemsequ^^nci^^1454047799^^high^^eFini^^amco^^exe7309.internal.local^^orsitame^^reprehe^^rsitam^^ommodic^^mipsu^^consec^^taliquip^^psumq^^atcup^^snos^^iquaUte^^tconsec^^nsequat^^taev", + "fileset.name": "endpointprotection", + "host.hostname": "exe7309.internal.local", + "input.type": "log", + "log.level": "high", + "log.offset": 0, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "exe7309.internal.local" + ], + "rsa.internal.event_desc": "rsitam", + "rsa.internal.messageid": "302776834", + "rsa.misc.event_source": "reprehe", + "rsa.misc.reference_id": "atemsequ", + "rsa.misc.severity": "high", + "rsa.network.domain": "byC4864.www.host", + "server.domain": "byC4864.www.host", + "service.type": "symantec", + "source.address": "exe7309.internal.local", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "usan", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%SymantecEP: 303235083^^reetdolo2451.www.example^^rumet5772.mail.corp^^nido^^llam2073.internal.localdomain^^iqu^^ollit^^usan^^aper^^1455282753^^very-high^^olo^^uaera^^sitas4259.mail.corp^^atquovo^^iumto^^aboreetd^^sun^^essecill^^Duisau^^psum^^eriame^^lorema^^avol^^labor^^atuse^^ddoeiu^^enb", + "fileset.name": "endpointprotection", + "group.name": "iqu", + "host.hostname": "sitas4259.mail.corp", + "host.name": "llam2073.internal.localdomain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 401, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "llam2073.internal.localdomain", + "sitas4259.mail.corp" + ], + "rsa.internal.event_desc": "aboreetd", + "rsa.internal.messageid": "303235083", + "rsa.misc.event_source": "iumto", + "rsa.misc.group": "iqu", + "rsa.misc.reference_id": "usan", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "llam2073.internal.localdomain" + ], + "rsa.network.domain": "rumet5772.mail.corp", + "server.domain": "rumet5772.mail.corp", + "service.type": "symantec", + "source.address": "sitas4259.mail.corp", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "rehe", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "February 26 20:15:08 luptat6494.www.example SymantecServer: Site: https://example.org/umdolo/onproide.jpg?oloremi=pitla#ccu,Server: urE6771.www5.example,Domain: agna7678.internal.host,The 302450432 ^^equa3653.internal.host^^errorsi^^des^^rehe^^ume^^1456517708^^medium^^ono^^stru^^olupt3702.www.localhost^^tinvol^^tectobe^^colabor^^iusmodt^^etdolo^^inv^^agnaali^^llitani^^inima^^tlabo^^suntexp^^ugiatnu^^stiae^^nofdeF", + "fileset.name": "endpointprotection", + "host.hostname": "olupt3702.www.localhost", + "input.type": "log", + "log.level": "medium", + "log.offset": 692, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "olupt3702.www.localhost" + ], + "rsa.internal.event_desc": "colabor", + "rsa.internal.messageid": "302450432", + "rsa.misc.event_source": "tectobe", + "rsa.misc.reference_id": "rehe", + "rsa.misc.severity": "medium", + "rsa.network.domain": "equa3653.internal.host", + "server.domain": "equa3653.internal.host", + "service.type": "symantec", + "source.address": "olupt3702.www.localhost", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "Invalid", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "03:17:42 SymantecServer onse254.www5.localdomain: tat6349.internal.lan,\"[SID: upt] Invalid log record:uiineavo", + "fileset.name": "endpointprotection", + "host.hostname": "tat6349.internal.lan", + "host.name": "onse254.www5.localdomain", + "input.type": "log", + "log.offset": 1109, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "onse254.www5.localdomain", + "tat6349.internal.lan" + ], + "rsa.db.index": "uiineavo", + "rsa.internal.event_desc": "Invalid log record", + "rsa.internal.messageid": "Invalid", + "rsa.network.alias_host": [ + "onse254.www5.localdomain" + ], + "rsa.time.event_time_str": "03:17:42", + "service.type": "symantec", + "source.address": "tat6349.internal.lan", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "782", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "March 26 10:20:16 emeumfu7783.www5.localhost SymantecServer: utlabore5937.api.localhost,Category: mnisist,sedd,782 ^^uatD", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 1220, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.internal.event_desc": "uatD", + "rsa.internal.messageid": "782", + "rsa.misc.reference_id": "782", + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "gnam", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%SymantecEP: 302449409^^rehend1098.host^^numqu3768.internal.lan^^equi^^agnaali^^gnam^^tat^^1460222571^^medium^^lumqui^^itinvo^^mdolore2062.mail.host^^iavolu^^den^^tutla^^olorema^^iades^^siarchi^^datatn^^mqu^^apariat^^tlabore^^untmolli^^remi^^saute^^ercit", + "fileset.name": "endpointprotection", + "host.hostname": "mdolore2062.mail.host", + "input.type": "log", + "log.level": "medium", + "log.offset": 1342, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "mdolore2062.mail.host" + ], + "rsa.internal.event_desc": "tutla", + "rsa.internal.messageid": "302449409", + "rsa.misc.event_source": "den", + "rsa.misc.reference_id": "gnam", + "rsa.misc.severity": "medium", + "rsa.network.domain": "numqu3768.internal.lan", + "server.domain": "numqu3768.internal.lan", + "service.type": "symantec", + "source.address": "mdolore2062.mail.host", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.action": "block", + "event.code": "Application_45", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%NICWIN-4-Application_45_Symantec: Application,rn=mveleu cid=nofdeFin eid=sequam,temvel Apr 24 00:25:25 2016,ris,Symantec AntiVirus,SYSTEM,Information,nisi6901.mail.home,ecte. string-data=[ Scan type: tinvolu Event: unknown Security risk detected: ntiumdo File: autfu Location: gnaaliq Computer: mni User: rem Action taken:block Date found: icabo]", + "file.directory": "ntiumdo", + "file.name": "autfu", + "fileset.name": "endpointprotection", + "host.hostname": "nisi6901.mail.home", + "input.type": "log", + "log.offset": 1597, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "nisi6901.mail.home" + ], + "related.user": [ + "rem" + ], + "rsa.internal.event_desc": "ecte", + "rsa.internal.messageid": "Application_45", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "tinvolu", + "rsa.misc.msgIdPart1": "Application", + "rsa.misc.msgIdPart2": "45", + "rsa.misc.result": "unknown", + "service.type": "symantec", + "source.address": "nisi6901.mail.home", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "rem" + }, + { + "event.code": "amc", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "May 8 07:27:59 uamei2389.internal.example SymantecServer: Site: https://www.example.net/eFi/mexe.html?rpori=ice#oles,Server: edic1626.internal.domain,Domain: ame6223.www5.localhost,Admin: meius,303235076 ^^billo2947.internal.localhost^^umdolo^^uptate^^amc^^cusant^^1462692479^^medium^^orsitam^^siutaliq^^dutp6197.www.test^^nts^^siut^^tconsect^^aquae^^boreetdo^^aturve^^ditemp^^edqui^^nre^^veli^^volupta^^rnatu^^elitse^^ima", + "fileset.name": "endpointprotection", + "host.hostname": "dutp6197.www.test", + "input.type": "log", + "log.level": "medium", + "log.offset": 1945, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "dutp6197.www.test" + ], + "rsa.internal.event_desc": "tconsect", + "rsa.internal.messageid": "303235076", + "rsa.misc.event_source": "siut", + "rsa.misc.reference_id": "amc", + "rsa.misc.severity": "medium", + "rsa.network.domain": "billo2947.internal.localhost", + "server.domain": "billo2947.internal.localhost", + "service.type": "symantec", + "source.address": "dutp6197.www.test", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "vitaedi", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "14:30:33 SymantecServer tdol6162.internal.localdomain: 302449410 ^^nea2083.www5.localhost^^ncididun^^umSe1918.local^^itau^^apariat^^vitaedi^^lorsita^^1463927433^^medium^^dolore^^onsecte^^nBCSedut1502.www5.example^^gitsed^^fugia^^oditautf^^quatu^^veli^^tenim^^rumet^^verita^^sectet^^etdo^^par^^lorin^^pitl^^por", + "fileset.name": "endpointprotection", + "group.name": "itau", + "host.hostname": "nBCSedut1502.www5.example", + "host.name": "umSe1918.local", + "input.type": "log", + "log.level": "medium", + "log.offset": 2368, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "umSe1918.local", + "nBCSedut1502.www5.example" + ], + "rsa.internal.event_desc": "oditautf", + "rsa.internal.messageid": "302449410", + "rsa.misc.event_source": "fugia", + "rsa.misc.group": "itau", + "rsa.misc.reference_id": "vitaedi", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "umSe1918.local" + ], + "rsa.network.domain": "nea2083.www5.localhost", + "server.domain": "nea2083.www5.localhost", + "service.type": "symantec", + "source.address": "nBCSedut1502.www5.example", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "ercit", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "June 5 21:33:08 niamq2003.mail.local SymantecServer: 302449169 ^^oreetd7668.www5.localdomain^^moenimi^^olupt2189.lan^^con^^preh^^ercit^^etMal^^1465162388^^low^^qui^^ritin^^temporin7150.mail.local^^miu^^rationev^^rem^^asper^^idunt^^luptat^^eveli^^plicab^^oremq^^dicta^^taedicta^^ritt^^iaeco^^equaturv", + "fileset.name": "endpointprotection", + "group.name": "con", + "host.hostname": "temporin7150.mail.local", + "host.name": "olupt2189.lan", + "input.type": "log", + "log.level": "low", + "log.offset": 2678, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "olupt2189.lan", + "temporin7150.mail.local" + ], + "rsa.internal.event_desc": "rem", + "rsa.internal.messageid": "302449169", + "rsa.misc.event_source": "rationev", + "rsa.misc.group": "con", + "rsa.misc.reference_id": "ercit", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "olupt2189.lan" + ], + "rsa.network.domain": "oreetd7668.www5.localdomain", + "server.domain": "oreetd7668.www5.localdomain", + "service.type": "symantec", + "source.address": "temporin7150.mail.local", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.action": "block", + "event.code": "Application_45", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%NICWIN-4-Application_45_Symantec: Application,rn=liquaUte cid=alorum eid=obeataev,tempor Jun 20 04:35:42 2016,mUten,Symantec AntiVirus,SYSTEM,Information,emq6633.domain,naaliq. string-data=[ Scan type: remeu Event: failure Security risk detected: dtempo File: tin Location: fugitse Computer: imad User: tinvolup Action taken:block Date found: Sedutpe]", + "file.directory": "dtempo", + "file.name": "tin", + "fileset.name": "endpointprotection", + "host.hostname": "emq6633.domain", + "input.type": "log", + "log.offset": 2978, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "emq6633.domain" + ], + "related.user": [ + "tinvolup" + ], + "rsa.internal.event_desc": "naaliq", + "rsa.internal.messageid": "Application_45", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "remeu", + "rsa.misc.msgIdPart1": "Application", + "rsa.misc.msgIdPart2": "45", + "rsa.misc.result": "failure", + "service.type": "symantec", + "source.address": "emq6633.domain", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "tinvolup" + }, + { + "event.code": "rsintoc", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "11:38:16 SymantecServer rcit2807.mail.invalid: Site: https://www5.example.net/tempor/citatio.jpg?incidid=rure#asiarchi,Server: eaqueips6396.internal.lan,\"302452736 ^^utfug7095.api.corp^^iumtot^^lupta^^rsintoc^^reetdo^^1467632296^^high^^mnisiut^^avolu^^Except6889.www.corp^^umetMal^^asper^^umq^^naal^^equun^^sitvo^^temquiav^^obeata^^tatemU^^mad^^onse^^redol^^gnaa^^mod", + "fileset.name": "endpointprotection", + "host.hostname": "Except6889.www.corp", + "input.type": "log", + "log.level": "high", + "log.offset": 3331, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "Except6889.www.corp" + ], + "rsa.internal.event_desc": "umq", + "rsa.internal.messageid": "302452736", + "rsa.misc.event_source": "asper", + "rsa.misc.reference_id": "rsintoc", + "rsa.misc.severity": "high", + "rsa.network.domain": "utfug7095.api.corp", + "server.domain": "utfug7095.api.corp", + "service.type": "symantec", + "source.address": "Except6889.www.corp", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "umf", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "18:40:50 SymantecServer toditaut7889.internal.invalid: Site: https://api.example.org/eprehend/asnu.htm?mveleum=tamet#perspici,Server: ationul7731.internal.home,Domain: uto5324.lan,Admin: ccae,302452802 ^^orroqu472.www.localhost^^ver^^erc^^umf^^quames^^1468867250^^medium^^esseq^^aincidun^^quatD1370.invalid^^oloreseo^^iruredol^^veniamqu^^licaboN^^atquo^^cupi^^strude^^eritin^^udan^^yCic^^nder^^mdolore^^Cic^^olorema", + "fileset.name": "endpointprotection", + "host.hostname": "quatD1370.invalid", + "input.type": "log", + "log.level": "medium", + "log.offset": 3699, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "quatD1370.invalid" + ], + "rsa.internal.event_desc": "veniamqu", + "rsa.internal.messageid": "302452802", + "rsa.misc.event_source": "iruredol", + "rsa.misc.reference_id": "umf", + "rsa.misc.severity": "medium", + "rsa.network.domain": "orroqu472.www.localhost", + "server.domain": "orroqu472.www.localhost", + "service.type": "symantec", + "source.address": "quatD1370.invalid", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "suntex", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "August 2 01:43:25 oluptat548.www5.invalid SymantecServer: edolorin2164.example,SHA-256:utaliqu,MD-5:rsi,\"[SID: taliqui] 303235080 ^^mides4759.api.local^^tcu^^iatqu6203.mail.corp^^urExcep^^ema^^suntex^^iacons^^1470102205^^medium^^esci^^uov^^quaeab2653.mail.localdomain^^dipiscin^^olup^^aco [name]:inimav [class]:acomm [guid]:iutali [deviceID]:itat^^stlaboru^^ate^^mporainc^^xea^^taed^^umdolo^^ntiu^^radipisc^^Cice^^taedi^^tquido", + "fileset.name": "endpointprotection", + "group.name": "urExcep", + "host.hostname": "quaeab2653.mail.localdomain", + "host.name": "iatqu6203.mail.corp", + "input.type": "log", + "log.level": "medium", + "log.offset": 4115, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "iatqu6203.mail.corp", + "quaeab2653.mail.localdomain" + ], + "rsa.db.index": "itat", + "rsa.internal.event_desc": "aco", + "rsa.internal.messageid": "303235080", + "rsa.misc.checksum": "rsi", + "rsa.misc.event_source": "olup", + "rsa.misc.group": "urExcep", + "rsa.misc.hardware_id": "iutali", + "rsa.misc.obj_name": "inimav", + "rsa.misc.obj_type": "acomm", + "rsa.misc.reference_id": "suntex", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "iatqu6203.mail.corp" + ], + "rsa.network.domain": "mides4759.api.local", + "server.domain": "mides4759.api.local", + "service.type": "symantec", + "source.address": "quaeab2653.mail.localdomain", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "equamnih", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "August 16 08:45:59 uptate1049.www.corp SymantecServer: Site: https://www.example.org/tetura/imadmini.jpg?eavol=osamnis#temaccu,Server: scipitl1247.www5.host,Domain: caboNem1043.internal.home,The 302450688 ^^litesseq6785.host^^tob^^dolores^^equamnih^^taliqui^^1471337159^^low^^itempo^^orumw^^redol124.mail.invalid^^radipis^^ctetu^^orinrep^^quiavol^^nrepreh^^ratv^^alorum^^mquisn^^atq^^erspi^^iqu^^niamqu^^equamnih^^icab", + "fileset.name": "endpointprotection", + "host.hostname": "redol124.mail.invalid", + "input.type": "log", + "log.level": "low", + "log.offset": 4543, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "redol124.mail.invalid" + ], + "rsa.internal.event_desc": "orinrep", + "rsa.internal.messageid": "302450688", + "rsa.misc.event_source": "ctetu", + "rsa.misc.reference_id": "equamnih", + "rsa.misc.severity": "low", + "rsa.network.domain": "litesseq6785.host", + "server.domain": "litesseq6785.host", + "service.type": "symantec", + "source.address": "redol124.mail.invalid", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "veleum", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "15:48:33 SymantecServer tobeatae2512.api.local: Site: https://www.example.org/luptat/deriti.gif?uradi=velitsed#magnaali,Server: mwrit4009.www.localdomain,Domain: equatDu1710.internal.host,303169538 ^^prehe1037.api.example^^eiusmod^^itation^^veleum^^piciatis^^1472572113^^low^^henderi^^iusmodt^^enim5999.mail.localhost^^ersp^^iame^^orroquis^^aquio^^riatu^^loinve^^tanimid^^isnostru^^nofdeFi^^aquioff^^saqu^^remips^^illoi^^reetdolo", + "fileset.name": "endpointprotection", + "host.hostname": "enim5999.mail.localhost", + "input.type": "log", + "log.level": "low", + "log.offset": 4962, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "enim5999.mail.localhost" + ], + "rsa.internal.event_desc": "orroquis", + "rsa.internal.messageid": "303169538", + "rsa.misc.event_source": "iame", + "rsa.misc.reference_id": "veleum", + "rsa.misc.severity": "low", + "rsa.network.domain": "prehe1037.api.example", + "server.domain": "prehe1037.api.example", + "service.type": "symantec", + "source.address": "enim5999.mail.localhost", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "ommo", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "September 13 22:51:07 otamrem6743.www5.domain SymantecServer: Site: https://internal.example.com/consecte/pteurs.gif?onulamco=ons#tiaecon,Server: uaturve3425.www.lan,Domain: tiumdol6695.internal.local,The 302449410 ^^CSe4501.example^^nculpaq^^reseosqu1629.mail.lan^^utemvel^^epteur^^ommo^^iame^^1473807067^^medium^^busBonor^^stquido^^rsitvolu3596.www.test^^uameiusm^^adm^^gelitsed^^tiumto^^cor^^odoco^^oin^^itseddoe^^elites^^rum^^erc^^ehende^^tutla^^licaboNe", + "fileset.name": "endpointprotection", + "group.name": "utemvel", + "host.hostname": "rsitvolu3596.www.test", + "host.name": "reseosqu1629.mail.lan", + "input.type": "log", + "log.level": "medium", + "log.offset": 5392, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "reseosqu1629.mail.lan", + "rsitvolu3596.www.test" + ], + "rsa.internal.event_desc": "gelitsed", + "rsa.internal.messageid": "302449410", + "rsa.misc.event_source": "adm", + "rsa.misc.group": "utemvel", + "rsa.misc.reference_id": "ommo", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "reseosqu1629.mail.lan" + ], + "rsa.network.domain": "CSe4501.example", + "server.domain": "CSe4501.example", + "service.type": "symantec", + "source.address": "rsitvolu3596.www.test", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "ditautf", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "September 28 05:53:42 nat4367.www5.example SymantecServer: atiset4383.mail.localhost,SHA-256:isiut,MD-5:dtemp,\"[SID: ici] 303235081 ^^nisiuta7623.www.local^^dtempo^^atnula^^ditautf^^itametc^^1475042022^^high^^olup^^remipsu^^tan3170.api.example^^doconse^^etdol^^dolorsi^^nturmag^^tura^^osquirat^^equat^^aliquid^^usantiu^^idunt^^atqu^^naturau^^olorsita^^lor", + "fileset.name": "endpointprotection", + "host.hostname": "tan3170.api.example", + "input.type": "log", + "log.level": "high", + "log.offset": 5851, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "tan3170.api.example" + ], + "rsa.internal.event_desc": "dolorsi", + "rsa.internal.messageid": "303235081", + "rsa.misc.checksum": "dtemp", + "rsa.misc.event_source": "etdol", + "rsa.misc.reference_id": "ditautf", + "rsa.misc.severity": "high", + "rsa.network.domain": "nisiuta7623.www.local", + "server.domain": "nisiuta7623.www.local", + "service.type": "symantec", + "source.address": "tan3170.api.example", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "Cleaned", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "12:56:16 SymantecServer eseruntm4247.mail.local: magnaal5792.www5.domain,Category: nula,quiacons,Cleaned up 7519 LiveUpdate downloaded content", + "fileset.name": "endpointprotection", + "host.hostname": "magnaal5792.www5.domain", + "host.name": "eseruntm4247.mail.local", + "input.type": "log", + "log.offset": 6207, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "eseruntm4247.mail.local", + "magnaal5792.www5.domain" + ], + "rsa.counters.dclass_c1": 7519, + "rsa.counters.dclass_c1_str": "Number of Virus Cleaned.", + "rsa.internal.event_desc": "Cleaned up downloaded content.", + "rsa.internal.messageid": "Cleaned", + "rsa.network.alias_host": [ + "eseruntm4247.mail.local" + ], + "rsa.time.event_time_str": "12:56:16", + "service.type": "symantec", + "source.address": "magnaal5792.www5.domain", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "saquaea", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "19:58:50 SymantecServer luptatem3834.lan: edq5397.www.test,\"[SID: ntut] 302452801 ^^emullam7151.lan^^quiad^^ihilmole^^saquaea^^ons^^1477511930^^high^^quas^^gia^^itatio6735.api.example^^eddoei^^rsin^^rumSec^^orp^^iaturE^^imve^^essequam^^ueporro^^aliqu^^upt^^orum^^Bonoru^^madminim^^ents", + "fileset.name": "endpointprotection", + "host.hostname": "itatio6735.api.example", + "input.type": "log", + "log.level": "high", + "log.offset": 6350, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "itatio6735.api.example" + ], + "rsa.internal.event_desc": "rumSec", + "rsa.internal.messageid": "302452801", + "rsa.misc.event_source": "rsin", + "rsa.misc.reference_id": "saquaea", + "rsa.misc.severity": "high", + "rsa.network.domain": "emullam7151.lan", + "server.domain": "emullam7151.lan", + "service.type": "symantec", + "source.address": "itatio6735.api.example", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "onpr", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "November 10 03:01:24 veli578.www.localhost SymantecServer: etdolor1236.mail.invalid,\"[SID: mmod] 302449166 ^^iti7029.www.test^^lorsitam^^tanimid^^onpr^^litseddo^^1478746884^^high^^oremqu^^idex^^radip163.mail.invalid^^eiusmo^^ainc^^miurerep^^lestia^^nde^^snu^^inibusB^^nostrud^^cteturad^^ore^^esse^^veniam^^edquian^^sus", + "fileset.name": "endpointprotection", + "host.hostname": "radip163.mail.invalid", + "input.type": "log", + "log.level": "high", + "log.offset": 6636, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "radip163.mail.invalid" + ], + "rsa.internal.event_desc": "miurerep", + "rsa.internal.messageid": "302449166", + "rsa.misc.event_source": "ainc", + "rsa.misc.reference_id": "onpr", + "rsa.misc.severity": "high", + "rsa.network.domain": "iti7029.www.test", + "server.domain": "iti7029.www.test", + "service.type": "symantec", + "source.address": "radip163.mail.invalid", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.7.164.113" + ], + "event.code": "Active", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "10:03:59 SymantecServer vol866.api.domain: bore5546.www.local,Category: labo,lpaquiof,\"Active Response that started at quu is disengaged. The traffic from IP address 10.207.125.114 was blocked for 150.301000 second(s). ,Local: 10.175.83.138,Local: scip,Remote: Finibus,Remote: 10.7.164.113,Remote: ncididun,tcp,outbound,,Begin: 2016-11-24 10:03:59,End: 2016-11-24 10:03:59,Occurrences: 1901,Application: est,Location: ali,User: remip, Domain: rere228.invalid", + "fileset.name": "endpointprotection", + "host.hostname": "bore5546.www.local", + "host.ip": "10.207.125.114", + "host.name": "vol866.api.domain", + "input.type": "log", + "log.offset": 6955, + "network.application": "est", + "network.direction": "outbound", + "network.protocol": "tcp", + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "vol866.api.domain", + "bore5546.www.local" + ], + "related.ip": [ + "10.7.164.113", + "10.175.83.138", + "10.207.125.114" + ], + "related.user": [ + "remip" + ], + "rsa.counters.dclass_c1": 1901, + "rsa.counters.dclass_c1_str": "Occurences.", + "rsa.internal.event_desc": "Traffic from IP address blocked.", + "rsa.internal.messageid": "Active", + "rsa.network.alias_host": [ + "vol866.api.domain" + ], + "rsa.network.domain": "rere228.invalid", + "rsa.time.duration_time": 150.301, + "rsa.time.endtime": "2016-11-24T12:03:59.000Z", + "rsa.time.event_time_str": "10:03:59", + "rsa.time.starttime": "2016-11-24T12:03:59.000Z", + "server.domain": "rere228.invalid", + "service.type": "symantec", + "source.address": "bore5546.www.local", + "source.ip": [ + "10.175.83.138" + ], + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "remip" + }, + { + "event.code": "maperiam", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "December 8 17:06:33 ent4487.api.test SymantecServer: Site: https://example.org/ulamc/cept.html?radip=rchitect#Dui,Server: iameaqu2429.api.invalid,\"302452817 ^^asnulap2567.www5.invalid^^ender^^inc5923.www.test^^oluptat^^roinBCSe^^maperiam^^mSec^^1481216793^^medium^^nseq^^borumSec^^tatemseq5797.home^^tam^^oremip^^eufugi^^dunt^^ames^^amni^^tatio^^amquisno^^modoc^^magnam^^uinesc^^cid^^emi^^Bonorum", + "fileset.name": "endpointprotection", + "group.name": "oluptat", + "host.hostname": "tatemseq5797.home", + "host.name": "inc5923.www.test", + "input.type": "log", + "log.level": "medium", + "log.offset": 7414, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "inc5923.www.test", + "tatemseq5797.home" + ], + "rsa.internal.event_desc": "eufugi", + "rsa.internal.messageid": "302452817", + "rsa.misc.event_source": "oremip", + "rsa.misc.group": "oluptat", + "rsa.misc.reference_id": "maperiam", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "inc5923.www.test" + ], + "rsa.network.domain": "asnulap2567.www5.invalid", + "server.domain": "asnulap2567.www5.invalid", + "service.type": "symantec", + "source.address": "tatemseq5797.home", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "destination.ip": [ + "10.217.91.49" + ], + "event.code": "Local:", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "00:09:07 SymantecServer enima7673.api.localhost: sequ6424.www.invalid,Category: its,dolor,Local: ,Local: 10.217.91.49,Local: mquis,Remote: lab,Remote: 10.139.207.36,Remote: mwrit,ipv6-icmp,1,Intrusion ID: itse,Begin: 2016-12-23 12:09:07,End: 2016-12-23 12:09:07,Occurrences: 4319,Application: conse,Location: nimadmin,User: lumqui,Domain: quiavolu6301.www5.localhost", + "fileset.name": "endpointprotection", + "host.hostname": "sequ6424.www.invalid", + "host.name": "enima7673.api.localhost", + "input.type": "log", + "log.offset": 7811, + "network.application": "conse", + "network.direction": "inbound", + "network.protocol": "ipv6-icmp", + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "enima7673.api.localhost", + "sequ6424.www.invalid" + ], + "related.ip": [ + "10.139.207.36", + "10.217.91.49" + ], + "related.user": [ + "lumqui" + ], + "rsa.counters.dclass_c1": 4319, + "rsa.counters.dclass_c1_str": "Occurrences", + "rsa.internal.event_desc": "Local:", + "rsa.internal.messageid": "Local:", + "rsa.network.alias_host": [ + "enima7673.api.localhost" + ], + "rsa.network.domain": "quiavolu6301.www5.localhost", + "rsa.time.endtime": "2016-12-23T14:09:07.000Z", + "rsa.time.event_time_str": "00:09:07", + "rsa.time.starttime": "2016-12-23T14:09:07.000Z", + "server.domain": "quiavolu6301.www5.localhost", + "service.type": "symantec", + "source.address": "sequ6424.www.invalid", + "source.ip": [ + "10.139.207.36" + ], + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "lumqui" + }, + { + "event.action": "Continue", + "event.code": "tion", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "January 6 07:11:41 ames645.mail.localhost SymantecServer: Site: https://example.org/tmo/onofdeF.txt?oremip=its#uptasnul,Server: aliqui7541.www5.localdomain,Domain: nse4444.www5.test,Admin: tlabo,501 ^^tatemse4493.mail.local^^lamco^^tion^^10.249.243.41^^ven^^mquisnos^^tnulapa7580.www.domain^^adeser^^uasiarc^^doeiu^^1483686701^^very-high^^uian^^atuserro^^madminim6826.www.host^^3^^onnumqua^^quioff^^iuntN^^ipis^^1483686701^^1483686701^^itautfu^^nesci^^5040^^mquis^^lorsi^^tetura^^eeufug^^edutper^^tevelite^^tocca^^orsitvol^^ntor^^oinBCSed^^oid^^rchit^^tasu^^obeatae^^1886^^midestl^^quatu^^1016^^mqu^^pteursi", + "file.name": "mquis", + "file.size": 1016, + "fileset.name": "endpointprotection", + "group.name": "adeser", + "host.hostname": "madminim6826.www.host", + "host.name": "tnulapa7580.www.domain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 8178, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "process.parent.name": "mquis", + "process.ppid": 5040, + "related.hosts": [ + "tnulapa7580.www.domain", + "madminim6826.www.host" + ], + "related.ip": [ + "10.249.243.41" + ], + "related.user": [ + "ven" + ], + "rsa.counters.dclass_c1": 1886, + "rsa.counters.dclass_c1_str": "No. of events repeated", + "rsa.internal.event_desc": "quioff", + "rsa.internal.messageid": "501", + "rsa.misc.action": [ + "Continue" + ], + "rsa.misc.group": "adeser", + "rsa.misc.param": "eeufug", + "rsa.misc.reference_id": "tion", + "rsa.misc.rule": "itautfu", + "rsa.misc.rule_name": "nesci", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "tnulapa7580.www.domain" + ], + "rsa.network.domain": "tatemse4493.mail.local", + "rsa.time.endtime": "2017-01-06T07:11:41.000Z", + "rsa.time.starttime": "2017-01-06T07:11:41.000Z", + "rule.name": "nesci", + "server.domain": "tatemse4493.mail.local", + "service.type": "symantec", + "source.address": "madminim6826.www.host", + "source.domain": "mquisnos", + "source.ip": [ + "10.249.243.41" + ], + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "ven" + }, + { + "event.code": "sequatD", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "January 20 14:14:16 laboree3880.api.invalid SymantecServer: Site: https://www5.example.com/stiaecon/usBono.html?itl=ttenb#olor,Server: quiav6648.lan,302449415 ^^eumfu2149.internal.home^^upidata^^ici182.invalid^^con^^tore^^sequatD^^ercitati^^1484921656^^low^^rinrep^^temse^^caecat4678.www.home^^tatemac^^quisn^^rem^^ulamcola^^remagnaa^^lamcolab^^ceroinB^^umqui^^citation^^temsequi^^mquia^^omnisi^^etMalor^^mco", + "fileset.name": "endpointprotection", + "group.name": "con", + "host.hostname": "caecat4678.www.home", + "host.name": "ici182.invalid", + "input.type": "log", + "log.level": "low", + "log.offset": 8786, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "ici182.invalid", + "caecat4678.www.home" + ], + "rsa.internal.event_desc": "rem", + "rsa.internal.messageid": "302449415", + "rsa.misc.event_source": "quisn", + "rsa.misc.group": "con", + "rsa.misc.reference_id": "sequatD", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "ici182.invalid" + ], + "rsa.network.domain": "eumfu2149.internal.home", + "server.domain": "eumfu2149.internal.home", + "service.type": "symantec", + "source.address": "caecat4678.www.home", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "aincidu", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "21:16:50 SymantecServer scipit730.api.example: eruntmo2894.mail.localdomain,\"[SID: natus] 302449410 ^^boreet2051.internal.localdomain^^iavo^^ore^^aincidu^^xerc^^1486156610^^very-high^^macc^^ria^^beat2952.internal.localhost^^uisau^^qua^^iarchite^^emsequi^^ueporroq^^ute^^mexer^^iam^^Bonoru^^rcitati^^nula^^ameaquei^^gnama^^esciun", + "fileset.name": "endpointprotection", + "host.hostname": "beat2952.internal.localhost", + "input.type": "log", + "log.level": "very-high", + "log.offset": 9195, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "beat2952.internal.localhost" + ], + "rsa.internal.event_desc": "iarchite", + "rsa.internal.messageid": "302449410", + "rsa.misc.event_source": "qua", + "rsa.misc.reference_id": "aincidu", + "rsa.misc.severity": "very-high", + "rsa.network.domain": "boreet2051.internal.localdomain", + "server.domain": "boreet2051.internal.localdomain", + "service.type": "symantec", + "source.address": "beat2952.internal.localhost", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "cul", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%SymantecEP: 302776321^^eleumi4584.www5.example^^imip7160.www.invalid^^uptateve^^ured3428.www.corp^^abo^^etMa^^cul^^iinea^^1487391564^^very-high^^ditau^^moenimip^^uames7663.internal.local^^lor^^oreeu^^taspe^^eritqui^^atquovol^^evel^^edol^^sequuntu^^quameius^^litse^^san^^apari^^iarchit^^sBonorum", + "fileset.name": "endpointprotection", + "group.name": "abo", + "host.hostname": "uames7663.internal.local", + "host.name": "ured3428.www.corp", + "input.type": "log", + "log.level": "very-high", + "log.offset": 9524, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "ured3428.www.corp", + "uames7663.internal.local" + ], + "rsa.internal.event_desc": "taspe", + "rsa.internal.messageid": "302776321", + "rsa.misc.event_source": "oreeu", + "rsa.misc.group": "abo", + "rsa.misc.reference_id": "cul", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "ured3428.www.corp" + ], + "rsa.network.domain": "imip7160.www.invalid", + "server.domain": "imip7160.www.invalid", + "service.type": "symantec", + "source.address": "uames7663.internal.local", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "itaspe", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "11:21:59 SymantecServer iutal3376.api.corp: Site: https://example.com/idexeac/ntu.txt?ctionofd=mpori#olupt,Server: ola3373.www5.domain,\"302449153 ^^qua948.mail.local^^tlaboru^^tec^^itaspe^^con^^1488626519^^high^^amremap^^antiu^^velillum6639.www5.local^^lapari^^Mal^^itinvo^^snulap^^cidu^^hilmol^^oluptate^^todi^^emvel^^pta^^dolo^^itaedi^^hend^^remagna", + "fileset.name": "endpointprotection", + "host.hostname": "velillum6639.www5.local", + "input.type": "log", + "log.level": "high", + "log.offset": 9820, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "velillum6639.www5.local" + ], + "rsa.internal.event_desc": "itinvo", + "rsa.internal.messageid": "302449153", + "rsa.misc.event_source": "Mal", + "rsa.misc.reference_id": "itaspe", + "rsa.misc.severity": "high", + "rsa.network.domain": "qua948.mail.local", + "server.domain": "qua948.mail.local", + "service.type": "symantec", + "source.address": "velillum6639.www5.local", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "onsec", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "March 18 18:24:33 dolo5649.www.corp SymantecServer: Site: https://example.org/tMal/porin.gif?isni=quid#aUten,Server: Duis3517.www5.invalid,Domain: conseq6079.www.corp,303235079 ^^tiu3570.www.invalid^^asper^^dictasun3408.internal.invalid^^secte^^ctobeat^^onsec^^idestl^^1489861473^^medium^^pid^^itanimi^^onoru5767.internal.domain^^eosqui^^dipisciv^^uam^^quis^^exe^^naa^^equat^^estiaec^^pitlabo^^tas^^rcitat^^ree^^itten^^quipexea", + "fileset.name": "endpointprotection", + "group.name": "secte", + "host.hostname": "onoru5767.internal.domain", + "host.name": "dictasun3408.internal.invalid", + "input.type": "log", + "log.level": "medium", + "log.offset": 10172, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "dictasun3408.internal.invalid", + "onoru5767.internal.domain" + ], + "rsa.internal.event_desc": "uam", + "rsa.internal.messageid": "303235079", + "rsa.misc.event_source": "dipisciv", + "rsa.misc.group": "secte", + "rsa.misc.reference_id": "onsec", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "dictasun3408.internal.invalid" + ], + "rsa.network.domain": "tiu3570.www.invalid", + "server.domain": "tiu3570.www.invalid", + "service.type": "symantec", + "source.address": "onoru5767.internal.domain", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "1281", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "April 2 01:27:07 ruredol1763.www.local SymantecServer: numq601.api.localhost,\"[SID: lapa] 1281 ^^emoenimi", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 10600, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.internal.event_desc": "emoenimi", + "rsa.internal.messageid": "1281", + "rsa.misc.reference_id": "1281", + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "destination.address": "tqui1142.www5.domain", + "destination.ip": [ + "10.209.205.25" + ], + "destination.mac": "01:00:5e:e5:88:35", + "destination.port": 4616, + "event.code": "uianonnu", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "08:29:41 SymantecServer olorsit6165.example: Site: https://www5.example.com/nturm/seq.html?dquia=ora#umfugiat,Server: quisnos7704.api.invalid,Domain: ite5245.mail.lan,The 306 ^^Duis583.api.local^^eavolupt^^uipe6805.www5.domain^^stenat^^uianonnu^^2001:db8::b810cc6d:451c392b^^2001:db8::4f2735dc:6d3ce756^^10.185.64.46^^10.209.205.25^^ptat^^saq^^1492331381^^high^^quame^^orumwri^^atisu6579.test^^rad^^iat^^tqui1142.www5.domain^^4^^2250^^4616^^2^^1492331381^^1492331381^^2536^^niam^^ivelitse^^tatis^^nula^^ptate^^volupta^^01:00:5e:2d:45:c3^^01:00:5e:e5:88:35^^uaerat^^iduntu^^samvol^^equa^^apari^^tsunt^^caecat^^uel^^fficiad^^teirured^^nostru^^rcit", + "fileset.name": "endpointprotection", + "group.name": "stenat", + "host.hostname": "atisu6579.test", + "host.name": "uipe6805.www5.domain", + "input.type": "log", + "log.level": "high", + "log.offset": 10706, + "network.application": "niam", + "network.direction": "outbound", + "network.protocol": "ICMP", + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "uipe6805.www5.domain", + "atisu6579.test", + "tqui1142.www5.domain" + ], + "related.ip": [ + "10.209.205.25", + "10.185.64.46" + ], + "related.user": [ + "iduntu" + ], + "rsa.counters.dclass_c1": 2536, + "rsa.counters.dclass_c1_str": "No. of attacks", + "rsa.internal.event_desc": "Block all other IP traffic and log", + "rsa.internal.messageid": "306", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.group": "stenat", + "rsa.misc.reference_id": "uianonnu", + "rsa.misc.rule": "tatis", + "rsa.misc.rule_name": "nula", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "uipe6805.www5.domain" + ], + "rsa.network.domain": "Duis583.api.local", + "rsa.network.host_dst": "tqui1142.www5.domain", + "rsa.network.zone": "uaerat", + "rsa.time.endtime": "2017-04-16T08:29:41.000Z", + "rsa.time.starttime": "2017-04-16T08:29:41.000Z", + "rule.name": "nula", + "server.domain": "Duis583.api.local", + "service.type": "symantec", + "source.address": "atisu6579.test", + "source.domain": "samvol", + "source.ip": [ + "10.185.64.46" + ], + "source.mac": "01:00:5e:2d:45:c3", + "source.port": 2250, + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "iduntu" + }, + { + "event.code": "catcupid", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%SymantecEP: 773^^catcupid^^ritquiin", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 11352, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.internal.event_desc": "ritquiin", + "rsa.internal.messageid": "773", + "rsa.misc.reference_id": "catcupid", + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "destination.address": "deomn904.www.home", + "destination.ip": [ + "10.35.89.51" + ], + "destination.mac": "01:00:5e:14:33:0e", + "destination.port": 3320, + "event.code": "setquas", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "May 14 22:34:50 eumfugia5915.internal.corp SymantecServer: Site: https://internal.example.net/uptat/toditau.htm?quuntur=olup#aeab,Server: uradipis4058.www.domain,Domain: uira3387.internal.localhost,242 ^^quinesc4724.www5.host^^ali^^udexerci6630.mail.test^^osqu^^ptatemse^^itationu^^setquas^^10.202.55.203^^10.35.89.51^^01:00:5e:5f:46:e1^^01:00:5e:14:33:0e^^ameaq^^Quis^^lupta^^1494801290^^very-high^^iav^^umiure^^isiut4530.localdomain^^imvenia^^culp^^deomn904.www.home^^2^^3^^eetdolor^^1494801290^^1494801290^^735^^tla^^iaconseq [Volume]: sed [Model]: sedd [Access]: atione^^tvolup^^oremeu^^lab^^lla^^urau^^aeca^^oNem^^itaedict^^eroi^^onemull^^mdo^^labore^^2001:db8::b54ff32d:af0de540^^2001:db8::11b63689:727d1f3e^^5757^^3320^^7756^^des^^4965^^https://www5.example.org/aliquaU/lits.html?atisetqu=squir#gnaaliq^^https://www.example.com/deriti/edictasu.htm?utlabore=edquiano#mSecti^^henderi^^1.7457^^uel", + "fileset.name": "endpointprotection", + "group.name": "osqu", + "host.hostname": "isiut4530.localdomain", + "host.name": "udexerci6630.mail.test", + "http.request.referrer": "https://www.example.com/deriti/edictasu.htm?utlabore=edquiano#mSecti", + "input.type": "log", + "log.level": "very-high", + "log.offset": 11389, + "network.application": "tla", + "network.direction": "outbound", + "network.protocol": "UDP", + "observer.product": "sedd", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "observer.version": "1.7457", + "related.hosts": [ + "udexerci6630.mail.test", + "isiut4530.localdomain", + "deomn904.www.home" + ], + "related.ip": [ + "10.202.55.203", + "10.35.89.51" + ], + "related.user": [ + "Quis" + ], + "rsa.counters.dclass_c1": 735, + "rsa.counters.dclass_c1_str": "No. of attacks", + "rsa.identity.accesses": "atione", + "rsa.internal.event_desc": "iaconseq", + "rsa.internal.messageid": "242", + "rsa.misc.group": "osqu", + "rsa.misc.policy_id": "uel", + "rsa.misc.reference_id": "setquas", + "rsa.misc.severity": "very-high", + "rsa.misc.sig_id": 7756, + "rsa.misc.sig_id1": 4965, + "rsa.misc.sig_id_str": "des", + "rsa.misc.version": "1.7457", + "rsa.network.alias_host": [ + "udexerci6630.mail.test" + ], + "rsa.network.domain": "quinesc4724.www5.host", + "rsa.network.host_dst": "deomn904.www.home", + "rsa.network.zone": "ameaq", + "rsa.storage.disk_volume": "sed", + "rsa.time.endtime": "2017-05-14T22:34:50.000Z", + "rsa.time.starttime": "2017-05-14T22:34:50.000Z", + "server.domain": "quinesc4724.www5.host", + "service.type": "symantec", + "source.address": "isiut4530.localdomain", + "source.domain": "lupta", + "source.ip": [ + "10.202.55.203" + ], + "source.mac": "01:00:5e:5f:46:e1", + "source.port": 5757, + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "url.original": "https://www5.example.org/aliquaU/lits.html?atisetqu=squir#gnaaliq", + "user.name": "Quis" + }, + { + "event.code": "Traffic", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "05:37:24 SymantecServer niamqui7696.mail.test: taliqu701.www.localhost,Category: umfugi,abor,\"Traffic Traffic Redirection disabled.,Event time: 2017-5-29 5:37:24", + "fileset.name": "endpointprotection", + "host.hostname": "taliqu701.www.localhost", + "host.name": "niamqui7696.mail.test", + "input.type": "log", + "log.offset": 12291, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "niamqui7696.mail.test", + "taliqu701.www.localhost" + ], + "rsa.internal.event_desc": "Traffic Redirection disabled.", + "rsa.internal.messageid": "Traffic", + "rsa.network.alias_host": [ + "niamqui7696.mail.test" + ], + "service.type": "symantec", + "source.address": "taliqu701.www.localhost", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.action": "Continue", + "event.code": "psum", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "June 12 12:39:58 aturve1922.internal.test SymantecServer: Site: https://internal.example.com/ore/lors.htm?fdeFi=ratv#veni,Server: metM4820.www.local,Domain: udanti6912.api.localhost,999 ^^cteturad6288.api.home^^nge^^psum^^10.139.89.148^^isnostru^^iad^^ngelits6213.internal.test^^orissusc^^utaliqui^^uov^^1497271198^^medium^^dipisc^^litsed^^lumd4298.mail.localdomain^^3^^iamquisn^^tamrem^^doloremi^^imadm^^1497271198^^1497271198^^ibus^^lumdol^^724^^onnu^^reprehe^^metMa^^emoen^^ptate^^mipsumqu^^turad^^dol^^ntutla^^des^^iciatis^^agn^^cul^^tate^^133^^ipisc^^iatnulap^^7662^^idents^^uine", + "file.name": "onnu", + "file.size": 7662, + "fileset.name": "endpointprotection", + "group.name": "orissusc", + "host.hostname": "lumd4298.mail.localdomain", + "host.name": "ngelits6213.internal.test", + "input.type": "log", + "log.level": "medium", + "log.offset": 12453, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "process.parent.name": "onnu", + "process.ppid": 724, + "related.hosts": [ + "ngelits6213.internal.test", + "lumd4298.mail.localdomain" + ], + "related.ip": [ + "10.139.89.148" + ], + "related.user": [ + "isnostru" + ], + "rsa.counters.dclass_c1": 133, + "rsa.counters.dclass_c1_str": "No. of events repeated", + "rsa.internal.event_desc": "tamrem", + "rsa.internal.messageid": "999", + "rsa.misc.action": [ + "Continue" + ], + "rsa.misc.group": "orissusc", + "rsa.misc.param": "emoen", + "rsa.misc.reference_id": "psum", + "rsa.misc.rule": "ibus", + "rsa.misc.rule_name": "lumdol", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "ngelits6213.internal.test" + ], + "rsa.network.domain": "cteturad6288.api.home", + "rsa.time.endtime": "2017-06-12T12:39:58.000Z", + "rsa.time.starttime": "2017-06-12T12:39:58.000Z", + "rule.name": "lumdol", + "server.domain": "cteturad6288.api.home", + "service.type": "symantec", + "source.address": "lumd4298.mail.localdomain", + "source.domain": "iad", + "source.ip": [ + "10.139.89.148" + ], + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "isnostru" + }, + { + "event.action": "Retry timestamp is equal or over the next schedule time, switching to regular schedule run.", + "event.code": "Retry", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "19:42:33 SymantecServer ction491.www5.local: Site: https://mail.example.net/ate/epteur.htm?ill=imveniam#sunte,Server: exerc121.www5.invalid,Domain: eir4356.www5.host,Admin: undeom,Retry timestamp is equal or over the next schedule time, switching to regular schedule run.", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 13038, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.internal.messageid": "Retry", + "rsa.misc.action": [ + "Retry timestamp is equal or over the next schedule time, switching to regular schedule run." + ], + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "destination.address": "uptate5787.api.local", + "destination.ip": [ + "10.87.92.95" + ], + "destination.mac": "01:00:5e:2c:5b:14", + "event.code": "ostrumex", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "July 11 02:45:07 issu1852.mail.local SymantecServer: atuse559.www.home,Category: tvo,ema,\"207 ^^uaera2917.internal.test^^iqua^^ciunt^^exea^^ostrumex^^10.247.21.74^^10.87.92.95^^01:00:5e:80:64:29^^01:00:5e:2c:5b:14^^nim^^Sedutper^^ati^^1499741107^^low^^teturad^^ritq^^tuserror810.www5.corp^^equamni^^fugia^^uptate5787.api.local^^0^^2^^suntincu^^1499741107^^1499741107^^7120^^isiutali^^mdolo^^nof^^usantiu^^periam^^remip^^dexea^^aturExc^^antiumto^^cto^^quamqua^^ulapari^^rittenby^^smoditem", + "fileset.name": "endpointprotection", + "host.hostname": "tuserror810.www5.corp", + "input.type": "log", + "log.level": "low", + "log.offset": 13310, + "network.application": "isiutali", + "network.direction": "Unknown", + "network.protocol": "TCP", + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "tuserror810.www5.corp", + "uptate5787.api.local" + ], + "related.ip": [ + "10.247.21.74", + "10.87.92.95" + ], + "related.user": [ + "Sedutper" + ], + "rsa.counters.dclass_c1": 7120, + "rsa.counters.dclass_c1_str": "No. of attacks", + "rsa.internal.event_desc": "mdolo", + "rsa.internal.messageid": "207", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.reference_id": "ostrumex", + "rsa.misc.severity": "low", + "rsa.network.domain": "uaera2917.internal.test", + "rsa.network.host_dst": "uptate5787.api.local", + "rsa.network.zone": "nim", + "rsa.time.endtime": "2017-07-11T02:45:07.000Z", + "rsa.time.starttime": "2017-07-11T02:45:07.000Z", + "server.domain": "uaera2917.internal.test", + "service.type": "symantec", + "source.address": "tuserror810.www5.corp", + "source.domain": "ati", + "source.ip": [ + "10.247.21.74" + ], + "source.mac": "01:00:5e:80:64:29", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "Sedutper" + }, + { + "event.code": "lorum", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%NICWIN-4-303235080_hen_Symantec AntiVirus: riameaqu^^etd4695.mail.lan^^conse^^ruredolo7392.internal.host^^olors^^roid^^lorum^^iin^^1500976061^^very-high^^lorsita^^naturaut^^mipsu3757.www5.home^^llu^^quaUt^^labor. oris^^tatemse^^uta^^tsun^^samvolu^^dip^^iquaUte^^remi^^modic^^uptatem^^olo^^tametc", + "fileset.name": "endpointprotection", + "group.name": "olors", + "host.hostname": "mipsu3757.www5.home", + "host.name": "ruredolo7392.internal.host", + "input.type": "log", + "log.level": "very-high", + "log.offset": 13798, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "ruredolo7392.internal.host", + "mipsu3757.www5.home" + ], + "rsa.db.index": "oris", + "rsa.internal.event_desc": "labor", + "rsa.internal.messageid": "303235080", + "rsa.misc.event_source": "quaUt", + "rsa.misc.group": "olors", + "rsa.misc.reference_id": "lorum", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "ruredolo7392.internal.host" + ], + "rsa.network.domain": "etd4695.mail.lan", + "server.domain": "etd4695.mail.lan", + "service.type": "symantec", + "source.address": "mipsu3757.www5.home", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "5378", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "16:50:15 SymantecServer iquam1090.api.local: Site: https://example.net/orumSect/preh.txt?iatisund=rnatu#atnonpro,Server: isu3102.mail.test,\"5378 ^^sed", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 14095, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.internal.event_desc": "sed", + "rsa.internal.messageid": "5378", + "rsa.misc.reference_id": "5378", + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "aturvel", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "23:52:50 SymantecServer prehen4320.api.home: umdolo988.api.corp,Category: eaco,empor,302449158 ^^mvele7557.corp^^Nequepor^^luptate^^aturvel^^ostrumex^^1503445970^^high^^sedquia^^litesse^^ntmo4076.lan^^olore^^ationula^^doconse^^volupta^^ptat^^oreverit^^nimides^^remipsum^^elit^^ites^^uptatema^^amali^^onula^^ostru", + "fileset.name": "endpointprotection", + "host.hostname": "ntmo4076.lan", + "input.type": "log", + "log.level": "high", + "log.offset": 14246, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "ntmo4076.lan" + ], + "rsa.internal.event_desc": "doconse", + "rsa.internal.messageid": "302449158", + "rsa.misc.event_source": "ationula", + "rsa.misc.reference_id": "aturvel", + "rsa.misc.severity": "high", + "rsa.network.domain": "mvele7557.corp", + "server.domain": "mvele7557.corp", + "service.type": "symantec", + "source.address": "ntmo4076.lan", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "5377", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "September 6 06:55:24 commod6637.api.host SymantecServer: Site: https://example.org/amestqu/aliqua.gif?teirure=dolorsi#dipisciv,Server: nsequun300.internal.lan,Domain: ngelitse7535.internal.lan,The 5377 ^^icta", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 14559, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.internal.event_desc": "icta", + "rsa.internal.messageid": "5377", + "rsa.misc.reference_id": "5377", + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "elit", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "13:57:58 SymantecServer lup5199.api.example: tectobe1414.www5.localhost,Category: illoin,rinre,\"302710785 ^^henderit3374.internal.invalid^^mquae^^amni48.internal.localdomain^^con^^enimadmi^^elit^^uia^^1505915878^^high^^oditautf^^nula^^alo6036.www5.local^^ntiumt^^mdolore^^ita^^aeratvol^^odite^^atn^^sectet^^boreetd^^ueporro^^cto^^essequa^^gnidolor^^itlabori^^amestqui", + "fileset.name": "endpointprotection", + "group.name": "con", + "host.hostname": "alo6036.www5.local", + "host.name": "amni48.internal.localdomain", + "input.type": "log", + "log.level": "high", + "log.offset": 14768, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "amni48.internal.localdomain", + "alo6036.www5.local" + ], + "rsa.internal.event_desc": "ita", + "rsa.internal.messageid": "302710785", + "rsa.misc.event_source": "mdolore", + "rsa.misc.group": "con", + "rsa.misc.reference_id": "elit", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "amni48.internal.localdomain" + ], + "rsa.network.domain": "henderit3374.internal.invalid", + "server.domain": "henderit3374.internal.invalid", + "service.type": "symantec", + "source.address": "alo6036.www5.local", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "ntutlab", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%NICWIN-4-303235082_turmag_Symantec AntiVirus: dutper^^ingelit3629.mail.domain^^ntin^^tenatus4129.www.local^^intocca^^equuntu^^ntutlab^^eaq^^1507150832^^high^^rcit^^secte^^uredo4613.home^^pitlabor^^upi^^olupta^^ape^^amestqu^^luptas^^ariatu^^psumqui^^trude^^ccusa^^ndeomni^^chite^^obeatae^^rehen", + "fileset.name": "endpointprotection", + "group.name": "intocca", + "host.hostname": "uredo4613.home", + "host.name": "tenatus4129.www.local", + "input.type": "log", + "log.level": "high", + "log.offset": 15136, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "tenatus4129.www.local", + "uredo4613.home" + ], + "rsa.internal.event_desc": "olupta", + "rsa.internal.messageid": "303235082", + "rsa.misc.event_source": "upi", + "rsa.misc.group": "intocca", + "rsa.misc.reference_id": "ntutlab", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "tenatus4129.www.local" + ], + "rsa.network.domain": "ingelit3629.mail.domain", + "server.domain": "ingelit3629.mail.domain", + "service.type": "symantec", + "source.address": "uredo4613.home", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "273", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "October 19 04:03:07 yCiceroi166.test SymantecServer: Site: https://www5.example.org/colab/itte.html?orumS=tesseq#exeacomm,Server: uptat982.localdomain,Domain: ptatema5373.www5.test,273 ^^tat", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 15431, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.internal.event_desc": "tat", + "rsa.internal.messageid": "273", + "rsa.misc.reference_id": "273", + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "nev", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%SymantecEP: 302452819^^ptassita3664.api.test^^uovo5035.api.example^^tNequ^^eca^^nev^^sequatu^^1509620741^^high^^iduntut^^admini^^mini3181.api.test^^iamqu^^ommodoc^^mwrit^^dminimve^^madminim^^onse^^ulap^^itaspe^^remagn^^iatisun^^lupta^^stena^^tquid^^liquaUt", + "fileset.name": "endpointprotection", + "host.hostname": "mini3181.api.test", + "input.type": "log", + "log.level": "high", + "log.offset": 15622, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "mini3181.api.test" + ], + "rsa.internal.event_desc": "mwrit", + "rsa.internal.messageid": "302452819", + "rsa.misc.event_source": "ommodoc", + "rsa.misc.reference_id": "nev", + "rsa.misc.severity": "high", + "rsa.network.domain": "uovo5035.api.example", + "server.domain": "uovo5035.api.example", + "service.type": "symantec", + "source.address": "mini3181.api.test", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "Commercial", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "18:08:15 SymantecServer rsitam2337.mail.localdomain: tquidolo6928.internal.corp,Category: eetdolo,issuscip,\"Commercial application detected,Computer name: iduntu7302.www.invalid,Detection type: medium,Application name: queip,Application type: nsequunt,Application version:1.3638,Hash type:ercitati,Application hash: lapa,Company name: enia,File size (bytes): 7843,Sensitivity: deserun,Detection score:ugia,Submission recommendation: isiuta,Permitted application reason: eFi,Source: elitsedd,Risk name: isqu,Occurrences: 7744,eumfu,\"remap\",Actual action: accept,Requested action: yCicero,Secondary action: dqui,Event time: 2017-11-16 6:08:15,Inserted: 2017-11-16 6:08:15,End: 2017-11-16 6:08:15,Domain: ema7531.api.example,\"Group: eiusm,Server: assit1598.www5.invalid,User: archite,Source computer: eruntm,Source IP: 10.8.143.229", + "file.name": "remap", + "file.size": 7843, + "fileset.name": "endpointprotection", + "group.name": "eiusm", + "host.hostname": "iduntu7302.www.invalid", + "host.name": "rsitam2337.mail.localdomain", + "input.type": "log", + "log.level": "medium", + "log.offset": 15880, + "network.application": "queip", + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "observer.version": "1.3638", + "process.name": "remap", + "related.hosts": [ + "rsitam2337.mail.localdomain", + "iduntu7302.www.invalid" + ], + "related.ip": [ + "10.8.143.229" + ], + "related.user": [ + "archite" + ], + "rsa.counters.dclass_c1": 7744, + "rsa.counters.dclass_c1_str": "Occurences.", + "rsa.crypto.crypto": "ercitati", + "rsa.internal.event_desc": "Commercial application detected", + "rsa.internal.messageid": "Commercial", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.checksum": "lapa", + "rsa.misc.disposition": "yCicero", + "rsa.misc.event_source": "elitsedd", + "rsa.misc.event_state": "dqui", + "rsa.misc.group": "eiusm", + "rsa.misc.obj_type": "nsequunt", + "rsa.misc.severity": "medium", + "rsa.misc.version": "1.3638", + "rsa.misc.virusname": "isqu", + "rsa.network.alias_host": [ + "assit1598.www5.invalid", + "rsitam2337.mail.localdomain" + ], + "rsa.network.domain": "ema7531.api.example", + "rsa.threat.threat_category": "isqu", + "rsa.time.endtime": "2017-11-16T08:08:15.000Z", + "rsa.time.recorded_time": "2017-11-16T08:08:15.000Z", + "server.domain": "ema7531.api.example", + "service.type": "symantec", + "source.address": "iduntu7302.www.invalid", + "source.ip": [ + "10.8.143.229" + ], + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "archite" + }, + { + "event.code": "magn", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "December 1 01:10:49 acomm6048.internal.host SymantecServer: liquid1981.www.home,\"[SID: sequatu] 302449178 ^^icero1297.internal.domain^^asun^^rsitam^^magn^^amcola^^1512090649^^medium^^sno^^stiaeco^^equu7361.www5.localdomain^^nto^^non^^pta^^asnul^^uirati^^chitect^^uam^^tisunde^^porr^^piscivel^^ueporr^^udex^^ipexeac^^uin", + "fileset.name": "endpointprotection", + "host.hostname": "equu7361.www5.localdomain", + "input.type": "log", + "log.level": "medium", + "log.offset": 16709, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "equu7361.www5.localdomain" + ], + "rsa.internal.event_desc": "pta", + "rsa.internal.messageid": "302449178", + "rsa.misc.event_source": "non", + "rsa.misc.reference_id": "magn", + "rsa.misc.severity": "medium", + "rsa.network.domain": "icero1297.internal.domain", + "server.domain": "icero1297.internal.domain", + "service.type": "symantec", + "source.address": "equu7361.www5.localdomain", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.action": "Block", + "event.code": "mdoloree", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "08:13:24 SymantecServer nsectetu3212.test: umdolo4405.local,Category: econ,equat,501 ^^bor5601.www.invalid^^animi^^mdoloree^^10.137.5.67^^taliqui^^doloremi^^uisno4545.www5.corp^^atisund^^isnostru^^quepo^^1513325604^^very-high^^nisi^^onsecte^^iono5777.invalid^^1^^Nequepo^^veleum^^eturad^^tor^^1513325604^^1513325604^^hender^^moditemp^^885^^ipsum^^com^^uptate^^tevelite^^cto^^borisn^^assitasp^^nima^^abore^^tur^^tlaboru^^erun^^mquid^^imipsamv^^3758^^totamrem^^eaqu^^5072^^uunturma^^namaliqu", + "file.name": "ipsum", + "file.size": 5072, + "fileset.name": "endpointprotection", + "group.name": "atisund", + "host.hostname": "iono5777.invalid", + "host.name": "uisno4545.www5.corp", + "input.type": "log", + "log.level": "very-high", + "log.offset": 17029, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "process.parent.name": "ipsum", + "process.ppid": 885, + "related.hosts": [ + "uisno4545.www5.corp", + "iono5777.invalid" + ], + "related.ip": [ + "10.137.5.67" + ], + "related.user": [ + "taliqui" + ], + "rsa.counters.dclass_c1": 3758, + "rsa.counters.dclass_c1_str": "No. of events repeated", + "rsa.internal.event_desc": "veleum", + "rsa.internal.messageid": "501", + "rsa.misc.action": [ + "Block" + ], + "rsa.misc.group": "atisund", + "rsa.misc.param": "tevelite", + "rsa.misc.reference_id": "mdoloree", + "rsa.misc.rule": "hender", + "rsa.misc.rule_name": "moditemp", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "uisno4545.www5.corp" + ], + "rsa.network.domain": "bor5601.www.invalid", + "rsa.time.endtime": "2017-12-15T08:13:24.000Z", + "rsa.time.starttime": "2017-12-15T08:13:24.000Z", + "rule.name": "moditemp", + "server.domain": "bor5601.www.invalid", + "service.type": "symantec", + "source.address": "iono5777.invalid", + "source.domain": "doloremi", + "source.ip": [ + "10.137.5.67" + ], + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "taliqui" + }, + { + "event.code": "5122", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "15:15:58 SymantecServer upidatat5004.internal.test: Site: https://example.com/tatem/umexe.gif?lor=busBo#turm,Server: quamei7815.api.home,Domain: qua6831.internal.test,Admin: xeacomm,5122 ^^oriosa", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 17519, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.internal.event_desc": "oriosa", + "rsa.internal.messageid": "5122", + "rsa.misc.reference_id": "5122", + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "4609", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "22:18:32 SymantecServer ecatcup2068.invalid: quinesc2102.www.invalid,Category: asiarch,tob,4609 ^^Sending Email Failed for following email address [tiae].", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 17715, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.email.email": [ + "tiae" + ], + "rsa.internal.event_desc": "Sending Email Failed", + "rsa.internal.messageid": "4609", + "rsa.misc.reference_id": "4609", + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "destination.address": "agnamali3222.example", + "destination.ip": [ + "10.66.203.117" + ], + "destination.mac": "01:00:5e:94:22:bc", + "event.code": "snisiut", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "January 27 05:21:06 ainci5661.internal.local SymantecServer: ntu1279.mail.lan,SHA-256:dut,MD-5:aecons,\"[SID: tionemu] 207 ^^edictasu3521.invalid^^eFini^^mnis^^tametco^^snisiut^^10.92.93.236^^10.66.203.117^^01:00:5e:54:c0:38^^01:00:5e:94:22:bc^^oloremag^^uisa^^umquidol^^1517030466^^medium^^erit^^uaea^^adminima6097.corp^^sitvolup^^tionem^^agnamali3222.example^^2^^2^^onsequ^^1517030466^^1517030466^^3168^^ehen^^remap^^mUt^^admi^^siarch^^oloremi^^ididu^^uov^^ncidid^^audantiu^^lmolest^^miurerep^^orsitame^^Sed", + "fileset.name": "endpointprotection", + "host.hostname": "adminima6097.corp", + "input.type": "log", + "log.level": "medium", + "log.offset": 17870, + "network.application": "ehen", + "network.direction": "outbound", + "network.protocol": "TCP", + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "adminima6097.corp", + "agnamali3222.example" + ], + "related.ip": [ + "10.66.203.117", + "10.92.93.236" + ], + "related.user": [ + "uisa" + ], + "rsa.counters.dclass_c1": 3168, + "rsa.counters.dclass_c1_str": "No. of attacks", + "rsa.internal.event_desc": "remap", + "rsa.internal.messageid": "207", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.checksum": "aecons", + "rsa.misc.reference_id": "snisiut", + "rsa.misc.severity": "medium", + "rsa.network.domain": "edictasu3521.invalid", + "rsa.network.host_dst": "agnamali3222.example", + "rsa.network.zone": "oloremag", + "rsa.time.endtime": "2018-01-27T05:21:06.000Z", + "rsa.time.starttime": "2018-01-27T05:21:06.000Z", + "server.domain": "edictasu3521.invalid", + "service.type": "symantec", + "source.address": "adminima6097.corp", + "source.domain": "umquidol", + "source.ip": [ + "10.92.93.236" + ], + "source.mac": "01:00:5e:54:c0:38", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "uisa" + }, + { + "event.code": "lmolest", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "February 10 12:23:41 cons4129.api.corp SymantecServer: Site: https://internal.example.org/ssecil/xplic.htm?cipitl=ame#tenat,Server: etur5170.mail.localdomain,Domain: oquisq4993.api.domain,302452807 ^^seosqui7376.internal.home^^edolori^^equ2353.internal.local^^utlab^^entoreve^^lmolest^^ser^^1518265421^^low^^autodita^^loreme^^eratv6521.example^^meaqu^^tlaboree^^dolorsi^^etdolore^^taevita^^rationev^^catcup^^ectetur^^cons^^spiciati^^upidata^^utlabo^^lillumq^^erc", + "fileset.name": "endpointprotection", + "group.name": "utlab", + "host.hostname": "eratv6521.example", + "host.name": "equ2353.internal.local", + "input.type": "log", + "log.level": "low", + "log.offset": 18379, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "equ2353.internal.local", + "eratv6521.example" + ], + "rsa.internal.event_desc": "dolorsi", + "rsa.internal.messageid": "302452807", + "rsa.misc.event_source": "tlaboree", + "rsa.misc.group": "utlab", + "rsa.misc.reference_id": "lmolest", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "equ2353.internal.local" + ], + "rsa.network.domain": "seosqui7376.internal.home", + "server.domain": "seosqui7376.internal.home", + "service.type": "symantec", + "source.address": "eratv6521.example", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "xcep", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "19:26:15 SymantecServer nonnumqu2938.mail.localdomain: Site: https://www5.example.net/uasiarch/tru.txt?eetdolo=erro#uptat,Server: con594.www5.home,Domain: ididu284.api.home,302776321 ^^pre865.www5.home^^prehe^^bori7611.invalid^^neavolu^^mexe^^xcep^^uscipi^^1519500375^^very-high^^tNeq^^nimi^^iset1992.internal.example^^sequu^^ffic^^imadmini^^isnostru^^ostr^^tinvo^^lorumwr^^iaco^^sumdol^^riat^^nim^^imven^^isci^^iusmo", + "fileset.name": "endpointprotection", + "group.name": "neavolu", + "host.hostname": "iset1992.internal.example", + "host.name": "bori7611.invalid", + "input.type": "log", + "log.level": "very-high", + "log.offset": 18842, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "bori7611.invalid", + "iset1992.internal.example" + ], + "rsa.internal.event_desc": "imadmini", + "rsa.internal.messageid": "302776321", + "rsa.misc.event_source": "ffic", + "rsa.misc.group": "neavolu", + "rsa.misc.reference_id": "xcep", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "bori7611.invalid" + ], + "rsa.network.domain": "pre865.www5.home", + "server.domain": "pre865.www5.home", + "service.type": "symantec", + "source.address": "iset1992.internal.example", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "No", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%NICWIN-4-No_bill_Symantec AntiVirus: No old risk events got swept.", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 19260, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.internal.event_desc": "No old risk events got swept.", + "rsa.internal.messageid": "No", + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "Cice", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "09:31:24 SymantecServer tsed6598.mail.test: scipit581.api.example,Category: mni,nti,302449413 ^^iste5901.mail.localhost^^exer^^paqui^^Cice^^liqui^^1521970284^^very-high^^Dui^^tam^^ntin2655.www.localdomain^^itation^^itasper^^epo^^mmodico^^moll^^meaqueip^^nculpaq^^mides^^iconseq^^nidolo^^runtmoll^^tuserror^^utlabo^^scip", + "fileset.name": "endpointprotection", + "host.hostname": "ntin2655.www.localdomain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 19328, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "ntin2655.www.localdomain" + ], + "rsa.internal.event_desc": "epo", + "rsa.internal.messageid": "302449413", + "rsa.misc.event_source": "itasper", + "rsa.misc.reference_id": "Cice", + "rsa.misc.severity": "very-high", + "rsa.network.domain": "iste5901.mail.localhost", + "server.domain": "iste5901.mail.localhost", + "service.type": "symantec", + "source.address": "ntin2655.www.localdomain", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "tati", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "16:33:58 SymantecServer utfugi6811.mail.host: Site: https://www.example.org/amqua/mavenia.txt?atnu=ssuscipi#evita,Server: tconsect7649.internal.domain,Domain: lors1204.corp,Admin: volupta,302449414 ^^dolor1769.lan^^dminimav^^odtem^^tati^^suscip^^1523205238^^high^^umqu^^ntexpli^^siuta395.home^^lorumwr^^fugiat^^iumdolor^^etcons^^aecatc^^agnaa^^minimven^^pisciv^^equamnih^^rationev^^etco^^usanti^^itessec^^dat", + "fileset.name": "endpointprotection", + "host.hostname": "siuta395.home", + "input.type": "log", + "log.level": "high", + "log.offset": 19648, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "siuta395.home" + ], + "rsa.internal.event_desc": "iumdolor", + "rsa.internal.messageid": "302449414", + "rsa.misc.event_source": "fugiat", + "rsa.misc.reference_id": "tati", + "rsa.misc.severity": "high", + "rsa.network.domain": "dolor1769.lan", + "server.domain": "dolor1769.lan", + "service.type": "symantec", + "source.address": "siuta395.home", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "Configuration", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "23:36:32 SymantecServer nimadmi5274.api.localdomain: Configuration Change..umdolore5014.api.lan..4/22/2018........low..oluptate..11:36:32 tcu..", + "fileset.name": "endpointprotection", + "host.hostname": "umdolore5014.api.lan", + "input.type": "log", + "log.level": "low", + "log.offset": 20057, + "observer.product": "oluptate", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "umdolore5014.api.lan" + ], + "rsa.internal.event_desc": "Configuration Change", + "rsa.internal.messageid": "Configuration", + "rsa.misc.severity": "low", + "service.type": "symantec", + "source.address": "umdolore5014.api.lan", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "2", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "06:39:06 SymantecServer ept2114.corp: tiumdo6437.internal.invalid,Category: ssusci,snostrud,\"2 ^^tisund4302.www5.local^^obeata796.www.localhost^^olo^^vel1911.lan^^10.147.225.53^^itaspern^^lupta^^dolor^^tNeque^^accept^^2018-05-07T06:39:06Z^^etdo^^edictas^^1554^^corpor^^urerepr", + "file.name": "corpor", + "fileset.name": "endpointprotection", + "host.hostname": "vel1911.lan", + "host.name": "tisund4302.www5.local", + "input.type": "log", + "log.offset": 20201, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "tisund4302.www5.local", + "vel1911.lan" + ], + "related.ip": [ + "10.147.225.53" + ], + "related.user": [ + "olo" + ], + "rsa.counters.dclass_c1": 1554, + "rsa.counters.dclass_c1_str": "Virus Count.", + "rsa.db.index": "dolor", + "rsa.internal.event_desc": "Security risk found", + "rsa.internal.messageid": "2", + "rsa.investigations.ec_activity": "Detect", + "rsa.investigations.ec_subject": "Virus", + "rsa.investigations.ec_theme": "TEV", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.disposition": "tNeque", + "rsa.misc.event_source": "itaspern", + "rsa.misc.virusname": "lupta", + "rsa.network.alias_host": [ + "tisund4302.www5.local" + ], + "rsa.network.domain": "obeata796.www.localhost", + "rsa.threat.threat_category": "lupta", + "rsa.time.recorded_time": "2018-05-07T06:39:06.000Z", + "server.domain": "obeata796.www.localhost", + "service.type": "symantec", + "source.address": "vel1911.lan", + "source.ip": [ + "10.147.225.53" + ], + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "olo" + }, + { + "event.code": "773", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%SymantecEP-ctetura: equamn6846.www5.invalid^^3210^^ssecillu^^773 ^^oeius", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 20478, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.internal.event_desc": "oeius", + "rsa.internal.messageid": "773", + "rsa.misc.reference_id": "773", + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "5377", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "20:44:15 SymantecServer pisci6637.www.test: Site: https://www.example.org/dolo/orem.html?elite=nde#iac,Server: turve824.mail.corp,Domain: llumquid5568.internal.host,5377 ^^adolors", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 20552, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.internal.event_desc": "adolors", + "rsa.internal.messageid": "5377", + "rsa.misc.reference_id": "5377", + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "citatio", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "03:46:49 SymantecServer nemulla5602.mail.localhost: 303169540 ^^emipsum4052.internal.invalid^^ciatisu^^evelites2448.www.host^^uid^^Bono^^citatio^^aliquide^^1529380009^^medium^^onsequa^^seddoe^^quisnost7124.api.domain^^tla^^uidexea^^odtem^^nvolupt^^stia^^neavolu^^tsedqui^^ueporroq^^writ^^ema^^ioffici^^agni^^tat^^metconse", + "fileset.name": "endpointprotection", + "group.name": "uid", + "host.hostname": "quisnost7124.api.domain", + "host.name": "evelites2448.www.host", + "input.type": "log", + "log.level": "medium", + "log.offset": 20732, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "evelites2448.www.host", + "quisnost7124.api.domain" + ], + "rsa.internal.event_desc": "odtem", + "rsa.internal.messageid": "303169540", + "rsa.misc.event_source": "uidexea", + "rsa.misc.group": "uid", + "rsa.misc.reference_id": "citatio", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "evelites2448.www.host" + ], + "rsa.network.domain": "emipsum4052.internal.invalid", + "server.domain": "emipsum4052.internal.invalid", + "service.type": "symantec", + "source.address": "quisnost7124.api.domain", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "destination.address": "edi6108.internal.domain", + "destination.ip": [ + "10.132.171.142" + ], + "destination.mac": "01:00:5e:5b:b9:9d", + "destination.port": 1953, + "event.code": "itaedi", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "10:49:23 SymantecServer riame5318.www5.example: Site: https://internal.example.com/itinvolu/urerepre.jpg?ditem=did#BCS,Server: idex58.api.host,Domain: iaturEx4974.api.localdomain,207 ^^ita2191.www5.invalid^^amquis^^iatquovo4868.test^^uraut^^reetdol^^umtotam^^itaedi^^10.72.200.11^^10.132.171.142^^01:00:5e:ef:6c:af^^01:00:5e:5b:b9:9d^^tsunti^^ero^^iusmodi^^1530614963^^high^^caecat^^oreetd^^madmi2948.internal.lan^^eleumiur^^ididun^^edi6108.internal.domain^^1^^3^^squa^^1530614963^^1530614963^^4662^^atisetq^^emagnama^^stqui^^itemp^^ipsa^^ipsumqui^^tisu^^nse^^sci^^itse^^tco^^nnumqua^^erit^^lorsitam^^2001:db8::325d4a06:86d5f940^^2001:db8::d5c0e730:7529c510^^4574^^1953^^7096^^quaera^^5100^^https://mail.example.com/ulamc/ncid.jpg?emipsu=icaboNem#Except^^https://internal.example.org/maliquam/mav.gif?ecill=ventore#imi^^uptatemU^^1.132^^liqua", + "fileset.name": "endpointprotection", + "group.name": "uraut", + "host.hostname": "madmi2948.internal.lan", + "host.name": "iatquovo4868.test", + "http.request.referrer": "https://internal.example.org/maliquam/mav.gif?ecill=ventore#imi", + "input.type": "log", + "log.level": "high", + "log.offset": 21054, + "network.application": "atisetq", + "network.direction": "inbound", + "network.protocol": "UDP", + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "observer.version": "1.132", + "related.hosts": [ + "iatquovo4868.test", + "madmi2948.internal.lan", + "edi6108.internal.domain" + ], + "related.ip": [ + "10.72.200.11", + "10.132.171.142" + ], + "related.user": [ + "ero" + ], + "rsa.counters.dclass_c1": 4662, + "rsa.counters.dclass_c1_str": "No. of attacks", + "rsa.internal.event_desc": "emagnama", + "rsa.internal.messageid": "207", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.group": "uraut", + "rsa.misc.policy_id": "liqua", + "rsa.misc.reference_id": "itaedi", + "rsa.misc.severity": "high", + "rsa.misc.sig_id": 7096, + "rsa.misc.sig_id1": 5100, + "rsa.misc.sig_id_str": "quaera", + "rsa.misc.version": "1.132", + "rsa.network.alias_host": [ + "iatquovo4868.test" + ], + "rsa.network.domain": "ita2191.www5.invalid", + "rsa.network.host_dst": "edi6108.internal.domain", + "rsa.network.zone": "tsunti", + "rsa.time.endtime": "2018-07-03T10:49:23.000Z", + "rsa.time.starttime": "2018-07-03T10:49:23.000Z", + "server.domain": "ita2191.www5.invalid", + "service.type": "symantec", + "source.address": "madmi2948.internal.lan", + "source.domain": "iusmodi", + "source.ip": [ + "10.72.200.11" + ], + "source.mac": "01:00:5e:ef:6c:af", + "source.port": 4574, + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "url.original": "https://mail.example.com/ulamc/ncid.jpg?emipsu=icaboNem#Except", + "user.name": "ero" + }, + { + "event.action": "cancel", + "event.code": "Application_45", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%NICWIN-4-Application_45_Symantec: Application,rn=nesciu cid=cer eid=molestia,volu Jul 17 17:51:58 2018,occ,Symantec AntiVirus,SYSTEM,Information,reverita794.mail.domain,ten. string-data=[ Scan type: cola Event: success Security risk detected: ame File: que Location: sect Computer: ing User: nis Action taken:cancel Date found: billoinv]", + "file.directory": "ame", + "file.name": "que", + "fileset.name": "endpointprotection", + "host.hostname": "reverita794.mail.domain", + "input.type": "log", + "log.offset": 21897, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "reverita794.mail.domain" + ], + "related.user": [ + "nis" + ], + "rsa.internal.event_desc": "ten", + "rsa.internal.messageid": "Application_45", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "cola", + "rsa.misc.msgIdPart1": "Application", + "rsa.misc.msgIdPart2": "45", + "rsa.misc.result": "success", + "service.type": "symantec", + "source.address": "reverita794.mail.domain", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "nis" + }, + { + "event.code": "siarchi", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "August 1 00:54:32 col6521.mail.domain SymantecServer: Site: https://mail.example.com/enby/teveli.html?dolor=CSedut#atatn,Server: utal7661.www.test,Domain: caecatcu5496.www.test,The 302452743 ^^tec4011.mail.home^^ate^^uptatem^^siarchi^^dminim^^1533084872^^very-high^^Nemo^^itse^^lillumq4387.www5.localhost^^Qui^^turExce^^sse^^quine^^utemvel^^exercita^^emaperi^^aspernat^^ddoei^^nihi^^umfu^^inesc^^uiavolu^^loremagn", + "fileset.name": "endpointprotection", + "host.hostname": "lillumq4387.www5.localhost", + "input.type": "log", + "log.level": "very-high", + "log.offset": 22236, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "lillumq4387.www5.localhost" + ], + "rsa.internal.event_desc": "sse", + "rsa.internal.messageid": "302452743", + "rsa.misc.event_source": "turExce", + "rsa.misc.reference_id": "siarchi", + "rsa.misc.severity": "very-high", + "rsa.network.domain": "tec4011.mail.home", + "server.domain": "tec4011.mail.home", + "service.type": "symantec", + "source.address": "lillumq4387.www5.localhost", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.action": "accept", + "event.code": "Application_45", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%NICWIN-4-Application_45_Symantec: Application,rn=nostru cid=edd eid=nisi,sciun Aug 15 07:57:06 2018,natuserr,Symantec AntiVirus,SYSTEM,Information,ipi563.api.lan,asnulap. string-data=[ Scan type: atnula Event: failure Security risk detected: dutpe File: modtem Location: eriameaq Computer: irured User: anti Action taken:accept Date found: tani]", + "file.directory": "dutpe", + "file.name": "modtem", + "fileset.name": "endpointprotection", + "host.hostname": "ipi563.api.lan", + "input.type": "log", + "log.offset": 22650, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "ipi563.api.lan" + ], + "related.user": [ + "anti" + ], + "rsa.internal.event_desc": "asnulap", + "rsa.internal.messageid": "Application_45", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "atnula", + "rsa.misc.msgIdPart1": "Application", + "rsa.misc.msgIdPart2": "45", + "rsa.misc.result": "failure", + "service.type": "symantec", + "source.address": "ipi563.api.lan", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "anti" + }, + { + "event.code": "Connection", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "14:59:40 SymantecServer uptatemU1147.mail.corp: mqu3327.internal.host,Category: plic,oremq,\"Connection reset", + "fileset.name": "endpointprotection", + "host.hostname": "mqu3327.internal.host", + "host.name": "uptatemU1147.mail.corp", + "input.type": "log", + "log.offset": 22997, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "uptatemU1147.mail.corp", + "mqu3327.internal.host" + ], + "rsa.internal.event_desc": "Connection reset.", + "rsa.internal.messageid": "Connection", + "rsa.network.alias_host": [ + "uptatemU1147.mail.corp" + ], + "rsa.time.event_time_str": "14:59:40", + "service.type": "symantec", + "source.address": "mqu3327.internal.host", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "olori", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "22:02:15 SymantecServer remape5128.internal.home: Site: https://www5.example.org/eosq/tanimi.htm?lumdolo=volu#eser,Server: quisn1387.invalid,302452736 ^^sit3373.api.localdomain^^isnos^^emp42.mail.test^^ipisc^^roinB^^olori^^omm^^1536789735^^medium^^rissus^^abo^^ecatcupi4759.internal.local^^atevelit^^tenb^^ritati^^architec^^era^^ptatem^^remaperi^^isi^^ssecill^^tisetq^^mmodico^^mquae^^sunde^^sum", + "fileset.name": "endpointprotection", + "group.name": "ipisc", + "host.hostname": "ecatcupi4759.internal.local", + "host.name": "emp42.mail.test", + "input.type": "log", + "log.level": "medium", + "log.offset": 23106, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "emp42.mail.test", + "ecatcupi4759.internal.local" + ], + "rsa.internal.event_desc": "ritati", + "rsa.internal.messageid": "302452736", + "rsa.misc.event_source": "tenb", + "rsa.misc.group": "ipisc", + "rsa.misc.reference_id": "olori", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "emp42.mail.test" + ], + "rsa.network.domain": "sit3373.api.localdomain", + "server.domain": "sit3373.api.localdomain", + "service.type": "symantec", + "source.address": "ecatcupi4759.internal.local", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "5377", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "September 27 05:04:49 tatema826.www.localhost SymantecServer: mco1751.www.localdomain,SHA-256:tation,MD-5:tot,\"[SID: veleumi] 5377 ^^iumt", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 23502, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.internal.event_desc": "iumt", + "rsa.internal.messageid": "5377", + "rsa.misc.checksum": "tot", + "rsa.misc.reference_id": "5377", + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "olesti", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "October 11 12:07:23 sciun6000.www.test SymantecServer: dictasu7340.internal.invalid,\"[SID: Cicero] 302450944 ^^antiu4203.www.host^^asnulapa^^hende^^olesti^^ntmolli^^1539259643^^low^^eufu^^tame^^ipsu7538.www5.host^^acom^^lamc^^squa^^Cic^^aturveli^^lica^^Exc^^amvolup^^velill^^oidentsu^^uaea^^rehender^^rep^^iusmod", + "fileset.name": "endpointprotection", + "host.hostname": "ipsu7538.www5.host", + "input.type": "log", + "log.level": "low", + "log.offset": 23640, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "ipsu7538.www5.host" + ], + "rsa.internal.event_desc": "squa", + "rsa.internal.messageid": "302450944", + "rsa.misc.event_source": "lamc", + "rsa.misc.reference_id": "olesti", + "rsa.misc.severity": "low", + "rsa.network.domain": "antiu4203.www.host", + "server.domain": "antiu4203.www.host", + "service.type": "symantec", + "source.address": "ipsu7538.www5.host", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "257", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "19:09:57 SymantecServer aevitaed6618.localhost: labor3547.www5.localhost,\"[SID: erci] 257 ^^quovolup", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 23953, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.internal.event_desc": "quovolup", + "rsa.internal.messageid": "257", + "rsa.misc.reference_id": "257", + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "destination.address": "dita2048.www5.home", + "destination.ip": [ + "10.171.13.85" + ], + "destination.mac": "01:00:5e:31:f2:97", + "destination.port": 5002, + "event.code": "onse", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "November 9 02:12:32 tlaborio5210.www5.lan SymantecServer: seq3479.internal.domain,SHA-256:uto,MD-5:eetdo,\"[SID: untincul] 301 ^^upta3770.internal.localhost^^ore^^onse^^10.40.133.90^^10.171.13.85^^tateveli^^sequatu^^1541729552^^medium^^dex^^rsintocc^^iusmo5734.internal.invalid^^tion^^itae^^dita2048.www5.home^^4^^1467^^5002^^1^^1541729552^^1541729552^^5934^^usci^^3^^rittenby^^Block all other IP traffic and log^^gni^^ritq^^01:00:5e:57:68:87^^01:00:5e:31:f2:97^^mqu^^bor^^piscinge^^ectobe^^uisaute^^orema^^poris^^uptat^^colabor^^bor^^sequ^^noru", + "fileset.name": "endpointprotection", + "host.hostname": "iusmo5734.internal.invalid", + "input.type": "log", + "log.level": "medium", + "log.offset": 24054, + "network.application": "usci", + "network.direction": "inbound", + "network.protocol": "ICMP", + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "iusmo5734.internal.invalid", + "dita2048.www5.home" + ], + "related.ip": [ + "10.171.13.85", + "10.40.133.90" + ], + "related.user": [ + "bor" + ], + "rsa.counters.dclass_c1": 5934, + "rsa.counters.dclass_c1_str": "No. of attacks", + "rsa.internal.event_desc": "Block all other IP traffic and log", + "rsa.internal.messageid": "301", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.checksum": "eetdo", + "rsa.misc.reference_id": "onse", + "rsa.misc.rule": "rittenby", + "rsa.misc.rule_name": "Block all other IP traffic and log", + "rsa.misc.severity": "medium", + "rsa.network.domain": "upta3770.internal.localhost", + "rsa.network.host_dst": "dita2048.www5.home", + "rsa.network.zone": "mqu", + "rsa.time.endtime": "2018-11-09T02:12:32.000Z", + "rsa.time.starttime": "2018-11-09T02:12:32.000Z", + "rule.name": "Block all other IP traffic and log", + "server.domain": "upta3770.internal.localhost", + "service.type": "symantec", + "source.address": "iusmo5734.internal.invalid", + "source.domain": "piscinge", + "source.ip": [ + "10.40.133.90" + ], + "source.mac": "01:00:5e:57:68:87", + "source.port": 1467, + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "bor" + }, + { + "event.code": "Retry", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "November 23 09:15:06 cons392.domain SymantecServer: Site: https://www.example.com/aecatcu/sed.html?eroi=snu#tconsect,Server: stru3362.corp,\"Retry timestamp is over the maximum retry window, switching to regular schedule run.", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 24599, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.internal.event_desc": "Retry.", + "rsa.internal.messageid": "Retry", + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "abi", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "16:17:40 SymantecServer tionevol7606.www.localhost: Site: https://api.example.net/sunti/dipiscin.htm?ovolup=olest#veniamq,Server: uisno561.internal.home,\"302452816 ^^omm3591.internal.invalid^^edq^^ngelits2743.www5.host^^incidunt^^tatnonp^^abi^^nimave^^1544199460^^high^^idexeaco^^siu^^inrepr7369.www.domain^^ore^^lore^^tatemac^^tamet^^laparia^^quid^^ehen^^eseru^^aperiam^^uioffic^^atis^^ectobe^^rehender^^corpori", + "fileset.name": "endpointprotection", + "group.name": "incidunt", + "host.hostname": "inrepr7369.www.domain", + "host.name": "ngelits2743.www5.host", + "input.type": "log", + "log.level": "high", + "log.offset": 24824, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "ngelits2743.www5.host", + "inrepr7369.www.domain" + ], + "rsa.internal.event_desc": "tatemac", + "rsa.internal.messageid": "302452816", + "rsa.misc.event_source": "lore", + "rsa.misc.group": "incidunt", + "rsa.misc.reference_id": "abi", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "ngelits2743.www5.host" + ], + "rsa.network.domain": "omm3591.internal.invalid", + "server.domain": "omm3591.internal.invalid", + "service.type": "symantec", + "source.address": "inrepr7369.www.domain", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "fdeFi", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "December 21 23:20:14 cons7043.api.lan SymantecServer: Site: https://api.example.net/utlab/hilm.txt?lor=untutla#ons,Server: uam6380.internal.lan,302452808 ^^sed1665.internal.local^^rainci^^olupt717.invalid^^iano^^dexerci^^fdeFi^^tlabori^^1545434414^^very-high^^ritquiin^^untutl^^alorum1804.mail.test^^sequatur^^psum^^ano^^ame^^cipitlab^^venia^^rroquis^^tisu^^ratione^^aturvel^^Neque^^ueipsa^^assit^^ffici", + "fileset.name": "endpointprotection", + "group.name": "iano", + "host.hostname": "alorum1804.mail.test", + "host.name": "olupt717.invalid", + "input.type": "log", + "log.level": "very-high", + "log.offset": 25237, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "olupt717.invalid", + "alorum1804.mail.test" + ], + "rsa.internal.event_desc": "ano", + "rsa.internal.messageid": "302452808", + "rsa.misc.event_source": "psum", + "rsa.misc.group": "iano", + "rsa.misc.reference_id": "fdeFi", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "olupt717.invalid" + ], + "rsa.network.domain": "sed1665.internal.local", + "server.domain": "sed1665.internal.local", + "service.type": "symantec", + "source.address": "alorum1804.mail.test", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.action": "block", + "event.code": "Application_45", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%NICWIN-4-Application_45_Symantec: Application,rn=itquii cid=umdolore eid=iuntNequ,corp Jan 5 06:22:49 2019,trudexe,Symantec AntiVirus,SYSTEM,Information,queporr7029.internal.test,quidex. string-data=[ Scan type: iatqu Event: unknown Security risk detected: ips File: modo Location: ela Computer: con User: unti Action taken:block Date found: tcupidat]", + "file.directory": "ips", + "file.name": "modo", + "fileset.name": "endpointprotection", + "host.hostname": "queporr7029.internal.test", + "input.type": "log", + "log.offset": 25641, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "queporr7029.internal.test" + ], + "related.user": [ + "unti" + ], + "rsa.internal.event_desc": "quidex", + "rsa.internal.messageid": "Application_45", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "iatqu", + "rsa.misc.msgIdPart1": "Application", + "rsa.misc.msgIdPart2": "45", + "rsa.misc.result": "unknown", + "service.type": "symantec", + "source.address": "queporr7029.internal.test", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "unti" + }, + { + "event.code": "5121", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "13:25:23 SymantecServer veli765.www.corp: Site: https://www.example.net/queip/antiu.txt?nisiuta=cipitla#ditautf,Server: oluptasn909.www5.example,Domain: imadm2803.api.local,Admin: eet,5121 ^^onpro", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 25994, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.internal.event_desc": "onpro", + "rsa.internal.messageid": "5121", + "rsa.misc.reference_id": "5121", + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "destination.address": "urExcep6087.www5.localhost", + "destination.ip": [ + "10.155.163.6" + ], + "destination.mac": "01:00:5e:e9:19:80", + "destination.port": 558, + "event.code": "iadol", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%SymantecEP: 302^^exea6833.www.example^^ictas1247.www5.example^^incul^^iadol^^10.31.231.57^^10.155.163.6^^que^^urQui^^1549139277^^low^^taliquip^^maliquam^^upidat1328.internal.localhost^^odico^^sistenat^^urExcep6087.www5.localhost^^1^^6324^^558^^1^^1549139277^^1549139277^^2952^^mqu^^doloremq^^velil^^mdolo^^poris^^amvo^^01:00:5e:fc:5b:c7^^01:00:5e:e9:19:80^^imv^^norumetM^^iac^^itessequ^^iaturExc^^orsit^^tamrema^^eos^^quameius^^ciati^^nemullam^^sequu", + "fileset.name": "endpointprotection", + "host.hostname": "upidat1328.internal.localhost", + "input.type": "log", + "log.level": "low", + "log.offset": 26191, + "network.application": "mqu", + "network.direction": "inbound", + "network.protocol": "Others", + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "upidat1328.internal.localhost", + "urExcep6087.www5.localhost" + ], + "related.ip": [ + "10.155.163.6", + "10.31.231.57" + ], + "related.user": [ + "norumetM" + ], + "rsa.counters.dclass_c1": 2952, + "rsa.counters.dclass_c1_str": "No. of attacks", + "rsa.internal.event_desc": "Block Local File Sharing to external computers", + "rsa.internal.messageid": "302", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.reference_id": "iadol", + "rsa.misc.rule": "velil", + "rsa.misc.rule_name": "mdolo", + "rsa.misc.severity": "low", + "rsa.network.domain": "ictas1247.www5.example", + "rsa.network.host_dst": "urExcep6087.www5.localhost", + "rsa.network.zone": "imv", + "rsa.time.endtime": "2019-02-02T20:27:57.000Z", + "rsa.time.starttime": "2019-02-02T20:27:57.000Z", + "rule.name": "mdolo", + "server.domain": "ictas1247.www5.example", + "service.type": "symantec", + "source.address": "upidat1328.internal.localhost", + "source.domain": "iac", + "source.ip": [ + "10.31.231.57" + ], + "source.mac": "01:00:5e:fc:5b:c7", + "source.port": 6324, + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "norumetM" + }, + { + "event.code": "4097", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%SymantecEP-eleumiur: chite5632.test^^1981^^etc^^4097 ^^lorem", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 26643, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.internal.event_desc": "lorem", + "rsa.internal.messageid": "4097", + "rsa.misc.reference_id": "4097", + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "alorum", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "10:33:06 SymantecServer mveleum2688.api.host: 302452816 ^^nisiut1750.internal.invalid^^oen^^tsunti^^alorum^^aeratvo^^1551609186^^high^^les^^paquioff^^tesseci33.internal.example^^Bonorum^^met^^nost^^sequa^^dquiaco^^mmodoco^^emagn^^susci^^eursin^^siutali^^osa^^olabor^^ent^^secil", + "fileset.name": "endpointprotection", + "host.hostname": "tesseci33.internal.example", + "input.type": "log", + "log.level": "high", + "log.offset": 26705, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "tesseci33.internal.example" + ], + "rsa.internal.event_desc": "nost", + "rsa.internal.messageid": "302452816", + "rsa.misc.event_source": "met", + "rsa.misc.reference_id": "alorum", + "rsa.misc.severity": "high", + "rsa.network.domain": "nisiut1750.internal.invalid", + "server.domain": "nisiut1750.internal.invalid", + "service.type": "symantec", + "source.address": "tesseci33.internal.example", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "esciu", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "17:35:40 SymantecServer stiaecon2284.www5.host: Site: https://internal.example.net/agnama/commodi.gif?snost=nsequun#quovo,Server: amquaera63.www5.lan,Domain: audant2228.invalid,302452736 ^^ptasnula2158.internal.host^^uptasnul^^redol^^esciu^^dolorinr^^1552844140^^very-high^^auto^^edquian^^alo7567.www5.test^^umquid^^proident^^quisnos^^umet^^nima^^aria^^ugi^^econ^^aaliquaU^^sitvol^^temse^^henderi^^Sedu^^dolore", + "fileset.name": "endpointprotection", + "host.hostname": "alo7567.www5.test", + "input.type": "log", + "log.level": "very-high", + "log.offset": 26983, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "alo7567.www5.test" + ], + "rsa.internal.event_desc": "quisnos", + "rsa.internal.messageid": "302452736", + "rsa.misc.event_source": "proident", + "rsa.misc.reference_id": "esciu", + "rsa.misc.severity": "very-high", + "rsa.network.domain": "ptasnula2158.internal.host", + "server.domain": "ptasnula2158.internal.host", + "service.type": "symantec", + "source.address": "alo7567.www5.test", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "275", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "00:38:14 SymantecServer metMal6112.mail.test: Site: https://api.example.net/orsit/ntium.html?rudexer=Exc#atvol,Server: onse3264.example,Domain: scingeli5972.invalid,The 275 ^^The process sumq.exe can not lock the process status table. The process status has been locked by the server idest4209.api.domain (mdolorem) since 2019-04-01T00:38:14Z.", + "fileset.name": "endpointprotection", + "host.hostname": "idest4209.api.domain", + "input.type": "log", + "log.offset": 27394, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "process.name": "sumq.exe", + "related.hosts": [ + "idest4209.api.domain" + ], + "rsa.internal.event_desc": "The process can not lock the process status table", + "rsa.internal.messageid": "275", + "rsa.misc.reference_id": "275", + "rsa.time.recorded_time": "2019-04-01T00:38:14.000Z", + "service.type": "symantec", + "source.address": "idest4209.api.domain", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "destination.address": "its1301.www.test", + "destination.ip": [ + "10.134.6.246" + ], + "destination.mac": "01:00:5e:db:43:45", + "destination.port": 998, + "event.code": "animid", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "April 15 07:40:49 amqu4988.www5.example SymantecServer: Site: https://www5.example.net/scinge/ofde.html?oinvento=amcorpor#sumqu,Server: sundeomn1396.mail.corp,Domain: odiconse1995.www.home,The 301 ^^emvel4391.localhost^^quelaud^^exer3621.www5.test^^uaerat^^animid^^2001:db8::dc285270:4466123b^^2001:db8::3d31ae1d:efe5bf87^^10.216.134.62^^10.134.6.246^^rnatu^^ico^^1555314049^^medium^^urQuis^^umetMa^^tisetqua6007.api.home^^dun^^nonpro^^its1301.www.test^^1^^6252^^998^^2^^1555314049^^1555314049^^4304^^quuntu^^0^^uaera^^iatisund^^ist^^equatur^^01:00:5e:78:f9:ee^^01:00:5e:db:43:45^^oin^^ntexpl^^oquisqua^^ovo^^lupta^^stenatus^^tiumtota^^itation^^eturad^^rumS^^nihil^^psu", + "fileset.name": "endpointprotection", + "group.name": "uaerat", + "host.hostname": "tisetqua6007.api.home", + "host.name": "exer3621.www5.test", + "input.type": "log", + "log.level": "medium", + "log.offset": 27738, + "network.application": "quuntu", + "network.direction": "outbound", + "network.protocol": "Others", + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "exer3621.www5.test", + "tisetqua6007.api.home", + "its1301.www.test" + ], + "related.ip": [ + "10.134.6.246", + "10.216.134.62" + ], + "related.user": [ + "ntexpl" + ], + "rsa.counters.dclass_c1": 4304, + "rsa.counters.dclass_c1_str": "No. of attacks", + "rsa.internal.messageid": "301", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.group": "uaerat", + "rsa.misc.reference_id": "animid", + "rsa.misc.rule": "uaera", + "rsa.misc.rule_name": "iatisund", + "rsa.misc.severity": "medium", + "rsa.network.alias_host": [ + "exer3621.www5.test" + ], + "rsa.network.domain": "emvel4391.localhost", + "rsa.network.host_dst": "its1301.www.test", + "rsa.network.zone": "oin", + "rsa.time.endtime": "2019-04-15T07:40:49.000Z", + "rsa.time.starttime": "2019-04-15T07:40:49.000Z", + "rule.name": "iatisund", + "server.domain": "emvel4391.localhost", + "service.type": "symantec", + "source.address": "tisetqua6007.api.home", + "source.domain": "oquisqua", + "source.ip": [ + "10.216.134.62" + ], + "source.mac": "01:00:5e:78:f9:ee", + "source.port": 6252, + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "ntexpl" + }, + { + "destination.ip": [ + "10.202.96.232" + ], + "destination.port": 5074, + "event.code": "Remote:", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "Apr 29 2:43:23 ventorev7571.www5.corp SymantecServer: Site: https://www5.example.com/quamni/ents.gif?leum=olabor#modte,Server: uianonn4552.internal.invalid,Domain: quaUteni2026.lan,Remote: , Remote: untmoll,Remote: 10.202.96.232,Remote: ngeli,Unknown,OTHERS,,Begin: 2019-4-29 2:43:23,End: 2019-4-29 2:43:23,Occurrences: 569,Application: exerc,Location: boNemo,User: nat,Domain: atnu2000.internal.corp,Local Port 4012,Remote Port 5074,CIDS Signature ID: 5057,CIDS Signature string: tobe,CIDS Signature SubID: equep,Intrusion URL:https://internal.example.com/umiu/veritat.jpg?conse=equamni#ursin,Intrusion Payload URL:orissus", + "fileset.name": "endpointprotection", + "host.hostname": "Remote:", + "host.name": "ventorev7571.www5.corp", + "input.type": "log", + "log.offset": 28408, + "network.application": "exerc", + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "ventorev7571.www5.corp", + "Remote:" + ], + "related.ip": [ + "10.202.96.232" + ], + "related.user": [ + "nat" + ], + "rsa.counters.dclass_c1": 569, + "rsa.counters.dclass_c1_str": "Occurences", + "rsa.internal.messageid": "Remote:", + "rsa.misc.sig_id": 5057, + "rsa.misc.sig_id_str": "tobe", + "rsa.network.alias_host": [ + "ventorev7571.www5.corp" + ], + "rsa.network.domain": "atnu2000.internal.corp", + "rsa.time.endtime": "2019-04-29T04:43:23.000Z", + "rsa.time.starttime": "2019-04-29T04:43:23.000Z", + "server.domain": "atnu2000.internal.corp", + "service.type": "symantec", + "source.address": "Remote:", + "source.port": 4012, + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "url.original": "https://internal.example.com/umiu/veritat.jpg?conse=equamni#ursin", + "user.name": "nat" + }, + { + "event.code": "sequat", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "21:45:57 SymantecServer uelaud897.mail.example: Site: https://example.org/etcon/its.html?imven=eddoeius#eniamqu,Server: mdoloree4076.lan,\"302449156 ^^uamestqu7272.internal.host^^ectetur^^umSectio5136.www.local^^omn^^imidestl^^sequat^^lmol^^1557783957^^very-high^^olorinre^^quiacons^^untexpli391.internal.domain^^Finibus^^num^^ipitlabo^^sumqu^^epreh^^urs^^stquidol^^doconse^^taspern^^cit^^isautemv^^tatemse^^uradi^^velit", + "fileset.name": "endpointprotection", + "group.name": "omn", + "host.hostname": "untexpli391.internal.domain", + "host.name": "umSectio5136.www.local", + "input.type": "log", + "log.level": "very-high", + "log.offset": 29032, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "umSectio5136.www.local", + "untexpli391.internal.domain" + ], + "rsa.internal.event_desc": "ipitlabo", + "rsa.internal.messageid": "302449156", + "rsa.misc.event_source": "num", + "rsa.misc.group": "omn", + "rsa.misc.reference_id": "sequat", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "umSectio5136.www.local" + ], + "rsa.network.domain": "uamestqu7272.internal.host", + "server.domain": "uamestqu7272.internal.host", + "service.type": "symantec", + "source.address": "untexpli391.internal.domain", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "destination.address": "quipex2615.www5.localhost", + "destination.ip": [ + "10.29.149.77" + ], + "destination.mac": "01:00:5e:96:a7:ec", + "destination.port": 5823, + "event.code": "quis", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "04:48:31 SymantecServer reetdo5853.test: entsun4896.www5.localdomain,Category: uepo,eomni,\"308 ^^cepteur6876.internal.host^^iutaliq^^quide2790.mail.invalid^^epre^^quis^^2001:db8::7d97d66e:3eeaa2cc^^2001:db8::81638ee3:4962a1e4^^10.56.95.160^^10.29.149.77^^siutaliq^^liquaUt^^1559018911^^low^^modo^^sequ^^eniamqu1863.api.lan^^utal^^maccusa^^quipex2615.www5.localhost^^3^^2305^^5823^^1^^1559018911^^1559018911^^3992^^Section^^ididunt^^luptatem^^Block all other IP traffic and log^^onofdeFi^^xeacom^^01:00:5e:9f:99:04^^01:00:5e:96:a7:ec^^aveni^^rema^^nby^^nofde^^ritinvol^^mSecti^^tionula^^adolors^^cididunt^^dolore^^sunte^^imadm", + "fileset.name": "endpointprotection", + "group.name": "epre", + "host.hostname": "eniamqu1863.api.lan", + "host.name": "quide2790.mail.invalid", + "input.type": "log", + "log.level": "low", + "log.offset": 29452, + "network.application": "Section", + "network.direction": "inbound", + "network.protocol": "UDP", + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "quide2790.mail.invalid", + "eniamqu1863.api.lan", + "quipex2615.www5.localhost" + ], + "related.ip": [ + "10.56.95.160", + "10.29.149.77" + ], + "related.user": [ + "rema" + ], + "rsa.counters.dclass_c1": 3992, + "rsa.counters.dclass_c1_str": "No. of attacks", + "rsa.internal.event_desc": "Block all other IP traffic and log", + "rsa.internal.messageid": "308", + "rsa.investigations.ec_activity": "Deny", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.group": "epre", + "rsa.misc.reference_id": "quis", + "rsa.misc.rule": "luptatem", + "rsa.misc.rule_name": "Block all other IP traffic and log", + "rsa.misc.severity": "low", + "rsa.network.alias_host": [ + "quide2790.mail.invalid" + ], + "rsa.network.domain": "cepteur6876.internal.host", + "rsa.network.host_dst": "quipex2615.www5.localhost", + "rsa.network.zone": "aveni", + "rsa.time.endtime": "2019-05-28T04:48:31.000Z", + "rsa.time.starttime": "2019-05-28T04:48:31.000Z", + "rule.name": "Block all other IP traffic and log", + "server.domain": "cepteur6876.internal.host", + "service.type": "symantec", + "source.address": "eniamqu1863.api.lan", + "source.domain": "nby", + "source.ip": [ + "10.56.95.160" + ], + "source.mac": "01:00:5e:9f:99:04", + "source.port": 2305, + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "rema" + }, + { + "destination.address": "remipsum5485.api.local", + "destination.ip": [ + "10.173.98.74" + ], + "destination.mac": "01:00:5e:f3:43:d1", + "destination.port": 5161, + "event.code": "lit", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "11:51:06 SymantecServer uscipitl2176.api.test: Site: https://mail.example.com/peria/nculpaq.gif?roquisqu=acommod#eetd,Server: orin7130.www5.test,Domain: ratione4963.www.example,301 ^^tationul5346.internal.localdomain^^edquiano^^ugia146.www5.corp^^uisnostr^^lit^^2001:db8::f3063373:92b97c88^^2001:db8::5b387f17:aa0c6698^^10.70.185.238^^10.173.98.74^^orsitame^^quame^^1560253866^^high^^tempora^^liquip^^tionul7555.www5.lan^^cin^^itsedqu^^remipsum5485.api.local^^2^^1775^^5161^^2^^1560253866^^1560253866^^2128^^lupta^^0^^reetdo^^Block all other IP traffic and log^^gnaal^^ntsunt^^01:00:5e:a7:37:7d^^01:00:5e:f3:43:d1^^nvo^^tenby^^aaliqu^^quaeabil^^umq^^ptate^^ade^^eip^^entor^^turExce^^ncidid^^modi", + "fileset.name": "endpointprotection", + "group.name": "uisnostr", + "host.hostname": "tionul7555.www5.lan", + "host.name": "ugia146.www5.corp", + "input.type": "log", + "log.level": "high", + "log.offset": 30078, + "network.application": "lupta", + "network.direction": "outbound", + "network.protocol": "TCP", + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "ugia146.www5.corp", + "tionul7555.www5.lan", + "remipsum5485.api.local" + ], + "related.ip": [ + "10.173.98.74", + "10.70.185.238" + ], + "related.user": [ + "tenby" + ], + "rsa.counters.dclass_c1": 2128, + "rsa.counters.dclass_c1_str": "No. of attacks", + "rsa.internal.event_desc": "Block all other IP traffic and log", + "rsa.internal.messageid": "301", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "Communication", + "rsa.misc.group": "uisnostr", + "rsa.misc.reference_id": "lit", + "rsa.misc.rule": "reetdo", + "rsa.misc.rule_name": "Block all other IP traffic and log", + "rsa.misc.severity": "high", + "rsa.network.alias_host": [ + "ugia146.www5.corp" + ], + "rsa.network.domain": "tationul5346.internal.localdomain", + "rsa.network.host_dst": "remipsum5485.api.local", + "rsa.network.zone": "nvo", + "rsa.time.endtime": "2019-06-11T11:51:06.000Z", + "rsa.time.starttime": "2019-06-11T11:51:06.000Z", + "rule.name": "Block all other IP traffic and log", + "server.domain": "tationul5346.internal.localdomain", + "service.type": "symantec", + "source.address": "tionul7555.www5.lan", + "source.domain": "aaliqu", + "source.ip": [ + "10.70.185.238" + ], + "source.mac": "01:00:5e:a7:37:7d", + "source.port": 1775, + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "tenby" + }, + { + "event.action": "allow", + "event.code": "Application_45", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%NICWIN-4-Application_45_Symantec: Application,rn=nisiutal cid=ptassi eid=mtota,lit Jun 25 18:53:40 2019,odite,Symantec AntiVirus,SYSTEM,Information,ilmoles4582.api.lan,tqui. string-data=[ Scan type: tautfug Event: success Security risk detected: metMalo File: uatur Location: uia Computer: upid User: dolor Action taken:allow Date found: itsed]", + "file.directory": "metMalo", + "file.name": "uatur", + "fileset.name": "endpointprotection", + "host.hostname": "ilmoles4582.api.lan", + "input.type": "log", + "log.offset": 30774, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "ilmoles4582.api.lan" + ], + "related.user": [ + "dolor" + ], + "rsa.internal.event_desc": "tqui", + "rsa.internal.messageid": "Application_45", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "tautfug", + "rsa.misc.msgIdPart1": "Application", + "rsa.misc.msgIdPart2": "45", + "rsa.misc.result": "success", + "service.type": "symantec", + "source.address": "ilmoles4582.api.lan", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "dolor" + }, + { + "event.code": "Connected", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "01:56:14 SymantecServer giatquo3267.www.lan: quiado6095.mail.localhost,Category: ioffici,proide,\"Connected to Management Server 10.8.24.150.", + "fileset.name": "endpointprotection", + "host.hostname": "quiado6095.mail.localhost", + "host.name": "giatquo3267.www.lan", + "input.type": "log", + "log.offset": 31120, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "giatquo3267.www.lan", + "quiado6095.mail.localhost" + ], + "rsa.internal.event_desc": "Connected to Management Server", + "rsa.internal.messageid": "Connected", + "rsa.network.alias_host": [ + "giatquo3267.www.lan" + ], + "rsa.time.event_time_str": "01:56:14", + "service.type": "symantec", + "source.address": "quiado6095.mail.localhost", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.action": "deny", + "event.code": "2", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "July 24 08:58:48 aut1615.mail.example SymantecServer: tatis3791.www5.test,SHA-256:iceroinB,MD-5:lab,\"[SID: tobe] 2 ^^odite7850.internal.corp^^asnula6304.internal.example^^elitse^^cidun7605.www5.example^^10.201.112.171^^rinrepre^^modicons^^uidolor^^tenatu^^deny^^2019-07-24T08:58:48Z^^rrorsit^^eprehen^^1470^^diconseq^^runtm", + "file.name": "diconseq", + "fileset.name": "endpointprotection", + "host.hostname": "cidun7605.www5.example", + "host.name": "odite7850.internal.corp", + "input.type": "log", + "log.offset": 31261, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "odite7850.internal.corp", + "cidun7605.www5.example" + ], + "related.ip": [ + "10.201.112.171" + ], + "related.user": [ + "elitse" + ], + "rsa.counters.dclass_c1": 1470, + "rsa.counters.dclass_c1_str": "Virus Count.", + "rsa.db.index": "uidolor", + "rsa.internal.event_desc": "Security risk found", + "rsa.internal.messageid": "2", + "rsa.investigations.ec_activity": "Detect", + "rsa.investigations.ec_subject": "Virus", + "rsa.investigations.ec_theme": "TEV", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.checksum": "lab", + "rsa.misc.disposition": "tenatu", + "rsa.misc.event_source": "rinrepre", + "rsa.misc.virusname": "modicons", + "rsa.network.alias_host": [ + "odite7850.internal.corp" + ], + "rsa.network.domain": "asnula6304.internal.example", + "rsa.threat.threat_category": "modicons", + "rsa.time.recorded_time": "2019-07-24T08:58:48.000Z", + "server.domain": "asnula6304.internal.example", + "service.type": "symantec", + "source.address": "cidun7605.www5.example", + "source.ip": [ + "10.201.112.171" + ], + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "elitse" + }, + { + "event.code": "ationu", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%SymantecEP: 302448900^^tion595.internal.corp^^laboru6211.mail.local^^emporai^^mqu^^ationu^^gna^^1565193683^^medium^^temUt^^quaturQ^^ssitasp7492.test^^veri^^ssitaspe^^eserun^^niamqu^^quianonn^^uines^^rat^^mSect^^perspic^^mulla^^vol^^consect^^iqu^^uptate", + "fileset.name": "endpointprotection", + "host.hostname": "ssitasp7492.test", + "input.type": "log", + "log.level": "medium", + "log.offset": 31585, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "ssitasp7492.test" + ], + "rsa.internal.event_desc": "eserun", + "rsa.internal.messageid": "302448900", + "rsa.misc.event_source": "ssitaspe", + "rsa.misc.reference_id": "ationu", + "rsa.misc.severity": "medium", + "rsa.network.domain": "laboru6211.mail.local", + "server.domain": "laboru6211.mail.local", + "service.type": "symantec", + "source.address": "ssitasp7492.test", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "tasu", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "23:03:57 SymantecServer ntsun948.home: ima1551.www.invalid,\"[SID: atemse] 302452802 ^^ntiumtot6232.api.corp^^npro^^estq2131.api.localdomain^^atn^^luptasnu^^tasu^^exeac^^1566428637^^very-high^^itesse^^gitse^^rem6392.internal.domain^^amea^^upt^^did^^rspiciat^^iaec^^lab^^nimi^^uscipit^^tuserror^^ionul^^exercit^^tetur^^ion^^olu", + "fileset.name": "endpointprotection", + "group.name": "atn", + "host.hostname": "rem6392.internal.domain", + "host.name": "estq2131.api.localdomain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 31839, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "estq2131.api.localdomain", + "rem6392.internal.domain" + ], + "rsa.internal.event_desc": "did", + "rsa.internal.messageid": "302452802", + "rsa.misc.event_source": "upt", + "rsa.misc.group": "atn", + "rsa.misc.reference_id": "tasu", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "estq2131.api.localdomain" + ], + "rsa.network.domain": "ntiumtot6232.api.corp", + "server.domain": "ntiumtot6232.api.corp", + "service.type": "symantec", + "source.address": "rem6392.internal.domain", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "orumSec", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "06:06:31 SymantecServer ididuntu2165.api.host: Site: https://internal.example.net/ommo/ddoeius.htm?ten=turadipi#liquide,Server: remipsum2332.api.domain,Domain: gel3984.mail.example,The 303235079 ^^ree4785.internal.localdomain^^edolori^^giatq7007.www.domain^^ntinc^^ptatev^^orumSec^^totamr^^1567663591^^very-high^^pidatat^^perna^^upi3.www.home^^temUten^^iquaUt^^caecatc^^ationula^^abo^^onofde^^eriame^^sunde^^otamrema^^madminim^^orsitam^^tiumto^^psumdol^^atcup", + "fileset.name": "endpointprotection", + "group.name": "ntinc", + "host.hostname": "upi3.www.home", + "host.name": "giatq7007.www.domain", + "input.type": "log", + "log.level": "very-high", + "log.offset": 32165, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "giatq7007.www.domain", + "upi3.www.home" + ], + "rsa.internal.event_desc": "caecatc", + "rsa.internal.messageid": "303235079", + "rsa.misc.event_source": "iquaUt", + "rsa.misc.group": "ntinc", + "rsa.misc.reference_id": "orumSec", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "giatq7007.www.domain" + ], + "rsa.network.domain": "ree4785.internal.localdomain", + "server.domain": "ree4785.internal.localdomain", + "service.type": "symantec", + "source.address": "upi3.www.home", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.action": "reprehe", + "event.code": "5", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%SymantecEP-orem: 10.90.66.238^^itess2258.api.lan^^eprehend3993.internal.test^^nulap^^ianonnu4387.www.domain^^10.59.140.108^^5^^^^llumdolo^^sequines^^reprehe^^block^^2019-09-19T13:09:05Z^^agna^^laud^^5043^^abor^^esse", + "file.name": "5043", + "fileset.name": "endpointprotection", + "host.hostname": "ianonnu4387.www.domain", + "host.ip": "10.90.66.238", + "host.name": "itess2258.api.lan", + "input.type": "log", + "log.offset": 32625, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "itess2258.api.lan", + "ianonnu4387.www.domain" + ], + "related.ip": [ + "10.90.66.238", + "10.59.140.108" + ], + "related.user": [ + "nulap" + ], + "rsa.counters.dclass_c1_str": "Virus Count.", + "rsa.db.index": "llumdolo", + "rsa.internal.event_desc": "CAL Event", + "rsa.internal.messageid": "5", + "rsa.investigations.ec_activity": "Detect", + "rsa.investigations.ec_subject": "Virus", + "rsa.investigations.ec_theme": "TEV", + "rsa.misc.action": [ + "reprehe" + ], + "rsa.misc.disposition": "sequines", + "rsa.misc.event_source": "5", + "rsa.misc.virusname": "", + "rsa.network.alias_host": [ + "itess2258.api.lan" + ], + "rsa.network.domain": "eprehend3993.internal.test", + "rsa.threat.threat_category": "", + "server.domain": "eprehend3993.internal.test", + "service.type": "symantec", + "source.address": "ianonnu4387.www.domain", + "source.ip": [ + "10.59.140.108" + ], + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "nulap" + }, + { + "destination.address": "ess3012.mail.test", + "destination.ip": [ + "10.45.116.216" + ], + "destination.mac": "01:00:5e:38:9e:75", + "destination.port": 7638, + "event.code": "ratvo", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "October 3 20:11:40 identsu4913.mail.localdomain SymantecServer: Site: https://api.example.com/uptatemq/ctionof.jpg?risni=ovolupt#tionu,Server: ntium1347.www.test,Domain: econse4373.www.invalid,221 ^^tdo6940.mail.local^^fugiat^^epteur5858.www5.local^^rissus^^consequa^^idolor^^ratvo^^10.38.136.160^^10.45.116.216^^01:00:5e:b5:7b:f4^^01:00:5e:38:9e:75^^psu^^epr^^citat^^1570133500^^low^^imad^^vol^^rin5257.www5.test^^psa^^sumquia^^ess3012.mail.test^^1^^1^^mnisiste^^1570133500^^1570133500^^490^^elitess^^emeumfu^^tMalorum^^oremip^^orsitvo^^eacomm^^iuntNeq^^uiadolor^^emUt^^epreh^^eritq^^uaeratv^^quiaco^^todi^^2001:db8::655ca99c:30b2c2da^^2001:db8::16767bb2:194dacee^^4364^^7638^^1297^^osam^^2852^^https://mail.example.com/quaeabil/uredolo.htm?atnul=eroinB#beataev^^https://internal.example.org/aaliqua/atiset.txt?tat=uamestq#eri^^amv^^1.6400^^mveni", + "fileset.name": "endpointprotection", + "group.name": "rissus", + "host.hostname": "rin5257.www5.test", + "host.name": "epteur5858.www5.local", + "http.request.referrer": "https://internal.example.org/aaliqua/atiset.txt?tat=uamestq#eri", + "input.type": "log", + "log.level": "low", + "log.offset": 32842, + "network.application": "elitess", + "network.direction": "inbound", + "network.protocol": "Others", + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "observer.version": "1.6400", + "related.hosts": [ + "epteur5858.www5.local", + "rin5257.www5.test", + "ess3012.mail.test" + ], + "related.ip": [ + "10.38.136.160", + "10.45.116.216" + ], + "related.user": [ + "epr" + ], + "rsa.counters.dclass_c1": 490, + "rsa.counters.dclass_c1_str": "No. of attacks", + "rsa.internal.event_desc": "emeumfu", + "rsa.internal.messageid": "221", + "rsa.misc.group": "rissus", + "rsa.misc.policy_id": "mveni", + "rsa.misc.reference_id": "ratvo", + "rsa.misc.severity": "low", + "rsa.misc.sig_id": 1297, + "rsa.misc.sig_id1": 2852, + "rsa.misc.sig_id_str": "osam", + "rsa.misc.version": "1.6400", + "rsa.network.alias_host": [ + "epteur5858.www5.local" + ], + "rsa.network.domain": "tdo6940.mail.local", + "rsa.network.host_dst": "ess3012.mail.test", + "rsa.network.zone": "psu", + "rsa.time.endtime": "2019-10-03T20:11:40.000Z", + "rsa.time.starttime": "2019-10-03T20:11:40.000Z", + "server.domain": "tdo6940.mail.local", + "service.type": "symantec", + "source.address": "rin5257.www5.test", + "source.domain": "citat", + "source.ip": [ + "10.38.136.160" + ], + "source.mac": "01:00:5e:b5:7b:f4", + "source.port": 4364, + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "url.original": "https://mail.example.com/quaeabil/uredolo.htm?atnul=eroinB#beataev", + "user.name": "epr" + }, + { + "event.code": "onulamc", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "October 18 03:14:14 quiadolo7345.www5.example SymantecServer: Site: https://www.example.com/cte/ntu.gif?ercitati=dolo#iutaliq,Server: inimv3115.api.local,\"302449409 ^^eumfug6647.home^^equ^^ptatemse^^onulamc^^itanim^^1571368454^^low^^metco^^oremeumf^^aed3193.api.lan^^animid^^sunti^^equa^^rure^^quat^^inim^^corp^^inBCSedu^^ptassita^^ritt^^magna^^tatemq^^sequ^^quii", + "fileset.name": "endpointprotection", + "host.hostname": "aed3193.api.lan", + "input.type": "log", + "log.level": "low", + "log.offset": 33690, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "aed3193.api.lan" + ], + "rsa.internal.event_desc": "equa", + "rsa.internal.messageid": "302449409", + "rsa.misc.event_source": "sunti", + "rsa.misc.reference_id": "onulamc", + "rsa.misc.severity": "low", + "rsa.network.domain": "eumfug6647.home", + "server.domain": "eumfug6647.home", + "service.type": "symantec", + "source.address": "aed3193.api.lan", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "257", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "November 1 10:16:48 eritin5441.api.example SymantecServer: Site: https://www5.example.org/cid/aturauto.gif?ciduntut=ita#identsu,Server: uep5156.mail.invalid,257 ^^atemq", + "fileset.name": "endpointprotection", + "input.type": "log", + "log.offset": 34054, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "rsa.internal.event_desc": "atemq", + "rsa.internal.messageid": "257", + "rsa.misc.reference_id": "257", + "service.type": "symantec", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.code": "deFinibu", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "November 15 17:19:22 udexerci658.mail.test SymantecServer: aveniamq3804.api.corp,Category: quaturQ,tenat,\"302449166 ^^lillumqu7256.www5.invalid^^audantiu^^pici^^deFinibu^^pitlab^^1573838362^^low^^sum^^tamre^^rumSec5271.home^^erspi^^evolupt^^unt^^emaper^^nse^^temUt^^onseq^^icia^^amnihilm^^isquames^^evelite^^eumfugia^^roquis^^porinci", + "fileset.name": "endpointprotection", + "host.hostname": "rumSec5271.home", + "input.type": "log", + "log.level": "low", + "log.offset": 34223, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "rumSec5271.home" + ], + "rsa.internal.event_desc": "unt", + "rsa.internal.messageid": "302449166", + "rsa.misc.event_source": "evolupt", + "rsa.misc.reference_id": "deFinibu", + "rsa.misc.severity": "low", + "rsa.network.domain": "lillumqu7256.www5.invalid", + "server.domain": "lillumqu7256.www5.invalid", + "service.type": "symantec", + "source.address": "rumSec5271.home", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + }, + { + "event.action": "block", + "event.code": "Application_45", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "%NICWIN-4-Application_45_Symantec: Application,rn=eaco cid=piscing eid=reseosqu,acommo Nov 30 00:21:57 2019,tiaecons,Symantec AntiVirus,SYSTEM,Information,volu7499.www5.localhost,edutpe. string-data=[ Scan type: uip Event: unknown Security risk detected: redolori File: Uteni Location: sitamet Computer: duntu User: sedqui Action taken:block Date found: rnatu]", + "file.directory": "redolori", + "file.name": "Uteni", + "fileset.name": "endpointprotection", + "host.hostname": "volu7499.www5.localhost", + "input.type": "log", + "log.offset": 34557, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "volu7499.www5.localhost" + ], + "related.user": [ + "sedqui" + ], + "rsa.internal.event_desc": "edutpe", + "rsa.internal.messageid": "Application_45", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.event_type": "uip", + "rsa.misc.msgIdPart1": "Application", + "rsa.misc.msgIdPart2": "45", + "rsa.misc.result": "unknown", + "service.type": "symantec", + "source.address": "volu7499.www5.localhost", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ], + "user.name": "sedqui" + }, + { + "event.code": "esciuntN", + "event.dataset": "symantec.endpointprotection", + "event.module": "symantec", + "event.original": "07:24:31 SymantecServer seosq1937.internal.localdomain: Site: https://internal.example.net/eca/uidolor.gif?nostru=tatemacc#cididu,Server: hil1908.mail.localdomain,Domain: porissu4165.example,Admin: dolore,302449409 ^^mol400.domain^^aud^^oNem5850.www.example^^yCiceroi^^atis^^esciuntN^^tNequepo^^1576308271^^very-high^^mnisi^^emporai^^gnama2349.mail.domain^^eritinvo^^ntiu^^ccusan^^ura^^pida^^remeumf^^ipexeaco^^itvo^^psumquia^^nisisten^^quamqu^^ecillumd^^tatisetq^^con", + "fileset.name": "endpointprotection", + "group.name": "yCiceroi", + "host.hostname": "gnama2349.mail.domain", + "host.name": "oNem5850.www.example", + "input.type": "log", + "log.level": "very-high", + "log.offset": 34918, + "observer.product": "Endpoint", + "observer.type": "Anti-Virus", + "observer.vendor": "Symantec", + "related.hosts": [ + "oNem5850.www.example", + "gnama2349.mail.domain" + ], + "rsa.internal.event_desc": "ccusan", + "rsa.internal.messageid": "302449409", + "rsa.misc.event_source": "ntiu", + "rsa.misc.group": "yCiceroi", + "rsa.misc.reference_id": "esciuntN", + "rsa.misc.severity": "very-high", + "rsa.network.alias_host": [ + "oNem5850.www.example" + ], + "rsa.network.domain": "mol400.domain", + "server.domain": "mol400.domain", + "service.type": "symantec", + "source.address": "gnama2349.mail.domain", + "tags": [ + "symantec.endpointprotection", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/symantec/fields.go b/x-pack/filebeat/module/symantec/fields.go new file mode 100644 index 00000000000..d3b0ee3cbca --- /dev/null +++ b/x-pack/filebeat/module/symantec/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package symantec + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "symantec", asset.ModuleFieldsPri, AssetSymantec); err != nil { + panic(err) + } +} + +// AssetSymantec returns asset data. +// This is the base64 encoded gzipped contents of module/symantec. +func AssetSymantec() string { + return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb9+78pOUjW5tR8+ynVdXWzUFYpokIgwwBjCkmL/+Cg3McMjBUBIFUPK72w9bsUg2uhtAo3/3d+QK1q+JWVdUWmB/IcRyK+A1uQx/IW+k5Z+5bsyLM1nWiktLLrSywCxX8i+ElGCY5rX712vyb38hhHTQyIyDKM3kLyT812v82P3vOyJpBa+JBLtS+mrCpQU9owwm7u/d1whRS9ArzS28JlY3/U/suobXDv2V0mXv7yXMaCNsgUu+JjMqDGx9PMC3/d97WgFRM2IX0CJGOsTIagEa8DOr6WzGGVlQQ6YAkqipAb2EcjKgTxt6B2LmWjX17UnZZepmWcRaUrFF3vjqY+vHltgsUpn51t/3rzC+YYNd+bjgxn2PcEMaAyWxijBa2ybwX9MVqcAYOnf/ppYwVYFxRCv3+Q5oQt6qOTkFpkrQcUI8LL6L1KHktHBhCdIWjrTEgAPCmbkfWG6Q50xJC9Iadz+4NJZK26JhojhaXh2CYEnt7gdD7LjHyS1BqCWrBWcLQokBY7iSZMGtIZS8B/s7txKMaXd/MjgaHbFmoRpREglL0GQK3bmrqTZA3oGlDjVKZlpVvaWevlVz8+KCsiuw5tkA/CnXwKxYPyc24E3JB/DCwp9w2UNzEmWkgCWIAzgplNy9n1ucPIVaA6M2YFLCjEsoiZIC0bJ0KoBUtI5jVZl5kezC7Nnjd+Gen5/+QJZUNOHG8xKk5TMeTidcU2aJUHO/X3qwEUgdd+DDacHvue2oqbacNYJq/H3Y2MnoyRiAPuikxE7GAPL4SRndkuVx9+Tl/9+T/XviVs2zIfe7vmr6R4GE7G7Lo8FuSQ8RetlR02BUo1mmt/f+bMt1/++HmbHUQgXSPkbkaFNyWzBBd+7wI0EPpNXrx4jYwulUjxExLg9DLK/G1EqOx3vSSqCHSI+8bJsBlCltqBG9JmZn9r7YugUcNgM9ZKAk3M+K2NFDBtBvsCLGubjjWjkSF2XPqxJln2fXgMxE7CMRDt6ZfewYanUj+ZcGNmq07ugPf1pvG7UnSjL3OFCrHrtlOyJuljyvOOxz98Qtw2ec0f59fqvm5GwJ0pJLFM6kkSVoZ4JoCIJqQPqMX0NJDFgHZOvH22uYcYOl3YQB7HsbLN0mDEDfaVOGnsD0/qXDDuaArjvw5G48WCiTSV/tn8tflbF9ESl2T6QBWXI5bz80sWPT8yF9PfzlhxywwY9GGXt+sfyJ0LLUTlaOXfdd5g6ot+prZe7yVW72vvp/l72OW/llw65c8I60vresJJTM+RJk5yT7ehUBx6LD/Bd5LZDyMSp/X0dEY9Shoep1oeFLhr3uBw9xg5Hu6Rq5fOaXJhd4kZ4Hb7al5OO6BsLoUIJMgQC3C9Dk07m0P7wiSpNfhKL2x5dkSg2eojZANuPzRlO7K4iGdB+i7n7FdGMYNJ/xmcC/4H49V7ncbPus43blr97BoPSK6jKbUteTaD2y+5w8v/i8pe9RokHQ3S0lxKyNhSo8ogFtB20B/qQazzz3b6X5nEsq2t9says38CGX/rUnMeL84vOrCAsC+gNO3J8FHUZDLqd4fTYHdag4Hvr6LICWoI8Su/4VlyLnp/eJknp8+8FSBHNYrPRRO9kEK7L72WiraJ1vFC28KM50OVFCALNKf40C2HHvAXJu3JnjhjDPOigdpluK6lu1q7aQPYx+hBZfxaaPRVWtlMFkt0pJMl0PNo0QDV8aMNYBNLyqxTrsk/uyE/QEKFsQw0sgT78ndqEb8vLnn5+RFTXEAMhulT2ceBTK6y04YWolDeRjBftqTgVTjbSdT6Gppl7ouatsohDIUzpVS+gxg8toZmUr3ozVQKvR+8O+mmPzwKyCkje7eloKRn0T0xw7xwKfEW7/2bz8/oe/Gi/SX9QoQFuk/zmg5p/OHnxL16DJS3ImGa1NI3xkxZmUd5LrMej3DH5Ecitjq/z4kvyrI/c5+fFH8q+EKe30ZaQiLPqc/Hdh/6f7IjdkmynfRLdQqhIera0rV1AwKsSUsqu8GrBHTiqL14Zab1c4JkJbRYCshniCMx6OArRWmfLTNvqgqYFxKhBjxNRYpZ1mLdde63AfLKngpT8YMaQImalGlu6FEYDIczkPytGNyYvbN2IAOUUsMFyHPWGjkV1YC0XLx/LOBXSI4X8CqcBqziJWRzCF+19GW9g/960Qds8+tRuNVs3abZuQX9XKbc3Q5uSSKO2MMavIFUB9A9MexYv3lTBNKwbGFEteFmWuqGtXvzQHCZpavOSl42DPLlxybRsqnNG+5XuXERcHr7gzuzFWjszwVISrfn5KtJPWBh0qyDSq52C7r93ICaMzJT09OCd8Jtx+TugsoaCh4D8/bX2vH6BSFshlOO9MAz600/WYoHT/awMxX0HgJaxUmFrwnJkNj9qcN3yg9j8K3czJ3IznHW+dewPCWW9PXWu1hCfkv0aE0YuXGRcPEKN3qzrj6OLkzUXQfRmVjj28qpXe1XgJPpFfXRpE8zjcH5/8U4WGOJruMVfqtinfbH6yMdi9noOW+YS8/PkVWSHfK6CSUCHivgJ06qOatPEfkRVo8GCpJQKosUTJnXKRbSY+uJr4dTMxcldzhG0D735XukTGYVYTsIVUQs3Xu4G4GdcDLZaQnwlbUE2Z9Ux0l3qN+KPTXJJGhpweseUzH62oTV3Q7QP1OYMIe2KXaFFUTslUsg0jaLoalWkoWXfUSspQY/UxChl8DoqxRrcQjaWypLokUumKCv5nLL9X6SrKnzJkORzMItVMB0/SnZi0wbpD5oXgM0CKIwa+AaZkOaJgb7a7MDann2UPQVwyVdUCbPQAjDpRKSrwVvMdMdirN9P2gQ7ypVs7epzHjvL2yRw9fpWSdpFomzb1qalyXjZZTuUDMf5MljnY7kD+qWTubgt7xKJbvVUxfXrtx10OD0RUthv9hli4tuHykSVo0yunKPflgUX2976HbQ00FZmbMj2mdAllvncwJNmEZ8p0K7Y6Rptp032xH18fvlZaVROE2mBRvmEgqebKq/VVIyz/znLQhNa1aKtfNr1sKirpPFaaS4jA8E5rL3qkPK6GcPvEELWSPjJmaVXvegYDxm41h+Lw9llD2II760aVYCbkXWMsmkl9oO5WUjuSl0stHLhJewXYbObwXsIxNCHc5HZBzzsNM9AgmT8Q1KnWJV/y0mk2eB7iguyyFWQfd5gXJ/K65vpoFG7208eCrt1J5FasPbHGCT2nrzmk8IDu940m3PRRF85zJ407eTYZLNmlk6kmtQSqBorcfSF2/E99VVCD/NJAc7Sj5E63P0Ub+biihiAS5ci5QeR+SM3UhErBFkMzyLR5ZTO8vvMqB651kQHVusihPdcpRdE20JfJoWbQlXqvyMOYkDvmY/SNGTyXd3pzDhWbN8m1Q4IFmwdipxtCakcQZQMlPoVibRqRO+w0YkWpxjJVwQuPQ2e8YFa2mg1OCJWBBVsG5MgBgSVobnOWjuwhrF09FAH2Ijv7XD55ixcHvQP9K91VujhoGHeqgfEZ3xg+ce3WB3PGeqoEXTl/NlNkAzoXIy83BROti6oMQZYo3sFsPtYmfN620vuWoNLkt8uQGstNmxCw61fD9dsdGquSNLUyPKHguNXZQnNalr7DFKbyt3d3tAtPI2yRr3XRHUWRbCrQnN1VFkVpO0IV2x7C+pVs3c3wYsnf7wFpS5Cl0iFhdi9lavrHA3SvaUO7avoHsLgd7RDLXws+YLeToPsR85I+Z6+6b4YXMlT9BzETvFwL2uUWS2UJJYvQ8SKeQCvUvGgTVR5EqLcH8c5C/Rg9U7Zk398x3Qq7VqP4iCv+SnC2zn179siFC0QgNNeWYj0ilxuRM286zsAPjQBELC5OlbRwnVtj7RA6l95ft+mHSsvSuP/DR5WKFqFYA5gbHme2oHIOhYRVblkwFriEVS/Uj0qItZpPGws9CTHM0Tcedaet95+/uOgwNU0m7DrOCZ6tbeU+pqEhuJtf5JHp628R4xYrwBzD2oaDZpPzpZegJ+QS/KY0BvSEzgFbeYdM95nSLQ4D2C0Yr7cz/D3xv+/1rVCaTLVauc/avwZd05tdo/2kz8sLqm1qN10HOLVHJdwpNagOPdadUqLs1MZcV0rVEAKKud7iN5JQAdp22UV6s2j4mw9vBfHRawKASUgRhbkkUsnvNNSAlsy+7Ac0G4755LBGa3dhOnsFdxL1uBfcR9ja8M+AshW3i6Ase1lPTnHBKVabSKLkd3Pl/nvPS4BKShFRHDPSTXvBwBeIgENSzYiTDpaDmZDLjUzZHWzQr6zKg/GJL+drjDNifMmoT7Ypg/gNjKeEicbY9kCGfwy2CX/CjdvJUBMd/BtO8cVPx1Wgo2s//obFLXrflimfUvbkJsPLYXmKWBBqjGIc/aVuN6L2JG7YW34Frwkl9WJtOKOClNxcPSe1xpkozwlY9iSuKFNND6m9vOND7+tsNK3Agjakpga7eBls5OB7ETBVVU6Kqa2g/bC0Bizbq+759+ChNL7eHmZ4mLz4Zqqqm+EdzLBtlKy4LNUq5NMyJRnU9nmXSTHKjAGZs0aINfnSUOGdn6WqKJdBasjeQkKNPF19r2cqdWkP6U4lfMvlFZShFqhNRKcGvVPBQHGffNOhNuHlvo0Tg64QWUVdf7KTd0vsItCi99vlQ+H1Wx08r+Ry2K6nCzqDrvjuYKfcLtawJmLrz/9+TfvHxJr2jIv8d7wj+RdcrbvGGsqGAWkjRxB3txnQnIoi8ppme0QucclWbd59H3sPoHthRv0CwK7MQS0HUniMw+ruoVtQs+huqFMLI1WGDVv4zN+2xqYrMzxpIe20CHOEdMtMjGbuV92/h5WmxMlzSTjm3DWSCaDa/Qkb4W1QCwWEwdup28LOm6MPXvg1wz5Pj/rFYqqactn1ze4/WKFsVN/h9Vpy3Zhje/r62ggiMO7xO06ANHIlTvzqvifjuKfUW3DZXeMd+7yX+fyUvPeS5mlo3ED8tL1Q9OtwexbXq70D+iF8+T338/kpsjSUvHViYug92I7I+TRAT8LEHyInC1bcxI3UpVnn7GW/HdUNBdpeXdjrx5be+D7iqXGsP+kWJuenN2qyqfxzN2iyDrGXstxotBNy4uszQ79T4T/Yr80ignr7Gz98E9xx08Z2lZvKdo9RIwUYzxnlH5SVIkuqOZ2KQRWgb8rAJakFHREEBqTJ2h9la0P7qqpfeeIkldMw2vpC7vb58sX5xa4OTULLWO9RGKvLPnCg4K1rITeRFo8kOZeWXPK5pCgsRo5orXTO5rVPBvLLHdKLVndT2NUR/9Mh0rvLeMpKFTk473/7SLhkoinBibMwyNb9fEKenl3Tqhbwmlx4h4gHi9J7EveLYGTu6LFNdE5tnpY4ZtxcOZX7ALzuUIrXc2O+D0/DB26u9oRcrebzOeh8I+ziLPvcjwUEHFA7XWgwCyVKd3q8rT4yaXQr9H4Ez8Iw9h6k8tMPXsd41jXjOD+Nl5HcOjrPVFUXR867wl0JuVc4xtX790wz/c6hoyTWp85w3IwqGzZmpQW19IGyxvqYd9JSaew84OR6i9/IlDiqyxXVD5OhN+yq76QrDQ+RI2KkNfJTJ0QpeUdZ2085rtw6EXRUO0bJ71oFVe+XQt7WTD7UWgM1yXODjaW2SaU4d/4oysWDmR1u8am6Jrx8Mf5+uZe1OQaGDqNPg8bH/i44LOJXt33HMk/fGxzy0+HcvUOeMy5VkyrG2asjMfPkd8pJ0pROh4FH9qfEgHN3Ztw6Em+EcHKPmIYxMGbWCHLm1idMlWDckWib/cYtCy5LuE7MAMGNPUzzvKdswYXRFNMtElPQGN+sqOYCM3giHjwff5dzQpGJ37nfRimTGc6hmvrmQg+kEYfVydMun7MGbepQdOslzIBlQUXYJMS3HZ6ejRQZejfX8D3OnVDila8uySv4qvy33YeUS0NKsJSLiJNhqhrb+90IaUocPTez9djSLo8N8Rh/SC1UtciWzfOGlDCjIQQUOl+2MfyQrem04iVoQddYyGVVeFzJ08iNdB+g1R1+DbO2Ctz76o3ltsHGjCRK2MY2GDZsuu91TRrF6vl3GE2NaQZZxVRVufuU5xideOiE95J9a62WvPT+s7aLXAVmNBGqVOzwQOPdvWW/cLHRGlk/Ly+uGlzXmPT0MLK+XT2vrP9DTQ/0Ox1M3v9W0xCAid+umudrnHuKCcV+5y8vzsn5QKHqo5Gta22oLtmPQcLCrq4adp7UkL6LPyzkVseVey8iiqkqc1d8DSrudpWOgAtxuIyoR4v03RJ8yOAIlec9F3AoHfYJtF08hM952YVyRpx4VWqrcVAGnuDlT6fkdXTXTc5nqp3uffHJd89pA1GYrHENrOl7EXzq1xRi5a1tF6Z9iRtHcIREveLltkOkq66kS8oFHQYySOcKJ1hfOQOtRyYt+Dt0iK8/XdwtGCtVaADlA7ADkkK6geHzyYhE5FUxbcpyndw/w6siaR1QD25j4LBG53u9VOkhaq4SdjnYKbErTHOMggRu+tmrvucqbUpuu8q6TV+0gFFssN2mYsOLkk14YT+RPkssNQeXR7PKTz6fkaehVuJzI5yuPOUCCzgwD+zsulbGffMZ+W7oaJC7UZgrqVZyyxAywBpsZrHchj4yaZPRI7jgdtNCT9oq9/ehNOktzClbk0+j5prgU00foig/LLzFYi5JRbmcaVrB3nSMmmqc2pu/T8KWcnmBy5L3qvTJ0Zu2gL2sswhS5AbtC1MFHCNyWUjbfePew4r82kg0Jd+pEgR5yuVy8u1zwhV7Tqbu/8D9H5VUrA03k2/j8UXL6mIm6GByfmodalvDP7kguCj6ulBOrtvhV2q2t1GDVVkx9X+dBjzbNggGtDvIUYSWVVq5u4PZ53e/Uw3ko08A/vbbz+9+f/Ph7Ntvfc7tkmrKR8/kSumrlCXLN16w39sF+xG2UScYlamViFCzk7ZLSfccUOaei3UGE2amNEjDWUoB0nMlZcC4Su8FicQHUgEtVpQPhxPf2zuAvc9TA3XXJ3WJummmmS6FnZbG6tSV71ivnc0h1n9Lk72jbc1HPifpocUum8FgA5UmFJts6l5CvYsDMeOjjqaW1GyO2ENJjXYjipC5W94TF8oH9xO8u+PCIR/0/w/DVTcqs5/89yBHrOz56AMie5F8kMPRxnH34afUEZK2tna2Z5c+tV1Ge5tlh30yn6HbbXByb45Mty2r+THiYVj0NaNcOF63zVwugsw4P+3XtmEnLmcOWphHWhiMZxW2OdeFUxEPoOeQxGtMtw7VRyeqqhq564kaYCcPa9x0X+zew7X9O8R16g43c5hmfV/cLqks/13Fo2Yb3Cy1/BDJcG/shgtvIWcaU3PGVbIs0WNZ8Ij9imo5DDo8dtSNrOpC5RLGl+/fXZDfvB91k5QaR+TLUVMJLv/jLfnSgB7p3doIWWjY7dSZN7mh5xBdkw9t0Vk0ravT0lnCh7QPVKUeI+CA1gc5jm6CaiPBsXvDLdMPaKCC6irDbjmwGdwLtE5YgNwBbcpkU2m3YKbtdrUFuqR2Vyu8L9wpSLaoqE5VVtLBXdd0ML743tEnygbpVElgFovkZ4HBLG0BVQd4NsdWSxnAqukfGaDWNPkkDN9xKvnxwqB7wVM/OKFzWwVO9UyOtCwow8Eo6ctPHGwjExrvPcDTeb38SV7bRfL3ncmCWV2UJmnf9R50B/mwyNMtAC8FTS4xZAFyzmXCosgh6By50bKYFWbFLUsuP2QxE2plaJU+d6UPW9plPugZoi5MFlzmFCdc1qCr6TpZwvsAds2u8gBfUpHjrPC6qLWyqkgfkkLoy58K9Dimhy2y3U2h5kWZg9kOcPr8NyaLil4X1qZyG2wDdidaQIZHoeIyE9Jc5kO6FqYQU1GkDotuwf4+I/DkncF7sFP3QuzDTl3V24f9c0bYrzLC/peMsP9HRth/zQPbqlrQKeQQKR309OaZLKpGoPI9XWd4J1vg9VUGvaRqBJ9XdR7t22mZVMxTJyEFyDyHUmLgC0vvG5GF8QmJGXbQaJbHmnSA81iTZm2aOsMsUia7suospqpV1pkecJ1BhFhlnWGWCzaaNVmAN5JfSyqVAZbhEC5fOa5kehSWr1RtF0DLDG41VdUFExl82A5whiAJwtXTtU3vFnWQTRbIdVNkiGkwzS1nVGQoIDIFnYNk64RZV33Ykor1n1BOc+C9LLANaBbIvh1MHqx9Ym0W6NN5vXyVxwdtiim3f83SaIyZIu2suB3AWiUX1SbLNUeowHT6KjfjffzJZm31AINdeD9/eueIB45qXxbgvpt8ug5yPdgzLiCHDWOKWY5N5LOUxdnbgHPoBqbgNSYpFllEHa+XP5XG1oNm/olgG82ywBZ8BjnMGIOO5gpKnqxgdBs2l3lOSaXKRoBhKge3A3A+zyCbVG1W1Cad+d+DHssgTwJYw5wbq2l6T8gGdgaNT0Odi9U6G68NdiLXmeSrz8z3RzwDdKuBVhkUSV8KlAvtfMr1aqG4KfyE2fTQ11TTLAe8HCmETQF56efbp4bLjaUy+Zzj0thpo1MNC2yhgp8VlANqkxzX9Hp0W5OcGixObpilH3Z9aKeBfTDntCxT3wFepg6rtq2DMrxFvCqYVqrK0pXIAc5gpvGqyJMcGToe5WBzfZW8PVNt0rcs5bWpNU8MVFDLbZM8+0xwCela7GygmqQTdTq4WHyb3q0llO96WsyESv6cd8AzpPw7mze51HFAM0gcZ0NnQDV5boJQ8yxHV86zXOBa6dQCrJo28xzXrOKG5RALlclyYHPMgZBgsblScrjJZbhvAJ06489DTZ2OJ1er1BZIlooy5QdAJ7dEVXrNSGk+LyLzuO4NdyVBp3+z6sIP5U0ONulk6g1YP+I1yyHLULgZZuKkFgYBbGppUBfekZQcXWqM+7Bgi1R1/gPQcF3z5IGAGnQ111TaQc/dFJBXWQCnf3p9J7JPn3amgCYArNW8oKZOODCgD1rT1FA1UJFDv9PAkA++62gm4OmZ7CCnbeHag6x0mQHj9I5Mk8E3bLxvOEM+gIHUiQB+4HEG48TAl/QHINagNRnUDKaU4fMMgtfUqb1sRrMc90CzMrkibTSLdcVNANimG7HVh9mY5F01l0ymLpSITou9L1DfpDM1+XZu0x8rDzR9RK+b6Zka7rpO3q21KadZ8tAbLTK8hY0BXZQ8ddV7lrEVbWQoBxssM5ZWqb3By4JLY+ksg2aw5NrmUMOXtczQuskq3ciUbtZYW7RIR9E3jVXkQyPJYOkueyTjsLzPVPCSnGgouSUnVJehm6HB9u9xdPzkrIxcGpsQimBwiD7B/gZMCRIr1enyIbjMx7mzqhZqDYPBgjfyb6aaZE29b3nGHA+9zwjnnWmYwzWp6G6jhU0sVs6b3WEg2ZEU3OBwhnb1sPXYQImYpq6VtmTYeJSQ1YJawi2pNczGjsI90nLvMoQixvhgdXQoEC5DZ/eRvtCCy9wT+XuoutX6eBpi1RzsAvRk832zUM3gRSNEwhJ0N47IKlJTbYC8A0txIri/q7RjwdO3am5eXPiy12fkNIz4ek7sIjKlCJsBf4Aw+hjRluQ92N+5lWDi+zw81FmYN8OR3d0twsU9sQaoZosJlzyKH87cPUJ/7R3xibMwMBnihaCNxFm/8wbnuLZN3OMN3Hf6te+hKX877o6mrgl3mF88Yuy7jSgS1jTdrvMqLks+wrXFWzHmLjjGNOoRgbQZXPceJ1RLMTLxErvnZhwHjv1zDVii4UsDxu5p2n14tvLde+V7lQHH8vhVvcTe9Uh1eafb7pR9OHmMMDa29Xfs0G5eRylPOfv/5vmGbrHz01Yo4Nrxs4FWQ7ok3jseYfe4TKkB4tO1O2zI4FZ1uxR+8TD4ym4UfIe50r59fZSNhFBDDACOO6P751VpKg1lRxjvO+gw7ZeWqPZuDg1rNE5A24d0DbriXt04FtKbJf1gDr7kAuZABCxBEGoMn0u/cZt5/fGjjy2ZH1B+4/p7Tvr0QSY9O8wayb80sDsmkcYvXw/fwzomHjYFpdVoeOkvJFNSAuZWkBW3izFBQUikMqTT2DUcVF50Z9PCsRPlSfdECTXnjAriMBgxfRCLh8UOlxoZ0/hwvKsXaxNHr5fOtlI7Wa2pH3gqODXFQmW3CbwR15lrOEtlM9TIScX+CJ54PwDiL43DFt+0MIiFCaB68kYY5Qzxrft2isFy8mv4xYS8kevuXwPoFm15Iy2h5YSpqm4s6LgYzuLGd4TlM8++2d0LnLG4tSHc/rN5+f0Pf3W272lvO1qOfRNFO5zTIm3E7LaOG7oGTf6l88mZFwENRC5+61PX/+Q/83KD89ap37sfByYv3yTbnuwOTHHrTMj73z6eOdpBg3eeoL+05IZpqKlka6dVBvVM7OaCEOTQc/Lx3WtyLu2PL5+T8/enZ//5mnw6l/bVT+TparEmErhdgCZsoUwYlaa0BmbxWz+8+l//7dmTKEfALjLKuF1+oEydVDQ+jsdkPn13vOaX/iyet0jFr3j5uJDuy6YbMD+wYdytH/gYvjuK6cY6+cy1baggb9+8jyL7p5KQz5d12Mn4P0rCJM5bh+5XI0KRkJuFJ27BY3yD9+zDnFpY0QcYkY6n+4K8KUuNflp/ymPodE8vq+pD45z3jYWcn7y78K/SaHisouaI0Y8tp5LXVMPbTc4vHCoj3i/HwwMnQSThoVt7nIetJlb46VrHFRA9dGlZcvdlKjYB294s//g7d8QD4ExCvOAq3PDT7SMwQGWTa51Fr7vtk0bJ+4DhhdK2E8kDoVtigA03gNv1zZLXHJn3nh4u5+1j0pL1bozxEmJ247G8uAE7tHypMYpxp3J6v9FAxyFOLmsq5zDpTCem5IzPGw0lma4RJsgSs4bicqY+sPXAoGh0RFuOLjrL0O9AJNT9+yVcyR0AGiploQiZ3enzjNKztpSmoIVPxc8AurY6D/BZhiMxy1AtLHJch1z9T+oMTKVl0Xri8qnluxa8o2Oyu1rfmfAAGuyZXYCWYMnHdQ3Pyaf2GXuLDrAfyUXrABu8BL+NaWrtqJ4jKBMjpnGLdPCLPydUiKgyUW++iAluVGNi3hK0ewO5tIoYi485l+TT+ahAYZggm01eJRfZDqiqM4x9c4A1mNQZvQ5shhIX/yKmTkVHf3sGbP1ohUKAnCefFIk4O+UjoxY6ooF6lYeKXgBGEobpBDNCyS9Kr6guh3O6CXkzx2QvTai78deYSzcFuwKQcdUzcdfEu8a4laWiH6rzyBBsGY+ZEQMKuQx5rpiWUHHrxFIYsREncSmoPEYc/xYOyjZBpOeiHBC47bLcRFKWzoKdowG7/fKkjlQCwy4Ey3T94G4XsafactYIqgn2iyYtEk/Prl+/VXM1m8WnvwMr7AKyb+8Wsh/dgv429vA+c3g7dN80dgHShmTxUbRNk7Jzwu0SevyS46h/MqBHEVaNZeq4nA5LjiN82TAGxozgjJ3HD2uOdljiCeJFnIo7V3pNIoUJA9yOIZy2cIQdHJ1UwgCfqZV074qTWzHlsPshGShK21Qt0/WjG3k3KfFdS7FmQHAoO3qCH2ZHH+aSGG6biPwkWFwAQUQHqAtqCC1V7V4XuwCuiVrJzZZ5xll6raSqRvJqcSaH4b5F/XGVCKfcc1k6+aO06RhAyS9cAHkTEJsM2HAbZ6/sCPN3cjRhvKP/QdIVRllwGbIW0nIhRmOEESnr3e/BCJ+vdxnqNVJzYjwhdKpyVg9EiJ/Cgi65alC7ZKqqtar4SIYiHBu5M0mnAovIZuRkP25cLjuxkxHJXQy3tE4SRWALw6TDZQ5AMLJ+h1/u3e29spv7NnrsNmWWjbS75WypNfoSy8ALdohZfystCN/jOUjQnLUkIUMw0W83tYDbBT61sdluJCA7YT9MjNXjwc+WpkPabj0YTS/30xTUC79WRrqipmlnhFtegXFy3Wt7GmoYDSKFXUjWFOLGjcDGg/fcBn3Lo3VI7+4HO1o/3o6mHwqTbMjprUkLDuObKBzQhhRvBMIthMHXS93LG6nTR907f9GS0KZv3rlkvVSPI0BukOOdAPl6j+OPN29ZqtEGx9my28lHfVQJkvKO3UJ+HPU4pqRtcBg7pR5L0Hb81Mkrdxq7KCqwC/UAURK65UkmHo3wtdENx15KWmX1Ou2J6nxQIvhrHSJ7zmUmT8h/Tn7+/nvy9O3pm4tn5JQby+W84WYBJZbCR3ERaq6y9wXaFwnDbNmZxyNsM35xJGNMq8xexX31n25XYxh0NwY98smGPt/lujBM++/qfnuOP8QpFjOlMtYmfZMpRkWq7nQ7hHygJW+MX4EoTQyvuKDaiycnNt0dYviux8ur8J4bXh6z00g/U/6TOwitF3GnL+bmkuers3gj9911DGuESsOe/zc4ifCTwVkIjhvolWWUcVem0jkTAwYhG2S10nMq+Z97sqplvqNwW2YfwOn+mRph94zraC1ppq4/v7jl8LXwLb5876KtrOZfgQq7YFQDqTWUquKSRgvueuLpgloO0pob0+MFPSa1b+mDEutbP0Kd6eC6q/PECa6aaovNkDak7herR2x2FITNbSTqDErQ1EJZJEsq23M+nPD5pV2xC55daLXkZdc8LHyP1rUImurgYITmP+5Z29Zp4wrOhkheHonKbsnQ68+uR8iMDg/FzMkl99Hzxa7iPtICrlM6Uw4Fv6vmCdeoM/V+1KuEnkcI9ToqaqzUEGOV9hLfQavAUlztCX5r4r71JE59xctSwPGk3Dtc77ZyLrK9Pbl3kJxrx2Mch9yLsFqvw5Bct9HZ56QW1G2Ze5+VJiCZXtdjXn5MhTyCPXmLDDrd2Za/KmPJO8oWXI6YdCXNJDm+2eX1J4mZ/rUGJz6cfuSbnJkJeVvSmnzGf3j9qFTS153+c/h4kgVdgtOcBFBNvjSg1wR7EJpaSQOtRhUvTnX0Fvib48jL0AOPOciat10gpSff9+Ubx7Ml6Qiobg7Qh9Ac9baY4pSnvA6z3TPetpbeamLkbMPw8HJDdCNl1I41z7uXx0eefRupkRq7ALEIFmb+jaBkxWWpVoaYGhifceY+eR6rEwx5ssML4sjz+G5ybshT7AgLkm2eIQxdPutxizQS3/G3MKdsTT6Z7ca3XQS22i2kTZ5d61Y4gsE+8tr3TS1EBWvV8JC5F3HA8a4PQKT6f6vSFMt5huzbJju/Qj3Wnder1xGKkcLoQQu/OYDY4+T1jpEaMnyD672VdWdI+ngX0CE1x3HYdQGD7b3ZJGT6bRjsULwhxc3Fz1g2kHIk4GiFG5JcwozL4KtH4YRd/SpajzQdROwOKhTLhNvGAbOj/qUWjJ3PNjftoZfSSG/KzodtLWWL6sgt8DerIsPJwDrqb0eWIS9TLtNNEEt6NxzJWFSY9/GMCKl+2Q5ui2+jvSnvj0ztHGCd9+27Aeua6vZMuT8/35CyWvBBK3XiboezZX3y+63Is8lnlvi2Fkqv823430xN5b/d2DGmRWS7i3qrnseeJseWv71A6DfQ9mAq0YCqtt/6fqpGT0EB0mpVHyI6StVMB86FW53xsKaztuGGcgTE0Vd3HPcenqiqpnLd3Ue8djhO39srS9DuGSq4nKm4UkDNVe4aoRvkx44V2WK2grxd0WdfcuUI/NIIsSb/0VDBZxxKcop1z945GEVlBdOCKXXFHyjo/jtMiV9/Yz9TMabNJ+82uwmH141FlfvAEaY33/UP3RJhyk5wR3uf/IR8XNee9I3nwDHH7+D45mmYFUmbye6g7XDwjgj9xMTa1u4icwxXXadcbmPnPYu10q23H0PMH96ObHmvV07i49Tyos47h2gPK9zKN3ruWzS1Upk0kW2k3DpuP0hNbdw1yWRBTcpofw+wDuX0iSE3WiTc5h7UhLvSGaNFo1N5Q3owDeiCztPZlBvQyZ+nbdBJ0x+3QYdTn0GwwLUFiapVeuPEwU92mjtFb6FhJ1UmtUbllzhGLeGWzP2Iy6J69SL890lA4UX4j5DXFHP7UwE6np0XyHnA6Lknph88R49rb9TagJwyDERzJhWXM9B6JO46pPsodPUV/xtZH3XPHgHJti/xrLcNkSuFYW2V9UpFljja8TvzcXt37D5iBrHu/+kfMEzQGh/4yesF6OP4I5zOHjKenp7g6Mdn5ATXj6MG2h6pWcoIn09Ah+GfsJWFuac5L2QNHfcY2dtwt+gT0+sUvXen+Z+HeiXv3holvtvkkv8Z99bwq0wy5fwfZ0TCXFnuN7BeUDMyAcqwY7cV6m2lX3x8uKDb6mwToAYJLjtnrG2c3tbfxBNSDJ8fo6Jiu79RN/Xw4+igZSdNuDFNcqUTIWOyVD5v3f1iKIghaJ3VBzrYlL70PHOLk0sMTu+TTkfJkOg6g4co8tNLTO3c/xj1pOdhSN5deu7BcVyEGiOKZc4XfTekGhzZUWTKwh092iRv02hyAeZXECzqTM0NvtmMK+k/SChbfyIG43VKk/PLN/94d0Eu3DtFfpMj01c22GaqpD4E248rFccWxRBbALsyBzmRbyeE8/Ygiw2d6/p1di3CMA00jCDcSME9Wi5oPmgK+QBKrsej6woyajQgzpba5mgTPvtYLqngpT+IESR2BeHRulrvE4TIsStYm12xnejktwmkiWEvrK1NwXEGbRbQuJU5GMLoI7hNfC7byheluV3fcKOYqqqsfeJuibfHIziE4iX4K65B7FqaqV0sK0FlYcxDDbx1K3sZ/nugtq3RimLrS42LWvFjpFXHEPYYEMQAkYpbA8hWtqBSDhpn5G43FVZFREZitkdq29w9LGHm4e9v37wP796LneW7B8Uqvev7T96zjZurYqlEk4sBb9o5zjLMuekmY7fjfBvJrSFPPRLmGXbrwMLedqLuDniCSEepEU0mafY24PpJchvSBSbbRQdL0JgpMGsEYUoyqK0zlC/9Ho60V1itckpfz3hnsLcjtB2itdKWKMffX//9TSwFN8r21OdO6fnxEyx3Cwy2XKxT6pudRBvF/P3st4vzC/KOXldclt1Y7/i2OtqOnoa5NURxhKxAxoC6fWR16lO8ZDF5eravcixmxyvYfOgi/Jbk7GrHlrMsSOXz09ClN2CxF0NxvE154F4BLcXVf/m64a4wR5ZDTTL17UZ/iTOhHyi7MYyrRiu+C+pWvrj3OTFNJEWdGvI3Y7WS83+bCsquBDcWyr+9CH973n3K5QxY/KMZ17CiIqrI0Kno/YZQWRKjyMix1DDnxuq1s+yPKSxqahehWX+HA9nFYYAkOqWOhaYvhPb1WkzpXhfyTp/sMAdp9fov/zcAAP//XljEyg==" +} diff --git a/x-pack/filebeat/module/tenable/README.md b/x-pack/filebeat/module/tenable/README.md deleted file mode 100644 index 5900664019f..00000000000 --- a/x-pack/filebeat/module/tenable/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# tenable module - -This is a module for Tenable Network Security Nessus logs. - -Autogenerated from RSA NetWitness log parser 2.0 XML nessusvs version 0 -at 2020-07-13 17:55:39.468229 +0000 UTC. - diff --git a/x-pack/filebeat/module/tenable/_meta/fields.yml b/x-pack/filebeat/module/tenable/_meta/fields.yml deleted file mode 100644 index 1c69ddd4b1f..00000000000 --- a/x-pack/filebeat/module/tenable/_meta/fields.yml +++ /dev/null @@ -1,5 +0,0 @@ -- key: tenable - title: Tenable Network Security Nessus - description: > - tenable fields. - fields: diff --git a/x-pack/filebeat/module/tenable/fields.go b/x-pack/filebeat/module/tenable/fields.go deleted file mode 100644 index 884611ba842..00000000000 --- a/x-pack/filebeat/module/tenable/fields.go +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. - -package tenable - -import ( - "github.com/elastic/beats/v7/libbeat/asset" -) - -func init() { - if err := asset.SetFields("filebeat", "tenable", asset.ModuleFieldsPri, AssetTenable); err != nil { - panic(err) - } -} - -// AssetTenable returns asset data. -// This is the base64 encoded gzipped contents of module/tenable. -func AssetTenable() string { - return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb9+78pOUjW5tR8+ynVdXWzUFYpokIgwwBjCkmL/+Cg3McMjBUBIFUPK72w9bsUg2uhtAo3/3d+QK1q+JBUmnAv5CiOVWwGvy0f+BvAe7UvqKXAJrNLdr8h6MacxfCCnBMM1ry5V8Tf7tL4SQFgqZcRClmfyFhP96jZ+6/31HJK3gNZEe7IRLC3pGGUzc37uvEaKWoFeaW3hNrG76n9h1Da8d1iuly97fS5jRRtgCl3xNZlQY2Pp4gG77v/e0AqJmxC6gRYx0iJHVAjTgZ1bT2YwzsqCGTAEkUVMDegnlZECfNvQOxMy1aurbk7LL1M2yiLWkYou88dXH1o8tsVmkMvOtv+9fYXzDBrvyccGN+x7hhjQGSmIVYbS2TeC/pitSgTF07v5NLWGqAuOIVu7zHdCEvFVzcgpMlaDjhHhYfBepQ8lp4cISpC0caYkBB4Qzcz+w3CDPmZIWpDXufnBpLJW2RcNEcbS8OgTBktrdD4bYcY+TW4JQS1YLzhaEEgPGcCXJgltDqBNZv3MrwZh29yeDo9ERaxaqESWRsARNptCdu5pqA+QdWOpQo2SmVdVb6ulbNTcvLii7AmueDcCfcg3MivVzYgPelHwALyz8CZc9NCdRRgpYgjiAk0LJ3fu5xclTqDUwagMmJcy4hJIoKRAtixK8onUcq8rMi2QXZs8evwv3/Pz0B7Kkogk3npcgLZ/xcDrhmjJLhJr7/dKDjUDquAMfTgt+z21HTbXlrBFU4+/Dxk5GT8YA9EEnJXYyBpDHT8roliyPuycv//+e7N8Tt2qeDbnf9VXTPwokZHdbHg12S3qI0MuOmgajGs0yvb33Z1uu+38/zIylFiqQ9jEiR5uS24IJunOHHwl6IK1eP0bEFk6neoyIcXkYYnk1plZyPN6TVgI9RHrkZdsMoExpQ43oNTE7s/fF1i3gsBnoIQMl4X5WxI4eMoB+gxUxzsUd18qRuCh7XpUo+zy7BmQmYh+JcPDO7GPHUKsbyb80sFGjdUd/+NN626g9UZK5x4Fa9dgt2xFxs+R5xWGfuyduGT7jjPbv81s1J2dLkJZconAmjSxBOxNEQxBUA9Jn/BpKYsA6IFs/3l7DjBss7SYMYN/bYOk2YQD6Tpsy9ASm9y8ddjAHdN2BJ3fjwUKZTPpq/1z+qozti0ixeyINyJLLefuhiR2bng/p6+EvP+SADX40ytjzi+VPhJaldrJy7LrvMndAvVVfK3OXr3Kz99X/u+x13MovG3blgnek9b1lJaFkzpcgOyfZ16sIOBYd5r/Ia4GUj1H5+zoiGqMODVWvCw1fMux1P3iIG4x0T9fI5TO/NLnAi/Q8eLMtJR/XNRBGhxJkCgS4XYAmn86l/eEVUZr8IhS1P74kU2rwFLUBshmfNxpVvxvoPkTd/YrpxjBoPuMzgX/B/XqucrnZ9lnH7cpfvYNB6RXVZTalrifRemT3OXl+8XlL36NEg6C7W0qIWRsLVXhEA9oO2gL8STWeee7fSvM5l1S0v9nWVm7gQy79a09ixPnF51cRFgT0B5y4Pws6jIZcTvH6bA7qUHE89PVZAC1BHyV2/SsuRc5P7xMl9fj2g6UI5rBY6aN2sglWZPez0VbROt8oWnhRnOlyooQAZpX+GgWw494D5Ny4M8cNYZ51UDpMtxTVt2pXbSF7GP0ILb6KTR+Lqlopg8lulZJkuh5sGiEavjRgrANoeFWLddgn92Un6AlQtiCGl0Cefk/sQjfk5c8/PyMraogBkN0qezjxKJTXW3DC1EoayMcK9tWcCqYaaTufQlNNvdBzV9lEIZCndKqW0GMGl9HMyla8GauBVqP3h301x+aBWQUlb3b1tBSM+iamOXaOBT4j3P6zefn9D381XqS/qFGAtkj/c0DNP509+JauQZOX5EwyWptG+MiKMynvJNdj0O8Z/IjkVsZW+fEl+VdH7nPy44/kXwlT2unLSEVY9Dn578L+T/dFbsg2U76JbqFUJTxaW1euoGBUiCllV3k1YI+cVBavDbXernBMBFnWikuLpomFeIIzHo4CtFaZ8tM2+qCpgXEqEGPE1FilnWYt117rcB8sqeClPxgxpAiZqUaW7oURgMhzOQ/K0Y3Ji9s3YgA5RSwwXIc9YaORXVgLRcvH8s4FdIjhfwKpwGrOIlZHMIX7X0Zb2D/3rRB2zz61G41Wzdptm5Bf1cptzdDm5JIo7Ywxq8gVQH0D0x7Fi/eVME0rBsYUS14WZa6o61kreeYgQVOLl7x0HOzZhUuubUOFM9q3fO8y4uLgFXdmN8bKkRmeinDVz0+JdtLaoEMFmUb1HGz3tRs5YXSmpKcH54TPhNvPCZ0lFDQU/Oenre/1A1TKArkM551pwId2uh4TlO5/bSDmKwi8hJUKUwueM7PhUZvzhg/U/kehmzmZm/G8461zb0A46+2pa62W8IT814gwevEy4+IBYvRuVWccXZy8uQi6L6PSsYdXtdK7Gi/BJ/KrS4NoHof745N/qtAQR9M95krdNuWbzU82BrvXc9Ayn5CXP78iK+R7BVQSKkTcV4BOfVSTNv4jsgINHiy1RAA1lii5Uy6yzcQHVxO/biZG7mqOsG3g3e9Kl8g4zGoCtpBKqPl6NxA343qgxRLyM2ELqimznonuUq8Rf3SaS9LIkNMjtnzmoxW1qQu6faA+ZxBhT+wSLYrKKZlKtmEETVejMg0l645aSRlqrD5GIYPPQTHW6BaisVSWVJdEKl1Rwf+M5fcqXUX5U4Ysh4NZpJrp4Em6E5M2WHfIvBB8BkhxxMA3wJQsRxTszXYXxub0s+whiEumqlqAjR6AUScqRQXear4jBnv1Zto+0EG+dGtHj/PYUd4+maPHr1LSLhJt06Y+NVXOyybLqXwgxp/JMgfbHcg/lczdbWGPWHSrtyqmT6/9uMvhgYjKdqPfEAvXNlw+sgRteuUU5b48sMj+3vewrYGmInNTpseULqHM9w6GJJvwTJluxVbHaDNtui/24+vD10qraoJQGyzKNwwk1Vx5tb5qhOXfWQ6a0LoWbfXLppdNRSWdx0pzCREY3mntRY+Ux9UQbp8YolbSR8Ysrepdz2DA2K3mUBzePmsIW3Bn3agSzIS8a4xFM6kP1N1KakfycqmFAzdprwCbzRzeSziGJoSb3C7oeadhBhok8weCOtW65EteOs0Gz0NckF22guzjDvPiRF7XXB+Nws1++ljQtTuJ3Iq1J9Y4oef0NYcUHtD9vtGEmz7qwnnupHEnzyaDJbt0MtWklkDVQJG7L8SO/6mvCmqQXxpojnaU3On2p2gjH1fUEESiHDk3iNwPqZmaUCnYYmgGmTavbIbXd17lwLUuMqBaFzm05zqlKNoG+jI51Ay6Uu8VeRgTcsd8jL4xg+fyTm/OoWLzJrl2SLBg80DsdENI7QiibKDEp1CsTSNyh51GrCjVWKYqeOFx6IwXzMpWs8EJoTKwYMuAHDkgsATNbc7SkT2EtauHIsBeZGefyydv8eKgd6B/pbtKFwcN4041MD7jG8Mnrt36YM5YT5WgK+fPZopsQOdi5OWmYKJ1UZUhyBLFO5jNx9qEz9tWet8SVJr8dhlSY7lpEwJ2/Wq4frtDY1WSplaGJxQctzpbaE7L0neYwlT+9u6OduFphC3ytS66oyiSTQWas7vKoihtR6hi20NYv5KtuxleLPn7PSBtCbJUOiTM7qVMTf94gO41bWhXTf8AFrejHWL5a8EH7HYSdD9iXtLn7FX3zfBChqr/IGaCl2tBu9xiqSyhZBE6XsQTaIWaF22iyoMI9fYg3lmoH6Nnypbs+zumW2HXahQfccVfCc7WuW/PHrlwgQiE5tpSrEfkciNy5k3HGfihEYCIxcWpkhauc2usHULn0vvrNv1QaVka93/4qFLRIhRrAHPD48wWVM6hkLDKLQvGApew6oX6UQmxVvNpY6EnIYY5+saj7rT1/vMXFx2mpsmEXcc5wbO1rdzHNDQEd/OLPDJ9/S1i3GIFmGNY23DQbHK+9BL0hFyC35TGgJ7QOWAr75DpPlO6xWEAuwXj9XaGvyf+972+FUqTqVYr91n716BrerNrtJ/0eXlBtU3tpusAp/aohDulBtWhx7pTSpSd2pjrSqkaQkAx11v8RhIqQNsuu0hvFg1/8+GtID56TQAwCSmiMJdEKvmdhhrQktmX/YBmwzGfHNZo7S5MZ6/gTqIe94L7CFsb/hlQtuJ2EZRlL+vJKS44xWoTSZT8bq7cf+95CVBJKSKKY0a6aS8Y+AIRcEiqGXHSwXIwE3K5kSm7gw36lVV5MD7x5XyNcUaMLxn1yTZlEL+B8ZQw0RjbHsjwj8E24U+4cTsZaqKDf8MpvvjpuAp0dO3H37C4Re/bMuVTyp7cZHg5LE8RC0KNUYyjv9TtRtSexA17y6/gNaGkXqwNZ1SQkpur56TWOBPlOQHLnsQVZarpIbWXd3zofZ2NphVY0IbU1GAXL4ONHHwvAqaqykkxtRW0H5bWgGV71T3/HjyUxtfbwwwPkxffTFV1M7yDGbaNkhWXpVqFfFqmJIPaPu8yKUaZMSBz1gixJl8aKrzzs1QV5TJIDdlbSKiRp6vv9UylLu0h3amEb7m8gjLUArWJ6NSgdyoYKO6TbzrUJrzct3Fi0BUiq6jrT3byboldBFr0frt8KLx+q4PnlVwO2/V0QWfQFd8d7JTbxRrWRGz9+d+vaf+YWNOecZH/jnck/4KrdddYQ9kwIG3kCOLuNgOaU1FEXtNsj8glLtmqzbvvY+8BdC/MqF8A2JU5qOVACo9xWN09dAtqFt0NdWphpMqwYQuf+dvW2HRlhictpJ0WYY6QbpmJ0cz9qvv3sNKUOHkuCcecu0YyAVS7P2EjvA1qoYAweDt1W9h5c/TBC79m2OfpUb9YTFVTLru+2f0HK5SN6ju8XkuuG3NsT19fG0EExj1+xwmQRq7EiV/d92Qc95R6Cy67a7xjn/cyn5+S917SPA2NG4iftheKfh1uz+J6tXdAP4Qvv+d+Pj9FloaSt05MDL0H2xE5nwboSZj4Q+RkwYqbuJG6NOucvey3o7qhQNurC3v92NIb30c8NY71J93C5Pz0Rk02lX/uBk3WIfZSlhuNdkJOfH1m6Hcq/Af7tVlEUG9/44dvgjtu2tiuclPZ7jFqpADjOaP8g7JSZEk1p1MxqAL0TRm4JLWgI4LAgDRZ+6NsbWhfVfUrT5ykchpGW1/I3T5fvji/2NWhSWgZ6z0KY3XZBw4UvHUt5CbS4pEk59KSSz6XFIXFyBGtlc7ZvPbJQH65Q3rR6m4KuzrifzpEencZT1mpIgfn/W8fCZdMNCU4cRYG2bqfT8jTs2ta1QJekwvvEPFgUXpP4n4RjMwdPbaJzqnN0xLHjJsrp3IfgNcdSvF6bsz34Wn4wM3VnpCr1Xw+B51vhF2cZZ/7sYCAA2qnCw1moUTpTo+31UcmjW6F3o/gWRjG3oNUfvrB6xjPumYc56fxMpJbR+eZquriyHlXuCsh9wrHuHr/nmmm3zl0lMT61BmOm1Flw8astKCWPlDWWB/zTloqjZ0HnFxv8RuZEkd1uaL6YTL0hl31nXSl4SFyRIy0Rn7qhCgl7yhr+ynHlVsngo5qxyj5Xaug6v1SyNuayYdaa6AmeW6wsdQ2qRTnzh9FuXgws8MtPlXXhJcvxt8v97I2x8DQYfRp0PjY3wWHRfzqtu9Y5ul7g0N+Opy7d8hzxqVqUsU4e3UkZp78TjlJmtLpMPDI/pQYcO7OjFtH4o0QTu4R0zAGxswaQc7c+oSpEow7Em2z37hlwWUJ14kZILixh2me95QtuDCaYrpFYgoa45sV1VxgBk/Eg+fj73JOKDLxO/fbKGUywzlUU99c6IE04rA6edrlc9agTR2Kbr2EGbAsqAibhPi2w9OzkSJD7+Yavse5E0q88tUleQVflf+2+5ByaUgJlnIRcTJMVWN7vxshTYmj52a2Hlva5bEhHuMPqYWqFtmyed6QEmY0hIBC58s2hh+yNZ1WvAQt6BoLuawKjyt5GrmR7gO0usOvYdZWgXtfvbHcNtiYkUQJ29gGw4ZN972uSaNYPf8Oo6kxzSCrmKoqd5/yHKMTD53wXrJvrdWSl95/1naRq8CMJkKVih0eaLy7t+wXLjZaI+vn5cVVg+sak54eRta3q+eV9X+o6YF+p4PJ+99qGgIw8dtV83yNc08xodjv/OXFOTkfKFR9NLJ1rQ3VJfsxSFjY1VXDzpMa0nfxh4Xc6rhy70VEMVVl7oqvQcXdrtIRcCEOlxH1aJG+W4IPGRyh8rznAg6lwz6BtouH8Dkvu1DOiBOvSm01DsrAE7z86ZS8ju66yflMtdO9Lz757jltIAqTNa6BNX0vgk/9mkKsvLXtwrQvceMIjpCoV7zcdoh01ZV0Sbmgw0AG6VzhBOsrZ6D1yKQFf4cO8fWni7sFY6UKDaB8AHZAUkg3MHw+GZGIvCqmTVmuk/tneFUkrQPqwW0MHNbofK+XKj1EzVXCLgc7JXaFaY5RkMBNP3vV91ylTcltV1m36YsWMIoNtttUbHhRsgkv7CfSZ4ml5uDyaFb5yecz8jTUSnxuhNOVp1xgAQfmgZ1d18q4bz4j3w0dDXI3CnMl1UpuGUIGWIPNLJbb0EcmbTJ6BBfcblroSVvl/j6UJr2FOWVr8mnUXBN8qulDFOWHhbdYzCWpKJczTSvYm45RU41Te/P3SdhSLi9wWfJelT45etMWsJd1FkGK3KB9YaqAY0QuC2m7b9x7WJFfG4mm5DtVgiBPuVxOvn1OuGLPydT9H7j/o5KKteFm8m08vmhZXcwEHUzOT61DbWv4JxcEF0VfF8rJdTv8Ss32NmqwKium/q/TgGfbBsGAdgc5itCySit3dzD7/O53qoF89AnA3377+d3vbz6cffutz7ldUk356JlcKX2VsmT5xgv2e7tgP8I26gSjMrUSEWp20nYp6Z4Dytxzsc5gwsyUBmk4SylAeq6kDBhX6b0gkfhAKqDFivLhcOJ7ewew93lqoO76pC5RN80006Ww09JYnbryHeu1sznE+m9psne0rfnI5yQ9tNhlMxhsoNKEYpNN3Uuod3EgZnzU0dSSms0Reyip0W5EETJ3y3viQvngfoJ3d1w45IP+/2G46kZl9pP/HuSIlT0ffUBkL5IPcjjaOO4+/JQ6QtLW1s727NKntstob7PssE/mM3S7DU7uzZHptmU1P0Y8DIu+ZpQLx+u2mctFkBnnp/3aNuzE5cxBC/NIC4PxrMI257pwKuIB9BySeI3p1qH66ERVVSN3PVED7ORhjZvui917uLZ/h7hO3eFmDtOs74vbJZXlv6t41GyDm6WWHyIZ7o3dcOEt5Exjas64SpYleiwLHrFfUS2HQYfHjrqRVV2oXML48v27C/Kb96NuklLjiHw5airB5X+8JV8a0CO9WxshCw27nTrzJjf0HKJr8qEtOoumdXVaOkv4kPaBqtRjBBzQ+iDH0U1QbSQ4dm+4ZfoBDVRQXWXYLQc2g3uB1gkLkDugTZlsKu0WzLTdrrZAl9TuaoX3hTsFyRYV1anKSjq465oOxhffO/pE2SCdKgnMYpH8LDCYpS2g6gDP5thqKQNYNf0jA9SaJp+E4TtOJT9eGHQveOoHJ3Ruq8CpnsmRlgVlOBglffmJg21kQuO9B3g6r5c/yWu7SP6+M1kwq4vSJO273oPuIB8WeboF4KWgySWGLEDOuUxYFDkEnSM3Whazwqy4ZcnlhyxmQq0MrdLnrvRhS7vMBz1D1IXJgsuc4oTLGnQ1XSdLeB/ArtlVHuBLKnKcFV4XtVZWFelDUgh9+VOBHsf0sEW2uynUvChzMNsBTp//xmRR0evC2lRug23A7kQLyPAoVFxmQprLfEjXwhRiKorUYdEt2N9nBJ68M3gPdupeiH3Yqat6+7B/zgj7VUbY/5IR9v/ICPuveWBbVQs6hRwipYOe3jyTRdUIVL6n6wzvZAu8vsqgl1SN4POqzqN9Oy2TinnqJKQAmedQSgx8Yel9I7IwPiExww4azfJYkw5wHmvSrE1TZ5hFymRXVp3FVLXKOtMDrjOIEKusM8xywUazJgvwRvJrSaUywDIcwuUrx5VMj8LylartAmiZwa2mqrpgIoMP2wHOECRBuHq6tundog6yyQK5booMMQ2mueWMigwFRKagc5BsnTDrqg9bUrH+E8ppDryXBbYBzQLZt4PJg7VPrM0CfTqvl6/y+KBNMeX2r1kajTFTpJ0VtwNYq+Si2mS55ggVmE5f5Wa8jz/ZrK0eYLAL7+dP7xzxwFHtywLcd5NP10GuB3vGBeSwYUwxy7GJfJayOHsbcA7dwBS8xiTFIouo4/Xyp9LYetDMPxFso1kW2ILPIIcZY9DRXEHJkxWMbsPmMs8pqVTZCDBM5eB2AM7nGWSTqs2K2qQz/3vQYxnkSQBrmHNjNU3vCdnAzqDxaahzsVpn47XBTuQ6k3z1mfn+iGeAbjXQKoMi6UuBcqGdT7leLRQ3hZ8wmx76mmqa5YCXI4WwKSAv/Xz71HC5sVQmn3NcGjttdKphgS1U8LOCckBtkuOaXo9ua5JTg8XJDbP0w64P7TSwD+aclmXqO8DL1GHVtnVQhreIVwXTSlVZuhI5wBnMNF4VeZIjQ8ejHGyur5K3Z6pN+palvDa15omBCmq5bZJnnwkuIV2LnQ1Uk3SiTgcXi2/Tu7WE8l1Pi5lQyZ/zDniGlH9n8yaXOg5oBonjbOgMqCbPTRBqnuXoynmWC1wrnVqAVdNmnuOaVdywHGKhMlkObI45EBIsNldKDje5DPcNoFNn/HmoqdPx5GqV2gLJUlGm/ADo5JaoSq8ZKc3nRWQe173hriTo9G9WXfihvMnBJp1MvQHrR7xmOWQZCjfDTJzUwiCATS0N6sI7kpKjS41xHxZskarOfwAarmuePBBQg67mmko76LmbAvIqC+D0T6/vRPbp084U0ASAtZoX1NQJBwb0QWuaGqoGKnLodxoY8sF3Hc0EPD2THeS0LVx7kJUuM2Cc3pFpMviGjfcNZ8gHMJA6EcAPPM5gnBj4kv4AxBq0JoOawZQyfJ5B8Jo6tZfNaJbjHmhWJlekjWaxrrgJANt0I7b6MBuTvKvmksnUhRLRabH3BeqbdKYm385t+mPlgaaP6HUzPVPDXdfJu7U25TRLHnqjRYa3sDGgi5KnrnrPMraijQzlYINlxtIqtTd4WXBpLJ1l0AyWXNscaviylhlaN1mlG5nSzRprixbpKPqmsYp8aCQZLN1lj2QclveZCl6SEw0lt+SE6jJ0MzTY/j2Ojp+clZFLYxNCEQwO0SfY34ApQWKlOl0+BJf5OHdW1UKtYTBY8Eb+zVSTrKn3Lc+Y46H3GeG8Mw1zuCYV3W20sInFynmzOwwkO5KCGxzO0K4eth4bKBHT1LXSlgwbjxKyWlBLuCW1htnYUbhHWu5dhlDEGB+sjg4FwmXo7D7SF1pwmXsifw9Vt1ofT0OsmoNdgJ5svm8Wqhm8aIRIWILuxhFZRWqqDZB3YClOBPd3lXYsePpWzc2LC1/2+oychhFfz4ldRKYUYTPgDxBGHyPakrwH+zu3Ekx8n4eHOgvzZjiyu7tFuLgn1gDVbDHhkkfxw5m7R+ivvSM+cRYGJkO8ELSROOt33uAc17aJe7yB+06/9j005W/H3dHUNeEO84tHjH23EUXCmqbbdV7FZclHuLZ4K8bcBceYRj0ikDaD697jhGopRiZeYvfcjOPAsX+uAUs0fGnA2D1Nuw/PVr57r3yvMuBYHr+ql9i7Hqku73TbnbIPJ48Rxsa2/o4d2s3rKOUpZ//fPN/QLXZ+2goFXDt+NtBqSJfEe8cj7B6XKTVAfLp2hw0Z3Kpul8IvHgZf2Y2C7zBX2revj7KREGqIAcBxZ3T/vCpNpaHsCON9Bx2m/dIS1d7NoWGNxglo+5CuQVfcqxvHQnqzpB/MwZdcwByIgCUIQo3hc+k3bjOvP370sSXzA8pvXH/PSZ8+yKRnh1kj+ZcGdsck0vjl6+F7WMfEw6agtBoNL/2FZEpKwNwKsuJ2MSYoCIlUhnQau4aDyovubFo4dqI86Z4ooeacUUEcBiOmD2LxsNjhUiNjGh+Od/VibeLo9dLZVmonqzX1A08Fp6ZYqOw2gTfiOnMNZ6lshho5qdgfwRPvB0D8pXHY4psWBrEwAVRP3gijnCG+dd9OMVhOfg2/mJA3ct39awDdoi1vpCW0nDBV1Y0FHRfDWdz4jrB85tk3u3uBMxa3NoTbfzYvv//hr872Pe1tR8uxb6Joh3NapI2Y3dZxQ9egyb90PjnzIqCByMVvfer6n/xnXm5w3jr1e/fjwOTlm2Tbk92BKW6dCXn/28czRzto8M4T9JeW3DANNZVs7bTKoJ6J3VwQghx6Tj6+e03Opf3x5XNy/v707D9fk0/n0r76iTxdLdZEArcL0IQtlAmj0pTWwCx+64dX/+u/PXsS5QjYRUYZt8sPlKmTisbH8ZjMp++O1/zSn8XzFqn4FS8fF9J92XQD5gc2jLv1Ax/Dd0cx3Vgnn7m2DRXk7Zv3UWT/VBLy+bIOOxn/R0mYxHnr0P1qRCgScrPwxC14jG/wnn2YUwsr+gAj0vF0X5A3ZanRT+tPeQyd7ullVX1onPO+sZDzk3cX/lUaDY9V1Bwx+rHlVPKaani7yfmFQ2XE++V4eOAkiCQ8dGuP87DVxAo/Xeu4AqKHLi1L7r5MxSZg25vlH3/njngAnEmIF1yFG366fQQGqGxyrbPodbd90ih5HzC8UNp2InkgdEsMsOEGcLu+WfKaI/Pe08PlvH1MWrLejTFeQsxuPJYXN2CHli81RjHuVE7vNxroOMTJZU3lHCad6cSUnPF5o6Ek0zXCBFli1lBcztQHth4YFI2OaMvRRWcZ+h2IhLp/v4QruQNAQ6UsFCGzO32eUXrWltIUtPCp+BlA11bnAT7LcCRmGaqFRY7rkKv/SZ2BqbQsWk9cPrV814J3dEx2V+s7Ex5Agz2zC9ASLPm4ruE5+dQ+Y2/RAfYjuWgdYIOX4LcxTa0d1XMEZWLENG6RDn7x54QKEVUm6s0XMcGNakzMW4J2byCXVhFj8THnknw6HxUoDBNks8mr5CLbAVV1hrFvDrAGkzqj14HNUOLiX8TUqejob8+ArR+tUAiQ8+STIhFnp3xk1EJHNFCv8lDRC8BIwjCdYEYo+UXpFdXlcE43IW/mmOylCXU3/hpz6aZgVwAyrnom7pp41xi3slT0Q3UeGYIt4zEzYkAhlyHPFdMSKm6dWAojNuIkLgWVx4jj38JB2SaI9FyUAwK3XZabSMrSWbBzNGC3X57UkUpg2IVgma4f3O0i9lRbzhpBNcF+0aRF4unZ9eu3aq5ms/j0d2CFXUD27d1C9qNb0N/GHt5nDm+H7pvGLkDakCw+irZpUnZOuF1Cj19yHPVPBvQowqqxTB2X02HJcYQvG8bAmBGcsfP4Yc3RDks8QbyIU3HnSq9JpDBhgNsxhNMWjrCDo5NKGOAztZLuXXFyK6Ycdj8kA0Vpm6plun50I+8mJb5rKdYMCA5lR0/ww+zow1wSw20TkZ8EiwsgiOgAdUENoaWq3etiF8A1USu52TLPOEuvlVTVSF4tzuQw3LeoP64S4ZR7Lksnf5Q2HQMo+YULIG8CYpMBG27j7JUdYf5OjiaMd/Q/SLrCKAsuQ9ZCWi7EaIwwImW9+z0Y4fP1LkO9RmpOjCeETlXO6oEI8VNY0CVXDWqXTFW1VhUfyVCEYyN3JulUYBHZjJzsx43LZSd2MiK5i+GW1kmiCGxhmHS4zAEIRtbv8Mu9u71XdnPfRo/dpsyykXa3nC21Rl9iGXjBDjHrb6UF4Xs8Bwmas5YkZAgm+u2mFnC7wKc2NtuNBGQn7IeJsXo8+NnSdEjbrQej6eV+moJ64dfKSFfUNO2McMsrME6ue21PQw2jQaSwC8maQty4Edh48J7boG95tA7p3f1gR+vH29H0Q2GSDTm9NWnBYXwThQPakOKNQLiFMPh6qXt5I3X6qHvnL1oS2vTNO5esl+pxBMgNcrwTIF/vcfzx5i1LNdrgOFt2O/mojypBUt6xW8iPox7HlLQNDmOn1GMJ2o6fOnnlTmMXRQV2oR4gSkK3PMnEoxG+Nrrh2EtJq6xepz1RnQ9KBH+tQ2TPuczkCfnPyc/ff0+evj19c/GMnHJjuZw33CygxFL4KC5CzVX2vkD7ImGYLTvzeIRtxi+OZIxpldmruK/+0+1qDIPuxqBHPtnQ57tcF4Zp/13db8/xhzjFYqZUxtqkbzLFqEjVnW6HkA+05I3xKxClieEVF1R78eTEprtDDN/1eHkV3nPDy2N2Gulnyn9yB6H1Iu70xdxc8nx1Fm/kvruOYY1Qadjz/wYnEX4yOAvBcQO9sowy7spUOmdiwCBkg6xWek4l/3NPVrXMdxRuy+wDON0/UyPsnnEdrSXN1PXnF7ccvha+xZfvXbSV1fwrUGEXjGogtYZSVVzSaMFdTzxdUMtBWnNjerygx6T2LX1QYn3rR6gzHVx3dZ44wVVTbbEZ0obU/WL1iM2OgrC5jUSdQQmaWiiLZElle86HEz6/tCt2wbMLrZa87JqHhe/RuhZBUx0cjND8xz1r2zptXMHZEMnLI1HZLRl6/dn1CJnR4aGYObnkPnq+2FXcR1rAdUpnyqHgd9U84Rp1pt6PepXQ8wihXkdFjZUaYqzSXuI7aBVYiqs9wW9N3LeexKmveFkKOJ6Ue4fr3VbORba3J/cOknPteIzjkHsRVut1GJLrNjr7nNSCui1z77PSBCTT63rMy4+pkEewJ2+RQac72/JXZSx5R9mCyxGTrqSZJMc3u7z+JDHTv9bgxIfTj3yTMzMhb0tak8/4D68flUr6utN/Dh9PsqBLcJqTAKrJlwb0mmAPQlMraaDVqOLFqY7eAn9zHHkZeuAxB1nztguk9OT7vnzjeLYkHQHVzQH6EJqj3hZTnPKU12G2e8bb1tJbTYycbRgeXm6IbqSM2rHmeffy+MizbyM1UmMXIBbBwsy/EZSsuCzVyhBTA+Mzztwnz2N1giFPdnhBHHke303ODXmKHWFBss0zhKHLZz1ukUbiO/4W5pStySez3fi2i8BWu4W0ybNr3QpHMNhHXvu+qYWoYK0aHjL3Ig443vUBiFT/b1WaYjnPkH3bZOdXqMe683r1OkIxUhg9aOE3BxB7nLzeMVJDhm9wvbey7gxJH+8COqTmOA67LmCwvTebhEy/DYMdijekuLn4GcsGUo4EHK1wQ5JLmHEZfPUonLCrX0XrkaaDiN1BhWKZcNs4YHbUv9SCsfPZ5qY99FIa6U3Z+bCtpWxRHbkF/mZVZDgZWEf97cgy5GXKZboJYknvhiMZiwrzPp4RIdUv28Ft8W20N+X9kamdA6zzvn03YF1T3Z4p9+fnG1JWCz5opU7c7XC2rE9+vxV5NvnMEt/WQul1vg3/m6mp/LcbO8a0iGx3UW/V89jT5NjytxcI/QbaHkwlGlDV9lvfT9XoKShAWq3qQ0RHqZrpwLlwqzMe1nTWNtxQjoA4+uqO497DE1XVVK67+4jXDsfpe3tlCdo9QwWXMxVXCqi5yl0jdIP82LEiW8xWkLcr+uxLrhyBXxoh1uQ/Gir4jENJTrHu2TsHo6isYFowpa74AwXdf4cp8etv7GcqxrT55N1mN+HwurGoch84wvTmu/6hWyJM2QnuaO+Tn5CP69qTvvEcOOb4HRzfPA2zImkz2R20HQ7eEaGfmFjb2l1kjuGq65TLbey8Z7FWuvX2Y4j5w9uRLe/1ykl8nFpe1HnnEO1hhVv5Rs99i6ZWKpMmso2UW8ftB6mpjbsmmSyoSRnt7wHWoZw+MeRGi4Tb3IOacFc6Y7RodCpvSA+mAV3QeTqbcgM6+fO0DTpp+uM26HDqMwgWuLYgUbVKb5w4+MlOc6foLTTspMqk1qj8EseoJdySuR9xWVSvXoT/PgkovAj/EfKaYm5/KkDHs/MCOQ8YPffE9IPn6HHtjVobkFOGgWjOpOJyBlqPxF2HdB+Frr7ifyPro+7ZIyDZ9iWe9bYhcqUwrK2yXqnIEkc7fmc+bu+O3UfMINb9P/0Dhgla4wM/eb0AfRx/hNPZQ8bT0xMc/fiMnOD6cdRA2yM1Sxnh8wnoMPwTtrIw9zTnhayh4x4jexvuFn1iep2i9+40//NQr+TdW6PEd5tc8j/j3hp+lUmmnP/jjEiYK8v9BtYLakYmQBl27LZCva30i48PF3RbnW0C1CDBZeeMtY3T2/qbeEKK4fNjVFRs9zfqph5+HB207KQJN6ZJrnQiZEyWyuetu18MBTEErbP6QAeb0peeZ25xconB6X3S6SgZEl1n8BBFfnqJqZ37H6Oe9DwMybtLzz04jotQY0SxzPmi74ZUgyM7ikxZuKNHm+RtGk0uwPwKgkWdqbnBN5txJf0HCWXrT8RgvE5pcn755h/vLsiFe6fIb3Jk+soG20yV1Idg+3Gl4tiiGGILYFfmICfy7YRw3h5ksaFzXb/OrkUYpoGGEYQbKbhHywXNB00hH0DJ9Xh0XUFGjQbE2VLbHG3CZx/LJRW89AcxgsSuIDxaV+t9ghA5dgVrsyu2E538NoE0MeyFtbUpOM6gzQIatzIHQxh9BLeJz2Vb+aI0t+sbbhRTVZW1T9wt8fZ4BIdQvAR/xTWIXUsztYtlJagsjHmogbduZS/Dfw/UtjVaUWx9qXFRK36MtOoYwh4DghggUnFrANnKFlTKQeOM3O2mwqqIyEjM9khtm7uHJcw8/P3tm/fh3Xuxs3z3oFild33/yXu2cXNVLJVocjHgTTvHWYY5N91k7HacbyO5NeSpR8I8w24dWNjbTtTdAU8Q6Sg1oskkzd4GXD9JbkO6wGS76GAJGjMFZo0gTEkGtXWG8qXfw5H2CqtVTunrGe8M9naEtkO0VtoS5fj767+/iaXgRtme+twpPT9+guVugcGWi3VKfbOTaKOYv5/9dnF+Qd7R64rLshvrHd9WR9vR0zC3hiiOkBXIGFC3j6xOfYqXLCZPz/ZVjsXseAWbD12E35KcXe3YcpYFqXx+Grr0Biz2YiiOtykP3Cugpbj6L1833BXmyHKoSaa+3egvcSb0A2U3hnHVaMV3Qd3KF/c+J6aJpKhTQ/5mrFZy/m9TQdmV4MZC+bcX4W/Pu0+5nAGLfzTjGlZURBUZOhW93xAqS2IUGTmWGubcWL12lv0xhUVN7SI06+9wILs4DJBEp9Sx0PSF0L5eiynd60Le6ZMd5iCtXv/l/wYAAP//FuPA1g==" -} diff --git a/x-pack/filebeat/module/tenable/nessus_security/config/input.yml b/x-pack/filebeat/module/tenable/nessus_security/config/input.yml deleted file mode 100644 index b91f14239e9..00000000000 --- a/x-pack/filebeat/module/tenable/nessus_security/config/input.yml +++ /dev/null @@ -1,45 +0,0 @@ -{{ if eq .input "file" }} - -type: log -paths: - {{ range $i, $path := .paths }} -- {{$path}} - {{ end }} -exclude_files: [".gz$"] - -{{ else }} - -type: {{.input}} -host: "{{.syslog_host}}:{{.syslog_port}}" - -{{ end }} - -tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} - -fields_under_root: true -fields: - observer: - vendor: "Tenable" - product: "Nessus" - type: "Vulnerability" - -processors: -- script: - lang: javascript - params: - ecs: true - rsa: {{.rsa_fields}} - tz_offset: {{.tz_offset}} - keep_raw: {{.keep_raw_fields}} - debug: {{.debug}} - files: - - ${path.home}/module/tenable/nessus_security/config/liblogparser.js - - ${path.home}/module/tenable/nessus_security/config/pipeline.js -{{ if .community_id }} -- community_id: ~ -{{ end }} -- add_fields: - target: '' - fields: - ecs.version: 1.5.0 diff --git a/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js b/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js deleted file mode 100644 index c8cf5e2ee06..00000000000 --- a/x-pack/filebeat/module/tenable/nessus_security/config/liblogparser.js +++ /dev/null @@ -1,2344 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? - if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. - cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? - if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; -} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], -}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. -function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.error(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). -var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, - "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "log.original", setter: fld_set}]}, - "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, - "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, - "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %NESSUSVS-%{messageid}: %{payload}", processor_chain([ - setc("header_id","0001"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(": "), - field("payload"), - ], - }), -])); - -var hdr2 = match("HEADER#1:0002", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{messageid->} %{payload}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" "), - field("payload"), - ], - }), -])); - -var hdr3 = match("HEADER#2:0003", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4}: %{messageid->} %{payload}", processor_chain([ - setc("header_id","0003"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld4"), - constant(": "), - field("messageid"), - constant(" "), - field("payload"), - ], - }), -])); - -var hdr4 = match("HEADER#3:0004", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4}: %{hfld5->} %{messageid->} %{payload}", processor_chain([ - setc("header_id","0004"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld4"), - constant(": "), - field("hfld5"), - constant(" "), - field("messageid"), - constant(" "), - field("payload"), - ], - }), -])); - -var hdr5 = match("HEADER#4:0005", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4->} %{messageid->} %{payload}", processor_chain([ - setc("header_id","0005"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld4"), - constant(" "), - field("messageid"), - constant(" "), - field("payload"), - ], - }), -])); - -var hdr6 = match("HEADER#5:0006", "message", "%NESSUSVS-%{hfld49}: [%{hfld20->} %{hfld21->} %{hfld22->} %{hfld23->} %{hfld24}][%{hfld2}.%{hfld3}] %{hfld4->} (%{messageid->} %{hfld5}) %{hfld6->} %{payload}", processor_chain([ - setc("header_id","0006"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("hfld4"), - constant(" ("), - field("messageid"), - constant(" "), - field("hfld5"), - constant(") "), - field("hfld6"), - constant(" "), - field("payload"), - ], - }), -])); - -var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, -]); - -var part1 = match("MESSAGE#0:REPORTITEM", "nwparser.payload", "%{fld1}:Hostname=%{hostname}^^Host_ip=%{hostip}^^FQDN=%{fqdn}^^Port=%{network_port}^^OS=%{os}^^MAC_address=%{macaddr}^^Host_start=%{fld30}^^Host_end=%{fld31}^^Severity=%{severity}^^Risk_factor=%{risk}^^Service_name=%{service}^^Protocol=%{protocol}^^Vulnerability_refs=%{vuln_ref}^^CVSS_base_score=%{risk_num}^^CVSS_vector=%{fld32}^^PluginID=%{rule}^^Plugin_name=%{rulename}^^Plugin Family=%{rule_group}^^Synopsis=%{event_description}", processor_chain([ - dup1, - dup2, -])); - -var msg1 = msg("REPORTITEM", part1); - -var part2 = match("MESSAGE#1:REPORTITEM:01", "nwparser.payload", "%{fld1}:Hostname=%{hostname}^^Host_ip=%{hostip}^^FQDN=%{fqdn}^^Port=%{network_port}^^OS=%{os}^^MAC_address=%{macaddr}^^%{event_description}", processor_chain([ - dup1, - dup2, -])); - -var msg2 = msg("REPORTITEM:01", part2); - -var select2 = linear_select([ - msg1, - msg2, -]); - -var part3 = match("MESSAGE#2:connection", "nwparser.payload", "connection from %{hostip}", processor_chain([ - dup3, - dup2, - dup4, - setc("action","connecting"), -])); - -var msg3 = msg("connection", part3); - -var part4 = match("MESSAGE#3:Deleting", "nwparser.payload", "Deleting user %{username}", processor_chain([ - dup3, - setc("ec_subject","User"), - setc("ec_activity","Delete"), - dup2, - dup4, - setc("action","Deleting"), -])); - -var msg4 = msg("Deleting", part4); - -var part5 = match("MESSAGE#4:Finished", "nwparser.payload", "Finished testing %{hostip}. %{fld5}", processor_chain([ - dup1, - dup2, - dup4, - setc("action","Finished testing"), -])); - -var msg5 = msg("Finished", part5); - -var part6 = match("MESSAGE#5:Finished:01", "nwparser.payload", "%{event_description}", processor_chain([ - dup1, - dup2, - dup4, - setc("action","Finished"), -])); - -var msg6 = msg("Finished:01", part6); - -var select3 = linear_select([ - msg5, - msg6, -]); - -var part7 = match("MESSAGE#6:finished", "nwparser.payload", "%{event_description}", processor_chain([ - dup1, - dup2, - dup4, - setc("action","finished"), -])); - -var msg7 = msg("finished", part7); - -var part8 = match("MESSAGE#7:user", "nwparser.payload", "user %{username->} : test complete", processor_chain([ - dup1, - dup2, - dup4, - setc("action","Test Complete"), -])); - -var msg8 = msg("user", part8); - -var part9 = match("MESSAGE#8:user:01", "nwparser.payload", "user %{username->} : testing %{hostname->} (%{hostip}) %{fld1}", processor_chain([ - dup1, - dup2, - dup4, - setc("action","testing"), -])); - -var msg9 = msg("user:01", part9); - -var part10 = match("MESSAGE#21:user:02", "nwparser.payload", "user %{username->} starts a new scan. Target(s) : %{hostname}, %{info}", processor_chain([ - dup5, - dup2, - dup4, - dup6, -])); - -var msg10 = msg("user:02", part10); - -var part11 = match("MESSAGE#26:user_launching", "nwparser.payload", "user %{username->} : launching %{rulename->} against %{url->} [%{process_id}]", processor_chain([ - setc("eventcategory","1401000000"), - dup2, - dup4, - setc("event_description","User launched rule scan"), -])); - -var msg11 = msg("user_launching", part11); - -var part12 = match("MESSAGE#27:user_not_launching", "nwparser.payload", "user %{username->} : Not launching %{rulename->} against %{url->} %{reason}", processor_chain([ - dup7, - dup2, - dup4, -])); - -var msg12 = msg("user_not_launching", part12); - -var select4 = linear_select([ - msg8, - msg9, - msg10, - msg11, - msg12, -]); - -var part13 = match("MESSAGE#9:Scan", "nwparser.payload", "Scan done: %{info}", processor_chain([ - dup5, - dup2, - dup4, - setc("action","Scan complete"), -])); - -var msg13 = msg("Scan", part13); - -var msg14 = msg("Total", dup14); - -var msg15 = msg("Task", dup14); - -var msg16 = msg("started", dup15); - -var part14 = match("MESSAGE#13:failed", "nwparser.payload", "%{event_description}", processor_chain([ - dup1, - dup2, - dup4, - setc("action","failed"), -])); - -var msg17 = msg("failed", part14); - -var part15 = match("MESSAGE#14:Nessus", "nwparser.payload", "%{event_description->} (pid=%{process_id})", processor_chain([ - dup1, - dup2, - dup4, -])); - -var msg18 = msg("Nessus", part15); - -var part16 = match("MESSAGE#15:Reloading", "nwparser.payload", "%{event_description}", processor_chain([ - dup1, - dup2, - dup4, - setc("action","Reloading"), -])); - -var msg19 = msg("Reloading", part16); - -var part17 = match("MESSAGE#16:New", "nwparser.payload", "New connection timeout -- closing the socket%{}", processor_chain([ - dup1, - dup2, - dup4, - setc("action","connection timeout"), -])); - -var msg20 = msg("New", part17); - -var part18 = match("MESSAGE#17:Invalid", "nwparser.payload", "%{event_description}", processor_chain([ - dup1, - dup2, - dup4, - setc("action","Invalid"), -])); - -var msg21 = msg("Invalid", part18); - -var msg22 = msg("Client", dup14); - -var msg23 = msg("auth_check_user", dup14); - -var part19 = match("MESSAGE#20:bad", "nwparser.payload", "bad login attempt from %{hostip}", processor_chain([ - dup9, - dup2, - dup4, - dup10, -])); - -var msg24 = msg("bad", part19); - -var msg25 = msg("Reducing", dup14); - -var msg26 = msg("Redirecting", dup14); - -var msg27 = msg("Missing", dup14); - -var part20 = match("MESSAGE#25:User", "nwparser.payload", "User '%{username}' %{event_description}", processor_chain([ - setc("eventcategory","1401060000"), - dup2, - dup4, -])); - -var msg28 = msg("User", part20); - -var part21 = match("MESSAGE#32:User:01", "nwparser.payload", "User %{username->} starts a new scan (%{fld25})", processor_chain([ - dup5, - dup2, - dup4, - dup6, -])); - -var msg29 = msg("User:01", part21); - -var select5 = linear_select([ - msg28, - msg29, -]); - -var part22 = match("MESSAGE#28:Plugins", "nwparser.payload", "%{event_description}, as %{reason}", processor_chain([ - dup1, - dup11, - dup2, - dup4, -])); - -var msg30 = msg("Plugins", part22); - -var part23 = match("MESSAGE#29:process_finished", "nwparser.payload", "%{rulename->} (process %{process_id}) finished its job in %{duration->} seconds", processor_chain([ - dup1, - dup12, - setc("ec_outcome","Success"), - dup2, - dup4, - setc("event_description","Rule scan finished"), -])); - -var msg31 = msg("process_finished", part23); - -var part24 = match("MESSAGE#30:process_notfinished_killed", "nwparser.payload", "%{rulename->} (pid %{process_id}) is slow to finish - killing it", processor_chain([ - dup7, - dup12, - dup11, - dup2, - dup4, - setc("event_description","Rule scan killed due to slow response"), -])); - -var msg32 = msg("process_notfinished_killed", part24); - -var part25 = match("MESSAGE#31:TCP", "nwparser.payload", "%{fld1->} TCP sessions in parallel", processor_chain([ - dup1, - dup2, - dup4, - setc("event_description","TCP sessions in parallel"), -])); - -var msg33 = msg("TCP", part25); - -var msg34 = msg("nessusd", dup14); - -var msg35 = msg("installation", dup14); - -var msg36 = msg("Running", dup14); - -var msg37 = msg("started.", dup15); - -var msg38 = msg("scanner", dup14); - -var part26 = match("MESSAGE#38:Another", "nwparser.payload", "%{event_description->} (pid %{process_id})", processor_chain([ - dup1, - dup2, - dup4, -])); - -var msg39 = msg("Another", part26); - -var part27 = match("MESSAGE#39:Bad", "nwparser.payload", "Bad login attempt for user '%{username}' %{info}", processor_chain([ - dup9, - dup2, - dup4, - dup10, -])); - -var msg40 = msg("Bad", part27); - -var msg41 = msg("Full", dup14); - -var msg42 = msg("System", dup14); - -var msg43 = msg("Initial", dup14); - -var part28 = match("MESSAGE#43:Adding", "nwparser.payload", "Adding new user '%{username}'", processor_chain([ - setc("eventcategory","1402020200"), - dup2, - dup4, -])); - -var msg44 = msg("Adding", part28); - -var part29 = match("MESSAGE#44:Granting", "nwparser.payload", "Granting admin privileges to user '%{username}'", processor_chain([ - setc("eventcategory","1402030000"), - dup2, - dup4, -])); - -var msg45 = msg("Granting", part29); - -var msg46 = msg("Could", dup16); - -var msg47 = msg("depends", dup16); - -var msg48 = msg("Converting", dup14); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "Adding": msg44, - "Another": msg39, - "Bad": msg40, - "Client": msg22, - "Converting": msg48, - "Could": msg46, - "Deleting": msg4, - "Finished": select3, - "Full": msg41, - "Granting": msg45, - "Initial": msg43, - "Invalid": msg21, - "Missing": msg27, - "Nessus": msg18, - "New": msg20, - "Plugins": msg30, - "REPORTITEM": select2, - "Redirecting": msg26, - "Reducing": msg25, - "Reloading": msg19, - "Running": msg36, - "Scan": msg13, - "System": msg42, - "TCP": msg33, - "Task": msg15, - "Total": msg14, - "User": select5, - "auth_check_user": msg23, - "bad": msg24, - "connection": msg3, - "depends": msg47, - "failed": msg17, - "finished": msg7, - "installation": msg35, - "nessusd": msg34, - "pid": msg32, - "process": msg31, - "scanner": msg38, - "started": msg16, - "started.": msg37, - "user": select4, - }), -]); - -var part30 = match("MESSAGE#10:Total", "nwparser.payload", "%{event_description}", processor_chain([ - dup1, - dup2, - dup4, -])); - -var part31 = match("MESSAGE#12:started", "nwparser.payload", "%{event_description}", processor_chain([ - dup1, - dup2, - dup4, - dup8, -])); - -var part32 = match("MESSAGE#45:Could", "nwparser.payload", "%{event_description}", processor_chain([ - dup13, - dup2, - dup4, -])); diff --git a/x-pack/filebeat/module/tenable/nessus_security/ingest/pipeline.yml b/x-pack/filebeat/module/tenable/nessus_security/ingest/pipeline.yml deleted file mode 100644 index 7482d9c4c9d..00000000000 --- a/x-pack/filebeat/module/tenable/nessus_security/ingest/pipeline.yml +++ /dev/null @@ -1,55 +0,0 @@ ---- -description: Pipeline for Tenable Network Security Nessus - -processors: - # User agent - - user_agent: - field: user_agent.original - ignore_missing: true - # IP Geolocation Lookup - - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - - # IP Autonomous System (AS) Lookup - - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true - - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true - - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true - - rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true -on_failure: - - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/tenable/nessus_security/manifest.yml b/x-pack/filebeat/module/tenable/nessus_security/manifest.yml deleted file mode 100644 index eeaa83f86c5..00000000000 --- a/x-pack/filebeat/module/tenable/nessus_security/manifest.yml +++ /dev/null @@ -1,31 +0,0 @@ -module_version: "1.0" - -var: - - name: paths - - name: tags - default: ["tenable.nessus_security", "forwarded"] - - name: syslog_host - default: localhost - - name: syslog_port - default: 9516 - - name: input - default: udp - - name: community_id - default: true - - name: tz_offset - default: local - - name: rsa_fields - default: true - - name: keep_raw_fields - default: false - - name: debug - default: false - -ingest_pipeline: ingest/pipeline.yml -input: config/input.yml - -requires.processors: -- name: geoip - plugin: ingest-geoip -- name: user_agent - plugin: ingest-user_agent diff --git a/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc b/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc index c68f663b190..985a8925a84 100644 --- a/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/tomcat/_meta/docs.asciidoc @@ -51,7 +51,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/tomcat/log/config/input.yml b/x-pack/filebeat/module/tomcat/log/config/input.yml index 256f657133f..d9f1e4a1452 100644 --- a/x-pack/filebeat/module/tomcat/log/config/input.yml +++ b/x-pack/filebeat/module/tomcat/log/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml index e5cd87682ea..64e1d82943a 100644 --- a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for Apache Tomcat processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original @@ -49,6 +53,21 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{rsa.web.fqdn}}' + allow_duplicates: false + if: ctx?.rsa?.web?.fqdn != null && ctx.rsa?.web?.fqdn != '' + - append: + field: related.hosts + value: '{{rsa.web.web_ref_domain}}' + allow_duplicates: false + if: ctx?.rsa?.web?.web_ref_domain != null && ctx.rsa?.web?.web_ref_domain != '' + - append: + field: related.hosts + value: '{{url.domain}}' + allow_duplicates: false + if: ctx?.url?.domain != null && ctx.url?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json index 4df04b99e4d..51d46cc753a 100644 --- a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json +++ b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json @@ -14,6 +14,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/illumqui/ventore.html?min=ite#utl", + "mail.example.net", + "example.com" + ], "related.ip": [ "10.251.224.219" ], @@ -45,7 +50,7 @@ "url.domain": "example.com", "url.query": "amremap", "user.name": "rci", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -68,6 +73,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev", + "mail.example.com", + "www5.example.net" + ], "related.ip": [ "10.196.153.12" ], @@ -121,6 +131,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/tetur/idolor.html?ntex=eius#luptat", + "www.example.com", + "internal.example.com" + ], "related.ip": [ "10.156.194.38" ], @@ -177,6 +192,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu", + "mail.example.com", + "www5.example.org" + ], "related.ip": [ "10.196.118.192" ], @@ -208,7 +228,7 @@ "url.domain": "www5.example.org", "url.query": "con", "user.name": "tur", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -231,6 +251,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn", + "internal.example.net", + "internal.example.com" + ], "related.ip": [ "10.246.209.145" ], @@ -285,6 +310,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu", + "www5.example.org", + "internal.example.com" + ], "related.ip": [ "10.114.191.225" ], @@ -340,6 +370,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat", + "api.example.com", + "www5.example.net" + ], "related.ip": [ "10.38.77.13" ], @@ -397,6 +432,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/idexea/riat.txt?tvol=moll#tatione", + "mail.example.org", + "www.example.org" + ], "related.ip": [ "10.11.201.109" ], @@ -453,6 +493,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan", + "example.org", + "api.example.org" + ], "related.ip": [ "10.182.166.181" ], @@ -507,6 +552,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq", + "internal.example.com", + "mail.example.net" + ], "related.ip": [ "10.185.126.247" ], @@ -560,6 +610,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf", + "mail.example.net", + "example.com" + ], "related.ip": [ "10.72.114.23" ], @@ -617,6 +672,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun", + "internal.example.net", + "example.net" + ], "related.ip": [ "10.129.241.147" ], @@ -674,6 +734,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol", + "internal.example.net", + "www5.example.com" + ], "related.ip": [ "10.185.101.76" ], @@ -730,6 +795,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati", + "www.example.org", + "example.net" + ], "related.ip": [ "10.57.170.140" ], @@ -784,6 +854,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip", + "internal.example.net", + "internal.example.com" + ], "related.ip": [ "10.33.153.47" ], @@ -839,6 +914,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla", + "internal.example.net" + ], "related.ip": [ "10.116.104.101" ], @@ -872,7 +951,7 @@ "url.domain": "internal.example.net", "url.query": "iades", "user.name": "tat", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -895,6 +974,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame", + "example.com", + "internal.example.com" + ], "related.ip": [ "10.202.194.67" ], @@ -950,6 +1034,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/etconse/tincu.txt?lit=asun#estia", + "www.example.com", + "www5.example.com" + ], "related.ip": [ "10.153.111.103" ], @@ -1006,6 +1095,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex", + "internal.example.net", + "www5.example.org" + ], "related.ip": [ "10.52.186.29" ], @@ -1061,6 +1155,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela", + "example.net", + "www.example.org" + ], "related.ip": [ "10.209.182.237" ], @@ -1118,6 +1217,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", + "api.example.org", + "mail.example.net" + ], "related.ip": [ "10.63.194.87" ], @@ -1174,6 +1278,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli", + "www5.example.org", + "www.example.org" + ], "related.ip": [ "10.62.191.18" ], @@ -1228,6 +1337,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/nisi/dant.txt?ecte=tinvolu#iurer", + "example.org", + "example.net" + ], "related.ip": [ "10.238.164.29" ], @@ -1282,6 +1396,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius", + "example.com", + "internal.example.com" + ], "related.ip": [ "10.155.230.17" ], @@ -1313,7 +1432,7 @@ "url.domain": "internal.example.com", "url.query": "tet", "user.name": "ionevo", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -1337,6 +1456,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/officiad/itam.html?madmi=tur#roi", + "mail.example.net", + "example.net" + ], "related.ip": [ "10.102.229.102" ], @@ -1370,7 +1494,7 @@ "url.domain": "example.net", "url.query": "orem", "user.name": "tenbyCi", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -1394,6 +1518,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon", + "www5.example.org", + "mail.example.org" + ], "related.ip": [ "10.194.14.7" ], @@ -1450,6 +1579,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp", + "example.com", + "api.example.net" + ], "related.ip": [ "10.99.0.226" ], @@ -1504,6 +1638,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut", + "api.example.org", + "www.example.net" + ], "related.ip": [ "10.107.174.213" ], @@ -1559,6 +1698,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem", + "www.example.org", + "mail.example.org" + ], "related.ip": [ "10.84.25.23" ], @@ -1615,6 +1759,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab", + "api.example.com", + "www.example.org" + ], "related.ip": [ "10.193.143.108" ], @@ -1670,6 +1819,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/mexe/its.htm?ice=oles#edic", + "example.org", + "example.com" + ], "related.ip": [ "10.190.51.22" ], @@ -1703,7 +1857,7 @@ "url.domain": "example.com", "url.query": "tutlab", "user.name": "siut", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -1727,6 +1881,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.com/velitess/naali.htm?nre=veli#volupta", + "www5.example.com", + "www.example.com" + ], "related.ip": [ "10.194.90.130" ], @@ -1779,6 +1938,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita", + "internal.example.com", + "www.example.org" + ], "related.ip": [ "10.10.213.83" ], @@ -1834,6 +1998,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon", + "mail.example.net", + "api.example.org" + ], "related.ip": [ "10.52.125.9" ], @@ -1890,6 +2059,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun", + "www5.example.org", + "api.example.net" + ], "related.ip": [ "10.19.17.202" ], @@ -1921,7 +2095,7 @@ "url.domain": "api.example.net", "url.query": "tincu", "user.name": "mve", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -1945,6 +2119,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal", + "api.example.com", + "mail.example.org" + ], "related.ip": [ "10.195.64.5" ], @@ -1978,7 +2157,7 @@ "url.domain": "mail.example.org", "url.query": "rsita", "user.name": "uat", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2002,6 +2181,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/llamc/nte.htm?utali=porinc#tetur", + "mail.example.com", + "internal.example.com" + ], "related.ip": [ "10.209.77.194" ], @@ -2058,6 +2242,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/ites/isetq.gif?nisiut=tur#avolupt", + "mail.example.org", + "example.net" + ], "related.ip": [ "10.168.6.90" ], @@ -2112,6 +2301,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu", + "api.example.org", + "mail.example.com" + ], "related.ip": [ "10.89.137.238" ], @@ -2143,7 +2337,7 @@ "url.domain": "mail.example.com", "url.query": "uptatemU", "user.name": "ore", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -2166,6 +2360,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/Nequepor/eirure.htm?idid=tesse#sequat", + "www5.example.net", + "example.org" + ], "related.ip": [ "10.246.61.213" ], @@ -2221,6 +2420,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "www5.example.net", + "www.example.org" + ], "related.ip": [ "10.117.44.138" ], @@ -2277,6 +2481,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov", + "www.example.net", + "example.net" + ], "related.ip": [ "10.69.30.196" ], @@ -2329,6 +2538,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq", + "example.org", + "api.example.com" + ], "related.ip": [ "10.135.91.88" ], @@ -2360,7 +2574,7 @@ "url.domain": "api.example.com", "url.query": "urExce", "user.name": "eporroq", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2384,6 +2598,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor", + "api.example.org", + "example.net" + ], "related.ip": [ "10.81.45.174" ], @@ -2417,7 +2636,7 @@ "url.domain": "example.net", "url.query": "erun", "user.name": "fugitse", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2440,6 +2659,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/umetMal/asper.htm?metcons=itasper#uae", + "www.example.org" + ], "related.ip": [ "10.87.179.233" ], @@ -2494,6 +2717,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/mquisn/queips.gif?emUte=molestia#quir", + "example.com", + "api.example.net" + ], "related.ip": [ "10.198.57.130" ], @@ -2548,6 +2776,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu", + "www.example.org", + "www.example.net" + ], "related.ip": [ "10.218.0.197" ], @@ -2579,7 +2812,7 @@ "url.domain": "www.example.net", "url.query": "quasiar", "user.name": "econs", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2603,6 +2836,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem", + "example.com", + "mail.example.com" + ], "related.ip": [ "10.123.199.198" ], @@ -2660,6 +2898,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu", + "example.org", + "internal.example.net" + ], "related.ip": [ "10.29.119.245" ], @@ -2693,7 +2936,7 @@ "url.domain": "internal.example.net", "url.query": "taliqui", "user.name": "leumiur", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", "user_agent.os.full": "Mac OS X 10.15.6", @@ -2717,6 +2960,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom", + "www.example.org", + "mail.example.net" + ], "related.ip": [ "10.130.175.17" ], @@ -2750,7 +2998,7 @@ "url.domain": "mail.example.net", "url.query": "atnulapa", "user.name": "quaU", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2773,6 +3021,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat", + "internal.example.org", + "mail.example.net" + ], "related.ip": [ "10.166.90.130" ], @@ -2828,6 +3081,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.org/ratv/alorum.jpg?tali=BCS#qui", + "internal.example.org", + "api.example.org" + ], "related.ip": [ "10.248.111.207" ], @@ -2861,7 +3119,7 @@ "url.domain": "api.example.org", "url.query": "incidid", "user.name": "tiumto", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2884,6 +3142,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore", + "api.example.net", + "internal.example.net" + ], "related.ip": [ "10.185.37.32" ], @@ -2938,6 +3201,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/pisc/urEx.html?rautod=olest#eataev", + "internal.example.com", + "example.org" + ], "related.ip": [ "10.5.194.202" ], @@ -2969,7 +3237,7 @@ "url.domain": "example.org", "url.query": "atem", "user.name": "ntmo", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "LM-V350", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 10", @@ -2993,6 +3261,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation", + "www.example.org", + "www5.example.com" + ], "related.ip": [ "10.183.34.1" ], @@ -3049,6 +3322,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema", + "internal.example.com", + "mail.example.net" + ], "related.ip": [ "10.101.163.40" ], @@ -3104,6 +3382,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/mUteni/quira.htm?ore=tation#loinve", + "internal.example.com", + "www5.example.com" + ], "related.ip": [ "10.216.188.152" ], @@ -3160,6 +3443,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna", + "mail.example.net", + "www5.example.org" + ], "related.ip": [ "10.94.140.77" ], @@ -3212,6 +3500,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo", + "mail.example.org", + "www.example.com" + ], "related.ip": [ "10.223.205.204" ], @@ -3267,6 +3560,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula", + "example.com", + "mail.example.org" + ], "related.ip": [ "10.85.137.156" ], @@ -3324,6 +3622,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", + "www5.example.net", + "mail.example.com" + ], "related.ip": [ "10.12.54.142" ], @@ -3380,6 +3683,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/labori/porai.gif?utali=sed#xeac", + "internal.example.org", + "example.net" + ], "related.ip": [ "10.158.6.52" ], @@ -3435,6 +3743,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni", + "example.com", + "www5.example.org" + ], "related.ip": [ "10.195.160.182" ], @@ -3491,6 +3804,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat", + "example.net", + "mail.example.com" + ], "related.ip": [ "10.20.68.117" ], @@ -3546,6 +3864,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex", + "www5.example.org", + "www5.example.com" + ], "related.ip": [ "10.94.136.235" ], @@ -3603,6 +3926,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol", + "example.com", + "www.example.net" + ], "related.ip": [ "10.152.11.26" ], @@ -3656,6 +3984,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/quu/xeac.htm?abor=oreverit#scip", + "www5.example.com" + ], "related.ip": [ "10.82.118.95" ], @@ -3689,7 +4021,7 @@ "url.domain": "www5.example.com", "url.query": "Utenimad", "user.name": "ptate", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -3712,6 +4044,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/mini/Loremip.html?tur=atnonpr#ita", + "www5.example.net", + "www.example.net" + ], "related.ip": [ "10.187.152.213" ], @@ -3743,7 +4080,7 @@ "url.domain": "www.example.net", "url.query": "aqui", "user.name": "ventor", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -3767,6 +4104,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo", + "internal.example.net", + "www.example.net" + ], "related.ip": [ "10.98.71.45" ], @@ -3823,6 +4165,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.net/tev/nre.html?occaeca=eturadip#ent", + "www5.example.org", + "www5.example.net" + ], "related.ip": [ "10.86.123.33" ], @@ -3877,6 +4224,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi", + "api.example.net", + "www5.example.net" + ], "related.ip": [ "10.6.112.183" ], @@ -3908,7 +4260,7 @@ "url.domain": "www5.example.net", "url.query": "oremip", "user.name": "oluptat", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "LM-V350", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 10", @@ -3932,6 +4284,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu", + "www5.example.org", + "example.net" + ], "related.ip": [ "10.227.156.143" ], @@ -3985,6 +4342,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu", + "example.net", + "example.org" + ], "related.ip": [ "10.124.129.248" ], @@ -4042,6 +4404,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa", + "www5.example.net", + "www5.example.org" + ], "related.ip": [ "10.173.125.112" ], @@ -4098,6 +4465,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit", + "api.example.net", + "www.example.org" + ], "related.ip": [ "10.37.156.140" ], @@ -4150,6 +4522,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex", + "www5.example.org", + "example.com" + ], "related.ip": [ "10.121.225.135" ], @@ -4181,7 +4558,7 @@ "url.domain": "example.com", "url.query": "miurere", "user.name": "cin", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -4204,6 +4581,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN", + "mail.example.net", + "www.example.org" + ], "related.ip": [ "10.123.68.56" ], @@ -4259,6 +4641,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/itesse/expl.html?prehende=lup#tpers", + "mail.example.net", + "api.example.net" + ], "related.ip": [ "10.63.56.164" ], @@ -4316,6 +4703,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/deritinv/evelite.html?iav=odico#rsint", + "example.com", + "example.net" + ], "related.ip": [ "10.62.10.137" ], @@ -4373,6 +4765,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB", + "api.example.net", + "example.org" + ], "related.ip": [ "10.89.154.115" ], @@ -4429,6 +4826,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus", + "api.example.org", + "www5.example.com" + ], "related.ip": [ "10.122.252.130" ], @@ -4460,7 +4862,7 @@ "url.domain": "www5.example.com", "url.query": "luptasnu", "user.name": "mmo", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -4483,6 +4885,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun", + "www.example.net", + "api.example.com" + ], "related.ip": [ "10.195.152.53" ], @@ -4534,6 +4941,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa", + "mail.example.com" + ], "related.ip": [ "10.9.255.204" ], @@ -4591,6 +5002,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor", + "internal.example.net", + "www.example.org" + ], "related.ip": [ "10.214.235.133" ], @@ -4648,6 +5064,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu", + "api.example.org", + "api.example.com" + ], "related.ip": [ "10.5.134.204" ], @@ -4704,6 +5125,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/rep/mveni.txt?utpers=num#ctetura", + "internal.example.com", + "example.org" + ], "related.ip": [ "10.144.111.42" ], @@ -4758,6 +5184,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/adm/snostr.jpg?tec=itaspe#con", + "www.example.com", + "example.net" + ], "related.ip": [ "10.122.0.80" ], @@ -4813,6 +5244,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec", + "www.example.net", + "mail.example.com" + ], "related.ip": [ "10.165.33.19" ], @@ -4870,6 +5306,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa", + "internal.example.org", + "mail.example.org" + ], "related.ip": [ "10.87.92.17" ], @@ -4926,6 +5367,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/lorese/olupta.jpg?onsec=idestl#litani", + "internal.example.org", + "example.com" + ], "related.ip": [ "10.51.52.203" ], @@ -4981,6 +5427,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN", + "internal.example.net" + ], "related.ip": [ "10.0.211.86" ], @@ -5037,6 +5487,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet", + "example.net", + "mail.example.net" + ], "related.ip": [ "10.106.34.244" ], @@ -5091,6 +5546,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu", + "example.net", + "www.example.org" + ], "related.ip": [ "10.191.210.188" ], @@ -5145,6 +5605,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.com/bori/dipi.gif?utf=dolor#dexe", + "www.example.org", + "www.example.com" + ], "related.ip": [ "10.2.38.49" ], @@ -5196,6 +5661,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/iat/tqui.gif?utaliqui=emse#emqui", + "mail.example.com", + "example.com" + ], "related.ip": [ "10.66.92.90" ], @@ -5253,6 +5723,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", + "mail.example.com", + "example.com" + ], "related.ip": [ "10.97.108.108" ], @@ -5310,6 +5785,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni", + "www5.example.org", + "api.example.net" + ], "related.ip": [ "10.147.147.248" ], @@ -5343,7 +5823,7 @@ "url.domain": "api.example.net", "url.query": "aborio", "user.name": "uira", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -5367,6 +5847,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed", + "api.example.com", + "www.example.org" + ], "related.ip": [ "10.152.190.61" ], @@ -5424,6 +5909,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti", + "api.example.org", + "www.example.net" + ], "related.ip": [ "10.129.232.105" ], @@ -5480,6 +5970,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui", + "api.example.net", + "internal.example.org" + ], "related.ip": [ "10.12.173.112" ], @@ -5511,7 +6006,7 @@ "url.domain": "internal.example.org", "url.query": "nidol", "user.name": "mco", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", diff --git a/x-pack/filebeat/module/zeek/_meta/docs.asciidoc b/x-pack/filebeat/module/zeek/_meta/docs.asciidoc index e9b4bc6627d..7784857b260 100644 --- a/x-pack/filebeat/module/zeek/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/zeek/_meta/docs.asciidoc @@ -5,8 +5,8 @@ == Zeek (Bro) Module -This is a module for Zeek, which used to be called Bro. It parses logs that are in the -https://www.zeek.org/manual/release/logs/index.html[Zeek JSON format]. +This is a module for https://zeek.org/[Zeek], which used to be called Bro. It +parses logs that are in the Zeek JSON format. include::../include/gs-link.asciidoc[] @@ -16,8 +16,8 @@ include::../include/gs-link.asciidoc[] This module has been developed against Zeek 2.6.1, but is expected to work with other versions of Zeek. -Zeek requires a Unix-like platform, and it currently supports Linux, FreeBSD, and Mac OS X. -Find out how to use Zeek here: https://www.zeek.org/ +Zeek requires a Unix-like platform, and it currently supports Linux, FreeBSD, +and Mac OS X. [float] === Example dashboard diff --git a/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml index 3c6171bc045..76e5178572e 100644 --- a/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/capture_loss/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek capture_loss.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.capture_loss.ts formats: diff --git a/x-pack/filebeat/module/zeek/connection/config/connection.yml b/x-pack/filebeat/module/zeek/connection/config/connection.yml index b13737a882d..8a79295724f 100644 --- a/x-pack/filebeat/module/zeek/connection/config/connection.yml +++ b/x-pack/filebeat/module/zeek/connection/config/connection.yml @@ -12,6 +12,7 @@ json.keys_under_root: false processors: - drop_fields: fields: ["json.orig_bytes","json.resp_bytes","json.tunnel_parents"] + ignore_missing: true - rename: fields: - from: "json" @@ -89,7 +90,6 @@ processors: kind: event category: - network -{{ if .community_id }} - if: equals.network.transport: icmp then: @@ -99,7 +99,6 @@ processors: icmp_code: zeek.connection.icmp.code else: community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml index b660079324a..9cd654edd51 100644 --- a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek conn.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.connection.ts formats: @@ -27,18 +30,14 @@ processors: - script: source: if (ctx.zeek.connection.local_resp) ctx.tags.add("local_resp"); if: ctx.zeek.connection.local_resp != null -- set: - field: source.ip - value: '{{source.address}}' - append: field: related.ip - value: '{{source.address}}' -- set: - field: destination.ip - value: '{{destination.address}}' + value: '{{source.ip}}' + if: ctx?.source?.ip != null - append: field: related.ip - value: '{{destination.address}}' + value: '{{destination.ip}}' + if: ctx?.destination?.ip != null - script: source: ctx.network.packets = ctx.source.packets + ctx.destination.packets ignore_failure: true @@ -98,12 +97,6 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true -- set: - field: event.kind - value: event -- append: - field: event.category - value: network - script: params: S0: diff --git a/x-pack/filebeat/module/zeek/connection/manifest.yml b/x-pack/filebeat/module/zeek/connection/manifest.yml index 0acad34d69c..08f79bc28ca 100644 --- a/x-pack/filebeat/module/zeek/connection/manifest.yml +++ b/x-pack/filebeat/module/zeek/connection/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/conn.log - name: tags default: [zeek.connection] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/connection.yml diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json index 35a539b1493..ccb28ef2f92 100644 --- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json @@ -7,7 +7,6 @@ "destination.packets": 1, "destination.port": 53, "event.category": [ - "network", "network" ], "event.dataset": "zeek.connection", @@ -66,7 +65,6 @@ "destination.packets": 1, "destination.port": 53, "event.category": [ - "network", "network" ], "event.dataset": "zeek.connection", @@ -124,7 +122,6 @@ "destination.packets": 1, "destination.port": 53, "event.category": [ - "network", "network" ], "event.dataset": "zeek.connection", @@ -180,7 +177,6 @@ "destination.ip": "198.51.100.249", "destination.packets": 0, "event.category": [ - "network", "network" ], "event.dataset": "zeek.connection", diff --git a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml index e99deb6c68f..45010e08973 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml @@ -54,9 +54,7 @@ processors: - connection - protocol - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml index 1ecda252cc8..f0a837709dc 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek dce_rpc.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.dce_rpc.ts formats: @@ -12,6 +15,7 @@ processors: - append: field: related.ip value: '{{source.ip}}' + if: ctx?.source?.ip != null - geoip: field: source.ip target_field: source.geo @@ -34,6 +38,7 @@ processors: - append: field: related.ip value: '{{destination.ip}}' + if: ctx?.destination?.ip != null - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/dce_rpc/manifest.yml b/x-pack/filebeat/module/zeek/dce_rpc/manifest.yml index 21ba27eac96..01bef572b67 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/manifest.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/dce_rpc.log - name: tags default: [zeek.dce_rpc] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/dce_rpc.yml diff --git a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml index e0eb1831b77..f1a2f0ced3a 100644 --- a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml +++ b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml @@ -116,9 +116,7 @@ processors: - connection - protocol - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml index 49df687ecc3..49216c077c2 100644 --- a/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek dhcp.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.dhcp.ts formats: diff --git a/x-pack/filebeat/module/zeek/dhcp/manifest.yml b/x-pack/filebeat/module/zeek/dhcp/manifest.yml index 7cb434b1955..ee4a7c24f3b 100644 --- a/x-pack/filebeat/module/zeek/dhcp/manifest.yml +++ b/x-pack/filebeat/module/zeek/dhcp/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/dhcp.log - name: tags default: [zeek.dhcp] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/dhcp.yml diff --git a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml index 33890a55071..7730d2b6d85 100644 --- a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml +++ b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml @@ -64,9 +64,7 @@ processors: - connection - protocol - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml index ad4670dc350..e104312e1e1 100644 --- a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek dnp3.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.dnp3.ts formats: @@ -58,6 +61,14 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true +- append: + field: related.ip + value: '{{source.ip}}' + if: ctx?.source?.ip != null +- append: + field: related.ip + value: '{{destination.ip}}' + if: ctx?.destination?.ip != null on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/zeek/dnp3/manifest.yml b/x-pack/filebeat/module/zeek/dnp3/manifest.yml index 98de1c3af82..97829b3d0d0 100644 --- a/x-pack/filebeat/module/zeek/dnp3/manifest.yml +++ b/x-pack/filebeat/module/zeek/dnp3/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/dnp3.log - name: tags default: [zeek.dnp3] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/dnp3.yml diff --git a/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json b/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json index fa386feb1ce..c9397cc7b9f 100644 --- a/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json @@ -23,6 +23,10 @@ "network.community_id": "1:E57Z1w3RrSdR+fi6rSZblbQVhzY=", "network.protocol": "dnp3", "network.transport": "tcp", + "related.ip": [ + "127.0.0.1", + "127.0.0.1" + ], "service.type": "zeek", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml index a6457935937..86a2022d695 100644 --- a/x-pack/filebeat/module/zeek/dns/config/dns.yml +++ b/x-pack/filebeat/module/zeek/dns/config/dns.yml @@ -179,7 +179,6 @@ processors: - {from: source.address, to: source.ip, type: ip} - {from: destination.address, to: destination.ip, type: ip} - {from: zeek.session_id, to: event.id} - - {from: '@timestamp', to: event.created} - {from: zeek.dns.trans_id, to: dns.id} - {from: zeek.dns.query, to: dns.question.name} - {from: zeek.dns.qtype_name, to: dns.question.type} @@ -194,21 +193,13 @@ processors: - connection - info - protocol -{{ if .community_id }} - community_id: -{{ end }} - - timestamp: - ignore_missing: true - field: zeek.dns.ts - layouts: - - UNIX - drop_fields: ignore_missing: true fields: - zeek.dns.Z - zeek.dns.auth - zeek.dns.addl - - zeek.dns.ts - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml index db603d93dbb..6d9ed369ea8 100644 --- a/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml @@ -2,6 +2,19 @@ description: Pipeline for Filebeat Zeek dns.log processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + - set: + field: event.created + value: '{{@timestamp}}' + - date: + field: zeek.dns.ts + formats: + - UNIX + - remove: + field: zeek.dns.ts + # IP Geolocation Lookup - geoip: field: source.ip diff --git a/x-pack/filebeat/module/zeek/dns/manifest.yml b/x-pack/filebeat/module/zeek/dns/manifest.yml index 0c81ed95c2d..4ff46df94b9 100644 --- a/x-pack/filebeat/module/zeek/dns/manifest.yml +++ b/x-pack/filebeat/module/zeek/dns/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/dns.log - name: tags default: [zeek.dns] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/dns.yml diff --git a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml index 49e69972ef6..acc6defd4df 100644 --- a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml +++ b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml @@ -53,9 +53,7 @@ processors: type: - connection - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml index f30ff172fa8..32d1852c3e2 100644 --- a/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek dpd.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.dpd.ts formats: diff --git a/x-pack/filebeat/module/zeek/dpd/manifest.yml b/x-pack/filebeat/module/zeek/dpd/manifest.yml index aeba0ef31fc..854eadbf491 100644 --- a/x-pack/filebeat/module/zeek/dpd/manifest.yml +++ b/x-pack/filebeat/module/zeek/dpd/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/dpd.log - name: tags default: [zeek.dpd] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/dpd.yml diff --git a/x-pack/filebeat/module/zeek/files/config/files.yml b/x-pack/filebeat/module/zeek/files/config/files.yml index 9f2046e7822..65c067609c9 100644 --- a/x-pack/filebeat/module/zeek/files/config/files.yml +++ b/x-pack/filebeat/module/zeek/files/config/files.yml @@ -12,6 +12,7 @@ json.keys_under_root: false processors: - drop_fields: fields: ["json.x509"] + ignore_missing: true - rename: fields: - from: "json" diff --git a/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml index 0d5abf9bdda..754720e9209 100644 --- a/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/files/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek files.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.files.ts formats: @@ -47,7 +50,7 @@ processors: - set: field: client.ip value: "{{zeek.files.rx_host}}" - if: "ctx?.zeek?.files?.rx_host != null" + if: "ctx?.zeek?.files?.rx_host != null" - append: field: related.hash value: "{{file.hash.md5}}" diff --git a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml index 9be20cbd85b..51a3c053576 100644 --- a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml +++ b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml @@ -82,9 +82,7 @@ processors: - connection - info - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml index 7c15dce3ac5..f1f7d0b4f52 100644 --- a/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek ftp.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.ftp.ts formats: diff --git a/x-pack/filebeat/module/zeek/ftp/manifest.yml b/x-pack/filebeat/module/zeek/ftp/manifest.yml index cf51575cf84..1f37ead03d0 100644 --- a/x-pack/filebeat/module/zeek/ftp/manifest.yml +++ b/x-pack/filebeat/module/zeek/ftp/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/ftp.log - name: tags default: [zeek.ftp] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/ftp.yml diff --git a/x-pack/filebeat/module/zeek/http/config/http.yml b/x-pack/filebeat/module/zeek/http/config/http.yml index 6f517c69320..4c7c812d0cc 100644 --- a/x-pack/filebeat/module/zeek/http/config/http.yml +++ b/x-pack/filebeat/module/zeek/http/config/http.yml @@ -89,9 +89,7 @@ processors: - connection - info - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml index a382c25a74d..a2c4a85b994 100644 --- a/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek http.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.http.ts formats: diff --git a/x-pack/filebeat/module/zeek/http/manifest.yml b/x-pack/filebeat/module/zeek/http/manifest.yml index ddd253bb218..acf134c2333 100644 --- a/x-pack/filebeat/module/zeek/http/manifest.yml +++ b/x-pack/filebeat/module/zeek/http/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/http.log - name: tags default: [zeek.http] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/http.yml diff --git a/x-pack/filebeat/module/zeek/intel/config/intel.yml b/x-pack/filebeat/module/zeek/intel/config/intel.yml index 9293393192f..5b73833ea35 100644 --- a/x-pack/filebeat/module/zeek/intel/config/intel.yml +++ b/x-pack/filebeat/module/zeek/intel/config/intel.yml @@ -14,10 +14,6 @@ processors: - decode_json_fields: fields: [event.original] target: zeek.intel - - timestamp: - field: zeek.intel.ts - layouts: [UNIX] - test: "1573030980.989353" - convert: ignore_missing: true fields: @@ -57,7 +53,6 @@ processors: - drop_fields: ignore_missing: true fields: - - zeek.intel.ts - zeek.intel.id.orig_h - zeek.intel.id.orig_p - zeek.intel.id.resp_h @@ -68,9 +63,7 @@ processors: kind: alert type: - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml index 6a2bd6382ad..f7009431131 100644 --- a/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml @@ -1,10 +1,18 @@ --- description: Pipeline for normalizing Zeek intel.log. processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' - set: field: event.created - value: "{{_ingest.timestamp}}" - + value: '{{@timestamp}}' + - date: + field: zeek.intel.ts + formats: + - UNIX + - remove: + field: zeek.intel.ts # IP Geolocation Lookup - geoip: if: ctx.source?.geo == null diff --git a/x-pack/filebeat/module/zeek/intel/manifest.yml b/x-pack/filebeat/module/zeek/intel/manifest.yml index 281f6ed65fe..a84788f4d75 100644 --- a/x-pack/filebeat/module/zeek/intel/manifest.yml +++ b/x-pack/filebeat/module/zeek/intel/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/intel.log - name: tags default: [zeek.intel] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/intel.yml diff --git a/x-pack/filebeat/module/zeek/irc/config/irc.yml b/x-pack/filebeat/module/zeek/irc/config/irc.yml index 5125e82fac2..54aaa9d4f4b 100644 --- a/x-pack/filebeat/module/zeek/irc/config/irc.yml +++ b/x-pack/filebeat/module/zeek/irc/config/irc.yml @@ -68,9 +68,7 @@ processors: - connection - protocol - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml index ec04f4e7c93..dd1e37a7035 100644 --- a/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek irc.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.irc.ts formats: diff --git a/x-pack/filebeat/module/zeek/irc/manifest.yml b/x-pack/filebeat/module/zeek/irc/manifest.yml index 3bf899fd2c0..36cf10a5bb3 100644 --- a/x-pack/filebeat/module/zeek/irc/manifest.yml +++ b/x-pack/filebeat/module/zeek/irc/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/irc.log - name: tags default: [zeek.irc] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/irc.yml diff --git a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml index 79b6b6c94c0..f557da8ba7f 100644 --- a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml +++ b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml @@ -100,10 +100,8 @@ processors: tokenizer: "%{user.name}/%{user.domain}" field: zeek.kerberos.client target_prefix: "" -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml index 05005491115..e0f45f71585 100644 --- a/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek kerberos.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.kerberos.ts formats: @@ -84,6 +87,82 @@ processors: field: related.user value: "{{user.name}}" if: "ctx?.user?.name != null" +- gsub: + field: zeek.kerberos.cert.client.subject + pattern: \\, + replacement: "" + ignore_missing: true +- kv: + field: zeek.kerberos.cert.client.subject + field_split: ',' + value_split: '=' + target_field: zeek.kerberos.cert.client.kv_sub + ignore_missing: true +- rename: + field: zeek.kerberos.cert.client.kv_sub.C + target_field: tls.client.x509.subject.country + ignore_missing: true +- rename: + field: zeek.kerberos.cert.client.kv_sub.CN + target_field: tls.client.x509.subject.common_name + ignore_missing: true +- rename: + field: zeek.kerberos.cert.client.kv_sub.L + target_field: tls.client.x509.subject.locality + ignore_missing: true +- rename: + field: zeek.kerberos.cert.client.kv_sub.O + target_field: tls.client.x509.subject.organization + ignore_missing: true +- rename: + field: zeek.kerberos.cert.client.kv_sub.OU + target_field: tls.client.x509.subject.organizational_unit + ignore_missing: true +- rename: + field: zeek.kerberos.cert.client.kv_sub.ST + target_field: tls.client.x509.subject.state_or_province + ignore_missing: true +- remove: + field: zeek.kerberos.cert.client.kv_sub + ignore_missing: true +- gsub: + field: zeek.kerberos.cert.server.subject + pattern: \\, + replacement: "" + ignore_missing: true +- kv: + field: zeek.kerberos.cert.server.subject + field_split: ',' + value_split: '=' + target_field: zeek.kerberos.cert.server.kv_sub + ignore_missing: true +- rename: + field: zeek.kerberos.cert.server.kv_sub.C + target_field: tls.server.x509.subject.country + ignore_missing: true +- rename: + field: zeek.kerberos.cert.server.kv_sub.CN + target_field: tls.server.x509.subject.common_name + ignore_missing: true +- rename: + field: zeek.kerberos.cert.server.kv_sub.L + target_field: tls.server.x509.subject.locality + ignore_missing: true +- rename: + field: zeek.kerberos.cert.server.kv_sub.O + target_field: tls.server.x509.subject.organization + ignore_missing: true +- rename: + field: zeek.kerberos.cert.server.kv_sub.OU + target_field: tls.server.x509.subject.organizational_unit + ignore_missing: true +- rename: + field: zeek.kerberos.cert.server.kv_sub.ST + target_field: tls.server.x509.subject.state_or_province + ignore_missing: true +- remove: + field: zeek.kerberos.cert.server.kv_sub + ignore_missing: true on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/zeek/kerberos/manifest.yml b/x-pack/filebeat/module/zeek/kerberos/manifest.yml index 4a94434f1d4..3f527b15013 100644 --- a/x-pack/filebeat/module/zeek/kerberos/manifest.yml +++ b/x-pack/filebeat/module/zeek/kerberos/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/kerberos.log - name: tags default: [zeek.kerberos] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/kerberos.yml diff --git a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log index 416f2a09c3e..bb5b2c52004 100644 --- a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log +++ b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log @@ -1 +1 @@ -{"ts":1507565599.590346,"uid":"C56Flhb4WQBNkfMOl","id.orig_h":"192.168.10.31","id.orig_p":49242,"id.resp_h":"192.168.10.10","id.resp_p":88,"request_type":"TGS","client":"RonHD/CONTOSO.LOCAL","service":"HOST/admin-pc","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true} +{"ts":1507565599.590346,"uid":"C56Flhb4WQBNkfMOl","id.orig_h":"192.168.10.31","id.orig_p":49242,"id.resp_h":"192.168.10.10","id.resp_p":88,"request_type":"TGS","client":"RonHD/CONTOSO.LOCAL","service":"HOST/admin-pc","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true,"cert.client_subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","cert.server_subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US"} diff --git a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json index e01e42a4036..686322c4057 100644 --- a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json @@ -40,8 +40,20 @@ "tags": [ "zeek.kerberos" ], + "tls.client.x509.subject.common_name": "*.gcp.cloud.es.io", + "tls.client.x509.subject.country": "US", + "tls.client.x509.subject.locality": "Mountain View", + "tls.client.x509.subject.organization": "Elasticsearch Inc.", + "tls.client.x509.subject.state_or_province": "California", + "tls.server.x509.subject.common_name": "*.gcp.cloud.es.io", + "tls.server.x509.subject.country": "US", + "tls.server.x509.subject.locality": "Mountain View", + "tls.server.x509.subject.organization": "Elasticsearch Inc.", + "tls.server.x509.subject.state_or_province": "California", "user.domain": "CONTOSO.LOCAL", "user.name": "RonHD", + "zeek.kerberos.cert.client.subject": "CN=*.gcp.cloud.es.io,O=Elasticsearch Inc.,L=Mountain View,ST=California,C=US", + "zeek.kerberos.cert.server.subject": "CN=*.gcp.cloud.es.io,O=Elasticsearch Inc.,L=Mountain View,ST=California,C=US", "zeek.kerberos.cipher": "aes256-cts-hmac-sha1-96", "zeek.kerberos.client": "RonHD/CONTOSO.LOCAL", "zeek.kerberos.forwardable": true, diff --git a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml index c6a6c3bf9e1..d656ad0ab6a 100644 --- a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml +++ b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml @@ -69,9 +69,7 @@ processors: target: event fields: outcome: success -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml index d053a541ef5..d918b2de09a 100644 --- a/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek modbus.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.modbus.ts formats: diff --git a/x-pack/filebeat/module/zeek/modbus/manifest.yml b/x-pack/filebeat/module/zeek/modbus/manifest.yml index e20412fadc6..c4afd6315d4 100644 --- a/x-pack/filebeat/module/zeek/modbus/manifest.yml +++ b/x-pack/filebeat/module/zeek/modbus/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/modbus.log - name: tags default: [zeek.modbus] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/modbus.yml diff --git a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml index b3fd2c5484f..4c6e70d9f1c 100644 --- a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml +++ b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml @@ -68,9 +68,7 @@ processors: target: event fields: outcome: failure -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml index ca2c6c57172..ce2de353549 100644 --- a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek mysql.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.mysql.ts formats: diff --git a/x-pack/filebeat/module/zeek/mysql/manifest.yml b/x-pack/filebeat/module/zeek/mysql/manifest.yml index 1b7ec4edb19..bba253a418e 100644 --- a/x-pack/filebeat/module/zeek/mysql/manifest.yml +++ b/x-pack/filebeat/module/zeek/mysql/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/mysql.log - name: tags default: [zeek.mysql] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/mysql.yml diff --git a/x-pack/filebeat/module/zeek/notice/config/notice.yml b/x-pack/filebeat/module/zeek/notice/config/notice.yml index 71eef51d512..649d3f3ba97 100644 --- a/x-pack/filebeat/module/zeek/notice/config/notice.yml +++ b/x-pack/filebeat/module/zeek/notice/config/notice.yml @@ -12,6 +12,7 @@ json.keys_under_root: false processors: - drop_fields: fields: ["json.actions"] + ignore_missing: true - rename: fields: - from: "json" @@ -79,6 +80,7 @@ processors: - drop_fields: fields: ["zeek.notice.remote_location", "zeek.notice.f"] + ignore_missing: true - convert: fields: - {from: "zeek.session_id", to: "event.id"} @@ -98,9 +100,7 @@ processors: - intrusion_detection type: - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml index c4dee6b78f2..c741d355361 100644 --- a/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek notice.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.notice.ts formats: diff --git a/x-pack/filebeat/module/zeek/notice/manifest.yml b/x-pack/filebeat/module/zeek/notice/manifest.yml index e2bdf695027..e14f7222065 100644 --- a/x-pack/filebeat/module/zeek/notice/manifest.yml +++ b/x-pack/filebeat/module/zeek/notice/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/notice.log - name: tags default: [zeek.notice] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/notice.yml diff --git a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml index dcf1cb46f6f..c67f66b54b9 100644 --- a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml +++ b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml @@ -82,9 +82,7 @@ processors: target: event fields: outcome: failure -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml index 9f76d461392..690fd54a54b 100644 --- a/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek ntlm.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.ntlm.ts formats: diff --git a/x-pack/filebeat/module/zeek/ntlm/manifest.yml b/x-pack/filebeat/module/zeek/ntlm/manifest.yml index 545bef85aaa..e16e6ec8b3a 100644 --- a/x-pack/filebeat/module/zeek/ntlm/manifest.yml +++ b/x-pack/filebeat/module/zeek/ntlm/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/ntlm.log - name: tags default: [zeek.ntlm] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/ntlm.yml diff --git a/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml index 63a878825d7..462c1f36612 100644 --- a/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ocsp/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek ocsp.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.ocsp.ts formats: diff --git a/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml index 6a7fa7dca87..6e1272a8ab2 100644 --- a/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/pe/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek pe.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.pe.ts formats: diff --git a/x-pack/filebeat/module/zeek/radius/config/radius.yml b/x-pack/filebeat/module/zeek/radius/config/radius.yml index d133dbc014c..66fccaa3f5c 100644 --- a/x-pack/filebeat/module/zeek/radius/config/radius.yml +++ b/x-pack/filebeat/module/zeek/radius/config/radius.yml @@ -54,9 +54,7 @@ processors: type: - info - connection -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml index c69dfaefbb4..acc7fad2f03 100644 --- a/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek radius.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.radius.ts formats: diff --git a/x-pack/filebeat/module/zeek/radius/manifest.yml b/x-pack/filebeat/module/zeek/radius/manifest.yml index f881f404d7a..d3bdee065b0 100644 --- a/x-pack/filebeat/module/zeek/radius/manifest.yml +++ b/x-pack/filebeat/module/zeek/radius/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/radius.log - name: tags default: [zeek.radius] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/radius.yml diff --git a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml index 1ea1c28520c..de71448fb1b 100644 --- a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml +++ b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml @@ -84,9 +84,7 @@ processors: type: - protocol - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml index d6b70dd92e6..bbe4abcee9f 100644 --- a/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek rdp.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.rdp.ts formats: diff --git a/x-pack/filebeat/module/zeek/rdp/manifest.yml b/x-pack/filebeat/module/zeek/rdp/manifest.yml index b0c76c9f3a3..0a2bc7b77ec 100644 --- a/x-pack/filebeat/module/zeek/rdp/manifest.yml +++ b/x-pack/filebeat/module/zeek/rdp/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/rdp.log - name: tags default: [zeek.rdp] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/rdp.yml diff --git a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml index d0eade39d0e..3adb14c55bf 100644 --- a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml +++ b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml @@ -69,9 +69,7 @@ processors: type: - connection - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml index 8cf2cebdf4d..2ce5fda4e16 100644 --- a/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek rfb.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.rfb.ts formats: diff --git a/x-pack/filebeat/module/zeek/rfb/manifest.yml b/x-pack/filebeat/module/zeek/rfb/manifest.yml index 2b9daaab107..4bba4f4f37c 100644 --- a/x-pack/filebeat/module/zeek/rfb/manifest.yml +++ b/x-pack/filebeat/module/zeek/rfb/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/rfb.log - name: tags default: [zeek.rfb] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/rfb.yml diff --git a/x-pack/filebeat/module/zeek/sip/config/sip.yml b/x-pack/filebeat/module/zeek/sip/config/sip.yml index 7355ba353c7..7aa30034de2 100644 --- a/x-pack/filebeat/module/zeek/sip/config/sip.yml +++ b/x-pack/filebeat/module/zeek/sip/config/sip.yml @@ -91,9 +91,7 @@ processors: type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml index 9982cb82d87..d8408c51133 100644 --- a/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek sip.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.sip.ts formats: diff --git a/x-pack/filebeat/module/zeek/sip/manifest.yml b/x-pack/filebeat/module/zeek/sip/manifest.yml index 8da0cc443dd..2186e6b0f3f 100644 --- a/x-pack/filebeat/module/zeek/sip/manifest.yml +++ b/x-pack/filebeat/module/zeek/sip/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/sip.log - name: tags default: [zeek.sip] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/sip.yml diff --git a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml index 693c439454a..763379a7d88 100644 --- a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml +++ b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml @@ -97,9 +97,7 @@ processors: type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml index 838e9f2e8bc..0a853104351 100644 --- a/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek smb_cmd.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.smb_cmd.ts formats: diff --git a/x-pack/filebeat/module/zeek/smb_cmd/manifest.yml b/x-pack/filebeat/module/zeek/smb_cmd/manifest.yml index a4ad3a78ce1..331cafae30f 100644 --- a/x-pack/filebeat/module/zeek/smb_cmd/manifest.yml +++ b/x-pack/filebeat/module/zeek/smb_cmd/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/smb_cmd.log - name: tags default: [zeek.smb_cmd] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/smb_cmd.yml diff --git a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml index 16fb3d36964..c5f7c2e53e7 100644 --- a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml +++ b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml @@ -57,9 +57,7 @@ processors: type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml index b2c7f52a29b..b1c0d3a6992 100644 --- a/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek smb_files.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.smb_files.ts formats: diff --git a/x-pack/filebeat/module/zeek/smb_files/manifest.yml b/x-pack/filebeat/module/zeek/smb_files/manifest.yml index f59a04153a5..bdbf0324fd9 100644 --- a/x-pack/filebeat/module/zeek/smb_files/manifest.yml +++ b/x-pack/filebeat/module/zeek/smb_files/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/smb_files.log - name: tags default: [zeek.smb_files] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/smb_files.yml diff --git a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml index 168458ba1d0..624454ed171 100644 --- a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml +++ b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml @@ -53,9 +53,7 @@ processors: type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml index b5752120267..e116e1bfb60 100644 --- a/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek smb_mapping.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.smb_mapping.ts formats: diff --git a/x-pack/filebeat/module/zeek/smb_mapping/manifest.yml b/x-pack/filebeat/module/zeek/smb_mapping/manifest.yml index 7382e529b27..f4afd881b54 100644 --- a/x-pack/filebeat/module/zeek/smb_mapping/manifest.yml +++ b/x-pack/filebeat/module/zeek/smb_mapping/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/smb_mapping.log - name: tags default: [zeek.smb_mapping] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/smb_mapping.yml diff --git a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml index acc02bf91df..5b2f6595df2 100644 --- a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml +++ b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml @@ -63,9 +63,7 @@ processors: type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml index 4424d3674ff..03e2ffb6a25 100644 --- a/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek smtp.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.smtp.ts formats: diff --git a/x-pack/filebeat/module/zeek/smtp/manifest.yml b/x-pack/filebeat/module/zeek/smtp/manifest.yml index 6d69b3b5e3e..bc0d180278b 100644 --- a/x-pack/filebeat/module/zeek/smtp/manifest.yml +++ b/x-pack/filebeat/module/zeek/smtp/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/smtp.log - name: tags default: [zeek.smtp] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/smtp.yml diff --git a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml index 684ecd01d06..0c7e05ce6db 100644 --- a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml +++ b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml @@ -65,9 +65,7 @@ processors: type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml index f0070ef790d..1aefc539733 100644 --- a/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek snmp.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.snmp.ts formats: diff --git a/x-pack/filebeat/module/zeek/snmp/manifest.yml b/x-pack/filebeat/module/zeek/snmp/manifest.yml index b980b6fb82e..e25fb364b1e 100644 --- a/x-pack/filebeat/module/zeek/snmp/manifest.yml +++ b/x-pack/filebeat/module/zeek/snmp/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/snmp.log - name: tags default: [zeek.snmp] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/snmp.yml diff --git a/x-pack/filebeat/module/zeek/socks/config/socks.yml b/x-pack/filebeat/module/zeek/socks/config/socks.yml index 9ce64d99076..f834e5d1bcc 100644 --- a/x-pack/filebeat/module/zeek/socks/config/socks.yml +++ b/x-pack/filebeat/module/zeek/socks/config/socks.yml @@ -63,9 +63,7 @@ processors: type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml index 04a84b13177..e64c5ec9eb3 100644 --- a/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek socks.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.socks.ts formats: @@ -68,11 +71,11 @@ processors: field: event.type value: error if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status != 'succeeded'" -- append: +- set: field: event.outcome value: success if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status == 'succeeded'" -- append: +- set: field: event.outcome value: failure if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status != 'succeeded'" diff --git a/x-pack/filebeat/module/zeek/socks/manifest.yml b/x-pack/filebeat/module/zeek/socks/manifest.yml index 68fea837fde..55c4a387524 100644 --- a/x-pack/filebeat/module/zeek/socks/manifest.yml +++ b/x-pack/filebeat/module/zeek/socks/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/socks.log - name: tags default: [zeek.socks] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/socks.yml diff --git a/x-pack/filebeat/module/zeek/socks/test/socks-json.log-expected.json b/x-pack/filebeat/module/zeek/socks/test/socks-json.log-expected.json index c8172d23d1a..0a45d16a569 100644 --- a/x-pack/filebeat/module/zeek/socks/test/socks-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/socks/test/socks-json.log-expected.json @@ -11,9 +11,7 @@ "event.id": "Cmz4Cb4qCw1hGqYw1c", "event.kind": "event", "event.module": "zeek", - "event.outcome": [ - "success" - ], + "event.outcome": "success", "event.type": [ "connection", "protocol" diff --git a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml index 453c6b0fae5..c855d49dff2 100644 --- a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml +++ b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml @@ -72,9 +72,7 @@ processors: type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml index 019a44b89e0..26980d26f3d 100644 --- a/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek ssh.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.ssh.ts formats: diff --git a/x-pack/filebeat/module/zeek/ssh/manifest.yml b/x-pack/filebeat/module/zeek/ssh/manifest.yml index 60249e25c21..9d2f39212b5 100644 --- a/x-pack/filebeat/module/zeek/ssh/manifest.yml +++ b/x-pack/filebeat/module/zeek/ssh/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/ssh.log - name: tags default: [zeek.ssh] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/ssh.yml diff --git a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml index e140ba94e2c..c3ecbd94be9 100644 --- a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml +++ b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml @@ -72,13 +72,11 @@ processors: kind: event category: - network - kind: + type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml index bbeaa24d1bd..ad8edd5392f 100644 --- a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml @@ -2,8 +2,11 @@ description: Pipeline for normalizing Zeek ssl.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.ssl.ts formats: @@ -62,7 +65,7 @@ processors: - kv: field: zeek.ssl.issuer field_split: ',' - value_split: = + value_split: '=' target_field: zeek.ssl.server.issuer ignore_missing: true - rename: @@ -73,26 +76,50 @@ processors: field: zeek.ssl.server.issuer.C target_field: zeek.ssl.server.issuer.country ignore_missing: true +- set: + field: tls.server.x509.issuer.country + value: '{{zeek.ssl.server.issuer.country}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.issuer.CN target_field: zeek.ssl.server.issuer.common_name ignore_missing: true +- set: + field: tls.server.x509.issuer.common_name + value: '{{zeek.ssl.server.issuer.common_name}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.issuer.L target_field: zeek.ssl.server.issuer.locality ignore_missing: true +- set: + field: tls.server.x509.issuer.locality + value: '{{zeek.ssl.server.issuer.locality}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.issuer.O target_field: zeek.ssl.server.issuer.organization ignore_missing: true +- set: + field: tls.server.x509.issuer.organization + value: '{{zeek.ssl.server.issuer.organization}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.issuer.OU target_field: zeek.ssl.server.issuer.organizational_unit ignore_missing: true +- set: + field: tls.server.x509.issuer.organizational_unit + value: '{{zeek.ssl.server.issuer.organizational_unit}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.issuer.ST target_field: zeek.ssl.server.issuer.state ignore_missing: true +- set: + field: tls.server.x509.issuer.state_or_province + value: '{{zeek.ssl.server.issuer.state}}' + ignore_empty_value: true - gsub: field: zeek.ssl.subject pattern: \\, @@ -101,7 +128,7 @@ processors: - kv: field: zeek.ssl.subject field_split: ',' - value_split: = + value_split: '=' target_field: zeek.ssl.server.subject ignore_missing: true - remove: @@ -111,26 +138,50 @@ processors: field: zeek.ssl.server.subject.C target_field: zeek.ssl.server.subject.country ignore_missing: true +- set: + field: tls.server.x509.subject.country + value: '{{zeek.ssl.server.subject.country}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.subject.CN target_field: zeek.ssl.server.subject.common_name ignore_missing: true +- set: + field: tls.server.x509.subject.common_name + value: '{{zeek.ssl.server.subject.common_name}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.subject.L target_field: zeek.ssl.server.subject.locality ignore_missing: true +- set: + field: tls.server.x509.subject.locality + value: '{{zeek.ssl.server.subject.locality}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.subject.O target_field: zeek.ssl.server.subject.organization ignore_missing: true +- set: + field: tls.server.x509.subject.organization + value: '{{zeek.ssl.server.subject.organization}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.subject.OU target_field: zeek.ssl.server.subject.organizational_unit ignore_missing: true +- set: + field: tls.server.x509.subject.organizational_unit + value: '{{zeek.ssl.server.subject.organizational_unit}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.subject.ST target_field: zeek.ssl.server.subject.state ignore_missing: true +- set: + field: tls.server.x509.subject.state_or_province + value: '{{zeek.ssl.server.subject.state}}' + ignore_empty_value: true - gsub: field: zeek.ssl.client_issuer pattern: \\, @@ -139,7 +190,7 @@ processors: - kv: field: zeek.ssl.client_issuer field_split: ',' - value_split: = + value_split: '=' target_field: zeek.ssl.client.issuer ignore_missing: true - rename: @@ -150,26 +201,50 @@ processors: field: zeek.ssl.client.issuer.C target_field: zeek.ssl.client.issuer.country ignore_missing: true +- set: + field: tls.client.x509.issuer.country + value: '{{zeek.ssl.client.issuer.country}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.issuer.CN target_field: zeek.ssl.client.issuer.common_name ignore_missing: true +- set: + field: tls.client.x509.issuer.common_name + value: '{{zeek.ssl.client.issuer.common_name}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.issuer.L target_field: zeek.ssl.client.issuer.locality ignore_missing: true +- set: + field: tls.client.x509.issuer.locality + value: '{{zeek.ssl.client.issuer.locality}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.issuer.O target_field: zeek.ssl.client.issuer.organization ignore_missing: true +- set: + field: tls.client.x509.issuer.organization + value: '{{zeek.ssl.client.issuer.organization}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.issuer.OU target_field: zeek.ssl.client.issuer.organizational_unit ignore_missing: true +- set: + field: tls.client.x509.issuer.organizational_unit + value: '{{zeek.ssl.client.issuer.organizational_unit}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.issuer.ST target_field: zeek.ssl.client.issuer.state ignore_missing: true +- set: + field: tls.client.x509.issuer.state_or_province + value: '{{zeek.ssl.client.issuer.state}}' + ignore_empty_value: true - gsub: field: zeek.ssl.client_subject pattern: \\, @@ -178,7 +253,7 @@ processors: - kv: field: zeek.ssl.client_subject field_split: ',' - value_split: = + value_split: '=' target_field: zeek.ssl.client.subject ignore_missing: true - remove: @@ -188,26 +263,50 @@ processors: field: zeek.ssl.client.subject.C target_field: zeek.ssl.client.subject.country ignore_missing: true +- set: + field: tls.client.x509.subject.country + value: '{{zeek.ssl.client.subject.country}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.subject.CN target_field: zeek.ssl.client.subject.common_name ignore_missing: true +- set: + field: tls.client.x509.subject.common_name + value: '{{zeek.ssl.client.subject.common_name}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.subject.L target_field: zeek.ssl.client.subject.locality ignore_missing: true +- set: + field: tls.client.x509.subject.locality + value: '{{zeek.ssl.client.subject.locality}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.subject.O target_field: zeek.ssl.client.subject.organization ignore_missing: true +- set: + field: tls.client.x509.subject.organization + value: '{{zeek.ssl.client.subject.organization}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.subject.OU target_field: zeek.ssl.client.subject.organizational_unit ignore_missing: true +- set: + field: tls.client.x509.subject.organizational_unit + value: '{{zeek.ssl.client.subject.organizational_unit}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.subject.ST target_field: zeek.ssl.client.subject.state ignore_missing: true +- set: + field: tls.client.x509.subject.state_or_province + value: '{{zeek.ssl.client.subject.state}}' + ignore_empty_value: true - set: field: tls.cipher value: '{{zeek.ssl.cipher}}' diff --git a/x-pack/filebeat/module/zeek/ssl/manifest.yml b/x-pack/filebeat/module/zeek/ssl/manifest.yml index 0b3da1331ff..49e474dfadc 100644 --- a/x-pack/filebeat/module/zeek/ssl/manifest.yml +++ b/x-pack/filebeat/module/zeek/ssl/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/ssl.log - name: tags default: [zeek.ssl] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/ssl.yml diff --git a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json index 526a43a350b..805d20d2a54 100644 --- a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json @@ -19,11 +19,12 @@ ], "event.dataset": "zeek.ssl", "event.id": "CAOvs1BMFCX2Eh0Y3", - "event.kind": [ + "event.kind": "event", + "event.module": "zeek", + "event.type": [ "connection", "protocol" ], - "event.module": "zeek", "fileset.name": "ssl", "input.type": "log", "log.offset": 0, @@ -46,6 +47,14 @@ "tls.established": true, "tls.resumed": false, "tls.server.issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", + "tls.server.x509.issuer.common_name": "DigiCert SHA2 Secure Server CA", + "tls.server.x509.issuer.country": "US", + "tls.server.x509.issuer.organization": "DigiCert Inc", + "tls.server.x509.subject.common_name": "*.gcp.cloud.es.io", + "tls.server.x509.subject.country": "US", + "tls.server.x509.subject.locality": "Mountain View", + "tls.server.x509.subject.organization": "Elasticsearch Inc.", + "tls.server.x509.subject.state_or_province": "California", "tls.version": "1.2", "tls.version_protocol": "tls", "zeek.session_id": "CAOvs1BMFCX2Eh0Y3", @@ -90,11 +99,12 @@ ], "event.dataset": "zeek.ssl", "event.id": "C3mki91FnnNtm0u1ok", - "event.kind": [ + "event.kind": "event", + "event.module": "zeek", + "event.type": [ "connection", "protocol" ], - "event.module": "zeek", "fileset.name": "ssl", "input.type": "log", "log.offset": 635, @@ -117,6 +127,14 @@ "tls.established": true, "tls.resumed": false, "tls.server.issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", + "tls.server.x509.issuer.common_name": "DigiCert SHA2 Secure Server CA", + "tls.server.x509.issuer.country": "US", + "tls.server.x509.issuer.organization": "DigiCert Inc", + "tls.server.x509.subject.common_name": "*.gcp.cloud.es.io", + "tls.server.x509.subject.country": "US", + "tls.server.x509.subject.locality": "Mountain View", + "tls.server.x509.subject.organization": "Elasticsearch Inc.", + "tls.server.x509.subject.state_or_province": "California", "tls.version": "1.2", "tls.version_protocol": "tls", "zeek.session_id": "C3mki91FnnNtm0u1ok", diff --git a/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml index c0347161190..04e851e14a9 100644 --- a/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/stats/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek stats.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.stats.ts formats: diff --git a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml index 16c6ebb6187..a89601cb717 100644 --- a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml +++ b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml @@ -53,9 +53,7 @@ processors: target: event fields: kind: event -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml index 7fd848682b1..5f3432ec488 100644 --- a/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek syslog.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.syslog.ts formats: diff --git a/x-pack/filebeat/module/zeek/syslog/manifest.yml b/x-pack/filebeat/module/zeek/syslog/manifest.yml index 8db76ab5b36..03a80586303 100644 --- a/x-pack/filebeat/module/zeek/syslog/manifest.yml +++ b/x-pack/filebeat/module/zeek/syslog/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/syslog.log - name: tags default: [zeek.syslog] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/syslog.yml diff --git a/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml index 6fa5a0bc993..f4744c540d7 100644 --- a/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek traceroute.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.traceroute.ts formats: diff --git a/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml index 402bce5fa5d..9ca83da3305 100644 --- a/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek tunnel.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.tunnel.ts formats: diff --git a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml index e0325d9a1c5..d791eb77a09 100644 --- a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml @@ -1,8 +1,11 @@ description: Pipeline for normalizing Zeek weird.log processors: - set: - field: event.created + field: event.ingested value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' - date: field: zeek.weird.ts formats: diff --git a/x-pack/filebeat/module/zeek/x509/config/x509.yml b/x-pack/filebeat/module/zeek/x509/config/x509.yml index 34ab8fc651f..80e53a3c90c 100644 --- a/x-pack/filebeat/module/zeek/x509/config/x509.yml +++ b/x-pack/filebeat/module/zeek/x509/config/x509.yml @@ -67,4 +67,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zeek/x509/ingest/pipeline.json b/x-pack/filebeat/module/zeek/x509/ingest/pipeline.json deleted file mode 100644 index e35b8bbbafc..00000000000 --- a/x-pack/filebeat/module/zeek/x509/ingest/pipeline.json +++ /dev/null @@ -1,231 +0,0 @@ -{ - "description": "Pipeline for normalizing Zeek x509.log", - "processors": [ - { - "set": { - "field": "event.created", - "value": "{{_ingest.timestamp}}" - } - }, - { - "date": { - "field": "zeek.x509.ts", - "formats": ["UNIX"] - } - }, - { - "remove": { - "field": "zeek.x509.ts" - } - }, - { - "set": { - "field": "event.id", - "value": "{{zeek.session_id}}", - "if": "ctx.zeek.session_id != null" - } - }, - { - "dot_expander": { - "field": "certificate.exponent", - "path": "zeek.x509" - } - }, - { - "dot_expander": { - "field": "certificate.serial", - "path": "zeek.x509" - } - }, - { - "dot_expander": { - "field": "certificate.version", - "path": "zeek.x509" - } - }, - { - "dot_expander": { - "field": "san.dns", - "path": "zeek.x509" - } - }, - { - "dot_expander": { - "field": "san.uri", - "path": "zeek.x509" - } - }, - { - "dot_expander": { - "field": "san.email", - "path": "zeek.x509" - } - }, - { - "dot_expander": { - "field": "san.ip", - "path": "zeek.x509" - } - }, - { - "dot_expander": { - "field": "san.other_fields", - "path": "zeek.x509" - } - }, - { - "date": { - "field": "zeek.x509.certificate.valid.from", - "target_field": "zeek.x509.certificate.valid.from", - "formats": ["UNIX"], - "if": "ctx.zeek.x509.certificate?.valid?.from != null" - } - }, - { - "date": { - "field": "zeek.x509.certificate.valid.until", - "target_field": "zeek.x509.certificate.valid.until", - "formats": ["UNIX"], - "if": "ctx.zeek.x509.certificate?.valid?.until != null" - } - }, - - { - "gsub": { - "field": "zeek.x509.certificate.iss", - "pattern": "\\\\,", - "replacement": "", - "ignore_missing": true - } - }, - { - "kv": { - "field": "zeek.x509.certificate.iss", - "field_split": ",", - "value_split": "=", - "target_field": "zeek.x509.certificate.issuer", - "ignore_missing": true - } - }, - { - "remove": { - "field": "zeek.x509.certificate.iss", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.x509.certificate.issuer.C", - "target_field": "zeek.x509.certificate.issuer.country", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.x509.certificate.issuer.CN", - "target_field": "zeek.x509.certificate.issuer.common_name", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.x509.certificate.issuer.L", - "target_field": "zeek.x509.certificate.issuer.locality", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.x509.certificate.issuer.O", - "target_field": "zeek.x509.certificate.issuer.organization", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.x509.certificate.issuer.OU", - "target_field": "zeek.x509.certificate.issuer.organizational_unit", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.x509.certificate.issuer.ST", - "target_field": "zeek.x509.certificate.issuer.state", - "ignore_missing": true - } - }, - - { - "gsub": { - "field": "zeek.x509.certificate.sub", - "pattern": "\\\\,", - "replacement": "", - "ignore_missing": true - } - }, - { - "kv": { - "field": "zeek.x509.certificate.sub", - "field_split": ",", - "value_split": "=", - "target_field": "zeek.x509.certificate.subject", - "ignore_missing": true - } - }, - { - "remove": { - "field": "zeek.x509.certificate.sub", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.x509.certificate.subject.C", - "target_field": "zeek.x509.certificate.subject.country", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.x509.certificate.subject.CN", - "target_field": "zeek.x509.certificate.subject.common_name", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.x509.certificate.subject.L", - "target_field": "zeek.x509.certificate.subject.locality", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.x509.certificate.subject.O", - "target_field": "zeek.x509.certificate.subject.organization", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.x509.certificate.subject.OU", - "target_field": "zeek.x509.certificate.subject.organizational_unit", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.x509.certificate.subject.ST", - "target_field": "zeek.x509.certificate.subject.state", - "ignore_missing": true - } - } - ], - "on_failure" : [{ - "set" : { - "field" : "error.message", - "value" : "{{ _ingest.on_failure_message }}" - } - }] -} diff --git a/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml new file mode 100644 index 00000000000..db9317cca6e --- /dev/null +++ b/x-pack/filebeat/module/zeek/x509/ingest/pipeline.yml @@ -0,0 +1,274 @@ +--- +description: Pipeline for normalizing Zeek x509.log +processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + - set: + field: event.created + value: '{{@timestamp}}' + - date: + field: zeek.x509.ts + formats: + - UNIX + - remove: + field: zeek.x509.ts + - set: + field: event.id + value: '{{zeek.session_id}}' + if: ctx.zeek.session_id != null + - set: + field: file.x509.signature_algorithm + value: '{{zeek.x509.certificate.signature_algorithm}}' + ignore_empty_value: true + - script: + lang: painless + params: + "md2WithRSAEncryption": MD2-RSA + "md5WithRSAEncryption": MD5-RSA + "sha-1WithRSAEncryption": SHA1-RSA + "sha256WithRSAEncryption": SHA256-RSA + "sha384WithRSAEncryption": SHA384-RSA + "sha512WithRSAEncryption": SHA512-RSA + "dsaWithSha1": DSA-SHA1 + "dsaWithSha256": DSA-SHA256 + "ecdsa-with-SHA1": ECDSA-SHA1 + "ecdsa-with-SHA256": ECDSA-SHA256 + "ecdsa-with-SHA384": ECDSA-SHA384 + "ecdsa-with-SHA512": ECDSA-SHA512 + "id-Ed25519": Ed25519 + source: | + String algo = params.get(ctx.file.x509.signature_algorithm); + if (algo != null) { + ctx.file.x509.signature_algorithm = algo; + } + if: ctx?.file?.x509?.signature_algorithm != null + - set: + field: file.x509.public_key_algorithm + value: '{{zeek.x509.certificate.key.algorithm}}' + ignore_empty_value: true + - convert: + field: zeek.x509.certificate.key.length + target_field: file.x509.public_key_size + type: long + ignore_missing: true + - dot_expander: + field: certificate.exponent + path: zeek.x509 + - convert: + field: zeek.x509.certificate.exponent + target_field: file.x509.public_key_exponent + type: long + ignore_missing: true + - dot_expander: + field: certificate.serial + path: zeek.x509 + - set: + field: file.x509.serial_number + value: '{{zeek.x509.certificate.serial}}' + ignore_empty_value: true + - dot_expander: + field: certificate.version + path: zeek.x509 + - set: + field: file.x509.version_number + value: '{{zeek.x509.certificate.version}}' + ignore_empty_value: true + - dot_expander: + field: san.dns + path: zeek.x509 + - foreach: + field: zeek.x509.san.dns + ignore_missing: true + processor: + append: + field: file.x509.alternative_names + value: '{{_ingest._value}}' + - dot_expander: + field: san.uri + path: zeek.x509 + - foreach: + field: zeek.x509.san.uri + ignore_missing: true + processor: + append: + field: file.x509.alternative_names + value: '{{_ingest._value}}' + - dot_expander: + field: san.email + path: zeek.x509 + - foreach: + field: zeek.x509.san.email + ignore_missing: true + processor: + append: + field: file.x509.alternative_names + value: '{{_ingest._value}}' + - dot_expander: + field: san.ip + path: zeek.x509 + - foreach: + field: zeek.x509.san.ip + ignore_missing: true + processor: + append: + field: file.x509.alternative_names + value: '{{_ingest._value}}' + - dot_expander: + field: san.other_fields + path: zeek.x509 + - foreach: + field: zeek.x509.san.other_fields + ignore_missing: true + processor: + append: + field: file.x509.alternative_names + value: '{{_ingest._value}}' + - date: + field: zeek.x509.certificate.valid.from + target_field: zeek.x509.certificate.valid.from + formats: + - UNIX + if: ctx.zeek.x509.certificate?.valid?.from != null + - set: + field: file.x509.not_before + value: '{{zeek.x509.certificate.valid.from}}' + ignore_empty_value: true + - date: + field: zeek.x509.certificate.valid.until + target_field: zeek.x509.certificate.valid.until + formats: + - UNIX + if: ctx.zeek.x509.certificate?.valid?.until != null + - set: + field: file.x509.not_after + value: '{{zeek.x509.certificate.valid.until}}' + ignore_empty_value: true + - gsub: + field: zeek.x509.certificate.iss + pattern: \\, + replacement: "" + ignore_missing: true + - kv: + field: zeek.x509.certificate.iss + field_split: ',' + value_split: '=' + target_field: zeek.x509.certificate.issuer + ignore_missing: true + - remove: + field: zeek.x509.certificate.iss + ignore_missing: true + - rename: + field: zeek.x509.certificate.issuer.C + target_field: zeek.x509.certificate.issuer.country + ignore_missing: true + - set: + field: file.x509.issuer.country + value: '{{zeek.x509.certificate.issuer.country}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.issuer.CN + target_field: zeek.x509.certificate.issuer.common_name + ignore_missing: true + - set: + field: file.x509.issuer.common_name + value: '{{zeek.x509.certificate.issuer.common_name}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.issuer.L + target_field: zeek.x509.certificate.issuer.locality + ignore_missing: true + - set: + field: file.x509.issuer.locality + value: '{{zeek.x509.certificate.issuer.locality}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.issuer.O + target_field: zeek.x509.certificate.issuer.organization + ignore_missing: true + - set: + field: file.x509.issuer.organization + value: '{{zeek.x509.certificate.issuer.organization}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.issuer.OU + target_field: zeek.x509.certificate.issuer.organizational_unit + ignore_missing: true + - set: + field: file.x509.issuer.organizational_unit + value: '{{zeek.x509.certificate.issuer.organizational_unit}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.issuer.ST + target_field: zeek.x509.certificate.issuer.state + ignore_missing: true + - set: + field: file.x509.issuer.state_or_province + value: '{{zeek.x509.certificate.issuer.state}}' + ignore_empty_value: true + - gsub: + field: zeek.x509.certificate.sub + pattern: \\, + replacement: "" + ignore_missing: true + - kv: + field: zeek.x509.certificate.sub + field_split: ',' + value_split: '=' + target_field: zeek.x509.certificate.subject + ignore_missing: true + - remove: + field: zeek.x509.certificate.sub + ignore_missing: true + - rename: + field: zeek.x509.certificate.subject.C + target_field: zeek.x509.certificate.subject.country + ignore_missing: true + - set: + field: file.x509.subject.country + value: '{{zeek.x509.certificate.subject.country}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.subject.CN + target_field: zeek.x509.certificate.subject.common_name + ignore_missing: true + - set: + field: file.x509.subject.common_name + value: '{{zeek.x509.certificate.subject.common_name}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.subject.L + target_field: zeek.x509.certificate.subject.locality + ignore_missing: true + - set: + field: file.x509.subject.locality + value: '{{zeek.x509.certificate.subject.locality}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.subject.O + target_field: zeek.x509.certificate.subject.organization + ignore_missing: true + - set: + field: file.x509.subject.organization + value: '{{zeek.x509.certificate.subject.organization}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.subject.OU + target_field: zeek.x509.certificate.subject.organizational_unit + ignore_missing: true + - set: + field: file.x509.subject.organizational_unit + value: '{{zeek.x509.certificate.subject.organizational_unit}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.subject.ST + target_field: zeek.x509.certificate.subject.state + ignore_missing: true + - set: + field: file.x509.subject.state_or_province + value: '{{zeek.x509.certificate.subject.state}}' + ignore_empty_value: true +on_failure: + - set: + field: error.message + value: '{{_ingest.on_failure_message}}' diff --git a/x-pack/filebeat/module/zeek/x509/manifest.yml b/x-pack/filebeat/module/zeek/x509/manifest.yml index 5d3747af787..a183f7dbc3d 100644 --- a/x-pack/filebeat/module/zeek/x509/manifest.yml +++ b/x-pack/filebeat/module/zeek/x509/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/x509.log - name: tags default: [zeek.x509] - - name: community_id - default: true -ingest_pipeline: ingest/pipeline.json +ingest_pipeline: ingest/pipeline.yml input: config/x509.yml diff --git a/x-pack/filebeat/module/zeek/x509/test/x509-json.log-expected.json b/x-pack/filebeat/module/zeek/x509/test/x509-json.log-expected.json index fff83c5969e..603a125ee62 100644 --- a/x-pack/filebeat/module/zeek/x509/test/x509-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/x509/test/x509-json.log-expected.json @@ -8,6 +8,95 @@ "event.type": [ "info" ], + "file.x509.alternative_names": [ + "www.bing.com", + "dict.bing.com.cn", + "*.platform.bing.com", + "*.bing.com", + "bing.com", + "ieonline.microsoft.com", + "*.windowssearch.com", + "cn.ieonline.microsoft.com", + "*.origin.bing.com", + "*.mm.bing.net", + "*.api.bing.com", + "ecn.dev.virtualearth.net", + "*.cn.bing.net", + "*.cn.bing.com", + "ssl-api.bing.com", + "ssl-api.bing.net", + "*.api.bing.net", + "*.bingapis.com", + "bingsandbox.com", + "feedback.microsoft.com", + "insertmedia.bing.office.net", + "r.bat.bing.com", + "*.r.bat.bing.com", + "*.dict.bing.com.cn", + "*.dict.bing.com", + "*.ssl.bing.com", + "*.appex.bing.com", + "*.platform.cn.bing.com", + "wp.m.bing.com", + "*.m.bing.com", + "global.bing.com", + "windowssearch.com", + "search.msn.com", + "*.bingsandbox.com", + "*.api.tiles.ditu.live.com", + "*.ditu.live.com", + "*.t0.tiles.ditu.live.com", + "*.t1.tiles.ditu.live.com", + "*.t2.tiles.ditu.live.com", + "*.t3.tiles.ditu.live.com", + "*.tiles.ditu.live.com", + "3d.live.com", + "api.search.live.com", + "beta.search.live.com", + "cnweb.search.live.com", + "dev.live.com", + "ditu.live.com", + "farecast.live.com", + "image.live.com", + "images.live.com", + "local.live.com.au", + "localsearch.live.com", + "ls4d.search.live.com", + "mail.live.com", + "mapindia.live.com", + "local.live.com", + "maps.live.com", + "maps.live.com.au", + "mindia.live.com", + "news.live.com", + "origin.cnweb.search.live.com", + "preview.local.live.com", + "search.live.com", + "test.maps.live.com", + "video.live.com", + "videos.live.com", + "virtualearth.live.com", + "wap.live.com", + "webmaster.live.com", + "webmasters.live.com", + "www.local.live.com.au", + "www.maps.live.com.au" + ], + "file.x509.issuer.common_name": "Microsoft IT TLS CA 5", + "file.x509.issuer.country": "US", + "file.x509.issuer.locality": "Redmond", + "file.x509.issuer.organization": "Microsoft Corporation", + "file.x509.issuer.organizational_unit": "Microsoft IT", + "file.x509.issuer.state_or_province": "Washington", + "file.x509.not_after": "2019-07-10T17:47:08.000Z", + "file.x509.not_before": "2017-07-20T17:47:08.000Z", + "file.x509.public_key_algorithm": "rsaEncryption", + "file.x509.public_key_exponent": 65537, + "file.x509.public_key_size": 2048, + "file.x509.serial_number": "2D00003299D7071DB7D1708A42000000003299", + "file.x509.signature_algorithm": "SHA256-RSA", + "file.x509.subject.common_name": "www.bing.com", + "file.x509.version_number": "3", "fileset.name": "x509", "input.type": "log", "log.offset": 0, diff --git a/x-pack/filebeat/module/zoom/_meta/config.yml b/x-pack/filebeat/module/zoom/_meta/config.yml new file mode 100644 index 00000000000..43c8ed43628 --- /dev/null +++ b/x-pack/filebeat/module/zoom/_meta/config.yml @@ -0,0 +1,19 @@ +- module: zoom + webhook: + enabled: true + + # The type of input to use + #var.input: http_endpoint + + # The interface to listen for incoming HTTP requests. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.listen_address: localhost + + # The port to bind to + #var.listen_port: 80 + + # The header Zoom uses to send its secret token, defaults to "Authorization" + #secret.header: Authorization + + # The secret token value created by Zoom + #secret.value: ZOOMTOKEN diff --git a/x-pack/filebeat/module/zoom/_meta/docs.asciidoc b/x-pack/filebeat/module/zoom/_meta/docs.asciidoc new file mode 100644 index 00000000000..e0b467fc63a --- /dev/null +++ b/x-pack/filebeat/module/zoom/_meta/docs.asciidoc @@ -0,0 +1,56 @@ +[role="xpack"] + +:modulename: zoom +:has-dashboards: false + + +== Zoom module +beta[] + +This is a module for Zoom webhook logs. The module creates an HTTP listener that accepts incoming webhooks from Zoom. + +To configure Zoom to send webhooks to the filebeat module, please follow the https://marketplace.zoom.us/docs/guides/build/webhook-only-app[Zoom Documentation]. + +include::../include/gs-link.asciidoc[] + +:fileset_ex: webhook + +include::../include/configuring-intro.asciidoc[] +include::../include/config-option-intro.asciidoc[] + +[float] +==== `webhook` fileset settings + +When a webhook integration is created on Zoom, it will show a special token used to ensure that filebeat only handles HTTP requests from the correct source. +This is configured with the `secret.header` and `secret.value` settings as shown below. + +Example config: + +[source,yaml] +---- +- module: zoom + webhook: + enabled: true + var.input: http_endpoint + var.listen_address: 0.0.0.0 + var.listen_port: 8080 + var.secret.header: Authorization + var.secret.value: ZOOMTOKEN +---- + +include::../include/var-paths.asciidoc[] + +*`var.listen_address`*:: + +The IP address of the interface the module should listen on. Also supports 0.0.0.0 to listen on all interfaces. + +*`var.listen_port`*:: + +The port the module should be listening on. + +*`var.ssl`*:: + +Configuration options for SSL parameters like the SSL certificate and CA to use for the HTTP(s) listener See <> for more information. + +:modulename!: +:has-dashboards!: diff --git a/x-pack/filebeat/module/zoom/_meta/fields.yml b/x-pack/filebeat/module/zoom/_meta/fields.yml new file mode 100644 index 00000000000..effe0e74b04 --- /dev/null +++ b/x-pack/filebeat/module/zoom/_meta/fields.yml @@ -0,0 +1,5 @@ +- key: zoom + title: Zoom + description: > + Module for handling incoming Zoom webhook requests + fields: diff --git a/x-pack/filebeat/module/zoom/fields.go b/x-pack/filebeat/module/zoom/fields.go new file mode 100644 index 00000000000..7a2df6de41f --- /dev/null +++ b/x-pack/filebeat/module/zoom/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package zoom + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "zoom", asset.ModuleFieldsPri, AssetZoom); err != nil { + panic(err) + } +} + +// AssetZoom returns asset data. +// This is the base64 encoded gzipped contents of module/zoom. +func AssetZoom() string { + return "eJzUnF9v27oVwN/vpyD6lAJpit5hA5aHAUXSu2VL7+3SZgXui0BTRxYbilRJyq7z6Qf+k2RblmSH9N36UMSOcvjjIXl4/lB8g55gc42ehah+QkhTzeAa/e4+5aCIpLWmgl+jv/2EEEIfRd4wQIWQqMQ8Z5QvEeVEVOYH82doDYtSiCck4XsDSqufECoosFxdWwHm3xvEcQVto+Gf3tRwjZZSNHXvWwkMsIJrtACNe9/nUOCG6cwKv0YFZgq2fr3HHv71+lBjqVry95/u0FdHr656f7GL3+9ChZUGmWFCRMN1RvOtp0KfnmCzFnL3dyOIFtOKRu+daKMHrCFHWiCMVA2EFpSgz80iPDHIp5pFErgHTzPVvqhBYi1k1MYfFci7W6RLrJGWdLkEaRRTAoIVTIDEpTCy336oMGX98TEkjQJ5HGHKYfKyjdLEBIamFSiNq3qQIscajkP4EuTtaugwApGAjbjMtBlPGTdeLNoTuzMEV2LNIcmUFUU3OdalUGAWaGgWrbFyfYf8bU4VVkoQaj6NwoKZfvFIx2YzIEysBg1pDbIQsoIcCT5Dm0kwU+gzrEPzbTzeryVwhHnLZqQjqlBTmyWVXyJdUmW+MP3hsEYrzBpACkaNRQuLGcUqHa0VHxFXNXUtZGod91tJAB95Rh+it828AJ+UWGekxJwDu4qr8C8GwCjXr0Pfitv3SqzQAkyf8hzyt5XIaUHNSgQGh9bgFmtM+2tIO/sblzPuLvVlU1t9BsahXfMK3WCOFoDeXdzxFdXw5jfONq8v0c8XnyRdYQ2vkZDoTxefmgWj5PXhPlSgFF5CVF0/cvq96as7dMG0iHyL00hp1OqlXyLiNAhUlyDRKy0yIrjGRL8yqrOf3Qi8mkZVoJTxV2Jq8bOTeXdrA5X+rN2ZEbMV6vuXZifGeS5BqUHHQQHPTZR1Em0CL2wBTPClJepRSiBAV+ZbfASlG5OolDdO5t3t6SPtqeJae8/lLP6paEMPvojqPVJamlGzE4byMNGKhrGA5Qy9cQfVoZijAtCUL89jCH1joyBNE3v/e3w8jaQUKu4ytDBbARERvKDLRnZEyLQ6iqVFTUlEKCPuFPWk2qecGnz8MkqgNJY6M4F7pJj9FmtAmOc2GeDXt8OxTU3gmD96FjyqY09JiYJc6wsryNuNMcC1qQs1ypc30uYBBvnMznD8bA4izcjhlodyVFHeaBjnoUo1ED14C5uaiSGUiStsM2hNddlX2qXVIvzAVc3gGr165ErjBQOEm5wK9L3BjOrNsA8UOlBjpQYwX9CFT17i/jZzeD3WpeCpHNkw02wbxj8kgq9Aqv15tE1jxiCFB7PDs+Z2qHsJ4hvMGLoXS7QAtzea4T20cB1rLtacCZxnjYzoHd56qejx4b7FXglK9r3QbRyzp1O+zKIbN7NeW0uB1m6xmNa00aVxEsAuAarKbuIRzBgMuzcOlwjOgWjI0wDnWxY5FjTmag3ybMSByfK6tkdnpHk2A56fEw14Ps10nmgZs7H1EXkXu93awdoFOrWHdUoBGdf2bvuHtoHd3aClfDuhK8+Xyhp7yBqkEhytrbNCOdXUwXr+aT7eVAuQkase1tx5p9I10OY+3l3ccQ2SY2bTRT9ffPjhP85gTZpI7K+BcbPraOyHzHUvohdid9dfrdTxmThvfOGHBq7iF7Y+BLntQPdId8bcrIFL+7t/N9DAJcKNFg9AwEqnSpuZoEos4Z5y+PtOMX6yY7GHoOsaHxiGabL4sciXEIUcSZLDihKIPPK3VqgbdhsSLTZHQEX2lvct9l6a6DiLnc5/HjQzO1vfTMT/JUMI/0dbCJzbaO9Nxnnj+wcYbTiD0YY/ymifOAxnMuQn0p3fuB8LamKedCnCHWvl0hKHD/hIIELmZ0u3t81NwMRNuQ+l2+eSRE+5b+97Rnz4uU2ehhKJozgQBHeIKdPvgWlnis/VXpqMfCu/NctVwzStWbc52oMY6hLV9sgqIiWQJ3e2NBekqYDrwwnDDv+c6Zi21dHMfk+18c2wT8dZU7yV1u/Y9rq8D5YwHbLNMpEQ6Q2j2Y/jJlNt4ezh3qZ4CQGljlsWQmOWKfo8PHonVD6MQGQEDqppsZlWUvtTtn+G+HSwzvvrgArKYO94wlzVdZhGTO+jXTXJlukpK/QgKvDh/SQ+aEG5zUPP2eSSHkbpb3fDlaSZ255xwFMEy0OnZQ67TZaioFLFPjhpaJAVPHi4Yw4Ww2mojNyToSJPLgsEB89HT8DE9Uosi/U7TkBJE3lbJOf6+7jvZDS7GchNZDYvFRGRn6Q2Iqoa8/hUVupJyqpo7OGzNQzMWvt4mpFqFGSH4BZCMMC7jtoE3F0RTjSUWKFPH+8QcLxgY+a6piSu9/VLw1hwv2y9RwqzxaKaEt3I7RjdEBxGW2FO9Sayufy1lzbcG0ZpgpBTjFa6tEvvzFfw+Me1xjBfNlHPDt57icezWN/lCSLagn8YJ+UJNkiBngkhBYsciPX0YITP5MihHvaBY3DkUBu31wTPM3FqCQo4AeOc6ybiwaqbRkqDERpArgGz6CaI/HLMuNgNiV6W6w7L3Mpt1fM4CkMYBa5jlwjCWwtW+J4pbF9YWEixtsnsCpNLtKb8EtH2UBXmuRR0xKSvQKpDMf5J2P9xAtsU8DD9INAaFpTjyFHB3oGzYLJ9a6Mk3wTlafINveWoBTLtWLg5UAlyqqfoJlVCtX03o9NQP7k6By1yIvVjCGyHzjPP4kliGLz0cJ65NQj+/Zs/X3x1D7y+RH+5eADSSHuoP/zZmupSNBoV9Ae4nIOtN/71wKP950Y7e85cawAcy+O0g5DO79rKsRrUvazYnFmSON8adDWRbQ00eAk8x8l8ECf+mEWd8Ej0tjHu5YHncMU+a/7eBq61MBPanTBXCC/MSsXdGKreI9y9vWrv1BgkfRaiMtFK2tKgLcrI7ftHBhjMf5HDtJ2p1T/sMROKYGamo4z9epcX+yKkpIMWWtly0GYS2jj3THi2LdRdN9C9dGFhH6bVWWK+hLjx5b9g0+rtIyVSKFGYUEbkDdEKUa5h6W2wzYlLcGGOVv37Zladw4zbDk+sIVCikQTSpvqHtN0OCOWm68fOmHPjtlyIagWsmDCPxtgmMuSYgdTKOFjepO84CB2peUQrBN8bWleHMkkts5UbOfJ8z93cBenvQWgnbngTNFTnbetX1gAz6nx0+5V9QIWifiEa7vcpmFu77xauqGrBd/Vwpv61g+BeUPIkl1sdbr+O2Gk3qk/0QH0xTq9VKda2rryzL/khbC9x8PHEu4sv4dolfzDxhgE2nwb7ImFJlZaY67Ruh38nzzQG0r+A3r0vKOSoD9eDjJ3Z+twmsgxla+17uAPe/gBX8kt+IuguRQH1l652Gpk2QV31Hidi9ZtbRCuwXcePxUmojuhY3VC9iU4Yu/5540ufkTmf6fA1cScx/k5rV5pNYCwjLh9jK6Mz2hx4xGRBvwofGZXyvFFRJ2e4pTBIjk0s5G426gWwv8kl5vTZRUpDFdUIwN/EIrNXscbD/qdYuNtdo8/cRpISK8qXNo2aFTLypTNCKODIN+POito2YndECgYZ5VloKaulIFG3s9AXW1qlHOGuV76tVBOKi0wUGVQ1ExuImf/rTlq2whHx3exV0OLsiZUJSGKOh5eIGBQ6Nm66apy7VdZWdUJrNo5rzOqYWZ6rsdSU0Dp5xNNraPuGitGrPHp0qV/ajsIX/+Bj3z9/MaOdi0mLXHgL0rQH+RGADPAq6utJU4R2xc/nUyU2tiDLQWPK1BWj/Clzac14w/4RdClyM+i+OZcazKWoF+JHP0N7NC8RXEfNSrXnPZzg3gVrJT54qccIYEEZZEarcc2lPZ9nxL4YcPz9uZMrsu4SGpt08WM+Vh0eA4w9G1v1OcE7ChzEEyzP3CtQgxgFw1oDhyNB7jhhTQ6uxilY7t+ycnV1eyeuu7NRLL4B0YjRp/DCbHvFVbhSd2L3VqDN81HpbbnPnxvDRNMVtM1s2/Lj8P8bAAD//+6SIKA=" +} diff --git a/x-pack/filebeat/module/zoom/module.yml b/x-pack/filebeat/module/zoom/module.yml new file mode 100644 index 00000000000..ed97d539c09 --- /dev/null +++ b/x-pack/filebeat/module/zoom/module.yml @@ -0,0 +1 @@ +--- diff --git a/x-pack/filebeat/module/zoom/webhook/_meta/fields.yml b/x-pack/filebeat/module/zoom/webhook/_meta/fields.yml new file mode 100644 index 00000000000..62f1c447f00 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/_meta/fields.yml @@ -0,0 +1,619 @@ +- name: zoom + type: group + release: beta + default_field: false + description: > + Module for parsing Zoom API Webhooks. + fields: + - name: master_account_id + type: keyword + description: > + Master Account related to a specific Sub Account + - name: sub_account_id + type: keyword + description: > + Related Sub Account + - name: operator_id + type: keyword + description: > + UserID that triggered the event + - name: operator + type: keyword + description: > + Username/Email related to the user that triggered the event + - name: account_id + type: keyword + description: > + Related accountID to the event + - name: timestamp + type: date + description: > + Timestamp related to the event + - name: creation_type + type: keyword + description: > + Creation type + - name: account.owner_id + type: keyword + description: > + UserID of the user whose sub account was created/disassociated + - name: account.email + type: keyword + description: > + Email related to the user the action was performed on + - name: account.owner_email + type: keyword + description: > + Email of the user whose sub account was created/disassociated + - name: account.account_name + type: keyword + description: > + When an account name is updated, this is the new value set + - name: account.account_alias + type: keyword + description: > + When an account alias is updated, this is the new value set + - name: account.account_support_name + type: keyword + description: > + When an account support_name is updated, this is the new value set + - name: account.account_support_email + type: keyword + description: > + When an account support_email is updated, this is the new value set + - name: chat_channel.name + type: keyword + description: > + The name of the channel that has been added/modified/deleted + - name: chat_channel.id + type: keyword + description: > + The ID of the channel that has been added/modified/deleted + - name: chat_channel.type + type: keyword + description: > + Type of channel related to the event. Can be 1(Invite-Only), 2(Private) or 3(Public) + - name: chat_message.id + type: keyword + description: > + Unique ID of the related chat message + - name: chat_message.type + type: keyword + description: > + Type of message, can be either "to_contact" or "to_channel" + - name: chat_message.session_id + type: keyword + description: > + SessionID for the channel related to the message + - name: chat_message.contact_email + type: keyword + description: > + Email address related to the user sending the message + - name: chat_message.contact_id + type: keyword + description: > + UserID belonging to the user receiving a message + - name: chat_message.channel_id + type: keyword + description: > + ChannelID related to the message + - name: chat_message.channel_name + type: keyword + description: > + Channel name related to the message + - name: chat_message.message + type: keyword + description: > + A string containing the full message that was sent + - name: meeting.id + type: keyword + description: > + Unique ID of the related meeting + - name: meeting.uuid + type: keyword + description: > + The UUID of the related meeting + - name: meeting.host_id + type: keyword + description: > + The UserID of the configured meeting host + - name: meeting.topic + type: keyword + description: > + Topic of the related meeting + - name: meeting.type + type: keyword + description: > + Type of meeting created + - name: meeting.start_time + type: date + description: > + Date and time the meeting started + - name: meeting.timezone + type: keyword + description: > + Which timezone is used for the meeting timestamps + - name: meeting.duration + type: long + description: > + The duration of a meeting in minutes + - name: meeting.issues + type: keyword + description: > + When a user reports an issue with the meeting, for example: "Unstable audio quality" + - name: meeting.password + type: keyword + description: > + Password related to the meeting + - name: phone.id + type: keyword + description: > + Unique ID for the phone or conversation + - name: phone.user_id + type: keyword + description: > + UserID for the phone owner related to a Call Log being completed + - name: phone.download_url + type: keyword + description: > + Download URL for the voicemail + - name: phone.ringing_start_time + type: date + description: > + The timestamp when a ringtone was established to the callee + - name: phone.connected_start_time + type: date + description: > + The date and time when a ringtone was established to the callee + - name: phone.answer_start_time + type: date + description: > + The date and time when the call was answered + - name: phone.call_end_time + type: date + description: > + The date and time when the call ended + - name: phone.call_id + type: keyword + description: > + Unique ID of the related call + - name: phone.duration + type: long + description: > + Duration of a voicemail in minutes + - name: phone.caller.id + type: keyword + description: > + UserID of the caller related to the voicemail/call + - name: phone.caller.user_id + type: keyword + description: > + UserID of the person which initiated the call + - name: phone.caller.number_type + type: keyword + description: > + The type of number, can be 1(Internal) or 2(External) + - name: phone.caller.name + type: keyword + description: > + The name of the related callee + - name: phone.caller.phone_number + type: keyword + description: > + Phone Number of the caller related to the call + - name: phone.caller.extension_type + type: keyword + description: > + Extension type of the caller number, can be user, callQueue, autoReceptionist or shareLineGroup + - name: phone.caller.extension_number + type: keyword + description: > + Extension number of the caller + - name: phone.caller.timezone + type: keyword + description: > + Timezone of the caller + - name: phone.caller.device_type + type: keyword + description: > + Device type used by the caller + - name: phone.callee.id + type: keyword + description: > + UserID of the callee related to the voicemail/call + - name: phone.callee.user_id + type: keyword + description: > + UserID of the related callee of a voicemail/call + - name: phone.callee.name + type: keyword + description: > + The name of the related callee + - name: phone.callee.number_type + type: keyword + description: > + The type of number, can be 1(Internal) or 2(External) + - name: phone.callee.phone_number + type: keyword + description: > + Phone Number of the callee related to the call + - name: phone.callee.extension_type + type: keyword + description: > + Extension type of the callee number, can be user, callQueue, autoReceptionist or shareLineGroup + - name: phone.callee.extension_number + type: keyword + description: > + Extension number of the callee related to the call + - name: phone.callee.timezone + type: keyword + description: > + Timezone of the callee related to the call + - name: phone.callee.device_type + type: keyword + description: > + Device type used by the callee related to the call + - name: phone.date_time + type: date + description: > + Date and time of the related phone event + - name: recording.id + type: keyword + description: > + Unique ID of the related recording + - name: recording.uuid + type: keyword + description: > + UUID of the related recording + - name: recording.host_id + type: keyword + description: > + UserID of the host of the meeting that was recorded + - name: recording.topic + type: keyword + description: > + Topic of the meeting related to the recording + - name: recording.type + type: keyword + description: > + Type of recording, can be multiple type of values, please check Zoom documentation + - name: recording.start_time + type: date + description: > + The date and time when the recording started + - name: recording.timezone + type: keyword + description: > + The timezone used for the recording date + - name: recording.duration + type: long + description: > + Duration of the recording in minutes + - name: recording.share_url + type: keyword + description: > + The URL to access the recording + - name: recording.total_size + type: long + description: > + Total size of the recording in bytes + - name: recording.recording_count + type: long + description: > + Number of recording files related to the recording + - name: recording.recording_file.recording_start + type: date + description: > + The date and time the recording started + - name: recording.recording_file.recording_end + type: date + description: > + The date and time the recording finished + - name: recording.host_email + type: keyword + description: > + Email address of the host related to the meeting that was recorded + - name: user.id + type: keyword + description: > + UserID related to the user event + - name: user.first_name + type: keyword + description: > + User first name related to the user event + - name: user.last_name + type: keyword + description: > + User last name related to the user event + - name: user.email + type: keyword + description: > + User email related to the user event + - name: user.type + type: keyword + description: > + User type related to the user event + - name: user.phone_number + type: keyword + description: > + User phone number related to the user event + - name: user.phone_country + type: keyword + description: > + User country code related to the user event + - name: user.company + type: keyword + description: > + User company related to the user event + - name: user.pmi + type: keyword + description: > + User personal meeting ID related to the user event + - name: user.use_pmi + type: boolean + description: > + If a user has PMI enabled + - name: user.pic_url + type: keyword + description: > + Full URL to the profile picture used by the user + - name: user.vanity_name + type: keyword + description: > + Name of the personal meeting room related to the user event + - name: user.timezone + type: keyword + description: > + Timezone configured for the user + - name: user.language + type: keyword + description: > + Language configured for the user + - name: user.host_key + type: keyword + description: > + Host key set for the user + - name: user.role + type: keyword + description: > + The configured role for the user + - name: user.dept + type: keyword + description: > + The configured departement for the user + - name: user.presence_status + type: keyword + description: > + Current presence status of user + - name: user.personal_notes + type: keyword + description: > + Personal notes for the User + - name: user.client_type + type: keyword + description: > + Type of client used by the user. Can be browser, mac, win, iphone or android + - name: user.version + type: keyword + description: > + Version of the client used by the user + - name: webinar.id + type: keyword + description: > + Unique ID for the related webinar + - name: webinar.join_url + type: keyword + description: > + The URL configured to join the webinar + - name: webinar.uuid + type: keyword + description: > + UUID for the related webinar + - name: webinar.host_id + type: keyword + description: > + UserID for the configured host of the webinar + - name: webinar.topic + type: keyword + description: > + Meeting topic of the related webinar + - name: webinar.type + type: keyword + description: > + Type of webinar created. Can be either 5(Webinar), 6(Recurring webinar without fixed time) or 9(Recurring webinar with fixed time) + - name: webinar.start_time + type: date + description: > + The date and time when the webinar started + - name: webinar.timezone + type: keyword + description: > + Timezone used for the dates related to the webinar + - name: webinar.duration + type: long + description: > + Duration of the webinar in minutes + - name: webinar.agenda + type: keyword + description: > + The configured agenda of the webinar + - name: webinar.password + type: keyword + description: > + Password configured to access the webinar + - name: webinar.issues + type: keyword + description: > + Any reported issues about a webinar is reported in this field + - name: zoomroom.id + type: keyword + description: > + Unique ID of the Zoom room + - name: zoomroom.room_name + type: keyword + description: > + The configured name of the Zoom room + - name: zoomroom.calendar_name + type: keyword + description: > + Calendar name of the Zoom room + - name: zoomroom.calendar_id + type: keyword + description: > + Unique ID of the calendar used by the Zoom room + - name: zoomroom.event_id + type: keyword + description: > + Unique ID of the calendar event associated with the Zoom Room + - name: zoomroom.change_key + type: keyword + description: > + Key used by Microsoft products integration that represents a specific version of a calendar + - name: zoomroom.resource_email + type: keyword + description: > + Email address associated with the calendar in use by the Zoom room + - name: zoomroom.email + type: keyword + description: > + Email address associated with the Zoom room itself + - name: zoomroom.issue + type: keyword + description: > + Any reported alerts or issues related to the Zoom room or its equipment + - name: zoomroom.alert_type + type: keyword + description: > + An integer value representing the type of alert. The list of alert types can be found in the Zoom documentation + - name: zoomroom.component + type: keyword + description: > + An integer value representing the type of equipment or component, The list of component types can be found in the Zoom documentation + - name: zoomroom.alert_kind + type: keyword + description: > + An integer value showing if the Zoom room alert has been either 1(Triggered) or 2(Cleared) + - name: registrant.id + type: keyword + description: > + Unique ID of the user registering to a meeting or webinar + - name: registrant.status + type: keyword + description: > + Status of the specific user registration + - name: registrant.email + type: keyword + description: > + Email of the user registering to a meeting or webinar + - name: registrant.first_name + type: keyword + description: > + First name of the user registering to a meeting or webinar + - name: registrant.last_name + type: keyword + description: > + Last name of the user registering to a meeting or webinar + - name: registrant.address + type: keyword + description: > + Address of the user registering to a meeting or webinar + - name: registrant.city + type: keyword + description: > + City of the user registering to a meeting or webinar + - name: registrant.country + type: keyword + description: > + Country of the user registering to a meeting or webinar + - name: registrant.zip + type: keyword + description: > + Zip code of the user registering to a meeting or webinar + - name: registrant.state + type: keyword + description: > + State of the user registering to a meeting or webinar + - name: registrant.phone + type: keyword + description: > + Phone number of the user registering to a meeting or webinar + - name: registrant.industry + type: keyword + description: > + Related industry of the user registering to a meeting or webinar + - name: registrant.org + type: keyword + description: > + Organization related to the user registering to a meeting or webinar + - name: registrant.job_title + type: keyword + description: > + Job title of the user registering to a meeting or webinar + - name: registrant.purchasing_time_frame + type: keyword + description: > + Choosen purchase timeframe of the user registering to a meeting or webinar + - name: registrant.role_in_purchase_process + type: keyword + description: > + Choosen role in a purchase process related to the user registering to a meeting or webinar + - name: registrant.no_of_employees + type: keyword + description: > + Number of employees choosen by the user registering to a meeting or webinar + - name: registrant.comments + type: keyword + description: > + Comments left by the user registering to a meeting or webinar + - name: registrant.join_url + type: keyword + description: > + The URL that the registrant can use to join the webinar + - name: participant.id + type: keyword + description: > + Unique ID of the participant related to a meeting + - name: participant.user_id + type: keyword + description: > + UserID of the participant related to a meeting + - name: participant.user_name + type: keyword + description: > + Username of the participant related to a meeting + - name: participant.join_time + type: date + description: > + The date and time a participant joined a meeting + - name: participant.leave_time + type: date + description: > + The date and time a participant left a meeting + - name: participant.sharing_details.link_source + type: keyword + description: > + Method of sharing with dropbox integration + - name: participant.sharing_details.content + type: keyword + description: > + Type of content that was shared + - name: participant.sharing_details.file_link + type: keyword + description: > + The file link that was shared + - name: participant.sharing_details.date_time + type: keyword + description: > + Timestamp the sharing started + - name: participant.sharing_details.source + type: keyword + description: > + The file source that was share + - name: old_values + type: flattened + description: > + Includes the old values when updating a object like user, meeting, account or webinar + - name: settings + type: flattened + description: > + The current active settings related to a object like user, meeting, account or webinar diff --git a/x-pack/filebeat/module/zoom/webhook/config/webhook.yml b/x-pack/filebeat/module/zoom/webhook/config/webhook.yml new file mode 100644 index 00000000000..207da5447e1 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/config/webhook.yml @@ -0,0 +1,36 @@ +{{ if eq .input "http_endpoint" }} + +type: http_endpoint +listen_address: {{ .listen_address }} +listen_port: {{ .listen_port }} +prefix: {{ .prefix }} +basic_auth: {{ .basic_auth }} +username: {{ .username }} +username: {{ .password }} +content_type: "{{ .content_type }}" +secret: {{ .secret | tojson }} +ssl: {{ .ssl | tojson }} + +{{ else if eq .input "file" }} + +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] + +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - decode_json_fields: + fields: [message] + target: zoom + - add_locale: ~ + - add_fields: + target: '' + fields: + ecs.version: 1.5.0 diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/account.yml b/x-pack/filebeat/module/zoom/webhook/ingest/account.yml new file mode 100644 index 00000000000..a873c6ae62c --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/account.yml @@ -0,0 +1,46 @@ +description: Pipeline for parsing Zoom account webhooks +processors: +- append: + field: event.category + value: iam +- append: + field: event.type + value: user +- append: + field: event.type + value: creation + if: ctx?.event?.action == 'account.created' +- append: + field: event.type + value: change + if: "['account.updated', 'account.settings_updated', 'account.disassociated'].contains(ctx?.event?.action)" +- rename: + field: zoom.account_id + target_field: zoom.master_account_id + ignore_missing: true +- rename: + field: zoom.object.id + target_field: zoom.sub_account_id + ignore_missing: true +- date: + field: zoom.time_stamp + target_field: '@timestamp' + formats: + - UNIX_MS + if: ctx?.zoom?.time_stamp != null + ignore_failure: true +- rename: + field: zoom.object + target_field: zoom.account + ignore_missing: true +- append: + field: related.user + value: "{{zoom.account.owner_id}}" + if: ctx?.zoom?.account?.owner_id != null +- remove: + field: zoom.time_stamp + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/chat_channel.yml b/x-pack/filebeat/module/zoom/webhook/ingest/chat_channel.yml new file mode 100644 index 00000000000..8f3140d2799 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/chat_channel.yml @@ -0,0 +1,58 @@ +description: Pipeline for parsing Zoom chat_channel webhooks +processors: +- append: + field: event.type + value: user + if: "['chat_channel.member_invited', 'chat_channel.member_joined', 'chat_channel.member_left'].contains(ctx?.event?.action)" +- append: + field: event.type + value: creation + if: ctx?.event?.action == 'chat_channel.created' +- append: + field: event.type + value: deletion + if: ctx?.event?.action == 'chat_channel.deleted' +- append: + field: event.type + value: change + if: ctx?.event?.action == 'chat_channel.updated' +- rename: + field: zoom.object + target_field: zoom.chat_channel + ignore_missing: true +- date: + field: zoom.chat_channel.timestamp + target_field: '@timestamp' + formats: + - UNIX_MS + if: ctx?.zoom?.chat_channel?.timestamp != null + ignore_failure: true +- remove: + field: zoom.chat_channel.date_time + ignore_missing: true + if: ctx?.zoom?.chat_channel?.timestamp != null +- date: + field: zoom.chat_channel.date_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: "ctx?.zoom?.chat_channel?.date_time != null && ctx?.zoom?.chat_channel?.timestamp == null" + ignore_failure: true +- remove: + field: zoom.chat_channel.timestamp + ignore_missing: true + if: ctx?.zoom?.chat_channel?.timestamp != null +- foreach: + field: zoom.chat_channel.members + processor: + append: + field: related.user + value: "{{_ingest._value.id}}" +# Removing to prevent nested values, added to related.user above +- remove: + field: zoom.chat_channel.members + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/chat_message.yml b/x-pack/filebeat/module/zoom/webhook/ingest/chat_message.yml new file mode 100644 index 00000000000..0e686080294 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/chat_message.yml @@ -0,0 +1,50 @@ +description: Pipeline for parsing Zoom chat_message webhooks +processors: +- append: + field: event.type + value: info +- append: + field: event.type + value: creation + if: ctx?.event?.action == 'chat_message.sent' +- append: + field: event.type + value: deletion + if: ctx?.event?.action == 'chat_message.deleted' +- append: + field: event.type + value: change + if: ctx?.event?.action == 'chat_message.updated' +- rename: + field: zoom.object + target_field: zoom.chat_message + ignore_missing: true +- append: + field: related.user + value: "{{zoom.chat_message.contact_id}}" + if: "ctx?.zoom?.chat_message?.contact_id != null" +- date: + field: zoom.chat_message.timestamp + target_field: '@timestamp' + formats: + - UNIX_MS + if: ctx?.zoom?.chat_message?.timestamp != null + ignore_failure: true +- remove: + field: zoom.chat_message.date_time + ignore_missing: true + if: ctx?.zoom?.chat_message?.timestamp != null +- date: + field: zoom.chat_message.date_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.zoom?.chat_message?.timestamp == null + ignore_failure: true +- remove: + field: zoom.chat_message.timestamp + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/meeting.yml b/x-pack/filebeat/module/zoom/webhook/ingest/meeting.yml new file mode 100644 index 00000000000..e0012edf8e4 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/meeting.yml @@ -0,0 +1,130 @@ +description: Pipeline for parsing Zoom meeting webhooks +processors: +- append: + field: event.type + value: info + if: ctx?.event?.action != 'meeting.alert' +- append: + field: event.type + value: error + if: ctx?.event?.action == 'meeting.alert' +- append: + field: event.type + value: allowed + if: ctx?.event?.action == 'meeting.registration_approved' +- append: + field: event.type + value: creation + if: "['meeting.registration_created', 'meeting.created'].contains(ctx?.event?.action)" +- append: + field: event.type + value: deletion + if: ctx?.event?.action == 'meeting.deleted' +- append: + field: event.type + value: change + if: ctx?.event?.action == 'meeting.updated' +- append: + field: event.type + value: start + if: "['meeting.started', 'meeting.sharing_started'].contains(ctx?.event?.action)" +- append: + field: event.type + value: end + if: "['meeting.ended', 'meeting.sharing_ended'].contains(ctx?.event?.action)" +- rename: + field: zoom.object + target_field: zoom.meeting + ignore_missing: true +- rename: + field: zoom.meeting.join_url + target_field: url.full + ignore_missing: true +- rename: + field: zoom.registrant.join_url + target_field: url.full + ignore_missing: true + if: ctx?.url?.full == null +- append: + field: related.user + value: "{{zoom.meeting.host_id}}" + if: ctx?.zoom?.meeting?.host_id != null +- date: + field: zoom.meeting.start_time + target_field: event.start + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'meeting.started' + ignore_failure: true +- date: + field: zoom.participant.sharing_details.date_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'meeting.sharing_started' + ignore_failure: true +- date: + field: zoom.participant.date_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: "['meeting.participant_put_in_waiting_room', 'meeting.participant_joined_waiting_room', 'meeting.participant_left_waiting_room'].contains(ctx?.event?.action)" + ignore_failure: true +- date: + field: zoom.participant.join_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'meeting.participant_joined' + ignore_failure: true +- date: + field: zoom.participant.leave_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'meeting.participant_left' + ignore_failure: true +- date: + field: zoom.time_stamp + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'meeting.updated' + ignore_failure: true +- script: + lang: painless + if: ctx?.zoom?.meeting?.duration != null + source: >- + ctx.event.duration = ctx.zoom.meeting.duration * 60L * 1000000000L; +- remove: + field: zoom.meeting.start_time + ignore_missing: true + if: ctx?.event?.action == 'meeting.started' +- remove: + field: zoom.meeting.duration + ignore_missing: true + if: ctx?.event?.duration != null +- remove: + field: zoom.participant.sharing_details.date_time + ignore_missing: true + if: ctx?.event?.action == 'meeting.sharing_started' +- remove: + field: zoom.participant.date_time + ignore_missing: true + if: "['meeting.participant_put_in_waiting_room', 'meeting.participant_joined_waiting_room', 'meeting.participant_left_waiting_room'].contains(ctx?.event?.action)" +- remove: + field: zoom.participant.join_time + ignore_missing: true + if: ctx?.event?.action == 'meeting.participant_joined' +- remove: + field: zoom.participant.leave_time + ignore_missing: true + if: ctx?.event?.action == 'meeting.participant_left' +- remove: + field: zoom.time_stamp + ignore_missing: true + if: ctx?.event?.action == 'meeting.updated' +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/phone.yml b/x-pack/filebeat/module/zoom/webhook/ingest/phone.yml new file mode 100644 index 00000000000..2e363e3da42 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/phone.yml @@ -0,0 +1,159 @@ +description: Pipeline for parsing Zoom phone webhooks +processors: +- append: + field: event.type + value: info +- append: + field: event.type + value: creation + if: "['phone.caller_ringing', 'phone.callee_ringing'].contains(ctx?.event?.action)" +- append: + field: event.type + value: start + if: "['phone.callee_answered', 'phone.caller_connected'].contains(ctx?.event?.action)" +- append: + field: event.type + value: end + if: "['phone.callee_missed', 'phone.callee_ended', 'phone.caller_ended'].contains(ctx?.event?.action)" +- rename: + field: zoom.object + target_field: zoom.phone + ignore_missing: true +- rename: + field: zoom.phone.download_url + target_field: url.full + ignore_missing: true +- date: + field: zoom.phone.ringing_start_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: "['phone.callee_ringing', 'phone.caller_ringing', 'phone.caller_ended'].contains(ctx?.event?.action)" + ignore_failure: true +- date: + field: zoom.phone.connected_start_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'phone.caller_connected' + ignore_failure: true +- date: + field: zoom.phone.answer_start_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: "ctx?.zoom?.phone.answer_start_time != null && ctx?.event?.action == 'phone.callee_answered'" + ignore_failure: true +- date: + field: zoom.phone.call_end_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: "['phone.callee_missed', 'phone.callee_ended', 'phone.caller_ended', 'phone.callee_rejected'].contains(ctx?.event?.action)" + ignore_failure: true +- date: + field: zoom.phone.date_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'phone.voicemail_received' + ignore_failure: true +# Calculates duration when duration is unknown but start and end time is known (with ringing_start_time) +- script: + lang: painless + if: "ctx?.zoom?.phone?.ringing_start_time != null && ctx?.zoom?.phone?.answer_start_time == null && ctx?.zoom?.phone?.call_end_time != null && ctx?.zoom?.duration == null" + source: >- + ctx.event.start = ctx.zoom.phone.ringing_start_time; + ctx.event.end = ctx.zoom.phone.call_end_time; + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ZonedDateTime end = ZonedDateTime.parse(ctx.event.end); + ctx.event.duration = ChronoUnit.NANOS.between(start, end); + +# Calculates duration when duration is unknown but start and end time is known (with answer_start_time) +- script: + lang: painless + if: "ctx?.zoom?.phone?.ringing_start_time == null && ctx?.zoom?.phone?.answer_start_time != null && ctx?.zoom?.phone?.call_end_time != null && ctx?.zoom?.duration == null" + source: >- + ctx.event.start = ctx.zoom.phone.answer_start_time; + ctx.event.end = ctx.zoom.phone.call_end_time; + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ZonedDateTime end = ZonedDateTime.parse(ctx.event.end); + ctx.event.duration = ChronoUnit.NANOS.between(start, end); + +# Duration is in minutes, so multiply by seconds and then multiply again to convert seconds to nano +- script: + lang: painless + if: ctx?.zoom?.duration != null + source: >- + ctx.event.duration = Integer.parseInt(ctx.zoom.duration) * 60L * 1000000000L; + +# Moving all voicemail related fields to their proper nested fields +# that already exists for all other phone webhooks +- rename: + field: zoom.phone.callee_user_id + target_field: zoom.phone.callee.user_id + ignore_missing: true +- rename: + field: zoom.phone.callee_extension_type + target_field: zoom.phone.callee.extension_type + ignore_missing: true +- rename: + field: zoom.phone.callee_id + target_field: zoom.phone.callee.id + ignore_missing: true +- rename: + field: zoom.phone.callee_name + target_field: zoom.phone.callee.name + ignore_missing: true +- rename: + field: zoom.phone.callee_number + target_field: zoom.phone.callee.phone_number + ignore_missing: true +- rename: + field: zoom.phone.callee_number_type + target_field: zoom.phone.callee.number_type + ignore_missing: true +- rename: + field: zoom.phone.callee_user_id + target_field: zoom.phone.callee.user_id + ignore_missing: true +- rename: + field: zoom.phone.callee_extension_type + target_field: zoom.phone.callee.extension_type + ignore_missing: true +- rename: + field: zoom.phone.caller_id + target_field: zoom.phone.caller.id + ignore_missing: true +- rename: + field: zoom.phone.caller_name + target_field: zoom.phone.caller.name + ignore_missing: true +- rename: + field: zoom.phone.caller_number + target_field: zoom.phone.caller.phone_number + ignore_missing: true +- rename: + field: zoom.phone.caller_number_type + target_field: zoom.phone.caller.number_type + ignore_missing: true +- append: + field: related.user + value: "{{zoom.phone.callee.user_id}}" + if: ctx?.zoom?.phone?.callee?.user_id != null +- append: + field: related.user + value: "{{zoom.phone.callee_user_id}}" + if: ctx?.zoom?.phone?.callee_user_id != null +- append: + field: related.user + value: "{{zoom.phone.caller.user_id}}" + if: ctx?.zoom?.phone?.caller?.user_id != null +- remove: + field: zoom.phone.date_time + ignore_missing: true + if: ctx?.event?.action == 'phone.voicemail_received' +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/pipeline.yml b/x-pack/filebeat/module/zoom/webhook/ingest/pipeline.yml new file mode 100644 index 00000000000..95c95cba215 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/pipeline.yml @@ -0,0 +1,96 @@ +description: Initial pipeline for parsing Zoom webhooks +processors: +- set: + field: observer.vendor + value: Zoom +- set: + field: observer.product + value: Webhook +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- append: + field: event.kind + value: event +- rename: + field: zoom.event + target_field: event.action + ignore_missing: true +- rename: + field: zoom.payload + target_field: _temp_.payload +- remove: + field: zoom +- rename: + field: _temp_.payload + target_field: zoom +- rename: + field: zoom.old_object + target_field: zoom.old_values + ignore_missing: true +- rename: + field: zoom.object.participant + target_field: zoom.participant + ignore_missing: true +- rename: + field: zoom.object.settings + target_field: zoom.settings + ignore_missing: true +- rename: + field: zoom.object.registrant + target_field: zoom.registrant + ignore_missing: true +- append: + field: related.user + value: "{{zoom.operator_id}}" + if: "ctx?.zoom?.operator_id != null" +# Removing some fields that have complex nested arrays that might impact performance +- remove: + field: + - message + - _temp_ + - zoom.object.occurrences + - zoom.old_values.occurrences + - zoom.object.recurrence + - zoom.old_values.recurrence + - zoom.object.managed_domains + - zoom.old_values.managed_domains + - zoom.registrant.custom_questions + - zoom.old_values.registrant.custom_questions + - zoom.object.call_logs + - zoom.old_values.call_logs + - zoom.object.recording_files + - zoom.old_values.recording_files + - zoom.object.call_logs + ignore_missing: true +- pipeline: + name: '{< IngestPipeline "meeting" >}' + if: "ctx?.event?.action.startsWith('meeting')" +- pipeline: + name: '{< IngestPipeline "account" >}' + if: "ctx?.event?.action.startsWith('account')" +- pipeline: + name: '{< IngestPipeline "chat_message" >}' + if: "ctx?.event?.action.startsWith('chat_message')" +- pipeline: + name: '{< IngestPipeline "chat_channel" >}' + if: "ctx?.event?.action.startsWith('chat_channel')" +- pipeline: + name: '{< IngestPipeline "phone" >}' + if: "ctx?.event?.action.startsWith('phone')" +- pipeline: + name: '{< IngestPipeline "recording" >}' + if: "ctx?.event?.action.startsWith('recording')" +- pipeline: + name: '{< IngestPipeline "user" >}' + if: "ctx?.event?.action.startsWith('user')" +- pipeline: + name: '{< IngestPipeline "webinar" >}' + if: "ctx?.event?.action.startsWith('webinar')" +- pipeline: + name: '{< IngestPipeline "zoomroom" >}' + if: "ctx?.event?.action.startsWith('zoomroom')" +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/recording.yml b/x-pack/filebeat/module/zoom/webhook/ingest/recording.yml new file mode 100644 index 00000000000..9e5ba923b12 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/recording.yml @@ -0,0 +1,86 @@ +description: Pipeline for parsing Zoom recording webhooks +processors: +- append: + field: event.type + value: info +- append: + field: event.type + value: creation + if: ctx?.event?.action == 'recording.registration_created' +- append: + field: event.type + value: allowed + if: ctx?.event?.action == 'recording.registration_approved' +- append: + field: event.type + value: denied + if: ctx?.event?.action == 'recording.registration_denied' +- append: + field: event.type + value: deletion + if: "['recording.deleted', 'recording.trashed'].contains(ctx?.event?.action)" +- append: + field: event.type + value: change + if: "['recording.paused', 'recording.resumed', 'recording.renamed', 'recording.recovered'].contains(ctx?.event?.action)" +- append: + field: event.type + value: start + if: ctx?.event?.action == 'recording.started' +- append: + field: event.type + value: end + if: "['recording.stopped', 'recording.completed', 'recording.transcript_completed'].contains(ctx?.event?.action)" +- rename: + field: zoom.object + target_field: zoom.recording + ignore_missing: true +- rename: + field: zoom.recording.share_url + target_field: url.full + ignore_missing: true +- date: + field: zoom.time_stamp + target_field: '@timestamp' + formats: + - UNIX_MS + if: ctx?.event?.action == 'recording.renamed' + ignore_failure: true +- set: + field: event.start + value: '{{ zoom.recording.recording_file.recording_start }}' + if: ctx?.event?.action == 'recording.started' +- set: + field: event.end + value: '{{ zoom.recording.recording_file.recording_end }}' + if: ctx?.event?.action == 'recording.stopped' +- script: + lang: painless + if: "ctx?.event?.end != null && ctx?.event?.start != null && ctx?.event?.action == 'recording.stopped'" + source: >- + ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); + ZonedDateTime end = ZonedDateTime.parse(ctx.event.end); + ctx.event.duration = ChronoUnit.NANOS.between(start, end); +- date: + field: zoom.recording.recording_file.recording_start + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: "ctx?.zoom?.recording?.recording_file?.recording_start != null && ctx?.event?.action == 'recording.started'" + ignore_failure: true +- append: + field: related.user + value: "{{zoom.recording.host_id}}" + if: "ctx?.zoom?.recording?.host_id != null" +- append: + field: related.user + value: "{{zoom.recording.registrant.id}}" + if: "ctx?.zoom?.recording?.registrant?.id != null" +- remove: + field: zoom.time_stamp + ignore_missing: true + if: ctx?.event?.action == 'recording.renamed' +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/user.yml b/x-pack/filebeat/module/zoom/webhook/ingest/user.yml new file mode 100644 index 00000000000..02afc6d6636 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/user.yml @@ -0,0 +1,61 @@ +description: Pipeline for parsing Zoom user webhooks +processors: +- append: + field: event.type + value: iam + if: "!['user.signed_in', 'user.signed_out'].contains(ctx?.event?.action)" +- append: + field: event.type + value: authentication + if: "['user.signed_in', 'user.signed_out'].contains(ctx?.event?.action)" +- append: + field: event.type + value: creation + if: ctx?.event?.action != 'user.created' +- append: + field: event.type + value: deletion + if: ctx?.event?.action == 'user.deleted' +- append: + field: event.type + value: change + if: "['user.updated', 'user.settings_updated', 'user.deactivated', 'user.activated', 'user.disassociated', 'user.presence_status_updated', 'user.personal_notes_updated'].contains(ctx?.event?.action)" +- append: + field: event.type + value: start + if: ctx?.event?.action == 'user.signed_in' +- append: + field: event.type + value: end + if: ctx?.event?.action == 'user.signed_out' +- rename: + field: zoom.object + target_field: zoom.user + ignore_missing: true +- date: + field: zoom.time_stamp + target_field: '@timestamp' + formats: + - UNIX_MS + if: "['user.updated', 'user.settings_updated'].contains(ctx?.event?.action)" + ignore_failure: true +- date: + field: zoom.user.date_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: "['user.signed_in', 'user.signed_out', 'user.personal_notes_updated', 'user.presence_status_updated'].contains(ctx?.event?.action)" + ignore_failure: true +- append: + field: related.user + value: "{{zoom.user.id}}" + if: "ctx?.zoom?.user?.id != null" +- remove: + field: + - zoom.time_stamp + - zoom.user.date_time + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/webinar.yml b/x-pack/filebeat/module/zoom/webhook/ingest/webinar.yml new file mode 100644 index 00000000000..f136fab304e --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/webinar.yml @@ -0,0 +1,82 @@ +description: Pipeline for parsing Zoom webinar webhooks +processors: +- append: + field: event.type + value: info + if: ctx?.event?.action != 'webinar.alert' +- append: + field: event.type + value: error + if: ctx?.event?.action == 'webinar.alert' +- append: + field: event.type + value: creation + if: "['webinar.created', 'webinar.registration_created'].contains(ctx?.event?.action)" +- append: + field: event.type + value: deletion + if: ctx?.event?.action == 'webinar.deleted' +- append: + field: event.type + value: allowed + if: ctx?.event?.action == 'webinar.registration_approved' +- append: + field: event.type + value: denied + if: ctx?.event?.action == 'webinar.registration_denied' +- append: + field: event.type + value: change + if: "['webinar.updated', 'webinar.registration_approved', 'webinar.registration_denied', 'webinar.registration_cancelled'].contains(ctx?.event?.action)" +- append: + field: event.type + value: start + if: "['webinar.started', 'webinar.sharing_started'].contains(ctx?.event?.action)" +- append: + field: event.type + value: end + if: "['webinar.ended', 'webinar.sharing_ended'].contains(ctx?.event?.action)" +- rename: + field: zoom.object + target_field: zoom.webinar + ignore_missing: true +- date: + field: zoom.time_stamp + target_field: '@timestamp' + formats: + - UNIX_MS + if: ctx?.event?.action == 'webinar.updated' + ignore_failure: true +- date: + field: zoom.webinar.start_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'webinar.started' + ignore_failure: true +- date: + field: zoom.participant.join_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'webinar.participant_joined' + ignore_failure: true +- date: + field: zoom.participant.leave_time + target_field: '@timestamp' + formats: + - ISO_INSTANT + if: ctx?.event?.action == 'webinar.participant_left' + ignore_failure: true +- append: + field: related.user + value: "{{zoom.webinar.host_id}}" + if: "ctx?.zoom?.webinar?.host_id != null" +- append: + field: related.user + value: "{{zoom.webinar.participant.user_id}}" + if: "ctx?.zoom?.webinar?.participant?.user_id != null" +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/zoomroom.yml b/x-pack/filebeat/module/zoom/webhook/ingest/zoomroom.yml new file mode 100644 index 00000000000..5c464b8ddd5 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/ingest/zoomroom.yml @@ -0,0 +1,26 @@ +description: Pipeline for parsing Zoom zoom_room webhooks +processors: +- append: + field: event.type + value: info + if: "['zoomroom.checked_in', 'zoomroom.checked_out'].contains(ctx?.event?.action)" +- append: + field: event.type + value: start + if: ctx?.event?.action == 'zoomroom.checked_in' +- append: + field: event.type + value: end + if: ctx?.event?.action == 'zoomroom.checked_out' +- rename: + field: zoom.object + target_field: zoom.zoomroom + ignore_missing: true +- append: + field: related.user + value: "{{zoom.user.id}}" + if: "ctx?.zoom?.user?.id != null" +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zoom/webhook/manifest.yml b/x-pack/filebeat/module/zoom/webhook/manifest.yml new file mode 100644 index 00000000000..31f78e24e25 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/manifest.yml @@ -0,0 +1,43 @@ +module_version: 1.0 + +var: + - name: listen_address + default: localhost + - name: listen_port + default: 80 + - name: input + default: http_endpoint + - name: content_type + default: "" + - name: response_code + - name: response_body + - name: url + - name: prefix + default: zoom + - name: basic_auth + default: false + - name: username + default: "" + - name: password + default: "" + - name: secret + default: + header: Authorization + value: "" + + - name: tags + default: [zoom-webhook, forwarded] + +ingest_pipeline: + - ingest/pipeline.yml + - ingest/account.yml + - ingest/chat_channel.yml + - ingest/chat_message.yml + - ingest/meeting.yml + - ingest/phone.yml + - ingest/recording.yml + - ingest/user.yml + - ingest/webinar.yml + - ingest/zoomroom.yml + +input: config/webhook.yml diff --git a/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log new file mode 100644 index 00000000000..b71f418e22c --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log @@ -0,0 +1,3 @@ +{"event":"account.created","payload":{"account_id":"lq8KK_EoRCq6ByEyA73qCA","operator":"youramazingemailhere@somemail.com","operator_id":"uLohghhRgfgrbTayCX6r2Q_qQsQ","object":{"id":"aIxE1yiRR8WghhUIO6eu9L","owner_id":"e2ZHO5RSGqyfrmFnElxw","owner_email":"thesubaccountowneremail@somemail.com"}}} +{"event":"account.updated","payload":{"account_id":"abKKcd_IGRCq63yEy673lCA","operator":"theoperatoremail@someemail.com","operator_id":"iKoRgfbaTazDX6r2Q_eQsQL","object":{"id":"eFs_EGRCq6ByEyA73qCA","account_name":"Michael Harris","account_alias":"MH"},"old_object":{"id":"eFs_EGRCq6ByEyA73qCA","account_name":"Mike Harris","account_alias":""},"time_stamp":1562000584527}} +{"event":"account.disassociated","payload":{"account_id":"aBcd_dgfoeq6ByEyA73qCA","operator":"youremail@someemail.com","operator_id":"gdjfdhjLsuhfvhjd","object":{"id":"LdjkfxE1yiRR8Wdfggeu9LfBQ","owner_id":"eZbcHO5RSGqyKAUmFnElxw","owner_email":"theowneremail@someemail.com"}}} diff --git a/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log-expected.json new file mode 100644 index 00000000000..34d5e7363e7 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log-expected.json @@ -0,0 +1,112 @@ +[ + { + "event.action": "account.created", + "event.category": [ + "iam" + ], + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLohghhRgfgrbTayCX6r2Q_qQsQ", + "e2ZHO5RSGqyfrmFnElxw" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account.owner_email": "thesubaccountowneremail@somemail.com", + "zoom.account.owner_id": "e2ZHO5RSGqyfrmFnElxw", + "zoom.master_account_id": "lq8KK_EoRCq6ByEyA73qCA", + "zoom.operator": "youramazingemailhere@somemail.com", + "zoom.operator_id": "uLohghhRgfgrbTayCX6r2Q_qQsQ", + "zoom.sub_account_id": "aIxE1yiRR8WghhUIO6eu9L" + }, + { + "event.action": "account.updated", + "event.category": [ + "iam" + ], + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 297, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "iKoRgfbaTazDX6r2Q_eQsQL" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account.account_alias": "MH", + "zoom.account.account_name": "Michael Harris", + "zoom.master_account_id": "abKKcd_IGRCq63yEy673lCA", + "zoom.old_values.account_alias": "", + "zoom.old_values.account_name": "Mike Harris", + "zoom.old_values.id": "eFs_EGRCq6ByEyA73qCA", + "zoom.operator": "theoperatoremail@someemail.com", + "zoom.operator_id": "iKoRgfbaTazDX6r2Q_eQsQL", + "zoom.sub_account_id": "eFs_EGRCq6ByEyA73qCA" + }, + { + "event.action": "account.disassociated", + "event.category": [ + "iam" + ], + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 670, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "gdjfdhjLsuhfvhjd", + "eZbcHO5RSGqyKAUmFnElxw" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account.owner_email": "theowneremail@someemail.com", + "zoom.account.owner_id": "eZbcHO5RSGqyKAUmFnElxw", + "zoom.master_account_id": "aBcd_dgfoeq6ByEyA73qCA", + "zoom.operator": "youremail@someemail.com", + "zoom.operator_id": "gdjfdhjLsuhfvhjd", + "zoom.sub_account_id": "LdjkfxE1yiRR8Wdfggeu9LfBQ" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log new file mode 100644 index 00000000000..3da7af8f760 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log @@ -0,0 +1,6 @@ +{"event":"chat_channel.created","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Delivering Happiness","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:39:50Z","timestamp":1581370790388,"members":[{"id":"z8dfgdfguQrdfgdf","display_name":"Maya Jung"},{"id":"sdfdsfdsKIrrCYw","display_name":"Matt Yank"}]}}} +{"event":"chat_channel.updated","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Building Happy","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:59:05Z","timestamp":1581371945584}}} +{"event":"chat_channel.deleted","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Building Happy","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:59:05Z","timestamp":1581371945584}}} +{"event":"chat_channel.member_invited","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Delivering Happiness","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:39:50Z","timestamp":1581370790388,"members":[{"id":"s0hhFOCYw","display_name":"Matt Y"}]}}} +{"event":"chat_channel.member_joined","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Delivering Happiness","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:39:50Z","timestamp":1581370790388}}} +{"event":"chat_channel.member_left","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Delivering Happiness","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:39:50Z","timestamp":1581370790388}}} diff --git a/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log-expected.json new file mode 100644 index 00000000000..100d3fbeea9 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log-expected.json @@ -0,0 +1,67 @@ +[ + { + "event.action": "chat_channel.created", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8dfgdfguQrdfgdf", + "z8dfgdfguQrdfgdf", + "sdfdsfdsKIrrCYw" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "vbbvnvAdsfe", + "zoom.chat_channel.id": "6dfgdfgdg444447b0egga", + "zoom.chat_channel.name": "Delivering Happiness", + "zoom.chat_channel.type": 1, + "zoom.operator": "somememai@gmtsffjdfhail.com", + "zoom.operator_id": "z8dfgdfguQrdfgdf" + }, + { + "event.action": "chat_channel.member_invited", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "user" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 963, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8dfgdfguQrdfgdf", + "s0hhFOCYw" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "vbbvnvAdsfe", + "zoom.chat_channel.id": "6dfgdfgdg444447b0egga", + "zoom.chat_channel.name": "Delivering Happiness", + "zoom.chat_channel.type": 1, + "zoom.operator": "somememai@gmtsffjdfhail.com", + "zoom.operator_id": "z8dfgdfguQrdfgdf" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log new file mode 100644 index 00000000000..45c38b08004 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log @@ -0,0 +1,3 @@ +{"event":"chat_message.sent","payload":{"account_id":"EPsdvdsgfdgxHMA","operator":"someoperatoremail@somekindofmailservice123.com","operator_id":"zfdgdfgdfgfp8uQ","object":{"channel_name":"AlwaysBeCodingChannel","date_time":"2020-02-11T22:02:11Z","session_id":"fcffdgfgffghfghgfhghgb10","id":"EwwwwA-87F4-222222-8CD9-FA00000E6B9","type":"to_channel","message":"asd","channel_id":"fsdgdgdgdfgdfgdfgdfgb10","timestamp":1581458531930}}} +{"event":"chat_message.updated","payload":{"account_id":"EPsdvdsgfdgxHMA","operator":"someoperatoremail@somekindofmailservice123.com","operator_id":"zfdgdfgdfgfp8uQ","object":{"channel_name":"AlwaysBeCodingChannel","date_time":"2020-02-11T22:02:11Z","session_id":"fcffdgfgffghfghgfhghgb10","id":"Ell123-87F4-222222-8CD9-FA00000E6B9","type":"to_channel","message":"gfd","channel_id":"fsdgdgdgdfgdfgdfgdfgb10","timestamp":1581462008594}}} +{"event":"chat_message.updated","payload":{"account_id":"EPsdvdsgfdgxHMA","operator":"someoperatoremail@somekindofmailservice123.com","operator_id":"zfdgdfgdfgfp8uQ","object":{"channel_name":"AlwaysBeCodingChannel","date_time":"2020-02-11T22:02:11Z","session_id":"fcffdgfgffghfghgfhghgb10","id":"Ell123-87F4-222222-8CD9-FA00000E6B9","type":"to_channel","message":null,"channel_id":"fsdgdgdgdfgdfgdfgdfgb10","timestamp":1581462008594}}} diff --git a/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log-expected.json new file mode 100644 index 00000000000..86cf03b6423 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log-expected.json @@ -0,0 +1,107 @@ +[ + { + "event.action": "chat_message.sent", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "zfdgdfgdfgfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPsdvdsgfdgxHMA", + "zoom.chat_message.channel_id": "fsdgdgdgdfgdfgdfgdfgb10", + "zoom.chat_message.channel_name": "AlwaysBeCodingChannel", + "zoom.chat_message.id": "EwwwwA-87F4-222222-8CD9-FA00000E6B9", + "zoom.chat_message.message": "asd", + "zoom.chat_message.session_id": "fcffdgfgffghfghgfhghgb10", + "zoom.chat_message.type": "to_channel", + "zoom.operator": "someoperatoremail@somekindofmailservice123.com", + "zoom.operator_id": "zfdgdfgdfgfp8uQ" + }, + { + "event.action": "chat_message.updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 434, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "zfdgdfgdfgfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPsdvdsgfdgxHMA", + "zoom.chat_message.channel_id": "fsdgdgdgdfgdfgdfgdfgb10", + "zoom.chat_message.channel_name": "AlwaysBeCodingChannel", + "zoom.chat_message.id": "Ell123-87F4-222222-8CD9-FA00000E6B9", + "zoom.chat_message.message": "gfd", + "zoom.chat_message.session_id": "fcffdgfgffghfghgfhghgb10", + "zoom.chat_message.type": "to_channel", + "zoom.operator": "someoperatoremail@somekindofmailservice123.com", + "zoom.operator_id": "zfdgdfgdfgfp8uQ" + }, + { + "event.action": "chat_message.updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 871, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "zfdgdfgdfgfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPsdvdsgfdgxHMA", + "zoom.chat_message.channel_id": "fsdgdgdgdfgdfgdfgdfgb10", + "zoom.chat_message.channel_name": "AlwaysBeCodingChannel", + "zoom.chat_message.id": "Ell123-87F4-222222-8CD9-FA00000E6B9", + "zoom.chat_message.message": null, + "zoom.chat_message.session_id": "fcffdgfgffghfghgfhghgb10", + "zoom.chat_message.type": "to_channel", + "zoom.operator": "someoperatoremail@somekindofmailservice123.com", + "zoom.operator_id": "zfdgdfgdfgfp8uQ" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log new file mode 100644 index 00000000000..5215e857972 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log @@ -0,0 +1,15 @@ +{"event":"meeting.alert","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Meeting","id":"6962400003","type":2,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","issues":"Unstable audio quality"}},"account_id":"EPeQtiABC000VYxHMA"} +{"event":"meeting.created","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","operator_id":"uLoRgfbbTayCX6r2Q_qQsQ","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":111111111,"host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles"}}} +{"event":"meeting.updated","payload":{"account_id":"AAAAAAAAAAA","operator":"someemail@email.com","operator_id":"BBBBBBBBBB","object":{"id":155184668,"type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"join_url":"https://zoom.us/j/00000000","settings":{"participant_video":false,"join_before_host":false,"use_pmi":true}},"old_object":{"id":155184668,"type":8,"join_url":"https://zoom.us/j/00000000","occurrences":[{"occurrence_id":"1562875200000","start_time":"2019-07-11T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1563480000000","start_time":"2019-07-18T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1564084800000","start_time":"2019-07-25T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1564689600000","start_time":"2019-08-01T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1565294400000","start_time":"2019-08-08T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1565899200000","start_time":"2019-08-15T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1566504000000","start_time":"2019-08-22T20:00:00Z","duration":120,"status":"available"}],"settings":{"participant_video":true,"join_before_host":true,"use_pmi":false},"recurrence":{"type":2,"repeat_interval":1,"weekly_days":"5","end_date_time":"2019-08-23T06:59:00Z"}},"time_stamp":1562791953209}} +{"event":"meeting.deleted","payload":{"account_id":"AAAAAAAAAA","operator":"someemail@email.com","operator_id":"BBBBBBBBBB","object":{"uuid":"KJpz1gbpTC8ke68xXmQa0==","id":809321987,"host_id":"BBBBBBBBBB","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles"}}} +{"event":"meeting.started","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles"}}} +{"event":"meeting.ended","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":10,"timezone":"America/Los_Angeles"}}} +{"event":"meeting.registration_created","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com","address":"","city":"","country":"","zip":"","state":"","phone":"","industry":"","org":"","job_title":"","purchasing_time_frame":"","role_in_purchase_process":"","no_of_employees":"","comments":"","custom_questions":[],"status":"approved","join_url":"https://zoom.us/w/someendpointhere"}}}} +{"event":"meeting.registration_approved","payload":{"account_id":"lAAAAAAAAAAAAA","operator":"somemail@email.com","operator_id":"Lobbbbbbbbbb_qQsQ","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":60,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} +{"event":"meeting.registration_cancelled","payload":{"account_id":"lAAAAAAAAAAAAA","operator":"coolemail@email.com","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} +{"event":"meeting.sharing_started","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Meeting","id":"6962400003","type":2,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","participant":{"id":"s0AAAASoSE1V8KIFOCYw","user_id":"16778000","user_name":"Arya Arya","sharing_details":{"link_source":"in_meeting","file_link":"","source":"dropbox","date_time":"2019-07-16T17:19:11Z","content":"application"}}},"account_id":"EPeQtiABC000VYxHMA"}} +{"event":"meeting.sharing_ended","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Meeting","id":"6962400003","type":2,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","participant":{"id":"s0AAAASoSE1V8KIFOCYw","user_id":"16778000","user_name":"Arya Arya","sharing_details":{"link_source":"in_meeting","file_link":"","source":"dropbox","date_time":"2019-07-16T17:19:11Z","content":"application"}}},"account_id":"EPeQtiABC000VYxHMA"}} +{"event":"meeting.participant_jbh_waiting","payload":{"account_id":"EPeQti9EQsiyO30GVYxHMA","object":{"duration":60,"timezone":"America/Los_Angeles","topic":"Mytestmeeting","id":"5590000000","type":2,"uuid":"WnxYNY9mQu6aSa/kYLu1lA==","host_id":"z8yCxjjyTAAAA2QgCfp8uQ","participant":{"user_name":"Shrijana Shrijana"}}}} +{"event":"meeting.participant_jbh_joined","payload":{"account_id":"APeeQti9ErttQsiyO30GVYxHMA","object":{"duration":60,"timezone":"America/Los_Angeles","topic":"Mytestmeeting","id":"5594913504","type":2,"uuid":"WnxYNryyY9mQu6aSa/kYLu1lA==","host_id":"zf8yCxjjyTSdteriw02QgCfp8uQ","participant":{"user_name":"Tom Harry"}}}} +{"event":"meeting.participant_joined","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles","participant":{"user_id":"167782040","user_name":"shree","id":"iFxeBPYun6SAiWUzBcEkX","join_time":"2019-07-16T17:13:13Z"}}}} +{"event":"meeting.participant_left","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles","participant":{"user_id":"167782040","user_name":"shree","id":"iFxeBPYun6SAiWUzBcEkX","leave_time":"2019-07-16T17:13:13Z"}}}} diff --git a/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log-expected.json new file mode 100644 index 00000000000..858f739d55a --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log-expected.json @@ -0,0 +1,586 @@ +[ + { + "event.action": "meeting.alert", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.meeting.host_id": "z8yCxTTTTSiw02QgCAp8uQ", + "zoom.meeting.id": "6962400003", + "zoom.meeting.issues": "Unstable audio quality", + "zoom.meeting.start_time": "2019-07-16T17:14:39Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "4118UHIiRCAAAtBlDkcVyw==" + }, + { + "event.action": "meeting.created", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 317, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ", + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.meeting.id": 111111111, + "zoom.meeting.start_time": "2019-07-09T17:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "czLF6FFFoQOKgAB99DlDb9g==", + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "uLoRgfbbTayCX6r2Q_qQsQ" + }, + { + "event.action": "meeting.updated", + "event.dataset": "zoom.webhook", + "event.duration": 7200000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 674, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "BBBBBBBBBB" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/j/00000000", + "zoom.account_id": "AAAAAAAAAAA", + "zoom.meeting.id": 155184668, + "zoom.meeting.start_time": "2019-07-11T20:00:00Z", + "zoom.meeting.type": 2, + "zoom.old_values.id": 155184668, + "zoom.old_values.join_url": "https://zoom.us/j/00000000", + "zoom.old_values.settings.join_before_host": true, + "zoom.old_values.settings.participant_video": true, + "zoom.old_values.settings.use_pmi": false, + "zoom.old_values.type": 8, + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "BBBBBBBBBB", + "zoom.settings.join_before_host": false, + "zoom.settings.participant_video": false, + "zoom.settings.use_pmi": true + }, + { + "event.action": "meeting.deleted", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "deletion" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2049, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "BBBBBBBBBB", + "BBBBBBBBBB" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAAAAAA", + "zoom.meeting.host_id": "BBBBBBBBBB", + "zoom.meeting.id": 809321987, + "zoom.meeting.start_time": "2019-07-09T17:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "KJpz1gbpTC8ke68xXmQa0==", + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "BBBBBBBBBB" + }, + { + "event.action": "meeting.started", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2370, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.meeting.id": "111111111", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "meeting.ended", + "event.dataset": "zoom.webhook", + "event.duration": 600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2657, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.meeting.id": "111111111", + "zoom.meeting.start_time": "2019-07-09T17:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "meeting.registration_created", + "event.dataset": "zoom.webhook", + "event.duration": 7200000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2942, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/w/someendpointhere", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.meeting.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.meeting.id": 150000008, + "zoom.meeting.start_time": "2019-07-11T20:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "A test meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "dj12vck6sdTn6yy7qdy3dQg==", + "zoom.registrant.address": "", + "zoom.registrant.city": "", + "zoom.registrant.comments": "", + "zoom.registrant.country": "", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.industry": "", + "zoom.registrant.job_title": "", + "zoom.registrant.last_name": "Person", + "zoom.registrant.no_of_employees": "", + "zoom.registrant.org": "", + "zoom.registrant.phone": "", + "zoom.registrant.purchasing_time_frame": "", + "zoom.registrant.role_in_purchase_process": "", + "zoom.registrant.state": "", + "zoom.registrant.status": "approved", + "zoom.registrant.zip": "" + }, + { + "event.action": "meeting.registration_approved", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3634, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "Lobbbbbbbbbb_qQsQ", + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.meeting.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.meeting.id": 150000008, + "zoom.meeting.start_time": "2019-07-11T20:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "A test meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "dj12vck6sdTn6yy7qdy3dQg==", + "zoom.operator": "somemail@email.com", + "zoom.operator_id": "Lobbbbbbbbbb_qQsQ", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person" + }, + { + "event.action": "meeting.registration_cancelled", + "event.dataset": "zoom.webhook", + "event.duration": 7200000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 4105, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.meeting.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.meeting.id": 150000008, + "zoom.meeting.start_time": "2019-07-11T20:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "A test meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "dj12vck6sdTn6yy7qdy3dQg==", + "zoom.operator": "coolemail@email.com", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person" + }, + { + "event.action": "meeting.sharing_started", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 4545, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQtiABC000VYxHMA", + "zoom.meeting.host_id": "z8yCxTTTTSiw02QgCAp8uQ", + "zoom.meeting.id": "6962400003", + "zoom.meeting.start_time": "2019-07-16T17:14:39Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "4118UHIiRCAAAtBlDkcVyw==", + "zoom.participant.id": "s0AAAASoSE1V8KIFOCYw", + "zoom.participant.sharing_details.content": "application", + "zoom.participant.sharing_details.file_link": "", + "zoom.participant.sharing_details.link_source": "in_meeting", + "zoom.participant.sharing_details.source": "dropbox", + "zoom.participant.user_id": "16778000", + "zoom.participant.user_name": "Arya Arya" + }, + { + "event.action": "meeting.sharing_ended", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5067, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQtiABC000VYxHMA", + "zoom.meeting.host_id": "z8yCxTTTTSiw02QgCAp8uQ", + "zoom.meeting.id": "6962400003", + "zoom.meeting.start_time": "2019-07-16T17:14:39Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "4118UHIiRCAAAtBlDkcVyw==", + "zoom.participant.id": "s0AAAASoSE1V8KIFOCYw", + "zoom.participant.sharing_details.content": "application", + "zoom.participant.sharing_details.date_time": "2019-07-16T17:19:11Z", + "zoom.participant.sharing_details.file_link": "", + "zoom.participant.sharing_details.link_source": "in_meeting", + "zoom.participant.sharing_details.source": "dropbox", + "zoom.participant.user_id": "16778000", + "zoom.participant.user_name": "Arya Arya" + }, + { + "event.action": "meeting.participant_jbh_waiting", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5587, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjjyTAAAA2QgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQti9EQsiyO30GVYxHMA", + "zoom.meeting.host_id": "z8yCxjjyTAAAA2QgCfp8uQ", + "zoom.meeting.id": "5590000000", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "Mytestmeeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "WnxYNY9mQu6aSa/kYLu1lA==", + "zoom.participant.user_name": "Shrijana Shrijana" + }, + { + "event.action": "meeting.participant_jbh_joined", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5907, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "zf8yCxjjyTSdteriw02QgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "APeeQti9ErttQsiyO30GVYxHMA", + "zoom.meeting.host_id": "zf8yCxjjyTSdteriw02QgCfp8uQ", + "zoom.meeting.id": "5594913504", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "Mytestmeeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "WnxYNryyY9mQu6aSa/kYLu1lA==", + "zoom.participant.user_name": "Tom Harry" + }, + { + "event.action": "meeting.participant_joined", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 6230, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.meeting.id": "111111111", + "zoom.meeting.start_time": "2019-07-09T17:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "czLF6FFFoQOKgAB99DlDb9g==", + "zoom.participant.id": "iFxeBPYun6SAiWUzBcEkX", + "zoom.participant.user_id": "167782040", + "zoom.participant.user_name": "shree" + }, + { + "event.action": "meeting.participant_left", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 6650, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.meeting.id": "111111111", + "zoom.meeting.start_time": "2019-07-09T17:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "czLF6FFFoQOKgAB99DlDb9g==", + "zoom.participant.id": "iFxeBPYun6SAiWUzBcEkX", + "zoom.participant.user_id": "167782040", + "zoom.participant.user_name": "shree" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log new file mode 100644 index 00000000000..30931c4b742 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log @@ -0,0 +1,11 @@ +{"event":"phone.caller_ringing","payload":{"account_id":"EPeQ33fdf34YxHMA","object":{"call_id":"ddd5540","caller":{"extension_number":10803,"phone_number":"10803","user_id":"cadsd32wA","timezone":"America/Los_Angeles","device_type":"Android_Phone(5.1.2)"},"callee":{"extension_number":10800,"phone_number":"10800"},"ringing_start_time":"2020-07-22T01:41:55Z"}}} +{"event":"phone.caller_connected","payload":{"account_id":"EPeQdfg34VYxHMA","object":{"call_id":"684445540","caller":{"extension_number":10803,"phone_number":"10803","user_id":"cajhdsf3wA","timezone":"America/Los_Angeles","device_type":"Android_Phone"},"callee":{"extension_number":10800,"phone_number":"10800"},"ringing_start_time":"2020-07-22T01:41:55Z","connected_start_time":"2020-07-22T01:42:04Z"}}} +{"event":"phone.caller_ringing","payload":{"account_id":"cbvxnYyO30GVYxHMA","object":{"call_id":"68sdsasdda7","caller":{"extension_number":10800,"phone_number":"+1200000001","user_id":"z8yCxjgjsuyd58uQ","timezone":"America/Los_Angeles","device_type":"MAC_Client(5.1.2856436)"},"callee":{"phone_number":"16654444444444446"},"ringing_start_time":"2020-07-22T01:38:40Z"}}} +{"event":"phone.callee_answered","payload":{"account_id":"EPsjdhgffgHMA","object":{"call_id":"685dfvhzsza5540","caller":{"extension_number":10803,"phone_number":"10803"},"callee":{"extension_number":10800,"phone_number":"10800","user_id":"z8yCDSSQWSSWuQ","timezone":"America/Los_Angeles","device_type":"MAC_Client"},"ringing_start_time":"2020-07-22T01:41:56Z","answer_start_time":"2020-07-22T01:42:04Z"}}} +{"event":"phone.callee_missed","payload":{"object":{"caller":{"phone_number":"+1000000"},"callee":{"user_id":"z66jfgjdg2QgCfp8uQ","extension_number":"10800","timezone":"America/Los_Angeles"},"call_id":"6dfdg07-22T21:09:17Z","call_end_time":"2020-07-22T21:09:24Z"},"account_id":"EPeQjuh6768MA"}} +{"event":"phone.callee_ended","payload":{"object":{"caller":{"phone_number":"+1000000"},"callee":{"user_id":"z66jfgjdg2QgCfp8uQ","extension_number":"10800","timezone":"America/Los_Angeles"},"call_id":"6dfdg07-22T21:09:17Z","answer_start_time":"2020-07-22T21:09:20Z","call_end_time":"2020-07-22T21:09:24Z"},"account_id":"EPeQjuh6768MA"}} +{"event":"phone.caller_ended","payload":{"object":{"caller":{"phone_number":"+1000000"},"callee":{"user_id":"z66jfgjdg2QgCfp8uQ","extension_number":"10800","timezone":"America/Los_Angeles"},"call_id":"6dfdg07-22T21:09:17Z","answer_start_time":"2020-07-22T21:09:20Z","call_end_time":"2020-07-22T21:09:24Z"},"account_id":"EPeQjuh6768MA"}} +{"event":"phone.callee_rejected","payload":{"object":{"caller":{"phone_number":"+12044444444"},"callee":{"user_id":"sfcg43FOCYw","extension_number":"9001","timezone":"America/Los_Angeles"},"call_id":"6dfhggtrh93","ringing_start_time":"2020-07-22T21:06:33Z","call_end_time":"2020-07-22T21:06:39Z"},"account_id":"MKDRWo34535wow"}} +{"event":"phone.voicemail_received","payload":{"account_id":"test","object":{"id":"235435","date_time":"2020-07-22T21:06:39Z","download_url":"https://testurl.com/file.mp4","duration":"1235","caller_number":"+12044444444","caller_number_type":"3","caller_name":"Testaccount","callee_user_id":"543234","callee_number":"+12044444444","callee_number_type":"2","callee_name":"Testaccount2","callee_extension_type":"2","callee_id":"1234"}}} +{"event":"phone.caller_call_log_completed","payload":{"account_id":"EPebnxvbdn342MA","object":{"call_logs":[{"id":"02dfdfsd9e33","caller_number":"10803","caller_number_type":1,"caller_name":"Shree","callee_number":"10800","callee_number_type":1,"callee_name":"Maya","direction":"outbound","duration":44,"result":"Call connected","date_time":"2020-07-22T01:41:55Z"}],"user_id":"caddsfsdfv_VaHE53wA"}}} +{"event":"phone.callee_call_log_completed","payload":{"account_id":"EPeQt3543hvxzc","object":{"call_logs":[{"id":"1585adsfsdfec39404b","caller_number":"10803","caller_number_type":1,"caller_name":"Shrye","callee_number":"10800","callee_number_type":1,"callee_name":"Ryhee","direction":"inbound","duration":44,"result":"Call connected","date_time":"2020-07-22T01:41:56Z"}],"user_id":"z8sdfsdfds3uQ"}}} diff --git a/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log-expected.json new file mode 100644 index 00000000000..c5ef97dac47 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log-expected.json @@ -0,0 +1,376 @@ +[ + { + "event.action": "phone.caller_ringing", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "cadsd32wA" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQ33fdf34YxHMA", + "zoom.phone.call_id": "ddd5540", + "zoom.phone.callee.extension_number": 10800, + "zoom.phone.callee.phone_number": "10800", + "zoom.phone.caller.device_type": "Android_Phone(5.1.2)", + "zoom.phone.caller.extension_number": 10803, + "zoom.phone.caller.phone_number": "10803", + "zoom.phone.caller.timezone": "America/Los_Angeles", + "zoom.phone.caller.user_id": "cadsd32wA", + "zoom.phone.ringing_start_time": "2020-07-22T01:41:55Z" + }, + { + "event.action": "phone.caller_connected", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 362, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "cajhdsf3wA" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQdfg34VYxHMA", + "zoom.phone.call_id": "684445540", + "zoom.phone.callee.extension_number": 10800, + "zoom.phone.callee.phone_number": "10800", + "zoom.phone.caller.device_type": "Android_Phone", + "zoom.phone.caller.extension_number": 10803, + "zoom.phone.caller.phone_number": "10803", + "zoom.phone.caller.timezone": "America/Los_Angeles", + "zoom.phone.caller.user_id": "cajhdsf3wA", + "zoom.phone.connected_start_time": "2020-07-22T01:42:04Z", + "zoom.phone.ringing_start_time": "2020-07-22T01:41:55Z" + }, + { + "event.action": "phone.caller_ringing", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 767, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjgjsuyd58uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "cbvxnYyO30GVYxHMA", + "zoom.phone.call_id": "68sdsasdda7", + "zoom.phone.callee.phone_number": "16654444444444446", + "zoom.phone.caller.device_type": "MAC_Client(5.1.2856436)", + "zoom.phone.caller.extension_number": 10800, + "zoom.phone.caller.phone_number": "+1200000001", + "zoom.phone.caller.timezone": "America/Los_Angeles", + "zoom.phone.caller.user_id": "z8yCxjgjsuyd58uQ", + "zoom.phone.ringing_start_time": "2020-07-22T01:38:40Z" + }, + { + "event.action": "phone.callee_answered", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1137, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCDSSQWSSWuQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPsjdhgffgHMA", + "zoom.phone.answer_start_time": "2020-07-22T01:42:04Z", + "zoom.phone.call_id": "685dfvhzsza5540", + "zoom.phone.callee.device_type": "MAC_Client", + "zoom.phone.callee.extension_number": 10800, + "zoom.phone.callee.phone_number": "10800", + "zoom.phone.callee.timezone": "America/Los_Angeles", + "zoom.phone.callee.user_id": "z8yCDSSQWSSWuQ", + "zoom.phone.caller.extension_number": 10803, + "zoom.phone.caller.phone_number": "10803", + "zoom.phone.ringing_start_time": "2020-07-22T01:41:56Z" + }, + { + "event.action": "phone.callee_missed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1543, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z66jfgjdg2QgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQjuh6768MA", + "zoom.phone.call_end_time": "2020-07-22T21:09:24Z", + "zoom.phone.call_id": "6dfdg07-22T21:09:17Z", + "zoom.phone.callee.extension_number": "10800", + "zoom.phone.callee.timezone": "America/Los_Angeles", + "zoom.phone.callee.user_id": "z66jfgjdg2QgCfp8uQ", + "zoom.phone.caller.phone_number": "+1000000" + }, + { + "event.action": "phone.callee_ended", + "event.dataset": "zoom.webhook", + "event.duration": 4000000000, + "event.end": "2020-07-22T21:09:24Z", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.start": "2020-07-22T21:09:20Z", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1838, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z66jfgjdg2QgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQjuh6768MA", + "zoom.phone.answer_start_time": "2020-07-22T21:09:20Z", + "zoom.phone.call_end_time": "2020-07-22T21:09:24Z", + "zoom.phone.call_id": "6dfdg07-22T21:09:17Z", + "zoom.phone.callee.extension_number": "10800", + "zoom.phone.callee.timezone": "America/Los_Angeles", + "zoom.phone.callee.user_id": "z66jfgjdg2QgCfp8uQ", + "zoom.phone.caller.phone_number": "+1000000" + }, + { + "event.action": "phone.caller_ended", + "event.dataset": "zoom.webhook", + "event.duration": 4000000000, + "event.end": "2020-07-22T21:09:24Z", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.start": "2020-07-22T21:09:20Z", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2175, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z66jfgjdg2QgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQjuh6768MA", + "zoom.phone.answer_start_time": "2020-07-22T21:09:20Z", + "zoom.phone.call_end_time": "2020-07-22T21:09:24Z", + "zoom.phone.call_id": "6dfdg07-22T21:09:17Z", + "zoom.phone.callee.extension_number": "10800", + "zoom.phone.callee.timezone": "America/Los_Angeles", + "zoom.phone.callee.user_id": "z66jfgjdg2QgCfp8uQ", + "zoom.phone.caller.phone_number": "+1000000" + }, + { + "event.action": "phone.callee_rejected", + "event.dataset": "zoom.webhook", + "event.duration": 6000000000, + "event.end": "2020-07-22T21:06:39Z", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.start": "2020-07-22T21:06:33Z", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2512, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "sfcg43FOCYw" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "MKDRWo34535wow", + "zoom.phone.call_end_time": "2020-07-22T21:06:39Z", + "zoom.phone.call_id": "6dfhggtrh93", + "zoom.phone.callee.extension_number": "9001", + "zoom.phone.callee.timezone": "America/Los_Angeles", + "zoom.phone.callee.user_id": "sfcg43FOCYw", + "zoom.phone.caller.phone_number": "+12044444444", + "zoom.phone.ringing_start_time": "2020-07-22T21:06:33Z" + }, + { + "event.action": "phone.voicemail_received", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2841, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "543234" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://testurl.com/file.mp4", + "zoom.account_id": "test", + "zoom.phone.callee.extension_type": "2", + "zoom.phone.callee.id": "1234", + "zoom.phone.callee.name": "Testaccount2", + "zoom.phone.callee.number_type": "2", + "zoom.phone.callee.phone_number": "+12044444444", + "zoom.phone.callee.user_id": "543234", + "zoom.phone.caller.name": "Testaccount", + "zoom.phone.caller.number_type": "3", + "zoom.phone.caller.phone_number": "+12044444444", + "zoom.phone.duration": "1235", + "zoom.phone.id": "235435" + }, + { + "event.action": "phone.caller_call_log_completed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3276, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPebnxvbdn342MA", + "zoom.phone.user_id": "caddsfsdfv_VaHE53wA" + }, + { + "event.action": "phone.callee_call_log_completed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3677, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQt3543hvxzc", + "zoom.phone.user_id": "z8sdfsdfds3uQ" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log new file mode 100644 index 00000000000..1b270331d00 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log @@ -0,0 +1,13 @@ +{"event":"recording.started","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","recording_file":{"recording_start":"2019-07-31T22:41:02Z","recording_end":""}}}} +{"event":"recording.paused","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","recording_file":{"recording_start":"2019-07-31T22:41:02Z","recording_end":""}}}} +{"event":"recording.resumed","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","recording_file":{"recording_start":"2019-07-31T22:45:02Z","recording_end":""}}}} +{"event":"recording.stopped","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":8,"timezone":"America/Los_Angeles","recording_file":{"recording_start":"2019-07-31T22:41:02Z","recording_end":"2019-07-31T22:43:29Z"}}}} +{"event":"recording.completed","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","host_email":"somemeail@someemailservice.fjdjf","total_size":529758,"recording_count":4,"share_url":"https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh","recording_files":[{"id":"8f88599d-19ca-4d2b-a965-1196e777cb3c","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"MP4","file_size":282825,"play_url":"https://zoom.us/recording/play/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","download_url":"https://zoom.us/recording/download/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","status":"completed","recording_type":"shared_screen_with_speaker_view"},{"id":"a6b332f9-2246-49e5-913e-588adc7f0f5f","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"M4A","file_size":246560,"play_url":"https://zoom.us/recording/play/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","download_url":"https://zoom.us/recording/download/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","status":"completed","recording_type":"audio_only"},{"meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TIMELINE","download_url":"https://zoom.us/recording/download/2dBBBBBccccDDDDeeee"},{"id":"97a4f7ca-e7e8-4e3b-b28a-27b42cd33c09","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TRANSCRIPT","file_size":373,"play_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","download_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","status":"completed","recording_type":"audio_transcript"}]}}} +{"event":"recording.renamed","payload":{"account_id":"EPhgfhfghfYxHMA","operator":"shrifdfdh@kjdmail.com","operator_id":"zdhghgCfp8uQ","object":{"uuid":"9xxxkifpPUz+Ow==","id":7000000,"topic":"Edited Recording Title","type":1},"old_object":{"uuid":"9xxxkifpPUz+Ow==","id":7000000,"topic":"My Fancy Recording Title","type":1},"time_stamp":1575500457395}} +{"event":"recording.trashed","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","total_size":529758,"recording_count":4,"share_url":"https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh","recording_files":[{"id":"8f88599d-19ca-4d2b-a965-1196e777cb3c","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"MP4","file_size":282825,"play_url":"https://zoom.us/recording/play/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","download_url":"https://zoom.us/recording/download/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","status":"completed","recording_type":"shared_screen_with_speaker_view"},{"id":"a6b332f9-2246-49e5-913e-588adc7f0f5f","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"M4A","file_size":246560,"play_url":"https://zoom.us/recording/play/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","download_url":"https://zoom.us/recording/download/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","status":"completed","recording_type":"audio_only"},{"meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TIMELINE","download_url":"https://zoom.us/recording/download/2dBBBBBccccDDDDeeee"},{"id":"97a4f7ca-e7e8-4e3b-b28a-27b42cd33c09","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TRANSCRIPT","file_size":373,"play_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","download_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","status":"completed","recording_type":"audio_transcript"}]}}} +{"event":"recording.deleted","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","total_size":529758,"recording_count":4,"share_url":"https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh","recording_files":[{"id":"8f88599d-19ca-4d2b-a965-1196e777cb3c","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"MP4","file_size":282825,"play_url":"https://zoom.us/recording/play/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","download_url":"https://zoom.us/recording/download/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","status":"completed","recording_type":"shared_screen_with_speaker_view"},{"id":"a6b332f9-2246-49e5-913e-588adc7f0f5f","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"M4A","file_size":246560,"play_url":"https://zoom.us/recording/play/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","download_url":"https://zoom.us/recording/download/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","status":"completed","recording_type":"audio_only"},{"meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TIMELINE","download_url":"https://zoom.us/recording/download/2dBBBBBccccDDDDeeee"},{"id":"97a4f7ca-e7e8-4e3b-b28a-27b42cd33c09","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TRANSCRIPT","file_size":373,"play_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","download_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","status":"completed","recording_type":"audio_transcript"}]}}} +{"event":"recording.recovered","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","total_size":529758,"recording_count":4,"share_url":"https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh","recording_files":[{"id":"8f88599d-19ca-4d2b-a965-1196e777cb3c","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"MP4","file_size":282825,"play_url":"https://zoom.us/recording/play/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","download_url":"https://zoom.us/recording/download/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","status":"completed","recording_type":"shared_screen_with_speaker_view"},{"id":"a6b332f9-2246-49e5-913e-588adc7f0f5f","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"M4A","file_size":246560,"play_url":"https://zoom.us/recording/play/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","download_url":"https://zoom.us/recording/download/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","status":"completed","recording_type":"audio_only"},{"meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TIMELINE","download_url":"https://zoom.us/recording/download/2dBBBBBccccDDDDeeee"},{"id":"97a4f7ca-e7e8-4e3b-b28a-27b42cd33c09","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TRANSCRIPT","file_size":373,"play_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","download_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","status":"completed","recording_type":"audio_transcript"}]}}} +{"event":"recording.transcript_completed","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","total_size":529758,"recording_count":4,"share_url":"https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh","recording_files":[{"id":"296cdfgdfg-768a838","meeting_id":"Buyiz+Ow==","recording_start":"2019-11-23T01:56:08Z","recording_end":"2019-11-23T01:57:44Z","file_type":"TRANSCRIPT","file_size":142,"play_url":"https://zoom.us/recording/play/ytutuytuyu","download_url":"https://zoom.us/recording/download/ytutuytuyu","status":"completed","recording_type":"audio_transcript"}]}}} +{"event":"recording.registration_created","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} +{"event":"recording.registration_approved","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} +{"event":"recording.registration_denied","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} diff --git a/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log-expected.json new file mode 100644 index 00000000000..f7a97693de5 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log-expected.json @@ -0,0 +1,385 @@ +[ + { + "event.action": "recording.stopped", + "event.dataset": "zoom.webhook", + "event.end": "2019-07-31T22:43:29Z", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1076, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 8, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_file.recording_end": "2019-07-31T22:43:29Z", + "zoom.recording.recording_file.recording_start": "2019-07-31T22:41:02Z", + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.completed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1455, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_email": "somemeail@someemailservice.fjdjf", + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_count": 4, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.total_size": 529758, + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.renamed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3433, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "zdhghgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPhgfhfghfYxHMA", + "zoom.old_values.id": 7000000, + "zoom.old_values.topic": "My Fancy Recording Title", + "zoom.old_values.type": 1, + "zoom.old_values.uuid": "9xxxkifpPUz+Ow==", + "zoom.operator": "shrifdfdh@kjdmail.com", + "zoom.operator_id": "zdhghgCfp8uQ", + "zoom.recording.id": 7000000, + "zoom.recording.topic": "Edited Recording Title", + "zoom.recording.type": 1, + "zoom.recording.uuid": "9xxxkifpPUz+Ow==" + }, + { + "event.action": "recording.trashed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "deletion" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3787, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_count": 4, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.total_size": 529758, + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.deleted", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "deletion" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5715, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_count": 4, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.total_size": 529758, + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.recovered", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 7643, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_count": 4, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.total_size": 529758, + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.transcript_completed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 9573, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_count": 4, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.total_size": 529758, + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.registration_created", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 10346, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 120, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person" + }, + { + "event.action": "recording.registration_approved", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 10753, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 120, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person" + }, + { + "event.action": "recording.registration_denied", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 11161, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 120, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log new file mode 100644 index 00000000000..26aaee344d4 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log @@ -0,0 +1,13 @@ +{"event":"user.created","payload":{"account_id":"AAAAAA","operator":"anawesomeuser@email.com","creation_type":"create","object":{"id":"abcD3ojfdbjfg","first_name":"Henry","last_name":"Phan","email":"henrysemail@email.com","type":"3"}}} +{"event":"user.invitation_accepted","payload":{"account_id":"EPjyjVYxHMA","object":{"id":"sbyjt3ODg","first_name":"Maria","last_name":"CoolPerson","email":"maria@maria.developer.dfgfdgf","type":1}}} +{"event":"user.updated","payload":{"account_id":"lAA_EBBBBBBB","operator":"shrija2016+dev_ma@gmail.com","operator_id":"uLobbbbbbbb_qQsQ","object":{"id":"uLobbbbbbbb_qQsQ","company":"Zoom"},"old_object":{"id":"uLobbbbbbbb_qQsQ","company":"NotZoom"},"time_stamp":1563559854861}} +{"event":"user.settings_updated","payload":{"account_id":"CAl6ByEyAq8KK_CCCCCC","operator":"iamtheoperator@gmail.com","operator_id":"uLoRgfbbTayCX6r2Q_qQsQ","object":{"id":"uL34AAbbbbAAAAAAQsQ","settings":{"in_meeting":{"private_chat":false}}},"old_object":{"id":"uL34AAbbbbAAAAAAQsQ","settings":{"in_meeting":{"private_chat":true}}},"time_stamp":1563572826929}} +{"event":"user.settings_updated","payload":{"account_id":"EPbbbbb@@@@@2sfdfdA","operator":"somememail@randommailer28.com","operator_id":"fdhjfdhsj536274gfd","object":{"id":"fdhjfdhsj536274gfd","settings":{"meeting_authentication":false}},"old_object":{"id":"fdhjfdhsj536274gfd","settings":{"meeting_authentication":true}},"time_stamp":1593451939427}} +{"event":"user.deactivated","payload":{"account_id":"AAAAAABBBB","operator":"anawesomeuser@email.com","operator_id":"z8yCxjabcdEFGHfp8uQ","object":{"id":"abcD3ojfdbjfg","first_name":"Henry","last_name":"Phan","email":"henrysemail@email.com","type":1}}} +{"event":"user.activated","payload":{"account_id":"AAAAAABBBB","operator":"anawesomeuser@email.com","operator_id":"z8yCxjabcdEFGHfp8uQ","object":{"id":"abcD3ojfdbjfg","first_name":"Henry","last_name":"Phan","email":"henrysemail@email.com","type":3}}} +{"event":"user.disassociated","payload":{"account_id":"AAAAAABBBB","operator":"anawesomeuser@email.com","operator_id":"z8yCxjabcdEFGHfp8uQ","object":{"id":"abcD3ojfdbjfg","first_name":"Henry","last_name":"Phan","email":"henrysemail@email.com","type":3}}} +{"event":"user.deleted","payload":{"account_id":"AAAAAABBBB","operator":"anawesomeuser@email.com","operator_id":"z8yCxjabcdEFGHfp8uQ","object":{"id":"abcD3ojfdbjfg","first_name":"Henry","last_name":"Phan","email":"henrysemail@email.com","type":"3"}}} +{"event":"user.presence_status_updated","payload":{"account_id":"EPjfyjxHMA","object":{"date_time":"2019-11-26T20:13:57Z","email":"sfdhfghfgh@dkjdfd.com","id":"z8ycx1223fq","presence_status":"Available"}}} +{"event":"user.personal_notes_updated","payload":{"account_id":"EPfhhdrYxHMA","object":{"date_time":"2019-11-26T21:29:08Z","email":"sdfsgdfg@fjghg.ghm","id":"z8aggp8uq","personal_notes":"Out of Office until February 31"},"old_object":{"personal_notes":"this is the old note"}}} +{"event":"user.signed_in","payload":{"account_id":"dsjfosdfpdosgifdjg","object":{"id":"djkglfdgkjdflghfdpe","client_type":"android","date_time":"2019-09-10T14:36:10Z","version":"4.5.3308.0902","email":"awesomeuser@awesomemeail.ghkgf"}}} +{"event":"user.signed_out","payload":{"account_id":"dsjfosdfpdosgifdjg","object":{"id":"djkglfdgkjdflghfdpe","client_type":"android","date_time":"2019-09-10T14:36:10Z","version":"4.5.3308.0902","email":"awesomeuser@awesomemeail.ghkgf"}}} diff --git a/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json new file mode 100644 index 00000000000..3ca08b077f0 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json @@ -0,0 +1,443 @@ +[ + { + "event.action": "user.created", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "abcD3ojfdbjfg" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAA", + "zoom.creation_type": "create", + "zoom.operator": "anawesomeuser@email.com", + "zoom.user.email": "henrysemail@email.com", + "zoom.user.first_name": "Henry", + "zoom.user.id": "abcD3ojfdbjfg", + "zoom.user.last_name": "Phan", + "zoom.user.type": "3" + }, + { + "event.action": "user.invitation_accepted", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 236, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "sbyjt3ODg" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPjyjVYxHMA", + "zoom.user.email": "maria@maria.developer.dfgfdgf", + "zoom.user.first_name": "Maria", + "zoom.user.id": "sbyjt3ODg", + "zoom.user.last_name": "CoolPerson", + "zoom.user.type": 1 + }, + { + "event.action": "user.updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 435, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbb_qQsQ", + "uLobbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAA_EBBBBBBB", + "zoom.old_values.company": "NotZoom", + "zoom.old_values.id": "uLobbbbbbbb_qQsQ", + "zoom.operator": "shrija2016+dev_ma@gmail.com", + "zoom.operator_id": "uLobbbbbbbb_qQsQ", + "zoom.user.company": "Zoom", + "zoom.user.id": "uLobbbbbbbb_qQsQ" + }, + { + "event.action": "user.settings_updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 712, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ", + "uL34AAbbbbAAAAAAQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "CAl6ByEyAq8KK_CCCCCC", + "zoom.old_values.id": "uL34AAbbbbAAAAAAQsQ", + "zoom.old_values.settings.in_meeting.private_chat": true, + "zoom.operator": "iamtheoperator@gmail.com", + "zoom.operator_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.settings.in_meeting.private_chat": false, + "zoom.user.id": "uL34AAbbbbAAAAAAQsQ" + }, + { + "event.action": "user.settings_updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1075, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "fdhjfdhsj536274gfd", + "fdhjfdhsj536274gfd" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPbbbbb@@@@@2sfdfdA", + "zoom.old_values.id": "fdhjfdhsj536274gfd", + "zoom.old_values.settings.meeting_authentication": true, + "zoom.operator": "somememail@randommailer28.com", + "zoom.operator_id": "fdhjfdhsj536274gfd", + "zoom.settings.meeting_authentication": false, + "zoom.user.id": "fdhjfdhsj536274gfd" + }, + { + "event.action": "user.deactivated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1426, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjabcdEFGHfp8uQ", + "abcD3ojfdbjfg" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAABBBB", + "zoom.operator": "anawesomeuser@email.com", + "zoom.operator_id": "z8yCxjabcdEFGHfp8uQ", + "zoom.user.email": "henrysemail@email.com", + "zoom.user.first_name": "Henry", + "zoom.user.id": "abcD3ojfdbjfg", + "zoom.user.last_name": "Phan", + "zoom.user.type": 1 + }, + { + "event.action": "user.activated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1679, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjabcdEFGHfp8uQ", + "abcD3ojfdbjfg" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAABBBB", + "zoom.operator": "anawesomeuser@email.com", + "zoom.operator_id": "z8yCxjabcdEFGHfp8uQ", + "zoom.user.email": "henrysemail@email.com", + "zoom.user.first_name": "Henry", + "zoom.user.id": "abcD3ojfdbjfg", + "zoom.user.last_name": "Phan", + "zoom.user.type": 3 + }, + { + "event.action": "user.disassociated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1930, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjabcdEFGHfp8uQ", + "abcD3ojfdbjfg" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAABBBB", + "zoom.operator": "anawesomeuser@email.com", + "zoom.operator_id": "z8yCxjabcdEFGHfp8uQ", + "zoom.user.email": "henrysemail@email.com", + "zoom.user.first_name": "Henry", + "zoom.user.id": "abcD3ojfdbjfg", + "zoom.user.last_name": "Phan", + "zoom.user.type": 3 + }, + { + "event.action": "user.deleted", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "deletion" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2185, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjabcdEFGHfp8uQ", + "abcD3ojfdbjfg" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAABBBB", + "zoom.operator": "anawesomeuser@email.com", + "zoom.operator_id": "z8yCxjabcdEFGHfp8uQ", + "zoom.user.email": "henrysemail@email.com", + "zoom.user.first_name": "Henry", + "zoom.user.id": "abcD3ojfdbjfg", + "zoom.user.last_name": "Phan", + "zoom.user.type": "3" + }, + { + "event.action": "user.presence_status_updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2436, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8ycx1223fq" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPjfyjxHMA", + "zoom.user.email": "sfdhfghfgh@dkjdfd.com", + "zoom.user.id": "z8ycx1223fq", + "zoom.user.presence_status": "Available" + }, + { + "event.action": "user.personal_notes_updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2642, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8aggp8uq" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPfhhdrYxHMA", + "zoom.old_values.personal_notes": "this is the old note", + "zoom.user.email": "sdfsgdfg@fjghg.ghm", + "zoom.user.id": "z8aggp8uq", + "zoom.user.personal_notes": "Out of Office until February 31" + }, + { + "event.action": "user.signed_in", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "authentication", + "creation", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2920, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "djkglfdgkjdflghfdpe" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "dsjfosdfpdosgifdjg", + "zoom.user.client_type": "android", + "zoom.user.email": "awesomeuser@awesomemeail.ghkgf", + "zoom.user.id": "djkglfdgkjdflghfdpe", + "zoom.user.version": "4.5.3308.0902" + }, + { + "event.action": "user.signed_out", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "authentication", + "creation", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3157, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "djkglfdgkjdflghfdpe" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "dsjfosdfpdosgifdjg", + "zoom.user.client_type": "android", + "zoom.user.email": "awesomeuser@awesomemeail.ghkgf", + "zoom.user.id": "djkglfdgkjdflghfdpe", + "zoom.user.version": "4.5.3308.0902" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log new file mode 100644 index 00000000000..41782df2405 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log @@ -0,0 +1,14 @@ +{"event":"webinar.created","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","operator_id":"uLoRgfbbTayCX6r2Q_qQsQ","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":111111111,"host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":5,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles"}}} +{"event":"webinar.updated","payload":{"account_id":"AAAAAAAAAAA","operator":"someemail@email.com","operator_id":"BBBBBBBBBB","object":{"id":155184668,"type":5,"start_time":"2019-07-11T20:00:00Z","duration":120,"join_url":"https://zoom.us/j/00000000","settings":{"host_video":"false"}},"old_object":{"id":155184668,"type":9,"join_url":"https://zoom.us/j/00000000","occurrences":[{"occurrence_id":"1562875200000","start_time":"2019-07-11T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1563480000000","start_time":"2019-07-18T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1564084800000","start_time":"2019-07-25T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1564689600000","start_time":"2019-08-01T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1565294400000","start_time":"2019-08-08T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1565899200000","start_time":"2019-08-15T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1566504000000","start_time":"2019-08-22T20:00:00Z","duration":120,"status":"available"}],"settings":{"participant_video":true,"join_before_host":true,"use_pmi":false}, "time_stamp": 1562791953209}}} +{"event":"webinar.deleted","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","operator_id":"uLoRgfbbTayCX6r2Q_qQsQ","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":111111111,"host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":5,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles"}}} +{"event":"webinar.started","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":111111111,"host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":5,"start_time":"2019-07-09T17:00:00Z","duration":0,"timezone":"America/Los_Angeles"}}} +{"event":"webinar.ended","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":111111111,"host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":5,"start_time":"2019-07-09T17:00:00Z","duration":0,"timezone":"America/Los_Angeles"}}} +{"event":"webinar.alert","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Webinar","id":"6962400003","type":2,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","issues":"Unstable audio quality"}},"account_id":"EPeQtiABC000VYxHMA"} +{"event":"webinar.sharing_started","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Meeting","id":"6962400003","type":5,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","participant":{"id":"s0AAAASoSE1V8KIFOCYw","user_id":"16778000","user_name":"Arya Arya","sharing_details":{"link_source":"in_meeting","file_link":"","source":"dropbox","date_time":"2019-07-16T17:19:11Z","content":"application"}}},"account_id":"EPeQtiABC000VYxHMA"}} +{"event":"webinar.sharing_started","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Meeting","id":"6962400003","type":5,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","participant":{"id":"s0AAAASoSE1V8KIFOCYw","user_id":"16778000","user_name":"Arya Arya","sharing_details":{"link_source":"in_meeting","file_link":"","source":"dropbox","date_time":"2019-07-16T17:19:11Z","content":"application"}}},"account_id":"EPeQtiABC000VYxHMA"}} +{"event":"webinar.registration_created","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com","address":"","city":"","country":"","zip":"","state":"","phone":"","industry":"","org":"","job_title":"","purchasing_time_frame":"","role_in_purchase_process":"","no_of_employees":"","comments":"","custom_questions":[],"status":"approved","join_url":"https://zoom.us/w/someendpointhere"}}}} +{"event":"webinar.registration_approved","payload":{"account_id":"lAAAAAAAAAAAAA","operator":"somemail@email.com","operator_id":"Lobbbbbbbbbb_qQsQ","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} +{"event":"webinar.registration_denied","payload":{"account_id":"lAAAAAAAAAAAAA","operator":"coolemail@email.com","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":5,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} +{"event":"webinar.registration_cancelled","payload":{"account_id":"lAAAAAAAAAAAAA","operator":"coolemail@email.com","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":5,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} +{"event":"webinar.participant_joined","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles","participant":{"user_id":"16782040","user_name":"shree","id":"iFxeBPYun6SAiWUzBcEkX","join_time":"2019-07-16T17:13:13Z"}}}} +{"event":"webinar.participant_left","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles","participant":{"user_id":"16782040","user_name":"shree","id":"iFxeBPYun6SAiWUzBcEkX","leave_time":"2019-07-16T17:13:13Z"}}}} diff --git a/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log-expected.json new file mode 100644 index 00000000000..1bef0aa4e15 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log-expected.json @@ -0,0 +1,568 @@ +[ + { + "event.action": "webinar.created", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ", + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": 111111111, + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "webinar.updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 357, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "BBBBBBBBBB" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAAAAAAA", + "zoom.old_values.id": 155184668, + "zoom.old_values.join_url": "https://zoom.us/j/00000000", + "zoom.old_values.settings.join_before_host": true, + "zoom.old_values.settings.participant_video": true, + "zoom.old_values.settings.use_pmi": false, + "zoom.old_values.time_stamp": 1562791953209, + "zoom.old_values.type": 9, + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "BBBBBBBBBB", + "zoom.settings.host_video": "false", + "zoom.webinar.duration": 120, + "zoom.webinar.id": 155184668, + "zoom.webinar.join_url": "https://zoom.us/j/00000000", + "zoom.webinar.start_time": "2019-07-11T20:00:00Z", + "zoom.webinar.type": 5 + }, + { + "event.action": "webinar.deleted", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "deletion" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1588, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ", + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": 111111111, + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "webinar.started", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1945, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.webinar.duration": 0, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": 111111111, + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "webinar.ended", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2262, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.webinar.duration": 0, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": 111111111, + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "webinar.alert", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2577, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "z8yCxTTTTSiw02QgCAp8uQ", + "zoom.webinar.id": "6962400003", + "zoom.webinar.issues": "Unstable audio quality", + "zoom.webinar.start_time": "2019-07-16T17:14:39Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Webinar", + "zoom.webinar.type": 2, + "zoom.webinar.uuid": "4118UHIiRCAAAtBlDkcVyw==" + }, + { + "event.action": "webinar.sharing_started", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2894, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQtiABC000VYxHMA", + "zoom.participant.id": "s0AAAASoSE1V8KIFOCYw", + "zoom.participant.sharing_details.content": "application", + "zoom.participant.sharing_details.date_time": "2019-07-16T17:19:11Z", + "zoom.participant.sharing_details.file_link": "", + "zoom.participant.sharing_details.link_source": "in_meeting", + "zoom.participant.sharing_details.source": "dropbox", + "zoom.participant.user_id": "16778000", + "zoom.participant.user_name": "Arya Arya", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "z8yCxTTTTSiw02QgCAp8uQ", + "zoom.webinar.id": "6962400003", + "zoom.webinar.start_time": "2019-07-16T17:14:39Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "4118UHIiRCAAAtBlDkcVyw==" + }, + { + "event.action": "webinar.sharing_started", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3416, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQtiABC000VYxHMA", + "zoom.participant.id": "s0AAAASoSE1V8KIFOCYw", + "zoom.participant.sharing_details.content": "application", + "zoom.participant.sharing_details.date_time": "2019-07-16T17:19:11Z", + "zoom.participant.sharing_details.file_link": "", + "zoom.participant.sharing_details.link_source": "in_meeting", + "zoom.participant.sharing_details.source": "dropbox", + "zoom.participant.user_id": "16778000", + "zoom.participant.user_name": "Arya Arya", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "z8yCxTTTTSiw02QgCAp8uQ", + "zoom.webinar.id": "6962400003", + "zoom.webinar.start_time": "2019-07-16T17:14:39Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "4118UHIiRCAAAtBlDkcVyw==" + }, + { + "event.action": "webinar.registration_created", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3938, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.registrant.address": "", + "zoom.registrant.city": "", + "zoom.registrant.comments": "", + "zoom.registrant.country": "", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.industry": "", + "zoom.registrant.job_title": "", + "zoom.registrant.join_url": "https://zoom.us/w/someendpointhere", + "zoom.registrant.last_name": "Person", + "zoom.registrant.no_of_employees": "", + "zoom.registrant.org": "", + "zoom.registrant.phone": "", + "zoom.registrant.purchasing_time_frame": "", + "zoom.registrant.role_in_purchase_process": "", + "zoom.registrant.state": "", + "zoom.registrant.status": "approved", + "zoom.registrant.zip": "", + "zoom.webinar.duration": 120, + "zoom.webinar.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.webinar.id": 150000008, + "zoom.webinar.start_time": "2019-07-11T20:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "A test meeting", + "zoom.webinar.type": 2, + "zoom.webinar.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "webinar.registration_approved", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 4630, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "Lobbbbbbbbbb_qQsQ", + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.operator": "somemail@email.com", + "zoom.operator_id": "Lobbbbbbbbbb_qQsQ", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person", + "zoom.webinar.duration": 120, + "zoom.webinar.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.webinar.id": 150000008, + "zoom.webinar.start_time": "2019-07-11T20:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "A test meeting", + "zoom.webinar.type": 2, + "zoom.webinar.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "webinar.registration_denied", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5102, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.operator": "coolemail@email.com", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person", + "zoom.webinar.duration": 120, + "zoom.webinar.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.webinar.id": 150000008, + "zoom.webinar.start_time": "2019-07-11T20:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "A test meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "webinar.registration_cancelled", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5539, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.operator": "coolemail@email.com", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person", + "zoom.webinar.duration": 120, + "zoom.webinar.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.webinar.id": 150000008, + "zoom.webinar.start_time": "2019-07-11T20:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "A test meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "webinar.participant_joined", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5979, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.participant.id": "iFxeBPYun6SAiWUzBcEkX", + "zoom.participant.join_time": "2019-07-16T17:13:13Z", + "zoom.participant.user_id": "16782040", + "zoom.participant.user_name": "shree", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": "111111111", + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 2, + "zoom.webinar.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "webinar.participant_left", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 6431, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.participant.id": "iFxeBPYun6SAiWUzBcEkX", + "zoom.participant.leave_time": "2019-07-16T17:13:13Z", + "zoom.participant.user_id": "16782040", + "zoom.participant.user_name": "shree", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": "111111111", + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 2, + "zoom.webinar.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log new file mode 100644 index 00000000000..03fda8d1b28 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log @@ -0,0 +1,4 @@ +{"event":"zoomroom.alert","payload":{"account_id":"EPAbcdefyZslakjflP","object":{"room_name":"MyFabulousZoomRoom","issue":"Room Controller disconnected","id":"EbY5jzz2R5KVPn6ZY9wh0A","calendar_name":"myemailforcalendarintegration@somedomain.com","email":"myemailforzoomroom@somedomain.com","alert_type":1,"component":2,"alert_kind":1}}} +{"event":"zoomroom.delayed_alert","payload":{"account_id":"EPAbcdefyZslakjflP","object":{"room_name":"MyFabulousZoomRoom","issue":"Room Controller disconnected","id":"EbY5jzz2R5KVPn6ZY9wh0A","calendar_name":"myemailforcalendarintegration@somedomain.com","email":"myemailforzoomroom@somedomain.com","alert_type":1,"component":2,"alert_kind":1}}} +{"event":"zoomroom.checked_in","payload":{"account_id":"vhdnmf673q2543rfhgsca","object":{"id":"365743fgshfh63","room_name":"Sharks Room","calendar_id":"mytestemailaddress123444@zoom.us","calendar_name":"zoom.us_abcd783r894v4nigh8@group.calendar.google.com","email":"jdfhdsk@dgjfh.sfgjgdf","event_id":"AbbbbbGYxLTc3OTVkMzFmZDc0MwBGAAAAAAD48FI58voYSqDgJePOSZblBwBQ/N0JvB/FRqv5UT2rFfkVAAAAAAENAABQ/N0JvB/FRqv5UT2rFfkVAAE2YC8DAAA=","change_key":"DwAAABYAAABQ/N0JvB/FRqv5UT2rFfkVAAE2XqVw","resource_email":"public.test@testmail123gdgds.com"}}} +{"event":"zoomroom.checked_in","payload":{"account_id":"vhdnmf673q2543rfhgsca","object":{"id":"365743fgshfh63","room_name":"Sharks Room","calendar_id":"mytestemailaddress123444@zoom.us","calendar_name":"zoom.us_abcd783r894v4nigh8@group.calendar.google.com","email":"jdfhdsk@dgjfh.sfgjgdf","event_id":"AbbbbbGYxLTc3OTVkMzFmZDc0MwBGAAAAAAD48FI58voYSqDgJePOSZblBwBQ/N0JvB/FRqv5UT2rFfkVAAAAAAENAABQ/N0JvB/FRqv5UT2rFfkVAAE2YC8DAAA=","change_key":"DwAAABYAAABQ/N0JvB/FRqv5UT2rFfkVAAE2XqVw","resource_email":"public.test@testmail123gdgds.com"}}} diff --git a/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log-expected.json new file mode 100644 index 00000000000..0d567d8ccd6 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log-expected.json @@ -0,0 +1,122 @@ +[ + { + "event.action": "zoomroom.alert", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPAbcdefyZslakjflP", + "zoom.zoomroom.alert_kind": 1, + "zoom.zoomroom.alert_type": 1, + "zoom.zoomroom.calendar_name": "myemailforcalendarintegration@somedomain.com", + "zoom.zoomroom.component": 2, + "zoom.zoomroom.email": "myemailforzoomroom@somedomain.com", + "zoom.zoomroom.id": "EbY5jzz2R5KVPn6ZY9wh0A", + "zoom.zoomroom.issue": "Room Controller disconnected", + "zoom.zoomroom.room_name": "MyFabulousZoomRoom" + }, + { + "event.action": "zoomroom.delayed_alert", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 337, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPAbcdefyZslakjflP", + "zoom.zoomroom.alert_kind": 1, + "zoom.zoomroom.alert_type": 1, + "zoom.zoomroom.calendar_name": "myemailforcalendarintegration@somedomain.com", + "zoom.zoomroom.component": 2, + "zoom.zoomroom.email": "myemailforzoomroom@somedomain.com", + "zoom.zoomroom.id": "EbY5jzz2R5KVPn6ZY9wh0A", + "zoom.zoomroom.issue": "Room Controller disconnected", + "zoom.zoomroom.room_name": "MyFabulousZoomRoom" + }, + { + "event.action": "zoomroom.checked_in", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 682, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "vhdnmf673q2543rfhgsca", + "zoom.zoomroom.calendar_id": "mytestemailaddress123444@zoom.us", + "zoom.zoomroom.calendar_name": "zoom.us_abcd783r894v4nigh8@group.calendar.google.com", + "zoom.zoomroom.change_key": "DwAAABYAAABQ/N0JvB/FRqv5UT2rFfkVAAE2XqVw", + "zoom.zoomroom.email": "jdfhdsk@dgjfh.sfgjgdf", + "zoom.zoomroom.event_id": "AbbbbbGYxLTc3OTVkMzFmZDc0MwBGAAAAAAD48FI58voYSqDgJePOSZblBwBQ/N0JvB/FRqv5UT2rFfkVAAAAAAENAABQ/N0JvB/FRqv5UT2rFfkVAAE2YC8DAAA=", + "zoom.zoomroom.id": "365743fgshfh63", + "zoom.zoomroom.resource_email": "public.test@testmail123gdgds.com", + "zoom.zoomroom.room_name": "Sharks Room" + }, + { + "event.action": "zoomroom.checked_in", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1221, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "vhdnmf673q2543rfhgsca", + "zoom.zoomroom.calendar_id": "mytestemailaddress123444@zoom.us", + "zoom.zoomroom.calendar_name": "zoom.us_abcd783r894v4nigh8@group.calendar.google.com", + "zoom.zoomroom.change_key": "DwAAABYAAABQ/N0JvB/FRqv5UT2rFfkVAAE2XqVw", + "zoom.zoomroom.email": "jdfhdsk@dgjfh.sfgjgdf", + "zoom.zoomroom.event_id": "AbbbbbGYxLTc3OTVkMzFmZDc0MwBGAAAAAAD48FI58voYSqDgJePOSZblBwBQ/N0JvB/FRqv5UT2rFfkVAAAAAAENAABQ/N0JvB/FRqv5UT2rFfkVAAE2YC8DAAA=", + "zoom.zoomroom.id": "365743fgshfh63", + "zoom.zoomroom.resource_email": "public.test@testmail123gdgds.com", + "zoom.zoomroom.room_name": "Sharks Room" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc b/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc index 48199b9c7f3..2528f83da67 100644 --- a/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/zscaler/_meta/docs.asciidoc @@ -51,7 +51,7 @@ offset so that datetimes are correctly parsed. Valid values are in the form *`var.rsa_fields`*:: Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. +which causes both ECS and custom fields under `rsa` to be added. *`var.keep_raw_fields`*:: diff --git a/x-pack/filebeat/module/zscaler/zia/config/input.yml b/x-pack/filebeat/module/zscaler/zia/config/input.yml index 05e5f5c886e..f2963a231f1 100644 --- a/x-pack/filebeat/module/zscaler/zia/config/input.yml +++ b/x-pack/filebeat/module/zscaler/zia/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml index 3354fb0674a..f60a8a2e9de 100644 --- a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml @@ -2,6 +2,10 @@ description: Pipeline for Zscaler NSS processors: + # ECS event.ingested + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' # User agent - user_agent: field: user_agent.original @@ -49,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{rsa.web.fqdn}}' + allow_duplicates: false + if: ctx?.rsa?.web?.fqdn != null && ctx.rsa?.web?.fqdn != '' + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index 2df5f4bcff8..b7bd436496b 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json @@ -22,6 +22,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "rci737.www5.example" + ], "related.ip": [ "10.176.10.114", "10.206.191.17" @@ -93,9 +96,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "eosquir5191.www.example" + ], "related.ip": [ - "10.173.22.152", - "10.26.46.95" + "10.26.46.95", + "10.173.22.152" ], "related.user": [ "eataevi" @@ -166,6 +172,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "orsitame3262.domain" + ], "related.ip": [ "10.254.146.57", "10.204.86.149" @@ -182,8 +191,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uptassi", "rsa.misc.action": [ - "Blocked", - "giatq" + "giatq", + "Blocked" ], "rsa.misc.category": "llu", "rsa.misc.filter": "tconsec", @@ -208,7 +217,7 @@ ], "url.original": "https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte", "user.name": "tenima", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -239,9 +248,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tempor4496.www.localdomain" + ], "related.ip": [ - "10.103.246.190", - "10.252.125.53" + "10.252.125.53", + "10.103.246.190" ], "related.user": [ "equun" @@ -255,8 +267,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ima", "rsa.misc.action": [ - "Allowed", - "llam" + "llam", + "Allowed" ], "rsa.misc.category": "aboris", "rsa.misc.filter": "atatnonp", @@ -281,7 +293,7 @@ ], "url.original": "https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid", "user.name": "equun", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -312,6 +324,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ore2933.www.test" + ], "related.ip": [ "10.61.78.108", "10.136.153.149" @@ -385,6 +400,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ollit4105.mail.localdomain" + ], "related.ip": [ "10.183.16.166", "10.66.250.92" @@ -401,8 +419,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "avol", "rsa.misc.action": [ - "ist", - "Allowed" + "Allowed", + "ist" ], "rsa.misc.category": "lorema", "rsa.misc.filter": "sun", @@ -458,9 +476,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "cup1793.local" + ], "related.ip": [ - "10.123.104.59", - "10.243.224.205" + "10.243.224.205", + "10.123.104.59" ], "related.user": [ "xercitat" @@ -474,8 +495,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lupt", "rsa.misc.action": [ - "dun", - "Blocked" + "Blocked", + "dun" ], "rsa.misc.category": "rsitamet", "rsa.misc.filter": "usmod", @@ -531,6 +552,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "icab4668.local" + ], "related.ip": [ "10.74.17.5", "10.119.185.63" @@ -604,6 +628,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aperia4409.www5.invalid" + ], "related.ip": [ "10.78.151.178", "10.25.192.202" @@ -677,9 +704,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "sitvolup368.internal.host" + ], "related.ip": [ - "10.71.170.37", - "10.135.225.244" + "10.135.225.244", + "10.71.170.37" ], "related.user": [ "atu" @@ -693,8 +723,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ihilm", "rsa.misc.action": [ - "psaquae", - "Allowed" + "Allowed", + "psaquae" ], "rsa.misc.category": "eFinib", "rsa.misc.filter": "inesci", @@ -719,7 +749,7 @@ ], "url.original": "https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe", "user.name": "atu", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -750,6 +780,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ite2026.www.invalid" + ], "related.ip": [ "10.19.145.131", "10.223.247.86" @@ -766,8 +799,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "sci", "rsa.misc.action": [ - "emseq", - "Allowed" + "Allowed", + "emseq" ], "rsa.misc.category": "exercit", "rsa.misc.filter": "taevit", @@ -823,6 +856,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "radipisc7020.home" + ], "related.ip": [ "10.2.53.125", "10.181.80.139" @@ -865,7 +901,7 @@ ], "url.original": "https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos", "user.name": "ihilmo", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -896,6 +932,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uamei2493.www.test" + ], "related.ip": [ "10.31.240.6", "10.167.98.76" @@ -969,6 +1008,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "piscin6866.internal.host" + ], "related.ip": [ "10.135.160.125", "10.0.55.9" @@ -985,8 +1027,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iurer", "rsa.misc.action": [ - "Allowed", - "ionevo" + "ionevo", + "Allowed" ], "rsa.misc.category": "tinvolu", "rsa.misc.filter": "idex", @@ -1042,6 +1084,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "spi3544.www.host" + ], "related.ip": [ "10.63.250.128", "10.111.187.12" @@ -1115,6 +1160,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tlab5981.www.host" + ], "related.ip": [ "10.5.126.127", "10.252.124.150" @@ -1131,8 +1179,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mod", "rsa.misc.action": [ - "xeacomm", - "Allowed" + "Allowed", + "xeacomm" ], "rsa.misc.category": "sauteiru", "rsa.misc.filter": "antiu", @@ -1188,6 +1236,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "upida508.example" + ], "related.ip": [ "10.201.171.120", "10.91.126.231" @@ -1204,8 +1255,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "umdo", "rsa.misc.action": [ - "Blocked", - "orumSe" + "orumSe", + "Blocked" ], "rsa.misc.category": "tanimid", "rsa.misc.filter": "itam", @@ -1261,6 +1312,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oditem5255.api.localdomain" + ], "related.ip": [ "10.107.251.87", "10.135.82.97" @@ -1334,6 +1388,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uamei2389.internal.example" + ], "related.ip": [ "10.215.205.216", "10.31.198.58" @@ -1407,9 +1464,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "eacommod1930.internal.lan" + ], "related.ip": [ - "10.29.155.171", - "10.229.83.165" + "10.229.83.165", + "10.29.155.171" ], "related.user": [ "ulapar" @@ -1480,9 +1540,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tem6984.www5.domain" + ], "related.ip": [ - "10.129.192.145", - "10.161.148.64" + "10.161.148.64", + "10.129.192.145" ], "related.user": [ "lor" @@ -1553,9 +1616,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "lapariat7287.internal.host" + ], "related.ip": [ - "10.7.200.140", - "10.203.65.161" + "10.203.65.161", + "10.7.200.140" ], "related.user": [ "snost" @@ -1626,9 +1692,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "licabo1493.api.corp" + ], "related.ip": [ - "10.218.98.29", - "10.86.22.67" + "10.86.22.67", + "10.218.98.29" ], "related.user": [ "olori" @@ -1642,8 +1711,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iutali", "rsa.misc.action": [ - "Blocked", - "atcupi" + "atcupi", + "Blocked" ], "rsa.misc.category": "isetq", "rsa.misc.filter": "equinesc", @@ -1699,9 +1768,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "stenatu4844.www.invalid" + ], "related.ip": [ - "10.24.111.229", - "10.39.31.115" + "10.39.31.115", + "10.24.111.229" ], "related.user": [ "fugi" @@ -1741,7 +1813,7 @@ ], "url.original": "https://example.com/luptatem/uaeratv.gif?dat=periam#dqu", "user.name": "fugi", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -1772,6 +1844,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "sitam5077.internal.host" + ], "related.ip": [ "10.32.39.220", "10.179.210.218" @@ -1788,8 +1863,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "riss", "rsa.misc.action": [ - "Blocked", - "risnis" + "risnis", + "Blocked" ], "rsa.misc.category": "emqu", "rsa.misc.filter": "oluptas", @@ -1845,6 +1920,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "dquia107.www.test" + ], "related.ip": [ "10.128.173.19", "10.88.172.34" @@ -1861,8 +1939,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntNeq", "rsa.misc.action": [ - "Blocked", - "dtempo" + "dtempo", + "Blocked" ], "rsa.misc.category": "ipsu", "rsa.misc.filter": "iqu", @@ -1918,6 +1996,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "lloin4019.www.localhost" + ], "related.ip": [ "10.130.241.232", "10.238.224.49" @@ -1934,8 +2015,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mnisiut", "rsa.misc.action": [ - "Allowed", - "mod" + "mod", + "Allowed" ], "rsa.misc.category": "uiinea", "rsa.misc.filter": "aturQu", @@ -1960,7 +2041,7 @@ ], "url.original": "https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug", "user.name": "onse", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -1991,9 +2072,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tamet6317.www.host" + ], "related.ip": [ - "10.115.53.31", - "10.2.67.127" + "10.2.67.127", + "10.115.53.31" ], "related.user": [ "Cic" @@ -2007,8 +2091,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quatD", "rsa.misc.action": [ - "Allowed", - "tatem" + "tatem", + "Allowed" ], "rsa.misc.category": "aincidun", "rsa.misc.filter": "uela", @@ -2033,7 +2117,7 @@ ], "url.original": "https://example.com/emUte/molestia.htm?orroqu=elitsed#labore", "user.name": "Cic", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2064,9 +2148,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "saquaea6344.www.invalid" + ], "related.ip": [ - "10.204.214.251", - "10.101.38.213" + "10.101.38.213", + "10.204.214.251" ], "related.user": [ "ueipsa" @@ -2106,7 +2193,7 @@ ], "url.original": "https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula", "user.name": "ueipsa", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2137,6 +2224,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "utaliqu4248.www.localhost" + ], "related.ip": [ "10.18.226.72", "10.101.85.169" @@ -2153,8 +2243,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "moles", "rsa.misc.action": [ - "Allowed", - "vitaed" + "vitaed", + "Allowed" ], "rsa.misc.category": "billoi", "rsa.misc.filter": "suntex", @@ -2179,7 +2269,7 @@ ], "url.original": "https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema", "user.name": "rroqu", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2210,9 +2300,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "mdolore473.internal.test" + ], "related.ip": [ - "10.87.100.240", - "10.242.182.193" + "10.242.182.193", + "10.87.100.240" ], "related.user": [ "stenatus" @@ -2283,6 +2376,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tatio6513.www.invalid" + ], "related.ip": [ "10.80.57.247", "10.229.242.223" @@ -2356,9 +2452,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "lapar1599.www.lan" + ], "related.ip": [ - "10.106.77.138", - "10.193.66.155" + "10.193.66.155", + "10.106.77.138" ], "related.user": [ "iusmodt" @@ -2429,9 +2528,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aquioff3853.www.localdomain" + ], "related.ip": [ - "10.236.230.136", - "10.54.159.1" + "10.54.159.1", + "10.236.230.136" ], "related.user": [ "mUteni" @@ -2445,8 +2547,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tec", "rsa.misc.action": [ - "Allowed", - "tatema" + "tatema", + "Allowed" ], "rsa.misc.category": "emullamc", "rsa.misc.filter": "emveleum", @@ -2502,6 +2604,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ura675.mail.localdomain" + ], "related.ip": [ "10.131.246.134", "10.49.242.174" @@ -2575,6 +2680,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "iamea478.www5.host" + ], "related.ip": [ "10.142.120.198", "10.166.10.42" @@ -2648,6 +2756,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "eaque6543.api.domain" + ], "related.ip": [ "10.128.184.241", "10.138.188.201" @@ -2721,6 +2832,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "eufug1756.mail.corp" + ], "related.ip": [ "10.53.101.131", "10.213.57.165" @@ -2737,8 +2851,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ese", "rsa.misc.action": [ - "litanim", - "Allowed" + "Allowed", + "litanim" ], "rsa.misc.category": "idata", "rsa.misc.filter": "urerepre", @@ -2794,9 +2908,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "orp5697.www.invalid" + ], "related.ip": [ - "10.55.81.14", - "10.243.6.41" + "10.243.6.41", + "10.55.81.14" ], "related.user": [ "eiusmo" @@ -2810,8 +2927,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "idolores", "rsa.misc.action": [ - "lestia", - "Blocked" + "Blocked", + "lestia" ], "rsa.misc.category": "risni", "rsa.misc.filter": "emacc", @@ -2867,9 +2984,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "pariatur7238.www5.invalid" + ], "related.ip": [ - "10.33.144.10", - "10.202.224.79" + "10.202.224.79", + "10.33.144.10" ], "related.user": [ "rios" @@ -2940,6 +3060,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "fficia2304.www5.home" + ], "related.ip": [ "10.20.124.138", "10.158.18.51" @@ -2956,8 +3079,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Loremip", "rsa.misc.action": [ - "Allowed", - "quid" + "quid", + "Allowed" ], "rsa.misc.category": "mini", "rsa.misc.filter": "uisnos", @@ -2982,7 +3105,7 @@ ], "url.original": "https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex", "user.name": "CSe", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -3013,6 +3136,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "mquisnos7453.home" + ], "related.ip": [ "10.134.128.27", "10.118.177.136" @@ -3029,8 +3155,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "voluptas", "rsa.misc.action": [ - "olor", - "Allowed" + "Allowed", + "olor" ], "rsa.misc.category": "ataevita", "rsa.misc.filter": "nderi", @@ -3086,9 +3212,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aquio748.www.localhost" + ], "related.ip": [ - "10.125.120.97", - "10.68.8.143" + "10.68.8.143", + "10.125.120.97" ], "related.user": [ "reet" @@ -3102,8 +3231,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "amni", "rsa.misc.action": [ - "edutp", - "Allowed" + "Allowed", + "edutp" ], "rsa.misc.category": "ames", "rsa.misc.filter": "dmi", @@ -3159,6 +3288,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "remagnam796.mail.corp" + ], "related.ip": [ "10.137.164.122", "10.143.0.78" @@ -3175,8 +3307,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "etdol", "rsa.misc.action": [ - "Blocked", - "mwrit" + "mwrit", + "Blocked" ], "rsa.misc.category": "inim", "rsa.misc.filter": "aturQu", @@ -3232,6 +3364,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "etdolore4227.internal.corp" + ], "related.ip": [ "10.30.87.51", "10.156.177.53" @@ -3248,8 +3383,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatno", "rsa.misc.action": [ - "Blocked", - "ptatev" + "ptatev", + "Blocked" ], "rsa.misc.category": "udexerc", "rsa.misc.filter": "ptatemse", @@ -3305,9 +3440,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "rors1935.api.domain" + ], "related.ip": [ - "10.111.249.184", - "10.83.138.34" + "10.83.138.34", + "10.111.249.184" ], "related.user": [ "dentsunt" @@ -3321,8 +3459,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatemse", "rsa.misc.action": [ - "upta", - "Blocked" + "Blocked", + "upta" ], "rsa.misc.category": "tlabo", "rsa.misc.filter": "aliqui", @@ -3378,6 +3516,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "idexeac1655.internal.test" + ], "related.ip": [ "10.141.195.13", "10.180.150.47" @@ -3451,6 +3592,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "laboree3880.api.invalid" + ], "related.ip": [ "10.255.40.12", "10.166.195.20" @@ -3467,8 +3611,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mipsumq", "rsa.misc.action": [ - "Allowed", - "citation" + "citation", + "Allowed" ], "rsa.misc.category": "usant", "rsa.misc.filter": "Nem", @@ -3522,9 +3666,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tecto708.www5.example" + ], "related.ip": [ - "10.100.143.226", - "10.22.122.43" + "10.22.122.43", + "10.100.143.226" ], "related.user": [ "ute" @@ -3538,8 +3685,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ento", "rsa.misc.action": [ - "Blocked", - "Bonoru" + "Bonoru", + "Blocked" ], "rsa.misc.category": "luptasnu", "rsa.misc.filter": "quamni", @@ -3564,7 +3711,7 @@ ], "url.original": "https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu", "user.name": "ute", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", "user_agent.os.full": "Mac OS X 10.15.6", @@ -3595,9 +3742,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ine3181.www.invalid" + ], "related.ip": [ - "10.121.9.5", - "10.119.53.68" + "10.119.53.68", + "10.121.9.5" ], "related.user": [ "ssec" @@ -3668,9 +3818,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tsunt3403.www5.test" + ], "related.ip": [ - "10.237.0.173", - "10.31.153.177" + "10.31.153.177", + "10.237.0.173" ], "related.user": [ "sci" @@ -3684,8 +3837,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "eritqui", "rsa.misc.action": [ - "Blocked", - "dolor" + "dolor", + "Blocked" ], "rsa.misc.category": "taspe", "rsa.misc.filter": "oremipsu", @@ -3739,9 +3892,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "pitl6126.www.localdomain" + ], "related.ip": [ - "10.243.182.229", - "10.229.102.140" + "10.229.102.140", + "10.243.182.229" ], "related.user": [ "duntut" @@ -3808,9 +3964,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "remaper3297.internal.test" + ], "related.ip": [ - "10.39.46.155", - "10.120.138.109" + "10.120.138.109", + "10.39.46.155" ], "related.user": [ "picia" @@ -3850,7 +4009,7 @@ ], "url.original": "https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi", "user.name": "picia", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -3881,6 +4040,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tamr1693.api.home" + ], "related.ip": [ "10.53.191.49", "10.133.102.57" @@ -3897,8 +4059,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ecillum", "rsa.misc.action": [ - "emp", - "Blocked" + "Blocked", + "emp" ], "rsa.misc.category": "ciati", "rsa.misc.filter": "elit", @@ -3954,6 +4116,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "cia5990.api.localdomain" + ], "related.ip": [ "10.89.41.97", "10.91.2.225" @@ -4027,6 +4192,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "riatu2467.lan" + ], "related.ip": [ "10.221.20.165", "10.7.18.226" @@ -4100,9 +4268,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "pici1525.www5.corp" + ], "related.ip": [ - "10.178.148.188", - "10.155.252.123" + "10.155.252.123", + "10.178.148.188" ], "related.user": [ "inrepreh" @@ -4173,9 +4344,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "dolo6418.internal.host" + ], "related.ip": [ - "10.220.1.249", - "10.190.42.245" + "10.190.42.245", + "10.220.1.249" ], "related.user": [ "olup" @@ -4189,8 +4363,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uamquaer", "rsa.misc.action": [ - "aerat", - "Blocked" + "Blocked", + "aerat" ], "rsa.misc.category": "quela", "rsa.misc.filter": "qui", @@ -4244,9 +4418,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "imveni193.www5.host" + ], "related.ip": [ - "10.112.190.154", - "10.55.38.153" + "10.55.38.153", + "10.112.190.154" ], "related.user": [ "oremeu" @@ -4260,8 +4437,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tin", "rsa.misc.action": [ - "urau", - "Allowed" + "Allowed", + "urau" ], "rsa.misc.category": "isiut", "rsa.misc.filter": "cons", @@ -4317,9 +4494,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ionu3320.api.localhost" + ], "related.ip": [ - "10.195.153.42", - "10.250.48.82" + "10.250.48.82", + "10.195.153.42" ], "related.user": [ "tsedquia" @@ -4359,7 +4539,7 @@ ], "url.original": "https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam", "user.name": "tsedquia", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -4390,6 +4570,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "remips1499.www.local" + ], "related.ip": [ "10.252.164.230", "10.60.52.219" @@ -4459,9 +4642,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "mdoloree96.domain" + ], "related.ip": [ - "10.122.102.156", - "10.187.16.73" + "10.187.16.73", + "10.122.102.156" ], "related.user": [ "emoen" @@ -4532,9 +4718,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "iatnulap7662.internal.local" + ], "related.ip": [ - "10.248.108.55", - "10.120.215.174" + "10.120.215.174", + "10.248.108.55" ], "related.user": [ "prehend" @@ -4603,6 +4792,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "sBonoru1929.example" + ], "related.ip": [ "10.51.161.245", "10.15.254.181" @@ -4619,8 +4811,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "modit", "rsa.misc.action": [ - "uteiru", - "Allowed" + "Allowed", + "uteiru" ], "rsa.misc.category": "qua", "rsa.misc.filter": "saute", @@ -4645,7 +4837,7 @@ ], "url.original": "https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam", "user.name": "abo", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -4676,6 +4868,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "onorumet4871.lan" + ], "related.ip": [ "10.7.152.238", "10.129.66.196" @@ -4749,6 +4944,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "onproi4354.www5.invalid" + ], "related.ip": [ "10.185.107.27", "10.29.162.157" @@ -4765,8 +4963,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "orinrep", "rsa.misc.action": [ - "squirat", - "Blocked" + "Blocked", + "squirat" ], "rsa.misc.category": "sequa", "rsa.misc.filter": "orainci", @@ -4822,6 +5020,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "beataevi7552.api.test" + ], "related.ip": [ "10.215.63.248", "10.138.0.214" @@ -4864,7 +5065,7 @@ ], "url.original": "https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod", "user.name": "eavolupt", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -4895,9 +5096,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "rvelill1981.www.invalid" + ], "related.ip": [ - "10.26.115.88", - "10.12.130.224" + "10.12.130.224", + "10.26.115.88" ], "related.user": [ "Nequepo" @@ -4911,8 +5115,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tNequepo", "rsa.misc.action": [ - "rmagnido", - "Allowed" + "Allowed", + "rmagnido" ], "rsa.misc.category": "luptatem", "rsa.misc.filter": "deritq", @@ -4968,6 +5172,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "quia7214.example" + ], "related.ip": [ "10.91.20.27", "10.193.152.42" @@ -5041,6 +5248,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aturExc7343.invalid" + ], "related.ip": [ "10.146.69.38", "10.55.192.102" @@ -5114,6 +5324,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "olo7317.www5.localhost" + ], "related.ip": [ "10.249.1.143", "10.124.177.226" @@ -5130,8 +5343,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Utenim", "rsa.misc.action": [ - "Allowed", - "onevo" + "onevo", + "Allowed" ], "rsa.misc.category": "tdolore", "rsa.misc.filter": "ptasn", @@ -5156,7 +5369,7 @@ ], "url.original": "https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese", "user.name": "isciveli", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", "user_agent.os.full": "Mac OS X 10.15.6", @@ -5187,6 +5400,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uiin1342.mail.invalid" + ], "related.ip": [ "10.146.228.249", "10.167.176.220" @@ -5260,6 +5476,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "agna5654.www.corp" + ], "related.ip": [ "10.203.47.23", "10.200.74.101" @@ -5276,8 +5495,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nde", "rsa.misc.action": [ - "iqu", - "Allowed" + "Allowed", + "iqu" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "ntincul", @@ -5333,9 +5552,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ites5711.internal.host" + ], "related.ip": [ - "10.24.23.209", - "10.162.78.48" + "10.162.78.48", + "10.24.23.209" ], "related.user": [ "ntore" @@ -5375,7 +5597,7 @@ ], "url.original": "https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor", "user.name": "ntore", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -5406,9 +5628,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oluptat2848.api.home" + ], "related.ip": [ - "10.55.151.53", - "10.211.66.68" + "10.211.66.68", + "10.55.151.53" ], "related.user": [ "squir" @@ -5422,8 +5647,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "diconseq", "rsa.misc.action": [ - "umet", - "Allowed" + "Allowed", + "umet" ], "rsa.misc.category": "ciad", "rsa.misc.filter": "oeiusmod", @@ -5448,7 +5673,7 @@ ], "url.original": "https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest", "user.name": "squir", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -5479,9 +5704,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ngelitse7535.internal.lan" + ], "related.ip": [ - "10.209.203.156", - "10.110.16.169" + "10.110.16.169", + "10.209.203.156" ], "related.user": [ "mes" @@ -5495,8 +5723,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iamquisn", "rsa.misc.action": [ - "lupta", - "Blocked" + "Blocked", + "lupta" ], "rsa.misc.category": "uasiarch", "rsa.misc.filter": "usBonor", @@ -5521,7 +5749,7 @@ ], "url.original": "https://example.org/eius/evo.jpg?iarchit=volupt#ipis", "user.name": "mes", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -5552,9 +5780,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tiumtot3611.internal.localdomain" + ], "related.ip": [ - "10.84.9.150", - "10.107.68.114" + "10.107.68.114", + "10.84.9.150" ], "related.user": [ "sequatDu" @@ -5568,8 +5799,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnis", "rsa.misc.action": [ - "Allowed", - "uianonnu" + "uianonnu", + "Allowed" ], "rsa.misc.category": "Excepteu", "rsa.misc.filter": "enimadmi", @@ -5625,6 +5856,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "gnaa4656.api.example" + ], "related.ip": [ "10.124.119.48", "10.26.222.144" @@ -5641,8 +5875,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lloin", "rsa.misc.action": [ - "Blocked", - "ici" + "ici", + "Blocked" ], "rsa.misc.category": "quidolor", "rsa.misc.filter": "nonproi", @@ -5698,6 +5932,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "psaqu6066.www5.localhost" + ], "related.ip": [ "10.164.190.2", "10.223.11.164" @@ -5740,7 +5977,7 @@ ], "url.original": "https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol", "user.name": "ten", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "LM-V350", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 10", @@ -5771,9 +6008,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "iavol5202.api.example" + ], "related.ip": [ - "10.14.37.8", - "10.121.181.243" + "10.121.181.243", + "10.14.37.8" ], "related.user": [ "umwr" @@ -5844,9 +6084,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uame1361.api.local" + ], "related.ip": [ - "10.10.93.133", - "10.90.20.202" + "10.90.20.202", + "10.10.93.133" ], "related.user": [ "evita" @@ -5917,6 +6160,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "rsitame4049.internal.corp" + ], "related.ip": [ "10.77.102.206", "10.34.98.144" @@ -5933,8 +6179,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Exce", "rsa.misc.action": [ - "ulapa", - "Allowed" + "Allowed", + "ulapa" ], "rsa.misc.category": "reprehen", "rsa.misc.filter": "itsedqui", @@ -5959,7 +6205,7 @@ ], "url.original": "https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu", "user.name": "tectobe", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", "user_agent.os.full": "Mac OS X 10.15.6", @@ -5990,6 +6236,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "elit912.www5.test" + ], "related.ip": [ "10.176.233.249", "10.75.144.118" @@ -6006,8 +6255,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "essequa", "rsa.misc.action": [ - "odic", - "Blocked" + "Blocked", + "odic" ], "rsa.misc.category": "cto", "rsa.misc.filter": "odite", @@ -6063,6 +6312,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tat6671.www.local" + ], "related.ip": [ "10.149.6.107", "10.236.55.236" @@ -6079,8 +6331,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uis", "rsa.misc.action": [ - "mvele", - "Allowed" + "Allowed", + "mvele" ], "rsa.misc.category": "vitaedi", "rsa.misc.filter": "ndeomni", @@ -6105,7 +6357,7 @@ ], "url.original": "https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa", "user.name": "redolo", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "LM-V350", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 10", @@ -6136,9 +6388,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uis5050.www.local" + ], "related.ip": [ - "10.13.125.101", - "10.97.202.149" + "10.97.202.149", + "10.13.125.101" ], "related.user": [ "colab" @@ -6152,8 +6407,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atcupi", "rsa.misc.action": [ - "Blocked", - "uaUten" + "uaUten", + "Blocked" ], "rsa.misc.category": "modt", "rsa.misc.filter": "magnidol", @@ -6209,9 +6464,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ficiad1312.api.host" + ], "related.ip": [ - "10.230.61.102", - "10.141.66.163" + "10.141.66.163", + "10.230.61.102" ], "related.user": [ "umdolo" @@ -6282,6 +6540,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "itaspe921.mail.invalid" + ], "related.ip": [ "10.10.25.145", "10.224.249.228" @@ -6298,8 +6559,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issuscip", "rsa.misc.action": [ - "Blocked", - "remap" + "remap", + "Blocked" ], "rsa.misc.category": "eetdolo", "rsa.misc.filter": "rsitam", @@ -6324,7 +6585,7 @@ ], "url.original": "https://www.example.org/iat/acom.html?umdolo=oluptass#umqu", "user.name": "mnisiuta", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "LM-V350", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 10", @@ -6355,6 +6616,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "archite4407.mail.invalid" + ], "related.ip": [ "10.247.255.107", "10.234.34.40" @@ -6397,7 +6661,7 @@ ], "url.original": "https://www.example.com/onorum/umiure.gif?lites=admini#trumexer", "user.name": "aeabillo", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -6428,6 +6692,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aria1424.mail.home" + ], "related.ip": [ "10.250.102.42", "10.124.81.20" @@ -6444,8 +6711,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ilmoles", "rsa.misc.action": [ - "Blocked", - "tatisetq" + "tatisetq", + "Blocked" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "liquide", @@ -6501,9 +6768,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "Bonoru7444.www5.example" + ], "related.ip": [ - "10.154.188.132", - "10.166.205.159" + "10.166.205.159", + "10.154.188.132" ], "related.user": [ "uptat" @@ -6570,9 +6840,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "icero1297.internal.domain" + ], "related.ip": [ - "10.138.193.38", - "10.46.71.46" + "10.46.71.46", + "10.138.193.38" ], "related.user": [ "sintocca" @@ -6639,6 +6912,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oloremeu5047.www5.invalid" + ], "related.ip": [ "10.172.159.251", "10.254.119.31" @@ -6712,6 +6988,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "edutpe1255.internal.lan" + ], "related.ip": [ "10.195.62.230", "10.98.126.206" @@ -6785,9 +7064,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "nderit1171.www5.domain" + ], "related.ip": [ - "10.84.140.5", - "10.144.93.186" + "10.144.93.186", + "10.84.140.5" ], "related.user": [ "eroi" @@ -6801,8 +7083,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntut", "rsa.misc.action": [ - "nima", - "Blocked" + "Blocked", + "nima" ], "rsa.misc.category": "boru", "rsa.misc.filter": "umquia", @@ -6827,7 +7109,7 @@ ], "url.original": "https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi", "user.name": "eroi", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", "user_agent.os.full": "Mac OS X 10.15.6", @@ -6858,6 +7140,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "nos4114.api.lan" + ], "related.ip": [ "10.31.58.6", "10.198.84.190" @@ -6874,8 +7159,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tquovo", "rsa.misc.action": [ - "qua", - "Allowed" + "Allowed", + "qua" ], "rsa.misc.category": "ectet", "rsa.misc.filter": "lites", @@ -6931,9 +7216,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oremeum4231.internal.host" + ], "related.ip": [ - "10.131.81.172", - "10.139.90.218" + "10.139.90.218", + "10.131.81.172" ], "related.user": [ "hende" @@ -6947,8 +7235,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rrorsi", "rsa.misc.action": [ - "exe", - "Allowed" + "Allowed", + "exe" ], "rsa.misc.category": "mnihi", "rsa.misc.filter": "consequa", @@ -7004,6 +7292,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ueip6097.api.host" + ], "related.ip": [ "10.152.217.174", "10.128.43.71" @@ -7046,7 +7337,7 @@ ], "url.original": "https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta", "user.name": "mquiado", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -7077,9 +7368,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "fugiatqu7793.www.localdomain" + ], "related.ip": [ - "10.217.193.148", - "10.26.149.221" + "10.26.149.221", + "10.217.193.148" ], "related.user": [ "uisa" @@ -7150,6 +7444,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "onsequ3168.www.corp" + ], "related.ip": [ "10.172.17.6", "10.109.192.53" @@ -7166,8 +7463,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "temUte", "rsa.misc.action": [ - "tassit", - "Blocked" + "Blocked", + "tassit" ], "rsa.misc.category": "ita", "rsa.misc.filter": "scive", @@ -7223,9 +7520,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oremquel3120.internal.localhost" + ], "related.ip": [ - "10.119.106.108", - "10.135.38.213" + "10.135.38.213", + "10.119.106.108" ], "related.user": [ "ore" @@ -7265,7 +7565,7 @@ ], "url.original": "https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota", "user.name": "ore", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json index 423d10f5ac2..bdf9957b55d 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json @@ -17,6 +17,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "" + ], "related.user": [ "" ], @@ -28,8 +31,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "", "rsa.misc.action": [ - "", - "" + "", + "" ], "rsa.misc.category": "", "rsa.misc.filter": "", diff --git a/x-pack/filebeat/modules.d/aws.yml.disabled b/x-pack/filebeat/modules.d/aws.yml.disabled index 7a0da775c8d..0fe8465211b 100644 --- a/x-pack/filebeat/modules.d/aws.yml.disabled +++ b/x-pack/filebeat/modules.d/aws.yml.disabled @@ -8,6 +8,18 @@ # AWS SQS queue url #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + # Process CloudTrail logs + # default is true, set to false to skip Cloudtrail logs + # var.process_cloudtrail_logs: false + + # Process CloudTrail Digest logs + # default true, set to false to skip CloudTrail Digest logs + # var.process_digest_logs: false + + # Process CloudTrail Insight logs + # default true, set to false to skip CloudTrail Insight logs + # var.process_insight_logs: false + # Filename of AWS credential file # If not set "$HOME/.aws/credentials" is used on Linux/Mac # "%UserProfile%\.aws\credentials" is used on Windows diff --git a/x-pack/filebeat/modules.d/barracuda.yml.disabled b/x-pack/filebeat/modules.d/barracuda.yml.disabled index a10208c0533..20552d4c503 100644 --- a/x-pack/filebeat/modules.d/barracuda.yml.disabled +++ b/x-pack/filebeat/modules.d/barracuda.yml.disabled @@ -20,3 +20,22 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local + + spamfirewall: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9524 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/cisco.yml.disabled b/x-pack/filebeat/modules.d/cisco.yml.disabled index 4f398958101..a2795fac8fc 100644 --- a/x-pack/filebeat/modules.d/cisco.yml.disabled +++ b/x-pack/filebeat/modules.d/cisco.yml.disabled @@ -73,3 +73,22 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local + + meraki: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9525 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/citrix.yml.disabled b/x-pack/filebeat/modules.d/citrix.yml.disabled index 9356b52952c..f530eeafb14 100644 --- a/x-pack/filebeat/modules.d/citrix.yml.disabled +++ b/x-pack/filebeat/modules.d/citrix.yml.disabled @@ -2,13 +2,13 @@ # Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-citrix.html - module: citrix - virtualapps: + netscaler: enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp # var.syslog_host: localhost - # var.syslog_port: 9507 + # var.syslog_port: 9526 # Set paths for the log files when file input is used. # var.paths: diff --git a/x-pack/filebeat/modules.d/kaspersky.yml.disabled b/x-pack/filebeat/modules.d/cyberark.yml.disabled similarity index 82% rename from x-pack/filebeat/modules.d/kaspersky.yml.disabled rename to x-pack/filebeat/modules.d/cyberark.yml.disabled index 5a0db0982e9..b4a887b686f 100644 --- a/x-pack/filebeat/modules.d/kaspersky.yml.disabled +++ b/x-pack/filebeat/modules.d/cyberark.yml.disabled @@ -1,14 +1,14 @@ -# Module: kaspersky -# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-kaspersky.html +# Module: cyberark +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-cyberark.html -- module: kaspersky - av: +- module: cyberark + corepas: enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp # var.syslog_host: localhost - # var.syslog_port: 9514 + # var.syslog_port: 9527 # Set paths for the log files when file input is used. # var.paths: diff --git a/x-pack/filebeat/modules.d/f5.yml.disabled b/x-pack/filebeat/modules.d/f5.yml.disabled index 633a0c5636a..fdf357dae44 100644 --- a/x-pack/filebeat/modules.d/f5.yml.disabled +++ b/x-pack/filebeat/modules.d/f5.yml.disabled @@ -21,13 +21,13 @@ # "+02:00" for GMT+02:00 # var.tz_offset: local - firepass: + bigipafm: enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp # var.syslog_host: localhost - # var.syslog_port: 9509 + # var.syslog_port: 9528 # Set paths for the log files when file input is used. # var.paths: diff --git a/x-pack/filebeat/modules.d/fortinet.yml.disabled b/x-pack/filebeat/modules.d/fortinet.yml.disabled index a1197485d81..12f4b4dcdea 100644 --- a/x-pack/filebeat/modules.d/fortinet.yml.disabled +++ b/x-pack/filebeat/modules.d/fortinet.yml.disabled @@ -33,3 +33,41 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local + + fortimail: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9529 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local + + fortimanager: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9530 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/gsuite.yml.disabled b/x-pack/filebeat/modules.d/gsuite.yml.disabled index efb79107ef4..d003ecbc7d3 100644 --- a/x-pack/filebeat/modules.d/gsuite.yml.disabled +++ b/x-pack/filebeat/modules.d/gsuite.yml.disabled @@ -2,8 +2,51 @@ # Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-gsuite.html - module: gsuite - # All logs saml: enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h user_accounts: enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + login: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + admin: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + drive: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + groups: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h diff --git a/x-pack/filebeat/modules.d/juniper.yml.disabled b/x-pack/filebeat/modules.d/juniper.yml.disabled index 3118b60ac28..e3359756d90 100644 --- a/x-pack/filebeat/modules.d/juniper.yml.disabled +++ b/x-pack/filebeat/modules.d/juniper.yml.disabled @@ -20,3 +20,22 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local + + netscreen: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9523 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/microsoft.yml.disabled b/x-pack/filebeat/modules.d/microsoft.yml.disabled index 9ea082817cf..09c7211e179 100644 --- a/x-pack/filebeat/modules.d/microsoft.yml.disabled +++ b/x-pack/filebeat/modules.d/microsoft.yml.disabled @@ -2,6 +2,20 @@ # Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-microsoft.html - module: microsoft + # ATP configuration + defender_atp: + enabled: true + # How often the API should be polled + #var.interval: 5m + + # Oauth Client ID + #var.oauth2.client.id: "" + + # Oauth Client Secret + #var.oauth2.client.secret: "" + + # Oauth Token URL, should include the tenant ID + #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" dhcp: enabled: true diff --git a/x-pack/filebeat/modules.d/proofpoint.yml.disabled b/x-pack/filebeat/modules.d/proofpoint.yml.disabled new file mode 100644 index 00000000000..b0f94ac3022 --- /dev/null +++ b/x-pack/filebeat/modules.d/proofpoint.yml.disabled @@ -0,0 +1,22 @@ +# Module: proofpoint +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-proofpoint.html + +- module: proofpoint + emailsecurity: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9531 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/rapid7.yml.disabled b/x-pack/filebeat/modules.d/snort.yml.disabled similarity index 83% rename from x-pack/filebeat/modules.d/rapid7.yml.disabled rename to x-pack/filebeat/modules.d/snort.yml.disabled index 8d24b0bce82..b8abbd3e370 100644 --- a/x-pack/filebeat/modules.d/rapid7.yml.disabled +++ b/x-pack/filebeat/modules.d/snort.yml.disabled @@ -1,14 +1,14 @@ -# Module: rapid7 -# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-rapid7.html +# Module: snort +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-snort.html -- module: rapid7 - nexpose: +- module: snort + log: enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp # var.syslog_host: localhost - # var.syslog_port: 9517 + # var.syslog_port: 9532 # Set paths for the log files when file input is used. # var.paths: diff --git a/x-pack/filebeat/modules.d/sophos.yml.disabled b/x-pack/filebeat/modules.d/sophos.yml.disabled new file mode 100644 index 00000000000..d0a7b23c632 --- /dev/null +++ b/x-pack/filebeat/modules.d/sophos.yml.disabled @@ -0,0 +1,46 @@ +# Module: sophos +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-sophos.html + +- module: sophos + xg: + enabled: true + + # Set which input to use between tcp, udp (default) or file. + #var.input: udp + + # The interface to listen to syslog traffic. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.syslog_host: localhost + + # The port to listen for syslog traffic. Defaults to 9004. + #var.syslog_port: 9005 + + # firewall default hostname + #var.default_host_name: firewall.localgroup.local + + # known firewalls + #var.known_devices: + #- serial_number: "1234567890123457" + # hostname: "a.host.local" + #- serial_number: "1234234590678557" + # hostname: "b.host.local" + + + utm: + enabled: true + + # Set which input to use between udp (default), tcp or file. + # var.input: udp + # var.syslog_host: localhost + # var.syslog_port: 9533 + + # Set paths for the log files when file input is used. + # var.paths: + + # Toggle output of non-ECS fields (default true). + # var.rsa_fields: true + + # Set custom timezone offset. + # "local" (default) for system timezone. + # "+02:00" for GMT+02:00 + # var.tz_offset: local diff --git a/x-pack/filebeat/modules.d/tenable.yml.disabled b/x-pack/filebeat/modules.d/symantec.yml.disabled similarity index 81% rename from x-pack/filebeat/modules.d/tenable.yml.disabled rename to x-pack/filebeat/modules.d/symantec.yml.disabled index 57ef8ee2536..133ee297662 100644 --- a/x-pack/filebeat/modules.d/tenable.yml.disabled +++ b/x-pack/filebeat/modules.d/symantec.yml.disabled @@ -1,14 +1,14 @@ -# Module: tenable -# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-tenable.html +# Module: symantec +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-symantec.html -- module: tenable - nessus_security: +- module: symantec + endpointprotection: enabled: true # Set which input to use between udp (default), tcp or file. # var.input: udp # var.syslog_host: localhost - # var.syslog_port: 9516 + # var.syslog_port: 9534 # Set paths for the log files when file input is used. # var.paths: diff --git a/x-pack/filebeat/modules.d/zoom.yml.disabled b/x-pack/filebeat/modules.d/zoom.yml.disabled new file mode 100644 index 00000000000..f5320d112b9 --- /dev/null +++ b/x-pack/filebeat/modules.d/zoom.yml.disabled @@ -0,0 +1,22 @@ +# Module: zoom +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-zoom.html + +- module: zoom + webhook: + enabled: true + + # The type of input to use + #var.input: http_endpoint + + # The interface to listen for incoming HTTP requests. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.listen_address: localhost + + # The port to bind to + #var.listen_port: 80 + + # The header Zoom uses to send its secret token, defaults to "Authorization" + #secret.header: Authorization + + # The secret token value created by Zoom + #secret.value: ZOOMTOKEN diff --git a/x-pack/filebeat/processors/decode_cef/cef/types.go b/x-pack/filebeat/processors/decode_cef/cef/types.go index c2c6776dcdb..a0e39c27b4c 100644 --- a/x-pack/filebeat/processors/decode_cef/cef/types.go +++ b/x-pack/filebeat/processors/decode_cef/cef/types.go @@ -105,6 +105,7 @@ var timeLayouts = []string{ "Jan _2 15:04:05.000 MST", "Jan _2 15:04:05.000 Z0700", "Jan _2 15:04:05.000 Z07:00", + "Jan _2 15:04:05.000 GMT-07:00", // MMM dd HH:mm:sss.SSS "Jan _2 15:04:05.000", @@ -113,6 +114,7 @@ var timeLayouts = []string{ "Jan _2 15:04:05 MST", "Jan _2 15:04:05 Z0700", "Jan _2 15:04:05 Z07:00", + "Jan _2 15:04:05 GMT-07:00", // MMM dd HH:mm:ss "Jan _2 15:04:05", @@ -121,6 +123,7 @@ var timeLayouts = []string{ "Jan _2 2006 15:04:05.000 MST", "Jan _2 2006 15:04:05.000 Z0700", "Jan _2 2006 15:04:05.000 Z07:00", + "Jan _2 2006 15:04:05.000 GMT-07:00", // MMM dd yyyy HH:mm:ss.SSS "Jan _2 2006 15:04:05.000", @@ -129,6 +132,7 @@ var timeLayouts = []string{ "Jan _2 2006 15:04:05 MST", "Jan _2 2006 15:04:05 Z0700", "Jan _2 2006 15:04:05 Z07:00", + "Jan _2 2006 15:04:05 GMT-07:00", // MMM dd yyyy HH:mm:ss "Jan _2 2006 15:04:05", diff --git a/x-pack/filebeat/processors/decode_cef/cef/types_test.go b/x-pack/filebeat/processors/decode_cef/cef/types_test.go index 142538eece4..fe44c13abb8 100644 --- a/x-pack/filebeat/processors/decode_cef/cef/types_test.go +++ b/x-pack/filebeat/processors/decode_cef/cef/types_test.go @@ -21,6 +21,7 @@ func TestToTimestamp(t *testing.T) { "Jun 23 17:37:24.000 +05", "Jun 23 17:37:24.000 +0500", "Jun 23 17:37:24.000 +05:00", + "Jun 23 17:37:24.000 GMT+05:00", // MMM dd HH:mm:sss.SSS "Jun 23 17:37:24.000", @@ -31,6 +32,7 @@ func TestToTimestamp(t *testing.T) { "Jun 23 17:37:24 +05", "Jun 23 17:37:24 +0500", "Jun 23 17:37:24 +05:00", + "Jun 23 17:37:24 GMT+05:00", // MMM dd HH:mm:ss "Jun 23 17:37:24", @@ -41,6 +43,7 @@ func TestToTimestamp(t *testing.T) { "Jun 23 2020 17:37:24.000 +05", "Jun 23 2020 17:37:24.000 +0500", "Jun 23 2020 17:37:24.000 +05:00", + "Jun 23 2020 17:37:24.000 GMT+05:00", // MMM dd yyyy HH:mm:ss.SSS "Jun 23 2020 17:37:24.000", @@ -51,6 +54,7 @@ func TestToTimestamp(t *testing.T) { "Jun 23 2020 17:37:24 +05", "Jun 23 2020 17:37:24 +0500", "Jun 23 2020 17:37:24 +05:00", + "Jun 23 2020 17:37:24 GMT+05:00", // MMM dd yyyy HH:mm:ss "Jun 23 2020 17:37:24", diff --git a/x-pack/filebeat/processors/decode_cef/docs/decode_cef.asciidoc b/x-pack/filebeat/processors/decode_cef/docs/decode_cef.asciidoc index 3078bf3477b..4666100a39e 100644 --- a/x-pack/filebeat/processors/decode_cef/docs/decode_cef.asciidoc +++ b/x-pack/filebeat/processors/decode_cef/docs/decode_cef.asciidoc @@ -28,7 +28,7 @@ The `decode_cef` processor has the following configuration settings. .Decode CEF options [options="header"] |====== -| Name | Required | Default | Description +| Name | Required | Default | Description | | `field` | no | message | Source field containing the CEF message to be parsed. | | `target_field` | no | cef | Target field where the parsed CEF object will be written. | | `ecs` | no | true | Generate Elastic Common Schema (ECS) fields from the CEF data. diff --git a/x-pack/filebeat/tests/system/test_filebeat_xpack.py b/x-pack/filebeat/tests/system/test_filebeat_xpack.py new file mode 100644 index 00000000000..7da62ca7264 --- /dev/null +++ b/x-pack/filebeat/tests/system/test_filebeat_xpack.py @@ -0,0 +1,27 @@ +import jinja2 +import os +import sys +from beat import common_tests +from filebeat import BaseTest as FilebeatTest + + +class FilebeatXPackTest(FilebeatTest, common_tests.TestExportsMixin): + + @classmethod + def setUpClass(self): + self.beat_name = "filebeat" + self.beat_path = os.path.abspath( + os.path.join(os.path.dirname(__file__), "../../")) + + super(FilebeatTest, self).setUpClass() + + def setUp(self): + super(FilebeatTest, self).setUp() + + # Hack to make jinja2 have the right paths + self.template_env = jinja2.Environment( + loader=jinja2.FileSystemLoader([ + os.path.abspath(os.path.join(self.beat_path, "../../filebeat")), + os.path.abspath(os.path.join(self.beat_path, "../../libbeat")) + ]) + ) diff --git a/x-pack/filebeat/tests/system/test_http_endpoint.py b/x-pack/filebeat/tests/system/test_http_endpoint.py index 8d0b863b70b..cfb8aa37ebf 100644 --- a/x-pack/filebeat/tests/system/test_http_endpoint.py +++ b/x-pack/filebeat/tests/system/test_http_endpoint.py @@ -3,11 +3,8 @@ import sys import os import json -from requests.auth import HTTPBasicAuth - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../../../filebeat/tests/system')) - from filebeat import BaseTest +from requests.auth import HTTPBasicAuth class Test(BaseTest): @@ -79,9 +76,11 @@ def test_http_endpoint_request(self): output = self.read_output() + print("response:", r.status_code, r.text) + + assert r.text == '{"message": "success"}' assert output[0]["input.type"] == "http_endpoint" assert output[0]["json.{}".format(self.prefix)] == message - assert r.text == '{"message": "success"}' def test_http_endpoint_wrong_content_header(self): """ @@ -98,6 +97,8 @@ def test_http_endpoint_wrong_content_header(self): filebeat.check_kill_and_wait() + print("response:", r.status_code, r.text) + assert r.status_code == 415 assert r.text == '{"message": "Wrong Content-Type header, expecting application/json"}' @@ -109,6 +110,20 @@ def test_http_endpoint_missing_auth_value(self): basic_auth: true username: testuser password: +""" + self.get_config(options) + filebeat = self.start_beat() + self.wait_until(lambda: self.log_contains("Username and password required when basicauth is enabled")) + filebeat.kill_and_wait() + + def test_http_endpoint_wrong_auth_value(self): + """ + Test http_endpoint input with wrong basic auth values. + """ + options = """ + basic_auth: true + username: testuser + password: testpassword """ self.get_config(options) filebeat = self.start_beat() @@ -117,22 +132,22 @@ def test_http_endpoint_missing_auth_value(self): message = "somerandommessage" payload = {self.prefix: message} headers = {"Content-Type": "application/json", "Accept": "application/json"} - r = requests.post(self.url, headers=headers, data=json.dumps( - payload), auth=HTTPBasicAuth('testuser', 'something')) + r = requests.post(self.url, headers=headers, data=json.dumps(payload), auth=HTTPBasicAuth('testuser', 'qwerty')) filebeat.check_kill_and_wait() + print("response:", r.status_code, r.text) + assert r.status_code == 401 - assert r.text == '{"message": "Username and password required when basicauth is enabled"}' + assert r.text == '{"message": "Incorrect username or password"}' - def test_http_endpoint_wrong_auth_value(self): + def test_http_endpoint_wrong_auth_header(self): """ - Test http_endpoint input with wrong basic auth values. + Test http_endpoint input with wrong auth header and secret. """ options = """ - basic_auth: true - username: testuser - password: testpassword + secret.header: Authorization + secret.value: 123password """ self.get_config(options) filebeat = self.start_beat() @@ -140,13 +155,39 @@ def test_http_endpoint_wrong_auth_value(self): message = "somerandommessage" payload = {self.prefix: message} - headers = {"Content-Type": "application/json", "Accept": "application/json"} - r = requests.post(self.url, headers=headers, data=json.dumps(payload), auth=HTTPBasicAuth('testuser', 'qwerty')) + headers = {"Content-Type": "application/json", "Authorization": "password123"} + r = requests.post(self.url, headers=headers, data=json.dumps(payload)) filebeat.check_kill_and_wait() + print("response:", r.status_code, r.text) + assert r.status_code == 401 - assert r.text == '{"message": "Incorrect username or password"}' + assert r.text == '{"message": "Incorrect header or header secret"}' + + def test_http_endpoint_correct_auth_header(self): + """ + Test http_endpoint input with correct auth header and secret. + """ + options = """ + secret.header: Authorization + secret.value: 123password +""" + self.get_config(options) + filebeat = self.start_beat() + self.wait_until(lambda: self.log_contains("Starting HTTP server on {}:{}".format(self.host, self.port))) + + message = "somerandommessage" + payload = {self.prefix: message} + headers = {"Content-Type": "application/json", "Authorization": "123password"} + r = requests.post(self.url, headers=headers, data=json.dumps(payload)) + + filebeat.check_kill_and_wait() + output = self.read_output() + + assert r.text == '{"message": "success"}' + assert output[0]["input.type"] == "http_endpoint" + assert output[0]["json.{}".format(self.prefix)] == message def test_http_endpoint_empty_body(self): """ @@ -161,6 +202,8 @@ def test_http_endpoint_empty_body(self): filebeat.check_kill_and_wait() + print("response:", r.status_code, r.text) + assert r.status_code == 406 assert r.text == '{"message": "Body cannot be empty"}' @@ -178,8 +221,10 @@ def test_http_endpoint_malformed_json(self): filebeat.check_kill_and_wait() + print("response:", r.status_code, r.text) + assert r.status_code == 400 - assert r.text == '{"message": "Malformed JSON body"}' + assert r.text.startswith('{"message": "Malformed JSON body:') def test_http_endpoint_get_request(self): """ @@ -193,8 +238,9 @@ def test_http_endpoint_get_request(self): payload = {self.prefix: message} headers = {"Content-Type": "application/json", "Accept": "application/json"} r = requests.get(self.url, headers=headers, data=json.dumps(payload)) - filebeat.check_kill_and_wait() + print("response:", r.status_code, r.text) + assert r.status_code == 405 assert r.text == '{"message": "Only POST requests supported"}' diff --git a/x-pack/filebeat/tests/system/test_xpack_modules.py b/x-pack/filebeat/tests/system/test_xpack_modules.py index 566850a4720..e0397a99811 100644 --- a/x-pack/filebeat/tests/system/test_xpack_modules.py +++ b/x-pack/filebeat/tests/system/test_xpack_modules.py @@ -1,8 +1,5 @@ import os import sys - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../../../filebeat/tests/system')) - import test_modules diff --git a/x-pack/functionbeat/Dockerfile b/x-pack/functionbeat/Dockerfile index 844d810830d..3abd7b67c5e 100644 --- a/x-pack/functionbeat/Dockerfile +++ b/x-pack/functionbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 RUN \ apt-get update \ @@ -10,8 +10,6 @@ RUN \ python3-venv \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/x-pack/functionbeat/Jenkinsfile.yml b/x-pack/functionbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..f3428ae7cc8 --- /dev/null +++ b/x-pack/functionbeat/Jenkinsfile.yml @@ -0,0 +1,32 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^x-pack/functionbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@xpack" ## special token regarding the changeset for the xpack + comments: ## when PR comment contains any of those entries + - "/test x-pack/functionbeat" + labels: ## when PR labels matches any of those entries + - "x-pack-functionbeat" + parameters: ## when parameter was selected in the UI. + - "x-pack-functionbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage build test && GO_VERSION=1.13.1 mage testGCPFunctions" + macos: + mage: "mage build unitTest" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test x-pack/functionbeat for macos" + labels: + - "macOS" + parameters: + - "macosTest" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/x-pack/functionbeat/_meta/config/beat.reference.yml.tmpl b/x-pack/functionbeat/_meta/config/beat.reference.yml.tmpl index c306fb0ac2a..b0ec63db137 100644 --- a/x-pack/functionbeat/_meta/config/beat.reference.yml.tmpl +++ b/x-pack/functionbeat/_meta/config/beat.reference.yml.tmpl @@ -196,7 +196,7 @@ functionbeat.provider.aws.functions: # List of Kinesis streams. triggers: # Arn for the Kinesis stream. - - event_source_arn: arn:aws:sqs:us-east-1:xxxxx:myevents + - event_source_arn: arn:aws:kinesis:us-east-1:xxxxx:myevents # batch_size is the number of events read in a batch. # Default is 10. @@ -206,6 +206,10 @@ functionbeat.provider.aws.functions: # Default is trim_horizon. #starting_position: "trim_horizon" + # parallelization_factor is the number of batches to process from each shard concurrently. + # Default is 1. + #parallelization_factor: 1 + # Set to true to publish fields with null values in events. #keep_null: false @@ -263,7 +267,7 @@ functionbeat.provider.aws.functions: # List of Kinesis streams. triggers: # Arn for the Kinesis stream. - - event_source_arn: arn:aws:sqs:us-east-1:xxxxx:myevents + - event_source_arn: arn:aws:kinesis:us-east-1:xxxxx:myevents # batch_size is the number of events read in a batch. # Default is 10. @@ -273,6 +277,10 @@ functionbeat.provider.aws.functions: # Default is trim_horizon. #starting_position: "trim_horizon" + # parallelization_factor is the number of batches to process from each shard concurrently. + # Default is 1. + #parallelization_factor: 1 + # Set to true to publish fields with null values in events. #keep_null: false diff --git a/x-pack/functionbeat/_meta/config/beat.yml.tmpl b/x-pack/functionbeat/_meta/config/beat.yml.tmpl index 533d33dc599..00caf63d94c 100644 --- a/x-pack/functionbeat/_meta/config/beat.yml.tmpl +++ b/x-pack/functionbeat/_meta/config/beat.yml.tmpl @@ -170,7 +170,7 @@ functionbeat.provider.aws.functions: # List of Kinesis streams. triggers: # Arn for the Kinesis stream. - - event_source_arn: arn:aws:sqs:us-east-1:xxxxx:myevents + - event_source_arn: arn:aws:kinesis:us-east-1:xxxxx:myevents # batch_size is the number of events read in a batch. # Default is 10. @@ -180,6 +180,10 @@ functionbeat.provider.aws.functions: # Default is trim_horizon. #starting_position: "trim_horizon" + # parallelization_factor is the number of batches to process from each shard concurrently. + # Default is 1. + #parallelization_factor: 1 + # Create a function that accepts Cloudwatch logs from Kinesis streams. - name: cloudwatch-logs-kinesis enabled: false @@ -233,7 +237,7 @@ functionbeat.provider.aws.functions: # List of Kinesis streams. triggers: # Arn for the Kinesis stream. - - event_source_arn: arn:aws:sqs:us-east-1:xxxxx:myevents + - event_source_arn: arn:aws:kinesis:us-east-1:xxxxx:myevents # batch_size is the number of events read in a batch. # Default is 10. @@ -243,6 +247,10 @@ functionbeat.provider.aws.functions: # Default is trim_horizon. #starting_position: "trim_horizon" + # parallelization_factor is the number of batches to process from each shard concurrently. + # Default is 1. + #parallelization_factor: 1 + # Configure functions to run on Google Cloud Platform, currently we assume that the credentials # are present in the environment to correctly create the function when using the CLI. # diff --git a/x-pack/functionbeat/conftest.py b/x-pack/functionbeat/conftest.py new file mode 100644 index 00000000000..8e1002b41e5 --- /dev/null +++ b/x-pack/functionbeat/conftest.py @@ -0,0 +1,5 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../../libbeat/tests/system')) +sys.path.append(os.path.join(os.path.dirname(__file__), './tests/system')) diff --git a/x-pack/functionbeat/dev-tools/packaging/packages.yml b/x-pack/functionbeat/dev-tools/packaging/packages.yml index 47379c8793e..e6c3346bf1a 100644 --- a/x-pack/functionbeat/dev-tools/packaging/packages.yml +++ b/x-pack/functionbeat/dev-tools/packaging/packages.yml @@ -65,6 +65,12 @@ shared: pkg/functionbeat-aws: source: 'provider/aws/build/golang-crossbuild/aws-linux-amd64' mode: 0755 + pkg/pubsub/vendor: + source: 'provider/gcp/build/pubsub/vendor' + mode: 0644 + pkg/storage/vendor: + source: 'provider/gcp/build/storage/vendor' + mode: 0644 pkg/pubsub/pubsub.go: source: 'provider/gcp/pubsub/pubsub.go' mode: 0655 diff --git a/x-pack/functionbeat/docs/config-options-aws.asciidoc b/x-pack/functionbeat/docs/config-options-aws.asciidoc index fe2550c12d7..dd52ef21ad1 100644 --- a/x-pack/functionbeat/docs/config-options-aws.asciidoc +++ b/x-pack/functionbeat/docs/config-options-aws.asciidoc @@ -176,7 +176,7 @@ Set this option to an ARN that points to an SQS queue. [id="{beatname_lc}-batch-size"] ==== `batch_size` -The number of events to read from a Kinesis stream, the minimal values is 100 and the maximun is +The number of events to read from a Kinesis stream, the minimum value is 100 and the maximum is 10000. The default is 100. [float] @@ -186,6 +186,13 @@ The number of events to read from a Kinesis stream, the minimal values is 100 an The starting position to read from a Kinesis stream, valids values are `trim_horizon` and `latest`. The default is trim_horizon. +[float] +[id="{beatname_lc}-parallelization-factor"] +==== `parallelization_factor` + +The number of batches to process from each shard concurrently, the minimum value is 1 and the maximum is 10 +The default is 1. + [float] [id="{beatname_lc}-keep-null"] ==== `keep_null` diff --git a/x-pack/functionbeat/docs/configuring-howto.asciidoc b/x-pack/functionbeat/docs/configuring-howto.asciidoc index ff0525cecb0..192cb79fea3 100644 --- a/x-pack/functionbeat/docs/configuring-howto.asciidoc +++ b/x-pack/functionbeat/docs/configuring-howto.asciidoc @@ -21,6 +21,7 @@ include::{libbeat-dir}/shared/configuring-intro.asciidoc[] * <> * <> * <> +* <> * <<{beatname_lc}-reference-yml>> -- @@ -57,5 +58,8 @@ include::{libbeat-dir}/loggingconfig.asciidoc[] [role="xpack"] include::{libbeat-dir}/regexp.asciidoc[] +[role="xpack"] +include::{libbeat-dir}/shared-instrumentation.asciidoc[] + [role="xpack"] include::{libbeat-dir}/reference-yml.asciidoc[] diff --git a/x-pack/functionbeat/docs/fields.asciidoc b/x-pack/functionbeat/docs/fields.asciidoc index 631e9a7780f..73c93e39a61 100644 --- a/x-pack/functionbeat/docs/fields.asciidoc +++ b/x-pack/functionbeat/docs/fields.asciidoc @@ -95,16 +95,6 @@ Metadata from cloud providers added by the add_cloud_metadata processor. -*`cloud.project.id`*:: -+ --- -Name of the project in Google Cloud. - - -example: project-x - --- - *`cloud.image.id`*:: + -- @@ -289,6 +279,18 @@ The agent fields contain the data about the software entity, if any, that collec Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`agent.build.original`*:: ++ +-- +Extended build information for the agent. +This field is intended to contain any build information that a data source may provide, no specific formatting is required. + +type: keyword + +example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] + +-- + *`agent.ephemeral_id`*:: + -- @@ -330,7 +332,7 @@ example: foo + -- Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. type: keyword @@ -546,8 +548,7 @@ example: Quebec *`client.ip`*:: + -- -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the client (IPv4 or IPv6). type: ip @@ -610,19 +611,19 @@ format: string + -- The highest registered client domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`client.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -709,7 +710,7 @@ type: keyword *`client.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -733,6 +734,17 @@ type: text -- +*`client.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === cloud @@ -751,6 +763,18 @@ example: 666777888999 -- +*`cloud.account.name`*:: ++ +-- +The cloud account name or alias used to identify different entities in a multi-tenant environment. +Examples: AWS account name, Google Cloud ORG display name. + +type: keyword + +example: elastic-dev + +-- + *`cloud.availability_zone`*:: + -- @@ -793,6 +817,30 @@ example: t2.medium -- +*`cloud.project.id`*:: ++ +-- +The cloud project identifier. +Examples: Google Cloud Project id, Azure Project id. + +type: keyword + +example: my-project + +-- + +*`cloud.project.name`*:: ++ +-- +The cloud project name. +Examples: Google Cloud Project name, Azure Project name. + +type: keyword + +example: my project + +-- + *`cloud.provider`*:: + -- @@ -1103,8 +1151,7 @@ example: Quebec *`destination.ip`*:: + -- -IP address of the destination. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the destination (IPv4 or IPv6). type: ip @@ -1167,19 +1214,19 @@ format: string + -- The highest registered destination domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`destination.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1266,7 +1313,7 @@ type: keyword *`destination.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -1290,6 +1337,17 @@ type: text -- +*`destination.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === dll @@ -1418,6 +1476,17 @@ example: C:\Windows\System32\kernel32.dll -- +*`dll.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`dll.pe.company`*:: + -- @@ -1451,6 +1520,18 @@ example: 6.3.9600.17415 -- +*`dll.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`dll.pe.original_file_name`*:: + -- @@ -1522,7 +1603,7 @@ If a chain of CNAME is being resolved, each answer's `name` should be the one th type: keyword -example: www.google.com +example: www.example.com -- @@ -1601,7 +1682,7 @@ If the name field contains non-printable characters (below 32 or above 126), tho type: keyword -example: www.google.com +example: www.example.com -- @@ -1609,12 +1690,12 @@ example: www.google.com + -- The highest registered domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- @@ -1633,7 +1714,7 @@ example: www *`dns.question.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -1750,6 +1831,8 @@ The stack trace of this error in plain text. type: keyword +Field is not indexed. + -- *`error.stack_trace.text`*:: @@ -1932,6 +2015,8 @@ type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 +Field is not indexed. + -- *`event.outcome`*:: @@ -1961,6 +2046,18 @@ example: kernel -- +*`event.reason`*:: ++ +-- +Reason why this event happened, according to the source. +This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). + +type: keyword + +example: Terminated an unexpected process + +-- + *`event.reference`*:: + -- @@ -1969,7 +2066,7 @@ This URL links to a static definition of the this event. Alert events, indicated type: keyword -example: https://system.vendor.com/event/#0001234 +example: https://system.example.com/event/#0001234 -- @@ -2053,11 +2150,11 @@ type: keyword + -- URL linking to an external system to continue investigation of this event. -This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. +This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. type: keyword -example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe +example: https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe -- @@ -2351,6 +2448,17 @@ type: text -- +*`file.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`file.pe.company`*:: + -- @@ -2384,6 +2492,18 @@ example: 6.3.9600.17415 -- +*`file.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`file.pe.original_file_name`*:: + -- @@ -2456,211 +2576,278 @@ example: 1001 -- -[float] -=== geo +*`file.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. -Geo fields can carry data about a specific location related to an event. -This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. +type: keyword +example: *.elastic.co -*`geo.city_name`*:: +-- + +*`file.x509.issuer.common_name`*:: + -- -City name. +List of common name (CN) of issuing certificate authority. type: keyword -example: Montreal +example: Example SHA2 High Assurance Server CA -- -*`geo.continent_name`*:: +*`file.x509.issuer.country`*:: + -- -Name of the continent. +List of country (C) codes type: keyword -example: North America +example: US -- -*`geo.country_iso_code`*:: +*`file.x509.issuer.distinguished_name`*:: + -- -Country ISO code. +Distinguished name (DN) of issuing certificate authority. type: keyword -example: CA +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`geo.country_name`*:: +*`file.x509.issuer.locality`*:: + -- -Country name. +List of locality names (L) type: keyword -example: Canada +example: Mountain View -- -*`geo.location`*:: +*`file.x509.issuer.organization`*:: + -- -Longitude and latitude. +List of organizations (O) of issuing certificate authority. -type: geo_point +type: keyword -example: { "lon": -73.614830, "lat": 45.505918 } +example: Example Inc -- -*`geo.name`*:: +*`file.x509.issuer.organizational_unit`*:: + -- -User-defined description of a location, at the level of granularity they care about. -Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. -Not typically used in automated geolocation. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: boston-dc +example: www.example.com -- -*`geo.region_iso_code`*:: +*`file.x509.issuer.state_or_province`*:: + -- -Region ISO code. +List of state or province names (ST, S, or P) type: keyword -example: CA-QC +example: California -- -*`geo.region_name`*:: +*`file.x509.not_after`*:: + -- -Region name. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: Quebec +example: 2020-07-16 03:15:39+00:00 -- -[float] -=== group +*`file.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. -The group fields are meant to represent groups that are relevant to the event. +type: date +example: 2019-08-16 01:40:25+00:00 -*`group.domain`*:: +-- + +*`file.x509.public_key_algorithm`*:: + -- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. +Algorithm used to generate the public key. type: keyword +example: RSA + -- -*`group.id`*:: +*`file.x509.public_key_curve`*:: + -- -Unique identifier for the group on the system/platform. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. type: keyword +example: nistp521 + -- -*`group.name`*:: +*`file.x509.public_key_exponent`*:: + -- -Name of the group. +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`file.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`file.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword +example: 55FBB9C7DEBF09809D12CCAA + -- -[float] -=== hash +*`file.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. -The hash fields represent different hash algorithms and their values. -Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). +type: keyword +example: SHA256-RSA -*`hash.md5`*:: +-- + +*`file.x509.subject.common_name`*:: + -- -MD5 hash. +List of common names (CN) of subject. type: keyword +example: shared.global.example.net + -- -*`hash.sha1`*:: +*`file.x509.subject.country`*:: + -- -SHA1 hash. +List of country (C) code type: keyword +example: US + -- -*`hash.sha256`*:: +*`file.x509.subject.distinguished_name`*:: + -- -SHA256 hash. +Distinguished name (DN) of the certificate subject entity. type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + -- -*`hash.sha512`*:: +*`file.x509.subject.locality`*:: + -- -SHA512 hash. +List of locality names (L) type: keyword +example: San Francisco + -- -[float] -=== host +*`file.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. -A host is defined as a general computing instance. -ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. +type: keyword +example: Example, Inc. -*`host.architecture`*:: +-- + +*`file.x509.subject.organizational_unit`*:: + -- -Operating system architecture. +List of organizational units (OU) of subject. type: keyword -example: x86_64 +-- + +*`file.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California -- -*`host.domain`*:: +*`file.x509.version_number`*:: + -- -Name of the domain of which the host is a member. -For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. +Version of x509 format. type: keyword -example: CONTOSO +example: 3 -- -*`host.geo.city_name`*:: +[float] +=== geo + +Geo fields can carry data about a specific location related to an event. +This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. + + +*`geo.city_name`*:: + -- City name. @@ -2671,7 +2858,7 @@ example: Montreal -- -*`host.geo.continent_name`*:: +*`geo.continent_name`*:: + -- Name of the continent. @@ -2682,7 +2869,7 @@ example: North America -- -*`host.geo.country_iso_code`*:: +*`geo.country_iso_code`*:: + -- Country ISO code. @@ -2693,7 +2880,7 @@ example: CA -- -*`host.geo.country_name`*:: +*`geo.country_name`*:: + -- Country name. @@ -2704,7 +2891,7 @@ example: Canada -- -*`host.geo.location`*:: +*`geo.location`*:: + -- Longitude and latitude. @@ -2715,7 +2902,7 @@ example: { "lon": -73.614830, "lat": 45.505918 } -- -*`host.geo.name`*:: +*`geo.name`*:: + -- User-defined description of a location, at the level of granularity they care about. @@ -2728,7 +2915,7 @@ example: boston-dc -- -*`host.geo.region_iso_code`*:: +*`geo.region_iso_code`*:: + -- Region ISO code. @@ -2739,7 +2926,7 @@ example: CA-QC -- -*`host.geo.region_name`*:: +*`geo.region_name`*:: + -- Region name. @@ -2750,20 +2937,217 @@ example: Quebec -- -*`host.hostname`*:: +[float] +=== group + +The group fields are meant to represent groups that are relevant to the event. + + +*`group.domain`*:: + -- -Hostname of the host. -It normally contains what the `hostname` command returns on the host machine. +Name of the directory the group is a member of. +For example, an LDAP or Active Directory domain name. type: keyword -- -*`host.id`*:: +*`group.id`*:: + -- -Unique host id. +Unique identifier for the group on the system/platform. + +type: keyword + +-- + +*`group.name`*:: ++ +-- +Name of the group. + +type: keyword + +-- + +[float] +=== hash + +The hash fields represent different hash algorithms and their values. +Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512). + + +*`hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +[float] +=== host + +A host is defined as a general computing instance. +ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. + + +*`host.architecture`*:: ++ +-- +Operating system architecture. + +type: keyword + +example: x86_64 + +-- + +*`host.domain`*:: ++ +-- +Name of the domain of which the host is a member. +For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. + +type: keyword + +example: CONTOSO + +-- + +*`host.geo.city_name`*:: ++ +-- +City name. + +type: keyword + +example: Montreal + +-- + +*`host.geo.continent_name`*:: ++ +-- +Name of the continent. + +type: keyword + +example: North America + +-- + +*`host.geo.country_iso_code`*:: ++ +-- +Country ISO code. + +type: keyword + +example: CA + +-- + +*`host.geo.country_name`*:: ++ +-- +Country name. + +type: keyword + +example: Canada + +-- + +*`host.geo.location`*:: ++ +-- +Longitude and latitude. + +type: geo_point + +example: { "lon": -73.614830, "lat": 45.505918 } + +-- + +*`host.geo.name`*:: ++ +-- +User-defined description of a location, at the level of granularity they care about. +Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. +Not typically used in automated geolocation. + +type: keyword + +example: boston-dc + +-- + +*`host.geo.region_iso_code`*:: ++ +-- +Region ISO code. + +type: keyword + +example: CA-QC + +-- + +*`host.geo.region_name`*:: ++ +-- +Region name. + +type: keyword + +example: Quebec + +-- + +*`host.hostname`*:: ++ +-- +Hostname of the host. +It normally contains what the `hostname` command returns on the host machine. + +type: keyword + +-- + +*`host.id`*:: ++ +-- +Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. @@ -2978,7 +3362,7 @@ type: keyword *`host.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -3002,6 +3386,17 @@ type: text -- +*`host.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === http @@ -3056,11 +3451,13 @@ format: bytes + -- HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". +Prior to ECS 1.6.0 the following guidance was provided: +"The field value must be normalized to lowercase for querying." +As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 type: keyword -example: get, post, put +example: GET, POST, PUT, PoST -- @@ -3190,6 +3587,18 @@ The log.* fields are typically populated with details about the logging mechanis The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields. +*`log.file.path`*:: ++ +-- +Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. +If the event wasn't read from a log file, do not populate this field. + +type: keyword + +example: /var/log/fun-times.log + +-- + *`log.level`*:: + -- @@ -3228,7 +3637,8 @@ example: 42 *`log.origin.file.name`*:: + -- -The name of the file containing the source code which originated the log event. Note that this is not the name of the log file. +The name of the file containing the source code which originated the log event. +Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. type: keyword @@ -3258,6 +3668,8 @@ type: keyword example: Sep 19 08:26:10 localhost My log +Field is not indexed. + -- *`log.syslog`*:: @@ -4226,6 +4638,17 @@ example: 1.12.9 These fields contain Windows Portable Executable (PE) metadata. +*`pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`pe.company`*:: + -- @@ -4259,6 +4682,18 @@ example: 6.3.9600.17415 -- +*`pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`pe.original_file_name`*:: + -- @@ -4490,12 +4925,12 @@ type: text *`process.parent.args`*:: + -- -Array of process arguments. +Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: keyword -example: ['ssh', '-l', 'user', '10.0.0.16'] +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- @@ -4686,49 +5121,127 @@ type: text -- -*`process.parent.pgid`*:: +*`process.parent.pe.architecture`*:: + -- -Identifier of the group of processes the process belongs to. +CPU architecture target for the file. -type: long +type: keyword -format: string +example: x64 -- -*`process.parent.pid`*:: +*`process.parent.pe.company`*:: + -- -Process id. - -type: long +Internal company name of the file, provided at compile-time. -example: 4242 +type: keyword -format: string +example: Microsoft Corporation -- -*`process.parent.ppid`*:: +*`process.parent.pe.description`*:: + -- -Parent process' pid. - -type: long +Internal description of the file, provided at compile-time. -example: 4241 +type: keyword -format: string +example: Paint -- -*`process.parent.start`*:: +*`process.parent.pe.file_version`*:: + -- -The time the process started. +Internal version of the file, provided at compile-time. -type: date +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.parent.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + +*`process.parent.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.parent.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`process.parent.pgid`*:: ++ +-- +Identifier of the group of processes the process belongs to. + +type: long + +format: string + +-- + +*`process.parent.pid`*:: ++ +-- +Process id. + +type: long + +example: 4242 + +format: string + +-- + +*`process.parent.ppid`*:: ++ +-- +Parent process' pid. + +type: long + +example: 4241 + +format: string + +-- + +*`process.parent.start`*:: ++ +-- +The time the process started. + +type: date example: 2016-05-23T08:05:34.853Z @@ -4804,6 +5317,17 @@ type: text -- +*`process.pe.architecture`*:: ++ +-- +CPU architecture target for the file. + +type: keyword + +example: x64 + +-- + *`process.pe.company`*:: + -- @@ -4837,6 +5361,18 @@ example: 6.3.9600.17415 -- +*`process.pe.imphash`*:: ++ +-- +A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. +Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. + +type: keyword + +example: 0c6803c4e922103c4dca5963aad36ddf + +-- + *`process.pe.original_file_name`*:: + -- @@ -5079,6 +5615,15 @@ type: keyword -- +*`related.hosts`*:: ++ +-- +All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + +type: keyword + +-- + *`related.ip`*:: + -- @@ -5377,8 +5922,7 @@ example: Quebec *`server.ip`*:: + -- -IP address of the server. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the server (IPv4 or IPv6). type: ip @@ -5441,19 +5985,19 @@ format: string + -- The highest registered server domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`server.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -5540,7 +6084,7 @@ type: keyword *`server.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -5564,6 +6108,17 @@ type: text -- +*`server.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === service @@ -5817,8 +6372,7 @@ example: Quebec *`source.ip`*:: + -- -IP address of the source. -Can be one or multiple IPv4 or IPv6 addresses. +IP address of the source (IPv4 or IPv6). type: ip @@ -5881,19 +6435,19 @@ format: string + -- The highest registered source domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- *`source.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -5980,7 +6534,7 @@ type: keyword *`source.user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -6004,10 +6558,21 @@ type: text -- +*`source.user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === threat -Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework. +Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework. These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service"). @@ -6025,7 +6590,7 @@ example: MITRE ATT&CK *`threat.tactic.id`*:: + -- -The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -6036,7 +6601,7 @@ example: TA0040 *`threat.tactic.name`*:: + -- -Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/) type: keyword @@ -6047,7 +6612,7 @@ example: impact *`threat.tactic.reference`*:: + -- -The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) +The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ ) type: keyword @@ -6058,7 +6623,7 @@ example: https://attack.mitre.org/tactics/TA0040/ *`threat.technique.id`*:: + -- -The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword @@ -6069,11 +6634,11 @@ example: T1499 *`threat.technique.name`*:: + -- -The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/) type: keyword -example: endpoint denial of service +example: Endpoint Denial of Service -- @@ -6087,7 +6652,7 @@ type: text *`threat.technique.reference`*:: + -- -The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) +The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ ) type: keyword @@ -6174,7 +6739,7 @@ Distinguished name of subject of the issuer of the x.509 certificate presented b type: keyword -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com -- @@ -6214,7 +6779,7 @@ example: 1970-01-01T00:00:00.000Z *`tls.client.server_name`*:: + -- -Also called an SNI, this tells the server which hostname to which the client is attempting to connect. When this value is available, it should get copied to `destination.domain`. +Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. type: keyword @@ -6229,7 +6794,7 @@ Distinguished name of subject of the x.509 certificate presented by the client. type: keyword -example: CN=myclient, OU=Documentation Team, DC=mydomain, DC=com +example: CN=myclient, OU=Documentation Team, DC=example, DC=com -- @@ -6244,319 +6809,859 @@ example: ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256 -- -*`tls.curve`*:: +*`tls.client.x509.alternative_names`*:: + -- -String indicating the curve used for the given cipher, when applicable. +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. type: keyword -example: secp256r1 +example: *.elastic.co -- -*`tls.established`*:: +*`tls.client.x509.issuer.common_name`*:: + -- -Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +List of common name (CN) of issuing certificate authority. -type: boolean +type: keyword + +example: Example SHA2 High Assurance Server CA -- -*`tls.next_protocol`*:: +*`tls.client.x509.issuer.country`*:: + -- -String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. +List of country (C) codes type: keyword -example: http/1.1 +example: US -- -*`tls.resumed`*:: +*`tls.client.x509.issuer.distinguished_name`*:: + -- -Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +Distinguished name (DN) of issuing certificate authority. -type: boolean +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA -- -*`tls.server.certificate`*:: +*`tls.client.x509.issuer.locality`*:: + -- -PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. +List of locality names (L) type: keyword -example: MII... +example: Mountain View -- -*`tls.server.certificate_chain`*:: +*`tls.client.x509.issuer.organization`*:: + -- -Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. +List of organizations (O) of issuing certificate authority. type: keyword -example: ['MII...', 'MII...'] +example: Example Inc -- -*`tls.server.hash.md5`*:: +*`tls.client.x509.issuer.organizational_unit`*:: + -- -Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of organizational units (OU) of issuing certificate authority. type: keyword -example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC +example: www.example.com -- -*`tls.server.hash.sha1`*:: +*`tls.client.x509.issuer.state_or_province`*:: + -- -Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +List of state or province names (ST, S, or P) type: keyword -example: 9E393D93138888D288266C2D915214D1D1CCEB2A +example: California -- -*`tls.server.hash.sha256`*:: +*`tls.client.x509.not_after`*:: + -- -Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. +Time at which the certificate is no longer considered valid. -type: keyword +type: date -example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 +example: 2020-07-16 03:15:39+00:00 -- -*`tls.server.issuer`*:: +*`tls.client.x509.not_before`*:: + -- -Subject of the issuer of the x.509 certificate presented by the server. +Time at which the certificate is first considered valid. -type: keyword +type: date -example: CN=MyDomain Root CA, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2019-08-16 01:40:25+00:00 -- -*`tls.server.ja3s`*:: +*`tls.client.x509.public_key_algorithm`*:: + -- -A hash that identifies servers based on how they perform an SSL/TLS handshake. +Algorithm used to generate the public key. type: keyword -example: 394441ab65754e2207b1e1b457b3641d +example: RSA -- -*`tls.server.not_after`*:: +*`tls.client.x509.public_key_curve`*:: + -- -Timestamp indicating when server certificate is no longer considered valid. +The curve used by the elliptic curve public key algorithm. This is algorithm specific. -type: date +type: keyword -example: 2021-01-01T00:00:00.000Z +example: nistp521 -- -*`tls.server.not_before`*:: +*`tls.client.x509.public_key_exponent`*:: + -- -Timestamp indicating when server certificate is first considered valid. +Exponent used to derive the public key. This is algorithm specific. -type: date +type: long -example: 1970-01-01T00:00:00.000Z +example: 65537 + +Field is not indexed. -- -*`tls.server.subject`*:: +*`tls.client.x509.public_key_size`*:: + -- -Subject of the x.509 certificate presented by the server. +The size of the public key space in bits. -type: keyword +type: long -example: CN=www.mydomain.com, OU=Infrastructure Team, DC=mydomain, DC=com +example: 2048 -- -*`tls.version`*:: +*`tls.client.x509.serial_number`*:: + -- -Numeric part of the version parsed from the original string. +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. type: keyword -example: 1.2 +example: 55FBB9C7DEBF09809D12CCAA -- -*`tls.version_protocol`*:: +*`tls.client.x509.signature_algorithm`*:: + -- -Normalized lowercase protocol name parsed from original string. +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. type: keyword -example: tls +example: SHA256-RSA -- -[float] -=== tracing - -Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. - - -*`tracing.trace.id`*:: +*`tls.client.x509.subject.common_name`*:: + -- -Unique identifier of the trace. -A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. +List of common names (CN) of subject. type: keyword -example: 4bf92f3577b34da6a3ce929d0e0e4736 +example: shared.global.example.net -- -*`tracing.transaction.id`*:: +*`tls.client.x509.subject.country`*:: + -- -Unique identifier of the transaction. -A transaction is the highest level of work measured within a service, such as a request to a server. +List of country (C) code type: keyword -example: 00f067aa0ba902b7 +example: US -- -[float] -=== url +*`tls.client.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. -URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. +type: keyword +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net -*`url.domain`*:: +-- + +*`tls.client.x509.subject.locality`*:: + -- -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. +List of locality names (L) type: keyword -example: www.elastic.co +example: San Francisco -- -*`url.extension`*:: +*`tls.client.x509.subject.organization`*:: + -- -The field contains the file extension from the original request url. -The file extension is only set if it exists, as not every url has a file extension. -The leading period must not be included. For example, the value must be "png", not ".png". +List of organizations (O) of subject. type: keyword -example: png +example: Example, Inc. -- -*`url.fragment`*:: +*`tls.client.x509.subject.organizational_unit`*:: + -- -Portion of the url after the `#`, such as "top". -The `#` is not part of the fragment. +List of organizational units (OU) of subject. type: keyword -- -*`url.full`*:: +*`tls.client.x509.subject.state_or_province`*:: + -- -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. +List of state or province names (ST, S, or P) type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top +example: California -- -*`url.full.text`*:: +*`tls.client.x509.version_number`*:: + -- -type: text +Version of x509 format. + +type: keyword + +example: 3 -- -*`url.original`*:: +*`tls.curve`*:: + -- -Unmodified original url as seen in the event source. -Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. -This field is meant to represent the URL as it was observed, complete or not. +String indicating the curve used for the given cipher, when applicable. type: keyword -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch +example: secp256r1 -- -*`url.original.text`*:: +*`tls.established`*:: + -- -type: text +Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. + +type: boolean -- -*`url.password`*:: +*`tls.next_protocol`*:: + -- -Password of the request. +String indicating the protocol being tunneled. Per the values in the IANA registry (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. type: keyword +example: http/1.1 + -- -*`url.path`*:: +*`tls.resumed`*:: + -- -Path of the request, such as "/search". +Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. -type: keyword +type: boolean -- -*`url.port`*:: +*`tls.server.certificate`*:: + -- -Port of the request, such as 443. - -type: long +PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. -example: 443 +type: keyword -format: string +example: MII... -- -*`url.query`*:: +*`tls.server.certificate_chain`*:: ++ +-- +Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. + +type: keyword + +example: ['MII...', 'MII...'] + +-- + +*`tls.server.hash.md5`*:: ++ +-- +Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC + +-- + +*`tls.server.hash.sha1`*:: ++ +-- +Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 9E393D93138888D288266C2D915214D1D1CCEB2A + +-- + +*`tls.server.hash.sha256`*:: ++ +-- +Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. + +type: keyword + +example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 + +-- + +*`tls.server.issuer`*:: ++ +-- +Subject of the issuer of the x.509 certificate presented by the server. + +type: keyword + +example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.ja3s`*:: ++ +-- +A hash that identifies servers based on how they perform an SSL/TLS handshake. + +type: keyword + +example: 394441ab65754e2207b1e1b457b3641d + +-- + +*`tls.server.not_after`*:: ++ +-- +Timestamp indicating when server certificate is no longer considered valid. + +type: date + +example: 2021-01-01T00:00:00.000Z + +-- + +*`tls.server.not_before`*:: ++ +-- +Timestamp indicating when server certificate is first considered valid. + +type: date + +example: 1970-01-01T00:00:00.000Z + +-- + +*`tls.server.subject`*:: ++ +-- +Subject of the x.509 certificate presented by the server. + +type: keyword + +example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com + +-- + +*`tls.server.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`tls.server.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`tls.server.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`tls.server.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`tls.server.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`tls.server.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`tls.server.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`tls.server.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`tls.server.x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`tls.server.x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`tls.server.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`tls.server.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`tls.server.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`tls.server.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`tls.server.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`tls.server.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`tls.server.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`tls.server.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`tls.server.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`tls.server.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`tls.version`*:: ++ +-- +Numeric part of the version parsed from the original string. + +type: keyword + +example: 1.2 + +-- + +*`tls.version_protocol`*:: ++ +-- +Normalized lowercase protocol name parsed from original string. + +type: keyword + +example: tls + +-- + +[float] +=== tracing + +Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services. + + +*`tracing.span.id`*:: ++ +-- +Unique identifier of the span within the scope of its trace. +A span represents an operation within a transaction, such as a request to another service, or a database query. + +type: keyword + +example: 3ff9a8981b7ccd5a + +-- + +*`tracing.trace.id`*:: ++ +-- +Unique identifier of the trace. +A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services. + +type: keyword + +example: 4bf92f3577b34da6a3ce929d0e0e4736 + +-- + +*`tracing.transaction.id`*:: ++ +-- +Unique identifier of the transaction within the scope of its trace. +A transaction is the highest level of work measured within a service, such as a request to a server. + +type: keyword + +example: 00f067aa0ba902b7 + +-- + +[float] +=== url + +URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. + + +*`url.domain`*:: ++ +-- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + +type: keyword + +example: www.elastic.co + +-- + +*`url.extension`*:: ++ +-- +The field contains the file extension from the original request url. +The file extension is only set if it exists, as not every url has a file extension. +The leading period must not be included. For example, the value must be "png", not ".png". + +type: keyword + +example: png + +-- + +*`url.fragment`*:: ++ +-- +Portion of the url after the `#`, such as "top". +The `#` is not part of the fragment. + +type: keyword + +-- + +*`url.full`*:: ++ +-- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top + +-- + +*`url.full.text`*:: ++ +-- +type: text + +-- + +*`url.original`*:: ++ +-- +Unmodified original url as seen in the event source. +Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. +This field is meant to represent the URL as it was observed, complete or not. + +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + +-- + +*`url.original.text`*:: ++ +-- +type: text + +-- + +*`url.password`*:: ++ +-- +Password of the request. + +type: keyword + +-- + +*`url.path`*:: ++ +-- +Path of the request, such as "/search". + +type: keyword + +-- + +*`url.port`*:: ++ +-- +Port of the request, such as 443. + +type: long + +example: 443 + +format: string + +-- + +*`url.query`*:: + -- The query field describes the query string of the request, such as "q=elasticsearch". @@ -6570,12 +7675,12 @@ type: keyword + -- The highest registered url domain, stripped of the subdomain. -For example, the registered domain for "foo.google.com" is "google.com". +For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". type: keyword -example: google.com +example: example.com -- @@ -6594,7 +7699,7 @@ example: https *`url.top_level_domain`*:: + -- -The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for google.com is "com". +The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". type: keyword @@ -6697,7 +7802,7 @@ type: keyword *`user.id`*:: + -- -Unique identifiers of the user. +Unique identifier of the user. type: keyword @@ -6721,6 +7826,17 @@ type: text -- +*`user.roles`*:: ++ +-- +Array of user roles at the time of the event. + +type: keyword + +example: ["kibana_admin", "reporting_user"] + +-- + [float] === user_agent @@ -7049,6 +8165,276 @@ example: Critical -- +[float] +=== x509 + +This implements the common core fields for x509 certificates. This information is likely logged with TLS sessions, digital signatures found in executable binaries, S/MIME information in email bodies, or analysis of files on disk. When only a single certificate is logged in an event, it should be nested under `file`. When hashes of the DER-encoded certificate are available, the `hash` data set should be populated as well (e.g. `file.hash.sha256`). For events that contain certificate information for both sides of the connection, the x509 object could be nested under the respective side of the connection information (e.g. `tls.server.x509`). + + +*`x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + +*`x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA + +-- + +*`x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: Example Inc + +-- + +*`x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.example.com + +-- + +*`x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39+00:00 + +-- + +*`x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25+00:00 + +-- + +*`x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`x509.public_key_curve`*:: ++ +-- +The curve used by the elliptic curve public key algorithm. This is algorithm specific. + +type: keyword + +example: nistp521 + +-- + +*`x509.public_key_exponent`*:: ++ +-- +Exponent used to derive the public key. This is algorithm specific. + +type: long + +example: 65537 + +Field is not indexed. + +-- + +*`x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. We recommend using names found in Go Lang Crypto library. See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353. + +type: keyword + +example: SHA256-RSA + +-- + +*`x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: shared.global.example.net + +-- + +*`x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net + +-- + +*`x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Example, Inc. + +-- + +*`x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + [[exported-fields-functionbeat]] == Functionbeat fields diff --git a/x-pack/functionbeat/docs/index.asciidoc b/x-pack/functionbeat/docs/index.asciidoc index a26eca95a12..2fc5cdc9853 100644 --- a/x-pack/functionbeat/docs/index.asciidoc +++ b/x-pack/functionbeat/docs/index.asciidoc @@ -58,4 +58,4 @@ include::./troubleshooting.asciidoc[] include::./faq.asciidoc[] -include::{libbeat-dir}/shared/redirects.asciidoc[] + diff --git a/x-pack/functionbeat/functionbeat.reference.yml b/x-pack/functionbeat/functionbeat.reference.yml index 0eaca6d83e0..a55fcc56e23 100644 --- a/x-pack/functionbeat/functionbeat.reference.yml +++ b/x-pack/functionbeat/functionbeat.reference.yml @@ -196,7 +196,7 @@ functionbeat.provider.aws.functions: # List of Kinesis streams. triggers: # Arn for the Kinesis stream. - - event_source_arn: arn:aws:sqs:us-east-1:xxxxx:myevents + - event_source_arn: arn:aws:kinesis:us-east-1:xxxxx:myevents # batch_size is the number of events read in a batch. # Default is 10. @@ -206,6 +206,10 @@ functionbeat.provider.aws.functions: # Default is trim_horizon. #starting_position: "trim_horizon" + # parallelization_factor is the number of batches to process from each shard concurrently. + # Default is 1. + #parallelization_factor: 1 + # Set to true to publish fields with null values in events. #keep_null: false @@ -263,7 +267,7 @@ functionbeat.provider.aws.functions: # List of Kinesis streams. triggers: # Arn for the Kinesis stream. - - event_source_arn: arn:aws:sqs:us-east-1:xxxxx:myevents + - event_source_arn: arn:aws:kinesis:us-east-1:xxxxx:myevents # batch_size is the number of events read in a batch. # Default is 10. @@ -273,6 +277,10 @@ functionbeat.provider.aws.functions: # Default is trim_horizon. #starting_position: "trim_horizon" + # parallelization_factor is the number of batches to process from each shard concurrently. + # Default is 1. + #parallelization_factor: 1 + # Set to true to publish fields with null values in events. #keep_null: false @@ -754,10 +762,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 @@ -870,20 +886,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -893,7 +916,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -1028,6 +1051,11 @@ output.elasticsearch: # Set to false to disable template loading. #setup.template.enabled: true +# Select the kind of index template. From Elasticsearch 7.8, it is possible to +# use component templates. Available options: legacy, component, index. +# By default functionbeat uses the legacy index templates. +#setup.template.type: legacy + # Template name. By default the template name is "functionbeat-%{[agent.version]}" # The template name and pattern has to be set in case the Elasticsearch index pattern is modified. #setup.template.name: "functionbeat-%{[agent.version]}" @@ -1131,20 +1159,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1163,6 +1202,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog @@ -1313,17 +1363,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1346,6 +1403,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/x-pack/functionbeat/functionbeat.yml b/x-pack/functionbeat/functionbeat.yml index ed637679c85..21109c351bc 100644 --- a/x-pack/functionbeat/functionbeat.yml +++ b/x-pack/functionbeat/functionbeat.yml @@ -170,7 +170,7 @@ functionbeat.provider.aws.functions: # List of Kinesis streams. triggers: # Arn for the Kinesis stream. - - event_source_arn: arn:aws:sqs:us-east-1:xxxxx:myevents + - event_source_arn: arn:aws:kinesis:us-east-1:xxxxx:myevents # batch_size is the number of events read in a batch. # Default is 10. @@ -180,6 +180,10 @@ functionbeat.provider.aws.functions: # Default is trim_horizon. #starting_position: "trim_horizon" + # parallelization_factor is the number of batches to process from each shard concurrently. + # Default is 1. + #parallelization_factor: 1 + # Create a function that accepts Cloudwatch logs from Kinesis streams. - name: cloudwatch-logs-kinesis enabled: false @@ -233,7 +237,7 @@ functionbeat.provider.aws.functions: # List of Kinesis streams. triggers: # Arn for the Kinesis stream. - - event_source_arn: arn:aws:sqs:us-east-1:xxxxx:myevents + - event_source_arn: arn:aws:kinesis:us-east-1:xxxxx:myevents # batch_size is the number of events read in a batch. # Default is 10. @@ -243,6 +247,10 @@ functionbeat.provider.aws.functions: # Default is trim_horizon. #starting_position: "trim_horizon" + # parallelization_factor is the number of batches to process from each shard concurrently. + # Default is 1. + #parallelization_factor: 1 + # Configure functions to run on Google Cloud Platform, currently we assume that the credentials # are present in the environment to correctly create the function when using the CLI. # diff --git a/x-pack/functionbeat/include/fields.go b/x-pack/functionbeat/include/fields.go index 152797a9721..1424767ae21 100644 --- a/x-pack/functionbeat/include/fields.go +++ b/x-pack/functionbeat/include/fields.go @@ -19,5 +19,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "eJzsvXtTHLmSOPr/fApdNuKHOdsUD4ONuXcjfgwwM8TamDH4zJ5Zb9DqKnW3DlVSjaQC92zsd7+hTEmlegCNTfkxy5zdGbq7SkqlUql857+Q3w7enZ6c/vz/kCNJhDSEZdwQM+eaTHnOSMYVS02+GBFuyA3VZMYEU9SwjEwWxMwZOT48J6WS/2SpGf3wL2RCNcuIFPD9NVOaS0G2kt1kM/nhX8hZzqhm5JprbsjcmFLvb2zMuJlXkySVxQbLqTY83WCpJkYSXc1mTBuSzqmYMfjKDjvlLM908sMP6+SKLfYJS/UPhBhucrZvH/iBkIzpVPHScCngK/KTe4e4t/d/IGSdCFqwfbL6fw0vmDa0KFd/IISQnF2zfJ+kUjH4rNgfFVcs2ydGVfiVWZRsn2TU4MfGfKtH1LANOya5mTMBaGLXTBgiFZ9xYdGX/ADvEXJhcc01PJSF99hHo2hq0TxVsqhHGNmJeUrzfEEUKxXTTBguZjCRG7GernfDtKxUysL8J9PoBfyNzKkmQnpocxLQM0LSuKZ5xQDoAEwpyyq307hh3WRTrrSB91tgKZYyfl1DVfKS5VzUcL1zOMf9IlOpCM1zHEEnuE/sIy1Ku+mr25tbL9Y3d9e3n19s7u1v7u4/30n2dp//vhptc04nLNe9G4y7KSeWiuEL/PMSv79iixupsp6NPqy0kYV9YANxUlKudFjDIRVkwkhlj4SRhGYZKZihhIupVAW1g9jv3ZrI+VxWeQbHMJXCUC6IYNpuHYID5Gv/Ochz3ANNqGJEG2kRRbWHNABw7BE0zmR6xdSYUJGR8dWeHjt0dDD53yu0LHOeAnQr+2RlKuX6hKqVEVlh4tp+UyqZVSn8/j8xggumNZ2xOzBs2EfTg8afpCK5nDlEAD24sdzuO3TgT/ZJ9/OIyNLwgv8Z6M7SyTVnN/ZMcEEoPG2/YCpgxU6njapSU1m85XKmyQ03c1kZQkVN9g0YRkSaOVOOfZAUtzaVIqWGiYjyjbRAFISSeVVQsa4YzegkZ0RXRUHVgsjoxMXHsKhyw8s8rF0T9pFre+TnbFFPWEy4YBnhwkgiRXi6vZG/sDyX5Dep8izaIkNnd52AmNL5TEjFLulEXrN9srW5vdPduddcG7se954OpG7ojDCazv0qmzT2nzEJIV1tr/xXTEp0xgRSimPrB+GLmZJVuU+2e+joYs7wzbBL7hg55koJndhNRjY4NTf29FgGauwFN3VbQcXC4pzaU5jn9tyNSMYM/iEVkRPN1LXdHiRXaclsLu1OSUUMvWKaFIzqSrHCPuCGDY+1T6cmXKR5lTHyI6OWD8BaNSnogtBcS6IqYd928yqdwI0GC03+5pbqhtRzyyQnrObHQNkWfspz7WkPkaQqIew5kYggC1u0PuWGvJkzFXPvOS1LZinQLhZOalgqcHaLAOGocSqlEdLYPfeL3ScnOF1qJQE5xUXDubUHcVTDl1hSIE4SmTBqkuj8Hpy9AZnE3ZzNBbkdp2W5YZfCU5aQmjZi7ptJ5lEHbBcEDcKnSC1cE3u/EjNXsprNyR8Vq+z4eqENKzTJ+RUj/06nV3RE3rGMI32USqZMay5mflPc47pK55ZLv5YzbaieE1wHOQd0O5ThQQQiRxQGcaU+Haycs4Ipml9yz3XceWYfDRNZzYs6p/rWc90+S8d+DsIze0SmnCkkH64dIp/xKXAgYFN6LdC1F2rsVaYKEA+8BEdTJbW9/bWhyp6nSWXIGLebZ2PYD7sTDhkR09ijO9Pdzc1pAxHt5Qd29llLfy/4H1a+efi6w31rSRQJG967gYt9wgiQMc9uXV7WWJ799xALdGILnK+YI3R2UBOKTyE7xCtoxq8ZyC1UuNfwaffznOXltMrtIbKH2q0wDGxuJPnJHWjChTZUpE6OafEjbScGpmSJxF2npL5OWUkVnOIwNtdEMJahAnIz5+m8O1U42aks7GRWvo7WfTK1kq/nPLBUZEn+Kzk1TJCcTQ1hRWkW3a2cStnYRbtRQ+zixaK8Y/s8t7MTEG3oQhOa39j/BNxaWVDPPWnitjpxHN+1t3lSo0YEnh2wWj+LJO6mmLD6EbjC+LSx8fWOtQmgsfkFTedWJ+iiOB7H49lpmwOg+u9Oj20iuwXTi2Qz2VxX6XYsxuiGDFMZKWQhK03O4Uq4R545EITWr+AtQp4dnK/hwXTSiQMslUIw0BhPhGFKMEPOlDQylbmD9NnJ2RpRsgJ9sVRsyj8yTSqRMbzIrbCkZG4Hs9xNKlJIxYhg5kaqKyJLq0dKZQUer+SxOc2n9gVK7H2XM0KzgguujT2Z1164smNlskBJjBri9FZcRFFIMSJpzqjKFwH7UxByA7Qy5+kCBMs5s6IvLDBZ+sIUVTEJAs1dV2Uuw63d2Ap3JeA4VhGVKQhXDqLONjl5I3wdCN7tohvo2cH56RqpYPB8Ud84GoXngHo8EyeNdUekt7W79eJVY8FSzajgfwJ7TLrXyOeICaCmXMZYjlid1+9IV+UjIGOpQu+TKc11fSNkbEqr3OCQzR8be/A2WhPM18HDz1JaGnz9+jA6g2nOW7rEYf3NHcrEgXvTHjZPj1Q7AuSG27OApO+3yR1BC95UempzSoJiM6oyEB6tbCiFHkXPo+A44Whu49Jqn9Nc3hDFUqtXNVTXi8MzNyreTDWYHdjsF/bxCDI4gJqJoDLYZ87/cUpKml4x80yvJTALarulYyGdqdCsZEW7xqRe11FgM2PawuGkcY8lo6jQFIBJyLksWJCPK416hmGqICveVibVSq1ZKzb13MqBIloL1Hj03M9OD8SdnbCgB4EeGCHAHUsLlpj5ba6niOFHjdYRkZ/A3l6VrixC3Ki1AsaFBe+flcANAH0MNSxvyewZrMavkKYzpBWscL/W4UR7E1IwPOF4G36eYCqEw4OiGs0yollBheEp8H720Tipjn1EeX2EQpTnCDrIdkaSa26Xy/9ktXJtF8oUKNyam4q67TiZkoWsVJhjSvPcE5+/ESw3nUm1GNlHvVCiDc9zwoRVLx3don3SCi4Z08aSh0WpRdiU53lgaLQslSwVp4bliwcoVjTLFNN6KJ0KqB21aEdbbkIn/wQ2U0z4rJKVzhdIzfBOYJg3Fi1aFgzssiTnGuxWJ2cjQv09KxWh9mL5SLS0dJIQ8o8as05MA8Nhza/njCh642HydD9O3BdjRFlTyhRWCa+FyKxC2yFejeOEl2MLyjhBsMYjkrGSicyJ+SijS1EDASq927Faikr+113gVCdPd3gE1WRhmL5HtI/2Hi08zdcagPxof0DrTvCwuDPpSAJZZ3er9nYagCFhD6B0OB6O4yeNOWdMJik3i8uBDASHVmbv3Z03VkdgNO+CI4XhggkzFEynkbEiTNaB71QqMycHBVM8pT1AVsKoxSXX8jKV2SCowynIyflbYqfoQHh4cCtYQ+2mA6l3Qw+poFkXU8Ae71emZ0xelpKHu6npHJBixk2V4X2dUwMfOhCs/jdZycHVtP7yefJia2fv+eaIrOTUrOyTnd1kd3P31dYe+Z/VDpCPyxNbNkDN1Lq/j6OfUOL36BkRZwNBKUxOyUxRUeVUcbOIL9YFSe0FD2JndIEe+nszWJiQwrlCiSpl9sZwwvc0l1K5i2cEFpU5r0Xb+oZC8HJSzhea2z+8hyP1x1pHIJxKE7lxwX/D0e5QwAU5Y9KvtmuHmUhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzCmoji5T0whAeaxHlyFoQ0zxHhsogpC42x3pDjXYsnZ9c79ouTs+sXtfDZkrcKmg6AmzcHh7dBTRo2b5O08dJ7rG/BzYVVL1FLOjmzEzmdAQNTTg8uggJOnrFkljhrEs1jQwFBbdMbmhqujXBWIp3TKrVgfhQzkkuakQnNqUjh6E65YjdW5QEdX8nKnugWxu2iS6nMwwRcL+Roo3i/1Btjw47/veADddsHyHuNVZ/h258k3W034ejsyTJC5+37ceb24Dbit9xJG6ZYdtknVz7e9WaVmzmfzZk20aQeRzj3CBZSlizzIOtq4sXRsP8/1T4evKai4ZwuOpUKwkiSGcj2SSqLFcI1WYk+t11PGE7jXEoZM0wVcBWXiqVcW10L7CgUtV9wxEIYUTXJeUp0NZ3yj2FEeObZ3Jhyf2MDH8EnrI61lpALtbCUaiQaDj5ye/Xh9TpZEM2LMl8QQ6/qXUVtOafagF8DY2lQMRfSEFD6bliew9ovXh/Vzt+VVCbV1Ur3Lq2R0SAJI8tL2P4vQBFsOrUH+JrZWZ1M4/bwGbt4fbQ2Qm/OlZA3wlvJGmARh/qRN0cCikpak70bD67ILvG05w3DWjzWGALq+b7JBkjmNoqpN2I52oHvG2RTaaaSYSkm1sjQcC0VmoPt5OijKhiYSeT0No5BBXl9dHAGoRC44qMwVEwqq93VsYLyfKDFWfGfwAReZkm6AEyrPO+RJL9Lw4xd8KomdkkwHSgY9JrynE7yrjB7kE+YMuSYC22YI7EGbsDO+tUIEGYfngJxkYPF4HTjUKYu5grX513lYJHcKHNqrATSQ6gI54DqcrwTOFkXiDnV88G0dcQU8B07j+XJqVSKWdG3EfA1RcM4MChBqJBiEYePohAXkcp7zVwwyxhWwTM0aMMHu7pxCDJMpZjiXtG8MScVmb2SakcO8VHBfUQ1SExTh5SCDgZzdqF4PAX5q7G087mVttGqAsGFXHQXHfE0Cjyt4TmWFS4vOI79F7f7jTHRgCDpBf8CDEXAGTpVNAQf12GV6ADCmCSvTkBkErk1jHJK3jCjeIrhTToOn6KCHB9uY/CUpb4pM+mcaTAqRaMTbrSLXK2BtJTbDLhuRM5yHcJymiC4cVUlXEisYoU0IYiHyMponrFopjZkCBMlLmbTL8gTmKhfdQaxZmw4DloPBMGpbnKv8tlhua5BdQh7iIswBXPtcFx/9aJGEM4FQbmx44RnIdDanegFyfh0ylSssIPZj0N4sb0H7TFcN0xQYQgT11xJUTRtRjVtHfx2Hibn2cg7ZYD+ydt3P5OTDEOhIUigajOXroD64sWLly9f7u3tvXrV8nOhiMFzbhaXf9aewMfG6kE0D7HzWKyg+xFoGo5KfYg6zKHS64xqs77VsuC5+LXhyOHExy2eHHnuBbD6Q9gGlK9vbT/f2X3xcu/VJp2kGZtu9kM8oDgQYI4jTLtQR/ZG+LIbKPloEL3xfCCKmbwTjWY7KVjGq6YyXip5zbOlHNGf7eOCs+YnTPzhjPN+6I0eEfpnpdiIzNJyFA6yVCTjM25oLlNGRfemu9GNZaFRfKBFOZv4Jx63+DqWGbvUfCaovTob97LMGDlv/HL7BX0xZ5q1E0Qa4hrcdBMuqFrApCRMqpcPOcTg8HtEqImUOaOiD20/4k8gydIShAWOcZYOFos+F9XT9akZVbHVMOwt8pIHVRtqqsGCXg6yjLuQti6WgdKZstdGakV1BKUnDr1COdyliczstZ2qRWnkTNFyzlPClJIK87g6o17TnGexR86qUarSxs9HXjN6zUgloqgtPIb+1foVfz7r8cOwN1STSqRzll6xnhj/43fv3r67fH968e79+cXx0eW7t28vlt6jCjMSB3JcnePwDYYdSD/wuzoMgKdKajk15FCqUjbC8O9dCqCRLXNf3nE8Vs+NVAzl03gre7aHpPOmyfrvdk8pRPrVr9/2HqRhYeKdD20ageRq+VitNYIo6uKgpMgXzRysyYIYKXONUWwUzAyQFcPSK5RNkQ47JPOwgwzE+pl47ec7aGKBK6XJga6ZsiJfRujMCuGRNjdnNQ8Vpilp9h432kD+PWdpGcTUFwcweUfG4c6Iv7wjDjg82Iz1dFGYnXzeKMOwZKldjQMyQIFE4Ozjzhsnp/EgUXJ4dFfNWV5GVg1QdNCLF4bWToUSC3uzGh7MVsvcWEMaHurF86wp/PGCzgYVRmOhCiYLIUQIkCW0ScVzY/XAHtAMnQ0EWU1ZDi46a5mZo5T1u6ePUtfvSF5vi+kwq8sDb8w74HbUi66jJIIcijQ7lCCKo5OCCjpD5s91TQgdIQpT5iM+EoUcx5zkqPX1HbwkevTu0HRkuNHTEHaEbvGNZuZ4z5hRNPp9cejIflwc+rcYKN2I814qWjrcMq7axCNFS4dhIWr6KVr6KVr6f3e0dHwwfVCNKy3T3q8vFTIds8KnuOmnuOnHAekpbnp5nD3FTT/FTX9PcdPRJfa9BU83QCfDRFDz0s4W3/T3hA2zRrxwqfg1NYwcvfl9rS9iGE4N6CHfVNA0ROlGxhm3UjDZ1LgxkkwWgIkjBiWGHn+FQ4RBP0Bs+3Kx0LfS8tcOiM46EuVTVPRTVPRTVPRTVPRTVPRTVHSb4J6iop+iop+iop+ior9llvbZUdFZjteL9369fg0f7y7Lu0zEFcSb5HyiqOJMk2whaIFqlEe5pJmvfOyKrIJJxv38hoqFq1IXF2l1JaMkWdFzCkmOjXlWXIFcHz6Lhh4fSzepQjV8CPBgBseDWvQ0zz3qpjLP5Q0Xs30Pzd/IES5gPefiys23IM/GSZbn4zVX+M6riFKQ37jI5I2u3z9HcN9iZM6zcaJl33vvBf+4DjJbZ+0dWBpgLHI+6RuwoOnb8+Vdgc2wvOQ7intrQf4UBvfth8G1t+yvExXXWtlTkNxQQXItRD/FzN2CJysxJkW2OxBDfHO0i1M8CB49p1sDAXT+y8HWp0G0vftiOJi2d198GlS7zn47CFS7W9sPg2ogDt3Qdp1w074261KaBS21N3rHPB1aHUlBMq6vusfmiinB8ufbiZd8l1huSc1Qat1PVZ4jxHaSztpbwB/uf3CC5QesOf18+8MnLQgsjCUVi4GWdRLKzuA0nQ0a+WSYjEBrjqLkOVuHGNdHvYhLlkSADb3alov8ExZ7RuM4gvsXZ4e/7K2V/viru24WTn/gyl4kz5NXLzY3k62XO1u7D1ii7+BzCWsdNNHNLfRziPX87ODk9CI5/o/jByzRNdAZel1ums9Z30o4jR8+Hhx7NRf+fhsUVuRNK3cjIFggRKOs/tHp+X0WiJ8asbZ2wqPTc/JHxcDSYAVVKvQNi1p32d9dYrYTWBmHZNdQSrmuee/HWpBScQm2hhkzWEkah3WDPhtnQkOa4z48P15zTXQWfpJ4dLA6+1LMaC6r2xm5EXHaEDqs0VlCdWybcDCgWH3DFKv3Di2nXOM4XSjx1fHaQyKDGyt+9Jj11QNBqFJ04ZGBWHbvo5uIpnMHBtGu6rliplIiMmj6ZniuDFgkMTAC1u0rtnAoq+N1/d7gFmjm+7I1wpEnC3J8eF63zXiHJdxxrLmV4aGtQmwEKOrl4I9+ckFu7FvHh+du+HYEkt1mS34Q9YR+fOxaAr80Q8rtc57MyYEhBRe8qIqR+7K2CrhFFVbjiztoje0sYwscpP53lsF17RsZWWErDEntaCkIK9z4No5Uk1JqzSfob8igIrm9+WltKnFGQx933A8o1STFjjaNOPYWRSZpTgeLWMecfYrROWFDfG5BhhTDofERxpRgYf8Oszw57QU9qtswiIsboI24I0YstDpFusPBKBZN8HF0+GrJRKa97wWyrIFheZTEA/q1dwTtrc3E/18vFoaMW7xoOuEtxUXpyi3QSYll7nWzcRB1xhA5JYenB2+O7YGYMIss+35+zbJRzJxWVzUZo7OkZjEmyl+QwjdekkoxXUqL4mDZiwaBc5mQk8CrhDTe094e0zc3HEN7Bh8sP7Y3D4PGpJ1tubm5SW4Jw/A7Y8wyLufbApUs7iEzB2LIrsFCajk3rBcQ0LsJ3uZE03nM2NkU+FIjz4LrlKqMZQn5nSnpc+gLsNnMXSgqstAaf5MaaThFT1x7P50OWMfgYl7XMPhEFgOk2bQYMJoxdTnNfXPIIczfcGfLKdkmOTOGKeCSODOBmRuFSEpsZVQXO9gnBwcjcnE4Iu+ORuTdwYgcHI3I4dGIHL3tkKz7uE7eHdV/NuPHB3NP2x2yS8PYvdhNTTWYjeuWt0rOFC2QAkOb3oAE+wiIZZhcEw0EWWslr/NxkDnoHg1qe2trq7FuWfbEFT/64p0nSgo0l6MYhemwzhx9xQUE0KEA25BpSWhpGkcvQS9G43FXN4fBwHIcBmVkwAw4CeMxb8XRr++P3/2jgaPAGb+YxODa/LjbAvWSe4WDBgMf8l6EC7EFWnzvBXNaqyCTkGK9VFwY6NeXzim0tFaaPJuwXN6Q59uQeGchIFvbL9ZGEe1L3Xij5uVBQ8J2TEyntLRnimpGtjbhCpnBHB+Ojo7WajH8R5peEZ1TPXca3x+VhKSmMLIbKiEXdKJHJKVKcTpjTnfQKKPmPEq/mzKWxSOkUlwz5YKDP5gR+aDwrQ8C6I85n8aD7tiwzV89FvYp/vWbiX8NRBGQPyQxhElAxastC26BdQvBDol2GYUbaA4qoUusAKCBEYaZRjVqdDXZtuvcShxWgDRGDZzXEDacjF57rcdYGSGJCEmMojyH7oJMcdkv+PYj/Sn6GNnfU/Txg6KPa/r5MgqC05PuFioODg6akrHXVS8/J4fooGOiy3NycmZlOAa1wMaxaWPcsjH4H8fe1Odoh0+nPK1ysCBVmo3IhKW00sEyfU0VZ2bhlaOYUAtqtFUK7VAOrIQcfzTKt/wD+KIKAx5Qg+3PJQGraISccS2uQst3boI5C3slZOyjfbuwVBIPjSIBvgS/M6o5hKiFEevmeiipWOF2Krt1FYN20zadNL/bam8wSMJfQhHwc/WnGp6+hVigBnQDno3V+HAEA78P2chGDtFWJgX6a15e0MOwLtcTOQgglGXGr5mG7oWRa6HRzhAeSxWLQ6UyocMoU4St7SNYFooaAG/wd+6ABhCt+aGNOWChZMqt/5ks0fqaL+wQWspwrzhtDU/HWkIORAb1WlMpasXVYbV59m93VHh7vtXjHE/o8NJg+A3V9dKGC+j48D4X0Btm6HpsrPbVmZw1evnCfve1mVbsj4orlkGhs0eIcDg+PA9+VLjHAn7tYjQxMiFjlurEPTTGCH8PRs0EQTAC1lNpg/UJIdo777QPJeS3ORO4Z7CB2LU/yGtcZDxlmqyvOyOpc2BYgCw+dc5nc5P3FaWNVgPvR8G1ObMs2upvyrUppdk/Lag+TTGds4K28E8873dL6BqVk81kM6YcpWSjENhx+GLpEGZoQ++dQS7iEsh3AXaNgMf32NC2QPkBn3NuoLJkUNAlZ1gC2aLZMwIIwk+pvYVu8PYJdgzce240y6e1ok0Fjv4AN91AyeWATDT6tNwJCOCdNrhhYvpDekgPBM7QdA8YUfB9z2K9saoxsDY0vbq00sVfIQ3qAoMvU2jenLLg+wGMWmItc/ARso+tfkZfSNANuzvCk+ZK5ZpgYovDF9jHlJV1pnHEKv5Jr2mSUzFLTqs8P5Pgjjj2j8c85LrVUfz4eomG4qGRb28hQd8duT84PJdeXcGag4qnDV4QWM6BfbTVstyyh/ad7G9iaAhWMDPHcxp4U60pvJaBM8HFwUWaV66OO3htqAmuMtC0xKweI9QUtxPVi3Dj+aGoT+ewVKaML2LvStPXDdadTR0VmpDW7sb0/m/Q/eLE7RGW9+rp0j5h5saK+TS0Y3byjLoObmaczDU4Z1DDP82ltms78DtxP7qxlIQ/x1JBbS0otpOTglFdKVZgFwAImu7DbPQYBPoaesUCDcdojsmjxnHBCgkRKkxDP203XFZj2rXVvuaBZxlWgCG/Uiwh5wz3fIzl5+xFN8Zlc+MKPANT0HUL/MiTH45wHJHgILXzamP19MYlvlw1/iWq7XyyroCjBwXBOx+a9feclSPUk8FCk3FYhIjeIidQ+hNIoBZB51R4vPpO6OPadB021zKMMSBknWbZeETG7tysw7lh8NWU52wdxfxsjL4j70Fp3AYg30dBK1gfs8yBwvpq+FeaqfWSam2RuY5hSU2ZwoE+zHZgAgwcpCmZWjXIypKHOKcvkoaBXqhhg5RKDe5IbQsDZcUZtNzW2IE88GTOmaIqncdxxO29qcU/3O6VCZ+RSQX1NlYsfNGInOmmUS2SyHPDlON2rSn23c6OycJdFkFMx94izsrlHgtjQtoENwvnO0PJmmvkWfki7kviZrSbMnad/l2KkWVj9YhEVxMPVpvqw/hejXPzgg2N5rm8sRBa3TJtbpS7d9ySIlMcNVYOga0J+kaEya5qWJm5FfWiulu3y7iPZ0o4cfJlGrk5QzQdLApyxUG/hoy4CHNRdUsfslVpFi6NjOlGZw8nYGpSiajU5YgoNqMqy+PdB+4PTxMrx1T2D6mIXR7ocaBP4UUjr5mCW8Zq8UFk8pIdj7eE+aBNlHPIyVF3G3Ze7Ow1kY8c6B5ekNXGiCZ+3WnAQTrtaNgG3I83VksNvBVuxSlXUUKNYhR4m6XOGeyJVPYzWFFKXrIcej/cQtMZtzJE6orn/F+oH2poUSLboCb+ysRtUE1sJQ+3OUNro5X3fDGeEI3TvlJOBCnslay5qVAZHrmQQ3MjSZjWHbQJ61G5kfX7j2kczSJ8pjVmLOUpJBS5Sjw5hNWgYBRbm1yEgou3RBKvmUQstsC2wKuAdNyTkLGbEW4cl2hBUkjBjazj++ohVldBLfY7Zj/6Xi5GkivGSlKV6EaAl+LD1cSqVasR0iYe7dWKJy6l+Sje2dq9G+Wmx1lV25tbL9Y3d9e3n19s7u1v7u4/30n2dl/+3oxCzKihmt1XQenzKz7gNK3ANNHACLpWwBFeYClbKjDYzOlTVoWQyl83WN+Lpo17JpezkdP/cjlbG8WTh1vESCfjLOratdF5TWURld/Ddlc12LDpiqWyKIBnQy62kCZYtmB4K/c05gZVLwTJFTKr8pr0sYYHJmuj1ENJJrH9legM03PZlDSdsyTCRdjeSi1T+LGnQlbrTS7Kylz6HwUV0kXCef2vMvEDVL/hec57n0EHG9DIVi/hHLmpGzY0Ap7AMG2TkpBPIdbtmcfPzKpNijkfpKmdfo24xj5e5BkNzC4yrwrYPeWd6iJMLBO0dduVUoPauU3aFwnSm704/fderAqA27sGfIZyAupiq6r9gGU9fqF6Tp6VTM1pqe3h08Z+M+VixhSE26yB84/euJvMSLsBFP1Ske2nkEIbZZcPJgMwvFrJsU30dT+pvr8Ofjw8+mJWvZMju5pQMj1Sxlow79Gd6e7mZtaETMxYN6l6eZnkItwJQBeBq1Kl+LWPwGRQfFTR3AWUGqk6EgbIFr7eBAgD4/rCiWXxFl16cSFfEJmmlVIsSxynrG/iXMvO6A1pKp6gYBR7ovu8ZUzwsfd1VImfBAGKaHrTqwOfCKdU2tOFSr9Vw7SuCisxCEns2kDbGQVJwd293jU1V1LIXM4aRT/sVSOvfFgA1/sNXJH/r724+hu/3eOl7uzdZGtz6/els6OveJsZfWN6rg/g+iRFF4076FG0A637Udq2SUhP8WJD/LPp1OH3XBcDcKDFFtrxIkecL1IdHKK13aRXg3bxwV5rQX6HYvus4npOaM6U8YIMnIWGdawVd4CXVnO0loyKayRzeePkcYsqgKCRLRZdcGRORZZDXOGcLcBVdmNVZWGiY6qYXTMYK+svUcwAhCiZ16vmBkaBkw5NYSAASxtLDDdzBmlqIaIdW4qCo8+AW3BW5VSFUPtadVRWuOoReXLm6n4Gp0ksUw0myOIsUY4JRD3DWtqSovOKO/UBFBTkVVVZSuVMNKkUKSsh5AmHRo0ir2YgCXQtKbVbnsJJEF56Rnn4AERBuH/XRv7c4MjjVvhZQxWsXRFgBrTP3yZnNrDuef8QeH9nmTr7aILxwJKzMFyF0/fekf8dUsMtSrSV2CEWhqF0l8n0MuphmHFtJZMMDKNYDgzUWWY5E8tqorfSv4vfgShgozi79rr0+BL3pofVn7OSbL0im3v72y/2tzbR0n14/NP+5v/5l63tnf/3nKWVXQB+ImZu7xFoEcMUfreVuEe3Nt0ftRRoeYGu4JxOK3svayPLkmX+BfyvVum/bW0m9n9bJNPm37aTrWQ72dal+bet7efNOruyMlYx+qYvF6s+ferd4tY39sF4GRMQiB1zLrwxIiMr9VgGX06tM1KeW6klGFRKpnyYdbg/oIo7GmwwnZllvSLMqTQuVQHFO5/eCzWfnSsgMvRnDRMlcgvM72pdfJZX+6ItEXev764WYkbQehctdngn8tomEi0wAv3AXgUiwO8FUYqhcXAJlLLy+hp5FtaGn12SGd7PYdA6PBdFMrdG0PXrimh1cmyoSxO0b7xP7ejRfahDxBUyZnkN1TniDV5qW6/jsBK3sXHI1k+VAnqq0SJcwqzj7GA6g4RcK91qLVPn4cN9uEXkMA3uVtcWsYPXKJi23LSWMvysZh6b3vetRDFu9G6lYhFEFlBCOeQMesBIJhny1YJe1bujmdA9V4lDa4PFDNzGdvU8xKf1nTM0IsOpwuvZh9KeL7SzPHVtzq/lLLKxFigsNS7WOijOK2b+TulpFEG0nJobqthd2VfusMB1f77QhZXO5saU2Ro2v56ib8T1OHIDt4vwhRGfYdmVUV2dZN0tcd3fQesHlVWdxGzttio0jW2ESoSROeXR9/Gdn4C8f/ea5Fxc+djqu4vZeRdIWyjwo2D1RPD58jT2ITscRiOQg0iCH4XrqJHIHykt+yCuWhaqGPK9QgrwrgAzDB4a7M3VQbLdXb2/seG6Wl0zkUmVpLLAnmsb/7K5CaaPZbVExfXVpY4u79uu82kuaW+M0TuurwiMAOKq4lJxjHBuU6h2RES0zCvQv6Psp/eaOWM+rAzM6c71gEx6zlS7GV+A/dJq9kvQ2K2LWD0F0wD/k2Uw7D0LGmFMgk4peKTCIjYt2WxtbvaYUwrKXQlLV5d2ISvY9qaB2x1VLDAH6Zg6Akg3/Rl2iBtnHtHMkpOol4FYc4GRcH1hyc2WyVKzP6olT+jDelScu4F9a7VbeC1EbrUehfBQhN87AsAUrjtuyRF4ZehVM4WcfaSpIVJlzncdVN/IPxl7J8OpDuazYJjuYOuaRR2AHqXNBGYwYrBNmKB5fhri1l3+o99CrniQ4sKIcU55lK+AT3kzt3f30ihc2jMnnTifR1V6U0gUjhF2AoJ33KzcKVGpFJprEwtEjjJjywdce/YK7K3r4C7fsJ4Js2iGvobjXM4SDb8n/vcklRkbJ573+q/rpIjYuFgHy2LNFTdFW8xtOqmQq/k2KfXRPDk6X0t8NlnjjSAXObIm3OrvNyLMiJHwVh6vQ9zDuKksMQjm9uVGURNhwd1L5GWTpg1dqkXN3W4L9Inc67hwYUCx6yKiCHRh1G7yW3wX9pz+WXeZHCAL427tobEkeyBqxmF3OCwILQsuGNHB3BRHcsVotnCU5C5rT+i1/Tm6JvEAeuIg0ioQN1w3VK00ZSVmNIdJfX4R1Cmg9vhLATL5yZGbfOW4UrJkGweFNkxltFiJsp3pZKLYNSof/vHzi5U11AXIL7/sF0XNTDjN/VPrm7v7m5sray022o26/cbMB2bO1SeGYEG0UtMy0IosWtHVZB1jsVbgph8hSWFcU3R3kFpR7cR3IXkiTx8RJux+6yhgy/HVDPydMrJI4KIg97BUdktB5nTatk/ravcb+4KhVE7hX5SdxmWVGqptyGpbexAwNhSY8xKZdM0pK3uEr5k2fOZX11S9l1AsBJxbPzSmUHCxnrHSzDuj45XUbNVO0L0GQlOIdXe5YgICb0mZ05Tdqp3copXUJ/6ztJNi4fSTYuGyrK2GAnNs7G6/3MpYNlmf7k4213e2t/bW915ON9d3aLqz93KTPt+bsru1F08PU+6M/C7G/Sf/+Y4Q9wMsTNqKh4bCHR3/EISaazKxclEzWMyFbNtfIXbOBynbsd3K/f7/BJVbXR0wJ3ZFphw44GDx9Vvko8D9ZyqyDanqxZJG1MvIVaIIdsPJAqc88XZv8qb2OvznTydv/suXTNR1vLe9ZHnK9FqCL7vwf2eF6Wn8TSHVmGWIzdZ6/HGMvMLO1PSguGmMxfoMwWT1NXVeYhJq6FrRwg/da1n1Jrh6KzWGbxlF0yswqaAVsCf8gxqj+KTqdDYeoEgR4j3MF1//4UtsFIHs+ZqqhaWN0G2G/MIUhqlBFRT2cU4rDeZLSGCXU3e3NLm1ZQvM1z7y8fTueNr7kF+zEdhyIZE4G9X9fewdBY0AYpcJ+8jSyrARmfMsY2IE4ZD4bynyxchxyBG5Udz0mA5X/3PFP7syIiv49Mp/fWql9afOEE+dIZ46Qzx1hnjqDGG+784QvaH9D5MdQA6CcUAYhLrRS4oLEFGHxNZ4vykspFH42mNJN7VA4GQuihE2kAnVL+/gb6GALQzjNhAlh6oEO864sFONncrH7VlhmoxhFeNIX8Vgf8zjwNrbwapnHx1ZTTMNw3lt0sMdV/Bu4auR9/fYVxw2SHa+ad3y1gWA2kSpW/31g7AzFJShwWHIug/qDLRyd1Eqjk3FebCZ4tdRdAQUuHRmh8gU0FnhxlwWbIPmHvNhpXa4SxzmcxfbS9xHCkRRLMR5x2qbhglgzIrl7JpGlua6dVlvNF2UPlGWTFlFFy+AhvkOrs+8r1X+4bJcCVAzYFMDYFlhks5els6uFJrmD1Zh9Ezxwl4E2O7y5Ig8+/nkaO3Oo7S6tbm51TzwtX44NITt3gE9LQbbB+CL9h76Sg2GvmIXoa/YKqiOxR8uOfPEjl3biL2gitxNhL+9Kal9VrZ3Xzzfe948LQUv2OWA1SzenLw5xjhqf7v47E+AFpTCZrciRbRRjELcyWRhIlNCpaEEgzMW3tzcJJwKmkg120CfNySAbhQs43QdLMHx38nHuSny/zw5OD2oWfx0ylNOc7Qb/9fIXRm+3FmC5YJ6csms/FGC3D9x1QTDmJjeGGK/o6X7TLtlGX8xHCW9sYQUo50LIlMrtgfqor2lRFY3X+xstkjoMyXSHoE0SJIUQolBdWgeswFLA5+2G2jhZR7q/fibso73N3FH6g7KfHHP9kUqb8RgkWpoPrYTrIIFRUHa3/330+O29/pqdX2glRh0EYv0k1FrI2FvsTRoR/ht6KdZJFQ+TPjduG3vn7qOPXUde+o69tR17Gt2HYtCefifDwzk6zF62UGsGAEyW6Qxv42Va+SeUMrHRTxwTVbsx55Cw1svnu/tNAA1VM2YufyL3FIXsBq8pyCYYlGAr/+LlZqDfQMJ9RlSYcYVeKgdJGsd6gvu5BBcMWi/ESu5gCHgPRgCVB0LHJVBfHbeshKg4HO7rSBYChhmjbs4gJ/dxzvCAH5mMq6VmVKlFpjEh04tWgv+YGrCDm2hMFGwpTdjPVwzVxleib1lobw4pmJjwCNL55A3XqcYWMhOzryLVCqnbKh1XVk9JdjGlyqhyc1iKP/Sod28XmH0jRRW72tmAmDsDBOD+btOG34uN1m3nrNUZk4OsLBdC8BKGLW45Fr2lJ1+HJThFOTk/G1/tenDg16QhtpBB07vJh5SQVvWbU/V94AyY/KylLHsFauIUsy4gYqKIiM5NfChe8L/m6zkUqzsk/WXz5MXWzt7zzdHZCWnZmWf7Owmu5u7r7b2yP+sfilVcvW9PYI+ZKglnNKAmpH3d2CQnZySmaKiyqmKXdfQTjOFCCvLbKIr9jAuRhLJFly5VGmItMZKS2SaS6lcyPwInXZxlb8wKIKXk3K+0JglB/mGI2APGCPS6tlYpzFBSCIXhFZGFsD9IvbWvegnUhsp1rO0sS+KzbgUQ56sdzDDXQdr/dfDPpgGOloOnt6T9WvFJiz9oc/O7e+v8MXtN5i9VNF4HZVq7Qlnh2d0HbzTco7EYe3LFxgftqdIo1hU8HiZsGDIDimYSyq5raUPFeT10cGZvUEPMC2z9p7F3USaLGQwIej2os+4KNeXEi2+GyFK60vxtxjnAFDyQ0+pIEefv/jP95QSnmPVHyDPmiLrnBP4neYzqbiZF6GyLFcu9CyKoWR55qLZsBIxhKXOsVUWhpq/OdodgQNjDei8VMxx64QcZJkHYxpCHjEC1w0xWUDCuEqp9kalJnDIjC2AaLvGehaQI6ZZSRU1MnQUproRXf1MC3qF8bMjgnlwc/r8cndr+yFNi7+0q+nLe5m+joPpS/qWwnmSulGb+xf/+c64ZQgSbsctu+xusDRUBsuoaENFlDx1fHgO7yZ/84fg1oz4bpwvTCpFXeQ51ntCEW1QNUGhua8YNKwVnTQtC+2cquyGKjYi11yZiuakoOmcC6ZH5EimV0yFTqLKpW78ezVhSjCIdJUZe1BVZpXOuWGpqe5NfP2UjX/bSrFuzNeRCD7uvbh8sfO1bli8C+U02jtPav6ave2OrQMrUPZMY/HVDrK6qm+7fcOIUpFTZn48eXve7fL1movqY8/YNdDRTGFEuPd9BYGeeI23pxdvz98GzNxjU5sxmXxDijSA860r0wjkN6dQx2B9I0q1BembV6wtkE/K9bepXNu9+RYV7Aiur6lkN6WugSBZ/cWNHd9IjUrBdT+DkCF941P1xx6yMSg29vy6hr5eK4T72IlD9yisj7Mep62iHBDHDR/ogEdfOo3mN3ShSQWvjCBX0FUaCEaHglHBxQwKX7i620xccyUh0KfRVt3tH/SerhSoiZUv+DaeMGqAEY3bWCjvwUJ/E0gQRnlZNz5s9V6i6QDI/cVt5m2zDkWjp3fSZ9R1EikzosqIGt8L/tEXEnGMEorK/VHRHIJ7wpiRLOfb20BlB9djPTT0qDRTiasCAl16M5byDKqtWXEUSKlm7tBVs7X5UidTWvB8qAiMt+cExyfPvJNGsQzStjM24VSMyFQxNtHZiNygONz1t+GTHbir/BFTmr+a/7Oj7uCuN6N0QsyD677WL/LS1OL7jfwnvWZtbEUFpgbY5fYacLYANqjbit64Qi4dyHeSnWRzfWtrex10cp62oX9cAepb2+s4gs6h7LbN/Y82Zry180vtrJ/PnWcr90k9ItWkEqa66wxTdcM7Z3jYkKEO8MvS49ZmsrWTNPvqDlZ2w5VXbl0rVoM/zGWVBWXc2wnqindOqsHgBSihPTbbScEyXhVjKKJzXbRKGzYsAcEm1Gish9XvwMIbu+BrOSSM2CePtKpOlEuGxd4WVXOObQpqSS4UFUAze3Pbnm/vNqe39+PXcrhA2MaQ/hZYHSsoH4qtW9WSwARe3kq6ANhr+JHD4b4af7YLXtUglvlreEroNeU5nfRkthzkE6YMOeZCG9ZiboAb9Ab9dT1+0SK/aedfBOeX9gO2gBiwc4hXPIHvgAcOyu4oDL1q8HJo3ugYlCBUSLEo+J9xN2lAYfj4PhReHMMqeDa2lIIfvPaN+k8qxRT3ql3wQGSuAngYttl0qYGnL9M8OCTEw5xdKB5PnfxqLO18LpUPtYXaEbXpv150Ixtigh0BgunHmEaAxS8XF2fw+XaH20/ebR1i/uxLUfNC1zmbjCuV+2pcmmEpThNh2AKpcg+vYn9UTD8g1MK/MJHZIomzqB5YqDN+tYncONq3BSaBWdvo3dt7eTuILuHnL3CRXjjjBm78nRj5heW5JDdSubYaHcwMsG8XEmsz3LF7zyywwLTmjFrpu6vSbO0879/Mgpm5HOo+XG2gFKdqpWZH5e2wqfOExcVtjQwBG1iV7I+KqYXVg0IX4EymVeHT38LYvvfvyomvXGp1q+PD856w9RkzI1JCh+eyMr1oggLXarDsr3du+LrwWoy5zm76jMpJLmeJz1hKZbHRgl2XUmj2xXkKTrssU4mB/Otylbtwcjtb8bj50nzFQftpjMUBjZVwehxVn19zuolTVy+o11+1s9mMtxjWiANw3WYV2wIjTZ11bpia0rRR2PCk8eXdQaFhgE4Pf4gLTaXKCBczqwljf0T8szkvaYi9kOqjWCmVK3VEhS/Mq9pFkImSFWRX5pJmZEJzKlKm1sKowWjDPoZ08TAW9KGC7kg9vfATaOFm6q4hbszQKSQMU6MAgfNjaSa0VK50e0kFsStaw6IhMRyJw08PKnpCp5aX5WjO6VA12gKJ4CzopKh3rFYvRz0OaL97gZuFst7Y2RdNaxaVXGiesRGRlXF/KJIVf4YWHzXqBS36zJLuxR/u4ZqDx+PW+Do5aiOrQd41ts5P35x1zgkhJ0c93G9z2QUOnYTp94LdThHdPHczvwf+OiVkFvOp1+7jHXGMR50Qw1BE2xcFLFg6p4LrgkSVAkMzlijZCjrL1GGN0Csl7Na9oY2d6dy4oes01BDz5VfD/FG8fNP8hPXYw0RYnd6PCZ7NuGz738aNhfi34laDnTr/rRUKaWARLIvH/1so4jupDFHUGcF9sd+/gdXDKtDww/HhuUPfA4IngVCbRPs4foS3vuOHRWSI8nGb1W3oOe2p04X4cv4GDeE5YSgFclwFnYh8uf1GkT9X+Qt7QFNDZpLV7QVgEHRJxE3HM8m0WF01oY+0FFEvJl/Nv6xMvJ+Bmizdh24DULIkNPOJex2sdXrzI9Uh0Y9vqBLjERkzpex/OPyrvrVo3tMDAIptNrfV0pIaYF8vWp2NcCJ3l0D5N6zAgrd8XS60AjKPS7LEo6Q51T5KALrzeNUwzAC3ky+5TNJKG1n0u52lmiUsp9rwFPv6JRMpjTaKlsmP/q8GsjCVHooGJDlfqhUBdCIMCO5gyI7S6pUSSqhQLrwb3ZEduNBdy3I8Ne3eUNGRaa12Z/vWpQx4HbWp4JEWF5UyNI5yLGM0XZrrL+0Vtjf5J72mvYipRDpgyYsOXtx0roLjXGYdVNyzv/Y09CxkmM6c/rgC44z5t+/USdv9zEH9jZ4IGzthU0ioKXNuMJfBkKpsNAcoqWr0xD3BqCUFlYcwl23shvVGWUReHN+E1f0VhSLWdsRmCX8WA9doJdhYhl/sqLMg39UtjIkt/FyvD+iEgLWQUideU8zsRv83E6mEoBmpiGA3wBes6FbI6/gQSJJC3daqbIP8uY1OiZauj6m91iYMbGtxaNfEx3mAde6z+51CAC04xt8sgkQZ8nPgIlzi6GGJffcVfrjsI+vO2XNXbSiW2uzzxWOxAvJY7NVdcBNzpGtO3TAJOcuZVU81Y+TdT4ea7O5s79itfL71YifpWVoypSnPfQOfx7aIrEYr9C2m/IQd2artKg7rO4jbINWrsjRkl+XOSLuaJhX+ygvdpTbDkPbd7edd4th+fieOBr6ffOcd9tGsT6hVBJZGVmsdQNQv+9biG8o9+la3tvmWxnWfvsWsHpJrskf+ViPnX4OkmjR5T93QzaobyN9D/wDXUgVYsqOeQCgw89arrZ5iMs93+9Da6IP1MNzee2LaTdnuPzF9zb9czy+L45phxKpKnRnbnrjmNIClts3t5Oh8bRRrJVat6ADvTuZM9jYJuxP00LfMKznU9bBPTat1mb0N7mpd1m7itlS/sl6eEDZ8yMyUb4EYmg38wqhLEQGYWW+hgEip/YqbH0HR7bbgdNRgLENDbmxyOo2+uicd3ZuBmzm0aI8uiko4cQzLOMlrFvoa1wm7BIWyqEGPy4HVDWuOe+KTMm796D7SwA3bbhkUOgg/IOe11rKHOi4HqMnM+DUTro9WNKuzw5RKGpnK3Kn6XkFXE24UVTwiHCwG65pVG3tYNMrIBZROc02LRiCQ0lxLmGyBikD9sL5alJFJhqd/jOzNxSZSXo2IubGynPKtzOL6rlbz0NxUTkqvq5Bj190wIpSzAljqIk/2FspCUae6uyUcqY2MaUNOzrC+lR6BI0KPSDTmDVe+qu436BmnvGiQVo8jcpmeqLc6IVfRC4neR5C4wQ8OOzKR9txAZJ/dliafHbvOofDmGISIsUW21Zu5FOF7xciVkDdiRMb+sLqfUFSJ+tnrqui5kV7sNRDgOIhZXA7msVg9wIg4aKaH5mAB2ZJ+ceTkDF16jpqoJjcszx2TC+vxx69OP2zyv9oCR6GnyTqdCamNvfkMFRlVQGO++nMYdpo36+u/ZlS5isvUhMiEGTfzagIxCZZAcj6bm42AvHWerdtLpkfo25+//Vd9uvPLv775effNPzb25ifqP87+SHd+//XPzX9rbEUgjQGsHStHfnB/+3t2bRSdTnmafBDvmF0P7Dmptev9D4J8CMj5QP5GuJjISmQfBCF/I7Iy0SfuykziJ9+JED9VAgj3g/ggfpszEY9Z0LKMWj8C08HLyykzRd0JzrlgR+FCiuwc8ZiBc0GSvSaQgAzdwTi7SRCGWyb2qJGKlEzxghmmEJAG0MvBVAPSgMD+F0QeN1k8cpg0WelayADbDbqZSnVDVcayy8/JJjw583HmdZtYd1yjn5y9rFTyYzfsY+vVdrKVbCVNKy2ngl6iOjUQgzk5OD0gZ547nKLm9uzeKu2en6wjcN0vsF571MP23PERuK98tzn/lnb8h+bQ+xw4GEg8p8z8lMsb4HAa/nLBmWHcXM68Q6By0Zl9a+rW020iWixXzfuTDE5OXE1gkthxSbPMcWPXa80yWX81XedUuIdjA6DPRkejJQwJNev//vrgFKnvj3Uu1v/ALwxFf2fUgo4c5FZWiGKmESDf9ITYiROO1kL4G0tznAD0EVQtz2SlozEBEM1E5ty4lk3ijgar7t7mdrL1B2EipaW2Jx/kLSs/tmI3WsrP74xdjchvXDE9p+oqWQsovy+swC4gcasb6DgB0rvBBY1Ak87RXzpuIFrBgPrvW6fM4WJuCyO4dTkPDPYYOq8B1ZLJgkhIqpMKaMzJvbquBuGPXXs5P0O46m98yhtglzS9Yve2jbzd3gSirhvkk4Rd926PuFv/0iPw+h9rzciJvv0i73YzYs7z6wGkrNXXLz2jrKVV5DzsYwKy5IjkwMv/SVOrw4XgjKBbfns6U0hCCHGmHuohUHjuzqrf7Eh8QH0ZEr6or2dnl/jvOE98DIkXc2sM53RhxYIqK0fEpOWI8PL6xTpPi3JEmEmTtW8P8yZtIX6gNFgXnvj2/ATasuQovt7E6aqerF9bLCYWdzuIwcg+UWqWjkjJC0Dot4dOC3QDn9/zPfpXuEGDm9+NAk87++jb+Lu76gtGMY+d5uglg95KjpeMQvF2LOzRMStip8YQSJcxw1Iz8uNjVA4G19074npTxncKpr3nsKG4btZeD6nhIdzHlxXEQSn0y1fQ8B2W2mryLsWUzypV77skqhLLI4BoOTV2usSXsmmXOfT2ej0iN2wCGiBn0JjfqAoS+xFdXIqNUsF6YVxfcsXLw7Xa/IM/wVZAdsPGIEUzgn87lxo0gM7QFqsHZ28canTyQ812An1GFm2KnT5vMWi7e8PHHPMpoWLhmRxgHdepA11oH2qJtKFr4f8OfMMqvA4WusyTNy725I+KVTgwOb54DVUypQAS8savUsmUaR1ZL8IwoZ6rYuD+SCUErFnJzOMDogOPD88fYIVncWj5o+uX/rgnLqx/LlGfqyPYwSQehWmjmg/tLmkRmcktY0Sa+FOKZuqtkQSj7/h04fMHvP2LkHOMxqeqaFic6qvG2cTbul0rLt/7TDA83+rzt4TnYywMNWwmFf+TBUiWvQFwAUlASfIUpv9gza2Dw7983H5nxd9nIH9nQd+zLBcv4TsX6TqLskx4KNuIY8PA5+U0+CKCse6O1REjw4GKeTCkNNSeKaoYBNa5y8KP7Oqh+65aI3LsXB31NXT05vcR+eXdiLxmM/uEVTHbGD2rJjlPL3EYtnTPt6fCvk+FfR8OUu+GPhX2fSrs+1TY969X2Ldd17d5qde+mC+j0/m07eGVOj/T96vVudGe1DryOdnXHST+5fW67pK/d8XOr+h71uwaa/jLqHZ+VV9Qt+MilUUciPFpul2dj05x1KZel3h21dHrQJ8Lo96j1x29+X1pVH5ayFYdklVXuem/44epBf/m4PB2ABrzDymlH9aZ0V0khM2qo0LhQbDhu3DnON47vNmI7p6zvJxWeVyjt77upnUkUHBWBAcCxWxJlteFbDCFU6oZFfxPlKkbcRFCxsnekPnIWMYypwBgKifClbOpIawozaIn5vQS4vPOf25sxFO1effDt1aB/Kna/FO1+adq848M/OdUmy+VzKr0EYv2ddJ13Qy33FwtEPX25mYDPs0Up/mwMdVed3eTOc28KVoMVpV/7srqt8usgXWeGkogYgLEwamSRTNmTrkGP1En1RCrXY+0KJlO+krS+Gh6Na7FvbG/3aE+TabhPyX8B25a+EPmOYMqNmg/sH/VQQk9OYIN7bku5xclaD0mUv8OAy9HcOeLggrTMlb1nt/H6TnpNyViiHUBkFpWgnd9dFD7+3tSKONxfCQIE4qncyQoCAFpVMwOeY2pLEoqvNRkxUCwpzaIsZXkGOdU6lDP0IqSkG1KlaJiBvE8U54b5qy9UH3ZC4lQ7gJCfgU86AXNAEa9nodUwPoKleKb4i4ZTDX4eld9TFteXKtvvgbZhmvqHK6pe0j3AoIyPf34kgP9ZCpbN+Dy1R2/S63gSSVo4eh2leA71gf+KhzikZWB71gT+ObVgDg5xtf4ctz7LPrqTqZd3/m382y447WhORauwuhbP6uH78TUpbt8x/Seofxro+DNQgKLGIfmf8ajQtGBMLQDBMd0gbD1WIb7/hVpdIkvVbjh1mblj7bjbk8e3Kd8UvE8uxyWGlcPXEpk767ZUw9Q1Ns0dfmQjiwCnwlUEb6JCriGlNFUFgU35PyXA4xSEBiFziCD2g/RUxBgujN9yfZeZdmLrcnmq729ydY2Y5ubm5NXe69evNh78fLl1mZaO3jvMWinc5Ze6Woo3nTohu8gy68Q5M5rpkKVum7W7N7k+farjL7ae/WcPd/ZfPUqfZnt0Ww3nbxKX+00de1o8oFWdNSMLoH06iYXCJC/LZkIdXiUnClagBKcUzGr7NqNdCSlwRW7oVjO6SRnG2w65SmvQ85JHfDf1A8QnZc6lW3d/hGdhxlsjZiRubyJFwx16sKOuiC7SjO1DiEtIzLL5YTmHbzg130LYcvoOxk1/S0PLOODLOBe+JqYy3nKhB7M1fEah3cFkzFXvI05f9ibzaMIJTr0IXI4hZglN2KssilZkPOzo/8gfrrXXBusH1MzI6k1n+SszrDXZfYRsuvdkHpjrctnDkqazlkYeDvZHFDS670ioilqypFNwYqaoTqEnVEzjyrx+H3jHYKKoNuotNoA0t84ZHlO1cZMbmwlW9vJq3ZnFCi5lQ6Fwl9kYUFGm0WYjLx/9zq4u7wEA50SuK5FEl6XKL296mAosyItL7PEtOx9YwWbJVb9oIqEnmIazUS698j29vP72pQ+YkE3ZxDtygLgrnThSV7ejEkM6hXbmUe+qrqZ0+YjBRW0rvBMXM6yzwTbJ6osRiQrr2YjMlHsZkSE/WLGihERFXz9T6q6Z16VxbLbOKwk5je0OUvcyWQ7eRUL/025/5j8Au1iPkXy/w2VI3ImlbGkT44/srTCP5+dHa+F+q3Li9VNi+QgsT1WZHXTNGzGlpZGvtpfRqiBp3jO1q2W0NVeodyZnBpyKFUpVTPZ8h6SGF70CkvNujLYA1d6RuMw6HtWZsceWPcIS2spFw9c1ovkefLqxeZmsvVyZ2t32fX5CtOXsNCh49DsKj+HRs/PDk5OL5Lj/zhedn3DOgjDovq8hA9c3Eo4gR8+Hhx7ZgR/t23RK3evPlp76qNdPX+MvrrbD7OUYcRP0e9FSamoPSl1h1WX+dps/wT1Jv1whGcbESm6Wl+N6udgcB/76UvotDo1VucydKF9EyicinCjWT4lVITdtasqOeaO2wdRLfFlwMB6i+DWwfTLWVFmQ4X/rh4oRReuihUgiaoZVFnQI7toBfQBeLQLohMt88owrDQaRdlB6dVwr0WyyRu6IBPm3FyImVJJw6ACq9Acuh1He9aRIdzHdZSFJ1xs6NDEd52s5+FPqyaGD1ubif3f1osOIi8h2+ZhAmNLE2NiZuZBVXfEYscGx96iv4q9C9uqsJlvXOHClZmzKLCfJlV6xQyhguYLzTWRwmrJYcjC3shhk8iN1ScCN4AWrlTFZ4i8gUKG4YUCNySq8c+dOo53hK50yVMuK123jO3IdTvLMspUZuxS85mgYJdjH7m+t97QRMqcUdGH+x/xJ4ywL+2QkJ9PwgxxjbA20KtGVWz1EyHHlnyDncL77IQpUwYNWr47YE98Y0RbvkVUqhalkTNFyzlPsXOOro9zPOo1zXkWZy1B66hKGz8fec3oNSOVqOsmuBYD/tX6FZ+nV48fhr2hmlQCjISh+XRcOPndu7fvLt+fXrx7f35xfHT57u3bi0/dsgrTVAbKsDnH4RuXM3jnoPKvelRJuLUyQPJSlq07ztLquZGKaVckqd7ons0j6ZzyOFT173bHUXaoX7/tPc9yrJwC5S9Yhpk8jQ5Wrg81arGQY9Mo0TFZQElXjdG7wJlYvkBjM9ofkEo7BPVZpx4o+zPR3M+zIHiEzzi2LI24F1qurWQ3o1xo07hiJ1xQtSCuqWyzZm33bNLGXtxz8B6Kp6KgIrtcsoHU1/HPNvfhpyrPPdzYsgpICe5L15jI3Zlt97uXesJcTvppST1I1DTP69u23fyscw1/ulzUkIfIOhRFVi25Z5kkfYhlGrD28+1xQW0pH6XvZgoZMhW83lyHwTrdA4OmwBuCleF0HM1XX2RTcgMh/40K6WCIhZxcDwgGIMDhef/+5Ghk1aJCCq/dkJ/fnxzpUXw/0qiudWGPn11qvgglprE0cKjcA0657qoPpdBGVanB/rGoNOQLN1yMOchhsCQsBSmVZYIpuHwKbvgsvmTPTo6IYpVmjVLade1rXxprCt1WcHnQN8DqkCNC7VWl2yFnxGdPWuxJbXqYbbqd7uzuZq+mr149f7m7tMuwPkPfLC9ZPtbjoKUjxbTe0JHuOM8t7HDzCU2nuzGQdiAUUZq6S51MjqXTmVVEoipVvSUpo25JEytuu0stBN/Wk/nzjl0nsP5tbESw/wAX7nEabble3EsQkT2KSZHtDsTI3hzt4hTdSfWcbg006/kvB1t3TLu9+2K4ibd3X9wx9e7W9nBT725t90z9FwkGW/UXCobxNSQEy381SV1AA3r4nYahiOYFz/vcLG2OUVJlj+3XsRsNYvx5uM1nGStujaYnq9CXtAo5xH+/xqH+BTzZiL59G9EtO/fXMRX1L/DJYjSUxagf30+Go/vQ9WQ/+kvYj9x+PpmRnsxIX92M5Gnx27cmDWMwegiKnkxKy2Pri1qWHgjWl7M9PRywL2idejhwX9B+tTxw37SF6wsZsZbHVjlbSt54UOT3SX1NOo4GsVmRpYvpBoOeMDu+vRYfutllG/plGs/eEbMeoty6ObbbO9sPBa4D3WNE1UNXcIe5VVL2g7r1QFCB0S8B661ZPlYf5QVrbKsT67t2ou3NrRfrm7vr288vNvf2N3f3n+8ke7vPf3+oBmTmitFsubKGD8LyBQxMTo4egwwclANG8Dpwe1Pacfb1pYsteqC5+V5kv8BGAeaWVGRpEb4foWKAfDXUlqM6UCumaxxSgXm9E1Y34d8PQ0YV7AglEyVvNJT3MaAxcOOA8BIoNPmhM0bSStmBcug+KCITwLL7UZUW8s8QNc9ZKkXW5Luh9VFVdpO5n28vHaruYLyR6oqL2SV2LJTqEZMrhqQfSyYOdBJAbzshOorDXBZsg+Y8XbrgZ8mS/yVJJyVL/rp5JyVL/uqpJyVL/vLZJyz535iAEiHgWxT8A3BfXqwPU39toT3k5H5DInm4ar+iwN2C4VsQpwNI37Sw/AlRNd+fJO3x8/XkZA/B9yMFL08YjyAi11UWZlwbhxWX+/gu/u725MefMHnRNYW1lOHzwv0AvoAfNEsnS6YGQt44VCcYiJ+svnXCFNZAIDeKG8NcauWEavZihzCRygyKaoXN+UmqsEDVXWBdW+qcmb/TvGLHH8H7+Y7Nfq2YWrjvRk2PP6RP6hJpXNbOO2hBhQ69cV5e2u/GSQh5kb41wqQyXm6px5wwY5giiqXymik64Tk3C4CldkfUznF78t8d/3z548npwbt/4MqZa2vd48j6/dcfq4PDzYO///rjxcHBwQF8xn/+bVlhB7YYb5/7gqM+rYY+xgRgnRu7vVA9DeZzVXLrbT0LiKCaWB4JUYB9b8K+uD3yBJAAWWjoxxOGdM8HIoEpyTOL5PPfR4Ds4/84Ozg9ujz/fQ3pIXYUBRh4KNxCoGSqq/OGU7I/KiZSbFTgJgQCtqO/ef/64gTmgrH9cNAjOIx4TRXUUSI5hPnhsKKCPnOw1pqi7ZhHv719d4QEffzz5a/2UwP0iPrabYixAWHKC5oTxVy4GnrOnrFkRsYrWyvjHrfW6n+uHO5/UIZ+UCy7NKb8MOHiQ7GgZZmwj2zlv5a22gDBDVTa+dxQkVGVNfcbL1THRXyQim6vEEli2VXM+fUQCziYTBS7xkq/oBV5V6Sdr3ON/PLvr98sC/AVWwwA7y/8mmErcn7tPMxyakfq3nnnb3+6+O3g3fGHWmPzLPz04sMhyi5/R5X+w0lhBZqfeKhnYgkUm9DoDzdcWEAt3S2t0nUKLz3K8iFox44dx+TYrRrZ4eCEAu/u27gPn42QcMx7EPPhiE2qWV1z5/4CORGcQzXWhDn8Hd/tarMUxLWwVPe/D7JS/dWddSJCfLRmxl7hBaPC2OtkSlN7QVPDSMmvJca6KOj5SknJWWqX4uGDmjruA4RPwQMa+/7UEbQuBltbIRliD8WClDlNoQO+vWGOD89d1AK5iEFwQ2sGtSfFzPOCYoSlvOvbSU4hrgumQFnB3Y1cRUJNrV/i4rkgY4fFZBxWcmAZZKqYCTFKFkNxP6CRKw/ng8uhYtxcahM61quRD3iqKcK3vB2RNOdMmBHxj0I3PmzHlPjq+NklLxNyMsV65mXJXOjayZnn20bW0PNyPMJ6HVh3SjikAcao68JzckaM4tec5vliRIQkBQXRLK4+xw1MRhXLRlbcC9Hy0VT7W6+2k81kO9naHT+gysac6qFKvx3kOd4RVM+ZRjKQwiJEecJykhWGDHryh7Y/NRepNKqXENBf48+NGuqicEE0N5VrwYcV5xayWlWWFHSlGMSx1fqWA4zQfCYVN/PC0tMzDLdlik0lvGEJyrJMuPQCAGvLtzUsl0Buf68riz7HoE7OetHXVKP1YE0x/EZCrKSd7XZo7uePVd4oMvbOf76DM9pnfB2c0FQqig8Gi4aLyMNAQbGoe16EvhJ0ZgV+C4CLjvYhi4TmTBlNpCISCsUJiYXKYGG1JuALw9kpovBJN9oNSOderkUVIAIcL2K273mKByoruAZ3gRUAlcxD1Wk9Cq05JTIycnJ0vnFydl7/ENpvjcgNm/ghSwwfx54P4YFK5S5wVo8IExmojyRjhqWYUiGsfGpZsmbk2fHRuzVXTTqEbTKTPqR+T2Xm7Z4ej9cnD4p6xj0WoLlmqVmVSbEIdXIRCAg3hb8sZ5AkVYyaqNBw2CtPWYEygCs16LuTpHVuqFp/HfeCva+KAPbmG8qneFA3/0MaQPHGDYVLdDHArqUHcliPhIAVy2Vr8vCxxL3IIAfGsKK06sFJJGO8ZvRqaf1rcPfjBTa5b3seYePdhns89C/yx1ymV0RZtVobkGVK6GRPjk7PMQL4l4uLs3OyQS5en0Ngukxlrpe+K4YKIz/ANZ4cIaPi2kdHW9XbVfeCysfIO5FRRlJTbWHwDLKXcB5EMFubSwc8DVtiOFYE8luqDd/OGwJqMCbXCu00Y3dUfHX1gH0d4CWWP6jbpNF/HdcJxiqfYbPcuXj99vDfL49Ozy/tIbi8eH2+7NqGLuC7+q5RtNdIqy7cnU8Y73XY3d77IPxq0WiHT6FpNkedDbtbiEyq1VVNMplWdV5GczZQKOzJXF2t6UlIU1PRyIq/aeSdoSTn4grWQwoZ9ilHhwuiYOKl6vqac7V0Qdzp2tJ8MWImkht+xUuWcQr1re2njU/aXitrsaH89actytXMjEgpc54uRiiboEyArlx/61pFAU72g25/DOgvWN0NLjYhOfPe5Zlj+Zc/oZy1LJ6q6hvh/WB5kCoEAQQcwZWg6ztBj1qXAWd6qeugyTC718LW5ib+/9IGokGDei6iPkQbRLFrrtuiw4TZVQPtgF7vctW7S0vuWVPU59B3E3ZK0nn9zR1q0oF7zm6y7wBItfNFgKnF/iailv+pFMJtzzSI6qj0EMVmVIHhUDNQUPQoeh73f8LRtYj8dJrLG/AoqazWmX6SilwcnrlRsaOvDmAibCnj13UAChfccJqT83+cQqFuZp7pNfejG9QOWMOCbgmkxSB0tWdyDDJfdPDxQ80FPF6MokJTNzjY0JwmRGhqKswvc91HDFMFWQnjrVj+AbdaNKyHQrQA1wnQl/vZ6YmOeTPfkKa+LLzhDVv8UJfypltTxOtwVpbzxgSoQcMq3IhRFiyoof+sBBIFuGbQLube7husRq2QpjPkFFiw3cZ1OJxtpfoQh9/wS2h6f9DAQ7OMaFZQYXiKjpKPxrWvZh/TORUzNmowda5DB2sjyTW3y/W90LF5oYBkX9qwGnnLngpzTK3q7McUvoc2XiRo2nNOOW14nhOGhibMkHUt10UWmxkBYVMedeigZalkqTg1LF88RL1Gu+dQghO2CIWrz21M3ffcriEwmGLCZ5WsdL5AaoZ3ApcHj6IO2THQkJQKcnI2IpRksrAbAMbQSvCPREtLJwkh/6gxS/MbutBoWm5e2fTGw+Tpfpy4L8aIsqaMJqwUVTtRs8pn2YPRNuHl2IIyThCs8YhkrGRgnybSyQyk7vwPVlmuW8EsVCdL96e9LZ7FJf3iOITm0ICqLq9MKyOFLGSlfctDwHv9dQDQd13DgZ4dnJ+uddJs7b3NaDqvbU2ISgyGZD039O7Wi1ftNTeaXX7T6VzLR9D09rdsoOJnKWc5I69fHzbw0ROYskwwZPxas8ILhKBAaihU7474vSMJZNHdrdprNv9Cwr4Hsk/ybyM0OH7TLD1jMkm5WQxVZOSQm0X/7ryRwijW6o8E4EhhuGBisMInp42CJ26yDnynUpk5OYBgCtoDZCWMWlxyLXtSlh8HdTgFOTl/C/nFHQgPD24Fa6jddCD1bughFTTrYsr357sHnBmTl6Cc9837WooZN1WG93VODXzoxtz+N1nJpVjZJ+svnycvtnb2nm+OyEpOzco+2dlNdjd3X23tkf9Z7QA5oBFn9b1mat3fxy0DJw3tC0eEoskBpTA5JTNFRZVTFZc2MnO2IClUdrBiZ6PQgrs3TdNoxF0b55QJdC1AtHwuMVJowlSdFO9F2/qGQvByUs4Xmts/0LA4Iqk/1nEc1qk0Fk/2QZTAsWt0ZWQBF+SMydCssWPdmEhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzS6oPedmR2YOh3Yq7WHvrQMst1X68pCx32rY7f5OTsesd+cXJ2/aIWPlvyVkHTAXDz5uDwNqhJwzJrks9w8K5eWDXTKV6QchErChPoX3l6cBH0b1fxgTvJrD6zkpSKX1PDyNGb39cimbd5VkCbyyXNyITmVKRwWiMHoVREycoe4haS7TpLuVRqw4NSCGIE2PG/YRSgBvsAqa7Th4uZT5PhWrkunW34zDwbh/bbSBwDFpli2WWf9PiIfd4gmHA2Z9pEk3oc4dwjWEhZsiyAXE280Bm2POoRO4oCcWE4p3FOpSIrUymTGUjwSSqLFcI1WYk+t6sIohfVBRdlDGu7QKUHlnJtNSrXdwd03JxfuTQe9BDqajrlH8OI8Aw0ktzf2MBH8AmrSa0l5ALDe4xE88BHXgRz9GSBXU4XxNCreldRJ86pNsTcSJLTCcs1qt9CGkgFwFpGdu0Xr490iNxdSWVSXa10b8waGQ2SMLK8hO3/AhTBplMGJezsrE5ycXv4jF28PloboUvkSsgb4W1hDbCIQ/3ImxsBRSWtyd6NhykwHeJpzxuGtXisMQTU832TDZDMbRRTb8RytAPfN8im0kwlw1JMrHfVOS8hcily4RA5vY1jUEFeHx2c2avgAFd8FIaKSWW1uzpWUJ4PtDgr5BOYwEsm3fCvZFrl+SNn/n4184td8KomdkkwHagRd/jV8wlThhxzoQ1rNd8H3IA19asRIDrUBqdAXORgzsTbyxE6h6HzJ4LdccMHsvUQKsI5oFIc7wRO1gViwNBXX7gR+A6EmRoZde2LIw8wFhgZlCBUSLEo+J9RcBqiMHx8j6WM+ZSMYRXQrU+5D3Z149BkMJViinvVjnYQUIO7dtcQX9mxj6juzex+FFIKmhbM2YXi8dTgr8bSzkM/coKFqLnoLjriaRR4Wssz7MuXRK5h/9XdTSj92x1Ho4l/w2BJ0FHq+KeMGuqAu6GapDLPWWqijuuNVpWhTeWUiwxpLVB+LmfakXyooennhrQU9LU/wA/GyjkrmKL5gGVYj/0cMevz8W0e/Gd8CjYMLOi+1qlCngHxgC6KLkvtS4UqBkn+Guuwjt2AcLIzybQVx7oS1h7dme5ubk4byBjkqPZUoQ3xD0JghABCjIFMNTVBa9CiVFxH/ExOMdlEyIw5c2FjybWHLmSqA8GAXJqxbnn3kLPaKSEbA+MyYwt6xTThpu7nH3PmWtK2dGoJ0jdYhYMhWIdqmykb9sBY3YKnVU4VwBuGZAU3vmRyO4LsVBrnNuaYWyKY62DAWP2CxnPZAAPiwmUD7XW8ZuSgxshvvKGpIWP7nrsu7O0BHy32QX6iPQWvs+cv2S6bTNkmZS/SnVcvt7MJezXd3Hq5Q7dePH85mext77ycvmhZjgaxXTYELU9s6NePuBNgqxWmJ3pehDKr7mTCPQyJOY5eaJ7LG9z+jGuj+KSKI8fdGC4FQFWQFBFMmFDot3n1o0HCR1toQyFBFyxd9QkRwcgegX+C36ZUwwqOrdLGU5cR0zhFXgpod8ZP80qbTrt7K3v+yKjRfYOg5uguOKifXIYqAuFRu5HjWl7BLK6pPRiA7rj6dJeuWLyOdXfcmkQkMzaoA8VTEw0kAVO2+ExECeZGIi8KpGRH8C97ruilYfsbHNMooDSusAFpteDEx7SjUbQJfumBLdb+j4mvmR0GdddJgMynmPnRlqOlFkuOQOhSVAsA+yzueRRd2CRUR4OJBcFO71O1GidZMi1WV2upa06vmfempqw0uLgwG0IMKPbClQPS5StFDWeipA8JJ5qLWcX1POxafSjhSNv7glRl46p395zUFlQSS9GuzoLDi2DaW6wDS6iHb3GhJtXUDMZTzxpZR64QcOwWVVCBIWma9YgJfr71TfdPqzm0jlI6H9WTi3nCOH5rrU3pfqCcexB5fcTzg+8JeDGiGggLBh23R55tyAnhho4Ec7+SaJJjv0EnUxxEqjAGVawFXfuE3sJ6b7zkNG5w1fE9XLexHb3xtI+zI39vFsbzGxKC8hq6RXdXah5sJMmlvCLUXkmYiccMNkNp6RZRLb7A3bvYeJ5sJzuxngWxew01q/7mDi0Ln7o/ktMHB2JPA3AObTRFwuZIUcjmPcGasfvMRWx+kyGFLjjyKaTwKaTwKaTwGwkpxDPpK0zVjOQrxhUiSE9xhU9xhY8D0lNc4fI4e4orfIor/K7iCuGy+O7iCh3UZMi4Qne13xNPR3MXhFafWhlC7Xpj6qJUNmIUBWVLzL75GMNb0ZF8Jj6+wRjD5YW6Lxho2EPzXz3QMBY1nwINnwINnwINnwINnwINnwIN2wT3FGj4FGj4FGj4FGj4LbO0zw40hJ4pCIxzgF3U39zhAHP9HiwN5lRrPl34yCVs8g5lNmmaSqwsA/WrcC5i6EcpZOFNRv7itzC/4UYxcnBx8X8O/51MFS0YFOXtDT6E+hpSwTqbgLjZQTWiobYqV6GKJ+h+bsyTo/MROf35p99GUPVyzQc0hA7iHlz0lOAaEgNdxZO/ARS+erMbMS5WavUPJ+yFslRufxw2UA9d4UVJU7Oy1pyFpXMg6uRvXv2q1x5qRvv5XA1bLkCXAXGNpnMoBBUqQYINzYDb1dM5TDWCHUpTWZQ51xhlNJM09+BFVUSFPfpWt0Yf68raA/yOYUu/AI92+A1TBu/+tFJQQSgUz0SbrSefhhiL+wy/h80IMZHMqs4Q5we7RX4KU7mxeMOuTLzMHnqLQcAVlM0Ss1CClTAr4GMTCkO4mFn9FRvOS0UUM0rqEiXnPAKWzma4PF91p3Xy35xcvDt2R6upfCEpD3bDW3rmqF4jMhvU6HH3D1c821dbijlBWOQbahT/SC5wnGbx01HctSghz9jHJNS5o8bQ9Cop7JhQ5w4h0RsXB5ubO5sbYYK1NtbwgT58fSFJI8S1LI+7Gl0xN/3yuEOW1oe7oYtBXsDp9PUgK5V/pxh80Ai1vOEvjS9xpANTbOIV97n/VIf1PjpePTB642Jr59Wru861/f0WtP1FtN1GEPR3uk23ix237N3X4SxLY7chWwzEXJbH7oPGCLh2ZfK8tuBqxD6kMxz9/9n71qY2cqXh7+dXqMiHwCl7sI1tIG/l3QLbbHg2hDwx7J46W1uOPCPbCjOjiTSDw/76p9S6jOZisAkO2VS2UlvYnlFL3a1Wd6svUDXbLetYUOxnzM+EMfzzGrSm4COiqSDhDHQyCp2UoChleIfwLaNQf78ZkCRd2AKducKmpvDF67WOjbJOeKoUNdX5dYPedD5NFlvrxDBWXbxoHIASqautKpCKzYKM2691CK6D0orAezuejAbDN6PJh/HJ5I/zqzeTk9F40u4cTQang8n4zUmn1//XAxLGrlxVsHBwtyUsvB9dNE0POpHiOGjikMWkQDUGwfW20r2eG7jKLeuDDaSiKqNM1fVski9+mAl6CwLyY3VJE3+BafwRCRr72uPttihC6ppA5YDZkpEhFdU4nYvzc89bu5HIqplsCcUnpoGPi2sHeCU6voD93LRZQDTmalo8igZ5wLOhAk71/UcxeWxGuUgLbGEyYRY2oKymo0OBMs3HEWqBxcKLgt6W6DMoCKh4TnjC5YmYl2C+GPZQQMFMZDM0HH2wZCxGeENC3ho750xlVQgqUhL7+jZJFd0Fv6Nq8NRwzjJ7KZUTRXkG806KWZIQDlkogK/yFmmdHfYHh2edQa93ejY8HB6Njk6PzrqnZ6dnrcHxaPAYmogFbj8bUcZvTtr/eKocjw6OD4bHB+2Do6Ojo2Hn6KjT7w86w+N2r9PuDtvD9mAwOu2cPJI6+YnzLPTp9Pr1FLI4dHIKvp5C+aiKUk+zb/pHh2f9fv+k1euOztqHJ62jUees0+53Rien3cHpoDXs9Huj9vDw6LB3Ojrsnp4dDA7bncHJcWd4crZ2awq9RipEtjWVZ5jnaJnmk1Lfz6afiG+v1tUMzCfQ5GrPI11aukKlMgIH715f3A3VFdgHxlI0OGmgy+vX5/GMY5HyzAff6hXBUQMNB6+jOxM4Mhy8NnEM6yPwEz7Y1jmuL4UgtTgPz1dwdd6pVKoXbKliNBPCJbNJJhuP3+7nijZCCxwHYoFvqneiQZf0pu2joD/t9fzDduewc3R80Om0/eP+FHe6m/JTzNIJnqVrsdSqXvpDnJL9KxoRV1mGlr26nnlBKxAoZhDPRPRmDeRWdvdmTf//l51Wp91syX9XrdYr+Oe1Wq3/rt1z1lnvFFI/v+GCtW609mLbx4etp1isquj2xMEDpXZ1giEfh6EUlzEavzvXUjUlYVgol6/uRhZMpLHu71ftDKKxRwXCqseVvrjSVpWH/pA4dqS2fLLQuKXU/HhOJNoTqpOE3Jg8nSZUQf5yufR0xp7ns00RrkTlc4rnikDOBbFFy4MCObozHTovr18PC/10nkoOiyxRlzcTZVJvKxXOWlcaTL3uULDl1TcLEoZspd2ywprv9PqTXwcX0po/OOrWPD0aDNd4/qXneetv9oyXG1Fv2wkiIeZtWOCqErLfFY4bShbq3oh1gT2C+Emn1+drd54hIsXTEBh/jZVOGQsJjusWdKp+QrMQF5ZFZ8bZhWIyZylV3L7EEBfnEyFmWYhw7OS0cxwL6G+lfWoxIrHP76AzX5rFMQnXNmRj8iWdGPfaNyWl9emp1jpq3iTw0HuiCKubCTtBkpBfePLuJO+wvmv8mFJ4UhyrVlZYCDqPpeQQ+2komrASqc3LNTTVuCt/8L4s0ih8gcMkbpo5Nmkg9kr2le61n6vvIVvCzbKocp2c5f6DrYHcOGmRRVtlOCpKjlhgOA0XwidyX1esPF3y3RKXrs1muursd+k11HPb1GtYXdJzeQ1XzWTb59oWvIYuLR5Fg+/aa6in+8N4DQ21/sleQ5cmP4bX8Dmp8tRewxJ1fhCv4ZoUco31f5zXUK9xq17D8Ub+wYpfMD8qnJr4z+Af1OA/4YOtmaL1DkLd5fOpHIQHx91ut42n/d5hr0s6ndbhtE3a027vcHrQ77aDDfHxFA7CKxpJAy5KKv4y7Rz6HhyEznq/2kG46YK/uYNQL3a7/qrx2p6pkkiuEQHSsjQ72/NZtBURsN3+tu8yqBNSyFM0J1WCuTD1x+T3jNM5jXGo7dsaDvA6axNbA9m2g+EdFPakf5NAGeFw+ln/Argr3WU+tMT0oW7+Nh6KY98kP5qYKOer1XFRw7zIqBmkvmYthDH9TYw8xsqk4SybL1hmdg9GEfU5sxWWub+gKVGcicNQGjbSBL6lZJlbVnnAv94EzsSRkzqBOPmcEWmxNnMmMd17l2Rqfjfm04yzOG2SOCjVxmvK5XzOCJcHD7TP1+vIazZMsX/jvrlBPJac/RaDXlcXR1aA83yqE/WNmq7I16YTZFRGbt54WNvKUyJPHZSyOZHaH2iGdsg8k0/ldRmEy4M4VMRzCk+mhDe1V4c4mKyk1Hans+PO7KB3eDg96Aa4jw98ctw5DlqkRbqHB/0yem2r5OdBsgVfQrX53uRjm6R/W6cGcjIigkXGddkGSPCxhZ1F5lwFSQ3a4heiFfW5UEFfqzVr9Q8xbk3xcaszPXSkQsZDVyJcf3j7gDS4/vDWxD+a0qL6jgKc3LBPSUp0m3vYeNcf3ooGhEHqJ43EkjiYcgJJ2Shgy1iyBEPCX5CINGzlgwSnC/0+Q8aPt85G227Gq1a2TRYbDxt5bnjxemynWOdWsIjoSrMY8BnhOxWsqx3k5+/lavclCiVeVTpteNcAjmBZaqsK2lFVBv+5vvWTY6sUfqcmjarEOWem8sZHfbWniwhWmKbmhs9eMxhP9LZQe7XQQbYmn1NoN5gUTgZ4jRqgd4NFS8bDUhXV0hBUqBqdgkCdc5pqj2dDUjFmqRSF/A7ipxew34rvlwYPCYYkwoRwygIUZSKFQaZS1vlhFpCgpsyCspHh4SlBO0k838n9HPL1HU9+V6VQok9AJ2ltHuXFYZ6cKu8ZT51iqRIpYPIodnrx0eH/lCU7JeR8fPFRGS3FEhRm0qXs21kWPqEC9my5DeczlcUvRSAkQ9JIbmmdEAmN3TNB8g175/hKoBhobuPQGH2U/CzH+wh3h+B7gQ2vC5wLxIm0jkDVl0YyN7aDUXiKdUvdqjc14fZFCfCq2z3YV9V5f/n8ulCt90XKkgL1zIb8ASj48jqOWACV4nM5A6wvkCAkLmC2WvHLaaMQ2+qjEYtpyqQ6ryQAm8LJHdjDYEqkqNGM01D1yLFwWQHDZSvUaVZjyFchgyAlMfqUQSmh3HAE2SXP0XKNFss5NkvXvmaHxaDpL7GwE20UzvnaZiCPYiI52oqfC/yVYCEcrnnyezk9fMmq8EpzSLdVQuE9Thcl2I5s1QjaKU1nC5XK3ApZlXl0uwcVydHtHhQmJU2ou20qCQBAM7GtuQjzVb/oe++6Nbh69E6J2Spn1y9wdsF9XuA6IFwoUINfKXRWa4mZfBd2qJOopnx3ztxNmxquYrUA3jRL7VMNB5harFJT7IiqkFKMSJSk+Xxg6urJj/rtUgH5QscHNCXpkpBiCEO6ZEpXLR3Qz10dTYrgn6XRvp/SaMpo2xYTjGH01TIRTpud0rmrsiA/vqrVO9V8V5xbRX/Cz6Jv6GfRt0cVfdtiSPG1Hr5GR3FnUHDumM8PdOUDx125Y0ShhpLtGgGPKvUWMmfJLbb2hfYzFLtI6CRbyR/QQgfa00EhbLcgrvyGEqFPVFNJCkUMqtVg5SKmgTGTjSMKxwhDvI9WuOG0Fo5/ONqgBMwPW6/vOUv1/azSV1ul70cv0PcPqM333GX5flbke7Ai37MX4/tZh08pFRM8N25ER7VA+bdrKBhqDKNm5H1oWUR0QTw05Wzp3CG61fXutKNLLNgSSeEVw/WuuVWG9mU+i6RyaG11faue2akaO3kDnYDYRpTfQEpoaGWS0PcL06BpNWNuZUI56iqTGuMZ5rQwqe/eCVySAw5/TAr8UV7rBfubhiHe73kttKuo8f/Q4P21pgy6HKN2Z9JWxs0F9uUX/9lDJ0kSkj/I9Dea7vdbPa/ttXt2eru/vbm6eNtQ7/xK/Bu2h3Rzuv12x2uhCzalIdlv90bt7pFG936/1dV5GhbpwpvhiIbb8rpdjpEaH+0am4iTYIHTBgrIlOK4gWackKkIGmhJ44AtxV41OReerMz7x7jyuUwIx06hRKMbgjVi4nNt6C2HNikr2jop1rlgn/AtKWPrhvCYbEuNr6xBQbPTVqEHeLlqh3S9rtdqttud5pzEhFO/PPsfxARYQWtzTe9QehVx/1PGjNFOvxVlDTy9n30Sp0w0UDbN4jS7bw9jvqSVPbzd0MDK5Nflx3bLa5cl5XanWmoses/JKaW7o1/dhloyas3q97cn79bRqeRzxeacysNvG88ftTpe+zNK8XxX7Ll9Po0XBQvl/sIC0XgOMSNSNSfqTxgfC8F8lU2n2jnH5koQ7AUwKOSqbYlhp++pAqY7IdvqX/q5d+pm1JOrr1sFJz7jgRyOxvNQrzbFcyg1C1eoGQQiQPKgIZ7TTvpzk8bNz4jEPk5EpmYpGtrcqZsZKtx22lZcemi3MC6217qCxIJxXYn4v4TcNNAflBOxwPxmD+4soRSursdrOitzPJtRv4IJGseEr6SqGgKph/TicgILtGtcaXpU/Vtx/XsrFnn/8gpFqTdd5T3LK9QkgKAcc08lLdEgoJqzzHwKvAJtkAIVLq3RkeL5HGSBHvJyarI8HOY23Ou5XK5zeWv4zzyuh7S87ZqzEL9ud4UOpTRGcECFzwkY3eUdpseEGTjjraKL075J925qKIvO7fK0gWmzNecMLOh8qDRFXYhax7Fb7Ffl9b8eOIi/geVzmaiCjWoFYDJvsgaWpYIG5P6FWKmfhTHheEpD06LQiP/KD6vPAXkMFAZaw4mPa0CjikffJO7f2gNsrbqTupD8luhTaKeuFQIpz92IclhIWsELhtsdW3vcFOzXoTdGJWra/b07c32gQzBfJKzx9Xi0J/8ANReH8KAdNH8Bp3gKJxFHZ3rf7hXu3vLaAJ8zHN6JeYZ54Km/PZ9F+5+XZLogYbI/YxOIIAv3b2K2DEkwJ3Lo/cICJ6YuKxHeIo3+/F8YyE6siIz82b/2aqODTGiiuV6p3n69/HPHrGvnrw3K79QUn99GIdwiIJtUUsCC8BnPNcsCcXIj3Q1qgmQkqODg3wqxXylaO/h9PF4XE86Mv1urqILVUv/VKkph8+kzS9gjHIdwGrrQ6t5esT38W+LU/wUZtj/Dn4HNwxf+LZnAbeLEmZyY+JzglAR/DqBRhgXrylZK1Fk8+pIwISXH4PeRu8K/KvQ9j1GE/csxUmlwqOO1O16/4YbxFNGhAwU/vB9skIVP4iwCo2erG8RIUecGxSlbQ8U9pKlujjoS1eyO0boo2HJ1eLViLRp2z4d7JnBCd5RP8qjn+sMSqQtsD527d866B30ZgB7U3E9V8Vo+PdZl/eUCpxMqJnIL0GBP83qZx+3oFV4/H/5VQ6Nmp9U+brZardYG5WC2W9n8BHFieoiuEjAF/VlLG5VBEtGUzpX5Y3FhiGG5PyjRpYyYeor4c9qc0lh+C+48f05/kX+8tnjst9sboFEy3mSrzK+tSMaR8HFcz6qVxcuVtFvtI28TppDjx4R7tyQO2LYy7K+K7borBzxMAakpVOuOkxhPwwfUdXdBjBNPal5rLGYWMlzbjP3lWA6jwmE4juf66qvltaTG3W55LeVMhD9N7akFQRETKRLklnA31vxUqphCj8ik9Sk1NiGIEBHctYHUTkJGU4OUiKSc+gLtqtL66Bau8vP0ExXm/QUalSec3tKQzIlO5tK3xCnhKqttr6E7qeSjune+cgw7rnxtzmFYaMOloiZgTns61ctnCVmhBNSoX0ZVB9ZtBroW315FU+15vc1ITOJbyhnU51rrKusb0XrkTushouP4DtkkBuASTaEGegyF4EKWcgI1y74DEqUkShj/nqhzpWf0EGHg7ifCaaYQLVEa6JJ6sIpG4bw2tPKfbl+sieHt+srBkH+HjbelILWt6bz77vfhXn7YS9OYpjilt25llFvCgT9xfEPjObiod96y5U4D7VyQgGbRjuLmnTd0vtgBEkgzDd12JFGt+LQjAieIsgNSlWCwsFIAlY914LV0ZO4d+BADMqNxMZFLjpA/XKCRw0XwBBWILWOoGxugCMd4rnxPZ+cfxlfeJZ830Hnse2gXvpDCE12Pm6pISsygKuCMOqYWn+PYtmtZLpgUBlSYZMiUoQUJE5D74FEXxAfmlJotyAmpfSUsdlvEEBwJhH3OhFKcl4yHwQoWjW8DL6Yi9ebsFnwWTS2KgF2rwkBdjqzHqpokW9QuLNVrNQwIapXYA0FhDkHT/oXnoRBInqWM01QTAnEyx6r/pCMCHofBihIvwfgWdC0WmxIhr9BUtdPEsb9gXH1s+sZk1v7IU/VMATP/H8YemJwX3Y5yCk0N9dWFiYqErRSGOltOEgOccHXeQ3VbZiohF8iHQ2qz4RKcLszDzoM1E5T/DUnCiQ/NdZqQeZm/CL5D+ESLF2dSbM/zGGYzvyk0vqQR+dtE46yennKclh6O6FwZ9q9QyjNSHF1hpDAsc4vQqA+TOnZesXRLH9Db4CyZZxyIooDVrW8N1EsKuc/duywY9LE0vXdkiVwBBTs8GosU5wbogziCEuXqXWTeRTQw28IPWRbkO2AgP5qDiMttjgOc4vpNcaF/VdqEX3gVLNb8IgEHwQQemJgh5ZM+EUJZK2aPFFYNL3gJZ5Ib8gDbPEVc/dL8cj9vuEFe+hW5U3+FdA+1YmUw1QCnEZ6TGtA4ok089YN256BWnubQz+UI6HxoDXGFJ0MKzZcv0IlkEXiIhYG7Q8yEJOI8ixJA8gM8VvvwvXzmwDATzI30+8HYBdnnN4a0xrYpwVp3/zjQIuwvaExAuKwFTL/gOS+sC8u1KyZrSNL731oXqubxdQlX2V/rwuFknqvN98MoPFo7vpFHAfNvgFe1QBqazzXbS/2GRIrhEjoMVaUdkEbqN7mvxYLxdKKOhFyzMnqAgte0wmjFeW2nhWquB4uvFISIOpbcXuv1yHIQVv9KLdJWgJISZ3NoIOmcDbUh1NKb6wF9PDid7IleoKvL4eUr9IYtpV4TYShzLMgvlbkUNAx0v5aBVstzZGW6moJnOFce/DnfvlGfagY5j2fM5VZ9LMjXkZE1DoPK72vZU58bo8HYjaGhJmrEI77w7iJdf/6FvgTGuiO6NJ7yN0vJGswWmVnN6atJU8ioqC+O/hB6ZzlG4KopJ3sVLhPeNKNhFWSVovb03mkfDdut4531pnM5RgDBdbzXT8RnAandB/fNRaScpP5i/ckYKColK76zHHiTTQmPSQo3IZoPf3O/qxk3/90qe0XNLR8UuVx4v1TNX3pQshYmfT/PlTGesKBe7Gy0mR0MJEy1VKkSV4LKamT4YyG9ZwG6Ph9WAcn/iwT7T7eofMQqMBZURP5XAjPx3lVgWlz++6sFs/PzJMJJQuO5fnbn32vuImfG+iCJcFKdMuRtqfu0727eztzqJ88JtF4RJH1aEufjriB0QJKQ3UUl+/brAefjrgAsFUEyy8InX7Iz8ArQD+hBjwVsh30QbL3S9/Vw1bj6gNGyPD9d3tsvasbVP+bnijVq686BfGy00SFAvqyrdmoIHvlC/Cx17kNRjeqpV/yJheyG4ibOUhZQAVcd+fL/R/2KhvqXO+Q+hxzL+0HvSc1Q7ims52GHXOVX1M95yr1UvNnYwJ1mAvx1QAeb2Qk4Yf71MOl9zugV4EbYX+isRVWI0IaX6JZxuuIGoVAVzkYK64ZdIsU8zRLj41EDqZI3kYpssQ7BVBdaxhFJ5cK4vu0CupEUVHJVmAG+kB8bOnwCpgY+chxCyRGh3Obn7xvGtQTsToMG5CHD9VdhSuAsTwVgph6FOto24SzI/HRzREI8oN27ehipJtq13Qf20exSAPtS2MyVXQfy3gOgndCJDSGrdw2q8+U7vCAQz+JYtb6qn4cpFbsx9OsPb3WxfmmqADjNrTCT+5DuZ3z9HlI51D9scUSzviUWlsW1SYmzdEHi1EaFqkJ2RqzNshiiGvSliBZnZ8VvXfCOuPm/AAAA///MajSm" + return "eJzs/XtTHDmWMIz/359CPzbih5ktkipuxrzvRDw00N3E2pgxeHqnxxugylRVaciUsiUluPqJ/e5v6BxJqbwAhU3Zbg+zz+OmqjKlo6Ojc9O5/Af59eDd6cnpz/8/ciSJkIawjBtiZlyTCc8ZybhiqcnnA8INuaWaTJlgihqWkfGcmBkjx4fnpFTyXyw1gx/+g4ypZhmRAr6/YUpzKcgo2U2GyQ//Qc5yRjUjN1xzQ2bGlHp/Y2PKzawaJ6ksNlhOteHpBks1MZLoajpl2pB0RsWUwVd22AlneaaTH35YJ9dsvk9Yqn8gxHCTs337wA+EZEynipeGSwFfkZ/cO8S9vf8DIetE0ILtk9X/Y3jBtKFFufoDIYTk7Ibl+ySVisFnxX6vuGLZPjGqwq/MvGT7JKMGPzbmWz2ihm3YMcntjAlAE7thwhCp+JQLi77kB3iPkAuLa67hoSy8xz4aRVOL5omSRT3CwE7MU5rnc6JYqZhmwnAxhYnciPV0vRumZaVSFuY/mUQv4G9kRjUR0kObk4CeAZLGDc0rBkAHYEpZVrmdxg3rJptwpQ283wJLsZTxmxqqkpcs56KG653DOe4XmUhFaJ7jCDrBfWIfaVHaTV/dHI5214c765tbF8O9/eHO/tZ2srez9dtqtM05HbNc924w7qYcWyqGL/DPS/z+ms1vpcp6Nvqw0kYW9oENxElJudJhDYdUkDEjlT0SRhKaZaRghhIuJlIV1A5iv3drIuczWeUZHMNUCkO5IIJpu3UIDpCv/d9BnuMeaEIVI9pIiyiqPaQBgGOPoKtMptdMXREqMnJ1vaevHDo6mPy/K7Qsc54CdCv7ZGUi5fqYqpUBWWHixn5TKplVKfz+vzGCC6Y1nbJ7MGzYR9ODxp+kIrmcOkQAPbix3O47dOBP9kn384DI0vCC/xHoztLJDWe39kxwQSg8bb9gKmDFTqeNqlJTWbzlcqrJLTczWRlCRU32DRgGRJoZU459kBS3NpUipYaJiPKNtEAUhJJZVVCxrhjN6DhnRFdFQdWcyOjExcewqHLDyzysXRP2kWt75GdsXk9YjLlgGeHCSCJFeLq9kb+wPJfkV6nyLNoiQ6f3nYCY0vlUSMUu6VjesH0yGm5ud3fuNdfGrse9pwOpGzoljKYzv8omjf0zJiGkq82V/4lJiU6ZQEpxbP0gfDFVsir3yWYPHV3MGL4ZdskdI8dcKaFju8nIBifm1p4ey0CNFXATtxVUzC3OqT2FeW7P3YBkzOAfUhE51kzd2O1BcpWWzGbS7pRUxNBrpknBqK4UK+wDbtjwWPt0asJFmlcZIz8yavkArFWTgs4JzbUkqhL2bTev0glINFho8he3VDeknlkmOWY1PwbKtvBTnmtPe4gkVQlhz4lEBFnYovUpN+TtjKmYe89oWTJLgXaxcFLDUoGzWwQIR40TKY2Qxu65X+w+OcHpUqsJyAkuGs6tPYiDGr7EkgJxmsiYUZNE5/fg7A3oJE5yNhfkdpyW5YZdCk9ZQmraiLlvJplHHbBdUDQInyC1cE2sfCVmpmQ1nZHfK1bZ8fVcG1ZokvNrRv6LTq7pgLxjGUf6KJVMmdZcTP2muMd1lc4sl34tp9pQPSO4DnIO6HYow4MIRI4oDOpKfTrGFc+zxPMpN0v7RPed6TtPdfskHX80TGRWPNupGiibuH3HPfK07BQZZNdWoxFuACPDKaRi3jMenDSKCEf9IwxpT0Cp5A3P2MAqJLpkKZ/wlODboPhwHdQzh8GI0xTMKJ5a2gm66Euri5IXtMh2t9cGJOdj+Bm//ucu3dxie5O9ydZwsjMcjsZ0a3ubbbOd7Wwve5WO9zbT8Wj4Mg0g2vUYsjncHK4PN9eHO2Rza3803B8NyX8Oh8MheX9x+D8BwxNa5eYScLRPJjTXrLGtrJyxgimaX/KsuanMbccTbKyfg/DMcr4JZwq5AtfufLzgExAsIH30WnuLudVQVAFan1fMaaqkthuhDVWWTY4rQ66QQnh2BcfMHrDuDu3RbYvoSQMR7eU/DU2/F/x3q7Y+ft1BjbKcB/kVvHcL+tqYEeBOvIcA3fKyxvLsv8tYoNNGgW3GjL6zg5pQfAqlHGoWU37DQB2lwr2GT7ufZywvJ1VueaPlAG6FYWBzK8lPjk8TLrShInXqaUvMaDsxyBpLJE5LIrWWxEqqgDOEsbkmgrEM7crbGU9n3akCw05lYSezZlO07pOJ5R9eoMBSUdL4r+TEMEFyNjGEFaWZd7dyImVjF+1GLWMXL+blPdvnhZidgND8ls410cb+G3BrVXw986SJ2+qsLHzXKmlJjRoRRHHAav0skribaMzqR0Az4ZPGxtc71iaAxuYXNJ1ZU6+L4ngcj2fHuJeA6r87kdBEdgum3WSYDNdVuhlrp7qhmlZGClnISpNzkPQPqKkHgtD6FVQOyIuD8zU8mE7pdIClUggGjoATYZgSzJAzJY1MpZf7L07O1oiSFUjDUrEJ/8g0qUTGUE5b6atkbgez3E0qUkjFiGDmVqprIkumqJHK6rHedmczmk/sC5RYNSZnhGYFF1wbezJvvM5sx8pkgQo2NcS5I3ARRSHFgKQ5oyqf1xIQbJcArcx5Ogd7YcZAZbALTBbWg0RVjIOeep+ozGVQxhpb4UQCjkNonssUdGYHUWebnBoZvg4E73bRDfTi4Px0jVQweD6vJY5GmyigHs/ESWPdEemNdka7rxoLlmpKBf8D2GPSFSOfoyaA9XkZYzlidd5sJ11LnoDqrAodazTkPnWntQdvozXBfB08/CylpcHXrw+jM5jmvGUiHtbf3GMjHrg37WHz9Ei1I0BuuD0LSPp+m9wRdLqvBw5tP8WmVGVgE1iVXwo9iJ5He2DM0YvKpaA5meTyliiWWnO54ZG4ODxzo6JkqsHswGa/sI9HkMEB1EwES9A+c/6PU1LS9JqZF3otgVnQiVE6FtKZCr2FVrVrTOpNWAW6NtMWDmdkeSwZRYWmAExCzmXBgtlTaTQfDVMFWfEuUKlWaoeJYhPPrRwoorVAjUfP/ezMe9zZMQvmLZj3EQLcsbRgianf5nqKGH50VDgi8hNY6VXpyiLEjVrb1VxY8P5VCdwAMLPRcPYO6p7BavwKaTpDWsUK92sdTrT3DAZ/Io634ecJHmA4PKiq0SwjmhVUGJ4C72cfjdPq2EfU1weoRHmOoINuZyS54Xa5/A9W+0zsQpkCC05zU1G3HScTMpeVCnNMaJ574vMSwXLTqVTzgX3UKyXa8DwnTOhKOQ3UuZ2t4pIxbSx5WJRahE14ngeGRstSyVJxalg+f4S9TLNMMa2XZVMBtaNzxNGWm9DpP4HNFGM+rWSl8zlSM7wTGOatRYuWBQN3O8m5BnfkydnAmscoZ6Ui1AqWj0RLSycJIf+oMRv0wVo7wnOg6K2HydP9VeK+uEKUNbVMQbiJlMisQpcwisarhJdXFpSrBMG6GpCMlUxkTs1HHV2KGgjw1Lgdq7Wo5N9OgFOdPMvw2JM1N0w/oNpHe49+n+ZrDUB+tD+g0y5cnLkz6UgCWWd3q/a2G4AhYS/B6HA8HMdPGnNOmUxSbuaXS3IQHFqdvXd33lgbgTlXYgMcKQwXTJhlwXQaOSvCZB34TqUyM3JQMMVT2gNkJYyaX3ItL1OZLQV1OAU5OX9L7BQdCA8P7gRrWbvpQOrd0EMqaNbFFLDHh43pKZOXpeRBNjXvfKSYclNlKK9zauBDB4LV/0tWcrhBXH+5leyOtve2hgOyklOzsk+2d5Kd4c6r0R7539UOkE/LE1s+QM3UupfH0U+o8Xv0DIjzgaAWJidkqqiocqq4mceCdU5SK+BB7YwE6KGXm8HDhBTOFWpUKbMSwynfk1xK5QTPADwqM16rtrWEQvByUs7mmts//MVV6o+1jkA4lSa6nYdrOY5+hwIE5JRJv9quH2YstZFiPUs7e6PYlEuxzJP2Dma476Ct/+3wLriWdNQcTL0n7W8VG7Mmonj5AAzhgcYsJ2dBR/MMEWXFi5Ozm22rb52c3eyuNWVGQdMlLPjNwWE/LM3JBTVJe7G9Z7V/wasX1mZE0+fkzE7kDAEMIjo9uAhWNXnBkmniXEQ0j61/giak9x417ivCAYgMSWupgk9RTEkuaUbGNKcihfM44YrdWjsGDHclK3tMW2qrXXQplXmc1uo1F20U71dlY2zY8f8s+ECD9RFKXGPVZ/j2J6lsm004OnuyiCZ5936cuT24i/gty9GGKZZd9imLTyezrMUy49MZ0yaa1OMI5x7AQsqSZR5kXY29jhn2/6f64gZlTzScMzAnUkHIT+KeS1JZrBCuyUr8RftGCYOf3E1RxgxTBUjYUrGUa2tCgXuEolEL1+YQ9FWNc54SXU0m/GMYEZ55MTOm3N/YwEfwCWs6rSXkQs0trRqJ/oCP3Eo0lJrjOdG8KPM5MfS63lc0gnOqDVxXYOQT2ttCGgK23C3Lc1j9xeuj+qp+JZVJdb3SFZERNhpUYWR5CRTwBYiCTSb2DN8wO6vTVdw2vmAXr4/WBnhLcy3krfDerwZYxOF+4N2MgKOS1pTvxgPR16Wf9rxh2OiK0KIICOjPTThANHfRTL0Ti1EPfN+gm0ozlSyXZGJTCz3SUqGf106Ol08FA/+HnNzFNaggr48OziB0BVd8FIaKaWW1uzpWUJ4vaXFWrycwgddbki4AkyrPe1TEP6XHxS54VRO7JJgOLAd6Q3lOx3lXSz3Ix0wZcsyFNsyRWAM34ED9agQIsy+fAnGRSwuu6QaY+FgpXJ+/AwdX40aZU2O1kB5CRTiXaAfHO4GTdYGYUT1bmhmOmAK+Y+fBKDGlmFV/O9Fm1DEoQaiQYh6H+6IiF5HKe81clMoVrIJn6KmGD3Z1VyEcLZVigntF88acVGRWJNU3NMRHcfcR1VKCle6IVUKU9WzW0xm+X42jnc+swo3eEogF5aK76IilUWBpXVQombddyk9GuAdKUQjgBoKEmbyrCHIcmqHdLYBX/7lyzcdU0EuIplgZkBXFrNXCxfTSDogh0PfgrL77lhUCHq6+/Rd333xjBgzBMxZuSGAoAte5E0VDVHy9DLzCwqgqbztBbBW5M753Qt7UcZdcxwFgVJDjw00M/7LHbMJMOmMa3GLR6IQb7UKqayDtEW1mAjRCurkOgUVNENy4qhIuVluxQpoQhkRkZTTPWDRTGzKEiRIXTOwX5ElH1K86l14zaQEHrQeCqGk3ubdv7bBc16A6hD3mkjMFh/PyxNvqRY0gnAuixeOrH56FDADHuuYk45MJU7F3AhyXHOLercC3DGfdMEGFIUzccCVF0Qx7q2nr4NfzMDnPBv5aCeifvH33MznJMEYfwhyqNhftauK7u7svX77c29t79epVLzqX6Y3uItSzP5pzqu/BZcBhwNHn4RJVyA42M67LnM5jhSq2gTFbbz1jN/fzrQirqKHynJv55R/1DfGTM+poHmLnsfjBa2ngFMCAatbU4dWVXmdUm/VRy7Pr4hqXd8hOfDzryZGXJgCrZ21tQPn6aHNre2f35d6rIR2nGZsM+yFeIh0HmOPI4y7UkcsavuwG0D4ZRG88d41iae9Fo9lMCpbxqunMcXmtX4SlurliZtV3aBtH9Cy8MyAHf1ixXX/TkwwxX3eTLHpa/fq/DA/0GMBrlkXXjpyrufp+dlXMyePXf8OzhQJUPvvu26MAJkz8quM0T3qrB4TahQ7INC0HAUNSkYxPuaG5TBkVXU35VjeWhZdlS1qUuyv7RHYbK7kyY5eaTwW1CmlD25UZI+eNX+5Wey9mTLN2PmDD2gP9ccwFVXOYlIRJ9eKhyJg08oAJNpYyZ1T0oe1H/AkMYVqCCs4x/trBYtHnov26loVRFXvAdqhB1YaaamnBcAdZxl2oaxfLQOlMWf6WWksfQenJT6nQjHdZgVOrDKdqXho5VbSc8ZQwpaTCtN3OqDc051l8Uy8VMarSxs9HXjN6w0glomhOPIb+1foVfz7r8cOwt1ZFE+mMpdd9yWfH7969fXf5/vTi3fvzi+Ojy3dv314svEcVJqAv6UL7HIdvCOxA+oHf1eFBPFVSy4khh1KVspGe8+BSAI1sEQl6z/FYPTdSMbT64q3s2R6Szpq3Xn+3e0ohArh+/a73IOcQ86x9yOMA7EHLx8KQaOC5+Egp8nkz5XY8J0bKXLvcRvBSQrYcS6/R4kM67JDM4w4yEOtn4rWf76CHFkRKkwPdMGV1k4zQqTVtI2/QjNU8VJimzdF73GgD+Q+cpUUQUwsOYPKOjIPMiL+8Jz8gPNiMAXfR2Z3yDVFCuUtOdUAGKJAI3P2au9CXk3iQqBZIJKtmLC8jpyi4DzAQIAytnWNCzK1kNTxoPYtIrGX6LevF86yp/POCTpdqjMRKFUwWQgsRIEtomLQrRR9ohk6XBFlNWQ4uOm3dUkUVSu6fPqpUck+tkraZBrO6sh+NeZe4HfWi6+ipoIcizS5LEcXRSUEFnSLz57omhI4ShRVSIj4SpSLEnOSo9fU9vCR69P6UFWS40dMQjoiRNRvNQiE9Y0ZZKg/lpyD7cfkp32ICRSP/Y6EsiiBlXHGhJ8qiCMNCNsVzFsVzFsW/dxZFfDB9XJ6rJNbery+VShGzwud8iud8iqcB6TmfYnGcPedTPOdT/InyKWIZ9k0kVUQALS2zgpd2tnjpD6QTsEYeQan4DTWMHL35ba0vkwCOAhgX31QyBUTvRx4Xt1Lww9S4MZKM54CJIwZl4p5+hctIj3iELvblciTupOWvnSiRddTE52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ52yJ7zVbIstRjvr7u9ev4eP9deQXiRmDiJmcjxVVnGmSzQUt0Gb0CJU086X6XVVwcCq5n99QMXf1N+Oq4q4YniQrekYh07sxz4qr6B5CwcFV5aMBx1Vo3wIhKszgeNA8hea5R/pE5rm85WK676H5CznCBaznXFy7+ebkxVWS5fnVmivp6e1hKcivXGTyVtfvnyO4bzG26MVVomXfe+8F/7gOymln7R1YGmDMcz7uG7Cg6dvzxS8zm4GFyZ8ocq8F+XMg37cfyNfesu8nrq+1sucwv2WF+bUQ/Rz1dweerGqcFNnOkhjim6MdnOJR8OgZHS0JoPNfDkafBtHmzu7yYNrc2f00qHacs3opUO2MNh8H1ZI4dMOsd8pNW2zWRYILWmrv4Y95OvTmk4JkXF93j801U4LlW5uJ13wXSXWhZln2609VniPEdpLO2lvAH+5/cIrlB6ymv7X54ZMWxBKq0hk3LA1ZIksIbzx7T+JpiKFqykxwZdhld5b4cXf7EauwIoqK+ZIWcBIqiOE0HTIb+KSkjEBHrKLkOVuHWOMnVSdKlkSALXu1rVCFT1jsGY3jOR5enB3+sreXxdOv7qbZ2OKRK9tNtpJXu8NhMnq5Pdp5xBJ5US7TDXaAzq8Q211KZVwO+dkxnjRyIIiDgqyvQ1kDeIxEcBH7S9rszDjhYspUqbhwmWDctXcjdGKg0DpizAXn+vxyq5lhpfZaI1JU6GAtaTKzOpBM00opq2JiTCc2VXHNxqAbh1E0WFsAPeb9NbUpJfBhWvdOvb29TSZcMTYHRrExzuV0w8wUo2bdmpyWN21sDkfbG8PRhlE0veZiul7Q/JYqto7IWbcTcjFNZqbIu9JkmO7uDbfSbfZqc3Nk/8hSuvNqd4vSbGs3yyaPIBDfsewSDsNSM5LdSfgcbnZ+dnByepEc//fxI5boGhsue11ums9Z30pg1x8+Hhx7bw78/Tb4ZVAEr9yPgOBoE42+OEen5/DxHkfbT42geDvh0ek5+b1icACtPUaFvmVRS1X7u6tL4uwyxuEshl4IddMaP9aclIpLcKlNGXaNc8O6QV9cZUJDPvo+PH+15pobzv0k8ehwi+R7KaD7u24z6UbEaUOMv8bLT6pjF5yDAa3HW6ZYvXeoPnCN43ShxFev1h4Twt9Y8cLJJS0WLAgFp65bMaLSvYF3uzSdubmIdr1JFDOVEtEthO9E7Op6RtovI3Aldc3mDi919LzfAMSzZr4pbiM5YDwnx4fndXOrd9hoBccCXgwcNHZoFfVy8Ec/uSC39q3jw3M3fDse0O6lpbGodSH2FoNfmgke9jlPy+TAkIILXlTFwH0ZxvWLKiptGu1Lr+wsVxY4KG/TWQbX9YXmwBoOYUhqR0tBcHLje2hTTUqpNR/jJWEGfUOs/kdrt59zgPssgH5AqSYp9p1rZJW0yC5Jc7q0/BEsIUAxrC5siM/0yZBioE+kCwbD9jsdjnhy2gt6VJtoKYEpAG3EAjHUqNWm2x0ORrEwkI9qxVdLJjLtL0yxM5zlSh4l8YB+7R0xPxom/v/1YmHZNSCiy2hLcVHxgBbopMRmNLrZ3o86x56ckMPTgzfH9kCMmUWWfT+/sdpXxJxWVzW5whvOmsWYKJtICt8eUSrFdCktioOXOhoEzmVCTgKvEtL48Jj2mL6z9BU0UfKpK1dWvDDoCt/ZFqvg3RU95bfGmEUCRe4KMbzw13EQ/XkD7n7LumHBgIHeXfAOVJrOYs7OJsCYGmlPXKdUZSxLyG9MSV/SogAH5MxdCCIPrRE4rrGGU/SkmfQT6hLLylzM6pIyn8hjgDab7i9GM6YuJ7lvzb0M08nfxG6SnBlr0Vg2iTMTmLlRcKXEjoN17ZF9cnAwIBeHA/LuaEDeHQzIwdGAHB4NyNHbDs26j+vk3VH9ZzOdY2lBJXaH7NIw6jaOCKAa7kAyr3yUSk4VLZAC0eNmIkK2j4Dyhblu0UCQRFryOj0OuYPuMaQ3R6NRY92y7Anzf/LFu2tVKfDuB/UozE53dyvXXEDoK6qpDc2VhIbyccwhdMI2Hnd1DzfM88BhUBMGzMCNdzzmnTj62/vjd/9o4Ciwxi+mMrhufE5coPXxoHbQ4ODLFIwgEVugxYIv+IZbVQeFFOvg0YC2uumMKpoaa2+8GLNc3pKtTciDtRCQ0ebu2iCifakbb9S8PNhB2DWR6ZSW9kxRzchoCCJkCnN8ODo6Wqv18B9pek10TvXM2XW/VxJyDMPIbqiEXNCxHpCUKsXplDnjQaOSmvMoG3bCWBaPkEpxw5QL6/9gBuSDwrc+CKA/5i7oHidkwz5/9TD259D1byl0PdBFwP8y6SFMAnZe7UNwK6y7/XaotMss3EAzsAtzw8vcJeYBMwwzDWrc6Gq8adc5ahDLoIH0GsLGrbk3YesxVgZII0ISoyjPoREwU1z2a7/9SH9OHEAW+Jw48LjEgZqAvoyV4Iyl+zWLg4ODpnrsLdbLz0kBPOg46vKcnJxZRY5Bfb6r2MFx1fI0+B+vvMPP0Q6fTHha5eBHqjQbkDFLaaWDE/qGKs7M3FtIMaUW1GhrGdqhHFgJOf5olG/PC/BFVT88oGbGFDgFwAEaIeeq1lnpNYPBvVMLWyBl7KN9u7BUEg+NegG+BL8zqjkEXYYR60a4qK5YDXciuxWEg4nTdqA0vxu1NxjU4S9hDfi5+tN/T99CdFsDuiWejdX4cARfvg9CygYO0VYxBfprSi/oN1yX0IruAiA4a8pvmIZOw9EtQqP1MDyWKhYH/2VCh1EmCFv7OmBRKGoAvG/fef4bQLTml8LXvimZcut/IUv0weZzO4SWMggWZ7Lh6VhLyIHIoDJ5KkVtvTqsNs/+3XcS3qtvjTnHEzq8NLh/Q8XLtHHbc3z40G3PG2boeuyy9hXTnE968WKbvdfoUXiOYr9XXLEMig8+QczO8eF5uFMHORbwaxejiZEJuWKpTtxDV5ic48GomSBoRsB6Km2wZihcYOedVt+E/DpjAvcMNjBVUkcKGxcZT5km6+vOVequMSxAFp8659OZyfvKr0ergfejcPGcwY26YVPl7q9p9i8Lqs8yTmesoC38k0Ygfw/pjJJhMowpRynZKM53HL5YOCifiuhOzsUQA/nOwbkR8Pgem88XqD/gc+4yqCwZFFnKGRb7t2j2jADyZ1JqpdAtSp/gzMC950azfFJb21Tg6I+4kVtSwQdAJnp+WpcKCOC9jrglpeP4cKgeCJy36QEwosSZnsV6j1VjYG1oen1ptYvvIYPxAsOJ02sCKwo3QIBRS6xlDjeF7GNIMgD1p7ci65fRfcOGD2I7BeOxwfUWBy+wjykr69oBEff4F72hSU7FNDmt8vxMwjXFsX88Ziuhm75nK+GL+9mKO9J99T4hqvmjuSMDIpfegsHSoIqnDfYQuNCBfZRAGRpXxA45RltMe+EMrT8LZmZ4dAO7qo2H1zIwK5AlXKR55ZqYwG0ONeEODYwvMa3HCDXV7UT1Itx4fijqc5Ys4UHeFbZPwb4sNNRvc752tHFCoQo3pr8YB3MwLsUwwCp8fpC6ISkZM3NrNX/qW1xSp+Kom3D/jJNxwQ2HyHK7VbnUdm0HficeRrdVvaQfEm7URYU1sXJSMKorxQpsgQOZAX2YjR6DaHZDr1mg4RjNMXnUOC5YISE+hWk7jB8uqzENc2dQncSfTlaAg79SLCHnDPf8CrPorOy7wmVz4+qwA5/wsRiQIRqu+MMRjkMVHKR2Xm2s6d6Q64u1olmgKNYnmw84erAZ/KVEs0ymc3yEsk8YMxjHS4joLXICFXqBBGqtdEaFx2tKDZtKMAX8+GFzLcO4AoSs0yy7GpArd27W4dww+GrCc7aOmn92hXdK/malISBA5Y+iWVyoYw4U1tfAptJMrZdUa4vMdQxKaqoZDvTlbAdmecFBmpCJtYysenmIc/pahhjmhUY3KK7U4I7U/jGwX5yTy22NHcgDT2acKarSWRws396bWiPE7V4Z8ykZV1BBZ8XCF43ImW462iIlPTdMOW7XmmLf7ewVmTthETR3bKzlHF/usTAm5AZxM3d3aqhsc408K5/HTbncjHZTrny8KHetgGhcvUxXYw9Wm+rD+N6yc/OCW43muby1EFpzM21ulJM7bkmRd44aq0fA1gQTJMJk11qszMxqf1F5vLvV3qfzLpw4lTONrj9DLB0sCio/gMkNaZ8R5qIitD6Wq9IsCI2M6UYrJqdzalKJqCLtgCg2pSrL490H7g9PE6vHVPYPqYhdHph2YGKhoJE3TIGUgVBmrzJ5ZY/HW8J8yCbqOeTkqLsN27vbe03kIwd6gBdktX+iiV93GnCQTi82tgHy8dYaroG3glSccBVljSlGgbdZ6pzCnkhlP4NjpeQly6FFzx00nXGrQ6SuHNb/gTK/hhYlsg1q4q9M3PDcxJ7zIM0ZOiCtvufLa4UwnbZIORGksCJZc1OhfTxwsYjmVpIwrTtoY9ZjhSPr9x/TOMqlEZGe0jyFrDlXWyuHcBtUjGIHlItccIGYSOI1k4jVFtgWeBWQjnsS0tIzwo3jEi1ICim4kXXgXz3E6ipYyn7H7EffcstIcs1YSaoSbxbgpfhwNbFqLW2EtIlHK1rxxKU0H8Q7W1/7RpUm4tTBzeFod324s765dTHc2x/u7G9tJ3s7L39rhidm1FDNHqqJ9vn1W3CaVsSaaGAEb1vgghxTAqz6IaMmVtaEkMqLG6zYR9OGnMnldOBMwlxO1wbx5EGKGOl0nHldYjo6r6ksoiqZ2OuxBhs2HdIhCuDZUHBASBOcXTC81Xsac4OpF6LnCplVeU36WJEHKxKg1kNJJrH3o+gM0yNsSprOWBLhImxvpRapz9pT8671JhdlZS79j4IK6SLkvP1XmfgBqt/wPOe9z+CdG9DIqJdwjtzUDbcagdvBMG2TkpBPIdbtmcfPzJpNirl7SVPfAzYCHvt4kWc0MLvIvClg95R3agUxsUgw110ipQa1I03aggTpzQpO/71XqwLgVtbANaIcg7nYaj6xxOykX6iekRclUzNaanv4tLHfRIlFa3AfSG+dJDPSbgDFq6rIHVRIoY2yyweXAfhirebYJvq67V/fXwc/Hh59MUffyZFdTehscHdNlz26PdkZDrMmZGLKupUDFtdJLoJMALoIXJUqxW98ZCaDGsGK5i7Q1EjV0TBAt/BFVUAZuKoFTqyLt+jSqwv5PCR6JY5T1pI417IzekObiicoGBUmTs7H9B4rr6OGGSQoUETT214b+EQ4o9KeLjT6rRmmdVVYjUFIYtcG1s4gaApO9vrbqpmSQuZy2qhsY0WNvPaRAlzvN3BF/t/24upv/HZfLSSzd5LRcPTbwiUArnmbGX1jdq6P6/okQxedO3jJaAda96O0fZOQt+LVhvhn02mX4bkuBuVAJzz040V3c8bVkg93pLXfpNeCdnHD3mpBfodq+7TiekZozpTxigychYZ3rBWKgEKrOVpLR8U1kpm8dfq4RRVA0MgViwQcmVGR5RBvOGNzuD27taayMNExVcyuGZyV9ZeoZgBClMzrVXMDo8BJh95NEJSljSWG2xmDJLUQ6Y79tOHuz8BN4bTKqQoh+LXpqKxy1aPy5O1qXg2dammKLM4SJZ9ANDSspa0puotyZz6AgYK8qioxc9eRVcpKCIPCodGiyKspaAJdT0p9U0/hJAivPaM+fACqIMjftYE/NzjyVSskrWEK1lcR4Aa0z9+lZzaw7nn/MvD+zjJ19tEE54ElZ2G4CqfvvSP/e7SGO4xoq7HD/RBD7S6T6WXUajTj2momGThGsbgfmLOQT8yymuit9u9CeiA62CjObrwtfXWJe9PD6s9ZSUavyHBvf3N3fzRET/fh8U/7w///f4w2t/+fc5ZWdgH4iWBGM3RyYgq/GyXu0dHQ/VFrgZYX6ArO6aSyclkbWZYs8y/gf7VK/zoaJvb/RiTT5q+bySjZTDZ1af462tzaDKr/HddosjLWVvqm5Y21qD5V3Lj1XfmQvYwJiNmOmRkKkcjvSj3i4XqnNiMpz60iE3wsJVM+IjuIFOi/gD4czG9mWa9WcyqNy2pAjc/n+0LuvbsdiHz/WcNriQwEc8FastCyb1+sKGL4tThrIWYA7dPRiYdiktdukmiBEegHVjqIAL/XTSkG0IFcKGXlTTjyIqwNP7uENBTZYdA6ihe1NLdGMP/rSoB1Im2oxxQMchSxdvRIROoQl4W8Wt5AVZp4gxfa1ps4+MRtbBzY9VOlgJ5qtAiXXOuYPXjTIHnXKrxay9Rd+uE+3KGFmAbDq2vq2MFrFExaN7eWMvysZhZ74/etknHV6LpMxTxoMWCXcsgv9ICRTDJktQW9rndHM6F7pItDa4PFLLkB9ep5iGLrO2foV4ZThRLbB9yez7VzRnXd0K/lNHK7Fqg/NWRtHTrnbTUvZnpavBAtJ+aWKnZfopY7LKABnM91YRW2mTFltgauZThZuhq77mRu4HbxyTDiCyw3NKjr2ay7Ja57sbR+UFlrSkzX7qq+1NhGxaheWtWX1XcwOrmdzePgNH/Z32VSXQ9sz1WpHc01IVSGp6CdOtZqMeoIPNzBNm5Tw7i/QuiUO0P49lWTp7ghA/9wdzTuFcTbVU/zHlysq7pnFx+u3lvlr8ktG9tj9NGHuIsWPNGQ9vRmTHAndhSDaPFaqw+yoQVeYKONfUYgkSivxrlMr1lGNDfsqodoLiAiHzgSFaQSzOdgNvXfBw1gqPUa+fKWQGxuAvL+3WuSc3HtY/3vLxfq6bJNdX4UrE8LAQc8jQMY3GmNRiAHkfk4CIpPo7xEZDHvg61khbViKGELKeBqD8RuuB7E/o2dnfGVdlznwyjbAhtzbvzHcAiOt4W3iOvrSx3piXdpjpNc0t6gt3dcXxMYAYwlxaXiGHLfZoba8SuiZV6B9yfKyXuvmbtKgqXBZY67+EJ9wJ7e5A7YL4VUxQJEduciVk/BMcX/YBkM+8CCBhgRo1MK96FhEUNLN6PhsMeZV1DuqgS7GudzWcG+N69XnFRAbgJJwjoCSDdv0+wQt845p5mlJ1EvA7HmInVBU8Kqxi2HubZ8ZbEj+rieR+duYN9/8w6xDqGErUchXhnh99dQcBGjO5fiA7gTpNfNygbsI00NkSpzkRPB8RLdjsd34+FYB+dtuBbpYOuGRW3inqRtEebVYqhXmKB5fhpC877by19DBYNgMIQR40oHUQINPuUvWXywAY3i9z130om7catKL7yjYKCwExA65mblzoRPpdBcm1j3dpQZ+91AHbDaVm+5EafnhfWMmUUz1Fy7yuU00fB74n9PUpmxq8QzX/91LWJj13YdvY2lgNwUHWWlcUWKXM233aqP5snR+Vri8xsbbwQV3JE14UYTeSvCjJiaYWV8nXMRxk1liSFYdy83itkJC+5KkZdNmjZ0oZZn91+a4Y3cg9dmLggtvjiLKAIv0OogjTtuzuw5/aNuRbyEtKD7DdXGkuyBqBmH3eGwIPRruVBYB3NTH8kVo5nXy5yw9oRe335EYhIPoCcOrPx3y3XDqk9TVmKefZjUJ7xB9Qxqj78UYP6dHLnJV44rJUu2cVBow1RGi5UoB5+Ox4rdoJ3rHz+/WFlDs5P88st+UdTMhNPcP7U+3NkfDlfWWmy0G/P9jXmqzIyrTwwAhFi5phOqFde2oqvxOkYCroCkHyBJYVRdJDtIrcx3oguRPJGnDwgTdr91FC7o+GoGt+0ycn7hoiAZtlR2S0HpdI4dn2foGufd4a9daiCf8y3NS9ZWVSq1rBZUq23zQcDYUNzQa2TSdTCu7BG+YdrwqV9d08uzgGUhsGKnGxpzerhYz1hpZp3RUSS5G7Da4YOXuyLOvnDZiwKMT1LmNGV32id32CX1kf8s+6SY91goMMXGzubLUcay8fpkZzxc394c7a3vvZwM17dpur33cki39ibsfuvF08OEuysml2Hxk/98T4LFAdZ+bkXjQzmZzu0kJDpoMrZ6UTNU0SUM2F8hctOHyNux3cL9/v8ExbFdeTqndkVeQzjgcN/gd8jnIPjPVGQbUtWLJY2Yq4GrjxJc1OM5Tnnib13Im/rO658/nbz5H1+uU9fZBlbI8pTptQRfdsknzuHXisgHTwnkvrMMsdlajz+OUUyC82o+KmofIwE/QzFZfU1djIILWcixxr8futeJ77299VZqDB6EerXghUKHc0/wETVG8XHVaX+/hNJZiPcwXyz+w5fYiwfZ8w1Vc0sboXMZ+YUpDJKE2jzs44xWGjzlUFFBTpxsaXJryxWCN8hnc7jjCZXHb9gArg0gsz0b1L3irIyCXivxhR37yNLKsAGZ8SxjYgDBuPivFPl84DjkgNwqbnq81Kv/XPHPrgzICj79YCum5+Y7z813zHPzHfLcfOe5+c732XynN7HkcboD6EEwDiiDULN8QXUB4jmR2BrvN5WFNAqefCrtplYInM5FMb4L8vD69R38LdRVhmHcBqLmUJXgx7kq7FRXzuTj9qwwTa5gFdG1lUs1wSwirPsevHr20YG1NNMwnLcmPdxx9fgWvhpZp08t4rDhvguD0K2LYXNX6xSd0SaIXtlZFpShWW4oAxHMmVwC64pL/8ZZ2JniN1EgDpRddW6HyBXQWeHGTBZsg+Ye82GldrhLHOZzF9tL3EcKVFEsD3vPapuOCWDMiuXshkae5ro7ZG8sZ5S8U5ZMWTsXBUDDfQfiMw8XAnER3UW5EqBmiR1XgGWFSTp7WTq/kgdnurS6t2eKF1YQYOvkkyPy4ueTo7V7j9LqaDgcNQ98bR8uG8J234qefrXtA/BF27t9pR5uX7FR21fsxlZngiwvNfjEjl37iL2iitxNhL+9K6l9VjZ3drf2tpqnpeAFu1xiLZU3J2+OMYrfSxefewzQglHYbAiniDaKUQhxGs9N5EqoNBQAiboGcSpoItV0A++8If14o2AZp+vgCY7/Tj7OTJH/8+Tg9KBm8ZMJTznN0W/8PwMnMnz9vQTrV/VkMlr9owS9f+zqW4YxMbk2ZB5ES/d5nosy/mJ5lPTGElKMdi6ITK3aHqiL9hayWR3ubg9bJPSZGmmPQho0SQqB7GA6NI/ZEgtWn7Z7FKIwDwWovKSss03Q7HFKVgdl3pfdFqTyViwtKBLdx3aCVfCgKEg6fVg+PW0Hxa9WaAq6NUKjxsg+GbQ2EvYWi9V2lN+GfZpFSuXjlN+Nu/b+ubHjc2PHu1f73NjxubHjc2PH58aOz40dn6CxYxSxxv94ZLxqj2/XDmKPNZgm0Ql4G/uQUEmAemkusIdrsmI/9hR4H+1u7W03AEUxffmdKGMXqHSAOgYxQ/MCQlpawXnLs0Fh38AQe4FUmHEFgRgOkrUO9YWoiRBDtNRmT1ZBB3/Xe/B3qTrkPSo/++K85QxD/X4Rl9jHneGrhOZwOg2/Qea2rGvf1y4OwF1UkmheF1nw4vzgdC1BOwsM7xBm0He1Siszw1B66M0U3f3Alo4r48KN6gJZrTL5R6fnJF4xIS8gn53nWUpVptfQb8sKyvP6vS5i/5KwnGrD0ySVC98pAe651hVTCcK5TNHike8CsIABvzg8BbqxQMDteYTCgNzOal1lSPCxkV/4dEYOtK4UFSkj51DFlBwefBoSKmGWdtdRIwBmIS8O17DuXXt9788/BfioAATLlrmRR/FEbh+PPmUfD//6/nxA3v7V7+eJSAfk7fu/ttpFDcjh6V/v2fNwdD5r73OZ0ryTB/Hkm++n8fzm9VpHfbLkYTnF3zm7/ZSVSDWlwgWqLnk18VSavHj7GYf5RKSfu1iaX1aCL0uF7FszzYmd0S79/Sesva8v2iPXDxWEL6W6BPV1eYmJQXRCxWLIIsP5guC8GJBzUF3OOiR9SHM+kUpw+qglCmkuwYxcYE13eXAvOhWl462BSh2gVYNRKjTPoIcbhKF0tmtzuDlcH75cH+2S4db+aGd/69V/Dof7w+GjV4VtXJe5LEw2WWBJo1frwz1Y0mh/e7i/ufMJS8ImVZfXbH5J86ml9dkiuYufQocHfvzggvAp61gfATtqXbPuYXt3/ji5EC0qrdTNMiv6w/i4IF9sO8/tA6n7qV4WCQjGSIEg/KBvnceNv+PpIEFwbcqdzdGnYoJ9LKWoc94+xVY9dkOEDcwYOLFb2xeCLBdY1e7OztZLj/V2OZlPWOVnWuOQAGptcWcRRbunS5qijc5NV43fHLpywovCrJniNL/EJNMlEagrQohT1fmsuqqptV/aQaWAkCaZzqNSXpO4XCbscTmjLmF00OxujS5BH4gvwaTKoXOOyOrwljB03VW1g92dnZ9+/PHV4cuj4x9/Gr7aG746Gm0eHh48jiuE0MGlc7qTZnuXRkByiF+MuMGvrK4bi/fRtY8ERPQECt9wQX6W5DUVU3IIscok52NF1Rx7HXj/6JSbWTUG1+hU5lRMN6ZyY5zL8cZUjpLR9oZW6QYGO29YxMA/yVT+x+utrZfrr7d2tjr4x5CI9cfyYWesfx0LVQcT1YPRXpWeUcWyZJrLMc2DNifYwlccrUV+DQv0Mw1QD/y3YIF2YvedqweLX91hgp5f/LVWUQfk9V/PqSA/WeOS61RGJurAmikJGKRPu+/fjPXZWPknLeVrm593HdTGFn72yr4BW7O10Met5Xu2G90t7nLVor/XV8V2UqendKhu637IQ2Qow8Pm8j5/dh/vSfv8mcm4WV9KlZpjyVBMYqJ1oBeEFltYozYoIXeimdsLSveUyfBKnB0V+htj4WcscMHSGSiIdfUyC9nJmdf2pHL3xWpdV2WZ85ALsVAPP27my8onOvSMsHuDKYVRjDaLjGGuNBNLy286beQ1ucm6DWWlMjNygG20WgCCVL/kWvb0vX0alDnF4eT8bX+728ODXpCWtYMOnN5NPKSCtrIZPFU/AMqUyctSxlEqMUOTYsoN9G8TGcmpgQ/dG5n/S1ZyKVb2yfrLrWR3tL23NRyQlZyalX2yvZPsDHdejfbI/zZvw5aoM62+t0fQp4i3wnhoQM3A57dgUQU5IVNFRZVTFacqmhmbW5bDkNlEd82HceuD6JKdK1eYGSrrYF8XMsmlVM6kHASrsFuNDsHLSTmbayzACdrcANgDCpJmJlBUIRG8DFxYu1QWwP0i9ta98R5LbaRYz9LGvig2tQJliSfrHcxw38Fa/9thH0xLOloOnt6T9beKjVn6Q19eg5df4Yu7JdjFjLlkhagxZE/5InhG18narWSYuIzR4h2OG33+n/yoNVrThAwnExYM1cAK5oqIxaVaG7UVBXl9dHBmJegBVnyts6UQ/rhfy12NKJ7aD9TTdRYXheXvXX77RsjK/1L8LcY5AJT80NOYxNHnL/7zA41LZ9hjBMizpsi6xhj8HnwwoY8lV+0wNKjPE/wwyrsY7PvM9xp6c7QzgISVNaDzUjHHrRNykGUejEkocYGhdG6I8RxqUauUah9E3AQOmTH1viFXPR9qAmpWUkWNVJ7jUt2opvNCC3qN5VIGBOsezujW5c5oc+0RqtyXTi368llFXyeh6EvmEoXzJHWjE/Av/vO9dWqgKEy7To0rHA0hd5XBpg3aUBEVyzs+PId3k7/4Q3Bnse1uXReYFMr3upuy2O6JqvhKhQbNQ61nYa0uNqgZkT+jKrulig3IDVemojkpaDrjAuJ8ZHqNV4yGcgEKkD2K/1WNmRIMKpvIjD2qB+ydMfpPIv/ftqo3N+brBubv7V7ubn8tCYuyUE6ivfOk5sXsXTK2TqRF3TON1Vc7yOqqvkv6hhGlIqfM/Hjy9rwhl2Gm11xUH3vGroGOZgojgtz3xcl78nPfnl68PX8bMPOAU2TKZPINGdIAzrduTCOQ35xBHYP1jRjVFqRv3rC2QD4b19+mcW335ls0sCO4vqaR3dS6lgTJ6i9u7FgiNfqS1t3TQ0XcW1+a+cpDdgWGjT2/iplKCe2tQpDHTh16wGB9mvU4axX1gLhOzIEOePSNmmh+S+eaVPDKAEpDusrSwelQMCq4mEKhc9fll4kbriQkdsc9PULHAYzrURjp4tpLXY0ZNcCIrtpYKB/AQnig2RYT1le2Q8ODzUXTJSD3F7eZd826LBo9vZc+4RbEBdkDZUZUGVHje8E/+sLxjlFCC6vfK5pDMncYM9LlwDygyHLdtUod/VJpphJX9d0a1SRjKc+gkZNVR4GUauYu7fOtzZc6mdCC58u6/n17TnB88sJf0iiWQZnejI05FQMyUYyNdTYgt6gOdxNP8MkO3FX+hCVsv1oiUMfcwV1vZmWH7FBMYLxD5aWpxfcb+S96w9rYinrXLGGX22vA2QLYYG4reusK93cg3062k+H6aLS5DjY5T9vQP60C9a3tdVwxwaHsrs397zZmvLfzS+2sn8+dZ6v3ST0g1bgSprrvDFN1yztneLnJ1R3gF6XH0TAZbSejBrRLK7Pumrm2xIq14A9zWWXBGPd+grqZltNqMOULGvZemc2kYBmviitomnBTtLqmNTwBwSc0AM9w7ZrwydLxFXyth4QR+/SRVpXxcsEyKHcFtJ5jU/RakwtFpNHN3ty2rc2d5vRWPn6tCxfIX1zmfQusDvLzlrQ4a1o2EwCTLgBWDD9xxN1X4892wasa1DIvhieE3lCe03FPUZCDfMyUIcdcaMNazA1wg7dB3++NX7TIb/ryL4LzS98DtoBYZrENhyngO3ADB20WFIZeNXj5BGwKZFCCUCHFvOB/RAYIojB8fB8abV3BKnh2ZSkFP3jrG+2fVIoJ7lW7wLXIXL/hMKwv/dVDVEsxzbuk5HYLpuwC8XTW5FfjaOczqXzJCSgVXnv+60U3il+N2+3H4Tkl86Xlxoc6/ECQMJP3VkIBtGazsxbAq/9cueZjKuglzQouVgZkRbFSKqv2XdoBH6xgH3xcxjQiSX65uDiDz3ffLP7k7+dDcKN9KfRegjbe6KaqVO7bzGiGPeZMREt2O1TuV+raUy4eU+JfGMtsnsTlAR/ZgS5+tUlGcX2PFpgEZm3vy97ey7tBdJXsvgON4cJ5cXDj78XILyzPJbmVKs/6MbOEfbuQWHT8nt17YYEF7jxj1JoZXdtttL3Vv5kFMzO5LMG/2kApThXJpDPFJfTJOz48J6NkNxm64pl5Lm+tzTeteAaFGW5p6L6S7dcDrMDe1Z2fSFFp6IUf9X00MsS2YL+e3yum5tZkXGn4deWkBgNde2F2uPkoFXONglhKK8cUQk9O3yS8UTAT1uvr6ftOlyCsCwot2w2DNrcJIW8bA/my4QUVWaN5KhcA5GYyTIadC5Kfjy8G5Oztuf33vf1Hnl/07jn0oVVLC25/54avuyPFZNAhTZ80Ns7ltNEfqQW7LqXQ7IszSJx2UQ4ZA/n9ssj7cHI3j/S4+dJM0kH7aVzSAY39KnquFz+/M2wTp66rR+8t4/awGSWzXNcbwHWXL3MErrW6NrRhakJdHpBTvk4aX94fyhsGiMN5fYq3YqlUGeFiqpjGMEmGfzbnJQ1jBSqVoR6Jty1U+PaZqt2qlChZQQ3UXNKMjGlu2b5aC6MGVxv7GIo6h7FmVGS5lVY09CpLpRCBtZ+411FCuDGp7zAYhqlRgMD5sTQTWirXYLmkgtgVrWFp/xiOxOGnBxU9AW+LK6Y053RZZkMgEZwFr5bqHaudAoOesAG/e7Vw9M13XUofOEQtKjnUsRgQWRn3hyJZ8QfYUinYuB4MQYs+Z7J78X4j5AtEUdf4OjlqI6tB3jW2zk/fnHXOCSEnRz3cb+G6HUv0wJzEe8HupohuNWozewD+OpFnGvOp1+7jPdGnR53A0NDq1rfuKlg6o4LrgkT9vKAsqYU+SpFj9tc6GNUyunq3HgxI7UznxvW8Ejv9+CaJYf7I+m46DbFrcpgIe0j7MeE+Om6u/JerxkL8W3VR+J5u3K0VCmlgESyLx/9L6LQ5rgxR1F1d+I6cfwFfFRfuTsOqwIi+R4S8Qs3Kp6082aqi2a7NbREL9Qwb3UgLBqHCrevhcDDvK969UNHu+ojHDbdvqRarqwZaCWKoMg3wDUgmsQu3o757W5pu3FC1kcvpxqQSUOJUJ/5ALcA54rK9T3oHFwwou6oQIee3od2D1uGm2dMIMeXMTO0Q5IZSoE1XVskMrclNq4IOSGPhuiZNJatbscMgeJ0H5yNqfw67ggdobt+uL/t85/OyMvGpCmfacp/QmR3aO6Di0OoLvxYt+xy6DuNOIuu5uqVKXA3IFVPK/ofDP7XuQPOefunQmLC5rfZEqyXs60UzVtFN5CQ6tMrCbhWoa9WtFStgNvHBikdJc6p9hA0X3HDvKwgzgI7g29OStNJGFv0hG1JNfflMLPycjKU02ihaJj/6vxrIQqcBlCZPcr5Q23YrwGsEdzBkR/HFdeJCqs6j70NQHNlB+Aku3vkvYhdD68i0Vru9eedSlhkh2yaDp1pd+L5uAGcaHbQsWwxphb4hYMzcMXYL7mhSg+/Vk/W/YscFthBEUs8ZC6ST/Ive0F6kVyJdYpmMDsrddK6T3kxmHSw/QDvcl7xoLoQuRR54VtDw0lnYCqYhoBIus3wwqo/ki58I24j19oguc24wx8iQqmw0aS+pMnGg8wlGEyroAIPawJUb1t8hIPLiuEPssg4FqDIYsdlKncXADWI6bSzDL3bQWVDiAh3DmFAln+ZWJ5hjR3rsSZM6A4pixQWMS2EilaCtSEUEuwWeY5XzQt6wJslD/8yqbIN8Z/t87CuXsY8sg13JZHrpQmitiMq4puOcZURLi/mUgsgcM3DkxiGXYx9/Ba5gx7wVM4qzUHHi6hLZRM+JO2clGb0iw739zd390RAD2yFg5c2c1CpOp0RcSKUDubvAacTu53edOSe+Q7PKWDkZ+F6kQalDdaDgJmZyN5y6YRJyljOqGdGMkXc/HWqys725bbdwa7S7nfTAn0xoynNu5skyfF2r0QpdxTbiJ+zoa+3QjbC+gzSVCjVnGa3K0o5d1iCuD1f7PqjwYpSMmbllTJBhGNK+u7nVJYrNrXtxtESZF2HKqp7rY2pNvIWR1VoHEPPLvrWUiku1WPGox211a5v9PF2C/sQtZvWQXJM98pcaOf8ZtN+kyXNCAUL7vkK+Hvq3Q6yFY8WOegKhwMyjV6OeLgdbO31oDQA8/hg9eGKC1r/wiWnYgk5RgsKS0IIkYhix+VNnqrcnrjkNYKntTT05Ol8bxJaONVU6wLuTOZUW8c7Q9z9eJfeCbg0nEBvecLLAasNFaiL7zBpQVgrIEi2ZvIY7lSU6k1rGUi8onS3v5Qlhw5etB39tYggTNnMTFiICcKDfQQGRofwVNz+Cotvt3tm9wQ2KLvrYmXgaffVAeQjv4G/mtONNQ1FUwqlh6FKSN9D316qMtE6gJ6iM4ThxTrpu+OncE5+UAe9H9wExbliqtUx5/aLVXW/q4OGFLhZqy31Zx+UALZgpv2EC65bFszrfTqmkkanMnfvAG/1qzI2iikeEg804rRTGi20x1agbF9DTh6kbnjI9AEWU5lrCZHM0AOqH9fW8jNw8PP19YCUXG0t5PSDm1upyygFzG/fXtBaH5qZy2nndBfqGiSwU9iDYZwVgqYuuWSmUhSJrWHwt2MwbGdOGnJxh4xU9gCsmPSDRmLdcsVClLpKpnxF+ARVjMZs9rcK1TRhb4wUaWTnx1zqWOR0fnvd0GqK8aJBWzxVzx6p8zPXyKt4v470y9hpjSuGOjKU9NxBpa7elyWevEMF4530FSsSVRba1l7kU4XvFyLWQt2JArvxhdT+hqsLrndBV0SORdvcaCHAcxMwvl3YXFTWG845+AdnLfnHk5Awvax01UU1uWZ47JhfW449fnQ7c5H9RLW9ipMzX6VRIbazkM1RkVAGN+e67YdhJ3uxv3t/ILSpUbAkk59OZ2QjIW+fZuhUyPUrf/uztf+rT7V/+883PO2/+sbE3O1H/ffZ7uv3b3/4Y/rWxFYE0luDlWDnyg3vp79m1UXQy4WnyQbzzZZ1ZRmqrev+DIB8Ccj6QvxAuxrIS2QdByF+IrEz0ibv+Z/jJUlD9qRJAuB/EB/HrjIl4zIKWpT2zIBi0v3WwwssZM4UU3EgFLS/wcn3QdwcRjxk4FxS90AQKAtjF33B2myAMd0zsUSMVKZniBTNMISANoBeDqQakAYH9L6g8brJ45DBpstL1jAG2G3QzkeqWqoxll5+T3Vs3jMKroshRGv3k/GSlkh+7AT2jV5vJKBklTc8vp4Iut0bqycHpATnz3OEULbcXD3bJ9vxkHYHrfoH9stdqJfPc8RGQV7krOevf0o7/0JxPheNgoPGcMvNTLm+Bw2n4y8UQh3FzOfWXDD5esG9N3YYETUSLxbop3+1VcjppAiPF9840yxzLzbANpuWkXv7c5FS4h2Pvni8BgR5JGBIag//99cEpktjv61ys/45fGIrX1VwTV/8sIQe5VQiiRAUEyN9xEjtxwtEVCH+721CAPoKqdbFsxUetrlhANBOZu4W3vBC3Lbhs94abyeh3wkRKS13lTqmySmIr9KZl4fzG2PWA/MoV0zOqrpO1gPKHokLsAhK3uiWdGUB6NzakESfUOd8Lh31EK1iikfvWWWy4mLuiQO5cziNjdZadTIS2x3hOJGSySgU05pRbXZdg8ceuvZyfIXT6Vz7hDbBLml4z8wgdt0+fdYN8kkbr3u3RaetferRa/2Nt/jj9tl+v3WwGPHqmvARVavX1S88oa5UUOQ/7mIDCOCA5MOx/0dQaaiG2JhiQ355hFBJiQpiwh3oZKDx3Z9VvdqQjoFEMWZbUF5G0S/wvnCc+hsTrsjWGczq3sr/KygExaTkgvLzZXedpUQ4IM2my9u1h3qQtxC8p99xFl749PyFvZMZy1FFv4xxxT9avLRYTi7ttxGDkhCg1Swek5AUg9NtDpwW6gc8/sxz9HiRouMN3o8DTzgn6Nv7uvqKeUchqu7InOHdp7nnJILQOxmo6Hd9hxsDhVbcFMyw1Az8+hvNgbOSDI643FXlnRVo5VzCjeKqbDQ9CPYYQJ+RreeKgkEIE2bpuqRBmEoogQLbttFL1vkuiKrE4AoiWE2OnS3z9qHZtUe+U1wNyy8Zg5nGmB9auVxVU0wipSBulgvXCuL7OkdeHa9v4B3+CrYLsho1BimaES+xcarAAOkNbrB6cvXGoCW23LmL6jNzWFPOi7vBaO7nhQ8b5hFARGocB1nGdOtCF9pGySBu6Vv7vwTeswo2KwTCKpwl54wJLfq9YhQOT44vXUJoWWtbp4OEqlUyZ1pGLIgwTiigrBnccUQ9Gjw/tssAe4WpncWbApxmR/kwnLvViJtFoq7MMwLkdhdKjwW7RAHUYAtu33A83/g8pmkntRhKMzeOTuc/x8J4sQs4xY4KqouE7quWJ8263DbhW7oS//cAUCmuZ35FC4QK4DJtKxf9gAZJF2TwuIAkoSZ5TKR5tnnVw+N3nVnRW/OdMtugs6M+ssMVL+JPrbZ1FWSa8LAeIY8PA5+Uk3CoEj9w9qyNGhgMV82BIO6nvmKhiECLnhIUf2XUaOHEXFwNy7C4tajF09Oa3Afnl3YC8ZlP7hLUj2xg9w66uOMzizfmeS2Y/l8x+PEi9G/pcMvu5ZPZzyezvr2R2u2J2U6jXFy5PaLj5/PnlW25+pj+v6eZGe7bdyOekwXeQ+N0bb90l/9mtN7+iP7P51ljDd2O/+VV9QQOOi1QWcUjFpxlwdWEAiqM2jbfEs6uO8QZGWxj1AePt6M1vC6Py0yKs6giqutxQvyBfTiuFNweHdwPQmH+ZqvhhnRzdRULYrDqIEx4Eb7yLTo7Ds8ObjWDsGcvLSZXHJa5rcTepY3rCtUO4CqCY1MjyuqIQZlrGzdGbEQ5CxvnekKDIWMYyp+VjxiXClbOJIawozbwnRPQSwunOf25sxHOzBvfDt1bA/7lZw3OzhudmDU8M/Oc0ayiVzKr0CasndrJr3Qx3SK4WiHpzOGzAp5niNF9uCLS33d1kzjJvqhZLa2oxc10p2vXuwAVPDSUQ+wDq4ETJohn9plx/rKgRcQitrkeal0wnfVVpfPC7uqrVvSsv3aFETabhPyX8ByQt/CHznEEhG/Qf2L/q8IKelL6G9VzXVYzyqZ4SqX+HgRcjuPN5QYVpeaR6z+/TtGz1mxIxxLpOR60rwbs+zqf9/QMZj/E4PqaDCcXTGRIUBHM0Cs6HNMRUFiUVXmuyaiA4TRvE2MpJjFMgdSgsaVVJSA6lSlExhcicCc8Ncy5dqOntlUSo9QDBuwIe9IpmAKNez2NKkX2FRgtNdZcszTT4eqI+pi2vrtWSr0G2QUydg5h6gHQvILzS04+vENBPprIlARcvs/mntAqeTYIWju42Cf7E9sD3wiGe2Bj4E1sC37wZEKe5+FJcjnufRV/dy7RrmX83zwYZrw3Nsb4UxtH6WT18J6ausAXno90WB4fyrw3CbRYSWMQ4NP8jHhVqBIShHSA4pgtprcfCNioqXG0/ooDznb3+n2zH3Z48us3/uOJ5drlcalw9cMmNvbtmTz1AUW/TxGU2OrIIfCZQRfgmqqQbMjxTWRTckPNfDjAUQWA8OYOEZz9ET/7+ZHvyku29yrLd0Xj4am9vPNpkbDgcjl/tvdrd3dt9+XI0TLMfHmB5If9/xtJrXS2LNx264TvI8isEvfOGqVBMrpvkujfe2nyV0Vd7r7bY1vbw1av0ZbZHs510/Cp9td20taPJl7Sio2YICWRDN7lAgPxtyUQom6PkVNECjOCcimll126kIykNV7EbiuWcjnO2wSYTnvI6eJzUoftN+wDRealT2bbtn/DyMIOtEVMyk7fxgqGsXNhRF0lXaabWIW5lQKa5HNO8gxf8um8hbBF7J6Omv/eEZXyQz9sLXxNzOU+Z0Eu76niNw7vK1Zja3cacP+zN3muEEh36eDmcQmCSGzE22ZQsyPnZ0X8TP91rrg2We6mZkdSaj3NWJ8TrMvsIyfBuSL2x1uUzByVNZywMvJkMl6jp9YqIaIqacmRTsVpeke4zamZR4Ry/b7xDUHHB60qrDSD9jUOW51RtTOXGKBltJq/aLWqgQla6LBT+IgsLMvoswmTk/bvX4brLazDQsoLrWiXhdSXRu4sEhqoo0vIyS0yLyhur2Cyw6kcVEPQU0+jq0pUjm5tbD3X5fcL6a84h2tUF4LrShSd5fTMmMSwEPy/ZwJe3NzPafKSggtZFnonLPvY5XftElcWAZOX1dEDGit0OiLBfTFkxIKKCr/9FVffMq7JYdBuXq4n5DW3OEreU2Uxexcp/U+8/Jr9A355P0fx/ReOInEllLOmT448srfDPF2fHa6Hc6jelVh+evW9MQwxVU2aCUw/qR3fU7N3thbXEhlN1KeFJ0NIMp2m4vbHvgG/pRqiBp3jOoKVA1wCHAmtyYsihVKVUzczPB5a5fO0xLDXrqpGPXOkZjcO1H1iZHXvJ5lNYWss+euSydpOt5NXucJiMXm6PdhZdHy/KZXbbrSuYgRFTQKEyLEF2duyqux8IDwVZX4cuJPAYieAi9hcXEeLzjydcTJkqFReGjLmgijNsAULoxDAFPa0sutAWDd3aU5mx9bhHBnHFObzZqrFot0zTSimrnaMSivn+6QxuNKDImVE0mL0APdb+erAi2u3tbTLhirE5NuEb53K6YWaKUbOuGHY42NgcjrY3hqMNo2h6zcV0vaC51TvWETnrdkIupsnMFHlXIA3T3b3hVrrNXm1ujuwfWUp3Xu1uUZpt7WbZZFHq8JXOL+EYLDvQ0iLyczjY+dnByelFcvzfx4uub7k34GFRfdfgj1zcSuDPHz4eHHtpC3+3L1tW7l99tPbUh3N7BSD66v6LxoU8f36K/mtCe5zDVWHdgdslaTcbzUH9Uz8c4dlGRIpRq51QhR9ulK789CV04p4YJog2dK59uzmcinCjWT4hVITdtasqObIZ+yDa3b4sHVxPILh1Sshi+sx0WfHtq6E9tEcSVVMoCKIHdtHQ6RnxaBdEx1rmlWG+mVLNCmeMsKC4RazsDbZYxXtcxEyppNWaII+AQzf8aM86PMl9XEdjb8zFhg7sfZ2s5+HPSgcFfZ2Mhon9v9FuB5GXkDP2OIuo5WpgYmqCbPLEYseGm+t5fzeFWgr5cElfjMWVPbQosJ/GVXrNDKGC5nPNNZGCzORtGLKw+lrYJHJrDebADaDzNVXxGSJvQIyEF1zP26jXBHf+JtQgdKVLnnJZ6brTdkdOPEKPzdil5lNBwfHMPnL9YGmssZQ5o6IP9z/iT3H7Fj6Bjo1uhricXRvoVaMq9kC78jshx+afSzuFDznCU6YMemx9H9KeAN6ItnwzulTNSyOnipYznmJ3KF0f53jUG5rzLM69gyZ1lTZ+PquV3DBSibrEh2t54V+tX/HZpvX4YdhbqkklwAvOenqYHb979/bd5fvTi3fvzy+Ojy7fvX178albVkHm1bIy1s5x+IZwhutnqEStntROaq0MkLyQ6/aes7R6bqRi2tXzqje6Z/Os+srjWOy/2x1H3aF+/a73PMuxegpUarHKMRVZs0uba9+PbhpIImtUkxnPocSwxvB04Ewsn+NtCjrYkEo7BPVZpx4o+zPR3M+zIDqKTzk2R464F17NWM1uSrnQpiFiwV6ZE9e+umkxdM8mbezFAwfvsXgqCiqyywWbpH2dAISeJpAObmzLBqQE8tI1yHIysx1f4rWeMFfcSrLWepCoaZ7X0rbd4K8jhj9dL2roQ2QdinSrlt6zSKkJCNZbYi3yuwPf2lo+at/NHElkKijeXC/TOp8JowLhug+LGOo4XLUWZBNyCzktjYr9cNMAmeUeEIywgcPz/v3J0cCaRYUU3rohP78/OdKDWD7SqM56YY+fXWo+DyXPsVR1KDIFt87dVR9KoY2qUoOdqtFoyOduuBhzkKRjSVgKUirLBFO40yy44dNYyJ6dHBHFKs0apd3rWuy+itsEuv/g8qCPhbUhB4RaUaXbMZXEpwdb7Eltephtuplu7+xkryavXm293Fn4Trw+Q98sL1k8mOmgZSPFtN6wke45zy3scPMJ7e27Qb52IFRRmrZLXRIBS/kza4hEBdV6q6dG3bvGVt12Qi1El9eT+fOOXVCwVHPsRLD/Ay7ccys6cl3/FyAiexSTIttZEiN7c7SDU3Qn1TM6WtKs578cjO6ZdnNnd3kTb+7s3jP1zmhzeVPvjDZ7pv5Ooh1XvUDBONWGhgBdm0nqInYwhMVZGIpoXvC87x6xzTFKquyxffYbfabfaBFPcI3qZ8/Sl/QsOcT/eR1M/Qt49jN9+36mO3bu+3E39S/w2eu0LK9TP76fnU8PoevZB/Vd+KDcfj67op5dUV/dFeVp8dv3SC3H6fQYFD27pRbH1hf1Tj0SrC/nv3o8YF/Qw/V44L6gD2xx4L5pL9kXcoQtjq2SJd9BuHi9mH+TwPF6wd9vCHm9xu89mLxe6XNY+XNY+SJ08t0HmIeV/juGmnfxMF3IK/CoJMaT2ph164Uo7OhOi+mGGTVmdnxrvD5WJSvb0N/XDnaB9MsQz94tF7O5vflY4DrQPUWCqB3aY26VlP2gjh4JKphjC8B6Z8L6jGG1jnhbnfOte5uzORztrg931je3LoZ7+8Od/a3tZG9n67fH+imBl2aLVeh+FJYvYGBycvQUZOCgXCIrdeD2VmfC2dcXrhvugebmz+KhCcYOwNzyXVhahO8H6L5D6yeUSaY6UCtmHh9SgSVqxoxkfAL55mY/DBkVYyaUjJW81VCp0gAL5sYB4f1E0HmSThkBFUOYHFpii8hRv+h+VKWF/HF03rR7WSpF1uS7oR9nVXbrEm1tPlbLvJXKajCX2EZbqie0lZZJP5ZMHOgkgN4OFWijZ2MmC7ZBc56yhbH0fRjE/z6W8HdtAv8b2L7PRi95NnrvJ5Dv3tr9tzdzv0X7NgD35a3XMPXXtk1DFaVvyPIMGuVXtCtbMHwLVmMA6Zu2CT8hTPzPZzB6/Hw9c9BD8Ocx9hYnjCewBOu6eFOujcOKK+bxLv7u7moeP2E1Dqy+Acqgr+TlB/Al16XQi9fugkpfUE9uWerwW6dMYdU6cqu4MczVChlTzXa3CROpzKAMcticn6QKC1TdBdbVgM+Z+bvVQY8/QijeOzb9W8XU3H03aIafQj0QXSKNyzqSDDoDY3TZVV5e2u+ukhB/LX0zu3FlvN5SjzlmxqveN0zRMc+5mQMsdWxMHalpT/67458vfzw5PXj3D1w5y7wa3VFqf/vbj9XB4fDg73/78eLg4OAAPuP//rqosgNbjNLnoUj9T+t6hgGqWJnUbi/Uu4b5XF+TelvPAiKoJpZHQlpL35uwL26PPAEkQBYaOqiGId3zgUhgSvLCIvn8twEg+/i/zw5Ojy7Pf1tDeoijlgIM3NSWlxTMV+bGKdnvFRMptpZzEwIB29HfvH99cQJzwdh+uDwn4xrKG6qg8i3JIecEhxUVtP+GtdYUbcc8+vXtuyMk6OOfL/9mPzVAj6gvIq6QAJCxlBc0J4q53Ak0CF+wZEquVkYrVz0xVqv/XDnc/6AM/aBYdmlM+WHMxYdiTssyYR/Zyv8s7JwEgltSM55zQ0VGVdbcbxSojov4iGndXiGSxKKrmPGbZSzgYDxW7AZ7s4BV5F1wdr6OGPnlv16/WRTgazZfAry/8Bu2jkWUbly4o5zYkboy7/ztTxe/Hrw7/lBbbJ6Fn158OETd5e/o8/lwUliF5iceKlBaAsW2ofrDLRcWUEt3C5t0nVK5T7J8iCC3Y8cB4narBnY4OKHAu/s27sNnIyQc8x7EfDhi42paV0l9uKRpBOdToug0su1hDi/ju31IF4K4VpaAqzV1pfqrewufhWQ9zYwV4QWjwoAHjaZWQFPDSMlvJAZeK1mJjFBScpbapXj4oAqq+wCx/PCAxk6tdTqXc9JpqyRDIoyYkzKn9klsnnR8eO5CaMlFDIIbGt1f0D0MeUExwOZLtXSSE0gygClQV3CykatIqantS1w8F+TKYTG5Cis5sAwyVcyEgHmLobiDq/f/ee8j1PieSW0GoUnXwEff1xRhXLTwgKQ5Z8IMiH8U+qdjA93E9zPLLnmZkJMJdqAqS+byKE7OPN82soael1cDLECHlYKFQxpgjLq+qSdnxCh+w2mezwdESFJQUM3ieuHcwGQUvJzjeZ26GU21P3q1mQyTzWS0c/WIsnFL9Ckf5DnKCKpnTCMZSGERojxhOc0K81c8+UOj1pqLVBrNS8gurfHnRg2F/rggmpvKeYaxRvhcVqvKkoKuFIOkitrecoARmk+l4mZWWHp6gblfTLGJhDcsQVmWCUIvALC2cGwH5B0sEb92fDuTrv3m9qsoCaMf8cftLrzR8ygyGPnpb0enekAyWVCOPbnsGZPqWpu6TZeGNvTQ976u7v3ohs29OOlv2mxX7fj2yVnv4preBb207o6eviGfCTfhLmgeFhuV2wwvM/znewSGfcbXuwzdkaMcPnD0uKwZTOYR87p5Y2iQSKfWDrIAuAxGn1ZEaM6UiShLSKy4DQurDSRf4dxOEaU4udHwOsar+2gZRYA7Ytv3rNYDlRVcwzWb1YuVzEP7JD3wj1rAgNhPjs43Ts7O6x9CH+kBuWVjP2SJKZ7YvDA8UKncJbfpAWEiA6uaZMywFNOehVXbraTSjLw4Pnq35toihdQqZtLH1OmszKzdnPLpGr5Dd4q4WSAcz1KzKpNiHhq+IBBwcuEvyzAlSRWjJuqYE/bKU1agDGDWDfruVFQ4N1Stv64X8HC1MGwyv6y7+IO6iz3SAGp9bihcosvTc70pUfB4JASsWOFTk4fP9+tFBjkwhhWltZpOItXrNaPXC5ulS7+2vwDTu3NjDxvvNtzjoX+RP+YyvSaK/V4xbUDFK6txzlNydHqOWXq/XFycnZMNcvH6HJJHZSpzvbCsWFaq5wGu8eQIGRXXPoPxlpuZq+ILLXyQdyKjjJTJ2vHiGWQv4TyKYEbDhcMdl9srJ7aP8jva5tzNGwJqMG/O2jI0Y/e0LnGNbXxDmwWWv9TbJNa4+4V1gg/PZ8Evdi5evz38r8uj0/NLewguL16fL7q2ZXeiWX3X6D5jpLWi7q/5Ee912N1eeRB+tWi0w1sVHaWq84xif+bVVU0ymVZ17nRzNrCz7MlcXa3pSUhTU9HAWgVpdGlFSc7FNawHgzl8uz+4h0IUjL2xUYs51xQG1J2ui9FHgzCR3PJrXrKMU2jUZD9tfNL2Wl2LLSuM4bRFuZqZASllztP5AHUT1AnwhttLXWs/wcl+lPTHpNuC1W3NY8+a83penjmWf/kT6lmL4qmqvhHeDw4ZqUJsRMARiARdywS0hiJhwJleSBw0GWZXLIyGQ/z/i+JuucFwF1FD3Q2i2A3XbdVhzOyqgXbA3eHqSXWXljywphBdARiOjaTz+pt7zKQD95zdZN/Knmp3RQMeKPubIDSYD6kUwm3PJKjqaPQQxaZUgT9VMzBQ9CB6Hvd/zPHGFfnpJJe3cNGmstpm+kkqcnF45kYdIL0FMBG2lPGbOi6HC244zcn5P06h4xQzL/Sa+9ENagesYcHbGqTFoHS1Z3IMMp938PFDzQU8XiD8jrrBwbXoLCFCU1NhDQjXRtMwVZCVMN6K5R8g1aJhPRSiBbhOgL7cz85OdMyb+c6qtbBwI7petdSVpdCtKeJ1OB/IeWMCtKBhFW7EqFINmKH/qgQSBdxYobvQvd03WI1aIU1nyAmwYLuNGOPYNqoPcfgNv4TmpRj6vWiWEc0KKgxP8f7oI8hYKgj7iAGQgwZT59g/f1Ll9rEbbpfL/2D1lbJdKFPQcqN2pnmHpwpzTKzp7McUyEK9IEGPp7ur1IbnOWHof8MqNth401rVkfcVEDbhUatJWpZKlopTw/L5Y8xrdAcvS3ECqkfR5zYm+J9hDYHBFGM+rWSl8zlSM7wTuDxctOqQwZ5zDb2MT84GhHqHG/iIK8E/Ei0tnSSE/KPGLM1v6Vyjx70psumth8nT/VXivrhClDV1NGG1qPpuOat8JSzwZSe8vLKgXCUI1tWAZKxk4LYn0ukMRIrIlWjFaSvGh+pEVFZJWGBf7grzcYV5cBxCc+ikXLdRoZWRQhay0r53P+C9/joA6NuH40AvDs5P1zqlcCBEmaaz2teEqMQYUdYjoXdGu6/aa44dMd92yYXFA4veRmvqD7j7Wcppzsjr14cNfPTE6ywSIxq/1qzCCJE5UL4FuvRE/N6RBLLo7lbtNbtYI2E/ANknXfsjNDh+0y09ZTJJuZkvqxDgITfz/t15I4VRrNXoF8CRwnDBxNKKE542ihK6yTrwnUplZuQAYkxoD5CVMGp+ybXsKSv0NKjDKcjJ+VvIQfj/2PsWpkZy5M+vovBEXMOeXdjG5tEXcxu0DTvc9msbeuZ/O7Nh5CrZ1lCWakoq3MzFffd/KPUo1cNgaKqhGTomJrBdJSlTqVSm9MvMyghHR2uH1dRsmiHVTugIMxxVOWULzd8ynDnhE3DO6/p9y9mcyizS+3WMJXyoQpH/H2rFnLVeo87+brDXGxzsdtuoFWPZeo0Gw2DYHR72DtD/f1UZZIOHOK8+C5J27H5cOuDErg5/G2F95KCtMD5D8xSzLMapn35ULsg1CiH7mjI7C8nQzL4pi4dGNNUWVUiYvlqAIIKYawDVlKR54ipr2uY7lB5ejJLFtaDqD32w2EahXdY+PO09l4pP6kFtgYPBqja+JWyQc8IttdXTjSkXkrNOFFbmJiVzylmTK+0T9HDTQuv8a7RuXA0tNTOm2pX2r4xMSZFR5YvMyhjqLzFz3IIr/az3iq3Tj1cDZW+dfrza2y7uGUscNkDwu6NR/VjKadVl8BW3tq/Ole9ovCkIL/Gt/ylWQvv+6Nw51SbVGjXmVr4QOUpSeoUlQeN3/972DNniAgAXLeY4QlMcYxbCEvRu/XiKUp6plVmyVBWdCd8ojONO4RI+AyBo7umyQLuldzDVKlWiibyfYVaK66lMw1fGFBm2rxNxDc4kKYkmdSbhA1YhB+DkfEGE9Dq1PNJ9t4GQJCGRG3I2tZakm/KTPCSj7YGOoTnjRs54ilozzgPzXBDyZQtRgVr+F+UE3vpy1ECpIqLTKkKSNRJSoRwlUzYTXNeYXpqgJX3xJ7LZjH5xLcIzWwspk9c7O/oR/YRykLYDdK7BTJJrr/8LXbpT5uk1EnSZxNdI4st8XrWrG2MhkVxxFOMpiYX2qhmXAFLRaUQV9edvx8LhlFshD7LLVnUj9LhRkArJkwlIwDcQCjKbEUgfrXo1FomZxi1y/na83dZXHZeMr5g94yoMCxnet+0xIvAowbnke3CeoCo/5X5ds17wj2IRCND3LTggNOtkJp+JzaQHvi/ITSZIGjQrMr5Dlcf4OEiSdzeD+Gyd1sAMvR0ffVTbwZGmeOya8mXlVZU6ssQ0bog4Zb0j6MBaJ1VcVzDL4viBI50f7VxFEfxKIEUSdAf+wQ0X5vGUpBIdUyYkMSJW4A0ckz6aAOqbssYlUBPZ2C3h+lzg5ibQXBTCgeKORajVCKoeZ4Perj8TurPqIJpMH2E4BXoHYLWSe2W3fUiBxj5rBcUQZpxdL+mfHupMs9B9/KzriNAZugAqoNx2aj4o6i5clfCQs5meqzKMgUEBnPweBtn8FHVCdWsk+8OIkpkt6LI6iIdzbx9No50tlMHNTDremM8pqxLtqTQMKq3KipTHjQV6ugpVIJDQkz0Qgkh8M976W/lXv7Yu6RQzPMHRkrJWG7VSorwWyuYT1eCt4Wf+3bZNv+Rdbtuvbi6Xb9+uXJVK/zcN9wSHLEdwRVhiM8IVFijkcUxCyDZgvi0U1XcF9WeURXpRuSUe87kwa9tl6rd9Q7yRRgvc4SaPJAuyJCmOGyz2cGz7qCxMKtzwt+gMYit12ajtSq2jCJYJON760lXYggQpgewNQld7uDANggqLOBHK7qyakgd4MBt2u7MCMxrRSTW1LhyCgzGNcdAj1lCsXJqogPQnKRWe4uYzHUXEeETMgWeB5PyO0aUgAIEBAzwi1SJSLhi5UqjCH4wJeV7iSyIQlSjhQtCpzkPg5DN3KZScKoFcEpnSUMssRM6WpLYYi6MWjPKiaJjFOIXxuibJkkpbmKWMgXvPpbn4pjpoiBFTJ42Q/AWh12VhGIBs5wW254hT74pdY9e1KYIlulDvmX1RbZPwUXEfDEVcU1Yn2t0nQzKdkS4me+HgcL8fTcnhrNvbH+De3u7+dHrQH+zP9gry2NDpa8GitMKmkQmedgJulYCGrOZFKOZgVibod4i4MvKC45iv9PRHVMiUTjMf+27aMEEMaQZhHbbAiA7rKdo4+vTF4kWExBB5Dcd6+Qph7prAG/6p/jbEAig4Vt4pDU2oU2EVWXMHElwZo0efp2VCust15Dn3bwiWoq4R7SKbbQmqtCQuPYR7VE3kRW6Y6fC8mVoYwG6/xk3NgYpPR8cst6IQ8Yg0egVkpQk7kYAuS3rGkwS54loXOVFSLdiXrVa0Zr/6DZapB4n1U6dAvDTAEHQ8WdubBEu6U4v5Dc7UVuZxjZrtxI3Mxg7a1jaTpZJK9oZQlajSANSzes49fGRRUI0MBmoIqnsbg1dYyZwI9upVbl9CAjdzHxySRGriXG96xMBia0aaQZqIKz/VXG7HcljRlM0zKhZu1vJFCUta7RcoSwpbvdnnuFBDRb67YBJoGL4wIuzxvFMJefMlLVSUmlzBWOnZRh2tFRyPDVFLzDSoTpAaM8H21+maf72ihhZerO6D3kXrAHDdfonWoh/TUDIFMHktZvvO+wS8WEpQqJ35Gnu2YCe4HdozzC0lXifHdoJOZ7oRnro2cEpKoyuv0DWqd2Utp4uCVr24ResWpqMWEfwwM/JzMSWmnRAHKyz4FtVZyXWw5Cjm/FK5YNjEEhKpSy6WfAsvC6fT7lVu7Ab9YOD7WYA+LLhZ+Tc3eFn6qduxqBbeqCunwU3YTtEkLLbkgU5vgZv6d4UGc/okQZEG3vkCinwBRb6AIp8IKFKvSZs6LFckj4iM1EN6QUa+ICMfZkgvyMjNefaCjHxBRn5PyEi9VzwNZCSMpWFkpCH4FkQgjg2MLl+K3IEFa1GBXoQdkikGD4rNnzxKci07gq/kxxNESW5uqX1DqGSNzD86VNK3H1+gki9QyReo5AtU8gUq+QKVfIFKvkAlX6CSL1DJF6jkc4VK6vpr8Ky5wjvPv1l/hdcypUjUYouxEHR2bbFXGJI4Q6pTHIZcZ/eBHGK6LyTxF8748vo3M8LfnJGjCH53ev7pGB2dn/+P0T+hwNcsxUsCaaN/YwX8JCQ54SkwsDCSvGEzDvAIsct0S1OXU1W7vKfjszZ6/4+TX9qQfXTbwjIwCvlyqXStGXKQNw2330BQIHEoaRj8DUbksoz7eWOVz2WsW5chzEywbiNvV4/otxZdJjiUv7W2g0JXJFzAeg7+5rOh0ilcmeWNXlIG3hwYqzhcQIYul6ITjgalvk3W/bRhwsKQL5OYCg2bmnMc69Hl7f7W8lK8MqX8+MxeH6uh62Jsm9ypuln+BtuUkUPXZV5aMUt1rUSb2lSfR1u5KljyetLhdzcpDu8Ja9FxM0AnrivTFi2cmSPrtriCeAAmg6RmbO4S5CKifBxdOUUiyubKjVfKQp+rEJlykWjnIfYGi+dzTZ7NiVRSJv6KKzqgWq4bM3JaSrCpPmbQ3CzIpGXe/zUp3zNBEK7oh98cob+ZVtoFlxFtkS+ByzqIpcThZbCkMiWQdVC/InbOj7rdQXcHbbfK7NG/1DGmQauqVZBXi87ZlEk+Tyr69OuZVOWRVlZ1PGo69ybIkOsE0k8/IU75zVe5tmkrRb66HeCbrEun2r52adqG7sZO+5bYOe8NDg9rRA++X8OhZ+KgtwqI7DvPiD8NvnQ3NSPH1iQYO5PAj76pTtMj6YiNGekzsCrlD8XI++qKcju+cW/SClrL3uTUvUuBQQxZxv00mAUbfMbDTNjTiDxnr02QiagUJJ6BlUShIBck8YyvEb7iFOoVdCKSyIVLaJqbUHoIX4Jh99C0GpJUatNJFxC+Q4nDkCaLxipXnOlicJRFYNaZ7LS6Sy1cUZa6rw3g12NpRaW9PZscj8Y/HU8+nR1Nfjk9/2lydHw26fUPJqM3o8nZT0f94d7N7p1HuU4O4vGuIS58PH7XsaUMhcQs6uCYM1KYNQ5QflcZwIwNzu+d9INrojGcy0znQe2QL2GcCXoFGvCiStIkXGDKLpCgLDTH8H6lK6QvL3TEmUuxGVNR9azfnZ4GwcaFV9aNpOkzA5/XXucVLH6B+7mzsQDs5/q5uNcc5PBqOwtYmkuZYqjajKZCFsTCxt0sHHytpgJGYWY695uoBRaLYBkNG5qfUUFB5WX685TV78ZDFFFw3PgMjY8/uWks4skh/G+DlXOiYzgEFZKw0FxxmcJFeWn+tue5upuyfFL0cWVekDNLEpJCzAvwq7xEuif7e6P9k/5oOHxzMt4fHxwfvDk4Gbw5eXPSHR0ej+4zJ2KBe482KWc/HfW++1k5PN493B0f7vZ2Dw4ODsb9g4P+3t6oPz7sDfu9wbg37o1Gx2/6R/ecnXzHeZT56Q/36mfI8dCLYPj6Gcpb1TP1MOtm72D/ZG9v76g7HByf9PaPugfH/ZN+b69/fPRmMHoz6o77e8Pj3nj/YH/45nh/8OZkd7Tf64+ODvvjo5ONS3kYGqkQWWMmzziPCLM1TPkMiWz6Owndhb8egf0EllztfmRScVdmqczA0fsfTTgQ+sS5RKOjNvrw+cdTNkuxkGkWwtHnOcHLNhqPfnTXfOPRjxZbsTn7fse7Te3i5p4KwpjzUADdr4lxVSb1gq80HjQhqRI1JWJnZ293cjMboQVmkVjgy+o1bTQgw2nvINqbDofhfq+/3z843O33e+Hh3hT3B3eVJsblBM/kRgIV5ZNbFBosyc45XRLfVIa6zyb7e8EmEIhxgFkRs1QjtZD9lUmj6sVIv9vvdbrqv/Nu9zX8F3S73X9vXLjYo3cKYabfkGBjGW1MbO9wv/sQxOpUeQ+MZygV9xMchTiOlbJk6Oz9qdGpksRxobiADvaxhRiVC1qto2K4RwXCuiKYuWIyPhWSPEC/KDZ7als9XKh0UyqiPSeK8wk1MUk+WtBEJVX4v1qtAhMgGIT8rjzXuvIx9XNFI+ea2LHlVo28vLaVXj98/nFcKED0QJpYZIm+Tplol7rxG1nTTb3tUPDl9TcLEsd8rd+yxpvvD/cm/xi9U9787sGg5unj0XiD518FQXDX5f5l2D0McAwwX0mvCCz8prj6lmqbzcqe168OMEBbZ0fvtwN9QyehcP8VTq8V1+uMBV1hkUpdd9sXXrgmmWbSXNpqiDbAM4p1jcfvz5BPMdJ1alc0jkKcRmJbFysuQMBI9drs1d+8xX+vKdD2UaCH26T2tXNgbrNBHWyN3kO9GzUIKJjvcdLxuEK0tb+USY5+ovMFOhIiS7Fy+E1+/tFdXYwiLyAAqXE+6DCnrdE2BISIMpmfNy4+VkND5OveJqe1Rslvje8zq6MfP5+10QdnXZ+yENQ5bHA59LbtW+A1EuDW00NIAgQm5aFRTYmC7cbqorfbZea8U8KitMjPlKy+giA/ULdhovyuBNr68BUL/ZSFD0QzjicZo00ZPHWk4xipHhUHPt+DBSXp/wo2QHKPCU8ngO9o7qLL7bU6mUiKbH9upz1vozNAi3ysyPkIx3TGU0bxfSh9CP8QPCUsvYR6GziEa3yjfrff7XT3O7091N193Ru+3j38n+Ag3Ze4r3YGb6Wu7P2tpax32OkeAGW914Pu6/7w/pTp0IbJJbmeuMr9jbmApv26CpguDuOSVBfip7N7bSQebWGWXjW16M71pd4VKRa9jmP1QGh+yqlDjs/Vey/3k0vMUuEFo0Imw/7GhSvXMIR8STjLo/vukyvj2DThpjMiKb2qTKa7UNqAuL3hcHffMp9F5EsZFHE/YgX9c5PJX0co5ASlfzo4ljeXIsEhXF9NaQ2wrt8dHNxn6IKkFMeTjbOZfAUqXHdl85TAdpX7u7W7ZPnoPL/FsGHm+XlLnCwwyyDDQruYASY/Ol9RueDgtMXKWFGelztHd02HC5ziEMJGy0weDk/evDkc7Y+P35x0Dw+6h+NefzQ6upfGcBWpG1eGp8XADp/VeVlsT1P8AhVM+XJJFH+EH1amt/YZzwBjgf7B0VvM5miUXieSo5hOU5xeB+iMEAcimVO5yKbKqNmZ8xiz+c6c70xjPt2Z817QG+yINNwJoYEdxRj4XzDnP7zd3d3vvN0d7larE8MdTeeeqtocDjyOKyycL2yHUSZOLHBKomAe8ymOnU2YV5G5J62P4eo+jKdraXgKrm5ZVdmDJp3KYo2ve3b+Y27vttHbH88wQyfKi6Ui5J4v3FYeUACebyNS8GTc3AIDvoaix/Zz1y3iwoQ+FIFPwKkt0Xsvkv4CDqrBBzRrVXmZG1WnxsypiOLuxgQ06LesQS3mnoyLOIXkuPpSpK2vL3ECCfzqwoMFCZP+cC/d2EMhQuJpDIp9A0qnnMcEszqC3uif0CzGBbLozKJTESNzLqm+nVphiK4PiRCzLFaGpzOpoDI7VU8ZECxDhIE9pD5njJF44+XGyBc5sXjYbzqVDoQ7JfAVjJtEAfpI9MRqcAvyci1A+sGj90cmm4eyG6zNuFqtAooZBtAxFspKXRImxY6MRQcoUZKvaOjodtf+EHxZyGX8A44T1rFj7NBIbJcAUTqfiuc0xHwFwVmiKnVqlDu9YGOhS4nIlo0KHBUl5DQInOkXIhIdtVBgXhs4ZSndWMxMBb4nCfM1Y7srzLdK0mPBfNeNpCEWNwnz9efiXnPwpGG+ZrjPBuZrZ+t7hvn6c/I8YL6POSsPDfMtzc4zgfluOEN5q98hzNfQ2CjM9+xOgN4KkDffKrz6wN8c0Gs6/x3vNoYcq0f06o4fDNG7ezgYDHp4ujfcHw5Iv9/dn/ZIbzoY7k939wa96I78eKgbWyHxMqkAXA2a8ykgej16H+QS9y4Ef3NEryG2WXTp2cY40pJCrlEAFYxRYwrgBfb4eLBHfwr+6rDHWl58Z7DHGhqewl3QdwZ7rOHik7kPuhfssYagx74Oahz2eAvNT+CG6JvAHmvY8ExvlXxKnx3ssUzc84E9+pQ9N9jjGtr+urDHNQx5nrDHNcR+D7BHf+gvsMdvCHssMP4F9vjtYI8Fxj9z2GM9rd8X7LGOhqfg6n4/sMc6Dj4ZN/desMc6ih7bz31Q2ONtBD4Bp/ausMc6kv4CDup3CXusra39cKnAtWlWqE1kr5UTnApbS1x9z1M6p0r4NBit5sIm6G98CG7nomE04HvF/Zj+SSKNmIOragcGhE3EJ/M2Em0S0bUEumyjKQ6thWYzjnpfrc86qna5lE4zQFfqNwDcJJTxnHAh6DQmGoeJ4+s/ib0+xRp/lPJsrmxpM0qMljRMua2ajtNwQSUJjWkZK2ORM4KuKFl5XprLdW8cAW/gyCsdgFLyR0aEFKiTCwllFAp/rMjU/m6xTrOUM9lR1muxzn1HkfNHRlJKBFriyNGhswwnMUFTHF76b94h26lIMGsuPfSrtRVFVL+2dgJ8DrnOXK4Ut2KpX9n/SD+eEnNZCNgKnpDUwHNtCQYA42KAULZdpQjsGC25axEzDe0wDGvr8uYRlniqloBi93VNUfvZ7BAfHB70pvthGA031rKankfgcpWR8I2WCZELkKnHoSud5Uw06MEpUY4/knxOFNPAwXVN5hWSTHkSw+wFZlGsV4jrBopCdgzOlXjiWuH0YDo77M92h/v7091BhPfwbkgO+4dRl3TJYH93r8xeO+JHYrLt/g4S7b9lyuDZcouu7C+UgVgSLLLUnAOAmDuhVSKei3RR1M1zJK0yt9uddff2Me5O8WG3P933FHOWxr5S/vzp7S0K+fOntzbBs6lIgUwSJu22K1VJjCWDU9B9nz+9FfoC2TxpNw3Fg2lKoBQeiviKKYHhSIQLsiRtV3MywXJh3ufI4p430XXN1hkb6ypgtnhQGucqqFVM/+XXIzxlSPAlAai6mkDFzyW+1jnITUDB6UdF7Y5ioeKrLmIWX7fdyRAuF0JkUDjx1GQ1U23ryolejd8VHDTNua15emFSl2nOVYWmJoOZC8uwyP2mWHu+MFnELV5BGNiwUl228xpLzKwGx5YsjQulICtNUIEAFiGIRFStXIMQb6tZZFwqRZleQ1r4Bay34vulxmOCoaJRQlLKI7TMhIRGpkoThnEWkaimuqU+HISHpwS1EjZv5SeI6vVWoL6rzlBijBCvTs58udkJ9r1m5SNPpTHljcQjuN/S4vTDhSf/kietEnMufrjQF1bFyp920KWaZ7MsfkAb+NHKM5zOdO1EpQKhGhNdqiVtKjJd8wySwOcL9to7EBaS+6gwytCFkmfV3gXEWoFBAwterxUq4ESUaXQUibQ3CQaUtTlh33dN+vWGa+oJFDXA68Fgd0cQZTP//Y8fzff68w+SJ4XZswvyGczgq89sySO1/0e5ngHRF0gQwgqcdRx13bzn0sRBUIYYkXqH54xKrjwqrQH4FHbuyG0GU6JUjREcmOuUYOGLAobgNBTzuSnrr16FEgmSMPR7BkWcc6gd6C61j5Yr4zrJcWXC3GuuWQzO1goLN9B2YZ9nXFaV072ESLW25ueCfCVYCE9qHjyOyTRfcuyC0hhkU4UrP2K5KPXt6VbDoFZpOA3UiPdrk1fGMRhUrzwGg93CoMCtatJIgA6MEOtfp0TbCvoXEydYR4NvR7dKwlbZu/4OexfEP0X+GZDfS6C0vTbonNXCuHoXVmia6x6N2/DGDq/CM7o6repvmkn3VNvrTBOrzRTXoi5fzRBZJjIfDwxdP3lh3jbF5NwFNYXgCCYplgRNiVwRUgz5lCuubdXSBv3YdemVCn4pSv+kitJrv60pOTiD1terRdhwWqWtV0MVLl7Xmp56vGu2ruKBw0u5ffRSbv9+5fYbvAL+bJqvsVP8ERQOeOzn9Sc8IIVwtGfOeezGWqxePeWZdGWTjYkL5cHIFXY+hjlrMJWKzZemkpiSjwW+InDkTuBKnqfeESWTKSXC7Kq2hjdacqibi/VJPY2sq2wPozBDGGKkjdENO7bwjumXZuIe/wBpfaF6XYi8wTr1EMnRoFQWQ0WCimv/wMCIR/MOFa2vhHbVVHdtRGd5LYGKfXwExcTRMWVCEiNYdpy6QP5jSRz03qjIafoaO66vnta7HDVAmqlDqOsl7yQxlrqkf3WIDSpsn/+6s0L/XtxxU7cZVo8udE2MVNdSLGj2GVyNaRXEEGacXS/pn95JlGac+/hZkFkWK8G/gMr4NLpQoqE/KMIuXNRZyNlMzxCOi7sJi9R+wHi+Lo2XUpKisvyEOQL9IWXHHnEKG5joUvZUhOO+I3g0nXW2UG69thtSFPO5d4khagIxMSitovPH48aiI12GE327qHpCWFsakubLx5gUpbG++rV1SaeY4QmOlpS12qilC65TNp+oBlv/uQWS4RtOEzy3x6We+YTybzcwonQb1pRigL+AOMwl0ccIGE1TvvJuUt3SOl+Qa3OgJxZ8hZSCZoAksACGmM+FakoZwO5MwgA4MjdUex5wB7uHqOa/lSY0vZXnkn5ccEZuWX2NDChnXRXUi2c4pYVBPfnD7pKu8+RjUpCPMq3v+J80jvHOMOiiLT0b/wuNPn42M4M+nKFef9LTDtw7HKov/msbHSVJTH4h039SubPXHQa9oDd0w9v650/n79629Tv/IOEl37YQsZ1eP+iid3xKY7LTGx73BgeG3Tt73YHJ3+WYLoIZXtK4qdPFD2dIt4+2rN+XkmiBZRtFZEoxa6NZSshURG20oiziK7FdrbMGT1bG/Tyutj5oOA6bG5vK2r/gcdm8LS4lSwpQa20XVuRMi847/ju+ImVuXZKUkaZclQoNujc3bA2xwKt1K2QQDIJup9frdyBwi4bl0T8TN2fNXFs4gjfT6yb3v8qcsRb4t5pZ259ZzyFhkos2yqYZk9lNaxinK1pZw82iUCuD31Qee92gV9aUzQ7Vg/fesnMq7e7ZV1ex0YzGsvr57dH7TWwq9Zy1pnCa32QY4/0aHXT7Qe8PJPF8SwAaHKMEh5dE2pMiLPQRHxaIsjlgYyC5hf4T2sdC8JAaEL1qgtmrT/CJwGlSVDuAIXYRfKYzrfHyMu7muff6BjhQ1NdRkZKQp5FqjrJ5bKiVeA54RbgqzgBwAUkl7eQtNIBADfSPDmWdPxBhIU5Epkcp2salqxsZKtzqyuuEhso+NU2bQzUA9WF3fS0IEzxFWySYB+jfhFy20S80JWKB08ttuJulVyS+Rs7yBuc7xTMIcCxxgjJG0rWzqptA+iFDXD7BAm3Z40LTqvmtSP/2GiJvJk/TZ9q9K5U3kFeoLQngI3sfp7ztKKJGsux4CrKiBF0nFyKWHRLP56ALTJMfpjb7lyfcVnoDX8pNjtca+bOPmyadbPsuO2Q2cqvCAEqtox9REaYEDhbKK8y0CSPw2ls3LzOakhWOY9FGKQi/aGu3FUdoimPMQpKKO7g2jR1AAUGnY20p6qKUNmzUcb+qr292Rr+J5/MhMUE0QAGcC9yFBp5JQaNbApKd1s9iRlI8pS7Ay6r/yg/r9wG1DRQa2uCiAtd0jSq3Fjahc362sIlIqdU4580CHSCTE59Zg0Dpcz94AQiRFb5guMFyEcJwpCCIhRhZk6jj1vfWzD/nHYP7ovo6+3x2vK3+0PkJYnjQNZq/YOH0PEUnZt1uFy4Y85zRf2Q4vhbzDKdRoP+G4Ns/VmS6IHGyM+MTQMrFO5eMr2ISzYlqeqdA4MSwnhIRLOTy139BQ25gRWbkz/5nuxYFZSGY9gqpesP36teWpevWgyQ/1bzaLCAWszlDDHIuFDpy8UsFLoiQp7llWZic3En3wVuQgwMye4dXQuxUY9B+Pts4YNYb8ZP1iipc9b6oZyksPrNnCbeF4xh2Q7+3urfXLI/wigRLKlOic6orHbYzw3+AmMc/hFdkAjemE29wYhKmBEsS/TqCSG7Xra9bKdF78fGXhAulOUY/H/sU/qcyv6cMLXH44QzpdC+oH/T6wV7bhysV2WEAkZ8+ju6QnZlAUoSmF4jVot5Jv1fOgIobpqa6OOqmqGZ1HG/KgsYsE0W5pdiohq3T8bZFh5hMF0mO7q7fLJG+pA/QqX+vjrLi5YnpwDRq7+CqfC3vHpuK/mqB5YSKiVoCNNo2sl6Wcdd6RdZPx/+pmaOOTiHU7XbvUCYAkHONBQYfoZRoOPF6BVOwn4220ZEySyrpXLs/jhd2Mpz0R6V5KTOmfkbCOe1MKVPfwnFeOKd/V3/86Pi41+vdgY1K8CaNCr/xInmKRIhZvajWJpXqdXsHwV2EQrXPSBpcERbxpkKqFUk+7Ke8wcMQkB5ChaxzwvA03jx/UMhTEkzzzDM3ETOLOZa1JuyZakZDflLM5ubqqxt0lcXd6wZdfZgIf9qaJAuCllxIJMgVSX1M/RtlYgrTIlfep7LYhCBCLOGuDbR2EnMqLVOWRKY0FGgLS4nDS3QFcIU8zEbD2b9Qed1GSUqvaEzmxAStmZtwSVIdvbfdRnSZ4FDmrfr32qoN1656bZ5Cs6opgwyBMZmcqhA1uMYIqDG/rKkOotuJeJgpkrcrluowGN5tigm7oimHui0bXWV9o7k+9od126Rjdo1csAZIiZmhNrrPDMGFLE0J1LJ5AlMkyTLh6VOanXMzotsmBu5+llhmmtGKpZEptQRUtAv7tZ2r8OHWxYYcbvasHBz59zZlSeHEI3edt97/PN7ON3vlGlMJuaEdj2AaQD4xu6RsDkfUrbd81Wqj1jsS0WzZ0tLc+onOFy2YAuWmoau+mlSnPl2LIAmifACpk3O7viR0lbe1G3QN/PgazhAjMqOsGLCmWsgfLsyRJ0XwBBWIrxiJtPWCGZ7rs6eT009n58GHdK6z1KAt+EIpT/T5rKPT5zMO1aJm1HO1vPwwbbRacKUMqLBBn5KjBYkT0Ptwoi5ICMKpLFvQE8r6SjjzLsskwUuBcJhyoQ3nFU/jaI2IsqsoYFTIYM6v4MyiY1QRiGtVGejLkc1E1UxJg9aFm/VaCwOAu4p7oCjsJogh2RpkMo8dz5KU8pRKMxEoJXOcwuWwpwLux8GKEa+6CV3Xt5xDfhl2D/3jR0hNMyrlVr/pBJIKZQTEem/QVzDaEVHryp5HqrXypZT/XhRyXPoHlVTnY4ivUczncxP/D0W/lC7VFzkRnVPYCG1GvDzNnWMICTOpTDw0pQynVJkxZzvvTt8dF3tjBqM75RE8A/snjq8FRBFCoLMdJYcD/csA/QJn/iy+zm+oShlbzdABOKjPUYtpDk2LjAhJIpSxiKToQvV1YVpfYLEgwgqeX4inkHwxJTnMtu1Ocwm6UO9fQGIPCOrOw2kTnmQxNsGQcAGoL7Cgd7/IzcW276Caiw1wwRyMsVC4qoicnHK5QAJ0t83E5i7b/IGCXHCdly20YyywRSP6ldIEjK1qs9pkjRwZsmQsAi/b08X25gfaL4UQHqUQwl+9+MH3WvDgpciB+XffGX8yGR/vVdjgr1LM4C9cwOB5Fy14doUKnldxgudWkOClCEGRCc+z8MD3V2zgpcDANysw8FJU4BsWFXjuhQS+1+IBLwUDvmK2n4zLeL8iAc+yMMAzKQbwvAsAfDdJ/zuq59doSuAiG7NwwVP9sRNafKO5vXmjnykM4X9D2yObiM3sSep1F2di7w/gtiKOTQpHOGZWQ609GYfQpgUX0lPUmk84pi5FY4Llwj7sPVgzQPVvTJKUhHA10YF0oPmLcCsDn2gxygkzG2ZVGJ+iL5B0Sf60odPrh6dR7qWHl3SuUZivkUwzUmxdc6TQLPdrSesPkzq5WUO6mx8A2cDF/zxLYVJ0Z3X0bcB6NUP+czeSBY3ed05vbFkxV0Ai/4AyIb3D0lt5BMcP+l1k30U0sssijHkW5StgpD5a1ECKlkTiCEtcvyjemV819CMsvArwwtwfwVE0gQcmtkn1ZEiE0NAyf40UKIeXArrEcy8Pfp5SYkk7eBpGvf5urf7IBeRUtYBOxw68qIdrOWLE4wd0pGYKHuJx5AuqHZAaf6BHZWm9ZaprH75xur0+7ABzYOPN3TiC3PN37mkD6S31takYe70tcbigjMAa36gz80LgvbBpXz4Wa7KBQrv5rU17TVIOWmzDiTOP333eUjLPrb6b+yg8Wtu+VQsRDy9BVo1eGNvPNctL/wZ2h9of41jXaACloH9TK1wseConWjPn9oTdjnV/HacT1mybblio5ga6+EpBiejdAXIKuR/rmOUxrP6VWqat6UppnLv3BprOW1B37LX05mad3r87kwYU/YDOP4w/vEY/8ZUyL5Y4UUpWkL9XxlLY6NHNmz1ar8+R0+l6CIGVXLX/5nL7k/5U08gpm3FfWs22oF5HVtd4Aqq+rxVPs28cj878uGNqI20DEorgehkH5jkdOIdTfabKOOvkb5aSeHFXgGC9pK+fmkKmLdvElPOYYLYhe2c5RyA8J5/2ar9cBNOMxtUuqzPqdu9W72Dc6x62NhvOhzMEPfgYlfqBhDwitevgprEImRIZLjYfjO1Fp+pj104CL7MpSRmRAAUwcvhP/7uadvPfnc1VNKDyRpEvhTdr1fylWzVrYdA3y1yZ4wmP6tXOnRazx4GE62Ol6uSqrrIaHX7fnj7yCH0+HVc7Apc5weHDEZW3WO2MRxWV/5Wd2Rw51c6MuvzbVytm7+fJEicJZXPzbOtvG64ib8RmI1nipDpkyOenD5ye3Li9sdUPPiVJTEMsiHzYKc7bXTPREUlifr0suZlf33He7pqO4QBqlsUPTrLX8Jqub7GD7tuxa/bWbuuNvq/vV7drNhijy/Pd5aP7oqZd82O+rzintm4fyNtGd9oEyJdNzU7TQ5ADjG8wPQ3Fv/OYX1LcwZnkERUQHpKT/3/0r2hsfrlG/nPI87xvPcSoacrfhc04XJPrjvfMc4E+5SlGg9zhVMsef5orXj5zA/BSI9X3SW86fF3T3TEOFybToy5S5UJyDXjFZGInFCoGuewqUaYzAUicyiyx90C6IV0OYamjgd25nDR1UPGSSEVYaiKEYN6IBJNcJ+yGL9THtgk5haFBXAGOIRe90Df7px/1E0a8EI3agAGHkKHCkCDAQArgTD0LDdw5SXmUhfLujDzX0Gqzdk0zykx0tN3U7b3FpdDtK+GyfW15PW/f0rUXbnrHnvW7HrLckO/JgkBpxpiaaMrqx2HLCN6598+f3qKFcj4XylWB7oy0wkhuYnqYpaWriqKbtKbXX1zhLEvfCgsn4salxJlcECZdJg1d5MiqtVnGAHxv7iaMOjspfut376mb/w4AAP//vrji0A==" } diff --git a/x-pack/functionbeat/magefile.go b/x-pack/functionbeat/magefile.go index e1982b66400..a317bd0cb71 100644 --- a/x-pack/functionbeat/magefile.go +++ b/x-pack/functionbeat/magefile.go @@ -159,9 +159,11 @@ func BuildPkgForFunctions() error { err := os.RemoveAll("pkg") filesToCopy := map[string]string{ - filepath.Join("provider", "aws", "functionbeat-aws"): filepath.Join("pkg", "functionbeat-aws"), - filepath.Join("provider", "gcp", "pubsub", "pubsub.go"): filepath.Join("pkg", "pubsub", "pubsub.go"), - filepath.Join("provider", "gcp", "storage", "storage.go"): filepath.Join("pkg", "storage", "storage.go"), + filepath.Join("provider", "aws", "functionbeat-aws"): filepath.Join("pkg", "functionbeat-aws"), + filepath.Join("provider", "gcp", "pubsub", "pubsub.go"): filepath.Join("pkg", "pubsub", "pubsub.go"), + filepath.Join("provider", "gcp", "storage", "storage.go"): filepath.Join("pkg", "storage", "storage.go"), + filepath.Join("provider", "gcp", "build", "pubsub", "vendor"): filepath.Join("pkg", "pubsub", "vendor"), + filepath.Join("provider", "gcp", "build", "storage", "vendor"): filepath.Join("pkg", "storage", "vendor"), } for src, dest := range filesToCopy { c := &devtools.CopyTask{ diff --git a/x-pack/functionbeat/manager/gcp/cli_manager.go b/x-pack/functionbeat/manager/gcp/cli_manager.go index f0cf31cc301..d286f1e465a 100644 --- a/x-pack/functionbeat/manager/gcp/cli_manager.go +++ b/x-pack/functionbeat/manager/gcp/cli_manager.go @@ -76,14 +76,19 @@ func (c *CLIManager) deploy(update bool, name string) error { executer.Add(newOpEnsureBucket(c.log, c.config)) executer.Add(newOpUploadToBucket(c.log, c.config, name, functionData.raw)) + token, err := c.getTokenSrc() + if err != nil { + return err + } + ctx := &functionContext{} if update { - executer.Add(newOpUpdateFunction(ctx, c.log, c.tokenSrc, functionData.function.Name, functionData.function)) + executer.Add(newOpUpdateFunction(ctx, c.log, token, functionData.function.Name, functionData.function)) } else { - executer.Add(newOpCreateFunction(ctx, c.log, c.tokenSrc, c.location, name, functionData.function)) + executer.Add(newOpCreateFunction(ctx, c.log, token, c.location, name, functionData.function)) } - executer.Add(newOpWaitForFunction(ctx, c.log, c.tokenSrc)) + executer.Add(newOpWaitForFunction(ctx, c.log, token)) if err := executer.Execute(nil); err != nil { if rollbackErr := executer.Rollback(nil); rollbackErr != nil { @@ -104,9 +109,14 @@ func (c *CLIManager) Remove(name string) error { return err } + token, err := c.getTokenSrc() + if err != nil { + return err + } + ctx := &functionContext{} executer := executor.NewExecutor(c.log) - executer.Add(newOpDeleteFunction(ctx, c.log, c.location, functionData.function.Name, c.tokenSrc)) + executer.Add(newOpDeleteFunction(ctx, c.log, c.location, functionData.function.Name, token)) executer.Add(newOpDeleteFromBucket(c.log, c.config, name)) if err := executer.Execute(nil); err != nil { @@ -151,6 +161,20 @@ func (c *CLIManager) Package(outputPattern string) error { return nil } +func (c *CLIManager) getTokenSrc() (oauth2.TokenSource, error) { + if c.tokenSrc != nil { + return c.tokenSrc, nil + } + + var err error + c.tokenSrc, err = google.DefaultTokenSource(context.Background(), "https://www.googleapis.com/auth/cloud-platform") + if err != nil { + return nil, fmt.Errorf("error while creating CLIManager: %+v", err) + } + + return c.tokenSrc, nil +} + // NewCLI returns the interface to manage functions on Google Cloud Platform. func NewCLI( log *logp.Logger, @@ -173,16 +197,10 @@ func NewCLI( location := fmt.Sprintf(locationTemplate, config.ProjectID, config.Location) - tokenSrc, err := google.DefaultTokenSource(context.TODO(), "https://www.googleapis.com/auth/cloud-platform") - if err != nil { - return nil, fmt.Errorf("error while creating CLIManager: %+v", err) - } - return &CLIManager{ config: config, log: logp.NewLogger("gcp"), location: location, - tokenSrc: tokenSrc, templateBuilder: templateBuilder, }, nil } diff --git a/x-pack/functionbeat/manager/gcp/template_builder.go b/x-pack/functionbeat/manager/gcp/template_builder.go index da468abee30..c6f1292ce15 100644 --- a/x-pack/functionbeat/manager/gcp/template_builder.go +++ b/x-pack/functionbeat/manager/gcp/template_builder.go @@ -190,5 +190,6 @@ func zipResources() map[string][]bundle.Resource { func zipResourcesOfFunc(typeName string) []bundle.Resource { root := filepath.Join("pkg", typeName) - return []bundle.Resource{&bundle.LocalFile{Path: filepath.Join(root, typeName+".go"), FileMode: 0755}} + vendor := bundle.Folder(filepath.Join("pkg", typeName, "vendor"), filepath.Join("pkg", typeName), 0644) + return append(vendor, &bundle.LocalFile{Path: filepath.Join(root, typeName+".go"), FileMode: 0755}) } diff --git a/x-pack/functionbeat/provider/aws/aws/config.go b/x-pack/functionbeat/provider/aws/aws/config.go index 604035522b5..932b8a1bc52 100644 --- a/x-pack/functionbeat/provider/aws/aws/config.go +++ b/x-pack/functionbeat/provider/aws/aws/config.go @@ -153,6 +153,12 @@ func (b *bucket) Unpack(s string) error { return fmt.Errorf("bucket name '%s' is too short, name need to be at least %d chars long", s, min) } + const bucketNamePattern = "^[a-z0-9][a-z0-9.\\-]{1,61}[a-z0-9]$" + var bucketRE = regexp.MustCompile(bucketNamePattern) + if !bucketRE.MatchString(s) { + return fmt.Errorf("invalid bucket name: '%s', bucket name must match pattern: '%s'", s, bucketNamePattern) + } + *b = bucket(s) return nil } diff --git a/x-pack/functionbeat/provider/aws/aws/config_test.go b/x-pack/functionbeat/provider/aws/aws/config_test.go index ac8e325804e..ef1045f188e 100644 --- a/x-pack/functionbeat/provider/aws/aws/config_test.go +++ b/x-pack/functionbeat/provider/aws/aws/config_test.go @@ -66,6 +66,36 @@ func TestBucket(t *testing.T) { err := b.Unpack("he") assert.Error(t, err) }) + + t.Run("bucket regex pattern, disallows semi-colon", func(t *testing.T) { + b := bucket("") + err := b.Unpack("asdfdaf;dfadsfadsf") + assert.Error(t, err) + }) + + t.Run("bucket regex pattern, disallows slash", func(t *testing.T) { + b := bucket("") + err := b.Unpack("asdfdaf/dfadsfadsf") + assert.Error(t, err) + }) + + t.Run("bucket regex pattern, allows dots", func(t *testing.T) { + b := bucket("") + err := b.Unpack("this.is.a.bucket") + if !assert.NoError(t, err) { + return + } + assert.Equal(t, bucket("this.is.a.bucket"), b) + }) + + t.Run("bucket regex pattern, allows hyphens", func(t *testing.T) { + b := bucket("") + err := b.Unpack("this-is-a-bucket") + if !assert.NoError(t, err) { + return + } + assert.Equal(t, bucket("this-is-a-bucket"), b) + }) } func TestNormalize(t *testing.T) { diff --git a/x-pack/functionbeat/provider/aws/aws/kinesis.go b/x-pack/functionbeat/provider/aws/aws/kinesis.go index 6c96285bf7f..86d1d92959a 100644 --- a/x-pack/functionbeat/provider/aws/aws/kinesis.go +++ b/x-pack/functionbeat/provider/aws/aws/kinesis.go @@ -70,7 +70,7 @@ func (s *startingPosition) Unpack(str string) error { func (s *startingPosition) String() string { v, ok := mapStartingPositionReverse[*s] if !ok { - panic("unknown starting position: " + string(*s)) + panic("unknown starting position: " + fmt.Sprint(*s)) } return v } @@ -93,17 +93,19 @@ func (cfg *KinesisConfig) Validate() error { // KinesisTriggerConfig configuration for the current trigger. type KinesisTriggerConfig struct { - EventSourceArn string `config:"event_source_arn" validate:"required"` - BatchSize int `config:"batch_size" validate:"min=100,max=10000"` - StartingPosition startingPosition `config:"starting_position"` + EventSourceArn string `config:"event_source_arn" validate:"required"` + BatchSize int `config:"batch_size" validate:"min=100,max=10000"` + StartingPosition startingPosition `config:"starting_position"` + ParallelizationFactor int `config:"parallelization_factor" validate:"min=1,max=10"` } // Unpack unpacks the trigger and make sure the defaults settings are correctly sets. func (c *KinesisTriggerConfig) Unpack(cfg *common.Config) error { type tmpConfig KinesisTriggerConfig config := tmpConfig{ - BatchSize: 100, - StartingPosition: trimHorizonPos, + BatchSize: 100, + StartingPosition: trimHorizonPos, + ParallelizationFactor: 1, } if err := cfg.Unpack(&config); err != nil { return err @@ -176,10 +178,11 @@ func (k *Kinesis) Template() *cloudformation.Template { for _, trigger := range k.config.Triggers { resourceName := prefix(k.Name() + trigger.EventSourceArn) template.Resources[resourceName] = &lambda.EventSourceMapping{ - BatchSize: trigger.BatchSize, - EventSourceArn: trigger.EventSourceArn, - FunctionName: cloudformation.GetAtt(prefix(""), "Arn"), - StartingPosition: trigger.StartingPosition.String(), + BatchSize: trigger.BatchSize, + ParallelizationFactor: trigger.ParallelizationFactor, + EventSourceArn: trigger.EventSourceArn, + FunctionName: cloudformation.GetAtt(prefix(""), "Arn"), + StartingPosition: trigger.StartingPosition.String(), } } diff --git a/x-pack/functionbeat/provider/aws/aws/kinesis_test.go b/x-pack/functionbeat/provider/aws/aws/kinesis_test.go index 6f54c1bf061..762cce1006d 100644 --- a/x-pack/functionbeat/provider/aws/aws/kinesis_test.go +++ b/x-pack/functionbeat/provider/aws/aws/kinesis_test.go @@ -39,7 +39,7 @@ func TestKinesis(t *testing.T) { assert.NoError(t, err) }) - t.Run("when publish is not succesful", func(t *testing.T) { + t.Run("when publish is not successful", func(t *testing.T) { e := errors.New("something bad") client := &arrayBackedClient{err: e} @@ -141,6 +141,32 @@ func testKinesisConfig(t *testing.T) { }, }, }, + "test upper bound parallelization factor limit": { + valid: false, + rawConfig: map[string]interface{}{ + "name": "mysuperfunctionname", + "description": "mylong description", + "triggers": []map[string]interface{}{ + map[string]interface{}{ + "event_source_arn": "abc123", + "parallelization_factor": 13, + }, + }, + }, + }, + "test lower bound parallelization factor limit": { + valid: false, + rawConfig: map[string]interface{}{ + "name": "mysuperfunctionname", + "description": "mylong description", + "triggers": []map[string]interface{}{ + map[string]interface{}{ + "event_source_arn": "abc123", + "parallelization_factor": 0, + }, + }, + }, + }, "test default values": { valid: true, rawConfig: map[string]interface{}{ @@ -158,9 +184,10 @@ func testKinesisConfig(t *testing.T) { LambdaConfig: DefaultLambdaConfig, Triggers: []*KinesisTriggerConfig{ &KinesisTriggerConfig{ - EventSourceArn: "abc123", - BatchSize: 100, - StartingPosition: trimHorizonPos, + EventSourceArn: "abc123", + BatchSize: 100, + StartingPosition: trimHorizonPos, + ParallelizationFactor: 1, }, }, }, diff --git a/x-pack/functionbeat/provider/aws/aws/transformer/transformer_test.go b/x-pack/functionbeat/provider/aws/aws/transformer/transformer_test.go index d96cc878c92..44657582a01 100644 --- a/x-pack/functionbeat/provider/aws/aws/transformer/transformer_test.go +++ b/x-pack/functionbeat/provider/aws/aws/transformer/transformer_test.go @@ -35,7 +35,7 @@ func TestCloudwatch(t *testing.T) { assert.Equal(t, 1, len(events)) expectedTime, err := time.ParseInLocation(time.RFC3339, "2019-08-27T12:24:51.193+00:00", time.UTC) - assert.Nil(t, err) + assert.NoError(t, err) expectedEvent := beat.Event{ Timestamp: expectedTime, @@ -139,7 +139,7 @@ ciJ9XX0=`), } events, err := CloudwatchKinesisEvent(request, true, false) - assert.Nil(t, err) + assert.NoError(t, err) assert.Equal(t, 3, len(events)) envelopeFields := common.MapStr{ diff --git a/x-pack/functionbeat/scripts/mage/update.go b/x-pack/functionbeat/scripts/mage/update.go index 468bdafbe0f..59b56cb6bed 100644 --- a/x-pack/functionbeat/scripts/mage/update.go +++ b/x-pack/functionbeat/scripts/mage/update.go @@ -5,9 +5,13 @@ package mage import ( + "os" + "path/filepath" + "github.com/magefile/mage/mg" devtools "github.com/elastic/beats/v7/dev-tools/mage" + "github.com/elastic/beats/v7/dev-tools/mage/gotool" ) // Update target namespace. @@ -20,7 +24,7 @@ var Aliases = map[string]interface{}{ // All updates all generated content. func (Update) All() { - mg.Deps(Update.Fields, Update.IncludeFields, Update.Config, Update.FieldDocs) + mg.Deps(Update.Fields, Update.IncludeFields, Update.Config, Update.FieldDocs, Update.VendorBeats) } // Config generates both the short and reference configs. @@ -46,3 +50,39 @@ func (Update) IncludeFields() error { return devtools.GenerateAllInOneFieldsGo() } + +// VendorBeats collects the vendor folder required to deploy the function for GCP. +func (Update) VendorBeats() error { + for _, f := range []string{"pubsub", "storage"} { + gcpVendorPath := filepath.Join("provider", "gcp", "build", f, "vendor") + err := os.RemoveAll(gcpVendorPath) + if err != nil { + return err + } + + deps, err := gotool.ListDepsLocation("github.com/elastic/beats/v7/x-pack/functionbeat/provider/gcp/" + f) + if err != nil { + return err + } + + for importPath, location := range deps { + cp := &devtools.CopyTask{ + Source: location, + Dest: filepath.Join(gcpVendorPath, importPath), + Mode: 0600, + DirMode: os.ModeDir | 0750, + Exclude: []string{ + ".*_test.go$", + ".*.yml", + }, + } + err = cp.Execute() + if err != nil { + return err + } + } + + } + + return nil +} diff --git a/x-pack/functionbeat/tests/system/functionbeat.py b/x-pack/functionbeat/tests/system/functionbeat.py index b2af1dbb11a..24327363aef 100644 --- a/x-pack/functionbeat/tests/system/functionbeat.py +++ b/x-pack/functionbeat/tests/system/functionbeat.py @@ -1,7 +1,5 @@ import os import sys - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../../../libbeat/tests/system')) from beat.beat import TestCase diff --git a/x-pack/functionbeat/tests/system/test_base.py b/x-pack/functionbeat/tests/system/test_base.py index b351ed63340..39a1051f806 100644 --- a/x-pack/functionbeat/tests/system/test_base.py +++ b/x-pack/functionbeat/tests/system/test_base.py @@ -3,9 +3,10 @@ import json import os import unittest +from beat import common_tests -class Test(BaseTest): +class Test(BaseTest, common_tests.TestExportsMixin): @unittest.skip("temporarily disabled") def test_base(self): """ @@ -112,6 +113,6 @@ def _get_generated_function_template(self): log = self.get_log() # Trim the extra output from the Go test wrapper (like PASS/FAIL and # coverage information). - log = log[:log.rindex('}')+1] + log = log[:log.rindex('}') + 1] function_template = json.loads(log) return function_template diff --git a/x-pack/heartbeat/Makefile b/x-pack/heartbeat/Makefile new file mode 100644 index 00000000000..019d3b9309a --- /dev/null +++ b/x-pack/heartbeat/Makefile @@ -0,0 +1,3 @@ +ES_BEATS ?= ../.. + +include $(ES_BEATS)/dev-tools/make/mage.mk diff --git a/x-pack/heartbeat/heartbeat.docker.yml b/x-pack/heartbeat/heartbeat.docker.yml new file mode 100644 index 00000000000..92c05b65ded --- /dev/null +++ b/x-pack/heartbeat/heartbeat.docker.yml @@ -0,0 +1,32 @@ +# Define a directory to load monitor definitions from. Definitions take the form +# of individual yaml files. +heartbeat.config.monitors: + # Directory + glob pattern to search for configuration files + path: ${path.config}/monitors.d/*.yml + # If enabled, heartbeat will periodically check the config.monitors path for changes + reload.enabled: false + # How often to check for changes + reload.period: 5s + + +heartbeat.monitors: +- type: http + schedule: '@every 5s' + urls: + - http://elasticsearch:9200 + - http://kibana:5601 + +- type: icmp + schedule: '@every 5s' + hosts: + - elasticsearch + - kibana + +processors: + - add_cloud_metadata: ~ + - add_docker_metadata: ~ + +output.elasticsearch: + hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}' + username: '${ELASTICSEARCH_USERNAME:}' + password: '${ELASTICSEARCH_PASSWORD:}' diff --git a/x-pack/heartbeat/heartbeat.reference.yml b/x-pack/heartbeat/heartbeat.reference.yml new file mode 100644 index 00000000000..687552ef33b --- /dev/null +++ b/x-pack/heartbeat/heartbeat.reference.yml @@ -0,0 +1,1783 @@ +################### Heartbeat Configuration Example ######################### + +# This file is a full configuration example documenting all non-deprecated +# options in comments. For a shorter configuration example, that contains +# only some common options, please see heartbeat.yml in the same directory. +# +# You can find the full configuration reference here: +# https://www.elastic.co/guide/en/beats/heartbeat/index.html + +############################# Heartbeat ###################################### + + +# Define a directory to load monitor definitions from. Definitions take the form +# of individual yaml files. +heartbeat.config.monitors: + # Directory + glob pattern to search for configuration files + path: ${path.config}/monitors.d/*.yml + # If enabled, heartbeat will periodically check the config.monitors path for changes + reload.enabled: false + # How often to check for changes + reload.period: 5s + +# Configure monitors +heartbeat.monitors: +- type: icmp # monitor type `icmp` (requires root) uses ICMP Echo Request to ping + # configured hosts + + # ID used to uniquely identify this monitor in elasticsearch even if the config changes + id: my-monitor + + # Human readable display name for this service in Uptime UI and elsewhere + name: my-icmp-monitor + + # Name of corresponding APM service, if Elastic APM is in use for the monitored service. + # service_name: my-apm-service-name + + # Enable/Disable monitor + #enabled: true + + # Configure task schedule using cron-like syntax + schedule: '*/5 * * * * * *' # exactly every 5 seconds like 10:00:00, 10:00:05, ... + + # List of hosts to ping + hosts: ["localhost"] + + # Configure IP protocol types to ping on if hostnames are configured. + # Ping all resolvable IPs if `mode` is `all`, or only one IP if `mode` is `any`. + ipv4: true + ipv6: true + mode: any + + # Total running time per ping test. + timeout: 16s + + # Waiting duration until another ICMP Echo Request is emitted. + wait: 1s + + # The tags of the monitors are included in their own field with each + # transaction published. Tags make it easy to group servers by different + # logical properties. + #tags: ["service-X", "web-tier"] + + # Optional fields that you can specify to add additional information to the + # monitor output. Fields can be scalar values, arrays, dictionaries, or any nested + # combination of these. + #fields: + # env: staging + + # If this option is set to true, the custom fields are stored as top-level + # fields in the output document instead of being grouped under a fields + # sub-dictionary. Default is false. + #fields_under_root: false + + # NOTE: THIS FEATURE IS DEPRECATED AND WILL BE REMOVED IN A FUTURE RELEASE + # Configure file json file to be watched for changes to the monitor: + #watch.poll_file: + # Path to check for updates. + #path: + + # Interval between file file changed checks. + #interval: 5s + + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # The index name associated with this input. If this is set, it + # overwrites the index option from the Elasticsearch output. + #index: + + # Set to true to publish fields with null values in events. + #keep_null: false + +# Define a directory to load monitor definitions from. Definitions take the form +# of individual yaml files. +# heartbeat.config.monitors: + # Directory + glob pattern to search for configuration files + #path: /path/to/my/monitors.d/*.yml + # If enabled, heartbeat will periodically check the config.monitors path for changes + #reload.enabled: true + # How often to check for changes + #reload.period: 1s + +- type: tcp # monitor type `tcp`. Connect via TCP and optionally verify endpoint + # by sending/receiving a custom payload + # ID used to uniquely identify this monitor in elasticsearch even if the config changes + id: my-monitor + + # Human readable display name for this service in Uptime UI and elsewhere + name: my-tcp-monitor + + # Enable/Disable monitor + #enabled: true + + # Configure task schedule + schedule: '@every 5s' # every 5 seconds from start of beat + + # configure hosts to ping. + # Entries can be: + # - plain host name or IP like `localhost`: + # Requires ports configs to be checked. If ssl is configured, + # a SSL/TLS based connection will be established. Otherwise plain tcp connection + # will be established + # - hostname + port like `localhost:12345`: + # Connect to port on given host. If ssl is configured, + # a SSL/TLS based connection will be established. Otherwise plain tcp connection + # will be established + # - full url syntax. `scheme://:[port]`. The `` can be one of + # `tcp`, `plain`, `ssl` and `tls`. If `tcp`, `plain` is configured, a plain + # tcp connection will be established, even if ssl is configured. + # Using `tls`/`ssl`, an SSL connection is established. If no ssl is configured, + # system defaults will be used (not supported on windows). + # If `port` is missing in url, the ports setting is required. + hosts: ["localhost:9200"] + + # Configure IP protocol types to ping on if hostnames are configured. + # Ping all resolvable IPs if `mode` is `all`, or only one IP if `mode` is `any`. + ipv4: true + ipv6: true + mode: any + + # List of ports to ping if host does not contain a port number + # ports: [80, 9200, 5044] + + # Total test connection and data exchange timeout + #timeout: 16s + + # Optional payload string to send to remote and expected answer. If none is + # configured, the endpoint is expected to be up if connection attempt was + # successful. If only `send_string` is configured, any response will be + # accepted as ok. If only `receive_string` is configured, no payload will be + # send, but client expects to receive expected payload on connect. + #check: + #send: '' + #receive: '' + + # SOCKS5 proxy url + # proxy_url: '' + + # Resolve hostnames locally instead on SOCKS5 server: + #proxy_use_local_resolver: false + + # TLS/SSL connection settings: + #ssl: + # Certificate Authorities + #certificate_authorities: [''] + + # Required TLS protocols + #supported_protocols: ["TLSv1.0", "TLSv1.1", "TLSv1.2"] + + # NOTE: THIS FEATURE IS DEPRECATED AND WILL BE REMOVED IN A FUTURE RELEASE + # Configure file json file to be watched for changes to the monitor: + #watch.poll_file: + # Path to check for updates. + #path: + + # Interval between file file changed checks. + #interval: 5s + + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # The index name associated with this input. If this is set, it + # overwrites the index option from the Elasticsearch output. + #index: + + # Set to true to publish fields with null values in events. + #keep_null: false + +- type: http # monitor type `http`. Connect via HTTP an optionally verify response + # ID used to uniquely identify this monitor in elasticsearch even if the config changes + id: my-http-monitor + + # Human readable display name for this service in Uptime UI and elsewhere + name: My Monitor + + # Enable/Disable monitor + #enabled: true + + # Configure task schedule + schedule: '@every 5s' # every 5 seconds from start of beat + + # Configure URLs to ping + urls: ["http://localhost:9200"] + + # Configure IP protocol types to ping on if hostnames are configured. + # Ping all resolvable IPs if `mode` is `all`, or only one IP if `mode` is `any`. + ipv4: true + ipv6: true + mode: any + + # Configure file json file to be watched for changes to the monitor: + #watch.poll_file: + # Path to check for updates. + #path: + + # Interval between file file changed checks. + #interval: 5s + + # Optional HTTP proxy url. + #proxy_url: '' + + # Total test connection and data exchange timeout + #timeout: 16s + + # Optional Authentication Credentials + #username: '' + #password: '' + + # TLS/SSL connection settings for use with HTTPS endpoint. If not configured + # system defaults will be used. + #ssl: + # Certificate Authorities + #certificate_authorities: [''] + + # Required TLS protocols + #supported_protocols: ["TLSv1.0", "TLSv1.1", "TLSv1.2"] + + # Request settings: + #check.request: + # Configure HTTP method to use. Only 'HEAD', 'GET' and 'POST' methods are allowed. + #method: "GET" + + # Dictionary of additional HTTP headers to send: + #headers: + + # Optional request body content + #body: + + # Expected response settings + #check.response: + # Expected status code. If not configured or set to 0 any status code not + # being 404 is accepted. + #status: 0 + + # Required response headers. + #headers: + + # Required response contents. + #body: + + # Parses the body as JSON, then checks against the given condition expression + #json: + #- description: Explanation of what the check does + # condition: + # equals: + # myField: expectedValue + + + # NOTE: THIS FEATURE IS DEPRECATED AND WILL BE REMOVED IN A FUTURE RELEASE + # Configure file json file to be watched for changes to the monitor: + #watch.poll_file: + # Path to check for updates. + #path: + + # Interval between file file changed checks. + #interval: 5s + + # The Ingest Node pipeline ID associated with this input. If this is set, it + # overwrites the pipeline option from the Elasticsearch output. + #pipeline: + + # The index name associated with this input. If this is set, it + # overwrites the index option from the Elasticsearch output. + #index: + + # Set to true to publish fields with null values in events. + #keep_null: false + +heartbeat.scheduler: + # Limit number of concurrent tasks executed by heartbeat. The task limit if + # disabled if set to 0. The default is 0. + #limit: 0 + + # Set the scheduler it's time zone + #location: '' + +# ================================== General =================================== + +# The name of the shipper that publishes the network data. It can be used to group +# all the transactions sent by a single shipper in the web interface. +# If this options is not defined, the hostname is used. +#name: + +# The tags of the shipper are included in their own field with each +# transaction published. Tags make it easy to group servers by different +# logical properties. +#tags: ["service-X", "web-tier"] + +# Optional fields that you can specify to add additional information to the +# output. Fields can be scalar values, arrays, dictionaries, or any nested +# combination of these. +#fields: +# env: staging + +# If this option is set to true, the custom fields are stored as top-level +# fields in the output document instead of being grouped under a fields +# sub-dictionary. Default is false. +#fields_under_root: false + +# Internal queue configuration for buffering events to be published. +#queue: + # Queue type by name (default 'mem') + # The memory queue will present all available events (up to the outputs + # bulk_max_size) to the output, the moment the output is ready to server + # another batch of events. + #mem: + # Max number of events the queue can buffer. + #events: 4096 + + # Hints the minimum number of events stored in the queue, + # before providing a batch of events to the outputs. + # The default value is set to 2048. + # A value of 0 ensures events are immediately available + # to be sent to the outputs. + #flush.min_events: 2048 + + # Maximum duration after which events are available to the outputs, + # if the number of events stored in the queue is < `flush.min_events`. + #flush.timeout: 1s + + # The spool queue will store events in a local spool file, before + # forwarding the events to the outputs. + # + # Beta: spooling to disk is currently a beta feature. Use with care. + # + # The spool file is a circular buffer, which blocks once the file/buffer is full. + # Events are put into a write buffer and flushed once the write buffer + # is full or the flush_timeout is triggered. + # Once ACKed by the output, events are removed immediately from the queue, + # making space for new events to be persisted. + #spool: + # The file namespace configures the file path and the file creation settings. + # Once the file exists, the `size`, `page_size` and `prealloc` settings + # will have no more effect. + #file: + # Location of spool file. The default value is ${path.data}/spool.dat. + #path: "${path.data}/spool.dat" + + # Configure file permissions if file is created. The default value is 0600. + #permissions: 0600 + + # File size hint. The spool blocks, once this limit is reached. The default value is 100 MiB. + #size: 100MiB + + # The files page size. A file is split into multiple pages of the same size. The default value is 4KiB. + #page_size: 4KiB + + # If prealloc is set, the required space for the file is reserved using + # truncate. The default value is true. + #prealloc: true + + # Spool writer settings + # Events are serialized into a write buffer. The write buffer is flushed if: + # - The buffer limit has been reached. + # - The configured limit of buffered events is reached. + # - The flush timeout is triggered. + #write: + # Sets the write buffer size. + #buffer_size: 1MiB + + # Maximum duration after which events are flushed if the write buffer + # is not full yet. The default value is 1s. + #flush.timeout: 1s + + # Number of maximum buffered events. The write buffer is flushed once the + # limit is reached. + #flush.events: 16384 + + # Configure the on-disk event encoding. The encoding can be changed + # between restarts. + # Valid encodings are: json, ubjson, and cbor. + #codec: cbor + #read: + # Reader flush timeout, waiting for more events to become available, so + # to fill a complete batch as required by the outputs. + # If flush_timeout is 0, all available events are forwarded to the + # outputs immediately. + # The default value is 0s. + #flush.timeout: 0s + +# Sets the maximum number of CPUs that can be executing simultaneously. The +# default is the number of logical CPUs available in the system. +#max_procs: + +# ================================= Processors ================================= + +# Processors are used to reduce the number of fields in the exported event or to +# enhance the event with external metadata. This section defines a list of +# processors that are applied one by one and the first one receives the initial +# event: +# +# event -> filter1 -> event1 -> filter2 ->event2 ... +# +# The supported processors are drop_fields, drop_event, include_fields, +# decode_json_fields, and add_cloud_metadata. +# +# For example, you can use the following processors to keep the fields that +# contain CPU load percentages, but remove the fields that contain CPU ticks +# values: +# +#processors: +# - include_fields: +# fields: ["cpu"] +# - drop_fields: +# fields: ["cpu.user", "cpu.system"] +# +# The following example drops the events that have the HTTP response code 200: +# +#processors: +# - drop_event: +# when: +# equals: +# http.code: 200 +# +# The following example renames the field a to b: +# +#processors: +# - rename: +# fields: +# - from: "a" +# to: "b" +# +# The following example tokenizes the string into fields: +# +#processors: +# - dissect: +# tokenizer: "%{key1} - %{key2}" +# field: "message" +# target_prefix: "dissect" +# +# The following example enriches each event with metadata from the cloud +# provider about the host machine. It works on EC2, GCE, DigitalOcean, +# Tencent Cloud, and Alibaba Cloud. +# +#processors: +# - add_cloud_metadata: ~ +# +# The following example enriches each event with the machine's local time zone +# offset from UTC. +# +#processors: +# - add_locale: +# format: offset +# +# The following example enriches each event with docker metadata, it matches +# given fields to an existing container id and adds info from that container: +# +#processors: +# - add_docker_metadata: +# host: "unix:///var/run/docker.sock" +# match_fields: ["system.process.cgroup.id"] +# match_pids: ["process.pid", "process.ppid"] +# match_source: true +# match_source_index: 4 +# match_short_id: false +# cleanup_timeout: 60 +# labels.dedot: false +# # To connect to Docker over TLS you must specify a client and CA certificate. +# #ssl: +# # certificate_authority: "/etc/pki/root/ca.pem" +# # certificate: "/etc/pki/client/cert.pem" +# # key: "/etc/pki/client/cert.key" +# +# The following example enriches each event with docker metadata, it matches +# container id from log path available in `source` field (by default it expects +# it to be /var/lib/docker/containers/*/*.log). +# +#processors: +# - add_docker_metadata: ~ +# +# The following example enriches each event with host metadata. +# +#processors: +# - add_host_metadata: ~ +# +# The following example enriches each event with process metadata using +# process IDs included in the event. +# +#processors: +# - add_process_metadata: +# match_pids: ["system.process.ppid"] +# target: system.process.parent +# +# The following example decodes fields containing JSON strings +# and replaces the strings with valid JSON objects. +# +#processors: +# - decode_json_fields: +# fields: ["field1", "field2", ...] +# process_array: false +# max_depth: 1 +# target: "" +# overwrite_keys: false +# +#processors: +# - decompress_gzip_field: +# from: "field1" +# to: "field2" +# ignore_missing: false +# fail_on_error: true +# +# The following example copies the value of message to message_copied +# +#processors: +# - copy_fields: +# fields: +# - from: message +# to: message_copied +# fail_on_error: true +# ignore_missing: false +# +# The following example truncates the value of message to 1024 bytes +# +#processors: +# - truncate_fields: +# fields: +# - message +# max_bytes: 1024 +# fail_on_error: false +# ignore_missing: true +# +# The following example preserves the raw message under event.original +# +#processors: +# - copy_fields: +# fields: +# - from: message +# to: event.original +# fail_on_error: false +# ignore_missing: true +# - truncate_fields: +# fields: +# - event.original +# max_bytes: 1024 +# fail_on_error: false +# ignore_missing: true +# +# The following example URL-decodes the value of field1 to field2 +# +#processors: +# - urldecode: +# fields: +# - from: "field1" +# to: "field2" +# ignore_missing: false +# fail_on_error: true + +# =============================== Elastic Cloud ================================ + +# These settings simplify using Heartbeat with the Elastic Cloud (https://cloud.elastic.co/). + +# The cloud.id setting overwrites the `output.elasticsearch.hosts` and +# `setup.kibana.host` options. +# You can find the `cloud.id` in the Elastic Cloud web UI. +#cloud.id: + +# The cloud.auth setting overwrites the `output.elasticsearch.username` and +# `output.elasticsearch.password` settings. The format is `:`. +#cloud.auth: + +# ================================== Outputs =================================== + +# Configure what output to use when sending the data collected by the beat. + +# ---------------------------- Elasticsearch Output ---------------------------- +output.elasticsearch: + # Boolean flag to enable or disable the output module. + #enabled: true + + # Array of hosts to connect to. + # Scheme and port can be left out and will be set to the default (http and 9200) + # In case you specify and additional path, the scheme is required: http://localhost:9200/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200 + hosts: ["localhost:9200"] + + # Set gzip compression level. + #compression_level: 0 + + # Configure escaping HTML symbols in strings. + #escape_html: false + + # Protocol - either `http` (default) or `https`. + #protocol: "https" + + # Authentication credentials - either API key or username/password. + #api_key: "id:api_key" + #username: "elastic" + #password: "changeme" + + # Dictionary of HTTP parameters to pass within the URL with index operations. + #parameters: + #param1: value1 + #param2: value2 + + # Number of workers per Elasticsearch host. + #worker: 1 + + # Optional index name. The default is "heartbeat" plus date + # and generates [heartbeat-]YYYY.MM.DD keys. + # In case you modify this pattern you must update setup.template.name and setup.template.pattern accordingly. + #index: "heartbeat-%{[agent.version]}-%{+yyyy.MM.dd}" + + # Optional ingest node pipeline. By default no pipeline will be used. + #pipeline: "" + + # Optional HTTP path + #path: "/elasticsearch" + + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Proxy server URL + #proxy_url: http://proxy:3128 + + # Whether to disable proxy settings for outgoing connections. If true, this + # takes precedence over both the proxy_url field and any environment settings + # (HTTP_PROXY, HTTPS_PROXY). The default is false. + #proxy_disable: false + + # The number of times a particular Elasticsearch index operation is attempted. If + # the indexing operation doesn't succeed after this many retries, the events are + # dropped. The default is 3. + #max_retries: 3 + + # The maximum number of events to bulk in a single Elasticsearch bulk API index request. + # The default is 50. + #bulk_max_size: 50 + + # The number of seconds to wait before trying to reconnect to Elasticsearch + # after a network error. After waiting backoff.init seconds, the Beat + # tries to reconnect. If the attempt fails, the backoff timer is increased + # exponentially up to backoff.max. After a successful connection, the backoff + # timer is reset. The default is 1s. + #backoff.init: 1s + + # The maximum number of seconds to wait before attempting to connect to + # Elasticsearch after a network error. The default is 60s. + #backoff.max: 60s + + # Configure HTTP request timeout before failing a request to Elasticsearch. + #timeout: 90 + + # Use SSL settings for HTTPS. + #ssl.enabled: true + + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions from 1.1 + # up to 1.3 are enabled. + #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client certificate key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the certificate key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE-based cipher suites + #ssl.curve_types: [] + + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. + #kerberos.enabled: true + + # Authentication type to use with Kerberos. Available options: keytab, password. + #kerberos.auth_type: password + + # Path to the keytab file. It is used when auth_type is set to keytab. + #kerberos.keytab: /etc/elastic.keytab + + # Path to the Kerberos configuration. + #kerberos.config_path: /etc/krb5.conf + + # Name of the Kerberos user. + #kerberos.username: elastic + + # Password of the Kerberos user. It is used when auth_type is set to password. + #kerberos.password: changeme + + # Kerberos realm. + #kerberos.realm: ELASTIC + +# ------------------------------ Logstash Output ------------------------------- +#output.logstash: + # Boolean flag to enable or disable the output module. + #enabled: true + + # The Logstash hosts + #hosts: ["localhost:5044"] + + # Number of workers per Logstash host. + #worker: 1 + + # Set gzip compression level. + #compression_level: 3 + + # Configure escaping HTML symbols in strings. + #escape_html: false + + # Optional maximum time to live for a connection to Logstash, after which the + # connection will be re-established. A value of `0s` (the default) will + # disable this feature. + # + # Not yet supported for async connections (i.e. with the "pipelining" option set) + #ttl: 30s + + # Optionally load-balance events between Logstash hosts. Default is false. + #loadbalance: false + + # Number of batches to be sent asynchronously to Logstash while processing + # new batches. + #pipelining: 2 + + # If enabled only a subset of events in a batch of events is transferred per + # transaction. The number of events to be sent increases up to `bulk_max_size` + # if no error is encountered. + #slow_start: false + + # The number of seconds to wait before trying to reconnect to Logstash + # after a network error. After waiting backoff.init seconds, the Beat + # tries to reconnect. If the attempt fails, the backoff timer is increased + # exponentially up to backoff.max. After a successful connection, the backoff + # timer is reset. The default is 1s. + #backoff.init: 1s + + # The maximum number of seconds to wait before attempting to connect to + # Logstash after a network error. The default is 60s. + #backoff.max: 60s + + # Optional index name. The default index name is set to heartbeat + # in all lowercase. + #index: 'heartbeat' + + # SOCKS5 proxy server URL + #proxy_url: socks5://user:password@socks5-server:2233 + + # Resolve names locally when using a proxy server. Defaults to false. + #proxy_use_local_resolver: false + + # Use SSL settings for HTTPS. + #ssl.enabled: true + + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions from 1.1 + # up to 1.3 are enabled. + #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client certificate key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the certificate key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE-based cipher suites + #ssl.curve_types: [] + + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # The number of times to retry publishing an event after a publishing failure. + # After the specified number of retries, the events are typically dropped. + # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting + # and retry until all events are published. Set max_retries to a value less + # than 0 to retry until all events are published. The default is 3. + #max_retries: 3 + + # The maximum number of events to bulk in a single Logstash request. The + # default is 2048. + #bulk_max_size: 2048 + + # The number of seconds to wait for responses from the Logstash server before + # timing out. The default is 30s. + #timeout: 30s + +# -------------------------------- Kafka Output -------------------------------- +#output.kafka: + # Boolean flag to enable or disable the output module. + #enabled: true + + # The list of Kafka broker addresses from which to fetch the cluster metadata. + # The cluster metadata contain the actual Kafka brokers events are published + # to. + #hosts: ["localhost:9092"] + + # The Kafka topic used for produced events. The setting can be a format string + # using any event field. To set the topic from document type use `%{[type]}`. + #topic: beats + + # The Kafka event key setting. Use format string to create a unique event key. + # By default no event key will be generated. + #key: '' + + # The Kafka event partitioning strategy. Default hashing strategy is `hash` + # using the `output.kafka.key` setting or randomly distributes events if + # `output.kafka.key` is not configured. + #partition.hash: + # If enabled, events will only be published to partitions with reachable + # leaders. Default is false. + #reachable_only: false + + # Configure alternative event field names used to compute the hash value. + # If empty `output.kafka.key` setting will be used. + # Default value is empty list. + #hash: [] + + # Authentication details. Password is required if username is set. + #username: '' + #password: '' + + # Kafka version Heartbeat is assumed to run against. Defaults to the "1.0.0". + #version: '1.0.0' + + # Configure JSON encoding + #codec.json: + # Pretty-print JSON event + #pretty: false + + # Configure escaping HTML symbols in strings. + #escape_html: false + + # Metadata update configuration. Metadata contains leader information + # used to decide which broker to use when publishing. + #metadata: + # Max metadata request retry attempts when cluster is in middle of leader + # election. Defaults to 3 retries. + #retry.max: 3 + + # Wait time between retries during leader elections. Default is 250ms. + #retry.backoff: 250ms + + # Refresh metadata interval. Defaults to every 10 minutes. + #refresh_frequency: 10m + + # Strategy for fetching the topics metadata from the broker. Default is false. + #full: false + + # The number of concurrent load-balanced Kafka output workers. + #worker: 1 + + # The number of times to retry publishing an event after a publishing failure. + # After the specified number of retries, events are typically dropped. + # Some Beats, such as Filebeat, ignore the max_retries setting and retry until + # all events are published. Set max_retries to a value less than 0 to retry + # until all events are published. The default is 3. + #max_retries: 3 + + # The number of seconds to wait before trying to republish to Kafka + # after a network error. After waiting backoff.init seconds, the Beat + # tries to republish. If the attempt fails, the backoff timer is increased + # exponentially up to backoff.max. After a successful publish, the backoff + # timer is reset. The default is 1s. + #backoff.init: 1s + + # The maximum number of seconds to wait before attempting to republish to + # Kafka after a network error. The default is 60s. + #backoff.max: 60s + + # The maximum number of events to bulk in a single Kafka request. The default + # is 2048. + #bulk_max_size: 2048 + + # Duration to wait before sending bulk Kafka request. 0 is no delay. The default + # is 0. + #bulk_flush_frequency: 0s + + # The number of seconds to wait for responses from the Kafka brokers before + # timing out. The default is 30s. + #timeout: 30s + + # The maximum duration a broker will wait for number of required ACKs. The + # default is 10s. + #broker_timeout: 10s + + # The number of messages buffered for each Kafka broker. The default is 256. + #channel_buffer_size: 256 + + # The keep-alive period for an active network connection. If 0s, keep-alives + # are disabled. The default is 0 seconds. + #keep_alive: 0 + + # Sets the output compression codec. Must be one of none, snappy and gzip. The + # default is gzip. + #compression: gzip + + # Set the compression level. Currently only gzip provides a compression level + # between 0 and 9. The default value is chosen by the compression algorithm. + #compression_level: 4 + + # The maximum permitted size of JSON-encoded messages. Bigger messages will be + # dropped. The default value is 1000000 (bytes). This value should be equal to + # or less than the broker's message.max.bytes. + #max_message_bytes: 1000000 + + # The ACK reliability level required from broker. 0=no response, 1=wait for + # local commit, -1=wait for all replicas to commit. The default is 1. Note: + # If set to 0, no ACKs are returned by Kafka. Messages might be lost silently + # on error. + #required_acks: 1 + + # The configurable ClientID used for logging, debugging, and auditing + # purposes. The default is "beats". + #client_id: beats + + # Use SSL settings for HTTPS. + #ssl.enabled: true + + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions from 1.1 + # up to 1.3 are enabled. + #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client certificate key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the certificate key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE-based cipher suites + #ssl.curve_types: [] + + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. + #kerberos.enabled: true + + # Authentication type to use with Kerberos. Available options: keytab, password. + #kerberos.auth_type: password + + # Path to the keytab file. It is used when auth_type is set to keytab. + #kerberos.keytab: /etc/security/keytabs/kafka.keytab + + # Path to the Kerberos configuration. + #kerberos.config_path: /etc/krb5.conf + + # The service name. Service principal name is contructed from + # service_name/hostname@realm. + #kerberos.service_name: kafka + + # Name of the Kerberos user. + #kerberos.username: elastic + + # Password of the Kerberos user. It is used when auth_type is set to password. + #kerberos.password: changeme + + # Kerberos realm. + #kerberos.realm: ELASTIC + +# -------------------------------- Redis Output -------------------------------- +#output.redis: + # Boolean flag to enable or disable the output module. + #enabled: true + + # Configure JSON encoding + #codec.json: + # Pretty print json event + #pretty: false + + # Configure escaping HTML symbols in strings. + #escape_html: false + + # The list of Redis servers to connect to. If load-balancing is enabled, the + # events are distributed to the servers in the list. If one server becomes + # unreachable, the events are distributed to the reachable servers only. + # The hosts setting supports redis and rediss urls with custom password like + # redis://:password@localhost:6379. + #hosts: ["localhost:6379"] + + # The name of the Redis list or channel the events are published to. The + # default is heartbeat. + #key: heartbeat + + # The password to authenticate to Redis with. The default is no authentication. + #password: + + # The Redis database number where the events are published. The default is 0. + #db: 0 + + # The Redis data type to use for publishing events. If the data type is list, + # the Redis RPUSH command is used. If the data type is channel, the Redis + # PUBLISH command is used. The default value is list. + #datatype: list + + # The number of workers to use for each host configured to publish events to + # Redis. Use this setting along with the loadbalance option. For example, if + # you have 2 hosts and 3 workers, in total 6 workers are started (3 for each + # host). + #worker: 1 + + # If set to true and multiple hosts or workers are configured, the output + # plugin load balances published events onto all Redis hosts. If set to false, + # the output plugin sends all events to only one host (determined at random) + # and will switch to another host if the currently selected one becomes + # unreachable. The default value is true. + #loadbalance: true + + # The Redis connection timeout in seconds. The default is 5 seconds. + #timeout: 5s + + # The number of times to retry publishing an event after a publishing failure. + # After the specified number of retries, the events are typically dropped. + # Some Beats, such as Filebeat, ignore the max_retries setting and retry until + # all events are published. Set max_retries to a value less than 0 to retry + # until all events are published. The default is 3. + #max_retries: 3 + + # The number of seconds to wait before trying to reconnect to Redis + # after a network error. After waiting backoff.init seconds, the Beat + # tries to reconnect. If the attempt fails, the backoff timer is increased + # exponentially up to backoff.max. After a successful connection, the backoff + # timer is reset. The default is 1s. + #backoff.init: 1s + + # The maximum number of seconds to wait before attempting to connect to + # Redis after a network error. The default is 60s. + #backoff.max: 60s + + # The maximum number of events to bulk in a single Redis request or pipeline. + # The default is 2048. + #bulk_max_size: 2048 + + # The URL of the SOCKS5 proxy to use when connecting to the Redis servers. The + # value must be a URL with a scheme of socks5://. + #proxy_url: + + # This option determines whether Redis hostnames are resolved locally when + # using a proxy. The default value is false, which means that name resolution + # occurs on the proxy server. + #proxy_use_local_resolver: false + + # Use SSL settings for HTTPS. + #ssl.enabled: true + + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions from 1.1 + # up to 1.3 are enabled. + #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client certificate key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the certificate key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE-based cipher suites + #ssl.curve_types: [] + + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + +# -------------------------------- File Output --------------------------------- +#output.file: + # Boolean flag to enable or disable the output module. + #enabled: true + + # Configure JSON encoding + #codec.json: + # Pretty-print JSON event + #pretty: false + + # Configure escaping HTML symbols in strings. + #escape_html: false + + # Path to the directory where to save the generated files. The option is + # mandatory. + #path: "/tmp/heartbeat" + + # Name of the generated files. The default is `heartbeat` and it generates + # files: `heartbeat`, `heartbeat.1`, `heartbeat.2`, etc. + #filename: heartbeat + + # Maximum size in kilobytes of each file. When this size is reached, and on + # every Heartbeat restart, the files are rotated. The default value is 10240 + # kB. + #rotate_every_kb: 10000 + + # Maximum number of files under path. When this number of files is reached, + # the oldest file is deleted and the rest are shifted from last to first. The + # default is 7 files. + #number_of_files: 7 + + # Permissions to use for file creation. The default is 0600. + #permissions: 0600 + +# ------------------------------- Console Output ------------------------------- +#output.console: + # Boolean flag to enable or disable the output module. + #enabled: true + + # Configure JSON encoding + #codec.json: + # Pretty-print JSON event + #pretty: false + + # Configure escaping HTML symbols in strings. + #escape_html: false + +# =================================== Paths ==================================== + +# The home path for the Heartbeat installation. This is the default base path +# for all other path settings and for miscellaneous files that come with the +# distribution (for example, the sample dashboards). +# If not set by a CLI flag or in the configuration file, the default for the +# home path is the location of the binary. +#path.home: + +# The configuration path for the Heartbeat installation. This is the default +# base path for configuration files, including the main YAML configuration file +# and the Elasticsearch template file. If not set by a CLI flag or in the +# configuration file, the default for the configuration path is the home path. +#path.config: ${path.home} + +# The data path for the Heartbeat installation. This is the default base path +# for all the files in which Heartbeat needs to store its data. If not set by a +# CLI flag or in the configuration file, the default for the data path is a data +# subdirectory inside the home path. +#path.data: ${path.home}/data + +# The logs path for a Heartbeat installation. This is the default location for +# the Beat's log files. If not set by a CLI flag or in the configuration file, +# the default for the logs path is a logs subdirectory inside the home path. +#path.logs: ${path.home}/logs + +# ================================== Keystore ================================== + +# Location of the Keystore containing the keys and their sensitive values. +#keystore.path: "${path.config}/beats.keystore" + +# ================================= Dashboards ================================= + +# These settings control loading the sample dashboards to the Kibana index. Loading +# the dashboards are disabled by default and can be enabled either by setting the +# options here, or by using the `-setup` CLI flag or the `setup` command. +#setup.dashboards.enabled: false + +# The directory from where to read the dashboards. The default is the `kibana` +# folder in the home path. +#setup.dashboards.directory: ${path.home}/kibana + +# The URL from where to download the dashboards archive. It is used instead of +# the directory if it has a value. +#setup.dashboards.url: + +# The file archive (zip file) from where to read the dashboards. It is used instead +# of the directory when it has a value. +#setup.dashboards.file: + +# In case the archive contains the dashboards from multiple Beats, this lets you +# select which one to load. You can load all the dashboards in the archive by +# setting this to the empty string. +#setup.dashboards.beat: heartbeat + +# The name of the Kibana index to use for setting the configuration. Default is ".kibana" +#setup.dashboards.kibana_index: .kibana + +# The Elasticsearch index name. This overwrites the index name defined in the +# dashboards and index pattern. Example: testbeat-* +#setup.dashboards.index: + +# Always use the Kibana API for loading the dashboards instead of autodetecting +# how to install the dashboards by first querying Elasticsearch. +#setup.dashboards.always_kibana: false + +# If true and Kibana is not reachable at the time when dashboards are loaded, +# it will retry to reconnect to Kibana instead of exiting with an error. +#setup.dashboards.retry.enabled: false + +# Duration interval between Kibana connection retries. +#setup.dashboards.retry.interval: 1s + +# Maximum number of retries before exiting with an error, 0 for unlimited retrying. +#setup.dashboards.retry.maximum: 0 + +# ================================== Template ================================== + +# A template is used to set the mapping in Elasticsearch +# By default template loading is enabled and the template is loaded. +# These settings can be adjusted to load your own template or overwrite existing ones. + +# Set to false to disable template loading. +#setup.template.enabled: true + +# Select the kind of index template. From Elasticsearch 7.8, it is possible to +# use component templates. Available options: legacy, component, index. +# By default heartbeat uses the legacy index templates. +#setup.template.type: legacy + +# Template name. By default the template name is "heartbeat-%{[agent.version]}" +# The template name and pattern has to be set in case the Elasticsearch index pattern is modified. +#setup.template.name: "heartbeat-%{[agent.version]}" + +# Template pattern. By default the template pattern is "-%{[agent.version]}-*" to apply to the default index settings. +# The first part is the version of the beat and then -* is used to match all daily indices. +# The template name and pattern has to be set in case the Elasticsearch index pattern is modified. +#setup.template.pattern: "heartbeat-%{[agent.version]}-*" + +# Path to fields.yml file to generate the template +#setup.template.fields: "${path.config}/fields.yml" + +# A list of fields to be added to the template and Kibana index pattern. Also +# specify setup.template.overwrite: true to overwrite the existing template. +#setup.template.append_fields: +#- name: field_name +# type: field_type + +# Enable JSON template loading. If this is enabled, the fields.yml is ignored. +#setup.template.json.enabled: false + +# Path to the JSON template file +#setup.template.json.path: "${path.config}/template.json" + +# Name under which the template is stored in Elasticsearch +#setup.template.json.name: "" + +# Overwrite existing template +#setup.template.overwrite: false + +# Elasticsearch template settings +setup.template.settings: + + # A dictionary of settings to place into the settings.index dictionary + # of the Elasticsearch template. For more details, please check + # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html + #index: + #number_of_shards: 1 + #codec: best_compression + + # A dictionary of settings for the _source field. For more details, please check + # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html + #_source: + #enabled: false + +# ====================== Index Lifecycle Management (ILM) ====================== + +# Configure index lifecycle management (ILM). These settings create a write +# alias and add additional settings to the index template. When ILM is enabled, +# output.elasticsearch.index is ignored, and the write alias is used to set the +# index name. + +# Enable ILM support. Valid values are true, false, and auto. When set to auto +# (the default), the Beat uses index lifecycle management when it connects to a +# cluster that supports ILM; otherwise, it creates daily indices. +#setup.ilm.enabled: auto + +# Set the prefix used in the index lifecycle write alias name. The default alias +# name is 'heartbeat-%{[agent.version]}'. +#setup.ilm.rollover_alias: 'heartbeat' + +# Set the rollover index pattern. The default is "%{now/d}-000001". +#setup.ilm.pattern: "{now/d}-000001" + +# Set the lifecycle policy name. The default policy name is +# 'beatname'. +#setup.ilm.policy_name: "mypolicy" + +# The path to a JSON file that contains a lifecycle policy configuration. Used +# to load your own lifecycle policy. +#setup.ilm.policy_file: + +# Disable the check for an existing lifecycle policy. The default is true. If +# you disable this check, set setup.ilm.overwrite: true so the lifecycle policy +# can be installed. +#setup.ilm.check_exists: true + +# Overwrite the lifecycle policy at startup. The default is false. +#setup.ilm.overwrite: false + +# =================================== Kibana =================================== + +# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. +# This requires a Kibana endpoint configuration. +setup.kibana: + + # Kibana Host + # Scheme and port can be left out and will be set to the default (http and 5601) + # In case you specify and additional path, the scheme is required: http://localhost:5601/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 + #host: "localhost:5601" + + # Optional protocol and basic auth credentials. + #protocol: "https" + #username: "elastic" + #password: "changeme" + + # Optional HTTP path + #path: "" + + # Optional Kibana space ID. + #space.id: "" + + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. + #ssl.enabled: true + + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions from 1.1 + # up to 1.3 are enabled. + #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client certificate key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the certificate key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE-based cipher suites + #ssl.curve_types: [] + + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + +# ================================== Logging =================================== + +# There are four options for the log output: file, stderr, syslog, eventlog +# The file output is the default. + +# Sets log level. The default log level is info. +# Available log levels are: error, warning, info, debug +#logging.level: info + +# Enable debug output for selected components. To enable all selectors use ["*"] +# Other available selectors are "beat", "publish", "service" +# Multiple selectors can be chained. +#logging.selectors: [ ] + +# Send all logging output to stderr. The default is false. +#logging.to_stderr: false + +# Send all logging output to syslog. The default is false. +#logging.to_syslog: false + +# Send all logging output to Windows Event Logs. The default is false. +#logging.to_eventlog: false + +# If enabled, Heartbeat periodically logs its internal metrics that have changed +# in the last period. For each metric that changed, the delta from the value at +# the beginning of the period is logged. Also, the total values for +# all non-zero internal metrics are logged on shutdown. The default is true. +#logging.metrics.enabled: true + +# The period after which to log the internal metrics. The default is 30s. +#logging.metrics.period: 30s + +# Logging to rotating files. Set logging.to_files to false to disable logging to +# files. +logging.to_files: true +logging.files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/heartbeat + + # The name of the files where the logs are written to. + #name: heartbeat + + # Configure log file size limit. If limit is reached, log file will be + # automatically rotated + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. Oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + + # Enable log file rotation on time intervals in addition to size-based rotation. + # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h + # are boundary-aligned with minutes, hours, days, weeks, months, and years as + # reported by the local system clock. All other intervals are calculated from the + # Unix epoch. Defaults to disabled. + #interval: 0 + + # Rotate existing logs on startup rather than appending to the existing + # file. Defaults to true. + # rotateonstartup: true + +# Set to true to log messages in JSON format. +#logging.json: false + +# Set to true, to log messages with minimal required Elastic Common Schema (ECS) +# information. Recommended to use in combination with `logging.json=true` +# Defaults to false. +#logging.ecs: false + +# ============================= X-Pack Monitoring ============================== +# Heartbeat can export internal metrics to a central Elasticsearch monitoring +# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The +# reporting is disabled by default. + +# Set to true to enable the monitoring reporter. +#monitoring.enabled: false + +# Sets the UUID of the Elasticsearch cluster under which monitoring data for this +# Heartbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch +# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch. +#monitoring.cluster_uuid: + +# Uncomment to send the metrics to Elasticsearch. Most settings from the +# Elasticsearch output are accepted here as well. +# Note that the settings should point to your Elasticsearch *monitoring* cluster. +# Any setting that is not set is automatically inherited from the Elasticsearch +# output configuration, so if you have the Elasticsearch output configured such +# that it is pointing to your Elasticsearch monitoring cluster, you can simply +# uncomment the following line. +#monitoring.elasticsearch: + + # Array of hosts to connect to. + # Scheme and port can be left out and will be set to the default (http and 9200) + # In case you specify and additional path, the scheme is required: http://localhost:9200/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200 + #hosts: ["localhost:9200"] + + # Set gzip compression level. + #compression_level: 0 + + # Protocol - either `http` (default) or `https`. + #protocol: "https" + + # Authentication credentials - either API key or username/password. + #api_key: "id:api_key" + #username: "beats_system" + #password: "changeme" + + # Dictionary of HTTP parameters to pass within the URL with index operations. + #parameters: + #param1: value1 + #param2: value2 + + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Proxy server url + #proxy_url: http://proxy:3128 + + # The number of times a particular Elasticsearch index operation is attempted. If + # the indexing operation doesn't succeed after this many retries, the events are + # dropped. The default is 3. + #max_retries: 3 + + # The maximum number of events to bulk in a single Elasticsearch bulk API index request. + # The default is 50. + #bulk_max_size: 50 + + # The number of seconds to wait before trying to reconnect to Elasticsearch + # after a network error. After waiting backoff.init seconds, the Beat + # tries to reconnect. If the attempt fails, the backoff timer is increased + # exponentially up to backoff.max. After a successful connection, the backoff + # timer is reset. The default is 1s. + #backoff.init: 1s + + # The maximum number of seconds to wait before attempting to connect to + # Elasticsearch after a network error. The default is 60s. + #backoff.max: 60s + + # Configure HTTP request timeout before failing an request to Elasticsearch. + #timeout: 90 + + # Use SSL settings for HTTPS. + #ssl.enabled: true + + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions from 1.1 + # up to 1.3 are enabled. + #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client certificate key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the certificate key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE-based cipher suites + #ssl.curve_types: [] + + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. + #kerberos.enabled: true + + # Authentication type to use with Kerberos. Available options: keytab, password. + #kerberos.auth_type: password + + # Path to the keytab file. It is used when auth_type is set to keytab. + #kerberos.keytab: /etc/elastic.keytab + + # Path to the Kerberos configuration. + #kerberos.config_path: /etc/krb5.conf + + # Name of the Kerberos user. + #kerberos.username: elastic + + # Password of the Kerberos user. It is used when auth_type is set to password. + #kerberos.password: changeme + + # Kerberos realm. + #kerberos.realm: ELASTIC + + #metrics.period: 10s + #state.period: 1m + +# The `monitoring.cloud.id` setting overwrites the `monitoring.elasticsearch.hosts` +# setting. You can find the value for this setting in the Elastic Cloud web UI. +#monitoring.cloud.id: + +# The `monitoring.cloud.auth` setting overwrites the `monitoring.elasticsearch.username` +# and `monitoring.elasticsearch.password` settings. The format is `:`. +#monitoring.cloud.auth: + +# =============================== HTTP Endpoint ================================ + +# Each beat can expose internal metrics through a HTTP endpoint. For security +# reasons the endpoint is disabled by default. This feature is currently experimental. +# Stats can be access through http://localhost:5066/stats . For pretty JSON output +# append ?pretty to the URL. + +# Defines if the HTTP endpoint is enabled. +#http.enabled: false + +# The HTTP endpoint will bind to this hostname, IP address, unix socket or named pipe. +# When using IP addresses, it is recommended to only use localhost. +#http.host: localhost + +# Port on which the HTTP endpoint will bind. Default is 5066. +#http.port: 5066 + +# Define which user should be owning the named pipe. +#http.named_pipe.user: + +# Define which the permissions that should be applied to the named pipe, use the Security +# Descriptor Definition Language (SDDL) to define the permission. This option cannot be used with +# `http.user`. +#http.named_pipe.security_descriptor: + +# ============================== Process Security ============================== + +# Enable or disable seccomp system call filtering on Linux. Default is enabled. +#seccomp.enabled: true + +# ============================== Instrumentation =============================== + +# Instrumentation support for the heartbeat. +#instrumentation: + # Set to true to enable instrumentation of heartbeat. + #enabled: false + + # Environment in which heartbeat is running on (eg: staging, production, etc.) + #environment: "" + + # APM Server hosts to report instrumentation results to. + #hosts: + # - http://localhost:8200 + + # API Key for the APM Server(s). + # If api_key is set then secret_token will be ignored. + #api_key: + + # Secret token for the APM Server(s). + #secret_token: + + # Enable profiling of the server, recording profile samples as events. + # + # This feature is experimental. + #profiling: + #cpu: + # Set to true to enable CPU profiling. + #enabled: false + #interval: 60s + #duration: 10s + #heap: + # Set to true to enable heap profiling. + #enabled: false + #interval: 60s + +# ================================= Migration ================================== + +# This allows to enable 6.7 migration aliases +#migration.6_to_7.enabled: false + diff --git a/x-pack/heartbeat/heartbeat.yml b/x-pack/heartbeat/heartbeat.yml new file mode 100644 index 00000000000..19c3f79e968 --- /dev/null +++ b/x-pack/heartbeat/heartbeat.yml @@ -0,0 +1,194 @@ +################### Heartbeat Configuration Example ######################### + +# This file is an example configuration file highlighting only some common options. +# The heartbeat.reference.yml file in the same directory contains all the supported options +# with detailed comments. You can use it for reference. +# +# You can find the full configuration reference here: +# https://www.elastic.co/guide/en/beats/heartbeat/index.html + +############################# Heartbeat ###################################### + +# Define a directory to load monitor definitions from. Definitions take the form +# of individual yaml files. +heartbeat.config.monitors: + # Directory + glob pattern to search for configuration files + path: ${path.config}/monitors.d/*.yml + # If enabled, heartbeat will periodically check the config.monitors path for changes + reload.enabled: false + # How often to check for changes + reload.period: 5s + +# Configure monitors inline +heartbeat.monitors: +- type: http + # ID used to uniquely identify this monitor in elasticsearch even if the config changes + id: my-monitor + # Human readable display name for this service in Uptime UI and elsewhere + name: My Monitor + # List or urls to query + urls: ["http://localhost:9200"] + # Configure task schedule + schedule: '@every 10s' + # Total test connection and data exchange timeout + #timeout: 16s + # Name of corresponding APM service, if Elastic APM is in use for the monitored service. + #service_name: my-apm-service-name + +# ======================= Elasticsearch template setting ======================= + +setup.template.settings: + index.number_of_shards: 1 + index.codec: best_compression + #_source.enabled: false + +# ================================== General =================================== + +# The name of the shipper that publishes the network data. It can be used to group +# all the transactions sent by a single shipper in the web interface. +#name: + +# The tags of the shipper are included in their own field with each +# transaction published. +#tags: ["service-X", "web-tier"] + +# Optional fields that you can specify to add additional information to the +# output. +#fields: +# env: staging + + +# =================================== Kibana =================================== + +# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. +# This requires a Kibana endpoint configuration. +setup.kibana: + + # Kibana Host + # Scheme and port can be left out and will be set to the default (http and 5601) + # In case you specify and additional path, the scheme is required: http://localhost:5601/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 + #host: "localhost:5601" + + # Kibana Space ID + # ID of the Kibana Space into which the dashboards should be loaded. By default, + # the Default Space will be used. + #space.id: + +# =============================== Elastic Cloud ================================ + +# These settings simplify using Heartbeat with the Elastic Cloud (https://cloud.elastic.co/). + +# The cloud.id setting overwrites the `output.elasticsearch.hosts` and +# `setup.kibana.host` options. +# You can find the `cloud.id` in the Elastic Cloud web UI. +#cloud.id: + +# The cloud.auth setting overwrites the `output.elasticsearch.username` and +# `output.elasticsearch.password` settings. The format is `:`. +#cloud.auth: + +# ================================== Outputs =================================== + +# Configure what output to use when sending the data collected by the beat. + +# ---------------------------- Elasticsearch Output ---------------------------- +output.elasticsearch: + # Array of hosts to connect to. + hosts: ["localhost:9200"] + + # Protocol - either `http` (default) or `https`. + #protocol: "https" + + # Authentication credentials - either API key or username/password. + #api_key: "id:api_key" + #username: "elastic" + #password: "changeme" + +# ------------------------------ Logstash Output ------------------------------- +#output.logstash: + # The Logstash hosts + #hosts: ["localhost:5044"] + + # Optional SSL. By default is off. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + +# ================================= Processors ================================= + +processors: + - add_observer_metadata: + # Optional, but recommended geo settings for the location Heartbeat is running in + #geo: + # Token describing this location + #name: us-east-1a + # Lat, Lon " + #location: "37.926868, -78.024902" + + +# ================================== Logging =================================== + +# Sets log level. The default log level is info. +# Available log levels are: error, warning, info, debug +#logging.level: debug + +# At debug level, you can selectively enable logging only for some components. +# To enable all selectors use ["*"]. Examples of other selectors are "beat", +# "publish", "service". +#logging.selectors: ["*"] + +# ============================= X-Pack Monitoring ============================== +# Heartbeat can export internal metrics to a central Elasticsearch monitoring +# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The +# reporting is disabled by default. + +# Set to true to enable the monitoring reporter. +#monitoring.enabled: false + +# Sets the UUID of the Elasticsearch cluster under which monitoring data for this +# Heartbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch +# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch. +#monitoring.cluster_uuid: + +# Uncomment to send the metrics to Elasticsearch. Most settings from the +# Elasticsearch output are accepted here as well. +# Note that the settings should point to your Elasticsearch *monitoring* cluster. +# Any setting that is not set is automatically inherited from the Elasticsearch +# output configuration, so if you have the Elasticsearch output configured such +# that it is pointing to your Elasticsearch monitoring cluster, you can simply +# uncomment the following line. +#monitoring.elasticsearch: + +# ============================== Instrumentation =============================== + +# Instrumentation support for the heartbeat. +#instrumentation: + # Set to true to enable instrumentation of heartbeat. + #enabled: false + + # Environment in which heartbeat is running on (eg: staging, production, etc.) + #environment: "" + + # APM Server hosts to report instrumentation results to. + #hosts: + # - http://localhost:8200 + + # API Key for the APM Server(s). + # If api_key is set then secret_token will be ignored. + #api_key: + + # Secret token for the APM Server(s). + #secret_token: + + +# ================================= Migration ================================== + +# This allows to enable 6.7 migration aliases +#migration.6_to_7.enabled: true + diff --git a/x-pack/heartbeat/magefile.go b/x-pack/heartbeat/magefile.go new file mode 100644 index 00000000000..83f3593c117 --- /dev/null +++ b/x-pack/heartbeat/magefile.go @@ -0,0 +1,83 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build mage + +package main + +import ( + "fmt" + "os" + "time" + + "github.com/magefile/mage/mg" + + devtools "github.com/elastic/beats/v7/dev-tools/mage" + "github.com/elastic/beats/v7/generator/common/beatgen" + heartbeat "github.com/elastic/beats/v7/heartbeat/scripts/mage" + + // mage:import + "github.com/elastic/beats/v7/dev-tools/mage/target/common" + // mage:import + "github.com/elastic/beats/v7/dev-tools/mage/target/build" + // mage:import + "github.com/elastic/beats/v7/dev-tools/mage/target/unittest" + // mage:import + _ "github.com/elastic/beats/v7/dev-tools/mage/target/integtest/notests" + // mage:import + _ "github.com/elastic/beats/v7/dev-tools/mage/target/test" +) + +func init() { + common.RegisterCheckDeps(Update) + unittest.RegisterPythonTestDeps(Fields) + + devtools.BeatLicense = "Elastic License" +} + +// VendorUpdate updates elastic/beats/v7 in the vendor dir +func VendorUpdate() error { + return beatgen.VendorUpdate() +} + +// Package packages the Beat for distribution. +// Use SNAPSHOT=true to build snapshots. +// Use PLATFORMS to control the target platforms. +// Use VERSION_QUALIFIER to control the version qualifier. +func Package() { + start := time.Now() + defer func() { fmt.Println("package ran for", time.Since(start)) }() + + if v, found := os.LookupEnv("AGENT_PACKAGING"); found && v != "" { + devtools.UseElasticBeatXPackReducedPackaging() + } else { + devtools.UseElasticBeatXPackPackaging() + } + + devtools.PackageKibanaDashboardsFromBuildDir() + heartbeat.CustomizePackaging() + + mg.Deps(Update) + mg.Deps(build.CrossBuild, build.CrossBuildGoDaemon) + mg.SerialDeps(devtools.Package, TestPackages) +} + +// TestPackages tests the generated packages (i.e. file modes, owners, groups). +func TestPackages() error { + return devtools.TestPackages(devtools.WithMonitorsD()) +} + +func Fields() error { + return heartbeat.Fields() +} + +// Update updates the generated files (aka make update). +func Update() { + mg.SerialDeps(Fields, Config) +} + +// Config generates both the short/reference/docker configs. +func Config() error { + return devtools.Config(devtools.AllConfigTypes, heartbeat.ConfigFileParams(), ".") +} diff --git a/x-pack/heartbeat/main_test.go b/x-pack/heartbeat/main_test.go index ec6f7a06faa..19d61ffe0f6 100644 --- a/x-pack/heartbeat/main_test.go +++ b/x-pack/heartbeat/main_test.go @@ -1,6 +1,7 @@ // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. + package main // This file is mandatory as otherwise the heartbeat.test binary is not generated correctly. diff --git a/x-pack/heartbeat/make.bat b/x-pack/heartbeat/make.bat new file mode 100644 index 00000000000..12cf4ea7327 --- /dev/null +++ b/x-pack/heartbeat/make.bat @@ -0,0 +1,11 @@ +@echo off + +REM Windows wrapper for Mage (https://magefile.org/) that installs it +REM to %GOPATH%\bin from the Beats vendor directory. +REM +REM After running this once you may invoke mage.exe directly. + +WHERE mage +IF %ERRORLEVEL% NEQ 0 go get github.com/magefile/mage + +mage %* diff --git a/x-pack/libbeat/Dockerfile b/x-pack/libbeat/Dockerfile index ac25e26ac2b..40977aa6cf9 100644 --- a/x-pack/libbeat/Dockerfile +++ b/x-pack/libbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.4 +FROM golang:1.14.7 RUN \ apt-get update \ @@ -10,8 +10,6 @@ RUN \ python3-venv \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/x-pack/libbeat/Jenkinsfile.yml b/x-pack/libbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..87019f071a0 --- /dev/null +++ b/x-pack/libbeat/Jenkinsfile.yml @@ -0,0 +1,17 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^x-pack/libbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@xpack" ## special token regarding the changeset for the xpack + comments: ## when PR comment contains any of those entries + - "/test x-pack/libbeat" + labels: ## when PR labels matches any of those entries + - "x-pack-libbeat" + parameters: ## when parameter was selected in the UI. + - "x-pack-libbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + mage: "mage build test" diff --git a/x-pack/libbeat/autodiscover/providers/aws/ec2/provider.go b/x-pack/libbeat/autodiscover/providers/aws/ec2/provider.go index 06b153626fe..029a54d5403 100644 --- a/x-pack/libbeat/autodiscover/providers/aws/ec2/provider.go +++ b/x-pack/libbeat/autodiscover/providers/aws/ec2/provider.go @@ -37,7 +37,13 @@ type Provider struct { } // AutodiscoverBuilder is the main builder for this provider. -func AutodiscoverBuilder(bus bus.Bus, uuid uuid.UUID, c *common.Config, keystore keystore.Keystore) (autodiscover.Provider, error) { +func AutodiscoverBuilder( + beatName string, + bus bus.Bus, + uuid uuid.UUID, + c *common.Config, + keystore keystore.Keystore, +) (autodiscover.Provider, error) { cfgwarn.Experimental("aws_ec2 autodiscover is experimental") config := awsauto.DefaultConfig() diff --git a/x-pack/libbeat/autodiscover/providers/aws/elb/provider.go b/x-pack/libbeat/autodiscover/providers/aws/elb/provider.go index 54021a8db88..b0617baad4d 100644 --- a/x-pack/libbeat/autodiscover/providers/aws/elb/provider.go +++ b/x-pack/libbeat/autodiscover/providers/aws/elb/provider.go @@ -39,7 +39,13 @@ type Provider struct { } // AutodiscoverBuilder is the main builder for this provider. -func AutodiscoverBuilder(bus bus.Bus, uuid uuid.UUID, c *common.Config, keystore keystore.Keystore) (autodiscover.Provider, error) { +func AutodiscoverBuilder( + beatName string, + bus bus.Bus, + uuid uuid.UUID, + c *common.Config, + keystore keystore.Keystore, +) (autodiscover.Provider, error) { cfgwarn.Experimental("aws_elb autodiscover is experimental") config := awsauto.DefaultConfig() diff --git a/x-pack/libbeat/common/cloudfoundry/events.go b/x-pack/libbeat/common/cloudfoundry/events.go index f134585ac65..3a0f1756b6e 100644 --- a/x-pack/libbeat/common/cloudfoundry/events.go +++ b/x-pack/libbeat/common/cloudfoundry/events.go @@ -492,15 +492,21 @@ func envelopMap(evt Event) common.MapStr { func baseMap(evt Event) common.MapStr { return common.MapStr{ "cloudfoundry": common.MapStr{ - "type": evt.String(), - evt.String(): common.MapStr{ - "timestamp": evt.Timestamp(), - }, + "type": evt.String(), "envelope": envelopMap(evt), + "tags": dedotedTags(evt.Tags()), }, } } +func dedotedTags(tags map[string]string) common.MapStr { + result := common.MapStr{} + for name, value := range tags { + result[common.DeDot(name)] = value + } + return result +} + func baseMapWithApp(evt EventWithAppID) common.MapStr { base := baseMap(evt) appID := evt.AppGuid() diff --git a/x-pack/libbeat/common/cloudfoundry/events_test.go b/x-pack/libbeat/common/cloudfoundry/events_test.go index e4fe6f39caf..7dfd9bdcbd7 100644 --- a/x-pack/libbeat/common/cloudfoundry/events_test.go +++ b/x-pack/libbeat/common/cloudfoundry/events_test.go @@ -76,9 +76,6 @@ func TestEventTypeHttpAccess(t *testing.T) { assert.Equal(t, common.MapStr{ "cloudfoundry": common.MapStr{ "type": "access", - "access": common.MapStr{ - "timestamp": time.Unix(0, 1587469726082), - }, "envelope": common.MapStr{ "origin": "origin", "deployment": "deployment", @@ -89,6 +86,9 @@ func TestEventTypeHttpAccess(t *testing.T) { "app": common.MapStr{ "id": "f47ac10b-58cc-4372-a567-0e02b2c3d479", }, + "tags": common.MapStr{ + "tag": "value", + }, }, "http": common.MapStr{ "response": common.MapStr{ @@ -148,7 +148,6 @@ func TestEventTypeLog(t *testing.T) { "cloudfoundry": common.MapStr{ "type": "log", "log": common.MapStr{ - "timestamp": time.Unix(0, 1587469726082), "source": common.MapStr{ "instance": evt.SourceID(), "type": evt.SourceType(), @@ -164,6 +163,9 @@ func TestEventTypeLog(t *testing.T) { "app": common.MapStr{ "id": "f47ac10b-58cc-4372-a567-0e02b2c3d479", }, + "tags": common.MapStr{ + "tag": "value", + }, }, "message": "log message", "stream": "stdout", @@ -200,10 +202,9 @@ func TestEventCounter(t *testing.T) { "cloudfoundry": common.MapStr{ "type": "counter", "counter": common.MapStr{ - "timestamp": time.Unix(0, 1587469726082), - "name": "name", - "delta": uint64(10), - "total": uint64(999), + "name": "name", + "delta": uint64(10), + "total": uint64(999), }, "envelope": common.MapStr{ "origin": "origin", @@ -212,6 +213,9 @@ func TestEventCounter(t *testing.T) { "job": "job", "index": "index", }, + "tags": common.MapStr{ + "tag": "value", + }, }, }, evt.ToFields()) } @@ -246,10 +250,9 @@ func TestEventValueMetric(t *testing.T) { "cloudfoundry": common.MapStr{ "type": "value", "value": common.MapStr{ - "timestamp": time.Unix(0, 1587469726082), - "name": "name", - "value": 10.1, - "unit": "unit", + "name": "name", + "value": 10.1, + "unit": "unit", }, "envelope": common.MapStr{ "origin": "origin", @@ -258,6 +261,9 @@ func TestEventValueMetric(t *testing.T) { "job": "job", "index": "index", }, + "tags": common.MapStr{ + "tag": "value", + }, }, }, evt.ToFields()) } @@ -304,7 +310,6 @@ func TestEventContainerMetric(t *testing.T) { "cloudfoundry": common.MapStr{ "type": "container", "container": common.MapStr{ - "timestamp": time.Unix(0, 1587469726082), "instance_index": int32(1), "cpu.pct": 0.2, "memory.bytes": uint64(1024), @@ -322,6 +327,9 @@ func TestEventContainerMetric(t *testing.T) { "app": common.MapStr{ "id": "f47ac10b-58cc-4372-a567-0e02b2c3d479", }, + "tags": common.MapStr{ + "tag": "value", + }, }, }, evt.ToFields()) } @@ -356,8 +364,7 @@ func TestEventError(t *testing.T) { "cloudfoundry": common.MapStr{ "type": "error", "error": common.MapStr{ - "timestamp": time.Unix(0, 1587469726082), - "source": "source", + "source": "source", }, "envelope": common.MapStr{ "origin": "origin", @@ -366,6 +373,9 @@ func TestEventError(t *testing.T) { "job": "job", "index": "index", }, + "tags": common.MapStr{ + "tag": "value", + }, }, "message": "message", "code": int32(100), diff --git a/x-pack/libbeat/conftest.py b/x-pack/libbeat/conftest.py new file mode 100644 index 00000000000..8c3ec5a61c5 --- /dev/null +++ b/x-pack/libbeat/conftest.py @@ -0,0 +1,4 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../../libbeat/tests/system')) diff --git a/x-pack/libbeat/docker-compose.yml b/x-pack/libbeat/docker-compose.yml index 75a58c145b1..db68149aacc 100644 --- a/x-pack/libbeat/docker-compose.yml +++ b/x-pack/libbeat/docker-compose.yml @@ -29,7 +29,7 @@ services: file: ${ES_BEATS}/testing/environments/${TESTING_ENVIRONMENT}.yml service: elasticsearch healthcheck: - test: ["CMD-SHELL", 'python -c ''import urllib, json; response = urllib.urlopen("http://myelastic:changeme@localhost:9200/_cluster/health"); data = json.loads(response.read()); exit(1) if data["status"] != "green" else exit(0);'''] + test: ["CMD-SHELL", "curl -u myelastic:changeme -f http://localhost:9200/_cat/health?h=status | grep -q green"] retries: 1200 interval: 5s start_period: 60s @@ -50,7 +50,7 @@ services: file: ${ES_BEATS}/testing/environments/${TESTING_ENVIRONMENT}.yml service: kibana healthcheck: - test: ["CMD-SHELL", 'python -c ''import urllib, json; response = urllib.urlopen("http://myelastic:changeme@localhost:5601/api/status"); data = json.loads(response.read()); exit(1) if data["status"]["overall"]["state"] != "green" else exit(0);'''] + test: ["CMD-SHELL", "curl -u myelastic:changeme -f http://localhost:5601/api/status | grep -q 'Looking good'"] retries: 1200 interval: 5s start_period: 60s diff --git a/x-pack/libbeat/docs/aws-credentials-config.asciidoc b/x-pack/libbeat/docs/aws-credentials-config.asciidoc index be536f433ab..db661dcc627 100644 --- a/x-pack/libbeat/docs/aws-credentials-config.asciidoc +++ b/x-pack/libbeat/docs/aws-credentials-config.asciidoc @@ -38,7 +38,8 @@ given, the default profile will be used. `shared_credential_file` is optional to specify the directory of your shared credentials file. If it's empty, the default directory will be used. In Windows, shared credentials file is at `C:\Users\\.aws\credentials`. -For Linux, macOS or Unix, the file is located at `~/.aws/credentials`. Please see +For Linux, macOS or Unix, the file is located at `~/.aws/credentials`. When running as a service, +the home path depends on the user that manages the service, so the `shared_credential_file` parameter can be used to avoid ambiguity. Please see https://docs.aws.amazon.com/ses/latest/DeveloperGuide/create-shared-credentials-file.html[Create Shared Credentials File] for more details. diff --git a/x-pack/libbeat/magefile.go b/x-pack/libbeat/magefile.go index 01e9b4d7f2d..2b8d8f35d8e 100644 --- a/x-pack/libbeat/magefile.go +++ b/x-pack/libbeat/magefile.go @@ -12,10 +12,10 @@ import ( // mage:import _ "github.com/elastic/beats/v7/dev-tools/mage/target/common" // mage:import - _ "github.com/elastic/beats/v7/dev-tools/mage/target/integtest" - // mage:import _ "github.com/elastic/beats/v7/dev-tools/mage/target/unittest" // mage:import + _ "github.com/elastic/beats/v7/dev-tools/mage/target/integtest" + // mage:import _ "github.com/elastic/beats/v7/dev-tools/mage/target/test" ) diff --git a/x-pack/libbeat/management/api/enroll_test.go b/x-pack/libbeat/management/api/enroll_test.go index c10d925bd1e..a120fb8a2e8 100644 --- a/x-pack/libbeat/management/api/enroll_test.go +++ b/x-pack/libbeat/management/api/enroll_test.go @@ -101,7 +101,7 @@ func TestEnrollError(t *testing.T) { "thisismyenrollmenttoken", ) - assert.NotNil(t, err) + assert.Error(t, err) assert.Equal(t, "", accessToken) }) } diff --git a/x-pack/libbeat/processors/add_cloudfoundry_metadata/_meta/fields.yml b/x-pack/libbeat/processors/add_cloudfoundry_metadata/_meta/fields.yml index bd6e158bb36..33d63e362f8 100644 --- a/x-pack/libbeat/processors/add_cloudfoundry_metadata/_meta/fields.yml +++ b/x-pack/libbeat/processors/add_cloudfoundry_metadata/_meta/fields.yml @@ -11,29 +11,63 @@ - name: app.id type: keyword description: > - Cloud Foundry application ID + Cloud Foundry application identifier. - name: app.name type: keyword description: > - Cloud Foundry application name + Cloud Foundry application name. - name: space.id type: keyword description: > - Cloud Foundry space name + Cloud Foundry space identifier. - name: space.name type: keyword description: > - Cloud Foundry space name + Cloud Foundry space name. - name: org.id type: keyword description: > - Cloud Foundry organization ID + Cloud Foundry organization identifier. - name: org.name type: keyword description: > - Cloud Foundry organization name + Cloud Foundry organization name. + + - name: tags.* + type: object + object_type: keyword + description: > + Cloud Foundry tags. + + - name: envelope + type: group + fields: + - name: deployment + type: keyword + description: > + Identifier of the Cloud Foundry deployment where this event was created. + + - name: index + type: keyword + description: > + Envelope index. + + - name: ip + type: ip + description: > + IP address of the node where the job that created this event is running. + + - name: job + type: keyword + description: > + Job name. + + - name: origin + type: keyword + description: > + Name of the deployment that created this event. diff --git a/x-pack/libbeat/tests/system/base.py b/x-pack/libbeat/tests/system/base.py index 287a13f3502..ac2fdb84858 100644 --- a/x-pack/libbeat/tests/system/base.py +++ b/x-pack/libbeat/tests/system/base.py @@ -1,11 +1,5 @@ import sys import os - - -sys.path.append(os.path.join(os.path.dirname(__file__), - '../../../../libbeat/tests/system')) - - from beat.beat import TestCase diff --git a/x-pack/libbeat/tests/system/test_management.py b/x-pack/libbeat/tests/system/test_management.py index c3a9e6532f2..35a4f9949f9 100644 --- a/x-pack/libbeat/tests/system/test_management.py +++ b/x-pack/libbeat/tests/system/test_management.py @@ -271,7 +271,8 @@ def create_and_assing_tag(self, blocks): assert r.status_code == 200 def get_elasticsearch_url(self): - return 'http://' + self.es_user + ":" + self.es_pass + '@' + os.getenv('ES_HOST', 'localhost') + ':' + os.getenv('ES_PORT', '5601') + return 'http://' + self.es_user + ":" + self.es_pass + '@' + \ + os.getenv('ES_HOST', 'localhost') + ':' + os.getenv('ES_PORT', '5601') def get_kibana_url(self): return 'http://' + os.getenv('KIBANA_HOST', 'kibana') + ':' + os.getenv('KIBANA_PORT', '5601') @@ -283,7 +284,7 @@ def check_document_count(self, index, count): try: self.es.indices.refresh(index=index) return self.es.search(index=index, body={"query": {"match_all": {}}})['hits']['total']['value'] >= count - except: + except BaseException: return False def wait_documents(self, index, count): diff --git a/x-pack/metricbeat/Jenkinsfile.yml b/x-pack/metricbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..2448d43d85b --- /dev/null +++ b/x-pack/metricbeat/Jenkinsfile.yml @@ -0,0 +1,35 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^x-pack/metricbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@xpack" ## special token regarding the changeset for the xpack + comments: ## when PR comment contains any of those entries + - "/test x-pack/metricbeat" + labels: ## when PR labels matches any of those entries + - "x-pack-metricbeat" + parameters: ## when parameter was selected in the UI. + - "x-pack-metricbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + build: + cloud: "mage build test" + withModule: true ## run the ITs only if the changeset affects a specific module. + dirs: ## run the cloud tests for the given modules. + - "x-pack/metricbeat/module/aws" + macos: + mage: "mage build unitTest" + platforms: ## override default label in this specific stage. + - "macosx" + when: ## Aggregate when with the top-level one. + comments: + - "/test x-pack/metricbeat for macos" + labels: + - "macOS" + parameters: + - "macosTest" + windows: + mage: "mage build unitTest" + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/x-pack/metricbeat/conftest.py b/x-pack/metricbeat/conftest.py new file mode 100644 index 00000000000..c4b7e3833d2 --- /dev/null +++ b/x-pack/metricbeat/conftest.py @@ -0,0 +1,6 @@ +import os +import sys + +sys.path.append(os.path.join(os.path.dirname(__file__), '../../metricbeat/tests/system')) +sys.path.append(os.path.join(os.path.dirname(__file__), '../../libbeat/tests/system')) +sys.path.append(os.path.join(os.path.dirname(__file__), './tests/system')) diff --git a/x-pack/metricbeat/docker-compose.yml b/x-pack/metricbeat/docker-compose.yml index b5e752886d6..ad95961aada 100644 --- a/x-pack/metricbeat/docker-compose.yml +++ b/x-pack/metricbeat/docker-compose.yml @@ -24,11 +24,11 @@ services: kibana: # Copied configuration from OSS metricbeat because services with depends_on # cannot be extended with extends - image: docker.elastic.co/integrations-ci/beats-kibana:${KIBANA_VERSION:-7.7.0}-1 + image: docker.elastic.co/integrations-ci/beats-kibana:${KIBANA_VERSION:-7.9.0}-1 build: context: ../../metricbeat/module/kibana/_meta args: - KIBANA_VERSION: ${KIBANA_VERSION:-7.7.0} + KIBANA_VERSION: ${KIBANA_VERSION:-7.9.0} depends_on: - elasticsearch ports: diff --git a/x-pack/metricbeat/include/list.go b/x-pack/metricbeat/include/list.go index 71876550fc8..053385e2e79 100644 --- a/x-pack/metricbeat/include/list.go +++ b/x-pack/metricbeat/include/list.go @@ -12,6 +12,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/appsearch" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/appsearch/stats" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws" + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws/billing" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws/cloudwatch" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws/ec2" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws/rds" @@ -21,8 +22,6 @@ import ( _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/app_insights" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/billing" - _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/compute_vm" - _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/compute_vm_scaleset" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/monitor" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/storage" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/cloudfoundry" @@ -33,7 +32,8 @@ import ( _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/coredns" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/coredns/stats" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud" - _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver" + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/billing" + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/ibmmq" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/iis" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/iis/application_pool" @@ -53,6 +53,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/oracle/tablespace" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/prometheus" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/prometheus/collector" + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/prometheus/remote_write" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/redisenterprise" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/sql" _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/sql/query" diff --git a/x-pack/metricbeat/magefile.go b/x-pack/metricbeat/magefile.go index 317caa7eef1..4f15998df17 100644 --- a/x-pack/metricbeat/magefile.go +++ b/x-pack/metricbeat/magefile.go @@ -152,19 +152,18 @@ func GoIntegTest(ctx context.Context) error { // PythonIntegTest executes the python system tests in the integration // environment (Docker). // Use MODULE=module to run only tests for `module`. -// Use NOSE_TESTMATCH=pattern to only run tests matching the specified pattern. -// Use any other NOSE_* environment variable to influence the behavior of -// nosetests. +// Use PYTEST_ADDOPTS="-k pattern" to only run tests matching the specified pattern. +// Use any other PYTEST_* environment variable to influence the behavior of pytest. func PythonIntegTest(ctx context.Context) error { if !devtools.IsInIntegTestEnv() { mg.SerialDeps(Fields, Dashboards) } - runner, err := devtools.NewDockerIntegrationRunner(devtools.ListMatchingEnvVars("NOSE_")...) + runner, err := devtools.NewDockerIntegrationRunner(devtools.ListMatchingEnvVars("PYTEST_")...) if err != nil { return err } return runner.Test("pythonIntegTest", func() error { mg.Deps(devtools.BuildSystemTestBinary) - return devtools.PythonNoseTestForModule(devtools.DefaultPythonTestIntegrationArgs()) + return devtools.PythonTest(devtools.DefaultPythonTestIntegrationArgs()) }) } diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml index ee5d7893bc0..ff9bffda33e 100644 --- a/x-pack/metricbeat/metricbeat.reference.yml +++ b/x-pack/metricbeat/metricbeat.reference.yml @@ -340,7 +340,8 @@ metricbeat.modules: period: 300s application_id: '' api_key: '' - + metrics: + - id: ["requests/count", "requests/duration"] #--------------------------------- Beat Module --------------------------------- - module: beat @@ -482,12 +483,9 @@ metricbeat.modules: #password: "changeme" #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - # Set to false to fetch all entries #index_recovery.active_only: true - - # Set to true to send data collected by module to X-Pack - # Monitoring instead of metricbeat-* indices. #xpack.enabled: false + #scope: node #------------------------------ Envoyproxy Module ------------------------------ - module: envoyproxy @@ -543,7 +541,7 @@ metricbeat.modules: - module: googlecloud metricsets: - - stackdriver + - metrics project_id: "your project id" credentials_file_path: "your JSON credentials file path" exclude_labels: false @@ -557,6 +555,16 @@ metricbeat.modules: - "instance/cpu/utilization" - "instance/uptime" +- module: googlecloud + metricsets: + - billing + period: 24h + project_id: "your project id" + credentials_file_path: "your JSON credentials file path" + dataset_id: "dataset id" + table_pattern: "table pattern" + cost_type: "regular" + #------------------------------- Graphite Module ------------------------------- - module: graphite metricsets: ["server"] @@ -803,6 +811,7 @@ metricbeat.modules: enabled: true metricsets: - state_node + - state_daemonset - state_deployment - state_replicaset - state_statefulset @@ -969,8 +978,10 @@ metricbeat.modules: #-------------------------------- MySQL Module -------------------------------- - module: mysql metricsets: - - "status" - # - "galera_status" + - status + # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" @@ -1105,6 +1116,18 @@ metricbeat.modules: #ssl.certificate: "/etc/pki/server/cert.pem" #ssl.key: "/etc/pki/server/cert.key" + # Use Elasticsearch histogram type to store histograms (beta, default: false) + # This will change the default layout and put metric type in the field name + #use_types: true + + # Store counter rates instead of original cumulative counters (experimental, default: false) + #rate_counters: true + + # Define patterns for counter and histogram types so as to identify metrics' types according to these patterns + #types_patterns: + # counter_patterns: [] + # histogram_patterns: [] + # Metrics that will be collected using a PromQL #- module: prometheus # metricsets: ["query"] @@ -1704,10 +1727,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 @@ -1820,20 +1851,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1843,7 +1881,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -2006,30 +2044,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -2042,6 +2087,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -2149,42 +2200,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. @@ -2317,6 +2382,11 @@ output.elasticsearch: # Set to false to disable template loading. #setup.template.enabled: true +# Select the kind of index template. From Elasticsearch 7.8, it is possible to +# use component templates. Available options: legacy, component, index. +# By default metricbeat uses the legacy index templates. +#setup.template.type: legacy + # Template name. By default the template name is "metricbeat-%{[agent.version]}" # The template name and pattern has to be set in case the Elasticsearch index pattern is modified. #setup.template.name: "metricbeat-%{[agent.version]}" @@ -2420,20 +2490,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -2452,6 +2533,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog @@ -2602,17 +2694,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -2635,6 +2734,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/x-pack/metricbeat/module/activemq/test_activemq.py b/x-pack/metricbeat/module/activemq/test_activemq.py index 278752b3089..8b3f9694964 100644 --- a/x-pack/metricbeat/module/activemq/test_activemq.py +++ b/x-pack/metricbeat/module/activemq/test_activemq.py @@ -4,8 +4,6 @@ import string import sys import unittest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) from xpack_metricbeat import XPackTest, metricbeat diff --git a/x-pack/metricbeat/module/appsearch/test_appsearch.py b/x-pack/metricbeat/module/appsearch/test_appsearch.py index e9f72a23123..276c4e47f8f 100644 --- a/x-pack/metricbeat/module/appsearch/test_appsearch.py +++ b/x-pack/metricbeat/module/appsearch/test_appsearch.py @@ -1,8 +1,6 @@ import os import sys import unittest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) from xpack_metricbeat import XPackTest, metricbeat diff --git a/x-pack/metricbeat/module/aws/_meta/config.yml b/x-pack/metricbeat/module/aws/_meta/config.yml index 34d2d9f5c55..618ed4cd854 100644 --- a/x-pack/metricbeat/module/aws/_meta/config.yml +++ b/x-pack/metricbeat/module/aws/_meta/config.yml @@ -30,11 +30,16 @@ - sns - sqs - module: aws - period: 12h + period: 24h metricsets: - billing - regions: - - us-east-1 + cost_explorer_config: + group_by_dimension_keys: + - "AZ" + - "INSTANCE_TYPE" + - "SERVICE" +# group_by_tag_keys: +# - "aws:createdBy" - module: aws period: 24h metricsets: diff --git a/x-pack/metricbeat/module/aws/_meta/docs.asciidoc b/x-pack/metricbeat/module/aws/_meta/docs.asciidoc index 32afafebf86..fe9aeea007f 100644 --- a/x-pack/metricbeat/module/aws/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/aws/_meta/docs.asciidoc @@ -2,10 +2,12 @@ This module periodically fetches monitoring metrics from AWS CloudWatch using https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricData.html[GetMetricData API] for AWS services. -Note: extra AWS charges on GetMetricData API requests will be generated by this module. All metrics are enabled by default. +IMPORTANT: Extra AWS charges on CloudWatch API requests will be generated by this +module. Please see <> for more details. + [float] == Module-specific configuration notes @@ -188,6 +190,7 @@ real-time metrics for users to better understand the performance of their web applications and services. [float] +[[aws-api-requests]] == AWS API requests count per metricset This session is to document what are the AWS API called made by each metricset in `aws` module. This will be useful for users to estimate costs for using `aws` diff --git a/x-pack/metricbeat/module/aws/_meta/kibana/7/dashboard/Metricbeat-aws-billing-overview.json b/x-pack/metricbeat/module/aws/_meta/kibana/7/dashboard/Metricbeat-aws-billing-overview.json index 2f0b054ebe7..6a601bc7471 100644 --- a/x-pack/metricbeat/module/aws/_meta/kibana/7/dashboard/Metricbeat-aws-billing-overview.json +++ b/x-pack/metricbeat/module/aws/_meta/kibana/7/dashboard/Metricbeat-aws-billing-overview.json @@ -25,62 +25,126 @@ "gridData": { "h": 5, "i": "89dccfe8-a25e-44ea-afdb-ff01ab1f05d6", - "w": 16, + "w": 9, "x": 0, "y": 0 }, "panelIndex": "89dccfe8-a25e-44ea-afdb-ff01ab1f05d6", "panelRefName": "panel_0", "title": "AWS Account Filter", - "version": "7.4.0" + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Estimated Billing Chart" + "title": "Current Total Unblended Cost" }, "gridData": { - "h": 16, - "i": "26670498-b079-4447-bbc8-e4ca8215898c", - "w": 32, - "x": 16, + "h": 18, + "i": "f1db16b5-ce0a-4f21-885f-434c16346c26", + "w": 8, + "x": 9, "y": 0 }, - "panelIndex": "26670498-b079-4447-bbc8-e4ca8215898c", + "panelIndex": "f1db16b5-ce0a-4f21-885f-434c16346c26", "panelRefName": "panel_1", - "title": "Estimated Billing Chart", - "version": "7.4.0" + "title": "Current Total Unblended Cost", + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Total Estimated Charges" + "title": "Availability Zone Utilization" }, "gridData": { - "h": 11, + "h": 18, + "i": "57912f48-42ec-4d3e-ba54-bf94757d1eec", + "w": 31, + "x": 17, + "y": 0 + }, + "panelIndex": "57912f48-42ec-4d3e-ba54-bf94757d1eec", + "panelRefName": "panel_2", + "title": "Availability Zone Utilization", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Total Estimated Charges For This Month" + }, + "gridData": { + "h": 13, "i": "221aab02-2747-4d84-9dde-028ccd51bdce", - "w": 16, + "w": 9, "x": 0, "y": 5 }, "panelIndex": "221aab02-2747-4d84-9dde-028ccd51bdce", - "panelRefName": "panel_2", - "title": "Total Estimated Charges", - "version": "7.4.0" + "panelRefName": "panel_3", + "title": "Total Estimated Charges For This Month", + "version": "7.9.0" }, { "embeddableConfig": { - "title": "Top 10 Estimated Billing Per Service Name" + "title": "Cost Per Service Per User" }, "gridData": { - "h": 15, - "i": "21e91e6b-0ff0-42ba-9132-6f30c5c6bbb7", - "w": 48, + "h": 20, + "i": "376f236b-1365-4e80-8076-eec88c1a67bd", + "w": 24, "x": 0, - "y": 16 + "y": 18 }, - "panelIndex": "21e91e6b-0ff0-42ba-9132-6f30c5c6bbb7", - "panelRefName": "panel_3", - "title": "Top 10 Estimated Billing Per Service Name", - "version": "7.4.0" + "panelIndex": "376f236b-1365-4e80-8076-eec88c1a67bd", + "panelRefName": "panel_4", + "title": "Cost Per Service Per User", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "High Spenders" + }, + "gridData": { + "h": 20, + "i": "dd5220c2-dc8a-4d3e-964b-6137d1e447ad", + "w": 24, + "x": 24, + "y": 18 + }, + "panelIndex": "dd5220c2-dc8a-4d3e-964b-6137d1e447ad", + "panelRefName": "panel_5", + "title": "High Spenders", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Top 10 Estimated Charges per Service Name" + }, + "gridData": { + "h": 18, + "i": "1de716e2-bad9-4fe3-ba49-0e2ea2a59bb4", + "w": 24, + "x": 0, + "y": 38 + }, + "panelIndex": "1de716e2-bad9-4fe3-ba49-0e2ea2a59bb4", + "panelRefName": "panel_6", + "title": "Top 10 Estimated Charges per Service Name", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Daily Unblended Cost" + }, + "gridData": { + "h": 18, + "i": "60181fec-fea9-4f99-b5f9-a53ffbc2ac65", + "w": 24, + "x": 24, + "y": 38 + }, + "panelIndex": "60181fec-fea9-4f99-b5f9-a53ffbc2ac65", + "panelRefName": "panel_7", + "title": "Daily Unblended Cost", + "version": "7.9.0" } ], "timeRestore": false, @@ -91,6 +155,9 @@ "migrationVersion": { "dashboard": "7.3.0" }, + "namespaces": [ + "default" + ], "references": [ { "id": "deab0260-2981-11e9-86eb-a3a07a77f530", @@ -98,24 +165,44 @@ "type": "visualization" }, { - "id": "749cd470-1530-11ea-841c-01bf20a6c8ba", + "id": "1731c440-e649-11ea-a838-3f4a45f85600", "name": "panel_1", "type": "visualization" }, { - "id": "83f08eb0-1532-11ea-841c-01bf20a6c8ba", + "id": "a5670a20-e65a-11ea-a838-3f4a45f85600", "name": "panel_2", "type": "visualization" }, { - "id": "31a4ea90-152b-11ea-841c-01bf20a6c8ba", + "id": "83f08eb0-1532-11ea-841c-01bf20a6c8ba", "name": "panel_3", "type": "visualization" + }, + { + "id": "b3da5ac0-e6f1-11ea-a5b5-d5a0accaec95", + "name": "panel_4", + "type": "lens" + }, + { + "id": "d7b399c0-e6f1-11ea-a5b5-d5a0accaec95", + "name": "panel_5", + "type": "lens" + }, + { + "id": "cde34840-e6f2-11ea-a5b5-d5a0accaec95", + "name": "panel_6", + "type": "lens" + }, + { + "id": "3e091620-e64b-11ea-a838-3f4a45f85600", + "name": "panel_7", + "type": "visualization" } ], "type": "dashboard", - "updated_at": "2020-02-04T15:57:47.353Z", - "version": "WzY3NjQsMV0=" + "updated_at": "2020-09-14T04:08:21.260Z", + "version": "WzcyNjksOF0=" }, { "attributes": { @@ -162,8 +249,11 @@ }, "id": "deab0260-2981-11e9-86eb-a3a07a77f530", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [ { "id": "metricbeat-*", @@ -172,8 +262,8 @@ } ], "type": "visualization", - "updated_at": "2020-01-27T21:33:20.219Z", - "version": "WzQ2OTAsMV0=" + "updated_at": "2020-09-14T04:04:04.990Z", + "version": "WzY2MDYsOF0=" }, { "attributes": { @@ -181,61 +271,132 @@ "kibanaSavedObjectMeta": { "searchSourceJSON": { "filter": [], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { "language": "kuery", "query": "" } } }, - "title": "Estimated Billing Pie Chart [Metricbeat AWS]", - "uiStateJSON": { - "vis": { - "colors": { - "16": "#629E51", - "272": "#DEDAF7", - "80": "#E24D42", - "running": "#7EB26D", - "stopped": "#E24D42" + "title": "Total Unblended Cost [Metricbeat AWS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "cf04e620-e648-11ea-bdad-df8839db1393" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 0, + "filter": { + "language": "kuery", + "query": "aws.billing.group_definition.key : \"AZ\"" }, - "legendOpen": true + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "\u003e=2d", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "filter": { + "language": "kuery", + "query": "aws.billing.group_definition.key : \"AZ\"" + }, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Total Unblended Cost", + "line_width": 1, + "metrics": [ + { + "field": "aws.billing.UnblendedCost.amount", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "sum" + } + ], + "override_index_pattern": 1, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "series_index_pattern": "metricbeat-*", + "series_interval": "\u003e=2d", + "series_time_field": "@timestamp", + "split_color_mode": "kibana", + "split_mode": "filter", + "stacked": "none", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "last_value", + "tooltip_mode": "show_all", + "type": "metric" + }, + "title": "Total Unblended Cost [Metricbeat AWS]", + "type": "metrics" + } + }, + "id": "1731c440-e649-11ea-a838-3f4a45f85600", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-14T04:03:51.696Z", + "version": "WzY0NjksOF0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } } }, + "title": "Availability Zone Utilization [Metricbeat AWS]", + "uiStateJSON": {}, "version": 1, "visState": { "aggs": [ { "enabled": true, "id": "1", - "params": { - "customLabel": "", - "field": "aws.billing.metrics.EstimatedCharges.max" - }, + "params": {}, "schema": "metric", - "type": "sum" + "type": "count" }, { "enabled": true, "id": "2", "params": { - "customLabel": "", - "field": "aws.dimensions.ServiceName", + "exclude": "NoAZ", + "field": "aws.billing.group_by.AZ", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", - "orderAgg": { - "enabled": true, - "id": "2-orderAgg", - "params": { - "field": "aws.billing.metrics.EstimatedCharges.max" - }, - "schema": "orderAgg", - "type": "avg" - }, - "orderBy": "custom", - "otherBucket": true, + "orderBy": "1", + "otherBucket": false, "otherBucketLabel": "Other", - "size": 10 + "size": 20 }, "schema": "segment", "type": "terms" @@ -244,32 +405,7 @@ "params": { "addLegend": true, "addTooltip": true, - "dimensions": { - "buckets": [ - { - "accessor": 0, - "aggType": "terms", - "format": { - "id": "terms", - "params": { - "id": "string", - "missingBucketLabel": "Missing", - "otherBucketLabel": "Other" - } - }, - "params": {} - } - ], - "metric": { - "accessor": 1, - "aggType": "sum", - "format": { - "id": "number" - }, - "params": {} - } - }, - "isDonut": false, + "isDonut": true, "labels": { "last_level": true, "show": true, @@ -279,14 +415,17 @@ "legendPosition": "right", "type": "pie" }, - "title": "Estimated Billing Pie Chart [Metricbeat AWS]", + "title": "Availability Zone Utilization [Metricbeat AWS]", "type": "pie" } }, - "id": "749cd470-1530-11ea-841c-01bf20a6c8ba", + "id": "a5670a20-e65a-11ea-a838-3f4a45f85600", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [ { "id": "metricbeat-*", @@ -295,8 +434,8 @@ } ], "type": "visualization", - "updated_at": "2020-01-27T21:33:08.924Z", - "version": "WzQ1ODAsMV0=" + "updated_at": "2020-09-14T04:03:51.696Z", + "version": "WzY0NzAsOF0=" }, { "attributes": { @@ -332,6 +471,10 @@ "default_index_pattern": "metricbeat-*", "default_timefield": "@timestamp", "drop_last_bucket": 0, + "filter": { + "language": "kuery", + "query": "aws.billing.EstimatedCharges : * and not (aws.billing.ServiceName : * )" + }, "gauge_color_rules": [ { "id": "e8a045e0-1531-11ea-961e-c1db9cc6166e" @@ -342,7 +485,7 @@ "gauge_width": 10, "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "metricbeat-*", - "interval": "12h", + "interval": "\u003e=1d", "isModelInvalid": false, "series": [ { @@ -352,7 +495,7 @@ "fill": 0.5, "filter": { "language": "kuery", - "query": "not aws.dimensions.ServiceName : * " + "query": "aws.billing.EstimatedCharges : * and not (aws.billing.ServiceName : * )" }, "formatter": "number", "id": "61ca57f1-469d-11e7-af02-69e470af7417", @@ -360,16 +503,19 @@ "line_width": 1, "metrics": [ { - "field": "aws.billing.metrics.EstimatedCharges.max", + "field": "aws.billing.EstimatedCharges", "id": "61ca57f2-469d-11e7-af02-69e470af7417", "type": "sum" } ], - "override_index_pattern": 0, + "override_index_pattern": 1, "point_size": 1, "separate_axis": 0, "series_drop_last_bucket": 0, - "series_interval": "12h", + "series_index_pattern": "metricbeat-*", + "series_interval": "\u003e=1d", + "series_time_field": "@timestamp", + "split_color_mode": "gradient", "split_mode": "filter", "stacked": "none", "time_range_mode": "last_value", @@ -379,6 +525,8 @@ "show_grid": 1, "show_legend": 1, "time_field": "@timestamp", + "time_range_mode": "last_value", + "tooltip_mode": "show_all", "type": "metric" }, "title": "Total Estimated Charges [Metricbeat AWS]", @@ -387,12 +535,333 @@ }, "id": "83f08eb0-1532-11ea-841c-01bf20a6c8ba", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-02-03T23:52:07.805Z", - "version": "WzY3NDUsMV0=" + "updated_at": "2020-09-14T04:03:51.696Z", + "version": "WzY0NzEsOF0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"cbffa0b1-50bb-40fe-bd8d-6a26d2b58fb3\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true aggConfigs=\"[{\\\"id\\\":\\\"5d850e8e-f3e0-4ad2-9697-b8c00c03f753\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"aws.billing.group_by.SERVICE\\\",\\\"orderBy\\\":\\\"75188758-7734-4fc3-af1d-297c455715f0\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":5,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"a1f5b3b8-41da-452b-8683-7a9ca6b6267f\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"aws.billing.group_by.aws:createdBy\\\",\\\"orderBy\\\":\\\"75188758-7734-4fc3-af1d-297c455715f0\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":10,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"75188758-7734-4fc3-af1d-297c455715f0\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"sum\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"aws.billing.UnblendedCost.amount\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-5d850e8e-f3e0-4ad2-9697-b8c00c03f753\\\":{\\\"label\\\":\\\"Service Name\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"aws.billing.group_by.SERVICE\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":5,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"75188758-7734-4fc3-af1d-297c455715f0\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"5d850e8e-f3e0-4ad2-9697-b8c00c03f753\\\"},\\\"col-2-a1f5b3b8-41da-452b-8683-7a9ca6b6267f\\\":{\\\"label\\\":\\\"Top values of aws.billing.group_by.aws:createdBy\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"suggestedPriority\\\":0,\\\"sourceField\\\":\\\"aws.billing.group_by.aws:createdBy\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":10,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"75188758-7734-4fc3-af1d-297c455715f0\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"id\\\":\\\"a1f5b3b8-41da-452b-8683-7a9ca6b6267f\\\"},\\\"col-3-75188758-7734-4fc3-af1d-297c455715f0\\\":{\\\"label\\\":\\\"Total Unblended Cost\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"sum\\\",\\\"sourceField\\\":\\\"aws.billing.UnblendedCost.amount\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"75188758-7734-4fc3-af1d-297c455715f0\\\"}}\"}\n| lens_xy_chart xTitle=\"Service Name\" yTitle=\"Total Unblended Cost\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"cbffa0b1-50bb-40fe-bd8d-6a26d2b58fb3\" hide=false xAccessor=\"5d850e8e-f3e0-4ad2-9697-b8c00c03f753\" yScaleType=\"linear\" xScaleType=\"ordinal\" isHistogram=false splitAccessor=\"a1f5b3b8-41da-452b-8683-7a9ca6b6267f\" seriesType=\"bar_stacked\" accessors=\"75188758-7734-4fc3-af1d-297c455715f0\" columnToLabel=\"{\\\"75188758-7734-4fc3-af1d-297c455715f0\\\":\\\"Total Unblended Cost\\\",\\\"a1f5b3b8-41da-452b-8683-7a9ca6b6267f\\\":\\\"Top values of aws.billing.group_by.aws:createdBy\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "cbffa0b1-50bb-40fe-bd8d-6a26d2b58fb3": { + "columnOrder": [ + "5d850e8e-f3e0-4ad2-9697-b8c00c03f753", + "a1f5b3b8-41da-452b-8683-7a9ca6b6267f", + "75188758-7734-4fc3-af1d-297c455715f0" + ], + "columns": { + "5d850e8e-f3e0-4ad2-9697-b8c00c03f753": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Service Name", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "75188758-7734-4fc3-af1d-297c455715f0", + "type": "column" + }, + "orderDirection": "desc", + "size": 5 + }, + "scale": "ordinal", + "sourceField": "aws.billing.group_by.SERVICE" + }, + "75188758-7734-4fc3-af1d-297c455715f0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Unblended Cost", + "operationType": "sum", + "scale": "ratio", + "sourceField": "aws.billing.UnblendedCost.amount" + }, + "a1f5b3b8-41da-452b-8683-7a9ca6b6267f": { + "dataType": "string", + "isBucketed": true, + "label": "Top values of aws.billing.group_by.aws:createdBy", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "75188758-7734-4fc3-af1d-297c455715f0", + "type": "column" + }, + "orderDirection": "desc", + "size": 10 + }, + "scale": "ordinal", + "sourceField": "aws.billing.group_by.aws:createdBy", + "suggestedPriority": 0 + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "75188758-7734-4fc3-af1d-297c455715f0" + ], + "layerId": "cbffa0b1-50bb-40fe-bd8d-6a26d2b58fb3", + "seriesType": "bar_stacked", + "splitAccessor": "a1f5b3b8-41da-452b-8683-7a9ca6b6267f", + "xAccessor": "5d850e8e-f3e0-4ad2-9697-b8c00c03f753" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked" + } + }, + "title": "Cost Per Service Per User [Metricbeat AWS]", + "visualizationType": "lnsXY" + }, + "id": "b3da5ac0-e6f1-11ea-a5b5-d5a0accaec95", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-09-14T04:03:51.696Z", + "version": "WzY0NzIsOF0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"cbffa0b1-50bb-40fe-bd8d-6a26d2b58fb3\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true aggConfigs=\"[{\\\"id\\\":\\\"a1f5b3b8-41da-452b-8683-7a9ca6b6267f\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"aws.billing.group_by.aws:createdBy\\\",\\\"orderBy\\\":\\\"75188758-7734-4fc3-af1d-297c455715f0\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":10,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"75188758-7734-4fc3-af1d-297c455715f0\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"sum\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"aws.billing.UnblendedCost.amount\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-a1f5b3b8-41da-452b-8683-7a9ca6b6267f\\\":{\\\"label\\\":\\\"Top Users\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"suggestedPriority\\\":0,\\\"sourceField\\\":\\\"aws.billing.group_by.aws:createdBy\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":10,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"75188758-7734-4fc3-af1d-297c455715f0\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"a1f5b3b8-41da-452b-8683-7a9ca6b6267f\\\"},\\\"col-1-75188758-7734-4fc3-af1d-297c455715f0\\\":{\\\"label\\\":\\\"Total Unblended Cost\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"sum\\\",\\\"sourceField\\\":\\\"aws.billing.UnblendedCost.amount\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"75188758-7734-4fc3-af1d-297c455715f0\\\"}}\"}\n| lens_xy_chart xTitle=\"Top Users\" yTitle=\"Total Unblended Cost\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"cbffa0b1-50bb-40fe-bd8d-6a26d2b58fb3\" hide=false xAccessor=\"a1f5b3b8-41da-452b-8683-7a9ca6b6267f\" yScaleType=\"linear\" xScaleType=\"ordinal\" isHistogram=false seriesType=\"bar_horizontal\" accessors=\"75188758-7734-4fc3-af1d-297c455715f0\" columnToLabel=\"{\\\"75188758-7734-4fc3-af1d-297c455715f0\\\":\\\"Total Unblended Cost\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "cbffa0b1-50bb-40fe-bd8d-6a26d2b58fb3": { + "columnOrder": [ + "a1f5b3b8-41da-452b-8683-7a9ca6b6267f", + "75188758-7734-4fc3-af1d-297c455715f0" + ], + "columns": { + "75188758-7734-4fc3-af1d-297c455715f0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Unblended Cost", + "operationType": "sum", + "scale": "ratio", + "sourceField": "aws.billing.UnblendedCost.amount" + }, + "a1f5b3b8-41da-452b-8683-7a9ca6b6267f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top Users", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "75188758-7734-4fc3-af1d-297c455715f0", + "type": "column" + }, + "orderDirection": "desc", + "size": 10 + }, + "scale": "ordinal", + "sourceField": "aws.billing.group_by.aws:createdBy", + "suggestedPriority": 0 + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "75188758-7734-4fc3-af1d-297c455715f0" + ], + "layerId": "cbffa0b1-50bb-40fe-bd8d-6a26d2b58fb3", + "seriesType": "bar_horizontal", + "xAccessor": "a1f5b3b8-41da-452b-8683-7a9ca6b6267f" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal" + } + }, + "title": "High Spenders [Metricbeat AWS]", + "visualizationType": "lnsXY" + }, + "id": "d7b399c0-e6f1-11ea-a5b5-d5a0accaec95", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-09-14T04:03:51.696Z", + "version": "WzY0NzMsOF0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"dc597043-d867-4f94-ae90-f31ffc0c2674\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"ea87bf3d-0a35-424b-b00b-3614c431b135\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"aws.billing.ServiceName\\\",\\\"orderBy\\\":\\\"d54f4e58-d8dd-4404-8da9-12b667dd7910\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":10,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"faa5dba4-1fab-4f88-b67f-28bafa26a32d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"1d\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"d54f4e58-d8dd-4404-8da9-12b667dd7910\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"avg\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"aws.billing.EstimatedCharges\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-ea87bf3d-0a35-424b-b00b-3614c431b135\\\":{\\\"label\\\":\\\"Service Names\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"suggestedPriority\\\":0,\\\"sourceField\\\":\\\"aws.billing.ServiceName\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":10,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"d54f4e58-d8dd-4404-8da9-12b667dd7910\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"ea87bf3d-0a35-424b-b00b-3614c431b135\\\"},\\\"col-2-faa5dba4-1fab-4f88-b67f-28bafa26a32d\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"1d\\\"},\\\"id\\\":\\\"faa5dba4-1fab-4f88-b67f-28bafa26a32d\\\"},\\\"col-3-d54f4e58-d8dd-4404-8da9-12b667dd7910\\\":{\\\"label\\\":\\\"Estimated Charges\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"avg\\\",\\\"sourceField\\\":\\\"aws.billing.EstimatedCharges\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"d54f4e58-d8dd-4404-8da9-12b667dd7910\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp\" yTitle=\"Estimated Charges\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"dc597043-d867-4f94-ae90-f31ffc0c2674\" hide=false xAccessor=\"faa5dba4-1fab-4f88-b67f-28bafa26a32d\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"ea87bf3d-0a35-424b-b00b-3614c431b135\" seriesType=\"line\" accessors=\"d54f4e58-d8dd-4404-8da9-12b667dd7910\" columnToLabel=\"{\\\"d54f4e58-d8dd-4404-8da9-12b667dd7910\\\":\\\"Estimated Charges\\\",\\\"ea87bf3d-0a35-424b-b00b-3614c431b135\\\":\\\"Service Names\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "dc597043-d867-4f94-ae90-f31ffc0c2674": { + "columnOrder": [ + "ea87bf3d-0a35-424b-b00b-3614c431b135", + "faa5dba4-1fab-4f88-b67f-28bafa26a32d", + "d54f4e58-d8dd-4404-8da9-12b667dd7910" + ], + "columns": { + "d54f4e58-d8dd-4404-8da9-12b667dd7910": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Estimated Charges", + "operationType": "avg", + "scale": "ratio", + "sourceField": "aws.billing.EstimatedCharges" + }, + "ea87bf3d-0a35-424b-b00b-3614c431b135": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Service Names", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "d54f4e58-d8dd-4404-8da9-12b667dd7910", + "type": "column" + }, + "orderDirection": "desc", + "size": 10 + }, + "scale": "ordinal", + "sourceField": "aws.billing.ServiceName", + "suggestedPriority": 0 + }, + "faa5dba4-1fab-4f88-b67f-28bafa26a32d": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "1d" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "d54f4e58-d8dd-4404-8da9-12b667dd7910" + ], + "layerId": "dc597043-d867-4f94-ae90-f31ffc0c2674", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "ea87bf3d-0a35-424b-b00b-3614c431b135", + "xAccessor": "faa5dba4-1fab-4f88-b67f-28bafa26a32d" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line" + } + }, + "title": "Top 10 Estimated Charges per Service Name [Metricbeat AWS]", + "visualizationType": "lnsXY" + }, + "id": "cde34840-e6f2-11ea-a5b5-d5a0accaec95", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-09-14T04:03:51.696Z", + "version": "WzY0NzQsOF0=" }, { "attributes": { @@ -406,14 +875,13 @@ } } }, - "title": "Top 10 Billing per Service Name [Metricbeat AWS]", + "title": "Daily Unblended Cost [Metricbeat AWS]", "uiStateJSON": {}, "version": 1, "visState": { "aggs": [], "params": { "axis_formatter": "number", - "axis_min": 0, "axis_position": "left", "axis_scale": "normal", "default_index_pattern": "metricbeat-*", @@ -421,67 +889,64 @@ "drop_last_bucket": 0, "filter": { "language": "kuery", - "query": "" + "query": "aws.billing.group_definition.key : \"AZ\"" }, - "id": "729af8b0-152a-11ea-ae8f-79fec1a0d4d3", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "metricbeat-*", - "interval": "12h", + "interval": "\u003e=1d", "isModelInvalid": false, "series": [ { "axis_position": "right", - "chart_type": "line", - "color": "#3185FC", - "fill": 0, + "chart_type": "bar", + "color": "rgba(118,208,7,1)", + "fill": "1", "filter": { "language": "kuery", - "query": "" + "query": "aws.billing.group_definition.key : \"AZ\"" }, "formatter": "number", - "id": "729b1fc0-152a-11ea-ae8f-79fec1a0d4d3", - "label": "avg(aws.billing.metrics.EstimatedCharges.max)", - "line_width": 2, + "hide_in_legend": 1, + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "Total Unblended Cost", + "line_width": 1, "metrics": [ { - "field": "aws.billing.metrics.EstimatedCharges.max", - "id": "729b1fc1-152a-11ea-ae8f-79fec1a0d4d3", + "field": "aws.billing.UnblendedCost.amount", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", "type": "sum" } ], - "override_index_pattern": 0, - "point_size": "4", + "point_size": 1, "separate_axis": 0, - "series_drop_last_bucket": 0, - "split_color_mode": "rainbow", - "split_mode": "terms", + "split_color_mode": "kibana", + "split_mode": "filter", "stacked": "none", - "steps": 0, - "terms_field": "aws.dimensions.ServiceName", - "terms_include": "", - "terms_order_by": "729b1fc1-152a-11ea-ae8f-79fec1a0d4d3", - "terms_size": "10", - "type": "timeseries", - "value_template": "${{value}}" + "type": "timeseries" } ], - "show_grid": 1, + "show_grid": 0, "show_legend": 1, "time_field": "@timestamp", + "tooltip_mode": "show_all", "type": "timeseries" }, - "title": "Top 10 Billing per Service Name [Metricbeat AWS]", + "title": "Daily Unblended Cost [Metricbeat AWS]", "type": "metrics" } }, - "id": "31a4ea90-152b-11ea-841c-01bf20a6c8ba", + "id": "3e091620-e64b-11ea-a838-3f4a45f85600", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-02-04T13:56:47.812Z", - "version": "WzY3NjMsMV0=" + "updated_at": "2020-09-14T04:03:51.696Z", + "version": "WzY0NzUsOF0=" } ], - "version": "7.4.0" + "version": "7.9.0" } diff --git a/x-pack/metricbeat/module/aws/_meta/kibana/7/dashboard/Metricbeat-aws-ec2-overview.json b/x-pack/metricbeat/module/aws/_meta/kibana/7/dashboard/Metricbeat-aws-ec2-overview.json index 33dee279f76..faf25066393 100644 --- a/x-pack/metricbeat/module/aws/_meta/kibana/7/dashboard/Metricbeat-aws-ec2-overview.json +++ b/x-pack/metricbeat/module/aws/_meta/kibana/7/dashboard/Metricbeat-aws-ec2-overview.json @@ -1,778 +1,944 @@ { - "objects": [ - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "EC2 DiskIO Write Bytes [Metricbeat AWS]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "annotations": [], - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ - { - "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" - } - ], - "bar_color_rules": [ - { - "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" - } - ], - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "rgba(104,188,0,1)", - "fill": "0", - "filter": "", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "AWS EC2 DiskIO Write Bytes", - "line_width": 1, - "metrics": [ - { - "field": "aws.ec2.diskio.write.bytes", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } - ], - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 1, - "split_color_mode": "rainbow", - "split_mode": "terms", - "stacked": "none", - "steps": 0, - "terms_field": "cloud.instance.id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "terms_size": "5" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "@timestamp", - "type": "timeseries" - }, - "title": "AWS EC2 DiskIO Write Bytes", - "type": "metrics" - } + "objects": [ + { + "attributes": { + "description": "Overview of AWS EC2 Metrics", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "DiskIO Write Bytes" + }, + "gridData": { + "h": 15, + "i": "3", + "w": 24, + "x": 24, + "y": 16 + }, + "panelIndex": "3", + "panelRefName": "panel_0", + "title": "DiskIO Write Bytes", + "version": "7.9.1" + }, + { + "embeddableConfig": { + "title": "Status Check" + }, + "gridData": { + "h": 5, + "i": "5", + "w": 18, + "x": 6, + "y": 11 + }, + "panelIndex": "5", + "panelRefName": "panel_1", + "title": "Status Check", + "version": "7.9.1" + }, + { + "embeddableConfig": { + "title": "Network In Bytes" + }, + "gridData": { + "h": 15, + "i": "11", + "w": 24, + "x": 0, + "y": 31 + }, + "panelIndex": "11", + "panelRefName": "panel_2", + "title": "Network In Bytes", + "version": "7.9.1" + }, + { + "embeddableConfig": { + "title": "Network Out Bytes" + }, + "gridData": { + "h": 15, + "i": "12", + "w": 24, + "x": 24, + "y": 31 + }, + "panelIndex": "12", + "panelRefName": "panel_3", + "title": "Network Out Bytes", + "version": "7.9.1" + }, + { + "embeddableConfig": { + "title": "DiskIO Read Bytes" + }, + "gridData": { + "h": 15, + "i": "15", + "w": 24, + "x": 0, + "y": 16 + }, + "panelIndex": "15", + "panelRefName": "panel_4", + "title": "DiskIO Read Bytes", + "version": "7.9.1" + }, + { + "embeddableConfig": { + "title": "CPU Utilization" + }, + "gridData": { + "h": 16, + "i": "17", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "17", + "panelRefName": "panel_5", + "title": "CPU Utilization", + "version": "7.9.1" + }, + { + "embeddableConfig": { + "title": "Filters" + }, + "gridData": { + "h": 16, + "i": "18", + "w": 6, + "x": 0, + "y": 0 + }, + "panelIndex": "18", + "panelRefName": "panel_6", + "title": "Filters", + "version": "7.9.1" + }, + { + "embeddableConfig": { + "title": "Instance State" }, - "id": "fed59380-f7f8-11e8-af03-c999c9dea608-ecs", - "type": "visualization", - "updated_at": "2019-02-08T23:15:16.726Z", - "version": 6 + "gridData": { + "h": 11, + "i": "19", + "w": 18, + "x": 6, + "y": 0 + }, + "panelIndex": "19", + "panelRefName": "panel_7", + "title": "Instance State", + "version": "7.9.1" + } + ], + "timeRestore": false, + "title": "[Metricbeat AWS] EC2 Overview", + "version": 1 + }, + "id": "c5846400-f7fb-11e8-af03-c999c9dea608-ecs", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "fed59380-f7f8-11e8-af03-c999c9dea608-ecs", + "name": "panel_0", + "type": "visualization" }, { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "EC2 Status Check Failed [Metricbeat AWS]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ - { - "id": "d13f6b50-f7f6-11e8-bff8-21537b07dd44" - } - ], - "bar_color_rules": [ - { - "id": "ad6d62d0-f7f7-11e8-bff8-21537b07dd44" - } - ], - "gauge_color_rules": [ - { - "id": "b0c5b590-f7f7-11e8-bff8-21537b07dd44" - } - ], - "gauge_inner_width": 10, - "gauge_style": "half", - "gauge_width": 10, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "auto", - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "EC2 Status Check Failed", - "line_width": 1, - "metrics": [ - { - "field": "aws.ec2.status.check_failed", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "sum" - } - ], - "point_size": 1, - "separate_axis": 0, - "split_mode": "everything", - "stacked": "none", - "terms_field": "cloud.instance.id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "@timestamp", - "type": "metric" - }, - "title": "AWS EC2 Status Check Failed", - "type": "metrics" - } - }, - "id": "9e8c6030-f7f8-11e8-af03-c999c9dea608-ecs", - "type": "visualization", - "updated_at": "2019-02-08T23:15:16.726Z", - "version": 6 + "id": "9e8c6030-f7f8-11e8-af03-c999c9dea608-ecs", + "name": "panel_1", + "type": "visualization" }, { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "EC2 Network In Bytes [Metricbeat AWS]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "annotations": [], - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ - { - "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" - } - ], - "bar_color_rules": [ - { - "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" - } - ], - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "rgba(104,188,0,1)", - "fill": "0", - "filter": "", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "AWS EC2 Network In Bytes", - "line_width": 1, - "metrics": [ - { - "field": "aws.ec2.network.in.bytes", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } - ], - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 1, - "split_color_mode": "rainbow", - "split_mode": "terms", - "stacked": "none", - "steps": 0, - "terms_field": "cloud.instance.id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "terms_size": "5" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "@timestamp", - "type": "timeseries" - }, - "title": "AWS EC2 Network In Bytes", - "type": "metrics" - } - }, - "id": "15818fd0-f7f9-11e8-af03-c999c9dea608-ecs", - "type": "visualization", - "updated_at": "2019-02-08T23:15:16.726Z", - "version": 6 + "id": "15818fd0-f7f9-11e8-af03-c999c9dea608-ecs", + "name": "panel_2", + "type": "visualization" }, { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "EC2 Network Out Bytes [Metricbeat AWS]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "annotations": [], - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ - { - "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" - } - ], - "bar_color_rules": [ - { - "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" - } - ], - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "rgba(104,188,0,1)", - "fill": "0", - "filter": "", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "AWS EC2 Network Out Bytes", - "line_width": 1, - "metrics": [ - { - "field": "aws.ec2.network.out.bytes", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } - ], - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 1, - "split_color_mode": "rainbow", - "split_mode": "terms", - "stacked": "none", - "steps": 0, - "terms_field": "cloud.instance.id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "terms_size": "5" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "@timestamp", - "type": "timeseries" - }, - "title": "AWS EC2 Network Out Bytes", - "type": "metrics" - } - }, - "id": "233b3400-f7f9-11e8-af03-c999c9dea608-ecs", - "type": "visualization", - "updated_at": "2019-02-08T23:15:16.726Z", - "version": 6 + "id": "233b3400-f7f9-11e8-af03-c999c9dea608-ecs", + "name": "panel_3", + "type": "visualization" }, { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "EC2 DiskIO Read Bytes [Metricbeat AWS]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "annotations": [], - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ - { - "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" - } - ], - "bar_color_rules": [ - { - "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" - } - ], - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "rgba(104,188,0,1)", - "fill": "0", - "filter": "", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "AWS EC2 DiskIO Read Bytes", - "line_width": 1, - "metrics": [ - { - "field": "aws.ec2.diskio.read.bytes", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } - ], - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 1, - "split_color_mode": "rainbow", - "split_mode": "terms", - "stacked": "none", - "steps": 0, - "terms_field": "cloud.instance.id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "terms_size": "5" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "@timestamp", - "type": "timeseries" - }, - "title": "AWS EC2 DiskIO Read Bytes", - "type": "metrics" - } - }, - "id": "f1db6ec0-f7f8-11e8-af03-c999c9dea608-ecs", - "type": "visualization", - "updated_at": "2019-02-08T23:15:16.726Z", - "version": 6 + "id": "f1db6ec0-f7f8-11e8-af03-c999c9dea608-ecs", + "name": "panel_4", + "type": "visualization" }, { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "EC2 CPU Utilization [Metricbeat AWS]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "annotations": [], - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ - { - "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" - } - ], - "bar_color_rules": [ - { - "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" - } - ], - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "rgba(104,188,0,1)", - "fill": "0", - "filter": "", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "AWS EC2 CPU Utilization", - "line_width": 1, - "metrics": [ - { - "field": "aws.ec2.cpu.total.pct", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } - ], - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 1, - "split_color_mode": "rainbow", - "split_mode": "terms", - "stacked": "none", - "steps": 0, - "terms_field": "cloud.instance.id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "terms_size": "5" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "@timestamp", - "type": "timeseries" - }, - "title": "AWS EC2 CPU Utilization", - "type": "metrics" - } - }, - "id": "be8828d0-f7f6-11e8-af03-c999c9dea608-ecs", - "type": "visualization", - "updated_at": "2019-02-08T23:15:16.726Z", - "version": 6 + "id": "be8828d0-f7f6-11e8-af03-c999c9dea608-ecs", + "name": "panel_5", + "type": "visualization" }, { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "Filters [Metricbeat AWS]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "controls": [ - { - "fieldName": "cloud.region", - "id": "1549397251041", - "indexPattern": "metricbeat-*", - "label": "region", - "options": { - "dynamicOptions": true, - "multiselect": true, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" - }, - { - "fieldName": "cloud.availability_zone", - "id": "1549512126406", - "indexPattern": "metricbeat-*", - "label": "availability zone", - "options": { - "dynamicOptions": true, - "multiselect": true, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" - }, - { - "fieldName": "cloud.machine.type", - "id": "1549512142947", - "indexPattern": "metricbeat-*", - "label": "machine type", - "options": { - "dynamicOptions": true, - "multiselect": true, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" - } - ], - "pinFilters": false, - "updateFiltersOnChange": true, - "useTimeFilter": false - }, - "title": "AWS Filters", - "type": "input_control_vis" - } - }, - "id": "deab0260-2981-11e9-86eb-a3a07a77f530", - "type": "visualization", - "updated_at": "2019-02-08T23:32:53.876Z", - "version": 12 + "id": "deab0260-2981-11e9-86eb-a3a07a77f530", + "name": "panel_6", + "type": "visualization" }, { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "index": "metricbeat-*", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "EC2 Instance State [Metricbeat AWS]", - "uiStateJSON": { - "vis": { - "colors": { - "16": "#629E51", - "272": "#DEDAF7", - "80": "#E24D42", - "running": "#7EB26D", - "stopped": "#E24D42" - }, - "legendOpen": true - } + "id": "09db13f0-2bdd-11e9-9fe1-cde861544141", + "name": "panel_7", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-09-15T16:57:30.054Z", + "version": "WzEyNjksMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "EC2 DiskIO Write Bytes [Metricbeat AWS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "annotations": [], + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" + } + ], + "bar_color_rules": [ + { + "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "5m", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": "", + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "AWS EC2 DiskIO Write Bytes", + "line_width": "2", + "metrics": [ + { + "field": "aws.ec2.diskio.write.bytes", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "avg" + } + ], + "point_size": "3", + "separate_axis": 0, + "series_drop_last_bucket": 1, + "split_color_mode": "rainbow", + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_field": "cloud.instance.id", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", + "terms_size": "10" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "tooltip_mode": "show_all", + "type": "timeseries" + }, + "title": "EC2 DiskIO Write Bytes [Metricbeat AWS]", + "type": "metrics" + } + }, + "id": "fed59380-f7f8-11e8-af03-c999c9dea608-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-15T16:55:57.556Z", + "version": "WzEyNTQsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "EC2 Status Check Failed [Metricbeat AWS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "d13f6b50-f7f6-11e8-bff8-21537b07dd44" + } + ], + "bar_color_rules": [ + { + "id": "ad6d62d0-f7f7-11e8-bff8-21537b07dd44" + } + ], + "gauge_color_rules": [ + { + "id": "b0c5b590-f7f7-11e8-bff8-21537b07dd44" + } + ], + "gauge_inner_width": 10, + "gauge_style": "half", + "gauge_width": 10, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "EC2 Status Check Failed", + "line_width": 1, + "metrics": [ + { + "field": "aws.ec2.status.check_failed", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "sum" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "terms_field": "cloud.instance.id", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "metric" + }, + "title": "AWS EC2 Status Check Failed", + "type": "metrics" + } + }, + "id": "9e8c6030-f7f8-11e8-af03-c999c9dea608-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-15T16:01:03.887Z", + "version": "WzEwMiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "EC2 Network In Bytes [Metricbeat AWS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "annotations": [], + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" + } + ], + "bar_color_rules": [ + { + "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "\u003e=5m", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": "", + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "AWS EC2 Network In Bytes", + "line_width": "2", + "metrics": [ + { + "field": "aws.ec2.network.in.bytes", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "avg" + } + ], + "point_size": "3", + "separate_axis": 0, + "series_drop_last_bucket": 1, + "split_color_mode": "rainbow", + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_field": "cloud.instance.id", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", + "terms_size": "10" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "tooltip_mode": "show_all", + "type": "timeseries" + }, + "title": "EC2 Network In Bytes [Metricbeat AWS]", + "type": "metrics" + } + }, + "id": "15818fd0-f7f9-11e8-af03-c999c9dea608-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-15T16:50:36.078Z", + "version": "WzExOTEsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "EC2 Network Out Bytes [Metricbeat AWS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "annotations": [], + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" + } + ], + "bar_color_rules": [ + { + "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "\u003e=5m", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": "", + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "AWS EC2 Network Out Bytes", + "line_width": "2", + "metrics": [ + { + "field": "aws.ec2.network.out.bytes", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "avg" + } + ], + "point_size": "3", + "separate_axis": 0, + "series_drop_last_bucket": 1, + "split_color_mode": "rainbow", + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_field": "cloud.instance.id", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", + "terms_size": "10" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "tooltip_mode": "show_all", + "type": "timeseries" + }, + "title": "EC2 Network Out Bytes [Metricbeat AWS]", + "type": "metrics" + } + }, + "id": "233b3400-f7f9-11e8-af03-c999c9dea608-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-15T16:50:59.719Z", + "version": "WzExOTMsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "EC2 DiskIO Read Bytes [Metricbeat AWS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "annotations": [], + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" + } + ], + "bar_color_rules": [ + { + "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "\u003e=5m", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "" }, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "EC2 Instance State" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "", - "field": "aws.ec2.instance.state.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTooltip": true, - "isDonut": false, - "labels": { - "last_level": true, - "show": true, - "truncate": 100, - "values": true - }, - "legendPosition": "right", - "type": "pie" - }, - "title": "AWS EC2 Instance State", - "type": "pie" - } - }, - "id": "09db13f0-2bdd-11e9-9fe1-cde861544141", - "type": "visualization", - "updated_at": "2019-02-09T00:03:45.800Z", - "version": 5 + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "AWS EC2 DiskIO Read Bytes", + "line_width": "2", + "metrics": [ + { + "field": "aws.ec2.diskio.read.bytes", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "avg" + } + ], + "point_size": "3", + "separate_axis": 0, + "series_drop_last_bucket": 1, + "split_color_mode": "rainbow", + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_field": "cloud.instance.id", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", + "terms_size": "10" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "tooltip_mode": "show_all", + "type": "timeseries" + }, + "title": "EC2 DiskIO Read Bytes [Metricbeat AWS]", + "type": "metrics" + } + }, + "id": "f1db6ec0-f7f8-11e8-af03-c999c9dea608-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-15T16:55:49.460Z", + "version": "WzEyNTMsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } }, - { - "attributes": { - "description": "Overview of AWS EC2 Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "title": "EC2 CPU Utilization [Metricbeat AWS] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "annotations": [], + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" + } + ], + "bar_color_rules": [ + { + "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "\u003e=5m", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": "", + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "AWS EC2 CPU Utilization ECS", + "line_width": "2", + "metrics": [ + { + "field": "aws.ec2.cpu.total.pct", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "avg" + } + ], + "point_size": "3", + "separate_axis": 0, + "series_drop_last_bucket": 1, + "split_color_mode": "rainbow", + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_field": "cloud.instance.id", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", + "terms_size": "10" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "tooltip_mode": "show_all", + "type": "timeseries" + }, + "title": "EC2 CPU Utilization [Metricbeat AWS] ECS", + "type": "metrics" + } + }, + "id": "be8828d0-f7f6-11e8-af03-c999c9dea608-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-15T16:57:23.961Z", + "version": "WzEyNjgsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "AWS Account Filter [Metricbeat AWS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "controls": [ + { + "fieldName": "cloud.account.name", + "id": "1549397251041", + "indexPatternRefName": "control_0_index_pattern", + "label": "account name", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" }, - "optionsJSON": { - "darkTheme": false, - "hidePanelTitles": false, - "useMargins": true + "parent": "", + "type": "list" + }, + { + "fieldName": "cloud.region", + "id": "1600187617334", + "indexPatternRefName": "control_1_index_pattern", + "label": "region", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" }, - "panelsJSON": [ - { - "embeddableConfig": {}, - "gridData": { - "h": 15, - "i": "3", - "w": 24, - "x": 24, - "y": 27 - }, - "id": "fed59380-f7f8-11e8-af03-c999c9dea608-ecs", - "panelIndex": "3", - "type": "visualization", - "version": "6.5.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 12, - "i": "5", - "w": 12, - "x": 36, - "y": 0 - }, - "id": "9e8c6030-f7f8-11e8-af03-c999c9dea608-ecs", - "panelIndex": "5", - "type": "visualization", - "version": "6.5.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 15, - "i": "11", - "w": 24, - "x": 0, - "y": 42 - }, - "id": "15818fd0-f7f9-11e8-af03-c999c9dea608-ecs", - "panelIndex": "11", - "type": "visualization", - "version": "6.5.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 15, - "i": "12", - "w": 24, - "x": 24, - "y": 42 - }, - "id": "233b3400-f7f9-11e8-af03-c999c9dea608-ecs", - "panelIndex": "12", - "type": "visualization", - "version": "6.5.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 15, - "i": "15", - "w": 24, - "x": 0, - "y": 27 - }, - "id": "f1db6ec0-f7f8-11e8-af03-c999c9dea608-ecs", - "panelIndex": "15", - "type": "visualization", - "version": "6.5.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 15, - "i": "17", - "w": 48, - "x": 0, - "y": 12 - }, - "id": "be8828d0-f7f6-11e8-af03-c999c9dea608-ecs", - "panelIndex": "17", - "type": "visualization", - "version": "6.5.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 12, - "i": "18", - "w": 17, - "x": 0, - "y": 0 - }, - "id": "deab0260-2981-11e9-86eb-a3a07a77f530", - "panelIndex": "18", - "type": "visualization", - "version": "6.6.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 12, - "i": "19", - "w": 19, - "x": 17, - "y": 0 - }, - "id": "09db13f0-2bdd-11e9-9fe1-cde861544141", - "panelIndex": "19", - "type": "visualization", - "version": "6.6.0" - } - ], - "timeRestore": false, - "title": "[Metricbeat AWS] EC2 Overview", - "version": 1 + "parent": "", + "type": "list" + }, + { + "fieldName": "cloud.instance.name", + "id": "1600187931107", + "indexPatternRefName": "control_2_index_pattern", + "label": "instance name", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": true, + "useTimeFilter": false + }, + "title": "AWS Account Filter [Metricbeat AWS]", + "type": "input_control_vis" + } + }, + "id": "deab0260-2981-11e9-86eb-a3a07a77f530", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "metricbeat-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_2_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-15T16:39:11.261Z", + "version": "WzEwNjYsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "EC2 Instance State [Metricbeat AWS] ECS", + "uiStateJSON": { + "vis": { + "colors": { + "16": "#629E51", + "272": "#DEDAF7", + "80": "#E24D42", + "running": "#7EB26D", + "stopped": "#E24D42" + }, + "legendOpen": true + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "EC2 Instance State" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "", + "field": "aws.ec2.instance.state.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": false, + "labels": { + "last_level": true, + "show": true, + "truncate": 100, + "values": true }, - "id": "c5846400-f7fb-11e8-af03-c999c9dea608-ecs", - "type": "dashboard", - "updated_at": "2019-02-09T00:05:11.360Z", - "version": 9 + "legendPosition": "right", + "type": "pie" + }, + "title": "EC2 Instance State [Metricbeat AWS] ECS", + "type": "pie" + } + }, + "id": "09db13f0-2bdd-11e9-9fe1-cde861544141", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "metricbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" } - ], - "version": "6.6.0" + ], + "type": "visualization", + "updated_at": "2020-09-15T16:01:08.017Z", + "version": "WzE0MywxXQ==" + } + ], + "version": "7.9.1" } diff --git a/x-pack/metricbeat/module/aws/aws.go b/x-pack/metricbeat/module/aws/aws.go index 983d44ee47b..f7b744c27cb 100644 --- a/x-pack/metricbeat/module/aws/aws.go +++ b/x-pack/metricbeat/module/aws/aws.go @@ -12,6 +12,7 @@ import ( "github.com/aws/aws-sdk-go-v2/service/ec2" "github.com/aws/aws-sdk-go-v2/service/ec2/ec2iface" "github.com/aws/aws-sdk-go-v2/service/iam" + "github.com/aws/aws-sdk-go-v2/service/iam/iamiface" "github.com/aws/aws-sdk-go-v2/service/rds" "github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi" "github.com/aws/aws-sdk-go-v2/service/sts" @@ -92,6 +93,7 @@ func NewMetricSet(base mb.BaseMetricSet) (*MetricSet, error) { base.Logger().Debug("Metricset level config for period: ", metricSet.Period) base.Logger().Debug("Metricset level config for tags filter: ", metricSet.TagsFilter) + base.Logger().Warn("extra charges on AWS API requests will be generated by this metricset") // Get IAM account name, set region by aws_partition, default is aws global partition // refer https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html @@ -103,20 +105,6 @@ func NewMetricSet(base mb.BaseMetricSet) (*MetricSet, error) { default: awsConfig.Region = "us-east-1" } - svcIam := iam.New(awscommon.EnrichAWSConfigWithEndpoint( - config.AWSConfig.Endpoint, "iam", "", awsConfig)) - req := svcIam.ListAccountAliasesRequest(&iam.ListAccountAliasesInput{}) - output, err := req.Send(context.TODO()) - if err != nil { - base.Logger().Warn("failed to list account aliases, please check permission setting: ", err) - } else { - // There can be more than one aliases for each account, for now we are only - // collecting the first one. - if output.AccountAliases != nil { - metricSet.AccountName = output.AccountAliases[0] - base.Logger().Debug("AWS Credentials belong to account name: ", metricSet.AccountName) - } - } // Get IAM account id svcSts := sts.New(awscommon.EnrichAWSConfigWithEndpoint( @@ -130,6 +118,11 @@ func NewMetricSet(base mb.BaseMetricSet) (*MetricSet, error) { base.Logger().Debug("AWS Credentials belong to account ID: ", metricSet.AccountID) } + // Get account name/alias + svcIam := iam.New(awscommon.EnrichAWSConfigWithEndpoint( + config.AWSConfig.Endpoint, "iam", "", awsConfig)) + metricSet.AccountName = getAccountName(svcIam, base, metricSet) + // Construct MetricSet with a full regions list if config.Regions == nil { svcEC2 := ec2.New(awscommon.EnrichAWSConfigWithEndpoint( @@ -164,6 +157,30 @@ func getRegions(svc ec2iface.ClientAPI) (completeRegionsList []string, err error return } +func getAccountName(svc iamiface.ClientAPI, base mb.BaseMetricSet, metricSet MetricSet) string { + req := svc.ListAccountAliasesRequest(&iam.ListAccountAliasesInput{}) + output, err := req.Send(context.TODO()) + + accountName := metricSet.AccountID + if err != nil { + base.Logger().Warn("failed to list account aliases, please check permission setting: ", err) + return accountName + } + + // When there is no account alias, account ID will be used as cloud.account.name + if len(output.AccountAliases) == 0 { + accountName = metricSet.AccountID + base.Logger().Debug("AWS Credentials belong to account ID: ", metricSet.AccountID) + return accountName + } + + // There can be more than one aliases for each account, for now we are only + // collecting the first one. + accountName = output.AccountAliases[0] + base.Logger().Debug("AWS Credentials belong to account name: ", metricSet.AccountName) + return accountName +} + // StringInSlice checks if a string is already exists in list and its location func StringInSlice(str string, list []string) (bool, int) { for idx, v := range list { diff --git a/x-pack/metricbeat/module/aws/billing/_meta/data.json b/x-pack/metricbeat/module/aws/billing/_meta/data.json index df5fece2194..46b66885830 100644 --- a/x-pack/metricbeat/module/aws/billing/_meta/data.json +++ b/x-pack/metricbeat/module/aws/billing/_meta/data.json @@ -2,18 +2,35 @@ "@timestamp": "2017-10-12T08:05:34.853Z", "aws": { "billing": { - "metrics": { - "EstimatedCharges": { - "max": 0 - } - } - }, - "cloudwatch": { - "namespace": "AWS/Billing" - }, - "dimensions": { - "Currency": "USD", - "ServiceName": "AmazonSNS" + "AmortizedCost": { + "amount": 0.6949203833, + "unit": "USD" + }, + "BlendedCost": { + "amount": 0.6949203833, + "unit": "USD" + }, + "NormalizedUsageAmount": { + "amount": 12, + "unit": "N/A" + }, + "UnblendedCost": { + "amount": 0.6949203833, + "unit": "USD" + }, + "UsageQuantity": { + "amount": 312.7086043154, + "unit": "N/A" + }, + "end_date": "2020-08-24", + "group_by": { + "AZ": "eu-central-1" + }, + "group_definition": { + "key": "AZ", + "type": "DIMENSION" + }, + "start_date": "2020-08-23" } }, "cloud": { @@ -21,8 +38,7 @@ "id": "428152502467", "name": "elastic-beats" }, - "provider": "aws", - "region": "us-east-1" + "provider": "aws" }, "event": { "dataset": "aws.billing", diff --git a/x-pack/metricbeat/module/aws/billing/_meta/data_cloudwatch.json b/x-pack/metricbeat/module/aws/billing/_meta/data_cloudwatch.json new file mode 100644 index 00000000000..4ee0ef22520 --- /dev/null +++ b/x-pack/metricbeat/module/aws/billing/_meta/data_cloudwatch.json @@ -0,0 +1,29 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "aws": { + "billing": { + "Currency": "USD", + "EstimatedCharges": 0, + "ServiceName": "AmazonDynamoDB" + } + }, + "cloud": { + "account": { + "id": "428152502467", + "name": "elastic-beats" + }, + "provider": "aws" + }, + "event": { + "dataset": "aws.billing", + "duration": 115000, + "module": "aws" + }, + "metricset": { + "name": "billing", + "period": 10000 + }, + "service": { + "type": "aws" + } +} \ No newline at end of file diff --git a/x-pack/metricbeat/module/aws/billing/_meta/data_group_by_instance_type.json b/x-pack/metricbeat/module/aws/billing/_meta/data_group_by_instance_type.json new file mode 100644 index 00000000000..a5109dd8e54 --- /dev/null +++ b/x-pack/metricbeat/module/aws/billing/_meta/data_group_by_instance_type.json @@ -0,0 +1,55 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "aws": { + "billing": { + "AmortizedCost": { + "amount": 44.64, + "unit": "USD" + }, + "BlendedCost": { + "amount": 44.64, + "unit": "USD" + }, + "NormalizedUsageAmount": { + "amount": 576, + "unit": "N/A" + }, + "UnblendedCost": { + "amount": 44.64, + "unit": "USD" + }, + "UsageQuantity": { + "amount": 144, + "unit": "N/A" + }, + "end_date": "2020-08-24", + "group_by": { + "INSTANCE_TYPE": "db.r5.large" + }, + "group_definition": { + "key": "INSTANCE_TYPE", + "type": "DIMENSION" + }, + "start_date": "2020-08-23" + } + }, + "cloud": { + "account": { + "id": "428152502467", + "name": "elastic-beats" + }, + "provider": "aws" + }, + "event": { + "dataset": "aws.billing", + "duration": 115000, + "module": "aws" + }, + "metricset": { + "name": "billing", + "period": 10000 + }, + "service": { + "type": "aws" + } +} \ No newline at end of file diff --git a/x-pack/metricbeat/module/aws/billing/_meta/docs.asciidoc b/x-pack/metricbeat/module/aws/billing/_meta/docs.asciidoc index 0e0b4ffb624..90b8f88da87 100644 --- a/x-pack/metricbeat/module/aws/billing/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/aws/billing/_meta/docs.asciidoc @@ -1,13 +1,8 @@ -You can monitor your estimated AWS charges by using Amazon CloudWatch. When you -enable the monitoring of estimated charges for your AWS account, the estimated -charges are calculated and sent several times daily to CloudWatch as metric data. +You can monitor your estimated AWS charges by using Amazon CloudWatch and Cost +Explorer. -Billing metric data is stored in the US East (N. Virginia) Region and represents -worldwide charges. This data includes the estimated charges for every service in -AWS that you use, in addition to the estimated overall total of your AWS charges. - -This aws `billing` metricset collects these Cloudwatch metrics for monitoring -purposes. +This aws `billing` metricset collects metrics both from Cloudwatch and cost +explorer for monitoring purposes. [float] === AWS Permissions @@ -19,6 +14,7 @@ cloudwatch:ListMetrics tag:getResources sts:GetCallerIdentity iam:ListAccountAliases +ce:GetCostAndUsage ---- [float] @@ -33,18 +29,28 @@ image::./images/metricbeat-aws-billing-overview.png[] [source,yaml] ---- - module: aws - period: 12h + period: 24h metricsets: - billing - # This module uses the aws cloudwatch metricset, all - # the options for this metricset are also available here. + credential_profile_name: elastic-beats + cost_explorer_config: + group_by_dimension_keys: + - "AZ" + - "INSTANCE_TYPE" + - "SERVICE" + group_by_tag_keys: + - "aws:createdBy" ---- [float] -=== Metrics -|=== -|Metric Name|Statistic Method -|EstimatedCharges | Maximum -|=== +=== Metricset-specific configuration notes +When querying AWS Cost Explorer API, you can group AWS costs using up to two +different groups, either dimensions, tag keys, or both. Right now we support +group by type dimension and type tag with separate config parameters: + +* *group_by_dimension_keys*: A list of keys used in Cost Explorer to group by +dimensions. Valid values are AZ, INSTANCE_TYPE, LEGAL_ENTITY_NAME, +LINKED_ACCOUNT, OPERATION, PLATFORM, PURCHASE_TYPE, SERVICE, TAGS, TENANCY, and +USAGE_TYPE. -Supported dimensions for billing metrics: Currency and ServiceName. +* *group_by_tag_keys*: A list of keys used in Cost Explorer to group by tags. diff --git a/x-pack/metricbeat/module/aws/billing/_meta/fields.yml b/x-pack/metricbeat/module/aws/billing/_meta/fields.yml index 2b246415653..0452be75ab4 100644 --- a/x-pack/metricbeat/module/aws/billing/_meta/fields.yml +++ b/x-pack/metricbeat/module/aws/billing/_meta/fields.yml @@ -4,9 +4,78 @@ `billing` contains the estimated charges for your AWS account in Cloudwatch. release: beta fields: - - name: metrics + - name: EstimatedCharges + type: long + description: Maximum estimated charges for AWS acccount. + - name: Currency + type: keyword + description: Estimated charges currency unit. + - name: ServiceName + type: keyword + description: Service name for the maximum estimated charges. + - name: AmortizedCost type: group fields: - - name: EstimatedCharges.max - type: long - description: Maximum estimated charges for AWS acccount. + - name: amount + type: double + description: Amortized cost amount + - name: unit + type: keyword + description: Amortized cost unit + - name: BlendedCost + type: group + fields: + - name: amount + type: double + description: Blended cost amount + - name: unit + type: keyword + description: Blended cost unit + - name: NormalizedUsageAmount + type: group + fields: + - name: amount + type: double + description: Normalized usage amount + - name: unit + type: keyword + description: Normalized usage amount unit + - name: UnblendedCost + type: group + fields: + - name: amount + type: double + description: Unblended cost amount + - name: unit + type: keyword + description: Unblended cost unit + - name: UsageQuantity + type: group + fields: + - name: amount + type: double + description: Usage quantity amount + - name: unit + type: keyword + description: Usage quantity unit + - name: start_date + type: keyword + description: Start date for retrieving AWS costs + - name: end_date + type: keyword + description: End date for retrieving AWS costs + - name: group_definition + type: group + fields: + - name: key + type: keyword + description: The string that represents a key for a specified group + - name: type + type: keyword + description: The string that represents the type of group + - name: group_by.* + type: object + object_type: keyword + object_type_mapping_type: "*" + description: > + Cost explorer group by key values diff --git a/x-pack/metricbeat/module/aws/billing/billing.go b/x-pack/metricbeat/module/aws/billing/billing.go new file mode 100644 index 00000000000..2eb2bd2854a --- /dev/null +++ b/x-pack/metricbeat/module/aws/billing/billing.go @@ -0,0 +1,407 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package billing + +import ( + "context" + "crypto/sha256" + "encoding/hex" + "fmt" + "strconv" + "strings" + "time" + + awssdk "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/cloudwatch" + "github.com/aws/aws-sdk-go-v2/service/cloudwatch/cloudwatchiface" + "github.com/aws/aws-sdk-go-v2/service/costexplorer" + "github.com/aws/aws-sdk-go-v2/service/costexplorer/costexploreriface" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/metricbeat/mb" + awscommon "github.com/elastic/beats/v7/x-pack/libbeat/common/aws" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws" +) + +var ( + metricsetName = "billing" + regionName = "us-east-1" + labelSeparator = "|" + + // This list is from https://github.com/aws/aws-sdk-go-v2/blob/master/service/costexplorer/api_enums.go#L60-L90 + supportedDimensionKeys = []string{ + "AZ", "INSTANCE_TYPE", "LINKED_ACCOUNT", "OPERATION", "PURCHASE_TYPE", + "REGION", "SERVICE", "USAGE_TYPE", "USAGE_TYPE_GROUP", "RECORD_TYPE", + "OPERATING_SYSTEM", "TENANCY", "SCOPE", "PLATFORM", "SUBSCRIPTION_ID", + "LEGAL_ENTITY_NAME", "DEPLOYMENT_OPTION", "DATABASE_ENGINE", + "CACHE_ENGINE", "INSTANCE_TYPE_FAMILY", "BILLING_ENTITY", + "RESERVATION_ID", + } + + dateLayout = "2006-01-02" +) + +// init registers the MetricSet with the central registry as soon as the program +// starts. The New function will be called later to instantiate an instance of +// the MetricSet for each host defined in the module's configuration. After the +// MetricSet has been created then Fetch will begin to be called periodically. +func init() { + mb.Registry.MustAddMetricSet(aws.ModuleName, metricsetName, New, + mb.DefaultMetricSet(), + ) +} + +// MetricSet holds any configuration or state information. It must implement +// the mb.MetricSet interface. And this is best achieved by embedding +// mb.BaseMetricSet because it implements all of the required mb.MetricSet +// interface methods except for Fetch. +type MetricSet struct { + *aws.MetricSet + logger *logp.Logger + CostExplorerConfig CostExplorerConfig `config:"cost_explorer_config"` +} + +// Config holds a configuration specific for billing metricset. +type CostExplorerConfig struct { + GroupByDimensionKeys []string `config:"group_by_dimension_keys"` + GroupByTagKeys []string `config:"group_by_tag_keys"` +} + +// New creates a new instance of the MetricSet. New is responsible for unpacking +// any MetricSet specific configuration options if there are any. +func New(base mb.BaseMetricSet) (mb.MetricSet, error) { + logger := logp.NewLogger(metricsetName) + metricSet, err := aws.NewMetricSet(base) + if err != nil { + return nil, fmt.Errorf("error creating aws metricset: %w", err) + } + + config := struct { + CostExplorerConfig CostExplorerConfig `config:"cost_explorer_config"` + }{} + + err = base.Module().UnpackConfig(&config) + if err != nil { + return nil, fmt.Errorf("error unpack raw module config using UnpackConfig: %w", err) + } + + logger.Debugf("cost explorer config = %s", config) + + return &MetricSet{ + MetricSet: metricSet, + logger: logger, + CostExplorerConfig: config.CostExplorerConfig, + }, nil +} + +// Validate checks if given dimension keys are supported. +func (c CostExplorerConfig) Validate() error { + for _, key := range c.GroupByDimensionKeys { + supported, _ := aws.StringInSlice(key, supportedDimensionKeys) + if !supported { + return fmt.Errorf("costexplorer GetCostAndUsageRequest does not support dimension key: %s", key) + } + } + return nil +} + +// Fetch methods implements the data gathering and data conversion to the right +// format. It publishes the event which is then forwarded to the output. In case +// of an error set the Error field of mb.Event or simply call report.Error(). +func (m *MetricSet) Fetch(report mb.ReporterV2) error { + // Get startDate and endDate + startDate, endDate := getStartDateEndDate(m.Period) + + // Get startTime and endTime + startTime, endTime := aws.GetStartTimeEndTime(m.Period) + + // get cost metrics from cost explorer + awsConfig := m.MetricSet.AwsConfig.Copy() + svcCostExplorer := costexplorer.New(awscommon.EnrichAWSConfigWithEndpoint( + m.Endpoint, "monitoring", "", awsConfig)) + + awsConfig.Region = regionName + svcCloudwatch := cloudwatch.New(awscommon.EnrichAWSConfigWithEndpoint( + m.Endpoint, "monitoring", regionName, awsConfig)) + + timePeriod := costexplorer.DateInterval{ + Start: awssdk.String(startDate), + End: awssdk.String(endDate), + } + + var events []mb.Event + + // Get estimated charges from CloudWatch + eventsCW := m.getCloudWatchBillingMetrics(svcCloudwatch, startTime, endTime) + events = append(events, eventsCW...) + + // Get total cost from Cost Explorer GetCostAndUsage with group by type "DIMENSION" and "TAG" + eventsCE := m.getCostGroupBy(svcCostExplorer, m.CostExplorerConfig.GroupByDimensionKeys, m.CostExplorerConfig.GroupByTagKeys, timePeriod, startDate, endDate) + events = append(events, eventsCE...) + + // report events + for _, event := range events { + if reported := report.Event(event); !reported { + m.Logger().Debug("Fetch interrupted, failed to emit event") + return nil + } + } + return nil +} + +func (m *MetricSet) getCloudWatchBillingMetrics( + svcCloudwatch cloudwatchiface.ClientAPI, + startTime time.Time, + endTime time.Time) []mb.Event { + var events []mb.Event + namespace := "AWS/Billing" + listMetricsOutput, err := aws.GetListMetricsOutput(namespace, regionName, svcCloudwatch) + if err != nil { + m.Logger().Error(err.Error()) + return nil + } + + if listMetricsOutput == nil || len(listMetricsOutput) == 0 { + return events + } + + metricDataQueriesTotal := constructMetricQueries(listMetricsOutput, m.Period) + metricDataOutput, err := aws.GetMetricDataResults(metricDataQueriesTotal, svcCloudwatch, startTime, endTime) + if err != nil { + err = fmt.Errorf("aws GetMetricDataResults failed with %w, skipping region %s", err, regionName) + m.Logger().Error(err.Error()) + return nil + } + + // Find a timestamp for all metrics in output + timestamp := aws.FindTimestamp(metricDataOutput) + if !timestamp.IsZero() { + for _, output := range metricDataOutput { + if len(output.Values) == 0 { + continue + } + exists, timestampIdx := aws.CheckTimestampInArray(timestamp, output.Timestamps) + if exists { + labels := strings.Split(*output.Label, labelSeparator) + + event := aws.InitEvent("", m.AccountName, m.AccountID) + event.MetricSetFields.Put(labels[0], output.Values[timestampIdx]) + + i := 1 + for i < len(labels)-1 { + event.MetricSetFields.Put(labels[i], labels[i+1]) + i += 2 + } + event.Timestamp = endTime + events = append(events, event) + } + } + } + return events +} + +func (m *MetricSet) getCostGroupBy(svcCostExplorer costexploreriface.ClientAPI, groupByDimKeys []string, groupByTags []string, timePeriod costexplorer.DateInterval, startDate string, endDate string) []mb.Event { + var events []mb.Event + + groupBys := getGroupBys(groupByTags, groupByDimKeys) + for _, groupBy := range groupBys { + var groupDefs []costexplorer.GroupDefinition + + if groupBy.dimension != "" { + groupDefs = append(groupDefs, costexplorer.GroupDefinition{ + Key: awssdk.String(groupBy.dimension), + Type: costexplorer.GroupDefinitionTypeDimension, + }) + } + + if groupBy.tag != "" { + groupDefs = append(groupDefs, costexplorer.GroupDefinition{ + Key: awssdk.String(groupBy.tag), + Type: costexplorer.GroupDefinitionTypeTag, + }) + } + + groupByCostInput := costexplorer.GetCostAndUsageInput{ + Granularity: costexplorer.GranularityDaily, + // no permission for "NetAmortizedCost" and "NetUnblendedCost" + Metrics: []string{"AmortizedCost", "BlendedCost", + "NormalizedUsageAmount", "UnblendedCost", "UsageQuantity"}, + TimePeriod: &timePeriod, + // Only two values for GroupBy are allowed + GroupBy: groupDefs, + } + + groupByCostReq := svcCostExplorer.GetCostAndUsageRequest(&groupByCostInput) + groupByOutput, err := groupByCostReq.Send(context.Background()) + if err != nil { + err = fmt.Errorf("costexplorer GetCostAndUsageRequest failed: %w", err) + m.Logger().Errorf(err.Error()) + return nil + } + + if len(groupByOutput.ResultsByTime) > 0 { + costResultGroups := groupByOutput.ResultsByTime[0].Groups + for _, group := range costResultGroups { + event := m.addCostMetrics(group.Metrics, groupByOutput.GroupDefinitions[0], startDate, endDate) + + // generate unique event ID for each event + eventID := startDate + endDate + *groupByOutput.GroupDefinitions[0].Key + string(groupByOutput.GroupDefinitions[0].Type) + for _, key := range group.Keys { + eventID += key + // key value like db.t2.micro or Amazon Simple Queue Service belongs to dimension + if !strings.Contains(key, "$") { + event.MetricSetFields.Put("group_by."+groupBy.dimension, key) + continue + } + + // tag key value is separated by $ + tagKey, tagValue := parseGroupKey(key) + if tagValue != "" { + event.MetricSetFields.Put("group_by."+tagKey, tagValue) + } + } + + t, err := time.Parse(dateLayout, endDate) + if err == nil { + event.Timestamp = t + } + + event.ID = generateEventID(eventID) + events = append(events, event) + } + } + } + return events +} + +func (m *MetricSet) addCostMetrics(metrics map[string]costexplorer.MetricValue, groupDefinition costexplorer.GroupDefinition, startDate string, endDate string) mb.Event { + event := aws.InitEvent("", m.AccountName, m.AccountID) + + // add group definition + event.MetricSetFields.Put("group_definition", common.MapStr{ + "key": *groupDefinition.Key, + "type": groupDefinition.Type, + }) + + for metricName, metricValues := range metrics { + cost := metricValues + costFloat, err := strconv.ParseFloat(*cost.Amount, 64) + if err != nil { + err = fmt.Errorf("strconv ParseFloat failed: %w", err) + m.Logger().Errorf(err.Error()) + continue + } + + value := common.MapStr{ + "amount": costFloat, + "unit": &cost.Unit, + } + + event.MetricSetFields.Put(metricName, value) + event.MetricSetFields.Put("start_date", startDate) + event.MetricSetFields.Put("end_date", endDate) + } + return event +} + +func constructMetricQueries(listMetricsOutput []cloudwatch.Metric, period time.Duration) []cloudwatch.MetricDataQuery { + var metricDataQueries []cloudwatch.MetricDataQuery + metricDataQueryEmpty := cloudwatch.MetricDataQuery{} + for i, listMetric := range listMetricsOutput { + metricDataQuery := createMetricDataQuery(listMetric, i, period) + if metricDataQuery == metricDataQueryEmpty { + continue + } + metricDataQueries = append(metricDataQueries, metricDataQuery) + } + return metricDataQueries +} + +func createMetricDataQuery(metric cloudwatch.Metric, index int, period time.Duration) (metricDataQuery cloudwatch.MetricDataQuery) { + statistic := "Maximum" + periodInSeconds := int64(period.Seconds()) + id := metricsetName + strconv.Itoa(index) + metricDims := metric.Dimensions + metricName := *metric.MetricName + + label := metricName + labelSeparator + for _, dim := range metricDims { + label += *dim.Name + labelSeparator + *dim.Value + labelSeparator + } + + metricDataQuery = cloudwatch.MetricDataQuery{ + Id: &id, + MetricStat: &cloudwatch.MetricStat{ + Period: &periodInSeconds, + Stat: &statistic, + Metric: &metric, + }, + Label: &label, + } + return +} + +func getStartDateEndDate(period time.Duration) (startDate string, endDate string) { + currentTime := time.Now() + startTime := currentTime.Add(period * -1) + startDate = startTime.Format(dateLayout) + endDate = currentTime.Format(dateLayout) + return +} + +func parseGroupKey(groupKey string) (tagKey string, tagValue string) { + keys := strings.Split(groupKey, "$") + if len(keys) == 2 { + tagKey = keys[0] + tagValue = keys[1] + } else if len(keys) > 2 { + tagKey = keys[0] + tagValue = keys[1] + for i := 2; i < len(keys); i++ { + tagValue = tagValue + "$" + keys[i] + } + } else { + tagKey = keys[0] + tagValue = "" + } + return +} + +type groupBy struct { + tag string + dimension string +} + +func getGroupBys(groupByTags []string, groupByDimKeys []string) []groupBy { + var groupBys []groupBy + + if len(groupByTags) == 0 { + groupByTags = []string{""} + } + if len(groupByDimKeys) == 0 { + groupByDimKeys = []string{""} + } + + for _, tagKey := range groupByTags { + for _, dimKey := range groupByDimKeys { + groupBy := groupBy{ + tag: tagKey, + dimension: dimKey, + } + groupBys = append(groupBys, groupBy) + } + } + return groupBys +} + +func generateEventID(eventID string) string { + // create eventID using hash of startDate + endDate + groupDefinitionKey + groupDefinitionType + values + // This will prevent more than one billing metric getting collected in the same day. + h := sha256.New() + h.Write([]byte(eventID)) + prefix := hex.EncodeToString(h.Sum(nil)) + return prefix[:20] +} diff --git a/x-pack/metricbeat/module/aws/billing/billing_integration_test.go b/x-pack/metricbeat/module/aws/billing/billing_integration_test.go index 3d8cbff0598..af603626ffb 100644 --- a/x-pack/metricbeat/module/aws/billing/billing_integration_test.go +++ b/x-pack/metricbeat/module/aws/billing/billing_integration_test.go @@ -8,15 +8,56 @@ package billing import ( + "fmt" + "strconv" "testing" + "github.com/elastic/beats/v7/libbeat/common" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws" "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws/mtest" ) func TestData(t *testing.T) { - config := mtest.GetConfigForTest(t, "billing", "300s") + resultTypeIs := func(resultType string) func(e common.MapStr) bool { + return func(e common.MapStr) bool { + v, err := e.GetValue("aws.billing.group_definition.key") + if err == nil { + // Check for Cost Explorer billing metrics + k, _ := e.GetValue("aws.billing.group_by." + v.(string)) + exists, _ := aws.StringInSlice(k.(string), []string{"NoAZ", "NoInstanceType"}) + if !exists { + return v == resultType + } + } + // Check for CloudWatch billing metrics + exists, err := e.HasKey("aws.billing.EstimatedCharges") + return err == nil && strconv.FormatBool(exists) == resultType + } + } - metricSet := mbtest.NewFetcher(t, config) - metricSet.WriteEvents(t, "/") + dataFiles := []struct { + resultType string + path string + }{ + {"AZ", "./_meta/data.json"}, + {"INSTANCE_TYPE", "./_meta/data_group_by_instance_type.json"}, + {"true", "./_meta/data_cloudwatch.json"}, + } + + config := mtest.GetConfigForTest(t, "billing", "24h") + config = addCostExplorerToConfig(config) + for _, df := range dataFiles { + metricSet := mbtest.NewFetcher(t, config) + t.Run(fmt.Sprintf("result type: %s", df.resultType), func(t *testing.T) { + metricSet.WriteEventsCond(t, df.path, resultTypeIs(df.resultType)) + }) + } +} + +func addCostExplorerToConfig(config map[string]interface{}) map[string]interface{} { + costExplorerConfig := map[string]interface{}{} + costExplorerConfig["group_by_dimension_keys"] = []string{"AZ", "INSTANCE_TYPE"} + config["cost_explorer_config"] = costExplorerConfig + return config } diff --git a/x-pack/metricbeat/module/aws/billing/billing_test.go b/x-pack/metricbeat/module/aws/billing/billing_test.go index 664eeea5103..2ecd511109d 100644 --- a/x-pack/metricbeat/module/aws/billing/billing_test.go +++ b/x-pack/metricbeat/module/aws/billing/billing_test.go @@ -2,20 +2,104 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. +// +build !integration + package billing import ( - "os" - - "github.com/elastic/beats/v7/metricbeat/mb" + "testing" + "time" - // Register input module and metricset - _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws" - _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws/cloudwatch" + "github.com/stretchr/testify/assert" ) -func init() { - // To be moved to some kind of helper - os.Setenv("BEAT_STRICT_PERMS", "false") - mb.Registry.SetSecondarySource(mb.NewLightModulesSource("../../../module")) +func TestGetStartDateEndDate(t *testing.T) { + startDate, endDate := getStartDateEndDate(time.Duration(24) * time.Hour) + assert.NotEmpty(t, startDate) + assert.NotEmpty(t, endDate) +} + +func TestParseGroupKey(t *testing.T) { + cases := []struct { + title string + groupKey string + expectedTagKey string + expectedTagValue string + }{ + { + "empty tag value", + "aws:createdBy$", + "aws:createdBy", + "", + }, + { + "with a tag value of assumed role", + "aws:createdBy$AssumedRole:AROAWHL7AXDB:158385", + "aws:createdBy", + "AssumedRole:AROAWHL7AXDB:158385", + }, + { + "with a tag value of IAM user", + "aws:createdBy$IAMUser:AIDAWHL7AXDB:foo@test.com", + "aws:createdBy", + "IAMUser:AIDAWHL7AXDB:foo@test.com", + }, + { + "tag value with $", + "aws:createdBy$IAMUser:AIDAWH$L7AXDB:foo@test.com", + "aws:createdBy", + "IAMUser:AIDAWH$L7AXDB:foo@test.com", + }, + } + + for _, c := range cases { + t.Run(c.title, func(t *testing.T) { + tagKey, tagValue := parseGroupKey(c.groupKey) + assert.Equal(t, c.expectedTagKey, tagKey) + assert.Equal(t, c.expectedTagValue, tagValue) + }) + } +} + +func TestGetGroupBys(t *testing.T) { + cases := []struct { + title string + groupByTags []string + groupByDimKeys []string + expectedGroupBys []groupBy + }{ + { + "test with both tags and dimKeys", + []string{"createdBy"}, + []string{"AZ", "INSTANCE_TYPE"}, + []groupBy{ + {"createdBy", "AZ"}, + {"createdBy", "INSTANCE_TYPE"}, + }, + }, + { + "test with only dimKeys", + []string{}, + []string{"AZ", "INSTANCE_TYPE"}, + []groupBy{ + {"", "AZ"}, + {"", "INSTANCE_TYPE"}, + }, + }, + { + "test with only tags", + []string{"createdBy"}, + []string{}, + []groupBy{ + {"createdBy", ""}, + }, + }, + } + + for _, c := range cases { + t.Run(c.title, func(t *testing.T) { + groupBys := getGroupBys(c.groupByTags, c.groupByDimKeys) + assert.Equal(t, c.expectedGroupBys, groupBys) + }) + } } diff --git a/x-pack/metricbeat/module/aws/billing/manifest.yml b/x-pack/metricbeat/module/aws/billing/manifest.yml deleted file mode 100644 index cca412df649..00000000000 --- a/x-pack/metricbeat/module/aws/billing/manifest.yml +++ /dev/null @@ -1,10 +0,0 @@ -default: true -input: - module: aws - metricset: cloudwatch - defaults: - regions: - - us-east-1 - metrics: - - namespace: AWS/Billing - statistic: ["Maximum"] diff --git a/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch.go b/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch.go index 509d32eb3c5..42d68acb3af 100644 --- a/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch.go +++ b/x-pack/metricbeat/module/aws/cloudwatch/cloudwatch.go @@ -652,7 +652,7 @@ func insertTags(events map[string]mb.Event, identifier string, resourceTagMap ma tags := resourceTagMap[v] // some metric dimension values are arn format, eg: AWS/DDOS namespace metric if len(tags) == 0 && strings.HasPrefix(v, "arn:") { - resourceID, err := aws.FindIdentifierFromARN(v) + resourceID, err := aws.FindShortIdentifierFromARN(v) if err == nil { tags = resourceTagMap[resourceID] } diff --git a/x-pack/metricbeat/module/aws/ec2/_meta/data.json b/x-pack/metricbeat/module/aws/ec2/_meta/data.json index e1726219cf6..d807de2f1f6 100644 --- a/x-pack/metricbeat/module/aws/ec2/_meta/data.json +++ b/x-pack/metricbeat/module/aws/ec2/_meta/data.json @@ -3,12 +3,12 @@ "aws": { "ec2": { "cpu": { - "credit_balance": 576, - "credit_usage": 0.217777, + "credit_balance": 1944, + "credit_usage": 0.019738, "surplus_credit_balance": 0, "surplus_credits_charged": 0, "total": { - "pct": 2.1374965268131265 + "pct": 0.054166666666484745 } }, "diskio": { @@ -27,21 +27,21 @@ }, "instance": { "core": { - "count": 2 + "count": 8 }, "image": { - "id": "ami-f920cd94" + "id": "ami-0b418580298265d5c" }, "monitoring": { "state": "disabled" }, "private": { - "dns_name": "ip-10-0-0-148.ec2.internal", - "ip": "10.0.0.148" + "dns_name": "ip-172-31-47-161.eu-central-1.compute.internal", + "ip": "172.31.47.161" }, "public": { - "dns_name": "ec2-54-226-109-162.compute-1.amazonaws.com", - "ip": "54.226.109.162" + "dns_name": "ec2-3-126-207-95.eu-central-1.compute.amazonaws.com", + "ip": "3.126.207.95" }, "state": { "code": 16, @@ -51,16 +51,16 @@ }, "network": { "in": { - "bytes": 1510123.4, - "bytes_per_sec": 5033.7446666666665, - "packets": 3126.4, - "packets_per_sec": 10.421333333333333 + "bytes": 420, + "bytes_per_sec": 1.4, + "packets": 10, + "packets_per_sec": 0.03333333333333333 }, "out": { - "bytes": 464863, - "bytes_per_sec": 1549.5433333333333, - "packets": 3031.2, - "packets_per_sec": 10.104 + "bytes": 280, + "bytes_per_sec": 0.9333333333333333, + "packets": 10, + "packets_per_sec": 0.03333333333333333 } }, "status": { @@ -68,32 +68,50 @@ "check_failed_instance": 0, "check_failed_system": 0 } - }, - "tags": { - "Cost": "$614.01", - "Name": "container-registry-test-ui.elastic.co" } }, "cloud": { "account": { - "id": "627959692251", - "name": "elastic-test" + "id": "428152502467", + "name": "elastic-beats" }, - "availability_zone": "us-east-1b", + "availability_zone": "eu-central-1b", "instance": { - "id": "i-77f84332" + "id": "i-061884169c1e2ba3f" }, "machine": { - "type": "t2.medium" + "type": "t2.2xlarge" }, "provider": "aws", - "region": "us-east-1" + "region": "eu-central-1" }, "event": { "dataset": "aws.ec2", "duration": 115000, "module": "aws" }, + "host": { + "disk": { + "read": { + "bytes": 0 + }, + "write": { + "bytes": 0 + } + }, + "id": "i-061884169c1e2ba3f", + "name": "i-061884169c1e2ba3f", + "network": { + "in": { + "bytes": 420, + "packets": 10 + }, + "out": { + "bytes": 280, + "packets": 10 + } + } + }, "metricset": { "name": "ec2", "period": 10000 diff --git a/x-pack/metricbeat/module/aws/ec2/_meta/fields.yml b/x-pack/metricbeat/module/aws/ec2/_meta/fields.yml index 75fe4e9bf39..c7280fce998 100644 --- a/x-pack/metricbeat/module/aws/ec2/_meta/fields.yml +++ b/x-pack/metricbeat/module/aws/ec2/_meta/fields.yml @@ -27,59 +27,59 @@ - name: network.in.packets type: long description: > - The number of packets received on all network interfaces by the instance. + The total number of packets received on all network interfaces by the instance in collection period. - name: network.in.packets_per_sec - type: long + type: scaled_float description: > The number of packets per second sent out on all network interfaces by the instance. - name: network.out.packets type: long description: > - The number of packets sent out on all network interfaces by the instance. + The total number of packets sent out on all network interfaces by the instance in collection period. - name: network.out.packets_per_sec - type: long + type: scaled_float description: > The number of packets per second sent out on all network interfaces by the instance. - name: network.in.bytes type: long format: bytes description: > - The number of bytes received on all network interfaces by the instance. + The total number of bytes received on all network interfaces by the instance in collection period. - name: network.in.bytes_per_sec - type: long + type: scaled_float description: > The number of bytes per second received on all network interfaces by the instance. - name: network.out.bytes type: long format: bytes description: > - The number of bytes sent out on all network interfaces by the instance. + The total number of bytes sent out on all network interfaces by the instance in collection period. - name: network.out.bytes_per_sec - type: long + type: scaled_float description: > The number of bytes per second sent out on all network interfaces by the instance. - name: diskio.read.bytes type: long format: bytes description: > - Bytes read from all instance store volumes available to the instance. + Total bytes read from all instance store volumes available to the instance in collection period. - name: diskio.read.bytes_per_sec - type: long + type: scaled_float description: > Bytes read per second from all instance store volumes available to the instance. - name: diskio.write.bytes type: long format: bytes description: > - Bytes written to all instance store volumes available to the instance. + Total bytes written to all instance store volumes available to the instance in collection period. - name: diskio.write.bytes_per_sec - type: long + type: scaled_float description: > Bytes written per second to all instance store volumes available to the instance. - name: diskio.read.ops type: long description: > - Completed read operations from all instance store volumes available to the instance in a specified period of time. + Total completed read operations from all instance store volumes available to the instance in collection period. - name: diskio.read.ops_per_sec type: long description: > @@ -87,7 +87,7 @@ - name: diskio.write.ops type: long description: > - Completed write operations to all instance store volumes available to the instance in a specified period of time. + Total completed write operations to all instance store volumes available to the instance in collection period. - name: diskio.write.ops_per_sec type: long description: > diff --git a/x-pack/metricbeat/module/aws/ec2/data.go b/x-pack/metricbeat/module/aws/ec2/data.go index 0e496c4edb1..6dbc8749b35 100644 --- a/x-pack/metricbeat/module/aws/ec2/data.go +++ b/x-pack/metricbeat/module/aws/ec2/data.go @@ -10,7 +10,7 @@ import ( ) var ( - schemaMetricSetFields = s.Schema{ + schemaMetricSetFieldsAverage = s.Schema{ "cpu": s.Object{ "total": s.Object{ "pct": c.Float("CPUUtilization"), @@ -20,6 +20,14 @@ var ( "surplus_credit_balance": c.Float("CPUSurplusCreditBalance"), "surplus_credits_charged": c.Float("CPUSurplusCreditsCharged"), }, + "status": s.Object{ + "check_failed": c.Int("StatusCheckFailed"), + "check_failed_instance": c.Int("StatusCheckFailed_Instance"), + "check_failed_system": c.Int("StatusCheckFailed_System"), + }, + } + + schemaMetricSetFieldsSum = s.Schema{ "diskio": s.Object{ "read": s.Object{ "bytes": c.Float("DiskReadBytes"), @@ -40,10 +48,5 @@ var ( "packets": c.Float("NetworkPacketsOut"), }, }, - "status": s.Object{ - "check_failed": c.Int("StatusCheckFailed"), - "check_failed_instance": c.Int("StatusCheckFailed_Instance"), - "check_failed_system": c.Int("StatusCheckFailed_System"), - }, } ) diff --git a/x-pack/metricbeat/module/aws/ec2/ec2.go b/x-pack/metricbeat/module/aws/ec2/ec2.go index 6e597c61c25..36ad9a1ca02 100644 --- a/x-pack/metricbeat/module/aws/ec2/ec2.go +++ b/x-pack/metricbeat/module/aws/ec2/ec2.go @@ -6,9 +6,9 @@ package ec2 import ( "context" + "encoding/json" "fmt" "strconv" - "strings" "time" "github.com/aws/aws-sdk-go-v2/service/cloudwatch" @@ -17,18 +17,28 @@ import ( "github.com/pkg/errors" "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/metricbeat/mb" awscommon "github.com/elastic/beats/v7/x-pack/libbeat/common/aws" "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws" ) var ( - metricsetName = "ec2" - instanceIDIdx = 0 - metricNameIdx = 1 - labelSeparator = "|" + metricsetName = "ec2" + statistics = []string{"Average", "Sum"} ) +type label struct { + InstanceID string + MetricName string + Statistic string +} + +type idStat struct { + instanceID string + statistic string +} + // init registers the MetricSet with the central registry as soon as the program // starts. The New function will be called later to instantiate an instance of // the MetricSet for each host defined in the module's configuration. After the @@ -45,11 +55,13 @@ func init() { // interface methods except for Fetch. type MetricSet struct { *aws.MetricSet + logger *logp.Logger } // New creates a new instance of the MetricSet. New is responsible for unpacking // any MetricSet specific configuration options if there are any. func New(base mb.BaseMetricSet) (mb.MetricSet, error) { + logger := logp.NewLogger(metricsetName) metricSet, err := aws.NewMetricSet(base) if err != nil { return nil, errors.Wrap(err, "error creating aws metricset") @@ -62,11 +74,12 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { err := errors.New("period needs to be set to 60s (or a multiple of 60s) if detailed monitoring is " + "enabled for EC2 instances or set to 300s (or a multiple of 300s) if EC2 instances has basic monitoring. " + "To avoid data missing or extra costs, please make sure period is set correctly in config.yml") - base.Logger().Info(err) + logger.Info(err) } return &MetricSet{ MetricSet: metricSet, + logger: logger, }, nil } @@ -87,7 +100,7 @@ func (m *MetricSet) Fetch(report mb.ReporterV2) error { instanceIDs, instancesOutputs, err := getInstancesPerRegion(svcEC2) if err != nil { err = errors.Wrap(err, "getInstancesPerRegion failed, skipping region "+regionName) - m.Logger().Errorf(err.Error()) + m.logger.Errorf(err.Error()) report.Error(err) continue } @@ -98,7 +111,7 @@ func (m *MetricSet) Fetch(report mb.ReporterV2) error { namespace := "AWS/EC2" listMetricsOutput, err := aws.GetListMetricsOutput(namespace, regionName, svcCloudwatch) if err != nil { - m.Logger().Error(err.Error()) + m.logger.Error(err.Error()) report.Error(err) continue } @@ -118,7 +131,7 @@ func (m *MetricSet) Fetch(report mb.ReporterV2) error { metricDataOutput, err = aws.GetMetricDataResults(metricDataQueriesTotal, svcCloudwatch, startTime, endTime) if err != nil { err = errors.Wrap(err, "GetMetricDataResults failed, skipping region "+regionName) - m.Logger().Error(err.Error()) + m.logger.Error(err.Error()) report.Error(err) continue } @@ -126,7 +139,7 @@ func (m *MetricSet) Fetch(report mb.ReporterV2) error { // Create Cloudwatch Events for EC2 events, err := m.createCloudWatchEvents(metricDataOutput, instancesOutputs, regionName) if err != nil { - m.Logger().Error(err.Error()) + m.logger.Error(err.Error()) report.Error(err) continue } @@ -134,7 +147,7 @@ func (m *MetricSet) Fetch(report mb.ReporterV2) error { for _, event := range events { if len(event.MetricSetFields) != 0 { if reported := report.Event(event); !reported { - m.Logger().Debug("Fetch interrupted, failed to emit event") + m.logger.Debug("Fetch interrupted, failed to emit event") return nil } } @@ -149,11 +162,13 @@ func constructMetricQueries(listMetricsOutput []cloudwatch.Metric, instanceID st var metricDataQueries []cloudwatch.MetricDataQuery metricDataQueryEmpty := cloudwatch.MetricDataQuery{} for i, listMetric := range listMetricsOutput { - metricDataQuery := createMetricDataQuery(listMetric, instanceID, i, period) - if metricDataQuery == metricDataQueryEmpty { - continue + for _, statistic := range statistics { + metricDataQuery := createMetricDataQuery(listMetric, instanceID, i, period, statistic) + if metricDataQuery == metricDataQueryEmpty { + continue + } + metricDataQueries = append(metricDataQueries, metricDataQuery) } - metricDataQueries = append(metricDataQueries, metricDataQuery) } return metricDataQueries } @@ -161,10 +176,12 @@ func constructMetricQueries(listMetricsOutput []cloudwatch.Metric, instanceID st func (m *MetricSet) createCloudWatchEvents(getMetricDataResults []cloudwatch.MetricDataResult, instanceOutput map[string]ec2.Instance, regionName string) (map[string]mb.Event, error) { // Initialize events and metricSetFieldResults per instanceID events := map[string]mb.Event{} - metricSetFieldResults := map[string]map[string]interface{}{} + metricSetFieldResults := map[idStat]map[string]interface{}{} for instanceID := range instanceOutput { - events[instanceID] = aws.InitEvent(regionName, m.AccountName, m.AccountID) - metricSetFieldResults[instanceID] = map[string]interface{}{} + for _, statistic := range statistics { + events[instanceID] = aws.InitEvent(regionName, m.AccountName, m.AccountID) + metricSetFieldResults[idStat{instanceID: instanceID, statistic: statistic}] = map[string]interface{}{} + } } // monitoring state for each instance @@ -180,8 +197,14 @@ func (m *MetricSet) createCloudWatchEvents(getMetricDataResults []cloudwatch.Met exists, timestampIdx := aws.CheckTimestampInArray(timestamp, output.Timestamps) if exists { - labels := strings.Split(*output.Label, labelSeparator) - instanceID := labels[instanceIDIdx] + label, err := newLabelFromJSON(*output.Label) + if err != nil { + m.logger.Errorf("convert cloudwatch MetricDataResult label failed for label = %s: %w", *output.Label, err) + continue + } + + instanceID := label.InstanceID + statistic := label.Statistic // Add tags tags := instanceOutput[instanceID].Tags @@ -201,6 +224,11 @@ func (m *MetricSet) createCloudWatchEvents(getMetricDataResults []cloudwatch.Met // Note: tag values are not dedotted. for _, tag := range tags { events[instanceID].ModuleFields.Put("tags."+common.DeDot(*tag.Key), *tag.Value) + // add cloud.instance.name and host.name into ec2 events + if *tag.Key == "Name" { + events[instanceID].RootFields.Put("cloud.instance.name", *tag.Value) + events[instanceID].RootFields.Put("host.name", *tag.Value) + } } machineType, err := instanceOutput[instanceID].InstanceType.MarshalValue() @@ -217,7 +245,7 @@ func (m *MetricSet) createCloudWatchEvents(getMetricDataResults []cloudwatch.Met } if len(output.Values) > timestampIdx { - metricSetFieldResults[instanceID][labels[metricNameIdx]] = fmt.Sprint(output.Values[timestampIdx]) + metricSetFieldResults[idStat{instanceID: instanceID, statistic: statistic}][label.MetricName] = fmt.Sprint(output.Values[timestampIdx]) } instanceStateName, err := instanceOutput[instanceID].State.Name.MarshalValue() @@ -258,22 +286,33 @@ func (m *MetricSet) createCloudWatchEvents(getMetricDataResults []cloudwatch.Met } } - for instanceID, metricSetFieldsPerInstance := range metricSetFieldResults { + for idStat, metricSetFieldsPerInstance := range metricSetFieldResults { + instanceID := idStat.instanceID + statistic := idStat.statistic + + var resultMetricsetFields common.MapStr + var err error + if len(metricSetFieldsPerInstance) != 0 { - resultMetricsetFields, err := aws.EventMapping(metricSetFieldsPerInstance, schemaMetricSetFields) + if statistic == "Average" { + // Use "Average" statistic method for CPU and status metrics + resultMetricsetFields, err = aws.EventMapping(metricSetFieldsPerInstance, schemaMetricSetFieldsAverage) + } else if statistic == "Sum" { + // Use "Sum" statistic method for disk and network metrics + resultMetricsetFields, err = aws.EventMapping(metricSetFieldsPerInstance, schemaMetricSetFieldsSum) + } + if err != nil { return events, errors.Wrap(err, "EventMapping failed") } + // add host cpu/network/disk fields and host.id + addHostFields(resultMetricsetFields, events[instanceID].RootFields, instanceID) + // add rate metrics calculateRate(resultMetricsetFields, monitoringStates[instanceID]) events[instanceID].MetricSetFields.Update(resultMetricsetFields) - if len(events[instanceID].MetricSetFields) < 5 { - m.Logger().Info("Missing Cloudwatch data, this is expected for non-running instances" + - " or a new instance during the first data collection. If this shows up multiple times," + - " please recheck the period setting in config. Instance ID: " + instanceID) - } } } @@ -305,6 +344,42 @@ func calculateRate(resultMetricsetFields common.MapStr, monitoringState string) } } +func addHostFields(resultMetricsetFields common.MapStr, rootFields common.MapStr, instanceID string) { + rootFields.Put("host.id", instanceID) + + // If there is no instance name, use instance ID as the host.name + hostName, err := rootFields.GetValue("host.name") + if err == nil && hostName != nil { + rootFields.Put("host.name", hostName) + } else { + rootFields.Put("host.name", instanceID) + } + + hostFieldTable := map[string]string{ + "cpu.total.pct": "host.cpu.pct", + "network.in.bytes": "host.network.in.bytes", + "network.out.bytes": "host.network.out.bytes", + "network.in.packets": "host.network.in.packets", + "network.out.packets": "host.network.out.packets", + "diskio.read.bytes": "host.disk.read.bytes", + "diskio.write.bytes": "host.disk.write.bytes", + } + + for ec2MetricName, hostMetricName := range hostFieldTable { + metricValue, err := resultMetricsetFields.GetValue(ec2MetricName) + if err != nil { + continue + } + + if value, ok := metricValue.(float64); ok { + if ec2MetricName == "cpu.total.pct" { + value = value / 100 + } + rootFields.Put(hostMetricName, value) + } + } +} + func getInstancesPerRegion(svc ec2iface.ClientAPI) (instanceIDs []string, instancesOutputs map[string]ec2.Instance, err error) { instancesOutputs = map[string]ec2.Instance{} output := ec2.DescribeInstancesOutput{NextToken: nil} @@ -329,16 +404,15 @@ func getInstancesPerRegion(svc ec2iface.ClientAPI) (instanceIDs []string, instan return } -func createMetricDataQuery(metric cloudwatch.Metric, instanceID string, index int, period time.Duration) (metricDataQuery cloudwatch.MetricDataQuery) { - statistic := "Average" +func createMetricDataQuery(metric cloudwatch.Metric, instanceID string, index int, period time.Duration, statistic string) (metricDataQuery cloudwatch.MetricDataQuery) { periodInSeconds := int64(period.Seconds()) - id := metricsetName + strconv.Itoa(index) + id := metricsetName + statistic + strconv.Itoa(index) metricDims := metric.Dimensions for _, dim := range metricDims { if *dim.Name == "InstanceId" && *dim.Value == instanceID { metricName := *metric.MetricName - label := instanceID + labelSeparator + metricName + label := newLabel(instanceID, metricName, statistic).JSON() metricDataQuery = cloudwatch.MetricDataQuery{ Id: &id, MetricStat: &cloudwatch.MetricStat{ @@ -353,3 +427,23 @@ func createMetricDataQuery(metric cloudwatch.Metric, instanceID string, index in } return } + +func newLabel(instanceID string, metricName string, statistic string) *label { + return &label{InstanceID: instanceID, MetricName: metricName, Statistic: statistic} +} + +// JSON is a method of label object for converting label to string +func (l *label) JSON() string { + // Ignore error, this cannot fail + out, _ := json.Marshal(l) + return string(out) +} + +func newLabelFromJSON(labelJSON string) (label, error) { + labelStruct := label{} + err := json.Unmarshal([]byte(labelJSON), &labelStruct) + if err != nil { + return labelStruct, fmt.Errorf("json.Unmarshal failed: %w", err) + } + return labelStruct, nil +} diff --git a/x-pack/metricbeat/module/aws/ec2/ec2_integration_test.go b/x-pack/metricbeat/module/aws/ec2/ec2_integration_test.go index baaf6e563e1..121df878b27 100644 --- a/x-pack/metricbeat/module/aws/ec2/ec2_integration_test.go +++ b/x-pack/metricbeat/module/aws/ec2/ec2_integration_test.go @@ -17,6 +17,7 @@ import ( ) func TestFetch(t *testing.T) { + t.Skip("flaky test: https://github.com/elastic/beats/issues/20951") config := mtest.GetConfigForTest(t, "ec2", "300s") metricSet := mbtest.NewReportingMetricSetV2Error(t, config) diff --git a/x-pack/metricbeat/module/aws/ec2/ec2_test.go b/x-pack/metricbeat/module/aws/ec2/ec2_test.go index 49757a621c6..6fdf98c635d 100644 --- a/x-pack/metricbeat/module/aws/ec2/ec2_test.go +++ b/x-pack/metricbeat/module/aws/ec2/ec2_test.go @@ -11,8 +11,6 @@ import ( "testing" "time" - "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws" - awssdk "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/cloudwatch" "github.com/aws/aws-sdk-go-v2/service/ec2" @@ -20,7 +18,9 @@ import ( "github.com/stretchr/testify/assert" "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/metricbeat/mb" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/aws" ) // MockEC2Client struct is used for unit tests. @@ -32,22 +32,23 @@ var ( regionName = "us-west-1" instanceID = "i-123" namespace = "AWS/EC2" + statistic = "Average" id1 = "cpu1" metricName1 = "CPUUtilization" - label1 = instanceID + labelSeparator + metricName1 + label1 = newLabel(instanceID, metricName1, statistic).JSON() id2 = "status1" metricName2 = "StatusCheckFailed" - label2 = instanceID + labelSeparator + metricName2 + label2 = newLabel(instanceID, metricName2, statistic).JSON() id3 = "status2" metricName3 = "StatusCheckFailed_System" - label3 = instanceID + labelSeparator + metricName3 + label3 = newLabel(instanceID, metricName3, statistic).JSON() id4 = "status3" metricName4 = "StatusCheckFailed_Instance" - label4 = instanceID + labelSeparator + metricName4 + label4 = newLabel(instanceID, metricName4, statistic).JSON() ) func (m *MockEC2Client) DescribeRegionsRequest(input *ec2.DescribeRegionsInput) ec2.DescribeRegionsRequest { @@ -82,6 +83,10 @@ func (m *MockEC2Client) DescribeInstancesRequest(input *ec2.DescribeInstancesInp Key: awssdk.String("helm.sh/chart"), Value: awssdk.String("foo-chart"), }, + { + Key: awssdk.String("Name"), + Value: awssdk.String("test-instance"), + }, } instance := ec2.Instance{ @@ -144,10 +149,15 @@ func TestCreateCloudWatchEventsDedotTags(t *testing.T) { "cloud": common.MapStr{ "region": regionName, "provider": "aws", - "instance": common.MapStr{"id": "i-123"}, + "instance": common.MapStr{"id": "i-123", "name": "test-instance"}, "machine": common.MapStr{"type": "t2.medium"}, "availability_zone": "us-west-1a", }, + "host": common.MapStr{ + "cpu": common.MapStr{"pct": 0.0025}, + "id": "i-123", + "name": "test-instance", + }, }, MetricSetFields: common.MapStr{ "cpu": common.MapStr{ @@ -171,6 +181,7 @@ func TestCreateCloudWatchEventsDedotTags(t *testing.T) { "tags": common.MapStr{ "app_kubernetes_io/name": "foo", "helm_sh/chart": "foo-chart", + "Name": "test-instance", }, }, } @@ -211,7 +222,9 @@ func TestCreateCloudWatchEventsDedotTags(t *testing.T) { metricSet := MetricSet{ &aws.MetricSet{}, + logp.NewLogger("test"), } + events, err := metricSet.createCloudWatchEvents(getMetricDataOutput, instancesOutputs, "us-west-1") assert.NoError(t, err) assert.Equal(t, 1, len(events)) @@ -227,10 +240,15 @@ func TestCreateCloudWatchEventsWithTagsFilter(t *testing.T) { "cloud": common.MapStr{ "region": regionName, "provider": "aws", - "instance": common.MapStr{"id": "i-123"}, + "instance": common.MapStr{"id": "i-123", "name": "test-instance"}, "machine": common.MapStr{"type": "t2.medium"}, "availability_zone": "us-west-1a", }, + "host": common.MapStr{ + "cpu": common.MapStr{"pct": 0.0025}, + "id": "i-123", + "name": "test-instance", + }, }, MetricSetFields: common.MapStr{ "cpu": common.MapStr{ @@ -254,6 +272,7 @@ func TestCreateCloudWatchEventsWithTagsFilter(t *testing.T) { "tags": common.MapStr{ "app_kubernetes_io/name": "foo", "helm_sh/chart": "foo-chart", + "Name": "test-instance", }, }, } @@ -300,6 +319,7 @@ func TestCreateCloudWatchEventsWithTagsFilter(t *testing.T) { Value: "foo", }}, }, + logp.NewLogger("test"), } events, err := metricSet.createCloudWatchEvents(getMetricDataOutput, instancesOutputs, "us-west-1") @@ -354,6 +374,7 @@ func TestCreateCloudWatchEventsWithNotMatchingTagsFilter(t *testing.T) { Value: "not_foo", }}, }, + logp.NewLogger("test"), } events, err := metricSet.createCloudWatchEvents(getMetricDataOutput, instancesOutputs, "us-west-1") assert.NoError(t, err) @@ -375,8 +396,8 @@ func TestConstructMetricQueries(t *testing.T) { listMetricsOutput := []cloudwatch.Metric{listMetric} metricDataQuery := constructMetricQueries(listMetricsOutput, instanceID, 5*time.Minute) - assert.Equal(t, 1, len(metricDataQuery)) - assert.Equal(t, "i-123|CPUUtilization", *metricDataQuery[0].Label) + assert.Equal(t, 2, len(metricDataQuery)) + assert.Equal(t, "{\"InstanceID\":\"i-123\",\"MetricName\":\"CPUUtilization\",\"Statistic\":\"Average\"}", *metricDataQuery[0].Label) assert.Equal(t, "Average", *metricDataQuery[0].MetricStat.Stat) assert.Equal(t, metricName1, *metricDataQuery[0].MetricStat.Metric.MetricName) assert.Equal(t, namespace, *metricDataQuery[0].MetricStat.Metric.Namespace) @@ -455,3 +476,80 @@ func TestCalculateRate(t *testing.T) { assert.Equal(t, c.rateMetricValueDetailed, output) } } + +func TestCreateCloudWatchEventsWithInstanceName(t *testing.T) { + expectedEvent := mb.Event{ + RootFields: common.MapStr{ + "cloud": common.MapStr{ + "region": regionName, + "provider": "aws", + "instance": common.MapStr{"id": "i-123", "name": "test-instance"}, + "machine": common.MapStr{"type": "t2.medium"}, + "availability_zone": "us-west-1a", + }, + "host": common.MapStr{ + "cpu": common.MapStr{"pct": 0.25}, + "id": "i-123", + }, + }, + MetricSetFields: common.MapStr{ + "tags": common.MapStr{ + "app_kubernetes_io/name": "foo", + "helm_sh/chart": "foo-chart", + "Name": "test-instance", + }, + }, + } + svcEC2Mock := &MockEC2Client{} + instanceIDs, instancesOutputs, err := getInstancesPerRegion(svcEC2Mock) + assert.NoError(t, err) + assert.Equal(t, 1, len(instanceIDs)) + instanceID := instanceIDs[0] + assert.Equal(t, instanceID, instanceID) + timestamp := time.Now() + + getMetricDataOutput := []cloudwatch.MetricDataResult{ + { + Id: &id1, + Label: &label1, + Values: []float64{0.25}, + Timestamps: []time.Time{timestamp}, + }, + } + + metricSet := MetricSet{ + &aws.MetricSet{}, + logp.NewLogger("test"), + } + + events, err := metricSet.createCloudWatchEvents(getMetricDataOutput, instancesOutputs, "us-west-1") + assert.NoError(t, err) + assert.Equal(t, 1, len(events)) + + assert.Equal(t, expectedEvent.MetricSetFields["tags"], events[instanceID].ModuleFields["tags"]) + + hostID, err := events[instanceID].RootFields.GetValue("host.id") + assert.NoError(t, err) + assert.Equal(t, "i-123", hostID) + + instanceName, err := events[instanceID].RootFields.GetValue("cloud.instance.name") + assert.NoError(t, err) + assert.Equal(t, "test-instance", instanceName) +} + +func TestNewLabel(t *testing.T) { + instanceID := "i-123" + metricName := "CPUUtilization" + statistic := "Average" + label := newLabel(instanceID, metricName, statistic).JSON() + assert.Equal(t, "{\"InstanceID\":\"i-123\",\"MetricName\":\"CPUUtilization\",\"Statistic\":\"Average\"}", label) +} + +func TestConvertLabel(t *testing.T) { + labelStr := "{\"InstanceID\":\"i-123\",\"MetricName\":\"CPUUtilization\",\"Statistic\":\"Average\"}" + label, err := newLabelFromJSON(labelStr) + assert.NoError(t, err) + assert.Equal(t, "i-123", label.InstanceID) + assert.Equal(t, "CPUUtilization", label.MetricName) + assert.Equal(t, "Average", label.Statistic) +} diff --git a/x-pack/metricbeat/module/aws/fields.go b/x-pack/metricbeat/module/aws/fields.go index 32fb4eb68c2..31a766459c7 100644 --- a/x-pack/metricbeat/module/aws/fields.go +++ b/x-pack/metricbeat/module/aws/fields.go @@ -19,5 +19,5 @@ func init() { // AssetAws returns asset data. // This is the base64 encoded gzipped contents of module/aws. func AssetAws() string { - return "eJzsfd9zIzfu53v+Cta+xE7Z2slMsnWVh6uyLc/G9/V4HMuzkzct1Q1JXLPJHpItW6n9468Ikv1LrR8tdcueq5uHrY0lkR+AIACCIHBOnmD5G6HP+gdCDDMcfiN/u/g6+tsPhMSgI8VSw6T4jfzvHwgh5N/0Wf+bJDLOOJBIcg6R0eTi64gkUjAjFRMzkoBRLNJkqmSCn11xmcXP1ETzwQ+EKOBANfxGZvQHQqYMeKx/w9HPiaAJBDT2n1mm9otKZqn/SwOo6iDlgQyd6cFP+Z/DeHLyH4hM6c/uD2P36RMsn6WKmz8eJzRNmZj57/7tp7+VvteIzf17pDM7MFlQngFJKVOeP/RZEwVaZioCPVihQH8YTLLoCczA/vcKJatYN2C4owkQOSWUjD4QP+rKhDFLQGgmxRth3CcUpjKsFcg//jTwIjf4afDTjy1RxzKbcOgDtCZmTg1RYDIlIHbrXewFcnF/Q75loJarJE0Y50zMVkgp74QtGP7tx/g3iaQwlAkLBwhowxJqICbRnKoZaDKViixlpnCr0iiSmTCEidquDf/y3TsBQ0t/r2/BMjV+dSqfraNo3Vjl8a4DDVeOhEFCX1a+HCbgssLHRs59oi8syZI1zPF8QcasLlWUs+mg1SqGqS1YUpalZ1BAdKRoGuQp169fUaae5yyaFwM0aGUNwpDJksRsOgVl/8PSoVNa0T91Nb3LMufjNC70qnbYwhL773EOxbBEpxCxKYOYPM9BuL1T4j+hKWtQaEtBExlPDlqdMMiR1sb+cIhTDi/f2uYbZVEEWk8z/gDfMtDmlhoQ0XJAF037bI2S3YHp4Z+VAboARWdAuJvLWjGd4yDKAdHEyJxtxG7chP4lRfGnkVFAkzorPJAMV8KuaiFmhiVAUlBMxoP2DNmklQ5lSOI11ltkyGfBmYAbEcPLPagIhKEzuFdypkDrXsUkzaezDIlkknKwv3H6ghIBz2TG5YRyoiGSIqZqSZgFSpgmE7AE0zi2hEpCiaETDuvpvFdywaxPAvFXxQxc0ZRGzCy/CGb6pVNkyQSUpTEtMJBnC4JEHgXJLAw0YJ4Sgv+3mf6dqHwAGr82kQpo3DmNV1LoLDk2gUGpFYQ2ERd5bEQuQK3fjmeN02hpXTsSUUGMotETmctnkmTR3M6GTl+Zt2auZDabp5mx2yHTsGGTr2eZzpKDnLH1DNNZ8p1y6cj6YVWyGnXD98e03mXre+LTA6ScRdRSdkwfDDhNdaB8AuYZrG0VJEtjPDoxAwmhaQoUHQgmkGO5z6HR57A6u3EmKYAoR5jT6GeEith52KsjUyHNHFT+Cz+Z1/9b7HcD/47hsv0/w79HRYWmkaX7SoopZ5HpTQAvvPAp+A9EgUvnHBZQ8nbjDKzjZgpclNvNi9B0zutIiihT9ujbOFU+nHTM0DQBnE63Y0VPukoayt8qGy5ckGSdy2gYZ3/hfjuKoqqeBrY5kRmig9ievy29tB7w2U5s1WC9GWobbVprckdLbSC5VkqqPu1wy6OrU2wzEKCoaeIisar198fHe/Lru3dEG2oya9BjOOCAeyVFzNy+uppD9PSRMm5F3SHvkTmFPzfFKQk1BpLUcSsFNZUqsfs6oHNLv2HD3oOImZiVLOEVSsExSEBr5IyeX0aqABEbEJagVVPWOOokM+7nc7oAIqQhSzBkYlVcabADPQUaP86VNIbD9QJEb4v80CT9SBy8RID+IazXZI1DdnREDuT3LeatOVDymDlLmGmOZklBaH7PRk609b+prrBEOBacrucB6ve3KQdVHd+nIHiz94m+2F1x+N3Ldod5c3wEuWJPVxPA85I1aFSst2dudKadtJBYgkalQdOUL53aOY8hQafZcklbNjUzaZNmLdj0aEe5tS7aG2ZYIRGO1OajbC1mKqdlTpOPUq0yzxSsjmjqr00czjVuJ42DE+AB7yCuSE+mN6jwpvX46qzjMRek0Rd72yviIPe6JG96IV5fl3yiL6VTBsrvunNVnwGMw85Tczabg24+a66MVZP9LXLehnFrz2ivw7m6GDYzrfyTDXt0T64FbsGk7Du1vySHiT7i/fj15eiwdIWuL8b/JXmW4Ma8XFptdvihPwS9NPsLBQdoNHf7Q6b2vMukKJ9ifRQaXcTUWJd3gZC0PSbSaB6uNe+YUfJ8Qq2CY0IbKiI4I89zuz6mFFFQkCqwLNeVPzcEwbcdmB1rcOv1yhu3Db5L5li5+Zx2wRmrcAxGCWt+YM4XjaHfFYj2i4YlGyx2aR37w1pbxAPB/pFBBrcgZmbeEd4aV61xr8tdHsR6psygBErrUviEBJSsA0h6zE+8RXpFR7RVDdXN3z+X1yEF5U0KObn5fD86JTFwtgAFDnq+lvbDipWbuvO1j+FdX4785huQL3afPTMzL+cZuAFGo2G+R6Xgy21sKd9I9yKiNMHUyA0Lr8mJkCqhzoYbSd7/+o//qTlGp8V14mYp6IY3l5nS5pJyq8c64EaB6Z8Yc+XkPlOp1ICQTmbp+9MzUggo+ZwaliA3fh8OyYk2P5+6C6krycPfop9Pq8Q4emOwW39q+Ymbik4kRvqapDRSEFun88RKmgVhvaBSZKjyuTY/IwScWEFCmShdtE0sw1bSo5tFDi9jMDhoF2xTKGh/deh2nLZy4pwfyvmKPncHl47UiwXgQl1HpmplN3VJ1k3Mj0HQRowuD01Iv35qlWLnJGeThBlTvvvPffTo/WE+evT+mD761fvDfPQozQbI6UEa1Y+OjngdUQ7xeMolrX9hh9ziqiahnMsI7+Cvr96j3GUGyqEBqoD4O1NuD1Uk0xDuR4OzOFhLiFNC40zTWXOKdEOMY5f86FwGr+6/5Jou31hlbGiI7bey0sF3G96JMx69IAaKLyPKwB2jRYF5TrU9s6oMYqKZ/Qsz5Jlqwmkm0HFHnU6VqSfLlInRmUp5psdHIMpPVaUIL6fwUqpQeYJkAiNHpbOGUxH2Z1f3X65wBG+9/dshpslfoOSulOqxe8pQjxt0RCrS0kiw3StCGpJSFpNYPgtL8up6O2/AqRUzz6wCjTL0FmmcX2M6EppJFmCepXoaMDFIqTXazSf6Qyn1YxMFEbCFFTqBNstPT5gwoKY0Al3fdLvCHqegxhqiXuGXfHhU1Nal6ogSmZmjrECPuL/3JWBiMFka2Jn/zrn+jTT9qBVtOEAfewMH7nVZHPTSonRNhZWv11yVPvbLKyxLV2TETD8xObAe+NGW5dJvD+qdaos/N/jaSAVFNHJBGcc4vpH7UNPxopSQl9aiHyLwMHTkNSlnCPVITy+rErCXFqYPMlC2ZNqVUb/Kj/P1IMbeUtUmMLCGuI4XaD2RXeyiA+h1MtnHaq4Gb/aTxS6I6201V4g8fO/tQ69LYx1Ec4iexi4VtCNSHyCVymh7CsV0yQpSexJPqcbECGnm1Q9Daq3F5J8cANGYNFz9zMdZOdWGJExkZncix268I9PaByFhnlcgpXnFdiUmNxmRVPZ/spXnA44G65bNoP5GpX04SypfhWG7vco/ZQmdwYA174m96xDcDMMtF47vEoSM9GGoNviKqOnArkGH9RJuRMwiTKgOkhCDcanipVAt0wSE1UVr4mU50FSxBTUwiIUe1+rPdMBQPzoZ3o1w4sDeFc9+R5SsnrHhJbH+5xbQbu4XvxAaxwq0JlRrGTGMD+MN2F5YswlnUV8MxcFX+LmjVHpoHXIxMM7juLbKhUXk5j7/5MQy+JRMZOYM6D4sxS00iGTczM29FRGOW+fhmcsa//kf5xNmSCY0mwmM3uIkOyHtft0bkZKT1D3uIP8lKhPC/T89z4xhYnaOEdn/EgMqYQJl+r/WY8FyR+H/Qny6hSIzt/6t87esqu7LFPh50N0KZqHhcowfVuUF+DELvFzfNtd2ebUEtksaPYGIr6QQgM8GO3rsVV3KKB++zFYhTamACV8S0IZOONNz62z6F4vooEgaE397o3I/U8GMaYOZKEE2N+TT/v74eH8lYxh7isfv//yzYyrxxdn7P/8kCnQqhQb35iw8VMMEzwNBf+gH9IdeQf/SD+hfegX9az+gf+0F9PXtZZ9cjjizOgysakDQuop6ZY/uCLlHHmtQC1CdQPbvsrp5JFlPJvQ5g0W+C8IttGVC171aRVdpQfmG17sp41wuQHUHfTXHNLxZy7V6/kx9AhHNtMug1ZmaAfmWgbvMtup+g4wA5Wa+/F0Gph/6RqTK9Lkbvthg5V2HTj5W6NhROkaWsnLCaRdg17L5BAWcW7QC1GldWk4er8qf5nfywStUMgupqXSFD+tp/CJ6XpJMdLso3ZVGKVYDc7l8HY8zwkTI/jpzbiFmwtqvrDos6ACa4p27Y3+DqieZMIyvBGyUcUEHDbnn4w3IHGgMaoOFyKtmXtxeXkSGLaDw9NxCdsOioohmxenzeVPEimVZTilCcYxzxkWHk+Cqr5ezt/qR/T5VMzA7kh9ShW+vvnSVItxEdRVk7X3Uye3Vl9PyK7OLNH+ET27tLy+3ynaZpjt4Pt56CnheWciyx3681bxX0h4aoLNHN+tI9hfSYbrdFy2val189dCDanWoI55ZS+S+ueNrs07rw9N5A9rsCsd+vB3dwUwaRvPjeh+u6ePtqEIkE8ywsvfsDwUocTGL8TSfqwNCiQatsQxnCJtWCfYFiyhOhG765kPD+CN7gXj84E3fuA+ap3aK89y60pWIRRGt2AL2AWKmIDK9wFR+8E4AflF8fMsSZsbXWGUC4iNijmTGY/GjqT6UKh8cvjzchmuqfF0wYduKlnN/7IGC272j7KCC/K//2fH4+eHPP3uhtRRScURbrO4MilRLxWYYf12jDHY/8PcHf82xv0v8v/aJf00MoFP87971iP/dux6Bv+8T+PsegX/oE/iHHoH/0ifwX7oEfnO/+EfNwe7Dn2pwrVedBHxZbQFthttjhM4OX4Rf8jThdhHEhmNaHyx99QPaWxObX5CgzfLz4MOVfSzQtguwxlBplZQ5VkZytQqY0Q1FbUpDv24Mu1iUVvzPOFwvKM9ccl3X4DK+XVxmbAGuVJwLzymrNn1xB08MFWQusw1bvIfo0l4xpU1R0lpS/6EBiWKYIwYj7tykbzQQ8ZHL5y7DcBuCEFMunzU5qV4AnK7q+G06uwZ8/Hh13z94a6V6I+B2dAQCbke9EfBleIQV+DLsbgW+B923grn/WFqd+1Zm5lTEek6fgpvuS/r6C15RYCmKxIdjuDWlLloWLvg2OpyFKurL1VwjPhs9TidKIaKzU+HlMi24uXtzndfv6a5peiOO8hlhIuIZXg0/Xt3//eZ++41iFXpvC9IAvyz6m8ry43p8Fzu7TJHf306aNlB3dT92umv8ABq6DDCvJh1oMOTkYfR4Wn2H7d4w5RcAckfY17eXr4J537wfi9kJ06uz2rHXsdqx/dWyZ4K6K2qjSKFZjHkMPonjFRNJNqHLk0xWT0ScJpOYHnQackMc8SR0ixM2noJesVPkjVj425nuXUFrWrXz8qaZKK5V8G3LC0SZcZk5waSVmiO6j91trYjL/+nb9eqMG/cqLx96y6WkT5TumkhWMHB/bEOg8S0YA6ozlB+lIlQvRTRXUkis2RKAnrknHLV1cvJZ6VaBCUxUEFjkhiMGGp9zhOrTAyeZM54bTPwQtGEC5x66aoTLj5TxTHWSDNIbpTnonWjMVFd9ZPBZTl7H0CepUdO0k3QKIs79LmyN6YnY3iWiz71QSzSlWJjVN6fYcDdgrOGX6qKTWplWLtx6+o4SvlF4vk9DpQfXrUs7YfFlxvJ3lgoiqeJwWtjC2qv8wH6da6zOuZxLQJF7WSSOFoIArvfFBttuvRi1wFB6H6g/+oKiX0fkAWYNu9EhLMC73q6VM0Sg1X8rluJHX6YrgC+CJNEGR6ZUnLOR2m69mlYrRKSo1GHdm55o51Lpu1CEq0cWoDApyP4HZ9TvEVfkTE63sZXEbMHiwpGvl2hdQ3ZR468tA8reTLcXE7v4Mh2uZP4U4PUpshIcU1VdIdermfO1S8i0L73YcJ1BzYwaeKbLw64z8mHWOPGo26+KzvOu3V70RLC4o2XB3cUj8WNYZ5y6WiDOWjT32X9FTx3jNzfio5JJyZ/qWChqNcL8vi3zKb9uLvlHGyobF6BHyNbXwRvCf0w4gf/X/dUWzJ8z8yj75nNeLstXQV4B7y/9d2c1wu6R0/5pxEa0rZhdXONfOHe839v8wunHh1prKNkF7nURYu47AaEczW6NGA+U91KZCx7yMHsxJHVhwFRR12jHW3NCgyOeSrXBiQ5FoGXWszB4rwx7sGIVUyhl0/gkcfdsP5QDirn/ywZ77sKBQyXTPtCHaGOs8O1/g8bbCq1vG7JShfVgK1IB3ot22xlzK+XmcfdsS1ZqrnZhTcrQe+V45xal+YlJH688S9fzXlvUs/m2ausAWsWHtXVS8THbOj0MD2zrdFDJ+FBP0teF/2HDqu1SUL5tqfX/Xxr+2KXhY2rohGoYl7ZWL+SEiWoPqVY7JObIJnmRuAFVohHUXhWDfBeeh9AM944mcHLxcHeKIuB6jMV6O6iIU93Mq71gXZU1TLl8VejDQEVMEkikWhapP4ghfHF4ua2gaQk9i0EYNmUrdYm6IIHaZVXnOktTziAuFr+YdeAaRxZ/IMyRngn2LQMLwMl7/g07bCsSXX2/7sgb+XoTDmcwT6XiU0znlK6v0znGq51xDKmZN2Lbs5VHsdVkZjCwZE3MzWdNThTQ+O+VNqb6tNyai+LdoHNgmH5qxh4qUH7jY/eYaExnIMz4P3LSj8bwWSOjP27JyL1eurATEjthuQzI1pKNUwVAJxzGbvcctRh5EZAtCqAqKmKZBK57UGuRj7WRis6OVxh6HWyPg+h0bU06n5E/zjTEYzz7uSeOYxZ3KSMh8b80A7kZhj4j2rUZsRgG7sE24D3kvdRmpmD0x20zeMmt9z72DfIRtubSjDmdDZJJh/A5nc3wTt63bnQPOl1b/vAZuplS4123AZWgkv96cYsKJj9KtaLPaoExk1vrA++pf0IHyJLJZ/rJXQWubaS3DikyAznfoopxkPnYXxcfIvZ4M0zJg0X/4NemZHzsOlk5m7NQ6Nf5EmX7VF6bT8vRH7dn5BNVjA4vXc+XYr0q06zxPPQzTZ1//EqKwAJwe98lGfu2TxWK0aS7U4015xihyvWH9a4KZd5MZVlncDnTY5+wtrqah2xAFMwSKfYoUFIlduJWOwtN6/G3lrPoLffWtwwU21189kLn5yiuuraBioHGXEZP/cLKZwkZB7lbug2fK2KOZu21dp83vpX8/otMSVXRS1iMCSfbRIir+s9aVMHvriUL4zx0BahJbp5Km2kDykM9s8ZAYtUnasiv587Pywu+bSbT1cN/FTrd3sRtWiMzj7sdTia6h1xGlL+ykxiks6rsDSSpVFQtQ/N/a/Wsct0mpVzOmMBK8ZnqWVX5QwbOWFxgbdMHRWfVQSSThDXH2TrT9m6ONlq+BDAGDmtKrHdnjnCOXO+3QRfzfqENh7elZ7ktgCU9A2NCgzL6jGRpTA34RoCOk62QuoGOAXafBfYvYzuFl+udUCq91OkYG3PkV03Oplgf3fp3rqms1cDh1gNbMkbzSjMSq529ZUW33dpXr60LxbUHC8YeVZesYCKSiT0vnjy4wU8Lnig6nbKowU8v54Uju6JMG5mAKhyi8GPLuhAvHY7yP6MXYlV86TKDYuu4/Oy8M1fCynTJFpmZmUS2PPrRvx++WNeoj81cz3qmT7511qqTshWjBg5rLpc6Uzlujn1UjlOo/aJzc+yDDj3DfsFN6q3dcIm3YeS+UGxLj6bLqIuHgFtoxelB5ZswzpmvNruZjDaeRV80YLAuhikWDJSCcCpmmV2rk+Hw9jT3S9pS1sI16Yuyjd5LS3paOjD9khS2dEsaWmntDijoSqkH/C01el9rUFX6Ldegpd7vi4aqaWhJQzvr8AYFqeVxszfNWzmR7rgIeD3rY+wMA9CvFE8pBahlFGUpc0G/CRNULTGEEtzXhNpzyepdg4uwqY1XCiVy65de3V54NcTbSxMSOyGZMg7tou4l+PVrg97hH3RdUPqxHrjstl5jXCFToTxvePYrZthPWoQTb5GpEU7EW13bMjUTLqOnzppxNpNTIaMeyS8evDkk268eSgkj8WTsD/rjPtJj9kx4CZFi3+4kopw7HecPoMUtgP/mdkKVXHlieABdw0tiB9SEsycgXx9uHq8fiFTk4fpieP1w1iVwEDMmoOPWgdc0mlcud1UmPO/dfGeOsvolbukCFx/Sm6iZAIp0jr1JGZdut7vcJ/Wra1XcWgcJCm3wCt5jQXJnMCKZpNSwCePMLDfcb29cK0/qjMsJ5eN4khsWiMf5LWkrm7qF9Juy8vonTkuGXhnU38Q23pcWAIvE+VSxxBra4nlt862Nb12M2qX6/R25Y9WWC4BNQR2ZL4XAKIiltWLuuBrgqDJHnJtRY8hBpJc9Dsyw6Yry8DR6J9I5nbn3ljkcMQtH2k3ysKND6an2gw96pNMnjxxGX+UWeR/qxgl96Y7CcqpXlaRyQ8Q6eKeLrUpfvR4P7kItor8fqUx0TCoTb4HUCY2e8C3vOJpTMYOxq9KgB5ECt13VulP2oRmf+dTETe0LRGiCU4f6s1O2AJ/v6TpjYy7ENsu0lixsU9+pxxqZrFq/bR1ZlWSO3Ql4ZiKWzwM3T6fnnOkUFFjhKUudL7hVUOHmz3uPenrrn+9KBV8X+ztUmsLbSWo2wbReuE4o56FlxiaSp1i4wdVIdnUNw0RrkvZcXoRPHKLRU5aOFRjr30sx9pURuzT7jw2VINy8eY5GfoMZ+rfrLE2lckxKJRPmnIlzdCIV4OYgU6AmU4DeYvWCtBDaH3WYKCdwoyBUWKMFTfVcmlfjReTLtmJXK84DeQGX0zO04ciCyfYsBixI3ooBEY3mMJ4zM0ZXdDDJ7O7rkPbqU6zVokG+xot/B+Wmd6h2A+yKcY01dLl924F+QAgazCbc/syYpbhPW+QTtz915cqm8kIL09H92avcLXFN8nOsx0aOvceRujOm/sbHe2ZFtwyhzkoAW7iOD8NR+Tyc028kkWYOigjsx+G1x1ZDl6Uho23sMgbH7knja+kHu/3dO86lzFx8ySUyli3CjvEMv7I+p5TD1PREnIKEMjzwlx5xYBgTs/MakhAToDpzXTjr+Xm53v4wjinjy7A+P9SxtnlaWx+s9s4WP8sXo89Xt6MPhz26nWTRE5iBZn+9Vgomnt1zeXVOrYtPeGyNuJ23NJbTsZz8ByLT/d4qPUtzMzRgc7uI83yp8VnjGunzNuFQufPDlCQutLx4y3IWDKJ74d3jYmE3pdz8uoIuEj0gF7sdffBrd0YUzKiKOfiHqMt0jR3Osc869RhqmP95/VjDbYUryB4TTTRswZtmPeK9/9I53g1XsJ1AHl7fXj9ed416vi6DohPMv19fDHeS522yIHWfwvB5VJeGvVBuyOY4FGeBZHR9e331SD7jouPbb6voOpYKR8lYR1SIIz++qefTBSPrsbi7k53ZcQj1Ckym3gr5Acwx6Oesz91WPV3auXy9BYSOFG/2nmL5LLik8eusjFuWAgNutt1M9vMcFFQbybrUZ7xznsh4zXv0LH1tcgOC0DMX3a5SvzKL/ay95gRXGvyXl3olow7F7ZeXl2obWVefwhUG3WXd3I6jRYlYYHi0fkekIj9vJOzXPgn79eWl2l/2GISFfLMpU9qMrXC0uI05POssBXUeZA5DP3lEJPRuLkQSSy+Xq581scBIF22pbEos3YM5RRPIFe9mfqAjH043R2UJcJpql3GzhjW4VriRC3aE3ps0fKJDlfhNezc/D4rDantpcczaXqO75tper1j59j7D6pcj9lcXZeGtGISqFgloTWegSZr5Apvr68qNPo1GrkHFAzVdAVG+Lk+p9cXo0yjgIrHrlsDqj1DLuO5Q0X2efvK03OekdFuwb5VXdge4N95+D9yNiJEpi3ZAeycNplthgotvCtEf5IK9fBmYGnZLMwXu0mlih55grXYR471TW9I+4tvdvuhCBVDC7l8KGxmIbIuWcWM58znrum5pFXKtm+4ysBp/SqaIgqSSs2gn0V9Hw/mNWFDO4gtjFJtkXbVu64SqSg/hMM6PhOZQMYLPHAHk3NV9e6HWbp9Vfpv/gvyf0ec7V3g9kkpBZFwqY0LNxlL6W7l4J71u+W746FpECFliZ0v6HyBWbAHiUQ75t16pRah4/ZZI72w0tNnZS+08Sk9G/1RguWfxo/Uk96Rj9Gn0SQozf5RDamCUgjBfRsNOQEdzqmau2YFjd7UeJeaOWi82r2bok9EjykHEFJ/Kmrl//ONq1pWsdNMVwLcDXb5vR3X5/jiwnKuvSub5MaazVlfYHTyvSVMlX1iCRcaL/j0OFhFSnLtwc5w7Vv6Ot0EkCyfWL24MnC67S75as4nKgIpMAj83pjGtFqpSQFEWWZJAzKgBviYkktMipBkvmGar3mk3R+2qTnAGjEw5m83XxDRyZEdBVWefUQwWlBeHvx3lwYpSv0iDvLZCFs6r/ULLY6uTpVWQPK8W5Ks7eF+BuNcvWyDr1QLOXa95HAdjtIGHkKRmGYpf9FMqtMaei/ubwD7sbMXcDnfcJTQQsCYxDUShbo9+ob9yet6Nx+6jbp/FjP4YeZ1ZGbfy7ot10m6oOtTeLYf8MN9d26Gj9O2pMWe9rxh63fTX4yZXvDtjyptUHKk1RVtg3bOr0sJhP1R5m5RLTqOnueR9tZnI+6UUp8UlSewmte4VmYTpiZIrNZo3wL6TD/j9I4IOlgLBE1oHnF+D6UMT33CEvRWdlgng6eLNarYrynkfLXr8U1KI0cZXC+JZy+vyyjDsSKMIAazFGBoA9IETj7051nyZ8heYdZA+XzN8zZ1PpkwUKilmCQjtujZrLSOGpg0vzgrhWRXVRSoOEtRFKvYW03/d3719G/yYCQF8ZLq7dyg1BABicPgBvtazH7DIskWfkXeEiRgfnmoy/Pz1Ds+hP5f++OXe/eryn/f+J+VPr0ePF5e3N6Pfr4f4y3eE6aL8GOXcp10jmA0BOkf+kBq6xbjuTn/N/yj36bES4TmyA6JtVrUtpJV2SGU4/zcAAP//E71G2g==" + return "eJzsfd1zGzey73v+CtS+xE7JOo6dbN3Kw6nSlze6R5YVUV7njQvONEmsMMAYwFBmav/4W2gA8z0kh5yh5FPXD1sbkQR+/YFGd6PReEMeYf0boU/6B0IMMxx+I387+zL52w+ExKAjxVLDpPiN/PcPhBDyL/qk/0USGWccSCQ5h8hocvZlQhIpmJGKiQVJwCgWaTJXMsHPLrjM4idqouXpD4Qo4EA1/EYW9AdC5gx4rH/D0d8QQRMIaOw/s07tF5XMUv+XFlDVQcoDGbrQpz/lfw7jydm/ITKlP7s/TN2nj7B+kipu/3ia0DRlYuG/+7ef/lb6Xis29++BLuzAZEV5BiSlTHn+0CdNFGiZqQj0aYMC/f50lkWPYE7tfzcoaWLdgOGWJkDknFAyeU/8qI0JY5aA0EyKF8K4j6hMZVgNyD/+dOpV7vSn059+7Ik6ltmMwxigNTFLaogCkykBsZN3sRbI2d01+ZqBWjdJmjHOmVg0SCmvhC0Y/uXH+BeJpDCUCQsHCGjDEmogJtGSqgVoMpeKrGWmcKnSKJKZMISJ2qoN//LVOwNDS3+vL8EyNVdhzgs3ZeVLgTQuK/Q2qPtIv7EkSzoI8NgR/GkriItMKRDRunXypuo25r9qzBv5EUkmWMekE1ArFsFtde32mtcPgQMiqVaKSRcz2mGcJVIZ9hfEF1KbViB1xeoSaXlUmlhuNz4OQzYWVit5OTQSSW26xgxTWk53TtjOzG0zNoYMc51zEPFLZJkHdjSGVebrZNetVAnllq+fNV3AWRuuZ2ZcAZFkFuMxmNcxZzcfP4vZS1W8HNrRVK82YzfTLGv/yKgwzLRb+OdjGkr9q8d2FKZVZ+xkmjZUmWlMzf57kx2B2BFwZ1LW7YGVjQHsfmxFpltnBhEfNO+ViPeYFVVgGsOcCWbHGUxPHqGuc9uoaVD0sASiDYZP3mlMFWgQRhOKgYOllBKdQsTmDOJWnKXAZ522KeZQkKwLYsey0UQTSJXfs3UlkCDdbjnZHlCQHv55g6D/blBsTSyBbymXCpTDS2brIlDTDcc8yp3ig3zzYpiae56UI4cnUEB0pGgaooc8mv6CEcTTkkXLYoCWGNzKy5IUs/kclP0PS4dOaVT1FatBefi3yanPx9l3ETfFYTUuH7ak609LEC5SKvGf0JS1hK9rQRMZzw6SThjkSLKxP7zEKS/PDw21/NiDmbZJFkWg9Tzj9/A1A21uqLExzyld1aM10nNjbMqfeB2gK1B2C+NuLmtldI6DKAdEEyNzthEbAib0LymKP02MAprUWeGBZN6uldXMsARICorJ+LQ/QxL6bTSGhHDvJTLkk+BMwLWI4dsdqAiEoQu4U3KhQOtR1STNp7MMiWSScrC/cfaCEgFPZMHljHKiIZIipmpNmAVKmCYzsATT2DqXRhJKDJ1x6KbzTskV00wKiL8oZuCCpjRiZv1ZMDMunSJLZqAsjWmBgTxZECTyKNDL095LQEoI/t92+nei8h5o/NxEKqDx4DReSKGz5NgEBqNWENpGXOSxEbkC1b0cT1qn0ZKsZUYiKohRNHokS/lEkixa2tkwxVfmrVkqmS2WaWbscsg0bFjk3SzTWdLJspaUXg+G6Sz5Trl0ZPvQ1KxW2/D9MW103fqe+HQPKWcRtZQd0wcDTlMdKJ+BeQK7twqSpTHmnZmBhNA0BYoOBBPIsdzn0OhzWJvdOpMUYONKS5iz6CeEith52M2RqZBmCSr/hZ/M2/8t+3cL/47hsv2v4d+DokLTyNJ9IcWcs8iMpoBnXvkU2FDfc+kNhxWUvN04A+u4mQIX5XbxIjSd8zqSwh3UtOXVSDGcdMzQNAGcTvdjxUi2ShrKXyobztxxW5fLaBhnf+F6O4qhqkYD25zIDNFBbONvSy9tOzrcTGx1w3ox1Lbuab3Jnay1geRKKanG3Id7hq7OsC1AgGpmj90/KsjvDw935Ne3b4k21GR2Q4/hgAD3QoqYuXV1sYTo8QNl3Kq6Qz4icwp/bo5TEmoMJKnjVgpqLlVi13VA50S/YcHegYiZWJR2wgvUgmOQgLuR2/S8GKkCRGxAWIKaW1nrqLPMuJ8v6QqIkIaswZCZNXGlwQ70FGj8sFTSGA5XKxCjCfm+TfuROPgWAfqH0G3JWoccKEQO5I+t5r05UPKYOUuYac9mSUFoXlVFXmnrf1NdYYlwLHjdzQO07y9TD6o2fkxF8NveR/rNrgq90WU+zFQEh3lzfgS5YqOrGWC8ZDc0Krr3Mzc6005bSCxBo9GgacrXzuy8iSFBp9lySVs2tTNpk2Ut2PRgR7mxLtoLZlihEY7U9lC2ljOV8zKnyQepmswzBasjmupyrVKH20nj4AR4wDuoK9KT6Q0mvE0eX9zueEyBtPpiL1siDvKoInnRgnh+W/KRfitFGai/XXHVmAmMw+KpJVssoVG/5P41xqrp/hY978O4zhjteThXV8N2ppV/smGN7sm1vAZnVvad+h+Sw0wf8Xz86nxyWLnC0Afj/5Q8S3Bhnq+tNTs86A9JL83+QsUBGi3d+pCpjXeZFOUo1meh0UVMjXV5VwhJ2zCRRstwrHnLjJJvZtQaOCa0oSKCE/K0tPIxpYxCrbwn/LklCb4tYHaswaU3Km/cMvgumWP15lM6BGeswTGYJaz5gTlfNKZ+GxDtFw1LNuzYJTmOh7UmxAPB/pFBBjcgFmY5EN4aV+3mXte7PIn1RJlBDZTWpfAFCahZB5D0kEe8RXnFQLRVN6rr//pUlkMKym8p5NX1p7vJaxIDZytQ4KDnsrQfVna5uYuvfQ7v6nziF98p+WzX2RMzy3KdgRtgMrnM16gUfL2NLeUT6VFU1NdpbxC8Jq9EUd1tJHn369//p+YYvS6OEzdrwTC8Oc+UNueUWzs2ADcKTP/AnCsnd5lKpQaE9GqRvnt9QgoFJZ9SwxLkxu+Xl+SVNj+/dgdSF5KHv0U/v64S4+iNwS79ueUnLio6k5jpa9PSSEFsnc5XVtMsCILXYnIYlc+1+Rkh4MQKEspE6aBtZhnWuAzXrnJ4GIPJQSuwTamg/c2hW3Ha6olzfijnDXvuApeBzIsF4FJdR6aqsZqGJOs65scgaCNGV4cmpJefalLsnORsljBjymf/uY8evTvMR4/eHdNHv3h3mI8epdkpcvo0bRSGO+J1RDnE0zmXtP6FHWqLq5aEci4jPIO/uniHepcZKKcGqAJ/x89wG1SRTEM4Hw3OYvt9O0uIM0JTvPTTSsu2C48d9dG5Dl7cfc4tXb6wythwI7bfykqB7za8M7d5jIIYKN6DLQN3jBYF5iXVNmZVGcREM/sXZsgT1YTTTKDjjjadKlMvlikTozOV8kxPj0CUn6pKER5O4aFUYfIEyQRmjkqxhjMR9mcXd58vcAS/e/ub4kyTv0DJXSnVU3cPtJ43GIhUpKWVYLtWhDQkpSwmsXwSluSmvJ034MyKWWbWgEYZeos0zo8xHQntJAswT1I9njJxmlK7ae93mbid0rqV9zMQBRGwlVU9gTuXB0GYMKDmNALdWHpMhPYI1plpCwq7KZqmoKYaohEsYJO2kpuPttx6XTuTuZkimZkjCqk/+j2EVCLpf4uUmDidrc3ul/Kdi/4bafvRHuLDYY62wnC2o0jO0VWSW38St6vi8wvuaKvuGSU31IqLmX5k8tRGA8eTHEotLDLq3XxLRS4PbaSCIj+6oozjyYKR+8qtQehIcjsvyCqJa28KNxKDsduziK1c1nQUuZVIHVVwgbCS7PakcbsaynQwHwRFU6Qp6smZYy8wmW6WUn8KLzppG2KV9cnrtCrmeKJsZqSOu+TGFGWDtsNX3T6SdCW5p9ESosepK2sdiNR7SKUy2kbUWPpZQbqkmqRUY5GHNMvqh6FM2GLy1yeAaCyArn7mc8acakMSJjKzO5FTN96RaR2DkDDPM5DSLrFdick3i0gq+z9d7YmsW7eA+n2b/qk5qXxvsu07Vf4pS+gCTln7mti7p8L1ZTixw/FdsZORPqXWB1+RAT61Mhiw98O1iFmExeFBE2Iwruy9lHZmmoCwtqjDnOZAU8VW1MBpLPRUHNB9rSOR7EYnl7cT15fNs7cRGeyIktWrT7wm1v/cA9r13eoXQuNYgdaEai0jhrluPM3bC2s24ywai6E4eIOfO2qlhzYgFwPjPI4ra1xYRK7v8k9eWQa/JjOZuQ10H5biEjqNZNzOzb0NEY5b5+GJq4D/+e9vZsyQTGi2EJiJxkl2Qjq83FuRklepu6hC/kNUJoT7f3qZGcPE4g1ml/9DDKiECdTp/1iPBRsBhf8L8estFJmldW6dv2VN9VhbgZ8H3a2wLbQc9PHDOtYAP2azmqub9j41z1aMd06jRxDxhRTC+dwDXVyrijLKhy+zVUhTasbC1wS0oTPO9NI6m/72JTooksbEn0Sp3M9UsGDaYFVN0M0NtcG/PzzcXcgYpp7i6bs//xyYSrw99+7PP4kCnUqhwd2fC5fusFj1QNDvxwH9flTQv4wD+pdRQf86DuhfRwF9dXM+JpcjzqwNA2saELSuom6s0R0hj8hjDWoFahDI/o7ZMBc+64WRvv6xyKQg3MJaJrTrBi66SivKN9xEThnncgVqOOjNetlw/y636vmV+xlENNOuGlhnChtrgjuYt+Z+g44A5Wa5/l0Gph9636XK9KUbvlhg5VWHTj52G9lROyaWsnLx7BBgO9n8ChWcW7QC1Ou6trx6uCh/mtcXBK9QySyU2dIGH7pp/CxGFkkmhhXKcG1eCmlgXZrvSXJCmAiVbCfOLcSqXvuVpsOCDqAp7uw79reYepIJw3gjYaOMSzpoyD0fv4EsgcagNuwQeev1s5vzs8iwFRSenhPkMCwquqlXnD5fA0asWpb1lCIUxzi3uegQCTZ9vZy91Y/s96lagNmR/FD2fHPxeahy5zaqqyBrd71e3Vx8fl2+MXeW5g0FyI395flW3S7TdAtPx5OngKeGIMse+/GkeaekDRpgsAtEXST7A+0w3e5Cy/tgF189NFCtDnXEmLVE7osLX9tt2hiezguwZhc49sPN5BYW0jCah+tjuKYPN5MKkdj5u+w9+6AANS5mMUbzuTkglGjQGluKhrRplWDffIniROimbw4aph/YN4in937rm45B89xO8SbfXWkjY1FkK7aAvYeYKYjMKDCVH3wQgJ8Vn96whJnpFXbMgPiImCOZ8Vj8aKqXvsqBw+f7m3BMlcsFi8+tajn3xwYU3K4dZQcV5P/8z47h5/s//xyF1lJKxRFtsboYFKmWii0w/9phDHYP+MeD3xH2D4n/1zHxd+QABsX/9u2I+N++HRH4uzGBvxsR+Psxgb8fEfgvYwL/ZUjg13erv9cc7DH8qRbXuukk4C1xC2gz3BEzdHb4Iv2SVyL3yyC2hGljsPTZA7SXpja/IEGb9efepyvHENC2A7DWVGmVlCV2eXJ9F5jRLQ16SkM/bw67EEov/mccrlaUZ664bmhwGd+uLgu2Atf2zqXnlDWbvlGFJ4YKspTZhiU+QnZpr5zSpixp7XLAoQmJYpgjJiNu3aQvNBHxgcunIdNwG5IQcy6fNHlVPQB43bTx22x2Dfj04eJufPB2lxqNgJvJEQi4mYxGwOfLI0jg8+VwEvgebF8D8/i5tDr3rc4sqYj1kj4GN923J/YHvKLAUjS8D2G43Updtiwc8G10OAtTNJar2aE+Gz1Op0oho7NTE+kyLbi4R3Odu9f00DS9EEf5hDAR8QyPhh8u7v7r+m77iWIV+mgCaYFfVv1NTwygPL6LlV2myK9vp00bqLu4mzrbNb0HDUMmmJtFBxoMeXU/eXhdvSruLjDlBwByR9hXN+fPgnnfuh+L2SnTs7Pasdex2rH92apngrkr+rxIoVmMdQy+iOMZC0k2ocuLTJoREafJLKYHRUNuiCNGQjc44cuKgq7Fyp/NDO8I2o1VOx9vnoniUAVvtnyDKDOuLidsaKVnHt3H7qxWxOX/9M/z6owbdycvH3rLkaQvkx6aSFYwcH9sl0DjGzAG1GAoP0hFqF6LaKmkkNh9JgA9cRc4anJy2ll5dwPLl6ggsMq3jRho/IYjVF8cOMvc1rlhg78EbZjAuS9dX8X1B8p4pgYpBRmN0hz0TjRmaqgXcfBSTt6R0ZeoUdO2knQKIs69Lnzk0xOx/b2LMddCrcyUYotZ/8zGhpMBY7d9qc4G6fpp9cLJ07+N4R/Qztdp6BDh3h3TTll8w7T8lqWCSKo4xApbWHuRh+tXucUanMu5BhSVl0XZaKEI4F7x2LCzWx9GrTCRPgbqD7416pcJuYdFy2p0CAvw7pXaSgQRaPXfiqX40TccC+CLFEm0wY0ptRltpXZYn6aXhIgUlY6ye9MT7dz0fReKUHpkBQpLgux/cEb9GnHt2uR8G1tJzFYsLtz4erPZDrKLboV9GVD2ZoY9ltjFlxlQkvlFgOenyGpwTFVVQu7Vac47Rci0byLZcphBzYIaeKLrww4z8mE6XHi07RfFG/ru4cDokWCbSsuC27MH4sewrjh1bUDcbqFb/fRnfJ0eszfX4oOSScmfGlgpah3K/Lot8yk/bC75Rxt6NBegJ8jW58Ebkn9MOIX/593FFsyfMvMgx+Zz3mzL93NugPdH/ruzGmGPyGl/MWIj2l7MLg7xz5w7Pu5ZfuH04zWtDkp2gXtVJJjHLj8o57J7I8aA8k4qc8ZDFeYoG0ldGbBQ1D0Z5HdzQoMjnkq1wYkO7axlNrIyeK8MX5PFfqxQqqXxJeLu0n5oBhRz/5cN+7lLBl4qmY6BPuQaY4U3/1ss3lZoY+8hjU6yB+8iFeCjWLedMfcybh73yHtJoynsELtJGfqoHB98R2m/YDLGHc/S4by3FvVavq3WOoBW8WEPVKn4mA9U3V8e+EDVQc3vQ6tJ3+H+hw1S26U1ft+m8f+/yf2xm9zH1NAZ1TAtLa1RyAkT1a5RNd96zJHN8hZxp1SJVlB79Qvy7wndh2d9b2kCr87ub1+jCrjX0mK9HVTEqW7n1V6wLsoWpty8KrwoQUVMEkikWheFP4ghfPHyfFsj0xJ6FoMwbM4aXYmGIIFasao3OktTziAuhF/MeuqewCz+QJgjPRPsawYWgNP3/Bt22F4kuu5+w5E38d0mHM6wPZVaTzGdU9rdpXOKRzvTGFKzbMV2cONpmRlMLNkt5vqTJq8U0Pi/Kg+y6tflR8Yong06B4bpx3bsof/kVz51V4mmdAHCTP8tZ+NYDF8zMvnjhkzc3aUzOyGxE5abgGxt2DhXAHTGYepWz1G7nRcJ2aL9qaIilkngugfViXyqjVR0ccSe0R2wPQ6i086OdL4ef5ppiKcY+7kLjlMWD6kjoey/NAO5vgwvpmj3YIrFcOquawOeQ95JbRYKJn/ctIOX3HrvU//UP8LWXJopp4vTZDYgfE4XCzyT949QuuucOGv+GbqZUuNZtwGVoJH/cnaDBiYPpXrRZ63AlMmt3YH3tD/hLcvSls/0ozsK7HwSsAspMgM536OHcdD52B8XH6L2eDJMyb1Ff+9lU9p8rJysni1ZaPPrfIny/lSWzcf15I+bE/KRKkYvz93rNYW8KtN0eB76iabOP34mQ2ABuLXvSoz9A1YVinFLd1GN3c4xQ5XbD+tdFca8ncqyzeByoae+XK0pzUMWICpmiRQbCpRMiZ2418rCrfX4S8vt6D3X1tcMFNtdffZC5+cojrq2gYqBxlxGj+PCymcJFQe5W7oNn2thjtvac60+v/lWqvvPMiVVxS5hKyacbBMhruE/69EA/0A6SkcdjPPwIEBNc/NC2kwbUB7qid0MJPZ8oob8+sb5eXm7t81kum74z0KnW5u4TGtk5nm3w8lE95DLiPJndhKDdlaNvYEklYqqtXti3pUbWuO6TUu5XDCBfeIzNbKp8kEGzlgcYG2zB8UbsaeRTBLWnmcbzNq7OfpY+RLAGDh0NFgfbjvCOXK73wddzMeFdnl5U7qU2wNYMjIwJjQoo09IlsbUgH/S0HGyF1I30DHA7iNgfy92UHi53QmN0ktvNuOzHPlRk9tTrI9u/Tv3PK61wOHUAx+XjJaVp0isdfY7K7rtdn/11rowXHuwYOpRDckKJiKZ2Hjx1b0b/HXBE0Xncxa1+OnlunBkV5RpIxNQhUMUfmxZF/Kll5P8z+iFWBNfOsyg+DZdHjvvzJUgmSHZIjOzkMiWBz/698MX6xqNsZjrVc/00T+Z1XRStmLUwKHjcGkwk+Pm2MfkOIM6Ljo3xz7o0DMcF1zjvTcU8TaM3LeJ7enRDJl18RBwCTWcHjS+CeOc+V6zm8no41mMRQMm62KYY7tAKQinYpFZWb26vLx5nfslfSnr4ZqMRdlG76UnPT0dmHFJCku6Jw29rPYAFAxl1AP+nhZ9LBlUjX5PGfS0+2PRUN0aetLQb3d4gYrUM9wczfJWItIdhYDHsz7HzjAB/Uz5lFKCWkZRljKX9JsxQdUaUyjBfU2ojUuaZw0uw6Y2HimUyK0feg174NWSby9NSOyEZM449Mu6l+DXjw1Gh3/QcUHpx/rUVbeNmuMKlQrlecO1X7HA16hFiHiLSo0QEW91bcvUzLiMHgd7irOdnAoZ9Ux+ceHNIdl+9FAqGIlnUx/oT8coj9mz4CVkiv1jJxHl3Nk4H4AWpwD+m9sJVbJxxfAAui7PiR1QE84egXy5v364uidSkfurs8ur+5MhgYNYMAEDPxx4RaNl5XBXZcLz3s134iirH+KWDnDxIr2J2gmgSOfUbynT0un2kOukfnStilProEHhEbyC99iO3G0YkUxSatiMcWbWG863N8rKk7rgckb5NJ7lGwvE0/yUtNeeuoX067Lx+gdOSy69MajfiW09Ly0AFoXzqWKJ3WiL67Xtpzb+4WK0LtXv78gda7ZcAmwO6sh8KRRGQSztLubC1QBHlTni3IwaQw4ivexxYIXNUJSHq9E7kc7pwt23zOGIRQhpN+nDjg6lp9oPfjoinb545DD6KqfI+1A3Tei34Sgsl3pVSSo/h1gH72yxNenN4/HgLtQy+vuRysTApDLxEkid0egR7/JOoyUVC5i6Lg36NFLglqvqirIPrfjMpyZuat8gQhOcOnSfnbMV+HpP9y421kJs25k6ycJH6gf1WCOTVbu3dZFVKebYnYAnJmL5dOrmGTTOmc9BgVWestb5dlsFFW7+/OVRT2/9812p4F25v0O1KdydpGYTTOuF64RyHh7M2ETyHBs3uA7JrqthmKijaM/VRfjCIRo9ZulUgbH+vRRT3xdxyG3/oaUThJs3r9HITzDD6+06S1OpHJNSyYR5w8QbdCIV4OIgc6AmU4DeYvWAtFDaH3WYKCdwoyJUWKMFTfVSmmfjReSbtuKbVpwH8gIuZ2doS8iCxfYsBmxH3osBEY2WMF0yM0VX9HSW2dU3IO3Vq1jNpkG+x4u/B+Wmd6h2A+yacU01DLl8+4G+RwgazCbcPmbMUlynPeqJ+0ddubGp3NDCcnQfe5XfSuwofo711Mip9zhSF2Pqr3y6Z1V0zxTqogSwh+t4fzkpx8M5/UYSaZagiMDXOLz12LrRZWmoaJu6isGpu9L4XPbBLn93j3MtM5dfcoWM5R1hx3yGl6yvKeUwNyMRpyChDAP+0iUOTGNidV5LEWICVGfuDc56fV5ut99PY8r4OsjnhzrWPldr64PV7tniZ7kwxrx1O3l/2KXbWRY9gjnV7K/nKsHE2D3XV+fUuvyEx9aK23lLUzmfytm/ITLDr63StTQ3Qws2t4o4z0WN1xo7tM/vCYfqnR+mpHHhwYuXrGdhQ3Q3vEcUFr6llG+/rqGLRA/I5W4n773sToiCBVUxB38RdZ127MM59sWgHkMN8z+uHmq4rXIF3WOijYYteNNsRLx3nwfHu+EIdhDIl1c3Vw9XQ6NedlVQDIL596uzy530eZsuSD2mMnya1LVhL5QbqjkOxVkgmVzdXF08kE8odLz7bQ3dwFrhKJnqiApx5Ms39Xq6sMl6LO7sZGd2HEK9ApOpl0J+AHMM+jkbc7VVo0s7l++3gNCR4s3eUyyfBJc0fh7JOLEUGHCx7bZlPy1BQfUZWVf6jGfOMxl33EfP0ucmNyAIL+ai21V6rcxiP+lvOcG1Bv/lW72T0YDq9su3b9VHZF1/CtcYdBe5uRVHixaxwDC0fkukIj9vJOzXMQn79du36uuyxyAs1JvNmdJmapWjx2nM4VVnKag3Qecw9ZNnRMLLzYVKYuvlcvezNhYY6bItlUWJrXuwpmgGueHdzA905EN0c1SWAKepdhU3HaxBWeFCLtgRXt6k4RMdusRvWrt5PCgO6+2lxTF7e01u23t7PWPn27sMu19O2F9DtIW3ahC6WiSgNV2AJmnmG2x295WbfJxM3AMV99QMBUT5vjylpy8mHycBF4ndawmsfgm1jOsWDd2n+UdPy11OyrAN+5q8sivA3fH2a+B2QoxMWbQD2ltpsNwKC1z8oxDjQS7Yy9eBqWG1tFPgDp1mdugZ9moXMZ479SXtA97dHYsuNAAl7P6msJGByL5oGTeWM5+yofuWViHX3tJdB1bjT8kcUZBUchbtpPpdNLy5FivKWXxmjGKzbKiH2wahqvKCcBjnR0JzqJjBZ44A8sb1fftG7b59Uvlt/gvyfyefbl3j9UgqBZFxpYwJNRtb6W/l4q30tuW74aN7IkLIEjt70n8PsWIrEA/ykn8dlVqEisdvifTORsszO3uZnQfpyRifCmz3LH60nuSedEw+Tj5KYZYP8pIamKQgzOfJ5SCgoyVVC/fYgWN3tR8l1o5aLzbvZuiL0SPKQcQUr8qapb/843rWlXbptiOArwe6fF+P6vL9cWA7V9+VzPNjShe9jrAHuF6Tpkp+Ywk2GS/e73GwiJDijUs3x7lj5c94W1SycGK9cGPgdD1c8VXHIioDKioJ/NxYxtRsVKWAoi6yJIGYUQO8IyWS0yKkma6YZk3vdJhQu2oT3AZG5pwtlh05jRzZUVDV2WcUgxXlRfC3oz5YVRoXadDXXshCvDoutDy3OltbA8nzbkG+u4P3FYi7/bIFsm42cB5a5nEcNqMNPIQkNevQ/GKcVqE19pzdXQf24ctWzK1wx11CAwEdhWkgCnN79AP9RvS8G4/dR8Nei5n8MfE2szJu5d4XG+S5oepQez855If57p4dOsq7PTXmdPuK4a2b8d64yQ3vzpjyRyqO9DRFX2DDs6vyhMN+qPJnUs45jR6Xko/1zET+XkoRLa5JYhepda/ILExPlGz0aN4A+1be4/ePCDrsFAie0Drg/BhMH1r4hiPsbei0TACjixdr2S4o52M80eOvkkKMe3y1IZ7deV1dGaYdaRQhgE6M4QGAMXBi2JtjzcWU38Csg/T1muFrLj6ZM1GYpJglILR7tVlrGTHc2vDgrFCepqquUnGQoq5Ssbea/vPu9uXvwQ+ZEMAnZrhzh9KDAEAMDn+Kt/XsByyybNEn5C1hIsaLp5pcfvpyi3Hoz6U/fr5zvzr/x53/SfnTq8nD2fnN9eT3q0v85VvCdNF+jHLuy64RzIYEnSP/khq6ZXPdnf6a/1F+p8dqhOfIDoi27ap9ITWeQyrD+X8BAAD//yKjLyM=" } diff --git a/x-pack/metricbeat/module/aws/lambda/_meta/fields.yml b/x-pack/metricbeat/module/aws/lambda/_meta/fields.yml index 91becec6fef..74db186c905 100644 --- a/x-pack/metricbeat/module/aws/lambda/_meta/fields.yml +++ b/x-pack/metricbeat/module/aws/lambda/_meta/fields.yml @@ -2,7 +2,7 @@ type: group description: > `lambda` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS Lambda. - release: beta + release: ga fields: - name: metrics type: group diff --git a/x-pack/metricbeat/module/aws/module.yml b/x-pack/metricbeat/module/aws/module.yml index ce356c38e32..0be20d1d484 100644 --- a/x-pack/metricbeat/module/aws/module.yml +++ b/x-pack/metricbeat/module/aws/module.yml @@ -3,7 +3,6 @@ metricsets: - elb - ebs - usage - - billing - sns - lambda - dynamodb diff --git a/x-pack/metricbeat/module/aws/utils.go b/x-pack/metricbeat/module/aws/utils.go index 4c92cb140c6..67e5809bc8e 100644 --- a/x-pack/metricbeat/module/aws/utils.go +++ b/x-pack/metricbeat/module/aws/utils.go @@ -188,18 +188,28 @@ func GetResourcesTags(svc resourcegroupstaggingapiiface.ClientAPI, resourceTypeF } for _, resourceTag := range output.ResourceTagMappingList { - identifier, err := FindIdentifierFromARN(*resourceTag.ResourceARN) - if err != nil { - err = errors.Wrap(err, "error FindIdentifierFromARN") + shortIdentifier, err := FindShortIdentifierFromARN(*resourceTag.ResourceARN) + if err == nil { + resourceTagMap[shortIdentifier] = resourceTag.Tags + } else { + err = errors.Wrap(err, "error occurs when proccessing shortIdentifier") + return nil, err + } + + wholeIdentifier, err := FindWholeIdentifierFromARN(*resourceTag.ResourceARN) + if err == nil { + resourceTagMap[wholeIdentifier] = resourceTag.Tags + } else { + err = errors.Wrap(err, "error occurs when proccessing longIdentifier") return nil, err } - resourceTagMap[identifier] = resourceTag.Tags } } return resourceTagMap, nil } -func FindIdentifierFromARN(resourceARN string) (string, error) { +// FindShortIdentifierFromARN function extracts short resource id from resource filed of ARN. +func FindShortIdentifierFromARN(resourceARN string) (string, error) { arnParsed, err := arn.Parse(resourceARN) if err != nil { err = errors.Wrap(err, "error Parse arn") @@ -218,3 +228,13 @@ func FindIdentifierFromARN(resourceARN string) (string, error) { } return strings.Join(resourceARNSplit[1:], "/"), nil } + +// FindWholeIdentifierFromARN funtion extracts whole resource filed of ARN +func FindWholeIdentifierFromARN(resourceARN string) (string, error) { + arnParsed, err := arn.Parse(resourceARN) + if err != nil { + err = errors.Wrap(err, "error Parse arn") + return "", err + } + return arnParsed.Resource, nil +} diff --git a/x-pack/metricbeat/module/aws/utils_test.go b/x-pack/metricbeat/module/aws/utils_test.go index 4270d52b6ef..aef35f57e61 100644 --- a/x-pack/metricbeat/module/aws/utils_test.go +++ b/x-pack/metricbeat/module/aws/utils_test.go @@ -351,35 +351,45 @@ func TestFindTimestamp(t *testing.T) { func TestFindIdentifierFromARN(t *testing.T) { cases := []struct { - resourceARN string - expectedIdentifier string + resourceARN string + expectedShortIdentifier string + expectedWholeIdentifier string }{ { "arn:aws:rds:eu-west-1:123456789012:db:mysql-db", "mysql-db", + "db:mysql-db", }, { "arn:aws:ec2:us-east-1:123456789012:instance/i-123", "i-123", + "instance/i-123", }, { "arn:aws:sns:us-east-1:627959692251:notification-topic-1", "notification-topic-1", + "notification-topic-1", }, { "arn:aws:elasticloadbalancing:eu-central-1:627959692251:loadbalancer/app/ece-ui/b195d6cf21493989", "app/ece-ui/b195d6cf21493989", + "loadbalancer/app/ece-ui/b195d6cf21493989", }, { "arn:aws:elasticloadbalancing:eu-central-1:627959692251:loadbalancer/net/ece-es-clusters-nlb/0c5bdb3b96cf1552", "net/ece-es-clusters-nlb/0c5bdb3b96cf1552", + "loadbalancer/net/ece-es-clusters-nlb/0c5bdb3b96cf1552", }, } for _, c := range cases { - identifier, err := FindIdentifierFromARN(c.resourceARN) + shortIdentifier, err := FindShortIdentifierFromARN(c.resourceARN) + assert.NoError(t, err) + assert.Equal(t, c.expectedShortIdentifier, shortIdentifier) + + wholeIdentifier, err := FindWholeIdentifierFromARN(c.resourceARN) assert.NoError(t, err) - assert.Equal(t, c.expectedIdentifier, identifier) + assert.Equal(t, c.expectedWholeIdentifier, wholeIdentifier) } } @@ -388,7 +398,7 @@ func TestGetResourcesTags(t *testing.T) { mockSvc := &MockResourceGroupsTaggingClient{} resourceTagMap, err := GetResourcesTags(mockSvc, []string{"rds"}) assert.NoError(t, err) - assert.Equal(t, 2, len(resourceTagMap)) + assert.Equal(t, 4, len(resourceTagMap)) expectedResourceTagMap := map[string][]resourcegroupstaggingapi.Tag{} expectedResourceTagMap["mysql-db-1"] = []resourcegroupstaggingapi.Tag{ @@ -411,5 +421,25 @@ func TestGetResourcesTags(t *testing.T) { Value: awssdk.String("boo"), }, } + expectedResourceTagMap["db:mysql-db-1"] = []resourcegroupstaggingapi.Tag{ + { + Key: awssdk.String("organization"), + Value: awssdk.String("engineering"), + }, + { + Key: awssdk.String("owner"), + Value: awssdk.String("foo"), + }, + } + expectedResourceTagMap["db:mysql-db-2"] = []resourcegroupstaggingapi.Tag{ + { + Key: awssdk.String("organization"), + Value: awssdk.String("finance"), + }, + { + Key: awssdk.String("owner"), + Value: awssdk.String("boo"), + }, + } assert.Equal(t, expectedResourceTagMap, resourceTagMap) } diff --git a/x-pack/metricbeat/module/azure/_meta/config.reference.yml b/x-pack/metricbeat/module/azure/_meta/config.reference.yml index 129384d1498..1f9ac04529e 100644 --- a/x-pack/metricbeat/module/azure/_meta/config.reference.yml +++ b/x-pack/metricbeat/module/azure/_meta/config.reference.yml @@ -100,4 +100,5 @@ period: 300s application_id: '' api_key: '' - + metrics: + - id: ["requests/count", "requests/duration"] diff --git a/x-pack/metricbeat/module/azure/_meta/config.yml b/x-pack/metricbeat/module/azure/_meta/config.yml index 914f5ed5774..0f497af6fb4 100644 --- a/x-pack/metricbeat/module/azure/_meta/config.yml +++ b/x-pack/metricbeat/module/azure/_meta/config.yml @@ -109,3 +109,5 @@ # period: 300s # application_id: '' # api_key: '' +# metrics: +# - id: ["requests/count", "requests/duration"] diff --git a/x-pack/metricbeat/module/azure/_meta/docs.asciidoc b/x-pack/metricbeat/module/azure/_meta/docs.asciidoc index 38e11f24a85..b0f76ecb623 100644 --- a/x-pack/metricbeat/module/azure/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/azure/_meta/docs.asciidoc @@ -8,7 +8,9 @@ The azure monitor metrics are numerical values that describe some aspect of a sy The azure module will periodically retrieve the azure monitor metrics using the Azure REST APIs as MetricList. Additional azure API calls will be executed in order to retrieve information regarding the resources targeted by the user. -The azure module mericsets are `monitor`, `compute_vm` and `compute_vm_scaleset` + +IMPORTANT: Extra Azure charges on metric queries may be generated by this module. +Please see <> for more details. [float] === Dashboards @@ -111,6 +113,7 @@ so the `period` for `billing` metricset should be `24h` or multiples of `24h`. This metricset will collect application insights metrics, the `period` (interval) for the `app-insights` metricset is set by default at `300s`. [float] +[[azure-api-cost]] == Additional notes about metrics and costs Costs: Metric queries are charged based on the number of standard API calls. More information on pricing here https://azure.microsoft.com/id-id/pricing/details/monitor/. diff --git a/x-pack/metricbeat/module/azure/_meta/fields.yml b/x-pack/metricbeat/module/azure/_meta/fields.yml index f24d54bcd7f..c6471dc108d 100644 --- a/x-pack/metricbeat/module/azure/_meta/fields.yml +++ b/x-pack/metricbeat/module/azure/_meta/fields.yml @@ -45,3 +45,9 @@ object_type_mapping_type: "*" description: > Azure metric dimensions. + - name: metrics.*.* + type: object + object_type: float + object_type_mapping_type: "*" + description: > + Metrics returned. diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-billing-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-billing-overview.json index b8ebdbdaf3c..0776c3128e3 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-billing-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-billing-overview.json @@ -238,7 +238,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1578578146383", "indexPatternRefName": "control_4_index_pattern", "label": "Resource Name", @@ -483,7 +483,7 @@ "enabled": true, "id": "2", "params": { - "field": "cloud.instance.name", + "field": "azure.resource.name", "missingBucket": false, "missingBucketLabel": "Missing", "order": "desc", diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-blob-storage-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-blob-storage-overview.json index 711976480a1..f29311dfbf8 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-blob-storage-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-blob-storage-overview.json @@ -480,7 +480,7 @@ "index_pattern": "metricbeat-*", "interval": "60m", "isModelInvalid": false, - "pivot_id": "cloud.instance.name", + "pivot_id": "azure.resource.name", "pivot_label": "Resource Name", "pivot_rows": "30", "pivot_type": "string", @@ -510,7 +510,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -613,7 +613,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -765,7 +765,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1578578146383", "indexPatternRefName": "control_2_index_pattern", "label": "Resource Name", @@ -1048,7 +1048,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-instance-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-instance-overview.json index 5a6fbac9863..92555a11e4d 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-instance-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-instance-overview.json @@ -233,7 +233,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], @@ -306,7 +306,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], @@ -372,7 +372,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1584710535722", "indexPatternRefName": "control_2_index_pattern", "label": "Resource", @@ -471,7 +471,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], @@ -544,7 +544,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-registry-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-registry-overview.json index 030c9ec8b28..61516d560b7 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-registry-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-registry-overview.json @@ -233,7 +233,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], @@ -301,7 +301,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], @@ -367,7 +367,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1584710535722", "indexPatternRefName": "control_2_index_pattern", "label": "Resource", @@ -461,7 +461,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], @@ -529,7 +529,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-service-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-service-overview.json index 6d69131430b..46ff5161f28 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-service-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-container-service-overview.json @@ -254,7 +254,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], @@ -322,7 +322,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries" } ], @@ -388,7 +388,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1584710535722", "indexPatternRefName": "control_2_index_pattern", "label": "Resource", diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-database-account-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-database-account-overview.json index 32baee889f8..c0552fd8e8f 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-database-account-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-database-account-overview.json @@ -438,7 +438,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1584710535722", "indexPatternRefName": "control_2_index_pattern", "label": "Resource", diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-file-storage-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-file-storage-overview.json index 05e8f11b280..b58598e3838 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-file-storage-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-file-storage-overview.json @@ -520,7 +520,7 @@ "index_pattern": "metricbeat-*", "interval": "60m", "isModelInvalid": false, - "pivot_id": "cloud.instance.name", + "pivot_id": "azure.resource.name", "pivot_label": "Resource Name", "pivot_rows": "30", "pivot_type": "string", @@ -550,7 +550,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -653,7 +653,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -756,7 +756,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -908,7 +908,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1578578146383", "indexPatternRefName": "control_2_index_pattern", "label": "Resource Name", @@ -1165,7 +1165,7 @@ "index_pattern": "metricbeat-*", "interval": "60m", "isModelInvalid": false, - "pivot_id": "cloud.instance.name", + "pivot_id": "azure.resource.name", "pivot_label": "Resource Name", "pivot_rows": "30", "pivot_type": "string", @@ -1195,7 +1195,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -1272,7 +1272,7 @@ "index_pattern": "metricbeat-*", "interval": "60m", "isModelInvalid": false, - "pivot_id": "cloud.instance.name", + "pivot_id": "azure.resource.name", "pivot_label": "Resource Name", "pivot_rows": "30", "pivot_type": "string", @@ -1302,7 +1302,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-queue-storage-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-queue-storage-overview.json index dc7b93f557d..6226342295c 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-queue-storage-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-queue-storage-overview.json @@ -480,7 +480,7 @@ "index_pattern": "metricbeat-*", "interval": "60m", "isModelInvalid": false, - "pivot_id": "cloud.instance.name", + "pivot_id": "azure.resource.name", "pivot_label": "Resource Name", "pivot_rows": "30", "pivot_type": "string", @@ -510,7 +510,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -613,7 +613,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -716,7 +716,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -868,7 +868,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1578578146383", "indexPatternRefName": "control_2_index_pattern", "label": "Resource Name", diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-storage-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-storage-overview.json index 67157dd83ce..0ad7aa93d44 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-storage-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-storage-overview.json @@ -474,7 +474,7 @@ "index_pattern": "metricbeat-*", "interval": "60m", "isModelInvalid": false, - "pivot_id": "cloud.instance.name", + "pivot_id": "azure.resource.name", "pivot_label": "Resource Name", "pivot_rows": "30", "pivot_type": "string", @@ -504,7 +504,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -607,7 +607,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -710,7 +710,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -861,7 +861,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1578578146383", "indexPatternRefName": "control_2_index_pattern", "label": "Resource Name", @@ -1118,7 +1118,7 @@ "index_pattern": "metricbeat-*", "interval": "60m", "isModelInvalid": false, - "pivot_id": "cloud.instance.name", + "pivot_id": "azure.resource.name", "pivot_label": "Resource Name", "pivot_rows": "30", "pivot_type": "string", @@ -1148,7 +1148,7 @@ "split_color_mode": "gradient", "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-table-storage-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-table-storage-overview.json index 8ee38360976..87d5bba8410 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-table-storage-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-table-storage-overview.json @@ -480,7 +480,7 @@ "index_pattern": "metricbeat-*", "interval": "60m", "isModelInvalid": false, - "pivot_id": "cloud.instance.name", + "pivot_id": "azure.resource.name", "pivot_label": "Resource Name", "pivot_rows": "30", "pivot_type": "string", @@ -510,7 +510,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -613,7 +613,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -716,7 +716,7 @@ "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "terms_order_by": "61fb4192-32e4-11ea-b9f8-4d0b340ad993", "type": "timeseries", "value_template": "{{value}}" @@ -868,7 +868,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1578578146383", "indexPatternRefName": "control_2_index_pattern", "label": "Resource Name", diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-guestmetrics-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-guestmetrics-overview.json index 0613a7e4a8e..873616c609c 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-guestmetrics-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-guestmetrics-overview.json @@ -251,7 +251,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1570774891724", "indexPatternRefName": "control_2_index_pattern", "label": "VM Name", diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-overview.json index 08b5b044633..78660789d5b 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-overview.json @@ -19,7 +19,9 @@ }, "panelsJSON": [ { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "VM Filters" + }, "gridData": { "h": 12, "i": "aa881f9d-28d3-4722-822e-3e670021cf52", @@ -29,7 +31,8 @@ }, "panelIndex": "aa881f9d-28d3-4722-822e-3e670021cf52", "panelRefName": "panel_0", - "version": "7.4.0" + "title": "VM Filters", + "version": "7.9.1" }, { "embeddableConfig": { @@ -45,7 +48,7 @@ "panelIndex": "e673f70c-f811-4290-9087-578c7dd13675", "panelRefName": "panel_1", "title": "VM CPU Utilization", - "version": "7.4.0" + "version": "7.9.1" }, { "embeddableConfig": { @@ -61,7 +64,7 @@ "panelIndex": "2473ef72-c56c-4783-a36a-f4b8efd66ab7", "panelRefName": "panel_2", "title": "VM Available Memory", - "version": "7.4.0" + "version": "7.9.1" }, { "embeddableConfig": {}, @@ -74,7 +77,7 @@ }, "panelIndex": "14e225ef-6417-4377-b2cb-6b46b6693b78", "panelRefName": "panel_3", - "version": "7.4.0" + "version": "7.9.1" }, { "embeddableConfig": { @@ -90,7 +93,7 @@ "panelIndex": "535d70b3-3f3c-4a84-85ba-ab671b6d144f", "panelRefName": "panel_4", "title": "VM Network In Total", - "version": "7.4.0" + "version": "7.9.1" }, { "embeddableConfig": { @@ -106,7 +109,7 @@ "panelIndex": "6903a45e-bf11-4db2-9497-fd9692e83448", "panelRefName": "panel_5", "title": "VM Network Out Total", - "version": "7.4.0" + "version": "7.9.1" }, { "embeddableConfig": { @@ -122,7 +125,7 @@ "panelIndex": "aa57fa8f-f6ea-45e3-9b2c-ba948d625813", "panelRefName": "panel_6", "title": "VM Disk Writes", - "version": "7.4.0" + "version": "7.9.1" }, { "embeddableConfig": { @@ -138,7 +141,7 @@ "panelIndex": "8879143b-ed83-45ec-8c58-b10dc1597c22", "panelRefName": "panel_7", "title": "VM Disk Read Operations/s", - "version": "7.4.0" + "version": "7.9.1" }, { "embeddableConfig": { @@ -154,7 +157,7 @@ "panelIndex": "4071f2bf-1794-45ff-b76d-58864226d8b7", "panelRefName": "panel_8", "title": "VM Disk Write Operations/s", - "version": "7.4.0" + "version": "7.9.1" } ], "timeRestore": false, @@ -165,6 +168,9 @@ "migrationVersion": { "dashboard": "7.3.0" }, + "namespaces": [ + "default" + ], "references": [ { "id": "5031b220-eb61-11e9-90ec-112a988266d5", @@ -213,8 +219,8 @@ } ], "type": "dashboard", - "updated_at": "2019-10-15T11:53:03.300Z", - "version": "WzMxOTAsMV0=" + "updated_at": "2020-09-15T16:10:59.501Z", + "version": "Wzg4NSwxXQ==" }, { "attributes": { @@ -266,7 +272,7 @@ "type": "list" }, { - "fieldName": "cloud.instance.name", + "fieldName": "azure.resource.name", "id": "1570774891724", "indexPatternRefName": "control_2_index_pattern", "label": "VM Name", @@ -291,8 +297,11 @@ }, "id": "5031b220-eb61-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [ { "id": "metricbeat-*", @@ -311,8 +320,8 @@ } ], "type": "visualization", - "updated_at": "2019-10-11T06:35:45.645Z", - "version": "WzE0ODMsMV0=" + "updated_at": "2020-09-15T16:21:47.113Z", + "version": "WzkyNywxXQ==" }, { "attributes": { @@ -372,7 +381,7 @@ "split_color_mode": "rainbow", "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "value_template": "{{value}}%" } ], @@ -387,12 +396,15 @@ }, "id": "db9a3490-ea8f-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2019-10-15T11:52:01.637Z", - "version": "WzMxODQsMV0=" + "updated_at": "2020-09-15T16:01:27.530Z", + "version": "WzMzMywxXQ==" }, { "attributes": { @@ -445,9 +457,10 @@ ], "point_size": 0, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "value_template": "{{value}}" } ], @@ -462,12 +475,15 @@ }, "id": "7205a4f0-ea95-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2019-10-15T11:52:22.085Z", - "version": "WzMxODYsMV0=" + "updated_at": "2020-09-15T16:01:27.530Z", + "version": "WzMzNCwxXQ==" }, { "attributes": { @@ -520,9 +536,10 @@ ], "point_size": 0, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -538,12 +555,15 @@ }, "id": "e8ca65c0-eb45-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2019-10-15T11:50:30.820Z", - "version": "WzMxNzgsMV0=" + "updated_at": "2020-09-15T16:01:27.530Z", + "version": "WzMzNSwxXQ==" }, { "attributes": { @@ -596,9 +616,10 @@ ], "point_size": 0, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "value_template": "{{value}}" } ], @@ -613,12 +634,15 @@ }, "id": "8b6b9450-ea99-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2019-10-15T11:52:40.578Z", - "version": "WzMxODgsMV0=" + "updated_at": "2020-09-15T16:01:27.530Z", + "version": "WzMzNiwxXQ==" }, { "attributes": { @@ -671,9 +695,10 @@ ], "point_size": 0, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -689,12 +714,15 @@ }, "id": "abd32c30-ea99-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2019-10-15T11:49:45.582Z", - "version": "WzMxNzQsMV0=" + "updated_at": "2020-09-15T16:01:27.530Z", + "version": "WzMzNywxXQ==" }, { "attributes": { @@ -747,9 +775,10 @@ ], "point_size": 0, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -765,12 +794,15 @@ }, "id": "5c016810-ea9a-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2019-10-15T11:50:07.876Z", - "version": "WzMxNzYsMV0=" + "updated_at": "2020-09-15T16:01:27.530Z", + "version": "WzMzOCwxXQ==" }, { "attributes": { @@ -823,9 +855,10 @@ ], "point_size": 0, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -841,12 +874,15 @@ }, "id": "3a50e950-eb46-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2019-10-15T11:50:55.337Z", - "version": "WzMxODAsMV0=" + "updated_at": "2020-09-15T16:01:27.530Z", + "version": "WzMzOSwxXQ==" }, { "attributes": { @@ -899,9 +935,10 @@ ], "point_size": 0, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -917,13 +954,16 @@ }, "id": "0892eaa0-ea9a-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2019-10-15T11:51:33.545Z", - "version": "WzMxODIsMV0=" + "updated_at": "2020-09-15T16:01:27.530Z", + "version": "WzM0MCwxXQ==" } ], - "version": "7.4.0" + "version": "7.9.1" } diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vmss-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vmss-overview.json index 7e8ed312b79..fe615da131f 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vmss-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vmss-overview.json @@ -374,7 +374,7 @@ "split_color_mode": "rainbow", "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "value_template": "{{value}}" } ], @@ -449,7 +449,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "value_template": "{{value}}" } ], @@ -524,7 +524,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -600,7 +600,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -676,7 +676,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -752,7 +752,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -828,7 +828,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } @@ -904,7 +904,7 @@ "separate_axis": 0, "split_mode": "terms", "stacked": "none", - "terms_field": "cloud.instance.name", + "terms_field": "azure.resource.name", "type": "timeseries", "value_template": "{{value}}" } diff --git a/x-pack/metricbeat/module/azure/add_metadata.go b/x-pack/metricbeat/module/azure/add_metadata.go new file mode 100644 index 00000000000..ba8f35c7db6 --- /dev/null +++ b/x-pack/metricbeat/module/azure/add_metadata.go @@ -0,0 +1,50 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package azure + +import ( + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/metricbeat/mb" +) + +func addHostMetadata(event *mb.Event, metricList common.MapStr) { + hostFieldTable := map[string]string{ + "percentage_cpu.avg": "host.cpu.pct", + "network_in_total.total": "host.network.in.bytes", + "network_in.total": "host.network.in.packets", + "network_out_total.total": "host.network.out.bytes", + "network_out.total": "host.network.out.packets", + "disk_read_bytes.total": "host.disk.read.bytes", + "disk_write_bytes.total": "host.disk.write.bytes", + } + + for metricName, hostName := range hostFieldTable { + metricValue, err := metricList.GetValue(metricName) + if err != nil { + continue + } + + if value, ok := metricValue.(float64); ok { + if metricName == "percentage_cpu.avg" { + value = value / 100 + } + event.RootFields.Put(hostName, value) + } + } +} + +func addCloudVMMetadata(event *mb.Event, vm VmResource) { + if vm.Name != "" { + event.RootFields.Put("cloud.instance.name", vm.Name) + event.RootFields.Put("host.name", vm.Name) + } + if vm.Id != "" { + event.RootFields.Put("cloud.instance.id", vm.Id) + event.RootFields.Put("host.id", vm.Id) + } + if vm.Size != "" { + event.RootFields.Put("cloud.machine.type", vm.Size) + } +} diff --git a/x-pack/metricbeat/module/azure/app_insights/_meta/docs.asciidoc b/x-pack/metricbeat/module/azure/app_insights/_meta/docs.asciidoc index 2ba1150078b..2b587acbbdd 100644 --- a/x-pack/metricbeat/module/azure/app_insights/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/azure/app_insights/_meta/docs.asciidoc @@ -45,17 +45,15 @@ This value is only valid when segment is specified. `filter`:: (_string_) An expression used to filter the results. This value should be a valid OData filter expression where the keys of each clause should be applicable dimensions for the metric you are retrieving. -Users can select the options to retrieve all metrics from a specific namespace using the following: +Example configuration: ["source","yaml"] ---- - metrics: - - id: ["*"] - timespan: "Microsoft.Storage/storageAccounts" +metrics: + - id: ["requests/count", "requests/failed"] + segment: "request/name" + aggregation: ["sum"] ---- -A default non configurable timegrain of 5 min is set so users are advised to configure an interval of 300s or a multiply of it. - - diff --git a/x-pack/metricbeat/module/azure/app_insights/app_insights.go b/x-pack/metricbeat/module/azure/app_insights/app_insights.go index e3a087ad7ce..8ffe02eb860 100644 --- a/x-pack/metricbeat/module/azure/app_insights/app_insights.go +++ b/x-pack/metricbeat/module/azure/app_insights/app_insights.go @@ -22,7 +22,7 @@ type Config struct { ApplicationId string `config:"application_id" validate:"required"` ApiKey string `config:"api_key" validate:"required"` Period time.Duration `config:"period" validate:"nonzero,required"` - Metrics []Metric `config:"metrics"` + Metrics []Metric `config:"metrics" validate:"required"` } // Metric struct used for configuration options diff --git a/x-pack/metricbeat/module/azure/app_insights/data.go b/x-pack/metricbeat/module/azure/app_insights/data.go index 62afa32163f..df7efdbeaba 100644 --- a/x-pack/metricbeat/module/azure/app_insights/data.go +++ b/x-pack/metricbeat/module/azure/app_insights/data.go @@ -8,6 +8,8 @@ import ( "fmt" "strings" + "github.com/Azure/go-autorest/autorest/date" + "github.com/Azure/azure-sdk-for-go/services/preview/appinsights/v1/insights" "github.com/elastic/beats/v7/libbeat/common" @@ -19,45 +21,80 @@ func EventsMapping(metricValues insights.ListMetricsResultsItem, applicationId s if metricValues.Value == nil { return events } + groupedAddProp := make(map[string][]insights.MetricsResultInfo) for _, item := range *metricValues.Value { if item.Body != nil && item.Body.Value != nil { if item.Body.Value.AdditionalProperties != nil { - events = append(events, createEvent(*item.Body.Value, insights.MetricsSegmentInfo{}, applicationId)) + groupedAddProp[fmt.Sprintf("%sTO%s", item.Body.Value.Start, item.Body.Value.End)] = + append(groupedAddProp[fmt.Sprintf("%sTO%s", item.Body.Value.Start, item.Body.Value.End)], *item.Body.Value) } else if item.Body.Value.Segments != nil { for _, segment := range *item.Body.Value.Segments { - events = append(events, createEvent(*item.Body.Value, segment, applicationId)) + event, ok := createSegmentEvent(*item.Body.Value.Start, *item.Body.Value.End, segment, applicationId) + if ok { + events = append(events, event) + } } } } } + if len(groupedAddProp) > 0 { + for _, val := range groupedAddProp { + event, ok := createEvent(val, applicationId) + if ok { + events = append(events, event) + } + } + } return events } -func createEvent(value insights.MetricsResultInfo, segment insights.MetricsSegmentInfo, applicationId string) mb.Event { +func createSegmentEvent(start date.Time, end date.Time, segment insights.MetricsSegmentInfo, applicationId string) (mb.Event, bool) { metricList := common.MapStr{} - if value.AdditionalProperties != nil { + metrics := getMetric(segment.AdditionalProperties) + if len(metrics) == 0 { + return mb.Event{}, false + } + for key, metric := range metrics { + metricList.Put(key, metric) + } + event := mb.Event{ + MetricSetFields: common.MapStr{ + "start_date": start, + "end_date": end, + "application_id": applicationId, + }, + Timestamp: end.Time, + } + event.RootFields = common.MapStr{} + event.RootFields.Put("cloud.provider", "azure") + event.MetricSetFields.Put("metrics", metricList) + return event, true +} + +func createEvent(values []insights.MetricsResultInfo, applicationId string) (mb.Event, bool) { + metricList := common.MapStr{} + for _, value := range values { metrics := getMetric(value.AdditionalProperties) for key, metric := range metrics { metricList.Put(key, metric) } - } else { - metrics := getMetric(segment.AdditionalProperties) - for key, metric := range metrics { - metricList.Put(key, metric) - } } + if len(metricList) == 0 { + return mb.Event{}, false + } + event := mb.Event{ MetricSetFields: common.MapStr{ - "start_date": value.Start, - "end_date": value.End, + "start_date": values[0].Start, + "end_date": values[0].End, "application_id": applicationId, }, - Timestamp: value.End.Time, + Timestamp: values[0].End.Time, } event.RootFields = common.MapStr{} event.RootFields.Put("cloud.provider", "azure") event.MetricSetFields.Put("metrics", metricList) - return event + return event, true } func getMetric(addProp map[string]interface{}) map[string]interface{} { @@ -66,7 +103,9 @@ func getMetric(addProp map[string]interface{}) map[string]interface{} { switch val.(type) { case map[string]interface{}: for subKey, subVal := range val.(map[string]interface{}) { - metricNames[cleanMetricNames(fmt.Sprintf("%s.%s", key, subKey))] = subVal + if subVal != nil { + metricNames[cleanMetricNames(fmt.Sprintf("%s.%s", key, subKey))] = subVal + } } default: metricNames[cleanMetricNames(key)] = val diff --git a/x-pack/metricbeat/module/azure/azure.go b/x-pack/metricbeat/module/azure/azure.go index 44f098c9619..38db7f7c6d7 100644 --- a/x-pack/metricbeat/module/azure/azure.go +++ b/x-pack/metricbeat/module/azure/azure.go @@ -6,50 +6,12 @@ package azure import ( "fmt" - "time" "github.com/pkg/errors" "github.com/elastic/beats/v7/metricbeat/mb" ) -// Config options -type Config struct { - ClientId string `config:"client_id"` - ClientSecret string `config:"client_secret"` - TenantId string `config:"tenant_id"` - SubscriptionId string `config:"subscription_id"` - Period time.Duration `config:"period" validate:"nonzero,required"` - Resources []ResourceConfig `config:"resources"` - RefreshListInterval time.Duration `config:"refresh_list_interval"` - DefaultResourceType string `config:"default_resource_type"` -} - -// ResourceConfig contains resource and metric list specific configuration. -type ResourceConfig struct { - Id []string `config:"resource_id"` - Group []string `config:"resource_group"` - Metrics []MetricConfig `config:"metrics"` - Type string `config:"resource_type"` - Query string `config:"resource_query"` - ServiceType []string `config:"service_type"` -} - -// MetricConfig contains metric specific configuration. -type MetricConfig struct { - Name []string `config:"name"` - Namespace string `config:"namespace"` - Aggregations []string `config:"aggregations"` - Dimensions []DimensionConfig `config:"dimensions"` - Timegrain string `config:"timegrain"` -} - -// DimensionConfig contains dimensions specific configuration. -type DimensionConfig struct { - Name string `config:"name"` - Value string `config:"value"` -} - func init() { // Register the ModuleFactory function for the "azure" module. if err := mb.Registry.AddModule("azure", newModule); err != nil { @@ -127,20 +89,20 @@ func NewMetricSet(base mb.BaseMetricSet) (*MetricSet, error) { // It publishes the event which is then forwarded to the output. In case // of an error set the Error field of mb.Event or simply call report.Error(). func (m *MetricSet) Fetch(report mb.ReporterV2) error { - err := m.Client.InitResources(m.MapMetrics, report) + err := m.Client.InitResources(m.MapMetrics) if err != nil { return err } - if len(m.Client.Resources.Metrics) == 0 { + if len(m.Client.ResourceConfigurations.Metrics) == 0 { // error message is previously logged in the InitResources, no error event should be created return nil } // retrieve metrics - groupedMetrics := groupMetricsByResource(m.Client.Resources.Metrics) + groupedMetrics := groupMetricsByResource(m.Client.ResourceConfigurations.Metrics) for _, metrics := range groupedMetrics { results := m.Client.GetMetricValues(metrics, report) - err := EventsMapping(results, m.BaseMetricSet.Name(), report) + err := EventsMapping(results, m.Client, report) if err != nil { return errors.Wrap(err, "error running EventsMapping") } @@ -160,19 +122,3 @@ func hasConfigOptions(config []string) bool { } return true } - -func (conf *Config) Validate() error { - if conf.SubscriptionId == "" { - return errors.New("no subscription ID has been configured") - } - if conf.ClientSecret == "" { - return errors.New("no client secret has been configured") - } - if conf.ClientId == "" { - return errors.New("no client ID has been configured") - } - if conf.TenantId == "" { - return errors.New("no tenant ID has been configured") - } - return nil -} diff --git a/x-pack/metricbeat/module/azure/client.go b/x-pack/metricbeat/module/azure/client.go index 57da9c3b23d..e488fab98b6 100644 --- a/x-pack/metricbeat/module/azure/client.go +++ b/x-pack/metricbeat/module/azure/client.go @@ -20,10 +20,11 @@ import ( // Client represents the azure client which will make use of the azure sdk go metrics related clients type Client struct { - AzureMonitorService Service - Config Config - Resources ResourceConfiguration - Log *logp.Logger + AzureMonitorService Service + Config Config + ResourceConfigurations ResourceConfiguration + Log *logp.Logger + Resources []Resource } // mapResourceMetrics function type will map the configuration options to client metrics (depending on the metricset) @@ -40,21 +41,23 @@ func NewClient(config Config) (*Client, error) { Config: config, Log: logp.NewLogger("azure monitor client"), } - client.Resources.RefreshInterval = config.RefreshListInterval + client.ResourceConfigurations.RefreshInterval = config.RefreshListInterval return client, nil } // InitResources function will retrieve and validate the resources configured by the users and then map the information configured to client metrics. // the mapMetric function sent in this case will handle the mapping part as different metric and aggregation options work for different metricsets -func (client *Client) InitResources(fn mapResourceMetrics, report mb.ReporterV2) error { +func (client *Client) InitResources(fn mapResourceMetrics) error { if len(client.Config.Resources) == 0 { return errors.New("no resource options defined") } // check if refresh interval has been set and if it has expired - if !client.Resources.Expired() { + if !client.ResourceConfigurations.Expired() { return nil } var metrics []Metric + //reset client resources + client.Resources = []Resource{} for _, resource := range client.Config.Resources { // retrieve azure resources information resourceList, err := client.AzureMonitorService.GetResourceDefinitions(resource.Id, resource.Group, resource.Type, resource.Query) @@ -68,6 +71,19 @@ func (client *Client) InitResources(fn mapResourceMetrics, report mb.ReporterV2) client.Log.Error(err) continue } + //map resources to the client + for _, resource := range resourceList.Values() { + if !containsResource(*resource.ID, client.Resources) { + client.Resources = append(client.Resources, Resource{ + Id: *resource.ID, + Name: *resource.Name, + Location: *resource.Location, + Type: *resource.Type, + Group: getResourceGroupFromId(*resource.ID), + Tags: mapTags(resource.Tags), + Subscription: client.Config.SubscriptionId}) + } + } resourceMetrics, err := fn(client, resourceList.Values(), resource) if err != nil { return err @@ -79,7 +95,7 @@ func (client *Client) InitResources(fn mapResourceMetrics, report mb.ReporterV2) if len(metrics) == 0 { client.Log.Debug("no resources were found based on all the configurations options entered") } - client.Resources.Metrics = metrics + client.ResourceConfigurations.Metrics = metrics return nil } @@ -107,21 +123,21 @@ func (client *Client) GetMetricValues(metrics []Metric, report mb.ReporterV2) [] } filter = strings.Join(filterList, " AND ") } - resp, timegrain, err := client.AzureMonitorService.GetMetricValues(metric.Resource.SubId, metric.Namespace, metric.TimeGrain, timespan, metric.Names, + resp, timegrain, err := client.AzureMonitorService.GetMetricValues(metric.ResourceSubId, metric.Namespace, metric.TimeGrain, timespan, metric.Names, metric.Aggregations, filter) if err != nil { - err = errors.Wrapf(err, "error while listing metric values by resource ID %s and namespace %s", metric.Resource.SubId, metric.Namespace) + err = errors.Wrapf(err, "error while listing metric values by resource ID %s and namespace %s", metric.ResourceSubId, metric.Namespace) client.Log.Error(err) report.Error(err) } else { - for i, currentMetric := range client.Resources.Metrics { + for i, currentMetric := range client.ResourceConfigurations.Metrics { if matchMetrics(currentMetric, metric) { current := mapMetricValues(resp, currentMetric.Values, endTime.Truncate(time.Minute).Add(interval*(-1)), endTime.Truncate(time.Minute)) - client.Resources.Metrics[i].Values = current - if client.Resources.Metrics[i].TimeGrain == "" { - client.Resources.Metrics[i].TimeGrain = timegrain + client.ResourceConfigurations.Metrics[i].Values = current + if client.ResourceConfigurations.Metrics[i].TimeGrain == "" { + client.ResourceConfigurations.Metrics[i].TimeGrain = timegrain } - resultedMetrics = append(resultedMetrics, client.Resources.Metrics[i]) + resultedMetrics = append(resultedMetrics, client.ResourceConfigurations.Metrics[i]) } } } @@ -130,26 +146,20 @@ func (client *Client) GetMetricValues(metrics []Metric, report mb.ReporterV2) [] } // CreateMetric function will create a client metric based on the resource and metrics configured -func (client *Client) CreateMetric(selectedResourceID string, resource resources.GenericResource, resourceSize string, namespace string, metrics []string, aggregations string, dimensions []Dimension, timegrain string) Metric { +func (client *Client) CreateMetric(resourceId string, subResourceId string, namespace string, metrics []string, aggregations string, dimensions []Dimension, timegrain string) Metric { + if subResourceId == "" { + subResourceId = resourceId + } met := Metric{ - Resource: Resource{ - SubId: selectedResourceID, - Id: *resource.ID, - Name: *resource.Name, - Location: *resource.Location, - Type: *resource.Type, - Group: getResourceGroupFromId(*resource.ID), - Tags: mapTags(resource.Tags), - Subscription: client.Config.SubscriptionId, - Size: resourceSize, - }, - Namespace: namespace, - Names: metrics, - Dimensions: dimensions, - Aggregations: aggregations, - TimeGrain: timegrain, - } - for _, prevMet := range client.Resources.Metrics { + ResourceId: resourceId, + ResourceSubId: subResourceId, + Namespace: namespace, + Names: metrics, + Dimensions: dimensions, + Aggregations: aggregations, + TimeGrain: timegrain, + } + for _, prevMet := range client.ResourceConfigurations.Metrics { if len(prevMet.Values) != 0 && matchMetrics(prevMet, met) { met.Values = prevMet.Values } @@ -158,7 +168,7 @@ func (client *Client) CreateMetric(selectedResourceID string, resource resources } // MapMetricByPrimaryAggregation will map the primary aggregation of the metric definition to the client metric -func (client *Client) MapMetricByPrimaryAggregation(metrics []insights.MetricDefinition, resource resources.GenericResource, selectedResourceID string, resourceSize string, namespace string, dim []Dimension, timegrain string) []Metric { +func (client *Client) MapMetricByPrimaryAggregation(metrics []insights.MetricDefinition, resourceId string, subResourceId string, namespace string, dim []Dimension, timegrain string) []Metric { var clientMetrics []Metric metricGroups := make(map[string][]insights.MetricDefinition) @@ -170,10 +180,84 @@ func (client *Client) MapMetricByPrimaryAggregation(metrics []insights.MetricDef for _, metricName := range metricGroup { metricNames = append(metricNames, *metricName.Name.Value) } - if selectedResourceID == "" { - selectedResourceID = *resource.ID - } - clientMetrics = append(clientMetrics, client.CreateMetric(selectedResourceID, resource, resourceSize, namespace, metricNames, key, dim, timegrain)) + clientMetrics = append(clientMetrics, client.CreateMetric(resourceId, subResourceId, namespace, metricNames, key, dim, timegrain)) } return clientMetrics } + +// GetVMForMetaData func will retrieve the vm details in order to fill in the cloud metadata and also update the client resources +func (client *Client) GetVMForMetaData(resource *Resource, metricValues []MetricValue) VmResource { + var vm VmResource + resourceName := resource.Name + resourceId := resource.Id + // check first if this is a vm scaleset and the instance name is stored in the dimension value + if dimension, ok := getDimension("VMName", metricValues[0].dimensions); ok { + instanceId := getInstanceId(dimension.Value) + if instanceId != "" { + resourceId += fmt.Sprintf("/virtualMachines/%s", instanceId) + resourceName = dimension.Value + } + } + // if vm has been already added to the resource then it should be returned + if existingVM, ok := getVM(resourceName, resource.Vms); ok { + return existingVM + } + // an additional call is necessary in order to retrieve the vm specific details + expandedResource, err := client.AzureMonitorService.GetResourceDefinitionById(resourceId) + if err != nil { + client.Log.Error(err, "could not retrieve the resource details by resource ID %s", resourceId) + return VmResource{} + } + vm.Name = *expandedResource.Name + if expandedResource.Properties != nil { + if properties, ok := expandedResource.Properties.(map[string]interface{}); ok { + if hardware, ok := properties["hardwareProfile"]; ok { + if vmSz, ok := hardware.(map[string]interface{})["vmSize"]; ok { + vm.Size = vmSz.(string) + } + if vmID, ok := properties["vmId"]; ok { + vm.Id = vmID.(string) + } + } + } + } + if len(vm.Size) == 0 && expandedResource.Sku != nil && expandedResource.Sku.Name != nil { + vm.Size = *expandedResource.Sku.Name + } + // the client resource and selected resources are being updated in order to avoid additional calls + client.AddVmToResource(resource.Id, vm) + resource.Vms = append(resource.Vms, vm) + return vm +} + +// GetResourceForMetaData will retrieve resource details for the selected metric configuration +func (client *Client) GetResourceForMetaData(grouped Metric) Resource { + for _, res := range client.Resources { + if res.Id == grouped.ResourceId { + return res + } + } + return Resource{} +} + +// AddVmToResource will add the vm details to the resource +func (client *Client) AddVmToResource(resourceId string, vm VmResource) { + if len(vm.Id) > 0 && len(vm.Name) > 0 { + for i, res := range client.Resources { + if res.Id == resourceId { + client.Resources[i].Vms = append(client.Resources[i].Vms, vm) + } + } + } +} + +// NewMockClient instantiates a new client with the mock azure service +func NewMockClient() *Client { + azureMockService := new(MockService) + client := &Client{ + AzureMonitorService: azureMockService, + Config: Config{}, + Log: logp.NewLogger("test azure monitor"), + } + return client +} diff --git a/x-pack/metricbeat/module/azure/client_test.go b/x-pack/metricbeat/module/azure/client_test.go index 970a3d6e794..47b88f99cce 100644 --- a/x-pack/metricbeat/module/azure/client_test.go +++ b/x-pack/metricbeat/module/azure/client_test.go @@ -43,8 +43,7 @@ func mockMapResourceMetrics(client *Client, resources []resources.GenericResourc func TestInitResources(t *testing.T) { t.Run("return error when no resource options were configured", func(t *testing.T) { client := NewMockClient() - mr := MockReporterV2{} - err := client.InitResources(mockMapResourceMetrics, &mr) + err := client.InitResources(mockMapResourceMetrics) assert.Error(t, err, "no resource options were configured") }) t.Run("return error no resources were found", func(t *testing.T) { @@ -55,9 +54,9 @@ func TestInitResources(t *testing.T) { client.AzureMonitorService = m mr := MockReporterV2{} mr.On("Error", mock.Anything).Return(true) - err := client.InitResources(mockMapResourceMetrics, &mr) + err := client.InitResources(mockMapResourceMetrics) assert.Error(t, err, "no resources were found based on all the configurations options entered") - assert.Equal(t, len(client.Resources.Metrics), 0) + assert.Equal(t, len(client.ResourceConfigurations.Metrics), 0) m.AssertExpectations(t) }) } @@ -67,7 +66,7 @@ func TestGetMetricValues(t *testing.T) { client.Config = resourceIDConfig t.Run("return no error when no metric values are returned but log and send event", func(t *testing.T) { - client.Resources = ResourceConfiguration{ + client.ResourceConfigurations = ResourceConfiguration{ Metrics: []Metric{ { Namespace: "namespace", @@ -83,13 +82,13 @@ func TestGetMetricValues(t *testing.T) { client.AzureMonitorService = m mr := MockReporterV2{} mr.On("Error", mock.Anything).Return(true) - metrics := client.GetMetricValues(client.Resources.Metrics, &mr) + metrics := client.GetMetricValues(client.ResourceConfigurations.Metrics, &mr) assert.Equal(t, len(metrics), 0) - assert.Equal(t, len(client.Resources.Metrics[0].Values), 0) + assert.Equal(t, len(client.ResourceConfigurations.Metrics[0].Values), 0) m.AssertExpectations(t) }) t.Run("return metric values", func(t *testing.T) { - client.Resources = ResourceConfiguration{ + client.ResourceConfigurations = ResourceConfiguration{ Metrics: []Metric{ { Namespace: "namespace", @@ -105,9 +104,9 @@ func TestGetMetricValues(t *testing.T) { client.AzureMonitorService = m mr := MockReporterV2{} mr.On("Error", mock.Anything).Return(true) - metricValues := client.GetMetricValues(client.Resources.Metrics, &mr) + metricValues := client.GetMetricValues(client.ResourceConfigurations.Metrics, &mr) assert.Equal(t, len(metricValues), 0) - assert.Equal(t, len(client.Resources.Metrics[0].Values), 0) + assert.Equal(t, len(client.ResourceConfigurations.Metrics[0].Values), 0) m.AssertExpectations(t) }) } diff --git a/x-pack/metricbeat/module/azure/client_utils.go b/x-pack/metricbeat/module/azure/client_utils.go index ebf2f7fc812..abfccfa75ec 100644 --- a/x-pack/metricbeat/module/azure/client_utils.go +++ b/x-pack/metricbeat/module/azure/client_utils.go @@ -5,8 +5,8 @@ package azure import ( - "fmt" "reflect" + "regexp" "strings" "time" @@ -16,6 +16,8 @@ import ( // DefaultTimeGrain is set as default timegrain for the azure metrics const DefaultTimeGrain = "PT5M" +var instanceIdRegex = regexp.MustCompile(`.*?(\d+)$`) + // mapMetricValues should map the metric values func mapMetricValues(metrics []insights.Metric, previousMetrics []MetricValue, startTime time.Time, endTime time.Time) []MetricValue { var currentMetrics []MetricValue @@ -87,7 +89,7 @@ func metricIsEmpty(metric insights.MetricValue) bool { // matchMetrics will compare current metrics func matchMetrics(prevMet Metric, met Metric) bool { - if prevMet.Namespace == met.Namespace && reflect.DeepEqual(prevMet.Names, met.Names) && prevMet.Resource.Id == met.Resource.Id && + if prevMet.Namespace == met.Namespace && reflect.DeepEqual(prevMet.Names, met.Names) && prevMet.ResourceId == met.ResourceId && prevMet.Aggregations == met.Aggregations && prevMet.TimeGrain == met.TimeGrain { return true } @@ -105,27 +107,6 @@ func getResourceGroupFromId(path string) string { return "" } -// getResourceTypeFromId maps resource group from resource ID -func getResourceTypeFromId(path string) string { - params := strings.Split(path, "/") - for i, param := range params { - if param == "providers" { - return fmt.Sprintf("%s/%s", params[i+1], params[i+2]) - } - } - return "" -} - -// getResourceNameFormId maps resource group from resource ID -func getResourceNameFromId(path string) string { - params := strings.Split(path, "/") - if strings.HasSuffix(path, "/") { - return params[len(params)-2] - } - return params[len(params)-1] - -} - // mapTags maps resource tags func mapTags(azureTags map[string]*string) map[string]string { if len(azureTags) == 0 { @@ -181,20 +162,49 @@ func convertTimegrainToDuration(timegrain string) time.Duration { func groupMetricsByResource(metrics []Metric) map[string][]Metric { grouped := make(map[string][]Metric) for _, metric := range metrics { - if _, ok := grouped[metric.Resource.Id]; !ok { - grouped[metric.Resource.Id] = make([]Metric, 0) + if _, ok := grouped[metric.ResourceId]; !ok { + grouped[metric.ResourceId] = make([]Metric, 0) } - grouped[metric.Resource.Id] = append(grouped[metric.Resource.Id], metric) + grouped[metric.ResourceId] = append(grouped[metric.ResourceId], metric) } return grouped } -// ContainsDimension will check if the dimension value is found in the list -func ContainsDimension(dimension string, dimensions []insights.LocalizableString) bool { +// getDimension will check if the dimension value is found in the list +func getDimension(dimension string, dimensions []Dimension) (Dimension, bool) { for _, dim := range dimensions { - if *dim.Value == dimension { + if strings.ToLower(dim.Name) == strings.ToLower(dimension) { + return dim, true + } + } + return Dimension{}, false +} + +func containsResource(resourceId string, resources []Resource) bool { + for _, res := range resources { + if res.Id == resourceId { return true } } return false } + +func getInstanceId(dimensionValue string) string { + matches := instanceIdRegex.FindStringSubmatch(dimensionValue) + if len(matches) == 2 { + return matches[1] + } + return "" +} + +func getVM(vmName string, vms []VmResource) (VmResource, bool) { + if len(vms) == 0 { + return VmResource{}, false + } + for _, vm := range vms { + if vm.Name == vmName { + return vm, true + } + } + return VmResource{}, false +} diff --git a/x-pack/metricbeat/module/azure/client_utils_test.go b/x-pack/metricbeat/module/azure/client_utils_test.go index 323175c468e..37528540f70 100644 --- a/x-pack/metricbeat/module/azure/client_utils_test.go +++ b/x-pack/metricbeat/module/azure/client_utils_test.go @@ -60,7 +60,7 @@ func TestMetricExists(t *testing.T) { func TestMatchMetrics(t *testing.T) { prev := Metric{ - Resource: Resource{Name: "vm", Group: "group", Id: "id"}, + ResourceId: "id", Namespace: "namespace", Names: []string{"TotalRequests,Capacity"}, Aggregations: "Average,Total", @@ -69,7 +69,7 @@ func TestMatchMetrics(t *testing.T) { TimeGrain: "1PM", } current := Metric{ - Resource: Resource{Name: "vm", Group: "group", Id: "id"}, + ResourceId: "id", Namespace: "namespace", Names: []string{"TotalRequests,Capacity"}, Aggregations: "Average,Total", @@ -79,7 +79,7 @@ func TestMatchMetrics(t *testing.T) { } result := matchMetrics(prev, current) assert.True(t, result) - current.Resource.Id = "id1" + current.ResourceId = "id1" result = matchMetrics(prev, current) assert.False(t, result) } @@ -111,18 +111,6 @@ func TestGetResourceGroupFromID(t *testing.T) { assert.Equal(t, group, "obs-infrastructure") } -func TestGetResourceTypeFromID(t *testing.T) { - path := "subscriptions/qw3e45r6t-23ws-1234-6587-1234ed4532/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachines/obstestmemleak" - rType := getResourceTypeFromId(path) - assert.Equal(t, rType, "Microsoft.Compute/virtualMachines") -} - -func TestGetResourceNameFromID(t *testing.T) { - path := "subscriptions/qw3e45r6t-23ws-1234-6587-1234ed4532/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachines/obstestmemleak" - name := getResourceNameFromId(path) - assert.Equal(t, name, "obstestmemleak") -} - func TestExpired(t *testing.T) { resConfig := ResourceConfiguration{} result := resConfig.Expired() @@ -143,28 +131,94 @@ func TestCompareMetricValues(t *testing.T) { assert.True(t, result) } -func TestContainsDimension(t *testing.T) { +func TestGetDimension(t *testing.T) { dimension := "VMName" dim1 := "SlotID" dim2 := "VNU" dim3 := "VMName" - dimensionList := []insights.LocalizableString{ + dimensionList := []Dimension{ { - Value: &dim1, - LocalizedValue: &dim1, + Name: dim1, + Value: dim1, }, { - Value: &dim2, - LocalizedValue: &dim2, + Name: dim2, + Value: dim2, }, { - Value: &dim3, - LocalizedValue: &dim3, + Name: dim3, + Value: dim3, }, } - result := ContainsDimension(dimension, dimensionList) - assert.True(t, result) + result, ok := getDimension(dimension, dimensionList) + assert.True(t, ok) + assert.Equal(t, result.Name, dim3) + assert.Equal(t, result.Value, dim3) dimension = "VirtualMachine" - result = ContainsDimension(dimension, dimensionList) - assert.False(t, result) + result, ok = getDimension(dimension, dimensionList) + assert.False(t, ok) + assert.Equal(t, result.Name, "") + assert.Equal(t, result.Value, "") +} + +func TestContainsResource(t *testing.T) { + resourceId := "resId" + resourceList := []Resource{ + { + Name: "resource name", + Id: "resId", + }, + { + Name: "resource name1", + Id: "resId1", + }, + { + Name: "resource name2", + Id: "resId2", + }, + } + ok := containsResource(resourceId, resourceList) + assert.True(t, ok) + resourceId = "ressId" + ok = containsResource(resourceId, resourceList) + assert.False(t, ok) +} + +func TestGetVM(t *testing.T) { + vmName := "resource name1" + vmResourceList := []VmResource{ + { + Name: "resource name", + Id: "resId", + }, + { + Name: "resource name1", + Id: "resId1", + }, + { + Name: "resource name2", + Id: "resId2", + }, + } + vm, ok := getVM(vmName, vmResourceList) + assert.True(t, ok) + assert.Equal(t, vm.Name, vmName) + assert.Equal(t, vm.Id, "resId1") + vmName = "resource name3" + vm, ok = getVM(vmName, vmResourceList) + assert.False(t, ok) + assert.Equal(t, vm.Name, "") + assert.Equal(t, vm.Id, "") +} + +func TestGetInstanceId(t *testing.T) { + dimensionValue := "sfjsfjghhbsjsjskjkf" + result := getInstanceId(dimensionValue) + assert.Empty(t, result) + dimensionValue = "fjsfhfhsjhjsfs_34" + result = getInstanceId(dimensionValue) + assert.Equal(t, result, "34") + dimensionValue = "fjsfhfhsjhjsfs_34sjsjfhsfsjjsjf_242" + result = getInstanceId(dimensionValue) + assert.Equal(t, result, "242") } diff --git a/x-pack/metricbeat/module/azure/compute_vm/_meta/data.json b/x-pack/metricbeat/module/azure/compute_vm/_meta/data.json index 5858cf0407e..1da5cfb63ab 100644 --- a/x-pack/metricbeat/module/azure/compute_vm/_meta/data.json +++ b/x-pack/metricbeat/module/azure/compute_vm/_meta/data.json @@ -2,554 +2,90 @@ "@timestamp": "2017-10-12T08:05:34.853Z", "azure": { "compute_vm": { - "asp_net_application_restarts": { - "avg": 0 - }, - "asp_net_applications_anonymous_requests": { - "avg": 0 - }, - "asp_net_applications_anonymous_requests_per_sec": { - "avg": 0 - }, - "asp_net_applications_cache_api_entries": { - "avg": 0 - }, - "asp_net_applications_cache_api_hit_ratio": { - "avg": 0 - }, - "asp_net_applications_cache_api_hits": { - "avg": 0 - }, - "asp_net_applications_cache_api_misses": { - "avg": 0 - }, - "asp_net_applications_cache_api_turnover_rate": { - "avg": 0 - }, - "asp_net_applications_cache_total_entries": { - "avg": 0 - }, - "asp_net_applications_cache_total_hit_ratio": { - "avg": 0 - }, - "asp_net_applications_cache_total_hits": { - "avg": 0 - }, - "asp_net_applications_cache_total_misses": { - "avg": 0 - }, - "asp_net_applications_cache_total_turnover_rate": { - "avg": 0 - }, - "asp_net_applications_compilations_total": { - "avg": 0 - }, - "asp_net_applications_debugging_requests": { - "avg": 0 - }, - "asp_net_applications_errors_during_compilation": { - "avg": 0 - }, - "asp_net_applications_errors_during_execution": { - "avg": 0 - }, - "asp_net_applications_errors_during_preprocessing": { - "avg": 0 - }, - "asp_net_applications_errors_total": { - "avg": 0 - }, - "asp_net_applications_errors_total_per_sec": { - "avg": 0 - }, - "asp_net_applications_errors_unhandled_during_execution": { - "avg": 0 - }, - "asp_net_applications_errors_unhandled_during_execution_per_sec": { - "avg": 0 - }, - "asp_net_applications_output_cache_entries": { - "avg": 0 - }, - "asp_net_applications_output_cache_hit_ratio": { - "avg": 0 - }, - "asp_net_applications_output_cache_hits": { - "avg": 0 - }, - "asp_net_applications_output_cache_misses": { - "avg": 0 - }, - "asp_net_applications_output_cache_turnover_rate": { - "avg": 0 - }, - "asp_net_applications_pipeline_instance_count": { - "avg": 0 - }, - "asp_net_applications_request_bytes_in_total": { - "avg": 0 - }, - "asp_net_applications_request_bytes_out_total": { - "avg": 0 - }, - "asp_net_applications_requests_executing": { - "avg": 0 - }, - "asp_net_applications_requests_failed": { - "avg": 0 - }, - "asp_net_applications_requests_in_application_queue": { - "avg": 0 - }, - "asp_net_applications_requests_not_authorized": { - "avg": 0 - }, - "asp_net_applications_requests_not_found": { - "avg": 0 - }, - "asp_net_applications_requests_per_sec": { - "avg": 0 - }, - "asp_net_applications_requests_succeeded": { - "avg": 0 + "disk_read_operations_per_sec": { + "avg": 3.3875 }, - "asp_net_applications_requests_timed_out": { - "avg": 0 + "disk_write_operations_per_sec": { + "avg": 0.6705 }, - "asp_net_applications_requests_total": { - "avg": 0 + "inbound_flows": { + "avg": 28.4 }, - "asp_net_applications_running": { - "avg": 0 + "inbound_flows_maximum_creation_rate": { + "avg": 10.4 }, - "asp_net_applications_sessions_abandoned": { - "avg": 0 + "os_disk_queue_depth": { + "avg": 0.00125 }, - "asp_net_applications_sessions_active": { - "avg": 0 + "os_disk_read_bytes_per_sec": { + "avg": 602589.1825 }, - "asp_net_applications_sessions_timed_out": { - "avg": 0 + "os_disk_read_operations_per_sec": { + "avg": 5.28375 }, - "asp_net_applications_sessions_total": { - "avg": 0 + "os_disk_write_bytes_per_sec": { + "avg": 14137.59375 }, - "asp_net_applications_transactions_aborted": { - "avg": 0 + "os_disk_write_operations_per_sec": { + "avg": 1.46875 }, - "asp_net_applications_transactions_committed": { - "avg": 0 + "os_per_disk_qd": { + "avg": 0.00125 }, - "asp_net_applications_transactions_pending": { - "avg": 0 + "os_per_disk_read_bytes_per_sec": { + "avg": 602589.1825 }, - "asp_net_applications_transactions_per_sec": { - "avg": 0 + "os_per_disk_read_operations_per_sec": { + "avg": 5.28375 }, - "asp_net_applications_transactions_total": { - "avg": 0 + "os_per_disk_write_bytes_per_sec": { + "avg": 14137.59375 }, - "asp_net_apps_v4_0_30319_anonymous_requests": { - "avg": 0 + "os_per_disk_write_operations_per_sec": { + "avg": 1.46875 }, - "asp_net_apps_v4_0_30319_anonymous_requests_per_sec": { - "avg": 0 + "outbound_flows": { + "avg": 28.4 }, - "asp_net_apps_v4_0_30319_cache_api_entries": { - "avg": 0 + "outbound_flows_maximum_creation_rate": { + "avg": 10.4 }, - "asp_net_apps_v4_0_30319_cache_api_hit_ratio": { - "avg": 0 + "per_disk_qd": { + "avg": 0.0025 }, - "asp_net_apps_v4_0_30319_cache_api_hits": { - "avg": 0 + "per_disk_read_bytes_per_sec": { + "avg": 51985.035 }, - "asp_net_apps_v4_0_30319_cache_api_misses": { - "avg": 0 + "per_disk_read_operations_per_sec": { + "avg": 2.92875 }, - "asp_net_apps_v4_0_30319_cache_api_turnover_rate": { + "per_disk_write_bytes_per_sec": { "avg": 0 }, - "asp_net_apps_v4_0_30319_cache_total_entries": { + "per_disk_write_operations_per_sec": { "avg": 0 }, - "asp_net_apps_v4_0_30319_cache_total_hit_ratio": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_cache_total_hits": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_cache_total_misses": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_cache_total_turnover_rate": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_compilations_total": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_debugging_requests": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_errors_during_compilation": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_errors_during_execution": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_errors_during_preprocessing": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_errors_total": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_errors_total_per_sec": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_errors_unhandled_during_execution": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_errors_unhandled_during_execution_per_sec": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_output_cache_entries": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_output_cache_hit_ratio": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_output_cache_hits": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_output_cache_misses": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_output_cache_turnover_rate": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_pipeline_instance_count": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_request_bytes_in_total": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_request_bytes_out_total": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_executing": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_failed": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_in_application_queue": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_not_authorized": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_not_found": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_per_sec": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_succeeded": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_timed_out": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_requests_total": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_sessions_abandoned": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_sessions_active": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_sessions_timed_out": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_sessions_total": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_transactions_aborted": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_transactions_committed": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_transactions_pending": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_transactions_per_sec": { - "avg": 0 - }, - "asp_net_apps_v4_0_30319_transactions_total": { - "avg": 0 - }, - "asp_net_request_execution_time": { - "avg": 0 - }, - "asp_net_request_wait_time": { - "avg": 0 - }, - "asp_net_requests_current": { - "avg": 0 - }, - "asp_net_requests_disconnected": { - "avg": 0 - }, - "asp_net_requests_queued": { - "avg": 0 - }, - "asp_net_requests_rejected": { - "avg": 0 - }, - "asp_net_v4_0_30319_application_restarts": { - "avg": 0 - }, - "asp_net_v4_0_30319_applications_running": { - "avg": 0 - }, - "asp_net_v4_0_30319_request_execution_time": { - "avg": 0 - }, - "asp_net_v4_0_30319_request_wait_time": { - "avg": 0 - }, - "asp_net_v4_0_30319_requests_current": { - "avg": 0 - }, - "asp_net_v4_0_30319_requests_disconnected": { - "avg": 0 - }, - "asp_net_v4_0_30319_requests_queued": { - "avg": 0 - }, - "asp_net_v4_0_30319_requests_rejected": { - "avg": 0 - }, - "asp_net_v4_0_30319_worker_process_restarts": { - "avg": 0 - }, - "asp_net_v4_0_30319_worker_processes_running": { - "avg": 0 - }, - "asp_net_worker_process_restarts": { - "avg": 0 - }, - "asp_net_worker_processes_running": { - "avg": 0 - }, - "logical_disk_avg_disk_queue_length": { - "avg": 0 - }, - "logical_disk_avg_disk_read_queue_length": { - "avg": 0 - }, - "logical_disk_avg_disk_sec_per_read": { - "avg": 0 - }, - "logical_disk_avg_disk_sec_per_transfer": { - "avg": 0 - }, - "logical_disk_avg_disk_sec_per_write": { - "avg": 0 - }, - "logical_disk_avg_disk_write_queue_length": { - "avg": 0 - }, - "logical_disk_disk_bytes_per_sec": { - "avg": 449380 - }, - "logical_disk_disk_read_bytes_per_sec": { - "avg": 4783 - }, - "logical_disk_disk_reads_per_sec": { - "avg": 0 - }, - "logical_disk_disk_transfers_per_sec": { - "avg": 6.6 - }, - "logical_disk_disk_write_bytes_per_sec": { - "avg": 444596.8 - }, - "logical_disk_disk_writes_per_sec": { - "avg": 6.4 - }, - "logical_disk_free_megabytes": { - "avg": 10433 - }, - "logical_disk_pct_disk_read_time": { - "avg": 0 - }, - "logical_disk_pct_disk_time": { - "avg": 1.6 - }, - "logical_disk_pct_disk_write_time": { - "avg": 1.6 - }, - "logical_disk_pct_free_space": { - "avg": 22 - }, - "logical_disk_pct_idle_time": { - "avg": 98.6 - }, - "memory_available_bytes": { - "avg": 2951829094.4 - }, - "memory_cache_bytes": { - "avg": 60126003.2 - }, - "memory_committed_bytes": { - "avg": 8922399539.2 - }, - "memory_page_faults_per_sec": { - "avg": 1484.2 - }, - "memory_pages_per_sec": { - "avg": 6 - }, - "memory_pct_committed_bytes_in_use": { - "avg": 82.4 - }, - "memory_pool_nonpaged_bytes": { - "avg": 204028313.6 - }, - "memory_pool_paged_bytes": { - "avg": 359613235.2 - }, - "network_interface_bytes_received_per_sec": { - "avg": 7922.333333333333 - }, - "network_interface_bytes_sent_per_sec": { - "avg": 60510.666666666664 - }, - "network_interface_bytes_total_per_sec": { - "avg": 68433.26666666666 - }, - "network_interface_packets_outbound_errors": { - "avg": 0 - }, - "network_interface_packets_per_sec": { - "avg": 43.4 - }, - "network_interface_packets_received_errors": { - "avg": 0 - }, - "network_interface_packets_received_per_sec": { - "avg": 27.533333333333335 - }, - "network_interface_packets_sent_per_sec": { - "avg": 15.733333333333333 - }, - "process_handle_count": { - "avg": 119553 - }, - "process_thread_count": { - "avg": 1705.8 - }, - "process_working_set": { - "avg": 5566961254.4 - }, - "process_working_set_private": { - "avg": 4168472985.6 - }, - "processor_information_pct_privileged_time": { - "avg": 2.6 - }, - "processor_information_pct_processor_time": { - "avg": 6.4 - }, - "processor_information_pct_user_time": { - "avg": 3.4 - }, - "processor_information_processor_frequency": { - "avg": 2295 - }, - "sqlserver_buffer_manager_buffer_cache_hit_ratio": { - "avg": 100 - }, - "sqlserver_buffer_manager_checkpoint_pages_per_sec": { - "avg": 0 - }, - "sqlserver_buffer_manager_database_pages": { - "avg": 1483 - }, - "sqlserver_buffer_manager_lazy_writes_per_sec": { - "avg": 0 - }, - "sqlserver_buffer_manager_page_reads_per_sec": { - "avg": 0 - }, - "sqlserver_buffer_manager_page_writes_per_sec": { - "avg": 0 - }, - "sqlserver_general_statistics_user_connections": { - "avg": 1 - }, - "sqlserver_memory_manager_memory_grants_pending": { - "avg": 0 - }, - "sqlserver_memory_manager_total_server_memory": { - "avg": 317976 - }, - "sqlserver_sql_statistics_batch_requests_per_sec": { - "avg": 0 - }, - "sqlserver_sql_statistics_sql_compilations_per_sec": { - "avg": 0 - }, - "sqlserver_sql_statistics_sql_re-compilations_per_sec": { - "avg": 0 - }, - "system_context_switches_per_sec": { - "avg": 7782.6 - }, - "system_processes": { - "avg": 114 - }, - "system_processor_queue_length": { - "avg": 0.2 - }, - "system_system_up_time": { - "avg": 12530764 - }, - "web_service_bytes_total_per_sec": { - "avg": 0 - }, - "web_service_current_connections": { - "avg": 0 - }, - "web_service_isapi_extension_requests_per_sec": { - "avg": 0 - }, - "web_service_total_method_requests_per_sec": { - "avg": 0 + "percentage_cpu": { + "avg": 9.747 } }, - "namespace": "Azure.VM.Windows.GuestMetrics", + "namespace": "Microsoft.Compute/virtualMachines", "resource": { "group": "obs-infrastructure", - "tags": { - "vmtest": "value1, value 2", - "vmtest1": "value3" - }, + "id": "/subscriptions/70bd6e64-4b1e-4835-8896-db77b8eef364/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachines/obslinux", + "name": "obslinux", "type": "Microsoft.Compute/virtualMachines" }, - "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6", + "subscription_id": "70bd6e64-4b1e-4835-8896-db77b8eef364", "timegrain": "PT5M" }, "cloud": { "instance": { - "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachines/obstestmemleak", - "name": "obstestmemleak" + "id": "d5d9444a-1964-4d23-9c62-5463ecb16fe0", + "name": "obslinux" }, "machine": { - "type": "Standard_B2ms" + "type": "Basic_A0" }, "provider": "azure", "region": "westeurope" @@ -559,6 +95,13 @@ "duration": 115000, "module": "azure" }, + "host": { + "cpu": { + "pct": 0.09747 + }, + "id": "d5d9444a-1964-4d23-9c62-5463ecb16fe0", + "name": "obslinux" + }, "metricset": { "name": "compute_vm", "period": 10000 diff --git a/x-pack/metricbeat/module/azure/compute_vm/_meta/docs.asciidoc b/x-pack/metricbeat/module/azure/compute_vm/_meta/docs.asciidoc index e704e9ec664..2322de020c5 100644 --- a/x-pack/metricbeat/module/azure/compute_vm/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/azure/compute_vm/_meta/docs.asciidoc @@ -8,7 +8,7 @@ include::../../_meta/shared-azure.asciidoc[] ==== Config options to identify resources `resource_id`:: (_[]string_) The fully qualified ID's of the resource, including the resource name and resource type. Has the format /subscriptions/{guid}/resourceGroups/{resource-group-name}/providers/{resource-provider-namespace}/{resource-type}/{resource-name}. - Should return a list of resources. +Should return a list of resources. `resource_group`:: (_[]string_) This option will select all virtual machines inside the resource group. @@ -16,4 +16,8 @@ If none of the options are entered then all virtual machine inside the subscript For each metric the primary aggregation assigned will be retrieved. A default non configurable timegrain of 5 min is set so users are advised to configure an interval of 300s or a multiply of it. +To populate the VM Guest Metrics Overview dashboard, users will have to enable the Virtual Machine Guest namespace for the monitored resources. +More on sending guest OS metrics to Azure Monitor here https://docs.microsoft.com/en-us/azure/azure-monitor/platform/collect-custom-metrics-guestos-resource-manager-vm. + +image::./images/metricbeat-azure-vm-guestmetrics-overview.png[] diff --git a/x-pack/metricbeat/module/azure/compute_vm/client_helper.go b/x-pack/metricbeat/module/azure/compute_vm/client_helper.go deleted file mode 100644 index dee4755d02b..00000000000 --- a/x-pack/metricbeat/module/azure/compute_vm/client_helper.go +++ /dev/null @@ -1,71 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package compute_vm - -import ( - "github.com/Azure/azure-sdk-for-go/services/preview/monitor/mgmt/2019-06-01/insights" - "github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2019-03-01/resources" - "github.com/pkg/errors" - - "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure" -) - -// mapMetrics should validate and map the metric related configuration to relevant azure monitor api parameters -func mapMetrics(client *azure.Client, resources []resources.GenericResource, resourceConfig azure.ResourceConfig) ([]azure.Metric, error) { - var metrics []azure.Metric - if len(resourceConfig.Metrics) == 0 { - return nil, nil - } - for _, resource := range resources { - // return resource size - resourceSize := mapResourceSize(resource, client) - // return all namespaces supported for this resource - namespaces, err := client.AzureMonitorService.GetMetricNamespaces(*resource.ID) - if err != nil { - return nil, errors.Wrapf(err, "no metric namespaces were found for resource %s", *resource.ID) - } - for _, namespace := range *namespaces.Value { - // get all metric definitions supported by the namespace provided - metricDefinitions, err := client.AzureMonitorService.GetMetricDefinitions(*resource.ID, *namespace.Properties.MetricNamespaceName) - if err != nil { - return nil, errors.Wrapf(err, "no metric definitions were found for resource %s and namespace %s.", *resource.ID, *namespace.Properties.MetricNamespaceName) - } - if len(*metricDefinitions.Value) == 0 { - return nil, errors.Errorf("no metric definitions were found for resource %s and namespace %s.", *resource.ID, *namespace.Properties.MetricNamespaceName) - } - var filteredMetricDefinitions []insights.MetricDefinition - for _, metricDefinition := range *metricDefinitions.Value { - filteredMetricDefinitions = append(filteredMetricDefinitions, metricDefinition) - } - // map azure metric definitions to client metrics - metrics = append(metrics, client.MapMetricByPrimaryAggregation(filteredMetricDefinitions, resource, "", resourceSize, *namespace.Properties.MetricNamespaceName, nil, azure.DefaultTimeGrain)...) - } - } - return metrics, nil -} - -// mapResourceSize func will try to map if existing the resource size -func mapResourceSize(resource resources.GenericResource, client *azure.Client) string { - if resource.Sku != nil && resource.Sku.Name != nil { - return *resource.Sku.Name - } - if resource.Sku == nil && resource.Properties == nil { - expandedResource, err := client.AzureMonitorService.GetResourceDefinitionById(*resource.ID) - if err != nil { - client.Log.Error(err, "could not retrieve the resource details by resource ID %s", *resource.ID) - return "" - } - if expandedResource.Properties != nil { - if properties, ok := expandedResource.Properties.(map[string]interface{}); ok { - if hardware, ok := properties["hardwareProfile"]; ok { - if vmSize, ok := hardware.(map[string]interface{})["vmSize"]; ok { - return vmSize.(string) - } - } - } - } - } - return "" -} diff --git a/x-pack/metricbeat/module/azure/compute_vm/client_helper_test.go b/x-pack/metricbeat/module/azure/compute_vm/client_helper_test.go deleted file mode 100644 index 39ffbbc5091..00000000000 --- a/x-pack/metricbeat/module/azure/compute_vm/client_helper_test.go +++ /dev/null @@ -1,141 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package compute_vm - -import ( - "testing" - - "github.com/Azure/azure-sdk-for-go/services/preview/monitor/mgmt/2019-06-01/insights" - "github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2019-03-01/resources" - "github.com/pkg/errors" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/mock" - - "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure" -) - -func MockResource() resources.GenericResource { - id := "123" - name := "resourceName" - location := "resourceLocation" - rType := "resourceType" - return resources.GenericResource{ - ID: &id, - Name: &name, - Location: &location, - Type: &rType, - } -} - -func MockNamespace() insights.MetricNamespaceCollection { - name := "namespace" - property := insights.MetricNamespaceName{ - MetricNamespaceName: &name, - } - namespace := insights.MetricNamespace{ - Name: &name, - Properties: &property, - } - list := []insights.MetricNamespace{namespace} - return insights.MetricNamespaceCollection{ - Value: &list, - } -} - -func MockMetricDefinitions() *[]insights.MetricDefinition { - metric1 := "TotalRequests" - metric2 := "Capacity" - metric3 := "BytesRead" - defs := []insights.MetricDefinition{ - { - Name: &insights.LocalizableString{Value: &metric1}, - PrimaryAggregationType: insights.Average, - SupportedAggregationTypes: &[]insights.AggregationType{insights.Maximum, insights.Count, insights.Total, insights.Average}, - }, - { - Name: &insights.LocalizableString{Value: &metric2}, - PrimaryAggregationType: insights.Average, - SupportedAggregationTypes: &[]insights.AggregationType{insights.Average, insights.Count, insights.Minimum}, - }, - { - Name: &insights.LocalizableString{Value: &metric3}, - PrimaryAggregationType: insights.Minimum, - SupportedAggregationTypes: &[]insights.AggregationType{insights.Average, insights.Count, insights.Minimum}, - }, - } - return &defs -} - -func TestMapMetric(t *testing.T) { - resource := MockResource() - namespace := MockNamespace() - metricDefinitions := insights.MetricDefinitionCollection{ - Value: MockMetricDefinitions(), - } - emptyList := []insights.MetricDefinition{} - emptyMetricDefinitions := insights.MetricDefinitionCollection{ - Value: &emptyList, - } - metricConfig := azure.MetricConfig{Name: []string{"*"}} - var resourceConfig = azure.ResourceConfig{Metrics: []azure.MetricConfig{metricConfig}} - client := azure.NewMockClient() - res := resource - res.Properties = map[string]interface{}{"hardwareProfile": map[string]interface{}{"vmSize": "A1Basic"}} - t.Run("return error when the metric namespaces api call returns an error", func(t *testing.T) { - m := &azure.MockService{} - m.On("GetResourceDefinitionById", mock.Anything).Return(res, nil) - m.On("GetMetricNamespaces", mock.Anything).Return(insights.MetricNamespaceCollection{}, errors.New("invalid resource ID")) - client.AzureMonitorService = m - metric, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.NotNil(t, err) - assert.Equal(t, err.Error(), "no metric namespaces were found for resource 123: invalid resource ID") - assert.Equal(t, metric, []azure.Metric(nil)) - m.AssertExpectations(t) - }) - t.Run("return error when no metric definitions were found", func(t *testing.T) { - m := &azure.MockService{} - m.On("GetResourceDefinitionById", mock.Anything).Return(res, nil) - m.On("GetMetricNamespaces", mock.Anything).Return(namespace, nil) - m.On("GetMetricDefinitions", mock.Anything, mock.Anything).Return(emptyMetricDefinitions, nil) - client.AzureMonitorService = m - metric, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.NotNil(t, err) - assert.Equal(t, err.Error(), "no metric definitions were found for resource 123 and namespace namespace.") - assert.Equal(t, metric, []azure.Metric(nil)) - m.AssertExpectations(t) - }) - t.Run("return mapped metrics correctly", func(t *testing.T) { - m := &azure.MockService{} - m.On("GetResourceDefinitionById", mock.Anything).Return(res, nil) - m.On("GetMetricNamespaces", mock.Anything).Return(namespace, nil) - m.On("GetMetricDefinitions", mock.Anything, mock.Anything).Return(metricDefinitions, nil) - client.AzureMonitorService = m - metrics, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.Nil(t, err) - assert.Equal(t, metrics[0].Resource.Id, "123") - assert.Equal(t, metrics[0].Resource.Name, "resourceName") - assert.Equal(t, metrics[0].Resource.Type, "resourceType") - assert.Equal(t, metrics[0].Resource.Location, "resourceLocation") - assert.Equal(t, metrics[0].Namespace, "namespace") - assert.Equal(t, metrics[1].Resource.Id, "123") - assert.Equal(t, metrics[1].Resource.Name, "resourceName") - assert.Equal(t, metrics[1].Resource.Type, "resourceType") - assert.Equal(t, metrics[1].Resource.Location, "resourceLocation") - assert.Equal(t, metrics[1].Resource.Size, "A1Basic") - assert.Equal(t, metrics[1].Namespace, "namespace") - assert.Equal(t, metrics[0].Dimensions, []azure.Dimension(nil)) - assert.Equal(t, metrics[1].Dimensions, []azure.Dimension(nil)) - - //order of elements can be different when running the test - if metrics[0].Aggregations == "Average" { - assert.Equal(t, metrics[0].Names, []string{"TotalRequests", "Capacity"}) - } else { - assert.Equal(t, metrics[0].Names, []string{"BytesRead"}) - assert.Equal(t, metrics[0].Aggregations, "Minimum") - } - - m.AssertExpectations(t) - }) -} diff --git a/x-pack/metricbeat/module/azure/compute_vm/compute_vm.go b/x-pack/metricbeat/module/azure/compute_vm/compute_vm.go deleted file mode 100644 index a432ed610e7..00000000000 --- a/x-pack/metricbeat/module/azure/compute_vm/compute_vm.go +++ /dev/null @@ -1,63 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package compute_vm - -import ( - "fmt" - - "github.com/elastic/beats/v7/metricbeat/mb" - "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure" -) - -const defaultVMNamespace = "Microsoft.Compute/virtualMachines" - -// init registers the MetricSet with the central registry as soon as the program -// starts. The New function will be called later to instantiate an instance of -// the MetricSet for each host defined in the module's configuration. After the -// MetricSet has been created then Fetch will begin to be called periodically. -func init() { - mb.Registry.MustAddMetricSet("azure", "compute_vm", New) -} - -// MetricSet holds any configuration or state information. It must implement -// the mb.MetricSet interface. And this is best achieved by embedding -// mb.BaseMetricSet because it implements all of the required mb.MetricSet -// interface methods except for Fetch. -type MetricSet struct { - *azure.MetricSet -} - -// New creates a new instance of the MetricSet. New is responsible for unpacking -// any MetricSet specific configuration options if there are any. -func New(base mb.BaseMetricSet) (mb.MetricSet, error) { - ms, err := azure.NewMetricSet(base) - if err != nil { - return nil, err - } - // if no options are entered we will retrieve all the vm's from the entire subscription - if len(ms.Client.Config.Resources) == 0 { - ms.Client.Config.Resources = []azure.ResourceConfig{ - { - Query: fmt.Sprintf("resourceType eq '%s'", defaultVMNamespace), - }, - } - } - for index := range ms.Client.Config.Resources { - // if any resource groups were configured the resource type should be added - if len(ms.Client.Config.Resources[index].Group) > 0 { - ms.Client.Config.Resources[index].Type = defaultVMNamespace - } - // one metric configuration will be added containing all metrics names - ms.Client.Config.Resources[index].Metrics = []azure.MetricConfig{ - { - Name: []string{"*"}, - }, - } - } - ms.MapMetrics = mapMetrics - return &MetricSet{ - MetricSet: ms, - }, nil -} diff --git a/x-pack/metricbeat/module/azure/compute_vm/compute_vm_integration_test.go b/x-pack/metricbeat/module/azure/compute_vm/compute_vm_integration_test.go index 2da62daaeec..929e4e98a82 100644 --- a/x-pack/metricbeat/module/azure/compute_vm/compute_vm_integration_test.go +++ b/x-pack/metricbeat/module/azure/compute_vm/compute_vm_integration_test.go @@ -15,6 +15,9 @@ import ( "github.com/stretchr/testify/assert" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" + + // Register input module and metricset + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/monitor" ) func TestFetchMetricset(t *testing.T) { diff --git a/x-pack/metricbeat/module/azure/compute_vm/compute_vm_test.go b/x-pack/metricbeat/module/azure/compute_vm/compute_vm_test.go index 76bd8f005cf..5c456aab861 100644 --- a/x-pack/metricbeat/module/azure/compute_vm/compute_vm_test.go +++ b/x-pack/metricbeat/module/azure/compute_vm/compute_vm_test.go @@ -5,70 +5,13 @@ package compute_vm import ( - "fmt" - "testing" + "os" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - - "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/metricbeat/mb" ) -var ( - missingResourcesConfig = common.MapStr{ - "module": "azure", - "period": "60s", - "metricsets": []string{"compute_vm"}, - "client_secret": "unique identifier", - "client_id": "unique identifier", - "subscription_id": "unique identifier", - "tenant_id": "unique identifier", - } - - resourceConfig = common.MapStr{ - "module": "azure", - "period": "60s", - "metricsets": []string{"compute_vm"}, - "client_secret": "unique identifier", - "client_id": "unique identifier", - "subscription_id": "unique identifier", - "tenant_id": "unique identifier", - "resources": []common.MapStr{ - { - "resource_id": "test", - "metrics": []map[string]interface{}{ - { - "name": []string{"*"}, - }}, - }}, - } -) - -func TestFetch(t *testing.T) { - c, err := common.NewConfigFrom(missingResourcesConfig) - if err != nil { - t.Fatal(err) - } - module, metricsets, err := mb.NewModule(c, mb.Registry) - assert.NotNil(t, module) - assert.NotNil(t, metricsets) - assert.Nil(t, err) - ms, ok := metricsets[0].(*MetricSet) - assert.Equal(t, len(ms.Client.Config.Resources), 1) - assert.Equal(t, ms.Client.Config.Resources[0].Query, fmt.Sprintf("resourceType eq '%s'", defaultVMNamespace)) - - c, err = common.NewConfigFrom(resourceConfig) - if err != nil { - t.Fatal(err) - } - module, metricsets, err = mb.NewModule(c, mb.Registry) - if err != nil { - t.Fatal(err) - } - assert.NotNil(t, module) - assert.NotNil(t, metricsets) - ms, ok = metricsets[0].(*MetricSet) - require.True(t, ok, "metricset must be MetricSet") - assert.NotNil(t, ms) +func init() { + // To be moved to some kind of helper + os.Setenv("BEAT_STRICT_PERMS", "false") + mb.Registry.SetSecondarySource(mb.NewLightModulesSource("../../../module")) } diff --git a/x-pack/metricbeat/module/azure/compute_vm/manifest.yml b/x-pack/metricbeat/module/azure/compute_vm/manifest.yml new file mode 100644 index 00000000000..95421a31ef2 --- /dev/null +++ b/x-pack/metricbeat/module/azure/compute_vm/manifest.yml @@ -0,0 +1,28 @@ +default: false +input: + module: azure + metricset: monitor + defaults: + default_resource_type: "Microsoft.Compute/virtualMachines" + add_cloud_metadata: true + resources: + - resource_group: "" + resource_type: "Microsoft.Compute/virtualMachines" + metrics: + - name: "*" + namespace: "Microsoft.Compute/virtualMachines" + timegrain: "PT5M" + - name: "*" + namespace: "Azure.VM.Windows.GuestMetrics" + timegrain: "PT5M" + ignore_unsupported: true + - resource_id: "" + timegrain: "PT5M" + metrics: + - name: "*" + namespace: "Microsoft.Compute/virtualMachines" + timegrain: "PT5M" + - name: "*" + namespace: "Azure.VM.Windows.GuestMetrics" + timegrain: "PT5M" + ignore_unsupported: true diff --git a/x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/data.json b/x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/data.json index 8edb9c5b69a..e8f59859d8b 100644 --- a/x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/data.json +++ b/x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/data.json @@ -2,12 +2,6 @@ "@timestamp": "2017-10-12T08:05:34.853Z", "azure": { "compute_vm_scaleset": { - "cpu_credits_consumed": { - "avg": 0.019 - }, - "cpu_credits_remaining": { - "avg": 97.99 - }, "os_per_disk_qd": { "avg": 0 }, @@ -18,36 +12,44 @@ "avg": 0 }, "os_per_disk_write_bytes_per_sec": { - "avg": 19201.653 + "avg": 1872.1200000000001 }, "os_per_disk_write_operations_per_sec": { - "avg": 1.0366666666666666 + "avg": 0.296 } }, "namespace": "Microsoft.Compute/virtualMachineScaleSets", "resource": { - "group": "obs-infrastructure", + "group": "testgroup", + "id": "/subscriptions/70bd6e23-e3er3-4835-6785-db77b8eef364/resourceGroups/testgroup/providers/Microsoft.Compute/virtualMachineScaleSets/vmscaleset", + "name": "vmscaleset", + "tags": { + "environment": "staging", + "role": "allocator" + }, "type": "Microsoft.Compute/virtualMachineScaleSets" }, - "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6", + "subscription_id": "70bd6e23-e3er3-4835-6785-db77b8eef364", "timegrain": "PT5M" }, "cloud": { "instance": { - "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachineScaleSets/obslinuxvmss", - "name": "obslinuxvmss" + "name": "vmscaleset" }, "machine": { - "type": "Standard_B1ls" + "type": "Standard_D4s_v3" }, "provider": "azure", - "region": "westeurope" + "region": "eastus2" }, "event": { "dataset": "azure.compute_vm_scaleset", "duration": 115000, "module": "azure" }, + "host": { + "name": "vmscaleset" + }, "metricset": { "name": "compute_vm_scaleset", "period": 10000 diff --git a/x-pack/metricbeat/module/azure/compute_vm_scaleset/client_helper.go b/x-pack/metricbeat/module/azure/compute_vm_scaleset/client_helper.go deleted file mode 100644 index f45896dce8e..00000000000 --- a/x-pack/metricbeat/module/azure/compute_vm_scaleset/client_helper.go +++ /dev/null @@ -1,93 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package compute_vm_scaleset - -import ( - "strings" - - "github.com/Azure/azure-sdk-for-go/services/preview/monitor/mgmt/2019-06-01/insights" - "github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2019-03-01/resources" - "github.com/pkg/errors" - - "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure" -) - -const ( - defaultVMDimension = "VMName" - customVMDimension = "VirtualMachine" - defaultSlotIDDimension = "SlotId" -) - -// mapMetrics should validate and map the metric related configuration to relevant azure monitor api parameters -func mapMetrics(client *azure.Client, resources []resources.GenericResource, resourceConfig azure.ResourceConfig) ([]azure.Metric, error) { - var metrics []azure.Metric - for _, resource := range resources { - // return resource size - resourceSize := mapResourceSize(resource) - for _, metric := range resourceConfig.Metrics { - metricDefinitions, err := client.AzureMonitorService.GetMetricDefinitions(*resource.ID, metric.Namespace) - if err != nil { - return nil, errors.Wrapf(err, "no metric definitions were found for resource %s and namespace %s", *resource.ID, metric.Namespace) - } - if len(*metricDefinitions.Value) == 0 && metric.Namespace != customVMNamespace { - return nil, errors.Errorf("no metric definitions were found for resource %s and namespace %s.", *resource.ID, metric.Namespace) - } - var supportedMetricNames []insights.MetricDefinition - if strings.Contains(strings.Join(metric.Name, " "), "*") { - for _, definition := range *metricDefinitions.Value { - supportedMetricNames = append(supportedMetricNames, definition) - } - } else { - // verify if configured metric names are valid, return log error event for the invalid ones, map only the valid metric names - for _, name := range metric.Name { - for _, metricDefinition := range *metricDefinitions.Value { - if name == *metricDefinition.Name.Value { - supportedMetricNames = append(supportedMetricNames, metricDefinition) - } - } - } - } - if len(supportedMetricNames) == 0 { - continue - } - groupedMetrics := make(map[string][]insights.MetricDefinition) - var vmdim string - if metric.Namespace == defaultVMScalesetNamespace { - vmdim = defaultVMDimension - } else if metric.Namespace == customVMNamespace { - vmdim = customVMDimension - } - for _, metricName := range supportedMetricNames { - if metricName.Dimensions == nil || len(*metricName.Dimensions) == 0 { - groupedMetrics[azure.NoDimension] = append(groupedMetrics[azure.NoDimension], metricName) - } else if azure.ContainsDimension(vmdim, *metricName.Dimensions) { - groupedMetrics[vmdim] = append(groupedMetrics[vmdim], metricName) - } else if azure.ContainsDimension(defaultSlotIDDimension, *metricName.Dimensions) { - groupedMetrics[defaultSlotIDDimension] = append(groupedMetrics[defaultSlotIDDimension], metricName) - } - } - for key, metricGroup := range groupedMetrics { - var metricNameList []string - for _, metricName := range metricGroup { - metricNameList = append(metricNameList, *metricName.Name.Value) - } - var dimensions []azure.Dimension - if key != azure.NoDimension { - dimensions = []azure.Dimension{{Name: key, Value: "*"}} - } - metrics = append(metrics, client.MapMetricByPrimaryAggregation(metricGroup, resource, "", resourceSize, metric.Namespace, dimensions, azure.DefaultTimeGrain)...) - } - } - } - return metrics, nil -} - -// mapResourceSize func will try to map if existing the resource size, for the vmss it seems that SKU is populated and resource size is mapped in the name -func mapResourceSize(resource resources.GenericResource) string { - if resource.Sku != nil && resource.Sku.Name != nil { - return *resource.Sku.Name - } - return "" -} diff --git a/x-pack/metricbeat/module/azure/compute_vm_scaleset/client_helper_test.go b/x-pack/metricbeat/module/azure/compute_vm_scaleset/client_helper_test.go deleted file mode 100644 index 6fba1dab50f..00000000000 --- a/x-pack/metricbeat/module/azure/compute_vm_scaleset/client_helper_test.go +++ /dev/null @@ -1,124 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package compute_vm_scaleset - -import ( - "testing" - - "github.com/Azure/azure-sdk-for-go/services/preview/monitor/mgmt/2019-06-01/insights" - "github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2019-03-01/resources" - "github.com/pkg/errors" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/mock" - - "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure" -) - -func MockResource() resources.GenericResource { - id := "123" - name := "resourceName" - location := "resourceLocation" - rType := "resourceType" - skuName := "standard" - sku := resources.Sku{ - Name: &skuName, - } - return resources.GenericResource{ - ID: &id, - Name: &name, - Location: &location, - Type: &rType, - Sku: &sku, - } -} - -func MockMetricDefinitions() *[]insights.MetricDefinition { - metric1 := "TotalRequests" - metric2 := "Capacity" - metric3 := "BytesRead" - defs := []insights.MetricDefinition{ - { - Name: &insights.LocalizableString{Value: &metric1}, - PrimaryAggregationType: insights.Average, - SupportedAggregationTypes: &[]insights.AggregationType{insights.Maximum, insights.Count, insights.Total, insights.Average}, - }, - { - Name: &insights.LocalizableString{Value: &metric2}, - PrimaryAggregationType: insights.Average, - SupportedAggregationTypes: &[]insights.AggregationType{insights.Average, insights.Count, insights.Minimum}, - }, - { - Name: &insights.LocalizableString{Value: &metric3}, - PrimaryAggregationType: insights.Minimum, - SupportedAggregationTypes: &[]insights.AggregationType{insights.Average, insights.Count, insights.Minimum}, - }, - } - return &defs -} - -func TestMapMetric(t *testing.T) { - resource := MockResource() - metricDefinitions := insights.MetricDefinitionCollection{ - Value: MockMetricDefinitions(), - } - var emptyList []insights.MetricDefinition - emptyMetricDefinitions := insights.MetricDefinitionCollection{ - Value: &emptyList, - } - metricConfig := azure.MetricConfig{Name: []string{"*"}, Namespace: "namespace"} - var resourceConfig = azure.ResourceConfig{Metrics: []azure.MetricConfig{metricConfig}} - client := azure.NewMockClient() - t.Run("return error when the metric metric definition api call returns an error", func(t *testing.T) { - m := &azure.MockService{} - m.On("GetMetricDefinitions", mock.Anything, mock.Anything).Return(emptyMetricDefinitions, errors.New("invalid resource ID")) - client.AzureMonitorService = m - metric, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.NotNil(t, err) - assert.Equal(t, err.Error(), "no metric definitions were found for resource 123 and namespace namespace: invalid resource ID") - assert.Equal(t, metric, []azure.Metric(nil)) - m.AssertExpectations(t) - }) - t.Run("return error when no metric definitions were found", func(t *testing.T) { - m := &azure.MockService{} - m.On("GetMetricDefinitions", mock.Anything, mock.Anything).Return(emptyMetricDefinitions, nil) - client.AzureMonitorService = m - metric, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.NotNil(t, err) - assert.Equal(t, err.Error(), "no metric definitions were found for resource 123 and namespace namespace.") - assert.Equal(t, metric, []azure.Metric(nil)) - m.AssertExpectations(t) - }) - t.Run("return mapped metrics correctly", func(t *testing.T) { - m := &azure.MockService{} - m.On("GetMetricDefinitions", mock.Anything, mock.Anything).Return(metricDefinitions, nil) - client.AzureMonitorService = m - metrics, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.Nil(t, err) - assert.Equal(t, len(metrics), 2) - - assert.Equal(t, metrics[0].Resource.Id, "123") - assert.Equal(t, metrics[0].Resource.Name, "resourceName") - assert.Equal(t, metrics[0].Resource.Type, "resourceType") - assert.Equal(t, metrics[0].Resource.Location, "resourceLocation") - assert.Equal(t, metrics[0].Namespace, "namespace") - assert.Equal(t, metrics[1].Resource.Id, "123") - assert.Equal(t, metrics[1].Resource.Name, "resourceName") - assert.Equal(t, metrics[1].Resource.Type, "resourceType") - assert.Equal(t, metrics[1].Resource.Location, "resourceLocation") - assert.Equal(t, metrics[1].Resource.Size, "standard") - assert.Equal(t, metrics[1].Namespace, "namespace") - assert.Equal(t, metrics[0].Dimensions, []azure.Dimension(nil)) - assert.Equal(t, metrics[1].Dimensions, []azure.Dimension(nil)) - - //order of elements can be different when running the test - if metrics[0].Aggregations == "Average" { - assert.Equal(t, metrics[0].Names, []string{"TotalRequests", "Capacity"}) - } else { - assert.Equal(t, metrics[0].Names, []string{"BytesRead"}) - assert.Equal(t, metrics[0].Aggregations, "Minimum") - } - m.AssertExpectations(t) - }) -} diff --git a/x-pack/metricbeat/module/azure/compute_vm_scaleset/compute_vm_scaleset.go b/x-pack/metricbeat/module/azure/compute_vm_scaleset/compute_vm_scaleset.go deleted file mode 100644 index b2755eeabf0..00000000000 --- a/x-pack/metricbeat/module/azure/compute_vm_scaleset/compute_vm_scaleset.go +++ /dev/null @@ -1,73 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -package compute_vm_scaleset - -import ( - "fmt" - - "github.com/elastic/beats/v7/metricbeat/mb" - "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure" -) - -// init registers the MetricSet with the central registry as soon as the program -// starts. The New function will be called later to instantiate an instance of -// the MetricSet for each host defined in the module's configuration. After the -// MetricSet has been created then Fetch will begin to be called periodically. -func init() { - mb.Registry.MustAddMetricSet("azure", "compute_vm_scaleset", New) -} - -// MetricSet holds any configuration or state information. It must implement -// the mb.MetricSet interface. And this is best achieved by embedding -// mb.BaseMetricSet because it implements all of the required mb.MetricSet -// interface methods except for Fetch. -type MetricSet struct { - *azure.MetricSet -} - -const ( - defaultVMScalesetNamespace = "Microsoft.Compute/virtualMachineScaleSets" - customVMNamespace = "Azure.VM.Windows.GuestMetrics" -) - -var memoryMetrics = []string{"Memory\\Commit Limit", "Memory\\Committed Bytes", "Memory\\% Committed Bytes In Use", "Memory\\Available Bytes"} - -// New creates a new instance of the MetricSet. New is responsible for unpacking -// any MetricSet specific configuration options if there are any. -func New(base mb.BaseMetricSet) (mb.MetricSet, error) { - ms, err := azure.NewMetricSet(base) - if err != nil { - return nil, err - } - // if no options are entered we will retrieve all the vm's from the entire subscription - if len(ms.Client.Config.Resources) == 0 { - ms.Client.Config.Resources = []azure.ResourceConfig{ - { - Query: fmt.Sprintf("resourceType eq '%s'", defaultVMScalesetNamespace), - }, - } - } - for index := range ms.Client.Config.Resources { - // add the default vm scaleset type if groups are defined - if len(ms.Client.Config.Resources[index].Group) > 0 { - ms.Client.Config.Resources[index].Type = defaultVMScalesetNamespace - } - // add the default metrics for each resource option - ms.Client.Config.Resources[index].Metrics = []azure.MetricConfig{ - { - Name: []string{"*"}, - Namespace: defaultVMScalesetNamespace, - }, - { - Name: memoryMetrics, - Namespace: customVMNamespace, - }, - } - } - ms.MapMetrics = mapMetrics - return &MetricSet{ - MetricSet: ms, - }, nil -} diff --git a/x-pack/metricbeat/module/azure/compute_vm_scaleset/compute_vm_scaleset_integration_test.go b/x-pack/metricbeat/module/azure/compute_vm_scaleset/compute_vm_scaleset_integration_test.go index 7403203ad12..0a4a8df5e6b 100644 --- a/x-pack/metricbeat/module/azure/compute_vm_scaleset/compute_vm_scaleset_integration_test.go +++ b/x-pack/metricbeat/module/azure/compute_vm_scaleset/compute_vm_scaleset_integration_test.go @@ -15,6 +15,9 @@ import ( "github.com/stretchr/testify/assert" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" + + // Register input module and metricset + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/monitor" ) func TestFetchMetricset(t *testing.T) { diff --git a/x-pack/metricbeat/module/azure/compute_vm_scaleset/compute_vm_scaleset_test.go b/x-pack/metricbeat/module/azure/compute_vm_scaleset/compute_vm_scaleset_test.go index d7c4101ed23..2c5c7f04c8f 100644 --- a/x-pack/metricbeat/module/azure/compute_vm_scaleset/compute_vm_scaleset_test.go +++ b/x-pack/metricbeat/module/azure/compute_vm_scaleset/compute_vm_scaleset_test.go @@ -5,69 +5,13 @@ package compute_vm_scaleset import ( - "fmt" - "testing" + "os" - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" - - "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/metricbeat/mb" ) -var ( - missingResourcesConfig = common.MapStr{ - "module": "azure", - "period": "60s", - "metricsets": []string{"compute_vm_scaleset"}, - "client_secret": "unique identifier", - "client_id": "unique identifier", - "subscription_id": "unique identifier", - "tenant_id": "unique identifier", - } - - resourceConfig = common.MapStr{ - "module": "azure", - "period": "60s", - "metricsets": []string{"compute_vm_scaleset"}, - "client_secret": "unique identifier", - "client_id": "unique identifier", - "subscription_id": "unique identifier", - "tenant_id": "unique identifier", - "resources": []common.MapStr{ - { - "resource_id": "test", - "metrics": []map[string]interface{}{ - { - "name": []string{"*"}, - }}, - }}, - } -) - -func TestFetch(t *testing.T) { - c, err := common.NewConfigFrom(missingResourcesConfig) - if err != nil { - t.Fatal(err) - } - module, metricsets, err := mb.NewModule(c, mb.Registry) - assert.NotNil(t, module) - assert.NotNil(t, metricsets) - assert.Nil(t, err) - ms, ok := metricsets[0].(*MetricSet) - assert.Equal(t, len(ms.Client.Config.Resources), 1) - assert.Equal(t, ms.Client.Config.Resources[0].Query, fmt.Sprintf("resourceType eq '%s'", defaultVMScalesetNamespace)) - c, err = common.NewConfigFrom(resourceConfig) - if err != nil { - t.Fatal(err) - } - module, metricsets, err = mb.NewModule(c, mb.Registry) - if err != nil { - t.Fatal(err) - } - assert.NotNil(t, module) - assert.NotNil(t, metricsets) - ms, ok = metricsets[0].(*MetricSet) - require.True(t, ok, "metricset must be MetricSet") - assert.NotNil(t, ms) +func init() { + // To be moved to some kind of helper + os.Setenv("BEAT_STRICT_PERMS", "false") + mb.Registry.SetSecondarySource(mb.NewLightModulesSource("../../../module")) } diff --git a/x-pack/metricbeat/module/azure/compute_vm_scaleset/manifest.yml b/x-pack/metricbeat/module/azure/compute_vm_scaleset/manifest.yml new file mode 100644 index 00000000000..9369a36b79e --- /dev/null +++ b/x-pack/metricbeat/module/azure/compute_vm_scaleset/manifest.yml @@ -0,0 +1,66 @@ +default: false +input: + module: azure + metricset: monitor + defaults: + default_resource_type: "Microsoft.Compute/virtualMachineScaleSets" + add_cloud_metadata: true + resources: + - resource_group: "" + resource_type: "Microsoft.Compute/virtualMachineScaleSets" + metrics: + - name: ["CPU Credits Remaining", "CPU Credits Consumed", "OS Per Disk Read Bytes/sec", "OS Per Disk Write Bytes/sec", "OS Per Disk Read Operations/Sec", "OS Per Disk Write Operations/Sec", "OS Per Disk QD"] + namespace: "Microsoft.Compute/virtualMachineScaleSets" + timegrain: "PT5M" + - name: ["Per Disk Read Bytes/sec", "Per Disk Write Bytes/sec", "Per Disk Read Operations/Sec", "Per Disk Write Operations/Sec", "Per Disk QD"] + namespace: "Microsoft.Compute/virtualMachineScaleSets" + timegrain: "PT5M" + dimensions: + - name: "SlotId" + value: "*" + - name: ["Network In", "Percentage CPU", "Network Out", "Disk Read Bytes", "Disk Write Bytes", "Disk Read Operations/Sec", "Disk Write Operations/Sec", "Data Disk Read Bytes/sec", "Data Disk Write Bytes/sec", "Network Out Total", + "Network In Total", "VM Uncached IOPS Consumed Percentange", "VM Uncached Bandwidth Consumed Percentange", "VM Cached IOPS Consumed Percentange", "VM Cached Bandwidth Consumed Percentange", "Premium OS Disk Cache Read Miss", + "Premium OS Disk Cache Read Hit", "Premium Data Disk Cache Read Miss", "Data Disk Read Operations/Sec", "Data Disk Write Operations/Sec", "Data Disk Queue Depth", "Data Disk Bandwidth Consumed Percentage", + "Premium Data Disk Cache Read Hit", "Outbound Flows Maximum Creation Rate", "Inbound Flows Maximum Creation Rate", "Outbound Flows", "Inbound Flows", "OS Disk IOPS Consumed Percentage", "OS Disk Bandwidth Consumed Percentage", + "OS Disk Queue Depth", "OS Disk Write Operations/Sec", "OS Disk Read Operations/Sec", "OS Disk Write Bytes/sec", "OS Disk Read Bytes/sec", "Data Disk IOPS Consumed Percentage"] + namespace: "Microsoft.Compute/virtualMachineScaleSets" + timegrain: "PT5M" + dimensions: + - name: "VMName" + value: "*" + - name: ["Memory\\Commit Limit", "Memory\\Committed Bytes", "Memory\\% Committed Bytes In Use", "Memory\\Available Bytes"] + namespace: "Azure.VM.Windows.GuestMetrics" + timegrain: "PT5M" + dimensions: + - name: "VirtualMachine" + value: "*" + ignore_unsupported: true + - resource_id: "" + timegrain: "PT5M" + metrics: + - name: ["CPU Credits Remaining", "CPU Credits Consumed", "OS Per Disk Read Bytes/sec", "OS Per Disk Write Bytes/sec", "OS Per Disk Read Operations/Sec", "OS Per Disk Write Operations/Sec", "OS Per Disk QD"] + namespace: "Microsoft.Compute/virtualMachineScaleSets" + timegrain: "PT5M" + - name: ["Per Disk Read Bytes/sec", "Per Disk Write Bytes/sec", "Per Disk Read Operations/Sec", "Per Disk Write Operations/Sec", "Per Disk QD"] + namespace: "Microsoft.Compute/virtualMachineScaleSets" + timegrain: "PT5M" + dimensions: + - name: "SlotId" + value: "*" + - name: ["Network In", "Percentage CPU", "Network Out", "Disk Read Bytes", "Disk Write Bytes", "Disk Read Operations/Sec", "Disk Write Operations/Sec", "Data Disk Read Bytes/sec", "Data Disk Write Bytes/sec", "Network Out Total", + "Network In Total", "VM Uncached IOPS Consumed Percentange", "VM Uncached Bandwidth Consumed Percentange", "VM Cached IOPS Consumed Percentange", "VM Cached Bandwidth Consumed Percentange", "Premium OS Disk Cache Read Miss", + "Premium OS Disk Cache Read Hit", "Premium Data Disk Cache Read Miss", "Data Disk Read Operations/Sec", "Data Disk Write Operations/Sec", "Data Disk Queue Depth", "Data Disk Bandwidth Consumed Percentage", + "Premium Data Disk Cache Read Hit", "Outbound Flows Maximum Creation Rate", "Inbound Flows Maximum Creation Rate", "Outbound Flows", "Inbound Flows", "OS Disk IOPS Consumed Percentage", "OS Disk Bandwidth Consumed Percentage", + "OS Disk Queue Depth", "OS Disk Write Operations/Sec", "OS Disk Read Operations/Sec", "OS Disk Write Bytes/sec", "OS Disk Read Bytes/sec", "Data Disk IOPS Consumed Percentage"] + namespace: "Microsoft.Compute/virtualMachineScaleSets" + timegrain: "PT5M" + dimensions: + - name: "VMName" + value: "*" + - name: ["Memory\\Commit Limit", "Memory\\Committed Bytes", "Memory\\% Committed Bytes In Use", "Memory\\Available Bytes"] + namespace: "Azure.VM.Windows.GuestMetrics" + timegrain: "PT5M" + dimensions: + - name: "VirtualMachine" + value: "*" + ignore_unsupported: true diff --git a/x-pack/metricbeat/module/azure/config.go b/x-pack/metricbeat/module/azure/config.go new file mode 100644 index 00000000000..63bb5450b57 --- /dev/null +++ b/x-pack/metricbeat/module/azure/config.go @@ -0,0 +1,68 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package azure + +import ( + "time" + + "github.com/pkg/errors" +) + +// Config options +type Config struct { + ClientId string `config:"client_id"` + ClientSecret string `config:"client_secret"` + TenantId string `config:"tenant_id"` + SubscriptionId string `config:"subscription_id"` + Period time.Duration `config:"period" validate:"nonzero,required"` + Resources []ResourceConfig `config:"resources"` + RefreshListInterval time.Duration `config:"refresh_list_interval"` + DefaultResourceType string `config:"default_resource_type"` + AddCloudMetadata bool `config:"add_cloud_metadata"` +} + +// ResourceConfig contains resource and metric list specific configuration. +type ResourceConfig struct { + Id []string `config:"resource_id"` + Group []string `config:"resource_group"` + Metrics []MetricConfig `config:"metrics"` + Type string `config:"resource_type"` + Query string `config:"resource_query"` + ServiceType []string `config:"service_type"` +} + +// MetricConfig contains metric specific configuration. +type MetricConfig struct { + Name []string `config:"name"` + Namespace string `config:"namespace"` + Aggregations []string `config:"aggregations"` + Dimensions []DimensionConfig `config:"dimensions"` + Timegrain string `config:"timegrain"` + // namespaces can be unsupported by some resources and supported in some, this configuration option makes sure no error messages are returned if namespace is unsupported + // info messages will be logged instead + IgnoreUnsupported bool `config:"ignore_unsupported"` +} + +// DimensionConfig contains dimensions specific configuration. +type DimensionConfig struct { + Name string `config:"name"` + Value string `config:"value"` +} + +func (conf *Config) Validate() error { + if conf.SubscriptionId == "" { + return errors.New("no subscription ID has been configured") + } + if conf.ClientSecret == "" { + return errors.New("no client secret has been configured") + } + if conf.ClientId == "" { + return errors.New("no client ID has been configured") + } + if conf.TenantId == "" { + return errors.New("no tenant ID has been configured") + } + return nil +} diff --git a/x-pack/metricbeat/module/azure/container_instance/_meta/data.json b/x-pack/metricbeat/module/azure/container_instance/_meta/data.json index aec7b3bdffb..945e31e3ac9 100644 --- a/x-pack/metricbeat/module/azure/container_instance/_meta/data.json +++ b/x-pack/metricbeat/module/azure/container_instance/_meta/data.json @@ -6,28 +6,23 @@ "avg": 0 }, "memory_usage": { - "avg": 0 + "avg": 2666496 } }, "dimensions": { - "container_name": "testcontainergroup" + "container_name": "anothercontainer" }, "namespace": "Microsoft.ContainerInstance/containerGroups", "resource": { "group": "obs-infrastructure", - "tags": { - "tag1": "value1" - }, + "id": "/subscriptions/70bd6e64-4b1e-4835-8896-db77b8eef364/resourceGroups/obs-infrastructure/providers/Microsoft.ContainerInstance/containerGroups/anothercontainer", + "name": "anothercontainer", "type": "Microsoft.ContainerInstance/containerGroups" }, - "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6", + "subscription_id": "70bd6e64-4b1e-4835-8896-db77b8eef364", "timegrain": "PT5M" }, "cloud": { - "instance": { - "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.ContainerInstance/containerGroups/testcontainergroup", - "name": "testcontainergroup" - }, "provider": "azure", "region": "westeurope" }, diff --git a/x-pack/metricbeat/module/azure/container_registry/_meta/data.json b/x-pack/metricbeat/module/azure/container_registry/_meta/data.json index 0ae5b5f3e25..6b57c49b4eb 100644 --- a/x-pack/metricbeat/module/azure/container_registry/_meta/data.json +++ b/x-pack/metricbeat/module/azure/container_registry/_meta/data.json @@ -18,16 +18,14 @@ "namespace": "Microsoft.ContainerRegistry/registries", "resource": { "group": "obs-infrastructure", - "type": "Microsoft.ContainerRegistry/registries" + "type": "Microsoft.ContainerRegistry/registries", + "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.ContainerRegistry/registries/obstest", + "name": "obstest" }, "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6", "timegrain": "PT5M" }, "cloud": { - "instance": { - "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.ContainerRegistry/registries/obstest", - "name": "obstest" - }, "provider": "azure", "region": "westeurope" }, diff --git a/x-pack/metricbeat/module/azure/container_service/_meta/data.json b/x-pack/metricbeat/module/azure/container_service/_meta/data.json index 07d8025c93d..66cdca124df 100644 --- a/x-pack/metricbeat/module/azure/container_service/_meta/data.json +++ b/x-pack/metricbeat/module/azure/container_service/_meta/data.json @@ -7,21 +7,21 @@ } }, "dimensions": { - "status": "true" + "condition": "PIDPressure", + "node": "aks-agentpool-38582116-vmss000000", + "status": "false" }, "namespace": "Microsoft.ContainerService/managedClusters", "resource": { "group": "obs-infrastructure", + "id": "/subscriptions/70bd6e64-4b1e-4835-8896-db77b8eef364/resourceGroups/obs-infrastructure/providers/Microsoft.ContainerService/managedClusters/obskube", + "name": "obskube", "type": "Microsoft.ContainerService/managedClusters" }, - "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6", + "subscription_id": "70bd6e64-4b1e-4835-8896-db77b8eef364", "timegrain": "PT5M" }, "cloud": { - "instance": { - "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.ContainerService/managedClusters/obskube", - "name": "obskube" - }, "provider": "azure", "region": "westeurope" }, diff --git a/x-pack/metricbeat/module/azure/data.go b/x-pack/metricbeat/module/azure/data.go index 23a043ae6f9..bf77f657416 100644 --- a/x-pack/metricbeat/module/azure/data.go +++ b/x-pack/metricbeat/module/azure/data.go @@ -23,7 +23,7 @@ const ( ) // EventsMapping will map metric values to beats events -func EventsMapping(metrics []Metric, metricset string, report mb.ReporterV2) error { +func EventsMapping(metrics []Metric, client *Client, report mb.ReporterV2) error { // metrics and metric values are currently grouped relevant to the azure REST API calls (metrics with the same aggregations per call) // multiple metrics can be mapped in one event depending on the resource, namespace, dimensions and timestamp @@ -35,7 +35,7 @@ func EventsMapping(metrics []Metric, metricset string, report mb.ReporterV2) err continue } // build a resource key with unique resource namespace combination - resNamkey := fmt.Sprintf("%s,%s", metric.Resource.Id, metric.Namespace) + resNamkey := fmt.Sprintf("%s,%s", metric.ResourceId, metric.Namespace) groupByResourceNamespace[resNamkey] = append(groupByResourceNamespace[resNamkey], metric) } // grouping metrics by the dimensions configured @@ -58,6 +58,7 @@ func EventsMapping(metrics []Metric, metricset string, report mb.ReporterV2) err // grouping metric values by timestamp and creating events (for each metric the REST api can retrieve multiple metric values for same aggregation but different timeframes) for _, grouped := range groupByDimensions { defaultMetric := grouped[0] + resource := client.GetResourceForMetaData(defaultMetric) groupByTimeMetrics := make(map[time.Time][]MetricValue) for _, metric := range grouped { for _, m := range metric.Values { @@ -67,6 +68,7 @@ func EventsMapping(metrics []Metric, metricset string, report mb.ReporterV2) err for timestamp, groupTimeValues := range groupByTimeMetrics { var event mb.Event var metricList common.MapStr + var vm VmResource // group events by dimension values exists, validDimensions := returnAllDimensions(defaultMetric.Dimensions) if exists { @@ -77,13 +79,21 @@ func EventsMapping(metrics []Metric, metricset string, report mb.ReporterV2) err groupByDimensions[dimKey] = append(groupByDimensions[dimKey], dimGroupValue) } for _, groupDimValues := range groupByDimensions { - event, metricList = createEvent(timestamp, defaultMetric, groupDimValues) + event, metricList = createEvent(timestamp, defaultMetric, resource, groupDimValues) + if client.Config.AddCloudMetadata { + vm = client.GetVMForMetaData(&resource, groupDimValues) + addCloudVMMetadata(&event, vm) + } } } } else { - event, metricList = createEvent(timestamp, defaultMetric, groupTimeValues) + event, metricList = createEvent(timestamp, defaultMetric, resource, groupTimeValues) + if client.Config.AddCloudMetadata { + vm = client.GetVMForMetaData(&resource, groupTimeValues) + addCloudVMMetadata(&event, vm) + } } - if metricset == nativeMetricset { + if client.Config.DefaultResourceType == "" { event.ModuleFields.Put("metrics", metricList) } else { for key, metric := range metricList { @@ -142,23 +152,37 @@ func replaceUpperCase(src string) string { } // createEvent will create a new base event -func createEvent(timestamp time.Time, metric Metric, metricValues []MetricValue) (mb.Event, common.MapStr) { +func createEvent(timestamp time.Time, metric Metric, resource Resource, metricValues []MetricValue) (mb.Event, common.MapStr) { + event := mb.Event{ ModuleFields: common.MapStr{ "timegrain": metric.TimeGrain, + "namespace": metric.Namespace, "resource": common.MapStr{ - "type": metric.Resource.Type, - "group": metric.Resource.Group, + "type": resource.Type, + "group": resource.Group, + "name": resource.Name, }, - "subscription_id": metric.Resource.Subscription, - "namespace": metric.Namespace, + "subscription_id": resource.Subscription, }, MetricSetFields: common.MapStr{}, Timestamp: timestamp, + RootFields: common.MapStr{ + "cloud": common.MapStr{ + "provider": "azure", + "region": resource.Location, + }, + }, + } + if metric.ResourceSubId != "" { + event.ModuleFields.Put("resource.id", metric.ResourceSubId) + } else { + event.ModuleFields.Put("resource.id", resource.Id) } - if len(metric.Resource.Tags) > 0 { - event.ModuleFields.Put("resource.tags", metric.Resource.Tags) + if len(resource.Tags) > 0 { + event.ModuleFields.Put("resource.tags", resource.Tags) } + if len(metric.Dimensions) > 0 { for _, dimension := range metric.Dimensions { if dimension.Value == "*" { @@ -169,18 +193,7 @@ func createEvent(timestamp time.Time, metric Metric, metricValues []MetricValue) } } - event.RootFields = common.MapStr{} - event.RootFields.Put("cloud.provider", "azure") - event.RootFields.Put("cloud.region", metric.Resource.Location) - event.RootFields.Put("cloud.instance.name", metric.Resource.Name) - if metric.Resource.SubId != "" { - event.RootFields.Put("cloud.instance.id", metric.Resource.SubId) - } else { - event.RootFields.Put("cloud.instance.id", metric.Resource.Id) - } - if metric.Resource.Size != "" { - event.RootFields.Put("cloud.machine.type", metric.Resource.Size) - } + metricList := common.MapStr{} for _, value := range metricValues { metricNameString := fmt.Sprintf("%s", managePropertyName(value.name)) @@ -200,6 +213,8 @@ func createEvent(timestamp time.Time, metric Metric, metricValues []MetricValue) metricList.Put(fmt.Sprintf("%s.%s", metricNameString, "count"), *value.count) } } + addHostMetadata(&event, metricList) + return event, metricList } diff --git a/x-pack/metricbeat/module/azure/data_test.go b/x-pack/metricbeat/module/azure/data_test.go index 1ef042b12c2..cdfad1965f8 100644 --- a/x-pack/metricbeat/module/azure/data_test.go +++ b/x-pack/metricbeat/module/azure/data_test.go @@ -73,16 +73,17 @@ func TestCreateEvent(t *testing.T) { if !assert.NoError(t, err) { t.Fatal(err) } + resource := Resource{ + Id: "resId", + Name: "res", + Location: "west_europe", + Type: "resType", + Group: "resGroup", + Tags: nil, + Subscription: "subId", + } metric := Metric{ - Resource: Resource{ - Id: "resId", - Name: "res", - Location: "west_europe", - Type: "resType", - Group: "resGroup", - Tags: nil, - Subscription: "subId", - }, + ResourceId: "resId", Namespace: "namespace1", Names: []string{"Percentage CPU"}, Aggregations: "", @@ -103,7 +104,7 @@ func TestCreateEvent(t *testing.T) { dimensions: nil, }, } - event, list := createEvent(createTime, metric, metricValues) + event, list := createEvent(createTime, metric, resource, metricValues) assert.NotNil(t, event) assert.NotNil(t, list) assert.Equal(t, event.Timestamp, createTime) @@ -111,7 +112,7 @@ func TestCreateEvent(t *testing.T) { if !assert.NoError(t, err) { t.Fatal(err) } - assert.Equal(t, sub, metric.Resource.Subscription) + assert.Equal(t, sub, resource.Subscription) namespace, err := event.ModuleFields.GetValue("namespace") if !assert.NoError(t, err) { t.Fatal(err) diff --git a/x-pack/metricbeat/module/azure/database_account/_meta/data.json b/x-pack/metricbeat/module/azure/database_account/_meta/data.json index 68dbb92043c..35ee448fd4d 100644 --- a/x-pack/metricbeat/module/azure/database_account/_meta/data.json +++ b/x-pack/metricbeat/module/azure/database_account/_meta/data.json @@ -1,40 +1,38 @@ { - "@timestamp" : "2020-02-25T08:53:00.000Z", - "cloud" : { - "provider" : "azure", - "region" : "westeurope" - }, - "event" : { - "module" : "azure", - "duration" : 4877063600, - "dataset" : "azure.database_account" - }, - "metricset" : { - "name" : "database_account", - "period" : 300000 - }, - "azure" : { - "timegrain" : "PT5M", - "dimensions" : { - "database_name" : "testdb" - }, - "database_account" : { - "provisioned_throughput" : { - "max" : 400 + "@timestamp": "2017-10-12T08:05:34.853Z", + "azure": { + "database_account": { + "service_availability": { + "avg": 100 } }, - "resource" : { - "group" : "obs-test", - "tags" : { - "defaultExperience" : "Core (SQL)" + "namespace": "Microsoft.DocumentDb/databaseAccounts", + "resource": { + "group": "obs-infrastructure", + "id": "/subscriptions/70bd6e64-4b1e-4835-8896-db77b8eef364/resourceGroups/obs-infrastructure/providers/Microsoft.DocumentDb/databaseAccounts/obsaccount", + "name": "obsaccount", + "tags": { + "defaultExperience": "Core (SQL)" }, - "name" : "obsaccount", - "type" : "Microsoft.DocumentDb/databaseAccounts" + "type": "Microsoft.DocumentDb/databaseAccounts" }, - "subscription_id" : "123456-qwer-1234-5678-12345678", - "namespace" : "Microsoft.DocumentDb/databaseAccounts" + "subscription_id": "70bd6e64-4b1e-4835-8896-db77b8eef364", + "timegrain": "PT1H" + }, + "cloud": { + "provider": "azure", + "region": "westeurope" + }, + "event": { + "dataset": "azure.database_account", + "duration": 115000, + "module": "azure" + }, + "metricset": { + "name": "database_account", + "period": 10000 }, - "service" : { - "type" : "azure" + "service": { + "type": "azure" } } diff --git a/x-pack/metricbeat/module/azure/database_account/database_account_integration_test.go b/x-pack/metricbeat/module/azure/database_account/database_account_integration_test.go index 6fa35ee4698..4c00bd03af0 100644 --- a/x-pack/metricbeat/module/azure/database_account/database_account_integration_test.go +++ b/x-pack/metricbeat/module/azure/database_account/database_account_integration_test.go @@ -15,6 +15,9 @@ import ( "github.com/stretchr/testify/assert" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" + + // Register input module and metricset + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure/monitor" ) func TestFetchMetricset(t *testing.T) { diff --git a/x-pack/metricbeat/module/azure/fields.go b/x-pack/metricbeat/module/azure/fields.go index 1c8cd1527b4..4c0ad95ad98 100644 --- a/x-pack/metricbeat/module/azure/fields.go +++ b/x-pack/metricbeat/module/azure/fields.go @@ -19,5 +19,5 @@ func init() { // AssetAzure returns asset data. // This is the base64 encoded gzipped contents of module/azure. func AssetAzure() string { - return "eJzUV71u2zAQ3v0UB48BkgfwUCBolw7dugtn8qywkUiCPKV1n77QD2lKlGWnVgDHQ4CI5Pej+3ikHuGVjjvAv42jDQArrmgH2+f2/+0GQJIXTllWRu/gywYA+rlQG9lU7RJHFaGnHZS4ATgoqqTfdRMfQWNNJ/D2x0fbTnWmscOTGYYxTArFqqbSodJxJEC+0vG3cTJ5Pgvc/36+EDz3NoidEjO4gdGRN40TlBGmHq6gCzjgLQl1UJRKndodWT5aGg2cd3xBRpDSLgdzAE5kzVJPLa7AHV9Djh0NY+mfHmZpzf4XCZ4M9Q+LJWHJlKJGa5Uuh/nbh+37TPSxiTY6sVlo2r/e4kxq3h3TCAWeKhKc5Caw+WYfIQolb+dMAeH7t4xQqpq0V0aP63SmRhfqc21tFjSPtnIiLhOO1hZKe1W+sL+4oWNj2xPjdULQ2koJ7N7bDM/SNk+Wjmu4VMcLckI9U1lJOVN6z+i4kMjzvWZm4AreDjRfGzhJy7UZScvzfH1A/NPDf3eXQ2VwYcKNvaU1MGjMkrtXVaV0+RGhHaABtYTGY0kgiVFV1yZXNM6RFsd1MzuLGiitI8Y/hTB+Wo3zdbrA+XWKFZsdWXRck+aifbCuyxM4ZOAns0Y2WS5vJB5A89tFYO2SUHQ7eMX92efrQl/oqUnPd8FbiBfbw7APCktOGbl6Ew7brIeHCXw8BoQwzYdELW7znuF83lBwg9Wqm6s7hDpYyGAD7cE4Euh5deIAfJ66D9zKR9HQStO1sWOa2jZMxVs9OYvG31JjFcv3qum7WeFWdVK5YKDwAivyxJ/DSZQbx2e8aUalybU3RUYt6L6tDWohqF0w5KhUnt3xcxgKahcMeXJv6rMUaBCbf00h4x49FUNnvmc3QWs4RTIztdGKjbv+nlpeeUvNgZfupPd+1YcfvUBwxI3TJJ/ONyTPxmF51yEfJMZU/AsAAP//G9NOsw==" + return "eJzUV8tu2zoQ3fsrBl4GSD7AiwsEt5suuuteGJNjhY1EEuQorfv1hR6kKVHyo1aKxIsAEcnzEM8MqUd4peMO8HfjaAPAiivawfa5/X+7AZDkhVOWldE7+G8DAP1cqI1sqnaJo4rQ0w5K3AAcFFXS77qJj6CxphN4++Ojbac609jhyQzDGCaFYlVT6VDpOBIgX+n40ziZPJ8F7n/fXwieexvETokZ3MDoyJvGCcoIUw9X0AUc8JaEOihKpU7tjiwfLY0Glh1fkBGktMvBHIATWbPUU4srcMfXkGNHw1j6p4dZWrP/QYInQ/3D4pywZEpRo7VKl8P87cP2NhN9bKKNTmwWmvavtziTmptjGqHAU0WCk9wENt/sI0Sh5P2cKSB8/ZIRSlWT9sro8T4t7NGF/bl2b85oHpVyIi4T3k/xTw836z5UBhcG/1b1t14MOOLGaZK5XLS2UNqr8oX9xf4T+/CeGK9TgNZWSmC3zTM857pSsnQcObi/R6SykvSl9J7RcSGR51vjzMAVvB1ovjZwkpZrM5KWy3zzYYUbmuE0tLBqK2wNDBqz5O5VVSldvkdoB2hALaHxWBJIYlTVtckVjXOkxXHdzM6iBkrriPFXIYyf7sbyPl3g/H+KFXszWXRck+aifbCuyxM4ZOAns0Y2WS7vJB5A88tQYO2SUHQVvGJ99vm60Bd6atLzXfAe4rPtYaiDwpJTRq7ehEOZ9fAwgY/HgBCmeZeoxTLvGZbzhoIbrFYtru4Q6mAhgw20B+NIoOfViQPwMnUfuJWPoqGVpmtjxzS1bZiKt3pyFo0//cYq/vl16qTyjIHCC6zIE38OJ1FuHJ/xphmVJtfeFBm1oI9tbVALQe0ZQ45K5dkdP4ehoPaMIU/uTX2WDRrE5h9/yLhHT8XQmT+ym6A1nCL5B6HRio27/p5aXnlLzYGnd9LlkvZsHJYfOiaDxPhe/wQAAP//ZxBMvQ==" } diff --git a/x-pack/metricbeat/module/azure/mock_service.go b/x-pack/metricbeat/module/azure/mock_service.go index 4d2dcd73f6e..f6f54c300e0 100644 --- a/x-pack/metricbeat/module/azure/mock_service.go +++ b/x-pack/metricbeat/module/azure/mock_service.go @@ -9,7 +9,6 @@ import ( "github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2019-03-01/resources" "github.com/stretchr/testify/mock" - "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/metricbeat/mb" ) @@ -64,14 +63,3 @@ func (reporter *MockReporterV2) Error(err error) bool { args := reporter.Called(err) return args.Get(0).(bool) } - -// NewMockClient instantiates a new client with the mock azure service -func NewMockClient() *Client { - azureMockService := new(MockService) - client := &Client{ - AzureMonitorService: azureMockService, - Config: Config{}, - Log: logp.NewLogger("test azure monitor"), - } - return client -} diff --git a/x-pack/metricbeat/module/azure/module.yml b/x-pack/metricbeat/module/azure/module.yml index cc106a3c59b..a51b202612b 100644 --- a/x-pack/metricbeat/module/azure/module.yml +++ b/x-pack/metricbeat/module/azure/module.yml @@ -4,3 +4,5 @@ metricsets: - container_instance - container_service - database_account + - compute_vm + - compute_vm_scaleset diff --git a/x-pack/metricbeat/module/azure/monitor/_meta/data.json b/x-pack/metricbeat/module/azure/monitor/_meta/data.json index 67f5b91b62b..16d7f82b8d8 100644 --- a/x-pack/metricbeat/module/azure/monitor/_meta/data.json +++ b/x-pack/metricbeat/module/azure/monitor/_meta/data.json @@ -3,31 +3,29 @@ "azure": { "metrics": { "data_usage": { - "total": 0 + "total": 131072 }, "document_count": { - "total": 0 + "total": 2 }, "document_quota": { - "total": 53687091200 + "total": 107374182400 } }, "namespace": "Microsoft.DocumentDb/databaseAccounts", "resource": { "group": "obs-infrastructure", + "id": "/subscriptions/70bd6e64-4b1e-4835-8896-db77b8eef364/resourceGroups/obs-infrastructure/providers/Microsoft.DocumentDb/databaseAccounts/obsaccount", + "name": "obsaccount", "tags": { "defaultExperience": "Core (SQL)" }, "type": "Microsoft.DocumentDb/databaseAccounts" }, - "subscription_id": "fd675b6f-b5e5-426e-ac45-d1f876d0ffa6", + "subscription_id": "70bd6e64-4b1e-4835-8896-db77b8eef364", "timegrain": "PT5M" }, "cloud": { - "instance": { - "id": "/subscriptions/fd675b6f-b5e5-426e-ac45-d1f876d0ffa6/resourceGroups/obs-infrastructure/providers/Microsoft.DocumentDb/databaseAccounts/obsaccount", - "name": "obsaccount" - }, "provider": "azure", "region": "westeurope" }, diff --git a/x-pack/metricbeat/module/azure/monitor/_meta/fields.yml b/x-pack/metricbeat/module/azure/monitor/_meta/fields.yml index 139b2c38047..a6288fef7f7 100644 --- a/x-pack/metricbeat/module/azure/monitor/_meta/fields.yml +++ b/x-pack/metricbeat/module/azure/monitor/_meta/fields.yml @@ -4,10 +4,5 @@ description: > monitor fields: - - name: metrics.*.* - type: object - object_type: float - object_type_mapping_type: "*" - description: > - Metrics returned. + diff --git a/x-pack/metricbeat/module/azure/monitor/client_helper.go b/x-pack/metricbeat/module/azure/monitor/client_helper.go index 4d00bcd64de..82875f46de5 100644 --- a/x-pack/metricbeat/module/azure/monitor/client_helper.go +++ b/x-pack/metricbeat/module/azure/monitor/client_helper.go @@ -16,6 +16,8 @@ import ( "github.com/elastic/beats/v7/x-pack/metricbeat/module/azure" ) +const missingNamespace = "no metric definitions were found for resource %s and namespace %s. Verify if the namespace is spelled correctly or if it is supported by the resource in case." + // mapMetrics should validate and map the metric related configuration to relevant azure monitor api parameters func mapMetrics(client *azure.Client, resources []resources.GenericResource, resourceConfig azure.ResourceConfig) ([]azure.Metric, error) { var metrics []azure.Metric @@ -27,7 +29,11 @@ func mapMetrics(client *azure.Client, resources []resources.GenericResource, res return nil, errors.Wrapf(err, "no metric definitions were found for resource %s and namespace %s.", *resource.ID, metric.Namespace) } if len(*metricDefinitions.Value) == 0 { - return nil, errors.Errorf("no metric definitions were found for resource %s and namespace %s.", *resource.ID, metric.Namespace) + if metric.IgnoreUnsupported { + client.Log.Infof(missingNamespace, *resource.ID, metric.Namespace) + continue + } + return nil, errors.Errorf(missingNamespace, *resource.ID, metric.Namespace) } // validate metric names and filter on the supported metrics @@ -54,7 +60,7 @@ func mapMetrics(client *azure.Client, resources []resources.GenericResource, res for _, metricName := range metricGroup { metricNames = append(metricNames, *metricName.Name.Value) } - metrics = append(metrics, client.CreateMetric(*resource.ID, resource, "", metric.Namespace, metricNames, key, dim, metric.Timegrain)) + metrics = append(metrics, client.CreateMetric(*resource.ID, "", metric.Namespace, metricNames, key, dim, metric.Timegrain)) } } } diff --git a/x-pack/metricbeat/module/azure/monitor/client_helper_test.go b/x-pack/metricbeat/module/azure/monitor/client_helper_test.go index 8765d589e84..a15ee0089b9 100644 --- a/x-pack/metricbeat/module/azure/monitor/client_helper_test.go +++ b/x-pack/metricbeat/module/azure/monitor/client_helper_test.go @@ -67,7 +67,7 @@ func TestMapMetric(t *testing.T) { m.On("GetMetricDefinitions", mock.Anything, mock.Anything).Return(insights.MetricDefinitionCollection{}, errors.New("invalid resource ID")) client.AzureMonitorService = m metric, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.NotNil(t, err) + assert.Error(t, err) assert.Equal(t, metric, []azure.Metric(nil)) m.AssertExpectations(t) }) @@ -78,11 +78,8 @@ func TestMapMetric(t *testing.T) { metricConfig.Name = []string{"*"} resourceConfig.Metrics = []azure.MetricConfig{metricConfig} metrics, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.Nil(t, err) - assert.Equal(t, metrics[0].Resource.Id, "123") - assert.Equal(t, metrics[0].Resource.Name, "resourceName") - assert.Equal(t, metrics[0].Resource.Type, "resourceType") - assert.Equal(t, metrics[0].Resource.Location, "resourceLocation") + assert.NoError(t, err) + assert.Equal(t, metrics[0].ResourceId, "123") assert.Equal(t, metrics[0].Namespace, "namespace") assert.Equal(t, metrics[0].Names, []string{"TotalRequests", "Capacity", "BytesRead"}) assert.Equal(t, metrics[0].Aggregations, "Average") @@ -97,13 +94,10 @@ func TestMapMetric(t *testing.T) { metricConfig.Aggregations = []string{"Average"} resourceConfig.Metrics = []azure.MetricConfig{metricConfig} metrics, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.Nil(t, err) + assert.NoError(t, err) assert.True(t, len(metrics) > 0) - assert.Equal(t, metrics[0].Resource.Id, "123") - assert.Equal(t, metrics[0].Resource.Name, "resourceName") - assert.Equal(t, metrics[0].Resource.Type, "resourceType") - assert.Equal(t, metrics[0].Resource.Location, "resourceLocation") + assert.Equal(t, metrics[0].ResourceId, "123") assert.Equal(t, metrics[0].Namespace, "namespace") assert.Equal(t, metrics[0].Names, []string{"TotalRequests", "Capacity"}) assert.Equal(t, metrics[0].Aggregations, "Average") @@ -144,7 +138,6 @@ func TestIntersections(t *testing.T) { intersection, difference = intersections(firstStr, sercondStr) assert.Equal(t, len(intersection), 0) assert.Equal(t, difference, []string{"test4", "test5"}) - } func TestGetMetricDefinitionsByNames(t *testing.T) { diff --git a/x-pack/metricbeat/module/azure/monitor_service.go b/x-pack/metricbeat/module/azure/monitor_service.go index 4657e3bc43d..053da3db05b 100644 --- a/x-pack/metricbeat/module/azure/monitor_service.go +++ b/x-pack/metricbeat/module/azure/monitor_service.go @@ -124,3 +124,24 @@ func (service *MonitorService) GetMetricValues(resourceId string, namespace stri } return metrics, interval, nil } + +// getResourceNameFormId maps resource group from resource ID +func getResourceNameFromId(path string) string { + params := strings.Split(path, "/") + if strings.HasSuffix(path, "/") { + return params[len(params)-2] + } + return params[len(params)-1] + +} + +// getResourceTypeFromId maps resource group from resource ID +func getResourceTypeFromId(path string) string { + params := strings.Split(path, "/") + for i, param := range params { + if param == "providers" { + return fmt.Sprintf("%s/%s", params[i+1], params[i+2]) + } + } + return "" +} diff --git a/x-pack/metricbeat/module/azure/monitor_service_test.go b/x-pack/metricbeat/module/azure/monitor_service_test.go new file mode 100644 index 00000000000..7855f554e1e --- /dev/null +++ b/x-pack/metricbeat/module/azure/monitor_service_test.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package azure + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestGetResourceTypeFromID(t *testing.T) { + path := "subscriptions/qw3e45r6t-23ws-1234-6587-1234ed4532/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachines/obstestmemleak" + rType := getResourceTypeFromId(path) + assert.Equal(t, rType, "Microsoft.Compute/virtualMachines") +} + +func TestGetResourceNameFromID(t *testing.T) { + path := "subscriptions/qw3e45r6t-23ws-1234-6587-1234ed4532/resourceGroups/obs-infrastructure/providers/Microsoft.Compute/virtualMachines/obstestmemleak" + name := getResourceNameFromId(path) + assert.Equal(t, name, "obstestmemleak") +} diff --git a/x-pack/metricbeat/module/azure/resources.go b/x-pack/metricbeat/module/azure/resources.go index c55757d24ac..0a723c82bd5 100644 --- a/x-pack/metricbeat/module/azure/resources.go +++ b/x-pack/metricbeat/module/azure/resources.go @@ -11,27 +11,35 @@ import ( // Resource will contain the main azure resource details type Resource struct { - // SubId is used for the metric values api as namespaces can apply to sub resrouces ex. storage account: container, blob, vm scaleset: vms - SubId string Id string Name string Location string - Type string Group string Tags map[string]string Subscription string - Size string + Type string + // will be filled if cloud data is necessary, atm only in case of compute_vm and compute_vm_scaleset + Vms []VmResource +} + +// VmResource contains details specific to a vm type of resource +type VmResource struct { + Size string + Id string + Name string } // Metric will contain the main azure metric details type Metric struct { - Resource Resource Namespace string Names []string Aggregations string Dimensions []Dimension Values []MetricValue TimeGrain string + ResourceId string + // ResourceSubId is used for the metric values api as namespaces can apply to sub resrouces ex. storage account: container, blob, vm scaleset: vms + ResourceSubId string } // Dimension represents the azure metric dimension details diff --git a/x-pack/metricbeat/module/azure/storage/client_helper.go b/x-pack/metricbeat/module/azure/storage/client_helper.go index 3fa8bb7e4b9..44e49831790 100644 --- a/x-pack/metricbeat/module/azure/storage/client_helper.go +++ b/x-pack/metricbeat/module/azure/storage/client_helper.go @@ -61,7 +61,7 @@ func mapMetrics(client *azure.Client, resources []resources.GenericResource, res if dimension != azure.NoDimension { dimensions = []azure.Dimension{{Name: dimension, Value: "*"}} } - metrics = append(metrics, client.MapMetricByPrimaryAggregation(mets, resource, resourceID, "", namespace, dimensions, time)...) + metrics = append(metrics, client.MapMetricByPrimaryAggregation(mets, *resource.ID, resourceID, namespace, dimensions, time)...) } } } diff --git a/x-pack/metricbeat/module/azure/storage/client_helper_test.go b/x-pack/metricbeat/module/azure/storage/client_helper_test.go index 24fea2facf6..0aab2a2395f 100644 --- a/x-pack/metricbeat/module/azure/storage/client_helper_test.go +++ b/x-pack/metricbeat/module/azure/storage/client_helper_test.go @@ -98,7 +98,7 @@ func TestMapMetric(t *testing.T) { m.On("GetMetricDefinitions", mock.Anything, mock.Anything).Return(emptyMetricDefinitions, nil) client.AzureMonitorService = m metric, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.NotNil(t, err) + assert.Error(t, err) assert.Equal(t, err.Error(), "no metric definitions were found for resource 123 and namespace Microsoft.Storage/storageAccounts.") assert.Equal(t, metric, []azure.Metric(nil)) m.AssertExpectations(t) @@ -108,16 +108,10 @@ func TestMapMetric(t *testing.T) { m.On("GetMetricDefinitions", mock.Anything, mock.Anything).Return(metricDefinitions, nil) client.AzureMonitorService = m metrics, err := mapMetrics(client, []resources.GenericResource{resource}, resourceConfig) - assert.Nil(t, err) - assert.Equal(t, metrics[0].Resource.Id, "123") - assert.Equal(t, metrics[0].Resource.Name, "resourceName") - assert.Equal(t, metrics[0].Resource.Type, "resourceType") - assert.Equal(t, metrics[0].Resource.Location, "resourceLocation") + assert.NoError(t, err) + assert.Equal(t, metrics[0].ResourceId, "123") assert.Equal(t, metrics[0].Namespace, "Microsoft.Storage/storageAccounts") - assert.Equal(t, metrics[1].Resource.Id, "123") - assert.Equal(t, metrics[1].Resource.Name, "resourceName") - assert.Equal(t, metrics[1].Resource.Type, "resourceType") - assert.Equal(t, metrics[1].Resource.Location, "resourceLocation") + assert.Equal(t, metrics[1].ResourceId, "123") assert.Equal(t, metrics[1].Namespace, "Microsoft.Storage/storageAccounts") assert.Equal(t, metrics[0].Dimensions, []azure.Dimension(nil)) assert.Equal(t, metrics[1].Dimensions, []azure.Dimension(nil)) diff --git a/x-pack/metricbeat/module/azure/storage/storage_test.go b/x-pack/metricbeat/module/azure/storage/storage_test.go index b491b53d99f..2512ab6660e 100644 --- a/x-pack/metricbeat/module/azure/storage/storage_test.go +++ b/x-pack/metricbeat/module/azure/storage/storage_test.go @@ -53,7 +53,7 @@ func TestFetch(t *testing.T) { module, metricsets, err := mb.NewModule(c, mb.Registry) assert.NotNil(t, module) assert.NotNil(t, metricsets) - assert.Nil(t, err) + assert.NoError(t, err) ms, ok := metricsets[0].(*MetricSet) assert.Equal(t, len(ms.Client.Config.Resources), 1) assert.Equal(t, ms.Client.Config.Resources[0].Query, fmt.Sprintf("resourceType eq '%s'", defaultStorageAccountNamespace)) diff --git a/x-pack/metricbeat/module/cloudfoundry/_meta/docs.asciidoc b/x-pack/metricbeat/module/cloudfoundry/_meta/docs.asciidoc index b36a41bf891..4d908802358 100644 --- a/x-pack/metricbeat/module/cloudfoundry/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/cloudfoundry/_meta/docs.asciidoc @@ -7,6 +7,22 @@ The cloudfoundry module metrics are numerical values that describe some aspect o The cloudfoundry module mericsets are `container`, `counter` and `value`. +[float] +=== Dashboards + +The Cloud Foundry module includes some dashboards. + +The overview dashboard can be used to visualize the current status of your Cloud +Foundry deployments. + +image::./images/metricbeat-cloudfoundry-overview.png[] + +The platform health dashboard includes visualizations that help diagnosting +issues related to the applications deployed in Cloud Foundry. + +image::./images/metricbeat-cloudfoundry-platform-health.png[] + + [float] === Module-specific configuration notes diff --git a/x-pack/metricbeat/module/cloudfoundry/_meta/kibana/7/dashboard/Metricbeat-cloudfoundry-overview.json b/x-pack/metricbeat/module/cloudfoundry/_meta/kibana/7/dashboard/Metricbeat-cloudfoundry-overview.json new file mode 100644 index 00000000000..4d7fd18d965 --- /dev/null +++ b/x-pack/metricbeat/module/cloudfoundry/_meta/kibana/7/dashboard/Metricbeat-cloudfoundry-overview.json @@ -0,0 +1,3992 @@ +{ + "objects": [ + { + "attributes": { + "description": "Overview of Cloud Foundry", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 2, + "i": "614e3c18-7b1d-4510-9308-a7c64077076b", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "614e3c18-7b1d-4510-9308-a7c64077076b", + "panelRefName": "panel_0", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Components health" + }, + "gridData": { + "h": 1, + "i": "efc5cc53-f0f5-4d09-850f-36baed6cea70", + "w": 15, + "x": 0, + "y": 2 + }, + "panelIndex": "efc5cc53-f0f5-4d09-850f-36baed6cea70", + "panelRefName": "panel_1", + "title": "Components health", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Job queue length" + }, + "gridData": { + "h": 7, + "i": "77151f90-5dd1-4c52-bbc8-eae071029c74", + "w": 14, + "x": 15, + "y": 2 + }, + "panelIndex": "77151f90-5dd1-4c52-bbc8-eae071029c74", + "panelRefName": "panel_2", + "title": "Job queue length", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Top CPU usage" + }, + "gridData": { + "h": 13, + "i": "e3830a7f-00ba-4133-9be0-5bf881956830", + "w": 7, + "x": 29, + "y": 2 + }, + "panelIndex": "e3830a7f-00ba-4133-9be0-5bf881956830", + "panelRefName": "panel_3", + "title": "Top CPU usage", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Top ephemeral disk usage" + }, + "gridData": { + "h": 13, + "i": "f9d0d4bf-f7b3-45f1-9bde-2ed389ecffe0", + "w": 6, + "x": 36, + "y": 2 + }, + "panelIndex": "f9d0d4bf-f7b3-45f1-9bde-2ed389ecffe0", + "panelRefName": "panel_4", + "title": "Top ephemeral disk usage", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Top persistent disk usage" + }, + "gridData": { + "h": 13, + "i": "e00759d3-5853-4e0e-bb74-9c6be0f0cafe", + "w": 6, + "x": 42, + "y": 2 + }, + "panelIndex": "e00759d3-5853-4e0e-bb74-9c6be0f0cafe", + "panelRefName": "panel_5", + "title": "Top persistent disk usage", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "8ba21983-ee6b-464a-b9e6-083b8f9af911", + "w": 3, + "x": 0, + "y": 3 + }, + "panelIndex": "8ba21983-ee6b-464a-b9e6-083b8f9af911", + "panelRefName": "panel_6", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "ffb54b2e-36b9-477e-a722-96d4c4c6f493", + "w": 3, + "x": 3, + "y": 3 + }, + "panelIndex": "ffb54b2e-36b9-477e-a722-96d4c4c6f493", + "panelRefName": "panel_7", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "1695ac40-80fd-4164-8db3-41b31604c757", + "w": 3, + "x": 6, + "y": 3 + }, + "panelIndex": "1695ac40-80fd-4164-8db3-41b31604c757", + "panelRefName": "panel_8", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "8f111936-e953-45c2-859f-7adc28161741", + "w": 3, + "x": 9, + "y": 3 + }, + "panelIndex": "8f111936-e953-45c2-859f-7adc28161741", + "panelRefName": "panel_9", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "040843ca-cc51-4b6e-b15f-6cf8684ee63d", + "w": 3, + "x": 12, + "y": 3 + }, + "panelIndex": "040843ca-cc51-4b6e-b15f-6cf8684ee63d", + "panelRefName": "panel_10", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Outstanding requests" + }, + "gridData": { + "h": 7, + "i": "207fe6aa-ca8e-4931-abae-7c2b0f78cc1d", + "w": 14, + "x": 15, + "y": 9 + }, + "panelIndex": "207fe6aa-ca8e-4931-abae-7c2b0f78cc1d", + "panelRefName": "panel_11", + "title": "Outstanding requests", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 5, + "i": "c4e3338c-f3d9-4c7d-bac7-e784f706bb57", + "w": 5, + "x": 0, + "y": 10 + }, + "panelIndex": "c4e3338c-f3d9-4c7d-bac7-e784f706bb57", + "panelRefName": "panel_12", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 5, + "i": "30ed1180-cf4b-41b2-a60a-5332de7f6e46", + "w": 5, + "x": 5, + "y": 10 + }, + "panelIndex": "30ed1180-cf4b-41b2-a60a-5332de7f6e46", + "panelRefName": "panel_13", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 5, + "i": "d77bfe2e-7057-4cfb-829b-c4011640ae2d", + "w": 5, + "x": 10, + "y": 10 + }, + "panelIndex": "d77bfe2e-7057-4cfb-829b-c4011640ae2d", + "panelRefName": "panel_14", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 5, + "i": "b1ba0667-de29-4458-95d6-49217a6875cb", + "w": 5, + "x": 0, + "y": 15 + }, + "panelIndex": "b1ba0667-de29-4458-95d6-49217a6875cb", + "panelRefName": "panel_15", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 5, + "i": "ff23d11d-8396-4245-a334-ddafc5cbc198", + "w": 5, + "x": 5, + "y": 15 + }, + "panelIndex": "ff23d11d-8396-4245-a334-ddafc5cbc198", + "panelRefName": "panel_16", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 5, + "i": "ee0d79d3-92f8-4360-b724-e9ebfd73b53e", + "w": 5, + "x": 10, + "y": 15 + }, + "panelIndex": "ee0d79d3-92f8-4360-b724-e9ebfd73b53e", + "panelRefName": "panel_17", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "GoRouter latency PAS" + }, + "gridData": { + "h": 8, + "i": "da31ae1e-e713-4d4f-b225-59824b203797", + "w": 19, + "x": 29, + "y": 15 + }, + "panelIndex": "da31ae1e-e713-4d4f-b225-59824b203797", + "panelRefName": "panel_18", + "title": "GoRouter latency PAS", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Diego cell time to sync" + }, + "gridData": { + "h": 7, + "i": "a7138e23-fa21-42b8-8d09-d124c2640293", + "w": 14, + "x": 15, + "y": 16 + }, + "panelIndex": "a7138e23-fa21-42b8-8d09-d124c2640293", + "panelRefName": "panel_19", + "title": "Diego cell time to sync", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 3, + "i": "2b4f53d8-a91c-447d-a8e4-f94589abe07f", + "w": 7, + "x": 0, + "y": 20 + }, + "panelIndex": "2b4f53d8-a91c-447d-a8e4-f94589abe07f", + "panelRefName": "panel_20", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 3, + "i": "fdd1c5d5-bd8f-41db-8d16-9d0b8adcb3a4", + "w": 8, + "x": 7, + "y": 20 + }, + "panelIndex": "fdd1c5d5-bd8f-41db-8d16-9d0b8adcb3a4", + "panelRefName": "panel_21", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Maximum CPU utilization" + }, + "gridData": { + "h": 10, + "i": "e2291bb2-2b6d-452b-8bb0-652ed6b4ea7b", + "w": 7, + "x": 0, + "y": 23 + }, + "panelIndex": "e2291bb2-2b6d-452b-8bb0-652ed6b4ea7b", + "panelRefName": "panel_22", + "title": "Maximum CPU utilization", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Available disk space" + }, + "gridData": { + "h": 10, + "i": "5db37b04-577a-4703-a8ef-07d70299023e", + "w": 8, + "x": 7, + "y": 23 + }, + "panelIndex": "5db37b04-577a-4703-a8ef-07d70299023e", + "panelRefName": "panel_23", + "title": "Available disk space", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Available memory by cell" + }, + "gridData": { + "h": 10, + "i": "dfb10794-82ba-4da3-80b7-5e4aa82dfd5c", + "w": 14, + "x": 15, + "y": 23 + }, + "panelIndex": "dfb10794-82ba-4da3-80b7-5e4aa82dfd5c", + "panelRefName": "panel_24", + "title": "Available memory by cell", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Total routes in GoRouter" + }, + "gridData": { + "h": 10, + "i": "a6c34327-7e71-4bf3-a057-f43de540247c", + "w": 19, + "x": 29, + "y": 23 + }, + "panelIndex": "a6c34327-7e71-4bf3-a057-f43de540247c", + "panelRefName": "panel_25", + "title": "Total routes in GoRouter", + "version": "7.9.0" + } + ], + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-15m", + "timeRestore": true, + "timeTo": "now", + "title": "[Metricbeat Cloud Foundry] Overview", + "version": 1 + }, + "id": "9c81cf34-f84e-11ea-a49d-f3f94f5e4fac", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "435133e4-f8d2-11ea-a49e-d36460a01dbe", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "9ca39c36-f84e-11ea-9b0e-af32e8072a87", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "9ca9737c-f84e-11ea-b8a5-9f245d6f7121", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "9c9f12b0-f84e-11ea-bfe0-8f64de3dbbbd", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "9c5e5c7a-f84e-11ea-9c79-3f5f46484ce3", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "9c975020-f84e-11ea-9d35-0ba5b289cee7", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "9caafdaa-f84e-11ea-8c78-43aac4b09aa5", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "9c7b602c-f84e-11ea-8762-e7aef60b5522", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "9cb33038-f84e-11ea-8929-07701f2b1c26", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "9ca526aa-f84e-11ea-aad5-ef2777854f3d", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "9caf798e-f84e-11ea-ac4b-4795663aee6b", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "9cbb8cd8-f84e-11ea-9a20-af708256c3a9", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "9c69684a-f84e-11ea-bf59-4bba486da283", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "9c93270c-f84e-11ea-8b23-c7a1cc31369e", + "name": "panel_13", + "type": "visualization" + }, + { + "id": "9c7328ee-f84e-11ea-9259-772ddb1805fb", + "name": "panel_14", + "type": "visualization" + }, + { + "id": "9c99314c-f84e-11ea-92d5-9bcd6abdce0f", + "name": "panel_15", + "type": "visualization" + }, + { + "id": "9c635824-f84e-11ea-9b02-735b8407166a", + "name": "panel_16", + "type": "visualization" + }, + { + "id": "9caddb24-f84e-11ea-b008-df9bd2aed7cc", + "name": "panel_17", + "type": "visualization" + }, + { + "id": "9c58b248-f84e-11ea-87a9-67d346210280", + "name": "panel_18", + "type": "visualization" + }, + { + "id": "9ca805fa-f84e-11ea-ab90-2b00dd50450c", + "name": "panel_19", + "type": "visualization" + }, + { + "id": "9c89336e-f84e-11ea-bbcd-23e329286ac7", + "name": "panel_20", + "type": "visualization" + }, + { + "id": "9c9d9c14-f84e-11ea-a575-a30e017a09e9", + "name": "panel_21", + "type": "visualization" + }, + { + "id": "9c8ed8fa-f84e-11ea-b20d-bb82d7a8e05d", + "name": "panel_22", + "type": "visualization" + }, + { + "id": "9c948fb6-f84e-11ea-96f5-dff115716ba4", + "name": "panel_23", + "type": "visualization" + }, + { + "id": "9cac69e2-f84e-11ea-b8d4-4b40313a5eb0", + "name": "panel_24", + "type": "visualization" + }, + { + "id": "9c77cf84-f84e-11ea-a3ff-7f7f73eabd57", + "name": "panel_25", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-09-17T10:38:25.337Z", + "version": "WzE5MCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Dashboards Navigation Overview [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**Overview** | [Platform Health](#/dashboard/94364424-f851-11ea-8206-7b08cd60917a)", + "openLinksInNewTab": false + }, + "title": "Dashboards Navigation [Metricbeat Cloud Foundry]", + "type": "markdown" + } + }, + "id": "435133e4-f8d2-11ea-a49e-d36460a01dbe", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:37:54.081Z", + "version": "WzE4MiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Components health title [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "", + "openLinksInNewTab": false + }, + "title": "Components health title [Metricbeat Cloud Foundry]", + "type": "markdown" + } + }, + "id": "9ca39c36-f84e-11ea-9b0e-af32e8072a87", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "Wzk0LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Job Queue [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(244,78,59,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "gt", + "value": 60000 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: cloudfoundry and cloudfoundry.envelope.origin :\"cc\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(188,0,19,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"failed_job_count.total\" " + }, + "formatter": "number", + "hide_in_legend": 1, + "id": "9c9054dc-f84e-11ea-920b-1f1a72488310", + "label": "Avg Failed Job Count", + "line_width": 1, + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c91bfd4-f84e-11ea-a2df-b7ca8c11c9b1", + "type": "avg" + } + ], + "point_size": "4", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "cloudfoundry.envelope.deployment", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name:\"job_queue_length.total\" " + }, + "formatter": "number", + "hide_in_legend": 1, + "id": "9c837802-f84e-11ea-8b5e-ef886d2383c6", + "label": "Avg Job Queue Length", + "line_width": 1, + "metrics": [ + { + "id": "9c84e098-f84e-11ea-b8dc-ff0b80823e94", + "type": "count" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "cloudfoundry.value.value", + "terms_order_by": "_count" + } + ], + "show_grid": 1, + "show_legend": 0, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Job queue [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9ca9737c-f84e-11ea-b8a5-9f245d6f7121", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "Wzk1LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Diego cell Top CPU user usage [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(244,78,59,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "gt", + "value": 60000 + } + ], + "bar_color_rules": [ + { + "bar_color": "rgba(104,188,0,1)", + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401", + "operator": "lt", + "value": 65 + }, + { + "bar_color": "rgba(252,220,0,1)", + "id": "9c87c1f0-f84e-11ea-abf6-9bcf7a4dd500", + "operator": "gte", + "value": 65 + }, + { + "bar_color": "rgba(244,78,59,1)", + "id": "9c95f1b2-f84e-11ea-9ca9-53ceca17b640", + "operator": "gt", + "value": 75 + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drilldown_url": "", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: cloudfoundry and cloudfoundry.envelope.origin :\"bosh-system-metrics-forwarder\"" + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"system.cpu.user\" " + }, + "formatter": "number", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Max CPU utilization (Load)", + "line_width": "2", + "metrics": [ + { + "agg_with": "avg", + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "order": "desc", + "size": 1, + "type": "avg" + } + ], + "offset_time": "", + "point_size": "4", + "separate_axis": 0, + "split_color_mode": "rainbow", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_field": "cloudfoundry.envelope.job", + "terms_include": "", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "type": "top_n" + }, + "title": "Top CPU user usage [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9c9f12b0-f84e-11ea-bfe0-8f64de3dbbbd", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "Wzk2LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Top ephemeral disk usage [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(244,78,59,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "gt", + "value": 60000 + } + ], + "bar_color_rules": [ + { + "bar_color": "rgba(104,188,0,1)", + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401", + "operator": "lt", + "value": 65 + }, + { + "bar_color": "rgba(252,220,0,1)", + "id": "9c87c1f0-f84e-11ea-abf6-9bcf7a4dd500", + "operator": "gte", + "value": 65 + }, + { + "bar_color": "rgba(244,78,59,1)", + "id": "9c95f1b2-f84e-11ea-9ca9-53ceca17b640", + "operator": "gt", + "value": 75 + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drilldown_url": "", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: cloudfoundry and cloudfoundry.envelope.origin :\"bosh-system-metrics-forwarder\"" + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"system.disk.ephemeral.percent\" " + }, + "formatter": "00.00", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Top Max Ephemeral Disk Usage (%)", + "line_width": "2", + "metrics": [ + { + "agg_with": "avg", + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "order": "desc", + "size": 1, + "type": "max" + } + ], + "offset_time": "", + "point_size": "4", + "separate_axis": 0, + "split_color_mode": "rainbow", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_field": "cloudfoundry.envelope.job", + "terms_include": "", + "terms_order_by": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "timeseries", + "value_template": "{{value}} %" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "top_n" + }, + "title": "Top ephemeral disk usage [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9c5e5c7a-f84e-11ea-9c79-3f5f46484ce3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "Wzk3LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Top persistent disk usage [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(244,78,59,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "gt", + "value": 60000 + } + ], + "bar_color_rules": [ + { + "bar_color": "rgba(104,188,0,1)", + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401", + "operator": "lt", + "value": 65 + }, + { + "bar_color": "rgba(252,220,0,1)", + "id": "9c87c1f0-f84e-11ea-abf6-9bcf7a4dd500", + "operator": "gte", + "value": 65 + }, + { + "bar_color": "rgba(244,78,59,1)", + "id": "9c95f1b2-f84e-11ea-9ca9-53ceca17b640", + "operator": "gt", + "value": 75 + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drilldown_url": "", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: cloudfoundry and cloudfoundry.envelope.origin :\"bosh-system-metrics-forwarder\"" + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"system.disk.persistent.percent\" " + }, + "formatter": "00.00", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Top Max Ephemeral Disk Usage (%)", + "line_width": "2", + "metrics": [ + { + "agg_with": "avg", + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "order": "desc", + "size": 1, + "type": "max" + } + ], + "offset_time": "", + "point_size": "4", + "separate_axis": 0, + "split_color_mode": "rainbow", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_field": "cloudfoundry.envelope.job", + "terms_include": "", + "terms_order_by": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "timeseries", + "value_template": "{{value}} %" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "type": "top_n" + }, + "title": "Top persistent disk usage [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9c975020-f84e-11ea-9d35-0ba5b289cee7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "Wzk4LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Doppler health [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(104,188,0,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "gte", + "value": 1 + }, + { + "id": "9c6cce9a-f84e-11ea-9fea-039104d18522", + "operator": "lt", + "value": 1 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: cloudfoundry and cloudfoundry.envelope.origin :\"bosh-system-metrics-forwarder\" and cloudfoundry.envelope.job :\"doppler\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"system.healthy\"" + }, + "formatter": "percent", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Doppler", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "4", + "separate_axis": 0, + "split_color_mode": "rainbow", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": null, + "terms_include": "", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "type": "metric" + }, + "title": "Doppler health [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9caafdaa-f84e-11ea-8c78-43aac4b09aa5", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "Wzk5LDFd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Router health [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(104,188,0,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "gte", + "value": 1 + }, + { + "id": "9c6cce9a-f84e-11ea-9fea-039104d18522", + "operator": "lt", + "value": 1 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: cloudfoundry and cloudfoundry.envelope.origin :\"bosh-system-metrics-forwarder\" and cloudfoundry.envelope.job :\"router\"" + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"system.healthy\"" + }, + "formatter": "percent", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Router", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "4", + "separate_axis": 0, + "split_color_mode": "rainbow", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": null, + "terms_include": "", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Router health [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9c7b602c-f84e-11ea-8762-e7aef60b5522", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzEwMCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Backup-Restore health [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(104,188,0,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "gte", + "value": 1 + }, + { + "id": "9c6cce9a-f84e-11ea-9fea-039104d18522", + "operator": "lt", + "value": 1 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: cloudfoundry and cloudfoundry.envelope.origin :\"bosh-system-metrics-forwarder\" and cloudfoundry.envelope.job :\"backup_restore\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"system.healthy\"" + }, + "formatter": "percent", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Backup-Restore", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "4", + "separate_axis": 0, + "split_color_mode": "rainbow", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": null, + "terms_include": "", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Backup-Restore health [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9cb33038-f84e-11ea-8929-07701f2b1c26", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzEwMSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Diego Brain health [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(104,188,0,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "gte", + "value": 1 + }, + { + "id": "9c6cce9a-f84e-11ea-9fea-039104d18522", + "operator": "lt", + "value": 1 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: cloudfoundry and cloudfoundry.envelope.origin :\"bosh-system-metrics-forwarder\" and cloudfoundry.envelope.job :\"diego_brain\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"system.healthy\"" + }, + "formatter": "percent", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Diego Brain", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "4", + "separate_axis": 0, + "split_color_mode": "rainbow", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": null, + "terms_include": "", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Diego Brain health [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9ca526aa-f84e-11ea-aad5-ef2777854f3d", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzEwMiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Diego cell health [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(104,188,0,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "gte", + "value": 1 + }, + { + "background_color": "rgba(252,220,0,1)", + "color": null, + "id": "9c6cce9a-f84e-11ea-9fea-039104d18522", + "operator": "lt", + "value": 1 + }, + { + "background_color": "rgba(244,78,59,1)", + "color": null, + "id": "9cb7224c-f84e-11ea-aedc-27587a803e41", + "operator": "lt", + "value": 0.5 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: cloudfoundry and cloudfoundry.envelope.origin :\"bosh-system-metrics-forwarder\" and cloudfoundry.envelope.job :\"diego_cell\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"system.healthy\"" + }, + "formatter": "percent", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Diego cell", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "4", + "separate_axis": 0, + "split_color_mode": "rainbow", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": null, + "terms_include": "", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Diego cell health [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9caf798e-f84e-11ea-ac4b-4795663aee6b", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzEwMywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Outstanding Requests [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(244,78,59,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "gt", + "value": 60000 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: cloudfoundry and cloudfoundry.envelope.origin :\"cc\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"requests.outstanding\"" + }, + "formatter": "number", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Avg Oustanding Requests", + "line_width": "1", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "rainbow", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": null, + "terms_include": "", + "type": "timeseries", + "value_template": "" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "tooltip_mode": "show_all", + "type": "timeseries" + }, + "title": "Outstanding Requests [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9cbb8cd8-f84e-11ea-9a20-af708256c3a9", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzEwNCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Diego cell time to sync [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(104,188,0,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "lt", + "value": 10000000000 + }, + { + "background_color": "rgba(252,220,0,1)", + "id": "9cb134b8-f84e-11ea-9fd8-cb6a1b33696f", + "operator": "gte", + "value": 10000000000 + }, + { + "background_color": "rgba(244,78,59,1)", + "id": "9cb588d8-f84e-11ea-af5a-c3012766d944", + "operator": "gt", + "value": 15000000000 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: cloudfoundry and cloudfoundry.envelope.origin :\"rep\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(115,216,255,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"RepBulkSyncDuration\"" + }, + "formatter": "ns,s,2", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Max Cell Rep Time to Sync", + "line_width": "01", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "max" + } + ], + "offset_time": "", + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "cf.envelope.deployment", + "terms_include": "", + "terms_order_by": "_key", + "type": "timeseries", + "value_template": "{{value}} s" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Diego cell time to sync [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9c69684a-f84e-11ea-bf59-4bba486da283", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzEwNSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Diego cell Missing LRPs [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(104,188,0,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "lt", + "value": 5 + }, + { + "background_color": "rgba(252,220,0,1)", + "id": "9cb134b8-f84e-11ea-9fd8-cb6a1b33696f", + "operator": "gte", + "value": 5 + }, + { + "background_color": "rgba(244,78,59,1)", + "id": "9cb588d8-f84e-11ea-af5a-c3012766d944", + "operator": "gt", + "value": 10 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and cloudfoundry.envelope.origin :\"bbs\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(115,216,255,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"LRPsMissing\" " + }, + "formatter": "number", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Max Missing LRPs", + "line_width": "01", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "cf.envelope.deployment", + "terms_include": "", + "terms_order_by": "_key", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Diego cell Missing LRPs [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9c93270c-f84e-11ea-8b23-c7a1cc31369e", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzEwNiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Diego cell fetch state times [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(104,188,0,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "lt", + "value": 5000000000 + }, + { + "background_color": "rgba(252,220,0,1)", + "id": "9cb134b8-f84e-11ea-9fd8-cb6a1b33696f", + "operator": "gte", + "value": 5000000000 + }, + { + "background_color": "rgba(244,78,59,1)", + "id": "9cb588d8-f84e-11ea-af5a-c3012766d944", + "operator": "gt", + "value": 10000000000 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and cloudfoundry.envelope.origin :\"auctioneer\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(115,216,255,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"AuctioneerFetchStatesDuration\" " + }, + "formatter": "ns,s,", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Max fetch cell state times", + "line_width": "01", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "max" + } + ], + "offset_time": "", + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "cf.envelope.deployment", + "terms_include": "", + "terms_order_by": "_key", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Diego cell fetch state times [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9c7328ee-f84e-11ea-9259-772ddb1805fb", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzEwNywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Diego cell Apps domain freshness [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(104,188,0,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "gte", + "value": 0.9 + }, + { + "background_color": "rgba(252,220,0,1)", + "id": "9cb134b8-f84e-11ea-9fd8-cb6a1b33696f", + "operator": "lte", + "value": 0.9 + }, + { + "background_color": "rgba(244,78,59,1)", + "id": "9cb588d8-f84e-11ea-af5a-c3012766d944", + "operator": "lt", + "value": 0.8 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and cloudfoundry.envelope.origin :\"bbs\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(115,216,255,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"Domain.cf-apps\" " + }, + "formatter": "percent", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Avg 'cf-apps' Domain Freshness", + "line_width": "01", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "cf.envelope.deployment", + "terms_include": "", + "terms_order_by": "_key", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": null, + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Diego-cell Apps domain freshness [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9c99314c-f84e-11ea-92d5-9bcd6abdce0f", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzEwOCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Diego cell Router emitter sync duration [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(104,188,0,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "lt", + "value": 10000000000 + }, + { + "background_color": "rgba(252,220,0,1)", + "id": "9cb134b8-f84e-11ea-9fd8-cb6a1b33696f", + "operator": "gte", + "value": 10000000000 + }, + { + "background_color": "rgba(244,78,59,1)", + "id": "9cb588d8-f84e-11ea-af5a-c3012766d944", + "operator": "gt", + "value": 20000000000 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and cloudfoundry.envelope.origin :\"route_emitter\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(115,216,255,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"RouteEmitterSyncDuration\" " + }, + "formatter": "ns,s,", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Max Router emitter sync duration", + "line_width": "01", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "max" + } + ], + "offset_time": "", + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "cf.envelope.deployment", + "terms_include": "", + "terms_order_by": "_key", + "type": "timeseries", + "value_template": "{{value}} s" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Diego cell Router emitter sync duration [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9c635824-f84e-11ea-9b02-735b8407166a", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzEwOSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Diego cell convergence LRP duration [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(104,188,0,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "lt", + "value": 10000000000 + }, + { + "background_color": "rgba(252,220,0,1)", + "id": "9cb134b8-f84e-11ea-9fd8-cb6a1b33696f", + "operator": "gte", + "value": 10000000000 + }, + { + "background_color": "rgba(244,78,59,1)", + "id": "9cb588d8-f84e-11ea-af5a-c3012766d944", + "operator": "gt", + "value": 20000000000 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and cloudfoundry.envelope.origin :\"bbs\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(115,216,255,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"ConvergenceLRPDuration\" " + }, + "formatter": "ns,s,", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Max Convergence LRP Duration", + "line_width": "01", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "max" + } + ], + "offset_time": "", + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "cf.envelope.deployment", + "terms_include": "", + "terms_order_by": "_key", + "type": "timeseries", + "value_template": "{{value}} s" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Diego cell convergence LRP duration [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9caddb24-f84e-11ea-b008-df9bd2aed7cc", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzExMCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "GoRouter latency PAS [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(244,78,59,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "gt", + "value": 60000 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and cloudfoundry.envelope.origin :\"gorouter\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(123,100,255,1)", + "fill": "0.2", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"latency\"" + }, + "formatter": "number", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "GoRouter latency", + "line_width": "01", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "rainbow", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_field": "cloudfoundry.envelope.deployment", + "terms_include": "", + "terms_order_by": "_key", + "type": "timeseries", + "value_template": "{{value}} ms" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "GoRouter latency PAS [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9c58b248-f84e-11ea-87a9-67d346210280", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzExMSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Diego cell rep time to sync [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(244,78,59,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "gt", + "value": 60000 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and cloudfoundry.envelope.origin :\"rep\"" + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(115,216,255,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"RepBulkSyncDuration\"" + }, + "formatter": "ns,ms,2", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Cell Rep Time to Sync", + "line_width": "01", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_field": "cloudfoundry.envelope.deployment", + "terms_include": "", + "terms_order_by": "_key", + "type": "timeseries", + "value_template": "{{value}} ms" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Diego cell rep time to sync [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9ca805fa-f84e-11ea-ab90-2b00dd50450c", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzExMiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Diego cell total disk [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "id": "9c8666fc-f84e-11ea-a43e-0f7a3a14396c" + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and cloudfoundry.envelope.origin :\"rep\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(115,216,255,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"CapacityTotalDisk\" " + }, + "formatter": "0,0", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Total Disk", + "line_width": "01", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "cloudfoundry.envelope.ip", + "terms_include": "", + "terms_order_by": "_key", + "type": "timeseries", + "value_template": "{{value}} MiB" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "type": "metric" + }, + "title": "Diego cell total disk [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9c89336e-f84e-11ea-bbcd-23e329286ac7", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzExMywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Diego cell total memory [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "id": "9c8666fc-f84e-11ea-a43e-0f7a3a14396c" + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and cloudfoundry.envelope.origin :\"rep\"" + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(115,216,255,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"CapacityTotalMemory\" " + }, + "formatter": "bytes", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Total Memory", + "line_width": "01", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "avg" + }, + { + "id": "9c9ac4da-f84e-11ea-8efa-7393d43821d0", + "script": "params.megabytes * 1024 * 1024", + "type": "math", + "variables": [ + { + "field": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "id": "9c9c36e4-f84e-11ea-bba1-abb4ba65473f", + "name": "megabytes" + } + ] + } + ], + "offset_time": "", + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "cloudfoundry.value.value", + "terms_include": "", + "terms_order_by": "_key", + "type": "timeseries", + "value_template": "" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "type": "metric" + }, + "title": "Diego cell total memory [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9c9d9c14-f84e-11ea-a575-a30e017a09e9", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzExNCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Diego cell CPU utilization load [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(244,78,59,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "gt", + "value": 60000 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and cloudfoundry.envelope.origin :\"bosh-system-metrics-forwarder\"" + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"system.cpu.user\" " + }, + "formatter": "number", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Max CPU utilization Load", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "max" + } + ], + "offset_time": "", + "point_size": "4", + "separate_axis": 0, + "split_color_mode": "rainbow", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": null, + "terms_include": "", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "tooltip_mode": "show_all", + "type": "timeseries" + }, + "title": "Diego cell CPU utilization load [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9c8ed8fa-f84e-11ea-b20d-bb82d7a8e05d", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzExNSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Diego cell remaining disk [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "id": "9c8666fc-f84e-11ea-a43e-0f7a3a14396c" + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and cloudfoundry.envelope.origin : \"rep\"" + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(115,216,255,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"CapacityRemainingDisk\" " + }, + "formatter": "bytes", + "hidden": false, + "hide_in_legend": 1, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Remaining Disk", + "line_width": "01", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "avg" + }, + { + "id": "9c79728a-f84e-11ea-a0b0-cbbc2af24ed3", + "script": "params.megabytes * 1024 * 1024", + "type": "math", + "variables": [ + { + "field": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "id": "9c8030c0-f84e-11ea-acf6-13a6b4ddcd67", + "name": "megabytes" + } + ] + } + ], + "offset_time": "", + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_field": "cloudfoundry.envelope.ip", + "terms_include": "", + "terms_order_by": "_key", + "type": "timeseries", + "value_template": "" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "type": "timeseries" + }, + "title": "Diego cell remaining disk [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9c948fb6-f84e-11ea-96f5-dff115716ba4", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzExNiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Diego cell available memory by cell [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(244,78,59,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "gt", + "value": 60000 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and cloudfoundry.envelope.origin :\"rep\"" + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"CapacityRemainingMemory\"" + }, + "formatter": "bytes", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Available memory by cell", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "avg" + }, + { + "id": "9ca088ac-f84e-11ea-86ca-0f96c7565718", + "script": "params.megabytes*1024*1024", + "type": "math", + "variables": [ + { + "field": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "id": "9ca214c4-f84e-11ea-a6d7-0b115dba93eb", + "name": "megabytes" + } + ] + } + ], + "offset_time": "", + "point_size": "4", + "separate_axis": 0, + "split_color_mode": "rainbow", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_direction": "asc", + "terms_field": "cloudfoundry.envelope.ip", + "terms_include": "", + "terms_order_by": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "timeseries", + "value_template": "" + } + ], + "show_grid": 0, + "show_legend": 0, + "time_field": "@timestamp", + "tooltip_mode": "show_all", + "type": "timeseries" + }, + "title": "Diego cell available memory by cell [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9cac69e2-f84e-11ea-b8d4-4b40313a5eb0", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzExNywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "GoRouter total routes [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(244,78,59,1)", + "color": null, + "id": "9c7cf130-f84e-11ea-bdee-833d96fe1a00", + "operator": "gt", + "value": 60000 + } + ], + "bar_color_rules": [ + { + "id": "9cb8a18a-f84e-11ea-bd11-836ecccfc401" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and cloudfoundry.envelope.origin :\"gorouter\"" + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "9ca68d56-f84e-11ea-a6bb-f3164c0bb859", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "9c8aab7c-f84e-11ea-b4a3-e31a518913fa", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(123,100,255,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"total_routes\"" + }, + "formatter": "number", + "hidden": false, + "hide_in_legend": 0, + "id": "9c8c18f4-f84e-11ea-97ff-b32117553dae", + "label": "Total routes (ISO)", + "line_width": "01", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9c8d7514-f84e-11ea-9457-93fdc9395544", + "type": "sum" + } + ], + "offset_time": "", + "point_size": "1.5", + "separate_axis": 0, + "split_color_mode": "rainbow", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9c753c7e-f84e-11ea-96e9-33ff984da2c7", + "label": "" + } + ], + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_field": "cloudfoundry.envelope.index", + "terms_include": "", + "terms_order_by": "_key", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "GoRouter total routes [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9c77cf84-f84e-11ea-a3ff-7f7f73eabd57", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:06.273Z", + "version": "WzExOCwxXQ==" + } + ], + "version": "7.9.0" +} diff --git a/x-pack/metricbeat/module/cloudfoundry/_meta/kibana/7/dashboard/Metricbeat-cloudfoundry-platform-health.json b/x-pack/metricbeat/module/cloudfoundry/_meta/kibana/7/dashboard/Metricbeat-cloudfoundry-platform-health.json new file mode 100644 index 00000000000..e95d7a62450 --- /dev/null +++ b/x-pack/metricbeat/module/cloudfoundry/_meta/kibana/7/dashboard/Metricbeat-cloudfoundry-platform-health.json @@ -0,0 +1,4385 @@ +{ + "objects": [ + { + "attributes": { + "description": "Cloud Foundry platform health", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 8, + "i": "1", + "w": 4, + "x": 15, + "y": 2 + }, + "panelIndex": "1", + "panelRefName": "panel_0", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 9, + "i": "8", + "w": 5, + "x": 38, + "y": 36 + }, + "panelIndex": "8", + "panelRefName": "panel_1", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 9, + "i": "9", + "w": 5, + "x": 33, + "y": 36 + }, + "panelIndex": "9", + "panelRefName": "panel_2", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 9, + "i": "11", + "w": 5, + "x": 43, + "y": 36 + }, + "panelIndex": "11", + "panelRefName": "panel_3", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 8, + "i": "13", + "w": 15, + "x": 0, + "y": 2 + }, + "panelIndex": "13", + "panelRefName": "panel_4", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "14", + "w": 7, + "x": 26, + "y": 10 + }, + "panelIndex": "14", + "panelRefName": "panel_5", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "15", + "w": 7, + "x": 19, + "y": 23 + }, + "panelIndex": "15", + "panelRefName": "panel_6", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "16", + "w": 5, + "x": 0, + "y": 27 + }, + "panelIndex": "16", + "panelRefName": "panel_7", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "17", + "w": 5, + "x": 10, + "y": 27 + }, + "panelIndex": "17", + "panelRefName": "panel_8", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "18", + "w": 5, + "x": 5, + "y": 27 + }, + "panelIndex": "18", + "panelRefName": "panel_9", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Applications availability" + }, + "gridData": { + "h": 10, + "i": "19", + "w": 19, + "x": 0, + "y": 17 + }, + "panelIndex": "19", + "panelRefName": "panel_10", + "title": "Applications availability", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 8, + "i": "26", + "w": 14, + "x": 19, + "y": 2 + }, + "panelIndex": "26", + "panelRefName": "panel_11", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Director health check" + }, + "gridData": { + "h": 9, + "i": "28", + "w": 14, + "x": 19, + "y": 36 + }, + "panelIndex": "28", + "panelRefName": "panel_12", + "title": "Director health check", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Test results" + }, + "gridData": { + "h": 12, + "i": "29", + "w": 19, + "x": 0, + "y": 33 + }, + "panelIndex": "29", + "panelRefName": "panel_13", + "title": "Test results", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Top CPU user deployment" + }, + "gridData": { + "h": 16, + "i": "30", + "w": 15, + "x": 33, + "y": 2 + }, + "panelIndex": "30", + "panelRefName": "panel_14", + "title": "Top CPU user deployment", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Top persistent disk deployment" + }, + "gridData": { + "h": 18, + "i": "31", + "w": 15, + "x": 33, + "y": 18 + }, + "panelIndex": "31", + "panelRefName": "panel_15", + "title": "Top persistent disk deployment", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "36", + "w": 7, + "x": 19, + "y": 10 + }, + "panelIndex": "36", + "panelRefName": "panel_16", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "37", + "w": 7, + "x": 26, + "y": 23 + }, + "panelIndex": "37", + "panelRefName": "panel_17", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "38", + "w": 4, + "x": 24, + "y": 17 + }, + "panelIndex": "38", + "panelRefName": "panel_18", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "39", + "w": 4, + "x": 24, + "y": 30 + }, + "panelIndex": "39", + "panelRefName": "panel_19", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "41", + "w": 5, + "x": 19, + "y": 30 + }, + "panelIndex": "41", + "panelRefName": "panel_20", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "42", + "w": 5, + "x": 28, + "y": 30 + }, + "panelIndex": "42", + "panelRefName": "panel_21", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "43", + "w": 5, + "x": 28, + "y": 17 + }, + "panelIndex": "43", + "panelRefName": "panel_22", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "44", + "w": 5, + "x": 19, + "y": 17 + }, + "panelIndex": "44", + "panelRefName": "panel_23", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "46", + "w": 5, + "x": 0, + "y": 10 + }, + "panelIndex": "46", + "panelRefName": "panel_24", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "47", + "w": 5, + "x": 10, + "y": 10 + }, + "panelIndex": "47", + "panelRefName": "panel_25", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "48", + "w": 5, + "x": 5, + "y": 10 + }, + "panelIndex": "48", + "panelRefName": "panel_26", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 2, + "i": "f770c0d9-bc9a-4250-ad73-35a8cae0bcda", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "f770c0d9-bc9a-4250-ad73-35a8cae0bcda", + "panelRefName": "panel_27", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 7, + "i": "8a83ab84-5aa6-4e68-97cc-fd8be2b65eb5", + "w": 4, + "x": 15, + "y": 10 + }, + "panelIndex": "8a83ab84-5aa6-4e68-97cc-fd8be2b65eb5", + "panelRefName": "panel_28", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 6, + "i": "fbd35912-3c3a-4ab9-878c-b68b598df8f0", + "w": 4, + "x": 15, + "y": 27 + }, + "panelIndex": "fbd35912-3c3a-4ab9-878c-b68b598df8f0", + "panelRefName": "panel_29", + "version": "7.9.0" + } + ], + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-1h", + "timeRestore": true, + "timeTo": "now", + "title": "[Metricbeat Cloud Foundry] Platform Health", + "version": 1 + }, + "id": "94364424-f851-11ea-8206-7b08cd60917a", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "93acc294-f851-11ea-a97a-53f837470423", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "93f27abe-f851-11ea-90c1-670adf08e026", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "93d1bce8-f851-11ea-9e6c-e3a6ffa65309", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "93f86eec-f851-11ea-9ae8-ff70f6c28f02", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "93f59bb8-f851-11ea-ab86-6757c64f8446", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "93d3c40c-f851-11ea-ab6c-2b7686d129ce", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "93edb394-f851-11ea-af40-bbda53487783", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "9398519c-f851-11ea-9d16-0345f5e91a95", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "93c2c184-f851-11ea-93fb-fb88ecfdafdb", + "name": "panel_8", + "type": "visualization" + }, + { + "id": "94200db2-f851-11ea-a8fa-9bfadc17852f", + "name": "panel_9", + "type": "visualization" + }, + { + "id": "93d9d39c-f851-11ea-b957-3f002cacae67", + "name": "panel_10", + "type": "visualization" + }, + { + "id": "939a9380-f851-11ea-9a72-a3f185bef2c4", + "name": "panel_11", + "type": "visualization" + }, + { + "id": "943dcad2-f851-11ea-8923-93b64d3cea46", + "name": "panel_12", + "type": "visualization" + }, + { + "id": "93c03f18-f851-11ea-8da1-eb649369fefa", + "name": "panel_13", + "type": "visualization" + }, + { + "id": "9430406a-f851-11ea-a96e-efef958606c3", + "name": "panel_14", + "type": "visualization" + }, + { + "id": "93fd890e-f851-11ea-96db-8342eb689011", + "name": "panel_15", + "type": "visualization" + }, + { + "id": "93dcb238-f851-11ea-8c49-fb9deba7fc48", + "name": "panel_16", + "type": "visualization" + }, + { + "id": "93e0d7d2-f851-11ea-a8ea-ab5761cc3b1c", + "name": "panel_17", + "type": "visualization" + }, + { + "id": "94402c0a-f851-11ea-b3d4-f3815d5ef910", + "name": "panel_18", + "type": "visualization" + }, + { + "id": "937d5f4a-f851-11ea-9321-07e4098558b1", + "name": "panel_19", + "type": "visualization" + }, + { + "id": "93deea94-f851-11ea-8186-777cfa34f466", + "name": "panel_20", + "type": "visualization" + }, + { + "id": "938e9490-f851-11ea-9fc4-93d53dd1c7c1", + "name": "panel_21", + "type": "visualization" + }, + { + "id": "943b6bf2-f851-11ea-99e0-b300881da4b1", + "name": "panel_22", + "type": "visualization" + }, + { + "id": "9417ef10-f851-11ea-bc5c-cbb3bfb4dc2a", + "name": "panel_23", + "type": "visualization" + }, + { + "id": "9398519c-f851-11ea-9d16-0345f5e91a95", + "name": "panel_24", + "type": "visualization" + }, + { + "id": "93a42468-f851-11ea-8393-7791ef366bdd", + "name": "panel_25", + "type": "visualization" + }, + { + "id": "9379c90c-f851-11ea-8313-f3c659aaac21", + "name": "panel_26", + "type": "visualization" + }, + { + "id": "f771b65c-f8d0-11ea-bf74-8bbda818957f", + "name": "panel_27", + "type": "visualization" + }, + { + "id": "9410e9ea-f851-11ea-b70d-9bda9c286e02", + "name": "panel_28", + "type": "visualization" + }, + { + "id": "93911f12-f851-11ea-9a0a-bb5ff28cf81a", + "name": "panel_29", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-09-17T10:34:14.592Z", + "version": "WzE1MCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Average push time [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "background_color": "rgba(244,78,59,1)", + "color": null, + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 60000 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset : \"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"health.check.cliCommand.pushTime\"" + }, + "formatter": "ms,s,2", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "Avg Push Time", + "line_width": 1, + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "", + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "terms_field": "name.keyword", + "terms_include": "", + "value_template": "{{value}} s" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "metric" + }, + "title": "Average push time [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "93acc294-f851-11ea-a97a-53f837470423", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEyMCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "VM ephemeral disk used [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "background_color": "rgba(244,78,59,1)", + "color": "rgba(255,255,255,1)", + "id": "93d69f74-f851-11ea-b007-0bb1f816b4f3", + "operator": "gt", + "value": 70 + }, + { + "background_color": "rgba(252,220,0,1)", + "color": "rgba(255,255,255,1)", + "id": "93a1a36e-f851-11ea-840a-4ff3b85fd2ce", + "operator": "gt", + "value": 50 + }, + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "93ce25ba-f851-11ea-a28d-3339e0be69a9", + "operator": "lte", + "value": 50 + } + ], + "bar_color_rules": [ + { + "id": "93a6b4d0-f851-11ea-9ff5-af33dba0a2b7" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset: \"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93941cda-f851-11ea-8449-bf49cca008e8", + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "1", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name:\"system.disk.ephemeral.percent\"" + }, + "formatter": "00.00", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "Ephemeral Disk Used", + "line_width": 1, + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9377407e-f851-11ea-a918-ab9d33748fd4" + } + ], + "split_mode": "everything", + "stacked": "none", + "value_template": "{{value}} %" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "VM ephemeral disk used [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "93f27abe-f851-11ea-90c1-670adf08e026", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEyMSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "VM disk used [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "background_color": "rgba(244,78,59,1)", + "color": "rgba(255,255,255,1)", + "id": "93d69f74-f851-11ea-b007-0bb1f816b4f3", + "operator": "gt", + "value": 70 + }, + { + "background_color": "rgba(252,220,0,1)", + "color": "rgba(255,255,255,1)", + "id": "93a1a36e-f851-11ea-840a-4ff3b85fd2ce", + "operator": "gt", + "value": 50 + }, + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "93ce25ba-f851-11ea-a28d-3339e0be69a9", + "operator": "lte", + "value": 50 + } + ], + "bar_color_rules": [ + { + "id": "93a6b4d0-f851-11ea-9ff5-af33dba0a2b7" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset:\"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93941cda-f851-11ea-8449-bf49cca008e8", + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "1", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name:\"system.disk.system.percent\"" + }, + "formatter": "00.00", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "VM Disk Used", + "line_width": 1, + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9377407e-f851-11ea-a918-ab9d33748fd4" + } + ], + "split_mode": "everything", + "stacked": "none", + "value_template": "{{value}} %" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "VM disk used [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "93d1bce8-f851-11ea-9e6c-e3a6ffa65309", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEyMiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "VM persistent disk used [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "background_color": "rgba(244,78,59,1)", + "color": "rgba(255,255,255,1)", + "id": "93d69f74-f851-11ea-b007-0bb1f816b4f3", + "operator": "gt", + "value": 70 + }, + { + "background_color": "rgba(252,220,0,1)", + "color": "rgba(255,255,255,1)", + "id": "93a1a36e-f851-11ea-840a-4ff3b85fd2ce", + "operator": "gt", + "value": 50 + }, + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "93ce25ba-f851-11ea-a28d-3339e0be69a9", + "operator": "lte", + "value": 50 + } + ], + "bar_color_rules": [ + { + "id": "93a6b4d0-f851-11ea-9ff5-af33dba0a2b7" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset:\"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93941cda-f851-11ea-8449-bf49cca008e8", + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "1", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name:\"system.disk.persistent.percent\"" + }, + "formatter": "00.00", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "Persistent Disk Used", + "line_width": 1, + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "9377407e-f851-11ea-a918-ab9d33748fd4" + } + ], + "split_mode": "everything", + "stacked": "none", + "value_template": "{{value}} %" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "VM persistent disk used [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "93f86eec-f851-11ea-9ae8-ff70f6c28f02", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEyMywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Average push time line [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(244,78,59,1)", + "color": null, + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 60000 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset : \"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=5m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"health.check.cliCommand.pushTime\" " + }, + "formatter": "ms,s,2", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "Avg Push Time", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "type": "timeseries", + "value_template": "{{value}} s" + }, + { + "axis_max": "1", + "axis_min": "-1", + "axis_position": "left", + "chart_type": "line", + "color": "rgba(101,50,148,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"health.check.cliCommand.push\"" + }, + "formatter": "number", + "id": "93e9e1c4-f851-11ea-a721-73ca515dcf70", + "label": "Push Success", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93ebe050-f851-11ea-ba43-0f6c8946c755", + "type": "avg" + } + ], + "point_size": "2", + "separate_axis": 1, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Average push time line [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "93f59bb8-f851-11ea-ab86-6757c64f8446", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEyNCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Total disk 6GB free chunks [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 100 + }, + { + "background_color": "rgba(252,220,0,1)", + "color": "rgba(255,255,255,1)", + "id": "93c76824-f851-11ea-b59a-ebcfb7da714a", + "operator": "lte", + "value": 100 + }, + { + "background_color": "rgba(244,78,59,1)", + "id": "93cfeee0-f851-11ea-b302-1f22d9deae5a", + "operator": "lte", + "value": 50 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset : \"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"Diego.AvailableFreeChunksDisk\"" + }, + "formatter": "'0,0'", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "Available 6GB Free Disk Chunks", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "1", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Total disk 6GB disk chunks [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "93d3c40c-f851-11ea-ab6c-2b7686d129ce", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEyNSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "ISO memory 4GB free chunks [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 20 + }, + { + "background_color": "rgba(252,220,0,1)", + "color": "rgba(255,255,255,1)", + "id": "93e80d0e-f851-11ea-ae0c-6f6e897b08b1", + "operator": "lte", + "value": 20 + }, + { + "background_color": "rgba(244,78,59,1)", + "id": "9374752e-f851-11ea-ad9f-cfee9493e6eb", + "operator": "lte", + "value": 15 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset: \"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=5m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"Diego.AvailableFreeChunks\" and cloudfoundry.envelope.deployment: p-isolation-segment*" + }, + "formatter": "'0,0'", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "ISO 4GB Free Memory Chunks", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "min" + } + ], + "offset_time": "", + "point_size": "1", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "last_value", + "type": "metric" + }, + "title": "ISO memory 4GB free chunks [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "93edb394-f851-11ea-af40-bbda53487783", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEyNiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Pushes past hour [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 0.95 + }, + { + "background_color": "rgba(244,78,59,1)", + "color": "rgba(255,255,255,1)", + "id": "93c76824-f851-11ea-b59a-ebcfb7da714a", + "operator": "lte", + "value": 0.95 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset: \"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"health.check.CanaryApp.available\" " + }, + "formatter": "percent", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "Past Hour", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "1h", + "point_size": "1", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Pushes past hour [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9398519c-f851-11ea-9d16-0345f5e91a95", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEyNywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Applications availability past month [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 0.95 + }, + { + "background_color": "rgba(244,78,59,1)", + "color": "rgba(255,255,255,1)", + "id": "93c76824-f851-11ea-b59a-ebcfb7da714a", + "operator": "lte", + "value": 0.95 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset:\"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"health.check.CanaryApp.available\"" + }, + "formatter": "percent", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "Past Month", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "1M", + "point_size": "1", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Applications availability past month [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "93c2c184-f851-11ea-93fb-fb88ecfdafdb", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEyOCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Applications availability past day [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 0.95 + }, + { + "background_color": "rgba(244,78,59,1)", + "color": "rgba(255,255,255,1)", + "id": "93c76824-f851-11ea-b59a-ebcfb7da714a", + "operator": "lte", + "value": 0.95 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset:\"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"health.check.CanaryApp.available\"" + }, + "formatter": "percent", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "Past Day", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "1d", + "point_size": "1", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Applications availability past day [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "94200db2-f851-11ea-a8fa-9bfadc17852f", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEyOSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Applications availability line [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_max": "1", + "axis_min": "", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 0.95 + }, + { + "background_color": "rgba(244,78,59,1)", + "color": "rgba(255,255,255,1)", + "id": "93c76824-f851-11ea-b59a-ebcfb7da714a", + "operator": "lte", + "value": 0.95 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset: \"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"health.check.CanaryApp.available\"" + }, + "formatter": "percent", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "App Availability", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 0, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Applications availability line [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "93d9d39c-f851-11ea-b957-3f002cacae67", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEzMCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "System CPU load [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(244,78,59,1)", + "color": null, + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 60000 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset: \"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"system.cpu.sys\" " + }, + "formatter": "number", + "hidden": false, + "hide_in_legend": 0, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "System CPU Load", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "rainbow", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "type": "timeseries", + "value_template": "" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "System CPU load [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "939a9380-f851-11ea-9a72-a3f185bef2c4", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEzMSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Director health check [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_max": "1", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 0.95 + }, + { + "background_color": "rgba(244,78,59,1)", + "color": "rgba(255,255,255,1)", + "id": "93c76824-f851-11ea-b59a-ebcfb7da714a", + "operator": "lte", + "value": 0.95 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset: \"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(30,125,77,0.84)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"health.check.bosh.director.probe.available\" " + }, + "formatter": "percent", + "hidden": false, + "hide_in_legend": 0, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "Director Probe Availability", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "type": "timeseries", + "value_template": "{{value}}" + } + ], + "show_grid": 0, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Director health check [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "943dcad2-f851-11ea-8923-93b64d3cea46", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEzMiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Test results [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_max": "1", + "axis_min": "", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 0.95 + }, + { + "background_color": "rgba(244,78,59,1)", + "color": "rgba(255,255,255,1)", + "id": "93c76824-f851-11ea-b59a-ebcfb7da714a", + "operator": "lte", + "value": 0.95 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset:\"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=5m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_max": "1", + "axis_min": "-1", + "axis_position": "left", + "chart_type": "line", + "color": "rgba(30,125,77,0.84)", + "fill": "", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"health.check.cliCommand.delete\"" + }, + "formatter": "number", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "Can Delete", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "type": "timeseries", + "value_template": "" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(226,115,0,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name:\"health.check.cliCommand.login\" " + }, + "formatter": "number", + "id": "942618ec-f851-11ea-b48a-5b9430e2ce44", + "label": "Can Login", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "942c9cc6-f851-11ea-bf29-8bf7fdb78fbd", + "type": "avg" + } + ], + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "type": "timeseries", + "value_template": "" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name:\"health.check.cliCommand.push\" " + }, + "formatter": "number", + "id": "937fd70c-f851-11ea-a061-4fce22c4bd01", + "label": "Can Push", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "9381bac2-f851-11ea-8141-4fa88748817f", + "type": "avg" + } + ], + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "type": "timeseries", + "value_template": "" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(176,0,188,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name:\"health.check.cliCommand.logs\" " + }, + "formatter": "number", + "id": "938694d4-f851-11ea-9158-3fa2819fcf4a", + "label": "Receiving Logs", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93893126-f851-11ea-a544-3bbd4ce64fdd", + "type": "avg" + } + ], + "point_size": "2", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "type": "timeseries", + "value_template": "" + } + ], + "show_grid": 0, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Test results [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "93c03f18-f851-11ea-8da1-eb649369fefa", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEzMywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Top CPU user deployment [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "93965a18-f851-11ea-a8db-cf27e7c12197" + } + ], + "bar_color_rules": [ + { + "bar_color": "rgba(244,78,59,1)", + "id": "93bd39a8-f851-11ea-9b4f-0bee117f7e32", + "operator": "gte", + "value": 70 + }, + { + "bar_color": "rgba(252,220,0,1)", + "id": "93cc3e94-f851-11ea-8e33-6f86d8899090", + "operator": "lt", + "value": 70 + }, + { + "bar_color": "rgba(105,192,111,1)", + "id": "93e2a558-f851-11ea-a583-8ba487ea9a5e", + "operator": "lt", + "value": 50 + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drilldown_url": "", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset: \"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "id": "93e46942-f851-11ea-b627-9f9d893aa443" + } + ], + "gauge_inner_width": 10, + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name:\"system.cpu.user\" " + }, + "formatter": "number", + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "Top CPU Users by Deployment", + "line_width": 1, + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "max" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "cloudfoundry.envelope.deployment", + "terms_order_by": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "top_n" + }, + "title": "Top CPU user deployment [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9430406a-f851-11ea-a96e-efef958606c3", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEzNCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Top persistent disk deployment [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "93965a18-f851-11ea-a8db-cf27e7c12197" + } + ], + "bar_color_rules": [ + { + "bar_color": "rgba(244,78,59,1)", + "id": "93bd39a8-f851-11ea-9b4f-0bee117f7e32", + "operator": "gte", + "value": 70 + }, + { + "bar_color": "rgba(252,220,0,1)", + "id": "93cc3e94-f851-11ea-8e33-6f86d8899090", + "operator": "lt", + "value": 70 + }, + { + "bar_color": "rgba(105,192,111,1)", + "id": "93e2a558-f851-11ea-a583-8ba487ea9a5e", + "operator": "lt", + "value": 50 + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drilldown_url": "", + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset:\"cloudfoundry.value\" " + }, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "index_pattern": "metricbeat-*", + "interval": "", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name:\"system.disk.persistent.percent\"" + }, + "formatter": "number", + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "Top CPU Users by Deployment", + "line_width": 1, + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "max" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "terms", + "stacked": "none", + "terms_field": "cloudfoundry.envelope.deployment", + "terms_order_by": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "value_template": "" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "top_n" + }, + "title": "Top persistent disk deployment [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "93fd890e-f851-11ea-96db-8342eb689011", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEzNSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Memory 4GB free chunks [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 20 + }, + { + "background_color": "rgba(252,220,0,1)", + "color": "rgba(255,255,255,1)", + "id": "93e80d0e-f851-11ea-ae0c-6f6e897b08b1", + "operator": "lte", + "value": 20 + }, + { + "background_color": "rgba(244,78,59,1)", + "id": "93aa1f08-f851-11ea-8561-cf622005b51f", + "operator": "lte", + "value": 10 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset : \"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=5m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"Diego.AvailableFreeChunks\" and cloudfoundry.envelope.deployment: cf*" + }, + "formatter": "'0,0'", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "CF 4GB Free Memory Chunks", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "1", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "metric" + }, + "title": "Memory 4GB free chunks [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "93dcb238-f851-11ea-8c49-fb9deba7fc48", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEzNiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "ISO disk 6GB free chunks [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 100 + }, + { + "background_color": "rgba(252,220,0,1)", + "color": "rgba(255,255,255,1)", + "id": "93c76824-f851-11ea-b59a-ebcfb7da714a", + "operator": "lte", + "value": 100 + }, + { + "background_color": "rgba(244,78,59,1)", + "id": "938c1710-f851-11ea-aacc-e3f9d23bdead", + "operator": "lte", + "value": 50 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset: \"cloudfoundry.value\"" + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=5m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"Diego.AvailableFreeChunksDisk\" and cloudfoundry.envelope.deployment: p-isolation-segment*" + }, + "formatter": "'0,0'", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "ISO 6GB Free Disk Chunks", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "min" + } + ], + "offset_time": "", + "point_size": "1", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "last_value", + "type": "metric" + }, + "title": "ISO disk 6GB free chunks [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "93e0d7d2-f851-11ea-a8ea-ab5761cc3b1c", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEzNywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Disk capacity [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 0.4 + }, + { + "background_color": "rgba(252,220,0,1)", + "color": "rgba(255,255,255,1)", + "id": "93e80d0e-f851-11ea-ae0c-6f6e897b08b1", + "operator": "lte", + "value": 0.4 + }, + { + "background_color": "rgba(244,78,59,1)", + "id": "93c50fb6-f851-11ea-9589-1bd31d6a8c71", + "operator": "lte", + "value": 0.35 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset:\"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"Diego.TotalPercentageAvailableDiskCapacity.5M\" AND cloudfoundry.envelope.deployment: cf*" + }, + "formatter": "'0.0%'", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "CF Disk Capacity", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "1", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Disk capacity [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "94402c0a-f851-11ea-b3d4-f3815d5ef910", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEzOCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "ISO disk capacity [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 0.4 + }, + { + "background_color": "rgba(252,220,0,1)", + "color": "rgba(255,255,255,1)", + "id": "93e80d0e-f851-11ea-ae0c-6f6e897b08b1", + "operator": "lte", + "value": 0.4 + }, + { + "background_color": "rgba(244,78,59,1)", + "id": "93c50fb6-f851-11ea-9589-1bd31d6a8c71", + "operator": "lte", + "value": 0.35 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset:\"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"Diego.TotalPercentageAvailableDiskCapacity.5M\" and cloudfoundry.envelope.deployment: p-isolation-segment*" + }, + "formatter": "'0.0%'", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "ISO Disk Capacity", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "1", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "ISO disk capacity [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "937d5f4a-f851-11ea-9321-07e4098558b1", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzEzOSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "ISO memory capacity [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 0.4 + }, + { + "background_color": "rgba(252,220,0,1)", + "color": "rgba(255,255,255,1)", + "id": "93e80d0e-f851-11ea-ae0c-6f6e897b08b1", + "operator": "lte", + "value": 0.4 + }, + { + "background_color": "rgba(244,78,59,1)", + "id": "93c50fb6-f851-11ea-9589-1bd31d6a8c71", + "operator": "lte", + "value": 0.35 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset:\"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"Diego.TotalPercentageAvailableMemoryCapacity.5M\" and cloudfoundry.envelope.deployment: p-isolation-segment*" + }, + "formatter": "'0.0%'", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "ISO Memory Capacity", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "1", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "ISO memory capacity [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "93deea94-f851-11ea-8186-777cfa34f466", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzE0MCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "ISO container capacity [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 0.4 + }, + { + "background_color": "rgba(252,220,0,1)", + "color": "rgba(255,255,255,1)", + "id": "93e80d0e-f851-11ea-ae0c-6f6e897b08b1", + "operator": "lte", + "value": 0.4 + }, + { + "background_color": "rgba(244,78,59,1)", + "id": "93c50fb6-f851-11ea-9589-1bd31d6a8c71", + "operator": "lte", + "value": 0.35 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset:\"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"Diego.TotalPercentageAvailableContainerCapacity.5M\" and cloudfoundry.envelope.deployment: p-isolation-segment*" + }, + "formatter": "'0.0%'", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "ISO Container Capacity", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "1", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "ISO container capacity [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "938e9490-f851-11ea-9fc4-93d53dd1c7c1", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzE0MSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Container capacity [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 0.4 + }, + { + "background_color": "rgba(252,220,0,1)", + "color": "rgba(255,255,255,1)", + "id": "93e80d0e-f851-11ea-ae0c-6f6e897b08b1", + "operator": "lte", + "value": 0.4 + }, + { + "background_color": "rgba(244,78,59,1)", + "id": "93c50fb6-f851-11ea-9589-1bd31d6a8c71", + "operator": "lte", + "value": 0.35 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.module: \"cloudfoundry\" and event.dataset: \"cloudfoundry.value\"" + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"Diego.TotalPercentageAvailableContainerCapacity.5M\" AND cloudfoundry.envelope.deployment: cf*" + }, + "formatter": "'0.0%'", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "CF Container Capacity", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "1", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Container capacity [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "943b6bf2-f851-11ea-99e0-b300881da4b1", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzE0MiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Memory capacity [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 0.4 + }, + { + "background_color": "rgba(252,220,0,1)", + "color": "rgba(255,255,255,1)", + "id": "93e80d0e-f851-11ea-ae0c-6f6e897b08b1", + "operator": "lte", + "value": 0.4 + }, + { + "background_color": "rgba(244,78,59,1)", + "id": "93c50fb6-f851-11ea-9589-1bd31d6a8c71", + "operator": "lte", + "value": 0.35 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset: \"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.envelope.deployment:cf* and cloudfoundry.value.name: \"Diego.TotalPercentageAvailableMemoryCapacity.5M\" " + }, + "formatter": "'0.0%'", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "CF Memory Capacity", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "", + "point_size": "1", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Memory capacity [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9417ef10-f851-11ea-bc5c-cbb3bfb4dc2a", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzE0MywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Pushes past month [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 0.95 + }, + { + "background_color": "rgba(244,78,59,1)", + "color": "rgba(255,255,255,1)", + "id": "93c76824-f851-11ea-b59a-ebcfb7da714a", + "operator": "lte", + "value": 0.95 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset : \"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"health.check.cliCommand.push\" " + }, + "formatter": "percent", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "Past Month", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "1M", + "point_size": "1", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Pushes past month [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "93a42468-f851-11ea-8393-7791ef366bdd", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzE0NCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Pushes past day [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color": null, + "background_color_rules": [ + { + "background_color": "rgba(105,192,111,1)", + "color": "rgba(255,255,255,1)", + "id": "939ee5ac-f851-11ea-9c98-1b6b4c058d58", + "operator": "gt", + "value": 0.95 + }, + { + "background_color": "rgba(244,78,59,1)", + "color": "rgba(255,255,255,1)", + "id": "93c76824-f851-11ea-b59a-ebcfb7da714a", + "operator": "lte", + "value": 0.95 + } + ], + "bar_color_rules": [ + { + "id": "9438fb38-f851-11ea-8cbf-2be67ccd287b" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "drop_last_bucket": 1, + "filter": { + "language": "kuery", + "query": "event.module: \"cloudfoundry\" and event.dataset : \"cloudfoundry.value\" " + }, + "gauge_color_rules": [ + { + "gauge": null, + "id": "93f0138c-f851-11ea-bbaa-dfc0137bc600", + "text": null, + "value": 0 + } + ], + "gauge_inner_width": 10, + "gauge_max": "300000", + "gauge_style": "half", + "gauge_width": 10, + "id": "93aed944-f851-11ea-ba70-fbde5471d6c0", + "ignore_global_filter": 0, + "index_pattern": "metricbeat-*", + "interval": "\u003e=1m", + "isModelInvalid": false, + "legend_position": "bottom", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(0,156,224,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "cloudfoundry.value.name: \"health.check.cliCommand.push\" " + }, + "formatter": "percent", + "hidden": false, + "id": "93b3d516-f851-11ea-b4ca-c32dfcb647e2", + "label": "Past Day", + "line_width": "2", + "metrics": [ + { + "field": "cloudfoundry.value.value", + "id": "93b9bc2e-f851-11ea-8d20-9b7927512450", + "type": "avg" + } + ], + "offset_time": "1d", + "point_size": "1", + "separate_axis": 0, + "split_color_mode": "gradient", + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "" + }, + "id": "93842b7c-f851-11ea-8281-37e3b8318172", + "label": "" + } + ], + "split_mode": "everything", + "stacked": "none", + "steps": 0, + "terms_field": "name.keyword", + "terms_include": "", + "value_template": "{{value}}" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "type": "metric" + }, + "title": "Pushes past day [Metricbeat Cloud Foundry]", + "type": "metrics" + } + }, + "id": "9379c90c-f851-11ea-8313-f3c659aaac21", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzE0NSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Dashboards Navigation Platform Health [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "[Overview](#/dashboard/9c81cf34-f84e-11ea-a49d-f3f94f5e4fac) | **Platform Health**", + "openLinksInNewTab": false + }, + "title": "Dashboards Navigation [Metricbeat Cloud Foundry]", + "type": "markdown" + } + }, + "id": "f771b65c-f8d0-11ea-bf74-8bbda818957f", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:37:54.081Z", + "version": "WzE4MiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Pushes md-2 [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 15, + "markdown": "**CF Push**\n**(99.0%)**", + "openLinksInNewTab": false + }, + "title": "Pushes md-2 [Metricbeat Cloud Foundry]", + "type": "markdown" + } + }, + "id": "9410e9ea-f851-11ea-b70d-9bda9c286e02", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzE0NiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Pushes application availability md-2 [Metricbeat Cloud Foundry]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 15, + "markdown": "**App Avail**\n**(99.9%)**", + "openLinksInNewTab": false + }, + "title": "Pushes application availability md-2 [Metricbeat Cloud Foundry]", + "type": "markdown" + } + }, + "id": "93911f12-f851-11ea-9a0a-bb5ff28cf81a", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-17T10:33:07.259Z", + "version": "WzE0NywxXQ==" + } + ], + "version": "7.9.0" +} diff --git a/x-pack/metricbeat/module/cloudfoundry/container/_meta/data.json b/x-pack/metricbeat/module/cloudfoundry/container/_meta/data.json index 3d1f51694e4..16a4f1ef128 100644 --- a/x-pack/metricbeat/module/cloudfoundry/container/_meta/data.json +++ b/x-pack/metricbeat/module/cloudfoundry/container/_meta/data.json @@ -1,35 +1,31 @@ { - "@timestamp": "2020-02-27T18:09:35.583Z", + "@timestamp": "2017-10-12T08:05:34.853Z", "cloudfoundry": { + "app": { + "id": "3ce55e14-de73-49af-836d-adc93f3fee39" + }, "container": { + "cpu.pct": 0.19431789913648675, + "disk.bytes": 16678912, + "disk.quota.bytes": 33554432, "instance_index": 0, - "cpu.pct": 0.18815706013687805, - "memory.bytes": 23320985, - "memory.quota.bytes": 134217728, - "disk.bytes": 186187776, - "timestamp": "2020-02-27T18:09:35.583Z", - "type": "container", - "disk.quota.bytes": 2122136037 + "memory.bytes": 8529920, + "memory.quota.bytes": 33554432 }, "envelope": { - "origin": "rep", - "deployment": "cf", - "ip": "10.144.0.13", - "job": "diego-cell", - "index": "3a0034ac-59ef-43e2-8b06-b14b32fe62f0" + "deployment": "cf-6b7aee31c8d07637ad78", + "index": "c2bcf5d6-7ff9-4876-890f-6f8fc6c58668", + "ip": "192.168.16.51", + "job": "diego_cell", + "origin": "rep" }, - "app": { - "id": "8cfc6857-3576-45a9-b1cd-890b28aa9c4a" - } - }, - "event": { - "dataset": "cloudfoundry.container", - "module": "cloudfoundry" - }, - "metricset": { - "name": "container" + "tags": { + "product": "Pivotal Application Service", + "source_id": "3ce55e14-de73-49af-836d-adc93f3fee39" + }, + "type": "container" }, "service": { "type": "cloudfoundry" } -} +} \ No newline at end of file diff --git a/x-pack/metricbeat/module/cloudfoundry/container/container_integration_test.go b/x-pack/metricbeat/module/cloudfoundry/container/container_integration_test.go index e871a5823fc..605f7145f64 100644 --- a/x-pack/metricbeat/module/cloudfoundry/container/container_integration_test.go +++ b/x-pack/metricbeat/module/cloudfoundry/container/container_integration_test.go @@ -49,5 +49,6 @@ func TestData(t *testing.T) { require.NotEmpty(t, events) beatEvent := mbtest.StandardizeEvent(ms, events[0]) + mtest.CleanFields(beatEvent) mbtest.WriteEventToDataJSON(t, beatEvent, "") } diff --git a/x-pack/metricbeat/module/cloudfoundry/counter/_meta/data.json b/x-pack/metricbeat/module/cloudfoundry/counter/_meta/data.json index d6f155213af..5889e632b6b 100644 --- a/x-pack/metricbeat/module/cloudfoundry/counter/_meta/data.json +++ b/x-pack/metricbeat/module/cloudfoundry/counter/_meta/data.json @@ -1,29 +1,27 @@ { - "@timestamp": "2020-02-24T18:49:02.674Z", + "@timestamp": "2017-10-12T08:05:34.853Z", "cloudfoundry": { "counter": { - "total": 0, - "name": "promhttp_metric_handler_errors_total", "delta": 0, - "timestamp": "2020-02-24T18:49:02.674Z", - "type": "counter" + "name": "dropped", + "total": 0 }, "envelope": { - "origin": "loggregator_forwarder_agent", - "deployment": "cf", - "ip": "10.144.0.13", - "job": "diego-cell", - "index": "1e58e943-a498-4339-9d5f-2885bf223db9" - } - }, - "event": { - "dataset": "cloudfoundry.counter", - "module": "cloudfoundry" - }, - "metricset": { - "name": "counter" + "deployment": "cf-6b7aee31c8d07637ad78", + "index": "995eb273-f871-4fea-a834-dbc0a4a72efc", + "ip": "192.168.16.37", + "job": "syslog_adapter", + "origin": "loggregator.metron" + }, + "tags": { + "direction": "ingress", + "metric_version": "2.0", + "product": "Pivotal Application Service", + "source_id": "metron" + }, + "type": "counter" }, "service": { "type": "cloudfoundry" } -} +} \ No newline at end of file diff --git a/x-pack/metricbeat/module/cloudfoundry/counter/counter_integration_test.go b/x-pack/metricbeat/module/cloudfoundry/counter/counter_integration_test.go index 44cb4935e70..f7c13b1a603 100644 --- a/x-pack/metricbeat/module/cloudfoundry/counter/counter_integration_test.go +++ b/x-pack/metricbeat/module/cloudfoundry/counter/counter_integration_test.go @@ -49,5 +49,6 @@ func TestData(t *testing.T) { require.NotEmpty(t, events) beatEvent := mbtest.StandardizeEvent(ms, events[0]) + mtest.CleanFields(beatEvent) mbtest.WriteEventToDataJSON(t, beatEvent, "") } diff --git a/x-pack/metricbeat/module/cloudfoundry/mtest/config.go b/x-pack/metricbeat/module/cloudfoundry/mtest/config.go index c0756c57cca..8f98d528f58 100644 --- a/x-pack/metricbeat/module/cloudfoundry/mtest/config.go +++ b/x-pack/metricbeat/module/cloudfoundry/mtest/config.go @@ -7,6 +7,7 @@ package mtest import ( "testing" + "github.com/elastic/beats/v7/libbeat/beat" cftest "github.com/elastic/beats/v7/x-pack/libbeat/common/cloudfoundry/test" ) @@ -19,3 +20,8 @@ func GetConfig(t *testing.T, metricset string) map[string]interface{} { return config } + +// CleanFields removes fields that can contain data of real deployments +func CleanFields(e beat.Event) { + e.Fields.Delete("cloudfoundry.tags.system_domain") +} diff --git a/x-pack/metricbeat/module/cloudfoundry/value/_meta/data.json b/x-pack/metricbeat/module/cloudfoundry/value/_meta/data.json index bf70762fd38..1d17070a200 100644 --- a/x-pack/metricbeat/module/cloudfoundry/value/_meta/data.json +++ b/x-pack/metricbeat/module/cloudfoundry/value/_meta/data.json @@ -1,29 +1,24 @@ { - "@timestamp": "2020-02-27T18:20:48.379Z", + "@timestamp": "2017-10-12T08:05:34.853Z", "cloudfoundry": { - "value": { - "unit": "", - "value": 5.125735912782789e-05, - "timestamp": "2020-02-27T18:20:48.379Z", - "type": "value", - "name": "go_memstats_gc_cpu_fraction" - }, "envelope": { - "origin": "loggregator_forwarder_agent", - "deployment": "cf", - "ip": "10.144.0.11", - "job": "scheduler", - "index": "d6b7bb59-ac57-4ed5-a0a7-0b23e19d9f8f" + "deployment": "cf-6b7aee31c8d07637ad78", + "index": "dffd1799-d03a-405a-9309-3fcce23f536f", + "ip": "192.168.16.15", + "job": "diego_database", + "origin": "silk-controller" + }, + "tags": { + "source_id": "silk-controller" + }, + "type": "value", + "value": { + "name": "LeasesIndexRequestTime", + "unit": "ms", + "value": 0.681265 } }, - "event": { - "dataset": "cloudfoundry.value", - "module": "cloudfoundry" - }, - "metricset": { - "name": "value" - }, "service": { "type": "cloudfoundry" } -} +} \ No newline at end of file diff --git a/x-pack/metricbeat/module/cloudfoundry/value/value_integration_test.go b/x-pack/metricbeat/module/cloudfoundry/value/value_integration_test.go index 610a0a8e029..af815a3d4b7 100644 --- a/x-pack/metricbeat/module/cloudfoundry/value/value_integration_test.go +++ b/x-pack/metricbeat/module/cloudfoundry/value/value_integration_test.go @@ -49,5 +49,6 @@ func TestData(t *testing.T) { require.NotEmpty(t, events) beatEvent := mbtest.StandardizeEvent(ms, events[0]) + mtest.CleanFields(beatEvent) mbtest.WriteEventToDataJSON(t, beatEvent, "") } diff --git a/x-pack/metricbeat/module/cockroachdb/test_cockroachdb.py b/x-pack/metricbeat/module/cockroachdb/test_cockroachdb.py index 72c3517c04e..b348388e8f4 100644 --- a/x-pack/metricbeat/module/cockroachdb/test_cockroachdb.py +++ b/x-pack/metricbeat/module/cockroachdb/test_cockroachdb.py @@ -1,8 +1,6 @@ import os import sys import unittest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) from xpack_metricbeat import XPackTest, metricbeat diff --git a/x-pack/metricbeat/module/coredns/test_coredns.py b/x-pack/metricbeat/module/coredns/test_coredns.py index e453fcdf183..b885934ea13 100644 --- a/x-pack/metricbeat/module/coredns/test_coredns.py +++ b/x-pack/metricbeat/module/coredns/test_coredns.py @@ -1,9 +1,6 @@ import os import sys import unittest -from xpack_metricbeat import XPackTest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) from xpack_metricbeat import XPackTest, metricbeat diff --git a/x-pack/metricbeat/module/googlecloud/_meta/config.yml b/x-pack/metricbeat/module/googlecloud/_meta/config.yml index 87691d3a75b..b6f24962b29 100644 --- a/x-pack/metricbeat/module/googlecloud/_meta/config.yml +++ b/x-pack/metricbeat/module/googlecloud/_meta/config.yml @@ -27,7 +27,7 @@ - module: googlecloud metricsets: - - stackdriver + - metrics project_id: "your project id" credentials_file_path: "your JSON credentials file path" exclude_labels: false @@ -40,3 +40,13 @@ - "instance/cpu/usage_time" - "instance/cpu/utilization" - "instance/uptime" + +- module: googlecloud + metricsets: + - billing + period: 24h + project_id: "your project id" + credentials_file_path: "your JSON credentials file path" + dataset_id: "dataset id" + table_pattern: "table pattern" + cost_type: "regular" diff --git a/x-pack/metricbeat/module/googlecloud/_meta/docs.asciidoc b/x-pack/metricbeat/module/googlecloud/_meta/docs.asciidoc index 817045af6f8..d2e74d0122f 100644 --- a/x-pack/metricbeat/module/googlecloud/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/googlecloud/_meta/docs.asciidoc @@ -1,6 +1,9 @@ This module periodically fetches monitoring metrics from Google Cloud Platform using https://cloud.google.com/monitoring/api/metrics_gcp[Stackdriver Monitoring API] for Google Cloud Platform services. -Note: extra GCP charges on Stackdriver Monitoring API requests will be generated by this module. + +IMPORTANT: Extra GCP charges on Stackdriver Monitoring API requests may be +generated by this module. Please see <> +for more details. [float] == Module config and parameters @@ -128,16 +131,28 @@ GCP monitoring data has a up to 240 seconds latency, which means latest monitori In googlecloud module, metrics are collected based on this ingest delay, which is also obtained from ListMetricDescriptors API. [float] -=== Rough estimation of the number of API Calls +[[gcp-api-requests]] +=== Rough estimation of the number of API calls Google Cloud Platform pricing depends of the number of requests you do to their API's. Here you have some information that you can use to make an estimation of the pricing you should expect. For example, imagine that you have a Compute Metricset activated and you don't want to exclude labels. You have a total of 20 instances running in a particular GCP project, region and zone. For example, if Compute Metricset fetches 14 metrics (which is the number of metrics fetched in the early beta version). Each of those metrics will attempt an API call to Compute API to retrieve also their metadata. Because you have 20 different instances, the total number of API calls that will be done on each refresh period are: 14 metrics + 20 instances = 34 API requests every 5 minutes if that is your current Period. 9792 API requests per day with one zone. If you add 2 zones more with the same amount of instances you'll have 19584 API requests per day (9792 on each zone) or around 587520 per month for the Compute Metricset. This maths must be done for each different Metricset with slight variations. [float] == Metricsets -Currently, we have `compute`, `loadbalancing`, `pubsub`, `stackdriver` and +Currently, we have `billing`, `compute`, `loadbalancing`, `pubsub`, `metrics` and `storage` metricset in `googlecloud` module. +[float] +=== `billing` +This metricset fetches billing metrics from https://cloud.google.com/bigquery[GCP BigQuery] +Cloud Billing allows users to export billing data into BigQuery automatically +throughout the day. This metricset gets access to the daily cost detail table +periodically to export billing metrics for further analysis. + +The `billing` metricset comes with a predefined dashboard: + +image::./images/metricbeat-googlecloud-billing-overview.png[] + [float] === `compute` This metricset fetches metrics from https://cloud.google.com/compute/[Compute Engine] @@ -186,10 +201,11 @@ The `pubsub` metricset comes with a predefined dashboard: image::./images/metricbeat-googlecloud-pubsub-overview.png[] [float] -=== `stackdriver` -Stackdriver provides visibility into the performance, uptime, and overall health -of cloud-powered applications. It collects metrics, events, and metadata from -different services from Google Cloud. +=== `metrics` +`metrics` metricset uses Google Cloud Operations/Stackdriver, which provides +visibility into the performance, uptime, and overall health of cloud-powered +applications. It collects metrics, events, and metadata from different services +from Google Cloud. This metricset is to collect https://cloud.google.com/monitoring/api/metrics_gcp[monitoring metrics] from Google Cloud using `ListTimeSeries` API. diff --git a/x-pack/metricbeat/module/googlecloud/_meta/fields.yml b/x-pack/metricbeat/module/googlecloud/_meta/fields.yml index 3ab4238b736..84e340de576 100644 --- a/x-pack/metricbeat/module/googlecloud/_meta/fields.yml +++ b/x-pack/metricbeat/module/googlecloud/_meta/fields.yml @@ -24,9 +24,9 @@ - name: system.* type: object object_type: keyword - - name: "stackdriver.*.*.*.*" + - name: "metrics.*.*.*.*" type: object object_type: double object_type_mapping_type: "*" description: > - Metrics that returned from StackDriver API query. + Metrics that returned from Google Cloud API query. diff --git a/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-billing-overview.json b/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-billing-overview.json new file mode 100644 index 00000000000..4387e827748 --- /dev/null +++ b/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-billing-overview.json @@ -0,0 +1,773 @@ +{ + "objects": [ + { + "attributes": { + "description": "Overview of Google Cloud Billing Metrics", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "Filters" + }, + "gridData": { + "h": 14, + "i": "2552123b-6ad6-4d63-89c3-0672ab428580", + "w": 8, + "x": 0, + "y": 0 + }, + "panelIndex": "2552123b-6ad6-4d63-89c3-0672ab428580", + "panelRefName": "panel_0", + "title": "Filters", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Cost Per Month" + }, + "gridData": { + "h": 20, + "i": "2d3d3b79-0656-45c2-b051-4489484b625c", + "w": 10, + "x": 8, + "y": 0 + }, + "panelIndex": "2d3d3b79-0656-45c2-b051-4489484b625c", + "panelRefName": "panel_1", + "title": "Cost Per Month", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Cost Per Project ID" + }, + "gridData": { + "h": 20, + "i": "b737e597-cc4d-4437-859c-6d491679599d", + "w": 30, + "x": 18, + "y": 0 + }, + "panelIndex": "b737e597-cc4d-4437-859c-6d491679599d", + "panelRefName": "panel_2", + "title": "Cost Per Project ID", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Total Number Of Projects" + }, + "gridData": { + "h": 6, + "i": "9eedb0c7-2089-4e0f-af98-721034203aad", + "w": 8, + "x": 0, + "y": 14 + }, + "panelIndex": "9eedb0c7-2089-4e0f-af98-721034203aad", + "panelRefName": "panel_3", + "title": "Total Number Of Projects", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Cost Per Invoice Month" + }, + "gridData": { + "h": 15, + "i": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", + "w": 48, + "x": 0, + "y": 20 + }, + "panelIndex": "f4d0ebcb-ac15-4c31-ab57-7f22e0c3e02a", + "panelRefName": "panel_4", + "title": "Cost Per Invoice Month", + "version": "7.9.0" + }, + { + "embeddableConfig": { + "title": "Total Billing Cost" + }, + "gridData": { + "h": 15, + "i": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d", + "w": 48, + "x": 0, + "y": 35 + }, + "panelIndex": "991e60a8-68eb-4c2b-ac9a-b553e90dd49d", + "panelRefName": "panel_5", + "title": "Total Billing Cost", + "version": "7.9.0" + } + ], + "timeRestore": false, + "title": "[Metricbeat Googlecloud] Billing Overview", + "version": 1 + }, + "id": "76c9e920-e890-11ea-bf8c-d13ebf358a78", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "5d2f9160-e88e-11ea-bf8c-d13ebf358a78", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "520c6f10-ec8a-11ea-a0ed-7fe6b565d158", + "name": "panel_1", + "type": "lens" + }, + { + "id": "057de170-e88d-11ea-bf8c-d13ebf358a78", + "name": "panel_2", + "type": "lens" + }, + { + "id": "dd835300-e88f-11ea-bf8c-d13ebf358a78", + "name": "panel_3", + "type": "lens" + }, + { + "id": "e6933020-e88d-11ea-bf8c-d13ebf358a78", + "name": "panel_4", + "type": "lens" + }, + { + "id": "73346db0-e88d-11ea-bf8c-d13ebf358a78", + "name": "panel_5", + "type": "lens" + } + ], + "type": "dashboard", + "updated_at": "2020-09-01T19:41:37.582Z", + "version": "WzYwNDMsOF0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Account ID Filter [Metricbeat Googlecloud]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "controls": [ + { + "fieldName": "cloud.provider", + "id": "1598550838945", + "indexPatternRefName": "control_0_index_pattern", + "label": "Cloud Provider ", + "options": { + "dynamicOptions": true, + "multiselect": false, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "cloud.account.id", + "id": "1598893530938", + "indexPatternRefName": "control_1_index_pattern", + "label": "Account ID", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "1598550838945", + "type": "list" + }, + { + "fieldName": "googlecloud.billing.invoice_month", + "id": "1598988595566", + "indexPatternRefName": "control_2_index_pattern", + "label": "Invoice Month", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": false, + "useTimeFilter": false + }, + "title": "Account ID Filter [Metricbeat Googlecloud]", + "type": "input_control_vis" + } + }, + "id": "5d2f9160-e88e-11ea-bf8c-d13ebf358a78", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "metricbeat-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_2_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-01T19:30:18.073Z", + "version": "WzU3NDMsOF0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"e12171da-25a4-41ea-86d3-8fd71205c263\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true aggConfigs=\"[{\\\"id\\\":\\\"6011e524-4646-410b-8d1c-06c281e8f7ed\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.invoice_month\\\",\\\"orderBy\\\":\\\"f8ab301c-f139-4573-b233-ed8a3f717e24\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":12,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"f8ab301c-f139-4573-b233-ed8a3f717e24\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"sum\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.total\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-6011e524-4646-410b-8d1c-06c281e8f7ed\\\":{\\\"label\\\":\\\"Invoice Month\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.billing.invoice_month\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":12,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"f8ab301c-f139-4573-b233-ed8a3f717e24\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"6011e524-4646-410b-8d1c-06c281e8f7ed\\\"},\\\"col-1-f8ab301c-f139-4573-b233-ed8a3f717e24\\\":{\\\"label\\\":\\\"Total Billing Cost\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"sum\\\",\\\"sourceField\\\":\\\"googlecloud.billing.total\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"f8ab301c-f139-4573-b233-ed8a3f717e24\\\"}}\"}\n| lens_datatable \n columns={lens_datatable_columns columnIds=\"6011e524-4646-410b-8d1c-06c281e8f7ed\" columnIds=\"f8ab301c-f139-4573-b233-ed8a3f717e24\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "e12171da-25a4-41ea-86d3-8fd71205c263": { + "columnOrder": [ + "6011e524-4646-410b-8d1c-06c281e8f7ed", + "f8ab301c-f139-4573-b233-ed8a3f717e24" + ], + "columns": { + "6011e524-4646-410b-8d1c-06c281e8f7ed": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Invoice Month", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "f8ab301c-f139-4573-b233-ed8a3f717e24", + "type": "column" + }, + "orderDirection": "desc", + "size": 12 + }, + "scale": "ordinal", + "sourceField": "googlecloud.billing.invoice_month" + }, + "f8ab301c-f139-4573-b233-ed8a3f717e24": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Billing Cost", + "operationType": "sum", + "scale": "ratio", + "sourceField": "googlecloud.billing.total" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "columns": [ + "6011e524-4646-410b-8d1c-06c281e8f7ed", + "f8ab301c-f139-4573-b233-ed8a3f717e24" + ], + "layerId": "e12171da-25a4-41ea-86d3-8fd71205c263" + } + ] + } + }, + "title": "Total Cost Table [Metricbeat Googlecloud]", + "visualizationType": "lnsDatatable" + }, + "id": "520c6f10-ec8a-11ea-a0ed-7fe6b565d158", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-09-01T19:35:41.441Z", + "version": "WzU5MDEsOF0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"4ca843af-63d7-46b9-a719-51a81eebf1f7\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true aggConfigs=\"[{\\\"id\\\":\\\"2477291e-9021-4eb2-9fce-8da1ee792c49\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.project_id\\\",\\\"orderBy\\\":\\\"10b91492-efef-490d-bc7a-c2074b2eae84\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":20,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"10b91492-efef-490d-bc7a-c2074b2eae84\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"max\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.total\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-2477291e-9021-4eb2-9fce-8da1ee792c49\\\":{\\\"label\\\":\\\"Cost Per Project ID\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.billing.project_id\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":20,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"10b91492-efef-490d-bc7a-c2074b2eae84\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"2477291e-9021-4eb2-9fce-8da1ee792c49\\\"},\\\"col-1-10b91492-efef-490d-bc7a-c2074b2eae84\\\":{\\\"label\\\":\\\"Maximum of googlecloud.billing.total\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"max\\\",\\\"sourceField\\\":\\\"googlecloud.billing.total\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"id\\\":\\\"10b91492-efef-490d-bc7a-c2074b2eae84\\\"}}\"}\n| lens_pie shape=\"pie\" hideLabels=false groups=\"2477291e-9021-4eb2-9fce-8da1ee792c49\" metric=\"10b91492-efef-490d-bc7a-c2074b2eae84\" numberDisplay=\"percent\" categoryDisplay=\"default\" legendDisplay=\"default\" percentDecimals=3 nestedLegend=false", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "4ca843af-63d7-46b9-a719-51a81eebf1f7": { + "columnOrder": [ + "2477291e-9021-4eb2-9fce-8da1ee792c49", + "10b91492-efef-490d-bc7a-c2074b2eae84" + ], + "columns": { + "10b91492-efef-490d-bc7a-c2074b2eae84": { + "dataType": "number", + "isBucketed": false, + "label": "Maximum of googlecloud.billing.total", + "operationType": "max", + "scale": "ratio", + "sourceField": "googlecloud.billing.total" + }, + "2477291e-9021-4eb2-9fce-8da1ee792c49": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Cost Per Project ID", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", + "type": "column" + }, + "orderDirection": "desc", + "size": 20 + }, + "scale": "ordinal", + "sourceField": "googlecloud.billing.project_id" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "2477291e-9021-4eb2-9fce-8da1ee792c49" + ], + "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", + "legendDisplay": "default", + "metric": "10b91492-efef-490d-bc7a-c2074b2eae84", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "Cost Per Project ID [Metricbeat Googlecloud]", + "visualizationType": "lnsPie" + }, + "id": "057de170-e88d-11ea-bf8c-d13ebf358a78", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-08-31T02:45:59.906Z", + "version": "WzUxODksOF0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"4cb00ce3-c62e-46f3-90ce-b69c876b9605\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true aggConfigs=\"[{\\\"id\\\":\\\"2f66b924-5392-4e5e-93fe-5b23a87068c1\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"cardinality\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.project_id\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-2f66b924-5392-4e5e-93fe-5b23a87068c1\\\":{\\\"label\\\":\\\"\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"cardinality\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"sourceField\\\":\\\"googlecloud.billing.project_id\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"2f66b924-5392-4e5e-93fe-5b23a87068c1\\\"}}\"}\n| lens_metric_chart title=\"\" accessor=\"2f66b924-5392-4e5e-93fe-5b23a87068c1\" mode=\"full\"", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "4cb00ce3-c62e-46f3-90ce-b69c876b9605": { + "columnOrder": [ + "2f66b924-5392-4e5e-93fe-5b23a87068c1" + ], + "columns": { + "2f66b924-5392-4e5e-93fe-5b23a87068c1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "", + "operationType": "cardinality", + "scale": "ratio", + "sourceField": "googlecloud.billing.project_id" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "2f66b924-5392-4e5e-93fe-5b23a87068c1", + "layerId": "4cb00ce3-c62e-46f3-90ce-b69c876b9605" + } + }, + "title": "Total Number Of Projects [Metricbeat Googlecloud]", + "visualizationType": "lnsMetric" + }, + "id": "dd835300-e88f-11ea-bf8c-d13ebf358a78", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-08-31T02:50:27.115Z", + "version": "WzUzMTgsOF0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"4ca843af-63d7-46b9-a719-51a81eebf1f7\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true aggConfigs=\"[{\\\"id\\\":\\\"e25f49de-f161-4be8-a8fc-519188a7776c\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.project_id\\\",\\\"orderBy\\\":\\\"af747bf6-66e9-4760-bbd8-3dae9c97159d\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":10,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"b92edf5e-58bc-4382-9cd5-19db2c332c93\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.invoice_month\\\",\\\"orderBy\\\":\\\"_key\\\",\\\"order\\\":\\\"asc\\\",\\\"size\\\":5,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"af747bf6-66e9-4760-bbd8-3dae9c97159d\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"max\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.total\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-e25f49de-f161-4be8-a8fc-519188a7776c\\\":{\\\"label\\\":\\\"Monthly Cost\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.billing.project_id\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":10,\\\"orderBy\\\":{\\\"type\\\":\\\"column\\\",\\\"columnId\\\":\\\"af747bf6-66e9-4760-bbd8-3dae9c97159d\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"e25f49de-f161-4be8-a8fc-519188a7776c\\\"},\\\"col-2-b92edf5e-58bc-4382-9cd5-19db2c332c93\\\":{\\\"label\\\":\\\"Invoice Month\\\",\\\"dataType\\\":\\\"string\\\",\\\"operationType\\\":\\\"terms\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"sourceField\\\":\\\"googlecloud.billing.invoice_month\\\",\\\"isBucketed\\\":true,\\\"params\\\":{\\\"size\\\":5,\\\"orderBy\\\":{\\\"type\\\":\\\"alphabetical\\\"},\\\"orderDirection\\\":\\\"asc\\\"},\\\"customLabel\\\":true,\\\"id\\\":\\\"b92edf5e-58bc-4382-9cd5-19db2c332c93\\\"},\\\"col-3-af747bf6-66e9-4760-bbd8-3dae9c97159d\\\":{\\\"label\\\":\\\"Total Billing Cost\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"max\\\",\\\"sourceField\\\":\\\"googlecloud.billing.total\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"af747bf6-66e9-4760-bbd8-3dae9c97159d\\\"}}\"}\n| lens_xy_chart xTitle=\"Monthly Cost\" yTitle=\"Total Billing Cost\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"4ca843af-63d7-46b9-a719-51a81eebf1f7\" hide=false xAccessor=\"e25f49de-f161-4be8-a8fc-519188a7776c\" yScaleType=\"linear\" xScaleType=\"ordinal\" isHistogram=false splitAccessor=\"b92edf5e-58bc-4382-9cd5-19db2c332c93\" seriesType=\"bar_stacked\" accessors=\"af747bf6-66e9-4760-bbd8-3dae9c97159d\" columnToLabel=\"{\\\"af747bf6-66e9-4760-bbd8-3dae9c97159d\\\":\\\"Total Billing Cost\\\",\\\"b92edf5e-58bc-4382-9cd5-19db2c332c93\\\":\\\"Invoice Month\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "4ca843af-63d7-46b9-a719-51a81eebf1f7": { + "columnOrder": [ + "e25f49de-f161-4be8-a8fc-519188a7776c", + "b92edf5e-58bc-4382-9cd5-19db2c332c93", + "af747bf6-66e9-4760-bbd8-3dae9c97159d" + ], + "columns": { + "af747bf6-66e9-4760-bbd8-3dae9c97159d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Billing Cost", + "operationType": "max", + "scale": "ratio", + "sourceField": "googlecloud.billing.total" + }, + "b92edf5e-58bc-4382-9cd5-19db2c332c93": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Invoice Month", + "operationType": "terms", + "params": { + "orderBy": { + "type": "alphabetical" + }, + "orderDirection": "asc", + "size": 5 + }, + "scale": "ordinal", + "sourceField": "googlecloud.billing.invoice_month" + }, + "e25f49de-f161-4be8-a8fc-519188a7776c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Monthly Cost", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "af747bf6-66e9-4760-bbd8-3dae9c97159d", + "type": "column" + }, + "orderDirection": "desc", + "size": 10 + }, + "scale": "ordinal", + "sourceField": "googlecloud.billing.project_id" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "af747bf6-66e9-4760-bbd8-3dae9c97159d" + ], + "layerId": "4ca843af-63d7-46b9-a719-51a81eebf1f7", + "seriesType": "bar_stacked", + "splitAccessor": "b92edf5e-58bc-4382-9cd5-19db2c332c93", + "xAccessor": "e25f49de-f161-4be8-a8fc-519188a7776c" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked" + } + }, + "title": "Monthly Cost Per Project [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" + }, + "id": "e6933020-e88d-11ea-bf8c-d13ebf358a78", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-08-31T17:12:47.088Z", + "version": "WzU1NjksOF0=" + }, + { + "attributes": { + "description": "", + "expression": "kibana\n| kibana_context query=\"{\\\"query\\\":\\\"\\\",\\\"language\\\":\\\"kuery\\\"}\" filters=\"[]\"\n| lens_merge_tables layerIds=\"4ca843af-63d7-46b9-a719-51a81eebf1f7\"\n layerIds=\"325e60ce-0fbd-42b0-82f6-b10df31fef6c\" \n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"1164563d-d2b3-4067-bc7b-d694179182ed\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"1d\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"10b91492-efef-490d-bc7a-c2074b2eae84\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"sum\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.total\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-1164563d-d2b3-4067-bc7b-d694179182ed\\\":{\\\"label\\\":\\\"@timestamp\\\",\\\"dataType\\\":\\\"date\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"scale\\\":\\\"interval\\\",\\\"params\\\":{\\\"interval\\\":\\\"1d\\\"},\\\"id\\\":\\\"1164563d-d2b3-4067-bc7b-d694179182ed\\\"},\\\"col-1-10b91492-efef-490d-bc7a-c2074b2eae84\\\":{\\\"label\\\":\\\"Total Billing Cost\\\",\\\"dataType\\\":\\\"number\\\",\\\"operationType\\\":\\\"sum\\\",\\\"sourceField\\\":\\\"googlecloud.billing.total\\\",\\\"isBucketed\\\":false,\\\"scale\\\":\\\"ratio\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"10b91492-efef-490d-bc7a-c2074b2eae84\\\"}}\"}\n tables={esaggs index=\"metricbeat-*\" metricsAtAllLevels=true partialRows=true includeFormatHints=true timeFields=\"@timestamp\" aggConfigs=\"[{\\\"id\\\":\\\"faaaaf23-f362-4a00-be9e-8a155208a39e\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"terms\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.project_id\\\",\\\"orderBy\\\":\\\"3041fc1b-ceb8-4188-b55d-d354819f267e\\\",\\\"order\\\":\\\"desc\\\",\\\"size\\\":10,\\\"otherBucket\\\":false,\\\"otherBucketLabel\\\":\\\"Other\\\",\\\"missingBucket\\\":false,\\\"missingBucketLabel\\\":\\\"Missing\\\"}},{\\\"id\\\":\\\"c4bc659c-3e7c-41f2-bc38-32d9edee95e8\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"date_histogram\\\",\\\"schema\\\":\\\"segment\\\",\\\"params\\\":{\\\"field\\\":\\\"@timestamp\\\",\\\"useNormalizedEsInterval\\\":true,\\\"interval\\\":\\\"1d\\\",\\\"drop_partials\\\":false,\\\"min_doc_count\\\":0,\\\"extended_bounds\\\":{}}},{\\\"id\\\":\\\"3041fc1b-ceb8-4188-b55d-d354819f267e\\\",\\\"enabled\\\":true,\\\"type\\\":\\\"max\\\",\\\"schema\\\":\\\"metric\\\",\\\"params\\\":{\\\"field\\\":\\\"googlecloud.billing.total\\\",\\\"missing\\\":0}}]\" | lens_rename_columns idMap=\"{\\\"col-0-faaaaf23-f362-4a00-be9e-8a155208a39e\\\":{\\\"sourceField\\\":\\\"googlecloud.billing.project_id\\\",\\\"isBucketed\\\":true,\\\"dataType\\\":\\\"string\\\",\\\"scale\\\":\\\"ordinal\\\",\\\"operationType\\\":\\\"terms\\\",\\\"label\\\":\\\"Project ID\\\",\\\"customLabel\\\":true,\\\"params\\\":{\\\"size\\\":10,\\\"orderBy\\\":{\\\"columnId\\\":\\\"3041fc1b-ceb8-4188-b55d-d354819f267e\\\",\\\"type\\\":\\\"column\\\"},\\\"orderDirection\\\":\\\"desc\\\"},\\\"id\\\":\\\"faaaaf23-f362-4a00-be9e-8a155208a39e\\\"},\\\"col-2-c4bc659c-3e7c-41f2-bc38-32d9edee95e8\\\":{\\\"sourceField\\\":\\\"@timestamp\\\",\\\"isBucketed\\\":true,\\\"dataType\\\":\\\"date\\\",\\\"scale\\\":\\\"interval\\\",\\\"operationType\\\":\\\"date_histogram\\\",\\\"label\\\":\\\"@timestamp\\\",\\\"params\\\":{\\\"interval\\\":\\\"1d\\\"},\\\"id\\\":\\\"c4bc659c-3e7c-41f2-bc38-32d9edee95e8\\\"},\\\"col-3-3041fc1b-ceb8-4188-b55d-d354819f267e\\\":{\\\"sourceField\\\":\\\"googlecloud.billing.total\\\",\\\"isBucketed\\\":false,\\\"dataType\\\":\\\"number\\\",\\\"scale\\\":\\\"ratio\\\",\\\"operationType\\\":\\\"max\\\",\\\"label\\\":\\\"Total Billing\\\",\\\"customLabel\\\":true,\\\"id\\\":\\\"3041fc1b-ceb8-4188-b55d-d354819f267e\\\"}}\"}\n| lens_xy_chart xTitle=\"@timestamp [1]\" yTitle=\"Total Billing\" legend={lens_xy_legendConfig isVisible=true position=\"right\"} fittingFunction=\"None\" \n layers={lens_xy_layer layerId=\"325e60ce-0fbd-42b0-82f6-b10df31fef6c\" hide=false xAccessor=\"c4bc659c-3e7c-41f2-bc38-32d9edee95e8\" yScaleType=\"linear\" xScaleType=\"time\" isHistogram=true splitAccessor=\"faaaaf23-f362-4a00-be9e-8a155208a39e\" seriesType=\"bar_stacked\" accessors=\"3041fc1b-ceb8-4188-b55d-d354819f267e\" columnToLabel=\"{\\\"3041fc1b-ceb8-4188-b55d-d354819f267e\\\":\\\"Total Billing\\\",\\\"faaaaf23-f362-4a00-be9e-8a155208a39e\\\":\\\"Project ID\\\"}\"}", + "state": { + "datasourceMetaData": { + "filterableIndexPatterns": [ + { + "id": "metricbeat-*", + "title": "metricbeat-*" + } + ] + }, + "datasourceStates": { + "indexpattern": { + "currentIndexPatternId": "metricbeat-*", + "layers": { + "325e60ce-0fbd-42b0-82f6-b10df31fef6c": { + "columnOrder": [ + "faaaaf23-f362-4a00-be9e-8a155208a39e", + "c4bc659c-3e7c-41f2-bc38-32d9edee95e8", + "3041fc1b-ceb8-4188-b55d-d354819f267e" + ], + "columns": { + "3041fc1b-ceb8-4188-b55d-d354819f267e": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Billing", + "operationType": "max", + "scale": "ratio", + "sourceField": "googlecloud.billing.total" + }, + "c4bc659c-3e7c-41f2-bc38-32d9edee95e8": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "1d" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "faaaaf23-f362-4a00-be9e-8a155208a39e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Project ID", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "3041fc1b-ceb8-4188-b55d-d354819f267e", + "type": "column" + }, + "orderDirection": "desc", + "size": 10 + }, + "scale": "ordinal", + "sourceField": "googlecloud.billing.project_id" + } + }, + "indexPatternId": "metricbeat-*" + }, + "4ca843af-63d7-46b9-a719-51a81eebf1f7": { + "columnOrder": [ + "1164563d-d2b3-4067-bc7b-d694179182ed", + "10b91492-efef-490d-bc7a-c2074b2eae84" + ], + "columns": { + "10b91492-efef-490d-bc7a-c2074b2eae84": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Billing Cost", + "operationType": "sum", + "scale": "ratio", + "sourceField": "googlecloud.billing.total" + }, + "1164563d-d2b3-4067-bc7b-d694179182ed": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "interval": "1d" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "e25f49de-f161-4be8-a8fc-519188a7776c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Cost", + "operationType": "terms", + "params": { + "orderBy": { + "columnId": "10b91492-efef-490d-bc7a-c2074b2eae84", + "type": "column" + }, + "orderDirection": "desc", + "size": 15 + }, + "scale": "ordinal", + "sourceField": "googlecloud.billing.project_id" + } + }, + "indexPatternId": "metricbeat-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "fittingFunction": "None", + "layers": [ + { + "accessors": [ + "3041fc1b-ceb8-4188-b55d-d354819f267e" + ], + "layerId": "325e60ce-0fbd-42b0-82f6-b10df31fef6c", + "seriesType": "bar_stacked", + "splitAccessor": "faaaaf23-f362-4a00-be9e-8a155208a39e", + "xAccessor": "c4bc659c-3e7c-41f2-bc38-32d9edee95e8" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked" + } + }, + "title": "Total Cost Bar Chart [Metricbeat Googlecloud]", + "visualizationType": "lnsXY" + }, + "id": "73346db0-e88d-11ea-bf8c-d13ebf358a78", + "migrationVersion": { + "lens": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "lens", + "updated_at": "2020-09-01T19:36:43.994Z", + "version": "WzU5MzgsOF0=" + } + ], + "version": "7.9.0" +} diff --git a/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-compute-overview.json b/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-compute-overview.json index 1f6d0b16891..185905f94ae 100644 --- a/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-compute-overview.json +++ b/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-compute-overview.json @@ -32,7 +32,7 @@ "panelIndex": "28706ab2-1142-401d-9143-f4176a034c10", "panelRefName": "panel_0", "title": "Filters", - "version": "7.6.1" + "version": "7.9.1" }, { "embeddableConfig": { @@ -48,7 +48,7 @@ "panelIndex": "2034fcc8-5cd7-4ee8-8c8f-99054f025b05", "panelRefName": "panel_1", "title": "Instance Uptime", - "version": "7.6.1" + "version": "7.9.1" }, { "embeddableConfig": { @@ -64,7 +64,7 @@ "panelIndex": "5f6f2ecd-dcaf-4455-967c-ede6b38f431f", "panelRefName": "panel_2", "title": "CPU Utilization", - "version": "7.6.1" + "version": "7.9.1" }, { "embeddableConfig": { @@ -80,7 +80,7 @@ "panelIndex": "9c6f36f5-c2b2-40f5-8ee3-af6131168842", "panelRefName": "panel_3", "title": "Read I/O", - "version": "7.6.1" + "version": "7.9.1" }, { "embeddableConfig": { @@ -96,7 +96,7 @@ "panelIndex": "93906f63-42c9-4f30-9b2c-05041a9e1efe", "panelRefName": "panel_4", "title": "Write I/O", - "version": "7.6.1" + "version": "7.9.1" }, { "embeddableConfig": { @@ -112,7 +112,7 @@ "panelIndex": "e1a4e862-dd00-409f-8746-8a8e4bc82807", "panelRefName": "panel_5", "title": "Network Sent Bytes", - "version": "7.6.1" + "version": "7.9.1" }, { "embeddableConfig": { @@ -128,7 +128,7 @@ "panelIndex": "6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce", "panelRefName": "panel_6", "title": "Network Received Bytes", - "version": "7.6.1" + "version": "7.9.1" }, { "embeddableConfig": { @@ -144,7 +144,7 @@ "panelIndex": "00689e12-4cb3-49ad-ac33-dbe4279f446e", "panelRefName": "panel_7", "title": "Firewall Dropped Bytes", - "version": "7.6.1" + "version": "7.9.1" }, { "embeddableConfig": { @@ -160,7 +160,7 @@ "panelIndex": "901e7bf5-35f5-4c1a-9627-27f6c20d2514", "panelRefName": "panel_8", "title": "Firewall Dropped Packets", - "version": "7.6.1" + "version": "7.9.1" } ], "timeRestore": false, @@ -171,6 +171,9 @@ "migrationVersion": { "dashboard": "7.3.0" }, + "namespaces": [ + "default" + ], "references": [ { "id": "3aa96470-5fc4-11ea-a4f6-717338406083", @@ -219,8 +222,8 @@ } ], "type": "dashboard", - "updated_at": "2020-03-17T15:46:32.321Z", - "version": "WzgwNiwyXQ==" + "updated_at": "2020-09-15T16:22:48.674Z", + "version": "Wzk1NCwxXQ==" }, { "attributes": { @@ -297,8 +300,11 @@ }, "id": "3aa96470-5fc4-11ea-a4f6-717338406083", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [ { "id": "metricbeat-*", @@ -317,14 +323,20 @@ } ], "type": "visualization", - "updated_at": "2020-03-11T21:52:40.506Z", - "version": "Wzc4NywyXQ==" + "updated_at": "2020-09-15T16:22:42.806Z", + "version": "Wzk1MSwxXQ==" }, { "attributes": { "description": "", "kibanaSavedObjectMeta": { - "searchSourceJSON": {} + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } }, "title": "Compute Instance Uptime Gauge [Metricbeat Googlecloud]", "uiStateJSON": {}, @@ -347,7 +359,7 @@ ], "default_index_pattern": "metricbeat-*", "default_timefield": "@timestamp", - "drop_last_bucket": 1, + "drop_last_bucket": 0, "filter": { "language": "kuery", "query": "" @@ -364,7 +376,7 @@ "gauge_width": 10, "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "metricbeat-*", - "interval": "5m", + "interval": "\u003e=5m", "isModelInvalid": false, "series": [ { @@ -393,7 +405,7 @@ }, { "id": "81dc6000-63e7-11ea-994d-3b2599babc53", - "script": "params.uptime /60\n", + "script": "params.uptime / 60\n", "type": "math", "variables": [ { @@ -407,6 +419,7 @@ "override_index_pattern": 0, "point_size": 1, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "terms_field": "cloud.instance.name", @@ -416,7 +429,9 @@ ], "show_grid": 1, "show_legend": 1, - "time_field": "", + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", "type": "gauge" }, "title": "Compute Instance Uptime Gauge [Metricbeat Googlecloud]", @@ -425,12 +440,15 @@ }, "id": "da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-03-11T22:29:03.883Z", - "version": "WzgwMiwyXQ==" + "updated_at": "2020-09-15T16:01:39.831Z", + "version": "WzQzNCwxXQ==" }, { "attributes": { @@ -492,12 +510,15 @@ }, "id": "3f472ea0-5e47-11ea-a4f6-717338406083", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-03-09T17:22:26.247Z", - "version": "WzcwNCwxXQ==" + "updated_at": "2020-09-15T16:01:39.831Z", + "version": "WzQzNSwxXQ==" }, { "attributes": { @@ -558,12 +579,15 @@ }, "id": "89513bc0-5e48-11ea-a4f6-717338406083", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-03-09T15:57:30.034Z", - "version": "WzM1NiwxXQ==" + "updated_at": "2020-09-15T16:01:39.831Z", + "version": "WzQzNiwxXQ==" }, { "attributes": { @@ -624,12 +648,15 @@ }, "id": "95e1f050-5e48-11ea-a4f6-717338406083", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-03-09T15:57:30.034Z", - "version": "WzM1NywxXQ==" + "updated_at": "2020-09-15T16:01:39.831Z", + "version": "WzQzNywxXQ==" }, { "attributes": { @@ -690,12 +717,15 @@ }, "id": "6f795e70-5e49-11ea-a4f6-717338406083", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-03-09T15:57:30.034Z", - "version": "WzM1OCwxXQ==" + "updated_at": "2020-09-15T16:01:39.831Z", + "version": "WzQzOCwxXQ==" }, { "attributes": { @@ -756,12 +786,15 @@ }, "id": "43f45ba0-5e4a-11ea-a4f6-717338406083", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-03-09T15:57:30.034Z", - "version": "WzM1OSwxXQ==" + "updated_at": "2020-09-15T16:01:39.831Z", + "version": "WzQzOSwxXQ==" }, { "attributes": { @@ -841,12 +874,15 @@ }, "id": "9d919d00-5e4d-11ea-a4f6-717338406083", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-03-11T22:23:01.173Z", - "version": "Wzc5NywyXQ==" + "updated_at": "2020-09-15T16:01:39.831Z", + "version": "WzQ0MCwxXQ==" }, { "attributes": { @@ -927,13 +963,16 @@ }, "id": "ef1508c0-5e4c-11ea-a4f6-717338406083", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-03-09T15:57:30.034Z", - "version": "WzM2MSwxXQ==" + "updated_at": "2020-09-15T16:01:39.831Z", + "version": "WzQ0MSwxXQ==" } ], - "version": "7.6.1" + "version": "7.9.1" } diff --git a/x-pack/metricbeat/module/googlecloud/billing/_meta/data.json b/x-pack/metricbeat/module/googlecloud/billing/_meta/data.json new file mode 100644 index 00000000000..92ee77fb15b --- /dev/null +++ b/x-pack/metricbeat/module/googlecloud/billing/_meta/data.json @@ -0,0 +1,30 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-bi", + "name": "elastic-bi" + }, + "provider": "googlecloud" + }, + "event": { + "dataset": "googlecloud.billing", + "duration": 115000, + "module": "googlecloud" + }, + "googlecloud": { + "billing": { + "cost_type": "regular", + "invoice_month": "202008", + "project_id": "elastic-fin-bi", + "total": 170.811692 + } + }, + "metricset": { + "name": "billing", + "period": 10000 + }, + "service": { + "type": "googlecloud" + } +} \ No newline at end of file diff --git a/x-pack/metricbeat/module/googlecloud/billing/_meta/docs.asciidoc b/x-pack/metricbeat/module/googlecloud/billing/_meta/docs.asciidoc new file mode 100644 index 00000000000..ccf26a17600 --- /dev/null +++ b/x-pack/metricbeat/module/googlecloud/billing/_meta/docs.asciidoc @@ -0,0 +1,39 @@ +`billing` metricset is designed for collecting billing metrics from Google Cloud +BigQuery daily cost detail table. BigQuery is a fully-managed, serverless data +warehouse. +Cloud Billing export to BigQuery enables you to export detailed Google Cloud +billing data (such as usage, cost estimates, and pricing data) automatically +throughout the day to a BigQuery dataset that you specify. Then you can access +your Cloud Billing data from BigQuery for detailed analysis using Metricbeat. +Please see https://cloud.google.com/billing/docs/how-to/export-data-bigquery[export +cloud billing data to BigQuery] for more details on how to export billing data. + +In BigQuery dataset, detailed Google Cloud daily cost data is loaded into a data +table named `gcp_billing_export_v1_`. There is a defined +schema for Google Cloud daily cost data that is exported to BigQuery. Please see +https://cloud.google.com/billing/docs/how-to/export-data-bigquery-tables#data-schema[ +daily cost detail data schema] for more details. + +[float] +=== Metricset-specific configuration notes +* *dataset_id*: (Required) Dataset ID that points to the top-level container which contains +the actual billing tables. +* *table_pattern*: (Optional) Daily cost detail billing table name prefix. +Default to `gcp_billing_export_v1`. +* *cost_type*: (Optional) The type of cost this line item represents: regular, +tax, adjustment, or rounding error. Default to `regular`. + +[float] +=== Configuration example +[source,yaml] +---- +- module: googlecloud + metricsets: + - billing + period: 24h + project_id: "your project id" + credentials_file_path: "your JSON credentials file path" + dataset_id: "dataset id" + table_pattern: "table pattern" + cost_type: "regular" +---- diff --git a/x-pack/metricbeat/module/googlecloud/billing/_meta/fields.yml b/x-pack/metricbeat/module/googlecloud/billing/_meta/fields.yml new file mode 100644 index 00000000000..56608ad00a7 --- /dev/null +++ b/x-pack/metricbeat/module/googlecloud/billing/_meta/fields.yml @@ -0,0 +1,17 @@ +- name: billing + release: beta + type: group + description: Google Cloud Billing metrics + fields: + - name: cost_type + type: keyword + description: Cost types include regular, tax, adjustment, and rounding_error. + - name: invoice_month + type: keyword + description: Billing report month. + - name: project_id + type: keyword + description: Project ID of the billing report belongs to. + - name: total + type: float + description: Total billing amount. diff --git a/x-pack/metricbeat/module/googlecloud/billing/billing.go b/x-pack/metricbeat/module/googlecloud/billing/billing.go new file mode 100644 index 00000000000..a314df78100 --- /dev/null +++ b/x-pack/metricbeat/module/googlecloud/billing/billing.go @@ -0,0 +1,305 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package billing + +import ( + "context" + "crypto/sha256" + "encoding/hex" + "fmt" + "strings" + "time" + + "cloud.google.com/go/bigquery" + "google.golang.org/api/iterator" + "google.golang.org/api/option" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/cfgwarn" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/metricbeat/mb" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud" +) + +const ( + // metricsetName is the name of this metricset + metricsetName = "billing" +) + +// init registers the MetricSet with the central registry as soon as the program +// starts. The New function will be called later to instantiate an instance of +// the MetricSet for each host defined in the module's configuration. After the +// MetricSet has been created then Fetch will begin to be called periodically. +func init() { + mb.Registry.MustAddMetricSet(googlecloud.ModuleName, metricsetName, New) +} + +// MetricSet holds any configuration or state information. It must implement +// the mb.MetricSet interface. And this is best achieved by embedding +// mb.BaseMetricSet because it implements all of the required mb.MetricSet +// interface methods except for Fetch. +type MetricSet struct { + mb.BaseMetricSet + config config + logger *logp.Logger +} + +type config struct { + Period time.Duration `config:"period" validate:"required"` + ProjectID string `config:"project_id" validate:"required"` + CredentialsFilePath string `config:"credentials_file_path" validate:"required"` + DatasetID string `config:"dataset_id" validate:"required"` + TablePattern string `config:"table_pattern"` + CostType string `config:"cost_type"` +} + +// Validate checks for deprecated config options +func (c config) Validate() error { + if c.CostType != "" { + // cost_type can only be regular, tax, adjustment, or rounding error + costTypes := []string{"regular", "tax", "adjustment", "rounding error"} + if stringInSlice(c.CostType, costTypes) { + return nil + } + return fmt.Errorf("given cost_type %s is not in supported list %s", c.CostType, costTypes) + } + + if c.Period.Hours() < 24 { + return fmt.Errorf("collection period for billing metricset %s cannot be less than 24 hours", c.Period) + } + return nil +} + +func stringInSlice(a string, list []string) bool { + for _, b := range list { + if b == a { + return true + } + } + return false +} + +// New creates a new instance of the MetricSet. New is responsible for unpacking +// any MetricSet specific configuration options if there are any. +func New(base mb.BaseMetricSet) (mb.MetricSet, error) { + cfgwarn.Beta("The gcp '%s' metricset is beta.", metricsetName) + + m := &MetricSet{ + BaseMetricSet: base, + logger: logp.NewLogger(metricsetName), + } + + if err := base.Module().UnpackConfig(&m.config); err != nil { + return nil, fmt.Errorf("unpack billing config failed: %w", err) + } + + m.Logger().Debugf("metricset config: %v", m.config) + return m, nil +} + +// Fetch methods implements the data gathering and data conversion to the right +// format. It publishes the event which is then forwarded to the output. In case +// of an error set the Error field of mb.Event or simply call report.Error(). +func (m *MetricSet) Fetch(ctx context.Context, reporter mb.ReporterV2) (err error) { + // find current month + month := getCurrentMonth() + + opt := []option.ClientOption{option.WithCredentialsFile(m.config.CredentialsFilePath)} + client, err := bigquery.NewClient(ctx, m.config.ProjectID, opt...) + if err != nil { + return fmt.Errorf("gerror creating bigquery client: %w", err) + } + + defer client.Close() + + // default table_pattern for query is "gcp_billing_export_v1" + if m.config.TablePattern == "" { + m.logger.Warn("table_pattern is not set in config, \"gcp_billing_export_v1\" will be used by default.") + m.config.TablePattern = "gcp_billing_export_v1" + } + + // default cost_type for query is "regular" + if m.config.CostType == "" { + m.logger.Warn("cost_type is not set in config, \"regular\" will be used by default.") + m.config.CostType = "regular" + } + + tableMetas, err := getTables(ctx, client, m.config.DatasetID, m.config.TablePattern) + if err != nil { + return fmt.Errorf("getTables failed: %w", err) + } + + var events []mb.Event + for _, tableMeta := range tableMetas { + eventsPerQuery, err := m.queryBigQuery(ctx, client, tableMeta, month, m.config.CostType) + if err != nil { + return fmt.Errorf("queryBigQuery failed: %w", err) + } + + events = append(events, eventsPerQuery...) + } + + m.Logger().Debugf("Total %d of events are created for billing", len(events)) + for _, event := range events { + reporter.Event(event) + } + return nil +} + +func getCurrentMonth() string { + currentTime := time.Now() + return fmt.Sprintf("%04d%02d", currentTime.Year(), int(currentTime.Month())) +} + +type tableMeta struct { + tableFullID string + location string +} + +func getTables(ctx context.Context, client *bigquery.Client, datasetID string, tablePattern string) ([]tableMeta, error) { + dit := client.Datasets(ctx) + var tables []tableMeta + + for { + dataset, err := dit.Next() + if err == iterator.Done { + break + } + if err != nil { + return tables, err + } + + meta, err := client.Dataset(dataset.DatasetID).Metadata(ctx) + if err != nil { + return tables, err + } + + // compare with given dataset_id + if dataset.DatasetID != datasetID { + continue + } + + tit := dataset.Tables(ctx) + for { + var tableMeta tableMeta + table, err := tit.Next() + if err == iterator.Done { + break + } + if err != nil { + return tables, err + } + + // make sure table ID fits the given table_pattern + if strings.HasPrefix(table.TableID, tablePattern) { + tableMeta.tableFullID = table.ProjectID + "." + table.DatasetID + "." + table.TableID + tableMeta.location = meta.Location + tables = append(tables, tableMeta) + } + } + } + return tables, nil +} + +func (m *MetricSet) queryBigQuery(ctx context.Context, client *bigquery.Client, tableMeta tableMeta, month string, costType string) ([]mb.Event, error) { + var events []mb.Event + query := fmt.Sprintf(` + SELECT + invoice.month, + project.id, + cost_type, + (SUM(CAST(cost * 1000000 AS int64)) + + SUM(IFNULL((SELECT SUM(CAST(c.amount * 1000000 as int64)) FROM UNNEST(credits) c), 0))) / 1000000 + AS total_exact + FROM %s + WHERE project.id IS NOT NULL + AND invoice.month = '%s' + AND cost_type = '%s' + GROUP BY 1, 2, 3 + ORDER BY 1 ASC, 2 ASC, 3 ASC;`, tableMeta.tableFullID, month, costType) + + q := client.Query(query) + m.logger.Debug("bigquery query = ", query) + + // Location must match that of the dataset(s) referenced in the query. + q.Location = tableMeta.location + + // Run the query and print results when the query job is completed. + job, err := q.Run(ctx) + if err != nil { + err = fmt.Errorf("bigquery Run failed: %w", err) + m.logger.Error(err) + return events, err + } + + status, err := job.Wait(ctx) + if err != nil { + err = fmt.Errorf("bigquery Wait failed: %w", err) + m.logger.Error(err) + return events, err + } + + if err := status.Err(); err != nil { + err = fmt.Errorf("bigquery status error: %w", err) + m.logger.Error(err) + return events, err + } + + it, err := job.Read(ctx) + for { + var row []bigquery.Value + err := it.Next(&row) + if err == iterator.Done { + break + } + + if err != nil { + err = fmt.Errorf("bigquery RowIterator Next failed: %w", err) + m.logger.Error(err) + return events, err + } + + if len(row) == 4 { + events = append(events, createEvents(row, m.config.ProjectID)) + } + } + return events, nil +} + +func createEvents(rowItems []bigquery.Value, accountID string) mb.Event { + event := mb.Event{} + event.MetricSetFields = common.MapStr{ + "invoice_month": rowItems[0], + "project_id": rowItems[1], + "cost_type": rowItems[2], + "total": rowItems[3], + } + + event.RootFields = common.MapStr{ + "cloud.provider": "googlecloud", + "cloud.account.id": accountID, + "cloud.account.name": accountID, + } + + // create eventID for each current_date + invoice_month + project_id + cost_type + currentDate := getCurrentDate() + event.ID = generateEventID(currentDate, rowItems) + return event +} + +func getCurrentDate() string { + currentTime := time.Now() + return fmt.Sprintf("%04d%02d%02d", currentTime.Year(), int(currentTime.Month()), currentTime.Day()) +} + +func generateEventID(currentDate string, rowItems []bigquery.Value) string { + // create eventID using hash of current_date + invoice_month + project_id + cost_type + // This will prevent more than one billing metric getting collected in the same day. + eventID := currentDate + rowItems[0].(string) + rowItems[1].(string) + rowItems[2].(string) + h := sha256.New() + h.Write([]byte(eventID)) + prefix := hex.EncodeToString(h.Sum(nil)) + return prefix[:20] +} diff --git a/x-pack/metricbeat/module/googlecloud/billing/billing_integration_test.go b/x-pack/metricbeat/module/googlecloud/billing/billing_integration_test.go new file mode 100644 index 00000000000..0a4af506057 --- /dev/null +++ b/x-pack/metricbeat/module/googlecloud/billing/billing_integration_test.go @@ -0,0 +1,24 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build integration +// +build googlecloud + +package billing + +import ( + "testing" + + mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics" +) + +func TestData(t *testing.T) { + config := metrics.GetConfigForTest(t, "billing") + config["period"] = "24h" + config["dataset_id"] = "master_gcp" + + metricSet := mbtest.NewFetcher(t, config) + metricSet.WriteEvents(t, "/") +} diff --git a/x-pack/metricbeat/module/googlecloud/billing/billing_test.go b/x-pack/metricbeat/module/googlecloud/billing/billing_test.go new file mode 100644 index 00000000000..885a2fc9786 --- /dev/null +++ b/x-pack/metricbeat/module/googlecloud/billing/billing_test.go @@ -0,0 +1,18 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package billing + +import ( + "strconv" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestGetCurrentMonth(t *testing.T) { + currentMonth := getCurrentMonth() + _, err := strconv.ParseInt(currentMonth, 0, 64) + assert.NoError(t, err) +} diff --git a/x-pack/metricbeat/module/googlecloud/compute/_meta/data.json b/x-pack/metricbeat/module/googlecloud/compute/_meta/data.json index 13c4958d13f..36c46744b50 100644 --- a/x-pack/metricbeat/module/googlecloud/compute/_meta/data.json +++ b/x-pack/metricbeat/module/googlecloud/compute/_meta/data.json @@ -5,15 +5,16 @@ "id": "elastic-observability" }, "instance": { - "id": "7692260917184259934", - "name": "instance-test-ks" + "id": "2438671519308240892", + "name": "heartbeat-mumbai" }, "machine": { - "type": "e2-standard-2" + "type": "f1-micro" }, "provider": "googlecloud" }, - "cloud.availability_zone": "us-central1-a", + "cloud.availability_zone": "asia-south1-c", + "cloud.region": "asia-south1", "event": { "dataset": "googlecloud.compute", "duration": 115000, @@ -23,50 +24,37 @@ "compute": { "firewall": { "dropped_bytes_count": { - "value": 171 + "value": 435 }, "dropped_packets_count": { - "value": 4 + "value": 7 } }, "instance": { "cpu": { "reserved_cores": { - "value": 2 + "value": 0.2 }, "usage_time": { - "value": 0.1803964574089818 + "value": 0.8653667340986431 }, "utilization": { - "value": 0.001503303811741515 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 7896264704 - }, - "ram_used": { - "value": 416518144 - }, - "swap_in_bytes_count": { - "value": 0 - }, - "swap_out_bytes_count": { - "value": 0 - } + "value": 0.07211389450822024 } }, "uptime": { - "value": 60.000000000000455 + "value": 60 } } }, - "labels": { - "user": { - "created-by": "ks" - } - } + "labels": {} + }, + "host": { + "cpu": { + "pct": 0.07211389450822024 + }, + "id": "2438671519308240892", + "name": "heartbeat-mumbai" }, "metricset": { "name": "compute", diff --git a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_cpu.json b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_cpu.json index 13c4958d13f..b43490d1915 100644 --- a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_cpu.json +++ b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_cpu.json @@ -5,15 +5,16 @@ "id": "elastic-observability" }, "instance": { - "id": "7692260917184259934", - "name": "instance-test-ks" + "id": "7925831082803123728", + "name": "heartbeat-tokyo" }, "machine": { - "type": "e2-standard-2" + "type": "f1-micro" }, "provider": "googlecloud" }, - "cloud.availability_zone": "us-central1-a", + "cloud.availability_zone": "asia-northeast1-b", + "cloud.region": "asia-northeast1", "event": { "dataset": "googlecloud.compute", "duration": 115000, @@ -23,50 +24,37 @@ "compute": { "firewall": { "dropped_bytes_count": { - "value": 171 + "value": 422 }, "dropped_packets_count": { - "value": 4 + "value": 7 } }, "instance": { "cpu": { "reserved_cores": { - "value": 2 + "value": 0.2 }, "usage_time": { - "value": 0.1803964574089818 + "value": 0.8921228461549617 }, "utilization": { - "value": 0.001503303811741515 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 7896264704 - }, - "ram_used": { - "value": 416518144 - }, - "swap_in_bytes_count": { - "value": 0 - }, - "swap_out_bytes_count": { - "value": 0 - } + "value": 0.07434357051291347 } }, "uptime": { - "value": 60.000000000000455 + "value": 60 } } }, - "labels": { - "user": { - "created-by": "ks" - } - } + "labels": {} + }, + "host": { + "cpu": { + "pct": 0.07434357051291347 + }, + "id": "7925831082803123728", + "name": "heartbeat-tokyo" }, "metricset": { "name": "compute", diff --git a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_disk.json b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_disk.json index 38b0e2a5b4f..7a8f923569e 100644 --- a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_disk.json +++ b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_disk.json @@ -5,15 +5,16 @@ "id": "elastic-observability" }, "instance": { - "id": "7692260917184259934", - "name": "instance-test-ks" + "id": "7925831082803123728", + "name": "heartbeat-tokyo" }, "machine": { - "type": "e2-standard-2" + "type": "f1-micro" }, "provider": "googlecloud" }, - "cloud.availability_zone": "us-central1-a", + "cloud.availability_zone": "asia-northeast1-b", + "cloud.region": "asia-northeast1", "event": { "dataset": "googlecloud.compute", "duration": 115000, @@ -30,25 +31,34 @@ "value": 0 }, "write_bytes_count": { - "value": 158506 + "value": 0 }, "write_ops_count": { - "value": 25 + "value": 0 } } } }, "labels": { "metrics": { - "device_name": "instance-test-ks", + "device_name": "disk-1", "device_type": "permanent", "storage_type": "pd-standard" - }, - "user": { - "created-by": "ks" } } }, + "host": { + "disk": { + "read": { + "bytes": 0 + }, + "write": { + "bytes": 0 + } + }, + "id": "7925831082803123728", + "name": "heartbeat-tokyo" + }, "metricset": { "name": "compute", "period": 10000 diff --git a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_firewall.json b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_firewall.json index f147f276f32..b43490d1915 100644 --- a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_firewall.json +++ b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_firewall.json @@ -5,15 +5,16 @@ "id": "elastic-observability" }, "instance": { - "id": "7692260917184259934", - "name": "instance-test-ks" + "id": "7925831082803123728", + "name": "heartbeat-tokyo" }, "machine": { - "type": "e2-standard-2" + "type": "f1-micro" }, "provider": "googlecloud" }, - "cloud.availability_zone": "us-central1-a", + "cloud.availability_zone": "asia-northeast1-b", + "cloud.region": "asia-northeast1", "event": { "dataset": "googlecloud.compute", "duration": 115000, @@ -23,38 +24,22 @@ "compute": { "firewall": { "dropped_bytes_count": { - "value": 277 + "value": 422 }, "dropped_packets_count": { - "value": 5 + "value": 7 } }, "instance": { "cpu": { "reserved_cores": { - "value": 2 + "value": 0.2 }, "usage_time": { - "value": 0.18404532833979204 + "value": 0.8921228461549617 }, "utilization": { - "value": 0.001533711069498267 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 7896264704 - }, - "ram_used": { - "value": 416260096 - }, - "swap_in_bytes_count": { - "value": 0 - }, - "swap_out_bytes_count": { - "value": 0 - } + "value": 0.07434357051291347 } }, "uptime": { @@ -62,11 +47,14 @@ } } }, - "labels": { - "user": { - "created-by": "ks" - } - } + "labels": {} + }, + "host": { + "cpu": { + "pct": 0.07434357051291347 + }, + "id": "7925831082803123728", + "name": "heartbeat-tokyo" }, "metricset": { "name": "compute", diff --git a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_memory.json b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_memory.json deleted file mode 100644 index f147f276f32..00000000000 --- a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_memory.json +++ /dev/null @@ -1,78 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "instance": { - "id": "7692260917184259934", - "name": "instance-test-ks" - }, - "machine": { - "type": "e2-standard-2" - }, - "provider": "googlecloud" - }, - "cloud.availability_zone": "us-central1-a", - "event": { - "dataset": "googlecloud.compute", - "duration": 115000, - "module": "googlecloud" - }, - "googlecloud": { - "compute": { - "firewall": { - "dropped_bytes_count": { - "value": 277 - }, - "dropped_packets_count": { - "value": 5 - } - }, - "instance": { - "cpu": { - "reserved_cores": { - "value": 2 - }, - "usage_time": { - "value": 0.18404532833979204 - }, - "utilization": { - "value": 0.001533711069498267 - } - }, - "memory": { - "balloon": { - "ram_size": { - "value": 7896264704 - }, - "ram_used": { - "value": 416260096 - }, - "swap_in_bytes_count": { - "value": 0 - }, - "swap_out_bytes_count": { - "value": 0 - } - } - }, - "uptime": { - "value": 60 - } - } - }, - "labels": { - "user": { - "created-by": "ks" - } - } - }, - "metricset": { - "name": "compute", - "period": 10000 - }, - "service": { - "type": "googlecloud" - } -} \ No newline at end of file diff --git a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_network.json b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_network.json index 1b86e390e16..22257a87521 100644 --- a/x-pack/metricbeat/module/googlecloud/compute/_meta/data_network.json +++ b/x-pack/metricbeat/module/googlecloud/compute/_meta/data_network.json @@ -5,15 +5,16 @@ "id": "elastic-observability" }, "instance": { - "id": "7692260917184259934", - "name": "instance-test-ks" + "id": "7925831082803123728", + "name": "heartbeat-tokyo" }, "machine": { - "type": "e2-standard-2" + "type": "f1-micro" }, "provider": "googlecloud" }, - "cloud.availability_zone": "us-central1-a", + "cloud.availability_zone": "asia-northeast1-b", + "cloud.region": "asia-northeast1", "event": { "dataset": "googlecloud.compute", "duration": 115000, @@ -24,16 +25,16 @@ "instance": { "network": { "received_bytes_count": { - "value": 13073 + "value": 2866053 }, "received_packets_count": { - "value": 95 + "value": 2449 }, "sent_bytes_count": { - "value": 0 + "value": 119338 }, "sent_packets_count": { - "value": 0 + "value": 695 } } } @@ -41,9 +42,20 @@ "labels": { "metrics": { "loadbalanced": "false" + } + } + }, + "host": { + "id": "7925831082803123728", + "name": "heartbeat-tokyo", + "network": { + "in": { + "bytes": 119338, + "packets": 695 }, - "user": { - "created-by": "ks" + "out": { + "bytes": 2866053, + "packets": 2449 } } }, diff --git a/x-pack/metricbeat/module/googlecloud/compute/compute_integration_test.go b/x-pack/metricbeat/module/googlecloud/compute/compute_integration_test.go index 275016a383d..99f76e47c20 100644 --- a/x-pack/metricbeat/module/googlecloud/compute/compute_integration_test.go +++ b/x-pack/metricbeat/module/googlecloud/compute/compute_integration_test.go @@ -11,9 +11,10 @@ import ( "fmt" "testing" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics" + "github.com/elastic/beats/v7/libbeat/common" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" - "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver" ) func TestData(t *testing.T) { @@ -36,7 +37,7 @@ func TestData(t *testing.T) { {"googlecloud.compute.instance.memory", "./_meta/data_memory.json"}, } - config := stackdriver.GetConfigForTest(t, "compute") + config := metrics.GetConfigForTest(t, "compute") for _, df := range dataFiles { metricSet := mbtest.NewFetcher(t, config) diff --git a/x-pack/metricbeat/module/googlecloud/compute/compute_test.go b/x-pack/metricbeat/module/googlecloud/compute/compute_test.go index d3a4f2fdf06..38519f6a51a 100644 --- a/x-pack/metricbeat/module/googlecloud/compute/compute_test.go +++ b/x-pack/metricbeat/module/googlecloud/compute/compute_test.go @@ -11,7 +11,7 @@ import ( // Register input module and metricset _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud" - _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver" + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics" ) func init() { diff --git a/x-pack/metricbeat/module/googlecloud/compute/manifest.yml b/x-pack/metricbeat/module/googlecloud/compute/manifest.yml index efd7be143d3..1c688a57e78 100644 --- a/x-pack/metricbeat/module/googlecloud/compute/manifest.yml +++ b/x-pack/metricbeat/module/googlecloud/compute/manifest.yml @@ -1,7 +1,7 @@ default: true input: module: googlecloud - metricset: stackdriver + metricset: metrics defaults: metrics: - service: compute diff --git a/x-pack/metricbeat/module/googlecloud/constants.go b/x-pack/metricbeat/module/googlecloud/constants.go index 19b7e27c53d..7840b3bffc4 100644 --- a/x-pack/metricbeat/module/googlecloud/constants.go +++ b/x-pack/metricbeat/module/googlecloud/constants.go @@ -42,8 +42,9 @@ const ( ECSCloudRegion = "region" - ECSCloudAccount = "account" - ECSCloudAccountID = "id" + ECSCloudAccount = "account" + ECSCloudAccountID = "id" + ECSCloudAccountName = "name" ECSCloudInstance = "instance" ECSCloudInstanceKey = ECSCloud + "." + ECSCloudInstance diff --git a/x-pack/metricbeat/module/googlecloud/fields.go b/x-pack/metricbeat/module/googlecloud/fields.go index e847ccdafb1..d74009bff14 100644 --- a/x-pack/metricbeat/module/googlecloud/fields.go +++ b/x-pack/metricbeat/module/googlecloud/fields.go @@ -19,5 +19,5 @@ func init() { // AssetGooglecloud returns asset data. // This is the base64 encoded gzipped contents of module/googlecloud. func AssetGooglecloud() string { - return "eJzcXEtv2zoW3udXHHTTdpC6wMyuGFwg18XcW6CZCZC0W4Gijm2OKVLlIx731w9ISrIkW7IsS0pz001tS+T3nfc5enyALe4/wVrKNUfKpU1uAAwzHD/B2z/8t7B0X8MDJ2YlVfr2BkAhR6LxE8RoyA1AgpoqlhkmxSf47QYA4I/lA6QysRxvAFYMeaI/+R8+gCApNrd0f2afue+VtFn+TfW86rmcxMh1+XVxqoz/i9RUvj6Bq/jLufn9IZWCGamYWEOKRjGqj7doYqnisRrV4m+1n1oxub/wZRSO2OJ+J1VycuEUDUmIIVMt7qhOsrbea4PpaEsXy77RhtBtotizE3j49+a8HdTWTqSNvVWe+DVKSZYxsc4PfVNbvMOa7nOrMRtiQKGxSmACKyVTeHSIP3vEcPfwBX5YVPvFETMq08yaKqymk9U5Vt3kCFzNcZdh5ULdPU2aCW2IoHhSgc3N2xarLrhiCneE86MDuhbtWri6eKJklmESxXuDOqLSCrN4Jtw24dd35FKsWw6oifOLoDJ1wcEvX2wG8R7MBruIHQPMCN2imRBivkFvkKX9ZXYSzSjUqJ4xiahUqHswPnLPVs7/tmmMCuQK/NrlViCF57yR2rhf3f9bzLmO1RrG2U/iVh8V6JNTgCLUfSoAEc4lJQYTWD58C3GDaaBWKRSG74EJl1UKKv3ga7LGyLAUR0X/zS0LK6kc5lzUTIBGKkWiWw0qYXo7kUWRqRx96dZzGgqO7nYKQbyFTAOUzCaE5CAERF/+AzJD5e30WP5VVDvFDM4jK7eVQQFGnhdWgDW9tPw+Z8RVOk/W6TidMGoQ/pQ7f5z32+/3sCEaYkQBygrBxPq2j/MINDuppvIfiux5smR55ENht+BHTibt3E5gnCpfliiLfDkMp0Zh5pGj2wmkKyIvwjab/PrhO7QeqVT7ReyyoBTTmDlJI81+9smFfUm7PG6kIRxIWvAPTJxPB39fwNOG6bzYdildCr4H8kwYJzEPefT7fd4pxBgihfQn499hRVLGK91BGzGrMRmR2H0gcag+3PpzctI7kkVMTORKTm9HGvOplIkc59qiNsH3mdEgd8JjAp0RijPxl3aqWHJSAEXGLgNekIGRk0ugHONIksSEE0FZjcdYne9XSRL4vdjgwgZ4Y0zWTNDtUekKEG1AqmBiF2VFEin84ZTUy0z6lyzOPETZTFXyDXF50e+og5n8+fT08PHRKw6C5lzAlwU+fWzlbQymwV6izTvBeF9Ccz+fgt8O+aWFTTlDYbST7zDgs8n4Ung6k0L3a0zGEmzY8owZ5xJfnAwI/B8LJgwqQZpTlJnDQgEI1wq17iHFDhn2k6AX2pevvxfOdJAVvHOh/2n5ACsudxqYeavBYznMy6QAkmWcUd+CgTYKSeozyPumkTSo9aleh5Grla0d9PJpjSPXhpWJefWQIzOyBnkaPRTc5lTESX6nXdLQLNKaR5mS/9v/Krmacqn9vFMI9CO/9qln/+BWnXWW64Zya4cKwaBKmfDzRN+EPS0fPj4+fgUvmfZQ3DuEDMPaNN3v9xXXstrPq7sB9neucRAejO/7fT+EAncz65oqvFjRMkMxMsxl6BYrviyt0YaIxEmtDl1Ju974SNqCt8CZ2VjbeIJe4MHGjza+sAfQNi7XGxZeHm35wVHxehsWVgjdRilqP+Mfyw+WNrWcGPaMIVeE7tDvod2GQu44JutQ5N0dPpc14G2QQDggQc6eUe09gO5OgMt1cOkx6j4/kXGrgWY/sUjZVtQIlLTekcV2QRYFjPKH98AEkJrKO5zeplHF2gvFjOv9JeRcsOgLkzrEtxoyqzeAIskkE+YWYmtASAN7NDUVdpOxotxkGjKTqkPyxPU7fo8DgYisxxjo360R3h1m9u8LAwubthBr43URrcxyHlX9vryOMWkEqPAp6RyuoNRcXqG23CzgX1IBgQRXTLDiKuepUzVW4vHHQ0CuCeRjKhNPO0GScCawlf95yY3dCp+T18nAmEupG+28OnZbvmrlzqFYL6SBGtWbmSDqDRBjMM1OQ4RvgrMtei761gcuf44f3ihgacYxRWFCT5hI1D57xMTQjb+vrYzIC3iUgIRuCpGEITCVwhAmXHuJtRMWvtOrbqacOYRGFJWSytmMS2hr9oyidi5Q4ptVJApSyw3LOIJhKXZMGGsyd5WWoGyUJPaZaaNYbAvb95QKGZQb+RyRMqpkkSgushh/tW7W+s43PfG+4bJGFu7qEnc+EBtS5oXxgiuOXiiNPRYAHpwb/wWS2gmJzhFiym3r8RB2zGxASPHBxZ59TcAsuSxcNpjNaycNfnMZxz+pTPC3QSbSV47loH1W88gn7RcZgGMccTQG1bxBMLMxZ3oTWiuHAgIKMDJj9CIOrdqbhchuIzVCsTfsiAabJX7eEO/hXiZstb+j28/FAdd08L1D2TScj8n089n+fOYIqz1Vcg573voqdEUYeh5zd8An+98C0IA2vp1LFO8jheuu+3NfitUtxEpu0ZXQO3Eoq3K0AyYXc3JtmWGMRbKh0IkHf6fnTEPs8RTuUdUyEoOBatGIM1WQiNvOJrV3YfiyiafeURwH8IHp5xzJX6jIP+YcLltcxNfZe0SlHp1LeNyjqoUUibYq+EwIO+FGNqbDLY5GFofADysNqT0C0n6FV4oVW0ehvhrvquQpvYStbCAEdEOECwUrqcIkph4FKjooheD3ByKSs2opctBsYa7tksA18a28M8CV78Mu2T25U6+8WPdqGzGNIpl9FO1bsFc7lZnirsYuOU3TJvxipXXefv9Fa+pr2P3KRek1vEatCq4rBSpFgE+1vjTouPLw0vXAtZm/8BCn7mkumNQjvN/H+45XxPtXUpJcat1lhhAk0xvZHNv2vYMoP/vKiiQPirMOhlqmJjmhswH8hQJ3N+qh0W2em57ahgVnRV7DN4ennUE6UMzCphPfi3WpYKuIRpVrb2wDRfnaktqH1ltF/RuOKi+OuWninuJdKodOUCqynuK9Lo9h5QtvaSUZ652Huh8/6dPz9H0m4DNyQw4GcffwBSjxN6xUjMCFDfdLimYjE4+isATf6QKVCZ5OwcSazc8reVdvxeVRTDQmUf7qIEIp6vF8pCGNchiXv13I2b13cZG/ughidG3/WhHhCoSABrTkyPeQWHS1bX7k3fJrRyHriB1q5tH4hDeIOL0uv1Zq8mZc6r7omItaZ0jZitHIYU2tGXc+0ZB8MW9LSVIVYoHhhDS7X+Aw3OQuemnDYL6NVzY0H+e/1hthyJsTriRz8r0EY4WV4+B+nZZzGx/tiUhfelWez/DLa8hQQWzpFk1NEDkboJzoojv2IMA/+p23z1JQ9CskZH/rBeUEWB6nMAtPpxCTj6hJmnEXnvzDk8+EF4+DSGv8qQnpeG7Fv27B20mUl+uv2uoPdMZrAoqqmnBeajh/dcMvpuT/BwAA//9F+FKY" + return "eJzcXF9v2zgSf++nGOxLt4fUBe7eisMCXRe3G6C5C5BsXwWKGtvcUKTKP/Gqn/5AUpIlWZJlW1KabZ9iW5zfb/5xZijpPTxh/hG2Um45Ui5t8gbAMMPxI7z9zX8Ka/cx3HNiNlKlb98AKORINH6EGA15A5CgpoplhknxEX55AwDw2/oeUplYjm8ANgx5oj/6L96DICm2Rbp/Js/c50rarPikfl39Wk5i5Lr6uLxUxn8iNbWPO3CV/wpuXj6kUjAjFRNbSNEoRvWxiDaWOh6rUa3+0fiqF5P7Fz6Mwi+eMN9LlXQunKIhCTFkrsUd1VnW1rk2mE62dLnsTxXm8P+n0z7QWDeRNvYe2fFtlJIsY2Jb/PSnxuIDnnRXeIzZEQMKjVUCE9gomUIjgD7d38I3iypfHdGKGedMbGvLtiOsSbIeI0foGkJ/DSuXth7pz1TqoJNO83XZvYVhLbXxv9bABOU2QVC4tZyoGzDkrxsgyZ9WmxSFuQEiElDSisQpH5WSatWJiolnyShGqRRmdymyUiEKM6kM+LW6xWVKet9g7fVGy7oPK8DtZ5AbMDssDV1Kj5FLsdVgZDcEIw3hndI3XJJ2BDVkP7pLK3kklVaYY8ejMs2swRkcbx1WPtPxmNCGCNrtd23hfYvVF9wwhXvC20ocXnRo4friiZJZhkkU5wZ1RL2Knwm3bfhNic7kPT9oqPNWUJk64/nlS2EQ596TBogdA8wIfUIzI8RCwGiQlf9ldhbLKNSonjGJqFSoRzA+2hh6Of/XpjEqF9B+7UoUSOE571zqK8K9x52bWK1hnH0nbvVJgT46AyhC3V8lIMK5pMRgAuv7P8KOxTRQqxQKw3NgwtUyJZVx8DXZYmRYipOi/8MtCxupHOZC1UyARipFonsdKmH6aSaPInMF+tqt5ywUAt1JCuVDD5kWKJnNCMlBCIhu/wcyQ+X99Fj/dVR7xQwuoysnyqAAI08rK8CaX1tezgl1VcGTDQbOIIwGhN/l3v/Ox+3XO9gRDTGiAGWFYGJ7MyZ4BJq9VHPFD0X2PNtmeRRDQVqII6eTfm4dGOfaLyuU5X55GU6NwiyjRycJ5DOq87Atpr9x+A4NbypVvordLijFPG5O0kiz72P2wrGk3T7uG4Giinf8AxMX0yHeV/C4Y7oott2WLgXPgTwTxknMwz769a7oUUPX4XKmuxj/CRuSMp6vThKzGpMJid0FEofqw62/JCe9J1nExEyh5Ox2ZDG/lTJR4Nxa1CbEPjMa5F54TKAzQnEh/tLOlUs6FVDu2FXCCzowcnYNVMNDSZKYcCLoPCOXL5Ik8Gsp4MwGeGdM1t6g+7PSFSD6gNTBxC7LiiRS+M0ZaZSbjC9ZnHuIqpmq7TfE7Yteog5u8vvj4/2HB284CJZzCV+W+PSxl/cxmAd7hbboBOO8gua+7oLfD/mllU05Q2G00+9lwBfT8bnwdCaFHteYTKXYIPKEGxca7x4B8n+tmDCoRM8gcLG0UALCrUKtR2hxQIfjNOiVdvvl1zKYDrqCn13qf1zfw4bLvQZm3mrwWA7zMimAZBln1LdgoI1Ckvod5F3bSVrUxlSvl5FrlK0D9IppjSPXh5WJZe1QIDOyAXkeO5TcljREJ7+eqTzNIq15lCn5V/6j7NWUS+3nnUKgH/n1Tz3HJ7f6rLNaN5Rbe1QIBlXKhJ8n+ibscX3/4eHhC3jN9Kfi0SnkMqxt1/16Vwstq/28ehjg+OCaBuHB+b7ejUMocL+wranCsw0tMxQTw1yHbrEWy9IabYg/PWxBV9Judz6T9uB931v0+7sijiNxvlOw6tTRxtrGM7Ql9zZ+sPGZ7Yi2cbXeZZnuwVZ/OCrehS7LcIQ+RSlqf9wwVUiubWo5MewZw7YVGlUvQzuBQu45JttQb346/F2VozdBA+EHCXL2jCr3AIabEi63IbtMUYKGo97cIGj2HcvqwYoGgYrWz2T1tCKrEkb1xTtgAkjD5AP5x6ZRLfBKw0ybiCrIhWLR10hNiG81ZFbvAEWSSSbMDcTWgJAGcjQNEw6TsaISMg+ZWc0heeJaLy/jQCAi2ynOFj5tEX4+HB+8Kx0sCO0h1sfrLFqZ5Tyqx311pDJrBqjxqegcDnMaIa9QW25W8B+pgECCGyZYeeDadanGWj7+cEjIDYV8SGXiaSdIEs4E9vI/rbmpu/JT+upMjIWWhtEua2Mn8lUbdwnDeiVdaFG9Wwii3gExBtOsGyL8ITh7Qs9F3/jE5a/xcyQFLM04pihMaE8TidrvHjExdOdv7Kwy8goeJCChu1IlYR5NpTCECdfpYuOClW8668KUc4fQE/v73JzPuA1ty55RNK4FSnzfjERBarlhGUcwLMWBYWdD567SEpRNsol9ZtooFtvS9z2lUgeVIL9HpIwqWW4UZ3mMPzhctL7z/Vect0LWyDJc3cZdzOYuKfPCpMMVRy+0jT2UAO5dGP8NNrUOjS6RYiqxzXwIe2Z2IKR473JP3lAwS85Lly1my/pJi99SzvFvKhP85SIXGavHaua/qHsUQ/+zHMAxjjgag2rZJJjZmDO9C62VQwEBBRiZMXoWh17rLUJkv5MaoZQNe6LBZomfN8Q53MmEbfJP9Olz+YNrOvjRqWwezsdkxsXseD5LpNWRJjmFvWh9FboiDD2PpTvgzv63BHRBG9/PJYrzSOF26Fbhl2J1A7GST+hK6L04lFUF2gsmF0ty7ZlhTEWyZdCZB3/dc6ZL/LEL96RmmYjBhWbRiAtVkIhPg03q6MLwZTeeZkdxnMAv3H5OkfyBivxjzuHY4iy+zt8jKvXkXMKTJ3UrpEi0VSFmQtoJ99QxHe62NLL8CXyz0pDG0yj9h81SbNg2CvXVdAekXXYJomwgBHRHhEsFG6nCJKaZBWo2qJTg5YdnDE+YpdyDFktzfUcC1+S3w6ODGaOXHdk9ukuvPKx7tY2YRpEsPor2LdirncrMcYPlkJ7maRN+sNK6aL//pjX1Nex+5KL0Gl6TVgXXlQK1IsBvtb40GDh5eOl64Nqdv4wQZ+55DkyaGd7L8bHjDfHulZQk53p3tUMIkumdbI9tx95BVFx9ZUVSJMVFB0M9U5OC0MkE/kKJexj1pdltmZue+oYFJ1XewLdEpJ1AeqGahU1nvhfrXMXWEU2q19HYLlTla9vUDq2XVGQ7xztdHsLKZ95DSjI2OvEPP3oypskY+zzAZ+SGHCzw6f4WKPF3iNS07uLUfZOi2cnEoyhV71tLoDLB7j2PWLP7fiXv+r2vPIqJxiQqXlhFKEU9nVO2tFFNv4p3WjlH8zElihdmQYyuz94qItyOHNCAlhx5DolFV0wWv/y0/jJQOTpihyJ1Mj7h7SHOrusvtSK4nQiGT/kKVesMKdswGjmsqTXTDgRami8HXClJ6kosMXRoc/jlDZe73FkvbLiYb+t1De1H+a+NRrjkrQlXkul8J8FUaeU4uV9n5cLHJ3sa0tc6tWcz/PIaMlQQW/qEpqGIgg1QTnTZjnoQ4B/7LvpVKSj6FRKSh7fFOQVWv1OYhSdTiClmwiTN/FvP/IOTz4SXj4JIa/ylCRl4ZsW/asH7SVTUx6/a6w90pqu6yzKWcF5ZuHhtww9m5P8HAAD//wY8Aj8=" } diff --git a/x-pack/metricbeat/module/googlecloud/loadbalancing/loadbalancing_integration_test.go b/x-pack/metricbeat/module/googlecloud/loadbalancing/loadbalancing_integration_test.go index c070d96a736..e95dede2a29 100644 --- a/x-pack/metricbeat/module/googlecloud/loadbalancing/loadbalancing_integration_test.go +++ b/x-pack/metricbeat/module/googlecloud/loadbalancing/loadbalancing_integration_test.go @@ -11,9 +11,10 @@ import ( "fmt" "testing" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics" + "github.com/elastic/beats/v7/libbeat/common" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" - "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver" ) func TestData(t *testing.T) { @@ -34,7 +35,7 @@ func TestData(t *testing.T) { {"googlecloud.loadbalancing.tcp_ssl_proxy", "./_meta/data_tcp_ssl_proxy.json"}, } - config := stackdriver.GetConfigForTest(t, "loadbalancing") + config := metrics.GetConfigForTest(t, "loadbalancing") for _, df := range dataFiles { metricSet := mbtest.NewFetcher(t, config) diff --git a/x-pack/metricbeat/module/googlecloud/loadbalancing/loadbalancing_test.go b/x-pack/metricbeat/module/googlecloud/loadbalancing/loadbalancing_test.go index a2d91a7a3bb..5f7ee66969d 100644 --- a/x-pack/metricbeat/module/googlecloud/loadbalancing/loadbalancing_test.go +++ b/x-pack/metricbeat/module/googlecloud/loadbalancing/loadbalancing_test.go @@ -11,7 +11,7 @@ import ( // Register input module and metricset _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud" - _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver" + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics" ) func init() { diff --git a/x-pack/metricbeat/module/googlecloud/loadbalancing/manifest.yml b/x-pack/metricbeat/module/googlecloud/loadbalancing/manifest.yml index 9ee42ad5948..20a41824fe3 100644 --- a/x-pack/metricbeat/module/googlecloud/loadbalancing/manifest.yml +++ b/x-pack/metricbeat/module/googlecloud/loadbalancing/manifest.yml @@ -1,7 +1,7 @@ default: false input: module: googlecloud - metricset: stackdriver + metricset: metrics defaults: metrics: - service: loadbalancing diff --git a/x-pack/metricbeat/module/googlecloud/metrics/_meta/data.json b/x-pack/metricbeat/module/googlecloud/metrics/_meta/data.json new file mode 100644 index 00000000000..c14017dd7df --- /dev/null +++ b/x-pack/metricbeat/module/googlecloud/metrics/_meta/data.json @@ -0,0 +1,36 @@ +{ + "@timestamp": "2017-10-12T08:05:34.853Z", + "cloud": { + "account": { + "id": "elastic-apm" + }, + "instance": { + "id": "8867356942891823986", + "name": "apm-ui-dev" + }, + "provider": "googlecloud" + }, + "cloud.availability_zone": "europe-west4-a", + "event": { + "dataset": "googlecloud.metrics", + "duration": 115000, + "module": "googlecloud" + }, + "googlecloud": { + "labels": {}, + "metrics": { + "instance": { + "uptime": { + "value": 60 + } + } + } + }, + "metricset": { + "name": "metrics", + "period": 10000 + }, + "service": { + "type": "googlecloud" + } +} \ No newline at end of file diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/_meta/docs.asciidoc b/x-pack/metricbeat/module/googlecloud/metrics/_meta/docs.asciidoc similarity index 91% rename from x-pack/metricbeat/module/googlecloud/stackdriver/_meta/docs.asciidoc rename to x-pack/metricbeat/module/googlecloud/metrics/_meta/docs.asciidoc index 2f42a919e3d..981c1675095 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/googlecloud/metrics/_meta/docs.asciidoc @@ -1,11 +1,11 @@ -Stackdriver provides visibility into the performance, uptime, and overall health +Operations monitoring provides visibility into the performance, uptime, and overall health of cloud-powered applications. It collects metrics, events, and metadata from different services from Google Cloud. This metricset is to collect monitoring metrics from Google Cloud using `ListTimeSeries` API. The full list of metric types that Google Cloud monitoring supports can be found in https://cloud.google.com/monitoring/api/metrics_gcp#gcp[Google Cloud Metrics]. -Each monitoring metric from stackdriver has a sample period and/or ingest delay. +Each monitoring metric from Google Cloud has a sample period and/or ingest delay. Sample period is the time interval between consecutive data points for metrics that are written periodically. Ingest delay represents the time for data points older than this value are guaranteed to be available to read. Sample period and @@ -32,7 +32,7 @@ for the full list of aligners. [float] === Example Configuration -* `stackdriver` metricset is enabled to collect metrics from all zones under +* `metrics` metricset is enabled to collect metrics from all zones under `europe-west1-c` region in `elastic-observability` project. Two sets of metrics are specified: first one is to collect CPU usage time and utilization with aggregation aligner ALIGN_MEAN; second one is to collect uptime with aggregation @@ -45,7 +45,7 @@ given aggregation aligner applied for each metric type. ---- - module: googlecloud metricsets: - - stackdriver + - metrics zone: "europe-west1-c" project_id: elastic-observability credentials_file_path: "your JSON credentials file path" @@ -64,7 +64,7 @@ given aggregation aligner applied for each metric type. ---- -* `stackdriver` metricset is enabled to collect metrics from all zones under +* `metrics` metricset is enabled to collect metrics from all zones under `europe-west1-c` region in `elastic-observability` project. Two sets of metrics are specified: first one is to collect CPU usage time and utilization with aggregation aligner ALIGN_MEAN; second one is to collect uptime with aggregation @@ -78,7 +78,7 @@ ignored. ---- - module: googlecloud metricsets: - - stackdriver + - metrics zone: "europe-west1-c" project_id: elastic-observability credentials_file_path: "your JSON credentials file path" @@ -96,7 +96,7 @@ ignored. - "instance/uptime" ---- -* `stackdriver` metricset is enabled to collect metrics from all zones under +* `metrics` metricset is enabled to collect metrics from all zones under `europe-west1-c` region in `elastic-observability` project. One set of metrics will be collected: metric types that starts with `instance/cpu` under `compute` service with aligner ALIGN_NONE. These metric types all have 240 seconds ingest @@ -112,7 +112,7 @@ every minute with no aggregation. The metric types in `compute` service with ---- - module: googlecloud metricsets: - - stackdriver + - metrics zone: "europe-west1-c" project_id: elastic-observability credentials_file_path: "your JSON credentials file path" diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/_meta/fields.yml b/x-pack/metricbeat/module/googlecloud/metrics/_meta/fields.yml similarity index 81% rename from x-pack/metricbeat/module/googlecloud/stackdriver/_meta/fields.yml rename to x-pack/metricbeat/module/googlecloud/metrics/_meta/fields.yml index e8cfd56f26f..03016c6de5d 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/_meta/fields.yml +++ b/x-pack/metricbeat/module/googlecloud/metrics/_meta/fields.yml @@ -1,5 +1,5 @@ - release: beta - key: stackdriver + key: metrics type: group description: Google Cloud Compute metrics fields: diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/compute/identity.go b/x-pack/metricbeat/module/googlecloud/metrics/compute/identity.go similarity index 100% rename from x-pack/metricbeat/module/googlecloud/stackdriver/compute/identity.go rename to x-pack/metricbeat/module/googlecloud/metrics/compute/identity.go diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/compute/metadata.go b/x-pack/metricbeat/module/googlecloud/metrics/compute/metadata.go similarity index 99% rename from x-pack/metricbeat/module/googlecloud/stackdriver/compute/metadata.go rename to x-pack/metricbeat/module/googlecloud/metrics/compute/metadata.go index 8bce49d12ff..67584bc002c 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/compute/metadata.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/compute/metadata.go @@ -27,7 +27,7 @@ func NewMetadataService(projectID, zone string, region string, opt ...option.Cli region: region, opt: opt, instanceCache: common.NewCache(30*time.Second, 13), - logger: logp.NewLogger("stackdriver-compute"), + logger: logp.NewLogger("metrics-compute"), }, nil } diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/compute/metadata_test.go b/x-pack/metricbeat/module/googlecloud/metrics/compute/metadata_test.go similarity index 100% rename from x-pack/metricbeat/module/googlecloud/stackdriver/compute/metadata_test.go rename to x-pack/metricbeat/module/googlecloud/metrics/compute/metadata_test.go diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/integration.go b/x-pack/metricbeat/module/googlecloud/metrics/integration.go similarity index 74% rename from x-pack/metricbeat/module/googlecloud/stackdriver/integration.go rename to x-pack/metricbeat/module/googlecloud/metrics/integration.go index 44e9405f0ce..cfb8b38a828 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/integration.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/integration.go @@ -2,7 +2,7 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package stackdriver +package metrics import ( "os" @@ -18,9 +18,7 @@ func GetConfigForTest(t *testing.T, metricSetName string) map[string]interface{} credentialsFilePath, okCredentialsFilePath := os.LookupEnv("GCP_CREDENTIALS_FILE_PATH") config := map[string]interface{}{} - if !okRegion || region == "" { - t.Fatal("$GCP_REGION not set or set to empty") - } else if !okProjectID || projectID == "" { + if !okProjectID || projectID == "" { t.Fatal("$GCP_PROJECT_ID not set or set to empty") } else if !okCredentialsFilePath || credentialsFilePath == "" { t.Fatal("$GCP_CREDENTIALS_FILE_PATH not set or set to empty") @@ -31,16 +29,20 @@ func GetConfigForTest(t *testing.T, metricSetName string) map[string]interface{} "metricsets": []string{metricSetName}, "project_id": projectID, "credentials_file_path": credentialsFilePath, - "region": region, } - if metricSetName == "stackdriver" { - stackDriverConfig := stackDriverConfig{ - ServiceName: "compute", - Aligner: "ALIGN_NONE", - MetricTypes: []string{"instance/uptime"}, + if okRegion { + config["region"] = region + } + + if metricSetName == "metrics" { + config["metrics"] = []metricsConfig{ + { + ServiceName: "compute", + Aligner: "ALIGN_NONE", + MetricTypes: []string{"instance/uptime"}, + }, } - config["metrics"] = stackDriverConfig } } return config diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/metadata_services.go b/x-pack/metricbeat/module/googlecloud/metrics/metadata_services.go similarity index 94% rename from x-pack/metricbeat/module/googlecloud/stackdriver/metadata_services.go rename to x-pack/metricbeat/module/googlecloud/metrics/metadata_services.go index b45e83b134d..717faed4854 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/metadata_services.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/metadata_services.go @@ -2,11 +2,11 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package stackdriver +package metrics import ( "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud" - "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver/compute" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics/compute" ) // NewMetadataServiceForConfig returns a service to fetch metadata from a config struct. It must return the Compute diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/stackdriver_integration_test.go b/x-pack/metricbeat/module/googlecloud/metrics/metrics_integration_test.go similarity index 87% rename from x-pack/metricbeat/module/googlecloud/stackdriver/stackdriver_integration_test.go rename to x-pack/metricbeat/module/googlecloud/metrics/metrics_integration_test.go index fd11a50c6e9..c73c3dbb023 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/stackdriver_integration_test.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/metrics_integration_test.go @@ -5,7 +5,7 @@ // +build integration // +build googlecloud -package stackdriver +package metrics import ( "testing" @@ -14,7 +14,7 @@ import ( ) func TestData(t *testing.T) { - config := GetConfigForTest(t, "stackdriver") + config := GetConfigForTest(t, "metrics") metricSet := mbtest.NewFetcher(t, config) metricSet.WriteEvents(t, "/") } diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/metrics_requester.go b/x-pack/metricbeat/module/googlecloud/metrics/metrics_requester.go similarity index 91% rename from x-pack/metricbeat/module/googlecloud/stackdriver/metrics_requester.go rename to x-pack/metricbeat/module/googlecloud/metrics/metrics_requester.go index a3f9a325038..a8be20ab2f5 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/metrics_requester.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/metrics_requester.go @@ -2,7 +2,7 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package stackdriver +package metrics import ( "context" @@ -23,7 +23,7 @@ import ( "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud" ) -type stackdriverMetricsRequester struct { +type metricsRequester struct { config config client *monitoring.MetricClient @@ -36,7 +36,7 @@ type timeSeriesWithAligner struct { aligner string } -func (r *stackdriverMetricsRequester) Metric(ctx context.Context, metricType string, timeInterval *monitoringpb.TimeInterval, aligner string) (out timeSeriesWithAligner) { +func (r *metricsRequester) Metric(ctx context.Context, metricType string, timeInterval *monitoringpb.TimeInterval, aligner string) (out timeSeriesWithAligner) { timeSeries := make([]*monitoringpb.TimeSeries, 0) req := &monitoringpb.ListTimeSeriesRequest{ @@ -70,7 +70,7 @@ func (r *stackdriverMetricsRequester) Metric(ctx context.Context, metricType str return } -func (r *stackdriverMetricsRequester) Metrics(ctx context.Context, sdc stackDriverConfig, metricsMeta map[string]metricMeta) ([]timeSeriesWithAligner, error) { +func (r *metricsRequester) Metrics(ctx context.Context, sdc metricsConfig, metricsMeta map[string]metricMeta) ([]timeSeriesWithAligner, error) { var lock sync.Mutex var wg sync.WaitGroup results := make([]timeSeriesWithAligner, 0) @@ -100,7 +100,7 @@ var serviceRegexp = regexp.MustCompile(`^(?P[a-z]+)\.googleapis.com.*`) // getFilterForMetric returns the filter associated with the corresponding filter. Some services like Pub/Sub fails // if they have a region specified. -func (r *stackdriverMetricsRequester) getFilterForMetric(m string) (f string) { +func (r *metricsRequester) getFilterForMetric(m string) (f string) { f = fmt.Sprintf(`metric.type="%s"`, m) if r.config.Zone == "" && r.config.Region == "" { return diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/metrics_requester_test.go b/x-pack/metricbeat/module/googlecloud/metrics/metrics_requester_test.go similarity index 81% rename from x-pack/metricbeat/module/googlecloud/stackdriver/metrics_requester_test.go rename to x-pack/metricbeat/module/googlecloud/metrics/metrics_requester_test.go index c256b9c0dfb..185bc8f464f 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/metrics_requester_test.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/metrics_requester_test.go @@ -2,7 +2,7 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package stackdriver +package metrics import ( "testing" @@ -19,79 +19,79 @@ func TestGetFilterForMetric(t *testing.T) { cases := []struct { title string m string - r stackdriverMetricsRequester + r metricsRequester expectedFilter string }{ { "compute service with zone in config", "compute.googleapis.com/firewall/dropped_bytes_count", - stackdriverMetricsRequester{config: config{Zone: "us-central1-a"}, logger: logger}, + metricsRequester{config: config{Zone: "us-central1-a"}, logger: logger}, "metric.type=\"compute.googleapis.com/firewall/dropped_bytes_count\" AND resource.labels.zone = starts_with(\"us-central1-a\")", }, { "pubsub service with zone in config", "pubsub.googleapis.com/subscription/ack_message_count", - stackdriverMetricsRequester{config: config{Zone: "us-central1-a"}, logger: logger}, + metricsRequester{config: config{Zone: "us-central1-a"}, logger: logger}, "metric.type=\"pubsub.googleapis.com/subscription/ack_message_count\"", }, { "loadbalancing service with zone in config", "loadbalancing.googleapis.com/https/backend_latencies", - stackdriverMetricsRequester{config: config{Zone: "us-central1-a"}, logger: logger}, + metricsRequester{config: config{Zone: "us-central1-a"}, logger: logger}, "metric.type=\"loadbalancing.googleapis.com/https/backend_latencies\"", }, { "compute service with region in config", "compute.googleapis.com/firewall/dropped_bytes_count", - stackdriverMetricsRequester{config: config{Region: "us-east1"}, logger: logger}, + metricsRequester{config: config{Region: "us-east1"}, logger: logger}, "metric.type=\"compute.googleapis.com/firewall/dropped_bytes_count\" AND resource.labels.zone = starts_with(\"us-east1\")", }, { "pubsub service with region in config", "pubsub.googleapis.com/subscription/ack_message_count", - stackdriverMetricsRequester{config: config{Region: "us-east1"}, logger: logger}, + metricsRequester{config: config{Region: "us-east1"}, logger: logger}, "metric.type=\"pubsub.googleapis.com/subscription/ack_message_count\"", }, { "loadbalancing service with region in config", "loadbalancing.googleapis.com/https/backend_latencies", - stackdriverMetricsRequester{config: config{Region: "us-east1"}, logger: logger}, + metricsRequester{config: config{Region: "us-east1"}, logger: logger}, "metric.type=\"loadbalancing.googleapis.com/https/backend_latencies\"", }, { "compute service with both region and zone in config", "compute.googleapis.com/firewall/dropped_bytes_count", - stackdriverMetricsRequester{config: config{Region: "us-central1", Zone: "us-central1-a"}, logger: logger}, + metricsRequester{config: config{Region: "us-central1", Zone: "us-central1-a"}, logger: logger}, "metric.type=\"compute.googleapis.com/firewall/dropped_bytes_count\" AND resource.labels.zone = starts_with(\"us-central1\")", }, { "compute uptime with partial region", "compute.googleapis.com/instance/uptime", - stackdriverMetricsRequester{config: config{Region: "us-west"}, logger: logger}, + metricsRequester{config: config{Region: "us-west"}, logger: logger}, "metric.type=\"compute.googleapis.com/instance/uptime\" AND resource.labels.zone = starts_with(\"us-west\")", }, { "compute uptime with partial zone", "compute.googleapis.com/instance/uptime", - stackdriverMetricsRequester{config: config{Zone: "us-west1-"}, logger: logger}, + metricsRequester{config: config{Zone: "us-west1-"}, logger: logger}, "metric.type=\"compute.googleapis.com/instance/uptime\" AND resource.labels.zone = starts_with(\"us-west1-\")", }, { "compute uptime with wildcard in region", "compute.googleapis.com/instance/uptime", - stackdriverMetricsRequester{config: config{Region: "us-*"}, logger: logger}, + metricsRequester{config: config{Region: "us-*"}, logger: logger}, "metric.type=\"compute.googleapis.com/instance/uptime\" AND resource.labels.zone = starts_with(\"us-\")", }, { "compute uptime with wildcard in zone", "compute.googleapis.com/instance/uptime", - stackdriverMetricsRequester{config: config{Zone: "us-west1-*"}, logger: logger}, + metricsRequester{config: config{Zone: "us-west1-*"}, logger: logger}, "metric.type=\"compute.googleapis.com/instance/uptime\" AND resource.labels.zone = starts_with(\"us-west1-\")", }, { "compute service with no region/zone in config", "compute.googleapis.com/firewall/dropped_bytes_count", - stackdriverMetricsRequester{config: config{}, logger: logger}, + metricsRequester{config: config{}, logger: logger}, "metric.type=\"compute.googleapis.com/firewall/dropped_bytes_count\"", }, } diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/metricset.go b/x-pack/metricbeat/module/googlecloud/metrics/metricset.go similarity index 77% rename from x-pack/metricbeat/module/googlecloud/stackdriver/metricset.go rename to x-pack/metricbeat/module/googlecloud/metrics/metricset.go index a81bca2b86e..b0823feeace 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/metricset.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/metricset.go @@ -2,13 +2,15 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package stackdriver +package metrics import ( "context" "fmt" "time" + "github.com/elastic/beats/v7/libbeat/logp" + monitoring "cloud.google.com/go/monitoring/apiv3" "github.com/golang/protobuf/ptypes/duration" "github.com/pkg/errors" @@ -25,7 +27,7 @@ import ( const ( // MetricsetName is the name of this Metricset - MetricsetName = "stackdriver" + MetricsetName = "metrics" ) // init registers the MetricSet with the central registry as soon as the program @@ -42,14 +44,14 @@ func init() { // interface methods except for Fetch. type MetricSet struct { mb.BaseMetricSet - config config - metricsMeta map[string]metricMeta - requester *stackdriverMetricsRequester - stackDriverConfig []stackDriverConfig `config:"metrics" validate:"nonzero,required"` + config config + metricsMeta map[string]metricMeta + requester *metricsRequester + MetricsConfig []metricsConfig `config:"metrics" validate:"nonzero,required"` } -//stackDriverConfig holds a configuration specific for stackdriver metricset. -type stackDriverConfig struct { +//metricsConfig holds a configuration specific for metrics metricset. +type metricsConfig struct { ServiceName string `config:"service" validate:"required"` MetricTypes []string `config:"metric_types" validate:"required"` Aligner string `config:"aligner"` @@ -82,15 +84,15 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { return nil, err } - stackDriverConfigs := struct { - StackDriverMetrics []stackDriverConfig `config:"metrics" validate:"nonzero,required"` + metricsConfigs := struct { + Metrics []metricsConfig `config:"metrics" validate:"nonzero,required"` }{} - if err := base.Module().UnpackConfig(&stackDriverConfigs); err != nil { + if err := base.Module().UnpackConfig(&metricsConfigs); err != nil { return nil, err } - m.stackDriverConfig = stackDriverConfigs.StackDriverMetrics + m.MetricsConfig = metricsConfigs.Metrics m.config.opt = []option.ClientOption{option.WithCredentialsFile(m.config.CredentialsFilePath)} m.config.period = &duration.Duration{ Seconds: int64(m.Module().Config().Period.Seconds()), @@ -112,11 +114,12 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { return nil, errors.Wrap(err, "error calling metricDescriptor function") } - m.requester = &stackdriverMetricsRequester{ + m.requester = &metricsRequester{ config: m.config, client: client, - logger: m.Logger(), + logger: logp.NewLogger(MetricsetName), } + m.Logger().Warn("extra charges on Google Cloud API requests will be generated by this metricset") return m, nil } @@ -124,8 +127,8 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // format. It publishes the event which is then forwarded to the output. In case // of an error set the Error field of mb.Event or simply call report.Error(). func (m *MetricSet) Fetch(ctx context.Context, reporter mb.ReporterV2) (err error) { - for _, sdc := range m.stackDriverConfig { - m.Logger().Debugf("stackdriver config: %v", sdc) + for _, sdc := range m.MetricsConfig { + m.Logger().Debugf("metrics config: %v", sdc) responses, err := m.requester.Metrics(ctx, sdc, m.metricsMeta) if err != nil { err = errors.Wrapf(err, "error trying to get metrics for project '%s' and zone '%s' or region '%s'", m.config.ProjectID, m.config.Zone, m.config.Region) @@ -169,8 +172,7 @@ func (m *MetricSet) eventMapping(ctx context.Context, tss []timeSeriesWithAligne events := make([]mb.Event, 0) for _, groupedEvents := range tsGrouped { event := mb.Event{ - Timestamp: groupedEvents[0].Timestamp, - RootFields: groupedEvents[0].ECS, + Timestamp: groupedEvents[0].Timestamp, ModuleFields: common.MapStr{ "labels": groupedEvents[0].Labels, }, @@ -181,6 +183,12 @@ func (m *MetricSet) eventMapping(ctx context.Context, tss []timeSeriesWithAligne event.MetricSetFields.Put(singleEvent.Key, singleEvent.Value) } + if serviceName == "compute" { + event.RootFields = addHostFields(groupedEvents) + } else { + event.RootFields = groupedEvents[0].ECS + } + events = append(events, event) } @@ -196,8 +204,8 @@ func validatePeriodForGCP(d time.Duration) (err error) { return nil } -// Validate stackdriver related config -func (mc *stackDriverConfig) Validate() error { +// Validate metrics related config +func (mc *metricsConfig) Validate() error { gcpAlignerNames := make([]string, 0) for k := range googlecloud.AlignersMapToGCP { gcpAlignerNames = append(gcpAlignerNames, k) @@ -219,7 +227,7 @@ func (m *MetricSet) metricDescriptor(ctx context.Context, client *monitoring.Met Name: "projects/" + m.config.ProjectID, } - for _, sdc := range m.stackDriverConfig { + for _, sdc := range m.MetricsConfig { for _, mt := range sdc.MetricTypes { req.Filter = fmt.Sprintf(`metric.type = starts_with("%s")`, sdc.ServiceName+".googleapis.com/"+mt) it := client.ListMetricDescriptors(ctx, req) @@ -266,3 +274,32 @@ func (m *MetricSet) getMetadata(out *metric.MetricDescriptor, metricsWithMeta ma metricsWithMeta[out.Type] = meta return metricsWithMeta } + +func addHostFields(groupedEvents []KeyValuePoint) common.MapStr { + hostRootFields := groupedEvents[0].ECS + // add host.id and host.name + if hostID, err := groupedEvents[0].ECS.GetValue("cloud.instance.id"); err == nil { + hostRootFields.Put("host.id", hostID) + } + + if hostName, err := groupedEvents[0].ECS.GetValue("cloud.instance.name"); err == nil { + hostRootFields.Put("host.name", hostName) + } + + hostFieldTable := map[string]string{ + "instance.cpu.utilization.value": "host.cpu.pct", + "instance.network.sent_bytes_count.value": "host.network.in.bytes", + "instance.network.received_bytes_count.value": "host.network.out.bytes", + "instance.network.sent_packets_count.value": "host.network.in.packets", + "instance.network.received_packets_count.value": "host.network.out.packets", + "instance.disk.read_bytes_count.value": "host.disk.read.bytes", + "instance.disk.write_bytes_count.value": "host.disk.write.bytes", + } + + for _, singleEvent := range groupedEvents { + if hostMetricName, ok := hostFieldTable[singleEvent.Key]; ok { + hostRootFields.Put(hostMetricName, singleEvent.Value) + } + } + return hostRootFields +} diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/response_parser.go b/x-pack/metricbeat/module/googlecloud/metrics/response_parser.go similarity index 99% rename from x-pack/metricbeat/module/googlecloud/stackdriver/response_parser.go rename to x-pack/metricbeat/module/googlecloud/metrics/response_parser.go index b6e38f4d333..3ab2ba9018a 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/response_parser.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/response_parser.go @@ -2,7 +2,7 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package stackdriver +package metrics import ( "regexp" diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/response_parser_test.go b/x-pack/metricbeat/module/googlecloud/metrics/response_parser_test.go similarity index 98% rename from x-pack/metricbeat/module/googlecloud/stackdriver/response_parser_test.go rename to x-pack/metricbeat/module/googlecloud/metrics/response_parser_test.go index 2b641151270..f9949aad962 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/response_parser_test.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/response_parser_test.go @@ -2,7 +2,7 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package stackdriver +package metrics import ( "testing" diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/timeseries.go b/x-pack/metricbeat/module/googlecloud/metrics/timeseries.go similarity index 99% rename from x-pack/metricbeat/module/googlecloud/stackdriver/timeseries.go rename to x-pack/metricbeat/module/googlecloud/metrics/timeseries.go index c0b456f9954..f96b8fcb767 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/timeseries.go +++ b/x-pack/metricbeat/module/googlecloud/metrics/timeseries.go @@ -2,7 +2,7 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -package stackdriver +package metrics import ( "context" diff --git a/x-pack/metricbeat/module/googlecloud/pubsub/manifest.yml b/x-pack/metricbeat/module/googlecloud/pubsub/manifest.yml index 5bf1842e200..7cabb2f2085 100644 --- a/x-pack/metricbeat/module/googlecloud/pubsub/manifest.yml +++ b/x-pack/metricbeat/module/googlecloud/pubsub/manifest.yml @@ -1,7 +1,7 @@ default: true input: module: googlecloud - metricset: stackdriver + metricset: metrics defaults: metrics: - service: pubsub diff --git a/x-pack/metricbeat/module/googlecloud/pubsub/pubsub_integration_test.go b/x-pack/metricbeat/module/googlecloud/pubsub/pubsub_integration_test.go index 6d739326dea..e391f22b8f8 100644 --- a/x-pack/metricbeat/module/googlecloud/pubsub/pubsub_integration_test.go +++ b/x-pack/metricbeat/module/googlecloud/pubsub/pubsub_integration_test.go @@ -11,9 +11,10 @@ import ( "fmt" "testing" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics" + "github.com/elastic/beats/v7/libbeat/common" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" - "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver" ) func TestData(t *testing.T) { @@ -34,7 +35,7 @@ func TestData(t *testing.T) { {"googlecloud.pubsub.topic", "./_meta/data_topic.json"}, } - config := stackdriver.GetConfigForTest(t, "pubsub") + config := metrics.GetConfigForTest(t, "pubsub") for _, df := range dataFiles { metricSet := mbtest.NewFetcher(t, config) diff --git a/x-pack/metricbeat/module/googlecloud/pubsub/pubsub_test.go b/x-pack/metricbeat/module/googlecloud/pubsub/pubsub_test.go index eed29ca1661..84dc87cdf6c 100644 --- a/x-pack/metricbeat/module/googlecloud/pubsub/pubsub_test.go +++ b/x-pack/metricbeat/module/googlecloud/pubsub/pubsub_test.go @@ -11,7 +11,7 @@ import ( // Register input module and metricset _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud" - _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver" + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics" ) func init() { diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/_meta/data.json b/x-pack/metricbeat/module/googlecloud/stackdriver/_meta/data.json deleted file mode 100644 index 363f4347d8f..00000000000 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/_meta/data.json +++ /dev/null @@ -1,41 +0,0 @@ -{ - "@timestamp": "2017-10-12T08:05:34.853Z", - "cloud": { - "account": { - "id": "elastic-observability" - }, - "instance": { - "id": "2917397443238883901", - "name": "gke-observability-8--observability-8--bc1afd95-fv5w" - }, - "machine": { - "type": "n1-standard-4" - }, - "provider": "googlecloud" - }, - "cloud.availability_zone": "europe-west1-c", - "event": { - "dataset": "googlecloud.stackdriver", - "duration": 115000, - "module": "googlecloud" - }, - "googlecloud": { - "labels": { - "user": { - "goog-gke-node": "" - } - }, - "stackdriver": { - "instance": { - "uptime": 60 - } - } - }, - "metricset": { - "name": "stackdriver", - "period": 10000 - }, - "service": { - "type": "googlecloud" - } -} \ No newline at end of file diff --git a/x-pack/metricbeat/module/googlecloud/storage/manifest.yml b/x-pack/metricbeat/module/googlecloud/storage/manifest.yml index 778624aea83..26d3d4f5e5f 100644 --- a/x-pack/metricbeat/module/googlecloud/storage/manifest.yml +++ b/x-pack/metricbeat/module/googlecloud/storage/manifest.yml @@ -1,7 +1,7 @@ default: false input: module: googlecloud - metricset: stackdriver + metricset: metrics defaults: metrics: - service: storage diff --git a/x-pack/metricbeat/module/googlecloud/storage/storage_integration_test.go b/x-pack/metricbeat/module/googlecloud/storage/storage_integration_test.go index 7d40e7b2bf9..035df4fdd61 100644 --- a/x-pack/metricbeat/module/googlecloud/storage/storage_integration_test.go +++ b/x-pack/metricbeat/module/googlecloud/storage/storage_integration_test.go @@ -11,9 +11,10 @@ import ( "fmt" "testing" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics" + "github.com/elastic/beats/v7/libbeat/common" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" - "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver" ) func TestData(t *testing.T) { @@ -34,7 +35,7 @@ func TestData(t *testing.T) { {"googlecloud.storage.storage", "./_meta/data_storage.json"}, } - config := stackdriver.GetConfigForTest(t, "storage") + config := metrics.GetConfigForTest(t, "storage") for _, df := range dataFiles { metricSet := mbtest.NewFetcher(t, config) diff --git a/x-pack/metricbeat/module/googlecloud/storage/storage_test.go b/x-pack/metricbeat/module/googlecloud/storage/storage_test.go index 5fb9259bc28..371c3a90600 100644 --- a/x-pack/metricbeat/module/googlecloud/storage/storage_test.go +++ b/x-pack/metricbeat/module/googlecloud/storage/storage_test.go @@ -11,7 +11,7 @@ import ( // Register input module and metricset _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud" - _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/stackdriver" + _ "github.com/elastic/beats/v7/x-pack/metricbeat/module/googlecloud/metrics" ) func init() { diff --git a/x-pack/metricbeat/module/googlecloud/timeseries_metadata_collector.go b/x-pack/metricbeat/module/googlecloud/timeseries_metadata_collector.go index 90603389426..d309d78714b 100644 --- a/x-pack/metricbeat/module/googlecloud/timeseries_metadata_collector.go +++ b/x-pack/metricbeat/module/googlecloud/timeseries_metadata_collector.go @@ -6,6 +6,7 @@ package googlecloud import ( "context" + "strings" "time" "github.com/golang/protobuf/ptypes" @@ -54,7 +55,8 @@ func (s *StackdriverTimeSeriesMetadataCollector) Metadata(ctx context.Context, i ecs := common.MapStr{ ECSCloud: common.MapStr{ ECSCloudAccount: common.MapStr{ - ECSCloudAccountID: accountID, + ECSCloudAccountID: accountID, + ECSCloudAccountName: accountID, }, ECSCloudProvider: "googlecloud", }, @@ -62,6 +64,12 @@ func (s *StackdriverTimeSeriesMetadataCollector) Metadata(ctx context.Context, i if availabilityZone != "" { ecs[ECSCloud+"."+ECSCloudAvailabilityZone] = availabilityZone + + // Get region name from availability zone name + region := getRegionName(availabilityZone) + if region != "" { + ecs[ECSCloud+"."+ECSCloudRegion] = region + } } //Remove keys from resource that refers to ECS fields @@ -169,3 +177,12 @@ func (s *StackdriverTimeSeriesMetadataCollector) getTimestamp(p *monitoringpb.Po return time.Time{}, errors.New("error trying to extract the timestamp from the point data") } + +func getRegionName(availabilityZone string) (region string) { + azSplit := strings.Split(availabilityZone, "-") + if len(azSplit) != 3 { + return "" + } + region = azSplit[0] + "-" + azSplit[1] + return +} diff --git a/x-pack/metricbeat/module/googlecloud/timeseries_metadata_collector_test.go b/x-pack/metricbeat/module/googlecloud/timeseries_metadata_collector_test.go new file mode 100644 index 00000000000..38ac903e2e3 --- /dev/null +++ b/x-pack/metricbeat/module/googlecloud/timeseries_metadata_collector_test.go @@ -0,0 +1,17 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package googlecloud + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestGetRegionName(t *testing.T) { + availabilityZone := "us-central1-a" + region := getRegionName(availabilityZone) + assert.Equal(t, "us-central1", region) +} diff --git a/x-pack/metricbeat/module/ibmmq/test_ibmmq.py b/x-pack/metricbeat/module/ibmmq/test_ibmmq.py index c7e930335aa..187f548a371 100644 --- a/x-pack/metricbeat/module/ibmmq/test_ibmmq.py +++ b/x-pack/metricbeat/module/ibmmq/test_ibmmq.py @@ -1,8 +1,6 @@ import os import sys import unittest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) from xpack_metricbeat import XPackTest, metricbeat diff --git a/x-pack/metricbeat/module/iis/application_pool/application_pool.go b/x-pack/metricbeat/module/iis/application_pool/application_pool.go index 1e147fb8984..9c92894fb29 100644 --- a/x-pack/metricbeat/module/iis/application_pool/application_pool.go +++ b/x-pack/metricbeat/module/iis/application_pool/application_pool.go @@ -46,7 +46,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { return nil, err } // instantiate reader object - reader, err := newReader() + reader, err := newReader(config) if err != nil { return nil, err } @@ -55,9 +55,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { log: logp.NewLogger("application pool"), reader: reader, } - if err := ms.reader.initCounters(config.Names); err != nil { - return ms, err - } + return ms, nil } @@ -65,12 +63,17 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { // format. It publishes the event which is then forwarded to the output. In case // of an error set the Error field of mb.Event or simply call report.Error(). func (m *MetricSet) Fetch(report mb.ReporterV2) error { - var config Config - if err := m.Module().UnpackConfig(&config); err != nil { - return nil + // refresh performance counter list + // Some counters, such as rate counters, require two counter values in order to compute a displayable value. In this case we must call PdhCollectQueryData twice before calling PdhGetFormattedCounterValue. + // For more information, see Collecting Performance Data (https://docs.microsoft.com/en-us/windows/desktop/PerfCtrs/collecting-performance-data). + // A flag is set if the second call has been executed else refresh will fail (reader.executed) + if m.reader.executed { + err := m.reader.initAppPools() + if err != nil { + return errors.Wrap(err, "failed retrieving counters") + } } - - events, err := m.reader.fetch(config.Names) + events, err := m.reader.read() if err != nil { return errors.Wrap(err, "failed reading counters") } diff --git a/x-pack/metricbeat/module/iis/application_pool/reader.go b/x-pack/metricbeat/module/iis/application_pool/reader.go index 5124f45e7a3..32c0c2d7ec3 100644 --- a/x-pack/metricbeat/module/iis/application_pool/reader.go +++ b/x-pack/metricbeat/module/iis/application_pool/reader.go @@ -9,40 +9,41 @@ package application_pool import ( "strings" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/metricbeat/helper/windows/pdh" "github.com/elastic/go-sysinfo" "github.com/pkg/errors" - "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" - "github.com/elastic/beats/v7/metricbeat/helper/windows/pdh" "github.com/elastic/beats/v7/metricbeat/mb" ) -// Reader strucr will contain the pdh query and config options +const ecsProcessId = "process.pid" + +// Reader will contain the config options type Reader struct { - Query pdh.Query // PDH Query - ApplicationPools []ApplicationPool // Mapping of counter path to key used for the label (e.g. processor.name) - log *logp.Logger // logger - hasRun bool // will check if the reader has run a first time - WorkerProcesses map[string]string + applicationPools []ApplicationPool + workerProcesses map[string]string + query pdh.Query // PDH Query + executed bool // Indicates if the query has been executed. + log *logp.Logger // + config Config // Metricset configuration } // ApplicationPool struct contains the list of applications and their worker processes type ApplicationPool struct { - Name string - WorkerProcessIds []int + name string + workerProcessIds []int counters map[string]string } // WorkerProcess struct contains the worker process details type WorkerProcess struct { - ProcessId int - InstanceName string + processId int + instanceName string } -const ecsProcessId = "process.pid" - var appPoolCounters = map[string]string{ "process.pid": "\\Process(w3wp*)\\ID Process", "process.cpu_usage_perc": "\\Process(w3wp*)\\% Processor Time", @@ -62,87 +63,107 @@ var appPoolCounters = map[string]string{ } // newReader creates a new instance of Reader. -func newReader() (*Reader, error) { +func newReader(config Config) (*Reader, error) { var query pdh.Query if err := query.Open(); err != nil { return nil, err } - reader := &Reader{ - Query: query, - log: logp.NewLogger("website"), + r := &Reader{ + query: query, + log: logp.NewLogger("application_pool"), + config: config, + workerProcesses: make(map[string]string), } - return reader, nil + err := r.initAppPools() + if err != nil { + return nil, errors.Wrap(err, "error loading counters for existing app pools") + } + return r, nil } -// initCounters func retrieves the running application worker processes and adds the counters to the pdh query -func (re *Reader) initCounters(filtered []string) error { - apps, err := getApplicationPools(filtered) +// initAppPools will check for any new instances and add them to the counter list +func (r *Reader) initAppPools() error { + apps, err := getApplicationPools(r.config.Names) if err != nil { return errors.Wrap(err, "failed retrieving running worker processes") } + r.applicationPools = apps if len(apps) == 0 { - re.log.Info("no running application pools found") + r.log.Info("no running application pools found") return nil } - re.ApplicationPools = apps - re.WorkerProcesses = make(map[string]string) var newQueries []string + r.workerProcesses = make(map[string]string) for key, value := range appPoolCounters { - counters, err := re.Query.ExpandWildCardPath(value) + childQueries, err := r.query.GetCounterPaths(value) if err != nil { - re.log.Error(err, `failed to expand counter path (query="%v")`, value) + if err == pdh.PDH_CSTATUS_NO_COUNTER || err == pdh.PDH_CSTATUS_NO_COUNTERNAME || err == pdh.PDH_CSTATUS_NO_INSTANCE || err == pdh.PDH_CSTATUS_NO_OBJECT { + r.log.Infow("Ignoring non existent counter", "error", err, + logp.Namespace("application pool"), "query", value) + } else { + r.log.Error(err, `failed to expand counter path (query= "%v")`, value) + } continue } - for _, count := range counters { - if err = re.Query.AddCounter(count, "", "float", true); err != nil { - return errors.Wrapf(err, `failed to add counter (query="%v")`, count) + newQueries = append(newQueries, childQueries...) + // check if the pdhexpandcounterpath/pdhexpandwildcardpath functions have expanded the counter successfully. + if len(childQueries) == 0 || (len(childQueries) == 1 && strings.Contains(childQueries[0], "*")) { + // covering cases when PdhExpandWildCardPathW returns no counter paths or is unable to expand and the ignore_non_existent_counters flag is set + r.log.Debugw("No counter paths returned but PdhExpandWildCardPathW returned no errors", "initial query", value, + logp.Namespace("perfmon"), "expanded query", childQueries) + continue + } + for _, v := range childQueries { + if err := r.query.AddCounter(v, "", "float", len(childQueries) > 1); err != nil { + return errors.Wrapf(err, `failed to add counter (query="%v")`, v) } - newQueries = append(newQueries, count) - re.WorkerProcesses[count] = key + r.workerProcesses[v] = key } } - err = re.Query.RemoveUnusedCounters(newQueries) + err = r.query.RemoveUnusedCounters(newQueries) if err != nil { return errors.Wrap(err, "failed removing unused counter values") } return nil } -// fetch executes collects the query data and maps the counter values to events. -func (re *Reader) fetch(names []string) ([]mb.Event, error) { - // refresh performance counter list - // Some counters, such as rate counters, require two counter values in order to compute a displayable value. In this case we must call PdhCollectQueryData twice before calling PdhGetFormattedCounterValue. - // For more information, see Collecting Performance Data (https://docs.microsoft.com/en-us/windows/desktop/PerfCtrs/collecting-performance-data). - // A flag is set if the second call has been executed else refresh will fail (reader.executed) - if re.hasRun || len(re.Query.Counters) == 0 { - err := re.initCounters(names) - if err != nil { - return nil, errors.Wrap(err, "failed retrieving counters") - } - } - // if the ignore_non_existent_counters flag is set and no valid counter paths are found the Read func will still execute, a check is done before - if len(re.Query.Counters) == 0 { +// read executes a query and returns those values in an event. +func (r *Reader) read() ([]mb.Event, error) { + if len(r.applicationPools) == 0 { + r.executed = true return nil, nil } + // Some counters, such as rate counters, require two counter values in order to compute a displayable value. In this case we must call PdhCollectQueryData twice before calling PdhGetFormattedCounterValue. // For more information, see Collecting Performance Data (https://docs.microsoft.com/en-us/windows/desktop/PerfCtrs/collecting-performance-data). - if err := re.Query.CollectData(); err != nil { + if err := r.query.CollectData(); err != nil { return nil, errors.Wrap(err, "failed querying counter values") } // Get the values. - values, err := re.Query.GetFormattedCounterValues() + values, err := r.query.GetFormattedCounterValues() if err != nil { + r.query.Close() return nil, errors.Wrap(err, "failed formatting counter values") } + var events []mb.Event + eventGroup := r.mapEvents(values) + r.executed = true + results := make([]mb.Event, 0, len(events)) + for _, val := range eventGroup { + results = append(results, val) + } + return results, nil +} +func (r *Reader) mapEvents(values map[string][]pdh.CounterValue) map[string]mb.Event { workers := getProcessIds(values) events := make(map[string]mb.Event) - for _, appPool := range re.ApplicationPools { - events[appPool.Name] = mb.Event{ + for _, appPool := range r.applicationPools { + events[appPool.name] = mb.Event{ MetricSetFields: common.MapStr{ - "name": appPool.Name, + "name": appPool.name, }, RootFields: common.MapStr{}, } @@ -151,45 +172,35 @@ func (re *Reader) fetch(names []string) ([]mb.Event, error) { // Some counters, such as rate counters, require two counter values in order to compute a displayable value. In this case we must call PdhCollectQueryData twice before calling PdhGetFormattedCounterValue. // For more information, see Collecting Performance Data (https://docs.microsoft.com/en-us/windows/desktop/PerfCtrs/collecting-performance-data). if val.Err.Error != nil { - if !re.hasRun { - re.log.Debugw("Ignoring the first measurement because the data isn't ready", - "error", val.Err, logp.Namespace("application_pool"), "query", counterPath) + if !r.executed { continue } // The counter has a negative value or the counter was successfully found, but the data returned is not valid. // This error can occur if the counter value is less than the previous value. (Because counter values always increment, the counter value rolls over to zero when it reaches its maximum value.) // This is not an error that stops the application from running successfully and a positive counter value should be retrieved in the later calls. if val.Err.Error == pdh.PDH_CALC_NEGATIVE_VALUE || val.Err.Error == pdh.PDH_INVALID_DATA { - re.log.Debugw("Counter value retrieval returned", + r.log.Debugw("Counter value retrieval returned", "error", val.Err.Error, "cstatus", pdh.PdhErrno(val.Err.CStatus), logp.Namespace("application_pool"), "query", counterPath) continue } } - if val.Instance == appPool.Name { - events[appPool.Name].MetricSetFields.Put(appPool.counters[counterPath], val.Measurement) - } else if hasWorkerProcess(val.Instance, workers, appPool.WorkerProcessIds) { - if re.WorkerProcesses[counterPath] == ecsProcessId { - events[appPool.Name].RootFields.Put(re.WorkerProcesses[counterPath], val.Measurement) - } else { - events[appPool.Name].MetricSetFields.Put(re.WorkerProcesses[counterPath], val.Measurement) + if hasWorkerProcess(val.Instance, workers, appPool.workerProcessIds) { + if r.workerProcesses[counterPath] == ecsProcessId { + events[appPool.name].RootFields.Put(r.workerProcesses[counterPath], val.Measurement) + } else if len(r.workerProcesses[counterPath]) != 0 { + events[appPool.name].MetricSetFields.Put(r.workerProcesses[counterPath], val.Measurement) } } } } } - - re.hasRun = true - results := make([]mb.Event, 0, len(events)) - for _, val := range events { - results = append(results, val) - } - return results, nil + return events } -// Close will close the PDH query for now. -func (re *Reader) close() error { - return re.Query.Close() +// close will close the PDH query for now. +func (r *Reader) close() error { + return r.query.Close() } // getApplicationPools method retrieves the w3wp.exe processes and the application pool name, also filters on the application pool names configured by users @@ -204,7 +215,7 @@ func getApplicationPools(names []string) ([]ApplicationPool, error) { } var applicationPools []ApplicationPool for key, value := range appPools { - applicationPools = append(applicationPools, ApplicationPool{Name: key, WorkerProcessIds: value}) + applicationPools = append(applicationPools, ApplicationPool{name: key, workerProcessIds: value}) } if len(names) == 0 { return applicationPools, nil @@ -212,7 +223,7 @@ func getApplicationPools(names []string) ([]ApplicationPool, error) { var filtered []ApplicationPool for _, n := range names { for _, w3 := range applicationPools { - if n == w3.Name { + if n == w3.name { filtered = append(filtered, w3) } } @@ -253,18 +264,18 @@ func getProcessIds(counterValues map[string][]pdh.CounterValue) []WorkerProcess var workers []WorkerProcess for key, values := range counterValues { if strings.Contains(key, "\\ID Process") { - workers = append(workers, WorkerProcess{InstanceName: values[0].Instance, ProcessId: int(values[0].Measurement.(float64))}) + workers = append(workers, WorkerProcess{instanceName: values[0].Instance, processId: int(values[0].Measurement.(float64))}) } } return workers } -// hasWorkerProcess func checks if workerprocess list contains the process id +// hasWorkerProcess func checks if worker process list contains the process id func hasWorkerProcess(instance string, workers []WorkerProcess, pids []int) bool { for _, worker := range workers { - if worker.InstanceName == instance { + if worker.instanceName == instance { for _, pid := range pids { - if pid == worker.ProcessId { + if pid == worker.processId { return true } } diff --git a/x-pack/metricbeat/module/iis/application_pool/reader_test.go b/x-pack/metricbeat/module/iis/application_pool/reader_test.go index 64aa8f85941..55731f1ee1b 100644 --- a/x-pack/metricbeat/module/iis/application_pool/reader_test.go +++ b/x-pack/metricbeat/module/iis/application_pool/reader_test.go @@ -16,28 +16,26 @@ import ( // TestNewReaderValid should successfully instantiate the reader. func TestNewReaderValid(t *testing.T) { - reader, err := newReader() - assert.Nil(t, err) + var config Config + reader, err := newReader(config) + assert.NoError(t, err) assert.NotNil(t, reader) - assert.NotNil(t, reader.Query) - assert.NotNil(t, reader.Query.Handle) - assert.NotNil(t, reader.Query.Counters) - assert.Zero(t, len(reader.Query.Counters)) + assert.NotNil(t, reader.query) + assert.NotNil(t, reader.query.Handle) + assert.NotNil(t, reader.query.Counters) defer reader.close() } // TestInitCounters should successfully instantiate the reader counters. func TestInitCounters(t *testing.T) { - reader, err := newReader() + var config Config + reader, err := newReader(config) assert.NotNil(t, reader) - assert.Nil(t, err) - - err = reader.initCounters([]string{}) - assert.Nil(t, err) + assert.NoError(t, err) // if iis is not enabled, the reader.ApplicationPools is empty - if len(reader.ApplicationPools) > 0 { - assert.NotZero(t, len(reader.Query.Counters)) - assert.NotZero(t, len(reader.WorkerProcesses)) + if len(reader.applicationPools) > 0 { + assert.NotZero(t, len(reader.query.Counters)) + assert.NotZero(t, len(reader.workerProcesses)) } defer reader.close() } @@ -55,6 +53,6 @@ func TestGetProcessIds(t *testing.T) { counterList[key] = counters workerProcesses := getProcessIds(counterList) assert.NotZero(t, len(workerProcesses)) - assert.Equal(t, float64(workerProcesses[0].ProcessId), counters[0].Measurement.(float64)) - assert.Equal(t, workerProcesses[0].InstanceName, counters[0].Instance) + assert.Equal(t, float64(workerProcesses[0].processId), counters[0].Measurement.(float64)) + assert.Equal(t, workerProcesses[0].instanceName, counters[0].Instance) } diff --git a/x-pack/metricbeat/module/mssql/test_mssql.py b/x-pack/metricbeat/module/mssql/test_mssql.py index fe839cb8969..1f1eb144943 100644 --- a/x-pack/metricbeat/module/mssql/test_mssql.py +++ b/x-pack/metricbeat/module/mssql/test_mssql.py @@ -1,9 +1,7 @@ import os +import pytest import sys import unittest -from nose.plugins.attrib import attr - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) from xpack_metricbeat import XPackTest, metricbeat @@ -18,7 +16,7 @@ class Test(XPackTest): COMPOSE_SERVICES = ['mssql'] @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_status(self): """ MSSQL module outputs an event. @@ -47,7 +45,7 @@ def test_status(self): self.assert_fields_are_documented(evt) @unittest.skipUnless(metricbeat.INTEGRATION_TESTS, "integration test") - @attr('integration') + @pytest.mark.tag('integration') def test_performance(self): """ MSSQL module outputs an event. diff --git a/x-pack/metricbeat/module/openmetrics/test_openmetrics.py b/x-pack/metricbeat/module/openmetrics/test_openmetrics.py index 6e86ad3a506..d2b9c3ba14b 100644 --- a/x-pack/metricbeat/module/openmetrics/test_openmetrics.py +++ b/x-pack/metricbeat/module/openmetrics/test_openmetrics.py @@ -1,8 +1,6 @@ import os import sys import unittest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) from xpack_metricbeat import XPackTest, metricbeat diff --git a/x-pack/metricbeat/module/oracle/performance/_meta/cache_data.json b/x-pack/metricbeat/module/oracle/performance/_meta/cache_data.json index 9b109427e11..155852b7ccd 100644 --- a/x-pack/metricbeat/module/oracle/performance/_meta/cache_data.json +++ b/x-pack/metricbeat/module/oracle/performance/_meta/cache_data.json @@ -6,7 +6,8 @@ "module": "oracle" }, "metricset": { - "name": "performance" + "name": "performance", + "period": 10000 }, "oracle": { "performance": { @@ -14,19 +15,19 @@ "cache": { "buffer": { "hit": { - "pct": 0.9636984728969045 + "pct": 0.970465382180896 } }, "get": { - "consistent": 477505, - "db_blocks": 66990 + "consistent": 604979, + "db_blocks": 88580 }, - "physical_reads": 19766 + "physical_reads": 20484 } } }, "service": { - "address": "oracle://sys:Oradoc_db1@localhost/ORCLPDB1.localdomain?connectionClass=\u0026poolIncrement=0\u0026poolMaxSessions=0\u0026poolMinSessions=0\u0026sysdba=1\u0026sysoper=0\u0026sysasm=0\u0026standaloneConnection=0\u0026enableEvents=0\u0026heterogeneousPool=0\u0026prelim=0", + "address": "localhost:32769", "type": "oracle" } } \ No newline at end of file diff --git a/x-pack/metricbeat/module/oracle/performance/_meta/cursor_by_username_and_machine_data.json b/x-pack/metricbeat/module/oracle/performance/_meta/cursor_by_username_and_machine_data.json index d849b506e1d..d6cbefc6f35 100644 --- a/x-pack/metricbeat/module/oracle/performance/_meta/cursor_by_username_and_machine_data.json +++ b/x-pack/metricbeat/module/oracle/performance/_meta/cursor_by_username_and_machine_data.json @@ -6,21 +6,22 @@ "module": "oracle" }, "metricset": { - "name": "performance" + "name": "performance", + "period": 10000 }, "oracle": { "performance": { "cursors": { - "avg": 0.6829268292682927, + "avg": 0.627906976744186, "max": 17, - "total": 28 + "total": 27 }, - "machine": "2ed9ac3a4c3d", + "machine": "f29609d6403a", "username": "Unknown" } }, "service": { - "address": "oracle://sys:Oradoc_db1@localhost/ORCLPDB1.localdomain?connectionClass=\u0026poolIncrement=0\u0026poolMaxSessions=0\u0026poolMinSessions=0\u0026sysdba=1\u0026sysoper=0\u0026sysasm=0\u0026standaloneConnection=0\u0026enableEvents=0\u0026heterogeneousPool=0\u0026prelim=0", + "address": "localhost:32769", "type": "oracle" } } \ No newline at end of file diff --git a/x-pack/metricbeat/module/oracle/performance/_meta/data.json b/x-pack/metricbeat/module/oracle/performance/_meta/data.json index 0c5347a1e29..87f86acb15f 100644 --- a/x-pack/metricbeat/module/oracle/performance/_meta/data.json +++ b/x-pack/metricbeat/module/oracle/performance/_meta/data.json @@ -6,33 +6,34 @@ "module": "oracle" }, "metricset": { - "name": "performance" + "name": "performance", + "period": 10000 }, "oracle": { "performance": { "cursors": { "cache_hit": { - "pct": 0.8311065930874237 + "pct": 0.8215208034433286 }, "opened": { - "current": 5, - "total": 6886 + "current": 32, + "total": 125460 }, "parse": { - "real": 1524, - "total": 4199 + "real": 39150, + "total": 63918 }, "session": { - "cache_hits": 5723 + "cache_hits": 103068 } }, - "io_reloads": 0.0015732643391367942, - "lock_requests": 0.5958019475347308, - "pin_requests": 0.8058170730696832 + "io_reloads": 0.009607787973500542, + "lock_requests": 0.5939075233457263, + "pin_requests": 0.7450330613301921 } }, "service": { - "address": "oracle://sys:Oradoc_db1@localhost/ORCLPDB1.localdomain?connectionClass=\u0026poolIncrement=0\u0026poolMaxSessions=0\u0026poolMinSessions=0\u0026sysdba=1\u0026sysoper=0\u0026sysasm=0\u0026standaloneConnection=0\u0026enableEvents=0\u0026heterogeneousPool=0\u0026prelim=0", + "address": "localhost:32769", "type": "oracle" } } \ No newline at end of file diff --git a/x-pack/metricbeat/module/oracle/performance/metricset.go b/x-pack/metricbeat/module/oracle/performance/metricset.go index 38d1cd4a910..2c79b5813c3 100644 --- a/x-pack/metricbeat/module/oracle/performance/metricset.go +++ b/x-pack/metricbeat/module/oracle/performance/metricset.go @@ -18,7 +18,8 @@ import ( // the MetricSet for each host defined in the module's configuration. After the // MetricSet has been created then Fetch will begin to be called periodically. func init() { - mb.Registry.MustAddMetricSet("oracle", "performance", New) + mb.Registry.MustAddMetricSet("oracle", "performance", New, + mb.WithHostParser(oracle.HostParser)) } // MetricSet holds any configuration or state information. It must implement diff --git a/x-pack/metricbeat/module/oracle/tablespace/_meta/data.json b/x-pack/metricbeat/module/oracle/tablespace/_meta/data.json index dac8c139cd8..81dce0bf306 100644 --- a/x-pack/metricbeat/module/oracle/tablespace/_meta/data.json +++ b/x-pack/metricbeat/module/oracle/tablespace/_meta/data.json @@ -6,18 +6,19 @@ "module": "oracle" }, "metricset": { - "name": "tablespace" + "name": "tablespace", + "period": 10000 }, "oracle": { "tablespace": { "data_file": { - "id": 18, - "name": "/u02/app/oracle/oradata/ORCLCDB/orclpdb1/sysaux01.dbf", + "id": 3, + "name": "/u02/app/oracle/oradata/ORCL/sysaux01.dbf", "online_status": "ONLINE", "size": { - "bytes": 618659840, + "bytes": 744488960, "free": { - "bytes": 617611264 + "bytes": 743440384 }, "max": { "bytes": 34359721984 @@ -28,16 +29,16 @@ "name": "SYSAUX", "space": { "free": { - "bytes": 34799616 + "bytes": 39124992 }, "used": { - "bytes": 618659840 + "bytes": 744488960 } } } }, "service": { - "address": "oracle://sys:Oradoc_db1@localhost:1521/ORCLPDB1.localdomain?connectionClass=\u0026poolIncrement=0\u0026poolMaxSessions=0\u0026poolMinSessions=0\u0026sysdba=1\u0026sysoper=0\u0026sysasm=0\u0026standaloneConnection=0\u0026enableEvents=0\u0026heterogeneousPool=0\u0026prelim=0", + "address": "localhost:32769", "type": "oracle" } } \ No newline at end of file diff --git a/x-pack/metricbeat/module/oracle/tablespace/metricset.go b/x-pack/metricbeat/module/oracle/tablespace/metricset.go index 1729429d79a..8fec8fd0a77 100644 --- a/x-pack/metricbeat/module/oracle/tablespace/metricset.go +++ b/x-pack/metricbeat/module/oracle/tablespace/metricset.go @@ -18,7 +18,8 @@ import ( // the MetricSet for each host defined in the module's configuration. After the // MetricSet has been created then Fetch will begin to be called periodically. func init() { - mb.Registry.MustAddMetricSet("oracle", "tablespace", New) + mb.Registry.MustAddMetricSet("oracle", "tablespace", New, + mb.WithHostParser(oracle.HostParser)) } // MetricSet holds any configuration or state information. It must implement diff --git a/x-pack/metricbeat/module/prometheus/_meta/config.yml b/x-pack/metricbeat/module/prometheus/_meta/config.yml index 6fd4e582c8e..789e7937252 100644 --- a/x-pack/metricbeat/module/prometheus/_meta/config.yml +++ b/x-pack/metricbeat/module/prometheus/_meta/config.yml @@ -30,6 +30,18 @@ #ssl.certificate: "/etc/pki/server/cert.pem" #ssl.key: "/etc/pki/server/cert.key" + # Use Elasticsearch histogram type to store histograms (beta, default: false) + # This will change the default layout and put metric type in the field name + #use_types: true + + # Store counter rates instead of original cumulative counters (experimental, default: false) + #rate_counters: true + + # Define patterns for counter and histogram types so as to identify metrics' types according to these patterns + #types_patterns: + # counter_patterns: [] + # histogram_patterns: [] + # Metrics that will be collected using a PromQL #- module: prometheus # metricsets: ["query"] diff --git a/x-pack/metricbeat/module/prometheus/collector/data.go b/x-pack/metricbeat/module/prometheus/collector/data.go index 23ef386291b..1dd83a82980 100644 --- a/x-pack/metricbeat/module/prometheus/collector/data.go +++ b/x-pack/metricbeat/module/prometheus/collector/data.go @@ -138,7 +138,7 @@ func (g *typedGenerator) GeneratePromEvents(mf *dto.MetricFamily) []collector.Pr events = append(events, collector.PromEvent{ Data: common.MapStr{ name: common.MapStr{ - "histogram": promHistogramToES(g.counterCache, name, labels, histogram), + "histogram": PromHistogramToES(g.counterCache, name, labels, histogram), }, }, Labels: labels, diff --git a/x-pack/metricbeat/module/prometheus/collector/histogram.go b/x-pack/metricbeat/module/prometheus/collector/histogram.go index 63ed3bf69ce..1d23264a2fb 100644 --- a/x-pack/metricbeat/module/prometheus/collector/histogram.go +++ b/x-pack/metricbeat/module/prometheus/collector/histogram.go @@ -13,7 +13,7 @@ import ( dto "github.com/prometheus/client_model/go" ) -// promHistogramToES takes a Prometheus histogram and converts it to an ES histogram: +// PromHistogramToES takes a Prometheus histogram and converts it to an ES histogram: // // ES histograms look like this: // @@ -27,7 +27,7 @@ import ( // - undoing counters accumulation for each bucket (counts) // // https://www.elastic.co/guide/en/elasticsearch/reference/master/histogram.html -func promHistogramToES(cc CounterCache, name string, labels common.MapStr, histogram *dto.Histogram) common.MapStr { +func PromHistogramToES(cc CounterCache, name string, labels common.MapStr, histogram *dto.Histogram) common.MapStr { var values []float64 var counts []uint64 diff --git a/x-pack/metricbeat/module/prometheus/collector/histogram_test.go b/x-pack/metricbeat/module/prometheus/collector/histogram_test.go index b0906068e76..460d0f3fffe 100644 --- a/x-pack/metricbeat/module/prometheus/collector/histogram_test.go +++ b/x-pack/metricbeat/module/prometheus/collector/histogram_test.go @@ -17,7 +17,7 @@ import ( "github.com/elastic/beats/v7/libbeat/common" ) -// TestPromHistogramToES tests that calling promHistogramToES multiple +// TestPromHistogramToES tests that calling PromHistogramToES multiple // times with the same cache produces each time the expected results. func TestPromHistogramToES(t *testing.T) { type sample struct { @@ -398,7 +398,7 @@ func TestPromHistogramToES(t *testing.T) { for i, s := range c.samples { t.Logf("#%d: %+v", i, s.histogram) - result := promHistogramToES(cache, metricName, labels, &s.histogram) + result := PromHistogramToES(cache, metricName, labels, &s.histogram) assert.EqualValues(t, s.expected, result) } }) diff --git a/x-pack/metricbeat/module/prometheus/remote_write/_meta/data.json b/x-pack/metricbeat/module/prometheus/remote_write/_meta/data.json new file mode 100644 index 00000000000..54a1b92e428 --- /dev/null +++ b/x-pack/metricbeat/module/prometheus/remote_write/_meta/data.json @@ -0,0 +1,24 @@ +{ + "@timestamp": "2020-07-17T08:23:53.958Z", + "service": { + "type": "prometheus" + }, + "event": { + "dataset": "prometheus.remote_write", + "module": "prometheus" + }, + "metricset": { + "name": "remote_write" + }, + "prometheus": { + "labels": { + "instance": "nodeexporter:9100", + "job": "nodeexporter", + "device": "eth0" + }, + "node_network_transmit_packets_total": { + "counter": 609, + "rate": 3 + } + } +} diff --git a/x-pack/metricbeat/module/prometheus/remote_write/_meta/docs.asciidoc b/x-pack/metricbeat/module/prometheus/remote_write/_meta/docs.asciidoc new file mode 100644 index 00000000000..e69de29bb2d diff --git a/x-pack/metricbeat/module/prometheus/remote_write/_meta/fields.yml b/x-pack/metricbeat/module/prometheus/remote_write/_meta/fields.yml new file mode 100644 index 00000000000..e69de29bb2d diff --git a/x-pack/metricbeat/module/prometheus/remote_write/config.go b/x-pack/metricbeat/module/prometheus/remote_write/config.go new file mode 100644 index 00000000000..8c5fe12a659 --- /dev/null +++ b/x-pack/metricbeat/module/prometheus/remote_write/config.go @@ -0,0 +1,32 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package remote_write + +import "errors" + +type config struct { + UseTypes bool `config:"use_types"` + RateCounters bool `config:"rate_counters"` + TypesPatterns TypesPatterns `config:"types_patterns" yaml:"types_patterns,omitempty"` +} + +type TypesPatterns struct { + CounterPatterns *[]string `config:"counter_patterns" yaml:"include,omitempty"` + HistogramPatterns *[]string `config:"histogram_patterns" yaml:"exclude,omitempty"` +} + +var defaultConfig = config{ + TypesPatterns: TypesPatterns{ + CounterPatterns: nil, + HistogramPatterns: nil}, +} + +func (c *config) Validate() error { + if c.RateCounters && !c.UseTypes { + return errors.New("'rate_counters' can only be enabled when `use_types` is also enabled") + } + + return nil +} diff --git a/x-pack/metricbeat/module/prometheus/remote_write/data.go b/x-pack/metricbeat/module/prometheus/remote_write/data.go new file mode 100644 index 00000000000..2258aba0270 --- /dev/null +++ b/x-pack/metricbeat/module/prometheus/remote_write/data.go @@ -0,0 +1,279 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package remote_write + +import ( + "math" + "regexp" + "strconv" + "strings" + "time" + + "github.com/pkg/errors" + + dto "github.com/prometheus/client_model/go" + "github.com/prometheus/common/model" + + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/cfgwarn" + "github.com/elastic/beats/v7/libbeat/logp" + p "github.com/elastic/beats/v7/metricbeat/helper/prometheus" + "github.com/elastic/beats/v7/metricbeat/mb" + "github.com/elastic/beats/v7/metricbeat/module/prometheus/remote_write" + "github.com/elastic/beats/v7/x-pack/metricbeat/module/prometheus/collector" +) + +const ( + counterType = "counter_type" + histogramType = "histogram_type" + otherType = "other_type" +) + +type histogram struct { + timestamp time.Time + buckets []*dto.Bucket + labels common.MapStr + metricName string +} + +func remoteWriteEventsGeneratorFactory(base mb.BaseMetricSet) (remote_write.RemoteWriteEventsGenerator, error) { + var err error + config := defaultConfig + if err = base.Module().UnpackConfig(&config); err != nil { + return nil, err + } + + if config.UseTypes { + // use a counter cache with a timeout of 5x the period, as a safe value + // to make sure that all counters are available between fetches + counters := collector.NewCounterCache(base.Module().Config().Period * 5) + + g := remoteWriteTypedGenerator{ + counterCache: counters, + rateCounters: config.RateCounters, + } + + g.counterPatterns, err = p.CompilePatternList(config.TypesPatterns.CounterPatterns) + if err != nil { + return nil, errors.Wrapf(err, "unable to compile counter patterns") + } + g.histogramPatterns, err = p.CompilePatternList(config.TypesPatterns.HistogramPatterns) + if err != nil { + return nil, errors.Wrapf(err, "unable to compile histogram patterns") + } + + return &g, nil + } + + return remote_write.DefaultRemoteWriteEventsGeneratorFactory(base) +} + +type remoteWriteTypedGenerator struct { + counterCache collector.CounterCache + rateCounters bool + counterPatterns []*regexp.Regexp + histogramPatterns []*regexp.Regexp +} + +func (g *remoteWriteTypedGenerator) Start() { + cfgwarn.Beta("Prometheus 'use_types' setting is beta") + + if g.rateCounters { + cfgwarn.Experimental("Prometheus 'rate_counters' setting is experimental") + } + + g.counterCache.Start() +} + +func (g *remoteWriteTypedGenerator) Stop() { + logp.Debug("prometheus.remote_write.cache", "stopping counterCache") + g.counterCache.Stop() +} + +// GenerateEvents receives a list of Sample and: +// 1. guess the type of the sample metric +// 2. handle it properly using "types" logic +// 3. if metrics of histogram type then it is converted to ES histogram +// 4. metrics with the same set of labels are grouped into same events +func (g remoteWriteTypedGenerator) GenerateEvents(metrics model.Samples) map[string]mb.Event { + var data common.MapStr + histograms := map[string]histogram{} + eventList := map[string]mb.Event{} + + for _, metric := range metrics { + labels := common.MapStr{} + + if metric == nil { + continue + } + val := float64(metric.Value) + if math.IsNaN(val) || math.IsInf(val, 0) { + continue + } + + name := string(metric.Metric["__name__"]) + delete(metric.Metric, "__name__") + + for k, v := range metric.Metric { + labels[string(k)] = v + } + + promType := g.findMetricType(name, labels) + + labelsHash := labels.String() + metric.Timestamp.Time().String() + labelsClone := labels.Clone() + labelsClone.Delete("le") + if promType == histogramType { + labelsHash = labelsClone.String() + metric.Timestamp.Time().String() + } + // join metrics with same labels in a single event + if _, ok := eventList[labelsHash]; !ok { + eventList[labelsHash] = mb.Event{ + ModuleFields: common.MapStr{}, + Timestamp: metric.Timestamp.Time(), + } + + // Add labels + if len(labels) > 0 { + if promType == histogramType { + eventList[labelsHash].ModuleFields["labels"] = labelsClone + } else { + eventList[labelsHash].ModuleFields["labels"] = labels + } + } + } + + e := eventList[labelsHash] + switch promType { + case counterType: + data = common.MapStr{ + name: g.rateCounterFloat64(name, labels, val), + } + case otherType: + data = common.MapStr{ + name: common.MapStr{ + "value": val, + }, + } + case histogramType: + histKey := name + labelsClone.String() + + le, _ := labels.GetValue("le") + upperBound := string(le.(model.LabelValue)) + + bucket, err := strconv.ParseFloat(upperBound, 64) + if err != nil { + continue + } + v := uint64(val) + b := &dto.Bucket{ + CumulativeCount: &v, + UpperBound: &bucket, + } + hist, ok := histograms[histKey] + if !ok { + hist = histogram{} + } + hist.buckets = append(hist.buckets, b) + hist.timestamp = metric.Timestamp.Time() + hist.labels = labelsClone + hist.metricName = name + histograms[histKey] = hist + continue + } + e.ModuleFields.Update(data) + + } + + // process histograms together + g.processPromHistograms(eventList, histograms) + return eventList +} + +// rateCounterUint64 fills a counter value and optionally adds the rate if rate_counters is enabled +func (g *remoteWriteTypedGenerator) rateCounterUint64(name string, labels common.MapStr, value uint64) common.MapStr { + d := common.MapStr{ + "counter": value, + } + + if g.rateCounters { + d["rate"], _ = g.counterCache.RateUint64(name+labels.String(), value) + } + + return d +} + +// rateCounterFloat64 fills a counter value and optionally adds the rate if rate_counters is enabled +func (g *remoteWriteTypedGenerator) rateCounterFloat64(name string, labels common.MapStr, value float64) common.MapStr { + d := common.MapStr{ + "counter": value, + } + if g.rateCounters { + d["rate"], _ = g.counterCache.RateFloat64(name+labels.String(), value) + } + + return d +} + +// processPromHistograms receives a group of Histograms and converts each one to ES histogram +func (g *remoteWriteTypedGenerator) processPromHistograms(eventList map[string]mb.Event, histograms map[string]histogram) { + for _, histogram := range histograms { + labelsHash := histogram.labels.String() + histogram.timestamp.String() + if _, ok := eventList[labelsHash]; !ok { + eventList[labelsHash] = mb.Event{ + ModuleFields: common.MapStr{}, + Timestamp: histogram.timestamp, + } + + // Add labels + if len(histogram.labels) > 0 { + eventList[labelsHash].ModuleFields["labels"] = histogram.labels + } + } + + e := eventList[labelsHash] + + hist := dto.Histogram{ + Bucket: histogram.buckets, + } + name := strings.TrimSuffix(histogram.metricName, "_bucket") + data := common.MapStr{ + name: common.MapStr{ + "histogram": collector.PromHistogramToES(g.counterCache, histogram.metricName, histogram.labels, &hist), + }, + } + e.ModuleFields.Update(data) + } +} + +// findMetricType evaluates the type of the metric by check the metricname format in order to handle it properly +func (g *remoteWriteTypedGenerator) findMetricType(metricName string, labels common.MapStr) string { + leLabel := false + if _, ok := labels["le"]; ok { + leLabel = true + } + + // handle user provided patterns + if len(g.counterPatterns) > 0 { + if p.MatchMetricFamily(metricName, g.counterPatterns) { + return counterType + } + } + if len(g.histogramPatterns) > 0 { + if p.MatchMetricFamily(metricName, g.histogramPatterns) && leLabel { + return histogramType + } + } + + // handle defaults + if strings.HasSuffix(metricName, "_total") || strings.HasSuffix(metricName, "_sum") || + strings.HasSuffix(metricName, "_count") { + return counterType + } else if strings.HasSuffix(metricName, "_bucket") && leLabel { + return histogramType + } + + return otherType +} diff --git a/x-pack/metricbeat/module/prometheus/remote_write/remote_write.go b/x-pack/metricbeat/module/prometheus/remote_write/remote_write.go new file mode 100644 index 00000000000..74eadff6d7b --- /dev/null +++ b/x-pack/metricbeat/module/prometheus/remote_write/remote_write.go @@ -0,0 +1,22 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package remote_write + +import ( + "github.com/elastic/beats/v7/metricbeat/mb" + "github.com/elastic/beats/v7/metricbeat/mb/parse" + "github.com/elastic/beats/v7/metricbeat/module/prometheus/remote_write" +) + +func init() { + mb.Registry.MustAddMetricSet("prometheus", "remote_write", + remote_write.MetricSetBuilder(remoteWriteEventsGeneratorFactory), + mb.WithHostParser(parse.EmptyHostParser), + + // must replace ensures that we are replacing the oss implementation with this one + // so we can make use of ES histograms (basic only) when use_types is enabled + mb.MustReplace(), + ) +} diff --git a/x-pack/metricbeat/module/prometheus/remote_write/remote_write_test.go b/x-pack/metricbeat/module/prometheus/remote_write/remote_write_test.go new file mode 100644 index 00000000000..6c031be5bba --- /dev/null +++ b/x-pack/metricbeat/module/prometheus/remote_write/remote_write_test.go @@ -0,0 +1,1209 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !integration + +package remote_write + +import ( + "testing" + "time" + + "github.com/prometheus/common/model" + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/libbeat/common" + p "github.com/elastic/beats/v7/metricbeat/helper/prometheus" + xcollector "github.com/elastic/beats/v7/x-pack/metricbeat/module/prometheus/collector" +) + +// TestGenerateEventsCounter tests counter simple cases +func TestGenerateEventsCounter(t *testing.T) { + + counters := xcollector.NewCounterCache(1 * time.Second) + + g := remoteWriteTypedGenerator{ + counterCache: counters, + rateCounters: true, + } + g.counterCache.Start() + timestamp := model.Time(424242) + labels := common.MapStr{ + "listener_name": model.LabelValue("http"), + } + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(42), + Timestamp: timestamp, + }, + } + events := g.GenerateEvents(metrics) + + expected := common.MapStr{ + "net_conntrack_listener_conn_closed_total": common.MapStr{ + "counter": float64(42), + "rate": float64(0), + }, + "labels": labels, + } + + assert.Equal(t, len(events), 1) + e := events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected) + + // repeat in order to test the rate + metrics = model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(45), + Timestamp: timestamp, + }, + } + events = g.GenerateEvents(metrics) + + expected = common.MapStr{ + "net_conntrack_listener_conn_closed_total": common.MapStr{ + "counter": float64(45), + "rate": float64(3), + }, + "labels": labels, + } + + assert.Equal(t, len(events), 1) + e = events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected) + +} + +// TestGenerateEventsCounterSameLabels tests multiple counters with same labels +func TestGenerateEventsCounterSameLabels(t *testing.T) { + + counters := xcollector.NewCounterCache(1 * time.Second) + + g := remoteWriteTypedGenerator{ + counterCache: counters, + rateCounters: true, + } + g.counterCache.Start() + timestamp := model.Time(424242) + labels := common.MapStr{ + "listener_name": model.LabelValue("http"), + } + + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(42), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + }, + Value: model.SampleValue(43), + Timestamp: timestamp, + }, + } + events := g.GenerateEvents(metrics) + + expected := common.MapStr{ + "net_conntrack_listener_conn_closed_total": common.MapStr{ + "counter": float64(42), + "rate": float64(0), + }, + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(43), + "rate": float64(0), + }, + "labels": labels, + } + + assert.Equal(t, len(events), 1) + e := events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected) + + // repeat in order to test the rate + metrics = model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(45), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + }, + Value: model.SampleValue(47), + Timestamp: timestamp, + }, + } + events = g.GenerateEvents(metrics) + + expected = common.MapStr{ + "net_conntrack_listener_conn_closed_total": common.MapStr{ + "counter": float64(45), + "rate": float64(3), + }, + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(47), + "rate": float64(4), + }, + "labels": labels, + } + + assert.Equal(t, len(events), 1) + e = events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected) + +} + +// TestGenerateEventsCounterDifferentLabels tests multiple counters with different labels +func TestGenerateEventsCounterDifferentLabels(t *testing.T) { + + counters := xcollector.NewCounterCache(1 * time.Second) + + g := remoteWriteTypedGenerator{ + counterCache: counters, + rateCounters: true, + } + g.counterCache.Start() + + timestamp := model.Time(424242) + labels := common.MapStr{ + "listener_name": model.LabelValue("http"), + } + labels2 := common.MapStr{ + "listener_name": model.LabelValue("http"), + "device": model.LabelValue("eth0"), + } + + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(42), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + }, + Value: model.SampleValue(43), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + "device": "eth0", + }, + Value: model.SampleValue(44), + Timestamp: timestamp, + }, + } + events := g.GenerateEvents(metrics) + + expected1 := common.MapStr{ + "net_conntrack_listener_conn_closed_total": common.MapStr{ + "counter": float64(42), + "rate": float64(0), + }, + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(43), + "rate": float64(0), + }, + "labels": labels, + } + expected2 := common.MapStr{ + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(44), + "rate": float64(0), + }, + "labels": labels2, + } + + assert.Equal(t, len(events), 2) + e := events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected1) + e = events[labels2.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected2) + + // repeat in order to test the rate + metrics = model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(45), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + }, + Value: model.SampleValue(47), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + "device": "eth0", + }, + Value: model.SampleValue(50), + Timestamp: timestamp, + }, + } + events = g.GenerateEvents(metrics) + + expected1 = common.MapStr{ + "net_conntrack_listener_conn_closed_total": common.MapStr{ + "counter": float64(45), + "rate": float64(3), + }, + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(47), + "rate": float64(4), + }, + "labels": labels, + } + expected2 = common.MapStr{ + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(50), + "rate": float64(6), + }, + "labels": labels2, + } + + assert.Equal(t, len(events), 2) + e = events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected1) + e = events[labels2.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected2) + +} + +// TestGenerateEventsGaugeDifferentLabels tests multiple gauges with different labels +func TestGenerateEventsGaugeDifferentLabels(t *testing.T) { + + counters := xcollector.NewCounterCache(1 * time.Second) + + g := remoteWriteTypedGenerator{ + counterCache: counters, + rateCounters: true, + } + g.counterCache.Start() + timestamp := model.Time(424242) + labels := common.MapStr{ + "listener_name": model.LabelValue("http"), + } + labels2 := common.MapStr{ + "listener_name": model.LabelValue("http"), + "device": model.LabelValue("eth0"), + } + + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(42), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + }, + Value: model.SampleValue(43), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + "device": "eth0", + }, + Value: model.SampleValue(44), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_open", + "listener_name": "http", + "device": "eth0", + }, + Value: model.SampleValue(49), + Timestamp: timestamp, + }, + } + events := g.GenerateEvents(metrics) + + expected1 := common.MapStr{ + "net_conntrack_listener_conn_closed_total": common.MapStr{ + "counter": float64(42), + "rate": float64(0), + }, + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(43), + "rate": float64(0), + }, + "labels": labels, + } + expected2 := common.MapStr{ + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(44), + "rate": float64(0), + }, + "net_conntrack_listener_conn_open": common.MapStr{ + "value": float64(49), + }, + "labels": labels2, + } + + assert.Equal(t, len(events), 2) + e := events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected1) + e = events[labels2.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected2) + + // repeat in order to test the rate + metrics = model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(45), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + }, + Value: model.SampleValue(47), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_panic_total", + "listener_name": "http", + "device": "eth0", + }, + Value: model.SampleValue(50), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_open", + "listener_name": "http", + "device": "eth0", + }, + Value: model.SampleValue(59), + Timestamp: timestamp, + }, + } + events = g.GenerateEvents(metrics) + + expected1 = common.MapStr{ + "net_conntrack_listener_conn_closed_total": common.MapStr{ + "counter": float64(45), + "rate": float64(3), + }, + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(47), + "rate": float64(4), + }, + "labels": labels, + } + expected2 = common.MapStr{ + "net_conntrack_listener_conn_panic_total": common.MapStr{ + "counter": float64(50), + "rate": float64(6), + }, + "net_conntrack_listener_conn_open": common.MapStr{ + "value": float64(59), + }, + "labels": labels2, + } + + assert.Equal(t, len(events), 2) + e = events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected1) + e = events[labels2.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected2) + +} + +// TestGenerateEventsQuantilesDifferentLabels tests summaries with different labels +func TestGenerateEventsQuantilesDifferentLabels(t *testing.T) { + + counters := xcollector.NewCounterCache(1 * time.Second) + + g := remoteWriteTypedGenerator{ + counterCache: counters, + rateCounters: true, + } + g.counterCache.Start() + + timestamp := model.Time(424242) + labels := common.MapStr{ + "runtime": model.LabelValue("linux"), + "quantile": model.LabelValue("0.25"), + } + labels2 := common.MapStr{ + "runtime": model.LabelValue("linux"), + "quantile": model.LabelValue("0.50"), + } + labels3 := common.MapStr{ + "runtime": model.LabelValue("linux"), + } + + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds", + "runtime": "linux", + "quantile": "0.25", + }, + Value: model.SampleValue(42), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds", + "runtime": "linux", + "quantile": "0.50", + }, + Value: model.SampleValue(43), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds_sum", + "runtime": "linux", + }, + Value: model.SampleValue(44), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds_count", + "runtime": "linux", + }, + Value: model.SampleValue(45), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds_2", + "runtime": "linux", + "quantile": "0.25", + }, + Value: model.SampleValue(46), + Timestamp: timestamp, + }, + } + events := g.GenerateEvents(metrics) + + expected := common.MapStr{ + "go_gc_duration_seconds": common.MapStr{ + "value": float64(42), + }, + "go_gc_duration_seconds_2": common.MapStr{ + "value": float64(46), + }, + "labels": labels, + } + expected2 := common.MapStr{ + "go_gc_duration_seconds": common.MapStr{ + "value": float64(43), + }, + "labels": labels2, + } + expected3 := common.MapStr{ + "go_gc_duration_seconds_count": common.MapStr{ + "counter": float64(45), + "rate": float64(0), + }, + "go_gc_duration_seconds_sum": common.MapStr{ + "counter": float64(44), + "rate": float64(0), + }, + "labels": labels3, + } + + assert.Equal(t, len(events), 3) + e := events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected) + e = events[labels2.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected2) + e = events[labels3.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected3) + + // repeat in order to test the rate + metrics = model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds", + "runtime": "linux", + "quantile": "0.25", + }, + Value: model.SampleValue(52), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds", + "runtime": "linux", + "quantile": "0.50", + }, + Value: model.SampleValue(53), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds_sum", + "runtime": "linux", + }, + Value: model.SampleValue(54), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds_count", + "runtime": "linux", + }, + Value: model.SampleValue(55), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "go_gc_duration_seconds_2", + "runtime": "linux", + "quantile": "0.25", + }, + Value: model.SampleValue(56), + Timestamp: timestamp, + }, + } + events = g.GenerateEvents(metrics) + + expected = common.MapStr{ + "go_gc_duration_seconds": common.MapStr{ + "value": float64(52), + }, + "go_gc_duration_seconds_2": common.MapStr{ + "value": float64(56), + }, + "labels": labels, + } + expected2 = common.MapStr{ + "go_gc_duration_seconds": common.MapStr{ + "value": float64(53), + }, + "labels": labels2, + } + expected3 = common.MapStr{ + "go_gc_duration_seconds_count": common.MapStr{ + "counter": float64(55), + "rate": float64(10), + }, + "go_gc_duration_seconds_sum": common.MapStr{ + "counter": float64(54), + "rate": float64(10), + }, + "labels": labels3, + } + + assert.Equal(t, len(events), 3) + e = events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected) + e = events[labels2.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected2) + e = events[labels3.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected3) + +} + +// TestGenerateEventsHistogramsDifferentLabels tests histograms with different labels +func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { + + counters := xcollector.NewCounterCache(1 * time.Second) + + g := remoteWriteTypedGenerator{ + counterCache: counters, + rateCounters: true, + } + g.counterCache.Start() + timestamp := model.Time(424242) + labels := common.MapStr{ + "runtime": model.LabelValue("linux"), + } + labels2 := common.MapStr{ + "runtime": model.LabelValue("darwin"), + } + + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_bucket", + "runtime": "linux", + "le": "0.25", + }, + Value: model.SampleValue(42), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_bucket", + "runtime": "linux", + "le": "0.50", + }, + Value: model.SampleValue(43), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_bucket", + "runtime": "linux", + "le": "+Inf", + }, + Value: model.SampleValue(44), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_sum", + "runtime": "linux", + }, + Value: model.SampleValue(45), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_count", + "runtime": "linux", + }, + Value: model.SampleValue(46), + Timestamp: timestamp, + }, + // second histogram same label + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "linux", + "le": "0.25", + }, + Value: model.SampleValue(52), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "linux", + "le": "0.50", + }, + Value: model.SampleValue(53), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "linux", + "le": "+Inf", + }, + Value: model.SampleValue(54), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_sum", + "runtime": "linux", + }, + Value: model.SampleValue(55), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_count", + "runtime": "linux", + }, + Value: model.SampleValue(56), + Timestamp: timestamp, + }, + // third histogram different label + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "darwin", + "le": "0.25", + }, + Value: model.SampleValue(62), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "darwin", + "le": "0.50", + }, + Value: model.SampleValue(63), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "darwin", + "le": "+Inf", + }, + Value: model.SampleValue(64), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_sum", + "runtime": "darwin", + }, + Value: model.SampleValue(65), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_count", + "runtime": "darwin", + }, + Value: model.SampleValue(66), + Timestamp: timestamp, + }, + } + events := g.GenerateEvents(metrics) + + expected := common.MapStr{ + "http_request_duration_seconds": common.MapStr{ + "histogram": common.MapStr{ + "values": []float64{float64(0.125), float64(0.375), float64(0.75)}, + "counts": []uint64{uint64(0), uint64(0), uint64(0)}, + }, + }, + "http_request_duration_seconds_sum": common.MapStr{ + "counter": float64(45), + "rate": float64(0), + }, + "http_request_duration_seconds_count": common.MapStr{ + "counter": float64(46), + "rate": float64(0), + }, + "http_request_bytes": common.MapStr{ + "histogram": common.MapStr{ + "values": []float64{float64(0.125), float64(0.375), float64(0.75)}, + "counts": []uint64{uint64(0), uint64(0), uint64(0)}, + }, + }, + "http_request_bytes_sum": common.MapStr{ + "counter": float64(55), + "rate": float64(0), + }, + "http_request_bytes_count": common.MapStr{ + "counter": float64(56), + "rate": float64(0), + }, + "labels": labels, + } + expected2 := common.MapStr{ + "http_request_bytes": common.MapStr{ + "histogram": common.MapStr{ + "values": []float64{float64(0.125), float64(0.375), float64(0.75)}, + "counts": []uint64{uint64(0), uint64(0), uint64(0)}, + }, + }, + "http_request_bytes_sum": common.MapStr{ + "counter": float64(65), + "rate": float64(0), + }, + "http_request_bytes_count": common.MapStr{ + "counter": float64(66), + "rate": float64(0), + }, + "labels": labels2, + } + + assert.Equal(t, 2, len(events)) + e := events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected) + e = events[labels2.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected2) + + // repeat in order to test the rate + metrics = model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_bucket", + "runtime": "linux", + "le": "0.25", + }, + Value: model.SampleValue(142), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_bucket", + "runtime": "linux", + "le": "0.50", + }, + Value: model.SampleValue(143), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_bucket", + "runtime": "linux", + "le": "+Inf", + }, + Value: model.SampleValue(144), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_sum", + "runtime": "linux", + }, + Value: model.SampleValue(145), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_duration_seconds_count", + "runtime": "linux", + }, + Value: model.SampleValue(146), + Timestamp: timestamp, + }, + // second histogram same label + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "linux", + "le": "0.25", + }, + Value: model.SampleValue(252), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "linux", + "le": "0.50", + }, + Value: model.SampleValue(253), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "linux", + "le": "+Inf", + }, + Value: model.SampleValue(254), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_sum", + "runtime": "linux", + }, + Value: model.SampleValue(255), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_count", + "runtime": "linux", + }, + Value: model.SampleValue(256), + Timestamp: timestamp, + }, + // third histogram different label + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "darwin", + "le": "0.25", + }, + Value: model.SampleValue(362), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "darwin", + "le": "0.50", + }, + Value: model.SampleValue(363), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_bucket", + "runtime": "darwin", + "le": "+Inf", + }, + Value: model.SampleValue(364), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_sum", + "runtime": "darwin", + }, + Value: model.SampleValue(365), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "http_request_bytes_count", + "runtime": "darwin", + }, + Value: model.SampleValue(366), + Timestamp: timestamp, + }, + } + events = g.GenerateEvents(metrics) + + expected = common.MapStr{ + "http_request_duration_seconds": common.MapStr{ + "histogram": common.MapStr{ + "values": []float64{float64(0.125), float64(0.375), float64(0.75)}, + "counts": []uint64{uint64(100), uint64(0), uint64(0)}, + }, + }, + "http_request_duration_seconds_sum": common.MapStr{ + "counter": float64(145), + "rate": float64(100), + }, + "http_request_duration_seconds_count": common.MapStr{ + "counter": float64(146), + "rate": float64(100), + }, + "http_request_bytes": common.MapStr{ + "histogram": common.MapStr{ + "values": []float64{float64(0.125), float64(0.375), float64(0.75)}, + "counts": []uint64{uint64(200), uint64(0), uint64(0)}, + }, + }, + "http_request_bytes_sum": common.MapStr{ + "counter": float64(255), + "rate": float64(200), + }, + "http_request_bytes_count": common.MapStr{ + "counter": float64(256), + "rate": float64(200), + }, + "labels": labels, + } + expected2 = common.MapStr{ + "http_request_bytes": common.MapStr{ + "histogram": common.MapStr{ + "values": []float64{float64(0.125), float64(0.375), float64(0.75)}, + "counts": []uint64{uint64(300), uint64(0), uint64(0)}, + }, + }, + "http_request_bytes_sum": common.MapStr{ + "counter": float64(365), + "rate": float64(300), + }, + "http_request_bytes_count": common.MapStr{ + "counter": float64(366), + "rate": float64(300), + }, + "labels": labels2, + } + + assert.Equal(t, 2, len(events)) + e = events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected) + e = events[labels2.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected2) +} + +// TestGenerateEventsCounterWithDefinedPattern tests counter with defined pattern +func TestGenerateEventsCounterWithDefinedPattern(t *testing.T) { + + counters := xcollector.NewCounterCache(1 * time.Second) + + counterPatterns, err := p.CompilePatternList(&[]string{"_mycounter"}) + if err != nil { + panic(err) + } + g := remoteWriteTypedGenerator{ + counterCache: counters, + rateCounters: true, + counterPatterns: counterPatterns, + } + + g.counterCache.Start() + + timestamp := model.Time(424242) + labels := common.MapStr{ + "listener_name": model.LabelValue("http"), + } + + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_mycounter", + "listener_name": "http", + }, + Value: model.SampleValue(42), + Timestamp: timestamp, + }, + } + events := g.GenerateEvents(metrics) + + expected := common.MapStr{ + "net_conntrack_listener_conn_closed_mycounter": common.MapStr{ + "counter": float64(42), + "rate": float64(0), + }, + "labels": labels, + } + + assert.Equal(t, len(events), 1) + e := events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected) + + // repeat in order to test the rate + metrics = model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_mycounter", + "listener_name": "http", + }, + Value: model.SampleValue(45), + Timestamp: timestamp, + }, + } + events = g.GenerateEvents(metrics) + + expected = common.MapStr{ + "net_conntrack_listener_conn_closed_mycounter": common.MapStr{ + "counter": float64(45), + "rate": float64(3), + }, + "labels": labels, + } + + assert.Equal(t, len(events), 1) + e = events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected) + +} + +// TestGenerateEventsHistogramWithDefinedPattern tests histogram with defined pattern +func TestGenerateEventsHistogramWithDefinedPattern(t *testing.T) { + + counters := xcollector.NewCounterCache(1 * time.Second) + + histogramPatterns, err := p.CompilePatternList(&[]string{"_myhistogram"}) + if err != nil { + panic(err) + } + g := remoteWriteTypedGenerator{ + counterCache: counters, + rateCounters: true, + histogramPatterns: histogramPatterns, + } + + g.counterCache.Start() + timestamp := model.Time(424242) + labels := common.MapStr{ + "listener_name": model.LabelValue("http"), + } + + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_myhistogram", + "listener_name": "http", + "le": "20", + }, + Value: model.SampleValue(42), + Timestamp: timestamp, + }, + } + events := g.GenerateEvents(metrics) + + expected := common.MapStr{ + "net_conntrack_listener_conn_closed_myhistogram": common.MapStr{ + "histogram": common.MapStr{ + "values": []float64{float64(10)}, + "counts": []uint64{uint64(0)}, + }, + }, + "labels": labels, + } + + assert.Equal(t, len(events), 1) + e := events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected) + + // repeat in order to test the rate + metrics = model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_myhistogram", + "listener_name": "http", + "le": "20", + }, + Value: model.SampleValue(45), + Timestamp: timestamp, + }, + } + events = g.GenerateEvents(metrics) + + expected = common.MapStr{ + "net_conntrack_listener_conn_closed_myhistogram": common.MapStr{ + "histogram": common.MapStr{ + "values": []float64{float64(10)}, + "counts": []uint64{uint64(3)}, + }, + }, + "labels": labels, + } + + assert.Equal(t, len(events), 1) + e = events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected) + +} diff --git a/x-pack/metricbeat/module/redisenterprise/test_redisenterprise.py b/x-pack/metricbeat/module/redisenterprise/test_redisenterprise.py index 806f7a37c7a..17e30e58fea 100644 --- a/x-pack/metricbeat/module/redisenterprise/test_redisenterprise.py +++ b/x-pack/metricbeat/module/redisenterprise/test_redisenterprise.py @@ -1,10 +1,8 @@ import os -from parameterized import parameterized import redis import sys import unittest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) +from parameterized import parameterized from xpack_metricbeat import XPackTest, metricbeat diff --git a/x-pack/metricbeat/module/sql/test_sql.py b/x-pack/metricbeat/module/sql/test_sql.py index 8a18791b386..e091c4185db 100644 --- a/x-pack/metricbeat/module/sql/test_sql.py +++ b/x-pack/metricbeat/module/sql/test_sql.py @@ -1,8 +1,6 @@ import os import sys import unittest - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) from xpack_metricbeat import XPackTest, metricbeat diff --git a/x-pack/metricbeat/module/stan/test_stan.py b/x-pack/metricbeat/module/stan/test_stan.py index 8acd47984f9..11f862a31ba 100644 --- a/x-pack/metricbeat/module/stan/test_stan.py +++ b/x-pack/metricbeat/module/stan/test_stan.py @@ -2,8 +2,6 @@ import sys import unittest from parameterized import parameterized - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) from xpack_metricbeat import XPackTest, metricbeat STAN_FIELDS = metricbeat.COMMON_FIELDS + ["stan"] diff --git a/x-pack/metricbeat/module/statsd/test_statsd.py b/x-pack/metricbeat/module/statsd/test_statsd.py index 15d4b0513b7..92798009247 100644 --- a/x-pack/metricbeat/module/statsd/test_statsd.py +++ b/x-pack/metricbeat/module/statsd/test_statsd.py @@ -1,8 +1,6 @@ import os import socket import sys - -sys.path.append(os.path.join(os.path.dirname(__file__), '../../tests/system')) from xpack_metricbeat import XPackTest, metricbeat STATSD_HOST = '127.0.0.1' diff --git a/x-pack/metricbeat/modules.d/aws.yml.disabled b/x-pack/metricbeat/modules.d/aws.yml.disabled index 8ddb3333f70..d0053297885 100644 --- a/x-pack/metricbeat/modules.d/aws.yml.disabled +++ b/x-pack/metricbeat/modules.d/aws.yml.disabled @@ -33,11 +33,16 @@ - sns - sqs - module: aws - period: 12h + period: 24h metricsets: - billing - regions: - - us-east-1 + cost_explorer_config: + group_by_dimension_keys: + - "AZ" + - "INSTANCE_TYPE" + - "SERVICE" +# group_by_tag_keys: +# - "aws:createdBy" - module: aws period: 24h metricsets: diff --git a/x-pack/metricbeat/modules.d/azure.yml.disabled b/x-pack/metricbeat/modules.d/azure.yml.disabled index 857bfd6619f..23211f47206 100644 --- a/x-pack/metricbeat/modules.d/azure.yml.disabled +++ b/x-pack/metricbeat/modules.d/azure.yml.disabled @@ -112,3 +112,5 @@ # period: 300s # application_id: '' # api_key: '' +# metrics: +# - id: ["requests/count", "requests/duration"] diff --git a/x-pack/metricbeat/modules.d/googlecloud.yml.disabled b/x-pack/metricbeat/modules.d/googlecloud.yml.disabled index 9e7654cc4f7..4dd52de0a0b 100644 --- a/x-pack/metricbeat/modules.d/googlecloud.yml.disabled +++ b/x-pack/metricbeat/modules.d/googlecloud.yml.disabled @@ -30,7 +30,7 @@ - module: googlecloud metricsets: - - stackdriver + - metrics project_id: "your project id" credentials_file_path: "your JSON credentials file path" exclude_labels: false @@ -43,3 +43,13 @@ - "instance/cpu/usage_time" - "instance/cpu/utilization" - "instance/uptime" + +- module: googlecloud + metricsets: + - billing + period: 24h + project_id: "your project id" + credentials_file_path: "your JSON credentials file path" + dataset_id: "dataset id" + table_pattern: "table pattern" + cost_type: "regular" diff --git a/x-pack/metricbeat/modules.d/prometheus.yml.disabled b/x-pack/metricbeat/modules.d/prometheus.yml.disabled index f5882aff4fc..d6e00936b2a 100644 --- a/x-pack/metricbeat/modules.d/prometheus.yml.disabled +++ b/x-pack/metricbeat/modules.d/prometheus.yml.disabled @@ -33,6 +33,18 @@ #ssl.certificate: "/etc/pki/server/cert.pem" #ssl.key: "/etc/pki/server/cert.key" + # Use Elasticsearch histogram type to store histograms (beta, default: false) + # This will change the default layout and put metric type in the field name + #use_types: true + + # Store counter rates instead of original cumulative counters (experimental, default: false) + #rate_counters: true + + # Define patterns for counter and histogram types so as to identify metrics' types according to these patterns + #types_patterns: + # counter_patterns: [] + # histogram_patterns: [] + # Metrics that will be collected using a PromQL #- module: prometheus # metricsets: ["query"] diff --git a/x-pack/metricbeat/tests/system/test_xpack_base.py b/x-pack/metricbeat/tests/system/test_xpack_base.py index 225ad779f0d..ae19590dd24 100644 --- a/x-pack/metricbeat/tests/system/test_xpack_base.py +++ b/x-pack/metricbeat/tests/system/test_xpack_base.py @@ -2,7 +2,8 @@ import xpack_metricbeat import test_base +from beat import common_tests -class Test(xpack_metricbeat.XPackTest, test_base.Test): +class Test(xpack_metricbeat.XPackTest, test_base.Test, common_tests.TestExportsMixin): pass diff --git a/x-pack/metricbeat/tests/system/xpack_metricbeat.py b/x-pack/metricbeat/tests/system/xpack_metricbeat.py index 9164a3bf529..7554c9e339a 100644 --- a/x-pack/metricbeat/tests/system/xpack_metricbeat.py +++ b/x-pack/metricbeat/tests/system/xpack_metricbeat.py @@ -1,10 +1,7 @@ +import metricbeat import os import sys -sys.path.append(os.path.join(os.path.dirname(__file__), '../../../../metricbeat/tests/system')) - -import metricbeat - class XPackTest(metricbeat.BaseTest): diff --git a/x-pack/packetbeat/Jenkinsfile.yml b/x-pack/packetbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..8496265e0ac --- /dev/null +++ b/x-pack/packetbeat/Jenkinsfile.yml @@ -0,0 +1,20 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^x-pack/winlogbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@xpack" ## special token regarding the changeset for the xpack + comments: ## when PR comment contains any of those entries + - "/test x-pack/winlogbeat" + labels: ## when PR labels matches any of those entries + - "x-pack-winlogbeat" + parameters: ## when parameter was selected in the UI. + - "x-pack-winlogbeat" + tags: true ## for all the tags +platform: "linux && ubuntu-18" ## default label for all the stages +stages: + windows: + mage: "mage build unitTest" + withModule: true + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/x-pack/winlogbeat/Jenkinsfile.yml b/x-pack/winlogbeat/Jenkinsfile.yml new file mode 100644 index 00000000000..396d1f03a7c --- /dev/null +++ b/x-pack/winlogbeat/Jenkinsfile.yml @@ -0,0 +1,20 @@ +when: + branches: true ## for all the branches + changeset: ## when PR contains any of those entries in the changeset + - "^x-pack/winlogbeat/.*" + - "@ci" ## special token regarding the changeset for the ci + - "@xpack" ## special token regarding the changeset for the xpack + comments: ## when PR comment contains any of those entries + - "/test x-pack/winlogbeat" + labels: ## when PR labels matches any of those entries + - "x-pack-winlogbeat" + parameters: ## when parameter was selected in the UI. + - "x-pack-winlogbeat" + tags: true ## for all the tags +platform: "windows-2019" ## default label for all the stages +stages: + build: + mage: "mage build unitTest" + withModule: true + platforms: ## override default labels in this specific stage. + - "windows-2019" diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index f223b8f0b8d..9a117a42f6f 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -21,13 +21,6 @@ var security = (function () { "11": "CachedInteractive", }; - // ECS Allowed Event Outcome - // https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-outcome.html - var eventOutcomes = { - "Audit Success": "success", - "Audit Failure": "failure", - }; - // User Account Control Attributes Table // https://support.microsoft.com/es-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties var uacFlags = [ @@ -1361,18 +1354,6 @@ var security = (function () { } }; - var addEventOutcome = function(evt) { - var auditResult = evt.Get("winlog.keywords"); - if (!auditResult) { - return; - } - var eventOutcome = eventOutcomes[auditResult]; - if (eventOutcome === undefined) { - return; - } - evt.Put("event.outcome", eventOutcome); - }; - var addLogonType = function(evt) { var code = evt.Get("winlog.event_data.LogonType"); if (!code) { @@ -1699,7 +1680,6 @@ var security = (function () { .Add(copyTargetUserLogonId) .Add(addLogonType) .Add(addEventFields) - .Add(addEventOutcome) .Build(); // Handles both 4624 @@ -1709,7 +1689,6 @@ var security = (function () { .Add(addLogonType) .Add(renameCommonAuthFields) .Add(addEventFields) - .Add(addEventOutcome) .Add(function(evt) { var user = evt.Get("winlog.event_data.SubjectUserName"); if (user) { @@ -1727,7 +1706,6 @@ var security = (function () { .Add(copySubjectUserLogonId) .Add(renameCommonAuthFields) .Add(addEventFields) - .Add(addEventOutcome) .Add(function(evt) { var user = evt.Get("winlog.event_data.SubjectUserName"); if (user) { @@ -1748,7 +1726,6 @@ var security = (function () { .Add(addFailureSubStatus) .Add(renameCommonAuthFields) .Add(addEventFields) - .Add(addEventOutcome) .Build(); var event4672 = new processor.Chain() @@ -1762,7 +1739,6 @@ var security = (function () { evt.Put("winlog.event_data.PrivilegeList", privs.split(/\s+/)); }) .Add(addEventFields) - .Add(addEventOutcome) .Build(); var event4688 = new processor.Chain() @@ -1770,7 +1746,6 @@ var security = (function () { .Add(copySubjectUserLogonId) .Add(renameNewProcessFields) .Add(addEventFields) - .Add(addEventOutcome) .Add(function(evt) { var user = evt.Get("winlog.event_data.TargetUserName"); var res = /^-$/.test(user); @@ -1785,7 +1760,6 @@ var security = (function () { .Add(copySubjectUserLogonId) .Add(renameCommonAuthFields) .Add(addEventFields) - .Add(addEventOutcome) .Build(); var event4697 = new processor.Chain() @@ -1794,7 +1768,6 @@ var security = (function () { .Add(renameCommonAuthFields) .Add(addServiceFields) .Add(addEventFields) - .Add(addEventOutcome) .Add(function(evt) { evt.AppendTo("event.type", "change"); }) @@ -1806,7 +1779,6 @@ var security = (function () { .Add(renameCommonAuthFields) .Add(addUACDescription) .Add(addEventFields) - .Add(addEventOutcome) .Add(function(evt) { var user = evt.Get("winlog.event_data.TargetUserName"); evt.AppendTo('related.user', user); @@ -1818,7 +1790,6 @@ var security = (function () { .Add(copySubjectUser) .Add(copySubjectUserLogonId) .Add(addEventFields) - .Add(addEventOutcome) .Add(function(evt) { var userNew = evt.Get("winlog.event_data.NewTargetUserName"); evt.AppendTo('related.user', userNew); @@ -1834,7 +1805,6 @@ var security = (function () { .Add(copyTargetUserToGroup) .Add(renameCommonAuthFields) .Add(addEventFields) - .Add(addEventOutcome) .Add(function(evt) { evt.AppendTo("event.type", "group"); var member = evt.Get("winlog.event_data.MemberName"); @@ -1851,7 +1821,6 @@ var security = (function () { .Add(copySubjectUserLogonIdFromUserData) .Add(renameCommonAuthFields) .Add(addEventFields) - .Add(addEventOutcome) .Add(function(evt) { evt.AppendTo("event.type", "change"); }) @@ -1863,7 +1832,6 @@ var security = (function () { .Add(renameCommonAuthFields) .Add(addAuditInfo) .Add(addEventFields) - .Add(addEventOutcome) .Add(function(evt) { evt.AppendTo("event.type", "change"); }) @@ -1872,7 +1840,6 @@ var security = (function () { var auditLogMgmt = new processor.Chain() .Add(renameCommonAuthFields) .Add(addEventFields) - .Add(addEventOutcome) .Build(); var computerMgmtEvts = new processor.Chain() @@ -1882,7 +1849,6 @@ var security = (function () { .Add(renameCommonAuthFields) .Add(addUACDescription) .Add(addEventFields) - .Add(addEventOutcome) .Add(function(evt) { var privs = evt.Get("winlog.event_data.PrivilegeList"); if (!privs) { @@ -1896,14 +1862,12 @@ var security = (function () { var sessionEvts = new processor.Chain() .Add(addSessionData) .Add(addEventFields) - .Add(addEventOutcome) .Build(); var event4964 = new processor.Chain() .Add(copyTargetUser) .Add(copyTargetUserLogonId) .Add(addEventFields) - .Add(addEventOutcome) .Add(function(evt) { evt.AppendTo("event.type", "group"); }) @@ -1916,7 +1880,6 @@ var security = (function () { .Add(addTicketEncryptionType) .Add(addTicketStatus) .Add(addEventFields) - .Add(addEventOutcome) .Add(function(evt) { var ip = evt.Get("source.ip"); if (/::ffff:/.test(ip)) { @@ -1929,14 +1892,12 @@ var security = (function () { .Add(copyTargetUser) .Add(addFailureStatus) .Add(addEventFields) - .Add(addEventOutcome) .Build(); var scheduledTask = new processor.Chain() .Add(copySubjectUser) .Add(copySubjectUserLogonId) .Add(addEventFields) - .Add(addEventOutcome) .Add(function(evt) { evt.AppendTo("event.type", "admin"); }) @@ -1947,7 +1908,6 @@ var security = (function () { .Add(copySubjectUserLogonId) .Add(renameCommonAuthFields) .Add(addEventFields) - .Add(addEventOutcome) .Add(function(evt) { var privs = evt.Get("winlog.event_data.PrivilegeList"); if (!privs) { diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index a491a1e67be..5fcedb9e40e 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js @@ -424,9 +424,6 @@ var sysmon = (function () { evt.Put(path, value); evt.AppendTo("related.hash", value); - - // TODO: remove in 8.0, see (https://github.com/elastic/beats/issues/18364). - evt.Put("hash." + key, value); }); }; diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json index 7e393e6c7ef..b9c6e245940 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json @@ -19,10 +19,6 @@ "name": "test.test.exe", "path": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe" }, - "hash": { - "imphash": "d90d8c7812aec8da0fa173afa1293ab2", - "md5": "199e1cf5b2250bd515ecccf4ca686301" - }, "host": { "name": "vagrant-2012-r2" }, @@ -104,9 +100,6 @@ "name": "lastalive0.dat", "path": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat" }, - "hash": { - "sha1": "115106f5b338c87ae6836d50dd890de3da296367" - }, "host": { "name": "vagrant-2012-r2" }, @@ -181,9 +174,6 @@ "name": "8b34f644-f627-47e7-98e0-957ba1c5eb6d", "path": "C:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d" }, - "hash": { - "md5": "5a9bddf83be530b481f0fd24db28a6ff" - }, "host": { "name": "vagrant-2012-r2" }, diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json index feb8d830da7..0ba347499a8 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json @@ -99,9 +99,6 @@ "process_start" ] }, - "hash": { - "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" - }, "host": { "name": "vagrant-2012-r2" }, @@ -188,9 +185,6 @@ "process_start" ] }, - "hash": { - "sha1": "6df8163a6320b80b60733f9d62e2f39b4b16b678" - }, "host": { "name": "vagrant-2012-r2" }, @@ -380,9 +374,6 @@ "process_start" ] }, - "hash": { - "sha1": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" - }, "host": { "name": "vagrant-2012-r2" }, diff --git a/x-pack/winlogbeat/winlogbeat.reference.yml b/x-pack/winlogbeat/winlogbeat.reference.yml index c856ab060a2..62dab077c43 100644 --- a/x-pack/winlogbeat/winlogbeat.reference.yml +++ b/x-pack/winlogbeat/winlogbeat.reference.yml @@ -454,10 +454,18 @@ output.elasticsearch: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL-based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 @@ -570,20 +578,27 @@ output.elasticsearch: # Resolve names locally when using a proxy server. Defaults to false. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -593,7 +608,7 @@ output.elasticsearch: # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -756,30 +771,37 @@ output.elasticsearch: # purposes. The default is "beats". #client_id: beats - # Enable SSL support. SSL is automatically enabled if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Optional SSL configuration options. SSL is off by default. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections @@ -792,6 +814,12 @@ output.elasticsearch: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -899,42 +927,56 @@ output.elasticsearch: # occurs on the proxy server. #proxy_use_local_resolver: false - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # Optional SSL configuration options. SSL is off by default. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] # Certificate for SSL client authentication #ssl.certificate: "/etc/pki/client/cert.pem" - # Client Certificate Key + # Client certificate key #ssl.key: "/etc/pki/client/cert.key" - # Optional passphrase for decrypting the Certificate Key. + # Optional passphrase for decrypting the certificate key. #ssl.key_passphrase: '' # Configure cipher suites to be used for SSL connections #ssl.cipher_suites: [] - # Configure curve types for ECDHE based cipher suites + # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] # Configure what types of renegotiation are supported. Valid options are # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # -------------------------------- File Output --------------------------------- #output.file: # Boolean flag to enable or disable the output module. @@ -1067,6 +1109,11 @@ output.elasticsearch: # Set to false to disable template loading. #setup.template.enabled: true +# Select the kind of index template. From Elasticsearch 7.8, it is possible to +# use component templates. Available options: legacy, component, index. +# By default winlogbeat uses the legacy index templates. +#setup.template.type: legacy + # Template name. By default the template name is "winlogbeat-%{[agent.version]}" # The template name and pattern has to be set in case the Elasticsearch index pattern is modified. #setup.template.name: "winlogbeat-%{[agent.version]}" @@ -1170,20 +1217,31 @@ setup.kibana: # Optional Kibana space ID. #space.id: "" - # Use SSL settings for HTTPS. Default is true. + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1202,6 +1260,17 @@ setup.kibana: # Configure curve types for ECDHE-based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + + # ================================== Logging =================================== # There are four options for the log output: file, stderr, syslog, eventlog @@ -1352,17 +1421,24 @@ logging.files: # Use SSL settings for HTTPS. #ssl.enabled: true - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. + # Controls the verification of certificates. Valid values are: + # * full, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. + # * none, which performs no verification of the server's certificate. This + # mode disables many of the security benefits of SSL/TLS and should only be used + # after very careful consideration. It is primarily intended as a temporary + # diagnostic mechanism when attempting to resolve TLS errors; its use in + # production environments is strongly discouraged. + # The default value is full. #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. #ssl.supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3] - # SSL configuration. The default is off. # List of root certificates for HTTPS server verifications #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] @@ -1385,6 +1461,12 @@ logging.files: # never, once, and freely. Default is never. #ssl.renegotiation: never + # Configure a pin that can be used to do extra validation of the verified certificate chain, + # this allow you to ensure that a specific certificate is used to validate the chain of trust. + # + # The pin is a base64 encoded string of the SHA-256 fingerprint. + #ssl.ca_sha256: "" + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true